| Commit message (Collapse) | Author | Files | Lines |
|---|
|
Our docs say that the Description should be capitalized.
Also, change "commit" to "save" to make this more accessible.
|
|
I was looking at the logs in some bug and saw this:
Mar 13 15:55:12 fedora systemd[1]: systemd-pcrmachine.service - TPM2 PCR Machine ID Measurement was skipped because of an unmet condition check (ConditionSecurity=measured-uki).
Mar 13 15:55:12 fedora systemd[1]: Starting systemd-remount-fs.service - Remount Root and Kernel File Systems...
Mar 13 15:55:12 fedora systemd[1]: systemd-tpm2-setup-early.service - TPM2 SRK Setup (Early) was skipped because of an unmet condition check (ConditionSecurity=measured-uki).
This is overly technical, for most units we don't provide this level of
detail about the implementation. So retitle the units to be more accessible.
Also, the fact that it's a v. 2 of the TPM is not that important. We don't
support TPM 1.2, but computers without TPM v2 are getting rare. For other
units we don't advertise the version of hardware, and let's not do this here,
to reduce some complexity.
|
|
Follow-up for d0aa368c85adf2efa29c363a6671927fe7e8e76f.
|
|
Follow-up for 54b0e05ed0db04d515ecf7773e39cd61b6445698.
|
|
Follow-up for 7cff2b79f00e82c85d0773e8cb4074c59abc6f43.
|
|
Added in
https://github.com/torvalds/linux/commit/501a06fe8e4c185bbda371b8cedbdf1b23a633d8
|
|
Since https://github.blog/2024-01-17-github-hosted-runners-double-the-power-for-open-source/,
it seems that KVM is supported on GA runners, so let's explicitly
enable it to make sure it is used.
We update mkosi to latest and set QemuFirmware=uefi to disable
secure boot which crashes qemu until https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2038777
is fixed.
|
|
Don't fail if SecureBoot is not enabled. Instead, only execute
the secure boot related checks if secure boot is actually enabled.
|
|
Otherwise the cmdline is duplicated for UKIs.
|
|
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.24.6 to 3.24.7.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/8a470fddafa5cbb6266ee11b37ef4d8aae19c571...3ab4101902695724f9365a384f86c1074d94e18c)
---
updated-dependencies:
- dependency-name: github/codeql-action
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
|
|
Bumps pkg/debian from `49132a8` to `5451923`.
---
updated-dependencies:
- dependency-name: pkg/debian
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
|
|
Bumps [actions/checkout](https://github.com/actions/checkout) from 4.1.1 to 4.1.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/b4ffde65f46336ab88eb53be808477a3936bae11...9bb56186c3b09b4f86b1c65136769dd318469633)
---
updated-dependencies:
- dependency-name: actions/checkout
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
|
|
Bumps [meson](https://github.com/mesonbuild/meson) from 1.3.2 to 1.4.0.
- [Release notes](https://github.com/mesonbuild/meson/releases)
- [Commits](https://github.com/mesonbuild/meson/compare/1.3.2...1.4.0)
---
updated-dependencies:
- dependency-name: meson
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
|
|
Bumps [softprops/action-gh-release](https://github.com/softprops/action-gh-release) from 1 to 2.
- [Release notes](https://github.com/softprops/action-gh-release/releases)
- [Changelog](https://github.com/softprops/action-gh-release/blob/master/CHANGELOG.md)
- [Commits](https://github.com/softprops/action-gh-release/compare/de2c0eb89ae2a093876385947365aca7b0e5f844...9d7c94cfd0a1f3ed45544c887983e9fa900f0564)
---
updated-dependencies:
- dependency-name: softprops/action-gh-release
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
|
|
The branch with configure_file() was broken: meson doesn't know that
this file is a prerequisite for other targets, so partial rebuilds were broken.
Easy reproducer:
git mv .git{,.no}
touch meson build && ninja -C build src/basic/libbasic.a
rm build/version.h
ninja -C build src/basic/libbasic.a
Using vcs_tag() also in that case makes meson always build the file.
(Combined with the issue fixed in previous commit, I was encountering
failed builds quite often.)
Fixes 3f6ce3d4f04de0f765bb3bde0e400d0823829486.
|
|
With git-worktree, .git is just a file that specifies where
the parent git directory is. All the git information is available
in a git worktree, so it should be treated the same as a checkout
with a .git directory.
|
|
|
|
|
|
In mkosi, we've been having CI failures caused by
systemd-machine-id-commit.service timing out. Let's bump the timeout
for it and systemd-rfkill.service to 90s which we also use for other
oneshot services to avoid transient failures on slower systems.
|
|
Now that fa3357b9e8d9d7a486902d0b6d4b4015fc10aac0 is merged the fuzz
target should no longer crash there.
|
|
The rest of the kernel build infra for mkosi was already removed a
long time ago, but we forgot to remove this config file. Let's drop
it now as well;
|
|
EVENT_RESULT_EXIT_STATUS_BASE and EVENT_RESULT_SUCCESS has the same value.
Code updated to add assert statement for EVENT_RESULT_EXIT_STATUS_BASE.
|
|
Addresses https://github.com/systemd/systemd/pull/30021#discussion_r1521595855.
|
|
networkctl.c : call 'assert_not_reached' where appropriate
|
|
Follow-up for f90eb086270f0aea8efcbff5a5e4c338d178cfd4
|
|
By always cloning the latest branch commit, we can't bisect properly
using mkosi as when bisecting wildly different packaging sources will
be used compared to when the commit was merged. By using submodules, we
track individual commits which means when bisecting the same packaging
sources will be used.
We use git submodules as dependabot has support for automatically making
PRs to update git submodules. This commit also includes the necessary
dependabot configuration to enable this.
We make ubuntu/debian use the same submodule instead of adding the debian
packaging sources twice by introducing a new $PKG_SUBDIR environment variable
and using it instead of $DISTRIBUTION.
|
|
|
|
Instead of cloning the same repository twice, let's make sure we
use the same directory for both debian/ubuntu.
|
|
|
|
|
|
Typically if PK is not present we want to treat this as "denied". But
sometimes it makes sense to treat this case as "allowed".
In particular the combination POLKIT_ALWAYS_QUERY and
POLKIT_DEFAULT_ALLOW makes a lot of sense: it means we can enable PK
logic for actions where we so far bypassed the checks for root. With the
new combination we can have a default policy of allowing some operation
but still provide an effective hook to disable it.
Also add some debug logging about PK operations and results as they are ongoing.
|
|
When this flag is set we'll disable the local shortcut that skips polkit
checks for clients that are privileged, and assumes they are
authenticated.
Or in other words: if this flag is set, we'll query PK not matter what,
regardless if it's root we talk about or any other user.
|
|
This adds a new helper that basically just wraps
async_polkit_query_have_action() and allows calling this without
actually triggering a PK authentication operation: it just checks if we
aleady have acquired an action or not.
|
|
Added code for calling the 'assert_not_reached' function as the value of the 'family' parameter must be either 'AF_INET' or 'AF_INET6'.
|
|
- prefix length and preference should be fit in uint8_t, and actually
the kernel and networkd uses uint8_t to store them.
- captive portal is now stored as a NUL-terminated string. Hence, it
is not necessary to also provide its length.
|
|
The Router Advertisement option can take the MAC address of the sender.
Let's introduce a function to get it from the parsed options.
|
|
|
|
Advertisement
|
|
It is not used in this commit, but will be used for parsing NDisc
options in Router Advertisement message and friends.
The parser does mostly equivalent to what currently we do in
sd-ndisc-router.c. Several notable differences are:
- also perse source and target link-layer address,
- refuse multiple captive portals,
- check if the captive portal is in safe characters, as previously we
checked that in networkd-ndisc.c,
- dedup prefixes, routes, and pref64,
- limit the total number of options, for safety.
|
|
|
|
ProtectSystem=full remounts /boot and/or /efi read-only, but that
may trigger automount for the paths and delay the service being started.
===
systemd[1]: boot.automount: Got automount request for /boot, triggered by 720 ((networkd))
===
The service does not need to access the paths, so let's hide them.
Follow-up for f90eb086270f0aea8efcbff5a5e4c338d178cfd4.
Fixes #31742.
|
|
|
|
We may want to propagate O_APPEND, or (try to) keep the current file position,
even if we use fd_reopen() to re-initialize (and "unshare") other file
description status.
For now, used only with --pty to keep/propagate O_APPEND (and/or) position
if set on stdin/stdout.
If we re-open stdout and "drop" the O_APPEND,
we get rather "unexpected" behavior,
for example with repeated "systemd-run --pty >> some-log".
If someone carefully pre-positioned the passed in original file descriptors,
we avoid surprises if we do not reset file postition to zero.
fcntl F_GETFL first, and propagate O_APPEND if present in the existing flags.
Then use lseek to propagate the file position.
|
|
If both $ARTIFACT_DIRECTORY and $SPLIT_TEST_LOGS are set, split the
output from each test into a separate log file, so we don't have to load
one ginormous log file when checking the results.
|
|
|
|
|
|
The latest GH Action runners started using 32-bit entropy for ASLR,
which makes it incompatible with llvm-14. This was fixed in later llvm
releases, but these aren't available on Ubuntu Jammy (22.04). Let's
reduce the ASLR entropy to 28-bit, which should make llvm happy again,
until the issue is resolved.
See: https://github.com/actions/runner-images/issues/9491
|
|
|
|
|
|
This was lost on refactor, and only addons had a default uki
line in the .sbat. Add it back, and differentiate between the
default for UKIs vs the default for addons, so that they can
be revoked separately. These are only defaults and users are
encouraged to provide their own.
Follow-up for a8b645dec8e6abf4c9ba0c93a6a0088953a2155e
|
