Compare commits

...

12 Commits

Author SHA1 Message Date
Yu Watanabe 1d387c22eb
Merge a050031d05 into 9bf6ffe166 2024-11-22 13:40:26 +01:00
Luca Boccassi 9bf6ffe166
man: split cryptenroll man page into sections (#35297) 2024-11-22 12:01:07 +00:00
Lennart Poettering cc6baba720 cryptenroll: it's called PKCS#11, not PKCS11
In the --help text we really should use the official spelling, just like
in the man page.
2024-11-22 10:42:37 +01:00
Lennart Poettering 3ae48d071c man: add enrollment type sections to cryptenroll man page
We have the same sections in the --help text, hence we even more so
should have them in the man page.
2024-11-22 10:42:37 +01:00
Antonio Alvarez Feijoo 2ccacdd57c bash-completion: add --list-devices to systemd-cryptenroll
And also use it to list suitable block devices.
2024-11-22 10:38:19 +01:00
Yu Watanabe d99198819c core/service: service_add_fd_store() consumes passed fd
Without this change, the fd is closed twice on failure.

Fixes a bug introduced by dff9808a62.

Fixes #35288.
2024-11-22 04:15:51 +01:00
Tobias Zimmermann f70e5620b6 hwdb: Add quirk for Logitech MX Keys for Mac
The KEY_102ND and KEY_GRAVE keys are switched on the
Logitech MX Keys for Mac, so switch them back
2024-11-21 21:16:07 +01:00
Zbigniew Jędrzejewski-Szmek 3127c71bf4
Keep tmpfiles/legacy.conf even if SysVInit support is dropped (#35278) 2024-11-21 21:13:50 +01:00
Yuri Chornoivan b153eebfb2 po: Translated using Weblate (Ukrainian)
Currently translated at 100.0% (257 of 257 strings)

Co-authored-by: Yuri Chornoivan <yurchor@ukr.net>
Translate-URL: https://translate.fedoraproject.org/projects/systemd/main/uk/
Translation: systemd/main
2024-11-22 05:02:16 +09:00
Zbigniew Jędrzejewski-Szmek 2c06e40ae9 tmpfiles: add period at end of the sentence
The license that is immediately above is properly punctuated and it looks
sloppy when our line below isn't.
2024-11-21 18:35:18 +01:00
Zbigniew Jędrzejewski-Szmek 5ca9149464 tmpfiles: narrow scope of HAVE_SYSV_COMPAT condition for legacy.conf
That file contains a bunch of entries of which only some are related to SysV.
The rest are just "traditional APIs" that need to stay. In particular,
/var/lock a.k.a. /run/lock is used by many programs (LVM, iscsi, alsactl).
Similarly, the README about /var/log is something that should stay as long as
we have people migrating from older systems or using the copiuos documentation
that mentions /var/log/messages.txt on the Internet.

/var/lock/subsys is only used by sysvinit, and our code to support /forcefsck,
/fastboot, and /forcequotacheck is conditionalized on HAVE_SYSV_COMPAT, so
conditionalize those here on HAVE_SYSV_COMPAT too.
2024-11-21 18:32:46 +01:00
Yu Watanabe a050031d05 udev-node: replace existing symlink with the same priority only when explicitly requested
History:
- Before 331aa7aa15, a symlink creation
  requested by a new event replaced an existing symlink with the same
  priority.
- With 331aa7aa15 (v254), if an existing symlink
  has the same priority with the newly requested one, then the new request
  was skipped, and the existing symlink was kept. But this caused #28141.
- With 7ec5ce5673 (v255, and backported to v254.6),
  the behavior is restored prior to the 331aa7aa15.
  But, it is pointed out that the replacing symlink may be dangerous.
  See discussion in https://github.com/systemd/systemd/pull/34482#issuecomment-2362115374.

This introduce .UDEV_REPLACE_SYMLINK_WITH_SAME_PRIORITY flag, and set the flag
for dm devices. Why? We need to consider several points:
- On boot time, devices appear in random order. So, if e.g. sda and sdb
  requests the same symlink, then there are no way to guarantee which
  device will own the symlink, as these devices will be processed by
  udevd in parallel. Since, there are no guarantee, we can change the
  logic which device will win to own the symlink, that is, the first
  wins (with this PR) or the last wins (the current behavior).
- After the system is booted, e.g. when a USB stick (sdb) is inserted and
  it requests a symlink which is currently owned by sda. In that case,
  the current behavior makes the new device (sdb) steal the ownership of
  the symlink. But, that may be problematic as a user or a program may
  assume that the symlink is persistent, and data may be lost or stolen.
  We can easily create such hackish USB stick by creating a partition
  which has the same partition UUID on the stick.
  With this commit, new devices cannot override the ownership of the symlink,
  so such the issue will not be triggered anymore.
- As you can see the change in the test code for integrity in this commit,
  this commit is also important for dm-integrity. Without this PR, the data
  partition and the DM devices both request the same partition UUID symlink,
  and the data device gained the ownership, as a synthetic event for the
  underlying data device is triggered after the DM device is activated,
  and it steels the ownership from the DM device. People may mistakenly
  mounts the underlying data device rather than the DM device, and may causes
  data loss or corruption. With this PR, the underlying device will not
  gain the symlink, and blkid command always returns the DM device.
- Unfortunately, this re-introduce issue #28468, which is triggered for
  spurious ISO images. But, it can be easily avoided by reapplying the
  'workaround' done by df1dccd255.

Fixes #31448.
Replaces #34482, #33572, #32981.
2024-09-25 14:09:23 +02:00
30 changed files with 129 additions and 72 deletions

View File

@ -1438,6 +1438,11 @@ evdev:input:b0003v046DpC309*
KEYBOARD_KEY_c01b6=images # My Pictures (F11)
KEYBOARD_KEY_c01b7=audio # My Music (F12)
# Logitech MX Keys for Mac
evdev:input:b0003v046Dp4092*
KEYBOARD_KEY_70035=102nd # '<' key
KEYBOARD_KEY_70064=grave # '^' key
###########################################################
# Maxdata
###########################################################

View File

@ -265,32 +265,11 @@
</refsect1>
<refsect1>
<title>Options</title>
<title>Unlocking</title>
<para>The following options are understood:</para>
<para>The following options are understood that may be used to unlock the device in preparation of the enrollment operations:</para>
<variablelist>
<varlistentry>
<term><option>--password</option></term>
<listitem><para>Enroll a regular password/passphrase. This command is mostly equivalent to
<command>cryptsetup luksAddKey</command>, however may be combined with
<option>--wipe-slot=</option> in one call, see below.</para>
<xi:include href="version-info.xml" xpointer="v248"/></listitem>
</varlistentry>
<varlistentry>
<term><option>--recovery-key</option></term>
<listitem><para>Enroll a recovery key. Recovery keys are mostly identical to passphrases, but are
computer-generated instead of being chosen by a human, and thus have a guaranteed high entropy. The
key uses a character set that is easy to type in, and may be scanned off screen via a QR code.
</para>
<xi:include href="version-info.xml" xpointer="v248"/></listitem>
</varlistentry>
<varlistentry>
<term><option>--unlock-key-file=<replaceable>PATH</replaceable></option></term>
@ -328,7 +307,45 @@
<xi:include href="version-info.xml" xpointer="v256"/></listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>Simple Enrollment</title>
<para>The following options are understood that may be used to enroll simple user input based
unlocking:</para>
<variablelist>
<varlistentry>
<term><option>--password</option></term>
<listitem><para>Enroll a regular password/passphrase. This command is mostly equivalent to
<command>cryptsetup luksAddKey</command>, however may be combined with
<option>--wipe-slot=</option> in one call, see below.</para>
<xi:include href="version-info.xml" xpointer="v248"/></listitem>
</varlistentry>
<varlistentry>
<term><option>--recovery-key</option></term>
<listitem><para>Enroll a recovery key. Recovery keys are mostly identical to passphrases, but are
computer-generated instead of being chosen by a human, and thus have a guaranteed high entropy. The
key uses a character set that is easy to type in, and may be scanned off screen via a QR code.
</para>
<xi:include href="version-info.xml" xpointer="v248"/></listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>PKCS#11 Enrollment</title>
<para>The following option is understood that may be used to enroll PKCS#11 tokens:</para>
<variablelist>
<varlistentry>
<term><option>--pkcs11-token-uri=<replaceable>URI</replaceable></option></term>
@ -361,7 +378,15 @@
<xi:include href="version-info.xml" xpointer="v248"/></listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>FIDO2 Enrollment</title>
<para>The following options are understood that may be used to enroll PKCS#11 tokens:</para>
<variablelist>
<varlistentry>
<term><option>--fido2-credential-algorithm=<replaceable>STRING</replaceable></option></term>
<listitem><para>Specify COSE algorithm used in credential generation. The default value is
@ -461,7 +486,15 @@
<xi:include href="version-info.xml" xpointer="v249"/></listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>TPM2 Enrollment</title>
<para>The following options are understood that may be used to enroll TPM2 devices:</para>
<variablelist>
<varlistentry>
<term><option>--tpm2-device=<replaceable>PATH</replaceable></option></term>
@ -636,7 +669,15 @@
<xi:include href="version-info.xml" xpointer="v255"/></listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>Other Options</title>
<para>The following additional options are understood:</para>
<variablelist>
<varlistentry>
<term><option>--wipe-slot=<replaceable>SLOT<optional>,SLOT...</optional></replaceable></option></term>

View File

@ -9,8 +9,8 @@ msgid ""
msgstr ""
"Report-Msgid-Bugs-To: \n"
"POT-Creation-Date: 2024-11-06 14:42+0000\n"
"PO-Revision-Date: 2024-11-20 19:13+0000\n"
"Last-Translator: Dmytro Markevych <hotr1pak@gmail.com>\n"
"PO-Revision-Date: 2024-11-21 19:38+0000\n"
"Last-Translator: Yuri Chornoivan <yurchor@ukr.net>\n"
"Language-Team: Ukrainian <https://translate.fedoraproject.org/projects/"
"systemd/main/uk/>\n"
"Language: uk\n"
@ -120,11 +120,11 @@ msgstr "Для оновлення домашньої теки користува
#: src/home/org.freedesktop.home1.policy:53
msgid "Update your home area"
msgstr "Оновіть свій домашній простір"
msgstr "Оновлення домашньої області"
#: src/home/org.freedesktop.home1.policy:54
msgid "Authentication is required to update your home area."
msgstr "Для оновлення домашньої області потрібна автентифікація."
msgstr "Для оновлення домашньої області слід пройти розпізнавання."
#: src/home/org.freedesktop.home1.policy:63
msgid "Resize a home area"
@ -1215,7 +1215,7 @@ msgstr "Керування додатковими функціями"
#: src/sysupdate/org.freedesktop.sysupdate1.policy:76
msgid "Authentication is required to manage optional features"
msgstr "Для керування додатковими функціями потрібна автентифікація"
msgstr "Для керування додатковими можливостями слід пройти розпізнавання"
#: src/timedate/org.freedesktop.timedate1.policy:22
msgid "Set system time"

View File

@ -136,6 +136,12 @@ KERNEL!="sr*|mmcblk[0-9]boot[0-9]", IMPORT{builtin}="blkid"
LABEL="persistent_storage_blkid_probe_end"
{% endif %}
# Decrease devlink priority for whole disk of ISO hybrid images, and make the
# priority for partitions in the image relatively higher. This is for the case
# that a disk and one of its partition have the same label or so.
# See issue #28468.
ENV{ID_FS_TYPE}=="iso9660", ENV{DEVTYPE}=="disk", OPTIONS+="link_priority=-10"
# by-label/by-uuid links (filesystem metadata)
ENV{ID_FS_USAGE}=="filesystem|other|crypto", ENV{ID_FS_UUID_ENC}=="?*", SYMLINK+="disk/by-uuid/$env{ID_FS_UUID_ENC}"
ENV{ID_FS_USAGE}=="filesystem|other|crypto", ENV{ID_FS_LABEL_ENC}=="?*", SYMLINK+="disk/by-label/$env{ID_FS_LABEL_ENC}"

View File

@ -22,6 +22,10 @@ SUBSYSTEM=="ubi", TAG+="systemd"
SUBSYSTEM=="block", TAG+="systemd"
# Make dm devices can replace existing symlinks with the same priority.
# Otherwise, activating a device while another is being deactivated may fail.
SUBSYSTEM=="block", KERNEL=="dm-*", ENV{.UDEV_REPLACE_SYMLINK_WITH_SAME_PRIORITY}="1"
# When a dm device is first created, it's just an empty container. Ignore it.
# DM_NAME is not set in this case, but it's set on spurious "add" events that occur later.
SUBSYSTEM=="block", ACTION=="add", KERNEL=="dm-*", ENV{DM_NAME}!="?*", ENV{SYSTEMD_READY}="0"

View File

@ -38,19 +38,12 @@ __get_tpm2_devices() {
done
}
__get_block_devices() {
local i
for i in /dev/*; do
[ -b "$i" ] && printf '%s\n' "$i"
done
}
_systemd_cryptenroll() {
local comps
local cur=${COMP_WORDS[COMP_CWORD]} prev=${COMP_WORDS[COMP_CWORD-1]} words cword
local -A OPTS=(
[STANDALONE]='-h --help --version
--password --recovery-key'
--password --recovery-key --list-devices'
[ARG]='--unlock-key-file
--unlock-fido2-device
--unlock-tpm2-device
@ -116,7 +109,7 @@ _systemd_cryptenroll() {
return 0
fi
comps=$(__get_block_devices)
comps=$(systemd-cryptenroll --list-devices)
COMPREPLY=( $(compgen -W '$comps' -- "$cur") )
return 0
}

View File

@ -3426,14 +3426,12 @@ static int service_deserialize_item(Unit *u, const char *key, const char *value,
return 0;
}
r = service_add_fd_store(s, fd, fdn, do_poll);
r = service_add_fd_store(s, TAKE_FD(fd), fdn, do_poll);
if (r < 0) {
log_unit_debug_errno(u, r,
"Failed to store deserialized fd '%s', ignoring: %m", fdn);
return 0;
}
TAKE_FD(fd);
} else if (streq(key, "extra-fd")) {
_cleanup_free_ char *fdv = NULL, *fdn = NULL;
_cleanup_close_ int fd = -EBADF;

View File

@ -193,7 +193,7 @@ static int help(void) {
"\n%3$sSimple Enrollment:%4$s\n"
" --password Enroll a user-supplied password\n"
" --recovery-key Enroll a recovery key\n"
"\n%3$sPKCS11 Enrollment:%4$s\n"
"\n%3$sPKCS#11 Enrollment:%4$s\n"
" --pkcs11-token-uri=URI\n"
" Specify PKCS#11 security token URI\n"
"\n%3$sFIDO2 Enrollment:%4$s\n"

View File

@ -462,6 +462,18 @@ static int link_update(sd_device *dev, const char *slink, bool add) {
* another device. Hence, it is not necessary to recreate it. */
return 0;
/* When the priorities are equivalent, replace symlink only when it is
* explicitly requested. This is necessary for DM devices, otherwise
* activating a device while another is being deactivated may fail. See issue
* #28141. However, in general, replacing symlink with a same-priority device
* is dangerous. For example, when managing or assembling multiple disks,
* when fdisk or wipefs is called, we trigger synthesized events and that can
* replace existing symlinks, and unexpected device may be used and data may
* be lost. */
if (current_prio == prio &&
device_get_property_bool(dev, ".UDEV_REPLACE_SYMLINK_WITH_SAME_PRIORITY") <= 0)
return 0;
/* This device has the equal or a higher priority than the current. Let's
* create the devlink to our device node. */
return node_create_symlink(dev, /* devnode = */ NULL, slink);

View File

@ -34,6 +34,9 @@ ${DM_NAME} ${loop} - integrity-algorithm=$1
EOF
}
udevadm settle
udevadm control --log-level=debug
image_dir="$(mktemp -d -t -p / integrity.tmp.XXXXXX)"
if [ -z "${image_dir}" ] || [ ! -d "${image_dir}" ]; then
echo "mktemp under / failed"
@ -93,13 +96,7 @@ do
# Check the signature on the FS to ensure we can retrieve it and that is matches
if [ -e "${FULL_DM_DEV_NAME}" ]; then
# If a separate device is used for the metadata storage, then blkid will return one of the loop devices
if [ "${separate_data}" -eq 1 ]; then
dev_name="$(integritysetup status ${DM_NAME} | grep '^\s*device:' | awk '{print $2}')"
else
dev_name="${FULL_DM_DEV_NAME}"
fi
if [ "${dev_name}" != "$(blkid -U "${FS_UUID}")" ]; then
if [ "$(blkid -U "${FS_UUID}")" != "${FULL_DM_DEV_NAME}" ]; then
echo "Failed to locate FS with matching UUID!"
exit 1
fi

View File

@ -5,7 +5,7 @@
# the Free Software Foundation; either version 2.1 of the License, or
# (at your option) any later version.
# See tmpfiles.d(5) for details
# See tmpfiles.d(5) for details.
{% if LINK_SHELL_EXTRA_DROPIN %}
L$ {{SHELLPROFILEDIR}}/70-systemd-shell-extra.sh - - - - {{LIBEXECDIR}}/profile.d/70-systemd-shell-extra.sh

View File

@ -5,7 +5,7 @@
# the Free Software Foundation; either version 2.1 of the License, or
# (at your option) any later version.
# See tmpfiles.d(5) for details
# See tmpfiles.d(5) for details.
{% if LINK_SSH_PROXY_DROPIN %}
L$ {{SSHCONFDIR}}/20-systemd-ssh-proxy.conf - - - - {{LIBEXECDIR}}/ssh_config.d/20-systemd-ssh-proxy.conf

View File

@ -5,7 +5,7 @@
# the Free Software Foundation; either version 2.1 of the License, or
# (at your option) any later version.
# See tmpfiles.d(5) for details
# See tmpfiles.d(5) for details.
# Copy systemd-stub provided metadata such as PCR signature and public key file
# from initrd into /run/, so that it will survive the initrd stage

View File

@ -5,7 +5,7 @@
# the Free Software Foundation; either version 2.1 of the License, or
# (at your option) any later version.
# See tmpfiles.d(5) for details
# See tmpfiles.d(5) for details.
{% if LINK_SSHD_USERDB_DROPIN %}
L {{SSHDCONFDIR}}/20-systemd-userdb.conf - - - - {{LIBEXECDIR}}/sshd_config.d/20-systemd-userdb.conf

View File

@ -5,7 +5,7 @@
# the Free Software Foundation; either version 2.1 of the License, or
# (at your option) any later version.
# See tmpfiles.d(5) for details
# See tmpfiles.d(5) for details.
d /etc/credstore 0700 root root
d /etc/credstore.encrypted 0700 root root

View File

@ -5,7 +5,7 @@
# the Free Software Foundation; either version 2.1 of the License, or
# (at your option) any later version.
# See tmpfiles.d(5) for details
# See tmpfiles.d(5) for details.
L /etc/os-release - - - - ../usr/lib/os-release
L+ /etc/mtab - - - - ../proc/self/mounts

View File

@ -5,7 +5,7 @@
# the Free Software Foundation; either version 2.1 of the License, or
# (at your option) any later version.
# See tmpfiles.d(5) for details
# See tmpfiles.d(5) for details.
Q /home 0755 - - -
q /srv 0755 - - -

View File

@ -5,7 +5,7 @@
# the Free Software Foundation; either version 2.1 of the License, or
# (at your option) any later version.
# See tmpfiles.d(5) for details
# See tmpfiles.d(5) for details.
# Set the NOCOW attribute for directories of journal files. This flag
# is inherited by their new files and sub-directories. Matters only

View File

@ -5,10 +5,11 @@
# the Free Software Foundation; either version 2.1 of the License, or
# (at your option) any later version.
# See tmpfiles.d(5) for details
# See tmpfiles.d(5) for details.
# These files are considered legacy and are unnecessary on legacy-free
# systems.
# The functionality provided by these files and directories has been replaced
# by newer interfaces. Their use is discouraged on legacy-free systems. This
# configuration is provided to maintain backward compatibility.
d /run/lock 0755 root root -
L /var/lock - - - - ../run/lock
@ -16,15 +17,15 @@ L /var/lock - - - - ../run/lock
L$ /var/log/README - - - - ../..{{DOC_DIR}}/README.logs
{% endif %}
{% if HAVE_SYSV_COMPAT %}
# /run/lock/subsys is used for serializing SysV service execution, and
# hence without use on SysV-less systems.
d /run/lock/subsys 0755 root root -
# /forcefsck, /fastboot and /forcequotacheck are deprecated in favor of the
# kernel command line options 'fsck.mode=force', 'fsck.mode=skip' and
# 'quotacheck.mode=force'
r! /forcefsck
r! /fastboot
r! /forcequotacheck
{% endif %}

View File

@ -35,7 +35,7 @@ in_files = [
['20-systemd-stub.conf', 'ENABLE_EFI'],
['20-systemd-userdb.conf', 'ENABLE_SSH_USERDB_CONFIG'],
['etc.conf'],
['legacy.conf', 'HAVE_SYSV_COMPAT'],
['legacy.conf'],
['static-nodes-permissions.conf'],
['systemd.conf'],
['var.conf'],

View File

@ -1,4 +1,4 @@
# SPDX-License-Identifier: LGPL-2.1-or-later
# See tmpfiles.d(5) for details
# See tmpfiles.d(5) for details.
Q /var/lib/portables 0700

View File

@ -5,7 +5,7 @@
# the Free Software Foundation; either version 2.1 of the License, or
# (at your option) any later version.
# See tmpfiles.d(5) for details
# See tmpfiles.d(5) for details.
# Provision additional login messages from credentials, if they are set. Note
# that these lines are NOPs if the credentials are not set or if the files

View File

@ -5,7 +5,7 @@
# the Free Software Foundation; either version 2.1 of the License, or
# (at your option) any later version.
# See tmpfiles.d(5) for details
# See tmpfiles.d(5) for details.
d$ /run/systemd/netif 0755 systemd-network systemd-network -
d$ /run/systemd/netif/links 0755 systemd-network systemd-network -

View File

@ -5,7 +5,7 @@
# the Free Software Foundation; either version 2.1 of the License, or
# (at your option) any later version.
# See tmpfiles.d(5) for details
# See tmpfiles.d(5) for details.
Q /var/lib/machines 0700 - - -

View File

@ -5,6 +5,6 @@
# the Free Software Foundation; either version 2.1 of the License, or
# (at your option) any later version.
# See tmpfiles.d(5) for details
# See tmpfiles.d(5) for details.
L! /etc/resolv.conf - - - - ../run/systemd/resolve/stub-resolv.conf

View File

@ -5,7 +5,7 @@
# the Free Software Foundation; either version 2.1 of the License, or
# (at your option) any later version.
# See tmpfiles.d(5) for details
# See tmpfiles.d(5) for details.
# Exclude namespace mountpoints created with PrivateTmp=yes
x /tmp/systemd-private-%b-*

View File

@ -5,7 +5,7 @@
# the Free Software Foundation; either version 2.1 of the License, or
# (at your option) any later version.
# See tmpfiles.d(5) for details
# See tmpfiles.d(5) for details.
d /run/user 0755 root root -
{% if ENABLE_UTMP %}

View File

@ -5,7 +5,7 @@
# the Free Software Foundation; either version 2.1 of the License, or
# (at your option) any later version.
# See tmpfiles.d(5) for details
# See tmpfiles.d(5) for details.
# Clear tmp directories separately, to make them easier to override
q /tmp 1777 root root 10d

View File

@ -5,7 +5,7 @@
# the Free Software Foundation; either version 2.1 of the License, or
# (at your option) any later version.
# See tmpfiles.d(5) for details
# See tmpfiles.d(5) for details.
q /var 0755 - - -

View File

@ -5,7 +5,7 @@
# the Free Software Foundation; either version 2.1 of the License, or
# (at your option) any later version.
# See tmpfiles.d(5) for details
# See tmpfiles.d(5) for details.
# Make sure these are created by default so that nobody else can
# or empty them at startup