No commits in common. "c8" and "c8-beta" have entirely different histories.
@ -272,7 +272,7 @@ new file mode 100644
|
||||
index 0000000000000000000000000000000000000000..52469650b5498a45d5d95bd9d933c989cfb47ca7
|
||||
GIT binary patch
|
||||
literal 32
|
||||
dcmd1#|DTBg0(2Mzp)7_%1_lO=#KJO70RUP<1jGOU
|
||||
ccmd1#|DTBg0(2Mzp)7_%AVVXuuuM|`09r!?!~g&Q
|
||||
|
||||
literal 0
|
||||
HcmV?d00001
|
||||
|
@ -154,12 +154,12 @@ new file mode 100644
|
||||
index 0000000000000000000000000000000000000000..c371824ffb604708619fd0713e8fca609bac18f7
|
||||
GIT binary patch
|
||||
literal 534
|
||||
zcmZ{h&q~8U5Qo2QZE3}mh({^(l3ZG?FW}9quQ2JKSO_L$Rwany#n(16yNQ%S=d$~o
|
||||
z*`1khrf|3~2l*xZ0M3;-U`e#0Q_g^={kAgCz$q8Nt}HXD7w=MRO7o9T_$MxBsVbVQ
|
||||
zsLDt4_Sq!9Nt>kcX_KUxB&w-}_VOx;`c0Wyz6l^R_4WQGkDWxj0j5BV%;tATdc{;T
|
||||
zNxV;0?Z^1PSGWa+QHL{=ni0@L7-!XS+Pg}s5SN|b)(~pjJo+4FBd2|i(<}!R=Mf{!
|
||||
zc+vGEB0(FA<<7D!=vAlJ>vhog!1WQ+VgGi2mZGqQTmfy{w!dxLT1ngKpsQ^&>=~AJ
|
||||
L>FxXRA@2SU8?;@l
|
||||
zcmZ{h!A`?442GSJP20o?A&zJgm*%p<cmZx)c?GB2N~MZabq0zMhzqX`{7ze`LYk$&
|
||||
z_LnqH{-ic!J`GWMLG(>T#&`l!4rxq{&>8YmwQrOs;B(}I_m11m8`nFp<MR{a3sX`q
|
||||
z!cs!Q@A35`W+B>`#ek1>oQYVSs`!XH?7Y=}3y9Ye+UliL9^x9s66$8wH+TPdOG`n|
|
||||
z5Uhx<nM2)KiEdF(J5Ct}Xa*iksL!VNssA<Hq<KDseGAsT^*)9kK$?O39;dyGTv
|
||||
zLhpD3X)k6@tX`CzbBVV-7e$fy9()CjJ&n(=^)uJCKFB5Xi}-<1ru7po5XlEJ?uByQ
|
||||
MaEPzRhwknF02{PjtN;K2
|
||||
|
||||
literal 0
|
||||
HcmV?d00001
|
||||
|
@ -27,7 +27,7 @@ new file mode 100644
|
||||
index 0000000000000000000000000000000000000000..410cf38c1ec2156680e80160825b883fb4f12aa9
|
||||
GIT binary patch
|
||||
literal 53
|
||||
zcmZo;U|{$U0h1UQ7#dg^8UFug{?7ygZ4BH@stjCQpUNT`SQ!}@7#LI;7(l839<dJW
|
||||
ucmZo;U|{$U0h55t23AHOm-#;v2(&S9GpRCgaeXR_WB`f-fhq$7NEHAcu@3A2
|
||||
|
||||
literal 0
|
||||
HcmV?d00001
|
||||
|
@ -18,7 +18,7 @@ new file mode 100644
|
||||
index 0000000000000000000000000000000000000000..04e871fbcbddfe0642bd6855228bf8da163ad6e3
|
||||
GIT binary patch
|
||||
literal 71
|
||||
vcmZo;U}$4tu#$oUW@d)JzyAOK|Nk!=6Z5a^r8k=xq8a~7VHJl7GBN-FkAWQ*
|
||||
ucmZo;U}$4tu#$oUW@d)Jzy1TkUp6M@U)f7<HZepq{+E)%CJqy1WB>q<fgKkB
|
||||
|
||||
literal 0
|
||||
HcmV?d00001
|
||||
|
@ -90,12 +90,12 @@ new file mode 100644
|
||||
index 0000000000000000000000000000000000000000..2df70fd7cb6f0e632c4d5c2358091309a5cd3edc
|
||||
GIT binary patch
|
||||
literal 534
|
||||
zcmZ{h&q@P9490)c+S-aI5sy;vvU_Q@zJNDRg0GP6pLJnzm(8jyqImJO9m&jAO2J$*
|
||||
zUouI)FDV`F(?Na)-+*%!4p<Ov=#(SivDnlW893z>*j800&HPQub!GAKKk<pnS*VKU
|
||||
zDys6{y?%5_+ofI7wP}~6nIx*Ir3!hGMB8<hTE7V(Gi{sVIgd=DT>?`eW@cA62YAU;
|
||||
zGfCPuRke!oA6K{rh7kv!Ny7-(i7=gYuhah3Qir^3+f4&uw(Vor!))Yqug8R`C4plj
|
||||
z2|PrH7;)gF$F}2n&qqW8HZ4}3Wm&+>9<NrbfNz0|15Nw<?foQWX$Lt6y!Zacdv7Cc
|
||||
U-k_gtRCXE`J>Oto_jmF3zffXT%>V!Z
|
||||
zcmZ{h!A`?442GSJjTUi2h$EV`OM6*iyZ|>&NW6m6ZC#~`RCNGV2*icg27V{4hLEuI
|
||||
z*Z%6nv6IG-c{fDW8PO*Z8RG~@1*A4LLPziq^|n=>fKTCf&ROnOFWhXL{-6KzKQR>*
|
||||
zA}kdo{MtXi^_lPUKI=U`x#dhG*Hq0<i2cUpS}%ckA-=00E9KEH5u{MeESA@QculFG
|
||||
zruVss?wLceSE4J#)5yVN0GffvA#~1mm{Zra+=e{w{I&z@*?J#i4Is_HhZ+f`nuHx|
|
||||
zld${fh;=jUB)V|NE5y2-nFH%A%GTPz>w(L%415E=fPT+(I2*knx96tO2RVnnVP6o!
|
||||
Yuz#WfEX)Cqd!b_JHzYppZsXhk08nC8%>V!Z
|
||||
|
||||
literal 0
|
||||
HcmV?d00001
|
||||
|
@ -155,7 +155,7 @@ new file mode 100644
|
||||
index 0000000000000000000000000000000000000000..f1bf3229effc982c8b129182fe60739efe3c5013
|
||||
GIT binary patch
|
||||
literal 157
|
||||
ncmd1#|DTC5gMmSSfq{X+#27@<0i?K?r!r_H;sF^M8JYqB1XvKp
|
||||
mcmd1#|DTC5gMmSS0SHWtK_neOii>$FgGM4Akdcw0DF6TjSP;el
|
||||
|
||||
literal 0
|
||||
HcmV?d00001
|
||||
@ -165,11 +165,11 @@ new file mode 100644
|
||||
index 0000000000000000000000000000000000000000..c975f906eef521a3cfac5627c8b371ee55aa0e6c
|
||||
GIT binary patch
|
||||
literal 534
|
||||
zcmcJL!AitH5JcY?cTL2TA0P`}W-hzxe+d3UhusZ<#R=(A8ANaXw{#{eB8VsZ(p1+>
|
||||
zbyXi6?%hFm2_JxS5eIB2RXODpc<6V7O-`J00qkRJWn90=VH<6}{AFIdj*Y5lr=lva
|
||||
z`S~sTltcD8i4ScKUNsoi%aeFb+Zar*24tma>>s=0q|_DA0EJmy-~PaNG}?+!DX7|y
|
||||
z<(F5u0jh$h-pa@VIEJvC!<^IJ4Khr;?9*<9X}8_usA08m`c0#zF%md4lfZpxh#3dY
|
||||
VXKXiK&wfN?!j`4_|80LCm`{c%O;`W`
|
||||
zcmcJL!Ab-%42J(Y?m8o$d;nSS(q4Ae_Yi!A47)oFEOwaGU5e<<_x8`!K@h}~fslMn
|
||||
zn)c7Z!M!`6y9Pc0I2S?0hHh3l#W~|szZ;Ct$XAT}7+V?FCpm1RoiBemuU&_Ys%S@7
|
||||
zdCkYS>{AZe=OjL~Ie67zrCwgdYud(O^J==RG>!dpXFS^tlZIX@tK0h@{D4MV@hJsW
|
||||
zyR)R1zXEs6tHM*H04&I}2-7)y>9oE<hN&+5v>VCxw(Vn{LBxXmJ)=frMcRdZlJ-~v
|
||||
b#4gh=OPF@NW^U~wGO=l?@b9nvy<mI-hA2%~
|
||||
|
||||
literal 0
|
||||
HcmV?d00001
|
||||
|
@ -34,7 +34,7 @@ new file mode 100644
|
||||
index 0000000000000000000000000000000000000000..2ae1a8715a12c65fba27d8e60216112a99b0ace7
|
||||
GIT binary patch
|
||||
literal 93
|
||||
ycmd1FDP>|PH8L_fX@m*{@Bvh%Mn*<y-~Mfw-1Yb0f5rv|1_p*!1_ljAO#uK!niIVM
|
||||
wcmd1FDP>|PH8L_f3B<@i03SeB2xg~!`?q0o*WZ8t85<aYpp}6^gHcle07aS;y#N3J
|
||||
|
||||
literal 0
|
||||
HcmV?d00001
|
||||
|
@ -119,7 +119,7 @@ new file mode 100644
|
||||
index 0000000000000000000000000000000000000000..9d3fa0035fd360a37833e8b58cc4aea90df9de83
|
||||
GIT binary patch
|
||||
literal 28
|
||||
jcmd1#|DTDG;s1Xo1_lO(c?v8H3=HXv3>t|^Wtsv2fcytC
|
||||
fcmd1#|DTDG0Z1?a!8`>PAeqj{pplqVrYQgbfcytC
|
||||
|
||||
literal 0
|
||||
HcmV?d00001
|
||||
|
@ -80,7 +80,7 @@ new file mode 100644
|
||||
index 0000000000000000000000000000000000000000..26262e1149825a114a89bf9cee5aeca0be463984
|
||||
GIT binary patch
|
||||
literal 41
|
||||
rcmd1#|DTC5gMmSSfq{X+#F&GD5yW6%U}R!o&`3;7%uED<3{3$5oTCSm
|
||||
rcmd1#|DTC5gMmSS0SHWtIT#p03<d^9CI$wL#Kgo*AWlro&=ddwoTCSm
|
||||
|
||||
literal 0
|
||||
HcmV?d00001
|
||||
|
@ -50,9 +50,9 @@ new file mode 100644
|
||||
index 0000000000000000000000000000000000000000..6a20265a39e1b4a318b50aee2b13727ddc4113bf
|
||||
GIT binary patch
|
||||
literal 534
|
||||
zcmchUu?oUK5JcZ{1TU6;fM{uB;eYrM3o%g$ImiX<?DEOhCwrI9%ED|jv+T0V%=Ci1
|
||||
z1iBr}z|jqQ$G=lbSZ(SITnnK4LbgjUz!`8OU^6EX2ecvNl}aKN@YKEucxoH|au`t6
|
||||
m{ODr$(RRB1>)V?0R#5Vll9?G!=D#<3h|~BOx{^q#obLyFdn%^@
|
||||
zcmc~{WMHggWMD`aVqj=xU|>*W&P&W-;Q0Fg|9>Elfq|V9OfmRED27Bi2!jjC2Wn-|
|
||||
z17hYPAOVtNW-Ml42GVKy`9P9^ffdMS1=8h-IVt%J91NTwNgyEFV4&K>#6$*=MMgl(
|
||||
r%#fH?l1eMv=;=K=_yi-CK!KUB2_%6r0c0u^mlS2@rGxk|0FGY(dwVLU
|
||||
|
||||
literal 0
|
||||
HcmV?d00001
|
||||
|
@ -21,7 +21,7 @@ new file mode 100644
|
||||
index 0000000000000000000000000000000000000000..aa0c6ff7f7b6d2e3fa4358716ee1d05ba74cefc0
|
||||
GIT binary patch
|
||||
literal 89
|
||||
scmc~<lEK8lpj%j2SeRL+$)KTG#-IVBK^P>65Y0yx#SOrwlxYe80GQ+)G5`Po
|
||||
scmc~<lEK8lpj!w8nPr*`8k%Jc8Xy{kL4pX;d}L9u6jlOkN|~kr0GQ+)G5`Po
|
||||
|
||||
literal 0
|
||||
HcmV?d00001
|
||||
|
@ -31,10 +31,10 @@ new file mode 100644
|
||||
index 0000000000000000000000000000000000000000..5faf3308e7ac9c14d66422169e74ba8c05ad7319
|
||||
GIT binary patch
|
||||
literal 534
|
||||
zcmd6ku?oU46h+UoDhf`1fCw&jsp1#7Ik@->DcVvfrZh#J#KqBnmZV7$7gz6+mv?!&
|
||||
z_r8>Z+y(L}JOL4n04rKVV(0^h;#ApAPYe?v(>hgka#iI~+kPS!#wJzEriqR5!xnpp
|
||||
zfC|>MWu~=`Ej0qv+%$D@&clT5&44k`GV@p9{C%<cQW|!CK;1eKr<<yp0T7JZES1ml
|
||||
o;mdn=FS(o_oGt&+v-joBpD|VC)}XQ`b^8s&D_aCScH8#v-+dcTo&W#<
|
||||
zcmd5(y$ZrW3{L#Rf|Cy*1sA)t;uE+zxcCZJw53qIqj#v2xH$UGez{(yI63-3NWO$5
|
||||
zU+!uqzB5rdCwdYQvnEi=V1glA8o?i`lMy}upTQSe=c-Assy=GTr+lHv=4$0!Vy$EX
|
||||
z_LzYX&1*Ob(W(=vPGKsxuBpzYaDn6&un5*x;uk`Xz?Yk^O%qgGJ(zd<Eb+@AlE$ca
|
||||
sLgf|{Zt3X?n*AhyXRr3JnuD(2&Q!)fgDPC^-?wYdB<S$iZQH+p1AQA$o&W#<
|
||||
|
||||
literal 0
|
||||
HcmV?d00001
|
||||
|
@ -94,7 +94,7 @@ new file mode 100644
|
||||
index 0000000000000000000000000000000000000000..b3fee9e07af4f925697a549bbc8ffc03a277fac0
|
||||
GIT binary patch
|
||||
literal 40
|
||||
pcmc~{Vqj!oU|>jp`TxHd0|Ns)V==>j2ng-#xmY$WCw2;m3ji$f6YT&1
|
||||
mcmc~{Vqjzdg7laF|BC@>cE)0c{}2$`*K@IKT2AZ~5ElR}@e}O;
|
||||
|
||||
literal 0
|
||||
HcmV?d00001
|
||||
|
@ -487,8 +487,8 @@ new file mode 100644
|
||||
index 0000000000000000000000000000000000000000..48757cba682ffddd5a1ddd8988bb8bcdc7db0a7a
|
||||
GIT binary patch
|
||||
literal 71
|
||||
zcmZQ&<YZgO$jUDHK=ZjMgDPVw<5Z4Drm2jj9F2@qSxXsNIV2f1Sto)-m?tt$Wh><n
|
||||
ZWl&9JWtU{oOl@S~WG>~H%CV8@000zh4^IF9
|
||||
zcmZQ&<YZgO$jUDHK=ZjMgDPVw<5Z4Drm2jj9F2@qSxXsNIV2f1Sto)-m?tt$Wh><X
|
||||
Xs!9c_XV6S-WZ+~j<(SH`k?8;c6l@Pq
|
||||
|
||||
literal 0
|
||||
HcmV?d00001
|
||||
|
@ -18,7 +18,7 @@ index 0000000000000000000000000000000000000000..424ae5cb010aa519758e6af90cc98179
|
||||
GIT binary patch
|
||||
literal 1847
|
||||
zcmXps(lIeJ&@nVNGBPkSGqo_&(Y4M<t>jX0aSiiycD2<{NiEaQE6vG)izFLb8I!<a
|
||||
W7zLwX6yN|3IK)T6C>RBU7XSc|I~Vl;
|
||||
b7zLvtFd70lLcjrs_^9w`2#kin;0*x)kUJOk
|
||||
|
||||
literal 0
|
||||
HcmV?d00001
|
||||
|
@ -17,8 +17,8 @@ new file mode 100644
|
||||
index 0000000000000000000000000000000000000000..19887a1fec9fc29b1f7da8a2d1c5ea5054f2bc02
|
||||
GIT binary patch
|
||||
literal 112
|
||||
zcmXpq)Zrxx80r}680lCOP-~&{)k?wIfGehgOM!tQroxI#A*RAAHHJ&UB*rAhgn<hH
|
||||
DAnpwr
|
||||
zcmXpq)Zrxx80r}680lCOP-~&{)k?wIfGehgOM!tQroxI#0Z63Aa4DF?03ibx03hxS
|
||||
A82|tP
|
||||
|
||||
literal 0
|
||||
HcmV?d00001
|
||||
|
@ -1,20 +0,0 @@
|
||||
From ca150b92be2e0edf3bfafe88ee79a419e7e11aaa Mon Sep 17 00:00:00 2001
|
||||
From: Jan Macku <jamacku@redhat.com>
|
||||
Date: Mon, 4 Mar 2024 13:40:45 +0100
|
||||
Subject: [PATCH] ci: add configuration for regression sniffer GA
|
||||
|
||||
rhel-only
|
||||
|
||||
Related: RHEL-1087
|
||||
---
|
||||
.github/regression-sniffer.yml | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
create mode 100644 .github/regression-sniffer.yml
|
||||
|
||||
diff --git a/.github/regression-sniffer.yml b/.github/regression-sniffer.yml
|
||||
new file mode 100644
|
||||
index 0000000000..3824028e92
|
||||
--- /dev/null
|
||||
+++ b/.github/regression-sniffer.yml
|
||||
@@ -0,0 +1 @@
|
||||
+upstream: systemd/systemd
|
@ -1,35 +0,0 @@
|
||||
From ccaa361e04719efc6bcf7f3201cc9e6a869677d8 Mon Sep 17 00:00:00 2001
|
||||
From: Michal Sekletar <msekleta@redhat.com>
|
||||
Date: Mon, 4 Mar 2024 14:40:32 +0100
|
||||
Subject: [PATCH] coredump: actually store parsed unit in the context
|
||||
|
||||
RHEL-only
|
||||
|
||||
Related: RHEL-18302
|
||||
---
|
||||
src/coredump/coredump.c | 5 +++--
|
||||
1 file changed, 3 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/coredump/coredump.c b/src/coredump/coredump.c
|
||||
index d8acd2d3a7..7af8e97877 100644
|
||||
--- a/src/coredump/coredump.c
|
||||
+++ b/src/coredump/coredump.c
|
||||
@@ -1262,6 +1262,8 @@ static int gather_pid_metadata(
|
||||
context->meta[CONTEXT_EXE] = t;
|
||||
|
||||
if (cg_pid_get_unit(pid, &t) >= 0) {
|
||||
+ context->meta[CONTEXT_UNIT] = t;
|
||||
+
|
||||
if (!is_journald_crash(context)) {
|
||||
/* OK, now we know it's not the journal, hence we can make use of it now. */
|
||||
log_set_target(LOG_TARGET_JOURNAL_OR_KMSG);
|
||||
@@ -1275,8 +1277,7 @@ static int gather_pid_metadata(
|
||||
}
|
||||
|
||||
set_iovec_string_field(iovec, n_iovec, "COREDUMP_UNIT=", context->meta[CONTEXT_UNIT]);
|
||||
- } else
|
||||
- context->meta[CONTEXT_UNIT] = t;
|
||||
+ }
|
||||
|
||||
if (cg_pid_get_user_unit(pid, &t) >= 0)
|
||||
set_iovec_field_free(iovec, n_iovec, "COREDUMP_USER_UNIT=", t);
|
@ -1,184 +0,0 @@
|
||||
From 899e3c43d6ac9d97c3cb9340b778427391def4ac Mon Sep 17 00:00:00 2001
|
||||
From: Jacek Migacz <jmigacz@redhat.com>
|
||||
Date: Mon, 26 Feb 2024 13:47:24 +0100
|
||||
Subject: [PATCH] resolved: limit the number of signature validations in a
|
||||
transaction
|
||||
|
||||
It has been demonstrated that tolerating an unbounded number of dnssec
|
||||
signature validations is a bad idea. It is easy for a maliciously
|
||||
crafted DNS reply to contain as many keytag collisions as desired,
|
||||
causing us to iterate every dnskey and signature combination in vain.
|
||||
|
||||
The solution is to impose a maximum number of validations we will
|
||||
tolerate. While collisions are not hard to craft, I still expect they
|
||||
are unlikely in the wild so it should be safe to pick fairly small
|
||||
values.
|
||||
|
||||
Here two limits are imposed: one on the maximum number of invalid
|
||||
signatures encountered per rrset, and another on the total number of
|
||||
validations performed per transaction.
|
||||
|
||||
(cherry picked from commit 67d0ce8843d612a2245d0966197d4f528b911b66)
|
||||
|
||||
Resolves: RHEL-26644
|
||||
---
|
||||
src/resolve/resolved-dns-dnssec.c | 16 ++++++++++++++--
|
||||
src/resolve/resolved-dns-dnssec.h | 9 ++++++++-
|
||||
src/resolve/resolved-dns-transaction.c | 19 ++++++++++++++++---
|
||||
3 files changed, 38 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/src/resolve/resolved-dns-dnssec.c b/src/resolve/resolved-dns-dnssec.c
|
||||
index 0a6f482cc1..5dbfbc94c7 100644
|
||||
--- a/src/resolve/resolved-dns-dnssec.c
|
||||
+++ b/src/resolve/resolved-dns-dnssec.c
|
||||
@@ -996,6 +996,7 @@ int dnssec_verify_rrset_search(
|
||||
DnsResourceRecord **ret_rrsig) {
|
||||
|
||||
bool found_rrsig = false, found_invalid = false, found_expired_rrsig = false, found_unsupported_algorithm = false;
|
||||
+ unsigned nvalidations = 0;
|
||||
DnsResourceRecord *rrsig;
|
||||
int r;
|
||||
|
||||
@@ -1041,6 +1042,14 @@ int dnssec_verify_rrset_search(
|
||||
if (realtime == USEC_INFINITY)
|
||||
realtime = now(CLOCK_REALTIME);
|
||||
|
||||
+ /* Have we seen an unreasonable number of invalid signaures? */
|
||||
+ if (nvalidations > DNSSEC_INVALID_MAX) {
|
||||
+ if (ret_rrsig)
|
||||
+ *ret_rrsig = NULL;
|
||||
+ *result = DNSSEC_TOO_MANY_VALIDATIONS;
|
||||
+ return (int) nvalidations;
|
||||
+ }
|
||||
+
|
||||
/* Yay, we found a matching RRSIG with a matching
|
||||
* DNSKEY, awesome. Now let's verify all entries of
|
||||
* the RRSet against the RRSIG and DNSKEY
|
||||
@@ -1050,6 +1059,8 @@ int dnssec_verify_rrset_search(
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
+ nvalidations++;
|
||||
+
|
||||
switch (one_result) {
|
||||
|
||||
case DNSSEC_VALIDATED:
|
||||
@@ -1060,7 +1071,7 @@ int dnssec_verify_rrset_search(
|
||||
*ret_rrsig = rrsig;
|
||||
|
||||
*result = one_result;
|
||||
- return 0;
|
||||
+ return (int) nvalidations;
|
||||
|
||||
case DNSSEC_INVALID:
|
||||
/* If the signature is invalid, let's try another
|
||||
@@ -1107,7 +1118,7 @@ int dnssec_verify_rrset_search(
|
||||
if (ret_rrsig)
|
||||
*ret_rrsig = NULL;
|
||||
|
||||
- return 0;
|
||||
+ return (int) nvalidations;
|
||||
}
|
||||
|
||||
int dnssec_has_rrsig(DnsAnswer *a, const DnsResourceKey *key) {
|
||||
@@ -2301,6 +2312,7 @@ static const char* const dnssec_result_table[_DNSSEC_RESULT_MAX] = {
|
||||
[DNSSEC_FAILED_AUXILIARY] = "failed-auxiliary",
|
||||
[DNSSEC_NSEC_MISMATCH] = "nsec-mismatch",
|
||||
[DNSSEC_INCOMPATIBLE_SERVER] = "incompatible-server",
|
||||
+ [DNSSEC_TOO_MANY_VALIDATIONS] = "too-many-validations",
|
||||
};
|
||||
DEFINE_STRING_TABLE_LOOKUP(dnssec_result, DnssecResult);
|
||||
|
||||
diff --git a/src/resolve/resolved-dns-dnssec.h b/src/resolve/resolved-dns-dnssec.h
|
||||
index dfee7232c0..4d6abee084 100644
|
||||
--- a/src/resolve/resolved-dns-dnssec.h
|
||||
+++ b/src/resolve/resolved-dns-dnssec.h
|
||||
@@ -9,12 +9,13 @@ typedef enum DnssecVerdict DnssecVerdict;
|
||||
#include "resolved-dns-rr.h"
|
||||
|
||||
enum DnssecResult {
|
||||
- /* These five are returned by dnssec_verify_rrset() */
|
||||
+ /* These six are returned by dnssec_verify_rrset() */
|
||||
DNSSEC_VALIDATED,
|
||||
DNSSEC_VALIDATED_WILDCARD, /* Validated via a wildcard RRSIG, further NSEC/NSEC3 checks necessary */
|
||||
DNSSEC_INVALID,
|
||||
DNSSEC_SIGNATURE_EXPIRED,
|
||||
DNSSEC_UNSUPPORTED_ALGORITHM,
|
||||
+ DNSSEC_TOO_MANY_VALIDATIONS,
|
||||
|
||||
/* These two are added by dnssec_verify_rrset_search() */
|
||||
DNSSEC_NO_SIGNATURE,
|
||||
@@ -45,6 +46,12 @@ enum DnssecVerdict {
|
||||
/* The longest digest we'll ever generate, of all digest algorithms we support */
|
||||
#define DNSSEC_HASH_SIZE_MAX (MAX(20, 32))
|
||||
|
||||
+/* The most invalid signatures we will tolerate for a single rrset */
|
||||
+#define DNSSEC_INVALID_MAX 5
|
||||
+
|
||||
+/* The total number of signature validations we will tolerate for a single transaction */
|
||||
+#define DNSSEC_VALIDATION_MAX 64
|
||||
+
|
||||
int dnssec_rrsig_match_dnskey(DnsResourceRecord *rrsig, DnsResourceRecord *dnskey, bool revoked_ok);
|
||||
int dnssec_key_match_rrsig(const DnsResourceKey *key, DnsResourceRecord *rrsig);
|
||||
|
||||
diff --git a/src/resolve/resolved-dns-transaction.c b/src/resolve/resolved-dns-transaction.c
|
||||
index 6f614d7493..1ca6c9abc8 100644
|
||||
--- a/src/resolve/resolved-dns-transaction.c
|
||||
+++ b/src/resolve/resolved-dns-transaction.c
|
||||
@@ -2870,11 +2870,14 @@ static int dnssec_validate_records(
|
||||
DnsTransaction *t,
|
||||
Phase phase,
|
||||
bool *have_nsec,
|
||||
+ unsigned *nvalidations,
|
||||
DnsAnswer **validated) {
|
||||
|
||||
DnsResourceRecord *rr;
|
||||
int r;
|
||||
|
||||
+ assert(nvalidations);
|
||||
+
|
||||
/* Returns negative on error, 0 if validation failed, 1 to restart validation, 2 when finished. */
|
||||
|
||||
DNS_ANSWER_FOREACH(rr, t->answer) {
|
||||
@@ -2909,6 +2912,7 @@ static int dnssec_validate_records(
|
||||
r = dnssec_verify_rrset_search(t->answer, rr->key, t->validated_keys, USEC_INFINITY, &result, &rrsig);
|
||||
if (r < 0)
|
||||
return r;
|
||||
+ *nvalidations += r;
|
||||
|
||||
log_debug("Looking at %s: %s", strna(dns_resource_record_to_string(rr)), dnssec_result_to_string(result));
|
||||
|
||||
@@ -3086,7 +3090,8 @@ static int dnssec_validate_records(
|
||||
DNSSEC_SIGNATURE_EXPIRED,
|
||||
DNSSEC_NO_SIGNATURE))
|
||||
manager_dnssec_verdict(t->scope->manager, DNSSEC_BOGUS, rr->key);
|
||||
- else /* DNSSEC_MISSING_KEY or DNSSEC_UNSUPPORTED_ALGORITHM */
|
||||
+ else /* DNSSEC_MISSING_KEY, DNSSEC_UNSUPPORTED_ALGORITHM,
|
||||
+ or DNSSEC_TOO_MANY_VALIDATIONS */
|
||||
manager_dnssec_verdict(t->scope->manager, DNSSEC_INDETERMINATE, rr->key);
|
||||
|
||||
/* This is a primary response to our question, and it failed validation.
|
||||
@@ -3180,13 +3185,21 @@ int dns_transaction_validate_dnssec(DnsTransaction *t) {
|
||||
return r;
|
||||
|
||||
phase = DNSSEC_PHASE_DNSKEY;
|
||||
- for (;;) {
|
||||
+ for (unsigned nvalidations = 0;;) {
|
||||
bool have_nsec = false;
|
||||
|
||||
- r = dnssec_validate_records(t, phase, &have_nsec, &validated);
|
||||
+ r = dnssec_validate_records(t, phase, &have_nsec, &nvalidations, &validated);
|
||||
if (r <= 0)
|
||||
return r;
|
||||
|
||||
+ if (nvalidations > DNSSEC_VALIDATION_MAX) {
|
||||
+ /* This reply requires an onerous number of signature validations to verify. Let's
|
||||
+ * not waste our time trying, as this shouldn't happen for well-behaved domains
|
||||
+ * anyway. */
|
||||
+ t->answer_dnssec_result = DNSSEC_TOO_MANY_VALIDATIONS;
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
/* Try again as long as we managed to achieve something */
|
||||
if (r == 1)
|
||||
continue;
|
@ -1,34 +0,0 @@
|
||||
From 92124e84be68005be92cce046c7c679b98199d66 Mon Sep 17 00:00:00 2001
|
||||
From: Jacek Migacz <jmigacz@redhat.com>
|
||||
Date: Mon, 26 Feb 2024 13:56:36 +0100
|
||||
Subject: [PATCH] resolved: reduce the maximum nsec3 iterations to 100
|
||||
|
||||
According to RFC9267, the 2500 value is not helpful, and in fact it can
|
||||
be harmful to permit a large number of iterations. Combined with limits
|
||||
on the number of signature validations, I expect this will mitigate the
|
||||
impact of maliciously crafted domains designed to cause excessive
|
||||
cryptographic work.
|
||||
|
||||
(cherry picked from commit eba291124bc11f03732d1fc468db3bfac069f9cb)
|
||||
|
||||
Related: RHEL-26644
|
||||
---
|
||||
src/resolve/resolved-dns-dnssec.c | 5 +++--
|
||||
1 file changed, 3 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/resolve/resolved-dns-dnssec.c b/src/resolve/resolved-dns-dnssec.c
|
||||
index 5dbfbc94c7..5a0540568c 100644
|
||||
--- a/src/resolve/resolved-dns-dnssec.c
|
||||
+++ b/src/resolve/resolved-dns-dnssec.c
|
||||
@@ -22,8 +22,9 @@
|
||||
/* Permit a maximum clock skew of 1h 10min. This should be enough to deal with DST confusion */
|
||||
#define SKEW_MAX (1*USEC_PER_HOUR + 10*USEC_PER_MINUTE)
|
||||
|
||||
-/* Maximum number of NSEC3 iterations we'll do. RFC5155 says 2500 shall be the maximum useful value */
|
||||
-#define NSEC3_ITERATIONS_MAX 2500
|
||||
+/* Maximum number of NSEC3 iterations we'll do. RFC5155 says 2500 shall be the maximum useful value, but
|
||||
+ * RFC9276 § 3.2 says that we should reduce the acceptable iteration count */
|
||||
+#define NSEC3_ITERATIONS_MAX 100
|
||||
|
||||
/*
|
||||
* The DNSSEC Chain of trust:
|
@ -1,117 +0,0 @@
|
||||
From f896e672ec6101ccbb21108345946e834455a25f Mon Sep 17 00:00:00 2001
|
||||
From: Franck Bui <fbui@suse.com>
|
||||
Date: Fri, 3 Apr 2020 10:00:25 +0200
|
||||
Subject: [PATCH] pid1: by default make user units inherit their umask from the
|
||||
user manager
|
||||
|
||||
This patch changes the way user managers set the default umask for the units it
|
||||
manages.
|
||||
|
||||
Indeed one can expect that if user manager's umask is redefined through PAM
|
||||
(via /etc/login.defs or pam_umask), all its children including the units it
|
||||
spawns have their umask set to the new value.
|
||||
|
||||
Hence make user units inherit their umask value from their parent instead of
|
||||
the hard coded value 0022 but allow them to override this value via their unit
|
||||
file.
|
||||
|
||||
Note that reexecuting managers with 'systemctl daemon-reexec' after changing
|
||||
UMask= has no effect. To take effect managers need to be restarted with
|
||||
'systemct restart' instead. This behavior was already present before this
|
||||
patch.
|
||||
|
||||
Fixes #6077.
|
||||
|
||||
(cherry picked from commit 5e37d1930b41b24c077ce37c6db0e36c745106c7)
|
||||
|
||||
Related: RHEL-28048
|
||||
---
|
||||
man/systemd.exec.xml | 9 +++++++--
|
||||
src/basic/process-util.c | 17 +++++++++++++++++
|
||||
src/basic/process-util.h | 1 +
|
||||
src/core/unit.c | 12 ++++++++++--
|
||||
4 files changed, 35 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
|
||||
index b04b4ba552..844c1ce94b 100644
|
||||
--- a/man/systemd.exec.xml
|
||||
+++ b/man/systemd.exec.xml
|
||||
@@ -590,8 +590,13 @@ CapabilityBoundingSet=~CAP_B CAP_C</programlisting>
|
||||
<term><varname>UMask=</varname></term>
|
||||
|
||||
<listitem><para>Controls the file mode creation mask. Takes an access mode in octal notation. See
|
||||
- <citerefentry><refentrytitle>umask</refentrytitle><manvolnum>2</manvolnum></citerefentry> for details. Defaults
|
||||
- to 0022.</para></listitem>
|
||||
+ <citerefentry><refentrytitle>umask</refentrytitle><manvolnum>2</manvolnum></citerefentry> for
|
||||
+ details. Defaults to 0022 for system units. For units of the user service manager the default value
|
||||
+ is inherited from the user instance (whose default is inherited from the system service manager, and
|
||||
+ thus also is 0022). Hence changing the default value of a user instance, either via
|
||||
+ <varname>UMask=</varname> or via a PAM module, will affect the user instance itself and all user
|
||||
+ units started by the user instance unless a user unit has specified its own
|
||||
+ <varname>UMask=</varname>.</para></listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
diff --git a/src/basic/process-util.c b/src/basic/process-util.c
|
||||
index 9e2237375d..af44bfab3e 100644
|
||||
--- a/src/basic/process-util.c
|
||||
+++ b/src/basic/process-util.c
|
||||
@@ -657,6 +657,23 @@ int get_process_ppid(pid_t pid, pid_t *ret) {
|
||||
return 0;
|
||||
}
|
||||
|
||||
+int get_process_umask(pid_t pid, mode_t *umask) {
|
||||
+ _cleanup_free_ char *m = NULL;
|
||||
+ const char *p;
|
||||
+ int r;
|
||||
+
|
||||
+ assert(umask);
|
||||
+ assert(pid >= 0);
|
||||
+
|
||||
+ p = procfs_file_alloca(pid, "status");
|
||||
+
|
||||
+ r = get_proc_field(p, "Umask", WHITESPACE, &m);
|
||||
+ if (r == -ENOENT)
|
||||
+ return -ESRCH;
|
||||
+
|
||||
+ return parse_mode(m, umask);
|
||||
+}
|
||||
+
|
||||
int wait_for_terminate(pid_t pid, siginfo_t *status) {
|
||||
siginfo_t dummy;
|
||||
|
||||
diff --git a/src/basic/process-util.h b/src/basic/process-util.h
|
||||
index a3bd2851b4..9059aad4cc 100644
|
||||
--- a/src/basic/process-util.h
|
||||
+++ b/src/basic/process-util.h
|
||||
@@ -41,6 +41,7 @@ int get_process_cwd(pid_t pid, char **cwd);
|
||||
int get_process_root(pid_t pid, char **root);
|
||||
int get_process_environ(pid_t pid, char **environ);
|
||||
int get_process_ppid(pid_t pid, pid_t *ppid);
|
||||
+int get_process_umask(pid_t pid, mode_t *umask);
|
||||
|
||||
int wait_for_terminate(pid_t pid, siginfo_t *status);
|
||||
|
||||
diff --git a/src/core/unit.c b/src/core/unit.c
|
||||
index 76fb9f8075..d3459dcdd0 100644
|
||||
--- a/src/core/unit.c
|
||||
+++ b/src/core/unit.c
|
||||
@@ -167,8 +167,16 @@ static void unit_init(Unit *u) {
|
||||
if (ec) {
|
||||
exec_context_init(ec);
|
||||
|
||||
- ec->keyring_mode = MANAGER_IS_SYSTEM(u->manager) ?
|
||||
- EXEC_KEYRING_SHARED : EXEC_KEYRING_INHERIT;
|
||||
+ if (MANAGER_IS_SYSTEM(u->manager))
|
||||
+ ec->keyring_mode = EXEC_KEYRING_SHARED;
|
||||
+ else {
|
||||
+ ec->keyring_mode = EXEC_KEYRING_INHERIT;
|
||||
+
|
||||
+ /* User manager might have its umask redefined by PAM or UMask=. In this
|
||||
+ * case let the units it manages inherit this value by default. They can
|
||||
+ * still tune this value through their own unit file */
|
||||
+ (void) get_process_umask(getpid_cached(), &ec->umask);
|
||||
+ }
|
||||
}
|
||||
|
||||
kc = unit_get_kill_context(u);
|
@ -1,28 +0,0 @@
|
||||
From 49dbe60d4b3c6f111911c8217bc5e7da5a4ba0d0 Mon Sep 17 00:00:00 2001
|
||||
From: Michal Sekletar <msekleta@redhat.com>
|
||||
Date: Wed, 31 May 2023 18:50:12 +0200
|
||||
Subject: [PATCH] pam: add call to pam_umask
|
||||
|
||||
Setting umask for user sessions via UMASK setting in /etc/login.defs is
|
||||
a well-known feature. Let's make sure that user manager also runs with
|
||||
this umask value.
|
||||
|
||||
Follow-up for 5e37d1930b41b24c077ce37c6db0e36c745106c7.
|
||||
|
||||
(cherry picked from commit 159f1b78576ce91c3932f4867f07361a530875d3)
|
||||
|
||||
Resolves: RHEL-28048
|
||||
---
|
||||
src/login/systemd-user.m4 | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/src/login/systemd-user.m4 b/src/login/systemd-user.m4
|
||||
index eb291beaed..a194a636d6 100644
|
||||
--- a/src/login/systemd-user.m4
|
||||
+++ b/src/login/systemd-user.m4
|
||||
@@ -10,4 +10,5 @@ session required pam_selinux.so nottys open
|
||||
session required pam_loginuid.so
|
||||
session optional pam_keyinit.so force revoke
|
||||
session required pam_namespace.so
|
||||
+session optional pam_umask.so silent
|
||||
session optional pam_systemd.so
|
@ -1,81 +0,0 @@
|
||||
From 045ba12c6337760f0a7f8b0ceb9f998b309e025f Mon Sep 17 00:00:00 2001
|
||||
From: Jan Macku <jamacku@redhat.com>
|
||||
Date: Fri, 9 Feb 2024 14:48:02 +0100
|
||||
Subject: [PATCH] ci: deploy systemd man to GitHub Pages
|
||||
|
||||
rhel-only
|
||||
|
||||
Related: RHEL-32494
|
||||
|
||||
Co-authored-by: Frantisek Sumsal <frantisek@sumsal.cz>
|
||||
---
|
||||
.github/workflows/deploy-man-pages.yml | 60 ++++++++++++++++++++++++++
|
||||
1 file changed, 60 insertions(+)
|
||||
create mode 100644 .github/workflows/deploy-man-pages.yml
|
||||
|
||||
diff --git a/.github/workflows/deploy-man-pages.yml b/.github/workflows/deploy-man-pages.yml
|
||||
new file mode 100644
|
||||
index 0000000000..9da38a1687
|
||||
--- /dev/null
|
||||
+++ b/.github/workflows/deploy-man-pages.yml
|
||||
@@ -0,0 +1,60 @@
|
||||
+name: Deploy systemd man to Pages
|
||||
+
|
||||
+on:
|
||||
+ push:
|
||||
+ branches: [ rhel-8.10.0 ]
|
||||
+ paths:
|
||||
+ - man/*
|
||||
+ - .github/workflows/deploy-man-pages.yml
|
||||
+ schedule:
|
||||
+ # Run every Monday at 4:00 AM UTC
|
||||
+ - cron: 0 4 * * 1
|
||||
+ workflow_dispatch:
|
||||
+
|
||||
+permissions:
|
||||
+ contents: read
|
||||
+
|
||||
+# Allow only one concurrent deployment, skipping runs queued between the run in-progress and latest queued.
|
||||
+# However, do NOT cancel in-progress runs as we want to allow these production deployments to complete.
|
||||
+concurrency:
|
||||
+ group: pages
|
||||
+ cancel-in-progress: false
|
||||
+
|
||||
+jobs:
|
||||
+ # Single deploy job since we're just deploying
|
||||
+ deploy:
|
||||
+ environment:
|
||||
+ name: github-pages
|
||||
+ url: ${{ steps.deployment.outputs.page_url }}
|
||||
+ runs-on: ubuntu-latest
|
||||
+
|
||||
+ permissions:
|
||||
+ pages: write
|
||||
+ id-token: write
|
||||
+
|
||||
+ steps:
|
||||
+ - uses: actions/checkout@v4
|
||||
+
|
||||
+ - name: Install dependencies
|
||||
+ run: |
|
||||
+ RELEASE="$(lsb_release -cs)"
|
||||
+ sudo add-apt-repository -y --no-update --enable-source
|
||||
+ sudo apt-get -y update
|
||||
+ sudo apt-get -y build-dep systemd
|
||||
+
|
||||
+ - name: Build HTML man pages
|
||||
+ run: |
|
||||
+ meson setup build
|
||||
+ ninja -C build man/html
|
||||
+
|
||||
+ - name: Setup Pages
|
||||
+ uses: actions/configure-pages@v4
|
||||
+
|
||||
+ - name: Upload artifact
|
||||
+ uses: actions/upload-pages-artifact@v3
|
||||
+ with:
|
||||
+ path: ./build/man
|
||||
+
|
||||
+ - name: Deploy to GitHub Pages
|
||||
+ id: deployment
|
||||
+ uses: actions/deploy-pages@v4
|
@ -1,24 +0,0 @@
|
||||
From 604d2f1c8b6ecb46be7f70c5be7ae6fc6be04cab Mon Sep 17 00:00:00 2001
|
||||
From: Jan Macku <jamacku@redhat.com>
|
||||
Date: Thu, 11 Apr 2024 10:14:51 +0200
|
||||
Subject: [PATCH] ci(src-git): update list of supported products
|
||||
|
||||
rhel-only
|
||||
|
||||
Related: RHEL-32494
|
||||
---
|
||||
.github/tracker-validator.yml | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/.github/tracker-validator.yml b/.github/tracker-validator.yml
|
||||
index b09f702dd9..1bb684e722 100644
|
||||
--- a/.github/tracker-validator.yml
|
||||
+++ b/.github/tracker-validator.yml
|
||||
@@ -16,5 +16,5 @@ products:
|
||||
- rhel-8.8.0.z
|
||||
- rhel-8.9.0
|
||||
- rhel-8.9.0.z
|
||||
- - rhel-8.10.0
|
||||
- - rhel-8.10.0.z
|
||||
+ - rhel-8.10
|
||||
+ - rhel-8.10.z
|
@ -1,29 +0,0 @@
|
||||
From 0e66d8f81574b13402b7356bf8261739c4b8b90e Mon Sep 17 00:00:00 2001
|
||||
From: Jan Macku <jamacku@redhat.com>
|
||||
Date: Thu, 25 Apr 2024 15:00:33 +0200
|
||||
Subject: [PATCH] ci: update actions/upload-artifact to `v4`
|
||||
|
||||
`v3` will be deprecated soon, so update to `v4`.
|
||||
|
||||
https://github.blog/changelog/2024-04-16-deprecation-notice-v3-of-the-artifact-actions/
|
||||
|
||||
rhel-only
|
||||
|
||||
Related: RHEL-32494
|
||||
---
|
||||
.github/workflows/gather-metadata.yml | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/.github/workflows/gather-metadata.yml b/.github/workflows/gather-metadata.yml
|
||||
index f432f41811..08ad813971 100644
|
||||
--- a/.github/workflows/gather-metadata.yml
|
||||
+++ b/.github/workflows/gather-metadata.yml
|
||||
@@ -22,7 +22,7 @@ jobs:
|
||||
uses: redhat-plumbers-in-action/gather-pull-request-metadata@v1
|
||||
|
||||
- name: Upload artifact with gathered metadata
|
||||
- uses: actions/upload-artifact@v3
|
||||
+ uses: actions/upload-artifact@v4
|
||||
with:
|
||||
name: pr-metadata
|
||||
path: ${{ steps.Metadata.outputs.metadata-file }}
|
@ -1,24 +0,0 @@
|
||||
From 72040693da79d7ef3d1f210866ee1f651b720247 Mon Sep 17 00:00:00 2001
|
||||
From: Jan Macku <jamacku@redhat.com>
|
||||
Date: Thu, 25 Apr 2024 16:31:18 +0200
|
||||
Subject: [PATCH] ci: drop unused variable
|
||||
|
||||
rhel-only
|
||||
|
||||
Related: RHEL-32494
|
||||
---
|
||||
.github/workflows/deploy-man-pages.yml | 1 -
|
||||
1 file changed, 1 deletion(-)
|
||||
|
||||
diff --git a/.github/workflows/deploy-man-pages.yml b/.github/workflows/deploy-man-pages.yml
|
||||
index 9da38a1687..c65c9b62ee 100644
|
||||
--- a/.github/workflows/deploy-man-pages.yml
|
||||
+++ b/.github/workflows/deploy-man-pages.yml
|
||||
@@ -37,7 +37,6 @@ jobs:
|
||||
|
||||
- name: Install dependencies
|
||||
run: |
|
||||
- RELEASE="$(lsb_release -cs)"
|
||||
sudo add-apt-repository -y --no-update --enable-source
|
||||
sudo apt-get -y update
|
||||
sudo apt-get -y build-dep systemd
|
@ -1,30 +0,0 @@
|
||||
From df87420725157953268ed099c3c97989288db1fa Mon Sep 17 00:00:00 2001
|
||||
From: Frantisek Sumsal <fsumsal@redhat.com>
|
||||
Date: Wed, 13 Mar 2024 12:13:23 +0100
|
||||
Subject: [PATCH] ci: reduce ASLR entropy
|
||||
|
||||
The latest GH Action runners started using 32-bit entropy for ASLR,
|
||||
which makes it incompatible with llvm-14. This was fixed in later llvm
|
||||
releases, but these aren't available on Ubuntu Jammy (22.04). Let's
|
||||
reduce the ASLR entropy to 28-bit, which should make llvm happy again,
|
||||
until the issue is resolved.
|
||||
|
||||
See: actions/runner-images#9491
|
||||
---
|
||||
.github/workflows/unit_tests.yml | 3 +++
|
||||
1 file changed, 3 insertions(+)
|
||||
|
||||
diff --git a/.github/workflows/unit_tests.yml b/.github/workflows/unit_tests.yml
|
||||
index f397e8ed6e..814e17b6bf 100644
|
||||
--- a/.github/workflows/unit_tests.yml
|
||||
+++ b/.github/workflows/unit_tests.yml
|
||||
@@ -18,6 +18,9 @@ jobs:
|
||||
steps:
|
||||
- name: Repository checkout
|
||||
uses: actions/checkout@v1
|
||||
+ # FIXME: drop once https://github.com/actions/runner-images/issues/9491 is resolved
|
||||
+ - name: Reduce ASLR entropy
|
||||
+ run: sudo sysctl -w vm.mmap_rnd_bits=28
|
||||
- name: Install build dependencies
|
||||
run: sudo -E .github/workflows/unit_tests.sh SETUP
|
||||
- name: Build & test (${{ env.CENTOS_RELEASE }} / ${{ matrix.phase }})
|
@ -1,89 +0,0 @@
|
||||
From a4e0b7ab90c8bc6ecb7bd883f19e5a5834ae9058 Mon Sep 17 00:00:00 2001
|
||||
From: Frantisek Sumsal <fsumsal@redhat.com>
|
||||
Date: Wed, 13 Mar 2024 12:41:17 +0100
|
||||
Subject: [PATCH] test: skip the symlink part of test_touch_file() in GH
|
||||
Actions
|
||||
|
||||
Our (RHEL 8) touch_file() is not clever enough and does chmod() on a
|
||||
symlink, which fails with EOPNOTSUPP on newer kernels. This is not an
|
||||
issue on the RHEL 8 kernel, where doing chmod() on a symlink works
|
||||
(albeit only on tmpfs) but in GH Actions we run in a container, and with
|
||||
the underlying kernel doing chmod() on a symlink fails even on tmpfs:
|
||||
|
||||
RHEL 8:
|
||||
~# mount -t tmpfs tmpfs /tmp
|
||||
~# (cd /tmp; ln -s symlink dangling; ln -s /etc/os-release symlink)
|
||||
~# (cd /var/tmp; ln -s symlink dangling; ln -s /etc/os-release symlink)
|
||||
~# gcc -o main main.c -D_GNU_SOURCE
|
||||
~# ./main /tmp/dangling
|
||||
chmod(/proc/self/fd/3)=0 (0)
|
||||
~# ./main /tmp/symlink
|
||||
chmod(/proc/self/fd/3)=0 (0)
|
||||
~# ./main /var/tmp/dangling
|
||||
chmod(/proc/self/fd/3)=-1 (95)
|
||||
~# ./main /var/tmp/symlink
|
||||
chmod(/proc/self/fd/3)=-1 (95)
|
||||
|
||||
Newer kernel:
|
||||
~# uname -r
|
||||
6.7.4-200.fc39.x86_64
|
||||
~# ./main /tmp/dangling
|
||||
chmod(/proc/self/fd/3)=-1 (95)
|
||||
~# ./main /tmp/symlink
|
||||
chmod(/proc/self/fd/3)=-1 (95)
|
||||
~# ./main /var/tmp/dangling
|
||||
chmod(/proc/self/fd/3)=-1 (95)
|
||||
~# ./main /var/tmp/symlink
|
||||
chmod(/proc/self/fd/3)=-1 (95)
|
||||
|
||||
Backporting the necessary patches would be way too risky so late in the
|
||||
RHEL 8 cycle, so let's just skip the offending test when running in GH
|
||||
Actions. To do that we have to jump through a couple of hoops, since
|
||||
RHEL 8 systemd can't detect docker. Oh well.
|
||||
|
||||
See: #434
|
||||
|
||||
RHEL-only
|
||||
---
|
||||
src/test/test-fs-util.c | 21 ++++++++++++---------
|
||||
1 file changed, 12 insertions(+), 9 deletions(-)
|
||||
|
||||
diff --git a/src/test/test-fs-util.c b/src/test/test-fs-util.c
|
||||
index aa32629f62..a3428f8c0d 100644
|
||||
--- a/src/test/test-fs-util.c
|
||||
+++ b/src/test/test-fs-util.c
|
||||
@@ -15,6 +15,7 @@
|
||||
#include "stdio-util.h"
|
||||
#include "string-util.h"
|
||||
#include "strv.h"
|
||||
+#include "tests.h"
|
||||
#include "user-util.h"
|
||||
#include "util.h"
|
||||
#include "virt.h"
|
||||
@@ -544,15 +545,17 @@ static void test_touch_file(void) {
|
||||
assert_se(timespec_load(&st.st_mtim) == test_mtime);
|
||||
}
|
||||
|
||||
- a = strjoina(p, "/lnk");
|
||||
- assert_se(symlink("target", a) >= 0);
|
||||
- assert_se(touch_file(a, false, test_mtime, test_uid, test_gid, 0640) >= 0);
|
||||
- assert_se(lstat(a, &st) >= 0);
|
||||
- assert_se(st.st_uid == test_uid);
|
||||
- assert_se(st.st_gid == test_gid);
|
||||
- assert_se(S_ISLNK(st.st_mode));
|
||||
- assert_se((st.st_mode & 0777) == 0640);
|
||||
- assert_se(timespec_load(&st.st_mtim) == test_mtime);
|
||||
+ if (!streq_ptr(ci_environment(), "github-actions")) {
|
||||
+ a = strjoina(p, "/lnk");
|
||||
+ assert_se(symlink("target", a) >= 0);
|
||||
+ assert_se(touch_file(a, false, test_mtime, test_uid, test_gid, 0640) >= 0);
|
||||
+ assert_se(lstat(a, &st) >= 0);
|
||||
+ assert_se(st.st_uid == test_uid);
|
||||
+ assert_se(st.st_gid == test_gid);
|
||||
+ assert_se(S_ISLNK(st.st_mode));
|
||||
+ assert_se((st.st_mode & 0777) == 0640);
|
||||
+ assert_se(timespec_load(&st.st_mtim) == test_mtime);
|
||||
+ }
|
||||
}
|
||||
|
||||
static void test_unlinkat_deallocate(void) {
|
@ -1,53 +0,0 @@
|
||||
From dd794489f97baf760d03b32e4e3188b5af799436 Mon Sep 17 00:00:00 2001
|
||||
From: Michal Sekletar <msekleta@redhat.com>
|
||||
Date: Wed, 7 Sep 2022 17:37:34 +0200
|
||||
Subject: [PATCH] core: add possibility to not track certain unit types
|
||||
|
||||
(cherry picked from commit 88e4bfa62bd2561e04a90dc009e7a3865e0878fb)
|
||||
|
||||
Related: RHEL-5877
|
||||
---
|
||||
src/core/unit.c | 18 ++++++++++++++++++
|
||||
1 file changed, 18 insertions(+)
|
||||
|
||||
diff --git a/src/core/unit.c b/src/core/unit.c
|
||||
index d3459dcdd0..ac960ef0c8 100644
|
||||
--- a/src/core/unit.c
|
||||
+++ b/src/core/unit.c
|
||||
@@ -18,6 +18,7 @@
|
||||
#include "dbus-unit.h"
|
||||
#include "dbus.h"
|
||||
#include "dropin.h"
|
||||
+#include "env-util.h"
|
||||
#include "escape.h"
|
||||
#include "execute.h"
|
||||
#include "fd-util.h"
|
||||
@@ -4786,11 +4787,28 @@ int unit_setup_dynamic_creds(Unit *u) {
|
||||
}
|
||||
|
||||
bool unit_type_supported(UnitType t) {
|
||||
+ static int8_t cache[_UNIT_TYPE_MAX] = {}; /* -1: disabled, 1: enabled: 0: don't know */
|
||||
+ int r;
|
||||
+
|
||||
if (_unlikely_(t < 0))
|
||||
return false;
|
||||
if (_unlikely_(t >= _UNIT_TYPE_MAX))
|
||||
return false;
|
||||
|
||||
+ if (cache[t] == 0) {
|
||||
+ char *e;
|
||||
+
|
||||
+ e = strjoina("SYSTEMD_SUPPORT_", unit_type_to_string(t));
|
||||
+
|
||||
+ r = getenv_bool(ascii_strupper(e));
|
||||
+ if (r < 0 && r != -ENXIO)
|
||||
+ log_debug_errno(r, "Failed to parse $%s, ignoring: %m", e);
|
||||
+
|
||||
+ cache[t] = r == 0 ? -1 : 1;
|
||||
+ }
|
||||
+ if (cache[t] < 0)
|
||||
+ return false;
|
||||
+
|
||||
if (!unit_vtable[t]->supported)
|
||||
return true;
|
||||
|
@ -1,50 +0,0 @@
|
||||
From c87954f7ee7859524c60e6ca724c68b0a35e26ce Mon Sep 17 00:00:00 2001
|
||||
From: Michal Sekletar <msekleta@redhat.com>
|
||||
Date: Tue, 12 Dec 2023 19:03:39 +0100
|
||||
Subject: [PATCH] logind: don't setup idle session watch for lock-screen and
|
||||
greeter
|
||||
|
||||
Reason to skip the idle session logic for these session classes is that
|
||||
they are idle by default.
|
||||
|
||||
(cherry picked from commit 508b4786e8592e82eb4832549f74aaa54335d14c)
|
||||
|
||||
Resolves: RHEL-19215
|
||||
---
|
||||
man/logind.conf.xml | 9 +++++----
|
||||
src/login/logind-session.c | 2 +-
|
||||
2 files changed, 6 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/man/logind.conf.xml b/man/logind.conf.xml
|
||||
index 56981c1837..6cb41b6955 100644
|
||||
--- a/man/logind.conf.xml
|
||||
+++ b/man/logind.conf.xml
|
||||
@@ -343,10 +343,11 @@
|
||||
<term><varname>StopIdleSessionSec=</varname></term>
|
||||
|
||||
<listitem><para>Specifies a timeout in seconds, or a time span value after which
|
||||
- <filename>systemd-logind</filename> checks the idle state of all sessions. Every session that is idle for
|
||||
- longer then the timeout will be stopped. Defaults to <literal>infinity</literal>
|
||||
- (<filename>systemd-logind</filename> is not checking the idle state of sessions). For details about the syntax
|
||||
- of time spans, see
|
||||
+ <filename>systemd-logind</filename> checks the idle state of all sessions. Every session that is idle
|
||||
+ for longer than the timeout will be stopped. Note that this option doesn't apply to
|
||||
+ <literal>greeter</literal> or <literal>lock-screen</literal> sessions. Defaults to
|
||||
+ <literal>infinity</literal> (<filename>systemd-logind</filename> is not checking the idle state
|
||||
+ of sessions). For details about the syntax of time spans, see
|
||||
<citerefentry><refentrytitle>systemd.time</refentrytitle><manvolnum>7</manvolnum></citerefentry>.
|
||||
</para></listitem>
|
||||
</varlistentry>
|
||||
diff --git a/src/login/logind-session.c b/src/login/logind-session.c
|
||||
index 4edc4b9b88..57b9696d1d 100644
|
||||
--- a/src/login/logind-session.c
|
||||
+++ b/src/login/logind-session.c
|
||||
@@ -713,7 +713,7 @@ static int session_setup_stop_on_idle_timer(Session *s) {
|
||||
|
||||
assert(s);
|
||||
|
||||
- if (s->manager->stop_idle_session_usec == USEC_INFINITY)
|
||||
+ if (s->manager->stop_idle_session_usec == USEC_INFINITY || IN_SET(s->class, SESSION_GREETER, SESSION_LOCK_SCREEN))
|
||||
return 0;
|
||||
|
||||
r = sd_event_add_time_relative(
|
@ -1,47 +0,0 @@
|
||||
From 77a215ecaca4e927a3465ac5f502d5873ef942ef Mon Sep 17 00:00:00 2001
|
||||
From: Lennart Poettering <lennart@poettering.net>
|
||||
Date: Thu, 4 Jan 2024 13:40:00 +0100
|
||||
Subject: [PATCH] logind: tighten for which classes of sessions we do
|
||||
stop-on-idle
|
||||
|
||||
We only want to do this for fully set up, interactive sessions, i.e.
|
||||
user and user-early, but not for any others, hence restrict the rules a
|
||||
bit.
|
||||
|
||||
Follow-up for: 508b4786e8592e82eb4832549f74aaa54335d14c
|
||||
|
||||
(cherry picked from commit ad23439eae718ac3634f260be0d29e01445983a8)
|
||||
|
||||
Related: RHEL-19215
|
||||
---
|
||||
src/login/logind-session.c | 2 +-
|
||||
src/login/logind-session.h | 3 +++
|
||||
2 files changed, 4 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/login/logind-session.c b/src/login/logind-session.c
|
||||
index 57b9696d1d..9ec7bd3344 100644
|
||||
--- a/src/login/logind-session.c
|
||||
+++ b/src/login/logind-session.c
|
||||
@@ -713,7 +713,7 @@ static int session_setup_stop_on_idle_timer(Session *s) {
|
||||
|
||||
assert(s);
|
||||
|
||||
- if (s->manager->stop_idle_session_usec == USEC_INFINITY || IN_SET(s->class, SESSION_GREETER, SESSION_LOCK_SCREEN))
|
||||
+ if (s->manager->stop_idle_session_usec == USEC_INFINITY || !SESSION_CLASS_CAN_STOP_ON_IDLE(s->class))
|
||||
return 0;
|
||||
|
||||
r = sd_event_add_time_relative(
|
||||
diff --git a/src/login/logind-session.h b/src/login/logind-session.h
|
||||
index 0557696761..955cd7de92 100644
|
||||
--- a/src/login/logind-session.h
|
||||
+++ b/src/login/logind-session.h
|
||||
@@ -26,6 +26,9 @@ typedef enum SessionClass {
|
||||
_SESSION_CLASS_INVALID = -1
|
||||
} SessionClass;
|
||||
|
||||
+/* Which sessions classes should be subject to stop-in-idle */
|
||||
+#define SESSION_CLASS_CAN_STOP_ON_IDLE(class) (IN_SET((class), SESSION_USER))
|
||||
+
|
||||
typedef enum SessionType {
|
||||
SESSION_UNSPECIFIED,
|
||||
SESSION_TTY,
|
@ -1,27 +0,0 @@
|
||||
From 3aae10768d08007dc087306431da60f85087ae57 Mon Sep 17 00:00:00 2001
|
||||
From: Frantisek Sumsal <frantisek@sumsal.cz>
|
||||
Date: Wed, 26 Jun 2024 13:16:27 +0200
|
||||
Subject: [PATCH] ci: point C8S containers to the Vault
|
||||
|
||||
Temporarily point repos in C8S containers to the Vault (since C8S is
|
||||
EOL), until we figure out a _proper_ solution.
|
||||
|
||||
Related: RHEL-1087
|
||||
---
|
||||
.github/workflows/unit_tests.sh | 3 +++
|
||||
1 file changed, 3 insertions(+)
|
||||
|
||||
diff --git a/.github/workflows/unit_tests.sh b/.github/workflows/unit_tests.sh
|
||||
index 3859433720..7cc7da164c 100755
|
||||
--- a/.github/workflows/unit_tests.sh
|
||||
+++ b/.github/workflows/unit_tests.sh
|
||||
@@ -138,6 +138,9 @@ for phase in "${PHASES[@]}"; do
|
||||
|
||||
# Beautiful workaround for Fedora's version of Docker
|
||||
sleep 1
|
||||
+ # FIXME?: Point C8S repos to the Vault, since C8S is EOL
|
||||
+ $DOCKER_EXEC bash -xec "sed -i 's/^mirrorlist/#mirrorlist/g' /etc/yum.repos.d/CentOS-*"
|
||||
+ $DOCKER_EXEC bash -xec "sed -i 's|#baseurl=http://mirror.centos.org|baseurl=https://vault.centos.org|g' /etc/yum.repos.d/CentOS-*"
|
||||
$DOCKER_EXEC dnf makecache
|
||||
# Install and enable EPEL
|
||||
$DOCKER_EXEC dnf -q -y install epel-release dnf-utils "${ADDITIONAL_DEPS[@]}"
|
@ -9,5 +9,4 @@ session required pam_selinux.so close
|
||||
session required pam_selinux.so nottys open
|
||||
session required pam_loginuid.so
|
||||
session required pam_namespace.so
|
||||
session optional pam_umask.so silent
|
||||
session include system-auth
|
||||
|
@ -13,7 +13,7 @@
|
||||
Name: systemd
|
||||
Url: http://www.freedesktop.org/wiki/Software/systemd
|
||||
Version: 239
|
||||
Release: 82%{?dist}.3
|
||||
Release: 81%{?dist}
|
||||
# For a breakdown of the licensing, see README
|
||||
License: LGPLv2+ and MIT and GPLv2+
|
||||
Summary: System and Service Manager
|
||||
@ -1055,22 +1055,6 @@ Patch1002: 1002-udev-net_id-introduce-naming-scheme-for-RHEL-8.10.patch
|
||||
Patch1003: 1003-doc-add-missing-listitem-to-systemd.net-naming-schem.patch
|
||||
Patch1004: 1004-service-schedule-cleanup-of-PID-hashmaps-when-we-now.patch
|
||||
Patch1005: 1005-man-update-link-to-RHEL-documentation.patch
|
||||
Patch1006: 1006-ci-add-configuration-for-regression-sniffer-GA.patch
|
||||
Patch1007: 1007-coredump-actually-store-parsed-unit-in-the-context.patch
|
||||
Patch1008: 1008-resolved-limit-the-number-of-signature-validations-i.patch
|
||||
Patch1009: 1009-resolved-reduce-the-maximum-nsec3-iterations-to-100.patch
|
||||
Patch1010: 1010-pid1-by-default-make-user-units-inherit-their-umask-.patch
|
||||
Patch1011: 1011-pam-add-call-to-pam_umask.patch
|
||||
Patch1012: 1012-ci-deploy-systemd-man-to-GitHub-Pages.patch
|
||||
Patch1013: 1013-ci-src-git-update-list-of-supported-products.patch
|
||||
Patch1014: 1014-ci-update-actions-upload-artifact-to-v4.patch
|
||||
Patch1015: 1015-ci-drop-unused-variable.patch
|
||||
Patch1016: 1016-ci-reduce-ASLR-entropy.patch
|
||||
Patch1017: 1017-test-skip-the-symlink-part-of-test_touch_file-in-GH-.patch
|
||||
Patch1018: 1018-core-add-possibility-to-not-track-certain-unit-types.patch
|
||||
Patch1019: 1019-logind-don-t-setup-idle-session-watch-for-lock-scree.patch
|
||||
Patch1020: 1020-logind-tighten-for-which-classes-of-sessions-we-do-s.patch
|
||||
Patch1021: 1021-ci-point-C8S-containers-to-the-Vault.patch
|
||||
|
||||
%ifarch %{ix86} x86_64 aarch64
|
||||
%global have_gnu_efi 1
|
||||
@ -1524,6 +1508,10 @@ chmod g+s /run/log/journal/ /run/log/journal/`cat /etc/machine-id 2>/dev/null` /
|
||||
# Apply ACL to the journal directory
|
||||
setfacl -Rnm g:wheel:rx,d:g:wheel:rx,g:adm:rx,d:g:adm:rx /var/log/journal/ &>/dev/null || :
|
||||
|
||||
# Stop-gap until rsyslog.rpm does this on its own. (This is supposed
|
||||
# to fail when the link already exists)
|
||||
ln -s /usr/lib/systemd/system/rsyslog.service /etc/systemd/system/syslog.service &>/dev/null || :
|
||||
|
||||
# Remove spurious /etc/fstab entries from very old installations
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1009023
|
||||
if [ -e /etc/fstab ]; then
|
||||
@ -1697,29 +1685,6 @@ fi
|
||||
%files tests -f .file-list-tests
|
||||
|
||||
%changelog
|
||||
* Thu Nov 07 2024 systemd maintenance team <systemd-maint@redhat.com> - 239-82.3
|
||||
- ci: update actions/upload-artifact to `v4` (RHEL-32494)
|
||||
- ci: drop unused variable (RHEL-32494)
|
||||
- core: add possibility to not track certain unit types (RHEL-5877)
|
||||
- logind: don't setup idle session watch for lock-screen and greeter (RHEL-19215)
|
||||
- logind: tighten for which classes of sessions we do stop-on-idle (RHEL-19215)
|
||||
- ci: point C8S containers to the Vault (RHEL-1087)
|
||||
|
||||
* Tue Jul 23 2024 systemd maintenance team <systemd-maint@redhat.com> - 239-82.2
|
||||
- spec: do not create symlink /etc/systemd/system/syslog.service (RHEL-13179)
|
||||
|
||||
* Thu Apr 11 2024 systemd maintenance team <systemd-maint@redhat.com> - 239-82.1
|
||||
- pid1: by default make user units inherit their umask from the user manager (RHEL-28048)
|
||||
- pam: add call to pam_umask (RHEL-28048)
|
||||
- ci: deploy systemd man to GitHub Pages (RHEL-32494)
|
||||
- ci(src-git): update list of supported products (RHEL-32494)
|
||||
|
||||
* Thu Mar 07 2024 systemd maintenance team <systemd-maint@redhat.com> - 239-82
|
||||
- ci: add configuration for regression sniffer GA (RHEL-1087)
|
||||
- coredump: actually store parsed unit in the context (RHEL-18302)
|
||||
- resolved: limit the number of signature validations in a transaction (RHEL-26644)
|
||||
- resolved: reduce the maximum nsec3 iterations to 100 (RHEL-26644)
|
||||
|
||||
* Mon Feb 26 2024 systemd maintenance team <systemd-maint@redhat.com> - 239-81
|
||||
- man: update link to RHEL documentation (RHEL-26355)
|
||||
|
||||
|
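Review bot: In the scriptlet hunk (`@ -1524,6 +1508,10 @@`) the new side creates `/etc/systemd/system/syslog.service` with `ln -s ... &>/dev/null || :`, so a symlink is written into the admin-owned drop-in tree unconditionally, every failure (including the "already exists" case the comment says is expected) is discarded, and the path is never owned by the package, which means `rpm -V` cannot check it and `rpm -e` leaves it behind. The old side's changelog for 239-82.2 records this exact symlink being dropped (RHEL-13179), so the hunk appears to reintroduce something the other branch deliberately removed rather than add a new fix. If the link has to stay, make the intent explicit instead of masking errors, e.g. `[ -e /etc/systemd/system/syslog.service ] || ln -s /usr/lib/systemd/system/rsyslog.service /etc/systemd/system/syslog.service`, and consider declaring the path as `%ghost` so rpm tracks it. Separately, the new side's `Release: 81%{?dist}` is below the old `82%{?dist}.3`, so this comparison reads as a downgrade that sheds the removed changelog entries, among them the resolved DNSSEC validation limits (RHEL-26644); that is a branch-state observation inferred from the visible changelog, not a defect in the hunk itself.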