Update to v233
parent
4877912f6e
commit
bb41272694
@ -1,28 +0,0 @@
|
||||
From 55edef4fb8c4c0b6536ad824ef05ce412a701c6a Mon Sep 17 00:00:00 2001
|
||||
From: Martin Pitt <martin.pitt@ubuntu.com>
|
||||
Date: Thu, 3 Nov 2016 23:15:33 +0200
|
||||
Subject: [PATCH] build-sys: link test-seccomp against seccomp libs (#4560)
|
||||
|
||||
Fixes build error on recent toolchains:
|
||||
|
||||
../src/test/test-seccomp.c:35: error: undefined reference to 'seccomp_arch_native'
|
||||
collect2: error: ld returned 1 exit status
|
||||
(cherry picked from commit e2df6e90b239cbc1d14f5e63a9ba3abb08a2e787)
|
||||
---
|
||||
Makefile.am | 3 ++-
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/Makefile.am b/Makefile.am
|
||||
index f7652c2346..f2d8bf57f7 100644
|
||||
--- a/Makefile.am
|
||||
+++ b/Makefile.am
|
||||
@@ -2038,7 +2038,8 @@ test_seccomp_SOURCES = \
|
||||
src/test/test-seccomp.c
|
||||
|
||||
test_seccomp_LDADD = \
|
||||
- libsystemd-shared.la
|
||||
+ libsystemd-shared.la \
|
||||
+ $(SECCOMP_LIBS)
|
||||
|
||||
test_namespace_LDADD = \
|
||||
libcore.la
|
@ -1,35 +0,0 @@
|
||||
From a9facbdf54ed3397365f1f4203afa4f606ce7234 Mon Sep 17 00:00:00 2001
|
||||
From: Yu Watanabe <watanabe.yu+github@gmail.com>
|
||||
Date: Fri, 4 Nov 2016 21:58:41 +0900
|
||||
Subject: [PATCH] kernel-install: use exit instead of return (#4565)
|
||||
|
||||
/bin/kernel-install: line 143: return: can only `return' from a function or sourced script
|
||||
|
||||
https://bugzilla.redhat.com/show_bug.cgi?id=1391829
|
||||
(cherry picked from commit 9156493171cf2d78e1ac1a3746c385b0e281acf1)
|
||||
---
|
||||
src/kernel-install/kernel-install | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/kernel-install/kernel-install b/src/kernel-install/kernel-install
|
||||
index 0c0ee718ac..a95b9717f0 100644
|
||||
--- a/src/kernel-install/kernel-install
|
||||
+++ b/src/kernel-install/kernel-install
|
||||
@@ -127,7 +127,7 @@ case $COMMAND in
|
||||
"$f" add "$KERNEL_VERSION" "$BOOT_DIR_ABS" "$KERNEL_IMAGE"
|
||||
x=$?
|
||||
if [[ $x == $SKIP_REMAINING ]]; then
|
||||
- return 0
|
||||
+ exit 0
|
||||
fi
|
||||
((ret+=$x))
|
||||
fi
|
||||
@@ -140,7 +140,7 @@ case $COMMAND in
|
||||
"$f" remove "$KERNEL_VERSION" "$BOOT_DIR_ABS"
|
||||
x=$?
|
||||
if [[ $x == $SKIP_REMAINING ]]; then
|
||||
- return 0
|
||||
+ exit 0
|
||||
fi
|
||||
((ret+=$x))
|
||||
fi
|
@ -1,30 +0,0 @@
|
||||
From 045473ceb4999997f44fd1e4e1a3e5530b6fb828 Mon Sep 17 00:00:00 2001
|
||||
From: Martin Pitt <martin.pitt@ubuntu.com>
|
||||
Date: Tue, 8 Nov 2016 05:31:55 +0100
|
||||
Subject: [PATCH] nspawn: fix exit code for --help and --version (#4609)
|
||||
|
||||
Commit b006762 inverted the initial exit code which is relevant for --help and
|
||||
--version without a particular reason. For these special options, parse_argv()
|
||||
returns 0 so that our main() immediately skips to the end without adjusting
|
||||
"ret". Otherwise, if an actual container is being started, ret is set on error
|
||||
in run(), which still provides the "non-zero exit on error" behaviour.
|
||||
|
||||
Fixes #4605.
|
||||
(cherry picked from commit cfed63f60dd7412c199652825ed172c319b02b3c)
|
||||
---
|
||||
src/nspawn/nspawn.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
|
||||
index c56af6e6f4..c8fc011907 100644
|
||||
--- a/src/nspawn/nspawn.c
|
||||
+++ b/src/nspawn/nspawn.c
|
||||
@@ -4033,7 +4033,7 @@ int main(int argc, char *argv[]) {
|
||||
bool root_device_rw = true, home_device_rw = true, srv_device_rw = true;
|
||||
_cleanup_close_ int master = -1, image_fd = -1;
|
||||
_cleanup_fdset_free_ FDSet *fds = NULL;
|
||||
- int r, n_fd_passed, loop_nr = -1, ret = EXIT_FAILURE;
|
||||
+ int r, n_fd_passed, loop_nr = -1, ret = EXIT_SUCCESS;
|
||||
char veth_name[IFNAMSIZ] = "";
|
||||
bool secondary = false, remove_subvol = false;
|
||||
pid_t pid = 0;
|
@ -1,37 +0,0 @@
|
||||
From fb36bef4e4884a62b70cd98f7d2d52abf8091106 Mon Sep 17 00:00:00 2001
|
||||
From: Martin Pitt <martin.pitt@ubuntu.com>
|
||||
Date: Thu, 10 Nov 2016 05:33:13 +0100
|
||||
Subject: [PATCH] core: don't use the unified hierarchy for the systemd cgroup
|
||||
yet (#4628)
|
||||
|
||||
Too many things don't get along with the unified hierarchy yet:
|
||||
|
||||
* https://github.com/opencontainers/runc/issues/1175
|
||||
* https://github.com/docker/docker/issues/28109
|
||||
* https://github.com/lxc/lxc/issues/1280
|
||||
|
||||
So revert the default to the legacy hierarchy for now. Developers of the above
|
||||
software can opt into the unified hierarchy with
|
||||
"systemd.legacy_systemd_cgroup_controller=0".
|
||||
(cherry picked from commit 843d5baf6aad6c53fc00ea8d95d83209a4f92de1)
|
||||
---
|
||||
src/basic/cgroup-util.c | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/basic/cgroup-util.c b/src/basic/cgroup-util.c
|
||||
index cede835920..134e6e3664 100644
|
||||
--- a/src/basic/cgroup-util.c
|
||||
+++ b/src/basic/cgroup-util.c
|
||||
@@ -2423,10 +2423,10 @@ bool cg_is_unified_systemd_controller_wanted(void) {
|
||||
|
||||
r = get_proc_cmdline_key("systemd.legacy_systemd_cgroup_controller=", &value);
|
||||
if (r < 0)
|
||||
- return true;
|
||||
+ return false;
|
||||
|
||||
if (r == 0)
|
||||
- wanted = true;
|
||||
+ wanted = false;
|
||||
else
|
||||
wanted = parse_boolean(value) <= 0;
|
||||
}
|
@ -1,332 +0,0 @@
|
||||
From d14d851c73c1fecbf361db94c48156e02d61c4e8 Mon Sep 17 00:00:00 2001
|
||||
From: Djalal Harouni <tixxdz@opendz.org>
|
||||
Date: Sun, 6 Nov 2016 22:51:49 +0100
|
||||
Subject: [PATCH] core: make RootDirectory= and ProtectKernelModules= work
|
||||
|
||||
Instead of having two fields inside BindMount struct where one is stack
|
||||
based and the other one is heap, use one field to store the full path
|
||||
and updated it when we chase symlinks. This way we avoid dealing with
|
||||
both at the same time.
|
||||
|
||||
This makes RootDirectory= work with ProtectHome= and ProtectKernelModules=yes
|
||||
|
||||
Fixes: https://github.com/systemd/systemd/issues/4567
|
||||
(cherry picked from commit f0a4feb0a5318e52107b0df63997a9b13f5be668)
|
||||
---
|
||||
src/core/namespace.c | 142 +++++++++++++++++++++++++++++++--------------------
|
||||
1 file changed, 86 insertions(+), 56 deletions(-)
|
||||
|
||||
diff --git a/src/core/namespace.c b/src/core/namespace.c
|
||||
index 1195e9a854..c45c120193 100644
|
||||
--- a/src/core/namespace.c
|
||||
+++ b/src/core/namespace.c
|
||||
@@ -58,8 +58,7 @@ typedef enum MountMode {
|
||||
} MountMode;
|
||||
|
||||
typedef struct BindMount {
|
||||
- const char *path; /* stack memory, doesn't need to be freed explicitly */
|
||||
- char *chased; /* malloc()ed memory, needs to be freed */
|
||||
+ char *path;
|
||||
MountMode mode;
|
||||
bool ignore; /* Ignore if path does not exist */
|
||||
} BindMount;
|
||||
@@ -155,12 +154,27 @@ static const TargetMount protect_system_strict_table[] = {
|
||||
{ "/root", READWRITE, true }, /* ProtectHome= */
|
||||
};
|
||||
|
||||
-static void set_bind_mount(BindMount **p, const char *path, MountMode mode, bool ignore) {
|
||||
+static void set_bind_mount(BindMount **p, char *path, MountMode mode, bool ignore) {
|
||||
(*p)->path = path;
|
||||
(*p)->mode = mode;
|
||||
(*p)->ignore = ignore;
|
||||
}
|
||||
|
||||
+static int append_one_mount(BindMount **p, const char *root_directory,
|
||||
+ const char *path, MountMode mode, bool ignore) {
|
||||
+ char *lpath;
|
||||
+ assert(p);
|
||||
+
|
||||
+ lpath = prefix_root(root_directory, path);
|
||||
+ if (!lpath)
|
||||
+ return -ENOMEM;
|
||||
+
|
||||
+ set_bind_mount(p, lpath, mode, ignore);
|
||||
+ (*p)++;
|
||||
+
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
static int append_mounts(BindMount **p, char **strv, MountMode mode) {
|
||||
char **i;
|
||||
|
||||
@@ -168,6 +182,7 @@ static int append_mounts(BindMount **p, char **strv, MountMode mode) {
|
||||
|
||||
STRV_FOREACH(i, strv) {
|
||||
bool ignore = false;
|
||||
+ char *path;
|
||||
|
||||
if (IN_SET(mode, INACCESSIBLE, READONLY, READWRITE) && startswith(*i, "-")) {
|
||||
(*i)++;
|
||||
@@ -177,7 +192,11 @@ static int append_mounts(BindMount **p, char **strv, MountMode mode) {
|
||||
if (!path_is_absolute(*i))
|
||||
return -EINVAL;
|
||||
|
||||
- set_bind_mount(p, *i, mode, ignore);
|
||||
+ path = strdup(*i);
|
||||
+ if (!path)
|
||||
+ return -ENOMEM;
|
||||
+
|
||||
+ set_bind_mount(p, path, mode, ignore);
|
||||
(*p)++;
|
||||
}
|
||||
|
||||
@@ -196,7 +215,11 @@ static int append_target_mounts(BindMount **p, const char *root_directory, const
|
||||
* declaration we do not support "-" at the beginning.
|
||||
*/
|
||||
const TargetMount *m = &mounts[i];
|
||||
- const char *path = prefix_roota(root_directory, m->path);
|
||||
+ char *path;
|
||||
+
|
||||
+ path = prefix_root(root_directory, m->path);
|
||||
+ if (!path)
|
||||
+ return -ENOMEM;
|
||||
|
||||
if (!path_is_absolute(path))
|
||||
return -EINVAL;
|
||||
@@ -309,6 +332,7 @@ static void drop_duplicates(BindMount *m, unsigned *n) {
|
||||
* above. */
|
||||
if (previous && path_equal(f->path, previous->path)) {
|
||||
log_debug("%s is duplicate.", f->path);
|
||||
+ f->path = mfree(f->path);
|
||||
continue;
|
||||
}
|
||||
|
||||
@@ -336,6 +360,7 @@ static void drop_inaccessible(BindMount *m, unsigned *n) {
|
||||
* it, as inaccessible paths really should drop the entire subtree. */
|
||||
if (clear && path_startswith(f->path, clear)) {
|
||||
log_debug("%s is masked by %s.", f->path, clear);
|
||||
+ f->path = mfree(f->path);
|
||||
continue;
|
||||
}
|
||||
|
||||
@@ -375,6 +400,7 @@ static void drop_nop(BindMount *m, unsigned *n) {
|
||||
/* We found it, let's see if it's the same mode, if so, we can drop this entry */
|
||||
if (found && p->mode == f->mode) {
|
||||
log_debug("%s is redundant by %s", f->path, p->path);
|
||||
+ f->path = mfree(f->path);
|
||||
continue;
|
||||
}
|
||||
}
|
||||
@@ -401,6 +427,7 @@ static void drop_outside_root(const char *root_directory, BindMount *m, unsigned
|
||||
|
||||
if (!path_startswith(f->path, root_directory)) {
|
||||
log_debug("%s is outside of root directory.", f->path);
|
||||
+ f->path = mfree(f->path);
|
||||
continue;
|
||||
}
|
||||
|
||||
@@ -652,18 +679,21 @@ static int chase_all_symlinks(const char *root_directory, BindMount *m, unsigned
|
||||
* can't resolve the path, and which have been marked for such removal. */
|
||||
|
||||
for (f = m, t = m; f < m+*n; f++) {
|
||||
-
|
||||
- r = chase_symlinks(f->path, root_directory, &f->chased);
|
||||
- if (r == -ENOENT && f->ignore) /* Doesn't exist? Then remove it! */
|
||||
+ _cleanup_free_ char *chased = NULL;
|
||||
+ r = chase_symlinks(f->path, root_directory, &chased);
|
||||
+ if (r == -ENOENT && f->ignore) {
|
||||
+ /* Doesn't exist? Then remove it! */
|
||||
+ f->path = mfree(f->path);
|
||||
continue;
|
||||
+ }
|
||||
if (r < 0)
|
||||
return log_debug_errno(r, "Failed to chase symlinks for %s: %m", f->path);
|
||||
|
||||
- if (path_equal(f->path, f->chased))
|
||||
- f->chased = mfree(f->chased);
|
||||
- else {
|
||||
- log_debug("Chased %s → %s", f->path, f->chased);
|
||||
- f->path = f->chased;
|
||||
+ if (!path_equal(f->path, chased)) {
|
||||
+ log_debug("Chased %s → %s", f->path, chased);
|
||||
+ r = free_and_strdup(&f->path, chased);
|
||||
+ if (r < 0)
|
||||
+ return r;
|
||||
}
|
||||
|
||||
*t = *f;
|
||||
@@ -724,96 +754,96 @@ int setup_namespace(
|
||||
|
||||
BindMount *m, *mounts = NULL;
|
||||
bool make_slave = false;
|
||||
- unsigned n;
|
||||
+ unsigned n_mounts;
|
||||
int r = 0;
|
||||
|
||||
if (mount_flags == 0)
|
||||
mount_flags = MS_SHARED;
|
||||
|
||||
- n = namespace_calculate_mounts(ns_info,
|
||||
- read_write_paths,
|
||||
- read_only_paths,
|
||||
- inaccessible_paths,
|
||||
- tmp_dir, var_tmp_dir,
|
||||
- protect_home, protect_system);
|
||||
+ n_mounts = namespace_calculate_mounts(ns_info,
|
||||
+ read_write_paths,
|
||||
+ read_only_paths,
|
||||
+ inaccessible_paths,
|
||||
+ tmp_dir, var_tmp_dir,
|
||||
+ protect_home, protect_system);
|
||||
|
||||
/* Set mount slave mode */
|
||||
- if (root_directory || n > 0)
|
||||
+ if (root_directory || n_mounts > 0)
|
||||
make_slave = true;
|
||||
|
||||
- if (n > 0) {
|
||||
- m = mounts = (BindMount *) alloca0(n * sizeof(BindMount));
|
||||
+ if (n_mounts > 0) {
|
||||
+ m = mounts = (BindMount *) alloca0(n_mounts * sizeof(BindMount));
|
||||
r = append_mounts(&m, read_write_paths, READWRITE);
|
||||
if (r < 0)
|
||||
- return r;
|
||||
+ goto finish;
|
||||
|
||||
r = append_mounts(&m, read_only_paths, READONLY);
|
||||
if (r < 0)
|
||||
- return r;
|
||||
+ goto finish;
|
||||
|
||||
r = append_mounts(&m, inaccessible_paths, INACCESSIBLE);
|
||||
if (r < 0)
|
||||
- return r;
|
||||
+ goto finish;
|
||||
|
||||
if (tmp_dir) {
|
||||
- m->path = prefix_roota(root_directory, "/tmp");
|
||||
- m->mode = PRIVATE_TMP;
|
||||
- m++;
|
||||
+ r = append_one_mount(&m, root_directory, "/tmp", PRIVATE_TMP, false);
|
||||
+ if (r < 0)
|
||||
+ goto finish;
|
||||
}
|
||||
|
||||
if (var_tmp_dir) {
|
||||
- m->path = prefix_roota(root_directory, "/var/tmp");
|
||||
- m->mode = PRIVATE_VAR_TMP;
|
||||
- m++;
|
||||
+ r = append_one_mount(&m, root_directory, "/var/tmp", PRIVATE_VAR_TMP, false);
|
||||
+ if (r < 0)
|
||||
+ goto finish;
|
||||
}
|
||||
|
||||
if (ns_info->private_dev) {
|
||||
- m->path = prefix_roota(root_directory, "/dev");
|
||||
- m->mode = PRIVATE_DEV;
|
||||
- m++;
|
||||
+ r = append_one_mount(&m, root_directory, "/dev", PRIVATE_DEV, false);
|
||||
+ if (r < 0)
|
||||
+ goto finish;
|
||||
}
|
||||
|
||||
if (ns_info->protect_kernel_tunables) {
|
||||
r = append_protect_kernel_tunables(&m, root_directory);
|
||||
if (r < 0)
|
||||
- return r;
|
||||
+ goto finish;
|
||||
}
|
||||
|
||||
if (ns_info->protect_kernel_modules) {
|
||||
r = append_protect_kernel_modules(&m, root_directory);
|
||||
if (r < 0)
|
||||
- return r;
|
||||
+ goto finish;
|
||||
}
|
||||
|
||||
if (ns_info->protect_control_groups) {
|
||||
- m->path = prefix_roota(root_directory, "/sys/fs/cgroup");
|
||||
- m->mode = READONLY;
|
||||
- m++;
|
||||
+ r = append_one_mount(&m, root_directory, "/sys/fs/cgroup", READONLY, false);
|
||||
+ if (r < 0)
|
||||
+ goto finish;
|
||||
}
|
||||
|
||||
r = append_protect_home(&m, root_directory, protect_home);
|
||||
if (r < 0)
|
||||
- return r;
|
||||
+ goto finish;
|
||||
|
||||
r = append_protect_system(&m, root_directory, protect_system);
|
||||
if (r < 0)
|
||||
- return r;
|
||||
+ goto finish;
|
||||
|
||||
- assert(mounts + n == m);
|
||||
+ assert(mounts + n_mounts == m);
|
||||
|
||||
/* Resolve symlinks manually first, as mount() will always follow them relative to the host's
|
||||
* root. Moreover we want to suppress duplicates based on the resolved paths. This of course is a bit
|
||||
* racy. */
|
||||
- r = chase_all_symlinks(root_directory, mounts, &n);
|
||||
+ r = chase_all_symlinks(root_directory, mounts, &n_mounts);
|
||||
if (r < 0)
|
||||
goto finish;
|
||||
|
||||
- qsort(mounts, n, sizeof(BindMount), mount_path_compare);
|
||||
+ qsort(mounts, n_mounts, sizeof(BindMount), mount_path_compare);
|
||||
|
||||
- drop_duplicates(mounts, &n);
|
||||
- drop_outside_root(root_directory, mounts, &n);
|
||||
- drop_inaccessible(mounts, &n);
|
||||
- drop_nop(mounts, &n);
|
||||
+ drop_duplicates(mounts, &n_mounts);
|
||||
+ drop_outside_root(root_directory, mounts, &n_mounts);
|
||||
+ drop_inaccessible(mounts, &n_mounts);
|
||||
+ drop_nop(mounts, &n_mounts);
|
||||
}
|
||||
|
||||
if (unshare(CLONE_NEWNS) < 0) {
|
||||
@@ -843,25 +873,25 @@ int setup_namespace(
|
||||
}
|
||||
}
|
||||
|
||||
- if (n > 0) {
|
||||
+ if (n_mounts > 0) {
|
||||
char **blacklist;
|
||||
unsigned j;
|
||||
|
||||
/* First round, add in all special mounts we need */
|
||||
- for (m = mounts; m < mounts + n; ++m) {
|
||||
+ for (m = mounts; m < mounts + n_mounts; ++m) {
|
||||
r = apply_mount(m, tmp_dir, var_tmp_dir);
|
||||
if (r < 0)
|
||||
goto finish;
|
||||
}
|
||||
|
||||
/* Create a blacklist we can pass to bind_mount_recursive() */
|
||||
- blacklist = newa(char*, n+1);
|
||||
- for (j = 0; j < n; j++)
|
||||
+ blacklist = newa(char*, n_mounts+1);
|
||||
+ for (j = 0; j < n_mounts; j++)
|
||||
blacklist[j] = (char*) mounts[j].path;
|
||||
blacklist[j] = NULL;
|
||||
|
||||
/* Second round, flip the ro bits if necessary. */
|
||||
- for (m = mounts; m < mounts + n; ++m) {
|
||||
+ for (m = mounts; m < mounts + n_mounts; ++m) {
|
||||
r = make_read_only(m, blacklist);
|
||||
if (r < 0)
|
||||
goto finish;
|
||||
@@ -886,8 +916,8 @@ int setup_namespace(
|
||||
r = 0;
|
||||
|
||||
finish:
|
||||
- for (m = mounts; m < mounts + n; m++)
|
||||
- free(m->chased);
|
||||
+ for (m = mounts; m < mounts + n_mounts; m++)
|
||||
+ free(m->path);
|
||||
|
||||
return r;
|
||||
}
|
@ -1,34 +0,0 @@
|
||||
From d7270c1642fa81b34b266d33412a842edc42c64c Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
|
||||
Date: Mon, 7 Nov 2016 08:54:47 -0500
|
||||
Subject: [PATCH] nspawn: avoid one strdup by using free_and_replace
|
||||
|
||||
(cherry picked from commit 49fedb4094b69d279095ef8ce8d9203161aed5d9)
|
||||
---
|
||||
src/core/namespace.c | 5 +++--
|
||||
1 file changed, 3 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/core/namespace.c b/src/core/namespace.c
|
||||
index c45c120193..524416ecbd 100644
|
||||
--- a/src/core/namespace.c
|
||||
+++ b/src/core/namespace.c
|
||||
@@ -678,8 +678,9 @@ static int chase_all_symlinks(const char *root_directory, BindMount *m, unsigned
|
||||
* chase the symlinks on our own first. This call wil do so for all entries and remove all entries where we
|
||||
* can't resolve the path, and which have been marked for such removal. */
|
||||
|
||||
- for (f = m, t = m; f < m+*n; f++) {
|
||||
+ for (f = m, t = m; f < m + *n; f++) {
|
||||
_cleanup_free_ char *chased = NULL;
|
||||
+
|
||||
r = chase_symlinks(f->path, root_directory, &chased);
|
||||
if (r == -ENOENT && f->ignore) {
|
||||
/* Doesn't exist? Then remove it! */
|
||||
@@ -691,7 +692,7 @@ static int chase_all_symlinks(const char *root_directory, BindMount *m, unsigned
|
||||
|
||||
if (!path_equal(f->path, chased)) {
|
||||
log_debug("Chased %s → %s", f->path, chased);
|
||||
- r = free_and_strdup(&f->path, chased);
|
||||
+ r = free_and_replace(f->path, chased);
|
||||
if (r < 0)
|
||||
return r;
|
||||
}
|
@ -1,60 +0,0 @@
|
||||
From ff699dcd6f4e665119afa7ac0a9446907d02c966 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
|
||||
Date: Mon, 7 Nov 2016 08:57:30 -0500
|
||||
Subject: [PATCH] nspawn: slight simplification
|
||||
|
||||
(cherry picked from commit 46c3230dd0985062f06341809faa05e73fa1ccd1)
|
||||
---
|
||||
src/core/namespace.c | 18 +++++++-----------
|
||||
1 file changed, 7 insertions(+), 11 deletions(-)
|
||||
|
||||
diff --git a/src/core/namespace.c b/src/core/namespace.c
|
||||
index 524416ecbd..b18fcf3e29 100644
|
||||
--- a/src/core/namespace.c
|
||||
+++ b/src/core/namespace.c
|
||||
@@ -154,10 +154,10 @@ static const TargetMount protect_system_strict_table[] = {
|
||||
{ "/root", READWRITE, true }, /* ProtectHome= */
|
||||
};
|
||||
|
||||
-static void set_bind_mount(BindMount **p, char *path, MountMode mode, bool ignore) {
|
||||
- (*p)->path = path;
|
||||
- (*p)->mode = mode;
|
||||
- (*p)->ignore = ignore;
|
||||
+static void set_bind_mount(BindMount *p, char *path, MountMode mode, bool ignore) {
|
||||
+ p->path = path;
|
||||
+ p->mode = mode;
|
||||
+ p->ignore = ignore;
|
||||
}
|
||||
|
||||
static int append_one_mount(BindMount **p, const char *root_directory,
|
||||
@@ -169,9 +169,7 @@ static int append_one_mount(BindMount **p, const char *root_directory,
|
||||
if (!lpath)
|
||||
return -ENOMEM;
|
||||
|
||||
- set_bind_mount(p, lpath, mode, ignore);
|
||||
- (*p)++;
|
||||
-
|
||||
+ set_bind_mount((*p)++, lpath, mode, ignore);
|
||||
return 0;
|
||||
}
|
||||
|
||||
@@ -196,8 +194,7 @@ static int append_mounts(BindMount **p, char **strv, MountMode mode) {
|
||||
if (!path)
|
||||
return -ENOMEM;
|
||||
|
||||
- set_bind_mount(p, path, mode, ignore);
|
||||
- (*p)++;
|
||||
+ set_bind_mount((*p)++, path, mode, ignore);
|
||||
}
|
||||
|
||||
return 0;
|
||||
@@ -224,8 +221,7 @@ static int append_target_mounts(BindMount **p, const char *root_directory, const
|
||||
if (!path_is_absolute(path))
|
||||
return -EINVAL;
|
||||
|
||||
- set_bind_mount(p, path, m->mode, m->ignore);
|
||||
- (*p)++;
|
||||
+ set_bind_mount((*p)++, path, m->mode, m->ignore);
|
||||
}
|
||||
|
||||
return 0;
|
@ -1,119 +0,0 @@
|
||||
From f28e754a5b0400d439cb3a9a3d288191f5a742ed Mon Sep 17 00:00:00 2001
|
||||
From: Djalal Harouni <tixxdz@opendz.org>
|
||||
Date: Thu, 10 Nov 2016 18:11:37 +0100
|
||||
Subject: [PATCH] core:namespace: count and free failed paths inside
|
||||
chase_all_symlinks() (#4619)
|
||||
|
||||
This certainly fixes a bug that was introduced by PR
|
||||
https://github.com/systemd/systemd/pull/4594 that intended to fix
|
||||
https://github.com/systemd/systemd/issues/4567.
|
||||
|
||||
The fix was not complete. This patch makes sure that we count and free
|
||||
all paths that fail inside chase_all_symlinks().
|
||||
|
||||
Fixes https://github.com/systemd/systemd/issues/4567
|
||||
(cherry picked from commit 1d54cd5d255065c8659ca68d2591e810e6104714)
|
||||
---
|
||||
src/core/namespace.c | 32 ++++++++++++++++++--------------
|
||||
1 file changed, 18 insertions(+), 14 deletions(-)
|
||||
|
||||
diff --git a/src/core/namespace.c b/src/core/namespace.c
|
||||
index b18fcf3e29..49a50c7b61 100644
|
||||
--- a/src/core/namespace.c
|
||||
+++ b/src/core/namespace.c
|
||||
@@ -322,7 +322,7 @@ static void drop_duplicates(BindMount *m, unsigned *n) {
|
||||
|
||||
/* Drops duplicate entries. Expects that the array is properly ordered already. */
|
||||
|
||||
- for (f = m, t = m, previous = NULL; f < m+*n; f++) {
|
||||
+ for (f = m, t = m, previous = NULL; f < m + *n; f++) {
|
||||
|
||||
/* The first one wins (which is the one with the more restrictive mode), see mount_path_compare()
|
||||
* above. */
|
||||
@@ -350,7 +350,7 @@ static void drop_inaccessible(BindMount *m, unsigned *n) {
|
||||
/* Drops all entries obstructed by another entry further up the tree. Expects that the array is properly
|
||||
* ordered already. */
|
||||
|
||||
- for (f = m, t = m; f < m+*n; f++) {
|
||||
+ for (f = m, t = m; f < m + *n; f++) {
|
||||
|
||||
/* If we found a path set for INACCESSIBLE earlier, and this entry has it as prefix we should drop
|
||||
* it, as inaccessible paths really should drop the entire subtree. */
|
||||
@@ -378,7 +378,7 @@ static void drop_nop(BindMount *m, unsigned *n) {
|
||||
/* Drops all entries which have an immediate parent that has the same type, as they are redundant. Assumes the
|
||||
* list is ordered by prefixes. */
|
||||
|
||||
- for (f = m, t = m; f < m+*n; f++) {
|
||||
+ for (f = m, t = m; f < m + *n; f++) {
|
||||
|
||||
/* Only suppress such subtrees for READONLY and READWRITE entries */
|
||||
if (IN_SET(f->mode, READONLY, READWRITE)) {
|
||||
@@ -414,12 +414,13 @@ static void drop_outside_root(const char *root_directory, BindMount *m, unsigned
|
||||
assert(m);
|
||||
assert(n);
|
||||
|
||||
+ /* Nothing to do */
|
||||
if (!root_directory)
|
||||
return;
|
||||
|
||||
/* Drops all mounts that are outside of the root directory. */
|
||||
|
||||
- for (f = m, t = m; f < m+*n; f++) {
|
||||
+ for (f = m, t = m; f < m + *n; f++) {
|
||||
|
||||
if (!path_startswith(f->path, root_directory)) {
|
||||
log_debug("%s is outside of root directory.", f->path);
|
||||
@@ -663,9 +664,10 @@ static int make_read_only(BindMount *m, char **blacklist) {
|
||||
return r;
|
||||
}
|
||||
|
||||
+/* Chase symlinks and remove failed paths from mounts */
|
||||
static int chase_all_symlinks(const char *root_directory, BindMount *m, unsigned *n) {
|
||||
BindMount *f, *t;
|
||||
- int r;
|
||||
+ int r = 0;
|
||||
|
||||
assert(m);
|
||||
assert(n);
|
||||
@@ -675,22 +677,24 @@ static int chase_all_symlinks(const char *root_directory, BindMount *m, unsigned
|
||||
* can't resolve the path, and which have been marked for such removal. */
|
||||
|
||||
for (f = m, t = m; f < m + *n; f++) {
|
||||
+ int k;
|
||||
_cleanup_free_ char *chased = NULL;
|
||||
|
||||
- r = chase_symlinks(f->path, root_directory, &chased);
|
||||
- if (r == -ENOENT && f->ignore) {
|
||||
- /* Doesn't exist? Then remove it! */
|
||||
+ k = chase_symlinks(f->path, root_directory, &chased);
|
||||
+ if (k < 0) {
|
||||
+ /* Get only real errors */
|
||||
+ if (r >= 0 && (k != -ENOENT || !f->ignore))
|
||||
+ r = k;
|
||||
+
|
||||
+ log_debug_errno(r, "Failed to chase symlinks for %s: %m", f->path);
|
||||
+ /* Doesn't exist or failed? Then remove it and continue! */
|
||||
f->path = mfree(f->path);
|
||||
continue;
|
||||
}
|
||||
- if (r < 0)
|
||||
- return log_debug_errno(r, "Failed to chase symlinks for %s: %m", f->path);
|
||||
|
||||
if (!path_equal(f->path, chased)) {
|
||||
log_debug("Chased %s → %s", f->path, chased);
|
||||
- r = free_and_replace(f->path, chased);
|
||||
- if (r < 0)
|
||||
- return r;
|
||||
+ free_and_replace(f->path, chased);
|
||||
}
|
||||
|
||||
*t = *f;
|
||||
@@ -698,7 +702,7 @@ static int chase_all_symlinks(const char *root_directory, BindMount *m, unsigned
|
||||
}
|
||||
|
||||
*n = t - m;
|
||||
- return 0;
|
||||
+ return r;
|
||||
}
|
||||
|
||||
static unsigned namespace_calculate_mounts(
|
@ -1,29 +0,0 @@
|
||||
From 7d7017a583a014c239cf8f68d484f22f67ca80ac Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
|
||||
Date: Fri, 11 Nov 2016 10:54:54 -0500
|
||||
Subject: [PATCH] basic/virt: fix userns check on CONFIG_USER_NS=n kernel
|
||||
(#4651)
|
||||
|
||||
ENOENT should be treated as "false", but because of the broken errno check it
|
||||
was treated as an error. So ConditionVirtualization=user-namespaces probably
|
||||
returned the correct answer, but only by accident.
|
||||
|
||||
Fixes #4608.
|
||||
(cherry picked from commit abd67ce74858491565cde157c7b08fda43d3279c)
|
||||
---
|
||||
src/basic/virt.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/basic/virt.c b/src/basic/virt.c
|
||||
index 69b0f96183..d8d57381ad 100644
|
||||
--- a/src/basic/virt.c
|
||||
+++ b/src/basic/virt.c
|
||||
@@ -496,7 +496,7 @@ static int userns_has_mapping(const char *name) {
|
||||
f = fopen(name, "re");
|
||||
if (!f) {
|
||||
log_debug_errno(errno, "Failed to open %s: %m", name);
|
||||
- return errno == -ENOENT ? false : -errno;
|
||||
+ return errno == ENOENT ? false : -errno;
|
||||
}
|
||||
|
||||
n = getline(&buf, &n_allocated, f);
|
@ -1,41 +0,0 @@
|
||||
From 986e777a9e8f34b16b3bc9ea50479dba8559a845 Mon Sep 17 00:00:00 2001
|
||||
From: akochetkov <al.kochet@gmail.com>
|
||||
Date: Fri, 11 Nov 2016 20:50:46 +0300
|
||||
Subject: [PATCH] timesyncd: clear ADJ_MAXERROR to keep STA_UNSYNC cleared
|
||||
after jump adjust (#4626)
|
||||
|
||||
NTP use jump adjust if system has incorrect time read from RTC during boot.
|
||||
It is desireble to update RTC time as soon as NTP set correct system time.
|
||||
Sometimes kernel failed to update RTC due to STA_UNSYNC get set before RTC
|
||||
update finised. In that case RTC time wouldn't be updated within long time.
|
||||
The commit makes RTC updates stable.
|
||||
|
||||
When NTP do jump time adjust using ADJ_SETOFFSET it clears STA_UNSYNC flag.
|
||||
If don't clear ADJ_MAXERROR, STA_UNSYNC will be set again by kernel within
|
||||
1 second (by second_overflow() function). STA_UNSYNC flag prevent RTC updates
|
||||
in kernel. Sometimes the kernel is able to update RTC withing 1 second,
|
||||
but sometimes it falied.
|
||||
(cherry picked from commit 5f36e3d30375cf04292bbc1bf3f4d7512cf80139)
|
||||
---
|
||||
src/timesync/timesyncd-manager.c | 4 +++-
|
||||
1 file changed, 3 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/timesync/timesyncd-manager.c b/src/timesync/timesyncd-manager.c
|
||||
index d5e16db3a0..419f0fa279 100644
|
||||
--- a/src/timesync/timesyncd-manager.c
|
||||
+++ b/src/timesync/timesyncd-manager.c
|
||||
@@ -330,11 +330,13 @@ static int manager_adjust_clock(Manager *m, double offset, int leap_sec) {
|
||||
tmx.esterror = 0;
|
||||
log_debug(" adjust (slew): %+.3f sec", offset);
|
||||
} else {
|
||||
- tmx.modes = ADJ_STATUS | ADJ_NANO | ADJ_SETOFFSET;
|
||||
+ tmx.modes = ADJ_STATUS | ADJ_NANO | ADJ_SETOFFSET | ADJ_MAXERROR | ADJ_ESTERROR;
|
||||
|
||||
/* ADJ_NANO uses nanoseconds in the microseconds field */
|
||||
tmx.time.tv_sec = (long)offset;
|
||||
tmx.time.tv_usec = (offset - tmx.time.tv_sec) * NSEC_PER_SEC;
|
||||
+ tmx.maxerror = 0;
|
||||
+ tmx.esterror = 0;
|
||||
|
||||
/* the kernel expects -0.3s as {-1, 7000.000.000} */
|
||||
if (tmx.time.tv_usec < 0) {
|
@ -1,23 +0,0 @@
|
||||
From 8f8eacd358dcac603173d66525b4741616c76997 Mon Sep 17 00:00:00 2001
|
||||
From: Maks Naumov <maksqwe1@ukr.net>
|
||||
Date: Mon, 14 Nov 2016 12:33:43 +0200
|
||||
Subject: [PATCH] link: fix offload features initialization (#4639)
|
||||
|
||||
(cherry picked from commit 45d34fa7fb9f587f09e8cca882966050b4cbb5be)
|
||||
---
|
||||
src/udev/net/link-config.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/udev/net/link-config.c b/src/udev/net/link-config.c
|
||||
index ece9248c2a..fa8fe1fb9a 100644
|
||||
--- a/src/udev/net/link-config.c
|
||||
+++ b/src/udev/net/link-config.c
|
||||
@@ -168,7 +168,7 @@ static int load_link(link_config_ctx *ctx, const char *filename) {
|
||||
link->wol = _WOL_INVALID;
|
||||
link->duplex = _DUP_INVALID;
|
||||
|
||||
- memset(&link->features, -1, _NET_DEV_FEAT_MAX);
|
||||
+ memset(&link->features, -1, sizeof(link->features));
|
||||
|
||||
r = config_parse(NULL, filename, file,
|
||||
"Match\0Link\0Ethernet\0",
|
@ -1,48 +0,0 @@
|
||||
From b291d260e0ebc7a7528f37e97e8b404968f34e18 Mon Sep 17 00:00:00 2001
|
||||
From: Martin Ejdestig <marejde@gmail.com>
|
||||
Date: Tue, 22 Nov 2016 01:21:00 +0100
|
||||
Subject: [PATCH] sd-event: fix sd_event_source_get_priority() (#4712)
|
||||
|
||||
To properly store priority in passed in pointer and return 0 for success.
|
||||
Also add a test for verifying that it works correctly.
|
||||
(cherry picked from commit 6680b8d118490bbb3e5522729ec50d9975088fd5)
|
||||
---
|
||||
src/libsystemd/sd-event/sd-event.c | 3 ++-
|
||||
src/libsystemd/sd-event/test-event.c | 3 +++
|
||||
2 files changed, 5 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/libsystemd/sd-event/sd-event.c b/src/libsystemd/sd-event/sd-event.c
|
||||
index 9857f8b1fc..f94959adac 100644
|
||||
--- a/src/libsystemd/sd-event/sd-event.c
|
||||
+++ b/src/libsystemd/sd-event/sd-event.c
|
||||
@@ -1539,7 +1539,8 @@ _public_ int sd_event_source_get_priority(sd_event_source *s, int64_t *priority)
|
||||
assert_return(s, -EINVAL);
|
||||
assert_return(!event_pid_changed(s->event), -ECHILD);
|
||||
|
||||
- return s->priority;
|
||||
+ *priority = s->priority;
|
||||
+ return 0;
|
||||
}
|
||||
|
||||
_public_ int sd_event_source_set_priority(sd_event_source *s, int64_t priority) {
|
||||
diff --git a/src/libsystemd/sd-event/test-event.c b/src/libsystemd/sd-event/test-event.c
|
||||
index 289114490c..c0e5e06a18 100644
|
||||
--- a/src/libsystemd/sd-event/test-event.c
|
||||
+++ b/src/libsystemd/sd-event/test-event.c
|
||||
@@ -172,6 +172,7 @@ static void test_basic(void) {
|
||||
static const char ch = 'x';
|
||||
int a[2] = { -1, -1 }, b[2] = { -1, -1}, d[2] = { -1, -1}, k[2] = { -1, -1 };
|
||||
uint64_t event_now;
|
||||
+ int64_t priority;
|
||||
|
||||
assert_se(pipe(a) >= 0);
|
||||
assert_se(pipe(b) >= 0);
|
||||
@@ -209,6 +210,8 @@ static void test_basic(void) {
|
||||
assert_se(sd_event_add_exit(e, &q, exit_handler, INT_TO_PTR('g')) >= 0);
|
||||
|
||||
assert_se(sd_event_source_set_priority(x, 99) >= 0);
|
||||
+ assert_se(sd_event_source_get_priority(x, &priority) >= 0);
|
||||
+ assert_se(priority == 99);
|
||||
assert_se(sd_event_source_set_enabled(y, SD_EVENT_ONESHOT) >= 0);
|
||||
assert_se(sd_event_source_set_prepare(x, prepare_handler) >= 0);
|
||||
assert_se(sd_event_source_set_priority(z, 50) >= 0);
|
@ -1,42 +0,0 @@
|
||||
From 25cd9391929a46f1f38daf6aa4421de6a1afc47e Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
|
||||
Date: Wed, 23 Nov 2016 10:18:30 -0500
|
||||
Subject: [PATCH] build-sys: check for lz4 in the old and new numbering scheme
|
||||
(#4717)
|
||||
|
||||
lz4 upstream decided to switch to an incompatible numbering scheme
|
||||
(1.7.3 follows 131, to match the so version).
|
||||
PKG_CHECK_MODULES does not allow two version matches for the same package,
|
||||
so e.g. lz4 < 10 || lz4 >= 125 cannot be used. Check twice, once for
|
||||
"new" numbers (anything below 10 is assume to be new), once for the "old"
|
||||
numbers (anything above >= 125). This assumes that the "new" versioning
|
||||
will not get to 10 to quickly. I think that's a safe assumption, lz4 is a
|
||||
mature project.
|
||||
|
||||
Fixed #4690.
|
||||
(cherry picked from commit 3d4cf7de48a74726694abbaa09f9804b845ff3ba)
|
||||
---
|
||||
configure.ac | 9 ++++++---
|
||||
1 file changed, 6 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/configure.ac b/configure.ac
|
||||
index 0b10fc7de7..1928e65bde 100644
|
||||
--- a/configure.ac
|
||||
+++ b/configure.ac
|
||||
@@ -623,10 +623,13 @@ AM_CONDITIONAL(HAVE_BZIP2, [test "$have_bzip2" = "yes"])
|
||||
have_lz4=no
|
||||
AC_ARG_ENABLE(lz4, AS_HELP_STRING([--disable-lz4], [Disable optional LZ4 support]))
|
||||
AS_IF([test "x$enable_lz4" != "xno"], [
|
||||
- PKG_CHECK_MODULES(LZ4, [ liblz4 >= 125 ],
|
||||
- [AC_DEFINE(HAVE_LZ4, 1, [Define in LZ4 is available])
|
||||
+ PKG_CHECK_MODULES(LZ4, [ liblz4 < 10 ],
|
||||
+ [AC_DEFINE(HAVE_LZ4, 1, [Define if LZ4 is available])
|
||||
have_lz4=yes],
|
||||
- have_lz4=no)
|
||||
+ [PKG_CHECK_MODULES(LZ4, [ liblz4 >= 125 ],
|
||||
+ [AC_DEFINE(HAVE_LZ4, 1, [Define if LZ4 is available])
|
||||
+ have_lz4=yes],
|
||||
+ have_lz4=no)])
|
||||
AS_IF([test "x$have_lz4" = xno -a "x$enable_lz4" = xyes],
|
||||
[AC_MSG_ERROR([*** LZ4 support requested but libraries not found])])
|
||||
])
|
@ -1,28 +0,0 @@
|
||||
From 23c3ed8b2c0875c9f2a3e3b4e4d69af8cd49d9a2 Mon Sep 17 00:00:00 2001
|
||||
From: Susant Sahani <ssahani@users.noreply.github.com>
|
||||
Date: Wed, 23 Nov 2016 21:03:01 +0530
|
||||
Subject: [PATCH] networkd: fix size of MTUBytes so that it does not overwrites
|
||||
ARP (#4707)
|
||||
|
||||
config_parse_iec_size overwrites the next varible that is ARP.
|
||||
Now the mtu is unsigned . Make it size_t .
|
||||
|
||||
Fixes #4644
|
||||
(cherry picked from commit b8b40317d0355bc70bb23a6240a36f3630c4952b)
|
||||
---
|
||||
src/network/networkd-network.h | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/network/networkd-network.h b/src/network/networkd-network.h
|
||||
index 42fc82d392..11ff34b5b5 100644
|
||||
--- a/src/network/networkd-network.h
|
||||
+++ b/src/network/networkd-network.h
|
||||
@@ -173,7 +173,7 @@ struct Network {
|
||||
IPv6PrivacyExtensions ipv6_privacy_extensions;
|
||||
|
||||
struct ether_addr *mac;
|
||||
- unsigned mtu;
|
||||
+ size_t mtu;
|
||||
int arp;
|
||||
uint32_t iaid;
|
||||
DUID duid;
|
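Review bot: `size_t mtu;` is only safe while the parser bound to this field keeps storing a `size_t`, and nothing at the declaration records that coupling. According to the commit message, the previous `unsigned` was overrun into the adjacent `arp` by config_parse_iec_size. A comment on the field, e.g. `size_t mtu; /* written by config_parse_iec_size(), which stores a size_t */`, would keep a later type change from reintroducing the overwrite. Widening also means any consumer that passes `mtu` on as a 32-bit value now narrows implicitly; those call sites are outside the hunk, as are the start and end of struct Network.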
@ -1,47 +0,0 @@
|
||||
From 409612865dd716752da4785b5d8cb75a24cebab4 Mon Sep 17 00:00:00 2001
|
||||
From: Franck Bui <fbui@suse.com>
|
||||
Date: Wed, 23 Nov 2016 16:31:24 +0100
|
||||
Subject: [PATCH] core: consider SIGTERM as a clean exit status for
|
||||
initrd-switch-root.service (#4713)
|
||||
|
||||
Since commit 1f0958f640b8717, systemd considers SIGTERM for short-running
|
||||
services (aka Type=oneshot) as a failure.
|
||||
|
||||
This can be an issue with initrd-switch-root.service as the command run by this
|
||||
service (in order to switch to the new rootfs) may still be running when
|
||||
systemd does the switch.
|
||||
|
||||
However PID1 sends SIGTERM to all remaining processes right before
|
||||
switching and initrd-switch-root.service can be one of those.
|
||||
|
||||
After systemd is reexecuted and its previous state is deserialized, systemd
|
||||
notices that initrd-switch-root.service was killed with SIGTERM and considers
|
||||
this as a failure which leads to the emergency shell.
|
||||
|
||||
To prevent this, this patch teaches systemd to consider a SIGTERM exit as a
|
||||
clean one for this service.
|
||||
|
||||
It also removes "KillMode=none" since this is pretty useless as the service is
|
||||
never stopped by systemd but it either exits normally or it's killed by a
|
||||
SIGTERM as described previously.
|
||||
(cherry picked from commit a4021390fef27f4136497328f2e35e79bc88855d)
|
||||
---
|
||||
units/initrd-switch-root.service.in | 8 +++++++-
|
||||
1 file changed, 7 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/units/initrd-switch-root.service.in b/units/initrd-switch-root.service.in
|
||||
index 82893dafb1..b89f2348c7 100644
|
||||
--- a/units/initrd-switch-root.service.in
|
||||
+++ b/units/initrd-switch-root.service.in
|
||||
@@ -17,4 +17,10 @@ AllowIsolate=yes
|
||||
Type=oneshot
|
||||
# we have to use "--force" here, otherwise systemd would umount /run
|
||||
ExecStart=@rootbindir@/systemctl --no-block --force switch-root /sysroot
|
||||
-KillMode=none
|
||||
+
|
||||
+# Just before switching to the new rootfs, systemd might send us a TERM signal
|
||||
+# depending on how fast we are to execute the main command and exit. If we get
|
||||
+# the SIGTERM signal that simply means that we succeed but haven't got enough
|
||||
+# time to exit properly. Since systemd considers SIGTERM as a failure for
|
||||
+# short-running process (aka Type=oneshot), instruct it to ignore this case.
|
||||
+SuccessExitStatus=SIGTERM
|
@ -1,73 +0,0 @@
|
||||
From 0e2e7e8269dacd5845150170d3d47c2d677474ab Mon Sep 17 00:00:00 2001
|
||||
From: Franck Bui <fbui@suse.com>
|
||||
Date: Thu, 24 Nov 2016 18:52:04 +0100
|
||||
Subject: [PATCH] core: make sure initrd-switch-root command survives PID1's
|
||||
killing spree (#4730)
|
||||
|
||||
This is a different way to implement the fix proposed by commit
|
||||
a4021390fef27f4136497328f suggested by Lennart Poettering.
|
||||
|
||||
In this patch we instruct PID1 to not kill "systemctl switch-root" command
|
||||
started by initrd-switch-root service using the "argv[0][0]='@'" trick.
|
||||
|
||||
See: https://www.freedesktop.org/wiki/Software/systemd/RootStorageDaemons/ for
|
||||
more details.
|
||||
|
||||
We had to backup argv[0] because argv is modified by dispatch_verb().
|
||||
(cherry picked from commit acc28e2e3037d689d6481e4664925cf31d4d087b)
|
||||
---
|
||||
src/systemctl/systemctl.c | 10 ++++++++++
|
||||
units/initrd-switch-root.service.in | 8 +-------
|
||||
2 files changed, 11 insertions(+), 7 deletions(-)
|
||||
|
||||
diff --git a/src/systemctl/systemctl.c b/src/systemctl/systemctl.c
|
||||
index dd3b931cd6..a2b667481d 100644
|
||||
--- a/src/systemctl/systemctl.c
|
||||
+++ b/src/systemctl/systemctl.c
|
||||
@@ -142,6 +142,7 @@ static const char *arg_kill_who = NULL;
|
||||
static int arg_signal = SIGTERM;
|
||||
static char *arg_root = NULL;
|
||||
static usec_t arg_when = 0;
|
||||
+static char *argv_cmdline = NULL;
|
||||
static enum action {
|
||||
_ACTION_INVALID,
|
||||
ACTION_SYSTEMCTL,
|
||||
@@ -5584,6 +5585,13 @@ static int switch_root(int argc, char *argv[], void *userdata) {
|
||||
init = NULL;
|
||||
}
|
||||
|
||||
+ /* Instruct PID1 to exclude us from its killing spree applied during
|
||||
+ * the transition from the initrd to the main system otherwise we would
|
||||
+ * exit with a failure status even though the switch to the new root
|
||||
+ * has succeed. */
|
||||
+ if (in_initrd())
|
||||
+ argv_cmdline[0] = '@';
|
||||
+
|
||||
r = acquire_bus(BUS_MANAGER, &bus);
|
||||
if (r < 0)
|
||||
return r;
|
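Review bot: `argv_cmdline[0] = '@';` dereferences a file-scope pointer that is assigned only in main() (`argv_cmdline = argv[0];` in the last systemctl.c hunk), and neither place checks it for NULL. A process started with an empty argument vector has `argv[0] == NULL`, so inside the initrd this write would fault; `if (in_initrd() && argv_cmdline)` avoids that. The comment could also state that the write changes the process's own command line in place, since that side effect is what PID 1 looks at. switch_root() starts before and continues after the hunk.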
||||
@@ -8324,6 +8332,8 @@ static int logind_cancel_shutdown(void) {
|
||||
int main(int argc, char*argv[]) {
|
||||
int r;
|
||||
|
||||
+ argv_cmdline = argv[0];
|
||||
+
|
||||
setlocale(LC_ALL, "");
|
||||
log_parse_environment();
|
||||
log_open();
|
||||
diff --git a/units/initrd-switch-root.service.in b/units/initrd-switch-root.service.in
|
||||
index b89f2348c7..82893dafb1 100644
|
||||
--- a/units/initrd-switch-root.service.in
|
||||
+++ b/units/initrd-switch-root.service.in
|
||||
@@ -17,10 +17,4 @@ AllowIsolate=yes
|
||||
Type=oneshot
|
||||
# we have to use "--force" here, otherwise systemd would umount /run
|
||||
ExecStart=@rootbindir@/systemctl --no-block --force switch-root /sysroot
|
||||
-
|
||||
-# Just before switching to the new rootfs, systemd might send us a TERM signal
|
||||
-# depending on how fast we are to execute the main command and exit. If we get
|
||||
-# the SIGTERM signal that simply means that we succeed but haven't got enough
|
||||
-# time to exit properly. Since systemd considers SIGTERM as a failure for
|
||||
-# short-running process (aka Type=oneshot), instruct it to ignore this case.
|
||||
-SuccessExitStatus=SIGTERM
|
||||
+KillMode=none
|
@ -1,30 +0,0 @@
|
||||
From 4392ebaa516ef068809bb7f3d8a58b68f2face4f Mon Sep 17 00:00:00 2001
|
||||
From: Waldemar Brodkorb <wbx-github@users.noreply.github.com>
|
||||
Date: Fri, 25 Nov 2016 11:24:58 +0100
|
||||
Subject: [PATCH] fix journald startup problem when code is compiled with
|
||||
-DNDEBUG (#4735)
|
||||
|
||||
Similar to this patch from here:
|
||||
http://systemd-devel.freedesktop.narkive.com/AvfCbi6c/patch-0-3-using-assert-se-on-actions-with-side-effects-on-test-cases
|
||||
|
||||
If the code is compiled with -DNDEBUG which is the default for
|
||||
some embedded buildsystems, systemd-journald does not startup
|
||||
and silently fails.
|
||||
(cherry picked from commit 9bab3b65b0ad625ebbf50583c46f5c7c35b18a70)
|
||||
---
|
||||
src/journal/journald-server.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/journal/journald-server.c b/src/journal/journald-server.c
|
||||
index 908c7b8eeb..c0987625cd 100644
|
||||
--- a/src/journal/journald-server.c
|
||||
+++ b/src/journal/journald-server.c
|
||||
@@ -1480,7 +1480,7 @@ static int setup_signals(Server *s) {
|
||||
|
||||
assert(s);
|
||||
|
||||
- assert(sigprocmask_many(SIG_SETMASK, NULL, SIGINT, SIGTERM, SIGUSR1, SIGUSR2, SIGRTMIN+1, -1) >= 0);
|
||||
+ assert_se(sigprocmask_many(SIG_SETMASK, NULL, SIGINT, SIGTERM, SIGUSR1, SIGUSR2, SIGRTMIN+1, -1) >= 0);
|
||||
|
||||
r = sd_event_add_signal(s->event, &s->sigusr1_event_source, SIGUSR1, dispatch_sigusr1, s);
|
||||
if (r < 0)
|
@ -1,33 +0,0 @@
|
||||
From 9dd94c0ac4b29250e0c06f2bbd8e73cc2072da7d Mon Sep 17 00:00:00 2001
|
||||
From: Dave Reisner <d@falconindy.com>
|
||||
Date: Sun, 27 Nov 2016 17:05:39 -0500
|
||||
Subject: [PATCH] device: Avoid calling unit_free(NULL) in device setup logic
|
||||
(#4748)
|
||||
|
||||
Since a581e45ae8f9bb5c, there's a few function calls to
|
||||
unit_new_for_name which will unit_free on failure. Prior to this commit,
|
||||
a failure would result in calling unit_free with a NULL unit, and hit an
|
||||
assertion failure, seen at least via device_setup_unit:
|
||||
|
||||
Assertion 'u' failed at src/core/unit.c:519, function unit_free(). Aborting.
|
||||
|
||||
Fixes #4747
|
||||
https://bugs.archlinux.org/task/51950
|
||||
(cherry picked from commit d112eae7da77899be245ab52aa1747d4675549f1)
|
||||
---
|
||||
src/core/device.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/core/device.c b/src/core/device.c
|
||||
index bd87a447cd..4b9e84aeb6 100644
|
||||
--- a/src/core/device.c
|
||||
+++ b/src/core/device.c
|
||||
@@ -365,7 +365,7 @@ static int device_setup_unit(Manager *m, struct udev_device *dev, const char *pa
|
||||
fail:
|
||||
log_unit_warning_errno(u, r, "Failed to set up device unit: %m");
|
||||
|
||||
- if (delete)
|
||||
+ if (delete && u)
|
||||
unit_free(u);
|
||||
|
||||
return r;
|
@ -1,24 +0,0 @@
|
||||
From 9b01faa700c80007d2a25f92dc704b3e1aaf365d Mon Sep 17 00:00:00 2001
|
||||
From: Daniel Wagner <wagi@monom.org>
|
||||
Date: Mon, 28 Nov 2016 18:24:26 +0100
|
||||
Subject: [PATCH] udevd: check correct return value of fcntl() (#4758)
|
||||
|
||||
This looks like a copy&paste error from the code block above.
|
||||
(cherry picked from commit a92cf7840ffefc279bc5cc409197d13752dec6e7)
|
||||
---
|
||||
src/udev/udevd.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/udev/udevd.c b/src/udev/udevd.c
|
||||
index badbab6205..c97c52e962 100644
|
||||
--- a/src/udev/udevd.c
|
||||
+++ b/src/udev/udevd.c
|
||||
@@ -1345,7 +1345,7 @@ static int listen_fds(int *rctrl, int *rnetlink) {
|
||||
return log_error_errno(netlink_fd, "could not get uevent fd: %m");
|
||||
|
||||
netlink_fd = fcntl(fd, F_DUPFD_CLOEXEC, 3);
|
||||
- if (ctrl_fd < 0)
|
||||
+ if (netlink_fd < 0)
|
||||
return log_error_errno(errno, "could not dup netlink fd: %m");
|
||||
}
|
||||
|
@ -1,24 +0,0 @@
|
||||
From c9b991db38bc74ad36b1f584c5f7fdafc0278564 Mon Sep 17 00:00:00 2001
|
||||
From: Franck Bui <fbui@suse.com>
|
||||
Date: Wed, 30 Nov 2016 18:27:42 +0100
|
||||
Subject: [PATCH] systemctl: fix 'is-enabled' exit status on failure when
|
||||
executed in chroot (#4773)
|
||||
|
||||
(cherry picked from commit c5024cd05c194b93ae960bf38e567d3d998f2a03)
|
||||
---
|
||||
src/systemctl/systemctl.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/systemctl/systemctl.c b/src/systemctl/systemctl.c
|
||||
index a2b667481d..4edc690f5c 100644
|
||||
--- a/src/systemctl/systemctl.c
|
||||
+++ b/src/systemctl/systemctl.c
|
||||
@@ -6384,7 +6384,7 @@ static int unit_is_enabled(int argc, char *argv[], void *userdata) {
|
||||
|
||||
r = unit_file_get_state(arg_scope, arg_root, *name, &state);
|
||||
if (r < 0)
|
||||
- return log_error_errno(state, "Failed to get unit file state for %s: %m", *name);
|
||||
+ return log_error_errno(r, "Failed to get unit file state for %s: %m", *name);
|
||||
|
||||
if (IN_SET(state,
|
||||
UNIT_FILE_ENABLED,
|
@ -1,30 +0,0 @@
|
||||
From dc28516400f7f56a4a6fbc8ab6740d2dc98f99ea Mon Sep 17 00:00:00 2001
|
||||
From: Franck Bui <fbui@suse.com>
|
||||
Date: Fri, 2 Dec 2016 18:40:10 +0100
|
||||
Subject: [PATCH] journal: make sure to initially populate the space info cache
|
||||
(#4807)
|
||||
|
||||
Make sure to populate the cache in cache_space_refresh() at least once
|
||||
otherwise it's possible that the system boots fast enough (and the journal
|
||||
flush service is finished) before the invalidate cache timeout (30 us) has
|
||||
expired.
|
||||
|
||||
Fixes: #4790
|
||||
(cherry picked from commit 3099caf2b5bb9498b1d0227c40926435ca81f26f)
|
||||
---
|
||||
src/journal/journald-server.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/journal/journald-server.c b/src/journal/journald-server.c
|
||||
index c0987625cd..1d2fce8dc7 100644
|
||||
--- a/src/journal/journald-server.c
|
||||
+++ b/src/journal/journald-server.c
|
||||
@@ -144,7 +144,7 @@ static int cache_space_refresh(Server *s, JournalStorage *storage) {
|
||||
|
||||
ts = now(CLOCK_MONOTONIC);
|
||||
|
||||
- if (space->timestamp + RECHECK_SPACE_USEC > ts)
|
||||
+ if (space->timestamp != 0 && space->timestamp + RECHECK_SPACE_USEC > ts)
|
||||
return 0;
|
||||
|
||||
r = determine_path_usage(s, storage->path, &vfs_used, &vfs_avail);
|
@ -1,47 +0,0 @@
|
||||
From 783168312d5b7b29535488d785fdd4a849436368 Mon Sep 17 00:00:00 2001
|
||||
From: Susant Sahani <ssahani@users.noreply.github.com>
|
||||
Date: Mon, 5 Dec 2016 20:01:48 +0530
|
||||
Subject: [PATCH] networkd: link_enter_configured remove assert (#4800)
|
||||
|
||||
When we are in link_enter_configured we assume that the
|
||||
link->state should be LINK_STATE_SETTING_ROUTES but in some
|
||||
situation it's LINK_STATlE_SETTING_ADDRESSES.
|
||||
|
||||
Just ignore the wrong state.
|
||||
|
||||
Also since the return value not used any where
|
||||
make link_enter_configured return type void.
|
||||
|
||||
Fixes: #4746
|
||||
(cherry picked from commit e3a7b04848a438f7b5a9a2bf5d7e0e59c5c49a00)
|
||||
---
|
||||
src/network/networkd-link.c | 8 ++++----
|
||||
1 file changed, 4 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/src/network/networkd-link.c b/src/network/networkd-link.c
|
||||
index aefe7335b9..4dfbe0bf7e 100644
|
||||
--- a/src/network/networkd-link.c
|
||||
+++ b/src/network/networkd-link.c
|
||||
@@ -686,18 +686,18 @@ static Address* link_find_dhcp_server_address(Link *link) {
|
||||
return NULL;
|
||||
}
|
||||
|
||||
-static int link_enter_configured(Link *link) {
|
||||
+static void link_enter_configured(Link *link) {
|
||||
assert(link);
|
||||
assert(link->network);
|
||||
- assert(link->state == LINK_STATE_SETTING_ROUTES);
|
||||
+
|
||||
+ if (link->state != LINK_STATE_SETTING_ROUTES)
|
||||
+ return;
|
||||
|
||||
log_link_info(link, "Configured");
|
||||
|
||||
link_set_state(link, LINK_STATE_CONFIGURED);
|
||||
|
||||
link_dirty(link);
|
||||
-
|
||||
- return 0;
|
||||
}
|
||||
|
||||
void link_check_ready(Link *link) {
|
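Review bot: The new early `return;` for `link->state != LINK_STATE_SETTING_ROUTES` drops the unexpected state silently, so the condition the removed assert used to catch now leaves no trace at all. A debug line before the return, e.g. `log_link_debug(link, "Not entering configured state, link is not setting routes");`, would keep the state-machine anomaly diagnosable without bringing the abort back. A one-line comment saying which other state is known to reach this function (the commit message names the address-setting state) would help the next reader as well.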
@ -1,25 +0,0 @@
|
||||
From 09dc7999c275723f7e364386cd85e8f698e744c9 Mon Sep 17 00:00:00 2001
|
||||
From: Kieran Colford <kieran@kcolford.com>
|
||||
Date: Tue, 6 Dec 2016 04:46:13 -0500
|
||||
Subject: [PATCH] rules: consider MMC device partitions with partition number >
|
||||
9 (#4831)
|
||||
|
||||
Add entries for extra partitions found on MMC devices (common in Chromebooks).
|
||||
(cherry picked from commit 471b9850ee10dea07233af485e125897d2d35a00)
|
||||
---
|
||||
rules/60-persistent-storage.rules | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/rules/60-persistent-storage.rules b/rules/60-persistent-storage.rules
|
||||
index c13d05cdb1..bbd52e825e 100644
|
||||
--- a/rules/60-persistent-storage.rules
|
||||
+++ b/rules/60-persistent-storage.rules
|
||||
@@ -54,7 +54,7 @@ KERNEL=="sd*[0-9]", ATTRS{ieee1394_id}=="?*", SYMLINK+="disk/by-id/ieee1394-$att
|
||||
# MMC
|
||||
KERNEL=="mmcblk[0-9]", SUBSYSTEMS=="mmc", ATTRS{name}=="?*", ATTRS{serial}=="?*", \
|
||||
ENV{ID_NAME}="$attr{name}", ENV{ID_SERIAL}="$attr{serial}", SYMLINK+="disk/by-id/mmc-$env{ID_NAME}_$env{ID_SERIAL}"
|
||||
-KERNEL=="mmcblk[0-9]p[0-9]", ENV{ID_NAME}=="?*", ENV{ID_SERIAL}=="?*", SYMLINK+="disk/by-id/mmc-$env{ID_NAME}_$env{ID_SERIAL}-part%n"
|
||||
+KERNEL=="mmcblk[0-9]p[0-9]*", ENV{ID_NAME}=="?*", ENV{ID_SERIAL}=="?*", SYMLINK+="disk/by-id/mmc-$env{ID_NAME}_$env{ID_SERIAL}-part%n"
|
||||
|
||||
# Memstick
|
||||
KERNEL=="msblk[0-9]|mspblk[0-9]", SUBSYSTEMS=="memstick", ATTRS{name}=="?*", ATTRS{serial}=="?*", \
|
@ -1,23 +0,0 @@
|
||||
From 331ea131a5d1b942603c01225758c29f9ca98feb Mon Sep 17 00:00:00 2001
|
||||
From: Wim de With <register@wimdewith.com>
|
||||
Date: Sat, 10 Dec 2016 05:33:58 +0100
|
||||
Subject: [PATCH] nspawn: add missing -E to getopt_long (#4860)
|
||||
|
||||
(cherry picked from commit 2e1f244efd2dfc1a60d032bef3d88b9ba6e0444b)
|
||||
---
|
||||
src/nspawn/nspawn.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
|
||||
index c8fc011907..81573be95a 100644
|
||||
--- a/src/nspawn/nspawn.c
|
||||
+++ b/src/nspawn/nspawn.c
|
||||
@@ -472,7 +472,7 @@ static int parse_argv(int argc, char *argv[]) {
|
||||
assert(argc >= 0);
|
||||
assert(argv);
|
||||
|
||||
- while ((c = getopt_long(argc, argv, "+hD:u:abL:M:jS:Z:qi:xp:nU", options, NULL)) >= 0)
|
||||
+ while ((c = getopt_long(argc, argv, "+hD:u:abL:M:jS:Z:qi:xp:nUE:", options, NULL)) >= 0)
|
||||
|
||||
switch (c) {
|
||||
|
@ -1,24 +0,0 @@
|
||||
From f04a5c9d6a733f44d8f88dcea4ec340ec2d1d2c4 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
|
||||
Date: Sat, 10 Dec 2016 13:01:22 -0500
|
||||
Subject: [PATCH] build-sys: define arm as secondary architecture for arm64
|
||||
|
||||
Completely unstested. Fixes #4862.
|
||||
|
||||
(cherry picked from commit b7cac52779d52eff6ed03103922ffe1208a7baa9)
|
||||
---
|
||||
src/basic/architecture.h | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/src/basic/architecture.h b/src/basic/architecture.h
|
||||
index 5a77c31932..b329df2f6d 100644
|
||||
--- a/src/basic/architecture.h
|
||||
+++ b/src/basic/architecture.h
|
||||
@@ -150,6 +150,7 @@ int uname_architecture(void);
|
||||
# else
|
||||
# define native_architecture() ARCHITECTURE_ARM64
|
||||
# define LIB_ARCH_TUPLE "aarch64-linux-gnu"
|
||||
+# define SECONDARY_ARCHITECTURE ARCHITECTURE_ARM
|
||||
# endif
|
||||
#elif defined(__arm__)
|
||||
# if __BYTE_ORDER == __BIG_ENDIAN
|
@ -1,75 +0,0 @@
|
||||
From 92f6078aeadec4dfd0e4e9e2ef14b0f7794141cc Mon Sep 17 00:00:00 2001
|
||||
From: Andrey Ulanov <aulanov@gmail.com>
|
||||
Date: Mon, 12 Dec 2016 17:38:18 -0800
|
||||
Subject: [PATCH] nspawn: when getting SIGCHLD make sure it's from the first
|
||||
child (#4855)
|
||||
|
||||
When getting SIGCHLD we should not assume that it was the first
|
||||
child forked from system-nspawn that has died as it may also be coming
|
||||
from an orphan process. This change adds a signal handler that ignores
|
||||
SIGCHLD unless it came from the first containerized child - the real
|
||||
child.
|
||||
|
||||
Before this change the problem can be reproduced as follows:
|
||||
|
||||
$ sudo systemd-nspawn --directory=/container-root --share-system
|
||||
Press ^] three times within 1s to kill container.
|
||||
[root@andreyu-coreos ~]# { true & } &
|
||||
[1] 22201
|
||||
[root@andreyu-coreos ~]#
|
||||
Container root-fedora-latest terminated by signal KILL
|
||||
(cherry picked from commit 6916b164642d8bb4938878f4284f8ee5ccf3efd6)
|
||||
---
|
||||
src/nspawn/nspawn.c | 25 +++++++++++++++++++++++--
|
||||
1 file changed, 23 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
|
||||
index 81573be95a..503265545b 100644
|
||||
--- a/src/nspawn/nspawn.c
|
||||
+++ b/src/nspawn/nspawn.c
|
||||
@@ -38,6 +38,7 @@
|
||||
#include <sys/personality.h>
|
||||
#include <sys/prctl.h>
|
||||
#include <sys/types.h>
|
||||
+#include <sys/wait.h>
|
||||
#include <unistd.h>
|
||||
|
||||
#include "sd-daemon.h"
|
||||
@@ -2538,6 +2539,26 @@ static int on_orderly_shutdown(sd_event_source *s, const struct signalfd_siginfo
|
||||
return 0;
|
||||
}
|
||||
|
||||
+static int on_sigchld(sd_event_source *s, const struct signalfd_siginfo *ssi, void *userdata) {
|
||||
+ for (;;) {
|
||||
+ siginfo_t si = {};
|
||||
+ if (waitid(P_ALL, 0, &si, WNOHANG|WNOWAIT|WEXITED) < 0)
|
||||
+ return log_error_errno(errno, "Failed to waitid(): %m");
|
||||
+ if (si.si_pid == 0) /* No pending children. */
|
||||
+ break;
|
||||
+ if (si.si_pid == PTR_TO_PID(userdata)) {
|
||||
+ /* The main process we care for has exited. Return from
|
||||
+ * signal handler but leave the zombie. */
|
||||
+ sd_event_exit(sd_event_source_get_event(s), 0);
|
||||
+ break;
|
||||
+ }
|
||||
+ /* Reap all other children. */
|
||||
+ (void) waitid(P_PID, si.si_pid, &si, WNOHANG|WEXITED);
|
||||
+ }
|
||||
+
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
static int determine_names(void) {
|
||||
int r;
|
||||
|
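Review bot: on_sigchld() returns a negative value when the first `waitid()` fails, and as far as I can tell sd-event disables an event source whose callback returns an error. After a single failure nspawn would then stop noticing that the container's main process has exited. Logging the failure and returning 0, or calling `sd_event_exit()` with the error so the loop ends deliberately, would make that outcome explicit. The matching `sd_event_add_signal(event, NULL, SIGCHLD, on_sigchld, PID_TO_PTR(*pid));` in the run() hunk also discards its return value, so a failed registration would go unnoticed in the same way.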
||||
@@ -3952,8 +3973,8 @@ static int run(int master,
|
||||
sd_event_add_signal(event, NULL, SIGTERM, NULL, NULL);
|
||||
}
|
||||
|
||||
- /* simply exit on sigchld */
|
||||
- sd_event_add_signal(event, NULL, SIGCHLD, NULL, NULL);
|
||||
+ /* Exit when the child exits */
|
||||
+ sd_event_add_signal(event, NULL, SIGCHLD, on_sigchld, PID_TO_PTR(*pid));
|
||||
|
||||
if (arg_expose_ports) {
|
||||
r = expose_port_watch_rtnl(event, rtnl_socket_pair[0], on_address_change, exposed, &rtnl);
|
@ -1,28 +0,0 @@
|
||||
From 1fd8d16fb95b883c927fc8ec73b343b4edba5e6b Mon Sep 17 00:00:00 2001
|
||||
From: Lennart Poettering <lennart@poettering.net>
|
||||
Date: Tue, 6 Dec 2016 19:35:31 +0100
|
||||
Subject: [PATCH] =?UTF-8?q?machinectl:=20make=20"machinectl=20-E=20?=
|
||||
=?UTF-8?q?=E2=80=A6=20shell"=20work?=
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Fixes: #4823
|
||||
(cherry picked from commit 61f638e5446d0d4a5b5e7f81c174e4f072bd01f7)
|
||||
---
|
||||
src/machine/machinectl.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/machine/machinectl.c b/src/machine/machinectl.c
|
||||
index 7b9be3b425..d54caecf46 100644
|
||||
--- a/src/machine/machinectl.c
|
||||
+++ b/src/machine/machinectl.c
|
||||
@@ -2756,7 +2756,7 @@ static int parse_argv(int argc, char *argv[]) {
|
||||
assert(argv);
|
||||
|
||||
for (;;) {
|
||||
- static const char option_string[] = "-hp:als:H:M:qn:o:";
|
||||
+ static const char option_string[] = "-hp:als:H:M:qn:o:E:";
|
||||
|
||||
c = getopt_long(argc, argv, option_string + reorder, options, NULL);
|
||||
if (c < 0)
|
@ -1,54 +0,0 @@
|
||||
From 59ebe5b42ccd7cacbf5975f8ddc1aa42c78e45db Mon Sep 17 00:00:00 2001
|
||||
From: Lennart Poettering <lennart@poettering.net>
|
||||
Date: Tue, 6 Dec 2016 19:36:30 +0100
|
||||
Subject: [PATCH] sysv-generator: properly translate sysv facilities
|
||||
|
||||
We used the wrong return value in one case, so that our translations were
|
||||
thrown away.
|
||||
|
||||
While we are at it, make sure to always initialize *ret on successful function
|
||||
exits.
|
||||
|
||||
Fixes: #4762
|
||||
(cherry picked from commit e932f5407ef5ad05d25d7dfefa4cda0fe81cc346)
|
||||
---
|
||||
src/sysv-generator/sysv-generator.c | 10 +++++++---
|
||||
1 file changed, 7 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/src/sysv-generator/sysv-generator.c b/src/sysv-generator/sysv-generator.c
|
||||
index c2c80175a2..212cf7a988 100644
|
||||
--- a/src/sysv-generator/sysv-generator.c
|
||||
+++ b/src/sysv-generator/sysv-generator.c
|
||||
@@ -292,8 +292,10 @@ static int sysv_translate_facility(SysvStub *s, unsigned line, const char *name,
|
||||
if (!streq(table[i], n))
|
||||
continue;
|
||||
|
||||
- if (!table[i+1])
|
||||
+ if (!table[i+1]) {
|
||||
+ *ret = NULL;
|
||||
return 0;
|
||||
+ }
|
||||
|
||||
m = strdup(table[i+1]);
|
||||
if (!m)
|
||||
@@ -312,7 +314,7 @@ static int sysv_translate_facility(SysvStub *s, unsigned line, const char *name,
|
||||
if (r < 0)
|
||||
return log_error_errno(r, "[%s:%u] Could not build name for facility %s: %m", s->path, line, name);
|
||||
|
||||
- return r;
|
||||
+ return 1;
|
||||
}
|
||||
|
||||
/* Strip ".sh" suffix from file name for comparison */
|
||||
@@ -324,8 +326,10 @@ static int sysv_translate_facility(SysvStub *s, unsigned line, const char *name,
|
||||
}
|
||||
|
||||
/* Names equaling the file name of the services are redundant */
|
||||
- if (streq_ptr(n, filename))
|
||||
+ if (streq_ptr(n, filename)) {
|
||||
+ *ret = NULL;
|
||||
return 0;
|
||||
+ }
|
||||
|
||||
/* Everything else we assume to be normal service names */
|
||||
m = sysv_translate_name(n);
|
@ -1,40 +0,0 @@
|
||||
From eac04c9feff868c79f7d8438ef66aeb6f2a8a6c9 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
|
||||
Date: Sun, 18 Dec 2016 07:21:19 -0500
|
||||
Subject: [PATCH] core: downgrade "Time has been changed" to debug (#4906)
|
||||
|
||||
That message is emitted by every systemd instance on every resume:
|
||||
Dec 06 08:03:38 laptop systemd[1]: Time has been changed
|
||||
Dec 06 08:03:38 laptop systemd[823]: Time has been changed
|
||||
Dec 06 08:03:38 laptop systemd[916]: Time has been changed
|
||||
Dec 07 08:00:32 laptop systemd[1]: Time has been changed
|
||||
Dec 07 08:00:32 laptop systemd[823]: Time has been changed
|
||||
Dec 07 08:00:32 laptop systemd[916]: Time has been changed
|
||||
-- Reboot --
|
||||
Dec 07 08:02:46 laptop systemd[836]: Time has been changed
|
||||
Dec 07 08:02:46 laptop systemd[1]: Time has been changed
|
||||
Dec 07 08:02:46 laptop systemd[926]: Time has been changed
|
||||
Dec 07 19:48:12 laptop systemd[1]: Time has been changed
|
||||
Dec 07 19:48:12 laptop systemd[836]: Time has been changed
|
||||
Dec 07 19:48:12 laptop systemd[926]: Time has been changed
|
||||
...
|
||||
|
||||
Fixes #4896.
|
||||
(cherry picked from commit a80c1575065c3e3cbf97fd97993ff98598fa01bb)
|
||||
---
|
||||
src/core/manager.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/core/manager.c b/src/core/manager.c
|
||||
index ffccfdcd5e..322e69a69c 100644
|
||||
--- a/src/core/manager.c
|
||||
+++ b/src/core/manager.c
|
||||
@@ -2145,7 +2145,7 @@ static int manager_dispatch_time_change_fd(sd_event_source *source, int fd, uint
|
||||
assert(m);
|
||||
assert(m->time_change_fd == fd);
|
||||
|
||||
- log_struct(LOG_INFO,
|
||||
+ log_struct(LOG_DEBUG,
|
||||
LOG_MESSAGE_ID(SD_MESSAGE_TIME_CHANGE),
|
||||
LOG_MESSAGE("Time has been changed"),
|
||||
NULL);
|
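Review bot: Lowering this `log_struct()` call to `LOG_DEBUG` silences SD_MESSAGE_TIME_CHANGE for the system manager too, so at the default log level a wall-clock jump no longer leaves a journal record that an audit or incident timeline could rely on. The noise described in the commit message comes from every per-user instance repeating the line. Keeping the system instance at info, e.g. `log_struct(MANAGER_IS_SYSTEM(m) ? LOG_INFO : LOG_DEBUG,`, would remove the duplicates without losing the event. manager_dispatch_time_change_fd() begins before and continues after the hunk.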
@ -1,25 +0,0 @@
|
||||
From d3d04283c458c1313ed87a12af538d8e0540e88d Mon Sep 17 00:00:00 2001
|
||||
From: Graeme Lawes <graemelawes@gmail.com>
|
||||
Date: Sun, 25 Dec 2016 06:14:41 -0500
|
||||
Subject: [PATCH] machinectl: handle EOPNOTSUPP from print_addresses (#4979)
|
||||
|
||||
Print addresses returns EOPNOTSUPP, not ENOSYS, when trying to print
|
||||
addresses for non-container machines.
|
||||
(cherry picked from commit 3a0a40d1667e53b623e891527871e9f3ee6cb7b4)
|
||||
---
|
||||
src/machine/machinectl.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/machine/machinectl.c b/src/machine/machinectl.c
|
||||
index d54caecf46..f84226f58f 100644
|
||||
--- a/src/machine/machinectl.c
|
||||
+++ b/src/machine/machinectl.c
|
||||
@@ -326,7 +326,7 @@ static int list_machines(int argc, char *argv[], void *userdata) {
|
||||
(int) max_version_id, strdash_if_empty(machines[j].version_id));
|
||||
|
||||
r = print_addresses(bus, machines[j].name, 0, "", prefix, arg_addrs);
|
||||
- if (r == -ENOSYS)
|
||||
+ if (r == -EOPNOTSUPP)
|
||||
printf("-\n");
|
||||
}
|
||||
|
@ -1,27 +0,0 @@
|
||||
From 511b40e49641a8f59014472ce8e96a7ef61f3cad Mon Sep 17 00:00:00 2001
|
||||
From: Lennart Poettering <lennart@poettering.net>
|
||||
Date: Thu, 29 Dec 2016 10:38:52 +0100
|
||||
Subject: [PATCH] units: fix condition for
|
||||
systemd-journal-catalog-update.service (#4990)
|
||||
|
||||
The service is supposed to regenerate the catalog index whenever /usr is
|
||||
updated, but /var is not. Hence the ConditionNeedsUpdate= line should
|
||||
actually reference /var, as that's where the index file is located.
|
||||
(cherry picked from commit 73c729d76871a64840a4d89fc61a5a64cc96e596)
|
||||
---
|
||||
units/systemd-journal-catalog-update.service.in | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/units/systemd-journal-catalog-update.service.in b/units/systemd-journal-catalog-update.service.in
|
||||
index 6370dd478f..276f052b1a 100644
|
||||
--- a/units/systemd-journal-catalog-update.service.in
|
||||
+++ b/units/systemd-journal-catalog-update.service.in
|
||||
@@ -12,7 +12,7 @@ DefaultDependencies=no
|
||||
Conflicts=shutdown.target
|
||||
After=local-fs.target
|
||||
Before=sysinit.target shutdown.target systemd-update-done.service
|
||||
-ConditionNeedsUpdate=/etc
|
||||
+ConditionNeedsUpdate=/var
|
||||
|
||||
[Service]
|
||||
Type=oneshot
|
@ -1,57 +0,0 @@
|
||||
From 6eda08fbff4f911c5884876a33708cf17fa28a8b Mon Sep 17 00:00:00 2001
|
||||
From: Lennart Poettering <lennart@poettering.net>
|
||||
Date: Thu, 29 Dec 2016 11:21:37 +0100
|
||||
Subject: [PATCH] core: fix sockaddr length calculation for sockaddr_pretty()
|
||||
(#4966)
|
||||
|
||||
Let's simply store the socket address length in the SocketPeer object so
|
||||
that we can use it when invoking sockaddr_pretty():
|
||||
|
||||
This fixes the issue described in #4943, but avoids calling
|
||||
getpeername() twice.
|
||||
(cherry picked from commit 41733ae1e0035c538505bc5be1ca5d67a80b4a82)
|
||||
---
|
||||
src/core/socket.c | 8 ++++++--
|
||||
1 file changed, 6 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/core/socket.c b/src/core/socket.c
|
||||
index 0b1c4acfec..fe2020008f 100644
|
||||
--- a/src/core/socket.c
|
||||
+++ b/src/core/socket.c
|
||||
@@ -64,6 +64,7 @@ struct SocketPeer {
|
||||
|
||||
Socket *socket;
|
||||
union sockaddr_union peer;
|
||||
+ socklen_t peer_salen;
|
||||
};
|
||||
|
||||
static const UnitActiveState state_translation_table[_SOCKET_STATE_MAX] = {
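Review bot: The new `peer_salen` member of `struct SocketPeer` carries no comment tying it to `peer`, although the later hunks show it is only meaningful once `socket_acquire_peer()` has copied `salen` into it. I would document the pairing on the declaration, e.g. `socklen_t peer_salen; /* length of 'peer' as set in socket_acquire_peer(); pass this to sockaddr_pretty() */`. Any other path that fills `peer` without also setting the length would hand `sockaddr_pretty()` an unset length; whether such a path exists cannot be seen from this patch.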
|
||||
@@ -490,8 +491,10 @@ static void peer_address_hash_func(const void *p, struct siphash *state) {
|
||||
|
||||
if (s->peer.sa.sa_family == AF_INET)
|
||||
siphash24_compress(&s->peer.in.sin_addr, sizeof(s->peer.in.sin_addr), state);
|
||||
- else
|
||||
+ else if (s->peer.sa.sa_family == AF_INET6)
|
||||
siphash24_compress(&s->peer.in6.sin6_addr, sizeof(s->peer.in6.sin6_addr), state);
|
||||
+ else
|
||||
+ assert_not_reached("Unknown address family.");
|
||||
}
|
||||
|
||||
static int peer_address_compare_func(const void *a, const void *b) {
|
||||
@@ -609,6 +612,7 @@ int socket_acquire_peer(Socket *s, int fd, SocketPeer **p) {
|
||||
return log_oom();
|
||||
|
||||
remote->peer = sa.peer;
|
||||
+ remote->peer_salen = salen;
|
||||
|
||||
r = set_put(s->peers_by_address, remote);
|
||||
if (r < 0)
|
||||
@@ -2196,7 +2200,7 @@ static void socket_enter_running(Socket *s, int cfd) {
|
||||
} else if (r > 0 && p->n_ref > s->max_connections_per_source) {
|
||||
_cleanup_free_ char *t = NULL;
|
||||
|
||||
- sockaddr_pretty(&p->peer.sa, FAMILY_ADDRESS_SIZE(p->peer.sa.sa_family), true, false, &t);
|
||||
+ (void) sockaddr_pretty(&p->peer.sa, p->peer_salen, true, false, &t);
|
||||
|
||||
log_unit_warning(UNIT(s),
|
||||
"Too many incoming connections (%u) from source %s, dropping connection.",
|
@ -1,40 +0,0 @@
|
||||
From 83d9a6e89af9caebe109c5f309c7bc2d82bd8fc4 Mon Sep 17 00:00:00 2001
|
||||
From: Jan Synacek <jan.synacek@gmail.com>
|
||||
Date: Tue, 3 Jan 2017 21:34:36 +0100
|
||||
Subject: [PATCH] shared: fix double free in unmask (#5005)
|
||||
|
||||
Easily reproducible:
|
||||
1) systemctl mask foo
|
||||
2) systemctl unmask foo foo
|
||||
|
||||
The problem here is that the *i that is put into todo[] is later freed
|
||||
in strv_uniq(), which is not directly visible from this patch. Somewhere
|
||||
further in the code, the string that *i pointed to is freed again. That
|
||||
happens only when multiple services with the same name/path are specified.
|
||||
(cherry picked from commit dc7dd61de610e9330abe7014860acfa733887d5e)
|
||||
---
|
||||
src/shared/install.c | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/shared/install.c b/src/shared/install.c
|
||||
index 96fba6e25b..5f0eec3ccb 100644
|
||||
--- a/src/shared/install.c
|
||||
+++ b/src/shared/install.c
|
||||
@@ -1861,7 +1861,7 @@ int unit_file_unmask(
|
||||
|
||||
_cleanup_lookup_paths_free_ LookupPaths paths = {};
|
||||
_cleanup_set_free_free_ Set *remove_symlinks_to = NULL;
|
||||
- _cleanup_free_ char **todo = NULL;
|
||||
+ _cleanup_strv_free_ char **todo = NULL;
|
||||
size_t n_todo = 0, n_allocated = 0;
|
||||
const char *config_path;
|
||||
char **i;
|
||||
@@ -1899,7 +1899,7 @@ int unit_file_unmask(
|
||||
if (!GREEDY_REALLOC0(todo, n_allocated, n_todo + 2))
|
||||
return -ENOMEM;
|
||||
|
||||
- todo[n_todo++] = *i;
|
||||
+ todo[n_todo++] = strdup(*i);
|
||||
}
|
||||
|
||||
strv_uniq(todo);
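Review bot: The result of `strdup(*i)` is stored unchecked in `todo[n_todo++] = strdup(*i);`, so an allocation failure puts a NULL in the middle of an array that is now released with `_cleanup_strv_free_` and passed to `strv_uniq()`. Both treat the first NULL as the terminator, so entries stored after it would presumably be skipped and leaked. The store should be split and checked: `todo[n_todo] = strdup(*i);`, `if (!todo[n_todo]) return -ENOMEM;`, `n_todo++;`. The follow-up patch "shared: check strdup != NULL" further down this page makes this change. The loop and the rest of `unit_file_unmask()` lie outside the hunk.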
|
@ -1,117 +0,0 @@
|
||||
From a4ead9514b411945f9525ac33901db2b557ce9d0 Mon Sep 17 00:00:00 2001
|
||||
From: Evgeny Vereshchagin <evvers@ya.ru>
|
||||
Date: Mon, 9 Jan 2017 04:46:11 +0000
|
||||
Subject: [PATCH] shared: fix double free in link
|
||||
|
||||
Fixes:
|
||||
```
|
||||
touch hola.service
|
||||
systemctl link $(pwd)/hola.service $(pwd)/hola.service
|
||||
```
|
||||
|
||||
```
|
||||
==1==ERROR: AddressSanitizer: attempting double-free on 0x60300002c560 in thread T0 (systemd):
|
||||
#0 0x7fc8c961cb00 in free (/lib64/libasan.so.3+0xc6b00)
|
||||
#1 0x7fc8c90ebd3b in strv_clear src/basic/strv.c:83
|
||||
#2 0x7fc8c90ebdb6 in strv_free src/basic/strv.c:89
|
||||
#3 0x55637c758c77 in strv_freep src/basic/strv.h:37
|
||||
#4 0x55637c763ba9 in method_enable_unit_files_generic src/core/dbus-manager.c:1960
|
||||
#5 0x55637c763d16 in method_link_unit_files src/core/dbus-manager.c:2001
|
||||
#6 0x7fc8c92537ec in method_callbacks_run src/libsystemd/sd-bus/bus-objects.c:418
|
||||
#7 0x7fc8c9258830 in object_find_and_run src/libsystemd/sd-bus/bus-objects.c:1255
|
||||
#8 0x7fc8c92594d7 in bus_process_object src/libsystemd/sd-bus/bus-objects.c:1371
|
||||
#9 0x7fc8c91e7553 in process_message src/libsystemd/sd-bus/sd-bus.c:2563
|
||||
#10 0x7fc8c91e78ce in process_running src/libsystemd/sd-bus/sd-bus.c:2605
|
||||
#11 0x7fc8c91e8f61 in bus_process_internal src/libsystemd/sd-bus/sd-bus.c:2837
|
||||
#12 0x7fc8c91e90d2 in sd_bus_process src/libsystemd/sd-bus/sd-bus.c:2856
|
||||
#13 0x7fc8c91ea8f9 in io_callback src/libsystemd/sd-bus/sd-bus.c:3126
|
||||
#14 0x7fc8c928333b in source_dispatch src/libsystemd/sd-event/sd-event.c:2268
|
||||
#15 0x7fc8c9285cf7 in sd_event_dispatch src/libsystemd/sd-event/sd-event.c:2627
|
||||
#16 0x7fc8c92865fa in sd_event_run src/libsystemd/sd-event/sd-event.c:2686
|
||||
#17 0x55637c6b5257 in manager_loop src/core/manager.c:2274
|
||||
#18 0x55637c6a2194 in main src/core/main.c:1920
|
||||
#19 0x7fc8c7ac7400 in __libc_start_main (/lib64/libc.so.6+0x20400)
|
||||
#20 0x55637c697339 in _start (/usr/lib/systemd/systemd+0xcd339)
|
||||
|
||||
0x60300002c560 is located 0 bytes inside of 19-byte region [0x60300002c560,0x60300002c573)
|
||||
freed by thread T0 (systemd) here:
|
||||
#0 0x7fc8c961cb00 in free (/lib64/libasan.so.3+0xc6b00)
|
||||
#1 0x7fc8c90ee320 in strv_remove src/basic/strv.c:630
|
||||
#2 0x7fc8c90ee190 in strv_uniq src/basic/strv.c:602
|
||||
#3 0x7fc8c9180533 in unit_file_link src/shared/install.c:1996
|
||||
#4 0x55637c763b25 in method_enable_unit_files_generic src/core/dbus-manager.c:1985
|
||||
#5 0x55637c763d16 in method_link_unit_files src/core/dbus-manager.c:2001
|
||||
#6 0x7fc8c92537ec in method_callbacks_run src/libsystemd/sd-bus/bus-objects.c:418
|
||||
#7 0x7fc8c9258830 in object_find_and_run src/libsystemd/sd-bus/bus-objects.c:1255
|
||||
#8 0x7fc8c92594d7 in bus_process_object src/libsystemd/sd-bus/bus-objects.c:1371
|
||||
#9 0x7fc8c91e7553 in process_message src/libsystemd/sd-bus/sd-bus.c:2563
|
||||
#10 0x7fc8c91e78ce in process_running src/libsystemd/sd-bus/sd-bus.c:2605
|
||||
#11 0x7fc8c91e8f61 in bus_process_internal src/libsystemd/sd-bus/sd-bus.c:2837
|
||||
#12 0x7fc8c91e90d2 in sd_bus_process src/libsystemd/sd-bus/sd-bus.c:2856
|
||||
#13 0x7fc8c91ea8f9 in io_callback src/libsystemd/sd-bus/sd-bus.c:3126
|
||||
#14 0x7fc8c928333b in source_dispatch src/libsystemd/sd-event/sd-event.c:2268
|
||||
#15 0x7fc8c9285cf7 in sd_event_dispatch src/libsystemd/sd-event/sd-event.c:2627
|
||||
#16 0x7fc8c92865fa in sd_event_run src/libsystemd/sd-event/sd-event.c:2686
|
||||
#17 0x55637c6b5257 in manager_loop src/core/manager.c:2274
|
||||
#18 0x55637c6a2194 in main src/core/main.c:1920
|
||||
#19 0x7fc8c7ac7400 in __libc_start_main (/lib64/libc.so.6+0x20400)
|
||||
|
||||
previously allocated by thread T0 (systemd) here:
|
||||
#0 0x7fc8c95b0160 in strdup (/lib64/libasan.so.3+0x5a160)
|
||||
#1 0x7fc8c90edf32 in strv_extend src/basic/strv.c:552
|
||||
#2 0x7fc8c923ae41 in bus_message_read_strv_extend src/libsystemd/sd-bus/bus-message.c:5578
|
||||
#3 0x7fc8c923b0de in sd_bus_message_read_strv src/libsystemd/sd-bus/bus-message.c:5600
|
||||
#4 0x55637c7639d1 in method_enable_unit_files_generic src/core/dbus-manager.c:1969
|
||||
#5 0x55637c763d16 in method_link_unit_files src/core/dbus-manager.c:2001
|
||||
#6 0x7fc8c92537ec in method_callbacks_run src/libsystemd/sd-bus/bus-objects.c:418
|
||||
#7 0x7fc8c9258830 in object_find_and_run src/libsystemd/sd-bus/bus-objects.c:1255
|
||||
#8 0x7fc8c92594d7 in bus_process_object src/libsystemd/sd-bus/bus-objects.c:1371
|
||||
#9 0x7fc8c91e7553 in process_message src/libsystemd/sd-bus/sd-bus.c:2563
|
||||
#10 0x7fc8c91e78ce in process_running src/libsystemd/sd-bus/sd-bus.c:2605
|
||||
#11 0x7fc8c91e8f61 in bus_process_internal src/libsystemd/sd-bus/sd-bus.c:2837
|
||||
#12 0x7fc8c91e90d2 in sd_bus_process src/libsystemd/sd-bus/sd-bus.c:2856
|
||||
#13 0x7fc8c91ea8f9 in io_callback src/libsystemd/sd-bus/sd-bus.c:3126
|
||||
#14 0x7fc8c928333b in source_dispatch src/libsystemd/sd-event/sd-event.c:2268
|
||||
#15 0x7fc8c9285cf7 in sd_event_dispatch src/libsystemd/sd-event/sd-event.c:2627
|
||||
#16 0x7fc8c92865fa in sd_event_run src/libsystemd/sd-event/sd-event.c:2686
|
||||
#17 0x55637c6b5257 in manager_loop src/core/manager.c:2274
|
||||
#18 0x55637c6a2194 in main src/core/main.c:1920
|
||||
#19 0x7fc8c7ac7400 in __libc_start_main (/lib64/libc.so.6+0x20400)
|
||||
|
||||
SUMMARY: AddressSanitizer: double-free (/lib64/libasan.so.3+0xc6b00) in free
|
||||
==1==ABORTING
|
||||
```
|
||||
|
||||
Closes #5015
|
||||
|
||||
(cherry picked from commit 8af35ba681116eb79a46e3dbd65b166c1efd6164)
|
||||
---
|
||||
src/shared/install.c | 8 ++++++--
|
||||
1 file changed, 6 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/shared/install.c b/src/shared/install.c
|
||||
index 5f0eec3ccb..64fe522ebb 100644
|
||||
--- a/src/shared/install.c
|
||||
+++ b/src/shared/install.c
|
||||
@@ -1947,7 +1947,7 @@ int unit_file_link(
|
||||
unsigned *n_changes) {
|
||||
|
||||
_cleanup_lookup_paths_free_ LookupPaths paths = {};
|
||||
- _cleanup_free_ char **todo = NULL;
|
||||
+ _cleanup_strv_free_ char **todo = NULL;
|
||||
size_t n_todo = 0, n_allocated = 0;
|
||||
const char *config_path;
|
||||
char **i;
|
||||
@@ -1996,7 +1996,11 @@ int unit_file_link(
|
||||
if (!GREEDY_REALLOC0(todo, n_allocated, n_todo + 2))
|
||||
return -ENOMEM;
|
||||
|
||||
- todo[n_todo++] = *i;
|
||||
+ todo[n_todo] = strdup(*i);
|
||||
+ if (!todo[n_todo])
|
||||
+ return -ENOMEM;
|
||||
+
|
||||
+ n_todo++;
|
||||
}
|
||||
|
||||
strv_uniq(todo);
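Review bot: Nothing at the `todo[n_todo] = strdup(*i);` line records why a copy is needed, so a later cleanup could turn it back into a borrowed pointer and reintroduce the double free shown in the AddressSanitizer trace. I would add a short comment above the assignment, e.g. `/* strv_uniq() frees the duplicates it drops, so todo must own its strings instead of borrowing the caller's */`. The same comment fits the matching line in `unit_file_unmask()`. The early `return -ENOMEM` relies on `GREEDY_REALLOC0` keeping the array NULL-terminated for the strv cleanup, which is worth stating in that comment as well.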
|
@ -1,29 +0,0 @@
|
||||
From acfeb54e985d6f4d589c574ba5d467fbe4d556b7 Mon Sep 17 00:00:00 2001
|
||||
From: Evgeny Vereshchagin <evvers@ya.ru>
|
||||
Date: Mon, 9 Jan 2017 22:45:41 +0000
|
||||
Subject: [PATCH] shared: check strdup != NULL
|
||||
|
||||
This is a follow-up for dc7dd61de610e9330
|
||||
|
||||
(cherry picked from commit d054eae6c954baa857170bb60072c8a2ecea0d6b)
|
||||
---
|
||||
src/shared/install.c | 6 +++++-
|
||||
1 file changed, 5 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/shared/install.c b/src/shared/install.c
|
||||
index 64fe522ebb..0bb47ac527 100644
|
||||
--- a/src/shared/install.c
|
||||
+++ b/src/shared/install.c
|
||||
@@ -1899,7 +1899,11 @@ int unit_file_unmask(
|
||||
if (!GREEDY_REALLOC0(todo, n_allocated, n_todo + 2))
|
||||
return -ENOMEM;
|
||||
|
||||
- todo[n_todo++] = strdup(*i);
|
||||
+ todo[n_todo] = strdup(*i);
|
||||
+ if (!todo[n_todo])
|
||||
+ return -ENOMEM;
|
||||
+
|
||||
+ n_todo++;
|
||||
}
|
||||
|
||||
strv_uniq(todo);
|
@ -1,57 +0,0 @@
|
||||
From fba761f0bc86d37119bd18f7bc231e2d9f5d94a7 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
|
||||
Date: Thu, 12 Jan 2017 04:16:20 -0500
|
||||
Subject: [PATCH] rpm triggers: do nothing if systemd is not running (#5065)
|
||||
|
||||
If we are running in a chroot/container/..., we would print a useless warning about
|
||||
not being able to communicate with systemd. Trying to do daemon-reload is pointless
|
||||
in those cases, so let's just skip all actions in that case.
|
||||
|
||||
The check uses /run/system/system, as recommended by sd_booted(3).
|
||||
|
||||
https://bugzilla.redhat.com/show_bug.cgi?id=1411299
|
||||
(cherry picked from commit 13749f547357f8e9ec398680548f818dea3aba1c)
|
||||
---
|
||||
src/core/triggers.systemd.in | 22 +++++++++++++---------
|
||||
1 file changed, 13 insertions(+), 9 deletions(-)
|
||||
|
||||
diff --git a/src/core/triggers.systemd.in b/src/core/triggers.systemd.in
|
||||
index 0d8c303136..f8c8cbc5f9 100644
|
||||
--- a/src/core/triggers.systemd.in
|
||||
+++ b/src/core/triggers.systemd.in
|
||||
@@ -27,11 +27,13 @@
|
||||
-- installed, because other cases are covered by the *un scriptlets,
|
||||
-- so sometimes we will reload needlessly.
|
||||
|
||||
-pid = posix.fork()
|
||||
-if pid == 0 then
|
||||
- assert(posix.exec("%{_bindir}/systemctl", "daemon-reload"))
|
||||
-elseif pid > 0 then
|
||||
- posix.wait(pid)
|
||||
+if posix.access("/run/systemd/system") then
|
||||
+ pid = posix.fork()
|
||||
+ if pid == 0 then
|
||||
+ assert(posix.exec("%{_bindir}/systemctl", "daemon-reload"))
|
||||
+ elseif pid > 0 then
|
||||
+ posix.wait(pid)
|
||||
+ end
|
||||
end
|
||||
|
||||
%transfiletriggerun -p <lua> -- @systemunitdir@ /etc/systemd/system
|
||||
@@ -48,10 +50,12 @@ end
|
||||
-- file in %transfiletriggerun and execute the daemon-reload in
|
||||
-- the first %filetriggerpostun.
|
||||
|
||||
-posix.mkdir("%{_localstatedir}/lib")
|
||||
-posix.mkdir("%{_localstatedir}/lib/rpm-state")
|
||||
-posix.mkdir("%{_localstatedir}/lib/rpm-state/systemd")
|
||||
-io.open("%{_localstatedir}/lib/rpm-state/systemd/needs-reload", "w")
|
||||
+if posix.access("/run/systemd/system") then
|
||||
+ posix.mkdir("%{_localstatedir}/lib")
|
||||
+ posix.mkdir("%{_localstatedir}/lib/rpm-state")
|
||||
+ posix.mkdir("%{_localstatedir}/lib/rpm-state/systemd")
|
||||
+ io.open("%{_localstatedir}/lib/rpm-state/systemd/needs-reload", "w")
|
||||
+end
|
||||
|
||||
%filetriggerpostun -P 1000100 -p <lua> -- @systemunitdir@ /etc/systemd/system
|
||||
if posix.access("%{_localstatedir}/lib/rpm-state/systemd/needs-reload") then
|
@ -1,53 +0,0 @@
|
||||
From f1e5bbe0ef234b5e6c8a2cd7f601a75a7678cd27 Mon Sep 17 00:00:00 2001
|
||||
From: Michal Schmidt <mschmidt@redhat.com>
|
||||
Date: Fri, 16 Dec 2016 18:14:47 +0100
|
||||
Subject: [PATCH] kernel-install: avoid process substitution
|
||||
|
||||
bash implements process substitution using /dev/fd/N (this is documented
|
||||
in man bash). We'd like kernel-install to work in chrooted RPM
|
||||
scriptlets without /dev.
|
||||
|
||||
We can use here-strings instead. bash uses temporary files to implement
|
||||
those.
|
||||
|
||||
(cherry picked from commit db1e2bfc4f049261ae2d407568ff39569b36d98c)
|
||||
---
|
||||
src/kernel-install/kernel-install | 8 ++++----
|
||||
1 file changed, 4 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/src/kernel-install/kernel-install b/src/kernel-install/kernel-install
|
||||
index a95b9717f0..c7d9f4eea9 100644
|
||||
--- a/src/kernel-install/kernel-install
|
||||
+++ b/src/kernel-install/kernel-install
|
||||
@@ -34,7 +34,7 @@ dropindirs_sort()
|
||||
local -a files
|
||||
local f d i
|
||||
|
||||
- readarray -t files < <(
|
||||
+ readarray -t files <<<"$(
|
||||
for d in "$@"; do
|
||||
for i in "$d/"*"$suffix"; do
|
||||
if [[ -e "$i" ]]; then
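Review bot: The here-string form `readarray -t files <<<"$(` is not equivalent to the process substitution it replaces when the inner command prints nothing. A here-string always appends a newline, so the array ends up with one empty element instead of being empty. The `for f in "${files[@]}"` loop shown in the next hunk would then run once with `f` empty, and the same applies to `readarray -t PLUGINS <<<"$(` in the last hunk when no plugin is found. How the empty entry is handled lies outside these hunks, so I would guard the loops explicitly, e.g. `[[ -n "$f" ]] || continue` as the first statement in the loop body.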
|
||||
@@ -42,7 +42,7 @@ dropindirs_sort()
|
||||
fi
|
||||
done
|
||||
done | sort -Vu
|
||||
- )
|
||||
+ )"
|
||||
|
||||
for f in "${files[@]}"; do
|
||||
for d in "$@"; do
|
||||
@@ -104,11 +104,11 @@ fi
|
||||
|
||||
ret=0
|
||||
|
||||
-readarray -t PLUGINS < <(
|
||||
+readarray -t PLUGINS <<<"$(
|
||||
dropindirs_sort ".install" \
|
||||
"/etc/kernel/install.d" \
|
||||
"/usr/lib/kernel/install.d"
|
||||
-)
|
||||
+)"
|
||||
|
||||
case $COMMAND in
|
||||
add)
|
@ -1,41 +0,0 @@
|
||||
From 3f40c958104c4a83a32ad303cd7153f79cb7a6a8 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
|
||||
Date: Wed, 11 Jan 2017 14:45:19 -0500
|
||||
Subject: [PATCH] shell-completion: redirect all errors from systemctl to
|
||||
/dev/null
|
||||
|
||||
Completion scripts should not generate errors, ever.
|
||||
|
||||
https://bugzilla.redhat.com/show_bug.cgi?id=1409649
|
||||
(cherry picked from commit 99171d2fdf720ebb64fee75db4177af5d048d0f9)
|
||||
---
|
||||
shell-completion/bash/systemctl.in | 2 +-
|
||||
shell-completion/zsh/_systemctl.in | 2 +-
|
||||
2 files changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/shell-completion/bash/systemctl.in b/shell-completion/bash/systemctl.in
|
||||
index dcf71a1f51..34589e2888 100644
|
||||
--- a/shell-completion/bash/systemctl.in
|
||||
+++ b/shell-completion/bash/systemctl.in
|
||||
@@ -19,7 +19,7 @@
|
||||
|
||||
__systemctl() {
|
||||
local mode=$1; shift 1
|
||||
- systemctl $mode --full --no-legend "$@"
|
||||
+ systemctl $mode --full --no-legend "$@" 2>/dev/null
|
||||
}
|
||||
|
||||
__systemd_properties() {
|
||||
diff --git a/shell-completion/zsh/_systemctl.in b/shell-completion/zsh/_systemctl.in
|
||||
index 03a1c930b0..d77a2df74e 100644
|
||||
--- a/shell-completion/zsh/_systemctl.in
|
||||
+++ b/shell-completion/zsh/_systemctl.in
|
||||
@@ -91,7 +91,7 @@
|
||||
|
||||
__systemctl()
|
||||
{
|
||||
- systemctl $_sys_service_mgr --full --no-legend --no-pager "$@"
|
||||
+ systemctl $_sys_service_mgr --full --no-legend --no-pager "$@" 2>/dev/null
|
||||
}
|
||||
|
||||
|
@ -1,26 +0,0 @@
|
||||
From 7770e9fc69d7545b4ebf77567cce3f8b85c7ccf7 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
|
||||
Date: Sun, 15 Jan 2017 11:51:48 -0500
|
||||
Subject: [PATCH] cryptsetup: fix unitialized variable
|
||||
|
||||
CID #1368416.
|
||||
|
||||
Coverity web interface is back, yay!
|
||||
|
||||
(cherry picked from commit 6fefc0eded00974e5b2862bd5efc7ef975c6a318)
|
||||
---
|
||||
src/cryptsetup/cryptsetup.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/src/cryptsetup/cryptsetup.c b/src/cryptsetup/cryptsetup.c
|
||||
index ff5a3f36fb..a90bee81bb 100644
|
||||
--- a/src/cryptsetup/cryptsetup.c
|
||||
+++ b/src/cryptsetup/cryptsetup.c
|
||||
@@ -752,6 +752,7 @@ int main(int argc, char *argv[]) {
|
||||
|
||||
} else {
|
||||
log_error("Unknown verb %s.", argv[1]);
|
||||
+ r = -EINVAL;
|
||||
goto finish;
|
||||
}
|
||||
|
@ -1,28 +0,0 @@
|
||||
From 3a087e730c2be5d6abe8f9775a707af925e2520b Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
|
||||
Date: Sun, 15 Jan 2017 13:27:37 -0500
|
||||
Subject: [PATCH] systemctl: uninitalized variable
|
||||
|
||||
CID #1368270.
|
||||
|
||||
Easily reproduced with COLUMNS=50 ./systemctl --no-pager.
|
||||
|
||||
(cherry picked from commit 43479f8d21a770cdb4870087fcec446b3d845cbc)
|
||||
---
|
||||
src/systemctl/systemctl.c | 3 ++-
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/systemctl/systemctl.c b/src/systemctl/systemctl.c
|
||||
index 4edc690f5c..1a4a201740 100644
|
||||
--- a/src/systemctl/systemctl.c
|
||||
+++ b/src/systemctl/systemctl.c
|
||||
@@ -467,7 +467,8 @@ static int output_units_list(const UnitInfo *unit_infos, unsigned c) {
|
||||
id_len += incr;
|
||||
desc_len += MIN(extra_len - incr, max_desc_len - desc_len);
|
||||
}
|
||||
- }
|
||||
+ } else
|
||||
+ desc_len = 0;
|
||||
} else {
|
||||
id_len = max_id_len;
|
||||
desc_len = max_desc_len;
|
@ -1,29 +0,0 @@
|
||||
From 176e36e83f44d5486945afa9beffc1e32799d546 Mon Sep 17 00:00:00 2001
|
||||
From: Namhyung Kim <namhyung@gmail.com>
|
||||
Date: Sat, 21 Jan 2017 16:36:20 +0900
|
||||
Subject: [PATCH] bash_completion: journalctl: add missing options
|
||||
|
||||
The --no-hostname and --vacuum-files were missing, add them.
|
||||
|
||||
(cherry picked from commit ed52c971bfa546bfe1f8b329a41ac06077464fb6)
|
||||
---
|
||||
shell-completion/bash/journalctl | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/shell-completion/bash/journalctl b/shell-completion/bash/journalctl
|
||||
index a999a10df1..ded92cb73a 100644
|
||||
--- a/shell-completion/bash/journalctl
|
||||
+++ b/shell-completion/bash/journalctl
|
||||
@@ -42,10 +42,10 @@ _journalctl() {
|
||||
--version --list-catalog --update-catalog --list-boots
|
||||
--show-cursor --dmesg -k --pager-end -e -r --reverse
|
||||
--utc -x --catalog --no-full --force --dump-catalog
|
||||
- --flush --rotate --sync'
|
||||
+ --flush --rotate --sync --no-hostname'
|
||||
[ARG]='-b --boot --this-boot -D --directory --file -F --field
|
||||
-M --machine -o --output -u --unit --user-unit -p --priority
|
||||
- --vacuum-size --vacuum-time'
|
||||
+ --vacuum-size --vacuum-time --vacuum-files'
|
||||
[ARGUNKNOWN]='-c --cursor --interval -n --lines -S --since -U --until
|
||||
--after-cursor --verify-key -t --identifier
|
||||
--root'
|
@ -1,26 +0,0 @@
|
||||
From 5efdac319bea6c000b17af77b7d1b3ba1dce6432 Mon Sep 17 00:00:00 2001
|
||||
From: Namhyung Kim <namhyung@gmail.com>
|
||||
Date: Sat, 21 Jan 2017 16:38:23 +0900
|
||||
Subject: [PATCH] bash_completion: journalctl: Complete -t option values
|
||||
|
||||
The -t or --identifier requires a syslog identifier.
|
||||
|
||||
(cherry picked from commit 28b6b5de3f6c8943e83afe4e213cdb6a8c7e1a72)
|
||||
---
|
||||
shell-completion/bash/journalctl | 3 +++
|
||||
1 file changed, 3 insertions(+)
|
||||
|
||||
diff --git a/shell-completion/bash/journalctl b/shell-completion/bash/journalctl
|
||||
index ded92cb73a..c90a114497 100644
|
||||
--- a/shell-completion/bash/journalctl
|
||||
+++ b/shell-completion/bash/journalctl
|
||||
@@ -82,6 +82,9 @@ _journalctl() {
|
||||
--user-unit)
|
||||
comps=$(journalctl -F '_SYSTEMD_USER_UNIT' 2>/dev/null)
|
||||
;;
|
||||
+ --identifier|-t)
|
||||
+ comps=$(journalctl -F 'SYSLOG_IDENTIFIER' 2>/dev/null)
|
||||
+ ;;
|
||||
*)
|
||||
return 0
|
||||
;;
|
@ -1,74 +0,0 @@
|
||||
From d8386bfd28676e1c6fd88deaf203eb1cd7585233 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?=D0=90=D0=BB=D0=B5=D0=BA=D1=81=D0=B0=D0=BD=D0=B4=D1=80=20?=
|
||||
=?UTF-8?q?=D0=A2=D0=B8=D1=85=D0=BE=D0=BD=D0=BE=D0=B2?=
|
||||
<disarmer.mk@gmail.com>
|
||||
Date: Sat, 21 Jan 2017 23:53:09 +0400
|
||||
Subject: [PATCH] Fixi caching in zsh completion (#5122)
|
||||
|
||||
I found several issues with zsh completion code:
|
||||
|
||||
1. typo in cache filename: "SYS_ALL_PROPRTIES", so cache just not loading from this file
|
||||
2. cache stored in one file, despite user or system mode. So it can be loaded later in wrong mode
|
||||
3. most serious problem: broken logic - it retrieves cache when _cache_invalid is true
|
||||
|
||||
How to reproduce: type "systemctl --user status <TAB>" and you will see user units. Then press
|
||||
control+C and type "systemctl --system status <TAB>" in same session and you'll see user units again
|
||||
(cherry picked from commit 88e4dbd505ed4f8480b1f3b837b3c2ac55f1b1dd)
|
||||
---
|
||||
shell-completion/zsh/_systemctl.in | 18 +++++++++---------
|
||||
1 file changed, 9 insertions(+), 9 deletions(-)
|
||||
|
||||
diff --git a/shell-completion/zsh/_systemctl.in b/shell-completion/zsh/_systemctl.in
|
||||
index d77a2df74e..553216da5e 100644
|
||||
--- a/shell-completion/zsh/_systemctl.in
|
||||
+++ b/shell-completion/zsh/_systemctl.in
|
||||
@@ -98,11 +98,11 @@ __systemctl()
|
||||
# Fills the unit list
|
||||
_systemctl_all_units()
|
||||
{
|
||||
- if ( [[ ${+_sys_all_units} -eq 0 ]] || _cache_invalid SYS_ALL_UNITS ) &&
|
||||
- ! _retrieve_cache SYS_ALL_UNITS;
|
||||
+ if ( [[ ${+_sys_all_units} -eq 0 ]] || _cache_invalid SYS_ALL_UNITS$_sys_service_mgr ) ||
|
||||
+ ! _retrieve_cache SYS_ALL_UNITS$_sys_service_mgr;
|
||||
then
|
||||
_sys_all_units=( ${${(f)"$(__systemctl list-units --all)"}%% *} )
|
||||
- _store_cache SYS_ALL_UNITS _sys_all_units
|
||||
+ _store_cache SYS_ALL_UNITS$_sys_service_mgr _sys_all_units
|
||||
fi
|
||||
}
|
||||
|
||||
@@ -111,14 +111,14 @@ _systemctl_really_all_units()
|
||||
{
|
||||
local -a all_unit_files;
|
||||
local -a really_all_units;
|
||||
- if ( [[ ${+_sys_really_all_units} -eq 0 ]] || _cache_invalid SYS_REALLY_ALL_UNITS ) &&
|
||||
- ! _retrieve_cache SYS_REALLY_ALL_UNITS;
|
||||
+ if ( [[ ${+_sys_really_all_units} -eq 0 ]] || _cache_invalid SYS_REALLY_ALL_UNITS$_sys_service_mgr ) ||
|
||||
+ ! _retrieve_cache SYS_REALLY_ALL_UNITS$_sys_service_mgr;
|
||||
then
|
||||
all_unit_files=( ${${(f)"$(__systemctl list-unit-files)"}%% *} )
|
||||
_systemctl_all_units
|
||||
really_all_units=($_sys_all_units $all_unit_files)
|
||||
_sys_really_all_units=(${(u)really_all_units})
|
||||
- _store_cache SYS_REALLY_ALL_UNITS _sys_really_all_units
|
||||
+ _store_cache SYS_REALLY_ALL_UNITS$_sys_service_mgr _sys_really_all_units
|
||||
fi
|
||||
}
|
||||
|
||||
@@ -330,13 +330,13 @@ _unit_types() {
|
||||
}
|
||||
|
||||
_unit_properties() {
|
||||
- if ( [[ ${+_sys_all_properties} -eq 0 ]] || _cache_invalid SYS_ALL_PROPERTIES ) &&
|
||||
- ! _retrieve_cache SYS_ALL_PROPERTIES;
|
||||
+ if ( [[ ${+_sys_all_properties} -eq 0 ]] || _cache_invalid SYS_ALL_PROPERTIES$_sys_service_mgr ) ||
|
||||
+ ! _retrieve_cache SYS_ALL_PROPERTIES$_sys_service_mgr;
|
||||
then
|
||||
_sys_all_properties=( ${${(M)${(f)"$(__systemctl show --all;
|
||||
@rootlibexecdir@/systemd --dump-configuration-items)"}##[[:alnum:]]##=*}%%=*}
|
||||
)
|
||||
- _store_cache SYS_ALL_PROPRTIES _sys_all_properties
|
||||
+ _store_cache SYS_ALL_PROPERTIES$_sys_service_mgr _sys_all_properties
|
||||
fi
|
||||
_values -s , "${_sys_all_properties[@]}"
|
||||
}
|
@ -1,23 +0,0 @@
|
||||
From 59ce906fbeabbf3c519ee22fb4b653b2acb8fff1 Mon Sep 17 00:00:00 2001
|
||||
From: Jan Synacek <jan.synacek@gmail.com>
|
||||
Date: Wed, 25 Jan 2017 13:44:04 +0100
|
||||
Subject: [PATCH] bash-completion: add support for --now (#5155)
|
||||
|
||||
(cherry picked from commit 0067c7b29ab996bf99cf1bafe63c118b9b6d5b56)
|
||||
---
|
||||
shell-completion/bash/systemctl.in | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/shell-completion/bash/systemctl.in b/shell-completion/bash/systemctl.in
|
||||
index 34589e2888..7765010869 100644
|
||||
--- a/shell-completion/bash/systemctl.in
|
||||
+++ b/shell-completion/bash/systemctl.in
|
||||
@@ -124,7 +124,7 @@ _systemctl () {
|
||||
|
||||
local -A OPTS=(
|
||||
[STANDALONE]='--all -a --reverse --after --before --defaults --force -f --full -l --global
|
||||
- --help -h --no-ask-password --no-block --no-legend --no-pager --no-reload --no-wall
|
||||
+ --help -h --no-ask-password --no-block --no-legend --no-pager --no-reload --no-wall --now
|
||||
--quiet -q --privileged -P --system --user --version --runtime --recursive -r --firmware-setup
|
||||
--show-types -i --ignore-inhibitors --plain'
|
||||
[ARG]='--host -H --kill-who --property -p --signal -s --type -t --state --job-mode --root
|
@ -1,35 +0,0 @@
|
||||
From 0cb96989634afde3f1b7b86420e003a34dcf5551 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
|
||||
Date: Tue, 24 Jan 2017 22:21:16 -0500
|
||||
Subject: [PATCH] core/dbus: fix two strv memleaks
|
||||
|
||||
job_dbus_path and unit_dbus_path both allocate new strings, so we should use
|
||||
strv_free.
|
||||
|
||||
(cherry picked from commit f0c03de85afa93d1df2bb533a46748e7f4264af6)
|
||||
---
|
||||
src/core/dbus.c | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/core/dbus.c b/src/core/dbus.c
|
||||
index 070974fe66..c6fcd01138 100644
|
||||
--- a/src/core/dbus.c
|
||||
+++ b/src/core/dbus.c
|
||||
@@ -477,7 +477,7 @@ static int bus_kill_context_find(sd_bus *bus, const char *path, const char *inte
|
||||
}
|
||||
|
||||
static int bus_job_enumerate(sd_bus *bus, const char *path, void *userdata, char ***nodes, sd_bus_error *error) {
|
||||
- _cleanup_free_ char **l = NULL;
|
||||
+ _cleanup_strv_free_ char **l = NULL;
|
||||
Manager *m = userdata;
|
||||
unsigned k = 0;
|
||||
Iterator i;
|
||||
@@ -504,7 +504,7 @@ static int bus_job_enumerate(sd_bus *bus, const char *path, void *userdata, char
|
||||
}
|
||||
|
||||
static int bus_unit_enumerate(sd_bus *bus, const char *path, void *userdata, char ***nodes, sd_bus_error *error) {
|
||||
- _cleanup_free_ char **l = NULL;
|
||||
+ _cleanup_strv_free_ char **l = NULL;
|
||||
Manager *m = userdata;
|
||||
unsigned k = 0;
|
||||
Iterator i;
|
@ -1,37 +0,0 @@
|
||||
From f2f5c4de715e65db93d57d7bcafe9caef3f7a79e Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
|
||||
Date: Tue, 24 Jan 2017 22:24:07 -0500
|
||||
Subject: [PATCH] core/execute: fix strv memleak
|
||||
|
||||
compile_read_write_paths() returns a normal strv from strv_copy(), and
|
||||
setup_namespace() uses it read-only, so we should use strv_free to deallocate.
|
||||
|
||||
(cherry picked from commit 06ec51d8ef30dce3c7f864633ba3a9888d18fed6)
|
||||
---
|
||||
src/core/execute.c | 6 +++---
|
||||
1 file changed, 3 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/src/core/execute.c b/src/core/execute.c
|
||||
index f13ca30395..38cd486d82 100644
|
||||
--- a/src/core/execute.c
|
||||
+++ b/src/core/execute.c
|
||||
@@ -1984,8 +1984,8 @@ static int compile_read_write_paths(
|
||||
_cleanup_strv_free_ char **l = NULL;
|
||||
char **rt;
|
||||
|
||||
- /* Compile the list of writable paths. This is the combination of the explicitly configured paths, plus all
|
||||
- * runtime directories. */
|
||||
+ /* Compile the list of writable paths. This is the combination of
|
||||
+ * the explicitly configured paths, plus all runtime directories. */
|
||||
|
||||
if (strv_isempty(context->read_write_paths) &&
|
||||
strv_isempty(context->runtime_directory)) {
|
||||
@@ -2018,7 +2018,7 @@ static int apply_mount_namespace(Unit *u, const ExecContext *context,
|
||||
const ExecParameters *params,
|
||||
ExecRuntime *runtime) {
|
||||
int r;
|
||||
- _cleanup_free_ char **rw = NULL;
|
||||
+ _cleanup_strv_free_ char **rw = NULL;
|
||||
char *tmp = NULL, *var = NULL;
|
||||
const char *root_dir = NULL;
|
||||
NameSpaceInfo ns_info = {
|
@ -1,25 +0,0 @@
|
||||
From f0dc398e4862dffc768be3a8fc59c5c5a012a5e6 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
|
||||
Date: Tue, 24 Jan 2017 22:27:21 -0500
|
||||
Subject: [PATCH] resolve: fix strv memleak
|
||||
|
||||
sd_bus_message_read_strv() returns a normal strv...
|
||||
|
||||
(cherry picked from commit c6d92582205065e4924b9f0cb1428f4a5f210fd4)
|
||||
---
|
||||
src/resolve/resolved-link-bus.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/resolve/resolved-link-bus.c b/src/resolve/resolved-link-bus.c
|
||||
index 364812250f..59cd6cf1cb 100644
|
||||
--- a/src/resolve/resolved-link-bus.c
|
||||
+++ b/src/resolve/resolved-link-bus.c
|
||||
@@ -462,7 +462,7 @@ int bus_link_method_set_dnssec(sd_bus_message *message, void *userdata, sd_bus_e
|
||||
|
||||
int bus_link_method_set_dnssec_negative_trust_anchors(sd_bus_message *message, void *userdata, sd_bus_error *error) {
|
||||
_cleanup_set_free_free_ Set *ns = NULL;
|
||||
- _cleanup_free_ char **ntas = NULL;
|
||||
+ _cleanup_strv_free_ char **ntas = NULL;
|
||||
Link *l = userdata;
|
||||
int r;
|
||||
char **i;
|
@ -1,27 +0,0 @@
|
||||
From b6700f38b414fa8e97a29fae221d8f02af4b3375 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
|
||||
Date: Fri, 27 Jan 2017 00:45:38 -0500
|
||||
Subject: [PATCH] nspawn: fix clobbering of selinux context arg
|
||||
|
||||
First bug fixed by gcc 7. Yikes.
|
||||
|
||||
(cherry picked from commit 2e8977b198882fb8c99366ab2944572aa8998dc0)
|
||||
---
|
||||
src/nspawn/nspawn.c | 3 +--
|
||||
1 file changed, 1 insertion(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
|
||||
index 503265545b..0e2f4d59a5 100644
|
||||
--- a/src/nspawn/nspawn.c
|
||||
+++ b/src/nspawn/nspawn.c
|
||||
@@ -658,9 +658,8 @@ static int parse_argv(int argc, char *argv[]) {
|
||||
r = free_and_strdup(&arg_machine, optarg);
|
||||
if (r < 0)
|
||||
return log_oom();
|
||||
-
|
||||
- break;
|
||||
}
|
||||
+ break;
|
||||
|
||||
case 'Z':
|
||||
arg_selinux_context = optarg;
|
@ -1,29 +0,0 @@
|
||||
From d30213c50db935f63987447d44d637bc9a00bf71 Mon Sep 17 00:00:00 2001
|
||||
From: Martin Pitt <martin.pitt@ubuntu.com>
|
||||
Date: Wed, 30 Nov 2016 09:20:15 +0100
|
||||
Subject: [PATCH] parse_hwdb: fix to work with pyparsing 2.1.10
|
||||
|
||||
pyparsing 2.1.10 fixed the handling of LineStart to really just apply to line
|
||||
starts and not ignore whitespace and comments any more. Adjust EMPTYLINE to
|
||||
this.
|
||||
|
||||
Many thanks to Paul McGuire for pointing this out!
|
||||
|
||||
(cherry picked from commit f644a6da7a6f11d20116842e2ce1c7e9c0b0ad64)
|
||||
---
|
||||
hwdb/parse_hwdb.py | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/hwdb/parse_hwdb.py b/hwdb/parse_hwdb.py
|
||||
index 5d4c5ea64d..5856d12af7 100755
|
||||
--- a/hwdb/parse_hwdb.py
|
||||
+++ b/hwdb/parse_hwdb.py
|
||||
@@ -56,7 +56,7 @@ except ImportError:
|
||||
lru_cache = lambda: (lambda f: f)
|
||||
|
||||
EOL = LineEnd().suppress()
|
||||
-EMPTYLINE = LineStart() + LineEnd()
|
||||
+EMPTYLINE = LineEnd()
|
||||
COMMENTLINE = pythonStyleComment + EOL
|
||||
INTEGER = Word(nums)
|
||||
REAL = Combine((INTEGER + Optional('.' + Optional(INTEGER))) ^ ('.' + INTEGER))
|
@ -1,133 +0,0 @@
|
||||
From 53ae6296386a754ed74a1d3fbd88f39ab7a89f0d Mon Sep 17 00:00:00 2001
|
||||
From: Lennart Poettering <lennart@poettering.net>
|
||||
Date: Mon, 12 Dec 2016 20:54:45 +0100
|
||||
Subject: [PATCH] journald: don't flush to /var/log/journal before we get asked
|
||||
to
|
||||
|
||||
This changes journald to not write to /var/log/journal until it received
|
||||
SIGUSR1 for the first time, thus having been requested to flush the runtime
|
||||
journal to disk.
|
||||
|
||||
This makes the journal work nicer with systems which have the root file system
|
||||
writable early, but still need to rearrange /var before journald should start
|
||||
writing and creating files to it, for example because ACLs need to be applied
|
||||
first, or because /var is to be mounted from another file system, NFS or tmpfs
|
||||
(as is the case for systemd.volatile=state).
|
||||
|
||||
Before this change we required setups with /var split out to mount the root
|
||||
disk read-only early on, and ship an /etc/fstab that remounted it writable only
|
||||
after having placed /var at the right place. But even that was racy for various
|
||||
preparations as journald might end up accessing the file system before it was
|
||||
entirely set up, as soon as it was writable.
|
||||
|
||||
With this change we make scheduling when to start writing to /var/log/journal
|
||||
explicit. This means persistent mode now requires
|
||||
systemd-journal-flush.service in the mix to work, as otherwise journald would
|
||||
never write to the directory.
|
||||
|
||||
See: #1397
|
||||
(cherry picked from commit f78273c8dacf678cc8fd7387f678e6344a99405c)
|
||||
---
|
||||
src/journal/journald-server.c | 21 +++++++++++----------
|
||||
src/journal/journald-server.h | 2 +-
|
||||
src/journal/journald.c | 2 +-
|
||||
3 files changed, 13 insertions(+), 12 deletions(-)
|
||||
|
||||
diff --git a/src/journal/journald-server.c b/src/journal/journald-server.c
|
||||
index 1d2fce8dc7..ced0ad6f21 100644
|
||||
--- a/src/journal/journald-server.c
|
||||
+++ b/src/journal/journald-server.c
|
||||
@@ -283,17 +283,16 @@ static int open_journal(
|
||||
}
|
||||
|
||||
static bool flushed_flag_is_set(void) {
|
||||
- return (access("/run/systemd/journal/flushed", F_OK) >= 0);
|
||||
+ return access("/run/systemd/journal/flushed", F_OK) >= 0;
|
||||
}
|
||||
|
||||
static int system_journal_open(Server *s, bool flush_requested) {
|
||||
- bool flushed = false;
|
||||
const char *fn;
|
||||
int r = 0;
|
||||
|
||||
if (!s->system_journal &&
|
||||
- (s->storage == STORAGE_PERSISTENT || s->storage == STORAGE_AUTO) &&
|
||||
- (flush_requested || (flushed = flushed_flag_is_set()))) {
|
||||
+ IN_SET(s->storage, STORAGE_PERSISTENT, STORAGE_AUTO) &&
|
||||
+ (flush_requested || flushed_flag_is_set())) {
|
||||
|
||||
/* If in auto mode: first try to create the machine
|
||||
* path, but not the prefix.
|
||||
@@ -326,8 +325,8 @@ static int system_journal_open(Server *s, bool flush_requested) {
|
||||
* Perform an implicit flush to var, leaving the runtime
|
||||
* journal closed, now that the system journal is back.
|
||||
*/
|
||||
- if (s->runtime_journal && flushed)
|
||||
- (void) server_flush_to_var(s);
|
||||
+ if (!flush_requested)
|
||||
+ (void) server_flush_to_var(s, true);
|
||||
}
|
||||
|
||||
if (!s->runtime_journal &&
|
||||
@@ -1183,7 +1182,7 @@ finish:
|
||||
dispatch_message_real(s, iovec, n, m, ucred, tv, label, label_len, unit_id, priority, object_pid);
|
||||
}
|
||||
|
||||
-int server_flush_to_var(Server *s) {
|
||||
+int server_flush_to_var(Server *s, bool require_flag_file) {
|
||||
sd_id128_t machine;
|
||||
sd_journal *j = NULL;
|
||||
char ts[FORMAT_TIMESPAN_MAX];
|
||||
@@ -1193,13 +1192,15 @@ int server_flush_to_var(Server *s) {
|
||||
|
||||
assert(s);
|
||||
|
||||
- if (s->storage != STORAGE_AUTO &&
|
||||
- s->storage != STORAGE_PERSISTENT)
|
||||
+ if (!IN_SET(s->storage, STORAGE_AUTO, STORAGE_PERSISTENT))
|
||||
return 0;
|
||||
|
||||
if (!s->runtime_journal)
|
||||
return 0;
|
||||
|
||||
+ if (require_flag_file && !flushed_flag_is_set())
|
||||
+ return 0;
|
||||
+
|
||||
(void) system_journal_open(s, true);
|
||||
|
||||
if (!s->system_journal)
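Review bot: The new `require_flag_file` argument of `server_flush_to_var()` is undocumented, and the check added before `system_journal_open(s, true)` is the only place that shows what it means. A short comment above that check would help, e.g. `/* Unless explicitly asked to flush (SIGUSR1), only flush if /run/systemd/journal/flushed records an earlier request */`, and the prototype in journald-server.h could carry the same sentence. The call sites pass a bare `true` or `false`, so without it a reader has to open this function to learn which value is the cautious one. The function body continues outside the hunk.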
|
||||
@@ -1411,7 +1412,7 @@ static int dispatch_sigusr1(sd_event_source *es, const struct signalfd_siginfo *
|
||||
|
||||
log_info("Received request to flush runtime journal from PID " PID_FMT, si->ssi_pid);
|
||||
|
||||
- (void) server_flush_to_var(s);
|
||||
+ (void) server_flush_to_var(s, false);
|
||||
server_sync(s);
|
||||
server_vacuum(s, false);
|
||||
|
||||
diff --git a/src/journal/journald-server.h b/src/journal/journald-server.h
|
||||
index 99d91496be..de1c48f805 100644
|
||||
--- a/src/journal/journald-server.h
|
||||
+++ b/src/journal/journald-server.h
|
||||
@@ -197,7 +197,7 @@ void server_sync(Server *s);
|
||||
int server_vacuum(Server *s, bool verbose);
|
||||
void server_rotate(Server *s);
|
||||
int server_schedule_sync(Server *s, int priority);
|
||||
-int server_flush_to_var(Server *s);
|
||||
+int server_flush_to_var(Server *s, bool require_flag_file);
|
||||
void server_maybe_append_tags(Server *s);
|
||||
int server_process_datagram(sd_event_source *es, int fd, uint32_t revents, void *userdata);
|
||||
void server_space_usage_message(Server *s, JournalStorage *storage);
|
||||
diff --git a/src/journal/journald.c b/src/journal/journald.c
|
||||
index 7f47ca22dd..9ac21457f6 100644
|
||||
--- a/src/journal/journald.c
|
||||
+++ b/src/journal/journald.c
|
||||
@@ -52,7 +52,7 @@ int main(int argc, char *argv[]) {
|
||||
goto finish;
|
||||
|
||||
server_vacuum(&server, false);
|
||||
- server_flush_to_var(&server);
|
||||
+ server_flush_to_var(&server, true);
|
||||
server_flush_dev_kmsg(&server);
|
||||
|
||||
log_debug("systemd-journald running as pid "PID_FMT, getpid());
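Review bot: The startup call `server_flush_to_var(&server, true);` drops the return value silently, whereas the two call sites changed in journald-server.c mark that explicitly with a `(void)` cast. For consistency, and so the ignored error is visibly deliberate, this line could read `(void) server_flush_to_var(&server, true);`. main() starts and ends outside the hunk.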
|
@ -1,869 +0,0 @@
|
||||
From d262fb5809de27d51e9d6b97c6b114804c2b95c5 Mon Sep 17 00:00:00 2001
|
||||
From: Lennart Poettering <lennart@poettering.net>
|
||||
Date: Tue, 1 Nov 2016 20:25:19 -0600
|
||||
Subject: [PATCH] core: add new RestrictNamespaces= unit file setting
|
||||
|
||||
This new setting permits restricting whether namespaces may be created and
|
||||
managed by processes started by a unit. It installs a seccomp filter blocking
|
||||
certain invocations of unshare(), clone() and setns().
|
||||
|
||||
RestrictNamespaces=no is the default, and does not restrict namespaces in any
|
||||
way. RestrictNamespaces=yes takes away the ability to create or manage any kind
|
||||
of namspace. "RestrictNamespaces=mnt ipc" restricts the creation of namespaces
|
||||
so that only mount and IPC namespaces may be created/managed, but no other
|
||||
kind of namespaces.
|
||||
|
||||
This setting should improve security quite a bit as in particular user
|
||||
namespacing was a major source of CVEs in the kernel in the past, and is
|
||||
accessible to unprivileged processes. With this setting the entire attack
|
||||
surface may be removed for system services that do not make use of namespaces.
|
||||
|
||||
(cherry picked from commit add005357d535681c7075ced8eec2b6e61b43728)
|
||||
---
|
||||
Makefile.am | 4 +-
|
||||
TODO | 6 --
|
||||
man/systemd.exec.xml | 50 +++++++++-----
|
||||
src/core/dbus-execute.c | 21 ++++++
|
||||
src/core/execute.c | 30 ++++++++
|
||||
src/core/execute.h | 9 +++
|
||||
src/core/load-fragment-gperf.gperf.m4 | 2 +
|
||||
src/core/load-fragment.c | 49 +++++++++++++
|
||||
src/core/load-fragment.h | 1 +
|
||||
src/shared/bus-unit-util.c | 25 +++++++
|
||||
src/shared/nsflags.c | 126 ++++++++++++++++++++++++++++++++++
|
||||
src/shared/nsflags.h | 49 +++++++++++++
|
||||
src/shared/seccomp-util.c | 89 ++++++++++++++++++++++++
|
||||
src/shared/seccomp-util.h | 2 +
|
||||
src/test/test-seccomp.c | 94 +++++++++++++++++++++++++
|
||||
15 files changed, 534 insertions(+), 23 deletions(-)
|
||||
create mode 100644 src/shared/nsflags.c
|
||||
create mode 100644 src/shared/nsflags.h
|
||||
|
||||
diff --git a/Makefile.am b/Makefile.am
|
||||
index f2d8bf57f7..1031e797b3 100644
|
||||
--- a/Makefile.am
|
||||
+++ b/Makefile.am
|
||||
@@ -1046,7 +1046,9 @@ libshared_la_SOURCES = \
|
||||
src/shared/tests.h \
|
||||
src/shared/tests.c \
|
||||
src/shared/fdset.c \
|
||||
- src/shared/fdset.h
|
||||
+ src/shared/fdset.h \
|
||||
+ src/shared/nsflags.h \
|
||||
+ src/shared/nsflags.c
|
||||
|
||||
if HAVE_UTMP
|
||||
libshared_la_SOURCES += \
|
||||
diff --git a/TODO b/TODO
|
||||
index c8266a549d..164e33708e 100644
|
||||
--- a/TODO
|
||||
+++ b/TODO
|
||||
@@ -59,14 +59,10 @@ Features:
|
||||
|
||||
* define gpt header bits to select volatility mode
|
||||
|
||||
-* nspawn: mount loopback filesystems with "discard"
|
||||
-
|
||||
* ProtectKernelLogs= (drops CAP_SYSLOG, add seccomp for syslog() syscall, and DeviceAllow to /dev/kmsg) in service files
|
||||
|
||||
* ProtectClock= (drops CAP_SYS_TIMES, adds seecomp filters for settimeofday, adjtimex), sets DeviceAllow o /dev/rtc
|
||||
|
||||
-* ProtectKernelModules= (drops CAP_SYS_MODULE and filters the kmod syscalls)
|
||||
-
|
||||
* ProtectTracing= (drops CAP_SYS_PTRACE, blocks ptrace syscall, makes /sys/kernel/tracing go away)
|
||||
|
||||
* ProtectMount= (drop mount/umount/pivot_root from seccomp, disallow fuse via DeviceAllow, imply Mountflags=slave)
|
||||
@@ -88,8 +84,6 @@ Features:
|
||||
|
||||
* Add RootImage= for mounting a disk image or file as root directory
|
||||
|
||||
-* RestrictNamespaces= or so in services (taking away the ability to create namespaces, with setns, unshare, clone)
|
||||
-
|
||||
* make sure the ratelimit object can deal with USEC_INFINITY as way to turn off things
|
||||
|
||||
* journalctl: make sure -f ends when the container indicated by -M terminates
|
||||
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
|
||||
index 3c350df11f..33bca1bfb0 100644
|
||||
--- a/man/systemd.exec.xml
|
||||
+++ b/man/systemd.exec.xml
|
||||
@@ -1234,22 +1234,16 @@
|
||||
<varlistentry>
|
||||
<term><varname>NoNewPrivileges=</varname></term>
|
||||
|
||||
- <listitem><para>Takes a boolean argument. If true, ensures that the service
|
||||
- process and all its children can never gain new privileges. This option is more
|
||||
- powerful than the respective secure bits flags (see above), as it also prohibits
|
||||
- UID changes of any kind. This is the simplest and most effective way to ensure that
|
||||
- a process and its children can never elevate privileges again. Defaults to false,
|
||||
- but in the user manager instance certain settings force
|
||||
- <varname>NoNewPrivileges=yes</varname>, ignoring the value of this setting.
|
||||
- Those is the case when <varname>SystemCallFilter=</varname>,
|
||||
- <varname>SystemCallArchitectures=</varname>,
|
||||
- <varname>RestrictAddressFamilies=</varname>,
|
||||
- <varname>PrivateDevices=</varname>,
|
||||
- <varname>ProtectKernelTunables=</varname>,
|
||||
- <varname>ProtectKernelModules=</varname>,
|
||||
- <varname>MemoryDenyWriteExecute=</varname>, or
|
||||
- <varname>RestrictRealtime=</varname> are specified.
|
||||
- </para></listitem>
|
||||
+ <listitem><para>Takes a boolean argument. If true, ensures that the service process and all its children can
|
||||
+ never gain new privileges through <function>execve()</function> (e.g. via setuid or setgid bits, or filesystem
|
||||
+ capabilities). This is the simplest and most effective way to ensure that a process and its children can never
|
||||
+ elevate privileges again. Defaults to false, but in the user manager instance certain settings force
|
||||
+ <varname>NoNewPrivileges=yes</varname>, ignoring the value of this setting. This is the case when
|
||||
+ <varname>SystemCallFilter=</varname>, <varname>SystemCallArchitectures=</varname>,
|
||||
+ <varname>RestrictAddressFamilies=</varname>, <varname>RestrictNamespaces=</varname>,
|
||||
+ <varname>PrivateDevices=</varname>, <varname>ProtectKernelTunables=</varname>,
|
||||
+ <varname>ProtectKernelModules=</varname>, <varname>MemoryDenyWriteExecute=</varname>, or
|
||||
+ <varname>RestrictRealtime=</varname> are specified.</para></listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
@@ -1462,6 +1456,30 @@
|
||||
logging. This does not affect commands prefixed with <literal>+</literal>.</para></listitem>
|
||||
</varlistentry>
|
||||
|
||||
+ <varlistentry>
|
||||
+ <term><varname>RestrictNamespaces=</varname></term>
|
||||
+
|
||||
+ <listitem><para>Restricts access to Linux namespace functionality for the processes of this unit. For details
|
||||
+ about Linux namespaces, see
|
||||
+ <citerefentry><refentrytitle>namespaces</refentrytitle><manvolnum>7</manvolnum></citerefentry>. Either takes a
|
||||
+ boolean argument, or a space-separated list of namespace type identifiers. If false (the default), no
|
||||
+ restrictions on namespace creation and switching are made. If true, access to any kind of namespacing is
|
||||
+ prohibited. Otherwise, a space-separated list of namespace type identifiers must be specified, consisting of
|
||||
+ any combination of: <constant>cgroup</constant>, <constant>ipc</constant>, <constant>net</constant>,
|
||||
+ <constant>mnt</constant>, <constant>pid</constant>, <constant>user</constant> and <constant>uts</constant>. Any
|
||||
+ namespace type listed is made accessible to the unit's processes, access to namespace types not listed is
|
||||
+ prohibited (whitelisting). By prepending the list with a single tilda character (<literal>~</literal>) the
|
||||
+ effect may be inverted: only the listed namespace types will be made inaccessible, all unlisted ones are
|
||||
+ permitted (blacklisting). If the empty string is assigned, the default namespace restrictions are applied,
|
||||
+ which is equivalent to false. Internally, this setting limits access to the
|
||||
+ <citerefentry><refentrytitle>unshare</refentrytitle><manvolnum>2</manvolnum></citerefentry>,
|
||||
+ <citerefentry><refentrytitle>clone</refentrytitle><manvolnum>2</manvolnum></citerefentry> and
|
||||
+ <citerefentry><refentrytitle>setns</refentrytitle><manvolnum>2</manvolnum></citerefentry> system calls, taking
|
||||
+ the specified flags parameters into account. Note that — if this option is used — in addition to restricting
|
||||
+ creation and switching of the specified types of namespaces (or all of them, if true) access to the
|
||||
+ <function>setns()</function> system call with a zero flags parameter is prohibited.</para></listitem>
|
||||
+ </varlistentry>
|
||||
+
|
||||
<varlistentry>
|
||||
<term><varname>ProtectKernelModules=</varname></term>
|
||||
|
||||
diff --git a/src/core/dbus-execute.c b/src/core/dbus-execute.c
|
||||
index 03f23780c1..d7bb0496a0 100644
|
||||
--- a/src/core/dbus-execute.c
|
||||
+++ b/src/core/dbus-execute.c
|
||||
@@ -781,6 +781,7 @@ const sd_bus_vtable bus_exec_vtable[] = {
|
||||
SD_BUS_PROPERTY("RuntimeDirectory", "as", NULL, offsetof(ExecContext, runtime_directory), SD_BUS_VTABLE_PROPERTY_CONST),
|
||||
SD_BUS_PROPERTY("MemoryDenyWriteExecute", "b", bus_property_get_bool, offsetof(ExecContext, memory_deny_write_execute), SD_BUS_VTABLE_PROPERTY_CONST),
|
||||
SD_BUS_PROPERTY("RestrictRealtime", "b", bus_property_get_bool, offsetof(ExecContext, restrict_realtime), SD_BUS_VTABLE_PROPERTY_CONST),
|
||||
+ SD_BUS_PROPERTY("RestrictNamespace", "t", bus_property_get_ulong, offsetof(ExecContext, restrict_namespaces), SD_BUS_VTABLE_PROPERTY_CONST),
|
||||
SD_BUS_VTABLE_END
|
||||
};
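Review bot: The property added to `bus_exec_vtable[]` is spelled `"RestrictNamespace"`, but the transient setter in the next hunk matches `"RestrictNamespaces"` and the unit-file setting is plural as well. A client that reads the property back under the setting's name will not find it, so the applied restriction cannot be verified over D-Bus by that name. The entry should read `SD_BUS_PROPERTY("RestrictNamespaces", "t", bus_property_get_ulong, offsetof(ExecContext, restrict_namespaces), SD_BUS_VTABLE_PROPERTY_CONST),`.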
|
||||
|
||||
@@ -1591,7 +1592,27 @@ int bus_exec_context_set_transient_property(
|
||||
}
|
||||
|
||||
return 1;
|
||||
+ } else if (streq(name, "RestrictNamespaces")) {
|
||||
+ uint64_t flags;
|
||||
|
||||
+ r = sd_bus_message_read(message, "t", &flags);
|
||||
+ if (r < 0)
|
||||
+ return r;
|
||||
+ if ((flags & NAMESPACE_FLAGS_ALL) != flags)
|
||||
+ return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Unknown namespace types");
|
||||
+
|
||||
+ if (mode != UNIT_CHECK) {
|
||||
+ _cleanup_free_ char *s = NULL;
|
||||
+
|
||||
+ r = namespace_flag_to_string_many(flags, &s);
|
||||
+ if (r < 0)
|
||||
+ return r;
|
||||
+
|
||||
+ c->restrict_namespaces = flags;
|
||||
+ unit_write_drop_in_private_format(u, mode, name, "%s=%s", name, s);
|
||||
+ }
|
||||
+
|
||||
+ return 1;
|
||||
}
|
||||
|
||||
ri = rlimit_from_string(name);
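Review bot: When `flags` is 0 (the value the client side sends for `RestrictNamespaces=yes`, no namespace type permitted), `namespace_flag_to_string_many()` as added in nsflags.c returns an empty string, so the drop-in written here is `RestrictNamespaces=`. `config_parse_restrict_namespaces()` in this same patch treats an empty value as a reset to `NAMESPACE_FLAGS_ALL`, so if that drop-in is parsed again (for example on a reload, which is not visible here) the strictest setting would turn into no restriction at all. Writing the boolean form for the empty mask avoids this: `unit_write_drop_in_private_format(u, mode, name, "%s=%s", name, flags == 0 ? "yes" : s);`. The enclosing function starts and ends outside the hunk.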
|
||||
diff --git a/src/core/execute.c b/src/core/execute.c
|
||||
index 224382b581..59ce0774c4 100644
|
||||
--- a/src/core/execute.c
|
||||
+++ b/src/core/execute.c
|
||||
@@ -1534,6 +1534,18 @@ static int apply_private_devices(const Unit *u, const ExecContext *c) {
|
||||
return seccomp_load_filter_set(SCMP_ACT_ALLOW, syscall_filter_sets + SYSCALL_FILTER_SET_RAW_IO, SCMP_ACT_ERRNO(EPERM));
|
||||
}
|
||||
|
||||
+static int apply_restrict_namespaces(Unit *u, const ExecContext *c) {
|
||||
+ assert(c);
|
||||
+
|
||||
+ if (!exec_context_restrict_namespaces_set(c))
|
||||
+ return 0;
|
||||
+
|
||||
+ if (skip_seccomp_unavailable(u, "RestrictNamespaces="))
|
||||
+ return 0;
|
||||
+
|
||||
+ return seccomp_restrict_namespaces(c->restrict_namespaces);
|
||||
+}
|
||||
+
|
||||
#endif
|
||||
|
||||
static void do_idle_pipe_dance(int idle_pipe[4]) {
|
||||
@@ -2183,6 +2195,7 @@ static bool context_has_no_new_privileges(const ExecContext *c) {
|
||||
return context_has_address_families(c) || /* we need NNP if we have any form of seccomp and are unprivileged */
|
||||
c->memory_deny_write_execute ||
|
||||
c->restrict_realtime ||
|
||||
+ exec_context_restrict_namespaces_set(c) ||
|
||||
c->protect_kernel_tunables ||
|
||||
c->protect_kernel_modules ||
|
||||
c->private_devices ||
|
||||
@@ -2764,6 +2777,12 @@ static int exec_child(
|
||||
}
|
||||
}
|
||||
|
||||
+ r = apply_restrict_namespaces(unit, context);
|
||||
+ if (r < 0) {
|
||||
+ *exit_status = EXIT_SECCOMP;
|
||||
+ return r;
|
||||
+ }
|
||||
+
|
||||
if (context->protect_kernel_tunables) {
|
||||
r = apply_protect_sysctl(unit, context);
|
||||
if (r < 0) {
|
||||
@@ -2947,6 +2966,7 @@ void exec_context_init(ExecContext *c) {
|
||||
c->personality = PERSONALITY_INVALID;
|
||||
c->runtime_directory_mode = 0755;
|
||||
c->capability_bounding_set = CAP_ALL;
|
||||
+ c->restrict_namespaces = NAMESPACE_FLAGS_ALL;
|
||||
}
|
||||
|
||||
void exec_context_done(ExecContext *c) {
|
||||
@@ -3244,6 +3264,7 @@ static void strv_fprintf(FILE *f, char **l) {
|
||||
void exec_context_dump(ExecContext *c, FILE* f, const char *prefix) {
|
||||
char **e, **d;
|
||||
unsigned i;
|
||||
+ int r;
|
||||
|
||||
assert(c);
|
||||
assert(f);
|
||||
@@ -3524,6 +3545,15 @@ void exec_context_dump(ExecContext *c, FILE* f, const char *prefix) {
|
||||
fputc('\n', f);
|
||||
}
|
||||
|
||||
+ if (exec_context_restrict_namespaces_set(c)) {
|
||||
+ _cleanup_free_ char *s = NULL;
|
||||
+
|
||||
+ r = namespace_flag_to_string_many(c->restrict_namespaces, &s);
|
||||
+ if (r >= 0)
|
||||
+ fprintf(f, "%sRestrictNamespaces: %s\n",
|
||||
+ prefix, s);
|
||||
+ }
|
||||
+
|
||||
if (c->syscall_errno > 0)
|
||||
fprintf(f,
|
||||
"%sSystemCallErrorNumber: %s\n",
|
||||
diff --git a/src/core/execute.h b/src/core/execute.h
|
||||
index c7d0f7761e..56f880cffe 100644
|
||||
--- a/src/core/execute.h
|
||||
+++ b/src/core/execute.h
|
||||
@@ -35,6 +35,7 @@ typedef struct ExecParameters ExecParameters;
|
||||
#include "list.h"
|
||||
#include "missing.h"
|
||||
#include "namespace.h"
|
||||
+#include "nsflags.h"
|
||||
|
||||
typedef enum ExecUtmpMode {
|
||||
EXEC_UTMP_INIT,
|
||||
@@ -195,6 +196,8 @@ struct ExecContext {
|
||||
|
||||
unsigned long personality;
|
||||
|
||||
+ unsigned long restrict_namespaces; /* The CLONE_NEWxyz flags permitted to the unit's processes */
|
||||
+
|
||||
Set *syscall_filter;
|
||||
Set *syscall_archs;
|
||||
int syscall_errno;
|
||||
@@ -216,6 +219,12 @@ struct ExecContext {
|
||||
bool no_new_privileges_set:1;
|
||||
};
|
||||
|
||||
+static inline bool exec_context_restrict_namespaces_set(const ExecContext *c) {
|
||||
+ assert(c);
|
||||
+
|
||||
+ return (c->restrict_namespaces & NAMESPACE_FLAGS_ALL) != NAMESPACE_FLAGS_ALL;
|
||||
+}
|
||||
+
|
||||
typedef enum ExecFlags {
|
||||
EXEC_CONFIRM_SPAWN = 1U << 0,
|
||||
EXEC_APPLY_PERMISSIONS = 1U << 1,
|
||||
diff --git a/src/core/load-fragment-gperf.gperf.m4 b/src/core/load-fragment-gperf.gperf.m4
|
||||
index af2f9d960b..cb2f384f47 100644
|
||||
--- a/src/core/load-fragment-gperf.gperf.m4
|
||||
+++ b/src/core/load-fragment-gperf.gperf.m4
|
||||
@@ -57,12 +57,14 @@ m4_ifdef(`HAVE_SECCOMP',
|
||||
$1.SystemCallArchitectures, config_parse_syscall_archs, 0, offsetof($1, exec_context.syscall_archs)
|
||||
$1.SystemCallErrorNumber, config_parse_syscall_errno, 0, offsetof($1, exec_context)
|
||||
$1.MemoryDenyWriteExecute, config_parse_bool, 0, offsetof($1, exec_context.memory_deny_write_execute)
|
||||
+$1.RestrictNamespaces, config_parse_restrict_namespaces, 0, offsetof($1, exec_context.restrict_namespaces)
|
||||
$1.RestrictRealtime, config_parse_bool, 0, offsetof($1, exec_context.restrict_realtime)
|
||||
$1.RestrictAddressFamilies, config_parse_address_families, 0, offsetof($1, exec_context)',
|
||||
`$1.SystemCallFilter, config_parse_warn_compat, DISABLED_CONFIGURATION, 0
|
||||
$1.SystemCallArchitectures, config_parse_warn_compat, DISABLED_CONFIGURATION, 0
|
||||
$1.SystemCallErrorNumber, config_parse_warn_compat, DISABLED_CONFIGURATION, 0
|
||||
$1.MemoryDenyWriteExecute, config_parse_warn_compat, DISABLED_CONFIGURATION, 0
|
||||
+$1.RestrictNamespaces, config_parse_warn_compat, DISABLED_CONFIGURATION, 0
|
||||
$1.RestrictRealtime, config_parse_warn_compat, DISABLED_CONFIGURATION, 0
|
||||
$1.RestrictAddressFamilies, config_parse_warn_compat, DISABLED_CONFIGURATION, 0')
|
||||
$1.LimitCPU, config_parse_limit, RLIMIT_CPU, offsetof($1, exec_context.rlimit)
|
||||
diff --git a/src/core/load-fragment.c b/src/core/load-fragment.c
|
||||
index cbc826809e..e0fa484c1e 100644
|
||||
--- a/src/core/load-fragment.c
|
||||
+++ b/src/core/load-fragment.c
|
||||
@@ -2905,6 +2905,54 @@ int config_parse_address_families(
|
||||
if (!isempty(state))
|
||||
log_syntax(unit, LOG_ERR, filename, line, 0, "Trailing garbage, ignoring.");
|
||||
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
+int config_parse_restrict_namespaces(
|
||||
+ const char *unit,
|
||||
+ const char *filename,
|
||||
+ unsigned line,
|
||||
+ const char *section,
|
||||
+ unsigned section_line,
|
||||
+ const char *lvalue,
|
||||
+ int ltype,
|
||||
+ const char *rvalue,
|
||||
+ void *data,
|
||||
+ void *userdata) {
|
||||
+
|
||||
+ ExecContext *c = data;
|
||||
+ bool invert = false;
|
||||
+ int r;
|
||||
+
|
||||
+ if (isempty(rvalue)) {
|
||||
+ /* Reset to the default. */
|
||||
+ c->restrict_namespaces = NAMESPACE_FLAGS_ALL;
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
+ if (rvalue[0] == '~') {
|
||||
+ invert = true;
|
||||
+ rvalue++;
|
||||
+ }
|
||||
+
|
||||
+ r = parse_boolean(rvalue);
|
||||
+ if (r > 0)
|
||||
+ c->restrict_namespaces = 0;
|
||||
+ else if (r == 0)
|
||||
+ c->restrict_namespaces = NAMESPACE_FLAGS_ALL;
|
||||
+ else {
|
||||
+ /* Not a boolean argument, in this case it's a list of namespace types. */
|
||||
+
|
||||
+ r = namespace_flag_from_string_many(rvalue, &c->restrict_namespaces);
|
||||
+ if (r < 0) {
|
||||
+ log_syntax(unit, LOG_ERR, filename, line, r, "Failed to parse namespace type string, ignoring: %s", rvalue);
|
||||
+ return 0;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ if (invert)
|
||||
+ c->restrict_namespaces = (~c->restrict_namespaces) & NAMESPACE_FLAGS_ALL;
|
||||
+
|
||||
return 0;
|
||||
}
|
||||
#endif
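Review bot: The `~` prefix is stripped before `parse_boolean()` in `config_parse_restrict_namespaces()`, so `RestrictNamespaces=~yes` is accepted and ends up as `NAMESPACE_FLAGS_ALL`, i.e. no restriction. A bare `~` appears to do the same, because the empty list parses to 0 and is then inverted. The man page text in this patch describes `~` only for lists of namespace types, so an inverted boolean is more likely a typo than intent, and here it silently switches the sandboxing off. Consider rejecting it directly after the `parse_boolean()` call, before either boolean branch assigns, e.g. `if (r >= 0 && invert) { log_syntax(unit, LOG_ERR, filename, line, 0, "Inverted boolean is not supported, ignoring: %s", rvalue); return 0; }`. The RestrictNamespaces branch added to bus-unit-util.c has the same logic and would need the same check.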
|
||||
@@ -4327,6 +4375,7 @@ void unit_dump_config_items(FILE *f) {
|
||||
{ config_parse_syscall_archs, "ARCHS" },
|
||||
{ config_parse_syscall_errno, "ERRNO" },
|
||||
{ config_parse_address_families, "FAMILIES" },
|
||||
+ { config_parse_restrict_namespaces, "NAMESPACES" },
|
||||
#endif
|
||||
{ config_parse_cpu_shares, "SHARES" },
|
||||
{ config_parse_cpu_weight, "WEIGHT" },
|
||||
diff --git a/src/core/load-fragment.h b/src/core/load-fragment.h
|
||||
index c05f205c37..1cff815a50 100644
|
||||
--- a/src/core/load-fragment.h
|
||||
+++ b/src/core/load-fragment.h
|
||||
@@ -116,6 +116,7 @@ int config_parse_fdname(const char *unit, const char *filename, unsigned line, c
|
||||
int config_parse_sec_fix_0(const char *unit, const char *filename, unsigned line, const char *section, unsigned section_line, const char *lvalue, int ltype, const char *rvalue, void *data, void *userdata);
|
||||
int config_parse_user_group(const char *unit, const char *filename, unsigned line, const char *section, unsigned section_line, const char *lvalue, int ltype, const char *rvalue, void *data, void *userdata);
|
||||
int config_parse_user_group_strv(const char *unit, const char *filename, unsigned line, const char *section, unsigned section_line, const char *lvalue, int ltype, const char *rvalue, void *data, void *userdata);
|
||||
+int config_parse_restrict_namespaces(const char *unit, const char *filename, unsigned line, const char *section, unsigned section_line, const char *lvalue, int ltype, const char *rvalue, void *data, void *userdata);
|
||||
|
||||
/* gperf prototypes */
|
||||
const struct ConfigPerfItem* load_fragment_gperf_lookup(const char *key, unsigned length);
|
||||
diff --git a/src/shared/bus-unit-util.c b/src/shared/bus-unit-util.c
|
||||
index f639e0e832..35e2c8f18e 100644
|
||||
--- a/src/shared/bus-unit-util.c
|
||||
+++ b/src/shared/bus-unit-util.c
|
||||
@@ -27,6 +27,7 @@
|
||||
#include "hashmap.h"
|
||||
#include "list.h"
|
||||
#include "locale-util.h"
|
||||
+#include "nsflags.h"
|
||||
#include "parse-util.h"
|
||||
#include "path-util.h"
|
||||
#include "process-util.h"
|
||||
@@ -553,6 +554,30 @@ int bus_append_unit_property_assignment(sd_bus_message *m, const char *assignmen
|
||||
|
||||
r = sd_bus_message_close_container(m);
|
||||
|
||||
+ } else if (streq(field, "RestrictNamespaces")) {
|
||||
+ bool invert = false;
|
||||
+ uint64_t flags = 0;
|
||||
+
|
||||
+ if (eq[0] == '~') {
|
||||
+ invert = true;
|
||||
+ eq++;
|
||||
+ }
|
||||
+
|
||||
+ r = parse_boolean(eq);
|
||||
+ if (r > 0)
|
||||
+ flags = 0;
|
||||
+ else if (r == 0)
|
||||
+ flags = NAMESPACE_FLAGS_ALL;
|
||||
+ else {
|
||||
+ r = namespace_flag_from_string_many(eq, &flags);
|
||||
+ if (r < 0)
|
||||
+ return log_error_errno(r, "Failed to parse %s value %s.", field, eq);
|
||||
+ }
|
||||
+
|
||||
+ if (invert)
|
||||
+ flags = (~flags) & NAMESPACE_FLAGS_ALL;
|
||||
+
|
||||
+ r = sd_bus_message_append(m, "v", "t", flags);
|
||||
} else {
|
||||
log_error("Unknown assignment %s.", assignment);
|
||||
return -EINVAL;
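Review bot: `flags` is declared `uint64_t`, but its address is passed to `namespace_flag_from_string_many()`, whose second parameter is `unsigned long *` in nsflags.h. Where `unsigned long` is 32 bits wide that is an incompatible pointer type and the callee writes only part of the variable; the result stays correct only because `flags` starts at 0, and only on little-endian layouts. Declaring it `unsigned long flags = 0;` and widening at the append, `r = sd_bus_message_append(m, "v", "t", (uint64_t) flags);`, keeps the D-Bus type `t` while matching the helper. The enclosing function starts outside the hunk.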
|
||||
diff --git a/src/shared/nsflags.c b/src/shared/nsflags.c
|
||||
new file mode 100644
|
||||
index 0000000000..8fcbe97ba7
|
||||
--- /dev/null
|
||||
+++ b/src/shared/nsflags.c
|
||||
@@ -0,0 +1,126 @@
|
||||
+/***
|
||||
+ This file is part of systemd.
|
||||
+
|
||||
+ Copyright 2016 Lennart Poettering
|
||||
+
|
||||
+ systemd is free software; you can redistribute it and/or modify it
|
||||
+ under the terms of the GNU Lesser General Public License as published by
|
||||
+ the Free Software Foundation; either version 2.1 of the License, or
|
||||
+ (at your option) any later version.
|
||||
+
|
||||
+ systemd is distributed in the hope that it will be useful, but
|
||||
+ WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
||||
+ Lesser General Public License for more details.
|
||||
+
|
||||
+ You should have received a copy of the GNU Lesser General Public License
|
||||
+ along with systemd; If not, see <http://www.gnu.org/licenses/>.
|
||||
+***/
|
||||
+
|
||||
+#include <sched.h>
|
||||
+
|
||||
+#include "alloc-util.h"
|
||||
+#include "extract-word.h"
|
||||
+#include "nsflags.h"
|
||||
+#include "seccomp-util.h"
|
||||
+#include "string-util.h"
|
||||
+
|
||||
+const struct namespace_flag_map namespace_flag_map[] = {
|
||||
+ { CLONE_NEWCGROUP, "cgroup" },
|
||||
+ { CLONE_NEWIPC, "ipc" },
|
||||
+ { CLONE_NEWNET, "net" },
|
||||
+ /* So, the mount namespace flag is called CLONE_NEWNS for historical reasons. Let's expose it here under a more
|
||||
+ * explanatory name: "mnt". This is in-line with how the kernel exposes namespaces in /proc/$PID/ns. */
|
||||
+ { CLONE_NEWNS, "mnt" },
|
||||
+ { CLONE_NEWPID, "pid" },
|
||||
+ { CLONE_NEWUSER, "user" },
|
||||
+ { CLONE_NEWUTS, "uts" },
|
||||
+ {}
|
||||
+};
|
||||
+
|
||||
+const char* namespace_flag_to_string(unsigned long flag) {
|
||||
+ unsigned i;
|
||||
+
|
||||
+ flag &= NAMESPACE_FLAGS_ALL;
|
||||
+
|
||||
+ for (i = 0; namespace_flag_map[i].name; i++)
|
||||
+ if (flag == namespace_flag_map[i].flag)
|
||||
+ return namespace_flag_map[i].name;
|
||||
+
|
||||
+ return NULL; /* either unknown namespace flag, or a combination of many. This call supports neither. */
|
||||
+}
|
||||
+
|
||||
+unsigned long namespace_flag_from_string(const char *name) {
|
||||
+ unsigned i;
|
||||
+
|
||||
+ if (isempty(name))
|
||||
+ return 0;
|
||||
+
|
||||
+ for (i = 0; namespace_flag_map[i].name; i++)
|
||||
+ if (streq(name, namespace_flag_map[i].name))
|
||||
+ return namespace_flag_map[i].flag;
|
||||
+
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
+int namespace_flag_from_string_many(const char *name, unsigned long *ret) {
|
||||
+ unsigned long flags = 0;
|
||||
+ int r;
|
||||
+
|
||||
+ assert_se(ret);
|
||||
+
|
||||
+ if (!name) {
|
||||
+ *ret = 0;
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
+ for (;;) {
|
||||
+ _cleanup_free_ char *word = NULL;
|
||||
+ unsigned long f;
|
||||
+
|
||||
+ r = extract_first_word(&name, &word, NULL, 0);
|
||||
+ if (r < 0)
|
||||
+ return r;
|
||||
+ if (r == 0)
|
||||
+ break;
|
||||
+
|
||||
+ f = namespace_flag_from_string(word);
|
||||
+ if (f == 0)
|
||||
+ return -EINVAL;
|
||||
+
|
||||
+ flags |= f;
|
||||
+ }
|
||||
+
|
||||
+ *ret = flags;
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
+int namespace_flag_to_string_many(unsigned long flags, char **ret) {
|
||||
+ _cleanup_free_ char *s = NULL;
|
||||
+ unsigned i;
|
||||
+
|
||||
+ for (i = 0; namespace_flag_map[i].name; i++) {
|
||||
+ if ((flags & namespace_flag_map[i].flag) != namespace_flag_map[i].flag)
|
||||
+ continue;
|
||||
+
|
||||
+ if (!s) {
|
||||
+ s = strdup(namespace_flag_map[i].name);
|
||||
+ if (!s)
|
||||
+ return -ENOMEM;
|
||||
+ } else {
|
||||
+ if (!strextend(&s, " ", namespace_flag_map[i].name, NULL))
|
||||
+ return -ENOMEM;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ if (!s) {
|
||||
+ s = strdup("");
|
||||
+ if (!s)
|
||||
+ return -ENOMEM;
|
||||
+ }
|
||||
+
|
||||
+ *ret = s;
|
||||
+ s = NULL;
|
||||
+
|
||||
+ return 0;
|
||||
+}
|
||||
diff --git a/src/shared/nsflags.h b/src/shared/nsflags.h
|
||||
new file mode 100644
|
||||
index 0000000000..152ab8b936
|
||||
--- /dev/null
|
||||
+++ b/src/shared/nsflags.h
|
||||
@@ -0,0 +1,49 @@
|
||||
+#pragma once
|
||||
+
|
||||
+/***
|
||||
+ This file is part of systemd.
|
||||
+
|
||||
+ Copyright 2016 Lennart Poettering
|
||||
+
|
||||
+ systemd is free software; you can redistribute it and/or modify it
|
||||
+ under the terms of the GNU Lesser General Public License as published by
|
||||
+ the Free Software Foundation; either version 2.1 of the License, or
|
||||
+ (at your option) any later version.
|
||||
+
|
||||
+ systemd is distributed in the hope that it will be useful, but
|
||||
+ WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
||||
+ Lesser General Public License for more details.
|
||||
+
|
||||
+ You should have received a copy of the GNU Lesser General Public License
|
||||
+ along with systemd; If not, see <http://www.gnu.org/licenses/>.
|
||||
+***/
|
||||
+
|
||||
+#include <sched.h>
|
||||
+
|
||||
+#include "missing.h"
|
||||
+
|
||||
+/* The combination of all namespace flags defined by the kernel. The right type for this isn't clear. setns() and
|
||||
+ * unshare() expect these flags to be passed as (signed) "int", while clone() wants them as "unsigned long". The latter
|
||||
+ * is definitely more appropriate for a flags parameter, and also the larger type of the two, hence let's stick to that
|
||||
+ * here. */
|
||||
+#define NAMESPACE_FLAGS_ALL \
|
||||
+ ((unsigned long) (CLONE_NEWCGROUP| \
|
||||
+ CLONE_NEWIPC| \
|
||||
+ CLONE_NEWNET| \
|
||||
+ CLONE_NEWNS| \
|
||||
+ CLONE_NEWPID| \
|
||||
+ CLONE_NEWUSER| \
|
||||
+ CLONE_NEWUTS))
|
||||
+
|
||||
+const char* namespace_flag_to_string(unsigned long flag);
|
||||
+unsigned long namespace_flag_from_string(const char *name);
|
||||
+int namespace_flag_from_string_many(const char *name, unsigned long *ret);
|
||||
+int namespace_flag_to_string_many(unsigned long flags, char **ret);
|
||||
+
|
||||
+struct namespace_flag_map {
|
||||
+ unsigned long flag;
|
||||
+ const char *name;
|
||||
+};
|
||||
+
|
||||
+extern const struct namespace_flag_map namespace_flag_map[];
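Review bot: The four prototypes in this new header carry no contract comments, and two of the contracts are easy to get wrong. namespace_flag_from_string() returns 0 both for an empty or NULL name and for an unknown one, and namespace_flag_to_string_many() hands a newly allocated string to the caller through `*ret` (an empty string when no flag matches). I would add one-line comments above them, e.g. `/* Returns 0 if the name is empty or not a known namespace type */` and `/* On success *ret is a newly allocated, space-separated list the caller must free */`. It is also worth stating that namespace_flag_from_string_many() accepts an empty list and yields 0, which a caller passing the result as `retain` to seccomp_restrict_namespaces() turns into "block every namespace type".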
|
||||
diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c
|
||||
index c9b24f1065..55b97e1efb 100644
|
||||
--- a/src/shared/seccomp-util.c
|
||||
+++ b/src/shared/seccomp-util.c
|
||||
@@ -23,7 +23,9 @@
|
||||
#include <sys/prctl.h>
|
||||
#include <linux/seccomp.h>
|
||||
|
||||
+#include "alloc-util.h"
|
||||
#include "macro.h"
|
||||
+#include "nsflags.h"
|
||||
#include "seccomp-util.h"
|
||||
#include "string-util.h"
|
||||
#include "util.h"
|
||||
@@ -574,5 +576,92 @@ int seccomp_load_filter_set(uint32_t default_action, const SyscallFilterSet *set
|
||||
finish:
|
||||
seccomp_release(seccomp);
|
||||
return r;
|
||||
+}
|
||||
+
|
||||
+int seccomp_restrict_namespaces(unsigned long retain) {
|
||||
+ scmp_filter_ctx seccomp;
|
||||
+ unsigned i;
|
||||
+ int r;
|
||||
+
|
||||
+ if (log_get_max_level() >= LOG_DEBUG) {
|
||||
+ _cleanup_free_ char *s = NULL;
|
||||
+
|
||||
+ (void) namespace_flag_to_string_many(retain, &s);
|
||||
+ log_debug("Restricting namespace to: %s.", strna(s));
|
||||
+ }
|
||||
+
|
||||
+ /* NOOP? */
|
||||
+ if ((retain & NAMESPACE_FLAGS_ALL) == NAMESPACE_FLAGS_ALL)
|
||||
+ return 0;
|
||||
+
|
||||
+ r = seccomp_init_conservative(&seccomp, SCMP_ACT_ALLOW);
|
||||
+ if (r < 0)
|
||||
+ return r;
|
||||
+
|
||||
+ if ((retain & NAMESPACE_FLAGS_ALL) == 0)
|
||||
+ /* If every single kind of namespace shall be prohibited, then let's block the whole setns() syscall
|
||||
+ * altogether. */
|
||||
+ r = seccomp_rule_add(
|
||||
+ seccomp,
|
||||
+ SCMP_ACT_ERRNO(EPERM),
|
||||
+ SCMP_SYS(setns),
|
||||
+ 0);
|
||||
+ else
|
||||
+ /* Otherwise, block only the invocations with the appropriate flags in the loop below, but also the
|
||||
+ * special invocation with a zero flags argument, right here. */
|
||||
+ r = seccomp_rule_add(
|
||||
+ seccomp,
|
||||
+ SCMP_ACT_ERRNO(EPERM),
|
||||
+ SCMP_SYS(setns),
|
||||
+ 1,
|
||||
+ SCMP_A1(SCMP_CMP_EQ, 0));
|
||||
+ if (r < 0)
|
||||
+ goto finish;
|
||||
+
|
||||
+ for (i = 0; namespace_flag_map[i].name; i++) {
|
||||
+ unsigned long f;
|
||||
+
|
||||
+ f = namespace_flag_map[i].flag;
|
||||
+ if ((retain & f) == f) {
|
||||
+ log_debug("Permitting %s.", namespace_flag_map[i].name);
|
||||
+ continue;
|
||||
+ }
|
||||
+
|
||||
+ log_debug("Blocking %s.", namespace_flag_map[i].name);
|
||||
+
|
||||
+ r = seccomp_rule_add(
|
||||
+ seccomp,
|
||||
+ SCMP_ACT_ERRNO(EPERM),
|
||||
+ SCMP_SYS(unshare),
|
||||
+ 1,
|
||||
+ SCMP_A0(SCMP_CMP_MASKED_EQ, f, f));
|
||||
+ if (r < 0)
|
||||
+ goto finish;
|
||||
+
|
||||
+ r = seccomp_rule_add(
|
||||
+ seccomp,
|
||||
+ SCMP_ACT_ERRNO(EPERM),
|
||||
+ SCMP_SYS(clone),
|
||||
+ 1,
|
||||
+ SCMP_A0(SCMP_CMP_MASKED_EQ, f, f));
|
||||
+ if (r < 0)
|
||||
+ goto finish;
|
||||
+
|
||||
+ if ((retain & NAMESPACE_FLAGS_ALL) != 0) {
|
||||
+ r = seccomp_rule_add(
|
||||
+ seccomp,
|
||||
+ SCMP_ACT_ERRNO(EPERM),
|
||||
+ SCMP_SYS(setns),
|
||||
+ 1,
|
||||
+ SCMP_A1(SCMP_CMP_MASKED_EQ, f, f));
|
||||
+ if (r < 0)
|
||||
+ goto finish;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ r = seccomp_load(seccomp);
|
||||
|
||||
+finish:
|
||||
+ seccomp_release(seccomp);
|
||||
+ return r;
|
||||
}
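Review bot: The `clone` rule in the loop assumes the flags word is the first syscall argument (`SCMP_A0`), which does not hold on every architecture. Per clone(2), the raw syscall on s390/s390x takes the stack pointer first and the flags second, so there the filter would compare the namespace bit against a stack address and the restriction for that namespace type would not take effect. On those architectures the rule should test `SCMP_A1(SCMP_CMP_MASKED_EQ, f, f)` instead. Whether seccomp_init_conservative() attaches secondary architectures is not visible in this hunk, so the choice may need to be made per architecture rather than with a single compile-time `#if`.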
|
||||
diff --git a/src/shared/seccomp-util.h b/src/shared/seccomp-util.h
|
||||
index 8e209efef2..e325dab628 100644
|
||||
--- a/src/shared/seccomp-util.h
|
||||
+++ b/src/shared/seccomp-util.h
|
||||
@@ -64,3 +64,5 @@ const SyscallFilterSet *syscall_filter_set_find(const char *name);
|
||||
int seccomp_add_syscall_filter_set(scmp_filter_ctx seccomp, const SyscallFilterSet *set, uint32_t action);
|
||||
|
||||
int seccomp_load_filter_set(uint32_t default_action, const SyscallFilterSet *set, uint32_t action);
|
||||
+
|
||||
+int seccomp_restrict_namespaces(unsigned long retain);
|
||||
diff --git a/src/test/test-seccomp.c b/src/test/test-seccomp.c
|
||||
index 43d1567288..beb6a7f422 100644
|
||||
--- a/src/test/test-seccomp.c
|
||||
+++ b/src/test/test-seccomp.c
|
||||
@@ -20,10 +20,15 @@
|
||||
#include <stdlib.h>
|
||||
#include <sys/eventfd.h>
|
||||
#include <unistd.h>
|
||||
+#include <sched.h>
|
||||
|
||||
+#include "alloc-util.h"
|
||||
#include "fd-util.h"
|
||||
#include "macro.h"
|
||||
+#include "missing.h"
|
||||
+#include "nsflags.h"
|
||||
#include "process-util.h"
|
||||
+#include "raw-clone.h"
|
||||
#include "seccomp-util.h"
|
||||
#include "string-util.h"
|
||||
#include "util.h"
|
||||
@@ -125,12 +130,101 @@ static void test_filter_sets(void) {
|
||||
}
|
||||
}
|
||||
|
||||
+static void test_restrict_namespace(void) {
|
||||
+ _cleanup_free_ char *s = NULL;
|
||||
+ pid_t pid;
|
||||
+ unsigned long ul;
|
||||
+
|
||||
+ assert_se(namespace_flag_to_string(0) == NULL);
|
||||
+ assert_se(streq(namespace_flag_to_string(CLONE_NEWNS), "mnt"));
|
||||
+ assert_se(namespace_flag_to_string(CLONE_NEWNS|CLONE_NEWIPC) == NULL);
|
||||
+ assert_se(streq(namespace_flag_to_string(CLONE_NEWCGROUP), "cgroup"));
|
||||
+
|
||||
+ assert_se(namespace_flag_from_string("mnt") == CLONE_NEWNS);
|
||||
+ assert_se(namespace_flag_from_string(NULL) == 0);
|
||||
+ assert_se(namespace_flag_from_string("") == 0);
|
||||
+ assert_se(namespace_flag_from_string("uts") == CLONE_NEWUTS);
|
||||
+ assert_se(namespace_flag_from_string(namespace_flag_to_string(CLONE_NEWUTS)) == CLONE_NEWUTS);
|
||||
+ assert_se(streq(namespace_flag_to_string(namespace_flag_from_string("ipc")), "ipc"));
|
||||
+
|
||||
+ assert_se(namespace_flag_from_string_many(NULL, &ul) == 0 && ul == 0);
|
||||
+ assert_se(namespace_flag_from_string_many("", &ul) == 0 && ul == 0);
|
||||
+ assert_se(namespace_flag_from_string_many("mnt uts ipc", &ul) == 0 && ul == (CLONE_NEWNS|CLONE_NEWUTS|CLONE_NEWIPC));
|
||||
+
|
||||
+ assert_se(namespace_flag_to_string_many(NAMESPACE_FLAGS_ALL, &s) == 0);
|
||||
+ assert_se(streq(s, "cgroup ipc net mnt pid user uts"));
|
||||
+ assert_se(namespace_flag_from_string_many(s, &ul) == 0 && ul == NAMESPACE_FLAGS_ALL);
|
||||
+
|
||||
+ if (!is_seccomp_available())
|
||||
+ return;
|
||||
+
|
||||
+ if (geteuid() != 0)
|
||||
+ return;
|
||||
+
|
||||
+ pid = fork();
|
||||
+ assert_se(pid >= 0);
|
||||
+
|
||||
+ if (pid == 0) {
|
||||
+
|
||||
+ assert_se(seccomp_restrict_namespaces(CLONE_NEWNS|CLONE_NEWNET) >= 0);
|
||||
+
|
||||
+ assert_se(unshare(CLONE_NEWNS) == 0);
|
||||
+ assert_se(unshare(CLONE_NEWNET) == 0);
|
||||
+ assert_se(unshare(CLONE_NEWUTS) == -1);
|
||||
+ assert_se(errno == EPERM);
|
||||
+ assert_se(unshare(CLONE_NEWIPC) == -1);
|
||||
+ assert_se(errno == EPERM);
|
||||
+ assert_se(unshare(CLONE_NEWNET|CLONE_NEWUTS) == -1);
|
||||
+ assert_se(errno == EPERM);
|
||||
+
|
||||
+ /* We use fd 0 (stdin) here, which of course will fail with EINVAL on setns(). Except of course our
|
||||
+ * seccomp filter worked, and hits first and makes it return EPERM */
|
||||
+ assert_se(setns(0, CLONE_NEWNS) == -1);
|
||||
+ assert_se(errno == EINVAL);
|
||||
+ assert_se(setns(0, CLONE_NEWNET) == -1);
|
||||
+ assert_se(errno == EINVAL);
|
||||
+ assert_se(setns(0, CLONE_NEWUTS) == -1);
|
||||
+ assert_se(errno == EPERM);
|
||||
+ assert_se(setns(0, CLONE_NEWIPC) == -1);
|
||||
+ assert_se(errno == EPERM);
|
||||
+ assert_se(setns(0, CLONE_NEWNET|CLONE_NEWUTS) == -1);
|
||||
+ assert_se(errno == EPERM);
|
||||
+ assert_se(setns(0, 0) == -1);
|
||||
+ assert_se(errno == EPERM);
|
||||
+
|
||||
+ pid = raw_clone(CLONE_NEWNS);
|
||||
+ assert_se(pid >= 0);
|
||||
+ if (pid == 0)
|
||||
+ _exit(EXIT_SUCCESS);
|
||||
+ pid = raw_clone(CLONE_NEWNET);
|
||||
+ assert_se(pid >= 0);
|
||||
+ if (pid == 0)
|
||||
+ _exit(EXIT_SUCCESS);
|
||||
+ pid = raw_clone(CLONE_NEWUTS);
|
||||
+ assert_se(pid < 0);
|
||||
+ assert_se(errno == EPERM);
|
||||
+ pid = raw_clone(CLONE_NEWIPC);
|
||||
+ assert_se(pid < 0);
|
||||
+ assert_se(errno == EPERM);
|
||||
+ pid = raw_clone(CLONE_NEWNET|CLONE_NEWUTS);
|
||||
+ assert_se(pid < 0);
|
||||
+ assert_se(errno == EPERM);
|
||||
+
|
||||
+ _exit(EXIT_SUCCESS);
|
||||
+ }
|
||||
+
|
||||
+ assert_se(wait_for_terminate_and_warn("nsseccomp", pid, true) == EXIT_SUCCESS);
|
||||
+}
|
||||
+
|
||||
int main(int argc, char *argv[]) {
|
||||
|
||||
+ log_set_max_level(LOG_DEBUG);
|
||||
+
|
||||
test_seccomp_arch_to_string();
|
||||
test_architecture_table();
|
||||
test_syscall_filter_set_find();
|
||||
test_filter_sets();
|
||||
+ test_restrict_namespace();
|
||||
|
||||
return 0;
|
||||
}
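Review bot: The two early returns before fork() in test_restrict_namespace() (`!is_seccomp_available()` and `geteuid() != 0`) skip every filter assertion without logging anything. An unprivileged build or CI run therefore reports this test as passed although seccomp_restrict_namespaces() was never exercised. A line such as `log_notice("Not root, skipping namespace restriction checks");` before each `return` would make the gap visible in the test log. The children created by the two successful raw_clone() calls are also never reaped; that is harmless here because the parent calls _exit() shortly after, but a short comment saying so would help the next reader.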
|
@ -1,300 +0,0 @@
|
||||
From 79a5d862a7abe903f456a75d6d1ca3c11adfa379 Mon Sep 17 00:00:00 2001
|
||||
From: Mike Gilbert <floppymaster@gmail.com>
|
||||
Date: Tue, 10 Jan 2017 02:39:05 -0500
|
||||
Subject: [PATCH] build-sys: add check for gperf lookup function signature
|
||||
(#5055)
|
||||
|
||||
gperf-3.1 generates lookup functions that take a size_t length
|
||||
parameter instead of unsigned int. Test for this at configure time.
|
||||
|
||||
Fixes: https://github.com/systemd/systemd/issues/5039
|
||||
(cherry picked from commit c9f7b4d356a453a01aa77a6bb74ca7ef49732c08)
|
||||
---
|
||||
configure.ac | 22 ++++++++++++++++++++++
|
||||
src/basic/af-list.c | 2 +-
|
||||
src/basic/arphrd-list.c | 2 +-
|
||||
src/basic/cap-list.c | 2 +-
|
||||
src/basic/errno-list.c | 2 +-
|
||||
src/core/load-fragment.h | 2 +-
|
||||
src/journal/journald-server.h | 2 +-
|
||||
src/login/logind.h | 2 +-
|
||||
src/network/networkd-conf.h | 2 +-
|
||||
src/network/networkd-netdev.h | 2 +-
|
||||
src/network/networkd-network.h | 2 +-
|
||||
src/nspawn/nspawn-settings.h | 2 +-
|
||||
src/resolve/dns-type.c | 2 +-
|
||||
src/resolve/resolved-conf.h | 2 +-
|
||||
src/test/test-af-list.c | 2 +-
|
||||
src/test/test-arphrd-list.c | 2 +-
|
||||
src/timesync/timesyncd-conf.h | 2 +-
|
||||
src/udev/net/link-config.h | 2 +-
|
||||
src/udev/udev-builtin-keyboard.c | 2 +-
|
||||
19 files changed, 40 insertions(+), 18 deletions(-)
|
||||
|
||||
diff --git a/configure.ac b/configure.ac
|
||||
index 1928e65bde..5c639e32d4 100644
|
||||
--- a/configure.ac
|
||||
+++ b/configure.ac
|
||||
@@ -258,6 +258,28 @@ AC_CHECK_SIZEOF(rlim_t,,[
|
||||
#include <sys/resource.h>
|
||||
])
|
||||
|
||||
+GPERF_TEST="$(echo foo,bar | ${GPERF} -L ANSI-C)"
|
||||
+
|
||||
+AC_COMPILE_IFELSE(
|
||||
+ [AC_LANG_PROGRAM([
|
||||
+ #include <string.h>
|
||||
+ const char * in_word_set(const char *, size_t);
|
||||
+ $GPERF_TEST]
|
||||
+ )],
|
||||
+ [GPERF_LEN_TYPE=size_t],
|
||||
+ [AC_COMPILE_IFELSE(
|
||||
+ [AC_LANG_PROGRAM([
|
||||
+ #include <string.h>
|
||||
+ const char * in_word_set(const char *, unsigned);
|
||||
+ $GPERF_TEST]
|
||||
+ )],
|
||||
+ [GPERF_LEN_TYPE=unsigned],
|
||||
+ [AC_MSG_ERROR([** unable to determine gperf len type])]
|
||||
+ )]
|
||||
+)
|
||||
+
|
||||
+AC_DEFINE_UNQUOTED([GPERF_LEN_TYPE], [$GPERF_LEN_TYPE], [gperf len type])
|
||||
+
|
||||
# ------------------------------------------------------------------------------
|
||||
# we use python to build the man page index
|
||||
have_python=no
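Review bot: `GPERF_TEST` is used without checking that gperf actually produced any output. If `${GPERF}` is empty or the command fails, the first AC_COMPILE_IFELSE compiles only the `in_word_set(const char *, size_t)` prototype, succeeds, and `GPERF_LEN_TYPE` becomes `size_t` regardless of the installed gperf, so the mismatch only shows up later as conflicting-type errors in the generated lookup tables. I would fail early right after the assignment, e.g. `AS_IF([test -z "$GPERF_TEST"], [AC_MSG_ERROR([** gperf produced no output])])`. Whether an earlier check for the presence of gperf exists in configure.ac is not visible in this hunk.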
|
||||
diff --git a/src/basic/af-list.c b/src/basic/af-list.c
|
||||
index 3fac9c508b..4b291d177b 100644
|
||||
--- a/src/basic/af-list.c
|
||||
+++ b/src/basic/af-list.c
|
||||
@@ -23,7 +23,7 @@
|
||||
#include "af-list.h"
|
||||
#include "macro.h"
|
||||
|
||||
-static const struct af_name* lookup_af(register const char *str, register unsigned int len);
|
||||
+static const struct af_name* lookup_af(register const char *str, register GPERF_LEN_TYPE len);
|
||||
|
||||
#include "af-from-name.h"
|
||||
#include "af-to-name.h"
|
||||
diff --git a/src/basic/arphrd-list.c b/src/basic/arphrd-list.c
|
||||
index 6792d1ee3f..2d598dc66f 100644
|
||||
--- a/src/basic/arphrd-list.c
|
||||
+++ b/src/basic/arphrd-list.c
|
||||
@@ -23,7 +23,7 @@
|
||||
#include "arphrd-list.h"
|
||||
#include "macro.h"
|
||||
|
||||
-static const struct arphrd_name* lookup_arphrd(register const char *str, register unsigned int len);
|
||||
+static const struct arphrd_name* lookup_arphrd(register const char *str, register GPERF_LEN_TYPE len);
|
||||
|
||||
#include "arphrd-from-name.h"
|
||||
#include "arphrd-to-name.h"
|
||||
diff --git a/src/basic/cap-list.c b/src/basic/cap-list.c
|
||||
index 3e773a06f5..d68cc78d05 100644
|
||||
--- a/src/basic/cap-list.c
|
||||
+++ b/src/basic/cap-list.c
|
||||
@@ -26,7 +26,7 @@
|
||||
#include "parse-util.h"
|
||||
#include "util.h"
|
||||
|
||||
-static const struct capability_name* lookup_capability(register const char *str, register unsigned int len);
|
||||
+static const struct capability_name* lookup_capability(register const char *str, register GPERF_LEN_TYPE len);
|
||||
|
||||
#include "cap-from-name.h"
|
||||
#include "cap-to-name.h"
|
||||
diff --git a/src/basic/errno-list.c b/src/basic/errno-list.c
|
||||
index 31b66bad5e..c6a01eec8b 100644
|
||||
--- a/src/basic/errno-list.c
|
||||
+++ b/src/basic/errno-list.c
|
||||
@@ -23,7 +23,7 @@
|
||||
#include "macro.h"
|
||||
|
||||
static const struct errno_name* lookup_errno(register const char *str,
|
||||
- register unsigned int len);
|
||||
+ register GPERF_LEN_TYPE len);
|
||||
|
||||
#include "errno-from-name.h"
|
||||
#include "errno-to-name.h"
|
||||
diff --git a/src/core/load-fragment.h b/src/core/load-fragment.h
|
||||
index 1cff815a50..e78219786a 100644
|
||||
--- a/src/core/load-fragment.h
|
||||
+++ b/src/core/load-fragment.h
|
||||
@@ -119,7 +119,7 @@ int config_parse_user_group_strv(const char *unit, const char *filename, unsigne
|
||||
int config_parse_restrict_namespaces(const char *unit, const char *filename, unsigned line, const char *section, unsigned section_line, const char *lvalue, int ltype, const char *rvalue, void *data, void *userdata);
|
||||
|
||||
/* gperf prototypes */
|
||||
-const struct ConfigPerfItem* load_fragment_gperf_lookup(const char *key, unsigned length);
|
||||
+const struct ConfigPerfItem* load_fragment_gperf_lookup(const char *key, GPERF_LEN_TYPE length);
|
||||
extern const char load_fragment_gperf_nulstr[];
|
||||
|
||||
typedef enum Disabled {
|
||||
diff --git a/src/journal/journald-server.h b/src/journal/journald-server.h
|
||||
index de1c48f805..716e758b7c 100644
|
||||
--- a/src/journal/journald-server.h
|
||||
+++ b/src/journal/journald-server.h
|
||||
@@ -179,7 +179,7 @@ void server_dispatch_message(Server *s, struct iovec *iovec, unsigned n, unsigne
|
||||
void server_driver_message(Server *s, sd_id128_t message_id, const char *format, ...) _printf_(3,0) _sentinel_;
|
||||
|
||||
/* gperf lookup function */
|
||||
-const struct ConfigPerfItem* journald_gperf_lookup(const char *key, unsigned length);
|
||||
+const struct ConfigPerfItem* journald_gperf_lookup(const char *key, GPERF_LEN_TYPE length);
|
||||
|
||||
int config_parse_storage(const char *unit, const char *filename, unsigned line, const char *section, unsigned section_line, const char *lvalue, int ltype, const char *rvalue, void *data, void *userdata);
|
||||
|
||||
diff --git a/src/login/logind.h b/src/login/logind.h
|
||||
index 086fa1eeb5..7556ee2e48 100644
|
||||
--- a/src/login/logind.h
|
||||
+++ b/src/login/logind.h
|
||||
@@ -182,7 +182,7 @@ int manager_unit_is_active(Manager *manager, const char *unit);
|
||||
int manager_job_is_active(Manager *manager, const char *path);
|
||||
|
||||
/* gperf lookup function */
|
||||
-const struct ConfigPerfItem* logind_gperf_lookup(const char *key, unsigned length);
|
||||
+const struct ConfigPerfItem* logind_gperf_lookup(const char *key, GPERF_LEN_TYPE length);
|
||||
|
||||
int manager_set_lid_switch_ignore(Manager *m, usec_t until);
|
||||
|
||||
diff --git a/src/network/networkd-conf.h b/src/network/networkd-conf.h
|
||||
index c7bfb42a72..00ddb7672a 100644
|
||||
--- a/src/network/networkd-conf.h
|
||||
+++ b/src/network/networkd-conf.h
|
||||
@@ -23,7 +23,7 @@
|
||||
|
||||
int manager_parse_config_file(Manager *m);
|
||||
|
||||
-const struct ConfigPerfItem* networkd_gperf_lookup(const char *key, unsigned length);
|
||||
+const struct ConfigPerfItem* networkd_gperf_lookup(const char *key, GPERF_LEN_TYPE length);
|
||||
|
||||
int config_parse_duid_type(
|
||||
const char *unit,
|
||||
diff --git a/src/network/networkd-netdev.h b/src/network/networkd-netdev.h
|
||||
index 70ff947b99..37c7431213 100644
|
||||
--- a/src/network/networkd-netdev.h
|
||||
+++ b/src/network/networkd-netdev.h
|
||||
@@ -175,7 +175,7 @@ NetDevKind netdev_kind_from_string(const char *d) _pure_;
|
||||
int config_parse_netdev_kind(const char *unit, const char *filename, unsigned line, const char *section, unsigned section_line, const char *lvalue, int ltype, const char *rvalue, void *data, void *userdata);
|
||||
|
||||
/* gperf */
|
||||
-const struct ConfigPerfItem* network_netdev_gperf_lookup(const char *key, unsigned length);
|
||||
+const struct ConfigPerfItem* network_netdev_gperf_lookup(const char *key, GPERF_LEN_TYPE length);
|
||||
|
||||
/* Macros which append INTERFACE= to the message */
|
||||
|
||||
diff --git a/src/network/networkd-network.h b/src/network/networkd-network.h
|
||||
index 11ff34b5b5..e39127b7b8 100644
|
||||
--- a/src/network/networkd-network.h
|
||||
+++ b/src/network/networkd-network.h
|
||||
@@ -236,7 +236,7 @@ int config_parse_dhcp_route_table(const char *unit, const char *filename, unsign
|
||||
/* Legacy IPv4LL support */
|
||||
int config_parse_ipv4ll(const char *unit, const char *filename, unsigned line, const char *section, unsigned section_line, const char *lvalue, int ltype, const char *rvalue, void *data, void *userdata);
|
||||
|
||||
-const struct ConfigPerfItem* network_network_gperf_lookup(const char *key, unsigned length);
|
||||
+const struct ConfigPerfItem* network_network_gperf_lookup(const char *key, GPERF_LEN_TYPE length);
|
||||
|
||||
extern const sd_bus_vtable network_vtable[];
|
||||
|
||||
diff --git a/src/nspawn/nspawn-settings.h b/src/nspawn/nspawn-settings.h
|
||||
index 231e6d7266..4ae34f8e28 100644
|
||||
--- a/src/nspawn/nspawn-settings.h
|
||||
+++ b/src/nspawn/nspawn-settings.h
|
||||
@@ -103,7 +103,7 @@ bool settings_private_network(Settings *s);
|
||||
|
||||
DEFINE_TRIVIAL_CLEANUP_FUNC(Settings*, settings_free);
|
||||
|
||||
-const struct ConfigPerfItem* nspawn_gperf_lookup(const char *key, unsigned length);
|
||||
+const struct ConfigPerfItem* nspawn_gperf_lookup(const char *key, GPERF_LEN_TYPE length);
|
||||
|
||||
int config_parse_capability(const char *unit, const char *filename, unsigned line, const char *section, unsigned section_line, const char *lvalue, int ltype, const char *rvalue, void *data, void *userdata);
|
||||
int config_parse_id128(const char *unit, const char *filename, unsigned line, const char *section, unsigned section_line, const char *lvalue, int ltype, const char *rvalue, void *data, void *userdata);
|
||||
diff --git a/src/resolve/dns-type.c b/src/resolve/dns-type.c
|
||||
index aaf5ed62c1..d89ae28dcd 100644
|
||||
--- a/src/resolve/dns-type.c
|
||||
+++ b/src/resolve/dns-type.c
|
||||
@@ -29,7 +29,7 @@ typedef const struct {
|
||||
} dns_type;
|
||||
|
||||
static const struct dns_type_name *
|
||||
-lookup_dns_type (register const char *str, register unsigned int len);
|
||||
+lookup_dns_type (register const char *str, register GPERF_LEN_TYPE len);
|
||||
|
||||
#include "dns_type-from-name.h"
|
||||
#include "dns_type-to-name.h"
|
||||
diff --git a/src/resolve/resolved-conf.h b/src/resolve/resolved-conf.h
|
||||
index fc425a36b2..8184d6cadf 100644
|
||||
--- a/src/resolve/resolved-conf.h
|
||||
+++ b/src/resolve/resolved-conf.h
|
||||
@@ -41,7 +41,7 @@ int manager_parse_search_domains_and_warn(Manager *m, const char *string);
|
||||
int manager_add_dns_server_by_string(Manager *m, DnsServerType type, const char *word);
|
||||
int manager_parse_dns_server_string_and_warn(Manager *m, DnsServerType type, const char *string);
|
||||
|
||||
-const struct ConfigPerfItem* resolved_gperf_lookup(const char *key, unsigned length);
|
||||
+const struct ConfigPerfItem* resolved_gperf_lookup(const char *key, GPERF_LEN_TYPE length);
|
||||
|
||||
int config_parse_dns_servers(const char *unit, const char *filename, unsigned line, const char *section, unsigned section_line, const char *lvalue, int ltype, const char *rvalue, void *data, void *userdata);
|
||||
int config_parse_search_domains(const char *unit, const char *filename, unsigned line, const char *section, unsigned section_line, const char *lvalue, int ltype, const char *rvalue, void *data, void *userdata);
|
||||
diff --git a/src/test/test-af-list.c b/src/test/test-af-list.c
|
||||
index aeaa0929b1..e2479133de 100644
|
||||
--- a/src/test/test-af-list.c
|
||||
+++ b/src/test/test-af-list.c
|
||||
@@ -24,7 +24,7 @@
|
||||
#include "string-util.h"
|
||||
#include "util.h"
|
||||
|
||||
-static const struct af_name* lookup_af(register const char *str, register unsigned int len);
|
||||
+static const struct af_name* lookup_af(register const char *str, register GPERF_LEN_TYPE len);
|
||||
|
||||
#include "af-from-name.h"
|
||||
#include "af-list.h"
|
||||
diff --git a/src/test/test-arphrd-list.c b/src/test/test-arphrd-list.c
|
||||
index f3989ad201..8f4f342faa 100644
|
||||
--- a/src/test/test-arphrd-list.c
|
||||
+++ b/src/test/test-arphrd-list.c
|
||||
@@ -24,7 +24,7 @@
|
||||
#include "string-util.h"
|
||||
#include "util.h"
|
||||
|
||||
-static const struct arphrd_name* lookup_arphrd(register const char *str, register unsigned int len);
|
||||
+static const struct arphrd_name* lookup_arphrd(register const char *str, register GPERF_LEN_TYPE len);
|
||||
|
||||
#include "arphrd-from-name.h"
|
||||
#include "arphrd-list.h"
|
||||
diff --git a/src/timesync/timesyncd-conf.h b/src/timesync/timesyncd-conf.h
|
||||
index cba0724b1b..0280697e9c 100644
|
||||
--- a/src/timesync/timesyncd-conf.h
|
||||
+++ b/src/timesync/timesyncd-conf.h
|
||||
@@ -22,7 +22,7 @@
|
||||
#include "conf-parser.h"
|
||||
#include "timesyncd-manager.h"
|
||||
|
||||
-const struct ConfigPerfItem* timesyncd_gperf_lookup(const char *key, unsigned length);
|
||||
+const struct ConfigPerfItem* timesyncd_gperf_lookup(const char *key, GPERF_LEN_TYPE length);
|
||||
|
||||
int manager_parse_server_string(Manager *m, ServerType type, const char *string);
|
||||
|
||||
diff --git a/src/udev/net/link-config.h b/src/udev/net/link-config.h
|
||||
index 91cc0357c4..b0d8ceb76a 100644
|
||||
--- a/src/udev/net/link-config.h
|
||||
+++ b/src/udev/net/link-config.h
|
||||
@@ -93,7 +93,7 @@ const char *mac_policy_to_string(MACPolicy p) _const_;
|
||||
MACPolicy mac_policy_from_string(const char *p) _pure_;
|
||||
|
||||
/* gperf lookup function */
|
||||
-const struct ConfigPerfItem* link_config_gperf_lookup(const char *key, unsigned length);
|
||||
+const struct ConfigPerfItem* link_config_gperf_lookup(const char *key, GPERF_LEN_TYPE length);
|
||||
|
||||
int config_parse_mac_policy(const char *unit, const char *filename, unsigned line, const char *section, unsigned section_line, const char *lvalue, int ltype, const char *rvalue, void *data, void *userdata);
|
||||
int config_parse_name_policy(const char *unit, const char *filename, unsigned line, const char *section, unsigned section_line, const char *lvalue, int ltype, const char *rvalue, void *data, void *userdata);
|
||||
diff --git a/src/udev/udev-builtin-keyboard.c b/src/udev/udev-builtin-keyboard.c
|
||||
index aa10beafb0..09024116f2 100644
|
||||
--- a/src/udev/udev-builtin-keyboard.c
|
||||
+++ b/src/udev/udev-builtin-keyboard.c
|
||||
@@ -29,7 +29,7 @@
|
||||
#include "string-util.h"
|
||||
#include "udev.h"
|
||||
|
||||
-static const struct key *keyboard_lookup_key(const char *str, unsigned len);
|
||||
+static const struct key *keyboard_lookup_key(const char *str, GPERF_LEN_TYPE len);
|
||||
#include "keyboard-keys-from-name.h"
|
||||
|
||||
static int install_force_release(struct udev_device *dev, const unsigned *release, unsigned release_count) {
|
@ -1,24 +0,0 @@
|
||||
From ce4f32f42dcb91120445d2858baa9fd81abd5292 Mon Sep 17 00:00:00 2001
|
||||
From: Ivan Shapovalov <intelfx@intelfx.name>
|
||||
Date: Sun, 29 Jan 2017 23:33:37 +0400
|
||||
Subject: [PATCH] journal-gatewayd: actually recognize -D as a synonym for
|
||||
--directory (#5180)
|
||||
|
||||
(cherry picked from commit 554597a1b27ad0a81f4ad0884b348d475e89cb9e)
|
||||
---
|
||||
src/journal-remote/journal-gatewayd.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/journal-remote/journal-gatewayd.c b/src/journal-remote/journal-gatewayd.c
|
||||
index f75a6f06d2..be6d41c31b 100644
|
||||
--- a/src/journal-remote/journal-gatewayd.c
|
||||
+++ b/src/journal-remote/journal-gatewayd.c
|
||||
@@ -912,7 +912,7 @@ static int parse_argv(int argc, char *argv[]) {
|
||||
assert(argc >= 0);
|
||||
assert(argv);
|
||||
|
||||
- while ((c = getopt_long(argc, argv, "h", options, NULL)) >= 0)
|
||||
+ while ((c = getopt_long(argc, argv, "hD:", options, NULL)) >= 0)
|
||||
|
||||
switch(c) {
|
||||
|
@ -1,24 +0,0 @@
|
||||
From ff1720307554405a422281591dba9b79f085799b Mon Sep 17 00:00:00 2001
|
||||
From: Yi EungJun <semtlenori@gmail.com>
|
||||
Date: Tue, 31 Jan 2017 00:24:06 +0900
|
||||
Subject: [PATCH] journal-gatewayd: return -EINVAL if ARG_TRUST and HAVE_GNUTLS
|
||||
(#5181)
|
||||
|
||||
This bug was introduced by 1aa1e59.
|
||||
(cherry picked from commit 3ab2feefd7d1918e8f0d0edaea46a87cbed0f211)
|
||||
---
|
||||
src/journal-remote/journal-gatewayd.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/src/journal-remote/journal-gatewayd.c b/src/journal-remote/journal-gatewayd.c
|
||||
index be6d41c31b..c7c6224421 100644
|
||||
--- a/src/journal-remote/journal-gatewayd.c
|
||||
+++ b/src/journal-remote/journal-gatewayd.c
|
||||
@@ -958,6 +958,7 @@ static int parse_argv(int argc, char *argv[]) {
|
||||
break;
|
||||
#else
|
||||
log_error("Option --trust is not available.");
|
||||
+ return -EINVAL;
|
||||
#endif
|
||||
case 'D':
|
||||
arg_directory = optarg;
|
@ -1,32 +0,0 @@
|
||||
From 228523c0b9f077d60a4744776a73ff29b4c18dd2 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
|
||||
Date: Sat, 28 Jan 2017 21:18:31 -0500
|
||||
Subject: [PATCH] systemctl: always avoid being killed when doing switch-root
|
||||
|
||||
The same logic as described in acc28e2e3037d689d6481e applies to any time we are
|
||||
switching root, to just set the flag unconditionally.
|
||||
|
||||
(cherry picked from commit b3ad0ff48c154ed056a6bded2adac609395a9439)
|
||||
---
|
||||
src/systemctl/systemctl.c | 8 +++-----
|
||||
1 file changed, 3 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/src/systemctl/systemctl.c b/src/systemctl/systemctl.c
|
||||
index b598a2a19d..4f528f6079 100644
|
||||
--- a/src/systemctl/systemctl.c
|
||||
+++ b/src/systemctl/systemctl.c
|
||||
@@ -5587,11 +5587,9 @@ static int switch_root(int argc, char *argv[], void *userdata) {
|
||||
}
|
||||
|
||||
/* Instruct PID1 to exclude us from its killing spree applied during
|
||||
- * the transition from the initrd to the main system otherwise we would
|
||||
- * exit with a failure status even though the switch to the new root
|
||||
- * has succeed. */
|
||||
- if (in_initrd())
|
||||
- argv_cmdline[0] = '@';
|
||||
+ * the transition. Otherwise we would exit with a failure status even
|
||||
+ * though the switch to the new root has succeed. */
|
||||
+ argv_cmdline[0] = '@';
|
||||
|
||||
r = acquire_bus(BUS_MANAGER, &bus);
|
||||
if (r < 0)
|
@ -1,43 +0,0 @@
|
||||
From 60532427251167b8cb2a733e19eb25ecac5c1632 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
|
||||
Date: Mon, 30 Jan 2017 13:06:10 -0500
|
||||
Subject: [PATCH] systemctl: ignore SIGTERM after switch root
|
||||
|
||||
https://bugzilla.redhat.com/show_bug.cgi?id=1414904#c14 and #c15.
|
||||
(cherry picked from commit 8a7a9ceab204fb02fd5d93a765b36b31efeb9beb)
|
||||
---
|
||||
src/systemctl/systemctl.c | 13 ++++++++++++-
|
||||
1 file changed, 12 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/systemctl/systemctl.c b/src/systemctl/systemctl.c
|
||||
index 4f528f6079..d68c06d9d4 100644
|
||||
--- a/src/systemctl/systemctl.c
|
||||
+++ b/src/systemctl/systemctl.c
|
||||
@@ -5595,6 +5595,14 @@ static int switch_root(int argc, char *argv[], void *userdata) {
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
+ /* If we are slow to exit after the root switch, the new systemd instance
|
||||
+ * will send us a signal to terminate. Just ignore it and exit normally.
|
||||
+ * This way the unit does not end up as failed.
|
||||
+ */
|
||||
+ r = ignore_signals(SIGTERM, -1);
|
||||
+ if (r < 0)
|
||||
+ log_warning_errno(r, "Failed to change disposition of SIGTERM to ignore: %m");
|
||||
+
|
||||
log_debug("Switching root - root: %s; init: %s", root, strna(init));
|
||||
|
||||
r = sd_bus_call_method(
|
||||
@@ -5606,8 +5614,11 @@ static int switch_root(int argc, char *argv[], void *userdata) {
|
||||
&error,
|
||||
NULL,
|
||||
"ss", root, init);
|
||||
- if (r < 0)
|
||||
+ if (r < 0) {
|
||||
+ (void) default_signals(SIGTERM, -1);
|
||||
+
|
||||
return log_error_errno(r, "Failed to switch root: %s", bus_error_message(&error, r));
|
||||
+ }
|
||||
|
||||
return 0;
|
||||
}
|
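--- a/0059-units-restore-Before-dependencies-for-systemd-vconso.patch
+++ b/0059-units-restore-Before-dependencies-for-systemd-vconso.patch
@@ -1,34 +0,0 @@
-From 007cdfc4cd2ce5ffe0a1b5eb6a5481d1b06c5184 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
-Date: Tue, 31 Jan 2017 00:34:33 -0500
-Subject: [PATCH] units: restore Before dependencies for
-systemd-vconsole-setup.service
-
-When the service is run in the initramfs, it is possible for it to get started
-and not be fast enough to exit before the root switch happens. It is started
-multiple times (depending on the consoles being detected), and runs
-asynchronously, so this is quite likely. It'll then get killed by killall(),
-and systemd will consider the service failed. To avoid all this, just wait
-for the service to terminate on it's own.
-
-Before=initrd-switch-root.target should be good for the initramfs, and
-Before=shutdown.tuarget should be good for the real system, although it's
-unlikely to make any difference there.
-
-(cherry picked from commit 750e550eba362096d56a35104c6a32631aa67b8e)
----
-units/systemd-vconsole-setup.service.in | 1 +
-1 file changed, 1 insertion(+)
-
-diff --git a/units/systemd-vconsole-setup.service.in b/units/systemd-vconsole-setup.service.in
-index 2bd1fd1a5d..8bb75c6a4f 100644
---- a/units/systemd-vconsole-setup.service.in
-+++ b/units/systemd-vconsole-setup.service.in
-@@ -9,6 +9,7 @@
-Description=Setup Virtual Console
-Documentation=man:systemd-vconsole-setup.service(8) man:vconsole.conf(5)
-DefaultDependencies=no
-+Before=initrd-switch-root.target shutdown.target
-ConditionPathExists=/dev/tty0
-
-[Service]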
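--- a/0060-coredump-really-extract-container-cmdline-5167.patch
+++ b/0060-coredump-really-extract-container-cmdline-5167.patch
@@ -1,49 +0,0 @@
-From 79efa8e7ab4282c8c5e3a917531d5c42452377a5 Mon Sep 17 00:00:00 2001
-From: Evgeny Vereshchagin <evvers@ya.ru>
-Date: Tue, 31 Jan 2017 19:04:20 +0300
-Subject: [PATCH] coredump: really extract container cmdline (#5167)
-
-Fixes:
-```
-root# systemd-nspawn -D ./cont/ --register=no /bin/sh -c '/bin/sh -c "kill -ABRT \$\$"'
-...
-Container cont failed with error code 134.
-
-root# journalctl MESSAGE_ID=fc2e22bc6ee647b6b90729ab34a250b1 -o verbose | grep -i container_cmdline
-...prints nothing...
-...should be COREDUMP_CONTAINER_CMDLINE=systemd-nspawn -D ./cont/ --register=no /bin/sh -c /bin/sh -c "kill -ABRT \$\$"
-```
-
-Also, fixes CID #1368263
-```
-==352== 130 bytes in 1 blocks are definitely lost in loss record 1 of 2
-==352== at 0x4C2ED5F: realloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
-==352== by 0x4ED8581: greedy_realloc (alloc-util.c:57)
-==352== by 0x4ECAAD5: get_process_cmdline (process-util.c:147)
-==352== by 0x10E385: get_process_container_parent_cmdline (coredump.c:645)
-==352== by 0x112949: process_kernel (coredump.c:1240)
-==352== by 0x113003: main (coredump.c:1297)
-==352==
-```
-(cherry picked from commit d3cba4eaf618ced1935a96e721b2fbcbad7694bb)
----
-src/coredump/coredump.c | 6 +++++-
-1 file changed, 5 insertions(+), 1 deletion(-)
-
-diff --git a/src/coredump/coredump.c b/src/coredump/coredump.c
-index 6bd0e925eb..1c5e72c835 100644
---- a/src/coredump/coredump.c
-+++ b/src/coredump/coredump.c
-@@ -642,7 +642,11 @@ static int get_process_container_parent_cmdline(pid_t pid, char** cmdline) {
-if (r < 0)
-return r;
-
-- return get_process_cmdline(container_pid, 0, false, cmdline);
-+ r = get_process_cmdline(container_pid, 0, false, cmdline);
-+ if (r < 0)
-+ return r;
-+
-+ return 1;
-}
-
-static int change_uid_gid(const char *context[]) {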
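--- a/0061-machinectl-make-sure-that-inability-to-get-OS-versio.patch
+++ b/0061-machinectl-make-sure-that-inability-to-get-OS-versio.patch
@@ -1,50 +0,0 @@
-From 758503b1c24a43de5e0ad40c3e0299a4c5df0238 Mon Sep 17 00:00:00 2001
-From: Jan Synacek <jsynacek@redhat.com>
-Date: Tue, 14 Feb 2017 10:21:53 +0100
-Subject: [PATCH] machinectl: make sure that inability to get OS version isn't
-consider fatal for machine list (#4972)
-
-Fixes: #4918
-
-(cherry picked from commit 4b2419165ce409ee55ce96a926302f89685f2293)
-
-Resolves: https://bugzilla.redhat.com/1419501
----
-src/machine/machinectl.c | 16 ++++++----------
-1 file changed, 6 insertions(+), 10 deletions(-)
-
-diff --git a/src/machine/machinectl.c b/src/machine/machinectl.c
-index f84226f58f..2aab754406 100644
---- a/src/machine/machinectl.c
-+++ b/src/machine/machinectl.c
-@@ -242,24 +242,20 @@ static int list_machines(int argc, char *argv[], void *userdata) {
-if (name[0] == '.' && !arg_all)
-continue;
-
-- if (!GREEDY_REALLOC(machines, n_allocated, n_machines + 1)) {
-+ if (!GREEDY_REALLOC0(machines, n_allocated, n_machines + 1)) {
-r = log_oom();
-goto out;
-}
-
-- machines[n_machines].os = NULL;
-- machines[n_machines].version_id = NULL;
-- r = get_os_release_property(bus, name,
-- "ID\0" "VERSION_ID\0",
-- &machines[n_machines].os,
-- &machines[n_machines].version_id);
-- if (r < 0)
-- goto out;
--
-machines[n_machines].name = name;
-machines[n_machines].class = class;
-machines[n_machines].service = service;
-
-+ (void) get_os_release_property(bus, name,
-+ "ID\0" "VERSION_ID\0",
-+ &machines[n_machines].os,
-+ &machines[n_machines].version_id);
-+
-l = strlen(name);
-if (l > max_name)
-max_name = l;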
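--- a/0068-test-ipcrm-use-configured-nobody-user-name.patch
+++ b/0068-test-ipcrm-use-configured-nobody-user-name.patch
@@ -1,23 +0,0 @@
-From b8ef421ff36209dd21c4dbe74c71ae56dce6751c Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
-Date: Tue, 14 Feb 2017 18:40:55 -0500
-Subject: [PATCH] test-ipcrm: use configured nobody user name
-
-"nfsnobody" is now obsolete.
----
-src/test/test-ipcrm.c | 2 +-
-1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/test/test-ipcrm.c b/src/test/test-ipcrm.c
-index 463e135e2b..ce6c7aa18a 100644
---- a/src/test/test-ipcrm.c
-+++ b/src/test/test-ipcrm.c
-@@ -24,7 +24,7 @@
-int main(int argc, char *argv[]) {
-uid_t uid;
-int r;
-- const char* name = argv[1] ?: "nfsnobody";
-+ const char* name = argv[1] ?: NOBODY_USER_NAME;
-
-r = get_user_creds(&name, &uid, NULL, NULL, NULL);
-if (r < 0) {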
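--- a/hwdb.patch
+++ b/hwdb.patch
@@ -1,443 +0,0 @@
-From 108c060c5521309b9448e3a7905b50dd505f36a8 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
-Date: Fri, 11 Mar 2016 17:06:17 -0500
-Subject: [PATCH] update hwdb
-
----
-
-diff --git a/hwdb/60-evdev.hwdb b/hwdb/60-evdev.hwdb
-index 0b692a1b5d..fd9078393b 100644
---- a/hwdb/60-evdev.hwdb
-+++ b/hwdb/60-evdev.hwdb
-@@ -15,7 +15,7 @@
-# To add local entries, create a new file
-# /etc/udev/hwdb.d/61-evdev-local.hwdb
-# and add your rules there. To load the new rules execute (as root):
--# udevadm hwdb --update
-+# systemd-hwdb update
-# udevadm trigger /dev/input/eventXX
-# where /dev/input/eventXX is the device in question. If in
-# doubt, simply use /dev/input/event* to reload all input rules.
-@@ -93,6 +93,14 @@ evdev:input:b0003v05ACp025B*
-#########################################
-# ASUS
-#########################################
-+
-+# Asus VivoBook E402SA
-+evdev:name:Elan Touchpad:dmi:*svnASUSTeKCOMPUTERINC.:pnE402SA*
-+ EVDEV_ABS_00=::29
-+ EVDEV_ABS_01=::29
-+ EVDEV_ABS_35=::29
-+ EVDEV_ABS_36=::29
-+
-# Asus K52JT
-evdev:name:ETPS/2 Elantech Touchpad:dmi:bvn*:bvr*:bd*:svnASUSTeKComputerInc.:pnK52JT:*
-EVDEV_ABS_00=::18
-@@ -100,7 +108,8 @@ evdev:name:ETPS/2 Elantech Touchpad:dmi:bvn*:bvr*:bd*:svnASUSTeKComputerInc.:pnK
-EVDEV_ABS_35=::18
-EVDEV_ABS_36=::16
-
--evdev:name:ETPS/2 Elantech Touchpad:dmi:*:svnASUSTeKCOMPUTERINC.:pnX550CC:*
-+# Asus X550CC and S550CB
-+evdev:name:ETPS/2 Elantech Touchpad:dmi:*:svnASUSTeKCOMPUTERINC.:pn?550C?:*
-EVDEV_ABS_00=::31
-EVDEV_ABS_01=::30
-EVDEV_ABS_35=::31
-@@ -136,6 +145,13 @@ evdev:name:AlpsPS/2 ALPS DualPoint TouchPad:dmi:bvn*:bvr*:bd*:svnDellInc.:pnLati
-EVDEV_ABS_35=76:1815:22
-EVDEV_ABS_36=131:1330:30
-
-+# Dell Latitude E6320
-+evdev:name:AlpsPS/2 ALPS DualPoint TouchPad:dmi:bvn*:bvr*:bd*:svnDellInc.:pnLatitudeE6320*
-+ EVDEV_ABS_00=79:1841:22
-+ EVDEV_ABS_01=140:1325:29
-+ EVDEV_ABS_35=79:1841:22
-+ EVDEV_ABS_36=140:1325:29
-+
-# Dell Precision 5510
-evdev:name:SynPS/2 Synaptics TouchPad:dmi:bvn*:bvr*:bd*:svnDellInc.:pnPrecision5510*
-EVDEV_ABS_00=::42
-@@ -184,10 +200,31 @@ evdev:name:SynPS/2 Synaptics TouchPad*:dmi:*svnHewlett-Packard:pnHPPaviliondm4*
-EVDEV_ABS_35=1360:5563:47
-EVDEV_ABS_36=1269:4618:61
-
-+# HP Pavilion dv7
-+evdev:name:SynPS/2 Synaptics TouchPad*:dmi:*svnHewlett-Packard:pnHPPaviliondv7*
-+ EVDEV_ABS_00=1068:5805:44
-+ EVDEV_ABS_01=1197:4890:57
-+ EVDEV_ABS_35=1068:5805:44
-+ EVDEV_ABS_36=1197:4890:57
-+
-+# HP Spectre
-+evdev:name:SynPS/2 Synaptics TouchPad:dmi:i*svnHP:pnHPSpectreNotebook*
-+ EVDEV_ABS_00=1205:5691:47
-+ EVDEV_ABS_01=1083:4808:65
-+ EVDEV_ABS_35=1205:5691:47
-+ EVDEV_ABS_36=1083:4808:65
-+
-#########################################
-# Lenovo
-#########################################
-
-+# Lenovo B590
-+evdev:name:SynPS/2 Synaptics TouchPad:dmi:*svnLENOVO*:pvrLenovoB590*
-+ EVDEV_ABS_00=1243:5759:48
-+ EVDEV_ABS_01=1130:4832:65
-+ EVDEV_ABS_35=1243:5759:48
-+ EVDEV_ABS_36=1130:4832:65
-+
-# Lenovo E530
-evdev:name:SynPS/2 Synaptics TouchPad:dmi:*svnLENOVO:pn*ThinkPadEdgeE530*
-EVDEV_ABS_00=1241:5703:49
-@@ -217,6 +254,20 @@ evdev:name:SynPS/2 Synaptics TouchPad:dmi:*svnLENOVO*:pvrThinkPad??40?:*
-EVDEV_ABS_35=::41
-EVDEV_ABS_36=::37
-
-+# Lenovo ThinkPad T430
-+evdev:name:SynPS/2 Synaptics TouchPad:dmi:*svnLENOVO*:pvrThinkPadT430*
-+ EVDEV_ABS_00=1250:5631:58
-+ EVDEV_ABS_01=1309:4826:78
-+ EVDEV_ABS_35=1250:5631:58
-+ EVDEV_ABS_36=1309:4826:78
-+
-+# Lenovo Thinkpad Carbon X1 4th gen. and X1 Yoga 1st gen.
-+evdev:name:SynPS/2 Synaptics TouchPad:dmi:*svnLENOVO*:pvrThinkPadX1Carbon4th*
-+ EVDEV_ABS_00=1262:5679:44
-+ EVDEV_ABS_01=1101:4824:65
-+ EVDEV_ABS_35=1262:5679:44
-+ EVDEV_ABS_36=1101:4824:65
-+
-# Lenovo T460
-evdev:name:SynPS/2 Synaptics TouchPad:dmi:*svnLENOVO*:pn*ThinkPad*T460*
-EVDEV_ABS_00=1266:5677:44
-@@ -236,6 +287,13 @@ evdev:name:SynPS/2 Synaptics TouchPad:dmi:*svnLENOVO:*pvrLenovoV360*
-EVDEV_ABS_00=1243:5927:60
-EVDEV_ABS_01=902:5330:108
-
-+# Lenovo W530
-+evdev:name:SynPS/2 Synaptics TouchPad:dmi:*svnLENOVO:*pvrThinkPadW530*
-+ EVDEV_ABS_00=1250:5631:59
-+ EVDEV_ABS_01=1205:4834:81
-+ EVDEV_ABS_35=1250:5631:59
-+ EVDEV_ABS_36=1205:4834:81
-+
-# Lenovo X220 series
-evdev:name:SynPS/2 Synaptics TouchPad:dmi:*svnLENOVO:*pvrThinkPadX220*
-EVDEV_ABS_00=1316:5627:58
-@@ -279,3 +337,12 @@ evdev:name:ETPS/2 Elantech Touchpad:dmi:*svnSAMSUNGELECTRONICSCO.,LTD.:pn305V4A/
-EVDEV_ABS_01=0:1116:24
-EVDEV_ABS_35=0:2480:28
-EVDEV_ABS_36=0:1116:24
-+
-+#########################################
-+# Toshiba
-+#########################################
-+
-+# Toshiba Tecra M11
-+evdev:name:AlpsPS/2 ALPS DualPoint TouchPad:dmi:*svnTOSHIBA:pnTECRAM11*
-+ EVDEV_ABS_00=90:962:11
-+ EVDEV_ABS_01=51:681:14
-diff --git a/hwdb/60-keyboard.hwdb b/hwdb/60-keyboard.hwdb
-index 9c87aecd30..c8452f47d0 100644
---- a/hwdb/60-keyboard.hwdb
-+++ b/hwdb/60-keyboard.hwdb
-@@ -4,7 +4,7 @@
-# scan codes to add to the AT keyboard's 'force-release' list.
-#
-# The lookup keys are composed in:
--# 60-keyboard.rules
-+# 60-evdev.rules
-#
-# Note: The format of the "evdev:" prefix match key is a
-# contract between the rules file and the hardware data, it might
-@@ -18,17 +18,19 @@
-# ZZZZ is the bus-id (see /usr/include/linux/input.h BUS_*), YYYY, XXXX and
-# WWW are the 4-digit hex uppercase vendor, product and version ID and VVVV
-# is an arbitrary length input-modalias describing the device capabilities.
-+# The vendor, product and version ID for a device node "eventX" is listed
-+# in /sys/class/input/eventX/device/id.
-#
-# - AT keyboard DMI data matches:
-# evdev:atkbd:dmi:bvn*:bvr*:bd*:svn<vendor>:pn<product>:pvr*
-# <vendor> and <product> are the firmware-provided strings
--# exported by the kernel DMI modalias.
-+# exported by the kernel DMI modalias, see /sys/class/dmi/id/modalias
-#
-# - Input driver device name and DMI data match:
-# evdev:name:<input device name>:dmi:bvn*:bvr*:bd*:svn<vendor>:pn*
-# <input device name> is the name device specified by the
-# driver, <vendor> is the firmware-provided string exported
--# by the kernel DMI modalias.
-+# by the kernel DMI modalias, see /sys/class/dmi/id/modalias
-#
-# Scan codes are specified as:
-# KEYBOARD_KEY_<hex scan code>=<key code identifier>
-@@ -42,11 +44,18 @@
-#
-# To debug key presses and access scan code mapping data of
-# an input device use the commonly available tool: evtest(1).
-+
-+# A device with a fixed keyboard layout that must not be changed by
-+# the desktop environment may specify that layout as:
-+# XKB_FIXED_LAYOUT="us"
-+# XKB_FIXED_VARIANT=""
-+# Examples of such devices: the Yubikey or other key-code generating
-+# devices.
-#
-# To update this file, create a new file
-# /etc/udev/hwdb.d/70-keyboard.hwdb
-# and add your rules there. To load the new rules execute (as root):
--# udevadm hwdb --update
-+# systemd-hwdb update
-# udevadm trigger /dev/input/eventXX
-# where /dev/input/eventXX is the keyboard in question. If in
-# doubt, simply use /dev/input/event* to reload all input rules.
-@@ -275,7 +284,7 @@ evdev:atkbd:dmi:bvn*:bvr*:bd*:svnDell*:pnXPS12-9Q33*:pvr*
-evdev:name:Dell WMI hotkeys:dmi:bvn*:bvr*:bd*:svnDell*:pnLatitude*
-# Dell Precision microphone mute
-evdev:name:Dell WMI hotkeys:dmi:bvn*:bvr*:bd*:svnDell*:pnPrecision*
-- KEYBOARD_KEY_150=f20 # Mic mute toggle, should be micmute
-+ KEYBOARD_KEY_100150=f20 # Mic mute toggle, should be micmute
-
-###########################################################
-# Everex
-@@ -415,6 +424,10 @@ evdev:atkbd:dmi:bvn*:bvr*:bd*:svnHewlett-Packard*:pnHP*Pavilion*dv7*Notebook*PC:
-KEYBOARD_KEY_c6=break
-KEYBOARD_KEY_94=reserved
-
-+# Pavilion x360 13 (Prevents random airplane mode activation)
-+evdev:atkbd:dmi:bvn*:bvr*:bd*:svnHewlett-Packard*:pn*[pP][aA][vV][iI][lL][iI][oO][nN]*13*x360*:pvr*
-+ KEYBOARD_KEY_d7=unknown
-+
-# Elitebook
-evdev:atkbd:dmi:bvn*:bvr*:bd*:svnHewlett-Packard*:pn*Compaq*:pvr*
-evdev:atkbd:dmi:bvn*:bvr*:bd*:svnHewlett-Packard*:pn*EliteBook*:pvr*
-@@ -858,6 +871,7 @@ evdev:atkbd:dmi:bvn*:bvr*:bd*:svnMicro-Star*:pn*:pvr*
-evdev:atkbd:dmi:bvn*:bvr*:bd*:svnMICRO-STAR*:pn*U-100*:pvr*
-evdev:atkbd:dmi:bvn*:bvr*:bd*:svnMICRO-STAR*:pn*U100*:pvr*
-evdev:atkbd:dmi:bvn*:bvr*:bd*:svnMICRO-STAR*:pn*N033:*
-+evdev:atkbd:dmi:bvn*:bvr*:bd*:svnMicro-Star*:pn*VR420*:pvr*
-KEYBOARD_KEY_f7=reserved
-KEYBOARD_KEY_f8=reserved
-
-@@ -1239,3 +1253,18 @@ evdev:atkbd:dmi:bvn*:bvr*:bd*:svnDIXONSP:pnDIXON*:pvr*
-KEYBOARD_KEY_a0=! # mute
-KEYBOARD_KEY_ae=! # volume down
-KEYBOARD_KEY_b0=! # volume up
-+
-+###########################################################
-+# Fixed layout devices
-+###########################################################
-+
-+# Yubico Yubico Yubikey II"
-+evdev:input:b0003v1050p0010*
-+# Yubico Yubikey NEO OTP+CCID
-+evdev:input:b0003v1050p0111*
-+# Yubico Yubikey NEO OTP+U2F+CCID
-+evdev:input:b0003v1050p0116*
-+# OKE Electron Company USB barcode reader
-+evdev:input:b0003v05FEp1010*
-+ XKB_FIXED_LAYOUT="us"
-+ XKB_FIXED_VARIANT=""
-diff --git a/hwdb/60-sensor.hwdb b/hwdb/60-sensor.hwdb
-new file mode 100644
-index 0000000000..3160cf77e8
---- /dev/null
-+++ b/hwdb/60-sensor.hwdb
-@@ -0,0 +1,45 @@
-+# This file is part of systemd.
-+#
-+# The lookup keys are composed in:
-+# 60-sensor.rules
-+#
-+# Note: The format of the "sensor:" prefix match key is a
-+# contract between the rules file and the hardware data, it might
-+# change in later revisions to support more or better matches, it
-+# is not necessarily expected to be a stable ABI.
-+#
-+# Match string formats:
-+# sensor:modalias:<parent device modalias>:dmi:<dmi string>
-+#
-+# To add local entries, create a new file
-+# /etc/udev/hwdb.d/61-sensor-local.hwdb
-+# and add your rules there. To load the new rules execute (as root):
-+# systemd-hwdb update
-+# udevadm trigger `dirname $(udevadm info -n "/dev/iio:deviceXXX" -q path)`
-+# where /dev/iio:deviceXXX is the device in question.
-+#
-+# If your changes are generally applicable, preferably send them as a pull
-+# request to
-+# https://github.com/systemd/systemd
-+# or create a bug report on https://github.com/systemd/systemd/issues and
-+# include your new rules, a description of the device, and the output of
-+# udevadm info --export-db
-+#
-+# Allowed properties are:
-+# ACCEL_MOUNT_MATRIX=<matrix>
-+#
-+# where <matrix> is a mount-matrix in the format specified in the IIO
-+# subsystem[1]. The default, when unset, is equivalent to:
-+# ACCEL_MOUNT_MATRIX=1, 0, 0; 0, 1, 0; 0, 0, 1
-+# eg. the identity matrix.
-+#
-+# [1]: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=dfc57732ad38f93ae6232a3b4e64fd077383a0f1
-+
-+#
-+# Sort by brand, model
-+
-+#########################################
-+# Winbook
-+#########################################
-+sensor:modalias:acpi:BMA250*:dmi:*svn*WinBook*:*pn*TW100*
-+ ACCEL_MOUNT_MATRIX=0, -1, 0; -1, 0, 0; 0, 0, 0
-diff --git a/hwdb/70-mouse.hwdb b/hwdb/70-mouse.hwdb
-index bf3d134c46..772534f495 100644
---- a/hwdb/70-mouse.hwdb
-+++ b/hwdb/70-mouse.hwdb
-@@ -31,7 +31,7 @@
-# To add local entries, create a new file
-# /etc/udev/hwdb.d/71-mouse-local.hwdb
-# and add your rules there. To load the new rules execute (as root):
--# udevadm hwdb --update
-+# systemd-hwdb update
-# udevadm trigger /dev/input/eventXX
-# where /dev/input/eventXX is the mouse in question. If in
-# doubt, simply use /dev/input/event* to reload all input rules.
-@@ -50,6 +50,8 @@
-# MOUSE_WHEEL_CLICK_ANGLE_HORIZONTAL
-# MOUSE_WHEEL_CLICK_COUNT
-# MOUSE_WHEEL_CLICK_COUNT_HORIZONTAL
-+# MOUSE_WHEEL_TILT_HORIZONTAL
-+# MOUSE_WHEEL_TILT_VERTICAL
-#
-#########################################
-# ID_INPUT_TRACKBALL #
-@@ -134,6 +136,26 @@
-# MOUSE_WHEEL_CLICK_COUNT_HORIZONTAL works the same way but also follows the
-# rules of MOUSE_WHEEL_CLICK_ANGLE_HORIZONTAL.
-
-+#########################################
-+# MOUSE_WHEEL_TILT_HORIZONTAL #
-+# MOUSE_WHEEL_TILT_VERTICAL #
-+#########################################
-+#
-+# Indicates that the respective axis is not a mouse wheel rotation but a
-+# tilt along that axis. Wheel tilt is most commonly used for horizontal
-+# scroll wheel emulation on mice with only a single vertical wheel.
-+#
-+# The vertical and horizontal Axes are independently marked as tilt axes,
-+# for example it is permitted to have a MOUSE_WHEEL_CLICK_COUNT or
-+# MOUSE_WHEEL_CLICK_ANGLE for the vertical axis and mark the horizontal axis
-+# marked as as MOUSE_WHEEL_TILT_HORIZONTAL.
-+#
-+# It is a bug to have either CLICK_COUNT or CLICK_ANGLE set on the same axis
-+# as WHEEL_TILT. Applications should give priority to WHEEL_TILT and ignore
-+# other settings.
-+#
-+# This is a flag only, permitted values: 0 or 1
-+
-#
-# Sort by brand, type (usb, bluetooth), DPI, frequency.
-# For mice with switchable resolution, sort by the starred entry.
-@@ -346,6 +368,10 @@ mouse:usb:v046dpc24c:name:Logitech G400s Optical Gaming Mouse:
-mouse:usb:v046dpc07e:name:Logitech Gaming Mouse G402:
-MOUSE_DPI=400@1000 *800@1000 1600@1000 3200@1000
-
-+# Logitech G502 Proteus Spectrum
-+mouse:usb:v046dpc332:name:Logitech Gaming Mouse G502:
-+ MOUSE_DPI=1200@1000 *2400@1000 3200@1000 6400@1000
-+
-# Logitech B605 Wireless Mouse (also M505)
-mouse:usb:v046dp101d:name:Logitech B605:
-mouse:usb:v046dp101d:name:Logitech M505:
-@@ -416,6 +442,10 @@ mouse:usb:v046dpc52b:name:Logitech Unifying Device. Wireless PID:4026:
-mouse:usb:v046dpc068:name:Logitech G500:
-MOUSE_DPI=*1600@500 2600@500 3600@500
-
-+# Logitech TrackMan Wheel (USB)
-+mouse:usb:v046dpc404:name:Logitech Trackball:
-+ MOUSE_DPI=300@125
-+
-# Logitech MX1000 Laser Cordless Mouse
-mouse:bluetooth:v046dpb003:name:Logitech MX1000 mouse:
-MOUSE_DPI=800@80
-@@ -464,6 +494,10 @@ mouse:bluetooth:v045ep0702:name:Microsoft Wireless Laser Mouse 8000:
-mouse:bluetooth:v045ep07f3:name:Arc Touch Mouse SE:
-MOUSE_DPI=1000@2000
-
-+# Microsoft Surface Mouse
-+mouse:bluetooth:v0000p0000:name:Surface Mouse:
-+ MOUSE_DPI=2000@2000
-+
-##########################################
-# Mionix
-##########################################
-@@ -497,6 +531,10 @@ mouse:bluetooth:v056ep0061:name:Laser BTmouse:
-mouse:usb:v1532p0042:name:Razer Razer Abyssus:
-MOUSE_DPI=3500@1000
-
-+# Razer DeathAdder Black Edition
-+mouse:usb:v1532p0029:name:Razer Razer DeathAdder:
-+ MOUSE_DPI=3500@1000
-+
-##########################################
-# Roccat
-##########################################
-diff --git a/hwdb/70-pointingstick.hwdb b/hwdb/70-pointingstick.hwdb
-index e18ef28290..cfdfef567a 100644
---- a/hwdb/70-pointingstick.hwdb
-+++ b/hwdb/70-pointingstick.hwdb
-@@ -18,16 +18,19 @@
-# ZZZZ is the bus-id (see /usr/include/linux/input.h BUS_*), YYYY, XXXX and
-# WWW are the 4-digit hex uppercase vendor, product and version ID and VVVV
-# is an arbitrary length input-modalias describing the device capabilities.
-+# The vendor, product and version ID for a device node "eventX" is listed
-+# in /sys/class/input/eventX/device/id.
-#
-# - Input driver device name and DMI data match:
-# evdev:name:<input device name>:dmi:bvn*:bvr*:bd*:svn<vendor>:pn*
-# <input device name> is the name device specified by the driver,
--# <vendor> is the firmware-provided string from the kernel DMI modalias.
-+# <vendor> is the firmware-provided string from the kernel DMI modalias,
-+# see /sys/class/dmi/id/modalias
-#
-# To add local entries, create a new file
-# /etc/udev/hwdb.d/71-pointingstick-local.hwdb
-# and add your rules there. To load the new rules execute (as root):
--# udevadm hwdb --update
-+# systemd-hwdb update
-# udevadm trigger /dev/input/eventXX
-# where /dev/input/eventXX is the pointingstick in question. If in
-# doubt, simply use /dev/input/event* to reload all input rules.
-@@ -95,6 +98,8 @@ evdev:name:*DualPoint Stick:dmi:bvn*:bvr*:bd*:svnDellInc.:pnLatitudeE7470*:pvr*
-# Lenovo
-#########################################
-
-+# Lenovo Thinkpad X220
-+evdev:name:TPPS/2 IBM TrackPoint:dmi:bvn*:bvr*:bd*:svnLENOVO:pn*:pvrThinkPadX220:*
-# Lenovo Thinkpad X230
-evdev:name:TPPS/2 IBM TrackPoint:dmi:bvn*:bvr*:bd*:svnLENOVO:pn*:pvrThinkPadX230:*
-# Lenovo Thinkpad X230 tablet
-diff --git a/hwdb/70-touchpad.hwdb b/hwdb/70-touchpad.hwdb
-index 11f3f96f04..82a4b7a575 100644
---- a/hwdb/70-touchpad.hwdb
-+++ b/hwdb/70-touchpad.hwdb
-@@ -18,7 +18,7 @@
-# To add local entries, create a new file
-# /etc/udev/hwdb.d/71-touchpad-local.hwdb
-# and add your rules there. To load the new rules execute (as root):
--# udevadm hwdb --update
-+# systemd-hwdb update
-# udevadm trigger /dev/input/eventXX
-# where /dev/input/eventXX is the touchpad in question. If in
-# doubt, simply use /dev/input/event* to reload all input rules.
-@@ -47,3 +47,9 @@ touchpad:usb:*
-###########################################################
-touchpad:usb:v05ac*
-ID_INPUT_TOUCHPAD_INTEGRATION=internal
-+
-+###########################################################
-+# Wacom
-+###########################################################
-+touchpad:usb:v056a*
-+ ID_INPUT_TOUCHPAD_INTEGRATION=external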
2
sources
2
sources
@ -1 +1 @@
|
||||
3e3a0b14050eff62e68be72142181730 systemd-232.tar.gz
|
||||
SHA512 (systemd-233.tar.gz) = 5ad5329ea116d973cf67096f7e7ad28e9ea0905696e9451291f1d25e5064f4a9bfcfae87e912996c6a38397e9f4a148d4ccecfa9b70f7ecdf04deadb61784c8e
|
||||
|
130
systemd.spec
130
systemd.spec
@ -8,11 +8,12 @@
|
||||
|
||||
%global pkgdir %{_prefix}/lib/systemd
|
||||
%global system_unit_dir %{pkgdir}/system
|
||||
%global user_unit_dir %{pkgdir}/user
|
||||
|
||||
Name: systemd
|
||||
Url: http://www.freedesktop.org/wiki/Software/systemd
|
||||
Version: 232
|
||||
Release: 15%{?gitcommit:.git%{gitcommitshort}}%{?dist}
|
||||
Version: 233
|
||||
Release: 1%{?gitcommit:.git%{gitcommitshort}}%{?dist}
|
||||
# For a breakdown of the licensing, see README
|
||||
License: LGPLv2+ and MIT and GPLv2+
|
||||
Summary: System and Service Manager
|
||||
@ -39,75 +40,11 @@ Source10: systemd-udev-trigger-no-reload.conf
|
||||
Source11: 20-grubby.install
|
||||
Source12: https://raw.githubusercontent.com/systemd/systemd/1000522a60ceade446773c67031b47a566d4a70d/src/login/systemd-user.m4
|
||||
|
||||
# GIT_DIR=../../src/systemd/.git git format-patch-ab --no-signature -M -N v232..v232-stable
|
||||
# GIT_DIR=../../src/systemd/.git git format-patch-ab --no-signature -M -N v233..v233-stable
|
||||
# i=1; for j in 00*patch; do printf "Patch%04d: %s\n" $i $j; i=$((i+1));done|xclip
|
||||
|
||||
Patch0001: 0001-build-sys-link-test-seccomp-against-seccomp-libs-456.patch
|
||||
Patch0002: 0002-kernel-install-use-exit-instead-of-return-4565.patch
|
||||
Patch0003: 0003-nspawn-fix-exit-code-for-help-and-version-4609.patch
|
||||
Patch0004: 0004-core-don-t-use-the-unified-hierarchy-for-the-systemd.patch
|
||||
Patch0005: 0005-core-make-RootDirectory-and-ProtectKernelModules-wor.patch
|
||||
Patch0006: 0006-nspawn-avoid-one-strdup-by-using-free_and_replace.patch
|
||||
Patch0007: 0007-nspawn-slight-simplification.patch
|
||||
Patch0008: 0008-core-namespace-count-and-free-failed-paths-inside-ch.patch
|
||||
Patch0009: 0009-basic-virt-fix-userns-check-on-CONFIG_USER_NS-n-kern.patch
|
||||
Patch0010: 0010-timesyncd-clear-ADJ_MAXERROR-to-keep-STA_UNSYNC-clea.patch
|
||||
Patch0011: 0011-link-fix-offload-features-initialization-4639.patch
|
||||
Patch0012: 0012-sd-event-fix-sd_event_source_get_priority-4712.patch
|
||||
Patch0013: 0013-build-sys-check-for-lz4-in-the-old-and-new-numbering.patch
|
||||
Patch0014: 0014-networkd-fix-size-of-MTUBytes-so-that-it-does-not-ov.patch
|
||||
Patch0015: 0015-core-consider-SIGTERM-as-a-clean-exit-status-for-ini.patch
|
||||
Patch0016: 0016-core-make-sure-initrd-switch-root-command-survives-P.patch
|
||||
Patch0017: 0017-fix-journald-startup-problem-when-code-is-compiled-w.patch
|
||||
Patch0018: 0018-device-Avoid-calling-unit_free-NULL-in-device-setup-.patch
|
||||
Patch0019: 0019-udevd-check-correct-return-value-of-fcntl-4758.patch
|
||||
Patch0020: 0020-systemctl-fix-is-enabled-exit-status-on-failure-when.patch
|
||||
Patch0021: 0021-journal-make-sure-to-initially-populate-the-space-in.patch
|
||||
Patch0022: 0022-networkd-link_enter_configured-remove-assert-4800.patch
|
||||
Patch0023: 0023-rules-consider-MMC-device-partitions-with-partition-.patch
|
||||
Patch0024: 0024-nspawn-add-missing-E-to-getopt_long-4860.patch
|
||||
Patch0025: 0025-build-sys-define-arm-as-secondary-architecture-for-a.patch
|
||||
Patch0026: 0026-nspawn-when-getting-SIGCHLD-make-sure-it-s-from-the-.patch
|
||||
Patch0027: 0027-machinectl-make-machinectl-E-shell-work.patch
|
||||
Patch0028: 0028-sysv-generator-properly-translate-sysv-facilities.patch
|
||||
Patch0029: 0029-core-downgrade-Time-has-been-changed-to-debug-4906.patch
|
||||
Patch0030: 0030-machinectl-handle-EOPNOTSUPP-from-print_addresses-49.patch
|
||||
Patch0031: 0031-units-fix-condition-for-systemd-journal-catalog-upda.patch
|
||||
Patch0032: 0032-core-fix-sockaddr-length-calculation-for-sockaddr_pr.patch
|
||||
Patch0033: 0033-shared-fix-double-free-in-unmask-5005.patch
|
||||
Patch0034: 0034-shared-fix-double-free-in-link.patch
|
||||
Patch0035: 0035-shared-check-strdup-NULL.patch
|
||||
Patch0036: 0036-rpm-triggers-do-nothing-if-systemd-is-not-running-50.patch
|
||||
Patch0037: 0037-kernel-install-avoid-process-substitution.patch
|
||||
Patch0038: 0038-shell-completion-redirect-all-errors-from-systemctl-.patch
|
||||
Patch0039: 0039-cryptsetup-fix-unitialized-variable.patch
|
||||
Patch0040: 0040-systemctl-uninitalized-variable.patch
|
||||
Patch0041: 0041-bash_completion-journalctl-add-missing-options.patch
|
||||
Patch0042: 0042-bash_completion-journalctl-Complete-t-option-values.patch
|
||||
Patch0043: 0043-Fixi-caching-in-zsh-completion-5122.patch
|
||||
Patch0044: 0044-bash-completion-add-support-for-now-5155.patch
|
||||
Patch0045: 0045-core-dbus-fix-two-strv-memleaks.patch
|
||||
Patch0046: 0046-core-execute-fix-strv-memleak.patch
|
||||
Patch0047: 0047-resolve-fix-strv-memleak.patch
|
||||
Patch0048: 0048-nspawn-fix-clobbering-of-selinux-context-arg.patch
|
||||
Patch0049: 0049-parse_hwdb-fix-to-work-with-pyparsing-2.1.10.patch
|
||||
Patch0050: 0050-journald-don-t-flush-to-var-log-journal-before-we-ge.patch
|
||||
Patch0051: 0051-tree-wide-drop-NULL-sentinel-from-strjoin.patch
|
||||
Patch0052: 0052-core-add-new-RestrictNamespaces-unit-file-setting.patch
|
||||
Patch0053: 0053-seccomp-rework-seccomp-code-to-improve-compat-with-s.patch
|
||||
Patch0054: 0054-build-sys-add-check-for-gperf-lookup-function-signat.patch
|
||||
Patch0055: 0055-journal-gatewayd-actually-recognize-D-as-a-synonym-f.patch
|
||||
Patch0056: 0056-journal-gatewayd-return-EINVAL-if-ARG_TRUST-and-HAVE.patch
|
||||
Patch0057: 0057-systemctl-always-avoid-being-killed-when-doing-switc.patch
|
||||
Patch0058: 0058-systemctl-ignore-SIGTERM-after-switch-root.patch
|
||||
Patch0059: 0059-units-restore-Before-dependencies-for-systemd-vconso.patch
|
||||
Patch0060: 0060-coredump-really-extract-container-cmdline-5167.patch
|
||||
Patch0061: 0061-machinectl-make-sure-that-inability-to-get-OS-versio.patch
|
||||
# GIT_DIR=../../src/systemd/.git git diffab -M v233..master@{2017-01-30} hwdb/[67]* > hwdb.patch
|
||||
|
||||
Patch0068: 0068-test-ipcrm-use-configured-nobody-user-name.patch
|
||||
|
||||
# GIT_DIR=../../src/systemd/.git git diffab -M v232..master@{2017-01-30} hwdb/[67]* > hwdb.patch
|
||||
Patch0997: hwdb.patch
|
||||
Patch0998: 0998-resolved-create-etc-resolv.conf-symlink-at-runtime.patch
|
||||
|
||||
%global num_patches %{lua: c=0; for i,p in ipairs(patches) do c=c+1; end; print(c);}
|
||||
@ -301,6 +238,15 @@ and to write journal files from serialized journal contents.
|
||||
This package contains systemd-journal-gatewayd,
|
||||
systemd-journal-remote, and systemd-journal-upload.
|
||||
|
||||
%package tests
|
||||
Summary: Internal unit tests for systemd
|
||||
Requires: %{name}%{?_isa} = %{version}-%{release}
|
||||
License: LGPLv2+
|
||||
|
||||
%description tests
|
||||
"Installed tests" that are usually run as part of the build system.
|
||||
They can be useful to test systemd internals.
|
||||
|
||||
%prep
|
||||
%setup -q %{?gitcommit:-n %{name}-%{gitcommit}}
|
||||
|
||||
@ -370,7 +316,7 @@ CONFIGURE_OPTS=(
|
||||
make %{?_smp_mflags} GCC_COLORS="" V=1
|
||||
|
||||
%install
|
||||
%make_install
|
||||
%make_install install-tests
|
||||
|
||||
find %{buildroot} \( -name '*.a' -o -name '*.la' \) -delete
|
||||
|
||||
@ -460,12 +406,13 @@ install -Dm0644 -t %{buildroot}%{system_unit_dir}/systemd-udev-trigger.service.d
|
||||
|
||||
install -Dm0755 -t %{buildroot}%{_prefix}/lib/kernel/install.d/ %{SOURCE11}
|
||||
|
||||
mkdir -p %{buildroot}/etc/polkit-1/localauthority/10-vendor.d
|
||||
mv %{buildroot}/var/lib/polkit-1/localauthority/10-vendor.d/systemd-networkd.pkla \
|
||||
%{buildroot}/etc/polkit-1/localauthority/10-vendor.d/
|
||||
|
||||
%find_lang %{name}
|
||||
|
||||
%check
|
||||
sed -i '33i \
|
||||
sys.exit(77)' hwdb/parse_hwdb.py
|
||||
|
||||
make check %{?_smp_mflags} VERBOSE=1 || { cat test-suite.log; exit 1; }
|
||||
|
||||
# Check for botched translations (https://bugzilla.redhat.com/show_bug.cgi?id=1226566)
|
||||
@ -655,7 +602,6 @@ getent passwd systemd-journal-upload &>/dev/null || useradd -r -l -g systemd-jou
|
||||
%license LICENSE.GPL2 LICENSE.LGPL2.1
|
||||
%dir %{_sysconfdir}/systemd
|
||||
%dir %{_sysconfdir}/systemd/system
|
||||
%{_sysconfdir}/systemd/system/ctrl-alt-del.target
|
||||
%ghost %dir %{_sysconfdir}/systemd/system/basic.target.wants
|
||||
%ghost %dir %{_sysconfdir}/systemd/system/bluetooth.target.wants
|
||||
%ghost %dir %{_sysconfdir}/systemd/system/default.target.wants
|
||||
@ -688,6 +634,7 @@ getent passwd systemd-journal-upload &>/dev/null || useradd -r -l -g systemd-jou
|
||||
%exclude %{pkgdir}/system-generators/systemd-gpt-auto-generator
|
||||
%exclude %{pkgdir}/system-generators/systemd-hibernate-resume-generator
|
||||
%{pkgdir}/user-generators
|
||||
%{pkgdir}/user-environment-generators
|
||||
%dir %{pkgdir}/system-shutdown
|
||||
%dir %{pkgdir}/system-sleep
|
||||
%dir %{pkgdir}/catalog
|
||||
@ -697,8 +644,18 @@ getent passwd systemd-journal-upload &>/dev/null || useradd -r -l -g systemd-jou
|
||||
%dir %{_prefix}/lib/sysctl.d
|
||||
%dir %{_prefix}/lib/modules-load.d
|
||||
%dir %{_prefix}/lib/binfmt.d
|
||||
%dir %{_prefix}/lib/environment.d
|
||||
%{_prefix}/lib/environment.d/99-environment.conf
|
||||
%dir %{_prefix}/lib/kernel
|
||||
%dir %{_datadir}/systemd
|
||||
%dir %{_datadir}/dbus-1/system.d
|
||||
%{_datadir}/dbus-1/system.d/org.freedesktop.systemd1.conf
|
||||
%{_datadir}/dbus-1/system.d/org.freedesktop.hostname1.conf
|
||||
%{_datadir}/dbus-1/system.d/org.freedesktop.login1.conf
|
||||
%{_datadir}/dbus-1/system.d/org.freedesktop.locale1.conf
|
||||
%{_datadir}/dbus-1/system.d/org.freedesktop.timedate1.conf
|
||||
%{_datadir}/dbus-1/system.d/org.freedesktop.resolve1.conf
|
||||
%{_datadir}/dbus-1/system.d/org.freedesktop.network1.conf
|
||||
%dir %{_datadir}/pkgconfig
|
||||
%dir %{_datadir}/zsh
|
||||
%dir %{_datadir}/zsh/site-functions
|
||||
@ -716,20 +673,13 @@ getent passwd systemd-journal-upload &>/dev/null || useradd -r -l -g systemd-jou
|
||||
%ghost %attr(0664,root,utmp) %{_localstatedir}/run/utmp
|
||||
%ghost %attr(0664,root,utmp) %{_localstatedir}/log/wtmp
|
||||
%ghost %attr(0600,root,utmp) %{_localstatedir}/log/btmp
|
||||
%dir %{_sysconfdir}/dbus-1/system.d
|
||||
%config(noreplace) %{_sysconfdir}/dbus-1/system.d/org.freedesktop.systemd1.conf
|
||||
%config(noreplace) %{_sysconfdir}/dbus-1/system.d/org.freedesktop.hostname1.conf
|
||||
%config(noreplace) %{_sysconfdir}/dbus-1/system.d/org.freedesktop.login1.conf
|
||||
%config(noreplace) %{_sysconfdir}/dbus-1/system.d/org.freedesktop.locale1.conf
|
||||
%config(noreplace) %{_sysconfdir}/dbus-1/system.d/org.freedesktop.timedate1.conf
|
||||
%config(noreplace) %{_sysconfdir}/dbus-1/system.d/org.freedesktop.resolve1.conf
|
||||
%config(noreplace) %{_sysconfdir}/dbus-1/system.d/org.freedesktop.network1.conf
|
||||
%config(noreplace) %{_sysconfdir}/systemd/system.conf
|
||||
%config(noreplace) %{_sysconfdir}/systemd/user.conf
|
||||
%config(noreplace) %{_sysconfdir}/systemd/logind.conf
|
||||
%config(noreplace) %{_sysconfdir}/systemd/journald.conf
|
||||
%config(noreplace) %{_sysconfdir}/systemd/resolved.conf
|
||||
%config(noreplace) %{_sysconfdir}/systemd/coredump.conf
|
||||
%config(noreplace) %{_sysconfdir}/systemd/system/dbus-org.freedesktop.resolve1.service
|
||||
%config(noreplace) %{_sysconfdir}/yum/protected.d/systemd.conf
|
||||
%config(noreplace) %{_sysconfdir}/pam.d/systemd-user
|
||||
%{_rpmconfigdir}/macros.d/macros.systemd
|
||||
@ -762,6 +712,7 @@ getent passwd systemd-journal-upload &>/dev/null || useradd -r -l -g systemd-jou
|
||||
%{_bindir}/systemd-inhibit
|
||||
%{_bindir}/systemd-machine-id-setup
|
||||
%{_bindir}/systemd-mount
|
||||
%{_bindir}/systemd-umount
|
||||
%{_bindir}/systemd-notify
|
||||
%{_bindir}/systemd-path
|
||||
%{_bindir}/systemd-resolve
|
||||
@ -775,7 +726,7 @@ getent passwd systemd-journal-upload &>/dev/null || useradd -r -l -g systemd-jou
|
||||
%{pkgdir}/systemd
|
||||
%{pkgdir}/libsystemd-shared-%{version}.so
|
||||
%{system_unit_dir}
|
||||
%{pkgdir}/user
|
||||
%{user_unit_dir}
|
||||
%{pkgdir}/resolv.conf
|
||||
%exclude %{system_unit_dir}/*udev*
|
||||
%exclude %{system_unit_dir}/*/*udev*
|
||||
@ -896,11 +847,14 @@ getent passwd systemd-journal-upload &>/dev/null || useradd -r -l -g systemd-jou
|
||||
%{_datadir}/dbus-1/system-services/org.freedesktop.network1.service
|
||||
%dir %{_datadir}/polkit-1
|
||||
%dir %{_datadir}/polkit-1/actions
|
||||
%dir %{_datadir}/polkit-1/rules.d
|
||||
%{_datadir}/polkit-1/actions/org.freedesktop.systemd1.policy
|
||||
%{_datadir}/polkit-1/actions/org.freedesktop.hostname1.policy
|
||||
%{_datadir}/polkit-1/actions/org.freedesktop.login1.policy
|
||||
%{_datadir}/polkit-1/actions/org.freedesktop.locale1.policy
|
||||
%{_datadir}/polkit-1/actions/org.freedesktop.timedate1.policy
|
||||
%{_datadir}/polkit-1/rules.d/systemd-networkd.rules
|
||||
/etc/polkit-1/localauthority/10-vendor.d/systemd-networkd.pkla
|
||||
%{_datadir}/pkgconfig/systemd.pc
|
||||
%{_datadir}/pkgconfig/udev.pc
|
||||
%{_datadir}/bash-completion/completions/*
|
||||
@ -1024,8 +978,6 @@ getent passwd systemd-journal-upload &>/dev/null || useradd -r -l -g systemd-jou
|
||||
%{_mandir}/man[1578]/systemd-sleep*
|
||||
|
||||
%files container
|
||||
%config(noreplace) %{_sysconfdir}/dbus-1/system.d/org.freedesktop.machine1.conf
|
||||
%config(noreplace) %{_sysconfdir}/dbus-1/system.d/org.freedesktop.import1.conf
|
||||
%{_libdir}/libnss_mymachines.so.2
|
||||
%{_bindir}/machinectl
|
||||
%{_bindir}/systemd-nspawn
|
||||
@ -1048,6 +1000,9 @@ getent passwd systemd-journal-upload &>/dev/null || useradd -r -l -g systemd-jou
|
||||
%{pkgdir}/systemd-pull
|
||||
%{pkgdir}/network/80-container-ve.network
|
||||
%{pkgdir}/network/80-container-vz.network
|
||||
%{_datadir}/dbus-1/system.d/org.freedesktop.import1.conf
|
||||
%{_datadir}/dbus-1/system.d/org.freedesktop.machine1.conf
|
||||
%{_datadir}/dbus-1/system-services/org.freedesktop.import1.service
|
||||
%{_datadir}/dbus-1/system-services/org.freedesktop.machine1.service
|
||||
%{_datadir}/dbus-1/system-services/org.freedesktop.import1.service
|
||||
%{_datadir}/polkit-1/actions/org.freedesktop.import1.policy
|
||||
@ -1079,7 +1034,14 @@ getent passwd systemd-journal-upload &>/dev/null || useradd -r -l -g systemd-jou
|
||||
%{_mandir}/man[1578]/systemd-journal-upload*
|
||||
%{_mandir}/man[1578]/systemd-journal-gateway*
|
||||
|
||||
%files tests
|
||||
%{pkgdir}/tests
|
||||
|
||||
%changelog
|
||||
* Thu Mar 2 2017 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 233-1
|
||||
- New upstream release (#1416201, #1405439, #1420753, many others)
|
||||
- New systemd-tests subpackage with "installed tests"
|
||||
|
||||
* Thu Feb 16 2017 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 232-15
|
||||
- Add %%ghost %%dir entries for .wants dirs of our targets (#1422894)
|
||||
|
||||
|