rpms/systemd
6
0
Fork 0
Code Issues Pull Requests Releases Activity

systemd-239-80

Browse Source 
Resolves: RHEL-1087,RHEL-18302,RHEL-22426,RHEL-2857,RHEL-5863,RHEL-5991
This commit is contained in:
Jan Macku 2024-02-15 09:11:45 +01:00
parent 2294de3d20
commit cef061bd68
16 changed files with 1473 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

70
0990-fd-util-rework-how-we-determine-highest-possible-fd.patch Normal file
View File

@ -0,0 +1,70 @@
From 1b547e500207a469a533d819db5b7c6c22516ec3 Mon Sep 17 00:00:00 2001
From: Lennart Poettering <lennart@poettering.net>
Date: Thu, 17 Jan 2019 12:23:21 +0100
Subject: [PATCH] fd-util: rework how we determine highest possible fd
(cherry picked from commit 498e265df1c63212ec1a0991c135877a23f1ba4f)
Related: RHEL-18302
---
src/basic/fd-util.c | 37 ++++++++++++++++++++++++++-----------
1 file changed, 26 insertions(+), 11 deletions(-)
diff --git a/src/basic/fd-util.c b/src/basic/fd-util.c
index e085dc23b4..fea93d2039 100644
--- a/src/basic/fd-util.c
+++ b/src/basic/fd-util.c
@@ -188,6 +188,27 @@ _pure_ static bool fd_in_set(int fd, const int fdset[], size_t n_fdset) {
return false;
}
+static int get_max_fd(void) {
+ struct rlimit rl;
+ rlim_t m;
+
+ /* Return the highest possible fd, based RLIMIT_NOFILE, but enforcing FD_SETSIZE-1 as lower boundary
+ * and INT_MAX as upper boundary. */
+
+ if (getrlimit(RLIMIT_NOFILE, &rl) < 0)
+ return -errno;
+
+ m = MAX(rl.rlim_cur, rl.rlim_max);
+ if (m < FD_SETSIZE) /* Let's always cover at least 1024 fds */
+ return FD_SETSIZE-1;
+
+ if (m == RLIM_INFINITY || m > INT_MAX) /* Saturate on overflow. After all fds are "int", hence can
+ * never be above INT_MAX */
+ return INT_MAX;
+
+ return (int) (m - 1);
+}
+
int close_all_fds(const int except[], size_t n_except) {
_cleanup_closedir_ DIR *d = NULL;
struct dirent *de;
@@ -197,20 +218,14 @@ int close_all_fds(const int except[], size_t n_except) {
d = opendir("/proc/self/fd");
if (!d) {
- struct rlimit rl;
int fd, max_fd;
- /* When /proc isn't available (for example in chroots) the fallback is brute forcing through the fd
- * table */
-
- assert_se(getrlimit(RLIMIT_NOFILE, &rl) >= 0);
-
- if (rl.rlim_max == 0)
- return -EINVAL;
+ /* When /proc isn't available (for example in chroots) the fallback is brute forcing through
+ * the fd table */
- /* Let's take special care if the resource limit is set to unlimited, or actually larger than the range
- * of 'int'. Let's avoid implicit overflows. */
- max_fd = (rl.rlim_max == RLIM_INFINITY || rl.rlim_max > INT_MAX) ? INT_MAX : (int) (rl.rlim_max - 1);
+ max_fd = get_max_fd();
+ if (max_fd < 0)
+ return max_fd;
for (fd = 3; fd >= 0; fd = fd < max_fd ? fd + 1 : -1) {
int q;

70
0991-basic-fd-util-refuse-infinite-loop-in-close_all_fds.patch Normal file
View File

@ -0,0 +1,70 @@
From 957edb063f3e9751bbdc05bd973bb2190ab0e917 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
Date: Fri, 15 Mar 2019 15:13:25 +0100
Subject: [PATCH] basic/fd-util: refuse "infinite" loop in close_all_fds()
I had a test machine with ulimit -n set to 1073741816 through pam
("session required pam_limits.so set_all", which copies the limits from PID 1,
left over from testing of #10921).
test-execute would "hang" and then fail with a timeout when running
exec-inaccessiblepaths-proc.service. It turns out that the problem was in
close_all_fds(), which would go to the fallback path of doing close()
1073741813 times. Let's just fail if we hit this case. This only matters
for cases where both /proc is inaccessible, and the *soft* limit has been
raised.
(gdb) bt
#0 0x00007f7e2e73fdc8 in close () from target:/lib64/libc.so.6
#1 0x00007f7e2e42cdfd in close_nointr ()
from target:/home/zbyszek/src/systemd-work3/build-rawhide/src/shared/libsystemd-shared-241.so
#2 0x00007f7e2e42d525 in close_all_fds ()
from target:/home/zbyszek/src/systemd-work3/build-rawhide/src/shared/libsystemd-shared-241.so
#3 0x0000000000426e53 in exec_child ()
#4 0x0000000000429578 in exec_spawn ()
#5 0x00000000004ce1ab in service_spawn ()
#6 0x00000000004cff77 in service_enter_start ()
#7 0x00000000004d028f in service_enter_start_pre ()
#8 0x00000000004d16f2 in service_start ()
#9 0x00000000004568f4 in unit_start ()
#10 0x0000000000416987 in test ()
#11 0x0000000000417632 in test_exec_inaccessiblepaths ()
#12 0x0000000000419362 in run_tests ()
#13 0x0000000000419632 in main ()
(cherry picked from commit 6a461d1f59850ff27bd254a3b71fe9ade0523e76)
Related: RHEL-18302
---
src/basic/fd-util.c | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/src/basic/fd-util.c b/src/basic/fd-util.c
index fea93d2039..5d0df11d7e 100644
--- a/src/basic/fd-util.c
+++ b/src/basic/fd-util.c
@@ -24,6 +24,10 @@
#include "stdio-util.h"
#include "util.h"
+/* The maximum number of iterations in the loop to close descriptors in the fallback case
+ * when /proc/self/fd/ is inaccessible. */
+#define MAX_FD_LOOP_LIMIT (1024*1024)
+
int close_nointr(int fd) {
assert(fd >= 0);
@@ -227,6 +231,13 @@ int close_all_fds(const int except[], size_t n_except) {
if (max_fd < 0)
return max_fd;
+ /* Refuse to do the loop over more too many elements. It's better to fail immediately than to
+ * spin the CPU for a long time. */
+ if (max_fd > MAX_FD_LOOP_LIMIT)
+ return log_debug_errno(EPERM,
+ "/proc/self/fd is inaccessible. Refusing to loop over %d potential fds.",
+ max_fd);
+
for (fd = 3; fd >= 0; fd = fd < max_fd ? fd + 1 : -1) {
int q;

110
0992-fd-util-split-out-inner-fallback-loop-of-close_all_f.patch Normal file
View File

@ -0,0 +1,110 @@
From c2665abd4cae74f262d9a522b94528841ad141d2 Mon Sep 17 00:00:00 2001
From: Lennart Poettering <lennart@poettering.net>
Date: Tue, 12 Oct 2021 15:53:27 +0200
Subject: [PATCH] fd-util: split out inner fallback loop of close_all_fds() as
close_all_fds_without_malloc()
(cherry picked from commit 11966552a88039869972ca4b450f622664bd1c5e)
Related: RHEL-18302
---
src/basic/fd-util.c | 63 +++++++++++++++++++++++++--------------------
src/basic/fd-util.h | 1 +
2 files changed, 36 insertions(+), 28 deletions(-)
diff --git a/src/basic/fd-util.c b/src/basic/fd-util.c
index 5d0df11d7e..7e4611dfda 100644
--- a/src/basic/fd-util.c
+++ b/src/basic/fd-util.c
@@ -213,44 +213,51 @@ static int get_max_fd(void) {
return (int) (m - 1);
}
-int close_all_fds(const int except[], size_t n_except) {
- _cleanup_closedir_ DIR *d = NULL;
- struct dirent *de;
- int r = 0;
+int close_all_fds_without_malloc(const int except[], size_t n_except) {
+ int max_fd, r = 0;
assert(n_except == 0 || except);
- d = opendir("/proc/self/fd");
- if (!d) {
- int fd, max_fd;
+ /* This is the inner fallback core of close_all_fds(). This never calls malloc() or opendir() or so
+ * and hence is safe to be called in signal handler context. Most users should call close_all_fds(),
+ * but when we assume we are called from signal handler context, then use this simpler call
+ * instead. */
- /* When /proc isn't available (for example in chroots) the fallback is brute forcing through
- * the fd table */
+ max_fd = get_max_fd();
+ if (max_fd < 0)
+ return max_fd;
- max_fd = get_max_fd();
- if (max_fd < 0)
- return max_fd;
+ /* Refuse to do the loop over more too many elements. It's better to fail immediately than to
+ * spin the CPU for a long time. */
+ if (max_fd > MAX_FD_LOOP_LIMIT)
+ return log_debug_errno(EPERM,
+ "Refusing to loop over %d potential fds.",
+ max_fd);
- /* Refuse to do the loop over more too many elements. It's better to fail immediately than to
- * spin the CPU for a long time. */
- if (max_fd > MAX_FD_LOOP_LIMIT)
- return log_debug_errno(EPERM,
- "/proc/self/fd is inaccessible. Refusing to loop over %d potential fds.",
- max_fd);
+ for (int fd = 3; fd >= 0; fd = fd < max_fd ? fd + 1 : -1) {
+ int q;
- for (fd = 3; fd >= 0; fd = fd < max_fd ? fd + 1 : -1) {
- int q;
+ if (fd_in_set(fd, except, n_except))
+ continue;
- if (fd_in_set(fd, except, n_except))
- continue;
+ q = close_nointr(fd);
+ if (q < 0 && q != -EBADF && r >= 0)
+ r = q;
+ }
- q = close_nointr(fd);
- if (q < 0 && q != -EBADF && r >= 0)
- r = q;
- }
+ return r;
+}
- return r;
- }
+int close_all_fds(const int except[], size_t n_except) {
+ _cleanup_closedir_ DIR *d = NULL;
+ struct dirent *de;
+ int r = 0;
+
+ assert(n_except == 0 || except);
+
+ d = opendir("/proc/self/fd");
+ if (!d)
+ return close_all_fds_without_malloc(except, n_except); /* ultimate fallback if /proc/ is not available */
FOREACH_DIRENT(de, d, return -errno) {
int fd = -1, q;
diff --git a/src/basic/fd-util.h b/src/basic/fd-util.h
index 8adc959da8..b2837d3588 100644
--- a/src/basic/fd-util.h
+++ b/src/basic/fd-util.h
@@ -54,6 +54,7 @@ int fd_nonblock(int fd, bool nonblock);
int fd_cloexec(int fd, bool cloexec);
int close_all_fds(const int except[], size_t n_except);
+int close_all_fds_without_malloc(const int except[], size_t n_except);
int same_fd(int a, int b);

29
0993-exec-util-use-close_all_fds_without_malloc-from-free.patch Normal file
View File

@ -0,0 +1,29 @@
From 140e598dcf6b86007b1daba42c31253521964b2e Mon Sep 17 00:00:00 2001
From: Lennart Poettering <lennart@poettering.net>
Date: Thu, 29 Jul 2021 16:50:44 +0200
Subject: [PATCH] exec-util: use close_all_fds_without_malloc() from freeze()
(cherry picked from commit ab27b2fe56c6c4bd0295b248448adb1c698e9284)
Resolves: RHEL-18302
---
src/basic/process-util.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/basic/process-util.c b/src/basic/process-util.c
index 6016d83d41..9e2237375d 100644
--- a/src/basic/process-util.c
+++ b/src/basic/process-util.c
@@ -991,8 +991,10 @@ _noreturn_ void freeze(void) {
log_close();
- /* Make sure nobody waits for us on a socket anymore */
- close_all_fds(NULL, 0);
+ /* Make sure nobody waits for us (i.e. on one of our sockets) anymore. Note that we use
+ * close_all_fds_without_malloc() instead of plain close_all_fds() here, since we want this function
+ * to be compatible with being called from signal handlers. */
+ (void) close_all_fds_without_malloc(NULL, 0);
sync();

185
0994-ci-use-source-git-automation-composite-Action.patch Normal file
View File

@ -0,0 +1,185 @@
From 5d0fc67965b48e05c28d0993368a3982efd03b4b Mon Sep 17 00:00:00 2001
From: Jan Macku <jamacku@redhat.com>
Date: Fri, 12 Jan 2024 16:01:43 +0100
Subject: [PATCH] ci: use source-git-automation composite Action
This will allow us maintain the source-git automation in separate repo
and reduce the duplication of the code and noise in the systemd repo.
rhel-only
Related: RHEL-1087
---
.../source-git-automation-on-demand.yml | 55 ++------------
.github/workflows/source-git-automation.yml | 72 ++-----------------
2 files changed, 9 insertions(+), 118 deletions(-)
diff --git a/.github/workflows/source-git-automation-on-demand.yml b/.github/workflows/source-git-automation-on-demand.yml
index 948708916d..0c72f9f210 100644
--- a/.github/workflows/source-git-automation-on-demand.yml
+++ b/.github/workflows/source-git-automation-on-demand.yml
@@ -1,5 +1,3 @@
----
-
name: Source git Automation Scheduled/On Demand
on:
schedule:
@@ -59,61 +57,16 @@ jobs:
pr-number: ${{ inputs.pr-number == 0 && fromJSON(needs.gather-pull-requests.outputs.pr-numbers) || fromJSON(needs.gather-pull-requests.outputs.pr-numbers-manual) }}
permissions:
+ # required for merging PRs
contents: write
- statuses: write
- checks: write
+ # required for PR comments and setting labels
pull-requests: write
steps:
- - name: Repository checkout
- uses: actions/checkout@v3
-
- - id: metadata
- name: Gather Pull Request Metadata
- uses: redhat-plumbers-in-action/gather-pull-request-metadata@v1
+ - name: Source-git Automation
+ uses: redhat-plumbers-in-action/source-git-automation@v1
with:
pr-number: ${{ matrix.pr-number }}
-
- - if: ${{ !cancelled() }}
- id: commit-linter
- name: Lint Commits
- uses: redhat-plumbers-in-action/advanced-commit-linter@v2
- with:
- pr-metadata: ${{ steps.metadata.outputs.metadata }}
- token: ${{ secrets.GITHUB_TOKEN }}
-
- # Validates tracker, changes tracker status, updates PR title
- - if: ${{ !cancelled() }}
- id: tracker-validator
- name: Validate Tracker
- uses: redhat-plumbers-in-action/tracker-validator@v1
- with:
- pr-metadata: ${{ steps.metadata.outputs.metadata }}
- component: systemd
- tracker: ${{ fromJSON(steps.commit-linter.outputs.validated-pr-metadata).validation.tracker.id }}
- tracker-type: ${{ fromJSON(steps.commit-linter.outputs.validated-pr-metadata).validation.tracker.type }}
- bugzilla-instance: https://bugzilla.redhat.com
- bugzilla-api-token: ${{ secrets.BUGZILLA_API_TOKEN }}
- jira-instance: https://issues.redhat.com
- jira-api-token: ${{ secrets.JIRA_API_TOKEN }}
- token: ${{ secrets.GITHUB_TOKEN }}
-
- - if: ${{ !cancelled() }}
- name: Pull Request Validator
- uses: redhat-plumbers-in-action/pull-request-validator@v1
- with:
- pr-metadata: ${{ steps.metadata.outputs.metadata }}
- token: ${{ secrets.GITHUB_TOKEN }}
-
- - id: auto-merge
- name: Auto Merge
- uses: redhat-plumbers-in-action/auto-merge@v1
- with:
- pr-metadata: ${{ steps.metadata.outputs.metadata }}
- tracker: ${{ fromJSON(steps.commit-linter.outputs.validated-pr-metadata).validation.tracker.id }}
- tracker-type: ${{ fromJSON(steps.commit-linter.outputs.validated-pr-metadata).validation.tracker.type }}
- bugzilla-instance: https://bugzilla.redhat.com
bugzilla-api-token: ${{ secrets.BUGZILLA_API_TOKEN }}
- jira-instance: https://issues.redhat.com
jira-api-token: ${{ secrets.JIRA_API_TOKEN }}
token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/source-git-automation.yml b/.github/workflows/source-git-automation.yml
index 95819baa8b..b6cefa67b1 100644
--- a/.github/workflows/source-git-automation.yml
+++ b/.github/workflows/source-git-automation.yml
@@ -26,83 +26,21 @@ jobs:
with:
name: pr-metadata
- commit-linter:
+ source-git-automation:
needs: [ download-metadata ]
runs-on: ubuntu-latest
- outputs:
- validated-pr-metadata: ${{ steps.commit-linter.outputs.validated-pr-metadata }}
-
- permissions:
- statuses: write
- checks: write
- pull-requests: write
-
- steps:
- - id: commit-linter
- name: Lint Commits
- uses: redhat-plumbers-in-action/advanced-commit-linter@v2
- with:
- pr-metadata: ${{ needs.download-metadata.outputs.pr-metadata }}
- token: ${{ secrets.GITHUB_TOKEN }}
-
- # Validates tracker, changes tracker status, updates PR title
- tracker-validator:
- if: ${{ !cancelled() }}
- needs: [ download-metadata, commit-linter ]
- runs-on: ubuntu-latest
-
- permissions:
- checks: write
- pull-requests: write
-
- steps:
- - name: Validate Tracker
- uses: redhat-plumbers-in-action/tracker-validator@v1
- with:
- pr-metadata: ${{ needs.download-metadata.outputs.pr-metadata }}
- component: systemd
- tracker: ${{ fromJSON(needs.commit-linter.outputs.validated-pr-metadata).validation.tracker.id }}
- tracker-type: ${{ fromJSON(needs.commit-linter.outputs.validated-pr-metadata).validation.tracker.type }}
- bugzilla-instance: https://bugzilla.redhat.com
- bugzilla-api-token: ${{ secrets.BUGZILLA_API_TOKEN }}
- jira-instance: https://issues.redhat.com
- jira-api-token: ${{ secrets.JIRA_API_TOKEN }}
- token: ${{ secrets.GITHUB_TOKEN }}
-
- pull-request-validator:
- needs: [ download-metadata ]
- runs-on: ubuntu-latest
-
- permissions:
- checks: write
- pull-requests: write
-
- steps:
- - name: Pull Request Validator
- uses: redhat-plumbers-in-action/pull-request-validator@v1
- with:
- pr-metadata: ${{ needs.download-metadata.outputs.pr-metadata }}
- token: ${{ secrets.GITHUB_TOKEN }}
-
- auto-merge:
- needs: [ download-metadata, commit-linter, tracker-validator, pull-request-validator ]
- runs-on: ubuntu-latest
-
permissions:
+ # required for merging PRs
contents: write
- checks: write
+ # required for PR comments and setting labels
pull-requests: write
steps:
- - name: Auto Merge
- uses: redhat-plumbers-in-action/auto-merge@v1
+ - name: Source-git Automation
+ uses: redhat-plumbers-in-action/source-git-automation@v1
with:
pr-metadata: ${{ needs.download-metadata.outputs.pr-metadata }}
- tracker: ${{ fromJSON(needs.commit-linter.outputs.validated-pr-metadata).validation.tracker.id }}
- tracker-type: ${{ fromJSON(needs.commit-linter.outputs.validated-pr-metadata).validation.tracker.type }}
- bugzilla-instance: https://bugzilla.redhat.com
bugzilla-api-token: ${{ secrets.BUGZILLA_API_TOKEN }}
- jira-instance: https://issues.redhat.com
jira-api-token: ${{ secrets.JIRA_API_TOKEN }}
token: ${{ secrets.GITHUB_TOKEN }}

29
0995-ci-increase-the-cron-interval-to-45-minutes.patch Normal file
View File

@ -0,0 +1,29 @@
From fd21fb2e2e3bbbd937d120197b11c740d608fb19 Mon Sep 17 00:00:00 2001
From: Jan Macku <jamacku@redhat.com>
Date: Fri, 12 Jan 2024 16:03:09 +0100
Subject: [PATCH] ci: increase the cron interval to 45 minutes
This should help us to avoid hitting the rate limit on the GitHub API.
rhel-only
Related: RHEL-1087
---
.github/workflows/source-git-automation-on-demand.yml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/source-git-automation-on-demand.yml b/.github/workflows/source-git-automation-on-demand.yml
index 0c72f9f210..6aeee51e6d 100644
--- a/.github/workflows/source-git-automation-on-demand.yml
+++ b/.github/workflows/source-git-automation-on-demand.yml
@@ -1,8 +1,8 @@
name: Source git Automation Scheduled/On Demand
on:
schedule:
- # Workflow runs every 15 minutes
- - cron: '*/15 * * * *'
+ # Workflow runs every 45 minutes
+ - cron: '*/45 * * * *'
workflow_dispatch:
inputs:
pr-number:

31
0996-ci-add-all-Z-Stream-versions-to-array-of-allowed-ver.patch Normal file
View File

@ -0,0 +1,31 @@
From 42e3739198e41c65b986f69a53bc6c93f7e112be Mon Sep 17 00:00:00 2001
From: Jan Macku <jamacku@redhat.com>
Date: Fri, 12 Jan 2024 16:04:22 +0100
Subject: [PATCH] ci: add all Z-Stream versions to array of allowed versions
rhel-only
Related: RHEL-1087
---
.github/tracker-validator.yml | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/.github/tracker-validator.yml b/.github/tracker-validator.yml
index 500dce3d92..b09f702dd9 100644
--- a/.github/tracker-validator.yml
+++ b/.github/tracker-validator.yml
@@ -7,8 +7,14 @@ products:
- Red Hat Enterprise Linux 8
- CentOS Stream 8
- rhel-8.2.0
+ - rhel-8.2.0.z
- rhel-8.4.0
+ - rhel-8.4.0.z
- rhel-8.6.0
+ - rhel-8.6.0.z
- rhel-8.8.0
+ - rhel-8.8.0.z
- rhel-8.9.0
+ - rhel-8.9.0.z
- rhel-8.10.0
+ - rhel-8.10.0.z

215
0997-tree-wide-always-declare-bitflag-enums-the-same-way.patch Normal file
View File

@ -0,0 +1,215 @@
From dd3c13f364e03e843d838bf925a5fc85513343ed Mon Sep 17 00:00:00 2001
From: Lennart Poettering <lennart@poettering.net>
Date: Mon, 7 Jan 2019 17:48:28 +0100
Subject: [PATCH] tree-wide: always declare bitflag enums the same way
let's always use the 1 << x syntax. No change of behaviour or even of
the compiled binary.
(cherry picked from commit be0b7a1a66fd269b644124c4633088ab2224d1fb)
Resolves: RHEL-2857
---
src/basic/btrfs-util.h | 16 ++++++++--------
src/basic/cgroup-util.h | 6 +++---
src/basic/extract-word.h | 12 ++++++------
src/basic/unit-name.h | 10 +++++-----
src/libsystemd/sd-bus/bus-dump.h | 4 ++--
src/libsystemd/sd-bus/bus-protocol.h | 12 ++++++------
src/login/logind-inhibit.h | 18 +++++++++---------
src/resolve/resolved-dns-answer.h | 10 +++++-----
8 files changed, 44 insertions(+), 44 deletions(-)
diff --git a/src/basic/btrfs-util.h b/src/basic/btrfs-util.h
index a594387b5a..967627991f 100644
--- a/src/basic/btrfs-util.h
+++ b/src/basic/btrfs-util.h
@@ -27,17 +27,17 @@ typedef struct BtrfsQuotaInfo {
} BtrfsQuotaInfo;
typedef enum BtrfsSnapshotFlags {
- BTRFS_SNAPSHOT_FALLBACK_COPY = 1, /* If the source isn't a subvolume, reflink everything */
- BTRFS_SNAPSHOT_READ_ONLY = 2,
- BTRFS_SNAPSHOT_RECURSIVE = 4,
- BTRFS_SNAPSHOT_QUOTA = 8,
- BTRFS_SNAPSHOT_FALLBACK_DIRECTORY = 16, /* If the destination doesn't support subvolumes, reflink/copy instead */
- BTRFS_SNAPSHOT_FALLBACK_IMMUTABLE = 32, /* When we can't create a subvolume, use the FS_IMMUTABLE attribute for indicating read-only */
+ BTRFS_SNAPSHOT_FALLBACK_COPY = 1 << 0, /* If the source isn't a subvolume, reflink everything */
+ BTRFS_SNAPSHOT_READ_ONLY = 1 << 1,
+ BTRFS_SNAPSHOT_RECURSIVE = 1 << 2,
+ BTRFS_SNAPSHOT_QUOTA = 1 << 3,
+ BTRFS_SNAPSHOT_FALLBACK_DIRECTORY = 1 << 4, /* If the destination doesn't support subvolumes, reflink/copy instead */
+ BTRFS_SNAPSHOT_FALLBACK_IMMUTABLE = 1 << 5, /* When we can't create a subvolume, use the FS_IMMUTABLE attribute for indicating read-only */
} BtrfsSnapshotFlags;
typedef enum BtrfsRemoveFlags {
- BTRFS_REMOVE_RECURSIVE = 1,
- BTRFS_REMOVE_QUOTA = 2,
+ BTRFS_REMOVE_RECURSIVE = 1 << 0,
+ BTRFS_REMOVE_QUOTA = 1 << 1,
} BtrfsRemoveFlags;
int btrfs_is_filesystem(int fd);
diff --git a/src/basic/cgroup-util.h b/src/basic/cgroup-util.h
index 1210b38a83..65d2dbd4b6 100644
--- a/src/basic/cgroup-util.h
+++ b/src/basic/cgroup-util.h
@@ -136,9 +136,9 @@ int cg_enumerate_subgroups(const char *controller, const char *path, DIR **_d);
int cg_read_subgroup(DIR *d, char **fn);
typedef enum CGroupFlags {
- CGROUP_SIGCONT = 1,
- CGROUP_IGNORE_SELF = 2,
- CGROUP_REMOVE = 4,
+ CGROUP_SIGCONT = 1 << 0,
+ CGROUP_IGNORE_SELF = 1 << 1,
+ CGROUP_REMOVE = 1 << 2,
} CGroupFlags;
typedef void (*cg_kill_log_func_t)(pid_t pid, int sig, void *userdata);
diff --git a/src/basic/extract-word.h b/src/basic/extract-word.h
index 8c63b7c306..705ebbe95b 100644
--- a/src/basic/extract-word.h
+++ b/src/basic/extract-word.h
@@ -4,12 +4,12 @@
#include "macro.h"
typedef enum ExtractFlags {
- EXTRACT_RELAX = 1,
- EXTRACT_CUNESCAPE = 2,
- EXTRACT_CUNESCAPE_RELAX = 4,
- EXTRACT_QUOTES = 8,
- EXTRACT_DONT_COALESCE_SEPARATORS = 16,
- EXTRACT_RETAIN_ESCAPE = 32,
+ EXTRACT_RELAX = 1 << 0,
+ EXTRACT_CUNESCAPE = 1 << 1,
+ EXTRACT_CUNESCAPE_RELAX = 1 << 2,
+ EXTRACT_QUOTES = 1 << 3,
+ EXTRACT_DONT_COALESCE_SEPARATORS = 1 << 4,
+ EXTRACT_RETAIN_ESCAPE = 1 << 5,
} ExtractFlags;
int extract_first_word(const char **p, char **ret, const char *separators, ExtractFlags flags);
diff --git a/src/basic/unit-name.h b/src/basic/unit-name.h
index 602295af8f..7df532bbc8 100644
--- a/src/basic/unit-name.h
+++ b/src/basic/unit-name.h
@@ -9,9 +9,9 @@
#define UNIT_NAME_MAX 256
typedef enum UnitNameFlags {
- UNIT_NAME_PLAIN = 1, /* Allow foo.service */
- UNIT_NAME_INSTANCE = 2, /* Allow foo@bar.service */
- UNIT_NAME_TEMPLATE = 4, /* Allow foo@.service */
+ UNIT_NAME_PLAIN = 1 << 0, /* Allow foo.service */
+ UNIT_NAME_INSTANCE = 1 << 1, /* Allow foo@bar.service */
+ UNIT_NAME_TEMPLATE = 1 << 2, /* Allow foo@.service */
UNIT_NAME_ANY = UNIT_NAME_PLAIN|UNIT_NAME_INSTANCE|UNIT_NAME_TEMPLATE,
} UnitNameFlags;
@@ -53,8 +53,8 @@ int unit_name_from_path_instance(const char *prefix, const char *path, const cha
int unit_name_to_path(const char *name, char **ret);
typedef enum UnitNameMangle {
- UNIT_NAME_MANGLE_GLOB = 1,
- UNIT_NAME_MANGLE_WARN = 2,
+ UNIT_NAME_MANGLE_GLOB = 1 << 0,
+ UNIT_NAME_MANGLE_WARN = 1 << 1,
} UnitNameMangle;
int unit_name_mangle_with_suffix(const char *name, UnitNameMangle flags, const char *suffix, char **ret);
diff --git a/src/libsystemd/sd-bus/bus-dump.h b/src/libsystemd/sd-bus/bus-dump.h
index 8e47411a45..7c1f81edec 100644
--- a/src/libsystemd/sd-bus/bus-dump.h
+++ b/src/libsystemd/sd-bus/bus-dump.h
@@ -10,8 +10,8 @@
#include "sd-bus.h"
enum {
- BUS_MESSAGE_DUMP_WITH_HEADER = 1,
- BUS_MESSAGE_DUMP_SUBTREE_ONLY = 2,
+ BUS_MESSAGE_DUMP_WITH_HEADER = 1 << 0,
+ BUS_MESSAGE_DUMP_SUBTREE_ONLY = 1 << 1,
};
int bus_message_dump(sd_bus_message *m, FILE *f, unsigned flags);
diff --git a/src/libsystemd/sd-bus/bus-protocol.h b/src/libsystemd/sd-bus/bus-protocol.h
index 20d19d4022..f96d4b39aa 100644
--- a/src/libsystemd/sd-bus/bus-protocol.h
+++ b/src/libsystemd/sd-bus/bus-protocol.h
@@ -57,9 +57,9 @@ enum {
/* Flags */
enum {
- BUS_MESSAGE_NO_REPLY_EXPECTED = 1,
- BUS_MESSAGE_NO_AUTO_START = 2,
- BUS_MESSAGE_ALLOW_INTERACTIVE_AUTHORIZATION = 4,
+ BUS_MESSAGE_NO_REPLY_EXPECTED = 1 << 0,
+ BUS_MESSAGE_NO_AUTO_START = 1 << 1,
+ BUS_MESSAGE_ALLOW_INTERACTIVE_AUTHORIZATION = 1 << 2,
};
/* Header fields */
@@ -81,9 +81,9 @@ enum {
/* RequestName parameters */
enum {
- BUS_NAME_ALLOW_REPLACEMENT = 1,
- BUS_NAME_REPLACE_EXISTING = 2,
- BUS_NAME_DO_NOT_QUEUE = 4
+ BUS_NAME_ALLOW_REPLACEMENT = 1 << 0,
+ BUS_NAME_REPLACE_EXISTING = 1 << 1,
+ BUS_NAME_DO_NOT_QUEUE = 1 << 2,
};
/* RequestName returns */
diff --git a/src/login/logind-inhibit.h b/src/login/logind-inhibit.h
index d358a48559..650587106d 100644
--- a/src/login/logind-inhibit.h
+++ b/src/login/logind-inhibit.h
@@ -4,15 +4,15 @@
typedef struct Inhibitor Inhibitor;
typedef enum InhibitWhat {
- INHIBIT_SHUTDOWN = 1,
- INHIBIT_SLEEP = 2,
- INHIBIT_IDLE = 4,
- INHIBIT_HANDLE_POWER_KEY = 8,
- INHIBIT_HANDLE_SUSPEND_KEY = 16,
- INHIBIT_HANDLE_HIBERNATE_KEY = 32,
- INHIBIT_HANDLE_LID_SWITCH = 64,
- _INHIBIT_WHAT_MAX = 128,
- _INHIBIT_WHAT_INVALID = -1
+ INHIBIT_SHUTDOWN = 1 << 0,
+ INHIBIT_SLEEP = 1 << 1,
+ INHIBIT_IDLE = 1 << 2,
+ INHIBIT_HANDLE_POWER_KEY = 1 << 3,
+ INHIBIT_HANDLE_SUSPEND_KEY = 1 << 4,
+ INHIBIT_HANDLE_HIBERNATE_KEY = 1 << 5,
+ INHIBIT_HANDLE_LID_SWITCH = 1 << 6,
+ _INHIBIT_WHAT_MAX = 1 << 7,
+ _INHIBIT_WHAT_INVALID = -1
} InhibitWhat;
typedef enum InhibitMode {
diff --git a/src/resolve/resolved-dns-answer.h b/src/resolve/resolved-dns-answer.h
index aff594a00e..cc90a82529 100644
--- a/src/resolve/resolved-dns-answer.h
+++ b/src/resolve/resolved-dns-answer.h
@@ -15,11 +15,11 @@ typedef struct DnsAnswerItem DnsAnswerItem;
* Note that we usually encode the empty DnsAnswer object as a simple NULL. */
typedef enum DnsAnswerFlags {
- DNS_ANSWER_AUTHENTICATED = 1, /* Item has been authenticated */
- DNS_ANSWER_CACHEABLE = 2, /* Item is subject to caching */
- DNS_ANSWER_SHARED_OWNER = 4, /* For mDNS: RRset may be owner by multiple peers */
- DNS_ANSWER_CACHE_FLUSH = 8, /* For mDNS: sets cache-flush bit in the rrclass of response records */
- DNS_ANSWER_GOODBYE = 16, /* For mDNS: item is subject to disappear */
+ DNS_ANSWER_AUTHENTICATED = 1 << 0, /* Item has been authenticated */
+ DNS_ANSWER_CACHEABLE = 1 << 1, /* Item is subject to caching */
+ DNS_ANSWER_SHARED_OWNER = 1 << 2, /* For mDNS: RRset may be owner by multiple peers */
+ DNS_ANSWER_CACHE_FLUSH = 1 << 3, /* For mDNS: sets cache-flush bit in the rrclass of response records */
+ DNS_ANSWER_GOODBYE = 1 << 4, /* For mDNS: item is subject to disappear */
} DnsAnswerFlags;
struct DnsAnswerItem {

343
0998-login-Add-KEY_RESTART-handling.patch Normal file
View File

@ -0,0 +1,343 @@
From d3072cec8cec84c6cb6e5771a5084e64f78c7e80 Mon Sep 17 00:00:00 2001
From: Robert Marko <robert.marko@sartura.hr>
Date: Fri, 14 Aug 2020 13:10:18 +0200
Subject: [PATCH] login: Add KEY_RESTART handling
KEY_RESTART is widely used in Linux to indicate device reboot.
So lets handle it in the same fashion as KEY_POWER.
Signed-off-by: Robert Marko <robert.marko@sartura.hr>
(cherry picked from commit adbb2b6afed7858f64f5b940579f6efe79eee997)
Resolves: RHEL-2857
---
man/logind.conf.xml | 26 +++++++++++++++----------
src/login/logind-button.c | 25 +++++++++++++++++++-----
src/login/logind-core.c | 4 ++++
src/login/logind-dbus.c | 1 +
src/login/logind-gperf.gperf | 2 ++
src/login/logind-inhibit.c | 14 ++++++++++++-
src/login/logind-inhibit.h | 3 ++-
src/login/logind.conf.in | 2 ++
src/login/logind.h | 2 ++
src/login/org.freedesktop.login1.policy | 11 +++++++++++
src/systemd/sd-messages.h | 2 ++
11 files changed, 75 insertions(+), 17 deletions(-)
diff --git a/man/logind.conf.xml b/man/logind.conf.xml
index 00b5b1f2e8..56981c1837 100644
--- a/man/logind.conf.xml
+++ b/man/logind.conf.xml
@@ -202,10 +202,11 @@
<term><varname>HandleLidSwitch=</varname></term>
<term><varname>HandleLidSwitchExternalPower=</varname></term>
<term><varname>HandleLidSwitchDocked=</varname></term>
+ <term><varname>HandleRebootKey=</varname></term>
<listitem><para>Controls how logind shall handle the
- system power and sleep keys and the lid switch to trigger
- actions such as system power-off or suspend. Can be one of
+ system power, reboot and sleep keys and the lid switch to trigger
+ actions such as system power-off, reboot or suspend. Can be one of
<literal>ignore</literal>,
<literal>poweroff</literal>,
<literal>reboot</literal>,
@@ -222,7 +223,8 @@
in the respective event. Only input devices with the
<literal>power-switch</literal> udev tag will be watched for
key/lid switch events. <varname>HandlePowerKey=</varname>
- defaults to <literal>poweroff</literal>.
+ defaults to <literal>poweroff</literal>, <varname>HandleRebootKey=</varname>
+ defaults to <literal>reboot</literal>.
<varname>HandleSuspendKey=</varname> and
<varname>HandleLidSwitch=</varname> default to
<literal>suspend</literal>.
@@ -243,7 +245,8 @@
<para>A different application may disable logind's handling of system power and
sleep keys and the lid switch by taking a low-level inhibitor lock
(<literal>handle-power-key</literal>, <literal>handle-suspend-key</literal>,
- <literal>handle-hibernate-key</literal>, <literal>handle-lid-switch</literal>).
+ <literal>handle-hibernate-key</literal>, <literal>handle-lid-switch</literal>,
+ <literal>handle-reboot-switch</literal>).
This is most commonly used by graphical desktop environments
to take over suspend and hibernation handling, and to use their own configuration
mechanisms. If a low-level inhibitor lock is taken, logind will not take any
@@ -256,20 +259,23 @@
<term><varname>SuspendKeyIgnoreInhibited=</varname></term>
<term><varname>HibernateKeyIgnoreInhibited=</varname></term>
<term><varname>LidSwitchIgnoreInhibited=</varname></term>
+ <term><varname>RebootKeyIgnoreInhibited=</varname></term>
<listitem><para>Controls whether actions that <command>systemd-logind</command>
- takes when the power and sleep keys and the lid switch are triggered are subject
- to high-level inhibitor locks ("shutdown", "sleep", "idle"). Low level inhibitor
+ takes when the power, reboot and sleep keys and the lid switch are triggered are subject
+ to high-level inhibitor locks ("shutdown", "reboot", "sleep", "idle"). Low level inhibitor
locks (<literal>handle-power-key</literal>, <literal>handle-suspend-key</literal>,
- <literal>handle-hibernate-key</literal>, <literal>handle-lid-switch</literal>),
+ <literal>handle-hibernate-key</literal>, <literal>handle-lid-switch</literal>,
+ <literal>handle-reboot-key</literal>),
are always honored, irrespective of this setting.</para>
<para>These settings take boolean arguments. If <literal>no</literal>, the
inhibitor locks taken by applications are respected. If <literal>yes</literal>,
- "shutdown", "sleep", and "idle" inhibitor locks are ignored.
+ "shutdown", "reboot" "sleep", and "idle" inhibitor locks are ignored.
<varname>PowerKeyIgnoreInhibited=</varname>,
- <varname>SuspendKeyIgnoreInhibited=</varname>, and
- <varname>HibernateKeyIgnoreInhibited=</varname> default to <literal>no</literal>.
+ <varname>SuspendKeyIgnoreInhibited=</varname>,
+ <varname>HibernateKeyIgnoreInhibited=</varname> and
+ <varname>RebootKeyIgnoreInhibited=</varname> default to <literal>no</literal>.
<varname>LidSwitchIgnoreInhibited=</varname> defaults to <literal>yes</literal>.
This means that when <command>systemd-logind</command> is handling events by
itself (no low level inhibitor locks are taken by another application), the lid
diff --git a/src/login/logind-button.c b/src/login/logind-button.c
index 9944eb2316..48fc004198 100644
--- a/src/login/logind-button.c
+++ b/src/login/logind-button.c
@@ -15,7 +15,7 @@
#include "string-util.h"
#include "util.h"
-#define CONST_MAX4(a, b, c, d) CONST_MAX(CONST_MAX(a, b), CONST_MAX(c, d))
+#define CONST_MAX5(a, b, c, d, e) CONST_MAX(CONST_MAX(a, b), CONST_MAX(CONST_MAX(c, d), e))
#define ULONG_BITS (sizeof(unsigned long)*8)
@@ -159,7 +159,20 @@ static int button_dispatch(sd_event_source *s, int fd, uint32_t revents, void *u
manager_handle_action(b->manager, INHIBIT_HANDLE_POWER_KEY, b->manager->handle_power_key, b->manager->power_key_ignore_inhibited, true);
break;
- /* The kernel is a bit confused here:
+ /* The kernel naming is a bit confusing here:
+ KEY_RESTART was probably introduced for media playback purposes, but
+ is now being predominantly used to indicate device reboot.
+ */
+
+ case KEY_RESTART:
+ log_struct(LOG_INFO,
+ LOG_MESSAGE("Reboot key pressed."),
+ "MESSAGE_ID=" SD_MESSAGE_REBOOT_KEY_STR);
+
+ manager_handle_action(b->manager, INHIBIT_HANDLE_REBOOT_KEY, b->manager->handle_reboot_key, b->manager->reboot_key_ignore_inhibited, true);
+ break;
+
+ /* The kernel naming is a bit confusing here:
KEY_SLEEP = suspend-to-ram, which everybody else calls "suspend"
KEY_SUSPEND = suspend-to-disk, which everybody else calls "hibernate"
@@ -233,7 +246,7 @@ static int button_suitable(Button *b) {
return -errno;
if (bitset_get(types, EV_KEY)) {
- unsigned long keys[CONST_MAX4(KEY_POWER, KEY_POWER2, KEY_SLEEP, KEY_SUSPEND)/ULONG_BITS+1];
+ unsigned long keys[CONST_MAX5(KEY_POWER, KEY_POWER2, KEY_SLEEP, KEY_SUSPEND, KEY_RESTART)/ULONG_BITS+1];
if (ioctl(b->fd, EVIOCGBIT(EV_KEY, sizeof(keys)), keys) < 0)
return -errno;
@@ -241,7 +254,8 @@ static int button_suitable(Button *b) {
if (bitset_get(keys, KEY_POWER) ||
bitset_get(keys, KEY_POWER2) ||
bitset_get(keys, KEY_SLEEP) ||
- bitset_get(keys, KEY_SUSPEND))
+ bitset_get(keys, KEY_SUSPEND) ||
+ bitset_get(keys, KEY_RESTART))
return true;
}
@@ -262,7 +276,7 @@ static int button_suitable(Button *b) {
static int button_set_mask(Button *b) {
unsigned long
types[CONST_MAX(EV_KEY, EV_SW)/ULONG_BITS+1] = {},
- keys[CONST_MAX4(KEY_POWER, KEY_POWER2, KEY_SLEEP, KEY_SUSPEND)/ULONG_BITS+1] = {},
+ keys[CONST_MAX5(KEY_POWER, KEY_POWER2, KEY_SLEEP, KEY_SUSPEND, KEY_RESTART)/ULONG_BITS+1] = {},
switches[CONST_MAX(SW_LID, SW_DOCK)/ULONG_BITS+1] = {};
struct input_mask mask;
@@ -287,6 +301,7 @@ static int button_set_mask(Button *b) {
bitset_put(keys, KEY_POWER2);
bitset_put(keys, KEY_SLEEP);
bitset_put(keys, KEY_SUSPEND);
+ bitset_put(keys, KEY_RESTART);
mask = (struct input_mask) {
.type = EV_KEY,
diff --git a/src/login/logind-core.c b/src/login/logind-core.c
index abe6eecffb..81ec4f2653 100644
--- a/src/login/logind-core.c
+++ b/src/login/logind-core.c
@@ -39,10 +39,12 @@ void manager_reset_config(Manager *m) {
m->handle_lid_switch = HANDLE_SUSPEND;
m->handle_lid_switch_ep = _HANDLE_ACTION_INVALID;
m->handle_lid_switch_docked = HANDLE_IGNORE;
+ m->handle_reboot_key = HANDLE_REBOOT;
m->power_key_ignore_inhibited = false;
m->suspend_key_ignore_inhibited = false;
m->hibernate_key_ignore_inhibited = false;
m->lid_switch_ignore_inhibited = true;
+ m->reboot_key_ignore_inhibited = false;
m->holdoff_timeout_usec = 30 * USEC_PER_SEC;
@@ -698,6 +700,8 @@ bool manager_all_buttons_ignored(Manager *m) {
return false;
if (m->handle_lid_switch_docked != HANDLE_IGNORE)
return false;
+ if (m->handle_reboot_key != HANDLE_IGNORE)
+ return false;
return true;
}
diff --git a/src/login/logind-dbus.c b/src/login/logind-dbus.c
index dbac406035..61fd47999d 100644
--- a/src/login/logind-dbus.c
+++ b/src/login/logind-dbus.c
@@ -2616,6 +2616,7 @@ static int method_inhibit(sd_bus_message *message, void *userdata, sd_bus_error
w == INHIBIT_IDLE ? "org.freedesktop.login1.inhibit-block-idle" :
w == INHIBIT_HANDLE_POWER_KEY ? "org.freedesktop.login1.inhibit-handle-power-key" :
w == INHIBIT_HANDLE_SUSPEND_KEY ? "org.freedesktop.login1.inhibit-handle-suspend-key" :
+ w == INHIBIT_HANDLE_REBOOT_KEY ? "org.freedesktop.login1.inhibit-handle-reboot-key" :
w == INHIBIT_HANDLE_HIBERNATE_KEY ? "org.freedesktop.login1.inhibit-handle-hibernate-key" :
"org.freedesktop.login1.inhibit-handle-lid-switch",
NULL,
diff --git a/src/login/logind-gperf.gperf b/src/login/logind-gperf.gperf
index 214ac5c4a3..c49703698a 100644
--- a/src/login/logind-gperf.gperf
+++ b/src/login/logind-gperf.gperf
@@ -30,10 +30,12 @@ Login.HandleHibernateKey, config_parse_handle_action, 0, offse
Login.HandleLidSwitch, config_parse_handle_action, 0, offsetof(Manager, handle_lid_switch)
Login.HandleLidSwitchExternalPower, config_parse_handle_action, 0, offsetof(Manager, handle_lid_switch_ep)
Login.HandleLidSwitchDocked, config_parse_handle_action, 0, offsetof(Manager, handle_lid_switch_docked)
+Login.HandleRebootKey, config_parse_handle_action, 0, offsetof(Manager, handle_reboot_key)
Login.PowerKeyIgnoreInhibited, config_parse_bool, 0, offsetof(Manager, power_key_ignore_inhibited)
Login.SuspendKeyIgnoreInhibited, config_parse_bool, 0, offsetof(Manager, suspend_key_ignore_inhibited)
Login.HibernateKeyIgnoreInhibited, config_parse_bool, 0, offsetof(Manager, hibernate_key_ignore_inhibited)
Login.LidSwitchIgnoreInhibited, config_parse_bool, 0, offsetof(Manager, lid_switch_ignore_inhibited)
+Login.RebootKeyIgnoreInhibited, config_parse_bool, 0, offsetof(Manager, reboot_key_ignore_inhibited)
Login.HoldoffTimeoutSec, config_parse_sec, 0, offsetof(Manager, holdoff_timeout_usec)
Login.IdleAction, config_parse_handle_action, 0, offsetof(Manager, idle_action)
Login.IdleActionSec, config_parse_sec, 0, offsetof(Manager, idle_action_usec)
diff --git a/src/login/logind-inhibit.c b/src/login/logind-inhibit.c
index b1f45baaca..27b862e7c4 100644
--- a/src/login/logind-inhibit.c
+++ b/src/login/logind-inhibit.c
@@ -405,7 +405,15 @@ bool manager_is_inhibited(
}
const char *inhibit_what_to_string(InhibitWhat w) {
- static thread_local char buffer[97];
+ static thread_local char buffer[STRLEN(
+ "shutdown:"
+ "sleep:"
+ "idle:"
+ "handle-power-key:"
+ "handle-suspend-key:"
+ "handle-hibernate-key:"
+ "handle-lid-switch:"
+ "handle-reboot-key")+1];
char *p;
if (w < 0 || w >= _INHIBIT_WHAT_MAX)
@@ -426,6 +434,8 @@ const char *inhibit_what_to_string(InhibitWhat w) {
p = stpcpy(p, "handle-hibernate-key:");
if (w & INHIBIT_HANDLE_LID_SWITCH)
p = stpcpy(p, "handle-lid-switch:");
+ if (w & INHIBIT_HANDLE_REBOOT_KEY)
+ p = stpcpy(p, "handle-reboot-key:");
if (p > buffer)
*(p-1) = 0;
@@ -455,6 +465,8 @@ InhibitWhat inhibit_what_from_string(const char *s) {
what |= INHIBIT_HANDLE_HIBERNATE_KEY;
else if (l == 17 && strneq(word, "handle-lid-switch", l))
what |= INHIBIT_HANDLE_LID_SWITCH;
+ else if (l == 17 && strneq(word, "handle-reboot-key", l))
+ what |= INHIBIT_HANDLE_REBOOT_KEY;
else
return _INHIBIT_WHAT_INVALID;
}
diff --git a/src/login/logind-inhibit.h b/src/login/logind-inhibit.h
index 650587106d..51095a0bde 100644
--- a/src/login/logind-inhibit.h
+++ b/src/login/logind-inhibit.h
@@ -11,7 +11,8 @@ typedef enum InhibitWhat {
INHIBIT_HANDLE_SUSPEND_KEY = 1 << 4,
INHIBIT_HANDLE_HIBERNATE_KEY = 1 << 5,
INHIBIT_HANDLE_LID_SWITCH = 1 << 6,
- _INHIBIT_WHAT_MAX = 1 << 7,
+ INHIBIT_HANDLE_REBOOT_KEY = 1 << 7,
+ _INHIBIT_WHAT_MAX = 1 << 8,
_INHIBIT_WHAT_INVALID = -1
} InhibitWhat;
diff --git a/src/login/logind.conf.in b/src/login/logind.conf.in
index a62c2b0b57..95f2d48d02 100644
--- a/src/login/logind.conf.in
+++ b/src/login/logind.conf.in
@@ -24,10 +24,12 @@
#HandleLidSwitch=suspend
#HandleLidSwitchExternalPower=suspend
#HandleLidSwitchDocked=ignore
+#HandleRebootKey=reboot
#PowerKeyIgnoreInhibited=no
#SuspendKeyIgnoreInhibited=no
#HibernateKeyIgnoreInhibited=no
#LidSwitchIgnoreInhibited=yes
+#RebootKeyIgnoreInhibited=no
#HoldoffTimeoutSec=30s
#IdleAction=ignore
#IdleActionSec=30min
diff --git a/src/login/logind.h b/src/login/logind.h
index b9b4a5113f..395306ced3 100644
--- a/src/login/logind.h
+++ b/src/login/logind.h
@@ -111,11 +111,13 @@ struct Manager {
HandleAction handle_lid_switch;
HandleAction handle_lid_switch_ep;
HandleAction handle_lid_switch_docked;
+ HandleAction handle_reboot_key;
bool power_key_ignore_inhibited;
bool suspend_key_ignore_inhibited;
bool hibernate_key_ignore_inhibited;
bool lid_switch_ignore_inhibited;
+ bool reboot_key_ignore_inhibited;
bool remove_ipc;
diff --git a/src/login/org.freedesktop.login1.policy b/src/login/org.freedesktop.login1.policy
index 83760e1580..882975849e 100644
--- a/src/login/org.freedesktop.login1.policy
+++ b/src/login/org.freedesktop.login1.policy
@@ -113,6 +113,17 @@
</defaults>
</action>
+ <action id="org.freedesktop.login1.inhibit-handle-reboot-key">
+ <description gettext-domain="systemd">Allow applications to inhibit system handling of the reboot key</description>
+ <message gettext-domain="systemd">Authentication is required for an application to inhibit system handling of the reboot key.</message>
+ <defaults>
+ <allow_any>no</allow_any>
+ <allow_inactive>yes</allow_inactive>
+ <allow_active>yes</allow_active>
+ </defaults>
+ <annotate key="org.freedesktop.policykit.imply">org.freedesktop.login1.inhibit-handle-suspend-key org.freedesktop.login1.inhibit-handle-hibernate-key org.freedesktop.login1.inhibit-handle-lid-switch</annotate>
+ </action>
+
<action id="org.freedesktop.login1.set-self-linger">
<description gettext-domain="systemd">Allow non-logged-in user to run programs</description>
<message gettext-domain="systemd">Explicit request is required to run programs as a non-logged-in user.</message>
diff --git a/src/systemd/sd-messages.h b/src/systemd/sd-messages.h
index 847b698ba4..3e9584c0b2 100644
--- a/src/systemd/sd-messages.h
+++ b/src/systemd/sd-messages.h
@@ -134,6 +134,8 @@ _SD_BEGIN_DECLARATIONS;
#define SD_MESSAGE_SYSTEM_UNDOCKED_STR SD_ID128_MAKE_STR(51,e1,71,bd,58,52,48,56,81,10,14,4c,51,7c,ca,53)
#define SD_MESSAGE_POWER_KEY SD_ID128_MAKE(b7,2e,a4,a2,88,15,45,a0,b5,0e,20,0e,55,b9,b0,71)
#define SD_MESSAGE_POWER_KEY_STR SD_ID128_MAKE_STR(b7,2e,a4,a2,88,15,45,a0,b5,0e,20,0e,55,b9,b0,71)
+#define SD_MESSAGE_REBOOT_KEY SD_ID128_MAKE(9f,a9,d2,c0,12,13,4e,c3,85,45,1f,fe,31,6f,97,d0)
+#define SD_MESSAGE_REBOOT_KEY_STR SD_ID128_MAKE_STR(9f,a9,d2,c0,12,13,4e,c3,85,45,1f,fe,31,6f,97,d0)
#define SD_MESSAGE_SUSPEND_KEY SD_ID128_MAKE(b7,2e,a4,a2,88,15,45,a0,b5,0e,20,0e,55,b9,b0,72)
#define SD_MESSAGE_SUSPEND_KEY_STR SD_ID128_MAKE_STR(b7,2e,a4,a2,88,15,45,a0,b5,0e,20,0e,55,b9,b0,72)
#define SD_MESSAGE_HIBERNATE_KEY SD_ID128_MAKE(b7,2e,a4,a2,88,15,45,a0,b5,0e,20,0e,55,b9,b0,73)

62
0999-analyze-security-fix-recursive-call-of-syscall_names.patch Normal file
View File

@ -0,0 +1,62 @@
From dd7a5f4144bde111334582eafbc0f358e63854ea Mon Sep 17 00:00:00 2001
From: Yu Watanabe <watanabe.yu+github@gmail.com>
Date: Fri, 1 Feb 2019 11:49:24 +0100
Subject: [PATCH] analyze security: fix recursive call of
syscall_names_in_filter()
When `syscall_names_in_filter()` is called in itself, it is already
examined with `whitelist`. Or, in other words, `syscall_names_in_filter()`
returns bad or good in boolean. So, the returned value should not be
compared with `whitelist` again.
This replaces #11302.
(cherry picked from commit 95832a0f8c2941df83e72dfc9d37eab20da8b1fa)
Related: RHEL-5991
---
src/analyze/analyze-security.c | 24 +++++++++++-------------
1 file changed, 11 insertions(+), 13 deletions(-)
diff --git a/src/analyze/analyze-security.c b/src/analyze/analyze-security.c
index 969101c57b..5ef5d52e75 100644
--- a/src/analyze/analyze-security.c
+++ b/src/analyze/analyze-security.c
@@ -480,26 +480,24 @@ static bool syscall_names_in_filter(Set *s, bool whitelist, const SyscallFilterS
const char *syscall;
NULSTR_FOREACH(syscall, f->value) {
- bool b;
+ int id;
if (syscall[0] == '@') {
const SyscallFilterSet *g;
- assert_se(g = syscall_filter_set_find(syscall));
- b = syscall_names_in_filter(s, whitelist, g);
- } else {
-#if HAVE_SECCOMP
- int id;
- /* Let's see if the system call actually exists on this platform, before complaining */
- id = seccomp_syscall_resolve_name(syscall);
- if (id < 0)
- continue;
-#endif
+ assert_se(g = syscall_filter_set_find(syscall));
+ if (syscall_names_in_filter(s, whitelist, g))
+ return true; /* bad! */
- b = set_contains(s, syscall);
+ continue;
}
- if (whitelist == b) {
+ /* Let's see if the system call actually exists on this platform, before complaining */
+ id = seccomp_syscall_resolve_name(syscall);
+ if (id < 0)
+ continue;
+
+ if (set_contains(s, syscall) == whitelist) {
log_debug("Offending syscall filter item: %s", syscall);
return true; /* bad! */
}

28
1000-analyze-security-do-not-assign-badness-to-filtered-o.patch Normal file
View File

@ -0,0 +1,28 @@
From c8fe27ea2c560a213c3e3968fa76b5dd84e181f5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
Date: Sat, 1 Aug 2020 11:28:09 +0200
Subject: [PATCH] analyze-security: do not assign badness to filtered-out
syscalls
Fixes #16451, https://bugzilla.redhat.com/show_bug.cgi?id=1856273.
(cherry picked from commit 01ecb3674ad3650bcbb14155b2dcbd4b9f4ed57e)
Resolves: RHEL-5991
---
src/analyze/analyze-security.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/analyze/analyze-security.c b/src/analyze/analyze-security.c
index 5ef5d52e75..7c937e3587 100644
--- a/src/analyze/analyze-security.c
+++ b/src/analyze/analyze-security.c
@@ -549,7 +549,7 @@ static int assess_system_call_filter(
b = 10;
} else {
(void) asprintf(&d, "System call blacklist defined for service, and %s is included", f->name);
- b = 5;
+ b = 0;
}
}
}

105
1001-analyze-security-include-an-actual-syscall-name-in-t.patch Normal file
View File

@ -0,0 +1,105 @@
From 7aa12839166b5ae2c67d51946008543d016a7733 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
Date: Sat, 1 Aug 2020 11:41:57 +0200
Subject: [PATCH] analyze-security: include an actual syscall name in the
message
This information was already available in the debug output, but I think it
is good to include it in the message in the table. This makes it easier to wrap
one's head around the allowlist/denylist filtering.
(cherry picked from commit a9134af2e3ab22eba96228ea6ba440e89213cef2)
Related: RHEL-5991
---
src/analyze/analyze-security.c | 27 +++++++++++++++++----------
1 file changed, 17 insertions(+), 10 deletions(-)
diff --git a/src/analyze/analyze-security.c b/src/analyze/analyze-security.c
index 7c937e3587..d156aa607a 100644
--- a/src/analyze/analyze-security.c
+++ b/src/analyze/analyze-security.c
@@ -476,7 +476,7 @@ static int assess_system_call_architectures(
return 0;
}
-static bool syscall_names_in_filter(Set *s, bool whitelist, const SyscallFilterSet *f) {
+static bool syscall_names_in_filter(Set *s, bool whitelist, const SyscallFilterSet *f, const char **ret_offending_syscall) {
const char *syscall;
NULSTR_FOREACH(syscall, f->value) {
@@ -486,7 +486,7 @@ static bool syscall_names_in_filter(Set *s, bool whitelist, const SyscallFilterS
const SyscallFilterSet *g;
assert_se(g = syscall_filter_set_find(syscall));
- if (syscall_names_in_filter(s, whitelist, g))
+ if (syscall_names_in_filter(s, whitelist, g, ret_offending_syscall))
return true; /* bad! */
continue;
@@ -499,10 +499,13 @@ static bool syscall_names_in_filter(Set *s, bool whitelist, const SyscallFilterS
if (set_contains(s, syscall) == whitelist) {
log_debug("Offending syscall filter item: %s", syscall);
+ if (ret_offending_syscall)
+ *ret_offending_syscall = syscall;
return true; /* bad! */
}
}
+ *ret_offending_syscall = NULL;
return false;
}
@@ -513,31 +516,33 @@ static int assess_system_call_filter(
uint64_t *ret_badness,
char **ret_description) {
- const SyscallFilterSet *f;
- char *d = NULL;
- uint64_t b;
-
assert(a);
assert(info);
assert(ret_badness);
assert(ret_description);
assert(a->parameter < _SYSCALL_FILTER_SET_MAX);
- f = syscall_filter_sets + a->parameter;
+ const SyscallFilterSet *f = syscall_filter_sets + a->parameter;
+
+ char *d = NULL;
+ uint64_t b;
if (!info->system_call_filter_whitelist && set_isempty(info->system_call_filter)) {
d = strdup("Service does not filter system calls");
b = 10;
} else {
bool bad;
+ const char *offender = NULL;
log_debug("Analyzing system call filter, checking against: %s", f->name);
- bad = syscall_names_in_filter(info->system_call_filter, info->system_call_filter_whitelist, f);
+ bad = syscall_names_in_filter(info->system_call_filter, info->system_call_filter_whitelist, f, &offender);
log_debug("Result: %s", bad ? "bad" : "good");
if (info->system_call_filter_whitelist) {
if (bad) {
- (void) asprintf(&d, "System call whitelist defined for service, and %s is included", f->name);
+ (void) asprintf(&d, "System call whitelist defined for service, and %s is included "
+ "(e.g. %s is allowed)",
+ f->name, offender);
b = 9;
} else {
(void) asprintf(&d, "System call whitelist defined for service, and %s is not included", f->name);
@@ -545,7 +550,9 @@ static int assess_system_call_filter(
}
} else {
if (bad) {
- (void) asprintf(&d, "System call blacklist defined for service, and %s is not included", f->name);
+ (void) asprintf(&d, "System call blacklist defined for service, and %s is not included "
+ "(e.g. %s is allowed)",
+ f->name, offender);
b = 10;
} else {
(void) asprintf(&d, "System call blacklist defined for service, and %s is included", f->name);

50
1002-udev-net_id-introduce-naming-scheme-for-RHEL-8.10.patch Normal file
View File

@ -0,0 +1,50 @@
From 9d9c3d38451befec0494aea4fdb12c65289b0b46 Mon Sep 17 00:00:00 2001
From: Jan Macku <jamacku@redhat.com>
Date: Tue, 23 Jan 2024 15:15:00 +0100
Subject: [PATCH] udev/net_id: introduce naming scheme for RHEL-8.10
rhel-only
Resolves: RHEL-22426
---
man/systemd.net-naming-scheme.xml | 6 ++++++
src/udev/udev-builtin-net_id.c | 2 ++
2 files changed, 8 insertions(+)
diff --git a/man/systemd.net-naming-scheme.xml b/man/systemd.net-naming-scheme.xml
index ddd41646ae..25e8bd9aea 100644
--- a/man/systemd.net-naming-scheme.xml
+++ b/man/systemd.net-naming-scheme.xml
@@ -340,6 +340,12 @@
<para>Same as naming scheme <constant>rhel-8.7</constant>.</para>
</varlistentry>
+ <varlistentry>
+ <term><constant>rhel-8.10</constant></term>
+
+ <para>Same as naming scheme <constant>rhel-8.7</constant>.</para>
+ </varlistentry>
+
<para>Note that <constant>latest</constant> may be used to denote the latest scheme known to this
particular version of systemd.</para>
</variablelist>
diff --git a/src/udev/udev-builtin-net_id.c b/src/udev/udev-builtin-net_id.c
index 0f42c1c007..ece5d29205 100644
--- a/src/udev/udev-builtin-net_id.c
+++ b/src/udev/udev-builtin-net_id.c
@@ -143,6 +143,7 @@ typedef enum NamingSchemeFlags {
NAMING_RHEL_8_7 = NAMING_RHEL_8_4|NAMING_SLOT_FUNCTION_ID|NAMING_16BIT_INDEX,
NAMING_RHEL_8_8 = NAMING_RHEL_8_7,
NAMING_RHEL_8_9 = NAMING_RHEL_8_7,
+ NAMING_RHEL_8_10 = NAMING_RHEL_8_7,
_NAMING_SCHEME_FLAGS_INVALID = -1,
} NamingSchemeFlags;
@@ -165,6 +166,7 @@ static const NamingScheme naming_schemes[] = {
{ "rhel-8.7", NAMING_RHEL_8_7 },
{ "rhel-8.8", NAMING_RHEL_8_8 },
{ "rhel-8.9", NAMING_RHEL_8_9 },
+ { "rhel-8.10", NAMING_RHEL_8_10 },
/* … add more schemes here, as the logic to name devices is updated … */
};

79
1003-doc-add-missing-listitem-to-systemd.net-naming-schem.patch Normal file
View File

@ -0,0 +1,79 @@
From 8ac0c00fa9699f1cd096a4775cf0cf7879b81f37 Mon Sep 17 00:00:00 2001
From: Jan Macku <jamacku@redhat.com>
Date: Fri, 9 Feb 2024 14:42:28 +0100
Subject: [PATCH] doc: add missing `<listitem>` to
`systemd.net-naming-scheme.xml`
rhel-only
Related: RHEL-22426
---
man/systemd.net-naming-scheme.xml | 16 ++++++++--------
1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/man/systemd.net-naming-scheme.xml b/man/systemd.net-naming-scheme.xml
index 25e8bd9aea..11ef2ea02f 100644
--- a/man/systemd.net-naming-scheme.xml
+++ b/man/systemd.net-naming-scheme.xml
@@ -276,19 +276,19 @@
<varlistentry>
<term><constant>rhel-8.1</constant></term>
- <para>Same as naming scheme <constant>rhel-8.0</constant>.</para>
+ <listitem><para>Same as naming scheme <constant>rhel-8.0</constant>.</para></listitem>
</varlistentry>
<varlistentry>
<term><constant>rhel-8.2</constant></term>
- <para>Same as naming scheme <constant>rhel-8.0</constant>.</para>
+ <listitem><para>Same as naming scheme <constant>rhel-8.0</constant>.</para></listitem>
</varlistentry>
<varlistentry>
<term><constant>rhel-8.3</constant></term>
- <para>Same as naming scheme <constant>rhel-8.0</constant>.</para>
+ <listitem><para>Same as naming scheme <constant>rhel-8.0</constant>.</para></listitem>
</varlistentry>
<varlistentry>
@@ -304,13 +304,13 @@
<varlistentry>
<term><constant>rhel-8.5</constant></term>
- <para>Same as naming scheme <constant>rhel-8.4</constant>.</para>
+ <listitem><para>Same as naming scheme <constant>rhel-8.4</constant>.</para></listitem>
</varlistentry>
<varlistentry>
<term><constant>rhel-8.6</constant></term>
- <para>Same as naming scheme <constant>rhel-8.4</constant>.</para>
+ <listitem><para>Same as naming scheme <constant>rhel-8.4</constant>.</para></listitem>
</varlistentry>
<varlistentry>
@@ -331,19 +331,19 @@
<varlistentry>
<term><constant>rhel-8.8</constant></term>
- <para>Same as naming scheme <constant>rhel-8.7</constant>.</para>
+ <listitem><para>Same as naming scheme <constant>rhel-8.7</constant>.</para></listitem>
</varlistentry>
<varlistentry>
<term><constant>rhel-8.9</constant></term>
- <para>Same as naming scheme <constant>rhel-8.7</constant>.</para>
+ <listitem><para>Same as naming scheme <constant>rhel-8.7</constant>.</para></listitem>
</varlistentry>
<varlistentry>
<term><constant>rhel-8.10</constant></term>
- <para>Same as naming scheme <constant>rhel-8.7</constant>.</para>
+ <listitem><para>Same as naming scheme <constant>rhel-8.7</constant>.</para></listitem>
</varlistentry>
<para>Note that <constant>latest</constant> may be used to denote the latest scheme known to this

34
1004-service-schedule-cleanup-of-PID-hashmaps-when-we-now.patch Normal file
View File

@ -0,0 +1,34 @@
From 8bf7a6f42efba3ebe59872ba75233e75ffdf7c87 Mon Sep 17 00:00:00 2001
From: Michal Sekletar <msekleta@redhat.com>
Date: Mon, 11 Dec 2023 16:09:02 +0100
Subject: [PATCH] service: schedule cleanup of PID hashmaps when we now longer
have main_pid and we are in container
RHEL-only
Resolves: RHEL-5863
---
src/core/service.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/core/service.c b/src/core/service.c
index 0423f2c73e..82c09d59f0 100644
--- a/src/core/service.c
+++ b/src/core/service.c
@@ -34,6 +34,7 @@
#include "string-table.h"
#include "string-util.h"
#include "strv.h"
+#include "virt.h"
#include "unit-name.h"
#include "unit.h"
#include "utf8.h"
@@ -3535,7 +3536,7 @@ static void service_sigchld_event(Unit *u, pid_t pid, int code, int status) {
* detect when the cgroup becomes empty. Note that the control process is always
* our child so it's pointless to watch all other processes. */
if (!control_pid_good(s))
- if (!s->main_pid_known || s->main_pid_alien)
+ if (!s->main_pid_known || s->main_pid_alien || (s->main_pid == 0 && detect_container() > 0))
(void) unit_enqueue_rewatch_pids(u);
}

34
systemd.spec
View File

@ -13,7 +13,7 @@
Name: systemd
Url: http://www.freedesktop.org/wiki/Software/systemd
Version: 239
Release: 79%{?dist}
Release: 80%{?dist}
# For a breakdown of the licensing, see README
License: LGPLv2+ and MIT and GPLv2+
Summary: System and Service Manager
@ -1039,6 +1039,21 @@ Patch0986: 0986-fstab-generator-allow-overriding-etc-fstab-with-SYST.patch
Patch0987: 0987-fstab-generator-allow-overriding-path-to-sysroot-etc.patch
Patch0988: 0988-test-backport-TEST-81-GENERATORS-fstab-generator-onl.patch
Patch0989: 0989-resolved-actually-check-authenticated-flag-of-SOA-tr.patch
Patch0990: 0990-fd-util-rework-how-we-determine-highest-possible-fd.patch
Patch0991: 0991-basic-fd-util-refuse-infinite-loop-in-close_all_fds.patch
Patch0992: 0992-fd-util-split-out-inner-fallback-loop-of-close_all_f.patch
Patch0993: 0993-exec-util-use-close_all_fds_without_malloc-from-free.patch
Patch0994: 0994-ci-use-source-git-automation-composite-Action.patch
Patch0995: 0995-ci-increase-the-cron-interval-to-45-minutes.patch
Patch0996: 0996-ci-add-all-Z-Stream-versions-to-array-of-allowed-ver.patch
Patch0997: 0997-tree-wide-always-declare-bitflag-enums-the-same-way.patch
Patch0998: 0998-login-Add-KEY_RESTART-handling.patch
Patch0999: 0999-analyze-security-fix-recursive-call-of-syscall_names.patch
Patch1000: 1000-analyze-security-do-not-assign-badness-to-filtered-o.patch
Patch1001: 1001-analyze-security-include-an-actual-syscall-name-in-t.patch
Patch1002: 1002-udev-net_id-introduce-naming-scheme-for-RHEL-8.10.patch
Patch1003: 1003-doc-add-missing-listitem-to-systemd.net-naming-schem.patch
Patch1004: 1004-service-schedule-cleanup-of-PID-hashmaps-when-we-now.patch
%ifarch %{ix86} x86_64 aarch64
%global have_gnu_efi 1
@ -1669,6 +1684,23 @@ fi
%files tests -f .file-list-tests
%changelog
* Thu Feb 15 2024 systemd maintenance team <systemd-maint@redhat.com> - 239-80
- fd-util: rework how we determine highest possible fd (RHEL-18302)
- basic/fd-util: refuse "infinite" loop in close_all_fds() (RHEL-18302)
- fd-util: split out inner fallback loop of close_all_fds() as close_all_fds_without_malloc() (RHEL-18302)
- exec-util: use close_all_fds_without_malloc() from freeze() (RHEL-18302)
- ci: use source-git-automation composite Action (RHEL-1087)
- ci: increase the cron interval to 45 minutes (RHEL-1087)
- ci: add all Z-Stream versions to array of allowed versions (RHEL-1087)
- tree-wide: always declare bitflag enums the same way (RHEL-2857)
- login: Add KEY_RESTART handling (RHEL-2857)
- analyze security: fix recursive call of syscall_names_in_filter() (RHEL-5991)
- analyze-security: do not assign badness to filtered-out syscalls (RHEL-5991)
- analyze-security: include an actual syscall name in the message (RHEL-5991)
- udev/net_id: introduce naming scheme for RHEL-8.10 (RHEL-22426)
- doc: add missing `<listitem>` to `systemd.net-naming-scheme.xml` (RHEL-22426)
- service: schedule cleanup of PID hashmaps when we now longer have main_pid and we are in container (RHEL-5863)
* Mon Jan 08 2024 systemd maintenance team <systemd-maint@redhat.com> - 239-79
- ci: Extend source-git-automation (RHEL-1087)
- ci: add missing configuration for commit linter (RHEL-1087)