Compare commits
10 Commits
af737a5a5e
...
472a6475ec
| Author | SHA1 | Date |
|---|---|---|
Timothée Ravier
|
472a6475ec | |
|
Lennart Poettering
|
d209e197f8 | |
|
Antonio Alvarez Feijoo
|
9ed090230e | |
|
Luca Boccassi
|
9bf6ffe166 | |
|
Lennart Poettering
|
47c5ca237b | |
|
Lennart Poettering
|
7f8a4f12df | |
|
Lennart Poettering
|
e412fc5e04 | |
|
Lennart Poettering
|
cc6baba720 | |
|
Lennart Poettering
|
3ae48d071c | |
|
Timothée Ravier
|
b4d2e2c185 |
|
|
@ -265,32 +265,11 @@
|
|||
</refsect1>
|
||||
|
||||
<refsect1>
|
||||
<title>Options</title>
|
||||
<title>Unlocking</title>
|
||||
|
||||
<para>The following options are understood:</para>
|
||||
<para>The following options are understood that may be used to unlock the device in preparation of the enrollment operations:</para>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term><option>--password</option></term>
|
||||
|
||||
<listitem><para>Enroll a regular password/passphrase. This command is mostly equivalent to
|
||||
<command>cryptsetup luksAddKey</command>, however may be combined with
|
||||
<option>--wipe-slot=</option> in one call, see below.</para>
|
||||
|
||||
<xi:include href="version-info.xml" xpointer="v248"/></listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><option>--recovery-key</option></term>
|
||||
|
||||
<listitem><para>Enroll a recovery key. Recovery keys are mostly identical to passphrases, but are
|
||||
computer-generated instead of being chosen by a human, and thus have a guaranteed high entropy. The
|
||||
key uses a character set that is easy to type in, and may be scanned off screen via a QR code.
|
||||
</para>
|
||||
|
||||
<xi:include href="version-info.xml" xpointer="v248"/></listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><option>--unlock-key-file=<replaceable>PATH</replaceable></option></term>
|
||||
|
||||
|
|
@ -328,7 +307,45 @@
|
|||
|
||||
<xi:include href="version-info.xml" xpointer="v256"/></listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
</refsect1>
|
||||
|
||||
<refsect1>
|
||||
<title>Simple Enrollment</title>
|
||||
|
||||
<para>The following options are understood that may be used to enroll simple user input based
|
||||
unlocking:</para>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term><option>--password</option></term>
|
||||
|
||||
<listitem><para>Enroll a regular password/passphrase. This command is mostly equivalent to
|
||||
<command>cryptsetup luksAddKey</command>, however may be combined with
|
||||
<option>--wipe-slot=</option> in one call, see below.</para>
|
||||
|
||||
<xi:include href="version-info.xml" xpointer="v248"/></listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><option>--recovery-key</option></term>
|
||||
|
||||
<listitem><para>Enroll a recovery key. Recovery keys are mostly identical to passphrases, but are
|
||||
computer-generated instead of being chosen by a human, and thus have a guaranteed high entropy. The
|
||||
key uses a character set that is easy to type in, and may be scanned off screen via a QR code.
|
||||
</para>
|
||||
|
||||
<xi:include href="version-info.xml" xpointer="v248"/></listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
</refsect1>
|
||||
|
||||
<refsect1>
|
||||
<title>PKCS#11 Enrollment</title>
|
||||
|
||||
<para>The following option is understood that may be used to enroll PKCS#11 tokens:</para>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term><option>--pkcs11-token-uri=<replaceable>URI</replaceable></option></term>
|
||||
|
||||
|
|
@ -361,7 +378,15 @@
|
|||
|
||||
<xi:include href="version-info.xml" xpointer="v248"/></listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
</refsect1>
|
||||
|
||||
<refsect1>
|
||||
<title>FIDO2 Enrollment</title>
|
||||
|
||||
<para>The following options are understood that may be used to enroll PKCS#11 tokens:</para>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term><option>--fido2-credential-algorithm=<replaceable>STRING</replaceable></option></term>
|
||||
<listitem><para>Specify COSE algorithm used in credential generation. The default value is
|
||||
|
|
@ -461,7 +486,15 @@
|
|||
|
||||
<xi:include href="version-info.xml" xpointer="v249"/></listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
</refsect1>
|
||||
|
||||
<refsect1>
|
||||
<title>TPM2 Enrollment</title>
|
||||
|
||||
<para>The following options are understood that may be used to enroll TPM2 devices:</para>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term><option>--tpm2-device=<replaceable>PATH</replaceable></option></term>
|
||||
|
||||
|
|
@ -636,7 +669,15 @@
|
|||
|
||||
<xi:include href="version-info.xml" xpointer="v255"/></listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
</refsect1>
|
||||
|
||||
<refsect1>
|
||||
<title>Other Options</title>
|
||||
|
||||
<para>The following additional options are understood:</para>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term><option>--wipe-slot=<replaceable>SLOT<optional>,SLOT...</optional></replaceable></option></term>
|
||||
|
||||
|
|
|
|||
|
|
@ -193,7 +193,7 @@ static int help(void) {
|
|||
"\n%3$sSimple Enrollment:%4$s\n"
|
||||
" --password Enroll a user-supplied password\n"
|
||||
" --recovery-key Enroll a recovery key\n"
|
||||
"\n%3$sPKCS11 Enrollment:%4$s\n"
|
||||
"\n%3$sPKCS#11 Enrollment:%4$s\n"
|
||||
" --pkcs11-token-uri=URI\n"
|
||||
" Specify PKCS#11 security token URI\n"
|
||||
"\n%3$sFIDO2 Enrollment:%4$s\n"
|
||||
|
|
|
|||
|
|
@ -392,7 +392,7 @@ int tpm2_make_pcr_json_array(uint32_t pcr_mask, sd_json_variant **ret);
|
|||
int tpm2_parse_pcr_json_array(sd_json_variant *v, uint32_t *ret);
|
||||
|
||||
int tpm2_make_luks2_json(int keyslot, uint32_t hash_pcr_mask, uint16_t pcr_bank, const struct iovec *pubkey, uint32_t pubkey_pcr_mask, uint16_t primary_alg, const struct iovec blobs[], size_t n_blobs, const struct iovec policy_hash[], size_t n_policy_hash, const struct iovec *salt, const struct iovec *srk, const struct iovec *pcrlock_nv, TPM2Flags flags, sd_json_variant **ret);
|
||||
int tpm2_parse_luks2_json(sd_json_variant *v, int *ret_keyslot, uint32_t *ret_hash_pcr_mask, uint16_t *ret_pcr_bank, struct iovec *ret_pubkey, uint32_t *ret_pubkey_pcr_mask, uint16_t *ret_primary_alg, struct iovec **ret_blobs, size_t *ret_n_blobs, struct iovec **ret_policy_hash, size_t *ret_n_policy_hash, struct iovec *ret_salt, struct iovec *ret_srk, struct iovec *pcrlock_nv, TPM2Flags *ret_flags);
|
||||
int tpm2_parse_luks2_json(sd_json_variant *v, int *ret_keyslot, uint32_t *ret_hash_pcr_mask, uint16_t *ret_pcr_bank, struct iovec *ret_pubkey, uint32_t *ret_pubkey_pcr_mask, uint16_t *ret_primary_alg, struct iovec **ret_blobs, size_t *ret_n_blobs, struct iovec **ret_policy_hash, size_t *ret_n_policy_hash, struct iovec *ret_salt, struct iovec *ret_srk, struct iovec *ret_pcrlock_nv, TPM2Flags *ret_flags);
|
||||
|
||||
/* Default to PCR 7 only */
|
||||
#define TPM2_PCR_INDEX_DEFAULT UINT32_C(7)
|
||||
|
|
|
|||
|
|
@ -44,6 +44,7 @@
|
|||
#include "pretty-print.h"
|
||||
#include "process-util.h"
|
||||
#include "rm-rf.h"
|
||||
#include "selinux-util.h"
|
||||
#include "sort-util.h"
|
||||
#include "string-table.h"
|
||||
#include "string-util.h"
|
||||
|
|
@ -1289,6 +1290,7 @@ static int mount_overlayfs_with_op(
|
|||
|
||||
int r;
|
||||
const char *top_layer = NULL;
|
||||
int atfd = -1;
|
||||
|
||||
assert(op);
|
||||
assert(overlay_path);
|
||||
|
|
@ -1301,6 +1303,14 @@ static int mount_overlayfs_with_op(
|
|||
if (r < 0)
|
||||
return log_error_errno(r, "Failed to make directory '%s': %m", meta_path);
|
||||
|
||||
atfd = open(meta_path, O_DIRECTORY|O_CLOEXEC);
|
||||
if (atfd < 0)
|
||||
return log_error_errno(atfd, "Failed to open directory '%s': %m", meta_path);
|
||||
|
||||
r = mac_selinux_fix_full(atfd, NULL, op->hierarchy, 0);
|
||||
if (r < 0)
|
||||
return log_error_errno(r, "Failed to fix SELinux label for '%s': %m", meta_path);
|
||||
|
||||
if (op->upper_dir && op->work_dir) {
|
||||
r = mkdir_p(op->work_dir, 0700);
|
||||
if (r < 0)
|
||||
|
|
@ -1325,9 +1335,10 @@ static int mount_overlayfs_with_op(
|
|||
return 0;
|
||||
}
|
||||
|
||||
static int write_extensions_file(ImageClass image_class, char **extensions, const char *meta_path) {
|
||||
static int write_extensions_file(ImageClass image_class, char **extensions, const char *meta_path, const char* hierarchy) {
|
||||
_cleanup_free_ char *f = NULL, *buf = NULL;
|
||||
int r;
|
||||
int atfd = -1;
|
||||
|
||||
assert(extensions);
|
||||
assert(meta_path);
|
||||
|
|
@ -1347,13 +1358,22 @@ static int write_extensions_file(ImageClass image_class, char **extensions, cons
|
|||
if (r < 0)
|
||||
return log_error_errno(r, "Failed to write extension meta file '%s': %m", f);
|
||||
|
||||
atfd = open(f, O_CLOEXEC);
|
||||
if (atfd < 0)
|
||||
return log_error_errno(atfd, "Failed to open '%s': %m", f);
|
||||
|
||||
r = mac_selinux_fix_full(atfd, NULL, hierarchy, 0);
|
||||
if (r < 0)
|
||||
return log_error_errno(r, "Failed to fix SELinux label for '%s': %m", f);
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
static int write_dev_file(ImageClass image_class, const char *meta_path, const char *overlay_path) {
|
||||
static int write_dev_file(ImageClass image_class, const char *meta_path, const char *overlay_path, const char *hierarchy) {
|
||||
_cleanup_free_ char *f = NULL;
|
||||
struct stat st;
|
||||
int r;
|
||||
int atfd = -1;
|
||||
|
||||
assert(meta_path);
|
||||
assert(overlay_path);
|
||||
|
|
@ -1376,13 +1396,22 @@ static int write_dev_file(ImageClass image_class, const char *meta_path, const c
|
|||
if (r < 0)
|
||||
return log_error_errno(r, "Failed to write '%s': %m", f);
|
||||
|
||||
atfd = open(f, O_CLOEXEC);
|
||||
if (atfd < 0)
|
||||
return log_error_errno(atfd, "Failed to open '%s': %m", f);
|
||||
|
||||
r = mac_selinux_fix_full(atfd, NULL, hierarchy, 0);
|
||||
if (r < 0)
|
||||
return log_error_errno(r, "Failed to fix SELinux label for '%s': %m", f);
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
static int write_work_dir_file(ImageClass image_class, const char *meta_path, const char *work_dir) {
|
||||
static int write_work_dir_file(ImageClass image_class, const char *meta_path, const char *work_dir, const char* hierarchy) {
|
||||
_cleanup_free_ char *escaped_work_dir_in_root = NULL, *f = NULL;
|
||||
char *work_dir_in_root = NULL;
|
||||
int r;
|
||||
int atfd = -1;
|
||||
|
||||
assert(meta_path);
|
||||
|
||||
|
|
@ -1401,6 +1430,14 @@ static int write_work_dir_file(ImageClass image_class, const char *meta_path, co
|
|||
if (!f)
|
||||
return log_oom();
|
||||
|
||||
atfd = open(f, O_CLOEXEC);
|
||||
if (atfd < 0)
|
||||
return log_error_errno(atfd, "Failed to open '%s': %m", f);
|
||||
|
||||
r = mac_selinux_fix_full(atfd, NULL, hierarchy, 0);
|
||||
if (r < 0)
|
||||
return log_error_errno(r, "Failed to fix SELinux label for '%s': %m", f);
|
||||
|
||||
/* Paths can have newlines for whatever reason, so better escape them to really get a single
|
||||
* line file. */
|
||||
escaped_work_dir_in_root = cescape(work_dir_in_root);
|
||||
|
|
@ -1418,24 +1455,42 @@ static int store_info_in_meta(
|
|||
char **extensions,
|
||||
const char *meta_path,
|
||||
const char *overlay_path,
|
||||
const char *work_dir) {
|
||||
|
||||
const char *work_dir,
|
||||
const char *hierarchy) {
|
||||
_cleanup_free_ char *f = NULL;
|
||||
int r;
|
||||
int atfd = -1;
|
||||
|
||||
assert(extensions);
|
||||
assert(meta_path);
|
||||
assert(overlay_path);
|
||||
/* work_dir may be NULL */
|
||||
|
||||
r = write_extensions_file(image_class, extensions, meta_path);
|
||||
f = path_join(meta_path, image_class_info[image_class].dot_directory_name);
|
||||
if (!f)
|
||||
return log_oom();
|
||||
|
||||
r = mkdir_p(f, 0755);
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
r = write_dev_file(image_class, meta_path, overlay_path);
|
||||
atfd = open(f, O_CLOEXEC);
|
||||
if (atfd < 0)
|
||||
return log_error_errno(atfd, "Failed to open '%s': %m", f);
|
||||
|
||||
r = mac_selinux_fix_full(atfd, NULL, hierarchy, 0);
|
||||
if (r < 0)
|
||||
return log_error_errno(r, "Failed to fix SELinux label for '%s': %m", f);
|
||||
|
||||
r = write_extensions_file(image_class, extensions, meta_path, hierarchy);
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
r = write_work_dir_file(image_class, meta_path, work_dir);
|
||||
r = write_dev_file(image_class, meta_path, overlay_path, hierarchy);
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
r = write_work_dir_file(image_class, meta_path, work_dir, hierarchy);
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
|
|
@ -1501,6 +1556,8 @@ static int merge_hierarchy(
|
|||
assert(overlay_path);
|
||||
assert(workspace_path);
|
||||
|
||||
mac_selinux_init();
|
||||
|
||||
r = determine_used_extensions(hierarchy, paths, &used_paths, &extensions_used);
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
|
@ -1528,7 +1585,7 @@ static int merge_hierarchy(
|
|||
if (r < 0)
|
||||
return r;
|
||||
|
||||
r = store_info_in_meta(image_class, extensions, meta_path, overlay_path, op->work_dir);
|
||||
r = store_info_in_meta(image_class, extensions, meta_path, overlay_path, op->work_dir, op->hierarchy);
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
|
|
|
|||
|
|
@ -23,6 +23,7 @@
|
|||
#include "user-util.h"
|
||||
#include "userdb.h"
|
||||
#include "verbs.h"
|
||||
#include "virt.h"
|
||||
|
||||
static enum {
|
||||
OUTPUT_CLASSIC,
|
||||
|
|
@ -139,10 +140,16 @@ static int show_user(UserRecord *ur, Table *table) {
|
|||
return 0;
|
||||
}
|
||||
|
||||
static bool test_show_mapped(void) {
|
||||
/* Show mapped user range only in environments where user mapping is a thing. */
|
||||
return running_in_userns() > 0;
|
||||
}
|
||||
|
||||
static const struct {
|
||||
uid_t first, last;
|
||||
const char *name;
|
||||
UserDisposition disposition;
|
||||
bool (*test)(void);
|
||||
} uid_range_table[] = {
|
||||
{
|
||||
.first = 1,
|
||||
|
|
@ -175,11 +182,12 @@ static const struct {
|
|||
.last = MAP_UID_MAX,
|
||||
.name = "mapped",
|
||||
.disposition = USER_REGULAR,
|
||||
.test = test_show_mapped,
|
||||
},
|
||||
};
|
||||
|
||||
static int table_add_uid_boundaries(Table *table, const UIDRange *p) {
|
||||
int r;
|
||||
int r, n_added = 0;
|
||||
|
||||
assert(table);
|
||||
|
||||
|
|
@ -192,6 +200,9 @@ static int table_add_uid_boundaries(Table *table, const UIDRange *p) {
|
|||
if (!uid_range_covers(p, i->first, i->last - i->first + 1))
|
||||
continue;
|
||||
|
||||
if (i->test && !i->test())
|
||||
continue;
|
||||
|
||||
name = strjoin(special_glyph(SPECIAL_GLYPH_ARROW_DOWN),
|
||||
" begin ", i->name, " users ",
|
||||
special_glyph(SPECIAL_GLYPH_ARROW_DOWN));
|
||||
|
|
@ -249,9 +260,11 @@ static int table_add_uid_boundaries(Table *table, const UIDRange *p) {
|
|||
TABLE_INT, 1); /* sort after any other entry with the same UID */
|
||||
if (r < 0)
|
||||
return table_log_add_error(r);
|
||||
|
||||
n_added += 2;
|
||||
}
|
||||
|
||||
return ELEMENTSOF(uid_range_table) * 2;
|
||||
return n_added;
|
||||
}
|
||||
|
||||
static int add_unavailable_uid(Table *table, uid_t start, uid_t end) {
|
||||
|
|
@ -565,16 +578,22 @@ static int show_group(GroupRecord *gr, Table *table) {
|
|||
}
|
||||
|
||||
static int table_add_gid_boundaries(Table *table, const UIDRange *p) {
|
||||
int r;
|
||||
int r, n_added = 0;
|
||||
|
||||
assert(table);
|
||||
|
||||
FOREACH_ELEMENT(i, uid_range_table) {
|
||||
_cleanup_free_ char *name = NULL, *comment = NULL;
|
||||
|
||||
if (!FLAGS_SET(arg_disposition_mask, UINT64_C(1) << i->disposition))
|
||||
continue;
|
||||
|
||||
if (!uid_range_covers(p, i->first, i->last - i->first + 1))
|
||||
continue;
|
||||
|
||||
if (i->test && !i->test())
|
||||
continue;
|
||||
|
||||
name = strjoin(special_glyph(SPECIAL_GLYPH_ARROW_DOWN),
|
||||
" begin ", i->name, " groups ",
|
||||
special_glyph(SPECIAL_GLYPH_ARROW_DOWN));
|
||||
|
|
@ -626,9 +645,11 @@ static int table_add_gid_boundaries(Table *table, const UIDRange *p) {
|
|||
TABLE_INT, 1); /* sort after any other entry with the same GID */
|
||||
if (r < 0)
|
||||
return table_log_add_error(r);
|
||||
|
||||
n_added += 2;
|
||||
}
|
||||
|
||||
return ELEMENTSOF(uid_range_table) * 2;
|
||||
return n_added;
|
||||
}
|
||||
|
||||
static int add_unavailable_gid(Table *table, uid_t start, uid_t end) {
|
||||
|
|
|
|||
Loading…
Reference in New Issue