The official org.varlink.service interface definition, as per:
https://varlink.org/Service
And the io.systemd service where we carry some super generic errors our
Varlink implementation generates.
When verifying seals produced with forward secure sealing, the verification
currently does not check that old entries are only sealed with the key for
their epoch and not a more recent one. This missing check allows an attacker
to remove seals, and create new ones with the currently available key, and
verify will claim everything is in order, although all entries could have
been modified.
This resolves CVE-2023-31439.
Co-authored-by: Felix Dörre <felix.doerre@kit.edu>
Previously, if the input offset 'p' does not point to an entry object,
the function returns the next of the nearest entry object on
DIRECTION_DOWN, as generic_array_bisect() already returns the nearest
entry object.
If the first call of generic_array_bisect_plus_one() provides the same
offset, then it is not necessary to call the next one, as we already
know the entry object is also liked to the input data object.
Also, this make the function reuse the object returned by
generic_array_bisect_plus_one().
No functional change, just optimization.
Follow-up for ec50313d4e.
The function generic_array_bisect_plus_one() does not read any new data
objects, so the data object is still valid, and not necessary to re-read it.
Now that we translate in both directions (from enum to string, and
string to enum) let's just make the thing a proper enum with a proper
string table, like we generally do.
If a source dir doesn't exist, mention this, but continue.
This is useful to permit generic definitions that apply to all kinds of
trees, where some parts might remain unpopulated.
Back at Plumbers 2022 we discussed that we should push people towards
using the .sysext.raw and .confext.raw for their DDIs if they are
extension images. Let's actually support that, by chopping off these
suffixes when turning file names into "pretty image names".
This adds --make-ddi=confext, --make-ddi=sysext, --make-ddi=portable, to
make it really easiy to generate DDIs of the specified class. It
it's ultimately just a fancy wrapper around some defaults and in
particular --definitions=.
This makes it very easy to generate a confext:
$ systemd-repart -C --private-key=privkey.pem --certificate=cert.crt -s mytree/ mytree.confext.raw
This specifies a directory to which CopyFiles= is considered relative.
If unset defaults to the --root=/--image= setting, or host / otherwise.
This is very similar to --root= but is much more focussed: it is really
and exclusively about CopyFiles= (and related settings such as
ExcludeFiles=) and does not affect any of the settings, i.e. it doesn't
affect CopyBlocks=, the machine ID/seed handling, or where definitions
are read from.
In fact, --root= and --copy-source= may be combined for example to
use the machine ID and similar from one tree, but the copy the files
from another.
Introduce a new enum value EMPTY_UNSET to which arg_empty now is set
initially. Only after we finished parsing the command line we'll now set
this to EMPTY_REFUSE as before.
This prepares ground for later changes, where we then can make different
decisions after havig all input from the command line.
As of now this doesn't change behaviour of systemd-repart, it just
rearranges things a bit.
When --dry-run=yes is used it makes sense to spawn a pager to look at
the report it provides you with about what it is about to do. Hoewver,
when we are actually doing it, then the output is more in the category
of "logs" than "review material", and logs we generally don't page when
we generate them.
Let's modernize and clean up search_and_fopen a bit: let's add support
for regular open() (instead of fopen()), as well as access() (if caller
just wants to check if a file exists without opening it.
This unifies much of the code involved, which previously was duplicated
in search_and_fopen() and search_and_fopen_nulstr()
mount_option_supported() will call fsopen() which will probe the
kernel filesystem module. This means that we'll suddenly start
probing filesystem modules when running generators as those determine
which mount options to use. To prevent generators from loading kernel
filesystem modules as much as possible, let's always first check the
hardcoded list of filesystem which we know support a feature before
falling back to asking the kernel.
The option was introduced with systemd v250 although it went
undocumented. It effectively sits between Default and OneShot, in term
of priority.
It is repeatedly updated as long as loader.conf default is "@saved" and
the OneShot is not set.
v2:
- squash some typos
v3:
- special mention to default @saved + loader.conf reference
- reword update side, to avoid misleading that it's needlessly
overwritten
Signed-off-by: Emil Velikov <emil.velikov@collabora.com>
