summaryrefslogtreecommitdiffstats
path: root/src
diff options
context:
space:
mode:
Diffstat (limited to 'src')
-rw-r--r--src/analyze/analyze-pcrs.c2
-rw-r--r--src/basic/strbuf.c5
-rw-r--r--src/core/service.c8
-rw-r--r--src/fundamental/macro-fundamental.h5
-rw-r--r--src/hostname/hostnamed.c11
-rw-r--r--src/libsystemd-network/sd-dhcp-server.c2
-rw-r--r--src/partition/repart.c9
-rw-r--r--src/resolve/resolved-dns-server.c3
-rw-r--r--src/shared/cryptsetup-util.c19
-rw-r--r--src/shared/cryptsetup-util.h6
-rw-r--r--src/shared/install.c14
-rw-r--r--src/shared/logs-show.c6
-rw-r--r--src/shared/tpm2-util.c2
-rw-r--r--src/systemd/sd-messages.h3
-rw-r--r--src/tmpfiles/tmpfiles.c23
-rw-r--r--src/tpm2-setup/tpm2-setup.c13
16 files changed, 89 insertions, 42 deletions
diff --git a/src/analyze/analyze-pcrs.c b/src/analyze/analyze-pcrs.c
index 43e415f..1c3da3f 100644
--- a/src/analyze/analyze-pcrs.c
+++ b/src/analyze/analyze-pcrs.c
@@ -11,7 +11,7 @@
static int get_pcr_alg(const char **ret) {
assert(ret);
- FOREACH_STRING(alg, "sha256", "sha1") {
+ FOREACH_STRING(alg, "sha256", "sha384", "sha1") {
_cleanup_free_ char *p = NULL;
if (asprintf(&p, "/sys/class/tpm/tpm0/pcr-%s/0", alg) < 0)
diff --git a/src/basic/strbuf.c b/src/basic/strbuf.c
index 0617acc..6d43955 100644
--- a/src/basic/strbuf.c
+++ b/src/basic/strbuf.c
@@ -107,7 +107,6 @@ static void bubbleinsert(struct strbuf_node *node,
/* add string, return the index/offset into the buffer */
ssize_t strbuf_add_string(struct strbuf *str, const char *s, size_t len) {
uint8_t c;
- char *buf_new;
struct strbuf_child_entry *child;
struct strbuf_node *node;
ssize_t off;
@@ -147,10 +146,8 @@ ssize_t strbuf_add_string(struct strbuf *str, const char *s, size_t len) {
}
/* add new string */
- buf_new = realloc(str->buf, str->len + len+1);
- if (!buf_new)
+ if (!GREEDY_REALLOC(str->buf, str->len + len + 1))
return -ENOMEM;
- str->buf = buf_new;
off = str->len;
memcpy(str->buf + off, s, len);
str->len += len;
diff --git a/src/core/service.c b/src/core/service.c
index 8ec27c4..6e81460 100644
--- a/src/core/service.c
+++ b/src/core/service.c
@@ -1351,7 +1351,7 @@ static int service_coldplug(Unit *u) {
service_start_watchdog(s);
if (UNIT_ISSET(s->accept_socket)) {
- Socket* socket = SOCKET(UNIT_DEREF(s->accept_socket));
+ Socket *socket = SOCKET(UNIT_DEREF(s->accept_socket));
if (socket->max_connections_per_source > 0) {
SocketPeer *peer;
@@ -3220,8 +3220,8 @@ static int service_deserialize_item(Unit *u, const char *key, const char *value,
} else if (streq(key, "accept-socket")) {
Unit *socket;
- if (u->type != UNIT_SOCKET) {
- log_unit_debug(u, "Failed to deserialize accept-socket: unit is not a socket");
+ if (unit_name_to_type(value) != UNIT_SOCKET) {
+ log_unit_debug(u, "Deserialized accept-socket is not a socket unit, ignoring: %s", value);
return 0;
}
@@ -3230,7 +3230,7 @@ static int service_deserialize_item(Unit *u, const char *key, const char *value,
log_unit_debug_errno(u, r, "Failed to load accept-socket unit '%s': %m", value);
else {
unit_ref_set(&s->accept_socket, u, socket);
- SOCKET(socket)->n_connections++;
+ ASSERT_PTR(SOCKET(socket))->n_connections++;
}
} else if (streq(key, "socket-fd")) {
diff --git a/src/fundamental/macro-fundamental.h b/src/fundamental/macro-fundamental.h
index 5ccbda5..8aca5f7 100644
--- a/src/fundamental/macro-fundamental.h
+++ b/src/fundamental/macro-fundamental.h
@@ -517,6 +517,10 @@ static inline uint64_t ALIGN_OFFSET_U64(uint64_t l, uint64_t ali) {
} \
}
+/* Restriction/bug (see above) was fixed in GCC 15 and clang 19.*/
+#if __GNUC__ >= 15 || (defined(__clang__) && __clang_major__ >= 19)
+#define DECLARE_FLEX_ARRAY(type, name) type name[];
+#else
/* Declare a flexible array usable in a union.
* This is essentially a work-around for a pointless constraint in C99
* and might go away in some future version of the standard.
@@ -528,6 +532,7 @@ static inline uint64_t ALIGN_OFFSET_U64(uint64_t l, uint64_t ali) {
dummy_t __empty__ ## name; \
type name[]; \
}
+#endif
/* Declares an ELF read-only string section that does not occupy memory at runtime. */
#define DECLARE_NOALLOC_SECTION(name, text) \
diff --git a/src/hostname/hostnamed.c b/src/hostname/hostnamed.c
index 82d0880..fe1216f 100644
--- a/src/hostname/hostnamed.c
+++ b/src/hostname/hostnamed.c
@@ -1682,6 +1682,13 @@ static int connect_varlink(Context *c) {
return 0;
}
+static bool context_check_idle(void *userdata) {
+ Context *c = ASSERT_PTR(userdata);
+
+ return varlink_server_current_connections(c->varlink_server) == 0 &&
+ hashmap_isempty(c->polkit_registry);
+}
+
static int run(int argc, char *argv[]) {
_cleanup_(context_destroy) Context context = {
.hostname_source = _HOSTNAME_INVALID, /* appropriate value will be set later */
@@ -1731,8 +1738,8 @@ static int run(int argc, char *argv[]) {
context.bus,
"org.freedesktop.hostname1",
DEFAULT_EXIT_USEC,
- /* check_idle= */ NULL,
- /* userdata= */ NULL);
+ context_check_idle,
+ &context);
if (r < 0)
return log_error_errno(r, "Failed to run event loop: %m");
diff --git a/src/libsystemd-network/sd-dhcp-server.c b/src/libsystemd-network/sd-dhcp-server.c
index c3b0f82..4967f06 100644
--- a/src/libsystemd-network/sd-dhcp-server.c
+++ b/src/libsystemd-network/sd-dhcp-server.c
@@ -1252,7 +1252,7 @@ static int server_receive_message(sd_event_source *s, int fd,
/* Preallocate the additional size for DHCP Relay Agent Information Option if needed */
buflen += relay_agent_information_length(server->agent_circuit_id, server->agent_remote_id) + 2;
- message = malloc(buflen);
+ message = malloc0(buflen);
if (!message)
return -ENOMEM;
diff --git a/src/partition/repart.c b/src/partition/repart.c
index 6f67d46..8f64520 100644
--- a/src/partition/repart.c
+++ b/src/partition/repart.c
@@ -187,6 +187,7 @@ STATIC_DESTRUCTOR_REGISTER(arg_tpm2_hash_pcr_values, freep);
STATIC_DESTRUCTOR_REGISTER(arg_tpm2_public_key, freep);
STATIC_DESTRUCTOR_REGISTER(arg_tpm2_pcrlock, freep);
STATIC_DESTRUCTOR_REGISTER(arg_filter_partitions, freep);
+STATIC_DESTRUCTOR_REGISTER(arg_defer_partitions, freep);
STATIC_DESTRUCTOR_REGISTER(arg_image_policy, image_policy_freep);
STATIC_DESTRUCTOR_REGISTER(arg_copy_from, strv_freep);
STATIC_DESTRUCTOR_REGISTER(arg_copy_source, freep);
@@ -3913,7 +3914,7 @@ static int partition_target_sync(Context *context, Partition *p, PartitionTarget
}
static int partition_encrypt(Context *context, Partition *p, PartitionTarget *target, bool offline) {
-#if HAVE_LIBCRYPTSETUP && HAVE_CRYPT_SET_DATA_OFFSET && HAVE_CRYPT_REENCRYPT_INIT_BY_PASSPHRASE && HAVE_CRYPT_REENCRYPT
+#if HAVE_LIBCRYPTSETUP && HAVE_CRYPT_SET_DATA_OFFSET && HAVE_CRYPT_REENCRYPT_INIT_BY_PASSPHRASE && (HAVE_CRYPT_REENCRYPT_RUN || HAVE_CRYPT_REENCRYPT)
const char *node = partition_target_path(target);
struct crypt_params_luks2 luks_params = {
.label = strempty(ASSERT_PTR(p)->new_label),
@@ -4220,7 +4221,11 @@ static int partition_encrypt(Context *context, Partition *p, PartitionTarget *ta
if (r < 0)
return log_error_errno(r, "Failed to load reencryption context: %m");
+#if HAVE_CRYPT_REENCRYPT_RUN
+ r = sym_crypt_reencrypt_run(cd, NULL, NULL);
+#else
r = sym_crypt_reencrypt(cd, NULL);
+#endif
if (r < 0)
return log_error_errno(r, "Failed to encrypt %s: %m", node);
} else {
@@ -4232,7 +4237,7 @@ static int partition_encrypt(Context *context, Partition *p, PartitionTarget *ta
dm_name,
NULL,
VOLUME_KEY_SIZE,
- arg_discard ? CRYPT_ACTIVATE_ALLOW_DISCARDS : 0);
+ (arg_discard ? CRYPT_ACTIVATE_ALLOW_DISCARDS : 0) | CRYPT_ACTIVATE_PRIVATE);
if (r < 0)
return log_error_errno(r, "Failed to activate LUKS superblock: %m");
diff --git a/src/resolve/resolved-dns-server.c b/src/resolve/resolved-dns-server.c
index 340f11f..b37f541 100644
--- a/src/resolve/resolved-dns-server.c
+++ b/src/resolve/resolved-dns-server.c
@@ -706,9 +706,6 @@ bool dns_server_dnssec_supported(DnsServer *server) {
if (dns_server_get_dnssec_mode(server) == DNSSEC_YES) /* If strict DNSSEC mode is enabled, always assume DNSSEC mode is supported. */
return true;
- if (!DNS_SERVER_FEATURE_LEVEL_IS_DNSSEC(server->possible_feature_level))
- return false;
-
if (server->packet_bad_opt)
return false;
diff --git a/src/shared/cryptsetup-util.c b/src/shared/cryptsetup-util.c
index 288e6e8..d0dd434 100644
--- a/src/shared/cryptsetup-util.c
+++ b/src/shared/cryptsetup-util.c
@@ -54,10 +54,10 @@ DLSYM_FUNCTION(crypt_volume_key_get);
#if HAVE_CRYPT_REENCRYPT_INIT_BY_PASSPHRASE
DLSYM_FUNCTION(crypt_reencrypt_init_by_passphrase);
#endif
-#if HAVE_CRYPT_REENCRYPT
-DISABLE_WARNING_DEPRECATED_DECLARATIONS;
+#if HAVE_CRYPT_REENCRYPT_RUN
+DLSYM_FUNCTION(crypt_reencrypt_run);
+#elif HAVE_CRYPT_REENCRYPT
DLSYM_FUNCTION(crypt_reencrypt);
-REENABLE_WARNING;
#endif
DLSYM_FUNCTION(crypt_metadata_locking);
#if HAVE_CRYPT_SET_DATA_OFFSET
@@ -246,11 +246,8 @@ int dlopen_cryptsetup(void) {
/* libcryptsetup added crypt_reencrypt() in 2.2.0, and marked it obsolete in 2.4.0, replacing it with
* crypt_reencrypt_run(), which takes one extra argument but is otherwise identical. The old call is
- * still available though, and given we want to support 2.2.0 for a while longer, we'll stick to the
- * old symbol. However, the old symbols now has a GCC deprecation decorator, hence let's turn off
- * warnings about this for now. */
-
- DISABLE_WARNING_DEPRECATED_DECLARATIONS;
+ * still available though, and given we want to support 2.2.0 for a while longer, we'll use the old
+ * symbol if the new one is not available. */
ELF_NOTE_DLOPEN("cryptsetup",
"Support for disk encryption, integrity, and authentication",
@@ -304,7 +301,9 @@ int dlopen_cryptsetup(void) {
#if HAVE_CRYPT_REENCRYPT_INIT_BY_PASSPHRASE
DLSYM_ARG(crypt_reencrypt_init_by_passphrase),
#endif
-#if HAVE_CRYPT_REENCRYPT
+#if HAVE_CRYPT_REENCRYPT_RUN
+ DLSYM_ARG(crypt_reencrypt_run),
+#elif HAVE_CRYPT_REENCRYPT
DLSYM_ARG(crypt_reencrypt),
#endif
DLSYM_ARG(crypt_metadata_locking),
@@ -316,8 +315,6 @@ int dlopen_cryptsetup(void) {
if (r <= 0)
return r;
- REENABLE_WARNING;
-
/* Redirect the default logging calls of libcryptsetup to our own logging infra. (Note that
* libcryptsetup also maintains per-"struct crypt_device" log functions, which we'll also set
* whenever allocating a "struct crypt_device" context. Why set both? To be defensive: maybe some
diff --git a/src/shared/cryptsetup-util.h b/src/shared/cryptsetup-util.h
index f00ac36..d255e59 100644
--- a/src/shared/cryptsetup-util.h
+++ b/src/shared/cryptsetup-util.h
@@ -70,10 +70,10 @@ DLSYM_PROTOTYPE(crypt_volume_key_get);
#if HAVE_CRYPT_REENCRYPT_INIT_BY_PASSPHRASE
DLSYM_PROTOTYPE(crypt_reencrypt_init_by_passphrase);
#endif
-#if HAVE_CRYPT_REENCRYPT
-DISABLE_WARNING_DEPRECATED_DECLARATIONS;
+#if HAVE_CRYPT_REENCRYPT_RUN
+DLSYM_PROTOTYPE(crypt_reencrypt_run);
+#elif HAVE_CRYPT_REENCRYPT
DLSYM_PROTOTYPE(crypt_reencrypt);
-REENABLE_WARNING;
#endif
DLSYM_PROTOTYPE(crypt_metadata_locking);
#if HAVE_CRYPT_SET_DATA_OFFSET
diff --git a/src/shared/install.c b/src/shared/install.c
index dd2bd5c..c94b456 100644
--- a/src/shared/install.c
+++ b/src/shared/install.c
@@ -2282,7 +2282,9 @@ static int install_context_mark_for_removal(
else {
log_debug_errno(r, "Unit %s not found, removing name.", i->name);
r = install_changes_add(changes, n_changes, r, i->path ?: i->name, NULL);
- if (r < 0)
+ /* In case there's no unit, we still want to remove any leftover symlink, even if
+ * the unit might have been removed already, hence treating ENOENT as non-fatal. */
+ if (r != -ENOENT)
return r;
}
} else if (r < 0) {
@@ -2874,9 +2876,13 @@ static int do_unit_file_disable(
r = install_info_add(&ctx, *name, NULL, lp->root_dir, /* auxiliary= */ false, &info);
if (r >= 0)
r = install_info_traverse(&ctx, lp, info, SEARCH_LOAD|SEARCH_FOLLOW_CONFIG_SYMLINKS, NULL);
-
- if (r < 0)
- return install_changes_add(changes, n_changes, r, *name, NULL);
+ if (r < 0) {
+ r = install_changes_add(changes, n_changes, r, *name, NULL);
+ /* In case there's no unit, we still want to remove any leftover symlink, even if
+ * the unit might have been removed already, hence treating ENOENT as non-fatal. */
+ if (r != -ENOENT)
+ return r;
+ }
/* If we enable multiple units, some with install info and others without,
* the "empty [Install] section" warning is not shown. Let's make the behavior
diff --git a/src/shared/logs-show.c b/src/shared/logs-show.c
index c71c868..153a411 100644
--- a/src/shared/logs-show.c
+++ b/src/shared/logs-show.c
@@ -450,6 +450,9 @@ static void parse_display_realtime(
assert(j);
assert(ret);
+ // FIXME: _SOURCE_MONOTONIC_TIMESTAMP is in CLOCK_BOOTTIME, hence we cannot use it for adjusting realtime.
+ source_monotonic = NULL;
+
/* First, try _SOURCE_REALTIME_TIMESTAMP. */
if (source_realtime && safe_atou64(source_realtime, &t) >= 0 && VALID_REALTIME(t)) {
*ret = t;
@@ -488,6 +491,9 @@ static void parse_display_timestamp(
assert(ret_display_ts);
assert(ret_boot_id);
+ // FIXME: _SOURCE_MONOTONIC_TIMESTAMP is in CLOCK_BOOTTIME, hence we cannot use it for adjusting realtime.
+ source_monotonic = NULL;
+
if (source_realtime && safe_atou64(source_realtime, &t) >= 0 && VALID_REALTIME(t))
source_ts.realtime = t;
diff --git a/src/shared/tpm2-util.c b/src/shared/tpm2-util.c
index 87ce53c..9603f18 100644
--- a/src/shared/tpm2-util.c
+++ b/src/shared/tpm2-util.c
@@ -2119,6 +2119,8 @@ int tpm2_create_primary(
/* creationData= */ NULL,
/* creationHash= */ NULL,
/* creationTicket= */ NULL);
+ if (rc == TPM2_RC_BAD_AUTH)
+ return log_debug_errno(SYNTHETIC_ERRNO(EDEADLK), "Authorization failure while attempting to enroll SRK into TPM.");
if (rc != TSS2_RC_SUCCESS)
return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
"Failed to generate primary key in TPM: %s",
diff --git a/src/systemd/sd-messages.h b/src/systemd/sd-messages.h
index e3f6806..16e9986 100644
--- a/src/systemd/sd-messages.h
+++ b/src/systemd/sd-messages.h
@@ -272,6 +272,9 @@ _SD_BEGIN_DECLARATIONS;
#define SD_MESSAGE_PORTABLE_DETACHED SD_ID128_MAKE(76,c5,c7,54,d6,28,49,0d,8e,cb,a4,c9,d0,42,11,2b)
#define SD_MESSAGE_PORTABLE_DETACHED_STR SD_ID128_MAKE_STR(76,c5,c7,54,d6,28,49,0d,8e,cb,a4,c9,d0,42,11,2b)
+#define SD_MESSAGE_SRK_ENROLLMENT_NEEDS_AUTHORIZATION SD_ID128_MAKE(ad,70,89,f9,28,ac,4f,7e,a0,0c,07,45,7d,47,ba,8a)
+#define SD_MESSAGE_SRK_ENROLLMENT_NEEDS_AUTHORIZATION_STR SD_ID128_MAKE_STR(ad,70,89,f9,28,ac,4f,7e,a0,0c,07,45,7d,47,ba,8a)
+
_SD_END_DECLARATIONS;
#endif
diff --git a/src/tmpfiles/tmpfiles.c b/src/tmpfiles/tmpfiles.c
index 807925f..8cc8c1c 100644
--- a/src/tmpfiles/tmpfiles.c
+++ b/src/tmpfiles/tmpfiles.c
@@ -3024,10 +3024,16 @@ static int remove_recursive(
return r;
if (remove_instance) {
- log_debug("Removing directory \"%s\".", instance);
- r = RET_NERRNO(rmdir(instance));
- if (r < 0 && !IN_SET(r, -ENOENT, -ENOTEMPTY))
- return log_error_errno(r, "Failed to remove %s: %m", instance);
+ log_action("Would remove", "Removing", "%s directory \"%s\".", instance);
+ if (!arg_dry_run) {
+ r = RET_NERRNO(rmdir(instance));
+ if (r < 0) {
+ bool fatal = !IN_SET(r, -ENOENT, -ENOTEMPTY);
+ log_full_errno(fatal ? LOG_ERR : LOG_DEBUG, r, "Failed to remove %s: %m", instance);
+ if (fatal)
+ return r;
+ }
+ }
}
return 0;
}
@@ -4142,7 +4148,9 @@ static int help(void) {
"\n%3$sCommands:%4$s\n"
" --create Create files and directories\n"
" --clean Clean up files and directories\n"
- " --remove Remove files and directories\n"
+ " --remove Remove files and directories marked for removal\n"
+ " --purge Delete files and directories marked for creation in\n"
+ " specified configuration files (careful!)\n"
" -h --help Show this help\n"
" --version Show package version\n"
"\n%3$sOptions:%4$s\n"
@@ -4151,7 +4159,6 @@ static int help(void) {
" --tldr Show non-comment parts of configuration\n"
" --boot Execute actions only safe at boot\n"
" --graceful Quietly ignore unknown users or groups\n"
- " --purge Delete all files owned by the configuration files\n"
" --prefix=PATH Only apply rules with the specified prefix\n"
" --exclude-prefix=PATH Ignore rules with the specified prefix\n"
" -E Ignore rules prefixed with /dev, /proc, /run, /sys\n"
@@ -4338,6 +4345,10 @@ static int parse_argv(int argc, char *argv[]) {
return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
"You need to specify at least one of --clean, --create, --remove, or --purge.");
+ if (FLAGS_SET(arg_operation, OPERATION_PURGE) && optind >= argc)
+ return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
+ "Refusing --purge without specification of a configuration file.");
+
if (arg_replace && arg_cat_flags != CAT_CONFIG_OFF)
return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
"Option --replace= is not supported with --cat-config/--tldr.");
diff --git a/src/tpm2-setup/tpm2-setup.c b/src/tpm2-setup/tpm2-setup.c
index 35628fc..b95c5e7 100644
--- a/src/tpm2-setup/tpm2-setup.c
+++ b/src/tpm2-setup/tpm2-setup.c
@@ -3,6 +3,8 @@
#include <getopt.h>
#include <unistd.h>
+#include "sd-messages.h"
+
#include "build.h"
#include "fd-util.h"
#include "fileio.h"
@@ -223,6 +225,8 @@ static int load_public_key_tpm2(struct public_key_data *ret) {
/* ret_name= */ NULL,
/* ret_qname= */ NULL,
NULL);
+ if (r == -EDEADLK)
+ return r;
if (r < 0)
return log_error_errno(r, "Failed to get or create SRK: %m");
if (r > 0)
@@ -289,6 +293,13 @@ static int run(int argc, char *argv[]) {
}
r = load_public_key_tpm2(&tpm2_key);
+ if (r == -EDEADLK) {
+ log_struct_errno(LOG_INFO, r,
+ LOG_MESSAGE("Insufficient permissions to access TPM, not generating SRK."),
+ "MESSAGE_ID=" SD_MESSAGE_SRK_ENROLLMENT_NEEDS_AUTHORIZATION_STR);
+ return 76; /* Special return value which means "Insufficient permissions to access TPM,
+ * cannot generate SRK". This isn't really an error when called at boot. */;
+ }
if (r < 0)
return r;
@@ -383,4 +394,4 @@ static int run(int argc, char *argv[]) {
return 0;
}
-DEFINE_MAIN_FUNCTION(run);
+DEFINE_MAIN_FUNCTION_WITH_POSITIVE_FAILURE(run);