rpms/systemd
7
0
Fork 0
Code Issues Pull Requests Releases Activity

systemd-249-2

Browse Source 
Resolves: #1619292,#1954429,#1959826,#1960703,#1973210,#1973856,#1978639,#1982603,#1984299,#1989472
This commit is contained in:
Lukas Nykryn 2021-08-06 13:28:58 +02:00 committed by Michal Sekletár
parent 6b7a413c41
commit 491a809050
23 changed files with 955 additions and 287 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
0001-logind-set-RemoveIPC-to-false-by-default.patch
View File

@ -1,4 +1,4 @@
From 6897f6efe6d7cee90a817bb31f25e0b4dbb0e370 Mon Sep 17 00:00:00 2001
From 5ce0a9b91add22f2a21f1bc7c0f888307f7e58e8 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 1 Aug 2018 10:58:28 +0200
Subject: [PATCH] logind: set RemoveIPC to false by default
@ -28,7 +28,7 @@ index be62b6b572..bec7ff44af 100644
</variablelist>
diff --git a/src/login/logind-core.c b/src/login/logind-core.c
index 2ecf2120fd..9ad411c575 100644
index 22031f485a..f5e1126adc 100644
--- a/src/login/logind-core.c
+++ b/src/login/logind-core.c
@@ -34,7 +34,7 @@ void manager_reset_config(Manager *m) {
@ -41,7 +41,7 @@ index 2ecf2120fd..9ad411c575 100644
m->user_stop_delay = 10 * USEC_PER_SEC;
diff --git a/src/login/logind.conf.in b/src/login/logind.conf.in
index 76f529c176..b936b6e62d 100644
index 27ba77ce79..f9c5099865 100644
--- a/src/login/logind.conf.in
+++ b/src/login/logind.conf.in
@@ -39,6 +39,6 @@

53
0001-rfkill-don-t-compare-values-of-different-signedness.patch
View File

@ -1,53 +0,0 @@
From 01095757986d9c93151cab01bb39d888c2094a78 Mon Sep 17 00:00:00 2001
From: Michal Sekletar <msekleta@redhat.com>
Date: Thu, 13 May 2021 10:52:42 +0200
Subject: [PATCH] rfkill: don't compare values of different signedness
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
RFKILL_EVENT_SIZE_V1 is defined as follows in <linux/rfkill.h>.
#define RFKILL_EVENT_SIZE_V1 sizeof(struct rfkill_event)
Avoid warning by casting l to size_t. In both cases we are guaranteed that l can't
be negative hence casting to size_t is fine to do.
../src/rfkill/rfkill.c: In function load_state:
../src/rfkill/rfkill.c:180:15: warning: comparison of integer expressions of different signedness: ssize_t {aka long int} and long unsigned int [-Wsign-compare]
180 | if (l < RFKILL_EVENT_SIZE_V1)
| ^
../src/rfkill/rfkill.c: In function run: ../src/rfkill/rfkill.c:338:23: warning: comparison of integer expressions of different signedness: ssize_t {aka long int} and long unsigned int [-Wsign-compare]
338 | if (l < RFKILL_EVENT_SIZE_V1)
| ^
gcc-11.0.1-0.3.1.el9.x86_64
Related: #1931710
---
src/rfkill/rfkill.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/rfkill/rfkill.c b/src/rfkill/rfkill.c
index e2d1a1be5f..6126e9b0c4 100644
--- a/src/rfkill/rfkill.c
+++ b/src/rfkill/rfkill.c
@@ -177,7 +177,7 @@ static int load_state(Context *c, const struct rfkill_event *event) {
ssize_t l = write(c->rfkill_fd, &we, sizeof we);
if (l < 0)
return log_error_errno(errno, "Failed to restore rfkill state for %i: %m", event->idx);
- if (l < RFKILL_EVENT_SIZE_V1)
+ if ((size_t) l < RFKILL_EVENT_SIZE_V1)
return log_error_errno(SYNTHETIC_ERRNO(EIO),
"Couldn't write rfkill event structure, too short (wrote %zd of %zu bytes).",
l, sizeof we);
@@ -335,7 +335,7 @@ static int run(int argc, char *argv[]) {
break;
}
- if (l < RFKILL_EVENT_SIZE_V1)
+ if ((size_t) l < RFKILL_EVENT_SIZE_V1)
return log_error_errno(SYNTHETIC_ERRNO(EIO), "Short read of struct rfkill_event: (%zd < %d)",
l, RFKILL_EVENT_SIZE_V1);
log_debug("Reading struct rfkill_event: got %zd bytes.", l);

65
0002-basic-unit-name-do-not-use-strdupa-on-a-path.patch Normal file
View File

@ -0,0 +1,65 @@
From d00c14d513bbac6562a5921a2be225cfcc4f794f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
Date: Wed, 23 Jun 2021 11:46:41 +0200
Subject: [PATCH] basic/unit-name: do not use strdupa() on a path
The path may have unbounded length, for example through a fuse mount.
CVE-2021-33910: attacked controlled alloca() leads to crash in systemd and
ultimately a kernel panic. Systemd parses the content of /proc/self/mountinfo
and each mountpoint is passed to mount_setup_unit(), which calls
unit_name_path_escape() underneath. A local attacker who is able to mount a
filesystem with a very long path can crash systemd and the whole system.
https://bugzilla.redhat.com/show_bug.cgi?id=1970887
The resulting string length is bounded by UNIT_NAME_MAX, which is 256. But we
can't easily check the length after simplification before doing the
simplification, which in turns uses a copy of the string we can write to.
So we can't reject paths that are too long before doing the duplication.
Hence the most obvious solution is to switch back to strdup(), as before
7410616cd9dbbec97cf98d75324da5cda2b2f7a2.
Resolves: #1984299
(cherry picked from commit 441e0115646d54f080e5c3bb0ba477c892861ab9)
---
src/basic/unit-name.c | 13 +++++--------
1 file changed, 5 insertions(+), 8 deletions(-)
diff --git a/src/basic/unit-name.c b/src/basic/unit-name.c
index 284a773483..a22763443f 100644
--- a/src/basic/unit-name.c
+++ b/src/basic/unit-name.c
@@ -378,12 +378,13 @@ int unit_name_unescape(const char *f, char **ret) {
}
int unit_name_path_escape(const char *f, char **ret) {
- char *p, *s;
+ _cleanup_free_ char *p = NULL;
+ char *s;
assert(f);
assert(ret);
- p = strdupa(f);
+ p = strdup(f);
if (!p)
return -ENOMEM;
@@ -395,13 +396,9 @@ int unit_name_path_escape(const char *f, char **ret) {
if (!path_is_normalized(p))
return -EINVAL;
- /* Truncate trailing slashes */
+ /* Truncate trailing slashes and skip leading slashes */
delete_trailing_chars(p, "/");
-
- /* Truncate leading slashes */
- p = skip_leading_chars(p, "/");
-
- s = unit_name_escape(p);
+ s = unit_name_escape(skip_leading_chars(p, "/"));
}
if (!s)
return -ENOMEM;

30
0002-rfkill-fix-the-format-string-to-prevent-compilation-.patch
View File

@ -1,30 +0,0 @@
From 54f0c86b083a4782e37754d3bbe27d4d81c53d23 Mon Sep 17 00:00:00 2001
From: Michal Sekletar <msekleta@redhat.com>
Date: Thu, 13 May 2021 12:10:00 +0200
Subject: [PATCH] rfkill: fix the format string to prevent compilation error
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
../src/rfkill/rfkill.c:339:70: error: format %d expects argument of type int, but argument 8 has type long unsigned int [-Werror=format=]
339 | return log_error_errno(SYNTHETIC_ERRNO(EIO), "Short read of struct rfkill_event: (%zd < %d)",
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Resolves: #1931710
---
src/rfkill/rfkill.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/rfkill/rfkill.c b/src/rfkill/rfkill.c
index 6126e9b0c4..0b6ba65c3a 100644
--- a/src/rfkill/rfkill.c
+++ b/src/rfkill/rfkill.c
@@ -336,7 +336,7 @@ static int run(int argc, char *argv[]) {
}
if ((size_t) l < RFKILL_EVENT_SIZE_V1)
- return log_error_errno(SYNTHETIC_ERRNO(EIO), "Short read of struct rfkill_event: (%zd < %d)",
+ return log_error_errno(SYNTHETIC_ERRNO(EIO), "Short read of struct rfkill_event: (%zd < %lu)",
l, RFKILL_EVENT_SIZE_V1);
log_debug("Reading struct rfkill_event: got %zd bytes.", l);

39
0003-basic-unit-name-adjust-comments.patch Normal file
View File

@ -0,0 +1,39 @@
From 10a1e767c7bacca5da4ae7260c2a53f7949c3d7e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
Date: Wed, 23 Jun 2021 11:52:56 +0200
Subject: [PATCH] basic/unit-name: adjust comments
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
We already checked for "too long" right above…
Related: #1984299
(cherry picked from commit 4e2544c30bfb95e7cb4d1551ba066b1a56520ad6)
---
src/basic/unit-name.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/basic/unit-name.c b/src/basic/unit-name.c
index a22763443f..1deead7458 100644
--- a/src/basic/unit-name.c
+++ b/src/basic/unit-name.c
@@ -528,7 +528,7 @@ int unit_name_from_path(const char *path, const char *suffix, char **ret) {
if (strlen(s) >= UNIT_NAME_MAX) /* Return a slightly more descriptive error for this specific condition */
return -ENAMETOOLONG;
- /* Refuse this if this got too long or for some other reason didn't result in a valid name */
+ /* Refuse if this for some other reason didn't result in a valid name */
if (!unit_name_is_valid(s, UNIT_NAME_PLAIN))
return -EINVAL;
@@ -562,7 +562,7 @@ int unit_name_from_path_instance(const char *prefix, const char *path, const cha
if (strlen(s) >= UNIT_NAME_MAX) /* Return a slightly more descriptive error for this specific condition */
return -ENAMETOOLONG;
- /* Refuse this if this got too long or for some other reason didn't result in a valid name */
+ /* Refuse if this for some other reason didn't result in a valid name */
if (!unit_name_is_valid(s, UNIT_NAME_INSTANCE))
return -EINVAL;

26
0004-Revert-rfkill-fix-the-format-string-to-prevent-compi.patch
View File

@ -1,26 +0,0 @@
From 1a19da5c83ee7775a98324aeff69b06b811e6784 Mon Sep 17 00:00:00 2001
From: Frantisek Sumsal <fsumsal@redhat.com>
Date: Fri, 14 May 2021 16:25:51 +0200
Subject: [PATCH] Revert "rfkill: fix the format string to prevent compilation
error"
This reverts commit 54f0c86b083a4782e37754d3bbe27d4d81c53d23.
Resolves: #1931710
---
src/rfkill/rfkill.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/rfkill/rfkill.c b/src/rfkill/rfkill.c
index 0b6ba65c3a..6126e9b0c4 100644
--- a/src/rfkill/rfkill.c
+++ b/src/rfkill/rfkill.c
@@ -336,7 +336,7 @@ static int run(int argc, char *argv[]) {
}
if ((size_t) l < RFKILL_EVENT_SIZE_V1)
- return log_error_errno(SYNTHETIC_ERRNO(EIO), "Short read of struct rfkill_event: (%zd < %lu)",
+ return log_error_errno(SYNTHETIC_ERRNO(EIO), "Short read of struct rfkill_event: (%zd < %d)",
l, RFKILL_EVENT_SIZE_V1);
log_debug("Reading struct rfkill_event: got %zd bytes.", l);

27
0004-tmpfiles-don-t-create-resolv.conf-stub-resolv.conf-s.patch Normal file
View File

@ -0,0 +1,27 @@
From ae1b3df445f9f9e27fa6a42602d4eb1db92df7a0 Mon Sep 17 00:00:00 2001
From: Michal Sekletar <msekleta@redhat.com>
Date: Thu, 5 Aug 2021 17:11:47 +0200
Subject: [PATCH] tmpfiles: don't create resolv.conf -> stub-resolv.conf
symlink
RHEL-only
Resolves: #1989472
---
tmpfiles.d/etc.conf.in | 3 ---
1 file changed, 3 deletions(-)
diff --git a/tmpfiles.d/etc.conf.in b/tmpfiles.d/etc.conf.in
index 2323fd8cd8..ebdc699c26 100644
--- a/tmpfiles.d/etc.conf.in
+++ b/tmpfiles.d/etc.conf.in
@@ -12,9 +12,6 @@ L+ /etc/mtab - - - - ../proc/self/mounts
{% if HAVE_SMACK_RUN_LABEL %}
t /etc/mtab - - - - security.SMACK64=_
{% endif %}
-{% if ENABLE_RESOLVE %}
-L! /etc/resolv.conf - - - - ../run/systemd/resolve/stub-resolv.conf
-{% endif %}
C! /etc/nsswitch.conf - - - -
{% if HAVE_PAM %}
C! /etc/pam.d - - - -

78
0005-Copy-40-redhat.rules-from-RHEL-8.patch Normal file
View File

@ -0,0 +1,78 @@
From ddf558cda4afe6b81586887bcbb8d0ea376c7e71 Mon Sep 17 00:00:00 2001
From: David Tardon <dtardon@redhat.com>
Date: Fri, 2 Jul 2021 13:25:51 +0200
Subject: [PATCH] Copy 40-redhat.rules from RHEL-8
RHEL-only
Resolves: #1978639
---
rules.d/40-redhat.rules | 46 +++++++++++++++++++++++++++++++++++++++++
rules.d/meson.build | 1 +
2 files changed, 47 insertions(+)
create mode 100644 rules.d/40-redhat.rules
diff --git a/rules.d/40-redhat.rules b/rules.d/40-redhat.rules
new file mode 100644
index 0000000000..3c95cd2df0
--- /dev/null
+++ b/rules.d/40-redhat.rules
@@ -0,0 +1,46 @@
+# do not edit this file, it will be overwritten on update
+
+# CPU hotadd request
+SUBSYSTEM=="cpu", ACTION=="add", TEST=="online", ATTR{online}=="0", ATTR{online}="1"
+
+# Memory hotadd request
+SUBSYSTEM!="memory", GOTO="memory_hotplug_end"
+ACTION!="add", GOTO="memory_hotplug_end"
+CONST{arch}=="s390*", GOTO="memory_hotplug_end"
+CONST{arch}=="ppc64*", GOTO="memory_hotplug_end"
+
+ENV{.state}="online"
+CONST{virt}=="none", ENV{.state}="online_movable"
+ATTR{state}=="offline", ATTR{state}="$env{.state}"
+
+LABEL="memory_hotplug_end"
+
+# reload sysctl.conf / sysctl.conf.d settings when the bridge module is loaded
+ACTION=="add", SUBSYSTEM=="module", KERNEL=="bridge", RUN+="/usr/lib/systemd/systemd-sysctl --prefix=/proc/sys/net/bridge"
+
+# load SCSI generic (sg) driver
+SUBSYSTEM=="scsi", ENV{DEVTYPE}=="scsi_device", TEST!="[module/sg]", RUN+="/sbin/modprobe -bv sg"
+SUBSYSTEM=="scsi", ENV{DEVTYPE}=="scsi_target", TEST!="[module/sg]", RUN+="/sbin/modprobe -bv sg"
+
+# Rule for prandom character device node permissions
+KERNEL=="prandom", MODE="0644"
+
+# Rules for creating the ID_PATH for SCSI devices based on the CCW bus
+# using the form: ccw-<BUS_ID>-zfcp-<WWPN>:<LUN>
+#
+ACTION=="remove", GOTO="zfcp_scsi_device_end"
+
+#
+# Set environment variable "ID_ZFCP_BUS" to "1" if the devices
+# (both disk and partition) are SCSI devices based on FCP devices
+#
+KERNEL=="sd*", SUBSYSTEMS=="ccw", DRIVERS=="zfcp", ENV{.ID_ZFCP_BUS}="1"
+
+# For SCSI disks
+KERNEL=="sd*[!0-9]", SUBSYSTEMS=="scsi", ENV{.ID_ZFCP_BUS}=="1", ENV{DEVTYPE}=="disk", SYMLINK+="disk/by-path/ccw-$attr{hba_id}-zfcp-$attr{wwpn}:$attr{fcp_lun}"
+
+
+# For partitions on a SCSI disk
+KERNEL=="sd*[0-9]", SUBSYSTEMS=="scsi", ENV{.ID_ZFCP_BUS}=="1", ENV{DEVTYPE}=="partition", SYMLINK+="disk/by-path/ccw-$attr{hba_id}-zfcp-$attr{wwpn}:$attr{fcp_lun}-part%n"
+
+LABEL="zfcp_scsi_device_end"
diff --git a/rules.d/meson.build b/rules.d/meson.build
index 598649a562..72632979fa 100644
--- a/rules.d/meson.build
+++ b/rules.d/meson.build
@@ -5,6 +5,7 @@ install_data(
install_dir : udevrulesdir)
rules = files('''
+ 40-redhat.rules
60-autosuspend.rules
60-block.rules
60-cdrom_id.rules

34
0005-Revert-rfkill-don-t-compare-values-of-different-sign.patch
View File

@ -1,34 +0,0 @@
From 0f0bf5f2adef31405a51a470d1ce268390cf403c Mon Sep 17 00:00:00 2001
From: Frantisek Sumsal <fsumsal@redhat.com>
Date: Fri, 14 May 2021 16:25:52 +0200
Subject: [PATCH] Revert "rfkill: don't compare values of different signedness"
This reverts commit 01095757986d9c93151cab01bb39d888c2094a78.
Resolves: #1931710
---
src/rfkill/rfkill.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/rfkill/rfkill.c b/src/rfkill/rfkill.c
index 6126e9b0c4..e2d1a1be5f 100644
--- a/src/rfkill/rfkill.c
+++ b/src/rfkill/rfkill.c
@@ -177,7 +177,7 @@ static int load_state(Context *c, const struct rfkill_event *event) {
ssize_t l = write(c->rfkill_fd, &we, sizeof we);
if (l < 0)
return log_error_errno(errno, "Failed to restore rfkill state for %i: %m", event->idx);
- if ((size_t) l < RFKILL_EVENT_SIZE_V1)
+ if (l < RFKILL_EVENT_SIZE_V1)
return log_error_errno(SYNTHETIC_ERRNO(EIO),
"Couldn't write rfkill event structure, too short (wrote %zd of %zu bytes).",
l, sizeof we);
@@ -335,7 +335,7 @@ static int run(int argc, char *argv[]) {
break;
}
- if ((size_t) l < RFKILL_EVENT_SIZE_V1)
+ if (l < RFKILL_EVENT_SIZE_V1)
return log_error_errno(SYNTHETIC_ERRNO(EIO), "Short read of struct rfkill_event: (%zd < %d)",
l, RFKILL_EVENT_SIZE_V1);
log_debug("Reading struct rfkill_event: got %zd bytes.", l);

47
0006-Avoid-tmp-being-mounted-as-tmpfs-without-the-user-s-.patch Normal file
View File

@ -0,0 +1,47 @@
From d77095927682f5a6921d3825256743eb8f5e6e1b Mon Sep 17 00:00:00 2001
From: Jan Synacek <jsynacek@redhat.com>
Date: Tue, 15 May 2018 09:24:20 +0200
Subject: [PATCH] Avoid /tmp being mounted as tmpfs without the user's will
Ensure PrivateTmp doesn't require tmpfs through tmp.mount, but rather
adds an After relationship.
RHEL-only
Resolves: #1959826
(cherry picked from commit f58c5ced373c2532b5cc44ba2e0c3a28b41472f2)
---
src/core/unit.c | 7 +------
units/basic.target | 3 ++-
2 files changed, 3 insertions(+), 7 deletions(-)
diff --git a/src/core/unit.c b/src/core/unit.c
index 30afd5a776..d9cd0c229a 100644
--- a/src/core/unit.c
+++ b/src/core/unit.c
@@ -1266,12 +1266,7 @@ int unit_add_exec_dependencies(Unit *u, ExecContext *c) {
}
if (c->private_tmp) {
-
- /* FIXME: for now we make a special case for /tmp and add a weak dependency on
- * tmp.mount so /tmp being masked is supported. However there's no reason to treat
- * /tmp specifically and masking other mount units should be handled more
- * gracefully too, see PR#16894. */
- r = unit_add_two_dependencies_by_name(u, UNIT_AFTER, UNIT_WANTS, "tmp.mount", true, UNIT_DEPENDENCY_FILE);
+ r = unit_add_dependency_by_name(u, UNIT_AFTER, "tmp.mount", true, UNIT_DEPENDENCY_FILE);
if (r < 0)
return r;
diff --git a/units/basic.target b/units/basic.target
index d8cdd5ac14..9eae0782a2 100644
--- a/units/basic.target
+++ b/units/basic.target
@@ -19,4 +19,5 @@ After=sysinit.target sockets.target paths.target slices.target tmp.mount
# require /var and /var/tmp, but only add a Wants= type dependency on /tmp, as
# we support that unit being masked, and this should not be considered an error.
RequiresMountsFor=/var /var/tmp
-Wants=tmp.mount
+# RHEL-only: Disable /tmp on tmpfs.
+#Wants=tmp.mount

38
0006-rfkill-add-some-casts-to-silence-Werror-sign-compare.patch
View File

@ -1,38 +0,0 @@
From 4b396f2546551c81621531d913e0dfab41be522c Mon Sep 17 00:00:00 2001
From: Luca Boccassi <luca.boccassi@microsoft.com>
Date: Tue, 13 Apr 2021 13:17:53 +0100
Subject: [PATCH] rfkill: add some casts to silence -Werror=sign-compare
(cherry picked from commit ab1aa6368a883bce88e3162fee2bea14aacedf23)
Resolves: #1931710
---
src/rfkill/rfkill.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/rfkill/rfkill.c b/src/rfkill/rfkill.c
index e2d1a1be5f..bff1a2886b 100644
--- a/src/rfkill/rfkill.c
+++ b/src/rfkill/rfkill.c
@@ -177,7 +177,7 @@ static int load_state(Context *c, const struct rfkill_event *event) {
ssize_t l = write(c->rfkill_fd, &we, sizeof we);
if (l < 0)
return log_error_errno(errno, "Failed to restore rfkill state for %i: %m", event->idx);
- if (l < RFKILL_EVENT_SIZE_V1)
+ if ((size_t)l < RFKILL_EVENT_SIZE_V1) /* l cannot be < 0 here. Cast to fix -Werror=sign-compare */
return log_error_errno(SYNTHETIC_ERRNO(EIO),
"Couldn't write rfkill event structure, too short (wrote %zd of %zu bytes).",
l, sizeof we);
@@ -335,9 +335,9 @@ static int run(int argc, char *argv[]) {
break;
}
- if (l < RFKILL_EVENT_SIZE_V1)
- return log_error_errno(SYNTHETIC_ERRNO(EIO), "Short read of struct rfkill_event: (%zd < %d)",
- l, RFKILL_EVENT_SIZE_V1);
+ if ((size_t)l < RFKILL_EVENT_SIZE_V1) /* l cannot be < 0 here. Cast to fix -Werror=sign-compare */
+ return log_error_errno(SYNTHETIC_ERRNO(EIO), "Short read of struct rfkill_event: (%zd < %zu)",
+ l, (size_t) RFKILL_EVENT_SIZE_V1); /* Casting necessary to make compiling with different kernel versions happy */
log_debug("Reading struct rfkill_event: got %zd bytes.", l);
/* The event structure has more fields. We only care about the first few, so it's OK if we

102
0007-core-allow-omitting-second-part-of-LoadCredentials-a.patch
View File

@ -1,102 +0,0 @@
From 5aa097c851aebc056871485c35e65d8badc8f69f Mon Sep 17 00:00:00 2001
From: Lennart Poettering <lennart@poettering.net>
Date: Thu, 11 Mar 2021 10:02:46 +0100
Subject: [PATCH] core: allow omitting second part of LoadCredentials= argument
This allows "LoadCredentials=foo" to be used as shortcut for
"LoadCredentials=foo:foo", i.e. it's a very short way to inherit a
credential under its original name from the service manager into a
service.
(cherry picked from commit 8a29862e32fc7981fe16fc8dd79ad6863a8dc486)
Resolves: #1949568
---
man/systemd.exec.xml | 30 ++++++++++++++++--------------
src/core/load-fragment.c | 25 +++++++++++++++++--------
2 files changed, 33 insertions(+), 22 deletions(-)
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index 5bb9af3e7d..6ae630f615 100644
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -2821,7 +2821,7 @@ StandardInputData=SWNrIHNpdHplIGRhIHVuJyBlc3NlIEtsb3BzLAp1ZmYgZWVtYWwga2xvcHAncy
<variablelist class='unit-directives'>
<varlistentry>
- <term><varname>LoadCredential=</varname><replaceable>ID</replaceable>:<replaceable>PATH</replaceable></term>
+ <term><varname>LoadCredential=</varname><replaceable>ID</replaceable><optional>:<replaceable>PATH</replaceable></optional></term>
<listitem><para>Pass a credential to the unit. Credentials are limited-size binary or textual objects
that may be passed to unit processes. They are primarily used for passing cryptographic keys (both
@@ -2834,19 +2834,21 @@ StandardInputData=SWNrIHNpdHplIGRhIHVuJyBlc3NlIEtsb3BzLAp1ZmYgZWVtYWwga2xvcHAncy
environment variable to the unit's processes.</para>
<para>The <varname>LoadCredential=</varname> setting takes a textual ID to use as name for a
- credential plus a file system path. The ID must be a short ASCII string suitable as filename in the
- filesystem, and may be chosen freely by the user. If the specified path is absolute it is opened as
- regular file and the credential data is read from it. If the absolute path refers to an
- <constant>AF_UNIX</constant> stream socket in the file system a connection is made to it (only once
- at unit start-up) and the credential data read from the connection, providing an easy IPC integration
- point for dynamically providing credentials from other services. If the specified path is not
- absolute and itself qualifies as valid credential identifier it is understood to refer to a
- credential that the service manager itself received via the <varname>$CREDENTIALS_DIRECTORY</varname>
- environment variable, which may be used to propagate credentials from an invoking environment (e.g. a
- container manager that invoked the service manager) into a service. The contents of the file/socket
- may be arbitrary binary or textual data, including newline characters and <constant>NUL</constant>
- bytes. This option may be used multiple times, each time defining an additional credential to pass to
- the unit.</para>
+ credential plus a file system path, separated by a colon. The ID must be a short ASCII string
+ suitable as filename in the filesystem, and may be chosen freely by the user. If the specified path
+ is absolute it is opened as regular file and the credential data is read from it. If the absolute
+ path refers to an <constant>AF_UNIX</constant> stream socket in the file system a connection is made
+ to it (only once at unit start-up) and the credential data read from the connection, providing an
+ easy IPC integration point for dynamically providing credentials from other services. If the
+ specified path is not absolute and itself qualifies as valid credential identifier it is understood
+ to refer to a credential that the service manager itself received via the
+ <varname>$CREDENTIALS_DIRECTORY</varname> environment variable, which may be used to propagate
+ credentials from an invoking environment (e.g. a container manager that invoked the service manager)
+ into a service. The contents of the file/socket may be arbitrary binary or textual data, including
+ newline characters and <constant>NUL</constant> bytes. If the file system path is omitted it is
+ chosen identical to the credential name, i.e. this is a terse way do declare credentials to inherit
+ from the service manager into a service. This option may be used multiple times, each time defining
+ an additional credential to pass to the unit.</para>
<para>The credential files/IPC sockets must be accessible to the service manager, but don't have to
be directly accessible to the unit's processes: the credential data is read and copied into separate,
diff --git a/src/core/load-fragment.c b/src/core/load-fragment.c
index c6fc4fe083..6a998bb801 100644
--- a/src/core/load-fragment.c
+++ b/src/core/load-fragment.c
@@ -4606,14 +4606,23 @@ int config_parse_load_credential(
log_syntax(unit, LOG_WARNING, filename, line, 0, "Credential name \"%s\" not valid, ignoring.", k);
return 0;
}
- r = unit_full_printf(u, p, &q);
- if (r < 0) {
- log_syntax(unit, LOG_WARNING, filename, line, r, "Failed to resolve unit specifiers in \"%s\", ignoring: %m", p);
- return 0;
- }
- if (path_is_absolute(q) ? !path_is_normalized(q) : !credential_name_valid(q)) {
- log_syntax(unit, LOG_WARNING, filename, line, r, "Credential source \"%s\" not valid, ignoring.", q);
- return 0;
+
+ if (isempty(p)) {
+ /* If only one field field is specified take it as shortcut for inheriting a credential named
+ * the same way from our parent */
+ q = strdup(k);
+ if (!q)
+ return log_oom();
+ } else {
+ r = unit_full_printf(u, p, &q);
+ if (r < 0) {
+ log_syntax(unit, LOG_WARNING, filename, line, r, "Failed to resolve unit specifiers in \"%s\", ignoring: %m", p);
+ return 0;
+ }
+ if (path_is_absolute(q) ? !path_is_normalized(q) : !credential_name_valid(q)) {
+ log_syntax(unit, LOG_WARNING, filename, line, r, "Credential source \"%s\" not valid, ignoring.", q);
+ return 0;
+ }
}
r = strv_consume_pair(&context->load_credentials, TAKE_PTR(k), TAKE_PTR(q));

40
0007-unit-don-t-add-Requires-for-tmp.mount.patch Normal file
View File

@ -0,0 +1,40 @@
From 209af66ef66a67a9cafa5a1d6364ce436cd593aa Mon Sep 17 00:00:00 2001
From: Lukas Nykryn <lnykryn@redhat.com>
Date: Mon, 5 Sep 2016 12:47:09 +0200
Subject: [PATCH] unit: don't add Requires for tmp.mount
rhel-only
Resolves: #1619292
(cherry picked from commit 03e52d33bbdea731eaa79545bb1d30c5b21abe3d)
---
src/core/mount.c | 2 +-
src/core/unit.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/core/mount.c b/src/core/mount.c
index 053deac14d..1fd3102ad3 100644
--- a/src/core/mount.c
+++ b/src/core/mount.c
@@ -343,7 +343,7 @@ static int mount_add_mount_dependencies(Mount *m) {
if (r < 0)
return r;
- if (UNIT(m)->fragment_path) {
+ if (UNIT(m)->fragment_path && !streq(UNIT(m)->id, "tmp.mount")) {
/* If we have fragment configuration, then make this dependency required */
r = unit_add_dependency(other, UNIT_REQUIRES, UNIT(m), true, UNIT_DEPENDENCY_PATH);
if (r < 0)
diff --git a/src/core/unit.c b/src/core/unit.c
index d9cd0c229a..371dda7e29 100644
--- a/src/core/unit.c
+++ b/src/core/unit.c
@@ -1506,7 +1506,7 @@ static int unit_add_mount_dependencies(Unit *u) {
if (r < 0)
return r;
- if (m->fragment_path) {
+ if (m->fragment_path && !streq(m->id, "tmp.mount")) {
r = unit_add_dependency(u, UNIT_REQUIRES, m, true, di.origin_mask);
if (r < 0)
return r;

25
0008-units-add-Install-section-to-tmp.mount.patch Normal file
View File

@ -0,0 +1,25 @@
From c54ec17a683866f8e74f0d78c19369a6e86e46f3 Mon Sep 17 00:00:00 2001
From: Jan Synacek <jsynacek@redhat.com>
Date: Tue, 22 Jan 2019 10:28:42 +0100
Subject: [PATCH] units: add [Install] section to tmp.mount
RHEL-only
Related: #1959826
(cherry picked from commit bb3d205bea1c83cbd0e27b504f5f1faa884fb602)
---
units/tmp.mount | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/units/tmp.mount b/units/tmp.mount
index 516bd1621c..fc1812111e 100644
--- a/units/tmp.mount
+++ b/units/tmp.mount
@@ -23,3 +23,7 @@ What=tmpfs
Where=/tmp
Type=tmpfs
Options=mode=1777,strictatime,nosuid,nodev,size=50%,nr_inodes=400k
+
+# Make 'systemctl enable tmp.mount' work:
+[Install]
+WantedBy=local-fs.target

29
0009-rc-local-order-after-network-online.target.patch Normal file
View File

@ -0,0 +1,29 @@
From 10c26ebc7cd9bff3d73ff9a89ddec44bde88e4cd Mon Sep 17 00:00:00 2001
From: David Tardon <dtardon@redhat.com>
Date: Thu, 11 Mar 2021 15:48:23 +0100
Subject: [PATCH] rc-local: order after network-online.target
I think this was the intent of commit 91b684c7300879a8d2006038f7d9185d92c3c3bf,
just network-online.target didn't exist back then.
RHEL-only
Resolves: #1954429
---
units/rc-local.service.in | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/units/rc-local.service.in b/units/rc-local.service.in
index 55e83dfe00..0eee722154 100644
--- a/units/rc-local.service.in
+++ b/units/rc-local.service.in
@@ -13,7 +13,8 @@
Description={{RC_LOCAL_PATH}} Compatibility
Documentation=man:systemd-rc-local-generator(8)
ConditionFileIsExecutable={{RC_LOCAL_PATH}}
-After=network.target
+After=network-online.target
+Wants=network-online.target
[Service]
Type=forking

284
0010-ci-drop-CIs-irrelevant-for-downstream.patch Normal file
View File

@ -0,0 +1,284 @@
From b3c617b8d0fb95322e203842d2ac68593a4acdcd Mon Sep 17 00:00:00 2001
From: Frantisek Sumsal <frantisek@sumsal.cz>
Date: Sun, 18 Apr 2021 20:46:06 +0200
Subject: [PATCH] ci: drop CIs irrelevant for downstream
* CIFuzz would need a separate project in oss-fuzz
* Coverity would also need a separate project
* the Labeler action is superfluous, since we already have a bot for
that
* mkosi testing on other distros is irrelevant for downstream RHEL
repo
Resolves: #1960703
rhel-only
---
.github/labeler.yml | 38 ------------------
.github/workflows/cifuzz.yml | 47 ----------------------
.github/workflows/coverity.yml | 39 -------------------
.github/workflows/labeler.yml | 13 -------
.github/workflows/mkosi.yml | 58 ----------------------------
.github/workflows/test_mkosi_boot.py | 24 ------------
6 files changed, 219 deletions(-)
delete mode 100644 .github/labeler.yml
delete mode 100644 .github/workflows/cifuzz.yml
delete mode 100644 .github/workflows/coverity.yml
delete mode 100644 .github/workflows/labeler.yml
delete mode 100644 .github/workflows/mkosi.yml
delete mode 100755 .github/workflows/test_mkosi_boot.py
diff --git a/.github/labeler.yml b/.github/labeler.yml
deleted file mode 100644
index 773d575004..0000000000
--- a/.github/labeler.yml
+++ /dev/null
@@ -1,38 +0,0 @@
-hwdb:
- - hwdb.d/**/*
-units:
- - units/**/*
-documentation:
- - NEWS
- - docs/*
-network:
- - src/libsystemd-network/**/*
- - src/network/**/*
-udev:
- - src/udev/**/*
- - src/libudev/*
-selinux:
- - '**/*selinux*'
-apparmor:
- - '**/*apparmor*'
-meson:
- - meson_option.txt
-mkosi:
- - .mkosi/*
- - mkosi.build
-busctl:
- - src/busctl/*
-systemctl:
- - src/systemctl/*
-journal:
- - src/journal/*
-journal-remote:
- - src/journal-remote/*
-portable:
- - src/portable/**/*
-resolve:
- - src/resolve/*
-timedate:
- - src/timedate/*
-timesync:
- - src/timesync/*
diff --git a/.github/workflows/cifuzz.yml b/.github/workflows/cifuzz.yml
deleted file mode 100644
index 14d81a67ff..0000000000
--- a/.github/workflows/cifuzz.yml
+++ /dev/null
@@ -1,47 +0,0 @@
----
-# vi: ts=2 sw=2 et:
-# See: https://google.github.io/oss-fuzz/getting-started/continuous-integration/
-
-name: CIFuzz
-on:
- pull_request:
- paths:
- - '**/meson.build'
- - '.github/workflows/**'
- - 'meson_options.txt'
- - 'src/**'
- - 'test/fuzz/**'
- - 'tools/oss-fuzz.sh'
- push:
- branches:
- - main
-jobs:
- Fuzzing:
- runs-on: ubuntu-latest
- if: github.repository == 'systemd/systemd'
- strategy:
- fail-fast: false
- matrix:
- sanitizer: [address, undefined, memory]
- steps:
- - name: Build Fuzzers (${{ matrix.sanitizer }})
- id: build
- uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master
- with:
- oss-fuzz-project-name: 'systemd'
- dry-run: false
- allowed-broken-targets-percentage: 0
- sanitizer: ${{ matrix.sanitizer }}
- - name: Run Fuzzers (${{ matrix.sanitizer }})
- uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@master
- with:
- oss-fuzz-project-name: 'systemd'
- fuzz-seconds: 600
- dry-run: false
- sanitizer: ${{ matrix.sanitizer }}
- - name: Upload Crash
- uses: actions/upload-artifact@v1
- if: failure() && steps.build.outcome == 'success'
- with:
- name: ${{ matrix.sanitizer }}-artifacts
- path: ./out/artifacts
diff --git a/.github/workflows/coverity.yml b/.github/workflows/coverity.yml
deleted file mode 100644
index a0eb0f01fd..0000000000
--- a/.github/workflows/coverity.yml
+++ /dev/null
@@ -1,39 +0,0 @@
----
-# vi: ts=2 sw=2 et:
-#
-name: Coverity
-
-on:
- schedule:
- # Run Coverity daily at midnight
- - cron: '0 0 * * *'
-
-jobs:
- build:
- runs-on: ubuntu-20.04
- if: github.repository == 'systemd/systemd'
- env:
- COVERITY_SCAN_BRANCH_PATTERN: "${{ github.ref}}"
- COVERITY_SCAN_NOTIFICATION_EMAIL: ""
- COVERITY_SCAN_PROJECT_NAME: "${{ github.repository }}"
- # Set in repo settings -> secrets -> repository secrets
- COVERITY_SCAN_TOKEN: "${{ secrets.COVERITY_SCAN_TOKEN }}"
- CURRENT_REF: "${{ github.ref }}"
- steps:
- - name: Repository checkout
- uses: actions/checkout@v1
- # https://docs.github.com/en/free-pro-team@latest/actions/reference/workflow-commands-for-github-actions#setting-an-environment-variable
- - name: Set the $COVERITY_SCAN_NOTIFICATION_EMAIL env variable
- run: echo "COVERITY_SCAN_NOTIFICATION_EMAIL=$(git log -1 ${{ github.sha }} --pretty=\"%aE\")" >> $GITHUB_ENV
- - name: Install Coverity tools
- run: tools/get-coverity.sh
- # Reuse the setup phase of the unit test script to avoid code duplication
- - name: Install build dependencies
- run: sudo -E .github/workflows/unit_tests.sh SETUP
- # Preconfigure with meson to prevent Coverity from capturing meson metadata
- - name: Preconfigure the build directory
- run: meson cov-build -Dman=false
- - name: Build
- run: tools/coverity.sh build
- - name: Upload the results
- run: tools/coverity.sh upload
diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
deleted file mode 100644
index 76d67a3a5c..0000000000
--- a/.github/workflows/labeler.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-name: "Pull Request Labeler"
-on:
-- pull_request_target
-
-jobs:
- triage:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/labeler@main
- with:
- repo-token: "${{ secrets.GITHUB_TOKEN }}"
- configuration-path: .github/labeler.yml
- sync-labels: "" # This is a workaround for issue 18671
diff --git a/.github/workflows/mkosi.yml b/.github/workflows/mkosi.yml
deleted file mode 100644
index babdf7ae6e..0000000000
--- a/.github/workflows/mkosi.yml
+++ /dev/null
@@ -1,58 +0,0 @@
-name: mkosi
-
-# Simple boot tests that build and boot the mkosi images generated by the mkosi config files in .mkosi.
-
-on:
- push:
- branches:
- - main
- pull_request:
- branches:
- - main
-
-jobs:
- ci:
- runs-on: ubuntu-20.04
- strategy:
- fail-fast: false
- matrix:
- distro:
- - arch
- - debian
- - ubuntu
- - fedora
-
- steps:
- - uses: actions/checkout@v2
- - uses: systemd/mkosi@v9
-
- - name: Install
- run: sudo apt-get update && sudo apt-get install --no-install-recommends python3-pexpect python3-jinja2
-
- - name: Symlink
- run: ln -s .mkosi/mkosi.${{ matrix.distro }} mkosi.default
-
- # Ubuntu's systemd-nspawn doesn't support faccessat2() syscall, which is
- # required, since current Arch's glibc implements faccessat() via faccessat2().
- - name: Update systemd-nspawn
- if: ${{ matrix.distro == 'arch' }}
- run: |
- echo "deb-src http://archive.ubuntu.com/ubuntu/ $(lsb_release -cs) main restricted universe multiverse" | sudo tee -a /etc/apt/sources.list
- sudo apt update
- sudo apt build-dep systemd
- meson build
- ninja -C build
- sudo ln -svf $PWD/build/systemd-nspawn `which systemd-nspawn`
- systemd-nspawn --version
-
- - name: Build ${{ matrix.distro }}
- run: sudo python3 -m mkosi --password= --qemu-headless build
-
- - name: Show ${{ matrix.distro }} image summary
- run: sudo python3 -m mkosi --password= --qemu-headless summary
-
- - name: Boot ${{ matrix.distro }} systemd-nspawn
- run: sudo ./.github/workflows/test_mkosi_boot.py python3 -m mkosi --password= --qemu-headless boot
-
- - name: Boot ${{ matrix.distro }} QEMU
- run: sudo ./.github/workflows/test_mkosi_boot.py python3 -m mkosi --password= --qemu-headless qemu
diff --git a/.github/workflows/test_mkosi_boot.py b/.github/workflows/test_mkosi_boot.py
deleted file mode 100755
index 3418fd3a51..0000000000
--- a/.github/workflows/test_mkosi_boot.py
+++ /dev/null
@@ -1,24 +0,0 @@
-#!/usr/bin/env python3
-# SPDX-License-Identifier: LGPL-2.1-or-later
-
-import pexpect
-import sys
-
-
-def run() -> None:
- p = pexpect.spawnu(" ".join(sys.argv[1:]), logfile=sys.stdout, timeout=300)
-
- p.expect("#")
- p.sendline("systemctl poweroff")
-
- p.expect(pexpect.EOF)
-
-
-try:
- run()
-except pexpect.EOF:
- print("UNEXPECTED EOF")
- sys.exit(1)
-except pexpect.TIMEOUT:
- print("TIMED OUT")
- sys.exit(1)

60
0011-ci-reconfigure-Packit-for-RHEL-9.patch Normal file
View File

@ -0,0 +1,60 @@
From b00b4b76e8a7267db2dc54a5d23272a6586770da Mon Sep 17 00:00:00 2001
From: Frantisek Sumsal <frantisek@sumsal.cz>
Date: Wed, 9 Jun 2021 15:23:59 +0200
Subject: [PATCH] ci: reconfigure Packit for RHEL 9
Resolves: #1960703
rhel-only
---
.packit.yml | 27 ++++++++++++++++++---------
1 file changed, 18 insertions(+), 9 deletions(-)
diff --git a/.packit.yml b/.packit.yml
index 4545e30e08..3461bccbc5 100644
--- a/.packit.yml
+++ b/.packit.yml
@@ -16,14 +16,12 @@ upstream_tag_template: "v{version}"
actions:
post-upstream-clone:
- # Use the Fedora Rawhide specfile
- - "git clone https://src.fedoraproject.org/rpms/systemd .packit_rpm --depth=1"
+ # Use the CentOS Stream specfile
+ - "git clone https://gitlab.com/redhat/centos-stream/rpms/systemd.git .packit_rpm --depth=1"
# Drop the "sources" file so rebase-helper doesn't think we're a dist-git
- "rm -fv .packit_rpm/sources"
- # Drop backported patches from the specfile, but keep the downstream-only ones
- # - Patch0000-0499: backported patches from upstream
- # - Patch0500-9999: downstream-only patches
- - "sed -ri '/^Patch0[0-4]?[0-9]{0,2}\\:.+\\.patch/d' .packit_rpm/systemd.spec"
+ # Drop all patches, since they're already included in the tarball
+ - "sed -ri '/^Patch[0-9]+:/d' .packit_rpm/systemd.spec"
# Build the RPM with --werror. Even though --werror doesn't work in all
# cases (see [0]), we can't use -Dc_args=/-Dcpp_args= here because of the
# RPM hardening macros, that use $CFLAGS/$CPPFLAGS (see [1]).
@@ -32,11 +30,22 @@ actions:
# [1] https://github.com/systemd/systemd/pull/18908#issuecomment-792250110
- 'sed -i "/^CONFIGURE_OPTS=(/a--werror" .packit_rpm/systemd.spec'
+# Available targets can be listed via `copr-cli list-chroots`
jobs:
+# Build test
- job: copr_build
trigger: pull_request
metadata:
targets:
- - fedora-rawhide-aarch64
- - fedora-rawhide-i386
- - fedora-rawhide-x86_64
+ # FIXME: change to CentOS 9 once it's available
+ - fedora-34-x86_64
+ - fedora-34-aarch64
+
+# TODO: can't use TFT yet due to https://pagure.io/fedora-ci/general/issue/184
+# Run tests (via testing farm)
+#- job: tests
+# trigger: pull_request
+# metadata:
+# targets:
+# # FIXME: change to CentOS 9 once it's available
+# - fedora-34-x86_64

27
0012-ci-run-unit-tests-on-z-stream-branches-as-well.patch Normal file
View File

@ -0,0 +1,27 @@
From ef23dd2793c19e9505ab1e70fff20b7ea184dc54 Mon Sep 17 00:00:00 2001
From: Frantisek Sumsal <frantisek@sumsal.cz>
Date: Thu, 15 Jul 2021 12:23:27 +0200
Subject: [PATCH] ci: run unit tests on z-stream branches as well
Resolves: #1960703
rhel-only
---
.github/workflows/unit_tests.yml | 5 +----
1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/.github/workflows/unit_tests.yml b/.github/workflows/unit_tests.yml
index ca1e6e0c30..e560bff830 100644
--- a/.github/workflows/unit_tests.yml
+++ b/.github/workflows/unit_tests.yml
@@ -2,10 +2,7 @@
# vi: ts=2 sw=2 et:
#
name: Unit tests
-on:
- pull_request:
- branches:
- - main
+on: [pull_request]
jobs:
build:

110
0013-Check-return-value-of-pam_get_item-pam_get_data-func.patch Normal file
View File

@ -0,0 +1,110 @@
From a311dc4ade908452d7920452a18ce411af0f6dd3 Mon Sep 17 00:00:00 2001
From: Riccardo Schirone <sirmy15@gmail.com>
Date: Thu, 17 Jun 2021 16:39:23 +0200
Subject: [PATCH] Check return value of pam_get_item/pam_get_data functions
(cherry picked from commit a22cbf85ed9863ba5c86681db89424747119ef0c)
Resolves: #1973210
---
src/login/pam_systemd.c | 66 ++++++++++++++++++++++++++++++++++-------
1 file changed, 55 insertions(+), 11 deletions(-)
diff --git a/src/login/pam_systemd.c b/src/login/pam_systemd.c
index f8bd17eefe..1b643d52ca 100644
--- a/src/login/pam_systemd.c
+++ b/src/login/pam_systemd.c
@@ -705,7 +705,11 @@ _public_ PAM_EXTERN int pam_sm_open_session(
* "systemd-user" we simply set XDG_RUNTIME_DIR and
* leave. */
- (void) pam_get_item(handle, PAM_SERVICE, (const void**) &service);
+ r = pam_get_item(handle, PAM_SERVICE, (const void**) &service);
+ if (!IN_SET(r, PAM_BAD_ITEM, PAM_SUCCESS)) {
+ pam_syslog(handle, LOG_ERR, "Failed to get PAM service: %s", pam_strerror(handle, r));
+ return r;
+ }
if (streq_ptr(service, "systemd-user")) {
char rt[STRLEN("/run/user/") + DECIMAL_STR_MAX(uid_t)];
@@ -719,10 +723,26 @@ _public_ PAM_EXTERN int pam_sm_open_session(
/* Otherwise, we ask logind to create a session for us */
- (void) pam_get_item(handle, PAM_XDISPLAY, (const void**) &display);
- (void) pam_get_item(handle, PAM_TTY, (const void**) &tty);
- (void) pam_get_item(handle, PAM_RUSER, (const void**) &remote_user);
- (void) pam_get_item(handle, PAM_RHOST, (const void**) &remote_host);
+ r = pam_get_item(handle, PAM_XDISPLAY, (const void**) &display);
+ if (!IN_SET(r, PAM_BAD_ITEM, PAM_SUCCESS)) {
+ pam_syslog(handle, LOG_ERR, "Failed to get PAM XDISPLAY: %s", pam_strerror(handle, r));
+ return r;
+ }
+ r = pam_get_item(handle, PAM_TTY, (const void**) &tty);
+ if (!IN_SET(r, PAM_BAD_ITEM, PAM_SUCCESS)) {
+ pam_syslog(handle, LOG_ERR, "Failed to get PAM TTY: %s", pam_strerror(handle, r));
+ return r;
+ }
+ r = pam_get_item(handle, PAM_RUSER, (const void**) &remote_user);
+ if (!IN_SET(r, PAM_BAD_ITEM, PAM_SUCCESS)) {
+ pam_syslog(handle, LOG_ERR, "Failed to get PAM RUSER: %s", pam_strerror(handle, r));
+ return r;
+ }
+ r = pam_get_item(handle, PAM_RHOST, (const void**) &remote_host);
+ if (!IN_SET(r, PAM_BAD_ITEM, PAM_SUCCESS)) {
+ pam_syslog(handle, LOG_ERR, "Failed to get PAM RHOST: %s", pam_strerror(handle, r));
+ return r;
+ }
seat = getenv_harder(handle, "XDG_SEAT", NULL);
cvtnr = getenv_harder(handle, "XDG_VTNR", NULL);
@@ -789,11 +809,31 @@ _public_ PAM_EXTERN int pam_sm_open_session(
remote = !isempty(remote_host) && !is_localhost(remote_host);
- (void) pam_get_data(handle, "systemd.memory_max", (const void **)&memory_max);
- (void) pam_get_data(handle, "systemd.tasks_max", (const void **)&tasks_max);
- (void) pam_get_data(handle, "systemd.cpu_weight", (const void **)&cpu_weight);
- (void) pam_get_data(handle, "systemd.io_weight", (const void **)&io_weight);
- (void) pam_get_data(handle, "systemd.runtime_max_sec", (const void **)&runtime_max_sec);
+ r = pam_get_data(handle, "systemd.memory_max", (const void **)&memory_max);
+ if (!IN_SET(r, PAM_SUCCESS, PAM_NO_MODULE_DATA)) {
+ pam_syslog(handle, LOG_ERR, "Failed to get PAM systemd.memory_max data: %s", pam_strerror(handle, r));
+ return r;
+ }
+ r = pam_get_data(handle, "systemd.tasks_max", (const void **)&tasks_max);
+ if (!IN_SET(r, PAM_SUCCESS, PAM_NO_MODULE_DATA)) {
+ pam_syslog(handle, LOG_ERR, "Failed to get PAM systemd.tasks_max data: %s", pam_strerror(handle, r));
+ return r;
+ }
+ r = pam_get_data(handle, "systemd.cpu_weight", (const void **)&cpu_weight);
+ if (!IN_SET(r, PAM_SUCCESS, PAM_NO_MODULE_DATA)) {
+ pam_syslog(handle, LOG_ERR, "Failed to get PAM systemd.cpu_weight data: %s", pam_strerror(handle, r));
+ return r;
+ }
+ r = pam_get_data(handle, "systemd.io_weight", (const void **)&io_weight);
+ if (!IN_SET(r, PAM_SUCCESS, PAM_NO_MODULE_DATA)) {
+ pam_syslog(handle, LOG_ERR, "Failed to get PAM systemd.io_weight data: %s", pam_strerror(handle, r));
+ return r;
+ }
+ r = pam_get_data(handle, "systemd.runtime_max_sec", (const void **)&runtime_max_sec);
+ if (!IN_SET(r, PAM_SUCCESS, PAM_NO_MODULE_DATA)) {
+ pam_syslog(handle, LOG_ERR, "Failed to get PAM systemd.runtime_max_sec data: %s", pam_strerror(handle, r));
+ return r;
+ }
/* Talk to logind over the message bus */
@@ -996,7 +1036,11 @@ _public_ PAM_EXTERN int pam_sm_close_session(
/* Only release session if it wasn't pre-existing when we
* tried to create it */
- (void) pam_get_data(handle, "systemd.existing", &existing);
+ r = pam_get_data(handle, "systemd.existing", &existing);
+ if (!IN_SET(r, PAM_SUCCESS, PAM_NO_MODULE_DATA)) {
+ pam_syslog(handle, LOG_ERR, "Failed to get PAM systemd.existing data: %s", pam_strerror(handle, r));
+ return r;
+ }
id = pam_getenv(handle, "XDG_SESSION_ID");
if (id && !existing) {

25
0014-random-util-increase-random-seed-size-to-1024.patch Normal file
View File

@ -0,0 +1,25 @@
From f1266682aca4a2ed3d85017527d1456cbe5d2f2a Mon Sep 17 00:00:00 2001
From: David Tardon <dtardon@redhat.com>
Date: Thu, 15 Jul 2021 11:15:17 +0200
Subject: [PATCH] random-util: increase random seed size to 1024
RHEL-only
Resolves: #1982603
---
src/basic/random-util.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/basic/random-util.h b/src/basic/random-util.h
index e6528ddc7f..fda78552f6 100644
--- a/src/basic/random-util.h
+++ b/src/basic/random-util.h
@@ -34,7 +34,7 @@ static inline uint32_t random_u32(void) {
int rdrand(unsigned long *ret);
/* Some limits on the pool sizes when we deal with the kernel random pool */
-#define RANDOM_POOL_SIZE_MIN 512U
+#define RANDOM_POOL_SIZE_MIN 1024U
#define RANDOM_POOL_SIZE_MAX (10U*1024U*1024U)
size_t random_pool_size(void);

41
0015-journal-don-t-enable-systemd-journald-audit.socket-b.patch Normal file
View File

@ -0,0 +1,41 @@
From d68134590110a93c383a7ae696ccf3717f20682a Mon Sep 17 00:00:00 2001
From: Jan Synacek <jsynacek@redhat.com>
Date: Thu, 2 May 2019 14:11:54 +0200
Subject: [PATCH] journal: don't enable systemd-journald-audit.socket by
default
RHEL-only
Resolves: #1973856
---
units/meson.build | 3 +--
units/systemd-journald.service.in | 2 +-
2 files changed, 2 insertions(+), 3 deletions(-)
diff --git a/units/meson.build b/units/meson.build
index 17e9ead9c1..68be8d0108 100644
--- a/units/meson.build
+++ b/units/meson.build
@@ -119,8 +119,7 @@ units = [
'sysinit.target.wants/'],
['systemd-journal-gatewayd.socket', 'ENABLE_REMOTE HAVE_MICROHTTPD'],
['systemd-journal-remote.socket', 'ENABLE_REMOTE HAVE_MICROHTTPD'],
- ['systemd-journald-audit.socket', '',
- 'sockets.target.wants/'],
+ ['systemd-journald-audit.socket', ''],
['systemd-journald-dev-log.socket', '',
'sockets.target.wants/'],
['systemd-journald.socket', '',
diff --git a/units/systemd-journald.service.in b/units/systemd-journald.service.in
index cd17b6b4e7..d981273b07 100644
--- a/units/systemd-journald.service.in
+++ b/units/systemd-journald.service.in
@@ -12,7 +12,7 @@ Description=Journal Service
Documentation=man:systemd-journald.service(8) man:journald.conf(5)
DefaultDependencies=no
Requires=systemd-journald.socket
-After=systemd-journald.socket systemd-journald-dev-log.socket systemd-journald-audit.socket syslog.socket
+After=systemd-journald.socket systemd-journald-dev-log.socket syslog.socket
Before=sysinit.target
[Service]

22
0016-journald.conf-don-t-touch-current-audit-settings.patch Normal file
View File

@ -0,0 +1,22 @@
From c040ffc7d27e2952bd6acccc1d8a351f31ba24db Mon Sep 17 00:00:00 2001
From: David Tardon <dtardon@redhat.com>
Date: Thu, 5 Aug 2021 15:26:13 +0200
Subject: [PATCH] journald.conf: don't touch current audit settings
RHEL-only
Related: #1973856
---
src/journal/journald.conf | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/journal/journald.conf b/src/journal/journald.conf
index 5a60a9d39c..3544da2112 100644
--- a/src/journal/journald.conf
+++ b/src/journal/journald.conf
@@ -44,4 +44,4 @@
#MaxLevelWall=emerg
#LineMax=48K
#ReadKMsg=yes
-#Audit=yes
+Audit=

34
systemd.spec
View File

@ -21,7 +21,7 @@
Name: systemd
Url: https://www.freedesktop.org/wiki/Software/systemd
Version: 249
Release: 1%{?dist}
Release: 2%{?dist}
# For a breakdown of the licensing, see README
License: LGPLv2+ and MIT and GPLv2+
Summary: System and Service Manager
@ -78,6 +78,21 @@ GIT_DIR=../../src/systemd/.git git diffab -M v233..master@{2017-06-15} -- hwdb/[
# RHEL-specific
Patch0001: 0001-logind-set-RemoveIPC-to-false-by-default.patch
Patch0002: 0002-basic-unit-name-do-not-use-strdupa-on-a-path.patch
Patch0003: 0003-basic-unit-name-adjust-comments.patch
Patch0004: 0004-tmpfiles-don-t-create-resolv.conf-stub-resolv.conf-s.patch
Patch0005: 0005-Copy-40-redhat.rules-from-RHEL-8.patch
Patch0006: 0006-Avoid-tmp-being-mounted-as-tmpfs-without-the-user-s-.patch
Patch0007: 0007-unit-don-t-add-Requires-for-tmp.mount.patch
Patch0008: 0008-units-add-Install-section-to-tmp.mount.patch
Patch0009: 0009-rc-local-order-after-network-online.target.patch
Patch0010: 0010-ci-drop-CIs-irrelevant-for-downstream.patch
Patch0011: 0011-ci-reconfigure-Packit-for-RHEL-9.patch
Patch0012: 0012-ci-run-unit-tests-on-z-stream-branches-as-well.patch
Patch0013: 0013-Check-return-value-of-pam_get_item-pam_get_data-func.patch
Patch0014: 0014-random-util-increase-random-seed-size-to-1024.patch
Patch0015: 0015-journal-don-t-enable-systemd-journald-audit.socket-b.patch
Patch0016: 0016-journald.conf-don-t-touch-current-audit-settings.patch
# Downstream-only patches (90009999)
# https://github.com/systemd/systemd/pull/17050
@ -835,6 +850,23 @@ getent passwd systemd-oom &>/dev/null || useradd -r -l -g systemd-oom -d / -s /s
%files standalone-sysusers -f .file-list-standalone-sysusers
%changelog
* Fri Aug 06 2021 systemd maintenance team <systemd-maint@redhat.com> - 249-2
- basic/unit-name: do not use strdupa() on a path (#1984299)
- basic/unit-name: adjust comments (#1984299)
- tmpfiles: don't create resolv.conf -> stub-resolv.conf symlink (#1989472)
- Copy 40-redhat.rules from RHEL-8 (#1978639)
- Avoid /tmp being mounted as tmpfs without the user's will (#1959826)
- unit: don't add Requires for tmp.mount (#1619292)
- units: add [Install] section to tmp.mount (#1959826)
- rc-local: order after network-online.target (#1954429)
- ci: drop CIs irrelevant for downstream (#1960703)
- ci: reconfigure Packit for RHEL 9 (#1960703)
- ci: run unit tests on z-stream branches as well (#1960703)
- Check return value of pam_get_item/pam_get_data functions (#1973210)
- random-util: increase random seed size to 1024 (#1982603)
- journal: don't enable systemd-journald-audit.socket by default (#1973856)
- journald.conf: don't touch current audit settings (#1973856)
* Mon Jul 12 2021 <msekleta@redhat.com> - 249-1
- Rebase to v249 (#1981276)