This is pretty low-level functionality, hence placed in systemd-analyze.
This is useful for working with systemd-cryptenroll --tpm2-device-key=,
as it acquires the SRK without requiring the full tpm2-tss tool set.
We already save it in PEM format, also store it TPM2_PUBLIC format next
to it. This is useful for usage with systemd-cryptenroll's
--tpm2-device-key= switch.
In 0531bded79 ("core: include peak memory in unit_log_resources()") new log
messages where added, however the size of the according arrays to hold the
messages was not adjusted.
Fixes: 0531bded79 ("core: include peak memory in unit_log_resources()")
Let's use the newly gained feature of `busctl` and start is as a
Type=notify unit, which should make sure the unit is started only after
`busctl` is on the bus listening for messages.
This should help with a race spotted in CIs, where we continued too
early after starting `busctl monitor` and miss the emitted signals:
[ 10.914831] testsuite-45.sh[694]: + systemd-run --unit busctl-monitor.service --service-type=exec busctl monitor --json=short '--match=type='\''signal'\'',sender=org.freedesktop.timesync1,member='\''PropertiesChanged'\'',path=/org/free>
[ 11.064365] systemd[1]: Starting busctl-monitor.service...
[ 11.064903] systemd[1]: Started busctl-monitor.service.
[ 11.065192] testsuite-45.sh[740]: Running as unit: busctl-monitor.service; invocation ID: ee44a9d713c34b9a97e3e7f6f4fffe77
...
[ 11.069255] testsuite-45.sh[694]: + timedatectl ntp-servers ntp99 10.0.0.1
[ 11.077140] systemd-timesyncd[728]: Network configuration changed, trying to establish connection.
[ 11.077461] testsuite-45.sh[694]: + assert_networkd_ntp ntp99 10.0.0.1
...
[ 11.087418] testsuite-45.sh[694]: + assert_timesyncd_signal '2023-11-08 16:28:48.861455' LinkNTPServers 10.0.0.1
...
[ 11.095543] testsuite-45.sh[694]: + for _ in {0..9}
[ 11.095543] testsuite-45.sh[694]: + journalctl -q '--since=2023-11-08 16:28:48.861455' -p info _SYSTEMD_UNIT=busctl-monitor.service --grep .
[ 11.193258] systemd-journald[375]: Received client request to sync journal.
[ 11.112424] testsuite-45.sh[694]: + sleep .5
[ 11.160318] dbus-daemon[465]: [system] Connection :1.56 (uid=0 pid=741 comm="/usr/bin/busctl monitor --json=short --match=type=") became a monitor.
Resolves: #29923
This is pretty much the same stuff as `resolvectl monitor` does, and
allows us to run `busctl monitor` in a Type=notify unit which ensures
that `busctl` is really listening for messages once the unit is marked
as started.
Currently test_setpriority_closest assumes that setting RLIMIT_NICE to 30 will
fail if the process is unprivileged. If it succeeds, it assumes that the
process is privileged and setresuid and setresgid will succeed.
However, if RLIMIT_NICE is already >= 30, then setrlimit will succeed even if
the process is unprivileged. Guard against that by checking for permission
errors in setresuid and setresgid and skipping the full test if so.
Fixes#22896.
Currently empty epochs are not sealed. This allows an attacker to truncate
a sealed log and continue it without any problems showing when verifying the
log.
This partially addresses CVE-2023-31438. One way to extend this change to
address CVE-2023-31438 completely, would be to verify that there is exactly
one seal per epoch (and not sealing when the epoch has not ended yet).
the change also adds a journal-file flag: HEADER_COMPATIBLE_SEALED_CONTINUOUS
this flag indicates that a journal file is sealed continuously and decides whether
any missing crypto epochs should trigger a warning or an error.
O_CREAT doesn't make sense for fd_reopen, since we're
working on an already opened fd. Also, in fd_reopen
we don't handle the mode parameter of open(2), which
means we may get runtime error like #29938.
