diff --git a/0001-logind-set-RemoveIPC-to-false-by-default.patch b/0001-logind-set-RemoveIPC-to-false-by-default.patch index bc767e4..e4709e6 100644 --- a/0001-logind-set-RemoveIPC-to-false-by-default.patch +++ b/0001-logind-set-RemoveIPC-to-false-by-default.patch @@ -1,4 +1,4 @@ -From 6897f6efe6d7cee90a817bb31f25e0b4dbb0e370 Mon Sep 17 00:00:00 2001 +From 5ce0a9b91add22f2a21f1bc7c0f888307f7e58e8 Mon Sep 17 00:00:00 2001 From: rpm-build Date: Wed, 1 Aug 2018 10:58:28 +0200 Subject: [PATCH] logind: set RemoveIPC to false by default @@ -28,7 +28,7 @@ index be62b6b572..bec7ff44af 100644 diff --git a/src/login/logind-core.c b/src/login/logind-core.c -index 2ecf2120fd..9ad411c575 100644 +index 22031f485a..f5e1126adc 100644 --- a/src/login/logind-core.c +++ b/src/login/logind-core.c @@ -34,7 +34,7 @@ void manager_reset_config(Manager *m) { @@ -41,7 +41,7 @@ index 2ecf2120fd..9ad411c575 100644 m->user_stop_delay = 10 * USEC_PER_SEC; diff --git a/src/login/logind.conf.in b/src/login/logind.conf.in -index 76f529c176..b936b6e62d 100644 +index 27ba77ce79..f9c5099865 100644 --- a/src/login/logind.conf.in +++ b/src/login/logind.conf.in @@ -39,6 +39,6 @@ diff --git a/0001-rfkill-don-t-compare-values-of-different-signedness.patch b/0001-rfkill-don-t-compare-values-of-different-signedness.patch deleted file mode 100644 index b534b07..0000000 --- a/0001-rfkill-don-t-compare-values-of-different-signedness.patch +++ /dev/null 
@@ -1,53 +0,0 @@ -From 01095757986d9c93151cab01bb39d888c2094a78 Mon Sep 17 00:00:00 2001 -From: Michal Sekletar -Date: Thu, 13 May 2021 10:52:42 +0200 -Subject: [PATCH] rfkill: don't compare values of different signedness -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -RFKILL_EVENT_SIZE_V1 is defined as follows in . - - #define RFKILL_EVENT_SIZE_V1 sizeof(struct rfkill_event) - -Avoid warning by casting l to size_t. In both cases we are guaranteed that l can't -be negative hence casting to size_t is fine to do. - -../src/rfkill/rfkill.c: In function ‘load_state’: -../src/rfkill/rfkill.c:180:15: warning: comparison of integer expressions of different signedness: ‘ssize_t’ {aka ‘long int’} and ‘long unsigned int’ [-Wsign-compare] - 180 | if (l < RFKILL_EVENT_SIZE_V1) - | ^ - -../src/rfkill/rfkill.c: In function ‘run’: ../src/rfkill/rfkill.c:338:23: warning: comparison of integer expressions of different signedness: ‘ssize_t’ {aka ‘long int’} and ‘long unsigned int’ [-Wsign-compare] - 338 | if (l < RFKILL_EVENT_SIZE_V1) - | ^ - -gcc-11.0.1-0.3.1.el9.x86_64 - -Related: #1931710 ---- - src/rfkill/rfkill.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/src/rfkill/rfkill.c b/src/rfkill/rfkill.c -index e2d1a1be5f..6126e9b0c4 100644 ---- a/src/rfkill/rfkill.c -+++ b/src/rfkill/rfkill.c -@@ -177,7 +177,7 @@ static int load_state(Context *c, const struct rfkill_event *event) { - ssize_t l = write(c->rfkill_fd, &we, sizeof we); - if (l < 0) - return log_error_errno(errno, "Failed to restore rfkill state for %i: %m", event->idx); -- if (l < RFKILL_EVENT_SIZE_V1) -+ if ((size_t) l < RFKILL_EVENT_SIZE_V1) - return log_error_errno(SYNTHETIC_ERRNO(EIO), - "Couldn't write rfkill event structure, too short (wrote %zd of %zu bytes).", - l, sizeof we); -@@ -335,7 +335,7 @@ static int run(int argc, char *argv[]) { - break; - } - -- if (l < RFKILL_EVENT_SIZE_V1) -+ if ((size_t) l < RFKILL_EVENT_SIZE_V1) - return 
log_error_errno(SYNTHETIC_ERRNO(EIO), "Short read of struct rfkill_event: (%zd < %d)", - l, RFKILL_EVENT_SIZE_V1); - log_debug("Reading struct rfkill_event: got %zd bytes.", l); diff --git a/0002-basic-unit-name-do-not-use-strdupa-on-a-path.patch b/0002-basic-unit-name-do-not-use-strdupa-on-a-path.patch new file mode 100644 index 0000000..dd0f6bc --- /dev/null +++ b/0002-basic-unit-name-do-not-use-strdupa-on-a-path.patch 
@@ -0,0 +1,65 @@ +From d00c14d513bbac6562a5921a2be225cfcc4f794f Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Wed, 23 Jun 2021 11:46:41 +0200 +Subject: [PATCH] basic/unit-name: do not use strdupa() on a path + +The path may have unbounded length, for example through a fuse mount. + +CVE-2021-33910: attacked controlled alloca() leads to crash in systemd and +ultimately a kernel panic. Systemd parses the content of /proc/self/mountinfo +and each mountpoint is passed to mount_setup_unit(), which calls +unit_name_path_escape() underneath. A local attacker who is able to mount a +filesystem with a very long path can crash systemd and the whole system. + +https://bugzilla.redhat.com/show_bug.cgi?id=1970887 + +The resulting string length is bounded by UNIT_NAME_MAX, which is 256. But we +can't easily check the length after simplification before doing the +simplification, which in turns uses a copy of the string we can write to. +So we can't reject paths that are too long before doing the duplication. +Hence the most obvious solution is to switch back to strdup(), as before +7410616cd9dbbec97cf98d75324da5cda2b2f7a2. 
+ +Resolves: #1984299 + +(cherry picked from commit 441e0115646d54f080e5c3bb0ba477c892861ab9) +--- + src/basic/unit-name.c | 13 +++++-------- + 1 file changed, 5 insertions(+), 8 deletions(-) + +diff --git a/src/basic/unit-name.c b/src/basic/unit-name.c +index 284a773483..a22763443f 100644 +--- a/src/basic/unit-name.c ++++ b/src/basic/unit-name.c +@@ -378,12 +378,13 @@ int unit_name_unescape(const char *f, char **ret) { + } + + int unit_name_path_escape(const char *f, char **ret) { +- char *p, *s; ++ _cleanup_free_ char *p = NULL; ++ char *s; + + assert(f); + assert(ret); + +- p = strdupa(f); ++ p = strdup(f); + if (!p) + return -ENOMEM; + +@@ -395,13 +396,9 @@ int unit_name_path_escape(const char *f, char **ret) { + if (!path_is_normalized(p)) + return -EINVAL; + +- /* Truncate trailing slashes */ ++ /* Truncate trailing slashes and skip leading slashes */ + delete_trailing_chars(p, "/"); +- +- /* Truncate leading slashes */ +- p = skip_leading_chars(p, "/"); +- +- s = unit_name_escape(p); ++ s = unit_name_escape(skip_leading_chars(p, "/")); + } + if (!s) + return -ENOMEM; diff --git a/0002-rfkill-fix-the-format-string-to-prevent-compilation-.patch b/0002-rfkill-fix-the-format-string-to-prevent-compilation-.patch deleted file mode 100644 index 4b01401..0000000 --- a/0002-rfkill-fix-the-format-string-to-prevent-compilation-.patch +++ /dev/null 
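Review bot: The fold of `skip_leading_chars()` into the `unit_name_escape()` argument is load-bearing — `p` is now `_cleanup_free_`, so it must keep pointing at the start of the `strdup()` allocation — yet the only comment touched, `/* Truncate trailing slashes and skip leading slashes */`, does not say so, and a later "simplification" back to `p = skip_leading_chars(p, "/")` would hand an interior pointer to free(). Suggest extending it to `/* Truncate trailing slashes and skip leading slashes; p must stay at the allocation start because _cleanup_free_ frees it */`. `unit_name_path_escape()` continues past the end of this hunk, and the 0003 patch added by the same commit has this patch's post-image (`index 284a773483..a22763443f`) as its pre-image, so the two must stay applied in this order.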
@@ -1,30 +0,0 @@ -From 54f0c86b083a4782e37754d3bbe27d4d81c53d23 Mon Sep 17 00:00:00 2001 -From: Michal Sekletar -Date: Thu, 13 May 2021 12:10:00 +0200 -Subject: [PATCH] rfkill: fix the format string to prevent compilation error -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -../src/rfkill/rfkill.c:339:70: error: format ‘%d’ expects argument of type ‘int’, but argument 8 has type ‘long unsigned int’ [-Werror=format=] - 339 | return log_error_errno(SYNTHETIC_ERRNO(EIO), "Short read of struct rfkill_event: (%zd < %d)", - | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -Resolves: #1931710 ---- - src/rfkill/rfkill.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/rfkill/rfkill.c b/src/rfkill/rfkill.c -index 6126e9b0c4..0b6ba65c3a 100644 ---- a/src/rfkill/rfkill.c -+++ b/src/rfkill/rfkill.c -@@ -336,7 +336,7 @@ static int run(int argc, char *argv[]) { - } - - if ((size_t) l < RFKILL_EVENT_SIZE_V1) -- return log_error_errno(SYNTHETIC_ERRNO(EIO), "Short read of struct rfkill_event: (%zd < %d)", -+ return log_error_errno(SYNTHETIC_ERRNO(EIO), "Short read of struct rfkill_event: (%zd < %lu)", - l, RFKILL_EVENT_SIZE_V1); - log_debug("Reading struct rfkill_event: got %zd bytes.", l); - diff --git a/0003-basic-unit-name-adjust-comments.patch b/0003-basic-unit-name-adjust-comments.patch new file mode 100644 index 0000000..9c97b6b --- /dev/null +++ b/0003-basic-unit-name-adjust-comments.patch 
@@ -0,0 +1,39 @@ +From 10a1e767c7bacca5da4ae7260c2a53f7949c3d7e Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Wed, 23 Jun 2021 11:52:56 +0200 +Subject: [PATCH] basic/unit-name: adjust comments +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +We already checked for "too long" right above… + +Related: #1984299 + +(cherry picked from commit 4e2544c30bfb95e7cb4d1551ba066b1a56520ad6) +--- + src/basic/unit-name.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/basic/unit-name.c b/src/basic/unit-name.c +index a22763443f..1deead7458 100644 +--- a/src/basic/unit-name.c ++++ b/src/basic/unit-name.c +@@ -528,7 +528,7 @@ int unit_name_from_path(const char *path, const char *suffix, char **ret) { + if (strlen(s) >= UNIT_NAME_MAX) /* Return a slightly more descriptive error for this specific condition */ + return -ENAMETOOLONG; + +- /* Refuse this if this got too long or for some other reason didn't result in a valid name */ ++ /* Refuse if this for some other reason didn't result in a valid name */ + if (!unit_name_is_valid(s, UNIT_NAME_PLAIN)) + return -EINVAL; + +@@ -562,7 +562,7 @@ int unit_name_from_path_instance(const char *prefix, const char *path, const cha + if (strlen(s) >= UNIT_NAME_MAX) /* Return a slightly more descriptive error for this specific condition */ + return -ENAMETOOLONG; + +- /* Refuse this if this got too long or for some other reason didn't result in a valid name */ ++ /* Refuse if this for some other reason didn't result in a valid name */ + if (!unit_name_is_valid(s, UNIT_NAME_INSTANCE)) + return -EINVAL; + diff --git a/0004-Revert-rfkill-fix-the-format-string-to-prevent-compi.patch b/0004-Revert-rfkill-fix-the-format-string-to-prevent-compi.patch deleted file mode 100644 index 238b94f..0000000 --- a/0004-Revert-rfkill-fix-the-format-string-to-prevent-compi.patch +++ /dev/null 
@@ -1,26 +0,0 @@ -From 1a19da5c83ee7775a98324aeff69b06b811e6784 Mon Sep 17 00:00:00 2001 -From: Frantisek Sumsal -Date: Fri, 14 May 2021 16:25:51 +0200 -Subject: [PATCH] Revert "rfkill: fix the format string to prevent compilation - error" - -This reverts commit 54f0c86b083a4782e37754d3bbe27d4d81c53d23. - -Resolves: #1931710 ---- - src/rfkill/rfkill.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/rfkill/rfkill.c b/src/rfkill/rfkill.c -index 0b6ba65c3a..6126e9b0c4 100644 ---- a/src/rfkill/rfkill.c -+++ b/src/rfkill/rfkill.c -@@ -336,7 +336,7 @@ static int run(int argc, char *argv[]) { - } - - if ((size_t) l < RFKILL_EVENT_SIZE_V1) -- return log_error_errno(SYNTHETIC_ERRNO(EIO), "Short read of struct rfkill_event: (%zd < %lu)", -+ return log_error_errno(SYNTHETIC_ERRNO(EIO), "Short read of struct rfkill_event: (%zd < %d)", - l, RFKILL_EVENT_SIZE_V1); - log_debug("Reading struct rfkill_event: got %zd bytes.", l); - diff --git a/0004-tmpfiles-don-t-create-resolv.conf-stub-resolv.conf-s.patch b/0004-tmpfiles-don-t-create-resolv.conf-stub-resolv.conf-s.patch new file mode 100644 index 0000000..118e7da --- /dev/null +++ b/0004-tmpfiles-don-t-create-resolv.conf-stub-resolv.conf-s.patch 
@@ -0,0 +1,27 @@ +From ae1b3df445f9f9e27fa6a42602d4eb1db92df7a0 Mon Sep 17 00:00:00 2001 +From: Michal Sekletar +Date: Thu, 5 Aug 2021 17:11:47 +0200 +Subject: [PATCH] tmpfiles: don't create resolv.conf -> stub-resolv.conf + symlink + +RHEL-only + +Resolves: #1989472 +--- + tmpfiles.d/etc.conf.in | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/tmpfiles.d/etc.conf.in b/tmpfiles.d/etc.conf.in +index 2323fd8cd8..ebdc699c26 100644 +--- a/tmpfiles.d/etc.conf.in ++++ b/tmpfiles.d/etc.conf.in +@@ -12,9 +12,6 @@ L+ /etc/mtab - - - - ../proc/self/mounts + {% if HAVE_SMACK_RUN_LABEL %} + t /etc/mtab - - - - security.SMACK64=_ + {% endif %} +-{% if ENABLE_RESOLVE %} +-L! /etc/resolv.conf - - - - ../run/systemd/resolve/stub-resolv.conf +-{% endif %} + C! /etc/nsswitch.conf - - - - + {% if HAVE_PAM %} + C! /etc/pam.d - - - - diff --git a/0005-Copy-40-redhat.rules-from-RHEL-8.patch b/0005-Copy-40-redhat.rules-from-RHEL-8.patch new file mode 100644 index 0000000..9ed88a8 --- /dev/null +++ b/0005-Copy-40-redhat.rules-from-RHEL-8.patch 
@@ -0,0 +1,78 @@ +From ddf558cda4afe6b81586887bcbb8d0ea376c7e71 Mon Sep 17 00:00:00 2001 +From: David Tardon +Date: Fri, 2 Jul 2021 13:25:51 +0200 +Subject: [PATCH] Copy 40-redhat.rules from RHEL-8 + +RHEL-only + +Resolves: #1978639 +--- + rules.d/40-redhat.rules | 46 +++++++++++++++++++++++++++++++++++++++++ + rules.d/meson.build | 1 + + 2 files changed, 47 insertions(+) + create mode 100644 rules.d/40-redhat.rules + +diff --git a/rules.d/40-redhat.rules b/rules.d/40-redhat.rules +new file mode 100644 +index 0000000000..3c95cd2df0 +--- /dev/null ++++ b/rules.d/40-redhat.rules +@@ -0,0 +1,46 @@ ++# do not edit this file, it will be overwritten on update ++ ++# CPU hotadd request ++SUBSYSTEM=="cpu", ACTION=="add", TEST=="online", ATTR{online}=="0", ATTR{online}="1" ++ ++# Memory hotadd request ++SUBSYSTEM!="memory", GOTO="memory_hotplug_end" ++ACTION!="add", GOTO="memory_hotplug_end" ++CONST{arch}=="s390*", GOTO="memory_hotplug_end" ++CONST{arch}=="ppc64*", GOTO="memory_hotplug_end" ++ ++ENV{.state}="online" ++CONST{virt}=="none", ENV{.state}="online_movable" ++ATTR{state}=="offline", ATTR{state}="$env{.state}" ++ ++LABEL="memory_hotplug_end" ++ ++# reload sysctl.conf / sysctl.conf.d settings when the bridge module is loaded ++ACTION=="add", SUBSYSTEM=="module", KERNEL=="bridge", RUN+="/usr/lib/systemd/systemd-sysctl --prefix=/proc/sys/net/bridge" ++ ++# load SCSI generic (sg) driver ++SUBSYSTEM=="scsi", ENV{DEVTYPE}=="scsi_device", TEST!="[module/sg]", RUN+="/sbin/modprobe -bv sg" ++SUBSYSTEM=="scsi", ENV{DEVTYPE}=="scsi_target", TEST!="[module/sg]", RUN+="/sbin/modprobe -bv sg" ++ ++# Rule for prandom character device node permissions ++KERNEL=="prandom", MODE="0644" ++ ++# Rules for creating the ID_PATH for SCSI devices based on the CCW bus ++# using the form: ccw--zfcp-: ++# ++ACTION=="remove", GOTO="zfcp_scsi_device_end" ++ ++# ++# Set environment variable "ID_ZFCP_BUS" to "1" if the devices ++# (both disk and partition) are SCSI devices based on FCP devices 
++# ++KERNEL=="sd*", SUBSYSTEMS=="ccw", DRIVERS=="zfcp", ENV{.ID_ZFCP_BUS}="1" ++ ++# For SCSI disks ++KERNEL=="sd*[!0-9]", SUBSYSTEMS=="scsi", ENV{.ID_ZFCP_BUS}=="1", ENV{DEVTYPE}=="disk", SYMLINK+="disk/by-path/ccw-$attr{hba_id}-zfcp-$attr{wwpn}:$attr{fcp_lun}" ++ ++ ++# For partitions on a SCSI disk ++KERNEL=="sd*[0-9]", SUBSYSTEMS=="scsi", ENV{.ID_ZFCP_BUS}=="1", ENV{DEVTYPE}=="partition", SYMLINK+="disk/by-path/ccw-$attr{hba_id}-zfcp-$attr{wwpn}:$attr{fcp_lun}-part%n" ++ ++LABEL="zfcp_scsi_device_end" +diff --git a/rules.d/meson.build b/rules.d/meson.build +index 598649a562..72632979fa 100644 +--- a/rules.d/meson.build ++++ b/rules.d/meson.build +@@ -5,6 +5,7 @@ install_data( + install_dir : udevrulesdir) + + rules = files(''' ++ 40-redhat.rules + 60-autosuspend.rules + 60-block.rules + 60-cdrom_id.rules diff --git a/0005-Revert-rfkill-don-t-compare-values-of-different-sign.patch b/0005-Revert-rfkill-don-t-compare-values-of-different-sign.patch deleted file mode 100644 index 12fa532..0000000 --- a/0005-Revert-rfkill-don-t-compare-values-of-different-sign.patch +++ /dev/null 
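Review bot: The comment introducing the zfcp rules, `# using the form: ccw--zfcp-:`, has no placeholders between `ccw-` and `-zfcp-` (at least as rendered here; bracketed names may have been lost in transit), so it no longer says what the path symlink looks like, while the two `SYMLINK+=` lines below fix it exactly; making the comment self-describing as `# using the form: ccw-$attr{hba_id}-zfcp-$attr{wwpn}:$attr{fcp_lun}` removes the ambiguity. In the memory-hotplug block, `CONST{virt}=="none", ENV{.state}="online_movable"` is the only rule that distinguishes bare metal from guests and nothing in the file says why guests stay on plain `online`; a one-line comment on that rule would spare the next maintainer a trip to the RHEL-8 history the commit message points at. Both are documentation-only; the rules themselves read as intended.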
@@ -1,34 +0,0 @@ -From 0f0bf5f2adef31405a51a470d1ce268390cf403c Mon Sep 17 00:00:00 2001 -From: Frantisek Sumsal -Date: Fri, 14 May 2021 16:25:52 +0200 -Subject: [PATCH] Revert "rfkill: don't compare values of different signedness" - -This reverts commit 01095757986d9c93151cab01bb39d888c2094a78. - -Resolves: #1931710 ---- - src/rfkill/rfkill.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/src/rfkill/rfkill.c b/src/rfkill/rfkill.c -index 6126e9b0c4..e2d1a1be5f 100644 ---- a/src/rfkill/rfkill.c -+++ b/src/rfkill/rfkill.c -@@ -177,7 +177,7 @@ static int load_state(Context *c, const struct rfkill_event *event) { - ssize_t l = write(c->rfkill_fd, &we, sizeof we); - if (l < 0) - return log_error_errno(errno, "Failed to restore rfkill state for %i: %m", event->idx); -- if ((size_t) l < RFKILL_EVENT_SIZE_V1) -+ if (l < RFKILL_EVENT_SIZE_V1) - return log_error_errno(SYNTHETIC_ERRNO(EIO), - "Couldn't write rfkill event structure, too short (wrote %zd of %zu bytes).", - l, sizeof we); -@@ -335,7 +335,7 @@ static int run(int argc, char *argv[]) { - break; - } - -- if ((size_t) l < RFKILL_EVENT_SIZE_V1) -+ if (l < RFKILL_EVENT_SIZE_V1) - return log_error_errno(SYNTHETIC_ERRNO(EIO), "Short read of struct rfkill_event: (%zd < %d)", - l, RFKILL_EVENT_SIZE_V1); - log_debug("Reading struct rfkill_event: got %zd bytes.", l); diff --git a/0006-Avoid-tmp-being-mounted-as-tmpfs-without-the-user-s-.patch b/0006-Avoid-tmp-being-mounted-as-tmpfs-without-the-user-s-.patch new file mode 100644 index 0000000..9d16eb4 --- /dev/null +++ b/0006-Avoid-tmp-being-mounted-as-tmpfs-without-the-user-s-.patch 
@@ -0,0 +1,47 @@ +From d77095927682f5a6921d3825256743eb8f5e6e1b Mon Sep 17 00:00:00 2001 +From: Jan Synacek +Date: Tue, 15 May 2018 09:24:20 +0200 +Subject: [PATCH] Avoid /tmp being mounted as tmpfs without the user's will + +Ensure PrivateTmp doesn't require tmpfs through tmp.mount, but rather +adds an After relationship. + +RHEL-only + +Resolves: #1959826 + +(cherry picked from commit f58c5ced373c2532b5cc44ba2e0c3a28b41472f2) +--- + src/core/unit.c | 7 +------ + units/basic.target | 3 ++- + 2 files changed, 3 insertions(+), 7 deletions(-) + +diff --git a/src/core/unit.c b/src/core/unit.c +index 30afd5a776..d9cd0c229a 100644 +--- a/src/core/unit.c ++++ b/src/core/unit.c +@@ -1266,12 +1266,7 @@ int unit_add_exec_dependencies(Unit *u, ExecContext *c) { + } + + if (c->private_tmp) { +- +- /* FIXME: for now we make a special case for /tmp and add a weak dependency on +- * tmp.mount so /tmp being masked is supported. However there's no reason to treat +- * /tmp specifically and masking other mount units should be handled more +- * gracefully too, see PR#16894. */ +- r = unit_add_two_dependencies_by_name(u, UNIT_AFTER, UNIT_WANTS, "tmp.mount", true, UNIT_DEPENDENCY_FILE); ++ r = unit_add_dependency_by_name(u, UNIT_AFTER, "tmp.mount", true, UNIT_DEPENDENCY_FILE); + if (r < 0) + return r; + +diff --git a/units/basic.target b/units/basic.target +index d8cdd5ac14..9eae0782a2 100644 +--- a/units/basic.target ++++ b/units/basic.target +@@ -19,4 +19,5 @@ After=sysinit.target sockets.target paths.target slices.target tmp.mount + # require /var and /var/tmp, but only add a Wants= type dependency on /tmp, as + # we support that unit being masked, and this should not be considered an error. + RequiresMountsFor=/var /var/tmp +-Wants=tmp.mount ++# RHEL-only: Disable /tmp on tmpfs. ++#Wants=tmp.mount 
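Review bot: In `units/basic.target` the two context lines directly above the change still read `# require /var and /var/tmp, but only add a Wants= type dependency on /tmp, as we support that unit being masked`, but the `Wants=tmp.mount` they describe is now commented out, so the comment documents a dependency the unit no longer declares; rewrite it to say that only the `After=tmp.mount` ordering is kept and that `/tmp` is deliberately not pulled in. In `src/core/unit.c` the hunk drops the FIXME explaining why `/tmp` is special-cased and leaves a bare `unit_add_dependency_by_name(u, UNIT_AFTER, "tmp.mount", ...)` call; a short comment such as `/* RHEL-only: order after tmp.mount but do not pull it in, so /tmp need not be a tmpfs (see basic.target) */` keeps the intent visible in the code rather than only in the patch header. `unit_add_exec_dependencies()` continues beyond the hunk.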
diff --git a/0006-rfkill-add-some-casts-to-silence-Werror-sign-compare.patch b/0006-rfkill-add-some-casts-to-silence-Werror-sign-compare.patch deleted file mode 100644 index 9b4fef2..0000000 --- a/0006-rfkill-add-some-casts-to-silence-Werror-sign-compare.patch +++ /dev/null 
@@ -1,38 +0,0 @@ -From 4b396f2546551c81621531d913e0dfab41be522c Mon Sep 17 00:00:00 2001 -From: Luca Boccassi -Date: Tue, 13 Apr 2021 13:17:53 +0100 -Subject: [PATCH] rfkill: add some casts to silence -Werror=sign-compare - -(cherry picked from commit ab1aa6368a883bce88e3162fee2bea14aacedf23) - -Resolves: #1931710 ---- - src/rfkill/rfkill.c | 8 ++++---- - 1 file changed, 4 insertions(+), 4 deletions(-) - -diff --git a/src/rfkill/rfkill.c b/src/rfkill/rfkill.c -index e2d1a1be5f..bff1a2886b 100644 ---- a/src/rfkill/rfkill.c -+++ b/src/rfkill/rfkill.c -@@ -177,7 +177,7 @@ static int load_state(Context *c, const struct rfkill_event *event) { - ssize_t l = write(c->rfkill_fd, &we, sizeof we); - if (l < 0) - return log_error_errno(errno, "Failed to restore rfkill state for %i: %m", event->idx); -- if (l < RFKILL_EVENT_SIZE_V1) -+ if ((size_t)l < RFKILL_EVENT_SIZE_V1) /* l cannot be < 0 here. Cast to fix -Werror=sign-compare */ - return log_error_errno(SYNTHETIC_ERRNO(EIO), - "Couldn't write rfkill event structure, too short (wrote %zd of %zu bytes).", - l, sizeof we); -@@ -335,9 +335,9 @@ static int run(int argc, char *argv[]) { - break; - } - -- if (l < RFKILL_EVENT_SIZE_V1) -- return log_error_errno(SYNTHETIC_ERRNO(EIO), "Short read of struct rfkill_event: (%zd < %d)", -- l, RFKILL_EVENT_SIZE_V1); -+ if ((size_t)l < RFKILL_EVENT_SIZE_V1) /* l cannot be < 0 here. Cast to fix -Werror=sign-compare */ -+ return log_error_errno(SYNTHETIC_ERRNO(EIO), "Short read of struct rfkill_event: (%zd < %zu)", -+ l, (size_t) RFKILL_EVENT_SIZE_V1); /* Casting necessary to make compiling with different kernel versions happy */ - log_debug("Reading struct rfkill_event: got %zd bytes.", l); - - /* The event structure has more fields. We only care about the first few, so it's OK if we diff --git a/0007-core-allow-omitting-second-part-of-LoadCredentials-a.patch b/0007-core-allow-omitting-second-part-of-LoadCredentials-a.patch deleted file mode 100644 index b21b108..0000000 
--- a/0007-core-allow-omitting-second-part-of-LoadCredentials-a.patch +++ /dev/null 
@@ -1,102 +0,0 @@ -From 5aa097c851aebc056871485c35e65d8badc8f69f Mon Sep 17 00:00:00 2001 -From: Lennart Poettering -Date: Thu, 11 Mar 2021 10:02:46 +0100 -Subject: [PATCH] core: allow omitting second part of LoadCredentials= argument - -This allows "LoadCredentials=foo" to be used as shortcut for -"LoadCredentials=foo:foo", i.e. it's a very short way to inherit a -credential under its original name from the service manager into a -service. - -(cherry picked from commit 8a29862e32fc7981fe16fc8dd79ad6863a8dc486) - -Resolves: #1949568 ---- - man/systemd.exec.xml | 30 ++++++++++++++++-------------- - src/core/load-fragment.c | 25 +++++++++++++++++-------- - 2 files changed, 33 insertions(+), 22 deletions(-) - -diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml -index 5bb9af3e7d..6ae630f615 100644 ---- a/man/systemd.exec.xml -+++ b/man/systemd.exec.xml -@@ -2821,7 +2821,7 @@ StandardInputData=SWNrIHNpdHplIGRhIHVuJyBlc3NlIEtsb3BzLAp1ZmYgZWVtYWwga2xvcHAncy - - - -- LoadCredential=ID:PATH -+ LoadCredential=ID:PATH - - Pass a credential to the unit. Credentials are limited-size binary or textual objects - that may be passed to unit processes. They are primarily used for passing cryptographic keys (both -@@ -2834,19 +2834,21 @@ StandardInputData=SWNrIHNpdHplIGRhIHVuJyBlc3NlIEtsb3BzLAp1ZmYgZWVtYWwga2xvcHAncy - environment variable to the unit's processes. - - The LoadCredential= setting takes a textual ID to use as name for a -- credential plus a file system path. The ID must be a short ASCII string suitable as filename in the -- filesystem, and may be chosen freely by the user. If the specified path is absolute it is opened as -- regular file and the credential data is read from it. If the absolute path refers to an -- AF_UNIX stream socket in the file system a connection is made to it (only once -- at unit start-up) and the credential data read from the connection, providing an easy IPC integration -- point for dynamically providing credentials from other services. 
If the specified path is not -- absolute and itself qualifies as valid credential identifier it is understood to refer to a -- credential that the service manager itself received via the $CREDENTIALS_DIRECTORY -- environment variable, which may be used to propagate credentials from an invoking environment (e.g. a -- container manager that invoked the service manager) into a service. The contents of the file/socket -- may be arbitrary binary or textual data, including newline characters and NUL -- bytes. This option may be used multiple times, each time defining an additional credential to pass to -- the unit. -+ credential plus a file system path, separated by a colon. The ID must be a short ASCII string -+ suitable as filename in the filesystem, and may be chosen freely by the user. If the specified path -+ is absolute it is opened as regular file and the credential data is read from it. If the absolute -+ path refers to an AF_UNIX stream socket in the file system a connection is made -+ to it (only once at unit start-up) and the credential data read from the connection, providing an -+ easy IPC integration point for dynamically providing credentials from other services. If the -+ specified path is not absolute and itself qualifies as valid credential identifier it is understood -+ to refer to a credential that the service manager itself received via the -+ $CREDENTIALS_DIRECTORY environment variable, which may be used to propagate -+ credentials from an invoking environment (e.g. a container manager that invoked the service manager) -+ into a service. The contents of the file/socket may be arbitrary binary or textual data, including -+ newline characters and NUL bytes. If the file system path is omitted it is -+ chosen identical to the credential name, i.e. this is a terse way do declare credentials to inherit -+ from the service manager into a service. This option may be used multiple times, each time defining -+ an additional credential to pass to the unit. 
- - The credential files/IPC sockets must be accessible to the service manager, but don't have to - be directly accessible to the unit's processes: the credential data is read and copied into separate, -diff --git a/src/core/load-fragment.c b/src/core/load-fragment.c -index c6fc4fe083..6a998bb801 100644 ---- a/src/core/load-fragment.c -+++ b/src/core/load-fragment.c -@@ -4606,14 +4606,23 @@ int config_parse_load_credential( - log_syntax(unit, LOG_WARNING, filename, line, 0, "Credential name \"%s\" not valid, ignoring.", k); - return 0; - } -- r = unit_full_printf(u, p, &q); -- if (r < 0) { -- log_syntax(unit, LOG_WARNING, filename, line, r, "Failed to resolve unit specifiers in \"%s\", ignoring: %m", p); -- return 0; -- } -- if (path_is_absolute(q) ? !path_is_normalized(q) : !credential_name_valid(q)) { -- log_syntax(unit, LOG_WARNING, filename, line, r, "Credential source \"%s\" not valid, ignoring.", q); -- return 0; -+ -+ if (isempty(p)) { -+ /* If only one field field is specified take it as shortcut for inheriting a credential named -+ * the same way from our parent */ -+ q = strdup(k); -+ if (!q) -+ return log_oom(); -+ } else { -+ r = unit_full_printf(u, p, &q); -+ if (r < 0) { -+ log_syntax(unit, LOG_WARNING, filename, line, r, "Failed to resolve unit specifiers in \"%s\", ignoring: %m", p); -+ return 0; -+ } -+ if (path_is_absolute(q) ? !path_is_normalized(q) : !credential_name_valid(q)) { -+ log_syntax(unit, LOG_WARNING, filename, line, r, "Credential source \"%s\" not valid, ignoring.", q); -+ return 0; -+ } - } - - r = strv_consume_pair(&context->load_credentials, TAKE_PTR(k), TAKE_PTR(q)); diff --git a/0007-unit-don-t-add-Requires-for-tmp.mount.patch b/0007-unit-don-t-add-Requires-for-tmp.mount.patch new file mode 100644 index 0000000..b2bbe9e --- /dev/null +++ b/0007-unit-don-t-add-Requires-for-tmp.mount.patch 
@@ -0,0 +1,40 @@ +From 209af66ef66a67a9cafa5a1d6364ce436cd593aa Mon Sep 17 00:00:00 2001 +From: Lukas Nykryn +Date: Mon, 5 Sep 2016 12:47:09 +0200 +Subject: [PATCH] unit: don't add Requires for tmp.mount + +rhel-only +Resolves: #1619292 + +(cherry picked from commit 03e52d33bbdea731eaa79545bb1d30c5b21abe3d) +--- + src/core/mount.c | 2 +- + src/core/unit.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/core/mount.c b/src/core/mount.c +index 053deac14d..1fd3102ad3 100644 +--- a/src/core/mount.c ++++ b/src/core/mount.c +@@ -343,7 +343,7 @@ static int mount_add_mount_dependencies(Mount *m) { + if (r < 0) + return r; + +- if (UNIT(m)->fragment_path) { ++ if (UNIT(m)->fragment_path && !streq(UNIT(m)->id, "tmp.mount")) { + /* If we have fragment configuration, then make this dependency required */ + r = unit_add_dependency(other, UNIT_REQUIRES, UNIT(m), true, UNIT_DEPENDENCY_PATH); + if (r < 0) +diff --git a/src/core/unit.c b/src/core/unit.c +index d9cd0c229a..371dda7e29 100644 +--- a/src/core/unit.c ++++ b/src/core/unit.c +@@ -1506,7 +1506,7 @@ static int unit_add_mount_dependencies(Unit *u) { + if (r < 0) + return r; + +- if (m->fragment_path) { ++ if (m->fragment_path && !streq(m->id, "tmp.mount")) { + r = unit_add_dependency(u, UNIT_REQUIRES, m, true, di.origin_mask); + if (r < 0) + return r; diff --git a/0008-units-add-Install-section-to-tmp.mount.patch b/0008-units-add-Install-section-to-tmp.mount.patch new file mode 100644 index 0000000..21e4dc8 --- /dev/null +++ b/0008-units-add-Install-section-to-tmp.mount.patch 
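Review bot: The new `!streq(..., "tmp.mount")` test is duplicated verbatim in `mount_add_mount_dependencies()` (mount.c) and `unit_add_mount_dependencies()` (unit.c), and in mount.c it sits under the unchanged comment `/* If we have fragment configuration, then make this dependency required */`, which no longer describes what the condition does; the unit.c site has no comment at all. Hoisting the literal into one helper, e.g. `static inline bool unit_is_tmp_mount(Unit *u) { return streq(u->id, "tmp.mount"); }`, keeps the two sites from drifting, and each should carry a why-comment along the lines of `/* RHEL-only: tmp.mount is only ordered against, never required, because it may be masked or left disabled */`. Both functions start and end outside the hunks, and this patch's unit.c pre-image (`index d9cd0c229a`) is the post-image of 0006 added in the same commit, so the series order matters.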
@@ -0,0 +1,25 @@ +From c54ec17a683866f8e74f0d78c19369a6e86e46f3 Mon Sep 17 00:00:00 2001 +From: Jan Synacek +Date: Tue, 22 Jan 2019 10:28:42 +0100 +Subject: [PATCH] units: add [Install] section to tmp.mount + +RHEL-only + +Related: #1959826 +(cherry picked from commit bb3d205bea1c83cbd0e27b504f5f1faa884fb602) +--- + units/tmp.mount | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/units/tmp.mount b/units/tmp.mount +index 516bd1621c..fc1812111e 100644 +--- a/units/tmp.mount ++++ b/units/tmp.mount +@@ -23,3 +23,7 @@ What=tmpfs + Where=/tmp + Type=tmpfs + Options=mode=1777,strictatime,nosuid,nodev,size=50%,nr_inodes=400k ++ ++# Make 'systemctl enable tmp.mount' work: ++[Install] ++WantedBy=local-fs.target diff --git a/0009-rc-local-order-after-network-online.target.patch b/0009-rc-local-order-after-network-online.target.patch new file mode 100644 index 0000000..718e879 --- /dev/null +++ b/0009-rc-local-order-after-network-online.target.patch @@ -0,0 +1,29 @@ +From 10c26ebc7cd9bff3d73ff9a89ddec44bde88e4cd Mon Sep 17 00:00:00 2001 +From: David Tardon +Date: Thu, 11 Mar 2021 15:48:23 +0100 +Subject: [PATCH] rc-local: order after network-online.target + +I think this was the intent of commit 91b684c7300879a8d2006038f7d9185d92c3c3bf, +just network-online.target didn't exist back then. + +RHEL-only + +Resolves: #1954429 +--- + units/rc-local.service.in | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/units/rc-local.service.in b/units/rc-local.service.in +index 55e83dfe00..0eee722154 100644 +--- a/units/rc-local.service.in ++++ b/units/rc-local.service.in +@@ -13,7 +13,8 @@ + Description={{RC_LOCAL_PATH}} Compatibility + Documentation=man:systemd-rc-local-generator(8) + ConditionFileIsExecutable={{RC_LOCAL_PATH}} +-After=network.target ++After=network-online.target ++Wants=network-online.target + + [Service] + Type=forking 
diff --git a/0010-ci-drop-CIs-irrelevant-for-downstream.patch b/0010-ci-drop-CIs-irrelevant-for-downstream.patch new file mode 100644 index 0000000..d6494e8 --- /dev/null +++ b/0010-ci-drop-CIs-irrelevant-for-downstream.patch 
@@ -0,0 +1,284 @@ +From b3c617b8d0fb95322e203842d2ac68593a4acdcd Mon Sep 17 00:00:00 2001 +From: Frantisek Sumsal +Date: Sun, 18 Apr 2021 20:46:06 +0200 +Subject: [PATCH] ci: drop CIs irrelevant for downstream + + * CIFuzz would need a separate project in oss-fuzz + * Coverity would also need a separate project + * the Labeler action is superfluous, since we already have a bot for + that + * mkosi testing on other distros is irrelevant for downstream RHEL + repo + +Resolves: #1960703 +rhel-only +--- + .github/labeler.yml | 38 ------------------ + .github/workflows/cifuzz.yml | 47 ---------------------- + .github/workflows/coverity.yml | 39 ------------------- + .github/workflows/labeler.yml | 13 ------- + .github/workflows/mkosi.yml | 58 ---------------------------- + .github/workflows/test_mkosi_boot.py | 24 ------------ + 6 files changed, 219 deletions(-) + delete mode 100644 .github/labeler.yml + delete mode 100644 .github/workflows/cifuzz.yml + delete mode 100644 .github/workflows/coverity.yml + delete mode 100644 .github/workflows/labeler.yml + delete mode 100644 .github/workflows/mkosi.yml + delete mode 100755 .github/workflows/test_mkosi_boot.py + +diff --git a/.github/labeler.yml b/.github/labeler.yml +deleted file mode 100644 +index 773d575004..0000000000 +--- a/.github/labeler.yml ++++ /dev/null +@@ -1,38 +0,0 @@ +-hwdb: +- - hwdb.d/**/* +-units: +- - units/**/* +-documentation: +- - NEWS +- - docs/* +-network: +- - src/libsystemd-network/**/* +- - src/network/**/* +-udev: +- - src/udev/**/* +- - src/libudev/* +-selinux: +- - '**/*selinux*' +-apparmor: +- - '**/*apparmor*' +-meson: +- - meson_option.txt +-mkosi: +- - .mkosi/* +- - mkosi.build +-busctl: +- - src/busctl/* +-systemctl: +- - src/systemctl/* +-journal: +- - src/journal/* +-journal-remote: +- - src/journal-remote/* +-portable: +- - src/portable/**/* +-resolve: +- - src/resolve/* +-timedate: +- - src/timedate/* +-timesync: +- - src/timesync/* +diff --git a/.github/workflows/cifuzz.yml 
b/.github/workflows/cifuzz.yml +deleted file mode 100644 +index 14d81a67ff..0000000000 +--- a/.github/workflows/cifuzz.yml ++++ /dev/null +@@ -1,47 +0,0 @@ +---- +-# vi: ts=2 sw=2 et: +-# See: https://google.github.io/oss-fuzz/getting-started/continuous-integration/ +- +-name: CIFuzz +-on: +- pull_request: +- paths: +- - '**/meson.build' +- - '.github/workflows/**' +- - 'meson_options.txt' +- - 'src/**' +- - 'test/fuzz/**' +- - 'tools/oss-fuzz.sh' +- push: +- branches: +- - main +-jobs: +- Fuzzing: +- runs-on: ubuntu-latest +- if: github.repository == 'systemd/systemd' +- strategy: +- fail-fast: false +- matrix: +- sanitizer: [address, undefined, memory] +- steps: +- - name: Build Fuzzers (${{ matrix.sanitizer }}) +- id: build +- uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master +- with: +- oss-fuzz-project-name: 'systemd' +- dry-run: false +- allowed-broken-targets-percentage: 0 +- sanitizer: ${{ matrix.sanitizer }} +- - name: Run Fuzzers (${{ matrix.sanitizer }}) +- uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@master +- with: +- oss-fuzz-project-name: 'systemd' +- fuzz-seconds: 600 +- dry-run: false +- sanitizer: ${{ matrix.sanitizer }} +- - name: Upload Crash +- uses: actions/upload-artifact@v1 +- if: failure() && steps.build.outcome == 'success' +- with: +- name: ${{ matrix.sanitizer }}-artifacts +- path: ./out/artifacts +diff --git a/.github/workflows/coverity.yml b/.github/workflows/coverity.yml +deleted file mode 100644 +index a0eb0f01fd..0000000000 +--- a/.github/workflows/coverity.yml ++++ /dev/null +@@ -1,39 +0,0 @@ +---- +-# vi: ts=2 sw=2 et: +-# +-name: Coverity +- +-on: +- schedule: +- # Run Coverity daily at midnight +- - cron: '0 0 * * *' +- +-jobs: +- build: +- runs-on: ubuntu-20.04 +- if: github.repository == 'systemd/systemd' +- env: +- COVERITY_SCAN_BRANCH_PATTERN: "${{ github.ref}}" +- COVERITY_SCAN_NOTIFICATION_EMAIL: "" +- COVERITY_SCAN_PROJECT_NAME: "${{ github.repository }}" +- # Set in repo settings -> secrets -> 
repository secrets +- COVERITY_SCAN_TOKEN: "${{ secrets.COVERITY_SCAN_TOKEN }}" +- CURRENT_REF: "${{ github.ref }}" +- steps: +- - name: Repository checkout +- uses: actions/checkout@v1 +- # https://docs.github.com/en/free-pro-team@latest/actions/reference/workflow-commands-for-github-actions#setting-an-environment-variable +- - name: Set the $COVERITY_SCAN_NOTIFICATION_EMAIL env variable +- run: echo "COVERITY_SCAN_NOTIFICATION_EMAIL=$(git log -1 ${{ github.sha }} --pretty=\"%aE\")" >> $GITHUB_ENV +- - name: Install Coverity tools +- run: tools/get-coverity.sh +- # Reuse the setup phase of the unit test script to avoid code duplication +- - name: Install build dependencies +- run: sudo -E .github/workflows/unit_tests.sh SETUP +- # Preconfigure with meson to prevent Coverity from capturing meson metadata +- - name: Preconfigure the build directory +- run: meson cov-build -Dman=false +- - name: Build +- run: tools/coverity.sh build +- - name: Upload the results +- run: tools/coverity.sh upload +diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml +deleted file mode 100644 +index 76d67a3a5c..0000000000 +--- a/.github/workflows/labeler.yml ++++ /dev/null +@@ -1,13 +0,0 @@ +-name: "Pull Request Labeler" +-on: +-- pull_request_target +- +-jobs: +- triage: +- runs-on: ubuntu-latest +- steps: +- - uses: actions/labeler@main +- with: +- repo-token: "${{ secrets.GITHUB_TOKEN }}" +- configuration-path: .github/labeler.yml +- sync-labels: "" # This is a workaround for issue 18671 +diff --git a/.github/workflows/mkosi.yml b/.github/workflows/mkosi.yml +deleted file mode 100644 +index babdf7ae6e..0000000000 +--- a/.github/workflows/mkosi.yml ++++ /dev/null +@@ -1,58 +0,0 @@ +-name: mkosi +- +-# Simple boot tests that build and boot the mkosi images generated by the mkosi config files in .mkosi. 
+- +-on: +- push: +- branches: +- - main +- pull_request: +- branches: +- - main +- +-jobs: +- ci: +- runs-on: ubuntu-20.04 +- strategy: +- fail-fast: false +- matrix: +- distro: +- - arch +- - debian +- - ubuntu +- - fedora +- +- steps: +- - uses: actions/checkout@v2 +- - uses: systemd/mkosi@v9 +- +- - name: Install +- run: sudo apt-get update && sudo apt-get install --no-install-recommends python3-pexpect python3-jinja2 +- +- - name: Symlink +- run: ln -s .mkosi/mkosi.${{ matrix.distro }} mkosi.default +- +- # Ubuntu's systemd-nspawn doesn't support faccessat2() syscall, which is +- # required, since current Arch's glibc implements faccessat() via faccessat2(). +- - name: Update systemd-nspawn +- if: ${{ matrix.distro == 'arch' }} +- run: | +- echo "deb-src http://archive.ubuntu.com/ubuntu/ $(lsb_release -cs) main restricted universe multiverse" | sudo tee -a /etc/apt/sources.list +- sudo apt update +- sudo apt build-dep systemd +- meson build +- ninja -C build +- sudo ln -svf $PWD/build/systemd-nspawn `which systemd-nspawn` +- systemd-nspawn --version +- +- - name: Build ${{ matrix.distro }} +- run: sudo python3 -m mkosi --password= --qemu-headless build +- +- - name: Show ${{ matrix.distro }} image summary +- run: sudo python3 -m mkosi --password= --qemu-headless summary +- +- - name: Boot ${{ matrix.distro }} systemd-nspawn +- run: sudo ./.github/workflows/test_mkosi_boot.py python3 -m mkosi --password= --qemu-headless boot +- +- - name: Boot ${{ matrix.distro }} QEMU +- run: sudo ./.github/workflows/test_mkosi_boot.py python3 -m mkosi --password= --qemu-headless qemu +diff --git a/.github/workflows/test_mkosi_boot.py b/.github/workflows/test_mkosi_boot.py +deleted file mode 100755 +index 3418fd3a51..0000000000 +--- a/.github/workflows/test_mkosi_boot.py ++++ /dev/null +@@ -1,24 +0,0 @@ +-#!/usr/bin/env python3 +-# SPDX-License-Identifier: LGPL-2.1-or-later +- +-import pexpect +-import sys +- +- +-def run() -> None: +- p = pexpect.spawnu(" 
".join(sys.argv[1:]), logfile=sys.stdout, timeout=300) +- +- p.expect("#") +- p.sendline("systemctl poweroff") +- +- p.expect(pexpect.EOF) +- +- +-try: +- run() +-except pexpect.EOF: +- print("UNEXPECTED EOF") +- sys.exit(1) +-except pexpect.TIMEOUT: +- print("TIMED OUT") +- sys.exit(1) diff --git a/0011-ci-reconfigure-Packit-for-RHEL-9.patch b/0011-ci-reconfigure-Packit-for-RHEL-9.patch new file mode 100644 index 0000000..42c1361 --- /dev/null +++ b/0011-ci-reconfigure-Packit-for-RHEL-9.patch 
@@ -0,0 +1,60 @@ +From b00b4b76e8a7267db2dc54a5d23272a6586770da Mon Sep 17 00:00:00 2001 +From: Frantisek Sumsal +Date: Wed, 9 Jun 2021 15:23:59 +0200 +Subject: [PATCH] ci: reconfigure Packit for RHEL 9 + +Resolves: #1960703 +rhel-only +--- + .packit.yml | 27 ++++++++++++++++++--------- + 1 file changed, 18 insertions(+), 9 deletions(-) + +diff --git a/.packit.yml b/.packit.yml +index 4545e30e08..3461bccbc5 100644 +--- a/.packit.yml ++++ b/.packit.yml +@@ -16,14 +16,12 @@ upstream_tag_template: "v{version}" + + actions: + post-upstream-clone: +- # Use the Fedora Rawhide specfile +- - "git clone https://src.fedoraproject.org/rpms/systemd .packit_rpm --depth=1" ++ # Use the CentOS Stream specfile ++ - "git clone https://gitlab.com/redhat/centos-stream/rpms/systemd.git .packit_rpm --depth=1" + # Drop the "sources" file so rebase-helper doesn't think we're a dist-git + - "rm -fv .packit_rpm/sources" +- # Drop backported patches from the specfile, but keep the downstream-only ones +- # - Patch0000-0499: backported patches from upstream +- # - Patch0500-9999: downstream-only patches +- - "sed -ri '/^Patch0[0-4]?[0-9]{0,2}\\:.+\\.patch/d' .packit_rpm/systemd.spec" ++ # Drop all patches, since they're already included in the tarball ++ - "sed -ri '/^Patch[0-9]+:/d' .packit_rpm/systemd.spec" + # Build the RPM with --werror. Even though --werror doesn't work in all + # cases (see [0]), we can't use -Dc_args=/-Dcpp_args= here because of the + # RPM hardening macros, that use $CFLAGS/$CPPFLAGS (see [1]). 
+@@ -32,11 +30,22 @@ actions: + # [1] https://github.com/systemd/systemd/pull/18908#issuecomment-792250110 + - 'sed -i "/^CONFIGURE_OPTS=(/a--werror" .packit_rpm/systemd.spec' + ++# Available targets can be listed via `copr-cli list-chroots` + jobs: ++# Build test + - job: copr_build + trigger: pull_request + metadata: + targets: +- - fedora-rawhide-aarch64 +- - fedora-rawhide-i386 +- - fedora-rawhide-x86_64 ++ # FIXME: change to CentOS 9 once it's available ++ - fedora-34-x86_64 ++ - fedora-34-aarch64 ++ ++# TODO: can't use TFT yet due to https://pagure.io/fedora-ci/general/issue/184 ++# Run tests (via testing farm) ++#- job: tests ++# trigger: pull_request ++# metadata: ++# targets: ++# # FIXME: change to CentOS 9 once it's available ++# - fedora-34-x86_64 diff --git a/0012-ci-run-unit-tests-on-z-stream-branches-as-well.patch b/0012-ci-run-unit-tests-on-z-stream-branches-as-well.patch new file mode 100644 index 0000000..73a663c --- /dev/null +++ b/0012-ci-run-unit-tests-on-z-stream-branches-as-well.patch @@ -0,0 +1,27 @@ +From ef23dd2793c19e9505ab1e70fff20b7ea184dc54 Mon Sep 17 00:00:00 2001 +From: Frantisek Sumsal +Date: Thu, 15 Jul 2021 12:23:27 +0200 +Subject: [PATCH] ci: run unit tests on z-stream branches as well + +Resolves: #1960703 +rhel-only +--- + .github/workflows/unit_tests.yml | 5 +---- + 1 file changed, 1 insertion(+), 4 deletions(-) + +diff --git a/.github/workflows/unit_tests.yml b/.github/workflows/unit_tests.yml +index ca1e6e0c30..e560bff830 100644 +--- a/.github/workflows/unit_tests.yml ++++ b/.github/workflows/unit_tests.yml +@@ -2,10 +2,7 @@ + # vi: ts=2 sw=2 et: + # + name: Unit tests +-on: +- pull_request: +- branches: +- - main ++on: [pull_request] + + jobs: + build: diff --git a/0013-Check-return-value-of-pam_get_item-pam_get_data-func.patch b/0013-Check-return-value-of-pam_get_item-pam_get_data-func.patch new file mode 100644 index 0000000..fad17cd --- /dev/null +++ b/0013-Check-return-value-of-pam_get_item-pam_get_data-func.patch 
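Review bot: The new `git clone https://gitlab.com/redhat/centos-stream/rpms/systemd.git .packit_rpm --depth=1` line in post-upstream-clone is not pinned to a branch, so the specfile every PR build is validated against is whatever that remote's default branch happens to be, and a branch switch or rebase on the remote changes the build inputs with no change in this repo. Pinning it with `-b <stream-branch>` (placeholder for the intended dist-git branch) keeps the copr build reproducible; the Fedora clone it replaces had the same gap, so this is pre-existing rather than a regression. The `sed -ri '/^Patch[0-9]+:/d'` line now also strips any future downstream-only Patch lines from the spec, which is consistent with the "already in the tarball" comment only as long as Packit builds from a tarball that really carries them — worth a sentence in the commit message.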
@@ -0,0 +1,110 @@ +From a311dc4ade908452d7920452a18ce411af0f6dd3 Mon Sep 17 00:00:00 2001 +From: Riccardo Schirone +Date: Thu, 17 Jun 2021 16:39:23 +0200 +Subject: [PATCH] Check return value of pam_get_item/pam_get_data functions + +(cherry picked from commit a22cbf85ed9863ba5c86681db89424747119ef0c) + +Resolves: #1973210 +--- + src/login/pam_systemd.c | 66 ++++++++++++++++++++++++++++++++++------- + 1 file changed, 55 insertions(+), 11 deletions(-) + +diff --git a/src/login/pam_systemd.c b/src/login/pam_systemd.c +index f8bd17eefe..1b643d52ca 100644 +--- a/src/login/pam_systemd.c ++++ b/src/login/pam_systemd.c +@@ -705,7 +705,11 @@ _public_ PAM_EXTERN int pam_sm_open_session( + * "systemd-user" we simply set XDG_RUNTIME_DIR and + * leave. */ + +- (void) pam_get_item(handle, PAM_SERVICE, (const void**) &service); ++ r = pam_get_item(handle, PAM_SERVICE, (const void**) &service); ++ if (!IN_SET(r, PAM_BAD_ITEM, PAM_SUCCESS)) { ++ pam_syslog(handle, LOG_ERR, "Failed to get PAM service: %s", pam_strerror(handle, r)); ++ return r; ++ } + if (streq_ptr(service, "systemd-user")) { + char rt[STRLEN("/run/user/") + DECIMAL_STR_MAX(uid_t)]; + +@@ -719,10 +723,26 @@ _public_ PAM_EXTERN int pam_sm_open_session( + + /* Otherwise, we ask logind to create a session for us */ + +- (void) pam_get_item(handle, PAM_XDISPLAY, (const void**) &display); +- (void) pam_get_item(handle, PAM_TTY, (const void**) &tty); +- (void) pam_get_item(handle, PAM_RUSER, (const void**) &remote_user); +- (void) pam_get_item(handle, PAM_RHOST, (const void**) &remote_host); ++ r = pam_get_item(handle, PAM_XDISPLAY, (const void**) &display); ++ if (!IN_SET(r, PAM_BAD_ITEM, PAM_SUCCESS)) { ++ pam_syslog(handle, LOG_ERR, "Failed to get PAM XDISPLAY: %s", pam_strerror(handle, r)); ++ return r; ++ } ++ r = pam_get_item(handle, PAM_TTY, (const void**) &tty); ++ if (!IN_SET(r, PAM_BAD_ITEM, PAM_SUCCESS)) { ++ pam_syslog(handle, LOG_ERR, "Failed to get PAM TTY: %s", pam_strerror(handle, r)); ++ return r; ++ } ++ 
r = pam_get_item(handle, PAM_RUSER, (const void**) &remote_user); ++ if (!IN_SET(r, PAM_BAD_ITEM, PAM_SUCCESS)) { ++ pam_syslog(handle, LOG_ERR, "Failed to get PAM RUSER: %s", pam_strerror(handle, r)); ++ return r; ++ } ++ r = pam_get_item(handle, PAM_RHOST, (const void**) &remote_host); ++ if (!IN_SET(r, PAM_BAD_ITEM, PAM_SUCCESS)) { ++ pam_syslog(handle, LOG_ERR, "Failed to get PAM RHOST: %s", pam_strerror(handle, r)); ++ return r; ++ } + + seat = getenv_harder(handle, "XDG_SEAT", NULL); + cvtnr = getenv_harder(handle, "XDG_VTNR", NULL); +@@ -789,11 +809,31 @@ _public_ PAM_EXTERN int pam_sm_open_session( + + remote = !isempty(remote_host) && !is_localhost(remote_host); + +- (void) pam_get_data(handle, "systemd.memory_max", (const void **)&memory_max); +- (void) pam_get_data(handle, "systemd.tasks_max", (const void **)&tasks_max); +- (void) pam_get_data(handle, "systemd.cpu_weight", (const void **)&cpu_weight); +- (void) pam_get_data(handle, "systemd.io_weight", (const void **)&io_weight); +- (void) pam_get_data(handle, "systemd.runtime_max_sec", (const void **)&runtime_max_sec); ++ r = pam_get_data(handle, "systemd.memory_max", (const void **)&memory_max); ++ if (!IN_SET(r, PAM_SUCCESS, PAM_NO_MODULE_DATA)) { ++ pam_syslog(handle, LOG_ERR, "Failed to get PAM systemd.memory_max data: %s", pam_strerror(handle, r)); ++ return r; ++ } ++ r = pam_get_data(handle, "systemd.tasks_max", (const void **)&tasks_max); ++ if (!IN_SET(r, PAM_SUCCESS, PAM_NO_MODULE_DATA)) { ++ pam_syslog(handle, LOG_ERR, "Failed to get PAM systemd.tasks_max data: %s", pam_strerror(handle, r)); ++ return r; ++ } ++ r = pam_get_data(handle, "systemd.cpu_weight", (const void **)&cpu_weight); ++ if (!IN_SET(r, PAM_SUCCESS, PAM_NO_MODULE_DATA)) { ++ pam_syslog(handle, LOG_ERR, "Failed to get PAM systemd.cpu_weight data: %s", pam_strerror(handle, r)); ++ return r; ++ } ++ r = pam_get_data(handle, "systemd.io_weight", (const void **)&io_weight); ++ if (!IN_SET(r, PAM_SUCCESS, PAM_NO_MODULE_DATA)) { ++ 
pam_syslog(handle, LOG_ERR, "Failed to get PAM systemd.io_weight data: %s", pam_strerror(handle, r)); ++ return r; ++ } ++ r = pam_get_data(handle, "systemd.runtime_max_sec", (const void **)&runtime_max_sec); ++ if (!IN_SET(r, PAM_SUCCESS, PAM_NO_MODULE_DATA)) { ++ pam_syslog(handle, LOG_ERR, "Failed to get PAM systemd.runtime_max_sec data: %s", pam_strerror(handle, r)); ++ return r; ++ } + + /* Talk to logind over the message bus */ + +@@ -996,7 +1036,11 @@ _public_ PAM_EXTERN int pam_sm_close_session( + + /* Only release session if it wasn't pre-existing when we + * tried to create it */ +- (void) pam_get_data(handle, "systemd.existing", &existing); ++ r = pam_get_data(handle, "systemd.existing", &existing); ++ if (!IN_SET(r, PAM_SUCCESS, PAM_NO_MODULE_DATA)) { ++ pam_syslog(handle, LOG_ERR, "Failed to get PAM systemd.existing data: %s", pam_strerror(handle, r)); ++ return r; ++ } + + id = pam_getenv(handle, "XDG_SESSION_ID"); + if (id && !existing) { diff --git a/0014-random-util-increase-random-seed-size-to-1024.patch b/0014-random-util-increase-random-seed-size-to-1024.patch new file mode 100644 index 0000000..b02c53b --- /dev/null +++ b/0014-random-util-increase-random-seed-size-to-1024.patch 
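Review bot: The ten new `r = pam_get_item(...)/pam_get_data(...)` blocks in pam_sm_open_session and the one in pam_sm_close_session are copies of the same five lines differing only in the item or data name and the log string, which makes the next call site one more place to get the accepted-code set (PAM_BAD_ITEM vs. PAM_NO_MODULE_DATA) wrong. Two small static helpers that take the name used in the message would collapse each block to a call plus a two-line return check and keep the "absent is not an error" rule in exactly one place per API. Both PAM_BAD_ITEM and PAM_NO_MODULE_DATA leave the output pointer untouched, so the checks rely on `service`, `display`, `tty`, `remote_user`, `remote_host`, the `systemd.*` data pointers and `existing` being initialised to NULL before these calls; that initialisation, like the start and end of both functions, is outside the hunk and should be confirmed. The early `return r` in pam_sm_close_session skips whatever release logic follows; if that is the ReleaseSession call, a failed lookup now leaves the logind session open, which may be the intended fail-closed choice but deserves a comment.
```c
/* Fetch a PAM item that may legitimately be absent: PAM_BAD_ITEM is not an error here. */
static int get_item_optional(pam_handle_t *handle, int item_type, const char *name, const void **ret) {
        int r;

        r = pam_get_item(handle, item_type, ret);
        if (!IN_SET(r, PAM_BAD_ITEM, PAM_SUCCESS)) {
                pam_syslog(handle, LOG_ERR, "Failed to get PAM %s: %s", name, pam_strerror(handle, r));
                return r;
        }

        return PAM_SUCCESS;
}

/* Same for module data: PAM_NO_MODULE_DATA just means nothing was stashed. */
static int get_data_optional(pam_handle_t *handle, const char *name, const void **ret) {
        int r;

        r = pam_get_data(handle, name, ret);
        if (!IN_SET(r, PAM_SUCCESS, PAM_NO_MODULE_DATA)) {
                pam_syslog(handle, LOG_ERR, "Failed to get PAM %s data: %s", name, pam_strerror(handle, r));
                return r;
        }

        return PAM_SUCCESS;
}

/* … unchanged: pam_sm_open_session() up to the service lookup … */
        r = get_item_optional(handle, PAM_SERVICE, "service", (const void**) &service);
        if (r != PAM_SUCCESS)
                return r;
/* … the XDISPLAY/TTY/RUSER/RHOST lookups and the five systemd.* data lookups follow the same shape … */
/* … unchanged: rest of pam_sm_open_session(), pam_sm_close_session() uses get_data_optional() the same way … */
```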
@@ -0,0 +1,25 @@ +From f1266682aca4a2ed3d85017527d1456cbe5d2f2a Mon Sep 17 00:00:00 2001 +From: David Tardon +Date: Thu, 15 Jul 2021 11:15:17 +0200 +Subject: [PATCH] random-util: increase random seed size to 1024 + +RHEL-only + +Resolves: #1982603 +--- + src/basic/random-util.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/basic/random-util.h b/src/basic/random-util.h +index e6528ddc7f..fda78552f6 100644 +--- a/src/basic/random-util.h ++++ b/src/basic/random-util.h +@@ -34,7 +34,7 @@ static inline uint32_t random_u32(void) { + int rdrand(unsigned long *ret); + + /* Some limits on the pool sizes when we deal with the kernel random pool */ +-#define RANDOM_POOL_SIZE_MIN 512U ++#define RANDOM_POOL_SIZE_MIN 1024U + #define RANDOM_POOL_SIZE_MAX (10U*1024U*1024U) + + size_t random_pool_size(void); diff --git a/0015-journal-don-t-enable-systemd-journald-audit.socket-b.patch b/0015-journal-don-t-enable-systemd-journald-audit.socket-b.patch new file mode 100644 index 0000000..f1bc9c2 --- /dev/null +++ b/0015-journal-don-t-enable-systemd-journald-audit.socket-b.patch 
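Review bot: The change of `RANDOM_POOL_SIZE_MIN` from `512U` to `1024U` carries no rationale in the code and the commit message only says "RHEL-only", so the next person diffing src/basic/random-util.h against upstream sees a bare divergence with nothing to tell them whether it is deliberate. A one-line comment on the define would preserve the reason where it is read, e.g. `#define RANDOM_POOL_SIZE_MIN 1024U /* RHEL-only: raised from upstream's 512U, see rhbz#1982603 */`. Whether the larger minimum only changes how much seed data is read and written or also what is credited to the kernel depends on random_pool_size() and its callers, which are outside the hunk and worth a sentence in the commit message.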
@@ -0,0 +1,41 @@ +From d68134590110a93c383a7ae696ccf3717f20682a Mon Sep 17 00:00:00 2001 +From: Jan Synacek +Date: Thu, 2 May 2019 14:11:54 +0200 +Subject: [PATCH] journal: don't enable systemd-journald-audit.socket by + default + +RHEL-only + +Resolves: #1973856 +--- + units/meson.build | 3 +-- + units/systemd-journald.service.in | 2 +- + 2 files changed, 2 insertions(+), 3 deletions(-) + +diff --git a/units/meson.build b/units/meson.build +index 17e9ead9c1..68be8d0108 100644 +--- a/units/meson.build ++++ b/units/meson.build +@@ -119,8 +119,7 @@ units = [ + 'sysinit.target.wants/'], + ['systemd-journal-gatewayd.socket', 'ENABLE_REMOTE HAVE_MICROHTTPD'], + ['systemd-journal-remote.socket', 'ENABLE_REMOTE HAVE_MICROHTTPD'], +- ['systemd-journald-audit.socket', '', +- 'sockets.target.wants/'], ++ ['systemd-journald-audit.socket', ''], + ['systemd-journald-dev-log.socket', '', + 'sockets.target.wants/'], + ['systemd-journald.socket', '', +diff --git a/units/systemd-journald.service.in b/units/systemd-journald.service.in +index cd17b6b4e7..d981273b07 100644 +--- a/units/systemd-journald.service.in ++++ b/units/systemd-journald.service.in +@@ -12,7 +12,7 @@ Description=Journal Service + Documentation=man:systemd-journald.service(8) man:journald.conf(5) + DefaultDependencies=no + Requires=systemd-journald.socket +-After=systemd-journald.socket systemd-journald-dev-log.socket systemd-journald-audit.socket syslog.socket ++After=systemd-journald.socket systemd-journald-dev-log.socket syslog.socket + Before=sysinit.target + + [Service] diff --git a/0016-journald.conf-don-t-touch-current-audit-settings.patch b/0016-journald.conf-don-t-touch-current-audit-settings.patch new file mode 100644 index 0000000..a71beac --- /dev/null +++ b/0016-journald.conf-don-t-touch-current-audit-settings.patch 
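Review bot: Dropping `'sockets.target.wants/'` for systemd-journald-audit.socket in units/meson.build means kernel audit records no longer reach the journal on a default install, which is an operational change for anyone who relies on `journalctl` to see audit events, and neither the unit files nor the commit message say so or say how to turn it back on. Enabling the socket afterwards with systemctl only works if the socket unit has an [Install] section; that unit is not touched here, so whether an administrator can re-enable it without editing units should be confirmed and stated in the commit message. Removing the socket from journald's `After=` line is presumably harmless because socket units order themselves before the service they activate, but a short note in the message that ordering is still provided by the socket unit would save the next reader the check.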
@@ -0,0 +1,22 @@ +From c040ffc7d27e2952bd6acccc1d8a351f31ba24db Mon Sep 17 00:00:00 2001 +From: David Tardon +Date: Thu, 5 Aug 2021 15:26:13 +0200 +Subject: [PATCH] journald.conf: don't touch current audit settings + +RHEL-only + +Related: #1973856 +--- + src/journal/journald.conf | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/journal/journald.conf b/src/journal/journald.conf +index 5a60a9d39c..3544da2112 100644 +--- a/src/journal/journald.conf ++++ b/src/journal/journald.conf +@@ -44,4 +44,4 @@ + #MaxLevelWall=emerg + #LineMax=48K + #ReadKMsg=yes +-#Audit=yes ++Audit= diff --git a/systemd.spec b/systemd.spec index 25fb6ab..a0b4ab0 100644 --- a/systemd.spec +++ b/systemd.spec @@ -21,7 +21,7 @@ Name: systemd Url: https://www.freedesktop.org/wiki/Software/systemd Version: 249 -Release: 1%{?dist} +Release: 2%{?dist} # For a breakdown of the licensing, see README License: LGPLv2+ and MIT and GPLv2+ Summary: System and Service Manager 
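Review bot: `Audit=` becomes the only active (uncommented) key in the shipped src/journal/journald.conf, surrounded by commented-out defaults, and an empty value gives a reader no hint that it is deliberate rather than a half-finished edit. A comment line directly above it would carry the intent, e.g. `# Empty value on purpose: do not change the current audit settings (RHEL-only, see rhbz#1973856)`. The commit subject already states the intent; putting it next to the key is what keeps it from being "fixed" back to `#Audit=yes` at the next config merge.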
@@ -78,6 +78,21 @@ GIT_DIR=../../src/systemd/.git git diffab -M v233..master@{2017-06-15} -- hwdb/[ # RHEL-specific Patch0001: 0001-logind-set-RemoveIPC-to-false-by-default.patch +Patch0002: 0002-basic-unit-name-do-not-use-strdupa-on-a-path.patch +Patch0003: 0003-basic-unit-name-adjust-comments.patch +Patch0004: 0004-tmpfiles-don-t-create-resolv.conf-stub-resolv.conf-s.patch +Patch0005: 0005-Copy-40-redhat.rules-from-RHEL-8.patch +Patch0006: 0006-Avoid-tmp-being-mounted-as-tmpfs-without-the-user-s-.patch +Patch0007: 0007-unit-don-t-add-Requires-for-tmp.mount.patch +Patch0008: 0008-units-add-Install-section-to-tmp.mount.patch +Patch0009: 0009-rc-local-order-after-network-online.target.patch +Patch0010: 0010-ci-drop-CIs-irrelevant-for-downstream.patch +Patch0011: 0011-ci-reconfigure-Packit-for-RHEL-9.patch +Patch0012: 0012-ci-run-unit-tests-on-z-stream-branches-as-well.patch +Patch0013: 0013-Check-return-value-of-pam_get_item-pam_get_data-func.patch +Patch0014: 0014-random-util-increase-random-seed-size-to-1024.patch +Patch0015: 0015-journal-don-t-enable-systemd-journald-audit.socket-b.patch +Patch0016: 0016-journald.conf-don-t-touch-current-audit-settings.patch # Downstream-only patches (9000–9999) # https://github.com/systemd/systemd/pull/17050 
@@ -835,6 +850,23 @@ getent passwd systemd-oom &>/dev/null || useradd -r -l -g systemd-oom -d / -s /s %files standalone-sysusers -f .file-list-standalone-sysusers %changelog +* Fri Aug 06 2021 systemd maintenance team - 249-2 +- basic/unit-name: do not use strdupa() on a path (#1984299) +- basic/unit-name: adjust comments (#1984299) +- tmpfiles: don't create resolv.conf -> stub-resolv.conf symlink (#1989472) +- Copy 40-redhat.rules from RHEL-8 (#1978639) +- Avoid /tmp being mounted as tmpfs without the user's will (#1959826) +- unit: don't add Requires for tmp.mount (#1619292) +- units: add [Install] section to tmp.mount (#1959826) +- rc-local: order after network-online.target (#1954429) +- ci: drop CIs irrelevant for downstream (#1960703) +- ci: reconfigure Packit for RHEL 9 (#1960703) +- ci: run unit tests on z-stream branches as well (#1960703) +- Check return value of pam_get_item/pam_get_data functions (#1973210) +- random-util: increase random seed size to 1024 (#1982603) +- journal: don't enable systemd-journald-audit.socket by default (#1973856) +- journald.conf: don't touch current audit settings (#1973856) + * Mon Jul 12 2021 - 249-1 - Rebase to v249 (#1981276)