import systemd-249-7.el9_b
dce7cb8d0f
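--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/systemd-249.tar.gz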
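--- /dev/null
+++ b/.systemd.metadata
@@ -0,0 +1 @@
+7c8e186aa6a81d97f86d62584062d0b560e4559d SOURCES/systemd-249.tar.gz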
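--- /dev/null
+++ b/SOURCES/0001-logind-set-RemoveIPC-to-false-by-default.patch
@@ -0,0 +1,54 @@
+From 5ce0a9b91add22f2a21f1bc7c0f888307f7e58e8 Mon Sep 17 00:00:00 2001
+From: rpm-build <rpm-build>
+Date: Wed, 1 Aug 2018 10:58:28 +0200
+Subject: [PATCH] logind: set RemoveIPC to false by default
+
+RHEL-only
+
+Resolves: #1959836
+
+(cherry picked from commit 0b3833d6c3b751c6dfb40eeb2ef852984c58f546)
+---
+man/logind.conf.xml | 2 +-
+src/login/logind-core.c | 2 +-
+src/login/logind.conf.in | 2 +-
+3 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/man/logind.conf.xml b/man/logind.conf.xml
+index be62b6b572..bec7ff44af 100644
+--- a/man/logind.conf.xml
++++ b/man/logind.conf.xml
+@@ -346,7 +346,7 @@
+user fully logs out. Takes a boolean argument. If enabled, the user may not consume IPC resources after the
+last of the user's sessions terminated. This covers System V semaphores, shared memory and message queues, as
+well as POSIX shared memory and message queues. Note that IPC objects of the root user and other system users
+- are excluded from the effect of this setting. Defaults to <literal>yes</literal>.</para></listitem>
++ are excluded from the effect of this setting. Defaults to <literal>no</literal>.</para></listitem>
+</varlistentry>
+
+</variablelist>
+diff --git a/src/login/logind-core.c b/src/login/logind-core.c
+index 22031f485a..f5e1126adc 100644
+--- a/src/login/logind-core.c
++++ b/src/login/logind-core.c
+@@ -34,7 +34,7 @@ void manager_reset_config(Manager *m) {
+
+m->n_autovts = 6;
+m->reserve_vt = 6;
+- m->remove_ipc = true;
++ m->remove_ipc = false;
+m->inhibit_delay_max = 5 * USEC_PER_SEC;
+m->user_stop_delay = 10 * USEC_PER_SEC;
+
+diff --git a/src/login/logind.conf.in b/src/login/logind.conf.in
+index 27ba77ce79..f9c5099865 100644
+--- a/src/login/logind.conf.in
++++ b/src/login/logind.conf.in
+@@ -39,6 +39,6 @@
+#IdleActionSec=30min
+#RuntimeDirectorySize=10%
+#RuntimeDirectoryInodes=400k
+-#RemoveIPC=yes
++#RemoveIPC=no
+#InhibitorsMax=8192
+#SessionsMax=8192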
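Review bot: The man page hunk only flips the documented default from yes to no; it does not tell the reader that with RemoveIPC=no a user's System V and POSIX IPC objects now outlive the last session, which is exactly the cleanup that administrators relying on the upstream default will lose. Suggest a sentence after the new `Defaults to <literal>no</literal>` text: `Note that with this default, IPC objects created by a user persist after the user's last session ends until they are removed explicitly; set RemoveIPC=yes to have logind remove them.` The logind-core.c and logind.conf.in hunks carry the same value, so the three files stay in agreement; manager_reset_config continues outside its hunk.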
@ -0,0 +1,65 @@
|
||||
From d00c14d513bbac6562a5921a2be225cfcc4f794f Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
|
||||
Date: Wed, 23 Jun 2021 11:46:41 +0200
|
||||
Subject: [PATCH] basic/unit-name: do not use strdupa() on a path
|
||||
|
||||
The path may have unbounded length, for example through a fuse mount.
|
||||
|
||||
CVE-2021-33910: attacked controlled alloca() leads to crash in systemd and
|
||||
ultimately a kernel panic. Systemd parses the content of /proc/self/mountinfo
|
||||
and each mountpoint is passed to mount_setup_unit(), which calls
|
||||
unit_name_path_escape() underneath. A local attacker who is able to mount a
|
||||
filesystem with a very long path can crash systemd and the whole system.
|
||||
|
||||
https://bugzilla.redhat.com/show_bug.cgi?id=1970887
|
||||
|
||||
The resulting string length is bounded by UNIT_NAME_MAX, which is 256. But we
|
||||
can't easily check the length after simplification before doing the
|
||||
simplification, which in turns uses a copy of the string we can write to.
|
||||
So we can't reject paths that are too long before doing the duplication.
|
||||
Hence the most obvious solution is to switch back to strdup(), as before
|
||||
7410616cd9dbbec97cf98d75324da5cda2b2f7a2.
|
||||
|
||||
Resolves: #1984299
|
||||
|
||||
(cherry picked from commit 441e0115646d54f080e5c3bb0ba477c892861ab9)
|
||||
---
|
||||
src/basic/unit-name.c | 13 +++++--------
|
||||
1 file changed, 5 insertions(+), 8 deletions(-)
|
||||
|
||||
diff --git a/src/basic/unit-name.c b/src/basic/unit-name.c
|
||||
index 284a773483..a22763443f 100644
|
||||
--- a/src/basic/unit-name.c
|
||||
+++ b/src/basic/unit-name.c
|
||||
@@ -378,12 +378,13 @@ int unit_name_unescape(const char *f, char **ret) {
|
||||
}
|
||||
|
||||
int unit_name_path_escape(const char *f, char **ret) {
|
||||
- char *p, *s;
|
||||
+ _cleanup_free_ char *p = NULL;
|
||||
+ char *s;
|
||||
|
||||
assert(f);
|
||||
assert(ret);
|
||||
|
||||
- p = strdupa(f);
|
||||
+ p = strdup(f);
|
||||
if (!p)
|
||||
return -ENOMEM;
|
||||
|
||||
@@ -395,13 +396,9 @@ int unit_name_path_escape(const char *f, char **ret) {
|
||||
if (!path_is_normalized(p))
|
||||
return -EINVAL;
|
||||
|
||||
- /* Truncate trailing slashes */
|
||||
+ /* Truncate trailing slashes and skip leading slashes */
|
||||
delete_trailing_chars(p, "/");
|
||||
-
|
||||
- /* Truncate leading slashes */
|
||||
- p = skip_leading_chars(p, "/");
|
||||
-
|
||||
- s = unit_name_escape(p);
|
||||
+ s = unit_name_escape(skip_leading_chars(p, "/"));
|
||||
}
|
||||
if (!s)
|
||||
return -ENOMEM;
|
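Review bot: In the second hunk `p` is now the owner of a heap allocation released by `_cleanup_free_`, so the old `p = skip_leading_chars(p, "/")` would have handed a shifted pointer to free(); the rewrite to `s = unit_name_escape(skip_leading_chars(p, "/"));` avoids that, but nothing in the code says why the call is inlined, and the next cleanup pass is likely to reintroduce the reassignment. Suggest a one-line comment above it: `/* Do not reassign p: it must still point at the start of the allocation for _cleanup_free_ */`. In the first hunk the existing `if (!p) return -ENOMEM;` was effectively unreachable with strdupa() and becomes a live check with strdup(), which is worth a word in the description. unit_name_path_escape continues outside both hunks.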
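--- /dev/null
+++ b/SOURCES/0003-basic-unit-name-adjust-comments.patch
@@ -0,0 +1,39 @@
+From 10a1e767c7bacca5da4ae7260c2a53f7949c3d7e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Wed, 23 Jun 2021 11:52:56 +0200
+Subject: [PATCH] basic/unit-name: adjust comments
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+We already checked for "too long" right above…
+
+Related: #1984299
+
+(cherry picked from commit 4e2544c30bfb95e7cb4d1551ba066b1a56520ad6)
+---
+src/basic/unit-name.c | 4 ++--
+1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/basic/unit-name.c b/src/basic/unit-name.c
+index a22763443f..1deead7458 100644
+--- a/src/basic/unit-name.c
++++ b/src/basic/unit-name.c
+@@ -528,7 +528,7 @@ int unit_name_from_path(const char *path, const char *suffix, char **ret) {
+if (strlen(s) >= UNIT_NAME_MAX) /* Return a slightly more descriptive error for this specific condition */
+return -ENAMETOOLONG;
+
+- /* Refuse this if this got too long or for some other reason didn't result in a valid name */
++ /* Refuse if this for some other reason didn't result in a valid name */
+if (!unit_name_is_valid(s, UNIT_NAME_PLAIN))
+return -EINVAL;
+
+@@ -562,7 +562,7 @@ int unit_name_from_path_instance(const char *prefix, const char *path, const cha
+if (strlen(s) >= UNIT_NAME_MAX) /* Return a slightly more descriptive error for this specific condition */
+return -ENAMETOOLONG;
+
+- /* Refuse this if this got too long or for some other reason didn't result in a valid name */
++ /* Refuse if this for some other reason didn't result in a valid name */
+if (!unit_name_is_valid(s, UNIT_NAME_INSTANCE))
+return -EINVAL;
+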
@ -0,0 +1,27 @@
|
||||
From ae1b3df445f9f9e27fa6a42602d4eb1db92df7a0 Mon Sep 17 00:00:00 2001
|
||||
From: Michal Sekletar <msekleta@redhat.com>
|
||||
Date: Thu, 5 Aug 2021 17:11:47 +0200
|
||||
Subject: [PATCH] tmpfiles: don't create resolv.conf -> stub-resolv.conf
|
||||
symlink
|
||||
|
||||
RHEL-only
|
||||
|
||||
Resolves: #1989472
|
||||
---
|
||||
tmpfiles.d/etc.conf.in | 3 ---
|
||||
1 file changed, 3 deletions(-)
|
||||
|
||||
diff --git a/tmpfiles.d/etc.conf.in b/tmpfiles.d/etc.conf.in
|
||||
index 2323fd8cd8..ebdc699c26 100644
|
||||
--- a/tmpfiles.d/etc.conf.in
|
||||
+++ b/tmpfiles.d/etc.conf.in
|
||||
@@ -12,9 +12,6 @@ L+ /etc/mtab - - - - ../proc/self/mounts
|
||||
{% if HAVE_SMACK_RUN_LABEL %}
|
||||
t /etc/mtab - - - - security.SMACK64=_
|
||||
{% endif %}
|
||||
-{% if ENABLE_RESOLVE %}
|
||||
-L! /etc/resolv.conf - - - - ../run/systemd/resolve/stub-resolv.conf
|
||||
-{% endif %}
|
||||
C! /etc/nsswitch.conf - - - -
|
||||
{% if HAVE_PAM %}
|
||||
C! /etc/pam.d - - - -
|
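--- /dev/null
+++ b/SOURCES/0005-Copy-40-redhat.rules-from-RHEL-8.patch
@@ -0,0 +1,78 @@
+From ddf558cda4afe6b81586887bcbb8d0ea376c7e71 Mon Sep 17 00:00:00 2001
+From: David Tardon <dtardon@redhat.com>
+Date: Fri, 2 Jul 2021 13:25:51 +0200
+Subject: [PATCH] Copy 40-redhat.rules from RHEL-8
+
+RHEL-only
+
+Resolves: #1978639
+---
+rules.d/40-redhat.rules | 46 +++++++++++++++++++++++++++++++++++++++++
+rules.d/meson.build | 1 +
+2 files changed, 47 insertions(+)
+create mode 100644 rules.d/40-redhat.rules
+
+diff --git a/rules.d/40-redhat.rules b/rules.d/40-redhat.rules
+new file mode 100644
+index 0000000000..3c95cd2df0
+--- /dev/null
++++ b/rules.d/40-redhat.rules
+@@ -0,0 +1,46 @@
++# do not edit this file, it will be overwritten on update
++
++# CPU hotadd request
++SUBSYSTEM=="cpu", ACTION=="add", TEST=="online", ATTR{online}=="0", ATTR{online}="1"
++
++# Memory hotadd request
++SUBSYSTEM!="memory", GOTO="memory_hotplug_end"
++ACTION!="add", GOTO="memory_hotplug_end"
++CONST{arch}=="s390*", GOTO="memory_hotplug_end"
++CONST{arch}=="ppc64*", GOTO="memory_hotplug_end"
++
++ENV{.state}="online"
++CONST{virt}=="none", ENV{.state}="online_movable"
++ATTR{state}=="offline", ATTR{state}="$env{.state}"
++
++LABEL="memory_hotplug_end"
++
++# reload sysctl.conf / sysctl.conf.d settings when the bridge module is loaded
++ACTION=="add", SUBSYSTEM=="module", KERNEL=="bridge", RUN+="/usr/lib/systemd/systemd-sysctl --prefix=/proc/sys/net/bridge"
++
++# load SCSI generic (sg) driver
++SUBSYSTEM=="scsi", ENV{DEVTYPE}=="scsi_device", TEST!="[module/sg]", RUN+="/sbin/modprobe -bv sg"
++SUBSYSTEM=="scsi", ENV{DEVTYPE}=="scsi_target", TEST!="[module/sg]", RUN+="/sbin/modprobe -bv sg"
++
++# Rule for prandom character device node permissions
++KERNEL=="prandom", MODE="0644"
++
++# Rules for creating the ID_PATH for SCSI devices based on the CCW bus
++# using the form: ccw-<BUS_ID>-zfcp-<WWPN>:<LUN>
++#
++ACTION=="remove", GOTO="zfcp_scsi_device_end"
++
++#
++# Set environment variable "ID_ZFCP_BUS" to "1" if the devices
++# (both disk and partition) are SCSI devices based on FCP devices
++#
++KERNEL=="sd*", SUBSYSTEMS=="ccw", DRIVERS=="zfcp", ENV{.ID_ZFCP_BUS}="1"
++
++# For SCSI disks
++KERNEL=="sd*[!0-9]", SUBSYSTEMS=="scsi", ENV{.ID_ZFCP_BUS}=="1", ENV{DEVTYPE}=="disk", SYMLINK+="disk/by-path/ccw-$attr{hba_id}-zfcp-$attr{wwpn}:$attr{fcp_lun}"
++
++
++# For partitions on a SCSI disk
++KERNEL=="sd*[0-9]", SUBSYSTEMS=="scsi", ENV{.ID_ZFCP_BUS}=="1", ENV{DEVTYPE}=="partition", SYMLINK+="disk/by-path/ccw-$attr{hba_id}-zfcp-$attr{wwpn}:$attr{fcp_lun}-part%n"
++
++LABEL="zfcp_scsi_device_end"
+diff --git a/rules.d/meson.build b/rules.d/meson.build
+index 598649a562..72632979fa 100644
+--- a/rules.d/meson.build
++++ b/rules.d/meson.build
+@@ -5,6 +5,7 @@ install_data(
+install_dir : udevrulesdir)
+
+rules = files('''
++ 40-redhat.rules
+60-autosuspend.rules
+60-block.rules
+60-cdrom_id.rules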
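Review bot: The new rules file opens with `# do not edit this file, it will be overwritten on update` but gives no pointer to the supported way of overriding it, so an administrator who needs to disable the automatic CPU/memory onlining or the sg autoload will edit it in place and lose the change on the next update. Suggest extending the header: `# To change these rules, copy this file to /etc/udev/rules.d/40-redhat.rules and edit the copy; the /etc copy takes precedence.` The `KERNEL=="prandom", MODE="0644"` rule also sets an explicit world-readable mode on a device node with no comment on why that mode is wanted; a one-line rationale next to it would spare the next reviewer the same question.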
@ -0,0 +1,47 @@
|
||||
From d77095927682f5a6921d3825256743eb8f5e6e1b Mon Sep 17 00:00:00 2001
|
||||
From: Jan Synacek <jsynacek@redhat.com>
|
||||
Date: Tue, 15 May 2018 09:24:20 +0200
|
||||
Subject: [PATCH] Avoid /tmp being mounted as tmpfs without the user's will
|
||||
|
||||
Ensure PrivateTmp doesn't require tmpfs through tmp.mount, but rather
|
||||
adds an After relationship.
|
||||
|
||||
RHEL-only
|
||||
|
||||
Resolves: #1959826
|
||||
|
||||
(cherry picked from commit f58c5ced373c2532b5cc44ba2e0c3a28b41472f2)
|
||||
---
|
||||
src/core/unit.c | 7 +------
|
||||
units/basic.target | 3 ++-
|
||||
2 files changed, 3 insertions(+), 7 deletions(-)
|
||||
|
||||
diff --git a/src/core/unit.c b/src/core/unit.c
|
||||
index 30afd5a776..d9cd0c229a 100644
|
||||
--- a/src/core/unit.c
|
||||
+++ b/src/core/unit.c
|
||||
@@ -1266,12 +1266,7 @@ int unit_add_exec_dependencies(Unit *u, ExecContext *c) {
|
||||
}
|
||||
|
||||
if (c->private_tmp) {
|
||||
-
|
||||
- /* FIXME: for now we make a special case for /tmp and add a weak dependency on
|
||||
- * tmp.mount so /tmp being masked is supported. However there's no reason to treat
|
||||
- * /tmp specifically and masking other mount units should be handled more
|
||||
- * gracefully too, see PR#16894. */
|
||||
- r = unit_add_two_dependencies_by_name(u, UNIT_AFTER, UNIT_WANTS, "tmp.mount", true, UNIT_DEPENDENCY_FILE);
|
||||
+ r = unit_add_dependency_by_name(u, UNIT_AFTER, "tmp.mount", true, UNIT_DEPENDENCY_FILE);
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
diff --git a/units/basic.target b/units/basic.target
|
||||
index d8cdd5ac14..9eae0782a2 100644
|
||||
--- a/units/basic.target
|
||||
+++ b/units/basic.target
|
||||
@@ -19,4 +19,5 @@ After=sysinit.target sockets.target paths.target slices.target tmp.mount
|
||||
# require /var and /var/tmp, but only add a Wants= type dependency on /tmp, as
|
||||
# we support that unit being masked, and this should not be considered an error.
|
||||
RequiresMountsFor=/var /var/tmp
|
||||
-Wants=tmp.mount
|
||||
+# RHEL-only: Disable /tmp on tmpfs.
|
||||
+#Wants=tmp.mount
|
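Review bot: The unit.c hunk replaces a five-line FIXME explaining why tmp.mount is special-cased with a bare `r = unit_add_dependency_by_name(u, UNIT_AFTER, "tmp.mount", true, UNIT_DEPENDENCY_FILE);` and no comment, while the downstream rationale survives only as `# RHEL-only: Disable /tmp on tmpfs.` in basic.target. A reader of unit.c will see PrivateTmp= ordering after tmp.mount without pulling it in and may assume the Wants= was dropped by accident. Suggest a comment above the call: `/* RHEL-only: order after tmp.mount but do not pull it in, so PrivateTmp= does not force a tmpfs on /tmp */`. unit_add_exec_dependencies continues outside the hunk.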
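--- /dev/null
+++ b/SOURCES/0007-unit-don-t-add-Requires-for-tmp.mount.patch
@@ -0,0 +1,40 @@
+From 209af66ef66a67a9cafa5a1d6364ce436cd593aa Mon Sep 17 00:00:00 2001
+From: Lukas Nykryn <lnykryn@redhat.com>
+Date: Mon, 5 Sep 2016 12:47:09 +0200
+Subject: [PATCH] unit: don't add Requires for tmp.mount
+
+rhel-only
+Resolves: #1619292
+
+(cherry picked from commit 03e52d33bbdea731eaa79545bb1d30c5b21abe3d)
+---
+src/core/mount.c | 2 +-
+src/core/unit.c | 2 +-
+2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/core/mount.c b/src/core/mount.c
+index 053deac14d..1fd3102ad3 100644
+--- a/src/core/mount.c
++++ b/src/core/mount.c
+@@ -343,7 +343,7 @@ static int mount_add_mount_dependencies(Mount *m) {
+if (r < 0)
+return r;
+
+- if (UNIT(m)->fragment_path) {
++ if (UNIT(m)->fragment_path && !streq(UNIT(m)->id, "tmp.mount")) {
+/* If we have fragment configuration, then make this dependency required */
+r = unit_add_dependency(other, UNIT_REQUIRES, UNIT(m), true, UNIT_DEPENDENCY_PATH);
+if (r < 0)
+diff --git a/src/core/unit.c b/src/core/unit.c
+index d9cd0c229a..371dda7e29 100644
+--- a/src/core/unit.c
++++ b/src/core/unit.c
+@@ -1506,7 +1506,7 @@ static int unit_add_mount_dependencies(Unit *u) {
+if (r < 0)
+return r;
+
+- if (m->fragment_path) {
++ if (m->fragment_path && !streq(m->id, "tmp.mount")) {
+r = unit_add_dependency(u, UNIT_REQUIRES, m, true, di.origin_mask);
+if (r < 0)
+return r;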
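Review bot: The `"tmp.mount"` special case is duplicated verbatim in mount_add_mount_dependencies (mount.c hunk) and unit_add_mount_dependencies (unit.c hunk) with no comment at either site, so a change to one condition will silently leave the other behind. At minimum both conditions deserve the same explanatory comment, e.g. `/* RHEL-only: tmp.mount may be disabled or masked, so never turn it into a hard Requires= */`, and a small shared helper taking the Unit would remove the literal from both call sites. Both enclosing functions continue outside their hunks.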
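--- /dev/null
+++ b/SOURCES/0008-units-add-Install-section-to-tmp.mount.patch
@@ -0,0 +1,25 @@
+From c54ec17a683866f8e74f0d78c19369a6e86e46f3 Mon Sep 17 00:00:00 2001
+From: Jan Synacek <jsynacek@redhat.com>
+Date: Tue, 22 Jan 2019 10:28:42 +0100
+Subject: [PATCH] units: add [Install] section to tmp.mount
+
+RHEL-only
+
+Related: #1959826
+(cherry picked from commit bb3d205bea1c83cbd0e27b504f5f1faa884fb602)
+---
+units/tmp.mount | 4 ++++
+1 file changed, 4 insertions(+)
+
+diff --git a/units/tmp.mount b/units/tmp.mount
+index 516bd1621c..fc1812111e 100644
+--- a/units/tmp.mount
++++ b/units/tmp.mount
+@@ -23,3 +23,7 @@ What=tmpfs
+Where=/tmp
+Type=tmpfs
+Options=mode=1777,strictatime,nosuid,nodev,size=50%,nr_inodes=400k
++
++# Make 'systemctl enable tmp.mount' work:
++[Install]
++WantedBy=local-fs.target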
@ -0,0 +1,29 @@
|
||||
From 10c26ebc7cd9bff3d73ff9a89ddec44bde88e4cd Mon Sep 17 00:00:00 2001
|
||||
From: David Tardon <dtardon@redhat.com>
|
||||
Date: Thu, 11 Mar 2021 15:48:23 +0100
|
||||
Subject: [PATCH] rc-local: order after network-online.target
|
||||
|
||||
I think this was the intent of commit 91b684c7300879a8d2006038f7d9185d92c3c3bf,
|
||||
just network-online.target didn't exist back then.
|
||||
|
||||
RHEL-only
|
||||
|
||||
Resolves: #1954429
|
||||
---
|
||||
units/rc-local.service.in | 3 ++-
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/units/rc-local.service.in b/units/rc-local.service.in
|
||||
index 55e83dfe00..0eee722154 100644
|
||||
--- a/units/rc-local.service.in
|
||||
+++ b/units/rc-local.service.in
|
||||
@@ -13,7 +13,8 @@
|
||||
Description={{RC_LOCAL_PATH}} Compatibility
|
||||
Documentation=man:systemd-rc-local-generator(8)
|
||||
ConditionFileIsExecutable={{RC_LOCAL_PATH}}
|
||||
-After=network.target
|
||||
+After=network-online.target
|
||||
+Wants=network-online.target
|
||||
|
||||
[Service]
|
||||
Type=forking
|
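Review bot: `Wants=network-online.target` is a behaviour change beyond the ordering the subject describes: it pulls network-online.target, and whatever wait-online service implements it, into the transaction on every boot where the rc.local file is executable, which can add a boot delay that the previous plain After= did not. If that is intended, the unit should say so above the new lines, e.g. `# RHEL-only: rc.local scripts commonly expect a configured network, so pull in network-online.target instead of only ordering after it.`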
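--- /dev/null
+++ b/SOURCES/0010-ci-drop-CIs-irrelevant-for-downstream.patch
@@ -0,0 +1,284 @@
+From b3c617b8d0fb95322e203842d2ac68593a4acdcd Mon Sep 17 00:00:00 2001
+From: Frantisek Sumsal <frantisek@sumsal.cz>
+Date: Sun, 18 Apr 2021 20:46:06 +0200
+Subject: [PATCH] ci: drop CIs irrelevant for downstream
+
+* CIFuzz would need a separate project in oss-fuzz
+* Coverity would also need a separate project
+* the Labeler action is superfluous, since we already have a bot for
+that
+* mkosi testing on other distros is irrelevant for downstream RHEL
+repo
+
+Resolves: #1960703
+rhel-only
+---
+.github/labeler.yml | 38 ------------------
+.github/workflows/cifuzz.yml | 47 ----------------------
+.github/workflows/coverity.yml | 39 -------------------
+.github/workflows/labeler.yml | 13 -------
+.github/workflows/mkosi.yml | 58 ----------------------------
+.github/workflows/test_mkosi_boot.py | 24 ------------
+6 files changed, 219 deletions(-)
+delete mode 100644 .github/labeler.yml
+delete mode 100644 .github/workflows/cifuzz.yml
+delete mode 100644 .github/workflows/coverity.yml
+delete mode 100644 .github/workflows/labeler.yml
+delete mode 100644 .github/workflows/mkosi.yml
+delete mode 100755 .github/workflows/test_mkosi_boot.py
+
+diff --git a/.github/labeler.yml b/.github/labeler.yml
+deleted file mode 100644
+index 773d575004..0000000000
+--- a/.github/labeler.yml
++++ /dev/null
+@@ -1,38 +0,0 @@
+-hwdb:
+- - hwdb.d/**/*
+-units:
+- - units/**/*
+-documentation:
+- - NEWS
+- - docs/*
+-network:
+- - src/libsystemd-network/**/*
+- - src/network/**/*
+-udev:
+- - src/udev/**/*
+- - src/libudev/*
+-selinux:
+- - '**/*selinux*'
+-apparmor:
+- - '**/*apparmor*'
+-meson:
+- - meson_option.txt
+-mkosi:
+- - .mkosi/*
+- - mkosi.build
+-busctl:
+- - src/busctl/*
+-systemctl:
+- - src/systemctl/*
+-journal:
+- - src/journal/*
+-journal-remote:
+- - src/journal-remote/*
+-portable:
+- - src/portable/**/*
+-resolve:
+- - src/resolve/*
+-timedate:
+- - src/timedate/*
+-timesync:
+- - src/timesync/*
+diff --git a/.github/workflows/cifuzz.yml b/.github/workflows/cifuzz.yml
+deleted file mode 100644
+index 14d81a67ff..0000000000
+--- a/.github/workflows/cifuzz.yml
++++ /dev/null
+@@ -1,47 +0,0 @@
+----
+-# vi: ts=2 sw=2 et:
+-# See: https://google.github.io/oss-fuzz/getting-started/continuous-integration/
+-
+-name: CIFuzz
+-on:
+- pull_request:
+- paths:
+- - '**/meson.build'
+- - '.github/workflows/**'
+- - 'meson_options.txt'
+- - 'src/**'
+- - 'test/fuzz/**'
+- - 'tools/oss-fuzz.sh'
+- push:
+- branches:
+- - main
+-jobs:
+- Fuzzing:
+- runs-on: ubuntu-latest
+- if: github.repository == 'systemd/systemd'
+- strategy:
+- fail-fast: false
+- matrix:
+- sanitizer: [address, undefined, memory]
+- steps:
+- - name: Build Fuzzers (${{ matrix.sanitizer }})
+- id: build
+- uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master
+- with:
+- oss-fuzz-project-name: 'systemd'
+- dry-run: false
+- allowed-broken-targets-percentage: 0
+- sanitizer: ${{ matrix.sanitizer }}
+- - name: Run Fuzzers (${{ matrix.sanitizer }})
+- uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@master
+- with:
+- oss-fuzz-project-name: 'systemd'
+- fuzz-seconds: 600
+- dry-run: false
+- sanitizer: ${{ matrix.sanitizer }}
+- - name: Upload Crash
+- uses: actions/upload-artifact@v1
+- if: failure() && steps.build.outcome == 'success'
+- with:
+- name: ${{ matrix.sanitizer }}-artifacts
+- path: ./out/artifacts
+diff --git a/.github/workflows/coverity.yml b/.github/workflows/coverity.yml
+deleted file mode 100644
+index a0eb0f01fd..0000000000
+--- a/.github/workflows/coverity.yml
++++ /dev/null
+@@ -1,39 +0,0 @@
+----
+-# vi: ts=2 sw=2 et:
+-#
+-name: Coverity
+-
+-on:
+- schedule:
+- # Run Coverity daily at midnight
+- - cron: '0 0 * * *'
+-
+-jobs:
+- build:
+- runs-on: ubuntu-20.04
+- if: github.repository == 'systemd/systemd'
+- env:
+- COVERITY_SCAN_BRANCH_PATTERN: "${{ github.ref}}"
+- COVERITY_SCAN_NOTIFICATION_EMAIL: ""
+- COVERITY_SCAN_PROJECT_NAME: "${{ github.repository }}"
+- # Set in repo settings -> secrets -> repository secrets
+- COVERITY_SCAN_TOKEN: "${{ secrets.COVERITY_SCAN_TOKEN }}"
+- CURRENT_REF: "${{ github.ref }}"
+- steps:
+- - name: Repository checkout
+- uses: actions/checkout@v1
+- # https://docs.github.com/en/free-pro-team@latest/actions/reference/workflow-commands-for-github-actions#setting-an-environment-variable
+- - name: Set the $COVERITY_SCAN_NOTIFICATION_EMAIL env variable
+- run: echo "COVERITY_SCAN_NOTIFICATION_EMAIL=$(git log -1 ${{ github.sha }} --pretty=\"%aE\")" >> $GITHUB_ENV
+- - name: Install Coverity tools
+- run: tools/get-coverity.sh
+- # Reuse the setup phase of the unit test script to avoid code duplication
+- - name: Install build dependencies
+- run: sudo -E .github/workflows/unit_tests.sh SETUP
+- # Preconfigure with meson to prevent Coverity from capturing meson metadata
+- - name: Preconfigure the build directory
+- run: meson cov-build -Dman=false
+- - name: Build
+- run: tools/coverity.sh build
+- - name: Upload the results
+- run: tools/coverity.sh upload
+diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
+deleted file mode 100644
+index 76d67a3a5c..0000000000
+--- a/.github/workflows/labeler.yml
++++ /dev/null
+@@ -1,13 +0,0 @@
+-name: "Pull Request Labeler"
+-on:
+-- pull_request_target
+-
+-jobs:
+- triage:
+- runs-on: ubuntu-latest
+- steps:
+- - uses: actions/labeler@main
+- with:
+- repo-token: "${{ secrets.GITHUB_TOKEN }}"
+- configuration-path: .github/labeler.yml
+- sync-labels: "" # This is a workaround for issue 18671
+diff --git a/.github/workflows/mkosi.yml b/.github/workflows/mkosi.yml
+deleted file mode 100644
+index babdf7ae6e..0000000000
+--- a/.github/workflows/mkosi.yml
++++ /dev/null
+@@ -1,58 +0,0 @@
+-name: mkosi
+-
+-# Simple boot tests that build and boot the mkosi images generated by the mkosi config files in .mkosi.
+-
+-on:
+- push:
+- branches:
+- - main
+- pull_request:
+- branches:
+- - main
+-
+-jobs:
+- ci:
+- runs-on: ubuntu-20.04
+- strategy:
+- fail-fast: false
+- matrix:
+- distro:
+- - arch
+- - debian
+- - ubuntu
+- - fedora
+-
+- steps:
+- - uses: actions/checkout@v2
+- - uses: systemd/mkosi@v9
+-
+- - name: Install
+- run: sudo apt-get update && sudo apt-get install --no-install-recommends python3-pexpect python3-jinja2
+-
+- - name: Symlink
+- run: ln -s .mkosi/mkosi.${{ matrix.distro }} mkosi.default
+-
+- # Ubuntu's systemd-nspawn doesn't support faccessat2() syscall, which is
+- # required, since current Arch's glibc implements faccessat() via faccessat2().
+- - name: Update systemd-nspawn
+- if: ${{ matrix.distro == 'arch' }}
+- run: |
+- echo "deb-src http://archive.ubuntu.com/ubuntu/ $(lsb_release -cs) main restricted universe multiverse" | sudo tee -a /etc/apt/sources.list
+- sudo apt update
+- sudo apt build-dep systemd
+- meson build
+- ninja -C build
+- sudo ln -svf $PWD/build/systemd-nspawn `which systemd-nspawn`
+- systemd-nspawn --version
+-
+- - name: Build ${{ matrix.distro }}
+- run: sudo python3 -m mkosi --password= --qemu-headless build
+-
+- - name: Show ${{ matrix.distro }} image summary
+- run: sudo python3 -m mkosi --password= --qemu-headless summary
+-
+- - name: Boot ${{ matrix.distro }} systemd-nspawn
+- run: sudo ./.github/workflows/test_mkosi_boot.py python3 -m mkosi --password= --qemu-headless boot
+-
+- - name: Boot ${{ matrix.distro }} QEMU
+- run: sudo ./.github/workflows/test_mkosi_boot.py python3 -m mkosi --password= --qemu-headless qemu
+diff --git a/.github/workflows/test_mkosi_boot.py b/.github/workflows/test_mkosi_boot.py
+deleted file mode 100755
+index 3418fd3a51..0000000000
+--- a/.github/workflows/test_mkosi_boot.py
++++ /dev/null
+@@ -1,24 +0,0 @@
+-#!/usr/bin/env python3
+-# SPDX-License-Identifier: LGPL-2.1-or-later
+-
+-import pexpect
+-import sys
+-
+-
+-def run() -> None:
+- p = pexpect.spawnu(" ".join(sys.argv[1:]), logfile=sys.stdout, timeout=300)
+-
+- p.expect("#")
+- p.sendline("systemctl poweroff")
+-
+- p.expect(pexpect.EOF)
+-
+-
+-try:
+- run()
+-except pexpect.EOF:
+- print("UNEXPECTED EOF")
+- sys.exit(1)
+-except pexpect.TIMEOUT:
+- print("TIMED OUT")
+- sys.exit(1)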
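--- /dev/null
+++ b/SOURCES/0011-ci-reconfigure-Packit-for-RHEL-9.patch
@@ -0,0 +1,60 @@
+From b00b4b76e8a7267db2dc54a5d23272a6586770da Mon Sep 17 00:00:00 2001
+From: Frantisek Sumsal <frantisek@sumsal.cz>
+Date: Wed, 9 Jun 2021 15:23:59 +0200
+Subject: [PATCH] ci: reconfigure Packit for RHEL 9
+
+Resolves: #1960703
+rhel-only
+---
+.packit.yml | 27 ++++++++++++++++++---------
+1 file changed, 18 insertions(+), 9 deletions(-)
+
+diff --git a/.packit.yml b/.packit.yml
+index 4545e30e08..3461bccbc5 100644
+--- a/.packit.yml
++++ b/.packit.yml
+@@ -16,14 +16,12 @@ upstream_tag_template: "v{version}"
+
+actions:
+post-upstream-clone:
+- # Use the Fedora Rawhide specfile
+- - "git clone https://src.fedoraproject.org/rpms/systemd .packit_rpm --depth=1"
++ # Use the CentOS Stream specfile
++ - "git clone https://gitlab.com/redhat/centos-stream/rpms/systemd.git .packit_rpm --depth=1"
+# Drop the "sources" file so rebase-helper doesn't think we're a dist-git
+- "rm -fv .packit_rpm/sources"
+- # Drop backported patches from the specfile, but keep the downstream-only ones
+- # - Patch0000-0499: backported patches from upstream
+- # - Patch0500-9999: downstream-only patches
+- - "sed -ri '/^Patch0[0-4]?[0-9]{0,2}\\:.+\\.patch/d' .packit_rpm/systemd.spec"
++ # Drop all patches, since they're already included in the tarball
++ - "sed -ri '/^Patch[0-9]+:/d' .packit_rpm/systemd.spec"
+# Build the RPM with --werror. Even though --werror doesn't work in all
+# cases (see [0]), we can't use -Dc_args=/-Dcpp_args= here because of the
+# RPM hardening macros, that use $CFLAGS/$CPPFLAGS (see [1]).
+@@ -32,11 +30,22 @@ actions:
+# [1] https://github.com/systemd/systemd/pull/18908#issuecomment-792250110
+- 'sed -i "/^CONFIGURE_OPTS=(/a--werror" .packit_rpm/systemd.spec'
+
++# Available targets can be listed via `copr-cli list-chroots`
+jobs:
++# Build test
+- job: copr_build
+trigger: pull_request
+metadata:
+targets:
+- - fedora-rawhide-aarch64
+- - fedora-rawhide-i386
+- - fedora-rawhide-x86_64
++ # FIXME: change to CentOS 9 once it's available
++ - fedora-34-x86_64
++ - fedora-34-aarch64
++
++# TODO: can't use TFT yet due to https://pagure.io/fedora-ci/general/issue/184
++# Run tests (via testing farm)
++#- job: tests
++# trigger: pull_request
++# metadata:
++# targets:
++# # FIXME: change to CentOS 9 once it's available
++# - fedora-34-x86_64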
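Review bot: The new `git clone https://gitlab.com/redhat/centos-stream/rpms/systemd.git .packit_rpm --depth=1` checks out whatever the spec repository's default branch holds at run time, so a CI result depends on an unpinned external input and cannot be reproduced later (the Fedora clone it replaces had the same property). Adding `--branch <BRANCH-PLACEHOLDER>` to the clone, or at least naming the expected branch in the `# Use the CentOS Stream specfile` comment, would make the build deterministic and make a silent upstream branch switch visible. The `# Drop all patches, since they're already included in the tarball` comment also deserves a note that the sed removes every `Patch` line regardless of whether the tree actually carries it, so a spec-only patch would be dropped without an error.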
@ -0,0 +1,27 @@
|
||||
From ef23dd2793c19e9505ab1e70fff20b7ea184dc54 Mon Sep 17 00:00:00 2001
|
||||
From: Frantisek Sumsal <frantisek@sumsal.cz>
|
||||
Date: Thu, 15 Jul 2021 12:23:27 +0200
|
||||
Subject: [PATCH] ci: run unit tests on z-stream branches as well
|
||||
|
||||
Resolves: #1960703
|
||||
rhel-only
|
||||
---
|
||||
.github/workflows/unit_tests.yml | 5 +----
|
||||
1 file changed, 1 insertion(+), 4 deletions(-)
|
||||
|
||||
diff --git a/.github/workflows/unit_tests.yml b/.github/workflows/unit_tests.yml
|
||||
index ca1e6e0c30..e560bff830 100644
|
||||
--- a/.github/workflows/unit_tests.yml
|
||||
+++ b/.github/workflows/unit_tests.yml
|
||||
@@ -2,10 +2,7 @@
|
||||
# vi: ts=2 sw=2 et:
|
||||
#
|
||||
name: Unit tests
|
||||
-on:
|
||||
- pull_request:
|
||||
- branches:
|
||||
- - main
|
||||
+on: [pull_request]
|
||||
|
||||
jobs:
|
||||
build:
|
@ -0,0 +1,110 @@
|
||||
From a311dc4ade908452d7920452a18ce411af0f6dd3 Mon Sep 17 00:00:00 2001
|
||||
From: Riccardo Schirone <sirmy15@gmail.com>
|
||||
Date: Thu, 17 Jun 2021 16:39:23 +0200
|
||||
Subject: [PATCH] Check return value of pam_get_item/pam_get_data functions
|
||||
|
||||
(cherry picked from commit a22cbf85ed9863ba5c86681db89424747119ef0c)
|
||||
|
||||
Resolves: #1973210
|
||||
---
|
||||
src/login/pam_systemd.c | 66 ++++++++++++++++++++++++++++++++++-------
|
||||
1 file changed, 55 insertions(+), 11 deletions(-)
|
||||
|
||||
diff --git a/src/login/pam_systemd.c b/src/login/pam_systemd.c
|
||||
index f8bd17eefe..1b643d52ca 100644
|
||||
--- a/src/login/pam_systemd.c
|
||||
+++ b/src/login/pam_systemd.c
|
||||
@@ -705,7 +705,11 @@ _public_ PAM_EXTERN int pam_sm_open_session(
* "systemd-user" we simply set XDG_RUNTIME_DIR and
* leave. */
- (void) pam_get_item(handle, PAM_SERVICE, (const void**) &service);
+ r = pam_get_item(handle, PAM_SERVICE, (const void**) &service);
+ if (!IN_SET(r, PAM_BAD_ITEM, PAM_SUCCESS)) {
+ pam_syslog(handle, LOG_ERR, "Failed to get PAM service: %s", pam_strerror(handle, r));
+ return r;
+ }
if (streq_ptr(service, "systemd-user")) {
char rt[STRLEN("/run/user/") + DECIMAL_STR_MAX(uid_t)];
@@ -719,10 +723,26 @@ _public_ PAM_EXTERN int pam_sm_open_session(
/* Otherwise, we ask logind to create a session for us */
- (void) pam_get_item(handle, PAM_XDISPLAY, (const void**) &display);
- (void) pam_get_item(handle, PAM_TTY, (const void**) &tty);
- (void) pam_get_item(handle, PAM_RUSER, (const void**) &remote_user);
- (void) pam_get_item(handle, PAM_RHOST, (const void**) &remote_host);
+ r = pam_get_item(handle, PAM_XDISPLAY, (const void**) &display);
+ if (!IN_SET(r, PAM_BAD_ITEM, PAM_SUCCESS)) {
+ pam_syslog(handle, LOG_ERR, "Failed to get PAM XDISPLAY: %s", pam_strerror(handle, r));
+ return r;
+ }
+ r = pam_get_item(handle, PAM_TTY, (const void**) &tty);
+ if (!IN_SET(r, PAM_BAD_ITEM, PAM_SUCCESS)) {
+ pam_syslog(handle, LOG_ERR, "Failed to get PAM TTY: %s", pam_strerror(handle, r));
+ return r;
+ }
+ r = pam_get_item(handle, PAM_RUSER, (const void**) &remote_user);
+ if (!IN_SET(r, PAM_BAD_ITEM, PAM_SUCCESS)) {
+ pam_syslog(handle, LOG_ERR, "Failed to get PAM RUSER: %s", pam_strerror(handle, r));
+ return r;
+ }
+ r = pam_get_item(handle, PAM_RHOST, (const void**) &remote_host);
+ if (!IN_SET(r, PAM_BAD_ITEM, PAM_SUCCESS)) {
+ pam_syslog(handle, LOG_ERR, "Failed to get PAM RHOST: %s", pam_strerror(handle, r));
+ return r;
+ }
seat = getenv_harder(handle, "XDG_SEAT", NULL);
cvtnr = getenv_harder(handle, "XDG_VTNR", NULL);
@@ -789,11 +809,31 @@ _public_ PAM_EXTERN int pam_sm_open_session(
remote = !isempty(remote_host) && !is_localhost(remote_host);
- (void) pam_get_data(handle, "systemd.memory_max", (const void **)&memory_max);
- (void) pam_get_data(handle, "systemd.tasks_max", (const void **)&tasks_max);
- (void) pam_get_data(handle, "systemd.cpu_weight", (const void **)&cpu_weight);
- (void) pam_get_data(handle, "systemd.io_weight", (const void **)&io_weight);
- (void) pam_get_data(handle, "systemd.runtime_max_sec", (const void **)&runtime_max_sec);
+ r = pam_get_data(handle, "systemd.memory_max", (const void **)&memory_max);
+ if (!IN_SET(r, PAM_SUCCESS, PAM_NO_MODULE_DATA)) {
+ pam_syslog(handle, LOG_ERR, "Failed to get PAM systemd.memory_max data: %s", pam_strerror(handle, r));
+ return r;
+ }
+ r = pam_get_data(handle, "systemd.tasks_max", (const void **)&tasks_max);
+ if (!IN_SET(r, PAM_SUCCESS, PAM_NO_MODULE_DATA)) {
+ pam_syslog(handle, LOG_ERR, "Failed to get PAM systemd.tasks_max data: %s", pam_strerror(handle, r));
+ return r;
+ }
+ r = pam_get_data(handle, "systemd.cpu_weight", (const void **)&cpu_weight);
+ if (!IN_SET(r, PAM_SUCCESS, PAM_NO_MODULE_DATA)) {
+ pam_syslog(handle, LOG_ERR, "Failed to get PAM systemd.cpu_weight data: %s", pam_strerror(handle, r));
+ return r;
+ }
+ r = pam_get_data(handle, "systemd.io_weight", (const void **)&io_weight);
+ if (!IN_SET(r, PAM_SUCCESS, PAM_NO_MODULE_DATA)) {
+ pam_syslog(handle, LOG_ERR, "Failed to get PAM systemd.io_weight data: %s", pam_strerror(handle, r));
+ return r;
+ }
+ r = pam_get_data(handle, "systemd.runtime_max_sec", (const void **)&runtime_max_sec);
+ if (!IN_SET(r, PAM_SUCCESS, PAM_NO_MODULE_DATA)) {
+ pam_syslog(handle, LOG_ERR, "Failed to get PAM systemd.runtime_max_sec data: %s", pam_strerror(handle, r));
+ return r;
+ }
/* Talk to logind over the message bus */
@@ -996,7 +1036,11 @@ _public_ PAM_EXTERN int pam_sm_close_session(
/* Only release session if it wasn't pre-existing when we
* tried to create it */
- (void) pam_get_data(handle, "systemd.existing", &existing);
+ r = pam_get_data(handle, "systemd.existing", &existing);
+ if (!IN_SET(r, PAM_SUCCESS, PAM_NO_MODULE_DATA)) {
+ pam_syslog(handle, LOG_ERR, "Failed to get PAM systemd.existing data: %s", pam_strerror(handle, r));
+ return r;
+ }
id = pam_getenv(handle, "XDG_SESSION_ID");
if (id && !existing) {
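Review bot: The PAM_BAD_ITEM branch of each new pam_get_item() check (starting with the PAM_SERVICE one at the top of the first hunk) leaves `service`, `display`, `tty`, `remote_user` and `remote_host` unassigned, so the later `streq_ptr(service, "systemd-user")` and `isempty(remote_host)` tests are only safe if those variables are NULL-initialised at their declarations, which sit outside the hunk; I would say so at the first check, `/* PAM_BAD_ITEM leaves the item untouched; the variables above start out NULL */`. Returning the raw libpam code from pam_sm_open_session() turns what used to be best-effort lookups into hard login failures, which is the safer direction for a session-setup module, but it is a behaviour change the commit message does not state. The ten near-identical check-and-log blocks would read better as one static helper taking the item or data name, though that is a style preference. Both pam_sm_open_session() and pam_sm_close_session() start and end outside the hunks.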
@ -0,0 +1,25 @@
From f1266682aca4a2ed3d85017527d1456cbe5d2f2a Mon Sep 17 00:00:00 2001
From: David Tardon <dtardon@redhat.com>
Date: Thu, 15 Jul 2021 11:15:17 +0200
Subject: [PATCH] random-util: increase random seed size to 1024
RHEL-only
Resolves: #1982603
---
src/basic/random-util.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/basic/random-util.h b/src/basic/random-util.h
index e6528ddc7f..fda78552f6 100644
--- a/src/basic/random-util.h
+++ b/src/basic/random-util.h
@@ -34,7 +34,7 @@ static inline uint32_t random_u32(void) {
int rdrand(unsigned long *ret);
/* Some limits on the pool sizes when we deal with the kernel random pool */
-#define RANDOM_POOL_SIZE_MIN 512U
+#define RANDOM_POOL_SIZE_MIN 1024U
#define RANDOM_POOL_SIZE_MAX (10U*1024U*1024U)
size_t random_pool_size(void);
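Review bot: The new RANDOM_POOL_SIZE_MIN value carries no explanation in the header and the RHEL-only commit message gives only a bug number, so a future rebase cannot tell whether 1024 is a deliberate floor or an accident; I would annotate the define, `#define RANDOM_POOL_SIZE_MIN 1024U /* RHEL-only: raised from 512, see #1982603 */`. Presumably this floor bounds what random_pool_size() reports and therefore the amount of seed data read from and written to the on-disk seed file, but that cannot be confirmed from the hunk. If that is the intent, the effect on the seed size belongs in the same comment rather than being left for the reader to infer.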
@ -0,0 +1,41 @@
From d68134590110a93c383a7ae696ccf3717f20682a Mon Sep 17 00:00:00 2001
From: Jan Synacek <jsynacek@redhat.com>
Date: Thu, 2 May 2019 14:11:54 +0200
Subject: [PATCH] journal: don't enable systemd-journald-audit.socket by
default
RHEL-only
Resolves: #1973856
---
units/meson.build | 3 +--
units/systemd-journald.service.in | 2 +-
2 files changed, 2 insertions(+), 3 deletions(-)
diff --git a/units/meson.build b/units/meson.build
index 17e9ead9c1..68be8d0108 100644
--- a/units/meson.build
+++ b/units/meson.build
@@ -119,8 +119,7 @@ units = [
'sysinit.target.wants/'],
['systemd-journal-gatewayd.socket', 'ENABLE_REMOTE HAVE_MICROHTTPD'],
['systemd-journal-remote.socket', 'ENABLE_REMOTE HAVE_MICROHTTPD'],
- ['systemd-journald-audit.socket', '',
- 'sockets.target.wants/'],
+ ['systemd-journald-audit.socket', ''],
['systemd-journald-dev-log.socket', '',
'sockets.target.wants/'],
['systemd-journald.socket', '',
diff --git a/units/systemd-journald.service.in b/units/systemd-journald.service.in
index cd17b6b4e7..d981273b07 100644
--- a/units/systemd-journald.service.in
+++ b/units/systemd-journald.service.in
@@ -12,7 +12,7 @@ Description=Journal Service
Documentation=man:systemd-journald.service(8) man:journald.conf(5)
DefaultDependencies=no
Requires=systemd-journald.socket
-After=systemd-journald.socket systemd-journald-dev-log.socket systemd-journald-audit.socket syslog.socket
+After=systemd-journald.socket systemd-journald-dev-log.socket syslog.socket
Before=sysinit.target
[Service]
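Review bot: Dropping `systemd-journald-audit.socket` from the `After=` line of systemd-journald.service.in goes further than not enabling the socket by default: an ordering dependency on a unit that is not enabled costs nothing, whereas without it an administrator who enables the socket to get kernel audit records into the journal no longer has a guarantee that it is set up before journald starts on boot, and journald presumably only picks up the socket fd at its own start. I would keep `After=systemd-journald.socket systemd-journald-dev-log.socket systemd-journald-audit.socket syslog.socket` and limit the change to the meson.build install list. From a detection standpoint this is also a visible change in default telemetry, since `journalctl _TRANSPORT=audit` is empty on a fresh install unless the socket is enabled, and the commit message should say so.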
@ -0,0 +1,22 @@
From c040ffc7d27e2952bd6acccc1d8a351f31ba24db Mon Sep 17 00:00:00 2001
From: David Tardon <dtardon@redhat.com>
Date: Thu, 5 Aug 2021 15:26:13 +0200
Subject: [PATCH] journald.conf: don't touch current audit settings
RHEL-only
Related: #1973856
---
src/journal/journald.conf | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/journal/journald.conf b/src/journal/journald.conf
index 5a60a9d39c..3544da2112 100644
--- a/src/journal/journald.conf
+++ b/src/journal/journald.conf
@@ -44,4 +44,4 @@
#MaxLevelWall=emerg
#LineMax=48K
#ReadKMsg=yes
-#Audit=yes
+Audit=
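Review bot: `Audit=` is now the only uncommented line in a file whose other entries are commented-out defaults, and nothing in the hunk says why it is active or what an empty value means; presumably the setting is a tristate where an empty value means neither enable nor disable kernel auditing, but a reader of the shipped file cannot tell that from `#Audit=yes` on the line before. Either change the compiled-in default and keep the line commented as `#Audit=`, or keep this line and document it, `# RHEL: leave the kernel audit state alone (auditd manages it); empty means neither enable nor disable`. Note this also means a system without auditd will no longer get kernel auditing switched on by journald, which is worth spelling out in the commit message.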
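--- /dev/null
+++ b/SOURCES/0017-Revert-udev-remove-WAIT_FOR-key.patch
@@ -0,0 +1,137 @@
+From ba508dc60d5f62d8821242eebf50efcfbddd1428 Mon Sep 17 00:00:00 2001
+From: David Tardon <dtardon@redhat.com>
+Date: Tue, 10 Aug 2021 14:46:16 +0200
+Subject: [PATCH] Revert "udev: remove WAIT_FOR key"
+
+This reverts commit f2b8052fb648b788936dd3e85be6a9aca90fbb2f.
+
+RHEL-only
+
+Resolves: #1982666
+---
+man/udev.xml | 9 +++++++
+src/udev/udev-rules.c | 56 +++++++++++++++++++++++++++++++++++++++
+test/rule-syntax-check.py | 2 +-
+3 files changed, 66 insertions(+), 1 deletion(-)
+
+diff --git a/man/udev.xml b/man/udev.xml
+index f6ea2abc12..ce96e201e4 100644
+--- a/man/udev.xml
++++ b/man/udev.xml
+@@ -592,6 +592,15 @@
+</listitem>
+</varlistentry>
+
++ <varlistentry>
++ <term><varname>WAIT_FOR</varname></term>
++ <listitem>
++ <para>Wait for a file to become available or until a timeout of
++ 10 seconds expires. The path is relative to the sysfs device;
++ if no path is specified, this waits for an attribute to appear.</para>
++ </listitem>
++ </varlistentry>
++
+<varlistentry>
+<term><varname>OPTIONS</varname></term>
+<listitem>
+diff --git a/src/udev/udev-rules.c b/src/udev/udev-rules.c
+index bf997fc0ed..a02a7a1bc6 100644
+--- a/src/udev/udev-rules.c
++++ b/src/udev/udev-rules.c
+@@ -78,6 +78,7 @@ typedef enum {
+TK_M_TAG, /* strv, sd_device_get_tag_first(), sd_device_get_tag_next() */
+TK_M_SUBSYSTEM, /* string, sd_device_get_subsystem() */
+TK_M_DRIVER, /* string, sd_device_get_driver() */
++ TK_M_WAITFOR,
+TK_M_ATTR, /* string, takes filename through attribute, sd_device_get_sysattr_value(), udev_resolve_subsys_kernel(), etc. */
+TK_M_SYSCTL, /* string, takes kernel parameter through attribute */
+
+@@ -415,6 +416,47 @@ static void rule_line_append_token(UdevRuleLine *rule_line, UdevRuleToken *token
+rule_line->current_token = token;
+}
+
++#define WAIT_LOOP_PER_SECOND 50
++static int wait_for_file(sd_device *dev, const char *file, int timeout) {
++ char filepath[UDEV_PATH_SIZE];
++ char devicepath[UDEV_PATH_SIZE];
++ struct stat stats;
++ int loop = timeout * WAIT_LOOP_PER_SECOND;
++
++ /* a relative path is a device attribute */
++ devicepath[0] = '\0';
++ if (file[0] != '/') {
++ const char *val;
++ int r;
++
++ r = sd_device_get_syspath(dev, &val);
++ if (r < 0)
++ return r;
++ strscpyl(devicepath, sizeof(devicepath), val, NULL);
++ strscpyl(filepath, sizeof(filepath), devicepath, "/", file, NULL);
++ file = filepath;
++ }
++
++ while (--loop) {
++ const struct timespec duration = { 0, 1000 * 1000 * 1000 / WAIT_LOOP_PER_SECOND };
++
++ /* lookup file */
++ if (stat(file, &stats) == 0) {
++ log_debug("file '%s' appeared after %i loops", file, (timeout * WAIT_LOOP_PER_SECOND) - loop-1);
++ return 0;
++ }
++ /* make sure, the device did not disappear in the meantime */
++ if (devicepath[0] != '\0' && stat(devicepath, &stats) != 0) {
++ log_debug("device disappeared while waiting for '%s'", file);
++ return -2;
++ }
++ log_debug("wait for '%s' for %i mseconds", file, 1000 / WAIT_LOOP_PER_SECOND);
++ nanosleep(&duration, NULL);
++ }
++ log_debug("waiting for '%s' failed", file);
++ return -1;
++}
++
+static int rule_line_add_token(UdevRuleLine *rule_line, UdevRuleTokenType type, UdevRuleOperatorType op, char *value, void *data) {
+UdevRuleToken *token;
+UdevRuleMatchType match_type = _MATCH_TYPE_INVALID;
+@@ -957,6 +999,12 @@ static int parse_token(UdevRules *rules, const char *key, char *attr, UdevRuleOp
+r = rule_line_add_token(rule_line, TK_A_RUN_BUILTIN, op, value, UDEV_BUILTIN_CMD_TO_PTR(cmd));
+} else
+return log_token_invalid_attr(rules, key);
++ } else if (streq(key, "WAIT_FOR") || streq(key, "WAIT_FOR_SYSFS")) {
++ if (op == OP_REMOVE)
++ return log_token_invalid_op(rules, key);
++
++ rule_line_add_token(rule_line, TK_M_WAITFOR, 0, value, NULL);
++ return 1;
+} else if (streq(key, "GOTO")) {
+if (attr)
+return log_token_invalid_attr(rules, key);
+@@ -1643,6 +1691,14 @@ static int udev_rule_apply_token_to_event(
+
+return token_match_string(token, val);
+}
++ case TK_M_WAITFOR: {
++ char filename[UDEV_PATH_SIZE];
++ int found;
++
++ udev_event_apply_format(event, token->value, filename, sizeof(filename), false);
++ found = (wait_for_file(event->dev, filename, 10) == 0);
++ return found || (token->op == OP_NOMATCH);
++ }
+case TK_M_ATTR:
+case TK_M_PARENTS_ATTR:
+return token_match_attr(token, dev, event);
+diff --git a/test/rule-syntax-check.py b/test/rule-syntax-check.py
+index 9a9e4d1658..0649bcf58e 100755
+--- a/test/rule-syntax-check.py
++++ b/test/rule-syntax-check.py
+@@ -20,7 +20,7 @@ no_args_tests = re.compile(r'(ACTION|DEVPATH|KERNELS?|NAME|SYMLINK|SUBSYSTEMS?|D
+# PROGRAM can also be specified as an assignment.
+program_assign = re.compile(r'PROGRAM\s*=\s*' + quoted_string_re + '$')
+args_tests = re.compile(r'(ATTRS?|ENV|CONST|TEST){([a-zA-Z0-9/_.*%-]+)}\s*(?:=|!)=\s*' + quoted_string_re + '$')
+-no_args_assign = re.compile(r'(NAME|SYMLINK|OWNER|GROUP|MODE|TAG|RUN|LABEL|GOTO|OPTIONS|IMPORT)\s*(?:\+=|:=|=)\s*' + quoted_string_re + '$')
++no_args_assign = re.compile(r'(NAME|SYMLINK|OWNER|GROUP|MODE|TAG|RUN|LABEL|GOTO|WAIT_FOR|OPTIONS|IMPORT)\s*(?:\+=|:=|=)\s*' + quoted_string_re + '$')
+args_assign = re.compile(r'(ATTR|ENV|IMPORT|RUN){([a-zA-Z0-9/_.*%-]+)}\s*(=|\+=)\s*' + quoted_string_re + '$')
+# Find comma-separated groups, but allow commas that are inside quoted strings.
+# Using quoted_string_re + '?' so that strings missing the last double quote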
@ -0,0 +1,94 @@
From 7cea77bd5712260277e451d34908f01f14c467c4 Mon Sep 17 00:00:00 2001
From: Michal Sekletar <msekleta@redhat.com>
Date: Mon, 30 Aug 2021 18:38:09 +0200
Subject: [PATCH] boot: don't build bootctl when -Dgnu-efi=false is set
(cherry picked from commit fbe3a414e1d8f7b05dccf3d24d4fa475eb9c6bc9)
Resolves: #1972223
---
meson.build | 8 +++++---
shell-completion/bash/meson.build | 2 +-
shell-completion/zsh/meson.build | 2 +-
units/meson.build | 2 +-
4 files changed, 8 insertions(+), 6 deletions(-)
diff --git a/meson.build b/meson.build
index 738879eb21..d28f04607a 100644
--- a/meson.build
+++ b/meson.build
@@ -1608,6 +1608,10 @@ else
endif
conf.set10('ENABLE_EFI', have)
+subdir('src/fundamental')
+subdir('src/boot/efi')
+conf.set10('HAVE_GNU_EFI', have_gnu_efi)
+
############################################################
build_bpf_skel_py = find_program('tools/build-bpf-skel.py')
@@ -1660,7 +1664,6 @@ includes = [libsystemd_includes, include_directories('src/shared')]
subdir('po')
subdir('catalog')
-subdir('src/fundamental')
subdir('src/basic')
subdir('src/libsystemd')
subdir('src/shared')
@@ -1751,7 +1754,6 @@ subdir('src/journal')
subdir('src/libsystemd-network')
subdir('src/analyze')
-subdir('src/boot/efi')
subdir('src/busctl')
subdir('src/coredump')
subdir('src/cryptenroll')
@@ -2145,7 +2147,7 @@ if conf.get('HAVE_PAM') == 1
install_dir : rootlibexecdir)
endif
-if conf.get('ENABLE_EFI') == 1 and conf.get('HAVE_BLKID') == 1
+if conf.get('HAVE_BLKID') == 1 and conf.get('HAVE_GNU_EFI') == 1
public_programs += executable(
'bootctl',
'src/boot/bootctl.c',
diff --git a/shell-completion/bash/meson.build b/shell-completion/bash/meson.build
index c26b413d92..bfdd2b01f0 100644
--- a/shell-completion/bash/meson.build
+++ b/shell-completion/bash/meson.build
@@ -33,7 +33,7 @@ items = [['busctl', ''],
['systemd-run', ''],
['udevadm', ''],
['kernel-install', ''],
- ['bootctl', 'ENABLE_EFI'],
+ ['bootctl', 'HAVE_GNU_EFI'],
['coredumpctl', 'ENABLE_COREDUMP'],
['homectl', 'ENABLE_HOMED'],
['hostnamectl', 'ENABLE_HOSTNAMED'],
diff --git a/shell-completion/zsh/meson.build b/shell-completion/zsh/meson.build
index f5f9b0f993..3a92f303b8 100644
--- a/shell-completion/zsh/meson.build
+++ b/shell-completion/zsh/meson.build
@@ -28,7 +28,7 @@ items = [['_busctl', ''],
['_sd_outputmodes', ''],
['_sd_unit_files', ''],
['_sd_machines', ''],
- ['_bootctl', 'ENABLE_EFI'],
+ ['_bootctl', 'HAVE_GNU_EFI'],
['_coredumpctl', 'ENABLE_COREDUMP'],
['_hostnamectl', 'ENABLE_HOSTNAMED'],
['_localectl', 'ENABLE_LOCALED'],
diff --git a/units/meson.build b/units/meson.build
index 68be8d0108..27a2b60137 100644
--- a/units/meson.build
+++ b/units/meson.build
@@ -102,7 +102,7 @@ units = [
['systemd-ask-password-wall.path', '',
'multi-user.target.wants/'],
['systemd-ask-password-wall.service', ''],
- ['systemd-boot-system-token.service', 'ENABLE_EFI',
+ ['systemd-boot-system-token.service', 'HAVE_GNU_EFI',
'sysinit.target.wants/'],
['systemd-coredump.socket', 'ENABLE_COREDUMP',
'sockets.target.wants/'],
@ -0,0 +1,56 @@
From 7938e1e61c57441798d81124fd67b2e9bdd5e525 Mon Sep 17 00:00:00 2001
From: Lukas Nykryn <lnykryn@redhat.com>
Date: Tue, 12 Feb 2019 16:58:16 +0100
Subject: [PATCH] rules: add elevator= kernel command line parameter
Kernel removed the elevator= option, so let's reintroduce
it for rhel8 via udev rule.
RHEL-only
Resolves: #1998190
---
rules.d/40-elevator.rules | 20 ++++++++++++++++++++
rules.d/meson.build | 1 +
2 files changed, 21 insertions(+)
create mode 100644 rules.d/40-elevator.rules
diff --git a/rules.d/40-elevator.rules b/rules.d/40-elevator.rules
new file mode 100644
index 0000000000..dbe8fc81a4
--- /dev/null
+++ b/rules.d/40-elevator.rules
@@ -0,0 +1,20 @@
+# We aren't adding devices skip the elevator check
+ACTION!="add", GOTO="sched_out"
+
+SUBSYSTEM!="block", GOTO="sched_out"
+ENV{DEVTYPE}!="disk", GOTO="sched_out"
+
+# Technically, dm-multipath can be configured to use an I/O scheduler.
+# However, there are races between the 'add' uevent and the linking in
+# of the queue/scheduler sysfs file. For now, just skip dm- devices.
+KERNEL=="dm-*|md*", GOTO="sched_out"
+
+# Skip bio-based devices, which don't support an I/O scheduler.
+ATTR{queue/scheduler}=="none", GOTO="sched_out"
+
+# If elevator= is specified on the kernel command line, change the
+# scheduler to the one specified.
+IMPORT{cmdline}="elevator"
+ENV{elevator}!="", ATTR{queue/scheduler}="$env{elevator}"
+
+LABEL="sched_out"
\ No newline at end of file
diff --git a/rules.d/meson.build b/rules.d/meson.build
index 72632979fa..b41c50cad3 100644
--- a/rules.d/meson.build
+++ b/rules.d/meson.build
@@ -5,6 +5,7 @@ install_data(
install_dir : udevrulesdir)
rules = files('''
+ 40-elevator.rules
40-redhat.rules
60-autosuspend.rules
60-block.rules
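Review bot: `ATTR{queue/scheduler}="$env{elevator}"` writes a value taken straight from the kernel command line into sysfs; that is acceptable only because the kernel is expected to reject unknown scheduler names, and the rule should say so, e.g. `# The kernel validates the name; an unknown elevator= value only produces a write error in the udev log.` above the IMPORT line. The file is also missing its trailing newline (flagged at the end of the hunk), and the comment above `KERNEL=="dm-*|md*"` explains only the dm- case although md devices are skipped by the same match. The commit message's reference to rhel8 is stale for this package.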
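--- /dev/null
+++ b/SOURCES/0020-sd-device-introduce-device_has_devlink.patch
@@ -0,0 +1,43 @@
+From 76aebe6fec5894b05114fdf1e8aee54139bef69e Mon Sep 17 00:00:00 2001
+From: Yu Watanabe <watanabe.yu+github@gmail.com>
+Date: Wed, 1 Sep 2021 09:22:15 +0900
+Subject: [PATCH] sd-device: introduce device_has_devlink()
+
+(cherry picked from commit b881ce16b9ccae4c3089c82e2ea1781cd9773a4f)
+
+Related: #1977994
+---
+src/libsystemd/sd-device/device-private.h | 1 +
+src/libsystemd/sd-device/sd-device.c | 7 +++++++
+2 files changed, 8 insertions(+)
+
+diff --git a/src/libsystemd/sd-device/device-private.h b/src/libsystemd/sd-device/device-private.h
+index fe268d7f2f..9bb5eff208 100644
+--- a/src/libsystemd/sd-device/device-private.h
++++ b/src/libsystemd/sd-device/device-private.h
+@@ -32,6 +32,7 @@ void device_set_db_persist(sd_device *device);
+void device_set_devlink_priority(sd_device *device, int priority);
+int device_ensure_usec_initialized(sd_device *device, sd_device *device_old);
+int device_add_devlink(sd_device *device, const char *devlink);
++bool device_has_devlink(sd_device *device, const char *devlink);
+int device_add_property(sd_device *device, const char *property, const char *value);
+int device_add_tag(sd_device *device, const char *tag, bool both);
+void device_remove_tag(sd_device *device, const char *tag);
+diff --git a/src/libsystemd/sd-device/sd-device.c b/src/libsystemd/sd-device/sd-device.c
+index 388128bf33..8a9e4a33a1 100644
+--- a/src/libsystemd/sd-device/sd-device.c
++++ b/src/libsystemd/sd-device/sd-device.c
+@@ -1193,6 +1193,13 @@ int device_add_devlink(sd_device *device, const char *devlink) {
+return 0;
+}
+
++bool device_has_devlink(sd_device *device, const char *devlink) {
++ assert(device);
++ assert(devlink);
++
++ return set_contains(device->devlinks, devlink);
++}
++
+static int device_add_property_internal_from_string(sd_device *device, const char *str) {
+_cleanup_free_ char *key = NULL;
+char *value;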
@ -0,0 +1,305 @@
From acf81f97412be44d60be03a0a2e3ca62f4a5146b Mon Sep 17 00:00:00 2001
From: Yu Watanabe <watanabe.yu+github@gmail.com>
Date: Wed, 1 Sep 2021 09:24:15 +0900
Subject: [PATCH] udev-node: split out permission handling from udev_node_add()
And then merge udev_node_add() and udev_node_update_old_links().
(cherry picked from commit 2f48561e0db3cd63f65e9311b4d69282b4ac605d)
Related: #1977994
---
src/udev/udev-event.c | 9 +-
src/udev/udev-node.c | 204 +++++++++++++++++++-----------------------
src/udev/udev-node.h | 12 ++-
3 files changed, 106 insertions(+), 119 deletions(-)
diff --git a/src/udev/udev-event.c b/src/udev/udev-event.c
index b28089be71..8b9f8aecfe 100644
--- a/src/udev/udev-event.c
+++ b/src/udev/udev-event.c
@@ -895,9 +895,6 @@ static int update_devnode(UdevEvent *event) {
if (r < 0)
return log_device_error_errno(dev, r, "Failed to get devnum: %m");
- /* remove/update possible left-over symlinks from old database entry */
- (void) udev_node_update_old_links(dev, event->dev_db_clone);
-
if (!uid_is_valid(event->uid)) {
r = device_get_devnode_uid(dev, &event->uid);
if (r < 0 && r != -ENOENT)
@@ -921,7 +918,11 @@ static int update_devnode(UdevEvent *event) {
bool apply_mac = device_for_action(dev, SD_DEVICE_ADD);
- return udev_node_add(dev, apply_mac, event->mode, event->uid, event->gid, event->seclabel_list);
+ r = udev_node_apply_permissions(dev, apply_mac, event->mode, event->uid, event->gid, event->seclabel_list);
+ if (r < 0)
+ return log_device_error_errno(dev, r, "Failed to apply devnode permissions: %m");
+
+ return udev_node_update(dev, event->dev_db_clone);
}
static int event_execute_rules_on_remove(
diff --git a/src/udev/udev-node.c b/src/udev/udev-node.c
index 9e52906571..7cc9ee3670 100644
--- a/src/udev/udev-node.c
+++ b/src/udev/udev-node.c
@@ -356,45 +356,117 @@ static int link_update(sd_device *dev, const char *slink_in, bool add) {
return i < LINK_UPDATE_MAX_RETRIES ? 0 : -ELOOP;
}
-int udev_node_update_old_links(sd_device *dev, sd_device *dev_old) {
- const char *name;
+static int device_get_devpath_by_devnum(sd_device *dev, char **ret) {
+ const char *subsystem;
+ dev_t devnum;
+ int r;
+
+ assert(dev);
+ assert(ret);
+
+ r = sd_device_get_subsystem(dev, &subsystem);
+ if (r < 0)
+ return r;
+
+ r = sd_device_get_devnum(dev, &devnum);
+ if (r < 0)
+ return r;
+
+ return device_path_make_major_minor(streq(subsystem, "block") ? S_IFBLK : S_IFCHR, devnum, ret);
+}
+
+int udev_node_update(sd_device *dev, sd_device *dev_old) {
+ _cleanup_free_ char *filename = NULL;
+ const char *devnode, *devlink;
int r;
assert(dev);
assert(dev_old);
- /* update possible left-over symlinks */
- FOREACH_DEVICE_DEVLINK(dev_old, name) {
- const char *name_current;
- bool found = false;
+ r = sd_device_get_devname(dev, &devnode);
+ if (r < 0)
+ return log_device_debug_errno(dev, r, "Failed to get devnode: %m");
- /* check if old link name still belongs to this device */
- FOREACH_DEVICE_DEVLINK(dev, name_current)
- if (streq(name, name_current)) {
- found = true;
- break;
- }
+ if (DEBUG_LOGGING) {
+ const char *id = NULL;
- if (found)
+ (void) device_get_device_id(dev, &id);
+ log_device_debug(dev, "Handling device node '%s', devnum=%s", devnode, strna(id));
+ }
+
+ /* update possible left-over symlinks */
+ FOREACH_DEVICE_DEVLINK(dev_old, devlink) {
+ /* check if old link name still belongs to this device */
+ if (device_has_devlink(dev, devlink))
continue;
log_device_debug(dev,
- "Updating old device symlink '%s', which is no longer belonging to this device.",
- name);
+ "Removing/updating old device symlink '%s', which is no longer belonging to this device.",
+ devlink);
- r = link_update(dev, name, false);
+ r = link_update(dev, devlink, /* add = */ false);
if (r < 0)
log_device_warning_errno(dev, r,
- "Failed to update device symlink '%s', ignoring: %m",
- name);
+ "Failed to remove/update device symlink '%s', ignoring: %m",
+ devlink);
}
+ /* create/update symlinks, add symlinks to name index */
+ FOREACH_DEVICE_DEVLINK(dev, devlink) {
+ r = link_update(dev, devlink, /* add = */ true);
+ if (r < 0)
+ log_device_warning_errno(dev, r,
+ "Failed to create/update device symlink '%s', ignoring: %m",
+ devlink);
+ }
+
+ r = device_get_devpath_by_devnum(dev, &filename);
+ if (r < 0)
+ return log_device_debug_errno(dev, r, "Failed to get device path: %m");
+
+ /* always add /dev/{block,char}/$major:$minor */
+ r = node_symlink(dev, devnode, filename);
+ if (r < 0)
+ return log_device_warning_errno(dev, r, "Failed to create device symlink '%s': %m", filename);
+
+ return 0;
+}
+
+int udev_node_remove(sd_device *dev) {
+ _cleanup_free_ char *filename = NULL;
+ const char *devlink;
+ int r;
+
+ assert(dev);
+
+ /* remove/update symlinks, remove symlinks from name index */
+ FOREACH_DEVICE_DEVLINK(dev, devlink) {
+ r = link_update(dev, devlink, /* add = */ false);
+ if (r < 0)
+ log_device_warning_errno(dev, r,
+ "Failed to remove/update device symlink '%s', ignoring: %m",
+ devlink);
+ }
+
+ r = device_get_devpath_by_devnum(dev, &filename);
+ if (r < 0)
+ return log_device_debug_errno(dev, r, "Failed to get device path: %m");
+
+ /* remove /dev/{block,char}/$major:$minor */
+ if (unlink(filename) < 0 && errno != ENOENT)
+ return log_device_debug_errno(dev, errno, "Failed to remove '%s': %m", filename);
+
return 0;
}
-static int node_permissions_apply(sd_device *dev, bool apply_mac,
- mode_t mode, uid_t uid, gid_t gid,
- OrderedHashmap *seclabel_list) {
+int udev_node_apply_permissions(
+ sd_device *dev,
+ bool apply_mac,
+ mode_t mode,
+ uid_t uid,
+ gid_t gid,
+ OrderedHashmap *seclabel_list) {
+
const char *devnode, *subsystem, *id = NULL;
bool apply_mode, apply_uid, apply_gid;
_cleanup_close_ int node_fd = -1;
@@ -511,95 +583,5 @@ static int node_permissions_apply(sd_device *dev, bool apply_mac,
if (r < 0)
log_device_debug_errno(dev, r, "Failed to adjust timestamp of node %s: %m", devnode);
- return r;
-}
-
-static int xsprintf_dev_num_path_from_sd_device(sd_device *dev, char **ret) {
- const char *subsystem;
- dev_t devnum;
- int r;
-
- assert(ret);
-
- r = sd_device_get_subsystem(dev, &subsystem);
- if (r < 0)
- return r;
-
- r = sd_device_get_devnum(dev, &devnum);
- if (r < 0)
- return r;
-
- return device_path_make_major_minor(streq(subsystem, "block") ? S_IFBLK : S_IFCHR, devnum, ret);
-}
-
-int udev_node_add(sd_device *dev, bool apply,
- mode_t mode, uid_t uid, gid_t gid,
- OrderedHashmap *seclabel_list) {
- const char *devnode, *devlink;
- _cleanup_free_ char *filename = NULL;
- int r;
-
- assert(dev);
-
- r = sd_device_get_devname(dev, &devnode);
- if (r < 0)
- return log_device_debug_errno(dev, r, "Failed to get devnode: %m");
-
- if (DEBUG_LOGGING) {
- const char *id = NULL;
-
- (void) device_get_device_id(dev, &id);
- log_device_debug(dev, "Handling device node '%s', devnum=%s", devnode, strna(id));
- }
-
- r = node_permissions_apply(dev, apply, mode, uid, gid, seclabel_list);
- if (r < 0)
- return r;
-
- /* create/update symlinks, add symlinks to name index */
- FOREACH_DEVICE_DEVLINK(dev, devlink) {
- r = link_update(dev, devlink, true);
- if (r < 0)
- log_device_warning_errno(dev, r,
- "Failed to update device symlink '%s', ignoring: %m",
- devlink);
- }
-
- r = xsprintf_dev_num_path_from_sd_device(dev, &filename);
- if (r < 0)
- return log_device_debug_errno(dev, r, "Failed to get device path: %m");
-
- /* always add /dev/{block,char}/$major:$minor */
- r = node_symlink(dev, devnode, filename);
- if (r < 0)
- return log_device_warning_errno(dev, r, "Failed to create device symlink '%s': %m", filename);
-
- return 0;
-}
-
-int udev_node_remove(sd_device *dev) {
- _cleanup_free_ char *filename = NULL;
- const char *devlink;
- int r;
-
- assert(dev);
-
- /* remove/update symlinks, remove symlinks from name index */
- FOREACH_DEVICE_DEVLINK(dev, devlink) {
- r = link_update(dev, devlink, false);
- if (r < 0)
- log_device_warning_errno(dev, r,
- "Failed to update device symlink '%s', ignoring: %m",
- devlink);
- }
-
- r = xsprintf_dev_num_path_from_sd_device(dev, &filename);
- if (r < 0)
- return log_device_debug_errno(dev, r, "Failed to get device path: %m");
-
- /* remove /dev/{block,char}/$major:$minor */
- if (unlink(filename) < 0 && errno != ENOENT)
- return log_device_debug_errno(dev, errno, "Failed to remove '%s': %m", filename);
-
return 0;
}
diff --git a/src/udev/udev-node.h b/src/udev/udev-node.h
index 2349f9c471..a34af77146 100644
--- a/src/udev/udev-node.h
+++ b/src/udev/udev-node.h
@@ -8,10 +8,14 @@
|
||||
|
||||
#include "hashmap.h"
|
||||
|
||||
-int udev_node_add(sd_device *dev, bool apply,
|
||||
- mode_t mode, uid_t uid, gid_t gid,
|
||||
- OrderedHashmap *seclabel_list);
|
||||
+int udev_node_apply_permissions(
|
||||
+ sd_device *dev,
|
||||
+ bool apply_mac,
|
||||
+ mode_t mode,
|
||||
+ uid_t uid,
|
||||
+ gid_t gid,
|
||||
+ OrderedHashmap *seclabel_list);
|
||||
int udev_node_remove(sd_device *dev);
|
||||
-int udev_node_update_old_links(sd_device *dev, sd_device *dev_old);
|
||||
+int udev_node_update(sd_device *dev, sd_device *dev_old);
|
||||
|
||||
size_t udev_node_escape_path(const char *src, char *dest, size_t size);
|
@ -0,0 +1,36 @@
|
||||
From 18d2fb228bc155fc357262ec2dc5713318bab453 Mon Sep 17 00:00:00 2001
|
||||
From: Yu Watanabe <watanabe.yu+github@gmail.com>
|
||||
Date: Wed, 1 Sep 2021 04:14:42 +0900
|
||||
Subject: [PATCH] udev-node: stack directory must exist when adding device node
|
||||
symlink
|
||||
|
||||
(cherry picked from commit 46070dbf26435ba0def099121f46a6253f3f19b6)
|
||||
|
||||
Related: #1977994
|
||||
---
|
||||
src/udev/udev-node.c | 11 ++++++-----
|
||||
1 file changed, 6 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/src/udev/udev-node.c b/src/udev/udev-node.c
|
||||
index 7cc9ee3670..4496a2bd9b 100644
|
||||
--- a/src/udev/udev-node.c
|
||||
+++ b/src/udev/udev-node.c
|
||||
@@ -161,12 +161,13 @@ static int link_find_prioritized(sd_device *dev, bool add, const char *stackdir,
|
||||
|
||||
dir = opendir(stackdir);
|
||||
if (!dir) {
|
||||
- if (errno == ENOENT) {
|
||||
- *ret = TAKE_PTR(target);
|
||||
- return !!*ret;
|
||||
- }
|
||||
+ if (add) /* The stack directory must exist. */
|
||||
+ return -errno;
|
||||
+ if (errno != ENOENT)
|
||||
+ return -errno;
|
||||
|
||||
- return -errno;
|
||||
+ *ret = NULL;
|
||||
+ return 0;
|
||||
}
|
||||
|
||||
r = device_get_device_id(dev, &id);
|
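Review bot: The new `if (add) return -errno;` after the failed opendir() turns a missing stack directory into a hard error for the add path, but the one-line comment does not say why that is impossible rather than merely unexpected; a reader who does not know that link_update() creates the caller's own entry in that directory before calling link_find_prioritized() will read this as a regression for first-time symlinks. I would extend it to `/* The stack directory must exist: link_update() created our own entry in it just before calling us, so ENOENT here means a foreign rmdir() raced with us. */` (the creation step is inferred from the caller, which is outside this hunk, so please confirm). The `*ret = NULL; return 0;` path for the remove case looks right given that the caller appears to treat 0 as "no claimant left". link_find_prioritized() begins and ends outside the hunk.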
@ -0,0 +1,250 @@
|
||||
From 9c68b5675ffd11f2a3f9123446b54c2d0eea4682 Mon Sep 17 00:00:00 2001
|
||||
From: Yu Watanabe <watanabe.yu+github@gmail.com>
|
||||
Date: Wed, 1 Sep 2021 04:16:21 +0900
|
||||
Subject: [PATCH] udev-node: save information about device node and priority in
|
||||
symlink
|
||||
|
||||
Previously, we only store device IDs in /run/udev/links, and when
|
||||
creating/removing device node symlink, we create sd_device object
|
||||
corresponds to the IDs and read device node and priority from the
|
||||
object. That requires parsing uevent and udev database files.
|
||||
|
||||
This makes link_find_prioritized() get the most prioritzed device node
|
||||
without parsing the files.
|
||||
|
||||
(cherry picked from commit 377a83f0d80376456d9be203796f66f543a8b943)
|
||||
|
||||
Related: #1977994
|
||||
---
|
||||
src/udev/udev-node.c | 172 ++++++++++++++++++++++++++++++-------------
|
||||
1 file changed, 121 insertions(+), 51 deletions(-)
|
||||
|
||||
diff --git a/src/udev/udev-node.c b/src/udev/udev-node.c
|
||||
index 4496a2bd9b..5d6aae0bd4 100644
|
||||
--- a/src/udev/udev-node.c
|
||||
+++ b/src/udev/udev-node.c
|
||||
@@ -18,6 +18,7 @@
|
||||
#include "fs-util.h"
|
||||
#include "hexdecoct.h"
|
||||
#include "mkdir.h"
|
||||
+#include "parse-util.h"
|
||||
#include "path-util.h"
|
||||
#include "selinux-util.h"
|
||||
#include "smack-util.h"
|
||||
@@ -28,9 +29,9 @@
|
||||
#include "udev-node.h"
|
||||
#include "user-util.h"
|
||||
|
||||
-#define CREATE_LINK_MAX_RETRIES 128
|
||||
-#define LINK_UPDATE_MAX_RETRIES 128
|
||||
-#define TOUCH_FILE_MAX_RETRIES 128
|
||||
+#define CREATE_LINK_MAX_RETRIES 128
|
||||
+#define LINK_UPDATE_MAX_RETRIES 128
|
||||
+#define CREATE_STACK_LINK_MAX_RETRIES 128
|
||||
#define UDEV_NODE_HASH_KEY SD_ID128_MAKE(b9,6a,f1,ce,40,31,44,1a,9e,19,ec,8b,ae,f3,e3,2f)
|
||||
|
||||
static int create_symlink(const char *target, const char *slink) {
|
||||
@@ -175,39 +176,67 @@ static int link_find_prioritized(sd_device *dev, bool add, const char *stackdir,
|
||||
return r;
|
||||
|
||||
FOREACH_DIRENT_ALL(dent, dir, break) {
|
||||
- _cleanup_(sd_device_unrefp) sd_device *dev_db = NULL;
|
||||
- const char *devnode;
|
||||
- int db_prio = 0;
|
||||
+ _cleanup_free_ char *path = NULL, *buf = NULL;
|
||||
+ int tmp_prio;
|
||||
|
||||
- if (dent->d_name[0] == '\0')
|
||||
- break;
|
||||
if (dent->d_name[0] == '.')
|
||||
continue;
|
||||
|
||||
- log_device_debug(dev, "Found '%s' claiming '%s'", dent->d_name, stackdir);
|
||||
-
|
||||
- /* did we find ourself? */
|
||||
+ /* skip ourself */
|
||||
if (streq(dent->d_name, id))
|
||||
continue;
|
||||
|
||||
- if (sd_device_new_from_device_id(&dev_db, dent->d_name) < 0)
|
||||
- continue;
|
||||
+ path = path_join(stackdir, dent->d_name);
|
||||
+ if (!path)
|
||||
+ return -ENOMEM;
|
||||
|
||||
- if (sd_device_get_devname(dev_db, &devnode) < 0)
|
||||
- continue;
|
||||
+ if (readlink_malloc(path, &buf) >= 0) {
|
||||
+ char *devnode;
|
||||
|
||||
- if (device_get_devlink_priority(dev_db, &db_prio) < 0)
|
||||
- continue;
|
||||
+ /* New format. The devnode and priority can be obtained from symlink. */
|
||||
|
||||
- if (target && db_prio <= priority)
|
||||
- continue;
|
||||
+ devnode = strchr(buf, ':');
|
||||
+ if (!devnode || devnode == buf)
|
||||
+ continue;
|
||||
|
||||
- log_device_debug(dev_db, "Device claims priority %i for '%s'", db_prio, stackdir);
|
||||
+ *(devnode++) = '\0';
|
||||
+ if (!path_startswith(devnode, "/dev"))
|
||||
+ continue;
|
||||
|
||||
- r = free_and_strdup(&target, devnode);
|
||||
- if (r < 0)
|
||||
- return r;
|
||||
- priority = db_prio;
|
||||
+ if (safe_atoi(buf, &tmp_prio) < 0)
|
||||
+ continue;
|
||||
+
|
||||
+ if (target && tmp_prio <= priority)
|
||||
+ continue;
|
||||
+
|
||||
+ r = free_and_strdup(&target, devnode);
|
||||
+ if (r < 0)
|
||||
+ return r;
|
||||
+ } else {
|
||||
+ _cleanup_(sd_device_unrefp) sd_device *tmp_dev = NULL;
|
||||
+ const char *devnode;
|
||||
+
|
||||
+ /* Old format. The devnode and priority must be obtained from uevent and
|
||||
+ * udev database files. */
|
||||
+
|
||||
+ if (sd_device_new_from_device_id(&tmp_dev, dent->d_name) < 0)
|
||||
+ continue;
|
||||
+
|
||||
+ if (device_get_devlink_priority(tmp_dev, &tmp_prio) < 0)
|
||||
+ continue;
|
||||
+
|
||||
+ if (target && tmp_prio <= priority)
|
||||
+ continue;
|
||||
+
|
||||
+ if (sd_device_get_devname(tmp_dev, &devnode) < 0)
|
||||
+ continue;
|
||||
+
|
||||
+ r = free_and_strdup(&target, devnode);
|
||||
+ if (r < 0)
|
||||
+ return r;
|
||||
+ }
|
||||
+
|
||||
+ priority = tmp_prio;
|
||||
}
|
||||
|
||||
*ret = TAKE_PTR(target);
|
||||
@@ -256,10 +285,72 @@ toolong:
|
||||
return size - 1;
|
||||
}
|
||||
|
||||
+static int update_stack_directory(sd_device *dev, const char *dirname, bool add) {
|
||||
+ _cleanup_free_ char *filename = NULL, *data = NULL, *buf = NULL;
|
||||
+ const char *devname, *id;
|
||||
+ int priority, r;
|
||||
+
|
||||
+ assert(dev);
|
||||
+ assert(dirname);
|
||||
+
|
||||
+ r = device_get_device_id(dev, &id);
|
||||
+ if (r < 0)
|
||||
+ return log_device_debug_errno(dev, r, "Failed to get device id: %m");
|
||||
+
|
||||
+ filename = path_join(dirname, id);
|
||||
+ if (!filename)
|
||||
+ return log_oom_debug();
|
||||
+
|
||||
+ if (!add) {
|
||||
+ if (unlink(filename) < 0 && errno != ENOENT)
|
||||
+ log_device_debug_errno(dev, errno, "Failed to remove %s, ignoring: %m", filename);
|
||||
+
|
||||
+ (void) rmdir(dirname);
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
+ r = sd_device_get_devname(dev, &devname);
|
||||
+ if (r < 0)
|
||||
+ return log_device_debug_errno(dev, r, "Failed to get device node: %m");
|
||||
+
|
||||
+ r = device_get_devlink_priority(dev, &priority);
|
||||
+ if (r < 0)
|
||||
+ return log_device_debug_errno(dev, r, "Failed to get priority of device node symlink: %m");
|
||||
+
|
||||
+ if (asprintf(&data, "%i:%s", priority, devname) < 0)
|
||||
+ return log_oom_debug();
|
||||
+
|
||||
+ if (readlink_malloc(filename, &buf) >= 0 && streq(buf, data))
|
||||
+ return 0;
|
||||
+
|
||||
+ if (unlink(filename) < 0 && errno != ENOENT)
|
||||
+ log_device_debug_errno(dev, errno, "Failed to remove %s, ignoring: %m", filename);
|
||||
+
|
||||
+ for (unsigned j = 0; j < CREATE_STACK_LINK_MAX_RETRIES; j++) {
|
||||
+ /* This may fail with -ENOENT when the parent directory is removed during
|
||||
+ * creating the file by another udevd worker. */
|
||||
+ r = mkdir_p(dirname, 0755);
|
||||
+ if (r == -ENOENT)
|
||||
+ continue;
|
||||
+ if (r < 0)
|
||||
+ return log_device_debug_errno(dev, r, "Failed to create directory %s: %m", dirname);
|
||||
+
|
||||
+ if (symlink(data, filename) < 0) {
|
||||
+ if (errno == ENOENT)
|
||||
+ continue;
|
||||
+ return log_device_debug_errno(dev, errno, "Failed to create symbolic link %s: %m", filename);
|
||||
+ }
|
||||
+
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
+ return log_device_debug_errno(dev, SYNTHETIC_ERRNO(ELOOP), "Failed to create symbolic link %s: %m", filename);
|
||||
+}
|
||||
+
|
||||
/* manage "stack of names" with possibly specified device priorities */
|
||||
static int link_update(sd_device *dev, const char *slink_in, bool add) {
|
||||
- _cleanup_free_ char *slink = NULL, *filename = NULL, *dirname = NULL;
|
||||
- const char *slink_name, *id;
|
||||
+ _cleanup_free_ char *slink = NULL, *dirname = NULL;
|
||||
+ const char *slink_name;
|
||||
char name_enc[NAME_MAX+1];
|
||||
int i, r, retries;
|
||||
|
||||
@@ -279,35 +370,14 @@ static int link_update(sd_device *dev, const char *slink_in, bool add) {
|
||||
return log_device_debug_errno(dev, SYNTHETIC_ERRNO(EINVAL),
|
||||
"Invalid symbolic link of device node: %s", slink);
|
||||
|
||||
- r = device_get_device_id(dev, &id);
|
||||
- if (r < 0)
|
||||
- return log_device_debug_errno(dev, r, "Failed to get device id: %m");
|
||||
-
|
||||
(void) udev_node_escape_path(slink_name, name_enc, sizeof(name_enc));
|
||||
- dirname = path_join("/run/udev/links/", name_enc);
|
||||
+ dirname = path_join("/run/udev/links", name_enc);
|
||||
if (!dirname)
|
||||
return log_oom_debug();
|
||||
|
||||
- filename = path_join(dirname, id);
|
||||
- if (!filename)
|
||||
- return log_oom_debug();
|
||||
-
|
||||
- if (!add) {
|
||||
- if (unlink(filename) < 0 && errno != ENOENT)
|
||||
- log_device_debug_errno(dev, errno, "Failed to remove %s, ignoring: %m", filename);
|
||||
-
|
||||
- (void) rmdir(dirname);
|
||||
- } else {
|
||||
- for (unsigned j = 0; j < TOUCH_FILE_MAX_RETRIES; j++) {
|
||||
- /* This may fail with -ENOENT when the parent directory is removed during
|
||||
- * creating the file by another udevd worker. */
|
||||
- r = touch_file(filename, /* parents= */ true, USEC_INFINITY, UID_INVALID, GID_INVALID, 0444);
|
||||
- if (r != -ENOENT)
|
||||
- break;
|
||||
- }
|
||||
- if (r < 0)
|
||||
- return log_device_debug_errno(dev, r, "Failed to create %s: %m", filename);
|
||||
- }
|
||||
+ r = update_stack_directory(dev, dirname, add);
|
||||
+ if (r < 0)
|
||||
+ return r;
|
||||
|
||||
/* If the database entry is not written yet we will just do one iteration and possibly wrong symlink
|
||||
* will be fixed in the second invocation. */
|
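Review bot: The stack entry format written by `asprintf(&data, "%i:%s", priority, devname)` in update_stack_directory() and parsed by the `strchr(buf, ':')` / safe_atoi() / path_startswith() sequence in link_find_prioritized() is a shared on-disk contract, yet neither side documents it; a comment on the asprintf line, e.g. `/* Symlink target format: "<priority>:<devnode>", parsed by link_find_prioritized(); keep both in sync. The priority never contains ':' so the first colon is the separator. */`, would stop the two from drifting apart. The parser skips malformed or non-/dev entries with a bare `continue`, and since this patch also drops the earlier `log_device_debug(dev, "Found '%s' claiming '%s'", ...)`, a corrupted or stale entry now vanishes without any trace in the debug log; I would add `log_device_debug(dev, "Ignoring invalid stack entry '%s' in '%s'", dent->d_name, stackdir);` before those continues so a bad entry can be diagnosed from the log. link_find_prioritized() starts outside its hunk; update_stack_directory() is complete within the second hunk, while link_update()'s body continues past the third.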
@ -0,0 +1,146 @@
|
||||
From 16a6007cc8881ef19cc97de676d3b2b36b2def82 Mon Sep 17 00:00:00 2001
|
||||
From: Yu Watanabe <watanabe.yu+github@gmail.com>
|
||||
Date: Wed, 1 Sep 2021 12:57:40 +0900
|
||||
Subject: [PATCH] udev-node: always update timestamp of stack directory
|
||||
|
||||
Please see the comments in the code.
|
||||
|
||||
(cherry picked from commit 6df797f75fa08bb1a9e657001229bd47903e6174)
|
||||
|
||||
Related: #1977994
|
||||
---
|
||||
src/udev/udev-node.c | 90 ++++++++++++++++++++++++++++++++++++++++++--
|
||||
1 file changed, 87 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/src/udev/udev-node.c b/src/udev/udev-node.c
|
||||
index 5d6aae0bd4..0de848da19 100644
|
||||
--- a/src/udev/udev-node.c
|
||||
+++ b/src/udev/udev-node.c
|
||||
@@ -32,6 +32,7 @@
|
||||
#define CREATE_LINK_MAX_RETRIES 128
|
||||
#define LINK_UPDATE_MAX_RETRIES 128
|
||||
#define CREATE_STACK_LINK_MAX_RETRIES 128
|
||||
+#define UPDATE_TIMESTAMP_MAX_RETRIES 128
|
||||
#define UDEV_NODE_HASH_KEY SD_ID128_MAKE(b9,6a,f1,ce,40,31,44,1a,9e,19,ec,8b,ae,f3,e3,2f)
|
||||
|
||||
static int create_symlink(const char *target, const char *slink) {
|
||||
@@ -285,9 +286,60 @@ toolong:
|
||||
return size - 1;
|
||||
}
|
||||
|
||||
+static int update_timestamp(sd_device *dev, const char *path, struct stat *prev) {
|
||||
+ assert(path);
|
||||
+ assert(prev);
|
||||
+
|
||||
+ /* Even if a symlink in the stack directory is created/removed, the mtime of the directory may
|
||||
+ * not be changed. Why? Let's consider the following situation. For simplicity, let's assume
|
||||
+ * there exist three udev workers (A, B, and C) and all of them calls link_update() for the
|
||||
+ * same devlink simultaneously.
|
||||
+ *
|
||||
+ * 1. B creates/removes a symlink in the stack directory.
|
||||
+ * 2. A calls the first stat() in the loop of link_update().
|
||||
+ * 3. A calls link_find_prioritized().
|
||||
+ * 4. C creates/removes another symlink in the stack directory, so the result of the step 3 is outdated.
|
||||
+ * 5. B and C finish link_update().
|
||||
+ * 6. A creates/removes devlink according to the outdated result in the step 3.
|
||||
+ * 7. A calls the second stat() in the loop of link_update().
|
||||
+ *
|
||||
+ * If these 7 steps are processed in this order within a short time period that kernel's timer
|
||||
+ * does not increase, then even if the contents in the stack directory is changed, the results
|
||||
+ * of two stat() called by A shows the same timestamp, and A cannot detect the change.
|
||||
+ *
|
||||
+ * By calling this function after creating/removing symlinks in the stack directory, the
|
||||
+ * timestamp of the stack directory is always increased at least in the above step 5, so A can
|
||||
+ * detect the update. */
|
||||
+
|
||||
+ if ((prev->st_mode & S_IFMT) == 0)
|
||||
+ return 0; /* Does not exist, or previous stat() failed. */
|
||||
+
|
||||
+ for (unsigned i = 0; i < UPDATE_TIMESTAMP_MAX_RETRIES; i++) {
|
||||
+ struct stat st;
|
||||
+
|
||||
+ if (stat(path, &st) < 0)
|
||||
+ return -errno;
|
||||
+
|
||||
+ if (!stat_inode_unmodified(prev, &st))
|
||||
+ return 0;
|
||||
+
|
||||
+ log_device_debug(dev,
|
||||
+ "%s is modified, but its timestamp is not changed, "
|
||||
+ "updating timestamp after 10ms.",
|
||||
+ path);
|
||||
+
|
||||
+ (void) usleep(10 * USEC_PER_MSEC);
|
||||
+ if (utimensat(AT_FDCWD, path, NULL, 0) < 0)
|
||||
+ return -errno;
|
||||
+ }
|
||||
+
|
||||
+ return -ELOOP;
|
||||
+}
|
||||
+
|
||||
static int update_stack_directory(sd_device *dev, const char *dirname, bool add) {
|
||||
_cleanup_free_ char *filename = NULL, *data = NULL, *buf = NULL;
|
||||
const char *devname, *id;
|
||||
+ struct stat st = {};
|
||||
int priority, r;
|
||||
|
||||
assert(dev);
|
||||
@@ -302,10 +354,31 @@ static int update_stack_directory(sd_device *dev, const char *dirname, bool add)
|
||||
return log_oom_debug();
|
||||
|
||||
if (!add) {
|
||||
- if (unlink(filename) < 0 && errno != ENOENT)
|
||||
- log_device_debug_errno(dev, errno, "Failed to remove %s, ignoring: %m", filename);
|
||||
+ bool unlink_failed = false;
|
||||
+
|
||||
+ if (stat(dirname, &st) < 0) {
|
||||
+ if (errno == ENOENT)
|
||||
+ return 0; /* The stack directory is already removed. That's OK. */
|
||||
+ log_device_debug_errno(dev, errno, "Failed to stat %s, ignoring: %m", dirname);
|
||||
+ }
|
||||
+
|
||||
+ if (unlink(filename) < 0) {
|
||||
+ unlink_failed = true;
|
||||
+ if (errno != ENOENT)
|
||||
+ log_device_debug_errno(dev, errno, "Failed to remove %s, ignoring: %m", filename);
|
||||
+ }
|
||||
+
|
||||
+ if (rmdir(dirname) >= 0 || errno == ENOENT)
|
||||
+ return 0;
|
||||
+
|
||||
+ if (unlink_failed)
|
||||
+ return 0; /* If we failed to remove the symlink, there is almost nothing we can do. */
|
||||
+
|
||||
+ /* The symlink was removed. Check if the timestamp of directory is changed. */
|
||||
+ r = update_timestamp(dev, dirname, &st);
|
||||
+ if (r < 0 && r != -ENOENT)
|
||||
+ return log_device_debug_errno(dev, r, "Failed to update timestamp of %s: %m", dirname);
|
||||
|
||||
- (void) rmdir(dirname);
|
||||
return 0;
|
||||
}
|
||||
|
||||
@@ -335,12 +408,23 @@ static int update_stack_directory(sd_device *dev, const char *dirname, bool add)
|
||||
if (r < 0)
|
||||
return log_device_debug_errno(dev, r, "Failed to create directory %s: %m", dirname);
|
||||
|
||||
+ if (stat(dirname, &st) < 0) {
|
||||
+ if (errno == ENOENT)
|
||||
+ continue;
|
||||
+ return log_device_debug_errno(dev, errno, "Failed to stat %s: %m", dirname);
|
||||
+ }
|
||||
+
|
||||
if (symlink(data, filename) < 0) {
|
||||
if (errno == ENOENT)
|
||||
continue;
|
||||
return log_device_debug_errno(dev, errno, "Failed to create symbolic link %s: %m", filename);
|
||||
}
|
||||
|
||||
+ /* The symlink was created. Check if the timestamp of directory is changed. */
|
||||
+ r = update_timestamp(dev, dirname, &st);
|
||||
+ if (r < 0)
|
||||
+ return log_device_debug_errno(dev, r, "Failed to update timestamp of %s: %m", dirname);
|
||||
+
|
||||
return 0;
|
||||
}
|
||||
|
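Review bot: In the `!add` branch of update_stack_directory(), when `stat(dirname, &st)` fails with something other than ENOENT the code only logs and carries on with `st` still zero-initialised, so update_timestamp() later returns 0 at its `(prev->st_mode & S_IFMT) == 0` guard and the timestamp bump is silently skipped even though the directory exists and our entry was just unlinked, which is the very window this patch closes. Running as root makes that practically unreachable, but the sentinel's double meaning ("directory absent" and "caller's stat() failed") deserves a comment at the guard, e.g. `/* st_mode == 0: the caller's stat() failed (ENOENT or otherwise), so there is nothing to bump. */`. The same sentinel relies on stat() leaving the buffer untouched on failure, which Linux does but POSIX does not promise; the `st1`/`st2` comparison in link_update() from the later "check stack directory change even if devlink is removed" patch depends on the same property. Finally, the remove path tolerates `-ENOENT` from update_timestamp() while the add path does not; a one-line comment on `r != -ENOENT` noting that the directory may be rmdir()ed concurrently would explain the asymmetry.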
@ -0,0 +1,34 @@
|
||||
From 18936c8ee21fabb2036b1849a4bb7f5b64bee897 Mon Sep 17 00:00:00 2001
|
||||
From: Yu Watanabe <watanabe.yu+github@gmail.com>
|
||||
Date: Thu, 2 Sep 2021 06:58:59 +0900
|
||||
Subject: [PATCH] udev-node: assume no new claim to a symlink if
|
||||
/run/udev/links is not updated
|
||||
|
||||
During creating a symlink to a device node, if another device node which
|
||||
requests the same symlink is added/removed, `stat_inode_unmodified()`
|
||||
should always detects that. We do not need to continue the loop
|
||||
unconditionally.
|
||||
|
||||
(cherry picked from commit 8f27311eb2aec2411d1fb7d62e6c9d75d21ae8df)
|
||||
|
||||
Related: #1977994
|
||||
---
|
||||
src/udev/udev-node.c | 5 -----
|
||||
1 file changed, 5 deletions(-)
|
||||
|
||||
diff --git a/src/udev/udev-node.c b/src/udev/udev-node.c
|
||||
index 0de848da19..1a34ea8128 100644
|
||||
--- a/src/udev/udev-node.c
|
||||
+++ b/src/udev/udev-node.c
|
||||
@@ -491,11 +491,6 @@ static int link_update(sd_device *dev, const char *slink_in, bool add) {
|
||||
r = node_symlink(dev, target, slink);
|
||||
if (r < 0)
|
||||
return r;
|
||||
- if (r == 1)
|
||||
- /* We have replaced already existing symlink, possibly there is some other device trying
|
||||
- * to claim the same symlink. Let's do one more iteration to give us a chance to fix
|
||||
- * the error if other device actually claims the symlink with higher priority. */
|
||||
- continue;
|
||||
|
||||
/* Skip the second stat() if the first failed, stat_inode_unmodified() would return false regardless. */
|
||||
if ((st1.st_mode & S_IFMT) != 0) {
|
@ -0,0 +1,92 @@
|
||||
From 323f687e53737ccf7687482c31690374da90d8e7 Mon Sep 17 00:00:00 2001
|
||||
From: Yu Watanabe <watanabe.yu+github@gmail.com>
|
||||
Date: Wed, 1 Sep 2021 02:20:33 +0900
|
||||
Subject: [PATCH] udev-node: always atomically create symlink to device node
|
||||
|
||||
By the previous commit, it is not necessary to distinguish if the devlink
|
||||
already exists. Also, I cannot find any significant advantages of the
|
||||
previous complecated logic, that is, first try to create directly, and then
|
||||
fallback to atomically creation. Moreover, such logic increases the chance
|
||||
of conflicts between multiple udev workers.
|
||||
|
||||
This makes devlinks always created atomically. Hopefully, this reduces the
|
||||
conflicts between the workers.
|
||||
|
||||
(cherry picked from commit 242d39ebc1391f4734f6e63ff13764de92bc5f70)
|
||||
|
||||
Related: #1977994
|
||||
---
|
||||
src/udev/udev-node.c | 42 +++++++++---------------------------------
|
||||
1 file changed, 9 insertions(+), 33 deletions(-)
|
||||
|
||||
diff --git a/src/udev/udev-node.c b/src/udev/udev-node.c
|
||||
index 1a34ea8128..46c04fe00b 100644
|
||||
--- a/src/udev/udev-node.c
|
||||
+++ b/src/udev/udev-node.c
|
||||
@@ -71,6 +71,13 @@ static int node_symlink(sd_device *dev, const char *node, const char *slink) {
|
||||
assert(node);
|
||||
assert(slink);
|
||||
|
||||
+ if (lstat(slink, &stats) >= 0) {
|
||||
+ if (!S_ISLNK(stats.st_mode))
|
||||
+ return log_device_debug_errno(dev, SYNTHETIC_ERRNO(EEXIST),
|
||||
+ "Conflicting inode '%s' found, link to '%s' will not be created.", slink, node);
|
||||
+ } else if (errno != ENOENT)
|
||||
+ return log_device_debug_errno(dev, errno, "Failed to lstat() '%s': %m", slink);
|
||||
+
|
||||
r = path_extract_directory(slink, &slink_dirname);
|
||||
if (r < 0)
|
||||
return log_device_debug_errno(dev, r, "Failed to get parent directory of '%s': %m", slink);
|
||||
@@ -80,41 +87,11 @@ static int node_symlink(sd_device *dev, const char *node, const char *slink) {
|
||||
if (r < 0)
|
||||
return log_device_debug_errno(dev, r, "Failed to get relative path from '%s' to '%s': %m", slink, node);
|
||||
|
||||
- if (lstat(slink, &stats) >= 0) {
|
||||
- _cleanup_free_ char *buf = NULL;
|
||||
-
|
||||
- if (!S_ISLNK(stats.st_mode))
|
||||
- return log_device_debug_errno(dev, SYNTHETIC_ERRNO(EEXIST),
|
||||
- "Conflicting inode '%s' found, link to '%s' will not be created.", slink, node);
|
||||
-
|
||||
- if (readlink_malloc(slink, &buf) >= 0 &&
|
||||
- path_equal(target, buf)) {
|
||||
- /* preserve link with correct target, do not replace node of other device */
|
||||
- log_device_debug(dev, "Preserve already existing symlink '%s' to '%s'", slink, target);
|
||||
-
|
||||
- (void) label_fix(slink, LABEL_IGNORE_ENOENT);
|
||||
- (void) utimensat(AT_FDCWD, slink, NULL, AT_SYMLINK_NOFOLLOW);
|
||||
-
|
||||
- return 0;
|
||||
- }
|
||||
- } else if (errno == ENOENT) {
|
||||
- log_device_debug(dev, "Creating symlink '%s' to '%s'", slink, target);
|
||||
-
|
||||
- r = create_symlink(target, slink);
|
||||
- if (r >= 0)
|
||||
- return 0;
|
||||
-
|
||||
- log_device_debug_errno(dev, r, "Failed to create symlink '%s' to '%s', trying to replace '%s': %m", slink, target, slink);
|
||||
- } else
|
||||
- return log_device_debug_errno(dev, errno, "Failed to lstat() '%s': %m", slink);
|
||||
-
|
||||
- log_device_debug(dev, "Atomically replace '%s'", slink);
|
||||
-
|
||||
r = device_get_device_id(dev, &id);
|
||||
if (r < 0)
|
||||
return log_device_debug_errno(dev, r, "Failed to get device id: %m");
|
||||
- slink_tmp = strjoina(slink, ".tmp-", id);
|
||||
|
||||
+ slink_tmp = strjoina(slink, ".tmp-", id);
|
||||
(void) unlink(slink_tmp);
|
||||
|
||||
r = create_symlink(target, slink_tmp);
|
||||
@@ -127,8 +104,7 @@ static int node_symlink(sd_device *dev, const char *node, const char *slink) {
|
||||
return r;
|
||||
}
|
||||
|
||||
- /* Tell caller that we replaced already existing symlink. */
|
||||
- return 1;
|
||||
+ return 0;
|
||||
}
|
||||
|
||||
static int link_find_prioritized(sd_device *dev, bool add, const char *stackdir, char **ret) {
|
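Review bot: The lstat()-based conflict check moved to the top of node_symlink() is not atomic with the replacement of `slink` that follows (presumably a rename() of `slink_tmp`, which lies outside the hunk), so a non-symlink inode appearing between the two calls can still be overwritten, since rename() replaces a regular file and only refuses a directory; the removed code had the same exposure, but the new code now ends unconditionally in the replace path. With /dev being root-owned this is not an exploitable hole, but the check should be labelled as advisory, e.g. `/* Best-effort check only: the atomic replacement below is not conditional on it. */` above the lstat(). Changing the final `return 1;` to `return 0;` removes the "replaced an existing link" signal; the caller's `if (r == 1) continue;` was dropped in the previous patch, so please confirm no other caller inspects the value.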
@ -0,0 +1,44 @@
|
||||
From 6ecd6fdcc27f374debcce47366c2862967f99463 Mon Sep 17 00:00:00 2001
|
||||
From: Yu Watanabe <watanabe.yu+github@gmail.com>
|
||||
Date: Wed, 1 Sep 2021 09:44:26 +0900
|
||||
Subject: [PATCH] udev-node: check stack directory change even if devlink is
|
||||
removed
|
||||
|
||||
Otherwise, when multiple device additions and removals occur
|
||||
simultaneously, symlink to unexisting devnode may be created.
|
||||
|
||||
Hopefully fixes #19946.
|
||||
|
||||
(cherry picked from commit 1cd4e325693007b3628f1a27297f0ab7114b24b8)
|
||||
|
||||
Related: #1977994
|
||||
---
|
||||
src/udev/udev-node.c | 15 ++++++---------
|
||||
1 file changed, 6 insertions(+), 9 deletions(-)
|
||||
|
||||
diff --git a/src/udev/udev-node.c b/src/udev/udev-node.c
|
||||
index 46c04fe00b..28e6e8df94 100644
|
||||
--- a/src/udev/udev-node.c
|
||||
+++ b/src/udev/udev-node.c
|
||||
@@ -468,15 +468,12 @@ static int link_update(sd_device *dev, const char *slink_in, bool add) {
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
- /* Skip the second stat() if the first failed, stat_inode_unmodified() would return false regardless. */
|
||||
- if ((st1.st_mode & S_IFMT) != 0) {
|
||||
- r = stat(dirname, &st2);
|
||||
- if (r < 0 && errno != ENOENT)
|
||||
- return log_device_debug_errno(dev, errno, "Failed to stat %s: %m", dirname);
|
||||
-
|
||||
- if (stat_inode_unmodified(&st1, &st2))
|
||||
- break;
|
||||
- }
|
||||
+ if (stat(dirname, &st2) < 0 && errno != ENOENT)
|
||||
+ return log_device_debug_errno(dev, errno, "Failed to stat %s: %m", dirname);
|
||||
+
|
||||
+ if (((st1.st_mode & S_IFMT) == 0 && (st2.st_mode & S_IFMT) == 0) ||
|
||||
+ stat_inode_unmodified(&st1, &st2))
|
||||
+ return 0;
|
||||
}
|
||||
|
||||
return i < LINK_UPDATE_MAX_RETRIES ? 0 : -ELOOP;
|
@ -0,0 +1,32 @@
|
||||
From a075830244f699703a88a492413d931eaeb23a65 Mon Sep 17 00:00:00 2001
|
||||
From: Yu Watanabe <watanabe.yu+github@gmail.com>
|
||||
Date: Thu, 2 Sep 2021 08:23:35 +0900
|
||||
Subject: [PATCH] udev-node: shorten code a bit and update log message
|
||||
|
||||
(cherry picked from commit 8424da2de88ceeed7be8544fb69221f0b0ea84ea)
|
||||
|
||||
Related: #1977994
|
||||
---
|
||||
src/udev/udev-node.c | 5 ++---
|
||||
1 file changed, 2 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/src/udev/udev-node.c b/src/udev/udev-node.c
|
||||
index 28e6e8df94..2e7df899e4 100644
|
||||
--- a/src/udev/udev-node.c
|
||||
+++ b/src/udev/udev-node.c
|
||||
@@ -447,13 +447,12 @@ static int link_update(sd_device *dev, const char *slink_in, bool add) {
|
||||
_cleanup_free_ char *target = NULL;
|
||||
struct stat st1 = {}, st2 = {};
|
||||
|
||||
- r = stat(dirname, &st1);
|
||||
- if (r < 0 && errno != ENOENT)
|
||||
+ if (stat(dirname, &st1) < 0 && errno != ENOENT)
|
||||
return log_device_debug_errno(dev, errno, "Failed to stat %s: %m", dirname);
|
||||
|
||||
r = link_find_prioritized(dev, add, dirname, &target);
|
||||
if (r < 0)
|
||||
- return log_device_debug_errno(dev, r, "Failed to determine highest priority for symlink '%s': %m", slink);
|
||||
+ return log_device_debug_errno(dev, r, "Failed to determine device node with the highest priority for '%s': %m", slink);
|
||||
if (r == 0) {
|
||||
log_device_debug(dev, "No reference left for '%s', removing", slink);
|
||||
|
@ -0,0 +1,59 @@
|
||||
From c484f91a87679fb26342408f20e7bdddf316f5a0 Mon Sep 17 00:00:00 2001
|
||||
From: Yu Watanabe <watanabe.yu+github@gmail.com>
|
||||
Date: Wed, 1 Sep 2021 04:34:48 +0900
|
||||
Subject: [PATCH] udev-node: add random delay on conflict in updating device
|
||||
node symlink
|
||||
|
||||
To make multiple workers not update the same device node symlink
|
||||
simultaneously.
|
||||
|
||||
(cherry picked from commit 0063fa23a1384dd4385d03b568dc629916b7e72a)
|
||||
|
||||
Related: #1977994
|
||||
---
|
||||
src/udev/udev-node.c | 12 ++++++++++++
|
||||
1 file changed, 12 insertions(+)
|
||||
|
||||
diff --git a/src/udev/udev-node.c b/src/udev/udev-node.c
|
||||
index 2e7df899e4..675e6ce313 100644
|
||||
--- a/src/udev/udev-node.c
|
||||
+++ b/src/udev/udev-node.c
|
||||
@@ -20,12 +20,14 @@
|
||||
#include "mkdir.h"
|
||||
#include "parse-util.h"
|
||||
#include "path-util.h"
|
||||
+#include "random-util.h"
|
||||
#include "selinux-util.h"
|
||||
#include "smack-util.h"
|
||||
#include "stat-util.h"
|
||||
#include "stdio-util.h"
|
||||
#include "string-util.h"
|
||||
#include "strxcpyx.h"
|
||||
+#include "time-util.h"
|
||||
#include "udev-node.h"
|
||||
#include "user-util.h"
|
||||
|
||||
@@ -33,6 +35,8 @@
|
||||
#define LINK_UPDATE_MAX_RETRIES 128
|
||||
#define CREATE_STACK_LINK_MAX_RETRIES 128
|
||||
#define UPDATE_TIMESTAMP_MAX_RETRIES 128
|
||||
+#define MAX_RANDOM_DELAY (250 * USEC_PER_MSEC)
|
||||
+#define MIN_RANDOM_DELAY ( 50 * USEC_PER_MSEC)
|
||||
#define UDEV_NODE_HASH_KEY SD_ID128_MAKE(b9,6a,f1,ce,40,31,44,1a,9e,19,ec,8b,ae,f3,e3,2f)
|
||||
|
||||
static int create_symlink(const char *target, const char *slink) {
|
||||
@@ -447,6 +451,14 @@ static int link_update(sd_device *dev, const char *slink_in, bool add) {
|
||||
_cleanup_free_ char *target = NULL;
|
||||
struct stat st1 = {}, st2 = {};
|
||||
|
||||
+ if (i > 0) {
|
||||
+ usec_t delay = MIN_RANDOM_DELAY + random_u64_range(MAX_RANDOM_DELAY - MIN_RANDOM_DELAY);
|
||||
+
|
||||
+ log_device_debug(dev, "Directory %s was updated, retrying to update devlink %s after %s.",
|
||||
+ dirname, slink, FORMAT_TIMESPAN(delay, USEC_PER_MSEC));
|
||||
+ (void) usleep(delay);
|
||||
+ }
|
||||
+
|
||||
if (stat(dirname, &st1) < 0 && errno != ENOENT)
|
||||
return log_device_debug_errno(dev, errno, "Failed to stat %s: %m", dirname);
|
||||
|
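Review bot: The jitter block added at the top of the retry loop in link_update() has no comment explaining its purpose or the bound it introduces; with `LINK_UPDATE_MAX_RETRIES` at 128 and `MAX_RANDOM_DELAY` at 250 ms the loop can now sleep for up to about 32 s inside a udev worker before returning -ELOOP, which is worth stating next to the two new macros so nobody lowers the worker timeout below it. I would add above the `if (i > 0)`: `/* Back off with jitter so that workers contending for the same devlink do not retry in lock-step; worst case is LINK_UPDATE_MAX_RETRIES * MAX_RANDOM_DELAY. */`. The log line says the directory "was updated", which is accurate only because the previous patch made a changed directory the sole reason to iterate; fine as is, but fragile if the loop condition changes again. link_update() starts and ends outside the hunk.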
@ -0,0 +1,80 @@
|
||||
From 458a6cd748ee5555b6957888b69d475ac3f619c6 Mon Sep 17 00:00:00 2001
|
||||
From: Yu Watanabe <watanabe.yu+github@gmail.com>
|
||||
Date: Wed, 1 Sep 2021 09:29:42 +0900
|
||||
Subject: [PATCH] udev-node: drop redundant trial of devlink creation
|
||||
|
||||
Previously, the devlink was created based on the priority saved in udev
|
||||
database. So, we needed to reevaluate devlinks after database is saved.
|
||||
|
||||
But now the priority is stored in the symlink under /run/udev/links, and
|
||||
the loop of devlink creation is controlled with the timestamp of the
|
||||
directory. So, the double evaluation is not necessary anymore.
|
||||
|
||||
(cherry picked from commit 7920d0a135fb6a08aa0bfc31e9d0a3f589fe7a1f)
|
||||
|
||||
Related: #1977994
|
||||
---
|
||||
src/udev/udev-event.c | 5 +----
|
||||
src/udev/udev-node.c | 12 ++++--------
|
||||
2 files changed, 5 insertions(+), 12 deletions(-)
|
||||
|
||||
diff --git a/src/udev/udev-event.c b/src/udev/udev-event.c
|
||||
index 8b9f8aecfe..c77f55c67e 100644
|
||||
--- a/src/udev/udev-event.c
|
||||
+++ b/src/udev/udev-event.c
|
||||
@@ -1060,10 +1060,7 @@ int udev_event_execute_rules(
|
||||
|
||||
device_set_is_initialized(dev);
|
||||
|
||||
- /* Yes, we run update_devnode() twice, because in the first invocation, that is before update of udev database,
|
||||
- * it could happen that two contenders are replacing each other's symlink. Hence we run it again to make sure
|
||||
- * symlinks point to devices that claim them with the highest priority. */
|
||||
- return update_devnode(event);
|
||||
+ return 0;
|
||||
}
|
||||
|
||||
void udev_event_execute_run(UdevEvent *event, usec_t timeout_usec, int timeout_signal) {
|
||||
diff --git a/src/udev/udev-node.c b/src/udev/udev-node.c
|
||||
index 675e6ce313..bb551d86b0 100644
|
||||
--- a/src/udev/udev-node.c
|
||||
+++ b/src/udev/udev-node.c
|
||||
@@ -416,7 +416,7 @@ static int link_update(sd_device *dev, const char *slink_in, bool add) {
|
||||
_cleanup_free_ char *slink = NULL, *dirname = NULL;
|
||||
const char *slink_name;
|
||||
char name_enc[NAME_MAX+1];
|
||||
- int i, r, retries;
|
||||
+ int r;
|
||||
|
||||
assert(dev);
|
||||
assert(slink_in);
|
||||
@@ -443,11 +443,7 @@ static int link_update(sd_device *dev, const char *slink_in, bool add) {
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
- /* If the database entry is not written yet we will just do one iteration and possibly wrong symlink
|
||||
- * will be fixed in the second invocation. */
|
||||
- retries = sd_device_get_is_initialized(dev) > 0 ? LINK_UPDATE_MAX_RETRIES : 1;
|
||||
-
|
||||
- for (i = 0; i < retries; i++) {
|
||||
+ for (unsigned i = 0; i < LINK_UPDATE_MAX_RETRIES; i++) {
|
||||
_cleanup_free_ char *target = NULL;
|
||||
struct stat st1 = {}, st2 = {};
|
||||
|
||||
@@ -472,7 +468,7 @@ static int link_update(sd_device *dev, const char *slink_in, bool add) {
|
||||
log_device_debug_errno(dev, errno, "Failed to remove '%s', ignoring: %m", slink);
|
||||
|
||||
(void) rmdir_parents(slink, "/dev");
|
||||
- break;
|
||||
+ return 0;
|
||||
}
|
||||
|
||||
r = node_symlink(dev, target, slink);
|
||||
@@ -487,7 +483,7 @@ static int link_update(sd_device *dev, const char *slink_in, bool add) {
|
||||
return 0;
|
||||
}
|
||||
|
||||
- return i < LINK_UPDATE_MAX_RETRIES ? 0 : -ELOOP;
|
||||
+ return -ELOOP;
|
||||
}
|
||||
|
||||
static int device_get_devpath_by_devnum(sd_device *dev, char **ret) {
|
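--- /dev/null
+++ b/SOURCES/0031-udev-node-simplify-the-example-of-race.patch
@@ -0,0 +1,36 @@
+From a5a14281160881fbb39d80a2572a18ecadbeedd5 Mon Sep 17 00:00:00 2001
+From: Yu Watanabe <watanabe.yu+github@gmail.com>
+Date: Sun, 12 Sep 2021 16:05:51 +0900
+Subject: [PATCH] udev-node: simplify the example of race
+
+(cherry picked from commit 3df566a66723490914ef3bae0ca8046044b70dce)
+
+Related: #1977994
+---
+src/udev/udev-node.c | 10 +++++-----
+1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/src/udev/udev-node.c b/src/udev/udev-node.c
+index bb551d86b0..61cb9a449b 100644
+--- a/src/udev/udev-node.c
++++ b/src/udev/udev-node.c
+@@ -272,14 +272,14 @@ static int update_timestamp(sd_device *dev, const char *path, struct stat *prev)
+
+/* Even if a symlink in the stack directory is created/removed, the mtime of the directory may
+* not be changed. Why? Let's consider the following situation. For simplicity, let's assume
+- * there exist three udev workers (A, B, and C) and all of them calls link_update() for the
+- * same devlink simultaneously.
++ * there exist two udev workers (A and B) and all of them calls link_update() for the same
++ * devlink simultaneously.
+*
+- * 1. B creates/removes a symlink in the stack directory.
++ * 1. A creates/removes a symlink in the stack directory.
+* 2. A calls the first stat() in the loop of link_update().
+* 3. A calls link_find_prioritized().
+- * 4. C creates/removes another symlink in the stack directory, so the result of the step 3 is outdated.
+- * 5. B and C finish link_update().
++ * 4. B creates/removes another symlink in the stack directory, so the result of the step 3 is outdated.
++ * 5. B finishes link_update().
+* 6. A creates/removes devlink according to the outdated result in the step 3.
+* 7. A calls the second stat() in the loop of link_update().
+*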
@ -0,0 +1,59 @@
|
||||
From 735971d9bffeccc0c17311a29909bdf5d693f806 Mon Sep 17 00:00:00 2001
|
||||
From: Yu Watanabe <watanabe.yu+github@gmail.com>
|
||||
Date: Sun, 12 Sep 2021 16:14:27 +0900
|
||||
Subject: [PATCH] udev-node: do not ignore unexpected errors on removing
|
||||
symlink in stack directory
|
||||
|
||||
Only acceptable error here is -ENOENT.
|
||||
|
||||
(cherry picked from commit 0706cdf4ec92d6bd40391da0e81a30d9bf851663)
|
||||
|
||||
Related: #1977994
|
||||
---
|
||||
src/udev/udev-node.c | 23 ++++++++++++++---------
|
||||
1 file changed, 14 insertions(+), 9 deletions(-)
|
||||
|
||||
diff --git a/src/udev/udev-node.c b/src/udev/udev-node.c
|
||||
index 61cb9a449b..e1fb387cb9 100644
|
||||
--- a/src/udev/udev-node.c
|
||||
+++ b/src/udev/udev-node.c
|
||||
@@ -334,25 +334,30 @@ static int update_stack_directory(sd_device *dev, const char *dirname, bool add)
|
||||
return log_oom_debug();
|
||||
|
||||
if (!add) {
|
||||
- bool unlink_failed = false;
|
||||
+ int unlink_error = 0, stat_error = 0;
|
||||
|
||||
if (stat(dirname, &st) < 0) {
|
||||
if (errno == ENOENT)
|
||||
return 0; /* The stack directory is already removed. That's OK. */
|
||||
- log_device_debug_errno(dev, errno, "Failed to stat %s, ignoring: %m", dirname);
|
||||
+ stat_error = -errno;
|
||||
}
|
||||
|
||||
- if (unlink(filename) < 0) {
|
||||
- unlink_failed = true;
|
||||
- if (errno != ENOENT)
|
||||
- log_device_debug_errno(dev, errno, "Failed to remove %s, ignoring: %m", filename);
|
||||
- }
|
||||
+ if (unlink(filename) < 0)
|
||||
+ unlink_error = -errno;
|
||||
|
||||
if (rmdir(dirname) >= 0 || errno == ENOENT)
|
||||
return 0;
|
||||
|
||||
- if (unlink_failed)
|
||||
- return 0; /* If we failed to remove the symlink, there is almost nothing we can do. */
|
||||
+ if (unlink_error < 0) {
|
||||
+ if (unlink_error == -ENOENT)
|
||||
+ return 0;
|
||||
+
|
||||
+ /* If we failed to remove the symlink, then there is almost nothing we can do. */
|
||||
+ return log_device_debug_errno(dev, unlink_error, "Failed to remove %s: %m", filename);
|
||||
+ }
|
||||
+
|
||||
+ if (stat_error < 0)
|
||||
+ return log_device_debug_errno(dev, stat_error, "Failed to stat %s: %m", dirname);
|
||||
|
||||
/* The symlink was removed. Check if the timestamp of directory is changed. */
|
||||
r = update_timestamp(dev, dirname, &st);
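Review bot: On the new `if (unlink_error == -ENOENT) return 0;` path a preceding stat() failure is still dropped silently, because the `stat_error` check only runs after the unlink block, which contradicts the commit message's intent that -ENOENT is the only acceptable error here. Moving `if (stat_error < 0) return log_device_debug_errno(dev, stat_error, "Failed to stat %s: %m", dirname);` ahead of the `if (unlink_error < 0)` block reports it on every path that does not already return 0 from the rmdir() check. If swallowing it there is deliberate (the symlink is already gone, so there is no timestamp to update), a one-line comment such as `/* Symlink already gone; a stat() failure is irrelevant here. */` would make that explicit. Note that an rmdir() failure other than ENOENT is still not reported, which is presumably intended since ENOTEMPTY is the normal case. update_stack_directory() starts before this hunk and continues after it.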
|
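--- /dev/null
+++ b/SOURCES/0033-basic-time-util-introduce-FORMAT_TIMESPAN.patch
@@ -0,0 +1,25 @@
+From e1f53e60bdc368c81beba8b6173047ec8149f8e9 Mon Sep 17 00:00:00 2001
+From: Michal Sekletar <msekleta@redhat.com>
+Date: Tue, 21 Sep 2021 09:28:29 +0200
+Subject: [PATCH] basic/time-util: introduce FORMAT_TIMESPAN
+
+This is cherry-pick of the relevant part from the tree-wide change in
+5291f26d4a6.
+
+Related: #1977994
+---
+src/basic/time-util.h | 1 +
+1 file changed, 1 insertion(+)
+
+diff --git a/src/basic/time-util.h b/src/basic/time-util.h
+index 2bd947d6a8..8254913930 100644
+--- a/src/basic/time-util.h
++++ b/src/basic/time-util.h
+@@ -67,6 +67,7 @@ typedef enum TimestampStyle {
+#define FORMAT_TIMESTAMP_WIDTH 28U /* when outputting, assume this width */
+#define FORMAT_TIMESTAMP_RELATIVE_MAX 256U
+#define FORMAT_TIMESPAN_MAX 64U
++#define FORMAT_TIMESPAN(t, accuracy) format_timespan((char[FORMAT_TIMESPAN_MAX]){}, FORMAT_TIMESPAN_MAX, t, accuracy)
+
+#define TIME_T_MAX (time_t)((UINTMAX_C(1) << ((sizeof(time_t) << 3) - 1)) - 1)
+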
@ -0,0 +1,28 @@
|
||||
From aef14d77e157fd0748ef664c83e55fd3880ea787 Mon Sep 17 00:00:00 2001
|
||||
From: Frantisek Sumsal <frantisek@sumsal.cz>
|
||||
Date: Tue, 21 Sep 2021 22:47:42 +0200
|
||||
Subject: [PATCH] unit: install the systemd-bless-boot.service only if we have
|
||||
gnu-efi
|
||||
|
||||
Follow-up to #20591.
|
||||
|
||||
(cherry picked from commit 220261ef940a126588b20a1765a2501811473839)
|
||||
|
||||
Related: #1972223
|
||||
---
|
||||
units/meson.build | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/units/meson.build b/units/meson.build
|
||||
index 27a2b60137..e06d883cd2 100644
|
||||
--- a/units/meson.build
|
||||
+++ b/units/meson.build
|
||||
@@ -179,7 +179,7 @@ in_units = [
|
||||
['systemd-backlight@.service', 'ENABLE_BACKLIGHT'],
|
||||
['systemd-binfmt.service', 'ENABLE_BINFMT',
|
||||
'sysinit.target.wants/'],
|
||||
- ['systemd-bless-boot.service', 'ENABLE_EFI HAVE_BLKID'],
|
||||
+ ['systemd-bless-boot.service', 'HAVE_GNU_EFI HAVE_BLKID'],
|
||||
['systemd-boot-check-no-failures.service', ''],
|
||||
['systemd-coredump@.service', 'ENABLE_COREDUMP'],
|
||||
['systemd-pstore.service', 'ENABLE_PSTORE'],
|
@ -0,0 +1,26 @@
|
||||
From 532a10738745716620ef6af5813bc9c81c235f07 Mon Sep 17 00:00:00 2001
|
||||
From: Michal Sekletar <msekleta@redhat.com>
|
||||
Date: Wed, 22 Sep 2021 14:38:00 +0200
|
||||
Subject: [PATCH] units: don't enable tmp.mount statically in local-fs.target
|
||||
|
||||
RHEL-only
|
||||
|
||||
Related: #1959826
|
||||
---
|
||||
units/meson.build | 3 +--
|
||||
1 file changed, 1 insertion(+), 2 deletions(-)
|
||||
|
||||
diff --git a/units/meson.build b/units/meson.build
|
||||
index e06d883cd2..40487d123e 100644
|
||||
--- a/units/meson.build
|
||||
+++ b/units/meson.build
|
||||
@@ -154,8 +154,7 @@ units = [
|
||||
['time-set.target', ''],
|
||||
['time-sync.target', ''],
|
||||
['timers.target', ''],
|
||||
- ['tmp.mount', '',
|
||||
- 'local-fs.target.wants/'],
|
||||
+ ['tmp.mount', ''],
|
||||
['umount.target', ''],
|
||||
['usb-gadget.target', ''],
|
||||
['user.slice', ''],
|
@ -0,0 +1,59 @@
|
||||
From 9ac22ee1e9d1ae32ff2d824e5a0e763a18b36d7e Mon Sep 17 00:00:00 2001
|
||||
From: rpm-build <rpm-build>
|
||||
Date: Wed, 1 Aug 2018 13:19:39 +0200
|
||||
Subject: [PATCH] pid1: bump DefaultTasksMax to 80% of the kernel pid.max value
|
||||
|
||||
This should be hopefully high enough even for the very big deployments.
|
||||
|
||||
RHEL-only
|
||||
|
||||
Resolves: #1997200
|
||||
---
|
||||
man/systemd-system.conf.xml | 4 ++--
|
||||
src/core/main.c | 2 +-
|
||||
src/core/system.conf.in | 2 +-
|
||||
3 files changed, 4 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/man/systemd-system.conf.xml b/man/systemd-system.conf.xml
|
||||
index c11dd46143..72c8db5890 100644
|
||||
--- a/man/systemd-system.conf.xml
|
||||
+++ b/man/systemd-system.conf.xml
|
||||
@@ -389,10 +389,10 @@
|
||||
<listitem><para>Configure the default value for the per-unit <varname>TasksMax=</varname> setting. See
|
||||
<citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>
|
||||
for details. This setting applies to all unit types that support resource control settings, with the exception
|
||||
- of slice units. Defaults to 15% of the minimum of <varname>kernel.pid_max=</varname>, <varname>kernel.threads-max=</varname>
|
||||
+ of slice units. Defaults to 80% of the minimum of <varname>kernel.pid_max=</varname>, <varname>kernel.threads-max=</varname>
|
||||
and root cgroup <varname>pids.max</varname>.
|
||||
Kernel has a default value for <varname>kernel.pid_max=</varname> and an algorithm of counting in case of more than 32 cores.
|
||||
- For example with the default <varname>kernel.pid_max=</varname>, <varname>DefaultTasksMax=</varname> defaults to 4915,
|
||||
+ For example with the default <varname>kernel.pid_max=</varname>, <varname>DefaultTasksMax=</varname> defaults to 26214,
|
||||
but might be greater in other systems or smaller in OS containers.</para></listitem>
|
||||
</varlistentry>
|
||||
|
||||
diff --git a/src/core/main.c b/src/core/main.c
|
||||
index da6c50a1c4..f4fe7517fd 100644
|
||||
--- a/src/core/main.c
|
||||
+++ b/src/core/main.c
|
||||
@@ -92,7 +92,7 @@
|
||||
#include <sanitizer/lsan_interface.h>
|
||||
#endif
|
||||
|
||||
-#define DEFAULT_TASKS_MAX ((TasksMax) { 15U, 100U }) /* 15% */
|
||||
+#define DEFAULT_TASKS_MAX ((TasksMax) { 80U, 100U }) /* 80% */
|
||||
|
||||
static enum {
|
||||
ACTION_RUN,
|
||||
diff --git a/src/core/system.conf.in b/src/core/system.conf.in
|
||||
index e88280bd0a..f2c75fcd32 100644
|
||||
--- a/src/core/system.conf.in
|
||||
+++ b/src/core/system.conf.in
|
||||
@@ -54,7 +54,7 @@
|
||||
#DefaultBlockIOAccounting=no
|
||||
#DefaultMemoryAccounting={{ 'yes' if MEMORY_ACCOUNTING_DEFAULT else 'no' }}
|
||||
#DefaultTasksAccounting=yes
|
||||
-#DefaultTasksMax=15%
|
||||
+#DefaultTasksMax=80%
|
||||
#DefaultLimitCPU=
|
||||
#DefaultLimitFSIZE=
|
||||
#DefaultLimitDATA=
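Review bot: Raising `DEFAULT_TASKS_MAX` from 15% to 80% of the pid/thread limit means a single unit can now consume most of the system's pid space before its TasksMax= triggers, so the per-unit default leaves little headroom for the rest of the system (login, remote access, an admin shell) when one service runs away, and two such units together can exceed the limit entirely. That is a deliberate availability trade-off, but the commit message only justifies it with "very big deployments"; it would help to record next to `#define DEFAULT_TASKS_MAX ((TasksMax) { 80U, 100U }) /* 80% */` that fork containment is now expected to come from explicit TasksMax= on individual units or from pids limits on slices rather than from this default. The man-page figures (4915 becoming 26214) are consistent with the new percentage for the kernel's default pid_max of 32768, so only the rationale is missing.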
|
@ -0,0 +1,40 @@
|
||||
From ac965c0ae8c9ffa7d606bce9ffa3052fccbac0ce Mon Sep 17 00:00:00 2001
|
||||
From: Michal Sekletar <msekleta@redhat.com>
|
||||
Date: Tue, 21 Sep 2021 15:01:19 +0200
|
||||
Subject: [PATCH] udev/net-setup-link: change the default MACAddressPolicy to
|
||||
"none"
|
||||
|
||||
While stable MAC address for interface types that don't have the
|
||||
address provided by HW could be useful it also breaks LACP based bonds.
|
||||
Let's err on the side of caution and don't change the MAC address from
|
||||
udev.
|
||||
|
||||
Resolves: #1921094
|
||||
---
|
||||
man/systemd.link.xml | 2 +-
|
||||
test/fuzz/fuzz-link-parser/99-default.link | 2 +-
|
||||
2 files changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/man/systemd.link.xml b/man/systemd.link.xml
|
||||
index 1093e2e0b8..095d8b4873 100644
|
||||
--- a/man/systemd.link.xml
|
||||
+++ b/man/systemd.link.xml
|
||||
@@ -816,7 +816,7 @@
|
||||
|
||||
<programlisting>[Link]
|
||||
NamePolicy=kernel database onboard slot path
|
||||
-MACAddressPolicy=persistent</programlisting>
|
||||
+MACAddressPolicy=none</programlisting>
|
||||
</example>
|
||||
|
||||
<example>
|
||||
diff --git a/test/fuzz/fuzz-link-parser/99-default.link b/test/fuzz/fuzz-link-parser/99-default.link
|
||||
index feb5b1fbb0..3d755898b4 100644
|
||||
--- a/test/fuzz/fuzz-link-parser/99-default.link
|
||||
+++ b/test/fuzz/fuzz-link-parser/99-default.link
|
||||
@@ -9,4 +9,4 @@
|
||||
|
||||
[Link]
|
||||
NamePolicy=keep kernel database onboard slot path
|
||||
-MACAddressPolicy=persistent
|
||||
+MACAddressPolicy=none
|
@ -0,0 +1,24 @@
|
||||
From 19ab86202b9c4366ea5bd5ac820301f0ab6d1f95 Mon Sep 17 00:00:00 2001
|
||||
From: Michal Sekletar <msekleta@redhat.com>
|
||||
Date: Fri, 1 Oct 2021 11:46:23 +0200
|
||||
Subject: [PATCH] udev/net-setup-link: *really* change the default
|
||||
MACAddressPolicy to "none"
|
||||
|
||||
Fix the oversight and change the policy in the link file, i.e. the
|
||||
place where it actually matters.
|
||||
|
||||
Related: #1921094
|
||||
---
|
||||
network/99-default.link | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/network/99-default.link b/network/99-default.link
|
||||
index bca660ac28..31aee37e75 100644
|
||||
--- a/network/99-default.link
|
||||
+++ b/network/99-default.link
|
||||
@@ -13,4 +13,4 @@ OriginalName=*
|
||||
[Link]
|
||||
NamePolicy=keep kernel database onboard slot path
|
||||
AlternativeNamesPolicy=database onboard slot path
|
||||
-MACAddressPolicy=persistent
|
||||
+MACAddressPolicy=none
|
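--- /dev/null
+++ b/SOURCES/10-oomd-defaults.conf
@@ -0,0 +1,2 @@
+[OOM]
+DefaultMemoryPressureDurationSec=20s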
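--- /dev/null
+++ b/SOURCES/10-oomd-root-slice-defaults.conf
@@ -0,0 +1,2 @@
+[Slice]
+ManagedOOMSwap=kill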
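--- /dev/null
+++ b/SOURCES/10-oomd-user-service-defaults.conf
@@ -0,0 +1,3 @@
+[Service]
+ManagedOOMMemoryPressure=kill
+ManagedOOMMemoryPressureLimit=50%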
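--- /dev/null
+++ b/SOURCES/20-grubby.install
@@ -0,0 +1,51 @@
+#!/bin/bash
+
+if [[ ! -x /sbin/new-kernel-pkg ]]; then
+exit 0
+fi
+
+COMMAND="$1"
+KERNEL_VERSION="$2"
+BOOT_DIR_ABS="$3"
+KERNEL_IMAGE="$4"
+
+KERNEL_DIR="${KERNEL_IMAGE%/*}"
+[[ "$KERNEL_VERSION" == *\+* ]] && flavor=-"${KERNEL_VERSION##*+}"
+case "$COMMAND" in
+add)
+if [[ "${KERNEL_DIR}" != "/boot" ]]; then
+for i in \
+"$KERNEL_IMAGE" \
+"$KERNEL_DIR"/System.map \
+"$KERNEL_DIR"/config \
+"$KERNEL_DIR"/zImage.stub \
+"$KERNEL_DIR"/dtb \
+; do
+[[ -e "$i" ]] || continue
+cp -aT "$i" "/boot/${i##*/}-${KERNEL_VERSION}"
+command -v restorecon &>/dev/null && \
+restorecon -R "/boot/${i##*/}-${KERNEL_VERSION}"
+done
+# hmac is .vmlinuz-<version>.hmac so needs a special treatment
+i="$KERNEL_DIR/.${KERNEL_IMAGE##*/}.hmac"
+if [[ -e "$i" ]]; then
+cp -a "$i" "/boot/.${KERNEL_IMAGE##*/}-${KERNEL_VERSION}.hmac"
+command -v restorecon &>/dev/null && \
+restorecon "/boot/.${KERNEL_IMAGE##*/}-${KERNEL_VERSION}.hmac"
+fi
+fi
+/sbin/new-kernel-pkg --package "kernel${flavor}" --install "$KERNEL_VERSION" || exit $?
+/sbin/new-kernel-pkg --package "kernel${flavor}" --mkinitrd --dracut --depmod --update "$KERNEL_VERSION" || exit $?
+/sbin/new-kernel-pkg --package "kernel${flavor}" --rpmposttrans "$KERNEL_VERSION" || exit $?
+;;
+remove)
+/sbin/new-kernel-pkg --package "kernel${flavor+-$flavor}" --rminitrd --rmmoddep --remove "$KERNEL_VERSION" || exit $?
+;;
+*)
+;;
+esac
+
+# skip other installation plugins, if we can't find a boot loader spec conforming setup
+if ! [[ -d /boot/loader/entries || -L /boot/loader/entries ]]; then
+exit 77
+fi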
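Review bot: The `remove)` branch passes `--package "kernel${flavor+-$flavor}"`, but `flavor` is assigned with its leading dash already included (`flavor=-"${KERNEL_VERSION##*+}"`), so a flavored version yields `kernel--<flavor>` on removal while the `add)` branch passes `kernel${flavor}`; the two branches should agree, e.g. `/sbin/new-kernel-pkg --package "kernel${flavor}" --rminitrd --rmmoddep --remove "$KERNEL_VERSION" || exit $?`. When the version contains no `+`, `flavor` is unset and both forms expand to `kernel`, so only flavored kernels are affected. The copies into /boot also discard a failing `restorecon` (the `&&` chain only skips it when the tool is absent, but its exit status is never checked), which is acceptable only if an unlabeled kernel image in /boot is tolerable; a comment stating that would make it deliberate. `BOOT_DIR_ABS` is assigned from `$3` but never used.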
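--- /dev/null
+++ b/SOURCES/20-yama-ptrace.conf
@@ -0,0 +1,42 @@
+# The ptrace system call is used for interprocess services,
+# communication and introspection (like synchronisation, signaling,
+# debugging, tracing and profiling) of processes.
+#
+# Usage of ptrace is restricted by normal user permissions. Normal
+# unprivileged processes cannot use ptrace on processes that they
+# cannot send signals to or processes that are running set-uid or
+# set-gid. Nevertheless, processes running under the same uid will
+# usually be able to ptrace one another.
+#
+# Fedora enables the Yama security mechanism which restricts ptrace
+# even further. Sysctl setting kernel.yama.ptrace_scope can have one
+# of the following values:
+#
+# 0 - Normal ptrace security permissions.
+# 1 - Restricted ptrace. Only child processes plus normal permissions.
+# 2 - Admin-only attach. Only executables with CAP_SYS_PTRACE.
+# 3 - No attach. No process may call ptrace at all. Irrevocable.
+#
+# For more information see Documentation/security/Yama.txt in the
+# kernel sources.
+#
+# The default is 1., which allows tracing of child processes, but
+# forbids tracing of arbitrary processes. This allows programs like
+# gdb or strace to work when the most common way of having the
+# debugger start the debuggee is used:
+# gdb /path/to/program ...
+# Attaching to already running programs is NOT allowed:
+# gdb -p ...
+# This default setting is suitable for the common case, because it
+# reduces the risk that one hacked process can be used to attack other
+# processes. (For example, a hacked firefox process in a user session
+# will not be able to ptrace the keyring process and extract passwords
+# stored only in memory.)
+#
+# Developers and administrators might want to disable those protections
+# to be able to attach debuggers to existing processes. Use
+# sysctl kernel.yama.ptrace_scope=0
+# for change the setting temporarily, or copy this file to
+# /etc/sysctl.d/20-yama-ptrace.conf to set it for future boots.
+
+kernel.yama.ptrace_scope = 0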
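Review bot: The only effective line, `kernel.yama.ptrace_scope = 0`, switches off the restriction that the 40-line header describes as the safer default (1), and nothing in the file states where it is meant to be installed; as a drop-in under a sysctl.d directory it would relax ptrace hardening system-wide, whereas the final paragraph presents it as a template for administrators to copy into /etc/sysctl.d. A first-line comment stating the intent and destination, such as `# Example opt-out from the Yama ptrace restriction; has no effect unless copied into /etc/sysctl.d/`, would remove that ambiguity (the packaging destination is not visible on this page, so confirm which case applies before wording it). Two wording slips in the header: `The default is 1., which` has a stray period, and `for change the setting temporarily` should read `to change the setting temporarily`.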
129
SOURCES/f58b96d3e8d1cb0dd3666bc74fa673918b586612.patch
Normal file
129
SOURCES/f58b96d3e8d1cb0dd3666bc74fa673918b586612.patch
Normal file
@ -0,0 +1,129 @@
|
||||
From f58b96d3e8d1cb0dd3666bc74fa673918b586612 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
|
||||
Date: Mon, 14 Sep 2020 17:58:03 +0200
|
||||
Subject: [PATCH] test-mountpointutil-util: do not assert in test_mnt_id()
|
||||
|
||||
https://bugzilla.redhat.com/show_bug.cgi?id=1803070
|
||||
|
||||
I *think* this a kernel bug: the mnt_id as listed in /proc/self/mountinfo is different
|
||||
than the one we get from /proc/self/fdinfo/. This only matters when both statx and
|
||||
name_to_handle_at are unavailable and we hit the fallback path that goes through fdinfo:
|
||||
|
||||
(gdb) !uname -r
|
||||
5.6.19-200.fc31.ppc64le
|
||||
|
||||
(gdb) !cat /proc/self/mountinfo
|
||||
697 664 253:0 /var/lib/mock/fedora-31-ppc64le/root / rw,relatime shared:298 master:1 - xfs /dev/mapper/fedora_rh--power--vm14-root rw,seclabel,attr2,inode64,logbufs=8,logbsize=32k,noquota
|
||||
698 697 253:0 /var/cache/mock/fedora-31-ppc64le/yum_cache /var/cache/yum rw,relatime shared:299 master:1 - xfs /dev/mapper/fedora_rh--power--vm14-root rw,seclabel,attr2,inode64,logbufs=8,logbsize=32k,noquota
|
||||
699 697 253:0 /var/cache/mock/fedora-31-ppc64le/dnf_cache /var/cache/dnf rw,relatime shared:300 master:1 - xfs /dev/mapper/fedora_rh--power--vm14-root rw,seclabel,attr2,inode64,logbufs=8,logbsize=32k,noquota
|
||||
700 697 0:32 /mock-selinux-plugin.7me9bfpi /proc/filesystems rw,nosuid,nodev shared:301 master:18 - tmpfs tmpfs rw,seclabel <==========================================================
|
||||
701 697 0:41 / /sys ro,nosuid,nodev,noexec,relatime shared:302 - sysfs sysfs ro,seclabel
|
||||
702 701 0:21 / /sys/fs/selinux ro,nosuid,nodev,noexec,relatime shared:306 master:8 - selinuxfs selinuxfs rw
|
||||
703 697 0:42 / /dev rw,nosuid shared:303 - tmpfs tmpfs rw,seclabel,mode=755
|
||||
704 703 0:43 / /dev/shm rw,nosuid,nodev shared:304 - tmpfs tmpfs rw,seclabel
|
||||
705 703 0:45 / /dev/pts rw,nosuid,noexec,relatime shared:307 - devpts devpts rw,seclabel,gid=5,mode=620,ptmxmode=666
|
||||
706 703 0:6 /btrfs-control /dev/btrfs-control rw,nosuid shared:308 master:9 - devtmpfs devtmpfs rw,seclabel,size=4107840k,nr_inodes=64185,mode=755
|
||||
707 703 0:6 /loop-control /dev/loop-control rw,nosuid shared:309 master:9 - devtmpfs devtmpfs rw,seclabel,size=4107840k,nr_inodes=64185,mode=755
|
||||
708 703 0:6 /loop0 /dev/loop0 rw,nosuid shared:310 master:9 - devtmpfs devtmpfs rw,seclabel,size=4107840k,nr_inodes=64185,mode=755
|
||||
709 703 0:6 /loop1 /dev/loop1 rw,nosuid shared:311 master:9 - devtmpfs devtmpfs rw,seclabel,size=4107840k,nr_inodes=64185,mode=755
|
||||
710 703 0:6 /loop10 /dev/loop10 rw,nosuid shared:312 master:9 - devtmpfs devtmpfs rw,seclabel,size=4107840k,nr_inodes=64185,mode=755
|
||||
711 703 0:6 /loop11 /dev/loop11 rw,nosuid shared:313 master:9 - devtmpfs devtmpfs rw,seclabel,size=4107840k,nr_inodes=64185,mode=755
|
||||
712 703 0:6 /loop2 /dev/loop2 rw,nosuid shared:314 master:9 - devtmpfs devtmpfs rw,seclabel,size=4107840k,nr_inodes=64185,mode=755
|
||||
713 703 0:6 /loop3 /dev/loop3 rw,nosuid shared:315 master:9 - devtmpfs devtmpfs rw,seclabel,size=4107840k,nr_inodes=64185,mode=755
|
||||
714 703 0:6 /loop4 /dev/loop4 rw,nosuid shared:316 master:9 - devtmpfs devtmpfs rw,seclabel,size=4107840k,nr_inodes=64185,mode=755
|
||||
715 703 0:6 /loop5 /dev/loop5 rw,nosuid shared:317 master:9 - devtmpfs devtmpfs rw,seclabel,size=4107840k,nr_inodes=64185,mode=755
|
||||
716 703 0:6 /loop6 /dev/loop6 rw,nosuid shared:318 master:9 - devtmpfs devtmpfs rw,seclabel,size=4107840k,nr_inodes=64185,mode=755
|
||||
717 703 0:6 /loop7 /dev/loop7 rw,nosuid shared:319 master:9 - devtmpfs devtmpfs rw,seclabel,size=4107840k,nr_inodes=64185,mode=755
|
||||
718 703 0:6 /loop8 /dev/loop8 rw,nosuid shared:320 master:9 - devtmpfs devtmpfs rw,seclabel,size=4107840k,nr_inodes=64185,mode=755
|
||||
719 703 0:6 /loop9 /dev/loop9 rw,nosuid shared:321 master:9 - devtmpfs devtmpfs rw,seclabel,size=4107840k,nr_inodes=64185,mode=755
|
||||
720 697 0:44 / /run rw,nosuid,nodev shared:305 - tmpfs tmpfs rw,seclabel,mode=755
|
||||
721 720 0:25 /systemd/nspawn/propagate/9cc8a155d0244558b273f773d2b92142 /run/systemd/nspawn/incoming ro master:12 - tmpfs tmpfs rw,seclabel,mode=755
|
||||
722 697 0:32 /mock-resolv.dvml91hp /etc/resolv.conf rw,nosuid,nodev shared:322 master:18 - tmpfs tmpfs rw,seclabel
|
||||
725 697 0:47 / /proc rw,nosuid,nodev,noexec,relatime shared:323 - proc proc rw
|
||||
603 725 0:47 /sys /proc/sys ro,nosuid,nodev,noexec,relatime shared:323 - proc proc rw
|
||||
604 725 0:44 /systemd/inaccessible/reg /proc/kallsyms ro,nosuid,nodev,noexec shared:305 - tmpfs tmpfs rw,seclabel,mode=755
|
||||
605 725 0:44 /systemd/inaccessible/reg /proc/kcore ro,nosuid,nodev,noexec shared:305 - tmpfs tmpfs rw,seclabel,mode=755
|
||||
606 725 0:44 /systemd/inaccessible/reg /proc/keys ro,nosuid,nodev,noexec shared:305 - tmpfs tmpfs rw,seclabel,mode=755
|
||||
607 725 0:44 /systemd/inaccessible/reg /proc/sysrq-trigger ro,nosuid,nodev,noexec shared:305 - tmpfs tmpfs rw,seclabel,mode=755
|
||||
608 725 0:44 /systemd/inaccessible/reg /proc/timer_list ro,nosuid,nodev,noexec shared:305 - tmpfs tmpfs rw,seclabel,mode=755
|
||||
609 725 0:47 /bus /proc/bus ro,nosuid,nodev,noexec,relatime shared:323 - proc proc rw
|
||||
610 725 0:47 /fs /proc/fs ro,nosuid,nodev,noexec,relatime shared:323 - proc proc rw
|
||||
611 725 0:47 /irq /proc/irq ro,nosuid,nodev,noexec,relatime shared:323 - proc proc rw
|
||||
612 725 0:47 /scsi /proc/scsi ro,nosuid,nodev,noexec,relatime shared:323 - proc proc rw
|
||||
613 703 0:46 / /dev/mqueue rw,nosuid,nodev,noexec,relatime shared:324 - mqueue mqueue rw,seclabel
|
||||
614 701 0:26 / /sys/fs/cgroup rw,nosuid,nodev,noexec,relatime shared:325 - cgroup2 cgroup rw,seclabel,nsdelegate
|
||||
615 603 0:44 /.#proc-sys-kernel-random-boot-id4fbdce67af46d1c2//deleted /proc/sys/kernel/random/boot_id ro,nosuid,nodev,noexec shared:305 - tmpfs tmpfs rw,seclabel,mode=755
|
||||
616 725 0:44 /.#proc-sys-kernel-random-boot-id4fbdce67af46d1c2//deleted /proc/sys/kernel/random/boot_id rw,nosuid,nodev shared:305 - tmpfs tmpfs rw,seclabel,mode=755
|
||||
617 725 0:44 /.#proc-kmsg5b7a8bcfe6717139//deleted /proc/kmsg rw,nosuid,nodev shared:305 - tmpfs tmpfs rw,seclabel,mode=755
|
||||
|
||||
The test process does
|
||||
name_to_handle_at("/proc/filesystems") which returns -EOPNOTSUPP, and then
|
||||
openat(AT_FDCWD, "/proc/filesystems") which returns 4, and then
|
||||
read(open("/proc/self/fdinfo/4", ...)) which gives
|
||||
"pos:\t0\nflags:\t012100000\nmnt_id:\t725\n"
|
||||
|
||||
and the "725" is clearly inconsistent with "700" in /proc/self/mountinfo.
|
||||
|
||||
We could either drop the fallback path (and fail name_to_handle_at() is not
|
||||
avaliable) or ignore the error in the test. Not sure what is better. I think
|
||||
this issue only occurs sometimes and with older kernels, so probably continuing
|
||||
with the current flaky implementation is better than ripping out the fallback.
|
||||
|
||||
Another strace:
|
||||
writev(2</dev/pts/0>, [{iov_base="mnt ids of /proc/sys is 603", iov_len=27}, {iov_base="\n", iov_len=1}], 2mnt ids of /proc/sys is 603
|
||||
) = 28
|
||||
name_to_handle_at(AT_FDCWD, "/", {handle_bytes=128 => 12, handle_type=129, f_handle=0x52748401000000008b93e20d}, [697], 0) = 0
|
||||
writev(2</dev/pts/0>, [{iov_base="mnt ids of / is 697", iov_len=19}, {iov_base="\n", iov_len=1}], 2mnt ids of / is 697
|
||||
) = 20
|
||||
name_to_handle_at(AT_FDCWD, "/proc/kcore", {handle_bytes=128 => 12, handle_type=1, f_handle=0x92ddcfcd2e802d0100000000}, [605], 0) = 0
|
||||
writev(2</dev/pts/0>, [{iov_base="mnt ids of /proc/kcore is 605", iov_len=29}, {iov_base="\n", iov_len=1}], 2mnt ids of /proc/kcore is 605
|
||||
) = 30
|
||||
name_to_handle_at(AT_FDCWD, "/dev", {handle_bytes=128 => 12, handle_type=1, f_handle=0x8ae269160c802d0100000000}, [703], 0) = 0
|
||||
writev(2</dev/pts/0>, [{iov_base="mnt ids of /dev is 703", iov_len=22}, {iov_base="\n", iov_len=1}], 2mnt ids of /dev is 703
|
||||
) = 23
|
||||
name_to_handle_at(AT_FDCWD, "/proc/filesystems", {handle_bytes=128}, 0x7fffe36ddb84, 0) = -1 EOPNOTSUPP (Operation not supported)
|
||||
openat(AT_FDCWD, "/proc/filesystems", O_RDONLY|O_NOFOLLOW|O_CLOEXEC|O_PATH) = 4</proc/filesystems>
|
||||
openat(AT_FDCWD, "/proc/self/fdinfo/4", O_RDONLY|O_CLOEXEC) = 5</proc/20/fdinfo/4>
|
||||
fstat(5</proc/20/fdinfo/4>, {st_mode=S_IFREG|0400, st_size=0, ...}) = 0
|
||||
fstat(5</proc/20/fdinfo/4>, {st_mode=S_IFREG|0400, st_size=0, ...}) = 0
|
||||
read(5</proc/20/fdinfo/4>, "pos:\t0\nflags:\t012100000\nmnt_id:\t725\n", 2048) = 36
|
||||
read(5</proc/20/fdinfo/4>, "", 1024) = 0
|
||||
close(5</proc/20/fdinfo/4>) = 0
|
||||
close(4</proc/filesystems>) = 0
|
||||
writev(2</dev/pts/0>, [{iov_base="mnt ids of /proc/filesystems are 700, 725", iov_len=41}, {iov_base="\n", iov_len=1}], 2mnt ids of /proc/filesystems are 700, 725
|
||||
) = 42
|
||||
writev(2</dev/pts/0>, [{iov_base="the other path for mnt id 725 is /proc", iov_len=38}, {iov_base="\n", iov_len=1}], 2the other path for mnt id 725 is /proc
|
||||
) = 39
|
||||
writev(2</dev/pts/0>, [{iov_base="Assertion 'path_equal(p, t)' failed at src/test/test-mountpoint-util.c:94, function test_mnt_id(). Aborting.", iov_len=108}, {iov_base="\n", iov_len=1}], 2Assertion 'path_equal(p, t)' failed at src/test/test-mountpoint-util.c:94, function test_mnt_id(). Aborting.
|
||||
) = 109
|
||||
rt_sigprocmask(SIG_UNBLOCK, [ABRT], NULL, 8) = 0
|
||||
rt_sigprocmask(SIG_BLOCK, ~[RTMIN RT_1], [], 8) = 0
|
||||
getpid() = 20
|
||||
gettid() = 20
|
||||
tgkill(20, 20, SIGABRT) = 0
|
||||
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
|
||||
--- SIGABRT {si_signo=SIGABRT, si_code=SI_TKILL, si_pid=20, si_uid=0} ---
|
||||
+++ killed by SIGABRT (core dumped) +++
|
||||
---
|
||||
src/test/test-mountpoint-util.c | 8 ++++++--
|
||||
1 file changed, 6 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/test/test-mountpoint-util.c b/src/test/test-mountpoint-util.c
|
||||
index 30b00ae4d8b..ffe5144b04a 100644
|
||||
--- a/src/test/test-mountpoint-util.c
|
||||
+++ b/src/test/test-mountpoint-util.c
|
||||
@@ -89,8 +89,12 @@ static void test_mnt_id(void) {
|
||||
/* The ids don't match? If so, then there are two mounts on the same path, let's check if
|
||||
* that's really the case */
|
||||
char *t = hashmap_get(h, INT_TO_PTR(mnt_id2));
|
||||
- log_debug("the other path for mnt id %i is %s\n", mnt_id2, t);
|
||||
- assert_se(path_equal(p, t));
|
||||
+ log_debug("Path for mnt id %i from /proc/self/mountinfo is %s\n", mnt_id2, t);
|
||||
+
|
||||
+ if (!path_equal(p, t))
|
||||
+ /* Apparent kernel bug in /proc/self/fdinfo */
|
||||
+ log_warning("Bad mount id given for %s: %d, should be %d",
|
||||
+ p, mnt_id2, mnt_id);
|
||||
}
|
||||
}
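Review bot: The replaced assertion can still abort when `hashmap_get(h, INT_TO_PTR(mnt_id2))` returns NULL, i.e. when the mnt_id read from fdinfo is not present in /proc/self/mountinfo at all, because `path_equal(p, t)` is then called with a NULL `t` (assuming path_compare() asserts non-NULL arguments as it does in current systemd — confirm for this tree). Guarding it keeps the test non-fatal in that case as well: `if (!t || !path_equal(p, t))`, with the warning then printing `strna(t)` or stating that the id is unknown. The commit message also misspells `avaliable`. test_mnt_id() starts before this hunk, so the surrounding loop and the setup of `h` and `p` are not visible here.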
|
||||
|
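--- /dev/null
+++ b/SOURCES/inittab
@@ -0,0 +1,16 @@
+# inittab is no longer used.
+#
+# ADDING CONFIGURATION HERE WILL HAVE NO EFFECT ON YOUR SYSTEM.
+#
+# Ctrl-Alt-Delete is handled by /usr/lib/systemd/system/ctrl-alt-del.target
+#
+# systemd uses 'targets' instead of runlevels. By default, there are two main targets:
+#
+# multi-user.target: analogous to runlevel 3
+# graphical.target: analogous to runlevel 5
+#
+# To view current default target, run:
+# systemctl get-default
+#
+# To set a default target, run:
+# systemctl set-default TARGET.target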
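--- /dev/null
+++ b/SOURCES/libsystemd-shared.abignore
@@ -0,0 +1,3 @@
+[suppress_file]
+# This shared object is private to systemd
+file_name_regexp=libsystemd-shared-.*.so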
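--- /dev/null
+++ b/SOURCES/macros.sysusers
@@ -0,0 +1,10 @@
+# RPM macros for packages creating system accounts
+#
+# Turn a sysusers.d file into macros specified by
+# https://docs.fedoraproject.org/en-US/packaging-guidelines/UsersAndGroups/#_dynamic_allocation
+
+%sysusers_requires_compat Requires(pre): shadow-utils
+
+%sysusers_create_compat() \
+%(%{_rpmconfigdir}/sysusers.generate-pre.sh %{?*}) \
+%{nil}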
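--- a/SOURCES/purge-nobody-user
+++ b/SOURCES/purge-nobody-user
@@ -0,0 +1,101 @@
+#!/bin/bash -eu
+
+if [ $UID -ne 0 ]; then
+echo "WARNING: This script needs to run as root to be effective"
+exit 1
+fi
+
+export SYSTEMD_NSS_BYPASS_SYNTHETIC=1
+
+if [ "${1:-}" = "--ignore-journal" ]; then
+shift
+ignore_journal=1
+else
+ignore_journal=0
+fi
+
+echo "Checking processes..."
+if ps h -u 99 | grep .; then
+echo "ERROR: ps reports processes with UID 99!"
+exit 2
+fi
+echo "... not found"
+
+echo "Checking UTMP..."
+if w -h 199 | grep . ; then
+echo "ERROR: w reports UID 99 as active!"
+exit 2
+fi
+if w -h nobody | grep . ; then
+echo "ERROR: w reports user nobody as active!"
+exit 2
+fi
+echo "... not found"
+
+echo "Checking the journal..."
+if [ "$ignore_journal" = 0 ] && journalctl -q -b -n10 _UID=99 | grep . ; then
+echo "ERROR: journalctl reports messages from UID 99 in current boot!"
+exit 2
+fi
+echo "... not found"
+
+echo "Looking for files in /etc, /run, /tmp, and /var..."
+if find /etc /run /tmp /var -uid 99 -print | grep -m 10 . ; then
+echo "ERROR: found files belonging to UID 99"
+exit 2
+fi
+echo "... not found"
+
+echo "Checking if nobody is defined correctly..."
+if getent passwd nobody |
+grep '^nobody:[x*]:65534:65534:.*:/:/sbin/nologin';
+then
+echo "OK, nothing to do."
+exit 0
+else
+echo "NOTICE: User nobody is not defined correctly"
+fi
+
+echo "Checking if nfsnobody or something else is using the uid..."
+if getent passwd 65534 | grep . ; then
+echo "NOTICE: will have to remove this user"
+else
+echo "... not found"
+fi
+
+if [ "${1:-}" = "-x" ]; then
+if getent passwd nobody >/dev/null; then
+# this will remove both the user and the group.
+( set -x
+userdel nobody
+)
+fi
+
+if getent passwd 65534 >/dev/null; then
+# Make sure the uid is unused. This should free gid too.
+name="$(getent passwd 65534 | cut -d: -f1)"
+( set -x
+userdel "$name"
+)
+fi
+
+if grep -qE '^(passwd|group):.*\bsss\b' /etc/nsswitch.conf; then
+echo "Sleeping, so sss can catch up"
+sleep 3
+fi
+
+if getent group 65534; then
+# Make sure the gid is unused, even if uid wasn't.
+name="$(getent group 65534 | cut -d: -f1)"
+( set -x
+groupdel "$name"
+)
+fi
+
+# systemd-sysusers uses the same gid and uid
+( set -x
+systemd-sysusers --inline 'u nobody 65534 "Kernel Overflow User" / /sbin/nologin'
+)
+else
+echo "Pass '-x' to perform changes"
+fi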
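Review bot: The UTMP check `if w -h 199 | grep . ; then` queries UID 199 while the message printed right after it reports UID 99, so the one UID the script is guarding against is never looked up here; every other check (ps, journalctl, find) uses 99, which suggests a typo, and the line should read `if w -h 99 | grep . ; then`. A second, smaller inconsistency: the non-root path prints a "WARNING:" yet exits 1, which callers will treat as failure — either label it "ERROR:" or document that the non-root run is a hard stop. Note also that `#!/bin/bash -eu` does not fail the script when the left side of `ps ... | grep .` fails, so a missing `ps` or `w` silently reads as "not found" — worth a `set -o pipefail` or a comment stating that best-effort behaviour is intended.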
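--- a/SOURCES/split-files.py
+++ b/SOURCES/split-files.py
@@ -0,0 +1,161 @@
+import re, sys, os, collections
+
+buildroot = sys.argv[1]
+known_files = sys.stdin.read().splitlines()
+known_files = {line.split()[-1]:line for line in known_files}
+
+def files(root):
+os.chdir(root)
+todo = collections.deque(['.'])
+while todo:
+n = todo.pop()
+files = os.scandir(n)
+for file in files:
+yield file
+if file.is_dir() and not file.is_symlink():
+todo.append(file)
+
+o_libs = open('.file-list-libs', 'w')
+o_udev = open('.file-list-udev', 'w')
+o_pam = open('.file-list-pam', 'w')
+o_rpm_macros = open('.file-list-rpm-macros', 'w')
+o_devel = open('.file-list-devel', 'w')
+o_container = open('.file-list-container', 'w')
+o_networkd = open('.file-list-networkd', 'w')
+o_resolved = open('.file-list-resolved', 'w')
+o_oomd = open('.file-list-oomd', 'w')
+o_remote = open('.file-list-remote', 'w')
+o_tests = open('.file-list-tests', 'w')
+o_standalone_tmpfiles = open('.file-list-standalone-tmpfiles', 'w')
+o_standalone_sysusers = open('.file-list-standalone-sysusers', 'w')
+o_rest = open('.file-list-rest', 'w')
+for file in files(buildroot):
+n = file.path[1:]
+if re.match(r'''/usr/(share|include)$|
+/usr/share/man(/man.|)$|
+/usr/share/zsh(/site-functions|)$|
+/usr/share/dbus-1$|
+/usr/share/dbus-1/system.d$|
+/usr/share/dbus-1/(system-|)services$|
+/usr/share/polkit-1(/actions|/rules.d|)$|
+/usr/share/pkgconfig$|
+/usr/share/bash-completion(/completions|)$|
+/usr(/lib|/lib64|/bin|/sbin|)$|
+/usr/lib.*/(security|pkgconfig)$|
+/usr/lib/rpm(/macros.d|)$|
+/usr/lib/firewalld(/services|)$|
+/usr/share/(locale|licenses|doc)| # no $
+/etc(/pam\.d|/xdg|/X11|/X11/xinit|/X11.*\.d|)$|
+/etc/(dnf|dnf/protected.d)$|
+/usr/(src|lib/debug)| # no $
+/run$|
+/var(/cache|/log|/lib|/run|)$
+''', n, re.X):
+continue
+if '/security/pam_' in n or '/man8/pam_' in n:
+o = o_pam
+elif '/rpm/' in n:
+o = o_rpm_macros
+elif '/usr/lib/systemd/tests' in n:
+o = o_tests
+elif re.search(r'/lib.*\.pc|/man3/|/usr/include|(?<!/libsystemd-shared-...).so$', n):
+o = o_devel
+elif re.search(r'''journal-(remote|gateway|upload)|
+systemd-remote\.conf|
+/usr/share/systemd/gatewayd|
+/var/log/journal/remote
+''', n, re.X):
+o = o_remote
+elif re.search(r'''mymachines|
+machinectl|
+systemd-nspawn|
+import-pubring.gpg|
+systemd-(machined|import|pull)|
+/machine.slice|
+/machines.target|
+var-lib-machines.mount|
+org.freedesktop.(import|machine)1
+''', n, re.X):
+o = o_container
+elif re.search(r'''/usr/lib/systemd/network/80-|
+networkd|
+networkctl|
+org.freedesktop.network1
+''', n, re.X):
+o = o_networkd
+elif re.search(r'''resolved|
+resolvectl|
+org.freedesktop.resolve1|
+systemd-resolve|
+nss-resolve
+''', n, re.X):
+o = o_resolved
+elif '.so.' in n:
+o = o_libs
+elif re.search(r'''udev(?!\.pc)|
+hwdb|
+bootctl|
+sd-boot|systemd-boot\.|loader.conf|
+bless-boot|
+boot-system-token|
+kernel-install|
+vconsole|
+backlight|
+rfkill|
+random-seed|
+modules-load|
+timesync|
+cryptsetup|
+kmod|
+quota|
+pstore|
+sleep|suspend|hibernate|
+systemd-tmpfiles-setup-dev|
+network/99-default.link|
+growfs|makefs|makeswap|mkswap|
+fsck|
+repart|
+gpt-auto|
+volatile-root|
+verity-setup|
+remount-fs|
+/boot$|
+/boot/efi|
+/kernel/|
+/kernel$|
+/modprobe.d
+''', n, re.X):
+o = o_udev
+elif re.search(r'''10-oomd-.*defaults\.conf|
+oomd\.conf|
+oomctl|
+org.freedesktop.oom1|
+systemd-oomd
+''', n, re.X):
+o = o_oomd
+elif n.endswith('.standalone'):
+if 'tmpfiles' in n:
+o = o_standalone_tmpfiles
+elif 'sysusers' in n:
+o = o_standalone_sysusers
+else:
+assert False, 'Found .standalone not belonging to known packages'
+else:
+o = o_rest
+
+if n in known_files:
+prefix = ' '.join(known_files[n].split()[:-1])
+if prefix:
+prefix += ' '
+elif file.is_dir() and not file.is_symlink():
+prefix = '%dir '
+elif 'README' in n:
+prefix = '%doc '
+elif n.startswith('/etc'):
+prefix = '%config(noreplace) '
+else:
+prefix = ''
+
+suffix = '*' if '/man/' in n else ''
+
+print(f'{prefix}{n}{suffix}', file=o)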
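Review bot: `known_files = {line.split()[-1]:line for line in known_files}` raises IndexError on any blank or whitespace-only line of stdin, so a trailing empty line in the piped file list aborts the whole split; guarding the comprehension with `{line.split()[-1]: line for line in known_files if line.split()}` keeps the same mapping for every non-empty line. The fourteen `.file-list-*` handles are opened at module level and never closed or flushed explicitly, so the output depends on interpreter shutdown to flush buffers; an `ExitStack` or a final loop over the handles calling `close()` would make the write-out explicit. Rendered page indentation appears to have been lost, so the reconstructed section above is not directly runnable as Python.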
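--- a/SOURCES/sysctl.conf.README
+++ b/SOURCES/sysctl.conf.README
@@ -0,0 +1,10 @@
+# sysctl settings are defined through files in
+# /usr/lib/sysctl.d/, /run/sysctl.d/, and /etc/sysctl.d/.
+#
+# Vendors settings live in /usr/lib/sysctl.d/.
+# To override a whole file, create a new file with the same in
+# /etc/sysctl.d/ and put new settings there. To override
+# only specific settings, add a file with a lexically later
+# name in /etc/sysctl.d/ and put new settings there.
+#
+# For more information, see sysctl.conf(5) and sysctl.d(5).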
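--- a/SOURCES/systemd-journal-gatewayd.xml
+++ b/SOURCES/systemd-journal-gatewayd.xml
@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="utf-8"?>
+<service>
+<short>systemd-journal-gatewayd</short>
+<description>Journal Gateway Service</description>
+<port protocol="tcp" port="19531"/>
+</service>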
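--- a/SOURCES/systemd-journal-remote.xml
+++ b/SOURCES/systemd-journal-remote.xml
@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="utf-8"?>
+<service>
+<short>systemd-journal-remote</short>
+<description>Journal Remote Sink</description>
+<port protocol="tcp" port="19532"/>
+</service>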
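--- a/SOURCES/systemd-udev-trigger-no-reload.conf
+++ b/SOURCES/systemd-udev-trigger-no-reload.conf
@@ -0,0 +1,3 @@
+[Unit]
+# https://bugzilla.redhat.com/show_bug.cgi?id=1378974#c17
+RefuseManualStop=true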
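--- a/SOURCES/systemd-user
+++ b/SOURCES/systemd-user
@@ -0,0 +1,10 @@
+# This file is part of systemd.
+#
+# Used by systemd --user instances.
+
+account include system-auth
+
+session required pam_selinux.so close
+session required pam_selinux.so nottys open
+session required pam_loginuid.so
+session include system-auth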
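--- a/SOURCES/sysusers.attr
+++ b/SOURCES/sysusers.attr
@@ -0,0 +1,2 @@
+%__sysusers_provides %{_rpmconfigdir}/sysusers.prov
+%__sysusers_path ^%{_sysusersdir}/.*\\.conf$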
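--- a/SOURCES/sysusers.generate-pre.sh
+++ b/SOURCES/sysusers.generate-pre.sh
@@ -0,0 +1,79 @@
+#!/bin/bash
+
+# This script turns sysuser.d files into scriptlets mandated by Fedora
+# packaging guidelines. The general idea is to define users using the
+# declarative syntax but to turn this into traditional scriptlets.
+
+user() {
+user="$1"
+uid="$2"
+desc="$3"
+group="$4"
+home="$5"
+shell="$6"
+
+[ "$desc" = '-' ] && desc=
+[ "$home" = '-' -o "$home" = '' ] && home=/
+[ "$shell" = '-' -o "$shell" = '' ] && shell=/sbin/nologin
+
+if [ "$uid" = '-' -o "$uid" = '' ]; then
+cat <<EOF
+getent passwd '$user' >/dev/null || \\
+useradd -r -g '$group' -d '$home' -s '$shell' -c '$desc' '$user'
+EOF
+else
+cat <<EOF
+if ! getent passwd '$user' >/dev/null ; then
+if ! getent passwd '$uid' >/dev/null ; then
+useradd -r -u '$uid' -g '$group' -d '$home' -s /sbin/nologin -c '$desc' '$user'
+else
+useradd -r -g '$group' -d '$home' -s /sbin/nologin -c '$desc' '$user'
+fi
+fi
+
+EOF
+fi
+}
+
+group() {
+group="$1"
+gid="$2"
+if [ "$gid" = '-' ]; then
+cat <<EOF
+getent group '$group' >/dev/null || groupadd -r '$group'
+EOF
+else
+cat <<EOF
+getent group '$group' >/dev/null || groupadd -f -g '$gid' -r '$group'
+EOF
+fi
+}
+
+parse() {
+while read line || [ "$line" ]; do
+[ "${line:0:1}" = '#' -o "${line:0:1}" = ';' ] && continue
+line="${line## *}"
+[ -z "$line" ] && continue
+eval arr=( $line )
+case "${arr[0]}" in
+('u')
+group "${arr[1]}" "${arr[2]}"
+user "${arr[1]}" "${arr[2]}" "${arr[3]}" "${arr[1]}" "${arr[4]}" "${arr[5]}"
+# TODO: user:group support
+;;
+('g')
+group "${arr[1]}" "${arr[2]}"
+;;
+('m')
+group "${arr[2]}" "-"
+user "${arr[1]}" "-" "" "${arr[2]}"
+;;
+esac
+done
+}
+
+for fn in "$@"; do
+[ -e "$fn" ] || continue
+echo "# generated from $(basename $fn)"
+parse < "$fn"
+done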
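Review bot: In `user()` the two `useradd` lines of the uid branch hardcode `-s /sbin/nologin`, while the no-uid branch emits `-s '$shell'`, so the shell field of a `u` line is silently dropped whenever a uid is given even though `shell` was just normalised three lines earlier; both should emit `-s '$shell'`. The `eval arr=( $line )` in `parse()` evaluates each sysusers.d line as shell, and every field is then embedded in single quotes in the generated scriptlet, so a field containing a quote or shell metacharacter produces a broken or unintended scriptlet — the inputs are the package's own files at build time, but a comment stating that assumption (`# input is trusted build-time sysusers.d content; eval splits quoted fields`) would keep the next maintainer from reusing this on untrusted data. `read line` without `-r` also mangles backslashes in fields, which matters for the quoted-description case the eval is there to handle.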
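--- a/SOURCES/sysusers.prov
+++ b/SOURCES/sysusers.prov
@@ -0,0 +1,28 @@
+#!/bin/bash
+
+parse() {
+while read line; do
+[ "${line:0:1}" = '#' -o "${line:0:1}" = ';' ] && continue
+line="${line## *}"
+[ -z "$line" ] && continue
+set -- $line
+case "$1" in
+('u')
+echo "user($2)"
+echo "group($2)"
+# TODO: user:group support
+;;
+('g')
+echo "group($2)"
+;;
+('m')
+echo "user($2)"
+echo "group($3)"
+;;
+esac
+done
+}
+
+while read fn; do
+parse < "$fn"
+done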
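Review bot: `while read line; do` in `parse()` drops a final line that lacks a trailing newline, so the last `u`/`g`/`m` entry of such a sysusers.d file yields no `user(...)`/`group(...)` provide; the sibling `sysusers.generate-pre.sh` in this same commit already uses `while read line || [ "$line" ]; do` for exactly this reason, and this loop should match it. The two scripts also differ in how they split fields — `set -- $line` here versus `eval arr=( $line )` there — so a quoted description with spaces is tokenised differently by the two; that is harmless for the provide names as long as the user and group fields never contain spaces, which is worth a comment.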
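--- a/SOURCES/triggers.systemd
+++ b/SOURCES/triggers.systemd
@@ -0,0 +1,89 @@
+# -*- Mode: rpm-spec; indent-tabs-mode: nil -*- */
+# SPDX-License-Identifier: LGPL-2.1-or-later
+#
+# This file is part of systemd.
+#
+# Copyright 2018 Neal Gompa
+
+# The contents of this are an example to be copied into systemd.spec.
+#
+# Minimum rpm version supported: 4.14.0
+
+%transfiletriggerin -P 900900 -- /usr/lib/systemd/system /etc/systemd/system
+# This script will run after any package is initially installed or
+# upgraded. We care about the case where a package is initially
+# installed, because other cases are covered by the *un scriptlets,
+# so sometimes we will reload needlessly.
+if test -d "/run/systemd/system"; then
+%{_bindir}/systemctl daemon-reload || :
+%{_bindir}/systemctl reload-or-restart --marked || :
+fi
+
+%transfiletriggerpostun -P 1000100 -- /usr/lib/systemd/system /etc/systemd/system
+# On removal, we need to run daemon-reload after any units have been
+# removed.
+# On upgrade, we need to run daemon-reload after any new unit files
+# have been installed, but before %postun scripts in packages get
+# executed.
+if test -d "/run/systemd/system"; then
+%{_bindir}/systemctl daemon-reload || :
+fi
+
+%transfiletriggerpostun -P 10000 -- /usr/lib/systemd/system /etc/systemd/system
+# We restart remaining services that should be restarted here.
+if test -d "/run/systemd/system"; then
+%{_bindir}/systemctl reload-or-restart --marked || :
+fi
+
+%transfiletriggerin -P 1000700 -- /usr/lib/sysusers.d
+# This script will process files installed in /usr/lib/sysusers.d to create
+# specified users automatically. The priority is set such that it
+# will run before the tmpfiles file trigger.
+if test -d "/run/systemd/system"; then
+%{_bindir}/systemd-sysusers || :
+fi
+
+%transfiletriggerin -P 1000700 udev -- /usr/lib/udev/hwdb.d
+# This script will automatically invoke hwdb update if files have been
+# installed or updated in /usr/lib/udev/hwdb.d.
+if test -d "/run/systemd/system"; then
+%{_bindir}/systemd-hwdb update || :
+fi
+
+%transfiletriggerin -P 1000700 -- /usr/lib/systemd/catalog
+# This script will automatically invoke journal catalog update if files
+# have been installed or updated in /usr/lib/systemd/catalog.
+if test -d "/run/systemd/system"; then
+%{_bindir}/journalctl --update-catalog || :
+fi
+
+%transfiletriggerin -P 1000700 -- /usr/lib/binfmt.d
+# This script will automatically apply binfmt rules if files have been
+# installed or updated in /usr/lib/binfmt.d.
+if test -d "/run/systemd/system"; then
+# systemd-binfmt might fail if binfmt_misc kernel module is not loaded
+# during install
+/usr/lib/systemd/systemd-binfmt || :
+fi
+
+%transfiletriggerin -P 1000600 -- /usr/lib/tmpfiles.d
+# This script will process files installed in /usr/lib/tmpfiles.d to create
+# tmpfiles automatically. The priority is set such that it will run
+# after the sysusers file trigger, but before any other triggers.
+if test -d "/run/systemd/system"; then
+%{_bindir}/systemd-tmpfiles --create || :
+fi
+
+%transfiletriggerin -P 1000600 udev -- /usr/lib/udev/rules.d
+# This script will automatically update udev with new rules if files
+# have been installed or updated in /usr/lib/udev/rules.d.
+if test -e /run/udev/control; then
+%{_bindir}/udevadm control --reload || :
+fi
+
+%transfiletriggerin -P 1000500 -- /usr/lib/sysctl.d
+# This script will automatically apply sysctl rules if files have been
+# installed or updated in /usr/lib/sysctl.d.
+if test -d "/run/systemd/system"; then
+/usr/lib/systemd/systemd-sysctl || :
+fi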
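Review bot: The mode line `# -*- Mode: rpm-spec; indent-tabs-mode: nil -*- */` ends with a stray C comment terminator, left over from a C-style header; it is harmless inside a `#` comment but misleading in an rpm-spec snippet and should be `# -*- Mode: rpm-spec; indent-tabs-mode: nil -*-`. The three `/usr/lib/systemd/system` triggers rely on priority ordering (900900, 1000100, 10000) that is explained only piecemeal across their comments; a short comment at the top of the file stating the intended order — daemon-reload before any restart, and the low-priority postun restart running last — would make the numbers reviewable without reading each trigger.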
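--- a/SOURCES/yum-protect-systemd.conf
+++ b/SOURCES/yum-protect-systemd.conf
@@ -0,0 +1,2 @@
+systemd
+systemd-udev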
3141
SPECS/systemd.spec
Normal file
3141
SPECS/systemd.spec
Normal file
File diff suppressed because it is too large