pam-systemd: talk to logind via varlink

This makes sure we now use Varlink per default as transport for allocating sessions. This reduces the time it takes to do one run0 cycle by roughly ~10% on my completely synthetic test setup (assuming the target user's service manager is already started) The D-Bus codepaths are kept in place for two reasons: * To make upgrades easy * If the user actually sets resource properties on the PAM session we fall back to the D-Bus codepaths, as we currently have no way to encode the scope properties in JSON, this is only supported for D-Bus serialization. The latter should be revisited once it is possible to allocate a scope unit from PID1 via varlink.
logind: add basic Varlink API
2024-11-23 00:21:44 +01:00 · 2024-11-23 00:18:46 +01:00 · 2024-11-23 00:18:46 +01:00 · 2024-11-23 00:18:46 +01:00 · 2024-11-23 00:18:46 +01:00 · 2024-11-23 00:18:46 +01:00
8 changed files with 104 additions and 32 deletions
--- a/hwdb.d/60-sensor.hwdb
+++ b/hwdb.d/60-sensor.hwdb
@ -953,6 +953,15 @@ sensor:modalias:acpi:MXC6655*:dmi:*:svnDefaultstring*:pnP612F:*
 sensor:modalias:acpi:SMO8500*:dmi:*:svnPEAQ:pnPEAQPMMC1010MD99187:*
 ACCEL_MOUNT_MATRIX=-1, 0, 0; 0, 1, 0; 0, 0, 1

+#########################################
+# Pine64
+#########################################
+
+# PineTab2
+
+sensor:modalias:of:NaccelerometerT_null_Csilan,sc7a20:*
+ ACCEL_MOUNT_MATRIX=0, 0, -1; 1, 0, 0; 0, -1, 0
+
 #########################################
 # Pipo
 #########################################
--- a/man/systemd-cryptenroll.xml
+++ b/man/systemd-cryptenroll.xml
@ -265,32 +265,11 @@
  </refsect1>

  <refsect1>
-    <title>Options</title>
+    <title>Unlocking</title>

-    <para>The following options are understood:</para>
+    <para>The following options are understood that may be used to unlock the device in preparation of the enrollment operations:</para>

    <variablelist>
-      <varlistentry>
-        <term><option>--password</option></term>
-
-        <listitem><para>Enroll a regular password/passphrase. This command is mostly equivalent to
-        <command>cryptsetup luksAddKey</command>, however may be combined with
-        <option>--wipe-slot=</option> in one call, see below.</para>
-
-        <xi:include href="version-info.xml" xpointer="v248"/></listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><option>--recovery-key</option></term>
-
-        <listitem><para>Enroll a recovery key. Recovery keys are mostly identical to passphrases, but are
-        computer-generated instead of being chosen by a human, and thus have a guaranteed high entropy. The
-        key uses a character set that is easy to type in, and may be scanned off screen via a QR code.
-        </para>
-
-        <xi:include href="version-info.xml" xpointer="v248"/></listitem>
-      </varlistentry>
-
      <varlistentry>
        <term><option>--unlock-key-file=<replaceable>PATH</replaceable></option></term>

@ -328,7 +307,45 @@

        <xi:include href="version-info.xml" xpointer="v256"/></listitem>
      </varlistentry>
+    </variablelist>
+  </refsect1>

+  <refsect1>
+    <title>Simple Enrollment</title>
+
+    <para>The following options are understood that may be used to enroll simple user input based
+    unlocking:</para>
+
+    <variablelist>
+      <varlistentry>
+        <term><option>--password</option></term>
+
+        <listitem><para>Enroll a regular password/passphrase. This command is mostly equivalent to
+        <command>cryptsetup luksAddKey</command>, however may be combined with
+        <option>--wipe-slot=</option> in one call, see below.</para>
+
+        <xi:include href="version-info.xml" xpointer="v248"/></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><option>--recovery-key</option></term>
+
+        <listitem><para>Enroll a recovery key. Recovery keys are mostly identical to passphrases, but are
+        computer-generated instead of being chosen by a human, and thus have a guaranteed high entropy. The
+        key uses a character set that is easy to type in, and may be scanned off screen via a QR code.
+        </para>
+
+        <xi:include href="version-info.xml" xpointer="v248"/></listitem>
+      </varlistentry>
+    </variablelist>
+  </refsect1>
+
+  <refsect1>
+    <title>PKCS#11 Enrollment</title>
+
+    <para>The following option is understood that may be used to enroll PKCS#11 tokens:</para>
+
+    <variablelist>
      <varlistentry>
        <term><option>--pkcs11-token-uri=<replaceable>URI</replaceable></option></term>

@ -361,7 +378,15 @@

        <xi:include href="version-info.xml" xpointer="v248"/></listitem>
      </varlistentry>
+    </variablelist>
+  </refsect1>

+  <refsect1>
+    <title>FIDO2 Enrollment</title>
+
+    <para>The following options are understood that may be used to enroll PKCS#11 tokens:</para>
+
+    <variablelist>
      <varlistentry>
        <term><option>--fido2-credential-algorithm=<replaceable>STRING</replaceable></option></term>
        <listitem><para>Specify COSE algorithm used in credential generation. The default value is
@ -461,7 +486,15 @@

        <xi:include href="version-info.xml" xpointer="v249"/></listitem>
      </varlistentry>
+    </variablelist>
+  </refsect1>

+  <refsect1>
+    <title>TPM2 Enrollment</title>
+
+    <para>The following options are understood that may be used to enroll TPM2 devices:</para>
+
+    <variablelist>
      <varlistentry>
        <term><option>--tpm2-device=<replaceable>PATH</replaceable></option></term>

@ -636,7 +669,15 @@

        <xi:include href="version-info.xml" xpointer="v255"/></listitem>
      </varlistentry>
+    </variablelist>
+  </refsect1>

+  <refsect1>
+    <title>Other Options</title>
+
+    <para>The following additional options are understood:</para>
+
+    <variablelist>
      <varlistentry>
        <term><option>--wipe-slot=<replaceable>SLOT<optional>,SLOT...</optional></replaceable></option></term>

--- a/src/cryptenroll/cryptenroll.c
+++ b/src/cryptenroll/cryptenroll.c
@ -193,7 +193,7 @@ static int help(void) {
               "\n%3$sSimple Enrollment:%4$s\n"
               "     --password        Enroll a user-supplied password\n"
               "     --recovery-key    Enroll a recovery key\n"
-               "\n%3$sPKCS11 Enrollment:%4$s\n"
+               "\n%3$sPKCS#11 Enrollment:%4$s\n"
               "     --pkcs11-token-uri=URI\n"
               "                       Specify PKCS#11 security token URI\n"
               "\n%3$sFIDO2 Enrollment:%4$s\n"
--- a/src/login/logind-varlink.c
+++ b/src/login/logind-varlink.c
@ -163,7 +163,7 @@ static int vl_method_create_session(sd_varlink *link, sd_json_variant *parameter

        static const sd_json_dispatch_field dispatch_table[] = {
                { "UID",        _SD_JSON_VARIANT_TYPE_INVALID, sd_json_dispatch_uid_gid,      offsetof(CreateSessionParameters, uid),         SD_JSON_MANDATORY },
-                { "PID",        _SD_JSON_VARIANT_TYPE_INVALID, json_dispatch_pidref,          offsetof(CreateSessionParameters, pid),         0                 },
+                { "PID",        _SD_JSON_VARIANT_TYPE_INVALID, json_dispatch_pidref,          offsetof(CreateSessionParameters, pid),         SD_JSON_RELAX     },
                { "Service",    SD_JSON_VARIANT_STRING,        sd_json_dispatch_const_string, offsetof(CreateSessionParameters, service),     0                 },
                { "Type",       SD_JSON_VARIANT_STRING,        json_dispatch_session_type,    offsetof(CreateSessionParameters, type),        SD_JSON_MANDATORY },
                { "Class",      SD_JSON_VARIANT_STRING,        json_dispatch_session_class,   offsetof(CreateSessionParameters, class),       SD_JSON_MANDATORY },
--- a/src/login/pam_systemd.c
+++ b/src/login/pam_systemd.c
@ -1071,7 +1071,6 @@ static int register_session(
                         strna(c->memory_max), strna(c->tasks_max), strna(c->cpu_weight), strna(c->io_weight), strna(c->runtime_max_sec));

        _cleanup_(sd_bus_message_unrefp) sd_bus_message *reply = NULL; /* the following variables point into this message, hence pin it for longer */
-        _cleanup_(sd_json_variant_unrefp) sd_json_variant *vreply = NULL; /* similar */
        _cleanup_(sd_varlink_unrefp) sd_varlink *vl = NULL; /* similar */
        const char *id = NULL, *object_path = NULL, *runtime_path = NULL, *real_seat = NULL;
        int session_fd = -EBADF, existing = false;
@ -1101,6 +1100,7 @@ static int register_session(
                        if (r < 0)
                                return pam_syslog_errno(handle, LOG_ERR, r, "Failed to acquire PID reference on ourselves: %m");

+                        sd_json_variant *vreply = NULL;
                        const char *error_id = NULL;
                        r = sd_varlink_callbo(
                                        vl,
--- a/src/shared/tpm2-util.h
+++ b/src/shared/tpm2-util.h
@ -392,7 +392,7 @@ int tpm2_make_pcr_json_array(uint32_t pcr_mask, sd_json_variant **ret);
 int tpm2_parse_pcr_json_array(sd_json_variant *v, uint32_t *ret);

 int tpm2_make_luks2_json(int keyslot, uint32_t hash_pcr_mask, uint16_t pcr_bank, const struct iovec *pubkey, uint32_t pubkey_pcr_mask, uint16_t primary_alg, const struct iovec blobs[], size_t n_blobs, const struct iovec policy_hash[], size_t n_policy_hash, const struct iovec *salt, const struct iovec *srk, const struct iovec *pcrlock_nv, TPM2Flags flags, sd_json_variant **ret);
-int tpm2_parse_luks2_json(sd_json_variant *v, int *ret_keyslot, uint32_t *ret_hash_pcr_mask, uint16_t *ret_pcr_bank, struct iovec *ret_pubkey, uint32_t *ret_pubkey_pcr_mask, uint16_t *ret_primary_alg, struct iovec **ret_blobs, size_t *ret_n_blobs, struct iovec **ret_policy_hash, size_t *ret_n_policy_hash, struct iovec *ret_salt, struct iovec *ret_srk, struct iovec *pcrlock_nv, TPM2Flags *ret_flags);
+int tpm2_parse_luks2_json(sd_json_variant *v, int *ret_keyslot, uint32_t *ret_hash_pcr_mask, uint16_t *ret_pcr_bank, struct iovec *ret_pubkey, uint32_t *ret_pubkey_pcr_mask, uint16_t *ret_primary_alg, struct iovec **ret_blobs, size_t *ret_n_blobs, struct iovec **ret_policy_hash, size_t *ret_n_policy_hash, struct iovec *ret_salt, struct iovec *ret_srk, struct iovec *ret_pcrlock_nv, TPM2Flags *ret_flags);

 /* Default to PCR 7 only */
 #define TPM2_PCR_INDEX_DEFAULT UINT32_C(7)
--- a/src/userdb/userdbctl.c
+++ b/src/userdb/userdbctl.c
@ -23,6 +23,7 @@
 #include "user-util.h"
 #include "userdb.h"
 #include "verbs.h"
+#include "virt.h"

 static enum {
        OUTPUT_CLASSIC,
@ -139,10 +140,16 @@ static int show_user(UserRecord *ur, Table *table) {
        return 0;
 }

+static bool test_show_mapped(void) {
+        /* Show mapped user range only in environments where user mapping is a thing. */
+        return running_in_userns() > 0;
+}
+
 static const struct {
        uid_t first, last;
        const char *name;
        UserDisposition disposition;
+        bool (*test)(void);
 } uid_range_table[] = {
        {
                .first = 1,
@ -175,11 +182,12 @@ static const struct {
                .last = MAP_UID_MAX,
                .name = "mapped",
                .disposition = USER_REGULAR,
+                .test = test_show_mapped,
        },
 };

 static int table_add_uid_boundaries(Table *table, const UIDRange *p) {
-        int r;
+        int r, n_added = 0;

        assert(table);

@ -192,6 +200,9 @@ static int table_add_uid_boundaries(Table *table, const UIDRange *p) {
                if (!uid_range_covers(p, i->first, i->last - i->first + 1))
                        continue;

+                if (i->test && !i->test())
+                        continue;
+
                name = strjoin(special_glyph(SPECIAL_GLYPH_ARROW_DOWN),
                               " begin ", i->name, " users ",
                               special_glyph(SPECIAL_GLYPH_ARROW_DOWN));
@ -249,9 +260,11 @@ static int table_add_uid_boundaries(Table *table, const UIDRange *p) {
                                TABLE_INT, 1); /* sort after any other entry with the same UID */
                if (r < 0)
                        return table_log_add_error(r);
+
+                n_added += 2;
        }

-        return ELEMENTSOF(uid_range_table) * 2;
+        return n_added;
 }

 static int add_unavailable_uid(Table *table, uid_t start, uid_t end) {
@ -565,16 +578,22 @@ static int show_group(GroupRecord *gr, Table *table) {
 }

 static int table_add_gid_boundaries(Table *table, const UIDRange *p) {
-        int r;
+        int r, n_added = 0;

        assert(table);

        FOREACH_ELEMENT(i, uid_range_table) {
                _cleanup_free_ char *name = NULL, *comment = NULL;

+                if (!FLAGS_SET(arg_disposition_mask, UINT64_C(1) << i->disposition))
+                        continue;
+
                if (!uid_range_covers(p, i->first, i->last - i->first + 1))
                        continue;

+                if (i->test && !i->test())
+                        continue;
+
                name = strjoin(special_glyph(SPECIAL_GLYPH_ARROW_DOWN),
                               " begin ", i->name, " groups ",
                               special_glyph(SPECIAL_GLYPH_ARROW_DOWN));
@ -626,9 +645,11 @@ static int table_add_gid_boundaries(Table *table, const UIDRange *p) {
                                TABLE_INT, 1); /* sort after any other entry with the same GID */
                if (r < 0)
                        return table_log_add_error(r);
+
+                n_added += 2;
        }

-        return ELEMENTSOF(uid_range_table) * 2;
+        return n_added;
 }

 static int add_unavailable_gid(Table *table, uid_t start, uid_t end) {
--- a/tmpfiles.d/legacy.conf.in
+++ b/tmpfiles.d/legacy.conf.in
@ -13,11 +13,12 @@

 d /run/lock 0755 root root -
 L /var/lock - - - - ../run/lock
+
+{% if HAVE_SYSV_COMPAT %}
 {% if CREATE_LOG_DIRS %}
 L$ /var/log/README - - - - ../..{{DOC_DIR}}/README.logs
 {% endif %}

-{% if HAVE_SYSV_COMPAT %}
 # /run/lock/subsys is used for serializing SysV service execution, and
 # hence without use on SysV-less systems.
 d /run/lock/subsys 0755 root root -
Author	SHA1	Message	Date
Lennart Poettering	67591fd782	pam-systemd: talk to logind via varlink This makes sure we now use Varlink per default as transport for allocating sessions. This reduces the time it takes to do one run0 cycle by roughly ~10% on my completely synthetic test setup (assuming the target user's service manager is already started) The D-Bus codepaths are kept in place for two reasons: * To make upgrades easy * If the user actually sets resource properties on the PAM session we fall back to the D-Bus codepaths, as we currently have no way to encode the scope properties in JSON, this is only supported for D-Bus serialization. The latter should be revisited once it is possible to allocate a scope unit from PID1 via varlink.	2024-11-23 00:21:44 +01:00
Lennart Poettering	759036b42f	logind: add basic Varlink API For now this only covers CreateSession() and ReleaseSession(), i.e. the two operations pam_systemd cares about.	2024-11-23 00:18:46 +01:00
Lennart Poettering	3ccbb4e518	logind: split create session reply handling in two This prepares ground so that later on we can reply with either D-Bus or Varlink depending on the client's request.	2024-11-23 00:18:46 +01:00
Lennart Poettering	70731b1425	logind: also potentially GC the session if we cannot send reply	2024-11-23 00:18:46 +01:00
Lennart Poettering	a098cdbefe	logind: indicate that 'error' parameter is input by making it const	2024-11-23 00:18:46 +01:00
Lennart Poettering	b5dd575cb3	logind: rework session creation logic, to be more reusable for varlink codepaths This separates the preparatory checks that generate D-Bus errors from the code that actually allocates the session. This make the logic easier to follow and prepares ground so that we can reuse the 2nd part later when exposing session creation via Varlink.	2024-11-23 00:18:46 +01:00
Lennart Poettering	c771a195b6	logind: split out logic that finds free session ID into helper call Just some refactoring to make an overly large function a bit smaller.	2024-11-23 00:18:46 +01:00
Lennart Poettering	d30ae4c4d2	logind: normalize parameter to create_session() We can pass a properly typed Manager object here, no reason to pass it as void*.	2024-11-23 00:18:46 +01:00
Lennart Poettering	49e778d40a	sd-varlink: fix bug when enqueuing messages with fds asynchronously When determining the poll events to wait for we need to take the queue of pending messages that carry fds into account. Otherwise we might end up not waking up if such an fd-carrying message is enqueued asynchronously (i.e. not from a dispatch callback).	2024-11-23 00:18:46 +01:00
Lennart Poettering	1f377e6f73	sd-varlink: add flag for sd_varlink_server for creating connections with fd passing enabled Let's add a simple flag that enables fd passing for all connections of a server. It's much easier to use this than to install a connect handler which manually enables this for each connection.	2024-11-23 00:18:46 +01:00
Lennart Poettering	69c59f707c	terminal-util: modernize vtnr_from_tty() a bit	2024-11-23 00:18:46 +01:00
Lennart Poettering	ccfdaa7117	sd-login: make use of getpeerpidref() and cg_pidref_get_*()	2024-11-23 00:18:46 +01:00
Lennart Poettering	32f31fa6bf	socket-util: introduce getpeerpidref() This combines getpeercred() and getpeerpidfd() and returns a PidRef	2024-11-23 00:18:46 +01:00
Lennart Poettering	eb87a43e9d	cgroup-util: add pidref counterparts for cg_pid_get_session() + cg_pid_get_owner_uid()	2024-11-23 00:18:46 +01:00
Lennart Poettering	05e4039436	tree-wide: use pidref_is_self() at more places	2024-11-23 00:18:46 +01:00
Lennart Poettering	b9e124b84c	sd-json: add json_dispatch_const_path() helper The new json_dispatch_const_path() is to json_dispatch_path() what sd_json_dispatch_const_string() is to sd_json_dispatch_ string(), i.e. doesn't implicitly strdup() the string, but gives you the pointer into the JSON structure, and thus requires you to keep it pinned.	2024-11-23 00:18:46 +01:00
Lennart Poettering	eb543b192e	pam_systemd: introduce pam_get_data_many() helper and make use of it This is to pam_get_data() what pam_get_item() is to pam_get_item_many().	2024-11-23 00:18:46 +01:00
Lennart Poettering	19159b60c9	pam_systemd: fix error code confusion when prepping D-Bus message We got confused by the error codes here, and sometimes return PAM errors where the caller propagated them unconverted as negative errno errors. Fix that.	2024-11-23 00:18:46 +01:00
Lennart Poettering	b5f653430e	pam_systemd: split pam_sm_open_session() into more digestable blocks Let's separate four different parts of pam_sm_open_session(): 1. Acquiring of our various parameters from pam env, pam data, pam items 2. Mangling of that data to clean it up 3. Registering of the service with logind 4. Importing shell credentials into environment variables 5. Enforcement of user record data This makes the code a lot more readable, and gets rid of an ugly got label. It also corrects things: if step 3 doesnt work because logind is not around, we'll now still do step 4, which we previously erroneously skipped. Besodes that no real code changes.	2024-11-23 00:18:46 +01:00
Lennart Poettering	293efc0a01	pam_systemd: split out setting of shell env vars from credentials and move it later Let's shorten the code of pam_sm_open_session() a bit, and also make sure the importing of the env vars from the creds also happens if the session registration with logind is skipped.	2024-11-23 00:18:46 +01:00
Lennart Poettering	a14cc13650	pam_systemd: drop "uid" field from SessionContext Let's instead just pass over the UserRecord, it's a much more useful object with lots more information we'll sooner or later need (preparation for later commits).	2024-11-23 00:18:46 +01:00
Lennart Poettering	796c8d3ecf	pam_systemd: drop "pid" field from SessionContext We never use the field and this is not going to change... This addresses a weird asymmetry, as create_session_message() always went to the process' own PID when doing pidfds but otherwise (i.e. without pidfds) would honour the PID specified as function parameter.	2024-11-23 00:18:46 +01:00
Lennart Poettering	dea25e026f	pam-systemd: normalize parsing of XDG_VTNR Let's make it more like the parsing of the "incomplete" boolean env var, to streamline things.	2024-11-23 00:18:46 +01:00
Christian Hesse	c946b13575	link README.logs from tmpfiles.d/legacy.conf only if available The file README.logs is installed only if SysVInit support is enabled. Thus the link should depend on it as well.	2024-11-22 18:33:20 +00:00
Lennart Poettering	e39cbb1442	varlink: apparently on old kernels SO_PEERPIDFD returns EINVAL	2024-11-23 03:09:49 +09:00
Marco Tomaschett	bc4a027f9c	hwdb: add support for PineTab2 to 60-sensor.hwdb (#35304 ) Add accelerometer support for PineTab2	2024-11-23 03:08:06 +09:00
Lennart Poettering	d209e197f8	userdbctl: two trivial fixlets (#35296 ) Fixes: #35294	2024-11-22 16:06:01 +01:00
Antonio Alvarez Feijoo	9ed090230e	tpm2-util: fix parameter name	2024-11-22 16:04:16 +01:00
Luca Boccassi	9bf6ffe166	man: split cryptenroll man page into sections (#35297 )	2024-11-22 12:01:07 +00:00
Lennart Poettering	47c5ca237b	userdbctl: respect selected disposition also when showing gid boundaries Follow-up for: `ad5de3222f`	2024-11-22 11:28:30 +01:00
Lennart Poettering	7f8a4f12df	userdbctl: fix counting Fixes: #35294	2024-11-22 11:28:28 +01:00
Lennart Poettering	e412fc5e04	userbdctl: show 'mapped' user range only inside of userns Outside of userns the concept makes no sense, there cannot be users mapped from further outside.	2024-11-22 11:28:17 +01:00
Lennart Poettering	cc6baba720	cryptenroll: it's called PKCS#11, not PKCS11 In the --help text we really should use the official spelling, just like in the man page.	2024-11-22 10:42:37 +01:00
Lennart Poettering	3ae48d071c	man: add enrollment type sections to cryptenroll man page We have the same sections in the --help text, hence we even more so should have them in the man page.	2024-11-22 10:42:37 +01:00