diff --git a/SOURCES/0839-basic-recognize-pdfs-filesystem-as-a-network-filesys.patch b/SOURCES/0839-basic-recognize-pdfs-filesystem-as-a-network-filesys.patch new file mode 100644 index 0000000..c7f889f --- /dev/null +++ b/SOURCES/0839-basic-recognize-pdfs-filesystem-as-a-network-filesys.patch @@ -0,0 +1,32 @@ +From 2fe9fb3e844d7991105c40d4363eed9069a6837d Mon Sep 17 00:00:00 2001 +From: Michal Sekletar +Date: Fri, 18 Nov 2022 16:16:36 +0100 +Subject: [PATCH] basic: recognize pdfs filesystem as a network filesystem + +Fujitsu advises their users to always use _netdev mount option with pdfs +mounts. Hence it makes sense to simply consider pdfs mounts as network +filesystem mounts. + +https://software.fujitsu.com/jp/manual/manualfiles/m130027/j2ul1563/02enz200/j1563-02-06-02-02.html + +RHEL-only + +Resolves: #2094661 +--- + src/basic/mount-util.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/src/basic/mount-util.c b/src/basic/mount-util.c +index e7f9e514c2..983566b46b 100644 +--- a/src/basic/mount-util.c ++++ b/src/basic/mount-util.c +@@ -634,7 +634,8 @@ bool fstype_is_network(const char *fstype) { + "glusterfs", + "pvfs2", /* OrangeFS */ + "ocfs2", +- "lustre"); ++ "lustre", ++ "pdfs"); + } + + bool fstype_is_api_vfs(const char *fstype) { diff --git a/SOURCES/0840-core-move-reset_arguments-to-the-end-of-main-s-finis.patch b/SOURCES/0840-core-move-reset_arguments-to-the-end-of-main-s-finis.patch new file mode 100644 index 0000000..a2696f8 --- /dev/null +++ b/SOURCES/0840-core-move-reset_arguments-to-the-end-of-main-s-finis.patch @@ -0,0 +1,49 @@ +From 4bb425eea9f3037a583a23d99f15aa71562f2481 Mon Sep 17 00:00:00 2001 +From: Anita Zhang +Date: Thu, 17 Sep 2020 01:49:17 -0700 +Subject: [PATCH] core: move reset_arguments() to the end of main's finish + +Fixes #16991 + +fb39af4ce42d7ef9af63009f271f404038703704 replaced `free_arguments()` with +`reset_arguments()`, which frees arg_* variables as before, but also resets all +of them to the default values. `reset_arguments()` was positioned +in such a way that it overrode some arg_* values still in use at shutdown. + +To avoid further unintentional resets, I moved `reset_arguments()` +right before the return, when nothing else will be using the arg_* variables. + +(cherry picked from commit 7d9eea2bd3d4f83668c7a78754d201b226acbf1e) + +Resolves: #2127131 +--- + src/core/main.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/src/core/main.c b/src/core/main.c +index bfd4c531a7..cfa6fec930 100644 +--- a/src/core/main.c ++++ b/src/core/main.c +@@ -2631,7 +2631,6 @@ finish: + m = manager_free(m); + } + +- reset_arguments(); + mac_selinux_finish(); + + if (reexecute) +@@ -2656,6 +2655,7 @@ finish: + * in become_shutdown() so normally we cannot free them yet. */ + watchdog_free_device(); + arg_watchdog_device = mfree(arg_watchdog_device); ++ reset_arguments(); + return retval; + } + #endif +@@ -2677,5 +2677,6 @@ finish: + freeze_or_reboot(); + } + ++ reset_arguments(); + return retval; + } diff --git a/SOURCES/0841-manager-move-inc.-of-n_reloading-into-a-function.patch b/SOURCES/0841-manager-move-inc.-of-n_reloading-into-a-function.patch new file mode 100644 index 0000000..799bd04 --- /dev/null +++ b/SOURCES/0841-manager-move-inc.-of-n_reloading-into-a-function.patch @@ -0,0 +1,91 @@ +From 708c394b7ca35fe2328fa0760696ff95caab8ff8 Mon Sep 17 00:00:00 2001 +From: David Tardon +Date: Tue, 29 Nov 2022 16:15:47 +0100 +Subject: [PATCH] manager: move inc. of n_reloading into a function + +[dtardon: This is inspired by commit d147e2b66b4d6b71db1bc59b62286b2eb9c3d29f , +but it does just the minimal change needed for the next commit.] + +Related: #2136869 +--- + src/core/main.c | 2 +- + src/core/manager.c | 12 ++++++++---- + src/core/manager.h | 1 + + 3 files changed, 10 insertions(+), 5 deletions(-) + +diff --git a/src/core/main.c b/src/core/main.c +index cfa6fec930..c3e2ce8956 100644 +--- a/src/core/main.c ++++ b/src/core/main.c +@@ -1131,7 +1131,7 @@ static int prepare_reexecute(Manager *m, FILE **_f, FDSet **_fds, bool switching + return log_error_errno(r, "Failed to create serialization file: %m"); + + /* Make sure nothing is really destructed when we shut down */ +- m->n_reloading++; ++ manager_reloading_start(m); + bus_manager_send_reloading(m, true); + + fds = fdset_new(); +diff --git a/src/core/manager.c b/src/core/manager.c +index f4611e6f8f..f923cbce37 100644 +--- a/src/core/manager.c ++++ b/src/core/manager.c +@@ -1578,6 +1578,10 @@ static void manager_preset_all(Manager *m) { + log_info("Populated /etc with preset unit settings."); + } + ++void manager_reloading_start(Manager *m) { ++ m->n_reloading++; ++} ++ + int manager_startup(Manager *m, FILE *serialization, FDSet *fds) { + int r; + +@@ -1609,7 +1613,7 @@ int manager_startup(Manager *m, FILE *serialization, FDSet *fds) { + * this is already known, so we increase the counter here + * already */ + if (serialization) +- m->n_reloading++; ++ manager_reloading_start(m); + + /* First, enumerate what we can from all config files */ + dual_timestamp_get(m->timestamps + MANAGER_TIMESTAMP_UNITS_LOAD_START); +@@ -3093,7 +3097,7 @@ int manager_serialize(Manager *m, FILE *f, FDSet *fds, bool switching_root) { + assert(f); + assert(fds); + +- m->n_reloading++; ++ manager_reloading_start(m); + + fprintf(f, "current-job-id=%"PRIu32"\n", m->current_job_id); + fprintf(f, "n-installed-jobs=%u\n", m->n_installed_jobs); +@@ -3211,7 +3215,7 @@ int manager_deserialize(Manager *m, FILE *f, FDSet *fds) { + + log_debug("Deserializing state..."); + +- m->n_reloading++; ++ manager_reloading_start(m); + + for (;;) { + _cleanup_free_ char *line = NULL; +@@ -3455,7 +3459,7 @@ int manager_reload(Manager *m) { + if (r < 0) + return r; + +- m->n_reloading++; ++ manager_reloading_start(m); + bus_manager_send_reloading(m, true); + + fds = fdset_new(); +diff --git a/src/core/manager.h b/src/core/manager.h +index 3f2cfc5e2e..adbbb518cb 100644 +--- a/src/core/manager.h ++++ b/src/core/manager.h +@@ -386,6 +386,7 @@ int manager_new(UnitFileScope scope, unsigned test_run_flags, Manager **m); + Manager* manager_free(Manager *m); + DEFINE_TRIVIAL_CLEANUP_FUNC(Manager*, manager_free); + ++void manager_reloading_start(Manager *m); + int manager_startup(Manager *m, FILE *serialization, FDSet *fds); + + Job *manager_get_job(Manager *m, uint32_t id); diff --git a/SOURCES/0842-core-Add-new-DBUS-properties-UnitsReloadStartTimesta.patch b/SOURCES/0842-core-Add-new-DBUS-properties-UnitsReloadStartTimesta.patch new file mode 100644 index 0000000..dd27bfa --- /dev/null +++ b/SOURCES/0842-core-Add-new-DBUS-properties-UnitsReloadStartTimesta.patch @@ -0,0 +1,59 @@ +From 22eb8fbdab14e5b1b11a4d84c83bef97317e1d2a Mon Sep 17 00:00:00 2001 +From: Jan Macku +Date: Thu, 2 Sep 2021 16:37:13 +0200 +Subject: [PATCH] core: Add new DBUS properties UnitsReloadStartTimestamp and + UnitsLoadTimestampMontonic + +(cherry picked from commit 49fbe940a429c3d8807bacdfce03af834275257c) + +Related: #2136869 +--- + src/core/dbus-manager.c | 1 + + src/core/manager.c | 2 ++ + src/core/manager.h | 1 + + 3 files changed, 4 insertions(+) + +diff --git a/src/core/dbus-manager.c b/src/core/dbus-manager.c +index 5b1ed3646e..8a41eda4a6 100644 +--- a/src/core/dbus-manager.c ++++ b/src/core/dbus-manager.c +@@ -2486,6 +2486,7 @@ const sd_bus_vtable bus_manager_vtable[] = { + BUS_PROPERTY_DUAL_TIMESTAMP("GeneratorsFinishTimestamp", offsetof(Manager, timestamps[MANAGER_TIMESTAMP_GENERATORS_FINISH]), SD_BUS_VTABLE_PROPERTY_CONST), + BUS_PROPERTY_DUAL_TIMESTAMP("UnitsLoadStartTimestamp", offsetof(Manager, timestamps[MANAGER_TIMESTAMP_UNITS_LOAD_START]), SD_BUS_VTABLE_PROPERTY_CONST), + BUS_PROPERTY_DUAL_TIMESTAMP("UnitsLoadFinishTimestamp", offsetof(Manager, timestamps[MANAGER_TIMESTAMP_UNITS_LOAD_FINISH]), SD_BUS_VTABLE_PROPERTY_CONST), ++ BUS_PROPERTY_DUAL_TIMESTAMP("UnitsLoadTimestamp", offsetof(Manager, timestamps[MANAGER_TIMESTAMP_UNITS_LOAD]), SD_BUS_VTABLE_PROPERTY_CONST), + SD_BUS_WRITABLE_PROPERTY("LogLevel", "s", property_get_log_level, property_set_log_level, 0, 0), + SD_BUS_WRITABLE_PROPERTY("LogTarget", "s", property_get_log_target, property_set_log_target, 0, 0), + SD_BUS_PROPERTY("NNames", "u", property_get_hashmap_size, offsetof(Manager, units), 0), +diff --git a/src/core/manager.c b/src/core/manager.c +index f923cbce37..8aa398cac8 100644 +--- a/src/core/manager.c ++++ b/src/core/manager.c +@@ -1580,6 +1580,7 @@ static void manager_preset_all(Manager *m) { + + void manager_reloading_start(Manager *m) { + m->n_reloading++; ++ dual_timestamp_get(m->timestamps + MANAGER_TIMESTAMP_UNITS_LOAD); + } + + int manager_startup(Manager *m, FILE *serialization, FDSet *fds) { +@@ -4622,6 +4623,7 @@ static const char *const manager_timestamp_table[_MANAGER_TIMESTAMP_MAX] = { + [MANAGER_TIMESTAMP_GENERATORS_FINISH] = "generators-finish", + [MANAGER_TIMESTAMP_UNITS_LOAD_START] = "units-load-start", + [MANAGER_TIMESTAMP_UNITS_LOAD_FINISH] = "units-load-finish", ++ [MANAGER_TIMESTAMP_UNITS_LOAD] = "units-load", + }; + + DEFINE_STRING_TABLE_LOOKUP(manager_timestamp, ManagerTimestamp); +diff --git a/src/core/manager.h b/src/core/manager.h +index adbbb518cb..98d381bc5b 100644 +--- a/src/core/manager.h ++++ b/src/core/manager.h +@@ -67,6 +67,7 @@ typedef enum ManagerTimestamp { + MANAGER_TIMESTAMP_GENERATORS_FINISH, + MANAGER_TIMESTAMP_UNITS_LOAD_START, + MANAGER_TIMESTAMP_UNITS_LOAD_FINISH, ++ MANAGER_TIMESTAMP_UNITS_LOAD, + _MANAGER_TIMESTAMP_MAX, + _MANAGER_TIMESTAMP_INVALID = -1, + } ManagerTimestamp; diff --git a/SOURCES/0843-core-Indicate-the-time-when-the-manager-started-load.patch b/SOURCES/0843-core-Indicate-the-time-when-the-manager-started-load.patch new file mode 100644 index 0000000..4a05d20 --- /dev/null +++ b/SOURCES/0843-core-Indicate-the-time-when-the-manager-started-load.patch @@ -0,0 +1,29 @@ +From f2de5398b0a1ebb3e6390506368c11329b843524 Mon Sep 17 00:00:00 2001 +From: Jan Macku +Date: Thu, 2 Sep 2021 16:50:50 +0200 +Subject: [PATCH] core: Indicate the time when the manager started loading + units the last time + +(cherry picked from commit 15b9243c0d7f6d1531fa65dbc01bd11e8e6c12ca) + +Resolves: #2136869 +--- + src/core/manager.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/src/core/manager.c b/src/core/manager.c +index 8aa398cac8..a9cd51b624 100644 +--- a/src/core/manager.c ++++ b/src/core/manager.c +@@ -3554,6 +3554,11 @@ int manager_reload(Manager *m) { + /* Let's finally catch up with any changes that took place while we were reloading/reexecing */ + manager_catchup(m); + ++ /* Create a file which will indicate when the manager started loading units the last time. */ ++ (void) touch_file("/run/systemd/systemd-units-load", false, ++ m->timestamps[MANAGER_TIMESTAMP_UNITS_LOAD].realtime ?: now(CLOCK_REALTIME), ++ UID_INVALID, GID_INVALID, 0444); ++ + /* Sync current state of bus names with our set of listening units */ + q = manager_enqueue_sync_bus_names(m); + if (q < 0 && r >= 0) diff --git a/SOURCES/0844-core-do-not-touch-run-systemd-systemd-units-load-fro.patch b/SOURCES/0844-core-do-not-touch-run-systemd-systemd-units-load-fro.patch new file mode 100644 index 0000000..db62e35 --- /dev/null +++ b/SOURCES/0844-core-do-not-touch-run-systemd-systemd-units-load-fro.patch @@ -0,0 +1,34 @@ +From 3c2d2345814935cea8525e802e764fb2949eb3df Mon Sep 17 00:00:00 2001 +From: Luca Boccassi +Date: Mon, 27 Dec 2021 18:22:43 +0000 +Subject: [PATCH] core: do not touch /run/systemd/systemd-units-load from user + session instances + +Follow-up for: https://github.com/systemd/systemd/commit/15b9243c0d7f6d1531fa65dbc01bd11e8e6c12ca +Fixes: https://github.com/systemd/systemd/issues/21911 + +(cherry picked from commit 4b3ad81bfafcd97acb06db463495e348d159d8e6) + +Related: #2136869 +--- + src/core/manager.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/src/core/manager.c b/src/core/manager.c +index a9cd51b624..e083596e58 100644 +--- a/src/core/manager.c ++++ b/src/core/manager.c +@@ -3555,9 +3555,10 @@ int manager_reload(Manager *m) { + manager_catchup(m); + + /* Create a file which will indicate when the manager started loading units the last time. */ +- (void) touch_file("/run/systemd/systemd-units-load", false, +- m->timestamps[MANAGER_TIMESTAMP_UNITS_LOAD].realtime ?: now(CLOCK_REALTIME), +- UID_INVALID, GID_INVALID, 0444); ++ if (MANAGER_IS_SYSTEM(m)) ++ (void) touch_file("/run/systemd/systemd-units-load", false, ++ m->timestamps[MANAGER_TIMESTAMP_UNITS_LOAD].realtime ?: now(CLOCK_REALTIME), ++ UID_INVALID, GID_INVALID, 0444); + + /* Sync current state of bus names with our set of listening units */ + q = manager_enqueue_sync_bus_names(m); diff --git a/SOURCES/0845-sysctl-downgrade-message-when-we-have-no-permission.patch b/SOURCES/0845-sysctl-downgrade-message-when-we-have-no-permission.patch new file mode 100644 index 0000000..9e3d1e8 --- /dev/null +++ b/SOURCES/0845-sysctl-downgrade-message-when-we-have-no-permission.patch @@ -0,0 +1,49 @@ +From ffe4233155085b479c69abe844a34de212b8e5e1 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Thu, 16 Jan 2020 14:45:28 +0100 +Subject: [PATCH] sysctl: downgrade message when we have no permission + +We need to run sysctl also in containers, because the network +subtree is namespaces and may legitimately be writable. But logging +all "errors" at notice level creates unwanted noise. + +Also downgrade message about missing sysctls to log_info. This might also be +relatively common when configuration is targeted at different kernel +versions. With log_debug it'll still end up in the logs, but isn't really worth +of "notice" most of the time. + +https://bugzilla.redhat.com/show_bug.cgi?id=1609806 +(cherry picked from commit 32458cc9687c1b60ff0f22c0e71da93ce78b1534) + +Resolves: #2158160 +--- + src/sysctl/sysctl.c | 16 +++++++++------- + 1 file changed, 9 insertions(+), 7 deletions(-) + +diff --git a/src/sysctl/sysctl.c b/src/sysctl/sysctl.c +index 4c85d6887f..dc14e1aaf1 100644 +--- a/src/sysctl/sysctl.c ++++ b/src/sysctl/sysctl.c +@@ -82,13 +82,15 @@ static int apply_all(OrderedHashmap *sysctl_options) { + k = sysctl_write(option->key, option->value); + if (k < 0) { + /* If the sysctl is not available in the kernel or we are running with reduced +- * privileges and cannot write it, then log about the issue at LOG_NOTICE level, and +- * proceed without failing. (EROFS is treated as a permission problem here, since +- * that's how container managers usually protected their sysctls.) In all other cases +- * log an error and make the tool fail. */ +- +- if (IN_SET(k, -EPERM, -EACCES, -EROFS, -ENOENT) || option->ignore_failure) +- log_notice_errno(k, "Couldn't write '%s' to '%s', ignoring: %m", option->value, option->key); ++ * privileges and cannot write it, then log about the issue, and proceed without ++ * failing. (EROFS is treated as a permission problem here, since that's how ++ * container managers usually protected their sysctls.) In all other cases log an ++ * error and make the tool fail. */ ++ ++ if (option->ignore_failure || k == -EROFS || ERRNO_IS_PRIVILEGE(k)) ++ log_debug_errno(k, "Couldn't write '%s' to '%s', ignoring: %m", option->value, option->key); ++ else if (k == -ENOENT) ++ log_info_errno(k, "Couldn't write '%s' to '%s', ignoring: %m", option->value, option->key); + else { + log_error_errno(k, "Couldn't write '%s' to '%s': %m", option->value, option->key); + if (r == 0) diff --git a/SOURCES/0846-core-respect-SELinuxContext-for-socket-creation.patch b/SOURCES/0846-core-respect-SELinuxContext-for-socket-creation.patch new file mode 100644 index 0000000..dbdd058 --- /dev/null +++ b/SOURCES/0846-core-respect-SELinuxContext-for-socket-creation.patch @@ -0,0 +1,53 @@ +From 1f408c8d9739b1038012eeec7bf0f918c8095bc4 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= +Date: Fri, 23 Sep 2022 19:00:22 +0200 +Subject: [PATCH] core: respect SELinuxContext= for socket creation + +On socket creation respect the SELinuxContext= setting of the associated +service, such that the initial created socket has the same label as the +future process accepting the connection (since w.r.t SELinux sockets +normally have the same label as the owning process). + +Triggered by #24702 + +(cherry picked from commit 599b384924bbef9f8f7fa5700c6fa35a404d9a98) + +Related: #2136738 +--- + src/core/socket.c | 15 ++++++++++++++- + 1 file changed, 14 insertions(+), 1 deletion(-) + +diff --git a/src/core/socket.c b/src/core/socket.c +index 9d47ca2616..d1ca0a07c5 100644 +--- a/src/core/socket.c ++++ b/src/core/socket.c +@@ -1427,6 +1427,7 @@ fail: + static int socket_determine_selinux_label(Socket *s, char **ret) { + Service *service; + ExecCommand *c; ++ const char *exec_context; + _cleanup_free_ char *path = NULL; + int r; + +@@ -1448,8 +1449,20 @@ static int socket_determine_selinux_label(Socket *s, char **ret) { + + if (!UNIT_ISSET(s->service)) + goto no_label; +- + service = SERVICE(UNIT_DEREF(s->service)); ++ ++ exec_context = service->exec_context.selinux_context; ++ if (exec_context) { ++ char *con; ++ ++ con = strdup(exec_context); ++ if (!con) ++ return -ENOMEM; ++ ++ *ret = TAKE_PTR(con); ++ return 0; ++ } ++ + c = service->exec_command[SERVICE_EXEC_START]; + if (!c) + goto no_label; diff --git a/SOURCES/0847-manager-use-target-process-context-to-set-socket-con.patch b/SOURCES/0847-manager-use-target-process-context-to-set-socket-con.patch new file mode 100644 index 0000000..d10bdca --- /dev/null +++ b/SOURCES/0847-manager-use-target-process-context-to-set-socket-con.patch @@ -0,0 +1,128 @@ +From 3f90090e70a5fa81bced17792fe08d9c46324da9 Mon Sep 17 00:00:00 2001 +From: "Ted X. Toth" +Date: Thu, 13 Oct 2022 12:58:26 -0700 +Subject: [PATCH] manager: use target process context to set socket context + +Use target process context to set socket context when using SELinuxContextFromNet +not systemd's context. Currently when using the SELinuxContextFromNet option for +a socket activated services, systemd calls getcon_raw which returns init_t and +uses the resulting context to compute the context to be passed to the +setsockcreatecon call. A socket of type init_t is created and listened on and +this means that SELinux policy cannot be written to control which processes +(SELinux types) can connect to the socket since the ref policy allows all +'types' to connect to sockets of the type init_t. When security accessors see +that any process can connect to a socket this raises serious concerns. I have +spoken with SELinux contributors in person and on the mailing list and the +consensus is that the best solution is to use the target executables context +when computing the sockets context in all cases. + +[zjs review/comment: + +This removes the branch that was added in 16115b0a7b7cdf08fb38084d857d572d8a9088dc. +16115b0a7b7cdf08fb38084d857d572d8a9088dc did two things: it had the branch here +in 'socket_determine_selinux_label()' and a code in 'exec_child()' to call +'label_get_child_mls_label(socket_fd, command->path, &label)'. + +Before this patch, the flow was: +''' +mac_selinux_get_child_mls_label: + peercon = getpeercon_raw(socket_fd); + if (!exec_label) + exec_label = getfilecon_raw(exe); + +socket_open_fds: + if (params->selinux_context_net) # + label = mac_selinux_get_our_label(); # this part is removed + else # + label = mac_selinux_get_create_label_from_exe(path); + socket_address_listen_in_cgroup(s, &p->address, label); + +exec_child(): + exec_context = mac_selinux_get_child_mls_label(fd, executable, context->selinux_context); + setexeccon(exec_context); +''' +] + +(cherry picked from commit 29dbc62d74f7b7881dc3136e68e03a03ea055b36) + +Resolves: #2136738 +--- + src/core/socket.c | 58 ++++++++++++++++++++--------------------------- + 1 file changed, 24 insertions(+), 34 deletions(-) + +diff --git a/src/core/socket.c b/src/core/socket.c +index d1ca0a07c5..8aa5463b25 100644 +--- a/src/core/socket.c ++++ b/src/core/socket.c +@@ -1434,47 +1434,37 @@ static int socket_determine_selinux_label(Socket *s, char **ret) { + assert(s); + assert(ret); + +- if (s->selinux_context_from_net) { +- /* If this is requested, get label from the network label */ +- +- r = mac_selinux_get_our_label(ret); +- if (r == -EOPNOTSUPP) +- goto no_label; +- +- } else { +- /* Otherwise, get it from the executable we are about to start */ +- r = socket_instantiate_service(s); +- if (r < 0) +- return r; ++ r = socket_instantiate_service(s); ++ if (r < 0) ++ return r; + +- if (!UNIT_ISSET(s->service)) +- goto no_label; +- service = SERVICE(UNIT_DEREF(s->service)); ++ if (!UNIT_ISSET(s->service)) ++ goto no_label; ++ service = SERVICE(UNIT_DEREF(s->service)); + +- exec_context = service->exec_context.selinux_context; +- if (exec_context) { +- char *con; ++ exec_context = service->exec_context.selinux_context; ++ if (exec_context) { ++ char *con; + +- con = strdup(exec_context); +- if (!con) +- return -ENOMEM; ++ con = strdup(exec_context); ++ if (!con) ++ return -ENOMEM; + +- *ret = TAKE_PTR(con); +- return 0; +- } ++ *ret = TAKE_PTR(con); ++ return 0; ++ } + +- c = service->exec_command[SERVICE_EXEC_START]; +- if (!c) +- goto no_label; ++ c = service->exec_command[SERVICE_EXEC_START]; ++ if (!c) ++ goto no_label; + +- r = chase_symlinks(c->path, service->exec_context.root_directory, CHASE_PREFIX_ROOT, &path); +- if (r < 0) +- goto no_label; ++ r = chase_symlinks(c->path, service->exec_context.root_directory, CHASE_PREFIX_ROOT, &path); ++ if (r < 0) ++ goto no_label; + +- r = mac_selinux_get_create_label_from_exe(path, ret); +- if (IN_SET(r, -EPERM, -EOPNOTSUPP)) +- goto no_label; +- } ++ r = mac_selinux_get_create_label_from_exe(path, ret); ++ if (IN_SET(r, -EPERM, -EOPNOTSUPP)) ++ goto no_label; + + return r; + diff --git a/SOURCES/0848-virt-detect-Amazon-EC2-Nitro-instance.patch b/SOURCES/0848-virt-detect-Amazon-EC2-Nitro-instance.patch new file mode 100644 index 0000000..fc3d0bd --- /dev/null +++ b/SOURCES/0848-virt-detect-Amazon-EC2-Nitro-instance.patch @@ -0,0 +1,142 @@ +From 6ffd3de2ccc5901974f292c9694829e25441060d Mon Sep 17 00:00:00 2001 +From: Bertrand Jacquin +Date: Sun, 11 Oct 2020 21:25:00 +0100 +Subject: [PATCH] virt: detect Amazon EC2 Nitro instance + +Amazon EC2 Nitro hypervisor is technically based on KVM[1], which +systemd-detect-virt identify propely from CPUID. However the lack of +CPUID on aarch64 (A1, T4 instance type) prevents a correct +identification, impacting hostnamectl and systemd-random-seed. Instead +it's possible to identify virtualization from DMI vendor ID. + +Prior to this commit: + # hostnamectl + Static hostname: n/a + Transient hostname: ip-10-97-8-12 + Icon name: computer + Machine ID: 8e3772fbcfa3dd6f330a12ff5df5a63b + Boot ID: b7b7e2fe0079448db664839df59f9817 + Operating System: Gentoo/Linux + Kernel: Linux 5.4.69-longterm + Architecture: arm64 + +After this commit: + # hostnamectl + Static hostname: n/a + Transient hostname: ip-10-97-8-12 + Icon name: computer-vm + Chassis: vm + Machine ID: 8e3772fbcfa3dd6f330a12ff5df5a63b + Boot ID: bd04da57084e41078f20541101867113 + Virtualization: amazon + Operating System: Gentoo/Linux + Kernel: Linux 5.4.69-longterm + Architecture: arm64 + +[1] https://aws.amazon.com/ec2/faqs/ + +(cherry picked from commit b6eca3731dd92b009b182f188936e1c2544574da) + +Resolves: #2117948 +--- + man/systemd-detect-virt.xml | 7 ++++++- + man/systemd.unit.xml | 1 + + src/basic/virt.c | 8 +++++--- + src/basic/virt.h | 1 + + src/test/test-condition.c | 1 + + 5 files changed, 14 insertions(+), 4 deletions(-) + +diff --git a/man/systemd-detect-virt.xml b/man/systemd-detect-virt.xml +index 6beb2c2aa1..61c210e24d 100644 +--- a/man/systemd-detect-virt.xml ++++ b/man/systemd-detect-virt.xml +@@ -72,7 +72,12 @@ + + + kvm +- Linux KVM kernel virtual machine, with whatever software, except Oracle Virtualbox ++ Linux KVM kernel virtual machine, in combination with QEMU. Not used for other virtualizers using the KVM interfaces, such as Oracle VirtualBox or Amazon EC2 Nitro, see below. ++ ++ ++ ++ amazon ++ Amazon EC2 Nitro using Linux KVM + + + +diff --git a/man/systemd.unit.xml b/man/systemd.unit.xml +index 6f213ccd56..5207a5bb3c 100644 +--- a/man/systemd.unit.xml ++++ b/man/systemd.unit.xml +@@ -1068,6 +1068,7 @@ + virtualization solution, or one of + qemu, + kvm, ++ amazon, + zvm, + vmware, + microsoft, +diff --git a/src/basic/virt.c b/src/basic/virt.c +index 8d862b6d67..78c68d66e0 100644 +--- a/src/basic/virt.c ++++ b/src/basic/virt.c +@@ -147,6 +147,7 @@ static int detect_vm_dmi(void) { + int id; + } dmi_vendor_table[] = { + { "KVM", VIRTUALIZATION_KVM }, ++ { "Amazon EC2", VIRTUALIZATION_AMAZON }, + { "QEMU", VIRTUALIZATION_QEMU }, + /* http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1009458 */ + { "VMware", VIRTUALIZATION_VMWARE }, +@@ -339,8 +340,8 @@ int detect_vm(void) { + + /* We have to use the correct order here: + * +- * → First, try to detect Oracle Virtualbox, even if it uses KVM, as well as Xen even if it cloaks as Microsoft +- * Hyper-V. ++ * → First, try to detect Oracle Virtualbox and Amazon EC2 Nitro, even if they use KVM, as well as Xen even if ++ * it cloaks as Microsoft Hyper-V. + * + * → Second, try to detect from CPUID, this will report KVM for whatever software is used even if info in DMI is + * overwritten. +@@ -348,7 +349,7 @@ int detect_vm(void) { + * → Third, try to detect from DMI. */ + + dmi = detect_vm_dmi(); +- if (IN_SET(dmi, VIRTUALIZATION_ORACLE, VIRTUALIZATION_XEN)) { ++ if (IN_SET(dmi, VIRTUALIZATION_ORACLE, VIRTUALIZATION_XEN, VIRTUALIZATION_AMAZON)) { + r = dmi; + goto finish; + } +@@ -631,6 +632,7 @@ int running_in_chroot(void) { + static const char *const virtualization_table[_VIRTUALIZATION_MAX] = { + [VIRTUALIZATION_NONE] = "none", + [VIRTUALIZATION_KVM] = "kvm", ++ [VIRTUALIZATION_AMAZON] = "amazon", + [VIRTUALIZATION_QEMU] = "qemu", + [VIRTUALIZATION_BOCHS] = "bochs", + [VIRTUALIZATION_XEN] = "xen", +diff --git a/src/basic/virt.h b/src/basic/virt.h +index 640b3ed779..ed4ff063e0 100644 +--- a/src/basic/virt.h ++++ b/src/basic/virt.h +@@ -10,6 +10,7 @@ enum { + + VIRTUALIZATION_VM_FIRST, + VIRTUALIZATION_KVM = VIRTUALIZATION_VM_FIRST, ++ VIRTUALIZATION_AMAZON, + VIRTUALIZATION_QEMU, + VIRTUALIZATION_BOCHS, + VIRTUALIZATION_XEN, +diff --git a/src/test/test-condition.c b/src/test/test-condition.c +index 24395dafc6..29ea63c4ff 100644 +--- a/src/test/test-condition.c ++++ b/src/test/test-condition.c +@@ -510,6 +510,7 @@ static void test_condition_test_virtualization(void) { + + NULSTR_FOREACH(virt, + "kvm\0" ++ "amazon\0" + "qemu\0" + "bochs\0" + "xen\0" diff --git a/SOURCES/0849-machine-id-setup-generate-machine-id-from-DMI-produc.patch b/SOURCES/0849-machine-id-setup-generate-machine-id-from-DMI-produc.patch new file mode 100644 index 0000000..12f1b77 --- /dev/null +++ b/SOURCES/0849-machine-id-setup-generate-machine-id-from-DMI-produc.patch @@ -0,0 +1,37 @@ +From e320f72150829228f10ec24f3fba34d5377c5120 Mon Sep 17 00:00:00 2001 +From: Bertrand Jacquin +Date: Sun, 11 Oct 2020 22:25:56 +0100 +Subject: [PATCH] machine-id-setup: generate machine-id from DMI product ID on + Amazon EC2 + +Amazon EC2 Nitro hypervisor is technically based on KVM[1]. + +[1] https://aws.amazon.com/ec2/faqs/ + +(cherry picked from commit 382a46d129899ca9027b07c325102cab173dd563) + +Related: #2117948 +--- + src/core/machine-id-setup.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/src/core/machine-id-setup.c b/src/core/machine-id-setup.c +index 11528f83c4..fe2abc4e68 100644 +--- a/src/core/machine-id-setup.c ++++ b/src/core/machine-id-setup.c +@@ -57,11 +57,11 @@ static int generate_machine_id(const char *root, sd_id128_t *ret) { + return 0; + } + +- } else if (detect_vm() == VIRTUALIZATION_KVM) { ++ } else if (IN_SET(detect_vm(), VIRTUALIZATION_KVM, VIRTUALIZATION_AMAZON, VIRTUALIZATION_QEMU)) { + +- /* If we are not running in a container, see if we are +- * running in qemu/kvm and a machine ID was passed in +- * via -uuid on the qemu/kvm command line */ ++ /* If we are not running in a container, see if we are running in a VM that provides ++ * a system UUID via the SMBIOS/DMI interfaces. Such environments include QEMU/KVM ++ * with the -uuid on the qemu command line or the Amazon EC2 Nitro hypervisor. */ + + if (id128_read("/sys/class/dmi/id/product_uuid", ID128_UUID, ret) >= 0) { + log_info("Initializing machine ID from KVM UUID."); diff --git a/SOURCES/0850-virt-use-string-table-to-detect-VM-or-container.patch b/SOURCES/0850-virt-use-string-table-to-detect-VM-or-container.patch new file mode 100644 index 0000000..f0990a6 --- /dev/null +++ b/SOURCES/0850-virt-use-string-table-to-detect-VM-or-container.patch @@ -0,0 +1,134 @@ +From efa2cdb699df3e5d5d7180e50f3ebfff74788c5c Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Tue, 7 Jan 2020 11:49:39 +0900 +Subject: [PATCH] virt: use string table to detect VM or container + +(cherry picked from commit 735ea55f5cd87a82757a8911edd80fba799b46ee) + +Related: #2117948 +--- + src/basic/virt.c | 73 ++++++++++++++++++++++-------------------------- + 1 file changed, 33 insertions(+), 40 deletions(-) + +diff --git a/src/basic/virt.c b/src/basic/virt.c +index 78c68d66e0..6e4c702051 100644 +--- a/src/basic/virt.c ++++ b/src/basic/virt.c +@@ -22,27 +22,26 @@ + #include "string-util.h" + #include "virt.h" + ++static const char *const vm_table[_VIRTUALIZATION_MAX] = { ++ [VIRTUALIZATION_XEN] = "XenVMMXenVMM", ++ [VIRTUALIZATION_KVM] = "KVMKVMKVM", ++ [VIRTUALIZATION_QEMU] = "TCGTCGTCGTCG", ++ /* http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1009458 */ ++ [VIRTUALIZATION_VMWARE] = "VMwareVMware", ++ /* https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/reference/tlfs */ ++ [VIRTUALIZATION_MICROSOFT] = "Microsoft Hv", ++ /* https://wiki.freebsd.org/bhyve */ ++ [VIRTUALIZATION_BHYVE] = "bhyve bhyve ", ++ [VIRTUALIZATION_QNX] = "QNXQVMBSQG", ++}; ++ ++DEFINE_PRIVATE_STRING_TABLE_LOOKUP_FROM_STRING(vm, int); ++ + static int detect_vm_cpuid(void) { + + /* CPUID is an x86 specific interface. */ + #if defined(__i386__) || defined(__x86_64__) + +- static const struct { +- const char *cpuid; +- int id; +- } cpuid_vendor_table[] = { +- { "XenVMMXenVMM", VIRTUALIZATION_XEN }, +- { "KVMKVMKVM", VIRTUALIZATION_KVM }, +- { "TCGTCGTCGTCG", VIRTUALIZATION_QEMU }, +- /* http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1009458 */ +- { "VMwareVMware", VIRTUALIZATION_VMWARE }, +- /* https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/reference/tlfs */ +- { "Microsoft Hv", VIRTUALIZATION_MICROSOFT }, +- /* https://wiki.freebsd.org/bhyve */ +- { "bhyve bhyve ", VIRTUALIZATION_BHYVE }, +- { "QNXQVMBSQG", VIRTUALIZATION_QNX }, +- }; +- + uint32_t eax, ebx, ecx, edx; + bool hypervisor; + +@@ -59,7 +58,7 @@ static int detect_vm_cpuid(void) { + uint32_t sig32[3]; + char text[13]; + } sig = {}; +- unsigned j; ++ int v; + + /* There is a hypervisor, see what it is */ + __cpuid(0x40000000U, eax, ebx, ecx, edx); +@@ -70,11 +69,11 @@ static int detect_vm_cpuid(void) { + + log_debug("Virtualization found, CPUID=%s", sig.text); + +- for (j = 0; j < ELEMENTSOF(cpuid_vendor_table); j ++) +- if (streq(sig.text, cpuid_vendor_table[j].cpuid)) +- return cpuid_vendor_table[j].id; ++ v = vm_from_string(sig.text); ++ if (v < 0) ++ return VIRTUALIZATION_VM_OTHER; + +- return VIRTUALIZATION_VM_OTHER; ++ return v; + } + #endif + log_debug("No virtualization found in CPUID"); +@@ -434,22 +433,20 @@ finish: + return r; + } + +-int detect_container(void) { +- static const struct { +- const char *value; +- int id; +- } value_table[] = { +- { "lxc", VIRTUALIZATION_LXC }, +- { "lxc-libvirt", VIRTUALIZATION_LXC_LIBVIRT }, +- { "systemd-nspawn", VIRTUALIZATION_SYSTEMD_NSPAWN }, +- { "docker", VIRTUALIZATION_DOCKER }, +- { "rkt", VIRTUALIZATION_RKT }, +- }; ++static const char *const container_table[_VIRTUALIZATION_MAX] = { ++ [VIRTUALIZATION_LXC] = "lxc", ++ [VIRTUALIZATION_LXC_LIBVIRT] = "lxc-libvirt", ++ [VIRTUALIZATION_SYSTEMD_NSPAWN] = "systemd-nspawn", ++ [VIRTUALIZATION_DOCKER] = "docker", ++ [VIRTUALIZATION_RKT] = "rkt", ++}; ++ ++DEFINE_PRIVATE_STRING_TABLE_LOOKUP_FROM_STRING(container, int); + ++int detect_container(void) { + static thread_local int cached_found = _VIRTUALIZATION_INVALID; + _cleanup_free_ char *m = NULL; + const char *e = NULL; +- unsigned j; + int r; + + if (cached_found >= 0) +@@ -522,13 +519,9 @@ int detect_container(void) { + goto finish; + + translate_name: +- for (j = 0; j < ELEMENTSOF(value_table); j++) +- if (streq(e, value_table[j].value)) { +- r = value_table[j].id; +- goto finish; +- } +- +- r = VIRTUALIZATION_CONTAINER_OTHER; ++ r = container_from_string(e); ++ if (r < 0) ++ r = VIRTUALIZATION_CONTAINER_OTHER; + + finish: + log_debug("Found container virtualization %s.", virtualization_to_string(r)); diff --git a/SOURCES/0851-fileio-introduce-read_full_virtual_file-for-reading-.patch b/SOURCES/0851-fileio-introduce-read_full_virtual_file-for-reading-.patch new file mode 100644 index 0000000..84b09c9 --- /dev/null +++ b/SOURCES/0851-fileio-introduce-read_full_virtual_file-for-reading-.patch @@ -0,0 +1,194 @@ +From 7a3843972ea290daf1bec5e1133db654749b8c02 Mon Sep 17 00:00:00 2001 +From: Franck Bui +Date: Tue, 22 Oct 2019 16:09:21 +0200 +Subject: [PATCH] fileio: introduce read_full_virtual_file() for reading + virtual files in sysfs, procfs + +Virtual filesystems such as sysfs or procfs use kernfs, and kernfs can work +with two sorts of virtual files. + +One sort uses "seq_file", and the results of the first read are buffered for +the second read. The other sort uses "raw" reads which always go direct to the +device. + +In the later case, the content of the virtual file must be retrieved with a +single read otherwise subsequent read might get the new value instead of +finding EOF immediately. That's the reason why the usage of fread(3) is +prohibited in this case as it always performs a second call to read(2) looking +for EOF which is subject to the race described previously. + +Fixes: #13585. +(cherry picked from commit 21b40f16622f171a9969dc334d74fb5eb2f575c2) + +Related: #2117948 +--- + src/basic/fileio.c | 115 ++++++++++++++++++++++++++- + src/basic/fileio.h | 1 + + src/libsystemd/sd-device/sd-device.c | 2 +- + 3 files changed, 113 insertions(+), 5 deletions(-) + +diff --git a/src/basic/fileio.c b/src/basic/fileio.c +index 6b0bad5b71..733fb42463 100644 +--- a/src/basic/fileio.c ++++ b/src/basic/fileio.c +@@ -276,6 +276,113 @@ int verify_file(const char *fn, const char *blob, bool accept_extra_nl) { + return 1; + } + ++int read_full_virtual_file(const char *filename, char **ret_contents, size_t *ret_size) { ++ _cleanup_free_ char *buf = NULL; ++ _cleanup_close_ int fd = -1; ++ struct stat st; ++ size_t n, size; ++ int n_retries; ++ char *p; ++ ++ assert(ret_contents); ++ ++ /* Virtual filesystems such as sysfs or procfs use kernfs, and kernfs can work ++ * with two sorts of virtual files. One sort uses "seq_file", and the results of ++ * the first read are buffered for the second read. The other sort uses "raw" ++ * reads which always go direct to the device. In the latter case, the content of ++ * the virtual file must be retrieved with a single read otherwise a second read ++ * might get the new value instead of finding EOF immediately. That's the reason ++ * why the usage of fread(3) is prohibited in this case as it always performs a ++ * second call to read(2) looking for EOF. See issue 13585. */ ++ ++ fd = open(filename, O_RDONLY|O_CLOEXEC); ++ if (fd < 0) ++ return -errno; ++ ++ /* Start size for files in /proc which usually report a file size of 0. */ ++ size = LINE_MAX / 2; ++ ++ /* Limit the number of attempts to read the number of bytes returned by fstat(). */ ++ n_retries = 3; ++ ++ for (;;) { ++ if (n_retries <= 0) ++ return -EIO; ++ ++ if (fstat(fd, &st) < 0) ++ return -errno; ++ ++ if (!S_ISREG(st.st_mode)) ++ return -EBADF; ++ ++ /* Be prepared for files from /proc which generally report a file size of 0. */ ++ if (st.st_size > 0) { ++ size = st.st_size; ++ n_retries--; ++ } else ++ size = size * 2; ++ ++ if (size > READ_FULL_BYTES_MAX) ++ return -E2BIG; ++ ++ p = realloc(buf, size + 1); ++ if (!p) ++ return -ENOMEM; ++ buf = TAKE_PTR(p); ++ ++ for (;;) { ++ ssize_t k; ++ ++ /* Read one more byte so we can detect whether the content of the ++ * file has already changed or the guessed size for files from /proc ++ * wasn't large enough . */ ++ k = read(fd, buf, size + 1); ++ if (k >= 0) { ++ n = k; ++ break; ++ } ++ ++ if (errno != -EINTR) ++ return -errno; ++ } ++ ++ /* Consider a short read as EOF */ ++ if (n <= size) ++ break; ++ ++ /* Hmm... either we read too few bytes from /proc or less likely the content ++ * of the file might have been changed (and is now bigger) while we were ++ * processing, let's try again either with a bigger guessed size or the new ++ * file size. */ ++ ++ if (lseek(fd, 0, SEEK_SET) < 0) ++ return -errno; ++ } ++ ++ if (n < size) { ++ p = realloc(buf, n + 1); ++ if (!p) ++ return -ENOMEM; ++ buf = TAKE_PTR(p); ++ } ++ ++ if (!ret_size) { ++ /* Safety check: if the caller doesn't want to know the size of what we ++ * just read it will rely on the trailing NUL byte. But if there's an ++ * embedded NUL byte, then we should refuse operation as otherwise ++ * there'd be ambiguity about what we just read. */ ++ ++ if (memchr(buf, 0, n)) ++ return -EBADMSG; ++ } else ++ *ret_size = n; ++ ++ buf[n] = 0; ++ *ret_contents = TAKE_PTR(buf); ++ ++ return 0; ++} ++ + int read_full_stream(FILE *f, char **contents, size_t *size) { + _cleanup_free_ char *buf = NULL; + struct stat st; +@@ -300,9 +407,9 @@ int read_full_stream(FILE *f, char **contents, size_t *size) { + if (st.st_size > READ_FULL_BYTES_MAX) + return -E2BIG; + +- /* Start with the right file size, but be prepared for files from /proc which generally report a file +- * size of 0. Note that we increase the size to read here by one, so that the first read attempt +- * already makes us notice the EOF. */ ++ /* Start with the right file size. Note that we increase the size ++ * to read here by one, so that the first read attempt already ++ * makes us notice the EOF. */ + if (st.st_size > 0) + n = st.st_size + 1; + } +@@ -986,7 +1093,7 @@ int get_proc_field(const char *filename, const char *pattern, const char *termin + assert(pattern); + assert(field); + +- r = read_full_file(filename, &status, NULL); ++ r = read_full_virtual_file(filename, &status, NULL); + if (r < 0) + return r; + +diff --git a/src/basic/fileio.h b/src/basic/fileio.h +index 77e6206e95..c6ad375b8d 100644 +--- a/src/basic/fileio.h ++++ b/src/basic/fileio.h +@@ -38,6 +38,7 @@ int write_string_filef(const char *fn, WriteStringFileFlags flags, const char *f + int read_one_line_file(const char *fn, char **line); + int read_full_file(const char *fn, char **contents, size_t *size); + int read_full_stream(FILE *f, char **contents, size_t *size); ++int read_full_virtual_file(const char *filename, char **ret_contents, size_t *ret_size); + + int verify_file(const char *fn, const char *blob, bool accept_extra_nl); + +diff --git a/src/libsystemd/sd-device/sd-device.c b/src/libsystemd/sd-device/sd-device.c +index be29053f8c..49750ba9d7 100644 +--- a/src/libsystemd/sd-device/sd-device.c ++++ b/src/libsystemd/sd-device/sd-device.c +@@ -1798,7 +1798,7 @@ _public_ int sd_device_get_sysattr_value(sd_device *device, const char *sysattr, + size_t size; + + /* read attribute value */ +- r = read_full_file(path, &value, &size); ++ r = read_full_virtual_file(path, &value, &size); + if (r < 0) + return r; + diff --git a/SOURCES/0852-Use-BIOS-characteristics-to-distinguish-EC2-bare-met.patch b/SOURCES/0852-Use-BIOS-characteristics-to-distinguish-EC2-bare-met.patch new file mode 100644 index 0000000..bf84a18 --- /dev/null +++ b/SOURCES/0852-Use-BIOS-characteristics-to-distinguish-EC2-bare-met.patch @@ -0,0 +1,118 @@ +From 44cbd79562ed55a8b0f2e5b5dc708265568ed9f8 Mon Sep 17 00:00:00 2001 +From: Noah Meyerhans +Date: Fri, 30 Apr 2021 09:30:52 -0700 +Subject: [PATCH] Use BIOS characteristics to distinguish EC2 bare-metal from + VMs + +DMI vendor information fields do not provide enough information for us to +distinguish between Amazon EC2 virtual machines and bare-metal instances. +SMBIOS provides a BIOS Information +table (https://www.dmtf.org/sites/default/files/standards/documents/DSP0134_3.4.0.pdf +Ch. 7) that provides a field to indicate that the current machine is a virtual +machine. On EC2 virtual machine instances, this field is set, while bare-metal +instances leave this unset, so we inspect the field via the kernel's +/sys/firemware/dmi/entries interface. + +Fixes #18929 + +(cherry picked from commit ce35037928f4c4c931088256853f07804ec7d235) + +Related: #2117948 +--- + src/basic/virt.c | 65 +++++++++++++++++++++++++++++++++++++++++++++--- + 1 file changed, 61 insertions(+), 4 deletions(-) + +diff --git a/src/basic/virt.c b/src/basic/virt.c +index 6e4c702051..00d1c894e6 100644 +--- a/src/basic/virt.c ++++ b/src/basic/virt.c +@@ -22,6 +22,12 @@ + #include "string-util.h" + #include "virt.h" + ++enum { ++ SMBIOS_VM_BIT_SET, ++ SMBIOS_VM_BIT_UNSET, ++ SMBIOS_VM_BIT_UNKNOWN, ++}; ++ + static const char *const vm_table[_VIRTUALIZATION_MAX] = { + [VIRTUALIZATION_XEN] = "XenVMMXenVMM", + [VIRTUALIZATION_KVM] = "KVMKVMKVM", +@@ -131,9 +137,8 @@ static int detect_vm_device_tree(void) { + #endif + } + +-static int detect_vm_dmi(void) { + #if defined(__i386__) || defined(__x86_64__) || defined(__arm__) || defined(__aarch64__) +- ++static int detect_vm_dmi_vendor(void) { + static const char *const dmi_vendors[] = { + "/sys/class/dmi/id/product_name", /* Test this before sys_vendor to detect KVM over QEMU */ + "/sys/class/dmi/id/sys_vendor", +@@ -179,11 +184,63 @@ static int detect_vm_dmi(void) { + return dmi_vendor_table[j].id; + } + } +-#endif ++ return VIRTUALIZATION_NONE; ++} ++ ++static int detect_vm_smbios(void) { ++ /* The SMBIOS BIOS Charateristics Extension Byte 2 (Section 2.1.2.2 of ++ * https://www.dmtf.org/sites/default/files/standards/documents/DSP0134_3.4.0.pdf), specifies that ++ * the 4th bit being set indicates a VM. The BIOS Characteristics table is exposed via the kernel in ++ * /sys/firmware/dmi/entries/0-0. Note that in the general case, this bit being unset should not ++ * imply that the system is running on bare-metal. For example, QEMU 3.1.0 (with or without KVM) ++ * with SeaBIOS does not set this bit. */ ++ _cleanup_free_ char *s = NULL; ++ size_t readsize; ++ int r; ++ ++ r = read_full_virtual_file("/sys/firmware/dmi/entries/0-0/raw", &s, &readsize); ++ if (r < 0) { ++ log_debug_errno(r, "Unable to read /sys/firmware/dmi/entries/0-0/raw, ignoring: %m"); ++ return SMBIOS_VM_BIT_UNKNOWN; ++ } ++ if (readsize < 20 || s[1] < 20) { ++ /* The spec indicates that byte 1 contains the size of the table, 0x12 + the number of ++ * extension bytes. The data we're interested in is in extension byte 2, which would be at ++ * 0x13. If we didn't read that much data, or if the BIOS indicates that we don't have that ++ * much data, we don't infer anything from the SMBIOS. */ ++ log_debug("Only read %zu bytes from /sys/firmware/dmi/entries/0-0/raw (expected 20)", readsize); ++ return SMBIOS_VM_BIT_UNKNOWN; ++ } + +- log_debug("No virtualization found in DMI"); ++ uint8_t byte = (uint8_t) s[19]; ++ if (byte & (1U<<4)) { ++ log_debug("DMI BIOS Extension table indicates virtualization"); ++ return SMBIOS_VM_BIT_SET; ++ } ++ log_debug("DMI BIOS Extension table does not indicate virtualization"); ++ return SMBIOS_VM_BIT_UNSET; ++} ++#endif /* defined(__i386__) || defined(__x86_64__) || defined(__arm__) || defined(__aarch64__) */ ++ ++static int detect_vm_dmi(void) { ++#if defined(__i386__) || defined(__x86_64__) || defined(__arm__) || defined(__aarch64__) ++ ++ int r; ++ r = detect_vm_dmi_vendor(); + ++ /* The DMI vendor tables in /sys/class/dmi/id don't help us distinguish between Amazon EC2 ++ * virtual machines and bare-metal instances, so we need to look at SMBIOS. */ ++ if (r == VIRTUALIZATION_AMAZON && detect_vm_smbios() == SMBIOS_VM_BIT_UNSET) ++ return VIRTUALIZATION_NONE; ++ ++ /* If we haven't identified a VM, but the firmware indicates that there is one, indicate as much. We ++ * have no further information about what it is. */ ++ if (r == VIRTUALIZATION_NONE && detect_vm_smbios() == SMBIOS_VM_BIT_SET) ++ return VIRTUALIZATION_VM_OTHER; ++ return r; ++#else + return VIRTUALIZATION_NONE; ++#endif + } + + static int detect_vm_xen(void) { diff --git a/SOURCES/0853-device-drop-refuse_after.patch b/SOURCES/0853-device-drop-refuse_after.patch new file mode 100644 index 0000000..80e5c62 --- /dev/null +++ b/SOURCES/0853-device-drop-refuse_after.patch @@ -0,0 +1,37 @@ +From bb9d00035c00b8590c389e66b5d94334bbb7379d Mon Sep 17 00:00:00 2001 +From: Franck Bui +Date: Mon, 30 Mar 2020 10:49:29 +0200 +Subject: [PATCH] device: drop refuse_after + +Scheduling devices after a given unit can be useful to start device *jobs* at a +specific time in the transaction, see commit 4195077ab4c823c. + +This (hidden) change was introduced by commit eef85c4a3f8054d2. + +(cherry picked from commit b862c25716520d9381d5a841dba0f0c14e9c970a) + +[dtardon: This picks just the minimal relevant change from +c80a9a33d04fb4381327a69ce929c94a9f1d0e6c and +b862c25716520d9381d5a841dba0f0c14e9c970a] + +Resolves: #2043524 +--- + src/core/unit.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/src/core/unit.c b/src/core/unit.c +index dfe0c243ef..9be2a0c326 100644 +--- a/src/core/unit.c ++++ b/src/core/unit.c +@@ -2841,8 +2841,9 @@ int unit_add_dependency( + return 0; + } + +- if ((d == UNIT_BEFORE && other->type == UNIT_DEVICE) || +- (d == UNIT_AFTER && u->type == UNIT_DEVICE)) { ++ /* Note that ordering a device unit after a unit is permitted since it ++ * allows to start its job running timeout at a specific time. */ ++ if (d == UNIT_BEFORE && other->type == UNIT_DEVICE) { + log_unit_warning(u, "Dependency Before=%s ignored (.device units cannot be delayed)", other->id); + return 0; + } diff --git a/SPECS/systemd.spec b/SPECS/systemd.spec index c2302aa..6079af7 100644 --- a/SPECS/systemd.spec +++ b/SPECS/systemd.spec @@ -13,7 +13,7 @@ Name: systemd Url: http://www.freedesktop.org/wiki/Software/systemd Version: 239 -Release: 69%{?dist} +Release: 70%{?dist} # For a breakdown of the licensing, see README License: LGPLv2+ and MIT and GPLv2+ Summary: System and Service Manager @@ -888,6 +888,21 @@ Patch0835: 0835-Fix-build-with-httpd-0.9.71.patch Patch0836: 0836-ci-replace-LGTM-with-CodeQL.patch Patch0837: 0837-ci-mergify-Update-policy-Drop-LGTM-checks.patch Patch0838: 0838-time-util-fix-buffer-over-run.patch +Patch0839: 0839-basic-recognize-pdfs-filesystem-as-a-network-filesys.patch +Patch0840: 0840-core-move-reset_arguments-to-the-end-of-main-s-finis.patch +Patch0841: 0841-manager-move-inc.-of-n_reloading-into-a-function.patch +Patch0842: 0842-core-Add-new-DBUS-properties-UnitsReloadStartTimesta.patch +Patch0843: 0843-core-Indicate-the-time-when-the-manager-started-load.patch +Patch0844: 0844-core-do-not-touch-run-systemd-systemd-units-load-fro.patch +Patch0845: 0845-sysctl-downgrade-message-when-we-have-no-permission.patch +Patch0846: 0846-core-respect-SELinuxContext-for-socket-creation.patch +Patch0847: 0847-manager-use-target-process-context-to-set-socket-con.patch +Patch0848: 0848-virt-detect-Amazon-EC2-Nitro-instance.patch +Patch0849: 0849-machine-id-setup-generate-machine-id-from-DMI-produc.patch +Patch0850: 0850-virt-use-string-table-to-detect-VM-or-container.patch +Patch0851: 0851-fileio-introduce-read_full_virtual_file-for-reading-.patch +Patch0852: 0852-Use-BIOS-characteristics-to-distinguish-EC2-bare-met.patch +Patch0853: 0853-device-drop-refuse_after.patch %ifarch %{ix86} x86_64 aarch64 %global have_gnu_efi 1 @@ -1517,6 +1532,23 @@ fi %files tests -f .file-list-tests %changelog +* Mon Jan 16 2023 systemd maintenance team - 239-70 +- basic: recognize pdfs filesystem as a network filesystem (#2094661) +- core: move reset_arguments() to the end of main's finish (#2127131) +- manager: move inc. of n_reloading into a function (#2136869) +- core: Add new DBUS properties UnitsReloadStartTimestamp and UnitsLoadTimestampMontonic (#2136869) +- core: Indicate the time when the manager started loading units the last time (#2136869) +- core: do not touch /run/systemd/systemd-units-load from user session instances (#2136869) +- sysctl: downgrade message when we have no permission (#2158160) +- core: respect SELinuxContext= for socket creation (#2136738) +- manager: use target process context to set socket context (#2136738) +- virt: detect Amazon EC2 Nitro instance (#2117948) +- machine-id-setup: generate machine-id from DMI product ID on Amazon EC2 (#2117948) +- virt: use string table to detect VM or container (#2117948) +- fileio: introduce read_full_virtual_file() for reading virtual files in sysfs, procfs (#2117948) +- Use BIOS characteristics to distinguish EC2 bare-metal from VMs (#2117948) +- device: drop refuse_after (#2043524) + * Tue Nov 08 2022 systemd maintenance team - 239-69 - logind: optionally watch utmp for login data (#2122288) - logind: add hashtable for finding session by leader PID (#2122288)