systemd-252-68

Resolves: RHEL-50213, RHEL-159230, RHEL-155393
Jan Macku 2026-04-08 08:33:16 +02:00
parent f953917f6a
commit 7bd1a8cae9
5 changed files with 229 additions and 1 deletions

@ -0,0 +1,78 @@
From 24eef4e6cc9bde4b96d72fbd5b438d774f1ce66a Mon Sep 17 00:00:00 2001
From: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Tue, 5 Mar 2024 08:28:40 +0100
Subject: [PATCH] integritysetup: Add support for hmac-sha512
Currently the only supported integrity algorithm using HMAC is 'hmac-sha256'.
Add 'hmac-sha512' to the list of supported algorithms as well.
(cherry picked from commit 7bf1cfe3b20037f3732d8854833b00f6a3511d95)
Resolves: RHEL-50213
---
man/integritytab.xml | 6 +++---
src/integritysetup/integrity-util.c | 2 +-
src/integritysetup/integrity-util.h | 1 +
src/integritysetup/integritysetup.c | 2 ++
4 files changed, 7 insertions(+), 4 deletions(-)
diff --git a/man/integritytab.xml b/man/integritytab.xml
index 44f0a55929..2c48d2960f 100644
--- a/man/integritytab.xml
+++ b/man/integritytab.xml
@@ -55,8 +55,8 @@
<para>The third field if present contains an absolute filename path to a key file or a <literal>-</literal>
to specify none. When the filename is present, the "integrity-algorithm" defaults to <literal>hmac-sha256</literal>
- with the key length derived from the number of bytes in the key file. At this time the only supported integrity algorithm
- when using key file is hmac-sha256. The maximum size of the key file is 4096 bytes.
+ with the key length derived from the number of bytes in the key file. At this time the only supported integrity algorithms
+ when using key file are hmac-sha256 and hmac-sha512. The maximum size of the key file is 4096 bytes.
</para>
<para>The fourth field, if present, is a comma-delimited list of options or a <literal>-</literal> to specify none. The following options are
@@ -101,7 +101,7 @@
</varlistentry>
<varlistentry>
- <term><option>integrity-algorithm=[crc32c|crc32|sha1|sha256|hmac-sha256]</option></term>
+ <term><option>integrity-algorithm=[crc32c|crc32|sha1|sha256|hmac-sha256|hmac-sha512]</option></term>
<listitem><para>
The algorithm used for integrity checking. The default is crc32c. Must match option used during format.
diff --git a/src/integritysetup/integrity-util.c b/src/integritysetup/integrity-util.c
index 410133b377..934e97fa5e 100644
--- a/src/integritysetup/integrity-util.c
+++ b/src/integritysetup/integrity-util.c
@@ -7,7 +7,7 @@
#include "percent-util.h"
static int supported_integrity_algorithm(char *user_supplied) {
- if (!STR_IN_SET(user_supplied, "crc32", "crc32c", "sha1", "sha256", "hmac-sha256"))
+ if (!STR_IN_SET(user_supplied, "crc32", "crc32c", "sha1", "sha256", "hmac-sha256", "hmac-sha512"))
return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Unsupported integrity algorithm (%s)", user_supplied);
return 0;
}
diff --git a/src/integritysetup/integrity-util.h b/src/integritysetup/integrity-util.h
index 359d2556a4..f701b59273 100644
--- a/src/integritysetup/integrity-util.h
+++ b/src/integritysetup/integrity-util.h
@@ -15,4 +15,5 @@ int parse_integrity_options(
char **ret_integrity_alg);
#define DM_HMAC_256 "hmac(sha256)"
+#define DM_HMAC_512 "hmac(sha512)"
#define DM_MAX_KEY_SIZE 4096 /* Maximum size of key allowed for dm-integrity */
diff --git a/src/integritysetup/integritysetup.c b/src/integritysetup/integritysetup.c
index a602886cb3..674131ed54 100644
--- a/src/integritysetup/integritysetup.c
+++ b/src/integritysetup/integritysetup.c
@@ -80,6 +80,8 @@ static const char *integrity_algorithm_select(const void *key_file_buf) {
if (arg_integrity_algorithm) {
if (streq("hmac-sha256", arg_integrity_algorithm))
return DM_HMAC_256;
+ if (streq("hmac-sha512", arg_integrity_algorithm))
+ return DM_HMAC_512;
return arg_integrity_algorithm;
} else if (key_file_buf)
return DM_HMAC_256;
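Review bot: the new streq("hmac-sha512", arg_integrity_algorithm) branch in integrity_algorithm_select() makes this function a second place that must know every keyed algorithm, separate from the STR_IN_SET list in supported_integrity_algorithm(). A name added to the allow-list but not mapped here would pass validation and fall through to "return arg_integrity_algorithm;" in its user-facing spelling rather than the "hmac(...)" form. Consider one name-to-string table that both functions consult, so the two cannot drift apart.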

@ -0,0 +1,84 @@
From 2ce62a32b85b8bc756c34d31d10d343bd2c088f5 Mon Sep 17 00:00:00 2001
From: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Mon, 4 Mar 2024 09:26:18 +0100
Subject: [PATCH] integritysetup: Add PHMAC algorithm to list of known
algorithms
Add the PHMAC integrity algorithm to the list of supported algorithms.
The PHMAC algorithm is like the regular HMAC algorithm, but it takes a wrapped key
as input. A key for the PHMAC algorithm is an opaque key blob, whose physical size
has nothing to do with the cryptographic size. Currently PHMAC is only available
for the s390x architecture.
(cherry picked from commit eb7b0d413e5f7ca35e9f6a0b211dd71a710cb60d)
Resolves: RHEL-50213
---
man/integritytab.xml | 4 ++--
src/integritysetup/integrity-util.c | 2 +-
src/integritysetup/integrity-util.h | 2 ++
src/integritysetup/integritysetup.c | 4 ++++
4 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/man/integritytab.xml b/man/integritytab.xml
index 2c48d2960f..f3f2a823c6 100644
--- a/man/integritytab.xml
+++ b/man/integritytab.xml
@@ -56,7 +56,7 @@
<para>The third field if present contains an absolute filename path to a key file or a <literal>-</literal>
to specify none. When the filename is present, the "integrity-algorithm" defaults to <literal>hmac-sha256</literal>
with the key length derived from the number of bytes in the key file. At this time the only supported integrity algorithms
- when using key file are hmac-sha256 and hmac-sha512. The maximum size of the key file is 4096 bytes.
+ when using key file are hmac-sha256, hmac-sha512, phmac-sha256, and hmac-sha512. The maximum size of the key file is 4096 bytes.
</para>
<para>The fourth field, if present, is a comma-delimited list of options or a <literal>-</literal> to specify none. The following options are
@@ -101,7 +101,7 @@
</varlistentry>
<varlistentry>
- <term><option>integrity-algorithm=[crc32c|crc32|sha1|sha256|hmac-sha256|hmac-sha512]</option></term>
+ <term><option>integrity-algorithm=[crc32c|crc32|sha1|sha256|hmac-sha256|hmac-sha512|phmac-sha256|phmac-sha512]</option></term>
<listitem><para>
The algorithm used for integrity checking. The default is crc32c. Must match option used during format.
diff --git a/src/integritysetup/integrity-util.c b/src/integritysetup/integrity-util.c
index 934e97fa5e..c3bfd636ec 100644
--- a/src/integritysetup/integrity-util.c
+++ b/src/integritysetup/integrity-util.c
@@ -7,7 +7,7 @@
#include "percent-util.h"
static int supported_integrity_algorithm(char *user_supplied) {
- if (!STR_IN_SET(user_supplied, "crc32", "crc32c", "sha1", "sha256", "hmac-sha256", "hmac-sha512"))
+ if (!STR_IN_SET(user_supplied, "crc32", "crc32c", "sha1", "sha256", "hmac-sha256", "hmac-sha512", "phmac-sha256", "phmac-sha512"))
return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Unsupported integrity algorithm (%s)", user_supplied);
return 0;
}
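Review bot: supported_integrity_algorithm() now accepts "phmac-sha256" and "phmac-sha512" unconditionally, while the commit message says PHMAC is currently only available for s390x. On any other architecture the name passes this check, so a failure can only surface later and not as "Unsupported integrity algorithm". Either document the architecture restriction in integritytab.xml or note it in a comment next to this list, so the accepted set is not read as a guarantee of availability.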
diff --git a/src/integritysetup/integrity-util.h b/src/integritysetup/integrity-util.h
index f701b59273..4225834b9b 100644
--- a/src/integritysetup/integrity-util.h
+++ b/src/integritysetup/integrity-util.h
@@ -16,4 +16,6 @@ int parse_integrity_options(
#define DM_HMAC_256 "hmac(sha256)"
#define DM_HMAC_512 "hmac(sha512)"
+#define DM_PHMAC_256 "phmac(sha256)"
+#define DM_PHMAC_512 "phmac(sha512)"
#define DM_MAX_KEY_SIZE 4096 /* Maximum size of key allowed for dm-integrity */
diff --git a/src/integritysetup/integritysetup.c b/src/integritysetup/integritysetup.c
index 674131ed54..fd8a2db9d4 100644
--- a/src/integritysetup/integritysetup.c
+++ b/src/integritysetup/integritysetup.c
@@ -82,6 +82,10 @@ static const char *integrity_algorithm_select(const void *key_file_buf) {
return DM_HMAC_256;
if (streq("hmac-sha512", arg_integrity_algorithm))
return DM_HMAC_512;
+ if (streq("phmac-sha256", arg_integrity_algorithm))
+ return DM_PHMAC_256;
+ if (streq("phmac-sha512", arg_integrity_algorithm))
+ return DM_PHMAC_512;
return arg_integrity_algorithm;
} else if (key_file_buf)
return DM_HMAC_256;
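Review bot: inside the "if (arg_integrity_algorithm)" branch the new phmac-sha256 and phmac-sha512 cases (like the hmac-* cases above them) return the keyed algorithm without consulting key_file_buf, so the lines shown do not reject a keyed algorithm that was configured with no key file. If the caller does not already enforce that, add the check with a clear error here or in option parsing; if it does, a short comment at this point would save the next reader from checking.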

@ -0,0 +1,27 @@
From db8eba6c0d1d34086173657cfcd72737d94e8e20 Mon Sep 17 00:00:00 2001
From: Ludwig Nussel <ludwig.nussel@suse.de>
Date: Wed, 15 Mar 2023 10:20:59 +0100
Subject: [PATCH] manager: fix scope for environment generators
fixes regression introduced by 4870133bfa
(cherry picked from commit 361cacf49e8fd6b0fc983f0ee507c1d22fa00103)
Resolves: RHEL-159230
---
src/core/manager.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/core/manager.c b/src/core/manager.c
index ec5e374f24..79408b18dc 100644
--- a/src/core/manager.c
+++ b/src/core/manager.c
@@ -3695,7 +3695,7 @@ static int manager_run_environment_generators(Manager *m) {
if (MANAGER_IS_TEST_RUN(m) && !(m->test_run_flags & MANAGER_TEST_RUN_ENV_GENERATORS))
return 0;
- paths = env_generator_binary_paths(MANAGER_IS_SYSTEM(m));
+ paths = env_generator_binary_paths(m->runtime_scope);
if (!paths)
return log_oom();
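Review bot: the commit message says only "fixes regression introduced by 4870133bfa" and does not record what went wrong. The one-line change in manager_run_environment_generators() swaps the argument of env_generator_binary_paths() from MANAGER_IS_SYSTEM(m) to m->runtime_scope, and that argument decides which directories generator binaries are taken from. Please state in the message which manager instance resolved the wrong path set, and add a test that pins the paths for each scope so the argument cannot silently regress again.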

@ -0,0 +1,29 @@
From f7a9f500ea223e8cee700d0acdc3a298fb3e0a58 Mon Sep 17 00:00:00 2001
From: Mike Yuan <me@yhndnzj.com>
Date: Thu, 26 Feb 2026 11:06:34 +0100
Subject: [PATCH] core: validate input cgroup path more prudently
(cherry picked from commit efa6ba2ab625aaa160ac435a09e6482fc63bdbe8)
Resolves: RHEL-155393
---
src/core/dbus-manager.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/src/core/dbus-manager.c b/src/core/dbus-manager.c
index 3f62b30745..16c9680d80 100644
--- a/src/core/dbus-manager.c
+++ b/src/core/dbus-manager.c
@@ -666,6 +666,12 @@ static int method_get_unit_by_control_group(sd_bus_message *message, void *userd
if (r < 0)
return r;
+ if (!path_is_absolute(cgroup))
+ return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Control group path is not absolute: %s", cgroup);
+
+ if (!path_is_normalized(cgroup))
+ return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Control group path is not normalized: %s", cgroup);
+
u = manager_get_unit_by_cgroup(m, cgroup);
if (!u)
return sd_bus_error_setf(error, BUS_ERROR_NO_SUCH_UNIT,
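Review bot: the patch has no commit message body and no test, so the input that motivated the two new checks in method_get_unit_by_control_group() is not recorded. Please state which caller-supplied values were mishandled before (relative paths, or paths that path_is_normalized() rejects) and add a test that calls the method with such values and expects SD_BUS_ERROR_INVALID_ARGS. The checks also sit inline just before manager_get_unit_by_cgroup(); if other bus methods hand caller-supplied cgroup paths to that function, a shared validation helper would keep them consistent.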

@ -21,7 +21,7 @@
Name: systemd
Url: https://systemd.io
Version: 252
Release: 67%{?dist}
Release: 68%{?dist}
# For a breakdown of the licensing, see README
License: LGPLv2+ and MIT and GPLv2+
Summary: System and Service Manager
@ -1408,6 +1408,10 @@ Patch1322: 1322-tmpfiles-teach-tmpfiles-the-new-XDG_STATE_HOME-varia.patch
Patch1323: 1323-test-use-XDG_STATE_HOME-for-S-and-L.patch
Patch1324: 1324-man-fully-adopt-.local-state.patch
Patch1325: 1325-core-only-activate-transaction-that-contain-useful-j.patch
Patch1326: 1326-integritysetup-Add-support-for-hmac-sha512.patch
Patch1327: 1327-integritysetup-Add-PHMAC-algorithm-to-list-of-known-.patch
Patch1328: 1328-manager-fix-scope-for-environment-generators.patch
Patch1329: 1329-core-validate-input-cgroup-path-more-prudently.patch
# Downstream-only patches (90009999)
@ -2285,6 +2289,12 @@ systemd-hwdb update &>/dev/null || :
%{_prefix}/lib/dracut/modules.d/70rhel-net-naming-sysattrs/*
%changelog
* Wed Apr 08 2026 systemd maintenance team <systemd-maint@redhat.com> - 252-68
- integritysetup: Add support for hmac-sha512 (RHEL-50213)
- integritysetup: Add PHMAC algorithm to list of known algorithms (RHEL-50213)
- manager: fix scope for environment generators (RHEL-159230)
- core: validate input cgroup path more prudently (RHEL-155393)
* Mon Feb 23 2026 systemd maintenance team <systemd-maint@redhat.com> - 252-67
- core: only activate transaction that contain useful jobs (RHEL-143727)