Debrand for AlmaLinux
commit
d4407d0797
@ -0,0 +1,90 @@
|
||||
From ac160a968eb734f18e662bb48254e5200489df77 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
|
||||
Date: Tue, 6 May 2025 11:14:10 +0200
|
||||
Subject: [PATCH] man: reword the description of "secure pager" handling
|
||||
|
||||
The existing description was not *wrong*, but it was a bit muddled. Let's
|
||||
reorder the text to give a short intro and then describe what the options
|
||||
actually do and the clear "true" and "false" cases first, and then describe
|
||||
autodetection.
|
||||
|
||||
Related to https://yeswehack.com/vulnerability-center/reports/346802.
|
||||
|
||||
(cherry picked from commit 718dbdb2ca4458cf91711cd9a7de3a972e46658e)
|
||||
|
||||
Related: RHEL-102939
|
||||
---
|
||||
man/common-variables.xml | 58 ++++++++++++++++++++++++++--------------
|
||||
1 file changed, 38 insertions(+), 20 deletions(-)
|
||||
|
||||
diff --git a/man/common-variables.xml b/man/common-variables.xml
|
||||
index 2d26bf7242..9f322dbf23 100644
|
||||
--- a/man/common-variables.xml
|
||||
+++ b/man/common-variables.xml
|
||||
@@ -167,28 +167,46 @@
|
||||
<varlistentry id='lesssecure'>
|
||||
<term><varname>$SYSTEMD_PAGERSECURE</varname></term>
|
||||
|
||||
- <listitem><para>Takes a boolean argument. When true, the "secure" mode of the pager is enabled; if
|
||||
- false, disabled. If <varname>$SYSTEMD_PAGERSECURE</varname> is not set at all, secure mode is enabled
|
||||
- if the effective UID is not the same as the owner of the login session, see
|
||||
- <citerefentry project='man-pages'><refentrytitle>geteuid</refentrytitle><manvolnum>2</manvolnum></citerefentry>
|
||||
- and <citerefentry><refentrytitle>sd_pid_get_owner_uid</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
|
||||
- In secure mode, <option>LESSSECURE=1</option> will be set when invoking the pager, and the pager shall
|
||||
- disable commands that open or create new files or start new subprocesses. When
|
||||
- <varname>$SYSTEMD_PAGERSECURE</varname> is not set at all, pagers which are not known to implement
|
||||
- secure mode will not be used. (Currently only
|
||||
- <citerefentry project='man-pages'><refentrytitle>less</refentrytitle><manvolnum>1</manvolnum></citerefentry>
|
||||
- implements secure mode.)</para>
|
||||
-
|
||||
- <para>Note: when commands are invoked with elevated privileges, for example under <citerefentry
|
||||
+ <listitem>
|
||||
+ <para>Common pager commands like <citerefentry
|
||||
+ project='man-pages'><refentrytitle>less</refentrytitle><manvolnum>1</manvolnum></citerefentry>, in
|
||||
+ addition to "paging", i.e. scrolling through the output, support opening of or writing to other files
|
||||
+ and running arbitrary shell commands. When commands are invoked with elevated privileges, for example
|
||||
+ under <citerefentry
|
||||
project='man-pages'><refentrytitle>sudo</refentrytitle><manvolnum>8</manvolnum></citerefentry> or
|
||||
<citerefentry
|
||||
- project='die-net'><refentrytitle>pkexec</refentrytitle><manvolnum>1</manvolnum></citerefentry>, care
|
||||
- must be taken to ensure that unintended interactive features are not enabled. "Secure" mode for the
|
||||
- pager may be enabled automatically as describe above. Setting <varname>SYSTEMD_PAGERSECURE=0</varname>
|
||||
- or not removing it from the inherited environment allows the user to invoke arbitrary commands. Note
|
||||
- that if the <varname>$SYSTEMD_PAGER</varname> or <varname>$PAGER</varname> variables are to be
|
||||
- honoured, <varname>$SYSTEMD_PAGERSECURE</varname> must be set too. It might be reasonable to completely
|
||||
- disable the pager using <option>--no-pager</option> instead.</para></listitem>
|
||||
+ project='die-net'><refentrytitle>pkexec</refentrytitle><manvolnum>1</manvolnum></citerefentry>, the
|
||||
+ pager becomes a security boundary. Care must be taken that only programs with strictly limited
|
||||
+ functionality are used as pagers, and unintended interactive features like opening or creation of new
|
||||
+ files or starting of subprocesses are not allowed. "Secure mode" for the pager may be enabled as
|
||||
+ described below, <emphasis>if the pager supports that</emphasis> (most pagers are not written in a way
|
||||
+ that takes this into consideration). It is recommended to either explicitly enable "secure mode" or to
|
||||
+ completely disable the pager using <option>--no-pager</option> or <varname>PAGER=cat</varname> when
|
||||
+ allowing untrusted users to execute commands with elevated privileges.</para>
|
||||
+
|
||||
+ <para>This option takes a boolean argument. When set to true, the "secure mode" of the pager is
|
||||
+ enabled. In "secure mode", <option>LESSSECURE=1</option> will be set when invoking the pager, which
|
||||
+ instructs the pager to disable commands that open or create new files or start new subprocesses.
|
||||
+ Currently only <citerefentry
|
||||
+ project='man-pages'><refentrytitle>less</refentrytitle><manvolnum>1</manvolnum></citerefentry> is known
|
||||
+ to understand this variable and implement "secure mode".</para>
|
||||
+
|
||||
+ <para>When set to false, no limitation is placed on the pager. Setting
|
||||
+ <varname>SYSTEMD_PAGERSECURE=0</varname> or not removing it from the inherited environment may allow
|
||||
+ the user to invoke arbitrary commands.</para>
|
||||
+
|
||||
+ <para>When <varname>$SYSTEMD_PAGERSECURE</varname> is not set, systemd tools attempt to automatically
|
||||
+ figure out if "secure mode" should be enabled and whether the pager supports it. "Secure mode" is
|
||||
+ enabled if the effective UID is not the same as the owner of the login session, see
|
||||
+ <citerefentry project='man-pages'><refentrytitle>geteuid</refentrytitle><manvolnum>2</manvolnum></citerefentry>
|
||||
+ and
|
||||
+ <citerefentry><refentrytitle>sd_pid_get_owner_uid</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
|
||||
+ In this case, <varname>SYSTEMD_PAGERSECURE=1</varname> will be set and pagers which are not known to
|
||||
+ implement "secure mode" will not be used at all.</para>
|
||||
+
|
||||
+ <para>Note that if the <varname>$SYSTEMD_PAGER</varname> or <varname>$PAGER</varname> variables are to
|
||||
+ be honoured, <varname>$SYSTEMD_PAGERSECURE</varname> must be set too.</para>
|
||||
+ </listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry id='colors'>
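Review bot: The first added paragraph recommends `PAGER=cat` as a way to disable the pager, while the last added paragraph says `$PAGER` is only honoured when `$SYSTEMD_PAGERSECURE` is set too, so a reader who follows the first recommendation alone cannot tell from this text whether it takes effect. Suggest saying in the first paragraph that `SYSTEMD_PAGERSECURE` has to be set alongside it, or pointing to the closing note there.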
|
||||
132
0684-pager-also-check-for-SUDO_UID.patch
Normal file
@ -0,0 +1,132 @@
|
||||
From 517489471d6f314e834a6ee675974151ce2e0234 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
|
||||
Date: Tue, 6 May 2025 14:29:02 +0200
|
||||
Subject: [PATCH] pager: also check for $SUDO_UID
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
This returns to the original approach proposed in
|
||||
https://github.com/systemd/systemd/pull/17270. After review, the approach was
|
||||
changed to use sd_pid_get_owner_uid() instead. Back then, when running in a
|
||||
typical graphical session, sd_pid_get_owner_uid() would usually return the user
|
||||
UID, and when running under sudo, geteuid() would return 0, so we'd trigger the
|
||||
secure path.
|
||||
|
||||
sudo may allocate a new session if it is invoked outside of a session (depending
|
||||
on the PAM config). Since nowadays desktop environments usually start the user
|
||||
shell through user units, the typical shell in a terminal emulator is not part
|
||||
of a session, and when sudo is invoked, a new session is allocated, and
|
||||
sd_pid_get_owner_uid() returns 0 too. Technically, the code still works as
|
||||
documented in the man page, but in the common case, it doesn't do the expected
|
||||
thing.
|
||||
|
||||
$ build/test-sd-login |& rg 'get_(owner_uid|cgroup|session)'
|
||||
sd_pid_get_session(0) → No data available
|
||||
sd_pid_get_owner_uid(0) → 1000
|
||||
sd_pid_get_cgroup(0) → /user.slice/user-1000.slice/user@1000.service/app.slice/app-ghostty-transient-5088.scope/surfaces/556FAF50BA40.scope
|
||||
|
||||
$ sudo build/test-sd-login |& rg 'get_(owner_uid|cgroup|session)'
|
||||
sd_pid_get_session(0) → c289
|
||||
sd_pid_get_owner_uid(0) → 0
|
||||
sd_pid_get_cgroup(0) → /user.slice/user-0.slice/session-c289.scope
|
||||
|
||||
I think it's worth checking for sudo because it is a common case used by users.
|
||||
There obviously are other mechanisms, so the man page is extended to say that
|
||||
only some common mechanisms are supported, and to (again) recommend setting
|
||||
SYSTEMD_LESSSECURE explicitly. The other option would be to set "secure mode"
|
||||
by default. But this would create an inconvenience for users doing the right
|
||||
thing, running systemctl and other tools directly, because then they can't run
|
||||
privileged commands from the pager, e.g. to save the output to a file. (Or the
|
||||
user would need to explicitly set SYSTEMD_LESSSECURE. One option would be to
|
||||
set it always in the environment and to rely on sudo and other tools stripping
|
||||
it from the environment before running privileged code. But that is also fairly
|
||||
fragile and it obviously relies on the user doing a complicated setup to
|
||||
support a fairly common use case. I think this decreases usability of the
|
||||
system quite a bit. I don't think we should build solutions that work in
|
||||
principle, but are painfully inconvenient in common cases.)
|
||||
|
||||
Fixes https://yeswehack.com/vulnerability-center/reports/346802.
|
||||
|
||||
Also see https://github.com/polkit-org/polkit/pull/562, which adds support for
|
||||
$SUDO_UID/$SUDO_GID to pkexec.
|
||||
|
||||
(cherry picked from commit cd93478af8b9dc69478d5667f113b67d175090fa)
|
||||
|
||||
Resolves: RHEL-102939
|
||||
---
|
||||
man/common-variables.xml | 13 ++++++++++---
|
||||
src/shared/pager.c | 29 +++++++++++++++++++----------
|
||||
2 files changed, 29 insertions(+), 13 deletions(-)
|
||||
|
||||
diff --git a/man/common-variables.xml b/man/common-variables.xml
|
||||
index 9f322dbf23..825cfe57e9 100644
|
||||
--- a/man/common-variables.xml
|
||||
+++ b/man/common-variables.xml
|
||||
@@ -200,9 +200,16 @@
|
||||
enabled if the effective UID is not the same as the owner of the login session, see
|
||||
<citerefentry project='man-pages'><refentrytitle>geteuid</refentrytitle><manvolnum>2</manvolnum></citerefentry>
|
||||
and
|
||||
- <citerefentry><refentrytitle>sd_pid_get_owner_uid</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
|
||||
- In this case, <varname>SYSTEMD_PAGERSECURE=1</varname> will be set and pagers which are not known to
|
||||
- implement "secure mode" will not be used at all.</para>
|
||||
+ <citerefentry><refentrytitle>sd_pid_get_owner_uid</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
|
||||
+ or when running under
|
||||
+ <citerefentry><refentrytitle>sudo</refentrytitle><manvolnum>8</manvolnum></citerefentry> or similar
|
||||
+ tools (<varname>$SUDO_UID</varname> is set <footnote>
|
||||
+ <para>It is recommended for other tools to set and check <varname>$SUDO_UID</varname> as appropriate,
|
||||
+ treating it is a common interface.</para></footnote>). In those cases,
|
||||
+ <varname>SYSTEMD_PAGERSECURE=1</varname> will be set and pagers which are not known to implement
|
||||
+ "secure mode" will not be used at all. Note that this autodetection only covers the most common
|
||||
+ mechanisms to elevate privileges and is intended as convenience. It is recommended to explicitly set
|
||||
+ <varname>$SYSTEMD_PAGERSECURE</varname> or disable the pager.</para>
|
||||
|
||||
<para>Note that if the <varname>$SYSTEMD_PAGER</varname> or <varname>$PAGER</varname> variables are to
|
||||
be honoured, <varname>$SYSTEMD_PAGERSECURE</varname> must be set too.</para>
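Review bot: The footnote text reads "treating it is a common interface", which should be "treating it as a common interface". The footnote element is also placed before the closing parenthesis of "($SUDO_UID is set)", so the rendered footnote marker lands inside the parenthetical; moving it after the closing parenthesis reads better.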
|
||||
diff --git a/src/shared/pager.c b/src/shared/pager.c
|
||||
index 9b8ae76700..f1043ec132 100644
|
||||
--- a/src/shared/pager.c
|
||||
+++ b/src/shared/pager.c
|
||||
@@ -82,6 +82,22 @@ static int no_quit_on_interrupt(int exe_name_fd, const char *less_opts) {
|
||||
return r;
|
||||
}
|
||||
|
||||
+static bool running_with_escalated_privileges(void) {
|
||||
+ int r;
|
||||
+
|
||||
+ if (getenv("SUDO_UID"))
|
||||
+ return true;
|
||||
+
|
||||
+ uid_t uid;
|
||||
+ r = sd_pid_get_owner_uid(0, &uid);
|
||||
+ if (r < 0) {
|
||||
+ log_debug_errno(r, "sd_pid_get_owner_uid() failed, enabling pager secure mode: %m");
|
||||
+ return true;
|
||||
+ }
|
||||
+
|
||||
+ return uid != geteuid();
|
||||
+}
|
||||
+
|
||||
void pager_open(PagerFlags flags) {
|
||||
_cleanup_close_pair_ int fd[2] = EBADF_PAIR, exe_name_pipe[2] = EBADF_PAIR;
|
||||
_cleanup_strv_free_ char **pager_args = NULL;
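Review bot: running_with_escalated_privileges() has no comment saying that both the `getenv("SUDO_UID")` check and the sd_pid_get_owner_uid() failure path deliberately return true, that is, fail towards secure mode. The getenv() test matches any value, including an empty string, and never parses it, which is fine for a fail-closed check but deserves a one-line comment so a later change does not start trusting the variable's content. The declaration of `uid` after the first statement is also inconsistent with `r` being declared at the top of the function.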
|
||||
@@ -177,16 +193,9 @@ void pager_open(PagerFlags flags) {
|
||||
* know to be good. */
|
||||
int use_secure_mode = secure_getenv_bool("SYSTEMD_PAGERSECURE");
|
||||
bool trust_pager = use_secure_mode >= 0;
|
||||
- if (use_secure_mode == -ENXIO) {
|
||||
- uid_t uid;
|
||||
-
|
||||
- r = sd_pid_get_owner_uid(0, &uid);
|
||||
- if (r < 0)
|
||||
- log_debug_errno(r, "sd_pid_get_owner_uid() failed, enabling pager secure mode: %m");
|
||||
-
|
||||
- use_secure_mode = r < 0 || uid != geteuid();
|
||||
-
|
||||
- } else if (use_secure_mode < 0) {
|
||||
+ if (use_secure_mode == -ENXIO)
|
||||
+ use_secure_mode = running_with_escalated_privileges();
|
||||
+ else if (use_secure_mode < 0) {
|
||||
log_warning_errno(use_secure_mode, "Unable to parse $SYSTEMD_PAGERSECURE, assuming true: %m");
|
||||
use_secure_mode = true;
|
||||
}
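Review bot: The rewritten condition pairs an unbraced `if (use_secure_mode == -ENXIO)` arm with a braced `else if` arm; bracing both keeps the two arms parallel. `trust_pager` is still computed from the raw return value before autodetection runs, so an autodetected secure mode leaves it false; now that the helper call hides the -ENXIO case, a short comment stating that this is intended would help the next reader.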
|
||||
@ -0,0 +1,38 @@
|
||||
From fef6198a931a9d7538c0c93a446fd02ffc52fc79 Mon Sep 17 00:00:00 2001
|
||||
From: David Tardon <dtardon@redhat.com>
|
||||
Date: Thu, 25 Jun 2026 14:26:45 +0200
|
||||
Subject: [PATCH] Revert "mount-setup: tune down log level if usrquota is not
|
||||
supported, apply usrquota when smack is in use too"
|
||||
|
||||
This reverts commit d5642d888c6bc1b8014b727b6b1b4851a0829239.
|
||||
|
||||
Reverts: RHEL-143028
|
||||
---
|
||||
src/shared/mount-setup.c | 6 +++---
|
||||
1 file changed, 3 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/src/shared/mount-setup.c b/src/shared/mount-setup.c
|
||||
index 4c5151c7db..93e646d045 100644
|
||||
--- a/src/shared/mount-setup.c
|
||||
+++ b/src/shared/mount-setup.c
|
||||
@@ -90,7 +90,7 @@ static const MountPoint mount_table[] = {
|
||||
{ "smackfs", "/sys/fs/smackfs", "smackfs", "smackfsdef=*", MS_NOSUID|MS_NOEXEC|MS_NODEV,
|
||||
mac_smack_use, MNT_FATAL },
|
||||
{ "tmpfs", "/dev/shm", "tmpfs", "mode=01777,smackfsroot=*", MS_NOSUID|MS_NODEV|MS_STRICTATIME,
|
||||
- mac_smack_use, MNT_FATAL|MNT_USRQUOTA_GRACEFUL },
|
||||
+ mac_smack_use, MNT_FATAL },
|
||||
#endif
|
||||
{ "tmpfs", "/dev/shm", "tmpfs", "mode=01777", MS_NOSUID|MS_NODEV|MS_STRICTATIME,
|
||||
NULL, MNT_FATAL|MNT_IN_CONTAINER|MNT_USRQUOTA_GRACEFUL },
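Review bot: After this hunk the Smack /dev/shm entry no longer has MNT_USRQUOTA_GRACEFUL while the non-Smack /dev/shm entry in the trailing context still carries it, so the two entries behave differently at this point in the series. The commit message only names the reverted commit and a ticket; a sentence on why usrquota is being backed out, and that the remaining flag goes away in a later revert of the series, would make the intermediate state understandable.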
|
||||
@@ -194,9 +194,9 @@ static int mount_one(const MountPoint *p, bool relabel) {
|
||||
if (FLAGS_SET(p->mode, MNT_USRQUOTA_GRACEFUL)) {
|
||||
r = mount_option_supported(p->type, "usrquota", /* value= */ NULL);
|
||||
if (r < 0)
|
||||
- log_full_errno(priority, r, "Unable to determine whether %s supports 'usrquota' mount option, assuming not: %m", p->type);
|
||||
+ log_warning_errno(r, "Unable to determine whether %s supports 'usrquota' mount option, assuming not: %m", p->type);
|
||||
else if (r == 0)
|
||||
- log_debug("Not enabling 'usrquota' on '%s' as kernel lacks support for it.", p->where);
|
||||
+ log_info("Not enabling 'usrquota' on '%s' as kernel lacks support for it.", p->where);
|
||||
else {
|
||||
if (!strextend_with_separator(&extend_options, ",", p->options ?: POINTER_MAX, "usrquota"))
|
||||
return log_oom();
|
||||
@ -0,0 +1,72 @@
|
||||
From 05f890fb4841d10372aee1413340013e701ee210 Mon Sep 17 00:00:00 2001
|
||||
From: David Tardon <dtardon@redhat.com>
|
||||
Date: Thu, 25 Jun 2026 14:28:13 +0200
|
||||
Subject: [PATCH] Revert "nspawn: enable usrquota support on /tmp/ and
|
||||
/dev/shm/"
|
||||
|
||||
This reverts commit b9cfb8c02ec36304e0a3ba730363a6dd747dd26a.
|
||||
|
||||
Reverts: RHEL-143028
|
||||
---
|
||||
src/nspawn/nspawn-mount.c | 21 ++-------------------
|
||||
src/nspawn/nspawn-mount.h | 1 -
|
||||
2 files changed, 2 insertions(+), 20 deletions(-)
|
||||
|
||||
diff --git a/src/nspawn/nspawn-mount.c b/src/nspawn/nspawn-mount.c
|
||||
index cd5a634ec0..c233cdf600 100644
|
||||
--- a/src/nspawn/nspawn-mount.c
|
||||
+++ b/src/nspawn/nspawn-mount.c
|
||||
@@ -592,7 +592,7 @@ int mount_all(const char *dest,
|
||||
|
||||
/* Then we list outer child mounts (i.e. mounts applied *before* entering user namespacing when we are privileged) */
|
||||
{ "tmpfs", "/tmp", "tmpfs", "mode=01777" NESTED_TMPFS_LIMITS, MS_NOSUID|MS_NODEV|MS_STRICTATIME,
|
||||
- MOUNT_FATAL|MOUNT_APPLY_TMPFS_TMP|MOUNT_MKDIR|MOUNT_USRQUOTA_GRACEFUL },
|
||||
+ MOUNT_FATAL|MOUNT_APPLY_TMPFS_TMP|MOUNT_MKDIR },
|
||||
{ "tmpfs", "/sys", "tmpfs", "mode=0555" TMPFS_LIMITS_SYS, MS_NOSUID|MS_NOEXEC|MS_NODEV,
|
||||
MOUNT_FATAL|MOUNT_APPLY_APIVFS_NETNS|MOUNT_MKDIR|MOUNT_PRIVILEGED },
|
||||
{ "sysfs", "/sys", "sysfs", NULL, SYS_DEFAULT_MOUNT_FLAGS,
|
||||
@@ -602,7 +602,7 @@ int mount_all(const char *dest,
|
||||
{ "tmpfs", "/dev", "tmpfs", "mode=0755" TMPFS_LIMITS_PRIVATE_DEV, MS_NOSUID|MS_STRICTATIME,
|
||||
MOUNT_FATAL|MOUNT_MKDIR },
|
||||
{ "tmpfs", "/dev/shm", "tmpfs", "mode=01777" NESTED_TMPFS_LIMITS, MS_NOSUID|MS_NODEV|MS_STRICTATIME,
|
||||
- MOUNT_FATAL|MOUNT_MKDIR|MOUNT_USRQUOTA_GRACEFUL },
|
||||
+ MOUNT_FATAL|MOUNT_MKDIR },
|
||||
{ "tmpfs", "/run", "tmpfs", "mode=0755" TMPFS_LIMITS_RUN, MS_NOSUID|MS_NODEV|MS_STRICTATIME,
|
||||
MOUNT_FATAL|MOUNT_MKDIR },
|
||||
{ "/run/host", "/run/host", NULL, NULL, MS_BIND,
|
||||
@@ -710,23 +710,6 @@ int mount_all(const char *dest,
|
||||
o = options;
|
||||
}
|
||||
|
||||
- if (FLAGS_SET(m->mount_settings, MOUNT_USRQUOTA_GRACEFUL)) {
|
||||
- r = mount_option_supported(m->type, /* key= */ "usrquota", /* value= */ NULL);
|
||||
- if (r < 0)
|
||||
- log_warning_errno(r, "Failed to determine if '%s' supports 'usrquota', assuming it doesn't: %m", m->type);
|
||||
- else if (r == 0)
|
||||
- log_debug("Kernel doesn't support 'usrquota' on '%s', not including in mount options for '%s'.", m->type, m->where);
|
||||
- else {
|
||||
- _cleanup_free_ char *joined = NULL;
|
||||
-
|
||||
- if (!strextend_with_separator(&joined, ",", o ?: POINTER_MAX, "usrquota"))
|
||||
- return log_oom();
|
||||
-
|
||||
- free_and_replace(options, joined);
|
||||
- o = options;
|
||||
- }
|
||||
- }
|
||||
-
|
||||
if (FLAGS_SET(m->mount_settings, MOUNT_PREFIX_ROOT)) {
|
||||
/* Optionally prefix the mount source with the root dir. This is useful in bind
|
||||
* mounts to be created within the container image before we transition into it. Note
|
||||
diff --git a/src/nspawn/nspawn-mount.h b/src/nspawn/nspawn-mount.h
|
||||
index 529fa16658..5f66bc7328 100644
|
||||
--- a/src/nspawn/nspawn-mount.h
|
||||
+++ b/src/nspawn/nspawn-mount.h
|
||||
@@ -21,7 +21,6 @@ typedef enum MountSettingsMask {
|
||||
MOUNT_PREFIX_ROOT = 1 << 10,/* if set, prefix the source path with the container's root directory */
|
||||
MOUNT_FOLLOW_SYMLINKS = 1 << 11,/* if set, we'll follow symlinks for the mount target */
|
||||
MOUNT_PRIVILEGED = 1 << 12,/* if set, we'll only mount this in the outer child if we are running in privileged mode */
|
||||
- MOUNT_USRQUOTA_GRACEFUL = 1 << 13,/* if set, append "usrquota" to mount options if kernel tmpfs supports that */
|
||||
} MountSettingsMask;
|
||||
|
||||
typedef enum CustomMountType {
|
||||
25
0687-Revert-units-enable-usrquota-support-on-tmp.patch
Normal file
@ -0,0 +1,25 @@
|
||||
From 9da37815ff97c67a890f2e74893a7e79d45bded9 Mon Sep 17 00:00:00 2001
|
||||
From: David Tardon <dtardon@redhat.com>
|
||||
Date: Thu, 25 Jun 2026 14:28:48 +0200
|
||||
Subject: [PATCH] Revert "units: enable usrquota support on /tmp/"
|
||||
|
||||
This reverts commit bc192261e4801ad27a8610fea4e10010d705bfc0.
|
||||
|
||||
Reverts: RHEL-143028
|
||||
---
|
||||
units/tmp.mount | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/units/tmp.mount b/units/tmp.mount
|
||||
index 373b131211..d7beaa8d14 100644
|
||||
--- a/units/tmp.mount
|
||||
+++ b/units/tmp.mount
|
||||
@@ -22,7 +22,7 @@ After=swap.target
|
||||
What=tmpfs
|
||||
Where=/tmp
|
||||
Type=tmpfs
|
||||
-Options=mode=1777,strictatime,nosuid,nodev,size=50%%,nr_inodes=1m,x-systemd.graceful-option=usrquota
|
||||
+Options=mode=1777,strictatime,nosuid,nodev,size=50%%,nr_inodes=1m
|
||||
|
||||
# Make 'systemctl enable tmp.mount' work:
|
||||
[Install]
|
||||
75
0688-Revert-pid1-enable-usrquota-support-on-dev-shm.patch
Normal file
@ -0,0 +1,75 @@
|
||||
From 1d0d81d776f35dc0c5c2f98fbf546fee06fdf2ff Mon Sep 17 00:00:00 2001
|
||||
From: David Tardon <dtardon@redhat.com>
|
||||
Date: Thu, 25 Jun 2026 14:29:22 +0200
|
||||
Subject: [PATCH] Revert "pid1: enable usrquota support on /dev/shm"
|
||||
|
||||
This reverts commit 75f712d4fb8d5b05f28eda98e9ae44512ba6d7f8.
|
||||
|
||||
Reverts: RHEL-143028
|
||||
---
|
||||
src/shared/mount-setup.c | 33 ++++++++-------------------------
|
||||
1 file changed, 8 insertions(+), 25 deletions(-)
|
||||
|
||||
diff --git a/src/shared/mount-setup.c b/src/shared/mount-setup.c
|
||||
index 93e646d045..e7a315a420 100644
|
||||
--- a/src/shared/mount-setup.c
|
||||
+++ b/src/shared/mount-setup.c
|
||||
@@ -34,12 +34,11 @@
|
||||
#include "virt.h"
|
||||
|
||||
typedef enum MountMode {
|
||||
- MNT_NONE = 0,
|
||||
- MNT_FATAL = 1 << 0,
|
||||
- MNT_IN_CONTAINER = 1 << 1,
|
||||
- MNT_CHECK_WRITABLE = 1 << 2,
|
||||
- MNT_FOLLOW_SYMLINK = 1 << 3,
|
||||
- MNT_USRQUOTA_GRACEFUL = 1 << 4,
|
||||
+ MNT_NONE = 0,
|
||||
+ MNT_FATAL = 1 << 0,
|
||||
+ MNT_IN_CONTAINER = 1 << 1,
|
||||
+ MNT_CHECK_WRITABLE = 1 << 2,
|
||||
+ MNT_FOLLOW_SYMLINK = 1 << 3,
|
||||
} MountMode;
|
||||
|
||||
typedef struct MountPoint {
|
||||
@@ -93,7 +92,7 @@ static const MountPoint mount_table[] = {
|
||||
mac_smack_use, MNT_FATAL },
|
||||
#endif
|
||||
{ "tmpfs", "/dev/shm", "tmpfs", "mode=01777", MS_NOSUID|MS_NODEV|MS_STRICTATIME,
|
||||
- NULL, MNT_FATAL|MNT_IN_CONTAINER|MNT_USRQUOTA_GRACEFUL },
|
||||
+ NULL, MNT_FATAL|MNT_IN_CONTAINER },
|
||||
{ "devpts", "/dev/pts", "devpts", "mode=" STRINGIFY(TTY_MODE) ",gid=" STRINGIFY(TTY_GID), MS_NOSUID|MS_NOEXEC,
|
||||
NULL, MNT_IN_CONTAINER },
|
||||
#if ENABLE_SMACK
|
||||
@@ -189,29 +188,13 @@ static int mount_one(const MountPoint *p, bool relabel) {
|
||||
else
|
||||
(void) mkdir_p(p->where, 0755);
|
||||
|
||||
- _cleanup_free_ char *extend_options = NULL;
|
||||
- const char *o = p->options;
|
||||
- if (FLAGS_SET(p->mode, MNT_USRQUOTA_GRACEFUL)) {
|
||||
- r = mount_option_supported(p->type, "usrquota", /* value= */ NULL);
|
||||
- if (r < 0)
|
||||
- log_warning_errno(r, "Unable to determine whether %s supports 'usrquota' mount option, assuming not: %m", p->type);
|
||||
- else if (r == 0)
|
||||
- log_info("Not enabling 'usrquota' on '%s' as kernel lacks support for it.", p->where);
|
||||
- else {
|
||||
- if (!strextend_with_separator(&extend_options, ",", p->options ?: POINTER_MAX, "usrquota"))
|
||||
- return log_oom();
|
||||
-
|
||||
- o = extend_options;
|
||||
- }
|
||||
- }
|
||||
-
|
||||
log_debug("Mounting %s to %s of type %s with options %s.",
|
||||
p->what,
|
||||
p->where,
|
||||
p->type,
|
||||
- strna(o));
|
||||
+ strna(p->options));
|
||||
|
||||
- r = mount_verbose_full(priority, p->what, p->where, p->type, p->flags, o, FLAGS_SET(p->mode, MNT_FOLLOW_SYMLINK));
|
||||
+ r = mount_verbose_full(priority, p->what, p->where, p->type, p->flags, p->options, FLAGS_SET(p->mode, MNT_FOLLOW_SYMLINK));
|
||||
if (r < 0)
|
||||
return FLAGS_SET(p->mode, MNT_FATAL) ? r : 0;
|
||||
|
||||
@ -0,0 +1,88 @@
|
||||
From 99af961154502ebce7b0c99875f131af9dc19955 Mon Sep 17 00:00:00 2001
|
||||
From: Yu Watanabe <watanabe.yu+github@gmail.com>
|
||||
Date: Thu, 12 Mar 2026 07:14:44 +0900
|
||||
Subject: [PATCH] Revert "udev-builtin-net-id: print cescaped bad attributes"
|
||||
|
||||
This reverts commit 7c4047957ef58744ecfad6d277f7c45d430f6d70.
|
||||
|
||||
This is not necessary, as bad characters are already filtered.
|
||||
|
||||
(cherry picked from commit c6ea72e39a8d829b1bd65f15f6dd7d1c2b6d04c3)
|
||||
|
||||
Resolves: RHEL-180922
|
||||
---
|
||||
src/udev/udev-builtin-net_id.c | 19 +++++++------------
|
||||
1 file changed, 7 insertions(+), 12 deletions(-)
|
||||
|
||||
diff --git a/src/udev/udev-builtin-net_id.c b/src/udev/udev-builtin-net_id.c
|
||||
index fd39a90c87..0d3c62f4b5 100644
|
||||
--- a/src/udev/udev-builtin-net_id.c
|
||||
+++ b/src/udev/udev-builtin-net_id.c
|
||||
@@ -28,7 +28,6 @@
|
||||
#include "device-private.h"
|
||||
#include "device-util.h"
|
||||
#include "dirent-util.h"
|
||||
-#include "escape.h"
|
||||
#include "ether-addr-util.h"
|
||||
#include "fd-util.h"
|
||||
#include "fileio.h"
|
||||
@@ -46,12 +45,6 @@
|
||||
#define ONBOARD_14BIT_INDEX_MAX ((1U << 14) - 1)
|
||||
#define ONBOARD_16BIT_INDEX_MAX ((1U << 16) - 1)
|
||||
|
||||
-static int log_invalid_device_attr(sd_device *dev, const char *attr, const char *value) {
|
||||
- _cleanup_free_ char *escaped = cescape(value);
|
||||
- return log_device_debug_errno(dev, SYNTHETIC_ERRNO(EINVAL),
|
||||
- "Invalid %s value '%s'.", attr, strnull(escaped));
|
||||
-}
|
||||
-
|
||||
/* skip intermediate virtio devices */
|
||||
static sd_device *device_skip_virtio(sd_device *dev) {
|
||||
/* there can only ever be one virtio bus per parent device, so we can
|
||||
@@ -245,7 +238,7 @@ static int get_port_specifier(sd_device *dev, bool fallback_to_dev_id, char **re
|
||||
}
|
||||
|
||||
if (!utf8_is_valid(phys_port_name) || string_has_cc(phys_port_name, /* ok= */ NULL))
|
||||
- return log_invalid_device_attr(dev, "phys_port_name", phys_port_name);
|
||||
+ return log_device_debug_errno(dev, SYNTHETIC_ERRNO(EINVAL), "Invalid phys_port_name");
|
||||
|
||||
/* Otherwise, use phys_port_name as is. */
|
||||
buf = strjoin("n", phys_port_name);
|
||||
@@ -352,7 +345,7 @@ static int names_pci_onboard_label(UdevEvent *event, sd_device *pci_dev, const c
|
||||
return log_device_debug_errno(pci_dev, r, "Failed to get PCI onboard label: %m");
|
||||
|
||||
if (!utf8_is_valid(label) || string_has_cc(label, /* ok= */ NULL))
|
||||
- return log_invalid_device_attr(dev, "label", label);
|
||||
+ return log_device_debug_errno(dev, SYNTHETIC_ERRNO(EINVAL), "Invalid label");
|
||||
|
||||
char str[ALTIFNAMSIZ];
|
||||
if (snprintf_ok(str, sizeof str, "%s%s",
|
||||
@@ -758,7 +751,8 @@ static int names_vio(UdevEvent *event, const char *prefix) {
|
||||
"VIO bus ID and slot ID have invalid length: %s", s);
|
||||
|
||||
if (!in_charset(s, HEXDIGITS))
|
||||
- return log_invalid_device_attr(dev, "VIO bus ID and slot ID", s);
|
||||
+ return log_device_debug_errno(dev, SYNTHETIC_ERRNO(EINVAL),
|
||||
+ "VIO bus ID and slot ID contain invalid characters: %s", s);
|
||||
|
||||
/* Parse only slot ID (the last 4 hexdigits). */
|
||||
r = safe_atou_full(s + 4, 16, &slotid);
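Review bot: In names_vio() the restored message prints `s` with %s on the branch that is taken precisely because `in_charset(s, HEXDIGITS)` failed, so the value written to the log is the one known to contain unexpected characters, and the removed helper was what escaped it. The commit message says bad characters are already filtered; if that filtering happens before this point, a comment here should say where, otherwise drop the value from the message as the restored phys_port_name and label messages do.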
|
||||
@@ -814,7 +808,8 @@ static int names_platform(UdevEvent *event, const char *prefix) {
|
||||
return -EOPNOTSUPP;
|
||||
|
||||
if (!in_charset(vendor, validchars))
|
||||
- return log_invalid_device_attr(dev, "platform vendor", vendor);
|
||||
+ return log_device_debug_errno(dev, SYNTHETIC_ERRNO(ENOENT),
|
||||
+ "Platform vendor contains invalid characters: %s", vendor);
|
||||
|
||||
ascii_strlower(vendor);
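Review bot: names_platform() now returns SYNTHETIC_ERRNO(ENOENT) for an invalid vendor string, while the removed helper returned EINVAL and every other invalid-attribute path touched by this patch still returns EINVAL, so the revert changes the error code on this path. The message also logs `vendor` unescaped on the failed in_charset() branch. Worth confirming that ENOENT is intended and noting the reason in a comment.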
|
||||
|
||||
@@ -1270,7 +1265,7 @@ static int names_netdevsim(UdevEvent *event, const char *prefix) {
|
||||
return log_device_debug_errno(dev, SYNTHETIC_ERRNO(EOPNOTSUPP),
|
||||
"The 'phys_port_name' attribute is empty.");
|
||||
if (!utf8_is_valid(phys_port_name) || string_has_cc(phys_port_name, /* ok= */ NULL))
|
||||
- return log_invalid_device_attr(dev, "phys_port_name", phys_port_name);
|
||||
+ return log_device_debug_errno(dev, SYNTHETIC_ERRNO(EINVAL), "Invalid phys_port_name");
|
||||
|
||||
char str[ALTIFNAMSIZ];
|
||||
if (snprintf_ok(str, sizeof str, "%si%un%s", prefix, addr, phys_port_name))
|
||||
@ -0,0 +1,71 @@
|
||||
From 890fa2263270063b5db76e950db13c1df19ee00f Mon Sep 17 00:00:00 2001
|
||||
From: Frantisek Sumsal <frantisek@sumsal.cz>
|
||||
Date: Tue, 24 Mar 2026 14:29:27 +0100
|
||||
Subject: [PATCH] homectl: apply all --member-of= groups from a comma-separated
|
||||
list
|
||||
|
||||
Commit 0e1ede4b4b6d1ce6b5b6cda5f803e4f1b5aa4a03 introduced a bug where
|
||||
we'd always fetch the "original" (empty) list of groups when processing
|
||||
a comma-separated list of groups from the --member-of= option, so only
|
||||
the last group from the list would get applied. This bug was then later
|
||||
(in 316e9887f2a48bd1c4efa3e31b4bfbaeb22de3a3) refactored into a separate
|
||||
function.
|
||||
|
||||
Follow-up for 0e1ede4b4b6d1ce6b5b6cda5f803e4f1b5aa4a03.
|
||||
Fixes: #41286
|
||||
|
||||
(cherry picked from commit f912de93125bcf0b6c59770503424bcafc683e78)
|
||||
|
||||
Resolves: RHEL-180924
|
||||
---
|
||||
src/home/homectl.c | 2 +-
|
||||
test/units/TEST-46-HOMED.sh | 23 +++++++++++++++++++++++
|
||||
2 files changed, 24 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/home/homectl.c b/src/home/homectl.c
|
||||
index c99663ffea..d6eb04a1e5 100644
|
||||
--- a/src/home/homectl.c
|
||||
+++ b/src/home/homectl.c
|
||||
@@ -4080,7 +4080,7 @@ static int parse_argv(int argc, char *argv[]) {
|
||||
if (!valid_user_group_name(word, 0))
|
||||
return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Invalid group name %s.", word);
|
||||
|
||||
- mo = sd_json_variant_ref(sd_json_variant_by_key(arg_identity_extra, "memberOf"));
|
||||
+ mo = sd_json_variant_ref(sd_json_variant_by_key(*(match_identity ?: &arg_identity_extra), "memberOf"));
|
||||
|
||||
r = sd_json_variant_strv(mo, &list);
|
||||
if (r < 0)
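Review bot: The fix depends on reading memberOf from the same variant that the loop later writes to, but nothing on the changed line says so, and `match_identity` is not explained in the visible context. A one-line comment above the sd_json_variant_by_key() call stating that the lookup must use the identity currently being built would guard against the bug being carried through another refactor, as the commit message describes.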
|
||||
diff --git a/test/units/TEST-46-HOMED.sh b/test/units/TEST-46-HOMED.sh
|
||||
index 998a52c76a..544dedfb0a 100755
|
||||
--- a/test/units/TEST-46-HOMED.sh
|
||||
+++ b/test/units/TEST-46-HOMED.sh
|
||||
@@ -82,6 +82,29 @@ inspect test-user
|
||||
SYSTEMD_LOG_LEVEL=debug PASSWORD=yPN4N0fYNKUkOq NEWPASSWORD=xEhErW0ndafV4s homectl passwd test-user
|
||||
inspect test-user
|
||||
|
||||
+# --member-of=
|
||||
+systemd-sysusers --inline "g test-group1" "g test-group2"
|
||||
+# Single group
|
||||
+PASSWORD=xEhErW0ndafV4s homectl update test-user --member-of="test-group1"
|
||||
+[[ "$(homectl inspect -j test-user | jq -c .memberOf)" == '["test-group1"]' ]]
|
||||
+# Multiple groups
|
||||
+PASSWORD=xEhErW0ndafV4s homectl update test-user --member-of="test-group1,test-group2"
|
||||
+[[ "$(homectl inspect -j test-user | jq -c .memberOf)" == '["test-group1","test-group2"]' ]]
|
||||
+# Empty argument
|
||||
+PASSWORD=xEhErW0ndafV4s homectl update test-user --member-of=
|
||||
+[[ "$(homectl inspect -j test-user | jq -c .memberOf)" == 'null' ]]
|
||||
+# Argument shenanigans
|
||||
+# - only separators
|
||||
+(! PASSWORD=xEhErW0ndafV4s homectl update test-user --member-of=",,,,,,,,,,,,,,,,,,")
|
||||
+# - invalid group
|
||||
+(! PASSWORD=xEhErW0ndafV4s homectl update test-user --member-of="test-group1,inv@lid.group?")
|
||||
+# - separators & valid groups
|
||||
+PASSWORD=xEhErW0ndafV4s homectl update test-user --member-of=",,,,,test-group1,,,,,,,,,,,,,,test-group2,"
|
||||
+[[ "$(homectl inspect -j test-user | jq -c .memberOf)" == '["test-group1","test-group2"]' ]]
|
||||
+# - duplicate groups
|
||||
+PASSWORD=xEhErW0ndafV4s homectl update test-user --member-of="test-group2,test-group1,test-group1,test-group2"
|
||||
+[[ "$(homectl inspect -j test-user | jq -c .memberOf)" == '["test-group1","test-group2"]' ]]
|
||||
+
|
||||
homectl deactivate test-user
|
||||
inspect test-user
|
||||
|
||||
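Review bot: The two negative cases (only separators, and `test-group1,inv@lid.group?`) check only that `homectl update` fails, not that the record was left untouched. The preceding empty-argument step leaves `memberOf` at `null`, so repeating the `jq -c .memberOf` comparison against `'null'` after each failing call would catch a partial apply of `test-group1` ahead of the invalid name. The duplicate-groups case also expects sorted output as well as deduplication (input order `test-group2,test-group1` yields `["test-group1","test-group2"]`); a comment saying so would make that expectation deliberate.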
@ -0,0 +1,75 @@
|
||||
From 535334a89f042af82de1284f4142c5966fbf1519 Mon Sep 17 00:00:00 2001
|
||||
From: Yu Watanabe <watanabe.yu+github@gmail.com>
|
||||
Date: Tue, 13 Jan 2026 15:48:56 +0900
|
||||
Subject: [PATCH] udevadm: gracefully handle when a maked file is specified to
|
||||
udevadm verify/cat
|
||||
|
||||
Previously, since 7cb4508c5af465ab1be1b103e6c2b613eb58e63c, if a masked
|
||||
file is specified, the commands failed.
|
||||
Let's warn that the file is masked and ignore the file.
|
||||
|
||||
(cherry picked from commit 782569afd05b97143938ec294b5a28b4f2ffb75c)
|
||||
|
||||
Resolves: RHEL-180917
|
||||
---
|
||||
src/udev/udevadm-util.c | 11 +++++++++++
|
||||
test/units/TEST-17-UDEV.10.sh | 2 +-
|
||||
test/units/TEST-17-UDEV.11.sh | 3 +--
|
||||
3 files changed, 13 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/src/udev/udevadm-util.c b/src/udev/udevadm-util.c
|
||||
index 4aa5e6b6d7..4c6c76dd54 100644
|
||||
--- a/src/udev/udevadm-util.c
|
||||
+++ b/src/udev/udevadm-util.c
|
||||
@@ -149,6 +149,12 @@ static int search_rules_file_in_conf_dirs(const char *s, const char *root, char
|
||||
if (!path)
|
||||
return log_oom();
|
||||
|
||||
+ r = null_or_empty_path_with_root(path, root);
|
||||
+ if (r > 0) {
|
||||
+ log_warning("File '%s%s' is a mask, ignoring.", empty_to_root(root), skip_leading_slash(path));
|
||||
+ return 1; /* Found masked file. */
|
||||
+ }
|
||||
+
|
||||
r = chase(path, root, CHASE_PREFIX_ROOT | CHASE_MUST_BE_REGULAR, &resolved, /* ret_fd = */ NULL);
|
||||
if (r == -ENOENT)
|
||||
continue;
|
||||
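Review bot: In `search_rules_file_in_conf_dirs()` only `r > 0` from `null_or_empty_path_with_root()` is acted on; a negative return is dropped and then overwritten by the following `chase()` call. If that is intentional because `chase()` reports the same failure (the `-ENOENT` case handled just below), a short comment should say so; otherwise log or return the error before continuing, so that a failed mask check cannot silently fall through to parsing the file.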
@@ -183,6 +189,11 @@ static int search_rules_file(const char *s, const char *root, char ***files) {
|
||||
if (r < 0)
|
||||
return log_error_errno(r, "Failed to chase \"%s\": %m", s);
|
||||
|
||||
+ if (null_or_empty(&st)) {
|
||||
+ log_warning("File '%s%s' is a mask, ignoring.", empty_to_root(root), skip_leading_slash(s));
|
||||
+ return 0; /* Found masked file. */
|
||||
+ }
|
||||
+
|
||||
r = stat_verify_regular(&st);
|
||||
if (r == -EISDIR) {
|
||||
_cleanup_strv_free_ char **files_in_dir = NULL;
|
||||
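Review bot: The masked-file branch in `search_rules_file()` returns 0 while the matching branch added to `search_rules_file_in_conf_dirs()` returns 1, both under the identical comment `/* Found masked file. */`. If the difference follows each function's return convention, the comments should state what the value means to the caller. The warning also builds the path from `empty_to_root(root)` and `skip_leading_slash(s)`, whereas the error just above prints `s` unchanged, so for a relative argument the logged name may not match what was actually opened.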
diff --git a/test/units/TEST-17-UDEV.10.sh b/test/units/TEST-17-UDEV.10.sh
|
||||
index 68d310a8e5..b81b8a9b1f 100755
|
||||
--- a/test/units/TEST-17-UDEV.10.sh
|
||||
+++ b/test/units/TEST-17-UDEV.10.sh
|
||||
@@ -38,7 +38,7 @@ udevadm cat 99-systemd
|
||||
udevadm cat 99-systemd.rules
|
||||
udevadm cat /usr/lib/udev/rules.d/99-systemd.rules
|
||||
udevadm cat /usr/lib/udev/rules.d
|
||||
-(! udevadm cat /dev/null)
|
||||
+udevadm cat /dev/null
|
||||
udevadm cat --config
|
||||
udevadm cat -h
|
||||
|
||||
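Review bot: `udevadm cat /dev/null` now checks only the exit status for an explicitly given path. It does not cover a mask found by name through the configuration directories, which is the other branch this patch changes, nor that the "is a mask, ignoring" warning is emitted. A case with a rules file symlinked to `/dev/null` in a rules directory and requested by name, plus a check of stderr for the warning, would cover both.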
diff --git a/test/units/TEST-17-UDEV.11.sh b/test/units/TEST-17-UDEV.11.sh
|
||||
index f0ab20e5c9..ff15343827 100755
|
||||
--- a/test/units/TEST-17-UDEV.11.sh
|
||||
+++ b/test/units/TEST-17-UDEV.11.sh
|
||||
@@ -116,8 +116,7 @@ assert_1 --resolve-names=now
|
||||
assert_1 ./nosuchfile
|
||||
# Failed to parse rules file ./nosuchfile: No such file or directory
|
||||
assert_1 ./nosuchfile /dev/null
|
||||
-# '/dev/null' is neither a regular file nor a directory: File descriptor in bad state
|
||||
-assert_1 /dev/null
|
||||
+assert_0 /dev/null
|
||||
|
||||
rules_dir='etc/udev/rules.d'
|
||||
mkdir -p "${rules_dir}"
|
||||
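Review bot: `assert_0 /dev/null` replaces a case whose comment recorded the expected message, and the new line carries none. Add a comment with the expected warning (`File '...' is a mask, ignoring.`) in line with the neighbouring cases, and, if the helper allows it, assert on the output so that the masked-file path is distinguishable from any other silent success.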
24
systemd.spec
@ -48,7 +48,7 @@ Url: https://systemd.io
|
||||
# Allow users to specify the version and release when building the rpm by
|
||||
# setting the %%version_override and %%release_override macros.
|
||||
Version: %{?version_override}%{!?version_override:257}
|
||||
Release: 27%{?dist}.alma.1
|
||||
Release: 28%{?dist}.alma.1
|
||||
|
||||
%global stable %(c="%version"; [ "$c" = "${c#*.*}" ]; echo $?)
|
||||
|
||||
@ -792,6 +792,15 @@ Patch0679: 0679-udev-net_id-introduce-naming-scheme-for-RHEL-10.3.patch
|
||||
Patch0680: 0680-Tag-accel-devices-for-uaccess-render.patch
|
||||
Patch0681: 0681-udev-tag-kfd-devices-for-xaccess-render-40888.patch
|
||||
Patch0682: 0682-fstab-generator-fix-spurious-quota-warning-for-xfs.patch
|
||||
Patch0683: 0683-man-reword-the-description-of-secure-pager-handling.patch
|
||||
Patch0684: 0684-pager-also-check-for-SUDO_UID.patch
|
||||
Patch0685: 0685-Revert-mount-setup-tune-down-log-level-if-usrquota-i.patch
|
||||
Patch0686: 0686-Revert-nspawn-enable-usrquota-support-on-tmp-and-dev.patch
|
||||
Patch0687: 0687-Revert-units-enable-usrquota-support-on-tmp.patch
|
||||
Patch0688: 0688-Revert-pid1-enable-usrquota-support-on-dev-shm.patch
|
||||
Patch0689: 0689-Revert-udev-builtin-net-id-print-cescaped-bad-attrib.patch
|
||||
Patch0690: 0690-homectl-apply-all-member-of-groups-from-a-comma-sepa.patch
|
||||
Patch0691: 0691-udevadm-gracefully-handle-when-a-maked-file-is-speci.patch
|
||||
|
||||
# Downstream-only patches (9000–9999)
|
||||
%endif
|
||||
@ -1743,9 +1752,20 @@ rm -f .file-list-*
|
||||
rm -f %{name}.lang
|
||||
|
||||
%changelog
|
||||
* Tue Jun 16 2026 Andrew Lukoshko <alukoshko@almalinux.org> - 257-27.alma.1
|
||||
* Thu Jul 02 2026 Andrew Lukoshko <alukoshko@almalinux.org> - 257-28.alma.1
|
||||
- Debrand for AlmaLinux
|
||||
|
||||
* Wed Jul 01 2026 systemd maintenance team <systemd-maint@redhat.com> - 257-28
|
||||
- man: reword the description of "secure pager" handling (RHEL-102939)
|
||||
- pager: also check for $SUDO_UID (RHEL-102939)
|
||||
- Revert "mount-setup: tune down log level if usrquota is not supported, apply usrquota when smack is in use too" (RHEL-143028)
|
||||
- Revert "nspawn: enable usrquota support on /tmp/ and /dev/shm/" (RHEL-143028)
|
||||
- Revert "units: enable usrquota support on /tmp/" (RHEL-143028)
|
||||
- Revert "pid1: enable usrquota support on /dev/shm" (RHEL-143028)
|
||||
- Revert "udev-builtin-net-id: print cescaped bad attributes" (RHEL-180922)
|
||||
- homectl: apply all --member-of= groups from a comma-separated list (RHEL-180924)
|
||||
- udevadm: gracefully handle when a maked file is specified to udevadm verify/cat (RHEL-180917)
|
||||
|
||||
* Mon Jun 15 2026 systemd maintenance team <systemd-maint@redhat.com> - 257-27
|
||||
- Do not build efi stub on i686 anymore (RHEL-176073)
|
||||
|
||||
|
||||
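Review bot: The `%changelog` hunk rewrites the downstream entry in place: the `* Tue Jun 16 2026 ... 257-27.alma.1` header is replaced by `* Thu Jul 02 2026 ... 257-28.alma.1` rather than a new entry being added above it, so the 257-27.alma.1 build no longer appears in the package history. If the changelog is meant to be an audit trail of shipped releases, keep the earlier "Debrand for AlmaLinux" entry and add the new one on top.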