Lines Matching refs:we
78 semantics, like we do for device.c now
87 are not directly belonging to the user's UID. Goal: we shouldn't place more
102 this way we can implement disk encryption policies that bind to specific
104 the kernel includes the PCR signature blob we should be good, as disk
107 on the measured kernel/initrd of course, thus we cannot put the signature
109 Hence we have to find a separate place. A simple solution is a PE section
118 optionally sign them. for that we should extend our syntax for specifying pcr
190 descriptors, and clear this set piecemeal when we see the IN_IGNORED event
191 for it, or when read() returns EAGAIN or on IN_Q_OVERFLOW. Then, whenever we
194 case the same wd is reused multiple times before we start processing
200 * sd-stub: set efi vars declaring TPM PCRs we measured creds/cmdline + sysext
201 into (even if we hardcode them)
225 - sd-stub should measure the kernel/initrd/… into a separate PCR, so that we
226 have one PCR we can bind the encrypted creds to that is not affected by
227 anything else but what we drop in via kernel-install, i.e. by earlier EFI
237 while we are at it, also maybe extend the logic to require handling of some
239 the sigqueue() data parameter. With that we extended with minimal logic the
242 * firstboot: maybe just default to C.UTF-8 locale if nothing is set, so that we
267 so that we might even open up the random seed logic to non-SecureBoot
285 priority again. That way we can combat event source starvation without
301 * sd-boot: maybe add support for embedding the various auxiliary resources we
304 files, drivers, keys to enroll and so on. Then, add whatever we find that way
322 sd-stub credentials. That way, we can support parallel OS installations with
373 timestamp of the entry to the realtime clock using this info. This way we can
433 file system tree to boot into, similar to how we do that for the gpt auto
438 The GPT dissection logic should automatically enable this tool whenever we
453 we'll switch to the real user record, i.e. home dir and shell, and our tool
455 we'll neatly prompt for the homedir's password if it's needed. –– Building on
456 this we could take this even further: since this tool will potentially have
457 access to the client's ssh-agent (if ssh-agent forwarding is enabled) we
459 ssh pubkey in a user record we'd ask the ssh-agent to sign some random value
472 CapabilityQuintet we already have. (This likely allows us to drop libcap
478 * add concept for "exitrd" as inverse of "initrd", that we can transition to at
499 including a path to an AF_UNIX path, similar to how we do things with the
516 * we probably should extend the root verity hash of the root fs into some PCR
573 /dev/gpt-auto-{home,srv,boot,…} similar in style to /dev/gpt-auto-root as we
576 * whenever we receive fds via SCM_RIGHTS make sure none got dropped due to the
642 entered, and we are on battery power (or so), power off machine again
670 it up from there in sd_bus_creds logic. i.e. we can use the socket peer
680 documented in the pivot_root(2) man page, so that we can drop the /oldroot
684 that the kernel does what we otherwise do.
714 * seccomp: maybe use seccomp_merge() to merge our filters per-arch if we can.
760 if the host has no machine ID set yet we continue to use the random one the
766 arbitrary processes, regardless of the priority we want to watch them with,
767 hence on each event loop iteration check all processes which we shall watch
777 that's outside of the LUKS encryption/verity verification, and we probably
778 shouldn't operate in a volatile mode unless we got told so from a trusted
793 threshold, go to suspend again, only hibernate if below it. This means we'd
795 empty (well, subject to our sampling interval). Related to this, check if we
797 i.e. see if it can wake up machines from suspend, so that we could resume
842 a seccomp option we don't have to set NNP. For that, change uid first whil
850 * paranoia: whenever we process passwords, call mlock() on the memory
851 first. i.e. look for all places we use free_and_erasep() and
871 imports). For example, for systemd we could use
876 * Augment MESSAGE_ID with MESSAGE_BASE, in a similar fashion so that we can
899 files and suchlike we operate on.
934 environment. Which we can use for /etc/machine-id and in particular
943 and so on, which would mean we could report errors and such.
945 * introduce DefaultSlice= or so in system.conf that allows changing where we
957 * be stricter with fds we receive for the fdstore: close them asynchronously
973 creating them when starting up. That way, we could declare that
974 systemd-journald writes to /var/log/journal, which could be useful when we
980 the runtime dir as we maintain for the fdstore: i.e. keep it around as long
996 make it lose its identity, i.e. be anonymous. For this we'd have to patch
1010 alternatively, do this with projids, so that we can also cover services
1026 that we create the dir in question when the service is started. Example:
1038 services results in two things: we raise SIGSTOP right before invoking
1074 * in nss-systemd, if we run inside of RootDirectory= with PrivateUsers= set,
1088 * transient units: don't bother with actually setting unit properties, we
1095 * PID1: find a way how we can reload unit file configuration for
1102 * when we detect that there are waiting jobs but no running jobs, do something
1107 as we have for debugfs. for example, src/core/mount.c handles mounts
1113 * initrd-parse-etc.service: can we skip daemon-reload if /sysroot/etc/fstab is missing?
1114 Note that we start initrd-fs.target and initrd-cleanup.target there, so a straightforward
1128 the behaviour we already have for CD drives.
1138 * as soon as we have sender timestamps, revisit coalescing multiple parallel daemon reloads:
1141 * figure out when we can use the coarse timers
1148 * exponential backoff in timesyncd when we cannot reach a server
1166 names, so that for the container case we can establish the same name
1179 * figure out a nice way how we can let the admin know what child/sibling unit causes cgroup members…
1211 * when we detect low battery and no AC on boot, show pretty splash and refuse boot
1215 * be more careful what we export on the bus as (usec_t) 0 and (usec_t) -1
1217 * rfkill,backlight: we probably should run the load tools inside of the udev rules so that the stat…
1221 * If we try to find a unit via a dangling symlink, generate a clean
1222 error. Currently, we just ignore it and read the unit from the search
1238 when we start a service in order to avoid confusion when a user
1263 - when we automatically restart a service, ensure we restart its rdeps, too.
1266 …- If we show an error about a unit (such as not showing up) and it has no Description string, then…
1267 - after deserializing sockets in socket.c we should reapply sockopts and things
1269 currently is properly synchronous, Reexec() is weird, because we
1270 cannot delay the response properly until we are back, so instead of
1271 being properly synchronous we just keep open the fd and close it
1291 - Allow multiple ExecStart= for all Type= settings, so that we can cover rescue.service nicely
1300 * clean up date formatting and parsing so that all absolute/relative timestamps we format can also …
1315 * seems that when we follow symlinks to units we prefer the symlink
1320 * when isolating, try to figure out a way how we implicitly can order
1321 all units we stop before the isolating unit...
1334 and we might want to requeue the mounts local-fs acquired through
1339 * remove any syslog support from log.c — we probably cannot do this before split-off udev is gone f…
1357 …- see if we can introduce a new sd_bus_get_owner_machine_id() call to retrieve the machine ID of t…
1358 - see if we can drop more message validation on the sending side
1370 - define more intervals where we will shift wakeup intervals around in, 1h, 6h, 24h, ...
1371 - maybe support iouring as backend, so that we allow hooking read and write
1376 * dbus: when a unit failed to load (i.e. is in UNIT_ERROR state), we
1385 * firstboot: allow provisioning of /etc/hosts entries, so that we can via the
1438 any session we should probably just become a NOP, since that's
1451 the session scope can be arranged freely in slices and we don't have
1458 Currently we only expose their identifiers.
1474 - fall back to /dev/log based logging in libsystemd-journal, if we cannot log natively?
1478 "dropped %u messages" not only when we are about to print the next
1480 …- check if we can make journalctl by default use --follow mode inside of less if called without ar…
1487 …- journal-send.c, log.c: when the log socket is clogged, and we drop, count this and write a messa…
1492 - journald: we currently rotate only after MaxUse+MaxFilesize has been reached.
1497 - when a kernel driver logs in a tight loop, we should ratelimit that too.
1499 - journald: when we drop syslog messages because the syslog socket is
1507 lazily. Encode just enough information in the file name, so that we
1514 in a world where userns is ubiquitous since otherwise we cannot
1516 if LimitNPROC= is used without User= we should warn and refuse
1544 keyed by PID, cache per-cgroup attributes (i.e. the various xattrs we read)
1562 and we should also have a unit test to check that all our message are OK.)
1568 …- update LUKS password on login if we find there's a password that unlocks the JSON record but not…
1577 …- distinguish destroy / remove (i.e. currently we can unregister a user, unregister+remove their h…
1578 …- in systemd's PAMName= logic: query passwords with ssh-askpassword, so that we can make "loginctl…
1585 …1-token-uri=" is used, synthesize ssh-authorized-keys records for all keys we have private keys on…
1613 - maybe make all *.home files owned by `systemd-home` user or so, so that we
1615 - on login, if we can't fallocate initially, but rebalance is on, then allow
1623 specified, synthesize a definition automatically if we can: enlarge last
1654 we can reasonably size swap partitions for hibernation.
1670 them (think ESP: we don't ever want to grow it, since we cannot resize vfat)
1707 right) become genuine first class citizens, and we gain automatic, sane JSON
1728 races though, since we should flush out all journal messages before
1773 so that we make cgroup agent logic safe
1808 … also log the full size that the process had, and make a metadata field so we can report truncated…
1824 network devices where possible, so we can safely rely
1837 …- dhcp: do we allow configuring dhcp routes on interfaces that are not the one we got the dhcp inf…
1856 - figure out how much we can increase Maximum Message Size