Compare commits


175 Commits

Author SHA1 Message Date
cvlc12 8fa1c6173d man: update PCR and Secure Boot key names and paths 2024-09-19 14:50:34 +02:00
Daan De Meyer bc9a9177b2
Merge pull request #34483 from yuwata/network-conf-parser-neighbor-nexthop
network: several cleanups for conf parsers
2024-09-19 13:59:56 +02:00
Yu Watanabe a13ead6814
Merge pull request #34479 from yuwata/sd-json-dispatch-field-table-static
tree-wide: make sd_json_dispatch_field table static
2024-09-19 18:59:17 +09:00
Yu Watanabe f901a7b39f network/nexthop: introduce generic conf parser for [NextHop] section 2024-09-19 18:41:47 +09:00
Yu Watanabe 9b01cf0406 network/nexthop: make conf parsers for Family= and Gateway= independent of each other 2024-09-19 18:41:46 +09:00
Yu Watanabe d5aae0713d network/nexthop: use log_section_warning() and friend 2024-09-19 18:40:38 +09:00
Daan De Meyer 86c1317270
Merge pull request #34474 from DaanDeMeyer/user-group
Two integration test fixes
2024-09-19 09:20:03 +02:00
Daan De Meyer f4faac2073 test: Run TEST-74-AUX-UTILS in virtual machine
Various tests skip themselves when running in a container so make
sure the test runs in a virtual machine so we get full coverage.
2024-09-19 14:56:34 +09:00
Yu Watanabe 2bcc2a89f3 test: create .netdev file at last
Previously, when the test ran on mkosi, then networkd was not masked, and
might be already started. In that case, the interface test2 would be created
soon after the .netdev file is created, and the .link file would not be
applied to the interface. Hence, the later test case for
'networkctl cat @test2:link' would fail.

This makes networkd always started at the beginning of the test, and
the .netdev file created after the .link file is created. So, the .link file is
always applied to the interface created by the .netdev file.
2024-09-19 14:50:10 +09:00
Yu Watanabe 07e6a111c0 man: fix typo
Follow-up for 8aee931e7a.
2024-09-19 09:18:47 +09:00
Yu Watanabe c2648f6e23 efi: fix typo
Follow-up for f4e081051d.
2024-09-19 09:14:25 +09:00
Daan De Meyer 1d5b4317cd ci: Don't add testuser to wheel and systemd-journal groups
This breaks TEST-74-AUX-UTILS when run in a VM as the user gets access
to journal files that the test expects it can't access.
2024-09-19 08:47:53 +09:00
Frantisek Sumsal cd57920fbf test: drop removed SCSI passthrough feature
This feature has been deprecated since QEMU 5.0 and finally removed in
QEMU 9.1 [0] which now causes issues when running the storage tests on
latest Arch:

------ testcase_long_sysfs_path: BEGIN ------
...
qemu-system-x86_64: -device virtio-blk-pci,drive=drive0,scsi=off,bus=pci_bridge25: Property 'virtio-blk-pci.scsi' not found
E: qemu failed with exit code 1

[0] a271b8d7b2
2024-09-19 08:14:39 +09:00
Yu Watanabe 8d6eedd8a3 network/neighbor: use log_section_warning_errno() 2024-09-19 04:03:11 +09:00
Yu Watanabe 91eaa90b81 network/neighbor: introduce generic Neighbor section parser 2024-09-19 03:59:34 +09:00
Yu Watanabe 3b5c5da73a network/neighbor: use struct in_addr_data 2024-09-19 03:58:28 +09:00
Yu Watanabe 1775654e2c conf-parser: drop unnecessary temporary variable 2024-09-19 03:39:15 +09:00
Yu Watanabe 0ea6d55a4b conf-parser: introduce config_parse_in_addr_data() 2024-09-19 03:38:22 +09:00
Yu Watanabe 26d35019de tree-wide: drop unnecessary 'struct' 2024-09-19 01:34:57 +09:00
Yu Watanabe b962338104 nsresource: make sd_json_dispatch_field table static
This also adds missing error check of sd_json_dispatch().

Follow-up for 54452c7b2a.
2024-09-19 01:34:57 +09:00
Yu Watanabe fae0b00434 creds-util: make sd_json_dispatch_field table static 2024-09-19 01:34:57 +09:00
Yu Watanabe f7923ef318 resolve: make sd_json_dispatch_field table static 2024-09-19 01:34:57 +09:00
Yu Watanabe 36df48d863 resolvectl: make sd_json_dispatch_field table static 2024-09-19 01:34:57 +09:00
Yu Watanabe 53c638db16 updatectl: make sd_json_dispatch_field table static
This also fixes memory leak of Version object on failure.

Follow-up for ec15bb71c2.
2024-09-19 01:34:57 +09:00
Yu Watanabe 751a247794 varlinkctl: make sd_json_dispatch_field table static 2024-09-19 01:34:56 +09:00
Yu Watanabe 07dbbda0fc ssh-generator: make sd_json_dispatch_field table static 2024-09-19 01:34:56 +09:00
Yu Watanabe ed4a6c476e machine: make sd_json_dispatch_field table static 2024-09-19 01:34:56 +09:00
Antonio Alvarez Feijoo fb4c82b643 nsresourced: fix build without libbpf
```
In file included from ../src/nsresourced/nsresourced-manager.c:9:
../src/shared/bpf-link.h:5:10: fatal error: bpf/libbpf.h: No such file or directory
    5 | #include <bpf/libbpf.h>
      |          ^~~~~~~~~~~~~~
```

Follow-up for 46718d344f
2024-09-18 16:44:12 +02:00
Daan De Meyer 4d9ccdc9ae repart: Drop unprivileged subvolumes logic for btrfs
The functionality was explicitly not included in 6.11 for some
unknown reason so drop the logic from systemd-repart as well so
we don't release v257 with it included.
2024-09-18 16:41:42 +02:00
Antonio Alvarez Feijoo bf39626d61 man/repart: use <varname> instead of <variable>
Otherwise, `<variable>$BOOT</variable>` is rendered:

```
[2548/2992] Generating man/repart.d.5 with a custom command
Element variable in namespace '' encountered in para, but no template matches.
Element variable in namespace '' encountered in para, but no template matches.
```
2024-09-18 16:03:56 +02:00
Marius Hoch ff831e7c50 hwdb: Add accel orientation quirk for the IdeaPad Duet 3 10IGL5-LTE
Signed-off-by: Marius Hoch <mail@mariushoch.de>
2024-09-18 20:30:11 +09:00
Daan De Meyer 81af8f998e repart: Support specifying multiple directories to ExcludeFiles= 2024-09-18 10:22:33 +02:00
chenjiayi 4fc8a63f9e systemd: rewatch pids under cgroup v1 when sigchld of processes more than main pid and control pid is captured
If `Delegate` is configured in service, cgroup agent will never send out
any datagram as .control subcgroup is generated. Thus systemd will watch
all processes on the cgroup hierarchy for SIGCHLD to deal with unreliable
cgroup notifications.

In this way, systemd should rewatch all processes when any SIGCHLD is
captured, more than the control pid or main pid.
2024-09-18 10:13:20 +02:00
Jason Yundt dfb3155419 man: document ShowStatus and SetShowStatus()
SetShowStatus() was added in order to fix #11447. Recently, I ran into
the exact same problem that OP was experiencing in #11447. I wasn’t able
to figure out how to deal with the problem until I found #11447, and it
took me a while to find #11447.

This commit takes what I learned from reading #11447 and adds it to the
documentation. Hopefully, this will make it easier for other people who
run into the same problem in the future.
2024-09-18 10:11:55 +02:00
Daan De Meyer fc5037e7d7
Merge pull request #34464 from yuwata/test-space-in-path
test: allow to run tests under directory that contains spaces
2024-09-18 08:50:38 +02:00
Yu Watanabe 13f6ec7ce7 test: quote paths to executables
Fixes #34459.
2024-09-18 09:47:04 +09:00
Yu Watanabe 6e1816ef16 kernel-install: unquote plugin paths in KERNEL_INSTALL_PLUGINS
To support the case that paths to plugins contain spaces.

Prompted by #34459
2024-09-18 09:47:00 +09:00
Yu Watanabe 7ac1ad90d0
Merge pull request #34460 from yuwata/test-86-follow-ups
test: follow-ups for TEST-86
2024-09-18 09:31:17 +09:00
Daan De Meyer 099b16c3e7 tmpfiles.d: Remove purge flag from lines that don't support it
Fixes db15657dfb
2024-09-17 23:02:01 +02:00
Daan De Meyer 7a7f306b6c ukify: Remove debug log
This prints a python data structure which we shouldn't do during
normal operation.
2024-09-17 22:34:13 +02:00
Yu Watanabe 4f2975385f
Merge pull request #34040 from AdrianVovk/repart-dollar-boot
repart: Implement $BOOT support
2024-09-18 05:09:20 +09:00
Daan De Meyer 0432e28394
Merge pull request #34440 from yuwata/network-log-no-matching-network
network: log when no matching .network file found
2024-09-17 21:09:19 +02:00
Yu Watanabe fc956a3973 network/dhcp4: use device_get_property_bool() at link_needs_dhcp_broadcast()
No functional change, just refactoring.
2024-09-17 21:03:59 +02:00
Yu Watanabe d265b8afb7 test: drop unused test.sh for TEST-86-MULTI-PROFILE-UKI
The test cannot run with the bash test runner, as it requires python.
Hence, test.sh is not necessary.

Follow-up for a37640653c.
2024-09-18 04:00:05 +09:00
Yu Watanabe 1aab0a5b10 test: minor coding style fixlets
Follow-up for a37640653c.
2024-09-18 03:50:46 +09:00
Yu Watanabe b0dbb4aa3a
Merge pull request #34457 from poettering/uki-with-many-testcase
multi-profile UKIs: test case
2024-09-18 03:48:45 +09:00
Michael Ferrari 91ea3dcf35 homed: wait for user input during firstboot
This mirrors the behavior of `systemd-firstboot` and allows bootup
messages to settle down before user input is actually processed.

See: https://github.com/systemd/systemd/issues/34448
2024-09-18 03:21:11 +09:00
Yu Watanabe a95ae2d36a conf-parser: use hashmap_ensure_put() at one more place 2024-09-18 03:13:47 +09:00
Yu Watanabe be8e4b1a87 conf-parser: log errors in config_parse_many_files() and friends
Previously, if a file cannot be opened, e.g. due to its permission,
config_parse_many() or so did not log the error even if the CONFIG_PARSE_WARN
flag is set. This makes all error paths in these functions logged,
and the log level is controlled by the flag.

Prompted by #34436.
2024-09-18 03:13:25 +09:00
Adrian Vovk cf612c5fd5
repart: Add tests for supplement partitions 2024-09-17 14:06:51 -04:00
Adrian Vovk 2cb9c68c3a
repart: Add SupplementFor= logic
This was designed to deal with $BOOT, as defined by the Boot Loader
Specification, but it was made a generic mechanism because it is useful
elsewhere too. See the updated man page for usage examples, motivation,
and an explanation of how this works.
2024-09-17 14:06:50 -04:00
Adrian Vovk 78e9059208
repart: Consider existing partitions when placing
Fixes an oversight in `context_allocate_partitions` that makes it
succeed in cases where it should fail. Essentially, there was nothing
actually enforcing SizeMinBytes= and PaddingMinBytes= for partitions
that exist, only for new partitions. This behavior is inconsistent with
the docs, which state that existing partitions will be grown to at least
the specified minimum size, and that "If the backing device does not
provide enough space to fulfill the constraints placing the partition
will fail".
2024-09-17 14:06:49 -04:00
Adrian Vovk e671bdc5c3
strv: Fixup STRV_FOREACH_PAIR macro
The macro didn't properly parenthesize a caller-controlled argument.
For example: `STRV_FOREACH_PAIR(a, b, something ?: something_else)`
would expand to `typeof(*something ?: something_else)`, which would
cause compile failures.
2024-09-17 14:06:26 -04:00
Yu Watanabe 572d031eca log: introduce log_oom_full() 2024-09-18 02:50:19 +09:00
Yu Watanabe 25da422bd1 network: log loaded .network and .netdev files 2024-09-18 02:35:28 +09:00
Yu Watanabe 5872ea7008 network: log when no matching .network file found
When an interface enters unmanaged state, there are two possibilities:
- no matching .network file found,
- found a matching .network with Unmanaged=yes.

When a matching .network file is found, networkd logs the filename.
Let's also log when no matching .network file is found.

This also slightly adjusts the log message when a matching .network file
is found.

Closes #34436.
2024-09-18 02:27:13 +09:00
PavlNekrasov d80a9042ca
Use correct error code in log message in output_waiting_jobs (#34404)
The error code `r` from the read function is being logged, but the error code `rc` from the table data insertion function should be logged instead.
2024-09-17 19:17:21 +09:00
Yu Watanabe a7afe5a3e7
Merge pull request #34443 from yuwata/network-sysctl-monitor-follow-ups
network/sysctl-monitor: several follow-ups and cleanups
2024-09-17 19:15:12 +09:00
Lennart Poettering a2369d0224 update TODO 2024-09-17 10:40:51 +02:00
Lennart Poettering a37640653c ci: add testcase for multi-profile UKIs
This tests the whole shebang:

1. That ukify can generate them properly
2. That systemd-boot can dissect them properly
3. That systemd-stub can accept profile selection properly
4. That the profile information ends up in /run/systemd/stub/ properly
5. That systemd-measure correctly calculates the expected PCR 11 values
   for each profile and that we can unlock a public-key bound LUKS
   volume with it
2024-09-17 10:40:51 +02:00
Yu Watanabe a65b864835 docs: fix typo in filename: REATLIME -> REALTIME 2024-09-17 10:21:54 +02:00
Yu Watanabe 9959681a0d test/repart: fix mkfs checker
Follow-up for 27cacec939.
2024-09-17 10:15:21 +02:00
Daan De Meyer b3ebd480d6 Fix generator logging
log_setup() overrides the previously set log target again so we
can't use it in log_setup_generator().

Follow-up for aa976d8788
2024-09-17 15:10:39 +09:00
Arian van Putten 6695ff4c15 CONTROL_GROUP_INTERFACE: fix link to systemd-run code 2024-09-17 15:09:48 +09:00
Yu Watanabe 4d6ad22f8d network: drop unnecessary BPF related objects from Manager when disabled 2024-09-17 15:00:06 +09:00
Yu Watanabe 099ee34ca1 network/sysctl-monitor: do not allocate sysctl_shadow when eBPF is not supported
When eBPF is disabled, the hashmap will be never used. Let's not
allocate it.
2024-09-17 14:53:29 +09:00
Yu Watanabe a2fbe9f3f9 network/sysctl-monitor: fix use-after-free
Previously, manager_free() did not assign NULL to Manager.sysctl_shadow,
hence sysctl_clear_link_shadows() called by link_free() will cause a
use-after-free. To fix the issue, this makes Manager.sysctl_shadow be
set to NULL after it is freed.

Fixes a bug introduced by 6d9ef22acd.
2024-09-16 15:12:47 +09:00
Yu Watanabe 7c778cecdb network/sysctl: several cleanups for sysctl_add_monitor()
- rename rootcg -> root_cgroup_fd, to emphasize it is a fd,
- drop nested function call, and check error code.
2024-09-16 14:36:54 +09:00
Yu Watanabe 46718d344f bpf-link: introduce bpf_ring_buffer_free() and friends
Then, replace rb_free() in networkd.

Follow-up for 6d9ef22acd.
2024-09-16 14:36:54 +09:00
Yu Watanabe 9295c7ae09 network/sysctl: use wrapped free functions
No functional change, just refactoring.

Follow-up for 6d9ef22acd.
2024-09-16 14:36:54 +09:00
Yu Watanabe 41afafbf2a network/sysctl-monitor: fix sanity check in cut_last()
This also adds basic comment about the return code.

Follow-up for 6d9ef22acd.
2024-09-16 14:36:54 +09:00
Yu Watanabe 9671efff78 NEWS: fix typo
Follow-up for dcc359010c.
2024-09-16 11:50:48 +09:00
Yu Watanabe 4f0bc2582e man: fix typo
Follow-up for a632d8dd9f.
2024-09-16 11:49:04 +09:00
Yu Watanabe 3292120adf nspawn: fix typo
Follow-up for d7a6bb9891.
2024-09-16 11:47:43 +09:00
Yu Watanabe f6cc5e1c8d
Merge pull request #34393 from poettering/tmpfiles-ownership-flag
tmpfiles: introduce an explicit line flag $ for enabling purge logic …
2024-09-16 10:51:09 +09:00
Yu Watanabe 590f430cac
Merge pull request #34425 from yuwata/udev-rules-case-insensitive-match
udev-rules: support case insensitive match
2024-09-16 10:42:37 +09:00
Mike Yuan 93d2d36638 basic/build: also include BTF status 2024-09-16 10:42:16 +09:00
Lennart Poettering 369b12375b coredump: use _cleanup_(iovec_done) where appropriate 2024-09-16 10:42:02 +09:00
Yu Watanabe b5ec8f77e0
Merge pull request #34434 from poettering/bootctl-stub-paths
bootctl: expose new stub path efi vars and related
2024-09-16 10:41:24 +09:00
Lennart Poettering 3e0a3a0259 bootctl: show whether a PE file is an addon in 'bootctl kernel-identify' 2024-09-16 10:41:10 +09:00
Celeste Liu 6573f0c82c hwdb: add Kensington SlimBlade Pro trackball (Bluetooth mode)
Wired and 2.4G dongle connectivity is covered by general trackball rule,
but with Bluetooth connectivity Kensington SlimBlade Pro uses the name
"SlimBlade Pro" which doesn't contain "[Tt]rack[Bb]all". We need to
process it specially.

Signed-off-by: Celeste Liu <CoelacanthusHex@gmail.com>
2024-09-16 10:40:56 +09:00
Daan De Meyer e0258ac886 repart: Fix log messages in partition_populate_directory()
We're not actually populating a filesystem here, we're preparing
to populate a filesystem, so update the log messages accordingly.
2024-09-15 22:40:10 +02:00
Lennart Poettering a859d0d378 tmpfiles.d: add $ flag to all lines which are clearly private to our packages, and should be removed on package removal
(This excludes any dirs that contain resources placed there by the user)

(I also didn't bother marking resources belonging to components that are
really not optional for us)
2024-09-15 19:44:05 +02:00
Lennart Poettering db15657dfb tmpfiles: introduce an explicit line flag $ for enabling purge logic for a line
Let's make the risk of accidental misuse, and mark lines that shall be
covered by --purge with an explicit new flag "$".

See: #33349
2024-09-15 19:43:09 +02:00
Lennart Poettering 2aa3005ad2 bootctl: also show current/default/oneshot entry literally in output 2024-09-15 19:34:19 +02:00
Lennart Poettering 90cf998875 bootctl: add --print-loader-path + --print-stub-path
These are inspired by the existing commands that return the path to the
boot or ESP partitions. However, these new commands show the path to the
boot loader (systemd-boot) or UKI/stub (systemd-stub) that was used on
the current boot. This information is derived from EFI variables.
2024-09-15 19:34:19 +02:00
Lennart Poettering c8d60ae79d efivars: add helper that reads an fs path from an efi var 2024-09-15 19:34:19 +02:00
Lennart Poettering bfcf48b842 bootctl: show stub partition data in "status" too 2024-09-15 19:33:48 +02:00
Mike Yuan 3a41a21666 man/bootup: rename initrd to exitrd at one more place
Follow-up for f2c2fa87b6
2024-09-16 01:35:31 +09:00
Luca Boccassi 37c2010bcf test: fix ASAN options in TEST-29-PORTABLE
Bash arrays cannot be exported, so we need to redefine it in each
subtest

Follow-up for 680dec33f2
2024-09-15 18:10:29 +02:00
Yu Watanabe 5f5c5c48b9 udev-rules: support case insensitive match
This introduces an 'i' prefix for match strings. When specified, the string or
pattern will match case-insensitively.

Closes #34359.

Co-authored-by: Ryan Wilson <ryantimwilson@meta.com>
2024-09-15 23:09:26 +09:00
Daan De Meyer 27a8a29e32 mkosi: Disable makepkg PKGBUILD linting using the newly added environment variable 2024-09-15 12:44:15 +02:00
Daan De Meyer faa79a78c8
Merge pull request #34409 from DaanDeMeyer/boot-fix
boot: Make initrd_prepare() semantically equivalent to combine_initrds()
2024-09-15 11:57:57 +02:00
Daan De Meyer f8fa4222c9 boot: Make initrd_prepare() semantically equivalent to combine_initrds()
Currently, trying to boot images with type 1 entries generated by mkosi
with qemu freezes in the kernel EFI stub. I'm not going to pretend I
understand what's going on, but when I reported a similar problem with
UKIs, the fix was to rework the code in combine_initrds() in the stub
to behave like it does today. It seems that same fix was never applied
to systemd-boot's combine_initrds() function, so let's do that now to
fix the freezes I've been seeing trying to boot images with type 1 entries
in qemu.
2024-09-15 10:11:59 +02:00
Daan De Meyer c9c5c8d29b boot: Use TAKE_STRUCT() in one more place 2024-09-15 10:11:59 +02:00
Lennart Poettering 1b7ef87fc1
Merge pull request #34347 from poettering/uki-with-many-bootctl
bootctl: multi-profile UKI support
2024-09-15 09:06:58 +02:00
Yu Watanabe 68fdef46a7 udev-rules: embed UdevRuleToken.attr_match_remove_trailing_whitespace flag into UdevRuleMatchType
No functional change, just refactoring and preparation for later change.
2024-09-15 13:52:50 +09:00
Luca Boccassi 680dec33f2 test: split TEST-29-PORTABLE in subtests
The test script is quite long and hard to read. Split it.
Start with one image-based and one directory-based subtest.
2024-09-15 12:23:12 +09:00
Ronan Pigott 32b8065e87
load-fragment: terminate the specifier table (#34421)
Otherwise an invalid specifier iterates over uninitialized data.

Fixes a bug introduced by 0b40688d18 (v254).
2024-09-15 12:21:39 +09:00
Yu Watanabe f921e7d6a3
Merge pull request #34419 from yuwata/creds
creds: several follow-ups and cleanups
2024-09-15 12:15:57 +09:00
Yu Watanabe d97c672be0
Merge pull request #34405 from poettering/dns-domain-validate-fix
dns-domain: fix validation check for max name
2024-09-15 03:33:12 +09:00
Yu Watanabe 60b2ddc9b7 creds: move -h/--help and --version to correct section in the help message 2024-09-15 03:22:13 +09:00
Yu Watanabe 6c38915d35 creds: add short comment that has-tpm2 is moved
Follow-up for 58e359604f.
2024-09-15 03:22:04 +09:00
Yu Watanabe acdfb85d97 creds: align table 2024-09-15 03:19:21 +09:00
Yu Watanabe 4f176f24d6 creds: drop unnecessary include of build-path.h
Follow-up for 58e359604f.
2024-09-15 03:18:46 +09:00
Matthieu CHARETTE 8ee3d4df80 Add HUAWEI MateBook D 15 AMD ACCEL properties 2024-09-14 19:50:28 +02:00
Mike Yuan c7f7225f1a
Merge pull request #34401 from poettering/implicit-sigprocmask
tree-wide: make sigprocmask() changes more automatic
2024-09-14 17:47:47 +02:00
Gregory Arenius 3f3dc6ab84 Add ACCEL_MOUNT_MATRIX for Chuwi Hi10 Max. 2024-09-14 11:06:38 +02:00
Lennart Poettering 3f49d58920 dns-domain: add test case from #34399 2024-09-13 18:03:17 +02:00
Lennart Poettering 1e1661c5d2 dns-domain: validate dns domain name max size based on unescaped, not escaped size
Otherwise we'll consider various domains invalid that really shouldn't
be considered invalid.

Fixes: #34399
2024-09-13 18:02:54 +02:00
Lennart Poettering dc8ed83892 dns-domain: follow our current variable naming style 2024-09-13 18:00:38 +02:00
Luca Boccassi 00f546e25e core: do not fail if ignorable img.v/ vpick dir is empty
If the vpick directory is configured to be ignored if missing, do not
fail and just skip ahead.

Follow-up for 5e79dd96a8
Follow-up for 622efc544d
2024-09-13 17:32:00 +02:00
Lennart Poettering 831ad06bf5 update TODO 2024-09-13 17:12:28 +02:00
Lennart Poettering d7a6bb9891 tree-wide: make sigprocmask() changes more automatic
This tries to get rid of most manual sigprocmask() changes, in favour
of:

1. The SD_EVENT_SIGNAL_PROCMASK flag to sd_event_add_signal()
2. The sd_event_set_signal_exit() call for handling SIGTERM/SIGINT
3. Move masking of SIGWINCH into ptyfwd, out of nspawn/vmspawn/run

And while we are at it get rid of a bunch of event source fields whose
lifetime is bound to the sd_event object they belong to anyway, and make
use of the "floating" event source feature of sd-event instead.
2024-09-13 17:12:28 +02:00
Luca Boccassi a7af35f1d4
Merge pull request #34402 from keszybz/notes-readme
Add examples not package/dlopen notes
2024-09-13 15:19:56 +02:00
Zbigniew Jędrzejewski-Szmek 2e1f83d1ab docs/ELF_DLOPEN_METADATA: add detailed example 2024-09-13 14:53:17 +02:00
Zbigniew Jędrzejewski-Szmek 9a2b54d9f7 docs/ELF_PACKAGE_METADATA: add detailed example
When the spec was initially written, we didn't add good documentation of how to
display the notes, also because there was no good way to display the data
except manually extracting the section to a file and running 'jq' on that. But
the tools have improved, so let's show the users how easy it is to use this
data.
2024-09-13 14:51:44 +02:00
Luca Boccassi 7b9dc72c3c mkosi: update debian commit reference
* 0704bfd93f Use dh-exec for d/systemd-timesyncd.manpages
* b668a942e9 Install new sd-stub tmpfiles.d
* 57aa6890f3 Install new org.freedesktop.timesync1 manpage
* 63e7fb5a48 Install new shell credentials snippets
* 3ce727ad45 Update changelog for 256.6-1 release
* 65e0731d3a Note systemd-cryptsetup package split in NEWS
*   2bd9927f5d Update upstream source from tag 'upstream/256.6'
|\
| * 27c691ac24 New upstream version 256.6
* 395974bae4 Re-enable utmp support, tmux's autopkgtests require it
* 685e1c84eb initramfs-tools: ensure rules file exists before invoking chzdev
* a454822396 Filter out zdev rules in the initramfs hook (LP: #2044104)
* cd0179221d salsa-ci: test the stage1 build profile
* 55917feab0 Update changelog for 256.5-2 release
* f280a3cbf5 Disable utmp support, replaced by wtmpdb
* 635c5f48dc d/t/upstream: do not pass /var/cache/apt/archives to PackageDirectories
2024-09-13 12:06:27 +02:00
Ricky Tigg 809b844a9e po: Translated using Weblate (Finnish)
Currently translated at 100.0% (253 of 253 strings)

Co-authored-by: Ricky Tigg <ricky.tigg@gmail.com>
Translate-URL: https://translate.fedoraproject.org/projects/systemd/main/fi/
Translation: systemd/main
2024-09-13 11:17:04 +02:00
Daan De Meyer 76c774828f
Merge pull request #34392 from poettering/format-util-split
tweaks to networkd sysctl logging
2024-09-13 09:18:56 +02:00
Lennart Poettering e1f9d3c84b catalog: beef up new sysctl message
Let's make use of the templating logic, to make the entry more useful.
2024-09-13 07:29:04 +02:00
Lennart Poettering 9d63491f25 catalog: rebreak catalog entry 2024-09-13 07:28:55 +02:00
Lennart Poettering a44fa55e26 networkd: move sysctl code to use PID_FMT
Now that format-util.h doesn't pull in net/if.h anymore, we can use it
to format PIDs in the networkd-sysctl.c code.
2024-09-13 07:28:51 +02:00
Lennart Poettering 868258cf38 basic: split ifname related calls from format-util.h into format-ifname.h
This way we don't have to pull in net/if.h into format-util.h.

This is supposed to address https://github.com/systemd/systemd/pull/32212#discussion_r1755639881

No actual code changes, just a .c/.h file split-up.
2024-09-13 07:27:47 +02:00
Matteo Croce 64e03ca8bf minor fixups for #32212
Fix minor post merge comments
2024-09-13 07:23:07 +02:00
Daan De Meyer cf94f513f0 mkosi: Stop applying device groups patch on Arch
It stopped applying so let's stop applying it to make CI green again.
2024-09-12 22:23:57 +02:00
Ryan Wilson b0b4e39a4d analyze: add test for verify exit status with warnings 2024-09-12 22:19:48 +02:00
Daan De Meyer e196136bc5 units: Order ldconfig.service after systemd-confext.service
The configuration files required by ldconfig could be put into
place by systemd-confext.service (ldconfig only looks in /etc) so
let's order the service after systemd-confext.service to make sure
any config files are in place before the service runs.
2024-09-12 20:20:53 +02:00
Luca Boccassi ca690e6b84
Merge pull request #34390 from poettering/bus-process-man-tweak
man: document that sd_bus_process() only returns otherwise unhandled …
2024-09-12 20:04:49 +02:00
Lennart Poettering 5892950ba4
Merge pull request #32212 from teknoraver/networkd-sysctl
More visibility into systemd-networkd sysctls
2024-09-12 17:28:59 +02:00
Lennart Poettering 07696a1f07 update TODO 2024-09-12 16:18:59 +02:00
Lennart Poettering 55184c4cfc man: document that sd_bus_process() only returns otherwise unhandled messages in *ret_message 2024-09-12 16:18:07 +02:00
Lennart Poettering dd4114317a update TODO 2024-09-12 16:17:42 +02:00
Lennart Poettering 9045f88d72
Merge pull request #34388 from poettering/syscall-update
seccomp: update syscall list and categorize new additions a bit
2024-09-12 15:46:03 +02:00
Lennart Poettering 1791854ce4
Merge pull request #34385 from poettering/man-unify-pcr-key-name
man: clean up PCR public key filenames in systemd-stub and systemd-measure man pages
2024-09-12 15:45:40 +02:00
Mike Yuan 8e8e41c724
NEWS: correct/complete some entries 2024-09-12 14:47:42 +02:00
Daan De Meyer 236a5e5f89
Merge pull request #34386 from keszybz/mkosi-update-helper
Mkosi update helper
2024-09-12 14:35:17 +02:00
Lennart Poettering 626df2fe8d seccomp-util: add recently added new syscalls to various seccomp groups, as appropriate 2024-09-12 14:25:42 +02:00
Lennart Poettering 1d551b1e7d syscalls: run "ninja update-syscalls-*" 2024-09-12 14:20:50 +02:00
Zbigniew Jędrzejewski-Szmek dcc359010c NEWS: the first big batch for v257 2024-09-12 13:27:57 +02:00
Lennart Poettering 58e359604f analyze: move "has-tpm2" from systemd-creds to systemd-analyze
The verb is not really specific to credential management, it was always a
bit misplaced. Hence move it to systemd-analyze, where we already have
some general TPM related verbs such as "srk" and "pcrs".
2024-09-12 12:56:03 +02:00
Zbigniew Jędrzejewski-Szmek 37bf958e7b mkosi: update mkosi commit reference to v24.3-158-g2c9954fa51
* 2c9954fa51 mkosi-initrd: correct `--debug-shell` help output
*   671708a10b Merge pull request #2990 from behrmann/allthemanuals
|\
| * 2671849125 initrd: add --show-documentation option
| * e2238f5dc7 Move show_docs to its own module
| * e366093b1c doc: make documentation command take an argument
* | 9fcff08b34 Update documentation links
* | 113f7f67dd Only write to /etc/machine-id if /etc exists
|/
*   62a610c0e5 Merge pull request #3005 from DaanDeMeyer/mypy
|\
| * 9b569c93bb Don't delete reader in _tempfile() backport
| * 16f4c94930 Mark all class variables as Final
| * ca7021e9a7 Annotate two more variables that need it
| * fec368dd4d Move KeySource.Type out of KeySource
| * ff5f7b06b8 user: Drop lru_cache() for home() and name()
| * 8f7c7b366f Move code backported from cpython upstream to backport.py
| * f66212e9c2 Drop listify()
| * 4293866df2 mypy: Disable allow_redefinition
| * 2700337f11 Fix mypyc warnings in sandbox.py
|/
* 025483af04 sandbox: Use separate variable name when we change types
*   b04800cd30 Merge pull request #3003 from DaanDeMeyer/initrd
|\
| * fd64be9b60 mkosi-initrd: Ignore gnupg subdirectory
| * 7a8a21f8f6 mkosi-initrd: Only set --cacheonly=metadata when running as root
| * 156880c398 mkosi-initrd: Add --debug-shell argument
|/
*   a32c8f393a Merge pull request #3002 from DaanDeMeyer/cherry-pick
|\
| * 1d8bfabc97 news: add note to change where the manual pages are
| * 8917d65db1 initrd: flatten module into a single file
| * 76085b788a sandbox: flatten module into a single file
| * 9f48afa4a7 cli: add missing completion stubs to pyproject.toml
| * 6e21cceb03 doc: move man pages to resources/man
| * 25d1c6b579 cli: use ellipsis ligature instead of writing out ...
|/
* 013d9b5595 Move various functions to bootloader.py
* 508ad85475 Update NEWS.md
* f25b8dee6f Simplify package cache dir mirror key
*   dce4c8af51 Merge pull request #2998 from DaanDeMeyer/ci
|\
| * f4934828f7 tests: Show debug messages on console
| * fa3ae22598 ci: Drop machine-id commit timeout drop-in
* dba01269de base64 encode mirror if we put it in package cache dir key
* 364b65f7bb Add 'login' to Debian/Ubuntu/Kali package list
* ee07b5b6d2 Bump github/codeql-action from 3.25.15 to 3.26.6
2024-09-12 11:01:17 +02:00
Zbigniew Jędrzejewski-Szmek e31134b5f2 mkosi: add helper script to update mkosi hash
This is very similar to tools/fetch-distro.py. The idea is that we extend the
commit to update the mkosi hash with a git log --pretty=oneline output, so that
the reader can know what changes were actually included.

The motivation is that I'm always wondering what changed in mkosi when I see a
commit updating the hash, and it's nicer to have this information shown
directly in the commit.

The script does _not_ pull changes from upstream, on the assumption that the
person doing the commit always has a fresh checkout and that they tested with
that checkout.
2024-09-12 10:52:52 +02:00
Lennart Poettering 6a92a793ac bootspec: automatically filter non-native UKIs and add-ons when enumerating 2024-09-12 10:02:15 +02:00
Lennart Poettering 59b3df9bae bootspec: process multi-profile UKIs 2024-09-12 10:02:15 +02:00
Lennart Poettering 9de565dd5d pe-binary: add pe_is_native() for checking if PE is native 2024-09-12 10:02:15 +02:00
Lennart Poettering e6c49f7f11 pe-binary: split pe_header_find_section() in two
This splits out the core part into a new function
pe_section_table_find().

pe_header_find_section() takes a PeHeader as input, while
pe_section_table_find() just takes the section table and its size.
2024-09-12 10:02:15 +02:00
Lennart Poettering f3c1d7fea1 pe-binary: split pe_read_section_data() into two
This renames pe_read_section_data() to pe_read_section_data_by_name()
and makes pe_read_section_data() a bit more low-level: it takes a header
table entry directly, instead of searching it first by name.
2024-09-12 10:02:15 +02:00
Lennart Poettering a8e912f01b pe-binary: add helper pe_is_addon() for detecting whether we are looking at PE EFI add-on 2024-09-12 10:02:15 +02:00
Lennart Poettering 201aca5f9a man: fix advertised filename of the PCR public key 2024-09-12 09:46:26 +02:00
Lennart Poettering 6f1dfc407e man: systemd-stub places PCR public key in file 'tpm2-pcr-public-key.pem', stick to that name across the board
systemd-stub provides the signing key for TPM2 signed PCR policies in a
file tpm2-pcr-public-key.pem to userspace. Hence, to clarify that this
is the same key as used when signing via "systemd-measure", let's rename
it in the docs like that.

Also rename the private key to tpm2-pcr-private-key.pem, to keep the
symmetry.

With this we should universally stick to this nomenclature:

1. tpm2-pcr-public-key.pem   ← public part of signing key
2. tpm2-pcr-private-key.pem  ← private part of signing key
3. tpm2-pcr-signature.json   ← signature file made with key pair

Inspired by: #34069
2024-09-12 09:46:26 +02:00
Lennart Poettering d258b1c60c update TODO 2024-09-12 09:38:32 +02:00
Mike Yuan 53c75243af network/wireguard: refuse default key if all zero
Follow-up for fa724cd52c

We attempt to retrieve the default key if eqzero(Wireguard.private_key),
but an all-zero default key should be refused too.
2024-09-12 09:25:50 +02:00
Matteo Croce c78bcda461 test-network: add test for sysctl watch
Add a NetworkdSysctlTest class which ensures that networkd correctly
complains when a sysctl file it's handling has been changed externally.
2024-09-11 23:10:36 +02:00
Matteo Croce 6d9ef22acd emit a warning in networkd if managed sysctls are changed
Monitor the sysctls set by networkd for writes; if a sysctl is
overwritten with a different value than the one we set, emit a warning.
Writes are detected with an eBPF program attached as BPF_CGROUP_SYSCTL
which reports the sysctl writes only in net/.

The eBPF program only reports sysctl writes from a different cgroup than networkd.
To do this, it uses the `bpf_current_task_under_cgroup_proto()` helper,
which will be allowed in BPF_CGROUP_SYSCTL from kernel 6.12[1].

Loading a BPF_CGROUP_SYSCTL program requires the CAP_SYS_ADMIN capability,
so drop it just after the program load, whether it loads successfully or not.

Writes are logged but permitted; in the future the functionality can be
extended to also deny writes to managed sysctls.

[1] https://lore.kernel.org/bpf/20240819162805.78235-3-technoboy85@gmail.com/
2024-09-11 23:07:00 +02:00
Matteo Croce 64629617b6 store the sysctls set by networkd
networkd sets several sysctls to set the network configuration. Save their
values so we can check if other processes change them.
2024-09-11 23:01:25 +02:00
Matteo Croce 766bcf302a extend sysctl functions to shadow values
Pass to all the sysctl_* functions a hashmap which can be used to
optionally save the value written in the sysctl.
2024-09-11 23:01:25 +02:00
Lennart Poettering 2b735c7d71 resolvectl: rework StatusMode handling into a switch/case statement 2024-09-11 21:36:50 +02:00
Lennart Poettering da8540583d resolvectl: rename shallow destructors …_done() 2024-09-11 21:36:36 +02:00
Daan De Meyer 783a15081e
Merge pull request #34373 from poettering/resolved-dnssd-move-out
move dnssd configuration file parsing from generic code into dnssd source files
2024-09-11 21:36:24 +02:00
Lennart Poettering 967c84ebb0 resolved: simplify dns_scope_get_n_dns_servers(), don't count each time 2024-09-11 21:36:11 +02:00
Lennart Poettering 6e1fa7516a resolved: use dns_scope_ifindex() at more places
And add a mirroring dns_scope_ifname()
2024-09-11 21:35:58 +02:00
Lennart Poettering 14dc0fc4ef resolved: simplify initialization of DnsScope 2024-09-11 21:35:47 +02:00
Lennart Poettering 8b4fb52462 pcrlock: remove empty components from our list
This is a rework of e7a93e75219b22424bab95fe45982f5eef21d581: instead of
handling components with n_variants being zero at every step of the way, we instead
remove it from our list after loading all components, given that such a
component simply makes no sense for the rest of our logic.
2024-09-11 21:35:34 +02:00
Lennart Poettering 368051ee6b resolved: use unlinkat() where appropriate 2024-09-11 21:34:51 +02:00
Daan De Meyer aaa6c6e279
Merge pull request #34377 from DaanDeMeyer/symlinks
repart: Add MakeSymlinks=
2024-09-11 21:34:37 +02:00
Lennart Poettering e5868783ca resolvectl: show DefaultRoute state in per-link DNS status info too 2024-09-11 21:14:28 +02:00
Lennart Poettering 118592cc49 pcrlock: correct --help text regarding recovery pin
Fixes: #33917
2024-09-11 21:13:38 +02:00
Lennart Poettering 8d647ed2ff cryptenroll: don't try to get PCR bank if we know the device key
If we operate in "offline" mode, i.e. know the device key, then we will
not have a TPM2 connection, hence don't try to read the PCR bank to use from
it.

We don't need it anyway because we are not going to test unseal things.

Fixes: #33855
2024-09-11 21:07:53 +02:00
Daan De Meyer c64ddefd5c repart: Add MakeSymlinks=
Similar to MakeDirectories=, but creates symlinks in the filesystem.
2024-09-11 18:45:05 +02:00
Daan De Meyer e2b0f23713 repart: Add missing parameter comment 2024-09-11 18:44:59 +02:00
Daan De Meyer bc48bd83d3 repart: Fix memory corruption 2024-09-11 17:52:20 +02:00
Lennart Poettering 8e1c345921 resolved: move dnssd parsers to resolved-dnssd.c
Let's keep only the parsers for the main config in resolved-conf.c
2024-09-11 17:00:03 +02:00
Lennart Poettering c87afdf23d resolved: move resolved_dnssd_gperf_lookup() prototype definition to resolved-dnssd.h 2024-09-11 16:59:48 +02:00
Daan De Meyer 2232452379 repart: Reuse partition_needs_populate() more 2024-09-11 16:36:47 +02:00
223 changed files with 4679 additions and 2379 deletions


@ -105,7 +105,7 @@ jobs:
steps:
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
- uses: systemd/mkosi@31b4e756c1484c302435653da5d3b9bdfae38518
- uses: systemd/mkosi@2c9954fa51a3a995bbdc02db6ef51f5bd27bc1ba
# Freeing up disk space with rm -rf can take multiple minutes. Since we don't need the extra free space
# immediately, we remove the files in the background. However, we first move them to a different location
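Review bot: the systemd/mkosi action pin moves from 31b4e756c1484c302435653da5d3b9bdfae38518 to 2c9954fa51a3a995bbdc02db6ef51f5bd27bc1ba, but nothing in this hunk records which upstream mkosi changes that pulls into CI; since a pinned third-party action runs with the workflow's credentials, the commit updating the hash should carry the upstream log between the two hashes, which is what the helper script added in e31134b5f2 on this page is meant to produce. Pinning to a full commit SHA rather than a floating tag is the right choice and should stay that way.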

NEWS

@ -2,6 +2,15 @@ systemd System and Service Manager
CHANGES WITH 257 in spe:
Incompatible changes:
* The --purge switch of systemd-tmpfiles (which was added in v256) has
been reworked: it will now only apply to tmpfiles.d/ lines marked
with the new "$" flag. This is an incompatible change, and means any
tmpfiles.d/ files which shall be used together with --purge need to
be updated accordingly. This change has been made to make it harder
to accidentally delete too many files when using --purge incorrectly.
Announcements of Future Feature Removals and Incompatible Changes:
* Support for automatic flushing of the nscd user/group database caches
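Review bot: the --purge entry says only tmpfiles.d/ lines carrying the new "$" flag are affected, but not what an existing --purge invocation does when none of the configured lines carry the flag (a no-op, an error, or a purge of nothing); one sentence on that, plus a pointer to tmpfiles.d(5) where the "$" flag is documented, would let administrators who scripted --purge against v256 judge the impact of the incompatible change.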
@ -44,18 +53,248 @@ CHANGES WITH 257 in spe:
but it should make the inhibitor logic easier to use and understand,
and also help avoiding accidental reboots and shutdowns. New 'delay-weak'
and 'block-weak' inhibitor modes were added, if taken they will make
the inhibitor lock work as in the previous versions.
the inhibitor lock work as in the previous versions. Inhibitor locks
can also be taken by remote users (subject to polkit policy).
* systemd-nspawn will now mount the unified cgroup hierarchy into a
container if no systemd installation is found in a container's root
filesystem. `$SYSTEMD_NSPAWN_UNIFIED_HIERARCHY=0` can be used to override
this behavior.
libsystemd:
* New sd-json component is now available as part of libsystemd. The
goal of the library is to allow structures to be conveniently
created in C code and serialized to JSON, and for JSON to
conveniently deserialized into in-memory structures, using callbacks
to handle specific keys. Various data types like integers, floats,
booleans, strings, UUIDs, hex-encoded strings, and arrays are
supported natively.
Service and system management:
* Environment variable $REMOTE_ADDR is now set when using socket
activation for AF_UNIX sockets.
* Multipath TCP (MPTCP) is now supported as a socket protocol.
* New crypttab options fido2-pin=, fido2-up=, fido2-uv= can be used to
enable/disable the PIN query, User Presence check, and User
Verification.
* New crypttab option password-cache=yes|no|read-only can be used to
customize password caching.
* New fstab option x-systemd.wants= creates "Wants" dependencies.
(This is similar to the previously available x-systemd.requires=.)
* The initialization of the system clock during boot and updates has
been simplified: either pid1 or systemd-timesyncd will pick the
latest time as indicated by the compiled-in epoch,
/usr/lib/clock-epoch, and /var/lib/systemd/timesync/clock. See
systemd(1) for an detailed updated description.
* Ctrl-Alt-Delete is re-enabled during late shutdown, so that the user
can still initiate a reboot if the system freezes.
* Unit option PrivateUsers=identity can be used to request a user
namespace with an identity mapping for the first 65536 UIDs/GIDs.
This is analogous to the systemd-nspawn's --private-users=identity.
* Unit option PrivateTmp=disconnected can be used to specify that a
separate tmpfs instance should be used for /tmp/ and /var/tmp/ for
the unit.
* A new sleep.conf HibernateOnACPower= option has been added, which
when disabled would suppress hibernation in suspend-then-hibernate
mode until the system is disconnected from a power source.
* udev rules now set 'uaccess' for /dev/udmabuf, giving locally
logged-in users access to the hardware. This is necessary to support
IPMI cameras with libcamera.
* New RELEASE_TYPE= and EXPERIMENT= fields are documented for the
os-release file. For example, "RELEASE_TYPE=development|stable|lts"
can be used to indicate various stages of the release life cycle,
and "RELEASE_TYPE=experimental" can indicate experimental builds,
with the EXPERIMENT= field providing a human-readable description of
the nature of the experiment.
* The manager (and various other tools too) use pidfds in more places
to refer to processes.
* A bunch of patches to ease building against musl have been merged.
* A build option -D link-executor-shared=false can be used to build
the systemd-executor binary (added in the previous release) in a way
where it does not link to shared libsystemd-shared-….so library.
PID1 holds a reference to the executor binary that was on disk when
the manager was started or restarted, but the shared libraries it is
linked to are not loaded until the executor binary needs to be used.
This partial static linking is a workaround for the issue where,
during upgrades, the old libsystemd-shared-….so may have already
been removed and the pinned executor binary will just fail to
execute.
systemd-logind:
* New DesignatedMaintenanceTime= configuration option allows
shutdowns to be automatically scheduled at the specified time.
* logind now reacts to Ctrl-Alt-Shift-Esc being pressed. It will send
out a org.freedesktop.login1.SecureAttentionKey signal, indicating a
request by the user for the system to display a secure login dialog.
The handling of SAK can be suppressed in logind configuration.
systemd-machined:
* Unprivileged clients are now allowed to register VMs and containers.
Machines started via the systemd-vmspawn@.service unit will now be
registered with systemd-machined.
systemd-resolved:
* 'resolvconf' command now supports '-p' switch. If specified, the
* resolvconf command now supports '-p' switch. If specified, the
interface will not be used as the default route.
* resolvectl now allows interactive polkit authorization. It gained a
--no-ask-password option to suppress it.
systemd-networkd and networkctl:
* IPv6 address labels can be configured in a new [IPv6AddressLabel]
section with Prefix= and Label= settings.
* 'networkctl edit' can now read the new contents from standard input
with the new --stdin option.
* 'networkctl edit' and 'cat' now supports editing .netdev files by
link. 'networkctl cat' can also list all configuration files
associated with an interface at once with ':all'.
* networkctl gained a --no-ask-password option to suppress interactive
polkit authorization.
systemd-boot, systemd-stub, and related tools:
* The EFI stub now supports loading of .ucode sections with microcode
from addons.
* A new .profile PE section type is now documented and supported in
systemd-measure, ukify, systemd-stub and systemd-boot. Those new
sections allow multiple "profiles" to be stored together in the UKI,
with .profile sections creating groupings the UKI, allowing some
sections to be shared and other sections like .cmdline or .initrd
unique to the profile.
* ukify gained an --extend switch to import an existing UKI to
be extended, and a --measure-base= switch to support measurement
of multi-profile UKIs.
The journal:
* journalctl can now list invocations of a unit with the
--list-invocation options and show logs for a specific invocation
with the new --invocation/-I option. (This is analogous to the
--list-boots/--boot/-b options.)
systemd-sysupdate and related tools:
* systemd-sysupdate can be run as system service, allowing
unprivileged clients to update the system via D-Bus calls.
A new updatectl command-line tool can be used to control the
service.
* systemd-sysupdate gained a new --offline option to force it to
operate locally. This is useful when listing locally installed
versions.
* systemd-sysupdate gained a new --transfer-source= option to set the
directory to which transfer sources configured with
PathRelativeTo=explicit will be interpreted.
Miscellaneous:
* systemctl now supports the --now option with the 'reenable' verb.
* systemd-analyze will now show the SMBIOS #11 vendor strings set for
the machine with a new 'smbios11' verb.
* systemd-analyze gained a new --instance= option that can be used to
provide an instance name to analyze multiple templates instantiated
with the same instance name.
* The 'tpm2' verb which lists usable TPM2 devices has been moved from
systemd-creds to systemd-analyze.
* varlinkctl gained a new verb 'list-methods' to show a list of
methods implemented by a service.
* varlinkctl gained a --quiet/-q option to suppress method call
replies.
* varlinkctl gained a --graceful= option to suppress specified Varlink
errors.
* varlinkctl gained a --timeout= option to limit how long the
invocation can take.
* varlinkctl allows remote invocations over ssh, via the new
"ssh-exec:" address specification. It'll make an ssh connection,
start the specified executable on the remote, and communicate with
the remote process using the Varlink protocol.
"ssh:" address specification has been renamed to "ssh-unix:".
(The old syntax is still supported for backwards compatibility.)
* bootctl gained a --random-seed=yes|no option to control provisioning
of the random seed file in ESP. (This is useful when producing an
image that will be used multiple times.)
* systemd-cryptenroll gained new options -fido2-salt-file= and
--fido2-parameters-in-header= to simplify manual enrollment of FIDO2
tokens.
* systemd-cryptenroll, systemd-repart, and systemd-storagetm gained a
new --list-devices option to list appropriate candidate block
devices.
* systemd-repart's CopyBlocks= directive can now use a char device as
source (in addition to previously supported regular files and block
devices).
* systemd-repart gained a new Compression= and CompressionLevel=
settings to enable internal compression in filesystems created
offline.
* systemd-repart understands a new MakeSymlinks= option to create one
or more symlinks (each specified as a symlink name and target).
* systemd-mount can now output JSON with a new --json= switch.
* A new generator sytemd-import-generator has been added to
synthetisize image download jobs. This provides functionality
similar to importctl, but configured via the kernel command line and
system credentials.
* systemd-inhibit now allows interactive polkit authorization. It
gained a --no-ask-password option to suppress it.
* systemd-id128 gained a new 'var-partition-uuid' verb to calculate
the DPS UUID for /var/ keyed by the local machine-id.
* locatectl gained a -l/--full option to show output without
ellipsization.
* 'busctl monitor' gained new options --num-matches= and --timeout=
to set the number of matches or limit the runtime of the command.
This is intended to be used in scripts.
* systemd-run can output some data as JSON via the new --json= option.
* timedatectl now supports interactive polkit authorization.
— <place>, <date>
CHANGES WITH 256:
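Review bot: several typos in the added text should be fixed before release: "sytemd-import-generator" and "synthetisize" in the import generator entry, "-fido2-salt-file=" carries a single leading dash while the sibling option has two, "locatectl" in the -l/--full entry is presumably localectl, "an detailed updated description" in the clock entry, and "'networkctl edit' and 'cat' now supports" should read "support". Two of the added entries change who can do what and deserve one more sentence each: the inhibitor paragraph now says locks "can also be taken by remote users (subject to polkit policy)" without naming the polkit action an operator would tighten, and the udev entry granting 'uaccess' on /dev/udmabuf widens what any locally logged-in user can reach without saying how to opt out.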

TODO

@ -130,6 +130,10 @@ Deprecations and removals:
Features:
* find a nice way to opt-in into auto-masking SIGCHLD on first
sd_event_add_child(), and then get rid of many more explicit sigprocmask()
calls.
* maybe set shell.prompt.prefix credential in run0 to some warning emoji,
i.e. ⚠️ or ☢️ or ⚡ or 👊 or 🧑‍🔧 or so.
@ -158,10 +162,6 @@ Features:
services where mount propagation from the root fs is off, an still have
confext/sysext propagated in.
* marry pcrlock + signed pcr policies for FDE/credentials by letting each
unlock "half" of the volume key, so that the combination of both must be
XOR'ed to get the actual volume key
* support F_DUDFD_QUERY for comparing fds in same_fd (requires kernel 6.10)
* generic interface for varlink for setting log level and stuff that all our daemons can implement
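Review bot: the context line "support F_DUDFD_QUERY for comparing fds in same_fd (requires kernel 6.10)" misspells the fcntl command; the command introduced in kernel 6.10 is F_DUPFD_QUERY. It is not part of this change, but it is worth fixing in a follow-up so the item can be searched for.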
@ -189,6 +189,8 @@ Features:
* go through our codebase, and convert "vertical tables" (i.e. things such as
"systemctl status") to use table_new_vertical() for output
* pcrlock: add support for multi-profile UKIs
* logind: when logging in use new tmpfs quota support to configure quota on
/tmp/ + /dev/shm/. But do so only in case of tmpfs, because otherwise quota
is persistent and any persistent settings mean we don#t have to reapply them.
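Review bot: "we don#t have to reapply them" in the logind tmpfs quota item has a stray "#" where the apostrophe belongs; trivial, but it is in the same region as the newly added "pcrlock: add support for multi-profile UKIs" line and could be fixed in the same commit.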
@ -485,13 +487,9 @@ Features:
nvme-oF
* pcrlock:
- make signed PCR work together with pcrlock
- add kernel-install plugin that automatically creates UKI .pcrlock file when
UKI is installed, and removes it when it is removed again
- automatically install PE measurement of sd-boot on "bootctl install"
- write generated pcrlock signature files to the ESP as credential, one for
each installed OS & pick up generated pcrlock signature file in sd-stub,
pass it via initrd to OS
- pre-calc sysext + kernel cmdline measurements
- pre-calc cryptsetup root key measurement
- maybe make systemd-repart generate .pcrlock for old and new GPT header in
@ -951,9 +949,6 @@ Features:
* systemd-tmpfiles: add concept for conditionalizing lines on factory reset
boot, or on first boot.
* in UKIs: add way to define allowlist of additional words that can be added to
the kernel cmdline even in SecureBoot mode
* we probably needs .pcrpkeyrd or so as additional PE section in UKIs,
which contains a separate public key for PCR values that only apply in the
initrd, i.e. in the boot phase "enter-initrd". Then, consumers in userspace
@ -1006,12 +1001,6 @@ Features:
* in the initrd, once the rootfs encryption key has been measured to PCR 15,
derive default machine ID to use from it, and pass it to host PID 1.
* tree-wide: convert as much as possible over to use sd_event_set_signal_exit(), instead
of manually hooking into SIGINT/SIGTERM
* tree-wide: convert as much as possible over to SD_EVENT_SIGNAL_PROCMASK
instead of manual blocking.
* sd-boot: for each installed OS, grey out older entries (i.e. all but the
newest), to indicate they are obsolete
@ -1079,9 +1068,6 @@ Features:
* in sd-boot: load EFI drivers from a new PE section. That way, one can have a
"supercharged" sd-boot binary, that could carry ext4 drivers built-in.
* sd-bus: document that sd_bus_process() only returns messages that non of the
filters/handlers installed on the connection took possession of.
* sd-device: add an API for acquiring list of child devices, given a device
objects (i.e. all child dirents that dirs or symlinks to dirs)
@ -1261,9 +1247,6 @@ Features:
appropriate qemu cmdline. That way qemu payloads could talk sd_notify()
directly to host service manager.
* sd-device has an API to create an sd_device object from a device id, but has
no api to query the device id
* sd-device should return the devnum type (i.e. 'b' or 'c') via some API for an
sd_device object, so that data passed into sd_device_new_from_devnum() can
also be queried.
@ -1308,14 +1291,6 @@ Features:
multiple versions are around of the same resource, show which ones. (in other
words: show partition labels).
* maybe add a generator that reads /proc/cmdline, looks for
systemd.pull-raw-portable=, systemd-pull-raw-sysext= and similar switches
that take a URL as parameter. It then generates service units for
systemd-pull calls that download these URLs if not installed yet. Use case:
invoke a VM or nspawn container in a way it automatically deploys/runs these
images as OS payloads. i.e. have a generic OS image you can point to any
payload you like, which is then downloaded, securely verified and run.
* systemd-dissect: add --cat switch for dumping files such as /etc/os-release
* per-service sandboxing option: ProtectIds=. If used, will overmount
@ -1526,6 +1501,8 @@ Features:
* systemd-analyze netif that explains predictable interface (or networkctl)
* systemd-analyze inspect-elf should show other notes too, at least build-id.
* Figure out naming of verbs in systemd-analyze: we have (singular) capability,
exit-status, but (plural) filesystems, architectures.
@ -1710,7 +1687,8 @@ Features:
zero and is not open anymore, while the latter happens when a file is
unlinked from any dir.
* port systemctl, busctl, … over to format-table.[ch]'s table formatters
* systemctl, machinectl, loginctl: port "status" commands over to
format-table.c's vertical output logic.
* pid1: lock image configured with RootDirectory=/RootImage= using the usual nspawn semantics while the unit is up
@ -1736,9 +1714,6 @@ Features:
the entire system, with the exception of one specific service. See:
https://lists.freedesktop.org/archives/systemd-devel/2018-February/040369.html
* maybe rework get_user_creds() to query the user database if $SHELL is used
for root, but only then.
* calenderspec: add support for week numbers and day numbers within a
year. This would allow us to define "bi-weekly" triggers safely.
@ -1887,7 +1862,7 @@ Features:
* fstab-generator: default to tmpfs-as-root if only usr= is specified on the kernel cmdline
* docs: bring https://systemd.io/MY_SERVICE_CANT_GET_REATLIME up to date
* docs: bring https://systemd.io/MY_SERVICE_CANT_GET_REALTIME up to date
* add a job mode that will fail if a transaction would mean stopping
running units. Use this in timedated to manage the NTP service
@ -2185,16 +2160,9 @@ Features:
- follow PropertiesChanged state more closely, to deal with quick logouts and
relogins
- (optionally?) spawn seat-manager@$SEAT.service whenever a seat shows up that as CanGraphical set
- expose details of boot entries on the bus. In particular, it should be possible
to query the list of boot entry titles that bootctl / sd-boot would show.
Currently we only expose their identifiers.
* move multiseat vid/pid matches from logind udev rule to hwdb
* logind: rework pam_logind to also do a bus call in case of invocation from
user@.service, which returns the XDG_RUNTIME_DIR value, and make this
behaviour selectable via pam module option.
* delay activation of logind until somebody logs in, or when /dev/tty0 pulls it
in or lingering is on (so that containers don't bother with it until PAM is used). also exit-on-idle
@ -2308,9 +2276,7 @@ Features:
should probably honour that same limit (JOURNAL_FILES_MAX) when vacuuming to
ensure we never generate more files than we can actually view.
* maybe add a tool that displays most recent journal logs as QR code to scan
off screen and run it automatically on boot failures, emergency logs and
such. Use DRM APIs directly, see
* bsod: maybe use graphical mode. Use DRM APIs directly, see
https://github.com/dvdhrm/docs/blob/master/drm-howto/modeset.c for an example
for doing that.
@ -2364,7 +2330,7 @@ Features:
- GNOME's side for forget key on suspend (requires rework so that lock screen runs outside of uid)
- update LUKS password on login if we find there's a password that unlocks the JSON record but not the LUKS device.
- create on activate?
- properties: icon url?, preferred session type?, administrator bool (which translates to 'wheel' membership)?, address?, telephone?, vcard?, samba stuff?, parental controls?
- properties: icon url?, administrator bool (which translates to 'wheel' membership)?, address?, telephone?, vcard?, samba stuff?, parental controls?
- communicate clearly when usb stick is safe to remove. probably involves
beefing up logind to make pam session close hook synchronous and wait until
systemd --user is shut down.


@ -788,9 +788,22 @@ Defined-By: systemd
Support: %SUPPORT_URL%
Documentation: man:systemd-tpm2-setup.service(8)
An authorization failure occurred while attempting to enroll a Storage Root Key (SRK) on the Trusted Platform
Module (TPM). Most likely this means that a PIN/Password (authValue) has been set on the Owner hierarchy of
the TPM.
An authorization failure occurred while attempting to enroll a Storage Root Key
(SRK) on the Trusted Platform Module (TPM). Most likely this means that a
PIN/Password (authValue) has been set on the Owner hierarchy of the TPM.
Automatic SRK enrollment on TPMs in such scenarios is not supported. In order to unset the PIN/password
protection on the owner hierarchy issue a command like the following: 'tpm2_changeauth -c o -p <OLDPW> ""'.
Automatic SRK enrollment on TPMs in such scenarios is not supported. In order
to unset the PIN/password protection on the owner hierarchy issue a command
like the following: 'tpm2_changeauth -c o -p <OLDPW> ""'.
-- 9cf56b8baf9546cf9478783a8de42113
Subject: A foreign process changed a sysctl systemd-networkd manages
Defined-By: systemd
Support: %SUPPORT_URL%
The sysctl configuration setting @SYSCTL@, which is managed by
systemd-networkd, has been changed by another, unrelated process
("@OBJECT_COMM@", PID @OBJECT_PID@). This represents a conflict of ownership
and will likely result in problems later on.
Value changed to "@NEWVALUE@", which should be "@OURVALUE@".
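Review bot: the new 9cf56b8baf9546cf9478783a8de42113 entry has no Documentation: line, unlike the SRK entry just above it; point it at systemd-networkd.service(8) and sysctl.d(5) so that journalctl -x readers can find where the competing setting usually comes from. The text also leaves the reader without an action: per the accompanying commit the write is only reported, not reverted, so the entry should say whether systemd-networkd re-applies "@OURVALUE@" on reload or whether the conflicting configuration has to be removed by hand. Finally, "@OBJECT_COMM@" and "@OBJECT_PID@" identify the writer at the moment of the write; by the time an operator reads the journal that PID may have exited or been reused, which is worth a clause so the investigation is not misdirected.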


@ -247,4 +247,4 @@ Note that scope units created by `machined`'s `CreateMachine()` call have this f
### Example
Please see the [systemd-run sources](http://cgit.freedesktop.org/systemd/systemd/plain/src/run/run.c) for a relatively simple example how to create scope or service units transiently and pass properties to them.
Please see the [systemd-run sources](https://github.com/systemd/systemd/blob/main/src/run/run.c) for a relatively simple example how to create scope or service units transiently and pass properties to them.


@ -87,3 +87,90 @@ of the libraries they specify in order to be enabled.
| required | Core functionality needs the dependency, the binary will not work if it cannot be found |
| recommended | Important functionality needs the dependency, the binary will work but in most cases the dependency should be provided |
| suggested | Secondary functionality needs the dependency, the binary will work and the dependency is only needed for full-featured installations |
### Displaying `dlopen()` notes
The raw ELF section can be extracted using `objdump`:
```console
$ objdump -j .note.dlopen -s /usr/lib64/systemd/libsystemd-shared-257.so
/usr/lib64/systemd/libsystemd-shared-257.so: file format elf64-x86-64
Contents of section .note.dlopen:
0334 04000000 8e000000 0a0c7c40 46444f00 ..........|@FDO.
0344 5b7b2266 65617475 7265223a 22627066 [{"feature":"bpf
0354 222c2264 65736372 69707469 6f6e223a ","description":
0364 22537570 706f7274 20666972 6577616c "Support firewal
0374 6c696e67 20616e64 2073616e 64626f78 ling and sandbox
0384 696e6720 77697468 20425046 222c2270 ing with BPF","p
0394 72696f72 69747922 3a227375 67676573 riority":"sugges
03a4 74656422 2c22736f 6e616d65 223a5b22 ted","soname":["
03b4 6c696262 70662e73 6f2e3122 2c226c69 libbpf.so.1","li
03c4 62627066 2e736f2e 30225d7d 5d000000 bbpf.so.0"]}]...
03d4 04000000 9e000000 0a0c7c40 46444f00 ..........|@FDO.
...
```
It is more convenient to use a higher level tool:
```console
$ dlopen-notes /usr/lib64/systemd/libsystemd-shared-257.so
# /usr/lib64/systemd/libsystemd-shared-257.so
[
{
"feature": "archive",
"description": "Support for decompressing archive files",
"priority": "suggested",
"soname": [
"libarchive.so.13"
]
},
{
"feature": "bpf",
"description": "Support firewalling and sandboxing with BPF",
"priority": "suggested",
"soname": [
"libbpf.so.1",
"libbpf.so.0"
]
},
...
```
`dlopen-notes` can display the notes grouped in a few different ways.
One option is to filter the libraries by "feature". This answers the
question "what libraries are needed to provide specified features":
```console
$ dlopen-notes.py -f archive,bpf /usr/lib64/systemd/libsystemd-shared-257.so
# grouped by feature
{
"bpf": {
"description": "Support firewalling and sandboxing with BPF",
"sonames": {
"libbpf.so.1": "suggested",
"libbpf.so.0": "suggested"
}
},
"archive": {
"description": "Support for decompressing archive files",
"sonames": {
"libarchive.so.13": "suggested"
}
}
}
The format that is used when building `deb` packages:
```console
$ dlopen-notes -s /usr/lib64/systemd/libsystemd-shared-257.so
libarchive.so.13 suggested
libbpf.so.0 suggested
libbpf.so.1 suggested
...
```
The format that can be useful when building `rpm` packages:
```console
$ dlopen-notes --rpm-requires archive --rpm-recommends bpf /usr/lib64/systemd/libsystemd-shared-257.so
Requires: libarchive.so.13()(64bit)
Recommends: libbpf.so.1()(64bit)
```
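Review bot: the "grouped by feature" example (the block starting with `$ dlopen-notes.py -f archive,bpf ...`) is missing its closing ``` fence before "The format that is used when building `deb` packages:", so that sentence and the following `-s` example render inside the previous console block. The tool is also invoked as `dlopen-notes.py` there and as `dlopen-notes` in every other example; pick one name. A sentence after the rpm example saying that the note only declares what the library may dlopen() and that the packager still chooses Requires versus Recommends (as the `--rpm-requires archive --rpm-recommends bpf` invocation shows) would make the purpose of the two flags clearer.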


@ -103,3 +103,97 @@ A set of well-known keys is defined here, and hopefully shared among all vendors
| architecture | The binary package architecture | arm32 |
| osCpe | A CPE name for the OS, typically corresponding to CPE_NAME in os-release | cpe:/o:fedoraproject:fedora:33 |
| debugInfoUrl | The debuginfod server url, if available | https://debuginfod.fedoraproject.org/ |
### Displaying package notes
The raw ELF section can be extracted using `objdump`:
```console
$ objdump -j .note.package -s /usr/bin/ls
/usr/bin/ls: file format elf64-x86-64
Contents of section .note.package:
03cc 04000000 7c000000 7e1afeca 46444f00 ....|...~...FDO.
03dc 7b227479 7065223a 2272706d 222c226e {"type":"rpm","n
03ec 616d6522 3a22636f 72657574 696c7322 ame":"coreutils"
03fc 2c227665 7273696f 6e223a22 392e342d ,"version":"9.4-
040c 372e6663 3430222c 22617263 68697465 7.fc40","archite
041c 63747572 65223a22 7838365f 3634222c cture":"x86_64",
042c 226f7343 7065223a 22637065 3a2f6f3a "osCpe":"cpe:/o:
043c 6665646f 72617072 6f6a6563 743a6665 fedoraproject:fe
044c 646f7261 3a343022 7d000000 dora:40"}...
```
It is more convenient to use a higher level tool:
```console
$ readelf --notes /usr/bin/ls
...
Displaying notes found in: .note.gnu.build-id
Owner Data size Description
GNU 0x00000014 NT_GNU_BUILD_ID (unique build ID bitstring)
Build ID: 40e5a1570a9d97fc48f5c61cfb7690fec0f872b2
Displaying notes found in: .note.ABI-tag
Owner Data size Description
GNU 0x00000010 NT_GNU_ABI_TAG (ABI version tag)
OS: Linux, ABI: 3.2.0
Displaying notes found in: .note.package
Owner Data size Description
FDO 0x0000007c FDO_PACKAGING_METADATA
Packaging Metadata: {"type":"rpm","name":"coreutils","version":"9.4-7.fc40","architecture":"x86_64","osCpe":"cpe:/o:fedoraproject:fedora:40"}
...
$ systemd-analyze inspect-elf /usr/bin/ls
path: /usr/bin/ls
elfType: executable
elfArchitecture: AMD x86-64
type: rpm
name: coreutils
version: 9.4-7.fc40
architecture: x86_64
osCpe: cpe:/o:fedoraproject:fedora:40
buildId: 40e5a1570a9d97fc48f5c61cfb7690fec0f872b2
```
If the binary crashes, `systemd-coredump` will display the combined information
from the crashing binary and any shared libraries it links to:
```console
$ coredumpctl info
PID: 3987823 (ls)
Signal: 11 (SEGV)
Command Line: ls --color=tty -lR /
Executable: /usr/bin/ls
...
Storage: /var/lib/systemd/coredump/core.ls.1000.88dea1b9831c420dbb398f9d2ad9b41e.3987823.1726230641000000.zst (present)
Size on Disk: 194.4K
Package: coreutils/9.4-7.fc40
build-id: 40e5a1570a9d97fc48f5c61cfb7690fec0f872b2
Message: Process 3987823 (ls) of user 1000 dumped core.
Module /usr/bin/ls from rpm coreutils-9.4-7.fc40.x86_64
Module libz.so.1 from rpm zlib-ng-2.1.7-1.fc40.x86_64
Module libcrypto.so.3 from rpm openssl-3.2.2-3.fc40.x86_64
Module libmount.so.1 from rpm util-linux-2.40.1-1.fc40.x86_64
Module libcrypt.so.2 from rpm libxcrypt-4.4.36-5.fc40.x86_64
Module libblkid.so.1 from rpm util-linux-2.40.1-1.fc40.x86_64
Module libnss_sss.so.2 from rpm sssd-2.9.5-1.fc40.x86_64
Module libpcre2-8.so.0 from rpm pcre2-10.44-1.fc40.x86_64
Module libcap.so.2 from rpm libcap-2.69-8.fc40.x86_64
Module libselinux.so.1 from rpm libselinux-3.6-4.fc40.x86_64
Stack trace of thread 3987823:
#0 0x00007f19331c3f7e lgetxattr (libc.so.6 + 0x116f7e)
#1 0x00007f19332be4c0 lgetfilecon_raw (libselinux.so.1 + 0x134c0)
#2 0x00007f19332c3bd9 lgetfilecon (libselinux.so.1 + 0x18bd9)
#3 0x000056038273ad55 gobble_file.constprop.0 (/usr/bin/ls + 0x17d55)
#4 0x0000560382733c55 print_dir (/usr/bin/ls + 0x10c55)
#5 0x0000560382727c35 main (/usr/bin/ls + 0x4c35)
#6 0x00007f19330d7088 __libc_start_call_main (libc.so.6 + 0x2a088)
#7 0x00007f19330d714b __libc_start_main@@GLIBC_2.34 (libc.so.6 + 0x2a14b)
#8 0x0000560382728f15 _start (/usr/bin/ls + 0x5f15)
ELF object binary architecture: AMD x86-64
```
(This is just a simulation. `ls` is not prone to crashing with a segmentation violation.)
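Review bot: the sentence introducing the listing says `systemd-coredump` "will display the combined information", but the command actually shown is `coredumpctl info`; say that systemd-coredump records the package metadata and build-id at crash time and that `coredumpctl info` is what prints it, so readers know which tool to run. It would also help to state explicitly that the `Module ... from rpm ...` lines are derived from the `.note.package` sections of the crashing binary and its shared libraries, since that is the payoff of the readelf/inspect-elf output above.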

View File

@ -104,7 +104,7 @@ A: Use:
**Q: Whenever my service tries to acquire RT scheduling for one of its threads this is refused with EPERM even though my service is running with full privileges. This works fine on my non-systemd system!**
A: By default, systemd places all systemd daemons in their own cgroup in the "cpu" hierarchy. Unfortunately, due to a kernel limitation, this has the effect of disallowing RT entirely for the service. See [My Service Can't Get Realtime!](/MY_SERVICE_CANT_GET_REATLIME) for a longer discussion and what to do about this.
A: By default, systemd places all systemd daemons in their own cgroup in the "cpu" hierarchy. Unfortunately, due to a kernel limitation, this has the effect of disallowing RT entirely for the service. See [My Service Can't Get Realtime!](/MY_SERVICE_CANT_GET_REALTIME) for a longer discussion and what to do about this.
**Q: My service is ordered after `network.target` but at boot it is still called before the network is up. What's going on?**

View File

@ -299,6 +299,10 @@ sensor:modalias:acpi:KIOX000A*:dmi:*:svnCHUWIInnovationAndTechnology*:pnHi10X:*
sensor:modalias:acpi:MXC6655*:dmi:*:svnCHUWIINNOVATIONLIMITED:pnHi10Go:*
ACCEL_MOUNT_MATRIX=-1, 0, 0; 0,-1, 0; 0, 0, 1
# Chuwi Hi10 Max
sensor:modalias:acpi:MXC6655*:dmi:*:svnCHUWIInnovationAndTechnology*:pnHi10Max:*
ACCEL_MOUNT_MATRIX=0, 1, 0; 1, 0, 0; 0, 0, 1
# Chuwi Hi12
sensor:modalias:acpi:BOSC0200*:dmi:*:svnHampoo:pnP02BD6_HI-122LP:*
sensor:modalias:acpi:BOSC0200*:dmi:*:svnDefaultstring:pnDefaultstring:*
@ -603,6 +607,15 @@ sensor:modalias:i2c:bmc150_accel:dmi:*:svnHewlett-Packard:pnHPPavilionx2Detachab
sensor:modalias:i2c:bmc150_accel:dmi:*:svnHewlett-Packard:pnHPProTablet408:*:rn8048:*
ACCEL_MOUNT_MATRIX=0, 1, 0; -1, 0, 0; 0, 0, 1
#########################################
# HUAWEI
#########################################
# HUAWEI MateBook D 15 AMD
sensor:modalias:acpi:SMO8840*:dmi:*:svnHUAWEI:pnBOHK-WAX9X:*
ACCEL_MOUNT_MATRIX=0, 1, 0; 1, 0, 0; 0, 0, 1
ACCEL_LOCATION=base
#########################################
# I.T.Works
#########################################
@ -747,8 +760,9 @@ sensor:modalias:i2c:bmc150_accel:dmi:*:svnLENOVO:*:pvrLenovoYoga300-11IBR:*
sensor:modalias:acpi:ACCL0001*:dmi:*:svnLENOVO:pn60072:pvr851*:*
ACCEL_MOUNT_MATRIX=0, 1, 0; -1, 0, 0; 0, 0, 1
# IdeaPad Duet 3 10IGL5 (82AT)
# IdeaPad Duet 3 10IGL5 (82AT) and 10IGL5-LTE (82HK)
sensor:modalias:acpi:SMO8B30*:dmi:*:svnLENOVO*:pn82AT:*
sensor:modalias:acpi:SMO8B30*:dmi:*:svnLENOVO*:pn82HK:*
ACCEL_MOUNT_MATRIX=0, 1, 0; -1, 0, 0; 0, 0, 1
#########################################

View File

@ -310,6 +310,10 @@ mouse:bluetooth:v047dp8019:name:Expert Wireless TB Mouse:*
ID_INPUT_TRACKBALL=1
MOUSE_DPI=400@125
# Kensington SlimBlade Pro trackball (via Bluetooth)
mouse:bluetooth:v047dp80d4:name:SlimBlade Pro:*
ID_INPUT_TRACKBALL=1
##########################################
# Lenovo
##########################################
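Review bot: the new SlimBlade Pro entry sets `ID_INPUT_TRACKBALL=1` but, unlike the Expert Wireless TB Mouse entry directly above it, carries no `MOUSE_DPI=` line; if the device's resolution and report rate are known, add a `MOUSE_DPI=` line so userspace applies the same pointer normalization to both Kensington trackballs, and if they are not known, a comment saying so would stop the next contributor from assuming it was an oversight.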

View File

@ -267,7 +267,8 @@
<term><option>kernel-identify</option> <replaceable>kernel</replaceable></term>
<listitem><para>Takes a kernel image as argument. Checks what kind of kernel the image is. Returns
one of <literal>uki</literal>, <literal>pe</literal>, and <literal>unknown</literal>.
one of <literal>uki</literal>, <literal>addon</literal>, <literal>pe</literal>, and
<literal>unknown</literal>.
</para>
<xi:include href="version-info.xml" xpointer="v253"/></listitem>
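Review bot: `addon` is added to the list of `kernel-identify` return values, but the version-info include still points at v253, which is where only `uki`, `pe` and `unknown` were documented; if addon detection arrived in a later release, the text should say from which version `addon` can be returned, otherwise scripts written against older releases will not know the new value.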
@ -360,6 +361,24 @@
<xi:include href="version-info.xml" xpointer="v242"/></listitem>
</varlistentry>
<varlistentry>
<term><option>--print-loader-path</option></term>
<listitem><para>This option modifies the behaviour of <command>status</command>: it shows the
absolute path to the boot loader EFI binary used for the current boot if this information is
available. Note that no attempt is made to verify whether the binary still exists.</para>
<xi:include href="version-info.xml" xpointer="v257"/></listitem>
</varlistentry>
<varlistentry>
<term><option>--print-stub-path</option></term>
<listitem><para>This option modifies the behaviour of <command>status</command>: it shows the
absolute path to the UKI/stub EFI binary used for the current boot if this information is
available. Note that no attempt is made to verify whether the binary still exists.</para>
<xi:include href="version-info.xml" xpointer="v257"/></listitem>
</varlistentry>
<varlistentry>
<term><option>-R</option></term>
<term><option>--print-root-device</option></term>
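Review bot: both `--print-loader-path` and `--print-stub-path` say the path is shown "if this information is available" but not what `status` does otherwise (prints nothing, prints a placeholder, or exits non-zero); state the fallback, since these switches exist to be consumed by scripts. The two entries are otherwise word-for-word identical apart from loader/stub, so one sentence noting how a UKI boot differs (the two paths may be the same binary) would make the distinction clearer.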

View File

@ -46,11 +46,10 @@
the root file system, which is then responsible for probing all remaining hardware, mounting all
necessary file systems and spawning all configured services.</para>
<para>On shutdown, the system manager stops all services, unmounts
all file systems (detaching the storage technologies backing
them), and then (optionally) jumps back into the initrd code which
unmounts/detaches the root file system and the storage it resides
on. As a last step, the system is powered down.</para>
<para>On shutdown, the system manager stops all services, unmounts all non-busy file systems (detaching
the storage technologies backing them), and then (optionally) jumps into the exitrd, which is backed by
tmpfs, and unmounts/detaches the remaining file systems, including the real root. As a last step,
the system is powered down.</para>
<para>Additional information about the system boot process may be
found in
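Review bot: "exitrd" is introduced here without a definition or cross-reference, where the old text described the same step as "jumps back into the initrd code"; add a short definition (or a citerefentry to wherever the exitrd is documented) at first use. The new sentence also narrows "all file systems" to "all non-busy file systems" but does not say what happens to busy ones; presumably those are the "remaining file systems" the exitrd handles, and saying so would close the gap.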

View File

@ -593,8 +593,6 @@ node /org/freedesktop/systemd1 {
<!--method GetJobBefore is not documented!-->
<!--method SetShowStatus is not documented!-->
<!--method ListUnitsFiltered is not documented!-->
<!--method ListUnitsByPatterns is not documented!-->
@ -673,8 +671,6 @@ node /org/freedesktop/systemd1 {
<!--property ConfirmSpawn is not documented!-->
<!--property ShowStatus is not documented!-->
<!--property DefaultStandardOutput is not documented!-->
<!--property DefaultStandardError is not documented!-->
@ -1362,6 +1358,24 @@ node /org/freedesktop/systemd1 {
<para><function>ResetFailedUnit()</function> resets the "failed" state of a specific unit.</para>
<para><function>SetShowStatus()</function> configures the display of status messages during bootup and
shutdown. The <varname>mode</varname> parameter can be set to any value that's valid for the
<varname>systemd.show_status</varname> kernel parameter. For more information about
<varname>systemd.show_status</varname>, see
<citerefentry project="man-pages"><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>.
The <varname>mode</varname> parameter can also be set to an empty string. When <varname>mode</varname>
is set to an empty string, <function>SetShowStatus()</function> will reset
<varname>ShowStatus</varname> back to its original value. You can use
<function>SetShowStatus()</function> create a service that does something like this:
<orderedlist>
<listitem><para>Send a D-Bus message that will turn off status messages.</para></listitem>
<listitem><para>Block until a reply to that message is received.</para></listitem>
<listitem><para>Print multiples lines without being interrupted by status messages.</para></listitem>
<listitem><para>Send a D-Bus message that will reset <varname>ShowStatus</varname> back to its
original value.</para></listitem>
</orderedlist>
</para>
<para><function>ResetFailed()</function> resets the "failed" state of all units.</para>
<para><function>ListUnits()</function> returns an array of all currently loaded units. Note that
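Review bot: two grammar slips in the new `SetShowStatus()` paragraph: "You can use SetShowStatus() create a service" is missing "to", and "Print multiples lines" should be "Print multiple lines". The text also says an empty `mode` resets `ShowStatus` "back to its original value" without defining "original": is it the value at boot, or the value before the most recent non-empty call? That matters when two clients use the pattern in the ordered list concurrently, so it is worth a sentence.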
@ -1788,6 +1802,12 @@ node /org/freedesktop/systemd1 {
<para><varname>Environment</varname> encodes the environment block passed to all executed services. It
may be altered with bus calls such as <function>SetEnvironment()</function> (see above).</para>
<para><varname>ShowStatus</varname> encodes systemd's current policy for displaying status messages
during bootup and shutdown. Its value can be any valid value for the
<varname>systemd.show_status</varname> kernel parameter (see
<citerefentry project="man-pages"><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>).
It may be altered using <function>SetShowStatus()</function> (see above).</para>
<para><varname>UnitPath</varname> encodes the currently active unit file search path. It is an array of
file system paths encoded as strings.</para>

View File

@ -76,16 +76,7 @@
<term><varname>Type=</varname></term>
<listitem><para>The GPT partition type UUID to match. This may be a GPT partition type UUID such as
<constant>4f68bce3-e8cd-4db1-96e7-fbcaf984b709</constant>, or an identifier.
Architecture specific partition types can use one of these architecture identifiers:
<constant>alpha</constant>, <constant>arc</constant>, <constant>arm</constant> (32-bit),
<constant>arm64</constant> (64-bit, aka aarch64), <constant>ia64</constant>,
<constant>loongarch64</constant>, <constant>mips-le</constant>, <constant>mips64-le</constant>,
<constant>parisc</constant>, <constant>ppc</constant>, <constant>ppc64</constant>,
<constant>ppc64-le</constant>, <constant>riscv32</constant>, <constant>riscv64</constant>,
<constant>s390</constant>, <constant>s390x</constant>, <constant>tilegx</constant>,
<constant>x86</constant> (32-bit, aka i386) and <constant>x86-64</constant> (64-bit, aka amd64).
</para>
<constant>4f68bce3-e8cd-4db1-96e7-fbcaf984b709</constant>, or an identifier.</para>
<para>The supported identifiers are:</para>
@ -237,7 +228,14 @@
</tgroup>
</table>
<para>This setting defaults to <constant>linux-generic</constant>.</para>
<para>Architecture specific partition types can use one of these architecture identifiers:
<constant>alpha</constant>, <constant>arc</constant>, <constant>arm</constant> (32-bit),
<constant>arm64</constant> (64-bit, aka aarch64), <constant>ia64</constant>,
<constant>loongarch64</constant>, <constant>mips-le</constant>, <constant>mips64-le</constant>,
<constant>parisc</constant>, <constant>ppc</constant>, <constant>ppc64</constant>,
<constant>ppc64-le</constant>, <constant>riscv32</constant>, <constant>riscv64</constant>,
<constant>s390</constant>, <constant>s390x</constant>, <constant>tilegx</constant>,
<constant>x86</constant> (32-bit, aka i386) and <constant>x86-64</constant> (64-bit, aka amd64).</para>
<para>Most of the partition type UUIDs listed above are defined in the <ulink
url="https://uapi-group.org/specifications/specs/discoverable_partitions_specification">Discoverable Partitions
@ -485,18 +483,18 @@
<term><varname>ExcludeFiles=</varname></term>
<term><varname>ExcludeFilesTarget=</varname></term>
<listitem><para>Takes an absolute file system path referring to a source file or directory on the
host. This setting may be used to exclude files or directories from the host from being copied into
the file system when <varname>CopyFiles=</varname> is used. This option may be used multiple times to
exclude multiple files or directories from host from being copied into the newly formatted file
system.</para>
<listitem><para>Takes one or more absolute paths, separated by whitespace, each referring to a
source file or directory on the host. This setting may be used to exclude files or directories from
the host from being copied into the file system when <varname>CopyFiles=</varname> is used. This
option may be used multiple times to exclude multiple files or directories from host from being
copied into the newly formatted file system.</para>
<para>If the path is a directory and ends with <literal>/</literal>, only the directory's
contents are excluded but not the directory itself. If the path is a directory and does not end with
<literal>/</literal>, both the directory and its contents are excluded.</para>
<para><varname>ExcludeFilesTarget=</varname> is like <varname>ExcludeFiles=</varname> except that
instead of excluding the path on the host from being copied into the partition, we exclude any files
instead of excluding the path on the host from being copied into the partition, it exclude any files
and directories from being copied into the given path in the partition.</para>
<para>When
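Review bot: "it exclude any files" in the `ExcludeFilesTarget=` paragraph should be "it excludes any files". Since the setting now takes whitespace-separated paths, the following paragraph still says "If the path is a directory and ends with /"; reword to "each path" so the trailing-slash rule clearly applies per entry, and say how whitespace inside a path is escaped now that whitespace is the separator.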
@ -537,6 +535,30 @@
<xi:include href="version-info.xml" xpointer="v249"/></listitem>
</varlistentry>
<varlistentry>
<term><varname>MakeSymlinks=</varname></term>
<listitem><para>Takes one or more arguments, separated by whitespace, each declaring a symlink to
create within the new file system. Each argument is a pair of symlink source and target paths,
separated by a colon. This option may be used more than once to create multiple symlinks. When
<varname>CopyFiles=</varname> and <varname>MakeSymlinks=</varname> are used together the former is
applied first.</para>
<para>The primary use case for this option is to create symlinks that need to exist before
<citerefentry><refentrytitle>systemd-tmpfiles</refentrytitle><manvolnum>8</manvolnum></citerefentry>
is executed. For example, when using
<citerefentry><refentrytitle>systemd-confext</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
this setting can be used to create symlinks in <filename>/var/lib/extensions.mutable</filename> to
redirect writes to mutable confexts to a custom location.</para>
<para>Consider using
<citerefentry><refentrytitle>systemd-tmpfiles</refentrytitle><manvolnum>8</manvolnum></citerefentry>
with its <option>--image=</option> option to pre-create other symlinks (as well as other inodes) with
fine-grained control of ownership, access modes and other file attributes.</para>
<xi:include href="version-info.xml" xpointer="v257"/></listitem>
</varlistentry>
<varlistentry>
<term><varname>Subvolumes=</varname></term>
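Review bot: "a pair of symlink source and target paths, separated by a colon" leaves it ambiguous which side is the symlink being created and which is what it points to, and whether the paths are interpreted relative to the root of the new file system; spell that out, ideally with a concrete example such as `MakeSymlinks=/var/lib/extensions.mutable/foo:/some/other/location` (constructed here, not from the page), and say how a colon inside either path is escaped. Since `CopyFiles=` is applied first, the text should also state what happens when the symlink path already exists in the copied tree (fail, replace, or skip).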
@ -873,6 +895,59 @@
<xi:include href="version-info.xml" xpointer="v257"/></listitem>
</varlistentry>
<varlistentry>
<term><varname>SupplementFor=</varname></term>
<listitem><para>Takes a partition definition name, such as <literal>10-esp</literal>. If specified,
<command>systemd-repart</command> will avoid creating this partition and instead prefer to partially
merge the two definitions. However, depending on the existing layout of partitions on disk,
<command>systemd-repart</command> may be forced to fall back onto un-merging the definitions and
using them as originally written, potentially creating this partition. Specifically,
<command>systemd-repart</command> will fall back if this partition is found to already exist on disk,
or if the target partition already exists on disk but is too small, or if it cannot allocate space
for the merged partition for some other reason.</para>
<para>The following fields are merged into the target definition in the specified ways:
<varname>Weight=</varname> and <varname>PaddingWeight=</varname> are simply overwritten;
<varname>SizeMinBytes=</varname> and <varname>PaddingMinBytes=</varname> use the larger of the two
values; <varname>SizeMaxBytes=</varname> and <varname>PaddingMaxBytes=</varname> use the smaller
value; and <varname>CopyFiles=</varname>, <varname>ExcludeFiles=</varname>,
<varname>ExcludeFilesTarget=</varname>, <varname>MakeDirectories=</varname>, and
<varname>Subvolumes=</varname> are concatenated.</para>
<para>Usage of this option in combination with <varname>CopyBlocks=</varname>,
<varname>Encrypt=</varname>, or <varname>Verity=</varname> is not supported. The target definition
cannot set these settings either. A definition cannot simultaneously be a supplement and act as a
target for some other supplement definition. A target cannot have more than one supplement partition
associated with it.</para>
<para>For example, distributions can use this to implement <varname>$BOOT</varname> as defined in
the <ulink url="https://uapi-group.org/specifications/specs/boot_loader_specification/">Boot Loader
Specification</ulink>. Distributions may prefer to use the ESP as <varname>$BOOT</varname> whenever
possible, but to adhere to the spec XBOOTLDR must sometimes be used instead. So, they should create
two definitions: the first defining an ESP big enough to hold just the bootloader, and a second for
the XBOOTLDR that's sufficiently large to hold kernels and configured as a supplement for the ESP.
Whenever possible, <command>systemd-repart</command> will try to merge the two definitions to create
one large ESP, but if that's not allowable due to the existing conditions on disk a small ESP and a
large XBOOTLDR will be created instead.</para>
<para>As another example, distributions can also use this to seamlessly share a single
<filename>/home</filename> partition in a multi-boot scenario, while preferring to keep
<filename>/home</filename> on the root partition by default. Having a <filename>/home</filename>
partition separated from the root partition entails some extra complexity: someone has to decide how
to split the space between the two partitions. On the other hand, it allows a user to share their
home area between multiple installed OSs (i.e. via <citerefentry><refentrytitle>systemd-homed.service
</refentrytitle><manvolnum>8</manvolnum></citerefentry>). Distributions should create two definitions:
the first for a root partition that takes up some relatively small percentage of the disk, and the
second as a supplement for the first to create a <filename>/home</filename> partition that takes up
all the remaining free space. On first boot, if <command>systemd-repart</command> finds an existing
<filename>/home</filename> partition on disk, it'll un-merge the definitions and create just a small
root partition. Otherwise, the definitions will be merged and a single large root partition will be
created.</para>
<xi:include href="version-info.xml" xpointer="v257"/></listitem>
</varlistentry>
</variablelist>
</refsect1>
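Review bot: "`Weight=` and `PaddingWeight=` are simply overwritten" does not say in which direction (does the supplement's value replace the target's, or the other way round?); state it explicitly, since both examples that follow depend on which definition wins. The paragraph forbidding `CopyBlocks=`, `Encrypt=` and `Verity=` on either definition also does not say what `systemd-repart` does if the restriction is violated (refuses to run, or ignores the supplement), and a reader configuring encrypted roots needs to know that.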

View File

@ -52,12 +52,24 @@
<citerefentry><refentrytitle>sd_bus_get_fd</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
</para>
<para><function>sd_bus_process()</function> processes at most one incoming message per call. If the parameter
<parameter>ret</parameter> is not <constant>NULL</constant> and the call processed a message,
<parameter>*ret</parameter> is set to this message. The caller owns a reference to this message and should call
<citerefentry><refentrytitle>sd_bus_message_unref</refentrytitle><manvolnum>3</manvolnum></citerefentry> when the
message is no longer needed. If <parameter>ret</parameter> is not <constant>NULL</constant>, progress was made, but no message was
processed, <parameter>*ret</parameter> is set to <constant>NULL</constant>.</para>
<para><function>sd_bus_process()</function> processes at most one incoming message per call. If the
parameter <parameter>ret</parameter> is not <constant>NULL</constant> and the call processed a message,
<parameter>*ret</parameter> is set to this message. The caller owns a reference to this message and
should call
<citerefentry><refentrytitle>sd_bus_message_unref</refentrytitle><manvolnum>3</manvolnum></citerefentry>
when the message is no longer needed. If <parameter>ret</parameter> is not <constant>NULL</constant> and
progress was made, but no message was processed, <parameter>*ret</parameter> is set to
<constant>NULL</constant>. Note that only messages not already handled by the various types of registered
message handlers (i.e. by filters registered via
<citerefentry><refentrytitle>sd_bus_add_filter</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
object handlers registered via
<citerefentry><refentrytitle>sd_bus_add_object</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
matches registered via
<citerefentry><refentrytitle>sd_bus_add_match</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
and related) will be returned through this parameter. Also note that if such a message handler returns a
zero return value (as opposed to some value &gt; 0) an incoming message will not be considered handled,
and be passed to other suitable handlers (until one returns &gt; > 0), or returned by
<function>sd_bus_process()</function> (in case none returns &gt; 0).</para>
<para>If the bus object is connected to an
<citerefentry><refentrytitle>sd-event</refentrytitle><manvolnum>3</manvolnum></citerefentry> event loop (with
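Review bot: "(until one returns &gt; > 0)" has a stray literal `>` after the entity; it should read `&gt; 0` like the two other occurrences in the same sentence. The rewritten condition "If ret is not NULL and progress was made, but no message was processed" now reads correctly (the old text lacked the "and"), so that part is fine.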

View File

@ -177,6 +177,11 @@
<arg choice="plain">image-policy</arg>
<arg choice="plain" rep="repeat"><replaceable>POLICY</replaceable></arg>
</cmdsynopsis>
<cmdsynopsis>
<command>systemd-analyze</command>
<arg choice="opt" rep="repeat">OPTIONS</arg>
<arg choice="plain">has-tpm2</arg>
</cmdsynopsis>
<cmdsynopsis>
<command>systemd-analyze</command>
<arg choice="opt" rep="repeat">OPTIONS</arg>
@ -948,6 +953,35 @@ default ignore - -</programlisting>
</example>
</refsect2>
<refsect2>
<title><command>systemd-analyze has-tpm2</command></title>
<para>Reports whether the system is equipped with a usable TPM2 device. If a TPM2 device has been
discovered, is supported, and is being used by firmware, by the OS kernel drivers and by userspace
(i.e. systemd) this prints <literal>yes</literal> and exits with exit status zero. If no such device is
discovered/supported/used, prints <literal>no</literal>. Otherwise prints
<literal>partial</literal>. In either of these two cases exits with non-zero exit status. It also shows
five lines indicating separately whether firmware, drivers, the system, the kernel and libraries
discovered/support/use TPM2.</para>
<para>Note, this checks for TPM 2.0 devices only, and does not consider TPM 1.2 at all.</para>
<para>Combine with <option>--quiet</option> to suppress the output.</para>
<example>
<title>Example Output</title>
<programlisting>yes
+firmware
+driver
+system
+subsystem
+libraries</programlisting>
</example>
<xi:include href="version-info.xml" xpointer="v257"/>
</refsect2>
<refsect2>
<title><command>systemd-analyze pcrs <optional><replaceable>PCR</replaceable></optional></command></title>
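Review bot: the prose lists the five indicator lines as "firmware, drivers, the system, the kernel and libraries", but the example output shows `+firmware`, `+driver`, `+system`, `+subsystem`, `+libraries`; "the kernel" and `+subsystem` need to be reconciled, and the singular/plural forms aligned with the actual output so readers can match them. Also "In either of these two cases exits with non-zero exit status" follows a description of three outcomes (yes/no/partial); say "in the `no` and `partial` cases" instead.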
@ -1653,6 +1687,12 @@ io.systemd.credential:vmm.notify_socket=vsock-stream:2:254570042
<constant>12</constant>, <constant>0</constant>, <constant>11</constant> is returned if the second
version string is respectively larger, equal, or smaller to the first. In the three-argument form,
<constant>0</constant> or <constant>1</constant> if the condition is respectively true or false.</para>
<para>In case of the <command>has-tpm2</command> command returns 0 if a TPM2 device is discovered,
supported and used by firmware, driver, and userspace (i.e. systemd). Otherwise returns the OR
combination of the value 1 (in case firmware support is missing), 2 (in case driver support is missing)
and 4 (in case userspace support is missing). If no TPM2 support is available at all, value 7 is hence
returned.</para>
</refsect1>
<xi:include href="common-variables.xml" />
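Review bot: the exit status text maps only three bits (firmware = 1, driver = 2, userspace = 4), but the command now reports five indicators (system, subsystem and libraries on top of firmware and driver); say which of the five feed into bit 4, otherwise a `partial` result cannot be decoded from the exit code. Also "In case of the has-tpm2 command returns 0" is missing its subject; "In case of the has-tpm2 command, 0 is returned" or "The has-tpm2 command returns 0" reads correctly.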

View File

@ -177,22 +177,6 @@
<xi:include href="version-info.xml" xpointer="v250"/></listitem>
</varlistentry>
<varlistentry>
<term><command>has-tpm2</command></term>
<listitem><para>Reports whether the system is equipped with a TPM2 device usable for protecting
credentials. If a TPM2 device has been discovered, is supported, and is being used by firmware,
by the OS kernel drivers and by userspace (i.e. systemd) this prints <literal>yes</literal> and exits
with exit status zero. If no such device is discovered/supported/used, prints
<literal>no</literal>. Otherwise prints <literal>partial</literal>. In either of these two cases
exits with non-zero exit status. It also shows four lines indicating separately whether firmware,
drivers, the system and the kernel discovered/support/use TPM2.</para>
<para>Combine with <option>--quiet</option> to suppress the output.</para>
<xi:include href="version-info.xml" xpointer="v251"/></listitem>
</varlistentry>
<xi:include href="standard-options.xml" xpointer="help" />
<xi:include href="standard-options.xml" xpointer="version" />
</variablelist>
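Review bot: removing the `has-tpm2` entry here drops a documented verb without telling readers where it went; unless `systemd-creds has-tpm2` is kept as a compatibility alias, add a one-line pointer to `systemd-analyze has-tpm2`, where this patch series moves the description, so scripts that still call the old verb can be updated.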
@ -445,8 +429,7 @@
<term><option>--quiet</option></term>
<term><option>-q</option></term>
<listitem><para>When used with <command>has-tpm2</command> suppresses the output, and only returns an
exit status indicating support for TPM2.</para>
<listitem><para>Suppress additional output.</para>
<xi:include href="version-info.xml" xpointer="v251"/></listitem>
</varlistentry>
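Review bot: "Suppress additional output." is vague now that the `has-tpm2`-specific sentence is gone; name which verbs honour `--quiet` and what they leave out, since the previous wording at least told the reader what was suppressed. The version-info still points at v251, which is fine if the option itself is unchanged.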
@ -461,12 +444,6 @@
<title>Exit status</title>
<para>On success, 0 is returned.</para>
<para>In case of the <command>has-tpm2</command> command returns 0 if a TPM2 device is discovered,
supported and used by firmware, driver, and userspace (i.e. systemd). Otherwise returns the OR
combination of the value 1 (in case firmware support is missing), 2 (in case driver support is missing)
and 4 (in case userspace support is missing). If no TPM2 support is available at all, value 7 is hence
returned.</para>
</refsect1>
<refsect1>

View File

@ -286,9 +286,9 @@
<title>Generate a private/public key pair, a unified kernel image, and a TPM PCR 11 signature for
it, and embed the signature and the public key in the image</title>
<programlisting>$ openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out tpm2-pcr-private.pem
<programlisting>$ openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out tpm2-pcr-private-key.pem
..+.+++++++++......+.........+......+.......+....+.....+.+...+..........
$ openssl rsa -pubout -in tpm2-pcr-private.pem -out tpm2-pcr-public.pem
$ openssl rsa -pubout -in tpm2-pcr-private-key.pem -out tpm2-pcr-public-key.pem
# systemd-measure sign \
--linux=vmlinux \
--osrel=os-release.txt \
@ -296,25 +296,25 @@ $ openssl rsa -pubout -in tpm2-pcr-private.pem -out tpm2-pcr-public.pem
--initrd=initrd.cpio \
--splash=splash.bmp \
--dtb=devicetree.dtb \
--pcrpkey=tpm2-pcr-public.pem \
--pcrpkey=tpm2-pcr-public-key.pem \
--bank=sha1 \
--bank=sha256 \
--private-key=tpm2-pcr-private.pem \
--public-key=tpm2-pcr-public.pem >tpm2-pcr-signature.json
--private-key=tpm2-pcr-private-key.pem \
--public-key=tpm2-pcr-public-key.pem >tpm2-pcr-signature.json
# ukify --output=vmlinuz.efi \
--os-release=@os-release.txt \
--cmdline=@cmdline.txt \
--splash=splash.bmp \
--devicetree=devicetree.dtb \
--pcr-private-key=tpm2-pcr-private.pem \
--pcr-public-key=tpm2-pcr-public.pem \
--pcr-private-key=tpm2-pcr-private-key.pem \
--pcr-public-key=tpm2-pcr-public-key.pem \
--pcr-banks=sha1,sha256 \
vmlinux initrd.cpio</programlisting>
<para>Later on, enroll the signed PCR policy on a LUKS volume:</para>
<programlisting># systemd-cryptenroll --tpm2-device=auto \
--tpm2-public-key=tpm2-pcr-public.pem \
--tpm2-public-key=tpm2-pcr-public-key.pem \
--tpm2-signature=tpm2-pcr-signature.json \
/dev/sda5</programlisting>
@ -339,38 +339,38 @@ $ openssl rsa -pubout -in tpm2-pcr-private.pem -out tpm2-pcr-public.pem
two classes of secrets or credentials: one that can be unlocked during the entire runtime, and the
other that can only be used in the initrd.</para>
<programlisting>$ openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out tpm2-pcr-private.pem
<programlisting>$ openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out tpm2-pcr-private-key.pem
.+........+.+........+.......+...+...+........+....+......+..+..........
$ openssl rsa -pubout -in tpm2-pcr-private.pem -out tpm2-pcr-public.pem
$ openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out tpm2-pcr-initrd-private.pem
$ openssl rsa -pubout -in tpm2-pcr-private-key.pem -out tpm2-pcr-public-key.pem
$ openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out tpm2-pcr-private-key-initrd.pem
..+.......++........+........+......+........+....+.....+.+..+..........
$ openssl rsa -pubout -in tpm2-pcr-initrd-private.pem -out tpm2-pcr-initrd-public.pem
$ openssl rsa -pubout -in tpm2-pcr-private-key-initrd.pem -out tpm2-pcr-public-key-initrd.pem
# ukify --output vmlinux-1.2.3.efi \
--os-release=@os-release.txt \
--cmdline=@cmdline.txt \
--splash=splash.bmp \
--devicetree=devicetree.dtb \
--pcr-private-key=tpm2-pcr-private.pem \
--pcr-public-key=tpm2-pcr-public.pem \
--pcr-private-key=tpm2-pcr-private-key.pem \
--pcr-public-key=tpm2-pcr-public-key.pem \
--phases=enter-initrd,enter-initrd:leave-initrd,enter-initrd:leave-initrd:sysinit,enter-initrd:leave-initrd:sysinit:ready \
--pcr-banks=sha1,sha256 \
--pcr-private-key=tpm2-pcr-initrd-private.pem \
--pcr-public-key=tpm2-pcr-initrd-public.pem \
--pcr-private-key=tpm2-pcr-private-key-initrd.pem \
--pcr-public-key=tpm2-pcr-public-key-initrd.pem \
--phases=enter-initrd \
vmlinux-1.2.3 initrd.cpio \
--uname=1.2.3
+ /usr/lib/systemd/systemd-measure sign --linux=vmlinux-1.2.3 \
--osrel=os-release.txt --cmdline=cmdline.txt --dtb=devicetree.dtb \
--splash=splash.bmp --initrd=initrd.cpio --bank=sha1 --bank=sha256 \
--private-key=tpm2-pcr-private.pem --public-key=tpm2-pcr-public.pem \
--private-key=tpm2-pcr-private-key.pem --public-key=tpm2-pcr-public-key.pem \
--phase=enter-initrd --phase=enter-initrd:leave-initrd \
--phase=enter-initrd:leave-initrd:sysinit \
--phase=enter-initrd:leave-initrd:sysinit:ready
+ /usr/lib/systemd/systemd-measure sign --linux=vmlinux-1.2.3 \
--osrel=os-release.txt --cmdline=cmdline.txt --dtb=devicetree.dtb \
--splash=splash.bmp --initrd=initrd.cpio --bank=sha1 --bank=sha256 \
--private-key=tpm2-pcr-initrd-private.pem \
--public-key=tpm2-pcr-initrd-public.pem \
--private-key=tpm2-pcr-private-key-initrd.pem \
--public-key=tpm2-pcr-public-key-initrd.pem \
--phase=enter-initrd
Wrote unsigned vmlinux-1.2.3.efi
</programlisting>
@ -385,8 +385,8 @@ Wrote unsigned vmlinux-1.2.3.efi
by the first <option>--pcr-private-key=</option> option, covering all boot phases. The
<literal>.pcrpkey</literal> section is used in the default policies of
<command>systemd-cryptenroll</command> and <command>systemd-creds</command>. To use the stricter policy
bound to <filename>tpm-pcr-initrd-public.pem</filename>, specify <option>--tpm2-public-key=</option> on
the command line of those tools.</para>
bound to <filename>tpm2-pcr-public-key-initrd.pem</filename>, specify
<option>--tpm2-public-key=</option> on the command line of those tools.</para>
</example>
</refsect1>

View File

@ -29,7 +29,7 @@
<refsect1>
<title>Description</title>
<para><command>systemd-nsresourced</command> is a system service that permits transient delegation of a a
<para><command>systemd-nsresourced</command> is a system service that permits transient delegation of a
UID/GID range to a user namespace (see <citerefentry
project='man-pages'><refentrytitle>user_namespaces</refentrytitle><manvolnum>7</manvolnum></citerefentry>)
allocated by a client, via a Varlink IPC API.</para>

View File

@ -115,7 +115,7 @@
result can be pre-calculated without too much effort. The <literal>.pcrsig</literal> section is not
included in this PCR measurement, since it is supposed to contain signatures for the output of the
measurement operation, and thus cannot also be input to it. If an UKI contains multiple profiles, only
the PE sections of the selected profile (and those of the base profile, except if overriden) are
the PE sections of the selected profile (and those of the base profile, except if overridden) are
measured.</para>
<para>If non-zero, the selected numeric profile is measured into PCR 12.</para>
@ -641,7 +641,7 @@
</varlistentry>
<varlistentry>
<term><filename>/.extra/tpm2-pcr-pkey.pem</filename></term>
<term><filename>/.extra/tpm2-pcr-public-key.pem</filename></term>
<listitem><para>The PEM public key included in the <literal>.pcrpkey</literal> PE section of the
unified kernel image is copied into the <filename>/.extra/tpm2-pcr-public-key.pem</filename> file in
the initrd execution environment.</para>
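Review bot: this renames a runtime path that the stub exposes to the initrd (/.extra/tpm2-pcr-pkey.pem becomes /.extra/tpm2-pcr-public-key.pem). Anything in the initrd that reads the old name stops working unless the stub writes the new one; the code side of that rename is not in this diff, so confirm it lands together, and consider documenting the old name as an alias for a transition period.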


@ -152,10 +152,11 @@
<varlistentry>
<term><option>--purge</option></term>
<listitem><para>If this option is passed, all files and directories marked for
<emphasis>creation</emphasis> by the <filename>tmpfiles.d/</filename> files specified on the command
line will be <emphasis>deleted</emphasis>. Specifically, this acts on all files and directories
marked with <varname>f</varname>, <varname>F</varname>, <varname>d</varname>, <varname>D</varname>,
<listitem><para>If this option is passed, all files and directories declared for
<emphasis>creation</emphasis> and marked with the <literal>$</literal> character by the
<filename>tmpfiles.d/</filename> files specified on the command line will be
<emphasis>deleted</emphasis>. Specifically, this acts on all files and directories marked with
<varname>f</varname>, <varname>F</varname>, <varname>d</varname>, <varname>D</varname>,
<varname>v</varname>, <varname>q</varname>, <varname>Q</varname>, <varname>p</varname>,
<varname>L</varname>, <varname>c</varname>, <varname>b</varname>, <varname>C</varname>,
<varname>w</varname>, <varname>e</varname>. If this switch is used at least one
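Review bot: with the `$` requirement added in the first sentence, the following "Specifically, this acts on all files and directories marked with f, F, d, ..." can still be read as applying to every such line regardless of `$`; rephrase along the lines of "Specifically, of the lines carrying $, this acts on those of type f, F, d, ..." so the two conditions are clearly conjunctive.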


@ -3001,7 +3001,12 @@ SystemCallErrorNumber=EPERM</programlisting>
<para><option>tty</option> connects standard output to a tty (as configured via <varname>TTYPath=</varname>,
see below). If the TTY is used for output only, the executed process will not become the controlling process of
the terminal, and will not fail or wait for other processes to release the terminal.</para>
the terminal, and will not fail or wait for other processes to release the terminal. Note: if a unit
tries to print multiple lines to a TTY during bootup or shutdown, then there's a chance that those
lines will be broken up by status messages. <function>SetShowStatus()</function> can be used to
prevent this problem. See
<citerefentry project="man-pages"><refentrytitle>org.freedesktop.systemd1</refentrytitle><manvolnum>5</manvolnum></citerefentry>
for details.</para>
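Review bot: the new citerefentry carries project="man-pages" for org.freedesktop.systemd1(5), but that page is part of systemd, not the Linux man-pages project (compare the user_namespaces(7) reference earlier in this diff, where the attribute is appropriate); drop the project attribute so the link resolves to systemd's own page. Minor: "bootup" reads better as "boot".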
<para><option>journal</option> connects standard output with the journal, which is accessible via
<citerefentry><refentrytitle>journalctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>. Note


@ -568,7 +568,11 @@
<listitem><para>Enables display of status messages on the
console, as controlled via
<varname>systemd.show_status=1</varname> on the kernel command
line.</para></listitem>
line.</para>
<para>You may want to use <function>SetShowStatus()</function> instead of
<constant>SIGRTMIN+20</constant> in order to prevent race conditions. See
<citerefentry project="man-pages"><refentrytitle>org.freedesktop.systemd1</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
</para></listitem>
</varlistentry>
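Review bot: same project="man-pages" problem as in the StandardOutput= note: org.freedesktop.systemd1(5) is a systemd manual page, so the attribute should go. The text also says only "race conditions"; one clause on what can race (a status change racing with a concurrent one sent by signal) would tell the reader why the method call is preferable.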
<varlistentry>
@ -579,7 +583,11 @@
controlled via
<varname>systemd.show_status=0</varname>
on the kernel command
line.</para></listitem>
line.</para>
<para>You may want to use <function>SetShowStatus()</function> instead of
<constant>SIGRTMIN+21</constant> in order to prevent race conditions. See
<citerefentry project="man-pages"><refentrytitle>org.freedesktop.systemd1</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
</para></listitem>
</varlistentry>
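Review bot: same as the SIGRTMIN+20 entry: drop project="man-pages" from the org.freedesktop.systemd1 reference.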
<varlistentry>


@ -539,6 +539,10 @@ w- /proc/sys/vm/swappiness - - - - 10</programlisting></para>
service, the line is silently skipped. If <literal>^</literal> and <literal>~</literal> are combined
Base64 decoding is applied to the credential contents.</para>
<para>If the dollar sign (<literal>$</literal>) is used, the file becomes subject to removal when
<command>systemd-tmpfiles</command> is invoked with the <option>--purge</option> switch. Lines without
this character are unaffected by that switch.</para>
<para>Note that for all line types that result in creation of any kind of file node
(i.e. <varname>f</varname>,
<varname>d</varname>/<varname>D</varname>/<varname>v</varname>/<varname>q</varname>/<varname>Q</varname>,
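Review bot: the new paragraph should say on which line types `$` is valid (the --purge documentation in this same series lists f, F, d, D, v, q, Q, p, L, c, b, C, w, e) and whether it may be combined with the ^ and ~ modifiers explained in the sentence just above; since that sentence spells out how ^ and ~ combine, a reader will otherwise be left guessing whether `$^` is accepted.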


@ -141,6 +141,12 @@
For example, e"string\n" is parsed as 7 characters: 6 lowercase letters and a newline.
This can be useful for writing special characters when a kernel driver requires them.</para>
<para>The string can be prefixed with a lowercase i (i"string") to mark that the string or pattern
will match case-insensitively. For example, i"foo" will match
<literal>foo</literal>, <literal>FOO</literal>, <literal>FoO</literal> and so on. The prefix can be
used only for match (<literal>==</literal>) or unmatch (<literal>!=</literal>) rules, e.g.
<varname>ATTR{foo}==i"abcd"</varname>.</para>
<para>Please note that <constant>NUL</constant> is not allowed in either string variant.</para>
</refsect2>
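Review bot: the paragraph above introduces the e"string" prefix and this one adds i"string"; state whether the two can be combined and, if so, in which order (whether ie"..." or ei"..." is accepted), because a rule author who needs both will try it. Spelling out the restriction to == and != is good to have.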


@ -1,14 +1,14 @@
[UKI]
SecureBootPrivateKey=/etc/kernel/secure-boot.key.pem
SecureBootCertificate=/etc/kernel/secure-boot.cert.pem
SecureBootPrivateKey=/etc/kernel/secure-boot-key.pem
SecureBootCertificate=/etc/kernel/secure-boot-certificate.pem
[PCRSignature:initrd]
Phases=enter-initrd
PCRPrivateKey=/etc/kernel/pcr-initrd.key.pem
PCRPublicKey=/etc/kernel/pcr-initrd.pub.pem
PCRPrivateKey=/etc/systemd/tpm2-pcr-private-key-initrd.pem
PCRPublicKey=/etc/systemd/tpm2-pcr-public-key-initrd.pem
[PCRSignature:system]
Phases=enter-initrd:leave-initrd enter-initrd:leave-initrd:sysinit
enter-initrd:leave-initrd:sysinit:ready
PCRPrivateKey=/etc/kernel/pcr-system.key.pem
PCRPublicKey=/etc/kernel/pcr-system.pub.pem
PCRPrivateKey=/etc/systemd/tpm2-pcr-private-key-system.pem
PCRPublicKey=/etc/systemd/tpm2-pcr-public-key-system.pem
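Review bot: the PCR signing keys move from /etc/kernel/ to /etc/systemd/ while the Secure Boot key and certificate stay in /etc/kernel/; if that split is intended, a one-line comment in the file (or in the commit message) saying why would save the next reader a question. The `ukify genkey` output shown in the man page has to stay in sync with these defaults.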


@ -619,11 +619,11 @@
--initrd=/some/path/initramfs-6.0.9-300.fc37.x86_64.img \
--sbat='sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
uki.author.myimage,1,UKI for System,uki.author.myimage,1,https://uapi-group.org/specifications/specs/unified_kernel_image/' \
--pcr-private-key=pcr-private-initrd-key.pem \
--pcr-public-key=pcr-public-initrd-key.pem \
--pcr-private-key=tpm2-pcr-private-key-initrd.pem \
--pcr-public-key=tpm2-pcr-public-key-initrd.pem \
--phases='enter-initrd' \
--pcr-private-key=pcr-private-system-key.pem \
--pcr-public-key=pcr-public-system-key.pem \
--pcr-private-key=tpm2-pcr-private-key-system.pem \
--pcr-public-key=tpm2-pcr-public-key-system.pem \
--phases='enter-initrd:leave-initrd enter-initrd:leave-initrd:sysinit \
enter-initrd:leave-initrd:sysinit:ready' \
--pcr-banks=sha384,sha512 \
@ -638,9 +638,9 @@
and <filename index='false'>initramfs-6.0.9-300.fc37.x86_64.img</filename>.
The policy embedded in the <literal>.pcrsig</literal> section will be signed for the initrd (the
<constant>enter-initrd</constant> phase) with the key
<filename index='false'>pcr-private-initrd-key.pem</filename>, and for the main system (phases
<filename index='false'>tpm2-pcr-private-key-initrd.pem</filename>, and for the main system (phases
<constant>leave-initrd</constant>, <constant>sysinit</constant>, <constant>ready</constant>) with the
key <filename index='false'>pcr-private-system-key.pem</filename>. The Linux binary and the resulting
key <filename index='false'>tpm2-pcr-private-key-system.pem</filename>. The Linux binary and the resulting
combined image will be signed with the SecureBoot key <filename index='false'>sb.key</filename>.</para>
</example>
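Review bot: the unchanged last line still says the image "will be signed with the SecureBoot key sb.key", while the config and addon examples further down are renamed to secure-boot-key.pem; check that the --secureboot-private-key= line of this example (outside the hunk) was renamed as well, otherwise prose and examples disagree.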
@ -655,19 +655,19 @@
Initrd=early_cpio
Cmdline=quiet rw rhgb
SecureBootPrivateKey=sb.key
SecureBootCertificate=sb.cert
SecureBootPrivateKey=secure-boot-key.pem
SecureBootCertificate=secure-boot-certificate.pem
SignKernel=yes
PCRBanks=sha384,sha512
[PCRSignature:initrd]
PCRPrivateKey=pcr-private-initrd-key.pem
PCRPublicKey=pcr-public-initrd-key.pem
PCRPrivateKey=tpm2-pcr-private-key-initrd.pem
PCRPublicKey=tpm2-pcr-public-key-initrd.pem
Phases=enter-initrd
[PCRSignature:system]
PCRPrivateKey=pcr-private-system-key.pem
PCRPublicKey=pcr-public-system-key.pem
PCRPrivateKey=tpm2-pcr-private-key-system.pem
PCRPublicKey=tpm2-pcr-public-key-system.pem
Phases=enter-initrd:leave-initrd
enter-initrd:leave-initrd:sysinit
enter-initrd:leave-initrd:sysinit:ready
@ -687,8 +687,8 @@ $ ukify -c ukify.conf build \
<title>Kernel command line PE addon</title>
<programlisting>ukify build \
--secureboot-private-key=sb.key \
--secureboot-certificate=sb.cert \
--secureboot-private-key=secure-boot-key.pem \
--secureboot-certificate=secure-boot-certificate.pem \
--cmdline='debug' \
--sbat='sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
uki-addon.author,1,UKI Addon for System,uki-addon.author,1,https://www.freedesktop.org/software/systemd/man/systemd-stub.html'
@ -709,12 +709,12 @@ $ ukify -c ukify.conf build \
<para>Next, we can generate the certificate and keys:</para>
<programlisting># ukify genkey --config=/etc/kernel/uki.conf
Writing SecureBoot private key to /etc/kernel/secure-boot.key.pem
Writing SecureBoot certificate to /etc/kernel/secure-boot.cert.pem
Writing private key for PCR signing to /etc/kernel/pcr-initrd.key.pem
Writing public key for PCR signing to /etc/kernel/pcr-initrd.pub.pem
Writing private key for PCR signing to /etc/kernel/pcr-system.key.pem
Writing public key for PCR signing to /etc/kernel/pcr-system.pub.pem
Writing SecureBoot private key to /etc/kernel/secure-boot-key.pem
Writing SecureBoot certificate to /etc/kernel/secure-boot-certificate.pem
Writing private key for PCR signing to /etc/systemd/tpm2-pcr-private-key-initrd.pem
Writing public key for PCR signing to /etc/systemd/tpm2-pcr-public-key-initrd.pem
Writing private key for PCR signing to /etc/systemd/tpm2-pcr-private-key-system.pem
Writing public key for PCR signing to /etc/systemd/tpm2-pcr-public-key-system.pem
</programlisting>
<para>(Both operations need to be done as root to allow write access


@ -58,23 +58,18 @@ OPTIONS=(
)
EOF
# Linting the PKGBUILD takes multiple seconds every build so avoid that by nuking all the linting functions.
rm /usr/share/makepkg/lint_pkgbuild/*
TS="${SOURCE_DATE_EPOCH:-$(date +%s)}"
sed --in-place "pkg/$PKG_SUBDIR/PKGBUILD" \
--expression "s/^_tag=.*/_tag=$(cat meson.version)/" \
--expression "s/^pkgrel=.*/pkgrel=$(date "+%Y%m%d%H%M%S" --date "@$TS")/"
# Replace cdrom/dialout/tape groups with optical/uucp/storage. We apply this patch manually because we run
# with --noprepare.
patch -Np1 -i pkg/arch/0001-Use-Arch-Linux-device-access-groups.patch
# We get around makepkg's root check by setting EUID to something else.
# Linting the PKGBUILD takes multiple seconds every build so avoid that by nuking all the linting functions.
# shellcheck disable=SC2046
env --chdir="pkg/$PKG_SUBDIR" \
EUID=123 \
MAKEPKG_LINT_PKGBUILD=0 \
makepkg \
--noextract \
--noprepare \
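Review bot: replacing `rm /usr/share/makepkg/lint_pkgbuild/*` with MAKEPKG_LINT_PKGBUILD=0 is the right direction, since deleting files from the build image was a blunt instrument; confirm that the makepkg shipped in the image honors MAKEPKG_LINT_PKGBUILD, because if it is ignored the script silently goes back to slow builds with no error. The "Linting the PKGBUILD..." comment now sits above the shellcheck directive; putting it directly on the MAKEPKG_LINT_PKGBUILD=0 line reads more naturally.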


@ -9,7 +9,7 @@ Environment=
GIT_URL=https://salsa.debian.org/systemd-team/systemd.git
GIT_SUBDIR=debian
GIT_BRANCH=debian/master
GIT_COMMIT=bb6db3edfe40fe1a98cdcc6d2d07a7dac38aefc5
GIT_COMMIT=0704bfd93f407eb4622c724328a5693155f913a1
PKG_SUBDIR=debian
Packages=


@ -3,18 +3,11 @@
set -e
set -o nounset
if [[ "$DISTRIBUTION" =~ ubuntu|debian ]]; then
SUDO_GROUP=sudo
else
SUDO_GROUP=wheel
fi
useradd \
--uid 4711 \
--user-group \
--create-home \
--password "$(openssl passwd -1 testuser)" \
--groups "$SUDO_GROUP",systemd-journal \
--shell /bin/bash \
testuser
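Review bot: `openssl passwd -1` produces an MD5-crypt hash; libxcrypt can be built with that hash disabled, in which case login as testuser fails on such an image. `-6` (SHA-512 crypt) is the safer choice and costs nothing here.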

po/fi.po

@ -2,21 +2,21 @@
#
# Finnish translation of systemd.
# Jan Kuparinen <copper_fin@hotmail.com>, 2021, 2022, 2023.
# Ricky Tigg <ricky.tigg@gmail.com>, 2022.
# Ricky Tigg <ricky.tigg@gmail.com>, 2022, 2024.
msgid ""
msgstr ""
"Report-Msgid-Bugs-To: \n"
"POT-Creation-Date: 2024-08-23 15:33+0200\n"
"PO-Revision-Date: 2023-08-21 17:21+0000\n"
"Last-Translator: Jan Kuparinen <copper_fin@hotmail.com>\n"
"PO-Revision-Date: 2024-09-12 13:43+0000\n"
"Last-Translator: Ricky Tigg <ricky.tigg@gmail.com>\n"
"Language-Team: Finnish <https://translate.fedoraproject.org/projects/systemd/"
"master/fi/>\n"
"main/fi/>\n"
"Language: fi\n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"
"Plural-Forms: nplurals=2; plural=n != 1;\n"
"X-Generator: Weblate 4.18.2\n"
"X-Generator: Weblate 5.7.2\n"
#: src/core/org.freedesktop.systemd1.policy.in:22
msgid "Send passphrase back to system"
@ -129,14 +129,12 @@ msgid ""
msgstr "Todennus vaaditaan käyttäjän kotialueen salasanan vaihtamiseksi."
#: src/home/org.freedesktop.home1.policy:73
#, fuzzy
msgid "Activate a home area"
msgstr "Luo kotialue"
msgstr "Aktivoi kotialue"
#: src/home/org.freedesktop.home1.policy:74
#, fuzzy
msgid "Authentication is required to activate a user's home area."
msgstr "Todennus vaaditaan käyttäjän kotialueen luomiseksi."
msgstr "Todennus vaaditaan käyttäjän kotialueen aktivoimiseksi."
#: src/home/pam_systemd_home.c:293
#, c-format
@ -364,47 +362,37 @@ msgid "Authentication is required to get system description."
msgstr "Järjestelmän kuvauksen saamiseksi vaaditaan todennus."
#: src/import/org.freedesktop.import1.policy:22
#, fuzzy
msgid "Import a disk image"
msgstr "Tuo virtuaalikoneen tai kontin levykuva"
msgstr "Tuo levykuva"
#: src/import/org.freedesktop.import1.policy:23
#, fuzzy
msgid "Authentication is required to import an image."
msgstr ""
"Todennus vaaditaan, jos haluat tuoda virtuaalikoneen tai kontin levykuvan"
msgstr "Levykuvan tuonti edellyttää todennusta."
#: src/import/org.freedesktop.import1.policy:32
#, fuzzy
msgid "Export a disk image"
msgstr "Vie virtuaalikoneen tai kontin levykuva"
msgstr "Vie levykuva"
#: src/import/org.freedesktop.import1.policy:33
#, fuzzy
msgid "Authentication is required to export disk image."
msgstr ""
"Todennus vaaditaan, jos haluat viedä virtuaalikoneen tai kontin levykuvan"
msgstr "Todennus vaaditaan levykuvan viemiseen."
#: src/import/org.freedesktop.import1.policy:42
#, fuzzy
msgid "Download a disk image"
msgstr "Lataa virtuaalikoneen tai kontin levykuva"
msgstr "Lataa levykuva"
#: src/import/org.freedesktop.import1.policy:43
#, fuzzy
msgid "Authentication is required to download a disk image."
msgstr ""
"Todennus vaaditaan, jos haluat ladata virtuaalikoneen tai kontin levykuvan"
msgstr "Todennus vaaditaan levykuvan lataamiseen."
#: src/import/org.freedesktop.import1.policy:52
msgid "Cancel transfer of a disk image"
msgstr ""
msgstr "Peruuta levykuvan siirto"
#: src/import/org.freedesktop.import1.policy:53
#, fuzzy
msgid ""
"Authentication is required to cancel the ongoing transfer of a disk image."
msgstr "Todennus vaaditaan käyttäjän kotialueen salasanan vaihtamiseksi."
msgstr "Todennus vaaditaan meneillään olevan levykuvan siirron peruuttamiseksi."
#: src/locale/org.freedesktop.locale1.policy:22
msgid "Set system locale"
@ -797,9 +785,8 @@ msgid "Set a wall message"
msgstr "Aseta seinäviesti"
#: src/login/org.freedesktop.login1.policy:397
#, fuzzy
msgid "Authentication is required to set a wall message."
msgstr "Seinäviestin asettaminen edellyttää todennusta"
msgstr "Todennus vaaditaan seinäviestin asettamiseen."
#: src/login/org.freedesktop.login1.policy:406
msgid "Change Session"
@ -869,16 +856,13 @@ msgstr ""
"Todennus vaaditaan paikallisten virtuaalikoneiden ja konttien hallintaan."
#: src/machine/org.freedesktop.machine1.policy:95
#, fuzzy
msgid "Create a local virtual machine or container"
msgstr "Hallitse paikallisia virtuaalikoneita ja kontteja"
msgstr "Luo paikallinen virtuaalikone tai säilö"
#: src/machine/org.freedesktop.machine1.policy:96
#, fuzzy
msgid ""
"Authentication is required to create a local virtual machine or container."
msgstr ""
"Todennus vaaditaan paikallisten virtuaalikoneiden ja konttien hallintaan."
msgstr "Todennus vaaditaan paikallisen virtuaalikoneen tai säilön luomiseen."
#: src/machine/org.freedesktop.machine1.policy:106
msgid "Manage local virtual machine and container images"
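Review bot: "säilö" is used for "container" here, while the unchanged strings in the same file use "kontti" (see "konttien" two lines above); pick one term and use it throughout the file.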
@ -1037,13 +1021,15 @@ msgstr "Todennus vaaditaan verkkokäyttöliittymän määrittämiseksi uudelleen
#: src/network/org.freedesktop.network1.policy:187
msgid "Specify whether persistent storage for systemd-networkd is available"
msgstr ""
msgstr "Määritä, onko systemd-networkd:lle saatavana pysyvä tallennustila"
#: src/network/org.freedesktop.network1.policy:188
msgid ""
"Authentication is required to specify whether persistent storage for systemd-"
"networkd is available."
msgstr ""
"Todennus vaaditaan sen määrittämiseksi, onko systemd-networkd:lle pysyvä "
"tallennustila saatavana."
#: src/portable/org.freedesktop.portable1.policy:13
msgid "Inspect a portable service image"
@ -1080,18 +1066,16 @@ msgid "Register a DNS-SD service"
msgstr "Rekisteröi DNS-SD-palvelu"
#: src/resolve/org.freedesktop.resolve1.policy:23
#, fuzzy
msgid "Authentication is required to register a DNS-SD service."
msgstr "Todennus vaaditaan DNS-SD-palvelun rekisteröimiseksi"
msgstr "Todennus vaaditaan DNS-SD-palvelun rekisteröimiseksi."
#: src/resolve/org.freedesktop.resolve1.policy:33
msgid "Unregister a DNS-SD service"
msgstr "Poista DNS-SD-palvelun rekisteröinti"
#: src/resolve/org.freedesktop.resolve1.policy:34
#, fuzzy
msgid "Authentication is required to unregister a DNS-SD service."
msgstr "Todennus vaaditaan DNS-SD-palvelun rekisteröinnin poistamiseksi"
msgstr "Todennus vaaditaan DNS-SD-palvelun rekisteröinnin poistamiseksi."
#: src/resolve/org.freedesktop.resolve1.policy:132
msgid "Revert name resolution settings"
@ -1103,86 +1087,79 @@ msgstr "Todennus vaaditaan aiempien nimipalveluasetusten palauttamiseksi."
#: src/resolve/org.freedesktop.resolve1.policy:143
msgid "Subscribe query results"
msgstr ""
msgstr "Tilauskyselyn tulokset"
#: src/resolve/org.freedesktop.resolve1.policy:144
#, fuzzy
msgid "Authentication is required to subscribe query results."
msgstr "Todennus vaaditaan järjestelmän pysäyttämiseksi väliaikaisesti."
msgstr "Todennus vaaditaan kyselytulosten tilaamiseen."
#: src/resolve/org.freedesktop.resolve1.policy:154
msgid "Dump cache"
msgstr ""
msgstr "Tyhjennä välimuisti"
#: src/resolve/org.freedesktop.resolve1.policy:155
#, fuzzy
msgid "Authentication is required to dump cache."
msgstr "Todennus vaaditaan toimialueiden asettamiseen."
msgstr "Todennus vaaditaan välimuistin tyhjentämiseen."
#: src/resolve/org.freedesktop.resolve1.policy:165
msgid "Dump server state"
msgstr ""
msgstr "Tyhjennä palvelimen tila"
#: src/resolve/org.freedesktop.resolve1.policy:166
#, fuzzy
msgid "Authentication is required to dump server state."
msgstr "Todennus vaaditaan NTP-palvelimien asettamiseen."
msgstr "Todennus vaaditaan palvelimen tilan tyhjentämiseksi."
#: src/resolve/org.freedesktop.resolve1.policy:176
msgid "Dump statistics"
msgstr ""
msgstr "Tyhjennä tilastot"
#: src/resolve/org.freedesktop.resolve1.policy:177
#, fuzzy
msgid "Authentication is required to dump statistics."
msgstr "Todennus vaaditaan toimialueiden asettamiseen."
msgstr "Todennus vaaditaan tilastojen tyhjentämiseen."
#: src/resolve/org.freedesktop.resolve1.policy:187
msgid "Reset statistics"
msgstr ""
msgstr "Nollaa tilastot"
#: src/resolve/org.freedesktop.resolve1.policy:188
#, fuzzy
msgid "Authentication is required to reset statistics."
msgstr "Todennus vaaditaan aiempien NTP-asetusten palauttamiseksi."
msgstr "Todennus vaaditaan tilastojen nollaamiseen."
#: src/sysupdate/org.freedesktop.sysupdate1.policy:35
msgid "Check for system updates"
msgstr ""
msgstr "Tarkista, onko järjestelmäpäivityksiä"
#: src/sysupdate/org.freedesktop.sysupdate1.policy:36
#, fuzzy
msgid "Authentication is required to check for system updates."
msgstr "Todennus vaaditaan järjestelmän ajan asettamiseksi."
msgstr "Todennus vaaditaan järjestelmäpäivitysten tarkistamiseen."
#: src/sysupdate/org.freedesktop.sysupdate1.policy:45
msgid "Install system updates"
msgstr ""
msgstr "Asenna järjestelmäpäivitykset"
#: src/sysupdate/org.freedesktop.sysupdate1.policy:46
#, fuzzy
msgid "Authentication is required to install system updates."
msgstr "Todennus vaaditaan järjestelmän ajan asettamiseksi."
msgstr "Todennus vaaditaan järjestelmäpäivitysten asentamiseen."
#: src/sysupdate/org.freedesktop.sysupdate1.policy:55
msgid "Install specific system version"
msgstr ""
msgstr "Asenna tietty järjestelmäversio"
#: src/sysupdate/org.freedesktop.sysupdate1.policy:56
#, fuzzy
msgid ""
"Authentication is required to update the system to a specific (possibly old) "
"version."
msgstr "Todennus vaaditaan järjestelmän aikavyöhykkeen asettamiseksi."
msgstr ""
"Todennus vaaditaan järjestelmän päivittämiseen tiettyyn, mahdollisesti "
"vanhaan versioon."
#: src/sysupdate/org.freedesktop.sysupdate1.policy:65
msgid "Cleanup old system updates"
msgstr ""
msgstr "Puhdista vanhat järjestelmäpäivitykset"
#: src/sysupdate/org.freedesktop.sysupdate1.policy:66
#, fuzzy
msgid "Authentication is required to cleanup old system updates."
msgstr "Todennus vaaditaan järjestelmän ajan asettamiseksi."
msgstr "Todennus vaaditaan vanhojen järjestelmäpäivitysten puhdistamiseen."
#: src/timedate/org.freedesktop.timedate1.policy:22
msgid "Set system time"
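Review bot: "Tyhjennä" means "empty/clear", but "Dump cache", "Dump server state" and "Dump statistics" here mean printing the contents out, not clearing them ("Reset statistics" is the one that clears); "Tulosta välimuisti" / "Tulosta palvelimen tila" / "Tulosta tilastot" (or "Vedosta ...") would not mislead a user into expecting a destructive action, and the matching "Todennus vaaditaan ... tyhjentämiseen" strings need the same fix. Likewise "Tilauskyselyn tulokset" reads as "results of a subscription query"; "Tilaa kyselyn tulokset" matches "Subscribe query results".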


@ -0,0 +1,9 @@
/* SPDX-License-Identifier: LGPL-2.1-or-later */
#include "analyze.h"
#include "analyze-has-tpm2.h"
#include "tpm2-util.h"
int verb_has_tpm2(int argc, char **argv, void *userdata) {
return verb_has_tpm2_generic(arg_quiet);
}


@ -0,0 +1,4 @@
/* SPDX-License-Identifier: LGPL-2.1-or-later */
#pragma once
int verb_has_tpm2(int argc, char *argv[], void *userdata);


@ -26,6 +26,7 @@
#include "analyze-exit-status.h"
#include "analyze-fdstore.h"
#include "analyze-filesystems.h"
#include "analyze-has-tpm2.h"
#include "analyze-image-policy.h"
#include "analyze-inspect-elf.h"
#include "analyze-log-control.h"
@ -253,6 +254,7 @@ static int help(int argc, char *argv[], void *userdata) {
"\n%3$sExecutable Analysis:%4$s\n"
" inspect-elf FILE... Parse and print ELF package metadata\n"
"\n%3$sTPM Operations:%4$s\n"
" has-tpm2 Report whether TPM2 support is available\n"
" pcrs [PCR...] Show TPM2 PCRs and their names\n"
" srk [>FILE] Write TPM2 SRK (to FILE)\n"
"\n%3$sOptions:%4$s\n"
@ -700,6 +702,7 @@ static int run(int argc, char *argv[]) {
{ "malloc", VERB_ANY, VERB_ANY, 0, verb_malloc },
{ "fdstore", 2, VERB_ANY, 0, verb_fdstore },
{ "image-policy", 2, 2, 0, verb_image_policy },
{ "has-tpm2", VERB_ANY, 1, 0, verb_has_tpm2 },
{ "pcrs", VERB_ANY, VERB_ANY, 0, verb_pcrs },
{ "srk", VERB_ANY, 1, 0, verb_srk },
{ "architectures", VERB_ANY, VERB_ANY, 0, verb_architectures },


@ -14,6 +14,7 @@ systemd_analyze_sources = files(
'analyze-exit-status.c',
'analyze-fdstore.c',
'analyze-filesystems.c',
'analyze-has-tpm2.c',
'analyze-image-policy.c',
'analyze-inspect-elf.c',
'analyze-log-control.c',


@ -221,6 +221,12 @@ const char* const systemd_features =
" -BPF_FRAMEWORK"
#endif
#if HAVE_VMLINUX_H
" +BTF"
#else
" -BTF"
#endif
#if HAVE_XKBCOMMON
" +XKBCOMMON"
#else
@ -247,7 +253,7 @@ const char* const systemd_features =
;
static char *systemd_features_with_color(void) {
static char* systemd_features_with_color(void) {
const char *p = systemd_features;
_cleanup_free_ char *ret = NULL;
int r;


@ -145,8 +145,10 @@ int efi_get_variable(
int efi_get_variable_string(const char *variable, char **ret) {
_cleanup_free_ void *s = NULL;
size_t ss = 0;
int r;
char *x;
int r;
assert(variable);
r = efi_get_variable(variable, NULL, &s, &ss);
if (r < 0)
@ -156,10 +158,27 @@ int efi_get_variable_string(const char *variable, char **ret) {
if (!x)
return -ENOMEM;
*ret = x;
if (ret)
*ret = x;
return 0;
}
int efi_get_variable_path(const char *variable, char **ret) {
int r;
assert(variable);
r = efi_get_variable_string(variable, ret);
if (r < 0)
return r;
if (ret)
efi_tilt_backslashes(*ret);
return r;
}
static int efi_verify_variable(const char *variable, uint32_t attr, const void *value, size_t size) {
_cleanup_free_ void *buf = NULL;
size_t n;
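Review bot: with `if (ret) *ret = x;` the string in x is leaked whenever the caller passes NULL for ret, which is exactly the case this change adds support for. Declare it `_cleanup_free_ char *x` (as s already is) and hand it over with `if (ret) *ret = TAKE_PTR(x);`. In efi_get_variable_path() the final `return r;` is always 0 at that point; `return 0;` says so explicitly.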


@ -11,6 +11,7 @@
#include "sd-id128.h"
#include "efivars-fundamental.h"
#include "string-util.h"
#include "time-util.h"
#define EFI_VENDOR_LOADER SD_ID128_MAKE(4a,67,b0,82,0a,4c,41,cf,b6,c7,44,0b,29,bb,8c,4f)
@ -47,6 +48,7 @@
int efi_get_variable(const char *variable, uint32_t *attribute, void **ret_value, size_t *ret_size);
int efi_get_variable_string(const char *variable, char **ret);
int efi_get_variable_path(const char *variable, char **ret);
int efi_set_variable(const char *variable, const void *value, size_t size);
int efi_set_variable_string(const char *variable, const char *p);
@ -68,6 +70,10 @@ static inline int efi_get_variable_string(const char *variable, char **ret) {
return -EOPNOTSUPP;
}
static inline int efi_get_variable_path(const char *variable, char **ret) {
return -EOPNOTSUPP;
}
static inline int efi_set_variable(const char *variable, const void *value, size_t size) {
return -EOPNOTSUPP;
}
@ -100,3 +106,7 @@ static inline int systemd_efi_options_efivarfs_if_newer(char **line) {
return -ENODATA;
}
#endif
static inline char *efi_tilt_backslashes(char *s) {
return string_replace_char(s, '\\', '/');
}
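Review bot: efi_tilt_backslashes() is a one-line wrapper around string_replace_char() and is what forced the new string-util.h include at the top of this header; if efi_get_variable_path() is its only user, a static helper in efivars.c keeps the header's include footprint unchanged. Placing it after the `#endif` at least means it is available in both the ENABLE_EFI and stub configurations, which is correct.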

src/basic/format-ifname.c (new file)

@ -0,0 +1,37 @@
/* SPDX-License-Identifier: LGPL-2.1-or-later */
#include "format-ifname.h"
#include "string-util.h"
assert_cc(STRLEN("%") + DECIMAL_STR_MAX(int) <= IF_NAMESIZE);
int format_ifname_full(int ifindex, FormatIfnameFlag flag, char buf[static IF_NAMESIZE]) {
if (ifindex <= 0)
return -EINVAL;
if (if_indextoname(ifindex, buf))
return 0;
if (!FLAGS_SET(flag, FORMAT_IFNAME_IFINDEX))
return -errno;
if (FLAGS_SET(flag, FORMAT_IFNAME_IFINDEX_WITH_PERCENT))
assert_se(snprintf_ok(buf, IF_NAMESIZE, "%%%d", ifindex));
else
assert_se(snprintf_ok(buf, IF_NAMESIZE, "%d", ifindex));
return 0;
}
int format_ifname_full_alloc(int ifindex, FormatIfnameFlag flag, char **ret) {
char buf[IF_NAMESIZE];
int r;
assert(ret);
r = format_ifname_full(ifindex, flag, buf);
if (r < 0)
return r;
return strdup_to(ret, buf);
}
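Review bot: the switch from assert() to assert_se() around snprintf_ok() (the copy being removed from format-util.c used plain assert()) is a real behaviour fix, since with assert() the snprintf call itself is compiled out in NDEBUG builds and buf is left unset; call that out in the commit message rather than leaving it inside what reads as a file move. The new file also no longer includes stdio-util.h (which the old location did) for snprintf_ok(), nor errno.h for errno; add both explicitly rather than relying on transitive includes.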

src/basic/format-ifname.h (new file)

@ -0,0 +1,27 @@
/* SPDX-License-Identifier: LGPL-2.1-or-later */
#pragma once
#include <net/if.h>
typedef enum {
FORMAT_IFNAME_IFINDEX = 1 << 0,
FORMAT_IFNAME_IFINDEX_WITH_PERCENT = (1 << 1) | FORMAT_IFNAME_IFINDEX,
} FormatIfnameFlag;
int format_ifname_full(int ifindex, FormatIfnameFlag flag, char buf[static IF_NAMESIZE]);
int format_ifname_full_alloc(int ifindex, FormatIfnameFlag flag, char **ret);
static inline int format_ifname(int ifindex, char buf[static IF_NAMESIZE]) {
return format_ifname_full(ifindex, 0, buf);
}
static inline int format_ifname_alloc(int ifindex, char **ret) {
return format_ifname_full_alloc(ifindex, 0, ret);
}
static inline char* _format_ifname_full(int ifindex, FormatIfnameFlag flag, char buf[static IF_NAMESIZE]) {
(void) format_ifname_full(ifindex, flag, buf);
return buf;
}
#define FORMAT_IFNAME_FULL(index, flag) _format_ifname_full(index, flag, (char[IF_NAMESIZE]){})
#define FORMAT_IFNAME(index) _format_ifname_full(index, 0, (char[IF_NAMESIZE]){})


@ -5,38 +5,6 @@
#include "stdio-util.h"
#include "strxcpyx.h"
assert_cc(STRLEN("%") + DECIMAL_STR_MAX(int) <= IF_NAMESIZE);
int format_ifname_full(int ifindex, FormatIfnameFlag flag, char buf[static IF_NAMESIZE]) {
if (ifindex <= 0)
return -EINVAL;
if (if_indextoname(ifindex, buf))
return 0;
if (!FLAGS_SET(flag, FORMAT_IFNAME_IFINDEX))
return -errno;
if (FLAGS_SET(flag, FORMAT_IFNAME_IFINDEX_WITH_PERCENT))
assert(snprintf_ok(buf, IF_NAMESIZE, "%%%d", ifindex));
else
assert(snprintf_ok(buf, IF_NAMESIZE, "%d", ifindex));
return 0;
}
int format_ifname_full_alloc(int ifindex, FormatIfnameFlag flag, char **ret) {
char buf[IF_NAMESIZE];
int r;
assert(ret);
r = format_ifname_full(ifindex, flag, buf);
if (r < 0)
return r;
return strdup_to(ret, buf);
}
char* format_bytes_full(char *buf, size_t l, uint64_t t, FormatBytesFlag flag) {
typedef struct {
const char *suffix;


@ -2,7 +2,6 @@
#pragma once
#include <inttypes.h>
#include <net/if.h>
#include <stdbool.h>
#include "cgroup-util.h"
@ -66,29 +65,6 @@ assert_cc(sizeof(gid_t) == sizeof(uint32_t));
# error Unknown ino_t size
#endif
typedef enum {
FORMAT_IFNAME_IFINDEX = 1 << 0,
FORMAT_IFNAME_IFINDEX_WITH_PERCENT = (1 << 1) | FORMAT_IFNAME_IFINDEX,
} FormatIfnameFlag;
int format_ifname_full(int ifindex, FormatIfnameFlag flag, char buf[static IF_NAMESIZE]);
int format_ifname_full_alloc(int ifindex, FormatIfnameFlag flag, char **ret);
static inline int format_ifname(int ifindex, char buf[static IF_NAMESIZE]) {
return format_ifname_full(ifindex, 0, buf);
}
static inline int format_ifname_alloc(int ifindex, char **ret) {
return format_ifname_full_alloc(ifindex, 0, ret);
}
static inline char* _format_ifname_full(int ifindex, FormatIfnameFlag flag, char buf[static IF_NAMESIZE]) {
(void) format_ifname_full(ifindex, flag, buf);
return buf;
}
#define FORMAT_IFNAME_FULL(index, flag) _format_ifname_full(index, flag, (char[IF_NAMESIZE]){})
#define FORMAT_IFNAME(index) _format_ifname_full(index, 0, (char[IF_NAMESIZE]){})
typedef enum {
FORMAT_BYTES_USE_IEC = 1 << 0,
FORMAT_BYTES_BELOW_POINT = 1 << 1,


@ -300,9 +300,10 @@ int log_emergency_level(void);
#define log_dump(level, buffer) \
log_dump_internal(level, 0, PROJECT_FILE, __LINE__, __func__, buffer)
#define log_oom() log_oom_internal(LOG_ERR, PROJECT_FILE, __LINE__, __func__)
#define log_oom_debug() log_oom_internal(LOG_DEBUG, PROJECT_FILE, __LINE__, __func__)
#define log_oom_warning() log_oom_internal(LOG_WARNING, PROJECT_FILE, __LINE__, __func__)
#define log_oom_full(level) log_oom_internal(level, PROJECT_FILE, __LINE__, __func__)
#define log_oom() log_oom_full(LOG_ERR)
#define log_oom_debug() log_oom_full(LOG_DEBUG)
#define log_oom_warning() log_oom_full(LOG_WARNING)
bool log_on_console(void) _pure_;


@ -33,6 +33,7 @@ basic_sources = files(
'fd-util.c',
'fileio.c',
'filesystems.c',
'format-ifname.c',
'format-util.c',
'fs-util.c',
'gcrypt-util.c',


@ -28,7 +28,7 @@ int sigaction_many_internal(const struct sigaction *sa, ...);
int sigset_add_many_internal(sigset_t *ss, ...);
#define sigset_add_many(...) sigset_add_many_internal(__VA_ARGS__, -1)
int sigprocmask_many_internal(int how, sigset_t *old, ...);
int sigprocmask_many_internal(int how, sigset_t *ret_old_mask, ...);
#define sigprocmask_many(...) sigprocmask_many_internal(__VA_ARGS__, -1)
const char* signal_to_string(int i) _const_;


@ -21,7 +21,7 @@
#include "escape.h"
#include "fd-util.h"
#include "fileio.h"
#include "format-util.h"
#include "format-ifname.h"
#include "io-util.h"
#include "log.h"
#include "memory-util.h"
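Review bot: swapping the include of format-util.h for format-ifname.h is only correct if nothing else in this file still needs format-util.h (FORMAT_BYTES and friends stay there per the header diff); double-check that before dropping it, otherwise add format-ifname.h alongside instead of replacing.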


@ -153,7 +153,7 @@ bool strv_overlap(char * const *a, char * const *b) _pure_;
_STRV_FOREACH_BACKWARDS(s, l, UNIQ_T(h, UNIQ), UNIQ_T(i, UNIQ))
#define _STRV_FOREACH_PAIR(x, y, l, i) \
for (typeof(*l) *x, *y, *i = (l); \
for (typeof(*(l)) *x, *y, *i = (l); \
i && *(x = i) && *(y = i + 1); \
i += 2)


@ -95,7 +95,6 @@ fsopen
fspick
fstat
fstat64
fstatat
fstatat64
fstatfs
fstatfs64
@ -247,7 +246,6 @@ munlockall
munmap
name_to_handle_at
nanosleep
newfstat
newfstatat
nice
old_adjtimex
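Review bot: fstatat and newfstat are kernel implementation names rather than __NR_ entries, and the per-architecture tables that follow carry no number for them (arm64 is the one case where "newfstat 80" becomes "fstat 80"), so removing them is right; since the identical edit repeats across every per-arch table, the commit message should say the lists are generated and from which kernel headers they were regenerated.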


@ -95,7 +95,6 @@ fsopen 540
fspick 543
fstat 91
fstat64 427
fstatat
fstatat64 455
fstatfs 329
fstatfs64 529
@ -247,7 +246,6 @@ munlockall 317
munmap 73
name_to_handle_at 497
nanosleep 340
newfstat
newfstatat
nice
old_adjtimex 303


@ -95,7 +95,6 @@ fsopen 430
fspick 433
fstat
fstat64 80
fstatat
fstatat64 79
fstatfs
fstatfs64 44
@ -247,7 +246,6 @@ munlockall 231
munmap 215
name_to_handle_at 264
nanosleep 101
newfstat
newfstatat
nice
old_adjtimex


@ -95,7 +95,6 @@ fsopen 430
fspick 433
fstat 108
fstat64 197
fstatat
fstatat64 327
fstatfs 100
fstatfs64 267
@ -247,7 +246,6 @@ munlockall 153
munmap 91
name_to_handle_at 370
nanosleep 162
newfstat
newfstatat
nice 34
old_adjtimex

View File

@ -93,9 +93,8 @@ fsetxattr 7
fsmount 432
fsopen 430
fspick 433
fstat
fstat 80
fstat64
fstatat
fstatat64
fstatfs 44
fstatfs64
@ -247,7 +246,6 @@ munlockall 231
munmap 215
name_to_handle_at 264
nanosleep 101
newfstat 80
newfstatat 79
nice
old_adjtimex

View File

@ -95,7 +95,6 @@ fsopen 430
fspick 433
fstat 108
fstat64 197
fstatat
fstatat64 300
fstatfs 100
fstatfs64 269
@ -247,7 +246,6 @@ munlockall 153
munmap 91
name_to_handle_at 341
nanosleep 162
newfstat
newfstatat
nice 34
old_adjtimex

View File

@ -93,9 +93,8 @@ fsetxattr 7
fsmount 432
fsopen 430
fspick 433
fstat
fstat 80
fstat64
fstatat
fstatat64
fstatfs 44
fstatfs64
@ -247,7 +246,6 @@ munlockall 231
munmap 215
name_to_handle_at 264
nanosleep 101
newfstat 80
newfstatat 79
nice
old_adjtimex

View File

@ -95,7 +95,6 @@ fsopen 430
fspick 433
fstat 108
fstat64 197
fstatat
fstatat64 293
fstatfs 100
fstatfs64 264
@ -247,7 +246,6 @@ munlockall 153
munmap 91
name_to_handle_at 340
nanosleep 162
newfstat
newfstatat
nice 34
old_adjtimex

View File

@ -95,7 +95,6 @@ fsopen 5430
fspick 5433
fstat 5005
fstat64
fstatat
fstatat64
fstatfs 5135
fstatfs64
@ -247,7 +246,6 @@ munlockall 5149
munmap 5011
name_to_handle_at 5298
nanosleep 5034
newfstat
newfstatat 5252
nice
old_adjtimex

View File

@ -95,7 +95,6 @@ fsopen 6430
fspick 6433
fstat 6005
fstat64
fstatat
fstatat64
fstatfs 6135
fstatfs64 6218
@ -247,7 +246,6 @@ munlockall 6149
munmap 6011
name_to_handle_at 6303
nanosleep 6034
newfstat
newfstatat 6256
nice
old_adjtimex

View File

@ -95,7 +95,6 @@ fsopen 4430
fspick 4433
fstat 4108
fstat64 4215
fstatat
fstatat64 4293
fstatfs 4100
fstatfs64 4256
@ -247,7 +246,6 @@ munlockall 4157
munmap 4091
name_to_handle_at 4339
nanosleep 4166
newfstat
newfstatat
nice 4034
old_adjtimex

View File

@ -95,7 +95,6 @@ fsopen 430
fspick 433
fstat 28
fstat64 112
fstatat
fstatat64 280
fstatfs 100
fstatfs64 299
@ -247,7 +246,6 @@ munlockall 153
munmap 91
name_to_handle_at 325
nanosleep 162
newfstat
newfstatat
nice 34
old_adjtimex

View File

@ -95,7 +95,6 @@ fsopen 430
fspick 433
fstat 108
fstat64 197
fstatat
fstatat64 291
fstatfs 100
fstatfs64 253
@ -247,7 +246,6 @@ munlockall 153
munmap 91
name_to_handle_at 345
nanosleep 162
newfstat
newfstatat
nice 34
old_adjtimex

View File

@ -95,7 +95,6 @@ fsopen 430
fspick 433
fstat 108
fstat64
fstatat
fstatat64
fstatfs 100
fstatfs64 253
@ -247,7 +246,6 @@ munlockall 153
munmap 91
name_to_handle_at 345
nanosleep 162
newfstat
newfstatat 291
nice 34
old_adjtimex

View File

@ -95,7 +95,6 @@ fsopen 430
fspick 433
fstat
fstat64
fstatat
fstatat64
fstatfs
fstatfs64 44
@ -247,7 +246,6 @@ munlockall 231
munmap 215
name_to_handle_at 264
nanosleep
newfstat
newfstatat
nice
old_adjtimex

View File

@ -93,9 +93,8 @@ fsetxattr 7
fsmount 432
fsopen 430
fspick 433
fstat
fstat 80
fstat64
fstatat
fstatat64
fstatfs 44
fstatfs64
@ -247,7 +246,6 @@ munlockall 231
munmap 215
name_to_handle_at 264
nanosleep 101
newfstat 80
newfstatat 79
nice
old_adjtimex

View File

@ -95,7 +95,6 @@ fsopen 430
fspick 433
fstat 108
fstat64 197
fstatat
fstatat64 293
fstatfs 100
fstatfs64 266
@ -247,7 +246,6 @@ munlockall 153
munmap 91
name_to_handle_at 335
nanosleep 162
newfstat
newfstatat
nice 34
old_adjtimex

View File

@ -95,7 +95,6 @@ fsopen 430
fspick 433
fstat 108
fstat64
fstatat
fstatat64
fstatfs 100
fstatfs64 266
@ -247,7 +246,6 @@ munlockall 153
munmap 91
name_to_handle_at 335
nanosleep 162
newfstat
newfstatat 293
nice 34
old_adjtimex

View File

@ -95,7 +95,6 @@ fsopen 430
fspick 433
fstat 62
fstat64 63
fstatat
fstatat64 289
fstatfs 158
fstatfs64 235
@ -247,7 +246,6 @@ munlockall 240
munmap 73
name_to_handle_at 332
nanosleep 249
newfstat
newfstatat
nice 34
old_adjtimex

View File

@ -95,7 +95,6 @@ fsopen 430
fspick 433
fstat 5
fstat64
fstatat
fstatat64
fstatfs 138
fstatfs64
@ -247,7 +246,6 @@ munlockall 152
munmap 11
name_to_handle_at 303
nanosleep 35
newfstat
newfstatat 262
nice
old_adjtimex

View File

@ -44,8 +44,42 @@ char* sysctl_normalize(char *s) {
return s;
}
int sysctl_write(const char *property, const char *value) {
static int shadow_update(Hashmap **shadow, const char *property, const char *value) {
_cleanup_free_ char *k = NULL, *v = NULL, *cur_k = NULL, *cur_v = NULL;
int r;
assert(property);
assert(value);
if (!shadow)
return 0;
k = strdup(property);
if (!k)
return -ENOMEM;
v = strdup(value);
if (!v)
return -ENOMEM;
cur_v = hashmap_remove2(*shadow, k, (void**)&cur_k);
r = hashmap_ensure_put(shadow, &path_hash_ops_free_free, k, v);
if (r < 0) {
assert(r != -EEXIST);
return r;
}
TAKE_PTR(k);
TAKE_PTR(v);
return 0;
}
int sysctl_write_full(const char *property, const char *value, Hashmap **shadow) {
char *p;
int r;
assert(property);
assert(value);
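Review bot: `cur_k`/`cur_v` look like unused results of `hashmap_remove2()` but exist only so `_cleanup_free_` releases the previous key/value pair, and the `assert(r != -EEXIST)` below only holds because of that removal; a one-line comment above `cur_v = hashmap_remove2(*shadow, k, (void**)&cur_k);` would stop a later cleanup from dropping them and leaking the old entry. Calling `hashmap_remove2()` on a still-NULL `*shadow` is fine (it returns NULL), so the first insertion path is correct as written.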
@ -58,6 +92,10 @@ int sysctl_write(const char *property, const char *value) {
log_debug("Setting '%s' to '%s'", p, value);
r = shadow_update(shadow, p, value);
if (r < 0)
return r;
return write_string_file(p, value, WRITE_STRING_FILE_VERIFY_ON_FAILURE | WRITE_STRING_FILE_DISABLE_BUFFER | WRITE_STRING_FILE_SUPPRESS_REDUNDANT_VIRTUAL);
}
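Review bot: the shadow is updated before `write_string_file()`, so when the write fails the shadow records a value the kernel never accepted. If the shadow is meant to reflect what was actually applied (for instance to detect a later external modification of the sysctl), move `shadow_update(shadow, p, value)` after a successful write; if it is meant to record intent, say so in a comment, since the two readings lead to different checks later.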
@ -76,7 +114,7 @@ int sysctl_writef(const char *property, const char *format, ...) {
return sysctl_write(property, v);
}
int sysctl_write_ip_property(int af, const char *ifname, const char *property, const char *value) {
int sysctl_write_ip_property(int af, const char *ifname, const char *property, const char *value, Hashmap **shadow) {
const char *p;
assert(property);
@ -93,10 +131,10 @@ int sysctl_write_ip_property(int af, const char *ifname, const char *property, c
} else
p = strjoina("net/", af_to_ipv4_ipv6(af), "/", property);
return sysctl_write(p, value);
return sysctl_write_full(p, value, shadow);
}
int sysctl_write_ip_neighbor_property(int af, const char *ifname, const char *property, const char *value) {
int sysctl_write_ip_neighbor_property(int af, const char *ifname, const char *property, const char *value, Hashmap **shadow) {
const char *p;
assert(property);
@ -113,7 +151,7 @@ int sysctl_write_ip_neighbor_property(int af, const char *ifname, const char *pr
} else
p = strjoina("net/", af_to_ipv4_ipv6(af), "/neigh/default/", property);
return sysctl_write(p, value);
return sysctl_write_full(p, value, shadow);
}
int sysctl_read(const char *property, char **ret) {

View File

@ -10,27 +10,30 @@
char* sysctl_normalize(char *s);
int sysctl_read(const char *property, char **value);
int sysctl_write(const char *property, const char *value);
int sysctl_write_full(const char *property, const char *value, Hashmap **shadow);
int sysctl_writef(const char *property, const char *format, ...) _printf_(2, 3);
int sysctl_read_ip_property(int af, const char *ifname, const char *property, char **ret);
int sysctl_write_ip_property(int af, const char *ifname, const char *property, const char *value);
static inline int sysctl_write_ip_property_boolean(int af, const char *ifname, const char *property, bool value) {
return sysctl_write_ip_property(af, ifname, property, one_zero(value));
static inline int sysctl_write(const char *property, const char *value) {
return sysctl_write_full(property, value, NULL);
}
int sysctl_write_ip_neighbor_property(int af, const char *ifname, const char *property, const char *value);
static inline int sysctl_write_ip_neighbor_property_uint32(int af, const char *ifname, const char *property, uint32_t value) {
int sysctl_read_ip_property(int af, const char *ifname, const char *property, char **ret);
int sysctl_write_ip_property(int af, const char *ifname, const char *property, const char *value, Hashmap **shadow);
static inline int sysctl_write_ip_property_boolean(int af, const char *ifname, const char *property, bool value, Hashmap **shadow) {
return sysctl_write_ip_property(af, ifname, property, one_zero(value), shadow);
}
int sysctl_write_ip_neighbor_property(int af, const char *ifname, const char *property, const char *value, Hashmap **shadow);
static inline int sysctl_write_ip_neighbor_property_uint32(int af, const char *ifname, const char *property, uint32_t value, Hashmap **shadow) {
char buf[DECIMAL_STR_MAX(uint32_t)];
xsprintf(buf, "%u", value);
return sysctl_write_ip_neighbor_property(af, ifname, property, buf);
return sysctl_write_ip_neighbor_property(af, ifname, property, buf, shadow);
}
#define DEFINE_SYSCTL_WRITE_IP_PROPERTY(name, type, format) \
static inline int sysctl_write_ip_property_##name(int af, const char *ifname, const char *property, type value) { \
static inline int sysctl_write_ip_property_##name(int af, const char *ifname, const char *property, type value, Hashmap **shadow) { \
char buf[DECIMAL_STR_MAX(type)]; \
xsprintf(buf, format, value); \
return sysctl_write_ip_property(af, ifname, property, buf); \
return sysctl_write_ip_property(af, ifname, property, buf, shadow); \
}
DEFINE_SYSCTL_WRITE_IP_PROPERTY(int, int, "%i");
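Review bot: `Hashmap` now appears in the prototypes and inline functions of this header, so make sure `hashmap.h` is included above the shown range (or a forward `typedef struct Hashmap Hashmap;` is present); a translation unit that only includes `sysctl-util.h` would otherwise fail to compile. Turning `sysctl_write()` into an inline wrapper keeps `sysctl_writef()` in the .c file working unchanged, which is good.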

View File

@ -255,6 +255,25 @@ int ask_string(char **ret, const char *text, ...) {
return 0;
}
bool any_key_to_proceed(void) {
char key = 0;
bool need_nl = true;
/*
* Insert a new line here as well as to when the user inputs, as this is also used during the
* boot up sequence when status messages may be interleaved with the current program output.
* This ensures that the status messages aren't appended on the same line as this message.
*/
puts("-- Press any key to proceed --");
(void) read_one_char(stdin, &key, USEC_INFINITY, &need_nl);
if (need_nl)
putchar('\n');
return key != 'q';
}
int open_terminal(const char *name, int mode) {
_cleanup_close_ int fd = -EBADF;
unsigned c = 0;
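Review bot: the prompt says "Press any key to proceed" but the function returns false for `q`, so the text should mention that `q` aborts, or the caller's documentation should. Also, the result of `read_one_char()` is discarded: on EOF, a read error or a non-tty stdin, `key` stays 0 and the function returns true, i.e. it fails open. If this is ever used to gate something that must not run unattended, check the return value and treat failure as "do not proceed", or at least make the fail-open behaviour explicit in the comment.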

View File

@ -78,6 +78,7 @@ int chvt(int vt);
int read_one_char(FILE *f, char *ret, usec_t timeout, bool *need_nl);
int ask_char(char *ret, const char *replies, const char *text, ...) _printf_(3, 4);
int ask_string(char **ret, const char *text, ...) _printf_(2, 3);
bool any_key_to_proceed(void);
int vt_disallocate(const char *name);

View File

@ -219,14 +219,12 @@ static int acquire_boot_count_path(
uint64_t left, done;
int r;
r = efi_get_variable_string(EFI_LOADER_VARIABLE(LoaderBootCountPath), &path);
r = efi_get_variable_path(EFI_LOADER_VARIABLE(LoaderBootCountPath), &path);
if (r == -ENOENT)
return -EUNATCH; /* in this case, let the caller print a message */
if (r < 0)
return log_error_errno(r, "Failed to read LoaderBootCountPath EFI variable: %m");
efi_tilt_backslashes(path);
if (!path_is_normalized(path))
return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
"Path read from LoaderBootCountPath is not normalized, refusing: %s",
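Review bot: dropping `efi_tilt_backslashes(path)` assumes `efi_get_variable_path()` converts `\` to `/` itself; please confirm that, because the `path_is_normalized()` check that follows does not reject backslashes, so a `\`-separated value would pass the check and only fail later when the file is opened. A short comment at the `efi_get_variable_path()` call saying it returns a tilted path would make the contract visible here.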

View File

@ -298,12 +298,24 @@ fail:
return r;
}
static void read_efi_var(const char *variable, char **ret) {
static int efi_get_variable_string_and_warn(const char *variable, char **ret) {
int r;
r = efi_get_variable_string(variable, ret);
if (r < 0 && r != -ENOENT)
log_warning_errno(r, "Failed to read EFI variable %s: %m", variable);
return log_warning_errno(r, "Failed to read EFI variable '%s', ignoring: %m", variable);
return r;
}
static int efi_get_variable_path_and_warn(const char *variable, char **ret) {
int r;
r = efi_get_variable_path(variable, ret);
if (r < 0 && r != -ENOENT)
return log_warning_errno(r, "Failed to read EFI variable '%s', ignoring: %m", variable);
return r;
}
static void print_yes_no_line(bool first, bool good, const char *name) {
@ -396,26 +408,23 @@ int verb_status(int argc, char *argv[], void *userdata) {
{ EFI_STUB_FEATURE_MULTI_PROFILE_UKI, "Stub understands profile selector" },
{ EFI_STUB_FEATURE_REPORT_STUB_PARTITION, "Stub sets stub partition information" },
};
_cleanup_free_ char *fw_type = NULL, *fw_info = NULL, *loader = NULL, *loader_path = NULL, *stub = NULL;
sd_id128_t loader_part_uuid = SD_ID128_NULL;
_cleanup_free_ char *fw_type = NULL, *fw_info = NULL, *loader = NULL, *loader_path = NULL, *stub = NULL, *stub_path = NULL,
*current_entry = NULL, *oneshot_entry = NULL, *default_entry = NULL;
uint64_t loader_features = 0, stub_features = 0;
Tpm2Support s;
int have;
read_efi_var(EFI_LOADER_VARIABLE(LoaderFirmwareType), &fw_type);
read_efi_var(EFI_LOADER_VARIABLE(LoaderFirmwareInfo), &fw_info);
read_efi_var(EFI_LOADER_VARIABLE(LoaderInfo), &loader);
read_efi_var(EFI_LOADER_VARIABLE(StubInfo), &stub);
read_efi_var(EFI_LOADER_VARIABLE(LoaderImageIdentifier), &loader_path);
(void) efi_get_variable_string_and_warn(EFI_LOADER_VARIABLE(LoaderFirmwareType), &fw_type);
(void) efi_get_variable_string_and_warn(EFI_LOADER_VARIABLE(LoaderFirmwareInfo), &fw_info);
(void) efi_get_variable_string_and_warn(EFI_LOADER_VARIABLE(LoaderInfo), &loader);
(void) efi_get_variable_string_and_warn(EFI_LOADER_VARIABLE(StubInfo), &stub);
(void) efi_get_variable_path_and_warn(EFI_LOADER_VARIABLE(LoaderImageIdentifier), &loader_path);
(void) efi_get_variable_path_and_warn(EFI_LOADER_VARIABLE(StubImageIdentifier), &stub_path);
(void) efi_loader_get_features(&loader_features);
(void) efi_stub_get_features(&stub_features);
if (loader_path)
efi_tilt_backslashes(loader_path);
k = efi_loader_get_device_part_uuid(&loader_part_uuid);
if (k < 0 && k != -ENOENT)
r = log_warning_errno(k, "Failed to read EFI variable LoaderDevicePartUUID: %m");
(void) efi_get_variable_string_and_warn(EFI_LOADER_VARIABLE(LoaderEntrySelected), &current_entry);
(void) efi_get_variable_string_and_warn(EFI_LOADER_VARIABLE(LoaderEntryOneShot), &oneshot_entry);
(void) efi_get_variable_string_and_warn(EFI_LOADER_VARIABLE(LoaderEntryDefault), &default_entry);
SecureBootMode secure = efi_get_secure_boot_mode();
printf("%sSystem:%s\n", ansi_underline(), ansi_normal());
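Review bot: the removed `efi_loader_get_device_part_uuid()` block used to warn on any error other than `-ENOENT` (and set `r`, so `status` exited non-zero); its replacement in the next hunk, `have_bootloader_esp_uuid = efi_loader_get_device_part_uuid(&bootloader_esp_uuid) >= 0`, folds every failure into "Boot loader sets ESP information: no" with no log line, unlike the `_and_warn` helpers used for the string variables just above. Keep a `log_warning_errno()` for `r < 0 && r != -ENOENT` there, and check whether `r` still needs its declaration now that this assignment is gone.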
@ -463,34 +472,58 @@ int verb_status(int argc, char *argv[], void *userdata) {
}
printf("\n");
printf("%sCurrent Boot Loader:%s\n", ansi_underline(), ansi_normal());
printf(" Product: %s%s%s\n", ansi_highlight(), strna(loader), ansi_normal());
if (loader) {
printf("%sCurrent Boot Loader:%s\n", ansi_underline(), ansi_normal());
printf(" Product: %s%s%s\n", ansi_highlight(), loader, ansi_normal());
for (size_t i = 0; i < ELEMENTSOF(loader_flags); i++)
print_yes_no_line(i == 0, FLAGS_SET(loader_features, loader_flags[i].flag), loader_flags[i].name);
for (size_t i = 0; i < ELEMENTSOF(loader_flags); i++)
print_yes_no_line(i == 0, FLAGS_SET(loader_features, loader_flags[i].flag), loader_flags[i].name);
sd_id128_t loader_partition_uuid;
bool have_loader_partition_uuid = efi_loader_get_device_part_uuid(&loader_partition_uuid) >= 0;
sd_id128_t bootloader_esp_uuid;
bool have_bootloader_esp_uuid = efi_loader_get_device_part_uuid(&bootloader_esp_uuid) >= 0;
print_yes_no_line(false, have_loader_partition_uuid, "Boot loader set ESP information");
print_yes_no_line(false, have_bootloader_esp_uuid, "Boot loader sets ESP information");
if (have_bootloader_esp_uuid && !sd_id128_is_null(esp_uuid) &&
!sd_id128_equal(esp_uuid, bootloader_esp_uuid))
printf("WARNING: The boot loader reports a different ESP UUID than detected ("SD_ID128_UUID_FORMAT_STR" vs. "SD_ID128_UUID_FORMAT_STR")!\n",
SD_ID128_FORMAT_VAL(bootloader_esp_uuid),
SD_ID128_FORMAT_VAL(esp_uuid));
if (current_entry)
printf("Current Entry: %s\n", current_entry);
if (default_entry)
printf("Default Entry: %s\n", default_entry);
if (oneshot_entry && !streq_ptr(oneshot_entry, default_entry))
printf("OneShot Entry: %s\n", oneshot_entry);
if (have_loader_partition_uuid && !sd_id128_is_null(esp_uuid) && !sd_id128_equal(esp_uuid, loader_partition_uuid))
printf("WARNING: The boot loader reports a different partition UUID than the detected ESP ("SD_ID128_UUID_FORMAT_STR" vs. "SD_ID128_UUID_FORMAT_STR")!\n",
SD_ID128_FORMAT_VAL(loader_partition_uuid), SD_ID128_FORMAT_VAL(esp_uuid));
if (!sd_id128_is_null(loader_partition_uuid))
printf(" Partition: /dev/disk/by-partuuid/" SD_ID128_UUID_FORMAT_STR "\n",
SD_ID128_FORMAT_VAL(loader_partition_uuid));
else
printf(" Partition: n/a\n");
printf(" Loader: %s%s\n", special_glyph(SPECIAL_GLYPH_TREE_RIGHT), strna(loader_path));
printf("\n");
}
if (stub) {
printf(" Stub: %s\n", stub);
printf("%sCurrent Stub:%s\n", ansi_underline(), ansi_normal());
printf(" Product: %s%s%s\n", ansi_highlight(), stub, ansi_normal());
for (size_t i = 0; i < ELEMENTSOF(stub_flags); i++)
print_yes_no_line(i == 0, FLAGS_SET(stub_features, stub_flags[i].flag), stub_flags[i].name);
sd_id128_t stub_partition_uuid;
bool have_stub_partition_uuid = efi_stub_get_device_part_uuid(&stub_partition_uuid) >= 0;
if (have_stub_partition_uuid && (!(!sd_id128_is_null(esp_uuid) && sd_id128_equal(esp_uuid, stub_partition_uuid)) &&
!(!sd_id128_is_null(xbootldr_uuid) && sd_id128_equal(xbootldr_uuid, stub_partition_uuid))))
printf("WARNING: The stub loader reports a different UUID than the detected ESP or XBOOTDLR partition ("SD_ID128_UUID_FORMAT_STR" vs. "SD_ID128_UUID_FORMAT_STR"/"SD_ID128_UUID_FORMAT_STR")!\n",
SD_ID128_FORMAT_VAL(stub_partition_uuid), SD_ID128_FORMAT_VAL(esp_uuid), SD_ID128_FORMAT_VAL(xbootldr_uuid));
if (!sd_id128_is_null(stub_partition_uuid))
printf(" Partition: /dev/disk/by-partuuid/" SD_ID128_UUID_FORMAT_STR "\n",
SD_ID128_FORMAT_VAL(stub_partition_uuid));
else
printf(" Partition: n/a\n");
printf(" Stub: %s%s\n", special_glyph(SPECIAL_GLYPH_TREE_RIGHT), strna(stub_path));
printf("\n");
}
if (!sd_id128_is_null(loader_part_uuid))
printf(" ESP: /dev/disk/by-partuuid/" SD_ID128_UUID_FORMAT_STR "\n",
SD_ID128_FORMAT_VAL(loader_part_uuid));
else
printf(" ESP: n/a\n");
printf(" File: %s%s\n", special_glyph(SPECIAL_GLYPH_TREE_RIGHT), strna(loader_path));
printf("\n");
printf("%sRandom Seed:%s\n", ansi_underline(), ansi_normal());
have = access(EFIVAR_PATH(EFI_LOADER_VARIABLE(LoaderSystemToken)), F_OK) >= 0;
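Review bot: the stub warning string spells the partition "XBOOTDLR"; it should be "XBOOTLDR". In the same condition, when neither `esp_uuid` nor `xbootldr_uuid` could be determined (both null) the check still fires and the message reports two all-zero UUIDs as the "detected" partitions; gate the warning on at least one of them being non-null, as the loader-side check above already does with `!sd_id128_is_null(esp_uuid)`.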

View File

@ -16,12 +16,14 @@
#include "build.h"
#include "devnum-util.h"
#include "dissect-image.h"
#include "efi-loader.h"
#include "escape.h"
#include "find-esp.h"
#include "main-func.h"
#include "mount-util.h"
#include "pager.h"
#include "parse-argument.h"
#include "path-util.h"
#include "pretty-print.h"
#include "utf8.h"
#include "varlink-io.systemd.BootControl.h"
@ -38,6 +40,8 @@ char *arg_esp_path = NULL;
char *arg_xbootldr_path = NULL;
bool arg_print_esp_path = false;
bool arg_print_dollar_boot_path = false;
bool arg_print_loader_path = false;
bool arg_print_stub_path = false;
unsigned arg_print_root_device = 0;
bool arg_touch_variables = true;
bool arg_install_random_seed = true;
@ -133,6 +137,71 @@ int acquire_xbootldr(
return 1;
}
static int print_loader_or_stub_path(void) {
_cleanup_free_ char *p = NULL;
sd_id128_t uuid;
int r;
if (arg_print_loader_path) {
r = efi_loader_get_device_part_uuid(&uuid);
if (r == -ENOENT)
return log_error_errno(r, "No loader partition UUID passed.");
if (r < 0)
return log_error_errno(r, "Unable to determine loader partition UUID: %m");
r = efi_get_variable_path(EFI_LOADER_VARIABLE(LoaderImageIdentifier), &p);
if (r == -ENOENT)
return log_error_errno(r, "No loader EFI binary path passed.");
if (r < 0)
return log_error_errno(r, "Unable to determine loader EFI binary path: %m");
} else {
assert(arg_print_stub_path);
r = efi_stub_get_device_part_uuid(&uuid);
if (r == -ENOENT)
return log_error_errno(r, "No stub partition UUID passed.");
if (r < 0)
return log_error_errno(r, "Unable to determine stub partition UUID: %m");
r = efi_get_variable_path(EFI_LOADER_VARIABLE(StubImageIdentifier), &p);
if (r == -ENOENT)
return log_error_errno(r, "No stub EFI binary path passed.");
if (r < 0)
return log_error_errno(r, "Unable to determine stub EFI binary path: %m");
}
sd_id128_t esp_uuid;
r = acquire_esp(/* unprivileged_mode= */ false, /* graceful= */ false,
/* ret_part= */ NULL, /* ret_pstart= */ NULL, /* ret_psize= */ NULL,
&esp_uuid, /* ret_devid= */ NULL);
if (r < 0)
return r;
const char *found_path = NULL;
if (sd_id128_equal(esp_uuid, uuid))
found_path = arg_esp_path;
else if (arg_print_stub_path) { /* In case of the stub, also look for things in the xbootldr partition */
sd_id128_t xbootldr_uuid;
r = acquire_xbootldr(/* unprivileged_mode= */ false, &xbootldr_uuid, /* ret_devid= */ NULL);
if (r < 0)
return r;
if (sd_id128_equal(xbootldr_uuid, uuid))
found_path = arg_xbootldr_path;
}
if (!found_path)
return log_error_errno(SYNTHETIC_ERRNO(ENOENT), "Failed to discover partition " SD_ID128_FORMAT_STR " among mounted boot partitions.", SD_ID128_FORMAT_VAL(uuid));
_cleanup_free_ char *j = path_join(found_path, p);
if (!j)
return log_oom();
puts(j);
return 0;
}
static int help(int argc, char *argv[], void *userdata) {
_cleanup_free_ char *link = NULL;
int r;
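Review bot: the path `p` read from `LoaderImageIdentifier`/`StubImageIdentifier` is joined under the mount point without the `path_is_normalized()` refusal that `acquire_boot_count_path()` in this same series applies to `LoaderBootCountPath`; add the same check before `path_join(found_path, p)` so a `..` component cannot yield a path outside the ESP or XBOOTLDR mount (the variables are root-writable only, so exposure is limited, but the check is cheap and keeps the two readers consistent). Two smaller points: `uuid` is compared with `sd_id128_equal()` without an `sd_id128_is_null()` guard, so a null stub UUID would match a system with no XBOOTLDR partition (where `xbootldr_uuid` is null as well) and `found_path` becomes a possibly NULL `arg_xbootldr_path`; and `unprivileged_mode=false` is hard-coded, so an unprivileged `--print-loader-path` fails at partition discovery even though reading the EFI variables may succeed.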
@ -182,6 +251,9 @@ static int help(int argc, char *argv[], void *userdata) {
" Where to pick files when using --root=/--image=\n"
" -p --print-esp-path Print path to the EFI System Partition mount point\n"
" -x --print-boot-path Print path to the $BOOT partition mount point\n"
" --print-loader-path\n"
" Print path to currently booted boot loader binary\n"
" --print-stub-path Print path to currently booted unified kernel binary\n"
" -R --print-root-device\n"
" Print path to the block device node backing the\n"
" root file system (returns e.g. /dev/nvme0n1p5)\n"
@ -235,6 +307,8 @@ static int parse_argv(int argc, char *argv[]) {
ARG_ARCH_ALL,
ARG_EFI_BOOT_OPTION_DESCRIPTION,
ARG_DRY_RUN,
ARG_PRINT_LOADER_PATH,
ARG_PRINT_STUB_PATH,
};
static const struct option options[] = {
@ -250,6 +324,8 @@ static int parse_argv(int argc, char *argv[]) {
{ "print-esp-path", no_argument, NULL, 'p' },
{ "print-path", no_argument, NULL, 'p' }, /* Compatibility alias */
{ "print-boot-path", no_argument, NULL, 'x' },
{ "print-loader-path", no_argument, NULL, ARG_PRINT_LOADER_PATH },
{ "print-stub-path", no_argument, NULL, ARG_PRINT_STUB_PATH },
{ "print-root-device", no_argument, NULL, 'R' },
{ "no-variables", no_argument, NULL, ARG_NO_VARIABLES },
{ "random-seed", required_argument, NULL, ARG_RANDOM_SEED },
@ -332,6 +408,14 @@ static int parse_argv(int argc, char *argv[]) {
arg_print_dollar_boot_path = true;
break;
case ARG_PRINT_LOADER_PATH:
arg_print_loader_path = true;
break;
case ARG_PRINT_STUB_PATH:
arg_print_stub_path = true;
break;
case 'R':
arg_print_root_device++;
break;
@ -414,9 +498,9 @@ static int parse_argv(int argc, char *argv[]) {
assert_not_reached();
}
if (!!arg_print_esp_path + !!arg_print_dollar_boot_path + (arg_print_root_device > 0) > 1)
if (!!arg_print_esp_path + !!arg_print_dollar_boot_path + (arg_print_root_device > 0) + arg_print_loader_path + arg_print_stub_path > 1)
return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
"--print-esp-path/-p, --print-boot-path/-x, --print-root-device=/-R cannot be combined.");
"--print-esp-path/-p, --print-boot-path/-x, --print-root-device=/-R, --print-loader-path, --print-stub-path cannot be combined.");
if ((arg_root || arg_image) && argv[optind] && !STR_IN_SET(argv[optind], "status", "list",
"install", "update", "remove", "is-installed", "random-seed", "unlink", "cleanup"))
@ -541,6 +625,9 @@ static int run(int argc, char *argv[]) {
return 0;
}
if (arg_print_loader_path || arg_print_stub_path)
return print_loader_or_stub_path();
/* Open up and mount the image */
if (arg_image) {
assert(!arg_root);
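Review bot: `--print-loader-path`/`--print-stub-path` return here before `--root=`/`--image=` are applied, and the `STR_IN_SET` check in parse_argv only restricts verbs, so `bootctl --root=/mnt --print-loader-path` silently answers about the running system's EFI variables while printing a path under the wrong tree. Reject the combination in parse_argv alongside the existing "cannot be combined" errors.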

View File

@ -13,6 +13,7 @@
#include "initrd.h"
#include "linux.h"
#include "measure.h"
#include "memory-util-fundamental.h"
#include "part-discovery.h"
#include "pe.h"
#include "proto/block-io.h"
@ -2420,18 +2421,18 @@ static EFI_STATUS initrd_prepare(
EFI_FILE *root,
const BootEntry *entry,
char16_t **ret_options,
void **ret_initrd,
Pages *ret_initrd_pages,
size_t *ret_initrd_size) {
assert(root);
assert(entry);
assert(ret_options);
assert(ret_initrd);
assert(ret_initrd_pages);
assert(ret_initrd_size);
if (entry->type != LOADER_LINUX || !entry->initrd) {
*ret_options = NULL;
*ret_initrd = NULL;
*ret_initrd_pages = (Pages) {};
*ret_initrd_size = 0;
return EFI_SUCCESS;
}
@ -2445,7 +2446,6 @@ static EFI_STATUS initrd_prepare(
EFI_STATUS err;
size_t size = 0;
_cleanup_free_ uint8_t *initrd = NULL;
STRV_FOREACH(i, entry->initrd) {
_cleanup_free_ char16_t *o = options;
@ -2464,30 +2464,58 @@ static EFI_STATUS initrd_prepare(
if (err != EFI_SUCCESS)
return err;
if (!ADD_SAFE(&size, size, ALIGN4(info->FileSize)))
return EFI_OUT_OF_RESOURCES;
}
_cleanup_pages_ Pages pages = xmalloc_pages(
AllocateMaxAddress,
EfiLoaderData,
EFI_SIZE_TO_PAGES(size),
UINT32_MAX /* Below 4G boundary. */);
uint8_t *p = PHYSICAL_ADDRESS_TO_POINTER(pages.addr);
STRV_FOREACH(i, entry->initrd) {
_cleanup_(file_closep) EFI_FILE *handle = NULL;
err = root->Open(root, &handle, *i, EFI_FILE_MODE_READ, 0);
if (err != EFI_SUCCESS)
return err;
_cleanup_free_ EFI_FILE_INFO *info = NULL;
err = get_file_info(handle, &info, NULL);
if (err != EFI_SUCCESS)
return err;
if (info->FileSize == 0) /* Automatically skip over empty files */
continue;
size_t new_size, read_size = info->FileSize;
if (!ADD_SAFE(&new_size, size, read_size))
return EFI_OUT_OF_RESOURCES;
initrd = xrealloc(initrd, size, new_size);
err = chunked_read(handle, &read_size, initrd + size);
size_t read_size = info->FileSize;
err = chunked_read(handle, &read_size, p);
if (err != EFI_SUCCESS)
return err;
/* Make sure the actual read size is what we expected. */
assert(size + read_size == new_size);
size = new_size;
assert(read_size == info->FileSize);
p += read_size;
size_t pad;
pad = ALIGN4(read_size) - read_size;
if (pad == 0)
continue;
memzero(p, pad);
p += pad;
}
assert(PHYSICAL_ADDRESS_TO_POINTER(pages.addr + size) == p);
if (entry->options) {
_cleanup_free_ char16_t *o = options;
options = xasprintf("%ls %ls", o, entry->options);
}
*ret_options = TAKE_PTR(options);
*ret_initrd = TAKE_PTR(initrd);
*ret_initrd_pages = TAKE_STRUCT(pages);
*ret_initrd_size = size;
return EFI_SUCCESS;
}
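Review bot: the second pass trusts a fresh `info->FileSize` for each write into `p`, but the page allocation was sized from the first pass; if a size differs between the two `get_file_info()` calls, `chunked_read(handle, &read_size, p)` writes past the allocated pages and the `assert(PHYSICAL_ADDRESS_TO_POINTER(pages.addr + size) == p)` only fires after the overwrite. Clamp `read_size` to the remaining capacity (`PHYSICAL_ADDRESS_TO_POINTER(pages.addr + size) - p`) and return an error rather than asserting. Also check the zero-size case: if every listed initrd is empty, `size` is 0 and `xmalloc_pages()` is asked for zero pages, where the old `xrealloc(initrd, 0, 0)` was benign; returning `(Pages) {}` early would mirror the `!entry->initrd` path.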
@ -2517,9 +2545,9 @@ static EFI_STATUS image_start(
return log_error_status(err, "Error making file device path: %m");
size_t initrd_size = 0;
_cleanup_free_ void *initrd = NULL;
_cleanup_pages_ Pages initrd_pages = {};
_cleanup_free_ char16_t *options_initrd = NULL;
err = initrd_prepare(image_root, entry, &options_initrd, &initrd, &initrd_size);
err = initrd_prepare(image_root, entry, &options_initrd, &initrd_pages, &initrd_size);
if (err != EFI_SUCCESS)
return log_error_status(err, "Error preparing initrd: %m");
@ -2537,7 +2565,7 @@ static EFI_STATUS image_start(
}
_cleanup_(cleanup_initrd) EFI_HANDLE initrd_handle = NULL;
err = initrd_register(initrd, initrd_size, &initrd_handle);
err = initrd_register(PHYSICAL_ADDRESS_TO_POINTER(initrd_pages.addr), initrd_size, &initrd_handle);
if (err != EFI_SUCCESS)
return log_error_status(err, "Error registering initrd: %m");

View File

@ -450,7 +450,7 @@ static size_t pe_section_table_find_profile_length(
assert(start >= section_table);
assert(start < section_table + n_section_table);
/* Look for the next .profile (or the end of the table), this is where the the sections for this
/* Look for the next .profile (or the end of the table), this is where the sections for this
* profile end. The base profile does not start with a .profile, the others do, hence conditionally
* skip over the first entry. */
const PeSectionHeader *e;
@ -485,7 +485,7 @@ EFI_STATUS pe_locate_profile_sections(
if (!p)
return EFI_NOT_FOUND;
/* Look for the next .profile (or the end of the table), this is where the the sections for this
/* Look for the next .profile (or the end of the table), this is where the sections for this
* profile end. */
size_t n = pe_section_table_find_profile_length(section_table, n_section_table, p, profile);

View File

@ -134,9 +134,8 @@ static EFI_STATUS combine_initrds(
assert(PHYSICAL_ADDRESS_TO_POINTER(pages.addr + n) == p);
*ret_initrd_pages = pages;
*ret_initrd_pages = TAKE_STRUCT(pages);
*ret_initrd_size = n;
pages.n_pages = 0;
return EFI_SUCCESS;
}

View File

@ -2728,6 +2728,7 @@ int config_parse_environ(
COMMON_CREDS_SPECIFIERS(ltype),
{ 'h', specifier_user_home, NULL },
{ 's', specifier_user_shell, NULL },
{}
};
for (const char *p = rvalue;; ) {
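Review bot: good catch; `specifier_printf()` walks the table until an entry with a NULL `specifier`, so without the `{}` sentinel the lookup read past the end of the array whenever a `%` character did not match an earlier entry. Worth a quick scan of the other specifier tables in this file for the same missing terminator.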

View File

@ -528,11 +528,15 @@ static int append_extensions(
&result);
if (r < 0)
return r;
if (!result.path)
if (!result.path) {
if (m->ignore_enoent)
continue;
return log_debug_errno(
SYNTHETIC_ERRNO(ENOENT),
"No matching entry in .v/ directory %s found.",
m->source);
}
r = verity_settings_load(&verity, result.path, /* root_hash_path= */ NULL, /* root_hash_sig_path= */ NULL);
if (r < 0)
@ -575,10 +579,6 @@ static int append_extensions(
const char *e = *extension_directory;
bool ignore_enoent = false;
/* Pick up the counter where the ExtensionImages left it. */
if (asprintf(&mount_point, "%s/unit-extensions/%zu", private_namespace_dir, n_mount_images++) < 0)
return -ENOMEM;
/* Look for any prefixes */
if (startswith(e, "-")) {
e++;
@ -596,11 +596,19 @@ static int append_extensions(
&result);
if (r < 0)
return r;
if (!result.path)
if (!result.path) {
if (ignore_enoent)
continue;
return log_debug_errno(
SYNTHETIC_ERRNO(ENOENT),
"No matching entry in .v/ directory %s found.",
e);
}
/* Pick up the counter where the ExtensionImages left it. */
if (asprintf(&mount_point, "%s/unit-extensions/%zu", private_namespace_dir, n_mount_images++) < 0)
return -ENOMEM;
for (size_t j = 0; hierarchies && hierarchies[j]; ++j) {
char *prefixed_hierarchy = path_join(mount_point, hierarchies[j]);

View File

@ -4169,7 +4169,7 @@ static void service_sigchld_event(Unit *u, pid_t pid, int code, int status) {
* detect when the cgroup becomes empty. Note that the control process is always
* our child so it's pointless to watch all other processes. */
if (!control_pid_good(s))
if (!s->main_pid_known || s->main_pid_alien)
if (!s->main_pid_known || s->main_pid_alien || unit_cgroup_delegate(u))
(void) unit_enqueue_rewatch_pids(u);
}
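Review bot: the comment above this condition still says only the main PID matters because the control process is always our child; now that `unit_cgroup_delegate(u)` also triggers the rewatch, extend the comment to say why delegation needs it (processes the delegated payload moves into sub-cgroups are not otherwise tracked), so the next reader does not "simplify" the condition back.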

View File

@ -1046,7 +1046,6 @@ static int process_socket(int fd) {
_cleanup_close_ int input_fd = -EBADF, mount_tree_fd = -EBADF;
Context context = {};
struct iovec_wrapper iovw = {};
struct iovec iovec;
bool first = true;
int r;
@ -1063,8 +1062,7 @@ static int process_socket(int fd) {
.msg_controllen = sizeof(control),
.msg_iovlen = 1,
};
ssize_t n;
ssize_t l;
ssize_t n, l;
l = next_datagram_size_fd(fd);
if (l < 0) {
@ -1072,8 +1070,10 @@ static int process_socket(int fd) {
goto finish;
}
iovec.iov_len = l;
iovec.iov_base = malloc(l + 1);
_cleanup_(iovec_done) struct iovec iovec = {
.iov_len = l,
.iov_base = malloc(l + 1),
};
if (!iovec.iov_base) {
r = log_oom();
goto finish;
@ -1083,7 +1083,6 @@ static int process_socket(int fd) {
n = recvmsg_safe(fd, &mh, MSG_CMSG_CLOEXEC);
if (n < 0) {
free(iovec.iov_base);
r = log_error_errno(n, "Failed to receive datagram: %m");
goto finish;
}
@ -1093,8 +1092,6 @@ static int process_socket(int fd) {
if (n == 0) {
struct cmsghdr *found;
free(iovec.iov_base);
found = cmsg_find(&mh, SOL_SOCKET, SCM_RIGHTS, CMSG_LEN(sizeof(int) * 2));
if (found) {
int fds[2] = EBADF_PAIR;
@ -1134,6 +1131,8 @@ static int process_socket(int fd) {
r = iovw_put(&iovw, iovec.iov_base, iovec.iov_len);
if (r < 0)
goto finish;
TAKE_STRUCT(iovec);
}
/* Make sure we got all data we really need */

View File

@ -69,11 +69,11 @@ STATIC_DESTRUCTOR_REGISTER(arg_tpm2_public_key, freep);
STATIC_DESTRUCTOR_REGISTER(arg_tpm2_signature, freep);
static const char* transcode_mode_table[_TRANSCODE_MAX] = {
[TRANSCODE_OFF] = "off",
[TRANSCODE_BASE64] = "base64",
[TRANSCODE_OFF] = "off",
[TRANSCODE_BASE64] = "base64",
[TRANSCODE_UNBASE64] = "unbase64",
[TRANSCODE_HEX] = "hex",
[TRANSCODE_UNHEX] = "unhex",
[TRANSCODE_HEX] = "hex",
[TRANSCODE_UNHEX] = "unhex",
};
DEFINE_PRIVATE_STRING_TABLE_LOOKUP_FROM_STRING(transcode_mode, TranscodeMode);
@ -690,35 +690,10 @@ static int verb_setup(int argc, char **argv, void *userdata) {
}
static int verb_has_tpm2(int argc, char **argv, void *userdata) {
Tpm2Support s;
if (!arg_quiet)
log_notice("The 'systemd-creds %1$s' command has been replaced by 'systemd-analyze %1$s'. Redirecting invocation.", argv[optind]);
s = tpm2_support();
if (!arg_quiet) {
if (s == TPM2_SUPPORT_FULL)
puts("yes");
else if (s == TPM2_SUPPORT_NONE)
puts("no");
else
puts("partial");
printf("%sfirmware\n"
"%sdriver\n"
"%ssystem\n"
"%ssubsystem\n"
"%slibraries\n",
plus_minus(s & TPM2_SUPPORT_FIRMWARE),
plus_minus(s & TPM2_SUPPORT_DRIVER),
plus_minus(s & TPM2_SUPPORT_SYSTEM),
plus_minus(s & TPM2_SUPPORT_SUBSYSTEM),
plus_minus(s & TPM2_SUPPORT_LIBRARIES));
}
/* Return inverted bit flags. So that TPM2_SUPPORT_FULL becomes EXIT_SUCCESS and the other values
* become some reasonable values 17. i.e. the flags we return here tell what is missing rather than
* what is there, acknowledging the fact that for process exit statuses it is customary to return
* zero (EXIT_FAILURE) when all is good, instead of all being bad. */
return ~s & TPM2_SUPPORT_FULL;
return verb_has_tpm2_generic(arg_quiet);
}
static int verb_help(int argc, char **argv, void *userdata) {
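Review bot: the exit-status contract documented in the removed comment (`return ~s & TPM2_SUPPORT_FULL;`, so that full support yields EXIT_SUCCESS and the remaining bits describe what is missing) is no longer visible in this function; verb_has_tpm2_generic(arg_quiet) needs to preserve it, since scripts keyed on that status would otherwise break silently. The redirection notice goes through log_notice(), i.e. to stderr/the journal rather than stdout, so the yes/no/partial output stays parseable, which is the right choice.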
@ -739,10 +714,9 @@ static int verb_help(int argc, char **argv, void *userdata) {
" ciphertext credential file\n"
" decrypt INPUT [OUTPUT] Decrypt ciphertext credential file and write to\n"
" plaintext credential file\n"
" has-tpm2 Report whether TPM2 support is available\n"
"\n%3$sOptions:%4$s\n"
" -h --help Show this help\n"
" --version Show package version\n"
"\n%3$sOptions:%4$s\n"
" --no-pager Do not pipe output into a pager\n"
" --no-legend Do not show the headers and footers\n"
" --json=pretty|short|off\n"
@ -774,7 +748,6 @@ static int verb_help(int argc, char **argv, void *userdata) {
" --user Select user-scoped credential encryption\n"
" --uid=UID Select user for scoped credentials\n"
" --allow-null Allow decrypting credentials with empty key\n"
" -q --quiet Suppress output for 'has-tpm2' verb\n"
"\nSee the %2$s for details.\n",
program_invocation_short_name,
link,
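Review bot: the `-q --quiet` help line is removed here and the `has-tpm2` verb line in the previous hunk, yet arg_quiet is still consulted in verb_has_tpm2 and the verb is retained `for backward compatibility` in the verb table below; if the option is still parsed, consider keeping a one-line "deprecated, use systemd-analyze has-tpm2" entry in the help rather than hiding it entirely.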
@ -1073,7 +1046,7 @@ static int creds_main(int argc, char *argv[]) {
{ "decrypt", 2, 3, 0, verb_decrypt },
{ "setup", VERB_ANY, 1, 0, verb_setup },
{ "help", VERB_ANY, 1, 0, verb_help },
{ "has-tpm2", VERB_ANY, 1, 0, verb_has_tpm2 },
{ "has-tpm2", VERB_ANY, 1, 0, verb_has_tpm2 }, /* for backward compatibility */
{}
};

View File

@ -425,7 +425,8 @@ int enroll_tpm2(struct crypt_device *cd,
r = tpm2_pcr_values_to_mask(hash_pcr_values, n_hash_pcr_values, hash_pcr_bank, &hash_pcr_mask);
if (r < 0)
return log_error_errno(r, "Could not get hash mask: %m");
} else if (pubkey_pcr_mask != 0) {
} else if (pubkey_pcr_mask != 0 && !device_key) {
/* If no literal PCR value policy is used, then let's determine the mask to use automatically
* from the measurements of the TPM. */
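Review bot: the added `&& !device_key` condition skips reading live PCR measurements when enrolling offline against a device key, which is necessary since no TPM is available in that mode; however the code then falls through with the caller-supplied pubkey_pcr_mask unchanged, so a short comment stating that the mask is taken verbatim in the device-key case (and why automatic determination is impossible there) would help the next reader.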

View File

@ -93,20 +93,6 @@ STATIC_DESTRUCTOR_REGISTER(arg_root_shell, freep);
STATIC_DESTRUCTOR_REGISTER(arg_kernel_cmdline, freep);
STATIC_DESTRUCTOR_REGISTER(arg_image_policy, image_policy_freep);
static bool press_any_key(void) {
char k = 0;
bool need_nl = true;
puts("-- Press any key to proceed --");
(void) read_one_char(stdin, &k, USEC_INFINITY, &need_nl);
if (need_nl)
putchar('\n');
return k != 'q';
}
static void print_welcome(int rfd) {
_cleanup_free_ char *pretty_name = NULL, *os_name = NULL, *ansi_color = NULL;
static bool done = false;
@ -141,7 +127,7 @@ static void print_welcome(int rfd) {
printf("\nPlease configure your system!\n\n");
press_any_key();
any_key_to_proceed();
done = true;
}
@ -184,7 +170,7 @@ static int show_menu(char **x, unsigned n_columns, unsigned width, unsigned perc
/* on the first screen we reserve 2 extra lines for the title */
if (i % break_lines == break_modulo) {
if (!press_any_key())
if (!any_key_to_proceed())
return 0;
}
}
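Review bot: the show_menu hunk still relies on a boolean result (`if (!any_key_to_proceed()) return 0;`), so the shared helper must keep the semantics of the removed press_any_key(): return false only when the user typed 'q', true for any other key. If any_key_to_proceed() returns void or inverts that meaning, paging through long menus breaks.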

View File

@ -31,3 +31,25 @@ static inline bool unified_section_measure(UnifiedSection section) {
/* Max number of profiles per UKI */
#define UNIFIED_PROFILES_MAX 256U
/* The native PE machine type, if known, for a full list see:
* https://learn.microsoft.com/en-us/windows/win32/debug/pe-format#machine-types */
#ifndef _IMAGE_FILE_MACHINE_NATIVE
# if defined(__x86_64__)
# define _IMAGE_FILE_MACHINE_NATIVE UINT16_C(0x8664)
# elif defined(__i386__)
# define _IMAGE_FILE_MACHINE_NATIVE UINT16_C(0x014c)
# elif defined(__ia64__)
# define _IMAGE_FILE_MACHINE_NATIVE UINT16_C(0x0200)
# elif defined(__aarch64__)
# define _IMAGE_FILE_MACHINE_NATIVE UINT16_C(0xaa64)
# elif defined(__arm__)
# define _IMAGE_FILE_MACHINE_NATIVE UINT16_C(0x01c0)
# elif defined(__riscv)
# if __SIZEOF_POINTER__ == 4
# define _IMAGE_FILE_MACHINE_NATIVE UINT16_C(0x5032)
# elif __SIZEOF_POINTER__ == 8
# define _IMAGE_FILE_MACHINE_NATIVE UINT16_C(0x5064)
# endif
# endif
#endif
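Review bot: on architectures not listed here (and on riscv with a pointer size other than 4 or 8) _IMAGE_FILE_MACHINE_NATIVE is left undefined, so every user must guard with `#ifdef _IMAGE_FILE_MACHINE_NATIVE`; a comment stating that intent, or an `#else` branch with a clear diagnostic, would avoid confusing compile failures. Also, identifiers beginning with an underscore followed by an uppercase letter are reserved by the C standard; a project-prefixed name would be safer.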

View File

@ -2434,6 +2434,8 @@ static int create_interactively(void) {
return 0;
}
any_key_to_proceed();
r = acquire_bus(&bus);
if (r < 0)
return r;

View File

@ -222,20 +222,16 @@ int manager_new(Manager **ret) {
if (r < 0)
return r;
r = sd_event_add_signal(m->event, NULL, SIGINT, NULL, NULL);
r = sd_event_set_signal_exit(m->event, true);
if (r < 0)
return r;
r = sd_event_add_signal(m->event, NULL, SIGTERM, NULL, NULL);
if (r < 0)
return r;
r = sd_event_add_memory_pressure(m->event, NULL, NULL, NULL);
r = sd_event_add_memory_pressure(m->event, /* ret_event_source= */ NULL, /* callback= */ NULL, /* userdata= */ NULL);
if (r < 0)
log_full_errno(ERRNO_IS_NOT_SUPPORTED(r) || ERRNO_IS_PRIVILEGE(r) || (r == -EHOSTDOWN) ? LOG_DEBUG : LOG_WARNING, r,
"Failed to allocate memory pressure watch, ignoring: %m");
r = sd_event_add_signal(m->event, NULL, SIGRTMIN+18, sigrtmin18_handler, NULL);
r = sd_event_add_signal(m->event, /* ret_event_source= */ NULL, (SIGRTMIN+18)|SD_EVENT_SIGNAL_PROCMASK, sigrtmin18_handler, /* userdata = */ NULL);
if (r < 0)
return r;
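Review bot: moving SIGINT/SIGTERM handling to sd_event_set_signal_exit() and adding SD_EVENT_SIGNAL_PROCMASK to the SIGRTMIN+18 source lets sd-event block the signals itself, which is why the run() hunk below shrinks sigprocmask_many() to SIGCHLD only; SIGCHLD is now the one signal blocked by the caller rather than by sd-event, so its handler registration (not in this hunk) has to stay in sync with that.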

View File

@ -29,7 +29,7 @@ static int run(int argc, char *argv[]) {
umask(0022);
assert_se(sigprocmask_many(SIG_BLOCK, NULL, SIGCHLD, SIGTERM, SIGINT, SIGRTMIN+18) >= 0);
assert_se(sigprocmask_many(SIG_BLOCK, /* ret_old_mask= */ NULL, SIGCHLD) >= 0);
r = manager_new(&m);
if (r < 0)
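Review bot: with SIGTERM, SIGINT and SIGRTMIN+18 no longer blocked before manager_new(), there is a short window between process start and sd_event_set_signal_exit()/sd_event_add_signal() in which those signals take their default disposition (termination); that is acceptable for a daemon still initialising, but worth stating in the commit message so nobody later "fixes" it back.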

View File

@ -1787,17 +1787,15 @@ static int server_setup_signals(Server *s) {
assert(s);
assert_se(sigprocmask_many(SIG_SETMASK, NULL, SIGINT, SIGTERM, SIGUSR1, SIGUSR2, SIGRTMIN+1, SIGRTMIN+18) >= 0);
r = sd_event_add_signal(s->event, &s->sigusr1_event_source, SIGUSR1, dispatch_sigusr1, s);
r = sd_event_add_signal(s->event, &s->sigusr1_event_source, SIGUSR1|SD_EVENT_SIGNAL_PROCMASK, dispatch_sigusr1, s);
if (r < 0)
return r;
r = sd_event_add_signal(s->event, &s->sigusr2_event_source, SIGUSR2, dispatch_sigusr2, s);
r = sd_event_add_signal(s->event, &s->sigusr2_event_source, SIGUSR2|SD_EVENT_SIGNAL_PROCMASK, dispatch_sigusr2, s);
if (r < 0)
return r;
r = sd_event_add_signal(s->event, &s->sigterm_event_source, SIGTERM, dispatch_sigterm, s);
r = sd_event_add_signal(s->event, &s->sigterm_event_source, SIGTERM|SD_EVENT_SIGNAL_PROCMASK, dispatch_sigterm, s);
if (r < 0)
return r;
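Review bot: the removed `sigprocmask_many(SIG_SETMASK, ...)` did not only block these signals, it reset the mask to exactly this set; with per-source SD_EVENT_SIGNAL_PROCMASK flags, any signals inherited as blocked from the parent stay blocked. If journald relied on SIG_SETMASK to clear an inherited mask, that behaviour changes and should be called out.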
@ -1808,7 +1806,7 @@ static int server_setup_signals(Server *s) {
/* When journald is invoked on the terminal (when debugging), it's useful if C-c is handled
* equivalent to SIGTERM. */
r = sd_event_add_signal(s->event, &s->sigint_event_source, SIGINT, dispatch_sigterm, s);
r = sd_event_add_signal(s->event, &s->sigint_event_source, SIGINT|SD_EVENT_SIGNAL_PROCMASK, dispatch_sigterm, s);
if (r < 0)
return r;
@ -1819,7 +1817,7 @@ static int server_setup_signals(Server *s) {
/* SIGRTMIN+1 causes an immediate sync. We process this very late, so that everything else queued at
* this point is really written to disk. Clients can watch /run/systemd/journal/synced with inotify
* until its mtime changes to see when a sync happened. */
r = sd_event_add_signal(s->event, &s->sigrtmin1_event_source, SIGRTMIN+1, dispatch_sigrtmin1, s);
r = sd_event_add_signal(s->event, &s->sigrtmin1_event_source, (SIGRTMIN+1)|SD_EVENT_SIGNAL_PROCMASK, dispatch_sigrtmin1, s);
if (r < 0)
return r;
@ -1827,7 +1825,7 @@ static int server_setup_signals(Server *s) {
if (r < 0)
return r;
r = sd_event_add_signal(s->event, NULL, SIGRTMIN+18, sigrtmin18_handler, &s->sigrtmin18_info);
r = sd_event_add_signal(s->event, /* ret_event_source= */ NULL, (SIGRTMIN+18)|SD_EVENT_SIGNAL_PROCMASK, sigrtmin18_handler, &s->sigrtmin18_info);
if (r < 0)
return r;

View File

@ -404,15 +404,16 @@ static int context_set_path_strv(Context *c, char* const* strv, const char *sour
static int context_set_plugins(Context *c, const char *s, const char *source) {
_cleanup_strv_free_ char **v = NULL;
int r;
assert(c);
if (c->plugins || !s)
return 0;
v = strv_split(s, NULL);
if (!v)
return log_oom();
r = strv_split_full(&v, s, NULL, EXTRACT_UNQUOTE);
if (r < 0)
return log_error_errno(r, "Failed to parse plugin paths from %s: %m", source);
return context_set_path_strv(c, v, source, "plugins", &c->plugins);
}
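Review bot: switching to strv_split_full(..., EXTRACT_UNQUOTE) allows plugin paths containing whitespace to be quoted, matching the test change that now single-quotes each entry of KERNEL_INSTALL_PLUGINS; the dropped `if (!v) return log_oom();` is covered because strv_split_full() returns a negative errno on OOM and the new `r < 0` branch logs it with %m, which is fine.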

View File

@ -46,7 +46,13 @@ echo 'DTBDTBDTBDTB' >"$D/sources/subdir/whatever.dtb"
export KERNEL_INSTALL_CONF_ROOT="$D/sources"
# We "install" multiple plugins, but control which ones will be active via install.conf.
export KERNEL_INSTALL_PLUGINS="${ukify_install} ${loaderentry_install} ${uki_copy_install}"
KERNEL_INSTALL_PLUGINS="'${loaderentry_install}' '${uki_copy_install}'"
if [[ -n "$ukify_install" ]]; then
# shellcheck disable=SC2089
KERNEL_INSTALL_PLUGINS="'${ukify_install}' $KERNEL_INSTALL_PLUGINS"
fi
# shellcheck disable=SC2090
export KERNEL_INSTALL_PLUGINS
export BOOT_ROOT="$D/boot"
export BOOT_MNT="$D/boot"
export MACHINE_ID='3e0484f3634a418b8e6a39e8828b03e3'
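Review bot: the single quotes here are literal and meant to be re-parsed by the consumer (EXTRACT_UNQUOTE in context_set_plugins), which is why the SC2089/SC2090 disables are needed; a one-line comment saying so would stop the next reader from "fixing" this into a bash array. Note the quoting protects against whitespace only, not against paths containing single quotes, which is fine for these test fixtures.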

View File

@ -1,7 +1,7 @@
/* SPDX-License-Identifier: LGPL-2.1-or-later */
#include "env-util.h"
#include "format-util.h"
#include "format-ifname.h"
#include "network-common.h"
#include "socket-util.h"
#include "unaligned.h"

View File

@ -1229,7 +1229,7 @@ static int generic_method_get_interface_description(
sd_varlink_method_flags_t flags,
void *userdata) {
static const struct sd_json_dispatch_field dispatch_table[] = {
static const sd_json_dispatch_field dispatch_table[] = {
{ "interface", SD_JSON_VARIANT_STRING, sd_json_dispatch_const_string, 0, SD_JSON_MANDATORY },
{}
};

View File

@ -86,15 +86,11 @@ static int manager_new(Manager **ret) {
if (r < 0)
return r;
r = sd_event_add_signal(m->event, NULL, SIGINT, NULL, NULL);
r = sd_event_set_signal_exit(m->event, true);
if (r < 0)
return r;
r = sd_event_add_signal(m->event, NULL, SIGTERM, NULL, NULL);
if (r < 0)
return r;
r = sd_event_add_signal(m->event, NULL, SIGRTMIN+18, sigrtmin18_handler, NULL);
r = sd_event_add_signal(m->event, /* ret_event_source= */ NULL, (SIGRTMIN+18)|SD_EVENT_SIGNAL_PROCMASK, sigrtmin18_handler, /* userdata= */ NULL);
if (r < 0)
return r;
@ -826,7 +822,7 @@ static int manager_connect_console(Manager *m) {
return log_error_errno(r, "Failed to watch foreground console: %m");
/*
* SIGRTMIN is used as global VT-release signal, SIGRTMIN + 1 is used
* SIGRTMIN + 0 is used as global VT-release signal, SIGRTMIN + 1 is used
* as VT-acquire signal. We ignore any acquire-events (yes, we still
* have to provide a valid signal-number for it!) and acknowledge all
* release events immediately.
@ -838,11 +834,10 @@ static int manager_connect_console(Manager *m) {
SIGRTMIN, SIGRTMAX);
assert_se(ignore_signals(SIGRTMIN + 1) >= 0);
assert_se(sigprocmask_many(SIG_BLOCK, NULL, SIGRTMIN) >= 0);
r = sd_event_add_signal(m->event, NULL, SIGRTMIN, manager_vt_switch, m);
r = sd_event_add_signal(m->event, /* ret_event_source= */ NULL, (SIGRTMIN + 0) | SD_EVENT_SIGNAL_PROCMASK, manager_vt_switch, m);
if (r < 0)
return log_error_errno(r, "Failed to subscribe to signal: %m");
return log_error_errno(r, "Failed to subscribe to SIGRTMIN+0 signal: %m");
return 0;
}
@ -1097,7 +1092,7 @@ static int manager_startup(Manager *m) {
assert(m);
r = sd_event_add_signal(m->event, NULL, SIGHUP, manager_dispatch_reload_signal, m);
r = sd_event_add_signal(m->event, /* ret_event_source= */ NULL, SIGHUP|SD_EVENT_SIGNAL_PROCMASK, manager_dispatch_reload_signal, m);
if (r < 0)
return log_error_errno(r, "Failed to register SIGHUP handler: %m");
@ -1247,7 +1242,7 @@ static int run(int argc, char *argv[]) {
(void) mkdir_label("/run/systemd/users", 0755);
(void) mkdir_label("/run/systemd/sessions", 0755);
assert_se(sigprocmask_many(SIG_BLOCK, NULL, SIGHUP, SIGTERM, SIGINT, SIGCHLD, SIGRTMIN+18) >= 0);
assert_se(sigprocmask_many(SIG_BLOCK, /* ret_old_mask= */ NULL, SIGCHLD) >= 0);
r = manager_new(&m);
if (r < 0)

View File

@ -32,6 +32,7 @@
#include "edit-util.h"
#include "env-util.h"
#include "fd-util.h"
#include "format-ifname.h"
#include "format-table.h"
#include "hostname-util.h"
#include "import-util.h"
@ -1219,8 +1220,6 @@ static int process_forward(sd_event *event, PTYForward **forward, int master, PT
assert(master >= 0);
assert(name);
assert_se(sigprocmask_many(SIG_BLOCK, NULL, SIGWINCH, SIGTERM, SIGINT) >= 0);
if (!arg_quiet) {
if (streq(name, ".host"))
log_info("Connected to the local host. Press ^] three times within 1s to exit session.");
@ -1228,8 +1227,9 @@ static int process_forward(sd_event *event, PTYForward **forward, int master, PT
log_info("Connected to machine %s. Press ^] three times within 1s to exit session.", name);
}
(void) sd_event_add_signal(event, NULL, SIGINT, NULL, NULL);
(void) sd_event_add_signal(event, NULL, SIGTERM, NULL, NULL);
r = sd_event_set_signal_exit(event, true);
if (r < 0)
return log_error_errno(r, "Failed to enable SIGINT/SITERM handling: %m");
r = pty_forward_new(event, master, flags, forward);
if (r < 0)
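Review bot: typo in the new error string: "SITERM" should read "SIGTERM". Separately, the explicit blocking of SIGWINCH via the removed sigprocmask_many() is gone; if pty_forward_new() depends on SIGWINCH being blocked for its own signalfd handling, that now has to happen inside pty_forward_new() (not visible in this hunk).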

View File

@ -416,19 +416,18 @@ static int list_machine_one(sd_varlink *link, Machine *m, bool more) {
}
static int vl_method_list(sd_varlink *link, sd_json_variant *parameters, sd_varlink_method_flags_t flags, void *userdata) {
Manager *m = ASSERT_PTR(userdata);
const char *mn = NULL;
const sd_json_dispatch_field dispatch_table[] = {
{ "name", SD_JSON_VARIANT_STRING, sd_json_dispatch_const_string, PTR_TO_SIZE(&mn), 0 },
static const sd_json_dispatch_field dispatch_table[] = {
{ "name", SD_JSON_VARIANT_STRING, sd_json_dispatch_const_string, 0, 0 },
{}
};
Manager *m = ASSERT_PTR(userdata);
const char *mn = NULL;
int r;
assert(parameters);
r = sd_varlink_dispatch(link, parameters, dispatch_table, 0);
r = sd_varlink_dispatch(link, parameters, dispatch_table, &mn);
if (r != 0)
return r;
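Review bot: making dispatch_table static requires the field offsets to be relative to the userdata pointer rather than computed with PTR_TO_SIZE(&mn); the table now uses offset 0 with `&mn` passed as userdata to sd_varlink_dispatch(), which is correct only while "name" is the sole field. If a second field is ever added, userdata must become a struct and the offsets offsetof() values, so a brief comment noting that constraint would help.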

View File

@ -55,15 +55,11 @@ static int manager_new(Manager **ret) {
if (r < 0)
return r;
r = sd_event_add_signal(m->event, NULL, SIGINT, NULL, NULL);
r = sd_event_set_signal_exit(m->event, true);
if (r < 0)
return r;
r = sd_event_add_signal(m->event, NULL, SIGTERM, NULL, NULL);
if (r < 0)
return r;
r = sd_event_add_signal(m->event, NULL, SIGRTMIN+18, sigrtmin18_handler, NULL);
r = sd_event_add_signal(m->event, /* ret_event_source= */ NULL, (SIGRTMIN+18)|SD_EVENT_SIGNAL_PROCMASK, sigrtmin18_handler, /* userdata= */ NULL);
if (r < 0)
return r;
@ -332,7 +328,7 @@ static int run(int argc, char *argv[]) {
* make sure this check stays in. */
(void) mkdir_label("/run/systemd/machines", 0755);
assert_se(sigprocmask_many(SIG_BLOCK, NULL, SIGCHLD, SIGTERM, SIGINT, SIGRTMIN+18) >= 0);
assert_se(sigprocmask_many(SIG_BLOCK, /* ret_old_mask= */ NULL, SIGCHLD) >= 0);
r = manager_new(&m);
if (r < 0)

View File

@ -0,0 +1,25 @@
# SPDX-License-Identifier: LGPL-2.1-or-later
if conf.get('HAVE_VMLINUX_H') != 1
subdir_done()
endif
sysctl_monitor_bpf_o_unstripped = custom_target(
'sysctl-monitor.bpf.unstripped.o',
input : 'sysctl-monitor.bpf.c',
output : 'sysctl-monitor.bpf.unstripped.o',
command : bpf_o_unstripped_cmd,
depends : vmlinux_h_dependency)
sysctl_monitor_bpf_o = custom_target(
'sysctl-monitor.bpf.o',
input : sysctl_monitor_bpf_o_unstripped,
output : 'sysctl-monitor.bpf.o',
command : bpf_o_cmd)
sysctl_monitor_skel_h = custom_target(
'sysctl-monitor.skel.h',
input : sysctl_monitor_bpf_o,
output : 'sysctl-monitor.skel.h',
command : skel_h_cmd,
capture : true)
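Review bot: subdir_done() when HAVE_VMLINUX_H is not 1 leaves sysctl_monitor_skel_h undefined, so the code that includes sysctl-monitor.skel.h must be guarded by the same condition or the build breaks only on hosts without vmlinux.h; please confirm the consumer side is conditional too.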

View File

@ -0,0 +1,16 @@
/* SPDX-License-Identifier: LGPL-2.1-or-later */
/* The SPDX header above is actually correct in claiming this was
* LGPL-2.1-or-later, because it is. Since the kernel doesn't consider that
* compatible with GPL we will claim this to be GPL however, which should be
* fine given that LGPL-2.1-or-later downgrades to GPL if needed.
*/
#include "bpf-dlopen.h"
/* libbpf is used via dlopen(), so rename symbols */
#define bpf_object__destroy_skeleton sym_bpf_object__destroy_skeleton
#define bpf_object__load_skeleton sym_bpf_object__load_skeleton
#define bpf_object__open_skeleton sym_bpf_object__open_skeleton
#include "bpf/sysctl_monitor/sysctl-monitor.skel.h"
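Review bot: only bpf_object__destroy_skeleton, bpf_object__load_skeleton and bpf_object__open_skeleton are renamed to their sym_ wrappers; if the generated skeleton header also calls other bpf_object__* entry points (for example attach/detach), they need the same treatment in bpf-dlopen.h, otherwise the object references libbpf directly and defeats the dlopen() scheme described in the comment.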

Some files were not shown because too many files have changed in this diff.