rpms/systemd
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Version 255~rc4

Browse Source
This commit is contained in:
Zbigniew Jędrzejewski-Szmek 2023-12-02 09:56:40 +01:00
parent 453bbcb423
commit 268ca6a059
7 changed files with 1 additions and 365 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

31
0001-Make-sure-we-close-bpf-outer-map-fd-in-systemd-execu.patch
View File

@ -1,31 +0,0 @@
From ef90e8f9db911626c8f5c18c49cf6fe445afdefb Mon Sep 17 00:00:00 2001
From: Daan De Meyer <daan.j.demeyer@gmail.com>
Date: Thu, 30 Nov 2023 11:01:14 +0100
Subject: [PATCH] Make sure we close bpf outer map fd in systemd-executor
Not doing so leaks it into the child service and causes selinux
denials.
---
src/core/execute-serialize.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/src/core/execute-serialize.c b/src/core/execute-serialize.c
index 56c4f4da8a..6c19cd42a2 100644
--- a/src/core/execute-serialize.c
+++ b/src/core/execute-serialize.c
@@ -1625,6 +1625,12 @@ static int exec_parameters_deserialize(ExecParameters *p, FILE *f, FDSet *fds) {
if (fd < 0)
continue;
+ /* This is special and relies on close-on-exec semantics, make sure it's
+ * there */
+ r = fd_cloexec(fd, true);
+ if (r < 0)
+ return r;
+
p->bpf_outer_map_fd = fd;
} else if ((val = startswith(l, "exec-parameters-notify-socket="))) {
r = free_and_strdup(&p->notify_socket, val);
--
2.43.0

47
0001-core-pass-bpf_outer_map_fd-to-sd-executor-only-if-Re.patch
View File

@ -1,47 +0,0 @@
From 60ef4baeedc34b5c7ab0e2f211684f9b96d63f82 Mon Sep 17 00:00:00 2001
From: Luca Boccassi <bluca@debian.org>
Date: Thu, 23 Nov 2023 19:08:22 +0000
Subject: [PATCH 1/3] core: pass bpf_outer_map_fd to sd-executor only if
RestrictFileSystems was set
It causes SELinux denials to be raised, so restrict it only where needed
Follow-up for beb4ae87558cae
---
src/core/execute-serialize.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/core/execute-serialize.c b/src/core/execute-serialize.c
index 342883994a..60c121a0d1 100644
--- a/src/core/execute-serialize.c
+++ b/src/core/execute-serialize.c
@@ -1244,7 +1244,7 @@ static bool exec_parameters_is_idle_pipe_set(const ExecParameters *p) {
p->idle_pipe[3] >= 0;
}
-static int exec_parameters_serialize(const ExecParameters *p, FILE *f, FDSet *fds) {
+static int exec_parameters_serialize(const ExecParameters *p, const ExecContext *c, FILE *f, FDSet *fds) {
int r;
assert(f);
@@ -1375,7 +1375,7 @@ static int exec_parameters_serialize(const ExecParameters *p, FILE *f, FDSet *fd
return r;
}
- if (p->bpf_outer_map_fd >= 0) {
+ if (c && exec_context_restrict_filesystems_set(c) && p->bpf_outer_map_fd >= 0) {
r = serialize_fd(f, fds, "exec-parameters-bpf-outer-map-fd", p->bpf_outer_map_fd);
if (r < 0)
return r;
@@ -3860,7 +3860,7 @@ int exec_serialize_invocation(
if (r < 0)
return log_debug_errno(r, "Failed to serialize command: %m");
- r = exec_parameters_serialize(p, f, fds);
+ r = exec_parameters_serialize(p, ctx, f, fds);
if (r < 0)
return log_debug_errno(r, "Failed to serialize parameters: %m");
--
2.43.0

42
0001-meson-always-install-network-example-files.patch
View File

@ -1,42 +0,0 @@
From 518d40b992abca8de5b9136e88748783200535da Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
Date: Thu, 23 Nov 2023 00:06:29 +0100
Subject: [PATCH] meson: always install network example files
I started working on integrating this in the Fedora package and realized that
the example files should be installed regardless of the renamed files when
default-network=true is used. This is because the renamed files become part of
a different package, and we want to have the other files which are used as
documentation in the main package anyway.
---
network/meson.build | 9 ++++-----
1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/network/meson.build b/network/meson.build
index 4f17f7385e..2a472f4f51 100644
--- a/network/meson.build
+++ b/network/meson.build
@@ -18,6 +18,10 @@ if conf.get('ENABLE_NETWORKD') == 1
'80-wifi-station.network.example',
)
+ install_data(
+ example_network_files,
+ install_dir : networkdir)
+
if get_option('default-network')
foreach f : example_network_files
install_data(
@@ -25,12 +29,7 @@ if conf.get('ENABLE_NETWORKD') == 1
rename : fs.replace_suffix(fs.name(f), ''),
install_dir : networkdir)
endforeach
- else
- install_data(
- example_network_files,
- install_dir : networkdir)
endif
-
endif
install_data('99-default.link',

45
0001-units-disable-start-rate-limit-for-systemd-vconsole-.patch
View File

@ -1,45 +0,0 @@
From 4704176795c167d49f87dfea79193913e6c6d939 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
Date: Sat, 25 Nov 2023 13:27:17 +0100
Subject: [PATCH] units: disable start rate limit for
systemd-vconsole-setup.service
The unit will be started or restarted a few times during boot, but but it has
StartLimitBurst = DefaultStartLimitBurst = 5, which means that the fifth
restart will already fail. On my laptop, I have exactly 4 restarts, so I don't
hit the limit, but on a slightly different system we will easily hit the limit.
In https://bugzilla.redhat.com/show_bug.cgi?id=2251394, there are five reloads
and we hit the limit.
Since 6ef512c0bb7aeb2000588d7d05e23b4681da8657 we propagate the start counter
over switch-root and daemon reloads, so it's easier to hit the limit during
boot.
In principle there might be systems with lots of vtcon devices, so let's just
allow the unit to be restarted without a limit.
Fixes https://bugzilla.redhat.com/show_bug.cgi?id=2251394.
---
units/systemd-vconsole-setup.service.in | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/units/systemd-vconsole-setup.service.in b/units/systemd-vconsole-setup.service.in
index 3475d456bc..c6c5bc9130 100644
--- a/units/systemd-vconsole-setup.service.in
+++ b/units/systemd-vconsole-setup.service.in
@@ -17,6 +17,12 @@ DefaultDependencies=no
Before=sysinit.target
Before=initrd-switch-root.target shutdown.target
+# This unit will be restarted by udev whenever a new vtcon device appears or is
+# triggered. Usually that happens just a handful of times during boot, but some
+# systems may have hundreds or thousands of serial consoles connected, so let's
+# just disable the limit altogether.
+StartLimitIntervalSec=0
+
[Service]
Type=oneshot
# This service will be restarted by udev whenever a new vtcon device appears.
--
2.43.0

92
0002-core-remove-redundant-check-when-serializing-FDs.patch
View File

@ -1,92 +0,0 @@
From 2d042c75ffb71f59ebd4689c3972786c29b4bf51 Mon Sep 17 00:00:00 2001
From: Luca Boccassi <bluca@debian.org>
Date: Thu, 23 Nov 2023 19:14:45 +0000
Subject: [PATCH 2/3] core: remove redundant check when serializing FDs
The helpers already skip if the FD is < 0
---
src/core/execute-serialize.c | 50 ++++++++++++++----------------------
1 file changed, 19 insertions(+), 31 deletions(-)
diff --git a/src/core/execute-serialize.c b/src/core/execute-serialize.c
index 60c121a0d1..56c4f4da8a 100644
--- a/src/core/execute-serialize.c
+++ b/src/core/execute-serialize.c
@@ -1274,11 +1274,9 @@ static int exec_parameters_serialize(const ExecParameters *p, const ExecContext
return r;
}
- if (p->n_socket_fds + p->n_storage_fds > 0) {
- r = serialize_fd_many(f, fds, "exec-parameters-fds", p->fds, p->n_socket_fds + p->n_storage_fds);
- if (r < 0)
- return r;
- }
+ r = serialize_fd_many(f, fds, "exec-parameters-fds", p->fds, p->n_socket_fds + p->n_storage_fds);
+ if (r < 0)
+ return r;
}
r = serialize_strv(f, "exec-parameters-fd-names", p->fd_names);
@@ -1351,31 +1349,23 @@ static int exec_parameters_serialize(const ExecParameters *p, const ExecContext
return r;
}
- if (p->stdin_fd >= 0) {
- r = serialize_fd(f, fds, "exec-parameters-stdin-fd", p->stdin_fd);
- if (r < 0)
- return r;
- }
+ r = serialize_fd(f, fds, "exec-parameters-stdin-fd", p->stdin_fd);
+ if (r < 0)
+ return r;
- if (p->stdout_fd >= 0) {
- r = serialize_fd(f, fds, "exec-parameters-stdout-fd", p->stdout_fd);
- if (r < 0)
- return r;
- }
+ r = serialize_fd(f, fds, "exec-parameters-stdout-fd", p->stdout_fd);
+ if (r < 0)
+ return r;
- if (p->stderr_fd >= 0) {
- r = serialize_fd(f, fds, "exec-parameters-stderr-fd", p->stderr_fd);
- if (r < 0)
- return r;
- }
+ r = serialize_fd(f, fds, "exec-parameters-stderr-fd", p->stderr_fd);
+ if (r < 0)
+ return r;
- if (p->exec_fd >= 0) {
- r = serialize_fd(f, fds, "exec-parameters-exec-fd", p->exec_fd);
- if (r < 0)
- return r;
- }
+ r = serialize_fd(f, fds, "exec-parameters-exec-fd", p->exec_fd);
+ if (r < 0)
+ return r;
- if (c && exec_context_restrict_filesystems_set(c) && p->bpf_outer_map_fd >= 0) {
+ if (c && exec_context_restrict_filesystems_set(c)) {
r = serialize_fd(f, fds, "exec-parameters-bpf-outer-map-fd", p->bpf_outer_map_fd);
if (r < 0)
return r;
@@ -1401,11 +1391,9 @@ static int exec_parameters_serialize(const ExecParameters *p, const ExecContext
if (r < 0)
return r;
- if (p->user_lookup_fd >= 0) {
- r = serialize_fd(f, fds, "exec-parameters-user-lookup-fd", p->user_lookup_fd);
- if (r < 0)
- return r;
- }
+ r = serialize_fd(f, fds, "exec-parameters-user-lookup-fd", p->user_lookup_fd);
+ if (r < 0)
+ return r;
r = serialize_strv(f, "exec-parameters-files-env", p->files_env);
if (r < 0)
--
2.43.0

89
0003-test-add-a-couple-of-tests-for-RestrictFileSystems.patch
View File

@ -1,89 +0,0 @@
From 4a43c2b3a1066247f26d8a6e52ebfc40852a5f7e Mon Sep 17 00:00:00 2001
From: Frantisek Sumsal <frantisek@sumsal.cz>
Date: Fri, 24 Nov 2023 16:00:15 +0100
Subject: [PATCH 3/3] test: add a couple of tests for RestrictFileSystems=
---
test/units/testsuite-07.exec-context.sh | 31 +++++++++++++++++++++++++
test/units/util.sh | 19 +++++++++++++++
2 files changed, 50 insertions(+)
diff --git a/test/units/testsuite-07.exec-context.sh b/test/units/testsuite-07.exec-context.sh
index b4118d2fe8..10b425359d 100755
--- a/test/units/testsuite-07.exec-context.sh
+++ b/test/units/testsuite-07.exec-context.sh
@@ -4,6 +4,9 @@
set -eux
set -o pipefail
+# shellcheck source=test/units/util.sh
+. "$(dirname "$0")"/util.sh
+
# Make sure the unit's exec context matches its configuration
# See: https://github.com/systemd/systemd/pull/29552
@@ -284,6 +287,34 @@ systemd-run --wait --pipe "${ARGUMENTS[@]}" \
ulimit -R || exit 0;
: RTTIME; [[ $(ulimit -SR) -eq 666666 ]]; [[ $(ulimit -HR) -eq 666666 ]];'
+# RestrictFileSystems=
+#
+# Note: running instrumented binaries requires at least /proc to be accessible, so let's
+# skip the test when we're running under sanitizers
+if [[ ! -v ASAN_OPTIONS ]] && systemctl --version | grep "+BPF_FRAMEWORK" && kernel_supports_lsm bpf; then
+ ROOTFS="$(df --output=fstype /usr/bin | sed --quiet 2p)"
+ systemd-run --wait --pipe -p RestrictFileSystems="" ls /
+ systemd-run --wait --pipe -p RestrictFileSystems="$ROOTFS foo bar" ls /
+ (! systemd-run --wait --pipe -p RestrictFileSystems="$ROOTFS" ls /proc)
+ (! systemd-run --wait --pipe -p RestrictFileSystems="foo" ls /)
+ systemd-run --wait --pipe -p RestrictFileSystems="$ROOTFS foo bar baz proc" ls /proc
+ systemd-run --wait --pipe -p RestrictFileSystems="$ROOTFS @foo @basic-api" ls /proc
+ systemd-run --wait --pipe -p RestrictFileSystems="$ROOTFS @foo @basic-api" ls /sys/fs/cgroup
+
+ systemd-run --wait --pipe -p RestrictFileSystems="~" ls /
+ systemd-run --wait --pipe -p RestrictFileSystems="~proc" ls /
+ systemd-run --wait --pipe -p RestrictFileSystems="~@basic-api" ls /
+ (! systemd-run --wait --pipe -p RestrictFileSystems="~$ROOTFS" ls /)
+ (! systemd-run --wait --pipe -p RestrictFileSystems="~proc" ls /proc)
+ (! systemd-run --wait --pipe -p RestrictFileSystems="~@basic-api" ls /proc)
+ (! systemd-run --wait --pipe -p RestrictFileSystems="~proc foo @bar @basic-api" ls /proc)
+ (! systemd-run --wait --pipe -p RestrictFileSystems="~proc foo @bar @basic-api" ls /sys)
+ systemd-run --wait --pipe -p RestrictFileSystems="~proc devtmpfs sysfs" ls /
+ (! systemd-run --wait --pipe -p RestrictFileSystems="~proc devtmpfs sysfs" ls /proc)
+ (! systemd-run --wait --pipe -p RestrictFileSystems="~proc devtmpfs sysfs" ls /dev)
+ (! systemd-run --wait --pipe -p RestrictFileSystems="~proc devtmpfs sysfs" ls /sys)
+fi
+
# Ensure that clean-up codepaths work correctly if activation ultimately fails
touch /run/not-a-directory
mkdir /tmp/root
diff --git a/test/units/util.sh b/test/units/util.sh
index fdfb91f8c6..b5ed73237c 100755
--- a/test/units/util.sh
+++ b/test/units/util.sh
@@ -197,3 +197,22 @@ openssl_supports_kdf() {
# but let's do that when/if the need arises
openssl kdf -keylen 16 -kdfopt digest:SHA2-256 -kdfopt key:foo -out /dev/null "$kdf"
}
+
+kernel_supports_lsm() {
+ local lsm="${1:?}"
+ local items item
+
+ if [[ ! -e /sys/kernel/security/lsm ]]; then
+ echo "/sys/kernel/security/lsm doesn't exist, assuming $lsm is not supported"
+ return 1
+ fi
+
+ mapfile -t -d, items </sys/kernel/security/lsm
+ for item in "${items[@]}"; do
+ if [[ "$item" == "$lsm" ]]; then
+ return 0
+ fi
+ done
+
+ return 1
+}
--
2.43.0

20
systemd.spec
View File

@ -35,7 +35,7 @@
Name: systemd
Url: https://systemd.io
%if %{without inplace}
Version: 255~rc3
Version: 255~rc4
%else
# determine the build information from local checkout
Version: %(tools/meson-vcs-tag.sh . error | sed -r 's/-([0-9])/.^\1/; s/-g/_g/')
@ -105,24 +105,6 @@ GIT_DIR=../../src/systemd/.git git diffab -M v233..master@{2017-06-15} -- hwdb/[
# Drop when dracut-060 is available.
Patch0001: https://github.com/systemd/systemd/pull/26494.patch
Patch0002: 0001-meson-always-install-network-example-files.patch
# https://github.com/systemd/systemd/pull/30197
# https://bugzilla.redhat.com/show_bug.cgi?id=2251394
# Drop vconsole restart limit to prevent it sometimes failing on boot
Patch0003: 0001-units-disable-start-rate-limit-for-systemd-vconsole-.patch
# https://github.com/systemd/systemd/pull/30170
# https://bugzilla.redhat.com/show_bug.cgi?id=2250930
# restrict use of bpf_outer_map_fd to help avoid selinux denials
Patch0004: 0001-core-pass-bpf_outer_map_fd-to-sd-executor-only-if-Re.patch
Patch0005: 0002-core-remove-redundant-check-when-serializing-FDs.patch
Patch0006: 0003-test-add-a-couple-of-tests-for-RestrictFileSystems.patch
# https://github.com/systemd/systemd/pull/30266
# https://bugzilla.redhat.com/show_bug.cgi?id=2250930
# close bpf_outer_map_fd to avoid selinux denials
Patch0007: 0001-Make-sure-we-close-bpf-outer-map-fd-in-systemd-execu.patch
# Those are downstream-only patches, but we don't want them in packit builds:
# https://bugzilla.redhat.com/show_bug.cgi?id=1738828