diff --git a/1292-cryptsetup-generator-refactor-add_crypttab_devices.patch b/1292-cryptsetup-generator-refactor-add_crypttab_devices.patch
new file mode 100644
index 0000000..0ac252f
--- /dev/null
+++ b/1292-cryptsetup-generator-refactor-add_crypttab_devices.patch
@@ -0,0 +1,130 @@
+From 01826a6ded513adea1dabeccc6b860baee277482 Mon Sep 17 00:00:00 2001
+From: David Tardon
+Date: Thu, 30 May 2024 10:44:36 +0200
+Subject: [PATCH] cryptsetup-generator: refactor add_crypttab_devices()
+
+Move the processing of a crypttab entry to a separate function.
+
+No functional changes, just refactoring.
+
+(cherry picked from commit a07cb7d404582f9c0bfaedb9dd07f93848aa91c6)
+
+Related: RHEL-127859
+---
+ src/cryptsetup/cryptsetup-generator.c | 87 +++++++++++++++------------
+ 1 file changed, 49 insertions(+), 38 deletions(-)
+
+diff --git a/src/cryptsetup/cryptsetup-generator.c b/src/cryptsetup/cryptsetup-generator.c
+index 9e8e7e746f..6ab3b85b6b 100644
+--- a/src/cryptsetup/cryptsetup-generator.c
++++ b/src/cryptsetup/cryptsetup-generator.c
+@@ -779,6 +779,52 @@ static int parse_proc_cmdline_item(const char *key, const char *value, void *dat
+ return 0;
+ }
+
++static int add_crypttab_device(const char *name, const char *device, const char *keyspec, const char *options) {
++ _cleanup_free_ char *keyfile = NULL, *keydev = NULL, *headerdev = NULL, *filtered_header = NULL;
++ crypto_device *d = NULL;
++ char *uuid;
++ int r;
++
++ uuid = startswith(device, "UUID=");
++ if (!uuid)
++ uuid = path_startswith(device, "/dev/disk/by-uuid/");
++ if (!uuid)
++ uuid = startswith(name, "luks-");
++ if (uuid)
++ d = hashmap_get(arg_disks, uuid);
++
++ if (arg_allow_list && !d) {
++ log_info("Not creating device '%s' because it was not specified on the kernel command line.", name);
++ return 0;
++ }
++
++ r = split_locationspec(keyspec, &keyfile, &keydev);
++ if (r < 0)
++ return r;
++
++ if (options && (!d || !d->options)) {
++ r = filter_header_device(options, &headerdev, &filtered_header);
++ if (r < 0)
++ return r;
++ options = filtered_header;
++ }
++
++ r = create_disk(name,
++ device,
++ keyfile,
++ keydev,
++ (d && d->options) ? d->headerdev : headerdev,
++ (d && d->options) ?
d->options : options,
++ arg_crypttab);
++ if (r < 0)
++ return r;
++
++ if (d)
++ d->create = false;
++
++ return 0;
++}
++
+ static int add_crypttab_devices(void) {
+ _cleanup_fclose_ FILE *f = NULL;
+ unsigned crypttab_line = 0;
+@@ -795,10 +841,8 @@ static int add_crypttab_devices(void) {
+ }
+
+ for (;;) {
+- _cleanup_free_ char *line = NULL, *name = NULL, *device = NULL, *keyspec = NULL, *options = NULL,
+- *keyfile = NULL, *keydev = NULL, *headerdev = NULL, *filtered_header = NULL;
+- crypto_device *d = NULL;
+- char *l, *uuid;
++ _cleanup_free_ char *line = NULL, *name = NULL, *device = NULL, *keyspec = NULL, *options = NULL;
++ char *l;
+ int k;
+
+ r = read_line(f, LONG_LINE_MAX, &line);
+@@ -819,42 +863,9 @@ static int add_crypttab_devices(void) {
+ continue;
+ }
+
+- uuid = startswith(device, "UUID=");
+- if (!uuid)
+- uuid = path_startswith(device, "/dev/disk/by-uuid/");
+- if (!uuid)
+- uuid = startswith(name, "luks-");
+- if (uuid)
+- d = hashmap_get(arg_disks, uuid);
+-
+- if (arg_allow_list && !d) {
+- log_info("Not creating device '%s' because it was not specified on the kernel command line.", name);
+- continue;
+- }
+-
+- r = split_locationspec(keyspec, &keyfile, &keydev);
++ r = add_crypttab_device(name, device, keyspec, options);
+ if (r < 0)
+ return r;
+-
+- if (options && (!d || !d->options)) {
+- r = filter_header_device(options, &headerdev, &filtered_header);
+- if (r < 0)
+- return r;
+- free_and_replace(options, filtered_header);
+- }
+-
+- r = create_disk(name,
+- device,
+- keyfile,
+- keydev,
+- (d && d->options) ? d->headerdev : headerdev,
+- (d && d->options) ? d->options : options,
+- arg_crypttab);
+- if (r < 0)
+- return r;
+-
+- if (d)
+- d->create = false;
+ }
+
+ return 0;
diff --git a/1293-cryptsetup-generator-continue-parsing-after-error.patch b/1293-cryptsetup-generator-continue-parsing-after-error.patch
new file mode 100644
index 0000000..5f116f1
--- /dev/null
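Review bot: add_crypttab_device() passes `name` and `device` straight to startswith()/path_startswith() without stating that they must be non-NULL, so the new function depends on a field-count check in add_crypttab_devices() that is outside this hunk. Now that the entry handling is a separate function, I would open it with `assert(name);` and `assert(device);` and add a one-line comment that `options` may be NULL (the `if (options && …)` test implies it; that `keyspec` may be NULL as well is my inference). `uuid` is only read and handed to hashmap_get(), so `const char *uuid;` would match the const parameters it is derived from.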
+++ b/1293-cryptsetup-generator-continue-parsing-after-error.patch
@@ -0,0 +1,43 @@
+From 238dadc16fb2bb6ad2fef5602dac5cd2c9aa31ed Mon Sep 17 00:00:00 2001
+From: David Tardon
+Date: Thu, 30 May 2024 10:46:13 +0200
+Subject: [PATCH] cryptsetup-generator: continue parsing after error
+
+Let's make the crypttab parser more robust and continue even if parsing
+of a line failed.
+
+(cherry picked from commit 83813bae7ae471862ff84b038b5e4eaefae41c98)
+
+Resolves: RHEL-127859
+---
+ src/cryptsetup/cryptsetup-generator.c | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+diff --git a/src/cryptsetup/cryptsetup-generator.c b/src/cryptsetup/cryptsetup-generator.c
+index 6ab3b85b6b..924a403ee5 100644
+--- a/src/cryptsetup/cryptsetup-generator.c
++++ b/src/cryptsetup/cryptsetup-generator.c
+@@ -828,7 +828,7 @@ static int add_crypttab_device(const char *name, const char *device, const char
+ static int add_crypttab_devices(void) {
+ _cleanup_fclose_ FILE *f = NULL;
+ unsigned crypttab_line = 0;
+- int r;
++ int r, ret = 0;
+
+ if (!arg_read_crypttab)
+ return 0;
+@@ -863,12 +863,10 @@ static int add_crypttab_devices(void) {
+ continue;
+ }
+
+- r = add_crypttab_device(name, device, keyspec, options);
+- if (r < 0)
+- return r;
++ RET_GATHER(ret, add_crypttab_device(name, device, keyspec, options));
+ }
+
+- return 0;
++ return ret;
+ }
+
+ static int add_proc_cmdline_devices(void) {
diff --git a/1294-cryptsetup-generator-parse-all-cmdline-devices-too.patch b/1294-cryptsetup-generator-parse-all-cmdline-devices-too.patch
new file mode 100644
index 0000000..ab8f684
--- /dev/null
+++ b/1294-cryptsetup-generator-parse-all-cmdline-devices-too.patch
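Review bot: RET_GATHER() is used in add_crypttab_devices() but no hunk on this page defines it, so confirm that the 252 base already carries the macro from an earlier backport; otherwise this patch and the two that follow (1294 in add_proc_cmdline_devices(), 1295 in run()) will not build. Separately, once the loop keeps going after a failed entry, the return value only says that some entry failed. The loop already tracks `crypttab_line`, so `r = add_crypttab_device(name, device, keyspec, options); if (r < 0) log_warning_errno(r, "Failed to process crypttab line %u, ignoring: %m", crypttab_line); RET_GATHER(ret, r);` would tell an administrator which encrypted volume was skipped. Whether create_disk() already logs enough context for that is not visible here.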
@@ -0,0 +1,39 @@
+From 25a4e8e1d411f56fcee5b53d1620c42f3bba16e6 Mon Sep 17 00:00:00 2001
+From: David Tardon
+Date: Thu, 30 May 2024 13:32:20 +0200
+Subject: [PATCH] cryptsetup-generator: parse all cmdline devices too
+
+(cherry picked from commit 47c703d949e84997d11d657fade68064c04a46c8)
+
+Related: RHEL-127859
+---
+ src/cryptsetup/cryptsetup-generator.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/src/cryptsetup/cryptsetup-generator.c b/src/cryptsetup/cryptsetup-generator.c
+index 924a403ee5..1136f5aed7 100644
+--- a/src/cryptsetup/cryptsetup-generator.c
++++ b/src/cryptsetup/cryptsetup-generator.c
+@@ -870,7 +870,7 @@ static int add_crypttab_devices(void) {
+ }
+
+ static int add_proc_cmdline_devices(void) {
+- int r;
++ int r, ret = 0;
+ crypto_device *d;
+
+ HASHMAP_FOREACH(d, arg_disks) {
+@@ -896,11 +896,10 @@ static int add_proc_cmdline_devices(void) {
+ d->headerdev,
+ d->options ?: arg_default_options,
+ "/proc/cmdline");
+- if (r < 0)
+- return r;
++ RET_GATHER(ret, r);
+ }
+
+- return 0;
++ return ret;
+ }
+
+ DEFINE_PRIVATE_HASH_OPS_WITH_VALUE_DESTRUCTOR(crypt_device_hash_ops, char, string_hash_func, string_compare_func,
diff --git a/1295-cryptsetup-generator-always-process-cmdline-devices.patch b/1295-cryptsetup-generator-always-process-cmdline-devices.patch
new file mode 100644
index 0000000..204ca41
--- /dev/null
+++ b/1295-cryptsetup-generator-always-process-cmdline-devices.patch
@@ -0,0 +1,33 @@
+From 1ba4f74ed15a3b715eba0f21a12239af6e44146f Mon Sep 17 00:00:00 2001
+From: David Tardon
+Date: Thu, 30 May 2024 13:33:57 +0200
+Subject: [PATCH] cryptsetup-generator: always process cmdline devices
+
+(cherry picked from commit d181939e2e382631d9b067e0b4cfbf11b709a297)
+
+Related: RHEL-127859
+---
+ src/cryptsetup/cryptsetup-generator.c | 9 ++-------
+ 1 file changed, 2 insertions(+), 7 deletions(-)
+
+diff --git a/src/cryptsetup/cryptsetup-generator.c b/src/cryptsetup/cryptsetup-generator.c
+index 1136f5aed7..06292f7f73 100644
+--- a/src/cryptsetup/cryptsetup-generator.c
++++ b/src/cryptsetup/cryptsetup-generator.c
+@@ -925,14 +925,9 @@ static int run(const char *dest, const char *dest_early, const char *dest_late)
+ return 0;
+
+ r = add_crypttab_devices();
+- if (r < 0)
+- return r;
+-
+- r = add_proc_cmdline_devices();
+- if (r < 0)
+- return r;
++ RET_GATHER(r, add_proc_cmdline_devices());
+
+- return 0;
++ return r;
+ }
+
+ DEFINE_MAIN_GENERATOR_FUNCTION(run);
diff --git a/1296-logind-add-background-light-session-class.patch b/1296-logind-add-background-light-session-class.patch
new file mode 100644
index 0000000..18c2c08
--- /dev/null
+++ b/1296-logind-add-background-light-session-class.patch
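Review bot: run() now calls add_proc_cmdline_devices() even after add_crypttab_devices() has failed and still returns that failure, and nothing in the hunk says that this is deliberate. A short comment above the call, for example `/* Process kernel command line devices even if crypttab handling failed, and report the first error */`, would keep a later cleanup from restoring the early return. The helpers changed by 1293 and 1294 accumulate into a separate `ret`, while this function reuses `r` as the accumulator; using the same naming in all three would make the pattern easier to recognise. The start of run() is outside the hunk.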
@@ -0,0 +1,44 @@
+From a48488d06e60af0d02387488d4de0abbaddf93ad Mon Sep 17 00:00:00 2001
+From: Lennart Poettering
+Date: Mon, 27 Nov 2023 18:39:02 +0100
+Subject: [PATCH] logind: add "background-light" session class
+
+This is the same as the "background" class, but does *not* pull in a
+service manager. It might be useful for things like select cron jobs
+that do not intend to call per-user IPC calls.
+
+Replaces: #23569
+Fixes: #23978
+
+(cherry picked from commit b5100c736f1fce2b6b22c07cf2725e4ec3764a75)
+
+Related: RHEL-109833
+---
+ src/login/logind-session.c | 1 +
+ src/login/logind-session.h | 1 +
+ 2 files changed, 2 insertions(+)
+
+diff --git a/src/login/logind-session.c b/src/login/logind-session.c
+index 8c8dd0d43e..5ba1e690ac 100644
+--- a/src/login/logind-session.c
++++ b/src/login/logind-session.c
+@@ -1525,6 +1525,7 @@ static const char* const session_class_table[_SESSION_CLASS_MAX] = {
+ [SESSION_GREETER] = "greeter",
+ [SESSION_LOCK_SCREEN] = "lock-screen",
+ [SESSION_BACKGROUND] = "background",
++ [SESSION_BACKGROUND_LIGHT] = "background-light",
+ };
+
+ DEFINE_STRING_TABLE_LOOKUP(session_class, SessionClass);
+diff --git a/src/login/logind-session.h b/src/login/logind-session.h
+index 5ee059aa4f..a02d72c211 100644
+--- a/src/login/logind-session.h
++++ b/src/login/logind-session.h
+@@ -23,6 +23,7 @@ typedef enum SessionClass {
+ SESSION_GREETER,
+ SESSION_LOCK_SCREEN,
+ SESSION_BACKGROUND,
++ SESSION_BACKGROUND_LIGHT, /* Like SESSION_BACKGROUND, but without the service manager */
+ _SESSION_CLASS_MAX,
+ _SESSION_CLASS_INVALID = -EINVAL,
+ } SessionClass;
diff --git a/1297-pam_systemd-honor-session-class-provided-via-PAM-env.patch b/1297-pam_systemd-honor-session-class-provided-via-PAM-env.patch
new file mode 100644
index 0000000..b18855f
--- /dev/null
+++ b/1297-pam_systemd-honor-session-class-provided-via-PAM-env.patch
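Review bot: SESSION_BACKGROUND_LIGHT becomes a valid, parseable class as soon as it is in session_class_table, but the behaviour described in its comment (no service manager) is not implemented in this patch; it arrives with 1297. Any code outside this page that tests for SESSION_BACKGROUND to decide how a session is treated will see the new value as a different class, so those comparisons should be checked if this patch is ever applied without 1297. The list of accepted class values in man/pam_systemd.xml (visible as context in the 1297 man hunk, ending at `background`) is not extended either, so I would add `background-light` there.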
@@ -0,0 +1,118 @@
+From d5d08290cf66a0c491a875345902d5c3bfeb6c5a Mon Sep 17 00:00:00 2001
+From: Michal Sekletar
+Date: Mon, 25 Aug 2025 15:09:36 +0200
+Subject: [PATCH] pam_systemd: honor session class provided via PAM environment
+
+Replaces #38638
+
+Co-authored-by: Lennart Poettering
+(cherry picked from commit cf2630acaa87ded5ad99ea30ed4bd895e71ca503)
+
+Resolves: RHEL-109833
+
+[msekleta: this is absolutely minimal version of the ideas implemented in
+https://github.com/systemd/systemd/pull/30884. At this point I want to avoid
+big/risky backports and what I am proposing here should suffice.]
+---
+ man/pam_systemd.xml | 11 ++++++++++-
+ src/login/logind-session.c | 5 +++--
+ src/login/logind-user.c | 16 +++++++++++++++-
+ src/login/pam_systemd.c | 6 ++++--
+ 4 files changed, 32 insertions(+), 6 deletions(-)
+
+diff --git a/man/pam_systemd.xml b/man/pam_systemd.xml
+index 60b8577822..55239ea3d7 100644
+--- a/man/pam_systemd.xml
++++ b/man/pam_systemd.xml
+@@ -95,8 +95,17 @@
+ lock-screen or background. See
+ sd_session_get_class3 for
+ details about the session class.
+-
+
++ If no session class is specified via either the PAM module option or via the
++ $XDG_SESSION_CLASS environment variable, the class is automatically chosen, depending on
++ various session parameters, such as the session type (if known), whether the session has a TTY or X11
++ display, and the user disposition. Note that various tools allow setting the session class for newly
++ allocated PAM sessions explicitly by means of the $XDG_SESSION_CLASS environment variable.
++ For example, classic UNIX cronjobs support environment variable assignments (see
++ crontab5),
++ which may be used to choose between the background and
++ background-light session class individually per cronjob.
++
+
+ type=
+
+diff --git a/src/login/logind-session.c b/src/login/logind-session.c
+index 5ba1e690ac..2ad05e3798 100644
+--- a/src/login/logind-session.c
++++ b/src/login/logind-session.c
+@@ -680,8 +680,9 @@ static int session_start_scope(Session *s, sd_bus_message *properties, sd_bus_er
+ s->user->slice,
+ description,
+ /* These two have StopWhenUnneeded= set, hence add a dep towards them */
+- STRV_MAKE(s->user->runtime_dir_service,
+- s->user->service),
++ s->class == SESSION_BACKGROUND_LIGHT ?
++ STRV_MAKE(s->user->runtime_dir_service) :
++ STRV_MAKE(s->user->runtime_dir_service, s->user->service),
+ after,
+ user_record_home_directory(s->user->user_record),
+ properties,
+diff --git a/src/login/logind-user.c b/src/login/logind-user.c
+index e02ad754ee..ffa32c6ce5 100644
+--- a/src/login/logind-user.c
++++ b/src/login/logind-user.c
+@@ -441,6 +441,19 @@ static int user_update_slice(User *u) {
+ return 0;
+ }
+
++static bool user_wants_service_manager(User *u) {
++ assert(u);
++
++ LIST_FOREACH(sessions_by_user, s, u->sessions)
++ if (s->class != SESSION_BACKGROUND_LIGHT)
++ return true;
++
++ if (user_check_linger_file(u) > 0)
++ return true;
++
++ return false;
++}
++
+ int user_start(User *u) {
+ assert(u);
+
+@@ -464,7 +477,8 @@ int user_start(User *u) {
+ (void) user_update_slice(u);
+
+ /* Start user@UID.service */
+- user_start_service(u);
++ if (user_wants_service_manager(u))
++ user_start_service(u);
+
+ if (!u->started) {
+ if (!dual_timestamp_is_set(&u->timestamp))
+diff --git a/src/login/pam_systemd.c b/src/login/pam_systemd.c
+index a288b3602a..c7377e21a8 100644
+--- a/src/login/pam_systemd.c
++++ b/src/login/pam_systemd.c
+@@ -753,14 +753,16 @@ _public_ PAM_EXTERN int pam_sm_open_session(
+ * (as they otherwise even try to update it!) — but cron doesn't actually allocate a TTY for its forked
+ * off processes.)
*/
+ type = "unspecified";
+- class = "background";
++ if (isempty(class))
++ class = "background";
+ tty = NULL;
+
+ } else if (streq(tty, "ssh")) {
+ /* ssh has been setting PAM_TTY to "ssh" (for the same reason as cron does this, see above. For further
+ * details look for "PAM_TTY_KLUDGE" in the openssh sources). */
+ type ="tty";
+- class = "user";
++ if (isempty(class))
++ class = "user";
+ tty = NULL; /* This one is particularly sad, as this means that ssh sessions — even though usually
+ * associated with a pty — won't be tracked by their tty in logind. This is because ssh
+ * does the PAM session registration early for new connections, and registers a pty only
diff --git a/systemd.spec b/systemd.spec
index 6a7ac49..0f80c0d 100644
--- a/systemd.spec
+++ b/systemd.spec
@@ -21,7 +21,7 @@
 Name: systemd
 Url: https://systemd.io
 Version: 252
-Release: 62%{?dist}
+Release: 63%{?dist}
 # For a breakdown of the licensing, see README
 License: LGPLv2+ and MIT and GPLv2+
 Summary: System and Service Manager
@@ -1374,6 +1374,12 @@ Patch1288: 1288-TEST-07-PID1-add-reprudcer-for-issue-35190.patch
 Patch1289: 1289-coredump-handle-ENOBUFS-and-EMSGSIZE-the-same-way.patch
 Patch1290: 1290-ukify-rstrip-and-escape-binary-null-characters-from-.patch
 Patch1291: 1291-timer-rebase-last_trigger-timestamp-if-needed.patch
+Patch1292: 1292-cryptsetup-generator-refactor-add_crypttab_devices.patch
+Patch1293: 1293-cryptsetup-generator-continue-parsing-after-error.patch
+Patch1294: 1294-cryptsetup-generator-parse-all-cmdline-devices-too.patch
+Patch1295: 1295-cryptsetup-generator-always-process-cmdline-devices.patch
+Patch1296: 1296-logind-add-background-light-session-class.patch
+Patch1297: 1297-pam_systemd-honor-session-class-provided-via-PAM-env.patch
 # Downstream-only patches (9000–9999)
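Review bot: In the pam_systemd.c hunk of patch 1297 the ssh branch now keeps a class that was set before this point, `if (isempty(class)) class = "user";`, although the commit message and the new man page text motivate the change only for cron jobs. Where `class` gets its earlier value is outside the hunk; if it can come from the session's environment (the man text names `$XDG_SESSION_CLASS`), an ssh login would be registered with whatever class that environment supplies instead of always `user`. Unless that override is wanted for ssh, I would leave `class = "user";` unconditional in that branch, or add a comment stating which classes an ssh session is expected to request. In logind-user.c, user_start() consults user_wants_service_manager() only when it runs, and the rest of user_start() is outside the hunk, so please confirm that a normal session opened after a background-light one still gets user@UID.service started and waited for.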
@@ -2251,6 +2257,14 @@ systemd-hwdb update &>/dev/null || : %{_prefix}/lib/dracut/modules.d/70rhel-net-naming-sysattrs/* %changelog +* Thu Nov 27 2025 systemd maintenance team - 252-63 +- cryptsetup-generator: refactor add_crypttab_devices() (RHEL-127859) +- cryptsetup-generator: continue parsing after error (RHEL-127859) +- cryptsetup-generator: parse all cmdline devices too (RHEL-127859) +- cryptsetup-generator: always process cmdline devices (RHEL-127859) +- logind: add "background-light" session class (RHEL-109833) +- pam_systemd: honor session class provided via PAM environment (RHEL-109833) + * Mon Nov 24 2025 systemd maintenance team - 252-62 - ukify: rstrip and escape binary null characters from 'inspect' output (#38607) (RHEL-109558) - timer: rebase last_trigger timestamp if needed (RHEL-118215)