diff --git a/1326-integritysetup-Add-support-for-hmac-sha512.patch b/1326-integritysetup-Add-support-for-hmac-sha512.patch
new file mode 100644
index 0000000..c7e366e
--- /dev/null
+++ b/1326-integritysetup-Add-support-for-hmac-sha512.patch
@@ -0,0 +1,78 @@ +From 24eef4e6cc9bde4b96d72fbd5b438d774f1ce66a Mon Sep 17 00:00:00 2001 +From: Ingo Franzki +Date: Tue, 5 Mar 2024 08:28:40 +0100 +Subject: [PATCH] integritysetup: Add support for hmac-sha512 + +Currently the only supported integrity algorithm using HMAC is 'hmac-sha256'. +Add 'hmac-sha512' to the list of supported algorithms as well. + +(cherry picked from commit 7bf1cfe3b20037f3732d8854833b00f6a3511d95) + +Resolves: RHEL-50213 +--- + man/integritytab.xml | 6 +++--- + src/integritysetup/integrity-util.c | 2 +- + src/integritysetup/integrity-util.h | 1 + + src/integritysetup/integritysetup.c | 2 ++ + 4 files changed, 7 insertions(+), 4 deletions(-) + +diff --git a/man/integritytab.xml b/man/integritytab.xml +index 44f0a55929..2c48d2960f 100644 +--- a/man/integritytab.xml ++++ b/man/integritytab.xml +@@ -55,8 +55,8 @@ + + The third field if present contains an absolute filename path to a key file or a - + to specify none. When the filename is present, the "integrity-algorithm" defaults to hmac-sha256 +- with the key length derived from the number of bytes in the key file. At this time the only supported integrity algorithm +- when using key file is hmac-sha256. The maximum size of the key file is 4096 bytes. ++ with the key length derived from the number of bytes in the key file. At this time the only supported integrity algorithms ++ when using key file are hmac-sha256 and hmac-sha512. The maximum size of the key file is 4096 bytes. + + + The fourth field, if present, is a comma-delimited list of options or a - to specify none. The following options are +@@ -101,7 +101,7 @@ + + + +- ++ + + + The algorithm used for integrity checking. The default is crc32c. Must match option used during format. 
+diff --git a/src/integritysetup/integrity-util.c b/src/integritysetup/integrity-util.c
+index 410133b377..934e97fa5e 100644
+--- a/src/integritysetup/integrity-util.c
++++ b/src/integritysetup/integrity-util.c
+@@ -7,7 +7,7 @@
+ #include "percent-util.h"
+
+ static int supported_integrity_algorithm(char *user_supplied) {
+- if (!STR_IN_SET(user_supplied, "crc32", "crc32c", "sha1", "sha256", "hmac-sha256"))
++ if (!STR_IN_SET(user_supplied, "crc32", "crc32c", "sha1", "sha256", "hmac-sha256", "hmac-sha512"))
+ return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Unsupported integrity algorithm (%s)", user_supplied);
+ return 0;
+ }
+diff --git a/src/integritysetup/integrity-util.h b/src/integritysetup/integrity-util.h
+index 359d2556a4..f701b59273 100644
+--- a/src/integritysetup/integrity-util.h
++++ b/src/integritysetup/integrity-util.h
+@@ -15,4 +15,5 @@ int parse_integrity_options(
+ char **ret_integrity_alg);
+
+ #define DM_HMAC_256 "hmac(sha256)"
++#define DM_HMAC_512 "hmac(sha512)"
+ #define DM_MAX_KEY_SIZE 4096 /* Maximum size of key allowed for dm-integrity */
+diff --git a/src/integritysetup/integritysetup.c b/src/integritysetup/integritysetup.c
+index a602886cb3..674131ed54 100644
+--- a/src/integritysetup/integritysetup.c
++++ b/src/integritysetup/integritysetup.c
+@@ -80,6 +80,8 @@ static const char *integrity_algorithm_select(const void *key_file_buf) {
+ if (arg_integrity_algorithm) {
+ if (streq("hmac-sha256", arg_integrity_algorithm))
+ return DM_HMAC_256;
++ if (streq("hmac-sha512", arg_integrity_algorithm))
++ return DM_HMAC_512;
+ return arg_integrity_algorithm;
+ } else if (key_file_buf)
+ return DM_HMAC_256;
diff --git a/1327-integritysetup-Add-PHMAC-algorithm-to-list-of-known-.patch b/1327-integritysetup-Add-PHMAC-algorithm-to-list-of-known-.patch
new file mode 100644
index 0000000..886a20d
--- /dev/null
+++ b/1327-integritysetup-Add-PHMAC-algorithm-to-list-of-known-.patch
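Review bot: In patch 1326's integritysetup.c hunk, the new `hmac-sha512` branch is a second hand-maintained copy of the algorithm list, and nothing in the code says so. The allow-list in `supported_integrity_algorithm()` (integrity-util.c hunk) and the `streq()` chain in `integrity_algorithm_select()` have to be extended together; a keyed algorithm added only to the allow-list would fall through to `return arg_integrity_algorithm;` and be passed on in its user-facing spelling rather than its `DM_HMAC_*` form. A comment above the chain would record that coupling, for example `/* Keep in sync with supported_integrity_algorithm(): every hmac-* name accepted there needs a DM_* mapping here */`. `integrity_algorithm_select()` starts and ends outside the hunk.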
@@ -0,0 +1,84 @@ +From 2ce62a32b85b8bc756c34d31d10d343bd2c088f5 Mon Sep 17 00:00:00 2001 +From: Ingo Franzki +Date: Mon, 4 Mar 2024 09:26:18 +0100 +Subject: [PATCH] integritysetup: Add PHMAC algorithm to list of known + algorithms + +Add the PHMAC integrity algorithm to the list of supported algorithms. + +The PHMAC algorithm is like the regular HMAC algorithm, but it takes a wrapped key +as input. A key for the PHMAC algorithm is an opaque key blob, who's physical size +has nothing to do with the cryptographic size. Currently PHMAC is only available +for the s390x architecture. + +(cherry picked from commit eb7b0d413e5f7ca35e9f6a0b211dd71a710cb60d) + +Resolves: RHEL-50213 +--- + man/integritytab.xml | 4 ++-- + src/integritysetup/integrity-util.c | 2 +- + src/integritysetup/integrity-util.h | 2 ++ + src/integritysetup/integritysetup.c | 4 ++++ + 4 files changed, 9 insertions(+), 3 deletions(-) + +diff --git a/man/integritytab.xml b/man/integritytab.xml +index 2c48d2960f..f3f2a823c6 100644 +--- a/man/integritytab.xml ++++ b/man/integritytab.xml +@@ -56,7 +56,7 @@ + The third field if present contains an absolute filename path to a key file or a - + to specify none. When the filename is present, the "integrity-algorithm" defaults to hmac-sha256 + with the key length derived from the number of bytes in the key file. At this time the only supported integrity algorithms +- when using key file are hmac-sha256 and hmac-sha512. The maximum size of the key file is 4096 bytes. ++ when using key file are hmac-sha256, hmac-sha512, phmac-sha256, and hmac-sha512. The maximum size of the key file is 4096 bytes. + + + The fourth field, if present, is a comma-delimited list of options or a - to specify none. The following options are +@@ -101,7 +101,7 @@ + + + +- ++ + + + The algorithm used for integrity checking. The default is crc32c. Must match option used during format. 
+diff --git a/src/integritysetup/integrity-util.c b/src/integritysetup/integrity-util.c
+index 934e97fa5e..c3bfd636ec 100644
+--- a/src/integritysetup/integrity-util.c
++++ b/src/integritysetup/integrity-util.c
+@@ -7,7 +7,7 @@
+ #include "percent-util.h"
+
+ static int supported_integrity_algorithm(char *user_supplied) {
+- if (!STR_IN_SET(user_supplied, "crc32", "crc32c", "sha1", "sha256", "hmac-sha256", "hmac-sha512"))
++ if (!STR_IN_SET(user_supplied, "crc32", "crc32c", "sha1", "sha256", "hmac-sha256", "hmac-sha512", "phmac-sha256", "phmac-sha512"))
+ return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Unsupported integrity algorithm (%s)", user_supplied);
+ return 0;
+ }
+diff --git a/src/integritysetup/integrity-util.h b/src/integritysetup/integrity-util.h
+index f701b59273..4225834b9b 100644
+--- a/src/integritysetup/integrity-util.h
++++ b/src/integritysetup/integrity-util.h
+@@ -16,4 +16,6 @@ int parse_integrity_options(
+
+ #define DM_HMAC_256 "hmac(sha256)"
+ #define DM_HMAC_512 "hmac(sha512)"
++#define DM_PHMAC_256 "phmac(sha256)"
++#define DM_PHMAC_512 "phmac(sha512)"
+ #define DM_MAX_KEY_SIZE 4096 /* Maximum size of key allowed for dm-integrity */
+diff --git a/src/integritysetup/integritysetup.c b/src/integritysetup/integritysetup.c
+index 674131ed54..fd8a2db9d4 100644
+--- a/src/integritysetup/integritysetup.c
++++ b/src/integritysetup/integritysetup.c
+@@ -82,6 +82,10 @@ static const char *integrity_algorithm_select(const void *key_file_buf) {
+ return DM_HMAC_256;
+ if (streq("hmac-sha512", arg_integrity_algorithm))
+ return DM_HMAC_512;
++ if (streq("phmac-sha256", arg_integrity_algorithm))
++ return DM_PHMAC_256;
++ if (streq("phmac-sha512", arg_integrity_algorithm))
++ return DM_PHMAC_512;
+ return arg_integrity_algorithm;
+ } else if (key_file_buf)
+ return DM_HMAC_256;
diff --git a/1328-manager-fix-scope-for-environment-generators.patch b/1328-manager-fix-scope-for-environment-generators.patch
new file mode 100644
index 0000000..c8a3cf1
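Review bot: The man page sentence added in patch 1327's integritytab.xml hunk names `hmac-sha512` twice and never mentions `phmac-sha512`, although the allow-list and `integrity_algorithm_select()` in the same patch accept it; the list should read `hmac-sha256, hmac-sha512, phmac-sha256, and phmac-sha512`. The key-file-only branch (`else if (key_file_buf) return DM_HMAC_256;`) is unchanged context, so a key file given without an explicit integrity-algorithm option still selects hmac-sha256. Since the commit message describes PHMAC keys as opaque wrapped blobs, the man page should probably also say that a phmac-* algorithm has to be requested explicitly; otherwise the blob would presumably be used as a plain HMAC key. `integrity_algorithm_select()` starts and ends outside the hunk.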
--- /dev/null
+++ b/1328-manager-fix-scope-for-environment-generators.patch
@@ -0,0 +1,27 @@
+From db8eba6c0d1d34086173657cfcd72737d94e8e20 Mon Sep 17 00:00:00 2001
+From: Ludwig Nussel
+Date: Wed, 15 Mar 2023 10:20:59 +0100
+Subject: [PATCH] manager: fix scope for environment generators
+
+fixes regression introduced by 4870133bfa
+
+(cherry picked from commit 361cacf49e8fd6b0fc983f0ee507c1d22fa00103)
+
+Resolves: RHEL-159230
+---
+ src/core/manager.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/core/manager.c b/src/core/manager.c
+index ec5e374f24..79408b18dc 100644
+--- a/src/core/manager.c
++++ b/src/core/manager.c
+@@ -3695,7 +3695,7 @@ static int manager_run_environment_generators(Manager *m) {
+ if (MANAGER_IS_TEST_RUN(m) && !(m->test_run_flags & MANAGER_TEST_RUN_ENV_GENERATORS))
+ return 0;
+
+- paths = env_generator_binary_paths(MANAGER_IS_SYSTEM(m));
++ paths = env_generator_binary_paths(m->runtime_scope);
+ if (!paths)
+ return log_oom();
+
diff --git a/1329-core-validate-input-cgroup-path-more-prudently.patch b/1329-core-validate-input-cgroup-path-more-prudently.patch
new file mode 100644
index 0000000..c70968c
--- /dev/null
+++ b/1329-core-validate-input-cgroup-path-more-prudently.patch
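Review bot: The corrected call in patch 1328's `manager_run_environment_generators()` hunk has no comment or test pinning which kind of argument is expected, and the old `MANAGER_IS_SYSTEM(m)` argument evidently compiled without complaint, so the same slip can recur. Judging by its name, `env_generator_binary_paths()` decides which directories the manager runs generators from, so a wrong scope would mean executing a different set of generators than intended; what the regression did in practice is not shown here. I would add `/* takes the manager's runtime scope, not a boolean */` above the call and check any other callers of `env_generator_binary_paths()` for a leftover boolean argument. The function starts and ends outside the hunk.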
@@ -0,0 +1,29 @@
+From f7a9f500ea223e8cee700d0acdc3a298fb3e0a58 Mon Sep 17 00:00:00 2001
+From: Mike Yuan
+Date: Thu, 26 Feb 2026 11:06:34 +0100
+Subject: [PATCH] core: validate input cgroup path more prudently
+
+(cherry picked from commit efa6ba2ab625aaa160ac435a09e6482fc63bdbe8)
+
+Resolves: RHEL-155393
+---
+ src/core/dbus-manager.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/core/dbus-manager.c b/src/core/dbus-manager.c
+index 3f62b30745..16c9680d80 100644
+--- a/src/core/dbus-manager.c
++++ b/src/core/dbus-manager.c
+@@ -666,6 +666,12 @@ static int method_get_unit_by_control_group(sd_bus_message *message, void *userd
+ if (r < 0)
+ return r;
+
++ if (!path_is_absolute(cgroup))
++ return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Control group path is not absolute: %s", cgroup);
++
++ if (!path_is_normalized(cgroup))
++ return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Control group path is not normalized: %s", cgroup);
++
+ u = manager_get_unit_by_cgroup(m, cgroup);
+ if (!u)
+ return sd_bus_error_setf(error, BUS_ERROR_NO_SUCH_UNIT,
diff --git a/systemd.spec b/systemd.spec
index e983b12..e39eff2 100644
--- a/systemd.spec
+++ b/systemd.spec
@@ -21,7 +21,7 @@
 Name: systemd
 Url: https://systemd.io
 Version: 252
-Release: 67%{?dist}
+Release: 68%{?dist}
 # For a breakdown of the licensing, see README
 License: LGPLv2+ and MIT and GPLv2+
 Summary: System and Service Manager
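Review bot: The two checks added before `manager_get_unit_by_cgroup()` in patch 1329's dbus-manager.c hunk carry no comment saying why they are needed, and they exist only in this D-Bus method. Per the patch title, `cgroup` is input from the bus caller, so a line such as `/* cgroup comes from the bus caller: reject relative or non-normalized paths before the lookup */` would record the intent for the next reader. If `manager_get_unit_by_cgroup()` has other callers that pass externally supplied paths (not visible in this hunk), the validation would be more robust inside the lookup itself, or asserted there. `method_get_unit_by_control_group()` starts and ends outside the hunk.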
@@ -1408,6 +1408,10 @@ Patch1322: 1322-tmpfiles-teach-tmpfiles-the-new-XDG_STATE_HOME-varia.patch Patch1323: 1323-test-use-XDG_STATE_HOME-for-S-and-L.patch Patch1324: 1324-man-fully-adopt-.local-state.patch Patch1325: 1325-core-only-activate-transaction-that-contain-useful-j.patch +Patch1326: 1326-integritysetup-Add-support-for-hmac-sha512.patch +Patch1327: 1327-integritysetup-Add-PHMAC-algorithm-to-list-of-known-.patch +Patch1328: 1328-manager-fix-scope-for-environment-generators.patch +Patch1329: 1329-core-validate-input-cgroup-path-more-prudently.patch # Downstream-only patches (9000–9999) @@ -2285,6 +2289,12 @@ systemd-hwdb update &>/dev/null || : %{_prefix}/lib/dracut/modules.d/70rhel-net-naming-sysattrs/* %changelog +* Wed Apr 08 2026 systemd maintenance team - 252-68 +- integritysetup: Add support for hmac-sha512 (RHEL-50213) +- integritysetup: Add PHMAC algorithm to list of known algorithms (RHEL-50213) +- manager: fix scope for environment generators (RHEL-159230) +- core: validate input cgroup path more prudently (RHEL-155393) + * Mon Feb 23 2026 systemd maintenance team - 252-67 - core: only activate transaction that contain useful jobs (RHEL-143727)