From 1a5fa31a19c0769033bcfcb284bbeca6e93ef861 Mon Sep 17 00:00:00 2001
From: Jan Macku
Date: Tue, 23 Jul 2024 14:39:36 +0200
Subject: [PATCH] systemd-256-8
Resolves: RHEL-40924
---
 ...mounted-as-tmpfs-without-the-user-s-.patch | 23 +++++++++++
 ...nit-don-t-add-Requires-for-tmp.mount.patch | 39 +++++++++++++++++++
 ...its-add-Install-section-to-tmp.mount.patch | 24 ++++++++++++
 ...le-tmp.mount-statically-in-local-fs..patch | 28 +++++++++++++
 systemd.spec | 12 +++++-
 5 files changed, 125 insertions(+), 1 deletion(-)
 create mode 100644 0072-Avoid-tmp-being-mounted-as-tmpfs-without-the-user-s-.patch
 create mode 100644 0073-unit-don-t-add-Requires-for-tmp.mount.patch
 create mode 100644 0074-units-add-Install-section-to-tmp.mount.patch
 create mode 100644 0075-units-don-t-enable-tmp.mount-statically-in-local-fs..patch
diff --git a/0072-Avoid-tmp-being-mounted-as-tmpfs-without-the-user-s-.patch b/0072-Avoid-tmp-being-mounted-as-tmpfs-without-the-user-s-.patch
new file mode 100644
index 0000000..d4434cd
--- /dev/null
+++ b/0072-Avoid-tmp-being-mounted-as-tmpfs-without-the-user-s-.patch
@@ -0,0 +1,23 @@
+From 352f8ad0bfdd8a41f6aa34e3e43038ae75eedf73 Mon Sep 17 00:00:00 2001
+From: Jan Synacek
+Date: Tue, 15 May 2018 09:24:20 +0200
+Subject: [PATCH] Avoid /tmp being mounted as tmpfs without the user's will
+
+rhel-only: policy
+
+Related: RHEL-40924
+---
+ units/basic.target | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/units/basic.target b/units/basic.target
+index d8cdd5ac14..9eae0782a2 100644
+--- a/units/basic.target
++++ b/units/basic.target
+@@ -19,4 +19,5 @@ After=sysinit.target sockets.target paths.target slices.target tmp.mount
+ # require /var and /var/tmp, but only add a Wants= type dependency on /tmp, as
+ # we support that unit being masked, and this should not be considered an error.
+ RequiresMountsFor=/var /var/tmp
+-Wants=tmp.mount
++# RHEL-only: Disable /tmp on tmpfs.
++#Wants=tmp.mount
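Review bot: The replacement comment `# RHEL-only: Disable /tmp on tmpfs.` on the new line of units/basic.target says what is disabled but not what an administrator loses by default or how to opt back in. With Wants=tmp.mount gone, /tmp is a plain directory on the root filesystem unless something else mounts it, so as far as this series shows the `nosuid,nodev` options that units/tmp.mount applies no longer cover /tmp by default. I would extend the comment to `# RHEL-only: /tmp on tmpfs is opt-in (systemctl enable tmp.mount); by default /tmp stays on the root fs without tmp.mount's mount options.` The `systemctl enable` pointer relies on the [Install] section that a later patch in this same series adds to tmp.mount.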
diff --git a/0073-unit-don-t-add-Requires-for-tmp.mount.patch b/0073-unit-don-t-add-Requires-for-tmp.mount.patch
new file mode 100644
index 0000000..c4e7c5a
--- /dev/null
+++ b/0073-unit-don-t-add-Requires-for-tmp.mount.patch
@@ -0,0 +1,39 @@
+From e794e570a50392b503549befb65bc8cac0a29869 Mon Sep 17 00:00:00 2001
+From: Lukas Nykryn
+Date: Mon, 5 Sep 2016 12:47:09 +0200
+Subject: [PATCH] unit: don't add Requires for tmp.mount
+
+rhel-only: policy
+
+Related: RHEL-40924
+---
+ src/core/mount.c | 2 +-
+ src/core/unit.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/core/mount.c b/src/core/mount.c
+index ebafcafa92..9edb2d47eb 100644
+--- a/src/core/mount.c
++++ b/src/core/mount.c
+@@ -313,7 +313,7 @@ static int mount_add_mount_dependencies(Mount *m) {
+ if (r < 0)
+ return r;
+
+- if (UNIT(m)->fragment_path) {
++ if (UNIT(m)->fragment_path && !streq(UNIT(m)->id, "tmp.mount")) {
+ /* If we have fragment configuration, then make this dependency required/wanted */
+ r = unit_add_dependency(
+ other,
+diff --git a/src/core/unit.c b/src/core/unit.c
+index 0ec5dcaf75..a5556ba462 100644
+--- a/src/core/unit.c
++++ b/src/core/unit.c
+@@ -1544,7 +1544,7 @@ static int unit_add_mount_dependencies(Unit *u) {
+ return r;
+ changed = changed || r > 0;
+
+- if (m->fragment_path) {
++ if (m->fragment_path && !streq(m->id, "tmp.mount")) {
+ r = unit_add_dependency(
+ u,
+ unit_mount_dependency_type_to_dependency_type(t),
diff --git a/0074-units-add-Install-section-to-tmp.mount.patch b/0074-units-add-Install-section-to-tmp.mount.patch
new file mode 100644
index 0000000..9095578
--- /dev/null
+++ b/0074-units-add-Install-section-to-tmp.mount.patch
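Review bot: The added condition `!streq(UNIT(m)->id, "tmp.mount")` in mount_add_mount_dependencies() and its twin `!streq(m->id, "tmp.mount")` in unit_add_mount_dependencies() carry no comment, so a reader of either site sees a bare unit name special-cased inside core dependency logic with no hint that it is downstream policy rather than an upstream invariant. I would put a one-line comment above each, e.g. `/* RHEL-only: tmp.mount is opt-in, so never promote a mount dependency on it to Requires= (RHEL-40924) */`, and consider one shared constant for the unit name so the two sites cannot drift apart. What the code falls back to when the new condition is false lives in the else branch outside the hunk, so I cannot tell from here whether the unit still gets a Wants= on tmp.mount or no dependency at all; the comment should say which. Both enclosing functions start and end outside the hunk.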
@@ -0,0 +1,24 @@
+From de0e2fde86a7eebbc5c11bb5e4d40d9ab6621ed1 Mon Sep 17 00:00:00 2001
+From: Jan Synacek
+Date: Tue, 22 Jan 2019 10:28:42 +0100
+Subject: [PATCH] units: add [Install] section to tmp.mount
+
+rhel-only: policy
+
+Related: RHEL-40924
+---
+ units/tmp.mount | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/units/tmp.mount b/units/tmp.mount
+index 896040524a..d7beaa8d14 100644
+--- a/units/tmp.mount
++++ b/units/tmp.mount
+@@ -23,3 +23,7 @@ What=tmpfs
+ Where=/tmp
+ Type=tmpfs
+ Options=mode=1777,strictatime,nosuid,nodev,size=50%%,nr_inodes=1m
++
++# Make 'systemctl enable tmp.mount' work:
++[Install]
++WantedBy=local-fs.target
diff --git a/0075-units-don-t-enable-tmp.mount-statically-in-local-fs..patch b/0075-units-don-t-enable-tmp.mount-statically-in-local-fs..patch
new file mode 100644
index 0000000..b355b18
--- /dev/null
+++ b/0075-units-don-t-enable-tmp.mount-statically-in-local-fs..patch
@@ -0,0 +1,28 @@
+From 571c902adb894bfff481de4591a56a16add2670b Mon Sep 17 00:00:00 2001
+From: Michal Sekletar
+Date: Wed, 22 Sep 2021 14:38:00 +0200
+Subject: [PATCH] units: don't enable tmp.mount statically in local-fs.target
+
+rhel-only: policy
+
+Related: RHEL-40924
+---
+ units/meson.build | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+diff --git a/units/meson.build b/units/meson.build
+index b231341a1f..39fa6f42c0 100644
+--- a/units/meson.build
++++ b/units/meson.build
+@@ -761,10 +761,7 @@ units = [
+ { 'file' : 'time-set.target' },
+ { 'file' : 'time-sync.target' },
+ { 'file' : 'timers.target' },
+- {
+- 'file' : 'tmp.mount',
+- 'symlinks' : ['local-fs.target.wants/'],
+- },
++ { 'file' : 'tmp.mount' },
+ { 'file' : 'tpm2.target' },
+ { 'file' : 'umount.target' },
+ { 'file' : 'usb-gadget.target' },
diff --git a/systemd.spec b/systemd.spec
index 7d5c51e..cc454b7 100644
--- a/systemd.spec
+++ b/systemd.spec
@@ -48,7 +48,7 @@ Url: https://systemd.io
 # Allow users to specify the version and release when building the rpm by
 # setting the %%version_override and %%release_override macros.
 Version: %{?version_override}%{!?version_override:256}
-Release: 7%{?dist}
+Release: 8%{?dist}
 %global stable %(c="%version"; [ "$c" = "${c#*.*}" ]; echo $?)
@@ -177,6 +177,10 @@ Patch0068: 0068-taint-remove-unused-variable-usr_sbin.patch
 Patch0069: 0069-packit-drop-the-libarchive-workaround.patch
 Patch0070: 0070-packit-drop-the-dependency-on-python3-zstd.patch
 Patch0071: 0071-coredump-by-default-process-and-store-core-files-up-.patch
+Patch0072: 0072-Avoid-tmp-being-mounted-as-tmpfs-without-the-user-s-.patch
+Patch0073: 0073-unit-don-t-add-Requires-for-tmp.mount.patch
+Patch0074: 0074-units-add-Install-section-to-tmp.mount.patch
+Patch0075: 0075-units-don-t-enable-tmp.mount-statically-in-local-fs..patch
 # Downstream-only patches (9000–9999)
@@ -1103,6 +1107,12 @@ rm -f .file-list-*
 rm -f %{name}.lang
 %changelog
+* Tue Jul 23 2024 systemd maintenance team - 256-8
+- Avoid /tmp being mounted as tmpfs without the user's will (RHEL-40924)
+- unit: don't add Requires for tmp.mount (RHEL-40924)
+- units: add [Install] section to tmp.mount (RHEL-40924)
+- units: don't enable tmp.mount statically in local-fs.target (RHEL-40924)
+
 * Mon Jul 22 2024 systemd maintenance team - 256-7
 - drop 10-timeout-abort.conf snippet (RHEL-46280)
 - don't ship systemd-userdbd (RHEL-46280)