Commit graph

69571 commits

Author SHA1 Message Date
Matt Layher 4591eccfc7 network: use varlink for networkctl check_netns_match()
Use varlink to detect networkd's network namespace when executing
networkctl rather than the D-Bus interface.

Signed-off-by: Matt Layher <mdlayher@gmail.com>
2023-12-23 04:25:13 +09:00
Yu Watanabe 2b575c0c95
Merge pull request #30585 from YHNdnzj/isatty-handling
various: clean up isatty() handling
2023-12-23 03:19:19 +09:00
Mike Yuan dd9c8da865
various: clean up isatty() handling
As per https://github.com/systemd/systemd/pull/30547#discussion_r1434371627
2023-12-22 23:06:49 +08:00
Mike Yuan 76270f5c09
terminal-util: introduce isatty_safe that rejects EBADF 2023-12-22 23:06:48 +08:00
Mike Yuan d3f818fea6
terminal-util: use RET_GATHER more 2023-12-22 23:04:47 +08:00
Luca Boccassi 4f276e97de test: fix check for device in test-execute
The unit actually uses /dev/kmsg, not /dev/kvm

Follow-up for ae7482b994
2023-12-22 15:32:28 +01:00
Luca Boccassi 12b6b3cfd9
Merge pull request #30550 from yuwata/network-nexthop-cleanups-3
network: several cleanups for nexthop (part3)
2023-12-22 10:44:39 +01:00
Yu Watanabe 2962a50850 systemctl: swap cached_id_map and cached_name_map
These are unused or used in the same order. So, this patch does not
change any behavior, just for naming consistency with the function
prototype.

Closes #30570.
2023-12-22 12:34:01 +09:00
Lennart Poettering c5c74d85d3 networkd: add basic Varlink interface
Let's get networkd onto Varlink. This only adds the most basic of
operations.

I'd love to see networkd do Varlink for all its basic operations so that
networkctl can use that, and work correctly before D-Bus is up. Right
now, many of networkctl's calls simply don't work before D-Bus, and I'd
like to see that improved.
2023-12-22 11:54:43 +09:00
Lennart Poettering 8017ed7e0e service: don't try to determine selinux label for socket activation if RootImage= is used
We cannot determine the SELinux label ahead of time if RootImage= is
used, since we'd have to mount the image then, hence don't, and handle
this cleanly, and gracefully.

While we are at it, stop "reaching over" so much from the socket code to
the service code, and instead provide a function that does most of the hard
work in service.c that socket.c just calls.

While we are at it, add debug logging and stuff.

I noticed the issue when also noticing #30560, but that one is harder to
fix, hence I avoided it for now.
2023-12-22 11:51:51 +09:00
Yu Watanabe a16335cd17
Merge pull request #30553 from yuwata/network-post-event-source
network: merge two post event sources
2023-12-22 11:50:56 +09:00
Yu Watanabe 4e22097489
Merge pull request #30541 from yuwata/network-address-empty
network/address: make Address= in [Network] support an empty string
2023-12-22 11:50:44 +09:00
Luca Boccassi eb2afc75e0
Merge pull request #30575 from arthurzam/bash
bash-completion: add some missing options
2023-12-21 23:44:17 +01:00
Lennart Poettering 66f3da245b
Merge pull request #30284 from YHNdnzj/fstab-wantedby-defaultdeps
fstab-generator: disable default deps if x-systemd.{wanted,required}-by= is used
2023-12-21 22:47:54 +01:00
Lennart Poettering dc6522b18f
Merge pull request #28658 from H5117/enroll_with_ec
cryptsetup: Add support for EC keys in PKCS#11 tokens
2023-12-21 22:45:40 +01:00
Lennart Poettering aafd495af8
Merge pull request #30547 from poettering/uid0
add new "uid0" command as alternative multi-call interface for systemd-run, as sudo replacement
2023-12-21 22:45:15 +01:00
Daan De Meyer bacad14f94 Drop /dev test in test-mountpoint-util
Even /dev isn't always guaranteed to be a mount point, so let's drop
this part of the test.
2023-12-22 06:28:01 +09:00
Arthur Zamarin 8546a4af00
bash-completion: add missing option to systemd-confext
Signed-off-by: Arthur Zamarin <arthurzam@gentoo.org>
2023-12-21 23:23:13 +02:00
Arthur Zamarin bd97ae259d
bash-completion: add missing option to systemd-cgls
Signed-off-by: Arthur Zamarin <arthurzam@gentoo.org>
2023-12-21 23:13:35 +02:00
Arthur Zamarin fabe596e7e
bash-completion: add missing option to systemd-cat
Signed-off-by: Arthur Zamarin <arthurzam@gentoo.org>
2023-12-21 23:07:05 +02:00
Yu Watanabe 2c6c2b893b
Merge pull request #30568 from poettering/creds-varlink
creds: add varlink interface to encrypt/decrypt credentials
2023-12-22 05:30:23 +09:00
Yu Watanabe 4d5ea06c83
Merge pull request #30566 from poettering/varlink-inval-param
add a new helper varlink_error_invalid_parameter_name(), and make more use of the existing varlink_error_invalid_parameter()
2023-12-22 05:28:36 +09:00
Lennart Poettering 7b36fb9f96 polkit: simplify bus_verify_polkit_async() + drop auth-by-cap dbus feature
This simplifies bus_verify_polkit_async() and related calls quite a bit:

1. This removes any support for authentication-by-Linux-capability. This
   is ultimately a kdbus leftover: with classic AF_UNIX transports we
   cannot authenticate by capabilities securely (because we cannot
   acquire it from the peer without races), hence we never actually did.
   Since the necessary kernel work didn't materialize in the last 10y,
   and is unlikely to be added, let's just kill this context. We cannot
   quite remove the caps stuff from sd-bus for API compat, but for our
   polkit logic let's kill it.

2. The "good_uid" and "interactive" params are only necessary in very
   few cases, hence let's move them to a new call
   bus_verify_polkit_async_full() and make bus_verify_polkit_async() a
   wrapper around it without those two parameters.

This also fixes a bunch of wrong uses of the "interactive" bool. The
bool makes no sense today as the ALLOW_INTERACTIVE_AUTHORIZATION field
in the D-Bus message header replaces it fully. We only need it to
implement method calls we introduced prior to that header field becoming
available in D-Bus. And it should only be used on such old method calls,
and otherwise always be set to false.

This does not change behaviour in any way. Just simplifies stuff.

Fixes: #21586
2023-12-22 05:27:36 +09:00
Lennart Poettering c2fb27ca04 varlink: make use of varlink_error_invalid_parameter() helper where appropriate 2023-12-21 19:22:47 +01:00
Lennart Poettering afc50293bb varlink: add helper varlink_error_invalid_parameter_name() 2023-12-21 19:22:46 +01:00
Lennart Poettering 1760716959 test: add simple creds/varlink integration test 2023-12-21 19:19:12 +01:00
Lennart Poettering 644f19c75c creds: add varlink API for encrypting/decrypting credentials 2023-12-21 19:19:12 +01:00
Lennart Poettering fa328d8a45 varlink: add helper varlink_error_invalid_parameter_name() 2023-12-21 19:19:11 +01:00
Lennart Poettering 73d8041c9a update TODO 2023-12-21 19:15:01 +01:00
Lennart Poettering dd25a95763 test: add minimal integration test coverage for uid0 tool 2023-12-21 19:15:01 +01:00
Lennart Poettering 2118b179ca man: try to improve wording on --slice-inherit docs 2023-12-21 19:15:01 +01:00
Lennart Poettering 2f0b4d578b run/uid0: tint the terminal background color (and add new --background= switch)
This adds a new --background= switch that allows specifying a
background color for the terminal while the tool runs.

It also teaches the tool when invoked as uid0 to tint the terminal in a
reddish hue when operating as root, and in a yellowish hue when
operating as any other user.

This should highlight nicely when the user is operating with elevated
privileges, or changed privileges.
2023-12-21 19:15:01 +01:00
Lennart Poettering 447bcbfc90 color-util: add helper to convert RGB → HSV
We already have HSV → RGB, add the opposite operation.
2023-12-21 19:15:01 +01:00
Lennart Poettering eee799fa86 color-util: split out HSV color conversion into color-util.[ch] 2023-12-21 19:15:01 +01:00
Lennart Poettering 23d9fcc3c9 ptyfwd: optionally, change ANSI background color of forwarded terminals
As the bytes flow through our terminal forwarder we can color the
background of the terminal with a color of our choice, if that's
desired.

This will later allow us to color the background of the uid0 tool when
running as root with a slightly alarming red color.

This does two things:

1. When an ANSI sequence is seen that resets the background color, it is
   extended to immediately set the color to our choice.
2. When a newline is seen it is immediately extended to set the
   background color again and clear the current line till the end.

Net effect: all lines written while we forward the ttys will be shown
with the background color of choice.
2023-12-21 19:15:01 +01:00
Lennart Poettering 63e9c38370 terminal-util: add helper that determines terminal default bg color 2023-12-21 19:15:01 +01:00
Lennart Poettering d02d4f83f0 terminal-util: add helper for disabling terminal echo in termios struct 2023-12-21 19:15:01 +01:00
Lennart Poettering b0936baf11 mkosi: don't turn off installation of our PAM snippets
Otherwise we don't get the new PAM snippet for the uid0 PAM stack
installed.
2023-12-21 19:14:43 +01:00
Lennart Poettering 1072d94731 run: optionally set the "ignore-failure" flag for ExecStart= lines 2023-12-21 19:14:43 +01:00
Lennart Poettering 72eb3081b2 run: when invoked as "uid0", expose some sudo-like behaviour
This turns "systemd-run" into a multi-call binary. When invoked under
the name "uid0", then it behaves a bit more like traditional "sudo".
This mostly means defaults appropriate for that, for example a PAM
stack, interactivity and more.

Fixes: #29199
2023-12-21 19:14:43 +01:00
Lennart Poettering 20f8b345db env-util: add strv_env_assignf() helper 2023-12-21 19:07:29 +01:00
Yu Watanabe 207aafe7e1
Merge pull request #30567 from yuwata/hashmap_isempty
tree-wide: use hashmap_isempty() and friends
2023-12-22 02:36:19 +09:00
Yu Watanabe 187f920713
Merge pull request #30564 from poettering/varlink-log-tweaks
varlink: minor fixes & tweaks
2023-12-22 02:31:09 +09:00
Yu Watanabe 6280da4746
Merge pull request #30563 from poettering/socket-tweaks
two minor tweaks to socket-util.c
2023-12-22 02:30:46 +09:00
Yu Watanabe 474536c949 sd-journal: use FOREACH_ARRAY() at one more place 2023-12-22 01:28:44 +09:00
Yu Watanabe 43127aebc7 tree-wide: use hashmap_isempty() and friends 2023-12-22 01:27:09 +09:00
Lennart Poettering 7ff96ce383 varlink: check state rather than flags to determine whether it makes sense to reply
We already checked the flags before, and updated the state accordingly,
hence let's only look at the state afterwards. This allows us to use the
same expressions for all cases where we want to reply automatically to
clients.
2023-12-21 15:28:01 +01:00
Lennart Poettering a13518231a varlink: add an extra assert encoding our assumption that ucred is valid here 2023-12-21 15:27:37 +01:00
Lennart Poettering c931c871aa varlink: never turn method call handler errors into connection errors
Let's make sure method call handlers failing will result in that very
method call failing but not the whole connection. We mostly got that
right, except for "oneway" calls where the method reply is supposed to
be eaten up, but wasn't. Fix that.
2023-12-21 15:25:46 +01:00
Lennart Poettering 6bcc12325b varlink: switch various log calls to the local log helpers
Most code in varlink.c got that right, but some didn't. Fix that.
2023-12-21 15:24:32 +01:00