machined: Skip root user namespace check for user managers

You can register whatever process you want in the user machined instance
that is running in the same namespace as pid 1 as machined won't be allowed
to do anything privileged anyway that could be dangerous when running as a user
instance.

We have to skip the check as we user machined instances don't have
privileges to inspect pid1's user namespaces.

.github/workflows/build-test.yml

@@ -47,7 +47,7 @@ jobs:
           # older glibc
           - env: { COMPILER: "gcc",   COMPILER_VERSION: "12", LINKER: "bfd", CUSTOM_PYTHON: "1"  }
             runner: [ ubuntu-22.04 ]
-            python-version: '3.7'
+            python-version: '3.9'
     env: ${{ matrix.env }}
     steps:
       - name: Repository checkout

README

@@ -247,7 +247,7 @@ REQUIREMENTS:
         gperf
         docbook-xsl (optional, required for documentation)
         xsltproc    (optional, required for documentation)
-        python >= 3.7 (required by meson too, >= 3.9 is required for ukify)
+        python >= 3.9
         python-jinja2
         python-pefile (optional, required for ukify)
         python-lxml (optional, required to build the indices)

man/check-os-release.py

@@ -17,8 +17,7 @@ def read_os_release():
         line = line.rstrip()
         if not line or line.startswith('#'):
             continue
-        m = re.match(r'([A-Z][A-Z_0-9]+)=(.*)', line)
+        if m := re.match(r'([A-Z][A-Z_0-9]+)=(.*)', line):
-        if m:
             name, val = m.groups()
             if val and val[0] in '"\'':
                 val = ast.literal_eval(val)

man/systemd-vmspawn.xml

@@ -221,6 +221,9 @@
           when the VM shuts down. This mode is not suitable for VMs which lock disk encryption keys to the
           TPM, as these keys will be lost on every reboot. Defaults to <literal>auto</literal>.</para>
 
+          <para>If <option>--ephemeral</option> is specified, <literal>auto</literal> behaves like
+          <literal>off</literal>.</para>
+
           <xi:include href="version-info.xml" xpointer="v258"/></listitem>
         </varlistentry>
 

meson.build

@@ -1695,7 +1695,9 @@ conf.set10('SYSTEMD_SLOW_TESTS_DEFAULT', want_slow_tests)
 
 pymod = import('python')
 python = pymod.find_installation('python3', required : true, modules : ['jinja2'])
-python_39 = python.language_version().version_compare('>=3.9')
+if not python.language_version().version_compare('>=3.9')
+        error('Python >= 3.9 is required')
+endif
 
 #####################################################################
 
@@ -1896,9 +1898,7 @@ if have and efi_arch == 'x64' and cc.links('''
         efi_cpu_family_alt = 'x86'
 endif
 
-pefile = pymod.find_installation('python3', required: false, modules : ['pefile'])
+want_ukify = pymod.find_installation('python3', required: get_option('ukify'), modules : ['pefile']).found()
-
-want_ukify = get_option('ukify').require(python_39 and (want_tests != 'true' or pefile.found()), error_message : 'Python >= 3.9 and pefile required').allowed()
 conf.set10('ENABLE_UKIFY', want_ukify)
 
 #####################################################################

ruff.toml

@@ -1,11 +1,6 @@
-target-version = "py37"
+target-version = "py39"
 line-length = 109
 lint.select = ["E", "F", "I", "UP"]
 
 [format]
 quote-style = "single"
-
-[per-file-target-version]
-"src/ukify/*.py" = "py39"
-"test/**/integration-test-wrapper.py" = "py39"
-"test/test-udev.py" = "py39"

rules.d/70-uaccess.rules.in

@@ -47,6 +47,8 @@ SUBSYSTEM=="drm", KERNEL=="card*", TAG+="uaccess"
 {% if GROUP_RENDER_UACCESS %}
 # DRI render nodes
 SUBSYSTEM=="drm", KERNEL=="renderD*", TAG+="uaccess", TAG+="xaccess-render"
+# DRI accel nodes
+SUBSYSTEM=="accel", KERNEL=="accel*", TAG+="uaccess", TAG+="xaccess-accel"
 {% endif %}
 {% if DEV_KVM_UACCESS %}
 # KVM

src/basic/filesystem-sets.py

@@ -308,7 +308,7 @@ def generate_fs_in_group():
     print('        switch (fs_group) {')
 
     for name, _, *filesystems in FILESYSTEM_SETS:
-        magics = sorted(set(sum((NAME_TO_MAGIC[fs] for fs in filesystems), [])))
+        magics = sorted(set(sum((NAME_TO_MAGIC[fs] for fs in filesystems), start=[])))
         enum = 'FILESYSTEM_SET_' + name[1:].upper().replace('-', '_')
         print(f'        case {enum}:')
         opts = '\n                    || '.join(f'F_TYPE_EQUAL(st->f_type, {magic})'
@@ -355,7 +355,7 @@ def magic_defines():
 
 def check():
     kernel_magics = set(magic_defines())
-    our_magics = set(sum(NAME_TO_MAGIC.values(), []))
+    our_magics = set(sum(NAME_TO_MAGIC.values(), start=[]))
     extra = kernel_magics - our_magics
     if extra:
         sys.exit(f"kernel knows additional filesystem magics: {', '.join(sorted(extra))}")

src/boot/linux.c

@@ -275,8 +275,16 @@ EFI_STATUS linux_exec(
                 if (h->SizeOfRawData == 0)
                         continue;
 
+                if (UINT32_MAX - h->VirtualAddress < h->SizeOfRawData)
+                        return log_error_status(EFI_LOAD_ERROR, "Invalid PE section, SizeOfRawData + VirtualAddress, overflows");
                 if (h->VirtualAddress + h->SizeOfRawData > kernel_size_in_memory)
                         return log_error_status(EFI_LOAD_ERROR, "Section would write outside of memory");
+                if (h->SizeOfRawData > h->VirtualSize)
+                        return log_error_status(EFI_LOAD_ERROR, "Invalid PE section, raw data size is greater than virtual size");
+                if (UINT32_MAX - h->PointerToRawData < h->SizeOfRawData)
+                        return log_error_status(EFI_LOAD_ERROR, "Invalid PE section, PointerToRawData + SizeOfRawData overflows");
+                if (h->PointerToRawData + h->SizeOfRawData > kernel->iov_len)
+                        return log_error_status(EFI_LOAD_ERROR, "Invalid PE section, raw data extends outside of file");
                 memcpy(loaded_kernel + h->VirtualAddress,
                        (const uint8_t*)kernel->iov_base + h->PointerToRawData,
                        h->SizeOfRawData);

src/core/generate-bpf-delegate-configs.py

@@ -7,7 +7,6 @@
 
 import re
 import sys
-import typing
 
 
 def print_usage_and_exit() -> None:
@@ -27,7 +26,7 @@ if output not in ['code', 'doc']:
 
 with open(header) as file:
     inEnum = False
-    enumValues: typing.List[str] = []
+    enumValues: list[str] = []
     enumName = ''
 
     if output == 'doc':
@@ -68,9 +67,7 @@ with open(header) as file:
                 match = re.fullmatch(r'(\w+)\b,', line)
                 if match and len(match.groups()) > 0 and not match[1].startswith('__'):
                     enumValues.append(match[1])
-        else:
+        elif match := re.match(r'^\s*enum\s+bpf_(cmd|map_type|prog_type|attach_type)+\s*{', line):
-            match = re.match(r'^\s*enum\s+bpf_(cmd|map_type|prog_type|attach_type)+\s*{', line)
-            if match:
             # Start of a new enum
             inEnum = True
             enumName = 'bpf_delegate_' + match[1]

src/machine/machine-dbus.c

@@ -373,7 +373,7 @@ int bus_machine_method_open_shell(sd_bus_message *message, void *userdata, sd_bu
          * do not need to check the caller's uid, as that will be checked by polkit, and if they machine's
          * and the caller's do not match, authorization will be required. It's only the case where the
          * caller owns the machine that will be shortcut and needs to be checked here. */
-        if (m->uid != 0 && m->class != MACHINE_HOST) {
+        if (m->manager->runtime_scope != RUNTIME_SCOPE_USER && m->uid != 0 && m->class != MACHINE_HOST) {
                 r = pidref_in_same_namespace(&PIDREF_MAKE_FROM_PID(1), &m->leader, NAMESPACE_USER);
                 if (r < 0)
                         return log_debug_errno(

src/shared/pcrextend-util.c

@@ -260,7 +260,7 @@ int pcrextend_verity_now(
         if (r < 0)
                 return r;
 
-        _cleanup_free_ sd_varlink *vl = NULL;
+        _cleanup_(sd_varlink_unrefp) sd_varlink *vl = NULL;
         r = sd_varlink_connect_address(&vl, "/run/systemd/io.systemd.PCRExtend");
         if (r < 0)
                 return r;

src/vmspawn/vmspawn.c

@@ -85,7 +85,7 @@
 
 typedef enum TpmStateMode {
         TPM_STATE_OFF,      /* keep no state around */
-        TPM_STATE_AUTO,     /* keep state around, derive path from image/directory */
+        TPM_STATE_AUTO,     /* keep state around if not ephemeral, derive path from image/directory */
         TPM_STATE_PATH,     /* explicitly specified location */
         _TPM_STATE_MODE_MAX,
         _TPM_STATE_MODE_INVALID = -EINVAL,
@@ -2569,7 +2569,7 @@ static int run_virtual_machine(int kvm_device_fd, int vhost_device_fd) {
 
         _cleanup_free_ char *swtpm = NULL;
         if (arg_tpm != 0) {
-                if (arg_tpm_state_mode == TPM_STATE_AUTO) {
+                if (arg_tpm_state_mode == TPM_STATE_AUTO && !arg_ephemeral) {
                         assert(!arg_tpm_state_path);
 
                         const char *p = ASSERT_PTR(arg_image ?: arg_directory);

test/test-udev.py

@@ -17,6 +17,7 @@
 # removes the device node. After creation and removal the result is checked
 # against the expected value and the result is printed.
 
+import dataclasses
 import functools
 import os
 import pwd, grp
@@ -30,7 +31,6 @@ from pathlib import Path
 from typing import Callable, Optional
 
 try:
-    import dataclasses  # requires Python >= 3.7
     import pytest
 except ImportError as e:
     print(str(e), file=sys.stderr)

tools/update-dbus-docs.py

@@ -19,11 +19,6 @@ try:
 except ImportError as e:
     shlex_join = e
 
-try:
-    from shlex import quote as shlex_quote
-except ImportError as e:
-    shlex_quote = e
-
 class NoCommand(Exception):
     pass
 
@@ -214,9 +209,6 @@ def subst_output(document, programlisting, stats, missing_version):
     interface = programlisting.get('interface')
 
     argv = [f'{arguments.build_dir}/{executable}', f'--bus-introspect={interface}']
-    if isinstance(shlex_join, Exception):
-        print(f'COMMAND: {" ".join(shlex_quote(arg) for arg in argv)}')
-    else:
     print(f'COMMAND: {shlex_join(argv)}')
 
     try:
@@ -326,7 +318,7 @@ def main():
     global arguments
     arguments = parse_args()
 
-    for item in (etree, shlex_quote):
+    for item in (etree, shlex_join):
         if isinstance(item, Exception):
             print(item, file=sys.stderr)
             sys.exit(77 if arguments.test else 1)
@@ -348,7 +340,7 @@ def main():
 
     # Let's print all statistics at the end
     mlen = max(len(page) for page in stats)
-    total = sum((item['stats'] for item in stats.values()), collections.Counter())
+    total = sum((item['stats'] for item in stats.values()), start=collections.Counter())
     total = 'total', { "stats" : total, "modified" : False }
     modified = []
     classification = 'OUTDATED' if arguments.test else 'MODIFIED'