Merge fc2ed0424e into c946b13575

The file README.logs is installed only if SysVInit support is enabled.
Thus the link should depend on it as well.

hwdb.d/60-sensor.hwdb

@@ -953,6 +953,15 @@ sensor:modalias:acpi:MXC6655*:dmi:*:svnDefaultstring*:pnP612F:*
 sensor:modalias:acpi:SMO8500*:dmi:*:svnPEAQ:pnPEAQPMMC1010MD99187:*
  ACCEL_MOUNT_MATRIX=-1, 0, 0; 0, 1, 0; 0, 0, 1
 
+#########################################
+# Pine64
+#########################################
+
+# PineTab2
+
+sensor:modalias:of:NaccelerometerT_null_Csilan,sc7a20:*
+ ACCEL_MOUNT_MATRIX=0, 0, -1; 1, 0, 0; 0, -1, 0
+
 #########################################
 # Pipo
 #########################################

man/systemd-cryptenroll.xml

@@ -387,21 +387,6 @@
     <para>The following options are understood that may be used to enroll PKCS#11 tokens:</para>
 
     <variablelist>
-      <varlistentry>
-        <term><option>--fido2-credential-algorithm=<replaceable>STRING</replaceable></option></term>
-        <listitem><para>Specify COSE algorithm used in credential generation. The default value is
-        <literal>es256</literal>. Supported values are <literal>es256</literal>, <literal>rs256</literal>
-        and <literal>eddsa</literal>.</para>
-
-        <para><literal>es256</literal> denotes ECDSA over NIST P-256 with SHA-256. <literal>rs256</literal>
-        denotes 2048-bit RSA with PKCS#1.5 padding and SHA-256. <literal>eddsa</literal> denotes
-        EDDSA over Curve25519 with SHA-512.</para>
-
-        <para>Note that your authenticator may choose not to support some algorithms.</para>
-
-        <xi:include href="version-info.xml" xpointer="v251"/></listitem>
-      </varlistentry>
-
       <varlistentry>
         <term><option>--fido2-device=<replaceable>PATH</replaceable></option></term>
 
@@ -428,6 +413,21 @@
         <xi:include href="version-info.xml" xpointer="v248"/></listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><option>--fido2-credential-algorithm=<replaceable>STRING</replaceable></option></term>
+        <listitem><para>Specify COSE algorithm used in credential generation. The default value is
+        <literal>es256</literal>. Supported values are <literal>es256</literal>, <literal>rs256</literal>
+        and <literal>eddsa</literal>.</para>
+
+        <para><literal>es256</literal> denotes ECDSA over NIST P-256 with SHA-256. <literal>rs256</literal>
+        denotes 2048-bit RSA with PKCS#1.5 padding and SHA-256. <literal>eddsa</literal> denotes
+        EDDSA over Curve25519 with SHA-512.</para>
+
+        <para>Note that your authenticator may choose not to support some algorithms.</para>
+
+        <xi:include href="version-info.xml" xpointer="v251"/></listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><option>--fido2-salt-file=<replaceable>PATH</replaceable></option></term>
 

src/libsystemd/sd-varlink/varlink-util.c

@@ -16,7 +16,7 @@ int varlink_get_peer_pidref(sd_varlink *v, PidRef *ret) {
 
         int pidfd = sd_varlink_get_peer_pidfd(v);
         if (pidfd < 0) {
-                if (!ERRNO_IS_NEG_NOT_SUPPORTED(pidfd))
+                if (!ERRNO_IS_NEG_NOT_SUPPORTED(pidfd) && pidfd != -EINVAL)
                         return pidfd;
 
                 pid_t pid;

src/shared/libfido2-util.c

@@ -4,6 +4,7 @@
 
 #if HAVE_LIBFIDO2
 #include "alloc-util.h"
+#include "ansi-color.h"
 #include "ask-password-api.h"
 #include "dlfcn-util.h"
 #include "format-table.h"
@@ -45,21 +46,21 @@ DLSYM_PROTOTYPE(fido_cred_set_rp) = NULL;
 DLSYM_PROTOTYPE(fido_cred_set_type) = NULL;
 DLSYM_PROTOTYPE(fido_cred_set_user) = NULL;
 DLSYM_PROTOTYPE(fido_cred_set_uv) = NULL;
+DLSYM_PROTOTYPE(fido_dev_close) = NULL;
 DLSYM_PROTOTYPE(fido_dev_free) = NULL;
 DLSYM_PROTOTYPE(fido_dev_get_assert) = NULL;
 DLSYM_PROTOTYPE(fido_dev_get_cbor_info) = NULL;
 DLSYM_PROTOTYPE(fido_dev_info_free) = NULL;
 DLSYM_PROTOTYPE(fido_dev_info_manifest) = NULL;
 DLSYM_PROTOTYPE(fido_dev_info_manufacturer_string) = NULL;
-DLSYM_PROTOTYPE(fido_dev_info_product_string) = NULL;
 DLSYM_PROTOTYPE(fido_dev_info_new) = NULL;
 DLSYM_PROTOTYPE(fido_dev_info_path) = NULL;
+DLSYM_PROTOTYPE(fido_dev_info_product_string) = NULL;
 DLSYM_PROTOTYPE(fido_dev_info_ptr) = NULL;
 DLSYM_PROTOTYPE(fido_dev_is_fido2) = NULL;
 DLSYM_PROTOTYPE(fido_dev_make_cred) = NULL;
 DLSYM_PROTOTYPE(fido_dev_new) = NULL;
 DLSYM_PROTOTYPE(fido_dev_open) = NULL;
-DLSYM_PROTOTYPE(fido_dev_close) = NULL;
 DLSYM_PROTOTYPE(fido_init) = NULL;
 DLSYM_PROTOTYPE(fido_set_log_handler) = NULL;
 DLSYM_PROTOTYPE(fido_strerr) = NULL;
@@ -108,6 +109,7 @@ int dlopen_libfido2(void) {
                         DLSYM_ARG(fido_cred_set_type),
                         DLSYM_ARG(fido_cred_set_user),
                         DLSYM_ARG(fido_cred_set_uv),
+                        DLSYM_ARG(fido_dev_close),
                         DLSYM_ARG(fido_dev_free),
                         DLSYM_ARG(fido_dev_get_assert),
                         DLSYM_ARG(fido_dev_get_cbor_info),
@@ -122,7 +124,6 @@ int dlopen_libfido2(void) {
                         DLSYM_ARG(fido_dev_make_cred),
                         DLSYM_ARG(fido_dev_new),
                         DLSYM_ARG(fido_dev_open),
-                        DLSYM_ARG(fido_dev_close),
                         DLSYM_ARG(fido_init),
                         DLSYM_ARG(fido_set_log_handler),
                         DLSYM_ARG(fido_strerr));
@@ -903,7 +904,7 @@ int fido2_generate_hmac_hash(
                                        "Token action timeout. (User didn't interact with token quickly enough.)");
         if (r == FIDO_ERR_UNSUPPORTED_ALGORITHM)
                 return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP),
-                                        "Token doesn't support credential algorithm %s.", fido2_algorithm_to_string(cred_alg));
+                                       "Token doesn't support credential algorithm %s.", fido2_algorithm_to_string(cred_alg));
         if (r != FIDO_OK)
                 return log_error_errno(SYNTHETIC_ERRNO(EIO),
                                        "Failed to generate FIDO2 credential: %s", sym_fido_strerr(r));
@@ -1074,7 +1075,13 @@ int fido2_generate_hmac_hash(
 #endif
 
 #if HAVE_LIBFIDO2
-static int check_device_is_fido2_with_hmac_secret(const char *path) {
+static int check_device_is_fido2_with_hmac_secret(
+                const char *path,
+                bool *ret_has_rk,
+                bool *ret_has_client_pin,
+                bool *ret_has_up,
+                bool *ret_has_uv) {
+
         _cleanup_(fido_dev_free_wrapper) fido_dev_t *d = NULL;
         int r;
 
@@ -1087,7 +1094,7 @@ static int check_device_is_fido2_with_hmac_secret(const char *path) {
                 return log_error_errno(SYNTHETIC_ERRNO(EIO),
                                        "Failed to open FIDO2 device %s: %s", path, sym_fido_strerr(r));
 
-        r = verify_features(d, path, LOG_DEBUG, NULL, NULL, NULL, NULL);
+        r = verify_features(d, path, LOG_DEBUG, ret_has_rk, ret_has_client_pin, ret_has_up, ret_has_uv);
         if (r == -ENODEV) /* Not a FIDO2 device, or not implementing 'hmac-secret' */
                 return false;
         if (r < 0)
@@ -1124,7 +1131,7 @@ int fido2_list_devices(void) {
                 goto finish;
         }
 
-        t = table_new("path", "manufacturer", "product");
+        t = table_new("path", "manufacturer", "product", "rk", "clientpin", "up", "uv");
         if (!t) {
                 r = log_oom();
                 goto finish;
@@ -1132,6 +1139,7 @@ int fido2_list_devices(void) {
 
         for (size_t i = 0; i < found; i++) {
                 const fido_dev_info_t *entry;
+                bool has_rk, has_client_pin, has_up, has_uv;
 
                 entry = sym_fido_dev_info_ptr(di, i);
                 if (!entry) {
@@ -1140,7 +1148,7 @@ int fido2_list_devices(void) {
                         goto finish;
                 }
 
-                r = check_device_is_fido2_with_hmac_secret(sym_fido_dev_info_path(entry));
+                r = check_device_is_fido2_with_hmac_secret(sym_fido_dev_info_path(entry), &has_rk, &has_client_pin, &has_up, &has_uv);
                 if (r < 0)
                         goto finish;
                 if (!r)
@@ -1150,7 +1158,11 @@ int fido2_list_devices(void) {
                                 t,
                                 TABLE_PATH, sym_fido_dev_info_path(entry),
                                 TABLE_STRING, sym_fido_dev_info_manufacturer_string(entry),
-                                TABLE_STRING, sym_fido_dev_info_product_string(entry));
+                                TABLE_STRING, sym_fido_dev_info_product_string(entry),
+                                TABLE_BOOLEAN_CHECKMARK, has_rk,
+                                TABLE_BOOLEAN_CHECKMARK, has_client_pin,
+                                TABLE_BOOLEAN_CHECKMARK, has_up,
+                                TABLE_BOOLEAN_CHECKMARK, has_uv);
                 if (r < 0) {
                         table_log_add_error(r);
                         goto finish;
@@ -1163,6 +1175,16 @@ int fido2_list_devices(void) {
                 goto finish;
         }
 
+        if (table_get_rows(t) > 1)
+                printf("\n"
+                       "%1$sLegend: RK        %2$s Resident key%3$s\n"
+                       "%1$s        CLIENTPIN %2$s PIN request%3$s\n"
+                       "%1$s        UP        %2$s User presence%3$s\n"
+                       "%1$s        UV        %2$s User verification%3$s\n",
+                       ansi_grey(),
+                       special_glyph(SPECIAL_GLYPH_ARROW_RIGHT),
+                       ansi_normal());
+
         r = 0;
 
 finish:
@@ -1213,7 +1235,12 @@ int fido2_find_device_auto(char **ret) {
                 goto finish;
         }
 
-        r = check_device_is_fido2_with_hmac_secret(sym_fido_dev_info_path(entry));
+        r = check_device_is_fido2_with_hmac_secret(
+                        sym_fido_dev_info_path(entry),
+                        /* ret_has_rk= */ NULL,
+                        /* ret_has_client_pin= */ NULL,
+                        /* ret_has_up= */ NULL,
+                        /* ret_has_uv= */ NULL);
         if (r < 0)
                 goto finish;
         if (!r) {

src/shared/libfido2-util.h

@@ -52,21 +52,21 @@ extern DLSYM_PROTOTYPE(fido_cred_set_rp);
 extern DLSYM_PROTOTYPE(fido_cred_set_type);
 extern DLSYM_PROTOTYPE(fido_cred_set_user);
 extern DLSYM_PROTOTYPE(fido_cred_set_uv);
+extern DLSYM_PROTOTYPE(fido_dev_close);
 extern DLSYM_PROTOTYPE(fido_dev_free);
 extern DLSYM_PROTOTYPE(fido_dev_get_assert);
 extern DLSYM_PROTOTYPE(fido_dev_get_cbor_info);
 extern DLSYM_PROTOTYPE(fido_dev_info_free);
 extern DLSYM_PROTOTYPE(fido_dev_info_manifest);
 extern DLSYM_PROTOTYPE(fido_dev_info_manufacturer_string);
-extern DLSYM_PROTOTYPE(fido_dev_info_product_string);
 extern DLSYM_PROTOTYPE(fido_dev_info_new);
 extern DLSYM_PROTOTYPE(fido_dev_info_path);
+extern DLSYM_PROTOTYPE(fido_dev_info_product_string);
 extern DLSYM_PROTOTYPE(fido_dev_info_ptr);
 extern DLSYM_PROTOTYPE(fido_dev_is_fido2);
 extern DLSYM_PROTOTYPE(fido_dev_make_cred);
 extern DLSYM_PROTOTYPE(fido_dev_new);
 extern DLSYM_PROTOTYPE(fido_dev_open);
-extern DLSYM_PROTOTYPE(fido_dev_close);
 extern DLSYM_PROTOTYPE(fido_init);
 extern DLSYM_PROTOTYPE(fido_set_log_handler);
 extern DLSYM_PROTOTYPE(fido_strerr);

src/shared/tpm2-util.h

@@ -392,7 +392,7 @@ int tpm2_make_pcr_json_array(uint32_t pcr_mask, sd_json_variant **ret);
 int tpm2_parse_pcr_json_array(sd_json_variant *v, uint32_t *ret);
 
 int tpm2_make_luks2_json(int keyslot, uint32_t hash_pcr_mask, uint16_t pcr_bank, const struct iovec *pubkey, uint32_t pubkey_pcr_mask, uint16_t primary_alg, const struct iovec blobs[], size_t n_blobs, const struct iovec policy_hash[], size_t n_policy_hash, const struct iovec *salt, const struct iovec *srk, const struct iovec *pcrlock_nv, TPM2Flags flags, sd_json_variant **ret);
-int tpm2_parse_luks2_json(sd_json_variant *v, int *ret_keyslot, uint32_t *ret_hash_pcr_mask, uint16_t *ret_pcr_bank, struct iovec *ret_pubkey, uint32_t *ret_pubkey_pcr_mask, uint16_t *ret_primary_alg, struct iovec **ret_blobs, size_t *ret_n_blobs, struct iovec **ret_policy_hash, size_t *ret_n_policy_hash, struct iovec *ret_salt, struct iovec *ret_srk, struct iovec *pcrlock_nv, TPM2Flags *ret_flags);
+int tpm2_parse_luks2_json(sd_json_variant *v, int *ret_keyslot, uint32_t *ret_hash_pcr_mask, uint16_t *ret_pcr_bank, struct iovec *ret_pubkey, uint32_t *ret_pubkey_pcr_mask, uint16_t *ret_primary_alg, struct iovec **ret_blobs, size_t *ret_n_blobs, struct iovec **ret_policy_hash, size_t *ret_n_policy_hash, struct iovec *ret_salt, struct iovec *ret_srk, struct iovec *ret_pcrlock_nv, TPM2Flags *ret_flags);
 
 /* Default to PCR 7 only */
 #define TPM2_PCR_INDEX_DEFAULT UINT32_C(7)

src/userdb/userdbctl.c

@@ -23,6 +23,7 @@
 #include "user-util.h"
 #include "userdb.h"
 #include "verbs.h"
+#include "virt.h"
 
 static enum {
         OUTPUT_CLASSIC,
@@ -139,10 +140,16 @@ static int show_user(UserRecord *ur, Table *table) {
         return 0;
 }
 
+static bool test_show_mapped(void) {
+        /* Show mapped user range only in environments where user mapping is a thing. */
+        return running_in_userns() > 0;
+}
+
 static const struct {
         uid_t first, last;
         const char *name;
         UserDisposition disposition;
+        bool (*test)(void);
 } uid_range_table[] = {
         {
                 .first = 1,
@@ -175,11 +182,12 @@ static const struct {
                 .last = MAP_UID_MAX,
                 .name = "mapped",
                 .disposition = USER_REGULAR,
+                .test = test_show_mapped,
         },
 };
 
 static int table_add_uid_boundaries(Table *table, const UIDRange *p) {
-        int r;
+        int r, n_added = 0;
 
         assert(table);
 
@@ -192,6 +200,9 @@ static int table_add_uid_boundaries(Table *table, const UIDRange *p) {
                 if (!uid_range_covers(p, i->first, i->last - i->first + 1))
                         continue;
 
+                if (i->test && !i->test())
+                        continue;
+
                 name = strjoin(special_glyph(SPECIAL_GLYPH_ARROW_DOWN),
                                " begin ", i->name, " users ",
                                special_glyph(SPECIAL_GLYPH_ARROW_DOWN));
@@ -249,9 +260,11 @@ static int table_add_uid_boundaries(Table *table, const UIDRange *p) {
                                 TABLE_INT, 1); /* sort after any other entry with the same UID */
                 if (r < 0)
                         return table_log_add_error(r);
+
+                n_added += 2;
         }
 
-        return ELEMENTSOF(uid_range_table) * 2;
+        return n_added;
 }
 
 static int add_unavailable_uid(Table *table, uid_t start, uid_t end) {
@@ -565,16 +578,22 @@ static int show_group(GroupRecord *gr, Table *table) {
 }
 
 static int table_add_gid_boundaries(Table *table, const UIDRange *p) {
-        int r;
+        int r, n_added = 0;
 
         assert(table);
 
         FOREACH_ELEMENT(i, uid_range_table) {
                 _cleanup_free_ char *name = NULL, *comment = NULL;
 
+                if (!FLAGS_SET(arg_disposition_mask, UINT64_C(1) << i->disposition))
+                        continue;
+
                 if (!uid_range_covers(p, i->first, i->last - i->first + 1))
                         continue;
 
+                if (i->test && !i->test())
+                        continue;
+
                 name = strjoin(special_glyph(SPECIAL_GLYPH_ARROW_DOWN),
                                " begin ", i->name, " groups ",
                                special_glyph(SPECIAL_GLYPH_ARROW_DOWN));
@@ -626,9 +645,11 @@ static int table_add_gid_boundaries(Table *table, const UIDRange *p) {
                                 TABLE_INT, 1); /* sort after any other entry with the same GID */
                 if (r < 0)
                         return table_log_add_error(r);
+
+                n_added += 2;
         }
 
-        return ELEMENTSOF(uid_range_table) * 2;
+        return n_added;
 }
 
 static int add_unavailable_gid(Table *table, uid_t start, uid_t end) {

tmpfiles.d/legacy.conf.in

@@ -13,11 +13,12 @@
 
 d /run/lock 0755 root root -
 L /var/lock - - - - ../run/lock
+
+{% if HAVE_SYSV_COMPAT %}
 {% if CREATE_LOG_DIRS %}
 L$ /var/log/README - - - - ../..{{DOC_DIR}}/README.logs
 {% endif %}
 
-{% if HAVE_SYSV_COMPAT %}
 # /run/lock/subsys is used for serializing SysV service execution, and
 # hence without use on SysV-less systems.
 d /run/lock/subsys 0755 root root -