No commits in common. "2338b8f9c56e0b14f25e8633f6e8e636e68638c8" and "255689ae92224df2d2bd7b65fb1f566d6fda15e3" have entirely different histories.
2338b8f9c5
...
255689ae92
2
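--- a/.github/workflows/mkosi.yml
+++ b/.github/workflows/mkosi.yml
@@ -49,7 +49,7 @@ jobs:
 
 steps:
 - uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846
-- uses: systemd/mkosi@93098e2406e12ea7f06f962d4808952b8a06d345
+- uses: systemd/mkosi@0dd39c20a4b3a2fab6efdc54da92bffad7c7b7ca
 
 - name: Install
 run: sudo apt-get update && sudo apt-get install --no-install-recommends python3-pexpect python3-jinja2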
@ -441,10 +441,3 @@ SYSTEMD_HOME_DEBUG_SUFFIX=foo \
|
|||||||
use for LUKS home directories, overriding the built-in default mount
|
use for LUKS home directories, overriding the built-in default mount
|
||||||
options. There's one variable for each of the supported file systems for the
|
options. There's one variable for each of the supported file systems for the
|
||||||
LUKS home directory backend.
|
LUKS home directory backend.
|
||||||
|
|
||||||
`kernel-install`:
|
|
||||||
|
|
||||||
* `$KERNEL_INSTALL_BYPASS` – If set to "1", execution of kernel-install is skipped
|
|
||||||
when kernel-install is invoked. This can be useful if kernel-install is invoked
|
|
||||||
unconditionally as a child process by another tool, such as package managers
|
|
||||||
running kernel-install in a postinstall script.
|
|
||||||
|
|||||||
@ -624,17 +624,6 @@ evdev:input:b0003v258Ap001E*
|
|||||||
EVDEV_ABS_35=::15
|
EVDEV_ABS_35=::15
|
||||||
EVDEV_ABS_36=::15
|
EVDEV_ABS_36=::15
|
||||||
|
|
||||||
#########################################
|
|
||||||
# Positivo-Vaio
|
|
||||||
#########################################
|
|
||||||
|
|
||||||
# Vaio FE14
|
|
||||||
evdev:name:SYNA3602:00 0911:5288 Touchpad:dmi:*svnPositivoBahia-VAIO:pnVJFE41F11*
|
|
||||||
EVDEV_ABS_00=::28
|
|
||||||
EVDEV_ABS_01=::27
|
|
||||||
EVDEV_ABS_35=::28
|
|
||||||
EVDEV_ABS_36=::27
|
|
||||||
|
|
||||||
#########################################
|
#########################################
|
||||||
# Razer
|
# Razer
|
||||||
#########################################
|
#########################################
|
||||||
|
|||||||
@ -90,7 +90,7 @@
|
|||||||
<term><command>encrypt</command> <replaceable>input|-</replaceable> <replaceable>output|-</replaceable></term>
|
<term><command>encrypt</command> <replaceable>input|-</replaceable> <replaceable>output|-</replaceable></term>
|
||||||
|
|
||||||
<listitem><para>Loads the specified (unencrypted plaintext) input credential file, encrypts it and
|
<listitem><para>Loads the specified (unencrypted plaintext) input credential file, encrypts it and
|
||||||
writes the (encrypted ciphertext) output to the specified target credential file. The resulting file
|
writes the (encrypted ciphertext) version to the specified output credential file. The resulting file
|
||||||
may be referenced in the <varname>LoadCredentialEncrypted=</varname> setting in unit files, or its
|
may be referenced in the <varname>LoadCredentialEncrypted=</varname> setting in unit files, or its
|
||||||
contents used literally in <varname>SetCredentialEncrypted=</varname> settings.</para>
|
contents used literally in <varname>SetCredentialEncrypted=</varname> settings.</para>
|
||||||
|
|
||||||
@ -102,8 +102,8 @@
|
|||||||
output path is specified as <literal>-</literal> the credential name cannot be derived from the file
|
output path is specified as <literal>-</literal> the credential name cannot be derived from the file
|
||||||
system path, and thus should be specified explicitly via the <option>--name=</option> switch.</para>
|
system path, and thus should be specified explicitly via the <option>--name=</option> switch.</para>
|
||||||
|
|
||||||
<para>The credential data is encrypted and authenticated symmetrically with one of the following
|
<para>The credential data is encrypted symmetrically with one of the following encryption
|
||||||
encryption keys:</para>
|
keys:</para>
|
||||||
|
|
||||||
<orderedlist>
|
<orderedlist>
|
||||||
<listitem><para>A secret key automatically derived from the system's TPM2 chip. This encryption key
|
<listitem><para>A secret key automatically derived from the system's TPM2 chip. This encryption key
|
||||||
@ -145,8 +145,8 @@
|
|||||||
<optional><replaceable>output|-</replaceable></optional></term>
|
<optional><replaceable>output|-</replaceable></optional></term>
|
||||||
|
|
||||||
<listitem><para>Undoes the effect of the <command>encrypt</command> operation: loads the specified
|
<listitem><para>Undoes the effect of the <command>encrypt</command> operation: loads the specified
|
||||||
(encrypted ciphertext) input credential file, decrypts and authenticates it and writes the (decrypted
|
(encrypted ciphertext) input credential file, decrypts it and writes the (decrypted plaintext)
|
||||||
plaintext) output to the specified target credential file.</para>
|
version to the specified output credential file.</para>
|
||||||
|
|
||||||
<para>Takes one or two file system paths. The file name part of the input path is compared with the
|
<para>Takes one or two file system paths. The file name part of the input path is compared with the
|
||||||
credential name embedded in the encrypted file. If it does not match decryption fails. This is done
|
credential name embedded in the encrypted file. If it does not match decryption fails. This is done
|
||||||
|
|||||||
@ -3054,19 +3054,18 @@ StandardInputData=SWNrIHNpdHplIGRhIHVuJyBlc3NlIEtsb3BzLAp1ZmYgZWVtYWwga2xvcHAncy
|
|||||||
loading from a directory, symlinks will be ignored.</para>
|
loading from a directory, symlinks will be ignored.</para>
|
||||||
|
|
||||||
<para>The <varname>LoadCredentialEncrypted=</varname> setting is identical to
|
<para>The <varname>LoadCredentialEncrypted=</varname> setting is identical to
|
||||||
<varname>LoadCredential=</varname>, except that the credential data is decrypted and authenticated
|
<varname>LoadCredential=</varname>, except that the credential data is decrypted before being passed
|
||||||
before being passed on to the executed processes. Specifically, the referenced path should refer to a
|
on to the executed processes. Specifically, the referenced path should refer to a file or socket with
|
||||||
file or socket with an encrypted credential, as implemented by
|
an encrypted credential, as implemented by
|
||||||
<citerefentry><refentrytitle>systemd-creds</refentrytitle><manvolnum>1</manvolnum></citerefentry>. This
|
<citerefentry><refentrytitle>systemd-creds</refentrytitle><manvolnum>1</manvolnum></citerefentry>. This
|
||||||
credential is loaded, decrypted, authenticated and then passed to the application in plaintext form,
|
credential is loaded, decrypted and then passed to the application in decrypted plaintext form, in
|
||||||
in the same way a regular credential specified via <varname>LoadCredential=</varname> would be. A
|
the same way a regular credential specified via <varname>LoadCredential=</varname> would be. A
|
||||||
credential configured this way may be symmetrically encrypted/authenticated with a secret key derived
|
credential configured this way may encrypted with a secret key derived from the system's TPM2
|
||||||
from the system's TPM2 security chip, or with a secret key stored in
|
security chip, or with a secret key stored in
|
||||||
<filename>/var/lib/systemd/credentials.secret</filename>, or with both. Using encrypted and
|
<filename>/var/lib/systemd/credentials.secret</filename>, or with both. Using encrypted credentials
|
||||||
authenticated credentials improves security as credentials are not stored in plaintext and only
|
improves security as credentials are not stored in plaintext and only decrypted into plaintext the
|
||||||
authenticated and decrypted into plaintext the moment a service requiring them is started. Moreover,
|
moment a service requiring them is started. Moreover, credentials may be bound to the local hardware
|
||||||
credentials may be bound to the local hardware and installations, so that they cannot easily be
|
and installations, so that they cannot easily be analyzed offline.</para>
|
||||||
analyzed offline, or be generated externally.</para>
|
|
||||||
|
|
||||||
<para>The credential files/IPC sockets must be accessible to the service manager, but don't have to
|
<para>The credential files/IPC sockets must be accessible to the service manager, but don't have to
|
||||||
be directly accessible to the unit's processes: the credential data is read and copied into separate,
|
be directly accessible to the unit's processes: the credential data is read and copied into separate,
|
||||||
|
|||||||
@ -1284,51 +1284,68 @@ static const sd_bus_vtable hostname_vtable[] = {
|
|||||||
SD_BUS_PROPERTY("HardwareModel", "s", property_get_hardware_model, 0, SD_BUS_VTABLE_PROPERTY_CONST),
|
SD_BUS_PROPERTY("HardwareModel", "s", property_get_hardware_model, 0, SD_BUS_VTABLE_PROPERTY_CONST),
|
||||||
SD_BUS_PROPERTY("FirmwareVersion", "s", property_get_firmware_version, 0, SD_BUS_VTABLE_PROPERTY_CONST),
|
SD_BUS_PROPERTY("FirmwareVersion", "s", property_get_firmware_version, 0, SD_BUS_VTABLE_PROPERTY_CONST),
|
||||||
|
|
||||||
SD_BUS_METHOD_WITH_ARGS("SetHostname",
|
SD_BUS_METHOD_WITH_NAMES("SetHostname",
|
||||||
SD_BUS_ARGS("s", hostname, "b", interactive),
|
"sb",
|
||||||
SD_BUS_NO_RESULT,
|
SD_BUS_PARAM(hostname)
|
||||||
method_set_hostname,
|
SD_BUS_PARAM(interactive),
|
||||||
SD_BUS_VTABLE_UNPRIVILEGED),
|
NULL,,
|
||||||
SD_BUS_METHOD_WITH_ARGS("SetStaticHostname",
|
method_set_hostname,
|
||||||
SD_BUS_ARGS("s", hostname, "b", interactive),
|
SD_BUS_VTABLE_UNPRIVILEGED),
|
||||||
SD_BUS_NO_RESULT,
|
SD_BUS_METHOD_WITH_NAMES("SetStaticHostname",
|
||||||
method_set_static_hostname,
|
"sb",
|
||||||
SD_BUS_VTABLE_UNPRIVILEGED),
|
SD_BUS_PARAM(hostname)
|
||||||
SD_BUS_METHOD_WITH_ARGS("SetPrettyHostname",
|
SD_BUS_PARAM(interactive),
|
||||||
SD_BUS_ARGS("s", hostname, "b", interactive),
|
NULL,,
|
||||||
SD_BUS_NO_RESULT,
|
method_set_static_hostname,
|
||||||
method_set_pretty_hostname,
|
SD_BUS_VTABLE_UNPRIVILEGED),
|
||||||
SD_BUS_VTABLE_UNPRIVILEGED),
|
SD_BUS_METHOD_WITH_NAMES("SetPrettyHostname",
|
||||||
SD_BUS_METHOD_WITH_ARGS("SetIconName",
|
"sb",
|
||||||
SD_BUS_ARGS("s", icon, "b", interactive),
|
SD_BUS_PARAM(hostname)
|
||||||
SD_BUS_NO_RESULT,
|
SD_BUS_PARAM(interactive),
|
||||||
method_set_icon_name,
|
NULL,,
|
||||||
SD_BUS_VTABLE_UNPRIVILEGED),
|
method_set_pretty_hostname,
|
||||||
SD_BUS_METHOD_WITH_ARGS("SetChassis",
|
SD_BUS_VTABLE_UNPRIVILEGED),
|
||||||
SD_BUS_ARGS("s", chassis, "b", interactive),
|
SD_BUS_METHOD_WITH_NAMES("SetIconName",
|
||||||
SD_BUS_NO_RESULT,
|
"sb",
|
||||||
method_set_chassis,
|
SD_BUS_PARAM(icon)
|
||||||
SD_BUS_VTABLE_UNPRIVILEGED),
|
SD_BUS_PARAM(interactive),
|
||||||
SD_BUS_METHOD_WITH_ARGS("SetDeployment",
|
NULL,,
|
||||||
SD_BUS_ARGS("s", deployment, "b", interactive),
|
method_set_icon_name,
|
||||||
SD_BUS_NO_RESULT,
|
SD_BUS_VTABLE_UNPRIVILEGED),
|
||||||
method_set_deployment,
|
SD_BUS_METHOD_WITH_NAMES("SetChassis",
|
||||||
SD_BUS_VTABLE_UNPRIVILEGED),
|
"sb",
|
||||||
SD_BUS_METHOD_WITH_ARGS("SetLocation",
|
SD_BUS_PARAM(chassis)
|
||||||
SD_BUS_ARGS("s", location, "b", interactive),
|
SD_BUS_PARAM(interactive),
|
||||||
SD_BUS_NO_RESULT,
|
NULL,,
|
||||||
method_set_location,
|
method_set_chassis,
|
||||||
SD_BUS_VTABLE_UNPRIVILEGED),
|
SD_BUS_VTABLE_UNPRIVILEGED),
|
||||||
SD_BUS_METHOD_WITH_ARGS("GetProductUUID",
|
SD_BUS_METHOD_WITH_NAMES("SetDeployment",
|
||||||
SD_BUS_ARGS("b", interactive),
|
"sb",
|
||||||
SD_BUS_RESULT("ay", uuid),
|
SD_BUS_PARAM(deployment)
|
||||||
method_get_product_uuid,
|
SD_BUS_PARAM(interactive),
|
||||||
SD_BUS_VTABLE_UNPRIVILEGED),
|
NULL,,
|
||||||
SD_BUS_METHOD_WITH_ARGS("GetHardwareSerial",
|
method_set_deployment,
|
||||||
SD_BUS_NO_ARGS,
|
SD_BUS_VTABLE_UNPRIVILEGED),
|
||||||
SD_BUS_RESULT("s", serial),
|
SD_BUS_METHOD_WITH_NAMES("SetLocation",
|
||||||
method_get_hardware_serial,
|
"sb",
|
||||||
SD_BUS_VTABLE_UNPRIVILEGED),
|
SD_BUS_PARAM(location)
|
||||||
|
SD_BUS_PARAM(interactive),
|
||||||
|
NULL,,
|
||||||
|
method_set_location,
|
||||||
|
SD_BUS_VTABLE_UNPRIVILEGED),
|
||||||
|
SD_BUS_METHOD_WITH_NAMES("GetProductUUID",
|
||||||
|
"b",
|
||||||
|
SD_BUS_PARAM(interactive),
|
||||||
|
"ay",
|
||||||
|
SD_BUS_PARAM(uuid),
|
||||||
|
method_get_product_uuid,
|
||||||
|
SD_BUS_VTABLE_UNPRIVILEGED),
|
||||||
|
SD_BUS_METHOD_WITH_NAMES("GetHardwareSerial",
|
||||||
|
NULL,,
|
||||||
|
"s",
|
||||||
|
SD_BUS_PARAM(serial),
|
||||||
|
method_get_hardware_serial,
|
||||||
|
SD_BUS_VTABLE_UNPRIVILEGED),
|
||||||
SD_BUS_METHOD_WITH_ARGS("Describe",
|
SD_BUS_METHOD_WITH_ARGS("Describe",
|
||||||
SD_BUS_NO_ARGS,
|
SD_BUS_NO_ARGS,
|
||||||
SD_BUS_RESULT("s", json),
|
SD_BUS_RESULT("s", json),
|
||||||
|
|||||||
@ -67,11 +67,6 @@ for i; do
|
|||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
|
|
||||||
if [ "$KERNEL_INSTALL_BYPASS" = "1" ]; then
|
|
||||||
echo "kernel-install: Skipping execution because KERNEL_INSTALL_BYPASS=1"
|
|
||||||
exit 0
|
|
||||||
fi
|
|
||||||
|
|
||||||
export KERNEL_INSTALL_VERBOSE=0
|
export KERNEL_INSTALL_VERBOSE=0
|
||||||
if [ "$1" = "--verbose" ] || [ "$1" = "-v" ]; then
|
if [ "$1" = "--verbose" ] || [ "$1" = "-v" ]; then
|
||||||
shift
|
shift
|
||||||
|
|||||||
@ -55,18 +55,6 @@ else
|
|||||||
CFLAGS="$CFLAGS $UBSAN_FLAGS"
|
CFLAGS="$CFLAGS $UBSAN_FLAGS"
|
||||||
CXXFLAGS="$CXXFLAGS $UBSAN_FLAGS"
|
CXXFLAGS="$CXXFLAGS $UBSAN_FLAGS"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [[ "$SANITIZER" == introspector ]]; then
|
|
||||||
# fuzz-introspector passes -fuse-ld=gold and -flto using CFLAGS/LDFLAGS and due to
|
|
||||||
# https://github.com/mesonbuild/meson/issues/6377#issuecomment-575977919 and
|
|
||||||
# https://github.com/mesonbuild/meson/issues/6377 it doesn't mix well with meson.
|
|
||||||
# It's possible to build systemd with duct tape there using something like
|
|
||||||
# https://github.com/google/oss-fuzz/pull/7583#issuecomment-1104011067 but
|
|
||||||
# apparently even with gold and lto some parts of systemd are missing from
|
|
||||||
# reports (presumably due to https://github.com/google/oss-fuzz/issues/7598).
|
|
||||||
# Let's just fail here for now to make it clear that fuzz-introspector isn't supported.
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if ! meson "$build" "-D$fuzzflag" -Db_lundef=false; then
|
if ! meson "$build" "-D$fuzzflag" -Db_lundef=false; then
|
||||||
|
|||||||