Merge a050031d05 into 9bf6ffe166

man: split cryptenroll man page into sections (#35297 )
cryptenroll: it's called PKCS#11, not PKCS11
2024-11-22 13:40:26 +01:00 · 2024-11-22 12:01:07 +00:00 · 2024-11-22 10:42:37 +01:00 · 2024-11-22 10:42:37 +01:00 · 2024-11-22 10:38:19 +01:00 · 2024-11-22 04:15:51 +01:00
30 changed files with 129 additions and 72 deletions
--- a/hwdb.d/60-keyboard.hwdb
+++ b/hwdb.d/60-keyboard.hwdb
@ -1438,6 +1438,11 @@ evdev:input:b0003v046DpC309*
 KEYBOARD_KEY_c01b6=images                              # My Pictures (F11)
 KEYBOARD_KEY_c01b7=audio                               # My Music (F12)
 # Logitech MX Keys for Mac
 evdev:input:b0003v046Dp4092*
 KEYBOARD_KEY_70035=102nd                               # '<' key
 KEYBOARD_KEY_70064=grave                               # '^' key
 ###########################################################
 # Maxdata
 ###########################################################
--- a/man/systemd-cryptenroll.xml
+++ b/man/systemd-cryptenroll.xml
@ -265,32 +265,11 @@
  </refsect1>
  <refsect1>
-    <title>Options</title>
+    <title>Unlocking</title>
-    <para>The following options are understood:</para>
+    <para>The following options are understood that may be used to unlock the device in preparation of the enrollment operations:</para>
    <variablelist>
      <varlistentry>
        <term><option>--password</option></term>
        <listitem><para>Enroll a regular password/passphrase. This command is mostly equivalent to
        <command>cryptsetup luksAddKey</command>, however may be combined with
        <option>--wipe-slot=</option> in one call, see below.</para>
        <xi:include href="version-info.xml" xpointer="v248"/></listitem>
      </varlistentry>
      <varlistentry>
        <term><option>--recovery-key</option></term>
        <listitem><para>Enroll a recovery key. Recovery keys are mostly identical to passphrases, but are
        computer-generated instead of being chosen by a human, and thus have a guaranteed high entropy. The
        key uses a character set that is easy to type in, and may be scanned off screen via a QR code.
        </para>
        <xi:include href="version-info.xml" xpointer="v248"/></listitem>
      </varlistentry>
      <varlistentry>
        <term><option>--unlock-key-file=<replaceable>PATH</replaceable></option></term>
@ -328,7 +307,45 @@
        <xi:include href="version-info.xml" xpointer="v256"/></listitem>
      </varlistentry>
    </variablelist>
  </refsect1>
  <refsect1>
    <title>Simple Enrollment</title>
    <para>The following options are understood that may be used to enroll simple user input based
    unlocking:</para>
    <variablelist>
      <varlistentry>
        <term><option>--password</option></term>
        <listitem><para>Enroll a regular password/passphrase. This command is mostly equivalent to
        <command>cryptsetup luksAddKey</command>, however may be combined with
        <option>--wipe-slot=</option> in one call, see below.</para>
        <xi:include href="version-info.xml" xpointer="v248"/></listitem>
      </varlistentry>
      <varlistentry>
        <term><option>--recovery-key</option></term>
        <listitem><para>Enroll a recovery key. Recovery keys are mostly identical to passphrases, but are
        computer-generated instead of being chosen by a human, and thus have a guaranteed high entropy. The
        key uses a character set that is easy to type in, and may be scanned off screen via a QR code.
        </para>
        <xi:include href="version-info.xml" xpointer="v248"/></listitem>
      </varlistentry>
    </variablelist>
  </refsect1>
  <refsect1>
    <title>PKCS#11 Enrollment</title>
    <para>The following option is understood that may be used to enroll PKCS#11 tokens:</para>
    <variablelist>
      <varlistentry>
        <term><option>--pkcs11-token-uri=<replaceable>URI</replaceable></option></term>
@ -361,7 +378,15 @@
        <xi:include href="version-info.xml" xpointer="v248"/></listitem>
      </varlistentry>
    </variablelist>
  </refsect1>
  <refsect1>
    <title>FIDO2 Enrollment</title>
    <para>The following options are understood that may be used to enroll PKCS#11 tokens:</para>
    <variablelist>
      <varlistentry>
        <term><option>--fido2-credential-algorithm=<replaceable>STRING</replaceable></option></term>
        <listitem><para>Specify COSE algorithm used in credential generation. The default value is
@ -461,7 +486,15 @@
        <xi:include href="version-info.xml" xpointer="v249"/></listitem>
      </varlistentry>
    </variablelist>
  </refsect1>
  <refsect1>
    <title>TPM2 Enrollment</title>
    <para>The following options are understood that may be used to enroll TPM2 devices:</para>
    <variablelist>
      <varlistentry>
        <term><option>--tpm2-device=<replaceable>PATH</replaceable></option></term>
@ -636,7 +669,15 @@
        <xi:include href="version-info.xml" xpointer="v255"/></listitem>
      </varlistentry>
    </variablelist>
  </refsect1>
  <refsect1>
    <title>Other Options</title>
    <para>The following additional options are understood:</para>
    <variablelist>
      <varlistentry>
        <term><option>--wipe-slot=<replaceable>SLOT<optional>,SLOT...</optional></replaceable></option></term>
--- a/po/uk.po
+++ b/po/uk.po
@ -9,8 +9,8 @@ msgid ""
 msgstr ""
 "Report-Msgid-Bugs-To: \n"
 "POT-Creation-Date: 2024-11-06 14:42+0000\n"
-"PO-Revision-Date: 2024-11-20 19:13+0000\n"
+"PO-Revision-Date: 2024-11-21 19:38+0000\n"
-"Last-Translator: Dmytro Markevych <hotr1pak@gmail.com>\n"
+"Last-Translator: Yuri Chornoivan <yurchor@ukr.net>\n"
 "Language-Team: Ukrainian <https://translate.fedoraproject.org/projects/"
 "systemd/main/uk/>\n"
 "Language: uk\n"
@ -120,11 +120,11 @@ msgstr "Для оновлення домашньої теки користува
 #: src/home/org.freedesktop.home1.policy:53
 msgid "Update your home area"
-msgstr "Оновіть свій домашній простір"
+msgstr "Оновлення домашньої області"
 #: src/home/org.freedesktop.home1.policy:54
 msgid "Authentication is required to update your home area."
-msgstr "Для оновлення домашньої області потрібна автентифікація."
+msgstr "Для оновлення домашньої області слід пройти розпізнавання."
 #: src/home/org.freedesktop.home1.policy:63
 msgid "Resize a home area"
@ -1215,7 +1215,7 @@ msgstr "Керування додатковими функціями"
 #: src/sysupdate/org.freedesktop.sysupdate1.policy:76
 msgid "Authentication is required to manage optional features"
-msgstr "Для керування додатковими функціями потрібна автентифікація"
+msgstr "Для керування додатковими можливостями слід пройти розпізнавання"
 #: src/timedate/org.freedesktop.timedate1.policy:22
 msgid "Set system time"
--- a/rules.d/60-persistent-storage.rules.in
+++ b/rules.d/60-persistent-storage.rules.in
@ -136,6 +136,12 @@ KERNEL!="sr*|mmcblk[0-9]boot[0-9]", IMPORT{builtin}="blkid"
 LABEL="persistent_storage_blkid_probe_end"
 {% endif %}
 # Decrease devlink priority for whole disk of ISO hybrid images, and make the
 # priority for partitions in the image relatively higher. This is for the case
 # that a disk and one of its partition have the same label or so.
 # See issue #28468.
 ENV{ID_FS_TYPE}=="iso9660", ENV{DEVTYPE}=="disk", OPTIONS+="link_priority=-10"
 # by-label/by-uuid links (filesystem metadata)
 ENV{ID_FS_USAGE}=="filesystem|other|crypto", ENV{ID_FS_UUID_ENC}=="?*", SYMLINK+="disk/by-uuid/$env{ID_FS_UUID_ENC}"
 ENV{ID_FS_USAGE}=="filesystem|other|crypto", ENV{ID_FS_LABEL_ENC}=="?*", SYMLINK+="disk/by-label/$env{ID_FS_LABEL_ENC}"
--- a/rules.d/99-systemd.rules.in
+++ b/rules.d/99-systemd.rules.in
@ -22,6 +22,10 @@ SUBSYSTEM=="ubi", TAG+="systemd"
 SUBSYSTEM=="block", TAG+="systemd"
 # Make dm devices can replace existing symlinks with the same priority.
 # Otherwise, activating a device while another is being deactivated may fail.
 SUBSYSTEM=="block", KERNEL=="dm-*", ENV{.UDEV_REPLACE_SYMLINK_WITH_SAME_PRIORITY}="1"
 # When a dm device is first created, it's just an empty container. Ignore it.
 # DM_NAME is not set in this case, but it's set on spurious "add" events that occur later.
 SUBSYSTEM=="block", ACTION=="add", KERNEL=="dm-*", ENV{DM_NAME}!="?*", ENV{SYSTEMD_READY}="0"
--- a/shell-completion/bash/systemd-cryptenroll
+++ b/shell-completion/bash/systemd-cryptenroll
@ -38,19 +38,12 @@ __get_tpm2_devices() {
    done
 }
 __get_block_devices() {
    local i
    for i in /dev/*; do
        [ -b "$i" ] && printf '%s\n' "$i"
    done
 }
 _systemd_cryptenroll() {
    local comps
    local cur=${COMP_WORDS[COMP_CWORD]} prev=${COMP_WORDS[COMP_CWORD-1]} words cword
    local -A OPTS=(
        [STANDALONE]='-h --help --version
-                     --password --recovery-key'
+                     --password --recovery-key --list-devices'
        [ARG]='--unlock-key-file
               --unlock-fido2-device
               --unlock-tpm2-device
@ -116,7 +109,7 @@ _systemd_cryptenroll() {
        return 0
    fi
-    comps=$(__get_block_devices)
+    comps=$(systemd-cryptenroll --list-devices)
    COMPREPLY=( $(compgen -W '$comps' -- "$cur") )
    return 0
 }
--- a/src/core/service.c
+++ b/src/core/service.c
@ -3426,14 +3426,12 @@ static int service_deserialize_item(Unit *u, const char *key, const char *value,
                        return 0;
                }
-                r = service_add_fd_store(s, fd, fdn, do_poll);
+                r = service_add_fd_store(s, TAKE_FD(fd), fdn, do_poll);
                if (r < 0) {
                        log_unit_debug_errno(u, r,
                                             "Failed to store deserialized fd '%s', ignoring: %m", fdn);
                        return 0;
                }
                TAKE_FD(fd);
        } else if (streq(key, "extra-fd")) {
                _cleanup_free_ char *fdv = NULL, *fdn = NULL;
                _cleanup_close_ int fd = -EBADF;
--- a/src/cryptenroll/cryptenroll.c
+++ b/src/cryptenroll/cryptenroll.c
@ -193,7 +193,7 @@ static int help(void) {
               "\n%3$sSimple Enrollment:%4$s\n"
               "     --password        Enroll a user-supplied password\n"
               "     --recovery-key    Enroll a recovery key\n"
-               "\n%3$sPKCS11 Enrollment:%4$s\n"
+               "\n%3$sPKCS#11 Enrollment:%4$s\n"
               "     --pkcs11-token-uri=URI\n"
               "                       Specify PKCS#11 security token URI\n"
               "\n%3$sFIDO2 Enrollment:%4$s\n"
--- a/src/udev/udev-node.c
+++ b/src/udev/udev-node.c
@ -462,6 +462,18 @@ static int link_update(sd_device *dev, const char *slink, bool add) {
                                         * another device. Hence, it is not necessary to recreate it. */
                                        return 0;
                                /* When the priorities are equivalent, replace symlink only when it is
                                 * explicitly requested. This is necessary for DM devices, otherwise
                                 * activating a device while another is being deactivated may fail. See issue
                                 * #28141. However, in general, replacing symlink with a same-priority device
                                 * is dangerous. For example, when managing or assembling multiple disks,
                                 * when fdisk or wipefs is called, we trigger synthesized events and that can
                                 * replace existing symlinks, and unexpected device may be used and data may
                                 * be lost. */
                                if (current_prio == prio &&
                                    device_get_property_bool(dev, ".UDEV_REPLACE_SYMLINK_WITH_SAME_PRIORITY") <= 0)
                                        return 0;
                                /* This device has the equal or a higher priority than the current. Let's
                                 * create the devlink to our device node. */
                                return node_create_symlink(dev, /* devnode = */ NULL, slink);
--- a/test/units/TEST-67-INTEGRITY.sh
+++ b/test/units/TEST-67-INTEGRITY.sh
@ -34,6 +34,9 @@ ${DM_NAME} ${loop} - integrity-algorithm=$1
 EOF
 }
 udevadm settle
 udevadm control --log-level=debug
 image_dir="$(mktemp -d -t -p / integrity.tmp.XXXXXX)"
 if [ -z "${image_dir}" ] || [ ! -d "${image_dir}" ]; then
    echo "mktemp under / failed"
@ -93,13 +96,7 @@ do
    # Check the signature on the FS to ensure we can retrieve it and that is matches
    if [ -e "${FULL_DM_DEV_NAME}" ]; then
-        # If a separate device is used for the metadata storage, then blkid will return one of the loop devices
+        if [ "$(blkid -U "${FS_UUID}")" != "${FULL_DM_DEV_NAME}" ]; then
        if [ "${separate_data}" -eq 1 ]; then
            dev_name="$(integritysetup status ${DM_NAME} | grep '^\s*device:' | awk '{print $2}')"
        else
            dev_name="${FULL_DM_DEV_NAME}"
        fi
        if [ "${dev_name}" != "$(blkid -U "${FS_UUID}")" ]; then
            echo "Failed to locate FS with matching UUID!"
            exit 1
        fi
--- a/tmpfiles.d/20-systemd-shell-extra.conf.in
+++ b/tmpfiles.d/20-systemd-shell-extra.conf.in
@ -5,7 +5,7 @@
 #  the Free Software Foundation; either version 2.1 of the License, or
 #  (at your option) any later version.
-# See tmpfiles.d(5) for details
+# See tmpfiles.d(5) for details.
 {% if LINK_SHELL_EXTRA_DROPIN %}
 L$ {{SHELLPROFILEDIR}}/70-systemd-shell-extra.sh - - - - {{LIBEXECDIR}}/profile.d/70-systemd-shell-extra.sh
--- a/tmpfiles.d/20-systemd-ssh-generator.conf.in
+++ b/tmpfiles.d/20-systemd-ssh-generator.conf.in
@ -5,7 +5,7 @@
 #  the Free Software Foundation; either version 2.1 of the License, or
 #  (at your option) any later version.
-# See tmpfiles.d(5) for details
+# See tmpfiles.d(5) for details.
 {% if LINK_SSH_PROXY_DROPIN %}
 L$ {{SSHCONFDIR}}/20-systemd-ssh-proxy.conf - - - - {{LIBEXECDIR}}/ssh_config.d/20-systemd-ssh-proxy.conf
--- a/tmpfiles.d/20-systemd-stub.conf.in
+++ b/tmpfiles.d/20-systemd-stub.conf.in
@ -5,7 +5,7 @@
 #  the Free Software Foundation; either version 2.1 of the License, or
 #  (at your option) any later version.
-# See tmpfiles.d(5) for details
+# See tmpfiles.d(5) for details.
 # Copy systemd-stub provided metadata such as PCR signature and public key file
 # from initrd into /run/, so that it will survive the initrd stage
--- a/tmpfiles.d/20-systemd-userdb.conf.in
+++ b/tmpfiles.d/20-systemd-userdb.conf.in
@ -5,7 +5,7 @@
 #  the Free Software Foundation; either version 2.1 of the License, or
 #  (at your option) any later version.
-# See tmpfiles.d(5) for details
+# See tmpfiles.d(5) for details.
 {% if LINK_SSHD_USERDB_DROPIN %}
 L {{SSHDCONFDIR}}/20-systemd-userdb.conf - - - - {{LIBEXECDIR}}/sshd_config.d/20-systemd-userdb.conf
--- a/tmpfiles.d/credstore.conf
+++ b/tmpfiles.d/credstore.conf
@ -5,7 +5,7 @@
 #  the Free Software Foundation; either version 2.1 of the License, or
 #  (at your option) any later version.
-# See tmpfiles.d(5) for details
+# See tmpfiles.d(5) for details.
 d /etc/credstore 0700 root root
 d /etc/credstore.encrypted 0700 root root
--- a/tmpfiles.d/etc.conf.in
+++ b/tmpfiles.d/etc.conf.in
@ -5,7 +5,7 @@
 #  the Free Software Foundation; either version 2.1 of the License, or
 #  (at your option) any later version.
-# See tmpfiles.d(5) for details
+# See tmpfiles.d(5) for details.
 L /etc/os-release - - - - ../usr/lib/os-release
 L+ /etc/mtab - - - - ../proc/self/mounts
--- a/tmpfiles.d/home.conf
+++ b/tmpfiles.d/home.conf
@ -5,7 +5,7 @@
 #  the Free Software Foundation; either version 2.1 of the License, or
 #  (at your option) any later version.
-# See tmpfiles.d(5) for details
+# See tmpfiles.d(5) for details.
 Q /home 0755 - - -
 q /srv 0755 - - -
--- a/tmpfiles.d/journal-nocow.conf
+++ b/tmpfiles.d/journal-nocow.conf
@ -5,7 +5,7 @@
 #  the Free Software Foundation; either version 2.1 of the License, or
 #  (at your option) any later version.
-# See tmpfiles.d(5) for details
+# See tmpfiles.d(5) for details.
 # Set the NOCOW attribute for directories of journal files. This flag
 # is inherited by their new files and sub-directories. Matters only
--- a/tmpfiles.d/legacy.conf.in
+++ b/tmpfiles.d/legacy.conf.in
@ -5,10 +5,11 @@
 #  the Free Software Foundation; either version 2.1 of the License, or
 #  (at your option) any later version.
-# See tmpfiles.d(5) for details
+# See tmpfiles.d(5) for details.
-# These files are considered legacy and are unnecessary on legacy-free
+# The functionality provided by these files and directories has been replaced
-# systems.
+# by newer interfaces. Their use is discouraged on legacy-free systems. This
 # configuration is provided to maintain backward compatibility.
 d /run/lock 0755 root root -
 L /var/lock - - - - ../run/lock
@ -16,15 +17,15 @@ L /var/lock - - - - ../run/lock
 L$ /var/log/README - - - - ../..{{DOC_DIR}}/README.logs
 {% endif %}
 {% if HAVE_SYSV_COMPAT %}
 # /run/lock/subsys is used for serializing SysV service execution, and
 # hence without use on SysV-less systems.
 d /run/lock/subsys 0755 root root -
 # /forcefsck, /fastboot and /forcequotacheck are deprecated in favor of the
 # kernel command line options 'fsck.mode=force', 'fsck.mode=skip' and
 # 'quotacheck.mode=force'
 r! /forcefsck
 r! /fastboot
 r! /forcequotacheck
 {% endif %}
--- a/tmpfiles.d/meson.build
+++ b/tmpfiles.d/meson.build
@ -35,7 +35,7 @@ in_files = [
        ['20-systemd-stub.conf',          'ENABLE_EFI'],
        ['20-systemd-userdb.conf',        'ENABLE_SSH_USERDB_CONFIG'],
        ['etc.conf'],
-        ['legacy.conf',                   'HAVE_SYSV_COMPAT'],
+        ['legacy.conf'],
        ['static-nodes-permissions.conf'],
        ['systemd.conf'],
        ['var.conf'],
--- a/tmpfiles.d/portables.conf
+++ b/tmpfiles.d/portables.conf
@ -1,4 +1,4 @@
 # SPDX-License-Identifier: LGPL-2.1-or-later
-# See tmpfiles.d(5) for details
+# See tmpfiles.d(5) for details.
 Q /var/lib/portables 0700
--- a/tmpfiles.d/provision.conf
+++ b/tmpfiles.d/provision.conf
@ -5,7 +5,7 @@
 #  the Free Software Foundation; either version 2.1 of the License, or
 #  (at your option) any later version.
-# See tmpfiles.d(5) for details
+# See tmpfiles.d(5) for details.
 # Provision additional login messages from credentials, if they are set. Note
 # that these lines are NOPs if the credentials are not set or if the files
--- a/tmpfiles.d/systemd-network.conf
+++ b/tmpfiles.d/systemd-network.conf
@ -5,7 +5,7 @@
 #  the Free Software Foundation; either version 2.1 of the License, or
 #  (at your option) any later version.
-# See tmpfiles.d(5) for details
+# See tmpfiles.d(5) for details.
 d$ /run/systemd/netif        0755 systemd-network systemd-network -
 d$ /run/systemd/netif/links  0755 systemd-network systemd-network -
--- a/tmpfiles.d/systemd-nspawn.conf
+++ b/tmpfiles.d/systemd-nspawn.conf
@ -5,7 +5,7 @@
 #  the Free Software Foundation; either version 2.1 of the License, or
 #  (at your option) any later version.
-# See tmpfiles.d(5) for details
+# See tmpfiles.d(5) for details.
 Q /var/lib/machines 0700 - - -
--- a/tmpfiles.d/systemd-resolve.conf
+++ b/tmpfiles.d/systemd-resolve.conf
@ -5,6 +5,6 @@
 #  the Free Software Foundation; either version 2.1 of the License, or
 #  (at your option) any later version.
-# See tmpfiles.d(5) for details
+# See tmpfiles.d(5) for details.
 L! /etc/resolv.conf - - - - ../run/systemd/resolve/stub-resolv.conf
--- a/tmpfiles.d/systemd-tmp.conf
+++ b/tmpfiles.d/systemd-tmp.conf
@ -5,7 +5,7 @@
 #  the Free Software Foundation; either version 2.1 of the License, or
 #  (at your option) any later version.
-# See tmpfiles.d(5) for details
+# See tmpfiles.d(5) for details.
 # Exclude namespace mountpoints created with PrivateTmp=yes
 x /tmp/systemd-private-%b-*
--- a/tmpfiles.d/systemd.conf.in
+++ b/tmpfiles.d/systemd.conf.in
@ -5,7 +5,7 @@
 #  the Free Software Foundation; either version 2.1 of the License, or
 #  (at your option) any later version.
-# See tmpfiles.d(5) for details
+# See tmpfiles.d(5) for details.
 d /run/user 0755 root root -
 {% if ENABLE_UTMP %}
--- a/tmpfiles.d/tmp.conf
+++ b/tmpfiles.d/tmp.conf
@ -5,7 +5,7 @@
 #  the Free Software Foundation; either version 2.1 of the License, or
 #  (at your option) any later version.
-# See tmpfiles.d(5) for details
+# See tmpfiles.d(5) for details.
 # Clear tmp directories separately, to make them easier to override
 q /tmp 1777 root root 10d
--- a/tmpfiles.d/var.conf.in
+++ b/tmpfiles.d/var.conf.in
@ -5,7 +5,7 @@
 #  the Free Software Foundation; either version 2.1 of the License, or
 #  (at your option) any later version.
-# See tmpfiles.d(5) for details
+# See tmpfiles.d(5) for details.
 q /var 0755 - - -
--- a/tmpfiles.d/x11.conf
+++ b/tmpfiles.d/x11.conf
@ -5,7 +5,7 @@
 #  the Free Software Foundation; either version 2.1 of the License, or
 #  (at your option) any later version.
-# See tmpfiles.d(5) for details
+# See tmpfiles.d(5) for details.
 # Make sure these are created by default so that nobody else can
 # or empty them at startup
Author	SHA1	Message	Date
Yu Watanabe	1d387c22eb	Merge `a050031d05` into `9bf6ffe166`	2024-11-22 13:40:26 +01:00
Luca Boccassi	9bf6ffe166	man: split cryptenroll man page into sections (#35297 )	2024-11-22 12:01:07 +00:00
Lennart Poettering	cc6baba720	cryptenroll: it's called PKCS#11, not PKCS11 In the --help text we really should use the official spelling, just like in the man page.	2024-11-22 10:42:37 +01:00
Lennart Poettering	3ae48d071c	man: add enrollment type sections to cryptenroll man page We have the same sections in the --help text, hence we even more so should have them in the man page.	2024-11-22 10:42:37 +01:00
Antonio Alvarez Feijoo	2ccacdd57c	bash-completion: add --list-devices to systemd-cryptenroll And also use it to list suitable block devices.	2024-11-22 10:38:19 +01:00
Yu Watanabe	d99198819c	core/service: service_add_fd_store() consumes passed fd Without this change, the fd is closed twice on failure. Fixes a bug introduced by `dff9808a62`. Fixes #35288.	2024-11-22 04:15:51 +01:00
Tobias Zimmermann	f70e5620b6	hwdb: Add quirk for Logitech MX Keys for Mac The KEY_102ND and KEY_GRAVE keys are switched on the Logitech MX Keys for Mac, so switch them back	2024-11-21 21:16:07 +01:00
Zbigniew Jędrzejewski-Szmek	3127c71bf4	Keep tmpfiles/legacy.conf even if SysVInit support is dropped (#35278 )	2024-11-21 21:13:50 +01:00
Yuri Chornoivan	b153eebfb2	po: Translated using Weblate (Ukrainian) Currently translated at 100.0% (257 of 257 strings) Co-authored-by: Yuri Chornoivan <yurchor@ukr.net> Translate-URL: https://translate.fedoraproject.org/projects/systemd/main/uk/ Translation: systemd/main	2024-11-22 05:02:16 +09:00
Zbigniew Jędrzejewski-Szmek	2c06e40ae9	tmpfiles: add period at end of the sentence The license that is immediately above is properly punctuated and it looks sloppy when our line below isn't.	2024-11-21 18:35:18 +01:00
Zbigniew Jędrzejewski-Szmek	5ca9149464	tmpfiles: narrow scope of HAVE_SYSV_COMPAT condition for legacy.conf That file contains a bunch of entries of which only some are related to SysV. The rest are just "traditional APIs" that need to stay. In particular, /var/lock a.k.a. /run/lock is used by many programs (LVM, iscsi, alsactl). Similarly, the README about /var/log is something that should stay as long as we have people migrating from older systems or using the copiuos documentation that mentions /var/log/messages.txt on the Internet. /var/lock/subsys is only used by sysvinit, and our code to support /forcefsck, /fastboot, and /forcequotacheck is conditionalized on HAVE_SYSV_COMPAT, so conditionalize those here on HAVE_SYSV_COMPAT too.	2024-11-21 18:32:46 +01:00
Yu Watanabe	a050031d05	udev-node: replace existing symlink with the same priority only when explicitly requested History: - Before `331aa7aa15`, a symlink creation requested by a new event replaced an existing symlink with the same priority. - With `331aa7aa15` (v254), if an existing symlink has the same priority with the newly requested one, then the new request was skipped, and the existing symlink was kept. But this caused #28141. - With `7ec5ce5673` (v255, and backported to v254.6), the behavior is restored prior to the `331aa7aa15`. But, it is pointed out that the replacing symlink may be dangerous. See discussion in https://github.com/systemd/systemd/pull/34482#issuecomment-2362115374. This introduce .UDEV_REPLACE_SYMLINK_WITH_SAME_PRIORITY flag, and set the flag for dm devices. Why? We need to consider several points: - On boot time, devices appear in random order. So, if e.g. sda and sdb requests the same symlink, then there are no way to guarantee which device will own the symlink, as these devices will be processed by udevd in parallel. Since, there are no guarantee, we can change the logic which device will win to own the symlink, that is, the first wins (with this PR) or the last wins (the current behavior). - After the system is booted, e.g. when a USB stick (sdb) is inserted and it requests a symlink which is currently owned by sda. In that case, the current behavior makes the new device (sdb) steal the ownership of the symlink. But, that may be problematic as a user or a program may assume that the symlink is persistent, and data may be lost or stolen. We can easily create such hackish USB stick by creating a partition which has the same partition UUID on the stick. With this commit, new devices cannot override the ownership of the symlink, so such the issue will not be triggered anymore. - As you can see the change in the test code for integrity in this commit, this commit is also important for dm-integrity. Without this PR, the data partition and the DM devices both request the same partition UUID symlink, and the data device gained the ownership, as a synthetic event for the underlying data device is triggered after the DM device is activated, and it steels the ownership from the DM device. People may mistakenly mounts the underlying data device rather than the DM device, and may causes data loss or corruption. With this PR, the underlying device will not gain the symlink, and blkid command always returns the DM device. - Unfortunately, this re-introduce issue #28468, which is triggered for spurious ISO images. But, it can be easily avoided by reapplying the 'workaround' done by `df1dccd255`. Fixes #31448. Replaces #34482, #33572, #32981.	2024-09-25 14:09:23 +02:00