So far credentials are a concept for system services only: to encrypt or
decrypt credential you must be privileged, as only then you can access
the TPM and the host key.
Let's break this up a bit: let's add a "user-scoped" credential, that
are specific to users. Internally this works by adding another step to
the acquisition of the symmetric encryption key for the credential: if a
"user-scoped" credential is used we'll generate an symmetric encryption
key K as usual, but then we'll use it to calculate
K' = HMAC(K, flags || uid || machine-id || username)
and then use the resulting K' as encryption key instead. This basically
includes the (public) user's identity in the encryption key, ensuring
that only if the right user credentials are specified the correct key
can be acquired.
Before this commit, if --exec is used but no message shall
be sent, we silently ignore --exec and exit, which is pretty
surprising. Therefore, let's emit clear error instead.
Let's always derive credentials from a bus name or a conneciton fd if we
can, because they pin things.
Let's not go via PID really, because it's always racy to do so.
Note that this doesn't change much, since we wouldn't use such augmented
data for auth anyway (because it will be masked in the
sd_bus_creds.augmented mask as untrusted). But still, let's prefer
trusted data over untrusted data.
We do this for getgroups_malloc() hence we should do this here too,
after all whether we do it for a socket peer or for ourselves doesn't
make too much of a difference.
Addresses https://github.com/systemd/systemd/pull/31075#issuecomment-1911117026:
[ 40.039232] testsuite-50.sh[624]: ++ systemd-dissect --make-archive /tmp/tmp.RZEq3t/minimal_0.raw
[ 40.044745] testsuite-50.sh[625]: ++ sha256sum
[ 40.066693] systemd-dissect[621]: libarchive.so.13 is not installed: libarchive.so.13: cannot open shared object file: No such file or directory
[ 40.068577] systemd-dissect[621]: Archive support not available (compiled without libarchive, or libarchive not installed?).
[ 40.092242] systemd-dissect[624]: libarchive.so.13 is not installed: libarchive.so.13: cannot open shared object file: No such file or directory
[ 40.095716] systemd-dissect[624]: Archive support not available (compiled without libarchive, or libarchive not installed?).
[ 40.100510] testsuite-50.sh[538]: + test e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 '!=' ''
[ 40.100510] testsuite-50.sh[538]: + test e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 = e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
[ 40.108249] testsuite-50.sh[627]: + tar t
[ 40.113791] testsuite-50.sh[626]: + systemd-dissect --make-archive /tmp/tmp.RZEq3t/minimal_0.raw
[ 40.120300] testsuite-50.sh[628]: + grep etc/os-release
[ 40.176288] systemd-dissect[626]: libarchive.so.13 is not installed: libarchive.so.13: cannot open shared object file: No such file or directory
[ 40.180273] systemd-dissect[626]: Archive support not available (compiled without libarchive, or libarchive not installed?).
[ 40.184017] testsuite-50.sh[627]: tar: This does not look like a tar archive
[ 40.185430] testsuite-50.sh[627]: tar: Exiting with failure status due to previous errors
Follow-up for b68f4ca.
It never worked, but the fail was masked by missing set -e, see the
previous commit.
Also, throw env into the test container and dump the environment on
container start, to make potential failures easier to debug.
When running an image that cannot be mounted (e.g.: key missing intentionally
for development purposes), there's a retry loop that takes some time
and slows development down. Add an env var to disable it.
If sd_bus_set_exit_on_disconnect is used and the bus is part of an event
loop, and the D-Bus connection goes away (e.g.: soft-reboot), sd-bus
will always exit() the program instead of returning from the loop, as
the reference to the event is removed before it is checked.
Some tests have hard-coded results that need to match, and change if
the caller has a timezone set via the TZ= environment variable, as it
is the case during reproducible build tests. Unset it.