In case kernel-install is called to install what's already a UKI, 60-ukify
must be skipped. E.g. when distro shipped and signed UKI is being installed,
it is counter-productive to try to rebuild it with ukify. Also, the existing
script is not ready to handle UKIs with embedded initramfs.
Note, it is already possible to disable 60-ukify by setting
KERNEL_INSTALL_UKI_GENERATOR to something but in case it is not set, 60-ukify
assumes it should run.
The testuser user is only needed for integration tests,
which are used in the system user and this config
can be provided as drop-ins instead of inline in postinst scripts.
The Toshiba Z830 has 3 hotkeys which use the ACPI PNP0C32 quickstart spec:
https://archive.org/details/microsoft-acpi-dirapplaunch
These devices have an ACPI method called GHID() which suggests
it returns a value from the "HID Usage Tables" document, but these
methods simple returns a follow number for the button (1, 2 and 3).
The first 2 buttons are for what the manual calls "TOSHIBA eco button"
and "TOSHIBA Presentation button", since there is no good match for
these simply map them to KEY_PROG1 and KEY_PROG2.
The third button is intended to toggle the touchpad on/off, map
this to F21 which GNOME/KDE will interpret as touchpad toggle.
Identify an virtualbox instance even if product_name, sys_vendor and bios_vendor reflect the
information of the real hardware, by checking if board_vendor == "Oracle Corporation"
This fixes#13429 again
The previous fix was removed in #21127
Recreate the encryption session on each retry. It's invalidated along
with the policy session when freed, failing subsequent retries.
Unsealing HMAC key.
WARNING:esys:src/tss2-esys/api/Esys_Unseal.c:295:Esys_Unseal_Finish() Received TPM Error
ERROR:esys:src/tss2-esys/api/Esys_Unseal.c:98:Esys_Unseal() Esys Finish ErrorCode (0x00000128)
A PCR value changed during the TPM2 policy session, restarting HMAC key unsealing (30 tries left).
Missing encryption session
Failed to unseal secret using TPM2: Invalid argument
Fixes#31881
This patch fixes an issue where, when not specifiying either at least one
`SocketBindAllow` or `SocketBindDeny` rule, behavior for the bind syscall
filtering would be unexpected.
For example, when trying to bind to a port with only "SocketBindDeny=any"
given, the syscall would succeed:
> systemd-run -t -p "SocketBindDeny=any" nc -l 8080
Expected with this set of rules (also in accordance with the documentation)
would be an Operation not permitted error.
This behavior occurs because a default initialized socket_bind_rule struct
matches what "any" represents. When creating the bpf list all elements get
default initialized, as such represeting "any". Seemingly it is necressarry
to set the size of the map to at least one, as such if no allow rule is
given default initialization and minimal map size cause one any allow rule
to be in the map, causing the behavior observed above.
This patch solves this by introducing a new "match nothing" magic stored in
the rule's address family and setting such a rule as the first one if no
rule is given, making sure that default initialized rule structs are never
used.
Resolves#30556
I don't quite understand the rationale of making these
verbs work with --global back in the day. But realistically
they interact with/spawn manager, while there's no
--global runtime scope manager. And to verify/inspect user
units it's sufficient to just use --user.
Fixes#31911
Currently, SocketPeer object acquired through
socket_acquire_peer() are referenced twice
in socket_enter_running and service_set_socket_fd,
and the reference taken by former gets dropped
through _cleanup_. This is a bit confusing.
Let's just pass ownership instead.