From 98ea23b9aca78e9025d80405ea16bcb4e3fa844f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Mon, 5 Mar 2018 22:31:56 +0100 Subject: [PATCH] Update to v238 --- ...on-t-install-BLS-kernel-images-if-de.patch | 33 ------ sources | 2 +- systemd-typecast-usbids.patch | 26 ---- systemd.spec | 27 ++--- triggers.systemd | 112 ++++++++++++++++-- 5 files changed, 115 insertions(+), 85 deletions(-) delete mode 100644 0999-kernel-install-Don-t-install-BLS-kernel-images-if-de.patch delete mode 100644 systemd-typecast-usbids.patch diff --git a/0999-kernel-install-Don-t-install-BLS-kernel-images-if-de.patch b/0999-kernel-install-Don-t-install-BLS-kernel-images-if-de.patch deleted file mode 100644 index c26ec4f..0000000 --- a/0999-kernel-install-Don-t-install-BLS-kernel-images-if-de.patch +++ /dev/null @@ -1,33 +0,0 @@ -From cc3fa810197881a48c3fa8a1e6a1f97f5c251581 Mon Sep 17 00:00:00 2001 -From: Javier Martinez Canillas -Date: Tue, 27 Feb 2018 21:18:55 +0100 -Subject: [PATCH 1/1] kernel-install: Don't install BLS kernel images if dest - dir doesn't exist - -The script shouldn't rely on a previous script exiting with a status code -that prevents it to be executed. Instead, should check if the destination -directory for the BLS kernel image exists and exit otherwise. - -Signed-off-by: Javier Martinez Canillas ---- - src/kernel-install/90-loaderentry.install | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/src/kernel-install/90-loaderentry.install b/src/kernel-install/90-loaderentry.install -index 305ea8f5c97f..a271cdb8a03e 100644 ---- a/src/kernel-install/90-loaderentry.install -+++ b/src/kernel-install/90-loaderentry.install -@@ -11,6 +11,10 @@ if ! [[ $KERNEL_INSTALL_MACHINE_ID ]]; then - exit 0 - fi - -+if ! [[ -d "$BOOT_DIR_ABS" ]]; then -+ exit 0 -+fi -+ - MACHINE_ID=$KERNEL_INSTALL_MACHINE_ID - - BOOT_DIR="/$MACHINE_ID/$KERNEL_VERSION" --- -2.14.3 - diff --git a/sources b/sources index df48775..9b3646e 100644 --- a/sources 
+++ b/sources @@ -1 +1 @@ -SHA512 (systemd-84c8da5.tar.gz) = 0d46bde746afb2678dfe2ce803091f7c30517db35532256e18a960996689cfcbf3e5391a16752093e2fb3594313771056d7cc16ee0f0c0ab4d170c28466dbb3c +SHA512 (systemd-238.tar.gz) = c0f272b022308d3bd94679184e102a8dc85de55310bda205a458ea33c77c7733e5c8c8e5b15f786ba3e0ce59e7c6a9bf0d5a0950517c6b91e0f345950129b9c8 diff --git a/systemd-typecast-usbids.patch b/systemd-typecast-usbids.patch deleted file mode 100644 index 1ccd3ed..0000000 --- a/systemd-typecast-usbids.patch +++ /dev/null @@ -1,26 +0,0 @@ -From 68b2813a0b6dcf8ff8f8eb36aa225ae90661e67e Mon Sep 17 00:00:00 2001 -From: Fedora systemd team -Date: Thu, 22 Feb 2018 12:45:31 +0100 -Subject: [PATCH] Typecast USB IDs - -Signed-off-by: Fedora systemd team ---- - src/udev/udev-builtin-hwdb.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/udev/udev-builtin-hwdb.c b/src/udev/udev-builtin-hwdb.c -index ca7f7c2..d3556e4 100644 ---- a/src/udev/udev-builtin-hwdb.c -+++ b/src/udev/udev-builtin-hwdb.c -@@ -77,7 +77,7 @@ static const char *modalias_usb(struct udev_device *dev, char *s, size_t size) { - pn = strtol(p, NULL, 16); - if (pn <= 0) - return NULL; -- snprintf(s, size, "usb:v%04Xp%04X*", vn, pn); -+ snprintf(s, size, "usb:v%04Xp%04X*", (uint16_t)vn, (uint16_t)pn); - return s; - } - --- -2.16.2 - diff --git a/systemd.spec b/systemd.spec index fcc8ab0..73ff869 100644 --- a/systemd.spec +++ b/systemd.spec @@ -1,4 +1,4 @@ -%global gitcommit 84c8da5ed92282f8ef51d5d4f8e1630c37fef3e9 +#global gitcommit 10e465b5321bd53c1fc59ffab27e724535c6bc0f %{?gitcommit:%global gitcommitshort %(c=%{gitcommit}; echo ${c:0:7})} # We ship a .pc file but don't want to have a dep on pkg-config. We 
@@ -12,8 +12,8 @@ Name: systemd Url: http://www.freedesktop.org/wiki/Software/systemd -Version: 237 -Release: 7%{?gitcommit:.git%{gitcommitshort}}%{?dist} +Version: 238 +Release: 1%{?gitcommit:.git%{gitcommitshort}}%{?dist} # For a breakdown of the licensing, see README License: LGPLv2+ and MIT and GPLv2+ Summary: System and Service Manager @@ -48,10 +48,7 @@ i=1; for j in 00*patch; do printf "Patch%04d: %s\n" $i $j; i=$((i+1));done| GIT_DIR=../../src/systemd/.git git diffab -M v233..master@{2017-06-15} -- hwdb/[67]* hwdb/parse_hwdb.py > hwdb.patch %endif -Patch1: systemd-typecast-usbids.patch - Patch0998: 0998-resolved-create-etc-resolv.conf-symlink-at-runtime.patch -Patch0999: 0999-kernel-install-Don-t-install-BLS-kernel-images-if-de.patch %global num_patches %{lua: c=0; for i,p in ipairs(patches) do c=c+1; end; print(c);} @@ -324,6 +321,8 @@ CONFIGURE_OPTS=( -Dusers-gid=100 -Dnobody-user=nobody -Dnobody-group=nobody + -Dsplit-usr=false + -Dsplit-bin=true -Db_lto=false ) @@ -342,16 +341,6 @@ fi mkdir -p %{buildroot}/%{_sbindir} ln -sf ../bin/udevadm %{buildroot}%{_sbindir}/udevadm -# Create SysV compatibility symlinks. systemctl/systemd are smart -# enough to detect in which way they are called. -ln -s ../lib/systemd/systemd %{buildroot}%{_sbindir}/init -ln -s ../bin/systemctl %{buildroot}%{_sbindir}/reboot -ln -s ../bin/systemctl %{buildroot}%{_sbindir}/halt -ln -s ../bin/systemctl %{buildroot}%{_sbindir}/poweroff -ln -s ../bin/systemctl %{buildroot}%{_sbindir}/shutdown -ln -s ../bin/systemctl %{buildroot}%{_sbindir}/telinit -ln -s ../bin/systemctl %{buildroot}%{_sbindir}/runlevel - # Compatiblity and documentation files touch %{buildroot}/etc/crypttab chmod 600 %{buildroot}/etc/crypttab 
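Review bot: Patch0999 (the `-d "$BOOT_DIR_ABS"` guard for 90-loaderentry.install) is dropped together with Patch1, but neither the spec nor the changelog records that v238 carries an upstream equivalent; if it does not, kernel-install regains exactly the behaviour that patch's subject describes. A changelog line such as `- Drop systemd-typecast-usbids.patch and 0999-kernel-install-*.patch, superseded by v238` would make the intent checkable at the next rebase. The removal of the /usr/sbin init/halt/poweroff/reboot/shutdown/telinit/runlevel symlinks in the later hunk presumably relies on the upstream install step creating them under the new `-Dsplit-bin=true`; worth confirming that the generated %files lists still ship them, since a missing /sbin/init shows up as a boot failure rather than a build failure.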
@@ -712,6 +701,12 @@ fi %files tests -f .file-list-tests %changelog +* Mon Mar 5 2018 Zbigniew Jędrzejewski-Szmek - 238-1 +- Update to latest version +- This fixes a hard-to-trigger potential vulnerability (CVE-2018-6954) +- New transfiletriggers are installed for udev hwdb and rules, the journal + catalog, sysctl.d, binfmt.d, sysusers.d, tmpfiles.d. + * Tue Feb 27 2018 Javier Martinez Canillas - 234-7.git84c8da5 - Add patch to install kernel images for GRUB BootLoaderSpec support diff --git a/triggers.systemd b/triggers.systemd index 6640c47..e76e269 100644 --- a/triggers.systemd +++ b/triggers.systemd @@ -1,8 +1,10 @@ # -*- Mode: rpm-spec; indent-tabs-mode: nil -*- */ +# SPDX-License-Identifier: LGPL-2.1+ # # This file is part of systemd. # # Copyright 2015 Zbigniew Jędrzejewski-Szmek +# Copyright 2018 Neal Gompa # # systemd is free software; you can redistribute it and/or modify it # under the terms of the GNU Lesser General Public License as published by @@ -18,6 +20,8 @@ # along with systemd; If not, see . # The contents of this are an example to be copied into systemd.spec. +# +# Minimum rpm version supported: 4.13.0 %transfiletriggerin -P 900900 -p -- /usr/lib/systemd/system /etc/systemd/system -- This script will run after any package is initially installed or @@ -25,11 +29,13 @@ -- installed, because other cases are covered by the *un scriptlets, -- so sometimes we will reload needlessly. -pid = posix.fork() -if pid == 0 then - assert(posix.exec("%{_bindir}/systemctl", "daemon-reload")) -elseif pid > 0 then - posix.wait(pid) +if posix.access("/run/systemd/system") then + pid = posix.fork() + if pid == 0 then + assert(posix.exec("%{_bindir}/systemctl", "daemon-reload")) + elseif pid > 0 then + posix.wait(pid) + end end %transfiletriggerun -p -- /usr/lib/systemd/system /etc/systemd/system 
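Review bot: `pid = posix.fork()` in the guarded daemon-reload block assigns a global, and rpm's embedded Lua state is, to my knowledge, shared by every scriptlet in the transaction, so the value leaks from one trigger into the next; `local pid = posix.fork()` keeps it scoped. The block also has no branch for fork failure: as far as I recall rpm's `posix.fork` returns nil plus an error string rather than -1, in which case `elseif pid > 0` raises a comparison error instead of skipping the reload, so an explicit `elseif pid == nil then` branch (or checking `pid` before the comparisons) would make that path deliberate. Both points apply identically to the seven trigger bodies added in the final triggers.systemd hunk.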
@@ -46,10 +52,12 @@ end -- file in %transfiletriggerun and execute the daemon-reload in -- the first %filetriggerpostun. -posix.mkdir("%{_localstatedir}/lib") -posix.mkdir("%{_localstatedir}/lib/rpm-state") -posix.mkdir("%{_localstatedir}/lib/rpm-state/systemd") -io.open("%{_localstatedir}/lib/rpm-state/systemd/needs-reload", "w") +if posix.access("/run/systemd/system") then + posix.mkdir("%{_localstatedir}/lib") + posix.mkdir("%{_localstatedir}/lib/rpm-state") + posix.mkdir("%{_localstatedir}/lib/rpm-state/systemd") + io.open("%{_localstatedir}/lib/rpm-state/systemd/needs-reload", "w") +end %filetriggerpostun -P 1000100 -p -- /usr/lib/systemd/system /etc/systemd/system if posix.access("%{_localstatedir}/lib/rpm-state/systemd/needs-reload") then 
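Review bot: `io.open(..., "w")` on the needs-reload marker still discards its result, so the handle is never closed and a nil return (an unwritable %{_localstatedir}, or one of the preceding unchecked `posix.mkdir` calls having failed) silently drops the pending daemon-reload that the %filetriggerpostun below relies on. Replacing that line with `local f = io.open("%{_localstatedir}/lib/rpm-state/systemd/needs-reload", "w")` followed by `if f then f:close() end` closes the handle promptly and gives a place to report the failure. The consuming %filetriggerpostun scriptlet continues outside the hunk.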
@@ -62,3 +70,89 @@ if posix.access("%{_localstatedir}/lib/rpm-state/systemd/needs-reload") then posix.wait(pid) end end + +%transfiletriggerin -P 100700 -p -- /usr/lib/sysusers.d +-- This script will process files installed in /usr/lib/sysusers.d to create +-- specified users automatically. The priority is set such that it +-- will run before the tmpfiles file trigger. +if posix.access("/run/systemd/system") then + pid = posix.fork() + if pid == 0 then + assert(posix.exec("%{_bindir}/systemd-sysusers")) + elseif pid > 0 then + posix.wait(pid) + end +end + +%transfiletriggerin -P 100500 -- /usr/lib/tmpfiles.d +-- This script will process files installed in /usr/lib/tmpfiles.d to create +-- tmpfiles automatically. The priority is set such that it will run +-- after the sysusers file trigger, but before any other triggers. +if posix.access("/run/systemd/system") then + pid = posix.fork() + if pid == 0 then + assert(posix.exec("%{_bindir}/systemd-tmpfiles", "--create")) + elseif pid > 0 then + posix.wait(pid) + end +end + +%transfiletriggerin -- /usr/lib/udev/hwdb.d +-- This script will automatically invoke hwdb update if files have been +-- installed or updated in /usr/lib/udev/hwdb.d. +if posix.access("/run/systemd/system") then + pid = posix.fork() + if pid == 0 then + assert(posix.exec("%{_bindir}/systemd-hwdb", "update")) + elseif pid > 0 then + posix.wait(pid) + end +end + +%transfiletriggerin -- /usr/lib/systemd/catalog +-- This script will automatically invoke journal catalog update if files +-- have been installed or updated in /usr/lib/systemd/catalog. +if posix.access("/run/systemd/system") then + pid = posix.fork() + if pid == 0 then + assert(posix.exec("%{_bindir}/journalctl", "--update-catalog")) + elseif pid > 0 then + posix.wait(pid) + end +end + +%transfiletriggerin -- /usr/lib/udev/rules.d +-- This script will automatically update udev with new rules if files +-- have been installed or updated in /usr/lib/udev/rules.d. 
+if posix.access("/run/systemd/system") then + pid = posix.fork() + if pid == 0 then + assert(posix.exec("%{_bindir}/udevadm", "control", "--reload")) + elseif pid > 0 then + posix.wait(pid) + end +end + +%transfiletriggerin -- /usr/lib/sysctl.d +-- This script will automatically apply sysctl rules if files have been +-- installed or updated in /usr/lib/sysctl.d. +if posix.access("/run/systemd/system") then + pid = posix.fork() + if pid == 0 then + assert(posix.exec("/usr/lib/systemd/systemd-sysctl")) + elseif pid > 0 then + posix.wait(pid) + end +end + +%transfiletriggerin -- /usr/lib/binfmt.d +-- This script will automatically apply binfmt rules if files have been +-- installed or updated in /usr/lib/binfmt.d. +if posix.access("/run/systemd/system") then + pid = posix.fork() + if pid == 0 then + assert(posix.exec("/usr/lib/systemd/systemd-binfmt")) + elseif pid > 0 then + posix.wait(pid) + end +end
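Review bot: Only the sysusers.d trigger header declares its interpreter with `-p`; the tmpfiles.d, udev/hwdb.d, systemd/catalog, udev/rules.d, sysctl.d and binfmt.d headers carry no `-p`, yet their bodies are the same Lua (`posix.access`, `posix.fork`, `posix.exec`), so rpm would hand them to the default shell and they would fail at first use instead of running the helper. Each header needs the interpreter, e.g. `%transfiletriggerin -P 100500 -p <lua> -- /usr/lib/tmpfiles.d`, and likewise for the five that follow it. The tmpfiles.d comment says it runs "before any other triggers", but those five later triggers use rpm's default priority, which as far as I recall is 1000000 with higher values running first, so they (and the 900900 daemon-reload trigger) would actually run before it; either give them explicit priorities or reword the comment. Note also that `posix.wait(pid)`'s status is discarded in every body, so a non-zero exit from systemd-sysusers or systemd-tmpfiles — the two that create the accounts and paths later units depend on — is never surfaced in the rpm output.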