Monitor the sysctl set by networkd for writes, if a sysctl is
overwritten with a different value than the one we set, emit a warning.
Writes are detected with an eBPF program attached as BPF_CGROUP_SYSCTL
which reports the sysctl writes only in net/.
The eBPF program only reports sysctl writes from a different cgroup than networkd.
To do this, it uses the `bpf_current_task_under_cgroup_proto()` helper,
which will be available allowed in BPF_CGROUP_SYSCTL from kernel 6.12[1].
Loading a BPF_CGROUP_SYSCTL program requires the CAP_SYS_ADMIN capability,
so drop it just after the program load, whether it loads successfully or not.
Writes are logged but permitted, in future the functionality can be
extended to also deny writes to managed sysctls.
[1] https://lore.kernel.org/bpf/20240819162805.78235-3-technoboy85@gmail.com/
Requested in https://github.com/systemd/systemd/pull/33214#discussion_r1630251308.
Also, reword error messages a bit. When /usr/lib/clock-epoch was introduced,
"build time" stopped being acurate. Just say "epoch" instead.
The same message ID is used in the manager and timesyncd. The event is
essentially equivalent for the user, and it seems reasonable that to search for
both at the same time.
The catalog entry is dropped. It provided almost no additional information above
the message. When the same message ID is now applied to messages from PID1 and
timesyncd, and the clock can be both advanced and rewound, it becomes very hard
to make the catalog entry provide something useful, because catalog entries don't
allow conditionalization.
The TPM might be password/pin protected for various reasons even if
there is no SRK yet. Let's handle those cases gracefully instead of
failing the unit as it is enabled by default.
Currently portabled is completely silent (when not using debug level). But
when the system state is changed (ie: a portable is attached or detached)
there are no traces left in the journal. Log at info level when either of
those operations succeed, as they are effectively changing the state of
the system.
Create new MESSAGE_IDs for these logs, and also append PORTABLE_ROOT=
(and PORTABLE_EXTENSION= if any), like the units themselves are
configured to do via LogExtraFields=, so that the same metadata can
be found in the attach/detach messages and in logs from the units
themselves.
We went back-and-forth a bit on this. Very old meson would print a message
about detecting the program if a quoted argument was used, leading to a lot of
noise. So we started to convert various places to use the variable, but then it
turned out that meson < 0.56.2 doesn't handle this correctly and we reverted to
using strings everywhere in 7c22f07cbd. Then at
some point we stopped supporting old meson and over time we started using the
variable in various places again, somewhat inconsistently. Then most calls to
'sh' were removed in 9289e093ae when
install_emptydir() builtin started being used.
Now meson allows either the string or variable to be used, and doesn't print a
message if the string is used. Let's use the variable everywhere. For 'sh', we
could do either, but for other variables, we _do_ want the detection to happen,
for example for git, find, awk, which might not be installed and we want to
detect that early, before we start the build. It would be ugly to use quotes
for some programs, but not for others. Also, a string is still refused for
test(), so we couldn't use the string version even if we didn't care about
detection.
Let's add a catalog entry, make the log record structured, and most
importantly, let's add warning emojis.
Just to underline that this stuff should really go away.
Doesn't really matter since the two unicode symbols are supposedly
equivalent, but let's better follow the unicode recommendations to
prefer greek small letter mu, as per:
https://www.unicode.org/reports/tr25
Typically, in reasonably complex programs we want to realease various
caches (such as glibc allocation caches) in case of memory pressure.
Let's add explicit infrastructure for that to sd-event, that can hook
Linux' Pressure Stall Information (PSI) logic with our event loop.
This adds sd_event_add_memory_pressure() as easy, one-step API to
install an even source that is called under memory pressure.
The parameters which file to watch (the per-cgroup PSI file, or the
system-wide file /proc/pressure/memory) can be configured via env vars.
The idea is that the service manager sooner or later gains controls for
setting this up correctly.
Alternatively to the PSI a similar logic is supported but instead of
waiting for POLLPRI on a procfs/cgroupfs fd we'll wait for POLLIN on
FIFO or AF_UNIX sockets. This is useful for testing, and possibly in
other environments, for example to hook up this protocol directly with
GNOME's low memory monitor.
By default this watches on the cgroup-local PSI so that we aren't
affected by pressure on cgroups we are not related to.
It's useful being able to easily detect if a disk-based clock bump was
done, let's make it a structure message, the same way as acquiring an
NTP fix already is.
Also, set the clock to 1 µs further than the timestamp from the disk,
after all we know that that timestamp was current when it was written,
hence it can't be the right one right now anymore.
Originally, people used "extend a PCR with a measurement" or
"measure some blob into the PCR". In our docs those uses got merged
into "extend a string into a PCR". The meaning is clear to developers, but
it's a very jargony syntax that wouldn't make any sense to somebody who encounters
it the first time. Let's return to the more natural original phrasing.
Also, change various "this is supposed to act as" to "this acts as". If it
doesn't work, we have a bug to fix. This indirection is not useful.
Also, "boot path" → "phase path" and other smaller cleanups.
Usecase: later on we can use this to retroactively adjust log output in
journalctl or similar on systems lacking an RTC: we just have to search
for this sructured log message that indicates the first sync point and
can then retroactively adjust the incorrect timestamps collected before
that.
The approach to use '''…'''.split() instead of a list of strings was initially
used when converting from automake because it allowed identical blocks of lines
to be used for both, making the conversion easier.
But over the years we have been using normal lists more and more, especially
when there were just a few filenames listed. This converts the rest.
No functional change.
Currently, running "meson build" followed by "meson test -C build"
will result in many failed tests due to missing dependencies. This
commit adds the missing dependencies to make sure no tests fail.
Old meson fails with:
Element not a string: [<Holder: <ExternalProgram 'sh' -> ['/bin/sh']>>, '-c', 'test -n "$DESTDIR" || /bin/journalctl --update-catalog']
I'm doing it as a revert so that it's easy to undo the revert when we require
newer meson. The effect is not so bad, maybe a dozen or so lines about finding
'sh'.
Meson 0.58 has gotten quite bad with emitting a message every time
a quoted command is used:
Program /home/zbyszek/src/systemd-work/tools/meson-make-symlink.sh found: YES (/home/zbyszek/src/systemd-work/tools/meson-make-symlink.sh)
Program sh found: YES (/usr/bin/sh)
Program sh found: YES (/usr/bin/sh)
Program sh found: YES (/usr/bin/sh)
Program sh found: YES (/usr/bin/sh)
Program sh found: YES (/usr/bin/sh)
Program sh found: YES (/usr/bin/sh)
Program xsltproc found: YES (/usr/bin/xsltproc)
Configuring custom-entities.ent using configuration
Message: Skipping bootctl.1 because ENABLE_EFI is false
Program ln found: YES (/usr/bin/ln)
Program ln found: YES (/usr/bin/ln)
Program ln found: YES (/usr/bin/ln)
Program ln found: YES (/usr/bin/ln)
Program ln found: YES (/usr/bin/ln)
Program ln found: YES (/usr/bin/ln)
Message: Skipping journal-remote.conf.5 because HAVE_MICROHTTPD is false
Message: Skipping journal-upload.conf.5 because HAVE_MICROHTTPD is false
Program ln found: YES (/usr/bin/ln)
Program ln found: YES (/usr/bin/ln)
Message: Skipping loader.conf.5 because ENABLE_EFI is false
Program ln found: YES (/usr/bin/ln)
Program ln found: YES (/usr/bin/ln)
Program ln found: YES (/usr/bin/ln)
Program ln found: YES (/usr/bin/ln)
Program ln found: YES (/usr/bin/ln)
Program ln found: YES (/usr/bin/ln)
Program ln found: YES (/usr/bin/ln)
Program ln found: YES (/usr/bin/ln)
Program ln found: YES (/usr/bin/ln)
Program ln found: YES (/usr/bin/ln)
Program ln found: YES (/usr/bin/ln)
Program ln found: YES (/usr/bin/ln)
Program ln found: YES (/usr/bin/ln)
Program ln found: YES (/usr/bin/ln)
Program ln found: YES (/usr/bin/ln)
Program ln found: YES (/usr/bin/ln)
Program ln found: YES (/usr/bin/ln)
Program ln found: YES (/usr/bin/ln)
Program ln found: YES (/usr/bin/ln)
Program ln found: YES (/usr/bin/ln)
Program ln found: YES (/usr/bin/ln)
Program ln found: YES (/usr/bin/ln)
...
Let's suffer one message only for each command. Hopefully we can silence
even this when https://github.com/mesonbuild/meson/issues/8642 is
resolved.
Let's add a catalog entry explaining further details.
Most importantly though: talk to PID 1 directly, via the private D-Bus
socket, so that this actually works correctly during early boot, where
D-Bus is not around.