rpms
/
systemd
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Compare commits

base: rpms:imports/c9-beta/systemd-250-3.el9
Branches Tags
rpms:c8
rpms:a9
rpms:c9
rpms:c9-beta
rpms:c8-beta
rpms:c9s
rpms:c8s
rpms:a8a
rpms:imports/c8/systemd-239-82.el8
rpms:imports/c8/systemd-239-82.el8_10
rpms:changed/a9/systemd-252-32.el9_4.alma.1
rpms:imports/c9/systemd-252-32.el9_4
rpms:imports/c8/systemd-239-78.el8
rpms:imports/c9/systemd-252-18.el9
rpms:imports/c8-beta/systemd-239-78.el8
rpms:imports/c9-beta/systemd-252-18.el9
rpms:imports/c8/systemd-239-74.el8_8.5
rpms:imports/c8/systemd-239-74.el8_8.3
rpms:imports/c9/systemd-252-14.el9_2.3
rpms:imports/c8/systemd-239-74.el8_8.2
rpms:imports/c9/systemd-252-14.el9_2.1
rpms:imports/c8/systemd-239-74.el8_8
rpms:imports/c9/systemd-252-13.el9_2
rpms:imports/c9-beta/systemd-252-8.el9
rpms:imports/c8-beta/systemd-239-72.el8
rpms:imports/c8s/systemd-239-74.el8_8
rpms:imports/c8s/systemd-239-73.el8
rpms:imports/c9/systemd-250-12.el9_1.3
rpms:imports/c8/systemd-239-68.el8_7.4
rpms:imports/c8s/systemd-239-72.el8
rpms:imports/c8s/systemd-239-71.el8
rpms:imports/c9/systemd-250-12.el9_1.1
rpms:imports/c8s/systemd-239-70.el8
rpms:imports/c8/systemd-239-68.el8_7.2
rpms:imports/c8/systemd-239-68.el8_7.1
rpms:changed/a8a/systemd-239-68.el8.alma
rpms:imports/c9/systemd-250-12.el9_1
rpms:imports/c8s/systemd-239-69.el8
rpms:imports/c8/systemd-239-68.el8
rpms:imports/c8/systemd-239-58.el8_6.8
rpms:imports/c8s/systemd-239-68.el8
rpms:imports/c9-beta/systemd-250-11.el9
rpms:imports/c8-beta/systemd-239-67.el8
rpms:imports/c9/systemd-250-6.el9_0.1
rpms:imports/c8/systemd-239-58.el8_6.7
rpms:imports/c8/systemd-239-58.el8_6.4
rpms:imports/c8s/systemd-239-67.el8
rpms:imports/c8s/systemd-239-65.el8
rpms:imports/c8/systemd-239-58.el8_6.3
rpms:imports/c8s/systemd-239-62.el8
rpms:imports/c8s/systemd-239-60.el8
rpms:imports/c8s/systemd-239-59.el8
rpms:imports/c9/systemd-250-6.el9_0
rpms:imports/c8s/systemd-239-58.el8_6.1
rpms:imports/c8/systemd-239-58.el8
rpms:imports/c9-beta/systemd-250-4.el9
rpms:imports/c8-beta/systemd-239-58.el8
rpms:imports/c8/systemd-239-51.el8_5.5
rpms:imports/c9-beta/systemd-250-3.el9
rpms:imports/c8s/systemd-239-58.el8
rpms:imports/c8s/systemd-239-56.el8
rpms:imports/c8s/systemd-239-55.el8
rpms:imports/c8/systemd-239-51.el8_5.2
rpms:imports/c8/systemd-239-51.el8_5.3
rpms:imports/c9-beta/systemd-249-9.el9
rpms:imports/c9-beta/systemd-249-7.el9_b
rpms:imports/c8s/systemd-239-54.el8
rpms:imports/c8/systemd-239-51.el8
rpms:imports/c8-beta/systemd-239-50.el8
rpms:imports/c8-beta/systemd-239-44.el8
rpms:imports/c8-beta/systemd-239-36.el8
rpms:imports/c8-beta/systemd-239-21.el8
rpms:imports/c8-beta/systemd-239-15.el8
rpms:imports/c8s/systemd-239-51.el8
rpms:imports/c8s/systemd-239-50.el8
rpms:imports/c8s/systemd-239-49.el8
rpms:imports/c8s/systemd-239-48.el8
rpms:imports/c8s/systemd-239-45.el8_4.1
rpms:imports/c8s/systemd-239-45.el8
rpms:imports/c8/systemd-239-45.el8_4.3
rpms:imports/c8/systemd-239-45.el8_4.2
rpms:imports/c8/systemd-239-45.el8_4.1
rpms:imports/c8/systemd-239-45.el8
rpms:imports/c8/systemd-239-41.el8_3.2
...
compare: rpms:c8
Branches Tags
rpms:c8
rpms:a9
rpms:c9
rpms:c9-beta
rpms:c8-beta
rpms:c9s
rpms:c8s
rpms:a8a
rpms:imports/c8/systemd-239-82.el8
rpms:imports/c8/systemd-239-82.el8_10
rpms:changed/a9/systemd-252-32.el9_4.alma.1
rpms:imports/c9/systemd-252-32.el9_4
rpms:imports/c8/systemd-239-78.el8
rpms:imports/c9/systemd-252-18.el9
rpms:imports/c8-beta/systemd-239-78.el8
rpms:imports/c9-beta/systemd-252-18.el9
rpms:imports/c8/systemd-239-74.el8_8.5
rpms:imports/c8/systemd-239-74.el8_8.3
rpms:imports/c9/systemd-252-14.el9_2.3
rpms:imports/c8/systemd-239-74.el8_8.2
rpms:imports/c9/systemd-252-14.el9_2.1
rpms:imports/c8/systemd-239-74.el8_8
rpms:imports/c9/systemd-252-13.el9_2
rpms:imports/c9-beta/systemd-252-8.el9
rpms:imports/c8-beta/systemd-239-72.el8
rpms:imports/c8s/systemd-239-74.el8_8
rpms:imports/c8s/systemd-239-73.el8
rpms:imports/c9/systemd-250-12.el9_1.3
rpms:imports/c8/systemd-239-68.el8_7.4
rpms:imports/c8s/systemd-239-72.el8
rpms:imports/c8s/systemd-239-71.el8
rpms:imports/c9/systemd-250-12.el9_1.1
rpms:imports/c8s/systemd-239-70.el8
rpms:imports/c8/systemd-239-68.el8_7.2
rpms:imports/c8/systemd-239-68.el8_7.1
rpms:changed/a8a/systemd-239-68.el8.alma
rpms:imports/c9/systemd-250-12.el9_1
rpms:imports/c8s/systemd-239-69.el8
rpms:imports/c8/systemd-239-68.el8
rpms:imports/c8/systemd-239-58.el8_6.8
rpms:imports/c8s/systemd-239-68.el8
rpms:imports/c9-beta/systemd-250-11.el9
rpms:imports/c8-beta/systemd-239-67.el8
rpms:imports/c9/systemd-250-6.el9_0.1
rpms:imports/c8/systemd-239-58.el8_6.7
rpms:imports/c8/systemd-239-58.el8_6.4
rpms:imports/c8s/systemd-239-67.el8
rpms:imports/c8s/systemd-239-65.el8
rpms:imports/c8/systemd-239-58.el8_6.3
rpms:imports/c8s/systemd-239-62.el8
rpms:imports/c8s/systemd-239-60.el8
rpms:imports/c8s/systemd-239-59.el8
rpms:imports/c9/systemd-250-6.el9_0
rpms:imports/c8s/systemd-239-58.el8_6.1
rpms:imports/c8/systemd-239-58.el8
rpms:imports/c9-beta/systemd-250-4.el9
rpms:imports/c8-beta/systemd-239-58.el8
rpms:imports/c8/systemd-239-51.el8_5.5
rpms:imports/c9-beta/systemd-250-3.el9
rpms:imports/c8s/systemd-239-58.el8
rpms:imports/c8s/systemd-239-56.el8
rpms:imports/c8s/systemd-239-55.el8
rpms:imports/c8/systemd-239-51.el8_5.2
rpms:imports/c8/systemd-239-51.el8_5.3
rpms:imports/c9-beta/systemd-249-9.el9
rpms:imports/c9-beta/systemd-249-7.el9_b
rpms:imports/c8s/systemd-239-54.el8
rpms:imports/c8/systemd-239-51.el8
rpms:imports/c8-beta/systemd-239-50.el8
rpms:imports/c8-beta/systemd-239-44.el8
rpms:imports/c8-beta/systemd-239-36.el8
rpms:imports/c8-beta/systemd-239-21.el8
rpms:imports/c8-beta/systemd-239-15.el8
rpms:imports/c8s/systemd-239-51.el8
rpms:imports/c8s/systemd-239-50.el8
rpms:imports/c8s/systemd-239-49.el8
rpms:imports/c8s/systemd-239-48.el8
rpms:imports/c8s/systemd-239-45.el8_4.1
rpms:imports/c8s/systemd-239-45.el8
rpms:imports/c8/systemd-239-45.el8_4.3
rpms:imports/c8/systemd-239-45.el8_4.2
rpms:imports/c8/systemd-239-45.el8_4.1
rpms:imports/c8/systemd-239-45.el8
rpms:imports/c8/systemd-239-41.el8_3.2

No commits in common. "imports/c9-beta/systemd-250-3.el9" and "c8" have entirely different histories.
imports/c9 ... c8

1043 changed files with 216747 additions and 3333 deletions
Show Stats Expand all files Collapse all files

2
.gitignore vendored
View File

@ -1 +1 @@
SOURCES/systemd-250.tar.gz
SOURCES/systemd-239.tar.gz

2
.systemd.metadata
View File

@ -1 +1 @@
3b9db821b29a577d004c8823f4ff7a054c81a39c SOURCES/systemd-250.tar.gz
8803baa484cbe36680463c8c5e6febeff074b8e7 SOURCES/systemd-239.tar.gz

105
SOURCES/0001-build-sys-Detect-whether-struct-statx-is-defined-in-.patch Normal file
View File

@ -0,0 +1,105 @@
From 79df4db3fd122f5040bdf2225c3047375de3b0d2 Mon Sep 17 00:00:00 2001
From: Filipe Brandenburger <filbranden@google.com>
Date: Sun, 15 Jul 2018 22:43:35 -0700
Subject: [PATCH] build-sys: Detect whether struct statx is defined in
sys/stat.h
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Starting with glibc 2.27.9000-36.fc29, include file sys/stat.h will have a
definition for struct statx, in which case include file linux/stat.h should be
avoided, in order to prevent a duplicate definition.
In file included from ../src/basic/missing.h:18,
from ../src/basic/util.h:28,
from ../src/basic/hashmap.h:10,
from ../src/shared/bus-util.h:12,
from ../src/libsystemd/sd-bus/bus-creds.c:11:
/usr/include/linux/stat.h:99:8: error: redefinition of struct statx
struct statx {
^~~~~
In file included from /usr/include/sys/stat.h:446,
from ../src/basic/util.h:19,
from ../src/basic/hashmap.h:10,
from ../src/shared/bus-util.h:12,
from ../src/libsystemd/sd-bus/bus-creds.c:11:
/usr/include/bits/statx.h:36:8: note: originally defined here
struct statx
^~~~~
Extend our meson.build to look for struct statx when only sys/stat.h is
included and, in that case, do not include linux/stat.h anymore.
Tested that systemd builds correctly when using a glibc version that includes a
definition for struct statx.
glibc Fedora RPM update:
https://src.fedoraproject.org/rpms/glibc/c/28cb5d31fc1e5887912283c889689c47076278ae
glibc upstream commit:
https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=fd70af45528d59a00eb3190ef6706cb299488fcd
---
meson.build | 5 +++++
src/basic/missing.h | 5 ++++-
src/basic/xattr-util.c | 1 -
3 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/meson.build b/meson.build
index 04331dd41a..a0e7240708 100644
--- a/meson.build
+++ b/meson.build
@@ -425,6 +425,7 @@ decl_headers = '''
#include <sys/stat.h>
'''
# FIXME: key_serial_t is only defined in keyutils.h, this is bound to fail
+# FIXME: these should use -D_GNU_SOURCE, since that is defined at build time
foreach decl : ['char16_t',
'char32_t',
@@ -439,6 +440,10 @@ foreach decl : ['char16_t',
conf.set10('HAVE_' + decl.underscorify().to_upper(), have)
endforeach
+conf.set10('HAVE_STRUCT_STATX_IN_SYS_STAT_H', cc.sizeof('struct statx', prefix : '''
+#include <sys/stat.h>
+''', args : '-D_GNU_SOURCE') > 0)
+
foreach decl : [['IFLA_INET6_ADDR_GEN_MODE', 'linux/if_link.h'],
['IN6_ADDR_GEN_MODE_STABLE_PRIVACY', 'linux/if_link.h'],
['IFLA_VRF_TABLE', 'linux/if_link.h'],
diff --git a/src/basic/missing.h b/src/basic/missing.h
index 71a07d0574..14ad3d4914 100644
--- a/src/basic/missing.h
+++ b/src/basic/missing.h
@@ -15,7 +15,6 @@
#include <linux/neighbour.h>
#include <linux/oom.h>
#include <linux/rtnetlink.h>
-#include <linux/stat.h>
#include <net/ethernet.h>
#include <stdlib.h>
#include <sys/resource.h>
@@ -25,6 +24,10 @@
#include <uchar.h>
#include <unistd.h>
+#if !HAVE_STRUCT_STATX_IN_SYS_STAT_H
+#include <linux/stat.h>
+#endif
+
#if HAVE_AUDIT
#include <libaudit.h>
#endif
diff --git a/src/basic/xattr-util.c b/src/basic/xattr-util.c
index c5c55ea846..0ee0979837 100644
--- a/src/basic/xattr-util.c
+++ b/src/basic/xattr-util.c
@@ -2,7 +2,6 @@
#include <errno.h>
#include <fcntl.h>
-#include <linux/stat.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

24
SOURCES/0001-logind-set-RemoveIPC-to-false-by-default.patch → SOURCES/0002-logind-set-RemoveIPC-to-false-by-default.patch
View File

@ -1,11 +1,9 @@
From 5a66d993a5be88524d9952193b053eac607a5c17 Mon Sep 17 00:00:00 2001
From 0b3833d6c3b751c6dfb40eeb2ef852984c58f546 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 1 Aug 2018 10:58:28 +0200
Subject: [PATCH] logind: set RemoveIPC to false by default
RHEL-only
Resolves: #1959836
Resolves: #1523233
---
man/logind.conf.xml | 2 +-
src/login/logind-core.c | 2 +-
@ -13,10 +11,10 @@ Resolves: #1959836
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/man/logind.conf.xml b/man/logind.conf.xml
index 3045c1b9ba..96fa076239 100644
index 9e88764c6f..7d7e869a26 100644
--- a/man/logind.conf.xml
+++ b/man/logind.conf.xml
@@ -354,7 +354,7 @@
@@ -319,7 +319,7 @@
user fully logs out. Takes a boolean argument. If enabled, the user may not consume IPC resources after the
last of the user's sessions terminated. This covers System V semaphores, shared memory and message queues, as
well as POSIX shared memory and message queues. Note that IPC objects of the root user and other system users
@ -26,26 +24,26 @@ index 3045c1b9ba..96fa076239 100644
</variablelist>
diff --git a/src/login/logind-core.c b/src/login/logind-core.c
index 254a1a69fb..616c08132a 100644
index dbae4bf5af..511e3acf8f 100644
--- a/src/login/logind-core.c
+++ b/src/login/logind-core.c
@@ -34,7 +34,7 @@ void manager_reset_config(Manager *m) {
@@ -25,7 +25,7 @@ void manager_reset_config(Manager *m) {
m->n_autovts = 6;
m->reserve_vt = 6;
- m->remove_ipc = true;
+ m->remove_ipc = false;
m->inhibit_delay_max = 5 * USEC_PER_SEC;
m->user_stop_delay = 10 * USEC_PER_SEC;
m->handle_power_key = HANDLE_POWEROFF;
m->handle_suspend_key = HANDLE_SUSPEND;
diff --git a/src/login/logind.conf.in b/src/login/logind.conf.in
index 2d084e134d..79d685b3de 100644
index 1029e29bc7..c7346f9819 100644
--- a/src/login/logind.conf.in
+++ b/src/login/logind.conf.in
@@ -40,6 +40,6 @@
@@ -32,6 +32,6 @@
#IdleAction=ignore
#IdleActionSec=30min
#RuntimeDirectorySize=10%
#RuntimeDirectoryInodes=400k
-#RemoveIPC=yes
+#RemoveIPC=no
#InhibitorsMax=8192

43
SOURCES/0002-tmpfiles-don-t-create-resolv.conf-stub-resolv.conf-s.patch
View File

@ -1,43 +0,0 @@
From 92b6ae2097ae90355775217529d2fd55f7b84e31 Mon Sep 17 00:00:00 2001
From: Michal Sekletar <msekleta@redhat.com>
Date: Thu, 5 Aug 2021 17:11:47 +0200
Subject: [PATCH] tmpfiles: don't create resolv.conf -> stub-resolv.conf
symlink
RHEL-only
Resolves: #1989472
---
tmpfiles.d/meson.build | 1 -
tmpfiles.d/systemd-resolve.conf | 10 ----------
2 files changed, 11 deletions(-)
delete mode 100644 tmpfiles.d/systemd-resolve.conf
diff --git a/tmpfiles.d/meson.build b/tmpfiles.d/meson.build
index b8d3919025..6ae9e3e0b8 100644
--- a/tmpfiles.d/meson.build
+++ b/tmpfiles.d/meson.build
@@ -7,7 +7,6 @@ files = [['README', ''],
['journal-nocow.conf', ''],
['systemd-nologin.conf', 'HAVE_PAM'],
['systemd-nspawn.conf', 'ENABLE_MACHINED'],
- ['systemd-resolve.conf', 'ENABLE_RESOLVE'],
['systemd-tmp.conf', ''],
['portables.conf', 'ENABLE_PORTABLED'],
['systemd-pstore.conf', 'ENABLE_PSTORE'],
diff --git a/tmpfiles.d/systemd-resolve.conf b/tmpfiles.d/systemd-resolve.conf
deleted file mode 100644
index cb1c56d6a6..0000000000
--- a/tmpfiles.d/systemd-resolve.conf
+++ /dev/null
@@ -1,10 +0,0 @@
-# This file is part of systemd.
-#
-# systemd is free software; you can redistribute it and/or modify it
-# under the terms of the GNU Lesser General Public License as published by
-# the Free Software Foundation; either version 2.1 of the License, or
-# (at your option) any later version.
-
-# See tmpfiles.d(5) for details
-
-L! /etc/resolv.conf - - - - ../run/systemd/resolve/stub-resolv.conf

78
SOURCES/0003-Copy-40-redhat.rules-from-RHEL-8.patch
View File

@ -1,78 +0,0 @@
From 24f033a2a5c03848ae518278c8025e13130146af Mon Sep 17 00:00:00 2001
From: David Tardon <dtardon@redhat.com>
Date: Fri, 2 Jul 2021 13:25:51 +0200
Subject: [PATCH] Copy 40-redhat.rules from RHEL-8
RHEL-only
Resolves: #1978639
---
rules.d/40-redhat.rules | 46 +++++++++++++++++++++++++++++++++++++++++
rules.d/meson.build | 1 +
2 files changed, 47 insertions(+)
create mode 100644 rules.d/40-redhat.rules
diff --git a/rules.d/40-redhat.rules b/rules.d/40-redhat.rules
new file mode 100644
index 0000000000..3c95cd2df0
--- /dev/null
+++ b/rules.d/40-redhat.rules
@@ -0,0 +1,46 @@
+# do not edit this file, it will be overwritten on update
+
+# CPU hotadd request
+SUBSYSTEM=="cpu", ACTION=="add", TEST=="online", ATTR{online}=="0", ATTR{online}="1"
+
+# Memory hotadd request
+SUBSYSTEM!="memory", GOTO="memory_hotplug_end"
+ACTION!="add", GOTO="memory_hotplug_end"
+CONST{arch}=="s390*", GOTO="memory_hotplug_end"
+CONST{arch}=="ppc64*", GOTO="memory_hotplug_end"
+
+ENV{.state}="online"
+CONST{virt}=="none", ENV{.state}="online_movable"
+ATTR{state}=="offline", ATTR{state}="$env{.state}"
+
+LABEL="memory_hotplug_end"
+
+# reload sysctl.conf / sysctl.conf.d settings when the bridge module is loaded
+ACTION=="add", SUBSYSTEM=="module", KERNEL=="bridge", RUN+="/usr/lib/systemd/systemd-sysctl --prefix=/proc/sys/net/bridge"
+
+# load SCSI generic (sg) driver
+SUBSYSTEM=="scsi", ENV{DEVTYPE}=="scsi_device", TEST!="[module/sg]", RUN+="/sbin/modprobe -bv sg"
+SUBSYSTEM=="scsi", ENV{DEVTYPE}=="scsi_target", TEST!="[module/sg]", RUN+="/sbin/modprobe -bv sg"
+
+# Rule for prandom character device node permissions
+KERNEL=="prandom", MODE="0644"
+
+# Rules for creating the ID_PATH for SCSI devices based on the CCW bus
+# using the form: ccw-<BUS_ID>-zfcp-<WWPN>:<LUN>
+#
+ACTION=="remove", GOTO="zfcp_scsi_device_end"
+
+#
+# Set environment variable "ID_ZFCP_BUS" to "1" if the devices
+# (both disk and partition) are SCSI devices based on FCP devices
+#
+KERNEL=="sd*", SUBSYSTEMS=="ccw", DRIVERS=="zfcp", ENV{.ID_ZFCP_BUS}="1"
+
+# For SCSI disks
+KERNEL=="sd*[!0-9]", SUBSYSTEMS=="scsi", ENV{.ID_ZFCP_BUS}=="1", ENV{DEVTYPE}=="disk", SYMLINK+="disk/by-path/ccw-$attr{hba_id}-zfcp-$attr{wwpn}:$attr{fcp_lun}"
+
+
+# For partitions on a SCSI disk
+KERNEL=="sd*[0-9]", SUBSYSTEMS=="scsi", ENV{.ID_ZFCP_BUS}=="1", ENV{DEVTYPE}=="partition", SYMLINK+="disk/by-path/ccw-$attr{hba_id}-zfcp-$attr{wwpn}:$attr{fcp_lun}-part%n"
+
+LABEL="zfcp_scsi_device_end"
diff --git a/rules.d/meson.build b/rules.d/meson.build
index 5cecddb34f..c5c3590b29 100644
--- a/rules.d/meson.build
+++ b/rules.d/meson.build
@@ -5,6 +5,7 @@ install_data(
install_dir : udevrulesdir)
rules = files('''
+ 40-redhat.rules
60-autosuspend.rules
60-block.rules
60-cdrom_id.rules

53
SOURCES/0003-pid1-bump-DefaultTasksMax-to-80-of-the-kernel-pid.ma.patch Normal file
View File

@ -0,0 +1,53 @@
From b924c79720cc2bf2edf75fa3ff43bb4954fccf1f Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 1 Aug 2018 13:19:39 +0200
Subject: [PATCH] pid1: bump DefaultTasksMax to 80% of the kernel pid.max value
This should be hopefully high enough even for the very big deployments.
Resolves: #1523236
---
man/systemd-system.conf.xml | 2 +-
src/basic/cgroup-util.h | 2 +-
src/core/system.conf.in | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/man/systemd-system.conf.xml b/man/systemd-system.conf.xml
index a914ef2523..085086200a 100644
--- a/man/systemd-system.conf.xml
+++ b/man/systemd-system.conf.xml
@@ -339,7 +339,7 @@
<listitem><para>Configure the default value for the per-unit <varname>TasksMax=</varname> setting. See
<citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>
for details. This setting applies to all unit types that support resource control settings, with the exception
- of slice units. Defaults to 15%, which equals 4915 with the kernel's defaults on the host, but might be smaller
+ of slice units. Defaults to 80%, which equals 26214 with the kernel's defaults on the host, but might be smaller
in OS containers.</para></listitem>
</varlistentry>
diff --git a/src/basic/cgroup-util.h b/src/basic/cgroup-util.h
index 1a28a8163a..f10c26ad51 100644
--- a/src/basic/cgroup-util.h
+++ b/src/basic/cgroup-util.h
@@ -100,7 +100,7 @@ static inline bool CGROUP_BLKIO_WEIGHT_IS_OK(uint64_t x) {
}
/* Default resource limits */
-#define DEFAULT_TASKS_MAX_PERCENTAGE 15U /* 15% of PIDs, 4915 on default settings */
+#define DEFAULT_TASKS_MAX_PERCENTAGE 80U /* 80% of PIDs, 26214 on default settings */
#define DEFAULT_USER_TASKS_MAX_PERCENTAGE 33U /* 33% of PIDs, 10813 on default settings */
typedef enum CGroupUnified {
diff --git a/src/core/system.conf.in b/src/core/system.conf.in
index f0a59a79a5..653ec6b8c9 100644
--- a/src/core/system.conf.in
+++ b/src/core/system.conf.in
@@ -45,7 +45,7 @@
#DefaultBlockIOAccounting=no
#DefaultMemoryAccounting=@MEMORY_ACCOUNTING_DEFAULT@
#DefaultTasksAccounting=yes
-#DefaultTasksMax=15%
+#DefaultTasksMax=80%
#DefaultLimitCPU=
#DefaultLimitFSIZE=
#DefaultLimitDATA=

44
SOURCES/0004-Avoid-tmp-being-mounted-as-tmpfs-without-the-user-s-.patch
View File

@ -1,4 +1,4 @@
From c9ca30a1debbdf24ab6fcbe1aa1ec7ac5f222cb4 Mon Sep 17 00:00:00 2001
From f58c5ced373c2532b5cc44ba2e0c3a28b41472f2 Mon Sep 17 00:00:00 2001
From: Jan Synacek <jsynacek@redhat.com>
Date: Tue, 15 May 2018 09:24:20 +0200
Subject: [PATCH] Avoid /tmp being mounted as tmpfs without the user's will
@ -6,34 +6,40 @@ Subject: [PATCH] Avoid /tmp being mounted as tmpfs without the user's will
Ensure PrivateTmp doesn't require tmpfs through tmp.mount, but rather
adds an After relationship.
RHEL-only
rhel-only
Resolves: #1959826
Resolves: #1578772
---
src/core/unit.c | 7 +------
units/basic.target | 3 ++-
2 files changed, 3 insertions(+), 7 deletions(-)
src/core/unit.c | 12 ++++++------
units/basic.target | 3 ++-
2 files changed, 8 insertions(+), 7 deletions(-)
diff --git a/src/core/unit.c b/src/core/unit.c
index b1f1f5c82c..3a8251e2b8 100644
index 113205bf25..c9f756c9c7 100644
--- a/src/core/unit.c
+++ b/src/core/unit.c
@@ -1280,12 +1280,7 @@ int unit_add_exec_dependencies(Unit *u, ExecContext *c) {
}
@@ -982,13 +982,13 @@ int unit_add_exec_dependencies(Unit *u, ExecContext *c) {
return 0;
if (c->private_tmp) {
-
- /* FIXME: for now we make a special case for /tmp and add a weak dependency on
- * tmp.mount so /tmp being masked is supported. However there's no reason to treat
- * /tmp specifically and masking other mount units should be handled more
- * gracefully too, see PR#16894. */
- r = unit_add_two_dependencies_by_name(u, UNIT_AFTER, UNIT_WANTS, "tmp.mount", true, UNIT_DEPENDENCY_FILE);
+ r = unit_add_dependency_by_name(u, UNIT_AFTER, "tmp.mount", true, UNIT_DEPENDENCY_FILE);
if (r < 0)
return r;
- const char *p;
+ r = unit_add_dependency_by_name(u, UNIT_AFTER, "tmp.mount", NULL, true, UNIT_DEPENDENCY_FILE);
+ if (r < 0)
+ return r;
- FOREACH_STRING(p, "/tmp", "/var/tmp") {
- r = unit_require_mounts_for(u, p, UNIT_DEPENDENCY_FILE);
- if (r < 0)
- return r;
- }
+ r = unit_require_mounts_for(u, "/var/tmp", UNIT_DEPENDENCY_FILE);
+ if (r < 0)
+ return r;
r = unit_add_dependency_by_name(u, UNIT_AFTER, SPECIAL_TMPFILES_SETUP_SERVICE, NULL, true, UNIT_DEPENDENCY_FILE);
if (r < 0)
diff --git a/units/basic.target b/units/basic.target
index d8cdd5ac14..9eae0782a2 100644
index 4f44292249..8fc7c73ef2 100644
--- a/units/basic.target
+++ b/units/basic.target
@@ -19,4 +19,5 @@ After=sysinit.target sockets.target paths.target slices.target tmp.mount

35
SOURCES/0005-pid1-bump-maximum-number-of-process-in-user-slice-to.patch Normal file
View File

@ -0,0 +1,35 @@
From c7f77dfd2bfa593bfbbdf82eea8b600ca1b46f4c Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 1 Aug 2018 17:17:07 +0200
Subject: [PATCH] pid1: bump maximum number of process in user slice to 80% of
pid_max
Related: #1523236
---
src/basic/cgroup-util.h | 2 +-
units/user-.slice.d/10-defaults.conf | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/basic/cgroup-util.h b/src/basic/cgroup-util.h
index f10c26ad51..26e3ae0404 100644
--- a/src/basic/cgroup-util.h
+++ b/src/basic/cgroup-util.h
@@ -101,7 +101,7 @@ static inline bool CGROUP_BLKIO_WEIGHT_IS_OK(uint64_t x) {
/* Default resource limits */
#define DEFAULT_TASKS_MAX_PERCENTAGE 80U /* 80% of PIDs, 26214 on default settings */
-#define DEFAULT_USER_TASKS_MAX_PERCENTAGE 33U /* 33% of PIDs, 10813 on default settings */
+#define DEFAULT_USER_TASKS_MAX_PERCENTAGE 80U /* 80% of PIDs, 26214 on default settings */
typedef enum CGroupUnified {
CGROUP_UNIFIED_UNKNOWN = -1,
diff --git a/units/user-.slice.d/10-defaults.conf b/units/user-.slice.d/10-defaults.conf
index 95ab11b30b..efc9d37c8e 100644
--- a/units/user-.slice.d/10-defaults.conf
+++ b/units/user-.slice.d/10-defaults.conf
@@ -12,4 +12,4 @@ Description=User Slice of UID %j
After=systemd-user-sessions.service
[Slice]
-TasksMax=33%
+TasksMax=80%

38
SOURCES/0005-unit-don-t-add-Requires-for-tmp.mount.patch
View File

@ -1,38 +0,0 @@
From ba6b7f1b4409b337b5b4ffc47259ad5c43c436c4 Mon Sep 17 00:00:00 2001
From: Lukas Nykryn <lnykryn@redhat.com>
Date: Mon, 5 Sep 2016 12:47:09 +0200
Subject: [PATCH] unit: don't add Requires for tmp.mount
rhel-only
Resolves: #1619292
---
src/core/mount.c | 2 +-
src/core/unit.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/core/mount.c b/src/core/mount.c
index 0170406351..4d407ca4e5 100644
--- a/src/core/mount.c
+++ b/src/core/mount.c
@@ -335,7 +335,7 @@ static int mount_add_mount_dependencies(Mount *m) {
if (r < 0)
return r;
- if (UNIT(m)->fragment_path) {
+ if (UNIT(m)->fragment_path && !streq(UNIT(m)->id, "tmp.mount")) {
/* If we have fragment configuration, then make this dependency required */
r = unit_add_dependency(other, UNIT_REQUIRES, UNIT(m), true, UNIT_DEPENDENCY_PATH);
if (r < 0)
diff --git a/src/core/unit.c b/src/core/unit.c
index 3a8251e2b8..d2adb447b6 100644
--- a/src/core/unit.c
+++ b/src/core/unit.c
@@ -1520,7 +1520,7 @@ static int unit_add_mount_dependencies(Unit *u) {
if (r < 0)
return r;
- if (m->fragment_path) {
+ if (m->fragment_path && !streq(m->id, "tmp.mount")) {
r = unit_add_dependency(u, UNIT_REQUIRES, m, true, di.origin_mask);
if (r < 0)
return r;

33
SOURCES/0006-rules-automatically-online-hot-plugged-CPUs.patch Normal file
View File

@ -0,0 +1,33 @@
From 787420ac2ba9c404e13db08601946bde263523f8 Mon Sep 17 00:00:00 2001
From: Michal Sekletar <msekleta@redhat.com>
Date: Mon, 22 Sep 2014 07:41:06 +0200
Subject: [PATCH] rules: automatically online hot-plugged CPUs
Related: #1523227
---
rules/40-redhat.rules | 3 +++
rules/meson.build | 1 +
2 files changed, 4 insertions(+)
create mode 100644 rules/40-redhat.rules
diff --git a/rules/40-redhat.rules b/rules/40-redhat.rules
new file mode 100644
index 0000000000..2b494e57cf
--- /dev/null
+++ b/rules/40-redhat.rules
@@ -0,0 +1,3 @@
+# do not edit this file, it will be overwritten on update
+
+SUBSYSTEM=="cpu", ACTION=="add", TEST=="online", ATTR{online}=="0", ATTR{online}="1"
diff --git a/rules/meson.build b/rules/meson.build
index b6a32ba77e..e7e4362c0c 100644
--- a/rules/meson.build
+++ b/rules/meson.build
@@ -1,6 +1,7 @@
# SPDX-License-Identifier: LGPL-2.1+
rules = files('''
+ 40-redhat.rules
60-block.rules
60-cdrom_id.rules
60-drm.rules

37
SOURCES/0007-rules-add-rule-for-naming-Dell-iDRAC-USB-Virtual-NIC.patch Normal file
View File

@ -0,0 +1,37 @@
From 2991b22f5f40a66ad1cc088e502e7f40ae1806c2 Mon Sep 17 00:00:00 2001
From: Michal Sekletar <msekleta@redhat.com>
Date: Mon, 22 Sep 2014 07:53:52 +0200
Subject: [PATCH] rules: add rule for naming Dell iDRAC USB Virtual NIC as
'idrac'
Related: #1523227
---
rules/73-idrac.rules | 6 ++++++
rules/meson.build | 1 +
2 files changed, 7 insertions(+)
create mode 100644 rules/73-idrac.rules
diff --git a/rules/73-idrac.rules b/rules/73-idrac.rules
new file mode 100644
index 0000000000..d67fc425b1
--- /dev/null
+++ b/rules/73-idrac.rules
@@ -0,0 +1,6 @@
+# do not edit this file, it will be overwritten on update
+
+# On Dell PowerEdge systems, the iDRAC7 and later support a USB Virtual NIC
+# with terminates in the iDRAC. Help identify this with 'idrac'
+
+ACTION=="add", SUBSYSTEM=="net", SUBSYSTEMS=="usb", ATTRS{idVendor}=="413c", ATTRS{idProduct}=="a102", NAME="idrac"
diff --git a/rules/meson.build b/rules/meson.build
index e7e4362c0c..e04a18aca6 100644
--- a/rules/meson.build
+++ b/rules/meson.build
@@ -17,6 +17,7 @@ rules = files('''
70-joystick.rules
70-mouse.rules
70-touchpad.rules
+ 73-idrac.rules
75-net-description.rules
75-probe_mtd.rules
78-sound-card.rules

298
SOURCES/0008-ci-drop-CIs-irrelevant-for-downstream.patch
View File

@ -1,298 +0,0 @@
From b9c7cd794733257a17b2eb9eadc716007e509ca9 Mon Sep 17 00:00:00 2001
From: Frantisek Sumsal <frantisek@sumsal.cz>
Date: Sun, 18 Apr 2021 20:46:06 +0200
Subject: [PATCH] ci: drop CIs irrelevant for downstream
* CIFuzz would need a separate project in oss-fuzz
* Coverity would also need a separate project
* the Labeler action is superfluous, since we already have a bot for
that
* mkosi testing on other distros is irrelevant for downstream RHEL
repo
Resolves: #1960703
rhel-only
---
.github/labeler.yml | 40 -----------------
.github/workflows/cifuzz.yml | 55 -----------------------
.github/workflows/coverity.yml | 43 ------------------
.github/workflows/labeler.yml | 23 ----------
.github/workflows/mkosi.yml | 80 ----------------------------------
5 files changed, 241 deletions(-)
delete mode 100644 .github/labeler.yml
delete mode 100644 .github/workflows/cifuzz.yml
delete mode 100644 .github/workflows/coverity.yml
delete mode 100644 .github/workflows/labeler.yml
delete mode 100644 .github/workflows/mkosi.yml
diff --git a/.github/labeler.yml b/.github/labeler.yml
deleted file mode 100644
index 7d128f42d6..0000000000
--- a/.github/labeler.yml
+++ /dev/null
@@ -1,40 +0,0 @@
-# SPDX-License-Identifier: LGPL-2.1-or-later
-
-hwdb:
- - hwdb.d/**/*
-units:
- - units/**/*
-documentation:
- - NEWS
- - docs/*
-network:
- - src/libsystemd-network/**/*
- - src/network/**/*
-udev:
- - src/udev/**/*
- - src/libudev/*
-selinux:
- - '**/*selinux*'
-apparmor:
- - '**/*apparmor*'
-meson:
- - meson_option.txt
-mkosi:
- - .mkosi/*
- - mkosi.build
-busctl:
- - src/busctl/*
-systemctl:
- - src/systemctl/*
-journal:
- - src/journal/*
-journal-remote:
- - src/journal-remote/*
-portable:
- - src/portable/**/*
-resolve:
- - src/resolve/*
-timedate:
- - src/timedate/*
-timesync:
- - src/timesync/*
diff --git a/.github/workflows/cifuzz.yml b/.github/workflows/cifuzz.yml
deleted file mode 100644
index 11ea788a47..0000000000
--- a/.github/workflows/cifuzz.yml
+++ /dev/null
@@ -1,55 +0,0 @@
----
-# vi: ts=2 sw=2 et:
-# SPDX-License-Identifier: LGPL-2.1-or-later
-# See: https://google.github.io/oss-fuzz/getting-started/continuous-integration/
-
-name: CIFuzz
-
-permissions:
- contents: read
-
-on:
- pull_request:
- paths:
- - '**/meson.build'
- - '.github/workflows/**'
- - 'meson_options.txt'
- - 'src/**'
- - 'test/fuzz/**'
- - 'tools/oss-fuzz.sh'
- push:
- branches:
- - main
-jobs:
- Fuzzing:
- runs-on: ubuntu-latest
- if: github.repository == 'systemd/systemd'
- concurrency:
- group: ${{ github.workflow }}-${{ matrix.sanitizer }}-${{ github.ref }}
- cancel-in-progress: true
- strategy:
- fail-fast: false
- matrix:
- sanitizer: [address, undefined, memory]
- steps:
- - name: Build Fuzzers (${{ matrix.sanitizer }})
- id: build
- uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master
- with:
- oss-fuzz-project-name: 'systemd'
- dry-run: false
- allowed-broken-targets-percentage: 0
- sanitizer: ${{ matrix.sanitizer }}
- - name: Run Fuzzers (${{ matrix.sanitizer }})
- uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@master
- with:
- oss-fuzz-project-name: 'systemd'
- fuzz-seconds: 600
- dry-run: false
- sanitizer: ${{ matrix.sanitizer }}
- - name: Upload Crash
- uses: actions/upload-artifact@82c141cc518b40d92cc801eee768e7aafc9c2fa2
- if: failure() && steps.build.outcome == 'success'
- with:
- name: ${{ matrix.sanitizer }}-artifacts
- path: ./out/artifacts
diff --git a/.github/workflows/coverity.yml b/.github/workflows/coverity.yml
deleted file mode 100644
index a164d16fbf..0000000000
--- a/.github/workflows/coverity.yml
+++ /dev/null
@@ -1,43 +0,0 @@
----
-# vi: ts=2 sw=2 et:
-# SPDX-License-Identifier: LGPL-2.1-or-later
-#
-name: Coverity
-
-on:
- schedule:
- # Run Coverity daily at midnight
- - cron: '0 0 * * *'
-
-permissions:
- contents: read
-
-jobs:
- build:
- runs-on: ubuntu-20.04
- if: github.repository == 'systemd/systemd'
- env:
- COVERITY_SCAN_BRANCH_PATTERN: "${{ github.ref}}"
- COVERITY_SCAN_NOTIFICATION_EMAIL: ""
- COVERITY_SCAN_PROJECT_NAME: "${{ github.repository }}"
- # Set in repo settings -> secrets -> repository secrets
- COVERITY_SCAN_TOKEN: "${{ secrets.COVERITY_SCAN_TOKEN }}"
- CURRENT_REF: "${{ github.ref }}"
- steps:
- - name: Repository checkout
- uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579
- # https://docs.github.com/en/free-pro-team@latest/actions/reference/workflow-commands-for-github-actions#setting-an-environment-variable
- - name: Set the $COVERITY_SCAN_NOTIFICATION_EMAIL env variable
- run: echo "COVERITY_SCAN_NOTIFICATION_EMAIL=$(git log -1 ${{ github.sha }} --pretty=\"%aE\")" >> $GITHUB_ENV
- - name: Install Coverity tools
- run: tools/get-coverity.sh
- # Reuse the setup phase of the unit test script to avoid code duplication
- - name: Install build dependencies
- run: sudo -E .github/workflows/unit_tests.sh SETUP
- # Preconfigure with meson to prevent Coverity from capturing meson metadata
- - name: Preconfigure the build directory
- run: meson cov-build -Dman=false
- - name: Build
- run: tools/coverity.sh build
- - name: Upload the results
- run: tools/coverity.sh upload
diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
deleted file mode 100644
index 34d9d63d42..0000000000
--- a/.github/workflows/labeler.yml
+++ /dev/null
@@ -1,23 +0,0 @@
----
-# vi: ts=2 sw=2 et:
-# SPDX-License-Identifier: LGPL-2.1-or-later
-#
-name: "Pull Request Labeler"
-
-on:
-- pull_request_target
-
-permissions:
- contents: read
-
-jobs:
- triage:
- runs-on: ubuntu-latest
- permissions:
- pull-requests: write
- steps:
- - uses: actions/labeler@69da01b8e0929f147b8943611bee75ee4175a49e
- with:
- repo-token: "${{ secrets.GITHUB_TOKEN }}"
- configuration-path: .github/labeler.yml
- sync-labels: "" # This is a workaround for issue 18671
diff --git a/.github/workflows/mkosi.yml b/.github/workflows/mkosi.yml
deleted file mode 100644
index 8fd6c72e26..0000000000
--- a/.github/workflows/mkosi.yml
+++ /dev/null
@@ -1,80 +0,0 @@
----
-# vi: ts=2 sw=2 et:
-# SPDX-License-Identifier: LGPL-2.1-or-later
-# Simple boot tests that build and boot the mkosi images generated by the mkosi config files in mkosi.default.d/.
-name: mkosi
-
-on:
- push:
- branches:
- - main
- - v[0-9]+-stable
- pull_request:
- branches:
- - main
- - v[0-9]+-stable
-
-permissions:
- contents: read
-
-env:
- # Enable debug logging in systemd, but keep udev's log level to info,
- # since it's _very_ verbose in the QEMU task
- KERNEL_CMDLINE: "systemd.unit=mkosi-check-and-shutdown.service !quiet systemd.log_level=debug systemd.log_target=console udev.log_level=info systemd.default_standard_output=journal+console"
-
-jobs:
- ci:
- runs-on: ubuntu-20.04
- concurrency:
- group: ${{ github.workflow }}-${{ matrix.distro }}-${{ github.ref }}
- cancel-in-progress: true
- strategy:
- fail-fast: false
- matrix:
- distro:
- - arch
- - debian
- - ubuntu
- - fedora
- - opensuse
-
- steps:
- - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579
- - uses: systemd/mkosi@4d64fc8134f93d87ac584183e7762ac1d0efa0e5
-
- - name: Install
- run: sudo apt-get update && sudo apt-get install --no-install-recommends python3-pexpect python3-jinja2
-
- - name: Configure
- run: echo -e "[Distribution]\nDistribution=${{ matrix.distro }}\n" >mkosi.default
-
- # Ubuntu's systemd-nspawn doesn't support faccessat2() syscall, which is
- # required, since current Arch's glibc implements faccessat() via faccessat2().
- - name: Update systemd-nspawn
- if: ${{ matrix.distro == 'arch' }}
- run: |
- echo "deb-src http://archive.ubuntu.com/ubuntu/ $(lsb_release -cs) main restricted universe multiverse" | sudo tee -a /etc/apt/sources.list
- sudo apt update
- sudo apt build-dep systemd
- meson build
- ninja -C build
- sudo ln -svf $PWD/build/systemd-nspawn `which systemd-nspawn`
- systemd-nspawn --version
-
- - name: Build ${{ matrix.distro }}
- run: ./.github/workflows/run_mkosi.sh --build-environment=CI_BUILD=1 --kernel-command-line "${{ env.KERNEL_CMDLINE }}" build
-
- - name: Show ${{ matrix.distro }} image summary
- run: ./.github/workflows/run_mkosi.sh summary
-
- - name: Boot ${{ matrix.distro }} systemd-nspawn
- run: ./.github/workflows/run_mkosi.sh boot ${{ env.KERNEL_CMDLINE }}
-
- - name: Check ${{ matrix.distro }} systemd-nspawn
- run: ./.github/workflows/run_mkosi.sh shell bash -c "[[ -e /testok ]] || { cat /failed-services; exit 1; }"
-
- - name: Boot ${{ matrix.distro }} QEMU
- run: ./.github/workflows/run_mkosi.sh qemu
-
- - name: Check ${{ matrix.distro }} QEMU
- run: ./.github/workflows/run_mkosi.sh shell bash -c "[[ -e /testok ]] || { cat /failed-services; exit 1; }"

22
SOURCES/0008-rules-enable-memory-hotplug.patch Normal file
View File

@ -0,0 +1,22 @@
From d5215083fa1d10f1624ab2f0fb5ba420a2594938 Mon Sep 17 00:00:00 2001
From: Lukas Nykryn <lnykryn@redhat.com>
Date: Wed, 13 May 2015 16:56:44 +0200
Subject: [PATCH] rules: enable memory hotplug
Related: #1523227
---
rules/40-redhat.rules | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/rules/40-redhat.rules b/rules/40-redhat.rules
index 2b494e57cf..8231caae98 100644
--- a/rules/40-redhat.rules
+++ b/rules/40-redhat.rules
@@ -1,3 +1,7 @@
# do not edit this file, it will be overwritten on update
+# CPU hotadd request
SUBSYSTEM=="cpu", ACTION=="add", TEST=="online", ATTR{online}=="0", ATTR{online}="1"
+
+# Memory hotadd request
+SUBSYSTEM=="memory", ACTION=="add", ATTR{state}=="offline", ATTR{state}="online"

61
SOURCES/0009-ci-reconfigure-Packit-for-RHEL-9.patch
View File

@ -1,61 +0,0 @@
From d931821a263e34805f825cf12a0a0fcde9beda99 Mon Sep 17 00:00:00 2001
From: Frantisek Sumsal <frantisek@sumsal.cz>
Date: Wed, 9 Jun 2021 15:23:59 +0200
Subject: [PATCH] ci: reconfigure Packit for RHEL 9
Resolves: #1960703
rhel-only
---
.packit.yml | 28 ++++++++++++++++++----------
1 file changed, 18 insertions(+), 10 deletions(-)
diff --git a/.packit.yml b/.packit.yml
index 962c77913e..3461bccbc5 100644
--- a/.packit.yml
+++ b/.packit.yml
@@ -16,14 +16,12 @@ upstream_tag_template: "v{version}"
actions:
post-upstream-clone:
- # Use the Fedora Rawhide specfile
- - "git clone https://src.fedoraproject.org/rpms/systemd .packit_rpm --depth=1"
+ # Use the CentOS Stream specfile
+ - "git clone https://gitlab.com/redhat/centos-stream/rpms/systemd.git .packit_rpm --depth=1"
# Drop the "sources" file so rebase-helper doesn't think we're a dist-git
- "rm -fv .packit_rpm/sources"
- # Drop backported patches from the specfile, but keep the downstream-only ones
- # - Patch0000-0499: backported patches from upstream
- # - Patch0500-9999: downstream-only patches
- - "sed -ri '/^Patch0[0-4]?[0-9]{0,2}\\:.+\\.patch/d' .packit_rpm/systemd.spec"
+ # Drop all patches, since they're already included in the tarball
+ - "sed -ri '/^Patch[0-9]+:/d' .packit_rpm/systemd.spec"
# Build the RPM with --werror. Even though --werror doesn't work in all
# cases (see [0]), we can't use -Dc_args=/-Dcpp_args= here because of the
# RPM hardening macros, that use $CFLAGS/$CPPFLAGS (see [1]).
@@ -32,12 +30,22 @@ actions:
# [1] https://github.com/systemd/systemd/pull/18908#issuecomment-792250110
- 'sed -i "/^CONFIGURE_OPTS=(/a--werror" .packit_rpm/systemd.spec'
+# Available targets can be listed via `copr-cli list-chroots`
jobs:
+# Build test
- job: copr_build
trigger: pull_request
metadata:
targets:
- - fedora-rawhide-aarch64
- - fedora-rawhide-i386
- - fedora-rawhide-ppc64le
- - fedora-rawhide-x86_64
+ # FIXME: change to CentOS 9 once it's available
+ - fedora-34-x86_64
+ - fedora-34-aarch64
+
+# TODO: can't use TFT yet due to https://pagure.io/fedora-ci/general/issue/184
+# Run tests (via testing farm)
+#- job: tests
+# trigger: pull_request
+# metadata:
+# targets:
+# # FIXME: change to CentOS 9 once it's available
+# - fedora-34-x86_64

22
SOURCES/0009-rules-reload-sysctl-settings-when-the-bridge-module-.patch Normal file
View File

@ -0,0 +1,22 @@
From 4a7602e27a50828ac8a0eb6b83a1c2c722af652d Mon Sep 17 00:00:00 2001
From: Lukas Nykryn <lnykryn@redhat.com>
Date: Wed, 13 May 2015 17:11:48 +0200
Subject: [PATCH] rules: reload sysctl settings when the bridge module is
loaded
Related: #1523227
---
rules/40-redhat.rules | 3 +++
1 file changed, 3 insertions(+)
diff --git a/rules/40-redhat.rules b/rules/40-redhat.rules
index 8231caae98..556a3a3a90 100644
--- a/rules/40-redhat.rules
+++ b/rules/40-redhat.rules
@@ -5,3 +5,6 @@ SUBSYSTEM=="cpu", ACTION=="add", TEST=="online", ATTR{online}=="0", ATTR{online}
# Memory hotadd request
SUBSYSTEM=="memory", ACTION=="add", ATTR{state}=="offline", ATTR{state}="online"
+
+# reload sysctl.conf / sysctl.conf.d settings when the bridge module is loaded
+ACTION=="add", SUBSYSTEM=="module", KERNEL=="bridge", RUN+="/usr/lib/systemd/systemd-sysctl --prefix=/proc/sys/net/bridge"

28
SOURCES/0010-ci-run-unit-tests-on-z-stream-branches-as-well.patch
View File

@ -1,28 +0,0 @@
From 785b53d7b16c6c56638029e8b4f59c436f1394b8 Mon Sep 17 00:00:00 2001
From: Frantisek Sumsal <frantisek@sumsal.cz>
Date: Thu, 15 Jul 2021 12:23:27 +0200
Subject: [PATCH] ci: run unit tests on z-stream branches as well
Resolves: #1960703
rhel-only
---
.github/workflows/unit_tests.yml | 6 +-----
1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/.github/workflows/unit_tests.yml b/.github/workflows/unit_tests.yml
index d4a4f3c723..2afde5d59d 100644
--- a/.github/workflows/unit_tests.yml
+++ b/.github/workflows/unit_tests.yml
@@ -3,11 +3,7 @@
# SPDX-License-Identifier: LGPL-2.1-or-later
#
name: Unit tests
-on:
- pull_request:
- branches:
- - main
- - v[0-9]+-stable
+on: [pull_request]
permissions:
contents: read

21
SOURCES/0010-rules-load-sg-module.patch Normal file
View File

@ -0,0 +1,21 @@
From a42b57dc8b265f183a8fb6fe9ae32a9d77cbb7c5 Mon Sep 17 00:00:00 2001
From: Lukas Nykryn <lnykryn@redhat.com>
Date: Wed, 20 May 2015 12:34:18 +0200
Subject: [PATCH] rules: load sg module
Related: #1523227
---
rules/40-redhat.rules | 3 +++
1 file changed, 3 insertions(+)
diff --git a/rules/40-redhat.rules b/rules/40-redhat.rules
index 556a3a3a90..305e752285 100644
--- a/rules/40-redhat.rules
+++ b/rules/40-redhat.rules
@@ -8,3 +8,6 @@ SUBSYSTEM=="memory", ACTION=="add", ATTR{state}=="offline", ATTR{state}="online"
# reload sysctl.conf / sysctl.conf.d settings when the bridge module is loaded
ACTION=="add", SUBSYSTEM=="module", KERNEL=="bridge", RUN+="/usr/lib/systemd/systemd-sysctl --prefix=/proc/sys/net/bridge"
+
+# load SCSI generic (sg) driver
+SUBSYSTEM=="scsi", ENV{DEVTYPE}=="scsi_device", TEST!="[module/sg]", RUN+="/sbin/modprobe -bv sg"

25
SOURCES/0011-random-util-increase-random-seed-size-to-1024.patch
View File

@ -1,25 +0,0 @@
From c1555a7d38235cca32492c4606e30028dc008b35 Mon Sep 17 00:00:00 2001
From: David Tardon <dtardon@redhat.com>
Date: Thu, 15 Jul 2021 11:15:17 +0200
Subject: [PATCH] random-util: increase random seed size to 1024
RHEL-only
Resolves: #1982603
---
src/basic/random-util.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/basic/random-util.h b/src/basic/random-util.h
index e6528ddc7f..fda78552f6 100644
--- a/src/basic/random-util.h
+++ b/src/basic/random-util.h
@@ -34,7 +34,7 @@ static inline uint32_t random_u32(void) {
int rdrand(unsigned long *ret);
/* Some limits on the pool sizes when we deal with the kernel random pool */
-#define RANDOM_POOL_SIZE_MIN 512U
+#define RANDOM_POOL_SIZE_MIN 1024U
#define RANDOM_POOL_SIZE_MAX (10U*1024U*1024U)
size_t random_pool_size(void);

21
SOURCES/0011-rules-prandom-character-device-node-permissions.patch Normal file
View File

@ -0,0 +1,21 @@
From 21c96c3781f473cdbfe7acdb1affba75b50081f1 Mon Sep 17 00:00:00 2001
From: Lukas Nykryn <lnykryn@redhat.com>
Date: Tue, 22 Sep 2015 12:28:28 +0200
Subject: [PATCH] rules: prandom character device node permissions
Related: #1523227
---
rules/40-redhat.rules | 3 +++
1 file changed, 3 insertions(+)
diff --git a/rules/40-redhat.rules b/rules/40-redhat.rules
index 305e752285..9a48adde19 100644
--- a/rules/40-redhat.rules
+++ b/rules/40-redhat.rules
@@ -11,3 +11,6 @@ ACTION=="add", SUBSYSTEM=="module", KERNEL=="bridge", RUN+="/usr/lib/systemd/sys
# load SCSI generic (sg) driver
SUBSYSTEM=="scsi", ENV{DEVTYPE}=="scsi_device", TEST!="[module/sg]", RUN+="/sbin/modprobe -bv sg"
+
+# Rule for prandom character device node permissions
+KERNEL=="prandom", MODE="0644"

22
SOURCES/0012-rules-load-sg-driver-also-when-scsi_target-appears-4.patch Normal file
View File

@ -0,0 +1,22 @@
From fab2dff96f59e0851884b4ef32dccab763f5eef1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Luk=C3=A1=C5=A1=20Nykr=C3=BDn?= <lnykryn@redhat.com>
Date: Thu, 18 Aug 2016 14:51:19 +0200
Subject: [PATCH] rules: load sg driver also when scsi_target appears (#45)
Related: #1523227
---
rules/40-redhat.rules | 1 +
1 file changed, 1 insertion(+)
diff --git a/rules/40-redhat.rules b/rules/40-redhat.rules
index 9a48adde19..3335fe5075 100644
--- a/rules/40-redhat.rules
+++ b/rules/40-redhat.rules
@@ -11,6 +11,7 @@ ACTION=="add", SUBSYSTEM=="module", KERNEL=="bridge", RUN+="/usr/lib/systemd/sys
# load SCSI generic (sg) driver
SUBSYSTEM=="scsi", ENV{DEVTYPE}=="scsi_device", TEST!="[module/sg]", RUN+="/sbin/modprobe -bv sg"
+SUBSYSTEM=="scsi", ENV{DEVTYPE}=="scsi_target", TEST!="[module/sg]", RUN+="/sbin/modprobe -bv sg"
# Rule for prandom character device node permissions
KERNEL=="prandom", MODE="0644"

22
SOURCES/0013-journald.conf-don-t-touch-current-audit-settings.patch
View File

@ -1,22 +0,0 @@
From 56d9b62ce456e8c0e520bda3447db38864983173 Mon Sep 17 00:00:00 2001
From: David Tardon <dtardon@redhat.com>
Date: Thu, 5 Aug 2021 15:26:13 +0200
Subject: [PATCH] journald.conf: don't touch current audit settings
RHEL-only
Related: #1973856
---
src/journal/journald.conf | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/journal/journald.conf b/src/journal/journald.conf
index 5a60a9d39c..3544da2112 100644
--- a/src/journal/journald.conf
+++ b/src/journal/journald.conf
@@ -44,4 +44,4 @@
#MaxLevelWall=emerg
#LineMax=48K
#ReadKMsg=yes
-#Audit=yes
+Audit=

23
SOURCES/0013-rules-don-t-hoplug-memory-on-s390x.patch Normal file
View File

@ -0,0 +1,23 @@
From fd091394e52cd652ff5163735b2a91a8c0efe415 Mon Sep 17 00:00:00 2001
From: Lukas Nykryn <lnykryn@redhat.com>
Date: Tue, 13 Sep 2016 13:18:38 +0200
Subject: [PATCH] rules: don't hoplug memory on s390x
Related: #1523227
---
rules/40-redhat.rules | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/40-redhat.rules b/rules/40-redhat.rules
index 3335fe5075..4c56950dab 100644
--- a/rules/40-redhat.rules
+++ b/rules/40-redhat.rules
@@ -4,7 +4,7 @@
SUBSYSTEM=="cpu", ACTION=="add", TEST=="online", ATTR{online}=="0", ATTR{online}="1"
# Memory hotadd request
-SUBSYSTEM=="memory", ACTION=="add", ATTR{state}=="offline", ATTR{state}="online"
+SUBSYSTEM=="memory", ACTION=="add", PROGRAM="/usr/bin/systemd-detect-virt", RESULT!="zvm", ATTR{state}=="offline", ATTR{state}="online"
# reload sysctl.conf / sysctl.conf.d settings when the bridge module is loaded
ACTION=="add", SUBSYSTEM=="module", KERNEL=="bridge", RUN+="/usr/lib/systemd/systemd-sysctl --prefix=/proc/sys/net/bridge"

137
SOURCES/0014-Revert-udev-remove-WAIT_FOR-key.patch
View File

@ -1,137 +0,0 @@
From 2843766767452a69dade1ef8ab2d1d3e5e68a1d3 Mon Sep 17 00:00:00 2001
From: David Tardon <dtardon@redhat.com>
Date: Tue, 10 Aug 2021 14:46:16 +0200
Subject: [PATCH] Revert "udev: remove WAIT_FOR key"
This reverts commit f2b8052fb648b788936dd3e85be6a9aca90fbb2f.
RHEL-only
Resolves: #1982666
---
man/udev.xml | 9 +++++++
src/udev/udev-rules.c | 56 +++++++++++++++++++++++++++++++++++++++
test/rule-syntax-check.py | 2 +-
3 files changed, 66 insertions(+), 1 deletion(-)
diff --git a/man/udev.xml b/man/udev.xml
index f6ea2abc12..ce96e201e4 100644
--- a/man/udev.xml
+++ b/man/udev.xml
@@ -592,6 +592,15 @@
</listitem>
</varlistentry>
+ <varlistentry>
+ <term><varname>WAIT_FOR</varname></term>
+ <listitem>
+ <para>Wait for a file to become available or until a timeout of
+ 10 seconds expires. The path is relative to the sysfs device;
+ if no path is specified, this waits for an attribute to appear.</para>
+ </listitem>
+ </varlistentry>
+
<varlistentry>
<term><varname>OPTIONS</varname></term>
<listitem>
diff --git a/src/udev/udev-rules.c b/src/udev/udev-rules.c
index 1a384d6b38..243a792662 100644
--- a/src/udev/udev-rules.c
+++ b/src/udev/udev-rules.c
@@ -79,6 +79,7 @@ typedef enum {
TK_M_TAG, /* strv, sd_device_get_tag_first(), sd_device_get_tag_next() */
TK_M_SUBSYSTEM, /* string, sd_device_get_subsystem() */
TK_M_DRIVER, /* string, sd_device_get_driver() */
+ TK_M_WAITFOR,
TK_M_ATTR, /* string, takes filename through attribute, sd_device_get_sysattr_value(), udev_resolve_subsys_kernel(), etc. */
TK_M_SYSCTL, /* string, takes kernel parameter through attribute */
@@ -416,6 +417,47 @@ static void rule_line_append_token(UdevRuleLine *rule_line, UdevRuleToken *token
rule_line->current_token = token;
}
+#define WAIT_LOOP_PER_SECOND 50
+static int wait_for_file(sd_device *dev, const char *file, int timeout) {
+ char filepath[UDEV_PATH_SIZE];
+ char devicepath[UDEV_PATH_SIZE];
+ struct stat stats;
+ int loop = timeout * WAIT_LOOP_PER_SECOND;
+
+ /* a relative path is a device attribute */
+ devicepath[0] = '\0';
+ if (file[0] != '/') {
+ const char *val;
+ int r;
+
+ r = sd_device_get_syspath(dev, &val);
+ if (r < 0)
+ return r;
+ strscpyl(devicepath, sizeof(devicepath), val, NULL);
+ strscpyl(filepath, sizeof(filepath), devicepath, "/", file, NULL);
+ file = filepath;
+ }
+
+ while (--loop) {
+ const struct timespec duration = { 0, 1000 * 1000 * 1000 / WAIT_LOOP_PER_SECOND };
+
+ /* lookup file */
+ if (stat(file, &stats) == 0) {
+ log_debug("file '%s' appeared after %i loops", file, (timeout * WAIT_LOOP_PER_SECOND) - loop-1);
+ return 0;
+ }
+ /* make sure, the device did not disappear in the meantime */
+ if (devicepath[0] != '\0' && stat(devicepath, &stats) != 0) {
+ log_debug("device disappeared while waiting for '%s'", file);
+ return -2;
+ }
+ log_debug("wait for '%s' for %i mseconds", file, 1000 / WAIT_LOOP_PER_SECOND);
+ nanosleep(&duration, NULL);
+ }
+ log_debug("waiting for '%s' failed", file);
+ return -1;
+}
+
static int rule_line_add_token(UdevRuleLine *rule_line, UdevRuleTokenType type, UdevRuleOperatorType op, char *value, void *data) {
UdevRuleToken *token;
UdevRuleMatchType match_type = _MATCH_TYPE_INVALID;
@@ -958,6 +1000,12 @@ static int parse_token(UdevRules *rules, const char *key, char *attr, UdevRuleOp
r = rule_line_add_token(rule_line, TK_A_RUN_BUILTIN, op, value, UDEV_BUILTIN_CMD_TO_PTR(cmd));
} else
return log_token_invalid_attr(rules, key);
+ } else if (streq(key, "WAIT_FOR") || streq(key, "WAIT_FOR_SYSFS")) {
+ if (op == OP_REMOVE)
+ return log_token_invalid_op(rules, key);
+
+ rule_line_add_token(rule_line, TK_M_WAITFOR, 0, value, NULL);
+ return 1;
} else if (streq(key, "GOTO")) {
if (attr)
return log_token_invalid_attr(rules, key);
@@ -1643,6 +1691,14 @@ static int udev_rule_apply_token_to_event(
return token_match_string(token, val);
}
+ case TK_M_WAITFOR: {
+ char filename[UDEV_PATH_SIZE];
+ int found;
+
+ udev_event_apply_format(event, token->value, filename, sizeof(filename), false);
+ found = (wait_for_file(event->dev, filename, 10) == 0);
+ return found || (token->op == OP_NOMATCH);
+ }
case TK_M_ATTR:
case TK_M_PARENTS_ATTR:
return token_match_attr(token, dev, event);
diff --git a/test/rule-syntax-check.py b/test/rule-syntax-check.py
index 9a9e4d1658..0649bcf58e 100755
--- a/test/rule-syntax-check.py
+++ b/test/rule-syntax-check.py
@@ -20,7 +20,7 @@ no_args_tests = re.compile(r'(ACTION|DEVPATH|KERNELS?|NAME|SYMLINK|SUBSYSTEMS?|D
# PROGRAM can also be specified as an assignment.
program_assign = re.compile(r'PROGRAM\s*=\s*' + quoted_string_re + '$')
args_tests = re.compile(r'(ATTRS?|ENV|CONST|TEST){([a-zA-Z0-9/_.*%-]+)}\s*(?:=|!)=\s*' + quoted_string_re + '$')
-no_args_assign = re.compile(r'(NAME|SYMLINK|OWNER|GROUP|MODE|TAG|RUN|LABEL|GOTO|OPTIONS|IMPORT)\s*(?:\+=|:=|=)\s*' + quoted_string_re + '$')
+no_args_assign = re.compile(r'(NAME|SYMLINK|OWNER|GROUP|MODE|TAG|RUN|LABEL|GOTO|WAIT_FOR|OPTIONS|IMPORT)\s*(?:\+=|:=|=)\s*' + quoted_string_re + '$')
args_assign = re.compile(r'(ATTR|ENV|IMPORT|RUN){([a-zA-Z0-9/_.*%-]+)}\s*(=|\+=)\s*' + quoted_string_re + '$')
# Find comma-separated groups, but allow commas that are inside quoted strings.
# Using quoted_string_re + '?' so that strings missing the last double quote

24
SOURCES/0014-rules-disable-auto-online-of-hot-plugged-memory-on-I.patch Normal file
View File

@ -0,0 +1,24 @@
From a0802638f02b964cb9d2d68bad009561b2bcc910 Mon Sep 17 00:00:00 2001
From: Michal Sekletar <msekleta@redhat.com>
Date: Fri, 16 Sep 2016 14:45:01 +0200
Subject: [PATCH] rules: disable auto-online of hot-plugged memory on IBM z
Systems
Related: #1523227
---
rules/40-redhat.rules | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/40-redhat.rules b/rules/40-redhat.rules
index 4c56950dab..c3df320234 100644
--- a/rules/40-redhat.rules
+++ b/rules/40-redhat.rules
@@ -4,7 +4,7 @@
SUBSYSTEM=="cpu", ACTION=="add", TEST=="online", ATTR{online}=="0", ATTR{online}="1"
# Memory hotadd request
-SUBSYSTEM=="memory", ACTION=="add", PROGRAM="/usr/bin/systemd-detect-virt", RESULT!="zvm", ATTR{state}=="offline", ATTR{state}="online"
+SUBSYSTEM=="memory", ACTION=="add", PROGRAM=="/bin/uname -p", RESULT!="s390*", ATTR{state}=="offline", ATTR{state}="online"
# reload sysctl.conf / sysctl.conf.d settings when the bridge module is loaded
ACTION=="add", SUBSYSTEM=="module", KERNEL=="bridge", RUN+="/usr/lib/systemd/systemd-sysctl --prefix=/proc/sys/net/bridge"

25
SOURCES/0015-Really-don-t-enable-systemd-journald-audit.socket.patch
View File

@ -1,25 +0,0 @@
From 9a0acc0b292d283b4507c6b749396c019af7e4ab Mon Sep 17 00:00:00 2001
From: David Tardon <dtardon@redhat.com>
Date: Wed, 25 Aug 2021 16:03:04 +0200
Subject: [PATCH] Really don't enable systemd-journald-audit.socket
RHEL-only
Resolves: #1973856
---
units/systemd-journald.service.in | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/units/systemd-journald.service.in b/units/systemd-journald.service.in
index d981273b07..f190dff5fb 100644
--- a/units/systemd-journald.service.in
+++ b/units/systemd-journald.service.in
@@ -33,7 +33,7 @@ RestrictRealtime=yes
RestrictSUIDSGID=yes
RuntimeDirectory=systemd/journal
RuntimeDirectoryPreserve=yes
-Sockets=systemd-journald.socket systemd-journald-dev-log.socket systemd-journald-audit.socket
+Sockets=systemd-journald.socket systemd-journald-dev-log.socket
StandardOutput=null
SystemCallArchitectures=native
SystemCallErrorNumber=EPERM

39
SOURCES/0015-rules-introduce-old-style-by-path-symlinks-for-FCP-b.patch Normal file
View File

@ -0,0 +1,39 @@
From 0c5b8096cb23701f8048dba33a38e1b55249cab3 Mon Sep 17 00:00:00 2001
From: Michal Sekletar <msekleta@redhat.com>
Date: Wed, 28 Mar 2018 17:22:30 +0200
Subject: [PATCH] rules: introduce old-style by-path symlinks for FCP based
SCSI devices
Related: #1523227
---
rules/40-redhat.rules | 20 ++++++++++++++++++++
1 file changed, 20 insertions(+)
diff --git a/rules/40-redhat.rules b/rules/40-redhat.rules
index c3df320234..8ac96933c3 100644
--- a/rules/40-redhat.rules
+++ b/rules/40-redhat.rules
@@ -15,3 +15,23 @@ SUBSYSTEM=="scsi", ENV{DEVTYPE}=="scsi_target", TEST!="[module/sg]", RUN+="/sbin
# Rule for prandom character device node permissions
KERNEL=="prandom", MODE="0644"
+
+# Rules for creating the ID_PATH for SCSI devices based on the CCW bus
+# using the form: ccw-<BUS_ID>-zfcp-<WWPN>:<LUN>
+#
+ACTION=="remove", GOTO="zfcp_scsi_device_end"
+
+#
+# Set environment variable "ID_ZFCP_BUS" to "1" if the devices
+# (both disk and partition) are SCSI devices based on FCP devices
+#
+KERNEL=="sd*", SUBSYSTEMS=="ccw", DRIVERS=="zfcp", ENV{.ID_ZFCP_BUS}="1"
+
+# For SCSI disks
+KERNEL=="sd*[!0-9]", SUBSYSTEMS=="scsi", ENV{.ID_ZFCP_BUS}=="1", ENV{DEVTYPE}=="disk", SYMLINK+="disk/by-path/ccw-$attr{hba_id}-zfcp-$attr{wwpn}:$attr{fcp_lun}"
+
+
+# For partitions on a SCSI disk
+KERNEL=="sd*[0-9]", SUBSYSTEMS=="scsi", ENV{.ID_ZFCP_BUS}=="1", ENV{DEVTYPE}=="partition", SYMLINK+="disk/by-path/ccw-$attr{hba_id}-zfcp-$attr{wwpn}:$attr{fcp_lun}-part%n"
+
+LABEL="zfcp_scsi_device_end"

123
SOURCES/0016-Revert-udev-remove-WAIT_FOR-key.patch Normal file
View File

@ -0,0 +1,123 @@
From 1bb734a44952a51285057409ba7b1c3e7a162cea Mon Sep 17 00:00:00 2001
From: Michal Sekletar <msekleta@redhat.com>
Date: Thu, 2 Aug 2018 13:16:49 +0200
Subject: [PATCH] Revert "udev: remove WAIT_FOR key"
This reverts commit f2b8052fb648b788936dd3e85be6a9aca90fbb2f.
Resolves: #1523213
---
man/udev.xml | 9 +++++++
src/udev/udev-rules.c | 50 +++++++++++++++++++++++++++++++++++++++
test/rule-syntax-check.py | 2 +-
3 files changed, 60 insertions(+), 1 deletion(-)
diff --git a/man/udev.xml b/man/udev.xml
index 15e6d8eae1..bdf901a8f0 100644
--- a/man/udev.xml
+++ b/man/udev.xml
@@ -515,6 +515,15 @@
</listitem>
</varlistentry>
+ <varlistentry>
+ <term><varname>WAIT_FOR</varname></term>
+ <listitem>
+ <para>Wait for a file to become available or until a timeout of
+ 10 seconds expires. The path is relative to the sysfs device;
+ if no path is specified, this waits for an attribute to appear.</para>
+ </listitem>
+ </varlistentry>
+
<varlistentry>
<term><varname>OPTIONS</varname></term>
<listitem>
diff --git a/src/udev/udev-rules.c b/src/udev/udev-rules.c
index f029395884..58af863f3d 100644
--- a/src/udev/udev-rules.c
+++ b/src/udev/udev-rules.c
@@ -676,6 +676,41 @@ static int import_parent_into_properties(struct udev_device *dev, const char *fi
return 0;
}
+#define WAIT_LOOP_PER_SECOND 50
+static int wait_for_file(struct udev_device *dev, const char *file, int timeout) {
+ char filepath[UTIL_PATH_SIZE];
+ char devicepath[UTIL_PATH_SIZE];
+ struct stat stats;
+ int loop = timeout * WAIT_LOOP_PER_SECOND;
+
+ /* a relative path is a device attribute */
+ devicepath[0] = '\0';
+ if (file[0] != '/') {
+ strscpyl(devicepath, sizeof(devicepath), udev_device_get_syspath(dev), NULL);
+ strscpyl(filepath, sizeof(filepath), devicepath, "/", file, NULL);
+ file = filepath;
+ }
+
+ while (--loop) {
+ const struct timespec duration = { 0, 1000 * 1000 * 1000 / WAIT_LOOP_PER_SECOND };
+
+ /* lookup file */
+ if (stat(file, &stats) == 0) {
+ log_debug("file '%s' appeared after %i loops", file, (timeout * WAIT_LOOP_PER_SECOND) - loop-1);
+ return 0;
+ }
+ /* make sure, the device did not disappear in the meantime */
+ if (devicepath[0] != '\0' && stat(devicepath, &stats) != 0) {
+ log_debug("device disappeared while waiting for '%s'", file);
+ return -2;
+ }
+ log_debug("wait for '%s' for %i mseconds", file, 1000 / WAIT_LOOP_PER_SECOND);
+ nanosleep(&duration, NULL);
+ }
+ log_debug("waiting for '%s' failed", file);
+ return -1;
+}
+
static void attr_subst_subdir(char *attr, size_t len) {
const char *pos, *tail, *path;
_cleanup_closedir_ DIR *dir = NULL;
@@ -1284,7 +1319,12 @@ static void add_rule(struct udev_rules *rules, char *line,
rule_add_key(&rule_tmp, TK_A_RUN_PROGRAM, op, value, &cmd);
} else
LOG_RULE_ERROR("ignoring unknown %s{} type '%s'", "RUN", attr);
+ } else if (streq(key, "WAIT_FOR") || streq(key, "WAIT_FOR_SYSFS")) {
+ if (op == OP_REMOVE)
+ LOG_AND_RETURN("invalid %s operation", key);
+ rule_add_key(&rule_tmp, TK_M_WAITFOR, 0, value, NULL);
+ continue;
} else if (streq(key, "LABEL")) {
if (op == OP_REMOVE)
LOG_AND_RETURN("invalid %s operation", key);
@@ -1838,6 +1878,16 @@ void udev_rules_apply_to_event(struct udev_rules *rules,
if (match_key(rules, cur, udev_device_get_driver(event->dev)) != 0)
goto nomatch;
break;
+ case TK_M_WAITFOR: {
+ char filename[UTIL_PATH_SIZE];
+ int found;
+
+ udev_event_apply_format(event, rules_str(rules, cur->key.value_off), filename, sizeof(filename), false);
+ found = (wait_for_file(event->dev, filename, 10) == 0);
+ if (!found && (cur->key.op != OP_NOMATCH))
+ goto nomatch;
+ break;
+ }
case TK_M_ATTR:
if (match_attr(rules, event->dev, event, cur) != 0)
goto nomatch;
diff --git a/test/rule-syntax-check.py b/test/rule-syntax-check.py
index dfb06d9ed9..706d93632e 100755
--- a/test/rule-syntax-check.py
+++ b/test/rule-syntax-check.py
@@ -18,7 +18,7 @@ if not rules_files:
quoted_string_re = r'"(?:[^\\"]|\\.)*"'
no_args_tests = re.compile(r'(ACTION|DEVPATH|KERNELS?|NAME|SYMLINK|SUBSYSTEMS?|DRIVERS?|TAG|PROGRAM|RESULT|TEST)\s*(?:=|!)=\s*' + quoted_string_re + '$')
args_tests = re.compile(r'(ATTRS?|ENV|TEST){([a-zA-Z0-9/_.*%-]+)}\s*(?:=|!)=\s*' + quoted_string_re + '$')
-no_args_assign = re.compile(r'(NAME|SYMLINK|OWNER|GROUP|MODE|TAG|RUN|LABEL|GOTO|OPTIONS|IMPORT)\s*(?:\+=|:=|=)\s*' + quoted_string_re + '$')
+no_args_assign = re.compile(r'(NAME|SYMLINK|OWNER|GROUP|MODE|TAG|RUN|LABEL|GOTO|WAIT_FOR|OPTIONS|IMPORT)\s*(?:\+=|:=|=)\s*' + quoted_string_re + '$')
args_assign = re.compile(r'(ATTR|ENV|IMPORT|RUN){([a-zA-Z0-9/_.*%-]+)}\s*(=|\+=)\s*' + quoted_string_re + '$')
# Find comma-separated groups, but allow commas that are inside quoted strings.
# Using quoted_string_re + '?' so that strings missing the last double quote

22
SOURCES/0017-net_setup_link-allow-renaming-interfaces-that-were-r.patch Normal file
View File

@ -0,0 +1,22 @@
From ab0228c3d6ceba20cf89ceb1b16b7e314aaaf989 Mon Sep 17 00:00:00 2001
From: Michal Sekletar <msekleta@redhat.com>
Date: Tue, 7 Aug 2018 10:38:33 +0200
Subject: [PATCH] net_setup_link: allow renaming interfaces that were renamed
previously
---
src/udev/net/link-config.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/src/udev/net/link-config.c b/src/udev/net/link-config.c
index cec4f4f779..5113586457 100644
--- a/src/udev/net/link-config.c
+++ b/src/udev/net/link-config.c
@@ -306,7 +306,6 @@ static bool should_rename(struct udev_device *device, bool respect_predictable)
switch (type) {
case NET_NAME_USER:
- case NET_NAME_RENAMED:
/* these were already named by userspace, do not touch again */
return false;
case NET_NAME_PREDICTABLE:

26
SOURCES/0017-units-don-t-enable-tmp.mount-statically-in-local-fs..patch
View File

@ -1,26 +0,0 @@
From 41ccc595538752f04f88c80fe7a9e283d4ef12c4 Mon Sep 17 00:00:00 2001
From: Michal Sekletar <msekleta@redhat.com>
Date: Wed, 22 Sep 2021 14:38:00 +0200
Subject: [PATCH] units: don't enable tmp.mount statically in local-fs.target
RHEL-only
Related: #2000927
---
units/meson.build | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/units/meson.build b/units/meson.build
index 69d53f4259..9eb535858a 100644
--- a/units/meson.build
+++ b/units/meson.build
@@ -159,8 +159,7 @@ units = [
['time-set.target', ''],
['time-sync.target', ''],
['timers.target', ''],
- ['tmp.mount', '',
- 'local-fs.target.wants/'],
+ ['tmp.mount', ''],
['umount.target', ''],
['usb-gadget.target', ''],
['user.slice', ''],

59
SOURCES/0018-pid1-bump-DefaultTasksMax-to-80-of-the-kernel-pid.ma.patch
View File

@ -1,59 +0,0 @@
From 4ec48c87803916e90a8f30afae6c8bdee5bb9ba5 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 1 Aug 2018 13:19:39 +0200
Subject: [PATCH] pid1: bump DefaultTasksMax to 80% of the kernel pid.max value
This should be hopefully high enough even for the very big deployments.
RHEL-only
Resolves: #2003031
---
man/systemd-system.conf.xml | 4 ++--
src/core/main.c | 2 +-
src/core/system.conf.in | 2 +-
3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/man/systemd-system.conf.xml b/man/systemd-system.conf.xml
index 3805a010e2..b8e2b65625 100644
--- a/man/systemd-system.conf.xml
+++ b/man/systemd-system.conf.xml
@@ -404,10 +404,10 @@
<listitem><para>Configure the default value for the per-unit <varname>TasksMax=</varname> setting. See
<citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>
for details. This setting applies to all unit types that support resource control settings, with the exception
- of slice units. Defaults to 15% of the minimum of <varname>kernel.pid_max=</varname>, <varname>kernel.threads-max=</varname>
+ of slice units. Defaults to 80% of the minimum of <varname>kernel.pid_max=</varname>, <varname>kernel.threads-max=</varname>
and root cgroup <varname>pids.max</varname>.
Kernel has a default value for <varname>kernel.pid_max=</varname> and an algorithm of counting in case of more than 32 cores.
- For example with the default <varname>kernel.pid_max=</varname>, <varname>DefaultTasksMax=</varname> defaults to 4915,
+ For example with the default <varname>kernel.pid_max=</varname>, <varname>DefaultTasksMax=</varname> defaults to 26214,
but might be greater in other systems or smaller in OS containers.</para></listitem>
</varlistentry>
diff --git a/src/core/main.c b/src/core/main.c
index 57aedb9b93..7ea848ebeb 100644
--- a/src/core/main.c
+++ b/src/core/main.c
@@ -98,7 +98,7 @@
#include <sanitizer/lsan_interface.h>
#endif
-#define DEFAULT_TASKS_MAX ((TasksMax) { 15U, 100U }) /* 15% */
+#define DEFAULT_TASKS_MAX ((TasksMax) { 80U, 100U }) /* 80% */
static enum {
ACTION_RUN,
diff --git a/src/core/system.conf.in b/src/core/system.conf.in
index 96fb64d2c1..c0dc6a7e17 100644
--- a/src/core/system.conf.in
+++ b/src/core/system.conf.in
@@ -54,7 +54,7 @@
#DefaultBlockIOAccounting=no
#DefaultMemoryAccounting={{ 'yes' if MEMORY_ACCOUNTING_DEFAULT else 'no' }}
#DefaultTasksAccounting=yes
-#DefaultTasksMax=15%
+#DefaultTasksMax=80%
#DefaultLimitCPU=
#DefaultLimitFSIZE=
#DefaultLimitDATA=

23
SOURCES/0018-units-drop-DynamicUser-yes-from-systemd-resolved.ser.patch Normal file
View File

@ -0,0 +1,23 @@
From b61e8046ebcb28225423fc0073183d68d4c577c4 Mon Sep 17 00:00:00 2001
From: Michal Sekletar <msekleta@redhat.com>
Date: Thu, 9 Aug 2018 15:28:44 +0200
Subject: [PATCH] units: drop DynamicUser=yes from systemd-resolved.service
We don't really need DynamicUser since we add systemd-resolve user
from rpm script
---
units/systemd-resolved.service.in | 1 -
1 file changed, 1 deletion(-)
diff --git a/units/systemd-resolved.service.in b/units/systemd-resolved.service.in
index 9982ecebff..aaed406ab2 100644
--- a/units/systemd-resolved.service.in
+++ b/units/systemd-resolved.service.in
@@ -26,7 +26,6 @@ RestartSec=0
ExecStart=!!@rootlibexecdir@/systemd-resolved
WatchdogSec=3min
User=systemd-resolve
-DynamicUser=yes
CapabilityBoundingSet=CAP_SETPCAP CAP_NET_RAW CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_SETPCAP CAP_NET_RAW CAP_NET_BIND_SERVICE
PrivateDevices=yes

73
SOURCES/0019-journal-remove-journal-audit-socket.patch Normal file
View File

@ -0,0 +1,73 @@
From 8618ef2fb30b4139c9bec4e45fb499cd8192a87f Mon Sep 17 00:00:00 2001
From: Michal Sekletar <msekleta@redhat.com>
Date: Thu, 9 Aug 2018 23:23:00 +0200
Subject: [PATCH] journal: remove journal audit socket
Resolves: #1614554
---
units/meson.build | 2 --
units/systemd-journald-audit.socket | 22 ----------------------
units/systemd-journald.service.in | 4 ++--
3 files changed, 2 insertions(+), 26 deletions(-)
delete mode 100644 units/systemd-journald-audit.socket
diff --git a/units/meson.build b/units/meson.build
index e4ac6ced64..e54a84ccbf 100644
--- a/units/meson.build
+++ b/units/meson.build
@@ -89,8 +89,6 @@ units = [
'sockets.target.wants/'],
['systemd-journal-gatewayd.socket', 'ENABLE_REMOTE HAVE_MICROHTTPD'],
['systemd-journal-remote.socket', 'ENABLE_REMOTE HAVE_MICROHTTPD'],
- ['systemd-journald-audit.socket', '',
- 'sockets.target.wants/'],
['systemd-journald-dev-log.socket', '',
'sockets.target.wants/'],
['systemd-journald.socket', '',
diff --git a/units/systemd-journald-audit.socket b/units/systemd-journald-audit.socket
deleted file mode 100644
index cb8b774963..0000000000
--- a/units/systemd-journald-audit.socket
+++ /dev/null
@@ -1,22 +0,0 @@
-# SPDX-License-Identifier: LGPL-2.1+
-#
-# This file is part of systemd.
-#
-# systemd is free software; you can redistribute it and/or modify it
-# under the terms of the GNU Lesser General Public License as published by
-# the Free Software Foundation; either version 2.1 of the License, or
-# (at your option) any later version.
-
-[Unit]
-Description=Journal Audit Socket
-Documentation=man:systemd-journald.service(8) man:journald.conf(5)
-DefaultDependencies=no
-Before=sockets.target
-ConditionSecurity=audit
-ConditionCapability=CAP_AUDIT_READ
-
-[Socket]
-Service=systemd-journald.service
-ReceiveBuffer=128M
-ListenNetlink=audit 1
-PassCredentials=yes
diff --git a/units/systemd-journald.service.in b/units/systemd-journald.service.in
index 52939e6820..8f5021d0de 100644
--- a/units/systemd-journald.service.in
+++ b/units/systemd-journald.service.in
@@ -12,12 +12,12 @@ Description=Journal Service
Documentation=man:systemd-journald.service(8) man:journald.conf(5)
DefaultDependencies=no
Requires=systemd-journald.socket
-After=systemd-journald.socket systemd-journald-dev-log.socket systemd-journald-audit.socket syslog.socket
+After=systemd-journald.socket systemd-journald-dev-log.socket syslog.socket
Before=sysinit.target
[Service]
Type=notify
-Sockets=systemd-journald.socket systemd-journald-dev-log.socket systemd-journald-audit.socket
+Sockets=systemd-journald.socket systemd-journald-dev-log.socket
ExecStart=@rootlibexecdir@/systemd-journald
Restart=always
RestartSec=0

117
SOURCES/0020-bus-move-BUS_DONT_DESTROY-calls-after-asserts.patch Normal file
View File

@ -0,0 +1,117 @@
From c6903d1b42d1773fda4df6676618489ad760a2a1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
Date: Wed, 18 Jul 2018 12:16:33 +0200
Subject: [PATCH] bus: move BUS_DONT_DESTROY calls after asserts
It's not useful to bump the reference count before checking if the object is
NULL. Thanks to d40f5cc498 we can do this ;).
Related to https://bugzilla.redhat.com/show_bug.cgi?id=1576084,
https://bugzilla.redhat.com/show_bug.cgi?id=1575340,
https://bugzilla.redhat.com/show_bug.cgi?id=1575350. I'm not sure why those two
people hit this code path, while most people don't. At least we won't abort.
(cherry picked from commit 7ae8edcd03f74da123298330b76c3fc5425042ef)
Resolves: #1610397
---
src/libsystemd/sd-bus/bus-objects.c | 15 ++++++++-------
src/libsystemd/sd-bus/sd-bus.c | 3 ++-
2 files changed, 10 insertions(+), 8 deletions(-)
diff --git a/src/libsystemd/sd-bus/bus-objects.c b/src/libsystemd/sd-bus/bus-objects.c
index 9609834fa9..a18ff88b07 100644
--- a/src/libsystemd/sd-bus/bus-objects.c
+++ b/src/libsystemd/sd-bus/bus-objects.c
@@ -2090,7 +2090,6 @@ _public_ int sd_bus_emit_properties_changed_strv(
const char *interface,
char **names) {
- BUS_DONT_DESTROY(bus);
bool found_interface = false;
char *prefix;
int r;
@@ -2111,6 +2110,8 @@ _public_ int sd_bus_emit_properties_changed_strv(
if (names && names[0] == NULL)
return 0;
+ BUS_DONT_DESTROY(bus);
+
do {
bus->nodes_modified = false;
@@ -2310,8 +2311,6 @@ static int object_added_append_all(sd_bus *bus, sd_bus_message *m, const char *p
}
_public_ int sd_bus_emit_object_added(sd_bus *bus, const char *path) {
- BUS_DONT_DESTROY(bus);
-
_cleanup_(sd_bus_message_unrefp) sd_bus_message *m = NULL;
struct node *object_manager;
int r;
@@ -2341,6 +2340,8 @@ _public_ int sd_bus_emit_object_added(sd_bus *bus, const char *path) {
if (r == 0)
return -ESRCH;
+ BUS_DONT_DESTROY(bus);
+
do {
bus->nodes_modified = false;
m = sd_bus_message_unref(m);
@@ -2481,8 +2482,6 @@ static int object_removed_append_all(sd_bus *bus, sd_bus_message *m, const char
}
_public_ int sd_bus_emit_object_removed(sd_bus *bus, const char *path) {
- BUS_DONT_DESTROY(bus);
-
_cleanup_(sd_bus_message_unrefp) sd_bus_message *m = NULL;
struct node *object_manager;
int r;
@@ -2512,6 +2511,8 @@ _public_ int sd_bus_emit_object_removed(sd_bus *bus, const char *path) {
if (r == 0)
return -ESRCH;
+ BUS_DONT_DESTROY(bus);
+
do {
bus->nodes_modified = false;
m = sd_bus_message_unref(m);
@@ -2645,8 +2646,6 @@ static int interfaces_added_append_one(
}
_public_ int sd_bus_emit_interfaces_added_strv(sd_bus *bus, const char *path, char **interfaces) {
- BUS_DONT_DESTROY(bus);
-
_cleanup_(sd_bus_message_unrefp) sd_bus_message *m = NULL;
struct node *object_manager;
char **i;
@@ -2669,6 +2668,8 @@ _public_ int sd_bus_emit_interfaces_added_strv(sd_bus *bus, const char *path, ch
if (r == 0)
return -ESRCH;
+ BUS_DONT_DESTROY(bus);
+
do {
bus->nodes_modified = false;
m = sd_bus_message_unref(m);
diff --git a/src/libsystemd/sd-bus/sd-bus.c b/src/libsystemd/sd-bus/sd-bus.c
index 089b51a6d9..7f03528b89 100644
--- a/src/libsystemd/sd-bus/sd-bus.c
+++ b/src/libsystemd/sd-bus/sd-bus.c
@@ -2883,7 +2883,6 @@ finish:
}
static int bus_process_internal(sd_bus *bus, bool hint_priority, int64_t priority, sd_bus_message **ret) {
- BUS_DONT_DESTROY(bus);
int r;
/* Returns 0 when we didn't do anything. This should cause the
@@ -2899,6 +2898,8 @@ static int bus_process_internal(sd_bus *bus, bool hint_priority, int64_t priorit
assert_return(!bus->current_message, -EBUSY);
assert(!bus->current_slot);
+ BUS_DONT_DESTROY(bus);
+
switch (bus->state) {
case BUS_UNSET:

27
SOURCES/0020-ci-use-C9S-chroots-in-Packit.patch
View File

@ -1,27 +0,0 @@
From 402595e7b0668b8fe44b5b00b1dd45ba9cc42b82 Mon Sep 17 00:00:00 2001
From: Frantisek Sumsal <frantisek@sumsal.cz>
Date: Thu, 4 Nov 2021 12:31:32 +0100
Subject: [PATCH] ci: use C9S chroots in Packit
rhel-only
Related: #2017035
---
.packit.yml | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/.packit.yml b/.packit.yml
index 3461bccbc5..ce8782aae2 100644
--- a/.packit.yml
+++ b/.packit.yml
@@ -37,9 +37,8 @@ jobs:
trigger: pull_request
metadata:
targets:
- # FIXME: change to CentOS 9 once it's available
- - fedora-34-x86_64
- - fedora-34-aarch64
+ - centos-stream-9-x86_64
+ - centos-stream-9-aarch64
# TODO: can't use TFT yet due to https://pagure.io/fedora-ci/general/issue/184
# Run tests (via testing farm)

23
SOURCES/0021-random-seed-raise-POOL_SIZE_MIN-constant-to-1024.patch Normal file
View File

@ -0,0 +1,23 @@
From 56f614a5d6305dc1d304c30438db5b394d16e2da Mon Sep 17 00:00:00 2001
From: Michal Sekletar <msekleta@redhat.com>
Date: Fri, 12 Oct 2018 13:58:34 +0000
Subject: [PATCH] random-seed: raise POOL_SIZE_MIN constant to 1024
Resolves: #1619268
---
src/random-seed/random-seed.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/random-seed/random-seed.c b/src/random-seed/random-seed.c
index 223b56306c..adc9f298c1 100644
--- a/src/random-seed/random-seed.c
+++ b/src/random-seed/random-seed.c
@@ -14,7 +14,7 @@
#include "string-util.h"
#include "util.h"
-#define POOL_SIZE_MIN 512
+#define POOL_SIZE_MIN 1024
int main(int argc, char *argv[]) {
_cleanup_close_ int seed_fd = -1, random_fd = -1;

30
SOURCES/0022-Treat-EPERM-as-not-available-too.patch
View File

@ -1,30 +0,0 @@
From 3c54c67a7fc65dc5b49b2452739c19b94eeb98a9 Mon Sep 17 00:00:00 2001
From: David Tardon <dtardon@redhat.com>
Date: Tue, 21 Dec 2021 10:46:17 +0100
Subject: [PATCH] Treat EPERM as "not available" too
We need to do this because idmapped mounts habe been disabled in RHEL-9
kernel: https://bugzilla.redhat.com/show_bug.cgi?id=2018141 .
RHEL-only
Fixes #55
Related: #2017035
---
src/nspawn/nspawn.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
index 8f17ab8810..9225c8f162 100644
--- a/src/nspawn/nspawn.c
+++ b/src/nspawn/nspawn.c
@@ -3780,7 +3780,7 @@ static int outer_child(
arg_uid_shift != 0) {
r = remount_idmap(directory, arg_uid_shift, arg_uid_range);
- if (r == -EINVAL || ERRNO_IS_NOT_SUPPORTED(r)) {
+ if (IN_SET(r, -EINVAL, -EPERM) || ERRNO_IS_NOT_SUPPORTED(r)) {
/* This might fail because the kernel or file system doesn't support idmapping. We
* can't really distinguish this nicely, nor do we have any guarantees about the
* error codes we see, could be EOPNOTSUPP or EINVAL. */

119
SOURCES/0022-cryptsetup-add-support-for-sector-size-option-9936.patch Normal file
View File

@ -0,0 +1,119 @@
From a046230cfb7e02938e3ad2ac85515636b319651e Mon Sep 17 00:00:00 2001
From: Dimitri John Ledkov <xnox@ubuntu.com>
Date: Wed, 29 Aug 2018 15:38:09 +0100
Subject: [PATCH] cryptsetup: add support for sector-size= option (#9936)
Bug-Ubuntu: https://launchpad.net/bugs/1776626
Closes #8881.
(cherry picked from commit a9fc640671ef60ac949f1ace6fa687ff242fc233)
Resolves: #1572563
---
man/crypttab.xml | 9 +++++++++
meson.build | 6 ++++++
src/cryptsetup/cryptsetup.c | 30 ++++++++++++++++++++++++++++++
3 files changed, 45 insertions(+)
diff --git a/man/crypttab.xml b/man/crypttab.xml
index dcaf03d2ca..3574ce00da 100644
--- a/man/crypttab.xml
+++ b/man/crypttab.xml
@@ -250,6 +250,15 @@
option.</para></listitem>
</varlistentry>
+ <varlistentry>
+ <term><option>sector-size=</option></term>
+
+ <listitem><para>Specifies the sector size in bytes. See
+ <citerefentry project='die-net'><refentrytitle>cryptsetup</refentrytitle><manvolnum>8</manvolnum></citerefentry>
+ for possible values and the default value of this
+ option.</para></listitem>
+ </varlistentry>
+
<varlistentry>
<term><option>swap</option></term>
diff --git a/meson.build b/meson.build
index a0e7240708..f308db2631 100644
--- a/meson.build
+++ b/meson.build
@@ -927,11 +927,17 @@ if want_libcryptsetup != 'false' and not fuzzer_build
version : '>= 1.6.0',
required : want_libcryptsetup == 'true')
have = libcryptsetup.found()
+ have_sector = cc.has_member(
+ 'struct crypt_params_plain',
+ 'sector_size',
+ prefix : '#include <libcryptsetup.h>')
else
have = false
+ have_sector = false
libcryptsetup = []
endif
conf.set10('HAVE_LIBCRYPTSETUP', have)
+conf.set10('HAVE_LIBCRYPTSETUP_SECTOR_SIZE', have_sector)
want_libcurl = get_option('libcurl')
if want_libcurl != 'false' and not fuzzer_build
diff --git a/src/cryptsetup/cryptsetup.c b/src/cryptsetup/cryptsetup.c
index 832168184a..87008cb969 100644
--- a/src/cryptsetup/cryptsetup.c
+++ b/src/cryptsetup/cryptsetup.c
@@ -23,10 +23,14 @@
/* internal helper */
#define ANY_LUKS "LUKS"
+/* as in src/cryptsetup.h */
+#define CRYPT_SECTOR_SIZE 512
+#define CRYPT_MAX_SECTOR_SIZE 4096
static const char *arg_type = NULL; /* ANY_LUKS, CRYPT_LUKS1, CRYPT_LUKS2, CRYPT_TCRYPT or CRYPT_PLAIN */
static char *arg_cipher = NULL;
static unsigned arg_key_size = 0;
+static unsigned arg_sector_size = CRYPT_SECTOR_SIZE;
static int arg_key_slot = CRYPT_ANY_SLOT;
static unsigned arg_keyfile_size = 0;
static uint64_t arg_keyfile_offset = 0;
@@ -86,6 +90,29 @@ static int parse_one_option(const char *option) {
arg_key_size /= 8;
+ } else if ((val = startswith(option, "sector-size="))) {
+
+#if HAVE_LIBCRYPTSETUP_SECTOR_SIZE
+ r = safe_atou(val, &arg_sector_size);
+ if (r < 0) {
+ log_error_errno(r, "Failed to parse %s, ignoring: %m", option);
+ return 0;
+ }
+
+ if (arg_sector_size % 2) {
+ log_error("sector-size= not a multiple of 2, ignoring.");
+ return 0;
+ }
+
+ if (arg_sector_size < CRYPT_SECTOR_SIZE || arg_sector_size > CRYPT_MAX_SECTOR_SIZE) {
+ log_error("sector-size= is outside of %u and %u, ignoring.", CRYPT_SECTOR_SIZE, CRYPT_MAX_SECTOR_SIZE);
+ return 0;
+ }
+#else
+ log_error("sector-size= is not supported, compiled with old libcryptsetup.");
+ return 0;
+#endif
+
} else if ((val = startswith(option, "key-slot="))) {
arg_type = ANY_LUKS;
@@ -471,6 +498,9 @@ static int attach_luks_or_plain(struct crypt_device *cd,
struct crypt_params_plain params = {
.offset = arg_offset,
.skip = arg_skip,
+#if HAVE_LIBCRYPTSETUP_SECTOR_SIZE
+ .sector_size = arg_sector_size,
+#endif
};
const char *cipher, *cipher_mode;
_cleanup_free_ char *truncated_cipher = NULL;

29
SOURCES/0023-cryptsetup-do-not-define-arg_sector_size-if-libgcryp.patch Normal file
View File

@ -0,0 +1,29 @@
From 96b6171376bfdb7417143a2026beda059fe3e22f Mon Sep 17 00:00:00 2001
From: Yu Watanabe <watanabe.yu+github@gmail.com>
Date: Sat, 1 Sep 2018 23:47:46 +0900
Subject: [PATCH] cryptsetup: do not define arg_sector_size if libgcrypt is
v1.x (#9990)
Follow-up for #9936.
(cherry picked from commit 645461f0cf6ec91e5b0b571559fb4cc4898192bc)
Related: #1572563
---
src/cryptsetup/cryptsetup.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/cryptsetup/cryptsetup.c b/src/cryptsetup/cryptsetup.c
index 87008cb969..abeba44ee8 100644
--- a/src/cryptsetup/cryptsetup.c
+++ b/src/cryptsetup/cryptsetup.c
@@ -30,7 +30,9 @@
static const char *arg_type = NULL; /* ANY_LUKS, CRYPT_LUKS1, CRYPT_LUKS2, CRYPT_TCRYPT or CRYPT_PLAIN */
static char *arg_cipher = NULL;
static unsigned arg_key_size = 0;
+#if HAVE_LIBCRYPTSETUP_SECTOR_SIZE
static unsigned arg_sector_size = CRYPT_SECTOR_SIZE;
+#endif
static int arg_key_slot = CRYPT_ANY_SLOT;
static unsigned arg_keyfile_size = 0;
static uint64_t arg_keyfile_offset = 0;

39
SOURCES/0023-test-copy-portable-profiles-into-the-image-if-they-d.patch
View File

@ -1,39 +0,0 @@
From 324d99159e1e64d78a580073626f5b645f1c3639 Mon Sep 17 00:00:00 2001
From: Frantisek Sumsal <frantisek@sumsal.cz>
Date: Mon, 31 Jan 2022 14:19:09 +0100
Subject: [PATCH] test: copy portable profiles into the image if they don't
exist there
If we're built with `-Dportable=false`, the portable profiles won't get
installed into the image. Since we need only the profile files and
nothing else, let's copy them into the image explicitly in such case.
(cherry picked from commit 6f73ef8b30803ac1be1b2607aec1a89d778caa9a)
Related: #2017035
---
test/test-functions | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/test/test-functions b/test/test-functions
index 218d0e6888..35d8f074a9 100644
--- a/test/test-functions
+++ b/test/test-functions
@@ -1151,6 +1151,17 @@ install_systemd() {
mkdir -p "$initdir/etc/systemd/system/service.d/"
echo -e "[Service]\nProtectSystem=no\nProtectHome=no\n" >"$initdir/etc/systemd/system/service.d/gcov-override.conf"
fi
+
+ # If we're built with -Dportabled=false, tests with systemd-analyze
+ # --profile will fail. Since we need just the profile (text) files, let's
+ # copy them into the image if they don't exist there.
+ local portable_dir="${initdir:?}${ROOTLIBDIR:?}/portable"
+ if [[ ! -d "$portable_dir/profile/strict" ]]; then
+ dinfo "Couldn't find portable profiles in the test image"
+ dinfo "Copying them directly from the source tree"
+ mkdir -p "$portable_dir"
+ cp -frv "${SOURCE_DIR:?}/src/portable/profile" "$portable_dir"
+ fi
}
get_ldpath() {

43
SOURCES/0024-test-introduce-get_cgroup_hierarchy-helper.patch
View File

@ -1,43 +0,0 @@
From 16908e1ec833d857cb418712c382c6f604426b36 Mon Sep 17 00:00:00 2001
From: Frantisek Sumsal <frantisek@sumsal.cz>
Date: Tue, 1 Feb 2022 20:18:29 +0100
Subject: [PATCH] test: introduce `get_cgroup_hierarchy() helper
which returns the host's cgroup hierarchy (unified, hybrid, or legacy).
(cherry picked from commit f723740871bd3eb89d16a526a1ff77c04bb3787a)
Related: #2047768
---
test/test-functions | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
diff --git a/test/test-functions b/test/test-functions
index 35d8f074a9..4827b6bedf 100644
--- a/test/test-functions
+++ b/test/test-functions
@@ -1996,6 +1996,24 @@ import_initdir() {
export initdir
}
+get_cgroup_hierarchy() {
+ case "$(stat -c '%T' -f /sys/fs/cgroup)" in
+ cgroup2fs)
+ echo "unified"
+ ;;
+ tmpfs)
+ if [[ -d /sys/fs/cgroup/unified && "$(stat -c '%T' -f /sys/fs/cgroup/unified)" == cgroup2fs ]]; then
+ echo "hybrid"
+ else
+ echo "legacy"
+ fi
+ ;;
+ *)
+ dfatal "Failed to determine host's cgroup hierarchy"
+ exit 1
+ esac
+}
+
## @brief Converts numeric logging level to the first letter of level name.
#
# @param lvl Numeric logging level in range from 1 to 6.

112
SOURCES/0024-units-don-t-enable-per-service-IP-firewall-by-defaul.patch Normal file
View File

@ -0,0 +1,112 @@
From e143339ac712f745727951973417ce93b5d06d78 Mon Sep 17 00:00:00 2001
From: Michal Sekletar <msekleta@redhat.com>
Date: Fri, 12 Oct 2018 14:50:09 +0000
Subject: [PATCH] units: don't enable per-service IP firewall by default
Resolves: #1630219
---
units/systemd-coredump@.service.in | 1 -
units/systemd-hostnamed.service.in | 1 -
units/systemd-journald.service.in | 1 -
units/systemd-localed.service.in | 1 -
units/systemd-logind.service.in | 1 -
units/systemd-machined.service.in | 1 -
units/systemd-portabled.service.in | 1 -
units/systemd-timedated.service.in | 1 -
units/systemd-udevd.service.in | 1 -
9 files changed, 9 deletions(-)
diff --git a/units/systemd-coredump@.service.in b/units/systemd-coredump@.service.in
index 215696ecd1..68a68a5055 100644
--- a/units/systemd-coredump@.service.in
+++ b/units/systemd-coredump@.service.in
@@ -37,5 +37,4 @@ SystemCallFilter=@system-service
SystemCallErrorNumber=EPERM
SystemCallArchitectures=native
LockPersonality=yes
-IPAddressDeny=any
StateDirectory=systemd/coredump
diff --git a/units/systemd-hostnamed.service.in b/units/systemd-hostnamed.service.in
index da74b4fe8b..4e5470dd29 100644
--- a/units/systemd-hostnamed.service.in
+++ b/units/systemd-hostnamed.service.in
@@ -33,5 +33,4 @@ SystemCallFilter=@system-service sethostname
SystemCallErrorNumber=EPERM
SystemCallArchitectures=native
LockPersonality=yes
-IPAddressDeny=any
ReadWritePaths=/etc
diff --git a/units/systemd-journald.service.in b/units/systemd-journald.service.in
index 8f5021d0de..2d5fd0120d 100644
--- a/units/systemd-journald.service.in
+++ b/units/systemd-journald.service.in
@@ -33,7 +33,6 @@ SystemCallFilter=@system-service
SystemCallErrorNumber=EPERM
SystemCallArchitectures=native
LockPersonality=yes
-IPAddressDeny=any
# Increase the default a bit in order to allow many simultaneous
# services being run since we keep one fd open per service. Also, when
diff --git a/units/systemd-localed.service.in b/units/systemd-localed.service.in
index a24e61a0cd..ce043db154 100644
--- a/units/systemd-localed.service.in
+++ b/units/systemd-localed.service.in
@@ -33,5 +33,4 @@ SystemCallFilter=@system-service
SystemCallErrorNumber=EPERM
SystemCallArchitectures=native
LockPersonality=yes
-IPAddressDeny=any
ReadWritePaths=/etc
diff --git a/units/systemd-logind.service.in b/units/systemd-logind.service.in
index 5e090bcf23..6953fac55b 100644
--- a/units/systemd-logind.service.in
+++ b/units/systemd-logind.service.in
@@ -34,7 +34,6 @@ SystemCallFilter=@system-service
SystemCallErrorNumber=EPERM
SystemCallArchitectures=native
LockPersonality=yes
-IPAddressDeny=any
FileDescriptorStoreMax=512
# Increase the default a bit in order to allow many simultaneous
diff --git a/units/systemd-machined.service.in b/units/systemd-machined.service.in
index 1200a90a61..dec2c4b0dc 100644
--- a/units/systemd-machined.service.in
+++ b/units/systemd-machined.service.in
@@ -27,7 +27,6 @@ SystemCallFilter=@system-service @mount
SystemCallErrorNumber=EPERM
SystemCallArchitectures=native
LockPersonality=yes
-IPAddressDeny=any
# Note that machined cannot be placed in a mount namespace, since it
# needs access to the host's mount namespace in order to implement the
diff --git a/units/systemd-portabled.service.in b/units/systemd-portabled.service.in
index a868f61dba..64f14071e8 100644
--- a/units/systemd-portabled.service.in
+++ b/units/systemd-portabled.service.in
@@ -23,4 +23,3 @@ RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @obsolete @raw-io @reboot @swap
SystemCallArchitectures=native
LockPersonality=yes
-IPAddressDeny=any
diff --git a/units/systemd-timedated.service.in b/units/systemd-timedated.service.in
index 906bb4326c..662b39557a 100644
--- a/units/systemd-timedated.service.in
+++ b/units/systemd-timedated.service.in
@@ -31,5 +31,4 @@ SystemCallFilter=@system-service @clock
SystemCallErrorNumber=EPERM
SystemCallArchitectures=native
LockPersonality=yes
-IPAddressDeny=any
ReadWritePaths=/etc
diff --git a/units/systemd-udevd.service.in b/units/systemd-udevd.service.in
index 6a3814e5d9..fd9ead3bb8 100644
--- a/units/systemd-udevd.service.in
+++ b/units/systemd-udevd.service.in
@@ -33,4 +33,3 @@ SystemCallFilter=@system-service @module @raw-io
SystemCallErrorNumber=EPERM
SystemCallArchitectures=native
LockPersonality=yes
-IPAddressDeny=any

45
SOURCES/0025-bus-message-do-not-crash-on-message-with-a-string-of.patch Normal file
View File

@ -0,0 +1,45 @@
From 87922b7adc47f311e89b21e37b26ee300a401e1d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
Date: Mon, 9 Jul 2018 13:21:44 +0200
Subject: [PATCH] bus-message: do not crash on message with a string of zero
length
We'd calculate the "real" length of the string as 'item_size - 1', which does
not work out well when item_size == 0.
(cherry picked from commit 81b6e63029eefcb0ec03a3a7c248490e38106073)
Resolves: #1635439
---
src/libsystemd/sd-bus/bus-message.c | 6 ++++++
.../crash-29ed3c202e0ffade3cad42c8bbeb6cc68a21eb8e | Bin 0 -> 51 bytes
2 files changed, 6 insertions(+)
create mode 100644 test/fuzz/fuzz-bus-message/crash-29ed3c202e0ffade3cad42c8bbeb6cc68a21eb8e
diff --git a/src/libsystemd/sd-bus/bus-message.c b/src/libsystemd/sd-bus/bus-message.c
index 8d92bc2002..381034f5f8 100644
--- a/src/libsystemd/sd-bus/bus-message.c
+++ b/src/libsystemd/sd-bus/bus-message.c
@@ -3312,6 +3312,12 @@ _public_ int sd_bus_message_read_basic(sd_bus_message *m, char type, void *p) {
if (IN_SET(type, SD_BUS_TYPE_STRING, SD_BUS_TYPE_OBJECT_PATH, SD_BUS_TYPE_SIGNATURE)) {
bool ok;
+ /* D-Bus spec: The marshalling formats for the string-like types all end
+ * with a single zero (NUL) byte, but that byte is not considered to be part
+ * of the text. */
+ if (c->item_size == 0)
+ return -EBADMSG;
+
r = message_peek_body(m, &rindex, 1, c->item_size, &q);
if (r < 0)
return r;
diff --git a/test/fuzz/fuzz-bus-message/crash-29ed3c202e0ffade3cad42c8bbeb6cc68a21eb8e b/test/fuzz/fuzz-bus-message/crash-29ed3c202e0ffade3cad42c8bbeb6cc68a21eb8e
new file mode 100644
index 0000000000000000000000000000000000000000..4488f0a6c685b5d43eddbe41a0c6a3b6be9b02e2
GIT binary patch
literal 51
fcmc~1WMC4sJpJnr13KV`0|t%6q+%$@&=ddw)CUPg
literal 0
HcmV?d00001

30
SOURCES/0025-test-require-unified-cgroup-hierarchy-for-TEST-56.patch
View File

@ -1,30 +0,0 @@
From 523e72e97d7c945114b54b726eaab0d379fb35fb Mon Sep 17 00:00:00 2001
From: Frantisek Sumsal <frantisek@sumsal.cz>
Date: Tue, 1 Feb 2022 20:25:00 +0100
Subject: [PATCH] test: require unified cgroup hierarchy for TEST-56
since cgroup empty notifications are unreliable in legacy cgroups.
See: systemd/systemd#22320
Complements: systemd/systemd#22344
(cherry picked from commit e2620820188428de7086f5e8ac41305177f70954)
Related: #2047768
---
test/TEST-56-EXIT-TYPE/test.sh | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/test/TEST-56-EXIT-TYPE/test.sh b/test/TEST-56-EXIT-TYPE/test.sh
index 0f84dca1ba..37475e817e 100755
--- a/test/TEST-56-EXIT-TYPE/test.sh
+++ b/test/TEST-56-EXIT-TYPE/test.sh
@@ -6,4 +6,9 @@ TEST_DESCRIPTION="test ExitType=cgroup"
# shellcheck source=test/test-functions
. "${TEST_BASE_DIR:?}/test-functions"
+if [[ "$(get_cgroup_hierarchy)" != unified ]]; then
+ echo "This test requires unified cgroup hierarchy, skipping..."
+ exit 0
+fi
+
do_test "$@"

279
SOURCES/0026-Introduce-free_and_strndup-and-use-it-in-bus-message.patch Normal file
View File

@ -0,0 +1,279 @@
From 26de3af817b0c5746cb61b798ae8e138e01ea17c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
Date: Mon, 9 Jul 2018 07:03:01 +0200
Subject: [PATCH] Introduce free_and_strndup and use it in bus-message.c
v2: fix error in free_and_strndup()
When the orignal and copied message were the same, but shorter than specified
length l, memory read past the end of the buffer would be performed. A test
case is included: a string that had an embedded NUL ("q\0") is used to replace
"q".
v3: Fix one more bug in free_and_strndup and add tests.
v4: Some style fixed based on review, one more use of free_and_replace, and
make the tests more comprehensive.
(cherry picked from commit 7f546026abbdc56c453a577e52d57159458c3e9c)
Resolves: #1635428
---
src/basic/string-util.c | 28 +++++++-
src/basic/string-util.h | 1 +
src/libsystemd/sd-bus/bus-message.c | 34 ++++------
src/test/test-string-util.c | 62 ++++++++++++++++++
...h-b88ad9ecf4aacf4a0caca5b5543953265367f084 | Bin 0 -> 32 bytes
5 files changed, 103 insertions(+), 22 deletions(-)
create mode 100644 test/fuzz/fuzz-bus-message/crash-b88ad9ecf4aacf4a0caca5b5543953265367f084
diff --git a/src/basic/string-util.c b/src/basic/string-util.c
index 0a40683493..dfa739996f 100644
--- a/src/basic/string-util.c
+++ b/src/basic/string-util.c
@@ -1004,7 +1004,7 @@ int free_and_strdup(char **p, const char *s) {
assert(p);
- /* Replaces a string pointer with an strdup()ed new string,
+ /* Replaces a string pointer with a strdup()ed new string,
* possibly freeing the old one. */
if (streq_ptr(*p, s))
@@ -1023,6 +1023,32 @@ int free_and_strdup(char **p, const char *s) {
return 1;
}
+int free_and_strndup(char **p, const char *s, size_t l) {
+ char *t;
+
+ assert(p);
+ assert(s || l == 0);
+
+ /* Replaces a string pointer with a strndup()ed new string,
+ * freeing the old one. */
+
+ if (!*p && !s)
+ return 0;
+
+ if (*p && s && strneq(*p, s, l) && (l > strlen(*p) || (*p)[l] == '\0'))
+ return 0;
+
+ if (s) {
+ t = strndup(s, l);
+ if (!t)
+ return -ENOMEM;
+ } else
+ t = NULL;
+
+ free_and_replace(*p, t);
+ return 1;
+}
+
#if !HAVE_EXPLICIT_BZERO
/*
* Pointer to memset is volatile so that compiler must de-reference
diff --git a/src/basic/string-util.h b/src/basic/string-util.h
index c0cc4e78d7..96a9260f93 100644
--- a/src/basic/string-util.h
+++ b/src/basic/string-util.h
@@ -176,6 +176,7 @@ char *strrep(const char *s, unsigned n);
int split_pair(const char *s, const char *sep, char **l, char **r);
int free_and_strdup(char **p, const char *s);
+int free_and_strndup(char **p, const char *s, size_t l);
/* Normal memmem() requires haystack to be nonnull, which is annoying for zero-length buffers */
static inline void *memmem_safe(const void *haystack, size_t haystacklen, const void *needle, size_t needlelen) {
diff --git a/src/libsystemd/sd-bus/bus-message.c b/src/libsystemd/sd-bus/bus-message.c
index 381034f5f8..7c8bad2bdd 100644
--- a/src/libsystemd/sd-bus/bus-message.c
+++ b/src/libsystemd/sd-bus/bus-message.c
@@ -4175,20 +4175,19 @@ _public_ int sd_bus_message_peek_type(sd_bus_message *m, char *type, const char
if (contents) {
size_t l;
- char *sig;
r = signature_element_length(c->signature+c->index+1, &l);
if (r < 0)
return r;
- assert(l >= 1);
+ /* signature_element_length does verification internally */
- sig = strndup(c->signature + c->index + 1, l);
- if (!sig)
+ assert(l >= 1);
+ if (free_and_strndup(&c->peeked_signature,
+ c->signature + c->index + 1, l) < 0)
return -ENOMEM;
- free(c->peeked_signature);
- *contents = c->peeked_signature = sig;
+ *contents = c->peeked_signature;
}
if (type)
@@ -4201,19 +4200,17 @@ _public_ int sd_bus_message_peek_type(sd_bus_message *m, char *type, const char
if (contents) {
size_t l;
- char *sig;
r = signature_element_length(c->signature+c->index, &l);
if (r < 0)
return r;
assert(l >= 2);
- sig = strndup(c->signature + c->index + 1, l - 2);
- if (!sig)
+ if (free_and_strndup(&c->peeked_signature,
+ c->signature + c->index + 1, l - 2) < 0)
return -ENOMEM;
- free(c->peeked_signature);
- *contents = c->peeked_signature = sig;
+ *contents = c->peeked_signature;
}
if (type)
@@ -4253,9 +4250,8 @@ _public_ int sd_bus_message_peek_type(sd_bus_message *m, char *type, const char
if (k > c->item_size)
return -EBADMSG;
- free(c->peeked_signature);
- c->peeked_signature = strndup((char*) q + 1, k - 1);
- if (!c->peeked_signature)
+ if (free_and_strndup(&c->peeked_signature,
+ (char*) q + 1, k - 1) < 0)
return -ENOMEM;
if (!signature_is_valid(c->peeked_signature, true))
@@ -5085,25 +5081,21 @@ int bus_message_parse_fields(sd_bus_message *m) {
if (*p == 0) {
size_t l;
- char *c;
/* We found the beginning of the signature
* string, yay! We require the body to be a
* structure, so verify it and then strip the
* opening/closing brackets. */
- l = ((char*) m->footer + m->footer_accessible) - p - (1 + sz);
+ l = (char*) m->footer + m->footer_accessible - p - (1 + sz);
if (l < 2 ||
p[1] != SD_BUS_TYPE_STRUCT_BEGIN ||
p[1 + l - 1] != SD_BUS_TYPE_STRUCT_END)
return -EBADMSG;
- c = strndup(p + 1 + 1, l - 2);
- if (!c)
+ if (free_and_strndup(&m->root_container.signature,
+ p + 1 + 1, l - 2) < 0)
return -ENOMEM;
-
- free(m->root_container.signature);
- m->root_container.signature = c;
break;
}
diff --git a/src/test/test-string-util.c b/src/test/test-string-util.c
index 3e72ce2c0a..43a6b14c34 100644
--- a/src/test/test-string-util.c
+++ b/src/test/test-string-util.c
@@ -5,6 +5,7 @@
#include "macro.h"
#include "string-util.h"
#include "strv.h"
+#include "tests.h"
#include "utf8.h"
static void test_string_erase(void) {
@@ -30,6 +31,64 @@ static void test_string_erase(void) {
assert_se(x[9] == '\0');
}
+static void test_free_and_strndup_one(char **t, const char *src, size_t l, const char *expected, bool change) {
+ int r;
+
+ log_debug("%s: \"%s\", \"%s\", %zd (expect \"%s\", %s)",
+ __func__, strnull(*t), strnull(src), l, strnull(expected), yes_no(change));
+
+ r = free_and_strndup(t, src, l);
+ assert_se(streq_ptr(*t, expected));
+ assert_se(r == change); /* check that change occurs only when necessary */
+}
+
+static void test_free_and_strndup(void) {
+ static const struct test_case {
+ const char *src;
+ size_t len;
+ const char *expected;
+ } cases[] = {
+ {"abc", 0, ""},
+ {"abc", 0, ""},
+ {"abc", 1, "a"},
+ {"abc", 2, "ab"},
+ {"abc", 3, "abc"},
+ {"abc", 4, "abc"},
+ {"abc", 5, "abc"},
+ {"abc", 5, "abc"},
+ {"abc", 4, "abc"},
+ {"abc", 3, "abc"},
+ {"abc", 2, "ab"},
+ {"abc", 1, "a"},
+ {"abc", 0, ""},
+
+ {"", 0, ""},
+ {"", 1, ""},
+ {"", 2, ""},
+ {"", 0, ""},
+ {"", 1, ""},
+ {"", 2, ""},
+ {"", 2, ""},
+ {"", 1, ""},
+ {"", 0, ""},
+
+ {NULL, 0, NULL},
+
+ {"foo", 3, "foo"},
+ {"foobar", 6, "foobar"},
+ };
+
+ _cleanup_free_ char *t = NULL;
+ const char *prev_expected = t;
+
+ for (unsigned i = 0; i < ELEMENTSOF(cases); i++) {
+ test_free_and_strndup_one(&t,
+ cases[i].src, cases[i].len, cases[i].expected,
+ !streq_ptr(cases[i].expected, prev_expected));
+ prev_expected = t;
+ }
+}
+
static void test_ascii_strcasecmp_n(void) {
assert_se(ascii_strcasecmp_n("", "", 0) == 0);
@@ -497,7 +556,10 @@ static void test_memory_startswith(void) {
}
int main(int argc, char *argv[]) {
+ test_setup_logging(LOG_DEBUG);
+
test_string_erase();
+ test_free_and_strndup();
test_ascii_strcasecmp_n();
test_ascii_strcasecmp_nn();
test_cellescape();
diff --git a/test/fuzz/fuzz-bus-message/crash-b88ad9ecf4aacf4a0caca5b5543953265367f084 b/test/fuzz/fuzz-bus-message/crash-b88ad9ecf4aacf4a0caca5b5543953265367f084
new file mode 100644
index 0000000000000000000000000000000000000000..52469650b5498a45d5d95bd9d933c989cfb47ca7
GIT binary patch
literal 32
ccmd1#|DTBg0(2Mzp)7_%AVVXuuuM|`09r!?!~g&Q
literal 0
HcmV?d00001

671
SOURCES/0026-tests-rework-test-macros-to-not-take-code-as-paramet.patch
View File

@ -1,671 +0,0 @@
From 845417e653b42b8f3928c68955bd6416f2fa4509 Mon Sep 17 00:00:00 2001
From: Lennart Poettering <lennart@poettering.net>
Date: Tue, 1 Feb 2022 12:06:59 +0100
Subject: [PATCH] tests: rework test macros to not take code as parameters
C macros are nasty. We use them, but we try to be conservative with
them. In particular passing literal, complex code blocks as argument is
icky, because of "," handling of C, and also because it's quite a
challange for most code highlighters and similar. Hence, let's avoid
that. Using macros for genreating functions is OK but if so, the
parameters should be simple words, not full code blocks.
hence, rework DEFINE_CUSTOM_TEST_MAIN() to take a function name instead
of code block as argument.
As side-effect this also fixes a bunch of cases where we might end up
returning a negative value from main().
Some uses of DEFINE_CUSTOM_TEST_MAIN() inserted local variables into the
main() functions, these are replaced by static variables, and their
destructors by the static destructor logic.
This doesn't fix any bugs or so, it's just supposed to make the code
easier to work with and improve it easthetically.
Or in other words: let's use macros where it really makes sense, but
let's not go overboard with it.
(And yes, FOREACH_DIRENT() is another one of those macros that take
code, and I dislike that too and regret I ever added that.)
(cherry picked from commit 99839c7ebd4b83a5b0d5982d669cfe10d1252e1f)
Related: #2017035
---
src/shared/tests.h | 25 +++++++++++++-----
src/test/test-barrier.c | 46 +++++++++++++++++----------------
src/test/test-cgroup-setup.c | 15 ++++++-----
src/test/test-chown-rec.c | 15 ++++++-----
src/test/test-format-table.c | 14 +++++-----
src/test/test-fs-util.c | 7 ++++-
src/test/test-hashmap.c | 16 +++++++++---
src/test/test-install-root.c | 14 +++++++---
src/test/test-load-fragment.c | 21 ++++++++-------
src/test/test-mountpoint-util.c | 30 +++++++++++----------
src/test/test-namespace.c | 15 ++++++-----
src/test/test-proc-cmdline.c | 15 ++++++-----
src/test/test-process-util.c | 7 ++++-
src/test/test-sd-hwdb.c | 21 ++++++++-------
src/test/test-serialize.c | 16 ++++++------
src/test/test-sleep.c | 15 ++++++-----
src/test/test-stat-util.c | 7 ++++-
src/test/test-time-util.c | 6 +++--
src/test/test-unit-file.c | 7 ++++-
src/test/test-unit-name.c | 21 ++++++++-------
src/test/test-unit-serialize.c | 21 ++++++++-------
src/test/test-utf8.c | 7 ++++-
22 files changed, 215 insertions(+), 146 deletions(-)
diff --git a/src/shared/tests.h b/src/shared/tests.h
index 3b93aab498..59448f38f6 100644
--- a/src/shared/tests.h
+++ b/src/shared/tests.h
@@ -6,6 +6,7 @@
#include "sd-daemon.h"
#include "macro.h"
+#include "static-destruct.h"
#include "util.h"
static inline bool manager_errno_skip_test(int r) {
@@ -109,15 +110,27 @@ static inline int run_test_table(void) {
return r;
}
+static inline int test_nop(void) {
+ return EXIT_SUCCESS;
+}
+
#define DEFINE_CUSTOM_TEST_MAIN(log_level, intro, outro) \
int main(int argc, char *argv[]) { \
- int _r = EXIT_SUCCESS; \
+ int _r, _q; \
test_setup_logging(log_level); \
save_argc_argv(argc, argv); \
- intro; \
- _r = run_test_table(); \
- outro; \
- return _r; \
+ _r = intro(); \
+ if (_r == EXIT_SUCCESS) \
+ _r = run_test_table(); \
+ _q = outro(); \
+ static_destruct(); \
+ if (_r < 0) \
+ return EXIT_FAILURE; \
+ if (_r != EXIT_SUCCESS) \
+ return _r; \
+ if (_q < 0) \
+ return EXIT_FAILURE; \
+ return _q; \
}
-#define DEFINE_TEST_MAIN(log_level) DEFINE_CUSTOM_TEST_MAIN(log_level, , )
+#define DEFINE_TEST_MAIN(log_level) DEFINE_CUSTOM_TEST_MAIN(log_level, test_nop, test_nop)
diff --git a/src/test/test-barrier.c b/src/test/test-barrier.c
index 8998282afb..b87538806a 100644
--- a/src/test/test-barrier.c
+++ b/src/test/test-barrier.c
@@ -421,25 +421,27 @@ TEST_BARRIER(barrier_pending_exit,
}),
TEST_BARRIER_WAIT_SUCCESS(pid2));
-DEFINE_CUSTOM_TEST_MAIN(
- LOG_INFO,
- ({
- if (!slow_tests_enabled())
- return log_tests_skipped("slow tests are disabled");
-
- /*
- * This test uses real-time alarms and sleeps to test for CPU races
- * explicitly. This is highly fragile if your system is under load. We
- * already increased the BASE_TIME value to make the tests more robust,
- * but that just makes the test take significantly longer. Given the recent
- * issues when running the test in a virtualized environments, limit it
- * to bare metal machines only, to minimize false-positives in CIs.
- */
- int v = detect_virtualization();
- if (IN_SET(v, -EPERM, -EACCES))
- return log_tests_skipped("Cannot detect virtualization");
-
- if (v != VIRTUALIZATION_NONE)
- return log_tests_skipped("This test requires a baremetal machine");
- }),
- /* no outro */);
+
+static int intro(void) {
+ if (!slow_tests_enabled())
+ return log_tests_skipped("slow tests are disabled");
+
+ /*
+ * This test uses real-time alarms and sleeps to test for CPU races explicitly. This is highly
+ * fragile if your system is under load. We already increased the BASE_TIME value to make the tests
+ * more robust, but that just makes the test take significantly longer. Given the recent issues when
+ * running the test in a virtualized environments, limit it to bare metal machines only, to minimize
+ * false-positives in CIs.
+ */
+
+ int v = detect_virtualization();
+ if (IN_SET(v, -EPERM, -EACCES))
+ return log_tests_skipped("Cannot detect virtualization");
+
+ if (v != VIRTUALIZATION_NONE)
+ return log_tests_skipped("This test requires a baremetal machine");
+
+ return EXIT_SUCCESS;
+ }
+
+DEFINE_CUSTOM_TEST_MAIN(LOG_INFO, intro, test_nop);
diff --git a/src/test/test-cgroup-setup.c b/src/test/test-cgroup-setup.c
index 018992f96d..6f93647685 100644
--- a/src/test/test-cgroup-setup.c
+++ b/src/test/test-cgroup-setup.c
@@ -64,10 +64,11 @@ TEST(is_wanted) {
test_is_wanted_print_one(false);
}
-DEFINE_CUSTOM_TEST_MAIN(
- LOG_DEBUG,
- ({
- if (access("/proc/cmdline", R_OK) < 0 && ERRNO_IS_PRIVILEGE(errno))
- return log_tests_skipped("can't read /proc/cmdline");
- }),
- /* no outro */);
+static int intro(void) {
+ if (access("/proc/cmdline", R_OK) < 0 && ERRNO_IS_PRIVILEGE(errno))
+ return log_tests_skipped("can't read /proc/cmdline");
+
+ return EXIT_SUCCESS;
+}
+
+DEFINE_CUSTOM_TEST_MAIN(LOG_DEBUG, intro, test_nop);
diff --git a/src/test/test-chown-rec.c b/src/test/test-chown-rec.c
index 53d44566d5..691cfe767f 100644
--- a/src/test/test-chown-rec.c
+++ b/src/test/test-chown-rec.c
@@ -149,10 +149,11 @@ TEST(chown_recursive) {
assert_se(!has_xattr(p));
}
-DEFINE_CUSTOM_TEST_MAIN(
- LOG_DEBUG,
- ({
- if (geteuid() != 0)
- return log_tests_skipped("not running as root");
- }),
- /* no outro */);
+static int intro(void) {
+ if (geteuid() != 0)
+ return log_tests_skipped("not running as root");
+
+ return EXIT_SUCCESS;
+}
+
+DEFINE_CUSTOM_TEST_MAIN(LOG_DEBUG, intro, test_nop);
diff --git a/src/test/test-format-table.c b/src/test/test-format-table.c
index a3b29ca337..7515a74c12 100644
--- a/src/test/test-format-table.c
+++ b/src/test/test-format-table.c
@@ -529,10 +529,10 @@ TEST(table) {
"5min 5min \n"));
}
-DEFINE_CUSTOM_TEST_MAIN(
- LOG_INFO,
- ({
- assert_se(setenv("SYSTEMD_COLORS", "0", 1) >= 0);
- assert_se(setenv("COLUMNS", "40", 1) >= 0);
- }),
- /* no outro */);
+static int intro(void) {
+ assert_se(setenv("SYSTEMD_COLORS", "0", 1) >= 0);
+ assert_se(setenv("COLUMNS", "40", 1) >= 0);
+ return EXIT_SUCCESS;
+}
+
+DEFINE_CUSTOM_TEST_MAIN(LOG_INFO, intro, test_nop);
diff --git a/src/test/test-fs-util.c b/src/test/test-fs-util.c
index 0e0d91d04e..da5a16b4bc 100644
--- a/src/test/test-fs-util.c
+++ b/src/test/test-fs-util.c
@@ -968,4 +968,9 @@ TEST(open_mkdir_at) {
assert_se(subsubdir_fd >= 0);
}
-DEFINE_CUSTOM_TEST_MAIN(LOG_INFO, arg_test_dir = argv[1], /* no outro */);
+static int intro(void) {
+ arg_test_dir = saved_argv[1];
+ return EXIT_SUCCESS;
+}
+
+DEFINE_CUSTOM_TEST_MAIN(LOG_INFO, intro, test_nop);
diff --git a/src/test/test-hashmap.c b/src/test/test-hashmap.c
index cba0c33a8a..4dc155d818 100644
--- a/src/test/test-hashmap.c
+++ b/src/test/test-hashmap.c
@@ -158,7 +158,15 @@ TEST(hashmap_put_strdup_null) {
/* This variable allows us to assert that the tests from different compilation units were actually run. */
int n_extern_tests_run = 0;
-DEFINE_CUSTOM_TEST_MAIN(
- LOG_INFO,
- assert_se(n_extern_tests_run == 0),
- assert_se(n_extern_tests_run == 2)); /* Ensure hashmap and ordered_hashmap were tested. */
+static int intro(void) {
+ assert_se(n_extern_tests_run == 0);
+ return EXIT_SUCCESS;
+}
+
+static int outro(void) {
+ /* Ensure hashmap and ordered_hashmap were tested. */
+ assert_se(n_extern_tests_run == 2);
+ return EXIT_SUCCESS;
+}
+
+DEFINE_CUSTOM_TEST_MAIN(LOG_INFO, intro, outro);
diff --git a/src/test/test-install-root.c b/src/test/test-install-root.c
index ba715e6d7e..f540a832bd 100644
--- a/src/test/test-install-root.c
+++ b/src/test/test-install-root.c
@@ -11,8 +11,11 @@
#include "special.h"
#include "string-util.h"
#include "tests.h"
+#include "tmpfile-util.h"
-static char root[] = "/tmp/rootXXXXXX";
+static char *root = NULL;
+
+STATIC_DESTRUCTOR_REGISTER(root, rm_rf_physical_and_freep);
TEST(basic_mask_and_enable) {
const char *p;
@@ -1239,10 +1242,10 @@ TEST(verify_alias) {
verify_one(&di_inst_template, "goo.target.conf/plain.service", -EXDEV, NULL);
}
-static void setup_root(void) {
+static int intro(void) {
const char *p;
- assert_se(mkdtemp(root));
+ assert_se(mkdtemp_malloc("/tmp/rootXXXXXX", &root) >= 0);
p = strjoina(root, "/usr/lib/systemd/system/");
assert_se(mkdir_p(p, 0755) >= 0);
@@ -1264,6 +1267,9 @@ static void setup_root(void) {
p = strjoina(root, "/usr/lib/systemd/system/graphical.target");
assert_se(write_string_file(p, "# pretty much empty", WRITE_STRING_FILE_CREATE) >= 0);
+
+ return EXIT_SUCCESS;
}
-DEFINE_CUSTOM_TEST_MAIN(LOG_INFO, setup_root(), assert_se(rm_rf(root, REMOVE_ROOT|REMOVE_PHYSICAL) >= 0));
+
+DEFINE_CUSTOM_TEST_MAIN(LOG_INFO, intro, test_nop);
diff --git a/src/test/test-load-fragment.c b/src/test/test-load-fragment.c
index e878979a89..2e105df56a 100644
--- a/src/test/test-load-fragment.c
+++ b/src/test/test-load-fragment.c
@@ -30,6 +30,10 @@
/* Nontrivial value serves as a placeholder to check that parsing function (didn't) change it */
#define CGROUP_LIMIT_DUMMY 3
+static char *runtime_dir = NULL;
+
+STATIC_DESTRUCTOR_REGISTER(runtime_dir, rm_rf_physical_and_freep);
+
TEST_RET(unit_file_get_set) {
int r;
Hashmap *h;
@@ -894,15 +898,12 @@ TEST(unit_is_recursive_template_dependency) {
assert_se(unit_is_likely_recursive_template_dependency(u, "foobar@foobar@123.mount", "foobar@%n.mount") == 0);
}
-DEFINE_CUSTOM_TEST_MAIN(
- LOG_INFO,
+static int intro(void) {
+ if (enter_cgroup_subroot(NULL) == -ENOMEDIUM)
+ return log_tests_skipped("cgroupfs not available");
- _cleanup_(rm_rf_physical_and_freep) char *runtime_dir = NULL;
- ({
- if (enter_cgroup_subroot(NULL) == -ENOMEDIUM)
- return log_tests_skipped("cgroupfs not available");
-
- assert_se(runtime_dir = setup_fake_runtime_dir());
- }),
+ assert_se(runtime_dir = setup_fake_runtime_dir());
+ return EXIT_SUCCESS;
+}
- /* no outro */);
+DEFINE_CUSTOM_TEST_MAIN(LOG_INFO, intro, test_nop);
diff --git a/src/test/test-mountpoint-util.c b/src/test/test-mountpoint-util.c
index 9515d8cf7b..102d2850bf 100644
--- a/src/test/test-mountpoint-util.c
+++ b/src/test/test-mountpoint-util.c
@@ -298,17 +298,19 @@ TEST(fd_is_mount_point) {
assert_se(IN_SET(fd_is_mount_point(fd, "root/", 0), -ENOENT, 0));
}
-DEFINE_CUSTOM_TEST_MAIN(
- LOG_DEBUG,
- ({
- /* let's move into our own mount namespace with all propagation from the host turned off, so
- * that /proc/self/mountinfo is static and constant for the whole time our test runs. */
- if (unshare(CLONE_NEWNS) < 0) {
- if (!ERRNO_IS_PRIVILEGE(errno))
- return log_error_errno(errno, "Failed to detach mount namespace: %m");
-
- log_notice("Lacking privilege to create separate mount namespace, proceeding in originating mount namespace.");
- } else
- assert_se(mount(NULL, "/", NULL, MS_PRIVATE | MS_REC, NULL) >= 0);
- }),
- /* no outro */);
+static int intro(void) {
+ /* let's move into our own mount namespace with all propagation from the host turned off, so
+ * that /proc/self/mountinfo is static and constant for the whole time our test runs. */
+
+ if (unshare(CLONE_NEWNS) < 0) {
+ if (!ERRNO_IS_PRIVILEGE(errno))
+ return log_error_errno(errno, "Failed to detach mount namespace: %m");
+
+ log_notice("Lacking privilege to create separate mount namespace, proceeding in originating mount namespace.");
+ } else
+ assert_se(mount(NULL, "/", NULL, MS_PRIVATE | MS_REC, NULL) >= 0);
+
+ return EXIT_SUCCESS;
+}
+
+DEFINE_CUSTOM_TEST_MAIN(LOG_DEBUG, intro, test_nop);
diff --git a/src/test/test-namespace.c b/src/test/test-namespace.c
index 8df5533d6e..f9e34f3bfa 100644
--- a/src/test/test-namespace.c
+++ b/src/test/test-namespace.c
@@ -220,10 +220,11 @@ TEST(protect_kernel_logs) {
assert_se(wait_for_terminate_and_check("ns-kernellogs", pid, WAIT_LOG) == EXIT_SUCCESS);
}
-DEFINE_CUSTOM_TEST_MAIN(
- LOG_INFO,
- ({
- if (!have_namespaces())
- return log_tests_skipped("Don't have namespace support");
- }),
- /* no outro */);
+static int intro(void) {
+ if (!have_namespaces())
+ return log_tests_skipped("Don't have namespace support");
+
+ return EXIT_SUCCESS;
+}
+
+DEFINE_CUSTOM_TEST_MAIN(LOG_INFO, intro, test_nop);
diff --git a/src/test/test-proc-cmdline.c b/src/test/test-proc-cmdline.c
index 1c8c9b80b7..064b4d838f 100644
--- a/src/test/test-proc-cmdline.c
+++ b/src/test/test-proc-cmdline.c
@@ -247,10 +247,11 @@ TEST(proc_cmdline_key_startswith) {
assert_se(!proc_cmdline_key_startswith("foo-bar", "foo_xx"));
}
-DEFINE_CUSTOM_TEST_MAIN(
- LOG_INFO,
- ({
- if (access("/proc/cmdline", R_OK) < 0 && ERRNO_IS_PRIVILEGE(errno))
- return log_tests_skipped("can't read /proc/cmdline");
- }),
- /* no outro */);
+static int intro(void) {
+ if (access("/proc/cmdline", R_OK) < 0 && ERRNO_IS_PRIVILEGE(errno))
+ return log_tests_skipped("can't read /proc/cmdline");
+
+ return EXIT_SUCCESS;
+}
+
+DEFINE_CUSTOM_TEST_MAIN(LOG_INFO, intro, test_nop);
diff --git a/src/test/test-process-util.c b/src/test/test-process-util.c
index 06a640b1cc..8661934929 100644
--- a/src/test/test-process-util.c
+++ b/src/test/test-process-util.c
@@ -895,4 +895,9 @@ TEST(set_oom_score_adjust) {
assert_se(b == a);
}
-DEFINE_CUSTOM_TEST_MAIN(LOG_INFO, log_show_color(true), /* no outro */);
+static int intro(void) {
+ log_show_color(true);
+ return EXIT_SUCCESS;
+}
+
+DEFINE_CUSTOM_TEST_MAIN(LOG_INFO, intro, test_nop);
diff --git a/src/test/test-sd-hwdb.c b/src/test/test-sd-hwdb.c
index 7961c17c4a..88992a6c2b 100644
--- a/src/test/test-sd-hwdb.c
+++ b/src/test/test-sd-hwdb.c
@@ -52,12 +52,15 @@ TEST(basic_enumerate) {
assert_se(len1 == len2);
}
-DEFINE_CUSTOM_TEST_MAIN(
- LOG_DEBUG,
- ({
- _cleanup_(sd_hwdb_unrefp) sd_hwdb *hwdb = NULL;
- int r = sd_hwdb_new(&hwdb);
- if (r == -ENOENT || ERRNO_IS_PRIVILEGE(r))
- return log_tests_skipped_errno(r, "cannot open hwdb");
- }),
- /* no outro */);
+static int intro(void) {
+ _cleanup_(sd_hwdb_unrefp) sd_hwdb *hwdb = NULL;
+ int r;
+
+ r = sd_hwdb_new(&hwdb);
+ if (r == -ENOENT || ERRNO_IS_PRIVILEGE(r))
+ return log_tests_skipped_errno(r, "cannot open hwdb");
+
+ return EXIT_SUCCESS;
+}
+
+DEFINE_CUSTOM_TEST_MAIN(LOG_DEBUG, intro, test_nop);
diff --git a/src/test/test-serialize.c b/src/test/test-serialize.c
index fb04b3e7fa..9aeb6c5920 100644
--- a/src/test/test-serialize.c
+++ b/src/test/test-serialize.c
@@ -10,7 +10,7 @@
#include "tests.h"
#include "tmpfile-util.h"
-char long_string[LONG_LINE_MAX+1];
+static char long_string[LONG_LINE_MAX+1];
TEST(serialize_item) {
_cleanup_(unlink_tempfilep) char fn[] = "/tmp/test-serialize.XXXXXX";
@@ -189,10 +189,10 @@ TEST(serialize_environment) {
assert_se(strv_equal(env, env2));
}
-DEFINE_CUSTOM_TEST_MAIN(
- LOG_INFO,
- ({
- memset(long_string, 'x', sizeof(long_string)-1);
- char_array_0(long_string);
- }),
- /* no outro */);
+static int intro(void) {
+ memset(long_string, 'x', sizeof(long_string)-1);
+ char_array_0(long_string);
+ return EXIT_SUCCESS;
+}
+
+DEFINE_CUSTOM_TEST_MAIN(LOG_INFO, intro, test_nop);
diff --git a/src/test/test-sleep.c b/src/test/test-sleep.c
index 183ad4f7b7..f56e7e0167 100644
--- a/src/test/test-sleep.c
+++ b/src/test/test-sleep.c
@@ -118,10 +118,11 @@ TEST(sleep) {
log_info("Suspend-then-Hibernate configured and possible: %s", r >= 0 ? yes_no(r) : strerror_safe(r));
}
-DEFINE_CUSTOM_TEST_MAIN(
- LOG_DEBUG,
- ({
- if (getuid() != 0)
- log_warning("This program is unlikely to work for unprivileged users");
- }),
- /* no outro */);
+static int intro(void) {
+ if (getuid() != 0)
+ log_warning("This program is unlikely to work for unprivileged users");
+
+ return EXIT_SUCCESS;
+}
+
+DEFINE_CUSTOM_TEST_MAIN(LOG_DEBUG, intro, test_nop);
diff --git a/src/test/test-stat-util.c b/src/test/test-stat-util.c
index 0f7b3ca3ce..2965ee679f 100644
--- a/src/test/test-stat-util.c
+++ b/src/test/test-stat-util.c
@@ -236,4 +236,9 @@ TEST(dir_is_empty) {
assert_se(dir_is_empty_at(AT_FDCWD, empty_dir) > 0);
}
-DEFINE_CUSTOM_TEST_MAIN(LOG_INFO, log_show_color(true), /* no outro */);
+static int intro(void) {
+ log_show_color(true);
+ return EXIT_SUCCESS;
+}
+
+DEFINE_CUSTOM_TEST_MAIN(LOG_INFO, intro, test_nop);
diff --git a/src/test/test-time-util.c b/src/test/test-time-util.c
index 4d0131827e..f21d8b7794 100644
--- a/src/test/test-time-util.c
+++ b/src/test/test-time-util.c
@@ -588,7 +588,7 @@ TEST(map_clock_usec) {
}
}
-static void setup_test(void) {
+static int intro(void) {
log_info("realtime=" USEC_FMT "\n"
"monotonic=" USEC_FMT "\n"
"boottime=" USEC_FMT "\n",
@@ -603,6 +603,8 @@ static void setup_test(void) {
uintmax_t x = TIME_T_MAX;
x++;
assert_se((time_t) x < 0);
+
+ return EXIT_SUCCESS;
}
-DEFINE_CUSTOM_TEST_MAIN(LOG_INFO, setup_test(), /* no outro */);
+DEFINE_CUSTOM_TEST_MAIN(LOG_INFO, intro, test_nop);
diff --git a/src/test/test-unit-file.c b/src/test/test-unit-file.c
index 0f8c25c218..6c9f245c7e 100644
--- a/src/test/test-unit-file.c
+++ b/src/test/test-unit-file.c
@@ -102,4 +102,9 @@ TEST(runlevel_to_target) {
assert_se(streq_ptr(runlevel_to_target("rd.rescue"), SPECIAL_RESCUE_TARGET));
}
-DEFINE_CUSTOM_TEST_MAIN(LOG_DEBUG, log_show_color(true), /* no outro */);
+static int intro(void) {
+ log_show_color(true);
+ return EXIT_SUCCESS;
+}
+
+DEFINE_CUSTOM_TEST_MAIN(LOG_DEBUG, intro, test_nop);
diff --git a/src/test/test-unit-name.c b/src/test/test-unit-name.c
index 6bde9e090d..1f65407e5f 100644
--- a/src/test/test-unit-name.c
+++ b/src/test/test-unit-name.c
@@ -23,6 +23,10 @@
#include "user-util.h"
#include "util.h"
+static char *runtime_dir = NULL;
+
+STATIC_DESTRUCTOR_REGISTER(runtime_dir, rm_rf_physical_and_freep);
+
static void test_unit_name_is_valid_one(const char *name, UnitNameFlags flags, bool expected) {
log_info("%s ( %s%s%s ): %s",
name,
@@ -844,15 +848,12 @@ TEST(unit_name_prefix_equal) {
assert_se(!unit_name_prefix_equal("a", "a"));
}
-DEFINE_CUSTOM_TEST_MAIN(
- LOG_INFO,
+static int intro(void) {
+ if (enter_cgroup_subroot(NULL) == -ENOMEDIUM)
+ return log_tests_skipped("cgroupfs not available");
- _cleanup_(rm_rf_physical_and_freep) char *runtime_dir = NULL;
- ({
- if (enter_cgroup_subroot(NULL) == -ENOMEDIUM)
- return log_tests_skipped("cgroupfs not available");
-
- assert_se(runtime_dir = setup_fake_runtime_dir());
- }),
+ assert_se(runtime_dir = setup_fake_runtime_dir());
+ return EXIT_SUCCESS;
+}
- /* no outro */);
+DEFINE_CUSTOM_TEST_MAIN(LOG_INFO, intro, test_nop);
diff --git a/src/test/test-unit-serialize.c b/src/test/test-unit-serialize.c
index 899fdc000c..5d39176db2 100644
--- a/src/test/test-unit-serialize.c
+++ b/src/test/test-unit-serialize.c
@@ -4,6 +4,10 @@
#include "service.h"
#include "tests.h"
+static char *runtime_dir = NULL;
+
+STATIC_DESTRUCTOR_REGISTER(runtime_dir, rm_rf_physical_and_freep);
+
#define EXEC_START_ABSOLUTE \
"ExecStart 0 /bin/sh \"sh\" \"-e\" \"-x\" \"-c\" \"systemctl --state=failed --no-legend --no-pager >/failed ; systemctl daemon-reload ; echo OK >/testok\""
#define EXEC_START_RELATIVE \
@@ -48,15 +52,12 @@ TEST(deserialize_exec_command) {
test_deserialize_exec_command_one(m, "control-command", "ExecWhat 11 /a/b c d e", -EINVAL);
}
-DEFINE_CUSTOM_TEST_MAIN(
- LOG_DEBUG,
+static int intro(void) {
+ if (enter_cgroup_subroot(NULL) == -ENOMEDIUM)
+ return log_tests_skipped("cgroupfs not available");
- _cleanup_(rm_rf_physical_and_freep) char *runtime_dir = NULL;
- ({
- if (enter_cgroup_subroot(NULL) == -ENOMEDIUM)
- return log_tests_skipped("cgroupfs not available");
-
- assert_se(runtime_dir = setup_fake_runtime_dir());
- }),
+ assert_se(runtime_dir = setup_fake_runtime_dir());
+ return EXIT_SUCCESS;
+}
- /* no outro */);
+DEFINE_CUSTOM_TEST_MAIN(LOG_DEBUG, intro, test_nop);
diff --git a/src/test/test-utf8.c b/src/test/test-utf8.c
index a21fcd6fd2..1b31d1f852 100644
--- a/src/test/test-utf8.c
+++ b/src/test/test-utf8.c
@@ -231,4 +231,9 @@ TEST(utf8_to_utf16) {
}
}
-DEFINE_CUSTOM_TEST_MAIN(LOG_INFO, log_show_color(true), /* no outro */);
+static int intro(void) {
+ log_show_color(true);
+ return EXIT_SUCCESS;
+}
+
+DEFINE_CUSTOM_TEST_MAIN(LOG_INFO, intro, test_nop);

300
SOURCES/0027-test-allow-to-set-NULL-to-intro-or-outro.patch
View File

@ -1,300 +0,0 @@
From 0be677fb6663ab6bfd02eae6ad32e7f031cfde0f Mon Sep 17 00:00:00 2001
From: Yu Watanabe <watanabe.yu+github@gmail.com>
Date: Wed, 2 Feb 2022 11:06:41 +0900
Subject: [PATCH] test: allow to set NULL to intro or outro
Addresses https://github.com/systemd/systemd/pull/22338#discussion_r796741033.
(cherry picked from commit e85fdacc8ad7d91f140a135aaa3fd5372d3fa47c)
Related: #2017035
---
src/shared/tests.h | 45 +++++++++++++++++----------------
src/test/test-barrier.c | 2 +-
src/test/test-cgroup-setup.c | 2 +-
src/test/test-chown-rec.c | 2 +-
src/test/test-format-table.c | 2 +-
src/test/test-fs-util.c | 2 +-
src/test/test-hashmap.c | 2 +-
src/test/test-install-root.c | 2 +-
src/test/test-load-fragment.c | 2 +-
src/test/test-mountpoint-util.c | 2 +-
src/test/test-namespace.c | 2 +-
src/test/test-proc-cmdline.c | 2 +-
src/test/test-process-util.c | 2 +-
src/test/test-sd-hwdb.c | 2 +-
src/test/test-serialize.c | 2 +-
src/test/test-sleep.c | 2 +-
src/test/test-stat-util.c | 2 +-
src/test/test-time-util.c | 2 +-
src/test/test-unit-file.c | 2 +-
src/test/test-unit-name.c | 2 +-
src/test/test-unit-serialize.c | 2 +-
src/test/test-utf8.c | 2 +-
22 files changed, 44 insertions(+), 43 deletions(-)
diff --git a/src/shared/tests.h b/src/shared/tests.h
index 59448f38f6..ef6acd368e 100644
--- a/src/shared/tests.h
+++ b/src/shared/tests.h
@@ -110,27 +110,28 @@ static inline int run_test_table(void) {
return r;
}
-static inline int test_nop(void) {
- return EXIT_SUCCESS;
-}
-
-#define DEFINE_CUSTOM_TEST_MAIN(log_level, intro, outro) \
- int main(int argc, char *argv[]) { \
- int _r, _q; \
- test_setup_logging(log_level); \
- save_argc_argv(argc, argv); \
- _r = intro(); \
- if (_r == EXIT_SUCCESS) \
- _r = run_test_table(); \
- _q = outro(); \
- static_destruct(); \
- if (_r < 0) \
- return EXIT_FAILURE; \
- if (_r != EXIT_SUCCESS) \
- return _r; \
- if (_q < 0) \
- return EXIT_FAILURE; \
- return _q; \
+#define DEFINE_TEST_MAIN_FULL(log_level, intro, outro) \
+ int main(int argc, char *argv[]) { \
+ int (*_intro)(void) = intro; \
+ int (*_outro)(void) = outro; \
+ int _r, _q; \
+ test_setup_logging(log_level); \
+ save_argc_argv(argc, argv); \
+ _r = _intro ? _intro() : EXIT_SUCCESS; \
+ if (_r == EXIT_SUCCESS) \
+ _r = run_test_table(); \
+ _q = _outro ? _outro() : EXIT_SUCCESS; \
+ static_destruct(); \
+ if (_r < 0) \
+ return EXIT_FAILURE; \
+ if (_r != EXIT_SUCCESS) \
+ return _r; \
+ if (_q < 0) \
+ return EXIT_FAILURE; \
+ return _q; \
}
-#define DEFINE_TEST_MAIN(log_level) DEFINE_CUSTOM_TEST_MAIN(log_level, test_nop, test_nop)
+#define DEFINE_TEST_MAIN_WITH_INTRO(log_level, intro) \
+ DEFINE_TEST_MAIN_FULL(log_level, intro, NULL)
+#define DEFINE_TEST_MAIN(log_level) \
+ DEFINE_TEST_MAIN_FULL(log_level, NULL, NULL)
diff --git a/src/test/test-barrier.c b/src/test/test-barrier.c
index b87538806a..bbd7e2bddb 100644
--- a/src/test/test-barrier.c
+++ b/src/test/test-barrier.c
@@ -444,4 +444,4 @@ static int intro(void) {
return EXIT_SUCCESS;
}
-DEFINE_CUSTOM_TEST_MAIN(LOG_INFO, intro, test_nop);
+DEFINE_TEST_MAIN_WITH_INTRO(LOG_INFO, intro);
diff --git a/src/test/test-cgroup-setup.c b/src/test/test-cgroup-setup.c
index 6f93647685..c377ff0a00 100644
--- a/src/test/test-cgroup-setup.c
+++ b/src/test/test-cgroup-setup.c
@@ -71,4 +71,4 @@ static int intro(void) {
return EXIT_SUCCESS;
}
-DEFINE_CUSTOM_TEST_MAIN(LOG_DEBUG, intro, test_nop);
+DEFINE_TEST_MAIN_WITH_INTRO(LOG_DEBUG, intro);
diff --git a/src/test/test-chown-rec.c b/src/test/test-chown-rec.c
index 691cfe767f..97711f58b0 100644
--- a/src/test/test-chown-rec.c
+++ b/src/test/test-chown-rec.c
@@ -156,4 +156,4 @@ static int intro(void) {
return EXIT_SUCCESS;
}
-DEFINE_CUSTOM_TEST_MAIN(LOG_DEBUG, intro, test_nop);
+DEFINE_TEST_MAIN_WITH_INTRO(LOG_DEBUG, intro);
diff --git a/src/test/test-format-table.c b/src/test/test-format-table.c
index 7515a74c12..1b4963d928 100644
--- a/src/test/test-format-table.c
+++ b/src/test/test-format-table.c
@@ -535,4 +535,4 @@ static int intro(void) {
return EXIT_SUCCESS;
}
-DEFINE_CUSTOM_TEST_MAIN(LOG_INFO, intro, test_nop);
+DEFINE_TEST_MAIN_WITH_INTRO(LOG_INFO, intro);
diff --git a/src/test/test-fs-util.c b/src/test/test-fs-util.c
index da5a16b4bc..602ce75f98 100644
--- a/src/test/test-fs-util.c
+++ b/src/test/test-fs-util.c
@@ -973,4 +973,4 @@ static int intro(void) {
return EXIT_SUCCESS;
}
-DEFINE_CUSTOM_TEST_MAIN(LOG_INFO, intro, test_nop);
+DEFINE_TEST_MAIN_WITH_INTRO(LOG_INFO, intro);
diff --git a/src/test/test-hashmap.c b/src/test/test-hashmap.c
index 4dc155d818..dbf762cc0b 100644
--- a/src/test/test-hashmap.c
+++ b/src/test/test-hashmap.c
@@ -169,4 +169,4 @@ static int outro(void) {
return EXIT_SUCCESS;
}
-DEFINE_CUSTOM_TEST_MAIN(LOG_INFO, intro, outro);
+DEFINE_TEST_MAIN_FULL(LOG_INFO, intro, outro);
diff --git a/src/test/test-install-root.c b/src/test/test-install-root.c
index f540a832bd..f718689c3a 100644
--- a/src/test/test-install-root.c
+++ b/src/test/test-install-root.c
@@ -1272,4 +1272,4 @@ static int intro(void) {
}
-DEFINE_CUSTOM_TEST_MAIN(LOG_INFO, intro, test_nop);
+DEFINE_TEST_MAIN_WITH_INTRO(LOG_INFO, intro);
diff --git a/src/test/test-load-fragment.c b/src/test/test-load-fragment.c
index 2e105df56a..1bd68c7e0a 100644
--- a/src/test/test-load-fragment.c
+++ b/src/test/test-load-fragment.c
@@ -906,4 +906,4 @@ static int intro(void) {
return EXIT_SUCCESS;
}
-DEFINE_CUSTOM_TEST_MAIN(LOG_INFO, intro, test_nop);
+DEFINE_TEST_MAIN_WITH_INTRO(LOG_INFO, intro);
diff --git a/src/test/test-mountpoint-util.c b/src/test/test-mountpoint-util.c
index 102d2850bf..4d140c42b6 100644
--- a/src/test/test-mountpoint-util.c
+++ b/src/test/test-mountpoint-util.c
@@ -313,4 +313,4 @@ static int intro(void) {
return EXIT_SUCCESS;
}
-DEFINE_CUSTOM_TEST_MAIN(LOG_DEBUG, intro, test_nop);
+DEFINE_TEST_MAIN_WITH_INTRO(LOG_DEBUG, intro);
diff --git a/src/test/test-namespace.c b/src/test/test-namespace.c
index f9e34f3bfa..7a634adca9 100644
--- a/src/test/test-namespace.c
+++ b/src/test/test-namespace.c
@@ -227,4 +227,4 @@ static int intro(void) {
return EXIT_SUCCESS;
}
-DEFINE_CUSTOM_TEST_MAIN(LOG_INFO, intro, test_nop);
+DEFINE_TEST_MAIN_WITH_INTRO(LOG_INFO, intro);
diff --git a/src/test/test-proc-cmdline.c b/src/test/test-proc-cmdline.c
index 064b4d838f..1f43bb3eb0 100644
--- a/src/test/test-proc-cmdline.c
+++ b/src/test/test-proc-cmdline.c
@@ -254,4 +254,4 @@ static int intro(void) {
return EXIT_SUCCESS;
}
-DEFINE_CUSTOM_TEST_MAIN(LOG_INFO, intro, test_nop);
+DEFINE_TEST_MAIN_WITH_INTRO(LOG_INFO, intro);
diff --git a/src/test/test-process-util.c b/src/test/test-process-util.c
index 8661934929..7a8adad50c 100644
--- a/src/test/test-process-util.c
+++ b/src/test/test-process-util.c
@@ -900,4 +900,4 @@ static int intro(void) {
return EXIT_SUCCESS;
}
-DEFINE_CUSTOM_TEST_MAIN(LOG_INFO, intro, test_nop);
+DEFINE_TEST_MAIN_WITH_INTRO(LOG_INFO, intro);
diff --git a/src/test/test-sd-hwdb.c b/src/test/test-sd-hwdb.c
index 88992a6c2b..4251e2a809 100644
--- a/src/test/test-sd-hwdb.c
+++ b/src/test/test-sd-hwdb.c
@@ -63,4 +63,4 @@ static int intro(void) {
return EXIT_SUCCESS;
}
-DEFINE_CUSTOM_TEST_MAIN(LOG_DEBUG, intro, test_nop);
+DEFINE_TEST_MAIN_WITH_INTRO(LOG_DEBUG, intro);
diff --git a/src/test/test-serialize.c b/src/test/test-serialize.c
index 9aeb6c5920..bcf2e843b0 100644
--- a/src/test/test-serialize.c
+++ b/src/test/test-serialize.c
@@ -195,4 +195,4 @@ static int intro(void) {
return EXIT_SUCCESS;
}
-DEFINE_CUSTOM_TEST_MAIN(LOG_INFO, intro, test_nop);
+DEFINE_TEST_MAIN_WITH_INTRO(LOG_INFO, intro);
diff --git a/src/test/test-sleep.c b/src/test/test-sleep.c
index f56e7e0167..5aebcdd935 100644
--- a/src/test/test-sleep.c
+++ b/src/test/test-sleep.c
@@ -125,4 +125,4 @@ static int intro(void) {
return EXIT_SUCCESS;
}
-DEFINE_CUSTOM_TEST_MAIN(LOG_DEBUG, intro, test_nop);
+DEFINE_TEST_MAIN_WITH_INTRO(LOG_DEBUG, intro);
diff --git a/src/test/test-stat-util.c b/src/test/test-stat-util.c
index 2965ee679f..7f633ab259 100644
--- a/src/test/test-stat-util.c
+++ b/src/test/test-stat-util.c
@@ -241,4 +241,4 @@ static int intro(void) {
return EXIT_SUCCESS;
}
-DEFINE_CUSTOM_TEST_MAIN(LOG_INFO, intro, test_nop);
+DEFINE_TEST_MAIN_WITH_INTRO(LOG_INFO, intro);
diff --git a/src/test/test-time-util.c b/src/test/test-time-util.c
index f21d8b7794..554693834b 100644
--- a/src/test/test-time-util.c
+++ b/src/test/test-time-util.c
@@ -607,4 +607,4 @@ static int intro(void) {
return EXIT_SUCCESS;
}
-DEFINE_CUSTOM_TEST_MAIN(LOG_INFO, intro, test_nop);
+DEFINE_TEST_MAIN_WITH_INTRO(LOG_INFO, intro);
diff --git a/src/test/test-unit-file.c b/src/test/test-unit-file.c
index 6c9f245c7e..cc08a4ae4b 100644
--- a/src/test/test-unit-file.c
+++ b/src/test/test-unit-file.c
@@ -107,4 +107,4 @@ static int intro(void) {
return EXIT_SUCCESS;
}
-DEFINE_CUSTOM_TEST_MAIN(LOG_DEBUG, intro, test_nop);
+DEFINE_TEST_MAIN_WITH_INTRO(LOG_DEBUG, intro);
diff --git a/src/test/test-unit-name.c b/src/test/test-unit-name.c
index 1f65407e5f..8cd0e0b4a1 100644
--- a/src/test/test-unit-name.c
+++ b/src/test/test-unit-name.c
@@ -856,4 +856,4 @@ static int intro(void) {
return EXIT_SUCCESS;
}
-DEFINE_CUSTOM_TEST_MAIN(LOG_INFO, intro, test_nop);
+DEFINE_TEST_MAIN_WITH_INTRO(LOG_INFO, intro);
diff --git a/src/test/test-unit-serialize.c b/src/test/test-unit-serialize.c
index 5d39176db2..3ef15f3b1e 100644
--- a/src/test/test-unit-serialize.c
+++ b/src/test/test-unit-serialize.c
@@ -60,4 +60,4 @@ static int intro(void) {
return EXIT_SUCCESS;
}
-DEFINE_CUSTOM_TEST_MAIN(LOG_DEBUG, intro, test_nop);
+DEFINE_TEST_MAIN_WITH_INTRO(LOG_DEBUG, intro);
diff --git a/src/test/test-utf8.c b/src/test/test-utf8.c
index 1b31d1f852..7337b81227 100644
--- a/src/test/test-utf8.c
+++ b/src/test/test-utf8.c
@@ -236,4 +236,4 @@ static int intro(void) {
return EXIT_SUCCESS;
}
-DEFINE_CUSTOM_TEST_MAIN(LOG_INFO, intro, test_nop);
+DEFINE_TEST_MAIN_WITH_INTRO(LOG_INFO, intro);

34
SOURCES/0027-tests-backport-test_setup_logging.patch Normal file
View File

@ -0,0 +1,34 @@
From ab6a1bdf3519d4344dee4e0225c74fc1198c8a60 Mon Sep 17 00:00:00 2001
From: Michal Sekletar <msekleta@redhat.com>
Date: Mon, 15 Oct 2018 10:54:11 +0000
Subject: [PATCH] tests: backport test_setup_logging()
Related: #1635428
---
src/shared/tests.c | 6 ++++++
src/shared/tests.h | 1 +
2 files changed, 7 insertions(+)
diff --git a/src/shared/tests.c b/src/shared/tests.c
index 6b3df0aa07..b10343650f 100644
--- a/src/shared/tests.c
+++ b/src/shared/tests.c
@@ -54,3 +54,9 @@ const char* get_testdata_dir(const char *suffix) {
strncpy(testdir + strlen(testdir), suffix, sizeof(testdir) - strlen(testdir) - 1);
return testdir;
}
+
+void test_setup_logging(int level) {
+ log_set_max_level(level);
+ log_parse_environment();
+ log_open();
+}
diff --git a/src/shared/tests.h b/src/shared/tests.h
index b88135ed93..cad21169f8 100644
--- a/src/shared/tests.h
+++ b/src/shared/tests.h
@@ -3,3 +3,4 @@
char* setup_fake_runtime_dir(void);
const char* get_testdata_dir(const char *suffix);
+void test_setup_logging(int level);

23
SOURCES/0028-journal-change-support-URL-shown-in-the-catalog-entr.patch Normal file
View File

@ -0,0 +1,23 @@
From 80d5f0e2057717e9e5588edcabac95b8c238795c Mon Sep 17 00:00:00 2001
From: Michal Sekletar <msekleta@redhat.com>
Date: Mon, 15 Oct 2018 10:55:50 +0000
Subject: [PATCH] journal: change support URL shown in the catalog entries
Resolves: #1550548
---
meson_options.txt | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/meson_options.txt b/meson_options.txt
index 16c1f2b2fa..ab2a658713 100644
--- a/meson_options.txt
+++ b/meson_options.txt
@@ -205,7 +205,7 @@ option('ntp-servers', type : 'string',
value : 'time1.google.com time2.google.com time3.google.com time4.google.com')
option('support-url', type : 'string',
description : 'the support URL to show in catalog entries included in systemd',
- value : 'https://lists.freedesktop.org/mailman/listinfo/systemd-devel')
+ value : 'https://access.redhat.com/support')
option('www-target', type : 'string',
description : 'the address and dir to upload docs too',
value : 'www.freedesktop.org:/srv/www.freedesktop.org/www/software/systemd')

48
SOURCES/0029-resolved-create-etc-resolv.conf-symlink-at-runtime.patch Normal file
View File

@ -0,0 +1,48 @@
From e0f2dd42fb02aa5767d38714c95ac10fb683ad67 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
Date: Fri, 11 Mar 2016 17:06:17 -0500
Subject: [PATCH] resolved: create /etc/resolv.conf symlink at runtime
If the symlink doesn't exists, and we are being started, let's
create it to provie name resolution.
If it exists, do nothing. In particular, if it is a broken symlink,
we cannot really know if the administator configured it to point to
a location used by some service that hasn't started yet, so we
don't touch it in that case either.
https://bugzilla.redhat.com/show_bug.cgi?id=1313085
---
src/resolve/resolved.c | 4 ++++
tmpfiles.d/etc.conf.m4 | 3 ---
2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/src/resolve/resolved.c b/src/resolve/resolved.c
index c01e53e9da..f3d96df458 100644
--- a/src/resolve/resolved.c
+++ b/src/resolve/resolved.c
@@ -53,6 +53,10 @@ int main(int argc, char *argv[]) {
/* Drop privileges, but only if we have been started as root. If we are not running as root we assume all
* privileges are already dropped. */
if (getuid() == 0) {
+ r = symlink("../run/systemd/resolve/resolv.conf", "/etc/resolv.conf");
+ if (r < 0 && errno != EEXIST)
+ log_warning_errno(errno,
+ "Could not create /etc/resolv.conf symlink: %m");
/* Drop privileges, but keep three caps. Note that we drop those too, later on (see below) */
r = drop_privileges(uid, gid,
diff --git a/tmpfiles.d/etc.conf.m4 b/tmpfiles.d/etc.conf.m4
index df8d42101c..928105ea8d 100644
--- a/tmpfiles.d/etc.conf.m4
+++ b/tmpfiles.d/etc.conf.m4
@@ -13,9 +13,6 @@ L+ /etc/mtab - - - - ../proc/self/mounts
m4_ifdef(`HAVE_SMACK_RUN_LABEL',
t /etc/mtab - - - - security.SMACK64=_
)m4_dnl
-m4_ifdef(`ENABLE_RESOLVE',
-L! /etc/resolv.conf - - - - ../run/systemd/resolve/stub-resolv.conf
-)m4_dnl
C /etc/nsswitch.conf - - - -
m4_ifdef(`HAVE_PAM',
C /etc/pam.d - - - -

27
SOURCES/0030-dissect-image-use-right-comparison-function.patch Normal file
View File

@ -0,0 +1,27 @@
From e615b80f3fda82ac7fe628800a9ff2103788bd05 Mon Sep 17 00:00:00 2001
From: David Tardon <dtardon@redhat.com>
Date: Tue, 9 Oct 2018 13:50:55 +0200
Subject: [PATCH] dissect-image: use right comparison function
fstype can be NULL here.
(cherry picked from commit 4db1879acdc0b853e1a7e6e650b6feb917175fac)
Resolves: #1602706
---
src/shared/dissect-image.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/shared/dissect-image.c b/src/shared/dissect-image.c
index fa1cf26ee1..e076c8e7db 100644
--- a/src/shared/dissect-image.c
+++ b/src/shared/dissect-image.c
@@ -230,7 +230,7 @@ int dissect_image(
.node = TAKE_PTR(n),
};
- m->encrypted = streq(fstype, "crypto_LUKS");
+ m->encrypted = streq_ptr(fstype, "crypto_LUKS");
*ret = TAKE_PTR(m);

60
SOURCES/0031-login-avoid-leak-of-name-returned-by-uid_to_name.patch Normal file
View File

@ -0,0 +1,60 @@
From 8fdca31b41a6470ceda8e0a84f90a1e5ca28aa5c Mon Sep 17 00:00:00 2001
From: David Tardon <dtardon@redhat.com>
Date: Tue, 9 Oct 2018 17:26:19 +0200
Subject: [PATCH] login: avoid leak of name returned by uid_to_name()
(cherry picked from commit e99742ef3e9d847da04e71fec0eb426063b25068)
Resolves: #1602706
---
src/login/logind-dbus.c | 4 +++-
src/login/logind-utmp.c | 6 +++---
2 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/src/login/logind-dbus.c b/src/login/logind-dbus.c
index 13298cc855..dca7f4a30f 100644
--- a/src/login/logind-dbus.c
+++ b/src/login/logind-dbus.c
@@ -2155,6 +2155,7 @@ static int method_cancel_scheduled_shutdown(sd_bus_message *message, void *userd
if (cancelled && m->enable_wall_messages) {
_cleanup_(sd_bus_creds_unrefp) sd_bus_creds *creds = NULL;
+ _cleanup_free_ char *username = NULL;
const char *tty = NULL;
uid_t uid = 0;
int r;
@@ -2165,8 +2166,9 @@ static int method_cancel_scheduled_shutdown(sd_bus_message *message, void *userd
(void) sd_bus_creds_get_tty(creds, &tty);
}
+ username = uid_to_name(uid);
utmp_wall("The system shutdown has been cancelled",
- uid_to_name(uid), tty, logind_wall_tty_filter, m);
+ username, tty, logind_wall_tty_filter, m);
}
return sd_bus_reply_method_return(message, "b", cancelled);
diff --git a/src/login/logind-utmp.c b/src/login/logind-utmp.c
index 71ebdfcfb1..8bdd4ab6bf 100644
--- a/src/login/logind-utmp.c
+++ b/src/login/logind-utmp.c
@@ -61,7 +61,7 @@ bool logind_wall_tty_filter(const char *tty, void *userdata) {
static int warn_wall(Manager *m, usec_t n) {
char date[FORMAT_TIMESTAMP_MAX] = {};
- _cleanup_free_ char *l = NULL;
+ _cleanup_free_ char *l = NULL, *username = NULL;
usec_t left;
int r;
@@ -83,8 +83,8 @@ static int warn_wall(Manager *m, usec_t n) {
return 0;
}
- utmp_wall(l, uid_to_name(m->scheduled_shutdown_uid),
- m->scheduled_shutdown_tty, logind_wall_tty_filter, m);
+ username = uid_to_name(m->scheduled_shutdown_uid);
+ utmp_wall(l, username, m->scheduled_shutdown_tty, logind_wall_tty_filter, m);
return 1;
}

36
SOURCES/0032-firewall-util-add-an-assert-that-we-re-not-overwriti.patch Normal file
View File

@ -0,0 +1,36 @@
From fbe394e9166ddfe847dcac0eab0fcbd3c225dc33 Mon Sep 17 00:00:00 2001
From: David Tardon <dtardon@redhat.com>
Date: Wed, 10 Oct 2018 09:33:28 +0200
Subject: [PATCH] firewall-util: add an assert that we're not overwriting a
buffer
... like commit f28501279d2c28fdbb31d8273b723e9bf71d3b98 does for
out_interface.
(cherry picked from commit 0b777d20e9a3868b12372ffce8040d1be063cec7)
Resolves: #1602706
---
src/shared/firewall-util.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/src/shared/firewall-util.c b/src/shared/firewall-util.c
index eb4f5ff616..cba52fb419 100644
--- a/src/shared/firewall-util.c
+++ b/src/shared/firewall-util.c
@@ -50,8 +50,14 @@ static int entry_fill_basics(
entry->ip.proto = protocol;
if (in_interface) {
+ size_t l;
+
+ l = strlen(in_interface);
+ assert(l < sizeof entry->ip.iniface);
+ assert(l < sizeof entry->ip.iniface_mask);
+
strcpy(entry->ip.iniface, in_interface);
- memset(entry->ip.iniface_mask, 0xFF, strlen(in_interface)+1);
+ memset(entry->ip.iniface_mask, 0xFF, l + 1);
}
if (source) {
entry->ip.src = source->in;

29
SOURCES/0033-journal-file-avoid-calling-ftruncate-with-invalid-fd.patch Normal file
View File

@ -0,0 +1,29 @@
From ebdb96247433d920b391672e019da9402aabd351 Mon Sep 17 00:00:00 2001
From: David Tardon <dtardon@redhat.com>
Date: Wed, 10 Oct 2018 13:56:54 +0200
Subject: [PATCH] journal-file: avoid calling ftruncate with invalid fd
This can happen if journal_file_close is called from the failure
handling code of journal_file_open before f->fd was established.
(cherry picked from commit c52368509f48e556be5a4c7a171361b656a25e02)
Resolves: #1602706
---
src/journal/journal-file.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/src/journal/journal-file.c b/src/journal/journal-file.c
index 62e7f68a13..efc3ee052b 100644
--- a/src/journal/journal-file.c
+++ b/src/journal/journal-file.c
@@ -1846,6 +1846,9 @@ static int journal_file_append_entry_internal(
void journal_file_post_change(JournalFile *f) {
assert(f);
+ if (f->fd < 0)
+ return;
+
/* inotify() does not receive IN_MODIFY events from file
* accesses done via mmap(). After each access we hence
* trigger IN_MODIFY by truncating the journal file to its

33
SOURCES/0034-dhcp6-make-sure-we-have-enough-space-for-the-DHCP6-o.patch Normal file
View File

@ -0,0 +1,33 @@
From c232bc1f346a6af9777c216d01f7940898ae1650 Mon Sep 17 00:00:00 2001
From: Lennart Poettering <lennart@poettering.net>
Date: Fri, 19 Oct 2018 12:12:33 +0200
Subject: [PATCH] dhcp6: make sure we have enough space for the DHCP6 option
header
Fixes a vulnerability originally discovered by Felix Wilhelm from
Google.
CVE-2018-15688
LP: #1795921
https://bugzilla.redhat.com/show_bug.cgi?id=1639067
(cherry-picked from commit 4dac5eaba4e419b29c97da38a8b1f82336c2c892)
Resolves: #1643363
---
src/libsystemd-network/dhcp6-option.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/libsystemd-network/dhcp6-option.c b/src/libsystemd-network/dhcp6-option.c
index 18196b1257..0979497299 100644
--- a/src/libsystemd-network/dhcp6-option.c
+++ b/src/libsystemd-network/dhcp6-option.c
@@ -103,7 +103,7 @@ int dhcp6_option_append_ia(uint8_t **buf, size_t *buflen, DHCP6IA *ia) {
return -EINVAL;
}
- if (*buflen < len)
+ if (*buflen < offsetof(DHCP6Option, data) + len)
return -ENOBUFS;
ia_hdr = *buf;

133
SOURCES/0035-core-rename-queued_message-pending_reload_message.patch Normal file
View File

@ -0,0 +1,133 @@
From 35a23324975ac6ee0bbd3408394f992007b7a439 Mon Sep 17 00:00:00 2001
From: Lennart Poettering <lennart@poettering.net>
Date: Tue, 13 Nov 2018 11:59:06 +0100
Subject: [PATCH] =?UTF-8?q?core:=20rename=20queued=5Fmessage=20=E2=86=92?=
=?UTF-8?q?=20pending=5Freload=5Fmessage?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This field is only used for pending Reload() replies, hence let's rename
it to be more descriptive and precise.
No change in behaviour.
(cherry picked from commit 209de5256b7ba8600c3e73a85a43b86708998d65)
Resolves: #1647359
---
src/core/dbus-manager.c | 4 ++--
src/core/dbus.c | 12 ++++++------
src/core/dbus.h | 2 +-
src/core/manager.c | 6 +++---
src/core/manager.h | 2 +-
5 files changed, 13 insertions(+), 13 deletions(-)
diff --git a/src/core/dbus-manager.c b/src/core/dbus-manager.c
index 4ed68af1e0..d39c9b28c4 100644
--- a/src/core/dbus-manager.c
+++ b/src/core/dbus-manager.c
@@ -1329,8 +1329,8 @@ static int method_reload(sd_bus_message *message, void *userdata, sd_bus_error *
* is finished. That way the caller knows when the reload
* finished. */
- assert(!m->queued_message);
- r = sd_bus_message_new_method_return(message, &m->queued_message);
+ assert(!m->pending_reload_message);
+ r = sd_bus_message_new_method_return(message, &m->pending_reload_message);
if (r < 0)
return r;
diff --git a/src/core/dbus.c b/src/core/dbus.c
index bf5917696e..256a410215 100644
--- a/src/core/dbus.c
+++ b/src/core/dbus.c
@@ -47,23 +47,23 @@
static void destroy_bus(Manager *m, sd_bus **bus);
-int bus_send_queued_message(Manager *m) {
+int bus_send_pending_reload_message(Manager *m) {
int r;
assert(m);
- if (!m->queued_message)
+ if (!m->pending_reload_message)
return 0;
/* If we cannot get rid of this message we won't dispatch any
* D-Bus messages, so that we won't end up wanting to queue
* another message. */
- r = sd_bus_send(NULL, m->queued_message, NULL);
+ r = sd_bus_send(NULL, m->pending_reload_message, NULL);
if (r < 0)
log_warning_errno(r, "Failed to send queued message: %m");
- m->queued_message = sd_bus_message_unref(m->queued_message);
+ m->pending_reload_message = sd_bus_message_unref(m->pending_reload_message);
return 0;
}
@@ -1079,8 +1079,8 @@ static void destroy_bus(Manager *m, sd_bus **bus) {
u->bus_track = sd_bus_track_unref(u->bus_track);
/* Get rid of queued message on this bus */
- if (m->queued_message && sd_bus_message_get_bus(m->queued_message) == *bus)
- m->queued_message = sd_bus_message_unref(m->queued_message);
+ if (m->pending_reload_message && sd_bus_message_get_bus(m->pending_reload_message) == *bus)
+ m->pending_reload_message = sd_bus_message_unref(m->pending_reload_message);
/* Possibly flush unwritten data, but only if we are
* unprivileged, since we don't want to sync here */
diff --git a/src/core/dbus.h b/src/core/dbus.h
index 382a96da7d..f1c0fa86c0 100644
--- a/src/core/dbus.h
+++ b/src/core/dbus.h
@@ -5,7 +5,7 @@
#include "manager.h"
-int bus_send_queued_message(Manager *m);
+int bus_send_pending_reload_message(Manager *m);
int bus_init_private(Manager *m);
int bus_init_api(Manager *m);
diff --git a/src/core/manager.c b/src/core/manager.c
index 930df4e23a..a24bfcacdf 100644
--- a/src/core/manager.c
+++ b/src/core/manager.c
@@ -2078,7 +2078,7 @@ static unsigned manager_dispatch_dbus_queue(Manager *m) {
return 0;
/* Anything to do at all? */
- if (!m->dbus_unit_queue && !m->dbus_job_queue && !m->send_reloading_done && !m->queued_message)
+ if (!m->dbus_unit_queue && !m->dbus_job_queue && !m->send_reloading_done && !m->pending_reload_message)
return 0;
/* Do we have overly many messages queued at the moment? If so, let's not enqueue more on top, let's sit this
@@ -2123,8 +2123,8 @@ static unsigned manager_dispatch_dbus_queue(Manager *m) {
n++, budget--;
}
- if (budget > 0 && m->queued_message) {
- bus_send_queued_message(m);
+ if (budget > 0 && m->pending_reload_message) {
+ bus_send_pending_reload_message(m);
n++;
}
diff --git a/src/core/manager.h b/src/core/manager.h
index ea5d425030..c7f4d66ecd 100644
--- a/src/core/manager.h
+++ b/src/core/manager.h
@@ -215,7 +215,7 @@ struct Manager {
/* This is used during reloading: before the reload we queue
* the reply message here, and afterwards we send it */
- sd_bus_message *queued_message;
+ sd_bus_message *pending_reload_message;
Hashmap *watch_bus; /* D-Bus names => Unit object n:1 */

36
SOURCES/0036-core-when-we-can-t-send-the-pending-reload-message-s.patch Normal file
View File

@ -0,0 +1,36 @@
From 52a474cf15bf2b0edb449750eb63eb8cdb9a3780 Mon Sep 17 00:00:00 2001
From: Lennart Poettering <lennart@poettering.net>
Date: Tue, 13 Nov 2018 12:00:42 +0100
Subject: [PATCH] core: when we can't send the pending reload message, say we
ignore it in the warning we log
No change in behaviour, just better wording.
(cherry picked from commit 4b66bccab004221b903b43b4c224442bfa3e9ac7)
Resolves: #1647359
---
src/core/dbus.c | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/src/core/dbus.c b/src/core/dbus.c
index 256a410215..346a440c5d 100644
--- a/src/core/dbus.c
+++ b/src/core/dbus.c
@@ -55,13 +55,12 @@ int bus_send_pending_reload_message(Manager *m) {
if (!m->pending_reload_message)
return 0;
- /* If we cannot get rid of this message we won't dispatch any
- * D-Bus messages, so that we won't end up wanting to queue
- * another message. */
+ /* If we cannot get rid of this message we won't dispatch any D-Bus messages, so that we won't end up wanting
+ * to queue another message. */
r = sd_bus_send(NULL, m->pending_reload_message, NULL);
if (r < 0)
- log_warning_errno(r, "Failed to send queued message: %m");
+ log_warning_errno(r, "Failed to send queued message, ignoring: %m");
m->pending_reload_message = sd_bus_message_unref(m->pending_reload_message);

114
SOURCES/0037-core-make-sure-we-don-t-throttle-change-signal-gener.patch Normal file
View File

@ -0,0 +1,114 @@
From 0412acb95ffac94d5916ee19991cc7194e55953c Mon Sep 17 00:00:00 2001
From: Lennart Poettering <lennart@poettering.net>
Date: Tue, 13 Nov 2018 12:48:49 +0100
Subject: [PATCH] core: make sure we don't throttle change signal generator
when a reload is pending
Fixes: #10627
(cherry picked from commit b8d381c47776ea0440af175cbe0c02cb743bde08)
Resolves: #1647359
---
src/core/manager.c | 64 ++++++++++++++++++++++++++++------------------
1 file changed, 39 insertions(+), 25 deletions(-)
diff --git a/src/core/manager.c b/src/core/manager.c
index a24bfcacdf..3b2fe11e87 100644
--- a/src/core/manager.c
+++ b/src/core/manager.c
@@ -2074,56 +2074,70 @@ static unsigned manager_dispatch_dbus_queue(Manager *m) {
assert(m);
+ /* Avoid recursion */
if (m->dispatching_dbus_queue)
return 0;
- /* Anything to do at all? */
- if (!m->dbus_unit_queue && !m->dbus_job_queue && !m->send_reloading_done && !m->pending_reload_message)
- return 0;
+ /* When we are reloading, let's not wait with generating signals, since we need to exit the manager as quickly
+ * as we can. There's no point in throttling generation of signals in that case. */
+ if (MANAGER_IS_RELOADING(m) || m->send_reloading_done || m->pending_reload_message)
+ budget = (unsigned) -1; /* infinite budget in this case */
+ else {
+ /* Anything to do at all? */
+ if (!m->dbus_unit_queue && !m->dbus_job_queue)
+ return 0;
- /* Do we have overly many messages queued at the moment? If so, let's not enqueue more on top, let's sit this
- * cycle out, and process things in a later cycle when the queues got a bit emptier. */
- if (manager_bus_n_queued_write(m) > MANAGER_BUS_BUSY_THRESHOLD)
- return 0;
+ /* Do we have overly many messages queued at the moment? If so, let's not enqueue more on top, let's
+ * sit this cycle out, and process things in a later cycle when the queues got a bit emptier. */
+ if (manager_bus_n_queued_write(m) > MANAGER_BUS_BUSY_THRESHOLD)
+ return 0;
- /* Only process a certain number of units/jobs per event loop iteration. Even if the bus queue wasn't overly
- * full before this call we shouldn't increase it in size too wildly in one step, and we shouldn't monopolize
- * CPU time with generating these messages. Note the difference in counting of this "budget" and the
- * "threshold" above: the "budget" is decreased only once per generated message, regardless how many
- * busses/direct connections it is enqueued on, while the "threshold" is applied to each queued instance of bus
- * message, i.e. if the same message is enqueued to five busses/direct connections it will be counted five
- * times. This difference in counting ("references" vs. "instances") is primarily a result of the fact that
- * it's easier to implement it this way, however it also reflects the thinking that the "threshold" should put
- * a limit on used queue memory, i.e. space, while the "budget" should put a limit on time. Also note that
- * the "threshold" is currently chosen much higher than the "budget". */
- budget = MANAGER_BUS_MESSAGE_BUDGET;
+ /* Only process a certain number of units/jobs per event loop iteration. Even if the bus queue wasn't
+ * overly full before this call we shouldn't increase it in size too wildly in one step, and we
+ * shouldn't monopolize CPU time with generating these messages. Note the difference in counting of
+ * this "budget" and the "threshold" above: the "budget" is decreased only once per generated message,
+ * regardless how many busses/direct connections it is enqueued on, while the "threshold" is applied to
+ * each queued instance of bus message, i.e. if the same message is enqueued to five busses/direct
+ * connections it will be counted five times. This difference in counting ("references"
+ * vs. "instances") is primarily a result of the fact that it's easier to implement it this way,
+ * however it also reflects the thinking that the "threshold" should put a limit on used queue memory,
+ * i.e. space, while the "budget" should put a limit on time. Also note that the "threshold" is
+ * currently chosen much higher than the "budget". */
+ budget = MANAGER_BUS_MESSAGE_BUDGET;
+ }
m->dispatching_dbus_queue = true;
- while (budget > 0 && (u = m->dbus_unit_queue)) {
+ while (budget != 0 && (u = m->dbus_unit_queue)) {
assert(u->in_dbus_queue);
bus_unit_send_change_signal(u);
- n++, budget--;
+ n++;
+
+ if (budget != (unsigned) -1)
+ budget--;
}
- while (budget > 0 && (j = m->dbus_job_queue)) {
+ while (budget != 0 && (j = m->dbus_job_queue)) {
assert(j->in_dbus_queue);
bus_job_send_change_signal(j);
- n++, budget--;
+ n++;
+
+ if (budget != (unsigned) -1)
+ budget--;
}
m->dispatching_dbus_queue = false;
- if (budget > 0 && m->send_reloading_done) {
+ if (m->send_reloading_done) {
m->send_reloading_done = false;
bus_manager_send_reloading(m, false);
- n++, budget--;
+ n++;
}
- if (budget > 0 && m->pending_reload_message) {
+ if (m->pending_reload_message) {
bus_send_pending_reload_message(m);
n++;
}

45
SOURCES/0038-proc-cmdline-introduce-PROC_CMDLINE_RD_STRICT.patch Normal file
View File

@ -0,0 +1,45 @@
From 84b15a8a493424efa8c9eaa9a44a23c3c59742bd Mon Sep 17 00:00:00 2001
From: Lukas Nykryn <lnykryn@redhat.com>
Date: Thu, 25 Oct 2018 16:21:26 +0200
Subject: [PATCH] proc-cmdline: introduce PROC_CMDLINE_RD_STRICT
Our current set of flags allows an option to be either
use just in initrd or both in initrd and normal system.
This new flag is intended to be used in the case where
you want apply some settings just in initrd or just
in normal system.
(cherry picked from commit ed58820d7669971762dd887dc117d922c23f2543)
Related: #1643429
---
src/basic/proc-cmdline.c | 3 ++-
src/basic/proc-cmdline.h | 1 +
2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/basic/proc-cmdline.c b/src/basic/proc-cmdline.c
index add481c2ae..530ac37460 100644
--- a/src/basic/proc-cmdline.c
+++ b/src/basic/proc-cmdline.c
@@ -72,7 +72,8 @@ int proc_cmdline_parse(proc_cmdline_parse_t parse_item, void *data, unsigned fla
if (flags & PROC_CMDLINE_STRIP_RD_PREFIX)
key = q;
- }
+ } else if (in_initrd() && flags & PROC_CMDLINE_RD_STRICT)
+ continue;
value = strchr(key, '=');
if (value)
diff --git a/src/basic/proc-cmdline.h b/src/basic/proc-cmdline.h
index 4a9e6e0f62..140200dbf4 100644
--- a/src/basic/proc-cmdline.h
+++ b/src/basic/proc-cmdline.h
@@ -8,6 +8,7 @@
enum {
PROC_CMDLINE_STRIP_RD_PREFIX = 1,
PROC_CMDLINE_VALUE_OPTIONAL = 2,
+ PROC_CMDLINE_RD_STRICT = 4
};
typedef int (*proc_cmdline_parse_t)(const char *key, const char *value, void *data);

77
SOURCES/0039-debug-generator-introduce-rd.-version-of-all-options.patch Normal file
View File

@ -0,0 +1,77 @@
From 55798355455b9255458d6a705f8766c4dbe3ef73 Mon Sep 17 00:00:00 2001
From: Lukas Nykryn <lnykryn@redhat.com>
Date: Thu, 25 Oct 2018 16:34:00 +0200
Subject: [PATCH] debug-generator: introduce rd.* version of all options
(cherry picked from commit a7dd6d04b07f58df5c0294743d76df0be0b4b928)
Resolves: #1643429
---
man/systemd-debug-generator.xml | 27 +++++++++++++++++++--------
src/debug-generator/debug-generator.c | 2 +-
2 files changed, 20 insertions(+), 9 deletions(-)
diff --git a/man/systemd-debug-generator.xml b/man/systemd-debug-generator.xml
index d5cf4109b0..fa88e8ac01 100644
--- a/man/systemd-debug-generator.xml
+++ b/man/systemd-debug-generator.xml
@@ -33,27 +33,38 @@
that reads the kernel command line and understands three
options:</para>
- <para>If the <option>systemd.mask=</option> option is specified
- and followed by a unit name, this unit is masked for the runtime,
- similar to the effect of
+ <para>If the <option>systemd.mask=</option> or <option>rd.systemd.mask=</option>
+ option is specified and followed by a unit name, this unit is
+ masked for the runtime, similar to the effect of
<citerefentry><refentrytitle>systemctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>'s
<command>mask</command> command. This is useful to boot with
certain units removed from the initial boot transaction for
- debugging system startup. May be specified more than once.</para>
+ debugging system startup. May be specified more than once.
+ <option>rd.systemd.mask=</option> is honored only by initial
+ RAM disk (initrd) while <option>systemd.mask=</option> is
+ honored only in the main system.</para>
- <para>If the <option>systemd.wants=</option> option is specified
+ <para>If the <option>systemd.wants=</option> or
+ <option>rd.systemd.wants=</option> option is specified
and followed by a unit name, a start job for this unit is added to
the initial transaction. This is useful to start one or more
- additional units at boot. May be specified more than once.</para>
+ additional units at boot. May be specified more than once.
+ <option>rd.systemd.wants=</option> is honored only by initial
+ RAM disk (initrd) while <option>systemd.wants=</option> is
+ honored only in the main system.</para>
- <para>If the <option>systemd.debug_shell</option> option is
+ <para>If the <option>systemd.debug_shell</option> or
+ <option>rd.systemd.debug_shell</option> option is
specified, the debug shell service
<literal>debug-shell.service</literal> is pulled into the boot
transaction. It will spawn a debug shell on tty9 during early
system startup. Note that the shell may also be turned on
persistently by enabling it with
<citerefentry><refentrytitle>systemctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>'s
- <command>enable</command> command.</para>
+ <command>enable</command> command.
+ <option>rd.systemd.debug_shell=</option> is honored only by initial
+ RAM disk (initrd) while <option>systemd.debug_shell</option> is
+ honored only in the main system.</para>
<para><filename>systemd-debug-generator</filename> implements
<citerefentry><refentrytitle>systemd.generator</refentrytitle><manvolnum>7</manvolnum></citerefentry>.</para>
diff --git a/src/debug-generator/debug-generator.c b/src/debug-generator/debug-generator.c
index dd6ab94fa2..800d31cebe 100644
--- a/src/debug-generator/debug-generator.c
+++ b/src/debug-generator/debug-generator.c
@@ -154,7 +154,7 @@ int main(int argc, char *argv[]) {
umask(0022);
- r = proc_cmdline_parse(parse_proc_cmdline_item, NULL, 0);
+ r = proc_cmdline_parse(parse_proc_cmdline_item, NULL, PROC_CMDLINE_RD_STRICT | PROC_CMDLINE_STRIP_RD_PREFIX);
if (r < 0)
log_warning_errno(r, "Failed to parse kernel command line, ignoring: %m");

213
SOURCES/0040-chown-recursive-let-s-rework-the-recursive-logic-to-.patch Normal file
View File

@ -0,0 +1,213 @@
From 107d75ca9394481bd045385fc45f2ee65b30ad16 Mon Sep 17 00:00:00 2001
From: Lennart Poettering <lennart@poettering.net>
Date: Fri, 19 Oct 2018 11:26:59 +0200
Subject: [PATCH] chown-recursive: let's rework the recursive logic to use
O_PATH
That way we can pin a specific inode and analyze it and manipulate it
without it being swapped out beneath our hands.
Fixes a vulnerability originally found by Jann Horn from Google.
CVE-2018-15687
LP: #1796692
https://bugzilla.redhat.com/show_bug.cgi?id=1639076
(cherry-picked from commit 5de6cce58b3e8b79239b6e83653459d91af6e57c)
Resolves: #1643368
---
src/core/chown-recursive.c | 146 ++++++++++++++++++-------------------
1 file changed, 70 insertions(+), 76 deletions(-)
diff --git a/src/core/chown-recursive.c b/src/core/chown-recursive.c
index c4794501c2..27c64489b5 100644
--- a/src/core/chown-recursive.c
+++ b/src/core/chown-recursive.c
@@ -1,17 +1,19 @@
/* SPDX-License-Identifier: LGPL-2.1+ */
-#include <sys/types.h>
-#include <sys/stat.h>
#include <fcntl.h>
+#include <sys/stat.h>
+#include <sys/types.h>
-#include "user-util.h"
-#include "macro.h"
-#include "fd-util.h"
-#include "dirent-util.h"
#include "chown-recursive.h"
+#include "dirent-util.h"
+#include "fd-util.h"
+#include "macro.h"
+#include "stdio-util.h"
+#include "strv.h"
+#include "user-util.h"
-static int chown_one(int fd, const char *name, const struct stat *st, uid_t uid, gid_t gid) {
- int r;
+static int chown_one(int fd, const struct stat *st, uid_t uid, gid_t gid) {
+ char procfs_path[STRLEN("/proc/self/fd/") + DECIMAL_STR_MAX(int) + 1];
assert(fd >= 0);
assert(st);
@@ -20,90 +22,82 @@ static int chown_one(int fd, const char *name, const struct stat *st, uid_t uid,
(!gid_is_valid(gid) || st->st_gid == gid))
return 0;
- if (name)
- r = fchownat(fd, name, uid, gid, AT_SYMLINK_NOFOLLOW);
- else
- r = fchown(fd, uid, gid);
- if (r < 0)
- return -errno;
+ /* We change ownership through the /proc/self/fd/%i path, so that we have a stable reference that works with
+ * O_PATH. (Note: fchown() and fchmod() do not work with O_PATH, the kernel refuses that. */
+ xsprintf(procfs_path, "/proc/self/fd/%i", fd);
- /* The linux kernel alters the mode in some cases of chown(). Let's undo this. */
- if (name) {
- if (!S_ISLNK(st->st_mode))
- r = fchmodat(fd, name, st->st_mode, 0);
- else /* There's currently no AT_SYMLINK_NOFOLLOW for fchmodat() */
- r = 0;
- } else
- r = fchmod(fd, st->st_mode);
- if (r < 0)
+ if (chown(procfs_path, uid, gid) < 0)
return -errno;
+ /* The linux kernel alters the mode in some cases of chown(). Let's undo this. We do this only for non-symlinks
+ * however. That's because for symlinks the access mode is ignored anyway and because on some kernels/file
+ * systems trying to change the access mode will succeed but has no effect while on others it actively
+ * fails. */
+ if (!S_ISLNK(st->st_mode))
+ if (chmod(procfs_path, st->st_mode & 07777) < 0)
+ return -errno;
+
return 1;
}
static int chown_recursive_internal(int fd, const struct stat *st, uid_t uid, gid_t gid) {
+ _cleanup_closedir_ DIR *d = NULL;
bool changed = false;
+ struct dirent *de;
int r;
assert(fd >= 0);
assert(st);
- if (S_ISDIR(st->st_mode)) {
- _cleanup_closedir_ DIR *d = NULL;
- struct dirent *de;
-
- d = fdopendir(fd);
- if (!d) {
- r = -errno;
- goto finish;
- }
- fd = -1;
-
- FOREACH_DIRENT_ALL(de, d, r = -errno; goto finish) {
- struct stat fst;
-
- if (dot_or_dot_dot(de->d_name))
- continue;
-
- if (fstatat(dirfd(d), de->d_name, &fst, AT_SYMLINK_NOFOLLOW) < 0) {
- r = -errno;
- goto finish;
- }
-
- if (S_ISDIR(fst.st_mode)) {
- int subdir_fd;
-
- subdir_fd = openat(dirfd(d), de->d_name, O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC|O_NOFOLLOW|O_NOATIME);
- if (subdir_fd < 0) {
- r = -errno;
- goto finish;
- }
-
- r = chown_recursive_internal(subdir_fd, &fst, uid, gid);
- if (r < 0)
- goto finish;
- if (r > 0)
- changed = true;
- } else {
- r = chown_one(dirfd(d), de->d_name, &fst, uid, gid);
- if (r < 0)
- goto finish;
- if (r > 0)
- changed = true;
- }
+ d = fdopendir(fd);
+ if (!d) {
+ safe_close(fd);
+ return -errno;
+ }
+
+ FOREACH_DIRENT_ALL(de, d, return -errno) {
+ _cleanup_close_ int path_fd = -1;
+ struct stat fst;
+
+ if (dot_or_dot_dot(de->d_name))
+ continue;
+
+ /* Let's pin the child inode we want to fix now with an O_PATH fd, so that it cannot be swapped out
+ * while we manipulate it. */
+ path_fd = openat(dirfd(d), de->d_name, O_PATH|O_CLOEXEC|O_NOFOLLOW);
+ if (path_fd < 0)
+ return -errno;
+
+ if (fstat(path_fd, &fst) < 0)
+ return -errno;
+
+ if (S_ISDIR(fst.st_mode)) {
+ int subdir_fd;
+
+ /* Convert it to a "real" (i.e. non-O_PATH) fd now */
+ subdir_fd = fd_reopen(path_fd, O_RDONLY|O_CLOEXEC|O_NOATIME);
+ if (subdir_fd < 0)
+ return subdir_fd;
+
+ r = chown_recursive_internal(subdir_fd, &fst, uid, gid); /* takes possession of subdir_fd even on failure */
+ if (r < 0)
+ return r;
+ if (r > 0)
+ changed = true;
+ } else {
+ r = chown_one(path_fd, &fst, uid, gid);
+ if (r < 0)
+ return r;
+ if (r > 0)
+ changed = true;
}
+ }
- r = chown_one(dirfd(d), NULL, st, uid, gid);
- } else
- r = chown_one(fd, NULL, st, uid, gid);
+ r = chown_one(dirfd(d), st, uid, gid);
if (r < 0)
- goto finish;
+ return r;
- r = r > 0 || changed;
-
-finish:
- safe_close(fd);
- return r;
+ return r > 0 || changed;
}
int path_chown_recursive(const char *path, uid_t uid, gid_t gid) {
@@ -111,7 +105,7 @@ int path_chown_recursive(const char *path, uid_t uid, gid_t gid) {
struct stat st;
int r;
- fd = open(path, O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC|O_NOFOLLOW|O_NOATIME);
+ fd = open(path, O_RDONLY|O_DIRECTORY|O_CLOEXEC|O_NOFOLLOW|O_NOATIME);
if (fd < 0)
return -errno;

58
SOURCES/0041-chown-recursive-also-drop-ACLs-when-recursively-chow.patch Normal file
View File

@ -0,0 +1,58 @@
From bbe9ac11d8d4a8511214605509a593fb9f04ffaa Mon Sep 17 00:00:00 2001
From: Lennart Poettering <lennart@poettering.net>
Date: Fri, 19 Oct 2018 11:28:40 +0200
Subject: [PATCH] chown-recursive: also drop ACLs when recursively chown()ing
Let's better be safe than sorry and also drop ACLs.
(cherry-picked from commit f89bc84f3242449cbc308892c87573b131f121df)
Related: #1643368
---
src/core/chown-recursive.c | 16 ++++++++++++----
1 file changed, 12 insertions(+), 4 deletions(-)
diff --git a/src/core/chown-recursive.c b/src/core/chown-recursive.c
index 27c64489b5..447b771267 100644
--- a/src/core/chown-recursive.c
+++ b/src/core/chown-recursive.c
@@ -3,6 +3,7 @@
#include <fcntl.h>
#include <sys/stat.h>
#include <sys/types.h>
+#include <sys/xattr.h>
#include "chown-recursive.h"
#include "dirent-util.h"
@@ -14,6 +15,7 @@
static int chown_one(int fd, const struct stat *st, uid_t uid, gid_t gid) {
char procfs_path[STRLEN("/proc/self/fd/") + DECIMAL_STR_MAX(int) + 1];
+ const char *n;
assert(fd >= 0);
assert(st);
@@ -26,13 +28,19 @@ static int chown_one(int fd, const struct stat *st, uid_t uid, gid_t gid) {
* O_PATH. (Note: fchown() and fchmod() do not work with O_PATH, the kernel refuses that. */
xsprintf(procfs_path, "/proc/self/fd/%i", fd);
+ /* Drop any ACL if there is one */
+ FOREACH_STRING(n, "system.posix_acl_access", "system.posix_acl_default")
+ if (removexattr(procfs_path, n) < 0)
+ if (!IN_SET(errno, ENODATA, EOPNOTSUPP, ENOSYS, ENOTTY))
+ return -errno;
+
if (chown(procfs_path, uid, gid) < 0)
return -errno;
- /* The linux kernel alters the mode in some cases of chown(). Let's undo this. We do this only for non-symlinks
- * however. That's because for symlinks the access mode is ignored anyway and because on some kernels/file
- * systems trying to change the access mode will succeed but has no effect while on others it actively
- * fails. */
+ /* The linux kernel alters the mode in some cases of chown(), as well when we change ACLs. Let's undo this. We
+ * do this only for non-symlinks however. That's because for symlinks the access mode is ignored anyway and
+ * because on some kernels/file systems trying to change the access mode will succeed but has no effect while
+ * on others it actively fails. */
if (!S_ISLNK(st->st_mode))
if (chmod(procfs_path, st->st_mode & 07777) < 0)
return -errno;

34
SOURCES/0042-chown-recursive-TAKE_FD-is-your-friend.patch Normal file
View File

@ -0,0 +1,34 @@
From c9630164b869e109bf2960968fc583449ccf0875 Mon Sep 17 00:00:00 2001
From: Lennart Poettering <lennart@poettering.net>
Date: Fri, 19 Oct 2018 11:42:11 +0200
Subject: [PATCH] chown-recursive: TAKE_FD() is your friend
(cherry-picked from commit cd6b7d50c337b3676a3d5fc2188ff298dcbdb939)
Related: #1643368
---
src/core/chown-recursive.c | 6 +-----
1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/src/core/chown-recursive.c b/src/core/chown-recursive.c
index 447b771267..7767301f7d 100644
--- a/src/core/chown-recursive.c
+++ b/src/core/chown-recursive.c
@@ -111,7 +111,6 @@ static int chown_recursive_internal(int fd, const struct stat *st, uid_t uid, gi
int path_chown_recursive(const char *path, uid_t uid, gid_t gid) {
_cleanup_close_ int fd = -1;
struct stat st;
- int r;
fd = open(path, O_RDONLY|O_DIRECTORY|O_CLOEXEC|O_NOFOLLOW|O_NOATIME);
if (fd < 0)
@@ -130,8 +129,5 @@ int path_chown_recursive(const char *path, uid_t uid, gid_t gid) {
(!gid_is_valid(gid) || st.st_gid == gid))
return 0;
- r = chown_recursive_internal(fd, &st, uid, gid);
- fd = -1; /* we donated the fd to the call, regardless if it succeeded or failed */
-
- return r;
+ return chown_recursive_internal(TAKE_FD(fd), &st, uid, gid); /* we donate the fd to the call, regardless if it succeeded or failed */
}

200
SOURCES/0043-test-add-test-case-for-recursive-chown-ing.patch Normal file
View File

@ -0,0 +1,200 @@
From b53f89d56a5b7528735ddf335f8b47ab3e1a947a Mon Sep 17 00:00:00 2001
From: Lennart Poettering <lennart@poettering.net>
Date: Fri, 19 Oct 2018 11:31:37 +0200
Subject: [PATCH] test: add test case for recursive chown()ing
[msekleta: I removed call to log_test_skipped() and replaced it with older construct log_info() + return EXIT_TEST_SKIP]
(cherry-picked from commit cb9e44db36caefcbb8ee7a12e14217305ed69ff2)
Related: #1643368
---
src/test/meson.build | 5 ++
src/test/test-chown-rec.c | 162 ++++++++++++++++++++++++++++++++++++++
2 files changed, 167 insertions(+)
create mode 100644 src/test/test-chown-rec.c
diff --git a/src/test/meson.build b/src/test/meson.build
index 7da7e3a22c..b982251b1f 100644
--- a/src/test/meson.build
+++ b/src/test/meson.build
@@ -60,6 +60,11 @@ tests += [
libmount,
libblkid]],
+ [['src/test/test-chown-rec.c'],
+ [libcore,
+ libshared],
+ []],
+
[['src/test/test-job-type.c'],
[libcore,
libshared],
diff --git a/src/test/test-chown-rec.c b/src/test/test-chown-rec.c
new file mode 100644
index 0000000000..f16d4d4ba2
--- /dev/null
+++ b/src/test/test-chown-rec.c
@@ -0,0 +1,162 @@
+/* SPDX-License-Identifier: LGPL-2.1+ */
+
+#include <sys/xattr.h>
+
+#include "alloc-util.h"
+#include "chown-recursive.h"
+#include "fileio.h"
+#include "log.h"
+#include "rm-rf.h"
+#include "string-util.h"
+#include "tests.h"
+
+static const uint8_t acl[] = {
+ 0x02, 0x00, 0x00, 0x00, 0x01, 0x00, 0x07, 0x00,
+ 0xff, 0xff, 0xff, 0xff, 0x02, 0x00, 0x07, 0x00,
+ 0x02, 0x00, 0x00, 0x00, 0x04, 0x00, 0x07, 0x00,
+ 0xff, 0xff, 0xff, 0xff, 0x10, 0x00, 0x07, 0x00,
+ 0xff, 0xff, 0xff, 0xff, 0x20, 0x00, 0x05, 0x00,
+ 0xff, 0xff, 0xff, 0xff,
+};
+
+static const uint8_t default_acl[] = {
+ 0x02, 0x00, 0x00, 0x00, 0x01, 0x00, 0x07, 0x00,
+ 0xff, 0xff, 0xff, 0xff, 0x04, 0x00, 0x07, 0x00,
+ 0xff, 0xff, 0xff, 0xff, 0x08, 0x00, 0x07, 0x00,
+ 0x04, 0x00, 0x00, 0x00, 0x10, 0x00, 0x07, 0x00,
+ 0xff, 0xff, 0xff, 0xff, 0x20, 0x00, 0x05, 0x00,
+ 0xff, 0xff, 0xff, 0xff,
+};
+
+static bool has_xattr(const char *p) {
+ char buffer[sizeof(acl) * 4];
+
+ if (lgetxattr(p, "system.posix_acl_access", buffer, sizeof(buffer)) < 0) {
+ if (IN_SET(errno, EOPNOTSUPP, ENOTTY, ENODATA, ENOSYS))
+ return false;
+ }
+
+ return true;
+}
+
+static void test_chown_recursive(void) {
+ _cleanup_(rm_rf_physical_and_freep) char *t = NULL;
+ struct stat st;
+ const char *p;
+
+ umask(022);
+ assert_se(mkdtemp_malloc(NULL, &t) >= 0);
+
+ p = strjoina(t, "/dir");
+ assert_se(mkdir(p, 0777) >= 0);
+ assert_se(lstat(p, &st) >= 0);
+ assert_se(S_ISDIR(st.st_mode));
+ assert_se((st.st_mode & 07777) == 0755);
+ assert_se(st.st_uid == 0);
+ assert_se(st.st_gid == 0);
+ assert_se(!has_xattr(p));
+
+ p = strjoina(t, "/dir/symlink");
+ assert_se(symlink("../../", p) >= 0);
+ assert_se(lstat(p, &st) >= 0);
+ assert_se(S_ISLNK(st.st_mode));
+ assert_se((st.st_mode & 07777) == 0777);
+ assert_se(st.st_uid == 0);
+ assert_se(st.st_gid == 0);
+ assert_se(!has_xattr(p));
+
+ p = strjoina(t, "/dir/reg");
+ assert_se(mknod(p, S_IFREG|0777, 0) >= 0);
+ assert_se(lstat(p, &st) >= 0);
+ assert_se(S_ISREG(st.st_mode));
+ assert_se((st.st_mode & 07777) == 0755);
+ assert_se(st.st_uid == 0);
+ assert_se(st.st_gid == 0);
+ assert_se(!has_xattr(p));
+
+ p = strjoina(t, "/dir/sock");
+ assert_se(mknod(p, S_IFSOCK|0777, 0) >= 0);
+ assert_se(lstat(p, &st) >= 0);
+ assert_se(S_ISSOCK(st.st_mode));
+ assert_se((st.st_mode & 07777) == 0755);
+ assert_se(st.st_uid == 0);
+ assert_se(st.st_gid == 0);
+ assert_se(!has_xattr(p));
+
+ p = strjoina(t, "/dir/fifo");
+ assert_se(mknod(p, S_IFIFO|0777, 0) >= 0);
+ assert_se(lstat(p, &st) >= 0);
+ assert_se(S_ISFIFO(st.st_mode));
+ assert_se((st.st_mode & 07777) == 0755);
+ assert_se(st.st_uid == 0);
+ assert_se(st.st_gid == 0);
+ assert_se(!has_xattr(p));
+
+ /* We now apply an xattr to the dir, and check it again */
+ p = strjoina(t, "/dir");
+ assert_se(setxattr(p, "system.posix_acl_access", acl, sizeof(acl), 0) >= 0);
+ assert_se(setxattr(p, "system.posix_acl_default", default_acl, sizeof(default_acl), 0) >= 0);
+ assert_se(lstat(p, &st) >= 0);
+ assert_se(S_ISDIR(st.st_mode));
+ assert_se((st.st_mode & 07777) == 0775); /* acl change changed the mode too */
+ assert_se(st.st_uid == 0);
+ assert_se(st.st_gid == 0);
+ assert_se(has_xattr(p));
+
+ assert_se(path_chown_recursive(t, 1, 2) >= 0);
+
+ p = strjoina(t, "/dir");
+ assert_se(lstat(p, &st) >= 0);
+ assert_se(S_ISDIR(st.st_mode));
+ assert_se((st.st_mode & 07777) == 0775);
+ assert_se(st.st_uid == 1);
+ assert_se(st.st_gid == 2);
+ assert_se(!has_xattr(p));
+
+ p = strjoina(t, "/dir/symlink");
+ assert_se(lstat(p, &st) >= 0);
+ assert_se(S_ISLNK(st.st_mode));
+ assert_se((st.st_mode & 07777) == 0777);
+ assert_se(st.st_uid == 1);
+ assert_se(st.st_gid == 2);
+ assert_se(!has_xattr(p));
+
+ p = strjoina(t, "/dir/reg");
+ assert_se(lstat(p, &st) >= 0);
+ assert_se(S_ISREG(st.st_mode));
+ assert_se((st.st_mode & 07777) == 0755);
+ assert_se(st.st_uid == 1);
+ assert_se(st.st_gid == 2);
+ assert_se(!has_xattr(p));
+
+ p = strjoina(t, "/dir/sock");
+ assert_se(lstat(p, &st) >= 0);
+ assert_se(S_ISSOCK(st.st_mode));
+ assert_se((st.st_mode & 07777) == 0755);
+ assert_se(st.st_uid == 1);
+ assert_se(st.st_gid == 2);
+ assert_se(!has_xattr(p));
+
+ p = strjoina(t, "/dir/fifo");
+ assert_se(lstat(p, &st) >= 0);
+ assert_se(S_ISFIFO(st.st_mode));
+ assert_se((st.st_mode & 07777) == 0755);
+ assert_se(st.st_uid == 1);
+ assert_se(st.st_gid == 2);
+ assert_se(!has_xattr(p));
+}
+
+int main(int argc, char *argv[]) {
+ log_set_max_level(LOG_DEBUG);
+ log_parse_environment();
+ log_open();
+
+ if (geteuid() != 0) {
+ log_info("not running as root");
+ return EXIT_TEST_SKIP;
+ }
+
+ test_chown_recursive();
+
+ return EXIT_SUCCESS;
+}

32
SOURCES/0044-Revert-sysctl.d-request-ECN-on-both-in-and-outgoing-.patch Normal file
View File

@ -0,0 +1,32 @@
From 730ce6562f8a5f4a61d1ed3ffb4d65fa27b728fc Mon Sep 17 00:00:00 2001
From: Thomas Hindoe Paaboel Andersen <phomes@gmail.com>
Date: Fri, 17 Aug 2018 21:31:05 +0200
Subject: [PATCH] Revert "sysctl.d: request ECN on both in and outgoing
connections"
Turning on ECN still causes slow or broken network on linux. Our tcp
is not yet ready for wide spread use of ECN.
This reverts commit 919472741dba6ad0a3f6c2b76d390a02d0e2fdc3.
(cherry picked from commit 1e190dfd5bb95036f937ef1dc46f43eb0a146612)
Resolves: #1619790
---
sysctl.d/50-default.conf | 3 ---
1 file changed, 3 deletions(-)
diff --git a/sysctl.d/50-default.conf b/sysctl.d/50-default.conf
index b67ae87ca6..e263cf0628 100644
--- a/sysctl.d/50-default.conf
+++ b/sysctl.d/50-default.conf
@@ -33,9 +33,6 @@ net.ipv4.conf.all.promote_secondaries = 1
# Fair Queue CoDel packet scheduler to fight bufferbloat
net.core.default_qdisc = fq_codel
-# Request Explicit Congestion Notification (ECN) on both in and outgoing connections
-net.ipv4.tcp_ecn = 1
-
# Enable hard and soft link protection
fs.protected_hardlinks = 1
fs.protected_symlinks = 1

84
SOURCES/0045-detect-virt-do-not-try-to-read-all-of-proc-cpuinfo.patch Normal file
View File

@ -0,0 +1,84 @@
From 886e5b028953404f2d924b561c0689d3e50dbbf4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
Date: Thu, 13 Sep 2018 09:24:36 +0200
Subject: [PATCH] detect-virt: do not try to read all of /proc/cpuinfo
Quoting https://github.com/systemd/systemd/issues/10074:
> detect_vm_uml() reads /proc/cpuinfo with read_full_file()
> read_full_file() has a file max limit size of READ_FULL_BYTES_MAX=(4U*1024U*1024U)
> Unfortunately, the size of my /proc/cpuinfo is bigger, approximately:
> echo $(( 4* $(cat /proc/cpuinfo | wc -c)))
> 9918072
> This causes read_full_file() to fail and the Condition test fallout.
Let's just read line by line until we find an intersting line. This also
helps if not running under UML, because we avoid reading as much data.
(cherry picked from commit 6058516a14ada1748313af6783f5b4e7e3006654)
Resolves: #1631532
---
src/basic/virt.c | 38 ++++++++++++++++++++++++++++----------
1 file changed, 28 insertions(+), 10 deletions(-)
diff --git a/src/basic/virt.c b/src/basic/virt.c
index d347732bb3..e05b3e6d99 100644
--- a/src/basic/virt.c
+++ b/src/basic/virt.c
@@ -11,6 +11,7 @@
#include "alloc-util.h"
#include "dirent-util.h"
+#include "def.h"
#include "env-util.h"
#include "fd-util.h"
#include "fileio.h"
@@ -259,21 +260,38 @@ static int detect_vm_hypervisor(void) {
}
static int detect_vm_uml(void) {
- _cleanup_free_ char *cpuinfo_contents = NULL;
+ _cleanup_fclose_ FILE *f = NULL;
int r;
/* Detect User-Mode Linux by reading /proc/cpuinfo */
- r = read_full_file("/proc/cpuinfo", &cpuinfo_contents, NULL);
- if (r == -ENOENT) {
- log_debug("/proc/cpuinfo not found, assuming no UML virtualization.");
- return VIRTUALIZATION_NONE;
+ f = fopen("/proc/cpuinfo", "re");
+ if (!f) {
+ if (errno == ENOENT) {
+ log_debug("/proc/cpuinfo not found, assuming no UML virtualization.");
+ return VIRTUALIZATION_NONE;
+ }
+ return -errno;
}
- if (r < 0)
- return r;
- if (strstr(cpuinfo_contents, "\nvendor_id\t: User Mode Linux\n")) {
- log_debug("UML virtualization found in /proc/cpuinfo");
- return VIRTUALIZATION_UML;
+ for (;;) {
+ _cleanup_free_ char *line = NULL;
+ const char *t;
+
+ r = read_line(f, LONG_LINE_MAX, &line);
+ if (r < 0)
+ return r;
+ if (r == 0)
+ break;
+
+ t = startswith(line, "vendor_id\t: ");
+ if (t) {
+ if (startswith(t, "User Mode Linux")) {
+ log_debug("UML virtualization found in /proc/cpuinfo");
+ return VIRTUALIZATION_UML;
+ }
+
+ break;
+ }
}
log_debug("UML virtualization not found in /proc/cpuinfo.");

166
SOURCES/0046-sd-bus-unify-three-code-paths-which-free-struct-bus_.patch Normal file
View File

@ -0,0 +1,166 @@
From eb141ba81158feb74118da4e7a3f2266b11ffe10 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
Date: Mon, 9 Jul 2018 08:06:28 +0200
Subject: [PATCH] sd-bus: unify three code-paths which free struct
bus_container
We didn't free one of the fields in two of the places.
$ valgrind --show-leak-kinds=all --leak-check=full \
build/fuzz-bus-message \
test/fuzz/fuzz-bus-message/leak-c09c0e2256d43bc5e2d02748c8d8760e7bc25d20
...
==14457== HEAP SUMMARY:
==14457== in use at exit: 3 bytes in 1 blocks
==14457== total heap usage: 509 allocs, 508 frees, 51,016 bytes allocated
==14457==
==14457== 3 bytes in 1 blocks are definitely lost in loss record 1 of 1
==14457== at 0x4C2EBAB: malloc (vg_replace_malloc.c:299)
==14457== by 0x53AFE79: strndup (in /usr/lib64/libc-2.27.so)
==14457== by 0x4F52EB8: free_and_strndup (string-util.c:1039)
==14457== by 0x4F8E1AB: sd_bus_message_peek_type (bus-message.c:4193)
==14457== by 0x4F76CB5: bus_message_dump (bus-dump.c:144)
==14457== by 0x108F12: LLVMFuzzerTestOneInput (fuzz-bus-message.c:24)
==14457== by 0x1090F7: main (fuzz-main.c:34)
==14457==
==14457== LEAK SUMMARY:
==14457== definitely lost: 3 bytes in 1 blocks
(cherry picked from commit 6d1e0f4fcba8d6f425da3dc91805db95399b3c8b)
Resolves: #1635435
---
src/libsystemd/sd-bus/bus-message.c | 64 +++++++++---------
...k-c09c0e2256d43bc5e2d02748c8d8760e7bc25d20 | Bin 0 -> 534 bytes
2 files changed, 32 insertions(+), 32 deletions(-)
create mode 100644 test/fuzz/fuzz-bus-message/leak-c09c0e2256d43bc5e2d02748c8d8760e7bc25d20
diff --git a/src/libsystemd/sd-bus/bus-message.c b/src/libsystemd/sd-bus/bus-message.c
index 7c8bad2bdd..d55cb14843 100644
--- a/src/libsystemd/sd-bus/bus-message.c
+++ b/src/libsystemd/sd-bus/bus-message.c
@@ -77,19 +77,38 @@ static void message_reset_parts(sd_bus_message *m) {
m->cached_rindex_part_begin = 0;
}
-static void message_reset_containers(sd_bus_message *m) {
- unsigned i;
+static struct bus_container *message_get_container(sd_bus_message *m) {
+ assert(m);
+
+ if (m->n_containers == 0)
+ return &m->root_container;
+
+ assert(m->containers);
+ return m->containers + m->n_containers - 1;
+}
+
+static void message_free_last_container(sd_bus_message *m) {
+ struct bus_container *c;
+
+ c = message_get_container(m);
+
+ free(c->signature);
+ free(c->peeked_signature);
+ free(c->offsets);
+
+ /* Move to previous container, but not if we are on root container */
+ if (m->n_containers > 0)
+ m->n_containers--;
+}
+static void message_reset_containers(sd_bus_message *m) {
assert(m);
- for (i = 0; i < m->n_containers; i++) {
- free(m->containers[i].signature);
- free(m->containers[i].offsets);
- }
+ while (m->n_containers > 0)
+ message_free_last_container(m);
m->containers = mfree(m->containers);
-
- m->n_containers = m->containers_allocated = 0;
+ m->containers_allocated = 0;
m->root_container.index = 0;
}
@@ -112,10 +131,8 @@ static sd_bus_message* message_free(sd_bus_message *m) {
free(m->iovec);
message_reset_containers(m);
- free(m->root_container.signature);
- free(m->root_container.offsets);
-
- free(m->root_container.peeked_signature);
+ assert(m->n_containers == 0);
+ message_free_last_container(m);
bus_creds_done(&m->creds);
return mfree(m);
@@ -1113,16 +1130,6 @@ _public_ int sd_bus_message_set_allow_interactive_authorization(sd_bus_message *
return 0;
}
-static struct bus_container *message_get_container(sd_bus_message *m) {
- assert(m);
-
- if (m->n_containers == 0)
- return &m->root_container;
-
- assert(m->containers);
- return m->containers + m->n_containers - 1;
-}
-
struct bus_body_part *message_append_part(sd_bus_message *m) {
struct bus_body_part *part;
@@ -4108,13 +4115,9 @@ _public_ int sd_bus_message_exit_container(sd_bus_message *m) {
return -EBUSY;
}
- free(c->signature);
- free(c->peeked_signature);
- free(c->offsets);
- m->n_containers--;
+ message_free_last_container(m);
c = message_get_container(m);
-
saved = c->index;
c->index = c->saved_index;
r = container_next_item(m, c, &m->rindex);
@@ -4132,16 +4135,13 @@ static void message_quit_container(sd_bus_message *m) {
assert(m->sealed);
assert(m->n_containers > 0);
- c = message_get_container(m);
-
/* Undo seeks */
+ c = message_get_container(m);
assert(m->rindex >= c->before);
m->rindex = c->before;
/* Free container */
- free(c->signature);
- free(c->offsets);
- m->n_containers--;
+ message_free_last_container(m);
/* Correct index of new top-level container */
c = message_get_container(m);
diff --git a/test/fuzz/fuzz-bus-message/leak-c09c0e2256d43bc5e2d02748c8d8760e7bc25d20 b/test/fuzz/fuzz-bus-message/leak-c09c0e2256d43bc5e2d02748c8d8760e7bc25d20
new file mode 100644
index 0000000000000000000000000000000000000000..c371824ffb604708619fd0713e8fca609bac18f7
GIT binary patch
literal 534
zcmZ{h!A`?442GSJP20o?A&zJgm*%p<cmZx)c?GB2N~MZabq0zMhzqX`{7ze`LYk$&
z_LnqH{-ic!J`GWMLG(>T#&`l!4rxq{&>8YmwQrOs;B(}I_m11m8`nFp<MR{a3sX`q
z!cs!Q@A35`W+B>`#ek1>oQYVSs`!XH?7Y=}3y9Ye+UliL9^x9s66$8wH+TPdOG`n|
z5Uhx<nM2)KiEdF(J5Ct}Xa*iksL!VNssA<Hq<KDseGAsT^*)9kK$?O39;dyGT&#2v
zLhpD3X)k6@tX`CzbBVV-7e$fy9()CjJ&n(=^)uJCKFB5Xi}-<1ru7po5XlEJ?uByQ
MaEPzRhwknF02{PjtN;K2
literal 0
HcmV?d00001

27
SOURCES/0047-sd-bus-properly-initialize-containers.patch Normal file
View File

@ -0,0 +1,27 @@
From 220a60a61a91153fd8e49e58884b9b0b904888f6 Mon Sep 17 00:00:00 2001
From: Jan Synacek <jsynacek@redhat.com>
Date: Wed, 31 Oct 2018 12:50:19 +0100
Subject: [PATCH] sd-bus: properly initialize containers
Fixes a SIGSEGV introduced by commit 38a5315a3a6fab745d8c86ff9e486faaf50b28d1.
The same problem doesn't exist upstream, as the container structure
there is initialized using a compound literal, which is zeroed out by
default.
Related: #1635435
---
src/libsystemd/sd-bus/bus-message.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/libsystemd/sd-bus/bus-message.c b/src/libsystemd/sd-bus/bus-message.c
index d55cb14843..780c8c6185 100644
--- a/src/libsystemd/sd-bus/bus-message.c
+++ b/src/libsystemd/sd-bus/bus-message.c
@@ -2004,6 +2004,7 @@ _public_ int sd_bus_message_open_container(
w = m->containers + m->n_containers++;
w->enclosing = type;
w->signature = TAKE_PTR(signature);
+ w->peeked_signature = NULL;
w->index = 0;
w->array_size = array_size;
w->before = before;

240
SOURCES/0048-cryptsetup-generator-introduce-basic-keydev-support.patch Normal file
View File

@ -0,0 +1,240 @@
From 0977e6b34fb5f28fc94f1df32261742881fa9bbe Mon Sep 17 00:00:00 2001
From: Michal Sekletar <msekleta@redhat.com>
Date: Thu, 30 Aug 2018 08:45:11 +0000
Subject: [PATCH] cryptsetup-generator: introduce basic keydev support
Dracut has a support for unlocking encrypted drives with keyfile stored
on the external drive. This support is included in the generated initrd
only if systemd module is not included.
When systemd is used in initrd then attachment of encrypted drives is
handled by systemd-cryptsetup tools. Our generator has support for
keyfile, however, it didn't support keyfile on the external block
device (keydev).
This commit introduces basic keydev support. Keydev can be specified per
luks.uuid on the kernel command line. Keydev is automatically mounted
during boot and we look for keyfile in the keydev
mountpoint (i.e. keyfile path is prefixed with the keydev mount point
path). After crypt device is attached we automatically unmount
where keyfile resides.
Example:
rd.luks.key=70bc876b-f627-4038-9049-3080d79d2165=/key:LABEL=KEYDEV
(cherry-picked from commit 70f5f48eb891b12e969577b464de61e15a2593da)
Resolves: #1656869
---
man/systemd-cryptsetup-generator.xml | 14 ++++
src/cryptsetup/cryptsetup-generator.c | 105 +++++++++++++++++++++++++-
2 files changed, 115 insertions(+), 4 deletions(-)
diff --git a/man/systemd-cryptsetup-generator.xml b/man/systemd-cryptsetup-generator.xml
index c37ee76b87..e30d69bfe7 100644
--- a/man/systemd-cryptsetup-generator.xml
+++ b/man/systemd-cryptsetup-generator.xml
@@ -144,6 +144,20 @@
to the one specified by <varname>rd.luks.key=</varname> or
<varname>luks.key=</varname> of the corresponding UUID, or the
password file that was specified without a UUID.</para>
+
+ <para>It is also possible to specify an external device which
+ should be mounted before we attempt to unlock the LUKS device.
+ systemd-cryptsetup will use password file stored on that
+ device. Device containing password file is specified by
+ appending colon and a device identifier to the password file
+ path. For example,
+ <varname>rd.luks.uuid=</varname>b40f1abf-2a53-400a-889a-2eccc27eaa40
+ <varname>rd.luks.key=</varname>b40f1abf-2a53-400a-889a-2eccc27eaa40=/keyfile:LABEL=keydev.
+ Hence, in this case, we will attempt to mount file system
+ residing on the block device with label <literal>keydev</literal>.
+ This syntax is for now only supported on a per-device basis,
+ i.e. you have to specify LUKS device UUID.</para>
+
<para><varname>rd.luks.key=</varname>
is honored only by initial RAM disk
(initrd) while
diff --git a/src/cryptsetup/cryptsetup-generator.c b/src/cryptsetup/cryptsetup-generator.c
index f5a81829b9..8c7a76e789 100644
--- a/src/cryptsetup/cryptsetup-generator.c
+++ b/src/cryptsetup/cryptsetup-generator.c
@@ -24,6 +24,7 @@
typedef struct crypto_device {
char *uuid;
char *keyfile;
+ char *keydev;
char *name;
char *options;
bool create;
@@ -37,14 +38,71 @@ static Hashmap *arg_disks = NULL;
static char *arg_default_options = NULL;
static char *arg_default_keyfile = NULL;
+static int generate_keydev_mount(const char *name, const char *keydev, char **unit, char **mount) {
+ _cleanup_free_ char *u = NULL, *what = NULL, *where = NULL;
+ _cleanup_fclose_ FILE *f = NULL;
+ int r;
+
+ assert(name);
+ assert(keydev);
+ assert(unit);
+ assert(mount);
+
+ r = mkdir_parents("/run/systemd/cryptsetup", 0755);
+ if (r < 0)
+ return r;
+
+ r = mkdir("/run/systemd/cryptsetup", 0700);
+ if (r < 0)
+ return r;
+
+ where = strjoin("/run/systemd/cryptsetup/keydev-", name);
+ if (!where)
+ return -ENOMEM;
+
+ r = mkdir(where, 0700);
+ if (r < 0)
+ return r;
+
+ r = unit_name_from_path(where, ".mount", &u);
+ if (r < 0)
+ return r;
+
+ r = generator_open_unit_file(arg_dest, NULL, u, &f);
+ if (r < 0)
+ return r;
+
+ what = fstab_node_to_udev_node(keydev);
+ if (!what)
+ return -ENOMEM;
+
+ fprintf(f,
+ "[Unit]\n"
+ "DefaultDependencies=no\n\n"
+ "[Mount]\n"
+ "What=%s\n"
+ "Where=%s\n"
+ "Options=ro\n", what, where);
+
+ r = fflush_and_check(f);
+ if (r < 0)
+ return r;
+
+ *unit = TAKE_PTR(u);
+ *mount = TAKE_PTR(where);
+
+ return 0;
+}
+
static int create_disk(
const char *name,
const char *device,
+ const char *keydev,
const char *password,
const char *options) {
_cleanup_free_ char *n = NULL, *d = NULL, *u = NULL, *e = NULL,
- *filtered = NULL, *u_escaped = NULL, *password_escaped = NULL, *filtered_escaped = NULL, *name_escaped = NULL;
+ *filtered = NULL, *u_escaped = NULL, *password_escaped = NULL, *filtered_escaped = NULL, *name_escaped = NULL, *keydev_mount = NULL;
_cleanup_fclose_ FILE *f = NULL;
const char *dmname;
bool noauto, nofail, tmp, swap, netdev;
@@ -94,6 +152,9 @@ static int create_disk(
return log_oom();
}
+ if (keydev && !password)
+ return log_error_errno(-EINVAL, "Keydev is specified, but path to the password file is missing: %m");
+
r = generator_open_unit_file(arg_dest, NULL, n, &f);
if (r < 0)
return r;
@@ -109,6 +170,20 @@ static int create_disk(
"After=%s\n",
netdev ? "remote-fs-pre.target" : "cryptsetup-pre.target");
+ if (keydev) {
+ _cleanup_free_ char *unit = NULL, *p = NULL;
+
+ r = generate_keydev_mount(name, keydev, &unit, &keydev_mount);
+ if (r < 0)
+ return log_error_errno(r, "Failed to generate keydev mount unit: %m");
+
+ p = prefix_root(keydev_mount, password_escaped);
+ if (!p)
+ return log_oom();
+
+ free_and_replace(password_escaped, p);
+ }
+
if (!nofail)
fprintf(f,
"Before=%s\n",
@@ -186,6 +261,11 @@ static int create_disk(
"ExecStartPost=/sbin/mkswap '/dev/mapper/%s'\n",
name_escaped);
+ if (keydev)
+ fprintf(f,
+ "ExecStartPost=" UMOUNT_PATH " %s\n\n",
+ keydev_mount);
+
r = fflush_and_check(f);
if (r < 0)
return log_error_errno(r, "Failed to write unit file %s: %m", n);
@@ -221,6 +301,7 @@ static int create_disk(
static void crypt_device_free(crypto_device *d) {
free(d->uuid);
free(d->keyfile);
+ free(d->keydev);
free(d->name);
free(d->options);
free(d);
@@ -309,11 +390,27 @@ static int parse_proc_cmdline_item(const char *key, const char *value, void *dat
r = sscanf(value, "%m[0-9a-fA-F-]=%ms", &uuid, &uuid_value);
if (r == 2) {
+ char *c;
+ _cleanup_free_ char *keyfile = NULL, *keydev = NULL;
+
d = get_crypto_device(uuid);
if (!d)
return log_oom();
- free_and_replace(d->keyfile, uuid_value);
+ c = strrchr(uuid_value, ':');
+ if (!c)
+ /* No keydev specified */
+ return free_and_replace(d->keyfile, uuid_value);
+
+ *c = '\0';
+ keyfile = strdup(uuid_value);
+ keydev = strdup(++c);
+
+ if (!keyfile || !keydev)
+ return log_oom();
+
+ free_and_replace(d->keyfile, keyfile);
+ free_and_replace(d->keydev, keydev);
} else if (free_and_strdup(&arg_default_keyfile, value) < 0)
return log_oom();
@@ -394,7 +491,7 @@ static int add_crypttab_devices(void) {
continue;
}
- r = create_disk(name, device, keyfile, (d && d->options) ? d->options : options);
+ r = create_disk(name, device, NULL, keyfile, (d && d->options) ? d->options : options);
if (r < 0)
return r;
@@ -434,7 +531,7 @@ static int add_proc_cmdline_devices(void) {
else
options = "timeout=0";
- r = create_disk(d->name, device, d->keyfile ?: arg_default_keyfile, options);
+ r = create_disk(d->name, device, d->keydev, d->keyfile ?: arg_default_keyfile, options);
if (r < 0)
return r;
}

33
SOURCES/0049-cryptsetup-don-t-use-m-if-there-s-no-error-to-show.patch Normal file
View File

@ -0,0 +1,33 @@
From 95bfd1d2f52698604e44c17dba2082f61b5f8eab Mon Sep 17 00:00:00 2001
From: Lennart Poettering <lennart@poettering.net>
Date: Fri, 5 Oct 2018 22:37:37 +0200
Subject: [PATCH] cryptsetup: don't use %m if there's no error to show
We are not the ones receiving an error here, but the ones generating it,
hence we shouldn't show it with %m, that's just confusing, as it
suggests we received an error from some other call.
(cherry-picked from commit 2abe64666e544be6499f870618185f8819b4c152)
Related: #1656869
---
src/cryptsetup/cryptsetup-generator.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/cryptsetup/cryptsetup-generator.c b/src/cryptsetup/cryptsetup-generator.c
index 8c7a76e789..52391bd185 100644
--- a/src/cryptsetup/cryptsetup-generator.c
+++ b/src/cryptsetup/cryptsetup-generator.c
@@ -152,8 +152,10 @@ static int create_disk(
return log_oom();
}
- if (keydev && !password)
- return log_error_errno(-EINVAL, "Keydev is specified, but path to the password file is missing: %m");
+ if (keydev && !password) {
+ log_error("Key device is specified, but path to the password file is missing.");
+ return -EINVAL;
+ }
r = generator_open_unit_file(arg_dest, NULL, n, &f);
if (r < 0)

38
SOURCES/0050-cryptsetup-generator-don-t-return-error-if-target-di.patch Normal file
View File

@ -0,0 +1,38 @@
From 81df5f597257bd2579246de6182c4949b27396eb Mon Sep 17 00:00:00 2001
From: Michal Sekletar <msekleta@redhat.com>
Date: Tue, 4 Sep 2018 19:51:14 +0200
Subject: [PATCH] cryptsetup-generator: don't return error if target directory
already exists
(cherry-picked from commit 579875bc4a59b917fa32519e3d96d56dc591ad1e)
Related: #1656869
---
src/cryptsetup/cryptsetup-generator.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/cryptsetup/cryptsetup-generator.c b/src/cryptsetup/cryptsetup-generator.c
index 52391bd185..03c513c26e 100644
--- a/src/cryptsetup/cryptsetup-generator.c
+++ b/src/cryptsetup/cryptsetup-generator.c
@@ -53,16 +53,16 @@ static int generate_keydev_mount(const char *name, const char *keydev, char **un
return r;
r = mkdir("/run/systemd/cryptsetup", 0700);
- if (r < 0)
- return r;
+ if (r < 0 && errno != EEXIST)
+ return -errno;
where = strjoin("/run/systemd/cryptsetup/keydev-", name);
if (!where)
return -ENOMEM;
r = mkdir(where, 0700);
- if (r < 0)
- return r;
+ if (r < 0 && errno != EEXIST)
+ return -errno;
r = unit_name_from_path(where, ".mount", &u);
if (r < 0)

129
SOURCES/0051-cryptsetup-generator-allow-whitespace-characters-in-.patch Normal file
View File

@ -0,0 +1,129 @@
From 2a4d58bb2ab9ba5487785cc167932440a4f0c13d Mon Sep 17 00:00:00 2001
From: Michal Sekletar <msekleta@redhat.com>
Date: Tue, 4 Sep 2018 20:03:34 +0200
Subject: [PATCH] cryptsetup-generator: allow whitespace characters in keydev
specification
For example, <luks.uuid>=/keyfile:LABEL="KEYFILE FS" previously wouldn't
work, because we truncated label at the first whitespace character,
i.e. LABEL="KEYFILE".
(cherry-picked from commit 7949dfa73a44ae6524779689483d12243dfbcfdf)
Related: #1656869
---
src/cryptsetup/cryptsetup-generator.c | 64 ++++++++++++++++++---------
1 file changed, 43 insertions(+), 21 deletions(-)
diff --git a/src/cryptsetup/cryptsetup-generator.c b/src/cryptsetup/cryptsetup-generator.c
index 03c513c26e..52c1262728 100644
--- a/src/cryptsetup/cryptsetup-generator.c
+++ b/src/cryptsetup/cryptsetup-generator.c
@@ -5,11 +5,13 @@
#include "alloc-util.h"
#include "dropin.h"
+#include "escape.h"
#include "fd-util.h"
#include "fileio.h"
#include "fstab-util.h"
#include "generator.h"
#include "hashmap.h"
+#include "id128-util.h"
#include "log.h"
#include "mkdir.h"
#include "parse-util.h"
@@ -39,7 +41,7 @@ static char *arg_default_options = NULL;
static char *arg_default_keyfile = NULL;
static int generate_keydev_mount(const char *name, const char *keydev, char **unit, char **mount) {
- _cleanup_free_ char *u = NULL, *what = NULL, *where = NULL;
+ _cleanup_free_ char *u = NULL, *what = NULL, *where = NULL, *name_escaped = NULL;
_cleanup_fclose_ FILE *f = NULL;
int r;
@@ -56,7 +58,11 @@ static int generate_keydev_mount(const char *name, const char *keydev, char **un
if (r < 0 && errno != EEXIST)
return -errno;
- where = strjoin("/run/systemd/cryptsetup/keydev-", name);
+ name_escaped = cescape(name);
+ if (!name_escaped)
+ return -ENOMEM;
+
+ where = strjoin("/run/systemd/cryptsetup/keydev-", name_escaped);
if (!where)
return -ENOMEM;
@@ -386,36 +392,52 @@ static int parse_proc_cmdline_item(const char *key, const char *value, void *dat
return log_oom();
} else if (streq(key, "luks.key")) {
+ size_t n;
+ _cleanup_free_ char *keyfile = NULL, *keydev = NULL;
+ char *c;
+ const char *keyspec;
if (proc_cmdline_value_missing(key, value))
return 0;
- r = sscanf(value, "%m[0-9a-fA-F-]=%ms", &uuid, &uuid_value);
- if (r == 2) {
- char *c;
- _cleanup_free_ char *keyfile = NULL, *keydev = NULL;
+ n = strspn(value, LETTERS DIGITS "-");
+ if (value[n] != '=') {
+ if (free_and_strdup(&arg_default_keyfile, value) < 0)
+ return log_oom();
+ return 0;
+ }
- d = get_crypto_device(uuid);
- if (!d)
- return log_oom();
+ uuid = strndup(value, n);
+ if (!uuid)
+ return log_oom();
- c = strrchr(uuid_value, ':');
- if (!c)
- /* No keydev specified */
- return free_and_replace(d->keyfile, uuid_value);
+ if (!id128_is_valid(uuid)) {
+ log_warning("Failed to parse luks.key= kernel command line switch. UUID is invalid, ignoring.");
+ return 0;
+ }
+
+ d = get_crypto_device(uuid);
+ if (!d)
+ return log_oom();
- *c = '\0';
- keyfile = strdup(uuid_value);
- keydev = strdup(++c);
+ keyspec = value + n + 1;
+ c = strrchr(keyspec, ':');
+ if (c) {
+ *c = '\0';
+ keyfile = strdup(keyspec);
+ keydev = strdup(c + 1);
if (!keyfile || !keydev)
return log_oom();
+ } else {
+ /* No keydev specified */
+ keyfile = strdup(keyspec);
+ if (!keyfile)
+ return log_oom();
+ }
- free_and_replace(d->keyfile, keyfile);
- free_and_replace(d->keydev, keydev);
- } else if (free_and_strdup(&arg_default_keyfile, value) < 0)
- return log_oom();
-
+ free_and_replace(d->keyfile, keyfile);
+ free_and_replace(d->keydev, keydev);
} else if (streq(key, "luks.name")) {
if (proc_cmdline_value_missing(key, value))

25
SOURCES/0052-rules-watch-metadata-changes-on-DASD-devices.patch Normal file
View File

@ -0,0 +1,25 @@
From c16785e970b83590fc9de4ea0f7e410470d88db5 Mon Sep 17 00:00:00 2001
From: Vojtech Trefny <vtrefny@redhat.com>
Date: Tue, 4 Dec 2018 16:47:36 +0100
Subject: [PATCH] rules: watch metadata changes on DASD devices
To make sure the change event is emitted and udev db is updated
after metadata changes.
(cherry picked from commit 38397c8ce044fdc0138c9919168a856c0e16f720)
Resolves: #1638676
---
rules/60-block.rules | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/60-block.rules b/rules/60-block.rules
index 343fc06f85..a1458e9188 100644
--- a/rules/60-block.rules
+++ b/rules/60-block.rules
@@ -8,4 +8,4 @@ ACTION=="add", SUBSYSTEM=="module", KERNEL=="block", ATTR{parameters/events_dfl_
ACTION=="change", SUBSYSTEM=="scsi", ENV{DEVTYPE}=="scsi_device", TEST=="block", ATTR{block/*/uevent}="change"
# watch metadata changes, caused by tools closing the device node which was opened for writing
-ACTION!="remove", SUBSYSTEM=="block", KERNEL=="loop*|nvme*|sd*|vd*|xvd*|pmem*|mmcblk*", OPTIONS+="watch"
+ACTION!="remove", SUBSYSTEM=="block", KERNEL=="loop*|nvme*|sd*|vd*|xvd*|pmem*|mmcblk*|dasd*", OPTIONS+="watch"

41
SOURCES/0053-sysctl.d-switch-net.ipv4.conf.all.rp_filter-from-1-t.patch Normal file
View File

@ -0,0 +1,41 @@
From 75c9af80cf3529c76988451e63f98010c86f48f1 Mon Sep 17 00:00:00 2001
From: Lubomir Rintel <lkundrak@v3.sk>
Date: Wed, 28 Nov 2018 11:44:20 +0100
Subject: [PATCH] sysctl.d: switch net.ipv4.conf.all.rp_filter from 1 to 2
This switches the RFC3704 Reverse Path filtering from Strict mode to Loose
mode. The Strict mode breaks some pretty common and reasonable use cases,
such as keeping connections via one default route alive after another one
appears (e.g. plugging an Ethernet cable when connected via Wi-Fi).
The strict filter also makes it impossible for NetworkManager to do
connectivity check on a newly arriving default route (it starts with a
higher metric and is bumped lower if there's connectivity).
Kernel's default is 0 (no filter), but a Loose filter is good enough. The
few use cases where a Strict mode could make sense can easily override
this.
The distributions that don't care about the client use cases and prefer a
strict filter could just ship a custom configuration in
/usr/lib/sysctl.d/ to override this.
Cherry-picked from: 230450d4e4f1f5fc9fa4295ed9185eea5b6ea16e
Resolves: #1653824
---
sysctl.d/50-default.conf | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sysctl.d/50-default.conf b/sysctl.d/50-default.conf
index e263cf0628..b0645f33e7 100644
--- a/sysctl.d/50-default.conf
+++ b/sysctl.d/50-default.conf
@@ -22,7 +22,7 @@ kernel.sysrq = 16
kernel.core_uses_pid = 1
# Source route verification
-net.ipv4.conf.all.rp_filter = 1
+net.ipv4.conf.all.rp_filter = 2
# Do not accept source routing
net.ipv4.conf.all.accept_source_route = 0

36
SOURCES/0054-tests-explicitly-enable-user-namespaces-for-TEST-13-.patch Normal file
View File

@ -0,0 +1,36 @@
From e8ead61e1c0a919a97df64b14dbd572ef7c830d2 Mon Sep 17 00:00:00 2001
From: Frantisek Sumsal <frantisek@sumsal.cz>
Date: Sat, 15 Dec 2018 20:22:31 +0100
Subject: [PATCH] tests: explicitly enable user namespaces for
TEST-13-NSPAWN-SMOKE
Cherry-picked from: 67f5c0c776ce9449ad21e9854665573a05141fd4
---
test/TEST-13-NSPAWN-SMOKE/test.sh | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/test/TEST-13-NSPAWN-SMOKE/test.sh b/test/TEST-13-NSPAWN-SMOKE/test.sh
index 6a0cb42eaf..c0789b5d20 100755
--- a/test/TEST-13-NSPAWN-SMOKE/test.sh
+++ b/test/TEST-13-NSPAWN-SMOKE/test.sh
@@ -18,7 +18,7 @@ test_setup() {
eval $(udevadm info --export --query=env --name=${LOOPDEV}p2)
setup_basic_environment
- dracut_install busybox chmod rmdir unshare ip
+ dracut_install busybox chmod rmdir unshare ip sysctl
cp create-busybox-container $initdir/
@@ -63,6 +63,11 @@ if [[ -f /proc/1/ns/cgroup ]]; then
fi
is_user_ns_supported=no
+# On some systems (e.g. CentOS 7) the default limit for user namespaces
+# is set to 0, which causes the following unshare syscall to fail, even
+# with enabled user namespaces support. By setting this value explicitly
+# we can ensure the user namespaces support to be detected correctly.
+sysctl -w user.max_user_namespaces=10000
if unshare -U sh -c :; then
is_user_ns_supported=yes
fi

122
SOURCES/0055-nspawn-beef-up-netns-checking-a-bit-for-compat-with-.patch Normal file
View File

@ -0,0 +1,122 @@
From 2115fcc1e673079fe76e949ac0904267075c25a4 Mon Sep 17 00:00:00 2001
From: Lennart Poettering <lennart@poettering.net>
Date: Wed, 31 Oct 2018 13:04:20 +0100
Subject: [PATCH] nspawn: beef up netns checking a bit, for compat with old
kernels
Fixes: #10544
Cherry-picked from: 6619ad889da260cf83079cc74a85d571acd1df5a
---
src/basic/stat-util.c | 40 +++++++++++++++++++++++++++++++++++----
src/nspawn/nspawn.c | 8 +++++---
src/test/test-stat-util.c | 15 +++++++++++++++
3 files changed, 56 insertions(+), 7 deletions(-)
diff --git a/src/basic/stat-util.c b/src/basic/stat-util.c
index 07154e25bb..26aee9bad6 100644
--- a/src/basic/stat-util.c
+++ b/src/basic/stat-util.c
@@ -204,15 +204,47 @@ int fd_is_network_fs(int fd) {
}
int fd_is_network_ns(int fd) {
+ struct statfs s;
int r;
- r = fd_is_fs_type(fd, NSFS_MAGIC);
- if (r <= 0)
- return r;
+ /* Checks whether the specified file descriptor refers to a network namespace. On old kernels there's no nice
+ * way to detect that, hence on those we'll return a recognizable error (EUCLEAN), so that callers can handle
+ * this somewhat nicely.
+ *
+ * This function returns > 0 if the fd definitely refers to a network namespace, 0 if it definitely does not
+ * refer to a network namespace, -EUCLEAN if we can't determine, and other negative error codes on error. */
+
+ if (fstatfs(fd, &s) < 0)
+ return -errno;
+
+ if (!is_fs_type(&s, NSFS_MAGIC)) {
+ /* On really old kernels, there was no "nsfs", and network namespace sockets belonged to procfs
+ * instead. Handle that in a somewhat smart way. */
+
+ if (is_fs_type(&s, PROC_SUPER_MAGIC)) {
+ struct statfs t;
+
+ /* OK, so it is procfs. Let's see if our own network namespace is procfs, too. If so, then the
+ * passed fd might refer to a network namespace, but we can't know for sure. In that case,
+ * return a recognizable error. */
+
+ if (statfs("/proc/self/ns/net", &t) < 0)
+ return -errno;
+
+ if (s.f_type == t.f_type)
+ return -EUCLEAN; /* It's possible, we simply don't know */
+ }
+
+ return 0; /* No! */
+ }
r = ioctl(fd, NS_GET_NSTYPE);
- if (r < 0)
+ if (r < 0) {
+ if (errno == ENOTTY) /* Old kernels didn't know this ioctl, let's also return a recognizable error in that case */
+ return -EUCLEAN;
+
return -errno;
+ }
return r == CLONE_NEWNET;
}
diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
index 56877bd932..8aec893a69 100644
--- a/src/nspawn/nspawn.c
+++ b/src/nspawn/nspawn.c
@@ -3701,10 +3701,12 @@ static int run(int master,
return log_error_errno(errno, "Cannot open file %s: %m", arg_network_namespace_path);
r = fd_is_network_ns(netns_fd);
- if (r < 0 && r != -ENOTTY)
+ if (r == -EUCLEAN)
+ log_debug_errno(r, "Cannot determine if passed network namespace path '%s' really refers to a network namespace, assuming it does.", arg_network_namespace_path);
+ else if (r < 0)
return log_error_errno(r, "Failed to check %s fs type: %m", arg_network_namespace_path);
- if (r == 0) {
- log_error("Path %s doesn't refer to a network namespace", arg_network_namespace_path);
+ else if (r == 0) {
+ log_error("Path %s doesn't refer to a network namespace, refusing.", arg_network_namespace_path);
return -EINVAL;
}
}
diff --git a/src/test/test-stat-util.c b/src/test/test-stat-util.c
index 43f56a6c20..2b0564d8a0 100644
--- a/src/test/test-stat-util.c
+++ b/src/test/test-stat-util.c
@@ -67,11 +67,26 @@ static void test_path_is_temporary_fs(void) {
assert_se(path_is_temporary_fs("/i-dont-exist") == -ENOENT);
}
+static void test_fd_is_network_ns(void) {
+ _cleanup_close_ int fd = -1;
+ assert_se(fd_is_network_ns(STDIN_FILENO) == 0);
+ assert_se(fd_is_network_ns(STDERR_FILENO) == 0);
+ assert_se(fd_is_network_ns(STDOUT_FILENO) == 0);
+
+ assert_se((fd = open("/proc/self/ns/mnt", O_CLOEXEC|O_RDONLY)) >= 0);
+ assert_se(IN_SET(fd_is_network_ns(fd), 0, -EUCLEAN));
+ fd = safe_close(fd);
+
+ assert_se((fd = open("/proc/self/ns/net", O_CLOEXEC|O_RDONLY)) >= 0);
+ assert_se(IN_SET(fd_is_network_ns(fd), 1, -EUCLEAN));
+}
+
int main(int argc, char *argv[]) {
test_files_same();
test_is_symlink();
test_path_is_fs_type();
test_path_is_temporary_fs();
+ test_fd_is_network_ns();
return 0;
}

93
SOURCES/0056-test-Drop-SKIP_INITRD-for-QEMU-based-tests.patch Normal file
View File

@ -0,0 +1,93 @@
From 13d819cc795d8c3695ce7288436ad569366073f6 Mon Sep 17 00:00:00 2001
From: Michael Biebl <biebl@debian.org>
Date: Mon, 16 Jul 2018 11:27:44 +0200
Subject: [PATCH] test: Drop SKIP_INITRD for QEMU-based tests
Not all distros support booting without an initrd. E.g. the Debian
kernel builds ext4 as a module and so relies on an initrd to
successfully start the QEMU-based images.
Cherry-picked from: c2d4da002095fe6f86f89a508a81e48fb6d3196f
---
test/TEST-08-ISSUE-2730/test.sh | 1 -
test/TEST-09-ISSUE-2691/test.sh | 1 -
test/TEST-10-ISSUE-2467/test.sh | 1 -
test/TEST-11-ISSUE-3166/test.sh | 1 -
test/TEST-13-NSPAWN-SMOKE/test.sh | 2 +-
test/TEST-14-MACHINE-ID/test.sh | 2 +-
6 files changed, 2 insertions(+), 6 deletions(-)
diff --git a/test/TEST-08-ISSUE-2730/test.sh b/test/TEST-08-ISSUE-2730/test.sh
index 68159c331f..90bf133c6a 100755
--- a/test/TEST-08-ISSUE-2730/test.sh
+++ b/test/TEST-08-ISSUE-2730/test.sh
@@ -6,7 +6,6 @@ TEST_DESCRIPTION="https://github.com/systemd/systemd/issues/2730"
TEST_NO_NSPAWN=1
. $TEST_BASE_DIR/test-functions
-SKIP_INITRD=yes
QEMU_TIMEOUT=180
FSTYPE=ext4
diff --git a/test/TEST-09-ISSUE-2691/test.sh b/test/TEST-09-ISSUE-2691/test.sh
index 4c3e9496b4..9b5990bc60 100755
--- a/test/TEST-09-ISSUE-2691/test.sh
+++ b/test/TEST-09-ISSUE-2691/test.sh
@@ -6,7 +6,6 @@ TEST_DESCRIPTION="https://github.com/systemd/systemd/issues/2691"
TEST_NO_NSPAWN=1
. $TEST_BASE_DIR/test-functions
-SKIP_INITRD=yes
QEMU_TIMEOUT=90
test_setup() {
diff --git a/test/TEST-10-ISSUE-2467/test.sh b/test/TEST-10-ISSUE-2467/test.sh
index 2f95e9062d..e61f5acd3c 100755
--- a/test/TEST-10-ISSUE-2467/test.sh
+++ b/test/TEST-10-ISSUE-2467/test.sh
@@ -5,7 +5,6 @@ set -e
TEST_DESCRIPTION="https://github.com/systemd/systemd/issues/2467"
. $TEST_BASE_DIR/test-functions
-SKIP_INITRD=yes
test_setup() {
create_empty_image
diff --git a/test/TEST-11-ISSUE-3166/test.sh b/test/TEST-11-ISSUE-3166/test.sh
index 4602bdfc98..8aae4d5ed9 100755
--- a/test/TEST-11-ISSUE-3166/test.sh
+++ b/test/TEST-11-ISSUE-3166/test.sh
@@ -6,7 +6,6 @@ TEST_DESCRIPTION="https://github.com/systemd/systemd/issues/3166"
TEST_NO_NSPAWN=1
. $TEST_BASE_DIR/test-functions
-SKIP_INITRD=yes
test_setup() {
create_empty_image
diff --git a/test/TEST-13-NSPAWN-SMOKE/test.sh b/test/TEST-13-NSPAWN-SMOKE/test.sh
index c0789b5d20..a676384bfc 100755
--- a/test/TEST-13-NSPAWN-SMOKE/test.sh
+++ b/test/TEST-13-NSPAWN-SMOKE/test.sh
@@ -4,7 +4,7 @@
set -e
TEST_DESCRIPTION="systemd-nspawn smoke test"
TEST_NO_NSPAWN=1
-SKIP_INITRD=yes
+
. $TEST_BASE_DIR/test-functions
test_setup() {
diff --git a/test/TEST-14-MACHINE-ID/test.sh b/test/TEST-14-MACHINE-ID/test.sh
index 7342645bc5..62003b91b6 100755
--- a/test/TEST-14-MACHINE-ID/test.sh
+++ b/test/TEST-14-MACHINE-ID/test.sh
@@ -4,7 +4,7 @@
set -e
TEST_DESCRIPTION="/etc/machine-id testing"
TEST_NO_NSPAWN=1
-SKIP_INITRD=yes
+
. $TEST_BASE_DIR/test-functions
test_setup() {

42
SOURCES/0057-meson-rename-Ddebug-to-Ddebug-extra.patch Normal file
View File

@ -0,0 +1,42 @@
From 9c1b72de44e68ad80be7c0b98df110e7b127072d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
Date: Sun, 19 Aug 2018 19:11:30 +0200
Subject: [PATCH] meson: rename -Ddebug to -Ddebug-extra
Meson added -Doptimization and -Ddebug options, which obviously causes
a conflict with our -Ddebug options. Let's rename it.
Fixes #9883.
Cherry-picked from: 8f6b442a78d0b485f044742ad90b2e8271b4e68e
---
meson.build | 2 +-
meson_options.txt | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/meson.build b/meson.build
index f308db2631..ebc55872c9 100644
--- a/meson.build
+++ b/meson.build
@@ -769,7 +769,7 @@ substs.set('DEBUGTTY', get_option('debug-tty'))
enable_debug_hashmap = false
enable_debug_mmap_cache = false
-foreach name : get_option('debug')
+foreach name : get_option('debug-extra')
if name == 'hashmap'
enable_debug_hashmap = true
elif name == 'mmap-cache'
diff --git a/meson_options.txt b/meson_options.txt
index ab2a658713..5716f45ccf 100644
--- a/meson_options.txt
+++ b/meson_options.txt
@@ -46,7 +46,7 @@ option('debug-shell', type : 'string', value : '/bin/sh',
description : 'path to debug shell binary')
option('debug-tty', type : 'string', value : '/dev/tty9',
description : 'specify the tty device for debug shell')
-option('debug', type : 'array', choices : ['hashmap', 'mmap-cache'], value : [],
+option('debug-extra', type : 'array', choices : ['hashmap', 'mmap-cache'], value : [],
description : 'enable extra debugging')
option('memory-accounting-default', type : 'boolean',
description : 'enable MemoryAccounting= by default')

38
SOURCES/0058-meson-check-whether-gnutls-supports-TCP-fast-open.patch Normal file
View File

@ -0,0 +1,38 @@
From b6943446f8ffde53ce059b5e869c22bed8926827 Mon Sep 17 00:00:00 2001
From: Yu Watanabe <watanabe.yu+github@gmail.com>
Date: Mon, 25 Jun 2018 22:40:40 +0900
Subject: [PATCH] meson: check whether gnutls supports TCP fast open
Fixes #9403
Cherry-picked from: f02582f69fe1e7663a87ba80bd4f90d5d23ee75f
---
README | 1 +
meson.build | 2 +-
2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/README b/README
index 2cde08c37e..7d06e04800 100644
--- a/README
+++ b/README
@@ -154,6 +154,7 @@ REQUIREMENTS:
libmicrohttpd (optional)
libpython (optional)
libidn2 or libidn (optional)
+ gnutls >= 3.1.4 (optional, >= 3.5.3 is necessary to support DNS-over-TLS)
elfutils >= 158 (optional)
polkit (optional)
pkg-config
diff --git a/meson.build b/meson.build
index ebc55872c9..d58926c981 100644
--- a/meson.build
+++ b/meson.build
@@ -1148,7 +1148,7 @@ substs.set('DEFAULT_DNSSEC_MODE', default_dnssec)
dns_over_tls = get_option('dns-over-tls')
if dns_over_tls != 'false'
- have = conf.get('HAVE_GNUTLS') == 1
+ have = libgnutls != [] and libgnutls.version().version_compare('>=3.5.3')
if dns_over_tls == 'true' and not have
error('DNS-over-TLS support was requested, but dependencies are not available')
endif

24
SOURCES/0059-unit-don-t-add-Requires-for-tmp.mount.patch Normal file
View File

@ -0,0 +1,24 @@
From 03e52d33bbdea731eaa79545bb1d30c5b21abe3d Mon Sep 17 00:00:00 2001
From: Lukas Nykryn <lnykryn@redhat.com>
Date: Mon, 5 Sep 2016 12:47:09 +0200
Subject: [PATCH] unit: don't add Requires for tmp.mount
rhel-only
Resolves: #1619292
---
src/core/unit.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/core/unit.c b/src/core/unit.c
index c9f756c9c7..721d8d60a3 100644
--- a/src/core/unit.c
+++ b/src/core/unit.c
@@ -1421,7 +1421,7 @@ static int unit_add_mount_dependencies(Unit *u) {
if (r < 0)
return r;
- if (m->fragment_path) {
+ if (m->fragment_path && !streq(m->id, "tmp.mount")) {
r = unit_add_dependency(u, UNIT_REQUIRES, m, true, di.origin_mask);
if (r < 0)
return r;

42
SOURCES/0060-tests-drop-the-precondition-check-for-inherited-flag.patch Normal file
View File

@ -0,0 +1,42 @@
From 1d43806017a0df257fef8ed6f79e12ee69c5bc20 Mon Sep 17 00:00:00 2001
From: Frantisek Sumsal <frantisek@sumsal.cz>
Date: Thu, 8 Nov 2018 09:40:13 +0100
Subject: [PATCH] tests: drop the precondition check for inherited flag
Docker's default capability set has the inherited flag already
set - that breaks tests which expect otherwise. Let's just
drop the check and run the test anyway.
Fixes #10663
Cherry-picked from: c446b8486d9ed18d1bc780948ae9ee8a53fa4c3f
---
src/test/test-capability.c | 8 --------
1 file changed, 8 deletions(-)
diff --git a/src/test/test-capability.c b/src/test/test-capability.c
index af6d808b6d..72975cef94 100644
--- a/src/test/test-capability.c
+++ b/src/test/test-capability.c
@@ -180,8 +180,6 @@ static void test_update_inherited_set(void) {
caps = cap_get_proc();
assert_se(caps);
- assert_se(!cap_get_flag(caps, CAP_CHOWN, CAP_INHERITABLE, &fv));
- assert(fv == CAP_CLEAR);
set = (UINT64_C(1) << CAP_CHOWN);
@@ -197,12 +195,6 @@ static void test_set_ambient_caps(void) {
uint64_t set = 0;
cap_flag_value_t fv;
- caps = cap_get_proc();
- assert_se(caps);
- assert_se(!cap_get_flag(caps, CAP_CHOWN, CAP_INHERITABLE, &fv));
- assert(fv == CAP_CLEAR);
- cap_free(caps);
-
assert_se(prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_IS_SET, CAP_CHOWN, 0, 0) == 0);
set = (UINT64_C(1) << CAP_CHOWN);

234
SOURCES/0061-core-when-deserializing-state-always-use-read_line-L.patch Normal file
View File

@ -0,0 +1,234 @@
From 55a1c766445750aaefe28bd7bea454f5f1cff9bb Mon Sep 17 00:00:00 2001
From: Lennart Poettering <lennart@poettering.net>
Date: Wed, 17 Oct 2018 18:36:24 +0200
Subject: [PATCH] =?UTF-8?q?core:=20when=20deserializing=20state=20always?=
=?UTF-8?q?=20use=20read=5Fline(=E2=80=A6,=20LONG=5FLINE=5FMAX,=20?=
=?UTF-8?q?=E2=80=A6)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This should be much better than fgets(), as we can read substantially
longer lines and overly long lines result in proper errors.
Fixes a vulnerability discovered by Jann Horn at Google.
CVE-2018-15686
LP: #1796402
https://bugzilla.redhat.com/show_bug.cgi?id=1639071
(cherry picked from commit 8948b3415d762245ebf5e19d80b97d4d8cc208c1)
Resolves: CVE-2018-15686
---
src/core/job.c | 19 +++++++++++--------
src/core/manager.c | 47 ++++++++++++++++++++--------------------------
src/core/unit.c | 34 +++++++++++++++++----------------
src/core/unit.h | 2 +-
4 files changed, 50 insertions(+), 52 deletions(-)
diff --git a/src/core/job.c b/src/core/job.c
index 734756b666..8552ffb704 100644
--- a/src/core/job.c
+++ b/src/core/job.c
@@ -10,6 +10,7 @@
#include "dbus-job.h"
#include "dbus.h"
#include "escape.h"
+#include "fileio.h"
#include "job.h"
#include "log.h"
#include "macro.h"
@@ -1091,24 +1092,26 @@ int job_serialize(Job *j, FILE *f) {
}
int job_deserialize(Job *j, FILE *f) {
+ int r;
+
assert(j);
assert(f);
for (;;) {
- char line[LINE_MAX], *l, *v;
+ _cleanup_free_ char *line = NULL;
+ char *l, *v;
size_t k;
- if (!fgets(line, sizeof(line), f)) {
- if (feof(f))
- return 0;
- return -errno;
- }
+ r = read_line(f, LONG_LINE_MAX, &line);
+ if (r < 0)
+ return log_error_errno(r, "Failed to read serialization line: %m");
+ if (r == 0)
+ return 0;
- char_array_0(line);
l = strstrip(line);
/* End marker */
- if (l[0] == 0)
+ if (isempty(l))
return 0;
k = strcspn(l, "=");
diff --git a/src/core/manager.c b/src/core/manager.c
index 3b2fe11e87..c83e296cf3 100644
--- a/src/core/manager.c
+++ b/src/core/manager.c
@@ -3144,22 +3144,17 @@ int manager_deserialize(Manager *m, FILE *f, FDSet *fds) {
m->n_reloading++;
for (;;) {
- char line[LINE_MAX];
+ _cleanup_free_ char *line = NULL;
const char *val, *l;
- if (!fgets(line, sizeof(line), f)) {
- if (feof(f))
- r = 0;
- else
- r = -errno;
-
- goto finish;
- }
+ r = read_line(f, LONG_LINE_MAX, &line);
+ if (r < 0)
+ return log_error_errno(r, "Failed to read serialization line: %m");
+ if (r == 0)
+ break;
- char_array_0(line);
l = strstrip(line);
-
- if (l[0] == 0)
+ if (isempty(l)) /* end marker */
break;
if ((val = startswith(l, "current-job-id="))) {
@@ -3326,29 +3321,27 @@ int manager_deserialize(Manager *m, FILE *f, FDSet *fds) {
}
for (;;) {
- Unit *u;
- char name[UNIT_NAME_MAX+2];
+ _cleanup_free_ char *line = NULL;
const char* unit_name;
+ Unit *u;
/* Start marker */
- if (!fgets(name, sizeof(name), f)) {
- if (feof(f))
- r = 0;
- else
- r = -errno;
-
- goto finish;
- }
+ r = read_line(f, LONG_LINE_MAX, &line);
+ if (r < 0)
+ return log_error_errno(r, "Failed to read serialization line: %m");
+ if (r == 0)
+ break;
- char_array_0(name);
- unit_name = strstrip(name);
+ unit_name = strstrip(line);
r = manager_load_unit(m, unit_name, NULL, NULL, &u);
if (r < 0) {
log_notice_errno(r, "Failed to load unit \"%s\", skipping deserialization: %m", unit_name);
- if (r == -ENOMEM)
- goto finish;
- unit_deserialize_skip(f);
+
+ r = unit_deserialize_skip(f);
+ if (r < 0)
+ return r;
+
continue;
}
diff --git a/src/core/unit.c b/src/core/unit.c
index 721d8d60a3..cc43ddc4f1 100644
--- a/src/core/unit.c
+++ b/src/core/unit.c
@@ -3368,21 +3368,19 @@ int unit_deserialize(Unit *u, FILE *f, FDSet *fds) {
assert(fds);
for (;;) {
- char line[LINE_MAX], *l, *v;
+ _cleanup_free_ char *line = NULL;
CGroupIPAccountingMetric m;
+ char *l, *v;
size_t k;
- if (!fgets(line, sizeof(line), f)) {
- if (feof(f))
- return 0;
- return -errno;
- }
+ r = read_line(f, LONG_LINE_MAX, &line);
+ if (r < 0)
+ return log_error_errno(r, "Failed to read serialization line: %m");
+ if (r == 0) /* eof */
+ break;
- char_array_0(line);
l = strstrip(line);
-
- /* End marker */
- if (isempty(l))
+ if (isempty(l)) /* End marker */
break;
k = strcspn(l, "=");
@@ -3657,23 +3655,27 @@ int unit_deserialize(Unit *u, FILE *f, FDSet *fds) {
return 0;
}
-void unit_deserialize_skip(FILE *f) {
+int unit_deserialize_skip(FILE *f) {
+ int r;
assert(f);
/* Skip serialized data for this unit. We don't know what it is. */
for (;;) {
- char line[LINE_MAX], *l;
+ _cleanup_free_ char *line = NULL;
+ char *l;
- if (!fgets(line, sizeof line, f))
- return;
+ r = read_line(f, LONG_LINE_MAX, &line);
+ if (r < 0)
+ return log_error_errno(r, "Failed to read serialization line: %m");
+ if (r == 0)
+ return 0;
- char_array_0(line);
l = strstrip(line);
/* End marker */
if (isempty(l))
- return;
+ return 1;
}
}
diff --git a/src/core/unit.h b/src/core/unit.h
index b3131eba1b..e1a60da244 100644
--- a/src/core/unit.h
+++ b/src/core/unit.h
@@ -679,7 +679,7 @@ bool unit_can_serialize(Unit *u) _pure_;
int unit_serialize(Unit *u, FILE *f, FDSet *fds, bool serialize_jobs);
int unit_deserialize(Unit *u, FILE *f, FDSet *fds);
-void unit_deserialize_skip(FILE *f);
+int unit_deserialize_skip(FILE *f);
int unit_serialize_item(Unit *u, FILE *f, const char *key, const char *value);
int unit_serialize_item_escaped(Unit *u, FILE *f, const char *key, const char *value);

44
SOURCES/0062-core-enforce-a-limit-on-STATUS-texts-recvd-from-serv.patch Normal file
View File

@ -0,0 +1,44 @@
From 6abfec31acae53943896b309db4a09a1cecac9a3 Mon Sep 17 00:00:00 2001
From: Lennart Poettering <lennart@poettering.net>
Date: Wed, 17 Oct 2018 18:37:48 +0200
Subject: [PATCH] core: enforce a limit on STATUS= texts recvd from services
Let's better be safe than sorry, and put a limit on what we receive.
(cherry picked from commit 3eac1bcae9284fb8b18f4b82156c0e85ddb004e5)
Related: CVE-2018-15686
---
src/core/service.c | 8 ++++++--
src/core/service.h | 2 ++
2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/src/core/service.c b/src/core/service.c
index db1356c417..db17221888 100644
--- a/src/core/service.c
+++ b/src/core/service.c
@@ -3549,8 +3549,12 @@ static void service_notify_message(
_cleanup_free_ char *t = NULL;
if (!isempty(e)) {
- if (!utf8_is_valid(e))
- log_unit_warning(u, "Status message in notification message is not UTF-8 clean.");
+ /* Note that this size limit check is mostly paranoia: since the datagram size we are willing
+ * to process is already limited to NOTIFY_BUFFER_MAX, this limit here should never be hit. */
+ if (strlen(e) > STATUS_TEXT_MAX)
+ log_unit_warning(u, "Status message overly long (%zu > %u), ignoring.", strlen(e), STATUS_TEXT_MAX);
+ else if (!utf8_is_valid(e))
+ log_unit_warning(u, "Status message in notification message is not UTF-8 clean, ignoring.");
else {
t = strdup(e);
if (!t)
diff --git a/src/core/service.h b/src/core/service.h
index 9c06e91883..a142b09f0d 100644
--- a/src/core/service.h
+++ b/src/core/service.h
@@ -202,3 +202,5 @@ const char* service_result_to_string(ServiceResult i) _const_;
ServiceResult service_result_from_string(const char *s) _pure_;
DEFINE_CAST(SERVICE, Service);
+
+#define STATUS_TEXT_MAX (16U*1024U)

257
SOURCES/0063-travis-enable-Travis-CI-on-CentOS-7.patch Normal file
View File

@ -0,0 +1,257 @@
From 5638e18196be1fabd9e78d4c506402bf700fe569 Mon Sep 17 00:00:00 2001
From: Frantisek Sumsal <fsumsal@redhat.com>
Date: Mon, 7 Jan 2019 15:49:45 +0100
Subject: [PATCH] travis: enable Travis CI on CentOS 7
(cherry picked from commit 2014cb51b6dfe1f7f0b98e62311398c2bf801c2b)
---
.travis.yml | 86 ++++++++++-----------------------------------
ci/travis-centos.sh | 69 ++++++++++++++++++++++++++++++++++++
ci/travis_wait.bash | 61 ++++++++++++++++++++++++++++++++
3 files changed, 149 insertions(+), 67 deletions(-)
create mode 100755 ci/travis-centos.sh
create mode 100644 ci/travis_wait.bash
diff --git a/.travis.yml b/.travis.yml
index d980038181..fc63887324 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -1,77 +1,29 @@
sudo: required
-
services:
- docker
-language: c
+env:
+ global:
+ - CI_ROOT="$TRAVIS_BUILD_DIR/ci/"
jobs:
include:
- - stage: coverity scan
- before_script:
- - sudo apt-get update
+ - stage: Build & test
+ name: CentOS 7
+ language: bash
+ env:
+ - CENTOS_RELEASE="centos7"
+ - CONT_NAME="systemd-centos-$CENTOS_RELEASE"
+ - DOCKER_EXEC="docker exec -ti $CONT_NAME"
+ before_install:
- sudo apt-get -y -o Dpkg::Options::="--force-confnew" install docker-ce
- docker --version
- - env > .env
- env:
- - COVERITY_SCAN_PROJECT_NAME="$TRAVIS_REPO_SLUG"
- - COVERITY_SCAN_NOTIFICATION_EMAIL="${AUTHOR_EMAIL}"
- - COVERITY_SCAN_BRANCH_PATTERN="$TRAVIS_BRANCH"
- # Encrypted token for systemd/systemd Coverity Scan Analysis,
- # generated by "travis encrypt -r systemd/systemd COVERITY_SCAN_TOKEN=<TOKEN>"
- - secure: "lM0IVP2zOG5Ywk3YCbDCQL4WioyzzwtdtpZ+hKDy4BWCZDBJ/FVwIeBsXdMDvlTa3xi+GQ1b7kS2OmTfmG4aSlhU7isuH8SMq1Y4GR5AxfhkR+irUA1A1fntlvhbjIumDGW5wjs0Dt8KogMWS+ZD4eGE59lrVO/TrhMzIe1eHENVLFQJdNq+ZJXU8wxMfHf8lXk0xA8SJTid0XvZBNc4JN6pjJRA8LaOrMNhQYfygFmVQ598kwlu7gf5vbCKFPnIgJAxdIhz12XS9utGohV28IYj9d1DdUGUT+ar3OfADj3X8KFBP4Ymc02pcln3wVgdPtrDbFZh1R9jbmfdXGAH/6tTOJVn8aFySS2Vq9QiBiprWdPsAOLcWMNhnp0lMkASxs9/W26nU7Czo8VbAVWXM1w35plDpnDGR6lk/06dmOZpqu5p3AYr5xIKACIAdPDn0rNpnSWqC750WZ8ZWbHnKuZC5TWML7scVaPiEi7D7rbwqML2rdwx4ZoTZmCHiGByXCIWTfhf0JNQAix5WW3znl+BmDesumPgPj2mX+y6J1WYJrIz12m7qh7KhV/a1ODKM+I91A9rkOA/bPnmhmSSUR7CwgvZt1fC/VwBnaFFtAz9/70kN9Q8tDBXtXidExZwh1e3t5vDG72k3lXwNqpKRvdW3LOxK6lFvqEdMWVUJls="
+ install:
+ - $CI_ROOT/travis-centos.sh SETUP
script:
- # Copy content of CI_DIR into WORKDIR
- - find $CI_DIR -maxdepth 1 -type f -exec cp -t . {} +
- # Build container for current user
- - $CI_SCRIPT_DIR/build-docker-image.sh
-
- # For kernel version 4.8+
- - sudo sysctl vsyscall=emulate || true
- # Prepare environment for Coverity tool
- - |
- PLATFORM=`uname`
- export TOOL_BASE="/tmp/coverity-scan-analysis"
- export SCAN_URL="https://scan.coverity.com"
- export UPLOAD_URL="https://scan.coverity.com/builds"
- export TOOL_ARCHIVE="/tmp/cov-analysis-${PLATFORM}.tgz"
-
- # Get Coverity tool
- - $CI_TOOL_DIR/get-coverity.sh
- - TOOL_DIR="$(find $TOOL_BASE -type d -name 'cov-analysis*')"
-
- # Export env variables for Coverity scan
- - env | grep -E "TRAVIS|COV|TOOL|URL" > .cov-env
- - |
- docker run -dit --env-file .cov-env \
- -v ${TOOL_BASE}:${TOOL_BASE}:ro \
- --name travis_coverity_scan coverity-${TRAVIS_COMMIT}:latest bash
- # Make sure Coverity script is executable
- - docker cp tools/coverity.sh travis_coverity_scan:/usr/local/bin
- # Preconfigure with meson to prevent Coverity from capturing meson metadata
- # Set compiler flag to prevent emit failure
- - docker exec -it travis_coverity_scan sh -c "CFLAGS='-D_Float128=long\ double -D_Float64=double -D_Float64x=long\ double -D_Float32=float -D_Float32x=double' meson cov-build -Dman=false"
- # Run Coverity Analysis
- - docker exec -it travis_coverity_scan coverity.sh build
- - docker exec -it travis_coverity_scan coverity.sh upload
-
-# Specify the order of stages and conditions
-stages:
- - name: coverity scan
- if: type = cron
-
-env:
- global:
- - ADMIN_EMAIL=macermak@redhat.com
-
- - AUTHOR_NAME="$(git log -1 $TRAVIS_COMMIT --pretty=\"%aN\")"
- - AUTHOR_EMAIL="$(git log -1 $TRAVIS_COMMIT --pretty=\"%aE\")"
-
- - CI_DIR="$TRAVIS_BUILD_DIR/travis-ci"
- - CI_TOOL_DIR="$CI_DIR/tools"
- - CI_SCRIPT_DIR="$CI_DIR/scripts"
-
-notifications:
- email:
- recipients:
- - ${ADMIN_EMAIL}
+ - set -e
+ # Build systemd
+ - $CI_ROOT/travis-centos.sh RUN
+ - set +e
+ after_script:
+ - $CI_ROOT/travis-centos.sh CLEANUP
diff --git a/ci/travis-centos.sh b/ci/travis-centos.sh
new file mode 100755
index 0000000000..60bbdf14c2
--- /dev/null
+++ b/ci/travis-centos.sh
@@ -0,0 +1,69 @@
+#!/bin/bash
+
+# Run this script from the root of the systemd's git repository
+# or set REPO_ROOT to a correct path.
+#
+# Example execution on Fedora:
+# dnf install docker
+# systemctl start docker
+# export CONT_NAME="my-fancy-container"
+# ci/travis-centos.sh SETUP RUN CLEANUP
+
+PHASES=(${@:-SETUP RUN CLEANUP})
+CENTOS_RELEASE="${CENTOS_RELEASE:-latest}"
+CONT_NAME="${CONT_NAME:-centos-$CENTOS_RELEASE-$RANDOM}"
+DOCKER_EXEC="${DOCKER_EXEC:-docker exec -it $CONT_NAME}"
+DOCKER_RUN="${DOCKER_RUN:-docker run}"
+REPO_ROOT="${REPO_ROOT:-$PWD}"
+ADDITIONAL_DEPS=(yum-utils iputils hostname libasan libubsan clang llvm)
+
+function info() {
+ echo -e "\033[33;1m$1\033[0m"
+}
+
+set -e
+
+source "$(dirname $0)/travis_wait.bash"
+
+for phase in "${PHASES[@]}"; do
+ case $phase in
+ SETUP)
+ info "Setup phase"
+ info "Using Travis $CENTOS_RELEASE"
+ # Pull a Docker image and start a new container
+ docker pull centos:$CENTOS_RELEASE
+ info "Starting container $CONT_NAME"
+ $DOCKER_RUN -v $REPO_ROOT:/build:rw \
+ -w /build --privileged=true --name $CONT_NAME \
+ -dit --net=host centos:$CENTOS_RELEASE /sbin/init
+ # Beautiful workaround for Fedora's version of Docker
+ sleep 1
+ $DOCKER_EXEC yum makecache
+ # Install necessary build/test requirements
+ $DOCKER_EXEC yum -y --exclude selinux-policy\* upgrade
+ $DOCKER_EXEC yum -y install "${ADDITIONAL_DEPS[@]}"
+ $DOCKER_EXEC yum-builddep -y systemd
+ ;;
+ RUN)
+ info "Run phase"
+ # Build systemd
+ $DOCKER_EXEC ./autogen.sh
+ $DOCKER_EXEC ./configure --disable-timesyncd --disable-kdbus --disable-terminal \
+ --enable-gtk-doc --enable-compat-libs --disable-sysusers \
+ --disable-ldconfig --enable-lz4 --with-sysvinit-path=/etc/rc.d/init.d
+ $DOCKER_EXEC make
+ if ! $DOCKER_EXEC make check; then
+ $DOCKER_EXEC cat test-suite.log
+ exit 1
+ fi
+ ;;
+ CLEANUP)
+ info "Cleanup phase"
+ docker stop $CONT_NAME
+ docker rm -f $CONT_NAME
+ ;;
+ *)
+ echo >&2 "Unknown phase '$phase'"
+ exit 1
+ esac
+done
diff --git a/ci/travis_wait.bash b/ci/travis_wait.bash
new file mode 100644
index 0000000000..acf6ad15e4
--- /dev/null
+++ b/ci/travis_wait.bash
@@ -0,0 +1,61 @@
+# This was borrowed from https://github.com/travis-ci/travis-build/tree/master/lib/travis/build/bash
+# to get around https://github.com/travis-ci/travis-ci/issues/9979. It should probably be removed
+# as soon as Travis CI has started to provide an easy way to export the functions to bash scripts.
+
+travis_jigger() {
+ local cmd_pid="${1}"
+ shift
+ local timeout="${1}"
+ shift
+ local count=0
+
+ echo -e "\\n"
+
+ while [[ "${count}" -lt "${timeout}" ]]; do
+ count="$((count + 1))"
+ echo -ne "Still running (${count} of ${timeout}): ${*}\\r"
+ sleep 60
+ done
+
+ echo -e "\\n${ANSI_RED}Timeout (${timeout} minutes) reached. Terminating \"${*}\"${ANSI_RESET}\\n"
+ kill -9 "${cmd_pid}"
+}
+
+travis_wait() {
+ local timeout="${1}"
+
+ if [[ "${timeout}" =~ ^[0-9]+$ ]]; then
+ shift
+ else
+ timeout=20
+ fi
+
+ local cmd=("${@}")
+ local log_file="travis_wait_${$}.log"
+
+ "${cmd[@]}" &>"${log_file}" &
+ local cmd_pid="${!}"
+
+ travis_jigger "${!}" "${timeout}" "${cmd[@]}" &
+ local jigger_pid="${!}"
+ local result
+
+ {
+ set +e
+ wait "${cmd_pid}" 2>/dev/null
+ result="${?}"
+ ps -p"${jigger_pid}" &>/dev/null && kill "${jigger_pid}"
+ set -e
+ }
+
+ if [[ "${result}" -eq 0 ]]; then
+ echo -e "\\n${ANSI_GREEN}The command ${cmd[*]} exited with ${result}.${ANSI_RESET}"
+ else
+ echo -e "\\n${ANSI_RED}The command ${cmd[*]} exited with ${result}.${ANSI_RESET}"
+ fi
+
+ echo -e "\\n${ANSI_GREEN}Log:${ANSI_RESET}\\n"
+ cat "${log_file}"
+
+ return "${result}"
+}

175
SOURCES/0064-travis-RHEL8-support.patch Normal file
View File

@ -0,0 +1,175 @@
From 45b0a38b47e07186dfe35095c7d8b1e4c2524d80 Mon Sep 17 00:00:00 2001
From: Frantisek Sumsal <fsumsal@redhat.com>
Date: Mon, 14 Jan 2019 14:49:32 +0100
Subject: [PATCH] travis: RHEL8 support
(cherry picked from commit e5c78840b2b124400f56cb5fbaf2357cd8901218)
---
.travis.yml | 8 +-
...ravis-centos.sh => travis-centos-rhel7.sh} | 0
ci/travis-centos-rhel8.sh | 130 ++++++++++++++++++
3 files changed, 135 insertions(+), 3 deletions(-)
rename ci/{travis-centos.sh => travis-centos-rhel7.sh} (100%)
create mode 100755 ci/travis-centos-rhel8.sh
diff --git a/.travis.yml b/.travis.yml
index fc63887324..1c4e6f9728 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -19,11 +19,13 @@ jobs:
- sudo apt-get -y -o Dpkg::Options::="--force-confnew" install docker-ce
- docker --version
install:
- - $CI_ROOT/travis-centos.sh SETUP
+ - RHEL_VERSION="rhel7"
+ - [ -f meson.build ] && RHEL_VERSION="rhel8"
+ - $CI_ROOT/travis-centos-${RHEL_VERSION}.sh SETUP
script:
- set -e
# Build systemd
- - $CI_ROOT/travis-centos.sh RUN
+ - $CI_ROOT/travis-centos-${RHEL_VERSION}.sh RUN
- set +e
after_script:
- - $CI_ROOT/travis-centos.sh CLEANUP
+ - $CI_ROOT/travis-centos-${RHEL_VERSION}.sh CLEANUP
diff --git a/ci/travis-centos.sh b/ci/travis-centos-rhel7.sh
similarity index 100%
rename from ci/travis-centos.sh
rename to ci/travis-centos-rhel7.sh
diff --git a/ci/travis-centos-rhel8.sh b/ci/travis-centos-rhel8.sh
new file mode 100755
index 0000000000..968603f949
--- /dev/null
+++ b/ci/travis-centos-rhel8.sh
@@ -0,0 +1,130 @@
+#!/bin/bash
+
+# Run this script from the root of the systemd's git repository
+# or set REPO_ROOT to a correct path.
+#
+# Example execution on Fedora:
+# dnf install docker
+# systemctl start docker
+# export CONT_NAME="my-fancy-container"
+# ci/travis-centos.sh SETUP RUN CLEANUP
+
+PHASES=(${@:-SETUP RUN CLEANUP})
+CENTOS_RELEASE="${CENTOS_RELEASE:-latest}"
+CONT_NAME="${CONT_NAME:-centos-$CENTOS_RELEASE-$RANDOM}"
+DOCKER_EXEC="${DOCKER_EXEC:-docker exec -it $CONT_NAME}"
+DOCKER_RUN="${DOCKER_RUN:-docker run}"
+REPO_ROOT="${REPO_ROOT:-$PWD}"
+ADDITIONAL_DEPS=(systemd-ci-environment libidn2-devel python-lxml python36 ninja-build libasan net-tools strace nc busybox e2fsprogs quota dnsmasq)
+# Repo with additional depencencies to compile newer systemd on CentOS 7
+COPR_REPO="https://copr.fedorainfracloud.org/coprs/mrc0mmand/systemd-centos-ci/repo/epel-7/mrc0mmand-systemd-centos-ci-epel-7.repo"
+COPR_REPO_PATH="/etc/yum.repos.d/${COPR_REPO##*/}"
+
+function info() {
+ echo -e "\033[33;1m$1\033[0m"
+}
+
+set -e
+
+source "$(dirname $0)/travis_wait.bash"
+
+for phase in "${PHASES[@]}"; do
+ case $phase in
+ SETUP)
+ info "Setup phase"
+ info "Using Travis $CENTOS_RELEASE"
+ # Pull a Docker image and start a new container
+ docker pull centos:$CENTOS_RELEASE
+ info "Starting container $CONT_NAME"
+ $DOCKER_RUN -v $REPO_ROOT:/build:rw \
+ -w /build --privileged=true --name $CONT_NAME \
+ -dit --net=host centos:$CENTOS_RELEASE /sbin/init
+ # Beautiful workaround for Fedora's version of Docker
+ sleep 1
+ $DOCKER_EXEC yum makecache
+ $DOCKER_EXEC curl "$COPR_REPO" -o "$COPR_REPO_PATH"
+ $DOCKER_EXEC yum -q -y install epel-release yum-utils
+ $DOCKER_EXEC yum-config-manager -q --enable epel
+ $DOCKER_EXEC yum -y --exclude selinux-policy\* upgrade
+ # Install necessary build/test requirements
+ $DOCKER_EXEC yum -y install "${ADDITIONAL_DEPS[@]}"
+ $DOCKER_EXEC python3.6 -m ensurepip
+ $DOCKER_EXEC python3.6 -m pip install meson
+ # Create necessary symlinks
+ $DOCKER_EXEC ln --force -s /usr/bin/python3.6 /usr/bin/python3
+ $DOCKER_EXEC ln --force -s /usr/bin/ninja-build /usr/bin/ninja
+ ;;
+ RUN)
+ info "Run phase"
+ # Build systemd
+ CONFIGURE_OPTS=(
+ # RHEL8 options
+ -Dsysvinit-path=/etc/rc.d/init.d
+ -Drc-local=/etc/rc.d/rc.local
+ -Ddns-servers=''
+ -Ddev-kvm-mode=0666
+ -Dkmod=true
+ -Dxkbcommon=true
+ -Dblkid=true
+ -Dseccomp=true
+ -Dima=true
+ -Dselinux=true
+ -Dapparmor=false
+ -Dpolkit=true
+ -Dxz=true
+ -Dzlib=true
+ -Dbzip2=true
+ -Dlz4=true
+ -Dpam=true
+ -Dacl=true
+ -Dsmack=true
+ -Dgcrypt=true
+ -Daudit=true
+ -Delfutils=true
+ -Dlibcryptsetup=true
+ -Delfutils=true
+ -Dqrencode=false
+ -Dgnutls=true
+ -Dmicrohttpd=true
+ -Dlibidn2=true
+ -Dlibiptc=true
+ -Dlibcurl=true
+ -Defi=true
+ -Dtpm=true
+ -Dhwdb=true
+ -Dsysusers=true
+ -Ddefault-kill-user-processes=false
+ -Dtests=unsafe
+ -Dinstall-tests=true
+ -Dtty-gid=5
+ -Dusers-gid=100
+ -Dnobody-user=nobody
+ -Dnobody-group=nobody
+ -Dsplit-usr=false
+ -Dsplit-bin=true
+ -Db_lto=false
+ -Dnetworkd=false
+ -Dtimesyncd=false
+ -Ddefault-hierarchy=legacy
+ # Custom options
+ -Dslow-tests=true
+ -Dtests=unsafe
+ -Dinstall-tests=true
+ )
+ docker exec -it -e CFLAGS='-g -O0 -ftrapv' $CONT_NAME meson build "${CONFIGURE_OPTS[@]}"
+ $DOCKER_EXEC ninja -v -C build
+ # "Mask" the udev-test.pl, as it requires newer version of systemd-detect-virt
+ # and it's pointless to run it on a VM in a Docker container...
+ echo -ne "#!/usr/bin/perl\nexit(0);\n" > "test/udev-test.pl"
+ $DOCKER_EXEC ninja -C build test
+ ;;
+ CLEANUP)
+ info "Cleanup phase"
+ docker stop $CONT_NAME
+ docker rm -f $CONT_NAME
+ ;;
+ *)
+ echo >&2 "Unknown phase '$phase'"
+ exit 1
+ esac
+done

37
SOURCES/0065-travis-drop-the-SELinux-Fedora-workaround.patch Normal file
View File

@ -0,0 +1,37 @@
From 2d674d48e9ca48e3bb126f20b59334100d926a23 Mon Sep 17 00:00:00 2001
From: Frantisek Sumsal <fsumsal@redhat.com>
Date: Tue, 15 Jan 2019 11:03:45 +0100
Subject: [PATCH] travis: drop the SELinux Fedora workaround
(cherry picked from commit 90399c456fe8cf726fc04fb7be9e2a01f9ca0eae)
---
ci/travis-centos-rhel7.sh | 2 +-
ci/travis-centos-rhel8.sh | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/ci/travis-centos-rhel7.sh b/ci/travis-centos-rhel7.sh
index 60bbdf14c2..b1b3de1cc2 100755
--- a/ci/travis-centos-rhel7.sh
+++ b/ci/travis-centos-rhel7.sh
@@ -40,7 +40,7 @@ for phase in "${PHASES[@]}"; do
sleep 1
$DOCKER_EXEC yum makecache
# Install necessary build/test requirements
- $DOCKER_EXEC yum -y --exclude selinux-policy\* upgrade
+ $DOCKER_EXEC yum -y upgrade
$DOCKER_EXEC yum -y install "${ADDITIONAL_DEPS[@]}"
$DOCKER_EXEC yum-builddep -y systemd
;;
diff --git a/ci/travis-centos-rhel8.sh b/ci/travis-centos-rhel8.sh
index 968603f949..8eda5e982f 100755
--- a/ci/travis-centos-rhel8.sh
+++ b/ci/travis-centos-rhel8.sh
@@ -45,7 +45,7 @@ for phase in "${PHASES[@]}"; do
$DOCKER_EXEC curl "$COPR_REPO" -o "$COPR_REPO_PATH"
$DOCKER_EXEC yum -q -y install epel-release yum-utils
$DOCKER_EXEC yum-config-manager -q --enable epel
- $DOCKER_EXEC yum -y --exclude selinux-policy\* upgrade
+ $DOCKER_EXEC yum -y upgrade
# Install necessary build/test requirements
$DOCKER_EXEC yum -y install "${ADDITIONAL_DEPS[@]}"
$DOCKER_EXEC python3.6 -m ensurepip

24
SOURCES/0066-travis-fix-syntax-error-in-.travis.yml.patch Normal file
View File

@ -0,0 +1,24 @@
From a7f87d13f6f7dd92e1f1f7617df531fa34c70b6d Mon Sep 17 00:00:00 2001
From: Frantisek Sumsal <fsumsal@redhat.com>
Date: Tue, 15 Jan 2019 14:35:27 +0100
Subject: [PATCH] travis: fix syntax error in .travis.yml
(cherry picked from commit 7f9d44f527ea214347f7d3b3b067f84df53feed7)
---
.travis.yml | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/.travis.yml b/.travis.yml
index 1c4e6f9728..c5c9c345a9 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -19,8 +19,7 @@ jobs:
- sudo apt-get -y -o Dpkg::Options::="--force-confnew" install docker-ce
- docker --version
install:
- - RHEL_VERSION="rhel7"
- - [ -f meson.build ] && RHEL_VERSION="rhel8"
+ - if [ -f meson.build ]; then RHEL_VERSION=rhel8; else RHEL_VERSION=rhel7; fi
- $CI_ROOT/travis-centos-${RHEL_VERSION}.sh SETUP
script:
- set -e

40
SOURCES/0067-travis-reboot-the-container-before-running-tests.patch Normal file
View File

@ -0,0 +1,40 @@
From 63e71bda5a00c04c16f330cfc0e6f91e7dcead59 Mon Sep 17 00:00:00 2001
From: Frantisek Sumsal <fsumsal@redhat.com>
Date: Thu, 17 Jan 2019 12:03:10 +0100
Subject: [PATCH] travis: reboot the container before running tests
---
ci/travis-centos-rhel7.sh | 4 ++++
ci/travis-centos-rhel8.sh | 4 ++++
2 files changed, 8 insertions(+)
diff --git a/ci/travis-centos-rhel7.sh b/ci/travis-centos-rhel7.sh
index b1b3de1cc2..73416798ed 100755
--- a/ci/travis-centos-rhel7.sh
+++ b/ci/travis-centos-rhel7.sh
@@ -52,6 +52,10 @@ for phase in "${PHASES[@]}"; do
--enable-gtk-doc --enable-compat-libs --disable-sysusers \
--disable-ldconfig --enable-lz4 --with-sysvinit-path=/etc/rc.d/init.d
$DOCKER_EXEC make
+ # Let's install the new systemd and "reboot" the container to avoid
+ # unexpected fails due to incompatibilities with older systemd
+ $DOCKER_EXEC make install
+ docker restart $CONT_NAME
if ! $DOCKER_EXEC make check; then
$DOCKER_EXEC cat test-suite.log
exit 1
diff --git a/ci/travis-centos-rhel8.sh b/ci/travis-centos-rhel8.sh
index 8eda5e982f..1f72d984e0 100755
--- a/ci/travis-centos-rhel8.sh
+++ b/ci/travis-centos-rhel8.sh
@@ -113,6 +113,10 @@ for phase in "${PHASES[@]}"; do
)
docker exec -it -e CFLAGS='-g -O0 -ftrapv' $CONT_NAME meson build "${CONFIGURE_OPTS[@]}"
$DOCKER_EXEC ninja -v -C build
+ # Let's install the new systemd and "reboot" the container to avoid
+ # unexpected fails due to incompatibilities with older systemd
+ $DOCKER_EXEC ninja -C build install
+ docker restart $CONT_NAME
# "Mask" the udev-test.pl, as it requires newer version of systemd-detect-virt
# and it's pointless to run it on a VM in a Docker container...
echo -ne "#!/usr/bin/perl\nexit(0);\n" > "test/udev-test.pl"

35
SOURCES/0068-coredump-remove-duplicate-MESSAGE-prefix-from-messag.patch Normal file
View File

@ -0,0 +1,35 @@
From af43906bb0c8f2bb3b135d68d56ea2fa58fa9e60 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
Date: Wed, 5 Dec 2018 17:33:15 +0100
Subject: [PATCH] coredump: remove duplicate MESSAGE= prefix from message
systemd-coredump[9982]: MESSAGE=Process 771 (systemd-journal) of user 0 dumped core.
systemd-coredump[9982]: Coredump diverted to /var/lib/systemd/coredump/core...
log_dispatch() calls log_dispatch_internal() which calls write_to_journal()
which appends MESSAGE= on its own.
(cherry-picked from commit 4f62556d71206ac814a020a954b397d4940e14c3)
Related: #1664976
---
src/coredump/coredump.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/coredump/coredump.c b/src/coredump/coredump.c
index 20a1cbdd45..d7dd81c1b4 100644
--- a/src/coredump/coredump.c
+++ b/src/coredump/coredump.c
@@ -789,9 +789,10 @@ log:
return log_oom();
if (journald_crash) {
- /* We cannot log to the journal, so just print the MESSAGE.
+ /* We cannot log to the journal, so just print the message.
* The target was set previously to something safe. */
- log_dispatch(LOG_ERR, 0, core_message);
+ assert(startswith(core_message, "MESSAGE="));
+ log_dispatch(LOG_ERR, 0, core_message + strlen("MESSAGE="));
return 0;
}

34
SOURCES/0069-journald-remove-unnecessary.patch Normal file
View File

@ -0,0 +1,34 @@
From 285e4d2ce6a8836ce7bf2e889d43b7272f7ccc1b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
Date: Wed, 5 Dec 2018 17:53:50 +0100
Subject: [PATCH] journald: remove unnecessary {}
(cherry-picked from commit bc2762a309132a34db1797d8b5792d5747a94484)
Related: #1664976
---
src/journal/journald-server.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/src/journal/journald-server.c b/src/journal/journald-server.c
index 4f1550ec5b..ce2446a2f1 100644
--- a/src/journal/journald-server.c
+++ b/src/journal/journald-server.c
@@ -1124,8 +1124,7 @@ int server_process_datagram(sd_event_source *es, int fd, uint32_t revents, void
return log_error_errno(errno, "recvmsg() failed: %m");
}
- CMSG_FOREACH(cmsg, &msghdr) {
-
+ CMSG_FOREACH(cmsg, &msghdr)
if (cmsg->cmsg_level == SOL_SOCKET &&
cmsg->cmsg_type == SCM_CREDENTIALS &&
cmsg->cmsg_len == CMSG_LEN(sizeof(struct ucred)))
@@ -1143,7 +1142,6 @@ int server_process_datagram(sd_event_source *es, int fd, uint32_t revents, void
fds = (int*) CMSG_DATA(cmsg);
n_fds = (cmsg->cmsg_len - CMSG_LEN(0)) / sizeof(int);
}
- }
/* And a trailing NUL, just in case */
s->buffer[n] = 0;

202
SOURCES/0070-journald-do-not-store-the-iovec-entry-for-process-co.patch Normal file
View File

@ -0,0 +1,202 @@
From b6c10945e68949edc6418f48ca7b1b748fefabe1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
Date: Wed, 5 Dec 2018 18:38:39 +0100
Subject: [PATCH] journald: do not store the iovec entry for process
commandline on stack
This fixes a crash where we would read the commandline, whose length is under
control of the sending program, and then crash when trying to create a stack
allocation for it.
CVE-2018-16864
https://bugzilla.redhat.com/show_bug.cgi?id=1653855
The message actually doesn't get written to disk, because
journal_file_append_entry() returns -E2BIG.
(cherry-picked from commit 084eeb865ca63887098e0945fb4e93c852b91b0f)
Resolves: #1664976
---
src/basic/io-util.c | 10 ++++++++++
src/basic/io-util.h | 2 ++
src/coredump/coredump.c | 31 +++++++++++--------------------
src/journal/journald-server.c | 25 +++++++++++++++----------
4 files changed, 38 insertions(+), 30 deletions(-)
diff --git a/src/basic/io-util.c b/src/basic/io-util.c
index 1f64cc933b..575398fbe6 100644
--- a/src/basic/io-util.c
+++ b/src/basic/io-util.c
@@ -8,6 +8,7 @@
#include <unistd.h>
#include "io-util.h"
+#include "string-util.h"
#include "time-util.h"
int flush_fd(int fd) {
@@ -252,3 +253,12 @@ ssize_t sparse_write(int fd, const void *p, size_t sz, size_t run_length) {
return q - (const uint8_t*) p;
}
+
+char* set_iovec_string_field(struct iovec *iovec, size_t *n_iovec, const char *field, const char *value) {
+ char *x;
+
+ x = strappend(field, value);
+ if (x)
+ iovec[(*n_iovec)++] = IOVEC_MAKE_STRING(x);
+ return x;
+}
diff --git a/src/basic/io-util.h b/src/basic/io-util.h
index ed189b5820..792a64ad5e 100644
--- a/src/basic/io-util.h
+++ b/src/basic/io-util.h
@@ -71,3 +71,5 @@ static inline bool FILE_SIZE_VALID_OR_INFINITY(uint64_t l) {
#define IOVEC_MAKE(base, len) (struct iovec) IOVEC_INIT(base, len)
#define IOVEC_INIT_STRING(string) IOVEC_INIT((char*) string, strlen(string))
#define IOVEC_MAKE_STRING(string) (struct iovec) IOVEC_INIT_STRING(string)
+
+char* set_iovec_string_field(struct iovec *iovec, size_t *n_iovec, const char *field, const char *value);
diff --git a/src/coredump/coredump.c b/src/coredump/coredump.c
index d7dd81c1b4..ffa88f612d 100644
--- a/src/coredump/coredump.c
+++ b/src/coredump/coredump.c
@@ -1054,19 +1054,10 @@ static int send_iovec(const struct iovec iovec[], size_t n_iovec, int input_fd)
return 0;
}
-static char* set_iovec_field(struct iovec *iovec, size_t *n_iovec, const char *field, const char *value) {
- char *x;
-
- x = strappend(field, value);
- if (x)
- iovec[(*n_iovec)++] = IOVEC_MAKE_STRING(x);
- return x;
-}
-
static char* set_iovec_field_free(struct iovec *iovec, size_t *n_iovec, const char *field, char *value) {
char *x;
- x = set_iovec_field(iovec, n_iovec, field, value);
+ x = set_iovec_string_field(iovec, n_iovec, field, value);
free(value);
return x;
}
@@ -1116,36 +1107,36 @@ static int gather_pid_metadata(
disable_coredumps();
}
- set_iovec_field(iovec, n_iovec, "COREDUMP_UNIT=", context[CONTEXT_UNIT]);
+ set_iovec_string_field(iovec, n_iovec, "COREDUMP_UNIT=", context[CONTEXT_UNIT]);
}
if (cg_pid_get_user_unit(pid, &t) >= 0)
set_iovec_field_free(iovec, n_iovec, "COREDUMP_USER_UNIT=", t);
/* The next few are mandatory */
- if (!set_iovec_field(iovec, n_iovec, "COREDUMP_PID=", context[CONTEXT_PID]))
+ if (!set_iovec_string_field(iovec, n_iovec, "COREDUMP_PID=", context[CONTEXT_PID]))
return log_oom();
- if (!set_iovec_field(iovec, n_iovec, "COREDUMP_UID=", context[CONTEXT_UID]))
+ if (!set_iovec_string_field(iovec, n_iovec, "COREDUMP_UID=", context[CONTEXT_UID]))
return log_oom();
- if (!set_iovec_field(iovec, n_iovec, "COREDUMP_GID=", context[CONTEXT_GID]))
+ if (!set_iovec_string_field(iovec, n_iovec, "COREDUMP_GID=", context[CONTEXT_GID]))
return log_oom();
- if (!set_iovec_field(iovec, n_iovec, "COREDUMP_SIGNAL=", context[CONTEXT_SIGNAL]))
+ if (!set_iovec_string_field(iovec, n_iovec, "COREDUMP_SIGNAL=", context[CONTEXT_SIGNAL]))
return log_oom();
- if (!set_iovec_field(iovec, n_iovec, "COREDUMP_RLIMIT=", context[CONTEXT_RLIMIT]))
+ if (!set_iovec_string_field(iovec, n_iovec, "COREDUMP_RLIMIT=", context[CONTEXT_RLIMIT]))
return log_oom();
- if (!set_iovec_field(iovec, n_iovec, "COREDUMP_HOSTNAME=", context[CONTEXT_HOSTNAME]))
+ if (!set_iovec_string_field(iovec, n_iovec, "COREDUMP_HOSTNAME=", context[CONTEXT_HOSTNAME]))
return log_oom();
- if (!set_iovec_field(iovec, n_iovec, "COREDUMP_COMM=", context[CONTEXT_COMM]))
+ if (!set_iovec_string_field(iovec, n_iovec, "COREDUMP_COMM=", context[CONTEXT_COMM]))
return log_oom();
if (context[CONTEXT_EXE] &&
- !set_iovec_field(iovec, n_iovec, "COREDUMP_EXE=", context[CONTEXT_EXE]))
+ !set_iovec_string_field(iovec, n_iovec, "COREDUMP_EXE=", context[CONTEXT_EXE]))
return log_oom();
if (sd_pid_get_session(pid, &t) >= 0)
@@ -1213,7 +1204,7 @@ static int gather_pid_metadata(
iovec[(*n_iovec)++] = IOVEC_MAKE_STRING(t);
if (safe_atoi(context[CONTEXT_SIGNAL], &signo) >= 0 && SIGNAL_VALID(signo))
- set_iovec_field(iovec, n_iovec, "COREDUMP_SIGNAL_NAME=SIG", signal_to_string(signo));
+ set_iovec_string_field(iovec, n_iovec, "COREDUMP_SIGNAL_NAME=SIG", signal_to_string(signo));
return 0; /* we successfully acquired all metadata */
}
diff --git a/src/journal/journald-server.c b/src/journal/journald-server.c
index ce2446a2f1..8de45552f6 100644
--- a/src/journal/journald-server.c
+++ b/src/journal/journald-server.c
@@ -753,6 +753,7 @@ static void dispatch_message_real(
pid_t object_pid) {
char source_time[sizeof("_SOURCE_REALTIME_TIMESTAMP=") + DECIMAL_STR_MAX(usec_t)];
+ _cleanup_free_ char *cmdline1 = NULL, *cmdline2 = NULL;
uid_t journal_uid;
ClientContext *o;
@@ -769,20 +770,23 @@ static void dispatch_message_real(
IOVEC_ADD_NUMERIC_FIELD(iovec, n, c->uid, uid_t, uid_is_valid, UID_FMT, "_UID");
IOVEC_ADD_NUMERIC_FIELD(iovec, n, c->gid, gid_t, gid_is_valid, GID_FMT, "_GID");
- IOVEC_ADD_STRING_FIELD(iovec, n, c->comm, "_COMM");
- IOVEC_ADD_STRING_FIELD(iovec, n, c->exe, "_EXE");
- IOVEC_ADD_STRING_FIELD(iovec, n, c->cmdline, "_CMDLINE");
- IOVEC_ADD_STRING_FIELD(iovec, n, c->capeff, "_CAP_EFFECTIVE");
+ IOVEC_ADD_STRING_FIELD(iovec, n, c->comm, "_COMM"); /* At most TASK_COMM_LENGTH (16 bytes) */
+ IOVEC_ADD_STRING_FIELD(iovec, n, c->exe, "_EXE"); /* A path, so at most PATH_MAX (4096 bytes) */
- IOVEC_ADD_SIZED_FIELD(iovec, n, c->label, c->label_size, "_SELINUX_CONTEXT");
+ if (c->cmdline)
+ /* At most _SC_ARG_MAX (2MB usually), which is too much to put on stack.
+ * Let's use a heap allocation for this one. */
+ cmdline1 = set_iovec_string_field(iovec, &n, "_CMDLINE=", c->cmdline);
+ IOVEC_ADD_STRING_FIELD(iovec, n, c->capeff, "_CAP_EFFECTIVE"); /* Read from /proc/.../status */
+ IOVEC_ADD_SIZED_FIELD(iovec, n, c->label, c->label_size, "_SELINUX_CONTEXT");
IOVEC_ADD_NUMERIC_FIELD(iovec, n, c->auditid, uint32_t, audit_session_is_valid, "%" PRIu32, "_AUDIT_SESSION");
IOVEC_ADD_NUMERIC_FIELD(iovec, n, c->loginuid, uid_t, uid_is_valid, UID_FMT, "_AUDIT_LOGINUID");
- IOVEC_ADD_STRING_FIELD(iovec, n, c->cgroup, "_SYSTEMD_CGROUP");
+ IOVEC_ADD_STRING_FIELD(iovec, n, c->cgroup, "_SYSTEMD_CGROUP"); /* A path */
IOVEC_ADD_STRING_FIELD(iovec, n, c->session, "_SYSTEMD_SESSION");
IOVEC_ADD_NUMERIC_FIELD(iovec, n, c->owner_uid, uid_t, uid_is_valid, UID_FMT, "_SYSTEMD_OWNER_UID");
- IOVEC_ADD_STRING_FIELD(iovec, n, c->unit, "_SYSTEMD_UNIT");
+ IOVEC_ADD_STRING_FIELD(iovec, n, c->unit, "_SYSTEMD_UNIT"); /* Unit names are bounded by UNIT_NAME_MAX */
IOVEC_ADD_STRING_FIELD(iovec, n, c->user_unit, "_SYSTEMD_USER_UNIT");
IOVEC_ADD_STRING_FIELD(iovec, n, c->slice, "_SYSTEMD_SLICE");
IOVEC_ADD_STRING_FIELD(iovec, n, c->user_slice, "_SYSTEMD_USER_SLICE");
@@ -803,13 +807,14 @@ static void dispatch_message_real(
IOVEC_ADD_NUMERIC_FIELD(iovec, n, o->uid, uid_t, uid_is_valid, UID_FMT, "OBJECT_UID");
IOVEC_ADD_NUMERIC_FIELD(iovec, n, o->gid, gid_t, gid_is_valid, GID_FMT, "OBJECT_GID");
+ /* See above for size limits, only ->cmdline may be large, so use a heap allocation for it. */
IOVEC_ADD_STRING_FIELD(iovec, n, o->comm, "OBJECT_COMM");
IOVEC_ADD_STRING_FIELD(iovec, n, o->exe, "OBJECT_EXE");
- IOVEC_ADD_STRING_FIELD(iovec, n, o->cmdline, "OBJECT_CMDLINE");
- IOVEC_ADD_STRING_FIELD(iovec, n, o->capeff, "OBJECT_CAP_EFFECTIVE");
+ if (o->cmdline)
+ cmdline2 = set_iovec_string_field(iovec, &n, "OBJECT_CMDLINE=", o->cmdline);
+ IOVEC_ADD_STRING_FIELD(iovec, n, o->capeff, "OBJECT_CAP_EFFECTIVE");
IOVEC_ADD_SIZED_FIELD(iovec, n, o->label, o->label_size, "OBJECT_SELINUX_CONTEXT");
-
IOVEC_ADD_NUMERIC_FIELD(iovec, n, o->auditid, uint32_t, audit_session_is_valid, "%" PRIu32, "OBJECT_AUDIT_SESSION");
IOVEC_ADD_NUMERIC_FIELD(iovec, n, o->loginuid, uid_t, uid_is_valid, UID_FMT, "OBJECT_AUDIT_LOGINUID");

159
SOURCES/0071-basic-process-util-limit-command-line-lengths-to-_SC.patch Normal file
View File

@ -0,0 +1,159 @@
From 6298317e2d0dffb1ff4ecebedb8709645de36b6a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
Date: Wed, 5 Dec 2018 18:48:23 +0100
Subject: [PATCH] basic/process-util: limit command line lengths to _SC_ARG_MAX
This affects systemd-journald and systemd-coredump.
Example entry:
$ journalctl -o export -n1 'MESSAGE=Something logged'
__CURSOR=s=976542d120c649f494471be317829ef9;i=34e;b=4871e4c474574ce4a462dfe3f1c37f06;m=c7d0c37dd2;t=57c4ac58f3b98;x=67598e942bd23dc0
__REALTIME_TIMESTAMP=1544035467475864
__MONOTONIC_TIMESTAMP=858200964562
_BOOT_ID=4871e4c474574ce4a462dfe3f1c37f06
PRIORITY=6
_UID=1000
_GID=1000
_CAP_EFFECTIVE=0
_SELINUX_CONTEXT=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
_AUDIT_SESSION=1
_AUDIT_LOGINUID=1000
_SYSTEMD_OWNER_UID=1000
_SYSTEMD_UNIT=user@1000.service
_SYSTEMD_SLICE=user-1000.slice
_SYSTEMD_USER_SLICE=-.slice
_SYSTEMD_INVOCATION_ID=1c4a469986d448719cb0f9141a10810e
_MACHINE_ID=08a5690a2eed47cf92ac0a5d2e3cf6b0
_HOSTNAME=krowka
_TRANSPORT=syslog
SYSLOG_FACILITY=17
SYSLOG_IDENTIFIER=syslog-caller
MESSAGE=Something logged
_COMM=poc
_EXE=/home/zbyszek/src/systemd-work3/poc
_SYSTEMD_CGROUP=/user.slice/user-1000.slice/user@1000.service/gnome-terminal-server.service
_SYSTEMD_USER_UNIT=gnome-terminal-server.service
SYSLOG_PID=4108
SYSLOG_TIMESTAMP=Dec 5 19:44:27
_PID=4108
_CMDLINE=./poc AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA>
_SOURCE_REALTIME_TIMESTAMP=1544035467475848
$ journalctl -o export -n1 'MESSAGE=Something logged' --output-fields=_CMDLINE|wc
6 2053 2097410
2MB might be hard for some clients to use meaningfully, but OTOH, it is
important to log the full commandline sometimes. For example, when the program
is crashing, the exact argument list is useful.
(cherry-picked from commit 2d5d2e0cc5171c6795d2a485841474345d9e30ab)
Related: #1664976
---
src/basic/process-util.c | 73 ++++++++++++++--------------------------
1 file changed, 25 insertions(+), 48 deletions(-)
diff --git a/src/basic/process-util.c b/src/basic/process-util.c
index 0a4f917cbd..a20f1e3ccf 100644
--- a/src/basic/process-util.c
+++ b/src/basic/process-util.c
@@ -128,6 +128,13 @@ int get_process_cmdline(pid_t pid, size_t max_length, bool comm_fallback, char *
(void) __fsetlocking(f, FSETLOCKING_BYCALLER);
+ if (max_length == 0) {
+ /* This is supposed to be a safety guard against runaway command lines. */
+ long l = sysconf(_SC_ARG_MAX);
+ assert(l > 0);
+ max_length = l;
+ }
+
if (max_length == 1) {
/* If there's only room for one byte, return the empty string */
@@ -138,32 +145,6 @@ int get_process_cmdline(pid_t pid, size_t max_length, bool comm_fallback, char *
*line = ans;
return 0;
- } else if (max_length == 0) {
- size_t len = 0, allocated = 0;
-
- while ((c = getc(f)) != EOF) {
-
- if (!GREEDY_REALLOC(ans, allocated, len+3)) {
- free(ans);
- return -ENOMEM;
- }
-
- if (isprint(c)) {
- if (space) {
- ans[len++] = ' ';
- space = false;
- }
-
- ans[len++] = c;
- } else if (len > 0)
- space = true;
- }
-
- if (len > 0)
- ans[len] = '\0';
- else
- ans = mfree(ans);
-
} else {
bool dotdotdot = false;
size_t left;
@@ -235,34 +216,30 @@ int get_process_cmdline(pid_t pid, size_t max_length, bool comm_fallback, char *
if (h < 0)
return h;
- if (max_length == 0)
- ans = strjoin("[", t, "]");
- else {
- size_t l;
-
- l = strlen(t);
+ size_t l = strlen(t);
- if (l + 3 <= max_length)
- ans = strjoin("[", t, "]");
- else if (max_length <= 6) {
+ if (l + 3 <= max_length) {
+ ans = strjoin("[", t, "]");
+ if (!ans)
+ return -ENOMEM;
- ans = new(char, max_length);
- if (!ans)
- return -ENOMEM;
+ } else if (max_length <= 6) {
+ ans = new(char, max_length);
+ if (!ans)
+ return -ENOMEM;
- memcpy(ans, "[...]", max_length-1);
- ans[max_length-1] = 0;
- } else {
- t[max_length - 6] = 0;
+ memcpy(ans, "[...]", max_length-1);
+ ans[max_length-1] = 0;
+ } else {
+ t[max_length - 6] = 0;
- /* Chop off final spaces */
- delete_trailing_chars(t, WHITESPACE);
+ /* Chop off final spaces */
+ delete_trailing_chars(t, WHITESPACE);
- ans = strjoin("[", t, "...]");
- }
+ ans = strjoin("[", t, "...]");
+ if (!ans)
+ return -ENOMEM;
}
- if (!ans)
- return -ENOMEM;
}
*line = ans;

33
SOURCES/0072-coredump-fix-message-when-we-fail-to-save-a-journald.patch Normal file
View File

@ -0,0 +1,33 @@
From 04326c02ca80666e66a5da8e6a46c2fc4476000c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
Date: Wed, 5 Dec 2018 21:34:24 +0100
Subject: [PATCH] coredump: fix message when we fail to save a journald
coredump
If creation of the message failed, we'd write a bogus entry:
systemd-coredump[1400]: Cannot store coredump of 416 (systemd-journal): No space left on device
systemd-coredump[1400]: MESSAGE=Process 416 (systemd-journal) of user 0 dumped core.
systemd-coredump[1400]: Coredump diverted to
(cherry-picked from commit f0136e09221364f931c3a3b715da4e4d3ee9f2ac)
Related: #1664976
---
src/coredump/coredump.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/coredump/coredump.c b/src/coredump/coredump.c
index ffa88f612d..2a130e8838 100644
--- a/src/coredump/coredump.c
+++ b/src/coredump/coredump.c
@@ -783,8 +783,8 @@ log:
core_message = strjoin("MESSAGE=Process ", context[CONTEXT_PID],
" (", context[CONTEXT_COMM], ") of user ",
context[CONTEXT_UID], " dumped core.",
- journald_crash ? "\nCoredump diverted to " : NULL,
- journald_crash ? filename : NULL);
+ journald_crash && filename ? "\nCoredump diverted to " : NULL,
+ journald_crash && filename ? filename : NULL);
if (!core_message)
return log_oom();

104
SOURCES/0073-procfs-util-expose-functionality-to-query-total-memo.patch Normal file
View File

@ -0,0 +1,104 @@
From 60b831ef50e435b66ddd99e635a5112e121c7cb3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
Date: Tue, 22 Jan 2019 15:43:07 +0100
Subject: [PATCH] procfs-util: expose functionality to query total memory
procfs_memory_get_current is renamed to procfs_memory_get_used, because
"current" can mean anything, including total memory, used memory, and free
memory, as long as the value is up to date.
No functional change.
(cherry-picked from commit c482724aa5c5d0b1391fcf958a9a3ea6ce73a085)
Related: #1664976
---
src/basic/procfs-util.c | 9 +++++----
src/basic/procfs-util.h | 5 ++++-
src/cgtop/cgtop.c | 2 +-
src/core/cgroup.c | 2 +-
src/test/test-procfs-util.c | 2 +-
5 files changed, 12 insertions(+), 8 deletions(-)
diff --git a/src/basic/procfs-util.c b/src/basic/procfs-util.c
index a159e344b3..7aaf95bfce 100644
--- a/src/basic/procfs-util.c
+++ b/src/basic/procfs-util.c
@@ -201,13 +201,11 @@ int procfs_cpu_get_usage(nsec_t *ret) {
return 0;
}
-int procfs_memory_get_current(uint64_t *ret) {
+int procfs_memory_get(uint64_t *ret_total, uint64_t *ret_used) {
uint64_t mem_total = UINT64_MAX, mem_free = UINT64_MAX;
_cleanup_fclose_ FILE *f = NULL;
int r;
- assert(ret);
-
f = fopen("/proc/meminfo", "re");
if (!f)
return -errno;
@@ -262,6 +260,9 @@ int procfs_memory_get_current(uint64_t *ret) {
if (mem_free > mem_total)
return -EINVAL;
- *ret = (mem_total - mem_free) * 1024U;
+ if (ret_total)
+ *ret_total = mem_total * 1024U;
+ if (ret_used)
+ *ret_used = (mem_total - mem_free) * 1024U;
return 0;
}
diff --git a/src/basic/procfs-util.h b/src/basic/procfs-util.h
index f697ed92bc..5a44e9eff7 100644
--- a/src/basic/procfs-util.h
+++ b/src/basic/procfs-util.h
@@ -11,4 +11,7 @@ int procfs_tasks_get_current(uint64_t *ret);
int procfs_cpu_get_usage(nsec_t *ret);
-int procfs_memory_get_current(uint64_t *ret);
+int procfs_memory_get(uint64_t *ret_total, uint64_t *ret_used);
+static inline int procfs_memory_get_used(uint64_t *ret) {
+ return procfs_memory_get(NULL, ret);
+}
diff --git a/src/cgtop/cgtop.c b/src/cgtop/cgtop.c
index 8dda08ab4c..792b13a43d 100644
--- a/src/cgtop/cgtop.c
+++ b/src/cgtop/cgtop.c
@@ -297,7 +297,7 @@ static int process(
} else if (streq(controller, "memory")) {
if (is_root_cgroup(path)) {
- r = procfs_memory_get_current(&g->memory);
+ r = procfs_memory_get_used(&g->memory);
if (r < 0)
return r;
} else {
diff --git a/src/core/cgroup.c b/src/core/cgroup.c
index bb02436203..62ab41a288 100644
--- a/src/core/cgroup.c
+++ b/src/core/cgroup.c
@@ -2402,7 +2402,7 @@ int unit_get_memory_current(Unit *u, uint64_t *ret) {
/* The root cgroup doesn't expose this information, let's get it from /proc instead */
if (unit_has_root_cgroup(u))
- return procfs_memory_get_current(ret);
+ return procfs_memory_get_used(ret);
if ((u->cgroup_realized_mask & CGROUP_MASK_MEMORY) == 0)
return -ENODATA;
diff --git a/src/test/test-procfs-util.c b/src/test/test-procfs-util.c
index 08af380cc7..1d0612985b 100644
--- a/src/test/test-procfs-util.c
+++ b/src/test/test-procfs-util.c
@@ -18,7 +18,7 @@ int main(int argc, char *argv[]) {
assert_se(procfs_cpu_get_usage(&nsec) >= 0);
log_info("Current system CPU time: %s", format_timespan(buf, sizeof(buf), nsec/NSEC_PER_USEC, 1));
- assert_se(procfs_memory_get_current(&v) >= 0);
+ assert_se(procfs_memory_get_used(&v) >= 0);
log_info("Current memory usage: %s", format_bytes(buf, sizeof(buf), v));
assert_se(procfs_tasks_get_current(&v) >= 0);

114
SOURCES/0074-basic-prioq-add-prioq_peek_item.patch Normal file
View File

@ -0,0 +1,114 @@
From ee14a2bd3d95b5d15e4d72ee2582b366e5009a86 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
Date: Sat, 26 Jan 2019 11:27:18 +0100
Subject: [PATCH] basic/prioq: add prioq_peek_item()
(cherry-picked from commit ef21b3b5bf824e652addf850bcfd9374c7b33ce8)
Related: #1664976
---
src/basic/prioq.c | 7 +++----
src/basic/prioq.h | 8 +++++++-
src/test/test-prioq.c | 23 +++++++++++++++++------
3 files changed, 27 insertions(+), 11 deletions(-)
diff --git a/src/basic/prioq.c b/src/basic/prioq.c
index ef28a086d1..0bf58c1f16 100644
--- a/src/basic/prioq.c
+++ b/src/basic/prioq.c
@@ -259,15 +259,14 @@ int prioq_reshuffle(Prioq *q, void *data, unsigned *idx) {
return 1;
}
-void *prioq_peek(Prioq *q) {
-
+void *prioq_peek_by_index(Prioq *q, unsigned idx) {
if (!q)
return NULL;
- if (q->n_items <= 0)
+ if (idx >= q->n_items)
return NULL;
- return q->items[0].data;
+ return q->items[idx].data;
}
void *prioq_pop(Prioq *q) {
diff --git a/src/basic/prioq.h b/src/basic/prioq.h
index e036175260..c381523525 100644
--- a/src/basic/prioq.h
+++ b/src/basic/prioq.h
@@ -18,8 +18,14 @@ int prioq_put(Prioq *q, void *data, unsigned *idx);
int prioq_remove(Prioq *q, void *data, unsigned *idx);
int prioq_reshuffle(Prioq *q, void *data, unsigned *idx);
-void *prioq_peek(Prioq *q) _pure_;
+void *prioq_peek_by_index(Prioq *q, unsigned idx) _pure_;
+static inline void *prioq_peek(Prioq *q) {
+ return prioq_peek_by_index(q, 0);
+}
void *prioq_pop(Prioq *q);
+#define PRIOQ_FOREACH_ITEM(q, p) \
+ for (unsigned _i = 0; (p = prioq_peek_by_index(q, _i)); _i++)
+
unsigned prioq_size(Prioq *q) _pure_;
bool prioq_isempty(Prioq *q) _pure_;
diff --git a/src/test/test-prioq.c b/src/test/test-prioq.c
index 89c41d8ce7..ece13808ed 100644
--- a/src/test/test-prioq.c
+++ b/src/test/test-prioq.c
@@ -87,6 +87,7 @@ static void test_struct(void) {
Set *s;
unsigned previous = 0, i;
int r;
+ struct test *t;
srand(0);
@@ -96,9 +97,12 @@ static void test_struct(void) {
s = set_new(&test_hash_ops);
assert_se(s);
- for (i = 0; i < SET_SIZE; i++) {
- struct test *t;
+ assert_se(prioq_peek(q) == NULL);
+ assert_se(prioq_peek_by_index(q, 0) == NULL);
+ assert_se(prioq_peek_by_index(q, 1) == NULL);
+ assert_se(prioq_peek_by_index(q, (unsigned) -1) == NULL);
+ for (i = 0; i < SET_SIZE; i++) {
t = new0(struct test, 1);
assert_se(t);
t->value = (unsigned) rand();
@@ -112,9 +116,18 @@ static void test_struct(void) {
}
}
- for (;;) {
- struct test *t;
+ for (i = 0; i < SET_SIZE; i++)
+ assert_se(prioq_peek_by_index(q, i));
+ assert_se(prioq_peek_by_index(q, SET_SIZE) == NULL);
+
+ unsigned count = 0;
+ PRIOQ_FOREACH_ITEM(q, t) {
+ assert_se(t);
+ count++;
+ }
+ assert_se(count == SET_SIZE);
+ for (;;) {
t = set_steal_first(s);
if (!t)
break;
@@ -126,8 +139,6 @@ static void test_struct(void) {
}
for (i = 0; i < SET_SIZE * 3 / 4; i++) {
- struct test *t;
-
assert_se(prioq_size(q) == (SET_SIZE * 3 / 4) - i);
t = prioq_pop(q);

81
SOURCES/0075-journal-limit-the-number-of-entries-in-the-cache-bas.patch Normal file
View File

@ -0,0 +1,81 @@
From de72fa6b0582b95216215cc1400412fe91bc8ba3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
Date: Tue, 22 Jan 2019 16:12:52 +0100
Subject: [PATCH] journal: limit the number of entries in the cache based on
available memory
This is far from perfect, but should give mostly reasonable values. My
assumption is that if somebody has a few hundred MB of memory, they are
unlikely to have thousands of processes logging. A hundred would already be a
lot. So let's scale the cache size propritionally to the total memory size,
with clamping on both ends.
The formula gives 64 cache entries for each GB of RAM.
(cherry-picked from commit b12a480829c5ca8f4d4fa9cde8716b5f2f12a3ad)
Related: #1664976
---
src/journal/journald-context.c | 35 ++++++++++++++++++++++++++++++++--
1 file changed, 33 insertions(+), 2 deletions(-)
diff --git a/src/journal/journald-context.c b/src/journal/journald-context.c
index ce07de1bfb..0f0dc1de4d 100644
--- a/src/journal/journald-context.c
+++ b/src/journal/journald-context.c
@@ -14,6 +14,7 @@
#include "journal-util.h"
#include "journald-context.h"
#include "process-util.h"
+#include "procfs-util.h"
#include "string-util.h"
#include "syslog-util.h"
#include "unaligned.h"
@@ -58,7 +59,37 @@
/* Keep at most 16K entries in the cache. (Note though that this limit may be violated if enough streams pin entries in
* the cache, in which case we *do* permit this limit to be breached. That's safe however, as the number of stream
* clients itself is limited.) */
-#define CACHE_MAX (16*1024)
+#define CACHE_MAX_FALLBACK 128U
+#define CACHE_MAX_MAX (16*1024U)
+#define CACHE_MAX_MIN 64U
+
+static size_t cache_max(void) {
+ static size_t cached = -1;
+
+ if (cached == (size_t) -1) {
+ uint64_t mem_total;
+ int r;
+
+ r = procfs_memory_get(&mem_total, NULL);
+ if (r < 0) {
+ log_warning_errno(r, "Cannot query /proc/meminfo for MemTotal: %m");
+ cached = CACHE_MAX_FALLBACK;
+ } else {
+ /* Cache entries are usually a few kB, but the process cmdline is controlled by the
+ * user and can be up to _SC_ARG_MAX, usually 2MB. Let's say that approximately up to
+ * 1/8th of memory may be used by the cache.
+ *
+ * In the common case, this formula gives 64 cache entries for each GB of RAM.
+ */
+ long l = sysconf(_SC_ARG_MAX);
+ assert(l > 0);
+
+ cached = CLAMP(mem_total / 8 / (uint64_t) l, CACHE_MAX_MIN, CACHE_MAX_MAX);
+ }
+ }
+
+ return cached;
+}
static int client_context_compare(const void *a, const void *b) {
const ClientContext *x = a, *y = b;
@@ -587,7 +618,7 @@ static int client_context_get_internal(
return 0;
}
- client_context_try_shrink_to(s, CACHE_MAX-1);
+ client_context_try_shrink_to(s, cache_max()-1);
r = client_context_new(s, pid, &c);
if (r < 0)

77
SOURCES/0076-journald-periodically-drop-cache-for-all-dead-PIDs.patch Normal file
View File

@ -0,0 +1,77 @@
From 8da81d2aba2768ced497790cc05b9f73c6268833 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
Date: Tue, 22 Jan 2019 17:30:48 +0100
Subject: [PATCH] journald: periodically drop cache for all dead PIDs
In normal use, this allow us to drop dead entries from the cache and reduces
the cache size so that we don't evict entries unnecessarily. The time limit is
there mostly to serve as a guard against malicious logging from many different
PIDs.
(cherry-picked from commit 91714a7f427a6c9c5c3be8b3819fee45050028f3)
Related: #1664976
---
src/journal/journald-context.c | 28 ++++++++++++++++++++++++++--
src/journal/journald-server.h | 2 ++
2 files changed, 28 insertions(+), 2 deletions(-)
diff --git a/src/journal/journald-context.c b/src/journal/journald-context.c
index 0f0dc1de4d..51f79fd803 100644
--- a/src/journal/journald-context.c
+++ b/src/journal/journald-context.c
@@ -541,15 +541,39 @@ refresh:
}
static void client_context_try_shrink_to(Server *s, size_t limit) {
+ ClientContext *c;
+ usec_t t;
+
assert(s);
+ /* Flush any cache entries for PIDs that have already moved on. Don't do this
+ * too often, since it's a slow process. */
+ t = now(CLOCK_MONOTONIC);
+ if (s->last_cache_pid_flush + MAX_USEC < t) {
+ unsigned n = prioq_size(s->client_contexts_lru), idx = 0;
+
+ /* We do a number of iterations based on the initial size of the prioq. When we remove an
+ * item, a new item is moved into its places, and items to the right might be reshuffled.
+ */
+ for (unsigned i = 0; i < n; i++) {
+ c = prioq_peek_by_index(s->client_contexts_lru, idx);
+
+ assert(c->n_ref == 0);
+
+ if (!pid_is_unwaited(c->pid))
+ client_context_free(s, c);
+ else
+ idx ++;
+ }
+
+ s->last_cache_pid_flush = t;
+ }
+
/* Bring the number of cache entries below the indicated limit, so that we can create a new entry without
* breaching the limit. Note that we only flush out entries that aren't pinned here. This means the number of
* cache entries may very well grow beyond the limit, if all entries stored remain pinned. */
while (hashmap_size(s->client_contexts) > limit) {
- ClientContext *c;
-
c = prioq_pop(s->client_contexts_lru);
if (!c)
break; /* All remaining entries are pinned, give up */
diff --git a/src/journal/journald-server.h b/src/journal/journald-server.h
index 983be8bb89..c6c9b1fb1d 100644
--- a/src/journal/journald-server.h
+++ b/src/journal/journald-server.h
@@ -163,6 +163,8 @@ struct Server {
Hashmap *client_contexts;
Prioq *client_contexts_lru;
+ usec_t last_cache_pid_flush;
+
ClientContext *my_context; /* the context of journald itself */
ClientContext *pid1_context; /* the context of PID 1 */
};

71
SOURCES/0077-process-util-don-t-use-overly-large-buffer-to-store-.patch Normal file
View File

@ -0,0 +1,71 @@
From 9b9b6d8c7b10c069d36f85bd17f144011282cb58 Mon Sep 17 00:00:00 2001
From: Michal Sekletar <msekleta@redhat.com>
Date: Tue, 22 Jan 2019 14:29:50 +0100
Subject: [PATCH] process-util: don't use overly large buffer to store process
command line
Allocate new string as a return value and free our "scratch pad"
buffer that is potentially much larger than needed (up to
_SC_ARG_MAX).
Fixes #11502
(cherry-picked from commit eb1ec489eef8a32918bbfc56a268c9d10464584d)
Related: #1664976
---
src/basic/process-util.c | 18 ++++++++++++++----
1 file changed, 14 insertions(+), 4 deletions(-)
diff --git a/src/basic/process-util.c b/src/basic/process-util.c
index a20f1e3ccf..aa3eff779a 100644
--- a/src/basic/process-util.c
+++ b/src/basic/process-util.c
@@ -101,7 +101,8 @@ int get_process_comm(pid_t pid, char **ret) {
int get_process_cmdline(pid_t pid, size_t max_length, bool comm_fallback, char **line) {
_cleanup_fclose_ FILE *f = NULL;
bool space = false;
- char *k, *ans = NULL;
+ char *k;
+ _cleanup_free_ char *ans = NULL;
const char *p;
int c;
@@ -142,7 +143,7 @@ int get_process_cmdline(pid_t pid, size_t max_length, bool comm_fallback, char *
if (!ans)
return -ENOMEM;
- *line = ans;
+ *line = TAKE_PTR(ans);
return 0;
} else {
@@ -207,7 +208,7 @@ int get_process_cmdline(pid_t pid, size_t max_length, bool comm_fallback, char *
_cleanup_free_ char *t = NULL;
int h;
- free(ans);
+ ans = mfree(ans);
if (!comm_fallback)
return -ENOENT;
@@ -240,9 +241,18 @@ int get_process_cmdline(pid_t pid, size_t max_length, bool comm_fallback, char *
if (!ans)
return -ENOMEM;
}
+
+ *line = TAKE_PTR(ans);
+ return 0;
}
- *line = ans;
+ k = realloc(ans, strlen(ans) + 1);
+ if (!k)
+ return -ENOMEM;
+
+ ans = NULL;
+ *line = k;
+
return 0;
}

26
SOURCES/0078-Revert-sysctl.d-switch-net.ipv4.conf.all.rp_filter-f.patch Normal file
View File

@ -0,0 +1,26 @@
From 47b256d63ac092137fe44e27560a14ee4aa5b7c8 Mon Sep 17 00:00:00 2001
From: Lukas Nykryn <lnykryn@redhat.com>
Date: Fri, 8 Feb 2019 10:54:34 +0100
Subject: [PATCH] Revert "sysctl.d: switch net.ipv4.conf.all.rp_filter from 1
to 2"
This reverts commit 75c9af80cf3529c76988451e63f98010c86f48f1.
Resolves: #1653824
---
sysctl.d/50-default.conf | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sysctl.d/50-default.conf b/sysctl.d/50-default.conf
index b0645f33e7..e263cf0628 100644
--- a/sysctl.d/50-default.conf
+++ b/sysctl.d/50-default.conf
@@ -22,7 +22,7 @@ kernel.sysrq = 16
kernel.core_uses_pid = 1
# Source route verification
-net.ipv4.conf.all.rp_filter = 2
+net.ipv4.conf.all.rp_filter = 1
# Do not accept source routing
net.ipv4.conf.all.accept_source_route = 0

68
SOURCES/0079-journal-fix-syslog_parse_identifier.patch Normal file
View File

@ -0,0 +1,68 @@
From d355618518f26bd045df81a52dade79ac3079f3f Mon Sep 17 00:00:00 2001
From: Yu Watanabe <watanabe.yu+github@gmail.com>
Date: Wed, 8 Aug 2018 15:06:36 +0900
Subject: [PATCH] journal: fix syslog_parse_identifier()
Fixes #9829.
(cherry-picked from commit a6aadf4ae0bae185dc4c414d492a4a781c80ffe5)
Resolves: #1664978
---
src/journal/journald-syslog.c | 6 +++---
src/journal/test-journal-syslog.c | 10 ++++++++--
2 files changed, 11 insertions(+), 5 deletions(-)
diff --git a/src/journal/journald-syslog.c b/src/journal/journald-syslog.c
index 9dea116722..97711ac7a3 100644
--- a/src/journal/journald-syslog.c
+++ b/src/journal/journald-syslog.c
@@ -194,7 +194,7 @@ size_t syslog_parse_identifier(const char **buf, char **identifier, char **pid)
e = l;
l--;
- if (p[l-1] == ']') {
+ if (l > 0 && p[l-1] == ']') {
size_t k = l-1;
for (;;) {
@@ -219,8 +219,8 @@ size_t syslog_parse_identifier(const char **buf, char **identifier, char **pid)
if (t)
*identifier = t;
- if (strchr(WHITESPACE, p[e]))
- e++;
+ e += strspn(p + e, WHITESPACE);
+
*buf = p + e;
return e;
}
diff --git a/src/journal/test-journal-syslog.c b/src/journal/test-journal-syslog.c
index 9ba86f6c8a..05f759817e 100644
--- a/src/journal/test-journal-syslog.c
+++ b/src/journal/test-journal-syslog.c
@@ -5,8 +5,8 @@
#include "macro.h"
#include "string-util.h"
-static void test_syslog_parse_identifier(const char* str,
- const char *ident, const char*pid, int ret) {
+static void test_syslog_parse_identifier(const char *str,
+ const char *ident, const char *pid, int ret) {
const char *buf = str;
_cleanup_free_ char *ident2 = NULL, *pid2 = NULL;
int ret2;
@@ -21,7 +21,13 @@ static void test_syslog_parse_identifier(const char* str,
int main(void) {
test_syslog_parse_identifier("pidu[111]: xxx", "pidu", "111", 11);
test_syslog_parse_identifier("pidu: xxx", "pidu", NULL, 6);
+ test_syslog_parse_identifier("pidu: xxx", "pidu", NULL, 7);
test_syslog_parse_identifier("pidu xxx", NULL, NULL, 0);
+ test_syslog_parse_identifier(":", "", NULL, 1);
+ test_syslog_parse_identifier(": ", "", NULL, 3);
+ test_syslog_parse_identifier("pidu:", "pidu", NULL, 5);
+ test_syslog_parse_identifier("pidu: ", "pidu", NULL, 6);
+ test_syslog_parse_identifier("pidu : ", NULL, NULL, 0);
return 0;
}

Some files were not shown because too many files have changed in this diff Show More