mirror of
https://github.com/systemd/systemd
synced 2026-04-26 00:45:09 +02:00
Compare commits
No commits in common. "2338b8f9c56e0b14f25e8633f6e8e636e68638c8" and "255689ae92224df2d2bd7b65fb1f566d6fda15e3" have entirely different histories.
2338b8f9c5
...
255689ae92
2
.github/workflows/mkosi.yml
vendored
@ -49,7 +49,7 @@ jobs:
|
||||
|
||||
steps:
|
||||
- uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846
|
||||
- uses: systemd/mkosi@93098e2406e12ea7f06f962d4808952b8a06d345
|
||||
- uses: systemd/mkosi@0dd39c20a4b3a2fab6efdc54da92bffad7c7b7ca
|
||||
|
||||
- name: Install
|
||||
run: sudo apt-get update && sudo apt-get install --no-install-recommends python3-pexpect python3-jinja2
|
||||
|
||||
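Review bot: the `- uses: systemd/mkosi@` pin under `steps:` changes from one full commit SHA to another with nothing in the workflow saying which mkosi revision either one is. Pinning by full SHA is the right call for a third-party action; add a trailing comment with the upstream tag or commit date next to the SHA so the bump can be checked against the mkosi history instead of taken on trust.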
@ -441,10 +441,3 @@ SYSTEMD_HOME_DEBUG_SUFFIX=foo \
|
||||
use for LUKS home directories, overriding the built-in default mount
|
||||
options. There's one variable for each of the supported file systems for the
|
||||
LUKS home directory backend.
|
||||
|
||||
`kernel-install`:
|
||||
|
||||
* `$KERNEL_INSTALL_BYPASS` – If set to "1", execution of kernel-install is skipped
|
||||
when kernel-install is invoked. This can be useful if kernel-install is invoked
|
||||
unconditionally as a child process by another tool, such as package managers
|
||||
running kernel-install in a postinstall script.
|
||||
|
||||
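Review bot: missing compatibility note for `$KERNEL_INSTALL_BYPASS`. The header `-441,10 +441,3` shows the whole `kernel-install` entry being dropped, which leaves the variable undocumented. If support for it is going away, packagers whose postinstall scripts set it to "1" need to be told in the same change; if support stays, the entry should stay as well.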
@ -624,17 +624,6 @@ evdev:input:b0003v258Ap001E*
|
||||
EVDEV_ABS_35=::15
|
||||
EVDEV_ABS_36=::15
|
||||
|
||||
#########################################
|
||||
# Positivo-Vaio
|
||||
#########################################
|
||||
|
||||
# Vaio FE14
|
||||
evdev:name:SYNA3602:00 0911:5288 Touchpad:dmi:*svnPositivoBahia-VAIO:pnVJFE41F11*
|
||||
EVDEV_ABS_00=::28
|
||||
EVDEV_ABS_01=::27
|
||||
EVDEV_ABS_35=::28
|
||||
EVDEV_ABS_36=::27
|
||||
|
||||
#########################################
|
||||
# Razer
|
||||
#########################################
|
||||
|
||||
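Review bot: no rationale is given for dropping the `Positivo-Vaio` block (`-624,17 +624,6`). Without the four `EVDEV_ABS_*` overrides matched on `pnVJFE41F11`, that touchpad goes back to the axis resolution the kernel reports. If the overrides were wrong or are no longer needed, say so in the commit message; otherwise keep the entry.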
@ -90,7 +90,7 @@
|
||||
<term><command>encrypt</command> <replaceable>input|-</replaceable> <replaceable>output|-</replaceable></term>
|
||||
|
||||
<listitem><para>Loads the specified (unencrypted plaintext) input credential file, encrypts it and
|
||||
writes the (encrypted ciphertext) output to the specified target credential file. The resulting file
|
||||
writes the (encrypted ciphertext) version to the specified output credential file. The resulting file
|
||||
may be referenced in the <varname>LoadCredentialEncrypted=</varname> setting in unit files, or its
|
||||
contents used literally in <varname>SetCredentialEncrypted=</varname> settings.</para>
|
||||
|
||||
@ -102,8 +102,8 @@
|
||||
output path is specified as <literal>-</literal> the credential name cannot be derived from the file
|
||||
system path, and thus should be specified explicitly via the <option>--name=</option> switch.</para>
|
||||
|
||||
<para>The credential data is encrypted and authenticated symmetrically with one of the following
|
||||
encryption keys:</para>
|
||||
<para>The credential data is encrypted symmetrically with one of the following encryption
|
||||
keys:</para>
|
||||
|
||||
<orderedlist>
|
||||
<listitem><para>A secret key automatically derived from the system's TPM2 chip. This encryption key
|
||||
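Review bot: in the paragraph that introduces the key list, `encrypted and authenticated symmetrically` becomes `encrypted symmetrically`, which removes the only statement at this point that the credential data is integrity-protected as well as confidential. If the credential format still authenticates the data, keep `and authenticated`; readers deciding whether a credential file can be trusted after transport depend on that wording.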
@ -145,8 +145,8 @@
|
||||
<optional><replaceable>output|-</replaceable></optional></term>
|
||||
|
||||
<listitem><para>Undoes the effect of the <command>encrypt</command> operation: loads the specified
|
||||
(encrypted ciphertext) input credential file, decrypts and authenticates it and writes the (decrypted
|
||||
plaintext) output to the specified target credential file.</para>
|
||||
(encrypted ciphertext) input credential file, decrypts it and writes the (decrypted plaintext)
|
||||
version to the specified output credential file.</para>
|
||||
|
||||
<para>Takes one or two file system paths. The file name part of the input path is compared with the
|
||||
credential name embedded in the encrypted file. If it does not match decryption fails. This is done
|
||||
|
||||
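Review bot: the `decrypt` description loses `and authenticates`, so this entry no longer says that the input is authenticated before the plaintext is written out. The only failure the text still documents is the credential-name mismatch in the following paragraph. Keep the authentication wording, or state explicitly how a file that fails authentication is handled.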
@ -3054,19 +3054,18 @@ StandardInputData=SWNrIHNpdHplIGRhIHVuJyBlc3NlIEtsb3BzLAp1ZmYgZWVtYWwga2xvcHAncy
|
||||
loading from a directory, symlinks will be ignored.</para>
|
||||
|
||||
<para>The <varname>LoadCredentialEncrypted=</varname> setting is identical to
|
||||
<varname>LoadCredential=</varname>, except that the credential data is decrypted and authenticated
|
||||
before being passed on to the executed processes. Specifically, the referenced path should refer to a
|
||||
file or socket with an encrypted credential, as implemented by
|
||||
<varname>LoadCredential=</varname>, except that the credential data is decrypted before being passed
|
||||
on to the executed processes. Specifically, the referenced path should refer to a file or socket with
|
||||
an encrypted credential, as implemented by
|
||||
<citerefentry><refentrytitle>systemd-creds</refentrytitle><manvolnum>1</manvolnum></citerefentry>. This
|
||||
credential is loaded, decrypted, authenticated and then passed to the application in plaintext form,
|
||||
in the same way a regular credential specified via <varname>LoadCredential=</varname> would be. A
|
||||
credential configured this way may be symmetrically encrypted/authenticated with a secret key derived
|
||||
from the system's TPM2 security chip, or with a secret key stored in
|
||||
<filename>/var/lib/systemd/credentials.secret</filename>, or with both. Using encrypted and
|
||||
authenticated credentials improves security as credentials are not stored in plaintext and only
|
||||
authenticated and decrypted into plaintext the moment a service requiring them is started. Moreover,
|
||||
credentials may be bound to the local hardware and installations, so that they cannot easily be
|
||||
analyzed offline, or be generated externally.</para>
|
||||
credential is loaded, decrypted and then passed to the application in decrypted plaintext form, in
|
||||
the same way a regular credential specified via <varname>LoadCredential=</varname> would be. A
|
||||
credential configured this way may encrypted with a secret key derived from the system's TPM2
|
||||
security chip, or with a secret key stored in
|
||||
<filename>/var/lib/systemd/credentials.secret</filename>, or with both. Using encrypted credentials
|
||||
improves security as credentials are not stored in plaintext and only decrypted into plaintext the
|
||||
moment a service requiring them is started. Moreover, credentials may be bound to the local hardware
|
||||
and installations, so that they cannot easily be analyzed offline.</para>
|
||||
|
||||
<para>The credential files/IPC sockets must be accessible to the service manager, but don't have to
|
||||
be directly accessible to the unit's processes: the credential data is read and copied into separate,
|
||||
|
||||
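Review bot: grammar slip in the shorter version of the `LoadCredentialEncrypted=` paragraph: `A credential configured this way may encrypted with a secret key` is missing "be". The same rewrite also drops every mention of authentication and the closing clause `or be generated externally`, so the documented benefit shrinks to protection against offline analysis. If credentials are still authenticated, keep that wording, since it is what tells an administrator that a credential produced elsewhere will not be accepted.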
@ -1284,49 +1284,66 @@ static const sd_bus_vtable hostname_vtable[] = {
|
||||
SD_BUS_PROPERTY("HardwareModel", "s", property_get_hardware_model, 0, SD_BUS_VTABLE_PROPERTY_CONST),
|
||||
SD_BUS_PROPERTY("FirmwareVersion", "s", property_get_firmware_version, 0, SD_BUS_VTABLE_PROPERTY_CONST),
|
||||
|
||||
SD_BUS_METHOD_WITH_ARGS("SetHostname",
|
||||
SD_BUS_ARGS("s", hostname, "b", interactive),
|
||||
SD_BUS_NO_RESULT,
|
||||
SD_BUS_METHOD_WITH_NAMES("SetHostname",
|
||||
"sb",
|
||||
SD_BUS_PARAM(hostname)
|
||||
SD_BUS_PARAM(interactive),
|
||||
NULL,,
|
||||
method_set_hostname,
|
||||
SD_BUS_VTABLE_UNPRIVILEGED),
|
||||
SD_BUS_METHOD_WITH_ARGS("SetStaticHostname",
|
||||
SD_BUS_ARGS("s", hostname, "b", interactive),
|
||||
SD_BUS_NO_RESULT,
|
||||
SD_BUS_METHOD_WITH_NAMES("SetStaticHostname",
|
||||
"sb",
|
||||
SD_BUS_PARAM(hostname)
|
||||
SD_BUS_PARAM(interactive),
|
||||
NULL,,
|
||||
method_set_static_hostname,
|
||||
SD_BUS_VTABLE_UNPRIVILEGED),
|
||||
SD_BUS_METHOD_WITH_ARGS("SetPrettyHostname",
|
||||
SD_BUS_ARGS("s", hostname, "b", interactive),
|
||||
SD_BUS_NO_RESULT,
|
||||
SD_BUS_METHOD_WITH_NAMES("SetPrettyHostname",
|
||||
"sb",
|
||||
SD_BUS_PARAM(hostname)
|
||||
SD_BUS_PARAM(interactive),
|
||||
NULL,,
|
||||
method_set_pretty_hostname,
|
||||
SD_BUS_VTABLE_UNPRIVILEGED),
|
||||
SD_BUS_METHOD_WITH_ARGS("SetIconName",
|
||||
SD_BUS_ARGS("s", icon, "b", interactive),
|
||||
SD_BUS_NO_RESULT,
|
||||
SD_BUS_METHOD_WITH_NAMES("SetIconName",
|
||||
"sb",
|
||||
SD_BUS_PARAM(icon)
|
||||
SD_BUS_PARAM(interactive),
|
||||
NULL,,
|
||||
method_set_icon_name,
|
||||
SD_BUS_VTABLE_UNPRIVILEGED),
|
||||
SD_BUS_METHOD_WITH_ARGS("SetChassis",
|
||||
SD_BUS_ARGS("s", chassis, "b", interactive),
|
||||
SD_BUS_NO_RESULT,
|
||||
SD_BUS_METHOD_WITH_NAMES("SetChassis",
|
||||
"sb",
|
||||
SD_BUS_PARAM(chassis)
|
||||
SD_BUS_PARAM(interactive),
|
||||
NULL,,
|
||||
method_set_chassis,
|
||||
SD_BUS_VTABLE_UNPRIVILEGED),
|
||||
SD_BUS_METHOD_WITH_ARGS("SetDeployment",
|
||||
SD_BUS_ARGS("s", deployment, "b", interactive),
|
||||
SD_BUS_NO_RESULT,
|
||||
SD_BUS_METHOD_WITH_NAMES("SetDeployment",
|
||||
"sb",
|
||||
SD_BUS_PARAM(deployment)
|
||||
SD_BUS_PARAM(interactive),
|
||||
NULL,,
|
||||
method_set_deployment,
|
||||
SD_BUS_VTABLE_UNPRIVILEGED),
|
||||
SD_BUS_METHOD_WITH_ARGS("SetLocation",
|
||||
SD_BUS_ARGS("s", location, "b", interactive),
|
||||
SD_BUS_NO_RESULT,
|
||||
SD_BUS_METHOD_WITH_NAMES("SetLocation",
|
||||
"sb",
|
||||
SD_BUS_PARAM(location)
|
||||
SD_BUS_PARAM(interactive),
|
||||
NULL,,
|
||||
method_set_location,
|
||||
SD_BUS_VTABLE_UNPRIVILEGED),
|
||||
SD_BUS_METHOD_WITH_ARGS("GetProductUUID",
|
||||
SD_BUS_ARGS("b", interactive),
|
||||
SD_BUS_RESULT("ay", uuid),
|
||||
SD_BUS_METHOD_WITH_NAMES("GetProductUUID",
|
||||
"b",
|
||||
SD_BUS_PARAM(interactive),
|
||||
"ay",
|
||||
SD_BUS_PARAM(uuid),
|
||||
method_get_product_uuid,
|
||||
SD_BUS_VTABLE_UNPRIVILEGED),
|
||||
SD_BUS_METHOD_WITH_ARGS("GetHardwareSerial",
|
||||
SD_BUS_NO_ARGS,
|
||||
SD_BUS_RESULT("s", serial),
|
||||
SD_BUS_METHOD_WITH_NAMES("GetHardwareSerial",
|
||||
NULL,,
|
||||
"s",
|
||||
SD_BUS_PARAM(serial),
|
||||
method_get_hardware_serial,
|
||||
SD_BUS_VTABLE_UNPRIVILEGED),
|
||||
SD_BUS_METHOD_WITH_ARGS("Describe",
|
||||
|
||||
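Review bot: the `NULL,,` line in each `SD_BUS_METHOD_WITH_NAMES` entry reads like a stray comma, and the adjacent `SD_BUS_PARAM(hostname)` / `SD_BUS_PARAM(interactive)` lines have no comma between them, so one entry mixes two separator conventions. The `SD_BUS_METHOD_WITH_ARGS` form with `SD_BUS_NO_RESULT` and `SD_BUS_NO_ARGS` states the empty slots by name; prefer it, or add a comment on the first `NULL,,` explaining that the empty argument is intentional. Separately, every method here carries `SD_BUS_VTABLE_UNPRIVILEGED`, so the authorization check has to live in each `method_*` handler, which this hunk does not show.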
@ -67,11 +67,6 @@ for i; do
|
||||
fi
|
||||
done
|
||||
|
||||
if [ "$KERNEL_INSTALL_BYPASS" = "1" ]; then
|
||||
echo "kernel-install: Skipping execution because KERNEL_INSTALL_BYPASS=1"
|
||||
exit 0
|
||||
fi
|
||||
|
||||
export KERNEL_INSTALL_VERBOSE=0
|
||||
if [ "$1" = "--verbose" ] || [ "$1" = "-v" ]; then
|
||||
shift
|
||||
|
||||
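Review bot: with the `if [ "$KERNEL_INSTALL_BYPASS" = "1" ]` block gone (`-67,11 +67,6`), a caller that still exports the variable gets a full kernel-install run with no message explaining why the bypass was ignored. If the removal is intended, consider printing a one-line warning when the variable is set, so package-manager postinstall scripts that rely on it fail visibly rather than silently changing behaviour.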
@ -55,18 +55,6 @@ else
|
||||
CFLAGS="$CFLAGS $UBSAN_FLAGS"
|
||||
CXXFLAGS="$CXXFLAGS $UBSAN_FLAGS"
|
||||
fi
|
||||
|
||||
if [[ "$SANITIZER" == introspector ]]; then
|
||||
# fuzz-introspector passes -fuse-ld=gold and -flto using CFLAGS/LDFLAGS and due to
|
||||
# https://github.com/mesonbuild/meson/issues/6377#issuecomment-575977919 and
|
||||
# https://github.com/mesonbuild/meson/issues/6377 it doesn't mix well with meson.
|
||||
# It's possible to build systemd with duct tape there using something like
|
||||
# https://github.com/google/oss-fuzz/pull/7583#issuecomment-1104011067 but
|
||||
# apparently even with gold and lto some parts of systemd are missing from
|
||||
# reports (presumably due to https://github.com/google/oss-fuzz/issues/7598).
|
||||
# Let's just fail here for now to make it clear that fuzz-introspector isn't supported.
|
||||
exit 1
|
||||
fi
|
||||
fi
|
||||
|
||||
if ! meson "$build" "-D$fuzzflag" -Db_lundef=false; then
|
||||
|
||||
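Review bot: dropping the `if [[ "$SANITIZER" == introspector ]]` guard (`-55,18 +55,6`) lets an introspector build fall through to the `meson "$build"` call. The comment in the removed block says the flags fuzz-introspector passes do not mix well with meson and that reports come out incomplete. Keep the early `exit 1`, or replace it with an explicit error message, so an unsupported configuration fails up front instead of producing a partial or misleading coverage report.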