Compare commits
175 Commits
3082f35003
...
8fa1c6173d
Author | SHA1 | Date |
---|---|---|
cvlc12 | 8fa1c6173d | |
Daan De Meyer | bc9a9177b2 | |
Yu Watanabe | a13ead6814 | |
Yu Watanabe | f901a7b39f | |
Yu Watanabe | 9b01cf0406 | |
Yu Watanabe | d5aae0713d | |
Daan De Meyer | 86c1317270 | |
Daan De Meyer | f4faac2073 | |
Yu Watanabe | 2bcc2a89f3 | |
Yu Watanabe | 07e6a111c0 | |
Yu Watanabe | c2648f6e23 | |
Daan De Meyer | 1d5b4317cd | |
Frantisek Sumsal | cd57920fbf | |
Yu Watanabe | 8d6eedd8a3 | |
Yu Watanabe | 91eaa90b81 | |
Yu Watanabe | 3b5c5da73a | |
Yu Watanabe | 1775654e2c | |
Yu Watanabe | 0ea6d55a4b | |
Yu Watanabe | 26d35019de | |
Yu Watanabe | b962338104 | |
Yu Watanabe | fae0b00434 | |
Yu Watanabe | f7923ef318 | |
Yu Watanabe | 36df48d863 | |
Yu Watanabe | 53c638db16 | |
Yu Watanabe | 751a247794 | |
Yu Watanabe | 07dbbda0fc | |
Yu Watanabe | ed4a6c476e | |
Antonio Alvarez Feijoo | fb4c82b643 | |
Daan De Meyer | 4d9ccdc9ae | |
Antonio Alvarez Feijoo | bf39626d61 | |
Marius Hoch | ff831e7c50 | |
Daan De Meyer | 81af8f998e | |
chenjiayi | 4fc8a63f9e | |
Jason Yundt | dfb3155419 | |
Daan De Meyer | fc5037e7d7 | |
Yu Watanabe | 13f6ec7ce7 | |
Yu Watanabe | 6e1816ef16 | |
Yu Watanabe | 7ac1ad90d0 | |
Daan De Meyer | 099b16c3e7 | |
Daan De Meyer | 7a7f306b6c | |
Yu Watanabe | 4f2975385f | |
Daan De Meyer | 0432e28394 | |
Yu Watanabe | fc956a3973 | |
Yu Watanabe | d265b8afb7 | |
Yu Watanabe | 1aab0a5b10 | |
Yu Watanabe | b0dbb4aa3a | |
Michael Ferrari | 91ea3dcf35 | |
Yu Watanabe | a95ae2d36a | |
Yu Watanabe | be8e4b1a87 | |
Adrian Vovk | cf612c5fd5 | |
Adrian Vovk | 2cb9c68c3a | |
Adrian Vovk | 78e9059208 | |
Adrian Vovk | e671bdc5c3 | |
Yu Watanabe | 572d031eca | |
Yu Watanabe | 25da422bd1 | |
Yu Watanabe | 5872ea7008 | |
PavlNekrasov | d80a9042ca | |
Yu Watanabe | a7afe5a3e7 | |
Lennart Poettering | a2369d0224 | |
Lennart Poettering | a37640653c | |
Yu Watanabe | a65b864835 | |
Yu Watanabe | 9959681a0d | |
Daan De Meyer | b3ebd480d6 | |
Arian van Putten | 6695ff4c15 | |
Yu Watanabe | 4d6ad22f8d | |
Yu Watanabe | 099ee34ca1 | |
Yu Watanabe | a2fbe9f3f9 | |
Yu Watanabe | 7c778cecdb | |
Yu Watanabe | 46718d344f | |
Yu Watanabe | 9295c7ae09 | |
Yu Watanabe | 41afafbf2a | |
Yu Watanabe | 9671efff78 | |
Yu Watanabe | 4f0bc2582e | |
Yu Watanabe | 3292120adf | |
Yu Watanabe | f6cc5e1c8d | |
Yu Watanabe | 590f430cac | |
Mike Yuan | 93d2d36638 | |
Lennart Poettering | 369b12375b | |
Yu Watanabe | b5ec8f77e0 | |
Lennart Poettering | 3e0a3a0259 | |
Celeste Liu | 6573f0c82c | |
Daan De Meyer | e0258ac886 | |
Lennart Poettering | a859d0d378 | |
Lennart Poettering | db15657dfb | |
Lennart Poettering | 2aa3005ad2 | |
Lennart Poettering | 90cf998875 | |
Lennart Poettering | c8d60ae79d | |
Lennart Poettering | bfcf48b842 | |
Mike Yuan | 3a41a21666 | |
Luca Boccassi | 37c2010bcf | |
Yu Watanabe | 5f5c5c48b9 | |
Daan De Meyer | 27a8a29e32 | |
Daan De Meyer | faa79a78c8 | |
Daan De Meyer | f8fa4222c9 | |
Daan De Meyer | c9c5c8d29b | |
Lennart Poettering | 1b7ef87fc1 | |
Yu Watanabe | 68fdef46a7 | |
Luca Boccassi | 680dec33f2 | |
Ronan Pigott | 32b8065e87 | |
Yu Watanabe | f921e7d6a3 | |
Yu Watanabe | d97c672be0 | |
Yu Watanabe | 60b2ddc9b7 | |
Yu Watanabe | 6c38915d35 | |
Yu Watanabe | acdfb85d97 | |
Yu Watanabe | 4f176f24d6 | |
Matthieu CHARETTE | 8ee3d4df80 | |
Mike Yuan | c7f7225f1a | |
Gregory Arenius | 3f3dc6ab84 | |
Lennart Poettering | 3f49d58920 | |
Lennart Poettering | 1e1661c5d2 | |
Lennart Poettering | dc8ed83892 | |
Luca Boccassi | 00f546e25e | |
Lennart Poettering | 831ad06bf5 | |
Lennart Poettering | d7a6bb9891 | |
Luca Boccassi | a7af35f1d4 | |
Zbigniew Jędrzejewski-Szmek | 2e1f83d1ab | |
Zbigniew Jędrzejewski-Szmek | 9a2b54d9f7 | |
Luca Boccassi | 7b9dc72c3c | |
Ricky Tigg | 809b844a9e | |
Daan De Meyer | 76c774828f | |
Lennart Poettering | e1f9d3c84b | |
Lennart Poettering | 9d63491f25 | |
Lennart Poettering | a44fa55e26 | |
Lennart Poettering | 868258cf38 | |
Matteo Croce | 64e03ca8bf | |
Daan De Meyer | cf94f513f0 | |
Ryan Wilson | b0b4e39a4d | |
Daan De Meyer | e196136bc5 | |
Luca Boccassi | ca690e6b84 | |
Lennart Poettering | 5892950ba4 | |
Lennart Poettering | 07696a1f07 | |
Lennart Poettering | 55184c4cfc | |
Lennart Poettering | dd4114317a | |
Lennart Poettering | 9045f88d72 | |
Lennart Poettering | 1791854ce4 | |
Mike Yuan | 8e8e41c724 | |
Daan De Meyer | 236a5e5f89 | |
Lennart Poettering | 626df2fe8d | |
Lennart Poettering | 1d551b1e7d | |
Zbigniew Jędrzejewski-Szmek | dcc359010c | |
Lennart Poettering | 58e359604f | |
Zbigniew Jędrzejewski-Szmek | 37bf958e7b | |
Zbigniew Jędrzejewski-Szmek | e31134b5f2 | |
Lennart Poettering | 6a92a793ac | |
Lennart Poettering | 59b3df9bae | |
Lennart Poettering | 9de565dd5d | |
Lennart Poettering | e6c49f7f11 | |
Lennart Poettering | f3c1d7fea1 | |
Lennart Poettering | a8e912f01b | |
Lennart Poettering | 201aca5f9a | |
Lennart Poettering | 6f1dfc407e | |
Lennart Poettering | d258b1c60c | |
Mike Yuan | 53c75243af | |
Matteo Croce | c78bcda461 | |
Matteo Croce | 6d9ef22acd | |
Matteo Croce | 64629617b6 | |
Matteo Croce | 766bcf302a | |
Lennart Poettering | 2b735c7d71 | |
Lennart Poettering | da8540583d | |
Daan De Meyer | 783a15081e | |
Lennart Poettering | 967c84ebb0 | |
Lennart Poettering | 6e1fa7516a | |
Lennart Poettering | 14dc0fc4ef | |
Lennart Poettering | 8b4fb52462 | |
Lennart Poettering | 368051ee6b | |
Daan De Meyer | aaa6c6e279 | |
Lennart Poettering | e5868783ca | |
Lennart Poettering | 118592cc49 | |
Lennart Poettering | 8d647ed2ff | |
Daan De Meyer | c64ddefd5c | |
Daan De Meyer | e2b0f23713 | |
Daan De Meyer | bc48bd83d3 | |
Lennart Poettering | 8e1c345921 | |
Lennart Poettering | c87afdf23d | |
Daan De Meyer | 2232452379 |
|
@ -105,7 +105,7 @@ jobs:
|
||||||
|
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
|
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
|
||||||
- uses: systemd/mkosi@31b4e756c1484c302435653da5d3b9bdfae38518
|
- uses: systemd/mkosi@2c9954fa51a3a995bbdc02db6ef51f5bd27bc1ba
|
||||||
|
|
||||||
# Freeing up disk space with rm -rf can take multiple minutes. Since we don't need the extra free space
|
# Freeing up disk space with rm -rf can take multiple minutes. Since we don't need the extra free space
|
||||||
# immediately, we remove the files in the background. However, we first move them to a different location
|
# immediately, we remove the files in the background. However, we first move them to a different location
|
||||||
|
|
243
NEWS
243
NEWS
|
@ -2,6 +2,15 @@ systemd System and Service Manager
|
||||||
|
|
||||||
CHANGES WITH 257 in spe:
|
CHANGES WITH 257 in spe:
|
||||||
|
|
||||||
|
Incompatible changes:
|
||||||
|
|
||||||
|
* The --purge switch of systemd-tmpfiles (which was added in v256) has
|
||||||
|
been reworked: it will now only apply to tmpfiles.d/ lines marked
|
||||||
|
with the new "$" flag. This is an incompatible change, and means any
|
||||||
|
tmpfiles.d/ files which shall be used together with --purge need to
|
||||||
|
be updated accordingly. This change has been made to make it harder
|
||||||
|
to accidentally delete too many files when using --purge incorrectly.
|
||||||
|
|
||||||
Announcements of Future Feature Removals and Incompatible Changes:
|
Announcements of Future Feature Removals and Incompatible Changes:
|
||||||
|
|
||||||
* Support for automatic flushing of the nscd user/group database caches
|
* Support for automatic flushing of the nscd user/group database caches
|
||||||
|
@ -44,18 +53,248 @@ CHANGES WITH 257 in spe:
|
||||||
but it should make the inhibitor logic easier to use and understand,
|
but it should make the inhibitor logic easier to use and understand,
|
||||||
and also help avoiding accidental reboots and shutdowns. New 'delay-weak'
|
and also help avoiding accidental reboots and shutdowns. New 'delay-weak'
|
||||||
and 'block-weak' inhibitor modes were added, if taken they will make
|
and 'block-weak' inhibitor modes were added, if taken they will make
|
||||||
the inhibitor lock work as in the previous versions.
|
the inhibitor lock work as in the previous versions. Inhibitor locks
|
||||||
|
can also be taken by remote users (subject to polkit policy).
|
||||||
|
|
||||||
* systemd-nspawn will now mount the unified cgroup hierarchy into a
|
* systemd-nspawn will now mount the unified cgroup hierarchy into a
|
||||||
container if no systemd installation is found in a container's root
|
container if no systemd installation is found in a container's root
|
||||||
filesystem. `$SYSTEMD_NSPAWN_UNIFIED_HIERARCHY=0` can be used to override
|
filesystem. `$SYSTEMD_NSPAWN_UNIFIED_HIERARCHY=0` can be used to override
|
||||||
this behavior.
|
this behavior.
|
||||||
|
|
||||||
|
libsystemd:
|
||||||
|
|
||||||
|
* New sd-json component is now available as part of libsystemd. The
|
||||||
|
goal of the library is to allow structures to be conveniently
|
||||||
|
created in C code and serialized to JSON, and for JSON to
|
||||||
|
conveniently deserialized into in-memory structures, using callbacks
|
||||||
|
to handle specific keys. Various data types like integers, floats,
|
||||||
|
booleans, strings, UUIDs, hex-encoded strings, and arrays are
|
||||||
|
supported natively.
|
||||||
|
|
||||||
|
Service and system management:
|
||||||
|
|
||||||
|
* Environment variable $REMOTE_ADDR is now set when using socket
|
||||||
|
activation for AF_UNIX sockets.
|
||||||
|
|
||||||
|
* Multipath TCP (MPTCP) is now supported as a socket protocol.
|
||||||
|
|
||||||
|
* New crypttab options fido2-pin=, fido2-up=, fido2-uv= can be used to
|
||||||
|
enable/disable the PIN query, User Presence check, and User
|
||||||
|
Verification.
|
||||||
|
|
||||||
|
* New crypttab option password-cache=yes|no|read-only can be used to
|
||||||
|
customize password caching.
|
||||||
|
|
||||||
|
* New fstab option x-systemd.wants= creates "Wants" dependencies.
|
||||||
|
(This is similar to the previously available x-systemd.requires=.)
|
||||||
|
|
||||||
|
* The initialization of the system clock during boot and updates has
|
||||||
|
been simplified: either pid1 or systemd-timesyncd will pick the
|
||||||
|
latest time as indicated by the compiled-in epoch,
|
||||||
|
/usr/lib/clock-epoch, and /var/lib/systemd/timesync/clock. See
|
||||||
|
systemd(1) for an detailed updated description.
|
||||||
|
|
||||||
|
* Ctrl-Alt-Delete is re-enabled during late shutdown, so that the user
|
||||||
|
can still initiate a reboot if the system freezes.
|
||||||
|
|
||||||
|
* Unit option PrivateUsers=identity can be used to request a user
|
||||||
|
namespace with an identity mapping for the first 65536 UIDs/GIDs.
|
||||||
|
This is analogous to the systemd-nspawn's --private-users=identity.
|
||||||
|
|
||||||
|
* Unit option PrivateTmp=disconnected can be used to specify that a
|
||||||
|
separate tmpfs instance should be used for /tmp/ and /var/tmp/ for
|
||||||
|
the unit.
|
||||||
|
|
||||||
|
* A new sleep.conf HibernateOnACPower= option has been added, which
|
||||||
|
when disabled would suppress hibernation in suspend-then-hibernate
|
||||||
|
mode until the system is disconnected from a power source.
|
||||||
|
|
||||||
|
* udev rules now set 'uaccess' for /dev/udmabuf, giving locally
|
||||||
|
logged-in users access to the hardware. This is necessary to support
|
||||||
|
IPMI cameras with libcamera.
|
||||||
|
|
||||||
|
* New RELEASE_TYPE= and EXPERIMENT= fields are documented for the
|
||||||
|
os-release file. For example, "RELEASE_TYPE=development|stable|lts"
|
||||||
|
can be used to indicate various stages of the release life cycle,
|
||||||
|
and "RELEASE_TYPE=experimental" can indicate experimental builds,
|
||||||
|
with the EXPERIMENT= field providing a human-readable description of
|
||||||
|
the nature of the experiment.
|
||||||
|
|
||||||
|
* The manager (and various other tools too) use pidfds in more places
|
||||||
|
to refer to processes.
|
||||||
|
|
||||||
|
* A bunch of patches to ease building against musl have been merged.
|
||||||
|
|
||||||
|
* A build option -D link-executor-shared=false can be used to build
|
||||||
|
the systemd-executor binary (added in the previous release) in a way
|
||||||
|
where it does not link to shared libsystemd-shared-….so library.
|
||||||
|
PID1 holds a reference to the executor binary that was on disk when
|
||||||
|
the manager was started or restarted, but the shared libraries it is
|
||||||
|
linked to are not loaded until the executor binary needs to be used.
|
||||||
|
This partial static linking is a workaround for the issue where,
|
||||||
|
during upgrades, the old libsystemd-shared-….so may have already
|
||||||
|
been removed and the pinned executor binary will just fail to
|
||||||
|
execute.
|
||||||
|
|
||||||
|
systemd-logind:
|
||||||
|
|
||||||
|
* New DesignatedMaintenanceTime= configuration option allows
|
||||||
|
shutdowns to be automatically scheduled at the specified time.
|
||||||
|
|
||||||
|
* logind now reacts to Ctrl-Alt-Shift-Esc being pressed. It will send
|
||||||
|
out a org.freedesktop.login1.SecureAttentionKey signal, indicating a
|
||||||
|
request by the user for the system to display a secure login dialog.
|
||||||
|
The handling of SAK can be suppressed in logind configuration.
|
||||||
|
|
||||||
|
systemd-machined:
|
||||||
|
|
||||||
|
* Unprivileged clients are now allowed to register VMs and containers.
|
||||||
|
Machines started via the systemd-vmspawn@.service unit will now be
|
||||||
|
registered with systemd-machined.
|
||||||
|
|
||||||
systemd-resolved:
|
systemd-resolved:
|
||||||
|
|
||||||
* 'resolvconf' command now supports '-p' switch. If specified, the
|
* resolvconf command now supports '-p' switch. If specified, the
|
||||||
interface will not be used as the default route.
|
interface will not be used as the default route.
|
||||||
|
|
||||||
|
* resolvectl now allows interactive polkit authorization. It gained a
|
||||||
|
--no-ask-password option to suppress it.
|
||||||
|
|
||||||
|
systemd-networkd and networkctl:
|
||||||
|
|
||||||
|
* IPv6 address labels can be configured in a new [IPv6AddressLabel]
|
||||||
|
section with Prefix= and Label= settings.
|
||||||
|
|
||||||
|
* 'networkctl edit' can now read the new contents from standard input
|
||||||
|
with the new --stdin option.
|
||||||
|
|
||||||
|
* 'networkctl edit' and 'cat' now supports editing .netdev files by
|
||||||
|
link. 'networkctl cat' can also list all configuration files
|
||||||
|
associated with an interface at once with ':all'.
|
||||||
|
|
||||||
|
* networkctl gained a --no-ask-password option to suppress interactive
|
||||||
|
polkit authorization.
|
||||||
|
|
||||||
|
systemd-boot, systemd-stub, and related tools:
|
||||||
|
|
||||||
|
* The EFI stub now supports loading of .ucode sections with microcode
|
||||||
|
from addons.
|
||||||
|
|
||||||
|
* A new .profile PE section type is now documented and supported in
|
||||||
|
systemd-measure, ukify, systemd-stub and systemd-boot. Those new
|
||||||
|
sections allow multiple "profiles" to be stored together in the UKI,
|
||||||
|
with .profile sections creating groupings the UKI, allowing some
|
||||||
|
sections to be shared and other sections like .cmdline or .initrd
|
||||||
|
unique to the profile.
|
||||||
|
|
||||||
|
* ukify gained an --extend switch to import an existing UKI to
|
||||||
|
be extended, and a --measure-base= switch to support measurement
|
||||||
|
of multi-profile UKIs.
|
||||||
|
|
||||||
|
The journal:
|
||||||
|
|
||||||
|
* journalctl can now list invocations of a unit with the
|
||||||
|
--list-invocation options and show logs for a specific invocation
|
||||||
|
with the new --invocation/-I option. (This is analogous to the
|
||||||
|
--list-boots/--boot/-b options.)
|
||||||
|
|
||||||
|
systemd-sysupdate and related tools:
|
||||||
|
|
||||||
|
* systemd-sysupdate can be run as system service, allowing
|
||||||
|
unprivileged clients to update the system via D-Bus calls.
|
||||||
|
|
||||||
|
A new updatectl command-line tool can be used to control the
|
||||||
|
service.
|
||||||
|
|
||||||
|
* systemd-sysupdate gained a new --offline option to force it to
|
||||||
|
operate locally. This is useful when listing locally installed
|
||||||
|
versions.
|
||||||
|
|
||||||
|
* systemd-sysupdate gained a new --transfer-source= option to set the
|
||||||
|
directory to which transfer sources configured with
|
||||||
|
PathRelativeTo=explicit will be interpreted.
|
||||||
|
|
||||||
|
Miscellaneous:
|
||||||
|
|
||||||
|
* systemctl now supports the --now option with the 'reenable' verb.
|
||||||
|
|
||||||
|
* systemd-analyze will now show the SMBIOS #11 vendor strings set for
|
||||||
|
the machine with a new 'smbios11' verb.
|
||||||
|
|
||||||
|
* systemd-analyze gained a new --instance= option that can be used to
|
||||||
|
provide an instance name to analyze multiple templates instantiated
|
||||||
|
with the same instance name.
|
||||||
|
|
||||||
|
* The 'tpm2' verb which lists usable TPM2 devices has been moved from
|
||||||
|
systemd-creds to systemd-analyze.
|
||||||
|
|
||||||
|
* varlinkctl gained a new verb 'list-methods' to show a list of
|
||||||
|
methods implemented by a service.
|
||||||
|
|
||||||
|
* varlinkctl gained a --quiet/-q option to suppress method call
|
||||||
|
replies.
|
||||||
|
|
||||||
|
* varlinkctl gained a --graceful= option to suppress specified Varlink
|
||||||
|
errors.
|
||||||
|
|
||||||
|
* varlinkctl gained a --timeout= option to limit how long the
|
||||||
|
invocation can take.
|
||||||
|
|
||||||
|
* varlinkctl allows remote invocations over ssh, via the new
|
||||||
|
"ssh-exec:" address specification. It'll make an ssh connection,
|
||||||
|
start the specified executable on the remote, and communicate with
|
||||||
|
the remote process using the Varlink protocol.
|
||||||
|
|
||||||
|
"ssh:" address specification has been renamed to "ssh-unix:".
|
||||||
|
(The old syntax is still supported for backwards compatibility.)
|
||||||
|
|
||||||
|
* bootctl gained a --random-seed=yes|no option to control provisioning
|
||||||
|
of the random seed file in ESP. (This is useful when producing an
|
||||||
|
image that will be used multiple times.)
|
||||||
|
|
||||||
|
* systemd-cryptenroll gained new options -fido2-salt-file= and
|
||||||
|
--fido2-parameters-in-header= to simplify manual enrollment of FIDO2
|
||||||
|
tokens.
|
||||||
|
|
||||||
|
* systemd-cryptenroll, systemd-repart, and systemd-storagetm gained a
|
||||||
|
new --list-devices option to list appropriate candidate block
|
||||||
|
devices.
|
||||||
|
|
||||||
|
* systemd-repart's CopyBlocks= directive can now use a char device as
|
||||||
|
source (in addition to previously supported regular files and block
|
||||||
|
devices).
|
||||||
|
|
||||||
|
* systemd-repart gained a new Compression= and CompressionLevel=
|
||||||
|
settings to enable internal compression in filesystems created
|
||||||
|
offline.
|
||||||
|
|
||||||
|
* systemd-repart understands a new MakeSymlinks= option to create one
|
||||||
|
or more symlinks (each specified as a symlink name and target).
|
||||||
|
|
||||||
|
* systemd-mount can now output JSON with a new --json= switch.
|
||||||
|
|
||||||
|
* A new generator sytemd-import-generator has been added to
|
||||||
|
synthetisize image download jobs. This provides functionality
|
||||||
|
similar to importctl, but configured via the kernel command line and
|
||||||
|
system credentials.
|
||||||
|
|
||||||
|
* systemd-inhibit now allows interactive polkit authorization. It
|
||||||
|
gained a --no-ask-password option to suppress it.
|
||||||
|
|
||||||
|
* systemd-id128 gained a new 'var-partition-uuid' verb to calculate
|
||||||
|
the DPS UUID for /var/ keyed by the local machine-id.
|
||||||
|
|
||||||
|
* locatectl gained a -l/--full option to show output without
|
||||||
|
ellipsization.
|
||||||
|
|
||||||
|
* 'busctl monitor' gained new options --num-matches= and --timeout=
|
||||||
|
to set the number of matches or limit the runtime of the command.
|
||||||
|
This is intended to be used in scripts.
|
||||||
|
|
||||||
|
* systemd-run can output some data as JSON via the new --json= option.
|
||||||
|
|
||||||
|
* timedatectl now supports interactive polkit authorization.
|
||||||
|
|
||||||
— <place>, <date>
|
— <place>, <date>
|
||||||
|
|
||||||
CHANGES WITH 256:
|
CHANGES WITH 256:
|
||||||
|
|
60
TODO
60
TODO
|
@ -130,6 +130,10 @@ Deprecations and removals:
|
||||||
|
|
||||||
Features:
|
Features:
|
||||||
|
|
||||||
|
* find a nice way to opt-in into auto-masking SIGCHLD on first
|
||||||
|
sd_event_add_child(), and then get rid of many more explicit sigprocmask()
|
||||||
|
calls.
|
||||||
|
|
||||||
* maybe set shell.prompt.prefix credential in run0 to some warning emoji,
|
* maybe set shell.prompt.prefix credential in run0 to some warning emoji,
|
||||||
i.e. ⚠️ or ☢️ or ⚡ or 👊 or 🧑🔧 or so.
|
i.e. ⚠️ or ☢️ or ⚡ or 👊 or 🧑🔧 or so.
|
||||||
|
|
||||||
|
@ -158,10 +162,6 @@ Features:
|
||||||
services where mount propagation from the root fs is off, an still have
|
services where mount propagation from the root fs is off, an still have
|
||||||
confext/sysext propagated in.
|
confext/sysext propagated in.
|
||||||
|
|
||||||
* marry pcrlock + signed pcr policies for FDE/credentials by letting each
|
|
||||||
unlock "half" of the volume key, so that the combination of both must be
|
|
||||||
XOR'ed to get the actual volume key
|
|
||||||
|
|
||||||
* support F_DUDFD_QUERY for comparing fds in same_fd (requires kernel 6.10)
|
* support F_DUDFD_QUERY for comparing fds in same_fd (requires kernel 6.10)
|
||||||
|
|
||||||
* generic interface for varlink for setting log level and stuff that all our daemons can implement
|
* generic interface for varlink for setting log level and stuff that all our daemons can implement
|
||||||
|
@ -189,6 +189,8 @@ Features:
|
||||||
* go through our codebase, and convert "vertical tables" (i.e. things such as
|
* go through our codebase, and convert "vertical tables" (i.e. things such as
|
||||||
"systemctl status") to use table_new_vertical() for output
|
"systemctl status") to use table_new_vertical() for output
|
||||||
|
|
||||||
|
* pcrlock: add support for multi-profile UKIs
|
||||||
|
|
||||||
* logind: when logging in use new tmpfs quota support to configure quota on
|
* logind: when logging in use new tmpfs quota support to configure quota on
|
||||||
/tmp/ + /dev/shm/. But do so only in case of tmpfs, because otherwise quota
|
/tmp/ + /dev/shm/. But do so only in case of tmpfs, because otherwise quota
|
||||||
is persistent and any persistent settings mean we don#t have to reapply them.
|
is persistent and any persistent settings mean we don#t have to reapply them.
|
||||||
|
@ -485,13 +487,9 @@ Features:
|
||||||
nvme-oF
|
nvme-oF
|
||||||
|
|
||||||
* pcrlock:
|
* pcrlock:
|
||||||
- make signed PCR work together with pcrlock
|
|
||||||
- add kernel-install plugin that automatically creates UKI .pcrlock file when
|
- add kernel-install plugin that automatically creates UKI .pcrlock file when
|
||||||
UKI is installed, and removes it when it is removed again
|
UKI is installed, and removes it when it is removed again
|
||||||
- automatically install PE measurement of sd-boot on "bootctl install"
|
- automatically install PE measurement of sd-boot on "bootctl install"
|
||||||
- write generated pcrlock signature files to the ESP as credential, one for
|
|
||||||
each installed OS & pick up generated pcrlock signature file in sd-stub,
|
|
||||||
pass it via initrd to OS
|
|
||||||
- pre-calc sysext + kernel cmdline measurements
|
- pre-calc sysext + kernel cmdline measurements
|
||||||
- pre-calc cryptsetup root key measurement
|
- pre-calc cryptsetup root key measurement
|
||||||
- maybe make systemd-repart generate .pcrlock for old and new GPT header in
|
- maybe make systemd-repart generate .pcrlock for old and new GPT header in
|
||||||
|
@ -951,9 +949,6 @@ Features:
|
||||||
* systemd-tmpfiles: add concept for conditionalizing lines on factory reset
|
* systemd-tmpfiles: add concept for conditionalizing lines on factory reset
|
||||||
boot, or on first boot.
|
boot, or on first boot.
|
||||||
|
|
||||||
* in UKIs: add way to define allowlist of additional words that can be added to
|
|
||||||
the kernel cmdline even in SecureBoot mode
|
|
||||||
|
|
||||||
* we probably needs .pcrpkeyrd or so as additional PE section in UKIs,
|
* we probably needs .pcrpkeyrd or so as additional PE section in UKIs,
|
||||||
which contains a separate public key for PCR values that only apply in the
|
which contains a separate public key for PCR values that only apply in the
|
||||||
initrd, i.e. in the boot phase "enter-initrd". Then, consumers in userspace
|
initrd, i.e. in the boot phase "enter-initrd". Then, consumers in userspace
|
||||||
|
@ -1006,12 +1001,6 @@ Features:
|
||||||
* in the initrd, once the rootfs encryption key has been measured to PCR 15,
|
* in the initrd, once the rootfs encryption key has been measured to PCR 15,
|
||||||
derive default machine ID to use from it, and pass it to host PID 1.
|
derive default machine ID to use from it, and pass it to host PID 1.
|
||||||
|
|
||||||
* tree-wide: convert as much as possible over to use sd_event_set_signal_exit(), instead
|
|
||||||
of manually hooking into SIGINT/SIGTERM
|
|
||||||
|
|
||||||
* tree-wide: convert as much as possible over to SD_EVENT_SIGNAL_PROCMASK
|
|
||||||
instead of manual blocking.
|
|
||||||
|
|
||||||
* sd-boot: for each installed OS, grey out older entries (i.e. all but the
|
* sd-boot: for each installed OS, grey out older entries (i.e. all but the
|
||||||
newest), to indicate they are obsolete
|
newest), to indicate they are obsolete
|
||||||
|
|
||||||
|
@ -1079,9 +1068,6 @@ Features:
|
||||||
* in sd-boot: load EFI drivers from a new PE section. That way, one can have a
|
* in sd-boot: load EFI drivers from a new PE section. That way, one can have a
|
||||||
"supercharged" sd-boot binary, that could carry ext4 drivers built-in.
|
"supercharged" sd-boot binary, that could carry ext4 drivers built-in.
|
||||||
|
|
||||||
* sd-bus: document that sd_bus_process() only returns messages that non of the
|
|
||||||
filters/handlers installed on the connection took possession of.
|
|
||||||
|
|
||||||
* sd-device: add an API for acquiring list of child devices, given a device
|
* sd-device: add an API for acquiring list of child devices, given a device
|
||||||
objects (i.e. all child dirents that dirs or symlinks to dirs)
|
objects (i.e. all child dirents that dirs or symlinks to dirs)
|
||||||
|
|
||||||
|
@ -1261,9 +1247,6 @@ Features:
|
||||||
appropriate qemu cmdline. That way qemu payloads could talk sd_notify()
|
appropriate qemu cmdline. That way qemu payloads could talk sd_notify()
|
||||||
directly to host service manager.
|
directly to host service manager.
|
||||||
|
|
||||||
* sd-device has an API to create an sd_device object from a device id, but has
|
|
||||||
no api to query the device id
|
|
||||||
|
|
||||||
* sd-device should return the devnum type (i.e. 'b' or 'c') via some API for an
|
* sd-device should return the devnum type (i.e. 'b' or 'c') via some API for an
|
||||||
sd_device object, so that data passed into sd_device_new_from_devnum() can
|
sd_device object, so that data passed into sd_device_new_from_devnum() can
|
||||||
also be queried.
|
also be queried.
|
||||||
|
@ -1308,14 +1291,6 @@ Features:
|
||||||
multiple versions are around of the same resource, show which ones. (in other
|
multiple versions are around of the same resource, show which ones. (in other
|
||||||
words: show partition labels).
|
words: show partition labels).
|
||||||
|
|
||||||
* maybe add a generator that reads /proc/cmdline, looks for
|
|
||||||
systemd.pull-raw-portable=, systemd-pull-raw-sysext= and similar switches
|
|
||||||
that take a URL as parameter. It then generates service units for
|
|
||||||
systemd-pull calls that download these URLs if not installed yet. Use case:
|
|
||||||
invoke a VM or nspawn container in a way it automatically deploys/runs these
|
|
||||||
images as OS payloads. i.e. have a generic OS image you can point to any
|
|
||||||
payload you like, which is then downloaded, securely verified and run.
|
|
||||||
|
|
||||||
* systemd-dissect: add --cat switch for dumping files such as /etc/os-release
|
* systemd-dissect: add --cat switch for dumping files such as /etc/os-release
|
||||||
|
|
||||||
* per-service sandboxing option: ProtectIds=. If used, will overmount
|
* per-service sandboxing option: ProtectIds=. If used, will overmount
|
||||||
|
@ -1526,6 +1501,8 @@ Features:
|
||||||
|
|
||||||
* systemd-analyze netif that explains predictable interface (or networkctl)
|
* systemd-analyze netif that explains predictable interface (or networkctl)
|
||||||
|
|
||||||
|
* systemd-analyze inspect-elf should show other notes too, at least build-id.
|
||||||
|
|
||||||
* Figure out naming of verbs in systemd-analyze: we have (singular) capability,
|
* Figure out naming of verbs in systemd-analyze: we have (singular) capability,
|
||||||
exit-status, but (plural) filesystems, architectures.
|
exit-status, but (plural) filesystems, architectures.
|
||||||
|
|
||||||
|
@ -1710,7 +1687,8 @@ Features:
|
||||||
zero and is not open anymore, while the latter happens when a file is
|
zero and is not open anymore, while the latter happens when a file is
|
||||||
unlinked from any dir.
|
unlinked from any dir.
|
||||||
|
|
||||||
* port systemctl, busctl, … over to format-table.[ch]'s table formatters
|
* systemctl, machinectl, loginctl: port "status" commands over to
|
||||||
|
format-table.c's vertical output logic.
|
||||||
|
|
||||||
* pid1: lock image configured with RootDirectory=/RootImage= using the usual nspawn semantics while the unit is up
|
* pid1: lock image configured with RootDirectory=/RootImage= using the usual nspawn semantics while the unit is up
|
||||||
|
|
||||||
|
@ -1736,9 +1714,6 @@ Features:
|
||||||
the entire system, with the exception of one specific service. See:
|
the entire system, with the exception of one specific service. See:
|
||||||
https://lists.freedesktop.org/archives/systemd-devel/2018-February/040369.html
|
https://lists.freedesktop.org/archives/systemd-devel/2018-February/040369.html
|
||||||
|
|
||||||
* maybe rework get_user_creds() to query the user database if $SHELL is used
|
|
||||||
for root, but only then.
|
|
||||||
|
|
||||||
* calenderspec: add support for week numbers and day numbers within a
|
* calenderspec: add support for week numbers and day numbers within a
|
||||||
year. This would allow us to define "bi-weekly" triggers safely.
|
year. This would allow us to define "bi-weekly" triggers safely.
|
||||||
|
|
||||||
|
@ -1887,7 +1862,7 @@ Features:
|
||||||
|
|
||||||
* fstab-generator: default to tmpfs-as-root if only usr= is specified on the kernel cmdline
|
* fstab-generator: default to tmpfs-as-root if only usr= is specified on the kernel cmdline
|
||||||
|
|
||||||
* docs: bring https://systemd.io/MY_SERVICE_CANT_GET_REATLIME up to date
|
* docs: bring https://systemd.io/MY_SERVICE_CANT_GET_REALTIME up to date
|
||||||
|
|
||||||
* add a job mode that will fail if a transaction would mean stopping
|
* add a job mode that will fail if a transaction would mean stopping
|
||||||
running units. Use this in timedated to manage the NTP service
|
running units. Use this in timedated to manage the NTP service
|
||||||
|
@ -2185,16 +2160,9 @@ Features:
|
||||||
- follow PropertiesChanged state more closely, to deal with quick logouts and
|
- follow PropertiesChanged state more closely, to deal with quick logouts and
|
||||||
relogins
|
relogins
|
||||||
- (optionally?) spawn seat-manager@$SEAT.service whenever a seat shows up that as CanGraphical set
|
- (optionally?) spawn seat-manager@$SEAT.service whenever a seat shows up that as CanGraphical set
|
||||||
- expose details of boot entries on the bus. In particular, it should be possible
|
|
||||||
to query the list of boot entry titles that bootctl / sd-boot would show.
|
|
||||||
Currently we only expose their identifiers.
|
|
||||||
|
|
||||||
* move multiseat vid/pid matches from logind udev rule to hwdb
|
* move multiseat vid/pid matches from logind udev rule to hwdb
|
||||||
|
|
||||||
* logind: rework pam_logind to also do a bus call in case of invocation from
|
|
||||||
user@.service, which returns the XDG_RUNTIME_DIR value, and make this
|
|
||||||
behaviour selectable via pam module option.
|
|
||||||
|
|
||||||
* delay activation of logind until somebody logs in, or when /dev/tty0 pulls it
|
* delay activation of logind until somebody logs in, or when /dev/tty0 pulls it
|
||||||
in or lingering is on (so that containers don't bother with it until PAM is used). also exit-on-idle
|
in or lingering is on (so that containers don't bother with it until PAM is used). also exit-on-idle
|
||||||
|
|
||||||
|
@ -2308,9 +2276,7 @@ Features:
|
||||||
should probably honour that same limit (JOURNAL_FILES_MAX) when vacuuming to
|
should probably honour that same limit (JOURNAL_FILES_MAX) when vacuuming to
|
||||||
ensure we never generate more files than we can actually view.
|
ensure we never generate more files than we can actually view.
|
||||||
|
|
||||||
* maybe add a tool that displays most recent journal logs as QR code to scan
|
* bsod: maybe use graphical mode. Use DRM APIs directly, see
|
||||||
off screen and run it automatically on boot failures, emergency logs and
|
|
||||||
such. Use DRM APIs directly, see
|
|
||||||
https://github.com/dvdhrm/docs/blob/master/drm-howto/modeset.c for an example
|
https://github.com/dvdhrm/docs/blob/master/drm-howto/modeset.c for an example
|
||||||
for doing that.
|
for doing that.
|
||||||
|
|
||||||
|
@ -2364,7 +2330,7 @@ Features:
|
||||||
- GNOME's side for forget key on suspend (requires rework so that lock screen runs outside of uid)
|
- GNOME's side for forget key on suspend (requires rework so that lock screen runs outside of uid)
|
||||||
- update LUKS password on login if we find there's a password that unlocks the JSON record but not the LUKS device.
|
- update LUKS password on login if we find there's a password that unlocks the JSON record but not the LUKS device.
|
||||||
- create on activate?
|
- create on activate?
|
||||||
- properties: icon url?, preferred session type?, administrator bool (which translates to 'wheel' membership)?, address?, telephone?, vcard?, samba stuff?, parental controls?
|
- properties: icon url?, administrator bool (which translates to 'wheel' membership)?, address?, telephone?, vcard?, samba stuff?, parental controls?
|
||||||
- communicate clearly when usb stick is safe to remove. probably involves
|
- communicate clearly when usb stick is safe to remove. probably involves
|
||||||
beefing up logind to make pam session close hook synchronous and wait until
|
beefing up logind to make pam session close hook synchronous and wait until
|
||||||
systemd --user is shut down.
|
systemd --user is shut down.
|
||||||
|
|
|
@ -788,9 +788,22 @@ Defined-By: systemd
|
||||||
Support: %SUPPORT_URL%
|
Support: %SUPPORT_URL%
|
||||||
Documentation: man:systemd-tpm2-setup.service(8)
|
Documentation: man:systemd-tpm2-setup.service(8)
|
||||||
|
|
||||||
An authorization failure occurred while attempting to enroll a Storage Root Key (SRK) on the Trusted Platform
|
An authorization failure occurred while attempting to enroll a Storage Root Key
|
||||||
Module (TPM). Most likely this means that a PIN/Password (authValue) has been set on the Owner hierarchy of
|
(SRK) on the Trusted Platform Module (TPM). Most likely this means that a
|
||||||
the TPM.
|
PIN/Password (authValue) has been set on the Owner hierarchy of the TPM.
|
||||||
|
|
||||||
Automatic SRK enrollment on TPMs in such scenarios is not supported. In order to unset the PIN/password
|
Automatic SRK enrollment on TPMs in such scenarios is not supported. In order
|
||||||
protection on the owner hierarchy issue a command like the following: 'tpm2_changeauth -c o -p <OLDPW> ""'.
|
to unset the PIN/password protection on the owner hierarchy issue a command
|
||||||
|
like the following: 'tpm2_changeauth -c o -p <OLDPW> ""'.
|
||||||
|
|
||||||
|
-- 9cf56b8baf9546cf9478783a8de42113
|
||||||
|
Subject: A foreign process changed a sysctl systemd-networkd manages
|
||||||
|
Defined-By: systemd
|
||||||
|
Support: %SUPPORT_URL%
|
||||||
|
|
||||||
|
The sysctl configuration setting @SYSCTL@, which is managed by
|
||||||
|
systemd-networkd, has been changed by another, unrelated process
|
||||||
|
("@OBJECT_COMM@", PID @OBJECT_PID@). This represents a conflict of ownership
|
||||||
|
and will likely result in problems later on.
|
||||||
|
|
||||||
|
Value changed to "@NEWVALUE@", which should be "@OURVALUE@".
|
||||||
|
|
|
@ -247,4 +247,4 @@ Note that scope units created by `machined`'s `CreateMachine()` call have this f
|
||||||
|
|
||||||
### Example
|
### Example
|
||||||
|
|
||||||
Please see the [systemd-run sources](http://cgit.freedesktop.org/systemd/systemd/plain/src/run/run.c) for a relatively simple example how to create scope or service units transiently and pass properties to them.
|
Please see the [systemd-run sources](https://github.com/systemd/systemd/blob/main/src/run/run.c) for a relatively simple example how to create scope or service units transiently and pass properties to them.
|
||||||
|
|
|
@ -87,3 +87,90 @@ of the libraries they specify in order to be enabled.
|
||||||
| required | Core functionality needs the dependency, the binary will not work if it cannot be found |
|
| required | Core functionality needs the dependency, the binary will not work if it cannot be found |
|
||||||
| recommended | Important functionality needs the dependency, the binary will work but in most cases the dependency should be provided |
|
| recommended | Important functionality needs the dependency, the binary will work but in most cases the dependency should be provided |
|
||||||
| suggested | Secondary functionality needs the dependency, the binary will work and the dependency is only needed for full-featured installations |
|
| suggested | Secondary functionality needs the dependency, the binary will work and the dependency is only needed for full-featured installations |
|
||||||
|
|
||||||
|
### Displaying `dlopen()` notes
|
||||||
|
|
||||||
|
The raw ELF section can be extracted using `objdump`:
|
||||||
|
```console
|
||||||
|
$ objdump -j .note.dlopen -s /usr/lib64/systemd/libsystemd-shared-257.so
|
||||||
|
|
||||||
|
/usr/lib64/systemd/libsystemd-shared-257.so: file format elf64-x86-64
|
||||||
|
|
||||||
|
Contents of section .note.dlopen:
|
||||||
|
0334 04000000 8e000000 0a0c7c40 46444f00 ..........|@FDO.
|
||||||
|
0344 5b7b2266 65617475 7265223a 22627066 [{"feature":"bpf
|
||||||
|
0354 222c2264 65736372 69707469 6f6e223a ","description":
|
||||||
|
0364 22537570 706f7274 20666972 6577616c "Support firewal
|
||||||
|
0374 6c696e67 20616e64 2073616e 64626f78 ling and sandbox
|
||||||
|
0384 696e6720 77697468 20425046 222c2270 ing with BPF","p
|
||||||
|
0394 72696f72 69747922 3a227375 67676573 riority":"sugges
|
||||||
|
03a4 74656422 2c22736f 6e616d65 223a5b22 ted","soname":["
|
||||||
|
03b4 6c696262 70662e73 6f2e3122 2c226c69 libbpf.so.1","li
|
||||||
|
03c4 62627066 2e736f2e 30225d7d 5d000000 bbpf.so.0"]}]...
|
||||||
|
03d4 04000000 9e000000 0a0c7c40 46444f00 ..........|@FDO.
|
||||||
|
...
|
||||||
|
```
|
||||||
|
|
||||||
|
It is more convenient to use a higher level tool:
|
||||||
|
```console
|
||||||
|
$ dlopen-notes /usr/lib64/systemd/libsystemd-shared-257.so
|
||||||
|
# /usr/lib64/systemd/libsystemd-shared-257.so
|
||||||
|
[
|
||||||
|
{
|
||||||
|
"feature": "archive",
|
||||||
|
"description": "Support for decompressing archive files",
|
||||||
|
"priority": "suggested",
|
||||||
|
"soname": [
|
||||||
|
"libarchive.so.13"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"feature": "bpf",
|
||||||
|
"description": "Support firewalling and sandboxing with BPF",
|
||||||
|
"priority": "suggested",
|
||||||
|
"soname": [
|
||||||
|
"libbpf.so.1",
|
||||||
|
"libbpf.so.0"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
...
|
||||||
|
```
|
||||||
|
|
||||||
|
`dlopen-notes` can display the notes grouped in a few different ways.
|
||||||
|
One option is to filter the libraries by "feature". This answers the
|
||||||
|
question "what libraries are needed to provide specified features":
|
||||||
|
|
||||||
|
```console
|
||||||
|
$ dlopen-notes.py -f archive,bpf /usr/lib64/systemd/libsystemd-shared-257.so
|
||||||
|
# grouped by feature
|
||||||
|
{
|
||||||
|
"bpf": {
|
||||||
|
"description": "Support firewalling and sandboxing with BPF",
|
||||||
|
"sonames": {
|
||||||
|
"libbpf.so.1": "suggested",
|
||||||
|
"libbpf.so.0": "suggested"
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"archive": {
|
||||||
|
"description": "Support for decompressing archive files",
|
||||||
|
"sonames": {
|
||||||
|
"libarchive.so.13": "suggested"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
The format that is used when building `deb` packages:
|
||||||
|
```console
|
||||||
|
$ dlopen-notes -s /usr/lib64/systemd/libsystemd-shared-257.so
|
||||||
|
libarchive.so.13 suggested
|
||||||
|
libbpf.so.0 suggested
|
||||||
|
libbpf.so.1 suggested
|
||||||
|
...
|
||||||
|
```
|
||||||
|
|
||||||
|
The format that can be useful when building `rpm` packages:
|
||||||
|
```console
|
||||||
|
$ dlopen-notes --rpm-requires archive --rpm-recommends bpf /usr/lib64/systemd/libsystemd-shared-257.so
|
||||||
|
Requires: libarchive.so.13()(64bit)
|
||||||
|
Recommends: libbpf.so.1()(64bit)
|
||||||
|
```
|
||||||
|
|
|
@ -103,3 +103,97 @@ A set of well-known keys is defined here, and hopefully shared among all vendors
|
||||||
| architecture | The binary package architecture | arm32 |
|
| architecture | The binary package architecture | arm32 |
|
||||||
| osCpe | A CPE name for the OS, typically corresponding to CPE_NAME in os-release | cpe:/o:fedoraproject:fedora:33 |
|
| osCpe | A CPE name for the OS, typically corresponding to CPE_NAME in os-release | cpe:/o:fedoraproject:fedora:33 |
|
||||||
| debugInfoUrl | The debuginfod server url, if available | https://debuginfod.fedoraproject.org/ |
|
| debugInfoUrl | The debuginfod server url, if available | https://debuginfod.fedoraproject.org/ |
|
||||||
|
|
||||||
|
### Displaying package notes
|
||||||
|
|
||||||
|
The raw ELF section can be extracted using `objdump`:
|
||||||
|
```console
|
||||||
|
$ objdump -j .note.package -s /usr/bin/ls
|
||||||
|
|
||||||
|
/usr/bin/ls: file format elf64-x86-64
|
||||||
|
|
||||||
|
Contents of section .note.package:
|
||||||
|
03cc 04000000 7c000000 7e1afeca 46444f00 ....|...~...FDO.
|
||||||
|
03dc 7b227479 7065223a 2272706d 222c226e {"type":"rpm","n
|
||||||
|
03ec 616d6522 3a22636f 72657574 696c7322 ame":"coreutils"
|
||||||
|
03fc 2c227665 7273696f 6e223a22 392e342d ,"version":"9.4-
|
||||||
|
040c 372e6663 3430222c 22617263 68697465 7.fc40","archite
|
||||||
|
041c 63747572 65223a22 7838365f 3634222c cture":"x86_64",
|
||||||
|
042c 226f7343 7065223a 22637065 3a2f6f3a "osCpe":"cpe:/o:
|
||||||
|
043c 6665646f 72617072 6f6a6563 743a6665 fedoraproject:fe
|
||||||
|
044c 646f7261 3a343022 7d000000 dora:40"}...
|
||||||
|
```
|
||||||
|
|
||||||
|
It is more convenient to use a higher level tool:
|
||||||
|
```console
|
||||||
|
$ readelf --notes /usr/bin/ls
|
||||||
|
...
|
||||||
|
Displaying notes found in: .note.gnu.build-id
|
||||||
|
Owner Data size Description
|
||||||
|
GNU 0x00000014 NT_GNU_BUILD_ID (unique build ID bitstring)
|
||||||
|
Build ID: 40e5a1570a9d97fc48f5c61cfb7690fec0f872b2
|
||||||
|
|
||||||
|
Displaying notes found in: .note.ABI-tag
|
||||||
|
Owner Data size Description
|
||||||
|
GNU 0x00000010 NT_GNU_ABI_TAG (ABI version tag)
|
||||||
|
OS: Linux, ABI: 3.2.0
|
||||||
|
|
||||||
|
Displaying notes found in: .note.package
|
||||||
|
Owner Data size Description
|
||||||
|
FDO 0x0000007c FDO_PACKAGING_METADATA
|
||||||
|
Packaging Metadata: {"type":"rpm","name":"coreutils","version":"9.4-7.fc40","architecture":"x86_64","osCpe":"cpe:/o:fedoraproject:fedora:40"}
|
||||||
|
...
|
||||||
|
|
||||||
|
$ systemd-analyze inspect-elf /usr/bin/ls
|
||||||
|
path: /usr/bin/ls
|
||||||
|
elfType: executable
|
||||||
|
elfArchitecture: AMD x86-64
|
||||||
|
|
||||||
|
type: rpm
|
||||||
|
name: coreutils
|
||||||
|
version: 9.4-7.fc40
|
||||||
|
architecture: x86_64
|
||||||
|
osCpe: cpe:/o:fedoraproject:fedora:40
|
||||||
|
buildId: 40e5a1570a9d97fc48f5c61cfb7690fec0f872b2
|
||||||
|
```
|
||||||
|
|
||||||
|
If the binary crashes, `systemd-coredump` will display the combined information
|
||||||
|
from the crashing binary and any shared libraries it links to:
|
||||||
|
|
||||||
|
```console
|
||||||
|
$ coredumpctl info
|
||||||
|
PID: 3987823 (ls)
|
||||||
|
Signal: 11 (SEGV)
|
||||||
|
Command Line: ls --color=tty -lR /
|
||||||
|
Executable: /usr/bin/ls
|
||||||
|
...
|
||||||
|
Storage: /var/lib/systemd/coredump/core.ls.1000.88dea1b9831c420dbb398f9d2ad9b41e.3987823.1726230641000000.zst (present)
|
||||||
|
Size on Disk: 194.4K
|
||||||
|
Package: coreutils/9.4-7.fc40
|
||||||
|
build-id: 40e5a1570a9d97fc48f5c61cfb7690fec0f872b2
|
||||||
|
Message: Process 3987823 (ls) of user 1000 dumped core.
|
||||||
|
|
||||||
|
Module /usr/bin/ls from rpm coreutils-9.4-7.fc40.x86_64
|
||||||
|
Module libz.so.1 from rpm zlib-ng-2.1.7-1.fc40.x86_64
|
||||||
|
Module libcrypto.so.3 from rpm openssl-3.2.2-3.fc40.x86_64
|
||||||
|
Module libmount.so.1 from rpm util-linux-2.40.1-1.fc40.x86_64
|
||||||
|
Module libcrypt.so.2 from rpm libxcrypt-4.4.36-5.fc40.x86_64
|
||||||
|
Module libblkid.so.1 from rpm util-linux-2.40.1-1.fc40.x86_64
|
||||||
|
Module libnss_sss.so.2 from rpm sssd-2.9.5-1.fc40.x86_64
|
||||||
|
Module libpcre2-8.so.0 from rpm pcre2-10.44-1.fc40.x86_64
|
||||||
|
Module libcap.so.2 from rpm libcap-2.69-8.fc40.x86_64
|
||||||
|
Module libselinux.so.1 from rpm libselinux-3.6-4.fc40.x86_64
|
||||||
|
Stack trace of thread 3987823:
|
||||||
|
#0 0x00007f19331c3f7e lgetxattr (libc.so.6 + 0x116f7e)
|
||||||
|
#1 0x00007f19332be4c0 lgetfilecon_raw (libselinux.so.1 + 0x134c0)
|
||||||
|
#2 0x00007f19332c3bd9 lgetfilecon (libselinux.so.1 + 0x18bd9)
|
||||||
|
#3 0x000056038273ad55 gobble_file.constprop.0 (/usr/bin/ls + 0x17d55)
|
||||||
|
#4 0x0000560382733c55 print_dir (/usr/bin/ls + 0x10c55)
|
||||||
|
#5 0x0000560382727c35 main (/usr/bin/ls + 0x4c35)
|
||||||
|
#6 0x00007f19330d7088 __libc_start_call_main (libc.so.6 + 0x2a088)
|
||||||
|
#7 0x00007f19330d714b __libc_start_main@@GLIBC_2.34 (libc.so.6 + 0x2a14b)
|
||||||
|
#8 0x0000560382728f15 _start (/usr/bin/ls + 0x5f15)
|
||||||
|
ELF object binary architecture: AMD x86-64
|
||||||
|
```
|
||||||
|
|
||||||
|
(This is just a simulation. `ls` is not prone to crashing with a segmentation violation.)
|
||||||
|
|
|
@ -104,7 +104,7 @@ A: Use:
|
||||||
|
|
||||||
**Q: Whenever my service tries to acquire RT scheduling for one of its threads this is refused with EPERM even though my service is running with full privileges. This works fine on my non-systemd system!**
|
**Q: Whenever my service tries to acquire RT scheduling for one of its threads this is refused with EPERM even though my service is running with full privileges. This works fine on my non-systemd system!**
|
||||||
|
|
||||||
A: By default, systemd places all systemd daemons in their own cgroup in the "cpu" hierarchy. Unfortunately, due to a kernel limitation, this has the effect of disallowing RT entirely for the service. See [My Service Can't Get Realtime!](/MY_SERVICE_CANT_GET_REATLIME) for a longer discussion and what to do about this.
|
A: By default, systemd places all systemd daemons in their own cgroup in the "cpu" hierarchy. Unfortunately, due to a kernel limitation, this has the effect of disallowing RT entirely for the service. See [My Service Can't Get Realtime!](/MY_SERVICE_CANT_GET_REALTIME) for a longer discussion and what to do about this.
|
||||||
|
|
||||||
**Q: My service is ordered after `network.target` but at boot it is still called before the network is up. What's going on?**
|
**Q: My service is ordered after `network.target` but at boot it is still called before the network is up. What's going on?**
|
||||||
|
|
||||||
|
|
|
@ -299,6 +299,10 @@ sensor:modalias:acpi:KIOX000A*:dmi:*:svnCHUWIInnovationAndTechnology*:pnHi10X:*
|
||||||
sensor:modalias:acpi:MXC6655*:dmi:*:svnCHUWIINNOVATIONLIMITED:pnHi10Go:*
|
sensor:modalias:acpi:MXC6655*:dmi:*:svnCHUWIINNOVATIONLIMITED:pnHi10Go:*
|
||||||
ACCEL_MOUNT_MATRIX=-1, 0, 0; 0,-1, 0; 0, 0, 1
|
ACCEL_MOUNT_MATRIX=-1, 0, 0; 0,-1, 0; 0, 0, 1
|
||||||
|
|
||||||
|
# Chuwi Hi10 Max
|
||||||
|
sensor:modalias:acpi:MXC6655*:dmi:*:svnCHUWIInnovationAndTechnology*:pnHi10Max:*
|
||||||
|
ACCEL_MOUNT_MATRIX=0, 1, 0; 1, 0, 0; 0, 0, 1
|
||||||
|
|
||||||
# Chuwi Hi12
|
# Chuwi Hi12
|
||||||
sensor:modalias:acpi:BOSC0200*:dmi:*:svnHampoo:pnP02BD6_HI-122LP:*
|
sensor:modalias:acpi:BOSC0200*:dmi:*:svnHampoo:pnP02BD6_HI-122LP:*
|
||||||
sensor:modalias:acpi:BOSC0200*:dmi:*:svnDefaultstring:pnDefaultstring:*
|
sensor:modalias:acpi:BOSC0200*:dmi:*:svnDefaultstring:pnDefaultstring:*
|
||||||
|
@ -603,6 +607,15 @@ sensor:modalias:i2c:bmc150_accel:dmi:*:svnHewlett-Packard:pnHPPavilionx2Detachab
|
||||||
sensor:modalias:i2c:bmc150_accel:dmi:*:svnHewlett-Packard:pnHPProTablet408:*:rn8048:*
|
sensor:modalias:i2c:bmc150_accel:dmi:*:svnHewlett-Packard:pnHPProTablet408:*:rn8048:*
|
||||||
ACCEL_MOUNT_MATRIX=0, 1, 0; -1, 0, 0; 0, 0, 1
|
ACCEL_MOUNT_MATRIX=0, 1, 0; -1, 0, 0; 0, 0, 1
|
||||||
|
|
||||||
|
#########################################
|
||||||
|
# HUAWEI
|
||||||
|
#########################################
|
||||||
|
|
||||||
|
# HUAWEI MateBook D 15 AMD
|
||||||
|
sensor:modalias:acpi:SMO8840*:dmi:*:svnHUAWEI:pnBOHK-WAX9X:*
|
||||||
|
ACCEL_MOUNT_MATRIX=0, 1, 0; 1, 0, 0; 0, 0, 1
|
||||||
|
ACCEL_LOCATION=base
|
||||||
|
|
||||||
#########################################
|
#########################################
|
||||||
# I.T.Works
|
# I.T.Works
|
||||||
#########################################
|
#########################################
|
||||||
|
@ -747,8 +760,9 @@ sensor:modalias:i2c:bmc150_accel:dmi:*:svnLENOVO:*:pvrLenovoYoga300-11IBR:*
|
||||||
sensor:modalias:acpi:ACCL0001*:dmi:*:svnLENOVO:pn60072:pvr851*:*
|
sensor:modalias:acpi:ACCL0001*:dmi:*:svnLENOVO:pn60072:pvr851*:*
|
||||||
ACCEL_MOUNT_MATRIX=0, 1, 0; -1, 0, 0; 0, 0, 1
|
ACCEL_MOUNT_MATRIX=0, 1, 0; -1, 0, 0; 0, 0, 1
|
||||||
|
|
||||||
# IdeaPad Duet 3 10IGL5 (82AT)
|
# IdeaPad Duet 3 10IGL5 (82AT) and 10IGL5-LTE (82HK)
|
||||||
sensor:modalias:acpi:SMO8B30*:dmi:*:svnLENOVO*:pn82AT:*
|
sensor:modalias:acpi:SMO8B30*:dmi:*:svnLENOVO*:pn82AT:*
|
||||||
|
sensor:modalias:acpi:SMO8B30*:dmi:*:svnLENOVO*:pn82HK:*
|
||||||
ACCEL_MOUNT_MATRIX=0, 1, 0; -1, 0, 0; 0, 0, 1
|
ACCEL_MOUNT_MATRIX=0, 1, 0; -1, 0, 0; 0, 0, 1
|
||||||
|
|
||||||
#########################################
|
#########################################
|
||||||
|
|
|
@ -310,6 +310,10 @@ mouse:bluetooth:v047dp8019:name:Expert Wireless TB Mouse:*
|
||||||
ID_INPUT_TRACKBALL=1
|
ID_INPUT_TRACKBALL=1
|
||||||
MOUSE_DPI=400@125
|
MOUSE_DPI=400@125
|
||||||
|
|
||||||
|
# Kensington SlimBlade Pro trackball (via Bluetooth)
|
||||||
|
mouse:bluetooth:v047dp80d4:name:SlimBlade Pro:*
|
||||||
|
ID_INPUT_TRACKBALL=1
|
||||||
|
|
||||||
##########################################
|
##########################################
|
||||||
# Lenovo
|
# Lenovo
|
||||||
##########################################
|
##########################################
|
||||||
|
|
|
@ -267,7 +267,8 @@
|
||||||
<term><option>kernel-identify</option> <replaceable>kernel</replaceable></term>
|
<term><option>kernel-identify</option> <replaceable>kernel</replaceable></term>
|
||||||
|
|
||||||
<listitem><para>Takes a kernel image as argument. Checks what kind of kernel the image is. Returns
|
<listitem><para>Takes a kernel image as argument. Checks what kind of kernel the image is. Returns
|
||||||
one of <literal>uki</literal>, <literal>pe</literal>, and <literal>unknown</literal>.
|
one of <literal>uki</literal>, <literal>addon</literal>, <literal>pe</literal>, and
|
||||||
|
<literal>unknown</literal>.
|
||||||
</para>
|
</para>
|
||||||
|
|
||||||
<xi:include href="version-info.xml" xpointer="v253"/></listitem>
|
<xi:include href="version-info.xml" xpointer="v253"/></listitem>
|
||||||
|
@ -360,6 +361,24 @@
|
||||||
<xi:include href="version-info.xml" xpointer="v242"/></listitem>
|
<xi:include href="version-info.xml" xpointer="v242"/></listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term><option>--print-loader-path</option></term>
|
||||||
|
<listitem><para>This option modifies the behaviour of <command>status</command>: it shows the
|
||||||
|
absolute path to the boot loader EFI binary used for the current boot if this information is
|
||||||
|
available. Note that no attempt is made to verify whether the binary still exists.</para>
|
||||||
|
|
||||||
|
<xi:include href="version-info.xml" xpointer="v257"/></listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term><option>--print-stub-path</option></term>
|
||||||
|
<listitem><para>This option modifies the behaviour of <command>status</command>: it shows the
|
||||||
|
absolute path to the UKI/stub EFI binary used for the current boot if this information is
|
||||||
|
available. Note that no attempt is made to verify whether the binary still exists.</para>
|
||||||
|
|
||||||
|
<xi:include href="version-info.xml" xpointer="v257"/></listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><option>-R</option></term>
|
<term><option>-R</option></term>
|
||||||
<term><option>--print-root-device</option></term>
|
<term><option>--print-root-device</option></term>
|
||||||
|
|
|
@ -46,11 +46,10 @@
|
||||||
the root file system, which is then responsible for probing all remaining hardware, mounting all
|
the root file system, which is then responsible for probing all remaining hardware, mounting all
|
||||||
necessary file systems and spawning all configured services.</para>
|
necessary file systems and spawning all configured services.</para>
|
||||||
|
|
||||||
<para>On shutdown, the system manager stops all services, unmounts
|
<para>On shutdown, the system manager stops all services, unmounts all non-busy file systems (detaching
|
||||||
all file systems (detaching the storage technologies backing
|
the storage technologies backing them), and then (optionally) jumps into the exitrd, which is backed by
|
||||||
them), and then (optionally) jumps back into the initrd code which
|
tmpfs, and unmounts/detaches the remaining file systems, including the real root. As a last step,
|
||||||
unmounts/detaches the root file system and the storage it resides
|
the system is powered down.</para>
|
||||||
on. As a last step, the system is powered down.</para>
|
|
||||||
|
|
||||||
<para>Additional information about the system boot process may be
|
<para>Additional information about the system boot process may be
|
||||||
found in
|
found in
|
||||||
|
|
|
@ -593,8 +593,6 @@ node /org/freedesktop/systemd1 {
|
||||||
|
|
||||||
<!--method GetJobBefore is not documented!-->
|
<!--method GetJobBefore is not documented!-->
|
||||||
|
|
||||||
<!--method SetShowStatus is not documented!-->
|
|
||||||
|
|
||||||
<!--method ListUnitsFiltered is not documented!-->
|
<!--method ListUnitsFiltered is not documented!-->
|
||||||
|
|
||||||
<!--method ListUnitsByPatterns is not documented!-->
|
<!--method ListUnitsByPatterns is not documented!-->
|
||||||
|
@ -673,8 +671,6 @@ node /org/freedesktop/systemd1 {
|
||||||
|
|
||||||
<!--property ConfirmSpawn is not documented!-->
|
<!--property ConfirmSpawn is not documented!-->
|
||||||
|
|
||||||
<!--property ShowStatus is not documented!-->
|
|
||||||
|
|
||||||
<!--property DefaultStandardOutput is not documented!-->
|
<!--property DefaultStandardOutput is not documented!-->
|
||||||
|
|
||||||
<!--property DefaultStandardError is not documented!-->
|
<!--property DefaultStandardError is not documented!-->
|
||||||
|
@ -1362,6 +1358,24 @@ node /org/freedesktop/systemd1 {
|
||||||
|
|
||||||
<para><function>ResetFailedUnit()</function> resets the "failed" state of a specific unit.</para>
|
<para><function>ResetFailedUnit()</function> resets the "failed" state of a specific unit.</para>
|
||||||
|
|
||||||
|
<para><function>SetShowStatus()</function> configures the display of status messages during bootup and
|
||||||
|
shutdown. The <varname>mode</varname> parameter can be set to any value that's valid for the
|
||||||
|
<varname>systemd.show_status</varname> kernel parameter. For more information about
|
||||||
|
<varname>systemd.show_status</varname>, see
|
||||||
|
<citerefentry project="man-pages"><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>.
|
||||||
|
The <varname>mode</varname> parameter can also be set to an empty string. When <varname>mode</varname>
|
||||||
|
is set to an empty string, <function>SetShowStatus()</function> will reset
|
||||||
|
<varname>ShowStatus</varname> back to its original value. You can use
|
||||||
|
<function>SetShowStatus()</function> create a service that does something like this:
|
||||||
|
<orderedlist>
|
||||||
|
<listitem><para>Send a D-Bus message that will turn off status messages.</para></listitem>
|
||||||
|
<listitem><para>Block until a reply to that message is received.</para></listitem>
|
||||||
|
<listitem><para>Print multiples lines without being interrupted by status messages.</para></listitem>
|
||||||
|
<listitem><para>Send a D-Bus message that will reset <varname>ShowStatus</varname> back to its
|
||||||
|
original value.</para></listitem>
|
||||||
|
</orderedlist>
|
||||||
|
</para>
|
||||||
|
|
||||||
<para><function>ResetFailed()</function> resets the "failed" state of all units.</para>
|
<para><function>ResetFailed()</function> resets the "failed" state of all units.</para>
|
||||||
|
|
||||||
<para><function>ListUnits()</function> returns an array of all currently loaded units. Note that
|
<para><function>ListUnits()</function> returns an array of all currently loaded units. Note that
|
||||||
|
@ -1788,6 +1802,12 @@ node /org/freedesktop/systemd1 {
|
||||||
<para><varname>Environment</varname> encodes the environment block passed to all executed services. It
|
<para><varname>Environment</varname> encodes the environment block passed to all executed services. It
|
||||||
may be altered with bus calls such as <function>SetEnvironment()</function> (see above).</para>
|
may be altered with bus calls such as <function>SetEnvironment()</function> (see above).</para>
|
||||||
|
|
||||||
|
<para><varname>ShowStatus</varname> encodes systemd's current policy for displaying status messages
|
||||||
|
during bootup and shutdown. Its value can be any valid value for the
|
||||||
|
<varname>systemd.show_status</varname> kernel parameter (see
|
||||||
|
<citerefentry project="man-pages"><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>).
|
||||||
|
It may be altered using <function>SetShowStatus()</function> (see above).</para>
|
||||||
|
|
||||||
<para><varname>UnitPath</varname> encodes the currently active unit file search path. It is an array of
|
<para><varname>UnitPath</varname> encodes the currently active unit file search path. It is an array of
|
||||||
file system paths encoded as strings.</para>
|
file system paths encoded as strings.</para>
|
||||||
|
|
||||||
|
|
109
man/repart.d.xml
109
man/repart.d.xml
|
@ -76,16 +76,7 @@
|
||||||
<term><varname>Type=</varname></term>
|
<term><varname>Type=</varname></term>
|
||||||
|
|
||||||
<listitem><para>The GPT partition type UUID to match. This may be a GPT partition type UUID such as
|
<listitem><para>The GPT partition type UUID to match. This may be a GPT partition type UUID such as
|
||||||
<constant>4f68bce3-e8cd-4db1-96e7-fbcaf984b709</constant>, or an identifier.
|
<constant>4f68bce3-e8cd-4db1-96e7-fbcaf984b709</constant>, or an identifier.</para>
|
||||||
Architecture specific partition types can use one of these architecture identifiers:
|
|
||||||
<constant>alpha</constant>, <constant>arc</constant>, <constant>arm</constant> (32-bit),
|
|
||||||
<constant>arm64</constant> (64-bit, aka aarch64), <constant>ia64</constant>,
|
|
||||||
<constant>loongarch64</constant>, <constant>mips-le</constant>, <constant>mips64-le</constant>,
|
|
||||||
<constant>parisc</constant>, <constant>ppc</constant>, <constant>ppc64</constant>,
|
|
||||||
<constant>ppc64-le</constant>, <constant>riscv32</constant>, <constant>riscv64</constant>,
|
|
||||||
<constant>s390</constant>, <constant>s390x</constant>, <constant>tilegx</constant>,
|
|
||||||
<constant>x86</constant> (32-bit, aka i386) and <constant>x86-64</constant> (64-bit, aka amd64).
|
|
||||||
</para>
|
|
||||||
|
|
||||||
<para>The supported identifiers are:</para>
|
<para>The supported identifiers are:</para>
|
||||||
|
|
||||||
|
@ -237,7 +228,14 @@
|
||||||
</tgroup>
|
</tgroup>
|
||||||
</table>
|
</table>
|
||||||
|
|
||||||
<para>This setting defaults to <constant>linux-generic</constant>.</para>
|
<para>Architecture specific partition types can use one of these architecture identifiers:
|
||||||
|
<constant>alpha</constant>, <constant>arc</constant>, <constant>arm</constant> (32-bit),
|
||||||
|
<constant>arm64</constant> (64-bit, aka aarch64), <constant>ia64</constant>,
|
||||||
|
<constant>loongarch64</constant>, <constant>mips-le</constant>, <constant>mips64-le</constant>,
|
||||||
|
<constant>parisc</constant>, <constant>ppc</constant>, <constant>ppc64</constant>,
|
||||||
|
<constant>ppc64-le</constant>, <constant>riscv32</constant>, <constant>riscv64</constant>,
|
||||||
|
<constant>s390</constant>, <constant>s390x</constant>, <constant>tilegx</constant>,
|
||||||
|
<constant>x86</constant> (32-bit, aka i386) and <constant>x86-64</constant> (64-bit, aka amd64).</para>
|
||||||
|
|
||||||
<para>Most of the partition type UUIDs listed above are defined in the <ulink
|
<para>Most of the partition type UUIDs listed above are defined in the <ulink
|
||||||
url="https://uapi-group.org/specifications/specs/discoverable_partitions_specification">Discoverable Partitions
|
url="https://uapi-group.org/specifications/specs/discoverable_partitions_specification">Discoverable Partitions
|
||||||
|
@ -485,18 +483,18 @@
|
||||||
<term><varname>ExcludeFiles=</varname></term>
|
<term><varname>ExcludeFiles=</varname></term>
|
||||||
<term><varname>ExcludeFilesTarget=</varname></term>
|
<term><varname>ExcludeFilesTarget=</varname></term>
|
||||||
|
|
||||||
<listitem><para>Takes an absolute file system path referring to a source file or directory on the
|
<listitem><para>Takes one or more absolute paths, separated by whitespace, each referring to a
|
||||||
host. This setting may be used to exclude files or directories from the host from being copied into
|
source file or directory on the host. This setting may be used to exclude files or directories from
|
||||||
the file system when <varname>CopyFiles=</varname> is used. This option may be used multiple times to
|
the host from being copied into the file system when <varname>CopyFiles=</varname> is used. This
|
||||||
exclude multiple files or directories from host from being copied into the newly formatted file
|
option may be used multiple times to exclude multiple files or directories from host from being
|
||||||
system.</para>
|
copied into the newly formatted file system.</para>
|
||||||
|
|
||||||
<para>If the path is a directory and ends with <literal>/</literal>, only the directory's
|
<para>If the path is a directory and ends with <literal>/</literal>, only the directory's
|
||||||
contents are excluded but not the directory itself. If the path is a directory and does not end with
|
contents are excluded but not the directory itself. If the path is a directory and does not end with
|
||||||
<literal>/</literal>, both the directory and its contents are excluded.</para>
|
<literal>/</literal>, both the directory and its contents are excluded.</para>
|
||||||
|
|
||||||
<para><varname>ExcludeFilesTarget=</varname> is like <varname>ExcludeFiles=</varname> except that
|
<para><varname>ExcludeFilesTarget=</varname> is like <varname>ExcludeFiles=</varname> except that
|
||||||
instead of excluding the path on the host from being copied into the partition, we exclude any files
|
instead of excluding the path on the host from being copied into the partition, it exclude any files
|
||||||
and directories from being copied into the given path in the partition.</para>
|
and directories from being copied into the given path in the partition.</para>
|
||||||
|
|
||||||
<para>When
|
<para>When
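Review bot: The reworded ExcludeFilesTarget= sentence on the new side has a subject–verb disagreement: `it exclude any files` should read `it excludes any files and directories from being copied into the given path in the partition.` The rest of the rewrite (the `we` → `it` change and the multi-path wording for ExcludeFiles=) reads fine. The enclosing varlistentry continues past the hunk.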
|
||||||
|
@ -537,6 +535,30 @@
|
||||||
<xi:include href="version-info.xml" xpointer="v249"/></listitem>
|
<xi:include href="version-info.xml" xpointer="v249"/></listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term><varname>MakeSymlinks=</varname></term>
|
||||||
|
|
||||||
|
<listitem><para>Takes one or more arguments, separated by whitespace, each declaring a symlink to
|
||||||
|
create within the new file system. Each argument is a pair of symlink source and target paths,
|
||||||
|
separated by a colon. This option may be used more than once to create multiple symlinks. When
|
||||||
|
<varname>CopyFiles=</varname> and <varname>MakeSymlinks=</varname> are used together the former is
|
||||||
|
applied first.</para>
|
||||||
|
|
||||||
|
<para>The primary use case for this option is to create symlinks that need to exist before
|
||||||
|
<citerefentry><refentrytitle>systemd-tmpfiles</refentrytitle><manvolnum>8</manvolnum></citerefentry>
|
||||||
|
is executed. For example, when using
|
||||||
|
<citerefentry><refentrytitle>systemd-confext</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
|
||||||
|
this setting can be used to create symlinks in <filename>/var/lib/extensions.mutable</filename> to
|
||||||
|
redirect writes to mutable confexts to a custom location.</para>
|
||||||
|
|
||||||
|
<para>Consider using
|
||||||
|
<citerefentry><refentrytitle>systemd-tmpfiles</refentrytitle><manvolnum>8</manvolnum></citerefentry>
|
||||||
|
with its <option>--image=</option> option to pre-create other symlinks (as well as other inodes) with
|
||||||
|
fine-grained control of ownership, access modes and other file attributes.</para>
|
||||||
|
|
||||||
|
<xi:include href="version-info.xml" xpointer="v257"/></listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><varname>Subvolumes=</varname></term>
|
<term><varname>Subvolumes=</varname></term>
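Review bot: The MakeSymlinks= description does not say what happens when the symlink's path already exists in the new file system — which is quite possible given that, as the text itself notes, CopyFiles= is applied first — whether the operation fails, replaces the existing inode, or is skipped. Because the option is positioned for redirecting writes (the <filename>/var/lib/extensions.mutable</filename> example), a reader needs to know whether a pre-existing directory silently wins over the symlink. Suggest one sentence after `applied first.` describing that behaviour once confirmed against the implementation. It is also worth stating that, with a colon as separator, neither path may contain `:`, if that is indeed the case.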
|
||||||
|
|
||||||
|
@ -873,6 +895,59 @@
|
||||||
|
|
||||||
<xi:include href="version-info.xml" xpointer="v257"/></listitem>
|
<xi:include href="version-info.xml" xpointer="v257"/></listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term><varname>SupplementFor=</varname></term>
|
||||||
|
|
||||||
|
<listitem><para>Takes a partition definition name, such as <literal>10-esp</literal>. If specified,
|
||||||
|
<command>systemd-repart</command> will avoid creating this partition and instead prefer to partially
|
||||||
|
merge the two definitions. However, depending on the existing layout of partitions on disk,
|
||||||
|
<command>systemd-repart</command> may be forced to fall back onto un-merging the definitions and
|
||||||
|
using them as originally written, potentially creating this partition. Specifically,
|
||||||
|
<command>systemd-repart</command> will fall back if this partition is found to already exist on disk,
|
||||||
|
or if the target partition already exists on disk but is too small, or if it cannot allocate space
|
||||||
|
for the merged partition for some other reason.</para>
|
||||||
|
|
||||||
|
<para>The following fields are merged into the target definition in the specified ways:
|
||||||
|
<varname>Weight=</varname> and <varname>PaddingWeight=</varname> are simply overwritten;
|
||||||
|
<varname>SizeMinBytes=</varname> and <varname>PaddingMinBytes=</varname> use the larger of the two
|
||||||
|
values; <varname>SizeMaxBytes=</varname> and <varname>PaddingMaxBytes=</varname> use the smaller
|
||||||
|
value; and <varname>CopyFiles=</varname>, <varname>ExcludeFiles=</varname>,
|
||||||
|
<varname>ExcludeFilesTarget=</varname>, <varname>MakeDirectories=</varname>, and
|
||||||
|
<varname>Subvolumes=</varname> are concatenated.</para>
|
||||||
|
|
||||||
|
<para>Usage of this option in combination with <varname>CopyBlocks=</varname>,
|
||||||
|
<varname>Encrypt=</varname>, or <varname>Verity=</varname> is not supported. The target definition
|
||||||
|
cannot set these settings either. A definition cannot simultaneously be a supplement and act as a
|
||||||
|
target for some other supplement definition. A target cannot have more than one supplement partition
|
||||||
|
associated with it.</para>
|
||||||
|
|
||||||
|
<para>For example, distributions can use this to implement <varname>$BOOT</varname> as defined in
|
||||||
|
the <ulink url="https://uapi-group.org/specifications/specs/boot_loader_specification/">Boot Loader
|
||||||
|
Specification</ulink>. Distributions may prefer to use the ESP as <varname>$BOOT</varname> whenever
|
||||||
|
possible, but to adhere to the spec XBOOTLDR must sometimes be used instead. So, they should create
|
||||||
|
two definitions: the first defining an ESP big enough to hold just the bootloader, and a second for
|
||||||
|
the XBOOTLDR that's sufficiently large to hold kernels and configured as a supplement for the ESP.
|
||||||
|
Whenever possible, <command>systemd-repart</command> will try to merge the two definitions to create
|
||||||
|
one large ESP, but if that's not allowable due to the existing conditions on disk a small ESP and a
|
||||||
|
large XBOOTLDR will be created instead.</para>
|
||||||
|
|
||||||
|
<para>As another example, distributions can also use this to seamlessly share a single
|
||||||
|
<filename>/home</filename> partition in a multi-boot scenario, while preferring to keep
|
||||||
|
<filename>/home</filename> on the root partition by default. Having a <filename>/home</filename>
|
||||||
|
partition separated from the root partition entails some extra complexity: someone has to decide how
|
||||||
|
to split the space between the two partitions. On the other hand, it allows a user to share their
|
||||||
|
home area between multiple installed OSs (i.e. via <citerefentry><refentrytitle>systemd-homed.service
|
||||||
|
</refentrytitle><manvolnum>8</manvolnum></citerefentry>). Distributions should create two definitions:
|
||||||
|
the first for a root partition that takes up some relatively small percentage of the disk, and the
|
||||||
|
second as a supplement for the first to create a <filename>/home</filename> partition that takes up
|
||||||
|
all the remaining free space. On first boot, if <command>systemd-repart</command> finds an existing
|
||||||
|
<filename>/home</filename> partition on disk, it'll un-merge the definitions and create just a small
|
||||||
|
root partition. Otherwise, the definitions will be merged and a single large root partition will be
|
||||||
|
created.</para>
|
||||||
|
|
||||||
|
<xi:include href="version-info.xml" xpointer="v257"/></listitem>
|
||||||
|
</varlistentry>
|
||||||
</variablelist>
|
</variablelist>
|
||||||
</refsect1>
|
</refsect1>
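Review bot: The list of fields merged into the target definition names CopyFiles=, ExcludeFiles=, ExcludeFilesTarget=, MakeDirectories= and Subvolumes= but not MakeSymlinks=, which this same series adds to the page; if MakeSymlinks= is concatenated like MakeDirectories= it should appear in that list, and if it is not merged the text should say so, since a reader otherwise cannot tell which definition's symlinks end up in the merged partition. Minor style point: `it'll un-merge` in the <filename>/home</filename> example could be `it will un-merge` to match the register of the rest of the page.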
|
||||||
|
|
||||||
|
|
|
@ -52,12 +52,24 @@
|
||||||
<citerefentry><refentrytitle>sd_bus_get_fd</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
|
<citerefentry><refentrytitle>sd_bus_get_fd</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
|
||||||
</para>
|
</para>
|
||||||
|
|
||||||
<para><function>sd_bus_process()</function> processes at most one incoming message per call. If the parameter
|
<para><function>sd_bus_process()</function> processes at most one incoming message per call. If the
|
||||||
<parameter>ret</parameter> is not <constant>NULL</constant> and the call processed a message,
|
parameter <parameter>ret</parameter> is not <constant>NULL</constant> and the call processed a message,
|
||||||
<parameter>*ret</parameter> is set to this message. The caller owns a reference to this message and should call
|
<parameter>*ret</parameter> is set to this message. The caller owns a reference to this message and
|
||||||
<citerefentry><refentrytitle>sd_bus_message_unref</refentrytitle><manvolnum>3</manvolnum></citerefentry> when the
|
should call
|
||||||
message is no longer needed. If <parameter>ret</parameter> is not <constant>NULL</constant>, progress was made, but no message was
|
<citerefentry><refentrytitle>sd_bus_message_unref</refentrytitle><manvolnum>3</manvolnum></citerefentry>
|
||||||
processed, <parameter>*ret</parameter> is set to <constant>NULL</constant>.</para>
|
when the message is no longer needed. If <parameter>ret</parameter> is not <constant>NULL</constant> and
|
||||||
|
progress was made, but no message was processed, <parameter>*ret</parameter> is set to
|
||||||
|
<constant>NULL</constant>. Note that only messages not already handled by the various types of registered
|
||||||
|
message handlers (i.e. by filters registered via
|
||||||
|
<citerefentry><refentrytitle>sd_bus_add_filter</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
|
||||||
|
object handlers registered via
|
||||||
|
<citerefentry><refentrytitle>sd_bus_add_object</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
|
||||||
|
matches registered via
|
||||||
|
<citerefentry><refentrytitle>sd_bus_add_match</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
|
||||||
|
and related) will be returned through this parameter. Also note that if such a message handler returns a
|
||||||
|
zero return value (as opposed to some value > 0) an incoming message will not be considered handled,
|
||||||
|
and be passed to other suitable handlers (until one returns > > 0), or returned by
|
||||||
|
<function>sd_bus_process()</function> (in case none returns > 0).</para>
|
||||||
|
|
||||||
<para>If the bus object is connected to an
|
<para>If the bus object is connected to an
|
||||||
<citerefentry><refentrytitle>sd-event</refentrytitle><manvolnum>3</manvolnum></citerefentry> event loop (with
|
<citerefentry><refentrytitle>sd-event</refentrytitle><manvolnum>3</manvolnum></citerefentry> event loop (with
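Review bot: The newly added sentence contains a duplicated comparison operator: `(until one returns > > 0)` should be `(until one returns > 0)`, matching the `> 0` used just before and after it in the same sentence. The added paragraph on handler precedence is a useful clarification; it may also be worth noting what a negative return from a handler does, if that ends processing, since the text now covers only zero and positive returns.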
|
||||||
|
|
|
@ -177,6 +177,11 @@
|
||||||
<arg choice="plain">image-policy</arg>
|
<arg choice="plain">image-policy</arg>
|
||||||
<arg choice="plain" rep="repeat"><replaceable>POLICY</replaceable></arg>
|
<arg choice="plain" rep="repeat"><replaceable>POLICY</replaceable></arg>
|
||||||
</cmdsynopsis>
|
</cmdsynopsis>
|
||||||
|
<cmdsynopsis>
|
||||||
|
<command>systemd-analyze</command>
|
||||||
|
<arg choice="opt" rep="repeat">OPTIONS</arg>
|
||||||
|
<arg choice="plain">has-tpm2</arg>
|
||||||
|
</cmdsynopsis>
|
||||||
<cmdsynopsis>
|
<cmdsynopsis>
|
||||||
<command>systemd-analyze</command>
|
<command>systemd-analyze</command>
|
||||||
<arg choice="opt" rep="repeat">OPTIONS</arg>
|
<arg choice="opt" rep="repeat">OPTIONS</arg>
|
||||||
|
@ -948,6 +953,35 @@ default ignore - -</programlisting>
|
||||||
</example>
|
</example>
|
||||||
</refsect2>
|
</refsect2>
|
||||||
|
|
||||||
|
<refsect2>
|
||||||
|
<title><command>systemd-analyze has-tpm2</command></title>
|
||||||
|
|
||||||
|
<para>Reports whether the system is equipped with a usable TPM2 device. If a TPM2 device has been
|
||||||
|
discovered, is supported, and is being used by firmware, by the OS kernel drivers and by userspace
|
||||||
|
(i.e. systemd) this prints <literal>yes</literal> and exits with exit status zero. If no such device is
|
||||||
|
discovered/supported/used, prints <literal>no</literal>. Otherwise prints
|
||||||
|
<literal>partial</literal>. In either of these two cases exits with non-zero exit status. It also shows
|
||||||
|
five lines indicating separately whether firmware, drivers, the system, the kernel and libraries
|
||||||
|
discovered/support/use TPM2.</para>
|
||||||
|
|
||||||
|
<para>Note, this checks for TPM 2.0 devices only, and does not consider TPM 1.2 at all.</para>
|
||||||
|
|
||||||
|
<para>Combine with <option>--quiet</option> to suppress the output.</para>
|
||||||
|
|
||||||
|
<example>
|
||||||
|
<title>Example Output</title>
|
||||||
|
|
||||||
|
<programlisting>yes
|
||||||
|
+firmware
|
||||||
|
+driver
|
||||||
|
+system
|
||||||
|
+subsystem
|
||||||
|
+libraries</programlisting>
|
||||||
|
</example>
|
||||||
|
|
||||||
|
<xi:include href="version-info.xml" xpointer="v257"/>
|
||||||
|
</refsect2>
|
||||||
|
|
||||||
<refsect2>
|
<refsect2>
|
||||||
<title><command>systemd-analyze pcrs <optional><replaceable>PCR</replaceable>…</optional></command></title>
|
<title><command>systemd-analyze pcrs <optional><replaceable>PCR</replaceable>…</optional></command></title>
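Review bot: The prose and the example output disagree on what the five lines are: the paragraph says they cover `firmware, drivers, the system, the kernel and libraries`, while the example prints `+firmware`, `+driver`, `+system`, `+subsystem`, `+libraries`. One of the two should change so the names match (presumably `the kernel` → `the subsystem`, or the example line → whatever the tool actually prints). The sentence `If no such device is discovered/supported/used, prints no. Otherwise prints partial.` also reads as if `partial` were the default; `If only some of these conditions hold, prints partial.` would be clearer.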
|
||||||
|
|
||||||
|
@ -1653,6 +1687,12 @@ io.systemd.credential:vmm.notify_socket=vsock-stream:2:254570042
|
||||||
<constant>12</constant>, <constant>0</constant>, <constant>11</constant> is returned if the second
|
<constant>12</constant>, <constant>0</constant>, <constant>11</constant> is returned if the second
|
||||||
version string is respectively larger, equal, or smaller to the first. In the three-argument form,
|
version string is respectively larger, equal, or smaller to the first. In the three-argument form,
|
||||||
<constant>0</constant> or <constant>1</constant> if the condition is respectively true or false.</para>
|
<constant>0</constant> or <constant>1</constant> if the condition is respectively true or false.</para>
|
||||||
|
|
||||||
|
<para>In case of the <command>has-tpm2</command> command returns 0 if a TPM2 device is discovered,
|
||||||
|
supported and used by firmware, driver, and userspace (i.e. systemd). Otherwise returns the OR
|
||||||
|
combination of the value 1 (in case firmware support is missing), 2 (in case driver support is missing)
|
||||||
|
and 4 (in case userspace support is missing). If no TPM2 support is available at all, value 7 is hence
|
||||||
|
returned.</para>
|
||||||
</refsect1>
|
</refsect1>
|
||||||
|
|
||||||
<xi:include href="common-variables.xml" />
|
<xi:include href="common-variables.xml" />
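Review bot: The exit-status paragraph moved here encodes only three conditions (1 firmware, 2 driver, 4 userspace, 7 for none), but the `has-tpm2` description added to this page in the same commit now reports five checks (firmware, driver, system, subsystem, libraries) and prints `partial` when any of them is missing; a script that gates on the exit code cannot tell from this text whether the two new checks contribute a bit, and which. Either list the bit for each of the five checks or state explicitly that the subsystem and libraries lines are informational only and do not affect the exit status. Minor: `In case of the has-tpm2 command returns 0` should read `The has-tpm2 command returns 0`.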
|
||||||
|
|
|
@ -177,22 +177,6 @@
|
||||||
<xi:include href="version-info.xml" xpointer="v250"/></listitem>
|
<xi:include href="version-info.xml" xpointer="v250"/></listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
|
||||||
<term><command>has-tpm2</command></term>
|
|
||||||
|
|
||||||
<listitem><para>Reports whether the system is equipped with a TPM2 device usable for protecting
|
|
||||||
credentials. If a TPM2 device has been discovered, is supported, and is being used by firmware,
|
|
||||||
by the OS kernel drivers and by userspace (i.e. systemd) this prints <literal>yes</literal> and exits
|
|
||||||
with exit status zero. If no such device is discovered/supported/used, prints
|
|
||||||
<literal>no</literal>. Otherwise prints <literal>partial</literal>. In either of these two cases
|
|
||||||
exits with non-zero exit status. It also shows four lines indicating separately whether firmware,
|
|
||||||
drivers, the system and the kernel discovered/support/use TPM2.</para>
|
|
||||||
|
|
||||||
<para>Combine with <option>--quiet</option> to suppress the output.</para>
|
|
||||||
|
|
||||||
<xi:include href="version-info.xml" xpointer="v251"/></listitem>
|
|
||||||
</varlistentry>
|
|
||||||
|
|
||||||
<xi:include href="standard-options.xml" xpointer="help" />
|
<xi:include href="standard-options.xml" xpointer="help" />
|
||||||
<xi:include href="standard-options.xml" xpointer="version" />
|
<xi:include href="standard-options.xml" xpointer="version" />
|
||||||
</variablelist>
|
</variablelist>
|
||||||
|
@ -445,8 +429,7 @@
|
||||||
<term><option>--quiet</option></term>
|
<term><option>--quiet</option></term>
|
||||||
<term><option>-q</option></term>
|
<term><option>-q</option></term>
|
||||||
|
|
||||||
<listitem><para>When used with <command>has-tpm2</command> suppresses the output, and only returns an
|
<listitem><para>Suppress additional output.</para>
|
||||||
exit status indicating support for TPM2.</para>
|
|
||||||
|
|
||||||
<xi:include href="version-info.xml" xpointer="v251"/></listitem>
|
<xi:include href="version-info.xml" xpointer="v251"/></listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
@ -461,12 +444,6 @@
|
||||||
<title>Exit status</title>
|
<title>Exit status</title>
|
||||||
|
|
||||||
<para>On success, 0 is returned.</para>
|
<para>On success, 0 is returned.</para>
|
||||||
|
|
||||||
<para>In case of the <command>has-tpm2</command> command returns 0 if a TPM2 device is discovered,
|
|
||||||
supported and used by firmware, driver, and userspace (i.e. systemd). Otherwise returns the OR
|
|
||||||
combination of the value 1 (in case firmware support is missing), 2 (in case driver support is missing)
|
|
||||||
and 4 (in case userspace support is missing). If no TPM2 support is available at all, value 7 is hence
|
|
||||||
returned.</para>
|
|
||||||
</refsect1>
|
</refsect1>
|
||||||
|
|
||||||
<refsect1>
|
<refsect1>
|
||||||
|
|
|
@ -286,9 +286,9 @@
|
||||||
<title>Generate a private/public key pair, a unified kernel image, and a TPM PCR 11 signature for
|
<title>Generate a private/public key pair, a unified kernel image, and a TPM PCR 11 signature for
|
||||||
it, and embed the signature and the public key in the image</title>
|
it, and embed the signature and the public key in the image</title>
|
||||||
|
|
||||||
<programlisting>$ openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out tpm2-pcr-private.pem
|
<programlisting>$ openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out tpm2-pcr-private-key.pem
|
||||||
..+.+++++++++......+.........+......+.......+....+.....+.+...+..........
|
..+.+++++++++......+.........+......+.......+....+.....+.+...+..........
|
||||||
$ openssl rsa -pubout -in tpm2-pcr-private.pem -out tpm2-pcr-public.pem
|
$ openssl rsa -pubout -in tpm2-pcr-private-key.pem -out tpm2-pcr-public-key.pem
|
||||||
# systemd-measure sign \
|
# systemd-measure sign \
|
||||||
--linux=vmlinux \
|
--linux=vmlinux \
|
||||||
--osrel=os-release.txt \
|
--osrel=os-release.txt \
|
||||||
|
@ -296,25 +296,25 @@ $ openssl rsa -pubout -in tpm2-pcr-private.pem -out tpm2-pcr-public.pem
|
||||||
--initrd=initrd.cpio \
|
--initrd=initrd.cpio \
|
||||||
--splash=splash.bmp \
|
--splash=splash.bmp \
|
||||||
--dtb=devicetree.dtb \
|
--dtb=devicetree.dtb \
|
||||||
--pcrpkey=tpm2-pcr-public.pem \
|
--pcrpkey=tpm2-pcr-public-key.pem \
|
||||||
--bank=sha1 \
|
--bank=sha1 \
|
||||||
--bank=sha256 \
|
--bank=sha256 \
|
||||||
--private-key=tpm2-pcr-private.pem \
|
--private-key=tpm2-pcr-private-key.pem \
|
||||||
--public-key=tpm2-pcr-public.pem >tpm2-pcr-signature.json
|
--public-key=tpm2-pcr-public-key.pem >tpm2-pcr-signature.json
|
||||||
# ukify --output=vmlinuz.efi \
|
# ukify --output=vmlinuz.efi \
|
||||||
--os-release=@os-release.txt \
|
--os-release=@os-release.txt \
|
||||||
--cmdline=@cmdline.txt \
|
--cmdline=@cmdline.txt \
|
||||||
--splash=splash.bmp \
|
--splash=splash.bmp \
|
||||||
--devicetree=devicetree.dtb \
|
--devicetree=devicetree.dtb \
|
||||||
--pcr-private-key=tpm2-pcr-private.pem \
|
--pcr-private-key=tpm2-pcr-private-key.pem \
|
||||||
--pcr-public-key=tpm2-pcr-public.pem \
|
--pcr-public-key=tpm2-pcr-public-key.pem \
|
||||||
--pcr-banks=sha1,sha256 \
|
--pcr-banks=sha1,sha256 \
|
||||||
vmlinux initrd.cpio</programlisting>
|
vmlinux initrd.cpio</programlisting>
|
||||||
|
|
||||||
<para>Later on, enroll the signed PCR policy on a LUKS volume:</para>
|
<para>Later on, enroll the signed PCR policy on a LUKS volume:</para>
|
||||||
|
|
||||||
<programlisting># systemd-cryptenroll --tpm2-device=auto \
|
<programlisting># systemd-cryptenroll --tpm2-device=auto \
|
||||||
--tpm2-public-key=tpm2-pcr-public.pem \
|
--tpm2-public-key=tpm2-pcr-public-key.pem \
|
||||||
--tpm2-signature=tpm2-pcr-signature.json \
|
--tpm2-signature=tpm2-pcr-signature.json \
|
||||||
/dev/sda5</programlisting>
|
/dev/sda5</programlisting>
|
||||||
|
|
||||||
|
@ -339,38 +339,38 @@ $ openssl rsa -pubout -in tpm2-pcr-private.pem -out tpm2-pcr-public.pem
|
||||||
two classes of secrets or credentials: one that can be unlocked during the entire runtime, and the
|
two classes of secrets or credentials: one that can be unlocked during the entire runtime, and the
|
||||||
other that can only be used in the initrd.</para>
|
other that can only be used in the initrd.</para>
|
||||||
|
|
||||||
<programlisting>$ openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out tpm2-pcr-private.pem
|
<programlisting>$ openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out tpm2-pcr-private-key.pem
|
||||||
.+........+.+........+.......+...+...+........+....+......+..+..........
|
.+........+.+........+.......+...+...+........+....+......+..+..........
|
||||||
$ openssl rsa -pubout -in tpm2-pcr-private.pem -out tpm2-pcr-public.pem
|
$ openssl rsa -pubout -in tpm2-pcr-private-key.pem -out tpm2-pcr-public-key.pem
|
||||||
$ openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out tpm2-pcr-initrd-private.pem
|
$ openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out tpm2-pcr-private-key-initrd.pem
|
||||||
..+.......++........+........+......+........+....+.....+.+..+..........
|
..+.......++........+........+......+........+....+.....+.+..+..........
|
||||||
$ openssl rsa -pubout -in tpm2-pcr-initrd-private.pem -out tpm2-pcr-initrd-public.pem
|
$ openssl rsa -pubout -in tpm2-pcr-private-key-initrd.pem -out tpm2-pcr-public-key-initrd.pem
|
||||||
# ukify --output vmlinux-1.2.3.efi \
|
# ukify --output vmlinux-1.2.3.efi \
|
||||||
--os-release=@os-release.txt \
|
--os-release=@os-release.txt \
|
||||||
--cmdline=@cmdline.txt \
|
--cmdline=@cmdline.txt \
|
||||||
--splash=splash.bmp \
|
--splash=splash.bmp \
|
||||||
--devicetree=devicetree.dtb \
|
--devicetree=devicetree.dtb \
|
||||||
--pcr-private-key=tpm2-pcr-private.pem \
|
--pcr-private-key=tpm2-pcr-private-key.pem \
|
||||||
--pcr-public-key=tpm2-pcr-public.pem \
|
--pcr-public-key=tpm2-pcr-public-key.pem \
|
||||||
--phases=enter-initrd,enter-initrd:leave-initrd,enter-initrd:leave-initrd:sysinit,enter-initrd:leave-initrd:sysinit:ready \
|
--phases=enter-initrd,enter-initrd:leave-initrd,enter-initrd:leave-initrd:sysinit,enter-initrd:leave-initrd:sysinit:ready \
|
||||||
--pcr-banks=sha1,sha256 \
|
--pcr-banks=sha1,sha256 \
|
||||||
--pcr-private-key=tpm2-pcr-initrd-private.pem \
|
--pcr-private-key=tpm2-pcr-private-key-initrd.pem \
|
||||||
--pcr-public-key=tpm2-pcr-initrd-public.pem \
|
--pcr-public-key=tpm2-pcr-public-key-initrd.pem \
|
||||||
--phases=enter-initrd \
|
--phases=enter-initrd \
|
||||||
vmlinux-1.2.3 initrd.cpio \
|
vmlinux-1.2.3 initrd.cpio \
|
||||||
--uname=1.2.3
|
--uname=1.2.3
|
||||||
+ /usr/lib/systemd/systemd-measure sign --linux=vmlinux-1.2.3 \
|
+ /usr/lib/systemd/systemd-measure sign --linux=vmlinux-1.2.3 \
|
||||||
--osrel=os-release.txt --cmdline=cmdline.txt --dtb=devicetree.dtb \
|
--osrel=os-release.txt --cmdline=cmdline.txt --dtb=devicetree.dtb \
|
||||||
--splash=splash.bmp --initrd=initrd.cpio --bank=sha1 --bank=sha256 \
|
--splash=splash.bmp --initrd=initrd.cpio --bank=sha1 --bank=sha256 \
|
||||||
--private-key=tpm2-pcr-private.pem --public-key=tpm2-pcr-public.pem \
|
--private-key=tpm2-pcr-private-key.pem --public-key=tpm2-pcr-public-key.pem \
|
||||||
--phase=enter-initrd --phase=enter-initrd:leave-initrd \
|
--phase=enter-initrd --phase=enter-initrd:leave-initrd \
|
||||||
--phase=enter-initrd:leave-initrd:sysinit \
|
--phase=enter-initrd:leave-initrd:sysinit \
|
||||||
--phase=enter-initrd:leave-initrd:sysinit:ready
|
--phase=enter-initrd:leave-initrd:sysinit:ready
|
||||||
+ /usr/lib/systemd/systemd-measure sign --linux=vmlinux-1.2.3 \
|
+ /usr/lib/systemd/systemd-measure sign --linux=vmlinux-1.2.3 \
|
||||||
--osrel=os-release.txt --cmdline=cmdline.txt --dtb=devicetree.dtb \
|
--osrel=os-release.txt --cmdline=cmdline.txt --dtb=devicetree.dtb \
|
||||||
--splash=splash.bmp --initrd=initrd.cpio --bank=sha1 --bank=sha256 \
|
--splash=splash.bmp --initrd=initrd.cpio --bank=sha1 --bank=sha256 \
|
||||||
--private-key=tpm2-pcr-initrd-private.pem \
|
--private-key=tpm2-pcr-private-key-initrd.pem \
|
||||||
--public-key=tpm2-pcr-initrd-public.pem \
|
--public-key=tpm2-pcr-public-key-initrd.pem \
|
||||||
--phase=enter-initrd
|
--phase=enter-initrd
|
||||||
Wrote unsigned vmlinux-1.2.3.efi
|
Wrote unsigned vmlinux-1.2.3.efi
|
||||||
</programlisting>
|
</programlisting>
|
||||||
|
@ -385,8 +385,8 @@ Wrote unsigned vmlinux-1.2.3.efi
|
||||||
by the first <option>--pcr-private-key=</option> option, covering all boot phases. The
|
by the first <option>--pcr-private-key=</option> option, covering all boot phases. The
|
||||||
<literal>.pcrpkey</literal> section is used in the default policies of
|
<literal>.pcrpkey</literal> section is used in the default policies of
|
||||||
<command>systemd-cryptenroll</command> and <command>systemd-creds</command>. To use the stricter policy
|
<command>systemd-cryptenroll</command> and <command>systemd-creds</command>. To use the stricter policy
|
||||||
bound to <filename>tpm-pcr-initrd-public.pem</filename>, specify <option>--tpm2-public-key=</option> on
|
bound to <filename>tpm2-pcr-public-key-initrd.pem</filename>, specify
|
||||||
the command line of those tools.</para>
|
<option>--tpm2-public-key=</option> on the command line of those tools.</para>
|
||||||
</example>
|
</example>
|
||||||
</refsect1>
|
</refsect1>
|
||||||
|
|
||||||
|
|
|
@ -29,7 +29,7 @@
|
||||||
<refsect1>
|
<refsect1>
|
||||||
<title>Description</title>
|
<title>Description</title>
|
||||||
|
|
||||||
<para><command>systemd-nsresourced</command> is a system service that permits transient delegation of a a
|
<para><command>systemd-nsresourced</command> is a system service that permits transient delegation of a
|
||||||
UID/GID range to a user namespace (see <citerefentry
|
UID/GID range to a user namespace (see <citerefentry
|
||||||
project='man-pages'><refentrytitle>user_namespaces</refentrytitle><manvolnum>7</manvolnum></citerefentry>)
|
project='man-pages'><refentrytitle>user_namespaces</refentrytitle><manvolnum>7</manvolnum></citerefentry>)
|
||||||
allocated by a client, via a Varlink IPC API.</para>
|
allocated by a client, via a Varlink IPC API.</para>
|
||||||
|
|
|
@ -115,7 +115,7 @@
|
||||||
result can be pre-calculated without too much effort. The <literal>.pcrsig</literal> section is not
|
result can be pre-calculated without too much effort. The <literal>.pcrsig</literal> section is not
|
||||||
included in this PCR measurement, since it is supposed to contain signatures for the output of the
|
included in this PCR measurement, since it is supposed to contain signatures for the output of the
|
||||||
measurement operation, and thus cannot also be input to it. If an UKI contains multiple profiles, only
|
measurement operation, and thus cannot also be input to it. If an UKI contains multiple profiles, only
|
||||||
the PE sections of the selected profile (and those of the base profile, except if overriden) are
|
the PE sections of the selected profile (and those of the base profile, except if overridden) are
|
||||||
measured.</para>
|
measured.</para>
|
||||||
|
|
||||||
<para>If non-zero, the selected numeric profile is measured into PCR 12.</para>
|
<para>If non-zero, the selected numeric profile is measured into PCR 12.</para>
|
||||||
|
@ -641,7 +641,7 @@
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><filename>/.extra/tpm2-pcr-pkey.pem</filename></term>
|
<term><filename>/.extra/tpm2-pcr-public-key.pem</filename></term>
|
||||||
<listitem><para>The PEM public key included in the <literal>.pcrpkey</literal> PE section of the
|
<listitem><para>The PEM public key included in the <literal>.pcrpkey</literal> PE section of the
|
||||||
unified kernel image is copied into the <filename>/.extra/tpm2-pcr-public-key.pem</filename> file in
|
unified kernel image is copied into the <filename>/.extra/tpm2-pcr-public-key.pem</filename> file in
|
||||||
the initrd execution environment.</para>
|
the initrd execution environment.</para>
|
||||||
|
|
|
@ -152,10 +152,11 @@
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><option>--purge</option></term>
|
<term><option>--purge</option></term>
|
||||||
|
|
||||||
<listitem><para>If this option is passed, all files and directories marked for
|
<listitem><para>If this option is passed, all files and directories declared for
|
||||||
<emphasis>creation</emphasis> by the <filename>tmpfiles.d/</filename> files specified on the command
|
<emphasis>creation</emphasis> and marked with the <literal>$</literal> character by the
|
||||||
line will be <emphasis>deleted</emphasis>. Specifically, this acts on all files and directories
|
<filename>tmpfiles.d/</filename> files specified on the command line will be
|
||||||
marked with <varname>f</varname>, <varname>F</varname>, <varname>d</varname>, <varname>D</varname>,
|
<emphasis>deleted</emphasis>. Specifically, this acts on all files and directories marked with
|
||||||
|
<varname>f</varname>, <varname>F</varname>, <varname>d</varname>, <varname>D</varname>,
|
||||||
<varname>v</varname>, <varname>q</varname>, <varname>Q</varname>, <varname>p</varname>,
|
<varname>v</varname>, <varname>q</varname>, <varname>Q</varname>, <varname>p</varname>,
|
||||||
<varname>L</varname>, <varname>c</varname>, <varname>b</varname>, <varname>C</varname>,
|
<varname>L</varname>, <varname>c</varname>, <varname>b</varname>, <varname>C</varname>,
|
||||||
<varname>w</varname>, <varname>e</varname>. If this switch is used at least one
|
<varname>w</varname>, <varname>e</varname>. If this switch is used at least one
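Review bot: The new condition `marked with the $ character` does not say where that character appears; it presumably refers to a modifier character on the tmpfiles.d line, so naming it as such and pointing at tmpfiles.d(5), e.g. `marked with the $ modifier in their type field (see tmpfiles.d(5))`, would keep readers from looking for a literal `$` in the path. The following sentence, `Specifically, this acts on all files and directories marked with f, F, d, D, …`, is unchanged from before and now reads as if the type alone were sufficient; since --purge deletes files, it should say that entries of these types without the `$` marker are left untouched. The enclosing varlistentry continues past the hunk.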
|
||||||
|
|
|
@ -3001,7 +3001,12 @@ SystemCallErrorNumber=EPERM</programlisting>
|
||||||
|
|
||||||
<para><option>tty</option> connects standard output to a tty (as configured via <varname>TTYPath=</varname>,
|
<para><option>tty</option> connects standard output to a tty (as configured via <varname>TTYPath=</varname>,
|
||||||
see below). If the TTY is used for output only, the executed process will not become the controlling process of
|
see below). If the TTY is used for output only, the executed process will not become the controlling process of
|
||||||
the terminal, and will not fail or wait for other processes to release the terminal.</para>
|
the terminal, and will not fail or wait for other processes to release the terminal. Note: if a unit
|
||||||
|
tries to print multiple lines to a TTY during bootup or shutdown, then there's a chance that those
|
||||||
|
lines will be broken up by status messages. <function>SetShowStatus()</function> can be used to
|
||||||
|
prevent this problem. See
|
||||||
|
<citerefentry project="man-pages"><refentrytitle>org.freedesktop.systemd1</refentrytitle><manvolnum>5</manvolnum></citerefentry>
|
||||||
|
for details.</para>
|
||||||
|
|
||||||
<para><option>journal</option> connects standard output with the journal, which is accessible via
|
<para><option>journal</option> connects standard output with the journal, which is accessible via
|
||||||
<citerefentry><refentrytitle>journalctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>. Note
|
<citerefentry><refentrytitle>journalctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>. Note
|
||||||
|
|
|
@ -568,7 +568,11 @@
|
||||||
<listitem><para>Enables display of status messages on the
|
<listitem><para>Enables display of status messages on the
|
||||||
console, as controlled via
|
console, as controlled via
|
||||||
<varname>systemd.show_status=1</varname> on the kernel command
|
<varname>systemd.show_status=1</varname> on the kernel command
|
||||||
line.</para></listitem>
|
line.</para>
|
||||||
|
<para>You may want to use <function>SetShowStatus()</function> instead of
|
||||||
|
<constant>SIGRTMIN+20</constant> in order to prevent race conditions. See
|
||||||
|
<citerefentry project="man-pages"><refentrytitle>org.freedesktop.systemd1</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
|
||||||
|
</para></listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
|
@ -579,7 +583,11 @@
|
||||||
controlled via
|
controlled via
|
||||||
<varname>systemd.show_status=0</varname>
|
<varname>systemd.show_status=0</varname>
|
||||||
on the kernel command
|
on the kernel command
|
||||||
line.</para></listitem>
|
line.</para>
|
||||||
|
<para>You may want to use <function>SetShowStatus()</function> instead of
|
||||||
|
<constant>SIGRTMIN+21</constant> in order to prevent race conditions. See
|
||||||
|
<citerefentry project="man-pages"><refentrytitle>org.freedesktop.systemd1</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
|
||||||
|
</para></listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
|
|
|
@ -539,6 +539,10 @@ w- /proc/sys/vm/swappiness - - - - 10</programlisting></para>
|
||||||
service, the line is silently skipped. If <literal>^</literal> and <literal>~</literal> are combined
|
service, the line is silently skipped. If <literal>^</literal> and <literal>~</literal> are combined
|
||||||
Base64 decoding is applied to the credential contents.</para>
|
Base64 decoding is applied to the credential contents.</para>
|
||||||
|
|
||||||
|
<para>If the dollar sign (<literal>$</literal>) is used, the file becomes subject to removal when
|
||||||
|
<command>systemd-tmpfiles</command> is invoked with the <option>--purge</option> switch. Lines without
|
||||||
|
this character are unaffected by that switch.</para>
|
||||||
|
|
||||||
<para>Note that for all line types that result in creation of any kind of file node
|
<para>Note that for all line types that result in creation of any kind of file node
|
||||||
(i.e. <varname>f</varname>,
|
(i.e. <varname>f</varname>,
|
||||||
<varname>d</varname>/<varname>D</varname>/<varname>v</varname>/<varname>q</varname>/<varname>Q</varname>,
|
<varname>d</varname>/<varname>D</varname>/<varname>v</varname>/<varname>q</varname>/<varname>Q</varname>,
|
||||||
|
|
|
@ -141,6 +141,12 @@
|
||||||
For example, e"string\n" is parsed as 7 characters: 6 lowercase letters and a newline.
|
For example, e"string\n" is parsed as 7 characters: 6 lowercase letters and a newline.
|
||||||
This can be useful for writing special characters when a kernel driver requires them.</para>
|
This can be useful for writing special characters when a kernel driver requires them.</para>
|
||||||
|
|
||||||
|
<para>The string can be prefixed with a lowercase i (i"string") to mark that the string or pattern
|
||||||
|
will match case-insensitively. For example, i"foo" will match
|
||||||
|
<literal>foo</literal>, <literal>FOO</literal>, <literal>FoO</literal> and so on. The prefix can be
|
||||||
|
used only for match (<literal>==</literal>) or unmatch (<literal>!=</literal>) rules, e.g.
|
||||||
|
<varname>ATTR{foo}==i"abcd"</varname>.</para>
|
||||||
|
|
||||||
<para>Please note that <constant>NUL</constant> is not allowed in either string variant.</para>
|
<para>Please note that <constant>NUL</constant> is not allowed in either string variant.</para>
|
||||||
</refsect2>
|
</refsect2>
|
||||||
|
|
||||||
|
|
|
@ -1,14 +1,14 @@
|
||||||
[UKI]
|
[UKI]
|
||||||
SecureBootPrivateKey=/etc/kernel/secure-boot.key.pem
|
SecureBootPrivateKey=/etc/kernel/secure-boot-key.pem
|
||||||
SecureBootCertificate=/etc/kernel/secure-boot.cert.pem
|
SecureBootCertificate=/etc/kernel/secure-boot-certificate.pem
|
||||||
|
|
||||||
[PCRSignature:initrd]
|
[PCRSignature:initrd]
|
||||||
Phases=enter-initrd
|
Phases=enter-initrd
|
||||||
PCRPrivateKey=/etc/kernel/pcr-initrd.key.pem
|
PCRPrivateKey=/etc/systemd/tpm2-pcr-private-key-initrd.pem
|
||||||
PCRPublicKey=/etc/kernel/pcr-initrd.pub.pem
|
PCRPublicKey=/etc/systemd/tpm2-pcr-public-key-initrd.pem
|
||||||
|
|
||||||
[PCRSignature:system]
|
[PCRSignature:system]
|
||||||
Phases=enter-initrd:leave-initrd enter-initrd:leave-initrd:sysinit
|
Phases=enter-initrd:leave-initrd enter-initrd:leave-initrd:sysinit
|
||||||
enter-initrd:leave-initrd:sysinit:ready
|
enter-initrd:leave-initrd:sysinit:ready
|
||||||
PCRPrivateKey=/etc/kernel/pcr-system.key.pem
|
PCRPrivateKey=/etc/systemd/tpm2-pcr-private-key-system.pem
|
||||||
PCRPublicKey=/etc/kernel/pcr-system.pub.pem
|
PCRPublicKey=/etc/systemd/tpm2-pcr-public-key-system.pem
|
||||||
|
|
|
@ -619,11 +619,11 @@
|
||||||
--initrd=/some/path/initramfs-6.0.9-300.fc37.x86_64.img \
|
--initrd=/some/path/initramfs-6.0.9-300.fc37.x86_64.img \
|
||||||
--sbat='sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
|
--sbat='sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
|
||||||
uki.author.myimage,1,UKI for System,uki.author.myimage,1,https://uapi-group.org/specifications/specs/unified_kernel_image/' \
|
uki.author.myimage,1,UKI for System,uki.author.myimage,1,https://uapi-group.org/specifications/specs/unified_kernel_image/' \
|
||||||
--pcr-private-key=pcr-private-initrd-key.pem \
|
--pcr-private-key=tpm2-pcr-private-key-initrd.pem \
|
||||||
--pcr-public-key=pcr-public-initrd-key.pem \
|
--pcr-public-key=tpm2-pcr-public-key-initrd.pem \
|
||||||
--phases='enter-initrd' \
|
--phases='enter-initrd' \
|
||||||
--pcr-private-key=pcr-private-system-key.pem \
|
--pcr-private-key=tpm2-pcr-private-key-system.pem \
|
||||||
--pcr-public-key=pcr-public-system-key.pem \
|
--pcr-public-key=tpm2-pcr-public-key-system.pem \
|
||||||
--phases='enter-initrd:leave-initrd enter-initrd:leave-initrd:sysinit \
|
--phases='enter-initrd:leave-initrd enter-initrd:leave-initrd:sysinit \
|
||||||
enter-initrd:leave-initrd:sysinit:ready' \
|
enter-initrd:leave-initrd:sysinit:ready' \
|
||||||
--pcr-banks=sha384,sha512 \
|
--pcr-banks=sha384,sha512 \
|
||||||
|
@ -638,9 +638,9 @@
|
||||||
and <filename index='false'>initramfs-6.0.9-300.fc37.x86_64.img</filename>.
|
and <filename index='false'>initramfs-6.0.9-300.fc37.x86_64.img</filename>.
|
||||||
The policy embedded in the <literal>.pcrsig</literal> section will be signed for the initrd (the
|
The policy embedded in the <literal>.pcrsig</literal> section will be signed for the initrd (the
|
||||||
<constant>enter-initrd</constant> phase) with the key
|
<constant>enter-initrd</constant> phase) with the key
|
||||||
<filename index='false'>pcr-private-initrd-key.pem</filename>, and for the main system (phases
|
<filename index='false'>tpm2-pcr-private-key-initrd.pem</filename>, and for the main system (phases
|
||||||
<constant>leave-initrd</constant>, <constant>sysinit</constant>, <constant>ready</constant>) with the
|
<constant>leave-initrd</constant>, <constant>sysinit</constant>, <constant>ready</constant>) with the
|
||||||
key <filename index='false'>pcr-private-system-key.pem</filename>. The Linux binary and the resulting
|
key <filename index='false'>tpm2-pcr-private-key-system.pem</filename>. The Linux binary and the resulting
|
||||||
combined image will be signed with the SecureBoot key <filename index='false'>sb.key</filename>.</para>
|
combined image will be signed with the SecureBoot key <filename index='false'>sb.key</filename>.</para>
|
||||||
</example>
|
</example>
|
||||||
|
|
||||||
|
@ -655,19 +655,19 @@
|
||||||
Initrd=early_cpio
|
Initrd=early_cpio
|
||||||
Cmdline=quiet rw rhgb
|
Cmdline=quiet rw rhgb
|
||||||
|
|
||||||
SecureBootPrivateKey=sb.key
|
SecureBootPrivateKey=secure-boot-key.pem
|
||||||
SecureBootCertificate=sb.cert
|
SecureBootCertificate=secure-boot-certificate.pem
|
||||||
SignKernel=yes
|
SignKernel=yes
|
||||||
PCRBanks=sha384,sha512
|
PCRBanks=sha384,sha512
|
||||||
|
|
||||||
[PCRSignature:initrd]
|
[PCRSignature:initrd]
|
||||||
PCRPrivateKey=pcr-private-initrd-key.pem
|
PCRPrivateKey=tpm2-pcr-private-key-initrd.pem
|
||||||
PCRPublicKey=pcr-public-initrd-key.pem
|
PCRPublicKey=tpm2-pcr-public-key-initrd.pem
|
||||||
Phases=enter-initrd
|
Phases=enter-initrd
|
||||||
|
|
||||||
[PCRSignature:system]
|
[PCRSignature:system]
|
||||||
PCRPrivateKey=pcr-private-system-key.pem
|
PCRPrivateKey=tpm2-pcr-private-key-system.pem
|
||||||
PCRPublicKey=pcr-public-system-key.pem
|
PCRPublicKey=tpm2-pcr-public-key-system.pem
|
||||||
Phases=enter-initrd:leave-initrd
|
Phases=enter-initrd:leave-initrd
|
||||||
enter-initrd:leave-initrd:sysinit
|
enter-initrd:leave-initrd:sysinit
|
||||||
enter-initrd:leave-initrd:sysinit:ready
|
enter-initrd:leave-initrd:sysinit:ready
|
||||||
|
@ -687,8 +687,8 @@ $ ukify -c ukify.conf build \
|
||||||
<title>Kernel command line PE addon</title>
|
<title>Kernel command line PE addon</title>
|
||||||
|
|
||||||
<programlisting>ukify build \
|
<programlisting>ukify build \
|
||||||
--secureboot-private-key=sb.key \
|
--secureboot-private-key=secure-boot-key.pem \
|
||||||
--secureboot-certificate=sb.cert \
|
--secureboot-certificate=secure-boot-certificate.pem \
|
||||||
--cmdline='debug' \
|
--cmdline='debug' \
|
||||||
--sbat='sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
|
--sbat='sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
|
||||||
uki-addon.author,1,UKI Addon for System,uki-addon.author,1,https://www.freedesktop.org/software/systemd/man/systemd-stub.html'
|
uki-addon.author,1,UKI Addon for System,uki-addon.author,1,https://www.freedesktop.org/software/systemd/man/systemd-stub.html'
|
||||||
|
@ -709,12 +709,12 @@ $ ukify -c ukify.conf build \
|
||||||
|
|
||||||
<para>Next, we can generate the certificate and keys:</para>
|
<para>Next, we can generate the certificate and keys:</para>
|
||||||
<programlisting># ukify genkey --config=/etc/kernel/uki.conf
|
<programlisting># ukify genkey --config=/etc/kernel/uki.conf
|
||||||
Writing SecureBoot private key to /etc/kernel/secure-boot.key.pem
|
Writing SecureBoot private key to /etc/kernel/secure-boot-key.pem
|
||||||
Writing SecureBoot certificate to /etc/kernel/secure-boot.cert.pem
|
Writing SecureBoot certificate to /etc/kernel/secure-boot-certificate.pem
|
||||||
Writing private key for PCR signing to /etc/kernel/pcr-initrd.key.pem
|
Writing private key for PCR signing to /etc/systemd/tpm2-pcr-private-key-initrd.pem
|
||||||
Writing public key for PCR signing to /etc/kernel/pcr-initrd.pub.pem
|
Writing public key for PCR signing to /etc/systemd/tpm2-pcr-public-key-initrd.pem
|
||||||
Writing private key for PCR signing to /etc/kernel/pcr-system.key.pem
|
Writing private key for PCR signing to /etc/systemd/tpm2-pcr-private-key-system.pem
|
||||||
Writing public key for PCR signing to /etc/kernel/pcr-system.pub.pem
|
Writing public key for PCR signing to /etc/systemd/tpm2-pcr-public-key-system.pem
|
||||||
</programlisting>
|
</programlisting>
|
||||||
|
|
||||||
<para>(Both operations need to be done as root to allow write access
|
<para>(Both operations need to be done as root to allow write access
|
||||||
|
|
|
@ -58,23 +58,18 @@ OPTIONS=(
|
||||||
)
|
)
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
# Linting the PKGBUILD takes multiple seconds every build so avoid that by nuking all the linting functions.
|
|
||||||
rm /usr/share/makepkg/lint_pkgbuild/*
|
|
||||||
|
|
||||||
TS="${SOURCE_DATE_EPOCH:-$(date +%s)}"
|
TS="${SOURCE_DATE_EPOCH:-$(date +%s)}"
|
||||||
|
|
||||||
sed --in-place "pkg/$PKG_SUBDIR/PKGBUILD" \
|
sed --in-place "pkg/$PKG_SUBDIR/PKGBUILD" \
|
||||||
--expression "s/^_tag=.*/_tag=$(cat meson.version)/" \
|
--expression "s/^_tag=.*/_tag=$(cat meson.version)/" \
|
||||||
--expression "s/^pkgrel=.*/pkgrel=$(date "+%Y%m%d%H%M%S" --date "@$TS")/"
|
--expression "s/^pkgrel=.*/pkgrel=$(date "+%Y%m%d%H%M%S" --date "@$TS")/"
|
||||||
|
|
||||||
# Replace cdrom/dialout/tape groups with optical/uucp/storage. We apply this patch manually because we run
|
|
||||||
# with --noprepare.
|
|
||||||
patch -Np1 -i pkg/arch/0001-Use-Arch-Linux-device-access-groups.patch
|
|
||||||
|
|
||||||
# We get around makepkg's root check by setting EUID to something else.
|
# We get around makepkg's root check by setting EUID to something else.
|
||||||
|
# Linting the PKGBUILD takes multiple seconds every build so avoid that by nuking all the linting functions.
|
||||||
# shellcheck disable=SC2046
|
# shellcheck disable=SC2046
|
||||||
env --chdir="pkg/$PKG_SUBDIR" \
|
env --chdir="pkg/$PKG_SUBDIR" \
|
||||||
EUID=123 \
|
EUID=123 \
|
||||||
|
MAKEPKG_LINT_PKGBUILD=0 \
|
||||||
makepkg \
|
makepkg \
|
||||||
--noextract \
|
--noextract \
|
||||||
--noprepare \
|
--noprepare \
|
||||||
|
|
|
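Review bot: The removed `patch -Np1 -i pkg/arch/0001-Use-Arch-Linux-device-access-groups.patch` step has no replacement in this hunk while `--noprepare` is still passed to makepkg, so the PKGBUILD's prepare() — which the removed comment named as the reason for applying the patch by hand — still does not run; if the patch was dropped because the pinned upstream packaging checkout no longer needs it, a one-line comment saying so would save the next reader the search. Replacing `rm /usr/share/makepkg/lint_pkgbuild/*` with `MAKEPKG_LINT_PKGBUILD=0` is a welcome change, as the script no longer deletes files from the build image to get the same effect. The relocated `# Linting the PKGBUILD ...` comment now sits between `# We get around makepkg's root check ...` and `# shellcheck disable=SC2046`, so the three read as one paragraph; consider moving it directly above the `MAKEPKG_LINT_PKGBUILD=0 \` line it explains, or merging the two explanations into one sentence. The enclosing script continues outside the hunk.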
@ -9,7 +9,7 @@ Environment=
|
||||||
GIT_URL=https://salsa.debian.org/systemd-team/systemd.git
|
GIT_URL=https://salsa.debian.org/systemd-team/systemd.git
|
||||||
GIT_SUBDIR=debian
|
GIT_SUBDIR=debian
|
||||||
GIT_BRANCH=debian/master
|
GIT_BRANCH=debian/master
|
||||||
GIT_COMMIT=bb6db3edfe40fe1a98cdcc6d2d07a7dac38aefc5
|
GIT_COMMIT=0704bfd93f407eb4622c724328a5693155f913a1
|
||||||
PKG_SUBDIR=debian
|
PKG_SUBDIR=debian
|
||||||
|
|
||||||
Packages=
|
Packages=
|
||||||
|
|
|
@ -3,18 +3,11 @@
|
||||||
set -e
|
set -e
|
||||||
set -o nounset
|
set -o nounset
|
||||||
|
|
||||||
if [[ "$DISTRIBUTION" =~ ubuntu|debian ]]; then
|
|
||||||
SUDO_GROUP=sudo
|
|
||||||
else
|
|
||||||
SUDO_GROUP=wheel
|
|
||||||
fi
|
|
||||||
|
|
||||||
useradd \
|
useradd \
|
||||||
--uid 4711 \
|
--uid 4711 \
|
||||||
--user-group \
|
--user-group \
|
||||||
--create-home \
|
--create-home \
|
||||||
--password "$(openssl passwd -1 testuser)" \
|
--password "$(openssl passwd -1 testuser)" \
|
||||||
--groups "$SUDO_GROUP",systemd-journal \
|
|
||||||
--shell /bin/bash \
|
--shell /bin/bash \
|
||||||
testuser
|
testuser
|
||||||
|
|
||||||
|
|
109
po/fi.po
109
po/fi.po
|
@ -2,21 +2,21 @@
|
||||||
#
|
#
|
||||||
# Finnish translation of systemd.
|
# Finnish translation of systemd.
|
||||||
# Jan Kuparinen <copper_fin@hotmail.com>, 2021, 2022, 2023.
|
# Jan Kuparinen <copper_fin@hotmail.com>, 2021, 2022, 2023.
|
||||||
# Ricky Tigg <ricky.tigg@gmail.com>, 2022.
|
# Ricky Tigg <ricky.tigg@gmail.com>, 2022, 2024.
|
||||||
msgid ""
|
msgid ""
|
||||||
msgstr ""
|
msgstr ""
|
||||||
"Report-Msgid-Bugs-To: \n"
|
"Report-Msgid-Bugs-To: \n"
|
||||||
"POT-Creation-Date: 2024-08-23 15:33+0200\n"
|
"POT-Creation-Date: 2024-08-23 15:33+0200\n"
|
||||||
"PO-Revision-Date: 2023-08-21 17:21+0000\n"
|
"PO-Revision-Date: 2024-09-12 13:43+0000\n"
|
||||||
"Last-Translator: Jan Kuparinen <copper_fin@hotmail.com>\n"
|
"Last-Translator: Ricky Tigg <ricky.tigg@gmail.com>\n"
|
||||||
"Language-Team: Finnish <https://translate.fedoraproject.org/projects/systemd/"
|
"Language-Team: Finnish <https://translate.fedoraproject.org/projects/systemd/"
|
||||||
"master/fi/>\n"
|
"main/fi/>\n"
|
||||||
"Language: fi\n"
|
"Language: fi\n"
|
||||||
"MIME-Version: 1.0\n"
|
"MIME-Version: 1.0\n"
|
||||||
"Content-Type: text/plain; charset=UTF-8\n"
|
"Content-Type: text/plain; charset=UTF-8\n"
|
||||||
"Content-Transfer-Encoding: 8bit\n"
|
"Content-Transfer-Encoding: 8bit\n"
|
||||||
"Plural-Forms: nplurals=2; plural=n != 1;\n"
|
"Plural-Forms: nplurals=2; plural=n != 1;\n"
|
||||||
"X-Generator: Weblate 4.18.2\n"
|
"X-Generator: Weblate 5.7.2\n"
|
||||||
|
|
||||||
#: src/core/org.freedesktop.systemd1.policy.in:22
|
#: src/core/org.freedesktop.systemd1.policy.in:22
|
||||||
msgid "Send passphrase back to system"
|
msgid "Send passphrase back to system"
|
||||||
|
@ -129,14 +129,12 @@ msgid ""
|
||||||
msgstr "Todennus vaaditaan käyttäjän kotialueen salasanan vaihtamiseksi."
|
msgstr "Todennus vaaditaan käyttäjän kotialueen salasanan vaihtamiseksi."
|
||||||
|
|
||||||
#: src/home/org.freedesktop.home1.policy:73
|
#: src/home/org.freedesktop.home1.policy:73
|
||||||
#, fuzzy
|
|
||||||
msgid "Activate a home area"
|
msgid "Activate a home area"
|
||||||
msgstr "Luo kotialue"
|
msgstr "Aktivoi kotialue"
|
||||||
|
|
||||||
#: src/home/org.freedesktop.home1.policy:74
|
#: src/home/org.freedesktop.home1.policy:74
|
||||||
#, fuzzy
|
|
||||||
msgid "Authentication is required to activate a user's home area."
|
msgid "Authentication is required to activate a user's home area."
|
||||||
msgstr "Todennus vaaditaan käyttäjän kotialueen luomiseksi."
|
msgstr "Todennus vaaditaan käyttäjän kotialueen aktivoimiseksi."
|
||||||
|
|
||||||
#: src/home/pam_systemd_home.c:293
|
#: src/home/pam_systemd_home.c:293
|
||||||
#, c-format
|
#, c-format
|
||||||
|
@ -364,47 +362,37 @@ msgid "Authentication is required to get system description."
|
||||||
msgstr "Järjestelmän kuvauksen saamiseksi vaaditaan todennus."
|
msgstr "Järjestelmän kuvauksen saamiseksi vaaditaan todennus."
|
||||||
|
|
||||||
#: src/import/org.freedesktop.import1.policy:22
|
#: src/import/org.freedesktop.import1.policy:22
|
||||||
#, fuzzy
|
|
||||||
msgid "Import a disk image"
|
msgid "Import a disk image"
|
||||||
msgstr "Tuo virtuaalikoneen tai kontin levykuva"
|
msgstr "Tuo levykuva"
|
||||||
|
|
||||||
#: src/import/org.freedesktop.import1.policy:23
|
#: src/import/org.freedesktop.import1.policy:23
|
||||||
#, fuzzy
|
|
||||||
msgid "Authentication is required to import an image."
|
msgid "Authentication is required to import an image."
|
||||||
msgstr ""
|
msgstr "Levykuvan tuonti edellyttää todennusta."
|
||||||
"Todennus vaaditaan, jos haluat tuoda virtuaalikoneen tai kontin levykuvan"
|
|
||||||
|
|
||||||
#: src/import/org.freedesktop.import1.policy:32
|
#: src/import/org.freedesktop.import1.policy:32
|
||||||
#, fuzzy
|
|
||||||
msgid "Export a disk image"
|
msgid "Export a disk image"
|
||||||
msgstr "Vie virtuaalikoneen tai kontin levykuva"
|
msgstr "Vie levykuva"
|
||||||
|
|
||||||
#: src/import/org.freedesktop.import1.policy:33
|
#: src/import/org.freedesktop.import1.policy:33
|
||||||
#, fuzzy
|
|
||||||
msgid "Authentication is required to export disk image."
|
msgid "Authentication is required to export disk image."
|
||||||
msgstr ""
|
msgstr "Todennus vaaditaan levykuvan viemiseen."
|
||||||
"Todennus vaaditaan, jos haluat viedä virtuaalikoneen tai kontin levykuvan"
|
|
||||||
|
|
||||||
#: src/import/org.freedesktop.import1.policy:42
|
#: src/import/org.freedesktop.import1.policy:42
|
||||||
#, fuzzy
|
|
||||||
msgid "Download a disk image"
|
msgid "Download a disk image"
|
||||||
msgstr "Lataa virtuaalikoneen tai kontin levykuva"
|
msgstr "Lataa levykuva"
|
||||||
|
|
||||||
#: src/import/org.freedesktop.import1.policy:43
|
#: src/import/org.freedesktop.import1.policy:43
|
||||||
#, fuzzy
|
|
||||||
msgid "Authentication is required to download a disk image."
|
msgid "Authentication is required to download a disk image."
|
||||||
msgstr ""
|
msgstr "Todennus vaaditaan levykuvan lataamiseen."
|
||||||
"Todennus vaaditaan, jos haluat ladata virtuaalikoneen tai kontin levykuvan"
|
|
||||||
|
|
||||||
#: src/import/org.freedesktop.import1.policy:52
|
#: src/import/org.freedesktop.import1.policy:52
|
||||||
msgid "Cancel transfer of a disk image"
|
msgid "Cancel transfer of a disk image"
|
||||||
msgstr ""
|
msgstr "Peruuta levykuvan siirto"
|
||||||
|
|
||||||
#: src/import/org.freedesktop.import1.policy:53
|
#: src/import/org.freedesktop.import1.policy:53
|
||||||
#, fuzzy
|
|
||||||
msgid ""
|
msgid ""
|
||||||
"Authentication is required to cancel the ongoing transfer of a disk image."
|
"Authentication is required to cancel the ongoing transfer of a disk image."
|
||||||
msgstr "Todennus vaaditaan käyttäjän kotialueen salasanan vaihtamiseksi."
|
msgstr "Todennus vaaditaan meneillään olevan levykuvan siirron peruuttamiseksi."
|
||||||
|
|
||||||
#: src/locale/org.freedesktop.locale1.policy:22
|
#: src/locale/org.freedesktop.locale1.policy:22
|
||||||
msgid "Set system locale"
|
msgid "Set system locale"
|
||||||
|
@ -797,9 +785,8 @@ msgid "Set a wall message"
|
||||||
msgstr "Aseta seinäviesti"
|
msgstr "Aseta seinäviesti"
|
||||||
|
|
||||||
#: src/login/org.freedesktop.login1.policy:397
|
#: src/login/org.freedesktop.login1.policy:397
|
||||||
#, fuzzy
|
|
||||||
msgid "Authentication is required to set a wall message."
|
msgid "Authentication is required to set a wall message."
|
||||||
msgstr "Seinäviestin asettaminen edellyttää todennusta"
|
msgstr "Todennus vaaditaan seinäviestin asettamiseen."
|
||||||
|
|
||||||
#: src/login/org.freedesktop.login1.policy:406
|
#: src/login/org.freedesktop.login1.policy:406
|
||||||
msgid "Change Session"
|
msgid "Change Session"
|
||||||
|
@ -869,16 +856,13 @@ msgstr ""
|
||||||
"Todennus vaaditaan paikallisten virtuaalikoneiden ja konttien hallintaan."
|
"Todennus vaaditaan paikallisten virtuaalikoneiden ja konttien hallintaan."
|
||||||
|
|
||||||
#: src/machine/org.freedesktop.machine1.policy:95
|
#: src/machine/org.freedesktop.machine1.policy:95
|
||||||
#, fuzzy
|
|
||||||
msgid "Create a local virtual machine or container"
|
msgid "Create a local virtual machine or container"
|
||||||
msgstr "Hallitse paikallisia virtuaalikoneita ja kontteja"
|
msgstr "Luo paikallinen virtuaalikone tai säilö"
|
||||||
|
|
||||||
#: src/machine/org.freedesktop.machine1.policy:96
|
#: src/machine/org.freedesktop.machine1.policy:96
|
||||||
#, fuzzy
|
|
||||||
msgid ""
|
msgid ""
|
||||||
"Authentication is required to create a local virtual machine or container."
|
"Authentication is required to create a local virtual machine or container."
|
||||||
msgstr ""
|
msgstr "Todennus vaaditaan paikallisen virtuaalikoneen tai säilön luomiseen."
|
||||||
"Todennus vaaditaan paikallisten virtuaalikoneiden ja konttien hallintaan."
|
|
||||||
|
|
||||||
#: src/machine/org.freedesktop.machine1.policy:106
|
#: src/machine/org.freedesktop.machine1.policy:106
|
||||||
msgid "Manage local virtual machine and container images"
|
msgid "Manage local virtual machine and container images"
|
||||||
|
@ -1037,13 +1021,15 @@ msgstr "Todennus vaaditaan verkkokäyttöliittymän määrittämiseksi uudelleen
|
||||||
|
|
||||||
#: src/network/org.freedesktop.network1.policy:187
|
#: src/network/org.freedesktop.network1.policy:187
|
||||||
msgid "Specify whether persistent storage for systemd-networkd is available"
|
msgid "Specify whether persistent storage for systemd-networkd is available"
|
||||||
msgstr ""
|
msgstr "Määritä, onko systemd-networkd:lle saatavana pysyvä tallennustila"
|
||||||
|
|
||||||
#: src/network/org.freedesktop.network1.policy:188
|
#: src/network/org.freedesktop.network1.policy:188
|
||||||
msgid ""
|
msgid ""
|
||||||
"Authentication is required to specify whether persistent storage for systemd-"
|
"Authentication is required to specify whether persistent storage for systemd-"
|
||||||
"networkd is available."
|
"networkd is available."
|
||||||
msgstr ""
|
msgstr ""
|
||||||
|
"Todennus vaaditaan sen määrittämiseksi, onko systemd-networkd:lle pysyvä "
|
||||||
|
"tallennustila saatavana."
|
||||||
|
|
||||||
#: src/portable/org.freedesktop.portable1.policy:13
|
#: src/portable/org.freedesktop.portable1.policy:13
|
||||||
msgid "Inspect a portable service image"
|
msgid "Inspect a portable service image"
|
||||||
|
@ -1080,18 +1066,16 @@ msgid "Register a DNS-SD service"
|
||||||
msgstr "Rekisteröi DNS-SD-palvelu"
|
msgstr "Rekisteröi DNS-SD-palvelu"
|
||||||
|
|
||||||
#: src/resolve/org.freedesktop.resolve1.policy:23
|
#: src/resolve/org.freedesktop.resolve1.policy:23
|
||||||
#, fuzzy
|
|
||||||
msgid "Authentication is required to register a DNS-SD service."
|
msgid "Authentication is required to register a DNS-SD service."
|
||||||
msgstr "Todennus vaaditaan DNS-SD-palvelun rekisteröimiseksi"
|
msgstr "Todennus vaaditaan DNS-SD-palvelun rekisteröimiseksi."
|
||||||
|
|
||||||
#: src/resolve/org.freedesktop.resolve1.policy:33
|
#: src/resolve/org.freedesktop.resolve1.policy:33
|
||||||
msgid "Unregister a DNS-SD service"
|
msgid "Unregister a DNS-SD service"
|
||||||
msgstr "Poista DNS-SD-palvelun rekisteröinti"
|
msgstr "Poista DNS-SD-palvelun rekisteröinti"
|
||||||
|
|
||||||
#: src/resolve/org.freedesktop.resolve1.policy:34
|
#: src/resolve/org.freedesktop.resolve1.policy:34
|
||||||
#, fuzzy
|
|
||||||
msgid "Authentication is required to unregister a DNS-SD service."
|
msgid "Authentication is required to unregister a DNS-SD service."
|
||||||
msgstr "Todennus vaaditaan DNS-SD-palvelun rekisteröinnin poistamiseksi"
|
msgstr "Todennus vaaditaan DNS-SD-palvelun rekisteröinnin poistamiseksi."
|
||||||
|
|
||||||
#: src/resolve/org.freedesktop.resolve1.policy:132
|
#: src/resolve/org.freedesktop.resolve1.policy:132
|
||||||
msgid "Revert name resolution settings"
|
msgid "Revert name resolution settings"
|
||||||
|
@ -1103,86 +1087,79 @@ msgstr "Todennus vaaditaan aiempien nimipalveluasetusten palauttamiseksi."
|
||||||
|
|
||||||
#: src/resolve/org.freedesktop.resolve1.policy:143
|
#: src/resolve/org.freedesktop.resolve1.policy:143
|
||||||
msgid "Subscribe query results"
|
msgid "Subscribe query results"
|
||||||
msgstr ""
|
msgstr "Tilauskyselyn tulokset"
|
||||||
|
|
||||||
#: src/resolve/org.freedesktop.resolve1.policy:144
|
#: src/resolve/org.freedesktop.resolve1.policy:144
|
||||||
#, fuzzy
|
|
||||||
msgid "Authentication is required to subscribe query results."
|
msgid "Authentication is required to subscribe query results."
|
||||||
msgstr "Todennus vaaditaan järjestelmän pysäyttämiseksi väliaikaisesti."
|
msgstr "Todennus vaaditaan kyselytulosten tilaamiseen."
|
||||||
|
|
||||||
#: src/resolve/org.freedesktop.resolve1.policy:154
|
#: src/resolve/org.freedesktop.resolve1.policy:154
|
||||||
msgid "Dump cache"
|
msgid "Dump cache"
|
||||||
msgstr ""
|
msgstr "Tyhjennä välimuisti"
|
||||||
|
|
||||||
#: src/resolve/org.freedesktop.resolve1.policy:155
|
#: src/resolve/org.freedesktop.resolve1.policy:155
|
||||||
#, fuzzy
|
|
||||||
msgid "Authentication is required to dump cache."
|
msgid "Authentication is required to dump cache."
|
||||||
msgstr "Todennus vaaditaan toimialueiden asettamiseen."
|
msgstr "Todennus vaaditaan välimuistin tyhjentämiseen."
|
||||||
|
|
||||||
#: src/resolve/org.freedesktop.resolve1.policy:165
|
#: src/resolve/org.freedesktop.resolve1.policy:165
|
||||||
msgid "Dump server state"
|
msgid "Dump server state"
|
||||||
msgstr ""
|
msgstr "Tyhjennä palvelimen tila"
|
||||||
|
|
||||||
#: src/resolve/org.freedesktop.resolve1.policy:166
|
#: src/resolve/org.freedesktop.resolve1.policy:166
|
||||||
#, fuzzy
|
|
||||||
msgid "Authentication is required to dump server state."
|
msgid "Authentication is required to dump server state."
|
||||||
msgstr "Todennus vaaditaan NTP-palvelimien asettamiseen."
|
msgstr "Todennus vaaditaan palvelimen tilan tyhjentämiseksi."
|
||||||
|
|
||||||
#: src/resolve/org.freedesktop.resolve1.policy:176
|
#: src/resolve/org.freedesktop.resolve1.policy:176
|
||||||
msgid "Dump statistics"
|
msgid "Dump statistics"
|
||||||
msgstr ""
|
msgstr "Tyhjennä tilastot"
|
||||||
|
|
||||||
#: src/resolve/org.freedesktop.resolve1.policy:177
|
#: src/resolve/org.freedesktop.resolve1.policy:177
|
||||||
#, fuzzy
|
|
||||||
msgid "Authentication is required to dump statistics."
|
msgid "Authentication is required to dump statistics."
|
||||||
msgstr "Todennus vaaditaan toimialueiden asettamiseen."
|
msgstr "Todennus vaaditaan tilastojen tyhjentämiseen."
|
||||||
|
|
||||||
#: src/resolve/org.freedesktop.resolve1.policy:187
|
#: src/resolve/org.freedesktop.resolve1.policy:187
|
||||||
msgid "Reset statistics"
|
msgid "Reset statistics"
|
||||||
msgstr ""
|
msgstr "Nollaa tilastot"
|
||||||
|
|
||||||
#: src/resolve/org.freedesktop.resolve1.policy:188
|
#: src/resolve/org.freedesktop.resolve1.policy:188
|
||||||
#, fuzzy
|
|
||||||
msgid "Authentication is required to reset statistics."
|
msgid "Authentication is required to reset statistics."
|
||||||
msgstr "Todennus vaaditaan aiempien NTP-asetusten palauttamiseksi."
|
msgstr "Todennus vaaditaan tilastojen nollaamiseen."
|
||||||
|
|
||||||
#: src/sysupdate/org.freedesktop.sysupdate1.policy:35
|
#: src/sysupdate/org.freedesktop.sysupdate1.policy:35
|
||||||
msgid "Check for system updates"
|
msgid "Check for system updates"
|
||||||
msgstr ""
|
msgstr "Tarkista, onko järjestelmäpäivityksiä"
|
||||||
|
|
||||||
#: src/sysupdate/org.freedesktop.sysupdate1.policy:36
|
#: src/sysupdate/org.freedesktop.sysupdate1.policy:36
|
||||||
#, fuzzy
|
|
||||||
msgid "Authentication is required to check for system updates."
|
msgid "Authentication is required to check for system updates."
|
||||||
msgstr "Todennus vaaditaan järjestelmän ajan asettamiseksi."
|
msgstr "Todennus vaaditaan järjestelmäpäivitysten tarkistamiseen."
|
||||||
|
|
||||||
#: src/sysupdate/org.freedesktop.sysupdate1.policy:45
|
#: src/sysupdate/org.freedesktop.sysupdate1.policy:45
|
||||||
msgid "Install system updates"
|
msgid "Install system updates"
|
||||||
msgstr ""
|
msgstr "Asenna järjestelmäpäivitykset"
|
||||||
|
|
||||||
#: src/sysupdate/org.freedesktop.sysupdate1.policy:46
|
#: src/sysupdate/org.freedesktop.sysupdate1.policy:46
|
||||||
#, fuzzy
|
|
||||||
msgid "Authentication is required to install system updates."
|
msgid "Authentication is required to install system updates."
|
||||||
msgstr "Todennus vaaditaan järjestelmän ajan asettamiseksi."
|
msgstr "Todennus vaaditaan järjestelmäpäivitysten asentamiseen."
|
||||||
|
|
||||||
#: src/sysupdate/org.freedesktop.sysupdate1.policy:55
|
#: src/sysupdate/org.freedesktop.sysupdate1.policy:55
|
||||||
msgid "Install specific system version"
|
msgid "Install specific system version"
|
||||||
msgstr ""
|
msgstr "Asenna tietty järjestelmäversio"
|
||||||
|
|
||||||
#: src/sysupdate/org.freedesktop.sysupdate1.policy:56
|
#: src/sysupdate/org.freedesktop.sysupdate1.policy:56
|
||||||
#, fuzzy
|
|
||||||
msgid ""
|
msgid ""
|
||||||
"Authentication is required to update the system to a specific (possibly old) "
|
"Authentication is required to update the system to a specific (possibly old) "
|
||||||
"version."
|
"version."
|
||||||
msgstr "Todennus vaaditaan järjestelmän aikavyöhykkeen asettamiseksi."
|
msgstr ""
|
||||||
|
"Todennus vaaditaan järjestelmän päivittämiseen tiettyyn, mahdollisesti "
|
||||||
|
"vanhaan versioon."
|
||||||
|
|
||||||
#: src/sysupdate/org.freedesktop.sysupdate1.policy:65
|
#: src/sysupdate/org.freedesktop.sysupdate1.policy:65
|
||||||
msgid "Cleanup old system updates"
|
msgid "Cleanup old system updates"
|
||||||
msgstr ""
|
msgstr "Puhdista vanhat järjestelmäpäivitykset"
|
||||||
|
|
||||||
#: src/sysupdate/org.freedesktop.sysupdate1.policy:66
|
#: src/sysupdate/org.freedesktop.sysupdate1.policy:66
|
||||||
#, fuzzy
|
|
||||||
msgid "Authentication is required to cleanup old system updates."
|
msgid "Authentication is required to cleanup old system updates."
|
||||||
msgstr "Todennus vaaditaan järjestelmän ajan asettamiseksi."
|
msgstr "Todennus vaaditaan vanhojen järjestelmäpäivitysten puhdistamiseen."
|
||||||
|
|
||||||
#: src/timedate/org.freedesktop.timedate1.policy:22
|
#: src/timedate/org.freedesktop.timedate1.policy:22
|
||||||
msgid "Set system time"
|
msgid "Set system time"
|
||||||
|
|
|
@ -0,0 +1,9 @@
|
||||||
|
/* SPDX-License-Identifier: LGPL-2.1-or-later */
|
||||||
|
|
||||||
|
#include "analyze.h"
|
||||||
|
#include "analyze-has-tpm2.h"
|
||||||
|
#include "tpm2-util.h"
|
||||||
|
|
||||||
|
int verb_has_tpm2(int argc, char **argv, void *userdata) {
|
||||||
|
return verb_has_tpm2_generic(arg_quiet);
|
||||||
|
}
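Review bot: The definition spells its second parameter `char **argv` while the header added in the next hunk declares it `char *argv[]`; the types are identical, but keeping one spelling in both places avoids a reader double-checking that they are the same prototype, e.g. `int verb_has_tpm2(int argc, char *argv[], void *userdata) {`. All three parameters are unused and the result depends only on `arg_quiet` (presumably provided by analyze.h); a one-line comment such as `/* Verb wrapper: argc/argv/userdata are unused, the result depends only on --quiet. */` would document that this is intentional.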
|
|
@ -0,0 +1,4 @@
|
||||||
|
/* SPDX-License-Identifier: LGPL-2.1-or-later */
|
||||||
|
#pragma once
|
||||||
|
|
||||||
|
int verb_has_tpm2(int argc, char *argv[], void *userdata);
|
|
@ -26,6 +26,7 @@
|
||||||
#include "analyze-exit-status.h"
|
#include "analyze-exit-status.h"
|
||||||
#include "analyze-fdstore.h"
|
#include "analyze-fdstore.h"
|
||||||
#include "analyze-filesystems.h"
|
#include "analyze-filesystems.h"
|
||||||
|
#include "analyze-has-tpm2.h"
|
||||||
#include "analyze-image-policy.h"
|
#include "analyze-image-policy.h"
|
||||||
#include "analyze-inspect-elf.h"
|
#include "analyze-inspect-elf.h"
|
||||||
#include "analyze-log-control.h"
|
#include "analyze-log-control.h"
|
||||||
|
@ -253,6 +254,7 @@ static int help(int argc, char *argv[], void *userdata) {
|
||||||
"\n%3$sExecutable Analysis:%4$s\n"
|
"\n%3$sExecutable Analysis:%4$s\n"
|
||||||
" inspect-elf FILE... Parse and print ELF package metadata\n"
|
" inspect-elf FILE... Parse and print ELF package metadata\n"
|
||||||
"\n%3$sTPM Operations:%4$s\n"
|
"\n%3$sTPM Operations:%4$s\n"
|
||||||
|
" has-tpm2 Report whether TPM2 support is available\n"
|
||||||
" pcrs [PCR...] Show TPM2 PCRs and their names\n"
|
" pcrs [PCR...] Show TPM2 PCRs and their names\n"
|
||||||
" srk [>FILE] Write TPM2 SRK (to FILE)\n"
|
" srk [>FILE] Write TPM2 SRK (to FILE)\n"
|
||||||
"\n%3$sOptions:%4$s\n"
|
"\n%3$sOptions:%4$s\n"
|
||||||
|
@ -700,6 +702,7 @@ static int run(int argc, char *argv[]) {
|
||||||
{ "malloc", VERB_ANY, VERB_ANY, 0, verb_malloc },
|
{ "malloc", VERB_ANY, VERB_ANY, 0, verb_malloc },
|
||||||
{ "fdstore", 2, VERB_ANY, 0, verb_fdstore },
|
{ "fdstore", 2, VERB_ANY, 0, verb_fdstore },
|
||||||
{ "image-policy", 2, 2, 0, verb_image_policy },
|
{ "image-policy", 2, 2, 0, verb_image_policy },
|
||||||
|
{ "has-tpm2", VERB_ANY, 1, 0, verb_has_tpm2 },
|
||||||
{ "pcrs", VERB_ANY, VERB_ANY, 0, verb_pcrs },
|
{ "pcrs", VERB_ANY, VERB_ANY, 0, verb_pcrs },
|
||||||
{ "srk", VERB_ANY, 1, 0, verb_srk },
|
{ "srk", VERB_ANY, 1, 0, verb_srk },
|
||||||
{ "architectures", VERB_ANY, VERB_ANY, 0, verb_architectures },
|
{ "architectures", VERB_ANY, VERB_ANY, 0, verb_architectures },
|
||||||
|
|
|
@ -14,6 +14,7 @@ systemd_analyze_sources = files(
|
||||||
'analyze-exit-status.c',
|
'analyze-exit-status.c',
|
||||||
'analyze-fdstore.c',
|
'analyze-fdstore.c',
|
||||||
'analyze-filesystems.c',
|
'analyze-filesystems.c',
|
||||||
|
'analyze-has-tpm2.c',
|
||||||
'analyze-image-policy.c',
|
'analyze-image-policy.c',
|
||||||
'analyze-inspect-elf.c',
|
'analyze-inspect-elf.c',
|
||||||
'analyze-log-control.c',
|
'analyze-log-control.c',
|
||||||
|
|
|
@ -221,6 +221,12 @@ const char* const systemd_features =
|
||||||
" -BPF_FRAMEWORK"
|
" -BPF_FRAMEWORK"
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
#if HAVE_VMLINUX_H
|
||||||
|
" +BTF"
|
||||||
|
#else
|
||||||
|
" -BTF"
|
||||||
|
#endif
|
||||||
|
|
||||||
#if HAVE_XKBCOMMON
|
#if HAVE_XKBCOMMON
|
||||||
" +XKBCOMMON"
|
" +XKBCOMMON"
|
||||||
#else
|
#else
|
||||||
|
|
|
@ -145,8 +145,10 @@ int efi_get_variable(
|
||||||
int efi_get_variable_string(const char *variable, char **ret) {
|
int efi_get_variable_string(const char *variable, char **ret) {
|
||||||
_cleanup_free_ void *s = NULL;
|
_cleanup_free_ void *s = NULL;
|
||||||
size_t ss = 0;
|
size_t ss = 0;
|
||||||
int r;
|
|
||||||
char *x;
|
char *x;
|
||||||
|
int r;
|
||||||
|
|
||||||
|
assert(variable);
|
||||||
|
|
||||||
r = efi_get_variable(variable, NULL, &s, &ss);
|
r = efi_get_variable(variable, NULL, &s, &ss);
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
|
@ -156,10 +158,27 @@ int efi_get_variable_string(const char *variable, char **ret) {
|
||||||
if (!x)
|
if (!x)
|
||||||
return -ENOMEM;
|
return -ENOMEM;
|
||||||
|
|
||||||
|
if (ret)
|
||||||
*ret = x;
|
*ret = x;
|
||||||
|
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
int efi_get_variable_path(const char *variable, char **ret) {
|
||||||
|
int r;
|
||||||
|
|
||||||
|
assert(variable);
|
||||||
|
|
||||||
|
r = efi_get_variable_string(variable, ret);
|
||||||
|
if (r < 0)
|
||||||
|
return r;
|
||||||
|
|
||||||
|
if (ret)
|
||||||
|
efi_tilt_backslashes(*ret);
|
||||||
|
|
||||||
|
return r;
|
||||||
|
}
|
||||||
|
|
||||||
static int efi_verify_variable(const char *variable, uint32_t attr, const void *value, size_t size) {
|
static int efi_verify_variable(const char *variable, uint32_t attr, const void *value, size_t size) {
|
||||||
_cleanup_free_ void *buf = NULL;
|
_cleanup_free_ void *buf = NULL;
|
||||||
size_t n;
|
size_t n;
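Review bot: The new `if (ret)` guard in efi_get_variable_string leaks `x` when the caller passes `ret == NULL`: `x` stays a plain `char *` in the previous hunk, so the string assigned to it between the two hunks is never freed on that path. Declare it `_cleanup_free_ char *x = NULL;` in the previous hunk and hand it over with `*ret = TAKE_PTR(x);`, so a NULL-`ret` probe for the variable's existence frees the conversion result. efi_get_variable_path is consistent with that contract, since it only calls efi_tilt_backslashes when `ret` is non-NULL.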
|
||||||
|
|
|
@ -11,6 +11,7 @@
|
||||||
#include "sd-id128.h"
|
#include "sd-id128.h"
|
||||||
|
|
||||||
#include "efivars-fundamental.h"
|
#include "efivars-fundamental.h"
|
||||||
|
#include "string-util.h"
|
||||||
#include "time-util.h"
|
#include "time-util.h"
|
||||||
|
|
||||||
#define EFI_VENDOR_LOADER SD_ID128_MAKE(4a,67,b0,82,0a,4c,41,cf,b6,c7,44,0b,29,bb,8c,4f)
|
#define EFI_VENDOR_LOADER SD_ID128_MAKE(4a,67,b0,82,0a,4c,41,cf,b6,c7,44,0b,29,bb,8c,4f)
|
||||||
|
@ -47,6 +48,7 @@
|
||||||
|
|
||||||
int efi_get_variable(const char *variable, uint32_t *attribute, void **ret_value, size_t *ret_size);
|
int efi_get_variable(const char *variable, uint32_t *attribute, void **ret_value, size_t *ret_size);
|
||||||
int efi_get_variable_string(const char *variable, char **ret);
|
int efi_get_variable_string(const char *variable, char **ret);
|
||||||
|
int efi_get_variable_path(const char *variable, char **ret);
|
||||||
int efi_set_variable(const char *variable, const void *value, size_t size);
|
int efi_set_variable(const char *variable, const void *value, size_t size);
|
||||||
int efi_set_variable_string(const char *variable, const char *p);
|
int efi_set_variable_string(const char *variable, const char *p);
|
||||||
|
|
||||||
|
@ -68,6 +70,10 @@ static inline int efi_get_variable_string(const char *variable, char **ret) {
|
||||||
return -EOPNOTSUPP;
|
return -EOPNOTSUPP;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
static inline int efi_get_variable_path(const char *variable, char **ret) {
|
||||||
|
return -EOPNOTSUPP;
|
||||||
|
}
|
||||||
|
|
||||||
static inline int efi_set_variable(const char *variable, const void *value, size_t size) {
|
static inline int efi_set_variable(const char *variable, const void *value, size_t size) {
|
||||||
return -EOPNOTSUPP;
|
return -EOPNOTSUPP;
|
||||||
}
|
}
|
||||||
|
@ -100,3 +106,7 @@ static inline int systemd_efi_options_efivarfs_if_newer(char **line) {
|
||||||
return -ENODATA;
|
return -ENODATA;
|
||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
static inline char *efi_tilt_backslashes(char *s) {
|
||||||
|
return string_replace_char(s, '\\', '/');
|
||||||
|
}
|
||||||
|
|
|
@ -0,0 +1,37 @@
|
||||||
|
/* SPDX-License-Identifier: LGPL-2.1-or-later */
|
||||||
|
|
||||||
|
#include "format-ifname.h"
|
||||||
|
#include "string-util.h"
|
||||||
|
|
||||||
|
assert_cc(STRLEN("%") + DECIMAL_STR_MAX(int) <= IF_NAMESIZE);
|
||||||
|
|
||||||
|
int format_ifname_full(int ifindex, FormatIfnameFlag flag, char buf[static IF_NAMESIZE]) {
|
||||||
|
if (ifindex <= 0)
|
||||||
|
return -EINVAL;
|
||||||
|
|
||||||
|
if (if_indextoname(ifindex, buf))
|
||||||
|
return 0;
|
||||||
|
|
||||||
|
if (!FLAGS_SET(flag, FORMAT_IFNAME_IFINDEX))
|
||||||
|
return -errno;
|
||||||
|
|
||||||
|
if (FLAGS_SET(flag, FORMAT_IFNAME_IFINDEX_WITH_PERCENT))
|
||||||
|
assert_se(snprintf_ok(buf, IF_NAMESIZE, "%%%d", ifindex));
|
||||||
|
else
|
||||||
|
assert_se(snprintf_ok(buf, IF_NAMESIZE, "%d", ifindex));
|
||||||
|
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
int format_ifname_full_alloc(int ifindex, FormatIfnameFlag flag, char **ret) {
|
||||||
|
char buf[IF_NAMESIZE];
|
||||||
|
int r;
|
||||||
|
|
||||||
|
assert(ret);
|
||||||
|
|
||||||
|
r = format_ifname_full(ifindex, flag, buf);
|
||||||
|
if (r < 0)
|
||||||
|
return r;
|
||||||
|
|
||||||
|
return strdup_to(ret, buf);
|
||||||
|
}
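Review bot: The new translation unit relies on `snprintf_ok`, `FLAGS_SET`, `DECIMAL_STR_MAX` and `assert_cc` but includes only format-ifname.h and string-util.h, whereas the code it was moved from lived in a file that includes stdio-util.h; if those names only arrive transitively, add `#include "stdio-util.h"` (and whatever header provides `FLAGS_SET`) so the file states its own dependencies. The change from `assert` to `assert_se` around the snprintf is right, because the call has the side effect of filling `buf`. `return -errno` after the `FLAGS_SET` check presumably still reports if_indextoname's errno because the flag check has no side effects, but a short comment `/* errno is still if_indextoname's here */` would make that ordering explicit.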
|
|
@ -0,0 +1,27 @@
|
||||||
|
/* SPDX-License-Identifier: LGPL-2.1-or-later */
|
||||||
|
#pragma once
|
||||||
|
|
||||||
|
#include <net/if.h>
|
||||||
|
|
||||||
|
typedef enum {
|
||||||
|
FORMAT_IFNAME_IFINDEX = 1 << 0,
|
||||||
|
FORMAT_IFNAME_IFINDEX_WITH_PERCENT = (1 << 1) | FORMAT_IFNAME_IFINDEX,
|
||||||
|
} FormatIfnameFlag;
|
||||||
|
|
||||||
|
int format_ifname_full(int ifindex, FormatIfnameFlag flag, char buf[static IF_NAMESIZE]);
|
||||||
|
int format_ifname_full_alloc(int ifindex, FormatIfnameFlag flag, char **ret);
|
||||||
|
|
||||||
|
static inline int format_ifname(int ifindex, char buf[static IF_NAMESIZE]) {
|
||||||
|
return format_ifname_full(ifindex, 0, buf);
|
||||||
|
}
|
||||||
|
static inline int format_ifname_alloc(int ifindex, char **ret) {
|
||||||
|
return format_ifname_full_alloc(ifindex, 0, ret);
|
||||||
|
}
|
||||||
|
|
||||||
|
static inline char* _format_ifname_full(int ifindex, FormatIfnameFlag flag, char buf[static IF_NAMESIZE]) {
|
||||||
|
(void) format_ifname_full(ifindex, flag, buf);
|
||||||
|
return buf;
|
||||||
|
}
|
||||||
|
|
||||||
|
#define FORMAT_IFNAME_FULL(index, flag) _format_ifname_full(index, flag, (char[IF_NAMESIZE]){})
|
||||||
|
#define FORMAT_IFNAME(index) _format_ifname_full(index, 0, (char[IF_NAMESIZE]){})
|
|
@ -5,38 +5,6 @@
|
||||||
#include "stdio-util.h"
|
#include "stdio-util.h"
|
||||||
#include "strxcpyx.h"
|
#include "strxcpyx.h"
|
||||||
|
|
||||||
assert_cc(STRLEN("%") + DECIMAL_STR_MAX(int) <= IF_NAMESIZE);
|
|
||||||
int format_ifname_full(int ifindex, FormatIfnameFlag flag, char buf[static IF_NAMESIZE]) {
|
|
||||||
if (ifindex <= 0)
|
|
||||||
return -EINVAL;
|
|
||||||
|
|
||||||
if (if_indextoname(ifindex, buf))
|
|
||||||
return 0;
|
|
||||||
|
|
||||||
if (!FLAGS_SET(flag, FORMAT_IFNAME_IFINDEX))
|
|
||||||
return -errno;
|
|
||||||
|
|
||||||
if (FLAGS_SET(flag, FORMAT_IFNAME_IFINDEX_WITH_PERCENT))
|
|
||||||
assert(snprintf_ok(buf, IF_NAMESIZE, "%%%d", ifindex));
|
|
||||||
else
|
|
||||||
assert(snprintf_ok(buf, IF_NAMESIZE, "%d", ifindex));
|
|
||||||
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
int format_ifname_full_alloc(int ifindex, FormatIfnameFlag flag, char **ret) {
|
|
||||||
char buf[IF_NAMESIZE];
|
|
||||||
int r;
|
|
||||||
|
|
||||||
assert(ret);
|
|
||||||
|
|
||||||
r = format_ifname_full(ifindex, flag, buf);
|
|
||||||
if (r < 0)
|
|
||||||
return r;
|
|
||||||
|
|
||||||
return strdup_to(ret, buf);
|
|
||||||
}
|
|
||||||
|
|
||||||
char* format_bytes_full(char *buf, size_t l, uint64_t t, FormatBytesFlag flag) {
|
char* format_bytes_full(char *buf, size_t l, uint64_t t, FormatBytesFlag flag) {
|
||||||
typedef struct {
|
typedef struct {
|
||||||
const char *suffix;
|
const char *suffix;
|
||||||
|
|
|
@ -2,7 +2,6 @@
|
||||||
#pragma once
|
#pragma once
|
||||||
|
|
||||||
#include <inttypes.h>
|
#include <inttypes.h>
|
||||||
#include <net/if.h>
|
|
||||||
#include <stdbool.h>
|
#include <stdbool.h>
|
||||||
|
|
||||||
#include "cgroup-util.h"
|
#include "cgroup-util.h"
|
||||||
|
@ -66,29 +65,6 @@ assert_cc(sizeof(gid_t) == sizeof(uint32_t));
|
||||||
# error Unknown ino_t size
|
# error Unknown ino_t size
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
typedef enum {
|
|
||||||
FORMAT_IFNAME_IFINDEX = 1 << 0,
|
|
||||||
FORMAT_IFNAME_IFINDEX_WITH_PERCENT = (1 << 1) | FORMAT_IFNAME_IFINDEX,
|
|
||||||
} FormatIfnameFlag;
|
|
||||||
|
|
||||||
int format_ifname_full(int ifindex, FormatIfnameFlag flag, char buf[static IF_NAMESIZE]);
|
|
||||||
int format_ifname_full_alloc(int ifindex, FormatIfnameFlag flag, char **ret);
|
|
||||||
|
|
||||||
static inline int format_ifname(int ifindex, char buf[static IF_NAMESIZE]) {
|
|
||||||
return format_ifname_full(ifindex, 0, buf);
|
|
||||||
}
|
|
||||||
static inline int format_ifname_alloc(int ifindex, char **ret) {
|
|
||||||
return format_ifname_full_alloc(ifindex, 0, ret);
|
|
||||||
}
|
|
||||||
|
|
||||||
static inline char* _format_ifname_full(int ifindex, FormatIfnameFlag flag, char buf[static IF_NAMESIZE]) {
|
|
||||||
(void) format_ifname_full(ifindex, flag, buf);
|
|
||||||
return buf;
|
|
||||||
}
|
|
||||||
|
|
||||||
#define FORMAT_IFNAME_FULL(index, flag) _format_ifname_full(index, flag, (char[IF_NAMESIZE]){})
|
|
||||||
#define FORMAT_IFNAME(index) _format_ifname_full(index, 0, (char[IF_NAMESIZE]){})
|
|
||||||
|
|
||||||
typedef enum {
|
typedef enum {
|
||||||
FORMAT_BYTES_USE_IEC = 1 << 0,
|
FORMAT_BYTES_USE_IEC = 1 << 0,
|
||||||
FORMAT_BYTES_BELOW_POINT = 1 << 1,
|
FORMAT_BYTES_BELOW_POINT = 1 << 1,
|
||||||
|
|
|
@ -300,9 +300,10 @@ int log_emergency_level(void);
|
||||||
#define log_dump(level, buffer) \
|
#define log_dump(level, buffer) \
|
||||||
log_dump_internal(level, 0, PROJECT_FILE, __LINE__, __func__, buffer)
|
log_dump_internal(level, 0, PROJECT_FILE, __LINE__, __func__, buffer)
|
||||||
|
|
||||||
#define log_oom() log_oom_internal(LOG_ERR, PROJECT_FILE, __LINE__, __func__)
|
#define log_oom_full(level) log_oom_internal(level, PROJECT_FILE, __LINE__, __func__)
|
||||||
#define log_oom_debug() log_oom_internal(LOG_DEBUG, PROJECT_FILE, __LINE__, __func__)
|
#define log_oom() log_oom_full(LOG_ERR)
|
||||||
#define log_oom_warning() log_oom_internal(LOG_WARNING, PROJECT_FILE, __LINE__, __func__)
|
#define log_oom_debug() log_oom_full(LOG_DEBUG)
|
||||||
|
#define log_oom_warning() log_oom_full(LOG_WARNING)
|
||||||
|
|
||||||
bool log_on_console(void) _pure_;
|
bool log_on_console(void) _pure_;
|
||||||
|
|
||||||
|
|
|
@ -33,6 +33,7 @@ basic_sources = files(
|
||||||
'fd-util.c',
|
'fd-util.c',
|
||||||
'fileio.c',
|
'fileio.c',
|
||||||
'filesystems.c',
|
'filesystems.c',
|
||||||
|
'format-ifname.c',
|
||||||
'format-util.c',
|
'format-util.c',
|
||||||
'fs-util.c',
|
'fs-util.c',
|
||||||
'gcrypt-util.c',
|
'gcrypt-util.c',
|
||||||
|
|
|
@ -28,7 +28,7 @@ int sigaction_many_internal(const struct sigaction *sa, ...);
|
||||||
int sigset_add_many_internal(sigset_t *ss, ...);
|
int sigset_add_many_internal(sigset_t *ss, ...);
|
||||||
#define sigset_add_many(...) sigset_add_many_internal(__VA_ARGS__, -1)
|
#define sigset_add_many(...) sigset_add_many_internal(__VA_ARGS__, -1)
|
||||||
|
|
||||||
int sigprocmask_many_internal(int how, sigset_t *old, ...);
|
int sigprocmask_many_internal(int how, sigset_t *ret_old_mask, ...);
|
||||||
#define sigprocmask_many(...) sigprocmask_many_internal(__VA_ARGS__, -1)
|
#define sigprocmask_many(...) sigprocmask_many_internal(__VA_ARGS__, -1)
|
||||||
|
|
||||||
const char* signal_to_string(int i) _const_;
|
const char* signal_to_string(int i) _const_;
|
||||||
|
|
|
@ -21,7 +21,7 @@
|
||||||
#include "escape.h"
|
#include "escape.h"
|
||||||
#include "fd-util.h"
|
#include "fd-util.h"
|
||||||
#include "fileio.h"
|
#include "fileio.h"
|
||||||
#include "format-util.h"
|
#include "format-ifname.h"
|
||||||
#include "io-util.h"
|
#include "io-util.h"
|
||||||
#include "log.h"
|
#include "log.h"
|
||||||
#include "memory-util.h"
|
#include "memory-util.h"
|
||||||
|
|
|
@ -153,7 +153,7 @@ bool strv_overlap(char * const *a, char * const *b) _pure_;
|
||||||
_STRV_FOREACH_BACKWARDS(s, l, UNIQ_T(h, UNIQ), UNIQ_T(i, UNIQ))
|
_STRV_FOREACH_BACKWARDS(s, l, UNIQ_T(h, UNIQ), UNIQ_T(i, UNIQ))
|
||||||
|
|
||||||
#define _STRV_FOREACH_PAIR(x, y, l, i) \
|
#define _STRV_FOREACH_PAIR(x, y, l, i) \
|
||||||
for (typeof(*l) *x, *y, *i = (l); \
|
for (typeof(*(l)) *x, *y, *i = (l); \
|
||||||
i && *(x = i) && *(y = i + 1); \
|
i && *(x = i) && *(y = i + 1); \
|
||||||
i += 2)
|
i += 2)
|
||||||
|
|
||||||
|
|
|
@ -95,7 +95,6 @@ fsopen
|
||||||
fspick
|
fspick
|
||||||
fstat
|
fstat
|
||||||
fstat64
|
fstat64
|
||||||
fstatat
|
|
||||||
fstatat64
|
fstatat64
|
||||||
fstatfs
|
fstatfs
|
||||||
fstatfs64
|
fstatfs64
|
||||||
|
@ -247,7 +246,6 @@ munlockall
|
||||||
munmap
|
munmap
|
||||||
name_to_handle_at
|
name_to_handle_at
|
||||||
nanosleep
|
nanosleep
|
||||||
newfstat
|
|
||||||
newfstatat
|
newfstatat
|
||||||
nice
|
nice
|
||||||
old_adjtimex
|
old_adjtimex
|
||||||
|
|
|
@ -95,7 +95,6 @@ fsopen 540
|
||||||
fspick 543
|
fspick 543
|
||||||
fstat 91
|
fstat 91
|
||||||
fstat64 427
|
fstat64 427
|
||||||
fstatat
|
|
||||||
fstatat64 455
|
fstatat64 455
|
||||||
fstatfs 329
|
fstatfs 329
|
||||||
fstatfs64 529
|
fstatfs64 529
|
||||||
|
@ -247,7 +246,6 @@ munlockall 317
|
||||||
munmap 73
|
munmap 73
|
||||||
name_to_handle_at 497
|
name_to_handle_at 497
|
||||||
nanosleep 340
|
nanosleep 340
|
||||||
newfstat
|
|
||||||
newfstatat
|
newfstatat
|
||||||
nice
|
nice
|
||||||
old_adjtimex 303
|
old_adjtimex 303
|
||||||
|
|
|
@ -95,7 +95,6 @@ fsopen 430
|
||||||
fspick 433
|
fspick 433
|
||||||
fstat
|
fstat
|
||||||
fstat64 80
|
fstat64 80
|
||||||
fstatat
|
|
||||||
fstatat64 79
|
fstatat64 79
|
||||||
fstatfs
|
fstatfs
|
||||||
fstatfs64 44
|
fstatfs64 44
|
||||||
|
@ -247,7 +246,6 @@ munlockall 231
|
||||||
munmap 215
|
munmap 215
|
||||||
name_to_handle_at 264
|
name_to_handle_at 264
|
||||||
nanosleep 101
|
nanosleep 101
|
||||||
newfstat
|
|
||||||
newfstatat
|
newfstatat
|
||||||
nice
|
nice
|
||||||
old_adjtimex
|
old_adjtimex
|
||||||
|
|
|
@ -95,7 +95,6 @@ fsopen 430
|
||||||
fspick 433
|
fspick 433
|
||||||
fstat 108
|
fstat 108
|
||||||
fstat64 197
|
fstat64 197
|
||||||
fstatat
|
|
||||||
fstatat64 327
|
fstatat64 327
|
||||||
fstatfs 100
|
fstatfs 100
|
||||||
fstatfs64 267
|
fstatfs64 267
|
||||||
|
@ -247,7 +246,6 @@ munlockall 153
|
||||||
munmap 91
|
munmap 91
|
||||||
name_to_handle_at 370
|
name_to_handle_at 370
|
||||||
nanosleep 162
|
nanosleep 162
|
||||||
newfstat
|
|
||||||
newfstatat
|
newfstatat
|
||||||
nice 34
|
nice 34
|
||||||
old_adjtimex
|
old_adjtimex
|
||||||
|
|
|
@ -93,9 +93,8 @@ fsetxattr 7
|
||||||
fsmount 432
|
fsmount 432
|
||||||
fsopen 430
|
fsopen 430
|
||||||
fspick 433
|
fspick 433
|
||||||
fstat
|
fstat 80
|
||||||
fstat64
|
fstat64
|
||||||
fstatat
|
|
||||||
fstatat64
|
fstatat64
|
||||||
fstatfs 44
|
fstatfs 44
|
||||||
fstatfs64
|
fstatfs64
|
||||||
|
@ -247,7 +246,6 @@ munlockall 231
|
||||||
munmap 215
|
munmap 215
|
||||||
name_to_handle_at 264
|
name_to_handle_at 264
|
||||||
nanosleep 101
|
nanosleep 101
|
||||||
newfstat 80
|
|
||||||
newfstatat 79
|
newfstatat 79
|
||||||
nice
|
nice
|
||||||
old_adjtimex
|
old_adjtimex
|
||||||
|
|
|
@ -95,7 +95,6 @@ fsopen 430
|
||||||
fspick 433
|
fspick 433
|
||||||
fstat 108
|
fstat 108
|
||||||
fstat64 197
|
fstat64 197
|
||||||
fstatat
|
|
||||||
fstatat64 300
|
fstatat64 300
|
||||||
fstatfs 100
|
fstatfs 100
|
||||||
fstatfs64 269
|
fstatfs64 269
|
||||||
|
@ -247,7 +246,6 @@ munlockall 153
|
||||||
munmap 91
|
munmap 91
|
||||||
name_to_handle_at 341
|
name_to_handle_at 341
|
||||||
nanosleep 162
|
nanosleep 162
|
||||||
newfstat
|
|
||||||
newfstatat
|
newfstatat
|
||||||
nice 34
|
nice 34
|
||||||
old_adjtimex
|
old_adjtimex
|
||||||
|
|
|
@ -93,9 +93,8 @@ fsetxattr 7
|
||||||
fsmount 432
|
fsmount 432
|
||||||
fsopen 430
|
fsopen 430
|
||||||
fspick 433
|
fspick 433
|
||||||
fstat
|
fstat 80
|
||||||
fstat64
|
fstat64
|
||||||
fstatat
|
|
||||||
fstatat64
|
fstatat64
|
||||||
fstatfs 44
|
fstatfs 44
|
||||||
fstatfs64
|
fstatfs64
|
||||||
|
@ -247,7 +246,6 @@ munlockall 231
|
||||||
munmap 215
|
munmap 215
|
||||||
name_to_handle_at 264
|
name_to_handle_at 264
|
||||||
nanosleep 101
|
nanosleep 101
|
||||||
newfstat 80
|
|
||||||
newfstatat 79
|
newfstatat 79
|
||||||
nice
|
nice
|
||||||
old_adjtimex
|
old_adjtimex
|
||||||
|
|
|
@ -95,7 +95,6 @@ fsopen 430
|
||||||
fspick 433
|
fspick 433
|
||||||
fstat 108
|
fstat 108
|
||||||
fstat64 197
|
fstat64 197
|
||||||
fstatat
|
|
||||||
fstatat64 293
|
fstatat64 293
|
||||||
fstatfs 100
|
fstatfs 100
|
||||||
fstatfs64 264
|
fstatfs64 264
|
||||||
|
@ -247,7 +246,6 @@ munlockall 153
|
||||||
munmap 91
|
munmap 91
|
||||||
name_to_handle_at 340
|
name_to_handle_at 340
|
||||||
nanosleep 162
|
nanosleep 162
|
||||||
newfstat
|
|
||||||
newfstatat
|
newfstatat
|
||||||
nice 34
|
nice 34
|
||||||
old_adjtimex
|
old_adjtimex
|
||||||
|
|
|
@ -95,7 +95,6 @@ fsopen 5430
|
||||||
fspick 5433
|
fspick 5433
|
||||||
fstat 5005
|
fstat 5005
|
||||||
fstat64
|
fstat64
|
||||||
fstatat
|
|
||||||
fstatat64
|
fstatat64
|
||||||
fstatfs 5135
|
fstatfs 5135
|
||||||
fstatfs64
|
fstatfs64
|
||||||
|
@ -247,7 +246,6 @@ munlockall 5149
|
||||||
munmap 5011
|
munmap 5011
|
||||||
name_to_handle_at 5298
|
name_to_handle_at 5298
|
||||||
nanosleep 5034
|
nanosleep 5034
|
||||||
newfstat
|
|
||||||
newfstatat 5252
|
newfstatat 5252
|
||||||
nice
|
nice
|
||||||
old_adjtimex
|
old_adjtimex
|
||||||
|
|
|
@ -95,7 +95,6 @@ fsopen 6430
|
||||||
fspick 6433
|
fspick 6433
|
||||||
fstat 6005
|
fstat 6005
|
||||||
fstat64
|
fstat64
|
||||||
fstatat
|
|
||||||
fstatat64
|
fstatat64
|
||||||
fstatfs 6135
|
fstatfs 6135
|
||||||
fstatfs64 6218
|
fstatfs64 6218
|
||||||
|
@ -247,7 +246,6 @@ munlockall 6149
|
||||||
munmap 6011
|
munmap 6011
|
||||||
name_to_handle_at 6303
|
name_to_handle_at 6303
|
||||||
nanosleep 6034
|
nanosleep 6034
|
||||||
newfstat
|
|
||||||
newfstatat 6256
|
newfstatat 6256
|
||||||
nice
|
nice
|
||||||
old_adjtimex
|
old_adjtimex
|
||||||
|
|
|
@ -95,7 +95,6 @@ fsopen 4430
|
||||||
fspick 4433
|
fspick 4433
|
||||||
fstat 4108
|
fstat 4108
|
||||||
fstat64 4215
|
fstat64 4215
|
||||||
fstatat
|
|
||||||
fstatat64 4293
|
fstatat64 4293
|
||||||
fstatfs 4100
|
fstatfs 4100
|
||||||
fstatfs64 4256
|
fstatfs64 4256
|
||||||
|
@ -247,7 +246,6 @@ munlockall 4157
|
||||||
munmap 4091
|
munmap 4091
|
||||||
name_to_handle_at 4339
|
name_to_handle_at 4339
|
||||||
nanosleep 4166
|
nanosleep 4166
|
||||||
newfstat
|
|
||||||
newfstatat
|
newfstatat
|
||||||
nice 4034
|
nice 4034
|
||||||
old_adjtimex
|
old_adjtimex
|
||||||
|
|
|
@ -95,7 +95,6 @@ fsopen 430
|
||||||
fspick 433
|
fspick 433
|
||||||
fstat 28
|
fstat 28
|
||||||
fstat64 112
|
fstat64 112
|
||||||
fstatat
|
|
||||||
fstatat64 280
|
fstatat64 280
|
||||||
fstatfs 100
|
fstatfs 100
|
||||||
fstatfs64 299
|
fstatfs64 299
|
||||||
|
@ -247,7 +246,6 @@ munlockall 153
|
||||||
munmap 91
|
munmap 91
|
||||||
name_to_handle_at 325
|
name_to_handle_at 325
|
||||||
nanosleep 162
|
nanosleep 162
|
||||||
newfstat
|
|
||||||
newfstatat
|
newfstatat
|
||||||
nice 34
|
nice 34
|
||||||
old_adjtimex
|
old_adjtimex
|
||||||
|
|
|
@ -95,7 +95,6 @@ fsopen 430
|
||||||
fspick 433
|
fspick 433
|
||||||
fstat 108
|
fstat 108
|
||||||
fstat64 197
|
fstat64 197
|
||||||
fstatat
|
|
||||||
fstatat64 291
|
fstatat64 291
|
||||||
fstatfs 100
|
fstatfs 100
|
||||||
fstatfs64 253
|
fstatfs64 253
|
||||||
|
@ -247,7 +246,6 @@ munlockall 153
|
||||||
munmap 91
|
munmap 91
|
||||||
name_to_handle_at 345
|
name_to_handle_at 345
|
||||||
nanosleep 162
|
nanosleep 162
|
||||||
newfstat
|
|
||||||
newfstatat
|
newfstatat
|
||||||
nice 34
|
nice 34
|
||||||
old_adjtimex
|
old_adjtimex
|
||||||
|
|
|
@ -95,7 +95,6 @@ fsopen 430
|
||||||
fspick 433
|
fspick 433
|
||||||
fstat 108
|
fstat 108
|
||||||
fstat64
|
fstat64
|
||||||
fstatat
|
|
||||||
fstatat64
|
fstatat64
|
||||||
fstatfs 100
|
fstatfs 100
|
||||||
fstatfs64 253
|
fstatfs64 253
|
||||||
|
@ -247,7 +246,6 @@ munlockall 153
|
||||||
munmap 91
|
munmap 91
|
||||||
name_to_handle_at 345
|
name_to_handle_at 345
|
||||||
nanosleep 162
|
nanosleep 162
|
||||||
newfstat
|
|
||||||
newfstatat 291
|
newfstatat 291
|
||||||
nice 34
|
nice 34
|
||||||
old_adjtimex
|
old_adjtimex
|
||||||
|
|
|
@ -95,7 +95,6 @@ fsopen 430
|
||||||
fspick 433
|
fspick 433
|
||||||
fstat
|
fstat
|
||||||
fstat64
|
fstat64
|
||||||
fstatat
|
|
||||||
fstatat64
|
fstatat64
|
||||||
fstatfs
|
fstatfs
|
||||||
fstatfs64 44
|
fstatfs64 44
|
||||||
|
@ -247,7 +246,6 @@ munlockall 231
|
||||||
munmap 215
|
munmap 215
|
||||||
name_to_handle_at 264
|
name_to_handle_at 264
|
||||||
nanosleep
|
nanosleep
|
||||||
newfstat
|
|
||||||
newfstatat
|
newfstatat
|
||||||
nice
|
nice
|
||||||
old_adjtimex
|
old_adjtimex
|
||||||
|
|
|
@ -93,9 +93,8 @@ fsetxattr 7
|
||||||
fsmount 432
|
fsmount 432
|
||||||
fsopen 430
|
fsopen 430
|
||||||
fspick 433
|
fspick 433
|
||||||
fstat
|
fstat 80
|
||||||
fstat64
|
fstat64
|
||||||
fstatat
|
|
||||||
fstatat64
|
fstatat64
|
||||||
fstatfs 44
|
fstatfs 44
|
||||||
fstatfs64
|
fstatfs64
|
||||||
|
@ -247,7 +246,6 @@ munlockall 231
|
||||||
munmap 215
|
munmap 215
|
||||||
name_to_handle_at 264
|
name_to_handle_at 264
|
||||||
nanosleep 101
|
nanosleep 101
|
||||||
newfstat 80
|
|
||||||
newfstatat 79
|
newfstatat 79
|
||||||
nice
|
nice
|
||||||
old_adjtimex
|
old_adjtimex
|
||||||
|
|
|
@ -95,7 +95,6 @@ fsopen 430
|
||||||
fspick 433
|
fspick 433
|
||||||
fstat 108
|
fstat 108
|
||||||
fstat64 197
|
fstat64 197
|
||||||
fstatat
|
|
||||||
fstatat64 293
|
fstatat64 293
|
||||||
fstatfs 100
|
fstatfs 100
|
||||||
fstatfs64 266
|
fstatfs64 266
|
||||||
|
@ -247,7 +246,6 @@ munlockall 153
|
||||||
munmap 91
|
munmap 91
|
||||||
name_to_handle_at 335
|
name_to_handle_at 335
|
||||||
nanosleep 162
|
nanosleep 162
|
||||||
newfstat
|
|
||||||
newfstatat
|
newfstatat
|
||||||
nice 34
|
nice 34
|
||||||
old_adjtimex
|
old_adjtimex
|
||||||
|
|
|
@ -95,7 +95,6 @@ fsopen 430
|
||||||
fspick 433
|
fspick 433
|
||||||
fstat 108
|
fstat 108
|
||||||
fstat64
|
fstat64
|
||||||
fstatat
|
|
||||||
fstatat64
|
fstatat64
|
||||||
fstatfs 100
|
fstatfs 100
|
||||||
fstatfs64 266
|
fstatfs64 266
|
||||||
|
@ -247,7 +246,6 @@ munlockall 153
|
||||||
munmap 91
|
munmap 91
|
||||||
name_to_handle_at 335
|
name_to_handle_at 335
|
||||||
nanosleep 162
|
nanosleep 162
|
||||||
newfstat
|
|
||||||
newfstatat 293
|
newfstatat 293
|
||||||
nice 34
|
nice 34
|
||||||
old_adjtimex
|
old_adjtimex
|
||||||
|
|
|
@ -95,7 +95,6 @@ fsopen 430
|
||||||
fspick 433
|
fspick 433
|
||||||
fstat 62
|
fstat 62
|
||||||
fstat64 63
|
fstat64 63
|
||||||
fstatat
|
|
||||||
fstatat64 289
|
fstatat64 289
|
||||||
fstatfs 158
|
fstatfs 158
|
||||||
fstatfs64 235
|
fstatfs64 235
|
||||||
|
@ -247,7 +246,6 @@ munlockall 240
|
||||||
munmap 73
|
munmap 73
|
||||||
name_to_handle_at 332
|
name_to_handle_at 332
|
||||||
nanosleep 249
|
nanosleep 249
|
||||||
newfstat
|
|
||||||
newfstatat
|
newfstatat
|
||||||
nice 34
|
nice 34
|
||||||
old_adjtimex
|
old_adjtimex
|
||||||
|
|
|
@ -95,7 +95,6 @@ fsopen 430
|
||||||
fspick 433
|
fspick 433
|
||||||
fstat 5
|
fstat 5
|
||||||
fstat64
|
fstat64
|
||||||
fstatat
|
|
||||||
fstatat64
|
fstatat64
|
||||||
fstatfs 138
|
fstatfs 138
|
||||||
fstatfs64
|
fstatfs64
|
||||||
|
@ -247,7 +246,6 @@ munlockall 152
|
||||||
munmap 11
|
munmap 11
|
||||||
name_to_handle_at 303
|
name_to_handle_at 303
|
||||||
nanosleep 35
|
nanosleep 35
|
||||||
newfstat
|
|
||||||
newfstatat 262
|
newfstatat 262
|
||||||
nice
|
nice
|
||||||
old_adjtimex
|
old_adjtimex
|
||||||
|
|
|
@ -44,8 +44,42 @@ char* sysctl_normalize(char *s) {
|
||||||
return s;
|
return s;
|
||||||
}
|
}
|
||||||
|
|
||||||
int sysctl_write(const char *property, const char *value) {
|
static int shadow_update(Hashmap **shadow, const char *property, const char *value) {
|
||||||
|
_cleanup_free_ char *k = NULL, *v = NULL, *cur_k = NULL, *cur_v = NULL;
|
||||||
|
int r;
|
||||||
|
|
||||||
|
assert(property);
|
||||||
|
assert(value);
|
||||||
|
|
||||||
|
if (!shadow)
|
||||||
|
return 0;
|
||||||
|
|
||||||
|
k = strdup(property);
|
||||||
|
if (!k)
|
||||||
|
return -ENOMEM;
|
||||||
|
|
||||||
|
v = strdup(value);
|
||||||
|
if (!v)
|
||||||
|
return -ENOMEM;
|
||||||
|
|
||||||
|
cur_v = hashmap_remove2(*shadow, k, (void**)&cur_k);
|
||||||
|
|
||||||
|
r = hashmap_ensure_put(shadow, &path_hash_ops_free_free, k, v);
|
||||||
|
if (r < 0) {
|
||||||
|
assert(r != -EEXIST);
|
||||||
|
|
||||||
|
return r;
|
||||||
|
}
|
||||||
|
|
||||||
|
TAKE_PTR(k);
|
||||||
|
TAKE_PTR(v);
|
||||||
|
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
int sysctl_write_full(const char *property, const char *value, Hashmap **shadow) {
|
||||||
char *p;
|
char *p;
|
||||||
|
int r;
|
||||||
|
|
||||||
assert(property);
|
assert(property);
|
||||||
assert(value);
|
assert(value);
|
||||||
|
@ -58,6 +92,10 @@ int sysctl_write(const char *property, const char *value) {
|
||||||
|
|
||||||
log_debug("Setting '%s' to '%s'", p, value);
|
log_debug("Setting '%s' to '%s'", p, value);
|
||||||
|
|
||||||
|
r = shadow_update(shadow, p, value);
|
||||||
|
if (r < 0)
|
||||||
|
return r;
|
||||||
|
|
||||||
return write_string_file(p, value, WRITE_STRING_FILE_VERIFY_ON_FAILURE | WRITE_STRING_FILE_DISABLE_BUFFER | WRITE_STRING_FILE_SUPPRESS_REDUNDANT_VIRTUAL);
|
return write_string_file(p, value, WRITE_STRING_FILE_VERIFY_ON_FAILURE | WRITE_STRING_FILE_DISABLE_BUFFER | WRITE_STRING_FILE_SUPPRESS_REDUNDANT_VIRTUAL);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -76,7 +114,7 @@ int sysctl_writef(const char *property, const char *format, ...) {
|
||||||
return sysctl_write(property, v);
|
return sysctl_write(property, v);
|
||||||
}
|
}
|
||||||
|
|
||||||
int sysctl_write_ip_property(int af, const char *ifname, const char *property, const char *value) {
|
int sysctl_write_ip_property(int af, const char *ifname, const char *property, const char *value, Hashmap **shadow) {
|
||||||
const char *p;
|
const char *p;
|
||||||
|
|
||||||
assert(property);
|
assert(property);
|
||||||
|
@ -93,10 +131,10 @@ int sysctl_write_ip_property(int af, const char *ifname, const char *property, c
|
||||||
} else
|
} else
|
||||||
p = strjoina("net/", af_to_ipv4_ipv6(af), "/", property);
|
p = strjoina("net/", af_to_ipv4_ipv6(af), "/", property);
|
||||||
|
|
||||||
return sysctl_write(p, value);
|
return sysctl_write_full(p, value, shadow);
|
||||||
}
|
}
|
||||||
|
|
||||||
int sysctl_write_ip_neighbor_property(int af, const char *ifname, const char *property, const char *value) {
|
int sysctl_write_ip_neighbor_property(int af, const char *ifname, const char *property, const char *value, Hashmap **shadow) {
|
||||||
const char *p;
|
const char *p;
|
||||||
|
|
||||||
assert(property);
|
assert(property);
|
||||||
|
@ -113,7 +151,7 @@ int sysctl_write_ip_neighbor_property(int af, const char *ifname, const char *pr
|
||||||
} else
|
} else
|
||||||
p = strjoina("net/", af_to_ipv4_ipv6(af), "/neigh/default/", property);
|
p = strjoina("net/", af_to_ipv4_ipv6(af), "/neigh/default/", property);
|
||||||
|
|
||||||
return sysctl_write(p, value);
|
return sysctl_write_full(p, value, shadow);
|
||||||
}
|
}
|
||||||
|
|
||||||
int sysctl_read(const char *property, char **ret) {
|
int sysctl_read(const char *property, char **ret) {
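Review bot: sysctl_write_full records `value` in the shadow map before write_string_file runs, so when the write fails the shadow still claims the property holds that value; if the map is meant to mirror what was actually applied, move the `shadow_update()` call after a successful write, otherwise a comment stating that the shadow tracks requested rather than confirmed values would remove the ambiguity. In shadow_update the previous entry is detached with hashmap_remove2 before hashmap_ensure_put, so an ENOMEM on the put frees `cur_k`/`cur_v` through cleanup and silently drops the older record as well; reinserting them on that error path would keep the map consistent with what was written earlier. The `assert(r != -EEXIST)` is sound only because of that prior removal, which is worth saying in a comment. sysctl_write_full's body is split between the first two hunks of this file.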
|
||||||
|
|
|
@ -10,27 +10,30 @@
|
||||||
|
|
||||||
char* sysctl_normalize(char *s);
|
char* sysctl_normalize(char *s);
|
||||||
int sysctl_read(const char *property, char **value);
|
int sysctl_read(const char *property, char **value);
|
||||||
int sysctl_write(const char *property, const char *value);
|
int sysctl_write_full(const char *property, const char *value, Hashmap **shadow);
|
||||||
int sysctl_writef(const char *property, const char *format, ...) _printf_(2, 3);
|
int sysctl_writef(const char *property, const char *format, ...) _printf_(2, 3);
|
||||||
|
static inline int sysctl_write(const char *property, const char *value) {
|
||||||
int sysctl_read_ip_property(int af, const char *ifname, const char *property, char **ret);
|
return sysctl_write_full(property, value, NULL);
|
||||||
int sysctl_write_ip_property(int af, const char *ifname, const char *property, const char *value);
|
|
||||||
static inline int sysctl_write_ip_property_boolean(int af, const char *ifname, const char *property, bool value) {
|
|
||||||
return sysctl_write_ip_property(af, ifname, property, one_zero(value));
|
|
||||||
}
|
}
|
||||||
|
|
||||||
int sysctl_write_ip_neighbor_property(int af, const char *ifname, const char *property, const char *value);
|
int sysctl_read_ip_property(int af, const char *ifname, const char *property, char **ret);
|
||||||
static inline int sysctl_write_ip_neighbor_property_uint32(int af, const char *ifname, const char *property, uint32_t value) {
|
int sysctl_write_ip_property(int af, const char *ifname, const char *property, const char *value, Hashmap **shadow);
|
||||||
|
static inline int sysctl_write_ip_property_boolean(int af, const char *ifname, const char *property, bool value, Hashmap **shadow) {
|
||||||
|
return sysctl_write_ip_property(af, ifname, property, one_zero(value), shadow);
|
||||||
|
}
|
||||||
|
|
||||||
|
int sysctl_write_ip_neighbor_property(int af, const char *ifname, const char *property, const char *value, Hashmap **shadow);
|
||||||
|
static inline int sysctl_write_ip_neighbor_property_uint32(int af, const char *ifname, const char *property, uint32_t value, Hashmap **shadow) {
|
||||||
char buf[DECIMAL_STR_MAX(uint32_t)];
|
char buf[DECIMAL_STR_MAX(uint32_t)];
|
||||||
xsprintf(buf, "%u", value);
|
xsprintf(buf, "%u", value);
|
||||||
return sysctl_write_ip_neighbor_property(af, ifname, property, buf);
|
return sysctl_write_ip_neighbor_property(af, ifname, property, buf, shadow);
|
||||||
}
|
}
|
||||||
|
|
||||||
#define DEFINE_SYSCTL_WRITE_IP_PROPERTY(name, type, format) \
|
#define DEFINE_SYSCTL_WRITE_IP_PROPERTY(name, type, format) \
|
||||||
static inline int sysctl_write_ip_property_##name(int af, const char *ifname, const char *property, type value) { \
|
static inline int sysctl_write_ip_property_##name(int af, const char *ifname, const char *property, type value, Hashmap **shadow) { \
|
||||||
char buf[DECIMAL_STR_MAX(type)]; \
|
char buf[DECIMAL_STR_MAX(type)]; \
|
||||||
xsprintf(buf, format, value); \
|
xsprintf(buf, format, value); \
|
||||||
return sysctl_write_ip_property(af, ifname, property, buf); \
|
return sysctl_write_ip_property(af, ifname, property, buf, shadow); \
|
||||||
}
|
}
|
||||||
|
|
||||||
DEFINE_SYSCTL_WRITE_IP_PROPERTY(int, int, "%i");
|
DEFINE_SYSCTL_WRITE_IP_PROPERTY(int, int, "%i");
|
||||||
|
|
|
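Review bot: The new `Hashmap **shadow` parameter on sysctl_write_full() and on every sysctl_write_ip_*() helper in this header is undocumented: nothing says what the map records, who owns its entries, or that NULL is accepted (the added inline sysctl_write() wrapper passing NULL shows it is). A one-line comment above the sysctl_write_full() declaration such as `/* shadow: may be NULL; when set, see sysctl_write_full() in sysctl-util.c for what is recorded in it */` would save each caller of the boolean/uint32/DEFINE_SYSCTL_WRITE_IP_PROPERTY() helpers from reading the implementation. The sysctl-util.c hunk above that forwards `shadow` through sysctl_write_ip_neighbor_property() is cut off at its start, so the writer's actual semantics are not visible here.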
@ -255,6 +255,25 @@ int ask_string(char **ret, const char *text, ...) {
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
bool any_key_to_proceed(void) {
|
||||||
|
char key = 0;
|
||||||
|
bool need_nl = true;
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Insert a new line here as well as to when the user inputs, as this is also used during the
|
||||||
|
* boot up sequence when status messages may be interleaved with the current program output.
|
||||||
|
* This ensures that the status messages aren't appended on the same line as this message.
|
||||||
|
*/
|
||||||
|
puts("-- Press any key to proceed --");
|
||||||
|
|
||||||
|
(void) read_one_char(stdin, &key, USEC_INFINITY, &need_nl);
|
||||||
|
|
||||||
|
if (need_nl)
|
||||||
|
putchar('\n');
|
||||||
|
|
||||||
|
return key != 'q';
|
||||||
|
}
|
||||||
|
|
||||||
int open_terminal(const char *name, int mode) {
|
int open_terminal(const char *name, int mode) {
|
||||||
_cleanup_close_ int fd = -EBADF;
|
_cleanup_close_ int fd = -EBADF;
|
||||||
unsigned c = 0;
|
unsigned c = 0;
|
||||||
|
|
|
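Review bot: any_key_to_proceed() discards the return value of read_one_char(), so EOF or a read error on stdin leaves `key` at 0 and the function returns true, i.e. a failed prompt proceeds exactly like a key press. If that is intended (plausible during boot, where stdin may not be a terminal) it should be stated at the call, e.g. `/* A failed read (no terminal, EOF) proceeds: only an explicit 'q' aborts. */`. The prompt text also does not tell the user that 'q' aborts, and the `bool any_key_to_proceed(void);` declaration added to terminal-util.h in the next section has no comment on the return value; a one-liner there such as `/* Returns false if the user pressed 'q', true otherwise (including when reading fails). */` would cover both.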
@ -78,6 +78,7 @@ int chvt(int vt);
|
||||||
int read_one_char(FILE *f, char *ret, usec_t timeout, bool *need_nl);
|
int read_one_char(FILE *f, char *ret, usec_t timeout, bool *need_nl);
|
||||||
int ask_char(char *ret, const char *replies, const char *text, ...) _printf_(3, 4);
|
int ask_char(char *ret, const char *replies, const char *text, ...) _printf_(3, 4);
|
||||||
int ask_string(char **ret, const char *text, ...) _printf_(2, 3);
|
int ask_string(char **ret, const char *text, ...) _printf_(2, 3);
|
||||||
|
bool any_key_to_proceed(void);
|
||||||
|
|
||||||
int vt_disallocate(const char *name);
|
int vt_disallocate(const char *name);
|
||||||
|
|
||||||
|
|
|
@ -219,14 +219,12 @@ static int acquire_boot_count_path(
|
||||||
uint64_t left, done;
|
uint64_t left, done;
|
||||||
int r;
|
int r;
|
||||||
|
|
||||||
r = efi_get_variable_string(EFI_LOADER_VARIABLE(LoaderBootCountPath), &path);
|
r = efi_get_variable_path(EFI_LOADER_VARIABLE(LoaderBootCountPath), &path);
|
||||||
if (r == -ENOENT)
|
if (r == -ENOENT)
|
||||||
return -EUNATCH; /* in this case, let the caller print a message */
|
return -EUNATCH; /* in this case, let the caller print a message */
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
return log_error_errno(r, "Failed to read LoaderBootCountPath EFI variable: %m");
|
return log_error_errno(r, "Failed to read LoaderBootCountPath EFI variable: %m");
|
||||||
|
|
||||||
efi_tilt_backslashes(path);
|
|
||||||
|
|
||||||
if (!path_is_normalized(path))
|
if (!path_is_normalized(path))
|
||||||
return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
|
return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
|
||||||
"Path read from LoaderBootCountPath is not normalized, refusing: %s",
|
"Path read from LoaderBootCountPath is not normalized, refusing: %s",
|
||||||
|
|
|
@ -298,12 +298,24 @@ fail:
|
||||||
return r;
|
return r;
|
||||||
}
|
}
|
||||||
|
|
||||||
static void read_efi_var(const char *variable, char **ret) {
|
static int efi_get_variable_string_and_warn(const char *variable, char **ret) {
|
||||||
int r;
|
int r;
|
||||||
|
|
||||||
r = efi_get_variable_string(variable, ret);
|
r = efi_get_variable_string(variable, ret);
|
||||||
if (r < 0 && r != -ENOENT)
|
if (r < 0 && r != -ENOENT)
|
||||||
log_warning_errno(r, "Failed to read EFI variable %s: %m", variable);
|
return log_warning_errno(r, "Failed to read EFI variable '%s', ignoring: %m", variable);
|
||||||
|
|
||||||
|
return r;
|
||||||
|
}
|
||||||
|
|
||||||
|
static int efi_get_variable_path_and_warn(const char *variable, char **ret) {
|
||||||
|
int r;
|
||||||
|
|
||||||
|
r = efi_get_variable_path(variable, ret);
|
||||||
|
if (r < 0 && r != -ENOENT)
|
||||||
|
return log_warning_errno(r, "Failed to read EFI variable '%s', ignoring: %m", variable);
|
||||||
|
|
||||||
|
return r;
|
||||||
}
|
}
|
||||||
|
|
||||||
static void print_yes_no_line(bool first, bool good, const char *name) {
|
static void print_yes_no_line(bool first, bool good, const char *name) {
|
||||||
|
@ -396,26 +408,23 @@ int verb_status(int argc, char *argv[], void *userdata) {
|
||||||
{ EFI_STUB_FEATURE_MULTI_PROFILE_UKI, "Stub understands profile selector" },
|
{ EFI_STUB_FEATURE_MULTI_PROFILE_UKI, "Stub understands profile selector" },
|
||||||
{ EFI_STUB_FEATURE_REPORT_STUB_PARTITION, "Stub sets stub partition information" },
|
{ EFI_STUB_FEATURE_REPORT_STUB_PARTITION, "Stub sets stub partition information" },
|
||||||
};
|
};
|
||||||
_cleanup_free_ char *fw_type = NULL, *fw_info = NULL, *loader = NULL, *loader_path = NULL, *stub = NULL;
|
_cleanup_free_ char *fw_type = NULL, *fw_info = NULL, *loader = NULL, *loader_path = NULL, *stub = NULL, *stub_path = NULL,
|
||||||
sd_id128_t loader_part_uuid = SD_ID128_NULL;
|
*current_entry = NULL, *oneshot_entry = NULL, *default_entry = NULL;
|
||||||
uint64_t loader_features = 0, stub_features = 0;
|
uint64_t loader_features = 0, stub_features = 0;
|
||||||
Tpm2Support s;
|
Tpm2Support s;
|
||||||
int have;
|
int have;
|
||||||
|
|
||||||
read_efi_var(EFI_LOADER_VARIABLE(LoaderFirmwareType), &fw_type);
|
(void) efi_get_variable_string_and_warn(EFI_LOADER_VARIABLE(LoaderFirmwareType), &fw_type);
|
||||||
read_efi_var(EFI_LOADER_VARIABLE(LoaderFirmwareInfo), &fw_info);
|
(void) efi_get_variable_string_and_warn(EFI_LOADER_VARIABLE(LoaderFirmwareInfo), &fw_info);
|
||||||
read_efi_var(EFI_LOADER_VARIABLE(LoaderInfo), &loader);
|
(void) efi_get_variable_string_and_warn(EFI_LOADER_VARIABLE(LoaderInfo), &loader);
|
||||||
read_efi_var(EFI_LOADER_VARIABLE(StubInfo), &stub);
|
(void) efi_get_variable_string_and_warn(EFI_LOADER_VARIABLE(StubInfo), &stub);
|
||||||
read_efi_var(EFI_LOADER_VARIABLE(LoaderImageIdentifier), &loader_path);
|
(void) efi_get_variable_path_and_warn(EFI_LOADER_VARIABLE(LoaderImageIdentifier), &loader_path);
|
||||||
|
(void) efi_get_variable_path_and_warn(EFI_LOADER_VARIABLE(StubImageIdentifier), &stub_path);
|
||||||
(void) efi_loader_get_features(&loader_features);
|
(void) efi_loader_get_features(&loader_features);
|
||||||
(void) efi_stub_get_features(&stub_features);
|
(void) efi_stub_get_features(&stub_features);
|
||||||
|
(void) efi_get_variable_string_and_warn(EFI_LOADER_VARIABLE(LoaderEntrySelected), ¤t_entry);
|
||||||
if (loader_path)
|
(void) efi_get_variable_string_and_warn(EFI_LOADER_VARIABLE(LoaderEntryOneShot), &oneshot_entry);
|
||||||
efi_tilt_backslashes(loader_path);
|
(void) efi_get_variable_string_and_warn(EFI_LOADER_VARIABLE(LoaderEntryDefault), &default_entry);
|
||||||
|
|
||||||
k = efi_loader_get_device_part_uuid(&loader_part_uuid);
|
|
||||||
if (k < 0 && k != -ENOENT)
|
|
||||||
r = log_warning_errno(k, "Failed to read EFI variable LoaderDevicePartUUID: %m");
|
|
||||||
|
|
||||||
SecureBootMode secure = efi_get_secure_boot_mode();
|
SecureBootMode secure = efi_get_secure_boot_mode();
|
||||||
printf("%sSystem:%s\n", ansi_underline(), ansi_normal());
|
printf("%sSystem:%s\n", ansi_underline(), ansi_normal());
|
||||||
|
@ -463,34 +472,58 @@ int verb_status(int argc, char *argv[], void *userdata) {
|
||||||
}
|
}
|
||||||
printf("\n");
|
printf("\n");
|
||||||
|
|
||||||
|
if (loader) {
|
||||||
printf("%sCurrent Boot Loader:%s\n", ansi_underline(), ansi_normal());
|
printf("%sCurrent Boot Loader:%s\n", ansi_underline(), ansi_normal());
|
||||||
printf(" Product: %s%s%s\n", ansi_highlight(), strna(loader), ansi_normal());
|
printf(" Product: %s%s%s\n", ansi_highlight(), loader, ansi_normal());
|
||||||
|
|
||||||
for (size_t i = 0; i < ELEMENTSOF(loader_flags); i++)
|
for (size_t i = 0; i < ELEMENTSOF(loader_flags); i++)
|
||||||
print_yes_no_line(i == 0, FLAGS_SET(loader_features, loader_flags[i].flag), loader_flags[i].name);
|
print_yes_no_line(i == 0, FLAGS_SET(loader_features, loader_flags[i].flag), loader_flags[i].name);
|
||||||
|
|
||||||
sd_id128_t bootloader_esp_uuid;
|
sd_id128_t loader_partition_uuid;
|
||||||
bool have_bootloader_esp_uuid = efi_loader_get_device_part_uuid(&bootloader_esp_uuid) >= 0;
|
bool have_loader_partition_uuid = efi_loader_get_device_part_uuid(&loader_partition_uuid) >= 0;
|
||||||
|
|
||||||
print_yes_no_line(false, have_bootloader_esp_uuid, "Boot loader sets ESP information");
|
print_yes_no_line(false, have_loader_partition_uuid, "Boot loader set ESP information");
|
||||||
if (have_bootloader_esp_uuid && !sd_id128_is_null(esp_uuid) &&
|
|
||||||
!sd_id128_equal(esp_uuid, bootloader_esp_uuid))
|
if (current_entry)
|
||||||
printf("WARNING: The boot loader reports a different ESP UUID than detected ("SD_ID128_UUID_FORMAT_STR" vs. "SD_ID128_UUID_FORMAT_STR")!\n",
|
printf("Current Entry: %s\n", current_entry);
|
||||||
SD_ID128_FORMAT_VAL(bootloader_esp_uuid),
|
if (default_entry)
|
||||||
SD_ID128_FORMAT_VAL(esp_uuid));
|
printf("Default Entry: %s\n", default_entry);
|
||||||
|
if (oneshot_entry && !streq_ptr(oneshot_entry, default_entry))
|
||||||
|
printf("OneShot Entry: %s\n", oneshot_entry);
|
||||||
|
|
||||||
|
if (have_loader_partition_uuid && !sd_id128_is_null(esp_uuid) && !sd_id128_equal(esp_uuid, loader_partition_uuid))
|
||||||
|
printf("WARNING: The boot loader reports a different partition UUID than the detected ESP ("SD_ID128_UUID_FORMAT_STR" vs. "SD_ID128_UUID_FORMAT_STR")!\n",
|
||||||
|
SD_ID128_FORMAT_VAL(loader_partition_uuid), SD_ID128_FORMAT_VAL(esp_uuid));
|
||||||
|
|
||||||
|
if (!sd_id128_is_null(loader_partition_uuid))
|
||||||
|
printf(" Partition: /dev/disk/by-partuuid/" SD_ID128_UUID_FORMAT_STR "\n",
|
||||||
|
SD_ID128_FORMAT_VAL(loader_partition_uuid));
|
||||||
|
else
|
||||||
|
printf(" Partition: n/a\n");
|
||||||
|
printf(" Loader: %s%s\n", special_glyph(SPECIAL_GLYPH_TREE_RIGHT), strna(loader_path));
|
||||||
|
printf("\n");
|
||||||
|
}
|
||||||
|
|
||||||
if (stub) {
|
if (stub) {
|
||||||
printf(" Stub: %s\n", stub);
|
printf("%sCurrent Stub:%s\n", ansi_underline(), ansi_normal());
|
||||||
|
printf(" Product: %s%s%s\n", ansi_highlight(), stub, ansi_normal());
|
||||||
for (size_t i = 0; i < ELEMENTSOF(stub_flags); i++)
|
for (size_t i = 0; i < ELEMENTSOF(stub_flags); i++)
|
||||||
print_yes_no_line(i == 0, FLAGS_SET(stub_features, stub_flags[i].flag), stub_flags[i].name);
|
print_yes_no_line(i == 0, FLAGS_SET(stub_features, stub_flags[i].flag), stub_flags[i].name);
|
||||||
}
|
|
||||||
if (!sd_id128_is_null(loader_part_uuid))
|
sd_id128_t stub_partition_uuid;
|
||||||
printf(" ESP: /dev/disk/by-partuuid/" SD_ID128_UUID_FORMAT_STR "\n",
|
bool have_stub_partition_uuid = efi_stub_get_device_part_uuid(&stub_partition_uuid) >= 0;
|
||||||
SD_ID128_FORMAT_VAL(loader_part_uuid));
|
|
||||||
|
if (have_stub_partition_uuid && (!(!sd_id128_is_null(esp_uuid) && sd_id128_equal(esp_uuid, stub_partition_uuid)) &&
|
||||||
|
!(!sd_id128_is_null(xbootldr_uuid) && sd_id128_equal(xbootldr_uuid, stub_partition_uuid))))
|
||||||
|
printf("WARNING: The stub loader reports a different UUID than the detected ESP or XBOOTDLR partition ("SD_ID128_UUID_FORMAT_STR" vs. "SD_ID128_UUID_FORMAT_STR"/"SD_ID128_UUID_FORMAT_STR")!\n",
|
||||||
|
SD_ID128_FORMAT_VAL(stub_partition_uuid), SD_ID128_FORMAT_VAL(esp_uuid), SD_ID128_FORMAT_VAL(xbootldr_uuid));
|
||||||
|
if (!sd_id128_is_null(stub_partition_uuid))
|
||||||
|
printf(" Partition: /dev/disk/by-partuuid/" SD_ID128_UUID_FORMAT_STR "\n",
|
||||||
|
SD_ID128_FORMAT_VAL(stub_partition_uuid));
|
||||||
else
|
else
|
||||||
printf(" ESP: n/a\n");
|
printf(" Partition: n/a\n");
|
||||||
printf(" File: %s%s\n", special_glyph(SPECIAL_GLYPH_TREE_RIGHT), strna(loader_path));
|
printf(" Stub: %s%s\n", special_glyph(SPECIAL_GLYPH_TREE_RIGHT), strna(stub_path));
|
||||||
printf("\n");
|
printf("\n");
|
||||||
|
}
|
||||||
|
|
||||||
printf("%sRandom Seed:%s\n", ansi_underline(), ansi_normal());
|
printf("%sRandom Seed:%s\n", ansi_underline(), ansi_normal());
|
||||||
have = access(EFIVAR_PATH(EFI_LOADER_VARIABLE(LoaderSystemToken)), F_OK) >= 0;
|
have = access(EFIVAR_PATH(EFI_LOADER_VARIABLE(LoaderSystemToken)), F_OK) >= 0;
|
||||||
|
|
|
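Review bot: In the verb_status() hunk `sd_id128_t loader_partition_uuid;` is left uninitialized, yet `if (!sd_id128_is_null(loader_partition_uuid))` runs even when have_loader_partition_uuid is false, so unless efi_loader_get_device_part_uuid() is guaranteed to fill the output on every failure this reads an indeterminate value; the old code printed from the separately zeroed loader_part_uuid that this change removes, and the stub block repeats the shape with stub_partition_uuid. Guard both as `if (have_loader_partition_uuid && !sd_id128_is_null(loader_partition_uuid))` and `if (have_stub_partition_uuid && !sd_id128_is_null(stub_partition_uuid))`, or initialize both to SD_ID128_NULL. The same hunk drops the warning that the removed `k = efi_loader_get_device_part_uuid(...)` block logged for errors other than -ENOENT, which are now silently folded into the `>= 0` test. The stub warning string also spells the partition "XBOOTDLR" while the identifiers around it (xbootldr_uuid, acquire_xbootldr()) spell it XBOOTLDR. verb_status() starts and ends outside the hunk.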
@ -16,12 +16,14 @@
|
||||||
#include "build.h"
|
#include "build.h"
|
||||||
#include "devnum-util.h"
|
#include "devnum-util.h"
|
||||||
#include "dissect-image.h"
|
#include "dissect-image.h"
|
||||||
|
#include "efi-loader.h"
|
||||||
#include "escape.h"
|
#include "escape.h"
|
||||||
#include "find-esp.h"
|
#include "find-esp.h"
|
||||||
#include "main-func.h"
|
#include "main-func.h"
|
||||||
#include "mount-util.h"
|
#include "mount-util.h"
|
||||||
#include "pager.h"
|
#include "pager.h"
|
||||||
#include "parse-argument.h"
|
#include "parse-argument.h"
|
||||||
|
#include "path-util.h"
|
||||||
#include "pretty-print.h"
|
#include "pretty-print.h"
|
||||||
#include "utf8.h"
|
#include "utf8.h"
|
||||||
#include "varlink-io.systemd.BootControl.h"
|
#include "varlink-io.systemd.BootControl.h"
|
||||||
|
@ -38,6 +40,8 @@ char *arg_esp_path = NULL;
|
||||||
char *arg_xbootldr_path = NULL;
|
char *arg_xbootldr_path = NULL;
|
||||||
bool arg_print_esp_path = false;
|
bool arg_print_esp_path = false;
|
||||||
bool arg_print_dollar_boot_path = false;
|
bool arg_print_dollar_boot_path = false;
|
||||||
|
bool arg_print_loader_path = false;
|
||||||
|
bool arg_print_stub_path = false;
|
||||||
unsigned arg_print_root_device = 0;
|
unsigned arg_print_root_device = 0;
|
||||||
bool arg_touch_variables = true;
|
bool arg_touch_variables = true;
|
||||||
bool arg_install_random_seed = true;
|
bool arg_install_random_seed = true;
|
||||||
|
@ -133,6 +137,71 @@ int acquire_xbootldr(
|
||||||
return 1;
|
return 1;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
static int print_loader_or_stub_path(void) {
|
||||||
|
_cleanup_free_ char *p = NULL;
|
||||||
|
sd_id128_t uuid;
|
||||||
|
int r;
|
||||||
|
|
||||||
|
if (arg_print_loader_path) {
|
||||||
|
r = efi_loader_get_device_part_uuid(&uuid);
|
||||||
|
if (r == -ENOENT)
|
||||||
|
return log_error_errno(r, "No loader partition UUID passed.");
|
||||||
|
if (r < 0)
|
||||||
|
return log_error_errno(r, "Unable to determine loader partition UUID: %m");
|
||||||
|
|
||||||
|
r = efi_get_variable_path(EFI_LOADER_VARIABLE(LoaderImageIdentifier), &p);
|
||||||
|
if (r == -ENOENT)
|
||||||
|
return log_error_errno(r, "No loader EFI binary path passed.");
|
||||||
|
if (r < 0)
|
||||||
|
return log_error_errno(r, "Unable to determine loader EFI binary path: %m");
|
||||||
|
} else {
|
||||||
|
assert(arg_print_stub_path);
|
||||||
|
|
||||||
|
r = efi_stub_get_device_part_uuid(&uuid);
|
||||||
|
if (r == -ENOENT)
|
||||||
|
return log_error_errno(r, "No stub partition UUID passed.");
|
||||||
|
if (r < 0)
|
||||||
|
return log_error_errno(r, "Unable to determine stub partition UUID: %m");
|
||||||
|
|
||||||
|
r = efi_get_variable_path(EFI_LOADER_VARIABLE(StubImageIdentifier), &p);
|
||||||
|
if (r == -ENOENT)
|
||||||
|
return log_error_errno(r, "No stub EFI binary path passed.");
|
||||||
|
if (r < 0)
|
||||||
|
return log_error_errno(r, "Unable to determine stub EFI binary path: %m");
|
||||||
|
}
|
||||||
|
|
||||||
|
sd_id128_t esp_uuid;
|
||||||
|
r = acquire_esp(/* unprivileged_mode= */ false, /* graceful= */ false,
|
||||||
|
/* ret_part= */ NULL, /* ret_pstart= */ NULL, /* ret_psize= */ NULL,
|
||||||
|
&esp_uuid, /* ret_devid= */ NULL);
|
||||||
|
if (r < 0)
|
||||||
|
return r;
|
||||||
|
|
||||||
|
const char *found_path = NULL;
|
||||||
|
if (sd_id128_equal(esp_uuid, uuid))
|
||||||
|
found_path = arg_esp_path;
|
||||||
|
else if (arg_print_stub_path) { /* In case of the stub, also look for things in the xbootldr partition */
|
||||||
|
sd_id128_t xbootldr_uuid;
|
||||||
|
|
||||||
|
r = acquire_xbootldr(/* unprivileged_mode= */ false, &xbootldr_uuid, /* ret_devid= */ NULL);
|
||||||
|
if (r < 0)
|
||||||
|
return r;
|
||||||
|
|
||||||
|
if (sd_id128_equal(xbootldr_uuid, uuid))
|
||||||
|
found_path = arg_xbootldr_path;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (!found_path)
|
||||||
|
return log_error_errno(SYNTHETIC_ERRNO(ENOENT), "Failed to discover partition " SD_ID128_FORMAT_STR " among mounted boot partitions.", SD_ID128_FORMAT_VAL(uuid));
|
||||||
|
|
||||||
|
_cleanup_free_ char *j = path_join(found_path, p);
|
||||||
|
if (!j)
|
||||||
|
return log_oom();
|
||||||
|
|
||||||
|
puts(j);
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
static int help(int argc, char *argv[], void *userdata) {
|
static int help(int argc, char *argv[], void *userdata) {
|
||||||
_cleanup_free_ char *link = NULL;
|
_cleanup_free_ char *link = NULL;
|
||||||
int r;
|
int r;
|
||||||
|
@ -182,6 +251,9 @@ static int help(int argc, char *argv[], void *userdata) {
|
||||||
" Where to pick files when using --root=/--image=\n"
|
" Where to pick files when using --root=/--image=\n"
|
||||||
" -p --print-esp-path Print path to the EFI System Partition mount point\n"
|
" -p --print-esp-path Print path to the EFI System Partition mount point\n"
|
||||||
" -x --print-boot-path Print path to the $BOOT partition mount point\n"
|
" -x --print-boot-path Print path to the $BOOT partition mount point\n"
|
||||||
|
" --print-loader-path\n"
|
||||||
|
" Print path to currently booted boot loader binary\n"
|
||||||
|
" --print-stub-path Print path to currently booted unified kernel binary\n"
|
||||||
" -R --print-root-device\n"
|
" -R --print-root-device\n"
|
||||||
" Print path to the block device node backing the\n"
|
" Print path to the block device node backing the\n"
|
||||||
" root file system (returns e.g. /dev/nvme0n1p5)\n"
|
" root file system (returns e.g. /dev/nvme0n1p5)\n"
|
||||||
|
@ -235,6 +307,8 @@ static int parse_argv(int argc, char *argv[]) {
|
||||||
ARG_ARCH_ALL,
|
ARG_ARCH_ALL,
|
||||||
ARG_EFI_BOOT_OPTION_DESCRIPTION,
|
ARG_EFI_BOOT_OPTION_DESCRIPTION,
|
||||||
ARG_DRY_RUN,
|
ARG_DRY_RUN,
|
||||||
|
ARG_PRINT_LOADER_PATH,
|
||||||
|
ARG_PRINT_STUB_PATH,
|
||||||
};
|
};
|
||||||
|
|
||||||
static const struct option options[] = {
|
static const struct option options[] = {
|
||||||
|
@ -250,6 +324,8 @@ static int parse_argv(int argc, char *argv[]) {
|
||||||
{ "print-esp-path", no_argument, NULL, 'p' },
|
{ "print-esp-path", no_argument, NULL, 'p' },
|
||||||
{ "print-path", no_argument, NULL, 'p' }, /* Compatibility alias */
|
{ "print-path", no_argument, NULL, 'p' }, /* Compatibility alias */
|
||||||
{ "print-boot-path", no_argument, NULL, 'x' },
|
{ "print-boot-path", no_argument, NULL, 'x' },
|
||||||
|
{ "print-loader-path", no_argument, NULL, ARG_PRINT_LOADER_PATH },
|
||||||
|
{ "print-stub-path", no_argument, NULL, ARG_PRINT_STUB_PATH },
|
||||||
{ "print-root-device", no_argument, NULL, 'R' },
|
{ "print-root-device", no_argument, NULL, 'R' },
|
||||||
{ "no-variables", no_argument, NULL, ARG_NO_VARIABLES },
|
{ "no-variables", no_argument, NULL, ARG_NO_VARIABLES },
|
||||||
{ "random-seed", required_argument, NULL, ARG_RANDOM_SEED },
|
{ "random-seed", required_argument, NULL, ARG_RANDOM_SEED },
|
||||||
|
@ -332,6 +408,14 @@ static int parse_argv(int argc, char *argv[]) {
|
||||||
arg_print_dollar_boot_path = true;
|
arg_print_dollar_boot_path = true;
|
||||||
break;
|
break;
|
||||||
|
|
||||||
|
case ARG_PRINT_LOADER_PATH:
|
||||||
|
arg_print_loader_path = true;
|
||||||
|
break;
|
||||||
|
|
||||||
|
case ARG_PRINT_STUB_PATH:
|
||||||
|
arg_print_stub_path = true;
|
||||||
|
break;
|
||||||
|
|
||||||
case 'R':
|
case 'R':
|
||||||
arg_print_root_device++;
|
arg_print_root_device++;
|
||||||
break;
|
break;
|
||||||
|
@ -414,9 +498,9 @@ static int parse_argv(int argc, char *argv[]) {
|
||||||
assert_not_reached();
|
assert_not_reached();
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!!arg_print_esp_path + !!arg_print_dollar_boot_path + (arg_print_root_device > 0) > 1)
|
if (!!arg_print_esp_path + !!arg_print_dollar_boot_path + (arg_print_root_device > 0) + arg_print_loader_path + arg_print_stub_path > 1)
|
||||||
return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
|
return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
|
||||||
"--print-esp-path/-p, --print-boot-path/-x, --print-root-device=/-R cannot be combined.");
|
"--print-esp-path/-p, --print-boot-path/-x, --print-root-device=/-R, --print-loader-path, --print-stub-path cannot be combined.");
|
||||||
|
|
||||||
if ((arg_root || arg_image) && argv[optind] && !STR_IN_SET(argv[optind], "status", "list",
|
if ((arg_root || arg_image) && argv[optind] && !STR_IN_SET(argv[optind], "status", "list",
|
||||||
"install", "update", "remove", "is-installed", "random-seed", "unlink", "cleanup"))
|
"install", "update", "remove", "is-installed", "random-seed", "unlink", "cleanup"))
|
||||||
|
@ -541,6 +625,9 @@ static int run(int argc, char *argv[]) {
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (arg_print_loader_path || arg_print_stub_path)
|
||||||
|
return print_loader_or_stub_path();
|
||||||
|
|
||||||
/* Open up and mount the image */
|
/* Open up and mount the image */
|
||||||
if (arg_image) {
|
if (arg_image) {
|
||||||
assert(!arg_root);
|
assert(!arg_root);
|
||||||
|
|
|
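Review bot: print_loader_or_stub_path() compares xbootldr_uuid right after `r = acquire_xbootldr(...)` has been checked only for `r < 0`; the `return 1;` visible at the top of this section suggests acquire_xbootldr() reports found versus not found through a positive return, in which case a 0 result may leave xbootldr_uuid unset and `sd_id128_equal(xbootldr_uuid, uuid)` reads an indeterminate value, so compare only when `r > 0`. Separately, the path read from LoaderImageIdentifier/StubImageIdentifier is joined onto the mount point and printed without the path_is_normalized() refusal that acquire_boot_count_path() applies to the same kind of EFI-provided path in bootctl-status.c; since the printed value is meant for `$(bootctl --print-stub-path)` style consumers, adding `if (!path_is_normalized(p)) return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Path read from EFI variable is not normalized, refusing: %s", p);` before the path_join() keeps the two consistent. The run() and parse_argv() hunks only route the new options to this function.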
@ -13,6 +13,7 @@
|
||||||
#include "initrd.h"
|
#include "initrd.h"
|
||||||
#include "linux.h"
|
#include "linux.h"
|
||||||
#include "measure.h"
|
#include "measure.h"
|
||||||
|
#include "memory-util-fundamental.h"
|
||||||
#include "part-discovery.h"
|
#include "part-discovery.h"
|
||||||
#include "pe.h"
|
#include "pe.h"
|
||||||
#include "proto/block-io.h"
|
#include "proto/block-io.h"
|
||||||
|
@ -2420,18 +2421,18 @@ static EFI_STATUS initrd_prepare(
|
||||||
EFI_FILE *root,
|
EFI_FILE *root,
|
||||||
const BootEntry *entry,
|
const BootEntry *entry,
|
||||||
char16_t **ret_options,
|
char16_t **ret_options,
|
||||||
void **ret_initrd,
|
Pages *ret_initrd_pages,
|
||||||
size_t *ret_initrd_size) {
|
size_t *ret_initrd_size) {
|
||||||
|
|
||||||
assert(root);
|
assert(root);
|
||||||
assert(entry);
|
assert(entry);
|
||||||
assert(ret_options);
|
assert(ret_options);
|
||||||
assert(ret_initrd);
|
assert(ret_initrd_pages);
|
||||||
assert(ret_initrd_size);
|
assert(ret_initrd_size);
|
||||||
|
|
||||||
if (entry->type != LOADER_LINUX || !entry->initrd) {
|
if (entry->type != LOADER_LINUX || !entry->initrd) {
|
||||||
*ret_options = NULL;
|
*ret_options = NULL;
|
||||||
*ret_initrd = NULL;
|
*ret_initrd_pages = (Pages) {};
|
||||||
*ret_initrd_size = 0;
|
*ret_initrd_size = 0;
|
||||||
return EFI_SUCCESS;
|
return EFI_SUCCESS;
|
||||||
}
|
}
|
||||||
|
@ -2445,7 +2446,6 @@ static EFI_STATUS initrd_prepare(
|
||||||
|
|
||||||
EFI_STATUS err;
|
EFI_STATUS err;
|
||||||
size_t size = 0;
|
size_t size = 0;
|
||||||
_cleanup_free_ uint8_t *initrd = NULL;
|
|
||||||
|
|
||||||
STRV_FOREACH(i, entry->initrd) {
|
STRV_FOREACH(i, entry->initrd) {
|
||||||
_cleanup_free_ char16_t *o = options;
|
_cleanup_free_ char16_t *o = options;
|
||||||
|
@ -2464,30 +2464,58 @@ static EFI_STATUS initrd_prepare(
|
||||||
if (err != EFI_SUCCESS)
|
if (err != EFI_SUCCESS)
|
||||||
return err;
|
return err;
|
||||||
|
|
||||||
|
if (!ADD_SAFE(&size, size, ALIGN4(info->FileSize)))
|
||||||
|
return EFI_OUT_OF_RESOURCES;
|
||||||
|
}
|
||||||
|
|
||||||
|
_cleanup_pages_ Pages pages = xmalloc_pages(
|
||||||
|
AllocateMaxAddress,
|
||||||
|
EfiLoaderData,
|
||||||
|
EFI_SIZE_TO_PAGES(size),
|
||||||
|
UINT32_MAX /* Below 4G boundary. */);
|
||||||
|
uint8_t *p = PHYSICAL_ADDRESS_TO_POINTER(pages.addr);
|
||||||
|
|
||||||
|
STRV_FOREACH(i, entry->initrd) {
|
||||||
|
_cleanup_(file_closep) EFI_FILE *handle = NULL;
|
||||||
|
err = root->Open(root, &handle, *i, EFI_FILE_MODE_READ, 0);
|
||||||
|
if (err != EFI_SUCCESS)
|
||||||
|
return err;
|
||||||
|
|
||||||
|
_cleanup_free_ EFI_FILE_INFO *info = NULL;
|
||||||
|
err = get_file_info(handle, &info, NULL);
|
||||||
|
if (err != EFI_SUCCESS)
|
||||||
|
return err;
|
||||||
|
|
||||||
if (info->FileSize == 0) /* Automatically skip over empty files */
|
if (info->FileSize == 0) /* Automatically skip over empty files */
|
||||||
continue;
|
continue;
|
||||||
|
|
||||||
size_t new_size, read_size = info->FileSize;
|
size_t read_size = info->FileSize;
|
||||||
if (!ADD_SAFE(&new_size, size, read_size))
|
err = chunked_read(handle, &read_size, p);
|
||||||
return EFI_OUT_OF_RESOURCES;
|
|
||||||
initrd = xrealloc(initrd, size, new_size);
|
|
||||||
|
|
||||||
err = chunked_read(handle, &read_size, initrd + size);
|
|
||||||
if (err != EFI_SUCCESS)
|
if (err != EFI_SUCCESS)
|
||||||
return err;
|
return err;
|
||||||
|
|
||||||
/* Make sure the actual read size is what we expected. */
|
/* Make sure the actual read size is what we expected. */
|
||||||
assert(size + read_size == new_size);
|
assert(read_size == info->FileSize);
|
||||||
size = new_size;
|
p += read_size;
|
||||||
|
|
||||||
|
size_t pad;
|
||||||
|
pad = ALIGN4(read_size) - read_size;
|
||||||
|
if (pad == 0)
|
||||||
|
continue;
|
||||||
|
|
||||||
|
memzero(p, pad);
|
||||||
|
p += pad;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
assert(PHYSICAL_ADDRESS_TO_POINTER(pages.addr + size) == p);
|
||||||
|
|
||||||
if (entry->options) {
|
if (entry->options) {
|
||||||
_cleanup_free_ char16_t *o = options;
|
_cleanup_free_ char16_t *o = options;
|
||||||
options = xasprintf("%ls %ls", o, entry->options);
|
options = xasprintf("%ls %ls", o, entry->options);
|
||||||
}
|
}
|
||||||
|
|
||||||
*ret_options = TAKE_PTR(options);
|
*ret_options = TAKE_PTR(options);
|
||||||
*ret_initrd = TAKE_PTR(initrd);
|
*ret_initrd_pages = TAKE_STRUCT(pages);
|
||||||
*ret_initrd_size = size;
|
*ret_initrd_size = size;
|
||||||
return EFI_SUCCESS;
|
return EFI_SUCCESS;
|
||||||
}
|
}
|
||||||
|
@ -2517,9 +2545,9 @@ static EFI_STATUS image_start(
|
||||||
return log_error_status(err, "Error making file device path: %m");
|
return log_error_status(err, "Error making file device path: %m");
|
||||||
|
|
||||||
size_t initrd_size = 0;
|
size_t initrd_size = 0;
|
||||||
_cleanup_free_ void *initrd = NULL;
|
_cleanup_pages_ Pages initrd_pages = {};
|
||||||
_cleanup_free_ char16_t *options_initrd = NULL;
|
_cleanup_free_ char16_t *options_initrd = NULL;
|
||||||
err = initrd_prepare(image_root, entry, &options_initrd, &initrd, &initrd_size);
|
err = initrd_prepare(image_root, entry, &options_initrd, &initrd_pages, &initrd_size);
|
||||||
if (err != EFI_SUCCESS)
|
if (err != EFI_SUCCESS)
|
||||||
return log_error_status(err, "Error preparing initrd: %m");
|
return log_error_status(err, "Error preparing initrd: %m");
|
||||||
|
|
||||||
|
@ -2537,7 +2565,7 @@ static EFI_STATUS image_start(
|
||||||
}
|
}
|
||||||
|
|
||||||
_cleanup_(cleanup_initrd) EFI_HANDLE initrd_handle = NULL;
|
_cleanup_(cleanup_initrd) EFI_HANDLE initrd_handle = NULL;
|
||||||
err = initrd_register(initrd, initrd_size, &initrd_handle);
|
err = initrd_register(PHYSICAL_ADDRESS_TO_POINTER(initrd_pages.addr), initrd_size, &initrd_handle);
|
||||||
if (err != EFI_SUCCESS)
|
if (err != EFI_SUCCESS)
|
||||||
return log_error_status(err, "Error registering initrd: %m");
|
return log_error_status(err, "Error registering initrd: %m");
|
||||||
|
|
||||||
|
|
|
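Review bot: In initrd_prepare() the second STRV_FOREACH pass trusts that each file still has the size the first pass summed into `size`; if a file grew between the two get_file_info() calls, chunked_read() and the following memzero() write past the page allocation, and the trailing `assert(PHYSICAL_ADDRESS_TO_POINTER(pages.addr + size) == p)` only fires after the overflow. A bound check before the read closes this: keep `uint8_t *end = p + size;` next to the `p` declaration and add `if (ALIGN4(info->FileSize) > (size_t) (end - p)) return EFI_BAD_BUFFER_SIZE;` ahead of the chunked_read() call. Whether xmalloc_pages() accepts a zero-page request when every listed initrd is empty (`size == 0`, where the old code simply handed back a NULL buffer) is not visible here; an early `if (size == 0)` path mirroring the `!entry->initrd` branch would avoid depending on it. initrd_prepare() begins, and its options handling continues, outside this hunk.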
@ -450,7 +450,7 @@ static size_t pe_section_table_find_profile_length(
|
||||||
assert(start >= section_table);
|
assert(start >= section_table);
|
||||||
assert(start < section_table + n_section_table);
|
assert(start < section_table + n_section_table);
|
||||||
|
|
||||||
/* Look for the next .profile (or the end of the table), this is where the the sections for this
|
/* Look for the next .profile (or the end of the table), this is where the sections for this
|
||||||
* profile end. The base profile does not start with a .profile, the others do, hence conditionally
|
* profile end. The base profile does not start with a .profile, the others do, hence conditionally
|
||||||
* skip over the first entry. */
|
* skip over the first entry. */
|
||||||
const PeSectionHeader *e;
|
const PeSectionHeader *e;
|
||||||
|
@ -485,7 +485,7 @@ EFI_STATUS pe_locate_profile_sections(
|
||||||
if (!p)
|
if (!p)
|
||||||
return EFI_NOT_FOUND;
|
return EFI_NOT_FOUND;
|
||||||
|
|
||||||
/* Look for the next .profile (or the end of the table), this is where the the sections for this
|
/* Look for the next .profile (or the end of the table), this is where the sections for this
|
||||||
* profile end. */
|
* profile end. */
|
||||||
size_t n = pe_section_table_find_profile_length(section_table, n_section_table, p, profile);
|
size_t n = pe_section_table_find_profile_length(section_table, n_section_table, p, profile);
|
||||||
|
|
||||||
|
|
|
@ -134,9 +134,8 @@ static EFI_STATUS combine_initrds(
|
||||||
|
|
||||||
assert(PHYSICAL_ADDRESS_TO_POINTER(pages.addr + n) == p);
|
assert(PHYSICAL_ADDRESS_TO_POINTER(pages.addr + n) == p);
|
||||||
|
|
||||||
*ret_initrd_pages = pages;
|
*ret_initrd_pages = TAKE_STRUCT(pages);
|
||||||
*ret_initrd_size = n;
|
*ret_initrd_size = n;
|
||||||
pages.n_pages = 0;
|
|
||||||
|
|
||||||
return EFI_SUCCESS;
|
return EFI_SUCCESS;
|
||||||
}
|
}
|
||||||
|
|
|
@ -2728,6 +2728,7 @@ int config_parse_environ(
|
||||||
COMMON_CREDS_SPECIFIERS(ltype),
|
COMMON_CREDS_SPECIFIERS(ltype),
|
||||||
{ 'h', specifier_user_home, NULL },
|
{ 'h', specifier_user_home, NULL },
|
||||||
{ 's', specifier_user_shell, NULL },
|
{ 's', specifier_user_shell, NULL },
|
||||||
|
{}
|
||||||
};
|
};
|
||||||
|
|
||||||
for (const char *p = rvalue;; ) {
|
for (const char *p = rvalue;; ) {
|
||||||
|
|
|
@ -528,11 +528,15 @@ static int append_extensions(
|
||||||
&result);
|
&result);
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
return r;
|
return r;
|
||||||
if (!result.path)
|
if (!result.path) {
|
||||||
|
if (m->ignore_enoent)
|
||||||
|
continue;
|
||||||
|
|
||||||
return log_debug_errno(
|
return log_debug_errno(
|
||||||
SYNTHETIC_ERRNO(ENOENT),
|
SYNTHETIC_ERRNO(ENOENT),
|
||||||
"No matching entry in .v/ directory %s found.",
|
"No matching entry in .v/ directory %s found.",
|
||||||
m->source);
|
m->source);
|
||||||
|
}
|
||||||
|
|
||||||
r = verity_settings_load(&verity, result.path, /* root_hash_path= */ NULL, /* root_hash_sig_path= */ NULL);
|
r = verity_settings_load(&verity, result.path, /* root_hash_path= */ NULL, /* root_hash_sig_path= */ NULL);
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
|
@ -575,10 +579,6 @@ static int append_extensions(
|
||||||
const char *e = *extension_directory;
|
const char *e = *extension_directory;
|
||||||
bool ignore_enoent = false;
|
bool ignore_enoent = false;
|
||||||
|
|
||||||
/* Pick up the counter where the ExtensionImages left it. */
|
|
||||||
if (asprintf(&mount_point, "%s/unit-extensions/%zu", private_namespace_dir, n_mount_images++) < 0)
|
|
||||||
return -ENOMEM;
|
|
||||||
|
|
||||||
/* Look for any prefixes */
|
/* Look for any prefixes */
|
||||||
if (startswith(e, "-")) {
|
if (startswith(e, "-")) {
|
||||||
e++;
|
e++;
|
||||||
|
@ -596,11 +596,19 @@ static int append_extensions(
|
||||||
&result);
|
&result);
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
return r;
|
return r;
|
||||||
if (!result.path)
|
if (!result.path) {
|
||||||
|
if (ignore_enoent)
|
||||||
|
continue;
|
||||||
|
|
||||||
return log_debug_errno(
|
return log_debug_errno(
|
||||||
SYNTHETIC_ERRNO(ENOENT),
|
SYNTHETIC_ERRNO(ENOENT),
|
||||||
"No matching entry in .v/ directory %s found.",
|
"No matching entry in .v/ directory %s found.",
|
||||||
e);
|
e);
|
||||||
|
}
|
||||||
|
|
||||||
|
/* Pick up the counter where the ExtensionImages left it. */
|
||||||
|
if (asprintf(&mount_point, "%s/unit-extensions/%zu", private_namespace_dir, n_mount_images++) < 0)
|
||||||
|
return -ENOMEM;
|
||||||
|
|
||||||
for (size_t j = 0; hierarchies && hierarchies[j]; ++j) {
|
for (size_t j = 0; hierarchies && hierarchies[j]; ++j) {
|
||||||
char *prefixed_hierarchy = path_join(mount_point, hierarchies[j]);
|
char *prefixed_hierarchy = path_join(mount_point, hierarchies[j]);
|
||||||
|
|
|
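Review bot: The new `if (m->ignore_enoent) continue;` branch in the first hunk (and the matching `if (ignore_enoent) continue;` in the third hunk) drops an extension silently, whereas the non-ignored path right below it logs at debug level; a skipped `.v/` lookup is exactly the thing an admin debugging a missing extension needs to see. I would keep the two paths symmetric, e.g. `if (m->ignore_enoent) { log_debug("No matching entry in .v/ directory %s found, ignoring.", m->source); continue; }` and the same with `e` for the second loop. Moving the `asprintf()` of `mount_point` below the lookup is sound, since the counter is no longer consumed for an entry that is then skipped. Both loops start and end outside the hunks shown.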
@ -4169,7 +4169,7 @@ static void service_sigchld_event(Unit *u, pid_t pid, int code, int status) {
|
||||||
* detect when the cgroup becomes empty. Note that the control process is always
|
* detect when the cgroup becomes empty. Note that the control process is always
|
||||||
* our child so it's pointless to watch all other processes. */
|
* our child so it's pointless to watch all other processes. */
|
||||||
if (!control_pid_good(s))
|
if (!control_pid_good(s))
|
||||||
if (!s->main_pid_known || s->main_pid_alien)
|
if (!s->main_pid_known || s->main_pid_alien || unit_cgroup_delegate(u))
|
||||||
(void) unit_enqueue_rewatch_pids(u);
|
(void) unit_enqueue_rewatch_pids(u);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
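Review bot: The comment above the condition still says only that watching is pointless unless the main PID is unknown or alien, but the new `|| unit_cgroup_delegate(u)` term adds a third reason that the comment does not explain, so the next reader has to guess why delegation matters here. I would extend it with something like `* ... or the cgroup is delegated, in which case the service may have placed processes in sub-cgroups we do not otherwise track, so we must rewatch to notice when the cgroup becomes empty. */` — the exact wording should match whatever delegation semantics the rest of the function relies on, which I cannot see from this hunk. The enclosing function continues outside the hunk.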
@ -1046,7 +1046,6 @@ static int process_socket(int fd) {
|
||||||
_cleanup_close_ int input_fd = -EBADF, mount_tree_fd = -EBADF;
|
_cleanup_close_ int input_fd = -EBADF, mount_tree_fd = -EBADF;
|
||||||
Context context = {};
|
Context context = {};
|
||||||
struct iovec_wrapper iovw = {};
|
struct iovec_wrapper iovw = {};
|
||||||
struct iovec iovec;
|
|
||||||
bool first = true;
|
bool first = true;
|
||||||
int r;
|
int r;
|
||||||
|
|
||||||
|
@ -1063,8 +1062,7 @@ static int process_socket(int fd) {
|
||||||
.msg_controllen = sizeof(control),
|
.msg_controllen = sizeof(control),
|
||||||
.msg_iovlen = 1,
|
.msg_iovlen = 1,
|
||||||
};
|
};
|
||||||
ssize_t n;
|
ssize_t n, l;
|
||||||
ssize_t l;
|
|
||||||
|
|
||||||
l = next_datagram_size_fd(fd);
|
l = next_datagram_size_fd(fd);
|
||||||
if (l < 0) {
|
if (l < 0) {
|
||||||
|
@ -1072,8 +1070,10 @@ static int process_socket(int fd) {
|
||||||
goto finish;
|
goto finish;
|
||||||
}
|
}
|
||||||
|
|
||||||
iovec.iov_len = l;
|
_cleanup_(iovec_done) struct iovec iovec = {
|
||||||
iovec.iov_base = malloc(l + 1);
|
.iov_len = l,
|
||||||
|
.iov_base = malloc(l + 1),
|
||||||
|
};
|
||||||
if (!iovec.iov_base) {
|
if (!iovec.iov_base) {
|
||||||
r = log_oom();
|
r = log_oom();
|
||||||
goto finish;
|
goto finish;
|
||||||
|
@ -1083,7 +1083,6 @@ static int process_socket(int fd) {
|
||||||
|
|
||||||
n = recvmsg_safe(fd, &mh, MSG_CMSG_CLOEXEC);
|
n = recvmsg_safe(fd, &mh, MSG_CMSG_CLOEXEC);
|
||||||
if (n < 0) {
|
if (n < 0) {
|
||||||
free(iovec.iov_base);
|
|
||||||
r = log_error_errno(n, "Failed to receive datagram: %m");
|
r = log_error_errno(n, "Failed to receive datagram: %m");
|
||||||
goto finish;
|
goto finish;
|
||||||
}
|
}
|
||||||
|
@ -1093,8 +1092,6 @@ static int process_socket(int fd) {
|
||||||
if (n == 0) {
|
if (n == 0) {
|
||||||
struct cmsghdr *found;
|
struct cmsghdr *found;
|
||||||
|
|
||||||
free(iovec.iov_base);
|
|
||||||
|
|
||||||
found = cmsg_find(&mh, SOL_SOCKET, SCM_RIGHTS, CMSG_LEN(sizeof(int) * 2));
|
found = cmsg_find(&mh, SOL_SOCKET, SCM_RIGHTS, CMSG_LEN(sizeof(int) * 2));
|
||||||
if (found) {
|
if (found) {
|
||||||
int fds[2] = EBADF_PAIR;
|
int fds[2] = EBADF_PAIR;
|
||||||
|
@ -1134,6 +1131,8 @@ static int process_socket(int fd) {
|
||||||
r = iovw_put(&iovw, iovec.iov_base, iovec.iov_len);
|
r = iovw_put(&iovw, iovec.iov_base, iovec.iov_len);
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
goto finish;
|
goto finish;
|
||||||
|
|
||||||
|
TAKE_STRUCT(iovec);
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Make sure we got all data we really need */
|
/* Make sure we got all data we really need */
|
||||||
|
|
|
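Review bot: The `TAKE_STRUCT(iovec);` added after the successful `iovw_put()` is what stops the new `_cleanup_(iovec_done)` from freeing a buffer that `iovw` now owns, but nothing at the call site says so, and a future edit that moves or removes it would reintroduce a double free. I would annotate it: `/* iovw now owns iov_base, so make sure the cleanup handler does not free it. */`. The `.iov_base = malloc(l + 1)` in the designated initializer is safe because `l < 0` is rejected just above; if the declaration sits inside the receive loop (whose start and end are outside these hunks), the cleanup runs once per iteration, which is the intended replacement for the three removed `free()` calls.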
@ -690,35 +690,10 @@ static int verb_setup(int argc, char **argv, void *userdata) {
|
||||||
}
|
}
|
||||||
|
|
||||||
static int verb_has_tpm2(int argc, char **argv, void *userdata) {
|
static int verb_has_tpm2(int argc, char **argv, void *userdata) {
|
||||||
Tpm2Support s;
|
if (!arg_quiet)
|
||||||
|
log_notice("The 'systemd-creds %1$s' command has been replaced by 'systemd-analyze %1$s'. Redirecting invocation.", argv[optind]);
|
||||||
|
|
||||||
s = tpm2_support();
|
return verb_has_tpm2_generic(arg_quiet);
|
||||||
|
|
||||||
if (!arg_quiet) {
|
|
||||||
if (s == TPM2_SUPPORT_FULL)
|
|
||||||
puts("yes");
|
|
||||||
else if (s == TPM2_SUPPORT_NONE)
|
|
||||||
puts("no");
|
|
||||||
else
|
|
||||||
puts("partial");
|
|
||||||
|
|
||||||
printf("%sfirmware\n"
|
|
||||||
"%sdriver\n"
|
|
||||||
"%ssystem\n"
|
|
||||||
"%ssubsystem\n"
|
|
||||||
"%slibraries\n",
|
|
||||||
plus_minus(s & TPM2_SUPPORT_FIRMWARE),
|
|
||||||
plus_minus(s & TPM2_SUPPORT_DRIVER),
|
|
||||||
plus_minus(s & TPM2_SUPPORT_SYSTEM),
|
|
||||||
plus_minus(s & TPM2_SUPPORT_SUBSYSTEM),
|
|
||||||
plus_minus(s & TPM2_SUPPORT_LIBRARIES));
|
|
||||||
}
|
|
||||||
|
|
||||||
/* Return inverted bit flags. So that TPM2_SUPPORT_FULL becomes EXIT_SUCCESS and the other values
|
|
||||||
* become some reasonable values 1…7. i.e. the flags we return here tell what is missing rather than
|
|
||||||
* what is there, acknowledging the fact that for process exit statuses it is customary to return
|
|
||||||
* zero (EXIT_FAILURE) when all is good, instead of all being bad. */
|
|
||||||
return ~s & TPM2_SUPPORT_FULL;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
static int verb_help(int argc, char **argv, void *userdata) {
|
static int verb_help(int argc, char **argv, void *userdata) {
|
||||||
|
@ -739,10 +714,9 @@ static int verb_help(int argc, char **argv, void *userdata) {
|
||||||
" ciphertext credential file\n"
|
" ciphertext credential file\n"
|
||||||
" decrypt INPUT [OUTPUT] Decrypt ciphertext credential file and write to\n"
|
" decrypt INPUT [OUTPUT] Decrypt ciphertext credential file and write to\n"
|
||||||
" plaintext credential file\n"
|
" plaintext credential file\n"
|
||||||
" has-tpm2 Report whether TPM2 support is available\n"
|
"\n%3$sOptions:%4$s\n"
|
||||||
" -h --help Show this help\n"
|
" -h --help Show this help\n"
|
||||||
" --version Show package version\n"
|
" --version Show package version\n"
|
||||||
"\n%3$sOptions:%4$s\n"
|
|
||||||
" --no-pager Do not pipe output into a pager\n"
|
" --no-pager Do not pipe output into a pager\n"
|
||||||
" --no-legend Do not show the headers and footers\n"
|
" --no-legend Do not show the headers and footers\n"
|
||||||
" --json=pretty|short|off\n"
|
" --json=pretty|short|off\n"
|
||||||
|
@ -774,7 +748,6 @@ static int verb_help(int argc, char **argv, void *userdata) {
|
||||||
" --user Select user-scoped credential encryption\n"
|
" --user Select user-scoped credential encryption\n"
|
||||||
" --uid=UID Select user for scoped credentials\n"
|
" --uid=UID Select user for scoped credentials\n"
|
||||||
" --allow-null Allow decrypting credentials with empty key\n"
|
" --allow-null Allow decrypting credentials with empty key\n"
|
||||||
" -q --quiet Suppress output for 'has-tpm2' verb\n"
|
|
||||||
"\nSee the %2$s for details.\n",
|
"\nSee the %2$s for details.\n",
|
||||||
program_invocation_short_name,
|
program_invocation_short_name,
|
||||||
link,
|
link,
|
||||||
|
@ -1073,7 +1046,7 @@ static int creds_main(int argc, char *argv[]) {
|
||||||
{ "decrypt", 2, 3, 0, verb_decrypt },
|
{ "decrypt", 2, 3, 0, verb_decrypt },
|
||||||
{ "setup", VERB_ANY, 1, 0, verb_setup },
|
{ "setup", VERB_ANY, 1, 0, verb_setup },
|
||||||
{ "help", VERB_ANY, 1, 0, verb_help },
|
{ "help", VERB_ANY, 1, 0, verb_help },
|
||||||
{ "has-tpm2", VERB_ANY, 1, 0, verb_has_tpm2 },
|
{ "has-tpm2", VERB_ANY, 1, 0, verb_has_tpm2 }, /* for backward compatibility */
|
||||||
{}
|
{}
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
|
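Review bot: The help text drops the `-q --quiet  Suppress output for 'has-tpm2' verb` line, yet `arg_quiet` is still read in the redirected `verb_has_tpm2()` and passed to `verb_has_tpm2_generic(arg_quiet)`; if the option is still accepted by the parser (outside these hunks), it is now undocumented. Either keep a help line such as `"  -q --quiet             Suppress output (deprecated, use systemd-analyze has-tpm2)\n"` or remove the option together with the verb. The `/* for backward compatibility */` note on the verb table entry is good; a matching one-line comment above `verb_has_tpm2()` saying the verb only redirects would make the two agree.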
@ -425,7 +425,8 @@ int enroll_tpm2(struct crypt_device *cd,
|
||||||
r = tpm2_pcr_values_to_mask(hash_pcr_values, n_hash_pcr_values, hash_pcr_bank, &hash_pcr_mask);
|
r = tpm2_pcr_values_to_mask(hash_pcr_values, n_hash_pcr_values, hash_pcr_bank, &hash_pcr_mask);
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
return log_error_errno(r, "Could not get hash mask: %m");
|
return log_error_errno(r, "Could not get hash mask: %m");
|
||||||
} else if (pubkey_pcr_mask != 0) {
|
|
||||||
|
} else if (pubkey_pcr_mask != 0 && !device_key) {
|
||||||
|
|
||||||
/* If no literal PCR value policy is used, then let's determine the mask to use automatically
|
/* If no literal PCR value policy is used, then let's determine the mask to use automatically
|
||||||
* from the measurements of the TPM. */
|
* from the measurements of the TPM. */
|
||||||
|
|
|
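Review bot: The comment directly below the changed condition still describes only the "no literal PCR value policy" case, while the new `&& !device_key` term means the automatic mask detection is also skipped whenever a device key is supplied, and the reader is not told why. Presumably this is because device-key enrollment runs without access to the TPM that the measurements would be read from; if so, say it: `/* If no literal PCR value policy is used and we can talk to the TPM (i.e. no device key was given), determine the mask to use automatically from the measurements of the TPM. */`. It is also worth documenting what mask remains in effect on the device-key path, since that decides which PCRs the sealed key is bound to; that code is outside the hunk.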
@ -93,20 +93,6 @@ STATIC_DESTRUCTOR_REGISTER(arg_root_shell, freep);
|
||||||
STATIC_DESTRUCTOR_REGISTER(arg_kernel_cmdline, freep);
|
STATIC_DESTRUCTOR_REGISTER(arg_kernel_cmdline, freep);
|
||||||
STATIC_DESTRUCTOR_REGISTER(arg_image_policy, image_policy_freep);
|
STATIC_DESTRUCTOR_REGISTER(arg_image_policy, image_policy_freep);
|
||||||
|
|
||||||
static bool press_any_key(void) {
|
|
||||||
char k = 0;
|
|
||||||
bool need_nl = true;
|
|
||||||
|
|
||||||
puts("-- Press any key to proceed --");
|
|
||||||
|
|
||||||
(void) read_one_char(stdin, &k, USEC_INFINITY, &need_nl);
|
|
||||||
|
|
||||||
if (need_nl)
|
|
||||||
putchar('\n');
|
|
||||||
|
|
||||||
return k != 'q';
|
|
||||||
}
|
|
||||||
|
|
||||||
static void print_welcome(int rfd) {
|
static void print_welcome(int rfd) {
|
||||||
_cleanup_free_ char *pretty_name = NULL, *os_name = NULL, *ansi_color = NULL;
|
_cleanup_free_ char *pretty_name = NULL, *os_name = NULL, *ansi_color = NULL;
|
||||||
static bool done = false;
|
static bool done = false;
|
||||||
|
@ -141,7 +127,7 @@ static void print_welcome(int rfd) {
|
||||||
|
|
||||||
printf("\nPlease configure your system!\n\n");
|
printf("\nPlease configure your system!\n\n");
|
||||||
|
|
||||||
press_any_key();
|
any_key_to_proceed();
|
||||||
|
|
||||||
done = true;
|
done = true;
|
||||||
}
|
}
|
||||||
|
@ -184,7 +170,7 @@ static int show_menu(char **x, unsigned n_columns, unsigned width, unsigned perc
|
||||||
|
|
||||||
/* on the first screen we reserve 2 extra lines for the title */
|
/* on the first screen we reserve 2 extra lines for the title */
|
||||||
if (i % break_lines == break_modulo) {
|
if (i % break_lines == break_modulo) {
|
||||||
if (!press_any_key())
|
if (!any_key_to_proceed())
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
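Review bot: The removed `press_any_key()` returned `k != 'q'` so that `show_menu()` could abort with `return 0` on 'q'; the replacement `any_key_to_proceed()` is used in the same `if (!...)` position, so its contract must be identical, and its definition is not visible here — please confirm it returns false on 'q'. In `print_welcome()` here and in `create_interactively()` (the hunk at L13648–L13688) the result is discarded; if 'q' is meant to cancel there too, check it, otherwise cast it away with `(void) any_key_to_proceed();` to match how the file treats ignored results elsewhere (`(void) read_one_char(...)` in the removed helper).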
@ -31,3 +31,25 @@ static inline bool unified_section_measure(UnifiedSection section) {
|
||||||
|
|
||||||
/* Max number of profiles per UKI */
|
/* Max number of profiles per UKI */
|
||||||
#define UNIFIED_PROFILES_MAX 256U
|
#define UNIFIED_PROFILES_MAX 256U
|
||||||
|
|
||||||
|
/* The native PE machine type, if known, for a full list see:
|
||||||
|
* https://learn.microsoft.com/en-us/windows/win32/debug/pe-format#machine-types */
|
||||||
|
#ifndef _IMAGE_FILE_MACHINE_NATIVE
|
||||||
|
# if defined(__x86_64__)
|
||||||
|
# define _IMAGE_FILE_MACHINE_NATIVE UINT16_C(0x8664)
|
||||||
|
# elif defined(__i386__)
|
||||||
|
# define _IMAGE_FILE_MACHINE_NATIVE UINT16_C(0x014c)
|
||||||
|
# elif defined(__ia64__)
|
||||||
|
# define _IMAGE_FILE_MACHINE_NATIVE UINT16_C(0x0200)
|
||||||
|
# elif defined(__aarch64__)
|
||||||
|
# define _IMAGE_FILE_MACHINE_NATIVE UINT16_C(0xaa64)
|
||||||
|
# elif defined(__arm__)
|
||||||
|
# define _IMAGE_FILE_MACHINE_NATIVE UINT16_C(0x01c0)
|
||||||
|
# elif defined(__riscv)
|
||||||
|
# if __SIZEOF_POINTER__ == 4
|
||||||
|
# define _IMAGE_FILE_MACHINE_NATIVE UINT16_C(0x5032)
|
||||||
|
# elif __SIZEOF_POINTER__ == 8
|
||||||
|
# define _IMAGE_FILE_MACHINE_NATIVE UINT16_C(0x5064)
|
||||||
|
# endif
|
||||||
|
# endif
|
||||||
|
#endif
|
||||||
|
|
|
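Review bot: `_IMAGE_FILE_MACHINE_NATIVE` is a reserved identifier in C (leading underscore followed by an uppercase letter), so unless a toolchain header is known to define this exact name and the `#ifndef` is there to defer to it, the macro should be renamed, e.g. `IMAGE_FILE_MACHINE_NATIVE`. Separately, the chain silently leaves the macro undefined on any architecture not listed (loongarch64, for which the PE spec assigns 0x6264, is one such case), so every user must guard it with `#ifdef`; a trailing `# else`/`# error "unknown native PE machine type"` would turn a silent build gap into a build error, or if silent absence is intended, the comment above should say so.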
@ -2434,6 +2434,8 @@ static int create_interactively(void) {
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
any_key_to_proceed();
|
||||||
|
|
||||||
r = acquire_bus(&bus);
|
r = acquire_bus(&bus);
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
return r;
|
return r;
|
||||||
|
|
|
@ -222,20 +222,16 @@ int manager_new(Manager **ret) {
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
return r;
|
return r;
|
||||||
|
|
||||||
r = sd_event_add_signal(m->event, NULL, SIGINT, NULL, NULL);
|
r = sd_event_set_signal_exit(m->event, true);
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
return r;
|
return r;
|
||||||
|
|
||||||
r = sd_event_add_signal(m->event, NULL, SIGTERM, NULL, NULL);
|
r = sd_event_add_memory_pressure(m->event, /* ret_event_source= */ NULL, /* callback= */ NULL, /* userdata= */ NULL);
|
||||||
if (r < 0)
|
|
||||||
return r;
|
|
||||||
|
|
||||||
r = sd_event_add_memory_pressure(m->event, NULL, NULL, NULL);
|
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
log_full_errno(ERRNO_IS_NOT_SUPPORTED(r) || ERRNO_IS_PRIVILEGE(r) || (r == -EHOSTDOWN) ? LOG_DEBUG : LOG_WARNING, r,
|
log_full_errno(ERRNO_IS_NOT_SUPPORTED(r) || ERRNO_IS_PRIVILEGE(r) || (r == -EHOSTDOWN) ? LOG_DEBUG : LOG_WARNING, r,
|
||||||
"Failed to allocate memory pressure watch, ignoring: %m");
|
"Failed to allocate memory pressure watch, ignoring: %m");
|
||||||
|
|
||||||
r = sd_event_add_signal(m->event, NULL, SIGRTMIN+18, sigrtmin18_handler, NULL);
|
r = sd_event_add_signal(m->event, /* ret_event_source= */ NULL, (SIGRTMIN+18)|SD_EVENT_SIGNAL_PROCMASK, sigrtmin18_handler, /* userdata = */ NULL);
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
return r;
|
return r;
|
||||||
|
|
||||||
|
|
|
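Review bot: With the explicit `sigprocmask_many()` in `run()` reduced to SIGCHLD (L13782–L13816, and the same pattern at L14218–L14444 for logind, L14663–L14767 for machined), SIGRTMIN+18 is no longer blocked until `sd_event_add_signal(..., (SIGRTMIN+18)|SD_EVENT_SIGNAL_PROCMASK, ...)` runs inside `manager_new()`; a real-time signal delivered in that window takes its default action, which terminates the process, whereas previously it would have stayed pending. The window is small and probably acceptable, but it is a behaviour change worth a comment at the remaining `sigprocmask_many()` call: `/* SIGCHLD must be blocked before any child event source is added; the other signals are blocked by sd_event_add_signal() via SD_EVENT_SIGNAL_PROCMASK. */`. The `sd_event_add_memory_pressure()` error handling is unchanged and still correctly downgrades unsupported/permission errors to debug.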
@ -29,7 +29,7 @@ static int run(int argc, char *argv[]) {
|
||||||
|
|
||||||
umask(0022);
|
umask(0022);
|
||||||
|
|
||||||
assert_se(sigprocmask_many(SIG_BLOCK, NULL, SIGCHLD, SIGTERM, SIGINT, SIGRTMIN+18) >= 0);
|
assert_se(sigprocmask_many(SIG_BLOCK, /* ret_old_mask= */ NULL, SIGCHLD) >= 0);
|
||||||
|
|
||||||
r = manager_new(&m);
|
r = manager_new(&m);
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
|
|
|
@ -1787,17 +1787,15 @@ static int server_setup_signals(Server *s) {
|
||||||
|
|
||||||
assert(s);
|
assert(s);
|
||||||
|
|
||||||
assert_se(sigprocmask_many(SIG_SETMASK, NULL, SIGINT, SIGTERM, SIGUSR1, SIGUSR2, SIGRTMIN+1, SIGRTMIN+18) >= 0);
|
r = sd_event_add_signal(s->event, &s->sigusr1_event_source, SIGUSR1|SD_EVENT_SIGNAL_PROCMASK, dispatch_sigusr1, s);
|
||||||
|
|
||||||
r = sd_event_add_signal(s->event, &s->sigusr1_event_source, SIGUSR1, dispatch_sigusr1, s);
|
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
return r;
|
return r;
|
||||||
|
|
||||||
r = sd_event_add_signal(s->event, &s->sigusr2_event_source, SIGUSR2, dispatch_sigusr2, s);
|
r = sd_event_add_signal(s->event, &s->sigusr2_event_source, SIGUSR2|SD_EVENT_SIGNAL_PROCMASK, dispatch_sigusr2, s);
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
return r;
|
return r;
|
||||||
|
|
||||||
r = sd_event_add_signal(s->event, &s->sigterm_event_source, SIGTERM, dispatch_sigterm, s);
|
r = sd_event_add_signal(s->event, &s->sigterm_event_source, SIGTERM|SD_EVENT_SIGNAL_PROCMASK, dispatch_sigterm, s);
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
return r;
|
return r;
|
||||||
|
|
||||||
|
@ -1808,7 +1806,7 @@ static int server_setup_signals(Server *s) {
|
||||||
|
|
||||||
/* When journald is invoked on the terminal (when debugging), it's useful if C-c is handled
|
/* When journald is invoked on the terminal (when debugging), it's useful if C-c is handled
|
||||||
* equivalent to SIGTERM. */
|
* equivalent to SIGTERM. */
|
||||||
r = sd_event_add_signal(s->event, &s->sigint_event_source, SIGINT, dispatch_sigterm, s);
|
r = sd_event_add_signal(s->event, &s->sigint_event_source, SIGINT|SD_EVENT_SIGNAL_PROCMASK, dispatch_sigterm, s);
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
return r;
|
return r;
|
||||||
|
|
||||||
|
@ -1819,7 +1817,7 @@ static int server_setup_signals(Server *s) {
|
||||||
/* SIGRTMIN+1 causes an immediate sync. We process this very late, so that everything else queued at
|
/* SIGRTMIN+1 causes an immediate sync. We process this very late, so that everything else queued at
|
||||||
* this point is really written to disk. Clients can watch /run/systemd/journal/synced with inotify
|
* this point is really written to disk. Clients can watch /run/systemd/journal/synced with inotify
|
||||||
* until its mtime changes to see when a sync happened. */
|
* until its mtime changes to see when a sync happened. */
|
||||||
r = sd_event_add_signal(s->event, &s->sigrtmin1_event_source, SIGRTMIN+1, dispatch_sigrtmin1, s);
|
r = sd_event_add_signal(s->event, &s->sigrtmin1_event_source, (SIGRTMIN+1)|SD_EVENT_SIGNAL_PROCMASK, dispatch_sigrtmin1, s);
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
return r;
|
return r;
|
||||||
|
|
||||||
|
@ -1827,7 +1825,7 @@ static int server_setup_signals(Server *s) {
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
return r;
|
return r;
|
||||||
|
|
||||||
r = sd_event_add_signal(s->event, NULL, SIGRTMIN+18, sigrtmin18_handler, &s->sigrtmin18_info);
|
r = sd_event_add_signal(s->event, /* ret_event_source= */ NULL, (SIGRTMIN+18)|SD_EVENT_SIGNAL_PROCMASK, sigrtmin18_handler, &s->sigrtmin18_info);
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
return r;
|
return r;
|
||||||
|
|
||||||
|
|
|
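Review bot: The removed line used `SIG_SETMASK`, which replaced the whole inherited signal mask with exactly the listed signals; the new `SD_EVENT_SIGNAL_PROCMASK` flags only add to the mask, so any signal that was blocked in the parent stays blocked in journald. That is harmless when spawned by PID 1 with a clean mask, but when journald is started from a shell for debugging (the case the comment at L13899 mentions) an inherited mask would now leak through. If a known starting mask matters, reset it explicitly before the first `sd_event_add_signal()` (signal-util's `reset_signal_mask()` looks like the right helper, if that is what it does) and say so in a comment. `server_setup_signals()` continues outside the hunks shown.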
@ -404,15 +404,16 @@ static int context_set_path_strv(Context *c, char* const* strv, const char *sour
|
||||||
|
|
||||||
static int context_set_plugins(Context *c, const char *s, const char *source) {
|
static int context_set_plugins(Context *c, const char *s, const char *source) {
|
||||||
_cleanup_strv_free_ char **v = NULL;
|
_cleanup_strv_free_ char **v = NULL;
|
||||||
|
int r;
|
||||||
|
|
||||||
assert(c);
|
assert(c);
|
||||||
|
|
||||||
if (c->plugins || !s)
|
if (c->plugins || !s)
|
||||||
return 0;
|
return 0;
|
||||||
|
|
||||||
v = strv_split(s, NULL);
|
r = strv_split_full(&v, s, NULL, EXTRACT_UNQUOTE);
|
||||||
if (!v)
|
if (r < 0)
|
||||||
return log_oom();
|
return log_error_errno(r, "Failed to parse plugin paths from %s: %m", source);
|
||||||
|
|
||||||
return context_set_path_strv(c, v, source, "plugins", &c->plugins);
|
return context_set_path_strv(c, v, source, "plugins", &c->plugins);
|
||||||
}
|
}
|
||||||
|
|
|
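Review bot: Switching to `strv_split_full(&v, s, NULL, EXTRACT_UNQUOTE)` is a user-visible behaviour change for `$KERNEL_INSTALL_PLUGINS` and the `plugins=` setting: quoting is now interpreted, so an existing value containing a stray `'` or `"` that used to be taken literally now fails with "Failed to parse plugin paths", while paths with spaces become expressible. That deserves a line in the kernel-install man page and NEWS; if breaking old values is not acceptable, `EXTRACT_RELAX` would keep unbalanced quotes from being a hard error. A short comment above the call, `/* Paths may be quoted so that they can contain whitespace. */`, would explain the flag to the next reader.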
@ -46,7 +46,13 @@ echo 'DTBDTBDTBDTB' >"$D/sources/subdir/whatever.dtb"
|
||||||
|
|
||||||
export KERNEL_INSTALL_CONF_ROOT="$D/sources"
|
export KERNEL_INSTALL_CONF_ROOT="$D/sources"
|
||||||
# We "install" multiple plugins, but control which ones will be active via install.conf.
|
# We "install" multiple plugins, but control which ones will be active via install.conf.
|
||||||
export KERNEL_INSTALL_PLUGINS="${ukify_install} ${loaderentry_install} ${uki_copy_install}"
|
KERNEL_INSTALL_PLUGINS="'${loaderentry_install}' '${uki_copy_install}'"
|
||||||
|
if [[ -n "$ukify_install" ]]; then
|
||||||
|
# shellcheck disable=SC2089
|
||||||
|
KERNEL_INSTALL_PLUGINS="'${ukify_install}' $KERNEL_INSTALL_PLUGINS"
|
||||||
|
fi
|
||||||
|
# shellcheck disable=SC2090
|
||||||
|
export KERNEL_INSTALL_PLUGINS
|
||||||
export BOOT_ROOT="$D/boot"
|
export BOOT_ROOT="$D/boot"
|
||||||
export BOOT_MNT="$D/boot"
|
export BOOT_MNT="$D/boot"
|
||||||
export MACHINE_ID='3e0484f3634a418b8e6a39e8828b03e3'
|
export MACHINE_ID='3e0484f3634a418b8e6a39e8828b03e3'
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
/* SPDX-License-Identifier: LGPL-2.1-or-later */
|
/* SPDX-License-Identifier: LGPL-2.1-or-later */
|
||||||
|
|
||||||
#include "env-util.h"
|
#include "env-util.h"
|
||||||
#include "format-util.h"
|
#include "format-ifname.h"
|
||||||
#include "network-common.h"
|
#include "network-common.h"
|
||||||
#include "socket-util.h"
|
#include "socket-util.h"
|
||||||
#include "unaligned.h"
|
#include "unaligned.h"
|
||||||
|
|
|
@ -1229,7 +1229,7 @@ static int generic_method_get_interface_description(
|
||||||
sd_varlink_method_flags_t flags,
|
sd_varlink_method_flags_t flags,
|
||||||
void *userdata) {
|
void *userdata) {
|
||||||
|
|
||||||
static const struct sd_json_dispatch_field dispatch_table[] = {
|
static const sd_json_dispatch_field dispatch_table[] = {
|
||||||
{ "interface", SD_JSON_VARIANT_STRING, sd_json_dispatch_const_string, 0, SD_JSON_MANDATORY },
|
{ "interface", SD_JSON_VARIANT_STRING, sd_json_dispatch_const_string, 0, SD_JSON_MANDATORY },
|
||||||
{}
|
{}
|
||||||
};
|
};
|
||||||
|
|
|
@ -86,15 +86,11 @@ static int manager_new(Manager **ret) {
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
return r;
|
return r;
|
||||||
|
|
||||||
r = sd_event_add_signal(m->event, NULL, SIGINT, NULL, NULL);
|
r = sd_event_set_signal_exit(m->event, true);
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
return r;
|
return r;
|
||||||
|
|
||||||
r = sd_event_add_signal(m->event, NULL, SIGTERM, NULL, NULL);
|
r = sd_event_add_signal(m->event, /* ret_event_source= */ NULL, (SIGRTMIN+18)|SD_EVENT_SIGNAL_PROCMASK, sigrtmin18_handler, /* userdata= */ NULL);
|
||||||
if (r < 0)
|
|
||||||
return r;
|
|
||||||
|
|
||||||
r = sd_event_add_signal(m->event, NULL, SIGRTMIN+18, sigrtmin18_handler, NULL);
|
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
return r;
|
return r;
|
||||||
|
|
||||||
|
@ -826,7 +822,7 @@ static int manager_connect_console(Manager *m) {
|
||||||
return log_error_errno(r, "Failed to watch foreground console: %m");
|
return log_error_errno(r, "Failed to watch foreground console: %m");
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* SIGRTMIN is used as global VT-release signal, SIGRTMIN + 1 is used
|
* SIGRTMIN + 0 is used as global VT-release signal, SIGRTMIN + 1 is used
|
||||||
* as VT-acquire signal. We ignore any acquire-events (yes, we still
|
* as VT-acquire signal. We ignore any acquire-events (yes, we still
|
||||||
* have to provide a valid signal-number for it!) and acknowledge all
|
* have to provide a valid signal-number for it!) and acknowledge all
|
||||||
* release events immediately.
|
* release events immediately.
|
||||||
|
@ -838,11 +834,10 @@ static int manager_connect_console(Manager *m) {
|
||||||
SIGRTMIN, SIGRTMAX);
|
SIGRTMIN, SIGRTMAX);
|
||||||
|
|
||||||
assert_se(ignore_signals(SIGRTMIN + 1) >= 0);
|
assert_se(ignore_signals(SIGRTMIN + 1) >= 0);
|
||||||
assert_se(sigprocmask_many(SIG_BLOCK, NULL, SIGRTMIN) >= 0);
|
|
||||||
|
|
||||||
r = sd_event_add_signal(m->event, NULL, SIGRTMIN, manager_vt_switch, m);
|
r = sd_event_add_signal(m->event, /* ret_event_source= */ NULL, (SIGRTMIN + 0) | SD_EVENT_SIGNAL_PROCMASK, manager_vt_switch, m);
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
return log_error_errno(r, "Failed to subscribe to signal: %m");
|
return log_error_errno(r, "Failed to subscribe to SIGRTMIN+0 signal: %m");
|
||||||
|
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
@ -1097,7 +1092,7 @@ static int manager_startup(Manager *m) {
|
||||||
|
|
||||||
assert(m);
|
assert(m);
|
||||||
|
|
||||||
r = sd_event_add_signal(m->event, NULL, SIGHUP, manager_dispatch_reload_signal, m);
|
r = sd_event_add_signal(m->event, /* ret_event_source= */ NULL, SIGHUP|SD_EVENT_SIGNAL_PROCMASK, manager_dispatch_reload_signal, m);
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
return log_error_errno(r, "Failed to register SIGHUP handler: %m");
|
return log_error_errno(r, "Failed to register SIGHUP handler: %m");
|
||||||
|
|
||||||
|
@ -1247,7 +1242,7 @@ static int run(int argc, char *argv[]) {
|
||||||
(void) mkdir_label("/run/systemd/users", 0755);
|
(void) mkdir_label("/run/systemd/users", 0755);
|
||||||
(void) mkdir_label("/run/systemd/sessions", 0755);
|
(void) mkdir_label("/run/systemd/sessions", 0755);
|
||||||
|
|
||||||
assert_se(sigprocmask_many(SIG_BLOCK, NULL, SIGHUP, SIGTERM, SIGINT, SIGCHLD, SIGRTMIN+18) >= 0);
|
assert_se(sigprocmask_many(SIG_BLOCK, /* ret_old_mask= */ NULL, SIGCHLD) >= 0);
|
||||||
|
|
||||||
r = manager_new(&m);
|
r = manager_new(&m);
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
|
|
|
@ -32,6 +32,7 @@
|
||||||
#include "edit-util.h"
|
#include "edit-util.h"
|
||||||
#include "env-util.h"
|
#include "env-util.h"
|
||||||
#include "fd-util.h"
|
#include "fd-util.h"
|
||||||
|
#include "format-ifname.h"
|
||||||
#include "format-table.h"
|
#include "format-table.h"
|
||||||
#include "hostname-util.h"
|
#include "hostname-util.h"
|
||||||
#include "import-util.h"
|
#include "import-util.h"
|
||||||
|
@ -1219,8 +1220,6 @@ static int process_forward(sd_event *event, PTYForward **forward, int master, PT
|
||||||
assert(master >= 0);
|
assert(master >= 0);
|
||||||
assert(name);
|
assert(name);
|
||||||
|
|
||||||
assert_se(sigprocmask_many(SIG_BLOCK, NULL, SIGWINCH, SIGTERM, SIGINT) >= 0);
|
|
||||||
|
|
||||||
if (!arg_quiet) {
|
if (!arg_quiet) {
|
||||||
if (streq(name, ".host"))
|
if (streq(name, ".host"))
|
||||||
log_info("Connected to the local host. Press ^] three times within 1s to exit session.");
|
log_info("Connected to the local host. Press ^] three times within 1s to exit session.");
|
||||||
|
@ -1228,8 +1227,9 @@ static int process_forward(sd_event *event, PTYForward **forward, int master, PT
|
||||||
log_info("Connected to machine %s. Press ^] three times within 1s to exit session.", name);
|
log_info("Connected to machine %s. Press ^] three times within 1s to exit session.", name);
|
||||||
}
|
}
|
||||||
|
|
||||||
(void) sd_event_add_signal(event, NULL, SIGINT, NULL, NULL);
|
r = sd_event_set_signal_exit(event, true);
|
||||||
(void) sd_event_add_signal(event, NULL, SIGTERM, NULL, NULL);
|
if (r < 0)
|
||||||
|
return log_error_errno(r, "Failed to enable SIGINT/SITERM handling: %m");
|
||||||
|
|
||||||
r = pty_forward_new(event, master, flags, forward);
|
r = pty_forward_new(event, master, flags, forward);
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
|
|
|
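Review bot: The new error message has a typo: `"Failed to enable SIGINT/SITERM handling: %m"` should read `"Failed to enable SIGINT/SIGTERM handling: %m"`. Also, the removed `sigprocmask_many()` blocked SIGWINCH in addition to SIGINT/SIGTERM, and `sd_event_set_signal_exit()` only covers the latter two; this is only correct if `pty_forward_new()` now registers SIGWINCH with `SD_EVENT_SIGNAL_PROCMASK` itself, which I cannot see from here — please confirm, otherwise window resizes would terminate the session instead of being forwarded. `process_forward()` continues outside the hunk.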
@ -416,19 +416,18 @@ static int list_machine_one(sd_varlink *link, Machine *m, bool more) {
|
||||||
}
|
}
|
||||||
|
|
||||||
static int vl_method_list(sd_varlink *link, sd_json_variant *parameters, sd_varlink_method_flags_t flags, void *userdata) {
|
static int vl_method_list(sd_varlink *link, sd_json_variant *parameters, sd_varlink_method_flags_t flags, void *userdata) {
|
||||||
Manager *m = ASSERT_PTR(userdata);
|
static const sd_json_dispatch_field dispatch_table[] = {
|
||||||
const char *mn = NULL;
|
{ "name", SD_JSON_VARIANT_STRING, sd_json_dispatch_const_string, 0, 0 },
|
||||||
|
|
||||||
const sd_json_dispatch_field dispatch_table[] = {
|
|
||||||
{ "name", SD_JSON_VARIANT_STRING, sd_json_dispatch_const_string, PTR_TO_SIZE(&mn), 0 },
|
|
||||||
{}
|
{}
|
||||||
};
|
};
|
||||||
|
|
||||||
|
Manager *m = ASSERT_PTR(userdata);
|
||||||
|
const char *mn = NULL;
|
||||||
int r;
|
int r;
|
||||||
|
|
||||||
assert(parameters);
|
assert(parameters);
|
||||||
|
|
||||||
r = sd_varlink_dispatch(link, parameters, dispatch_table, 0);
|
r = sd_varlink_dispatch(link, parameters, dispatch_table, &mn);
|
||||||
if (r != 0)
|
if (r != 0)
|
||||||
return r;
|
return r;
|
||||||
|
|
||||||
|
|
|
@ -55,15 +55,11 @@ static int manager_new(Manager **ret) {
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
return r;
|
return r;
|
||||||
|
|
||||||
r = sd_event_add_signal(m->event, NULL, SIGINT, NULL, NULL);
|
r = sd_event_set_signal_exit(m->event, true);
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
return r;
|
return r;
|
||||||
|
|
||||||
r = sd_event_add_signal(m->event, NULL, SIGTERM, NULL, NULL);
|
r = sd_event_add_signal(m->event, /* ret_event_source= */ NULL, (SIGRTMIN+18)|SD_EVENT_SIGNAL_PROCMASK, sigrtmin18_handler, /* userdata= */ NULL);
|
||||||
if (r < 0)
|
|
||||||
return r;
|
|
||||||
|
|
||||||
r = sd_event_add_signal(m->event, NULL, SIGRTMIN+18, sigrtmin18_handler, NULL);
|
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
return r;
|
return r;
|
||||||
|
|
||||||
|
@ -332,7 +328,7 @@ static int run(int argc, char *argv[]) {
|
||||||
* make sure this check stays in. */
|
* make sure this check stays in. */
|
||||||
(void) mkdir_label("/run/systemd/machines", 0755);
|
(void) mkdir_label("/run/systemd/machines", 0755);
|
||||||
|
|
||||||
assert_se(sigprocmask_many(SIG_BLOCK, NULL, SIGCHLD, SIGTERM, SIGINT, SIGRTMIN+18) >= 0);
|
assert_se(sigprocmask_many(SIG_BLOCK, /* ret_old_mask= */ NULL, SIGCHLD) >= 0);
|
||||||
|
|
||||||
r = manager_new(&m);
|
r = manager_new(&m);
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
|
|
|
@ -0,0 +1,25 @@
|
||||||
|
# SPDX-License-Identifier: LGPL-2.1-or-later
|
||||||
|
|
||||||
|
if conf.get('HAVE_VMLINUX_H') != 1
|
||||||
|
subdir_done()
|
||||||
|
endif
|
||||||
|
|
||||||
|
sysctl_monitor_bpf_o_unstripped = custom_target(
|
||||||
|
'sysctl-monitor.bpf.unstripped.o',
|
||||||
|
input : 'sysctl-monitor.bpf.c',
|
||||||
|
output : 'sysctl-monitor.bpf.unstripped.o',
|
||||||
|
command : bpf_o_unstripped_cmd,
|
||||||
|
depends : vmlinux_h_dependency)
|
||||||
|
|
||||||
|
sysctl_monitor_bpf_o = custom_target(
|
||||||
|
'sysctl-monitor.bpf.o',
|
||||||
|
input : sysctl_monitor_bpf_o_unstripped,
|
||||||
|
output : 'sysctl-monitor.bpf.o',
|
||||||
|
command : bpf_o_cmd)
|
||||||
|
|
||||||
|
sysctl_monitor_skel_h = custom_target(
|
||||||
|
'sysctl-monitor.skel.h',
|
||||||
|
input : sysctl_monitor_bpf_o,
|
||||||
|
output : 'sysctl-monitor.skel.h',
|
||||||
|
command : skel_h_cmd,
|
||||||
|
capture : true)
|
|
@ -0,0 +1,16 @@
|
||||||
|
/* SPDX-License-Identifier: LGPL-2.1-or-later */
|
||||||
|
|
||||||
|
/* The SPDX header above is actually correct in claiming this was
|
||||||
|
* LGPL-2.1-or-later, because it is. Since the kernel doesn't consider that
|
||||||
|
* compatible with GPL we will claim this to be GPL however, which should be
|
||||||
|
* fine given that LGPL-2.1-or-later downgrades to GPL if needed.
|
||||||
|
*/
|
||||||
|
|
||||||
|
#include "bpf-dlopen.h"
|
||||||
|
|
||||||
|
/* libbpf is used via dlopen(), so rename symbols */
|
||||||
|
#define bpf_object__destroy_skeleton sym_bpf_object__destroy_skeleton
|
||||||
|
#define bpf_object__load_skeleton sym_bpf_object__load_skeleton
|
||||||
|
#define bpf_object__open_skeleton sym_bpf_object__open_skeleton
|
||||||
|
|
||||||
|
#include "bpf/sysctl_monitor/sysctl-monitor.skel.h"
|
Some files were not shown because too many files have changed in this diff Show More
Loading…
Reference in New Issue