pam-systemd: talk to logind via varlink

This makes sure we now use Varlink per default as transport for allocating sessions. This reduces the time it takes to do one run0 cycle by roughly ~10% on my completely synthetic test setup (assuming the target user's service manager is already started) The D-Bus codepaths are kept in place for two reasons: * To make upgrades easy * If the user actually sets resource properties on the PAM session we fall back to the D-Bus codepaths, as we currently have no way to encode the scope properties in JSON, this is only supported for D-Bus serialization. The latter should be revisited once it is possible to allocate a scope unit from PID1 via varlink.
logind: add basic Varlink API
2024-11-22 12:22:47 +01:00 · 2024-11-22 12:22:47 +01:00 · 2024-11-22 12:22:47 +01:00 · 2024-11-22 12:22:47 +01:00 · 2024-11-22 12:22:47 +01:00 · 2024-11-22 12:22:47 +01:00
26 changed files with 40 additions and 43 deletions
--- a/hwdb.d/60-keyboard.hwdb
+++ b/hwdb.d/60-keyboard.hwdb
@ -1438,6 +1438,11 @@ evdev:input:b0003v046DpC309*
 KEYBOARD_KEY_c01b6=images                              # My Pictures (F11)
 KEYBOARD_KEY_c01b7=audio                               # My Music (F12)

+# Logitech MX Keys for Mac
+evdev:input:b0003v046Dp4092*
+ KEYBOARD_KEY_70035=102nd                               # '<' key
+ KEYBOARD_KEY_70064=grave                               # '^' key
+
 ###########################################################
 # Maxdata
 ###########################################################
--- a/po/uk.po
+++ b/po/uk.po
@ -9,8 +9,8 @@ msgid ""
 msgstr ""
 "Report-Msgid-Bugs-To: \n"
 "POT-Creation-Date: 2024-11-06 14:42+0000\n"
-"PO-Revision-Date: 2024-11-20 19:13+0000\n"
-"Last-Translator: Dmytro Markevych <hotr1pak@gmail.com>\n"
+"PO-Revision-Date: 2024-11-21 19:38+0000\n"
+"Last-Translator: Yuri Chornoivan <yurchor@ukr.net>\n"
 "Language-Team: Ukrainian <https://translate.fedoraproject.org/projects/"
 "systemd/main/uk/>\n"
 "Language: uk\n"
@ -120,11 +120,11 @@ msgstr "Для оновлення домашньої теки користува

 #: src/home/org.freedesktop.home1.policy:53
 msgid "Update your home area"
-msgstr "Оновіть свій домашній простір"
+msgstr "Оновлення домашньої області"

 #: src/home/org.freedesktop.home1.policy:54
 msgid "Authentication is required to update your home area."
-msgstr "Для оновлення домашньої області потрібна автентифікація."
+msgstr "Для оновлення домашньої області слід пройти розпізнавання."

 #: src/home/org.freedesktop.home1.policy:63
 msgid "Resize a home area"
@ -1215,7 +1215,7 @@ msgstr "Керування додатковими функціями"

 #: src/sysupdate/org.freedesktop.sysupdate1.policy:76
 msgid "Authentication is required to manage optional features"
-msgstr "Для керування додатковими функціями потрібна автентифікація"
+msgstr "Для керування додатковими можливостями слід пройти розпізнавання"

 #: src/timedate/org.freedesktop.timedate1.policy:22
 msgid "Set system time"
--- a/shell-completion/bash/systemd-cryptenroll
+++ b/shell-completion/bash/systemd-cryptenroll
@ -38,19 +38,12 @@ __get_tpm2_devices() {
    done
 }

-__get_block_devices() {
-    local i
-    for i in /dev/*; do
-        [ -b "$i" ] && printf '%s\n' "$i"
-    done
-}
-
 _systemd_cryptenroll() {
    local comps
    local cur=${COMP_WORDS[COMP_CWORD]} prev=${COMP_WORDS[COMP_CWORD-1]} words cword
    local -A OPTS=(
        [STANDALONE]='-h --help --version
-                     --password --recovery-key'
+                     --password --recovery-key --list-devices'
        [ARG]='--unlock-key-file
               --unlock-fido2-device
               --unlock-tpm2-device
@ -116,7 +109,7 @@ _systemd_cryptenroll() {
        return 0
    fi

-    comps=$(__get_block_devices)
+    comps=$(systemd-cryptenroll --list-devices)
    COMPREPLY=( $(compgen -W '$comps' -- "$cur") )
    return 0
 }
--- a/src/basic/socket-util.c
+++ b/src/basic/socket-util.c
@ -983,7 +983,7 @@ int getpeerpidref(int fd, PidRef *ret) {

        int pidfd = getpeerpidfd(fd);
        if (pidfd < 0)  {
-                if (!ERRNO_IS_NEG_NOT_SUPPORTED(pidfd))
+                if (!ERRNO_IS_NEG_NOT_SUPPORTED(pidfd) && pidfd != -EINVAL)
                        return pidfd;

                struct ucred ucred;
--- a/src/core/service.c
+++ b/src/core/service.c
@ -3426,14 +3426,12 @@ static int service_deserialize_item(Unit *u, const char *key, const char *value,
                        return 0;
                }

-                r = service_add_fd_store(s, fd, fdn, do_poll);
+                r = service_add_fd_store(s, TAKE_FD(fd), fdn, do_poll);
                if (r < 0) {
                        log_unit_debug_errno(u, r,
                                             "Failed to store deserialized fd '%s', ignoring: %m", fdn);
                        return 0;
                }
-
-                TAKE_FD(fd);
        } else if (streq(key, "extra-fd")) {
                _cleanup_free_ char *fdv = NULL, *fdn = NULL;
                _cleanup_close_ int fd = -EBADF;
--- a/src/libsystemd/sd-varlink/varlink-util.c
+++ b/src/libsystemd/sd-varlink/varlink-util.c
@ -16,7 +16,7 @@ int varlink_get_peer_pidref(sd_varlink *v, PidRef *ret) {

        int pidfd = sd_varlink_get_peer_pidfd(v);
        if (pidfd < 0) {
-                if (!ERRNO_IS_NEG_NOT_SUPPORTED(pidfd))
+                if (!ERRNO_IS_NEG_NOT_SUPPORTED(pidfd) && pidfd != -EINVAL)
                        return pidfd;

                pid_t pid;
--- a/tmpfiles.d/20-systemd-shell-extra.conf.in
+++ b/tmpfiles.d/20-systemd-shell-extra.conf.in
@ -5,7 +5,7 @@
 #  the Free Software Foundation; either version 2.1 of the License, or
 #  (at your option) any later version.

-# See tmpfiles.d(5) for details
+# See tmpfiles.d(5) for details.

 {% if LINK_SHELL_EXTRA_DROPIN %}
 L$ {{SHELLPROFILEDIR}}/70-systemd-shell-extra.sh - - - - {{LIBEXECDIR}}/profile.d/70-systemd-shell-extra.sh
--- a/tmpfiles.d/20-systemd-ssh-generator.conf.in
+++ b/tmpfiles.d/20-systemd-ssh-generator.conf.in
@ -5,7 +5,7 @@
 #  the Free Software Foundation; either version 2.1 of the License, or
 #  (at your option) any later version.

-# See tmpfiles.d(5) for details
+# See tmpfiles.d(5) for details.

 {% if LINK_SSH_PROXY_DROPIN %}
 L$ {{SSHCONFDIR}}/20-systemd-ssh-proxy.conf - - - - {{LIBEXECDIR}}/ssh_config.d/20-systemd-ssh-proxy.conf
--- a/tmpfiles.d/20-systemd-stub.conf.in
+++ b/tmpfiles.d/20-systemd-stub.conf.in
@ -5,7 +5,7 @@
 #  the Free Software Foundation; either version 2.1 of the License, or
 #  (at your option) any later version.

-# See tmpfiles.d(5) for details
+# See tmpfiles.d(5) for details.

 # Copy systemd-stub provided metadata such as PCR signature and public key file
 # from initrd into /run/, so that it will survive the initrd stage
--- a/tmpfiles.d/20-systemd-userdb.conf.in
+++ b/tmpfiles.d/20-systemd-userdb.conf.in
@ -5,7 +5,7 @@
 #  the Free Software Foundation; either version 2.1 of the License, or
 #  (at your option) any later version.

-# See tmpfiles.d(5) for details
+# See tmpfiles.d(5) for details.

 {% if LINK_SSHD_USERDB_DROPIN %}
 L {{SSHDCONFDIR}}/20-systemd-userdb.conf - - - - {{LIBEXECDIR}}/sshd_config.d/20-systemd-userdb.conf
--- a/tmpfiles.d/credstore.conf
+++ b/tmpfiles.d/credstore.conf
@ -5,7 +5,7 @@
 #  the Free Software Foundation; either version 2.1 of the License, or
 #  (at your option) any later version.

-# See tmpfiles.d(5) for details
+# See tmpfiles.d(5) for details.

 d /etc/credstore 0700 root root
 d /etc/credstore.encrypted 0700 root root
--- a/tmpfiles.d/etc.conf.in
+++ b/tmpfiles.d/etc.conf.in
@ -5,7 +5,7 @@
 #  the Free Software Foundation; either version 2.1 of the License, or
 #  (at your option) any later version.

-# See tmpfiles.d(5) for details
+# See tmpfiles.d(5) for details.

 L /etc/os-release - - - - ../usr/lib/os-release
 L+ /etc/mtab - - - - ../proc/self/mounts
--- a/tmpfiles.d/home.conf
+++ b/tmpfiles.d/home.conf
@ -5,7 +5,7 @@
 #  the Free Software Foundation; either version 2.1 of the License, or
 #  (at your option) any later version.

-# See tmpfiles.d(5) for details
+# See tmpfiles.d(5) for details.

 Q /home 0755 - - -
 q /srv 0755 - - -
--- a/tmpfiles.d/journal-nocow.conf
+++ b/tmpfiles.d/journal-nocow.conf
@ -5,7 +5,7 @@
 #  the Free Software Foundation; either version 2.1 of the License, or
 #  (at your option) any later version.

-# See tmpfiles.d(5) for details
+# See tmpfiles.d(5) for details.

 # Set the NOCOW attribute for directories of journal files. This flag
 # is inherited by their new files and sub-directories. Matters only
--- a/tmpfiles.d/legacy.conf.in
+++ b/tmpfiles.d/legacy.conf.in
@ -5,10 +5,11 @@
 #  the Free Software Foundation; either version 2.1 of the License, or
 #  (at your option) any later version.

-# See tmpfiles.d(5) for details
+# See tmpfiles.d(5) for details.

-# These files are considered legacy and are unnecessary on legacy-free
-# systems.
+# The functionality provided by these files and directories has been replaced
+# by newer interfaces. Their use is discouraged on legacy-free systems. This
+# configuration is provided to maintain backward compatibility.

 d /run/lock 0755 root root -
 L /var/lock - - - - ../run/lock
@ -16,15 +17,15 @@ L /var/lock - - - - ../run/lock
 L$ /var/log/README - - - - ../..{{DOC_DIR}}/README.logs
 {% endif %}

+{% if HAVE_SYSV_COMPAT %}
 # /run/lock/subsys is used for serializing SysV service execution, and
 # hence without use on SysV-less systems.
-
 d /run/lock/subsys 0755 root root -

 # /forcefsck, /fastboot and /forcequotacheck are deprecated in favor of the
 # kernel command line options 'fsck.mode=force', 'fsck.mode=skip' and
 # 'quotacheck.mode=force'
-
 r! /forcefsck
 r! /fastboot
 r! /forcequotacheck
+{% endif %}
--- a/tmpfiles.d/meson.build
+++ b/tmpfiles.d/meson.build
@ -35,7 +35,7 @@ in_files = [
        ['20-systemd-stub.conf',          'ENABLE_EFI'],
        ['20-systemd-userdb.conf',        'ENABLE_SSH_USERDB_CONFIG'],
        ['etc.conf'],
-        ['legacy.conf',                   'HAVE_SYSV_COMPAT'],
+        ['legacy.conf'],
        ['static-nodes-permissions.conf'],
        ['systemd.conf'],
        ['var.conf'],
--- a/tmpfiles.d/portables.conf
+++ b/tmpfiles.d/portables.conf
@ -1,4 +1,4 @@
 # SPDX-License-Identifier: LGPL-2.1-or-later
-# See tmpfiles.d(5) for details
+# See tmpfiles.d(5) for details.

 Q /var/lib/portables 0700
--- a/tmpfiles.d/provision.conf
+++ b/tmpfiles.d/provision.conf
@ -5,7 +5,7 @@
 #  the Free Software Foundation; either version 2.1 of the License, or
 #  (at your option) any later version.

-# See tmpfiles.d(5) for details
+# See tmpfiles.d(5) for details.

 # Provision additional login messages from credentials, if they are set. Note
 # that these lines are NOPs if the credentials are not set or if the files
--- a/tmpfiles.d/systemd-network.conf
+++ b/tmpfiles.d/systemd-network.conf
@ -5,7 +5,7 @@
 #  the Free Software Foundation; either version 2.1 of the License, or
 #  (at your option) any later version.

-# See tmpfiles.d(5) for details
+# See tmpfiles.d(5) for details.

 d$ /run/systemd/netif        0755 systemd-network systemd-network -
 d$ /run/systemd/netif/links  0755 systemd-network systemd-network -
--- a/tmpfiles.d/systemd-nspawn.conf
+++ b/tmpfiles.d/systemd-nspawn.conf
@ -5,7 +5,7 @@
 #  the Free Software Foundation; either version 2.1 of the License, or
 #  (at your option) any later version.

-# See tmpfiles.d(5) for details
+# See tmpfiles.d(5) for details.

 Q /var/lib/machines 0700 - - -

--- a/tmpfiles.d/systemd-resolve.conf
+++ b/tmpfiles.d/systemd-resolve.conf
@ -5,6 +5,6 @@
 #  the Free Software Foundation; either version 2.1 of the License, or
 #  (at your option) any later version.

-# See tmpfiles.d(5) for details
+# See tmpfiles.d(5) for details.

 L! /etc/resolv.conf - - - - ../run/systemd/resolve/stub-resolv.conf
--- a/tmpfiles.d/systemd-tmp.conf
+++ b/tmpfiles.d/systemd-tmp.conf
@ -5,7 +5,7 @@
 #  the Free Software Foundation; either version 2.1 of the License, or
 #  (at your option) any later version.

-# See tmpfiles.d(5) for details
+# See tmpfiles.d(5) for details.

 # Exclude namespace mountpoints created with PrivateTmp=yes
 x /tmp/systemd-private-%b-*
--- a/tmpfiles.d/systemd.conf.in
+++ b/tmpfiles.d/systemd.conf.in
@ -5,7 +5,7 @@
 #  the Free Software Foundation; either version 2.1 of the License, or
 #  (at your option) any later version.

-# See tmpfiles.d(5) for details
+# See tmpfiles.d(5) for details.

 d /run/user 0755 root root -
 {% if ENABLE_UTMP %}
--- a/tmpfiles.d/tmp.conf
+++ b/tmpfiles.d/tmp.conf
@ -5,7 +5,7 @@
 #  the Free Software Foundation; either version 2.1 of the License, or
 #  (at your option) any later version.

-# See tmpfiles.d(5) for details
+# See tmpfiles.d(5) for details.

 # Clear tmp directories separately, to make them easier to override
 q /tmp 1777 root root 10d
--- a/tmpfiles.d/var.conf.in
+++ b/tmpfiles.d/var.conf.in
@ -5,7 +5,7 @@
 #  the Free Software Foundation; either version 2.1 of the License, or
 #  (at your option) any later version.

-# See tmpfiles.d(5) for details
+# See tmpfiles.d(5) for details.

 q /var 0755 - - -

--- a/tmpfiles.d/x11.conf
+++ b/tmpfiles.d/x11.conf
@ -5,7 +5,7 @@
 #  the Free Software Foundation; either version 2.1 of the License, or
 #  (at your option) any later version.

-# See tmpfiles.d(5) for details
+# See tmpfiles.d(5) for details.

 # Make sure these are created by default so that nobody else can
 # or empty them at startup
Author	SHA1	Message	Date
Lennart Poettering	4baee2d732	pam-systemd: talk to logind via varlink This makes sure we now use Varlink per default as transport for allocating sessions. This reduces the time it takes to do one run0 cycle by roughly ~10% on my completely synthetic test setup (assuming the target user's service manager is already started) The D-Bus codepaths are kept in place for two reasons: * To make upgrades easy * If the user actually sets resource properties on the PAM session we fall back to the D-Bus codepaths, as we currently have no way to encode the scope properties in JSON, this is only supported for D-Bus serialization. The latter should be revisited once it is possible to allocate a scope unit from PID1 via varlink.	2024-11-22 12:22:47 +01:00
Lennart Poettering	81d96882c7	logind: add basic Varlink API For now this only covers CreateSession() and ReleaseSession(), i.e. the two operations pam_systemd cares about.	2024-11-22 12:22:47 +01:00
Lennart Poettering	b52d094f36	logind: split create session reply handling in two This prepares ground so that later on we can reply with either D-Bus or Varlink depending on the client's request.	2024-11-22 12:22:47 +01:00
Lennart Poettering	4801535168	logind: also potentially GC the session if we cannot send reply	2024-11-22 12:22:47 +01:00
Lennart Poettering	674d6d5f3f	logind: indicate that 'error' parameter is input by making it const	2024-11-22 12:22:47 +01:00
Lennart Poettering	104ea6f13a	logind: rework session creation logic, to be more reusable for varlink codepaths This separates the preparatory checks that generate D-Bus errors from the code that actually allocates the session. This make the logic easier to follow and prepares ground so that we can reuse the 2nd part later when exposing session creation via Varlink.	2024-11-22 12:22:47 +01:00
Lennart Poettering	8ff54135a8	logind: split out logic that finds free session ID into helper call Just some refactoring to make an overly large function a bit smaller.	2024-11-22 12:22:47 +01:00
Lennart Poettering	2a356c976a	logind: normalize parameter to create_session() We can pass a properly typed Manager object here, no reason to pass it as void*.	2024-11-22 12:22:47 +01:00
Lennart Poettering	756654b230	sd-varlink: fix bug when enqueuing messages with fds asynchronously When determining the poll events to wait for we need to take the queue of pending messages that carry fds into account. Otherwise we might end up not waking up if such an fd-carrying message is enqueued asynchronously (i.e. not from a dispatch callback).	2024-11-22 12:22:47 +01:00
Lennart Poettering	7900a06e48	sd-varlink: add flag for sd_varlink_server for creating connections with fd passing enabled Let's add a simple flag that enables fd passing for all connections of a server. It's much easier to use this than to install a connect handler which manually enables this for each connection.	2024-11-22 12:22:47 +01:00
Lennart Poettering	2eeb395d2f	terminal-util: modernize vtnr_from_tty() a bit	2024-11-22 12:22:47 +01:00
Lennart Poettering	4c0268ffcd	sd-login: make use of getpeerpidref() and cg_pidref_get_*()	2024-11-22 12:22:47 +01:00
Lennart Poettering	43b28e046b	socket-util: introduce getpeerpidref() This combines getpeercred() and getpeerpidfd() and returns a PidRef	2024-11-22 12:22:47 +01:00
Lennart Poettering	8437948063	cgroup-util: add pidref counterparts for cg_pid_get_session() + cg_pid_get_owner_uid()	2024-11-22 12:22:47 +01:00
Lennart Poettering	71e6c1643a	tree-wide: use pidref_is_self() at more places	2024-11-22 12:22:47 +01:00
Lennart Poettering	8c4474092c	sd-json: add json_dispatch_const_path() helper The new json_dispatch_const_path() is to json_dispatch_path() what sd_json_dispatch_const_string() is to sd_json_dispatch_ string(), i.e. doesn't implicitly strdup() the string, but gives you the pointer into the JSON structure, and thus requires you to keep it pinned.	2024-11-22 12:22:47 +01:00
Lennart Poettering	a4b0cdbb5f	pam_systemd: introduce pam_get_data_many() helper and make use of it This is to pam_get_data() what pam_get_item() is to pam_get_item_many().	2024-11-22 12:22:47 +01:00
Lennart Poettering	4be09a13ba	pam_systemd: fix error code confusion when prepping D-Bus message We got confused by the error codes here, and sometimes return PAM errors where the caller propagated them unconverted as negative errno errors. Fix that.	2024-11-22 12:22:47 +01:00
Lennart Poettering	a7280afc81	pam_systemd: split pam_sm_open_session() into more digestable blocks Let's separate four different parts of pam_sm_open_session(): 1. Acquiring of our various parameters from pam env, pam data, pam items 2. Mangling of that data to clean it up 3. Registering of the service with logind 4. Importing shell credentials into environment variables 5. Enforcement of user record data This makes the code a lot more readable, and gets rid of an ugly got label. It also corrects things: if step 3 doesnt work because logind is not around, we'll now still do step 4, which we previously erroneously skipped. Besodes that no real code changes.	2024-11-22 12:22:47 +01:00
Lennart Poettering	9ab9a982b2	pam_systemd: split out setting of shell env vars from credentials and move it later Let's shorten the code of pam_sm_open_session() a bit, and also make sure the importing of the env vars from the creds also happens if the session registration with logind is skipped.	2024-11-22 12:22:47 +01:00
Lennart Poettering	2c073ccdba	pam_systemd: drop "uid" field from SessionContext Let's instead just pass over the UserRecord, it's a much more useful object with lots more information we'll sooner or later need (preparation for later commits).	2024-11-22 12:22:47 +01:00
Lennart Poettering	a6eccef309	pam_systemd: drop "pid" field from SessionContext We never use the field and this is not going to change... This addresses a weird asymmetry, as create_session_message() always went to the process' own PID when doing pidfds but otherwise (i.e. without pidfds) would honour the PID specified as function parameter.	2024-11-22 12:22:47 +01:00
Lennart Poettering	1dfb7c16f0	pam-systemd: normalize parsing of XDG_VTNR Let's make it more like the parsing of the "incomplete" boolean env var, to streamline things.	2024-11-22 12:22:47 +01:00
Lennart Poettering	604a4389fd	varlink: apparently on old kernels SO_PEERPIDFD returns EINVAL	2024-11-22 12:17:50 +01:00
Antonio Alvarez Feijoo	2ccacdd57c	bash-completion: add --list-devices to systemd-cryptenroll And also use it to list suitable block devices.	2024-11-22 10:38:19 +01:00
Yu Watanabe	d99198819c	core/service: service_add_fd_store() consumes passed fd Without this change, the fd is closed twice on failure. Fixes a bug introduced by `dff9808a62`. Fixes #35288.	2024-11-22 04:15:51 +01:00
Tobias Zimmermann	f70e5620b6	hwdb: Add quirk for Logitech MX Keys for Mac The KEY_102ND and KEY_GRAVE keys are switched on the Logitech MX Keys for Mac, so switch them back	2024-11-21 21:16:07 +01:00
Zbigniew Jędrzejewski-Szmek	3127c71bf4	Keep tmpfiles/legacy.conf even if SysVInit support is dropped (#35278 )	2024-11-21 21:13:50 +01:00
Yuri Chornoivan	b153eebfb2	po: Translated using Weblate (Ukrainian) Currently translated at 100.0% (257 of 257 strings) Co-authored-by: Yuri Chornoivan <yurchor@ukr.net> Translate-URL: https://translate.fedoraproject.org/projects/systemd/main/uk/ Translation: systemd/main	2024-11-22 05:02:16 +09:00
Zbigniew Jędrzejewski-Szmek	2c06e40ae9	tmpfiles: add period at end of the sentence The license that is immediately above is properly punctuated and it looks sloppy when our line below isn't.	2024-11-21 18:35:18 +01:00
Zbigniew Jędrzejewski-Szmek	5ca9149464	tmpfiles: narrow scope of HAVE_SYSV_COMPAT condition for legacy.conf That file contains a bunch of entries of which only some are related to SysV. The rest are just "traditional APIs" that need to stay. In particular, /var/lock a.k.a. /run/lock is used by many programs (LVM, iscsi, alsactl). Similarly, the README about /var/log is something that should stay as long as we have people migrating from older systems or using the copiuos documentation that mentions /var/log/messages.txt on the Internet. /var/lock/subsys is only used by sysvinit, and our code to support /forcefsck, /fastboot, and /forcequotacheck is conditionalized on HAVE_SYSV_COMPAT, so conditionalize those here on HAVE_SYSV_COMPAT too.	2024-11-21 18:32:46 +01:00