From 96407411c4a4140a90319ad07fad3e4970f8adee Mon Sep 17 00:00:00 2001 From: Jan Macku Date: Tue, 14 Jan 2025 10:45:36 +0100 Subject: [PATCH] systemd-252-50 Resolves: RHEL-3906,RHEL-56793,RHEL-59088,RHEL-5956,RHEL-70103 --- ...eate-user-journals-for-users-with-hi.patch | 61 ++++++++++ ...anslate-unit-instances-to-paths-when.patch | 105 ++++++++++++++++++ 1093-test-systemctl-enable-fix-typo.patch | 27 +++++ ...device-symlink-properly-on-udev-acti.patch | 44 ++++++++ ...warning-about-missing-proc-only-as-d.patch | 26 +++++ ...e-of-uninitialized-TPM2B_PUBLIC-data.patch | 36 ++++++ systemd.spec | 16 ++- 7 files changed, 314 insertions(+), 1 deletion(-) create mode 100644 1091-journal-again-create-user-journals-for-users-with-hi.patch create mode 100644 1092-install-don-t-translate-unit-instances-to-paths-when.patch create mode 100644 1093-test-systemctl-enable-fix-typo.patch create mode 100644 1094-udev-Handle-PTP-device-symlink-properly-on-udev-acti.patch create mode 100644 1095-systemctl-print-warning-about-missing-proc-only-as-d.patch create mode 100644 1096-repart-avoid-use-of-uninitialized-TPM2B_PUBLIC-data.patch diff --git a/1091-journal-again-create-user-journals-for-users-with-hi.patch b/1091-journal-again-create-user-journals-for-users-with-hi.patch new file mode 100644 index 0000000..d70d246 --- /dev/null +++ b/1091-journal-again-create-user-journals-for-users-with-hi.patch 
@@ -0,0 +1,61 @@ +From abe0be8631e7a07ff542442a4a7433ebdfc85b87 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Tue, 9 Jan 2024 11:28:04 +0100 +Subject: [PATCH] journal: again create user journals for users with high uids + +This effectively reverts a change in 115d5145a257c1a27330acf9f063b5f4d910ca4d +'journald: move uid_for_system_journal() to uid-alloc-range.h', which slipped +in an additional check of uid_is_container(uid). The problem is that that change +is not backwards-compatible at all and very hard for users to handle. +There is no common agreement on mappings of high-range uids. Systemd declares +ownership of a large range for container uids in https://systemd.io/UIDS-GIDS/, +but this is only a recent change and various sites allocated those ranges +in a different way, in particular FreeIPA uses (used?) uids from this range +for human users. On big sites with lots of users changing uids is obviously a +hard problem. We generally assume that uids cannot be "freed" and/or changed +and/or reused safely, so we shouldn't demand the same from others. + +This is somewhat similar to the situation with SYSTEM_ALLOC_UID_MIN / +SYSTEM_UID_MAX, which we tried to define to a fixed value in our code, causing +huge problems for existing systems with were created with a different +definition and couldn't be easily updated. For that case, we added a +configuration time switch and we now parse /etc/login.defs to actually use the +value that is appropriate for the local system. + +Unfortunately, login.defs doesn't have a concept of container allocation ranges +(and we don't have code to parse and use those nonexistent names either), so we +can't tell users to adjust logind.defs to work around the changed definition. + +login.defs has SUB_UID_{MIN,MAX}, but those aren't really the same thing, +because they are used to define where the add allocations for subuids, which is +generally a much smaller range. 
Maybe we should talk with other folks about +the appropriate allocation ranges and define some new settings in login.defs. +But this would require discussion and coordination with other projects first. + +Actualy, it seems that this change was needed at all. The code in the container +does not log to the outside journal. It talks to its own journald, which does +journal splitting using its internal logic based on shifted uids. So let's +revert the change to fix user systems. + +Fixes https://bugzilla.redhat.com/show_bug.cgi?id=2251843. + +Upstream PR: https://github.com/systemd/systemd/pull/30846 + +rhel-only: bugfix + +Resolves: RHEL-70103 +--- + src/basic/uid-alloc-range.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/basic/uid-alloc-range.c b/src/basic/uid-alloc-range.c +index 8b3741e438..507ca8a17e 100644 +--- a/src/basic/uid-alloc-range.c ++++ b/src/basic/uid-alloc-range.c +@@ -127,5 +127,5 @@ bool uid_for_system_journal(uid_t uid) { + + /* Returns true if the specified UID shall get its data stored in the system journal. */ + +- return uid_is_system(uid) || uid_is_dynamic(uid) || uid == UID_NOBODY || uid_is_container(uid); ++ return uid_is_system(uid) || uid_is_dynamic(uid) || uid == UID_NOBODY; + } diff --git a/1092-install-don-t-translate-unit-instances-to-paths-when.patch b/1092-install-don-t-translate-unit-instances-to-paths-when.patch new file mode 100644 index 0000000..977ac0e --- /dev/null +++ b/1092-install-don-t-translate-unit-instances-to-paths-when.patch 
@@ -0,0 +1,105 @@ +From e60e2e0344001483c85424698546e9465614befb Mon Sep 17 00:00:00 2001 +From: Frantisek Sumsal +Date: Wed, 6 Dec 2023 16:24:21 +0100 +Subject: [PATCH] install: don't translate unit instances to paths when + reenabling them +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +For unit instances install_info_discover() returns path to the template, +which then generates confusing errors when passed to +do_unit_file_enable(): + +~# build/systemctl --root=/tmp/systemctl-test.N9ysbz reenable templ1@two.service +Unit name: templ1@two.service; p: /etc/systemd/system/templ1@.service +Removed "/tmp/systemctl-test.N9ysbz/etc/systemd/system/services.target.wants/templ1@two.service". +Failed to reenable templ1@.service, destination unit services.target is a non-template unit. + +This can also be seen with a different reproducer using getty@.service +and a simple bind mount to / - there's no error this time, but it tries +to create a symlink for the default instance (from DefaultInstance=tty1), +which is also incorrect: + +~# SYSTEMD_LOG_LEVEL=debug systemctl --root /mnt/bindroot/ reenable getty@test.service +Symlink /mnt/bindroot/etc/systemd/system/getty.target.wants/getty@tty1.service → /usr/lib/systemd/system/getty@.service already exists + +Follow-up to: 29a7c59abbe +Resolves upstream issue #24740 + +(cherry picked from commit fe6e0cfa19dd1de4ac599ae207182fd556adcfa7) + +Resolves: RHEL-5956 +--- + src/shared/install.c | 2 +- + test/test-systemctl-enable.sh | 30 +++++++++++++++++++++++++++++- + 2 files changed, 30 insertions(+), 2 deletions(-) + +diff --git a/src/shared/install.c b/src/shared/install.c +index 8d4aa5ab2c..eaad368d1c 100644 +--- a/src/shared/install.c ++++ b/src/shared/install.c +@@ -2875,7 +2875,7 @@ static int normalize_linked_files( + return log_debug_errno(SYNTHETIC_ERRNO(EISDIR), + "Unexpected path to a directory \"%s\", refusing.", *a); + +- if (!is_path(*a)) { ++ if (!is_path(*a) && 
!unit_name_is_valid(*a, UNIT_NAME_INSTANCE)) { + r = install_info_discover(&ctx, lp, n, SEARCH_LOAD|SEARCH_FOLLOW_CONFIG_SYMLINKS, &i, NULL, NULL); + if (r < 0) + log_debug_errno(r, "Failed to discover unit \"%s\", operating on name: %m", n); +diff --git a/test/test-systemctl-enable.sh b/test/test-systemctl-enable.sh +index 7d5667f297..a0a183e92b 100644 +--- a/test/test-systemctl-enable.sh ++++ b/test/test-systemctl-enable.sh +@@ -97,7 +97,7 @@ test ! -e "$root/etc/systemd/system/test1-badalias.target" + test ! -e "$root/etc/systemd/system/test1-badalias.socket" + test -h "$root/etc/systemd/system/test1-goodalias2.service" + +-: '-------aliases in reeanble----------------------------------' ++: '-------aliases in reeanable----------------------------------' + ( ! "$systemctl" --root="$root" reenable test1 ) + test -h "$root/etc/systemd/system/default.target.wants/test1.service" + test ! -e "$root/etc/systemd/system/test1-goodalias.service" +@@ -246,6 +246,29 @@ islink "$root/etc/systemd/system/paths.target.wants/link1.path" "/link1.path" + islink "$root/etc/systemd/system/link1.path" "/link1.path" + islink "$root/etc/systemd/system/paths.target.wants/link1.path" "/link1.path" + ++: '-------link instance and enable-------------------------------------' ++cat >"$root/link-instance@.service" <"$root/link3.suffix" < +Date: Fri, 15 Dec 2023 16:01:35 +0100 +Subject: [PATCH] test-systemctl-enable: fix typo + +Follow-up for fe6e0cfa19dd1de4ac599ae207182fd556adcfa7. + +(cherry picked from commit 88cc9cc7bc0d12b2a424cc8e88fc8699efc3ed04) + +Related: RHEL-5956 +--- + test/test-systemctl-enable.sh | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/test/test-systemctl-enable.sh b/test/test-systemctl-enable.sh +index a0a183e92b..7d82c38613 100644 +--- a/test/test-systemctl-enable.sh ++++ b/test/test-systemctl-enable.sh +@@ -97,7 +97,7 @@ test ! -e "$root/etc/systemd/system/test1-badalias.target" + test ! 
-e "$root/etc/systemd/system/test1-badalias.socket" + test -h "$root/etc/systemd/system/test1-goodalias2.service" + +-: '-------aliases in reeanable----------------------------------' ++: '-------aliases in reenable----------------------------------' + ( ! "$systemctl" --root="$root" reenable test1 ) + test -h "$root/etc/systemd/system/default.target.wants/test1.service" + test ! -e "$root/etc/systemd/system/test1-goodalias.service" diff --git a/1094-udev-Handle-PTP-device-symlink-properly-on-udev-acti.patch b/1094-udev-Handle-PTP-device-symlink-properly-on-udev-acti.patch new file mode 100644 index 0000000..cdcb2f8 --- /dev/null +++ b/1094-udev-Handle-PTP-device-symlink-properly-on-udev-acti.patch 
@@ -0,0 +1,44 @@ +From b29215773c179d29cbd009fa5dbe608537842eee Mon Sep 17 00:00:00 2001 +From: Chengen Du +Date: Mon, 12 Aug 2024 11:41:52 +0800 +Subject: [PATCH] udev: Handle PTP device symlink properly on udev action + 'change' + +PTP device symlink creation rules are currently executed only when the +udev action is 'add'. If a user reloads the rules and runs the udevadm +trigger command to reapply changes, the symlink may be deleted, which +can prevent the chronyd service from restarting properly. + +Signed-off-by: Chengen Du +(cherry picked from commit 6bd12be3fa7761f190e17efdbdbff4440da7528b) + +Resolves: RHEL-59088 +--- + rules.d/50-udev-default.rules.in | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/rules.d/50-udev-default.rules.in b/rules.d/50-udev-default.rules.in +index ab29f6a17f..3543a0ee0d 100644 +--- a/rules.d/50-udev-default.rules.in ++++ b/rules.d/50-udev-default.rules.in +@@ -21,6 +21,9 @@ ENV{MODALIAS}!="", IMPORT{builtin}="hwdb --subsystem=$env{SUBSYSTEM}" + + SUBSYSTEM=="net", IMPORT{builtin}="net_driver" + ++SUBSYSTEM=="ptp", ATTR{clock_name}=="KVM virtual PTP", SYMLINK+="ptp_kvm" ++SUBSYSTEM=="ptp", ATTR{clock_name}=="hyperv", SYMLINK+="ptp_hyperv" ++ + ACTION!="add", GOTO="default_end" + + SUBSYSTEM=="tty", KERNEL=="ptmx", GROUP="tty", MODE="0666" +@@ -109,10 +112,6 @@ KERNEL=="vhost-net", GROUP="kvm", MODE="{{DEV_KVM_MODE}}", OPTIONS+="static_node + + KERNEL=="udmabuf", GROUP="kvm" + +-SUBSYSTEM=="ptp", ATTR{clock_name}=="KVM virtual PTP", SYMLINK += "ptp_kvm" +- +-SUBSYSTEM=="ptp", ATTR{clock_name}=="hyperv", SYMLINK += "ptp_hyperv" +- + SUBSYSTEM!="dmi", GOTO="dmi_end" + ENV{ID_SYS_VENDOR_IS_RUBBISH}!="1", ENV{ID_VENDOR}="$attr{sys_vendor}" + ENV{ID_SYSFS_ATTRIBUTE_MODEL}=="", ENV{ID_PRODUCT_NAME_IS_RUBBISH}!="1", ENV{ID_MODEL}="$attr{product_name}" 
diff --git a/1095-systemctl-print-warning-about-missing-proc-only-as-d.patch b/1095-systemctl-print-warning-about-missing-proc-only-as-d.patch new file mode 100644 index 0000000..e84f4ec --- /dev/null +++ b/1095-systemctl-print-warning-about-missing-proc-only-as-d.patch @@ -0,0 +1,26 @@ +From 79d0bc06110b46171990990afb5e1cdd56920324 Mon Sep 17 00:00:00 2001 +From: Michal Sekletar +Date: Mon, 6 Jan 2025 10:44:25 +0100 +Subject: [PATCH] systemctl: print warning about missing /proc only as debug + message + +rhel-only: bugfix + +Resolves: RHEL-3906 +--- + src/systemctl/systemctl.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/systemctl/systemctl.c b/src/systemctl/systemctl.c +index 3f2b0029ca..883a5b75f4 100644 +--- a/src/systemctl/systemctl.c ++++ b/src/systemctl/systemctl.c +@@ -1156,7 +1156,7 @@ static int run(int argc, char *argv[]) { + goto finish; + + if (proc_mounted() == 0) +- log_full(arg_no_warn ? LOG_DEBUG : LOG_WARNING, ++ log_full(LOG_DEBUG, + "%s%s/proc/ is not mounted. This is not a supported mode of operation. Please fix\n" + "your invocation environment to mount /proc/ and /sys/ properly. Proceeding anyway.\n" + "Your mileage may vary.", diff --git a/1096-repart-avoid-use-of-uninitialized-TPM2B_PUBLIC-data.patch b/1096-repart-avoid-use-of-uninitialized-TPM2B_PUBLIC-data.patch new file mode 100644 index 0000000..e362550 --- /dev/null +++ b/1096-repart-avoid-use-of-uninitialized-TPM2B_PUBLIC-data.patch 
@@ -0,0 +1,36 @@ +From 834137e727d27a0fa1247a5233db033a9074265b Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= +Date: Tue, 17 Oct 2023 16:45:52 +0100 +Subject: [PATCH] repart: avoid use of uninitialized TPM2B_PUBLIC data +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The 'TPM2B public' struct is only initialized if the public key +is non-NULL, however, it is unconditionally passed to +tpm2_calculate_sealing_policy, resulting in use of uninitialized +data. If the uninitialized data is lucky enough to be all zeroes, +this results eventually results in an error message from +tpm2_calculate_name about an unsupported nameAlg field value. + +Signed-off-by: Daniel P. Berrangé +(cherry picked from commit a3ad5c3140b941d3703c63c902e58f4e2d295829) + +Resolves: RHEL-56793 +--- + src/partition/repart.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/partition/repart.c b/src/partition/repart.c +index eeb31a6160..5db931e7bc 100644 +--- a/src/partition/repart.c ++++ b/src/partition/repart.c +@@ -3073,7 +3073,7 @@ static int partition_encrypt( + } + + TPM2B_DIGEST policy = TPM2B_DIGEST_MAKE(NULL, TPM2_SHA256_DIGEST_SIZE); +- r = tpm2_calculate_sealing_policy(arg_tpm2_hash_pcr_values, arg_tpm2_n_hash_pcr_values, &public, /* use_pin= */ false, &policy); ++ r = tpm2_calculate_sealing_policy(arg_tpm2_hash_pcr_values, arg_tpm2_n_hash_pcr_values, pubkey ? &public : NULL, /* use_pin= */ false, &policy); + if (r < 0) + return log_error_errno(r, "Could not calculate sealing policy digest: %m"); + diff --git a/systemd.spec b/systemd.spec index 1cec014..fef7596 100644 --- a/systemd.spec +++ b/systemd.spec @@ -21,7 +21,7 @@ Name: systemd Url: https://systemd.io Version: 252 -Release: 49%{?dist} +Release: 50%{?dist} # For a breakdown of the licensing, see README License: LGPLv2+ and MIT and GPLv2+ Summary: System and Service Manager 
@@ -1173,6 +1173,12 @@ Patch1087: 1087-hwdb-comment-out-the-entry-for-Logitech-MX-Keys-for-.patch Patch1088: 1088-60-sensor.hwdb-Loosen-model-mask-to-include-entire-s.patch Patch1089: 1089-Correct-ACCEL_MOUNT_MATRIX-for-Chuwi-Hi10-Max.patch Patch1090: 1090-hwdb-Add-macro-keys-for-HP-430-Programmable-Wireless.patch +Patch1091: 1091-journal-again-create-user-journals-for-users-with-hi.patch +Patch1092: 1092-install-don-t-translate-unit-instances-to-paths-when.patch +Patch1093: 1093-test-systemctl-enable-fix-typo.patch +Patch1094: 1094-udev-Handle-PTP-device-symlink-properly-on-udev-acti.patch +Patch1095: 1095-systemctl-print-warning-about-missing-proc-only-as-d.patch +Patch1096: 1096-repart-avoid-use-of-uninitialized-TPM2B_PUBLIC-data.patch # Downstream-only patches (9000–9999) @@ -2050,6 +2056,14 @@ systemd-hwdb update &>/dev/null || : %{_prefix}/lib/dracut/modules.d/70rhel-net-naming-sysattrs/* %changelog +* Tue Jan 14 2025 systemd maintenance team - 252-50 +- journal: again create user journals for users with high uids (RHEL-70103) +- install: don't translate unit instances to paths when reenabling them (RHEL-5956) +- test-systemctl-enable: fix typo (RHEL-5956) +- udev: Handle PTP device symlink properly on udev action 'change' (RHEL-59088) +- systemctl: print warning about missing /proc only as debug message (RHEL-3906) +- repart: avoid use of uninitialized TPM2B_PUBLIC data (RHEL-56793) + * Tue Jan 07 2025 systemd maintenance team - 252-49 - logind: tighten for which classes of sessions we do stop-on-idle (RHEL-24340) - Fix configuration for Packit 1.0.0 (RHEL-70884)
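Review bot: In 1091-journal-again-create-user-journals-for-users-with-hi.patch the commit message sentence "Actualy, it seems that this change was needed at all." contradicts the rest of the paragraph, which argues the uid_is_container() check was not needed because container code logs to its own journald; it should read "Actually, it seems that this change wasn't needed at all." Since this message is what future readers will use to understand why container-range uids are once again given per-user journals on RHEL, please fix the wording before it lands. The code change itself, dropping `uid_is_container(uid)` from the return in uid_for_system_journal(), matches the stated intent and the upstream PR reference.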
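Review bot: In 1092-install-don-t-translate-unit-instances-to-paths-when.patch the test-systemctl-enable.sh hunk replaces the label `'-------aliases in reeanble---'` with `'-------aliases in reeanable---'`, which is still misspelled; the intended word is "reenable". The follow-up 1093-test-systemctl-enable-fix-typo.patch corrects exactly this, so either fold that fix into this patch or keep both, but do not ship 1092 alone. Separately, the `@@ -246,6 +246,29 @@` hunk that adds the "link instance and enable" test is cut off in this copy (the `cat >"$root/link-instance@.service" <` heredocs have no body), so the 30-line test addition claimed in the diffstat cannot be reviewed from what is shown; please confirm the applied patch file is complete. The install.c change, adding `!unit_name_is_valid(*a, UNIT_NAME_INSTANCE)` to the guard, is consistent with the described problem of install_info_discover() returning the template path for an instance name.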
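Review bot: In 1094-udev-Handle-PTP-device-symlink-properly-on-udev-acti.patch the two `SUBSYSTEM=="ptp"` rules are moved above `ACTION!="add", GOTO="default_end"`, so they now run for every action on the ptp subsystem, not just 'add' and 'change'. That is harmless (a SYMLINK+= on 'remove' has nothing to act on, and the ATTR{clock_name} match fails once the device is gone), but the reason the rules sit in that position is not obvious from the file, and the next person reordering 50-udev-default.rules.in may move them back below the GOTO and reintroduce the chronyd failure described in the commit message. Please add a one-line comment above the rules stating that they must apply on 'change' so that `udevadm trigger` does not drop the /dev/ptp_kvm and /dev/ptp_hyperv symlinks. The whitespace change from `SYMLINK += "..."` to `SYMLINK+="..."` is a welcome normalization.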
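Review bot: In 1095-systemctl-print-warning-about-missing-proc-only-as-d.patch the change from `log_full(arg_no_warn ? LOG_DEBUG : LOG_WARNING,` to `log_full(LOG_DEBUG,` makes the log level unconditional, so `arg_no_warn` is no longer consulted at this call site; please check that the variable still has other users in systemctl.c, otherwise it becomes dead state. More importantly, the message text still says "This is not a supported mode of operation" and "Your mileage may vary", yet it is now only visible with debug logging, so an administrator running systemctl in a container or chroot without /proc loses the only hint that later failures stem from the environment. The commit message gives no rationale beyond "rhel-only: bugfix"; please state in the message which RHEL-3906 scenario produced the unwanted warning and why downgrading it for everyone (rather than only when --no-warn is given) is the right trade-off.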
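Review bot: In 1096-repart-avoid-use-of-uninitialized-TPM2B_PUBLIC-data.patch the new call `tpm2_calculate_sealing_policy(..., pubkey ? &public : NULL, ...)` fixes the undefined-behaviour read the commit message describes, but it relies on tpm2_calculate_sealing_policy() accepting a NULL public-key pointer, which this hunk does not show; please confirm that contract or reference the check in the commit message. As a belt-and-braces measure, initializing `public` at its declaration (a zeroed `TPM2B_PUBLIC`) would guarantee the struct is never indeterminate even if a future caller passes it unconditionally again; the current fix only guards this one call site. The symptom noted in the message (tpm2_calculate_name failing on an unsupported nameAlg when the garbage happens to be zero) is a good illustration of why uninitialized TPM structures should never reach a policy computation, since a non-zero garbage value could instead produce a silently wrong sealing policy digest.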