diff --git a/0001-macro-fix-indentation.patch b/0001-macro-fix-indentation.patch new file mode 100644 index 0000000..49c18bc --- /dev/null +++ b/0001-macro-fix-indentation.patch @@ -0,0 +1,28 @@ +From 0c372e24bb30c25beccd76c071baca22258e71c9 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Wed, 26 Oct 2022 03:28:08 +0900 +Subject: [PATCH] macro: fix indentation + +(cherry picked from commit e967926b092d8635b3da28fc4ca492009e32228f) + +Related #2138081 +--- + src/fundamental/macro-fundamental.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/fundamental/macro-fundamental.h b/src/fundamental/macro-fundamental.h +index 63f4c49e78..faab16ab31 100644 +--- a/src/fundamental/macro-fundamental.h ++++ b/src/fundamental/macro-fundamental.h +@@ -290,7 +290,7 @@ + switch (x) { \ + FOR_EACH_MAKE_CASE(__VA_ARGS__) \ + _found = true; \ +- break; \ ++ break; \ + default: \ + break; \ + } \ +-- +2.38.1 + diff --git a/0002-test-add-a-couple-of-sanity-tests-for-journalctl.patch b/0002-test-add-a-couple-of-sanity-tests-for-journalctl.patch new file mode 100644 index 0000000..777b6c5 --- /dev/null +++ b/0002-test-add-a-couple-of-sanity-tests-for-journalctl.patch @@ -0,0 +1,64 @@ +From 5ac8c56f111f2875467422c851a05891c0ec7d1b Mon Sep 17 00:00:00 2001 +From: Frantisek Sumsal +Date: Mon, 31 Oct 2022 12:11:59 +0100 +Subject: [PATCH] test: add a couple of sanity tests for journalctl + +(cherry picked from commit ca46781c5ffa3aaa7a8fb6f09976357d003c4aae) + +Related #2138081 +--- + test/units/testsuite-04.sh | 38 ++++++++++++++++++++++++++++++++++++++ + 1 file changed, 38 insertions(+) + +diff --git a/test/units/testsuite-04.sh b/test/units/testsuite-04.sh +index b5468cbea4..fdc3273fea 100755 +--- a/test/units/testsuite-04.sh ++++ b/test/units/testsuite-04.sh +@@ -119,6 +119,44 @@ systemctl start silent-success + journalctl --sync + [[ -z "$(journalctl -b -q -u silent-success.service)" ]] + ++# Exercise the matching machinery ++SYSTEMD_LOG_LEVEL=debug journalctl -b -n 1 /dev/null /dev/zero /dev/null /dev/null /dev/null ++journalctl -b -n 1 /bin/true /bin/false ++journalctl -b -n 1 /bin/true + /bin/false ++journalctl -b -n 1 -r --unit "systemd*" ++ ++systemd-run --user -M "testuser@.host" /bin/echo hello ++journalctl --sync ++journalctl -b -n 1 -r --user-unit "*" ++ ++(! journalctl -b /dev/lets-hope-this-doesnt-exist) ++(! journalctl -b /dev/null /dev/zero /dev/this-also-shouldnt-exist) ++(! journalctl -b --unit "this-unit-should-not-exist*") ++ ++# Facilities & priorities ++journalctl --facility help ++journalctl --facility kern -n 1 ++journalctl --facility syslog --priority 0..3 -n 1 ++journalctl --facility syslog --priority 3..0 -n 1 ++journalctl --facility user --priority 0..0 -n 1 ++journalctl --facility daemon --priority warning -n 1 ++journalctl --facility daemon --priority warning..info -n 1 ++journalctl --facility daemon --priority notice..crit -n 1 ++journalctl --facility daemon --priority 5..crit -n 1 ++ ++(! journalctl --facility hopefully-an-unknown-facility) ++(! journalctl --priority hello-world) ++(! journalctl --priority 0..128) ++(! journalctl --priority 0..systemd) ++ ++# Other options ++journalctl --disk-usage ++journalctl --dmesg -n 1 ++journalctl --fields ++journalctl --list-boots ++journalctl --update-catalog ++journalctl --list-catalog ++ + # Add new tests before here, the journald restarts below + # may make tests flappy. + +-- +2.38.1 + diff --git a/0003-man-fix-typo-found-by-Lintian.patch b/0003-man-fix-typo-found-by-Lintian.patch new file mode 100644 index 0000000..4c0761e --- /dev/null +++ b/0003-man-fix-typo-found-by-Lintian.patch @@ -0,0 +1,28 @@ +From b1a2687cf5b419d6928d024f26aabe1de8ff7727 Mon Sep 17 00:00:00 2001 +From: Luca Boccassi +Date: Mon, 31 Oct 2022 21:17:47 +0000 +Subject: [PATCH] man: fix typo found by Lintian + +(cherry picked from commit 84033dd40588dbf4f57a746c141fe7d111247a93) + +Related #2138081 +--- + man/loader.conf.xml | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/man/loader.conf.xml b/man/loader.conf.xml +index 3ee42cdb73..7f173aec61 100644 +--- a/man/loader.conf.xml ++++ b/man/loader.conf.xml +@@ -236,7 +236,7 @@ + + The different sets of variables can be set up under /loader/keys/NAME + where NAME is the name that is going to be used as the name of the entry. +- This allows to ship multiple sets of Secure Boot variables and choose which one to enroll at runtime. ++ This allows one to ship multiple sets of Secure Boot variables and choose which one to enroll at runtime. + + Supported secure boot variables are one database for authorized images, one key exchange key (KEK) + and one platform key (PK). For more information, refer to the UEFI specification, +-- +2.38.1 + diff --git a/0004-test-add-x-to-assert.sh.patch b/0004-test-add-x-to-assert.sh.patch new file mode 100644 index 0000000..29e8ae8 --- /dev/null +++ b/0004-test-add-x-to-assert.sh.patch @@ -0,0 +1,22 @@ +From 3d2fc0517d43ff2c5c6fc03ebb68ef9429be5fd4 Mon Sep 17 00:00:00 2001 +From: Luca Boccassi +Date: Mon, 31 Oct 2022 21:18:53 +0000 +Subject: [PATCH] test: add +x to assert.sh + +The script has a shebang and .sh extension, so make it executable + +W: systemd-tests: script-not-executable [usr/lib/systemd/tests/testdata/units/assert.sh] +(cherry picked from commit fb4f7271d9f75a44756b110706cdb53b82f407ce) + +Related #2138081 +--- + test/units/assert.sh | 0 + 1 file changed, 0 insertions(+), 0 deletions(-) + mode change 100644 => 100755 test/units/assert.sh + +diff --git a/test/units/assert.sh b/test/units/assert.sh +old mode 100644 +new mode 100755 +-- +2.38.1 + diff --git a/0005-parse_hwdb-allow-negative-value-for-EVDEV_ABS_-prope.patch b/0005-parse_hwdb-allow-negative-value-for-EVDEV_ABS_-prope.patch new file mode 100644 index 0000000..c428964 --- /dev/null +++ b/0005-parse_hwdb-allow-negative-value-for-EVDEV_ABS_-prope.patch @@ -0,0 +1,28 @@ +From a2cb8467652ca36bd5420dc685d5e6b76014c3e1 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Tue, 1 Nov 2022 13:10:20 +0900 +Subject: [PATCH] parse_hwdb: allow negative value for EVDEV_ABS_ properties + +(cherry picked from commit f0b75cda5a3eac3fe953fd1a429a39e077387997) + +Related #2138081 +--- + hwdb.d/parse_hwdb.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/hwdb.d/parse_hwdb.py b/hwdb.d/parse_hwdb.py +index c0dde75650..5a1ae5a6a0 100755 +--- a/hwdb.d/parse_hwdb.py ++++ b/hwdb.d/parse_hwdb.py +@@ -202,7 +202,7 @@ def property_grammar(): + ] + abs_props = [Regex(r'EVDEV_ABS_[0-9a-f]{2}')('NAME') + - Suppress('=') - +- Word(nums + ':')('VALUE') ++ Word('-' + nums + ':')('VALUE') + ] + + grammar = Or(fixed_props + kbd_props + abs_props) + EOL +-- +2.38.1 + diff --git a/0006-resolved-fix-typo-in-feature-level-table.patch b/0006-resolved-fix-typo-in-feature-level-table.patch new file mode 100644 index 0000000..f25e4ee --- /dev/null +++ b/0006-resolved-fix-typo-in-feature-level-table.patch @@ -0,0 +1,27 @@ +From 07aa3fcbb7b4e4cca7b2e9be6e038ab92bfc5fdc Mon Sep 17 00:00:00 2001 +From: Youfu Zhang <1315097+zhangyoufu@users.noreply.github.com> +Date: Tue, 1 Nov 2022 13:18:25 +0800 +Subject: [PATCH] resolved: fix typo in feature level table + +(cherry picked from commit 2ab0042854934827e61076c6e42c7381fdf78fdf) + +Related #2138081 +--- + src/resolve/resolved-dns-server.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/resolve/resolved-dns-server.c b/src/resolve/resolved-dns-server.c +index 9b74a8d6d8..04a4f53ed0 100644 +--- a/src/resolve/resolved-dns-server.c ++++ b/src/resolve/resolved-dns-server.c +@@ -1087,6 +1087,6 @@ static const char* const dns_server_feature_level_table[_DNS_SERVER_FEATURE_LEVE + [DNS_SERVER_FEATURE_LEVEL_EDNS0] = "UDP+EDNS0", + [DNS_SERVER_FEATURE_LEVEL_TLS_PLAIN] = "TLS+EDNS0", + [DNS_SERVER_FEATURE_LEVEL_DO] = "UDP+EDNS0+DO", +- [DNS_SERVER_FEATURE_LEVEL_TLS_DO] = "TLS+EDNS0+D0", ++ [DNS_SERVER_FEATURE_LEVEL_TLS_DO] = "TLS+EDNS0+DO", + }; + DEFINE_STRING_TABLE_LOOKUP(dns_server_feature_level, DnsServerFeatureLevel); +-- +2.38.1 + diff --git a/0007-coverage-Mark-_coverage__exit-as-noreturn.patch b/0007-coverage-Mark-_coverage__exit-as-noreturn.patch new file mode 100644 index 0000000..d4726a3 --- /dev/null +++ b/0007-coverage-Mark-_coverage__exit-as-noreturn.patch @@ -0,0 +1,31 @@ +From a1f18876d5f7122c9f94af9a84f1324f50dba0ed Mon Sep 17 00:00:00 2001 +From: Jan Janssen +Date: Tue, 1 Nov 2022 09:43:32 +0100 +Subject: [PATCH] coverage: Mark _coverage__exit as noreturn + +../src/basic/coverage.h:15:48: warning: function '_coverage__exit' could +be declared with attribute 'noreturn' [-Wmissing-noreturn] + +(cherry picked from commit 0bab5534b334677652bb69fe15eaa54ce84cbe7d) + +Related #2138081 +--- + src/basic/coverage.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/basic/coverage.h b/src/basic/coverage.h +index 3ef02cf70e..640bddc485 100644 +--- a/src/basic/coverage.h ++++ b/src/basic/coverage.h +@@ -12,7 +12,7 @@ + extern void _exit(int); + extern void __gcov_dump(void); + +-static inline void _coverage__exit(int status) { ++static inline _Noreturn void _coverage__exit(int status) { + __gcov_dump(); + _exit(status); + } +-- +2.38.1 + diff --git a/0008-namespace-Add-hidepid-subset-support-check.patch b/0008-namespace-Add-hidepid-subset-support-check.patch new file mode 100644 index 0000000..9d02760 --- /dev/null +++ b/0008-namespace-Add-hidepid-subset-support-check.patch @@ -0,0 +1,157 @@ +From 6ab61ac93e534aec1ea4d16e77c1c355c8286e64 Mon Sep 17 00:00:00 2001 +From: Daan De Meyer +Date: Thu, 27 Oct 2022 13:14:12 +0200 +Subject: [PATCH] namespace: Add hidepid/subset support check + +Using fsopen()/fsconfig(), we can check if hidepid/subset are supported to +avoid the noisy logs from the kernel if they aren't supported. This works +on centos/redhat 8 as well since they've backported fsopen()/fsconfig(). + +(cherry picked from commit 1c265fcd5963603d338233840129ecad8d9c1420) + +Related #2138081 +--- + meson.build | 2 ++ + src/basic/missing_syscall.h | 40 +++++++++++++++++++++++++++++++ + src/core/namespace.c | 47 ++++++++++++++++++++++++++++++++----- + 3 files changed, 83 insertions(+), 6 deletions(-) + +diff --git a/meson.build b/meson.build +index 76ad51d3fb..7750534466 100644 +--- a/meson.build ++++ b/meson.build +@@ -606,6 +606,8 @@ foreach ident : [ + ['mount_setattr', '''#include '''], + ['move_mount', '''#include '''], + ['open_tree', '''#include '''], ++ ['fsopen', '''#include '''], ++ ['fsconfig', '''#include '''], + ['getdents64', '''#include '''], + ] + +diff --git a/src/basic/missing_syscall.h b/src/basic/missing_syscall.h +index 793d111c55..d54e59fdf9 100644 +--- a/src/basic/missing_syscall.h ++++ b/src/basic/missing_syscall.h +@@ -593,6 +593,46 @@ static inline int missing_move_mount( + + /* ======================================================================= */ + ++#if !HAVE_FSOPEN ++ ++#ifndef FSOPEN_CLOEXEC ++#define FSOPEN_CLOEXEC 0x00000001 ++#endif ++ ++static inline int missing_fsopen(const char *fsname, unsigned flags) { ++# if defined __NR_fsopen && __NR_fsopen >= 0 ++ return syscall(__NR_fsopen, fsname, flags); ++# else ++ errno = ENOSYS; ++ return -1; ++# endif ++} ++ ++# define fsopen missing_fsopen ++#endif ++ ++/* ======================================================================= */ ++ ++#if !HAVE_FSCONFIG ++ ++#ifndef FSCONFIG_SET_STRING ++#define FSCONFIG_SET_STRING 1 /* Set parameter, supplying a string value */ ++#endif ++ ++static inline int missing_fsconfig(int fd, unsigned cmd, const char *key, const void *value, int aux) { ++# if defined __NR_fsconfig && __NR_fsconfig >= 0 ++ return syscall(__NR_fsconfig, fd, cmd, key, value, aux); ++# else ++ errno = ENOSYS; ++ return -1; ++# endif ++} ++ ++# define fsconfig missing_fsconfig ++#endif ++ ++/* ======================================================================= */ ++ + #if !HAVE_GETDENTS64 + + static inline ssize_t missing_getdents64(int fd, void *buffer, size_t length) { +diff --git a/src/core/namespace.c b/src/core/namespace.c +index c3cced7410..852be3bdde 100644 +--- a/src/core/namespace.c ++++ b/src/core/namespace.c +@@ -26,6 +26,7 @@ + #include "list.h" + #include "loop-util.h" + #include "loopback-setup.h" ++#include "missing_syscall.h" + #include "mkdir-label.h" + #include "mount-util.h" + #include "mountpoint-util.h" +@@ -1073,6 +1074,27 @@ static int mount_sysfs(const MountEntry *m) { + return 1; + } + ++static bool mount_option_supported(const char *fstype, const char *key, const char *value) { ++ _cleanup_close_ int fd = -1; ++ int r; ++ ++ /* This function assumes support by default. Only if the fsconfig() call fails with -EINVAL/-EOPNOTSUPP ++ * will it report that the option/value is not supported. */ ++ ++ fd = fsopen(fstype, FSOPEN_CLOEXEC); ++ if (fd < 0) { ++ if (errno != ENOSYS) ++ log_debug_errno(errno, "Failed to open superblock context for '%s': %m", fstype); ++ return true; /* If fsopen() fails for whatever reason, assume the value is supported. */ ++ } ++ ++ r = fsconfig(fd, FSCONFIG_SET_STRING, key, value, 0); ++ if (r < 0 && !IN_SET(errno, EINVAL, EOPNOTSUPP, ENOSYS)) ++ log_debug_errno(errno, "Failed to set '%s=%s' on '%s' superblock context: %m", key, value, fstype); ++ ++ return r >= 0 || !IN_SET(errno, EINVAL, EOPNOTSUPP); ++} ++ + static int mount_procfs(const MountEntry *m, const NamespaceInfo *ns_info) { + _cleanup_free_ char *opts = NULL; + const char *entry_path; +@@ -1090,12 +1112,25 @@ static int mount_procfs(const MountEntry *m, const NamespaceInfo *ns_info) { + * per-instance, we'll exclusively use the textual value for hidepid=, since support was + * added in the same commit: if it's supported it is thus also per-instance. */ + +- opts = strjoin("hidepid=", +- ns_info->protect_proc == PROTECT_PROC_DEFAULT ? "off" : +- protect_proc_to_string(ns_info->protect_proc), +- ns_info->proc_subset == PROC_SUBSET_PID ? ",subset=pid" : ""); +- if (!opts) +- return -ENOMEM; ++ const char *hpv = ns_info->protect_proc == PROTECT_PROC_DEFAULT ? ++ "off" : ++ protect_proc_to_string(ns_info->protect_proc); ++ ++ /* hidepid= support was added in 5.8, so we can use fsconfig()/fsopen() (which were added in ++ * 5.2) to check if hidepid= is supported. This avoids a noisy dmesg log by the kernel when ++ * trying to use hidepid= on systems where it isn't supported. The same applies for subset=. ++ * fsopen()/fsconfig() was also backported on some distros which allows us to detect ++ * hidepid=/subset= support in even more scenarios. */ ++ ++ if (mount_option_supported("proc", "hidepid", hpv)) { ++ opts = strjoin("hidepid=", hpv); ++ if (!opts) ++ return -ENOMEM; ++ } ++ ++ if (ns_info->proc_subset == PROC_SUBSET_PID && mount_option_supported("proc", "subset", "pid")) ++ if (!strextend_with_separator(&opts, ",", "subset=pid")) ++ return -ENOMEM; + } + + entry_path = mount_entry_path(m); +-- +2.38.1 + diff --git a/0009-test-add-a-couple-of-sanity-tests-for-loginctl.patch b/0009-test-add-a-couple-of-sanity-tests-for-loginctl.patch new file mode 100644 index 0000000..3d5fddf --- /dev/null +++ b/0009-test-add-a-couple-of-sanity-tests-for-loginctl.patch @@ -0,0 +1,78 @@ +From 07f188e9ca17345af904e6549c03b1c57d34405a Mon Sep 17 00:00:00 2001 +From: Frantisek Sumsal +Date: Tue, 1 Nov 2022 09:17:58 +0100 +Subject: [PATCH] test: add a couple of sanity tests for loginctl + +(cherry picked from commit 70e9066bc2eaf159e9cde7d95bbee99e44f3045a) + +Related #2138081 +--- + test/units/testsuite-35.sh | 45 ++++++++++++++++++++++++++++++++++++++ + 1 file changed, 45 insertions(+) + +diff --git a/test/units/testsuite-35.sh b/test/units/testsuite-35.sh +index 4ef0f0c11c..85925f2471 100755 +--- a/test/units/testsuite-35.sh ++++ b/test/units/testsuite-35.sh +@@ -338,6 +338,50 @@ EOF + assert_eq "$(loginctl --no-legend | awk '$3=="logind-test-user" { print $5 }')" "tty2" + } + ++test_sanity_check() { ++ # Exercise basic loginctl options ++ ++ if [[ ! -c /dev/tty2 ]]; then ++ echo "/dev/tty2 does not exist, skipping test ${FUNCNAME[0]}." ++ return ++ fi ++ ++ trap cleanup_session RETURN ++ create_session ++ ++ # Run most of the loginctl commands from a user session to make ++ # the seat/session autodetection work-ish ++ systemd-run --user --pipe --wait -M "logind-test-user@.host" bash -eux <<\EOF ++ loginctl list-sessions ++ loginctl session-status ++ loginctl show-session ++ loginctl show-session -P DelayInhibited ++ ++ # We're not in the same session scope, so in this case we need to specify ++ # the session ID explicitly ++ session=$(loginctl --no-legend | awk '$3 == "logind-test-user" { print $1; exit; }') ++ loginctl kill-session --signal=SIGCONT "$session" ++ # FIXME(?) ++ #loginctl kill-session --signal=SIGCONT --kill-who=leader "$session" ++ ++ loginctl list-users ++ loginctl user-status ++ loginctl show-user -a ++ loginctl show-user -P IdleAction ++ loginctl kill-user --signal=SIGCONT "" ++ ++ loginctl list-seats ++ loginctl seat-status ++ loginctl show-seat ++ loginctl show-seat -P IdleActionUSec ++EOF ++ ++ # Requires root privileges ++ loginctl lock-sessions ++ loginctl unlock-sessions ++ loginctl flush-devices ++} ++ + test_session() { + local dev + +@@ -537,6 +581,7 @@ test_properties + test_started + test_suspend_on_lid + test_shutdown ++test_sanity_check + test_session + test_lock_idle_action + test_session_properties +-- +2.38.1 + diff --git a/0010-test-rename-TEST-26-SETENV-to-TEST-26-SYSTEMCTL.patch b/0010-test-rename-TEST-26-SETENV-to-TEST-26-SYSTEMCTL.patch new file mode 100644 index 0000000..c67a807 --- /dev/null +++ b/0010-test-rename-TEST-26-SETENV-to-TEST-26-SYSTEMCTL.patch @@ -0,0 +1,51 @@ +From 66a9a36c3bcd5709c30ac1f2be998eea034a9f6d Mon Sep 17 00:00:00 2001 +From: Frantisek Sumsal +Date: Tue, 1 Nov 2022 17:53:42 +0100 +Subject: [PATCH] test: rename TEST-26-SETENV to TEST-26-SYSTEMCTL + +(cherry picked from commit c5c258ae0a4a0cfc829ed07ff96c7fab79b6ca71) + +Related #2138081 +--- + test/{TEST-26-SETENV => TEST-26-SYSTEMCTL}/Makefile | 0 + test/{TEST-26-SETENV => TEST-26-SYSTEMCTL}/test.sh | 2 +- + test/units/testsuite-26.service | 2 +- + 3 files changed, 2 insertions(+), 2 deletions(-) + rename test/{TEST-26-SETENV => TEST-26-SYSTEMCTL}/Makefile (100%) + rename test/{TEST-26-SETENV => TEST-26-SYSTEMCTL}/test.sh (79%) + +diff --git a/test/TEST-26-SETENV/Makefile b/test/TEST-26-SYSTEMCTL/Makefile +similarity index 100% +rename from test/TEST-26-SETENV/Makefile +rename to test/TEST-26-SYSTEMCTL/Makefile +diff --git a/test/TEST-26-SETENV/test.sh b/test/TEST-26-SYSTEMCTL/test.sh +similarity index 79% +rename from test/TEST-26-SETENV/test.sh +rename to test/TEST-26-SYSTEMCTL/test.sh +index b38e37bfce..64accf850f 100755 +--- a/test/TEST-26-SETENV/test.sh ++++ b/test/TEST-26-SYSTEMCTL/test.sh +@@ -2,7 +2,7 @@ + # SPDX-License-Identifier: LGPL-2.1-or-later + set -e + +-TEST_DESCRIPTION="test setenv" ++TEST_DESCRIPTION="systemctl-related tests" + + # shellcheck source=test/test-functions + . "${TEST_BASE_DIR:?}/test-functions" +diff --git a/test/units/testsuite-26.service b/test/units/testsuite-26.service +index aa553b61a6..d8fdaffb06 100644 +--- a/test/units/testsuite-26.service ++++ b/test/units/testsuite-26.service +@@ -1,6 +1,6 @@ + # SPDX-License-Identifier: LGPL-2.1-or-later + [Unit] +-Description=TEST-26-SETENV ++Description=TEST-26-SYSTEMCTL + + [Service] + ExecStartPre=rm -f /failed /testok +-- +2.38.1 + diff --git a/0011-test-add-a-couple-of-sanity-tests-for-systemctl.patch b/0011-test-add-a-couple-of-sanity-tests-for-systemctl.patch new file mode 100644 index 0000000..4abf580 --- /dev/null +++ b/0011-test-add-a-couple-of-sanity-tests-for-systemctl.patch @@ -0,0 +1,254 @@ +From 680d2b33d3b2a0bed17c2c1594690155bdb910bb Mon Sep 17 00:00:00 2001 +From: Frantisek Sumsal +Date: Tue, 1 Nov 2022 20:47:37 +0100 +Subject: [PATCH] test: add a couple of sanity tests for systemctl + +(cherry picked from commit d16684fe13e1d56e55df19b57b6c01b9a9303086) + +Related #2138081 +--- + test/units/testsuite-26.sh | 209 +++++++++++++++++++++++++++++++++++-- + 1 file changed, 202 insertions(+), 7 deletions(-) + +diff --git a/test/units/testsuite-26.sh b/test/units/testsuite-26.sh +index ad08415317..b83f85917b 100755 +--- a/test/units/testsuite-26.sh ++++ b/test/units/testsuite-26.sh +@@ -3,32 +3,227 @@ + set -eux + set -o pipefail + ++at_exit() { ++ if [[ -v UNIT_NAME && -e "/usr/lib/systemd/system/$UNIT_NAME" ]]; then ++ rm -fv "/usr/lib/systemd/system/$UNIT_NAME" ++ fi ++} ++ ++trap at_exit EXIT ++ ++# Create a simple unit file for testing ++# Note: the service file is created under /usr on purpose to test ++# the 'revert' verb as well ++UNIT_NAME="systemctl-test-$RANDOM.service" ++cat >"/usr/lib/systemd/system/$UNIT_NAME" <<\EOF ++[Unit] ++Description=systemctl test ++ ++[Service] ++ExecStart=sleep infinity ++ExecReload=true ++ ++# For systemctl clean ++CacheDirectory=%n ++ConfigurationDirectory=%n ++LogsDirectory=%n ++RuntimeDirectory=%n ++StateDirectory=%n ++ ++[Install] ++WantedBy=multi-user.target ++EOF ++ ++# Configure the preset setting for the unit file ++mkdir /run/systemd/system-preset/ ++echo "disable $UNIT_NAME" >/run/systemd/system-preset/99-systemd-test.preset ++ ++systemctl daemon-reload ++ ++# Argument help ++systemctl --state help ++systemctl --signal help ++systemctl --type help ++ ++# list-dependencies ++systemctl list-dependencies systemd-journald ++systemctl list-dependencies --after systemd-journald ++systemctl list-dependencies --before systemd-journald ++systemctl list-dependencies --after --reverse systemd-journald ++systemctl list-dependencies --before --reverse systemd-journald ++systemctl list-dependencies --plain systemd-journald ++ ++# list-* verbs ++systemctl list-units ++systemctl list-units --recursive ++systemctl list-units --type=socket ++systemctl list-units --type=service,timer ++systemctl list-units --legend=yes -a "systemd-*" ++systemctl list-units --state=active ++systemctl list-units --with-dependencies systemd-journald.service ++systemctl list-units --with-dependencies --after systemd-journald.service ++systemctl list-units --with-dependencies --before --reverse systemd-journald.service ++systemctl list-sockets ++systemctl list-sockets --legend=no -a "*journal*" ++systemctl list-sockets --show-types ++systemctl list-sockets --state=listening ++systemctl list-timers -a -l ++systemctl list-unit-files ++systemctl list-unit-files "*journal*" ++systemctl list-jobs ++systemctl list-jobs --after ++systemctl list-jobs --before ++systemctl list-jobs --after --before ++systemctl list-jobs "*" ++ ++# Basic service management ++systemctl start --show-transaction "$UNIT_NAME" ++systemctl status -n 5 "$UNIT_NAME" ++systemctl is-active "$UNIT_NAME" ++systemctl reload -T "$UNIT_NAME" ++systemctl restart -T "$UNIT_NAME" ++systemctl try-restart --show-transaction "$UNIT_NAME" ++systemctl try-reload-or-restart --show-transaction "$UNIT_NAME" ++systemctl kill "$UNIT_NAME" ++(! systemctl is-active "$UNIT_NAME") ++systemctl restart "$UNIT_NAME" ++systemctl is-active "$UNIT_NAME" ++systemctl restart "$UNIT_NAME" ++systemctl stop "$UNIT_NAME" ++(! systemctl is-active "$UNIT_NAME") ++ ++# enable/disable/preset ++(! systemctl is-enabled "$UNIT_NAME") ++systemctl enable "$UNIT_NAME" ++systemctl is-enabled -l "$UNIT_NAME" ++# We created a preset file for this unit above with a "disable" policy ++systemctl preset "$UNIT_NAME" ++(! systemctl is-enabled "$UNIT_NAME") ++systemctl reenable "$UNIT_NAME" ++systemctl is-enabled "$UNIT_NAME" ++systemctl preset --preset-mode=enable-only "$UNIT_NAME" ++systemctl is-enabled "$UNIT_NAME" ++systemctl preset --preset-mode=disable-only "$UNIT_NAME" ++(! systemctl is-enabled "$UNIT_NAME") ++systemctl enable --runtime "$UNIT_NAME" ++[[ -e "/run/systemd/system/multi-user.target.wants/$UNIT_NAME" ]] ++systemctl is-enabled "$UNIT_NAME" ++systemctl disable "$UNIT_NAME" ++# The unit should be still enabled, as we didn't use the --runtime switch ++systemctl is-enabled "$UNIT_NAME" ++systemctl disable --runtime "$UNIT_NAME" ++(! systemctl is-enabled "$UNIT_NAME") ++ ++# mask/unmask/revert ++systemctl disable "$UNIT_NAME" ++[[ "$(systemctl is-enabled "$UNIT_NAME")" == disabled ]] ++systemctl mask "$UNIT_NAME" ++[[ "$(systemctl is-enabled "$UNIT_NAME")" == masked ]] ++systemctl unmask "$UNIT_NAME" ++[[ "$(systemctl is-enabled "$UNIT_NAME")" == disabled ]] ++systemctl mask "$UNIT_NAME" ++[[ "$(systemctl is-enabled "$UNIT_NAME")" == masked ]] ++systemctl revert "$UNIT_NAME" ++[[ "$(systemctl is-enabled "$UNIT_NAME")" == disabled ]] ++systemctl mask --runtime "$UNIT_NAME" ++[[ "$(systemctl is-enabled "$UNIT_NAME")" == masked-runtime ]] ++# This should be a no-op without the --runtime switch ++systemctl unmask "$UNIT_NAME" ++[[ "$(systemctl is-enabled "$UNIT_NAME")" == masked-runtime ]] ++systemctl unmask --runtime "$UNIT_NAME" ++[[ "$(systemctl is-enabled "$UNIT_NAME")" == disabled ]] ++ ++# add-wants/add-requires ++(! systemctl show -P Wants "$UNIT_NAME" | grep "systemd-journald.service") ++systemctl add-wants "$UNIT_NAME" "systemd-journald.service" ++systemctl show -P Wants "$UNIT_NAME" | grep "systemd-journald.service" ++(! systemctl show -P Requires "$UNIT_NAME" | grep "systemd-journald.service") ++systemctl add-requires "$UNIT_NAME" "systemd-journald.service" ++systemctl show -P Requires "$UNIT_NAME" | grep "systemd-journald.service" ++ ++# set-property ++systemctl set-property "$UNIT_NAME" IPAccounting=yes MemoryMax=1234567 ++systemctl cat "$UNIT_NAME" ++# These properties should be saved to a persistent storage ++grep -r "IPAccounting=yes" "/etc/systemd/system.control/${UNIT_NAME}.d/" ++grep -r "MemoryMax=1234567" "/etc/systemd/system.control/${UNIT_NAME}.d" ++systemctl revert "$UNIT_NAME" ++(! grep -r "IPAccounting=" "/etc/systemd/system.control/${UNIT_NAME}.d/") ++(! grep -r "MemoryMax=" "/etc/systemd/system.control/${UNIT_NAME}.d/") ++# Same stuff, but with --runtime, which should use /run ++systemctl set-property --runtime "$UNIT_NAME" CPUAccounting=no CPUQuota=10% ++systemctl cat "$UNIT_NAME" ++grep -r "CPUAccounting=no" "/run/systemd/system.control/${UNIT_NAME}.d/" ++grep -r "CPUQuota=10%" "/run/systemd/system.control/${UNIT_NAME}.d/" ++systemctl revert "$UNIT_NAME" ++(! grep -r "CPUAccounting=" "/run/systemd/system.control/${UNIT_NAME}.d/") ++(! grep -r "CPUQuota=" "/run/systemd/system.control/${UNIT_NAME}.d/") ++ ++# Failed-unit related tests ++systemd-run --unit "failed.service" /bin/false ++systemctl is-failed failed.service ++systemctl --state=failed | grep failed.service ++systemctl --failed | grep failed.service ++systemctl reset-failed "fail*.service" ++(! systemctl is-failed failed.service) ++ ++# clean ++systemctl restart "$UNIT_NAME" ++systemctl stop "$UNIT_NAME" ++# Check if the directories from *Directory= directives exist ++# (except RuntimeDirectory= in /run, which is removed when the unit is stopped) ++for path in /var/lib /var/cache /var/log /etc; do ++ [[ -e "$path/$UNIT_NAME" ]] ++done ++# Run the cleanup ++for what in "" configuration state cache logs runtime all; do ++ systemctl clean ${what:+--what="$what"} "$UNIT_NAME" ++done ++# All respective directories should be removed ++for path in /run /var/lib /var/cache /var/log /etc; do ++ [[ ! -e "$path/$UNIT_NAME" ]] ++done ++ ++# --timestamp ++for value in pretty us µs utc us+utc µs+utc; do ++ systemctl show -P KernelTimestamp --timestamp="$value" ++done ++ ++# Aux verbs & assorted checks ++systemctl is-active "*-journald.service" ++systemctl cat "*journal*" ++systemctl cat "$UNIT_NAME" ++systemctl help "$UNIT_NAME" ++ ++# show/set-environment + # Make sure PATH is set + systemctl show-environment | grep -q '^PATH=' +- + # Let's add an entry and override a built-in one + systemctl set-environment PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/testaddition FOO=BAR +- + # Check that both are set + systemctl show-environment | grep -q '^PATH=.*testaddition$' + systemctl show-environment | grep -q '^FOO=BAR$' +- + systemctl daemon-reload +- + # Check again after the reload + systemctl show-environment | grep -q '^PATH=.*testaddition$' + systemctl show-environment | grep -q '^FOO=BAR$' +- + # Check that JSON output is supported + systemctl show-environment --output=json | grep -q '^{.*"FOO":"BAR".*}$' +- + # Drop both + systemctl unset-environment FOO PATH +- + # Check that one is gone and the other reverted to the built-in + systemctl show-environment | grep '^FOO=$' && exit 1 + systemctl show-environment | grep '^PATH=.*testaddition$' && exit 1 + systemctl show-environment | grep -q '^PATH=' ++# Check import-environment ++export IMPORT_THIS=hello ++export IMPORT_THIS_TOO=world ++systemctl import-environment IMPORT_THIS IMPORT_THIS_TOO ++systemctl show-environment | grep "^IMPORT_THIS=$IMPORT_THIS" ++systemctl show-environment | grep "^IMPORT_THIS_TOO=$IMPORT_THIS_TOO" ++systemctl unset-environment IMPORT_THIS IMPORT_THIS_TOO ++(! systemctl show-environment | grep "^IMPORT_THIS=") ++(! systemctl show-environment | grep "^IMPORT_THIS_TOO=") + + echo OK >/testok + +-- +2.38.1 + diff --git a/0012-docs-DPS-and-BLS-have-moved-to-uapi-group.org.patch b/0012-docs-DPS-and-BLS-have-moved-to-uapi-group.org.patch new file mode 100644 index 0000000..a00bb00 --- /dev/null +++ b/0012-docs-DPS-and-BLS-have-moved-to-uapi-group.org.patch @@ -0,0 +1,1195 @@ +From 3c3d99309e5e8dfd1c6a7c48dc3810e30b77fefc Mon Sep 17 00:00:00 2001 +From: Luca Boccassi +Date: Tue, 1 Nov 2022 21:55:23 +0000 +Subject: [PATCH] docs: DPS and BLS have moved to uapi-group.org + +(cherry picked from commit 729a49288153d341d5c4edd5d701421bb766135c) + +Related #2138081 +--- + docs/BOOT_LOADER_SPECIFICATION.md | 745 +----------------------------- + docs/DISCOVERABLE_PARTITIONS.md | 424 +---------------- + 2 files changed, 2 insertions(+), 1167 deletions(-) + +diff --git a/docs/BOOT_LOADER_SPECIFICATION.md b/docs/BOOT_LOADER_SPECIFICATION.md +index 9188033768..33066b2875 100644 +--- a/docs/BOOT_LOADER_SPECIFICATION.md ++++ b/docs/BOOT_LOADER_SPECIFICATION.md +@@ -1,744 +1 @@ +---- +-title: Boot Loader Specification +-category: Booting +-layout: default +-SPDX-License-Identifier: LGPL-2.1-or-later +---- +- +-# The Boot Loader Specification +- +-This document defines a set of file formats and naming conventions that allow +-the boot loader menu entries to be shared between multiple operating systems +-and boot loaders installed on one device. +- +-Operating systems cooperatively manage boot loader menu entry directories that +-contain drop-in files, making multi-boot scenarios easy to support. Boot menu +-entries are defined via two simple formats that can be understood by different +-boot loader implementations, operating systems, and userspace programs. The +-same scheme can be used to prepare OS media for cases where the firmware +-includes a boot loader. +- +-## Target Audience +- +-The target audience for this specification is: +- +-* Boot loader developers, to write a boot loader that directly reads its +- menu entries from these files +-* Firmware developers, to add generic boot loading support directly to the +- firmware itself +-* OS installer developers, to create appropriate partitions and set up the +- initial boot loader menu entries +-* Distribution developers, to create appropriate menu entry snippets when +- installing or updating kernel packages +-* UI developers, to implement user interfaces that list and select among the +- available boot options +- +-## The Partitions +- +-Everything described below is located on one or two partitions. The boot loader +-or user-space programs reading the boot loader menu entries should locate them +-in the following manner: +- +-* On disks with an MBR partition table: +- +- * The boot partition — a partition with the type ID of `0xEA` — shall be used +- as the single location for boot loader menu entries. +- +-* On disks with GPT (GUID Partition Table) +- +- * The EFI System Partition (ESP for short) — a partition with a GPT type GUID +- of `c12a7328-f81f-11d2-ba4b-00a0c93ec93b` — may be used as one of two locations for +- boot loader menu entries. +- +- * Optionally, an Extended Boot Loader Partition (XBOOTLDR partition for +- short) — a partition with GPT type GUID of +- `bc13c2ff-59e6-4262-a352-b275fd6f7172` — may be used as the second of two +- locations for boot loader menu entries. This partition must be located on +- the same disk as the ESP. +- +-There may be at most one partition of each of the types listed above on the +-same disk. +- +-**Note:** _These partitions are **shared** among all OS installations on the +-same disk. Instead of maintaining one boot partition per installed OS (as +-`/boot/` was traditionally handled), all installed OSes use the same place for +-boot loader menu entries._ +- +-For systems where the firmware is able to read file systems directly, the ESP +-must — and the MBR boot and GPT XBOOTLDR partition should — be a file system +-readable by the firmware. For most systems this means VFAT (16 or 32 +-bit). Applications accessing both partitions should hence not assume that +-fancier file system features such as symlinks, hardlinks, access control or +-case sensitivity are supported. +- +-### The `$BOOT` Partition Placeholder +- +-In the text below, the placeholder `$BOOT` will be used to refer to the +-partition determined as follows: +- +- 1. On disks with an MBR partition table: → the boot partition, as described above +- +- 2. On disks with a GPT partition table: → the XBOOTLDR partition if it exists +- +- 3. Otherwise, on disks with a GPT partition table: → the ESP +- +-`$BOOT` is the *primary* place to put boot menu entry resources into, but +-typically not the only one. Most importantly, boot loaders should also pick up +-menu entries from the ESP, even if XBOOTLDR exists (for details see below). +- +-### Creating These Partitions +- +-An installer for an operating system should use this logic when selecting or +-creating partitions: +- +- * If a boot partition (in case of MBR) or an XBOOTLDR partition (in case of +- GPT) already exists it should be used as `$BOOT` and used as primary +- location to place boot loader menu resources in. +- +- * Otherwise, if on GPT and an ESP is found and it is large enough (let's say +- at least 1G) it should be used as `$BOOT` and used as primary location to +- place boot loader menu resources in. +- +- * Otherwise, if on GPT and neither XBOOTLDR nor ESP exist, an ESP should be +- created of the appropriate size and be used as `$BOOT`, and used as primary +- location to place boot loader menu resources in. +- +- * Otherwise, a boot partition (in case of MBR) or XBOOTLDR partition (in case +- of GPT) should be created of an appropriate size, and be used as `$BOOT`, +- and used as primary location to place boot loader menu resources in. +- +-These partitions shall be determined during _installation time_, and +-`/etc/fstab` entries may be created. +- +-### Mount Points +- +-It is recommended to mount `$BOOT` to `/boot/`, and the ESP to `/efi/`. If +-`$BOOT` and the ESP are the same, then either a bind mount or a symlink should +-be established making the partition available under both paths. +- +-(Mounting the ESP to `/boot/efi/`, as was traditionally done, is not +-recommended. Such a nested setup complicates an implementation via direct +-`autofs` mounts — as implemented by `systemd` for example —, as establishing +-the inner `autofs` will trigger the outer one. Mounting the two partitions via +-`autofs` is recommended because the simple VFAT file system has weak data +-integrity properties and should remain unmounted whenever possible.) +- +-## Boot Loader Entries +- +-This specification defines two types of boot loader entries. The first type is +-text based, very simple, and suitable for a variety of firmware, architecture +-and image types ("Type #1"). The second type is specific to EFI, but allows +-single-file images that embed all metadata in the kernel binary itself, which +-is useful to cryptographically sign them as one file for the purpose of +-SecureBoot ("Type #2"). +- +-Not all boot loader entries will apply to all systems. For example, Type #1 +-entries that use the `efi` key and all Type #2 entries only apply to EFI +-systems. Entries using the `architecture` key might specify an architecture that +-doesn't match the local one. Boot loaders should ignore all entries that don't +-match the local platform and what the boot loader can support, and hide them +-from the user. Only entries matching the feature set of boot loader and system +-shall be considered and displayed. This allows image builders to put together +-images that transparently support multiple different architectures. +- +-Note that the three partitions described above are not supposed to be the +-exclusive territory of this specification. This specification only defines +-semantics of the `/loader/entries/` directory (along with the companion file +-`/loader/entries.srel`) and the `/EFI/Linux/` directory inside the file system, +-but it doesn't intend to define contents of the rest of the file system. Boot +-loaders, firmware, and other software implementing this specification may +-choose to place other files and directories in the same file system. For +-example, boot loaders that implement this specification might install their own +-boot code on the same partition; this is particularly common in the case of the +-ESP. Implementations of this specification must be able to operate correctly if +-files or directories other than `/loader/entries/` and `/EFI/Linux/` are found +-in the top level directory. Implementations that add their own files or +-directories to the file systems should use well-named directories, to make name +-collisions between multiple users of the file system unlikely. +- +-### Type #1 Boot Loader Specification Entries +- +-`/loader/entries/` in `$BOOT` is the primary directory containing Type #1 +-drop-in snippets defining boot entries, one `.conf` file for each boot menu +-item. Each OS may provide one or more such entries. +- +-If the ESP is separate from `$BOOT` it may also contain a `/loader/entries/` +-directory, where the boot loader should look for boot entry snippets, as an +-additional source. The boot loader should enumerate both directories and +-present a merged list to the user. Note that this is done for compatibility +-only: while boot loaders should look in both places, OSes should only add their +-files to `$BOOT`. +- +-**Note:** _In all cases the `/loader/entries/` directory should be located +-directly in the root of the file system. Specifically, the `/loader/entries/` +-directory should **not** be located under the `/EFI/` subdirectory on the ESP._ +- +-The file name of the boot entry snippets is used for identification of the boot +-item but shall never be presented to the user in the UI. The file name may be +-chosen freely but should be unique enough to avoid clashes between OS +-installations. More specifically, it is suggested to include the `entry-token` +-(see +-[kernel-install](https://www.freedesktop.org/software/systemd/man/kernel-install.html)) +-or machine ID (see +-[/etc/machine-id](https://www.freedesktop.org/software/systemd/man/machine-id.html)), +-and the kernel version (as returned by `uname -r`, including the OS +-identifier), so that the whole filename is +-`$BOOT/loader/entries/-.conf`. +- +-Example: `$BOOT/loader/entries/6a9857a393724b7a981ebb5b8495b9ea-3.8.0-2.fc19.x86_64.conf`. +- +-In order to maximize compatibility with file system implementations and +-restricted boot loader environments, and to minimize conflicting character use +-with other programs, file names shall be chosen from a restricted character +-set: ASCII upper and lower case characters, digits, "+", "-", "_" and ".". +-Also, the file names should have a length of at least one and at most 255 +-characters (including the file name suffix). +- +-These boot loader menu snippets shall be UNIX-style text files (i.e. lines +-separated by a single newline character), in the UTF-8 encoding. The +-boot loader menu snippets are loosely inspired by Grub1's configuration syntax. +-Lines beginning with "#" are used for comments and shall be ignored. The first +-word of a line is used as key and is separated by one or more spaces from the +-value. +- +-#### Type #1 Boot Loader Entry Keys +- +-The following keys are recognized: +- +-* `title` is a human-readable title for this menu item to be displayed in the +- boot menu. It is a good idea to initialize this from the `PRETTY_NAME=` of +- [os-release](https://www.freedesktop.org/software/systemd/man/os-release.html). +- This name should be descriptive and does not have to be unique. If a boot +- loader discovers two entries with the same title it should show more than +- just the raw title in the UI, for example by appending the `version` +- field. This field is optional. +- +- Example: `title Fedora 18 (Spherical Cow)` +- +-* `version` is a human-readable version for this menu item. This is usually the +- kernel version and is intended for use by OSes to install multiple kernel +- versions with the same `title` field. This field is used for sorting entries, +- so that the boot loader can order entries by age or select the newest one +- automatically. This field is optional. +- +- See [Sorting](#sorting) below. +- +- Example: `version 3.7.2-201.fc18.x86_64` +- +-* `machine-id` is the machine ID of the OS. This can be used by boot loaders +- and applications to filter out boot entries, for example to show only a +- single newest kernel per OS, to group items by OS, or to filter out the +- currently booted OS when showing only other installed operating systems. +- This ID shall be formatted as 32 lower case hexadecimal characters +- (i.e. without any UUID formatting). This key is optional. +- +- Example: `machine-id 4098b3f648d74c13b1f04ccfba7798e8` +- +-* `sort-key` is a short string used for sorting entries on display. This should +- typically be initialized from the `IMAGE_ID=` or `ID=` fields of +- [os-release](https://www.freedesktop.org/software/systemd/man/os-release.html), +- possibly with an additional suffix. This field is optional. +- +- Example: `sort-key fedora` +- +-* `linux` is the Linux kernel image to execute and takes a path relative to the +- root of the file system containing the boot entry snippet itself. It is +- recommended that every distribution creates an entry-token/machine-id and +- version specific subdirectory and places its kernels and initrd images there +- (see below). +- +- Example: `linux /6a9857a393724b7a981ebb5b8495b9ea/3.8.0-2.fc19.x86_64/linux` +- +-* `initrd` is the initrd `cpio` image to use when executing the kernel. This key +- may appear more than once in which case all specified images are used, in the +- order they are listed. +- +- Example: `initrd 6a9857a393724b7a981ebb5b8495b9ea/3.8.0-2.fc19.x86_64/initrd` +- +-* `efi` refers to an arbitrary EFI program. If this key is set, and the system +- is not an EFI system, this entry should be hidden. +- +-* `options` shall contain kernel parameters to pass to the Linux kernel to +- spawn. This key is optional and may appear more than once in which case all +- specified parameters are combined in the order they are listed. +- +- Example: `options root=UUID=6d3376e4-fc93-4509-95ec-a21d68011da2 quiet` +- +-* `devicetree` refers to the binary device tree to use when executing the +- kernel. This key is optional. +- +- Example: `devicetree 6a9857a393724b7a981ebb5b8495b9ea/3.8.0-2.fc19.armv7hl/tegra20-paz00.dtb` +- +-* `devicetree-overlay` refers to a list of device tree overlays that should be +- applied by the boot loader. Multiple overlays are separated by spaces and +- applied in the same order as they are listed. This key is optional but +- depends on the `devicetree` key. +- +- Example: `devicetree-overlay /6a9857a393724b7a981ebb5b8495b9ea/overlays/overlay_A.dtbo /6a9857a393724b7a981ebb5b8495b9ea/overlays/overlay_B.dtbo` +- +-* `architecture` refers to the architecture this entry is for. The argument +- should be an architecture identifier, using the architecture vocabulary +- defined by the EFI specification (i.e. `IA32`, `x64`, `IA64`, `ARM`, `AA64`, +- …). If specified and it does not match the local system architecture this +- entry should be hidden. The comparison should be done case-insensitively. +- +- Example: `architecture aa64` +- +-Each boot loader menu entry drop-in snippet must include at least a `linux` or an `efi` +-key. Here is an example for a complete drop-in file: +- +- # /boot/loader/entries/6a9857a393724b7a981ebb5b8495b9ea-3.8.0-2.fc19.x86_64.conf +- title Fedora 19 (Rawhide) +- sort-key fedora +- machine-id 6a9857a393724b7a981ebb5b8495b9ea +- version 3.8.0-2.fc19.x86_64 +- options root=UUID=6d3376e4-fc93-4509-95ec-a21d68011da2 quiet +- architecture x64 +- linux /6a9857a393724b7a981ebb5b8495b9ea/3.8.0-2.fc19.x86_64/linux +- initrd /6a9857a393724b7a981ebb5b8495b9ea/3.8.0-2.fc19.x86_64/initrd +- +-On EFI systems all Linux kernel images should be EFI images. In order to +-increase compatibility with EFI systems it is highly recommended only to +-install EFI kernel images, even on non-EFI systems, if that's applicable and +-supported on the specific architecture. +- +-Conversely, in order to increase compatibility it is recommended to install +-generic kernel images that make few assumptions about the firmware they run on, +-i.e. it is a good idea that both images shipped as UEFI PE images and those +-which are not don't make unnecessary assumption on the underlying firmware, +-i.e. don't hard depend on legacy BIOS calls or UEFI boot services. +- +-When Type #1 boot loader menu entry snippets refer to other files (for `linux`, +-`initrd`, `efi`, `devicetree`, and `devicetree-overlay`), those files must be +-located on the same partition, and the paths must be absolute paths relative to +-the root of that file system. The naming of those files can be chosen by the +-installer. A recommended scheme is described in the next section. Paths should +-be normalized, i.e. not include `..`, `.` or a sequence of more than one +-`/`. Paths may be prefixed with a `/`, but this is optional and has the same +-effect as paths without it: all paths are always relative to the root directory +-of the partition they are referenced from. +- +-Even though the backing file system is typically case-insensitive (i.e. VFAT) +-it is strongly recommended to reference files in the casing actually used for +-the directories/files, so that placing these files on other file systems is +-still safe and robust. +- +-### Recommended Directory Layout for Additional Files +- +-It is recommended to place the kernel and other other files comprising a single +-boot loader entry in a separate directory: +-`///`. This naming scheme uses the same +-elements as the boot loader menu entry snippet, providing the same level of +-uniqueness. +- +-Example: `$BOOT/6a9857a393724b7a981ebb5b8495b9ea/3.8.0-2.fc19.x86_64/linux` +- `$BOOT/6a9857a393724b7a981ebb5b8495b9ea/3.8.0-2.fc19.x86_64/initrd` +- +-Other naming schemes are possible. In particular, traditionally a flat naming +-scheme with files in the root directory was used. This is not recommended +-because it is hard to avoid conflicts in a multi-boot installation. +- +-### Standard-conformance Marker File +- +-Unfortunately, there are implementations of boot loading infrastructure that +-are also using the `/loader/entries/` directory, but install files that do not +-follow this specification. In order to minimize confusion, a boot loader +-implementation may place the file `/loader/entries.srel` next to the +-`/loader/entries/` directory containing the ASCII string `type1` (followed by a +-UNIX newline). Tools that need to determine whether an existing directory +-implements the semantics described here may check for this file and contents: +-if it exists and contains the mentioned string, it shall assume a +-standards-compliant implementation is in place. If it exists but contains a +-different string it shall assume other semantics are implemented. If the file +-does not exist, no assumptions should be made. +- +-### Type #2 EFI Unified Kernel Images +- +-A unified kernel image is a single EFI PE executable combining an EFI stub +-loader, a kernel image, an initrd image, and the kernel command line. See +-[systemd-stub(7)](https://www.freedesktop.org/software/systemd/man/systemd-stub.html) +-for details. The primary place for such unified images is the `/EFI/Linux/` +-directory in `$BOOT`. Operating systems should place unified EFI kernels only +-in the `$BOOT` partition. Boot loaders should also look in the `/EFI/Linux/` of +-the ESP — if it is different from `$BOOT` — and present a merged list of menu +-entries from both partitions. Regardless if placed in the primary or secondary +-location: the files must have the extension `.efi`. Support for images of this +-type is of course specific to systems with EFI firmware. Ignore this section if +-you work on systems not supporting EFI. +- +-Type #2 file names should be chosen from the same restricted character set as +-Type #1 described above (but with the file name suffix of `.efi` instead of +-`.conf`). +- +-Images of this type have the advantage that all metadata and payload that makes +-up the boot entry is contained in a single PE file that can be signed +-cryptographically as one for the purpose of EFI SecureBoot. +- +-A valid unified kernel image in the `/EFI/Linux/` directory must contain two PE sections: +- +-* `.cmdline` section with the kernel command line, +-* `.osrel` section with an embedded copy of the +- [os-release](https://www.freedesktop.org/software/systemd/man/os-release.html) +- file describing the image. +- +-The `PRETTY_NAME=` and `VERSION_ID=` fields in the embedded `os-release` file +-are used the same as `title` and `version` in the Type #1 entries. The +-`.cmdline` section is used instead of the `options` field. `linux` and `initrd` +-fields are not necessary, and there is no counterpart for the `machine-id` +-field. +- +-On EFI, any such images shall be added to the list of valid boot entries. +- +-### Additional Notes +- +-Note that these boot entry snippets and unified kernels do not need to be the +-only menu entry sources for a boot loader. It may extend this list of +-entries with additional items from other configuration files (for example its +-own native configuration files) or automatically detected other entries without +-explicit configuration. +- +-To make this explicitly clear: this specification is designed with "free" +-operating systems in mind, starting Windows or MacOS is out of focus with these +-boot loader menu entry snippets, use boot-loader specific solutions for +-that. In the text above, if we say "OS" we hence imply "free", i.e. primarily +-Linux (though this could be easily be extended to the BSDs and whatnot). +- +-Note that all paths used in the boot loader menu entry snippets use a +-Unix-style "/" as path separator. This needs to be converted to an EFI-style +-"\\" separator in EFI boot loaders. +- +- +-## Locating Boot Entries +- +-A _boot loader_ locates the XBOOTLDR partition and the ESP, then simply reads +-all the files `/loader/entries/*.conf` in them, and populates its boot menu +-(and handle gracefully if one of the two partitions is missing). On EFI, it +-then extends this with any unified kernel images found in `/EFI/Linux/*.efi` in +-the two partitions. It may also add additional entries, for example a "Reboot +-into firmware" option. Optionally it may sort the menu based on the +-`sort-key`, `machine-id` and `version` fields, and possibly others. It uses the +-file name to identify specific items, for example in case it supports storing +-away default entry information somewhere. A boot loader should generally not +-modify these files. +- +-For "Boot Loader Specification Entries" (Type #1), the _kernel package +-installer_ installs the kernel and initrd images to `$BOOT`. It is recommended +-to place these files in a vendor and OS and installation specific directory. It +-then generates a boot loader menu entry snippet, placing it in +-`$BOOT/loader/entries/xyz.conf`, with "xyz" as concatenation of +-entry-token/machine-id and version information (see above). The files created +-by a kernel package are tied to the kernel package and should be removed along +-with it. +- +-For "EFI Unified Kernel Images" (Type #2), the vendor or kernel package +-installer should create the combined image and drop it into +-`$BOOT/EFI/Linux/`. This file is also tied to the kernel package and should be +-removed along with it. +- +-A _UI application_ intended to show available boot options shall operate +-similarly to a boot loader (and thus search both `$BOOT` and the ESP if +-distinct), but might apply additional filters, for example by filtering the +-booted OS via the machine ID, or by suppressing all but the newest kernel +-versions. +- +-An _OS installer_ picks the right place for `$BOOT` as defined above (possibly +-creating a partition and file system for it) and creates the `/loader/entries/` +-directory and the `/loader/entries.srel` file in it (the latter only if the +-directory didn't exist yet). It then installs an appropriate boot loader that +-can read these snippets. Finally, it installs one or more kernel packages. +- +-## Boot counting +- +-The main idea is that when boot entries are initially installed, they are +-marked as "indeterminate" and assigned a number of boot attempts. Each time the +-boot loader tries to boot an entry, it decreases this count by one. If the +-operating system considers the boot as successful, it removes the counter +-altogether and the entry becomes "good". Otherwise, once the assigned number of +-boots is exhausted, the entry is marked as "bad". +- +-Which boots are "successful" is determined by the operating system. systemd +-provides a generic mechanism that can be extended with arbitrary checks and +-actions, see [Automatic Boot Assessment](AUTOMATIC_BOOT_ASSESSMENT.md), but the +-boot counting mechanism described in this specification can also be used with +-other implementations. +- +-The boot counting data is stored in the name of the boot loader entry. A boot +-loader entry file name may contain a plus (`+`) followed by a number. This may +-optionally be followed by a minus (`-`) followed by a second number. The dot +-(`.`) and file name suffix (`conf` of `efi`) must immediately follow. Boot +-counting is enabled for entries which match this pattern. +- +-The first number is the "tries left" counter signifying how many attempts to boot +-this entry shall still be made. The second number is the "tries done" counter, +-showing how many failed attempts to boot it have already been made. Each time +-a boot loader entry marked this way is booted, the first counter is decremented, +-and the second one incremented. (If the second counter is missing, +-then it is assumed to be equivalent to zero.) If the "tries left" counter is +-above zero the entry is still considered "indeterminate". A boot entry with the +-"tries left" counter at zero is considered "bad". +- +-If the boot attempt completed successfully the entry's counters are removed +-from the name (entry state becomes "good"), thus turning off boot counting for +-this entry. +- +-## Sorting +- +-The boot loader menu should generally show entries in some order meaningful to +-the user. The `title` key is free-form and not suitable to be used as the +-primary sorting key. Instead, the boot loader should use the following rules: +- +-1. Entries which are subject to boot counting and are marked as "bad", should +- be sorted later than all other entries. Entries which are marked as +- "indeterminate" or "good" (or were not subject to boot counting at all), +- are thus sorted earlier. +- +-2. If `sort-key` is set on both entries, use in order of priority, +- the `sort-key` (A-Z, increasing [alphanumerical order](#alphanumerical-order)), +- `machine-id` (A-Z, increasing alphanumerical order), +- and `version` keys (decreasing [version order](#version-order)). +- +-3. If `sort-key` is set on one entry, it sorts earlier. +- +-4. At the end, if necessary, when `sort-key` is not set or those fields are not +- set or are all equal, the boot loader should sort using the file name of the +- entry (decreasing version sort), with the suffix removed. +- +-**Note:** _This description assumes that the boot loader shows entries in a +-traditional menu, with newest and "best" entries at the top, thus entries with +-a higher version number are sorter *earlier*. The boot loader is free to +-use a different direction (or none at all) during display._ +- +-**Note:** _The boot loader should allow booting "bad" entries, e.g. in case no +-other entries are left or they are unusable for other reasons. It may +-deemphasize or hide such entries by default._ +- +-**Note:** _"Bad" boot entries have a suffix of "+0-`n`", where `n` is the +-number of failed boot attempts. Removal of the suffix is not necessary for +-comparisons described by the last point above. In the unlikely scenario that we +-have multiple such boot entries that differ only by the boot counting data, we +-would sort them by `n`._ +- +-### Alphanumerical Order +- +-Free-form strings and machine IDs should be compared using a method equivalent +-to [strcmp(3)](https://man7.org/linux/man-pages/man3/strcmp.3.html) on their +-UTF-8 representations. If just one of the strings is unspecified or empty, it +-compares lower. If both strings are unspecified or empty, they compare equal. +- +-### Version Order +- +-The following method should be used to compare version strings. The algorithm +-is based on rpm's `rpmvercmp()`, but not identical. +- +-ASCII letters (`a-z`, `A-Z`) and digits (`0-9`) form alphanumerical components of the version. +-Minus (`-`) separates the version and release parts. +-Dot (`.`) separates parts of version or release. +-Tilde (`~`) is a prefix that always compares lower. +-Caret (`^`) is a prefix that always compares higher. +- +-Both strings are compared from the beginning until the end, or until the +-strings are found to compare as different. In a loop: +-1. Any characters which are outside of the set of listed above (`a-z`, `A-Z`, `0-9`, `-`, `.`, `~`, `^`) +- are skipped in both strings. In particular, this means that non-ASCII characters +- that are Unicode digits or letters are skipped too. +-2. If one of the strings has ended: if the other string hasn't, the string that +- has remaining characters compares higher. Otherwise, the strings compare +- equal. +-3. If the remaining part of one of strings starts with `~`: +- if other remaining part does not start with `~`, +- the string with `~` compares lower. Otherwise, both tilde characters are skipped. +-4. The check from point 2. is repeated here. +-5. If the remaining part of one of strings starts with `-`: +- if the other remaining part does not start with `-`, +- the string with `-` compares lower. Otherwise, both minus characters are skipped. +-6. If the remaining part of one of strings starts with `^`: +- if the other remaining part does not start with `^`, +- the string with `^` compares higher. Otherwise, both caret characters are skipped. +-6. If the remaining part of one of strings starts with `.`: +- if the other remaining part does not start with `.`, +- the string with `.` compares lower. Otherwise, both dot characters are skipped. +-7. If either of the remaining parts starts with a digit, numerical prefixes are +- compared numerically. Any leading zeroes are skipped. +- The numerical prefixes (until the first non-digit character) are evaluated as numbers. +- If one of the prefixes is empty, it evaluates as 0. +- If the numbers are different, the string with the bigger number compares higher. +- Otherwise, the comparison continues at the following characters at point 1. +-8. Leading alphabetical prefixes are compared alphabetically. +- The substrings are compared letter-by-letter. +- If both letters are the same, the comparison continues with the next letter. +- Capital letters compare lower than lower-case letters (`A < a`). +- When the end of one substring has been reached (a non-letter character or the end +- of the whole string), if the other substring has remaining letters, it compares higher. +- Otherwise, the comparison continues at the following characters at point 1. +- +-Examples (with '' meaning the empty string): +- +-* `11 == 11` +-* `systemd-123 == systemd-123` +-* `bar-123 < foo-123` +-* `123a > 123` +-* `123.a > 123` +-* `123.a < 123.b` +-* `123a > 123.a` +-* `11α == 11β` +-* `A < a` +-* '' < `0` +-* `0.` > `0` +-* `0.0` > `0` +-* `0` < `~` +-* '' < `~` +- +-Note: [systemd-analyze](https://www.freedesktop.org/software/systemd/man/systemd-analyze.html) +-implements this version comparison algorithm as +-``` +-systemd-analyze compare-versions +-``` +- +-## Additional discussion +- +-### Why is there a need for this specification? +- +-This specification brings the following advantages: +- +-* Installation of new boot entries is more robust, as no explicit rewriting of +- configuration files is required. +- +-* It allows an out-of-the-box boot experience on any platform without the need +- of traditional firmware mechanisms (e.g. BIOS calls, UEFI Boot Services). +- +-* It improves dual-boot scenarios. Without cooperation, multiple Linux +- installations tend to fight over which boot loader becomes the primary one in +- possession of the MBR or the boot partition, and only that one installation +- can then update the boot loader configuration. Other Linux installs have to +- be manually configured to never touch the MBR and instead install a +- chain-loaded boot loader in their own partition headers. In this new scheme +- all installations share a loader directory and no manual configuration has to +- take place. All participants implicitly cooperate due to removal of name +- collisions and can install/remove their own boot menu entries without +- interfering with the entries of other installed operating systems. +- +-* Drop-in directories are now pretty ubiquitous on Linux as an easy way to +- extend boot loader menus without having to edit, regenerate or manipulate +- configuration files. For the sake of uniformity, we should do the same for +- the boot menu. +- +-* Userspace code can sanely parse boot loader menu entries which is essential +- with modern firmware which does not necessarily initialize USB keyboards +- during boot, which makes boot menus hard to reach for the user. If userspace +- code can parse the boot loader menu entries too, UI can be written that +- select a boot menu item to boot into before rebooting the machine, thus not +- requiring interactivity during early boot. +- +-* To unify and thus simplify menu entries of the various boot loaders, which +- makes configuration of the boot loading process easier for users, +- administrators, and developers alike. +- +-* For boot loaders with configuration _scripts_ such as grub2, adopting this +- spec allows for mostly static scripts that are generated only once at first +- installation, but then do not need to be updated anymore as that is done via +- drop-in files exclusively. +- +-### Why not simply rely on the EFI boot menu logic? +- +-EFI is not ubiquitous, especially not in embedded systems. But even on systems +-with EFI, which provides a boot options logic that can offer similar +-functionality, this specification is still needed for the following reasons: +- +-* The various EFI implementations implement the boot order/boot item logic to +- different levels. Some firmware implementations do not offer a boot menu at +- all and instead unconditionally follow the EFI boot order, booting the first +- item that is working. +- +-* If the firmware setup is used to reset data, usually all EFI boot entries +- are lost, making the system entirely unbootable, as the firmware setups +- generally do not offer a UI to define additional boot items. By placing the +- menu item information on disk, it is always available, even if the firmware +- configuration is lost. +- +-* Harddisk images should be movable between machines and be bootable without +- requiring firmware configuration. This also requires that the list +- of boot options is defined on disk, and not in EFI variables alone. +- +-* EFI is not universal yet (especially on non-x86 platforms), this +- specification is useful both for EFI and non-EFI boot loaders. +- +-* Many EFI systems disable USB support during early boot to optimize boot +- times, thus making keyboard input unavailable in the EFI menu. It is thus +- useful if the OS UI has a standardized way to discover available boot options +- which can be booted to. +- +-### Why is the version comparison logic so complicated? +- +-The `sort-key` allows us to group entries by "operating system", e.g. all +-versions of Fedora together, no matter if they identify themselves as "Fedora +-Workstation" or "Fedora Rawhide (prerelease)". The `sort-key` was introduced +-only recently, so we need to provide a meaningful order for entries both with +-and without it. Since it is a new concept, it is assumed that entries with +-`sort-key` are newer. +- +-In a traditional menu with entries displayed vertically, we want names to be +-sorter alpabetically (CentOS, Debian, Fedora, OpenSUSE, …), it would be strange +-to have them in reverse order. But when multiple kernels are available for the +-same installation, we want to display the latest kernel with highest priority, +-i.e. earlier in the list. +- +-### Why do you use file renames to store the counter? Why not a regular file? +- +-Mainly two reasons: it's relatively likely that renames can be implemented +-atomically even in simpler file systems, as renaming generally avoids +-allocating or releasing data blocks. Writing to file contents has a much bigger +-chance to be result in incomplete or corrupt data. Moreover renaming has the +-benefit that the boot count metadata is directly attached to the boot loader +-entry file, and thus the lifecycle of the metadata and the entry itself are +-bound together. This means no additional clean-up needs to take place to drop +-the boot loader counting information for an entry when it is removed. +- +-### Why not use EFI variables for storing the boot counter? +- +-The memory chips used to back the persistent EFI variables are generally not of +-the highest quality, hence shouldn't be written to more than necessary. This +-means we can't really use it for changes made regularly during boot, but should +-use it only for seldom-made configuration changes. +- +-### Out of Focus +- +-There are a couple of items that are out of focus for this specification: +- +-* If userspace can figure out the available boot options, then this is only +- useful so much: we'd still need to come up with a way how userspace could +- communicate to the boot loader the default boot loader entry temporarily or +- persistently. Defining a common scheme for this is certainly a good idea, but +- out of focus for this specification. +- +-* This specification is just about "Free" Operating systems. Hooking in other +- operating systems (like Windows and macOS) into the boot menu is a different +- story and should probably happen outside of this specification. For example, +- boot loaders might choose to detect other available OSes dynamically at +- runtime without explicit configuration (like `systemd-boot` does it), or via +- native configuration (for example via explicit Grub2 configuration generated +- once at installation). +- +-* This specification leaves undefined what to do about systems which are +- upgraded from an OS that does not implement this specification. As the +- previous boot loader logic was largely handled by in distribution-specific +- ways we probably should leave the upgrade path (and whether there actually is +- one) to the distributions. The simplest solution might be to simply continue +- with the old scheme for old installations and use this new scheme only for +- new installations. +- +-* Referencing kernels or initrds on other partitions other than the partition +- containing the Type #1 boot loader entry. This is by design, as specifying +- other partitions or devices would require a non-trivial language for denoting +- device paths. In particular this means that on non-EFI systems boot loader +- menu entry snippets following this specification cannot be used to spawn +- other operating systems (such as Windows). +- +- +-## Links +- +-[GUID Partition Table](https://en.wikipedia.org/wiki/GUID_Partition_Table)
+-[Boot Loader Interface](BOOT_LOADER_INTERFACE.md)
+-[Discoverable Partitions Specification](DISCOVERABLE_PARTITIONS.md)
+-[`systemd-boot(7)`](https://www.freedesktop.org/software/systemd/man/systemd-boot.html)
+-[`bootctl(1)`](https://www.freedesktop.org/software/systemd/man/bootctl.html)
+-[`systemd-gpt-auto-generator(8)`](https://www.freedesktop.org/software/systemd/man/systemd-gpt-auto-generator.html) ++[This content has moved to the UAPI group website](https://uapi-group.org/specifications/specs/boot_loader_specification/) +diff --git a/docs/DISCOVERABLE_PARTITIONS.md b/docs/DISCOVERABLE_PARTITIONS.md +index efd20533a5..bc05b6cc5a 100644 +--- a/docs/DISCOVERABLE_PARTITIONS.md ++++ b/docs/DISCOVERABLE_PARTITIONS.md +@@ -1,423 +1 @@ +---- +-title: Discoverable Partitions Specification +-category: Concepts +-layout: default +-SPDX-License-Identifier: LGPL-2.1-or-later +---- +-# The Discoverable Partitions Specification (DPS) +- +-_TL;DR: Let's automatically discover, mount and enable the root partition, +-`/home/`, `/srv/`, `/var/` and `/var/tmp/` and the swap partitions based on +-GUID Partition Tables (GPT)!_ +- +-This specification describes the use of GUID Partition Table (GPT) UUIDs to +-enable automatic discovery of partitions and their intended mountpoints. +-Traditionally Linux has made little use of partition types, mostly just +-defining one UUID for file system/data partitions and another one for swap +-partitions. With this specification, we introduce additional partition types +-for specific uses. This has many benefits: +- +-* OS installers can automatically discover and make sense of partitions of +- existing Linux installations. +-* The OS can discover and mount the necessary file systems with a non-existent +- or incomplete `/etc/fstab` file and without the `root=` kernel command line +- option. +-* Container managers (such as nspawn and libvirt-lxc) can introspect and set up +- file systems contained in GPT disk images automatically and mount them to the +- right places, thus allowing booting the same, identical images on bare metal +- and in Linux containers. This enables true, natural portability of disk +- images between physical machines and Linux containers. +-* As a help to administrators and users partition manager tools can show more +- descriptive information about partitions tables. +- +-Note that the OS side of this specification is currently implemented in +-[systemd](https://systemd.io/) 211 and newer in the +-[systemd-gpt-auto-generator(8)](https://www.freedesktop.org/software/systemd/man/systemd-gpt-auto-generator.html) +-generator tool. Note that automatic discovery of the root only works if the +-boot loader communicates this information to the OS, by implementing the +-[Boot Loader Interface](BOOT_LOADER_INTERFACE.md). +- +-## Defined Partition Type UUIDs +- +-| Name | Partition Type UUID | Allowed File Systems | Explanation | +-|------|---------------------|----------------------|-------------| +-| _Root Partition (Alpha)_ | `6523f8ae-3eb1-4e2a-a05a-18b695ae656f` `SD_GPT_ROOT_ALPHA` | Any native, optionally in LUKS | On systems with matching architecture, the first partition with this type UUID on the disk containing the active EFI ESP is automatically mounted to the root directory `/`. If the partition is encrypted with LUKS or has dm-verity integrity data (see below), the device mapper file will be named `/dev/mapper/root`. | +-| _Root Partition (ARC)_ | `d27f46ed-2919-4cb8-bd25-9531f3c16534` `SD_GPT_ROOT_ARC` | ditto | ditto | +-| _Root Partition (32-bit ARM)_ | `69dad710-2ce4-4e3c-b16c-21a1d49abed3` `SD_GPT_ROOT_ARM` | ditto | ditto | +-| _Root Partition (64-bit ARM/AArch64)_ | `b921b045-1df0-41c3-af44-4c6f280d3fae` `SD_GPT_ROOT_ARM64` | ditto | ditto | +-| _Root Partition (Itanium/IA-64)_ | `993d8d3d-f80e-4225-855a-9daf8ed7ea97` `SD_GPT_ROOT_IA64` | ditto | ditto | +-| _Root Partition (LoongArch 64-bit)_ | `77055800-792c-4f94-b39a-98c91b762bb6` `SD_GPT_ROOT_LOONGARCH64` | ditto | ditto | +-| _Root Partition (32-bit MIPS LittleEndian (mipsel))_ | `37c58c8a-d913-4156-a25f-48b1b64e07f0` `SD_GPT_ROOT_MIPS_LE` | ditto | ditto | +-| _Root Partition (64-bit MIPS LittleEndian (mips64el))_ | `700bda43-7a34-4507-b179-eeb93d7a7ca3` `SD_GPT_ROOT_MIPS64_LE` | ditto | ditto | +-| _Root Partition (HPPA/PARISC)_ | `1aacdb3b-5444-4138-bd9e-e5c2239b2346` `SD_GPT_ROOT_PARISC` | ditto | ditto | +-| _Root Partition (32-bit PowerPC)_ | `1de3f1ef-fa98-47b5-8dcd-4a860a654d78` `SD_GPT_ROOT_PPC` | ditto | ditto | +-| _Root Partition (64-bit PowerPC BigEndian)_ | `912ade1d-a839-4913-8964-a10eee08fbd2` `SD_GPT_ROOT_PPC64` | ditto | ditto | +-| _Root Partition (64-bit PowerPC LittleEndian)_ | `c31c45e6-3f39-412e-80fb-4809c4980599` `SD_GPT_ROOT_PPC64_LE` | ditto | ditto | +-| _Root Partition (RISC-V 32-bit)_ | `60d5a7fe-8e7d-435c-b714-3dd8162144e1` `SD_GPT_ROOT_RISCV32` | ditto | ditto | +-| _Root Partition (RISC-V 64-bit)_ | `72ec70a6-cf74-40e6-bd49-4bda08e8f224` `SD_GPT_ROOT_RISCV64` | ditto | ditto | +-| _Root Partition (s390)_ | `08a7acea-624c-4a20-91e8-6e0fa67d23f9` `SD_GPT_ROOT_S390` | ditto | ditto | +-| _Root Partition (s390x)_ | `5eead9a9-fe09-4a1e-a1d7-520d00531306` `SD_GPT_ROOT_S390X` | ditto | ditto | +-| _Root Partition (TILE-Gx)_ | `c50cdd70-3862-4cc3-90e1-809a8c93ee2c` `SD_GPT_ROOT_TILEGX` | ditto | ditto | +-| _Root Partition (x86)_ | `44479540-f297-41b2-9af7-d131d5f0458a` `SD_GPT_ROOT_X86` | ditto | ditto | +-| _Root Partition (amd64/x86_64)_ | `4f68bce3-e8cd-4db1-96e7-fbcaf984b709` `SD_GPT_ROOT_X86_64` | ditto | ditto | +-| _`/usr/` Partition (Alpha)_ | `e18cf08c-33ec-4c0d-8246-c6c6fb3da024` `SD_GPT_USR_ALPHA` | Any native, optionally in LUKS | Similar semantics to root partition, but just the `/usr/` partition. | +-| _`/usr/` Partition (ARC)_ | `7978a683-6316-4922-bbee-38bff5a2fecc` `SD_GPT_USR_ARC` | ditto | ditto | +-| _`/usr/` Partition (32-bit ARM)_ | `7d0359a3-02b3-4f0a-865c-654403e70625` `SD_GPT_USR_ARM` | ditto | ditto | +-| _`/usr/` Partition (64-bit ARM/AArch64)_ | `b0e01050-ee5f-4390-949a-9101b17104e9` `SD_GPT_USR_ARM64` | ditto | ditto | +-| _`/usr/` Partition (Itanium/IA-64)_ | `4301d2a6-4e3b-4b2a-bb94-9e0b2c4225ea` `SD_GPT_USR_IA64` | ditto | ditto | +-| _`/usr/` Partition (LoongArch 64-bit)_ | `e611c702-575c-4cbe-9a46-434fa0bf7e3f` `SD_GPT_USR_LOONGARCH64` | ditto | ditto | +-| _`/usr/` Partition (32-bit MIPS LittleEndian (mipsel))_ | `0f4868e9-9952-4706-979f-3ed3a473e947` `SD_GPT_USR_MIPS_LE` | ditto | ditto | +-| _`/usr/` Partition (64-bit MIPS LittleEndian (mips64el))_ | `c97c1f32-ba06-40b4-9f22-236061b08aa8` `SD_GPT_USR_MIPS64_LE` | ditto | ditto | +-| _`/usr/` Partition (HPPA/PARISC)_ | `dc4a4480-6917-4262-a4ec-db9384949f25` `SD_GPT_USR_PARISC` | ditto | ditto | +-| _`/usr/` Partition (32-bit PowerPC)_ | `7d14fec5-cc71-415d-9d6c-06bf0b3c3eaf` `SD_GPT_USR_PPC` | ditto | ditto | +-| _`/usr/` Partition (64-bit PowerPC BigEndian)_ | `2c9739e2-f068-46b3-9fd0-01c5a9afbcca` `SD_GPT_USR_PPC64` | ditto | ditto | +-| _`/usr/` Partition (64-bit PowerPC LittleEndian)_ | `15bb03af-77e7-4d4a-b12b-c0d084f7491c` `SD_GPT_USR_PPC64_LE` | ditto | ditto | +-| _`/usr/` Partition (RISC-V 32-bit)_ | `b933fb22-5c3f-4f91-af90-e2bb0fa50702` `SD_GPT_USR_RISCV32` | ditto | ditto | +-| _`/usr/` Partition (RISC-V 64-bit)_ | `beaec34b-8442-439b-a40b-984381ed097d` `SD_GPT_USR_RISCV64` | ditto | ditto | +-| _`/usr/` Partition (s390)_ | `cd0f869b-d0fb-4ca0-b141-9ea87cc78d66` `SD_GPT_USR_S390` | ditto | ditto | +-| _`/usr/` Partition (s390x)_ | `8a4f5770-50aa-4ed3-874a-99b710db6fea` `SD_GPT_USR_S390X` | ditto | ditto | +-| _`/usr/` Partition (TILE-Gx)_ | `55497029-c7c1-44cc-aa39-815ed1558630` `SD_GPT_USR_TILEGX` | ditto | ditto | +-| _`/usr/` Partition (x86)_ | `75250d76-8cc6-458e-bd66-bd47cc81a812` `SD_GPT_USR_X86` | ditto | ditto | +-| _`/usr/` Partition (amd64/x86_64)_ | `8484680c-9521-48c6-9c11-b0720656f69e` `SD_GPT_USR_X86_64` | ditto | ditto | +-| _Root Verity Partition (Alpha)_ | `fc56d9e9-e6e5-4c06-be32-e74407ce09a5` `SD_GPT_ROOT_ALPHA_VERITY` | A dm-verity superblock followed by hash data | Contains dm-verity integrity hash data for the matching root partition. If this feature is used the partition UUID of the root partition should be the first 128 bits of the root hash of the dm-verity hash data, and the partition UUID of this dm-verity partition should be the final 128 bits of it, so that the root partition and its Verity partition can be discovered easily, simply by specifying the root hash. | +-| _Root Verity Partition (ARC)_ | `24b2d975-0f97-4521-afa1-cd531e421b8d` `SD_GPT_ROOT_ARC_VERITY` | ditto | ditto | +-| _Root Verity Partition (32-bit ARM)_ | `7386cdf2-203c-47a9-a498-f2ecce45a2d6` `SD_GPT_ROOT_ARM_VERITY` | ditto | ditto | +-| _Root Verity Partition (64-bit ARM/AArch64)_ | `df3300ce-d69f-4c92-978c-9bfb0f38d820` `SD_GPT_ROOT_ARM64_VERITY` | ditto | ditto | +-| _Root Verity Partition (Itanium/IA-64)_ | `86ed10d5-b607-45bb-8957-d350f23d0571` `SD_GPT_ROOT_IA64_VERITY` | ditto | ditto | +-| _Root Verity Partition (LoongArch 64-bit)_ | `f3393b22-e9af-4613-a948-9d3bfbd0c535` `SD_GPT_ROOT_LOONGARCH64_VERITY` | ditto | ditto | +-| _Root Verity Partition (32-bit MIPS LittleEndian (mipsel))_ | `d7d150d2-2a04-4a33-8f12-16651205ff7b` `SD_GPT_ROOT_MIPS_LE_VERITY` | ditto | ditto | +-| _Root Verity Partition (64-bit MIPS LittleEndian (mips64el))_ | `16b417f8-3e06-4f57-8dd2-9b5232f41aa6` `SD_GPT_ROOT_MIPS64_LE_VERITY` | ditto | ditto | +-| _Root Verity Partition (HPPA/PARISC)_ | `d212a430-fbc5-49f9-a983-a7feef2b8d0e` `SD_GPT_ROOT_PARISC_VERITY` | ditto | ditto | +-| _Root Verity Partition (64-bit PowerPC LittleEndian)_ | `906bd944-4589-4aae-a4e4-dd983917446a` `SD_GPT_ROOT_PPC64_LE_VERITY` | ditto | ditto | +-| _Root Verity Partition (64-bit PowerPC BigEndian)_ | `9225a9a3-3c19-4d89-b4f6-eeff88f17631` `SD_GPT_ROOT_PPC64_VERITY` | ditto | ditto | +-| _Root Verity Partition (32-bit PowerPC)_ | `98cfe649-1588-46dc-b2f0-add147424925` `SD_GPT_ROOT_PPC_VERITY` | ditto | ditto | +-| _Root Verity Partition (RISC-V 32-bit)_ | `ae0253be-1167-4007-ac68-43926c14c5de` `SD_GPT_ROOT_RISCV32_VERITY` | ditto | ditto | +-| _Root Verity Partition (RISC-V 64-bit)_ | `b6ed5582-440b-4209-b8da-5ff7c419ea3d` `SD_GPT_ROOT_RISCV64_VERITY` | ditto | ditto | +-| _Root Verity Partition (s390)_ | `7ac63b47-b25c-463b-8df8-b4a94e6c90e1` `SD_GPT_ROOT_S390_VERITY` | ditto | ditto | +-| _Root Verity Partition (s390x)_ | `b325bfbe-c7be-4ab8-8357-139e652d2f6b` `SD_GPT_ROOT_S390X_VERITY` | ditto | ditto | +-| _Root Verity Partition (TILE-Gx)_ | `966061ec-28e4-4b2e-b4a5-1f0a825a1d84` `SD_GPT_ROOT_TILEGX_VERITY` | ditto | ditto | +-| _Root Verity Partition (amd64/x86_64)_ | `2c7357ed-ebd2-46d9-aec1-23d437ec2bf5` `SD_GPT_ROOT_X86_64_VERITY` | ditto | ditto | +-| _Root Verity Partition (x86)_ | `d13c5d3b-b5d1-422a-b29f-9454fdc89d76` `SD_GPT_ROOT_X86_VERITY` | ditto | ditto | +-| _`/usr/` Verity Partition (Alpha)_ | `8cce0d25-c0d0-4a44-bd87-46331bf1df67` `SD_GPT_USR_ALPHA_VERITY` | A dm-verity superblock followed by hash data | Similar semantics to root Verity partition, but just for the `/usr/` partition. | +-| _`/usr/` Verity Partition (ARC)_ | `fca0598c-d880-4591-8c16-4eda05c7347c` `SD_GPT_USR_ARC_VERITY` | ditto | ditto | +-| _`/usr/` Verity Partition (32-bit ARM)_ | `c215d751-7bcd-4649-be90-6627490a4c05` `SD_GPT_USR_ARM_VERITY` | ditto | ditto | +-| _`/usr/` Verity Partition (64-bit ARM/AArch64)_ | `6e11a4e7-fbca-4ded-b9e9-e1a512bb664e` `SD_GPT_USR_ARM64_VERITY` | ditto | ditto | +-| _`/usr/` Verity Partition (Itanium/IA-64)_ | `6a491e03-3be7-4545-8e38-83320e0ea880` `SD_GPT_USR_IA64_VERITY` | ditto | ditto | +-| _`/usr/` Verity Partition (LoongArch 64-bit)_ | `f46b2c26-59ae-48f0-9106-c50ed47f673d` `SD_GPT_USR_LOONGARCH64_VERITY` | ditto | ditto | +-| _`/usr/` Verity Partition (32-bit MIPS LittleEndian (mipsel))_ | `46b98d8d-b55c-4e8f-aab3-37fca7f80752` `SD_GPT_USR_MIPS_LE_VERITY` | ditto | ditto | +-| _`/usr/` Verity Partition (64-bit MIPS LittleEndian (mips64el))_ | `3c3d61fe-b5f3-414d-bb71-8739a694a4ef` `SD_GPT_USR_MIPS64_LE_VERITY` | ditto | ditto | +-| _`/usr/` Verity Partition (HPPA/PARISC)_ | `5843d618-ec37-48d7-9f12-cea8e08768b2` `SD_GPT_USR_PARISC_VERITY` | ditto | ditto | +-| _`/usr/` Verity Partition (64-bit PowerPC LittleEndian)_ | `ee2b9983-21e8-4153-86d9-b6901a54d1ce` `SD_GPT_USR_PPC64_LE_VERITY` | ditto | ditto | +-| _`/usr/` Verity Partition (64-bit PowerPC BigEndian)_ | `bdb528a5-a259-475f-a87d-da53fa736a07` `SD_GPT_USR_PPC64_VERITY` | ditto | ditto | +-| _`/usr/` Verity Partition (32-bit PowerPC)_ | `df765d00-270e-49e5-bc75-f47bb2118b09` `SD_GPT_USR_PPC_VERITY` | ditto | ditto | +-| _`/usr/` Verity Partition (RISC-V 32-bit)_ | `cb1ee4e3-8cd0-4136-a0a4-aa61a32e8730` `SD_GPT_USR_RISCV32_VERITY` | ditto | ditto | +-| _`/usr/` Verity Partition (RISC-V 64-bit)_ | `8f1056be-9b05-47c4-81d6-be53128e5b54` `SD_GPT_USR_RISCV64_VERITY` | ditto | ditto | +-| _`/usr/` Verity Partition (s390)_ | `b663c618-e7bc-4d6d-90aa-11b756bb1797` `SD_GPT_USR_S390_VERITY` | ditto | ditto | +-| _`/usr/` Verity Partition (s390x)_ | `31741cc4-1a2a-4111-a581-e00b447d2d06` `SD_GPT_USR_S390X_VERITY` | ditto | ditto | +-| _`/usr/` Verity Partition (TILE-Gx)_ | `2fb4bf56-07fa-42da-8132-6b139f2026ae` `SD_GPT_USR_TILEGX_VERITY` | ditto | ditto | +-| _`/usr/` Verity Partition (amd64/x86_64)_ | `77ff5f63-e7b6-4633-acf4-1565b864c0e6` `SD_GPT_USR_X86_64_VERITY` | ditto | ditto | +-| _`/usr/` Verity Partition (x86)_ | `8f461b0d-14ee-4e81-9aa9-049b6fb97abd` `SD_GPT_USR_X86_VERITY` | ditto | ditto | +-| _Root Verity Signature Partition (Alpha)_ | `d46495b7-a053-414f-80f7-700c99921ef8` `SD_GPT_ROOT_ALPHA_VERITY_SIG` | A serialized JSON object, see below | Contains a root hash and a PKCS#7 signature for it, permitting signed dm-verity GPT images. | +-| _Root Verity Signature Partition (ARC)_ | `143a70ba-cbd3-4f06-919f-6c05683a78bc` `SD_GPT_ROOT_ARC_VERITY_SIG` | ditto | ditto | +-| _Root Verity Signature Partition (32-bit ARM)_ | `42b0455f-eb11-491d-98d3-56145ba9d037` `SD_GPT_ROOT_ARM_VERITY_SIG` | ditto | ditto | +-| _Root Verity Signature Partition (64-bit ARM/AArch64)_ | `6db69de6-29f4-4758-a7a5-962190f00ce3` `SD_GPT_ROOT_ARM64_VERITY_SIG` | ditto | ditto | +-| _Root Verity Signature Partition (Itanium/IA-64)_ | `e98b36ee-32ba-4882-9b12-0ce14655f46a` `SD_GPT_ROOT_IA64_VERITY_SIG` | ditto | ditto | +-| _Root Verity Signature Partition (LoongArch 64-bit)_ | `5afb67eb-ecc8-4f85-ae8e-ac1e7c50e7d0` `SD_GPT_ROOT_LOONGARCH64_VERITY_SIG` | ditto | ditto | +-| _Root Verity Signature Partition (32-bit MIPS LittleEndian (mipsel))_ | `c919cc1f-4456-4eff-918c-f75e94525ca5` `SD_GPT_ROOT_MIPS_LE_VERITY_SIG` | ditto | ditto | +-| _Root Verity Signature Partition (64-bit MIPS LittleEndian (mips64el))_ | `904e58ef-5c65-4a31-9c57-6af5fc7c5de7` `SD_GPT_ROOT_MIPS64_LE_VERITY_SIG` | ditto | ditto | +-| _Root Verity Signature Partition (HPPA/PARISC)_ | `15de6170-65d3-431c-916e-b0dcd8393f25` `SD_GPT_ROOT_PARISC_VERITY_SIG` | ditto | ditto | +-| _Root Verity Signature Partition (64-bit PowerPC LittleEndian)_ | `d4a236e7-e873-4c07-bf1d-bf6cf7f1c3c6` `SD_GPT_ROOT_PPC64_LE_VERITY_SIG` | ditto | ditto | +-| _Root Verity Signature Partition (64-bit PowerPC BigEndian)_ | `f5e2c20c-45b2-4ffa-bce9-2a60737e1aaf` `SD_GPT_ROOT_PPC64_VERITY_SIG` | ditto | ditto | +-| _Root Verity Signature Partition (32-bit PowerPC)_ | `1b31b5aa-add9-463a-b2ed-bd467fc857e7` `SD_GPT_ROOT_PPC_VERITY_SIG` | ditto | ditto | +-| _Root Verity Signature Partition (RISC-V 32-bit)_ | `3a112a75-8729-4380-b4cf-764d79934448` `SD_GPT_ROOT_RISCV32_VERITY_SIG` | ditto | ditto | +-| _Root Verity Signature Partition (RISC-V 64-bit)_ | `efe0f087-ea8d-4469-821a-4c2a96a8386a` `SD_GPT_ROOT_RISCV64_VERITY_SIG` | ditto | ditto | +-| _Root Verity Signature Partition (s390)_ | `3482388e-4254-435a-a241-766a065f9960` `SD_GPT_ROOT_S390_VERITY_SIG` | ditto | ditto | +-| _Root Verity Signature Partition (s390x)_ | `c80187a5-73a3-491a-901a-017c3fa953e9` `SD_GPT_ROOT_S390X_VERITY_SIG` | ditto | ditto | +-| _Root Verity Signature Partition (TILE-Gx)_ | `b3671439-97b0-4a53-90f7-2d5a8f3ad47b` `SD_GPT_ROOT_TILEGX_VERITY_SIG` | ditto | ditto | +-| _Root Verity Signature Partition (amd64/x86_64)_ | `41092b05-9fc8-4523-994f-2def0408b176` `SD_GPT_ROOT_X86_64_VERITY_SIG` | ditto | ditto | +-| _Root Verity Signature Partition (x86)_ | `5996fc05-109c-48de-808b-23fa0830b676` `SD_GPT_ROOT_X86_VERITY_SIG` | ditto | ditto | +-| _`/usr/` Verity Signature Partition (Alpha)_ | `5c6e1c76-076a-457a-a0fe-f3b4cd21ce6e` `SD_GPT_USR_ALPHA_VERITY_SIG` | A serialized JSON object, see below | Similar semantics to root Verity signature partition, but just for the `/usr/` partition. | +-| _`/usr/` Verity Signature Partition (ARC)_ | `94f9a9a1-9971-427a-a400-50cb297f0f35` `SD_GPT_USR_ARC_VERITY_SIG` | ditto | ditto | +-| _`/usr/` Verity Signature Partition (32-bit ARM)_ | `d7ff812f-37d1-4902-a810-d76ba57b975a` `SD_GPT_USR_ARM_VERITY_SIG` | ditto | ditto | +-| _`/usr/` Verity Signature Partition (64-bit ARM/AArch64)_ | `c23ce4ff-44bd-4b00-b2d4-b41b3419e02a` `SD_GPT_USR_ARM64_VERITY_SIG` | ditto | ditto | +-| _`/usr/` Verity Signature Partition (Itanium/IA-64)_ | `8de58bc2-2a43-460d-b14e-a76e4a17b47f` `SD_GPT_USR_IA64_VERITY_SIG` | ditto | ditto | +-| _`/usr/` Verity Signature Partition (LoongArch 64-bit)_ | `b024f315-d330-444c-8461-44bbde524e99` `SD_GPT_USR_LOONGARCH64_VERITY_SIG` | ditto | ditto | +-| _`/usr/` Verity Signature Partition (32-bit MIPS LittleEndian (mipsel))_ | `3e23ca0b-a4bc-4b4e-8087-5ab6a26aa8a9` `SD_GPT_USR_MIPS_LE_VERITY_SIG` | ditto | ditto | +-| _`/usr/` Verity Signature Partition (64-bit MIPS LittleEndian (mips64el))_ | `f2c2c7ee-adcc-4351-b5c6-ee9816b66e16` `SD_GPT_USR_MIPS64_LE_VERITY_SIG` | ditto | ditto | +-| _`/usr/` Verity Signature Partition (HPPA/PARISC)_ | `450dd7d1-3224-45ec-9cf2-a43a346d71ee` `SD_GPT_USR_PARISC_VERITY_SIG` | ditto | ditto | +-| _`/usr/` Verity Signature Partition (64-bit PowerPC LittleEndian)_ | `c8bfbd1e-268e-4521-8bba-bf314c399557` `SD_GPT_USR_PPC64_LE_VERITY_SIG` | ditto | ditto | +-| _`/usr/` Verity Signature Partition (64-bit PowerPC BigEndian)_ | `0b888863-d7f8-4d9e-9766-239fce4d58af` `SD_GPT_USR_PPC64_VERITY_SIG` | ditto | ditto | +-| _`/usr/` Verity Signature Partition (32-bit PowerPC)_ | `7007891d-d371-4a80-86a4-5cb875b9302e` `SD_GPT_USR_PPC_VERITY_SIG` | ditto | ditto | +-| _`/usr/` Verity Signature Partition (RISC-V 32-bit)_ | `c3836a13-3137-45ba-b583-b16c50fe5eb4` `SD_GPT_USR_RISCV32_VERITY_SIG` | ditto | ditto | +-| _`/usr/` Verity Signature Partition (RISC-V 64-bit)_ | `d2f9000a-7a18-453f-b5cd-4d32f77a7b32` `SD_GPT_USR_RISCV64_VERITY_SIG` | ditto | ditto | +-| _`/usr/` Verity Signature Partition (s390)_ | `17440e4f-a8d0-467f-a46e-3912ae6ef2c5` `SD_GPT_USR_S390_VERITY_SIG` | ditto | ditto | +-| _`/usr/` Verity Signature Partition (s390x)_ | `3f324816-667b-46ae-86ee-9b0c0c6c11b4` `SD_GPT_USR_S390X_VERITY_SIG` | ditto | ditto | +-| _`/usr/` Verity Signature Partition (TILE-Gx)_ | `4ede75e2-6ccc-4cc8-b9c7-70334b087510` `SD_GPT_USR_TILEGX_VERITY_SIG` | ditto | ditto | +-| _`/usr/` Verity Signature Partition (amd64/x86_64)_ | `e7bb33fb-06cf-4e81-8273-e543b413e2e2` `SD_GPT_USR_X86_64_VERITY_SIG` | ditto | ditto | +-| _`/usr/` Verity Signature Partition (x86)_ | `974a71c0-de41-43c3-be5d-5c5ccd1ad2c0` `SD_GPT_USR_X86_VERITY_SIG` | ditto | ditto | +-| _EFI System Partition_ | `c12a7328-f81f-11d2-ba4b-00a0c93ec93b` `SD_GPT_ESP` | VFAT | The ESP used for the current boot is automatically mounted to `/efi/` (or `/boot/` as fallback), unless a different partition is mounted there (possibly via `/etc/fstab`, or because the Extended Boot Loader Partition — see below — exists) or the directory is non-empty on the root disk. This partition type is defined by the [UEFI Specification](http://www.uefi.org/specifications). | +-| _Extended Boot Loader Partition_ | `bc13c2ff-59e6-4262-a352-b275fd6f7172` `SD_GPT_XBOOTLDR` | Typically VFAT | The Extended Boot Loader Partition (XBOOTLDR) used for the current boot is automatically mounted to `/boot/`, unless a different partition is mounted there (possibly via `/etc/fstab`) or the directory is non-empty on the root disk. This partition type is defined by the [Boot Loader Specification](https://systemd.io/BOOT_LOADER_SPECIFICATION). | +-| _Swap_ | `0657fd6d-a4ab-43c4-84e5-0933c84b4f4f` `SD_GPT_SWAP` | Swap, optionally in LUKS | All swap partitions on the disk containing the root partition are automatically enabled. If the partition is encrypted with LUKS, the device mapper file will be named `/dev/mapper/swap`. This partition type predates the Discoverable Partitions Specification. | +-| _Home Partition_ | `933ac7e1-2eb4-4f13-b844-0e14e2aef915` `SD_GPT_HOME` | Any native, optionally in LUKS | The first partition with this type UUID on the disk containing the root partition is automatically mounted to `/home/`. If the partition is encrypted with LUKS, the device mapper file will be named `/dev/mapper/home`. | +-| _Server Data Partition_ | `3b8f8425-20e0-4f3b-907f-1a25a76f98e8` `SD_GPT_SRV` | Any native, optionally in LUKS | The first partition with this type UUID on the disk containing the root partition is automatically mounted to `/srv/`. If the partition is encrypted with LUKS, the device mapper file will be named `/dev/mapper/srv`. | +-| _Variable Data Partition_ | `4d21b016-b534-45c2-a9fb-5c16e091fd2d` `SD_GPT_VAR` | Any native, optionally in LUKS | The first partition with this type UUID on the disk containing the root partition is automatically mounted to `/var/` — under the condition that its partition UUID matches the first 128 bits of `HMAC-SHA256(machine-id, 0x4d21b016b53445c2a9fb5c16e091fd2d)` (i.e. the SHA256 HMAC hash of the binary type UUID keyed by the machine ID as read from [`/etc/machine-id`](https://www.freedesktop.org/software/systemd/man/machine-id.html). This special requirement is made because `/var/` (unlike the other partition types listed here) is inherently private to a specific installation and cannot possibly be shared between multiple OS installations on the same disk, and thus should be bound to a specific instance of the OS, identified by its machine ID. If the partition is encrypted with LUKS, the device mapper file will be named `/dev/mapper/var`. | +-| _Temporary Data Partition_ | `7ec6f557-3bc5-4aca-b293-16ef5df639d1` `SD_GPT_TMP` | Any native, optionally in LUKS | The first partition with this type UUID on the disk containing the root partition is automatically mounted to `/var/tmp/`. If the partition is encrypted with LUKS, the device mapper file will be named `/dev/mapper/tmp`. Note that the intended mount point is indeed `/var/tmp/`, not `/tmp/`. The latter is typically maintained in memory via `tmpfs` and does not require a partition on disk. In some cases it might be desirable to make `/tmp/` persistent too, in which case it is recommended to make it a symlink or bind mount to `/var/tmp/`, thus not requiring its own partition type UUID. | +-| _Per-user Home Partition_ | `773f91ef-66d4-49b5-bd83-d683bf40ad16` `SD_GPT_USER_HOME` | Any native, optionally in LUKS | A home partition of a user, managed by [`systemd-homed`](https://www.freedesktop.org/software/systemd/man/systemd-homed.html). | +-| _Generic Linux Data Partition_ | `0fc63daf-8483-4772-8e79-3d69d8477de4` `SD_GPT_LINUX_GENERIC` | Any native, optionally in LUKS | No automatic mounting takes place for other Linux data partitions. This partition type should be used for all partitions that carry Linux file systems. The installer needs to mount them explicitly via entries in `/etc/fstab`. Optionally, these partitions may be encrypted with LUKS. This partition type predates the Discoverable Partitions Specification. | +- +-Other GPT type IDs might be used on Linux, for example to mark software RAID or +-LVM partitions. The definitions of those GPT types is outside of the scope of +-this specification. +- +-[systemd-id128(1)](https://www.freedesktop.org/software/systemd/man/systemd-id128.html)'s +-`show` command may be used to list those GPT partition type UUIDs. +- +-## Partition Names +- +-For partitions of the types listed above it is recommended to use +-human-friendly, descriptive partition names in the GPT partition table, for +-example "*Home*", "*Server* *Data*", "*Fedora* *Root*" and similar, possibly +-localized. +- +-For the Root/Verity/Verity signature partitions it might make sense to use a +-versioned naming scheme reflecting the OS name and its version, +-e.g. "fooOS_2021.4" or similar. +- +-## Partition Attribute Flags +- +-This specification defines three GPT partition attribute flags that may be set +-for the partition types defined above: +- +-1. For the root, `/usr/`, Verity, Verity signature, home, server data, variable +- data, temporary data, swap, and extended boot loader partitions, the +- partition flag bit 63 ("*no-auto*", *SD_GPT_FLAG_NO_AUTO*) may be used to +- turn off auto-discovery for the specific partition. If set, the partition +- will not be automatically mounted or enabled. +- +-2. For the root, `/usr/`, Verity, Verity signature home, server data, variable +- data, temporary data and extended boot loader partitions, the partition flag +- bit 60 ("*read-only*", *SD_GPT_FLAG_READ_ONLY*) may be used to mark a +- partition for read-only mounts only. If set, the partition will be mounted +- read-only instead of read-write. Note that the variable data partition and +- the temporary data partition will generally not be able to serve their +- purpose if marked read-only, since by their very definition they are +- supposed to be mutable. (The home and server data partitions are generally +- assumed to be mutable as well, but the requirement for them is not equally +- strong.) Because of that, while the read-only flag is defined and supported, +- it's almost never a good idea to actually use it for these partitions. Also +- note that Verity and signature partitions are by their semantics always +- read-only. The flag is hence of little effect for them, and it is +- recommended to set it unconditionally for the Verity and signature partition +- types. +- +-3. For the root, `/usr/`, home, server data, variable data, temporary data and +- extended boot loader partitions, the partition flag bit 59 +- ("*grow-file-system*", *SD_GPT_FLAG_GROWFS*) may be used to mark a partition +- for automatic growing of the contained file system to the size of the +- partition when mounted. Tools that automatically mount disk image with a GPT +- partition table are suggested to implicitly grow the contained file system +- to the partition size they are contained in, if they are found to be +- smaller. This flag is without effect on partitions marked "*read-only*". +- +-Note that the first two flag definitions happen to correspond nicely to the +-same ones used by Microsoft Basic Data Partitions. +- +-All three of these flags generally affect only auto-discovery and automatic +-mounting of disk images. If partitions marked with these flags are mounted +-using low-level commands like +-[mount(8)](https://man7.org/linux/man-pages/man2/mount.8.html) or directly with +-[mount(2)](https://man7.org/linux/man-pages/man2/mount.2.html), they typically +-have no effect. +- +-## Verity +- +-The Root/`/usr/` partition types and their matching Verity and Verity signature +-partitions enable relatively automatic handling of `dm-verity` protected +-setups. These types are defined with two modes of operation in mind: +- +-1. A trusted Verity root hash is passed in externally, for example is specified +- on the kernel command line that is signed along with the kernel image using +- SecureBoot PE signing (which in turn is tested against a set of +- firmware-provided set of signing keys). If so, discovery and setup of a +- Verity volume may be fully automatic: if the root partition's UUID is chosen +- to match the first 128 bit of the root hash, and the matching Verity +- partition UUIDs is chosen to match the last 128bit of the root hash, then +- automatic discovery and match-up of the two partitions is possible, as the +- root hash is enough to both find the partitions and then combine them in a +- Verity volume. In this mode a Verity signature partition is not used and +- unnecessary. +- +-2. A Verity signature partition is included on the disk, with a signature to be +- tested against a system-provided set of signing keys. The signature +- partition primarily contains two fields: the root hash to use, and a PKCS#7 +- signature of it, using a signature key trusted by the OS. If so, discovery +- and setup of a Verity volume may be fully automatic. First, the specified +- root hash is validated with the signature and the OS-provided trusted +- keys. If the signature checks out the root hash is then used in the same way +- as in the first mode of operation described above. +- +-Both modes of operation may be combined in a single image. This is particularly +-useful for images that shall be usable in two different contexts: for example +-an image that shall be able to boot directly on UEFI systems (in which +-case it makes sense to include the root hash on the kernel command line that is +-included in the signed kernel image to boot, as per mode of operation #1 +-above), but also be able to used as image for a container engine (such as +-`systemd-nspawn`), which can use the signature partition to validate the image, +-without making use of the signed kernel image (and thus following mode of +-operation #2). +- +-The Verity signature partition's contents should be a serialized JSON object in +-text form, padded with NUL bytes to the next multiple of 4096 bytes in +-size. Currently three fields are defined for the JSON object: +- +-1. The (mandatory) `rootHash` field should be a string containing the Verity root hash, +- formatted as series of (lowercase) hex characters. +- +-2. The (mandatory) `signature` field should be a string containing the PKCS#7 +- signature of the root hash, in Base64-encoded DER format. This should be the +- same format used by the Linux kernel's dm-verity signature logic, i.e. the +- signed data should be the exact string representation of the hash, as stored +- in `rootHash` above. +- +-3. The (optional) `certificateFingerprint` field should be a string containing +- a SHA256 fingerprint of the X.509 certificate in DER format for the key that +- signed the root hash, formatted as series of (lowercase) hex characters (no `:` +- separators or such). +- +-More fields might be added in later revisions of this specification. +- +-## Suggested Mode of Operation +- +-An *installer* that repartitions the hard disk _should_ use the above UUID +-partition types for appropriate partitions it creates. +- +-An *installer* which supports a "manual partitioning" interface _may_ choose to +-pre-populate the interface with swap, `/home/`, `/srv/`, `/var/tmp/` partitions +-of pre-existing Linux installations, identified with the GPT type UUIDs +-above. The installer should not pre-populate such an interface with any +-identified root, `/usr` or `/var/` partition unless the intention is to +-overwrite an existing operating system that might be installed. +- +-An *installer* _may_ omit creating entries in `/etc/fstab` for root, `/home/`, +-`/srv/`, `/var/`, `/var/tmp` and for the swap partitions if they use these UUID +-partition types, and are the first partitions on the disk of each type. If the +-ESP shall be mounted to `/efi/` (or `/boot/`), it may additionally omit +-creating the entry for it in `/etc/fstab`. If the EFI partition shall not be +-mounted to `/efi/` or `/boot/`, it _must_ create `/etc/fstab` entries for them. +-If other partitions are used (for example for `/usr/local/` or +-`/var/lib/mysql/`), the installer _must_ register these in `/etc/fstab`. The +-`root=` parameter passed to the kernel by the boot loader may be omitted if the +-root partition is the first one on the disk of its type. If the root partition +-is not the first one on the disk, the `root=` parameter _must_ be passed to the +-kernel by the boot loader. An installer that mounts a root, `/usr/`, `/home/`, +-`/srv/`, `/var/`, or `/var/tmp/` file system with the partition types defined +-as above which contains a LUKS header _must_ call the device mapper device +-"root", "usr", "home", "srv", "var" or "tmp", respectively. This is necessary +-to ensure that the automatic discovery will never result in different device +-mapper names than any static configuration by the installer, thus eliminating +-possible naming conflicts and ambiguities. +- +-An *operating* *system* _should_ automatically discover and mount the first +-root partition that does not have the no-auto flag set (as described above) by +-scanning the disk containing the currently used EFI ESP. It _should_ +-automatically discover and mount the first `/usr/`, `/home/`, `/srv/`, `/var/`, +-`/var/tmp/` and swap partitions that do not have the no-auto flag set by +-scanning the disk containing the discovered root partition. It should +-automatically discover and mount the partition containing the currently used +-EFI ESP to `/efi/` (or `/boot/` as fallback). It should automatically discover +-and mount the partition containing the currently used Extended Boot Loader +-Partition to `/boot/`. It _should not_ discover or automatically mount +-partitions with other UUID partition types, or partitions located on other +-disks, or partitions with the no-auto flag set. User configuration shall +-always override automatic discovery and mounting. If a root, `/usr/`, +-`/home/`, `/srv/`, `/boot/`, `/var/`, `/var/tmp/`, `/efi/`, `/boot/` or swap +-partition is listed in `/etc/fstab` or with `root=` on the kernel command line, +-it _must_ take precedence over automatically discovered partitions. If a +-`/home/`, `/usr/`, `/srv/`, `/boot/`, `/var/`, `/var/tmp/`, `/efi/` or `/boot/` +-directory is found to be populated already in the root partition, the automatic +-discovery _must not_ mount any discovered file system over it. Optionally, in +-case of the root, `/usr/` and their Verity partitions instead of strictly +-mounting the first suitable partition an OS might choose to mount the partition +-whose label compares the highest according to `strverscmp()` or similar logic, +-in order to implement a simple partition-based A/B versioning scheme. The +-precise rules are left for the implementation to decide, but when in doubt +-earlier partitions (by their index) should always win over later partitions if +-the label comparison is inconclusive. +- +-A *container* *manager* should automatically discover and mount the root, +-`/usr/`, `/home/`, `/srv/`, `/var/`, `/var/tmp/` partitions inside a container +-disk image. It may choose to mount any discovered ESP and/or XBOOTLDR +-partition to `/efi/` or `/boot/`. It should ignore any swap should they be +-included in a container disk image. +- +-If a btrfs file system is automatically discovered and mounted by the operating +-system/container manager it will be mounted with its *default* subvolume. The +-installer should make sure to set the default subvolume correctly using "btrfs +-subvolume set-default". +- +-## Sharing of File Systems between Installations +- +-If two Linux-based operating systems are installed on the same disk, the scheme +-above suggests that they may share the swap, `/home/`, `/srv/`, `/var/tmp/`, +-ESP, XBOOTLDR. However, they should each have their own root, `/usr/` and +-`/var/` partition. +- +-## Frequently Asked Questions +- +-### Why are you taking my `/etc/fstab` away? +- +-We are not. `/etc/fstab` always overrides automatic discovery and is indeed +-mentioned in the specifications. We are simply trying to make the boot and +-installation processes of Linux a bit more robust and self-descriptive. +- +-### Why did you only define the root partition for these listed architectures? +- +-Please submit a patch that adds appropriate partition type UUIDs for the +-architecture of your choice should they be missing so far. The only reason they +-aren't defined yet is that nobody submitted them yet. +- +-### Why define distinct root partition UUIDs for the various architectures? +- +-This allows disk images that may be booted on multiple architectures to use +-discovery of the appropriate root partition on each architecture. +- +-### Doesn't this break multi-boot scenarios? +- +-No, it doesn't. The specification says that installers may not stop creating +-`/etc/fstab` or stop including `root=` on the kernel command line, unless the used +-partitions are the first ones of their type on the disk. Additionally, +-`/etc/fstab` and `root=` both override automatic discovery. Multi-boot is hence +-well supported, since it doesn't change anything for anything but the first +-installation. +- +-That all said, it's not expected that generic installers generally stop setting +-`root=` and creating `/etc/fstab` anyway. The option to drop these configuration +-bits is primarily something for appliance-like devices. However, generic +-installers should *still* set the right GPT partition types for the partitions +-they create so that container managers, partition tools and administrators can +-benefit. Phrased differently, this specification introduces A) the +-*recommendation* to use the newly defined partition types to tag things +-properly and B) the *option* to then drop `root=` and `/etc/fstab`. While we +-advertise A) to *all* installers, we only propose B) for simpler, +-appliance-like installations. +- +-### What partitioning tools will create a DPS-compliant partition table? +- +-As of util-linux 2.25.2, the `fdisk` tool provides type codes to create the +-root, home, and swap partitions that the DPS expects. By default, `fdisk` will +-create an old-style MBR, not a GPT, so typing `l` to list partition types will +-not show the choices to let you set the correct UUID. Make sure to first create +-an empty GPT, then type `l` in order for the DPS-compliant type codes to be +-available. +- +-The `gdisk` tool (from version 1.0.5 onward) and its variants (`sgdisk`, +-`cgdisk`) also support creation of partitions with a matching type code. +- +-## Links +- +-[Boot Loader Specification](BOOT_LOADER_SPECIFICATION.md)
+-[Boot Loader Interface](BOOT_LOADER_INTERFACE.md)
+-[Safely Building Images](BUILDING_IMAGES.md)
+-[`systemd-boot(7)`](https://www.freedesktop.org/software/systemd/man/systemd-boot.html)
+-[`bootctl(1)`](https://www.freedesktop.org/software/systemd/man/bootctl.html)
+-[`systemd-gpt-auto-generator(8)`](https://www.freedesktop.org/software/systemd/man/systemd-gpt-auto-generator.html) ++[This content has moved to the UAPI group website](https://uapi-group.org/specifications/specs/discoverable_partitions_specification/) +-- +2.38.1 + diff --git a/0013-core-fix-memleak-in-GetUnitFileLinks-method.patch b/0013-core-fix-memleak-in-GetUnitFileLinks-method.patch new file mode 100644 index 0000000..c2857ca --- /dev/null +++ b/0013-core-fix-memleak-in-GetUnitFileLinks-method.patch @@ -0,0 +1,52 @@ +From a9424191821c8c967edd7dd92a19d02ff5bbca87 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Wed, 2 Nov 2022 07:06:46 +0900 +Subject: [PATCH] core: fix memleak in GetUnitFileLinks method + +(cherry picked from commit a12ba535fa677e642c7ba19e81062ed6e9365ceb) + +Related #2138081 +--- + src/core/dbus-manager.c | 16 +++++++++++----- + 1 file changed, 11 insertions(+), 5 deletions(-) + +diff --git a/src/core/dbus-manager.c b/src/core/dbus-manager.c +index 919aa58cde..88f098ec86 100644 +--- a/src/core/dbus-manager.c ++++ b/src/core/dbus-manager.c +@@ -2647,21 +2647,27 @@ static int method_get_unit_file_links(sd_bus_message *message, void *userdata, s + (runtime ? UNIT_FILE_RUNTIME : 0); + + r = unit_file_disable(LOOKUP_SCOPE_SYSTEM, flags, NULL, p, &changes, &n_changes); +- if (r < 0) +- return log_error_errno(r, "Failed to get file links for %s: %m", name); ++ if (r < 0) { ++ log_error_errno(r, "Failed to get file links for %s: %m", name); ++ goto finish; ++ } + + for (i = 0; i < n_changes; i++) + if (changes[i].type == INSTALL_CHANGE_UNLINK) { + r = sd_bus_message_append(reply, "s", changes[i].path); + if (r < 0) +- return r; ++ goto finish; + } + + r = sd_bus_message_close_container(reply); + if (r < 0) +- return r; ++ goto finish; + +- return sd_bus_send(NULL, reply, NULL); ++ r = sd_bus_send(NULL, reply, NULL); ++ ++finish: ++ install_changes_free(changes, n_changes); ++ return r; + } + + static int method_get_job_waiting(sd_bus_message *message, void *userdata, sd_bus_error *error) { +-- +2.38.1 + diff --git a/0014-man-use-the-correct-Markers-property-name-for-markin.patch b/0014-man-use-the-correct-Markers-property-name-for-markin.patch new file mode 100644 index 0000000..e939e7a --- /dev/null +++ b/0014-man-use-the-correct-Markers-property-name-for-markin.patch @@ -0,0 +1,45 @@ +From ada95dd4f4c0014815a2c3162de6297107569b05 Mon Sep 17 00:00:00 2001 +From: Frantisek Sumsal +Date: Wed, 2 Nov 2022 11:48:23 +0100 +Subject: [PATCH] man: use the correct 'Markers' property name for marking + units + +Follow-up to c9615f7352 and 70666e28a1. + +(cherry picked from commit 1ca1bb03dec9ae3e8d734bd40eeb60210ffd7a0a) + +Related #2138081 +--- + man/org.freedesktop.systemd1.xml | 2 +- + man/systemctl.xml | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/man/org.freedesktop.systemd1.xml b/man/org.freedesktop.systemd1.xml +index cbd552bd99..5e08b35234 100644 +--- a/man/org.freedesktop.systemd1.xml ++++ b/man/org.freedesktop.systemd1.xml +@@ -1250,7 +1250,7 @@ node /org/freedesktop/systemd1 { + "ReloadOrRestart" flavors attempt a reload if the unit supports it and use a restart otherwise. + + EnqueueMarkedJobs() creates reload/restart jobs for units which have been +- appropriately marked, see Marks property above. This is equivalent to calling ++ appropriately marked, see Markers property above. This is equivalent to calling + TryRestartUnit() or ReloadOrTryRestartUnit() for the marked + units. + +diff --git a/man/systemctl.xml b/man/systemctl.xml +index 4d4f6c3992..997925892d 100644 +--- a/man/systemctl.xml ++++ b/man/systemctl.xml +@@ -2386,7 +2386,7 @@ Jan 12 10:46:45 example.com bluetoothd[8900]: gatt-time-server: Input/output err + Only allowed with reload-or-restart. Enqueues restart jobs for all + units that have the needs-restart mark, and reload jobs for units that have the + needs-reload mark. When a unit marked for reload does not support reload, restart +- will be queued. Those properties can be set using set-property Marks. ++ will be queued. Those properties can be set using set-property Markers=…. + + Unless is used, systemctl will wait for the + queued jobs to finish. +-- +2.38.1 + diff --git a/0015-test-further-extend-systemctl-s-sanity-coverage.patch b/0015-test-further-extend-systemctl-s-sanity-coverage.patch new file mode 100644 index 0000000..e131c22 --- /dev/null +++ b/0015-test-further-extend-systemctl-s-sanity-coverage.patch @@ -0,0 +1,118 @@ +From cce2e337e37524df5ff81e758dbcfa91bf8b696a Mon Sep 17 00:00:00 2001 +From: Frantisek Sumsal +Date: Wed, 2 Nov 2022 11:44:00 +0100 +Subject: [PATCH] test: further extend systemctl's sanity coverage + +Also, fix a race condition introduced by d16684fe13: +``` +[ 16.904218] H testsuite-26.sh[394]: + systemd-run --unit failed.service /bin/false +[ 16.964783] H systemd[845]: failed.service: Executing: /bin/false +[ 16.965062] H systemd[1]: Started failed.service. +[ 16.965462] H testsuite-26.sh[844]: Running as unit: failed.service +[ 16.966390] H testsuite-26.sh[394]: + systemctl is-failed failed.service +[ 16.977970] H testsuite-26.sh[846]: active +[ 16.978403] H systemd[1]: failed.service: Main process exited, code=exited, status=1/FAILURE +[ 16.978478] H systemd[1]: failed.service: Failed with result 'exit-code'. +``` + +(cherry picked from commit 23f3a6f5ff864fd26063c6c35fdaa6d85de566c7) + +Related #2138081 +--- + test/units/testsuite-26.sh | 61 +++++++++++++++++++++++++++++++++++++- + 1 file changed, 60 insertions(+), 1 deletion(-) + +diff --git a/test/units/testsuite-26.sh b/test/units/testsuite-26.sh +index b83f85917b..7c7a12b1ae 100755 +--- a/test/units/testsuite-26.sh ++++ b/test/units/testsuite-26.sh +@@ -58,6 +58,9 @@ systemctl list-units + systemctl list-units --recursive + systemctl list-units --type=socket + systemctl list-units --type=service,timer ++# Compat: --type= allows load states for compatibility reasons ++systemctl list-units --type=loaded ++systemctl list-units --type=loaded,socket + systemctl list-units --legend=yes -a "systemd-*" + systemctl list-units --state=active + systemctl list-units --with-dependencies systemd-journald.service +@@ -160,7 +163,7 @@ systemctl revert "$UNIT_NAME" + (! grep -r "CPUQuota=" "/run/systemd/system.control/${UNIT_NAME}.d/") + + # Failed-unit related tests +-systemd-run --unit "failed.service" /bin/false ++(! systemd-run --wait --unit "failed.service" /bin/false) + systemctl is-failed failed.service + systemctl --state=failed | grep failed.service + systemctl --failed | grep failed.service +@@ -189,11 +192,67 @@ for value in pretty us µs utc us+utc µs+utc; do + systemctl show -P KernelTimestamp --timestamp="$value" + done + ++# set-default/get-default ++target="$(systemctl get-default)" ++systemctl set-default emergency.target ++[[ "$(systemctl get-default)" == emergency.target ]] ++systemctl set-default "$target" ++[[ "$(systemctl get-default)" == "$target" ]] ++ ++# show/status ++systemctl show --property "" ++# Pick a heavily sandboxed unit for the best effect on coverage ++systemctl show systemd-logind.service ++systemctl status ++# Ignore the exit code in this case, as it might try to load non-existing units ++systemctl status -a >/dev/null || : ++systemctl status -a --state active,running,plugged >/dev/null ++systemctl status "systemd-*.timer" ++systemctl status "systemd-journald*.socket" ++systemctl status "sys-devices-*-ttyS0.device" ++systemctl status -- -.mount ++ ++# --marked ++systemctl restart "$UNIT_NAME" ++systemctl set-property "$UNIT_NAME" Markers=needs-restart ++systemctl show -P Markers "$UNIT_NAME" | grep needs-restart ++systemctl reload-or-restart --marked ++(! systemctl show -P Markers "$UNIT_NAME" | grep needs-restart) ++ ++# --dry-run with destructive verbs ++# kexec is skipped intentionally, as it requires a bit more involved setup ++VERBS=( ++ default ++ emergency ++ exit ++ halt ++ hibernate ++ hybrid-sleep ++ poweroff ++ reboot ++ rescue ++ suspend ++ suspend-then-hibernate ++) ++ ++for verb in "${VERBS[@]}"; do ++ systemctl --dry-run "$verb" ++ ++ if [[ "$verb" =~ (halt|poweroff|reboot) ]]; then ++ systemctl --dry-run --message "Hello world" "$verb" ++ systemctl --dry-run --no-wall "$verb" ++ systemctl --dry-run -f "$verb" ++ systemctl --dry-run -ff "$verb" ++ fi ++done ++ + # Aux verbs & assorted checks + systemctl is-active "*-journald.service" + systemctl cat "*journal*" + systemctl cat "$UNIT_NAME" + systemctl help "$UNIT_NAME" ++systemctl service-watchdogs ++systemctl service-watchdogs "$(systemctl service-watchdogs)" + + # show/set-environment + # Make sure PATH is set +-- +2.38.1 + diff --git a/0016-test-add-a-sanity-coverage-for-systemd-analyze-verbs.patch b/0016-test-add-a-sanity-coverage-for-systemd-analyze-verbs.patch new file mode 100644 index 0000000..cb48303 --- /dev/null +++ b/0016-test-add-a-sanity-coverage-for-systemd-analyze-verbs.patch @@ -0,0 +1,134 @@ +From d68d785ba0e3ecd59a2678fe00fbd7b1bde90622 Mon Sep 17 00:00:00 2001 +From: Frantisek Sumsal +Date: Wed, 2 Nov 2022 17:51:51 +0100 +Subject: [PATCH] test: add a sanity coverage for systemd-analyze verbs + +(cherry picked from commit 6c83054c0133eb53245e479d71589dceff76cf74) + +Related #2138081 +--- + test/units/testsuite-65.sh | 108 +++++++++++++++++++++++++++++++++++++ + 1 file changed, 108 insertions(+) + +diff --git a/test/units/testsuite-65.sh b/test/units/testsuite-65.sh +index 64ce629f3b..ece6b8734e 100755 +--- a/test/units/testsuite-65.sh ++++ b/test/units/testsuite-65.sh +@@ -9,6 +9,114 @@ set -eux + systemd-analyze log-level debug + export SYSTEMD_LOG_LEVEL=debug + ++# Sanity checks ++# ++# We can't really test time, blame, critical-chain and plot verbs here, as ++# the testsuite service is a part of the boot transaction, so let's assume ++# they fail ++systemd-analyze || : ++systemd-analyze time || : ++systemd-analyze blame || : ++systemd-analyze critical-chain || : ++systemd-analyze plot >/dev/null || : ++# dot ++systemd-analyze dot >/dev/null ++systemd-analyze dot systemd-journald.service >/dev/null ++systemd-analyze dot systemd-journald.service systemd-logind.service >/dev/null ++systemd-analyze dot --from-pattern="*" --from-pattern="*.service" systemd-journald.service >/dev/null ++systemd-analyze dot --to-pattern="*" --to-pattern="*.service" systemd-journald.service >/dev/null ++systemd-analyze dot --from-pattern="*.service" --to-pattern="*.service" systemd-journald.service >/dev/null ++systemd-analyze dot --order systemd-journald.service systemd-logind.service >/dev/null ++systemd-analyze dot --require systemd-journald.service systemd-logind.service >/dev/null ++systemd-analyze dot "systemd-*.service" >/dev/null ++(! systemd-analyze dot systemd-journald.service systemd-logind.service "*" bbb ccc) ++# dump ++systemd-analyze dump >/dev/null ++systemd-analyze dump "*" >/dev/null ++systemd-analyze dump "*.socket" >/dev/null ++systemd-analyze dump systemd-journald.service >/dev/null ++(! systemd-analyze dump "") ++# unit-paths ++systemd-analyze unit-paths ++systemd-analyze unit-paths --user ++systemd-analyze unit-paths --global ++# exist-status ++systemd-analyze exit-status ++systemd-analyze exit-status STDOUT BPF ++systemd-analyze exit-status 0 1 {63..65} ++(! systemd-analyze exit-status STDOUT BPF "hello*") ++# capability ++systemd-analyze capability ++systemd-analyze capability cap_chown CAP_KILL ++systemd-analyze capability 0 1 {30..32} ++(! systemd-analyze capability cap_chown CAP_KILL "hello*") ++# condition ++mkdir -p /run/systemd/system ++UNIT_NAME="analyze-condition-$RANDOM.service" ++cat >"/run/systemd/system/$UNIT_NAME" <1.0 ++ConditionPathExists=/etc/os-release ++ ++[Service] ++ExecStart=/bin/true ++EOF ++systemctl daemon-reload ++systemd-analyze condition --unit="$UNIT_NAME" ++systemd-analyze condition 'ConditionKernelVersion = ! <4.0' \ ++ 'ConditionKernelVersion = >=3.1' \ ++ 'ConditionACPower=|false' \ ++ 'ConditionArchitecture=|!arm' \ ++ 'AssertPathExists=/etc/os-release' ++(! systemd-analyze condition 'ConditionArchitecture=|!arm' 'AssertXYZ=foo') ++(! systemd-analyze condition 'ConditionKernelVersion=<1.0') ++(! systemd-analyze condition 'AssertKernelVersion=<1.0') ++# syscall-filter ++systemd-analyze syscall-filter >/dev/null ++systemd-analyze syscall-filter @chown @sync ++systemd-analyze syscall-filter @sync @sync @sync ++(! systemd-analyze syscall-filter @chown @sync @foobar) ++# filesystems (requires libbpf support) ++if systemctl --version | grep "+BPF_FRAMEWORK"; then ++ systemd-analyze filesystems >/dev/null ++ systemd-analyze filesystems @basic-api ++ systemd-analyze filesystems @basic-api @basic-api @basic-api ++ (! systemd-analyze filesystems @basic-api @basic-api @foobar @basic-api) ++fi ++# calendar ++systemd-analyze calendar '*-2-29 0:0:0' ++systemd-analyze calendar --iterations=5 '*-2-29 0:0:0' ++systemd-analyze calendar '*-* *:*:*' ++systemd-analyze calendar --iterations=5 '*-* *:*:*' ++systemd-analyze calendar --iterations=50 '*-* *:*:*' ++systemd-analyze calendar --iterations=0 '*-* *:*:*' ++systemd-analyze calendar --base-time=yesterday --iterations=5 '*-* *:*:*' ++(! systemd-analyze calendar --iterations=0 '*-* 99:*:*') ++(! systemd-analyze calendar --base-time=never '*-* *:*:*') ++(! systemd-analyze calendar 1) ++(! systemd-analyze calendar "") ++# timestamp ++systemd-analyze timestamp now ++systemd-analyze timestamp -- -1 ++systemd-analyze timestamp yesterday now tomorrow ++(! systemd-analyze timestamp yesterday never tomorrow) ++(! systemd-analyze timestamp 1) ++(! systemd-analyze timestamp "") ++# timespan ++systemd-analyze timespan 1 ++systemd-analyze timespan 1s 300s '1year 0.000001s' ++(! systemd-analyze timespan 1s 300s aaaaaa '1year 0.000001s') ++(! systemd-analyze timespan -- -1) ++(! systemd-analyze timespan "") ++# cat-config ++systemd-analyze cat-config systemd/system.conf >/dev/null ++systemd-analyze cat-config /etc/systemd/system.conf >/dev/null ++systemd-analyze cat-config systemd/system.conf systemd/journald.conf >/dev/null ++systemd-analyze cat-config systemd/system.conf foo/bar systemd/journald.conf >/dev/null ++systemd-analyze cat-config foo/bar ++ + mkdir -p /tmp/img/usr/lib/systemd/system/ + mkdir -p /tmp/img/opt/ + +-- +2.38.1 + diff --git a/0017-udev-first-set-properties-based-on-usb-subsystem.patch b/0017-udev-first-set-properties-based-on-usb-subsystem.patch new file mode 100644 index 0000000..de2f7d2 --- /dev/null +++ b/0017-udev-first-set-properties-based-on-usb-subsystem.patch @@ -0,0 +1,40 @@ +From 080747ee6685b9c5877073c5120375e7a04d8216 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Thu, 3 Nov 2022 09:39:36 +0900 +Subject: [PATCH] udev: first set properties based on usb subsystem + +After 479da1107a0d4e2f7ef5cd938512b87a0e45f180, the usb_id builtin +command does not set ID_SERIAL if ID_BUS is already set. +Before the commit, all properties set based on pci bus were overwritten +by the usb_id, hence now it is sufficient setting them only when ID_BUS is +not set yet. + +Fixes #25238. + +(cherry picked from commit 01e704eba982fbc1517287cd261d229ff8e0a779) + +Related #2138081 +--- + rules.d/60-serial.rules | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/rules.d/60-serial.rules b/rules.d/60-serial.rules +index f303e27fd5..c133f26109 100644 +--- a/rules.d/60-serial.rules ++++ b/rules.d/60-serial.rules +@@ -3,9 +3,10 @@ + ACTION=="remove", GOTO="serial_end" + SUBSYSTEM!="tty", GOTO="serial_end" + +-SUBSYSTEMS=="pci", ENV{ID_BUS}="pci", ENV{ID_VENDOR_ID}="$attr{vendor}", ENV{ID_MODEL_ID}="$attr{device}" +-SUBSYSTEMS=="pci", IMPORT{builtin}="hwdb --subsystem=pci" + SUBSYSTEMS=="usb", IMPORT{builtin}="usb_id", IMPORT{builtin}="hwdb --subsystem=usb" ++SUBSYSTEMS=="pci", ENV{ID_BUS}=="", ENV{ID_BUS}="pci", \ ++ ENV{ID_VENDOR_ID}="$attr{vendor}", ENV{ID_MODEL_ID}="$attr{device}", \ ++ IMPORT{builtin}="hwdb --subsystem=pci" + + # /dev/serial/by-path/, /dev/serial/by-id/ for USB devices + KERNEL!="ttyUSB[0-9]*|ttyACM[0-9]*", GOTO="serial_end" +-- +2.38.1 + diff --git a/0018-udev-drop-redundant-call-of-usb_id-and-assignment-of.patch b/0018-udev-drop-redundant-call-of-usb_id-and-assignment-of.patch new file mode 100644 index 0000000..91ce747 --- /dev/null +++ b/0018-udev-drop-redundant-call-of-usb_id-and-assignment-of.patch @@ -0,0 +1,33 @@ +From 35ec16bfef92d072edacad892fc138b3595ee69b Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Thu, 3 Nov 2022 09:43:14 +0900 +Subject: [PATCH] udev: drop redundant call of usb_id and assignment of + ID_USB_INTERFACE_NUM + +The usb_id builtin command is already called in the above, and the +command sets the ID_USB_INTERFACE_NUM property. + +(cherry picked from commit b2e53f5a0f12db65c88404477fedee5c57d201ba) + +Related #2138081 +--- + rules.d/60-serial.rules | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/rules.d/60-serial.rules b/rules.d/60-serial.rules +index c133f26109..2c1488e930 100644 +--- a/rules.d/60-serial.rules ++++ b/rules.d/60-serial.rules +@@ -17,9 +17,7 @@ IMPORT{builtin}="path_id" + ENV{ID_PATH}=="?*", ENV{.ID_PORT}=="", SYMLINK+="serial/by-path/$env{ID_PATH}" + ENV{ID_PATH}=="?*", ENV{.ID_PORT}=="?*", SYMLINK+="serial/by-path/$env{ID_PATH}-port$env{.ID_PORT}" + +-IMPORT{builtin}="usb_id" + ENV{ID_SERIAL}=="", GOTO="serial_end" +-SUBSYSTEMS=="usb", ENV{ID_USB_INTERFACE_NUM}="$attr{bInterfaceNumber}" + ENV{ID_USB_INTERFACE_NUM}=="", GOTO="serial_end" + ENV{.ID_PORT}=="", SYMLINK+="serial/by-id/$env{ID_BUS}-$env{ID_SERIAL}-if$env{ID_USB_INTERFACE_NUM}" + ENV{.ID_PORT}=="?*", SYMLINK+="serial/by-id/$env{ID_BUS}-$env{ID_SERIAL}-if$env{ID_USB_INTERFACE_NUM}-port$env{.ID_PORT}" +-- +2.38.1 + diff --git a/0019-udev-add-safe-guard-for-setting-by-id-symlink.patch b/0019-udev-add-safe-guard-for-setting-by-id-symlink.patch new file mode 100644 index 0000000..01aece5 --- /dev/null +++ b/0019-udev-add-safe-guard-for-setting-by-id-symlink.patch @@ -0,0 +1,29 @@ +From 03bb31bbb875e20da7ae37eb44e98d244823e0e7 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Thu, 3 Nov 2022 09:52:23 +0900 +Subject: [PATCH] udev: add safe guard for setting by-id symlink + +The ID_BUS property is necessary for creating by-id symlinks. + +(cherry picked from commit 5286da064c97d2ac934cb301066aaa8605a3c8f9) + +Related #2138081 +--- + rules.d/60-serial.rules | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/rules.d/60-serial.rules b/rules.d/60-serial.rules +index 2c1488e930..a0e66323a9 100644 +--- a/rules.d/60-serial.rules ++++ b/rules.d/60-serial.rules +@@ -17,6 +17,7 @@ IMPORT{builtin}="path_id" + ENV{ID_PATH}=="?*", ENV{.ID_PORT}=="", SYMLINK+="serial/by-path/$env{ID_PATH}" + ENV{ID_PATH}=="?*", ENV{.ID_PORT}=="?*", SYMLINK+="serial/by-path/$env{ID_PATH}-port$env{.ID_PORT}" + ++ENV{ID_BUS}=="", GOTO="serial_end" + ENV{ID_SERIAL}=="", GOTO="serial_end" + ENV{ID_USB_INTERFACE_NUM}=="", GOTO="serial_end" + ENV{.ID_PORT}=="", SYMLINK+="serial/by-id/$env{ID_BUS}-$env{ID_SERIAL}-if$env{ID_USB_INTERFACE_NUM}" +-- +2.38.1 + diff --git a/0020-test-cover-legacy-deprecated-systemd-analyze-verbs.patch b/0020-test-cover-legacy-deprecated-systemd-analyze-verbs.patch new file mode 100644 index 0000000..d5ca319 --- /dev/null +++ b/0020-test-cover-legacy-deprecated-systemd-analyze-verbs.patch @@ -0,0 +1,48 @@ +From 266baa71dbb336d9c2eb1e4e7db3983477cc6ce0 Mon Sep 17 00:00:00 2001 +From: Frantisek Sumsal +Date: Thu, 3 Nov 2022 10:59:38 +0100 +Subject: [PATCH] test: cover legacy/deprecated systemd-analyze verbs + +They're no longer documented since 26e1e97345 but still work. + +(cherry picked from commit 926d95cd4c209b8c292829511542b11d7c43e662) + +Related #2138081 +--- + test/units/testsuite-65.sh | 13 ++++++++++++- + 1 file changed, 12 insertions(+), 1 deletion(-) + +diff --git a/test/units/testsuite-65.sh b/test/units/testsuite-65.sh +index ece6b8734e..89406a108e 100755 +--- a/test/units/testsuite-65.sh ++++ b/test/units/testsuite-65.sh +@@ -6,7 +6,7 @@ set -eux + # shellcheck source=test/units/assert.sh + . "$(dirname "$0")"/assert.sh + +-systemd-analyze log-level debug ++systemctl log-level debug + export SYSTEMD_LOG_LEVEL=debug + + # Sanity checks +@@ -19,6 +19,17 @@ systemd-analyze time || : + systemd-analyze blame || : + systemd-analyze critical-chain || : + systemd-analyze plot >/dev/null || : ++# legacy/deprecated options (moved to systemctl, but still usable from analyze) ++systemd-analyze log-level ++systemd-analyze log-level "$(systemctl log-level)" ++systemd-analyze get-log-level ++systemd-analyze set-log-level "$(systemctl log-level)" ++systemd-analyze log-target ++systemd-analyze log-target "$(systemctl log-target)" ++systemd-analyze get-log-target ++systemd-analyze set-log-target "$(systemctl log-target)" ++systemd-analyze service-watchdogs ++systemd-analyze service-watchdogs "$(systemctl service-watchdogs)" + # dot + systemd-analyze dot >/dev/null + systemd-analyze dot systemd-journald.service >/dev/null +-- +2.38.1 + diff --git a/0021-test-cover-a-couple-of-previously-missed-analyze-cod.patch b/0021-test-cover-a-couple-of-previously-missed-analyze-cod.patch new file mode 100644 index 0000000..17b155c --- /dev/null +++ b/0021-test-cover-a-couple-of-previously-missed-analyze-cod.patch @@ -0,0 +1,59 @@ +From 37614533602981aa3757cd3e847f184fdae1432e Mon Sep 17 00:00:00 2001 +From: Frantisek Sumsal +Date: Thu, 3 Nov 2022 11:33:13 +0100 +Subject: [PATCH] test: cover a couple of previously missed analyze code paths + +(cherry picked from commit 8b1879bcd0ed1168f5ad35a3dd0e213a31a2ee42) + +Related #2138081 +--- + test/units/testsuite-65.sh | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/test/units/testsuite-65.sh b/test/units/testsuite-65.sh +index 89406a108e..1f34308b44 100755 +--- a/test/units/testsuite-65.sh ++++ b/test/units/testsuite-65.sh +@@ -45,8 +45,16 @@ systemd-analyze dot "systemd-*.service" >/dev/null + systemd-analyze dump >/dev/null + systemd-analyze dump "*" >/dev/null + systemd-analyze dump "*.socket" >/dev/null ++systemd-analyze dump "*.socket" "*.service" aaaaaaa ... >/dev/null + systemd-analyze dump systemd-journald.service >/dev/null + (! systemd-analyze dump "") ++# unit-files ++systemd-analyze unit-files >/dev/null ++systemd-analyze unit-files systemd-journald.service >/dev/null ++systemd-analyze unit-files "*" >/dev/null ++systemd-analyze unit-files "*" aaaaaa "*.service" "*.target" >/dev/null ++systemd-analyze unit-files --user >/dev/null ++systemd-analyze unit-files --user "*" aaaaaa "*.service" "*.target" >/dev/null + # unit-paths + systemd-analyze unit-paths + systemd-analyze unit-paths --user +@@ -103,6 +111,7 @@ systemd-analyze calendar '*-* *:*:*' + systemd-analyze calendar --iterations=5 '*-* *:*:*' + systemd-analyze calendar --iterations=50 '*-* *:*:*' + systemd-analyze calendar --iterations=0 '*-* *:*:*' ++systemd-analyze calendar --iterations=5 '01-01-22 01:00:00' + systemd-analyze calendar --base-time=yesterday --iterations=5 '*-* *:*:*' + (! systemd-analyze calendar --iterations=0 '*-* 99:*:*') + (! systemd-analyze calendar --base-time=never '*-* *:*:*') +@@ -114,12 +123,14 @@ systemd-analyze timestamp -- -1 + systemd-analyze timestamp yesterday now tomorrow + (! systemd-analyze timestamp yesterday never tomorrow) + (! systemd-analyze timestamp 1) ++(! systemd-analyze timestamp '*-2-29 0:0:0') + (! systemd-analyze timestamp "") + # timespan + systemd-analyze timespan 1 + systemd-analyze timespan 1s 300s '1year 0.000001s' + (! systemd-analyze timespan 1s 300s aaaaaa '1year 0.000001s') + (! systemd-analyze timespan -- -1) ++(! systemd-analyze timespan '*-2-29 0:0:0') + (! systemd-analyze timespan "") + # cat-config + systemd-analyze cat-config systemd/system.conf >/dev/null +-- +2.38.1 + diff --git a/0022-test-introduce-sanity-coverage-for-auxiliary-utils.patch b/0022-test-introduce-sanity-coverage-for-auxiliary-utils.patch new file mode 100644 index 0000000..3d90f1d --- /dev/null +++ b/0022-test-introduce-sanity-coverage-for-auxiliary-utils.patch @@ -0,0 +1,374 @@ +From e0d51a65a8bbe8c86af4bb843a5f9ac7d590fa01 Mon Sep 17 00:00:00 2001 +From: Frantisek Sumsal +Date: Thu, 3 Nov 2022 13:13:03 +0100 +Subject: [PATCH] test: introduce sanity coverage for auxiliary utils + +(cherry picked from commit d1020334fd15e0cffe68cb4d7e862a36253cc481) + +Related #2138081 +--- + test/TEST-74-AUX-UTILS/Makefile | 1 + + test/TEST-74-AUX-UTILS/test.sh | 10 ++ + test/units/testsuite-74.cgls.sh | 26 +++++ + test/units/testsuite-74.cgtop.sh | 32 ++++++ + test/units/testsuite-74.delta.sh | 59 +++++++++++ + test/units/testsuite-74.firstboot.sh | 145 +++++++++++++++++++++++++++ + test/units/testsuite-74.service | 8 ++ + test/units/testsuite-74.sh | 14 +++ + 8 files changed, 295 insertions(+) + create mode 120000 test/TEST-74-AUX-UTILS/Makefile + create mode 100755 test/TEST-74-AUX-UTILS/test.sh + create mode 100755 test/units/testsuite-74.cgls.sh + create mode 100755 test/units/testsuite-74.cgtop.sh + create mode 100755 test/units/testsuite-74.delta.sh + create mode 100755 test/units/testsuite-74.firstboot.sh + create mode 100644 test/units/testsuite-74.service + create mode 100755 test/units/testsuite-74.sh + +diff --git a/test/TEST-74-AUX-UTILS/Makefile b/test/TEST-74-AUX-UTILS/Makefile +new file mode 120000 +index 0000000000..e9f93b1104 +--- /dev/null ++++ b/test/TEST-74-AUX-UTILS/Makefile +@@ -0,0 +1 @@ ++../TEST-01-BASIC/Makefile +\ No newline at end of file +diff --git a/test/TEST-74-AUX-UTILS/test.sh b/test/TEST-74-AUX-UTILS/test.sh +new file mode 100755 +index 0000000000..f422c89141 +--- /dev/null ++++ b/test/TEST-74-AUX-UTILS/test.sh +@@ -0,0 +1,10 @@ ++#!/usr/bin/env bash ++# SPDX-License-Identifier: LGPL-2.1-or-later ++set -e ++ ++TEST_DESCRIPTION="Tests for auxiliary utilities" ++ ++# shellcheck source=test/test-functions ++. "${TEST_BASE_DIR:?}/test-functions" ++ ++do_test "$@" +diff --git a/test/units/testsuite-74.cgls.sh b/test/units/testsuite-74.cgls.sh +new file mode 100755 +index 0000000000..120570c9cc +--- /dev/null ++++ b/test/units/testsuite-74.cgls.sh +@@ -0,0 +1,26 @@ ++#!/usr/bin/env bash ++# SPDX-License-Identifier: LGPL-2.1-or-later ++set -eux ++set -o pipefail ++ ++systemd-cgls ++systemd-cgls --all --full ++systemd-cgls -k ++systemd-cgls --xattr=yes ++systemd-cgls --xattr=no ++systemd-cgls --cgroup-id=yes ++systemd-cgls --cgroup-id=no ++ ++systemd-cgls /system.slice/systemd-journald.service ++systemd-cgls /system.slice/systemd-journald.service /init.scope ++systemd-cgls /sys/fs/cgroup/system.slice/systemd-journald.service /init.scope ++(cd /sys/fs/cgroup/init.scope && systemd-cgls) ++systemd-cgls --unit=systemd-journald.service ++# There's most likely no user session running, so we need to create one ++systemd-run --user --wait --pipe -M testuser@.host systemd-cgls --user-unit=app.slice ++ ++(! systemd-cgls /foo/bar) ++(! systemd-cgls --unit=hello.world) ++(! systemd-cgls --user-unit=hello.world) ++(! systemd-cgls --xattr=foo) ++(! systemd-cgls --cgroup-id=foo) +diff --git a/test/units/testsuite-74.cgtop.sh b/test/units/testsuite-74.cgtop.sh +new file mode 100755 +index 0000000000..8141ec1b1f +--- /dev/null ++++ b/test/units/testsuite-74.cgtop.sh +@@ -0,0 +1,32 @@ ++#!/usr/bin/env bash ++# SPDX-License-Identifier: LGPL-2.1-or-later ++set -eux ++set -o pipefail ++ ++# Without tty attached cgtop should default to --iterations=1 ++systemd-cgtop ++systemd-cgtop --iterations=1 ++# Same as --iterations=1 ++systemd-cgtop -1 ++systemd-cgtop --delay=1ms ++systemd-cgtop --raw ++systemd-cgtop --batch ++systemd-cgtop --cpu=percentage ++systemd-cgtop --cpu=time ++systemd-cgtop -P ++systemd-cgtop -k ++# FIXME: https://github.com/systemd/systemd/issues/25248 ++#systemd-cgtop --recursive=no ++systemd-cgtop --depth=0 ++systemd-cgtop --depth=100 ++ ++for order in path tasks cpu memory io; do ++ systemd-cgtop --order="$order" ++done ++systemd-cgtop -p -t -c -m -i ++ ++(! systemd-cgtop --cpu=foo) ++(! systemd-cgtop --order=foo) ++(! systemd-cgtop --depth=-1) ++(! systemd-cgtop --recursive=foo) ++(! systemd-cgtop --delay=1foo) +diff --git a/test/units/testsuite-74.delta.sh b/test/units/testsuite-74.delta.sh +new file mode 100755 +index 0000000000..a0e1cb52dd +--- /dev/null ++++ b/test/units/testsuite-74.delta.sh +@@ -0,0 +1,59 @@ ++#!/usr/bin/env bash ++# SPDX-License-Identifier: LGPL-2.1-or-later ++set -eux ++set -o pipefail ++ ++at_exit() { ++ rm -rfv /{run,etc}/systemd/system/delta-test* ++} ++ ++trap at_exit EXIT ++ ++# Create a couple of supporting units with overrides ++# ++# Extended unit ++cat >"/run/systemd/system/delta-test-unit-extended.service" <"/run/systemd/system/delta-test-unit-extended.service.d/override.conf" <>/etc/systemd/system/delta-test-unit-overridden.service ++# Overridden but equivalent unit ++ln -srfv /run/systemd/system/delta-test-unit-extended.service /run/systemd/system/delta-test-unit-equivalent.service ++ln -sfv /run/systemd/system/delta-test-unit-extended.service /etc/systemd/system/delta-test-unit-equivalent.service ++# Redirected unit ++ln -srfv /run/systemd/system/delta-test-unit-extended.service /run/systemd/system/delta-test-unit-redirected.service ++ln -sfv /run/systemd/system/delta-test-unit-overidden.service /etc/systemd/system/delta-test-unit-extended.service ++ ++systemctl daemon-reload ++ ++systemd-delta ++systemd-delta /run ++systemd-delta systemd/system ++systemd-delta /run systemd/system /run ++systemd-delta /run foo/bar hello/world systemd/system /run ++systemd-delta foo/bar ++systemd-delta --diff=true ++systemd-delta --diff=false ++ ++for type in masked equivalent redirected overridden extended unchanged; do ++ systemd-delta --type="$type" ++ systemd-delta --type="$type" /run ++done ++systemd-delta --type=equivalent,redirected ++ ++(! systemd-delta --diff=foo) ++(! systemd-delta --type=foo) ++(! systemd-delta --type=equivalent,redirected,foo) +diff --git a/test/units/testsuite-74.firstboot.sh b/test/units/testsuite-74.firstboot.sh +new file mode 100755 +index 0000000000..02f9f5cd7a +--- /dev/null ++++ b/test/units/testsuite-74.firstboot.sh +@@ -0,0 +1,145 @@ ++#!/usr/bin/env bash ++# SPDX-License-Identifier: LGPL-2.1-or-later ++set -eux ++set -o pipefail ++ ++if ! command -v systemd-firstboot >/dev/null; then ++ echo "systemd-firstboot not found, skipping the test" ++ exit 0 ++fi ++ ++at_exit() { ++ if [[ -v ROOT && -n "$ROOT" ]]; then ++ ls -lR "$ROOT" ++ rm -fr "$ROOT" ++ fi ++} ++ ++trap at_exit EXIT ++ ++# Generated via `mkpasswd -m sha-512 -S foobarsalt password1` ++# shellcheck disable=SC2016 ++ROOT_HASHED_PASSWORD1='$6$foobarsalt$YbwdaATX6IsFxvWbY3QcZj2gB31R/LFRFrjlFrJtTTqFtSfn4dfOAg/km2k4Sl.a2g7LOYDo31wMTaEsCo9j41' ++# Generated via `mkpasswd -m sha-512 -S foobarsalt password2` ++# shellcheck disable=SC2016 ++ROOT_HASHED_PASSWORD2='$6$foobarsalt$q.P2932zYMLbKnjFwIxPI8y3iuxeuJ2BgE372LcZMMnj3Gcg/9mJg2LPKUl.ha0TG/.fRNNnRQcLfzM0SNot3.' ++ ++# Create a minimal root so we don't modify the testbed ++ROOT=test-root ++mkdir -p "$ROOT/bin" ++# Dummy shell for --root-shell= ++touch "$ROOT/bin/fooshell" "$ROOT/bin/barshell" ++ ++systemd-firstboot --root="$ROOT" --locale=foo ++grep -q "LANG=foo" "$ROOT/etc/locale.conf" ++rm -fv "$ROOT/etc/locale.conf" ++# FIXME: https://github.com/systemd/systemd/issues/25249 ++#systemd-firstboot --root="$ROOT" --locale-messages=foo ++#grep -q "LC_MESSAGES=foo" "$ROOT/etc/locale.conf" ++#rm -fv "$ROOT/etc/locale.conf" ++systemd-firstboot --root="$ROOT" --locale=foo --locale-messages=bar ++grep -q "LANG=foo" "$ROOT/etc/locale.conf" ++grep -q "LC_MESSAGES=bar" "$ROOT/etc/locale.conf" ++ ++systemd-firstboot --root="$ROOT" --keymap=foo ++grep -q "KEYMAP=foo" "$ROOT/etc/vconsole.conf" ++ ++systemd-firstboot --root="$ROOT" --timezone=Europe/Berlin ++readlink "$ROOT/etc/localtime" | grep -q "Europe/Berlin" ++ ++systemd-firstboot --root="$ROOT" --hostname "foobar" ++grep -q "foobar" "$ROOT/etc/hostname" ++ ++systemd-firstboot --root="$ROOT" --machine-id=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa ++grep -q "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "$ROOT/etc/machine-id" ++ ++rm -fv "$ROOT/etc/passwd" "$ROOT/etc/shadow" ++systemd-firstboot --root="$ROOT" --root-password=foo ++grep -q "^root:x:0:0:" "$ROOT/etc/passwd" ++grep -q "^root:" "$ROOT/etc/shadow" ++rm -fv "$ROOT/etc/passwd" "$ROOT/etc/shadow" ++echo "foo" >root.passwd ++systemd-firstboot --root="$ROOT" --root-password-file=root.passwd ++grep -q "^root:x:0:0:" "$ROOT/etc/passwd" ++grep -q "^root:" "$ROOT/etc/shadow" ++rm -fv "$ROOT/etc/passwd" "$ROOT/etc/shadow" root.passwd ++# Set the shell together with the password, as firstboot won't touch ++# /etc/passwd if it already exists ++systemd-firstboot --root="$ROOT" --root-password-hashed="$ROOT_HASHED_PASSWORD1" --root-shell=/bin/fooshell ++grep -q "^root:x:0:0:.*:/bin/fooshell$" "$ROOT/etc/passwd" ++grep -q "^root:$ROOT_HASHED_PASSWORD1:" "$ROOT/etc/shadow" ++ ++systemd-firstboot --root="$ROOT" --kernel-command-line="foo.bar=42" ++grep -q "foo.bar=42" "$ROOT/etc/kernel/cmdline" ++ ++# Configs should not get overwritten if they exist unless --force is used ++systemd-firstboot --root="$ROOT" \ ++ --locale=locale-overwrite \ ++ --locale-messages=messages-overwrite \ ++ --keymap=keymap-overwrite \ ++ --timezone=CET \ ++ --hostname=hostname-overwrite \ ++ --machine-id=bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb \ ++ --root-password-hashed="$ROOT_HASHED_PASSWORD2" \ ++ --root-shell=/bin/barshell \ ++ --kernel-command-line="hello.world=0" ++grep -q "LANG=foo" "$ROOT/etc/locale.conf" ++grep -q "LC_MESSAGES=bar" "$ROOT/etc/locale.conf" ++grep -q "KEYMAP=foo" "$ROOT/etc/vconsole.conf" ++readlink "$ROOT/etc/localtime" | grep -q "Europe/Berlin$" ++grep -q "foobar" "$ROOT/etc/hostname" ++grep -q "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "$ROOT/etc/machine-id" ++grep -q "^root:x:0:0:.*:/bin/fooshell$" "$ROOT/etc/passwd" ++grep -q "^root:$ROOT_HASHED_PASSWORD1:" "$ROOT/etc/shadow" ++grep -q "foo.bar=42" "$ROOT/etc/kernel/cmdline" ++ ++# The same thing, but now with --force ++systemd-firstboot --root="$ROOT" --force \ ++ --locale=locale-overwrite \ ++ --locale-messages=messages-overwrite \ ++ --keymap=keymap-overwrite \ ++ --timezone=CET \ ++ --hostname=hostname-overwrite \ ++ --machine-id=bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb \ ++ --root-password-hashed="$ROOT_HASHED_PASSWORD2" \ ++ --root-shell=/bin/barshell \ ++ --kernel-command-line="hello.world=0" ++grep -q "LANG=locale-overwrite" "$ROOT/etc/locale.conf" ++grep -q "LC_MESSAGES=messages-overwrite" "$ROOT/etc/locale.conf" ++grep -q "KEYMAP=keymap-overwrite" "$ROOT/etc/vconsole.conf" ++readlink "$ROOT/etc/localtime" | grep -q "/CET$" ++grep -q "hostname-overwrite" "$ROOT/etc/hostname" ++grep -q "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb" "$ROOT/etc/machine-id" ++grep -q "^root:x:0:0:.*:/bin/barshell$" "$ROOT/etc/passwd" ++grep -q "^root:$ROOT_HASHED_PASSWORD2:" "$ROOT/etc/shadow" ++grep -q "hello.world=0" "$ROOT/etc/kernel/cmdline" ++ ++# --copy-* options ++rm -fr "$ROOT" ++mkdir "$ROOT" ++# Copy everything at once (--copy) ++systemd-firstboot --root="$ROOT" --copy ++diff /etc/locale.conf "$ROOT/etc/locale.conf" ++diff <(awk -F: '/^root/ { print $7; }' /etc/passwd) <(awk -F: '/^root/ { print $7; }' "$ROOT/etc/passwd") ++diff <(awk -F: '/^root/ { print $2; }' /etc/shadow) <(awk -F: '/^root/ { print $2; }' "$ROOT/etc/shadow") ++[[ -e /etc/vconsole.conf ]] && diff /etc/vconsole.conf "$ROOT/etc/vconsole.conf" ++[[ -e /etc/localtime ]] && diff <(readlink /etc/localtime) <(readlink "$ROOT/etc/localtime") ++rm -fr "$ROOT" ++mkdir "$ROOT" ++# Copy everything at once, but now by using separate switches ++systemd-firstboot --root="$ROOT" --copy-locale --copy-keymap --copy-timezone --copy-root-password --copy-root-shell ++diff /etc/locale.conf "$ROOT/etc/locale.conf" ++diff <(awk -F: '/^root/ { print $7; }' /etc/passwd) <(awk -F: '/^root/ { print $7; }' "$ROOT/etc/passwd") ++diff <(awk -F: '/^root/ { print $2; }' /etc/shadow) <(awk -F: '/^root/ { print $2; }' "$ROOT/etc/shadow") ++[[ -e /etc/vconsole.conf ]] && diff /etc/vconsole.conf "$ROOT/etc/vconsole.conf" ++[[ -e /etc/localtime ]] && diff <(readlink /etc/localtime) <(readlink "$ROOT/etc/localtime") ++ ++# Assorted tests ++rm -fr "$ROOT" ++mkdir "$ROOT" ++ ++systemd-firstboot --root="$ROOT" --setup-machine-id ++grep -E "[a-z0-9]{32}" "$ROOT/etc/machine-id" ++ ++systemd-firstboot --root="$ROOT" --delete-root-password ++diff <(echo) <(awk -F: '/^root/ { print $2; }' "$ROOT/etc/shadow") +diff --git a/test/units/testsuite-74.service b/test/units/testsuite-74.service +new file mode 100644 +index 0000000000..f782132a92 +--- /dev/null ++++ b/test/units/testsuite-74.service +@@ -0,0 +1,8 @@ ++# SPDX-License-Identifier: LGPL-2.1-or-later ++[Unit] ++Description=TEST-74-AUX-UTILS ++ ++[Service] ++ExecStartPre=rm -f /failed /testok ++ExecStart=/usr/lib/systemd/tests/testdata/units/%N.sh ++Type=oneshot +diff --git a/test/units/testsuite-74.sh b/test/units/testsuite-74.sh +new file mode 100755 +index 0000000000..13c767e490 +--- /dev/null ++++ b/test/units/testsuite-74.sh +@@ -0,0 +1,14 @@ ++#!/usr/bin/env bash ++# SPDX-License-Identifier: LGPL-2.1-or-later ++set -eux ++set -o pipefail ++ ++: >/failed ++ ++for script in "${0%.sh}".*.sh; do ++ echo "Running $script" ++ "./$script" ++done ++ ++touch /testok ++rm /failed +-- +2.38.1 + diff --git a/0023-firstboot-fix-segfault-when-locale-messages-is-passe.patch b/0023-firstboot-fix-segfault-when-locale-messages-is-passe.patch new file mode 100644 index 0000000..e1d37c1 --- /dev/null +++ b/0023-firstboot-fix-segfault-when-locale-messages-is-passe.patch @@ -0,0 +1,59 @@ +From 1ef6ffdf0923095752665c7ff6062514dfa6c6bf Mon Sep 17 00:00:00 2001 +From: Luca Boccassi +Date: Fri, 4 Nov 2022 00:01:16 +0000 +Subject: [PATCH] firstboot: fix segfault when --locale-messages= is passed + without --locale= + +\#0 __strcmp_evex () at ../sysdeps/x86_64/multiarch/strcmp-evex.S:295 +No locals. +\#1 0x0000557444eb172b in process_locale () at ../src/firstboot/firstboot.c:342 + etc_localeconf = 0x7ffd40217b80 "/root/root/etc/locale.conf" + locales = {0x0, 0x0, 0x0} + i = 0 + r = + __PRETTY_FUNCTION__ = "process_locale" + __func__ = "process_locale" +\#2 0x0000557444eaff93 in run (argv=0x7ffd40217d98, argc=3) at ../src/firstboot/firstboot.c:1401 + loop_device = 0x0 + unlink_dir = 0x0 + r = + loop_device = + unlink_dir = + r = + __func__ = + __PRETTY_FUNCTION__ = + enabled = + _error = + _level = + _e = + _level = + _e = +\#3 main (argc=3, argv=0x7ffd40217d98) at ../src/firstboot/firstboot.c:1432 + r = + __PRETTY_FUNCTION__ = "main" + +Fixes https://github.com/systemd/systemd/issues/25249 + +(cherry picked from commit 4c4a73ce068ef16cfe7ad07c7c3386ac1dbc58fe) + +Related #2138081 +--- + src/firstboot/firstboot.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/firstboot/firstboot.c b/src/firstboot/firstboot.c +index 065ee896cd..63db78b52d 100644 +--- a/src/firstboot/firstboot.c ++++ b/src/firstboot/firstboot.c +@@ -339,7 +339,7 @@ static int process_locale(void) { + + if (!isempty(arg_locale)) + locales[i++] = strjoina("LANG=", arg_locale); +- if (!isempty(arg_locale_messages) && !streq(arg_locale_messages, arg_locale)) ++ if (!isempty(arg_locale_messages) && !streq_ptr(arg_locale_messages, arg_locale)) + locales[i++] = strjoina("LC_MESSAGES=", arg_locale_messages); + + if (i == 0) +-- +2.38.1 + diff --git a/0024-tests-make-test-execute-pass-on-openSUSE.patch b/0024-tests-make-test-execute-pass-on-openSUSE.patch new file mode 100644 index 0000000..2dbf06d --- /dev/null +++ b/0024-tests-make-test-execute-pass-on-openSUSE.patch @@ -0,0 +1,79 @@ +From 1d41d2789bb67f5909d6974d2fd916e462a0a5cf Mon Sep 17 00:00:00 2001 +From: Franck Bui +Date: Fri, 4 Nov 2022 12:24:10 +0100 +Subject: [PATCH] tests: make test-execute pass on openSUSE + +In my understanding user group "3" (aka "sys") is kept for historical reasons +but not really useful these days. That's probably explained why this group +isn't defined on openSUSE. + +Hence let's drop reference to this user group, this shouldn't lessen the +revelance of the test since SupplementaryGroups= is still tested with 2 other +groups. + +(cherry picked from commit d723b0467d7b8c5c772086d5352442f3fca4368d) + +Related #2138081 +--- + test/test-execute/exec-dynamicuser-supplementarygroups.service | 3 +-- + ...plementarygroups-multiple-groups-default-group-user.service | 3 +-- + .../exec-supplementarygroups-multiple-groups-withgid.service | 3 +-- + .../exec-supplementarygroups-multiple-groups-withuid.service | 3 +-- + 4 files changed, 4 insertions(+), 8 deletions(-) + +diff --git a/test/test-execute/exec-dynamicuser-supplementarygroups.service b/test/test-execute/exec-dynamicuser-supplementarygroups.service +index fb0b57bc00..53ba0ec7cb 100644 +--- a/test/test-execute/exec-dynamicuser-supplementarygroups.service ++++ b/test/test-execute/exec-dynamicuser-supplementarygroups.service +@@ -5,7 +5,6 @@ Description=Test DynamicUser with SupplementaryGroups= + [Service] + ExecStart=/bin/sh -x -c 'HAVE=0; for g in $$(id -G); do test "$$g" = "1" && HAVE=1; done; test "$$HAVE" -eq 1' + ExecStart=/bin/sh -x -c 'HAVE=0; for g in $$(id -G); do test "$$g" = "2" && HAVE=1; done; test "$$HAVE" -eq 1' +-ExecStart=/bin/sh -x -c 'HAVE=0; for g in $$(id -G); do test "$$g" = "3" && HAVE=1; done; test "$$HAVE" -eq 1' + Type=oneshot + DynamicUser=yes +-SupplementaryGroups=1 2 3 ++SupplementaryGroups=1 2 +diff --git a/test/test-execute/exec-supplementarygroups-multiple-groups-default-group-user.service b/test/test-execute/exec-supplementarygroups-multiple-groups-default-group-user.service +index 362e539287..4cb0326320 100644 +--- a/test/test-execute/exec-supplementarygroups-multiple-groups-default-group-user.service ++++ b/test/test-execute/exec-supplementarygroups-multiple-groups-default-group-user.service +@@ -6,7 +6,6 @@ Description=Test for Supplementary Group with multiple groups without Group and + ExecStart=/bin/sh -x -c 'HAVE=0; for g in $$(id -G); do test "$$g" = "%G" && HAVE=1; done; test "$$HAVE" -eq 1' + ExecStart=/bin/sh -x -c 'HAVE=0; for g in $$(id -G); do test "$$g" = "1" && HAVE=1; done; test "$$HAVE" -eq 1' + ExecStart=/bin/sh -x -c 'HAVE=0; for g in $$(id -G); do test "$$g" = "2" && HAVE=1; done; test "$$HAVE" -eq 1' +-ExecStart=/bin/sh -x -c 'HAVE=0; for g in $$(id -G); do test "$$g" = "3" && HAVE=1; done; test "$$HAVE" -eq 1' + ExecStart=/bin/sh -x -c 'test "$$(id -g)" = "%G" && test "$$(id -u)" = "%U"' + Type=oneshot +-SupplementaryGroups=1 2 3 ++SupplementaryGroups=1 2 +diff --git a/test/test-execute/exec-supplementarygroups-multiple-groups-withgid.service b/test/test-execute/exec-supplementarygroups-multiple-groups-withgid.service +index ff3fdc8142..e11743d754 100644 +--- a/test/test-execute/exec-supplementarygroups-multiple-groups-withgid.service ++++ b/test/test-execute/exec-supplementarygroups-multiple-groups-withgid.service +@@ -5,8 +5,7 @@ Description=Test for Supplementary Group with multiple groups and Group=1 + [Service] + ExecStart=/bin/sh -x -c 'HAVE=0; for g in $$(id -G); do test "$$g" = "1" && HAVE=1; done; test "$$HAVE" -eq 1' + ExecStart=/bin/sh -x -c 'HAVE=0; for g in $$(id -G); do test "$$g" = "2" && HAVE=1; done; test "$$HAVE" -eq 1' +-ExecStart=/bin/sh -x -c 'HAVE=0; for g in $$(id -G); do test "$$g" = "3" && HAVE=1; done; test "$$HAVE" -eq 1' + ExecStart=/bin/sh -x -c 'test "$$(id -g)" = "1" && test "$$(id -u)" = "%U"' + Type=oneshot + Group=1 +-SupplementaryGroups=1 2 3 ++SupplementaryGroups=1 2 +diff --git a/test/test-execute/exec-supplementarygroups-multiple-groups-withuid.service b/test/test-execute/exec-supplementarygroups-multiple-groups-withuid.service +index f35ff84765..3efbbfb0f9 100644 +--- a/test/test-execute/exec-supplementarygroups-multiple-groups-withuid.service ++++ b/test/test-execute/exec-supplementarygroups-multiple-groups-withuid.service +@@ -5,7 +5,6 @@ Description=Test for Supplementary Group with multiple groups and Uid=1 + [Service] + ExecStart=/bin/sh -x -c 'HAVE=0; for g in $$(id -G); do test "$$g" = "1" && HAVE=1; done; test "$$HAVE" -eq 1' + ExecStart=/bin/sh -x -c 'HAVE=0; for g in $$(id -G); do test "$$g" = "2" && HAVE=1; done; test "$$HAVE" -eq 1' +-ExecStart=/bin/sh -x -c 'HAVE=0; for g in $$(id -G); do test "$$g" = "3" && HAVE=1; done; test "$$HAVE" -eq 1' + Type=oneshot + User=1 +-SupplementaryGroups=1 2 3 ++SupplementaryGroups=1 2 +-- +2.38.1 + diff --git a/0025-tests-minor-simplification-in-test-execute.patch b/0025-tests-minor-simplification-in-test-execute.patch new file mode 100644 index 0000000..0d843f3 --- /dev/null +++ b/0025-tests-minor-simplification-in-test-execute.patch @@ -0,0 +1,153 @@ +From 5685a8b01abf34ec5da7c43a99ede6e3bb7394eb Mon Sep 17 00:00:00 2001 +From: Franck Bui +Date: Fri, 4 Nov 2022 12:50:04 +0100 +Subject: [PATCH] tests: minor simplification in test-execute + +No functional change. + +(cherry picked from commit 09415aef940f4a471da7cb899b9a66f1504d7c77) + +Related #2138081 +--- + ...xec-dynamicuser-fixeduser-one-supplementarygroup.service | 2 +- + test/test-execute/exec-dynamicuser-fixeduser.service | 2 +- + .../exec-dynamicuser-supplementarygroups.service | 4 ++-- + ...mentarygroups-multiple-groups-default-group-user.service | 6 +++--- + ...exec-supplementarygroups-multiple-groups-withgid.service | 4 ++-- + ...exec-supplementarygroups-multiple-groups-withuid.service | 4 ++-- + .../exec-supplementarygroups-single-group-user.service | 2 +- + .../exec-supplementarygroups-single-group.service | 2 +- + test/test-execute/exec-supplementarygroups.service | 4 ++-- + 9 files changed, 15 insertions(+), 15 deletions(-) + +diff --git a/test/test-execute/exec-dynamicuser-fixeduser-one-supplementarygroup.service b/test/test-execute/exec-dynamicuser-fixeduser-one-supplementarygroup.service +index 0c2a218be0..bbb1af5fb3 100644 +--- a/test/test-execute/exec-dynamicuser-fixeduser-one-supplementarygroup.service ++++ b/test/test-execute/exec-dynamicuser-fixeduser-one-supplementarygroup.service +@@ -3,7 +3,7 @@ + Description=Test DynamicUser with User= and SupplementaryGroups= + + [Service] +-ExecStart=/bin/sh -x -c 'HAVE=0; for g in $$(id -G); do test "$$g" = "1" && HAVE=1; done; test "$$HAVE" -eq 1' ++ExecStart=/bin/sh -x -c 'for g in $$(id -G); do test "$$g" = "1" && exit 0; done; exit 1' + ExecStart=/bin/sh -x -c 'test "$$(id -g)" = "1" && test "$$(id -u)" = "1"' + Type=oneshot + User=1 +diff --git a/test/test-execute/exec-dynamicuser-fixeduser.service b/test/test-execute/exec-dynamicuser-fixeduser.service +index 061bbd2b93..c5828c2a93 100644 +--- a/test/test-execute/exec-dynamicuser-fixeduser.service ++++ b/test/test-execute/exec-dynamicuser-fixeduser.service +@@ -3,7 +3,7 @@ + Description=Test DynamicUser with User= + + [Service] +-ExecStart=/bin/sh -x -c 'HAVE=0; for g in $$(id -G); do test "$$g" = "1" && HAVE=1; done; test "$$HAVE" -eq 1' ++ExecStart=/bin/sh -x -c 'for g in $$(id -G); do test "$$g" = "1" && exit 0; done; exit 1' + ExecStart=/bin/sh -x -c 'test "$$(id -g)" = "1" && test "$$(id -u)" = "1"' + Type=oneshot + User=1 +diff --git a/test/test-execute/exec-dynamicuser-supplementarygroups.service b/test/test-execute/exec-dynamicuser-supplementarygroups.service +index 53ba0ec7cb..d601af272e 100644 +--- a/test/test-execute/exec-dynamicuser-supplementarygroups.service ++++ b/test/test-execute/exec-dynamicuser-supplementarygroups.service +@@ -3,8 +3,8 @@ + Description=Test DynamicUser with SupplementaryGroups= + + [Service] +-ExecStart=/bin/sh -x -c 'HAVE=0; for g in $$(id -G); do test "$$g" = "1" && HAVE=1; done; test "$$HAVE" -eq 1' +-ExecStart=/bin/sh -x -c 'HAVE=0; for g in $$(id -G); do test "$$g" = "2" && HAVE=1; done; test "$$HAVE" -eq 1' ++ExecStart=/bin/sh -x -c 'for g in $$(id -G); do test "$$g" = "1" && exit 0; done; exit 1' ++ExecStart=/bin/sh -x -c 'for g in $$(id -G); do test "$$g" = "2" && exit 0; done; exit 1' + Type=oneshot + DynamicUser=yes + SupplementaryGroups=1 2 +diff --git a/test/test-execute/exec-supplementarygroups-multiple-groups-default-group-user.service b/test/test-execute/exec-supplementarygroups-multiple-groups-default-group-user.service +index 4cb0326320..0ecc34441c 100644 +--- a/test/test-execute/exec-supplementarygroups-multiple-groups-default-group-user.service ++++ b/test/test-execute/exec-supplementarygroups-multiple-groups-default-group-user.service +@@ -3,9 +3,9 @@ + Description=Test for Supplementary Group with multiple groups without Group and User + + [Service] +-ExecStart=/bin/sh -x -c 'HAVE=0; for g in $$(id -G); do test "$$g" = "%G" && HAVE=1; done; test "$$HAVE" -eq 1' +-ExecStart=/bin/sh -x -c 'HAVE=0; for g in $$(id -G); do test "$$g" = "1" && HAVE=1; done; test "$$HAVE" -eq 1' +-ExecStart=/bin/sh -x -c 'HAVE=0; for g in $$(id -G); do test "$$g" = "2" && HAVE=1; done; test "$$HAVE" -eq 1' ++ExecStart=/bin/sh -x -c 'for g in $$(id -G); do test "$$g" = "%G" && exit 0; done; exit 1' ++ExecStart=/bin/sh -x -c 'for g in $$(id -G); do test "$$g" = "1" && exit 0; done; exit 1' ++ExecStart=/bin/sh -x -c 'for g in $$(id -G); do test "$$g" = "2" && exit 0; done; exit 1' + ExecStart=/bin/sh -x -c 'test "$$(id -g)" = "%G" && test "$$(id -u)" = "%U"' + Type=oneshot + SupplementaryGroups=1 2 +diff --git a/test/test-execute/exec-supplementarygroups-multiple-groups-withgid.service b/test/test-execute/exec-supplementarygroups-multiple-groups-withgid.service +index e11743d754..cd1021bbdf 100644 +--- a/test/test-execute/exec-supplementarygroups-multiple-groups-withgid.service ++++ b/test/test-execute/exec-supplementarygroups-multiple-groups-withgid.service +@@ -3,8 +3,8 @@ + Description=Test for Supplementary Group with multiple groups and Group=1 + + [Service] +-ExecStart=/bin/sh -x -c 'HAVE=0; for g in $$(id -G); do test "$$g" = "1" && HAVE=1; done; test "$$HAVE" -eq 1' +-ExecStart=/bin/sh -x -c 'HAVE=0; for g in $$(id -G); do test "$$g" = "2" && HAVE=1; done; test "$$HAVE" -eq 1' ++ExecStart=/bin/sh -x -c 'for g in $$(id -G); do test "$$g" = "1" && exit 0; done; exit 1' ++ExecStart=/bin/sh -x -c 'for g in $$(id -G); do test "$$g" = "2" && exit 0; done; exit 1' + ExecStart=/bin/sh -x -c 'test "$$(id -g)" = "1" && test "$$(id -u)" = "%U"' + Type=oneshot + Group=1 +diff --git a/test/test-execute/exec-supplementarygroups-multiple-groups-withuid.service b/test/test-execute/exec-supplementarygroups-multiple-groups-withuid.service +index 3efbbfb0f9..7913a2c2ed 100644 +--- a/test/test-execute/exec-supplementarygroups-multiple-groups-withuid.service ++++ b/test/test-execute/exec-supplementarygroups-multiple-groups-withuid.service +@@ -3,8 +3,8 @@ + Description=Test for Supplementary Group with multiple groups and Uid=1 + + [Service] +-ExecStart=/bin/sh -x -c 'HAVE=0; for g in $$(id -G); do test "$$g" = "1" && HAVE=1; done; test "$$HAVE" -eq 1' +-ExecStart=/bin/sh -x -c 'HAVE=0; for g in $$(id -G); do test "$$g" = "2" && HAVE=1; done; test "$$HAVE" -eq 1' ++ExecStart=/bin/sh -x -c 'for g in $$(id -G); do test "$$g" = "1" && exit 0; done; exit 1' ++ExecStart=/bin/sh -x -c 'for g in $$(id -G); do test "$$g" = "2" && exit 0; done; exit 1' + Type=oneshot + User=1 + SupplementaryGroups=1 2 +diff --git a/test/test-execute/exec-supplementarygroups-single-group-user.service b/test/test-execute/exec-supplementarygroups-single-group-user.service +index aae71d0a30..ee4017e74e 100644 +--- a/test/test-execute/exec-supplementarygroups-single-group-user.service ++++ b/test/test-execute/exec-supplementarygroups-single-group-user.service +@@ -3,7 +3,7 @@ + Description=Test for Supplementary Group with only one group and uid 1 + + [Service] +-ExecStart=/bin/sh -x -c 'HAVE=0; for g in $$(id -G); do test "$$g" = "1" && HAVE=1; done; test "$$HAVE" -eq 1' ++ExecStart=/bin/sh -x -c 'for g in $$(id -G); do test "$$g" = "1" && exit 0; done; exit 1' + ExecStart=/bin/sh -x -c 'test "$$(id -g)" = "1" && test "$$(id -u)" = "1"' + Type=oneshot + User=1 +diff --git a/test/test-execute/exec-supplementarygroups-single-group.service b/test/test-execute/exec-supplementarygroups-single-group.service +index c870774382..62275201cc 100644 +--- a/test/test-execute/exec-supplementarygroups-single-group.service ++++ b/test/test-execute/exec-supplementarygroups-single-group.service +@@ -3,7 +3,7 @@ + Description=Test for Supplementary Group with only one group + + [Service] +-ExecStart=/bin/sh -x -c 'HAVE=; for g in $$(id -G); do test "$$g" = "1" && HAVE=1; done; test "$$HAVE" -eq 1' ++ExecStart=/bin/sh -x -c 'for g in $$(id -G); do test "$$g" = "1" && exit 0; done; exit 1' + ExecStart=/bin/sh -x -c 'test "$$(id -g)" = "1" && test "$$(id -u)" = "0"' + Type=oneshot + Group=1 +diff --git a/test/test-execute/exec-supplementarygroups.service b/test/test-execute/exec-supplementarygroups.service +index 75601eab57..03406c3ee8 100644 +--- a/test/test-execute/exec-supplementarygroups.service ++++ b/test/test-execute/exec-supplementarygroups.service +@@ -3,7 +3,7 @@ + Description=Test for Supplementary Group + + [Service] +-ExecStart=/bin/sh -x -c 'HAVE=0; for g in $$(id -G); do test "$$g" = "%G" && HAVE=1; done; test "$$HAVE" -eq 1' +-ExecStart=/bin/sh -x -c 'HAVE=0; for g in $$(id -G); do test "$$g" = "1" && HAVE=1; done; test "$$HAVE" -eq 1' ++ExecStart=/bin/sh -x -c 'for g in $$(id -G); do test "$$g" = "%G" && exit 0; done; exit 1' ++ExecStart=/bin/sh -x -c 'for g in $$(id -G); do test "$$g" = "1" && exit 0; done; exit 1' + Type=oneshot + SupplementaryGroups=1 +-- +2.38.1 + diff --git a/0026-tmpfiles.d-do-not-fail-if-provision.conf-fails.patch b/0026-tmpfiles.d-do-not-fail-if-provision.conf-fails.patch new file mode 100644 index 0000000..fe82b3a --- /dev/null +++ b/0026-tmpfiles.d-do-not-fail-if-provision.conf-fails.patch @@ -0,0 +1,32 @@ +From 6d8f91ab2f7db862d95d0565bad3aaf4279c00bc Mon Sep 17 00:00:00 2001 +From: Luca Boccassi +Date: Thu, 3 Nov 2022 20:10:57 +0000 +Subject: [PATCH] tmpfiles.d: do not fail if provision.conf fails + +On a read-only filesystem creating /root/.ssh might fail, but that's ok. +Do not fail the run, as this is only needed to add the credential, which +is a separate step. + +(cherry picked from commit e0fc9be37e4d15e2c322eb8281692c2639dac023) + +Related #2138081 +--- + tmpfiles.d/provision.conf | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/tmpfiles.d/provision.conf b/tmpfiles.d/provision.conf +index 3c56f42d58..093104aaaf 100644 +--- a/tmpfiles.d/provision.conf ++++ b/tmpfiles.d/provision.conf +@@ -17,6 +17,6 @@ f^ /etc/issue.d/50-provision.conf - - - - login.issue + f^ /etc/hosts - - - - network.hosts + + # Provision SSH key for root +-d /root :0700 root :root - +-d /root/.ssh :0700 root :root - ++d- /root :0700 root :root - ++d- /root/.ssh :0700 root :root - + f^ /root/.ssh/authorized_keys :0600 root :root - ssh.authorized_keys.root +-- +2.38.1 + diff --git a/0027-kernel-install-90-loaderentry-do-not-add-multiple-sy.patch b/0027-kernel-install-90-loaderentry-do-not-add-multiple-sy.patch new file mode 100644 index 0000000..0e03529 --- /dev/null +++ b/0027-kernel-install-90-loaderentry-do-not-add-multiple-sy.patch @@ -0,0 +1,34 @@ +From d3b559f5e561750e6c50449b2ca84b40abeb492d Mon Sep 17 00:00:00 2001 +From: Antonio Alvarez Feijoo +Date: Fri, 4 Nov 2022 09:57:24 +0100 +Subject: [PATCH] kernel-install/90-loaderentry: do not add multiple + systemd.machine_id options + +Do not unconditionally add a new systemd.machine_id command line option, first +check if it already exists with the expected value. + +Fixes #25203 + +(cherry picked from commit 981502c5cc9ce32c3f77ff74aad87cd6f0da3b16) + +Related #2138081 +--- + src/kernel-install/90-loaderentry.install | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/kernel-install/90-loaderentry.install b/src/kernel-install/90-loaderentry.install +index 743af33aa9..ea75e1b0d8 100755 +--- a/src/kernel-install/90-loaderentry.install ++++ b/src/kernel-install/90-loaderentry.install +@@ -85,7 +85,7 @@ BOOT_OPTIONS="${BOOT_OPTIONS% }" + # command line with the machine ID we use, so that the machine ID remains + # stable, even during factory reset, in the initrd (where the system's machine + # ID is not directly accessible yet), and if the root file system is volatile. +-if [ "$ENTRY_TOKEN" = "$MACHINE_ID" ]; then ++if [ "$ENTRY_TOKEN" = "$MACHINE_ID" ] && ! echo "$BOOT_OPTIONS" | grep -q "systemd.machine_id=$MACHINE_ID"; then + BOOT_OPTIONS="$BOOT_OPTIONS systemd.machine_id=$MACHINE_ID" + fi + +-- +2.38.1 + diff --git a/0028-condition-Check-that-subsystem-is-enabled-in-Conditi.patch b/0028-condition-Check-that-subsystem-is-enabled-in-Conditi.patch new file mode 100644 index 0000000..342e1b0 --- /dev/null +++ b/0028-condition-Check-that-subsystem-is-enabled-in-Conditi.patch @@ -0,0 +1,123 @@ +From 1b7dfe48d6d66cad5d0368b8e8b387a4d9586ccd Mon Sep 17 00:00:00 2001 +From: Daan De Meyer +Date: Thu, 27 Oct 2022 11:12:10 +0200 +Subject: [PATCH] condition: Check that subsystem is enabled in + ConditionSecurity=tpm2 + +Instead of succeeding when either the firmware reports a TPM device +or we find a TPM device, let's check that the firmware reports a TPM +device and the TPM subsystem is enabled in the kernel. + +To check whether the subsystem enabled, we check if the relevant +subdirectory in /sys exists at all. + +(cherry picked from commit 300bba79c22e4be1effe2faad0e59ac725d396a1) + +Related #2138081 +--- + man/systemd-creds.xml | 4 ++-- + src/creds/creds.c | 6 ++++-- + src/shared/condition.c | 9 ++++----- + src/shared/tpm2-util.c | 6 +++++- + src/shared/tpm2-util.h | 11 ++++++----- + 5 files changed, 21 insertions(+), 15 deletions(-) + +diff --git a/man/systemd-creds.xml b/man/systemd-creds.xml +index 1e5632e63d..003fbcd463 100644 +--- a/man/systemd-creds.xml ++++ b/man/systemd-creds.xml +@@ -175,8 +175,8 @@ + by the OS kernel drivers and by userspace (i.e. systemd) this prints yes and exits + with exit status zero. If no such device is discovered/supported/used, prints + no. Otherwise prints partial. In either of these two cases +- exits with non-zero exit status. It also shows three lines indicating separately whether drivers, +- firmware and the system discovered/support/use TPM2. ++ exits with non-zero exit status. It also shows four lines indicating separately whether firmware, ++ drivers, the system and the kernel discovered/support/use TPM2. + + Combine with to suppress the output. + +diff --git a/src/creds/creds.c b/src/creds/creds.c +index 5586fd776a..a755a52c34 100644 +--- a/src/creds/creds.c ++++ b/src/creds/creds.c +@@ -637,10 +637,12 @@ static int verb_has_tpm2(int argc, char **argv, void *userdata) { + + printf("%sfirmware\n" + "%sdriver\n" +- "%ssystem\n", ++ "%ssystem\n" ++ "%ssubsystem\n", + plus_minus(s & TPM2_SUPPORT_FIRMWARE), + plus_minus(s & TPM2_SUPPORT_DRIVER), +- plus_minus(s & TPM2_SUPPORT_SYSTEM)); ++ plus_minus(s & TPM2_SUPPORT_SYSTEM), ++ plus_minus(s & TPM2_SUPPORT_SUBSYSTEM)); + } + + /* Return inverted bit flags. So that TPM2_SUPPORT_FULL becomes EXIT_SUCCESS and the other values +diff --git a/src/shared/condition.c b/src/shared/condition.c +index 310ffcbdc6..a23d6a3e45 100644 +--- a/src/shared/condition.c ++++ b/src/shared/condition.c +@@ -664,14 +664,13 @@ static int condition_test_ac_power(Condition *c, char **env) { + } + + static int has_tpm2(void) { +- /* Checks whether the system has at least one TPM2 resource manager device, i.e. at least one "tpmrm" +- * class device. Alternatively, we are also happy if the firmware reports support (this is to cover +- * for cases where we simply haven't loaded the driver for it yet, i.e. during early boot where we +- * very likely want to use this condition check). ++ /* Checks whether the kernel has the TPM subsystem enabled and the firmware reports support. Note ++ * we don't check for actual TPM devices, since we might not have loaded the driver for it yet, i.e. ++ * during early boot where we very likely want to use this condition check). + * + * Note that we don't check if we ourselves are built with TPM2 support here! */ + +- return (tpm2_support() & (TPM2_SUPPORT_DRIVER|TPM2_SUPPORT_FIRMWARE)) != 0; ++ return FLAGS_SET(tpm2_support(), TPM2_SUPPORT_SUBSYSTEM|TPM2_SUPPORT_FIRMWARE); + } + + static int condition_test_security(Condition *c, char **env) { +diff --git a/src/shared/tpm2-util.c b/src/shared/tpm2-util.c +index 13e92c4144..65e8d48347 100644 +--- a/src/shared/tpm2-util.c ++++ b/src/shared/tpm2-util.c +@@ -2189,7 +2189,11 @@ Tpm2Support tpm2_support(void) { + if (r != -ENOENT) + log_debug_errno(r, "Unable to test whether /sys/class/tpmrm/ exists and is populated, assuming it is not: %m"); + } else if (r == 0) /* populated! */ +- support |= TPM2_SUPPORT_DRIVER; ++ support |= TPM2_SUPPORT_SUBSYSTEM|TPM2_SUPPORT_DRIVER; ++ else ++ /* If the directory exists but is empty, we know the subsystem is enabled but no ++ * driver has been loaded yet. */ ++ support |= TPM2_SUPPORT_SUBSYSTEM; + } + + if (efi_has_tpm2()) +diff --git a/src/shared/tpm2-util.h b/src/shared/tpm2-util.h +index 048c28d6ca..c240335ae6 100644 +--- a/src/shared/tpm2-util.h ++++ b/src/shared/tpm2-util.h +@@ -137,11 +137,12 @@ typedef struct { + typedef enum Tpm2Support { + /* NOTE! The systemd-creds tool returns these flags 1:1 as exit status. Hence these flags are pretty + * much ABI! Hence, be extra careful when changing/extending these definitions. */ +- TPM2_SUPPORT_NONE = 0, /* no support */ +- TPM2_SUPPORT_FIRMWARE = 1 << 0, /* firmware reports TPM2 was used */ +- TPM2_SUPPORT_DRIVER = 1 << 1, /* the kernel has a driver loaded for it */ +- TPM2_SUPPORT_SYSTEM = 1 << 2, /* we support it ourselves */ +- TPM2_SUPPORT_FULL = TPM2_SUPPORT_FIRMWARE|TPM2_SUPPORT_DRIVER|TPM2_SUPPORT_SYSTEM, ++ TPM2_SUPPORT_NONE = 0, /* no support */ ++ TPM2_SUPPORT_FIRMWARE = 1 << 0, /* firmware reports TPM2 was used */ ++ TPM2_SUPPORT_DRIVER = 1 << 1, /* the kernel has a driver loaded for it */ ++ TPM2_SUPPORT_SYSTEM = 1 << 2, /* we support it ourselves */ ++ TPM2_SUPPORT_SUBSYSTEM = 1 << 3, /* the kernel has the tpm subsystem enabled */ ++ TPM2_SUPPORT_FULL = TPM2_SUPPORT_FIRMWARE|TPM2_SUPPORT_DRIVER|TPM2_SUPPORT_SYSTEM|TPM2_SUPPORT_SUBSYSTEM, + } Tpm2Support; + + Tpm2Support tpm2_support(void); +-- +2.38.1 + diff --git a/0029-semaphore-remove-the-Semaphore-repositories-recursiv.patch b/0029-semaphore-remove-the-Semaphore-repositories-recursiv.patch new file mode 100644 index 0000000..1629b9f --- /dev/null +++ b/0029-semaphore-remove-the-Semaphore-repositories-recursiv.patch @@ -0,0 +1,55 @@ +From f0839034c9910529f368e60262b5653afad58f63 Mon Sep 17 00:00:00 2001 +From: Frantisek Sumsal +Date: Mon, 7 Nov 2022 16:39:12 +0100 +Subject: [PATCH] semaphore: remove the Semaphore repositories recursively + +The list of disabled repositories was recently converted from a single +file into a directory with separate repository files, so let's adjust +the setup script accordingly. + +``` +$ ls -lR /etc/apt/sources.list.d/ +/etc/apt/sources.list.d/: +total 36 +-rw-r--r-- 1 root root 76 Nov 3 10:28 azure-cli.list +-rw-r--r-- 1 root root 72 Nov 3 10:22 bazel.list +drwxr-xr-x 2 root root 4096 Nov 3 10:31 disabled +-rw-r--r-- 1 root root 113 Nov 3 10:13 docker-source.list +-rw-r--r-- 1 root root 367 Nov 3 10:28 github_git-lfs.list +-rw-r--r-- 1 root root 111 Nov 3 10:25 google-chrome-source.list +-rw-r--r-- 1 root root 64 Nov 3 10:14 google-cloud-sdk.list +-rw-r--r-- 1 root root 54 Nov 3 10:23 helm-stable-debian.list +-rw-r--r-- 1 root root 89 Nov 3 10:29 yarn-source.list + +/etc/apt/sources.list.d/disabled: +total 20 +-rw-r--r-- 1 root root 100 Nov 3 10:23 devel_kubic_libcontainers_stable.list +-rw-r--r-- 1 root root 103 Nov 3 10:27 git.list +-rw-r--r-- 1 root root 105 Nov 3 10:22 gradle.list +-rw-r--r-- 1 root root 118 Nov 3 10:13 pypy.list +-rw-r--r-- 1 root root 104 Nov 3 10:13 python.list +``` + +(cherry picked from commit 610eb3f8260ecbb161db5186a5e27417f3110a68) + +Related #2138081 +--- + .semaphore/semaphore-runner.sh | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/.semaphore/semaphore-runner.sh b/.semaphore/semaphore-runner.sh +index 98fd7b4411..b0d32bd136 100755 +--- a/.semaphore/semaphore-runner.sh ++++ b/.semaphore/semaphore-runner.sh +@@ -55,7 +55,7 @@ for phase in "${PHASES[@]}"; do + case "$phase" in + SETUP) + # remove semaphore repos, some of them don't work and cause error messages +- sudo rm -f /etc/apt/sources.list.d/* ++ sudo rm -rf /etc/apt/sources.list.d/* + + # enable backports for latest LXC + echo "deb http://archive.ubuntu.com/ubuntu $UBUNTU_RELEASE-backports main restricted universe multiverse" | sudo tee -a /etc/apt/sources.list.d/backports.list +-- +2.38.1 + diff --git a/0030-kernel-install-90-loaderentry-do-not-override-an-exi.patch b/0030-kernel-install-90-loaderentry-do-not-override-an-exi.patch new file mode 100644 index 0000000..c16b9cc --- /dev/null +++ b/0030-kernel-install-90-loaderentry-do-not-override-an-exi.patch @@ -0,0 +1,32 @@ +From c440081c968c93d527d441f4d106e0acad9540eb Mon Sep 17 00:00:00 2001 +From: Antonio Alvarez Feijoo +Date: Mon, 7 Nov 2022 15:25:25 +0100 +Subject: [PATCH] kernel-install/90-loaderentry: do not override an existing + systemd.machine_id + +If the systemd.machine_id command line option is already set, do not override +it. + +(cherry picked from commit 802d9219aa19d759113dd6cd1e91b2bb661fe9ba) + +Related #2138081 +--- + src/kernel-install/90-loaderentry.install | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/kernel-install/90-loaderentry.install b/src/kernel-install/90-loaderentry.install +index ea75e1b0d8..41a05534b9 100755 +--- a/src/kernel-install/90-loaderentry.install ++++ b/src/kernel-install/90-loaderentry.install +@@ -85,7 +85,7 @@ BOOT_OPTIONS="${BOOT_OPTIONS% }" + # command line with the machine ID we use, so that the machine ID remains + # stable, even during factory reset, in the initrd (where the system's machine + # ID is not directly accessible yet), and if the root file system is volatile. +-if [ "$ENTRY_TOKEN" = "$MACHINE_ID" ] && ! echo "$BOOT_OPTIONS" | grep -q "systemd.machine_id=$MACHINE_ID"; then ++if [ "$ENTRY_TOKEN" = "$MACHINE_ID" ] && ! echo "$BOOT_OPTIONS" | grep -q "systemd.machine_id="; then + BOOT_OPTIONS="$BOOT_OPTIONS systemd.machine_id=$MACHINE_ID" + fi + +-- +2.38.1 + diff --git a/0031-kernel-install-skip-50-depmod-if-depmod-is-not-avail.patch b/0031-kernel-install-skip-50-depmod-if-depmod-is-not-avail.patch new file mode 100644 index 0000000..52179b8 --- /dev/null +++ b/0031-kernel-install-skip-50-depmod-if-depmod-is-not-avail.patch @@ -0,0 +1,31 @@ +From d1abf107c5b4c661886001de996bf03587bb35c1 Mon Sep 17 00:00:00 2001 +From: Luca Boccassi +Date: Mon, 7 Nov 2022 16:28:33 +0000 +Subject: [PATCH] kernel-install: skip 50-depmod if depmod is not available + +Images might be built without any kernel module, and without +installing depmod as it is not needed. Skip it. + +https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1023607 +(cherry picked from commit cda4d00dfcbcd075cef95341f8a466f0c4ee8e1d) + +Related #2138081 +--- + src/kernel-install/50-depmod.install | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/kernel-install/50-depmod.install b/src/kernel-install/50-depmod.install +index d4b991cfd6..43bd87c7ed 100755 +--- a/src/kernel-install/50-depmod.install ++++ b/src/kernel-install/50-depmod.install +@@ -26,6 +26,7 @@ KERNEL_VERSION="${2:?}" + case "$COMMAND" in + add) + [ -d "/lib/modules/$KERNEL_VERSION/kernel" ] || exit 0 ++ command -v depmod >/dev/null || exit 0 + [ "$KERNEL_INSTALL_VERBOSE" -gt 0 ] && echo "+depmod -a $KERNEL_VERSION" + exec depmod -a "$KERNEL_VERSION" + ;; +-- +2.38.1 + diff --git a/0032-man-add-note-that-network-generator-is-not-a-generat.patch b/0032-man-add-note-that-network-generator-is-not-a-generat.patch new file mode 100644 index 0000000..c960b89 --- /dev/null +++ b/0032-man-add-note-that-network-generator-is-not-a-generat.patch @@ -0,0 +1,41 @@ +From 04cdbacc26c7e38d3bd684235b51c79ab64b6026 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Tue, 8 Nov 2022 11:07:02 +0100 +Subject: [PATCH] man: add note that network-generator is not a generator + +Also fix indentation. + +(cherry picked from commit 2fa6574e835566c2aa5cbf4167ecee316f71bf98) + +Related #2138081 +--- + man/systemd-network-generator.service.xml | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +diff --git a/man/systemd-network-generator.service.xml b/man/systemd-network-generator.service.xml +index 6b7e2564d4..2ddeadfc54 100644 +--- a/man/systemd-network-generator.service.xml ++++ b/man/systemd-network-generator.service.xml +@@ -41,10 +41,17 @@ + + + Files are generated in /run/systemd/network/. ++ ++ Note: despite the name, this generator executes as a normal systemd service and is ++ not an implementation of the ++ systemd.generator7 ++ concept. + + +- Kernel command line options +- This tool understands the following options: ++ ++ Kernel command line options ++ ++ This tool understands the following options: + + + +-- +2.38.1 + diff --git a/0033-test-fstab-generator-adjust-PATH-for-fsck.patch b/0033-test-fstab-generator-adjust-PATH-for-fsck.patch new file mode 100644 index 0000000..7d9fa24 --- /dev/null +++ b/0033-test-fstab-generator-adjust-PATH-for-fsck.patch @@ -0,0 +1,67 @@ +From 054da791c98fba7e11079e94c9b9fe0b1ca4e8d4 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= +Date: Fri, 4 Nov 2022 15:48:50 +0100 +Subject: [PATCH] test: fstab-generator: adjust PATH for fsck + +fsck(8) is located in /usr/sib/ on Debian sid: + + stdout: + *** Running /home/christian/Coding/workspaces/systemd/test/testdata/test-fstab-generator/test-01-dev-nfs.input + *** Running /home/christian/Coding/workspaces/systemd/test/testdata/test-fstab-generator/test-02-dhcp.input + *** Running /home/christian/Coding/workspaces/systemd/test/testdata/test-fstab-generator/test-03-dhcp6.input + *** Running /home/christian/Coding/workspaces/systemd/test/testdata/test-fstab-generator/test-04-nfs.input + *** Running /home/christian/Coding/workspaces/systemd/test/testdata/test-fstab-generator/test-05-nfs4.input + *** Running /home/christian/Coding/workspaces/systemd/test/testdata/test-fstab-generator/test-06-ipv4.input + *** Running /home/christian/Coding/workspaces/systemd/test/testdata/test-fstab-generator/test-07-ipv6.input + *** Running /home/christian/Coding/workspaces/systemd/test/testdata/test-fstab-generator/test-08-implicit-nfs.input + *** Running /home/christian/Coding/workspaces/systemd/test/testdata/test-fstab-generator/test-09-cifs.input + *** Running /home/christian/Coding/workspaces/systemd/test/testdata/test-fstab-generator/test-10-iscsi.input + *** Running /home/christian/Coding/workspaces/systemd/test/testdata/test-fstab-generator/test-11-live.input + *** Running /home/christian/Coding/workspaces/systemd/test/testdata/test-fstab-generator/test-12-dev-sdx.input + --- /dev/fd/63 2022-11-04 15:39:13.131532174 +0100 + +++ /dev/fd/62 2022-11-04 15:39:13.131532174 +0100 + @@ -6,3 +6,4 @@ + initrd-usr-fs.target.requires + initrd-usr-fs.target.requires/sysroot.mount + sysroot.mount + +systemd-fsck-root.service + **** Unexpected output for /home/christian/Coding/workspaces/systemd/test/testdata/test-fstab-generator/test-12-dev-sdx.input + stderr: + Skipping root directory handling, as root on NFS was requested. + Skipping root directory handling, as root on NFS was requested. + Skipping root directory handling, as root on NFS was requested. + Skipping root directory handling, as root on NFS was requested. + Skipping root directory handling, as root on NFS was requested. + Skipping root directory handling, as root on NFS was requested. + Skipping root directory handling, as root on NFS was requested. + Skipping root directory handling, as root on NFS was requested. + Skipping root directory handling, as root on CIFS was requested. + Skipping root directory handling, as root on iSCSI was requested. + Skipping root directory handling, as root on live image was requested. + Found entry what=/dev/sdx1 where=/sysroot type=n/a opts=ro + Checking was requested for /dev/sdx1, but the fsck command does not exist. + +(cherry picked from commit a45efc9e4b574a85176610496f2ac7ae769364bb) + +Related #2138081 +--- + test/test-fstab-generator.sh | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/test/test-fstab-generator.sh b/test/test-fstab-generator.sh +index 0c977645e3..7c060dfac7 100755 +--- a/test/test-fstab-generator.sh ++++ b/test/test-fstab-generator.sh +@@ -14,6 +14,9 @@ fi + + src="$(dirname "$0")/testdata/test-fstab-generator" + ++# fsck(8) is located in /usr/sbin on Debian ++PATH=$PATH:/usr/sbin ++ + for f in "$src"/test-*.input; do + echo "*** Running $f" + +-- +2.38.1 + diff --git a/0034-loop-util-open-lock-fd-read-only.patch b/0034-loop-util-open-lock-fd-read-only.patch new file mode 100644 index 0000000..99f9839 --- /dev/null +++ b/0034-loop-util-open-lock-fd-read-only.patch @@ -0,0 +1,33 @@ +From ba5d26d85d0c4250b10a46a5c9cd3a3e1f0ce43b Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= +Date: Fri, 4 Nov 2022 19:36:31 +0100 +Subject: [PATCH] loop-util: open lock fd read-only + +flock(2) works with file descriptors opened with O_RDONLY. + +This affects SELinux systems where access to block devices is quite +restricted to avoid bypasses on filesystem objects. + +(cherry picked from commit 3e6b7d2626de9c0faf8b34b2629e8d6d8fa85a7d) + +Related #2138081 +--- + src/shared/loop-util.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/shared/loop-util.c b/src/shared/loop-util.c +index 731ce29112..fb7e80b1b5 100644 +--- a/src/shared/loop-util.c ++++ b/src/shared/loop-util.c +@@ -77,7 +77,7 @@ static int open_lock_fd(int primary_fd, int operation) { + assert(primary_fd >= 0); + assert(IN_SET(operation & ~LOCK_NB, LOCK_SH, LOCK_EX)); + +- lock_fd = fd_reopen(primary_fd, O_RDWR|O_CLOEXEC|O_NONBLOCK|O_NOCTTY); ++ lock_fd = fd_reopen(primary_fd, O_RDONLY|O_CLOEXEC|O_NONBLOCK|O_NOCTTY); + if (lock_fd < 0) + return lock_fd; + +-- +2.38.1 + diff --git a/0035-test-don-t-ignore-non-existent-paths-in-inst_recursi.patch b/0035-test-don-t-ignore-non-existent-paths-in-inst_recursi.patch new file mode 100644 index 0000000..3dd9971 --- /dev/null +++ b/0035-test-don-t-ignore-non-existent-paths-in-inst_recursi.patch @@ -0,0 +1,33 @@ +From ca92c2e035d5702f23f9a8d1cd705425b5605822 Mon Sep 17 00:00:00 2001 +From: Frantisek Sumsal +Date: Mon, 7 Nov 2022 11:55:29 +0100 +Subject: [PATCH] test: don't ignore non-existent paths in inst_recursive() + +The process substitution in the while loop hides errors raised by the +find utility, which might (and did), in turn, hide errors in test setup. + +(cherry picked from commit eb5d7730e1b3b1bddecb80be37e5a4c938183f61) + +Related #2138081 +--- + test/test-functions | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/test/test-functions b/test/test-functions +index 16d9da637b..80ce383e64 100644 +--- a/test/test-functions ++++ b/test/test-functions +@@ -2773,6 +2773,10 @@ inst_recursive() { + local p item + + for p in "$@"; do ++ # Make sure the source exists, as the process substitution below ++ # suppresses errors ++ stat "$p" >/dev/null || return 1 ++ + while read -r item; do + if [[ -d "$item" ]]; then + inst_dir "$item" +-- +2.38.1 + diff --git a/0036-test-fix-locale-installation-when-locale-gen-is-used.patch b/0036-test-fix-locale-installation-when-locale-gen-is-used.patch new file mode 100644 index 0000000..b759530 --- /dev/null +++ b/0036-test-fix-locale-installation-when-locale-gen-is-used.patch @@ -0,0 +1,49 @@ +From ea8b80cdc0dfd0ad92301a0e421df4d3110fe09c Mon Sep 17 00:00:00 2001 +From: Frantisek Sumsal +Date: Mon, 7 Nov 2022 11:57:59 +0100 +Subject: [PATCH] test: fix locale installation when locale-gen is used + +locale-gen might merge all compiled locales into a simple archive, so we +need to install it as well if necessary. + +(cherry picked from commit 0c416ea01bc14adff10f4fc5415a36bd2d48f604) + +Related #2138081 +--- + test/test-functions | 19 ++++++++++++------- + 1 file changed, 12 insertions(+), 7 deletions(-) + +diff --git a/test/test-functions b/test/test-functions +index 80ce383e64..45ca472916 100644 +--- a/test/test-functions ++++ b/test/test-functions +@@ -1988,14 +1988,19 @@ install_locales() { + inst /usr/share/i18n/SUPPORTED || : + inst_recursive /usr/share/i18n/charmaps + inst_recursive /usr/share/i18n/locales +- inst_recursive /usr/share/locale/en +- inst_recursive /usr/share/locale/en_* ++ inst_recursive /usr/share/locale/en* ++ inst_recursive /usr/share/locale/de* ++ image_install /usr/share/locale/locale.alias ++ # locale-gen might either generate each locale separately or merge them ++ # into a single archive ++ if ! (inst_recursive /usr/lib/locale/C.*8 /usr/lib/locale/en_*8 || ++ image_install /usr/lib/locale/locale-archive); then ++ dfatal "Failed to install required locales" ++ exit 1 ++ fi ++ else ++ inst_recursive /usr/lib/locale/C.*8 /usr/lib/locale/en_*8 + fi +- +- inst_recursive /usr/lib/locale/C.utf8 +- inst_recursive /usr/lib/locale/C.UTF-8 +- inst_recursive /usr/lib/locale/en_*.utf8 +- inst_recursive /usr/lib/locale/en_*.UTF-8 + } + + # shellcheck disable=SC2120 +-- +2.38.1 + diff --git a/0037-test-fix-keymaps-installation-on-Arch.patch b/0037-test-fix-keymaps-installation-on-Arch.patch new file mode 100644 index 0000000..810537a --- /dev/null +++ b/0037-test-fix-keymaps-installation-on-Arch.patch @@ -0,0 +1,74 @@ +From bec9d65390249d4e88f5095e751283645a2a4c08 Mon Sep 17 00:00:00 2001 +From: Frantisek Sumsal +Date: Mon, 7 Nov 2022 12:07:27 +0100 +Subject: [PATCH] test: fix keymaps installation on Arch + +Where the keymaps live under /usr/share/kbd/keymaps/. + +(cherry picked from commit 1edad89399e7cbee230878589ac618103c157ec7) + +Related #2138081 +--- + test/test-functions | 25 +++++++++++++------------ + 1 file changed, 13 insertions(+), 12 deletions(-) + +diff --git a/test/test-functions b/test/test-functions +index 45ca472916..194cd682bb 100644 +--- a/test/test-functions ++++ b/test/test-functions +@@ -2007,7 +2007,8 @@ install_locales() { + install_keymaps() { + local i p + local -a prefix=( +- "/usr" ++ "/usr/lib" ++ "/usr/share" + ) + + dinfo "Install console keymaps" +@@ -2016,7 +2017,7 @@ install_keymaps() { + && [[ "$(meson configure "${BUILD_DIR:?}" | grep 'split-usr' | awk '{ print $2 }')" == "true" ]] \ + || [[ ! -L /lib ]]; then + prefix+=( +- "" ++ "/lib" + ) + fi + +@@ -2025,12 +2026,12 @@ install_keymaps() { + # The first three paths may be deprecated. + # It seems now the last three paths are used by many distributions. + for i in \ +- "$p"/lib/kbd/keymaps/include/* \ +- "$p"/lib/kbd/keymaps/i386/include/* \ +- "$p"/lib/kbd/keymaps/i386/qwerty/us.* \ +- "$p"/lib/kbd/keymaps/legacy/include/* \ +- "$p"/lib/kbd/keymaps/legacy/i386/qwerty/us.* \ +- "$p"/lib/kbd/keymaps/xkb/us*; do ++ "$p"/kbd/keymaps/include/* \ ++ "$p"/kbd/keymaps/i386/include/* \ ++ "$p"/kbd/keymaps/i386/qwerty/us.* \ ++ "$p"/kbd/keymaps/legacy/include/* \ ++ "$p"/kbd/keymaps/legacy/i386/qwerty/us.* \ ++ "$p"/kbd/keymaps/xkb/us*; do + [[ -f "$i" ]] || continue + inst "$i" + done +@@ -2039,10 +2040,10 @@ install_keymaps() { + # When it takes any argument, then install more keymaps. + for p in "${prefix[@]}"; do + for i in \ +- "$p"/lib/kbd/keymaps/include/* \ +- "$p"/lib/kbd/keymaps/i386/*/* \ +- "$p"/lib/kbd/keymaps/legacy/i386/*/* \ +- "$p"/lib/kbd/keymaps/xkb/*; do ++ "$p"/kbd/keymaps/include/* \ ++ "$p"/kbd/keymaps/i386/*/* \ ++ "$p"/kbd/keymaps/legacy/i386/*/* \ ++ "$p"/kbd/keymaps/xkb/*; do + [[ -f "$i" ]] || continue + inst "$i" + done +-- +2.38.1 + diff --git a/0038-test-compile-test-utmp.c-only-if-UTMP-is-enabled.patch b/0038-test-compile-test-utmp.c-only-if-UTMP-is-enabled.patch new file mode 100644 index 0000000..3b049f9 --- /dev/null +++ b/0038-test-compile-test-utmp.c-only-if-UTMP-is-enabled.patch @@ -0,0 +1,46 @@ +From d63a1edb6bef959e8d6a481464a809badcc3a2eb Mon Sep 17 00:00:00 2001 +From: Torsten Hilbrich +Date: Mon, 7 Nov 2022 08:38:58 +0100 +Subject: [PATCH] test: compile test-utmp.c only if UTMP is enabled +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +When compiling with -D utmp=false the compilation fails with: + +../../git/systemd/src/test/test-utmp.c: In function ‘test_dump_run_utmp’: +../../git/systemd/src/test/test-utmp.c:21:9: error: cleanup argument not a function + 21 | _unused_ _cleanup_(utxent_cleanup) bool utmpx = false; + | ^~~~~~~~ +../../git/systemd/src/test/test-utmp.c:23:17: error: implicit declaration of function ‘utxent_start’ [-Werror=implicit-function-declaration] + 23 | utmpx = utxent_start(); + | ^~~~~~~~~~~~ + +any many other errors + +Add a conditional to compile test-utmp.c only if ENABLE_UTMP is true. + +(cherry picked from commit 41cac2a8b98fc5faebe942c697b17e109822342d) + +Related: #2138081 +--- + src/test/meson.build | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/src/test/meson.build b/src/test/meson.build +index 86fc1d4fc0..2a4dfe26db 100644 +--- a/src/test/meson.build ++++ b/src/test/meson.build +@@ -622,7 +622,8 @@ tests += [ + + [files('test-journal-importer.c')], + +- [files('test-utmp.c')], ++ [files('test-utmp.c'), ++ [], [], [], 'ENABLE_UTMP'], + + [files('test-udev.c'), + [libudevd_core, +-- +2.38.1 + diff --git a/0039-Create-CNAME.patch b/0039-Create-CNAME.patch new file mode 100644 index 0000000..b7398ba --- /dev/null +++ b/0039-Create-CNAME.patch @@ -0,0 +1,22 @@ +From d9328ee5e53d1901af9396ae3e0b2dd05f731781 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Mon, 14 Nov 2022 09:25:37 +0100 +Subject: [PATCH] Create CNAME + +Related: #2138081 +--- + docs/CNAME | 1 + + 1 file changed, 1 insertion(+) + create mode 100644 docs/CNAME + +diff --git a/docs/CNAME b/docs/CNAME +new file mode 100644 +index 0000000000..cdcf4d9a52 +--- /dev/null ++++ b/docs/CNAME +@@ -0,0 +1 @@ ++systemd.io +\ No newline at end of file +-- +2.38.1 + diff --git a/0040-tpm2-util-force-default-TCTI-to-be-device-with-param.patch b/0040-tpm2-util-force-default-TCTI-to-be-device-with-param.patch new file mode 100644 index 0000000..9ffaa63 --- /dev/null +++ b/0040-tpm2-util-force-default-TCTI-to-be-device-with-param.patch @@ -0,0 +1,49 @@ +From 31f0c1b06bfd90d52009b59b9a4bf26c297790a7 Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Mon, 14 Nov 2022 17:26:49 +0100 +Subject: [PATCH] tpm2-util: force default TCTI to be "device" with parameter + "/dev/tpmrm0" + +Apparently some distros default to tss-abmrd. Let's bypass that and +always go to the kernel resource manager. + +abmrd cannot really work for us, since we want to access the TPM already +in earliest boot i.e. in environments the abmrd service is not available +in. + +Fixes: #25352 +(cherry picked from commit 34906680afe60d724ea435b79b9b830a4bf2e7e9) + +Related: #2138081 +--- + src/shared/tpm2-util.c | 13 ++++++++++++- + 1 file changed, 12 insertions(+), 1 deletion(-) + +diff --git a/src/shared/tpm2-util.c b/src/shared/tpm2-util.c +index 65e8d48347..9d73316146 100644 +--- a/src/shared/tpm2-util.c ++++ b/src/shared/tpm2-util.c +@@ -152,8 +152,19 @@ int tpm2_context_init(const char *device, struct tpm2_context *ret) { + if (r < 0) + return log_error_errno(r, "TPM2 support not installed: %m"); + +- if (!device) ++ if (!device) { + device = secure_getenv("SYSTEMD_TPM2_DEVICE"); ++ if (device) ++ /* Setting the env var to an empty string forces tpm2-tss' own device picking ++ * logic to be used. */ ++ device = empty_to_null(device); ++ else ++ /* If nothing was specified explicitly, we'll use a hardcoded default: the "device" tcti ++ * driver and the "/dev/tpmrm0" device. We do this since on some distributions the tpm2-abrmd ++ * might be used and we really don't want that, since it is a system service and that creates ++ * various ordering issues/deadlocks during early boot. */ ++ device = "device:/dev/tpmrm0"; ++ } + + if (device) { + const char *param, *driver, *fn; +-- +2.38.1 + diff --git a/0041-tpm2-add-some-extra-validation-of-device-string-befo.patch b/0041-tpm2-add-some-extra-validation-of-device-string-befo.patch new file mode 100644 index 0000000..3fe657f --- /dev/null +++ b/0041-tpm2-add-some-extra-validation-of-device-string-befo.patch @@ -0,0 +1,55 @@ +From 5b20ba25259da453a2aac5e65978a11bc2d048ed Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Tue, 15 Nov 2022 23:01:04 +0100 +Subject: [PATCH] tpm2: add some extra validation of device string before using + it + +Let's add some extra validation before constructing and using the .so +name to load. This isn't really security sensitive, given that we +used secure_getenv() to get the device string (and it thus should have +been come from a trusted source) but let's better be safe than sorry. + +(cherry picked from commit 50a085143fa8f5dd6b6b3cef8a6ea2ec7c53ed0d) + +Related: #2138081 +--- + src/shared/tpm2-util.c | 16 ++++++++++++++-- + 1 file changed, 14 insertions(+), 2 deletions(-) + +diff --git a/src/shared/tpm2-util.c b/src/shared/tpm2-util.c +index 9d73316146..4d0df944a9 100644 +--- a/src/shared/tpm2-util.c ++++ b/src/shared/tpm2-util.c +@@ -174,15 +174,27 @@ int tpm2_context_init(const char *device, struct tpm2_context *ret) { + + param = strchr(device, ':'); + if (param) { ++ /* Syntax #1: Pair of driver string and arbitrary parameter */ + driver = strndupa_safe(device, param - device); ++ if (isempty(driver)) ++ return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "TPM2 driver name is empty, refusing."); ++ + param++; +- } else { ++ } else if (path_is_absolute(device) && path_is_valid(device)) { ++ /* Syntax #2: TPM device node */ + driver = "device"; + param = device; +- } ++ } else ++ return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Invalid TPM2 driver string, refusing."); ++ ++ log_debug("Using TPM2 TCTI driver '%s' with device '%s'.", driver, param); + + fn = strjoina("libtss2-tcti-", driver, ".so.0"); + ++ /* Better safe than sorry, let's refuse strings that cannot possibly be valid driver early, before going to disk. */ ++ if (!filename_is_valid(fn)) ++ return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "TPM2 driver name '%s' not valid, refusing.", driver); ++ + dl = dlopen(fn, RTLD_NOW); + if (!dl) + return log_error_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE), "Failed to load %s: %s", fn, dlerror()); +-- +2.38.1 + diff --git a/0042-boot-Fix-error-message.patch b/0042-boot-Fix-error-message.patch new file mode 100644 index 0000000..75d4a6c --- /dev/null +++ b/0042-boot-Fix-error-message.patch @@ -0,0 +1,28 @@ +From 2fdb15b3053d20282d7f3c20a7a4d2bd96d9a39b Mon Sep 17 00:00:00 2001 +From: Jan Janssen +Date: Sun, 13 Nov 2022 16:14:17 +0100 +Subject: [PATCH] boot: Fix error message + +(cherry picked from commit 6ee4aa22140dd8d51b1a18882eb4220629b8dd8f) + +Related: #2138081 +--- + src/boot/efi/boot.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/boot/efi/boot.c b/src/boot/efi/boot.c +index 4150b16ecf..84f4cc11a3 100644 +--- a/src/boot/efi/boot.c ++++ b/src/boot/efi/boot.c +@@ -2678,7 +2678,7 @@ EFI_STATUS efi_main(EFI_HANDLE image, EFI_SYSTEM_TABLE *sys_table) { + + err = device_path_to_str(loaded_image->FilePath, &loaded_image_path); + if (err != EFI_SUCCESS) +- return log_error_status_stall(err, L"Error getting loaded image path: %m"); ++ return log_error_status_stall(err, L"Error getting loaded image path: %r", err); + + export_variables(loaded_image, loaded_image_path, init_usec); + +-- +2.38.1 + diff --git a/0043-boot-Fix-memory-leak.patch b/0043-boot-Fix-memory-leak.patch new file mode 100644 index 0000000..7d38b62 --- /dev/null +++ b/0043-boot-Fix-memory-leak.patch @@ -0,0 +1,28 @@ +From 58a3aaaad640bee3cca79a644422489e184b49c1 Mon Sep 17 00:00:00 2001 +From: Jan Janssen +Date: Mon, 14 Nov 2022 14:18:26 +0100 +Subject: [PATCH] boot: Fix memory leak + +(cherry picked from commit b7b327f856b3782f28be561d612d66ff406c7789) + +Related: #2138081 +--- + src/boot/efi/boot.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/boot/efi/boot.c b/src/boot/efi/boot.c +index 84f4cc11a3..17d4ec2d09 100644 +--- a/src/boot/efi/boot.c ++++ b/src/boot/efi/boot.c +@@ -2650,7 +2650,7 @@ EFI_STATUS efi_main(EFI_HANDLE image, EFI_SYSTEM_TABLE *sys_table) { + EFI_LOADED_IMAGE_PROTOCOL *loaded_image; + _cleanup_(file_closep) EFI_FILE *root_dir = NULL; + _cleanup_(config_free) Config config = {}; +- char16_t *loaded_image_path; ++ _cleanup_free_ char16_t *loaded_image_path = NULL; + EFI_STATUS err; + uint64_t init_usec; + bool menu = false; +-- +2.38.1 + diff --git a/0044-boot-Do-not-require-a-loaded-image-path.patch b/0044-boot-Do-not-require-a-loaded-image-path.patch new file mode 100644 index 0000000..4f363c5 --- /dev/null +++ b/0044-boot-Do-not-require-a-loaded-image-path.patch @@ -0,0 +1,91 @@ +From 8cbb38625364640f390b2df2cda44ff3877fb16d Mon Sep 17 00:00:00 2001 +From: Jan Janssen +Date: Mon, 14 Nov 2022 14:37:13 +0100 +Subject: [PATCH] boot: Do not require a loaded image path + +If the device path to text protocol is not available (looking angrily at +Apple) we would fail to boot because we cannot get the loaded image +path. As this is only used for cosmetic purposes, we can just silently +continue. + +Fixes: #25363 +(cherry picked from commit af7ef648cddeb96da525de2410565d166f75cc96) + +Related: #2138081 +--- + src/boot/efi/boot.c | 13 +++---------- + 1 file changed, 3 insertions(+), 10 deletions(-) + +diff --git a/src/boot/efi/boot.c b/src/boot/efi/boot.c +index 17d4ec2d09..b490a1d972 100644 +--- a/src/boot/efi/boot.c ++++ b/src/boot/efi/boot.c +@@ -471,7 +471,6 @@ static void print_status(Config *config, char16_t *loaded_image_path) { + _cleanup_free_ char16_t *device_part_uuid = NULL; + + assert(config); +- assert(loaded_image_path); + + clear_screen(COLOR_NORMAL); + console_query_mode(&x_max, &y_max); +@@ -619,7 +618,6 @@ static bool menu_run( + + assert(config); + assert(chosen_entry); +- assert(loaded_image_path); + + EFI_STATUS err; + UINTN visible_max = 0; +@@ -1478,7 +1476,7 @@ static void config_entry_add_type1( + entry->loader = xstra_to_path(value); + + /* do not add an entry for ourselves */ +- if (loaded_image_path && strcaseeq16(entry->loader, loaded_image_path)) { ++ if (strcaseeq16(entry->loader, loaded_image_path)) { + entry->type = LOADER_UNDEFINED; + break; + } +@@ -1908,12 +1906,11 @@ static ConfigEntry *config_entry_add_loader_auto( + assert(root_dir); + assert(id); + assert(title); +- assert(loader || loaded_image_path); + + if (!config->auto_entries) + return NULL; + +- if (loaded_image_path) { ++ if (!loader) { + loader = L"\\EFI\\BOOT\\BOOT" EFI_MACHINE_TYPE_NAME ".efi"; + + /* We are trying to add the default EFI loader here, +@@ -2562,7 +2559,6 @@ static void export_variables( + char16_t uuid[37]; + + assert(loaded_image); +- assert(loaded_image_path); + + efivar_set_time_usec(LOADER_GUID, L"LoaderTimeInitUSec", init_usec); + efivar_set(LOADER_GUID, L"LoaderInfo", L"systemd-boot " GIT_VERSION, 0); +@@ -2591,7 +2587,6 @@ static void config_load_all_entries( + + assert(config); + assert(loaded_image); +- assert(loaded_image_path); + assert(root_dir); + + config_load_defaults(config, root_dir); +@@ -2676,9 +2671,7 @@ EFI_STATUS efi_main(EFI_HANDLE image, EFI_SYSTEM_TABLE *sys_table) { + if (err != EFI_SUCCESS) + return log_error_status_stall(err, L"Error getting a LoadedImageProtocol handle: %r", err); + +- err = device_path_to_str(loaded_image->FilePath, &loaded_image_path); +- if (err != EFI_SUCCESS) +- return log_error_status_stall(err, L"Error getting loaded image path: %r", err); ++ (void) device_path_to_str(loaded_image->FilePath, &loaded_image_path); + + export_variables(loaded_image, loaded_image_path, init_usec); + +-- +2.38.1 + diff --git a/0045-boot-Manually-convert-filepaths-if-needed.patch b/0045-boot-Manually-convert-filepaths-if-needed.patch new file mode 100644 index 0000000..e8e0294 --- /dev/null +++ b/0045-boot-Manually-convert-filepaths-if-needed.patch @@ -0,0 +1,78 @@ +From 806165285b822436023df84ca0a3e5b28a3099d6 Mon Sep 17 00:00:00 2001 +From: Jan Janssen +Date: Mon, 14 Nov 2022 15:24:32 +0100 +Subject: [PATCH] boot: Manually convert filepaths if needed + +The conversion of a filepath device path to text is needed for the stub +loader to find credential files. + +(cherry picked from commit 679007044fbbcf82c66cf20b99f2f5086b7df6b4) + +Related: #2138081 +--- + src/boot/efi/util.c | 40 ++++++++++++++++++++++++++++++++++++---- + 1 file changed, 36 insertions(+), 4 deletions(-) + +diff --git a/src/boot/efi/util.c b/src/boot/efi/util.c +index 5547d288de..57436dbf0c 100644 +--- a/src/boot/efi/util.c ++++ b/src/boot/efi/util.c +@@ -772,19 +772,51 @@ EFI_STATUS make_file_device_path(EFI_HANDLE device, const char16_t *file, EFI_DE + EFI_STATUS device_path_to_str(const EFI_DEVICE_PATH *dp, char16_t **ret) { + EFI_DEVICE_PATH_TO_TEXT_PROTOCOL *dp_to_text; + EFI_STATUS err; ++ _cleanup_free_ char16_t *str = NULL; + + assert(dp); + assert(ret); + + err = BS->LocateProtocol(&(EFI_GUID) EFI_DEVICE_PATH_TO_TEXT_PROTOCOL_GUID, NULL, (void **) &dp_to_text); +- if (err != EFI_SUCCESS) +- return err; ++ if (err != EFI_SUCCESS) { ++ /* If the device path to text protocol is not available we can still do a best-effort attempt ++ * to convert it ourselves if we are given filepath-only device path. */ ++ ++ size_t size = 0; ++ for (const EFI_DEVICE_PATH *node = dp; !IsDevicePathEnd(node); ++ node = NextDevicePathNode(node)) { ++ ++ if (DevicePathType(node) != MEDIA_DEVICE_PATH || ++ DevicePathSubType(node) != MEDIA_FILEPATH_DP) ++ return err; ++ ++ size_t path_size = DevicePathNodeLength(node); ++ if (path_size <= offsetof(FILEPATH_DEVICE_PATH, PathName) || path_size % sizeof(char16_t)) ++ return EFI_INVALID_PARAMETER; ++ path_size -= offsetof(FILEPATH_DEVICE_PATH, PathName); ++ ++ _cleanup_free_ char16_t *old = str; ++ str = xmalloc(size + path_size); ++ if (old) { ++ memcpy(str, old, size); ++ str[size / sizeof(char16_t) - 1] = '\\'; ++ } ++ ++ memcpy(str + (size / sizeof(char16_t)), ++ ((uint8_t *) node) + offsetof(FILEPATH_DEVICE_PATH, PathName), ++ path_size); ++ size += path_size; ++ } ++ ++ *ret = TAKE_PTR(str); ++ return EFI_SUCCESS; ++ } + +- char16_t *str = dp_to_text->ConvertDevicePathToText(dp, false, false); ++ str = dp_to_text->ConvertDevicePathToText(dp, false, false); + if (!str) + return EFI_OUT_OF_RESOURCES; + +- *ret = str; ++ *ret = TAKE_PTR(str); + return EFI_SUCCESS; + } + +-- +2.38.1 + diff --git a/0046-boot-Rework-security-arch-override.patch b/0046-boot-Rework-security-arch-override.patch new file mode 100644 index 0000000..92fe1cd --- /dev/null +++ b/0046-boot-Rework-security-arch-override.patch @@ -0,0 +1,436 @@ +From 519625977d19b7842d9b2ded8be12ed0aecbaefc Mon Sep 17 00:00:00 2001 +From: Jan Janssen +Date: Tue, 15 Nov 2022 18:22:38 +0100 +Subject: [PATCH] boot: Rework security arch override + +This simplifies the caller interface for security arch overrides by only +having to pass a validator and an optional context. + +(cherry picked from commit 5489c13bae119dc5f6e65be8d7f241aa7d54c023) + +Related: #2138081 +--- + src/boot/efi/linux.c | 61 ++++++++------------- + src/boot/efi/secure-boot.c | 105 +++++++++++++++++++++++++++++-------- + src/boot/efi/secure-boot.h | 28 +++------- + src/boot/efi/shim.c | 104 +++++++++++------------------------- + 4 files changed, 146 insertions(+), 152 deletions(-) + +diff --git a/src/boot/efi/linux.c b/src/boot/efi/linux.c +index 75b9507709..dd7eb48c8c 100644 +--- a/src/boot/efi/linux.c ++++ b/src/boot/efi/linux.c +@@ -20,35 +20,26 @@ + #define STUB_PAYLOAD_GUID \ + { 0x55c5d1f8, 0x04cd, 0x46b5, { 0x8a, 0x20, 0xe5, 0x6c, 0xbb, 0x30, 0x52, 0xd0 } } + +-static EFIAPI EFI_STATUS security_hook( +- const SecurityOverride *this, uint32_t authentication_status, const EFI_DEVICE_PATH *file) { ++typedef struct { ++ const void *addr; ++ size_t len; ++ const EFI_DEVICE_PATH *device_path; ++} ValidationContext; + +- assert(this); +- assert(this->hook == security_hook); ++static bool validate_payload( ++ const void *ctx, const EFI_DEVICE_PATH *device_path, const void *file_buffer, size_t file_size) { + +- if (file == this->payload_device_path) +- return EFI_SUCCESS; ++ const ValidationContext *payload = ASSERT_PTR(ctx); + +- return this->original_security->FileAuthenticationState( +- this->original_security, authentication_status, file); +-} +- +-static EFIAPI EFI_STATUS security2_hook( +- const SecurityOverride *this, +- const EFI_DEVICE_PATH *device_path, +- void *file_buffer, +- size_t file_size, +- BOOLEAN boot_policy) { +- +- assert(this); +- assert(this->hook == security2_hook); ++ if (device_path != payload->device_path) ++ return false; + +- if (file_buffer == this->payload && file_size == this->payload_len && +- device_path == this->payload_device_path) +- return EFI_SUCCESS; ++ /* Security arch (1) protocol does not provide a file buffer. Instead we are supposed to fetch the payload ++ * ourselves, which is not needed as we already have everything in memory and the device paths match. */ ++ if (file_buffer && (file_buffer != payload->addr || file_size != payload->len)) ++ return false; + +- return this->original_security2->FileAuthentication( +- this->original_security2, device_path, file_buffer, file_size, boot_policy); ++ return true; + } + + static EFI_STATUS load_image(EFI_HANDLE parent, const void *source, size_t len, EFI_HANDLE *ret_image) { +@@ -79,19 +70,13 @@ static EFI_STATUS load_image(EFI_HANDLE parent, const void *source, size_t len, + + /* We want to support unsigned kernel images as payload, which is safe to do under secure boot + * because it is embedded in this stub loader (and since it is already running it must be trusted). */ +- SecurityOverride security_override = { +- .hook = security_hook, +- .payload = source, +- .payload_len = len, +- .payload_device_path = &payload_device_path.payload.Header, +- }, security2_override = { +- .hook = security2_hook, +- .payload = source, +- .payload_len = len, +- .payload_device_path = &payload_device_path.payload.Header, +- }; +- +- install_security_override(&security_override, &security2_override); ++ install_security_override( ++ validate_payload, ++ &(ValidationContext) { ++ .addr = source, ++ .len = len, ++ .device_path = &payload_device_path.payload.Header, ++ }); + + EFI_STATUS ret = BS->LoadImage( + /*BootPolicy=*/false, +@@ -101,7 +86,7 @@ static EFI_STATUS load_image(EFI_HANDLE parent, const void *source, size_t len, + len, + ret_image); + +- uninstall_security_override(&security_override, &security2_override); ++ uninstall_security_override(); + + return ret; + } +diff --git a/src/boot/efi/secure-boot.c b/src/boot/efi/secure-boot.c +index 171b2c96b3..0e615c55e0 100644 +--- a/src/boot/efi/secure-boot.c ++++ b/src/boot/efi/secure-boot.c +@@ -127,10 +127,60 @@ out_deallocate: + return err; + } + +-static EFI_STATUS install_security_override_one(EFI_GUID guid, SecurityOverride *override) { ++static struct SecurityOverride { ++ /* Our own security arch instances that we register onto original_handle, thereby replacing the ++ * firmware provided instances. */ ++ EFI_SECURITY_ARCH_PROTOCOL override; ++ EFI_SECURITY2_ARCH_PROTOCOL override2; ++ ++ /* These are saved so we can uninstall our own instance later. */ ++ EFI_HANDLE original_handle, original_handle2; ++ EFI_SECURITY_ARCH_PROTOCOL *original_security; ++ EFI_SECURITY2_ARCH_PROTOCOL *original_security2; ++ ++ security_validator_t validator; ++ const void *validator_ctx; ++} security_override; ++ ++static EFIAPI EFI_STATUS security_hook( ++ const EFI_SECURITY_ARCH_PROTOCOL *this, ++ uint32_t authentication_status, ++ const EFI_DEVICE_PATH *file) { ++ ++ assert(security_override.validator); ++ assert(security_override.original_security); ++ ++ if (security_override.validator(security_override.validator_ctx, file, NULL, 0)) ++ return EFI_SUCCESS; ++ ++ return security_override.original_security->FileAuthenticationState( ++ security_override.original_security, authentication_status, file); ++} ++ ++static EFIAPI EFI_STATUS security2_hook( ++ const EFI_SECURITY2_ARCH_PROTOCOL *this, ++ const EFI_DEVICE_PATH *device_path, ++ void *file_buffer, ++ size_t file_size, ++ BOOLEAN boot_policy) { ++ ++ assert(security_override.validator); ++ assert(security_override.original_security2); ++ ++ if (security_override.validator(security_override.validator_ctx, device_path, file_buffer, file_size)) ++ return EFI_SUCCESS; ++ ++ return security_override.original_security2->FileAuthentication( ++ security_override.original_security2, device_path, file_buffer, file_size, boot_policy); ++} ++ ++static EFI_STATUS install_security_override_one( ++ EFI_GUID guid, void *override, EFI_HANDLE *ret_original_handle, void **ret_original_security) { + EFI_STATUS err; + + assert(override); ++ assert(ret_original_handle); ++ assert(ret_original_security); + + _cleanup_free_ EFI_HANDLE *handles = NULL; + size_t n_handles = 0; +@@ -152,8 +202,8 @@ static EFI_STATUS install_security_override_one(EFI_GUID guid, SecurityOverride + if (err != EFI_SUCCESS) + return log_error_status_stall(err, u"Error overriding security arch protocol: %r", err); + +- override->original = security; +- override->original_handle = handles[0]; ++ *ret_original_security = security; ++ *ret_original_handle = handles[0]; + return EFI_SUCCESS; + } + +@@ -161,35 +211,46 @@ static EFI_STATUS install_security_override_one(EFI_GUID guid, SecurityOverride + * Specification) with the provided override instances. If not running in secure boot or the protocols are + * not available nothing happens. The override instances are provided with the necessary info to undo this + * in uninstall_security_override(). */ +-void install_security_override(SecurityOverride *override, SecurityOverride *override2) { +- assert(override); +- assert(override2); ++void install_security_override(security_validator_t validator, const void *validator_ctx) { ++ assert(validator); + + if (!secure_boot_enabled()) + return; + +- (void) install_security_override_one((EFI_GUID) EFI_SECURITY_ARCH_PROTOCOL_GUID, override); +- (void) install_security_override_one((EFI_GUID) EFI_SECURITY2_ARCH_PROTOCOL_GUID, override2); +-} ++ security_override = (struct SecurityOverride) { ++ { .FileAuthenticationState = security_hook, }, ++ { .FileAuthentication = security2_hook, }, ++ .validator = validator, ++ .validator_ctx = validator_ctx, ++ }; + +-void uninstall_security_override(SecurityOverride *override, SecurityOverride *override2) { +- assert(override); +- assert(override2); ++ (void) install_security_override_one( ++ (EFI_GUID) EFI_SECURITY_ARCH_PROTOCOL_GUID, ++ &security_override.override, ++ &security_override.original_handle, ++ (void **) &security_override.original_security); ++ (void) install_security_override_one( ++ (EFI_GUID) EFI_SECURITY2_ARCH_PROTOCOL_GUID, ++ &security_override.override2, ++ &security_override.original_handle2, ++ (void **) &security_override.original_security2); ++} + ++void uninstall_security_override(void) { + /* We use assert_se here to guarantee the system is not in a weird state in the unlikely case of an + * error restoring the original protocols. */ + +- if (override->original_handle) ++ if (security_override.original_handle) + assert_se(BS->ReinstallProtocolInterface( +- override->original_handle, +- &(EFI_GUID) EFI_SECURITY_ARCH_PROTOCOL_GUID, +- override, +- override->original) == EFI_SUCCESS); ++ security_override.original_handle, ++ &(EFI_GUID) EFI_SECURITY_ARCH_PROTOCOL_GUID, ++ &security_override.override, ++ security_override.original_security) == EFI_SUCCESS); + +- if (override2->original_handle) ++ if (security_override.original_handle2) + assert_se(BS->ReinstallProtocolInterface( +- override2->original_handle, +- &(EFI_GUID) EFI_SECURITY2_ARCH_PROTOCOL_GUID, +- override2, +- override2->original) == EFI_SUCCESS); ++ security_override.original_handle2, ++ &(EFI_GUID) EFI_SECURITY2_ARCH_PROTOCOL_GUID, ++ &security_override.override2, ++ security_override.original_security2) == EFI_SUCCESS); + } +diff --git a/src/boot/efi/secure-boot.h b/src/boot/efi/secure-boot.h +index 91b6770edb..e98de81c2a 100644 +--- a/src/boot/efi/secure-boot.h ++++ b/src/boot/efi/secure-boot.h +@@ -17,23 +17,11 @@ SecureBootMode secure_boot_mode(void); + + EFI_STATUS secure_boot_enroll_at(EFI_FILE *root_dir, const char16_t *path); + +-typedef struct { +- void *hook; +- +- /* End of EFI_SECURITY_ARCH(2)_PROTOCOL. The rest is our own protocol instance data. */ +- +- EFI_HANDLE original_handle; +- union { +- void *original; +- EFI_SECURITY_ARCH_PROTOCOL *original_security; +- EFI_SECURITY2_ARCH_PROTOCOL *original_security2; +- }; +- +- /* Used by the stub to identify the embedded image. */ +- const void *payload; +- size_t payload_len; +- const EFI_DEVICE_PATH *payload_device_path; +-} SecurityOverride; +- +-void install_security_override(SecurityOverride *override, SecurityOverride *override2); +-void uninstall_security_override(SecurityOverride *override, SecurityOverride *override2); ++typedef bool (*security_validator_t)( ++ const void *ctx, ++ const EFI_DEVICE_PATH *device_path, ++ const void *file_buffer, ++ size_t file_size); ++ ++void install_security_override(security_validator_t validator, const void *validator_ctx); ++void uninstall_security_override(void); +diff --git a/src/boot/efi/shim.c b/src/boot/efi/shim.c +index 3ae058cb84..ac224336bc 100644 +--- a/src/boot/efi/shim.c ++++ b/src/boot/efi/shim.c +@@ -23,7 +23,7 @@ + #endif + + struct ShimLock { +- EFI_STATUS __sysv_abi__ (*shim_verify) (void *buffer, uint32_t size); ++ EFI_STATUS __sysv_abi__ (*shim_verify) (const void *buffer, uint32_t size); + + /* context is actually a struct for the PE header, but it isn't needed so void is sufficient just do define the interface + * see shim.c/shim.h and PeHeader.h in the github shim repo */ +@@ -41,79 +41,45 @@ bool shim_loaded(void) { + return BS->LocateProtocol((EFI_GUID*) SHIM_LOCK_GUID, NULL, (void**) &shim_lock) == EFI_SUCCESS; + } + +-static bool shim_validate(void *data, uint32_t size) { +- struct ShimLock *shim_lock; +- +- if (!data) +- return false; +- +- if (BS->LocateProtocol((EFI_GUID*) SHIM_LOCK_GUID, NULL, (void**) &shim_lock) != EFI_SUCCESS) +- return false; +- +- if (!shim_lock) +- return false; +- +- return shim_lock->shim_verify(data, size) == EFI_SUCCESS; +-} +- +-static EFIAPI EFI_STATUS security2_hook( +- const SecurityOverride *this, +- const EFI_DEVICE_PATH *device_path, +- void *file_buffer, +- UINTN file_size, +- BOOLEAN boot_policy) { +- +- assert(this); +- assert(this->hook == security2_hook); +- +- if (shim_validate(file_buffer, file_size)) +- return EFI_SUCCESS; +- +- return this->original_security2->FileAuthentication( +- this->original_security2, device_path, file_buffer, file_size, boot_policy); +-} +- +-static EFIAPI EFI_STATUS security_hook( +- const SecurityOverride *this, +- uint32_t authentication_status, +- const EFI_DEVICE_PATH *device_path) { ++static bool shim_validate( ++ const void *ctx, const EFI_DEVICE_PATH *device_path, const void *file_buffer, size_t file_size) { + + EFI_STATUS err; ++ _cleanup_free_ char *file_buffer_owned = NULL; + +- assert(this); +- assert(this->hook == security_hook); ++ if (!file_buffer) { ++ if (!device_path) ++ return false; + +- if (!device_path) +- return this->original_security->FileAuthenticationState( +- this->original_security, authentication_status, device_path); ++ EFI_HANDLE device_handle; ++ EFI_DEVICE_PATH *file_dp = (EFI_DEVICE_PATH *) device_path; ++ err = BS->LocateDevicePath(&FileSystemProtocol, &file_dp, &device_handle); ++ if (err != EFI_SUCCESS) ++ return false; + +- EFI_HANDLE device_handle; +- EFI_DEVICE_PATH *dp = (EFI_DEVICE_PATH *) device_path; +- err = BS->LocateDevicePath(&FileSystemProtocol, &dp, &device_handle); +- if (err != EFI_SUCCESS) +- return err; ++ _cleanup_(file_closep) EFI_FILE *root = NULL; ++ err = open_volume(device_handle, &root); ++ if (err != EFI_SUCCESS) ++ return false; + +- _cleanup_(file_closep) EFI_FILE *root = NULL; +- err = open_volume(device_handle, &root); +- if (err != EFI_SUCCESS) +- return err; ++ _cleanup_free_ char16_t *dp_str = NULL; ++ err = device_path_to_str(file_dp, &dp_str); ++ if (err != EFI_SUCCESS) ++ return false; + +- _cleanup_free_ char16_t *dp_str = NULL; +- err = device_path_to_str(dp, &dp_str); +- if (err != EFI_SUCCESS) +- return err; ++ err = file_read(root, dp_str, 0, 0, &file_buffer_owned, &file_size); ++ if (err != EFI_SUCCESS) ++ return false; + +- char *file_buffer; +- size_t file_size; +- err = file_read(root, dp_str, 0, 0, &file_buffer, &file_size); +- if (err != EFI_SUCCESS) +- return err; ++ file_buffer = file_buffer_owned; ++ } + +- if (shim_validate(file_buffer, file_size)) +- return EFI_SUCCESS; ++ struct ShimLock *shim_lock; ++ err = BS->LocateProtocol((EFI_GUID *) SHIM_LOCK_GUID, NULL, (void **) &shim_lock); ++ if (err != EFI_SUCCESS) ++ return false; + +- return this->original_security->FileAuthenticationState( +- this->original_security, authentication_status, device_path); ++ return shim_lock->shim_verify(file_buffer, file_size) == EFI_SUCCESS; + } + + EFI_STATUS shim_load_image(EFI_HANDLE parent, const EFI_DEVICE_PATH *device_path, EFI_HANDLE *ret_image) { +@@ -122,20 +88,14 @@ EFI_STATUS shim_load_image(EFI_HANDLE parent, const EFI_DEVICE_PATH *device_path + + bool have_shim = shim_loaded(); + +- SecurityOverride security_override = { +- .hook = security_hook, +- }, security2_override = { +- .hook = security2_hook, +- }; +- + if (have_shim) +- install_security_override(&security_override, &security2_override); ++ install_security_override(shim_validate, NULL); + + EFI_STATUS ret = BS->LoadImage( + /*BootPolicy=*/false, parent, (EFI_DEVICE_PATH *) device_path, NULL, 0, ret_image); + + if (have_shim) +- uninstall_security_override(&security_override, &security2_override); ++ uninstall_security_override(); + + return ret; + } +-- +2.38.1 + diff --git a/0047-boot-Replace-firmware-security-hooks-directly.patch b/0047-boot-Replace-firmware-security-hooks-directly.patch new file mode 100644 index 0000000..f1140c4 --- /dev/null +++ b/0047-boot-Replace-firmware-security-hooks-directly.patch @@ -0,0 +1,188 @@ +From 8d0b70887a09b9d4a8b669620579d3b6780f0755 Mon Sep 17 00:00:00 2001 +From: Jan Janssen +Date: Tue, 15 Nov 2022 18:53:02 +0100 +Subject: [PATCH] boot: Replace firmware security hooks directly + +For some firmware, replacing their own security arch instance with our +override using ReinstallProtocolInterface() is not enough as they will +not use it. This commit goes back to how this was done before by +directly modifying the security protocols. + +Fixes: #25336 +(cherry picked from commit 967a868563996e928f1fade5bcafc82a7219742b) + +Related: #2138081 +--- + src/boot/efi/secure-boot.c | 119 +++++++++++++------------------------ + 1 file changed, 40 insertions(+), 79 deletions(-) + +diff --git a/src/boot/efi/secure-boot.c b/src/boot/efi/secure-boot.c +index 0e615c55e0..65457bf423 100644 +--- a/src/boot/efi/secure-boot.c ++++ b/src/boot/efi/secure-boot.c +@@ -128,15 +128,10 @@ out_deallocate: + } + + static struct SecurityOverride { +- /* Our own security arch instances that we register onto original_handle, thereby replacing the +- * firmware provided instances. */ +- EFI_SECURITY_ARCH_PROTOCOL override; +- EFI_SECURITY2_ARCH_PROTOCOL override2; +- +- /* These are saved so we can uninstall our own instance later. */ +- EFI_HANDLE original_handle, original_handle2; +- EFI_SECURITY_ARCH_PROTOCOL *original_security; +- EFI_SECURITY2_ARCH_PROTOCOL *original_security2; ++ EFI_SECURITY_ARCH_PROTOCOL *security; ++ EFI_SECURITY2_ARCH_PROTOCOL *security2; ++ EFI_SECURITY_FILE_AUTHENTICATION_STATE original_hook; ++ EFI_SECURITY2_FILE_AUTHENTICATION original_hook2; + + security_validator_t validator; + const void *validator_ctx; +@@ -148,13 +143,13 @@ static EFIAPI EFI_STATUS security_hook( + const EFI_DEVICE_PATH *file) { + + assert(security_override.validator); +- assert(security_override.original_security); ++ assert(security_override.security); ++ assert(security_override.original_hook); + + if (security_override.validator(security_override.validator_ctx, file, NULL, 0)) + return EFI_SUCCESS; + +- return security_override.original_security->FileAuthenticationState( +- security_override.original_security, authentication_status, file); ++ return security_override.original_hook(security_override.security, authentication_status, file); + } + + static EFIAPI EFI_STATUS security2_hook( +@@ -165,92 +160,58 @@ static EFIAPI EFI_STATUS security2_hook( + BOOLEAN boot_policy) { + + assert(security_override.validator); +- assert(security_override.original_security2); ++ assert(security_override.security2); ++ assert(security_override.original_hook2); + + if (security_override.validator(security_override.validator_ctx, device_path, file_buffer, file_size)) + return EFI_SUCCESS; + +- return security_override.original_security2->FileAuthentication( +- security_override.original_security2, device_path, file_buffer, file_size, boot_policy); ++ return security_override.original_hook2( ++ security_override.security2, device_path, file_buffer, file_size, boot_policy); + } + +-static EFI_STATUS install_security_override_one( +- EFI_GUID guid, void *override, EFI_HANDLE *ret_original_handle, void **ret_original_security) { ++/* This replaces the platform provided security arch protocols hooks (defined in the UEFI Platform ++ * Initialization Specification) with our own that uses the given validator to decide if a image is to be ++ * trusted. If not running in secure boot or the protocols are not available nothing happens. The override ++ * must be removed with uninstall_security_override() after LoadImage() has been called. ++ * ++ * This is a hack as we do not own the security protocol instances and modifying them is not an official part ++ * of their spec. But there is little else we can do to circumvent secure boot short of implementing our own ++ * PE loader. We could replace the firmware instances with our own instance using ++ * ReinstallProtocolInterface(), but some firmware will still use the old ones. */ ++void install_security_override(security_validator_t validator, const void *validator_ctx) { + EFI_STATUS err; + +- assert(override); +- assert(ret_original_handle); +- assert(ret_original_security); +- +- _cleanup_free_ EFI_HANDLE *handles = NULL; +- size_t n_handles = 0; +- +- err = BS->LocateHandleBuffer(ByProtocol, &guid, NULL, &n_handles, &handles); +- if (err != EFI_SUCCESS) +- /* No security arch protocol around? */ +- return err; +- +- /* There should only ever be one security arch protocol instance, but let's be paranoid here. */ +- assert(n_handles == 1); +- +- void *security = NULL; +- err = BS->LocateProtocol(&guid, NULL, &security); +- if (err != EFI_SUCCESS) +- return log_error_status_stall(err, u"Error getting security arch protocol: %r", err); +- +- err = BS->ReinstallProtocolInterface(handles[0], &guid, security, override); +- if (err != EFI_SUCCESS) +- return log_error_status_stall(err, u"Error overriding security arch protocol: %r", err); +- +- *ret_original_security = security; +- *ret_original_handle = handles[0]; +- return EFI_SUCCESS; +-} +- +-/* This replaces the platform provided security arch protocols (defined in the UEFI Platform Initialization +- * Specification) with the provided override instances. If not running in secure boot or the protocols are +- * not available nothing happens. The override instances are provided with the necessary info to undo this +- * in uninstall_security_override(). */ +-void install_security_override(security_validator_t validator, const void *validator_ctx) { + assert(validator); + + if (!secure_boot_enabled()) + return; + + security_override = (struct SecurityOverride) { +- { .FileAuthenticationState = security_hook, }, +- { .FileAuthentication = security2_hook, }, + .validator = validator, + .validator_ctx = validator_ctx, + }; + +- (void) install_security_override_one( +- (EFI_GUID) EFI_SECURITY_ARCH_PROTOCOL_GUID, +- &security_override.override, +- &security_override.original_handle, +- (void **) &security_override.original_security); +- (void) install_security_override_one( +- (EFI_GUID) EFI_SECURITY2_ARCH_PROTOCOL_GUID, +- &security_override.override2, +- &security_override.original_handle2, +- (void **) &security_override.original_security2); ++ EFI_SECURITY_ARCH_PROTOCOL *security = NULL; ++ err = BS->LocateProtocol(&(EFI_GUID) EFI_SECURITY_ARCH_PROTOCOL_GUID, NULL, (void **) &security); ++ if (err == EFI_SUCCESS) { ++ security_override.security = security; ++ security_override.original_hook = security->FileAuthenticationState; ++ security->FileAuthenticationState = security_hook; ++ } ++ ++ EFI_SECURITY2_ARCH_PROTOCOL *security2 = NULL; ++ err = BS->LocateProtocol(&(EFI_GUID) EFI_SECURITY2_ARCH_PROTOCOL_GUID, NULL, (void **) &security2); ++ if (err == EFI_SUCCESS) { ++ security_override.security2 = security2; ++ security_override.original_hook2 = security2->FileAuthentication; ++ security2->FileAuthentication = security2_hook; ++ } + } + + void uninstall_security_override(void) { +- /* We use assert_se here to guarantee the system is not in a weird state in the unlikely case of an +- * error restoring the original protocols. */ +- +- if (security_override.original_handle) +- assert_se(BS->ReinstallProtocolInterface( +- security_override.original_handle, +- &(EFI_GUID) EFI_SECURITY_ARCH_PROTOCOL_GUID, +- &security_override.override, +- security_override.original_security) == EFI_SUCCESS); +- +- if (security_override.original_handle2) +- assert_se(BS->ReinstallProtocolInterface( +- security_override.original_handle2, +- &(EFI_GUID) EFI_SECURITY2_ARCH_PROTOCOL_GUID, +- &security_override.override2, +- security_override.original_security2) == EFI_SUCCESS); ++ if (security_override.original_hook) ++ security_override.security->FileAuthenticationState = security_override.original_hook; ++ if (security_override.original_hook2) ++ security_override.security2->FileAuthentication = security_override.original_hook2; + } +-- +2.38.1 + diff --git a/0048-networkd-ipv4acd.c-Use-net-if.h-for-getting-IFF_LOOP.patch b/0048-networkd-ipv4acd.c-Use-net-if.h-for-getting-IFF_LOOP.patch new file mode 100644 index 0000000..7fd3fb5 --- /dev/null +++ b/0048-networkd-ipv4acd.c-Use-net-if.h-for-getting-IFF_LOOP.patch @@ -0,0 +1,34 @@ +From a43bf9f897002744610a9ea5ce7bdc91c3e3dc83 Mon Sep 17 00:00:00 2001 +From: Khem Raj +Date: Tue, 8 Nov 2022 12:21:35 -0800 +Subject: [PATCH] networkd-ipv4acd.c: Use net/if.h for getting IFF_LOOPBACK + definition + +This helps in avoiding compiling errors on musl. Definition of +IFF_LOOPBACK is the reason for including linux/if_arp.h, this however +could be obtained from net/if.h glibc header equally and makes it +portable as well. + +(cherry picked from commit 239e4a42a69c31e55e58618d800e0d68c68931d3) + +Related: #2138081 +--- + src/network/networkd-ipv4acd.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/src/network/networkd-ipv4acd.c b/src/network/networkd-ipv4acd.c +index 4127657ebd..877dee00ec 100644 +--- a/src/network/networkd-ipv4acd.c ++++ b/src/network/networkd-ipv4acd.c +@@ -1,6 +1,7 @@ + /* SPDX-License-Identifier: LGPL-2.1-or-later */ + +-#include ++#include /* IFF_LOOPBACK */ ++#include /* ARPHRD_ETHER */ + + #include "sd-dhcp-client.h" + #include "sd-ipv4acd.h" +-- +2.38.1 + diff --git a/0049-Revert-initrd-extend-SYSTEMD_IN_INITRD-to-accept-non.patch b/0049-Revert-initrd-extend-SYSTEMD_IN_INITRD-to-accept-non.patch new file mode 100644 index 0000000..9c2988c --- /dev/null +++ b/0049-Revert-initrd-extend-SYSTEMD_IN_INITRD-to-accept-non.patch @@ -0,0 +1,114 @@ +From 94f9a80db599dcc298f3058e5cf2bb60c4972228 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Thu, 24 Nov 2022 13:58:39 +0100 +Subject: [PATCH] Revert "initrd: extend SYSTEMD_IN_INITRD to accept non-ramfs + rootfs" + +This reverts commit 1f22621ba33f8089d2ae5fbcaf8b3970dd68aaf0. + +This is a replacement for b1fd5cd4eda02a323db93d7daa97f5138f89677d. See that +commit for details. + +Related: #2138081 +--- + docs/ENVIRONMENT.md | 10 +++------- + src/basic/util.c | 47 ++++++++------------------------------------- + 2 files changed, 11 insertions(+), 46 deletions(-) + +diff --git a/docs/ENVIRONMENT.md b/docs/ENVIRONMENT.md +index a840dd0c90..ab3add6031 100644 +--- a/docs/ENVIRONMENT.md ++++ b/docs/ENVIRONMENT.md +@@ -73,13 +73,9 @@ All tools: + (relevant in particular for the system manager and `systemd-hostnamed`). + Must be a valid hostname (either a single label or a FQDN). + +-* `$SYSTEMD_IN_INITRD=[auto|lenient|0|1]` — if set, specifies initrd detection +- method. Defaults to `auto`. Behavior is defined as follows: +- `auto`: Checks if `/etc/initrd-release` exists, and a temporary fs is mounted +- on `/`. If both conditions meet, then it's in initrd. +- `lenient`: Similar to `auto`, but the rootfs check is skipped. +- `0|1`: Simply overrides initrd detection. This is useful for debugging and +- testing initrd-only programs in the main system. ++* `$SYSTEMD_IN_INITRD` — takes a boolean. If set, overrides initrd detection. ++ This is useful for debugging and testing initrd-only programs in the main ++ system. + + * `$SYSTEMD_BUS_TIMEOUT=SECS` — specifies the maximum time to wait for method call + completion. If no time unit is specified, assumes seconds. The usual other units +diff --git a/src/basic/util.c b/src/basic/util.c +index d7ef382737..981f917fab 100644 +--- a/src/basic/util.c ++++ b/src/basic/util.c +@@ -52,13 +52,11 @@ int prot_from_flags(int flags) { + + bool in_initrd(void) { + int r; +- const char *e; +- bool lenient = false; + + if (saved_in_initrd >= 0) + return saved_in_initrd; + +- /* We have two checks here: ++ /* We make two checks here: + * + * 1. the flag file /etc/initrd-release must exist + * 2. the root file system must be a memory file system +@@ -66,46 +64,17 @@ bool in_initrd(void) { + * The second check is extra paranoia, since misdetecting an + * initrd can have bad consequences due the initrd + * emptying when transititioning to the main systemd. +- * +- * If env var $SYSTEMD_IN_INITRD is not set or set to "auto", +- * both checks are used. If it's set to "lenient", only check +- * 1 is used. If set to a boolean value, then the boolean +- * value is returned. + */ + +- e = secure_getenv("SYSTEMD_IN_INITRD"); +- if (e) { +- if (streq(e, "lenient")) +- lenient = true; +- else if (!streq(e, "auto")) { +- r = parse_boolean(e); +- if (r >= 0) { +- saved_in_initrd = r > 0; +- return saved_in_initrd; +- } +- log_debug_errno(r, "Failed to parse $SYSTEMD_IN_INITRD, ignoring: %m"); +- } +- } +- +- if (!lenient) { +- r = path_is_temporary_fs("/"); +- if (r < 0) +- log_debug_errno(r, "Couldn't determine if / is a temporary file system: %m"); ++ r = getenv_bool_secure("SYSTEMD_IN_INITRD"); ++ if (r < 0 && r != -ENXIO) ++ log_debug_errno(r, "Failed to parse $SYSTEMD_IN_INITRD, ignoring: %m"); + ++ if (r >= 0) + saved_in_initrd = r > 0; +- } +- +- r = access("/etc/initrd-release", F_OK); +- if (r >= 0) { +- if (saved_in_initrd == 0) +- log_debug("/etc/initrd-release exists, but it's not an initrd."); +- else +- saved_in_initrd = 1; +- } else { +- if (errno != ENOENT) +- log_debug_errno(errno, "Failed to test if /etc/initrd-release exists: %m"); +- saved_in_initrd = 0; +- } ++ else ++ saved_in_initrd = access("/etc/initrd-release", F_OK) >= 0 && ++ path_is_temporary_fs("/") > 0; + + return saved_in_initrd; + } +-- +2.38.1 + diff --git a/0050-pid1-skip-cleanup-if-root-is-not-tmpfs-ramfs.patch b/0050-pid1-skip-cleanup-if-root-is-not-tmpfs-ramfs.patch new file mode 100644 index 0000000..0e38099 --- /dev/null +++ b/0050-pid1-skip-cleanup-if-root-is-not-tmpfs-ramfs.patch @@ -0,0 +1,127 @@ +From 7b6a09c47f1fee035c4b42840fabf65edce12aa8 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Mon, 7 Nov 2022 12:40:20 +0100 +Subject: [PATCH] pid1: skip cleanup if root is not tmpfs/ramfs + +in_initrd() was really doing two things: checking if we're in the initrd, and +also verifying that the initrd is set up correctly. But this second check is +complicated, in particular it would return false for overlayfs, even with an +upper tmpfs layer. It also doesn't support the use case of having an initial +initrd with tmpfs, and then transitioning into an intermediate initrd that is +e.g. a DDI, i.e. a filesystem possibly with verity arranged as a disk image. + +We don't need to check if we're in initrd in every program. Instead, concerns +are separated: +- in_initrd() just does a simple check for /etc/initrd-release. +- When doing cleanup, pid1 checks if it's on a tmpfs before starting to wipe + the old root. The only case where we want to remove the old root is when + we're on a plain tempory filesystem. With an overlay, we'd be creating + whiteout files, which is not very useful. (*) + +This should resolve https://bugzilla.redhat.com/show_bug.cgi?id=2137631 +which is caused by systemd refusing to treat the system as an initrd because +overlayfs is used. + +(*) I think the idea of keeping the initrd fs around for shutdown is outdated. +We should just have a completely separate exitrd that is unpacked when we want +to shut down. This way, we don't waste memory at runtime, and we also don't +transition to a potentially older version of systemd. But we don't have support +for this yet. + +This replaces 0fef5b0f0bd9ded1ae7bcb3e4e4b2893e36c51a6. + +(cherry picked from commit a940f507fbe1c81d6787dc0b7ce232c39818eec9) + +Related: #2138081 +--- + src/basic/util.c | 19 ++++++++----------- + src/shared/switch-root.c | 22 ++++++++++++---------- + 2 files changed, 20 insertions(+), 21 deletions(-) + +diff --git a/src/basic/util.c b/src/basic/util.c +index 981f917fab..e6aaa2dc9b 100644 +--- a/src/basic/util.c ++++ b/src/basic/util.c +@@ -56,14 +56,8 @@ bool in_initrd(void) { + if (saved_in_initrd >= 0) + return saved_in_initrd; + +- /* We make two checks here: +- * +- * 1. the flag file /etc/initrd-release must exist +- * 2. the root file system must be a memory file system +- * +- * The second check is extra paranoia, since misdetecting an +- * initrd can have bad consequences due the initrd +- * emptying when transititioning to the main systemd. ++ /* If /etc/initrd-release exists, we're in an initrd. ++ * This can be overridden by setting SYSTEMD_IN_INITRD=0|1. + */ + + r = getenv_bool_secure("SYSTEMD_IN_INITRD"); +@@ -72,9 +66,12 @@ bool in_initrd(void) { + + if (r >= 0) + saved_in_initrd = r > 0; +- else +- saved_in_initrd = access("/etc/initrd-release", F_OK) >= 0 && +- path_is_temporary_fs("/") > 0; ++ else { ++ r = access("/etc/initrd-release", F_OK); ++ if (r < 0 && errno != ENOENT) ++ log_debug_errno(r, "Failed to check if /etc/initrd-release exists, assuming it does not: %m"); ++ saved_in_initrd = r >= 0; ++ } + + return saved_in_initrd; + } +diff --git a/src/shared/switch-root.c b/src/shared/switch-root.c +index 1a444841fa..4cad3551a6 100644 +--- a/src/shared/switch-root.c ++++ b/src/shared/switch-root.c +@@ -32,7 +32,6 @@ int switch_root(const char *new_root, + + _cleanup_free_ char *resolved_old_root_after = NULL; + _cleanup_close_ int old_root_fd = -1; +- bool old_root_remove; + int r; + + assert(new_root); +@@ -42,12 +41,16 @@ int switch_root(const char *new_root, + return 0; + + /* Check if we shall remove the contents of the old root */ +- old_root_remove = in_initrd(); +- if (old_root_remove) { +- old_root_fd = open("/", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_NOCTTY|O_DIRECTORY); +- if (old_root_fd < 0) +- return log_error_errno(errno, "Failed to open root directory: %m"); +- } ++ old_root_fd = open("/", O_RDONLY | O_CLOEXEC | O_DIRECTORY); ++ if (old_root_fd < 0) ++ return log_error_errno(errno, "Failed to open root directory: %m"); ++ r = fd_is_temporary_fs(old_root_fd); ++ if (r < 0) ++ return log_error_errno(r, "Failed to stat root directory: %m"); ++ if (r > 0) ++ log_debug("Root directory is on tmpfs, will do cleanup later."); ++ else ++ old_root_fd = safe_close(old_root_fd); + + /* Determine where we shall place the old root after the transition */ + r = chase_symlinks(old_root_after, new_root, CHASE_PREFIX_ROOT|CHASE_NONEXISTENT, &resolved_old_root_after, NULL); +@@ -117,9 +120,8 @@ int switch_root(const char *new_root, + struct stat rb; + + if (fstat(old_root_fd, &rb) < 0) +- log_warning_errno(errno, "Failed to stat old root directory, leaving: %m"); +- else +- (void) rm_rf_children(TAKE_FD(old_root_fd), 0, &rb); /* takes possession of the dir fd, even on failure */ ++ return log_error_errno(errno, "Failed to stat old root directory: %m"); ++ (void) rm_rf_children(TAKE_FD(old_root_fd), 0, &rb); /* takes possession of the dir fd, even on failure */ + } + + return 0; +-- +2.38.1 + diff --git a/0051-ac-power-check-battery-existence-and-status.patch b/0051-ac-power-check-battery-existence-and-status.patch new file mode 100644 index 0000000..ad0ee2f --- /dev/null +++ b/0051-ac-power-check-battery-existence-and-status.patch @@ -0,0 +1,109 @@ +From 2ac7d7a818788110342a99978680485fbe27cc25 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Fri, 11 Nov 2022 13:54:03 +0900 +Subject: [PATCH] ac-power: check battery existence and status + +If a battery is not present or its status is not discharging, then +the battery should not be used as a power source. +Let's count batteries currently discharging. + +Fixes #25316. + +(cherry picked from commit 1c03f7f4ba419aa65997e90accc0d935ae1cfbc5) + +Related: #2138081 +--- + src/shared/udev-util.c | 58 ++++++++++++++++++++++++++++++++---------- + 1 file changed, 44 insertions(+), 14 deletions(-) + +diff --git a/src/shared/udev-util.c b/src/shared/udev-util.c +index aac02cd61b..7d95353452 100644 +--- a/src/shared/udev-util.c ++++ b/src/shared/udev-util.c +@@ -642,9 +642,46 @@ static int device_is_power_sink(sd_device *device) { + return found_sink || !found_source; + } + ++static bool battery_is_discharging(sd_device *d) { ++ const char *val; ++ int r; ++ ++ assert(d); ++ ++ r = sd_device_get_sysattr_value(d, "scope", &val); ++ if (r < 0) { ++ if (r != -ENOENT) ++ log_device_debug_errno(d, r, "Failed to read 'scope' sysfs attribute, ignoring: %m"); ++ } else if (streq(val, "Device")) { ++ log_device_debug(d, "The power supply is a device battery, ignoring device."); ++ return false; ++ } ++ ++ r = device_get_sysattr_bool(d, "present"); ++ if (r < 0) ++ log_device_debug_errno(d, r, "Failed to read 'present' sysfs attribute, assuming the battery is present: %m"); ++ else if (r == 0) { ++ log_device_debug(d, "The battery is not present, ignoring the power supply."); ++ return false; ++ } ++ ++ /* Possible values: "Unknown", "Charging", "Discharging", "Not charging", "Full" */ ++ r = sd_device_get_sysattr_value(d, "status", &val); ++ if (r < 0) { ++ log_device_debug_errno(d, r, "Failed to read 'status' sysfs attribute, assuming the battery is discharging: %m"); ++ return true; ++ } ++ if (!streq(val, "Discharging")) { ++ log_device_debug(d, "The battery status is '%s', assuming the battery is not used as a power source of this machine.", val); ++ return false; ++ } ++ ++ return true; ++} ++ + int on_ac_power(void) { + _cleanup_(sd_device_enumerator_unrefp) sd_device_enumerator *e = NULL; +- bool found_ac_online = false, found_battery = false; ++ bool found_ac_online = false, found_discharging_battery = false; + sd_device *d; + int r; + +@@ -686,17 +723,10 @@ int on_ac_power(void) { + } + + if (streq(val, "Battery")) { +- r = sd_device_get_sysattr_value(d, "scope", &val); +- if (r < 0) { +- if (r != -ENOENT) +- log_device_debug_errno(d, r, "Failed to read 'scope' sysfs attribute, ignoring: %m"); +- } else if (streq(val, "Device")) { +- log_device_debug(d, "The power supply is a device battery, ignoring device."); +- continue; ++ if (battery_is_discharging(d)) { ++ found_discharging_battery = true; ++ log_device_debug(d, "The power supply is a battery and currently discharging."); + } +- +- found_battery = true; +- log_device_debug(d, "The power supply is battery."); + continue; + } + +@@ -713,11 +743,11 @@ int on_ac_power(void) { + if (found_ac_online) { + log_debug("Found at least one online non-battery power supply, system is running on AC."); + return true; +- } else if (found_battery) { +- log_debug("Found battery and no online power sources, assuming system is running from battery."); ++ } else if (found_discharging_battery) { ++ log_debug("Found at least one discharging battery and no online power sources, assuming system is running from battery."); + return false; + } else { +- log_debug("No power supply reported online and no battery, assuming system is running on AC."); ++ log_debug("No power supply reported online and no discharging battery found, assuming system is running on AC."); + return true; + } + } +-- +2.38.1 + diff --git a/0052-systemctl-do-not-show-unit-properties-with-all.patch b/0052-systemctl-do-not-show-unit-properties-with-all.patch new file mode 100644 index 0000000..85241c6 --- /dev/null +++ b/0052-systemctl-do-not-show-unit-properties-with-all.patch @@ -0,0 +1,37 @@ +From c2317e2a2be2dd39266b82712ec9569a86f7fde3 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Sun, 13 Nov 2022 21:10:56 +0900 +Subject: [PATCH] systemctl: do not show unit properties with --all + +Fixes a bug introduced by a6e334649d4bdff0c6f664e98666b2223aa21a8b. + +Fixes #25343. + +(cherry picked from commit 0b51a1c8c4c77f98a8c234cd2c7a7849329be027) + +Related: #2138081 +--- + src/systemctl/systemctl-show.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/src/systemctl/systemctl-show.c b/src/systemctl/systemctl-show.c +index 8d3db98c0a..24c7d564b8 100644 +--- a/src/systemctl/systemctl-show.c ++++ b/src/systemctl/systemctl-show.c +@@ -2207,9 +2207,10 @@ int verb_show(int argc, char *argv[], void *userdata) { + + if (!arg_states && !arg_types) { + if (show_mode == SYSTEMCTL_SHOW_PROPERTIES) +- r = show_one(bus, "/org/freedesktop/systemd1", NULL, show_mode, &new_line, &ellipsized); +- else +- r = show_system_status(bus); ++ /* systemctl show --all → show properties of the manager */ ++ return show_one(bus, "/org/freedesktop/systemd1", NULL, show_mode, &new_line, &ellipsized); ++ ++ r = show_system_status(bus); + if (r < 0) + return r; + +-- +2.38.1 + diff --git a/0053-Fix-reading-etc-machine-id-in-kernel-install-25388.patch b/0053-Fix-reading-etc-machine-id-in-kernel-install-25388.patch new file mode 100644 index 0000000..ec1b81d --- /dev/null +++ b/0053-Fix-reading-etc-machine-id-in-kernel-install-25388.patch @@ -0,0 +1,49 @@ +From abbfdf2aa3e17a84d0f4075f125e670defaf7296 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Marcus=20Sch=C3=A4fer?= +Date: Wed, 16 Nov 2022 00:17:19 +0100 +Subject: [PATCH] Fix reading /etc/machine-id in kernel-install (#25388) + +* Fix reading /etc/machine-id in kernel-install + +The kernel-install script has code to read the contents of +/etc/machine-id into the MACHINE_ID variable. Depending +on the variable content kernel-install either logs the +value or creates a new machine id via 'systemd-id128 new'. +In that logic there is one issue. If the file /etc/machine-id +exists but is empty, the script tries to call read on an +empty file which return with an exit code != 0. As the +script code also uses 'set -e', kernel-install will exit at +this point which is unexpected. + +The condition of an empty /etc/machine-id file exists for +example when building OS images, which should initialize the +system id on first boot but not staticly inside of the image. +afaik an empty /etc/machine-id is also a common approach +to make systemd indicate that it should create a new system +id. Because of this, the commit makes sure the reading of +/etc/machine-id does not fail in any case such that the +handling of the MACHINE_ID variable takes place. + +(cherry picked from commit 883e7cbfc0dba6c81338e7924419b5cbb0cba0b2) + +Related: #2138081 +--- + src/kernel-install/kernel-install.in | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/kernel-install/kernel-install.in b/src/kernel-install/kernel-install.in +index 22eb4d2be1..bba22f8a20 100755 +--- a/src/kernel-install/kernel-install.in ++++ b/src/kernel-install/kernel-install.in +@@ -158,7 +158,7 @@ if [ -z "$MACHINE_ID" ] && [ -f /etc/machine-info ]; then + [ -n "$MACHINE_ID" ] && \ + log_verbose "machine-id $MACHINE_ID acquired from /etc/machine-info" + fi +-if [ -z "$MACHINE_ID" ] && [ -f /etc/machine-id ]; then ++if [ -z "$MACHINE_ID" ] && [ -s /etc/machine-id ]; then + read -r MACHINE_ID +Date: Mon, 14 Nov 2022 12:45:47 +0100 +Subject: [PATCH] Revert "journal: Make sd_journal_previous/next() return 0 at + HEAD/TAIL" + +This commit broke backwards compatibility so let's revert it until +we find a better solution. + +This reverts commit 977ad21b5b8f6323515297bd8995dcaaca0905df. + +(cherry picked from commit 1db6dbb1dcdacfd7d2b4c84562fc6e77bc8c43a5) + +Related: #2138081 +--- + src/journal/test-journal-interleaving.c | 4 ---- + src/libsystemd/sd-journal/sd-journal.c | 8 ++++---- + 2 files changed, 4 insertions(+), 8 deletions(-) + +diff --git a/src/journal/test-journal-interleaving.c b/src/journal/test-journal-interleaving.c +index 378bf162ca..b3ae4b8143 100644 +--- a/src/journal/test-journal-interleaving.c ++++ b/src/journal/test-journal-interleaving.c +@@ -158,7 +158,6 @@ static void test_skip_one(void (*setup)(void)) { + */ + assert_ret(sd_journal_open_directory(&j, t, 0)); + assert_ret(sd_journal_seek_head(j)); +- assert_ret(sd_journal_previous(j) == 0); + assert_ret(sd_journal_next(j)); + test_check_numbers_down(j, 4); + sd_journal_close(j); +@@ -167,7 +166,6 @@ static void test_skip_one(void (*setup)(void)) { + */ + assert_ret(sd_journal_open_directory(&j, t, 0)); + assert_ret(sd_journal_seek_tail(j)); +- assert_ret(sd_journal_next(j) == 0); + assert_ret(sd_journal_previous(j)); + test_check_numbers_up(j, 4); + sd_journal_close(j); +@@ -176,7 +174,6 @@ static void test_skip_one(void (*setup)(void)) { + */ + assert_ret(sd_journal_open_directory(&j, t, 0)); + assert_ret(sd_journal_seek_tail(j)); +- assert_ret(sd_journal_next(j) == 0); + assert_ret(r = sd_journal_previous_skip(j, 4)); + assert_se(r == 4); + test_check_numbers_down(j, 4); +@@ -186,7 +183,6 @@ static void test_skip_one(void (*setup)(void)) { + */ + assert_ret(sd_journal_open_directory(&j, t, 0)); + assert_ret(sd_journal_seek_head(j)); +- assert_ret(sd_journal_previous(j) == 0); + assert_ret(r = sd_journal_next_skip(j, 4)); + assert_se(r == 4); + test_check_numbers_up(j, 4); +diff --git a/src/libsystemd/sd-journal/sd-journal.c b/src/libsystemd/sd-journal/sd-journal.c +index 53c0b2a01e..1e4d128f05 100644 +--- a/src/libsystemd/sd-journal/sd-journal.c ++++ b/src/libsystemd/sd-journal/sd-journal.c +@@ -606,9 +606,9 @@ static int find_location_for_match( + /* FIXME: missing: find by monotonic */ + + if (j->current_location.type == LOCATION_HEAD) +- return direction == DIRECTION_DOWN ? journal_file_next_entry_for_data(f, d, DIRECTION_DOWN, ret, offset) : 0; ++ return journal_file_next_entry_for_data(f, d, DIRECTION_DOWN, ret, offset); + if (j->current_location.type == LOCATION_TAIL) +- return direction == DIRECTION_UP ? journal_file_next_entry_for_data(f, d, DIRECTION_UP, ret, offset) : 0; ++ return journal_file_next_entry_for_data(f, d, DIRECTION_UP, ret, offset); + if (j->current_location.seqnum_set && sd_id128_equal(j->current_location.seqnum_id, f->header->seqnum_id)) + return journal_file_move_to_entry_by_seqnum_for_data(f, d, j->current_location.seqnum, direction, ret, offset); + if (j->current_location.monotonic_set) { +@@ -701,9 +701,9 @@ static int find_location_with_matches( + /* No matches is simple */ + + if (j->current_location.type == LOCATION_HEAD) +- return direction == DIRECTION_DOWN ? journal_file_next_entry(f, 0, DIRECTION_DOWN, ret, offset) : 0; ++ return journal_file_next_entry(f, 0, DIRECTION_DOWN, ret, offset); + if (j->current_location.type == LOCATION_TAIL) +- return direction == DIRECTION_UP ? journal_file_next_entry(f, 0, DIRECTION_UP, ret, offset) : 0; ++ return journal_file_next_entry(f, 0, DIRECTION_UP, ret, offset); + if (j->current_location.seqnum_set && sd_id128_equal(j->current_location.seqnum_id, f->header->seqnum_id)) + return journal_file_move_to_entry_by_seqnum(f, j->current_location.seqnum, direction, ret, offset); + if (j->current_location.monotonic_set) { +-- +2.38.1 + diff --git a/0055-boot-Correctly-handle-saved-default-patterns.patch b/0055-boot-Correctly-handle-saved-default-patterns.patch new file mode 100644 index 0000000..471f46f --- /dev/null +++ b/0055-boot-Correctly-handle-saved-default-patterns.patch @@ -0,0 +1,32 @@ +From f740d67fd0ed36bc3318d724ccb1fdfca2f04125 Mon Sep 17 00:00:00 2001 +From: Jan Janssen +Date: Sun, 4 Sep 2022 00:22:23 +0200 +Subject: [PATCH] boot: Correctly handle @saved default patterns + +(cherry picked from commit 7941f11acb67c4f8ec857a791a51f3148af67b32) + +Related: #2138081 +--- + src/shared/bootspec.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/src/shared/bootspec.c b/src/shared/bootspec.c +index 6a34b10c04..d3cfb41a12 100644 +--- a/src/shared/bootspec.c ++++ b/src/shared/bootspec.c +@@ -994,6 +994,12 @@ static int boot_config_find(const BootConfig *config, const char *id) { + if (!id) + return -1; + ++ if (id[0] == '@') { ++ if (!strcaseeq(id, "@saved")) ++ return -1; ++ id = config->entry_selected; ++ } ++ + for (size_t i = 0; i < config->n_entries; i++) + if (fnmatch(id, config->entries[i].id, FNM_CASEFOLD) == 0) + return i; +-- +2.38.1 + diff --git a/0056-shared-tpm2-util-Fix-Error-Esys-invalid-ESAPI-handle.patch b/0056-shared-tpm2-util-Fix-Error-Esys-invalid-ESAPI-handle.patch new file mode 100644 index 0000000..2758d54 --- /dev/null +++ b/0056-shared-tpm2-util-Fix-Error-Esys-invalid-ESAPI-handle.patch @@ -0,0 +1,85 @@ +From fda254c954d6a543e1977edc1d283c915ee43adc Mon Sep 17 00:00:00 2001 +From: Vitaly Kuznetsov +Date: Tue, 15 Nov 2022 14:57:23 +0100 +Subject: [PATCH] shared/tpm2-util: Fix "Error: Esys invalid ESAPI handle + (40000001)" warning + +systemd-cryptenroll complains (but succeeds!) upon binding to a signed PCR +policy: + +$ systemd-cryptenroll --unlock-key-file=/tmp/passphrase --tpm2-device=auto + --tpm2-public-key=... --tpm2-signature=..." /tmp/tmp.img + +ERROR:esys:src/tss2-esys/esys_iutil.c:394:iesys_handle_to_tpm_handle() Error: Esys invalid ESAPI handle (40000001). +WARNING:esys:src/tss2-esys/esys_iutil.c:415:iesys_is_platform_handle() Convert handle from TPM2_RH to ESYS_TR, got: 0x40000001 +ERROR:esys:src/tss2-esys/esys_iutil.c:394:iesys_handle_to_tpm_handle() Error: Esys invalid ESAPI handle (40000001). +WARNING:esys:src/tss2-esys/esys_iutil.c:415:iesys_is_platform_handle() Convert handle from TPM2_RH to ESYS_TR, got: 0x4000000 +New TPM2 token enrolled as key slot 1. + +The problem seems to be that Esys_LoadExternal() function from tpm2-tss +expects a 'ESYS_TR_RH*' constant specifying the requested hierarchy and not +a 'TPM2_RH_*' one (see Esys_LoadExternal() -> Esys_LoadExternal_Async() -> +iesys_handle_to_tpm_handle() call chain). + +It all works because Esys_LoadExternal_Async() falls back to using the +supplied values when iesys_handle_to_tpm_handle() fails: + + r = iesys_handle_to_tpm_handle(hierarchy, &tpm_hierarchy); + if (r != TSS2_RC_SUCCESS) { + ... + tpm_hierarchy = hierarchy; + } + +Note, TPM2_RH_OWNER was used on purpose to support older tpm2-tss versions +(pre https://github.com/tpm2-software/tpm2-tss/pull/1531), use meson magic +to preserve compatibility. + +Signed-off-by: Vitaly Kuznetsov +(cherry picked from commit 155c51293d5bf37f54c65fd0a66ea29e6eedd580) + +Related: #2138081 +--- + meson.build | 3 +++ + src/shared/tpm2-util.c | 6 ++++++ + 2 files changed, 9 insertions(+) + +diff --git a/meson.build b/meson.build +index 7750534466..015849af49 100644 +--- a/meson.build ++++ b/meson.build +@@ -1474,11 +1474,14 @@ if want_tpm2 != 'false' and not skip_deps + tpm2 = dependency('tss2-esys tss2-rc tss2-mu', + required : want_tpm2 == 'true') + have = tpm2.found() ++ have_esys3 = tpm2.version().version_compare('>= 3.0.0') + else + have = false ++ have_esys3 = false + tpm2 = [] + endif + conf.set10('HAVE_TPM2', have) ++conf.set10('HAVE_TSS2_ESYS3', have_esys3) + + want_elfutils = get_option('elfutils') + if want_elfutils != 'false' and not skip_deps +diff --git a/src/shared/tpm2-util.c b/src/shared/tpm2-util.c +index 4d0df944a9..8171b3e9e9 100644 +--- a/src/shared/tpm2-util.c ++++ b/src/shared/tpm2-util.c +@@ -1117,7 +1117,13 @@ static int tpm2_make_policy_session( + ESYS_TR_NONE, + NULL, + &pubkey_tpm2, ++#if HAVE_TSS2_ESYS3 ++ /* tpm2-tss >= 3.0.0 requires a ESYS_TR_RH_* constant specifying the requested ++ * hierarchy, older versions need TPM2_RH_* instead. */ ++ ESYS_TR_RH_OWNER, ++#else + TPM2_RH_OWNER, ++#endif + &pubkey_handle); + if (rc != TSS2_RC_SUCCESS) { + r = log_error_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE), +-- +2.38.1 + diff --git a/0057-Handle-MACHINE_ID-uninitialized.patch b/0057-Handle-MACHINE_ID-uninitialized.patch new file mode 100644 index 0000000..7d0fc7e --- /dev/null +++ b/0057-Handle-MACHINE_ID-uninitialized.patch @@ -0,0 +1,34 @@ +From 89adb54468aff192fccc9dce793e24d98b26d994 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Marcus=20Sch=C3=A4fer?= +Date: Wed, 16 Nov 2022 16:25:08 +0100 +Subject: [PATCH] Handle MACHINE_ID=uninitialized + +systemd supports /etc/machine-id to be set to: uninitialized +In this case the expectation is that systemd creates a new +machine ID and replaces the value 'uninitialized' with the +effective machine id. In the scope of kernel-install we +should also enforce the creation of a new machine id in this +condition + +(cherry picked from commit 305dd91adfde332e7e5c1b2470edb32774f9a032) + +Related: #2138081 +--- + src/kernel-install/kernel-install.in | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/kernel-install/kernel-install.in b/src/kernel-install/kernel-install.in +index bba22f8a20..fa2c0d5276 100755 +--- a/src/kernel-install/kernel-install.in ++++ b/src/kernel-install/kernel-install.in +@@ -160,6 +160,7 @@ if [ -z "$MACHINE_ID" ] && [ -f /etc/machine-info ]; then + fi + if [ -z "$MACHINE_ID" ] && [ -s /etc/machine-id ]; then + read -r MACHINE_ID +Date: Fri, 18 Nov 2022 06:03:41 +0000 +Subject: [PATCH] fuzz: fuzz-compress: fix copy-and-paste error: buf -> buf2 + (#25431) + +(cherry picked from commit f54f6d88b1235487eb7f0c634c488edc7813579a) + +Related: #2138081 +--- + src/fuzz/fuzz-compress.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/fuzz/fuzz-compress.c b/src/fuzz/fuzz-compress.c +index 712ab3ffa9..10956cc548 100644 +--- a/src/fuzz/fuzz-compress.c ++++ b/src/fuzz/fuzz-compress.c +@@ -55,7 +55,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { + + size_t sw_alloc = MAX(h->sw_alloc, 1u); + buf2 = malloc(sw_alloc); +- if (!buf) { ++ if (!buf2) { + log_oom(); + return 0; + } +-- +2.38.1 + diff --git a/0059-boot-measure-fix-oom-check.patch b/0059-boot-measure-fix-oom-check.patch new file mode 100644 index 0000000..187a8ff --- /dev/null +++ b/0059-boot-measure-fix-oom-check.patch @@ -0,0 +1,28 @@ +From 944fa2afca2bd6bd4d1d5aecd265fd4756ee44e2 Mon Sep 17 00:00:00 2001 +From: Li kunyu +Date: Fri, 18 Nov 2022 16:10:24 +0900 +Subject: [PATCH] boot/measure: fix oom check + +(cherry picked from commit fc0cc6db1ecbaa16513125d3fd1a7d11e391a8ee) + +Related: #2138081 +--- + src/boot/measure.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/boot/measure.c b/src/boot/measure.c +index 4f16acedf0..0bbd386449 100644 +--- a/src/boot/measure.c ++++ b/src/boot/measure.c +@@ -897,7 +897,7 @@ static int verb_sign(int argc, char *argv[], void *userdata) { + } + + _cleanup_free_ void *sig = malloc(ss); +- if (!ss) { ++ if (!sig) { + r = log_oom(); + goto finish; + } +-- +2.38.1 + diff --git a/0060-nspawn-allow-sched_rr_get_interval_time64-through-se.patch b/0060-nspawn-allow-sched_rr_get_interval_time64-through-se.patch new file mode 100644 index 0000000..a91a309 --- /dev/null +++ b/0060-nspawn-allow-sched_rr_get_interval_time64-through-se.patch @@ -0,0 +1,60 @@ +From b2d259a82329e37b0f369e9951f19a067cb8bfb4 Mon Sep 17 00:00:00 2001 +From: Sam James +Date: Fri, 18 Nov 2022 07:18:18 +0000 +Subject: [PATCH] nspawn: allow sched_rr_get_interval_time64 through seccomp + filter + +We only allow a selected subset of syscalls from nspawn containers +and don't list any time64 variants (needed for 32-bit arches when +built using TIME_BITS=64, which is relatively new). + +We allow sched_rr_get_interval which cpython's test suite makes +use of, but we don't allow sched_rr_get_interval_time64. + +The test failures when run in an arm32 nspawn container on an arm64 host +were as follows: +``` +====================================================================== +ERROR: test_sched_rr_get_interval (test.test_posix.PosixTester.test_sched_rr_get_interval) +---------------------------------------------------------------------- +Traceback (most recent call last): + File "/var/tmp/portage/dev-lang/python-3.11.0_p1/work/Python-3.11.0/Lib/test/test_posix.py", line 1180, in test_sched_rr_get_interval + interval = posix.sched_rr_get_interval(0) + ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +PermissionError: [Errno 1] Operation not permitted +``` + +Then strace showed: +``` +sched_rr_get_interval_time64(0, 0xffbbd4a0) = -1 EPERM (Operation not permitted) +``` + +This appears to be the only time64 syscall that isn't already included one of +the sets listed in nspawn-seccomp.c that has a non-time64 variant. Checked +over each of the time64 syscalls known to systemd and verified that none +of the others had a non-time64-variant whitelisted in nspawn other than +sched_rr_get_interval. + +Bug: https://bugs.gentoo.org/880131 +(cherry picked from commit b9e7f22c2d80930cad36ae53e66e42a2996dca4a) + +Related: #2138081 +--- + src/nspawn/nspawn-seccomp.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/nspawn/nspawn-seccomp.c b/src/nspawn/nspawn-seccomp.c +index 77f4c2ac88..27044fadd2 100644 +--- a/src/nspawn/nspawn-seccomp.c ++++ b/src/nspawn/nspawn-seccomp.c +@@ -88,6 +88,7 @@ static int add_syscall_filters( + { 0, "sched_getparam" }, + { 0, "sched_getscheduler" }, + { 0, "sched_rr_get_interval" }, ++ { 0, "sched_rr_get_interval_time64" }, + { 0, "sched_yield" }, + { 0, "seccomp" }, + { 0, "sendfile" }, +-- +2.38.1 + diff --git a/0061-resolved-use-right-conditionalization-when-setting-u.patch b/0061-resolved-use-right-conditionalization-when-setting-u.patch new file mode 100644 index 0000000..542311c --- /dev/null +++ b/0061-resolved-use-right-conditionalization-when-setting-u.patch @@ -0,0 +1,29 @@ +From 39974d2ee3b1e514e9d2cf25e4a11447d4dfee53 Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Fri, 18 Nov 2022 16:52:01 +0100 +Subject: [PATCH] resolved: use right conditionalization when setting unicast + ifindex on UDP sockets + +(cherry picked from commit 5faaed5b62d5ed88d8df2802c5ab4d3ab2eb755a) + +Related: #2138081 +--- + src/resolve/resolved-dns-scope.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/resolve/resolved-dns-scope.c b/src/resolve/resolved-dns-scope.c +index 852829569d..4f744499aa 100644 +--- a/src/resolve/resolved-dns-scope.c ++++ b/src/resolve/resolved-dns-scope.c +@@ -424,7 +424,7 @@ static int dns_scope_socket( + return r; + } + +- if (s->link) { ++ if (ifindex != 0) { + r = socket_set_unicast_if(fd, sa.sa.sa_family, ifindex); + if (r < 0) + return r; +-- +2.38.1 + diff --git a/0062-resolved-when-configuring-127.0.0.1-as-per-interface.patch b/0062-resolved-when-configuring-127.0.0.1-as-per-interface.patch new file mode 100644 index 0000000..cbed663 --- /dev/null +++ b/0062-resolved-when-configuring-127.0.0.1-as-per-interface.patch @@ -0,0 +1,37 @@ +From d8d96bce62e8597b8d35bed1d9e9cb103336fd6b Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Fri, 18 Nov 2022 16:52:06 +0100 +Subject: [PATCH] resolved: when configuring 127.0.0.1 as per-interface DNS + server, contact it via "lo" always + +ussually if you specify a DNS server on some interface then we'll use +that interface to talk to it. Let's override this for localhost +addresses, as they only really make sense on "lo". + +Fixes: #25397 +(cherry picked from commit 6e32414a66ff8dbcef233981a7066684d903ee9f) + +Related: #2138081 +--- + src/resolve/resolved-dns-server.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/src/resolve/resolved-dns-server.c b/src/resolve/resolved-dns-server.c +index 04a4f53ed0..8ff513fa33 100644 +--- a/src/resolve/resolved-dns-server.c ++++ b/src/resolve/resolved-dns-server.c +@@ -648,6 +648,11 @@ int dns_server_adjust_opt(DnsServer *server, DnsPacket *packet, DnsServerFeature + int dns_server_ifindex(const DnsServer *s) { + assert(s); + ++ /* For loopback addresses, go via the loopback interface, regardless which interface this is linked ++ * to. */ ++ if (in_addr_is_localhost(s->family, &s->address)) ++ return LOOPBACK_IFINDEX; ++ + /* The link ifindex always takes precedence */ + if (s->link) + return s->link->ifindex; +-- +2.38.1 + diff --git a/0063-manager-fix-format-strings-for-trigger-metadata.patch b/0063-manager-fix-format-strings-for-trigger-metadata.patch new file mode 100644 index 0000000..6adab63 --- /dev/null +++ b/0063-manager-fix-format-strings-for-trigger-metadata.patch @@ -0,0 +1,53 @@ +From bca4fe362cb2198f964d33c5a0fb27298d8e9ad8 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Mon, 21 Nov 2022 20:03:08 +0100 +Subject: [PATCH] manager: fix format strings for trigger metadata + +Fixup for c8bc7519c888a99134f88f8c82353246d3c0cc5d. + +(cherry picked from commit 6457ce15be84cf3c304d1ba47b89bacc2f60bf6e) + +Related: #2138081 +--- + src/core/timer.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/src/core/timer.c b/src/core/timer.c +index 8bd430b931..b6810c8599 100644 +--- a/src/core/timer.c ++++ b/src/core/timer.c +@@ -948,11 +948,11 @@ static int activation_details_timer_append_env(ActivationDetails *details, char + if (!dual_timestamp_is_set(&t->last_trigger)) + return 0; + +- r = strv_extendf(strv, "TRIGGER_TIMER_REALTIME_USEC=%" USEC_FMT, t->last_trigger.realtime); ++ r = strv_extendf(strv, "TRIGGER_TIMER_REALTIME_USEC=" USEC_FMT, t->last_trigger.realtime); + if (r < 0) + return r; + +- r = strv_extendf(strv, "TRIGGER_TIMER_MONOTONIC_USEC=%" USEC_FMT, t->last_trigger.monotonic); ++ r = strv_extendf(strv, "TRIGGER_TIMER_MONOTONIC_USEC=" USEC_FMT, t->last_trigger.monotonic); + if (r < 0) + return r; + +@@ -974,7 +974,7 @@ static int activation_details_timer_append_pair(ActivationDetails *details, char + if (r < 0) + return r; + +- r = strv_extendf(strv, "%" USEC_FMT, t->last_trigger.realtime); ++ r = strv_extendf(strv, USEC_FMT, t->last_trigger.realtime); + if (r < 0) + return r; + +@@ -982,7 +982,7 @@ static int activation_details_timer_append_pair(ActivationDetails *details, char + if (r < 0) + return r; + +- r = strv_extendf(strv, "%" USEC_FMT, t->last_trigger.monotonic); ++ r = strv_extendf(strv, USEC_FMT, t->last_trigger.monotonic); + if (r < 0) + return r; + +-- +2.38.1 + diff --git a/0064-basic-strv-check-printf-arguments-to-strv_extendf.patch b/0064-basic-strv-check-printf-arguments-to-strv_extendf.patch new file mode 100644 index 0000000..2827d79 --- /dev/null +++ b/0064-basic-strv-check-printf-arguments-to-strv_extendf.patch @@ -0,0 +1,33 @@ +From c103428e24f002e495412a5f9a0b919f4b92c2b7 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Mon, 21 Nov 2022 20:06:55 +0100 +Subject: [PATCH] basic/strv: check printf arguments to strv_extendf() + +The second argument to _printf_() specifies where the arguments start. We need to +use 0 in two cases: when the args in a va_list and can't be checked, and with journald +logging functions which accept multiple format strings with multiple argument sets, +which the _printf_ checker does not understand. But strv_extendf() can be checked. + +(cherry picked from commit 400102ec91aa3404848a04f49a43d49e1a181708) + +Related: #2138081 +--- + src/basic/strv.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/basic/strv.h b/src/basic/strv.h +index d6f5ac6ba5..6c9fa47943 100644 +--- a/src/basic/strv.h ++++ b/src/basic/strv.h +@@ -45,7 +45,7 @@ static inline int strv_extend(char ***l, const char *value) { + return strv_extend_with_size(l, NULL, value); + } + +-int strv_extendf(char ***l, const char *format, ...) _printf_(2,0); ++int strv_extendf(char ***l, const char *format, ...) _printf_(2,3); + int strv_extend_front(char ***l, const char *value); + + int strv_push_with_size(char ***l, size_t *n, char *value); +-- +2.38.1 + diff --git a/0065-resolved-Fix-OpenSSL-error-messages.patch b/0065-resolved-Fix-OpenSSL-error-messages.patch new file mode 100644 index 0000000..0e95002 --- /dev/null +++ b/0065-resolved-Fix-OpenSSL-error-messages.patch @@ -0,0 +1,142 @@ +From 57bdd8a488d544282dcc71e6a23987ded71ac64d Mon Sep 17 00:00:00 2001 +From: Benjamin Fogle +Date: Thu, 17 Nov 2022 09:52:50 -0500 +Subject: [PATCH] resolved: Fix OpenSSL error messages + +(cherry picked from commit f4a49d1c58578cb8d759dc6266a23d1acabdc38f) + +Related: #2138081 +--- + src/resolve/resolved-dnstls-openssl.c | 65 +++++++++++---------------- + 1 file changed, 26 insertions(+), 39 deletions(-) + +diff --git a/src/resolve/resolved-dnstls-openssl.c b/src/resolve/resolved-dnstls-openssl.c +index 4d3a88c8da..4a0132ad3d 100644 +--- a/src/resolve/resolved-dnstls-openssl.c ++++ b/src/resolve/resolved-dnstls-openssl.c +@@ -14,6 +14,19 @@ + #include "resolved-dnstls.h" + #include "resolved-manager.h" + ++static char *dnstls_error_string(int ssl_error, char *buf, size_t count) { ++ assert(buf || count == 0); ++ if (ssl_error == SSL_ERROR_SSL) ++ ERR_error_string_n(ERR_get_error(), buf, count); ++ else ++ snprintf(buf, count, "SSL_get_error()=%d", ssl_error); ++ return buf; ++} ++ ++#define DNSTLS_ERROR_BUFSIZE 256 ++#define DNSTLS_ERROR_STRING(error) \ ++ dnstls_error_string((error), (char[DNSTLS_ERROR_BUFSIZE]){}, DNSTLS_ERROR_BUFSIZE) ++ + static int dnstls_flush_write_buffer(DnsStream *stream) { + ssize_t ss; + +@@ -97,26 +110,18 @@ int dnstls_stream_connect_tls(DnsStream *stream, DnsServer *server) { + + if (server->server_name) { + r = SSL_set_tlsext_host_name(s, server->server_name); +- if (r <= 0) { +- char errbuf[256]; +- +- error = ERR_get_error(); +- ERR_error_string_n(error, errbuf, sizeof(errbuf)); +- return log_debug_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to set server name: %s", errbuf); +- } ++ if (r <= 0) ++ return log_debug_errno(SYNTHETIC_ERRNO(EINVAL), ++ "Failed to set server name: %s", DNSTLS_ERROR_STRING(SSL_ERROR_SSL)); + } + + ERR_clear_error(); + stream->dnstls_data.handshake = SSL_do_handshake(s); + if (stream->dnstls_data.handshake <= 0) { + error = SSL_get_error(s, stream->dnstls_data.handshake); +- if (!IN_SET(error, SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE)) { +- char errbuf[256]; +- +- ERR_error_string_n(error, errbuf, sizeof(errbuf)); ++ if (!IN_SET(error, SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE)) + return log_debug_errno(SYNTHETIC_ERRNO(ECONNREFUSED), +- "Failed to invoke SSL_do_handshake: %s", errbuf); +- } ++ "Failed to invoke SSL_do_handshake: %s", DNSTLS_ERROR_STRING(error)); + } + + stream->encrypted = true; +@@ -177,12 +182,8 @@ int dnstls_stream_on_io(DnsStream *stream, uint32_t revents) { + } else if (error == SSL_ERROR_SYSCALL) { + if (errno > 0) + log_debug_errno(errno, "Failed to invoke SSL_shutdown, ignoring: %m"); +- } else { +- char errbuf[256]; +- +- ERR_error_string_n(error, errbuf, sizeof(errbuf)); +- log_debug("Failed to invoke SSL_shutdown, ignoring: %s", errbuf); +- } ++ } else ++ log_debug("Failed to invoke SSL_shutdown, ignoring: %s", DNSTLS_ERROR_STRING(error)); + } + + stream->dnstls_events = 0; +@@ -206,14 +207,10 @@ int dnstls_stream_on_io(DnsStream *stream, uint32_t revents) { + return r; + + return -EAGAIN; +- } else { +- char errbuf[256]; +- +- ERR_error_string_n(error, errbuf, sizeof(errbuf)); ++ } else + return log_debug_errno(SYNTHETIC_ERRNO(ECONNREFUSED), + "Failed to invoke SSL_do_handshake: %s", +- errbuf); +- } ++ DNSTLS_ERROR_STRING(error)); + } + + stream->dnstls_events = 0; +@@ -275,12 +272,8 @@ int dnstls_stream_shutdown(DnsStream *stream, int error) { + } else if (ssl_error == SSL_ERROR_SYSCALL) { + if (errno > 0) + log_debug_errno(errno, "Failed to invoke SSL_shutdown, ignoring: %m"); +- } else { +- char errbuf[256]; +- +- ERR_error_string_n(ssl_error, errbuf, sizeof(errbuf)); +- log_debug("Failed to invoke SSL_shutdown, ignoring: %s", errbuf); +- } ++ } else ++ log_debug("Failed to invoke SSL_shutdown, ignoring: %s", DNSTLS_ERROR_STRING(ssl_error)); + } + + stream->dnstls_events = 0; +@@ -307,10 +300,7 @@ static ssize_t dnstls_stream_write(DnsStream *stream, const char *buf, size_t co + stream->dnstls_events = 0; + ss = 0; + } else { +- char errbuf[256]; +- +- ERR_error_string_n(error, errbuf, sizeof(errbuf)); +- log_debug("Failed to invoke SSL_write: %s", errbuf); ++ log_debug("Failed to invoke SSL_write: %s", DNSTLS_ERROR_STRING(error)); + stream->dnstls_events = 0; + ss = -EPIPE; + } +@@ -375,10 +365,7 @@ ssize_t dnstls_stream_read(DnsStream *stream, void *buf, size_t count) { + stream->dnstls_events = 0; + ss = 0; + } else { +- char errbuf[256]; +- +- ERR_error_string_n(error, errbuf, sizeof(errbuf)); +- log_debug("Failed to invoke SSL_read: %s", errbuf); ++ log_debug("Failed to invoke SSL_read: %s", DNSTLS_ERROR_STRING(error)); + stream->dnstls_events = 0; + ss = -EPIPE; + } +-- +2.38.1 + diff --git a/0066-network-wifi-try-to-reconfigure-when-connected.patch b/0066-network-wifi-try-to-reconfigure-when-connected.patch new file mode 100644 index 0000000..8e5e83c --- /dev/null +++ b/0066-network-wifi-try-to-reconfigure-when-connected.patch @@ -0,0 +1,73 @@ +From ff7e9a0e3bf9229b2ea55ac0e832358fe13b97b4 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Tue, 22 Nov 2022 14:24:32 +0900 +Subject: [PATCH] network: wifi: try to reconfigure when connected + +Sometimes, RTM_NEWLINK message with carrier is received earlier than +NL80211_CMD_CONNECT. To make SSID= or other WiFi related settings in +[Match] section work, let's try to reconfigure the interface. + +Fixes a bug introduced by 96f5f9ef9a1ba5146d3357c1548fb675d3bd5b68. + +Fixes #25384. + +(cherry picked from commit 8a4ad01a72481a6a7c0309064dd2dbd814818c94) + +Related: #2138081 +--- + src/network/networkd-link.c | 2 +- + src/network/networkd-link.h | 1 + + src/network/networkd-wifi.c | 12 ++++++++++++ + 3 files changed, 14 insertions(+), 1 deletion(-) + +diff --git a/src/network/networkd-link.c b/src/network/networkd-link.c +index 00e4e451ef..788c7957d3 100644 +--- a/src/network/networkd-link.c ++++ b/src/network/networkd-link.c +@@ -1178,7 +1178,7 @@ static int link_get_network(Link *link, Network **ret) { + return -ENOENT; + } + +-static int link_reconfigure_impl(Link *link, bool force) { ++int link_reconfigure_impl(Link *link, bool force) { + Network *network = NULL; + NetDev *netdev = NULL; + int r; +diff --git a/src/network/networkd-link.h b/src/network/networkd-link.h +index 9f1cdca312..65b0164106 100644 +--- a/src/network/networkd-link.h ++++ b/src/network/networkd-link.h +@@ -234,6 +234,7 @@ int link_stop_engines(Link *link, bool may_keep_dhcp); + const char* link_state_to_string(LinkState s) _const_; + LinkState link_state_from_string(const char *s) _pure_; + ++int link_reconfigure_impl(Link *link, bool force); + int link_reconfigure(Link *link, bool force); + int link_reconfigure_after_sleep(Link *link); + +diff --git a/src/network/networkd-wifi.c b/src/network/networkd-wifi.c +index 4bf798a9eb..62cbca0cf9 100644 +--- a/src/network/networkd-wifi.c ++++ b/src/network/networkd-wifi.c +@@ -269,6 +269,18 @@ int manager_genl_process_nl80211_mlme(sd_netlink *genl, sd_netlink_message *mess + if (link->wlan_iftype == NL80211_IFTYPE_STATION && link->ssid) + log_link_info(link, "Connected WiFi access point: %s (%s)", + link->ssid, ETHER_ADDR_TO_STR(&link->bssid)); ++ ++ /* Sometimes, RTM_NEWLINK message with carrier is received earlier than NL80211_CMD_CONNECT. ++ * To make SSID= or other WiFi related settings in [Match] section work, let's try to ++ * reconfigure the interface. */ ++ if (link->ssid && link_has_carrier(link)) { ++ r = link_reconfigure_impl(link, /* force = */ false); ++ if (r < 0) { ++ log_link_warning_errno(link, r, "Failed to reconfigure interface: %m"); ++ link_enter_failed(link); ++ return 0; ++ } ++ } + break; + } + case NL80211_CMD_DISCONNECT: +-- +2.38.1 + diff --git a/0067-oomd-always-allow-root-owned-cgroups-to-set-ManagedO.patch b/0067-oomd-always-allow-root-owned-cgroups-to-set-ManagedO.patch new file mode 100644 index 0000000..8bb55e2 --- /dev/null +++ b/0067-oomd-always-allow-root-owned-cgroups-to-set-ManagedO.patch @@ -0,0 +1,41 @@ +From 6135d6239a40edb260dde80e5662d3e062dde0bd Mon Sep 17 00:00:00 2001 +From: Nick Rosbrook +Date: Tue, 22 Nov 2022 10:33:55 -0500 +Subject: [PATCH] oomd: always allow root-owned cgroups to set + ManagedOOMPreference + +Commit 652a4efb66a ("oomd: loosen the restriction on ManagedOOMPreference") +made the change to allow ManagedOOMPreference on a cgroup candidate when +the monitored cgroup and cgroup candidate are owned by the same user. + +The commit assumed that this check was sufficient to continue allowing +ManagedOOMPreference on all cgroups owned by root. However, it caused a +regression for unprivileged LXD containers where e.g. /sys/fs/cgroup is +owned by nobody (uid=65534). + +Fix this by explicitly allowing the ManagedOOMPreference if uid == 0 in +oomd_fetch_cgroup_oom_preference(). + +(cherry picked from commit 89186093485b52ca957d17842fc1f7c87958454a) + +Related: #2138081 +--- + src/oom/oomd-util.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/oom/oomd-util.c b/src/oom/oomd-util.c +index 1fc81d1843..70a1dc941e 100644 +--- a/src/oom/oomd-util.c ++++ b/src/oom/oomd-util.c +@@ -164,7 +164,7 @@ int oomd_fetch_cgroup_oom_preference(OomdCGroupContext *ctx, const char *prefix) + if (r < 0) + return log_debug_errno(r, "Failed to get owner/group from %s: %m", ctx->path); + +- if (uid == prefix_uid) { ++ if (uid == prefix_uid || uid == 0) { + /* Ignore most errors when reading the xattr since it is usually unset and cgroup xattrs are only used + * as an optional feature of systemd-oomd (and the system might not even support them). */ + r = cg_get_xattr_bool(SYSTEMD_CGROUP_CONTROLLER, ctx->path, "user.oomd_avoid"); +-- +2.38.1 + diff --git a/0068-oomd-fix-unreachable-test-case-in-test-oomd-util.patch b/0068-oomd-fix-unreachable-test-case-in-test-oomd-util.patch new file mode 100644 index 0000000..a4ae783 --- /dev/null +++ b/0068-oomd-fix-unreachable-test-case-in-test-oomd-util.patch @@ -0,0 +1,39 @@ +From 7706a5f2d35c6192a557fe7a72f76ea4e2591daf Mon Sep 17 00:00:00 2001 +From: Nick Rosbrook +Date: Tue, 22 Nov 2022 11:30:03 -0500 +Subject: [PATCH] oomd: fix unreachable test case in test-oomd-util + +This conditional with !empty_or_root(ctx->path) always returns false +because the most recent oomd_cgroup_context_acquire() call was with the +root cgroup. Make sure this test case can be reached by checking cgroup +instead of ctx->path. + +While here, use an unused uid (61183) instead of the nobody uid so the +test case does not fail in unprivileged LXD containers. + +(cherry picked from commit f05bcc18941eef5c2f93cfa06660eb06e0dc4c55) + +Related: #2138081 +--- + src/oom/test-oomd-util.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/oom/test-oomd-util.c b/src/oom/test-oomd-util.c +index 176e3a8d69..faa75c5578 100644 +--- a/src/oom/test-oomd-util.c ++++ b/src/oom/test-oomd-util.c +@@ -475,9 +475,9 @@ static void test_oomd_fetch_cgroup_oom_preference(void) { + + /* Assert that avoid/omit are not set if the cgroup and prefix are not + * owned by the same user.*/ +- if (test_xattrs && !empty_or_root(ctx->path)) { ++ if (test_xattrs && !empty_or_root(cgroup)) { + ctx = oomd_cgroup_context_free(ctx); +- assert_se(cg_set_access(SYSTEMD_CGROUP_CONTROLLER, cgroup, 65534, 0) >= 0); ++ assert_se(cg_set_access(SYSTEMD_CGROUP_CONTROLLER, cgroup, 61183, 0) >= 0); + assert_se(oomd_cgroup_context_acquire(cgroup, &ctx) == 0); + + assert_se(oomd_fetch_cgroup_oom_preference(ctx, NULL) == 0); +-- +2.38.1 + diff --git a/0069-portable-add-a-few-more-useful-debug-log-messages.patch b/0069-portable-add-a-few-more-useful-debug-log-messages.patch new file mode 100644 index 0000000..3832d1b --- /dev/null +++ b/0069-portable-add-a-few-more-useful-debug-log-messages.patch @@ -0,0 +1,51 @@ +From e44e907f58d3c89e0de01e8ff4e25079f1ca505e Mon Sep 17 00:00:00 2001 +From: Luca Boccassi +Date: Wed, 23 Nov 2022 16:06:48 +0000 +Subject: [PATCH] portable: add a few more useful debug log messages + +When attaching and /etc/systemd/system.attached can't be created or used +(eg: dead symlink) the logs are pretty much useless as even at debug +level there's no indication of what is going wrong. +Add some debug logs, and return a more specific error string over D-Bus. + +(cherry picked from commit 80d95fcd6e1947a7887b96b22a32dbca115baac9) + +Related: #2138081 +--- + src/portable/portable.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/src/portable/portable.c b/src/portable/portable.c +index be906f786c..fbc4497014 100644 +--- a/src/portable/portable.c ++++ b/src/portable/portable.c +@@ -1131,7 +1131,7 @@ static int attach_unit_file( + (void) mkdir_parents(where, 0755); + if (mkdir(where, 0755) < 0) { + if (errno != EEXIST) +- return -errno; ++ return log_debug_errno(errno, "Failed to create attach directory %s: %m", where); + } else + (void) portable_changes_add(changes, n_changes, PORTABLE_MKDIR, where, NULL); + +@@ -1145,7 +1145,7 @@ static int attach_unit_file( + + if (mkdir(dropin_dir, 0755) < 0) { + if (errno != EEXIST) +- return -errno; ++ return log_debug_errno(errno, "Failed to create drop-in directory %s: %m", dropin_dir); + } else + (void) portable_changes_add(changes, n_changes, PORTABLE_MKDIR, dropin_dir, NULL); + +@@ -1392,7 +1392,7 @@ int portable_attach( + r = attach_unit_file(&paths, image->path, image->type, extension_images, + item, profile, flags, changes, n_changes); + if (r < 0) +- return r; ++ return sd_bus_error_set_errnof(error, r, "Failed to attach unit '%s': %m", item->name); + } + + /* We don't care too much for the image symlink, it's just a convenience thing, it's not necessary for proper +-- +2.38.1 + diff --git a/0070-repart-respect-discard-no-also-for-block-devices.patch b/0070-repart-respect-discard-no-also-for-block-devices.patch new file mode 100644 index 0000000..211a5b5 --- /dev/null +++ b/0070-repart-respect-discard-no-also-for-block-devices.patch @@ -0,0 +1,46 @@ +From 44843b307d9acbe4f17b7af710cf66932667533a Mon Sep 17 00:00:00 2001 +From: Luca Boccassi +Date: Tue, 22 Nov 2022 16:24:54 +0000 +Subject: [PATCH] repart: respect --discard=no also for block devices + +It's only used to avoid BLKDISCARD on individual partitions at the moment. +It can take a lot of time to run on very slow devices, so avoid it for +them too. + +(cherry picked from commit 0dce448bbc97c861520c287b01d632b887442925) + +Related: #2138081 +--- + src/partition/repart.c | 16 +++++++++------- + 1 file changed, 9 insertions(+), 7 deletions(-) + +diff --git a/src/partition/repart.c b/src/partition/repart.c +index 8e3cfece89..c4ca9840c8 100644 +--- a/src/partition/repart.c ++++ b/src/partition/repart.c +@@ -4387,13 +4387,15 @@ static int context_write_partition_table( + + log_info("Wiped block device."); + +- r = context_discard_range(context, 0, context->total); +- if (r == -EOPNOTSUPP) +- log_info("Storage does not support discard, not discarding entire block device data."); +- else if (r < 0) +- return log_error_errno(r, "Failed to discard entire block device: %m"); +- else if (r > 0) +- log_info("Discarded entire block device."); ++ if (arg_discard) { ++ r = context_discard_range(context, 0, context->total); ++ if (r == -EOPNOTSUPP) ++ log_info("Storage does not support discard, not discarding entire block device data."); ++ else if (r < 0) ++ return log_error_errno(r, "Failed to discard entire block device: %m"); ++ else if (r > 0) ++ log_info("Discarded entire block device."); ++ } + } + + r = fdisk_get_partitions(context->fdisk_context, &original_table); +-- +2.38.1 + diff --git a/0071-udev-make-sure-auto-root-logic-also-works-in-UKIs-bo.patch b/0071-udev-make-sure-auto-root-logic-also-works-in-UKIs-bo.patch new file mode 100644 index 0000000..4f39256 --- /dev/null +++ b/0071-udev-make-sure-auto-root-logic-also-works-in-UKIs-bo.patch @@ -0,0 +1,95 @@ +From e3dfedee10cb0c348d748bf438c76e5c3623ad69 Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Mon, 21 Nov 2022 15:32:22 +0100 +Subject: [PATCH] udev: make sure auto-root logic also works in UKIs booted + from XBOOTLDR +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +If no root= switch is specified on the kernel command line we'll use the +root disk on which the partition the LoaderDevicePartUUID efi var is +located – as long as that partition is an ESP. Let's slightly liberalize +that and also allow it if that partition is an XBOOTLDR partition. This +ensures that UKIs spawned directly from XBOOTLDR work the same as those +from the ESP. + +(Note that this makes no difference if sd-boot is in the mix, as in that +case LoaderDevicePartUUID is always set to the ESP, as that's where +sd-boot is located, and sd-boot will set the var first, sd-stub will +only set it later if it#s not set yet.) + +(cherry picked from commit e4cb147a2e230a4a0b804c3e70f2692a5e2fd698) + +Related: #2138081 +--- + src/udev/udev-builtin-blkid.c | 27 +++++++++++++-------------- + 1 file changed, 13 insertions(+), 14 deletions(-) + +diff --git a/src/udev/udev-builtin-blkid.c b/src/udev/udev-builtin-blkid.c +index 92ea43eef0..9f5646ffdd 100644 +--- a/src/udev/udev-builtin-blkid.c ++++ b/src/udev/udev-builtin-blkid.c +@@ -120,14 +120,14 @@ static int find_gpt_root(sd_device *dev, blkid_probe pr, bool test) { + #if defined(SD_GPT_ROOT_NATIVE) && ENABLE_EFI + + _cleanup_free_ char *root_id = NULL, *root_label = NULL; +- bool found_esp = false; ++ bool found_esp_or_xbootldr = false; + int r; + + assert(pr); + +- /* Iterate through the partitions on this disk, and see if the +- * EFI ESP we booted from is on it. If so, find the first root +- * disk, and add a property indicating its partition UUID. */ ++ /* Iterate through the partitions on this disk, and see if the UEFI ESP or XBOOTLDR partition we ++ * booted from is on it. If so, find the first root disk, and add a property indicating its partition ++ * UUID. */ + + errno = 0; + blkid_partlist pl = blkid_probe_get_partitions(pr); +@@ -157,21 +157,20 @@ static int find_gpt_root(sd_device *dev, blkid_probe pr, bool test) { + if (sd_id128_from_string(stype, &type) < 0) + continue; + +- if (sd_id128_equal(type, SD_GPT_ESP)) { +- sd_id128_t id, esp; ++ if (sd_id128_in_set(type, SD_GPT_ESP, SD_GPT_XBOOTLDR)) { ++ sd_id128_t id, esp_or_xbootldr; + +- /* We found an ESP, let's see if it matches +- * the ESP we booted from. */ ++ /* We found an ESP or XBOOTLDR, let's see if it matches the ESP/XBOOTLDR we booted from. */ + + if (sd_id128_from_string(sid, &id) < 0) + continue; + +- r = efi_loader_get_device_part_uuid(&esp); ++ r = efi_loader_get_device_part_uuid(&esp_or_xbootldr); + if (r < 0) + return r; + +- if (sd_id128_equal(id, esp)) +- found_esp = true; ++ if (sd_id128_equal(id, esp_or_xbootldr)) ++ found_esp_or_xbootldr = true; + + } else if (sd_id128_equal(type, SD_GPT_ROOT_NATIVE)) { + unsigned long long flags; +@@ -195,9 +194,9 @@ static int find_gpt_root(sd_device *dev, blkid_probe pr, bool test) { + } + } + +- /* We found the ESP on this disk, and also found a root +- * partition, nice! Let's export its UUID */ +- if (found_esp && root_id) ++ /* We found the ESP/XBOOTLDR on this disk, and also found a root partition, nice! Let's export its ++ * UUID */ ++ if (found_esp_or_xbootldr && root_id) + udev_builtin_add_property(dev, test, "ID_PART_GPT_AUTO_ROOT_UUID", root_id); + #endif + +-- +2.38.1 + diff --git a/0072-meson-install-test-kernel-install-only-when-Dkernel-.patch b/0072-meson-install-test-kernel-install-only-when-Dkernel-.patch new file mode 100644 index 0000000..49b3979 --- /dev/null +++ b/0072-meson-install-test-kernel-install-only-when-Dkernel-.patch @@ -0,0 +1,35 @@ +From 812e979fe66e9c1a768fbcee3f568234fec2cded Mon Sep 17 00:00:00 2001 +From: Franck Bui +Date: Tue, 15 Nov 2022 09:04:42 +0100 +Subject: [PATCH] meson: install test-kernel-install only when + -Dkernel-install=true + +This patch fixes the following build failure: + + meson.build:3853:8: ERROR: Unknown variable "test_kernel_install_sh". + +Fixes #25432. + +(cherry picked from commit cc77a56532ddb59770e8312fc1b9954b0b135e72) + +Related: #2138081 +--- + meson.build | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/meson.build b/meson.build +index 015849af49..35704947e3 100644 +--- a/meson.build ++++ b/meson.build +@@ -3841,7 +3841,7 @@ exe = custom_target( + install_dir : bindir) + public_programs += exe + +-if want_tests != 'false' ++if want_tests != 'false' and want_kernel_install + test('test-kernel-install', + test_kernel_install_sh, + args : [exe.full_path(), loaderentry_install]) +-- +2.38.1 + diff --git a/0073-boot-Silence-driver-reconnect-errors.patch b/0073-boot-Silence-driver-reconnect-errors.patch new file mode 100644 index 0000000..314fdc3 --- /dev/null +++ b/0073-boot-Silence-driver-reconnect-errors.patch @@ -0,0 +1,58 @@ +From 1dc423e2c194eec07a04b666533cd39e74eab6de Mon Sep 17 00:00:00 2001 +From: Jan Janssen +Date: Sat, 12 Nov 2022 16:24:53 +0100 +Subject: [PATCH] boot: Silence driver reconnect errors + +(cherry picked from commit 98ac5192d5feddae19f6f5ceb60aa3751a30676b) + +Related: #2138081 +--- + src/boot/efi/drivers.c | 28 +++++++++++++--------------- + 1 file changed, 13 insertions(+), 15 deletions(-) + +diff --git a/src/boot/efi/drivers.c b/src/boot/efi/drivers.c +index 39b65e74a6..7f2057f5a1 100644 +--- a/src/boot/efi/drivers.c ++++ b/src/boot/efi/drivers.c +@@ -51,25 +51,23 @@ static EFI_STATUS load_one_driver( + } + + EFI_STATUS reconnect_all_drivers(void) { +- _cleanup_free_ EFI_HANDLE *handles = NULL; +- UINTN n_handles = 0; +- EFI_STATUS err; ++ _cleanup_free_ EFI_HANDLE *handles = NULL; ++ size_t n_handles = 0; ++ EFI_STATUS err; + +- /* Reconnects all handles, so that any loaded drivers can take effect. */ ++ /* Reconnects all handles, so that any loaded drivers can take effect. */ + +- err = BS->LocateHandleBuffer(AllHandles, NULL, NULL, &n_handles, &handles); +- if (err != EFI_SUCCESS) +- return log_error_status_stall(err, L"Failed to get list of handles: %r", err); ++ err = BS->LocateHandleBuffer(AllHandles, NULL, NULL, &n_handles, &handles); ++ if (err != EFI_SUCCESS) ++ return log_error_status_stall(err, L"Failed to get list of handles: %r", err); + +- for (UINTN i = 0; i < n_handles; i++) { +- err = BS->ConnectController(handles[i], NULL, NULL, true); +- if (err == EFI_NOT_FOUND) /* No drivers for this handle */ +- continue; +- if (err != EFI_SUCCESS) +- log_error_status_stall(err, L"Failed to reconnect handle %" PRIuN L", ignoring: %r", i, err); +- } ++ for (size_t i = 0; i < n_handles; i++) ++ /* Some firmware gives us some bogus handles (or they might become bad due to ++ * reconnecting everything). Security policy may also prevent us from doing so too. ++ * There is nothing we can realistically do on errors anyways, so just ignore them. */ ++ (void) BS->ConnectController(handles[i], NULL, NULL, true); + +- return EFI_SUCCESS; ++ return EFI_SUCCESS; + } + + EFI_STATUS load_drivers( +-- +2.38.1 + diff --git a/0074-dissect-image-do-not-try-to-close-invalid-fd.patch b/0074-dissect-image-do-not-try-to-close-invalid-fd.patch new file mode 100644 index 0000000..24d4d04 --- /dev/null +++ b/0074-dissect-image-do-not-try-to-close-invalid-fd.patch @@ -0,0 +1,127 @@ +From c67164cf2c6aed29f70a98ef9050503e56aba952 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Sun, 13 Nov 2022 19:25:02 +0900 +Subject: [PATCH] dissect-image: do not try to close invalid fd + +Fixes a bug introduced by f7725647bb41c3398a867f139efe526efe8aa1b3. + +Hopefully fixes #25348. + +(cherry picked from commit 088377e0920a3785e7926f2ed382810836480ae6) + +Related: #2138081 +--- + src/shared/dissect-image.c | 58 +++++++++++++------------------------- + src/shared/dissect-image.h | 6 ++++ + 2 files changed, 26 insertions(+), 38 deletions(-) + +diff --git a/src/shared/dissect-image.c b/src/shared/dissect-image.c +index 2989d31d3c..6a991c877a 100644 +--- a/src/shared/dissect-image.c ++++ b/src/shared/dissect-image.c +@@ -1010,19 +1010,13 @@ static int dissect_image( + log_debug("No root partition found of the native architecture, falling back to a root " + "partition of the secondary architecture."); + +- m->partitions[PARTITION_ROOT] = m->partitions[PARTITION_ROOT_SECONDARY]; +- zero(m->partitions[PARTITION_ROOT_SECONDARY]); +- m->partitions[PARTITION_ROOT_VERITY] = m->partitions[PARTITION_ROOT_SECONDARY_VERITY]; +- zero(m->partitions[PARTITION_ROOT_SECONDARY_VERITY]); +- m->partitions[PARTITION_ROOT_VERITY_SIG] = m->partitions[PARTITION_ROOT_SECONDARY_VERITY_SIG]; +- zero(m->partitions[PARTITION_ROOT_SECONDARY_VERITY_SIG]); +- +- m->partitions[PARTITION_USR] = m->partitions[PARTITION_USR_SECONDARY]; +- zero(m->partitions[PARTITION_USR_SECONDARY]); +- m->partitions[PARTITION_USR_VERITY] = m->partitions[PARTITION_USR_SECONDARY_VERITY]; +- zero(m->partitions[PARTITION_USR_SECONDARY_VERITY]); +- m->partitions[PARTITION_USR_VERITY_SIG] = m->partitions[PARTITION_USR_SECONDARY_VERITY_SIG]; +- zero(m->partitions[PARTITION_USR_SECONDARY_VERITY_SIG]); ++ m->partitions[PARTITION_ROOT] = TAKE_PARTITION(m->partitions[PARTITION_ROOT_SECONDARY]); ++ m->partitions[PARTITION_ROOT_VERITY] = TAKE_PARTITION(m->partitions[PARTITION_ROOT_SECONDARY_VERITY]); ++ m->partitions[PARTITION_ROOT_VERITY_SIG] = TAKE_PARTITION(m->partitions[PARTITION_ROOT_SECONDARY_VERITY_SIG]); ++ ++ m->partitions[PARTITION_USR] = TAKE_PARTITION(m->partitions[PARTITION_USR_SECONDARY]); ++ m->partitions[PARTITION_USR_VERITY] = TAKE_PARTITION(m->partitions[PARTITION_USR_SECONDARY_VERITY]); ++ m->partitions[PARTITION_USR_VERITY_SIG] = TAKE_PARTITION(m->partitions[PARTITION_USR_SECONDARY_VERITY_SIG]); + + m->partitions[PARTITION_ROOT_OTHER].found = false; + m->partitions[PARTITION_ROOT_OTHER_VERITY].found = false; +@@ -1044,19 +1038,13 @@ static int dissect_image( + "falling back to a root partition of a non-native architecture (%s).", + architecture_to_string(m->partitions[PARTITION_ROOT_OTHER].architecture)); + +- m->partitions[PARTITION_ROOT] = m->partitions[PARTITION_ROOT_OTHER]; +- zero(m->partitions[PARTITION_ROOT_OTHER]); +- m->partitions[PARTITION_ROOT_VERITY] = m->partitions[PARTITION_ROOT_OTHER_VERITY]; +- zero(m->partitions[PARTITION_ROOT_OTHER_VERITY]); +- m->partitions[PARTITION_ROOT_VERITY_SIG] = m->partitions[PARTITION_ROOT_OTHER_VERITY_SIG]; +- zero(m->partitions[PARTITION_ROOT_OTHER_VERITY_SIG]); +- +- m->partitions[PARTITION_USR] = m->partitions[PARTITION_USR_OTHER]; +- zero(m->partitions[PARTITION_USR_OTHER]); +- m->partitions[PARTITION_USR_VERITY] = m->partitions[PARTITION_USR_OTHER_VERITY]; +- zero(m->partitions[PARTITION_USR_OTHER_VERITY]); +- m->partitions[PARTITION_USR_VERITY_SIG] = m->partitions[PARTITION_USR_OTHER_VERITY_SIG]; +- zero(m->partitions[PARTITION_USR_OTHER_VERITY_SIG]); ++ m->partitions[PARTITION_ROOT] = TAKE_PARTITION(m->partitions[PARTITION_ROOT_OTHER]); ++ m->partitions[PARTITION_ROOT_VERITY] = TAKE_PARTITION(m->partitions[PARTITION_ROOT_OTHER_VERITY]); ++ m->partitions[PARTITION_ROOT_VERITY_SIG] = TAKE_PARTITION(m->partitions[PARTITION_ROOT_OTHER_VERITY_SIG]); ++ ++ m->partitions[PARTITION_USR] = TAKE_PARTITION(m->partitions[PARTITION_USR_OTHER]); ++ m->partitions[PARTITION_USR_VERITY] = TAKE_PARTITION(m->partitions[PARTITION_USR_OTHER_VERITY]); ++ m->partitions[PARTITION_USR_VERITY_SIG] = TAKE_PARTITION(m->partitions[PARTITION_USR_OTHER_VERITY_SIG]); + } + + /* Hmm, we found a signature partition but no Verity data? Something is off. */ +@@ -1083,12 +1071,9 @@ static int dissect_image( + "partition of the secondary architecture."); + + /* Upgrade secondary arch to primary */ +- m->partitions[PARTITION_USR] = m->partitions[PARTITION_USR_SECONDARY]; +- zero(m->partitions[PARTITION_USR_SECONDARY]); +- m->partitions[PARTITION_USR_VERITY] = m->partitions[PARTITION_USR_SECONDARY_VERITY]; +- zero(m->partitions[PARTITION_USR_SECONDARY_VERITY]); +- m->partitions[PARTITION_USR_VERITY_SIG] = m->partitions[PARTITION_USR_SECONDARY_VERITY_SIG]; +- zero(m->partitions[PARTITION_USR_SECONDARY_VERITY_SIG]); ++ m->partitions[PARTITION_USR] = TAKE_PARTITION(m->partitions[PARTITION_USR_SECONDARY]); ++ m->partitions[PARTITION_USR_VERITY] = TAKE_PARTITION(m->partitions[PARTITION_USR_SECONDARY_VERITY]); ++ m->partitions[PARTITION_USR_VERITY_SIG] = TAKE_PARTITION(m->partitions[PARTITION_USR_SECONDARY_VERITY_SIG]); + + m->partitions[PARTITION_USR_OTHER].found = false; + m->partitions[PARTITION_USR_OTHER_VERITY].found = false; +@@ -1105,12 +1090,9 @@ static int dissect_image( + architecture_to_string(m->partitions[PARTITION_ROOT_OTHER].architecture)); + + /* Upgrade other arch to primary */ +- m->partitions[PARTITION_USR] = m->partitions[PARTITION_USR_OTHER]; +- zero(m->partitions[PARTITION_USR_OTHER]); +- m->partitions[PARTITION_USR_VERITY] = m->partitions[PARTITION_USR_OTHER_VERITY]; +- zero(m->partitions[PARTITION_USR_OTHER_VERITY]); +- m->partitions[PARTITION_USR_VERITY_SIG] = m->partitions[PARTITION_USR_OTHER_VERITY_SIG]; +- zero(m->partitions[PARTITION_USR_OTHER_VERITY_SIG]); ++ m->partitions[PARTITION_USR] = TAKE_PARTITION(m->partitions[PARTITION_USR_OTHER]); ++ m->partitions[PARTITION_USR_VERITY] = TAKE_PARTITION(m->partitions[PARTITION_USR_OTHER_VERITY]); ++ m->partitions[PARTITION_USR_VERITY_SIG] = TAKE_PARTITION(m->partitions[PARTITION_USR_OTHER_VERITY_SIG]); + } + + /* Hmm, we found a signature partition but no Verity data? Something is off. */ +diff --git a/src/shared/dissect-image.h b/src/shared/dissect-image.h +index 8007b544e7..f2278c4dfa 100644 +--- a/src/shared/dissect-image.h ++++ b/src/shared/dissect-image.h +@@ -40,6 +40,12 @@ struct DissectedPartition { + .architecture = _ARCHITECTURE_INVALID, \ + .mount_node_fd = -1, \ + }) ++#define TAKE_PARTITION(p) \ ++ ({ \ ++ DissectedPartition *_pp = &(p), _p = *_pp; \ ++ *_pp = DISSECTED_PARTITION_NULL; \ ++ _p; \ ++ }) + + typedef enum PartitionDesignator { + PARTITION_ROOT, +-- +2.38.1 + diff --git a/0075-bootctl-make-boot-entry-id-logged-in-hex.patch b/0075-bootctl-make-boot-entry-id-logged-in-hex.patch new file mode 100644 index 0000000..1ff5bd2 --- /dev/null +++ b/0075-bootctl-make-boot-entry-id-logged-in-hex.patch @@ -0,0 +1,36 @@ +From 29180c67635d3a6e4d5fd340ff9251724c803a65 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Sun, 13 Nov 2022 14:36:01 +0900 +Subject: [PATCH] bootctl: make boot entry id logged in hex + +To make consistent with the printed boot id below and other tools e.g. +efibootmgr. + +(cherry picked from commit a7dcb75c539dd5bb69b72e47c820fe79c794409a) + +Related: #2138081 +--- + src/boot/bootctl.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/boot/bootctl.c b/src/boot/bootctl.c +index b53df11764..64a4b74715 100644 +--- a/src/boot/bootctl.c ++++ b/src/boot/bootctl.c +@@ -586,11 +586,11 @@ static int print_efi_option(uint16_t id, int *n_printed, bool in_order) { + + r = efi_get_boot_option(id, &title, &partition, &path, &active); + if (r < 0) +- return log_error_errno(r, "Failed to read boot option %u: %m", id); ++ return log_error_errno(r, "Failed to read boot option 0x%04X: %m", id); + + /* print only configured entries with partition information */ + if (!path || sd_id128_is_null(partition)) { +- log_debug("Ignoring boot entry %u without partition information.", id); ++ log_debug("Ignoring boot entry 0x%04X without partition information.", id); + return 0; + } + +-- +2.38.1 + diff --git a/0076-bootctl-downgrade-log-message-when-firmware-reports-.patch b/0076-bootctl-downgrade-log-message-when-firmware-reports-.patch new file mode 100644 index 0000000..69ba701 --- /dev/null +++ b/0076-bootctl-downgrade-log-message-when-firmware-reports-.patch @@ -0,0 +1,31 @@ +From 6164408188766a31e778ec670239482db886d9be Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Sun, 13 Nov 2022 14:41:08 +0900 +Subject: [PATCH] bootctl: downgrade log message when firmware reports + non-existent or invalid boot entry + +Fixes #25359. + +(cherry picked from commit 78bfeeae508a554483de02b52aa2e5afdc341e1a) + +Related: #2138081 +--- + src/boot/bootctl.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/boot/bootctl.c b/src/boot/bootctl.c +index 64a4b74715..a5811adf20 100644 +--- a/src/boot/bootctl.c ++++ b/src/boot/bootctl.c +@@ -586,7 +586,7 @@ static int print_efi_option(uint16_t id, int *n_printed, bool in_order) { + + r = efi_get_boot_option(id, &title, &partition, &path, &active); + if (r < 0) +- return log_error_errno(r, "Failed to read boot option 0x%04X: %m", id); ++ return log_debug_errno(r, "Failed to read boot option 0x%04X: %m", id); + + /* print only configured entries with partition information */ + if (!path || sd_id128_is_null(partition)) { +-- +2.38.1 + diff --git a/0077-bootctl-rework-how-we-handle-referenced-but-absent-E.patch b/0077-bootctl-rework-how-we-handle-referenced-but-absent-E.patch new file mode 100644 index 0000000..68b3866 --- /dev/null +++ b/0077-bootctl-rework-how-we-handle-referenced-but-absent-E.patch @@ -0,0 +1,40 @@ +From 23ede492fbea1bd1440d84cef6dd68bb46d2e5fb Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Fri, 18 Nov 2022 18:05:53 +0100 +Subject: [PATCH] bootctl: rework how we handle referenced but absent EFI boot + entries + +Follow-up for #25368. + +Let's consider ENOENT an expected error, and just debug log about it +(though, let's suffix it with `, ignoring.`). All other errors will log +loudly, as they are unexpected errors. + +(cherry picked from commit af1bed8e83c3d380d1eb0b9147684b76d1ee4df0) + +Related: #2138081 +--- + src/boot/bootctl.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/src/boot/bootctl.c b/src/boot/bootctl.c +index a5811adf20..7da48b4ca4 100644 +--- a/src/boot/bootctl.c ++++ b/src/boot/bootctl.c +@@ -585,8 +585,12 @@ static int print_efi_option(uint16_t id, int *n_printed, bool in_order) { + assert(n_printed); + + r = efi_get_boot_option(id, &title, &partition, &path, &active); ++ if (r == -ENOENT) { ++ log_debug_errno(r, "Boot option 0x%04X referenced but missing, ignoring: %m", id); ++ return 0; ++ } + if (r < 0) +- return log_debug_errno(r, "Failed to read boot option 0x%04X: %m", id); ++ return log_error_errno(r, "Failed to read boot option 0x%04X: %m", id); + + /* print only configured entries with partition information */ + if (!path || sd_id128_is_null(partition)) { +-- +2.38.1 + diff --git a/0078-strv-Make-sure-strv_make_nulstr-always-returns-a-val.patch b/0078-strv-Make-sure-strv_make_nulstr-always-returns-a-val.patch new file mode 100644 index 0000000..6dd8d10 --- /dev/null +++ b/0078-strv-Make-sure-strv_make_nulstr-always-returns-a-val.patch @@ -0,0 +1,47 @@ +From c59555a86d3fcd2b8d644885134e19fe864251e5 Mon Sep 17 00:00:00 2001 +From: Daan De Meyer +Date: Fri, 11 Nov 2022 11:26:54 +0100 +Subject: [PATCH] strv: Make sure strv_make_nulstr() always returns a valid + nulstr + +strv_make_nulstr() is documented to always return a valid nulstr, +but if the input is `NULL` we return a string terminated with only +a single NUL terminator, so let's fix that and always terminate the +resulting string with two NUL bytes. + +(cherry picked from commit 5ea173a91b2093664a9ebb9add678edd6f5d1efd) + +Related: #2138081 +--- + src/basic/strv.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/src/basic/strv.c b/src/basic/strv.c +index eea34ca68d..24fc56a1a5 100644 +--- a/src/basic/strv.c ++++ b/src/basic/strv.c +@@ -721,7 +721,7 @@ int strv_make_nulstr(char * const *l, char **ret, size_t *ret_size) { + } + + if (!m) { +- m = new0(char, 1); ++ m = new0(char, 2); + if (!m) + return -ENOMEM; + n = 1; +@@ -730,11 +730,9 @@ int strv_make_nulstr(char * const *l, char **ret, size_t *ret_size) { + m[n] = '\0'; + + assert(n > 0); +- *ret = m; ++ *ret = TAKE_PTR(m); + *ret_size = n - 1; + +- m = NULL; +- + return 0; + } + +-- +2.38.1 + diff --git a/0079-sd-bus-Use-goto-finish-instead-of-return-in-bus_add_.patch b/0079-sd-bus-Use-goto-finish-instead-of-return-in-bus_add_.patch new file mode 100644 index 0000000..91328c8 --- /dev/null +++ b/0079-sd-bus-Use-goto-finish-instead-of-return-in-bus_add_.patch @@ -0,0 +1,31 @@ +From 7da1d4780b1dae16369fa5191832ec26d24a2ace Mon Sep 17 00:00:00 2001 +From: Daan De Meyer +Date: Fri, 11 Nov 2022 11:09:28 +0100 +Subject: [PATCH] sd-bus: Use goto finish instead of return in + bus_add_match_full + +Fixes #25340 + +(cherry picked from commit 0f3c342903d1a09577378912717539b530af1fcf) + +Related: #2138081 +--- + src/libsystemd/sd-bus/sd-bus.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/libsystemd/sd-bus/sd-bus.c b/src/libsystemd/sd-bus/sd-bus.c +index 3803a2c4c4..bc716afabf 100644 +--- a/src/libsystemd/sd-bus/sd-bus.c ++++ b/src/libsystemd/sd-bus/sd-bus.c +@@ -3529,7 +3529,7 @@ static int bus_add_match_full( + s); + + if (r < 0) +- return r; ++ goto finish; + + /* Make the slot of the match call floating now. We need the reference, but we don't + * want that this match pins the bus object, hence we first create it non-floating, but +-- +2.38.1 + diff --git a/0080-find-esp-downgrade-and-ignore-error-on-retrieving-PA.patch b/0080-find-esp-downgrade-and-ignore-error-on-retrieving-PA.patch new file mode 100644 index 0000000..4415ab6 --- /dev/null +++ b/0080-find-esp-downgrade-and-ignore-error-on-retrieving-PA.patch @@ -0,0 +1,59 @@ +From 2edd56af85a0360df8bc49a6ee19e0f1051a2d68 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Fri, 11 Nov 2022 09:34:17 +0900 +Subject: [PATCH] find-esp: downgrade and ignore error on retrieving + PART_ENTRY_SCHEME when searching + +Fixes #25332. + +(cherry picked from commit 01f234c6f5672926d6cfe4fbfcdb48326ce06250) + +Related: #2138081 +--- + src/shared/find-esp.c | 14 ++++++++++---- + 1 file changed, 10 insertions(+), 4 deletions(-) + +diff --git a/src/shared/find-esp.c b/src/shared/find-esp.c +index dfe0574aba..aa0b02cc2f 100644 +--- a/src/shared/find-esp.c ++++ b/src/shared/find-esp.c +@@ -177,7 +177,9 @@ static int verify_esp_udev( + + r = sd_device_get_property_value(d, "ID_PART_ENTRY_SCHEME", &v); + if (r < 0) +- return log_error_errno(r, "Failed to get device property: %m"); ++ return log_full_errno(searching && r == -ENOENT ? LOG_DEBUG : LOG_ERR, ++ searching && r == -ENOENT ? SYNTHETIC_ERRNO(EADDRNOTAVAIL) : r, ++ "Failed to get device property: %m"); + if (!streq(v, "gpt")) + return log_full_errno(searching ? LOG_DEBUG : LOG_ERR, + SYNTHETIC_ERRNO(searching ? EADDRNOTAVAIL : ENODEV), +@@ -572,10 +574,11 @@ static int verify_xbootldr_blkid( + else if (r != 0) + return log_error_errno(errno ?: SYNTHETIC_ERRNO(EIO), "%s: Failed to probe file system: %m", node); + +- errno = 0; + r = blkid_probe_lookup_value(b, "PART_ENTRY_SCHEME", &type, NULL); + if (r != 0) +- return log_error_errno(errno ?: SYNTHETIC_ERRNO(EIO), "%s: Failed to probe PART_ENTRY_SCHEME: %m", node); ++ return log_full_errno(searching ? LOG_DEBUG : LOG_ERR, ++ searching ? SYNTHETIC_ERRNO(EADDRNOTAVAIL) : SYNTHETIC_ERRNO(EIO), ++ "%s: Failed to probe PART_ENTRY_SCHEME: %m", node); + if (streq(type, "gpt")) { + + errno = 0; +@@ -638,7 +641,10 @@ static int verify_xbootldr_udev( + + r = sd_device_get_property_value(d, "ID_PART_ENTRY_SCHEME", &type); + if (r < 0) +- return log_device_error_errno(d, r, "Failed to query ID_PART_ENTRY_SCHEME: %m"); ++ return log_device_full_errno(d, ++ searching && r == -ENOENT ? LOG_DEBUG : LOG_ERR, ++ searching && r == -ENOENT ? SYNTHETIC_ERRNO(EADDRNOTAVAIL) : r, ++ "Failed to query ID_PART_ENTRY_SCHEME: %m"); + + if (streq(type, "gpt")) { + +-- +2.38.1 + diff --git a/0081-find-esp-include-device-sysname-in-the-log-message.patch b/0081-find-esp-include-device-sysname-in-the-log-message.patch new file mode 100644 index 0000000..d897dbe --- /dev/null +++ b/0081-find-esp-include-device-sysname-in-the-log-message.patch @@ -0,0 +1,117 @@ +From 0f7bee592dfc80fd1a682a280399fdb493ea5e6d Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Sun, 13 Nov 2022 13:27:36 +0900 +Subject: [PATCH] find-esp: include device sysname in the log message + +(cherry picked from commit 388d14659d250545125f8e950e3abb6eb8682c61) + +Related: #2138081 +--- + src/shared/find-esp.c | 52 +++++++++++++++++++++++-------------------- + 1 file changed, 28 insertions(+), 24 deletions(-) + +diff --git a/src/shared/find-esp.c b/src/shared/find-esp.c +index aa0b02cc2f..fa234c8b5f 100644 +--- a/src/shared/find-esp.c ++++ b/src/shared/find-esp.c +@@ -165,61 +165,65 @@ static int verify_esp_udev( + + r = sd_device_get_devname(d, &node); + if (r < 0) +- return log_error_errno(r, "Failed to get device node: %m"); ++ return log_device_error_errno(d, r, "Failed to get device node: %m"); + + r = sd_device_get_property_value(d, "ID_FS_TYPE", &v); + if (r < 0) +- return log_error_errno(r, "Failed to get device property: %m"); ++ return log_device_error_errno(d, r, "Failed to get device property: %m"); + if (!streq(v, "vfat")) +- return log_full_errno(searching ? LOG_DEBUG : LOG_ERR, +- SYNTHETIC_ERRNO(searching ? EADDRNOTAVAIL : ENODEV), +- "File system \"%s\" is not FAT.", node ); ++ return log_device_full_errno(d, ++ searching ? LOG_DEBUG : LOG_ERR, ++ SYNTHETIC_ERRNO(searching ? EADDRNOTAVAIL : ENODEV), ++ "File system \"%s\" is not FAT.", node ); + + r = sd_device_get_property_value(d, "ID_PART_ENTRY_SCHEME", &v); + if (r < 0) +- return log_full_errno(searching && r == -ENOENT ? LOG_DEBUG : LOG_ERR, +- searching && r == -ENOENT ? SYNTHETIC_ERRNO(EADDRNOTAVAIL) : r, +- "Failed to get device property: %m"); ++ return log_device_full_errno(d, ++ searching && r == -ENOENT ? LOG_DEBUG : LOG_ERR, ++ searching && r == -ENOENT ? SYNTHETIC_ERRNO(EADDRNOTAVAIL) : r, ++ "Failed to get device property: %m"); + if (!streq(v, "gpt")) +- return log_full_errno(searching ? LOG_DEBUG : LOG_ERR, +- SYNTHETIC_ERRNO(searching ? EADDRNOTAVAIL : ENODEV), +- "File system \"%s\" is not on a GPT partition table.", node); ++ return log_device_full_errno(d, ++ searching ? LOG_DEBUG : LOG_ERR, ++ SYNTHETIC_ERRNO(searching ? EADDRNOTAVAIL : ENODEV), ++ "File system \"%s\" is not on a GPT partition table.", node); + + r = sd_device_get_property_value(d, "ID_PART_ENTRY_TYPE", &v); + if (r < 0) +- return log_error_errno(r, "Failed to get device property: %m"); ++ return log_device_error_errno(d, r, "Failed to get device property: %m"); + if (sd_id128_string_equal(v, SD_GPT_ESP) <= 0) +- return log_full_errno(searching ? LOG_DEBUG : LOG_ERR, +- SYNTHETIC_ERRNO(searching ? EADDRNOTAVAIL : ENODEV), +- "File system \"%s\" has wrong type for an EFI System Partition (ESP).", node); ++ return log_device_full_errno(d, ++ searching ? LOG_DEBUG : LOG_ERR, ++ SYNTHETIC_ERRNO(searching ? EADDRNOTAVAIL : ENODEV), ++ "File system \"%s\" has wrong type for an EFI System Partition (ESP).", node); + + r = sd_device_get_property_value(d, "ID_PART_ENTRY_UUID", &v); + if (r < 0) +- return log_error_errno(r, "Failed to get device property: %m"); ++ return log_device_error_errno(d, r, "Failed to get device property: %m"); + r = sd_id128_from_string(v, &uuid); + if (r < 0) +- return log_error_errno(r, "Partition \"%s\" has invalid UUID \"%s\".", node, v); ++ return log_device_error_errno(d, r, "Partition \"%s\" has invalid UUID \"%s\".", node, v); + + r = sd_device_get_property_value(d, "ID_PART_ENTRY_NUMBER", &v); + if (r < 0) +- return log_error_errno(r, "Failed to get device property: %m"); ++ return log_device_error_errno(d, r, "Failed to get device property: %m"); + r = safe_atou32(v, &part); + if (r < 0) +- return log_error_errno(r, "Failed to parse PART_ENTRY_NUMBER field."); ++ return log_device_error_errno(d, r, "Failed to parse PART_ENTRY_NUMBER field."); + + r = sd_device_get_property_value(d, "ID_PART_ENTRY_OFFSET", &v); + if (r < 0) +- return log_error_errno(r, "Failed to get device property: %m"); ++ return log_device_error_errno(d, r, "Failed to get device property: %m"); + r = safe_atou64(v, &pstart); + if (r < 0) +- return log_error_errno(r, "Failed to parse PART_ENTRY_OFFSET field."); ++ return log_device_error_errno(d, r, "Failed to parse PART_ENTRY_OFFSET field."); + + r = sd_device_get_property_value(d, "ID_PART_ENTRY_SIZE", &v); + if (r < 0) +- return log_error_errno(r, "Failed to get device property: %m"); ++ return log_device_error_errno(d, r, "Failed to get device property: %m"); + r = safe_atou64(v, &psize); + if (r < 0) +- return log_error_errno(r, "Failed to parse PART_ENTRY_SIZE field."); ++ return log_device_error_errno(d, r, "Failed to parse PART_ENTRY_SIZE field."); + + if (ret_part) + *ret_part = part; +@@ -637,7 +641,7 @@ static int verify_xbootldr_udev( + + r = sd_device_get_devname(d, &node); + if (r < 0) +- return log_error_errno(r, "Failed to get device node: %m"); ++ return log_device_error_errno(d, r, "Failed to get device node: %m"); + + r = sd_device_get_property_value(d, "ID_PART_ENTRY_SCHEME", &type); + if (r < 0) +-- +2.38.1 + diff --git a/0082-tmpfiles-log-at-info-level-when-some-allowed-failure.patch b/0082-tmpfiles-log-at-info-level-when-some-allowed-failure.patch new file mode 100644 index 0000000..7e29e72 --- /dev/null +++ b/0082-tmpfiles-log-at-info-level-when-some-allowed-failure.patch @@ -0,0 +1,194 @@ +From 2f79547e8bbb5434a84c0b07c30fff63b351590c Mon Sep 17 00:00:00 2001 +From: Luca Boccassi +Date: Thu, 10 Nov 2022 15:47:19 +0000 +Subject: [PATCH] tmpfiles: log at info level when some allowed failures occur + +In provision.conf we ship: + +d- /root :0700 root :root - +d- /root/.ssh :0700 root :root - + +These are allowed to fail, for example on a read-only filesystem. But they still +log at error level, which is annoying and gets flagged. Tune those specific errors +down to info. + +There are likely more that could be tuned down, but the important thing is to cover +the tmpfiles.d that we ship right now. + +Before: + +$ echo -e "d- /root :0700 root :root - \nd- /root/.ssh :0700 root :root -" | SYSTEMD_LOG_LEVEL=err build/systemd-tmpfiles --root=/tmp/img --create - +Failed to create directory or subvolume "/tmp/img/root": Read-only file system +Failed to open path '/tmp/img/root': No such file or directory +$ + +After: + +$ echo -e "d- /root :0700 root :root - \nd- /root/.ssh :0700 root :root -" | SYSTEMD_LOG_LEVEL=err build/systemd-tmpfiles --root=/tmp/img --create - +$ + +(cherry picked from commit 244c2a8344c01e94cd9bdf835de998b89bc53179) + +Related: #2138081 +--- + src/tmpfiles/tmpfiles.c | 49 +++++++++++++++++++++++++++-------------- + 1 file changed, 33 insertions(+), 16 deletions(-) + +diff --git a/src/tmpfiles/tmpfiles.c b/src/tmpfiles/tmpfiles.c +index 784b895577..18bb75715b 100644 +--- a/src/tmpfiles/tmpfiles.c ++++ b/src/tmpfiles/tmpfiles.c +@@ -961,22 +961,34 @@ shortcut: + return label_fix_full(fd, /* inode_path= */ NULL, /* label_path= */ path, 0); + } + +-static int path_open_parent_safe(const char *path) { ++static int path_open_parent_safe(const char *path, bool allow_failure) { + _cleanup_free_ char *dn = NULL; + int r, fd; + + if (!path_is_normalized(path)) +- return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to open parent of '%s': path not normalized.", path); ++ return log_full_errno(allow_failure ? LOG_INFO : LOG_ERR, ++ SYNTHETIC_ERRNO(EINVAL), ++ "Failed to open parent of '%s': path not normalized%s.", ++ path, ++ allow_failure ? ", ignoring" : ""); + + r = path_extract_directory(path, &dn); + if (r < 0) +- return log_error_errno(r, "Unable to determine parent directory of '%s': %m", path); ++ return log_full_errno(allow_failure ? LOG_INFO : LOG_ERR, ++ r, ++ "Unable to determine parent directory of '%s'%s: %m", ++ path, ++ allow_failure ? ", ignoring" : ""); + +- r = chase_symlinks(dn, arg_root, CHASE_SAFE|CHASE_WARN, NULL, &fd); ++ r = chase_symlinks(dn, arg_root, allow_failure ? CHASE_SAFE : CHASE_SAFE|CHASE_WARN, NULL, &fd); + if (r == -ENOLINK) /* Unsafe symlink: already covered by CHASE_WARN */ + return r; + if (r < 0) +- return log_error_errno(r, "Failed to open path '%s': %m", dn); ++ return log_full_errno(allow_failure ? LOG_INFO : LOG_ERR, ++ r, ++ "Failed to open path '%s'%s: %m", ++ dn, ++ allow_failure ? ", ignoring" : ""); + + return fd; + } +@@ -1431,7 +1443,7 @@ static int write_one_file(Item *i, const char *path, CreationMode creation) { + + /* Validate the path and keep the fd on the directory for opening the file so we're sure that it + * can't be changed behind our back. */ +- dir_fd = path_open_parent_safe(path); ++ dir_fd = path_open_parent_safe(path, i->allow_failure); + if (dir_fd < 0) + return dir_fd; + +@@ -1481,7 +1493,7 @@ static int create_file(Item *i, const char *path) { + + /* Validate the path and keep the fd on the directory for opening the file so we're sure that it + * can't be changed behind our back. */ +- dir_fd = path_open_parent_safe(path); ++ dir_fd = path_open_parent_safe(path, i->allow_failure); + if (dir_fd < 0) + return dir_fd; + +@@ -1549,7 +1561,7 @@ static int truncate_file(Item *i, const char *path) { + + /* Validate the path and keep the fd on the directory for opening the file so we're sure that it + * can't be changed behind our back. */ +- dir_fd = path_open_parent_safe(path); ++ dir_fd = path_open_parent_safe(path, i->allow_failure); + if (dir_fd < 0) + return dir_fd; + +@@ -1628,7 +1640,7 @@ static int copy_files(Item *i) { + + /* Validate the path and use the returned directory fd for copying the target so we're sure that the + * path can't be changed behind our back. */ +- dfd = path_open_parent_safe(i->path); ++ dfd = path_open_parent_safe(i->path, i->allow_failure); + if (dfd < 0) + return dfd; + +@@ -1664,6 +1676,7 @@ static int create_directory_or_subvolume( + const char *path, + mode_t mode, + bool subvol, ++ bool allow_failure, + struct stat *ret_st, + CreationMode *ret_creation) { + +@@ -1679,7 +1692,7 @@ static int create_directory_or_subvolume( + if (r < 0) + return log_error_errno(r, "Failed to extract filename from path '%s': %m", path); + +- pfd = path_open_parent_safe(path); ++ pfd = path_open_parent_safe(path, allow_failure); + if (pfd < 0) + return pfd; + +@@ -1720,7 +1733,11 @@ static int create_directory_or_subvolume( + + /* Then look at the original error */ + if (r < 0) +- return log_error_errno(r, "Failed to create directory or subvolume \"%s\": %m", path); ++ return log_full_errno(allow_failure ? LOG_INFO : LOG_ERR, ++ r, ++ "Failed to create directory or subvolume \"%s\"%s: %m", ++ path, ++ allow_failure ? ", ignoring" : ""); + + return log_error_errno(errno, "Failed to open directory/subvolume we just created '%s': %m", path); + } +@@ -1748,7 +1765,7 @@ static int create_directory(Item *i, const char *path) { + assert(i); + assert(IN_SET(i->type, CREATE_DIRECTORY, TRUNCATE_DIRECTORY)); + +- fd = create_directory_or_subvolume(path, i->mode, /* subvol= */ false, &st, &creation); ++ fd = create_directory_or_subvolume(path, i->mode, /* subvol= */ false, i->allow_failure, &st, &creation); + if (fd == -EEXIST) + return 0; + if (fd < 0) +@@ -1766,7 +1783,7 @@ static int create_subvolume(Item *i, const char *path) { + assert(i); + assert(IN_SET(i->type, CREATE_SUBVOLUME, CREATE_SUBVOLUME_NEW_QUOTA, CREATE_SUBVOLUME_INHERIT_QUOTA)); + +- fd = create_directory_or_subvolume(path, i->mode, /* subvol = */ true, &st, &creation); ++ fd = create_directory_or_subvolume(path, i->mode, /* subvol = */ true, i->allow_failure, &st, &creation); + if (fd == -EEXIST) + return 0; + if (fd < 0) +@@ -1845,7 +1862,7 @@ static int create_device(Item *i, mode_t file_type) { + + /* Validate the path and use the returned directory fd for copying the target so we're sure that the + * path can't be changed behind our back. */ +- dfd = path_open_parent_safe(i->path); ++ dfd = path_open_parent_safe(i->path, i->allow_failure); + if (dfd < 0) + return dfd; + +@@ -1947,7 +1964,7 @@ static int create_fifo(Item *i) { + if (r == O_DIRECTORY) + return log_error_errno(SYNTHETIC_ERRNO(EISDIR), "Cannot open path '%s' for creating FIFO, is a directory.", i->path); + +- pfd = path_open_parent_safe(i->path); ++ pfd = path_open_parent_safe(i->path, i->allow_failure); + if (pfd < 0) + return pfd; + +@@ -2032,7 +2049,7 @@ static int create_symlink(Item *i) { + if (r == O_DIRECTORY) + return log_error_errno(SYNTHETIC_ERRNO(EISDIR), "Cannot open path '%s' for creating FIFO, is a directory.", i->path); + +- pfd = path_open_parent_safe(i->path); ++ pfd = path_open_parent_safe(i->path, i->allow_failure); + if (pfd < 0) + return pfd; + +-- +2.38.1 + diff --git a/0083-fd-util-make-fd_in_set-and-thus-close_all_fds-handle.patch b/0083-fd-util-make-fd_in_set-and-thus-close_all_fds-handle.patch new file mode 100644 index 0000000..8d8ad16 --- /dev/null +++ b/0083-fd-util-make-fd_in_set-and-thus-close_all_fds-handle.patch @@ -0,0 +1,50 @@ +From 60fa029fe83af62f27bf833dc86c0aeeb76b412b Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Fri, 4 Nov 2022 18:19:29 +0100 +Subject: [PATCH] fd-util: make fd_in_set() (and thus close_all_fds()) handle + invalidated fds in the array + +let's handle gracefully if fds in the specified array are already +invalidated (i.e. negative). This is handy when putting together arrays +on the fly. + +(cherry picked from commit d11c14a9817f6561a30d96d8faea126a4c811af8) + +Related: #2138081 +--- + src/basic/fd-util.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/src/basic/fd-util.c b/src/basic/fd-util.c +index cee20a9a81..6ed04449bf 100644 +--- a/src/basic/fd-util.c ++++ b/src/basic/fd-util.c +@@ -177,9 +177,13 @@ int fd_cloexec(int fd, bool cloexec) { + _pure_ static bool fd_in_set(int fd, const int fdset[], size_t n_fdset) { + assert(n_fdset == 0 || fdset); + +- for (size_t i = 0; i < n_fdset; i++) ++ for (size_t i = 0; i < n_fdset; i++) { ++ if (fdset[i] < 0) ++ continue; ++ + if (fdset[i] == fd) + return true; ++ } + + return false; + } +@@ -252,6 +256,10 @@ static int close_all_fds_special_case(const int except[], size_t n_except) { + if (!have_close_range) + return 0; + ++ if (n_except == 1 && except[0] < 0) /* Minor optimization: if we only got one fd, and it's invalid, ++ * we got none */ ++ n_except = 0; ++ + switch (n_except) { + + case 0: +-- +2.38.1 + diff --git a/0084-fd-util-add-new-fd_cloexec_many-helper.patch b/0084-fd-util-add-new-fd_cloexec_many-helper.patch new file mode 100644 index 0000000..93ce208 --- /dev/null +++ b/0084-fd-util-add-new-fd_cloexec_many-helper.patch @@ -0,0 +1,58 @@ +From b9223cd76c73fa5cf3ed19a2238980047bf13826 Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Fri, 4 Nov 2022 18:20:19 +0100 +Subject: [PATCH] fd-util: add new fd_cloexec_many() helper + +(cherry picked from commit ed18c22c989495aab36512f03449222cfcf79aa7) + +Related: #2138081 +--- + src/basic/fd-util.c | 19 +++++++++++++++++++ + src/basic/fd-util.h | 1 + + 2 files changed, 20 insertions(+) + +diff --git a/src/basic/fd-util.c b/src/basic/fd-util.c +index 6ed04449bf..66bb7569bb 100644 +--- a/src/basic/fd-util.c ++++ b/src/basic/fd-util.c +@@ -174,6 +174,25 @@ int fd_cloexec(int fd, bool cloexec) { + return RET_NERRNO(fcntl(fd, F_SETFD, nflags)); + } + ++int fd_cloexec_many(const int fds[], size_t n_fds, bool cloexec) { ++ int ret = 0, r; ++ ++ assert(n_fds == 0 || fds); ++ ++ for (size_t i = 0; i < n_fds; i++) { ++ if (fds[i] < 0) /* Skip gracefully over already invalidated fds */ ++ continue; ++ ++ r = fd_cloexec(fds[i], cloexec); ++ if (r < 0 && ret >= 0) /* Continue going, but return first error */ ++ ret = r; ++ else ++ ret = 1; /* report if we did anything */ ++ } ++ ++ return ret; ++} ++ + _pure_ static bool fd_in_set(int fd, const int fdset[], size_t n_fdset) { + assert(n_fdset == 0 || fdset); + +diff --git a/src/basic/fd-util.h b/src/basic/fd-util.h +index d9896e27e8..29c7d86f27 100644 +--- a/src/basic/fd-util.h ++++ b/src/basic/fd-util.h +@@ -56,6 +56,7 @@ DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(DIR*, closedir, NULL); + + int fd_nonblock(int fd, bool nonblock); + int fd_cloexec(int fd, bool cloexec); ++int fd_cloexec_many(const int fds[], size_t n_fds, bool cloexec); + + int get_max_fd(void); + +-- +2.38.1 + diff --git a/0085-process-util-add-new-FORK_CLOEXEC_OFF-flag-for-disab.patch b/0085-process-util-add-new-FORK_CLOEXEC_OFF-flag-for-disab.patch new file mode 100644 index 0000000..a855b1b --- /dev/null +++ b/0085-process-util-add-new-FORK_CLOEXEC_OFF-flag-for-disab.patch @@ -0,0 +1,52 @@ +From 4fb6e9eddc7487a965b3e051115f9bb1d0413342 Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Fri, 4 Nov 2022 18:20:47 +0100 +Subject: [PATCH] process-util: add new FORK_CLOEXEC_OFF flag for disabling + O_CLOEXEC on remaining fds + +Often the fds that shall stay around in the child shall be passed +to a process over execve(), hence add an option to explicitly disable +O_CLOEXEC on them in the child. + +(cherry picked from commit 981cfbe046297a18f2cb115ef81202f3bd68d2a3) + +Related: #2138081 +--- + src/basic/process-util.c | 8 ++++++++ + src/basic/process-util.h | 1 + + 2 files changed, 9 insertions(+) + +diff --git a/src/basic/process-util.c b/src/basic/process-util.c +index fb0b38fa49..0213f5913f 100644 +--- a/src/basic/process-util.c ++++ b/src/basic/process-util.c +@@ -1372,6 +1372,14 @@ int safe_fork_full( + } + } + ++ if (flags & FORK_CLOEXEC_OFF) { ++ r = fd_cloexec_many(except_fds, n_except_fds, false); ++ if (r < 0) { ++ log_full_errno(prio, r, "Failed to turn off O_CLOEXEC on file descriptors: %m"); ++ _exit(EXIT_FAILURE); ++ } ++ } ++ + /* When we were asked to reopen the logs, do so again now */ + if (flags & FORK_REOPEN_LOG) { + log_open(); +diff --git a/src/basic/process-util.h b/src/basic/process-util.h +index f8c374a310..ed2f73673e 100644 +--- a/src/basic/process-util.h ++++ b/src/basic/process-util.h +@@ -150,6 +150,7 @@ typedef enum ForkFlags { + FORK_STDOUT_TO_STDERR = 1 << 11, /* Make stdout a copy of stderr */ + FORK_FLUSH_STDIO = 1 << 12, /* fflush() stdout (and stderr) before forking */ + FORK_NEW_USERNS = 1 << 13, /* Run child in its own user namespace */ ++ FORK_CLOEXEC_OFF = 1 << 14, /* In the child: turn off O_CLOEXEC on all fds in except_fds[] */ + } ForkFlags; + + int safe_fork_full(const char *name, const int except_fds[], size_t n_except_fds, ForkFlags flags, pid_t *ret_pid); +-- +2.38.1 + diff --git a/0086-dissect-fix-fsck.patch b/0086-dissect-fix-fsck.patch new file mode 100644 index 0000000..224d974 --- /dev/null +++ b/0086-dissect-fix-fsck.patch @@ -0,0 +1,74 @@ +From 7f0f2caa082e7490c160b2c992a094116474a95f Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Fri, 4 Nov 2022 18:26:42 +0100 +Subject: [PATCH] dissect: fix fsck + +Since f7725647bb41c3398a867f139efe526efe8aa1b3 when dissecting a disk +image we operate with fds to the device nodes in question wherever we +can. This includes when we fork off fsck, where we pass a /proc/self/fd/ +path as argument. This only works if we keep that fd open however and +disable O_CLOEXEC on the fd. Hence do so, and fix fsck this way. + +(Without this, all fsck will fail, since the fd path is invalid) + +(cherry picked from commit f8ab781223bcb0330ee4499b879a62e84fee313e) + +Related: #2138081 +--- + src/shared/dissect-image.c | 16 ++++++++++------ + 1 file changed, 10 insertions(+), 6 deletions(-) + +diff --git a/src/shared/dissect-image.c b/src/shared/dissect-image.c +index 6a991c877a..7676636723 100644 +--- a/src/shared/dissect-image.c ++++ b/src/shared/dissect-image.c +@@ -1309,11 +1309,11 @@ static int is_loop_device(const char *path) { + return true; + } + +-static int run_fsck(const char *node, const char *fstype) { ++static int run_fsck(int node_fd, const char *fstype) { + int r, exit_status; + pid_t pid; + +- assert(node); ++ assert(node_fd >= 0); + assert(fstype); + + r = fsck_exists_for_fstype(fstype); +@@ -1322,16 +1322,20 @@ static int run_fsck(const char *node, const char *fstype) { + return 0; + } + if (r == 0) { +- log_debug("Not checking partition %s, as fsck for %s does not exist.", node, fstype); ++ log_debug("Not checking partition %s, as fsck for %s does not exist.", FORMAT_PROC_FD_PATH(node_fd), fstype); + return 0; + } + +- r = safe_fork("(fsck)", FORK_RESET_SIGNALS|FORK_CLOSE_ALL_FDS|FORK_RLIMIT_NOFILE_SAFE|FORK_DEATHSIG|FORK_NULL_STDIO, &pid); ++ r = safe_fork_full( ++ "(fsck)", ++ &node_fd, 1, /* Leave the node fd open */ ++ FORK_RESET_SIGNALS|FORK_CLOSE_ALL_FDS|FORK_RLIMIT_NOFILE_SAFE|FORK_DEATHSIG|FORK_NULL_STDIO|FORK_CLOEXEC_OFF, ++ &pid); + if (r < 0) + return log_debug_errno(r, "Failed to fork off fsck: %m"); + if (r == 0) { + /* Child */ +- execl("/sbin/fsck", "/sbin/fsck", "-aT", node, NULL); ++ execl("/sbin/fsck", "/sbin/fsck", "-aT", FORMAT_PROC_FD_PATH(node_fd), NULL); + log_open(); + log_debug_errno(errno, "Failed to execl() fsck: %m"); + _exit(FSCK_OPERATIONAL_ERROR); +@@ -1421,7 +1425,7 @@ static int mount_partition( + rw = m->rw && !(flags & DISSECT_IMAGE_MOUNT_READ_ONLY); + + if (FLAGS_SET(flags, DISSECT_IMAGE_FSCK) && rw) { +- r = run_fsck(node, fstype); ++ r = run_fsck(m->mount_node_fd, fstype); + if (r < 0) + return r; + } +-- +2.38.1 + diff --git a/0087-core-update-audit-messages.patch b/0087-core-update-audit-messages.patch new file mode 100644 index 0000000..4ee7e49 --- /dev/null +++ b/0087-core-update-audit-messages.patch @@ -0,0 +1,34 @@ +From 0a191f8306b4439049fcac8eea206835c144215e Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= +Date: Fri, 4 Nov 2022 16:30:57 +0100 +Subject: [PATCH] core: update audit messages + +Pass getuid() instead of literal `0` as auid, since user session +managers also issue audit messages on SELinux denials. + +(cherry picked from commit c826b7ef3272157167a5c9d493e9672f00d84b98) + +Related: #2138081 +--- + src/core/selinux-access.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/core/selinux-access.c b/src/core/selinux-access.c +index c69baa8a1a..c1744cff92 100644 +--- a/src/core/selinux-access.c ++++ b/src/core/selinux-access.c +@@ -113,9 +113,9 @@ _printf_(2, 3) static int log_callback(int type, const char *fmt, ...) { + + if (r >= 0) { + if (type == SELINUX_AVC) +- audit_log_user_avc_message(get_audit_fd(), AUDIT_USER_AVC, buf, NULL, NULL, NULL, 0); ++ audit_log_user_avc_message(get_audit_fd(), AUDIT_USER_AVC, buf, NULL, NULL, NULL, getuid()); + else if (type == SELINUX_ERROR) +- audit_log_user_avc_message(get_audit_fd(), AUDIT_USER_SELINUX_ERR, buf, NULL, NULL, NULL, 0); ++ audit_log_user_avc_message(get_audit_fd(), AUDIT_USER_SELINUX_ERR, buf, NULL, NULL, NULL, getuid()); + + return 0; + } +-- +2.38.1 + diff --git a/0088-logind-set-RemoveIPC-to-false-by-default.patch b/0088-logind-set-RemoveIPC-to-false-by-default.patch new file mode 100644 index 0000000..1fce86c --- /dev/null +++ b/0088-logind-set-RemoveIPC-to-false-by-default.patch @@ -0,0 +1,56 @@ +From 49fab9715ce09b86652e9855555e4ab4fc185220 Mon Sep 17 00:00:00 2001 +From: rpm-build +Date: Wed, 1 Aug 2018 10:58:28 +0200 +Subject: [PATCH] logind: set RemoveIPC to false by default + +RHEL-only + +Related: #2138081 +--- + man/logind.conf.xml | 2 +- + src/login/logind-core.c | 2 +- + src/login/logind.conf.in | 2 +- + 3 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/man/logind.conf.xml b/man/logind.conf.xml +index 9682add08c..1a87cf6baf 100644 +--- a/man/logind.conf.xml ++++ b/man/logind.conf.xml +@@ -341,7 +341,7 @@ + user fully logs out. Takes a boolean argument. If enabled, the user may not consume IPC resources after the + last of the user's sessions terminated. This covers System V semaphores, shared memory and message queues, as + well as POSIX shared memory and message queues. Note that IPC objects of the root user and other system users +- are excluded from the effect of this setting. Defaults to yes. ++ are excluded from the effect of this setting. Defaults to no. + + + +diff --git a/src/login/logind-core.c b/src/login/logind-core.c +index 02adc81909..b5050c54c4 100644 +--- a/src/login/logind-core.c ++++ b/src/login/logind-core.c +@@ -34,7 +34,7 @@ void manager_reset_config(Manager *m) { + + m->n_autovts = 6; + m->reserve_vt = 6; +- m->remove_ipc = true; ++ m->remove_ipc = false; + m->inhibit_delay_max = 5 * USEC_PER_SEC; + m->user_stop_delay = 10 * USEC_PER_SEC; + +diff --git a/src/login/logind.conf.in b/src/login/logind.conf.in +index 0b10df6839..09c363817a 100644 +--- a/src/login/logind.conf.in ++++ b/src/login/logind.conf.in +@@ -43,7 +43,7 @@ + #IdleActionSec=30min + #RuntimeDirectorySize=10% + #RuntimeDirectoryInodesMax= +-#RemoveIPC=yes ++#RemoveIPC=no + #InhibitorsMax=8192 + #SessionsMax=8192 + #StopIdleSessionSec=infinity +-- +2.38.1 + diff --git a/0089-tmpfiles-don-t-create-resolv.conf-stub-resolv.conf-s.patch b/0089-tmpfiles-don-t-create-resolv.conf-stub-resolv.conf-s.patch new file mode 100644 index 0000000..a65d148 --- /dev/null +++ b/0089-tmpfiles-don-t-create-resolv.conf-stub-resolv.conf-s.patch @@ -0,0 +1,46 @@ +From efe2c6703e3132dafaa29c1a7d3e3db4a683ed15 Mon Sep 17 00:00:00 2001 +From: Michal Sekletar +Date: Thu, 5 Aug 2021 17:11:47 +0200 +Subject: [PATCH] tmpfiles: don't create resolv.conf -> stub-resolv.conf + symlink + +RHEL-only + +Related: #2138081 +--- + tmpfiles.d/meson.build | 1 - + tmpfiles.d/systemd-resolve.conf | 10 ---------- + 2 files changed, 11 deletions(-) + delete mode 100644 tmpfiles.d/systemd-resolve.conf + +diff --git a/tmpfiles.d/meson.build b/tmpfiles.d/meson.build +index ca1abbf3fe..179c71d375 100644 +--- a/tmpfiles.d/meson.build ++++ b/tmpfiles.d/meson.build +@@ -10,7 +10,6 @@ files = [['README', ''], + ['systemd-nologin.conf', 'HAVE_PAM'], + ['systemd-nspawn.conf', 'ENABLE_MACHINED'], + ['systemd-pstore.conf', 'ENABLE_PSTORE'], +- ['systemd-resolve.conf', 'ENABLE_RESOLVE'], + ['systemd-tmp.conf', ''], + ['tmp.conf', ''], + ['x11.conf', ''], +diff --git a/tmpfiles.d/systemd-resolve.conf b/tmpfiles.d/systemd-resolve.conf +deleted file mode 100644 +index cb1c56d6a6..0000000000 +--- a/tmpfiles.d/systemd-resolve.conf ++++ /dev/null +@@ -1,10 +0,0 @@ +-# This file is part of systemd. +-# +-# systemd is free software; you can redistribute it and/or modify it +-# under the terms of the GNU Lesser General Public License as published by +-# the Free Software Foundation; either version 2.1 of the License, or +-# (at your option) any later version. +- +-# See tmpfiles.d(5) for details +- +-L! /etc/resolv.conf - - - - ../run/systemd/resolve/stub-resolv.conf +-- +2.38.1 + diff --git a/0090-Copy-40-redhat.rules-from-RHEL-8.patch b/0090-Copy-40-redhat.rules-from-RHEL-8.patch new file mode 100644 index 0000000..c383f0c --- /dev/null +++ b/0090-Copy-40-redhat.rules-from-RHEL-8.patch @@ -0,0 +1,83 @@ +From 6b5b5fefcb68cb53427747be4984531bdeddcf7e Mon Sep 17 00:00:00 2001 +From: David Tardon +Date: Fri, 2 Jul 2021 13:25:51 +0200 +Subject: [PATCH] Copy 40-redhat.rules from RHEL-8 + +RHEL-only + +Related: #2138081 +--- + rules.d/40-redhat.rules | 46 +++++++++++++++++++++++++++++++++++++++++ + rules.d/meson.build | 3 ++- + 2 files changed, 48 insertions(+), 1 deletion(-) + create mode 100644 rules.d/40-redhat.rules + +diff --git a/rules.d/40-redhat.rules b/rules.d/40-redhat.rules +new file mode 100644 +index 0000000000..3c95cd2df0 +--- /dev/null ++++ b/rules.d/40-redhat.rules +@@ -0,0 +1,46 @@ ++# do not edit this file, it will be overwritten on update ++ ++# CPU hotadd request ++SUBSYSTEM=="cpu", ACTION=="add", TEST=="online", ATTR{online}=="0", ATTR{online}="1" ++ ++# Memory hotadd request ++SUBSYSTEM!="memory", GOTO="memory_hotplug_end" ++ACTION!="add", GOTO="memory_hotplug_end" ++CONST{arch}=="s390*", GOTO="memory_hotplug_end" ++CONST{arch}=="ppc64*", GOTO="memory_hotplug_end" ++ ++ENV{.state}="online" ++CONST{virt}=="none", ENV{.state}="online_movable" ++ATTR{state}=="offline", ATTR{state}="$env{.state}" ++ ++LABEL="memory_hotplug_end" ++ ++# reload sysctl.conf / sysctl.conf.d settings when the bridge module is loaded ++ACTION=="add", SUBSYSTEM=="module", KERNEL=="bridge", RUN+="/usr/lib/systemd/systemd-sysctl --prefix=/proc/sys/net/bridge" ++ ++# load SCSI generic (sg) driver ++SUBSYSTEM=="scsi", ENV{DEVTYPE}=="scsi_device", TEST!="[module/sg]", RUN+="/sbin/modprobe -bv sg" ++SUBSYSTEM=="scsi", ENV{DEVTYPE}=="scsi_target", TEST!="[module/sg]", RUN+="/sbin/modprobe -bv sg" ++ ++# Rule for prandom character device node permissions ++KERNEL=="prandom", MODE="0644" ++ ++# Rules for creating the ID_PATH for SCSI devices based on the CCW bus ++# using the form: ccw--zfcp-: ++# ++ACTION=="remove", GOTO="zfcp_scsi_device_end" ++ ++# ++# Set environment variable "ID_ZFCP_BUS" to "1" if the devices ++# (both disk and partition) are SCSI devices based on FCP devices ++# ++KERNEL=="sd*", SUBSYSTEMS=="ccw", DRIVERS=="zfcp", ENV{.ID_ZFCP_BUS}="1" ++ ++# For SCSI disks ++KERNEL=="sd*[!0-9]", SUBSYSTEMS=="scsi", ENV{.ID_ZFCP_BUS}=="1", ENV{DEVTYPE}=="disk", SYMLINK+="disk/by-path/ccw-$attr{hba_id}-zfcp-$attr{wwpn}:$attr{fcp_lun}" ++ ++ ++# For partitions on a SCSI disk ++KERNEL=="sd*[0-9]", SUBSYSTEMS=="scsi", ENV{.ID_ZFCP_BUS}=="1", ENV{DEVTYPE}=="partition", SYMLINK+="disk/by-path/ccw-$attr{hba_id}-zfcp-$attr{wwpn}:$attr{fcp_lun}-part%n" ++ ++LABEL="zfcp_scsi_device_end" +diff --git a/rules.d/meson.build b/rules.d/meson.build +index 8d2878a36d..70f48e877b 100644 +--- a/rules.d/meson.build ++++ b/rules.d/meson.build +@@ -5,7 +5,8 @@ install_data( + install_dir : udevrulesdir) + + rules = [ +- [files('60-autosuspend.rules', ++ [files('40-redhat.rules', ++ '60-autosuspend.rules', + '60-block.rules', + '60-cdrom_id.rules', + '60-drm.rules', +-- +2.38.1 + diff --git a/0091-Avoid-tmp-being-mounted-as-tmpfs-without-the-user-s-.patch b/0091-Avoid-tmp-being-mounted-as-tmpfs-without-the-user-s-.patch new file mode 100644 index 0000000..3afe02c --- /dev/null +++ b/0091-Avoid-tmp-being-mounted-as-tmpfs-without-the-user-s-.patch @@ -0,0 +1,48 @@ +From 711aca5f4820c2345489136cbbde7428d9f9da1b Mon Sep 17 00:00:00 2001 +From: Jan Synacek +Date: Tue, 15 May 2018 09:24:20 +0200 +Subject: [PATCH] Avoid /tmp being mounted as tmpfs without the user's will + +Ensure PrivateTmp doesn't require tmpfs through tmp.mount, but rather +adds an After relationship. + +RHEL-only + +Related: #2138081 +--- + src/core/unit.c | 7 +------ + units/basic.target | 3 ++- + 2 files changed, 3 insertions(+), 7 deletions(-) + +diff --git a/src/core/unit.c b/src/core/unit.c +index d08c73613b..1fad0b0ac8 100644 +--- a/src/core/unit.c ++++ b/src/core/unit.c +@@ -1301,12 +1301,7 @@ int unit_add_exec_dependencies(Unit *u, ExecContext *c) { + } + + if (c->private_tmp) { +- +- /* FIXME: for now we make a special case for /tmp and add a weak dependency on +- * tmp.mount so /tmp being masked is supported. However there's no reason to treat +- * /tmp specifically and masking other mount units should be handled more +- * gracefully too, see PR#16894. */ +- r = unit_add_two_dependencies_by_name(u, UNIT_AFTER, UNIT_WANTS, "tmp.mount", true, UNIT_DEPENDENCY_FILE); ++ r = unit_add_dependency_by_name(u, UNIT_AFTER, "tmp.mount", true, UNIT_DEPENDENCY_FILE); + if (r < 0) + return r; + +diff --git a/units/basic.target b/units/basic.target +index d8cdd5ac14..9eae0782a2 100644 +--- a/units/basic.target ++++ b/units/basic.target +@@ -19,4 +19,5 @@ After=sysinit.target sockets.target paths.target slices.target tmp.mount + # require /var and /var/tmp, but only add a Wants= type dependency on /tmp, as + # we support that unit being masked, and this should not be considered an error. + RequiresMountsFor=/var /var/tmp +-Wants=tmp.mount ++# RHEL-only: Disable /tmp on tmpfs. ++#Wants=tmp.mount +-- +2.38.1 + diff --git a/0092-unit-don-t-add-Requires-for-tmp.mount.patch b/0092-unit-don-t-add-Requires-for-tmp.mount.patch new file mode 100644 index 0000000..560965b --- /dev/null +++ b/0092-unit-don-t-add-Requires-for-tmp.mount.patch @@ -0,0 +1,41 @@ +From c5f1cc8f23dfe545c0d03eae88bbd91e8a1db226 Mon Sep 17 00:00:00 2001 +From: Lukas Nykryn +Date: Mon, 5 Sep 2016 12:47:09 +0200 +Subject: [PATCH] unit: don't add Requires for tmp.mount + +rhel-only +Related: #2138081 +--- + src/core/mount.c | 2 +- + src/core/unit.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/core/mount.c b/src/core/mount.c +index 5e8a6ead61..ba55f7dd86 100644 +--- a/src/core/mount.c ++++ b/src/core/mount.c +@@ -336,7 +336,7 @@ static int mount_add_mount_dependencies(Mount *m) { + if (r < 0) + return r; + +- if (UNIT(m)->fragment_path) { ++ if (UNIT(m)->fragment_path && !streq(UNIT(m)->id, "tmp.mount")) { + /* If we have fragment configuration, then make this dependency required */ + r = unit_add_dependency(other, UNIT_REQUIRES, UNIT(m), true, UNIT_DEPENDENCY_PATH); + if (r < 0) +diff --git a/src/core/unit.c b/src/core/unit.c +index 1fad0b0ac8..5af44aaf4a 100644 +--- a/src/core/unit.c ++++ b/src/core/unit.c +@@ -1541,7 +1541,7 @@ static int unit_add_mount_dependencies(Unit *u) { + return r; + changed = changed || r > 0; + +- if (m->fragment_path) { ++ if (m->fragment_path && !streq(m->id, "tmp.mount")) { + r = unit_add_dependency(u, UNIT_REQUIRES, m, true, di.origin_mask); + if (r < 0) + return r; +-- +2.38.1 + diff --git a/0093-units-add-Install-section-to-tmp.mount.patch b/0093-units-add-Install-section-to-tmp.mount.patch new file mode 100644 index 0000000..567ed17 --- /dev/null +++ b/0093-units-add-Install-section-to-tmp.mount.patch @@ -0,0 +1,27 @@ +From 90aa9644404fa40e67a158a383cc81ec0d6ab0f5 Mon Sep 17 00:00:00 2001 +From: Jan Synacek +Date: Tue, 22 Jan 2019 10:28:42 +0100 +Subject: [PATCH] units: add [Install] section to tmp.mount + +RHEL-only + +Related: #2138081 +--- + units/tmp.mount | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/units/tmp.mount b/units/tmp.mount +index 734acea237..b9a41cd803 100644 +--- a/units/tmp.mount ++++ b/units/tmp.mount +@@ -23,3 +23,7 @@ What=tmpfs + Where=/tmp + Type=tmpfs + Options=mode=1777,strictatime,nosuid,nodev,size=50%%,nr_inodes=1m ++ ++# Make 'systemctl enable tmp.mount' work: ++[Install] ++WantedBy=local-fs.target +-- +2.38.1 + diff --git a/0094-rc-local-order-after-network-online.target.patch b/0094-rc-local-order-after-network-online.target.patch new file mode 100644 index 0000000..5d051ee --- /dev/null +++ b/0094-rc-local-order-after-network-online.target.patch @@ -0,0 +1,32 @@ +From 6eb6434d8d203e19f5fb58d3d0ec561088b691e9 Mon Sep 17 00:00:00 2001 +From: David Tardon +Date: Thu, 11 Mar 2021 15:48:23 +0100 +Subject: [PATCH] rc-local: order after network-online.target + +I think this was the intent of commit 91b684c7300879a8d2006038f7d9185d92c3c3bf, +just network-online.target didn't exist back then. + +RHEL-only + +Related: #2138081 +--- + units/rc-local.service.in | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/units/rc-local.service.in b/units/rc-local.service.in +index 55e83dfe00..0eee722154 100644 +--- a/units/rc-local.service.in ++++ b/units/rc-local.service.in +@@ -13,7 +13,8 @@ + Description={{RC_LOCAL_PATH}} Compatibility + Documentation=man:systemd-rc-local-generator(8) + ConditionFileIsExecutable={{RC_LOCAL_PATH}} +-After=network.target ++After=network-online.target ++Wants=network-online.target + + [Service] + Type=forking +-- +2.38.1 + diff --git a/0095-ci-drop-CIs-irrelevant-for-downstream.patch b/0095-ci-drop-CIs-irrelevant-for-downstream.patch new file mode 100644 index 0000000..f4c7914 --- /dev/null +++ b/0095-ci-drop-CIs-irrelevant-for-downstream.patch @@ -0,0 +1,306 @@ +From 36f9fb0c7e19bda07ce6de5f4b04f58a5da2f122 Mon Sep 17 00:00:00 2001 +From: Frantisek Sumsal +Date: Sun, 18 Apr 2021 20:46:06 +0200 +Subject: [PATCH] ci: drop CIs irrelevant for downstream + + * CIFuzz would need a separate project in oss-fuzz + * Coverity would also need a separate project + * the Labeler action is superfluous, since we already have a bot for + that + * mkosi testing on other distros is irrelevant for downstream RHEL + repo + +Related: #2138081 +rhel-only +--- + .github/labeler.yml | 40 --------------- + .github/workflows/cifuzz.yml | 62 ----------------------- + .github/workflows/coverity.yml | 30 ------------ + .github/workflows/labeler.yml | 24 --------- + .github/workflows/mkosi.yml | 90 ---------------------------------- + 5 files changed, 246 deletions(-) + delete mode 100644 .github/labeler.yml + delete mode 100644 .github/workflows/cifuzz.yml + delete mode 100644 .github/workflows/coverity.yml + delete mode 100644 .github/workflows/labeler.yml + delete mode 100644 .github/workflows/mkosi.yml + +diff --git a/.github/labeler.yml b/.github/labeler.yml +deleted file mode 100644 +index 7d128f42d6..0000000000 +--- a/.github/labeler.yml ++++ /dev/null +@@ -1,40 +0,0 @@ +-# SPDX-License-Identifier: LGPL-2.1-or-later +- +-hwdb: +- - hwdb.d/**/* +-units: +- - units/**/* +-documentation: +- - NEWS +- - docs/* +-network: +- - src/libsystemd-network/**/* +- - src/network/**/* +-udev: +- - src/udev/**/* +- - src/libudev/* +-selinux: +- - '**/*selinux*' +-apparmor: +- - '**/*apparmor*' +-meson: +- - meson_option.txt +-mkosi: +- - .mkosi/* +- - mkosi.build +-busctl: +- - src/busctl/* +-systemctl: +- - src/systemctl/* +-journal: +- - src/journal/* +-journal-remote: +- - src/journal-remote/* +-portable: +- - src/portable/**/* +-resolve: +- - src/resolve/* +-timedate: +- - src/timedate/* +-timesync: +- - src/timesync/* +diff --git a/.github/workflows/cifuzz.yml b/.github/workflows/cifuzz.yml +deleted file mode 100644 +index 25731abc5a..0000000000 +--- a/.github/workflows/cifuzz.yml ++++ /dev/null +@@ -1,62 +0,0 @@ +---- +-# vi: ts=2 sw=2 et: +-# SPDX-License-Identifier: LGPL-2.1-or-later +-# See: https://google.github.io/oss-fuzz/getting-started/continuous-integration/ +- +-name: CIFuzz +- +-permissions: +- contents: read +- +-on: +- pull_request: +- paths: +- - '**/meson.build' +- - '.github/workflows/**' +- - 'meson_options.txt' +- - 'src/**' +- - 'test/fuzz/**' +- - 'tools/oss-fuzz.sh' +- push: +- branches: +- - main +-jobs: +- Fuzzing: +- runs-on: ubuntu-latest +- if: github.repository == 'systemd/systemd' +- concurrency: +- group: ${{ github.workflow }}-${{ matrix.sanitizer }}-${{ matrix.architecture }}-${{ github.ref }} +- cancel-in-progress: true +- strategy: +- fail-fast: false +- matrix: +- sanitizer: [address, undefined, memory] +- architecture: [x86_64] +- include: +- - sanitizer: address +- architecture: i386 +- steps: +- - name: Build Fuzzers (${{ matrix.sanitizer }}) +- id: build +- uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master +- with: +- oss-fuzz-project-name: 'systemd' +- dry-run: false +- allowed-broken-targets-percentage: 0 +- # keep-unaffected-fuzz-targets should be removed once https://github.com/google/oss-fuzz/issues/7011 is fixed +- keep-unaffected-fuzz-targets: true +- sanitizer: ${{ matrix.sanitizer }} +- architecture: ${{ matrix.architecture }} +- - name: Run Fuzzers (${{ matrix.sanitizer }}) +- uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@master +- with: +- oss-fuzz-project-name: 'systemd' +- fuzz-seconds: 600 +- dry-run: false +- sanitizer: ${{ matrix.sanitizer }} +- - name: Upload Crash +- uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 +- if: failure() && steps.build.outcome == 'success' +- with: +- name: ${{ matrix.sanitizer }}-${{ matrix.architecture }}-artifacts +- path: ./out/artifacts +diff --git a/.github/workflows/coverity.yml b/.github/workflows/coverity.yml +deleted file mode 100644 +index 3fbebc6bbf..0000000000 +--- a/.github/workflows/coverity.yml ++++ /dev/null +@@ -1,30 +0,0 @@ +---- +-# vi: ts=2 sw=2 et: +-# SPDX-License-Identifier: LGPL-2.1-or-later +-# +-name: Coverity +- +-on: +- schedule: +- # Run Coverity daily at midnight +- - cron: '0 0 * * *' +- +-permissions: +- contents: read +- +-jobs: +- build: +- runs-on: ubuntu-22.04 +- if: github.repository == 'systemd/systemd' +- env: +- # Set in repo settings -> secrets -> actions +- COVERITY_SCAN_TOKEN: "${{ secrets.COVERITY_SCAN_TOKEN }}" +- COVERITY_SCAN_NOTIFICATION_EMAIL: "${{ secrets.COVERITY_SCAN_NOTIFICATION_EMAIL }}" +- steps: +- - name: Repository checkout +- uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b +- # Reuse the setup phase of the unit test script to avoid code duplication +- - name: Install build dependencies +- run: sudo -E .github/workflows/unit_tests.sh SETUP +- - name: Build & upload the results +- run: tools/coverity.sh +diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml +deleted file mode 100644 +index 35766df591..0000000000 +--- a/.github/workflows/labeler.yml ++++ /dev/null +@@ -1,24 +0,0 @@ +---- +-# vi: ts=2 sw=2 et: +-# SPDX-License-Identifier: LGPL-2.1-or-later +-# +-name: "Pull Request Labeler" +- +-on: +-- pull_request_target +- +-permissions: +- contents: read +- +-jobs: +- triage: +- if: github.event.repository.name != 'systemd-security' +- runs-on: ubuntu-latest +- permissions: +- pull-requests: write +- steps: +- - uses: actions/labeler@e54e5b338fbd6e6cdb5d60f51c22335fc57c401e +- with: +- repo-token: "${{ secrets.GITHUB_TOKEN }}" +- configuration-path: .github/labeler.yml +- sync-labels: "" # This is a workaround for issue 18671 +diff --git a/.github/workflows/mkosi.yml b/.github/workflows/mkosi.yml +deleted file mode 100644 +index 2a1163aa07..0000000000 +--- a/.github/workflows/mkosi.yml ++++ /dev/null +@@ -1,90 +0,0 @@ +---- +-# vi: ts=2 sw=2 et: +-# SPDX-License-Identifier: LGPL-2.1-or-later +-# Simple boot tests that build and boot the mkosi images generated by the mkosi config files in mkosi.default.d/. +-name: mkosi +- +-on: +- push: +- branches: +- - main +- - v[0-9]+-stable +- pull_request: +- branches: +- - main +- - v[0-9]+-stable +- +-permissions: +- contents: read +- +-env: +- # Enable debug logging in systemd, but keep udev's log level to info, +- # since it's _very_ verbose in the QEMU task +- # Disable the ISC DHCP servers, as they are failing in Ubuntu +- KERNEL_CMDLINE: "systemd.unit=mkosi-check-and-shutdown.service !quiet systemd.log_level=debug systemd.log_target=console udev.log_level=info systemd.default_standard_output=journal+console systemd.mask=isc-dhcp-server6.service systemd.mask=isc-dhcp-server.service" +- +-jobs: +- ci: +- runs-on: ubuntu-22.04 +- concurrency: +- group: ${{ github.workflow }}-${{ matrix.distro }}-${{ matrix.release }}-${{ github.ref }} +- cancel-in-progress: true +- strategy: +- fail-fast: false +- matrix: +- include: +- - distro: arch +- release: rolling +- - distro: debian +- release: testing +- - distro: ubuntu +- release: jammy +- - distro: fedora +- release: "37" +- - distro: fedora +- release: rawhide +- - distro: opensuse +- release: tumbleweed +- - distro: centos_epel +- release: 9-stream +- - distro: centos_epel +- release: 8-stream +- +- steps: +- - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b +- - uses: systemd/mkosi@792cbc60eb2dc4a58d66bb3c212bf92f8d50f6ea +- +- - name: Install +- run: sudo apt-get update && sudo apt-get install --no-install-recommends python3-pexpect python3-jinja2 +- +- - name: Configure +- run: | +- tee mkosi.default <<- EOF +- [Distribution] +- Distribution=${{ matrix.distro }} +- Release=${{ matrix.release }} +- +- [Content] +- Environment=CI_BUILD=1 +- +- [Output] +- KernelCommandLine=${{ env.KERNEL_CMDLINE }} +- EOF +- +- - name: Build ${{ matrix.distro }} +- run: sudo python3 -m mkosi build +- +- - name: Show ${{ matrix.distro }} image summary +- run: sudo python3 -m mkosi summary +- +- - name: Boot ${{ matrix.distro }} systemd-nspawn +- run: sudo python3 -m mkosi boot ${{ env.KERNEL_CMDLINE }} +- +- - name: Check ${{ matrix.distro }} systemd-nspawn +- run: sudo python3 -m mkosi shell bash -c "[[ -e /testok ]] || { cat /failed-services; exit 1; }" +- +- - name: Boot ${{ matrix.distro }} QEMU +- run: sudo timeout -k 30 10m python3 -m mkosi qemu +- +- - name: Check ${{ matrix.distro }} QEMU +- run: sudo python3 -m mkosi shell bash -c "[[ -e /testok ]] || { cat /failed-services; exit 1; }" +-- +2.38.1 + diff --git a/0096-ci-reconfigure-Packit-for-RHEL-9.patch b/0096-ci-reconfigure-Packit-for-RHEL-9.patch new file mode 100644 index 0000000..bcbcd10 --- /dev/null +++ b/0096-ci-reconfigure-Packit-for-RHEL-9.patch @@ -0,0 +1,47 @@ +From 16f2d0c4a25a717a9a0b49903a55db1263156055 Mon Sep 17 00:00:00 2001 +From: Frantisek Sumsal +Date: Wed, 9 Jun 2021 15:23:59 +0200 +Subject: [PATCH] ci: reconfigure Packit for RHEL 9 + +Related: #2138081 +rhel-only +--- + .packit.yml | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/.packit.yml b/.packit.yml +index a7502b25b4..d0eebab181 100644 +--- a/.packit.yml ++++ b/.packit.yml +@@ -17,14 +17,12 @@ srpm_build_deps: [] + + actions: + post-upstream-clone: +- # Use the Fedora Rawhide specfile +- - "git clone https://src.fedoraproject.org/rpms/systemd .packit_rpm --depth=1" ++ # Use the CentOS Stream specfile ++ - "git clone https://gitlab.com/redhat/centos-stream/rpms/systemd.git .packit_rpm --depth=1" + # Drop the "sources" file so rebase-helper doesn't think we're a dist-git + - "rm -fv .packit_rpm/sources" +- # Drop backported patches from the specfile, but keep the downstream-only ones +- # - Patch(0000-0499): backported patches from upstream +- # - Patch0500-9999: downstream-only patches +- - "sed -ri '/^Patch(0[0-4]?[0-9]{0,2})?\\:.+\\.patch/d' .packit_rpm/systemd.spec" ++ # Drop all patches, since they're already included in the tarball ++ - "sed -ri '/^Patch[0-9]+:/d' .packit_rpm/systemd.spec" + # Build the RPM with --werror. Even though --werror doesn't work in all + # cases (see [0]), we can't use -Dc_args=/-Dcpp_args= here because of the + # RPM hardening macros, that use $CFLAGS/$CPPFLAGS (see [1]). +@@ -33,7 +31,9 @@ actions: + # [1] https://github.com/systemd/systemd/pull/18908#issuecomment-792250110 + - 'sed -i "/^CONFIGURE_OPTS=(/a--werror" .packit_rpm/systemd.spec' + ++# Available targets can be listed via `copr-cli list-chroots` + jobs: ++# Build test + - job: copr_build + trigger: pull_request + metadata: +-- +2.38.1 + diff --git a/0097-ci-run-unit-tests-on-z-stream-branches-as-well.patch b/0097-ci-run-unit-tests-on-z-stream-branches-as-well.patch new file mode 100644 index 0000000..bbceb73 --- /dev/null +++ b/0097-ci-run-unit-tests-on-z-stream-branches-as-well.patch @@ -0,0 +1,31 @@ +From 9fd32478c32d9a96b62b992586b201cd4f509bc5 Mon Sep 17 00:00:00 2001 +From: Frantisek Sumsal +Date: Thu, 15 Jul 2021 12:23:27 +0200 +Subject: [PATCH] ci: run unit tests on z-stream branches as well + +Related: #2138081 +rhel-only +--- + .github/workflows/unit_tests.yml | 6 +----- + 1 file changed, 1 insertion(+), 5 deletions(-) + +diff --git a/.github/workflows/unit_tests.yml b/.github/workflows/unit_tests.yml +index cd6c33eb64..ca4464e95d 100644 +--- a/.github/workflows/unit_tests.yml ++++ b/.github/workflows/unit_tests.yml +@@ -3,11 +3,7 @@ + # SPDX-License-Identifier: LGPL-2.1-or-later + # + name: Unit tests +-on: +- pull_request: +- branches: +- - main +- - v[0-9]+-stable ++on: [pull_request] + + permissions: + contents: read +-- +2.38.1 + diff --git a/0098-random-util-increase-random-seed-size-to-1024.patch b/0098-random-util-increase-random-seed-size-to-1024.patch new file mode 100644 index 0000000..4929b3f --- /dev/null +++ b/0098-random-util-increase-random-seed-size-to-1024.patch @@ -0,0 +1,28 @@ +From 216f6490af452a774ef882319083858248248da8 Mon Sep 17 00:00:00 2001 +From: David Tardon +Date: Thu, 15 Jul 2021 11:15:17 +0200 +Subject: [PATCH] random-util: increase random seed size to 1024 + +RHEL-only + +Related: #2138081 +--- + src/basic/random-util.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/basic/random-util.h b/src/basic/random-util.h +index 2d99807272..7e6f66df4d 100644 +--- a/src/basic/random-util.h ++++ b/src/basic/random-util.h +@@ -21,7 +21,7 @@ static inline uint32_t random_u32(void) { + } + + /* Some limits on the pool sizes when we deal with the kernel random pool */ +-#define RANDOM_POOL_SIZE_MIN 32U ++#define RANDOM_POOL_SIZE_MIN 1024U + #define RANDOM_POOL_SIZE_MAX (10U*1024U*1024U) + + size_t random_pool_size(void); +-- +2.38.1 + diff --git a/0099-journal-don-t-enable-systemd-journald-audit.socket-b.patch b/0099-journal-don-t-enable-systemd-journald-audit.socket-b.patch new file mode 100644 index 0000000..263a8ac --- /dev/null +++ b/0099-journal-don-t-enable-systemd-journald-audit.socket-b.patch @@ -0,0 +1,44 @@ +From 44740b947ed0b34ed9848dae276ec1d448340ce9 Mon Sep 17 00:00:00 2001 +From: Jan Synacek +Date: Thu, 2 May 2019 14:11:54 +0200 +Subject: [PATCH] journal: don't enable systemd-journald-audit.socket by + default + +RHEL-only + +Related: #2138081 +--- + units/meson.build | 3 +-- + units/systemd-journald.service.in | 2 +- + 2 files changed, 2 insertions(+), 3 deletions(-) + +diff --git a/units/meson.build b/units/meson.build +index 25e9209b4d..b224701eb9 100644 +--- a/units/meson.build ++++ b/units/meson.build +@@ -123,8 +123,7 @@ units = [ + 'sysinit.target.wants/'], + ['systemd-journal-gatewayd.socket', 'ENABLE_REMOTE HAVE_MICROHTTPD'], + ['systemd-journal-remote.socket', 'ENABLE_REMOTE HAVE_MICROHTTPD'], +- ['systemd-journald-audit.socket', '', +- 'sockets.target.wants/'], ++ ['systemd-journald-audit.socket', ''], + ['systemd-journald-dev-log.socket', '', + 'sockets.target.wants/'], + ['systemd-journald.socket', '', +diff --git a/units/systemd-journald.service.in b/units/systemd-journald.service.in +index 38ba3e2856..e8be031de5 100644 +--- a/units/systemd-journald.service.in ++++ b/units/systemd-journald.service.in +@@ -12,7 +12,7 @@ Description=Journal Service + Documentation=man:systemd-journald.service(8) man:journald.conf(5) + DefaultDependencies=no + Requires=systemd-journald.socket +-After=systemd-journald.socket systemd-journald-dev-log.socket systemd-journald-audit.socket syslog.socket ++After=systemd-journald.socket systemd-journald-dev-log.socket syslog.socket + Before=sysinit.target + + # Mount and swap units need the journal socket units. If they were removed by +-- +2.38.1 + diff --git a/0100-journald.conf-don-t-touch-current-audit-settings.patch b/0100-journald.conf-don-t-touch-current-audit-settings.patch new file mode 100644 index 0000000..13bb5d3 --- /dev/null +++ b/0100-journald.conf-don-t-touch-current-audit-settings.patch @@ -0,0 +1,25 @@ +From 5222b89ef6f281f0a4eb55589d2d62e8e2b6352b Mon Sep 17 00:00:00 2001 +From: David Tardon +Date: Thu, 5 Aug 2021 15:26:13 +0200 +Subject: [PATCH] journald.conf: don't touch current audit settings + +RHEL-only + +Related: #2138081 +--- + src/journal/journald.conf | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/journal/journald.conf b/src/journal/journald.conf +index 5a60a9d39c..3544da2112 100644 +--- a/src/journal/journald.conf ++++ b/src/journal/journald.conf +@@ -44,4 +44,4 @@ + #MaxLevelWall=emerg + #LineMax=48K + #ReadKMsg=yes +-#Audit=yes ++Audit= +-- +2.38.1 + diff --git a/0101-Revert-udev-remove-WAIT_FOR-key.patch b/0101-Revert-udev-remove-WAIT_FOR-key.patch new file mode 100644 index 0000000..ae99960 --- /dev/null +++ b/0101-Revert-udev-remove-WAIT_FOR-key.patch @@ -0,0 +1,140 @@ +From ddaf24341a512a9891226e85c13d51d7e2cfcb01 Mon Sep 17 00:00:00 2001 +From: David Tardon +Date: Tue, 10 Aug 2021 14:46:16 +0200 +Subject: [PATCH] Revert "udev: remove WAIT_FOR key" + +This reverts commit f2b8052fb648b788936dd3e85be6a9aca90fbb2f. + +RHEL-only + +Related: #2138081 +--- + man/udev.xml | 9 +++++++ + src/udev/udev-rules.c | 56 +++++++++++++++++++++++++++++++++++++++ + test/rule-syntax-check.py | 2 +- + 3 files changed, 66 insertions(+), 1 deletion(-) + +diff --git a/man/udev.xml b/man/udev.xml +index 142f295f3e..5b096c7ef2 100644 +--- a/man/udev.xml ++++ b/man/udev.xml +@@ -592,6 +592,15 @@ + + + ++ ++ WAIT_FOR ++ ++ Wait for a file to become available or until a timeout of ++ 10 seconds expires. The path is relative to the sysfs device; ++ if no path is specified, this waits for an attribute to appear. ++ ++ ++ + + OPTIONS + +diff --git a/src/udev/udev-rules.c b/src/udev/udev-rules.c +index f44a174d1f..a8473041c3 100644 +--- a/src/udev/udev-rules.c ++++ b/src/udev/udev-rules.c +@@ -79,6 +79,7 @@ typedef enum { + TK_M_TAG, /* strv, sd_device_get_tag_first(), sd_device_get_tag_next() */ + TK_M_SUBSYSTEM, /* string, sd_device_get_subsystem() */ + TK_M_DRIVER, /* string, sd_device_get_driver() */ ++ TK_M_WAITFOR, + TK_M_ATTR, /* string, takes filename through attribute, sd_device_get_sysattr_value(), udev_resolve_subsys_kernel(), etc. */ + TK_M_SYSCTL, /* string, takes kernel parameter through attribute */ + +@@ -411,6 +412,47 @@ static void rule_line_append_token(UdevRuleLine *rule_line, UdevRuleToken *token + rule_line->current_token = token; + } + ++#define WAIT_LOOP_PER_SECOND 50 ++static int wait_for_file(sd_device *dev, const char *file, int timeout) { ++ char filepath[UDEV_PATH_SIZE]; ++ char devicepath[UDEV_PATH_SIZE]; ++ struct stat stats; ++ int loop = timeout * WAIT_LOOP_PER_SECOND; ++ ++ /* a relative path is a device attribute */ ++ devicepath[0] = '\0'; ++ if (file[0] != '/') { ++ const char *val; ++ int r; ++ ++ r = sd_device_get_syspath(dev, &val); ++ if (r < 0) ++ return r; ++ strscpyl(devicepath, sizeof(devicepath), val, NULL); ++ strscpyl(filepath, sizeof(filepath), devicepath, "/", file, NULL); ++ file = filepath; ++ } ++ ++ while (--loop) { ++ const struct timespec duration = { 0, 1000 * 1000 * 1000 / WAIT_LOOP_PER_SECOND }; ++ ++ /* lookup file */ ++ if (stat(file, &stats) == 0) { ++ log_debug("file '%s' appeared after %i loops", file, (timeout * WAIT_LOOP_PER_SECOND) - loop-1); ++ return 0; ++ } ++ /* make sure, the device did not disappear in the meantime */ ++ if (devicepath[0] != '\0' && stat(devicepath, &stats) != 0) { ++ log_debug("device disappeared while waiting for '%s'", file); ++ return -2; ++ } ++ log_debug("wait for '%s' for %i mseconds", file, 1000 / WAIT_LOOP_PER_SECOND); ++ nanosleep(&duration, NULL); ++ } ++ log_debug("waiting for '%s' failed", file); ++ return -1; ++} ++ + static int rule_line_add_token(UdevRuleLine *rule_line, UdevRuleTokenType type, UdevRuleOperatorType op, char *value, void *data) { + UdevRuleToken *token; + UdevRuleMatchType match_type = _MATCH_TYPE_INVALID; +@@ -953,6 +995,12 @@ static int parse_token(UdevRules *rules, const char *key, char *attr, UdevRuleOp + r = rule_line_add_token(rule_line, TK_A_RUN_BUILTIN, op, value, UDEV_BUILTIN_CMD_TO_PTR(cmd)); + } else + return log_token_invalid_attr(rules, key); ++ } else if (streq(key, "WAIT_FOR") || streq(key, "WAIT_FOR_SYSFS")) { ++ if (op == OP_REMOVE) ++ return log_token_invalid_op(rules, key); ++ ++ rule_line_add_token(rule_line, TK_M_WAITFOR, 0, value, NULL); ++ return 1; + } else if (streq(key, "GOTO")) { + if (attr) + return log_token_invalid_attr(rules, key); +@@ -1670,6 +1718,14 @@ static int udev_rule_apply_token_to_event( + + return token_match_string(token, val); + } ++ case TK_M_WAITFOR: { ++ char filename[UDEV_PATH_SIZE]; ++ int found; ++ ++ udev_event_apply_format(event, token->value, filename, sizeof(filename), false, NULL); ++ found = (wait_for_file(event->dev, filename, 10) == 0); ++ return found || (token->op == OP_NOMATCH); ++ } + case TK_M_ATTR: + case TK_M_PARENTS_ATTR: + return token_match_attr(rules, token, dev, event); +diff --git a/test/rule-syntax-check.py b/test/rule-syntax-check.py +index ec1c75a854..5543931064 100755 +--- a/test/rule-syntax-check.py ++++ b/test/rule-syntax-check.py +@@ -18,7 +18,7 @@ no_args_tests = re.compile(r'(ACTION|DEVPATH|KERNELS?|NAME|SYMLINK|SUBSYSTEMS?|D + # PROGRAM can also be specified as an assignment. + program_assign = re.compile(r'PROGRAM\s*=\s*' + quoted_string_re + '$') + args_tests = re.compile(r'(ATTRS?|ENV|CONST|TEST){([a-zA-Z0-9/_.*%-]+)}\s*(?:=|!)=\s*' + quoted_string_re + '$') +-no_args_assign = re.compile(r'(NAME|SYMLINK|OWNER|GROUP|MODE|TAG|RUN|LABEL|GOTO|OPTIONS|IMPORT)\s*(?:\+=|:=|=)\s*' + quoted_string_re + '$') ++no_args_assign = re.compile(r'(NAME|SYMLINK|OWNER|GROUP|MODE|TAG|RUN|LABEL|GOTO|WAIT_FOR|OPTIONS|IMPORT)\s*(?:\+=|:=|=)\s*' + quoted_string_re + '$') + args_assign = re.compile(r'(ATTR|ENV|IMPORT|RUN){([a-zA-Z0-9/_.*%-]+)}\s*(=|\+=)\s*' + quoted_string_re + '$') + # Find comma-separated groups, but allow commas that are inside quoted strings. + # Using quoted_string_re + '?' so that strings missing the last double quote +-- +2.38.1 + diff --git a/0102-Really-don-t-enable-systemd-journald-audit.socket.patch b/0102-Really-don-t-enable-systemd-journald-audit.socket.patch new file mode 100644 index 0000000..0dc49eb --- /dev/null +++ b/0102-Really-don-t-enable-systemd-journald-audit.socket.patch @@ -0,0 +1,28 @@ +From e715ac2104707b6a8744fa54b1e4419a07ff88f6 Mon Sep 17 00:00:00 2001 +From: David Tardon +Date: Wed, 25 Aug 2021 16:03:04 +0200 +Subject: [PATCH] Really don't enable systemd-journald-audit.socket + +RHEL-only + +Related: #2138081 +--- + units/systemd-journald.service.in | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/units/systemd-journald.service.in b/units/systemd-journald.service.in +index e8be031de5..ee8bdcb9ca 100644 +--- a/units/systemd-journald.service.in ++++ b/units/systemd-journald.service.in +@@ -38,7 +38,7 @@ RestrictRealtime=yes + RestrictSUIDSGID=yes + RuntimeDirectory=systemd/journal + RuntimeDirectoryPreserve=yes +-Sockets=systemd-journald.socket systemd-journald-dev-log.socket systemd-journald-audit.socket ++Sockets=systemd-journald.socket systemd-journald-dev-log.socket + StandardOutput=null + SystemCallArchitectures=native + SystemCallErrorNumber=EPERM +-- +2.38.1 + diff --git a/0103-rules-add-elevator-kernel-command-line-parameter.patch b/0103-rules-add-elevator-kernel-command-line-parameter.patch new file mode 100644 index 0000000..8cf47ed --- /dev/null +++ b/0103-rules-add-elevator-kernel-command-line-parameter.patch @@ -0,0 +1,61 @@ +From 9ffd83c333bdc7741bfa1a73b3461f1b51208c5f Mon Sep 17 00:00:00 2001 +From: Lukas Nykryn +Date: Tue, 12 Feb 2019 16:58:16 +0100 +Subject: [PATCH] rules: add elevator= kernel command line parameter + +Kernel removed the elevator= option, so let's reintroduce +it for rhel8 via udev rule. + +RHEL-only + +Related: #2138081 +--- + rules.d/40-elevator.rules | 20 ++++++++++++++++++++ + rules.d/meson.build | 3 ++- + 2 files changed, 22 insertions(+), 1 deletion(-) + create mode 100644 rules.d/40-elevator.rules + +diff --git a/rules.d/40-elevator.rules b/rules.d/40-elevator.rules +new file mode 100644 +index 0000000000..dbe8fc81a4 +--- /dev/null ++++ b/rules.d/40-elevator.rules +@@ -0,0 +1,20 @@ ++# We aren't adding devices skip the elevator check ++ACTION!="add", GOTO="sched_out" ++ ++SUBSYSTEM!="block", GOTO="sched_out" ++ENV{DEVTYPE}!="disk", GOTO="sched_out" ++ ++# Technically, dm-multipath can be configured to use an I/O scheduler. ++# However, there are races between the 'add' uevent and the linking in ++# of the queue/scheduler sysfs file. For now, just skip dm- devices. ++KERNEL=="dm-*|md*", GOTO="sched_out" ++ ++# Skip bio-based devices, which don't support an I/O scheduler. ++ATTR{queue/scheduler}=="none", GOTO="sched_out" ++ ++# If elevator= is specified on the kernel command line, change the ++# scheduler to the one specified. ++IMPORT{cmdline}="elevator" ++ENV{elevator}!="", ATTR{queue/scheduler}="$env{elevator}" ++ ++LABEL="sched_out" +\ No newline at end of file +diff --git a/rules.d/meson.build b/rules.d/meson.build +index 70f48e877b..4e88400d02 100644 +--- a/rules.d/meson.build ++++ b/rules.d/meson.build +@@ -5,7 +5,8 @@ install_data( + install_dir : udevrulesdir) + + rules = [ +- [files('40-redhat.rules', ++ [files('40-elevator.rules', ++ '40-redhat.rules', + '60-autosuspend.rules', + '60-block.rules', + '60-cdrom_id.rules', +-- +2.38.1 + diff --git a/0104-units-don-t-enable-tmp.mount-statically-in-local-fs..patch b/0104-units-don-t-enable-tmp.mount-statically-in-local-fs..patch new file mode 100644 index 0000000..1c7fad3 --- /dev/null +++ b/0104-units-don-t-enable-tmp.mount-statically-in-local-fs..patch @@ -0,0 +1,29 @@ +From 19524651b38a0db99447ca5df181d69240d75d47 Mon Sep 17 00:00:00 2001 +From: Michal Sekletar +Date: Wed, 22 Sep 2021 14:38:00 +0200 +Subject: [PATCH] units: don't enable tmp.mount statically in local-fs.target + +RHEL-only + +Related: #2138081 +--- + units/meson.build | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/units/meson.build b/units/meson.build +index b224701eb9..eae7394731 100644 +--- a/units/meson.build ++++ b/units/meson.build +@@ -160,8 +160,7 @@ units = [ + ['time-set.target', ''], + ['time-sync.target', ''], + ['timers.target', ''], +- ['tmp.mount', '', +- 'local-fs.target.wants/'], ++ ['tmp.mount', ''], + ['umount.target', ''], + ['usb-gadget.target', ''], + ['user.slice', ''], +-- +2.38.1 + diff --git a/0105-pid1-bump-DefaultTasksMax-to-80-of-the-kernel-pid.ma.patch b/0105-pid1-bump-DefaultTasksMax-to-80-of-the-kernel-pid.ma.patch new file mode 100644 index 0000000..597f53f --- /dev/null +++ b/0105-pid1-bump-DefaultTasksMax-to-80-of-the-kernel-pid.ma.patch @@ -0,0 +1,62 @@ +From 6e6aaec20c62887fa5c5c4bf47a9c2238f8f027f Mon Sep 17 00:00:00 2001 +From: rpm-build +Date: Wed, 1 Aug 2018 13:19:39 +0200 +Subject: [PATCH] pid1: bump DefaultTasksMax to 80% of the kernel pid.max value + +This should be hopefully high enough even for the very big deployments. + +RHEL-only + +Related: #2138081 +--- + man/systemd-system.conf.xml | 4 ++-- + src/core/main.c | 2 +- + src/core/system.conf.in | 2 +- + 3 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/man/systemd-system.conf.xml b/man/systemd-system.conf.xml +index ac21c31d9a..00de04d426 100644 +--- a/man/systemd-system.conf.xml ++++ b/man/systemd-system.conf.xml +@@ -461,10 +461,10 @@ + Configure the default value for the per-unit TasksMax= setting. See + systemd.resource-control5 + for details. This setting applies to all unit types that support resource control settings, with the exception +- of slice units. Defaults to 15% of the minimum of kernel.pid_max=, kernel.threads-max= ++ of slice units. Defaults to 80% of the minimum of kernel.pid_max=, kernel.threads-max= + and root cgroup pids.max. + Kernel has a default value for kernel.pid_max= and an algorithm of counting in case of more than 32 cores. +- For example with the default kernel.pid_max=, DefaultTasksMax= defaults to 4915, ++ For example with the default kernel.pid_max=, DefaultTasksMax= defaults to 26214, + but might be greater in other systems or smaller in OS containers. + + +diff --git a/src/core/main.c b/src/core/main.c +index 14a4f81452..d3ec526e7e 100644 +--- a/src/core/main.c ++++ b/src/core/main.c +@@ -100,7 +100,7 @@ + #include + #endif + +-#define DEFAULT_TASKS_MAX ((TasksMax) { 15U, 100U }) /* 15% */ ++#define DEFAULT_TASKS_MAX ((TasksMax) { 80U, 100U }) /* 80% */ + + static enum { + ACTION_RUN, +diff --git a/src/core/system.conf.in b/src/core/system.conf.in +index 71a5869ec0..5d1f6d24f0 100644 +--- a/src/core/system.conf.in ++++ b/src/core/system.conf.in +@@ -56,7 +56,7 @@ + #DefaultIPAccounting=no + #DefaultMemoryAccounting={{ 'yes' if MEMORY_ACCOUNTING_DEFAULT else 'no' }} + #DefaultTasksAccounting=yes +-#DefaultTasksMax=15% ++#DefaultTasksMax=80% + #DefaultLimitCPU= + #DefaultLimitFSIZE= + #DefaultLimitDATA= +-- +2.38.1 + diff --git a/0106-set-core-ulimit-to-0-like-on-RHEL-7.patch b/0106-set-core-ulimit-to-0-like-on-RHEL-7.patch new file mode 100644 index 0000000..8dc9a67 --- /dev/null +++ b/0106-set-core-ulimit-to-0-like-on-RHEL-7.patch @@ -0,0 +1,28 @@ +From 7b1eb758d1f87bfd98dbb8037a842ceedb245815 Mon Sep 17 00:00:00 2001 +From: David Tardon +Date: Mon, 25 Jan 2021 16:19:56 +0100 +Subject: [PATCH] set core ulimit to 0 like on RHEL-7 + +RHEL-only + +Related: #2138081 +--- + src/core/system.conf.in | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/core/system.conf.in b/src/core/system.conf.in +index 5d1f6d24f0..624746e512 100644 +--- a/src/core/system.conf.in ++++ b/src/core/system.conf.in +@@ -61,7 +61,7 @@ + #DefaultLimitFSIZE= + #DefaultLimitDATA= + #DefaultLimitSTACK= +-#DefaultLimitCORE= ++DefaultLimitCORE=0:infinity + #DefaultLimitRSS= + #DefaultLimitNOFILE=1024:{{HIGH_RLIMIT_NOFILE}} + #DefaultLimitAS= +-- +2.38.1 + diff --git a/0107-ci-use-C9S-chroots-in-Packit.patch b/0107-ci-use-C9S-chroots-in-Packit.patch new file mode 100644 index 0000000..d8a832d --- /dev/null +++ b/0107-ci-use-C9S-chroots-in-Packit.patch @@ -0,0 +1,31 @@ +From 395bf82a5950b7e3bfe974d3f4d52ee2fb5a9e56 Mon Sep 17 00:00:00 2001 +From: Frantisek Sumsal +Date: Thu, 4 Nov 2021 12:31:32 +0100 +Subject: [PATCH] ci: use C9S chroots in Packit + +rhel-only +Related: #2138081 +--- + .packit.yml | 9 ++++----- + 1 file changed, 4 insertions(+), 5 deletions(-) + +diff --git a/.packit.yml b/.packit.yml +index d0eebab181..35938f3586 100644 +--- a/.packit.yml ++++ b/.packit.yml +@@ -38,8 +38,7 @@ jobs: + trigger: pull_request + metadata: + targets: +- - fedora-rawhide-aarch64 +- - fedora-rawhide-i386 +- - fedora-rawhide-ppc64le +- - fedora-rawhide-s390x +- - fedora-rawhide-x86_64 ++ - centos-stream-9-aarch64 ++ - centos-stream-9-ppc64le ++ - centos-stream-9-s390x ++ - centos-stream-9-x86_64 +-- +2.38.1 + diff --git a/0108-Treat-EPERM-as-not-available-too.patch b/0108-Treat-EPERM-as-not-available-too.patch new file mode 100644 index 0000000..8e97837 --- /dev/null +++ b/0108-Treat-EPERM-as-not-available-too.patch @@ -0,0 +1,33 @@ +From 9e51ecd3ec0484d7ffefb0ceaf242e96b31195bb Mon Sep 17 00:00:00 2001 +From: David Tardon +Date: Tue, 21 Dec 2021 10:46:17 +0100 +Subject: [PATCH] Treat EPERM as "not available" too + +We need to do this because idmapped mounts habe been disabled in RHEL-9 +kernel: https://bugzilla.redhat.com/show_bug.cgi?id=2018141 . + +RHEL-only + +Fixes #55 + +Related: #2138081 +--- + src/nspawn/nspawn.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c +index 01a67b5553..93d646ed56 100644 +--- a/src/nspawn/nspawn.c ++++ b/src/nspawn/nspawn.c +@@ -3806,7 +3806,7 @@ static int outer_child( + arg_uid_shift != 0) { + + r = remount_idmap(directory, arg_uid_shift, arg_uid_range, UID_INVALID, REMOUNT_IDMAPPING_HOST_ROOT); +- if (r == -EINVAL || ERRNO_IS_NOT_SUPPORTED(r)) { ++ if (IN_SET(r, -EINVAL, -EPERM) || ERRNO_IS_NOT_SUPPORTED(r)) { + /* This might fail because the kernel or file system doesn't support idmapping. We + * can't really distinguish this nicely, nor do we have any guarantees about the + * error codes we see, could be EOPNOTSUPP or EINVAL. */ +-- +2.38.1 + diff --git a/0109-udev-net-setup-link-change-the-default-MACAddressPol.patch b/0109-udev-net-setup-link-change-the-default-MACAddressPol.patch new file mode 100644 index 0000000..7724090 --- /dev/null +++ b/0109-udev-net-setup-link-change-the-default-MACAddressPol.patch @@ -0,0 +1,56 @@ +From c150bc4cc27d560970fd34cf2347142325e7704a Mon Sep 17 00:00:00 2001 +From: Michal Sekletar +Date: Tue, 21 Sep 2021 15:01:19 +0200 +Subject: [PATCH] udev/net-setup-link: change the default MACAddressPolicy to + "none" + +While stable MAC address for interface types that don't have the +address provided by HW could be useful it also breaks LACP based bonds. +Let's err on the side of caution and don't change the MAC address from +udev. + +RHEL-only + +Related: #2138081 +--- + man/systemd.link.xml | 2 +- + network/99-default.link | 2 +- + test/fuzz/fuzz-link-parser/99-default.link | 2 +- + 3 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/man/systemd.link.xml b/man/systemd.link.xml +index cc55b02b18..69e0ac779c 100644 +--- a/man/systemd.link.xml ++++ b/man/systemd.link.xml +@@ -1117,7 +1117,7 @@ + + [Link] + NamePolicy=kernel database onboard slot path +-MACAddressPolicy=persistent ++MACAddressPolicy=none + + + +diff --git a/network/99-default.link b/network/99-default.link +index 429ac31e80..083bdb5659 100644 +--- a/network/99-default.link ++++ b/network/99-default.link +@@ -17,4 +17,4 @@ OriginalName=* + [Link] + NamePolicy=keep kernel database onboard slot path + AlternativeNamesPolicy=database onboard slot path +-MACAddressPolicy=persistent ++MACAddressPolicy=none +diff --git a/test/fuzz/fuzz-link-parser/99-default.link b/test/fuzz/fuzz-link-parser/99-default.link +index feb5b1fbb0..3d755898b4 100644 +--- a/test/fuzz/fuzz-link-parser/99-default.link ++++ b/test/fuzz/fuzz-link-parser/99-default.link +@@ -9,4 +9,4 @@ + + [Link] + NamePolicy=keep kernel database onboard slot path +-MACAddressPolicy=persistent ++MACAddressPolicy=none +-- +2.38.1 + diff --git a/0110-man-mention-System-Administrator-s-Guide-in-systemct.patch b/0110-man-mention-System-Administrator-s-Guide-in-systemct.patch new file mode 100644 index 0000000..218d853 --- /dev/null +++ b/0110-man-mention-System-Administrator-s-Guide-in-systemct.patch @@ -0,0 +1,38 @@ +From 5b2c931fb85d79db5a369a46eaeaf4ba297cbeef Mon Sep 17 00:00:00 2001 +From: Lukas Nykryn +Date: Thu, 28 Aug 2014 15:12:10 +0200 +Subject: [PATCH] man: mention System Administrator's Guide in systemctl + manpage + +RHEL-only + +Related: #2138081 +--- + man/systemctl.xml | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/man/systemctl.xml b/man/systemctl.xml +index 997925892d..f743c182fe 100644 +--- a/man/systemctl.xml ++++ b/man/systemctl.xml +@@ -2496,6 +2496,17 @@ Jan 12 10:46:45 example.com bluetoothd[8900]: gatt-time-server: Input/output err + + + ++ ++ Examples ++ ++ For examples how to use systemctl in comparsion ++ with old service and chkconfig command please see: ++ ++ Managing System Services ++ ++ ++ ++ + + See Also + +-- +2.38.1 + diff --git a/0111-Net-naming-scheme-for-RHEL-9.0.patch b/0111-Net-naming-scheme-for-RHEL-9.0.patch new file mode 100644 index 0000000..3dd63a6 --- /dev/null +++ b/0111-Net-naming-scheme-for-RHEL-9.0.patch @@ -0,0 +1,59 @@ +From 9e03c4d6c1245af87569cb337c4fd82d873ea5c7 Mon Sep 17 00:00:00 2001 +From: Jacek Migacz +Date: Thu, 3 Feb 2022 23:46:09 +0100 +Subject: [PATCH] Net naming scheme for RHEL-9.0 + +RHEL-only + +Related: #2138081 +--- + man/systemd.net-naming-scheme.xml | 7 +++++++ + src/shared/netif-naming-scheme.c | 1 + + src/shared/netif-naming-scheme.h | 1 + + 3 files changed, 9 insertions(+) + +diff --git a/man/systemd.net-naming-scheme.xml b/man/systemd.net-naming-scheme.xml +index 8aac42b49d..8c2017a0ce 100644 +--- a/man/systemd.net-naming-scheme.xml ++++ b/man/systemd.net-naming-scheme.xml +@@ -448,6 +448,13 @@ + + + ++ ++ rhel-9.0 ++ ++ Same as naming scheme v250. ++ ++ ++ + + + Note that latest may be used to denote the latest scheme known (to this +diff --git a/src/shared/netif-naming-scheme.c b/src/shared/netif-naming-scheme.c +index 18748e5376..c5b8ddfcf9 100644 +--- a/src/shared/netif-naming-scheme.c ++++ b/src/shared/netif-naming-scheme.c +@@ -25,6 +25,7 @@ static const NamingScheme naming_schemes[] = { + { "v250", NAMING_V250 }, + { "v251", NAMING_V251 }, + { "v252", NAMING_V252 }, ++ { "rhel-9.0", NAMING_RHEL_9_0 }, + /* … add more schemes here, as the logic to name devices is updated … */ + + EXTRA_NET_NAMING_MAP +diff --git a/src/shared/netif-naming-scheme.h b/src/shared/netif-naming-scheme.h +index 4fa9170969..b5fa1f0ef0 100644 +--- a/src/shared/netif-naming-scheme.h ++++ b/src/shared/netif-naming-scheme.h +@@ -51,6 +51,7 @@ typedef enum NamingSchemeFlags { + NAMING_V250 = NAMING_V249 | NAMING_XEN_VIF, + NAMING_V251 = NAMING_V250 | NAMING_BRIDGE_MULTIFUNCTION_SLOT, + NAMING_V252 = NAMING_V251 | NAMING_DEVICETREE_ALIASES, ++ NAMING_RHEL_9_0 = NAMING_V250, + + EXTRA_NET_NAMING_SCHEMES + +-- +2.38.1 + diff --git a/0112-core-decrease-log-level-of-messages-about-use-of-Kil.patch b/0112-core-decrease-log-level-of-messages-about-use-of-Kil.patch new file mode 100644 index 0000000..bc28e43 --- /dev/null +++ b/0112-core-decrease-log-level-of-messages-about-use-of-Kil.patch @@ -0,0 +1,43 @@ +From 1db882cea4fe51183076d11893e9efe855310948 Mon Sep 17 00:00:00 2001 +From: Michal Sekletar +Date: Tue, 22 Feb 2022 13:24:11 +0100 +Subject: [PATCH] core: decrease log level of messages about use of + KillMode=none + +RHEL-only + +Related: #2138081 +--- + src/core/load-fragment.c | 2 +- + src/core/unit.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/core/load-fragment.c b/src/core/load-fragment.c +index 1a5895346d..0b5c8acee4 100644 +--- a/src/core/load-fragment.c ++++ b/src/core/load-fragment.c +@@ -834,7 +834,7 @@ int config_parse_kill_mode( + } + + if (m == KILL_NONE) +- log_syntax(unit, LOG_WARNING, filename, line, 0, ++ log_syntax(unit, LOG_DEBUG, filename, line, 0, + "Unit uses KillMode=none. " + "This is unsafe, as it disables systemd's process lifecycle management for the service. " + "Please update the service to use a safer KillMode=, such as 'mixed' or 'control-group'. " +diff --git a/src/core/unit.c b/src/core/unit.c +index 5af44aaf4a..4bb7e2d498 100644 +--- a/src/core/unit.c ++++ b/src/core/unit.c +@@ -5510,7 +5510,7 @@ int unit_log_leftover_process_start(pid_t pid, int sig, void *userdata) { + + /* During start we print a warning */ + +- log_unit_warning(userdata, ++ log_unit_debug(userdata, + "Found left-over process " PID_FMT " (%s) in control group while starting unit. Ignoring.\n" + "This usually indicates unclean termination of a previous run, or service implementation deficiencies.", + pid, strna(comm)); +-- +2.38.1 + diff --git a/0113-ci-Mergify-configuration-update.patch b/0113-ci-Mergify-configuration-update.patch new file mode 100644 index 0000000..69e8c11 --- /dev/null +++ b/0113-ci-Mergify-configuration-update.patch @@ -0,0 +1,100 @@ +From a2e1634b7c8f0f422975799de0d09f898c82d742 Mon Sep 17 00:00:00 2001 +From: Jan Macku +Date: Mon, 30 May 2022 15:19:16 +0200 +Subject: [PATCH] ci(Mergify): configuration update + +Add rules for `needs-ci` label management + +RHEL-only + +Related: #2138081 +--- + .mergify.yml | 76 ++++++++++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 76 insertions(+) + create mode 100644 .mergify.yml + +diff --git a/.mergify.yml b/.mergify.yml +new file mode 100644 +index 0000000000..c06e0fb1be +--- /dev/null ++++ b/.mergify.yml +@@ -0,0 +1,76 @@ ++# doc: https://docs.mergify.com ++--- ++ ++pull_request_rules: ++ - name: Add `needs-ci` label on CI fail ++ conditions: ++ - or: ++ # Build test ++ - -check-success=build (gcc, 10, bfd) ++ - -check-success=build (gcc, 11, gold) ++ - -check-success=build (clang, 11, bfd) ++ - -check-success=build (clang, 12, gold) ++ - -check-success=build (clang, 13, lld) ++ # Unit tests ++ - -check-success=build (GCC, auto) ++ - -check-success=build (GCC_ASAN_UBSAN, auto) ++ - -check-success=build (CLANG, auto) ++ - -check-success=build (CLANG_ASAN_UBSAN, auto) ++ - -check-success=build (GCC, openssl) ++ - -check-success=build (CLANG, gcrypt) ++ # CentOS CI ++ - -check-success=CentOS CI (CentOS Stream 9) ++ - -check-success=CentOS CI (CentOS Stream 9 + sanitizers) ++ # LGTM ++ - and: ++ - "-check-success=LGTM analysis: JavaScript" ++ - "-check-neutral=LGTM analysis: JavaScript" ++ - and: ++ - "-check-success=LGTM analysis: Python" ++ - "-check-neutral=LGTM analysis: Python" ++ - and: ++ - "-check-success=LGTM analysis: C/C++" ++ - "-check-neutral=LGTM analysis: Python" ++ # Packit ++ - -check-success=rpm-build:centos-stream-9-aarch64 ++ - -check-success=rpm-build:centos-stream-9-x86_64 ++ actions: ++ label: ++ add: ++ - needs-ci ++ ++ - name: Remove `needs-ci` label on CI success ++ conditions: ++ # Build test ++ - check-success=build (gcc, 10, bfd) ++ - check-success=build (gcc, 11, gold) ++ - check-success=build (clang, 11, bfd) ++ - check-success=build (clang, 12, gold) ++ - check-success=build (clang, 13, lld) ++ # Unit tests ++ - check-success=build (GCC, auto) ++ - check-success=build (GCC_ASAN_UBSAN, auto) ++ - check-success=build (CLANG, auto) ++ - check-success=build (CLANG_ASAN_UBSAN, auto) ++ - check-success=build (GCC, openssl) ++ - check-success=build (CLANG, gcrypt) ++ # CentOS CI ++ - check-success=CentOS CI (CentOS Stream 9) ++ - check-success=CentOS CI (CentOS Stream 9 + sanitizers) ++ # LGTM ++ - or: ++ - "check-success=LGTM analysis: JavaScript" ++ - "check-neutral=LGTM analysis: JavaScript" ++ - or: ++ - "check-success=LGTM analysis: Python" ++ - "check-neutral=LGTM analysis: Python" ++ - or: ++ - "check-success=LGTM analysis: C/C++" ++ - "check-neutral=LGTM analysis: Python" ++ # Packit ++ - check-success=rpm-build:centos-stream-9-aarch64 ++ - check-success=rpm-build:centos-stream-9-x86_64 ++ actions: ++ label: ++ remove: ++ - needs-ci +-- +2.38.1 + diff --git a/0114-ci-Mergify-fix-copy-paste-bug.patch b/0114-ci-Mergify-fix-copy-paste-bug.patch new file mode 100644 index 0000000..73a7a74 --- /dev/null +++ b/0114-ci-Mergify-fix-copy-paste-bug.patch @@ -0,0 +1,37 @@ +From 44637741bccdcabc8257ffee1996afeadf441690 Mon Sep 17 00:00:00 2001 +From: David Tardon +Date: Mon, 6 Jun 2022 15:39:22 +0200 +Subject: [PATCH] ci(Mergify): fix copy&paste bug + +RHEL-only + +Related: #2138081 +--- + .mergify.yml | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/.mergify.yml b/.mergify.yml +index c06e0fb1be..b7852b201c 100644 +--- a/.mergify.yml ++++ b/.mergify.yml +@@ -30,7 +30,7 @@ pull_request_rules: + - "-check-neutral=LGTM analysis: Python" + - and: + - "-check-success=LGTM analysis: C/C++" +- - "-check-neutral=LGTM analysis: Python" ++ - "-check-neutral=LGTM analysis: C/C++" + # Packit + - -check-success=rpm-build:centos-stream-9-aarch64 + - -check-success=rpm-build:centos-stream-9-x86_64 +@@ -66,7 +66,7 @@ pull_request_rules: + - "check-neutral=LGTM analysis: Python" + - or: + - "check-success=LGTM analysis: C/C++" +- - "check-neutral=LGTM analysis: Python" ++ - "check-neutral=LGTM analysis: C/C++" + # Packit + - check-success=rpm-build:centos-stream-9-aarch64 + - check-success=rpm-build:centos-stream-9-x86_64 +-- +2.38.1 + diff --git a/0115-ci-Mergify-Add-ci-waived-logic.patch b/0115-ci-Mergify-Add-ci-waived-logic.patch new file mode 100644 index 0000000..1caf82a --- /dev/null +++ b/0115-ci-Mergify-Add-ci-waived-logic.patch @@ -0,0 +1,107 @@ +From 9fee3c33a05596de1658eb0099cd04cbf0a5d99a Mon Sep 17 00:00:00 2001 +From: Jan Macku +Date: Tue, 19 Jul 2022 12:29:28 +0200 +Subject: [PATCH] ci(Mergify): Add `ci-waived` logic + +RHEL-only + +Related: #2138081 +--- + .mergify.yml | 66 ++++++++++++++++++++++++++++------------------------ + 1 file changed, 35 insertions(+), 31 deletions(-) + +diff --git a/.mergify.yml b/.mergify.yml +index b7852b201c..be25e52c76 100644 +--- a/.mergify.yml ++++ b/.mergify.yml +@@ -4,6 +4,7 @@ + pull_request_rules: + - name: Add `needs-ci` label on CI fail + conditions: ++ - label!=ci-waived + - or: + # Build test + - -check-success=build (gcc, 10, bfd) +@@ -31,9 +32,9 @@ pull_request_rules: + - and: + - "-check-success=LGTM analysis: C/C++" + - "-check-neutral=LGTM analysis: C/C++" +- # Packit +- - -check-success=rpm-build:centos-stream-9-aarch64 +- - -check-success=rpm-build:centos-stream-9-x86_64 ++ # Packit ++ - -check-success=rpm-build:centos-stream-9-aarch64 ++ - -check-success=rpm-build:centos-stream-9-x86_64 + actions: + label: + add: +@@ -41,35 +42,38 @@ pull_request_rules: + + - name: Remove `needs-ci` label on CI success + conditions: +- # Build test +- - check-success=build (gcc, 10, bfd) +- - check-success=build (gcc, 11, gold) +- - check-success=build (clang, 11, bfd) +- - check-success=build (clang, 12, gold) +- - check-success=build (clang, 13, lld) +- # Unit tests +- - check-success=build (GCC, auto) +- - check-success=build (GCC_ASAN_UBSAN, auto) +- - check-success=build (CLANG, auto) +- - check-success=build (CLANG_ASAN_UBSAN, auto) +- - check-success=build (GCC, openssl) +- - check-success=build (CLANG, gcrypt) +- # CentOS CI +- - check-success=CentOS CI (CentOS Stream 9) +- - check-success=CentOS CI (CentOS Stream 9 + sanitizers) +- # LGTM + - or: +- - "check-success=LGTM analysis: JavaScript" +- - "check-neutral=LGTM analysis: JavaScript" +- - or: +- - "check-success=LGTM analysis: Python" +- - "check-neutral=LGTM analysis: Python" +- - or: +- - "check-success=LGTM analysis: C/C++" +- - "check-neutral=LGTM analysis: C/C++" +- # Packit +- - check-success=rpm-build:centos-stream-9-aarch64 +- - check-success=rpm-build:centos-stream-9-x86_64 ++ - label=ci-waived ++ - and: ++ # Build test ++ - check-success=build (gcc, 10, bfd) ++ - check-success=build (gcc, 11, gold) ++ - check-success=build (clang, 11, bfd) ++ - check-success=build (clang, 12, gold) ++ - check-success=build (clang, 13, lld) ++ # Unit tests ++ - check-success=build (GCC, auto) ++ - check-success=build (GCC_ASAN_UBSAN, auto) ++ - check-success=build (CLANG, auto) ++ - check-success=build (CLANG_ASAN_UBSAN, auto) ++ - check-success=build (GCC, openssl) ++ - check-success=build (CLANG, gcrypt) ++ # CentOS CI ++ - check-success=CentOS CI (CentOS Stream 9) ++ - check-success=CentOS CI (CentOS Stream 9 + sanitizers) ++ # LGTM ++ - or: ++ - "check-success=LGTM analysis: JavaScript" ++ - "check-neutral=LGTM analysis: JavaScript" ++ - or: ++ - "check-success=LGTM analysis: Python" ++ - "check-neutral=LGTM analysis: Python" ++ - or: ++ - "check-success=LGTM analysis: C/C++" ++ - "check-neutral=LGTM analysis: C/C++" ++ # Packit ++ - check-success=rpm-build:centos-stream-9-aarch64 ++ - check-success=rpm-build:centos-stream-9-x86_64 + actions: + label: + remove: +-- +2.38.1 + diff --git a/0116-udev-net_id-avoid-slot-based-names-only-for-single-f.patch b/0116-udev-net_id-avoid-slot-based-names-only-for-single-f.patch new file mode 100644 index 0000000..8572c25 --- /dev/null +++ b/0116-udev-net_id-avoid-slot-based-names-only-for-single-f.patch @@ -0,0 +1,53 @@ +From 6a3afa1a7e302ae414fbfa64b3da281aa56d64ed Mon Sep 17 00:00:00 2001 +From: Michal Sekletar +Date: Wed, 23 Mar 2022 17:34:12 +0100 +Subject: [PATCH] udev/net_id: avoid slot based names only for single function + devices + +If we have two or more devices that share the same slot but they are +also multifunction then it is OK to use the slot information even if it +is the same for all of them. Name conflict will be avoided because we +will append function number and form names like, ens1f1, ens1f2... + +(cherry picked from commit 66425daf2c68793adf24a48a26d58add8662e83f) + +Related: #2138081 +--- + man/systemd.net-naming-scheme.xml | 7 ++++++- + src/shared/netif-naming-scheme.h | 2 +- + 2 files changed, 7 insertions(+), 2 deletions(-) + +diff --git a/man/systemd.net-naming-scheme.xml b/man/systemd.net-naming-scheme.xml +index 8c2017a0ce..e5268be38e 100644 +--- a/man/systemd.net-naming-scheme.xml ++++ b/man/systemd.net-naming-scheme.xml +@@ -451,7 +451,12 @@ + + rhel-9.0 + +- Same as naming scheme v250. ++ Since version v247 we no longer set ++ ID_NET_NAME_SLOT if we detect that a PCI device associated with a slot is a PCI ++ bridge as that would create naming conflict when there are more child devices on that bridge. Now, ++ this is relaxed and we will use slot information to generate the name based on it but only if ++ the PCI device has multiple functions. This is safe because distinct function number is a part of ++ the device name for multifunction devices. + + + +diff --git a/src/shared/netif-naming-scheme.h b/src/shared/netif-naming-scheme.h +index b5fa1f0ef0..fd3ae1b7f5 100644 +--- a/src/shared/netif-naming-scheme.h ++++ b/src/shared/netif-naming-scheme.h +@@ -51,7 +51,7 @@ typedef enum NamingSchemeFlags { + NAMING_V250 = NAMING_V249 | NAMING_XEN_VIF, + NAMING_V251 = NAMING_V250 | NAMING_BRIDGE_MULTIFUNCTION_SLOT, + NAMING_V252 = NAMING_V251 | NAMING_DEVICETREE_ALIASES, +- NAMING_RHEL_9_0 = NAMING_V250, ++ NAMING_RHEL_9_0 = NAMING_V250 | NAMING_BRIDGE_MULTIFUNCTION_SLOT, + + EXTRA_NET_NAMING_SCHEMES + +-- +2.38.1 + diff --git a/0117-udev-net_id-add-rhel-9.1-naming-scheme.patch b/0117-udev-net_id-add-rhel-9.1-naming-scheme.patch new file mode 100644 index 0000000..5573aa8 --- /dev/null +++ b/0117-udev-net_id-add-rhel-9.1-naming-scheme.patch @@ -0,0 +1,58 @@ +From 35ff2c23e2b95d7f1264259de17028d1b7472b87 Mon Sep 17 00:00:00 2001 +From: Michal Sekletar +Date: Wed, 24 Aug 2022 17:18:47 +0200 +Subject: [PATCH] udev/net_id: add "rhel-9.1" naming scheme + +RHEL-only + +Related: #2138081 +--- + man/systemd.net-naming-scheme.xml | 6 ++++++ + src/shared/netif-naming-scheme.c | 1 + + src/shared/netif-naming-scheme.h | 1 + + 3 files changed, 8 insertions(+) + +diff --git a/man/systemd.net-naming-scheme.xml b/man/systemd.net-naming-scheme.xml +index e5268be38e..ca8ba7010e 100644 +--- a/man/systemd.net-naming-scheme.xml ++++ b/man/systemd.net-naming-scheme.xml +@@ -460,6 +460,12 @@ + + + ++ ++ rhel-9.1 ++ ++ Same as naming scheme rhel-9.0. ++ ++ + + + Note that latest may be used to denote the latest scheme known (to this +diff --git a/src/shared/netif-naming-scheme.c b/src/shared/netif-naming-scheme.c +index c5b8ddfcf9..a20b990f2e 100644 +--- a/src/shared/netif-naming-scheme.c ++++ b/src/shared/netif-naming-scheme.c +@@ -26,6 +26,7 @@ static const NamingScheme naming_schemes[] = { + { "v251", NAMING_V251 }, + { "v252", NAMING_V252 }, + { "rhel-9.0", NAMING_RHEL_9_0 }, ++ { "rhel-9.1", NAMING_RHEL_9_1 }, + /* … add more schemes here, as the logic to name devices is updated … */ + + EXTRA_NET_NAMING_MAP +diff --git a/src/shared/netif-naming-scheme.h b/src/shared/netif-naming-scheme.h +index fd3ae1b7f5..d70c19ade3 100644 +--- a/src/shared/netif-naming-scheme.h ++++ b/src/shared/netif-naming-scheme.h +@@ -52,6 +52,7 @@ typedef enum NamingSchemeFlags { + NAMING_V251 = NAMING_V250 | NAMING_BRIDGE_MULTIFUNCTION_SLOT, + NAMING_V252 = NAMING_V251 | NAMING_DEVICETREE_ALIASES, + NAMING_RHEL_9_0 = NAMING_V250 | NAMING_BRIDGE_MULTIFUNCTION_SLOT, ++ NAMING_RHEL_9_1 = NAMING_RHEL_9_0, + + EXTRA_NET_NAMING_SCHEMES + +-- +2.38.1 + diff --git a/0118-ci-lint-Update-Differential-ShellCheck-config-to-run.patch b/0118-ci-lint-Update-Differential-ShellCheck-config-to-run.patch new file mode 100644 index 0000000..9399f8a --- /dev/null +++ b/0118-ci-lint-Update-Differential-ShellCheck-config-to-run.patch @@ -0,0 +1,35 @@ +From 60f571cb17f4147b2794eed7c272dc34e08e397f Mon Sep 17 00:00:00 2001 +From: Jan Macku +Date: Tue, 16 Aug 2022 14:34:49 +0200 +Subject: [PATCH] ci(lint): Update Differential ShellCheck config to run on + Z-stream branches + +RHEL-only + +Related: #2138081 +--- + .github/workflows/differential-shellcheck.yml | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/.github/workflows/differential-shellcheck.yml b/.github/workflows/differential-shellcheck.yml +index 20ce681632..47ec23731d 100644 +--- a/.github/workflows/differential-shellcheck.yml ++++ b/.github/workflows/differential-shellcheck.yml +@@ -6,13 +6,13 @@ on: + pull_request: + branches: + - main ++ - rhel-9.*.0 + + permissions: + contents: read + + jobs: + lint: +- if: github.event.repository.name != 'systemd-security' + runs-on: ubuntu-latest + + permissions: +-- +2.38.1 + diff --git a/0119-ci-mergify-Update-policy-Drop-LGTM-checks.patch b/0119-ci-mergify-Update-policy-Drop-LGTM-checks.patch new file mode 100644 index 0000000..9333822 --- /dev/null +++ b/0119-ci-mergify-Update-policy-Drop-LGTM-checks.patch @@ -0,0 +1,90 @@ +From a7be2c1e61d67f53f9eb90eb3937fa946ccef101 Mon Sep 17 00:00:00 2001 +From: Jan Macku +Date: Wed, 21 Sep 2022 15:36:26 +0200 +Subject: [PATCH] ci(mergify): Update policy - Drop LGTM checks + +rhel-only + +Related: #2138081 +--- + .github/workflows/differential-shellcheck.yml | 1 + + .mergify.yml | 34 +++++++------------ + 2 files changed, 13 insertions(+), 22 deletions(-) + +diff --git a/.github/workflows/differential-shellcheck.yml b/.github/workflows/differential-shellcheck.yml +index 47ec23731d..105f92d1c9 100644 +--- a/.github/workflows/differential-shellcheck.yml ++++ b/.github/workflows/differential-shellcheck.yml +@@ -13,6 +13,7 @@ permissions: + + jobs: + lint: ++ name: Differential ShellCheck + runs-on: ubuntu-latest + + permissions: +diff --git a/.mergify.yml b/.mergify.yml +index be25e52c76..ddc79a1d7a 100644 +--- a/.mergify.yml ++++ b/.mergify.yml +@@ -22,24 +22,19 @@ pull_request_rules: + # CentOS CI + - -check-success=CentOS CI (CentOS Stream 9) + - -check-success=CentOS CI (CentOS Stream 9 + sanitizers) +- # LGTM +- - and: +- - "-check-success=LGTM analysis: JavaScript" +- - "-check-neutral=LGTM analysis: JavaScript" +- - and: +- - "-check-success=LGTM analysis: Python" +- - "-check-neutral=LGTM analysis: Python" +- - and: +- - "-check-success=LGTM analysis: C/C++" +- - "-check-neutral=LGTM analysis: C/C++" ++ # CodeQL ++ - -check-success=CodeQL + # Packit + - -check-success=rpm-build:centos-stream-9-aarch64 + - -check-success=rpm-build:centos-stream-9-x86_64 ++ # Other ++ - -check-success=Lint Code Base ++ - -check-success=Differential ShellCheck + actions: + label: + add: + - needs-ci +- ++ + - name: Remove `needs-ci` label on CI success + conditions: + - or: +@@ -61,20 +56,15 @@ pull_request_rules: + # CentOS CI + - check-success=CentOS CI (CentOS Stream 9) + - check-success=CentOS CI (CentOS Stream 9 + sanitizers) +- # LGTM +- - or: +- - "check-success=LGTM analysis: JavaScript" +- - "check-neutral=LGTM analysis: JavaScript" +- - or: +- - "check-success=LGTM analysis: Python" +- - "check-neutral=LGTM analysis: Python" +- - or: +- - "check-success=LGTM analysis: C/C++" +- - "check-neutral=LGTM analysis: C/C++" ++ # CodeQL ++ - check-success=CodeQL + # Packit + - check-success=rpm-build:centos-stream-9-aarch64 + - check-success=rpm-build:centos-stream-9-x86_64 ++ # Other ++ - check-success=Lint Code Base ++ - check-success=Differential ShellCheck + actions: + label: + remove: +- - needs-ci ++ - needs-ci +-- +2.38.1 + diff --git a/0120-test-sd-device-skip-misc-devices.patch b/0120-test-sd-device-skip-misc-devices.patch new file mode 100644 index 0000000..578544e --- /dev/null +++ b/0120-test-sd-device-skip-misc-devices.patch @@ -0,0 +1,27 @@ +From c6b52050b8da6f5e7cdd2f057141af236288e78b Mon Sep 17 00:00:00 2001 +From: Jan Macku +Date: Mon, 31 Oct 2022 10:58:11 +0100 +Subject: [PATCH] test-sd-device: skip "misc" devices + +rhel-only + +Related: #2138081 +--- + src/libsystemd/sd-device/test-sd-device.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/libsystemd/sd-device/test-sd-device.c b/src/libsystemd/sd-device/test-sd-device.c +index 4ab8b3894a..a1bcf18059 100644 +--- a/src/libsystemd/sd-device/test-sd-device.c ++++ b/src/libsystemd/sd-device/test-sd-device.c +@@ -204,6 +204,7 @@ TEST(sd_device_enumerator_devices) { + /* On CentOS CI, systemd-networkd-tests.py may be running when this test is invoked. The networkd + * test creates and removes many network interfaces, and may interfere with this test. */ + assert_se(sd_device_enumerator_add_match_subsystem(e, "net", false) >= 0); ++ assert_se(sd_device_enumerator_add_match_subsystem(e, "misc", false) >= 0); + FOREACH_DEVICE(e, d) + test_sd_device_one(d); + } +-- +2.38.1 + diff --git a/0121-test-skip-test_ntp-if-systemd-timesyncd-is-not-avail.patch b/0121-test-skip-test_ntp-if-systemd-timesyncd-is-not-avail.patch new file mode 100644 index 0000000..935274f --- /dev/null +++ b/0121-test-skip-test_ntp-if-systemd-timesyncd-is-not-avail.patch @@ -0,0 +1,32 @@ +From 5488431dcbea41bec11f0b1ad0a3769489f68c39 Mon Sep 17 00:00:00 2001 +From: Frantisek Sumsal +Date: Wed, 23 Nov 2022 15:16:41 +0100 +Subject: [PATCH] test: skip test_ntp if systemd-timesyncd is not available + +We don't ship timesyncd on RHEL, so let's skip the test there. + +rhel-only +Related: #2138081 +--- + test/units/testsuite-45.sh | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/test/units/testsuite-45.sh b/test/units/testsuite-45.sh +index 24e888c587..7e757e4b00 100755 +--- a/test/units/testsuite-45.sh ++++ b/test/units/testsuite-45.sh +@@ -201,6 +201,11 @@ wait_mon() { + } + + test_ntp() { ++ if ! systemctl list-unit-files -q systemd-timesyncd.service; then ++ echo "systemd-timesyncd is not available, skipping the test..." ++ return 0 ++ fi ++ + # timesyncd has ConditionVirtualization=!container by default; drop/mock that for testing + if systemd-detect-virt --container --quiet; then + systemctl disable --quiet --now systemd-timesyncd +-- +2.38.1 + diff --git a/0122-test-accept-EPERM-for-unavailable-idmapped-mounts-as.patch b/0122-test-accept-EPERM-for-unavailable-idmapped-mounts-as.patch new file mode 100644 index 0000000..b3f26f8 --- /dev/null +++ b/0122-test-accept-EPERM-for-unavailable-idmapped-mounts-as.patch @@ -0,0 +1,29 @@ +From d2ccb0bf2b2078e13fc4cb1c2e2eb8079fa57df0 Mon Sep 17 00:00:00 2001 +From: Frantisek Sumsal +Date: Thu, 24 Nov 2022 15:19:59 +0100 +Subject: [PATCH] test: accept EPERM for unavailable idmapped mounts as well + +Follow-up for 3c54c67a7fc65dc5b49b2452739c19b94eeb98a9. + +rhel-only +Related: #2138081 +--- + test/units/testsuite-13.sh | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/test/units/testsuite-13.sh b/test/units/testsuite-13.sh +index 4ad7431e42..2b6e6df8a3 100755 +--- a/test/units/testsuite-13.sh ++++ b/test/units/testsuite-13.sh +@@ -74,7 +74,7 @@ function check_rootidmap { + --register=no -D "$_root" \ + --bind=/tmp/rootidmapdir:/mnt:rootidmap \ + /bin/sh -c "$_command" |& tee nspawn.out; then +- if grep -q "Failed to map ids for bind mount.*: Function not implemented" nspawn.out; then ++ if grep -Eq "Failed to map ids for bind mount.*: (Function not implemented|Operation not permitted)" nspawn.out; then + echo "idmapped mounts are not supported, skipping the test..." + return 0 + fi +-- +2.38.1 + diff --git a/0123-test-don-t-test-buses-we-don-t-ship.patch b/0123-test-don-t-test-buses-we-don-t-ship.patch new file mode 100644 index 0000000..8932a53 --- /dev/null +++ b/0123-test-don-t-test-buses-we-don-t-ship.patch @@ -0,0 +1,55 @@ +From a8a0c31123f7a8c1c317bb1a83548f15b02974d0 Mon Sep 17 00:00:00 2001 +From: Frantisek Sumsal +Date: Thu, 24 Nov 2022 15:23:12 +0100 +Subject: [PATCH] test: don't test buses we don't ship + +rhel-only +Related: #2138081 +--- + test/units/testsuite-21.sh | 18 ++---------------- + 1 file changed, 2 insertions(+), 16 deletions(-) + +diff --git a/test/units/testsuite-21.sh b/test/units/testsuite-21.sh +index d931e63167..e7d97ae06e 100755 +--- a/test/units/testsuite-21.sh ++++ b/test/units/testsuite-21.sh +@@ -27,13 +27,13 @@ systemctl log-level info + # TODO + # * check for possibly newly introduced buses? + BUS_LIST=( +- org.freedesktop.home1 ++# org.freedesktop.home1 + org.freedesktop.hostname1 + org.freedesktop.import1 + org.freedesktop.locale1 + org.freedesktop.login1 + org.freedesktop.machine1 +- org.freedesktop.portable1 ++# org.freedesktop.portable1 + org.freedesktop.resolve1 + org.freedesktop.systemd1 + org.freedesktop.timedate1 +@@ -46,20 +46,6 @@ if tail -n +1 /proc/pressure/{cpu,io,memory}; then + ) + fi + +-# Some services require specific conditions: +-# - systemd-timesyncd can't run in a container +-# - systemd-networkd can run in a container if it has CAP_NET_ADMIN capability +-if ! systemd-detect-virt --container; then +- BUS_LIST+=( +- org.freedesktop.network1 +- org.freedesktop.timesync1 +- ) +-elif busctl introspect org.freedesktop.network1 / &>/dev/null; then +- BUS_LIST+=( +- org.freedesktop.network1 +- ) +-fi +- + SESSION_BUS_LIST=( + org.freedesktop.systemd1 + ) +-- +2.38.1 + diff --git a/0124-basic-add-fallback-in-chase_symlinks_and_opendir-for.patch b/0124-basic-add-fallback-in-chase_symlinks_and_opendir-for.patch new file mode 100644 index 0000000..2c6b16a --- /dev/null +++ b/0124-basic-add-fallback-in-chase_symlinks_and_opendir-for.patch @@ -0,0 +1,46 @@ +From 47c0c5108b39d01283ba040c41d556b160d45a55 Mon Sep 17 00:00:00 2001 +From: Michal Sekletar +Date: Wed, 30 Nov 2022 18:01:01 +0100 +Subject: [PATCH] basic: add fallback in chase_symlinks_and_opendir() for cases + when /proc is not mounted + +rhel-only + +Related: #2138081 +--- + src/basic/chase-symlinks.c | 14 +++++++++++--- + 1 file changed, 11 insertions(+), 3 deletions(-) + +diff --git a/src/basic/chase-symlinks.c b/src/basic/chase-symlinks.c +index afab54f067..c09aab389e 100644 +--- a/src/basic/chase-symlinks.c ++++ b/src/basic/chase-symlinks.c +@@ -466,14 +466,22 @@ int chase_symlinks_and_opendir( + return 0; + } + +- r = chase_symlinks(path, root, chase_flags, ret_path ? &p : NULL, &path_fd); ++ r = chase_symlinks(path, root, chase_flags, &p, &path_fd); + if (r < 0) + return r; + assert(path_fd >= 0); + + d = opendir(FORMAT_PROC_FD_PATH(path_fd)); +- if (!d) +- return -errno; ++ if (!d) { ++ /* Hmm, we have the fd already but we got ENOENT, most likely /proc is not mounted. ++ * Let's try opendir() again on the full path. */ ++ if (errno == ENOENT) { ++ d = opendir(p); ++ if (!d) ++ return -errno; ++ } else ++ return -errno; ++ } + + if (ret_path) + *ret_path = TAKE_PTR(p); +-- +2.38.1 + diff --git a/sources b/sources index 66a9519..728cdb1 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (systemd-250.tar.gz) = b618d86357c85f27a0af416af5818767af2233255a4a40b8f6a0bd690971ae1936a8ec32eaa84034f03aebfdc9a84d1f74b6f4c37a4db46d0851e636266f9cd4 +SHA512 (systemd-252.tar.gz) = c9a5f4e3d11cf6a73b0f0d34f7e8f380b9b39bd4e8dd540affcba2eb24b777943f90662eb6ca2bd24276eb5d502312fcc2f097ec242ed1ca79603dbbde19ec7f diff --git a/systemd.spec b/systemd.spec index e457b88..a34443e 100644 --- a/systemd.spec +++ b/systemd.spec @@ -1,4 +1,4 @@ -#global commit c4b843473a75fb38ed5bf54e9d3cfb1cb3719efa +#global commit e8dc52766e1fdb4f8c09c3ab654d1270e1090c8d %{?commit:%global shortcommit %(c=%{commit}; echo ${c:0:7})} #global stable 1 @@ -20,8 +20,8 @@ Name: systemd Url: https://www.freedesktop.org/wiki/Software/systemd -Version: 250 -Release: 13%{?dist} +Version: 252 +Release: 1%{?dist} # For a breakdown of the licensing, see README License: LGPLv2+ and MIT and GPLv2+ Summary: System and Service Manager @@ -78,343 +78,130 @@ GIT_DIR=../../src/systemd/.git git diffab -M v233..master@{2017-06-15} -- hwdb/[ # patches in this range before applying upstream pull requests. # RHEL-specific -Patch0001: 0001-logind-set-RemoveIPC-to-false-by-default.patch -Patch0002: 0002-tmpfiles-don-t-create-resolv.conf-stub-resolv.conf-s.patch -Patch0003: 0003-Copy-40-redhat.rules-from-RHEL-8.patch -Patch0004: 0004-Avoid-tmp-being-mounted-as-tmpfs-without-the-user-s-.patch -Patch0005: 0005-unit-don-t-add-Requires-for-tmp.mount.patch -Patch0006: 0006-units-add-Install-section-to-tmp.mount.patch -Patch0007: 0007-rc-local-order-after-network-online.target.patch -Patch0008: 0008-ci-drop-CIs-irrelevant-for-downstream.patch -Patch0009: 0009-ci-reconfigure-Packit-for-RHEL-9.patch -Patch0010: 0010-ci-run-unit-tests-on-z-stream-branches-as-well.patch -Patch0011: 0011-random-util-increase-random-seed-size-to-1024.patch -Patch0012: 0012-journal-don-t-enable-systemd-journald-audit.socket-b.patch -Patch0013: 0013-journald.conf-don-t-touch-current-audit-settings.patch -Patch0014: 0014-Revert-udev-remove-WAIT_FOR-key.patch -Patch0015: 0015-Really-don-t-enable-systemd-journald-audit.socket.patch -Patch0016: 0016-rules-add-elevator-kernel-command-line-parameter.patch -Patch0017: 0017-units-don-t-enable-tmp.mount-statically-in-local-fs..patch -Patch0018: 0018-pid1-bump-DefaultTasksMax-to-80-of-the-kernel-pid.ma.patch -Patch0019: 0019-set-core-ulimit-to-0-like-on-RHEL-7.patch -Patch0020: 0020-ci-use-C9S-chroots-in-Packit.patch -Patch0021: 0021-test-mountpointutil-util-do-not-assert-in-test_mnt_i.patch -Patch0022: 0022-Treat-EPERM-as-not-available-too.patch -Patch0023: 0023-test-copy-portable-profiles-into-the-image-if-they-d.patch -Patch0024: 0024-test-introduce-get_cgroup_hierarchy-helper.patch -Patch0025: 0025-test-require-unified-cgroup-hierarchy-for-TEST-56.patch -Patch0026: 0026-tests-rework-test-macros-to-not-take-code-as-paramet.patch -Patch0027: 0027-test-allow-to-set-NULL-to-intro-or-outro.patch -Patch0028: 0028-udev-net-setup-link-change-the-default-MACAddressPol.patch -Patch0029: 0029-man-mention-System-Administrator-s-Guide-in-systemct.patch -Patch0030: 0030-Net-naming-scheme-for-RHEL-9.0.patch -Patch0031: 0031-core-decrease-log-level-of-messages-about-use-of-Kil.patch -Patch0032: 0032-ci-replace-apt-key-with-signed-by.patch -Patch0033: 0033-ci-fix-clang-13-installation.patch -Patch0034: 0034-test-check-systemd-RPM-macros.patch -Patch0035: 0035-test-do-not-assume-x86-64-arch-in-TEST-58-REPART.patch -Patch0036: 0036-tests-add-repart-tests-for-block-devices-with-1024-2.patch -Patch0037: 0037-test-accept-both-unpadded-and-padded-partition-sizes.patch -Patch0038: 0038-test-lvm-2.03.15-dropped-the-static-autoactivation.patch -Patch0039: 0039-test-accept-GC-ed-units-in-newer-LVM.patch -Patch0040: 0040-shared-Add-more-dlopen-tests.patch -Patch0041: 0041-systemctl-Show-how-long-a-service-ran-for-after-it-e.patch -Patch0042: 0042-time-util-introduce-TIMESTAMP_UNIX.patch -Patch0043: 0043-systemctl-man-update-docs-for-timestamp.patch -Patch0044: 0044-systemctl-make-timestamp-affect-the-show-verb-as-wel.patch -Patch0045: 0045-tests-allow-running-all-the-services-with-SYSTEMD_LO.patch -Patch0046: 0046-coredump-raise-the-coredump-save-size-on-64bit-syste.patch -Patch0047: 0047-repart-fix-sector-size-handling.patch -Patch0048: 0048-mkdir-allow-to-create-directory-whose-path-contains-.patch -Patch0049: 0049-mkdir-CHASE_NONEXISTENT-cannot-used-in-chase_symlink.patch -Patch0050: 0050-meson-move-efi-file-lists-closer-to-where-they-are-u.patch -Patch0051: 0051-meson-move-efi-summary-section-to-src-boot-efi.patch -Patch0052: 0052-meson-report-SBAT-settings.patch -Patch0053: 0053-boot-Build-BCD-parser-only-on-arches-supported-by-Wi.patch -Patch0054: 0054-meson-Remove-efi-cc-option.patch -Patch0055: 0055-meson-Get-objcopy-location-from-compiler.patch -Patch0056: 0056-meson-Use-files-for-source-lists-for-boot-and-fundam.patch -Patch0057: 0057-meson-Use-files-for-tests.patch -Patch0058: 0058-tests-add-fuzz-bcd.patch -Patch0059: 0059-meson-Use-files-for-fuzzers.patch -Patch0060: 0060-meson-Add-check-argument-to-remaining-run_command-ca.patch -Patch0061: 0061-meson-Use-echo-to-list-files.patch -Patch0062: 0062-test-add-a-test-for-mkdir_p.patch -Patch0063: 0063-util-another-set-of-CVE-2021-4034-assert-s.patch -Patch0064: 0064-basic-update-CIFS-magic.patch -Patch0065: 0065-shared-be-extra-paranoid-and-check-if-argc-0.patch -Patch0066: 0066-core-check-if-argc-0-and-argv-0-is-set.patch -Patch0067: 0067-core-check-argc-argv-uncoditionally.patch -Patch0068: 0068-test-temporary-workaround-for-21819.patch -Patch0069: 0069-test-don-t-leak-local-variable-to-outer-scopes.patch -Patch0070: 0070-tree-wide-don-t-use-strjoina-on-getenv-values.patch -Patch0071: 0071-man-clarify-Environmentfile-format.patch -Patch0072: 0072-test-load-fragment-add-a-basic-test-for-config_parse.patch -Patch0073: 0073-core-execute-use-_cleanup_-in-exec_context_load_envi.patch -Patch0074: 0074-test-env-file-add-tests-for-quoting-in-env-files.patch -Patch0075: 0075-core-shorten-long-unit-names-that-are-based-on-paths.patch -Patch0076: 0076-tests-add-test-case-for-long-unit-names.patch -Patch0077: 0077-tests-reflect-that-we-can-now-handle-devices-with-ve.patch -Patch0078: 0078-test-extend-the-hashed-unit-names-coverage-a-bit.patch -Patch0079: 0079-Revert-kernel-install-also-remove-modules.builtin.al.patch -Patch0080: 0080-Revert-kernel-install-prefer-boot-over-boot-efi-for-.patch -Patch0081: 0081-kernel-install-50-depmod-port-to-bin-sh.patch -Patch0082: 0082-kernel-install-90-loaderentry-port-to-bin-sh.patch -Patch0083: 0083-kernel-install-fix-shellcheck.patch -Patch0084: 0084-kernel-install-port-to-bin-sh.patch -Patch0085: 0085-kernel-install-90-loaderentry-error-out-on-nonexiste.patch -Patch0086: 0086-kernel-install-don-t-pull-out-KERNEL_IMAGE.patch -Patch0087: 0087-kernel-install-prefer-boot-over-boot-efi-for-BOOT_RO.patch -Patch0088: 0088-kernel-install-also-remove-modules.builtin.alias.bin.patch -Patch0089: 0089-kernel-install-add-new-variable-KERNEL_INSTALL_INITR.patch -Patch0090: 0090-kernel-install-k-i-already-creates-ENTRY_DIR_ABS-no-.patch -Patch0091: 0091-kernel-install-prefix-errors-with-Error-exit-immedia.patch -Patch0092: 0092-kernel-install-add-KERNEL_INSTALL_STAGING_AREA-direc.patch -Patch0093: 0093-kernel-install-add-missing-log-line.patch -Patch0094: 0094-kernel-install-don-t-try-to-persist-used-machine-ID-.patch -Patch0095: 0095-kernel-install-add-a-new-ENTRY_TOKEN-variable-for-na.patch -Patch0096: 0096-kernel-install-only-generate-systemd.boot_id-in-kern.patch -Patch0097: 0097-kernel-install-search-harder-for-kernel-image-initrd.patch -Patch0098: 0098-kernel-install-add-new-inspect-verb-showing-paths-an.patch -Patch0099: 0099-ci-Mergify-configuration-update.patch -Patch0100: 0100-ci-Mergify-fix-copy-paste-bug.patch -Patch0101: 0101-shared-Fix-memory-leak-in-bus_append_execute_propert.patch -Patch0102: 0102-fuzz-no-longer-skip-empty-files.patch -Patch0103: 0103-networkctl-open-the-bus-just-once.patch -Patch0104: 0104-json-align-table.patch -Patch0105: 0105-fuzz-json-optionally-allow-logging-and-output.patch -Patch0106: 0106-shared-json-reduce-scope-of-variables.patch -Patch0107: 0107-fuzz-json-also-do-sorting-and-normalizing-and-other-.patch -Patch0108: 0108-shared-json-wrap-long-comments.patch -Patch0109: 0109-shared-json-fix-memory-leak-on-failed-normalization.patch -Patch0110: 0110-shared-json-add-helper-to-ref-first-unref-second.patch -Patch0111: 0111-basic-alloc-util-remove-unnecessary-parens.patch -Patch0112: 0112-fuzz-json-also-try-self-merge-operations.patch -Patch0113: 0113-shared-json-fix-another-memleak-in-normalization.patch -Patch0114: 0114-shared-json-fix-memleak-in-sort.patch -Patch0115: 0115-execute-fix-resource-leak.patch -Patch0116: 0116-tests-ignore-dbus-broker-launcher.patch -Patch0117: 0117-core-timer-fix-memleak.patch -Patch0118: 0118-timedatectl-fix-a-memory-leak.patch -Patch0119: 0119-test-fix-file-descriptor-leak-in-test-psi-util.patch -Patch0120: 0120-test-fix-file-descriptor-leak-in-test-tmpfiles.c.patch -Patch0121: 0121-test-fix-file-descriptor-leak-in-test-fs-util.patch -Patch0122: 0122-test-fix-file-descriptor-leak-in-test-oomd-util.patch -Patch0123: 0123-test-fix-file-descriptor-leak-in-test-catalog.patch -Patch0124: 0124-test-make-masking-of-supplementary-services-configur.patch -Patch0125: 0125-test-fuzz-our-dbus-interfaces-with-dfuzzer.patch -Patch0126: 0126-test-skip-TEST-21-DFUZZER-without-ASan.patch -Patch0127: 0127-core-annotate-Reexecute-as-NoReply.patch -Patch0128: 0128-test-always-force-a-new-image-for-dfuzzer.patch -Patch0129: 0129-test-make-dfuzzer-less-verbose.patch -Patch0130: 0130-test-drop-the-at_exit-coredump-check.patch -Patch0131: 0131-test-make-the-shutdown-routine-a-bit-more-robust.patch -Patch0132: 0132-tree-wide-drop-manually-crafted-message-for-missing-.patch -Patch0133: 0133-test-allow-overriding-QEMU_MEM-when-running-w-ASan.patch -Patch0134: 0134-test-don-t-test-buses-we-don-t-ship.patch -Patch0135: 0135-shutdown-get-only-active-md-arrays.patch -Patch0136: 0136-bus-Use-OrderedSet-for-introspection.patch -Patch0137: 0137-logind-session-dbus-allow-to-set-display-name-via-db.patch -Patch0138: 0138-ci-limit-which-env-variables-we-pass-through-sudo.patch -Patch0139: 0139-ci-Mergify-Add-ci-waived-logic.patch -Patch0140: 0140-json-use-unsigned-for-refernce-counter.patch -Patch0141: 0141-macro-check-over-flow-in-reference-counter.patch -Patch0142: 0142-sd-bus-fix-reference-counter-to-be-incremented.patch -Patch0143: 0143-sd-bus-introduce-ref-unref-function-for-track_item.patch -Patch0144: 0144-sd-bus-do-not-read-unused-value.patch -Patch0145: 0145-sd-bus-do-not-return-negative-errno-when-unknown-nam.patch -Patch0146: 0146-sd-bus-use-hashmap_contains-and-drop-unnecessary-cas.patch -Patch0147: 0147-test-shorten-code-a-bit.patch -Patch0148: 0148-test-add-several-tests-for-track-item.patch -Patch0149: 0149-core-slice-make-slice_freezer_action-return-0-if-fre.patch -Patch0150: 0150-core-unit-fix-use-after-free.patch -Patch0151: 0151-core-timer-fix-potential-use-after-free.patch -Patch0152: 0152-core-command-argument-can-be-longer-than-PATH_MAX.patch -Patch0153: 0153-shared-install-consistently-use-lp-as-the-name-for-t.patch -Patch0154: 0154-shared-specifier-treat-NULL-the-same-as.patch -Patch0155: 0155-shared-install-do-not-print-aliases-longer-than-UNIT.patch -Patch0156: 0156-shared-install-printf-drop-now-unused-install_path_p.patch -Patch0157: 0157-strv-declare-iterator-of-FOREACH_STRING-in-the-loop.patch -Patch0158: 0158-basic-unit-file-split-out-the-subroutine-for-symlink.patch -Patch0159: 0159-basic-stat-util-add-null_or_empty_path_with_root.patch -Patch0160: 0160-shared-install-reuse-the-standard-symlink-verificati.patch -Patch0161: 0161-shared-install-add-a-bit-more-quoting.patch -Patch0162: 0162-test-add-test-for-systemctl-link-enable.patch -Patch0163: 0163-tests-add-helper-for-creating-tempfiles-with-content.patch -Patch0164: 0164-man-clarify-the-descriptions-of-aliases-and-linked-u.patch -Patch0165: 0165-basic-add-new-variable-SYSTEMD_OS_RELEASE-to-overrid.patch -Patch0166: 0166-test-os-util-add-basic-tests-for-os-release-parsing.patch -Patch0167: 0167-basic-env-file-make-load-env-file-deduplicate-entrie.patch -Patch0168: 0168-man-os-release-add-a-note-about-repeating-entries.patch -Patch0169: 0169-shared-specifier-clarify-and-add-test-for-missing-da.patch -Patch0170: 0170-shared-specifier-provide-proper-error-messages-when-.patch -Patch0171: 0171-shared-install-provide-proper-error-messages-when-in.patch -Patch0172: 0172-shared-install-move-scope-into-InstallContext.patch -Patch0173: 0173-shared-specifier-fix-u-U-g-G-when-called-as-unprivil.patch -Patch0174: 0174-shared-install-simplify-unit_file_dump_changes.patch -Patch0175: 0175-shared-install-propagate-errors-about-invalid-aliase.patch -Patch0176: 0176-shared-install-return-failure-when-enablement-fails-.patch -Patch0177: 0177-systemctl-fix-silent-failure-when-root-is-not-found.patch -Patch0178: 0178-shared-install-also-check-for-self-aliases-during-in.patch -Patch0179: 0179-docs-Correct-WantedBy-regarding-template-units.patch -Patch0180: 0180-man-fix-invalid-description-of-template-handling-in-.patch -Patch0181: 0181-shared-install-drop-unnecessary-casts.patch -Patch0182: 0182-strv-make-iterator-in-STRV_FOREACH-declaread-in-the-.patch -Patch0183: 0183-core-ExecContext-restrict_filesystems-is-set-of-stri.patch -Patch0184: 0184-install-when-linking-a-file-create-the-link-first-or.patch -Patch0185: 0185-shared-install-split-unit_file_-disable-enable-so-_r.patch -Patch0186: 0186-shared-install-fix-reenable-on-linked-unit-files.patch -Patch0187: 0187-test-systemctl-enable-extend-the-test-for-repeated-W.patch -Patch0188: 0188-shared-install-when-we-fail-to-chase-a-symlink-show-.patch -Patch0189: 0189-shared-install-do-not-try-to-resolve-symlinks-outsid.patch -Patch0190: 0190-test-systemctl-enable-enhance-the-test-for-unit-file.patch -Patch0191: 0191-shared-install-skip-unnecessary-chasing-of-symlinks-.patch -Patch0192: 0192-shared-install-also-remove-symlinks-like-.wants-foo-.patch -Patch0193: 0193-shared-install-create-relative-symlinks-for-enableme.patch -Patch0194: 0194-shared-install-when-looking-for-symlinks-in-.wants-..patch -Patch0195: 0195-shared-install-stop-passing-duplicate-root-argument-.patch -Patch0196: 0196-basic-unit-file-reverse-negative-conditional.patch -Patch0197: 0197-shared-install-split-UNIT_FILE_SYMLINK-into-two-stat.patch -Patch0198: 0198-shared-install-fix-handling-of-a-linked-unit-file.patch -Patch0199: 0199-test-systemctl-enable-make-shellcheck-happy.patch -Patch0200: 0200-shared-install-when-creating-symlinks-accept-differe.patch -Patch0201: 0201-test-systemctl-enable-use-magic-syntax-to-allow-inve.patch -Patch0202: 0202-test-systemctl-enable-also-use-freshly-built-systemd.patch -Patch0203: 0203-test-systemctl-enable-disable-the-test-for-a-for-now.patch -Patch0204: 0204-Rename-UnitFileScope-to-LookupScope.patch -Patch0205: 0205-core-handle-lookup-paths-being-symlinks.patch -Patch0206: 0206-shared-install-use-correct-cleanup-function.patch -Patch0207: 0207-udev-net_id-avoid-slot-based-names-only-for-single-f.patch -Patch0208: 0208-test-import-logind-test-from-debian-ubuntu-test-suit.patch -Patch0209: 0209-test-drop-redundant-IMAGE_NAME.patch -Patch0210: 0210-test-import-timedated-test-from-debian-ubuntu-test-s.patch -Patch0211: 0211-test-introduce-assert_not_in-helper-function.patch -Patch0212: 0212-test-drop-unnecessary-no-pager-option.patch -Patch0213: 0213-test-support-debian-ubuntu-specific-timezone-config-.patch -Patch0214: 0214-test-import-hostnamed-tests-from-debian-ubuntu-test-.patch -Patch0215: 0215-locale-util-fix-memleak-on-failure.patch -Patch0216: 0216-locale-util-check-if-enumerated-locales-are-valid.patch -Patch0217: 0217-locale-util-align-locale-entries.patch -Patch0218: 0218-core-inline-an-iterator-variable.patch -Patch0219: 0219-locale-setup-merge-locale-handling-in-PID1-and-local.patch -Patch0220: 0220-locale-rename-keymap-util.-ch-localed-util.-ch.patch -Patch0221: 0221-test-add-one-more-path-to-search-keymaps.patch -Patch0222: 0222-test-introduce-inst_recursive-helper-function.patch -Patch0223: 0223-hmac-sha256-move-size-define-to-sha256.h.patch -Patch0224: 0224-tpm2-support-policies-with-PIN.patch -Patch0225: 0225-cryptenroll-add-support-for-TPM2-pin.patch -Patch0226: 0226-cryptsetup-add-support-for-TPM2-pin.patch -Patch0227: 0227-cryptsetup-add-libcryptsetup-TPM2-PIN-support.patch -Patch0228: 0228-cryptenroll-add-TPM2-PIN-documentation.patch -Patch0229: 0229-cryptsetup-add-manual-TPM2-PIN-configuration.patch -Patch0230: 0230-cryptenroll-add-tests-for-TPM2-unlocking.patch -Patch0231: 0231-env-util-replace-unsetenv_erase-by-new-getenv_steal_.patch -Patch0232: 0232-test-install-libxkbcommon-and-x11-keymaps.patch -Patch0233: 0233-test-install-C.UTF-8-and-English-locales.patch -Patch0234: 0234-test-import-localed-tests-from-debian-ubuntu-test-su.patch -Patch0235: 0235-unit-check-for-mount-rate-limiting-before-checking-a.patch -Patch0236: 0236-tests-make-sure-we-delay-running-mount-start-jobs-wh.patch -Patch0237: 0237-test-insert-space-in-for-loop.patch -Patch0238: 0238-test-move-do-at-the-end-of-line.patch -Patch0239: 0239-test-use-trap-RETURN.patch -Patch0240: 0240-test-ignore-the-error-about-our-own-libraries-missin.patch -Patch0241: 0241-test-wrap-binaries-using-systemd-DSOs-when-running-w.patch -Patch0242: 0242-test-set-ASAN_RT_PATH-along-with-LD_PRELOAD-to-the-A.patch -Patch0243: 0243-test-drop-all-LD_PRELOAD-related-ASan-workarounds.patch -Patch0244: 0244-test-don-t-wrap-binaries-built-with-ASan.patch -Patch0245: 0245-test-send-stdout-stderr-of-testsuite-units-to-journa.patch -Patch0246: 0246-test-make-the-busy-loop-in-TEST-02-less-verbose.patch -Patch0247: 0247-test-always-wrap-useradd-userdel-when-running-w-ASan.patch -Patch0248: 0248-test-don-t-flush-debug-logs-to-the-console.patch -Patch0249: 0249-test-fix-a-couple-of-issues-found-by-shellcheck.patch -Patch0250: 0250-test-pass-the-initdir-to-check_result_-qemu-nspawn-h.patch -Patch0251: 0251-test-run-the-custom-check-hooks-before-common-checks.patch -Patch0252: 0252-test-check-journal-directly-instead-of-capturing-con.patch -Patch0253: 0253-test-use-saved-process-PID-instead-of.patch -Patch0254: 0254-test-account-for-ADDR_NO_RANDOMIZE-if-it-s-set.patch -Patch0255: 0255-fuzz-bcd-silence-warning-about-always-true-compariso.patch -Patch0256: 0256-test-disable-test_ntp-on-RHEL.patch -Patch0257: 0257-core-do-not-filter-out-systemd.unit-and-run-level-sp.patch -Patch0258: 0258-test-add-a-simple-test-for-daemon-reexec.patch -Patch0259: 0259-test-install-usr-libexec-vi-as-well.patch -Patch0260: 0260-test-resize-the-terminal-automagically-with-INTERACT.patch -Patch0261: 0261-test-create-an-ASan-wrapper-for-getent-and-su.patch -Patch0262: 0262-test-mark-partition-bootable.patch -Patch0263: 0263-test-bump-the-data-partition-size-if-we-don-t-strip-.patch -Patch0264: 0264-test-use-PBKDF2-with-capped-iterations-instead-of-Ar.patch -Patch0265: 0265-locale-drop-unnecessary-allocation.patch -Patch0266: 0266-Revert-shared-install-create-relative-symlinks-for-e.patch -Patch0267: 0267-glyph-util-add-new-glyphs-for-up-down-arrows.patch -Patch0268: 0268-tree-wide-allow-ASCII-fallback-for-in-logs.patch -Patch0269: 0269-tree-wide-allow-ASCII-fallback-for-in-logs.patch -Patch0270: 0270-core-allow-to-set-default-timeout-for-devices.patch -Patch0271: 0271-man-document-DefaultDeviceTimeoutSec.patch -Patch0272: 0272-man-update-dbus-docs.patch -Patch0273: 0273-hwdb-60-keyboard-Fix-volume-button-mapping-on-Asus-T.patch -Patch0274: 0274-hwdb-CH-Pro-Pedals-not-classified-correctly-due-to-n.patch -Patch0275: 0275-hwdb-Add-accel-orientation-quirk-for-the-GPD-Pocket-.patch -Patch0276: 0276-hostname-Allow-overriding-the-chassis-type-from-hwdb.patch -Patch0277: 0277-hwdb-Add-Microsoft-Surface-Pro-1-chassis-quirk.patch -Patch0278: 0278-hwdb-treat-logitech-craft-keyboard-as-a-keyboard.patch -Patch0279: 0279-test-frequency-in-mouse-DPI-is-optional.patch -Patch0280: 0280-hwdb-add-two-Elecom-trackballs.patch -Patch0281: 0281-hwdb-add-new-database-file-for-PDA-devices.patch -Patch0282: 0282-hwdb-add-support-for-Surface-Laptop-2-3-22303.patch -Patch0283: 0283-hwdb-add-HP-calculators.patch -Patch0284: 0284-hwbd-60-sensor.hwdb-Add-Pipo-W2Pro.patch -Patch0285: 0285-hwdb-60-keyboard-Support-the-buttons-on-CZC-P10T-tab.patch -Patch0286: 0286-hwdb-add-CST-Laser-Trackball-22583.patch -Patch0287: 0287-hwdb-Force-release-calculator-key-on-all-HP-OMEN-lap.patch -Patch0288: 0288-Add-support-for-NEC-VersaPro-VG-S.patch -Patch0289: 0289-Fix-mic-mute-on-Acer-TravelMate-B311-31-22677.patch -Patch0290: 0290-Add-AV-production-controllers-to-hwdb-and-add-uacces.patch -Patch0291: 0291-hwdb-Add-AV-production-access-to-Elgado-Stream-Deck-.patch -Patch0292: 0292-Add-HP-Elitebook-2760p-support-22766.patch -Patch0293: 0293-hwdb-Add-mic-mute-key-mapping-for-HP-Elite-x360.patch -Patch0294: 0294-hwdb-fix-parser-to-work-with-newer-pyparsing.patch -Patch0295: 0295-hwdb-update-for-v251.patch -Patch0296: 0296-hwdb-update-autosuspend-entries.patch -Patch0297: 0297-hwdb-drop-boilerplate-about-match-patterns-being-uns.patch -Patch0298: 0298-hwdb-Update-60-keyboard.hwdb-23074.patch -Patch0299: 0299-hwdb-60-keyboard-Add-Acer-Aspire-One-AO532h-keymappi.patch -Patch0300: 0300-hwdb-60-keyboard-Add-HP-Compaq-KBR0133.patch -Patch0301: 0301-hwdb-add-resolutions-for-the-Vaio-FE14-touchpad-2313.patch -Patch0302: 0302-hwdb-Remap-micmute-to-f20-for-ASUS-WMI-hotkeys.patch -Patch0303: 0303-hwdb-Fix-rotation-for-HP-Pro-Tablet-408-G1.patch -Patch0304: 0304-hwdb-add-keyboard-mapping-for-HP-ProBook-11G2.patch -Patch0305: 0305-hwdb-make-sure-ninja-update-hwdb-works-on-f35.patch -Patch0306: 0306-hwbd-run-update-hwdb-for-v251-rc2.patch -Patch0307: 0307-hwdb-run-ninja-update-hwdb-autosuspend-for-v251-rc2.patch -Patch0308: 0308-Fix-orientation-detection-for-Asus-Transformer-T100T.patch -Patch0309: 0309-Fix-orientation-detection-for-HP-Pavilion-X2-10-k010.patch -Patch0310: 0310-fix-typo.patch -Patch0311: 0311-Adding-a-description-of-the-keyboard-shortcut-Fn-F12.patch -Patch0312: 0312-hwdb-run-update-hwdb.patch -Patch0313: 0313-hwdb-add-rammus-accelerometer-support.patch -Patch0314: 0314-Add-support-to-set-autosuspend-delay-via-hwdb.patch -Patch0315: 0315-Set-autosuspend-delay-for-Fibocom-LG850-GL.patch -Patch0316: 0316-Add-HUION-Inspiroy-H420X-to-hwdb.patch -Patch0317: 0317-hwdb-run-update-hwdb-for-v251-rc3.patch -Patch0318: 0318-hwdb-add-touchpad-parameters-for-Lenovo-T15g-Gen1-23.patch -Patch0319: 0319-hwdb-Add-accel-orientation-for-the-I15-TG.patch -Patch0320: 0320-hwdb-fix-accelerometer-mount-matrix-for-Aquarius-NS4.patch -Patch0321: 0321-hwdb-Add-Google-Hangouts-Meet-speakermic.patch -Patch0322: 0322-hwdb-update-via-ninja-C-build-update-hwdb.patch -Patch0323: 0323-hwdb-Add-Google-Meet-speakermic.patch -Patch0324: 0324-hwdb-Add-accel-orientation-quirk-for-the-Aya-Neo-Nex.patch -Patch0325: 0325-hwdb-Add-HP-Dev-One.patch -Patch0326: 0326-hwdb-analyzers-remove-generic-STM-Device-in-DFU-Mode.patch -Patch0327: 0327-hwdb-Add-Lenovo-ThinkPad-C13-Yoga.patch -Patch0328: 0328-Fix-automatic-screen-rotation-for-Asus-Transformer-T.patch -Patch0329: 0329-hwdb-Add-Acer-Aspire-A317-33-24050.patch -Patch0330: 0330-Add-ACCEL_MOUNT_MATRIX-for-OXP-Mini.patch -Patch0331: 0331-Added-DERE-DBook-D10-24173.patch -Patch0332: 0332-hwdb-analyzers-Clarify-the-type-of-devices-we-want-l.patch -Patch0333: 0333-hwdb-Add-Greaseweazle-drives-to-the-list-of-analyzer.patch -Patch0334: 0334-hwdb-Apply-existing-accel-orientation-quirk-to-all-C.patch -Patch0335: 0335-shared-install-fix-crash-when-reenable-is-called-wit.patch -Patch0336: 0336-scope-allow-unprivileged-delegation-on-scopes.patch -Patch0337: 0337-udev-net_id-add-rhel-9.1-naming-scheme.patch +Patch0001: 0001-macro-fix-indentation.patch +Patch0002: 0002-test-add-a-couple-of-sanity-tests-for-journalctl.patch +Patch0003: 0003-man-fix-typo-found-by-Lintian.patch +Patch0004: 0004-test-add-x-to-assert.sh.patch +Patch0005: 0005-parse_hwdb-allow-negative-value-for-EVDEV_ABS_-prope.patch +Patch0006: 0006-resolved-fix-typo-in-feature-level-table.patch +Patch0007: 0007-coverage-Mark-_coverage__exit-as-noreturn.patch +Patch0008: 0008-namespace-Add-hidepid-subset-support-check.patch +Patch0009: 0009-test-add-a-couple-of-sanity-tests-for-loginctl.patch +Patch0010: 0010-test-rename-TEST-26-SETENV-to-TEST-26-SYSTEMCTL.patch +Patch0011: 0011-test-add-a-couple-of-sanity-tests-for-systemctl.patch +Patch0012: 0012-docs-DPS-and-BLS-have-moved-to-uapi-group.org.patch +Patch0013: 0013-core-fix-memleak-in-GetUnitFileLinks-method.patch +Patch0014: 0014-man-use-the-correct-Markers-property-name-for-markin.patch +Patch0015: 0015-test-further-extend-systemctl-s-sanity-coverage.patch +Patch0016: 0016-test-add-a-sanity-coverage-for-systemd-analyze-verbs.patch +Patch0017: 0017-udev-first-set-properties-based-on-usb-subsystem.patch +Patch0018: 0018-udev-drop-redundant-call-of-usb_id-and-assignment-of.patch +Patch0019: 0019-udev-add-safe-guard-for-setting-by-id-symlink.patch +Patch0020: 0020-test-cover-legacy-deprecated-systemd-analyze-verbs.patch +Patch0021: 0021-test-cover-a-couple-of-previously-missed-analyze-cod.patch +Patch0022: 0022-test-introduce-sanity-coverage-for-auxiliary-utils.patch +Patch0023: 0023-firstboot-fix-segfault-when-locale-messages-is-passe.patch +Patch0024: 0024-tests-make-test-execute-pass-on-openSUSE.patch +Patch0025: 0025-tests-minor-simplification-in-test-execute.patch +Patch0026: 0026-tmpfiles.d-do-not-fail-if-provision.conf-fails.patch +Patch0027: 0027-kernel-install-90-loaderentry-do-not-add-multiple-sy.patch +Patch0028: 0028-condition-Check-that-subsystem-is-enabled-in-Conditi.patch +Patch0029: 0029-semaphore-remove-the-Semaphore-repositories-recursiv.patch +Patch0030: 0030-kernel-install-90-loaderentry-do-not-override-an-exi.patch +Patch0031: 0031-kernel-install-skip-50-depmod-if-depmod-is-not-avail.patch +Patch0032: 0032-man-add-note-that-network-generator-is-not-a-generat.patch +Patch0033: 0033-test-fstab-generator-adjust-PATH-for-fsck.patch +Patch0034: 0034-loop-util-open-lock-fd-read-only.patch +Patch0035: 0035-test-don-t-ignore-non-existent-paths-in-inst_recursi.patch +Patch0036: 0036-test-fix-locale-installation-when-locale-gen-is-used.patch +Patch0037: 0037-test-fix-keymaps-installation-on-Arch.patch +Patch0038: 0038-test-compile-test-utmp.c-only-if-UTMP-is-enabled.patch +Patch0039: 0039-Create-CNAME.patch +Patch0040: 0040-tpm2-util-force-default-TCTI-to-be-device-with-param.patch +Patch0041: 0041-tpm2-add-some-extra-validation-of-device-string-befo.patch +Patch0042: 0042-boot-Fix-error-message.patch +Patch0043: 0043-boot-Fix-memory-leak.patch +Patch0044: 0044-boot-Do-not-require-a-loaded-image-path.patch +Patch0045: 0045-boot-Manually-convert-filepaths-if-needed.patch +Patch0046: 0046-boot-Rework-security-arch-override.patch +Patch0047: 0047-boot-Replace-firmware-security-hooks-directly.patch +Patch0048: 0048-networkd-ipv4acd.c-Use-net-if.h-for-getting-IFF_LOOP.patch +Patch0049: 0049-Revert-initrd-extend-SYSTEMD_IN_INITRD-to-accept-non.patch +Patch0050: 0050-pid1-skip-cleanup-if-root-is-not-tmpfs-ramfs.patch +Patch0051: 0051-ac-power-check-battery-existence-and-status.patch +Patch0052: 0052-systemctl-do-not-show-unit-properties-with-all.patch +Patch0053: 0053-Fix-reading-etc-machine-id-in-kernel-install-25388.patch +Patch0054: 0054-Revert-journal-Make-sd_journal_previous-next-return-.patch +Patch0055: 0055-boot-Correctly-handle-saved-default-patterns.patch +Patch0056: 0056-shared-tpm2-util-Fix-Error-Esys-invalid-ESAPI-handle.patch +Patch0057: 0057-Handle-MACHINE_ID-uninitialized.patch +Patch0058: 0058-fuzz-fuzz-compress-fix-copy-and-paste-error-buf-buf2.patch +Patch0059: 0059-boot-measure-fix-oom-check.patch +Patch0060: 0060-nspawn-allow-sched_rr_get_interval_time64-through-se.patch +Patch0061: 0061-resolved-use-right-conditionalization-when-setting-u.patch +Patch0062: 0062-resolved-when-configuring-127.0.0.1-as-per-interface.patch +Patch0063: 0063-manager-fix-format-strings-for-trigger-metadata.patch +Patch0064: 0064-basic-strv-check-printf-arguments-to-strv_extendf.patch +Patch0065: 0065-resolved-Fix-OpenSSL-error-messages.patch +Patch0066: 0066-network-wifi-try-to-reconfigure-when-connected.patch +Patch0067: 0067-oomd-always-allow-root-owned-cgroups-to-set-ManagedO.patch +Patch0068: 0068-oomd-fix-unreachable-test-case-in-test-oomd-util.patch +Patch0069: 0069-portable-add-a-few-more-useful-debug-log-messages.patch +Patch0070: 0070-repart-respect-discard-no-also-for-block-devices.patch +Patch0071: 0071-udev-make-sure-auto-root-logic-also-works-in-UKIs-bo.patch +Patch0072: 0072-meson-install-test-kernel-install-only-when-Dkernel-.patch +Patch0073: 0073-boot-Silence-driver-reconnect-errors.patch +Patch0074: 0074-dissect-image-do-not-try-to-close-invalid-fd.patch +Patch0075: 0075-bootctl-make-boot-entry-id-logged-in-hex.patch +Patch0076: 0076-bootctl-downgrade-log-message-when-firmware-reports-.patch +Patch0077: 0077-bootctl-rework-how-we-handle-referenced-but-absent-E.patch +Patch0078: 0078-strv-Make-sure-strv_make_nulstr-always-returns-a-val.patch +Patch0079: 0079-sd-bus-Use-goto-finish-instead-of-return-in-bus_add_.patch +Patch0080: 0080-find-esp-downgrade-and-ignore-error-on-retrieving-PA.patch +Patch0081: 0081-find-esp-include-device-sysname-in-the-log-message.patch +Patch0082: 0082-tmpfiles-log-at-info-level-when-some-allowed-failure.patch +Patch0083: 0083-fd-util-make-fd_in_set-and-thus-close_all_fds-handle.patch +Patch0084: 0084-fd-util-add-new-fd_cloexec_many-helper.patch +Patch0085: 0085-process-util-add-new-FORK_CLOEXEC_OFF-flag-for-disab.patch +Patch0086: 0086-dissect-fix-fsck.patch +Patch0087: 0087-core-update-audit-messages.patch +Patch0088: 0088-logind-set-RemoveIPC-to-false-by-default.patch +Patch0089: 0089-tmpfiles-don-t-create-resolv.conf-stub-resolv.conf-s.patch +Patch0090: 0090-Copy-40-redhat.rules-from-RHEL-8.patch +Patch0091: 0091-Avoid-tmp-being-mounted-as-tmpfs-without-the-user-s-.patch +Patch0092: 0092-unit-don-t-add-Requires-for-tmp.mount.patch +Patch0093: 0093-units-add-Install-section-to-tmp.mount.patch +Patch0094: 0094-rc-local-order-after-network-online.target.patch +Patch0095: 0095-ci-drop-CIs-irrelevant-for-downstream.patch +Patch0096: 0096-ci-reconfigure-Packit-for-RHEL-9.patch +Patch0097: 0097-ci-run-unit-tests-on-z-stream-branches-as-well.patch +Patch0098: 0098-random-util-increase-random-seed-size-to-1024.patch +Patch0099: 0099-journal-don-t-enable-systemd-journald-audit.socket-b.patch +Patch0100: 0100-journald.conf-don-t-touch-current-audit-settings.patch +Patch0101: 0101-Revert-udev-remove-WAIT_FOR-key.patch +Patch0102: 0102-Really-don-t-enable-systemd-journald-audit.socket.patch +Patch0103: 0103-rules-add-elevator-kernel-command-line-parameter.patch +Patch0104: 0104-units-don-t-enable-tmp.mount-statically-in-local-fs..patch +Patch0105: 0105-pid1-bump-DefaultTasksMax-to-80-of-the-kernel-pid.ma.patch +Patch0106: 0106-set-core-ulimit-to-0-like-on-RHEL-7.patch +Patch0107: 0107-ci-use-C9S-chroots-in-Packit.patch +Patch0108: 0108-Treat-EPERM-as-not-available-too.patch +Patch0109: 0109-udev-net-setup-link-change-the-default-MACAddressPol.patch +Patch0110: 0110-man-mention-System-Administrator-s-Guide-in-systemct.patch +Patch0111: 0111-Net-naming-scheme-for-RHEL-9.0.patch +Patch0112: 0112-core-decrease-log-level-of-messages-about-use-of-Kil.patch +Patch0113: 0113-ci-Mergify-configuration-update.patch +Patch0114: 0114-ci-Mergify-fix-copy-paste-bug.patch +Patch0115: 0115-ci-Mergify-Add-ci-waived-logic.patch +Patch0116: 0116-udev-net_id-avoid-slot-based-names-only-for-single-f.patch +Patch0117: 0117-udev-net_id-add-rhel-9.1-naming-scheme.patch +Patch0118: 0118-ci-lint-Update-Differential-ShellCheck-config-to-run.patch +Patch0119: 0119-ci-mergify-Update-policy-Drop-LGTM-checks.patch +Patch0120: 0120-test-sd-device-skip-misc-devices.patch +Patch0121: 0121-test-skip-test_ntp-if-systemd-timesyncd-is-not-avail.patch +Patch0122: 0122-test-accept-EPERM-for-unavailable-idmapped-mounts-as.patch +Patch0123: 0123-test-don-t-test-buses-we-don-t-ship.patch +Patch0124: 0124-basic-add-fallback-in-chase_symlinks_and_opendir-for.patch # Downstream-only patches (9000–9999) @@ -477,6 +264,7 @@ BuildRequires: pkgconfig(tss2-rc) BuildRequires: pkgconfig(tss2-mu) BuildRequires: perl BuildRequires: perl(IPC::SysV) +BuildRequires: git-core %if 0%{?have_gnu_efi} BuildRequires: gnu-efi gnu-efi-devel %endif @@ -702,7 +490,7 @@ or other libraries from systemd-libs. This package conflicts with the main systemd package and is meant for use in non-systemd systems. %prep -%autosetup -n %{?commit:%{name}%{?stable:-stable}-%{commit}}%{!?commit:%{name}%{?stable:-stable}-%{version_no_tilde}} -p1 +%autosetup -n %{?commit:%{name}%{?stable:-stable}-%{commit}}%{!?commit:%{name}%{?stable:-stable}-%{version_no_tilde}} -S git_am -p1 %build %define ntpvendor %(source /etc/os-release; echo ${ID}) @@ -1205,6 +993,9 @@ getent passwd systemd-oom &>/dev/null || useradd -r -l -g systemd-oom -d / -s /s %files standalone-sysusers -f .file-list-standalone-sysusers %changelog +* Fri Dec 02 2022 systemd maintenance team - 252-1 +- Rebase to systemd v252 + systemd-stable v252.2 (#2138081) + * Fri Dec 02 2022 systemd maintenance team - 250-13 - build systemd-boot EFI tools (#2140646)