We want to make use of that when formatting file systems, hence let's
pull in these modules explicitly.
(This is necessary because we are an early boot service that might run
before systemd-tmpfiles-dev.service, which creates /dev/loop-control and
/dev/mapper/control.)
Alternatively we could just order ourselves after
systemd-tmpfiles-dev.service, but I think there's value in adding an
explicit minimal ordering here, since we know what we'll need.
Fixes: #25775
EFI_LOADER_VARIABLE() already applies to the stringify to construct the
path of EFI variable in efivars, so it is wrong to enclose the name of
EFI variable with the quotes. Otherwise, the following errors are
reported.
Reading EFI variable /sys/firmware/efi/efivars/StubFeatures-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f.
Reading EFI variable /sys/firmware/efi/efivars/"StubPcrKernelImage"-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f.
open("/sys/firmware/efi/efivars/"StubPcrKernelImage"-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f") failed: No such file or directory
Reading EFI variable /sys/firmware/efi/efivars/"StubPcrKernelParameters"-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f.
open("/sys/firmware/efi/efivars/"StubPcrKernelParameters"-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f") failed: No such file or directory
Reading EFI variable /sys/firmware/efi/efivars/"StubPcrInitRDSysExts"-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f.
open("/sys/firmware/efi/efivars/"StubPcrInitRDSysExts"-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f") failed: No such file or directory
Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
This is useful to make the dissection logic at boot a bit safer, as we
can reference device nodes by diskseq.
This locks down dissection a bit, since it makes it harder to swap out
the backing device between the time we dissected and validated it, until
we actually mounted it.
This is not complete though, as /bin/mount would have to verify the
diskseq after opening the diskseq symlink again.
See: https://github.com/util-linux/util-linux/issues/1786
This allows FIDO2 users to wipe out password slots and still be able to
enroll new key slots via systemd-cryptenroll. Note that when the user
wants to both unlock with a FIDO2 token and enroll a new FIDO2 token,
they cannot be set to automatic discovery. This is to safeguard against
confusion, because there will be multiple tokens connected to the system
when doing so -- and we require users to explicitly confirm which one to
use for unlocking and which one to use for enrollment.
Addresses #20230 for the FIDO2 case.
`acquire_fido2_key_auto()` will not be used in PLAIN mode, and
parameters such as the salt will be acquired from the LUKS header.
Parameters intended for PLAIN mode are useless in
`acquire_fido2_key_auto()`.
llvm-objcopy works on stubs built for foreign architectures whereas
objcopy doesn't so let's prefer using llvm-objcopy instead of objcopy.
llvm-objcopy automatically sets the virtual address and doesn't provide
an option to set it manually so we only add --change-section-vma when
using objcopy
The default section flags differ between llvm-objcopy and objcopy
so we add a default for the section flags so we make sure all sections
are read-only data unless specified otherwise.
When we dissect images automatically, let's be a bit more conservative
with the file system types we are willing to mount: only mount common
file systems automatically.
Explicit mounts requested by admins should always be OK, but when we do
automatic mounts, let's not permit barely maintained, possibly legacy
file systems.
The list for now covers the four common writable and two common
read-only file systems. Sooner or later we might want to add more to the
list.
Also, it might make sense to eventually make this configurable via the
image dissection policy logic.
Previously, when neither '--any' nor '--interface' options specified,
at least one of the interfaces must be in configured state.
This patch makes wait-online exit with success even if all interfaces
are in unmanaged state.
This may break backward compatibility in a rare situation. But in most
cases, this typically not change anything, as at least one interface
is managed by networkd.service when it is enabled.
This is mostly for making wait-online gracefully handle the case that
networkd.service and wait-online.service are enabled by mistake. In such
situation, all interfaces are typically not managed.
Fixes#25813.
This changes the definition from enpty_to_null() so that we are still
typesafe (i.e. only accept strings) but do not drop (or add) any const
to the returned string that wasn't also on the input.
Inspired by: 3196e2996f
The MSI Summit E16 Flip A12UCT laptop sends the following unmapped
atkbd scancodes:
0x91: Launch MSI Control Center
0xf1: Toggle mic mute
0xf2: Rotate screen
The 0x91, 0xf1 and 0xf2 codes are already present in the MSI Prestige/Modern
series specific keymappings and the 0xf1 mapping is also already present in
the MSI Bravo 15-B5DX FnKeys entry.
This shows that these are generic to many MSI models, so add mappings for
these to the generic MSI mappings.
Since the MSI Bravo 15-B5DX FnKeys entry only contains the 0xf1 mapping and
that is covered by the generic MSI mappings now, that entry is removed.
Link: https://gitlab.freedesktop.org/libinput/libinput/-/issues/822
Link: https://bugzilla.kernel.org/show_bug.cgi?id=216824
The [kernel documentation][0] for the in_proximity_nearlevel sysfs
attribute on iio proximity devices states:
If the value read from the sensor is above or equal to the value in
this file an object should typically be considered near.
Meaning a 'greater than or equal to' comparison.
Make the documentation comment in 60-sensors.hwdb suggest a
greater-or-equal rather than a strict greater-than comparison.
[0]: https://www.kernel.org/doc/Documentation/ABI/testing/sysfs-bus-iio-proximityFixes#25793
CVE-2022-4415: systemd: coredump not respecting fs.suid_dumpable kernel setting
Affects systemd >= 247 with libacl support enabled.
This is a merge of https://github.com/systemd/systemd-security/pull/12/.
I'm doing the merge locally because github doesn't support merging directly
from systemd/systemd-security to systemd/systemd.
