


Antonio Álvarez Feijoo 7974be8ba3
Merge fc2ed0424e into c946b13575 2024-11-23 02:41:23 +08:00
Christian Hesse c946b13575 link README.logs from tmpfiles.d/legacy.conf only if available
The file README.logs is installed only if SysVInit support is enabled.
Thus the link should depend on it as well.
2024-11-22 18:33:20 +00:00
Lennart Poettering e39cbb1442 varlink: apparently on old kernels SO_PEERPIDFD returns EINVAL 2024-11-23 03:09:49 +09:00
Marco Tomaschett bc4a027f9c
hwdb: add support for PineTab2 to 60-sensor.hwdb (#35304)
Add accelerometer support for PineTab2
2024-11-23 03:08:06 +09:00
Lennart Poettering d209e197f8
userdbctl: two trivial fixlets (#35296)
Fixes: #35294
2024-11-22 16:06:01 +01:00
Antonio Alvarez Feijoo 9ed090230e tpm2-util: fix parameter name 2024-11-22 16:04:16 +01:00
Lennart Poettering 47c5ca237b userdbctl: respect selected disposition also when showing gid boundaries
Follow-up for: ad5de3222f
2024-11-22 11:28:30 +01:00
Lennart Poettering 7f8a4f12df userdbctl: fix counting
Fixes: #35294
2024-11-22 11:28:28 +01:00
Lennart Poettering e412fc5e04 userbdctl: show 'mapped' user range only inside of userns
Outside of userns the concept makes no sense, there cannot be users
mapped from further outside.
2024-11-22 11:28:17 +01:00
Antonio Alvarez Feijoo fc2ed0424e
libfido2-util: show also verity features when listing FIDO2 devices
This way, users don't have to check those features using an external program, or
wait for later failure when trying to enroll using an unsupported feature.
2024-11-22 10:36:09 +01:00
Antonio Alvarez Feijoo 4112839d8e
libfido2-util: reorder dl symbols alphabetically 2024-11-22 09:10:03 +01:00
Antonio Alvarez Feijoo 41f348cf1d
man/systemd-cryptenroll: sort --fido2-credential-algorithm after --fido2-device 2024-11-22 09:09:37 +01:00
8 changed files with 92 additions and 34 deletions


@ -953,6 +953,15 @@ sensor:modalias:acpi:MXC6655*:dmi:*:svnDefaultstring*:pnP612F:*
sensor:modalias:acpi:SMO8500*:dmi:*:svnPEAQ:pnPEAQPMMC1010MD99187:*
ACCEL_MOUNT_MATRIX=-1, 0, 0; 0, 1, 0; 0, 0, 1
#########################################
# Pine64
#########################################
# PineTab2
sensor:modalias:of:NaccelerometerT_null_Csilan,sc7a20:*
ACCEL_MOUNT_MATRIX=0, 0, -1; 1, 0, 0; 0, -1, 0
#########################################
# Pipo
#########################################


@ -387,21 +387,6 @@
<para>The following options are understood that may be used to enroll PKCS#11 tokens:</para>
<variablelist>
<varlistentry>
<term><option>--fido2-credential-algorithm=<replaceable>STRING</replaceable></option></term>
<listitem><para>Specify COSE algorithm used in credential generation. The default value is
<literal>es256</literal>. Supported values are <literal>es256</literal>, <literal>rs256</literal>
and <literal>eddsa</literal>.</para>
<para><literal>es256</literal> denotes ECDSA over NIST P-256 with SHA-256. <literal>rs256</literal>
denotes 2048-bit RSA with PKCS#1.5 padding and SHA-256. <literal>eddsa</literal> denotes
EDDSA over Curve25519 with SHA-512.</para>
<para>Note that your authenticator may choose not to support some algorithms.</para>
<xi:include href="version-info.xml" xpointer="v251"/></listitem>
</varlistentry>
<varlistentry>
<term><option>--fido2-device=<replaceable>PATH</replaceable></option></term>
@ -428,6 +413,21 @@
<xi:include href="version-info.xml" xpointer="v248"/></listitem>
</varlistentry>
<varlistentry>
<term><option>--fido2-credential-algorithm=<replaceable>STRING</replaceable></option></term>
<listitem><para>Specify COSE algorithm used in credential generation. The default value is
<literal>es256</literal>. Supported values are <literal>es256</literal>, <literal>rs256</literal>
and <literal>eddsa</literal>.</para>
<para><literal>es256</literal> denotes ECDSA over NIST P-256 with SHA-256. <literal>rs256</literal>
denotes 2048-bit RSA with PKCS#1.5 padding and SHA-256. <literal>eddsa</literal> denotes
EDDSA over Curve25519 with SHA-512.</para>
<para>Note that your authenticator may choose not to support some algorithms.</para>
<xi:include href="version-info.xml" xpointer="v251"/></listitem>
</varlistentry>
<varlistentry>
<term><option>--fido2-salt-file=<replaceable>PATH</replaceable></option></term>


@ -16,7 +16,7 @@ int varlink_get_peer_pidref(sd_varlink *v, PidRef *ret) {
int pidfd = sd_varlink_get_peer_pidfd(v);
if (pidfd < 0) {
if (!ERRNO_IS_NEG_NOT_SUPPORTED(pidfd))
if (!ERRNO_IS_NEG_NOT_SUPPORTED(pidfd) && pidfd != -EINVAL)
return pidfd;
pid_t pid;
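Review bot: The added `&& pidfd != -EINVAL` in the condition needs an inline comment, because EINVAL is the generic bad-argument errno and nothing in the code says why it is treated like "not supported" here; the reason (old kernels answering EINVAL for SO_PEERPIDFD) lives only in the commit message. The consequence matters for a reader: on that path the function continues with a plain `pid_t` (the `pid_t pid;` declaration that follows), i.e. a peer identity that is subject to PID reuse rather than a pinned pidfd, so it should be visibly intentional. Suggested comment above the `if`: `/* Old kernels return EINVAL for SO_PEERPIDFD; treat it like ENOTSUP and fall back to the (reuse-prone) PID below. */`. The body of varlink_get_peer_pidref continues outside the hunk, so I could not check whether the fallback path logs anything.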


@ -4,6 +4,7 @@
#if HAVE_LIBFIDO2
#include "alloc-util.h"
#include "ansi-color.h"
#include "ask-password-api.h"
#include "dlfcn-util.h"
#include "format-table.h"
@ -45,21 +46,21 @@ DLSYM_PROTOTYPE(fido_cred_set_rp) = NULL;
DLSYM_PROTOTYPE(fido_cred_set_type) = NULL;
DLSYM_PROTOTYPE(fido_cred_set_user) = NULL;
DLSYM_PROTOTYPE(fido_cred_set_uv) = NULL;
DLSYM_PROTOTYPE(fido_dev_close) = NULL;
DLSYM_PROTOTYPE(fido_dev_free) = NULL;
DLSYM_PROTOTYPE(fido_dev_get_assert) = NULL;
DLSYM_PROTOTYPE(fido_dev_get_cbor_info) = NULL;
DLSYM_PROTOTYPE(fido_dev_info_free) = NULL;
DLSYM_PROTOTYPE(fido_dev_info_manifest) = NULL;
DLSYM_PROTOTYPE(fido_dev_info_manufacturer_string) = NULL;
DLSYM_PROTOTYPE(fido_dev_info_product_string) = NULL;
DLSYM_PROTOTYPE(fido_dev_info_new) = NULL;
DLSYM_PROTOTYPE(fido_dev_info_path) = NULL;
DLSYM_PROTOTYPE(fido_dev_info_product_string) = NULL;
DLSYM_PROTOTYPE(fido_dev_info_ptr) = NULL;
DLSYM_PROTOTYPE(fido_dev_is_fido2) = NULL;
DLSYM_PROTOTYPE(fido_dev_make_cred) = NULL;
DLSYM_PROTOTYPE(fido_dev_new) = NULL;
DLSYM_PROTOTYPE(fido_dev_open) = NULL;
DLSYM_PROTOTYPE(fido_dev_close) = NULL;
DLSYM_PROTOTYPE(fido_init) = NULL;
DLSYM_PROTOTYPE(fido_set_log_handler) = NULL;
DLSYM_PROTOTYPE(fido_strerr) = NULL;
@ -108,6 +109,7 @@ int dlopen_libfido2(void) {
DLSYM_ARG(fido_cred_set_type),
DLSYM_ARG(fido_cred_set_user),
DLSYM_ARG(fido_cred_set_uv),
DLSYM_ARG(fido_dev_close),
DLSYM_ARG(fido_dev_free),
DLSYM_ARG(fido_dev_get_assert),
DLSYM_ARG(fido_dev_get_cbor_info),
@ -122,7 +124,6 @@ int dlopen_libfido2(void) {
DLSYM_ARG(fido_dev_make_cred),
DLSYM_ARG(fido_dev_new),
DLSYM_ARG(fido_dev_open),
DLSYM_ARG(fido_dev_close),
DLSYM_ARG(fido_init),
DLSYM_ARG(fido_set_log_handler),
DLSYM_ARG(fido_strerr));
@ -1074,7 +1075,13 @@ int fido2_generate_hmac_hash(
#endif
#if HAVE_LIBFIDO2
static int check_device_is_fido2_with_hmac_secret(const char *path) {
static int check_device_is_fido2_with_hmac_secret(
const char *path,
bool *ret_has_rk,
bool *ret_has_client_pin,
bool *ret_has_up,
bool *ret_has_uv) {
_cleanup_(fido_dev_free_wrapper) fido_dev_t *d = NULL;
int r;
@ -1087,7 +1094,7 @@ static int check_device_is_fido2_with_hmac_secret(const char *path) {
return log_error_errno(SYNTHETIC_ERRNO(EIO),
"Failed to open FIDO2 device %s: %s", path, sym_fido_strerr(r));
r = verify_features(d, path, LOG_DEBUG, NULL, NULL, NULL, NULL);
r = verify_features(d, path, LOG_DEBUG, ret_has_rk, ret_has_client_pin, ret_has_up, ret_has_uv);
if (r == -ENODEV) /* Not a FIDO2 device, or not implementing 'hmac-secret' */
return false;
if (r < 0)
@ -1124,7 +1131,7 @@ int fido2_list_devices(void) {
goto finish;
}
t = table_new("path", "manufacturer", "product");
t = table_new("path", "manufacturer", "product", "rk", "clientpin", "up", "uv");
if (!t) {
r = log_oom();
goto finish;
@ -1132,6 +1139,7 @@ int fido2_list_devices(void) {
for (size_t i = 0; i < found; i++) {
const fido_dev_info_t *entry;
bool has_rk, has_client_pin, has_up, has_uv;
entry = sym_fido_dev_info_ptr(di, i);
if (!entry) {
@ -1140,7 +1148,7 @@ int fido2_list_devices(void) {
goto finish;
}
r = check_device_is_fido2_with_hmac_secret(sym_fido_dev_info_path(entry));
r = check_device_is_fido2_with_hmac_secret(sym_fido_dev_info_path(entry), &has_rk, &has_client_pin, &has_up, &has_uv);
if (r < 0)
goto finish;
if (!r)
@ -1150,7 +1158,11 @@ int fido2_list_devices(void) {
t,
TABLE_PATH, sym_fido_dev_info_path(entry),
TABLE_STRING, sym_fido_dev_info_manufacturer_string(entry),
TABLE_STRING, sym_fido_dev_info_product_string(entry));
TABLE_STRING, sym_fido_dev_info_product_string(entry),
TABLE_BOOLEAN_CHECKMARK, has_rk,
TABLE_BOOLEAN_CHECKMARK, has_client_pin,
TABLE_BOOLEAN_CHECKMARK, has_up,
TABLE_BOOLEAN_CHECKMARK, has_uv);
if (r < 0) {
table_log_add_error(r);
goto finish;
@ -1163,6 +1175,16 @@ int fido2_list_devices(void) {
goto finish;
}
if (table_get_rows(t) > 1)
printf("\n"
"%1$sLegend: RK %2$s Resident key%3$s\n"
"%1$s CLIENTPIN %2$s PIN request%3$s\n"
"%1$s UP %2$s User presence%3$s\n"
"%1$s UV %2$s User verification%3$s\n",
ansi_grey(),
special_glyph(SPECIAL_GLYPH_ARROW_RIGHT),
ansi_normal());
r = 0;
finish:
@ -1213,7 +1235,12 @@ int fido2_find_device_auto(char **ret) {
goto finish;
}
r = check_device_is_fido2_with_hmac_secret(sym_fido_dev_info_path(entry));
r = check_device_is_fido2_with_hmac_secret(
sym_fido_dev_info_path(entry),
/* ret_has_rk= */ NULL,
/* ret_has_client_pin= */ NULL,
/* ret_has_up= */ NULL,
/* ret_has_uv= */ NULL);
if (r < 0)
goto finish;
if (!r) {
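Review bot: The new `ret_has_rk`/`ret_has_client_pin`/`ret_has_up`/`ret_has_uv` out-parameters of check_device_is_fido2_with_hmac_secret are not written on the early `return false` (the `-ENODEV` branch) and presumably not on the `r < 0` path either, while the matching locals in fido2_list_devices are declared as `bool has_rk, has_client_pin, has_up, has_uv;` without initializers. Today that is safe only because the caller skips the entry on `!r`, so the contract should be stated on the function: a comment such as `/* On success (> 0) the ret_has_* flags are filled in; they are left untouched when 0 or a negative errno is returned. */` above the signature. Defensively, initializing the locals to `false` in fido2_list_devices (`bool has_rk = false, has_client_pin = false, has_up = false, has_uv = false;`) removes any chance of the table row being built from indeterminate values should verify_features ever return success without setting all four; whether verify_features guarantees that is not visible in this hunk. Both check_device_is_fido2_with_hmac_secret and fido2_list_devices extend beyond the hunk boundaries.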


@ -52,21 +52,21 @@ extern DLSYM_PROTOTYPE(fido_cred_set_rp);
extern DLSYM_PROTOTYPE(fido_cred_set_type);
extern DLSYM_PROTOTYPE(fido_cred_set_user);
extern DLSYM_PROTOTYPE(fido_cred_set_uv);
extern DLSYM_PROTOTYPE(fido_dev_close);
extern DLSYM_PROTOTYPE(fido_dev_free);
extern DLSYM_PROTOTYPE(fido_dev_get_assert);
extern DLSYM_PROTOTYPE(fido_dev_get_cbor_info);
extern DLSYM_PROTOTYPE(fido_dev_info_free);
extern DLSYM_PROTOTYPE(fido_dev_info_manifest);
extern DLSYM_PROTOTYPE(fido_dev_info_manufacturer_string);
extern DLSYM_PROTOTYPE(fido_dev_info_product_string);
extern DLSYM_PROTOTYPE(fido_dev_info_new);
extern DLSYM_PROTOTYPE(fido_dev_info_path);
extern DLSYM_PROTOTYPE(fido_dev_info_product_string);
extern DLSYM_PROTOTYPE(fido_dev_info_ptr);
extern DLSYM_PROTOTYPE(fido_dev_is_fido2);
extern DLSYM_PROTOTYPE(fido_dev_make_cred);
extern DLSYM_PROTOTYPE(fido_dev_new);
extern DLSYM_PROTOTYPE(fido_dev_open);
extern DLSYM_PROTOTYPE(fido_dev_close);
extern DLSYM_PROTOTYPE(fido_init);
extern DLSYM_PROTOTYPE(fido_set_log_handler);
extern DLSYM_PROTOTYPE(fido_strerr);


@ -392,7 +392,7 @@ int tpm2_make_pcr_json_array(uint32_t pcr_mask, sd_json_variant **ret);
int tpm2_parse_pcr_json_array(sd_json_variant *v, uint32_t *ret);
int tpm2_make_luks2_json(int keyslot, uint32_t hash_pcr_mask, uint16_t pcr_bank, const struct iovec *pubkey, uint32_t pubkey_pcr_mask, uint16_t primary_alg, const struct iovec blobs[], size_t n_blobs, const struct iovec policy_hash[], size_t n_policy_hash, const struct iovec *salt, const struct iovec *srk, const struct iovec *pcrlock_nv, TPM2Flags flags, sd_json_variant **ret);
int tpm2_parse_luks2_json(sd_json_variant *v, int *ret_keyslot, uint32_t *ret_hash_pcr_mask, uint16_t *ret_pcr_bank, struct iovec *ret_pubkey, uint32_t *ret_pubkey_pcr_mask, uint16_t *ret_primary_alg, struct iovec **ret_blobs, size_t *ret_n_blobs, struct iovec **ret_policy_hash, size_t *ret_n_policy_hash, struct iovec *ret_salt, struct iovec *ret_srk, struct iovec *pcrlock_nv, TPM2Flags *ret_flags);
int tpm2_parse_luks2_json(sd_json_variant *v, int *ret_keyslot, uint32_t *ret_hash_pcr_mask, uint16_t *ret_pcr_bank, struct iovec *ret_pubkey, uint32_t *ret_pubkey_pcr_mask, uint16_t *ret_primary_alg, struct iovec **ret_blobs, size_t *ret_n_blobs, struct iovec **ret_policy_hash, size_t *ret_n_policy_hash, struct iovec *ret_salt, struct iovec *ret_srk, struct iovec *ret_pcrlock_nv, TPM2Flags *ret_flags);
/* Default to PCR 7 only */
#define TPM2_PCR_INDEX_DEFAULT UINT32_C(7)


@ -23,6 +23,7 @@
#include "user-util.h"
#include "userdb.h"
#include "verbs.h"
#include "virt.h"
static enum {
OUTPUT_CLASSIC,
@ -139,10 +140,16 @@ static int show_user(UserRecord *ur, Table *table) {
return 0;
}
static bool test_show_mapped(void) {
/* Show mapped user range only in environments where user mapping is a thing. */
return running_in_userns() > 0;
}
static const struct {
uid_t first, last;
const char *name;
UserDisposition disposition;
bool (*test)(void);
} uid_range_table[] = {
{
.first = 1,
@ -175,11 +182,12 @@ static const struct {
.last = MAP_UID_MAX,
.name = "mapped",
.disposition = USER_REGULAR,
.test = test_show_mapped,
},
};
static int table_add_uid_boundaries(Table *table, const UIDRange *p) {
int r;
int r, n_added = 0;
assert(table);
@ -192,6 +200,9 @@ static int table_add_uid_boundaries(Table *table, const UIDRange *p) {
if (!uid_range_covers(p, i->first, i->last - i->first + 1))
continue;
if (i->test && !i->test())
continue;
name = strjoin(special_glyph(SPECIAL_GLYPH_ARROW_DOWN),
" begin ", i->name, " users ",
special_glyph(SPECIAL_GLYPH_ARROW_DOWN));
@ -249,9 +260,11 @@ static int table_add_uid_boundaries(Table *table, const UIDRange *p) {
TABLE_INT, 1); /* sort after any other entry with the same UID */
if (r < 0)
return table_log_add_error(r);
n_added += 2;
}
return ELEMENTSOF(uid_range_table) * 2;
return n_added;
}
static int add_unavailable_uid(Table *table, uid_t start, uid_t end) {
@ -565,16 +578,22 @@ static int show_group(GroupRecord *gr, Table *table) {
}
static int table_add_gid_boundaries(Table *table, const UIDRange *p) {
int r;
int r, n_added = 0;
assert(table);
FOREACH_ELEMENT(i, uid_range_table) {
_cleanup_free_ char *name = NULL, *comment = NULL;
if (!FLAGS_SET(arg_disposition_mask, UINT64_C(1) << i->disposition))
continue;
if (!uid_range_covers(p, i->first, i->last - i->first + 1))
continue;
if (i->test && !i->test())
continue;
name = strjoin(special_glyph(SPECIAL_GLYPH_ARROW_DOWN),
" begin ", i->name, " groups ",
special_glyph(SPECIAL_GLYPH_ARROW_DOWN));
@ -626,9 +645,11 @@ static int table_add_gid_boundaries(Table *table, const UIDRange *p) {
TABLE_INT, 1); /* sort after any other entry with the same GID */
if (r < 0)
return table_log_add_error(r);
n_added += 2;
}
return ELEMENTSOF(uid_range_table) * 2;
return n_added;
}
static int add_unavailable_gid(Table *table, uid_t start, uid_t end) {
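Review bot: test_show_mapped collapses an error from running_in_userns() into "not in a userns" via `return running_in_userns() > 0;`, so a failed detection silently hides the mapped UID/GID range from the listing with no trace, which makes a misreport hard to diagnose. Since this is the only place the helper is used (both table_add_uid_boundaries and table_add_gid_boundaries go through `i->test`), keeping the negative-errno case distinct and logging it at debug level costs nothing and preserves the current default. The function is complete within the hunk; the proposed body is below.
```c
static bool test_show_mapped(void) {
        /* Show mapped user range only in environments where user mapping is a thing. */
        int r = running_in_userns();
        if (r < 0)
                log_debug_errno(r, "Failed to determine whether we run in a user namespace, assuming not: %m");
        return r > 0;
}
```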


@ -13,11 +13,12 @@
d /run/lock 0755 root root -
L /var/lock - - - - ../run/lock
{% if HAVE_SYSV_COMPAT %}
{% if CREATE_LOG_DIRS %}
L$ /var/log/README - - - - ../..{{DOC_DIR}}/README.logs
{% endif %}
{% if HAVE_SYSV_COMPAT %}
# /run/lock/subsys is used for serializing SysV service execution, and
# hence without use on SysV-less systems.
d /run/lock/subsys 0755 root root -