rpms
/
systemd
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Update to v233

This commit is contained in:
Zbigniew Jędrzejewski-Szmek 2017-03-02 11:30:49 -05:00
parent 4877912f6e
commit bb41272694
65 changed files with 47 additions and 8513 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
0001-build-sys-link-test-seccomp-against-seccomp-libs-456.patch
View File

@ -1,28 +0,0 @@
From 55edef4fb8c4c0b6536ad824ef05ce412a701c6a Mon Sep 17 00:00:00 2001
From: Martin Pitt <martin.pitt@ubuntu.com>
Date: Thu, 3 Nov 2016 23:15:33 +0200
Subject: [PATCH] build-sys: link test-seccomp against seccomp libs (#4560)
Fixes build error on recent toolchains:
../src/test/test-seccomp.c:35: error: undefined reference to 'seccomp_arch_native'
collect2: error: ld returned 1 exit status
(cherry picked from commit e2df6e90b239cbc1d14f5e63a9ba3abb08a2e787)
---
Makefile.am | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/Makefile.am b/Makefile.am
index f7652c2346..f2d8bf57f7 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -2038,7 +2038,8 @@ test_seccomp_SOURCES = \
src/test/test-seccomp.c
test_seccomp_LDADD = \
- libsystemd-shared.la
+ libsystemd-shared.la \
+ $(SECCOMP_LIBS)
test_namespace_LDADD = \
libcore.la

35
0002-kernel-install-use-exit-instead-of-return-4565.patch
View File

@ -1,35 +0,0 @@
From a9facbdf54ed3397365f1f4203afa4f606ce7234 Mon Sep 17 00:00:00 2001
From: Yu Watanabe <watanabe.yu+github@gmail.com>
Date: Fri, 4 Nov 2016 21:58:41 +0900
Subject: [PATCH] kernel-install: use exit instead of return (#4565)
/bin/kernel-install: line 143: return: can only `return' from a function or sourced script
https://bugzilla.redhat.com/show_bug.cgi?id=1391829
(cherry picked from commit 9156493171cf2d78e1ac1a3746c385b0e281acf1)
---
src/kernel-install/kernel-install | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/kernel-install/kernel-install b/src/kernel-install/kernel-install
index 0c0ee718ac..a95b9717f0 100644
--- a/src/kernel-install/kernel-install
+++ b/src/kernel-install/kernel-install
@@ -127,7 +127,7 @@ case $COMMAND in
"$f" add "$KERNEL_VERSION" "$BOOT_DIR_ABS" "$KERNEL_IMAGE"
x=$?
if [[ $x == $SKIP_REMAINING ]]; then
- return 0
+ exit 0
fi
((ret+=$x))
fi
@@ -140,7 +140,7 @@ case $COMMAND in
"$f" remove "$KERNEL_VERSION" "$BOOT_DIR_ABS"
x=$?
if [[ $x == $SKIP_REMAINING ]]; then
- return 0
+ exit 0
fi
((ret+=$x))
fi

30
0003-nspawn-fix-exit-code-for-help-and-version-4609.patch
View File

@ -1,30 +0,0 @@
From 045473ceb4999997f44fd1e4e1a3e5530b6fb828 Mon Sep 17 00:00:00 2001
From: Martin Pitt <martin.pitt@ubuntu.com>
Date: Tue, 8 Nov 2016 05:31:55 +0100
Subject: [PATCH] nspawn: fix exit code for --help and --version (#4609)
Commit b006762 inverted the initial exit code which is relevant for --help and
--version without a particular reason. For these special options, parse_argv()
returns 0 so that our main() immediately skips to the end without adjusting
"ret". Otherwise, if an actual container is being started, ret is set on error
in run(), which still provides the "non-zero exit on error" behaviour.
Fixes #4605.
(cherry picked from commit cfed63f60dd7412c199652825ed172c319b02b3c)
---
src/nspawn/nspawn.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
index c56af6e6f4..c8fc011907 100644
--- a/src/nspawn/nspawn.c
+++ b/src/nspawn/nspawn.c
@@ -4033,7 +4033,7 @@ int main(int argc, char *argv[]) {
bool root_device_rw = true, home_device_rw = true, srv_device_rw = true;
_cleanup_close_ int master = -1, image_fd = -1;
_cleanup_fdset_free_ FDSet *fds = NULL;
- int r, n_fd_passed, loop_nr = -1, ret = EXIT_FAILURE;
+ int r, n_fd_passed, loop_nr = -1, ret = EXIT_SUCCESS;
char veth_name[IFNAMSIZ] = "";
bool secondary = false, remove_subvol = false;
pid_t pid = 0;

37
0004-core-don-t-use-the-unified-hierarchy-for-the-systemd.patch
View File

@ -1,37 +0,0 @@
From fb36bef4e4884a62b70cd98f7d2d52abf8091106 Mon Sep 17 00:00:00 2001
From: Martin Pitt <martin.pitt@ubuntu.com>
Date: Thu, 10 Nov 2016 05:33:13 +0100
Subject: [PATCH] core: don't use the unified hierarchy for the systemd cgroup
yet (#4628)
Too many things don't get along with the unified hierarchy yet:
* https://github.com/opencontainers/runc/issues/1175
* https://github.com/docker/docker/issues/28109
* https://github.com/lxc/lxc/issues/1280
So revert the default to the legacy hierarchy for now. Developers of the above
software can opt into the unified hierarchy with
"systemd.legacy_systemd_cgroup_controller=0".
(cherry picked from commit 843d5baf6aad6c53fc00ea8d95d83209a4f92de1)
---
src/basic/cgroup-util.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/basic/cgroup-util.c b/src/basic/cgroup-util.c
index cede835920..134e6e3664 100644
--- a/src/basic/cgroup-util.c
+++ b/src/basic/cgroup-util.c
@@ -2423,10 +2423,10 @@ bool cg_is_unified_systemd_controller_wanted(void) {
r = get_proc_cmdline_key("systemd.legacy_systemd_cgroup_controller=", &value);
if (r < 0)
- return true;
+ return false;
if (r == 0)
- wanted = true;
+ wanted = false;
else
wanted = parse_boolean(value) <= 0;
}

332
0005-core-make-RootDirectory-and-ProtectKernelModules-wor.patch
View File

@ -1,332 +0,0 @@
From d14d851c73c1fecbf361db94c48156e02d61c4e8 Mon Sep 17 00:00:00 2001
From: Djalal Harouni <tixxdz@opendz.org>
Date: Sun, 6 Nov 2016 22:51:49 +0100
Subject: [PATCH] core: make RootDirectory= and ProtectKernelModules= work
Instead of having two fields inside BindMount struct where one is stack
based and the other one is heap, use one field to store the full path
and updated it when we chase symlinks. This way we avoid dealing with
both at the same time.
This makes RootDirectory= work with ProtectHome= and ProtectKernelModules=yes
Fixes: https://github.com/systemd/systemd/issues/4567
(cherry picked from commit f0a4feb0a5318e52107b0df63997a9b13f5be668)
---
src/core/namespace.c | 142 +++++++++++++++++++++++++++++++--------------------
1 file changed, 86 insertions(+), 56 deletions(-)
diff --git a/src/core/namespace.c b/src/core/namespace.c
index 1195e9a854..c45c120193 100644
--- a/src/core/namespace.c
+++ b/src/core/namespace.c
@@ -58,8 +58,7 @@ typedef enum MountMode {
} MountMode;
typedef struct BindMount {
- const char *path; /* stack memory, doesn't need to be freed explicitly */
- char *chased; /* malloc()ed memory, needs to be freed */
+ char *path;
MountMode mode;
bool ignore; /* Ignore if path does not exist */
} BindMount;
@@ -155,12 +154,27 @@ static const TargetMount protect_system_strict_table[] = {
{ "/root", READWRITE, true }, /* ProtectHome= */
};
-static void set_bind_mount(BindMount **p, const char *path, MountMode mode, bool ignore) {
+static void set_bind_mount(BindMount **p, char *path, MountMode mode, bool ignore) {
(*p)->path = path;
(*p)->mode = mode;
(*p)->ignore = ignore;
}
+static int append_one_mount(BindMount **p, const char *root_directory,
+ const char *path, MountMode mode, bool ignore) {
+ char *lpath;
+ assert(p);
+
+ lpath = prefix_root(root_directory, path);
+ if (!lpath)
+ return -ENOMEM;
+
+ set_bind_mount(p, lpath, mode, ignore);
+ (*p)++;
+
+ return 0;
+}
+
static int append_mounts(BindMount **p, char **strv, MountMode mode) {
char **i;
@@ -168,6 +182,7 @@ static int append_mounts(BindMount **p, char **strv, MountMode mode) {
STRV_FOREACH(i, strv) {
bool ignore = false;
+ char *path;
if (IN_SET(mode, INACCESSIBLE, READONLY, READWRITE) && startswith(*i, "-")) {
(*i)++;
@@ -177,7 +192,11 @@ static int append_mounts(BindMount **p, char **strv, MountMode mode) {
if (!path_is_absolute(*i))
return -EINVAL;
- set_bind_mount(p, *i, mode, ignore);
+ path = strdup(*i);
+ if (!path)
+ return -ENOMEM;
+
+ set_bind_mount(p, path, mode, ignore);
(*p)++;
}
@@ -196,7 +215,11 @@ static int append_target_mounts(BindMount **p, const char *root_directory, const
* declaration we do not support "-" at the beginning.
*/
const TargetMount *m = &mounts[i];
- const char *path = prefix_roota(root_directory, m->path);
+ char *path;
+
+ path = prefix_root(root_directory, m->path);
+ if (!path)
+ return -ENOMEM;
if (!path_is_absolute(path))
return -EINVAL;
@@ -309,6 +332,7 @@ static void drop_duplicates(BindMount *m, unsigned *n) {
* above. */
if (previous && path_equal(f->path, previous->path)) {
log_debug("%s is duplicate.", f->path);
+ f->path = mfree(f->path);
continue;
}
@@ -336,6 +360,7 @@ static void drop_inaccessible(BindMount *m, unsigned *n) {
* it, as inaccessible paths really should drop the entire subtree. */
if (clear && path_startswith(f->path, clear)) {
log_debug("%s is masked by %s.", f->path, clear);
+ f->path = mfree(f->path);
continue;
}
@@ -375,6 +400,7 @@ static void drop_nop(BindMount *m, unsigned *n) {
/* We found it, let's see if it's the same mode, if so, we can drop this entry */
if (found && p->mode == f->mode) {
log_debug("%s is redundant by %s", f->path, p->path);
+ f->path = mfree(f->path);
continue;
}
}
@@ -401,6 +427,7 @@ static void drop_outside_root(const char *root_directory, BindMount *m, unsigned
if (!path_startswith(f->path, root_directory)) {
log_debug("%s is outside of root directory.", f->path);
+ f->path = mfree(f->path);
continue;
}
@@ -652,18 +679,21 @@ static int chase_all_symlinks(const char *root_directory, BindMount *m, unsigned
* can't resolve the path, and which have been marked for such removal. */
for (f = m, t = m; f < m+*n; f++) {
-
- r = chase_symlinks(f->path, root_directory, &f->chased);
- if (r == -ENOENT && f->ignore) /* Doesn't exist? Then remove it! */
+ _cleanup_free_ char *chased = NULL;
+ r = chase_symlinks(f->path, root_directory, &chased);
+ if (r == -ENOENT && f->ignore) {
+ /* Doesn't exist? Then remove it! */
+ f->path = mfree(f->path);
continue;
+ }
if (r < 0)
return log_debug_errno(r, "Failed to chase symlinks for %s: %m", f->path);
- if (path_equal(f->path, f->chased))
- f->chased = mfree(f->chased);
- else {
- log_debug("Chased %s → %s", f->path, f->chased);
- f->path = f->chased;
+ if (!path_equal(f->path, chased)) {
+ log_debug("Chased %s → %s", f->path, chased);
+ r = free_and_strdup(&f->path, chased);
+ if (r < 0)
+ return r;
}
*t = *f;
@@ -724,96 +754,96 @@ int setup_namespace(
BindMount *m, *mounts = NULL;
bool make_slave = false;
- unsigned n;
+ unsigned n_mounts;
int r = 0;
if (mount_flags == 0)
mount_flags = MS_SHARED;
- n = namespace_calculate_mounts(ns_info,
- read_write_paths,
- read_only_paths,
- inaccessible_paths,
- tmp_dir, var_tmp_dir,
- protect_home, protect_system);
+ n_mounts = namespace_calculate_mounts(ns_info,
+ read_write_paths,
+ read_only_paths,
+ inaccessible_paths,
+ tmp_dir, var_tmp_dir,
+ protect_home, protect_system);
/* Set mount slave mode */
- if (root_directory || n > 0)
+ if (root_directory || n_mounts > 0)
make_slave = true;
- if (n > 0) {
- m = mounts = (BindMount *) alloca0(n * sizeof(BindMount));
+ if (n_mounts > 0) {
+ m = mounts = (BindMount *) alloca0(n_mounts * sizeof(BindMount));
r = append_mounts(&m, read_write_paths, READWRITE);
if (r < 0)
- return r;
+ goto finish;
r = append_mounts(&m, read_only_paths, READONLY);
if (r < 0)
- return r;
+ goto finish;
r = append_mounts(&m, inaccessible_paths, INACCESSIBLE);
if (r < 0)
- return r;
+ goto finish;
if (tmp_dir) {
- m->path = prefix_roota(root_directory, "/tmp");
- m->mode = PRIVATE_TMP;
- m++;
+ r = append_one_mount(&m, root_directory, "/tmp", PRIVATE_TMP, false);
+ if (r < 0)
+ goto finish;
}
if (var_tmp_dir) {
- m->path = prefix_roota(root_directory, "/var/tmp");
- m->mode = PRIVATE_VAR_TMP;
- m++;
+ r = append_one_mount(&m, root_directory, "/var/tmp", PRIVATE_VAR_TMP, false);
+ if (r < 0)
+ goto finish;
}
if (ns_info->private_dev) {
- m->path = prefix_roota(root_directory, "/dev");
- m->mode = PRIVATE_DEV;
- m++;
+ r = append_one_mount(&m, root_directory, "/dev", PRIVATE_DEV, false);
+ if (r < 0)
+ goto finish;
}
if (ns_info->protect_kernel_tunables) {
r = append_protect_kernel_tunables(&m, root_directory);
if (r < 0)
- return r;
+ goto finish;
}
if (ns_info->protect_kernel_modules) {
r = append_protect_kernel_modules(&m, root_directory);
if (r < 0)
- return r;
+ goto finish;
}
if (ns_info->protect_control_groups) {
- m->path = prefix_roota(root_directory, "/sys/fs/cgroup");
- m->mode = READONLY;
- m++;
+ r = append_one_mount(&m, root_directory, "/sys/fs/cgroup", READONLY, false);
+ if (r < 0)
+ goto finish;
}
r = append_protect_home(&m, root_directory, protect_home);
if (r < 0)
- return r;
+ goto finish;
r = append_protect_system(&m, root_directory, protect_system);
if (r < 0)
- return r;
+ goto finish;
- assert(mounts + n == m);
+ assert(mounts + n_mounts == m);
/* Resolve symlinks manually first, as mount() will always follow them relative to the host's
* root. Moreover we want to suppress duplicates based on the resolved paths. This of course is a bit
* racy. */
- r = chase_all_symlinks(root_directory, mounts, &n);
+ r = chase_all_symlinks(root_directory, mounts, &n_mounts);
if (r < 0)
goto finish;
- qsort(mounts, n, sizeof(BindMount), mount_path_compare);
+ qsort(mounts, n_mounts, sizeof(BindMount), mount_path_compare);
- drop_duplicates(mounts, &n);
- drop_outside_root(root_directory, mounts, &n);
- drop_inaccessible(mounts, &n);
- drop_nop(mounts, &n);
+ drop_duplicates(mounts, &n_mounts);
+ drop_outside_root(root_directory, mounts, &n_mounts);
+ drop_inaccessible(mounts, &n_mounts);
+ drop_nop(mounts, &n_mounts);
}
if (unshare(CLONE_NEWNS) < 0) {
@@ -843,25 +873,25 @@ int setup_namespace(
}
}
- if (n > 0) {
+ if (n_mounts > 0) {
char **blacklist;
unsigned j;
/* First round, add in all special mounts we need */
- for (m = mounts; m < mounts + n; ++m) {
+ for (m = mounts; m < mounts + n_mounts; ++m) {
r = apply_mount(m, tmp_dir, var_tmp_dir);
if (r < 0)
goto finish;
}
/* Create a blacklist we can pass to bind_mount_recursive() */
- blacklist = newa(char*, n+1);
- for (j = 0; j < n; j++)
+ blacklist = newa(char*, n_mounts+1);
+ for (j = 0; j < n_mounts; j++)
blacklist[j] = (char*) mounts[j].path;
blacklist[j] = NULL;
/* Second round, flip the ro bits if necessary. */
- for (m = mounts; m < mounts + n; ++m) {
+ for (m = mounts; m < mounts + n_mounts; ++m) {
r = make_read_only(m, blacklist);
if (r < 0)
goto finish;
@@ -886,8 +916,8 @@ int setup_namespace(
r = 0;
finish:
- for (m = mounts; m < mounts + n; m++)
- free(m->chased);
+ for (m = mounts; m < mounts + n_mounts; m++)
+ free(m->path);
return r;
}

34
0006-nspawn-avoid-one-strdup-by-using-free_and_replace.patch
View File

@ -1,34 +0,0 @@
From d7270c1642fa81b34b266d33412a842edc42c64c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
Date: Mon, 7 Nov 2016 08:54:47 -0500
Subject: [PATCH] nspawn: avoid one strdup by using free_and_replace
(cherry picked from commit 49fedb4094b69d279095ef8ce8d9203161aed5d9)
---
src/core/namespace.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/core/namespace.c b/src/core/namespace.c
index c45c120193..524416ecbd 100644
--- a/src/core/namespace.c
+++ b/src/core/namespace.c
@@ -678,8 +678,9 @@ static int chase_all_symlinks(const char *root_directory, BindMount *m, unsigned
* chase the symlinks on our own first. This call wil do so for all entries and remove all entries where we
* can't resolve the path, and which have been marked for such removal. */
- for (f = m, t = m; f < m+*n; f++) {
+ for (f = m, t = m; f < m + *n; f++) {
_cleanup_free_ char *chased = NULL;
+
r = chase_symlinks(f->path, root_directory, &chased);
if (r == -ENOENT && f->ignore) {
/* Doesn't exist? Then remove it! */
@@ -691,7 +692,7 @@ static int chase_all_symlinks(const char *root_directory, BindMount *m, unsigned
if (!path_equal(f->path, chased)) {
log_debug("Chased %s → %s", f->path, chased);
- r = free_and_strdup(&f->path, chased);
+ r = free_and_replace(f->path, chased);
if (r < 0)
return r;
}

60
0007-nspawn-slight-simplification.patch
View File

@ -1,60 +0,0 @@
From ff699dcd6f4e665119afa7ac0a9446907d02c966 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
Date: Mon, 7 Nov 2016 08:57:30 -0500
Subject: [PATCH] nspawn: slight simplification
(cherry picked from commit 46c3230dd0985062f06341809faa05e73fa1ccd1)
---
src/core/namespace.c | 18 +++++++-----------
1 file changed, 7 insertions(+), 11 deletions(-)
diff --git a/src/core/namespace.c b/src/core/namespace.c
index 524416ecbd..b18fcf3e29 100644
--- a/src/core/namespace.c
+++ b/src/core/namespace.c
@@ -154,10 +154,10 @@ static const TargetMount protect_system_strict_table[] = {
{ "/root", READWRITE, true }, /* ProtectHome= */
};
-static void set_bind_mount(BindMount **p, char *path, MountMode mode, bool ignore) {
- (*p)->path = path;
- (*p)->mode = mode;
- (*p)->ignore = ignore;
+static void set_bind_mount(BindMount *p, char *path, MountMode mode, bool ignore) {
+ p->path = path;
+ p->mode = mode;
+ p->ignore = ignore;
}
static int append_one_mount(BindMount **p, const char *root_directory,
@@ -169,9 +169,7 @@ static int append_one_mount(BindMount **p, const char *root_directory,
if (!lpath)
return -ENOMEM;
- set_bind_mount(p, lpath, mode, ignore);
- (*p)++;
-
+ set_bind_mount((*p)++, lpath, mode, ignore);
return 0;
}
@@ -196,8 +194,7 @@ static int append_mounts(BindMount **p, char **strv, MountMode mode) {
if (!path)
return -ENOMEM;
- set_bind_mount(p, path, mode, ignore);
- (*p)++;
+ set_bind_mount((*p)++, path, mode, ignore);
}
return 0;
@@ -224,8 +221,7 @@ static int append_target_mounts(BindMount **p, const char *root_directory, const
if (!path_is_absolute(path))
return -EINVAL;
- set_bind_mount(p, path, m->mode, m->ignore);
- (*p)++;
+ set_bind_mount((*p)++, path, m->mode, m->ignore);
}
return 0;

119
0008-core-namespace-count-and-free-failed-paths-inside-ch.patch
View File

@ -1,119 +0,0 @@
From f28e754a5b0400d439cb3a9a3d288191f5a742ed Mon Sep 17 00:00:00 2001
From: Djalal Harouni <tixxdz@opendz.org>
Date: Thu, 10 Nov 2016 18:11:37 +0100
Subject: [PATCH] core:namespace: count and free failed paths inside
chase_all_symlinks() (#4619)
This certainly fixes a bug that was introduced by PR
https://github.com/systemd/systemd/pull/4594 that intended to fix
https://github.com/systemd/systemd/issues/4567.
The fix was not complete. This patch makes sure that we count and free
all paths that fail inside chase_all_symlinks().
Fixes https://github.com/systemd/systemd/issues/4567
(cherry picked from commit 1d54cd5d255065c8659ca68d2591e810e6104714)
---
src/core/namespace.c | 32 ++++++++++++++++++--------------
1 file changed, 18 insertions(+), 14 deletions(-)
diff --git a/src/core/namespace.c b/src/core/namespace.c
index b18fcf3e29..49a50c7b61 100644
--- a/src/core/namespace.c
+++ b/src/core/namespace.c
@@ -322,7 +322,7 @@ static void drop_duplicates(BindMount *m, unsigned *n) {
/* Drops duplicate entries. Expects that the array is properly ordered already. */
- for (f = m, t = m, previous = NULL; f < m+*n; f++) {
+ for (f = m, t = m, previous = NULL; f < m + *n; f++) {
/* The first one wins (which is the one with the more restrictive mode), see mount_path_compare()
* above. */
@@ -350,7 +350,7 @@ static void drop_inaccessible(BindMount *m, unsigned *n) {
/* Drops all entries obstructed by another entry further up the tree. Expects that the array is properly
* ordered already. */
- for (f = m, t = m; f < m+*n; f++) {
+ for (f = m, t = m; f < m + *n; f++) {
/* If we found a path set for INACCESSIBLE earlier, and this entry has it as prefix we should drop
* it, as inaccessible paths really should drop the entire subtree. */
@@ -378,7 +378,7 @@ static void drop_nop(BindMount *m, unsigned *n) {
/* Drops all entries which have an immediate parent that has the same type, as they are redundant. Assumes the
* list is ordered by prefixes. */
- for (f = m, t = m; f < m+*n; f++) {
+ for (f = m, t = m; f < m + *n; f++) {
/* Only suppress such subtrees for READONLY and READWRITE entries */
if (IN_SET(f->mode, READONLY, READWRITE)) {
@@ -414,12 +414,13 @@ static void drop_outside_root(const char *root_directory, BindMount *m, unsigned
assert(m);
assert(n);
+ /* Nothing to do */
if (!root_directory)
return;
/* Drops all mounts that are outside of the root directory. */
- for (f = m, t = m; f < m+*n; f++) {
+ for (f = m, t = m; f < m + *n; f++) {
if (!path_startswith(f->path, root_directory)) {
log_debug("%s is outside of root directory.", f->path);
@@ -663,9 +664,10 @@ static int make_read_only(BindMount *m, char **blacklist) {
return r;
}
+/* Chase symlinks and remove failed paths from mounts */
static int chase_all_symlinks(const char *root_directory, BindMount *m, unsigned *n) {
BindMount *f, *t;
- int r;
+ int r = 0;
assert(m);
assert(n);
@@ -675,22 +677,24 @@ static int chase_all_symlinks(const char *root_directory, BindMount *m, unsigned
* can't resolve the path, and which have been marked for such removal. */
for (f = m, t = m; f < m + *n; f++) {
+ int k;
_cleanup_free_ char *chased = NULL;
- r = chase_symlinks(f->path, root_directory, &chased);
- if (r == -ENOENT && f->ignore) {
- /* Doesn't exist? Then remove it! */
+ k = chase_symlinks(f->path, root_directory, &chased);
+ if (k < 0) {
+ /* Get only real errors */
+ if (r >= 0 && (k != -ENOENT || !f->ignore))
+ r = k;
+
+ log_debug_errno(r, "Failed to chase symlinks for %s: %m", f->path);
+ /* Doesn't exist or failed? Then remove it and continue! */
f->path = mfree(f->path);
continue;
}
- if (r < 0)
- return log_debug_errno(r, "Failed to chase symlinks for %s: %m", f->path);
if (!path_equal(f->path, chased)) {
log_debug("Chased %s → %s", f->path, chased);
- r = free_and_replace(f->path, chased);
- if (r < 0)
- return r;
+ free_and_replace(f->path, chased);
}
*t = *f;
@@ -698,7 +702,7 @@ static int chase_all_symlinks(const char *root_directory, BindMount *m, unsigned
}
*n = t - m;
- return 0;
+ return r;
}
static unsigned namespace_calculate_mounts(

29
0009-basic-virt-fix-userns-check-on-CONFIG_USER_NS-n-kern.patch
View File

@ -1,29 +0,0 @@
From 7d7017a583a014c239cf8f68d484f22f67ca80ac Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
Date: Fri, 11 Nov 2016 10:54:54 -0500
Subject: [PATCH] basic/virt: fix userns check on CONFIG_USER_NS=n kernel
(#4651)
ENOENT should be treated as "false", but because of the broken errno check it
was treated as an error. So ConditionVirtualization=user-namespaces probably
returned the correct answer, but only by accident.
Fixes #4608.
(cherry picked from commit abd67ce74858491565cde157c7b08fda43d3279c)
---
src/basic/virt.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/basic/virt.c b/src/basic/virt.c
index 69b0f96183..d8d57381ad 100644
--- a/src/basic/virt.c
+++ b/src/basic/virt.c
@@ -496,7 +496,7 @@ static int userns_has_mapping(const char *name) {
f = fopen(name, "re");
if (!f) {
log_debug_errno(errno, "Failed to open %s: %m", name);
- return errno == -ENOENT ? false : -errno;
+ return errno == ENOENT ? false : -errno;
}
n = getline(&buf, &n_allocated, f);

41
0010-timesyncd-clear-ADJ_MAXERROR-to-keep-STA_UNSYNC-clea.patch
View File

@ -1,41 +0,0 @@
From 986e777a9e8f34b16b3bc9ea50479dba8559a845 Mon Sep 17 00:00:00 2001
From: akochetkov <al.kochet@gmail.com>
Date: Fri, 11 Nov 2016 20:50:46 +0300
Subject: [PATCH] timesyncd: clear ADJ_MAXERROR to keep STA_UNSYNC cleared
after jump adjust (#4626)
NTP use jump adjust if system has incorrect time read from RTC during boot.
It is desireble to update RTC time as soon as NTP set correct system time.
Sometimes kernel failed to update RTC due to STA_UNSYNC get set before RTC
update finised. In that case RTC time wouldn't be updated within long time.
The commit makes RTC updates stable.
When NTP do jump time adjust using ADJ_SETOFFSET it clears STA_UNSYNC flag.
If don't clear ADJ_MAXERROR, STA_UNSYNC will be set again by kernel within
1 second (by second_overflow() function). STA_UNSYNC flag prevent RTC updates
in kernel. Sometimes the kernel is able to update RTC withing 1 second,
but sometimes it falied.
(cherry picked from commit 5f36e3d30375cf04292bbc1bf3f4d7512cf80139)
---
src/timesync/timesyncd-manager.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/timesync/timesyncd-manager.c b/src/timesync/timesyncd-manager.c
index d5e16db3a0..419f0fa279 100644
--- a/src/timesync/timesyncd-manager.c
+++ b/src/timesync/timesyncd-manager.c
@@ -330,11 +330,13 @@ static int manager_adjust_clock(Manager *m, double offset, int leap_sec) {
tmx.esterror = 0;
log_debug(" adjust (slew): %+.3f sec", offset);
} else {
- tmx.modes = ADJ_STATUS | ADJ_NANO | ADJ_SETOFFSET;
+ tmx.modes = ADJ_STATUS | ADJ_NANO | ADJ_SETOFFSET | ADJ_MAXERROR | ADJ_ESTERROR;
/* ADJ_NANO uses nanoseconds in the microseconds field */
tmx.time.tv_sec = (long)offset;
tmx.time.tv_usec = (offset - tmx.time.tv_sec) * NSEC_PER_SEC;
+ tmx.maxerror = 0;
+ tmx.esterror = 0;
/* the kernel expects -0.3s as {-1, 7000.000.000} */
if (tmx.time.tv_usec < 0) {

23
0011-link-fix-offload-features-initialization-4639.patch
View File

@ -1,23 +0,0 @@
From 8f8eacd358dcac603173d66525b4741616c76997 Mon Sep 17 00:00:00 2001
From: Maks Naumov <maksqwe1@ukr.net>
Date: Mon, 14 Nov 2016 12:33:43 +0200
Subject: [PATCH] link: fix offload features initialization (#4639)
(cherry picked from commit 45d34fa7fb9f587f09e8cca882966050b4cbb5be)
---
src/udev/net/link-config.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/udev/net/link-config.c b/src/udev/net/link-config.c
index ece9248c2a..fa8fe1fb9a 100644
--- a/src/udev/net/link-config.c
+++ b/src/udev/net/link-config.c
@@ -168,7 +168,7 @@ static int load_link(link_config_ctx *ctx, const char *filename) {
link->wol = _WOL_INVALID;
link->duplex = _DUP_INVALID;
- memset(&link->features, -1, _NET_DEV_FEAT_MAX);
+ memset(&link->features, -1, sizeof(link->features));
r = config_parse(NULL, filename, file,
"Match\0Link\0Ethernet\0",

48
0012-sd-event-fix-sd_event_source_get_priority-4712.patch
View File

@ -1,48 +0,0 @@
From b291d260e0ebc7a7528f37e97e8b404968f34e18 Mon Sep 17 00:00:00 2001
From: Martin Ejdestig <marejde@gmail.com>
Date: Tue, 22 Nov 2016 01:21:00 +0100
Subject: [PATCH] sd-event: fix sd_event_source_get_priority() (#4712)
To properly store priority in passed in pointer and return 0 for success.
Also add a test for verifying that it works correctly.
(cherry picked from commit 6680b8d118490bbb3e5522729ec50d9975088fd5)
---
src/libsystemd/sd-event/sd-event.c | 3 ++-
src/libsystemd/sd-event/test-event.c | 3 +++
2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/src/libsystemd/sd-event/sd-event.c b/src/libsystemd/sd-event/sd-event.c
index 9857f8b1fc..f94959adac 100644
--- a/src/libsystemd/sd-event/sd-event.c
+++ b/src/libsystemd/sd-event/sd-event.c
@@ -1539,7 +1539,8 @@ _public_ int sd_event_source_get_priority(sd_event_source *s, int64_t *priority)
assert_return(s, -EINVAL);
assert_return(!event_pid_changed(s->event), -ECHILD);
- return s->priority;
+ *priority = s->priority;
+ return 0;
}
_public_ int sd_event_source_set_priority(sd_event_source *s, int64_t priority) {
diff --git a/src/libsystemd/sd-event/test-event.c b/src/libsystemd/sd-event/test-event.c
index 289114490c..c0e5e06a18 100644
--- a/src/libsystemd/sd-event/test-event.c
+++ b/src/libsystemd/sd-event/test-event.c
@@ -172,6 +172,7 @@ static void test_basic(void) {
static const char ch = 'x';
int a[2] = { -1, -1 }, b[2] = { -1, -1}, d[2] = { -1, -1}, k[2] = { -1, -1 };
uint64_t event_now;
+ int64_t priority;
assert_se(pipe(a) >= 0);
assert_se(pipe(b) >= 0);
@@ -209,6 +210,8 @@ static void test_basic(void) {
assert_se(sd_event_add_exit(e, &q, exit_handler, INT_TO_PTR('g')) >= 0);
assert_se(sd_event_source_set_priority(x, 99) >= 0);
+ assert_se(sd_event_source_get_priority(x, &priority) >= 0);
+ assert_se(priority == 99);
assert_se(sd_event_source_set_enabled(y, SD_EVENT_ONESHOT) >= 0);
assert_se(sd_event_source_set_prepare(x, prepare_handler) >= 0);
assert_se(sd_event_source_set_priority(z, 50) >= 0);

42
0013-build-sys-check-for-lz4-in-the-old-and-new-numbering.patch
View File

@ -1,42 +0,0 @@
From 25cd9391929a46f1f38daf6aa4421de6a1afc47e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
Date: Wed, 23 Nov 2016 10:18:30 -0500
Subject: [PATCH] build-sys: check for lz4 in the old and new numbering scheme
(#4717)
lz4 upstream decided to switch to an incompatible numbering scheme
(1.7.3 follows 131, to match the so version).
PKG_CHECK_MODULES does not allow two version matches for the same package,
so e.g. lz4 < 10 || lz4 >= 125 cannot be used. Check twice, once for
"new" numbers (anything below 10 is assume to be new), once for the "old"
numbers (anything above >= 125). This assumes that the "new" versioning
will not get to 10 to quickly. I think that's a safe assumption, lz4 is a
mature project.
Fixed #4690.
(cherry picked from commit 3d4cf7de48a74726694abbaa09f9804b845ff3ba)
---
configure.ac | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/configure.ac b/configure.ac
index 0b10fc7de7..1928e65bde 100644
--- a/configure.ac
+++ b/configure.ac
@@ -623,10 +623,13 @@ AM_CONDITIONAL(HAVE_BZIP2, [test "$have_bzip2" = "yes"])
have_lz4=no
AC_ARG_ENABLE(lz4, AS_HELP_STRING([--disable-lz4], [Disable optional LZ4 support]))
AS_IF([test "x$enable_lz4" != "xno"], [
- PKG_CHECK_MODULES(LZ4, [ liblz4 >= 125 ],
- [AC_DEFINE(HAVE_LZ4, 1, [Define in LZ4 is available])
+ PKG_CHECK_MODULES(LZ4, [ liblz4 < 10 ],
+ [AC_DEFINE(HAVE_LZ4, 1, [Define if LZ4 is available])
have_lz4=yes],
- have_lz4=no)
+ [PKG_CHECK_MODULES(LZ4, [ liblz4 >= 125 ],
+ [AC_DEFINE(HAVE_LZ4, 1, [Define if LZ4 is available])
+ have_lz4=yes],
+ have_lz4=no)])
AS_IF([test "x$have_lz4" = xno -a "x$enable_lz4" = xyes],
[AC_MSG_ERROR([*** LZ4 support requested but libraries not found])])
])

28
0014-networkd-fix-size-of-MTUBytes-so-that-it-does-not-ov.patch
View File

@ -1,28 +0,0 @@
From 23c3ed8b2c0875c9f2a3e3b4e4d69af8cd49d9a2 Mon Sep 17 00:00:00 2001
From: Susant Sahani <ssahani@users.noreply.github.com>
Date: Wed, 23 Nov 2016 21:03:01 +0530
Subject: [PATCH] networkd: fix size of MTUBytes so that it does not overwrites
ARP (#4707)
config_parse_iec_size overwrites the next varible that is ARP.
Now the mtu is unsigned . Make it size_t .
Fixes #4644
(cherry picked from commit b8b40317d0355bc70bb23a6240a36f3630c4952b)
---
src/network/networkd-network.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/network/networkd-network.h b/src/network/networkd-network.h
index 42fc82d392..11ff34b5b5 100644
--- a/src/network/networkd-network.h
+++ b/src/network/networkd-network.h
@@ -173,7 +173,7 @@ struct Network {
IPv6PrivacyExtensions ipv6_privacy_extensions;
struct ether_addr *mac;
- unsigned mtu;
+ size_t mtu;
int arp;
uint32_t iaid;
DUID duid;

47
0015-core-consider-SIGTERM-as-a-clean-exit-status-for-ini.patch
View File

@ -1,47 +0,0 @@
From 409612865dd716752da4785b5d8cb75a24cebab4 Mon Sep 17 00:00:00 2001
From: Franck Bui <fbui@suse.com>
Date: Wed, 23 Nov 2016 16:31:24 +0100
Subject: [PATCH] core: consider SIGTERM as a clean exit status for
initrd-switch-root.service (#4713)
Since commit 1f0958f640b8717, systemd considers SIGTERM for short-running
services (aka Type=oneshot) as a failure.
This can be an issue with initrd-switch-root.service as the command run by this
service (in order to switch to the new rootfs) may still be running when
systemd does the switch.
However PID1 sends SIGTERM to all remaining processes right before
switching and initrd-switch-root.service can be one of those.
After systemd is reexecuted and its previous state is deserialized, systemd
notices that initrd-switch-root.service was killed with SIGTERM and considers
this as a failure which leads to the emergency shell.
To prevent this, this patch teaches systemd to consider a SIGTERM exit as a
clean one for this service.
It also removes "KillMode=none" since this is pretty useless as the service is
never stopped by systemd but it either exits normally or it's killed by a
SIGTERM as described previously.
(cherry picked from commit a4021390fef27f4136497328f2e35e79bc88855d)
---
units/initrd-switch-root.service.in | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/units/initrd-switch-root.service.in b/units/initrd-switch-root.service.in
index 82893dafb1..b89f2348c7 100644
--- a/units/initrd-switch-root.service.in
+++ b/units/initrd-switch-root.service.in
@@ -17,4 +17,10 @@ AllowIsolate=yes
Type=oneshot
# we have to use "--force" here, otherwise systemd would umount /run
ExecStart=@rootbindir@/systemctl --no-block --force switch-root /sysroot
-KillMode=none
+
+# Just before switching to the new rootfs, systemd might send us a TERM signal
+# depending on how fast we are to execute the main command and exit. If we get
+# the SIGTERM signal that simply means that we succeed but haven't got enough
+# time to exit properly. Since systemd considers SIGTERM as a failure for
+# short-running process (aka Type=oneshot), instruct it to ignore this case.
+SuccessExitStatus=SIGTERM

73
0016-core-make-sure-initrd-switch-root-command-survives-P.patch
View File

@ -1,73 +0,0 @@
From 0e2e7e8269dacd5845150170d3d47c2d677474ab Mon Sep 17 00:00:00 2001
From: Franck Bui <fbui@suse.com>
Date: Thu, 24 Nov 2016 18:52:04 +0100
Subject: [PATCH] core: make sure initrd-switch-root command survives PID1's
killing spree (#4730)
This is a different way to implement the fix proposed by commit
a4021390fef27f4136497328f suggested by Lennart Poettering.
In this patch we instruct PID1 to not kill "systemctl switch-root" command
started by initrd-switch-root service using the "argv[0][0]='@'" trick.
See: https://www.freedesktop.org/wiki/Software/systemd/RootStorageDaemons/ for
more details.
We had to backup argv[0] because argv is modified by dispatch_verb().
(cherry picked from commit acc28e2e3037d689d6481e4664925cf31d4d087b)
---
src/systemctl/systemctl.c | 10 ++++++++++
units/initrd-switch-root.service.in | 8 +-------
2 files changed, 11 insertions(+), 7 deletions(-)
diff --git a/src/systemctl/systemctl.c b/src/systemctl/systemctl.c
index dd3b931cd6..a2b667481d 100644
--- a/src/systemctl/systemctl.c
+++ b/src/systemctl/systemctl.c
@@ -142,6 +142,7 @@ static const char *arg_kill_who = NULL;
static int arg_signal = SIGTERM;
static char *arg_root = NULL;
static usec_t arg_when = 0;
+static char *argv_cmdline = NULL;
static enum action {
_ACTION_INVALID,
ACTION_SYSTEMCTL,
@@ -5584,6 +5585,13 @@ static int switch_root(int argc, char *argv[], void *userdata) {
init = NULL;
}
+ /* Instruct PID1 to exclude us from its killing spree applied during
+ * the transition from the initrd to the main system otherwise we would
+ * exit with a failure status even though the switch to the new root
+ * has succeed. */
+ if (in_initrd())
+ argv_cmdline[0] = '@';
+
r = acquire_bus(BUS_MANAGER, &bus);
if (r < 0)
return r;
@@ -8324,6 +8332,8 @@ static int logind_cancel_shutdown(void) {
int main(int argc, char*argv[]) {
int r;
+ argv_cmdline = argv[0];
+
setlocale(LC_ALL, "");
log_parse_environment();
log_open();
diff --git a/units/initrd-switch-root.service.in b/units/initrd-switch-root.service.in
index b89f2348c7..82893dafb1 100644
--- a/units/initrd-switch-root.service.in
+++ b/units/initrd-switch-root.service.in
@@ -17,10 +17,4 @@ AllowIsolate=yes
Type=oneshot
# we have to use "--force" here, otherwise systemd would umount /run
ExecStart=@rootbindir@/systemctl --no-block --force switch-root /sysroot
-
-# Just before switching to the new rootfs, systemd might send us a TERM signal
-# depending on how fast we are to execute the main command and exit. If we get
-# the SIGTERM signal that simply means that we succeed but haven't got enough
-# time to exit properly. Since systemd considers SIGTERM as a failure for
-# short-running process (aka Type=oneshot), instruct it to ignore this case.
-SuccessExitStatus=SIGTERM
+KillMode=none

30
0017-fix-journald-startup-problem-when-code-is-compiled-w.patch
View File

@ -1,30 +0,0 @@
From 4392ebaa516ef068809bb7f3d8a58b68f2face4f Mon Sep 17 00:00:00 2001
From: Waldemar Brodkorb <wbx-github@users.noreply.github.com>
Date: Fri, 25 Nov 2016 11:24:58 +0100
Subject: [PATCH] fix journald startup problem when code is compiled with
-DNDEBUG (#4735)
Similar to this patch from here:
http://systemd-devel.freedesktop.narkive.com/AvfCbi6c/patch-0-3-using-assert-se-on-actions-with-side-effects-on-test-cases
If the code is compiled with -DNDEBUG which is the default for
some embedded buildsystems, systemd-journald does not startup
and silently fails.
(cherry picked from commit 9bab3b65b0ad625ebbf50583c46f5c7c35b18a70)
---
src/journal/journald-server.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/journal/journald-server.c b/src/journal/journald-server.c
index 908c7b8eeb..c0987625cd 100644
--- a/src/journal/journald-server.c
+++ b/src/journal/journald-server.c
@@ -1480,7 +1480,7 @@ static int setup_signals(Server *s) {
assert(s);
- assert(sigprocmask_many(SIG_SETMASK, NULL, SIGINT, SIGTERM, SIGUSR1, SIGUSR2, SIGRTMIN+1, -1) >= 0);
+ assert_se(sigprocmask_many(SIG_SETMASK, NULL, SIGINT, SIGTERM, SIGUSR1, SIGUSR2, SIGRTMIN+1, -1) >= 0);
r = sd_event_add_signal(s->event, &s->sigusr1_event_source, SIGUSR1, dispatch_sigusr1, s);
if (r < 0)

33
0018-device-Avoid-calling-unit_free-NULL-in-device-setup-.patch
View File

@ -1,33 +0,0 @@
From 9dd94c0ac4b29250e0c06f2bbd8e73cc2072da7d Mon Sep 17 00:00:00 2001
From: Dave Reisner <d@falconindy.com>
Date: Sun, 27 Nov 2016 17:05:39 -0500
Subject: [PATCH] device: Avoid calling unit_free(NULL) in device setup logic
(#4748)
Since a581e45ae8f9bb5c, there's a few function calls to
unit_new_for_name which will unit_free on failure. Prior to this commit,
a failure would result in calling unit_free with a NULL unit, and hit an
assertion failure, seen at least via device_setup_unit:
Assertion 'u' failed at src/core/unit.c:519, function unit_free(). Aborting.
Fixes #4747
https://bugs.archlinux.org/task/51950
(cherry picked from commit d112eae7da77899be245ab52aa1747d4675549f1)
---
src/core/device.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/core/device.c b/src/core/device.c
index bd87a447cd..4b9e84aeb6 100644
--- a/src/core/device.c
+++ b/src/core/device.c
@@ -365,7 +365,7 @@ static int device_setup_unit(Manager *m, struct udev_device *dev, const char *pa
fail:
log_unit_warning_errno(u, r, "Failed to set up device unit: %m");
- if (delete)
+ if (delete && u)
unit_free(u);
return r;

24
0019-udevd-check-correct-return-value-of-fcntl-4758.patch
View File

@ -1,24 +0,0 @@
From 9b01faa700c80007d2a25f92dc704b3e1aaf365d Mon Sep 17 00:00:00 2001
From: Daniel Wagner <wagi@monom.org>
Date: Mon, 28 Nov 2016 18:24:26 +0100
Subject: [PATCH] udevd: check correct return value of fcntl() (#4758)
This looks like a copy&paste error from the code block above.
(cherry picked from commit a92cf7840ffefc279bc5cc409197d13752dec6e7)
---
src/udev/udevd.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/udev/udevd.c b/src/udev/udevd.c
index badbab6205..c97c52e962 100644
--- a/src/udev/udevd.c
+++ b/src/udev/udevd.c
@@ -1345,7 +1345,7 @@ static int listen_fds(int *rctrl, int *rnetlink) {
return log_error_errno(netlink_fd, "could not get uevent fd: %m");
netlink_fd = fcntl(fd, F_DUPFD_CLOEXEC, 3);
- if (ctrl_fd < 0)
+ if (netlink_fd < 0)
return log_error_errno(errno, "could not dup netlink fd: %m");
}

24
0020-systemctl-fix-is-enabled-exit-status-on-failure-when.patch
View File

@ -1,24 +0,0 @@
From c9b991db38bc74ad36b1f584c5f7fdafc0278564 Mon Sep 17 00:00:00 2001
From: Franck Bui <fbui@suse.com>
Date: Wed, 30 Nov 2016 18:27:42 +0100
Subject: [PATCH] systemctl: fix 'is-enabled' exit status on failure when
executed in chroot (#4773)
(cherry picked from commit c5024cd05c194b93ae960bf38e567d3d998f2a03)
---
src/systemctl/systemctl.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/systemctl/systemctl.c b/src/systemctl/systemctl.c
index a2b667481d..4edc690f5c 100644
--- a/src/systemctl/systemctl.c
+++ b/src/systemctl/systemctl.c
@@ -6384,7 +6384,7 @@ static int unit_is_enabled(int argc, char *argv[], void *userdata) {
r = unit_file_get_state(arg_scope, arg_root, *name, &state);
if (r < 0)
- return log_error_errno(state, "Failed to get unit file state for %s: %m", *name);
+ return log_error_errno(r, "Failed to get unit file state for %s: %m", *name);
if (IN_SET(state,
UNIT_FILE_ENABLED,

30
0021-journal-make-sure-to-initially-populate-the-space-in.patch
View File

@ -1,30 +0,0 @@
From dc28516400f7f56a4a6fbc8ab6740d2dc98f99ea Mon Sep 17 00:00:00 2001
From: Franck Bui <fbui@suse.com>
Date: Fri, 2 Dec 2016 18:40:10 +0100
Subject: [PATCH] journal: make sure to initially populate the space info cache
(#4807)
Make sure to populate the cache in cache_space_refresh() at least once
otherwise it's possible that the system boots fast enough (and the journal
flush service is finished) before the invalidate cache timeout (30 us) has
expired.
Fixes: #4790
(cherry picked from commit 3099caf2b5bb9498b1d0227c40926435ca81f26f)
---
src/journal/journald-server.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/journal/journald-server.c b/src/journal/journald-server.c
index c0987625cd..1d2fce8dc7 100644
--- a/src/journal/journald-server.c
+++ b/src/journal/journald-server.c
@@ -144,7 +144,7 @@ static int cache_space_refresh(Server *s, JournalStorage *storage) {
ts = now(CLOCK_MONOTONIC);
- if (space->timestamp + RECHECK_SPACE_USEC > ts)
+ if (space->timestamp != 0 && space->timestamp + RECHECK_SPACE_USEC > ts)
return 0;
r = determine_path_usage(s, storage->path, &vfs_used, &vfs_avail);

47
0022-networkd-link_enter_configured-remove-assert-4800.patch
View File

@ -1,47 +0,0 @@
From 783168312d5b7b29535488d785fdd4a849436368 Mon Sep 17 00:00:00 2001
From: Susant Sahani <ssahani@users.noreply.github.com>
Date: Mon, 5 Dec 2016 20:01:48 +0530
Subject: [PATCH] networkd: link_enter_configured remove assert (#4800)
When we are in link_enter_configured we assume that the
link->state should be LINK_STATE_SETTING_ROUTES but in some
situation it's LINK_STATlE_SETTING_ADDRESSES.
Just ignore the wrong state.
Also since the return value not used any where
make link_enter_configured return type void.
Fixes: #4746
(cherry picked from commit e3a7b04848a438f7b5a9a2bf5d7e0e59c5c49a00)
---
src/network/networkd-link.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/network/networkd-link.c b/src/network/networkd-link.c
index aefe7335b9..4dfbe0bf7e 100644
--- a/src/network/networkd-link.c
+++ b/src/network/networkd-link.c
@@ -686,18 +686,18 @@ static Address* link_find_dhcp_server_address(Link *link) {
return NULL;
}
-static int link_enter_configured(Link *link) {
+static void link_enter_configured(Link *link) {
assert(link);
assert(link->network);
- assert(link->state == LINK_STATE_SETTING_ROUTES);
+
+ if (link->state != LINK_STATE_SETTING_ROUTES)
+ return;
log_link_info(link, "Configured");
link_set_state(link, LINK_STATE_CONFIGURED);
link_dirty(link);
-
- return 0;
}
void link_check_ready(Link *link) {

25
0023-rules-consider-MMC-device-partitions-with-partition-.patch
View File

@ -1,25 +0,0 @@
From 09dc7999c275723f7e364386cd85e8f698e744c9 Mon Sep 17 00:00:00 2001
From: Kieran Colford <kieran@kcolford.com>
Date: Tue, 6 Dec 2016 04:46:13 -0500
Subject: [PATCH] rules: consider MMC device partitions with partition number >
9 (#4831)
Add entries for extra partitions found on MMC devices (common in Chromebooks).
(cherry picked from commit 471b9850ee10dea07233af485e125897d2d35a00)
---
rules/60-persistent-storage.rules | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/60-persistent-storage.rules b/rules/60-persistent-storage.rules
index c13d05cdb1..bbd52e825e 100644
--- a/rules/60-persistent-storage.rules
+++ b/rules/60-persistent-storage.rules
@@ -54,7 +54,7 @@ KERNEL=="sd*[0-9]", ATTRS{ieee1394_id}=="?*", SYMLINK+="disk/by-id/ieee1394-$att
# MMC
KERNEL=="mmcblk[0-9]", SUBSYSTEMS=="mmc", ATTRS{name}=="?*", ATTRS{serial}=="?*", \
ENV{ID_NAME}="$attr{name}", ENV{ID_SERIAL}="$attr{serial}", SYMLINK+="disk/by-id/mmc-$env{ID_NAME}_$env{ID_SERIAL}"
-KERNEL=="mmcblk[0-9]p[0-9]", ENV{ID_NAME}=="?*", ENV{ID_SERIAL}=="?*", SYMLINK+="disk/by-id/mmc-$env{ID_NAME}_$env{ID_SERIAL}-part%n"
+KERNEL=="mmcblk[0-9]p[0-9]*", ENV{ID_NAME}=="?*", ENV{ID_SERIAL}=="?*", SYMLINK+="disk/by-id/mmc-$env{ID_NAME}_$env{ID_SERIAL}-part%n"
# Memstick
KERNEL=="msblk[0-9]|mspblk[0-9]", SUBSYSTEMS=="memstick", ATTRS{name}=="?*", ATTRS{serial}=="?*", \

23
0024-nspawn-add-missing-E-to-getopt_long-4860.patch
View File

@ -1,23 +0,0 @@
From 331ea131a5d1b942603c01225758c29f9ca98feb Mon Sep 17 00:00:00 2001
From: Wim de With <register@wimdewith.com>
Date: Sat, 10 Dec 2016 05:33:58 +0100
Subject: [PATCH] nspawn: add missing -E to getopt_long (#4860)
(cherry picked from commit 2e1f244efd2dfc1a60d032bef3d88b9ba6e0444b)
---
src/nspawn/nspawn.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
index c8fc011907..81573be95a 100644
--- a/src/nspawn/nspawn.c
+++ b/src/nspawn/nspawn.c
@@ -472,7 +472,7 @@ static int parse_argv(int argc, char *argv[]) {
assert(argc >= 0);
assert(argv);
- while ((c = getopt_long(argc, argv, "+hD:u:abL:M:jS:Z:qi:xp:nU", options, NULL)) >= 0)
+ while ((c = getopt_long(argc, argv, "+hD:u:abL:M:jS:Z:qi:xp:nUE:", options, NULL)) >= 0)
switch (c) {

24
0025-build-sys-define-arm-as-secondary-architecture-for-a.patch
View File

@ -1,24 +0,0 @@
From f04a5c9d6a733f44d8f88dcea4ec340ec2d1d2c4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
Date: Sat, 10 Dec 2016 13:01:22 -0500
Subject: [PATCH] build-sys: define arm as secondary architecture for arm64
Completely unstested. Fixes #4862.
(cherry picked from commit b7cac52779d52eff6ed03103922ffe1208a7baa9)
---
src/basic/architecture.h | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/basic/architecture.h b/src/basic/architecture.h
index 5a77c31932..b329df2f6d 100644
--- a/src/basic/architecture.h
+++ b/src/basic/architecture.h
@@ -150,6 +150,7 @@ int uname_architecture(void);
# else
# define native_architecture() ARCHITECTURE_ARM64
# define LIB_ARCH_TUPLE "aarch64-linux-gnu"
+# define SECONDARY_ARCHITECTURE ARCHITECTURE_ARM
# endif
#elif defined(__arm__)
# if __BYTE_ORDER == __BIG_ENDIAN

75
0026-nspawn-when-getting-SIGCHLD-make-sure-it-s-from-the-.patch
View File

@ -1,75 +0,0 @@
From 92f6078aeadec4dfd0e4e9e2ef14b0f7794141cc Mon Sep 17 00:00:00 2001
From: Andrey Ulanov <aulanov@gmail.com>
Date: Mon, 12 Dec 2016 17:38:18 -0800
Subject: [PATCH] nspawn: when getting SIGCHLD make sure it's from the first
child (#4855)
When getting SIGCHLD we should not assume that it was the first
child forked from system-nspawn that has died as it may also be coming
from an orphan process. This change adds a signal handler that ignores
SIGCHLD unless it came from the first containerized child - the real
child.
Before this change the problem can be reproduced as follows:
$ sudo systemd-nspawn --directory=/container-root --share-system
Press ^] three times within 1s to kill container.
[root@andreyu-coreos ~]# { true & } &
[1] 22201
[root@andreyu-coreos ~]#
Container root-fedora-latest terminated by signal KILL
(cherry picked from commit 6916b164642d8bb4938878f4284f8ee5ccf3efd6)
---
src/nspawn/nspawn.c | 25 +++++++++++++++++++++++--
1 file changed, 23 insertions(+), 2 deletions(-)
diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
index 81573be95a..503265545b 100644
--- a/src/nspawn/nspawn.c
+++ b/src/nspawn/nspawn.c
@@ -38,6 +38,7 @@
#include <sys/personality.h>
#include <sys/prctl.h>
#include <sys/types.h>
+#include <sys/wait.h>
#include <unistd.h>
#include "sd-daemon.h"
@@ -2538,6 +2539,26 @@ static int on_orderly_shutdown(sd_event_source *s, const struct signalfd_siginfo
return 0;
}
+static int on_sigchld(sd_event_source *s, const struct signalfd_siginfo *ssi, void *userdata) {
+ for (;;) {
+ siginfo_t si = {};
+ if (waitid(P_ALL, 0, &si, WNOHANG|WNOWAIT|WEXITED) < 0)
+ return log_error_errno(errno, "Failed to waitid(): %m");
+ if (si.si_pid == 0) /* No pending children. */
+ break;
+ if (si.si_pid == PTR_TO_PID(userdata)) {
+ /* The main process we care for has exited. Return from
+ * signal handler but leave the zombie. */
+ sd_event_exit(sd_event_source_get_event(s), 0);
+ break;
+ }
+ /* Reap all other children. */
+ (void) waitid(P_PID, si.si_pid, &si, WNOHANG|WEXITED);
+ }
+
+ return 0;
+}
+
static int determine_names(void) {
int r;
@@ -3952,8 +3973,8 @@ static int run(int master,
sd_event_add_signal(event, NULL, SIGTERM, NULL, NULL);
}
- /* simply exit on sigchld */
- sd_event_add_signal(event, NULL, SIGCHLD, NULL, NULL);
+ /* Exit when the child exits */
+ sd_event_add_signal(event, NULL, SIGCHLD, on_sigchld, PID_TO_PTR(*pid));
if (arg_expose_ports) {
r = expose_port_watch_rtnl(event, rtnl_socket_pair[0], on_address_change, exposed, &rtnl);

28
0027-machinectl-make-machinectl-E-shell-work.patch
View File

@ -1,28 +0,0 @@
From 1fd8d16fb95b883c927fc8ec73b343b4edba5e6b Mon Sep 17 00:00:00 2001
From: Lennart Poettering <lennart@poettering.net>
Date: Tue, 6 Dec 2016 19:35:31 +0100
Subject: [PATCH] =?UTF-8?q?machinectl:=20make=20"machinectl=20-E=20?=
=?UTF-8?q?=E2=80=A6=20shell"=20work?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Fixes: #4823
(cherry picked from commit 61f638e5446d0d4a5b5e7f81c174e4f072bd01f7)
---
src/machine/machinectl.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/machine/machinectl.c b/src/machine/machinectl.c
index 7b9be3b425..d54caecf46 100644
--- a/src/machine/machinectl.c
+++ b/src/machine/machinectl.c
@@ -2756,7 +2756,7 @@ static int parse_argv(int argc, char *argv[]) {
assert(argv);
for (;;) {
- static const char option_string[] = "-hp:als:H:M:qn:o:";
+ static const char option_string[] = "-hp:als:H:M:qn:o:E:";
c = getopt_long(argc, argv, option_string + reorder, options, NULL);
if (c < 0)

54
0028-sysv-generator-properly-translate-sysv-facilities.patch
View File

@ -1,54 +0,0 @@
From 59ebe5b42ccd7cacbf5975f8ddc1aa42c78e45db Mon Sep 17 00:00:00 2001
From: Lennart Poettering <lennart@poettering.net>
Date: Tue, 6 Dec 2016 19:36:30 +0100
Subject: [PATCH] sysv-generator: properly translate sysv facilities
We used the wrong return value in one case, so that our translations were
thrown away.
While we are at it, make sure to always initialize *ret on successful function
exits.
Fixes: #4762
(cherry picked from commit e932f5407ef5ad05d25d7dfefa4cda0fe81cc346)
---
src/sysv-generator/sysv-generator.c | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/src/sysv-generator/sysv-generator.c b/src/sysv-generator/sysv-generator.c
index c2c80175a2..212cf7a988 100644
--- a/src/sysv-generator/sysv-generator.c
+++ b/src/sysv-generator/sysv-generator.c
@@ -292,8 +292,10 @@ static int sysv_translate_facility(SysvStub *s, unsigned line, const char *name,
if (!streq(table[i], n))
continue;
- if (!table[i+1])
+ if (!table[i+1]) {
+ *ret = NULL;
return 0;
+ }
m = strdup(table[i+1]);
if (!m)
@@ -312,7 +314,7 @@ static int sysv_translate_facility(SysvStub *s, unsigned line, const char *name,
if (r < 0)
return log_error_errno(r, "[%s:%u] Could not build name for facility %s: %m", s->path, line, name);
- return r;
+ return 1;
}
/* Strip ".sh" suffix from file name for comparison */
@@ -324,8 +326,10 @@ static int sysv_translate_facility(SysvStub *s, unsigned line, const char *name,
}
/* Names equaling the file name of the services are redundant */
- if (streq_ptr(n, filename))
+ if (streq_ptr(n, filename)) {
+ *ret = NULL;
return 0;
+ }
/* Everything else we assume to be normal service names */
m = sysv_translate_name(n);

40
0029-core-downgrade-Time-has-been-changed-to-debug-4906.patch
View File

@ -1,40 +0,0 @@
From eac04c9feff868c79f7d8438ef66aeb6f2a8a6c9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
Date: Sun, 18 Dec 2016 07:21:19 -0500
Subject: [PATCH] core: downgrade "Time has been changed" to debug (#4906)
That message is emitted by every systemd instance on every resume:
Dec 06 08:03:38 laptop systemd[1]: Time has been changed
Dec 06 08:03:38 laptop systemd[823]: Time has been changed
Dec 06 08:03:38 laptop systemd[916]: Time has been changed
Dec 07 08:00:32 laptop systemd[1]: Time has been changed
Dec 07 08:00:32 laptop systemd[823]: Time has been changed
Dec 07 08:00:32 laptop systemd[916]: Time has been changed
-- Reboot --
Dec 07 08:02:46 laptop systemd[836]: Time has been changed
Dec 07 08:02:46 laptop systemd[1]: Time has been changed
Dec 07 08:02:46 laptop systemd[926]: Time has been changed
Dec 07 19:48:12 laptop systemd[1]: Time has been changed
Dec 07 19:48:12 laptop systemd[836]: Time has been changed
Dec 07 19:48:12 laptop systemd[926]: Time has been changed
...
Fixes #4896.
(cherry picked from commit a80c1575065c3e3cbf97fd97993ff98598fa01bb)
---
src/core/manager.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/core/manager.c b/src/core/manager.c
index ffccfdcd5e..322e69a69c 100644
--- a/src/core/manager.c
+++ b/src/core/manager.c
@@ -2145,7 +2145,7 @@ static int manager_dispatch_time_change_fd(sd_event_source *source, int fd, uint
assert(m);
assert(m->time_change_fd == fd);
- log_struct(LOG_INFO,
+ log_struct(LOG_DEBUG,
LOG_MESSAGE_ID(SD_MESSAGE_TIME_CHANGE),
LOG_MESSAGE("Time has been changed"),
NULL);

25
0030-machinectl-handle-EOPNOTSUPP-from-print_addresses-49.patch
View File

@ -1,25 +0,0 @@
From d3d04283c458c1313ed87a12af538d8e0540e88d Mon Sep 17 00:00:00 2001
From: Graeme Lawes <graemelawes@gmail.com>
Date: Sun, 25 Dec 2016 06:14:41 -0500
Subject: [PATCH] machinectl: handle EOPNOTSUPP from print_addresses (#4979)
Print addresses returns EOPNOTSUPP, not ENOSYS, when trying to print
addresses for non-container machines.
(cherry picked from commit 3a0a40d1667e53b623e891527871e9f3ee6cb7b4)
---
src/machine/machinectl.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/machine/machinectl.c b/src/machine/machinectl.c
index d54caecf46..f84226f58f 100644
--- a/src/machine/machinectl.c
+++ b/src/machine/machinectl.c
@@ -326,7 +326,7 @@ static int list_machines(int argc, char *argv[], void *userdata) {
(int) max_version_id, strdash_if_empty(machines[j].version_id));
r = print_addresses(bus, machines[j].name, 0, "", prefix, arg_addrs);
- if (r == -ENOSYS)
+ if (r == -EOPNOTSUPP)
printf("-\n");
}

27
0031-units-fix-condition-for-systemd-journal-catalog-upda.patch
View File

@ -1,27 +0,0 @@
From 511b40e49641a8f59014472ce8e96a7ef61f3cad Mon Sep 17 00:00:00 2001
From: Lennart Poettering <lennart@poettering.net>
Date: Thu, 29 Dec 2016 10:38:52 +0100
Subject: [PATCH] units: fix condition for
systemd-journal-catalog-update.service (#4990)
The service is supposed to regenerate the catalog index whenever /usr is
updated, but /var is not. Hence the ConditionNeedsUpdate= line should
actually reference /var, as that's where the index file is located.
(cherry picked from commit 73c729d76871a64840a4d89fc61a5a64cc96e596)
---
units/systemd-journal-catalog-update.service.in | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/units/systemd-journal-catalog-update.service.in b/units/systemd-journal-catalog-update.service.in
index 6370dd478f..276f052b1a 100644
--- a/units/systemd-journal-catalog-update.service.in
+++ b/units/systemd-journal-catalog-update.service.in
@@ -12,7 +12,7 @@ DefaultDependencies=no
Conflicts=shutdown.target
After=local-fs.target
Before=sysinit.target shutdown.target systemd-update-done.service
-ConditionNeedsUpdate=/etc
+ConditionNeedsUpdate=/var
[Service]
Type=oneshot

57
0032-core-fix-sockaddr-length-calculation-for-sockaddr_pr.patch
View File

@ -1,57 +0,0 @@
From 6eda08fbff4f911c5884876a33708cf17fa28a8b Mon Sep 17 00:00:00 2001
From: Lennart Poettering <lennart@poettering.net>
Date: Thu, 29 Dec 2016 11:21:37 +0100
Subject: [PATCH] core: fix sockaddr length calculation for sockaddr_pretty()
(#4966)
Let's simply store the socket address length in the SocketPeer object so
that we can use it when invoking sockaddr_pretty():
This fixes the issue described in #4943, but avoids calling
getpeername() twice.
(cherry picked from commit 41733ae1e0035c538505bc5be1ca5d67a80b4a82)
---
src/core/socket.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/src/core/socket.c b/src/core/socket.c
index 0b1c4acfec..fe2020008f 100644
--- a/src/core/socket.c
+++ b/src/core/socket.c
@@ -64,6 +64,7 @@ struct SocketPeer {
Socket *socket;
union sockaddr_union peer;
+ socklen_t peer_salen;
};
static const UnitActiveState state_translation_table[_SOCKET_STATE_MAX] = {
@@ -490,8 +491,10 @@ static void peer_address_hash_func(const void *p, struct siphash *state) {
if (s->peer.sa.sa_family == AF_INET)
siphash24_compress(&s->peer.in.sin_addr, sizeof(s->peer.in.sin_addr), state);
- else
+ else if (s->peer.sa.sa_family == AF_INET6)
siphash24_compress(&s->peer.in6.sin6_addr, sizeof(s->peer.in6.sin6_addr), state);
+ else
+ assert_not_reached("Unknown address family.");
}
static int peer_address_compare_func(const void *a, const void *b) {
@@ -609,6 +612,7 @@ int socket_acquire_peer(Socket *s, int fd, SocketPeer **p) {
return log_oom();
remote->peer = sa.peer;
+ remote->peer_salen = salen;
r = set_put(s->peers_by_address, remote);
if (r < 0)
@@ -2196,7 +2200,7 @@ static void socket_enter_running(Socket *s, int cfd) {
} else if (r > 0 && p->n_ref > s->max_connections_per_source) {
_cleanup_free_ char *t = NULL;
- sockaddr_pretty(&p->peer.sa, FAMILY_ADDRESS_SIZE(p->peer.sa.sa_family), true, false, &t);
+ (void) sockaddr_pretty(&p->peer.sa, p->peer_salen, true, false, &t);
log_unit_warning(UNIT(s),
"Too many incoming connections (%u) from source %s, dropping connection.",

40
0033-shared-fix-double-free-in-unmask-5005.patch
View File

@ -1,40 +0,0 @@
From 83d9a6e89af9caebe109c5f309c7bc2d82bd8fc4 Mon Sep 17 00:00:00 2001
From: Jan Synacek <jan.synacek@gmail.com>
Date: Tue, 3 Jan 2017 21:34:36 +0100
Subject: [PATCH] shared: fix double free in unmask (#5005)
Easily reproducible:
1) systemctl mask foo
2) systemctl unmask foo foo
The problem here is that the *i that is put into todo[] is later freed
in strv_uniq(), which is not directly visible from this patch. Somewhere
further in the code, the string that *i pointed to is freed again. That
happens only when multiple services with the same name/path are specified.
(cherry picked from commit dc7dd61de610e9330abe7014860acfa733887d5e)
---
src/shared/install.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/shared/install.c b/src/shared/install.c
index 96fba6e25b..5f0eec3ccb 100644
--- a/src/shared/install.c
+++ b/src/shared/install.c
@@ -1861,7 +1861,7 @@ int unit_file_unmask(
_cleanup_lookup_paths_free_ LookupPaths paths = {};
_cleanup_set_free_free_ Set *remove_symlinks_to = NULL;
- _cleanup_free_ char **todo = NULL;
+ _cleanup_strv_free_ char **todo = NULL;
size_t n_todo = 0, n_allocated = 0;
const char *config_path;
char **i;
@@ -1899,7 +1899,7 @@ int unit_file_unmask(
if (!GREEDY_REALLOC0(todo, n_allocated, n_todo + 2))
return -ENOMEM;
- todo[n_todo++] = *i;
+ todo[n_todo++] = strdup(*i);
}
strv_uniq(todo);

117
0034-shared-fix-double-free-in-link.patch
View File

@ -1,117 +0,0 @@
From a4ead9514b411945f9525ac33901db2b557ce9d0 Mon Sep 17 00:00:00 2001
From: Evgeny Vereshchagin <evvers@ya.ru>
Date: Mon, 9 Jan 2017 04:46:11 +0000
Subject: [PATCH] shared: fix double free in link
Fixes:
```
touch hola.service
systemctl link $(pwd)/hola.service $(pwd)/hola.service
```
```
==1==ERROR: AddressSanitizer: attempting double-free on 0x60300002c560 in thread T0 (systemd):
#0 0x7fc8c961cb00 in free (/lib64/libasan.so.3+0xc6b00)
#1 0x7fc8c90ebd3b in strv_clear src/basic/strv.c:83
#2 0x7fc8c90ebdb6 in strv_free src/basic/strv.c:89
#3 0x55637c758c77 in strv_freep src/basic/strv.h:37
#4 0x55637c763ba9 in method_enable_unit_files_generic src/core/dbus-manager.c:1960
#5 0x55637c763d16 in method_link_unit_files src/core/dbus-manager.c:2001
#6 0x7fc8c92537ec in method_callbacks_run src/libsystemd/sd-bus/bus-objects.c:418
#7 0x7fc8c9258830 in object_find_and_run src/libsystemd/sd-bus/bus-objects.c:1255
#8 0x7fc8c92594d7 in bus_process_object src/libsystemd/sd-bus/bus-objects.c:1371
#9 0x7fc8c91e7553 in process_message src/libsystemd/sd-bus/sd-bus.c:2563
#10 0x7fc8c91e78ce in process_running src/libsystemd/sd-bus/sd-bus.c:2605
#11 0x7fc8c91e8f61 in bus_process_internal src/libsystemd/sd-bus/sd-bus.c:2837
#12 0x7fc8c91e90d2 in sd_bus_process src/libsystemd/sd-bus/sd-bus.c:2856
#13 0x7fc8c91ea8f9 in io_callback src/libsystemd/sd-bus/sd-bus.c:3126
#14 0x7fc8c928333b in source_dispatch src/libsystemd/sd-event/sd-event.c:2268
#15 0x7fc8c9285cf7 in sd_event_dispatch src/libsystemd/sd-event/sd-event.c:2627
#16 0x7fc8c92865fa in sd_event_run src/libsystemd/sd-event/sd-event.c:2686
#17 0x55637c6b5257 in manager_loop src/core/manager.c:2274
#18 0x55637c6a2194 in main src/core/main.c:1920
#19 0x7fc8c7ac7400 in __libc_start_main (/lib64/libc.so.6+0x20400)
#20 0x55637c697339 in _start (/usr/lib/systemd/systemd+0xcd339)
0x60300002c560 is located 0 bytes inside of 19-byte region [0x60300002c560,0x60300002c573)
freed by thread T0 (systemd) here:
#0 0x7fc8c961cb00 in free (/lib64/libasan.so.3+0xc6b00)
#1 0x7fc8c90ee320 in strv_remove src/basic/strv.c:630
#2 0x7fc8c90ee190 in strv_uniq src/basic/strv.c:602
#3 0x7fc8c9180533 in unit_file_link src/shared/install.c:1996
#4 0x55637c763b25 in method_enable_unit_files_generic src/core/dbus-manager.c:1985
#5 0x55637c763d16 in method_link_unit_files src/core/dbus-manager.c:2001
#6 0x7fc8c92537ec in method_callbacks_run src/libsystemd/sd-bus/bus-objects.c:418
#7 0x7fc8c9258830 in object_find_and_run src/libsystemd/sd-bus/bus-objects.c:1255
#8 0x7fc8c92594d7 in bus_process_object src/libsystemd/sd-bus/bus-objects.c:1371
#9 0x7fc8c91e7553 in process_message src/libsystemd/sd-bus/sd-bus.c:2563
#10 0x7fc8c91e78ce in process_running src/libsystemd/sd-bus/sd-bus.c:2605
#11 0x7fc8c91e8f61 in bus_process_internal src/libsystemd/sd-bus/sd-bus.c:2837
#12 0x7fc8c91e90d2 in sd_bus_process src/libsystemd/sd-bus/sd-bus.c:2856
#13 0x7fc8c91ea8f9 in io_callback src/libsystemd/sd-bus/sd-bus.c:3126
#14 0x7fc8c928333b in source_dispatch src/libsystemd/sd-event/sd-event.c:2268
#15 0x7fc8c9285cf7 in sd_event_dispatch src/libsystemd/sd-event/sd-event.c:2627
#16 0x7fc8c92865fa in sd_event_run src/libsystemd/sd-event/sd-event.c:2686
#17 0x55637c6b5257 in manager_loop src/core/manager.c:2274
#18 0x55637c6a2194 in main src/core/main.c:1920
#19 0x7fc8c7ac7400 in __libc_start_main (/lib64/libc.so.6+0x20400)
previously allocated by thread T0 (systemd) here:
#0 0x7fc8c95b0160 in strdup (/lib64/libasan.so.3+0x5a160)
#1 0x7fc8c90edf32 in strv_extend src/basic/strv.c:552
#2 0x7fc8c923ae41 in bus_message_read_strv_extend src/libsystemd/sd-bus/bus-message.c:5578
#3 0x7fc8c923b0de in sd_bus_message_read_strv src/libsystemd/sd-bus/bus-message.c:5600
#4 0x55637c7639d1 in method_enable_unit_files_generic src/core/dbus-manager.c:1969
#5 0x55637c763d16 in method_link_unit_files src/core/dbus-manager.c:2001
#6 0x7fc8c92537ec in method_callbacks_run src/libsystemd/sd-bus/bus-objects.c:418
#7 0x7fc8c9258830 in object_find_and_run src/libsystemd/sd-bus/bus-objects.c:1255
#8 0x7fc8c92594d7 in bus_process_object src/libsystemd/sd-bus/bus-objects.c:1371
#9 0x7fc8c91e7553 in process_message src/libsystemd/sd-bus/sd-bus.c:2563
#10 0x7fc8c91e78ce in process_running src/libsystemd/sd-bus/sd-bus.c:2605
#11 0x7fc8c91e8f61 in bus_process_internal src/libsystemd/sd-bus/sd-bus.c:2837
#12 0x7fc8c91e90d2 in sd_bus_process src/libsystemd/sd-bus/sd-bus.c:2856
#13 0x7fc8c91ea8f9 in io_callback src/libsystemd/sd-bus/sd-bus.c:3126
#14 0x7fc8c928333b in source_dispatch src/libsystemd/sd-event/sd-event.c:2268
#15 0x7fc8c9285cf7 in sd_event_dispatch src/libsystemd/sd-event/sd-event.c:2627
#16 0x7fc8c92865fa in sd_event_run src/libsystemd/sd-event/sd-event.c:2686
#17 0x55637c6b5257 in manager_loop src/core/manager.c:2274
#18 0x55637c6a2194 in main src/core/main.c:1920
#19 0x7fc8c7ac7400 in __libc_start_main (/lib64/libc.so.6+0x20400)
SUMMARY: AddressSanitizer: double-free (/lib64/libasan.so.3+0xc6b00) in free
==1==ABORTING
```
Closes #5015
(cherry picked from commit 8af35ba681116eb79a46e3dbd65b166c1efd6164)
---
src/shared/install.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/src/shared/install.c b/src/shared/install.c
index 5f0eec3ccb..64fe522ebb 100644
--- a/src/shared/install.c
+++ b/src/shared/install.c
@@ -1947,7 +1947,7 @@ int unit_file_link(
unsigned *n_changes) {
_cleanup_lookup_paths_free_ LookupPaths paths = {};
- _cleanup_free_ char **todo = NULL;
+ _cleanup_strv_free_ char **todo = NULL;
size_t n_todo = 0, n_allocated = 0;
const char *config_path;
char **i;
@@ -1996,7 +1996,11 @@ int unit_file_link(
if (!GREEDY_REALLOC0(todo, n_allocated, n_todo + 2))
return -ENOMEM;
- todo[n_todo++] = *i;
+ todo[n_todo] = strdup(*i);
+ if (!todo[n_todo])
+ return -ENOMEM;
+
+ n_todo++;
}
strv_uniq(todo);

29
0035-shared-check-strdup-NULL.patch
View File

@ -1,29 +0,0 @@
From acfeb54e985d6f4d589c574ba5d467fbe4d556b7 Mon Sep 17 00:00:00 2001
From: Evgeny Vereshchagin <evvers@ya.ru>
Date: Mon, 9 Jan 2017 22:45:41 +0000
Subject: [PATCH] shared: check strdup != NULL
This is a follow-up for dc7dd61de610e9330
(cherry picked from commit d054eae6c954baa857170bb60072c8a2ecea0d6b)
---
src/shared/install.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/src/shared/install.c b/src/shared/install.c
index 64fe522ebb..0bb47ac527 100644
--- a/src/shared/install.c
+++ b/src/shared/install.c
@@ -1899,7 +1899,11 @@ int unit_file_unmask(
if (!GREEDY_REALLOC0(todo, n_allocated, n_todo + 2))
return -ENOMEM;
- todo[n_todo++] = strdup(*i);
+ todo[n_todo] = strdup(*i);
+ if (!todo[n_todo])
+ return -ENOMEM;
+
+ n_todo++;
}
strv_uniq(todo);

57
0036-rpm-triggers-do-nothing-if-systemd-is-not-running-50.patch
View File

@ -1,57 +0,0 @@
From fba761f0bc86d37119bd18f7bc231e2d9f5d94a7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
Date: Thu, 12 Jan 2017 04:16:20 -0500
Subject: [PATCH] rpm triggers: do nothing if systemd is not running (#5065)
If we are running in a chroot/container/..., we would print a useless warning about
not being able to communicate with systemd. Trying to do daemon-reload is pointless
in those cases, so let's just skip all actions in that case.
The check uses /run/system/system, as recommended by sd_booted(3).
https://bugzilla.redhat.com/show_bug.cgi?id=1411299
(cherry picked from commit 13749f547357f8e9ec398680548f818dea3aba1c)
---
src/core/triggers.systemd.in | 22 +++++++++++++---------
1 file changed, 13 insertions(+), 9 deletions(-)
diff --git a/src/core/triggers.systemd.in b/src/core/triggers.systemd.in
index 0d8c303136..f8c8cbc5f9 100644
--- a/src/core/triggers.systemd.in
+++ b/src/core/triggers.systemd.in
@@ -27,11 +27,13 @@
-- installed, because other cases are covered by the *un scriptlets,
-- so sometimes we will reload needlessly.
-pid = posix.fork()
-if pid == 0 then
- assert(posix.exec("%{_bindir}/systemctl", "daemon-reload"))
-elseif pid > 0 then
- posix.wait(pid)
+if posix.access("/run/systemd/system") then
+ pid = posix.fork()
+ if pid == 0 then
+ assert(posix.exec("%{_bindir}/systemctl", "daemon-reload"))
+ elseif pid > 0 then
+ posix.wait(pid)
+ end
end
%transfiletriggerun -p <lua> -- @systemunitdir@ /etc/systemd/system
@@ -48,10 +50,12 @@ end
-- file in %transfiletriggerun and execute the daemon-reload in
-- the first %filetriggerpostun.
-posix.mkdir("%{_localstatedir}/lib")
-posix.mkdir("%{_localstatedir}/lib/rpm-state")
-posix.mkdir("%{_localstatedir}/lib/rpm-state/systemd")
-io.open("%{_localstatedir}/lib/rpm-state/systemd/needs-reload", "w")
+if posix.access("/run/systemd/system") then
+ posix.mkdir("%{_localstatedir}/lib")
+ posix.mkdir("%{_localstatedir}/lib/rpm-state")
+ posix.mkdir("%{_localstatedir}/lib/rpm-state/systemd")
+ io.open("%{_localstatedir}/lib/rpm-state/systemd/needs-reload", "w")
+end
%filetriggerpostun -P 1000100 -p <lua> -- @systemunitdir@ /etc/systemd/system
if posix.access("%{_localstatedir}/lib/rpm-state/systemd/needs-reload") then

53
0037-kernel-install-avoid-process-substitution.patch
View File

@ -1,53 +0,0 @@
From f1e5bbe0ef234b5e6c8a2cd7f601a75a7678cd27 Mon Sep 17 00:00:00 2001
From: Michal Schmidt <mschmidt@redhat.com>
Date: Fri, 16 Dec 2016 18:14:47 +0100
Subject: [PATCH] kernel-install: avoid process substitution
bash implements process substitution using /dev/fd/N (this is documented
in man bash). We'd like kernel-install to work in chrooted RPM
scriptlets without /dev.
We can use here-strings instead. bash uses temporary files to implement
those.
(cherry picked from commit db1e2bfc4f049261ae2d407568ff39569b36d98c)
---
src/kernel-install/kernel-install | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/kernel-install/kernel-install b/src/kernel-install/kernel-install
index a95b9717f0..c7d9f4eea9 100644
--- a/src/kernel-install/kernel-install
+++ b/src/kernel-install/kernel-install
@@ -34,7 +34,7 @@ dropindirs_sort()
local -a files
local f d i
- readarray -t files < <(
+ readarray -t files <<<"$(
for d in "$@"; do
for i in "$d/"*"$suffix"; do
if [[ -e "$i" ]]; then
@@ -42,7 +42,7 @@ dropindirs_sort()
fi
done
done | sort -Vu
- )
+ )"
for f in "${files[@]}"; do
for d in "$@"; do
@@ -104,11 +104,11 @@ fi
ret=0
-readarray -t PLUGINS < <(
+readarray -t PLUGINS <<<"$(
dropindirs_sort ".install" \
"/etc/kernel/install.d" \
"/usr/lib/kernel/install.d"
-)
+)"
case $COMMAND in
add)

41
0038-shell-completion-redirect-all-errors-from-systemctl-.patch
View File

@ -1,41 +0,0 @@
From 3f40c958104c4a83a32ad303cd7153f79cb7a6a8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
Date: Wed, 11 Jan 2017 14:45:19 -0500
Subject: [PATCH] shell-completion: redirect all errors from systemctl to
/dev/null
Completion scripts should not generate errors, ever.
https://bugzilla.redhat.com/show_bug.cgi?id=1409649
(cherry picked from commit 99171d2fdf720ebb64fee75db4177af5d048d0f9)
---
shell-completion/bash/systemctl.in | 2 +-
shell-completion/zsh/_systemctl.in | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/shell-completion/bash/systemctl.in b/shell-completion/bash/systemctl.in
index dcf71a1f51..34589e2888 100644
--- a/shell-completion/bash/systemctl.in
+++ b/shell-completion/bash/systemctl.in
@@ -19,7 +19,7 @@
__systemctl() {
local mode=$1; shift 1
- systemctl $mode --full --no-legend "$@"
+ systemctl $mode --full --no-legend "$@" 2>/dev/null
}
__systemd_properties() {
diff --git a/shell-completion/zsh/_systemctl.in b/shell-completion/zsh/_systemctl.in
index 03a1c930b0..d77a2df74e 100644
--- a/shell-completion/zsh/_systemctl.in
+++ b/shell-completion/zsh/_systemctl.in
@@ -91,7 +91,7 @@
__systemctl()
{
- systemctl $_sys_service_mgr --full --no-legend --no-pager "$@"
+ systemctl $_sys_service_mgr --full --no-legend --no-pager "$@" 2>/dev/null
}

26
0039-cryptsetup-fix-unitialized-variable.patch
View File

@ -1,26 +0,0 @@
From 7770e9fc69d7545b4ebf77567cce3f8b85c7ccf7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
Date: Sun, 15 Jan 2017 11:51:48 -0500
Subject: [PATCH] cryptsetup: fix unitialized variable
CID #1368416.
Coverity web interface is back, yay!
(cherry picked from commit 6fefc0eded00974e5b2862bd5efc7ef975c6a318)
---
src/cryptsetup/cryptsetup.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/cryptsetup/cryptsetup.c b/src/cryptsetup/cryptsetup.c
index ff5a3f36fb..a90bee81bb 100644
--- a/src/cryptsetup/cryptsetup.c
+++ b/src/cryptsetup/cryptsetup.c
@@ -752,6 +752,7 @@ int main(int argc, char *argv[]) {
} else {
log_error("Unknown verb %s.", argv[1]);
+ r = -EINVAL;
goto finish;
}

28
0040-systemctl-uninitalized-variable.patch
View File

@ -1,28 +0,0 @@
From 3a087e730c2be5d6abe8f9775a707af925e2520b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
Date: Sun, 15 Jan 2017 13:27:37 -0500
Subject: [PATCH] systemctl: uninitalized variable
CID #1368270.
Easily reproduced with COLUMNS=50 ./systemctl --no-pager.
(cherry picked from commit 43479f8d21a770cdb4870087fcec446b3d845cbc)
---
src/systemctl/systemctl.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/systemctl/systemctl.c b/src/systemctl/systemctl.c
index 4edc690f5c..1a4a201740 100644
--- a/src/systemctl/systemctl.c
+++ b/src/systemctl/systemctl.c
@@ -467,7 +467,8 @@ static int output_units_list(const UnitInfo *unit_infos, unsigned c) {
id_len += incr;
desc_len += MIN(extra_len - incr, max_desc_len - desc_len);
}
- }
+ } else
+ desc_len = 0;
} else {
id_len = max_id_len;
desc_len = max_desc_len;

29
0041-bash_completion-journalctl-add-missing-options.patch
View File

@ -1,29 +0,0 @@
From 176e36e83f44d5486945afa9beffc1e32799d546 Mon Sep 17 00:00:00 2001
From: Namhyung Kim <namhyung@gmail.com>
Date: Sat, 21 Jan 2017 16:36:20 +0900
Subject: [PATCH] bash_completion: journalctl: add missing options
The --no-hostname and --vacuum-files were missing, add them.
(cherry picked from commit ed52c971bfa546bfe1f8b329a41ac06077464fb6)
---
shell-completion/bash/journalctl | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/shell-completion/bash/journalctl b/shell-completion/bash/journalctl
index a999a10df1..ded92cb73a 100644
--- a/shell-completion/bash/journalctl
+++ b/shell-completion/bash/journalctl
@@ -42,10 +42,10 @@ _journalctl() {
--version --list-catalog --update-catalog --list-boots
--show-cursor --dmesg -k --pager-end -e -r --reverse
--utc -x --catalog --no-full --force --dump-catalog
- --flush --rotate --sync'
+ --flush --rotate --sync --no-hostname'
[ARG]='-b --boot --this-boot -D --directory --file -F --field
-M --machine -o --output -u --unit --user-unit -p --priority
- --vacuum-size --vacuum-time'
+ --vacuum-size --vacuum-time --vacuum-files'
[ARGUNKNOWN]='-c --cursor --interval -n --lines -S --since -U --until
--after-cursor --verify-key -t --identifier
--root'

26
0042-bash_completion-journalctl-Complete-t-option-values.patch
View File

@ -1,26 +0,0 @@
From 5efdac319bea6c000b17af77b7d1b3ba1dce6432 Mon Sep 17 00:00:00 2001
From: Namhyung Kim <namhyung@gmail.com>
Date: Sat, 21 Jan 2017 16:38:23 +0900
Subject: [PATCH] bash_completion: journalctl: Complete -t option values
The -t or --identifier requires a syslog identifier.
(cherry picked from commit 28b6b5de3f6c8943e83afe4e213cdb6a8c7e1a72)
---
shell-completion/bash/journalctl | 3 +++
1 file changed, 3 insertions(+)
diff --git a/shell-completion/bash/journalctl b/shell-completion/bash/journalctl
index ded92cb73a..c90a114497 100644
--- a/shell-completion/bash/journalctl
+++ b/shell-completion/bash/journalctl
@@ -82,6 +82,9 @@ _journalctl() {
--user-unit)
comps=$(journalctl -F '_SYSTEMD_USER_UNIT' 2>/dev/null)
;;
+ --identifier|-t)
+ comps=$(journalctl -F 'SYSLOG_IDENTIFIER' 2>/dev/null)
+ ;;
*)
return 0
;;

74
0043-Fixi-caching-in-zsh-completion-5122.patch
View File

@ -1,74 +0,0 @@
From d8386bfd28676e1c6fd88deaf203eb1cd7585233 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=D0=90=D0=BB=D0=B5=D0=BA=D1=81=D0=B0=D0=BD=D0=B4=D1=80=20?=
=?UTF-8?q?=D0=A2=D0=B8=D1=85=D0=BE=D0=BD=D0=BE=D0=B2?=
<disarmer.mk@gmail.com>
Date: Sat, 21 Jan 2017 23:53:09 +0400
Subject: [PATCH] Fixi caching in zsh completion (#5122)
I found several issues with zsh completion code:
1. typo in cache filename: "SYS_ALL_PROPRTIES", so cache just not loading from this file
2. cache stored in one file, despite user or system mode. So it can be loaded later in wrong mode
3. most serious problem: broken logic - it retrieves cache when _cache_invalid is true
How to reproduce: type "systemctl --user status <TAB>" and you will see user units. Then press
control+C and type "systemctl --system status <TAB>" in same session and you'll see user units again
(cherry picked from commit 88e4dbd505ed4f8480b1f3b837b3c2ac55f1b1dd)
---
shell-completion/zsh/_systemctl.in | 18 +++++++++---------
1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/shell-completion/zsh/_systemctl.in b/shell-completion/zsh/_systemctl.in
index d77a2df74e..553216da5e 100644
--- a/shell-completion/zsh/_systemctl.in
+++ b/shell-completion/zsh/_systemctl.in
@@ -98,11 +98,11 @@ __systemctl()
# Fills the unit list
_systemctl_all_units()
{
- if ( [[ ${+_sys_all_units} -eq 0 ]] || _cache_invalid SYS_ALL_UNITS ) &&
- ! _retrieve_cache SYS_ALL_UNITS;
+ if ( [[ ${+_sys_all_units} -eq 0 ]] || _cache_invalid SYS_ALL_UNITS$_sys_service_mgr ) ||
+ ! _retrieve_cache SYS_ALL_UNITS$_sys_service_mgr;
then
_sys_all_units=( ${${(f)"$(__systemctl list-units --all)"}%% *} )
- _store_cache SYS_ALL_UNITS _sys_all_units
+ _store_cache SYS_ALL_UNITS$_sys_service_mgr _sys_all_units
fi
}
@@ -111,14 +111,14 @@ _systemctl_really_all_units()
{
local -a all_unit_files;
local -a really_all_units;
- if ( [[ ${+_sys_really_all_units} -eq 0 ]] || _cache_invalid SYS_REALLY_ALL_UNITS ) &&
- ! _retrieve_cache SYS_REALLY_ALL_UNITS;
+ if ( [[ ${+_sys_really_all_units} -eq 0 ]] || _cache_invalid SYS_REALLY_ALL_UNITS$_sys_service_mgr ) ||
+ ! _retrieve_cache SYS_REALLY_ALL_UNITS$_sys_service_mgr;
then
all_unit_files=( ${${(f)"$(__systemctl list-unit-files)"}%% *} )
_systemctl_all_units
really_all_units=($_sys_all_units $all_unit_files)
_sys_really_all_units=(${(u)really_all_units})
- _store_cache SYS_REALLY_ALL_UNITS _sys_really_all_units
+ _store_cache SYS_REALLY_ALL_UNITS$_sys_service_mgr _sys_really_all_units
fi
}
@@ -330,13 +330,13 @@ _unit_types() {
}
_unit_properties() {
- if ( [[ ${+_sys_all_properties} -eq 0 ]] || _cache_invalid SYS_ALL_PROPERTIES ) &&
- ! _retrieve_cache SYS_ALL_PROPERTIES;
+ if ( [[ ${+_sys_all_properties} -eq 0 ]] || _cache_invalid SYS_ALL_PROPERTIES$_sys_service_mgr ) ||
+ ! _retrieve_cache SYS_ALL_PROPERTIES$_sys_service_mgr;
then
_sys_all_properties=( ${${(M)${(f)"$(__systemctl show --all;
@rootlibexecdir@/systemd --dump-configuration-items)"}##[[:alnum:]]##=*}%%=*}
)
- _store_cache SYS_ALL_PROPRTIES _sys_all_properties
+ _store_cache SYS_ALL_PROPERTIES$_sys_service_mgr _sys_all_properties
fi
_values -s , "${_sys_all_properties[@]}"
}

23
0044-bash-completion-add-support-for-now-5155.patch
View File

@ -1,23 +0,0 @@
From 59ce906fbeabbf3c519ee22fb4b653b2acb8fff1 Mon Sep 17 00:00:00 2001
From: Jan Synacek <jan.synacek@gmail.com>
Date: Wed, 25 Jan 2017 13:44:04 +0100
Subject: [PATCH] bash-completion: add support for --now (#5155)
(cherry picked from commit 0067c7b29ab996bf99cf1bafe63c118b9b6d5b56)
---
shell-completion/bash/systemctl.in | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/shell-completion/bash/systemctl.in b/shell-completion/bash/systemctl.in
index 34589e2888..7765010869 100644
--- a/shell-completion/bash/systemctl.in
+++ b/shell-completion/bash/systemctl.in
@@ -124,7 +124,7 @@ _systemctl () {
local -A OPTS=(
[STANDALONE]='--all -a --reverse --after --before --defaults --force -f --full -l --global
- --help -h --no-ask-password --no-block --no-legend --no-pager --no-reload --no-wall
+ --help -h --no-ask-password --no-block --no-legend --no-pager --no-reload --no-wall --now
--quiet -q --privileged -P --system --user --version --runtime --recursive -r --firmware-setup
--show-types -i --ignore-inhibitors --plain'
[ARG]='--host -H --kill-who --property -p --signal -s --type -t --state --job-mode --root

35
0045-core-dbus-fix-two-strv-memleaks.patch
View File

@ -1,35 +0,0 @@
From 0cb96989634afde3f1b7b86420e003a34dcf5551 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
Date: Tue, 24 Jan 2017 22:21:16 -0500
Subject: [PATCH] core/dbus: fix two strv memleaks
job_dbus_path and unit_dbus_path both allocate new strings, so we should use
strv_free.
(cherry picked from commit f0c03de85afa93d1df2bb533a46748e7f4264af6)
---
src/core/dbus.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/core/dbus.c b/src/core/dbus.c
index 070974fe66..c6fcd01138 100644
--- a/src/core/dbus.c
+++ b/src/core/dbus.c
@@ -477,7 +477,7 @@ static int bus_kill_context_find(sd_bus *bus, const char *path, const char *inte
}
static int bus_job_enumerate(sd_bus *bus, const char *path, void *userdata, char ***nodes, sd_bus_error *error) {
- _cleanup_free_ char **l = NULL;
+ _cleanup_strv_free_ char **l = NULL;
Manager *m = userdata;
unsigned k = 0;
Iterator i;
@@ -504,7 +504,7 @@ static int bus_job_enumerate(sd_bus *bus, const char *path, void *userdata, char
}
static int bus_unit_enumerate(sd_bus *bus, const char *path, void *userdata, char ***nodes, sd_bus_error *error) {
- _cleanup_free_ char **l = NULL;
+ _cleanup_strv_free_ char **l = NULL;
Manager *m = userdata;
unsigned k = 0;
Iterator i;

37
0046-core-execute-fix-strv-memleak.patch
View File

@ -1,37 +0,0 @@
From f2f5c4de715e65db93d57d7bcafe9caef3f7a79e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
Date: Tue, 24 Jan 2017 22:24:07 -0500
Subject: [PATCH] core/execute: fix strv memleak
compile_read_write_paths() returns a normal strv from strv_copy(), and
setup_namespace() uses it read-only, so we should use strv_free to deallocate.
(cherry picked from commit 06ec51d8ef30dce3c7f864633ba3a9888d18fed6)
---
src/core/execute.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/core/execute.c b/src/core/execute.c
index f13ca30395..38cd486d82 100644
--- a/src/core/execute.c
+++ b/src/core/execute.c
@@ -1984,8 +1984,8 @@ static int compile_read_write_paths(
_cleanup_strv_free_ char **l = NULL;
char **rt;
- /* Compile the list of writable paths. This is the combination of the explicitly configured paths, plus all
- * runtime directories. */
+ /* Compile the list of writable paths. This is the combination of
+ * the explicitly configured paths, plus all runtime directories. */
if (strv_isempty(context->read_write_paths) &&
strv_isempty(context->runtime_directory)) {
@@ -2018,7 +2018,7 @@ static int apply_mount_namespace(Unit *u, const ExecContext *context,
const ExecParameters *params,
ExecRuntime *runtime) {
int r;
- _cleanup_free_ char **rw = NULL;
+ _cleanup_strv_free_ char **rw = NULL;
char *tmp = NULL, *var = NULL;
const char *root_dir = NULL;
NameSpaceInfo ns_info = {

25
0047-resolve-fix-strv-memleak.patch
View File

@ -1,25 +0,0 @@
From f0dc398e4862dffc768be3a8fc59c5c5a012a5e6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
Date: Tue, 24 Jan 2017 22:27:21 -0500
Subject: [PATCH] resolve: fix strv memleak
sd_bus_message_read_strv() returns a normal strv...
(cherry picked from commit c6d92582205065e4924b9f0cb1428f4a5f210fd4)
---
src/resolve/resolved-link-bus.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/resolve/resolved-link-bus.c b/src/resolve/resolved-link-bus.c
index 364812250f..59cd6cf1cb 100644
--- a/src/resolve/resolved-link-bus.c
+++ b/src/resolve/resolved-link-bus.c
@@ -462,7 +462,7 @@ int bus_link_method_set_dnssec(sd_bus_message *message, void *userdata, sd_bus_e
int bus_link_method_set_dnssec_negative_trust_anchors(sd_bus_message *message, void *userdata, sd_bus_error *error) {
_cleanup_set_free_free_ Set *ns = NULL;
- _cleanup_free_ char **ntas = NULL;
+ _cleanup_strv_free_ char **ntas = NULL;
Link *l = userdata;
int r;
char **i;

27
0048-nspawn-fix-clobbering-of-selinux-context-arg.patch
View File

@ -1,27 +0,0 @@
From b6700f38b414fa8e97a29fae221d8f02af4b3375 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
Date: Fri, 27 Jan 2017 00:45:38 -0500
Subject: [PATCH] nspawn: fix clobbering of selinux context arg
First bug fixed by gcc 7. Yikes.
(cherry picked from commit 2e8977b198882fb8c99366ab2944572aa8998dc0)
---
src/nspawn/nspawn.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
index 503265545b..0e2f4d59a5 100644
--- a/src/nspawn/nspawn.c
+++ b/src/nspawn/nspawn.c
@@ -658,9 +658,8 @@ static int parse_argv(int argc, char *argv[]) {
r = free_and_strdup(&arg_machine, optarg);
if (r < 0)
return log_oom();
-
- break;
}
+ break;
case 'Z':
arg_selinux_context = optarg;

29
0049-parse_hwdb-fix-to-work-with-pyparsing-2.1.10.patch
View File

@ -1,29 +0,0 @@
From d30213c50db935f63987447d44d637bc9a00bf71 Mon Sep 17 00:00:00 2001
From: Martin Pitt <martin.pitt@ubuntu.com>
Date: Wed, 30 Nov 2016 09:20:15 +0100
Subject: [PATCH] parse_hwdb: fix to work with pyparsing 2.1.10
pyparsing 2.1.10 fixed the handling of LineStart to really just apply to line
starts and not ignore whitespace and comments any more. Adjust EMPTYLINE to
this.
Many thanks to Paul McGuire for pointing this out!
(cherry picked from commit f644a6da7a6f11d20116842e2ce1c7e9c0b0ad64)
---
hwdb/parse_hwdb.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hwdb/parse_hwdb.py b/hwdb/parse_hwdb.py
index 5d4c5ea64d..5856d12af7 100755
--- a/hwdb/parse_hwdb.py
+++ b/hwdb/parse_hwdb.py
@@ -56,7 +56,7 @@ except ImportError:
lru_cache = lambda: (lambda f: f)
EOL = LineEnd().suppress()
-EMPTYLINE = LineStart() + LineEnd()
+EMPTYLINE = LineEnd()
COMMENTLINE = pythonStyleComment + EOL
INTEGER = Word(nums)
REAL = Combine((INTEGER + Optional('.' + Optional(INTEGER))) ^ ('.' + INTEGER))

133
0050-journald-don-t-flush-to-var-log-journal-before-we-ge.patch
View File

@ -1,133 +0,0 @@
From 53ae6296386a754ed74a1d3fbd88f39ab7a89f0d Mon Sep 17 00:00:00 2001
From: Lennart Poettering <lennart@poettering.net>
Date: Mon, 12 Dec 2016 20:54:45 +0100
Subject: [PATCH] journald: don't flush to /var/log/journal before we get asked
to
This changes journald to not write to /var/log/journal until it received
SIGUSR1 for the first time, thus having been requested to flush the runtime
journal to disk.
This makes the journal work nicer with systems which have the root file system
writable early, but still need to rearrange /var before journald should start
writing and creating files to it, for example because ACLs need to be applied
first, or because /var is to be mounted from another file system, NFS or tmpfs
(as is the case for systemd.volatile=state).
Before this change we required setupts with /var split out to mount the root
disk read-only early on, and ship an /etc/fstab that remounted it writable only
after having placed /var at the right place. But even that was racy for various
preparations as journald might end up accessing the file system before it was
entirely set up, as soon as it was writable.
With this change we make scheduling when to start writing to /var/log/journal
explicit. This means persistent mode now requires
systemd-journal-flush.service in the mix to work, as otherwise journald would
never write to the directory.
See: #1397
(cherry picked from commit f78273c8dacf678cc8fd7387f678e6344a99405c)
---
src/journal/journald-server.c | 21 +++++++++++----------
src/journal/journald-server.h | 2 +-
src/journal/journald.c | 2 +-
3 files changed, 13 insertions(+), 12 deletions(-)
diff --git a/src/journal/journald-server.c b/src/journal/journald-server.c
index 1d2fce8dc7..ced0ad6f21 100644
--- a/src/journal/journald-server.c
+++ b/src/journal/journald-server.c
@@ -283,17 +283,16 @@ static int open_journal(
}
static bool flushed_flag_is_set(void) {
- return (access("/run/systemd/journal/flushed", F_OK) >= 0);
+ return access("/run/systemd/journal/flushed", F_OK) >= 0;
}
static int system_journal_open(Server *s, bool flush_requested) {
- bool flushed = false;
const char *fn;
int r = 0;
if (!s->system_journal &&
- (s->storage == STORAGE_PERSISTENT || s->storage == STORAGE_AUTO) &&
- (flush_requested || (flushed = flushed_flag_is_set()))) {
+ IN_SET(s->storage, STORAGE_PERSISTENT, STORAGE_AUTO) &&
+ (flush_requested || flushed_flag_is_set())) {
/* If in auto mode: first try to create the machine
* path, but not the prefix.
@@ -326,8 +325,8 @@ static int system_journal_open(Server *s, bool flush_requested) {
* Perform an implicit flush to var, leaving the runtime
* journal closed, now that the system journal is back.
*/
- if (s->runtime_journal && flushed)
- (void) server_flush_to_var(s);
+ if (!flush_requested)
+ (void) server_flush_to_var(s, true);
}
if (!s->runtime_journal &&
@@ -1183,7 +1182,7 @@ finish:
dispatch_message_real(s, iovec, n, m, ucred, tv, label, label_len, unit_id, priority, object_pid);
}
-int server_flush_to_var(Server *s) {
+int server_flush_to_var(Server *s, bool require_flag_file) {
sd_id128_t machine;
sd_journal *j = NULL;
char ts[FORMAT_TIMESPAN_MAX];
@@ -1193,13 +1192,15 @@ int server_flush_to_var(Server *s) {
assert(s);
- if (s->storage != STORAGE_AUTO &&
- s->storage != STORAGE_PERSISTENT)
+ if (!IN_SET(s->storage, STORAGE_AUTO, STORAGE_PERSISTENT))
return 0;
if (!s->runtime_journal)
return 0;
+ if (require_flag_file && !flushed_flag_is_set())
+ return 0;
+
(void) system_journal_open(s, true);
if (!s->system_journal)
@@ -1411,7 +1412,7 @@ static int dispatch_sigusr1(sd_event_source *es, const struct signalfd_siginfo *
log_info("Received request to flush runtime journal from PID " PID_FMT, si->ssi_pid);
- (void) server_flush_to_var(s);
+ (void) server_flush_to_var(s, false);
server_sync(s);
server_vacuum(s, false);
diff --git a/src/journal/journald-server.h b/src/journal/journald-server.h
index 99d91496be..de1c48f805 100644
--- a/src/journal/journald-server.h
+++ b/src/journal/journald-server.h
@@ -197,7 +197,7 @@ void server_sync(Server *s);
int server_vacuum(Server *s, bool verbose);
void server_rotate(Server *s);
int server_schedule_sync(Server *s, int priority);
-int server_flush_to_var(Server *s);
+int server_flush_to_var(Server *s, bool require_flag_file);
void server_maybe_append_tags(Server *s);
int server_process_datagram(sd_event_source *es, int fd, uint32_t revents, void *userdata);
void server_space_usage_message(Server *s, JournalStorage *storage);
diff --git a/src/journal/journald.c b/src/journal/journald.c
index 7f47ca22dd..9ac21457f6 100644
--- a/src/journal/journald.c
+++ b/src/journal/journald.c
@@ -52,7 +52,7 @@ int main(int argc, char *argv[]) {
goto finish;
server_vacuum(&server, false);
- server_flush_to_var(&server);
+ server_flush_to_var(&server, true);
server_flush_dev_kmsg(&server);
log_debug("systemd-journald running as pid "PID_FMT, getpid());

2118
0051-tree-wide-drop-NULL-sentinel-from-strjoin.patch
View File

File diff suppressed because it is too large Load Diff

869
0052-core-add-new-RestrictNamespaces-unit-file-setting.patch
View File

@ -1,869 +0,0 @@
From d262fb5809de27d51e9d6b97c6b114804c2b95c5 Mon Sep 17 00:00:00 2001
From: Lennart Poettering <lennart@poettering.net>
Date: Tue, 1 Nov 2016 20:25:19 -0600
Subject: [PATCH] core: add new RestrictNamespaces= unit file setting
This new setting permits restricting whether namespaces may be created and
managed by processes started by a unit. It installs a seccomp filter blocking
certain invocations of unshare(), clone() and setns().
RestrictNamespaces=no is the default, and does not restrict namespaces in any
way. RestrictNamespaces=yes takes away the ability to create or manage any kind
of namspace. "RestrictNamespaces=mnt ipc" restricts the creation of namespaces
so that only mount and IPC namespaces may be created/managed, but no other
kind of namespaces.
This setting should be improve security quite a bit as in particular user
namespacing was a major source of CVEs in the kernel in the past, and is
accessible to unprivileged processes. With this setting the entire attack
surface may be removed for system services that do not make use of namespaces.
(cherry picked from commit add005357d535681c7075ced8eec2b6e61b43728)
---
Makefile.am | 4 +-
TODO | 6 --
man/systemd.exec.xml | 50 +++++++++-----
src/core/dbus-execute.c | 21 ++++++
src/core/execute.c | 30 ++++++++
src/core/execute.h | 9 +++
src/core/load-fragment-gperf.gperf.m4 | 2 +
src/core/load-fragment.c | 49 +++++++++++++
src/core/load-fragment.h | 1 +
src/shared/bus-unit-util.c | 25 +++++++
src/shared/nsflags.c | 126 ++++++++++++++++++++++++++++++++++
src/shared/nsflags.h | 49 +++++++++++++
src/shared/seccomp-util.c | 89 ++++++++++++++++++++++++
src/shared/seccomp-util.h | 2 +
src/test/test-seccomp.c | 94 +++++++++++++++++++++++++
15 files changed, 534 insertions(+), 23 deletions(-)
create mode 100644 src/shared/nsflags.c
create mode 100644 src/shared/nsflags.h
diff --git a/Makefile.am b/Makefile.am
index f2d8bf57f7..1031e797b3 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -1046,7 +1046,9 @@ libshared_la_SOURCES = \
src/shared/tests.h \
src/shared/tests.c \
src/shared/fdset.c \
- src/shared/fdset.h
+ src/shared/fdset.h \
+ src/shared/nsflags.h \
+ src/shared/nsflags.c
if HAVE_UTMP
libshared_la_SOURCES += \
diff --git a/TODO b/TODO
index c8266a549d..164e33708e 100644
--- a/TODO
+++ b/TODO
@@ -59,14 +59,10 @@ Features:
* define gpt header bits to select volatility mode
-* nspawn: mount loopback filesystems with "discard"
-
* ProtectKernelLogs= (drops CAP_SYSLOG, add seccomp for syslog() syscall, and DeviceAllow to /dev/kmsg) in service files
* ProtectClock= (drops CAP_SYS_TIMES, adds seecomp filters for settimeofday, adjtimex), sets DeviceAllow o /dev/rtc
-* ProtectKernelModules= (drops CAP_SYS_MODULE and filters the kmod syscalls)
-
* ProtectTracing= (drops CAP_SYS_PTRACE, blocks ptrace syscall, makes /sys/kernel/tracing go away)
* ProtectMount= (drop mount/umount/pivot_root from seccomp, disallow fuse via DeviceAllow, imply Mountflags=slave)
@@ -88,8 +84,6 @@ Features:
* Add RootImage= for mounting a disk image or file as root directory
-* RestrictNamespaces= or so in services (taking away the ability to create namespaces, with setns, unshare, clone)
-
* make sure the ratelimit object can deal with USEC_INFINITY as way to turn off things
* journalctl: make sure -f ends when the container indicated by -M terminates
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index 3c350df11f..33bca1bfb0 100644
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -1234,22 +1234,16 @@
<varlistentry>
<term><varname>NoNewPrivileges=</varname></term>
- <listitem><para>Takes a boolean argument. If true, ensures that the service
- process and all its children can never gain new privileges. This option is more
- powerful than the respective secure bits flags (see above), as it also prohibits
- UID changes of any kind. This is the simplest and most effective way to ensure that
- a process and its children can never elevate privileges again. Defaults to false,
- but in the user manager instance certain settings force
- <varname>NoNewPrivileges=yes</varname>, ignoring the value of this setting.
- Those is the case when <varname>SystemCallFilter=</varname>,
- <varname>SystemCallArchitectures=</varname>,
- <varname>RestrictAddressFamilies=</varname>,
- <varname>PrivateDevices=</varname>,
- <varname>ProtectKernelTunables=</varname>,
- <varname>ProtectKernelModules=</varname>,
- <varname>MemoryDenyWriteExecute=</varname>, or
- <varname>RestrictRealtime=</varname> are specified.
- </para></listitem>
+ <listitem><para>Takes a boolean argument. If true, ensures that the service process and all its children can
+ never gain new privileges through <function>execve()</function> (e.g. via setuid or setgid bits, or filesystem
+ capabilities). This is the simplest and most effective way to ensure that a process and its children can never
+ elevate privileges again. Defaults to false, but in the user manager instance certain settings force
+ <varname>NoNewPrivileges=yes</varname>, ignoring the value of this setting. This is the case when
+ <varname>SystemCallFilter=</varname>, <varname>SystemCallArchitectures=</varname>,
+ <varname>RestrictAddressFamilies=</varname>, <varname>RestrictNamespaces=</varname>,
+ <varname>PrivateDevices=</varname>, <varname>ProtectKernelTunables=</varname>,
+ <varname>ProtectKernelModules=</varname>, <varname>MemoryDenyWriteExecute=</varname>, or
+ <varname>RestrictRealtime=</varname> are specified.</para></listitem>
</varlistentry>
<varlistentry>
@@ -1462,6 +1456,30 @@
logging. This does not affect commands prefixed with <literal>+</literal>.</para></listitem>
</varlistentry>
+ <varlistentry>
+ <term><varname>RestrictNamespaces=</varname></term>
+
+ <listitem><para>Restricts access to Linux namespace functionality for the processes of this unit. For details
+ about Linux namespaces, see
+ <citerefentry><refentrytitle>namespaces</refentrytitle><manvolnum>7</manvolnum></citerefentry>. Either takes a
+ boolean argument, or a space-separated list of namespace type identifiers. If false (the default), no
+ restrictions on namespace creation and switching are made. If true, access to any kind of namespacing is
+ prohibited. Otherwise, a space-separated list of namespace type identifiers must be specified, consisting of
+ any combination of: <constant>cgroup</constant>, <constant>ipc</constant>, <constant>net</constant>,
+ <constant>mnt</constant>, <constant>pid</constant>, <constant>user</constant> and <constant>uts</constant>. Any
+ namespace type listed is made accessible to the unit's processes, access to namespace types not listed is
+ prohibited (whitelisting). By prepending the list with a single tilda character (<literal>~</literal>) the
+ effect may be inverted: only the listed namespace types will be made inaccessible, all unlisted ones are
+ permitted (blacklisting). If the empty string is assigned, the default namespace restrictions are applied,
+ which is equivalent to false. Internally, this setting limits access to the
+ <citerefentry><refentrytitle>unshare</refentrytitle><manvolnum>2</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>clone</refentrytitle><manvolnum>2</manvolnum></citerefentry> and
+ <citerefentry><refentrytitle>setns</refentrytitle><manvolnum>2</manvolnum></citerefentry> system calls, taking
+ the specified flags parameters into account. Note that — if this option is used — in addition to restricting
+ creation and switching of the specified types of namespaces (or all of them, if true) access to the
+ <function>setns()</function> system call with a zero flags parameter is prohibited.</para></listitem>
+ </varlistentry>
+
<varlistentry>
<term><varname>ProtectKernelModules=</varname></term>
diff --git a/src/core/dbus-execute.c b/src/core/dbus-execute.c
index 03f23780c1..d7bb0496a0 100644
--- a/src/core/dbus-execute.c
+++ b/src/core/dbus-execute.c
@@ -781,6 +781,7 @@ const sd_bus_vtable bus_exec_vtable[] = {
SD_BUS_PROPERTY("RuntimeDirectory", "as", NULL, offsetof(ExecContext, runtime_directory), SD_BUS_VTABLE_PROPERTY_CONST),
SD_BUS_PROPERTY("MemoryDenyWriteExecute", "b", bus_property_get_bool, offsetof(ExecContext, memory_deny_write_execute), SD_BUS_VTABLE_PROPERTY_CONST),
SD_BUS_PROPERTY("RestrictRealtime", "b", bus_property_get_bool, offsetof(ExecContext, restrict_realtime), SD_BUS_VTABLE_PROPERTY_CONST),
+ SD_BUS_PROPERTY("RestrictNamespace", "t", bus_property_get_ulong, offsetof(ExecContext, restrict_namespaces), SD_BUS_VTABLE_PROPERTY_CONST),
SD_BUS_VTABLE_END
};
@@ -1591,7 +1592,27 @@ int bus_exec_context_set_transient_property(
}
return 1;
+ } else if (streq(name, "RestrictNamespaces")) {
+ uint64_t flags;
+ r = sd_bus_message_read(message, "t", &flags);
+ if (r < 0)
+ return r;
+ if ((flags & NAMESPACE_FLAGS_ALL) != flags)
+ return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Unknown namespace types");
+
+ if (mode != UNIT_CHECK) {
+ _cleanup_free_ char *s = NULL;
+
+ r = namespace_flag_to_string_many(flags, &s);
+ if (r < 0)
+ return r;
+
+ c->restrict_namespaces = flags;
+ unit_write_drop_in_private_format(u, mode, name, "%s=%s", name, s);
+ }
+
+ return 1;
}
ri = rlimit_from_string(name);
diff --git a/src/core/execute.c b/src/core/execute.c
index 224382b581..59ce0774c4 100644
--- a/src/core/execute.c
+++ b/src/core/execute.c
@@ -1534,6 +1534,18 @@ static int apply_private_devices(const Unit *u, const ExecContext *c) {
return seccomp_load_filter_set(SCMP_ACT_ALLOW, syscall_filter_sets + SYSCALL_FILTER_SET_RAW_IO, SCMP_ACT_ERRNO(EPERM));
}
+static int apply_restrict_namespaces(Unit *u, const ExecContext *c) {
+ assert(c);
+
+ if (!exec_context_restrict_namespaces_set(c))
+ return 0;
+
+ if (skip_seccomp_unavailable(u, "RestrictNamespaces="))
+ return 0;
+
+ return seccomp_restrict_namespaces(c->restrict_namespaces);
+}
+
#endif
static void do_idle_pipe_dance(int idle_pipe[4]) {
@@ -2183,6 +2195,7 @@ static bool context_has_no_new_privileges(const ExecContext *c) {
return context_has_address_families(c) || /* we need NNP if we have any form of seccomp and are unprivileged */
c->memory_deny_write_execute ||
c->restrict_realtime ||
+ exec_context_restrict_namespaces_set(c) ||
c->protect_kernel_tunables ||
c->protect_kernel_modules ||
c->private_devices ||
@@ -2764,6 +2777,12 @@ static int exec_child(
}
}
+ r = apply_restrict_namespaces(unit, context);
+ if (r < 0) {
+ *exit_status = EXIT_SECCOMP;
+ return r;
+ }
+
if (context->protect_kernel_tunables) {
r = apply_protect_sysctl(unit, context);
if (r < 0) {
@@ -2947,6 +2966,7 @@ void exec_context_init(ExecContext *c) {
c->personality = PERSONALITY_INVALID;
c->runtime_directory_mode = 0755;
c->capability_bounding_set = CAP_ALL;
+ c->restrict_namespaces = NAMESPACE_FLAGS_ALL;
}
void exec_context_done(ExecContext *c) {
@@ -3244,6 +3264,7 @@ static void strv_fprintf(FILE *f, char **l) {
void exec_context_dump(ExecContext *c, FILE* f, const char *prefix) {
char **e, **d;
unsigned i;
+ int r;
assert(c);
assert(f);
@@ -3524,6 +3545,15 @@ void exec_context_dump(ExecContext *c, FILE* f, const char *prefix) {
fputc('\n', f);
}
+ if (exec_context_restrict_namespaces_set(c)) {
+ _cleanup_free_ char *s = NULL;
+
+ r = namespace_flag_to_string_many(c->restrict_namespaces, &s);
+ if (r >= 0)
+ fprintf(f, "%sRestrictNamespaces: %s\n",
+ prefix, s);
+ }
+
if (c->syscall_errno > 0)
fprintf(f,
"%sSystemCallErrorNumber: %s\n",
diff --git a/src/core/execute.h b/src/core/execute.h
index c7d0f7761e..56f880cffe 100644
--- a/src/core/execute.h
+++ b/src/core/execute.h
@@ -35,6 +35,7 @@ typedef struct ExecParameters ExecParameters;
#include "list.h"
#include "missing.h"
#include "namespace.h"
+#include "nsflags.h"
typedef enum ExecUtmpMode {
EXEC_UTMP_INIT,
@@ -195,6 +196,8 @@ struct ExecContext {
unsigned long personality;
+ unsigned long restrict_namespaces; /* The CLONE_NEWxyz flags permitted to the unit's processes */
+
Set *syscall_filter;
Set *syscall_archs;
int syscall_errno;
@@ -216,6 +219,12 @@ struct ExecContext {
bool no_new_privileges_set:1;
};
+static inline bool exec_context_restrict_namespaces_set(const ExecContext *c) {
+ assert(c);
+
+ return (c->restrict_namespaces & NAMESPACE_FLAGS_ALL) != NAMESPACE_FLAGS_ALL;
+}
+
typedef enum ExecFlags {
EXEC_CONFIRM_SPAWN = 1U << 0,
EXEC_APPLY_PERMISSIONS = 1U << 1,
diff --git a/src/core/load-fragment-gperf.gperf.m4 b/src/core/load-fragment-gperf.gperf.m4
index af2f9d960b..cb2f384f47 100644
--- a/src/core/load-fragment-gperf.gperf.m4
+++ b/src/core/load-fragment-gperf.gperf.m4
@@ -57,12 +57,14 @@ m4_ifdef(`HAVE_SECCOMP',
$1.SystemCallArchitectures, config_parse_syscall_archs, 0, offsetof($1, exec_context.syscall_archs)
$1.SystemCallErrorNumber, config_parse_syscall_errno, 0, offsetof($1, exec_context)
$1.MemoryDenyWriteExecute, config_parse_bool, 0, offsetof($1, exec_context.memory_deny_write_execute)
+$1.RestrictNamespaces, config_parse_restrict_namespaces, 0, offsetof($1, exec_context.restrict_namespaces)
$1.RestrictRealtime, config_parse_bool, 0, offsetof($1, exec_context.restrict_realtime)
$1.RestrictAddressFamilies, config_parse_address_families, 0, offsetof($1, exec_context)',
`$1.SystemCallFilter, config_parse_warn_compat, DISABLED_CONFIGURATION, 0
$1.SystemCallArchitectures, config_parse_warn_compat, DISABLED_CONFIGURATION, 0
$1.SystemCallErrorNumber, config_parse_warn_compat, DISABLED_CONFIGURATION, 0
$1.MemoryDenyWriteExecute, config_parse_warn_compat, DISABLED_CONFIGURATION, 0
+$1.RestrictNamespaces, config_parse_warn_compat, DISABLED_CONFIGURATION, 0
$1.RestrictRealtime, config_parse_warn_compat, DISABLED_CONFIGURATION, 0
$1.RestrictAddressFamilies, config_parse_warn_compat, DISABLED_CONFIGURATION, 0')
$1.LimitCPU, config_parse_limit, RLIMIT_CPU, offsetof($1, exec_context.rlimit)
diff --git a/src/core/load-fragment.c b/src/core/load-fragment.c
index cbc826809e..e0fa484c1e 100644
--- a/src/core/load-fragment.c
+++ b/src/core/load-fragment.c
@@ -2905,6 +2905,54 @@ int config_parse_address_families(
if (!isempty(state))
log_syntax(unit, LOG_ERR, filename, line, 0, "Trailing garbage, ignoring.");
+ return 0;
+}
+
+int config_parse_restrict_namespaces(
+ const char *unit,
+ const char *filename,
+ unsigned line,
+ const char *section,
+ unsigned section_line,
+ const char *lvalue,
+ int ltype,
+ const char *rvalue,
+ void *data,
+ void *userdata) {
+
+ ExecContext *c = data;
+ bool invert = false;
+ int r;
+
+ if (isempty(rvalue)) {
+ /* Reset to the default. */
+ c->restrict_namespaces = NAMESPACE_FLAGS_ALL;
+ return 0;
+ }
+
+ if (rvalue[0] == '~') {
+ invert = true;
+ rvalue++;
+ }
+
+ r = parse_boolean(rvalue);
+ if (r > 0)
+ c->restrict_namespaces = 0;
+ else if (r == 0)
+ c->restrict_namespaces = NAMESPACE_FLAGS_ALL;
+ else {
+ /* Not a boolean argument, in this case it's a list of namespace types. */
+
+ r = namespace_flag_from_string_many(rvalue, &c->restrict_namespaces);
+ if (r < 0) {
+ log_syntax(unit, LOG_ERR, filename, line, r, "Failed to parse namespace type string, ignoring: %s", rvalue);
+ return 0;
+ }
+ }
+
+ if (invert)
+ c->restrict_namespaces = (~c->restrict_namespaces) & NAMESPACE_FLAGS_ALL;
+
return 0;
}
#endif
@@ -4327,6 +4375,7 @@ void unit_dump_config_items(FILE *f) {
{ config_parse_syscall_archs, "ARCHS" },
{ config_parse_syscall_errno, "ERRNO" },
{ config_parse_address_families, "FAMILIES" },
+ { config_parse_restrict_namespaces, "NAMESPACES" },
#endif
{ config_parse_cpu_shares, "SHARES" },
{ config_parse_cpu_weight, "WEIGHT" },
diff --git a/src/core/load-fragment.h b/src/core/load-fragment.h
index c05f205c37..1cff815a50 100644
--- a/src/core/load-fragment.h
+++ b/src/core/load-fragment.h
@@ -116,6 +116,7 @@ int config_parse_fdname(const char *unit, const char *filename, unsigned line, c
int config_parse_sec_fix_0(const char *unit, const char *filename, unsigned line, const char *section, unsigned section_line, const char *lvalue, int ltype, const char *rvalue, void *data, void *userdata);
int config_parse_user_group(const char *unit, const char *filename, unsigned line, const char *section, unsigned section_line, const char *lvalue, int ltype, const char *rvalue, void *data, void *userdata);
int config_parse_user_group_strv(const char *unit, const char *filename, unsigned line, const char *section, unsigned section_line, const char *lvalue, int ltype, const char *rvalue, void *data, void *userdata);
+int config_parse_restrict_namespaces(const char *unit, const char *filename, unsigned line, const char *section, unsigned section_line, const char *lvalue, int ltype, const char *rvalue, void *data, void *userdata);
/* gperf prototypes */
const struct ConfigPerfItem* load_fragment_gperf_lookup(const char *key, unsigned length);
diff --git a/src/shared/bus-unit-util.c b/src/shared/bus-unit-util.c
index f639e0e832..35e2c8f18e 100644
--- a/src/shared/bus-unit-util.c
+++ b/src/shared/bus-unit-util.c
@@ -27,6 +27,7 @@
#include "hashmap.h"
#include "list.h"
#include "locale-util.h"
+#include "nsflags.h"
#include "parse-util.h"
#include "path-util.h"
#include "process-util.h"
@@ -553,6 +554,30 @@ int bus_append_unit_property_assignment(sd_bus_message *m, const char *assignmen
r = sd_bus_message_close_container(m);
+ } else if (streq(field, "RestrictNamespaces")) {
+ bool invert = false;
+ uint64_t flags = 0;
+
+ if (eq[0] == '~') {
+ invert = true;
+ eq++;
+ }
+
+ r = parse_boolean(eq);
+ if (r > 0)
+ flags = 0;
+ else if (r == 0)
+ flags = NAMESPACE_FLAGS_ALL;
+ else {
+ r = namespace_flag_from_string_many(eq, &flags);
+ if (r < 0)
+ return log_error_errno(r, "Failed to parse %s value %s.", field, eq);
+ }
+
+ if (invert)
+ flags = (~flags) & NAMESPACE_FLAGS_ALL;
+
+ r = sd_bus_message_append(m, "v", "t", flags);
} else {
log_error("Unknown assignment %s.", assignment);
return -EINVAL;
diff --git a/src/shared/nsflags.c b/src/shared/nsflags.c
new file mode 100644
index 0000000000..8fcbe97ba7
--- /dev/null
+++ b/src/shared/nsflags.c
@@ -0,0 +1,126 @@
+/***
+ This file is part of systemd.
+
+ Copyright 2016 Lennart Poettering
+
+ systemd is free software; you can redistribute it and/or modify it
+ under the terms of the GNU Lesser General Public License as published by
+ the Free Software Foundation; either version 2.1 of the License, or
+ (at your option) any later version.
+
+ systemd is distributed in the hope that it will be useful, but
+ WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public License
+ along with systemd; If not, see <http://www.gnu.org/licenses/>.
+***/
+
+#include <sched.h>
+
+#include "alloc-util.h"
+#include "extract-word.h"
+#include "nsflags.h"
+#include "seccomp-util.h"
+#include "string-util.h"
+
+const struct namespace_flag_map namespace_flag_map[] = {
+ { CLONE_NEWCGROUP, "cgroup" },
+ { CLONE_NEWIPC, "ipc" },
+ { CLONE_NEWNET, "net" },
+ /* So, the mount namespace flag is called CLONE_NEWNS for historical reasons. Let's expose it here under a more
+ * explanatory name: "mnt". This is in-line with how the kernel exposes namespaces in /proc/$PID/ns. */
+ { CLONE_NEWNS, "mnt" },
+ { CLONE_NEWPID, "pid" },
+ { CLONE_NEWUSER, "user" },
+ { CLONE_NEWUTS, "uts" },
+ {}
+};
+
+const char* namespace_flag_to_string(unsigned long flag) {
+ unsigned i;
+
+ flag &= NAMESPACE_FLAGS_ALL;
+
+ for (i = 0; namespace_flag_map[i].name; i++)
+ if (flag == namespace_flag_map[i].flag)
+ return namespace_flag_map[i].name;
+
+ return NULL; /* either unknown namespace flag, or a combination of many. This call supports neither. */
+}
+
+unsigned long namespace_flag_from_string(const char *name) {
+ unsigned i;
+
+ if (isempty(name))
+ return 0;
+
+ for (i = 0; namespace_flag_map[i].name; i++)
+ if (streq(name, namespace_flag_map[i].name))
+ return namespace_flag_map[i].flag;
+
+ return 0;
+}
+
+int namespace_flag_from_string_many(const char *name, unsigned long *ret) {
+ unsigned long flags = 0;
+ int r;
+
+ assert_se(ret);
+
+ if (!name) {
+ *ret = 0;
+ return 0;
+ }
+
+ for (;;) {
+ _cleanup_free_ char *word = NULL;
+ unsigned long f;
+
+ r = extract_first_word(&name, &word, NULL, 0);
+ if (r < 0)
+ return r;
+ if (r == 0)
+ break;
+
+ f = namespace_flag_from_string(word);
+ if (f == 0)
+ return -EINVAL;
+
+ flags |= f;
+ }
+
+ *ret = flags;
+ return 0;
+}
+
+int namespace_flag_to_string_many(unsigned long flags, char **ret) {
+ _cleanup_free_ char *s = NULL;
+ unsigned i;
+
+ for (i = 0; namespace_flag_map[i].name; i++) {
+ if ((flags & namespace_flag_map[i].flag) != namespace_flag_map[i].flag)
+ continue;
+
+ if (!s) {
+ s = strdup(namespace_flag_map[i].name);
+ if (!s)
+ return -ENOMEM;
+ } else {
+ if (!strextend(&s, " ", namespace_flag_map[i].name, NULL))
+ return -ENOMEM;
+ }
+ }
+
+ if (!s) {
+ s = strdup("");
+ if (!s)
+ return -ENOMEM;
+ }
+
+ *ret = s;
+ s = NULL;
+
+ return 0;
+}
diff --git a/src/shared/nsflags.h b/src/shared/nsflags.h
new file mode 100644
index 0000000000..152ab8b936
--- /dev/null
+++ b/src/shared/nsflags.h
@@ -0,0 +1,49 @@
+#pragma once
+
+/***
+ This file is part of systemd.
+
+ Copyright 2016 Lennart Poettering
+
+ systemd is free software; you can redistribute it and/or modify it
+ under the terms of the GNU Lesser General Public License as published by
+ the Free Software Foundation; either version 2.1 of the License, or
+ (at your option) any later version.
+
+ systemd is distributed in the hope that it will be useful, but
+ WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public License
+ along with systemd; If not, see <http://www.gnu.org/licenses/>.
+***/
+
+#include <sched.h>
+
+#include "missing.h"
+
+/* The combination of all namespace flags defined by the kernel. The right type for this isn't clear. setns() and
+ * unshare() expect these flags to be passed as (signed) "int", while clone() wants them as "unsigned long". The latter
+ * is definitely more appropriate for a flags parameter, and also the larger type of the two, hence let's stick to that
+ * here. */
+#define NAMESPACE_FLAGS_ALL \
+ ((unsigned long) (CLONE_NEWCGROUP| \
+ CLONE_NEWIPC| \
+ CLONE_NEWNET| \
+ CLONE_NEWNS| \
+ CLONE_NEWPID| \
+ CLONE_NEWUSER| \
+ CLONE_NEWUTS))
+
+const char* namespace_flag_to_string(unsigned long flag);
+unsigned long namespace_flag_from_string(const char *name);
+int namespace_flag_from_string_many(const char *name, unsigned long *ret);
+int namespace_flag_to_string_many(unsigned long flags, char **ret);
+
+struct namespace_flag_map {
+ unsigned long flag;
+ const char *name;
+};
+
+extern const struct namespace_flag_map namespace_flag_map[];
diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c
index c9b24f1065..55b97e1efb 100644
--- a/src/shared/seccomp-util.c
+++ b/src/shared/seccomp-util.c
@@ -23,7 +23,9 @@
#include <sys/prctl.h>
#include <linux/seccomp.h>
+#include "alloc-util.h"
#include "macro.h"
+#include "nsflags.h"
#include "seccomp-util.h"
#include "string-util.h"
#include "util.h"
@@ -574,5 +576,92 @@ int seccomp_load_filter_set(uint32_t default_action, const SyscallFilterSet *set
finish:
seccomp_release(seccomp);
return r;
+}
+
+int seccomp_restrict_namespaces(unsigned long retain) {
+ scmp_filter_ctx seccomp;
+ unsigned i;
+ int r;
+
+ if (log_get_max_level() >= LOG_DEBUG) {
+ _cleanup_free_ char *s = NULL;
+
+ (void) namespace_flag_to_string_many(retain, &s);
+ log_debug("Restricting namespace to: %s.", strna(s));
+ }
+
+ /* NOOP? */
+ if ((retain & NAMESPACE_FLAGS_ALL) == NAMESPACE_FLAGS_ALL)
+ return 0;
+
+ r = seccomp_init_conservative(&seccomp, SCMP_ACT_ALLOW);
+ if (r < 0)
+ return r;
+
+ if ((retain & NAMESPACE_FLAGS_ALL) == 0)
+ /* If every single kind of namespace shall be prohibited, then let's block the whole setns() syscall
+ * altogether. */
+ r = seccomp_rule_add(
+ seccomp,
+ SCMP_ACT_ERRNO(EPERM),
+ SCMP_SYS(setns),
+ 0);
+ else
+ /* Otherwise, block only the invocations with the appropriate flags in the loop below, but also the
+ * special invocation with a zero flags argument, right here. */
+ r = seccomp_rule_add(
+ seccomp,
+ SCMP_ACT_ERRNO(EPERM),
+ SCMP_SYS(setns),
+ 1,
+ SCMP_A1(SCMP_CMP_EQ, 0));
+ if (r < 0)
+ goto finish;
+
+ for (i = 0; namespace_flag_map[i].name; i++) {
+ unsigned long f;
+
+ f = namespace_flag_map[i].flag;
+ if ((retain & f) == f) {
+ log_debug("Permitting %s.", namespace_flag_map[i].name);
+ continue;
+ }
+
+ log_debug("Blocking %s.", namespace_flag_map[i].name);
+
+ r = seccomp_rule_add(
+ seccomp,
+ SCMP_ACT_ERRNO(EPERM),
+ SCMP_SYS(unshare),
+ 1,
+ SCMP_A0(SCMP_CMP_MASKED_EQ, f, f));
+ if (r < 0)
+ goto finish;
+
+ r = seccomp_rule_add(
+ seccomp,
+ SCMP_ACT_ERRNO(EPERM),
+ SCMP_SYS(clone),
+ 1,
+ SCMP_A0(SCMP_CMP_MASKED_EQ, f, f));
+ if (r < 0)
+ goto finish;
+
+ if ((retain & NAMESPACE_FLAGS_ALL) != 0) {
+ r = seccomp_rule_add(
+ seccomp,
+ SCMP_ACT_ERRNO(EPERM),
+ SCMP_SYS(setns),
+ 1,
+ SCMP_A1(SCMP_CMP_MASKED_EQ, f, f));
+ if (r < 0)
+ goto finish;
+ }
+ }
+
+ r = seccomp_load(seccomp);
+finish:
+ seccomp_release(seccomp);
+ return r;
}
diff --git a/src/shared/seccomp-util.h b/src/shared/seccomp-util.h
index 8e209efef2..e325dab628 100644
--- a/src/shared/seccomp-util.h
+++ b/src/shared/seccomp-util.h
@@ -64,3 +64,5 @@ const SyscallFilterSet *syscall_filter_set_find(const char *name);
int seccomp_add_syscall_filter_set(scmp_filter_ctx seccomp, const SyscallFilterSet *set, uint32_t action);
int seccomp_load_filter_set(uint32_t default_action, const SyscallFilterSet *set, uint32_t action);
+
+int seccomp_restrict_namespaces(unsigned long retain);
diff --git a/src/test/test-seccomp.c b/src/test/test-seccomp.c
index 43d1567288..beb6a7f422 100644
--- a/src/test/test-seccomp.c
+++ b/src/test/test-seccomp.c
@@ -20,10 +20,15 @@
#include <stdlib.h>
#include <sys/eventfd.h>
#include <unistd.h>
+#include <sched.h>
+#include "alloc-util.h"
#include "fd-util.h"
#include "macro.h"
+#include "missing.h"
+#include "nsflags.h"
#include "process-util.h"
+#include "raw-clone.h"
#include "seccomp-util.h"
#include "string-util.h"
#include "util.h"
@@ -125,12 +130,101 @@ static void test_filter_sets(void) {
}
}
+static void test_restrict_namespace(void) {
+ _cleanup_free_ char *s = NULL;
+ pid_t pid;
+ unsigned long ul;
+
+ assert_se(namespace_flag_to_string(0) == NULL);
+ assert_se(streq(namespace_flag_to_string(CLONE_NEWNS), "mnt"));
+ assert_se(namespace_flag_to_string(CLONE_NEWNS|CLONE_NEWIPC) == NULL);
+ assert_se(streq(namespace_flag_to_string(CLONE_NEWCGROUP), "cgroup"));
+
+ assert_se(namespace_flag_from_string("mnt") == CLONE_NEWNS);
+ assert_se(namespace_flag_from_string(NULL) == 0);
+ assert_se(namespace_flag_from_string("") == 0);
+ assert_se(namespace_flag_from_string("uts") == CLONE_NEWUTS);
+ assert_se(namespace_flag_from_string(namespace_flag_to_string(CLONE_NEWUTS)) == CLONE_NEWUTS);
+ assert_se(streq(namespace_flag_to_string(namespace_flag_from_string("ipc")), "ipc"));
+
+ assert_se(namespace_flag_from_string_many(NULL, &ul) == 0 && ul == 0);
+ assert_se(namespace_flag_from_string_many("", &ul) == 0 && ul == 0);
+ assert_se(namespace_flag_from_string_many("mnt uts ipc", &ul) == 0 && ul == (CLONE_NEWNS|CLONE_NEWUTS|CLONE_NEWIPC));
+
+ assert_se(namespace_flag_to_string_many(NAMESPACE_FLAGS_ALL, &s) == 0);
+ assert_se(streq(s, "cgroup ipc net mnt pid user uts"));
+ assert_se(namespace_flag_from_string_many(s, &ul) == 0 && ul == NAMESPACE_FLAGS_ALL);
+
+ if (!is_seccomp_available())
+ return;
+
+ if (geteuid() != 0)
+ return;
+
+ pid = fork();
+ assert_se(pid >= 0);
+
+ if (pid == 0) {
+
+ assert_se(seccomp_restrict_namespaces(CLONE_NEWNS|CLONE_NEWNET) >= 0);
+
+ assert_se(unshare(CLONE_NEWNS) == 0);
+ assert_se(unshare(CLONE_NEWNET) == 0);
+ assert_se(unshare(CLONE_NEWUTS) == -1);
+ assert_se(errno == EPERM);
+ assert_se(unshare(CLONE_NEWIPC) == -1);
+ assert_se(errno == EPERM);
+ assert_se(unshare(CLONE_NEWNET|CLONE_NEWUTS) == -1);
+ assert_se(errno == EPERM);
+
+ /* We use fd 0 (stdin) here, which of course will fail with EINVAL on setns(). Except of course our
+ * seccomp filter worked, and hits first and makes it return EPERM */
+ assert_se(setns(0, CLONE_NEWNS) == -1);
+ assert_se(errno == EINVAL);
+ assert_se(setns(0, CLONE_NEWNET) == -1);
+ assert_se(errno == EINVAL);
+ assert_se(setns(0, CLONE_NEWUTS) == -1);
+ assert_se(errno == EPERM);
+ assert_se(setns(0, CLONE_NEWIPC) == -1);
+ assert_se(errno == EPERM);
+ assert_se(setns(0, CLONE_NEWNET|CLONE_NEWUTS) == -1);
+ assert_se(errno == EPERM);
+ assert_se(setns(0, 0) == -1);
+ assert_se(errno == EPERM);
+
+ pid = raw_clone(CLONE_NEWNS);
+ assert_se(pid >= 0);
+ if (pid == 0)
+ _exit(EXIT_SUCCESS);
+ pid = raw_clone(CLONE_NEWNET);
+ assert_se(pid >= 0);
+ if (pid == 0)
+ _exit(EXIT_SUCCESS);
+ pid = raw_clone(CLONE_NEWUTS);
+ assert_se(pid < 0);
+ assert_se(errno == EPERM);
+ pid = raw_clone(CLONE_NEWIPC);
+ assert_se(pid < 0);
+ assert_se(errno == EPERM);
+ pid = raw_clone(CLONE_NEWNET|CLONE_NEWUTS);
+ assert_se(pid < 0);
+ assert_se(errno == EPERM);
+
+ _exit(EXIT_SUCCESS);
+ }
+
+ assert_se(wait_for_terminate_and_warn("nsseccomp", pid, true) == EXIT_SUCCESS);
+}
+
int main(int argc, char *argv[]) {
+ log_set_max_level(LOG_DEBUG);
+
test_seccomp_arch_to_string();
test_architecture_table();
test_syscall_filter_set_find();
test_filter_sets();
+ test_restrict_namespace();
return 0;
}

2018
0053-seccomp-rework-seccomp-code-to-improve-compat-with-s.patch
View File

File diff suppressed because it is too large Load Diff

300
0054-build-sys-add-check-for-gperf-lookup-function-signat.patch
View File

@ -1,300 +0,0 @@
From 79a5d862a7abe903f456a75d6d1ca3c11adfa379 Mon Sep 17 00:00:00 2001
From: Mike Gilbert <floppymaster@gmail.com>
Date: Tue, 10 Jan 2017 02:39:05 -0500
Subject: [PATCH] build-sys: add check for gperf lookup function signature
(#5055)
gperf-3.1 generates lookup functions that take a size_t length
parameter instead of unsigned int. Test for this at configure time.
Fixes: https://github.com/systemd/systemd/issues/5039
(cherry picked from commit c9f7b4d356a453a01aa77a6bb74ca7ef49732c08)
---
configure.ac | 22 ++++++++++++++++++++++
src/basic/af-list.c | 2 +-
src/basic/arphrd-list.c | 2 +-
src/basic/cap-list.c | 2 +-
src/basic/errno-list.c | 2 +-
src/core/load-fragment.h | 2 +-
src/journal/journald-server.h | 2 +-
src/login/logind.h | 2 +-
src/network/networkd-conf.h | 2 +-
src/network/networkd-netdev.h | 2 +-
src/network/networkd-network.h | 2 +-
src/nspawn/nspawn-settings.h | 2 +-
src/resolve/dns-type.c | 2 +-
src/resolve/resolved-conf.h | 2 +-
src/test/test-af-list.c | 2 +-
src/test/test-arphrd-list.c | 2 +-
src/timesync/timesyncd-conf.h | 2 +-
src/udev/net/link-config.h | 2 +-
src/udev/udev-builtin-keyboard.c | 2 +-
19 files changed, 40 insertions(+), 18 deletions(-)
diff --git a/configure.ac b/configure.ac
index 1928e65bde..5c639e32d4 100644
--- a/configure.ac
+++ b/configure.ac
@@ -258,6 +258,28 @@ AC_CHECK_SIZEOF(rlim_t,,[
#include <sys/resource.h>
])
+GPERF_TEST="$(echo foo,bar | ${GPERF} -L ANSI-C)"
+
+AC_COMPILE_IFELSE(
+ [AC_LANG_PROGRAM([
+ #include <string.h>
+ const char * in_word_set(const char *, size_t);
+ $GPERF_TEST]
+ )],
+ [GPERF_LEN_TYPE=size_t],
+ [AC_COMPILE_IFELSE(
+ [AC_LANG_PROGRAM([
+ #include <string.h>
+ const char * in_word_set(const char *, unsigned);
+ $GPERF_TEST]
+ )],
+ [GPERF_LEN_TYPE=unsigned],
+ [AC_MSG_ERROR([** unable to determine gperf len type])]
+ )]
+)
+
+AC_DEFINE_UNQUOTED([GPERF_LEN_TYPE], [$GPERF_LEN_TYPE], [gperf len type])
+
# ------------------------------------------------------------------------------
# we use python to build the man page index
have_python=no
diff --git a/src/basic/af-list.c b/src/basic/af-list.c
index 3fac9c508b..4b291d177b 100644
--- a/src/basic/af-list.c
+++ b/src/basic/af-list.c
@@ -23,7 +23,7 @@
#include "af-list.h"
#include "macro.h"
-static const struct af_name* lookup_af(register const char *str, register unsigned int len);
+static const struct af_name* lookup_af(register const char *str, register GPERF_LEN_TYPE len);
#include "af-from-name.h"
#include "af-to-name.h"
diff --git a/src/basic/arphrd-list.c b/src/basic/arphrd-list.c
index 6792d1ee3f..2d598dc66f 100644
--- a/src/basic/arphrd-list.c
+++ b/src/basic/arphrd-list.c
@@ -23,7 +23,7 @@
#include "arphrd-list.h"
#include "macro.h"
-static const struct arphrd_name* lookup_arphrd(register const char *str, register unsigned int len);
+static const struct arphrd_name* lookup_arphrd(register const char *str, register GPERF_LEN_TYPE len);
#include "arphrd-from-name.h"
#include "arphrd-to-name.h"
diff --git a/src/basic/cap-list.c b/src/basic/cap-list.c
index 3e773a06f5..d68cc78d05 100644
--- a/src/basic/cap-list.c
+++ b/src/basic/cap-list.c
@@ -26,7 +26,7 @@
#include "parse-util.h"
#include "util.h"
-static const struct capability_name* lookup_capability(register const char *str, register unsigned int len);
+static const struct capability_name* lookup_capability(register const char *str, register GPERF_LEN_TYPE len);
#include "cap-from-name.h"
#include "cap-to-name.h"
diff --git a/src/basic/errno-list.c b/src/basic/errno-list.c
index 31b66bad5e..c6a01eec8b 100644
--- a/src/basic/errno-list.c
+++ b/src/basic/errno-list.c
@@ -23,7 +23,7 @@
#include "macro.h"
static const struct errno_name* lookup_errno(register const char *str,
- register unsigned int len);
+ register GPERF_LEN_TYPE len);
#include "errno-from-name.h"
#include "errno-to-name.h"
diff --git a/src/core/load-fragment.h b/src/core/load-fragment.h
index 1cff815a50..e78219786a 100644
--- a/src/core/load-fragment.h
+++ b/src/core/load-fragment.h
@@ -119,7 +119,7 @@ int config_parse_user_group_strv(const char *unit, const char *filename, unsigne
int config_parse_restrict_namespaces(const char *unit, const char *filename, unsigned line, const char *section, unsigned section_line, const char *lvalue, int ltype, const char *rvalue, void *data, void *userdata);
/* gperf prototypes */
-const struct ConfigPerfItem* load_fragment_gperf_lookup(const char *key, unsigned length);
+const struct ConfigPerfItem* load_fragment_gperf_lookup(const char *key, GPERF_LEN_TYPE length);
extern const char load_fragment_gperf_nulstr[];
typedef enum Disabled {
diff --git a/src/journal/journald-server.h b/src/journal/journald-server.h
index de1c48f805..716e758b7c 100644
--- a/src/journal/journald-server.h
+++ b/src/journal/journald-server.h
@@ -179,7 +179,7 @@ void server_dispatch_message(Server *s, struct iovec *iovec, unsigned n, unsigne
void server_driver_message(Server *s, sd_id128_t message_id, const char *format, ...) _printf_(3,0) _sentinel_;
/* gperf lookup function */
-const struct ConfigPerfItem* journald_gperf_lookup(const char *key, unsigned length);
+const struct ConfigPerfItem* journald_gperf_lookup(const char *key, GPERF_LEN_TYPE length);
int config_parse_storage(const char *unit, const char *filename, unsigned line, const char *section, unsigned section_line, const char *lvalue, int ltype, const char *rvalue, void *data, void *userdata);
diff --git a/src/login/logind.h b/src/login/logind.h
index 086fa1eeb5..7556ee2e48 100644
--- a/src/login/logind.h
+++ b/src/login/logind.h
@@ -182,7 +182,7 @@ int manager_unit_is_active(Manager *manager, const char *unit);
int manager_job_is_active(Manager *manager, const char *path);
/* gperf lookup function */
-const struct ConfigPerfItem* logind_gperf_lookup(const char *key, unsigned length);
+const struct ConfigPerfItem* logind_gperf_lookup(const char *key, GPERF_LEN_TYPE length);
int manager_set_lid_switch_ignore(Manager *m, usec_t until);
diff --git a/src/network/networkd-conf.h b/src/network/networkd-conf.h
index c7bfb42a72..00ddb7672a 100644
--- a/src/network/networkd-conf.h
+++ b/src/network/networkd-conf.h
@@ -23,7 +23,7 @@
int manager_parse_config_file(Manager *m);
-const struct ConfigPerfItem* networkd_gperf_lookup(const char *key, unsigned length);
+const struct ConfigPerfItem* networkd_gperf_lookup(const char *key, GPERF_LEN_TYPE length);
int config_parse_duid_type(
const char *unit,
diff --git a/src/network/networkd-netdev.h b/src/network/networkd-netdev.h
index 70ff947b99..37c7431213 100644
--- a/src/network/networkd-netdev.h
+++ b/src/network/networkd-netdev.h
@@ -175,7 +175,7 @@ NetDevKind netdev_kind_from_string(const char *d) _pure_;
int config_parse_netdev_kind(const char *unit, const char *filename, unsigned line, const char *section, unsigned section_line, const char *lvalue, int ltype, const char *rvalue, void *data, void *userdata);
/* gperf */
-const struct ConfigPerfItem* network_netdev_gperf_lookup(const char *key, unsigned length);
+const struct ConfigPerfItem* network_netdev_gperf_lookup(const char *key, GPERF_LEN_TYPE length);
/* Macros which append INTERFACE= to the message */
diff --git a/src/network/networkd-network.h b/src/network/networkd-network.h
index 11ff34b5b5..e39127b7b8 100644
--- a/src/network/networkd-network.h
+++ b/src/network/networkd-network.h
@@ -236,7 +236,7 @@ int config_parse_dhcp_route_table(const char *unit, const char *filename, unsign
/* Legacy IPv4LL support */
int config_parse_ipv4ll(const char *unit, const char *filename, unsigned line, const char *section, unsigned section_line, const char *lvalue, int ltype, const char *rvalue, void *data, void *userdata);
-const struct ConfigPerfItem* network_network_gperf_lookup(const char *key, unsigned length);
+const struct ConfigPerfItem* network_network_gperf_lookup(const char *key, GPERF_LEN_TYPE length);
extern const sd_bus_vtable network_vtable[];
diff --git a/src/nspawn/nspawn-settings.h b/src/nspawn/nspawn-settings.h
index 231e6d7266..4ae34f8e28 100644
--- a/src/nspawn/nspawn-settings.h
+++ b/src/nspawn/nspawn-settings.h
@@ -103,7 +103,7 @@ bool settings_private_network(Settings *s);
DEFINE_TRIVIAL_CLEANUP_FUNC(Settings*, settings_free);
-const struct ConfigPerfItem* nspawn_gperf_lookup(const char *key, unsigned length);
+const struct ConfigPerfItem* nspawn_gperf_lookup(const char *key, GPERF_LEN_TYPE length);
int config_parse_capability(const char *unit, const char *filename, unsigned line, const char *section, unsigned section_line, const char *lvalue, int ltype, const char *rvalue, void *data, void *userdata);
int config_parse_id128(const char *unit, const char *filename, unsigned line, const char *section, unsigned section_line, const char *lvalue, int ltype, const char *rvalue, void *data, void *userdata);
diff --git a/src/resolve/dns-type.c b/src/resolve/dns-type.c
index aaf5ed62c1..d89ae28dcd 100644
--- a/src/resolve/dns-type.c
+++ b/src/resolve/dns-type.c
@@ -29,7 +29,7 @@ typedef const struct {
} dns_type;
static const struct dns_type_name *
-lookup_dns_type (register const char *str, register unsigned int len);
+lookup_dns_type (register const char *str, register GPERF_LEN_TYPE len);
#include "dns_type-from-name.h"
#include "dns_type-to-name.h"
diff --git a/src/resolve/resolved-conf.h b/src/resolve/resolved-conf.h
index fc425a36b2..8184d6cadf 100644
--- a/src/resolve/resolved-conf.h
+++ b/src/resolve/resolved-conf.h
@@ -41,7 +41,7 @@ int manager_parse_search_domains_and_warn(Manager *m, const char *string);
int manager_add_dns_server_by_string(Manager *m, DnsServerType type, const char *word);
int manager_parse_dns_server_string_and_warn(Manager *m, DnsServerType type, const char *string);
-const struct ConfigPerfItem* resolved_gperf_lookup(const char *key, unsigned length);
+const struct ConfigPerfItem* resolved_gperf_lookup(const char *key, GPERF_LEN_TYPE length);
int config_parse_dns_servers(const char *unit, const char *filename, unsigned line, const char *section, unsigned section_line, const char *lvalue, int ltype, const char *rvalue, void *data, void *userdata);
int config_parse_search_domains(const char *unit, const char *filename, unsigned line, const char *section, unsigned section_line, const char *lvalue, int ltype, const char *rvalue, void *data, void *userdata);
diff --git a/src/test/test-af-list.c b/src/test/test-af-list.c
index aeaa0929b1..e2479133de 100644
--- a/src/test/test-af-list.c
+++ b/src/test/test-af-list.c
@@ -24,7 +24,7 @@
#include "string-util.h"
#include "util.h"
-static const struct af_name* lookup_af(register const char *str, register unsigned int len);
+static const struct af_name* lookup_af(register const char *str, register GPERF_LEN_TYPE len);
#include "af-from-name.h"
#include "af-list.h"
diff --git a/src/test/test-arphrd-list.c b/src/test/test-arphrd-list.c
index f3989ad201..8f4f342faa 100644
--- a/src/test/test-arphrd-list.c
+++ b/src/test/test-arphrd-list.c
@@ -24,7 +24,7 @@
#include "string-util.h"
#include "util.h"
-static const struct arphrd_name* lookup_arphrd(register const char *str, register unsigned int len);
+static const struct arphrd_name* lookup_arphrd(register const char *str, register GPERF_LEN_TYPE len);
#include "arphrd-from-name.h"
#include "arphrd-list.h"
diff --git a/src/timesync/timesyncd-conf.h b/src/timesync/timesyncd-conf.h
index cba0724b1b..0280697e9c 100644
--- a/src/timesync/timesyncd-conf.h
+++ b/src/timesync/timesyncd-conf.h
@@ -22,7 +22,7 @@
#include "conf-parser.h"
#include "timesyncd-manager.h"
-const struct ConfigPerfItem* timesyncd_gperf_lookup(const char *key, unsigned length);
+const struct ConfigPerfItem* timesyncd_gperf_lookup(const char *key, GPERF_LEN_TYPE length);
int manager_parse_server_string(Manager *m, ServerType type, const char *string);
diff --git a/src/udev/net/link-config.h b/src/udev/net/link-config.h
index 91cc0357c4..b0d8ceb76a 100644
--- a/src/udev/net/link-config.h
+++ b/src/udev/net/link-config.h
@@ -93,7 +93,7 @@ const char *mac_policy_to_string(MACPolicy p) _const_;
MACPolicy mac_policy_from_string(const char *p) _pure_;
/* gperf lookup function */
-const struct ConfigPerfItem* link_config_gperf_lookup(const char *key, unsigned length);
+const struct ConfigPerfItem* link_config_gperf_lookup(const char *key, GPERF_LEN_TYPE length);
int config_parse_mac_policy(const char *unit, const char *filename, unsigned line, const char *section, unsigned section_line, const char *lvalue, int ltype, const char *rvalue, void *data, void *userdata);
int config_parse_name_policy(const char *unit, const char *filename, unsigned line, const char *section, unsigned section_line, const char *lvalue, int ltype, const char *rvalue, void *data, void *userdata);
diff --git a/src/udev/udev-builtin-keyboard.c b/src/udev/udev-builtin-keyboard.c
index aa10beafb0..09024116f2 100644
--- a/src/udev/udev-builtin-keyboard.c
+++ b/src/udev/udev-builtin-keyboard.c
@@ -29,7 +29,7 @@
#include "string-util.h"
#include "udev.h"
-static const struct key *keyboard_lookup_key(const char *str, unsigned len);
+static const struct key *keyboard_lookup_key(const char *str, GPERF_LEN_TYPE len);
#include "keyboard-keys-from-name.h"
static int install_force_release(struct udev_device *dev, const unsigned *release, unsigned release_count) {

24
0055-journal-gatewayd-actually-recognize-D-as-a-synonym-f.patch
View File

@ -1,24 +0,0 @@
From ce4f32f42dcb91120445d2858baa9fd81abd5292 Mon Sep 17 00:00:00 2001
From: Ivan Shapovalov <intelfx@intelfx.name>
Date: Sun, 29 Jan 2017 23:33:37 +0400
Subject: [PATCH] journal-gatewayd: actually recognize -D as a synonym for
--directory (#5180)
(cherry picked from commit 554597a1b27ad0a81f4ad0884b348d475e89cb9e)
---
src/journal-remote/journal-gatewayd.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/journal-remote/journal-gatewayd.c b/src/journal-remote/journal-gatewayd.c
index f75a6f06d2..be6d41c31b 100644
--- a/src/journal-remote/journal-gatewayd.c
+++ b/src/journal-remote/journal-gatewayd.c
@@ -912,7 +912,7 @@ static int parse_argv(int argc, char *argv[]) {
assert(argc >= 0);
assert(argv);
- while ((c = getopt_long(argc, argv, "h", options, NULL)) >= 0)
+ while ((c = getopt_long(argc, argv, "hD:", options, NULL)) >= 0)
switch(c) {

24
0056-journal-gatewayd-return-EINVAL-if-ARG_TRUST-and-HAVE.patch
View File

@ -1,24 +0,0 @@
From ff1720307554405a422281591dba9b79f085799b Mon Sep 17 00:00:00 2001
From: Yi EungJun <semtlenori@gmail.com>
Date: Tue, 31 Jan 2017 00:24:06 +0900
Subject: [PATCH] journal-gatewayd: return -EINVAL if ARG_TRUST and HAVE_GNUTLS
(#5181)
This bug was introduced by 1aa1e59.
(cherry picked from commit 3ab2feefd7d1918e8f0d0edaea46a87cbed0f211)
---
src/journal-remote/journal-gatewayd.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/journal-remote/journal-gatewayd.c b/src/journal-remote/journal-gatewayd.c
index be6d41c31b..c7c6224421 100644
--- a/src/journal-remote/journal-gatewayd.c
+++ b/src/journal-remote/journal-gatewayd.c
@@ -958,6 +958,7 @@ static int parse_argv(int argc, char *argv[]) {
break;
#else
log_error("Option --trust is not available.");
+ return -EINVAL;
#endif
case 'D':
arg_directory = optarg;

32
0057-systemctl-always-avoid-being-killed-when-doing-switc.patch
View File

@ -1,32 +0,0 @@
From 228523c0b9f077d60a4744776a73ff29b4c18dd2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
Date: Sat, 28 Jan 2017 21:18:31 -0500
Subject: [PATCH] systemctl: always avoid being killed when doing switch-root
The same logic as described in acc28e2e3037d689d6481e applies to any time we are
switching root, to just set the flag unconditionally.
(cherry picked from commit b3ad0ff48c154ed056a6bded2adac609395a9439)
---
src/systemctl/systemctl.c | 8 +++-----
1 file changed, 3 insertions(+), 5 deletions(-)
diff --git a/src/systemctl/systemctl.c b/src/systemctl/systemctl.c
index b598a2a19d..4f528f6079 100644
--- a/src/systemctl/systemctl.c
+++ b/src/systemctl/systemctl.c
@@ -5587,11 +5587,9 @@ static int switch_root(int argc, char *argv[], void *userdata) {
}
/* Instruct PID1 to exclude us from its killing spree applied during
- * the transition from the initrd to the main system otherwise we would
- * exit with a failure status even though the switch to the new root
- * has succeed. */
- if (in_initrd())
- argv_cmdline[0] = '@';
+ * the transition. Otherwise we would exit with a failure status even
+ * though the switch to the new root has succeed. */
+ argv_cmdline[0] = '@';
r = acquire_bus(BUS_MANAGER, &bus);
if (r < 0)

43
0058-systemctl-ignore-SIGTERM-after-switch-root.patch
View File

@ -1,43 +0,0 @@
From 60532427251167b8cb2a733e19eb25ecac5c1632 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
Date: Mon, 30 Jan 2017 13:06:10 -0500
Subject: [PATCH] systemctl: ignore SIGTERM after switch root
https://bugzilla.redhat.com/show_bug.cgi?id=1414904#c14 and #c15.
(cherry picked from commit 8a7a9ceab204fb02fd5d93a765b36b31efeb9beb)
---
src/systemctl/systemctl.c | 13 ++++++++++++-
1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/src/systemctl/systemctl.c b/src/systemctl/systemctl.c
index 4f528f6079..d68c06d9d4 100644
--- a/src/systemctl/systemctl.c
+++ b/src/systemctl/systemctl.c
@@ -5595,6 +5595,14 @@ static int switch_root(int argc, char *argv[], void *userdata) {
if (r < 0)
return r;
+ /* If we are slow to exit after the root switch, the new systemd instance
+ * will send us a signal to terminate. Just ignore it and exit normally.
+ * This way the unit does not end up as failed.
+ */
+ r = ignore_signals(SIGTERM, -1);
+ if (r < 0)
+ log_warning_errno(r, "Failed to change disposition of SIGTERM to ignore: %m");
+
log_debug("Switching root - root: %s; init: %s", root, strna(init));
r = sd_bus_call_method(
@@ -5606,8 +5614,11 @@ static int switch_root(int argc, char *argv[], void *userdata) {
&error,
NULL,
"ss", root, init);
- if (r < 0)
+ if (r < 0) {
+ (void) default_signals(SIGTERM, -1);
+
return log_error_errno(r, "Failed to switch root: %s", bus_error_message(&error, r));
+ }
return 0;
}

34
0059-units-restore-Before-dependencies-for-systemd-vconso.patch
View File

@ -1,34 +0,0 @@
From 007cdfc4cd2ce5ffe0a1b5eb6a5481d1b06c5184 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
Date: Tue, 31 Jan 2017 00:34:33 -0500
Subject: [PATCH] units: restore Before dependencies for
systemd-vconsole-setup.service
When the service is run in the initramfs, it is possible for it to get started
and not be fast enough to exit before the root switch happens. It is started
multiple times (depending on the consoles being detected), and runs
asynchronously, so this is quite likely. It'll then get killed by killall(),
and systemd will consider the service failed. To avoid all this, just wait
for the service to terminate on it's own.
Before=initrd-switch-root.target should be good for the initramfs, and
Before=shutdown.tuarget should be good for the real system, although it's
unlikely to make any difference there.
(cherry picked from commit 750e550eba362096d56a35104c6a32631aa67b8e)
---
units/systemd-vconsole-setup.service.in | 1 +
1 file changed, 1 insertion(+)
diff --git a/units/systemd-vconsole-setup.service.in b/units/systemd-vconsole-setup.service.in
index 2bd1fd1a5d..8bb75c6a4f 100644
--- a/units/systemd-vconsole-setup.service.in
+++ b/units/systemd-vconsole-setup.service.in
@@ -9,6 +9,7 @@
Description=Setup Virtual Console
Documentation=man:systemd-vconsole-setup.service(8) man:vconsole.conf(5)
DefaultDependencies=no
+Before=initrd-switch-root.target shutdown.target
ConditionPathExists=/dev/tty0
[Service]

49
0060-coredump-really-extract-container-cmdline-5167.patch
View File

@ -1,49 +0,0 @@
From 79efa8e7ab4282c8c5e3a917531d5c42452377a5 Mon Sep 17 00:00:00 2001
From: Evgeny Vereshchagin <evvers@ya.ru>
Date: Tue, 31 Jan 2017 19:04:20 +0300
Subject: [PATCH] coredump: really extract container cmdline (#5167)
Fixes:
```
root# systemd-nspawn -D ./cont/ --register=no /bin/sh -c '/bin/sh -c "kill -ABRT \$\$"'
...
Container cont failed with error code 134.
root# journalctl MESSAGE_ID=fc2e22bc6ee647b6b90729ab34a250b1 -o verbose | grep -i container_cmdline
...prints nothing...
...should be COREDUMP_CONTAINER_CMDLINE=systemd-nspawn -D ./cont/ --register=no /bin/sh -c /bin/sh -c "kill -ABRT \$\$"
```
Also, fixes CID #1368263
```
==352== 130 bytes in 1 blocks are definitely lost in loss record 1 of 2
==352== at 0x4C2ED5F: realloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==352== by 0x4ED8581: greedy_realloc (alloc-util.c:57)
==352== by 0x4ECAAD5: get_process_cmdline (process-util.c:147)
==352== by 0x10E385: get_process_container_parent_cmdline (coredump.c:645)
==352== by 0x112949: process_kernel (coredump.c:1240)
==352== by 0x113003: main (coredump.c:1297)
==352==
```
(cherry picked from commit d3cba4eaf618ced1935a96e721b2fbcbad7694bb)
---
src/coredump/coredump.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/src/coredump/coredump.c b/src/coredump/coredump.c
index 6bd0e925eb..1c5e72c835 100644
--- a/src/coredump/coredump.c
+++ b/src/coredump/coredump.c
@@ -642,7 +642,11 @@ static int get_process_container_parent_cmdline(pid_t pid, char** cmdline) {
if (r < 0)
return r;
- return get_process_cmdline(container_pid, 0, false, cmdline);
+ r = get_process_cmdline(container_pid, 0, false, cmdline);
+ if (r < 0)
+ return r;
+
+ return 1;
}
static int change_uid_gid(const char *context[]) {

50
0061-machinectl-make-sure-that-inability-to-get-OS-versio.patch
View File

@ -1,50 +0,0 @@
From 758503b1c24a43de5e0ad40c3e0299a4c5df0238 Mon Sep 17 00:00:00 2001
From: Jan Synacek <jsynacek@redhat.com>
Date: Tue, 14 Feb 2017 10:21:53 +0100
Subject: [PATCH] machinectl: make sure that inability to get OS version isn't
consider fatal for machine list (#4972)
Fixes: #4918
(cherry picked from commit 4b2419165ce409ee55ce96a926302f89685f2293)
Resolves: https://bugzilla.redhat.com/1419501
---
src/machine/machinectl.c | 16 ++++++----------
1 file changed, 6 insertions(+), 10 deletions(-)
diff --git a/src/machine/machinectl.c b/src/machine/machinectl.c
index f84226f58f..2aab754406 100644
--- a/src/machine/machinectl.c
+++ b/src/machine/machinectl.c
@@ -242,24 +242,20 @@ static int list_machines(int argc, char *argv[], void *userdata) {
if (name[0] == '.' && !arg_all)
continue;
- if (!GREEDY_REALLOC(machines, n_allocated, n_machines + 1)) {
+ if (!GREEDY_REALLOC0(machines, n_allocated, n_machines + 1)) {
r = log_oom();
goto out;
}
- machines[n_machines].os = NULL;
- machines[n_machines].version_id = NULL;
- r = get_os_release_property(bus, name,
- "ID\0" "VERSION_ID\0",
- &machines[n_machines].os,
- &machines[n_machines].version_id);
- if (r < 0)
- goto out;
-
machines[n_machines].name = name;
machines[n_machines].class = class;
machines[n_machines].service = service;
+ (void) get_os_release_property(bus, name,
+ "ID\0" "VERSION_ID\0",
+ &machines[n_machines].os,
+ &machines[n_machines].version_id);
+
l = strlen(name);
if (l > max_name)
max_name = l;

23
0068-test-ipcrm-use-configured-nobody-user-name.patch
View File

@ -1,23 +0,0 @@
From b8ef421ff36209dd21c4dbe74c71ae56dce6751c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
Date: Tue, 14 Feb 2017 18:40:55 -0500
Subject: [PATCH] test-ipcrm: use configured nobody user name
"nfsnobody" is now obsolete.
---
src/test/test-ipcrm.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/test/test-ipcrm.c b/src/test/test-ipcrm.c
index 463e135e2b..ce6c7aa18a 100644
--- a/src/test/test-ipcrm.c
+++ b/src/test/test-ipcrm.c
@@ -24,7 +24,7 @@
int main(int argc, char *argv[]) {
uid_t uid;
int r;
- const char* name = argv[1] ?: "nfsnobody";
+ const char* name = argv[1] ?: NOBODY_USER_NAME;
r = get_user_creds(&name, &uid, NULL, NULL, NULL);
if (r < 0) {

443
hwdb.patch
View File

@ -1,443 +0,0 @@
From 108c060c5521309b9448e3a7905b50dd505f36a8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
Date: Fri, 11 Mar 2016 17:06:17 -0500
Subject: [PATCH] update hwdb
---
diff --git a/hwdb/60-evdev.hwdb b/hwdb/60-evdev.hwdb
index 0b692a1b5d..fd9078393b 100644
--- a/hwdb/60-evdev.hwdb
+++ b/hwdb/60-evdev.hwdb
@@ -15,7 +15,7 @@
# To add local entries, create a new file
# /etc/udev/hwdb.d/61-evdev-local.hwdb
# and add your rules there. To load the new rules execute (as root):
-# udevadm hwdb --update
+# systemd-hwdb update
# udevadm trigger /dev/input/eventXX
# where /dev/input/eventXX is the device in question. If in
# doubt, simply use /dev/input/event* to reload all input rules.
@@ -93,6 +93,14 @@ evdev:input:b0003v05ACp025B*
#########################################
# ASUS
#########################################
+
+# Asus VivoBook E402SA
+evdev:name:Elan Touchpad:dmi:*svnASUSTeKCOMPUTERINC.:pnE402SA*
+ EVDEV_ABS_00=::29
+ EVDEV_ABS_01=::29
+ EVDEV_ABS_35=::29
+ EVDEV_ABS_36=::29
+
# Asus K52JT
evdev:name:ETPS/2 Elantech Touchpad:dmi:bvn*:bvr*:bd*:svnASUSTeKComputerInc.:pnK52JT:*
EVDEV_ABS_00=::18
@@ -100,7 +108,8 @@ evdev:name:ETPS/2 Elantech Touchpad:dmi:bvn*:bvr*:bd*:svnASUSTeKComputerInc.:pnK
EVDEV_ABS_35=::18
EVDEV_ABS_36=::16
-evdev:name:ETPS/2 Elantech Touchpad:dmi:*:svnASUSTeKCOMPUTERINC.:pnX550CC:*
+# Asus X550CC and S550CB
+evdev:name:ETPS/2 Elantech Touchpad:dmi:*:svnASUSTeKCOMPUTERINC.:pn?550C?:*
EVDEV_ABS_00=::31
EVDEV_ABS_01=::30
EVDEV_ABS_35=::31
@@ -136,6 +145,13 @@ evdev:name:AlpsPS/2 ALPS DualPoint TouchPad:dmi:bvn*:bvr*:bd*:svnDellInc.:pnLati
EVDEV_ABS_35=76:1815:22
EVDEV_ABS_36=131:1330:30
+# Dell Latitude E6320
+evdev:name:AlpsPS/2 ALPS DualPoint TouchPad:dmi:bvn*:bvr*:bd*:svnDellInc.:pnLatitudeE6320*
+ EVDEV_ABS_00=79:1841:22
+ EVDEV_ABS_01=140:1325:29
+ EVDEV_ABS_35=79:1841:22
+ EVDEV_ABS_36=140:1325:29
+
# Dell Precision 5510
evdev:name:SynPS/2 Synaptics TouchPad:dmi:bvn*:bvr*:bd*:svnDellInc.:pnPrecision5510*
EVDEV_ABS_00=::42
@@ -184,10 +200,31 @@ evdev:name:SynPS/2 Synaptics TouchPad*:dmi:*svnHewlett-Packard:pnHPPaviliondm4*
EVDEV_ABS_35=1360:5563:47
EVDEV_ABS_36=1269:4618:61
+# HP Pavilion dv7
+evdev:name:SynPS/2 Synaptics TouchPad*:dmi:*svnHewlett-Packard:pnHPPaviliondv7*
+ EVDEV_ABS_00=1068:5805:44
+ EVDEV_ABS_01=1197:4890:57
+ EVDEV_ABS_35=1068:5805:44
+ EVDEV_ABS_36=1197:4890:57
+
+# HP Spectre
+evdev:name:SynPS/2 Synaptics TouchPad:dmi:i*svnHP:pnHPSpectreNotebook*
+ EVDEV_ABS_00=1205:5691:47
+ EVDEV_ABS_01=1083:4808:65
+ EVDEV_ABS_35=1205:5691:47
+ EVDEV_ABS_36=1083:4808:65
+
#########################################
# Lenovo
#########################################
+# Lenovo B590
+evdev:name:SynPS/2 Synaptics TouchPad:dmi:*svnLENOVO*:pvrLenovoB590*
+ EVDEV_ABS_00=1243:5759:48
+ EVDEV_ABS_01=1130:4832:65
+ EVDEV_ABS_35=1243:5759:48
+ EVDEV_ABS_36=1130:4832:65
+
# Lenovo E530
evdev:name:SynPS/2 Synaptics TouchPad:dmi:*svnLENOVO:pn*ThinkPadEdgeE530*
EVDEV_ABS_00=1241:5703:49
@@ -217,6 +254,20 @@ evdev:name:SynPS/2 Synaptics TouchPad:dmi:*svnLENOVO*:pvrThinkPad??40?:*
EVDEV_ABS_35=::41
EVDEV_ABS_36=::37
+# Lenovo ThinkPad T430
+evdev:name:SynPS/2 Synaptics TouchPad:dmi:*svnLENOVO*:pvrThinkPadT430*
+ EVDEV_ABS_00=1250:5631:58
+ EVDEV_ABS_01=1309:4826:78
+ EVDEV_ABS_35=1250:5631:58
+ EVDEV_ABS_36=1309:4826:78
+
+# Lenovo Thinkpad Carbon X1 4th gen. and X1 Yoga 1st gen.
+evdev:name:SynPS/2 Synaptics TouchPad:dmi:*svnLENOVO*:pvrThinkPadX1Carbon4th*
+ EVDEV_ABS_00=1262:5679:44
+ EVDEV_ABS_01=1101:4824:65
+ EVDEV_ABS_35=1262:5679:44
+ EVDEV_ABS_36=1101:4824:65
+
# Lenovo T460
evdev:name:SynPS/2 Synaptics TouchPad:dmi:*svnLENOVO*:pn*ThinkPad*T460*
EVDEV_ABS_00=1266:5677:44
@@ -236,6 +287,13 @@ evdev:name:SynPS/2 Synaptics TouchPad:dmi:*svnLENOVO:*pvrLenovoV360*
EVDEV_ABS_00=1243:5927:60
EVDEV_ABS_01=902:5330:108
+# Lenovo W530
+evdev:name:SynPS/2 Synaptics TouchPad:dmi:*svnLENOVO:*pvrThinkPadW530*
+ EVDEV_ABS_00=1250:5631:59
+ EVDEV_ABS_01=1205:4834:81
+ EVDEV_ABS_35=1250:5631:59
+ EVDEV_ABS_36=1205:4834:81
+
# Lenovo X220 series
evdev:name:SynPS/2 Synaptics TouchPad:dmi:*svnLENOVO:*pvrThinkPadX220*
EVDEV_ABS_00=1316:5627:58
@@ -279,3 +337,12 @@ evdev:name:ETPS/2 Elantech Touchpad:dmi:*svnSAMSUNGELECTRONICSCO.,LTD.:pn305V4A/
EVDEV_ABS_01=0:1116:24
EVDEV_ABS_35=0:2480:28
EVDEV_ABS_36=0:1116:24
+
+#########################################
+# Toshiba
+#########################################
+
+# Toshiba Tecra M11
+evdev:name:AlpsPS/2 ALPS DualPoint TouchPad:dmi:*svnTOSHIBA:pnTECRAM11*
+ EVDEV_ABS_00=90:962:11
+ EVDEV_ABS_01=51:681:14
diff --git a/hwdb/60-keyboard.hwdb b/hwdb/60-keyboard.hwdb
index 9c87aecd30..c8452f47d0 100644
--- a/hwdb/60-keyboard.hwdb
+++ b/hwdb/60-keyboard.hwdb
@@ -4,7 +4,7 @@
# scan codes to add to the AT keyboard's 'force-release' list.
#
# The lookup keys are composed in:
-# 60-keyboard.rules
+# 60-evdev.rules
#
# Note: The format of the "evdev:" prefix match key is a
# contract between the rules file and the hardware data, it might
@@ -18,17 +18,19 @@
# ZZZZ is the bus-id (see /usr/include/linux/input.h BUS_*), YYYY, XXXX and
# WWW are the 4-digit hex uppercase vendor, product and version ID and VVVV
# is an arbitrary length input-modalias describing the device capabilities.
+# The vendor, product and version ID for a device node "eventX" is listed
+# in /sys/class/input/eventX/device/id.
#
# - AT keyboard DMI data matches:
# evdev:atkbd:dmi:bvn*:bvr*:bd*:svn<vendor>:pn<product>:pvr*
# <vendor> and <product> are the firmware-provided strings
-# exported by the kernel DMI modalias.
+# exported by the kernel DMI modalias, see /sys/class/dmi/id/modalias
#
# - Input driver device name and DMI data match:
# evdev:name:<input device name>:dmi:bvn*:bvr*:bd*:svn<vendor>:pn*
# <input device name> is the name device specified by the
# driver, <vendor> is the firmware-provided string exported
-# by the kernel DMI modalias.
+# by the kernel DMI modalias, see /sys/class/dmi/id/modalias
#
# Scan codes are specified as:
# KEYBOARD_KEY_<hex scan code>=<key code identifier>
@@ -42,11 +44,18 @@
#
# To debug key presses and access scan code mapping data of
# an input device use the commonly available tool: evtest(1).
+
+# A device with a fixed keyboard layout that must not be changed by
+# the desktop environment may specify that layout as:
+# XKB_FIXED_LAYOUT="us"
+# XKB_FIXED_VARIANT=""
+# Examples of such devices: the Yubikey or other key-code generating
+# devices.
#
# To update this file, create a new file
# /etc/udev/hwdb.d/70-keyboard.hwdb
# and add your rules there. To load the new rules execute (as root):
-# udevadm hwdb --update
+# systemd-hwdb update
# udevadm trigger /dev/input/eventXX
# where /dev/input/eventXX is the keyboard in question. If in
# doubt, simply use /dev/input/event* to reload all input rules.
@@ -275,7 +284,7 @@ evdev:atkbd:dmi:bvn*:bvr*:bd*:svnDell*:pnXPS12-9Q33*:pvr*
evdev:name:Dell WMI hotkeys:dmi:bvn*:bvr*:bd*:svnDell*:pnLatitude*
# Dell Precision microphone mute
evdev:name:Dell WMI hotkeys:dmi:bvn*:bvr*:bd*:svnDell*:pnPrecision*
- KEYBOARD_KEY_150=f20 # Mic mute toggle, should be micmute
+ KEYBOARD_KEY_100150=f20 # Mic mute toggle, should be micmute
###########################################################
# Everex
@@ -415,6 +424,10 @@ evdev:atkbd:dmi:bvn*:bvr*:bd*:svnHewlett-Packard*:pnHP*Pavilion*dv7*Notebook*PC:
KEYBOARD_KEY_c6=break
KEYBOARD_KEY_94=reserved
+# Pavilion x360 13 (Prevents random airplane mode activation)
+evdev:atkbd:dmi:bvn*:bvr*:bd*:svnHewlett-Packard*:pn*[pP][aA][vV][iI][lL][iI][oO][nN]*13*x360*:pvr*
+ KEYBOARD_KEY_d7=unknown
+
# Elitebook
evdev:atkbd:dmi:bvn*:bvr*:bd*:svnHewlett-Packard*:pn*Compaq*:pvr*
evdev:atkbd:dmi:bvn*:bvr*:bd*:svnHewlett-Packard*:pn*EliteBook*:pvr*
@@ -858,6 +871,7 @@ evdev:atkbd:dmi:bvn*:bvr*:bd*:svnMicro-Star*:pn*:pvr*
evdev:atkbd:dmi:bvn*:bvr*:bd*:svnMICRO-STAR*:pn*U-100*:pvr*
evdev:atkbd:dmi:bvn*:bvr*:bd*:svnMICRO-STAR*:pn*U100*:pvr*
evdev:atkbd:dmi:bvn*:bvr*:bd*:svnMICRO-STAR*:pn*N033:*
+evdev:atkbd:dmi:bvn*:bvr*:bd*:svnMicro-Star*:pn*VR420*:pvr*
KEYBOARD_KEY_f7=reserved
KEYBOARD_KEY_f8=reserved
@@ -1239,3 +1253,18 @@ evdev:atkbd:dmi:bvn*:bvr*:bd*:svnDIXONSP:pnDIXON*:pvr*
KEYBOARD_KEY_a0=! # mute
KEYBOARD_KEY_ae=! # volume down
KEYBOARD_KEY_b0=! # volume up
+
+###########################################################
+# Fixed layout devices
+###########################################################
+
+# Yubico Yubico Yubikey II"
+evdev:input:b0003v1050p0010*
+# Yubico Yubikey NEO OTP+CCID
+evdev:input:b0003v1050p0111*
+# Yubico Yubikey NEO OTP+U2F+CCID
+evdev:input:b0003v1050p0116*
+# OKE Electron Company USB barcode reader
+evdev:input:b0003v05FEp1010*
+ XKB_FIXED_LAYOUT="us"
+ XKB_FIXED_VARIANT=""
diff --git a/hwdb/60-sensor.hwdb b/hwdb/60-sensor.hwdb
new file mode 100644
index 0000000000..3160cf77e8
--- /dev/null
+++ b/hwdb/60-sensor.hwdb
@@ -0,0 +1,45 @@
+# This file is part of systemd.
+#
+# The lookup keys are composed in:
+# 60-sensor.rules
+#
+# Note: The format of the "sensor:" prefix match key is a
+# contract between the rules file and the hardware data, it might
+# change in later revisions to support more or better matches, it
+# is not necessarily expected to be a stable ABI.
+#
+# Match string formats:
+# sensor:modalias:<parent device modalias>:dmi:<dmi string>
+#
+# To add local entries, create a new file
+# /etc/udev/hwdb.d/61-sensor-local.hwdb
+# and add your rules there. To load the new rules execute (as root):
+# systemd-hwdb update
+# udevadm trigger `dirname $(udevadm info -n "/dev/iio:deviceXXX" -q path)`
+# where /dev/iio:deviceXXX is the device in question.
+#
+# If your changes are generally applicable, preferably send them as a pull
+# request to
+# https://github.com/systemd/systemd
+# or create a bug report on https://github.com/systemd/systemd/issues and
+# include your new rules, a description of the device, and the output of
+# udevadm info --export-db
+#
+# Allowed properties are:
+# ACCEL_MOUNT_MATRIX=<matrix>
+#
+# where <matrix> is a mount-matrix in the format specified in the IIO
+# subsystem[1]. The default, when unset, is equivalent to:
+# ACCEL_MOUNT_MATRIX=1, 0, 0; 0, 1, 0; 0, 0, 1
+# eg. the identity matrix.
+#
+# [1]: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=dfc57732ad38f93ae6232a3b4e64fd077383a0f1
+
+#
+# Sort by brand, model
+
+#########################################
+# Winbook
+#########################################
+sensor:modalias:acpi:BMA250*:dmi:*svn*WinBook*:*pn*TW100*
+ ACCEL_MOUNT_MATRIX=0, -1, 0; -1, 0, 0; 0, 0, 0
diff --git a/hwdb/70-mouse.hwdb b/hwdb/70-mouse.hwdb
index bf3d134c46..772534f495 100644
--- a/hwdb/70-mouse.hwdb
+++ b/hwdb/70-mouse.hwdb
@@ -31,7 +31,7 @@
# To add local entries, create a new file
# /etc/udev/hwdb.d/71-mouse-local.hwdb
# and add your rules there. To load the new rules execute (as root):
-# udevadm hwdb --update
+# systemd-hwdb update
# udevadm trigger /dev/input/eventXX
# where /dev/input/eventXX is the mouse in question. If in
# doubt, simply use /dev/input/event* to reload all input rules.
@@ -50,6 +50,8 @@
# MOUSE_WHEEL_CLICK_ANGLE_HORIZONTAL
# MOUSE_WHEEL_CLICK_COUNT
# MOUSE_WHEEL_CLICK_COUNT_HORIZONTAL
+# MOUSE_WHEEL_TILT_HORIZONTAL
+# MOUSE_WHEEL_TILT_VERTICAL
#
#########################################
# ID_INPUT_TRACKBALL #
@@ -134,6 +136,26 @@
# MOUSE_WHEEL_CLICK_COUNT_HORIZONTAL works the same way but also follows the
# rules of MOUSE_WHEEL_CLICK_ANGLE_HORIZONTAL.
+#########################################
+# MOUSE_WHEEL_TILT_HORIZONTAL #
+# MOUSE_WHEEL_TILT_VERTICAL #
+#########################################
+#
+# Indicates that the respective axis is not a mouse wheel rotation but a
+# tilt along that axis. Wheel tilt is most commonly used for horizontal
+# scroll wheel emulation on mice with only a single vertical wheel.
+#
+# The vertical and horizontal Axes are independently marked as tilt axes,
+# for example it is permitted to have a MOUSE_WHEEL_CLICK_COUNT or
+# MOUSE_WHEEL_CLICK_ANGLE for the vertical axis and mark the horizontal axis
+# marked as as MOUSE_WHEEL_TILT_HORIZONTAL.
+#
+# It is a bug to have either CLICK_COUNT or CLICK_ANGLE set on the same axis
+# as WHEEL_TILT. Applications should give priority to WHEEL_TILT and ignore
+# other settings.
+#
+# This is a flag only, permitted values: 0 or 1
+
#
# Sort by brand, type (usb, bluetooth), DPI, frequency.
# For mice with switchable resolution, sort by the starred entry.
@@ -346,6 +368,10 @@ mouse:usb:v046dpc24c:name:Logitech G400s Optical Gaming Mouse:
mouse:usb:v046dpc07e:name:Logitech Gaming Mouse G402:
MOUSE_DPI=400@1000 *800@1000 1600@1000 3200@1000
+# Logitech G502 Proteus Spectrum
+mouse:usb:v046dpc332:name:Logitech Gaming Mouse G502:
+ MOUSE_DPI=1200@1000 *2400@1000 3200@1000 6400@1000
+
# Logitech B605 Wireless Mouse (also M505)
mouse:usb:v046dp101d:name:Logitech B605:
mouse:usb:v046dp101d:name:Logitech M505:
@@ -416,6 +442,10 @@ mouse:usb:v046dpc52b:name:Logitech Unifying Device. Wireless PID:4026:
mouse:usb:v046dpc068:name:Logitech G500:
MOUSE_DPI=*1600@500 2600@500 3600@500
+# Logitech TrackMan Wheel (USB)
+mouse:usb:v046dpc404:name:Logitech Trackball:
+ MOUSE_DPI=300@125
+
# Logitech MX1000 Laser Cordless Mouse
mouse:bluetooth:v046dpb003:name:Logitech MX1000 mouse:
MOUSE_DPI=800@80
@@ -464,6 +494,10 @@ mouse:bluetooth:v045ep0702:name:Microsoft Wireless Laser Mouse 8000:
mouse:bluetooth:v045ep07f3:name:Arc Touch Mouse SE:
MOUSE_DPI=1000@2000
+# Microsoft Surface Mouse
+mouse:bluetooth:v0000p0000:name:Surface Mouse:
+ MOUSE_DPI=2000@2000
+
##########################################
# Mionix
##########################################
@@ -497,6 +531,10 @@ mouse:bluetooth:v056ep0061:name:Laser BTmouse:
mouse:usb:v1532p0042:name:Razer Razer Abyssus:
MOUSE_DPI=3500@1000
+# Razer DeathAdder Black Edition
+mouse:usb:v1532p0029:name:Razer Razer DeathAdder:
+ MOUSE_DPI=3500@1000
+
##########################################
# Roccat
##########################################
diff --git a/hwdb/70-pointingstick.hwdb b/hwdb/70-pointingstick.hwdb
index e18ef28290..cfdfef567a 100644
--- a/hwdb/70-pointingstick.hwdb
+++ b/hwdb/70-pointingstick.hwdb
@@ -18,16 +18,19 @@
# ZZZZ is the bus-id (see /usr/include/linux/input.h BUS_*), YYYY, XXXX and
# WWW are the 4-digit hex uppercase vendor, product and version ID and VVVV
# is an arbitrary length input-modalias describing the device capabilities.
+# The vendor, product and version ID for a device node "eventX" is listed
+# in /sys/class/input/eventX/device/id.
#
# - Input driver device name and DMI data match:
# evdev:name:<input device name>:dmi:bvn*:bvr*:bd*:svn<vendor>:pn*
# <input device name> is the name device specified by the driver,
-# <vendor> is the firmware-provided string from the kernel DMI modalias.
+# <vendor> is the firmware-provided string from the kernel DMI modalias,
+# see /sys/class/dmi/id/modalias
#
# To add local entries, create a new file
# /etc/udev/hwdb.d/71-pointingstick-local.hwdb
# and add your rules there. To load the new rules execute (as root):
-# udevadm hwdb --update
+# systemd-hwdb update
# udevadm trigger /dev/input/eventXX
# where /dev/input/eventXX is the pointingstick in question. If in
# doubt, simply use /dev/input/event* to reload all input rules.
@@ -95,6 +98,8 @@ evdev:name:*DualPoint Stick:dmi:bvn*:bvr*:bd*:svnDellInc.:pnLatitudeE7470*:pvr*
# Lenovo
#########################################
+# Lenovo Thinkpad X220
+evdev:name:TPPS/2 IBM TrackPoint:dmi:bvn*:bvr*:bd*:svnLENOVO:pn*:pvrThinkPadX220:*
# Lenovo Thinkpad X230
evdev:name:TPPS/2 IBM TrackPoint:dmi:bvn*:bvr*:bd*:svnLENOVO:pn*:pvrThinkPadX230:*
# Lenovo Thinkpad X230 tablet
diff --git a/hwdb/70-touchpad.hwdb b/hwdb/70-touchpad.hwdb
index 11f3f96f04..82a4b7a575 100644
--- a/hwdb/70-touchpad.hwdb
+++ b/hwdb/70-touchpad.hwdb
@@ -18,7 +18,7 @@
# To add local entries, create a new file
# /etc/udev/hwdb.d/71-touchpad-local.hwdb
# and add your rules there. To load the new rules execute (as root):
-# udevadm hwdb --update
+# systemd-hwdb update
# udevadm trigger /dev/input/eventXX
# where /dev/input/eventXX is the touchpad in question. If in
# doubt, simply use /dev/input/event* to reload all input rules.
@@ -47,3 +47,9 @@ touchpad:usb:*
###########################################################
touchpad:usb:v05ac*
ID_INPUT_TOUCHPAD_INTEGRATION=internal
+
+###########################################################
+# Wacom
+###########################################################
+touchpad:usb:v056a*
+ ID_INPUT_TOUCHPAD_INTEGRATION=external

2
sources
View File

@ -1 +1 @@
3e3a0b14050eff62e68be72142181730 systemd-232.tar.gz
SHA512 (systemd-233.tar.gz) = 5ad5329ea116d973cf67096f7e7ad28e9ea0905696e9451291f1d25e5064f4a9bfcfae87e912996c6a38397e9f4a148d4ccecfa9b70f7ecdf04deadb61784c8e

130
systemd.spec
View File

@ -8,11 +8,12 @@
%global pkgdir %{_prefix}/lib/systemd
%global system_unit_dir %{pkgdir}/system
%global user_unit_dir %{pkgdir}/user
Name: systemd
Url: http://www.freedesktop.org/wiki/Software/systemd
Version: 232
Release: 15%{?gitcommit:.git%{gitcommitshort}}%{?dist}
Version: 233
Release: 1%{?gitcommit:.git%{gitcommitshort}}%{?dist}
# For a breakdown of the licensing, see README
License: LGPLv2+ and MIT and GPLv2+
Summary: System and Service Manager
@ -39,75 +40,11 @@ Source10: systemd-udev-trigger-no-reload.conf
Source11: 20-grubby.install
Source12: https://raw.githubusercontent.com/systemd/systemd/1000522a60ceade446773c67031b47a566d4a70d/src/login/systemd-user.m4
# GIT_DIR=../../src/systemd/.git git format-patch-ab --no-signature -M -N v232..v232-stable
# GIT_DIR=../../src/systemd/.git git format-patch-ab --no-signature -M -N v233..v233-stable
# i=1; for j in 00*patch; do printf "Patch%04d: %s\n" $i $j; i=$((i+1));done|xclip
Patch0001: 0001-build-sys-link-test-seccomp-against-seccomp-libs-456.patch
Patch0002: 0002-kernel-install-use-exit-instead-of-return-4565.patch
Patch0003: 0003-nspawn-fix-exit-code-for-help-and-version-4609.patch
Patch0004: 0004-core-don-t-use-the-unified-hierarchy-for-the-systemd.patch
Patch0005: 0005-core-make-RootDirectory-and-ProtectKernelModules-wor.patch
Patch0006: 0006-nspawn-avoid-one-strdup-by-using-free_and_replace.patch
Patch0007: 0007-nspawn-slight-simplification.patch
Patch0008: 0008-core-namespace-count-and-free-failed-paths-inside-ch.patch
Patch0009: 0009-basic-virt-fix-userns-check-on-CONFIG_USER_NS-n-kern.patch
Patch0010: 0010-timesyncd-clear-ADJ_MAXERROR-to-keep-STA_UNSYNC-clea.patch
Patch0011: 0011-link-fix-offload-features-initialization-4639.patch
Patch0012: 0012-sd-event-fix-sd_event_source_get_priority-4712.patch
Patch0013: 0013-build-sys-check-for-lz4-in-the-old-and-new-numbering.patch
Patch0014: 0014-networkd-fix-size-of-MTUBytes-so-that-it-does-not-ov.patch
Patch0015: 0015-core-consider-SIGTERM-as-a-clean-exit-status-for-ini.patch
Patch0016: 0016-core-make-sure-initrd-switch-root-command-survives-P.patch
Patch0017: 0017-fix-journald-startup-problem-when-code-is-compiled-w.patch
Patch0018: 0018-device-Avoid-calling-unit_free-NULL-in-device-setup-.patch
Patch0019: 0019-udevd-check-correct-return-value-of-fcntl-4758.patch
Patch0020: 0020-systemctl-fix-is-enabled-exit-status-on-failure-when.patch
Patch0021: 0021-journal-make-sure-to-initially-populate-the-space-in.patch
Patch0022: 0022-networkd-link_enter_configured-remove-assert-4800.patch
Patch0023: 0023-rules-consider-MMC-device-partitions-with-partition-.patch
Patch0024: 0024-nspawn-add-missing-E-to-getopt_long-4860.patch
Patch0025: 0025-build-sys-define-arm-as-secondary-architecture-for-a.patch
Patch0026: 0026-nspawn-when-getting-SIGCHLD-make-sure-it-s-from-the-.patch
Patch0027: 0027-machinectl-make-machinectl-E-shell-work.patch
Patch0028: 0028-sysv-generator-properly-translate-sysv-facilities.patch
Patch0029: 0029-core-downgrade-Time-has-been-changed-to-debug-4906.patch
Patch0030: 0030-machinectl-handle-EOPNOTSUPP-from-print_addresses-49.patch
Patch0031: 0031-units-fix-condition-for-systemd-journal-catalog-upda.patch
Patch0032: 0032-core-fix-sockaddr-length-calculation-for-sockaddr_pr.patch
Patch0033: 0033-shared-fix-double-free-in-unmask-5005.patch
Patch0034: 0034-shared-fix-double-free-in-link.patch
Patch0035: 0035-shared-check-strdup-NULL.patch
Patch0036: 0036-rpm-triggers-do-nothing-if-systemd-is-not-running-50.patch
Patch0037: 0037-kernel-install-avoid-process-substitution.patch
Patch0038: 0038-shell-completion-redirect-all-errors-from-systemctl-.patch
Patch0039: 0039-cryptsetup-fix-unitialized-variable.patch
Patch0040: 0040-systemctl-uninitalized-variable.patch
Patch0041: 0041-bash_completion-journalctl-add-missing-options.patch
Patch0042: 0042-bash_completion-journalctl-Complete-t-option-values.patch
Patch0043: 0043-Fixi-caching-in-zsh-completion-5122.patch
Patch0044: 0044-bash-completion-add-support-for-now-5155.patch
Patch0045: 0045-core-dbus-fix-two-strv-memleaks.patch
Patch0046: 0046-core-execute-fix-strv-memleak.patch
Patch0047: 0047-resolve-fix-strv-memleak.patch
Patch0048: 0048-nspawn-fix-clobbering-of-selinux-context-arg.patch
Patch0049: 0049-parse_hwdb-fix-to-work-with-pyparsing-2.1.10.patch
Patch0050: 0050-journald-don-t-flush-to-var-log-journal-before-we-ge.patch
Patch0051: 0051-tree-wide-drop-NULL-sentinel-from-strjoin.patch
Patch0052: 0052-core-add-new-RestrictNamespaces-unit-file-setting.patch
Patch0053: 0053-seccomp-rework-seccomp-code-to-improve-compat-with-s.patch
Patch0054: 0054-build-sys-add-check-for-gperf-lookup-function-signat.patch
Patch0055: 0055-journal-gatewayd-actually-recognize-D-as-a-synonym-f.patch
Patch0056: 0056-journal-gatewayd-return-EINVAL-if-ARG_TRUST-and-HAVE.patch
Patch0057: 0057-systemctl-always-avoid-being-killed-when-doing-switc.patch
Patch0058: 0058-systemctl-ignore-SIGTERM-after-switch-root.patch
Patch0059: 0059-units-restore-Before-dependencies-for-systemd-vconso.patch
Patch0060: 0060-coredump-really-extract-container-cmdline-5167.patch
Patch0061: 0061-machinectl-make-sure-that-inability-to-get-OS-versio.patch
# GIT_DIR=../../src/systemd/.git git diffab -M v233..master@{2017-01-30} hwdb/[67]* > hwdb.patch
Patch0068: 0068-test-ipcrm-use-configured-nobody-user-name.patch
# GIT_DIR=../../src/systemd/.git git diffab -M v232..master@{2017-01-30} hwdb/[67]* > hwdb.patch
Patch0997: hwdb.patch
Patch0998: 0998-resolved-create-etc-resolv.conf-symlink-at-runtime.patch
%global num_patches %{lua: c=0; for i,p in ipairs(patches) do c=c+1; end; print(c);}
@ -301,6 +238,15 @@ and to write journal files from serialized journal contents.
This package contains systemd-journal-gatewayd,
systemd-journal-remote, and systemd-journal-upload.
%package tests
Summary: Internal unit tests for systemd
Requires: %{name}%{?_isa} = %{version}-%{release}
License: LGPLv2+
%description tests
"Installed tests" that are usually run as part of the build system.
They can be useful to test systemd internals.
%prep
%setup -q %{?gitcommit:-n %{name}-%{gitcommit}}
@ -370,7 +316,7 @@ CONFIGURE_OPTS=(
make %{?_smp_mflags} GCC_COLORS="" V=1
%install
%make_install
%make_install install-tests
find %{buildroot} \( -name '*.a' -o -name '*.la' \) -delete
@ -460,12 +406,13 @@ install -Dm0644 -t %{buildroot}%{system_unit_dir}/systemd-udev-trigger.service.d
install -Dm0755 -t %{buildroot}%{_prefix}/lib/kernel/install.d/ %{SOURCE11}
mkdir -p %{buildroot}/etc/polkit-1/localauthority/10-vendor.d
mv %{buildroot}/var/lib/polkit-1/localauthority/10-vendor.d/systemd-networkd.pkla \
%{buildroot}/etc/polkit-1/localauthority/10-vendor.d/
%find_lang %{name}
%check
sed -i '33i \
sys.exit(77)' hwdb/parse_hwdb.py
make check %{?_smp_mflags} VERBOSE=1 || { cat test-suite.log; exit 1; }
# Check for botched translations (https://bugzilla.redhat.com/show_bug.cgi?id=1226566)
@ -655,7 +602,6 @@ getent passwd systemd-journal-upload &>/dev/null || useradd -r -l -g systemd-jou
%license LICENSE.GPL2 LICENSE.LGPL2.1
%dir %{_sysconfdir}/systemd
%dir %{_sysconfdir}/systemd/system
%{_sysconfdir}/systemd/system/ctrl-alt-del.target
%ghost %dir %{_sysconfdir}/systemd/system/basic.target.wants
%ghost %dir %{_sysconfdir}/systemd/system/bluetooth.target.wants
%ghost %dir %{_sysconfdir}/systemd/system/default.target.wants
@ -688,6 +634,7 @@ getent passwd systemd-journal-upload &>/dev/null || useradd -r -l -g systemd-jou
%exclude %{pkgdir}/system-generators/systemd-gpt-auto-generator
%exclude %{pkgdir}/system-generators/systemd-hibernate-resume-generator
%{pkgdir}/user-generators
%{pkgdir}/user-environment-generators
%dir %{pkgdir}/system-shutdown
%dir %{pkgdir}/system-sleep
%dir %{pkgdir}/catalog
@ -697,8 +644,18 @@ getent passwd systemd-journal-upload &>/dev/null || useradd -r -l -g systemd-jou
%dir %{_prefix}/lib/sysctl.d
%dir %{_prefix}/lib/modules-load.d
%dir %{_prefix}/lib/binfmt.d
%dir %{_prefix}/lib/environment.d
%{_prefix}/lib/environment.d/99-environment.conf
%dir %{_prefix}/lib/kernel
%dir %{_datadir}/systemd
%dir %{_datadir}/dbus-1/system.d
%{_datadir}/dbus-1/system.d/org.freedesktop.systemd1.conf
%{_datadir}/dbus-1/system.d/org.freedesktop.hostname1.conf
%{_datadir}/dbus-1/system.d/org.freedesktop.login1.conf
%{_datadir}/dbus-1/system.d/org.freedesktop.locale1.conf
%{_datadir}/dbus-1/system.d/org.freedesktop.timedate1.conf
%{_datadir}/dbus-1/system.d/org.freedesktop.resolve1.conf
%{_datadir}/dbus-1/system.d/org.freedesktop.network1.conf
%dir %{_datadir}/pkgconfig
%dir %{_datadir}/zsh
%dir %{_datadir}/zsh/site-functions
@ -716,20 +673,13 @@ getent passwd systemd-journal-upload &>/dev/null || useradd -r -l -g systemd-jou
%ghost %attr(0664,root,utmp) %{_localstatedir}/run/utmp
%ghost %attr(0664,root,utmp) %{_localstatedir}/log/wtmp
%ghost %attr(0600,root,utmp) %{_localstatedir}/log/btmp
%dir %{_sysconfdir}/dbus-1/system.d
%config(noreplace) %{_sysconfdir}/dbus-1/system.d/org.freedesktop.systemd1.conf
%config(noreplace) %{_sysconfdir}/dbus-1/system.d/org.freedesktop.hostname1.conf
%config(noreplace) %{_sysconfdir}/dbus-1/system.d/org.freedesktop.login1.conf
%config(noreplace) %{_sysconfdir}/dbus-1/system.d/org.freedesktop.locale1.conf
%config(noreplace) %{_sysconfdir}/dbus-1/system.d/org.freedesktop.timedate1.conf
%config(noreplace) %{_sysconfdir}/dbus-1/system.d/org.freedesktop.resolve1.conf
%config(noreplace) %{_sysconfdir}/dbus-1/system.d/org.freedesktop.network1.conf
%config(noreplace) %{_sysconfdir}/systemd/system.conf
%config(noreplace) %{_sysconfdir}/systemd/user.conf
%config(noreplace) %{_sysconfdir}/systemd/logind.conf
%config(noreplace) %{_sysconfdir}/systemd/journald.conf
%config(noreplace) %{_sysconfdir}/systemd/resolved.conf
%config(noreplace) %{_sysconfdir}/systemd/coredump.conf
%config(noreplace) %{_sysconfdir}/systemd/system/dbus-org.freedesktop.resolve1.service
%config(noreplace) %{_sysconfdir}/yum/protected.d/systemd.conf
%config(noreplace) %{_sysconfdir}/pam.d/systemd-user
%{_rpmconfigdir}/macros.d/macros.systemd
@ -762,6 +712,7 @@ getent passwd systemd-journal-upload &>/dev/null || useradd -r -l -g systemd-jou
%{_bindir}/systemd-inhibit
%{_bindir}/systemd-machine-id-setup
%{_bindir}/systemd-mount
%{_bindir}/systemd-umount
%{_bindir}/systemd-notify
%{_bindir}/systemd-path
%{_bindir}/systemd-resolve
@ -775,7 +726,7 @@ getent passwd systemd-journal-upload &>/dev/null || useradd -r -l -g systemd-jou
%{pkgdir}/systemd
%{pkgdir}/libsystemd-shared-%{version}.so
%{system_unit_dir}
%{pkgdir}/user
%{user_unit_dir}
%{pkgdir}/resolv.conf
%exclude %{system_unit_dir}/*udev*
%exclude %{system_unit_dir}/*/*udev*
@ -896,11 +847,14 @@ getent passwd systemd-journal-upload &>/dev/null || useradd -r -l -g systemd-jou
%{_datadir}/dbus-1/system-services/org.freedesktop.network1.service
%dir %{_datadir}/polkit-1
%dir %{_datadir}/polkit-1/actions
%dir %{_datadir}/polkit-1/rules.d
%{_datadir}/polkit-1/actions/org.freedesktop.systemd1.policy
%{_datadir}/polkit-1/actions/org.freedesktop.hostname1.policy
%{_datadir}/polkit-1/actions/org.freedesktop.login1.policy
%{_datadir}/polkit-1/actions/org.freedesktop.locale1.policy
%{_datadir}/polkit-1/actions/org.freedesktop.timedate1.policy
%{_datadir}/polkit-1/rules.d/systemd-networkd.rules
/etc/polkit-1/localauthority/10-vendor.d/systemd-networkd.pkla
%{_datadir}/pkgconfig/systemd.pc
%{_datadir}/pkgconfig/udev.pc
%{_datadir}/bash-completion/completions/*
@ -1024,8 +978,6 @@ getent passwd systemd-journal-upload &>/dev/null || useradd -r -l -g systemd-jou
%{_mandir}/man[1578]/systemd-sleep*
%files container
%config(noreplace) %{_sysconfdir}/dbus-1/system.d/org.freedesktop.machine1.conf
%config(noreplace) %{_sysconfdir}/dbus-1/system.d/org.freedesktop.import1.conf
%{_libdir}/libnss_mymachines.so.2
%{_bindir}/machinectl
%{_bindir}/systemd-nspawn
@ -1048,6 +1000,9 @@ getent passwd systemd-journal-upload &>/dev/null || useradd -r -l -g systemd-jou
%{pkgdir}/systemd-pull
%{pkgdir}/network/80-container-ve.network
%{pkgdir}/network/80-container-vz.network
%{_datadir}/dbus-1/system.d/org.freedesktop.import1.conf
%{_datadir}/dbus-1/system.d/org.freedesktop.machine1.conf
%{_datadir}/dbus-1/system-services/org.freedesktop.import1.service
%{_datadir}/dbus-1/system-services/org.freedesktop.machine1.service
%{_datadir}/dbus-1/system-services/org.freedesktop.import1.service
%{_datadir}/polkit-1/actions/org.freedesktop.import1.policy
@ -1079,7 +1034,14 @@ getent passwd systemd-journal-upload &>/dev/null || useradd -r -l -g systemd-jou
%{_mandir}/man[1578]/systemd-journal-upload*
%{_mandir}/man[1578]/systemd-journal-gateway*
%files tests
%{pkgdir}/tests
%changelog
* Thu Mar 2 2017 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 233-1
- New upstream release (#1416201, #1405439, #1420753, many others)
- New systemd-tests subpackage with "installed tests"
* Thu Feb 16 2017 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 232-15
- Add %%ghost %%dir entries for .wants dirs of our targets (#1422894)