From 49f2d9b03df3df3cfbef4fdaa36da49dc89a3f4b Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Tue, 28 Mar 2023 09:30:11 +0000 Subject: [PATCH] import systemd-252-8.el9 --- .gitignore | 1 + .systemd.metadata | 1 + ...-macro-Simply-case-macros-for-IN_SET.patch | 78 + SOURCES/0002-macro-fix-indentation.patch | 25 + ...ouple-of-sanity-tests-for-journalctl.patch | 61 + .../0004-man-fix-typo-found-by-Lintian.patch | 25 + SOURCES/0005-test-add-x-to-assert.sh.patch | 19 + ...-negative-value-for-EVDEV_ABS_-prope.patch | 25 + ...lved-fix-typo-in-feature-level-table.patch | 24 + ...age-Mark-_coverage__exit-as-noreturn.patch | 28 + ...ace-Add-hidepid-subset-support-check.patch | 154 + ...-couple-of-sanity-tests-for-loginctl.patch | 75 + ...-TEST-26-SETENV-to-TEST-26-SYSTEMCTL.patch | 48 + ...couple-of-sanity-tests-for-systemctl.patch | 251 ++ ...and-BLS-have-moved-to-uapi-group.org.patch | 1192 +++++ ...x-memleak-in-GetUnitFileLinks-method.patch | 49 + ...ect-Markers-property-name-for-markin.patch | 42 + ...r-extend-systemctl-s-sanity-coverage.patch | 115 + ...y-coverage-for-systemd-analyze-verbs.patch | 131 + ...et-properties-based-on-usb-subsystem.patch | 37 + ...ant-call-of-usb_id-and-assignment-of.patch | 30 + ...safe-guard-for-setting-by-id-symlink.patch | 26 + ...acy-deprecated-systemd-analyze-verbs.patch | 45 + ...ple-of-previously-missed-analyze-cod.patch | 56 + ...-sanity-coverage-for-auxiliary-utils.patch | 371 ++ ...gfault-when-locale-messages-is-passe.patch | 56 + ...s-make-test-execute-pass-on-openSUSE.patch | 76 + ...minor-simplification-in-test-execute.patch | 150 + ...-do-not-fail-if-provision.conf-fails.patch | 29 + ...0-loaderentry-do-not-add-multiple-sy.patch | 31 + ...that-subsystem-is-enabled-in-Conditi.patch | 120 + ...-the-Semaphore-repositories-recursiv.patch | 52 + ...0-loaderentry-do-not-override-an-exi.patch | 29 + ...kip-50-depmod-if-depmod-is-not-avail.patch | 28 + ...t-network-generator-is-not-a-generat.patch | 38 + ...fstab-generator-adjust-PATH-for-fsck.patch | 64 + ...035-loop-util-open-lock-fd-read-only.patch | 30 + ...e-non-existent-paths-in-inst_recursi.patch | 30 + ...installation-when-locale-gen-is-used.patch | 46 + ...est-fix-keymaps-installation-on-Arch.patch | 71 + ...-test-utmp.c-only-if-UTMP-is-enabled.patch | 43 + SOURCES/0040-Create-CNAME.patch | 19 + ...default-TCTI-to-be-device-with-param.patch | 46 + ...tra-validation-of-device-string-befo.patch | 52 + SOURCES/0043-boot-Fix-error-message.patch | 25 + SOURCES/0044-boot-Fix-memory-leak.patch | 25 + ...t-Do-not-require-a-loaded-image-path.patch | 88 + ...Manually-convert-filepaths-if-needed.patch | 75 + ...7-boot-Rework-security-arch-override.patch | 433 ++ ...ace-firmware-security-hooks-directly.patch | 185 + ....c-Use-net-if.h-for-getting-IFF_LOOP.patch | 31 + ...tend-SYSTEMD_IN_INITRD-to-accept-non.patch | 111 + ...p-cleanup-if-root-is-not-tmpfs-ramfs.patch | 124 + ...r-check-battery-existence-and-status.patch | 106 + ...do-not-show-unit-properties-with-all.patch | 34 + ...c-machine-id-in-kernel-install-25388.patch | 46 + ...ake-sd_journal_previous-next-return-.patch | 83 + ...rectly-handle-saved-default-patterns.patch | 29 + ...-Fix-Error-Esys-invalid-ESAPI-handle.patch | 82 + ...0058-Handle-MACHINE_ID-uninitialized.patch | 31 + ...ss-fix-copy-and-paste-error-buf-buf2.patch | 26 + SOURCES/0060-boot-measure-fix-oom-check.patch | 25 + ...ed_rr_get_interval_time64-through-se.patch | 57 + ...ht-conditionalization-when-setting-u.patch | 26 + ...nfiguring-127.0.0.1-as-per-interface.patch | 34 + ...-format-strings-for-trigger-metadata.patch | 50 + ...eck-printf-arguments-to-strv_extendf.patch | 30 + ...-resolved-Fix-OpenSSL-error-messages.patch | 139 + ...fi-try-to-reconfigure-when-connected.patch | 70 + ...w-root-owned-cgroups-to-set-ManagedO.patch | 38 + ...eachable-test-case-in-test-oomd-util.patch | 36 + ...a-few-more-useful-debug-log-messages.patch | 48 + ...ct-discard-no-also-for-block-devices.patch | 43 + ...uto-root-logic-also-works-in-UKIs-bo.patch | 92 + ...st-kernel-install-only-when-Dkernel-.patch | 32 + ...boot-Silence-driver-reconnect-errors.patch | 55 + ...image-do-not-try-to-close-invalid-fd.patch | 124 + ...ctl-make-boot-entry-id-logged-in-hex.patch | 33 + ...e-log-message-when-firmware-reports-.patch | 28 + ...ow-we-handle-referenced-but-absent-E.patch | 37 + ...trv_make_nulstr-always-returns-a-val.patch | 44 + ...finish-instead-of-return-in-bus_add_.patch | 28 + ...de-and-ignore-error-on-retrieving-PA.patch | 56 + ...de-device-sysname-in-the-log-message.patch | 114 + ...info-level-when-some-allowed-failure.patch | 191 + ...in_set-and-thus-close_all_fds-handle.patch | 47 + ...-util-add-new-fd_cloexec_many-helper.patch | 55 + ...-new-FORK_CLOEXEC_OFF-flag-for-disab.patch | 49 + SOURCES/0087-dissect-fix-fsck.patch | 71 + SOURCES/0088-core-update-audit-messages.patch | 31 + ...nd-set-RemoveIPC-to-false-by-default.patch | 53 + ...reate-resolv.conf-stub-resolv.conf-s.patch | 43 + ...091-Copy-40-redhat.rules-from-RHEL-8.patch | 80 + ...mounted-as-tmpfs-without-the-user-s-.patch | 45 + ...nit-don-t-add-Requires-for-tmp.mount.patch | 38 + ...its-add-Install-section-to-tmp.mount.patch | 24 + ...al-order-after-network-online.target.patch | 29 + ...i-drop-CIs-irrelevant-for-downstream.patch | 303 ++ ...097-ci-reconfigure-Packit-for-RHEL-9.patch | 44 + ...t-tests-on-z-stream-branches-as-well.patch | 28 + ...il-increase-random-seed-size-to-1024.patch | 25 + ...able-systemd-journald-audit.socket-b.patch | 41 + ...f-don-t-touch-current-audit-settings.patch | 22 + ...0102-Revert-udev-remove-WAIT_FOR-key.patch | 137 + ...enable-systemd-journald-audit.socket.patch | 25 + ...evator-kernel-command-line-parameter.patch | 58 + ...le-tmp.mount-statically-in-local-fs..patch | 26 + ...tTasksMax-to-80-of-the-kernel-pid.ma.patch | 59 + ...-set-core-ulimit-to-0-like-on-RHEL-7.patch | 25 + .../0108-ci-use-C9S-chroots-in-Packit.patch | 28 + ...109-Treat-EPERM-as-not-available-too.patch | 30 + ...ink-change-the-default-MACAddressPol.patch | 53 + ...em-Administrator-s-Guide-in-systemct.patch | 35 + .../0112-Net-naming-scheme-for-RHEL-9.0.patch | 56 + ...g-level-of-messages-about-use-of-Kil.patch | 40 + ...0114-ci-Mergify-configuration-update.patch | 97 + .../0115-ci-Mergify-fix-copy-paste-bug.patch | 34 + .../0116-ci-Mergify-Add-ci-waived-logic.patch | 104 + ...d-slot-based-names-only-for-single-f.patch | 50 + ...ev-net_id-add-rhel-9.1-naming-scheme.patch | 55 + ...ifferential-ShellCheck-config-to-run.patch | 32 + ...rgify-Update-policy-Drop-LGTM-checks.patch | 87 + ...121-test-sd-device-skip-misc-devices.patch | 24 + ...tp-if-systemd-timesyncd-is-not-avail.patch | 29 + ...M-for-unavailable-idmapped-mounts-as.patch | 26 + ...-test-don-t-test-buses-we-don-t-ship.patch | 52 + ...ck-in-chase_symlinks_and_opendir-for.patch | 43 + ...-can-use-SHA1-MD-for-signing-before-.patch | 69 + ...-cleanups-for-efivar_get-and-friends.patch | 188 + ...ix-false-maybe-uninitialized-warning.patch | 64 + ...-wide-modernizations-with-RET_NERRNO.patch | 115 + ...us-handle-EINTR-return-from-bus_poll.patch | 90 + ...-bridge-don-t-be-bothered-with-EINTR.patch | 32 + ...dle-EINTR-gracefully-when-waiting-fo.patch | 50 + ...e-EINTR-from-poll-gracefully-as-succ.patch | 36 + ...EINTR-returned-from-fd_wait_for_even.patch | 79 + ...TR-gracefully-when-waiting-for-devic.patch | 31 + ...-wtmp-fix-error-in-case-isatty-fails.patch | 28 + ...-EINTR-gracefully-when-waiting-to-wr.patch | 59 + ...-util-document-EINTR-situation-a-bit.patch | 48 + ...al-util-Set-OPOST-when-setting-ONLCR.patch | 44 + ...-cgtop-Do-not-rewrite-P-or-k-options.patch | 67 + ...tests-for-systemd-cgtop-args-parsing.patch | 33 + ...resolved-remove-inappropriate-assert.patch | 36 + SOURCES/0143-boot-Add-xstrn8_to_16.patch | 164 + SOURCES/0144-boot-Use-xstr8_to_16.patch | 214 + ...-Use-xstr8_to_16-for-path-conversion.patch | 218 + SOURCES/0146-stub-Fix-cmdline-handling.patch | 284 ++ ...y-LoadOptions-when-run-from-EFI-shel.patch | 121 + ...T_MANAGER_POLICY_PROTOCOL-to-connect.patch | 75 + ...all-partitions-drivers-are-connected.patch | 27 + .../0150-boot-improve-support-for-qemu.patch | 225 + ...-page-add-section-for-virtual-machin.patch | 40 + ...do-full-driver-initialization-in-VMs.patch | 51 + ...ISSECT_IMAGE_ADD_PARTITION_DEVICES-D.patch | 303 ++ ...ci-Mergify-v252-configuration-update.patch | 158 + ...un-GitHub-workflows-on-rhel-branches.patch | 62 + ...rop-scorecards-workflow-not-relevant.patch | 89 + ...wapon-to-reinitialize-swap-if-needed.patch | 29 + SOURCES/0158-coredump-adjust-whitespace.patch | 101 + ...allow-user-to-access-coredumps-with-.patch | 383 ++ ...-fallback-in-chase_symlinks_and_open.patch | 43 + ...-util-add-warning-sign-special-glyph.patch | 72 + ...en-converting-directory-O_PATH-fd-to.patch | 27 + ...a-clear-warning-if-people-invoke-sys.patch | 39 + ...check-cat-config-operation-in-chroot.patch | 48 + SOURCES/0165-TEST-65-use-v-more.patch | 64 + ...f-trying-to-disable-a-unit-with-no-i.patch | 227 + ...suppress-the-warning-of-no-install-i.patch | 136 + ...te-helper-use-no-warn-when-disabling.patch | 44 + ...ss-warning-about-missing-proc-when-n.patch | 80 + ...ell-completion-systemctl-add-no-warn.patch | 38 + ...71-core-unit-drop-doubled-empty-line.patch | 24 + ...-dependency-to-the-unit-being-merged.patch | 66 + ...gic-of-dropping-self-referencing-dep.patch | 32 + ...4-core-unit-merge-two-loops-into-one.patch | 96 + ...se-for-sysv-generator-and-invalid-de.patch | 148 + ...-merge-unit-names-after-merging-deps.patch | 45 + SOURCES/0177-core-unit-fix-log-message.patch | 113 + ...itly-create-the-etc-init.d-directory.patch | 34 + ...support-a-non-default-SysV-directory.patch | 97 + ...rtfn_info-provide-physical-PCI-devic.patch | 29 + ...per_check_device_units-log-unit-name.patch | 40 + ...182-test-add-a-testcase-for-lvextend.patch | 45 + ...segv-triggered-by-status-query-26279.patch | 36 + .../0184-test-create-config-under-run.patch | 31 + ...dd-tests-for-mDNS-and-LLMNR-settings.patch | 96 + ...ce-the-_localdnsstub-and-_localdnspr.patch | 278 ++ ...e-monitoring-service-to-become-activ.patch | 65 + ...st-suppress-echo-in-monitor_check_rr.patch | 38 + ...-for-the-monitoring-service-to-becom.patch | 34 + ...eck-almost-all-journal-entries-since.patch | 113 + ...over-IPv6-in-the-resolved-test-suite.patch | 449 ++ ...e-of-SRV-records-to-check-service-re.patch | 77 + ...est-add-a-test-for-the-OPENPGPKEY-RR.patch | 52 + ...-don-t-hang-indefinitely-on-no-match.patch | 25 + ...5-test-ndisc-fix-memleak-and-fd-leak.patch | 139 + SOURCES/0196-test-unit-name-fix-fd-leak.patch | 33 + ...service-start-timeout-if-we-run-with.patch | 57 + ...lient-side-timeout-in-sd-bus-as-well.patch | 49 + ...p-the-container-spawn-timeout-to-60s.patch | 28 + SOURCES/0200-network-fix-memleak.patch | 55 + ...tl-fix-introspecting-DBus-properties.patch | 64 + ...202-busctl-simplify-peeking-the-type.patch | 82 + ...undant-call-of-socket_ipv6_is_suppor.patch | 29 + ...e-link_get_llmnr_support-and-link_ge.patch | 181 + ...effective-supporting-levels-of-mDNS-.patch | 42 + ...if-the-global-mDNS-or-LLMNR-support-.patch | 89 + ...ble-per-link-mDNS-setting-by-default.patch | 71 + ...myhostname-fix-inverted-condition-in.patch | 27 + ...o-not-return-empty-result-with-NSS_S.patch | 34 + ...eep-rename-hibernate_delay_sec-_usec.patch | 64 + ...eries_capacity_by_name-does-not-retu.patch | 80 + ...essary-temporal-vaiable-and-initiali.patch | 42 + ...sleep-introduce-SuspendEstimationSec.patch | 270 ++ SOURCES/0214-sleep-coding-style-fixlets.patch | 28 + SOURCES/0215-sleep-simplify-code-a-bit.patch | 66 + SOURCES/0216-sleep-fix-indentation.patch | 33 + ...only-existing-and-non-device-batteri.patch | 50 + ...ing-to-a-unit-also-keep-units-runnin.patch | 78 + ...introduce-naming-scheme-for-RHEL-9.2.patch | 55 + ...-actually-run-the-static-destructors.patch | 68 + ...-executable-stack-bit-from-.elf-file.patch | 51 + ...-early-if-specifier-expansion-failed.patch | 40 + .../0223-test-add-coverage-for-26467.patch | 34 + .../0224-test-add-coverage-for-24177.patch | 70 + ...ake-stopping-of-idle-session-visible.patch | 26 + ...Fix-return-value-in-bump_entry_array.patch | 26 + SOURCES/10-oomd-defaults.conf | 2 + SOURCES/10-oomd-root-slice-defaults.conf | 2 + SOURCES/10-oomd-user-service-defaults.conf | 3 + SOURCES/20-grubby.install | 51 + SOURCES/20-yama-ptrace.conf | 42 + SOURCES/inittab | 16 + SOURCES/libsystemd-shared.abignore | 3 + SOURCES/macros.sysusers | 10 + SOURCES/purge-nobody-user | 101 + SOURCES/rc.local | 14 + SOURCES/split-files.py | 196 + SOURCES/sysctl.conf.README | 10 + SOURCES/systemd-journal-gatewayd.xml | 6 + SOURCES/systemd-journal-remote.xml | 6 + SOURCES/systemd-udev-trigger-no-reload.conf | 3 + SOURCES/systemd-user | 11 + SOURCES/sysusers.attr | 2 + SOURCES/sysusers.generate-pre.sh | 79 + SOURCES/sysusers.prov | 28 + SOURCES/triggers.systemd | 89 + SOURCES/yum-protect-systemd.conf | 2 + SPECS/systemd.spec | 3856 +++++++++++++++++ 250 files changed, 22203 insertions(+) create mode 100644 .gitignore create mode 100644 .systemd.metadata create mode 100644 SOURCES/0001-macro-Simply-case-macros-for-IN_SET.patch create mode 100644 SOURCES/0002-macro-fix-indentation.patch create mode 100644 SOURCES/0003-test-add-a-couple-of-sanity-tests-for-journalctl.patch create mode 100644 SOURCES/0004-man-fix-typo-found-by-Lintian.patch create mode 100644 SOURCES/0005-test-add-x-to-assert.sh.patch create mode 100644 SOURCES/0006-parse_hwdb-allow-negative-value-for-EVDEV_ABS_-prope.patch create mode 100644 SOURCES/0007-resolved-fix-typo-in-feature-level-table.patch create mode 100644 SOURCES/0008-coverage-Mark-_coverage__exit-as-noreturn.patch create mode 100644 SOURCES/0009-namespace-Add-hidepid-subset-support-check.patch create mode 100644 SOURCES/0010-test-add-a-couple-of-sanity-tests-for-loginctl.patch create mode 100644 SOURCES/0011-test-rename-TEST-26-SETENV-to-TEST-26-SYSTEMCTL.patch create mode 100644 SOURCES/0012-test-add-a-couple-of-sanity-tests-for-systemctl.patch create mode 100644 SOURCES/0013-docs-DPS-and-BLS-have-moved-to-uapi-group.org.patch create mode 100644 SOURCES/0014-core-fix-memleak-in-GetUnitFileLinks-method.patch create mode 100644 SOURCES/0015-man-use-the-correct-Markers-property-name-for-markin.patch create mode 100644 SOURCES/0016-test-further-extend-systemctl-s-sanity-coverage.patch create mode 100644 SOURCES/0017-test-add-a-sanity-coverage-for-systemd-analyze-verbs.patch create mode 100644 SOURCES/0018-udev-first-set-properties-based-on-usb-subsystem.patch create mode 100644 SOURCES/0019-udev-drop-redundant-call-of-usb_id-and-assignment-of.patch create mode 100644 SOURCES/0020-udev-add-safe-guard-for-setting-by-id-symlink.patch create mode 100644 SOURCES/0021-test-cover-legacy-deprecated-systemd-analyze-verbs.patch create mode 100644 SOURCES/0022-test-cover-a-couple-of-previously-missed-analyze-cod.patch create mode 100644 SOURCES/0023-test-introduce-sanity-coverage-for-auxiliary-utils.patch create mode 100644 SOURCES/0024-firstboot-fix-segfault-when-locale-messages-is-passe.patch create mode 100644 SOURCES/0025-tests-make-test-execute-pass-on-openSUSE.patch create mode 100644 SOURCES/0026-tests-minor-simplification-in-test-execute.patch create mode 100644 SOURCES/0027-tmpfiles.d-do-not-fail-if-provision.conf-fails.patch create mode 100644 SOURCES/0028-kernel-install-90-loaderentry-do-not-add-multiple-sy.patch create mode 100644 SOURCES/0029-condition-Check-that-subsystem-is-enabled-in-Conditi.patch create mode 100644 SOURCES/0030-semaphore-remove-the-Semaphore-repositories-recursiv.patch create mode 100644 SOURCES/0031-kernel-install-90-loaderentry-do-not-override-an-exi.patch create mode 100644 SOURCES/0032-kernel-install-skip-50-depmod-if-depmod-is-not-avail.patch create mode 100644 SOURCES/0033-man-add-note-that-network-generator-is-not-a-generat.patch create mode 100644 SOURCES/0034-test-fstab-generator-adjust-PATH-for-fsck.patch create mode 100644 SOURCES/0035-loop-util-open-lock-fd-read-only.patch create mode 100644 SOURCES/0036-test-don-t-ignore-non-existent-paths-in-inst_recursi.patch create mode 100644 SOURCES/0037-test-fix-locale-installation-when-locale-gen-is-used.patch create mode 100644 SOURCES/0038-test-fix-keymaps-installation-on-Arch.patch create mode 100644 SOURCES/0039-test-compile-test-utmp.c-only-if-UTMP-is-enabled.patch create mode 100644 SOURCES/0040-Create-CNAME.patch create mode 100644 SOURCES/0041-tpm2-util-force-default-TCTI-to-be-device-with-param.patch create mode 100644 SOURCES/0042-tpm2-add-some-extra-validation-of-device-string-befo.patch create mode 100644 SOURCES/0043-boot-Fix-error-message.patch create mode 100644 SOURCES/0044-boot-Fix-memory-leak.patch create mode 100644 SOURCES/0045-boot-Do-not-require-a-loaded-image-path.patch create mode 100644 SOURCES/0046-boot-Manually-convert-filepaths-if-needed.patch create mode 100644 SOURCES/0047-boot-Rework-security-arch-override.patch create mode 100644 SOURCES/0048-boot-Replace-firmware-security-hooks-directly.patch create mode 100644 SOURCES/0049-networkd-ipv4acd.c-Use-net-if.h-for-getting-IFF_LOOP.patch create mode 100644 SOURCES/0050-Revert-initrd-extend-SYSTEMD_IN_INITRD-to-accept-non.patch create mode 100644 SOURCES/0051-pid1-skip-cleanup-if-root-is-not-tmpfs-ramfs.patch create mode 100644 SOURCES/0052-ac-power-check-battery-existence-and-status.patch create mode 100644 SOURCES/0053-systemctl-do-not-show-unit-properties-with-all.patch create mode 100644 SOURCES/0054-Fix-reading-etc-machine-id-in-kernel-install-25388.patch create mode 100644 SOURCES/0055-Revert-journal-Make-sd_journal_previous-next-return-.patch create mode 100644 SOURCES/0056-boot-Correctly-handle-saved-default-patterns.patch create mode 100644 SOURCES/0057-shared-tpm2-util-Fix-Error-Esys-invalid-ESAPI-handle.patch create mode 100644 SOURCES/0058-Handle-MACHINE_ID-uninitialized.patch create mode 100644 SOURCES/0059-fuzz-fuzz-compress-fix-copy-and-paste-error-buf-buf2.patch create mode 100644 SOURCES/0060-boot-measure-fix-oom-check.patch create mode 100644 SOURCES/0061-nspawn-allow-sched_rr_get_interval_time64-through-se.patch create mode 100644 SOURCES/0062-resolved-use-right-conditionalization-when-setting-u.patch create mode 100644 SOURCES/0063-resolved-when-configuring-127.0.0.1-as-per-interface.patch create mode 100644 SOURCES/0064-manager-fix-format-strings-for-trigger-metadata.patch create mode 100644 SOURCES/0065-basic-strv-check-printf-arguments-to-strv_extendf.patch create mode 100644 SOURCES/0066-resolved-Fix-OpenSSL-error-messages.patch create mode 100644 SOURCES/0067-network-wifi-try-to-reconfigure-when-connected.patch create mode 100644 SOURCES/0068-oomd-always-allow-root-owned-cgroups-to-set-ManagedO.patch create mode 100644 SOURCES/0069-oomd-fix-unreachable-test-case-in-test-oomd-util.patch create mode 100644 SOURCES/0070-portable-add-a-few-more-useful-debug-log-messages.patch create mode 100644 SOURCES/0071-repart-respect-discard-no-also-for-block-devices.patch create mode 100644 SOURCES/0072-udev-make-sure-auto-root-logic-also-works-in-UKIs-bo.patch create mode 100644 SOURCES/0073-meson-install-test-kernel-install-only-when-Dkernel-.patch create mode 100644 SOURCES/0074-boot-Silence-driver-reconnect-errors.patch create mode 100644 SOURCES/0075-dissect-image-do-not-try-to-close-invalid-fd.patch create mode 100644 SOURCES/0076-bootctl-make-boot-entry-id-logged-in-hex.patch create mode 100644 SOURCES/0077-bootctl-downgrade-log-message-when-firmware-reports-.patch create mode 100644 SOURCES/0078-bootctl-rework-how-we-handle-referenced-but-absent-E.patch create mode 100644 SOURCES/0079-strv-Make-sure-strv_make_nulstr-always-returns-a-val.patch create mode 100644 SOURCES/0080-sd-bus-Use-goto-finish-instead-of-return-in-bus_add_.patch create mode 100644 SOURCES/0081-find-esp-downgrade-and-ignore-error-on-retrieving-PA.patch create mode 100644 SOURCES/0082-find-esp-include-device-sysname-in-the-log-message.patch create mode 100644 SOURCES/0083-tmpfiles-log-at-info-level-when-some-allowed-failure.patch create mode 100644 SOURCES/0084-fd-util-make-fd_in_set-and-thus-close_all_fds-handle.patch create mode 100644 SOURCES/0085-fd-util-add-new-fd_cloexec_many-helper.patch create mode 100644 SOURCES/0086-process-util-add-new-FORK_CLOEXEC_OFF-flag-for-disab.patch create mode 100644 SOURCES/0087-dissect-fix-fsck.patch create mode 100644 SOURCES/0088-core-update-audit-messages.patch create mode 100644 SOURCES/0089-logind-set-RemoveIPC-to-false-by-default.patch create mode 100644 SOURCES/0090-tmpfiles-don-t-create-resolv.conf-stub-resolv.conf-s.patch create mode 100644 SOURCES/0091-Copy-40-redhat.rules-from-RHEL-8.patch create mode 100644 SOURCES/0092-Avoid-tmp-being-mounted-as-tmpfs-without-the-user-s-.patch create mode 100644 SOURCES/0093-unit-don-t-add-Requires-for-tmp.mount.patch create mode 100644 SOURCES/0094-units-add-Install-section-to-tmp.mount.patch create mode 100644 SOURCES/0095-rc-local-order-after-network-online.target.patch create mode 100644 SOURCES/0096-ci-drop-CIs-irrelevant-for-downstream.patch create mode 100644 SOURCES/0097-ci-reconfigure-Packit-for-RHEL-9.patch create mode 100644 SOURCES/0098-ci-run-unit-tests-on-z-stream-branches-as-well.patch create mode 100644 SOURCES/0099-random-util-increase-random-seed-size-to-1024.patch create mode 100644 SOURCES/0100-journal-don-t-enable-systemd-journald-audit.socket-b.patch create mode 100644 SOURCES/0101-journald.conf-don-t-touch-current-audit-settings.patch create mode 100644 SOURCES/0102-Revert-udev-remove-WAIT_FOR-key.patch create mode 100644 SOURCES/0103-Really-don-t-enable-systemd-journald-audit.socket.patch create mode 100644 SOURCES/0104-rules-add-elevator-kernel-command-line-parameter.patch create mode 100644 SOURCES/0105-units-don-t-enable-tmp.mount-statically-in-local-fs..patch create mode 100644 SOURCES/0106-pid1-bump-DefaultTasksMax-to-80-of-the-kernel-pid.ma.patch create mode 100644 SOURCES/0107-set-core-ulimit-to-0-like-on-RHEL-7.patch create mode 100644 SOURCES/0108-ci-use-C9S-chroots-in-Packit.patch create mode 100644 SOURCES/0109-Treat-EPERM-as-not-available-too.patch create mode 100644 SOURCES/0110-udev-net-setup-link-change-the-default-MACAddressPol.patch create mode 100644 SOURCES/0111-man-mention-System-Administrator-s-Guide-in-systemct.patch create mode 100644 SOURCES/0112-Net-naming-scheme-for-RHEL-9.0.patch create mode 100644 SOURCES/0113-core-decrease-log-level-of-messages-about-use-of-Kil.patch create mode 100644 SOURCES/0114-ci-Mergify-configuration-update.patch create mode 100644 SOURCES/0115-ci-Mergify-fix-copy-paste-bug.patch create mode 100644 SOURCES/0116-ci-Mergify-Add-ci-waived-logic.patch create mode 100644 SOURCES/0117-udev-net_id-avoid-slot-based-names-only-for-single-f.patch create mode 100644 SOURCES/0118-udev-net_id-add-rhel-9.1-naming-scheme.patch create mode 100644 SOURCES/0119-ci-lint-Update-Differential-ShellCheck-config-to-run.patch create mode 100644 SOURCES/0120-ci-mergify-Update-policy-Drop-LGTM-checks.patch create mode 100644 SOURCES/0121-test-sd-device-skip-misc-devices.patch create mode 100644 SOURCES/0122-test-skip-test_ntp-if-systemd-timesyncd-is-not-avail.patch create mode 100644 SOURCES/0123-test-accept-EPERM-for-unavailable-idmapped-mounts-as.patch create mode 100644 SOURCES/0124-test-don-t-test-buses-we-don-t-ship.patch create mode 100644 SOURCES/0125-basic-add-fallback-in-chase_symlinks_and_opendir-for.patch create mode 100644 SOURCES/0126-test-check-if-we-can-use-SHA1-MD-for-signing-before-.patch create mode 100644 SOURCES/0127-boot-cleanups-for-efivar_get-and-friends.patch create mode 100644 SOURCES/0128-boot-fix-false-maybe-uninitialized-warning.patch create mode 100644 SOURCES/0129-tree-wide-modernizations-with-RET_NERRNO.patch create mode 100644 SOURCES/0130-sd-bus-handle-EINTR-return-from-bus_poll.patch create mode 100644 SOURCES/0131-stdio-bridge-don-t-be-bothered-with-EINTR.patch create mode 100644 SOURCES/0132-varlink-also-handle-EINTR-gracefully-when-waiting-fo.patch create mode 100644 SOURCES/0133-sd-netlink-handle-EINTR-from-poll-gracefully-as-succ.patch create mode 100644 SOURCES/0134-resolved-handle-EINTR-returned-from-fd_wait_for_even.patch create mode 100644 SOURCES/0135-homed-handle-EINTR-gracefully-when-waiting-for-devic.patch create mode 100644 SOURCES/0136-utmp-wtmp-fix-error-in-case-isatty-fails.patch create mode 100644 SOURCES/0137-utmp-wtmp-handle-EINTR-gracefully-when-waiting-to-wr.patch create mode 100644 SOURCES/0138-io-util-document-EINTR-situation-a-bit.patch create mode 100644 SOURCES/0139-terminal-util-Set-OPOST-when-setting-ONLCR.patch create mode 100644 SOURCES/0140-cgtop-Do-not-rewrite-P-or-k-options.patch create mode 100644 SOURCES/0141-test-Add-tests-for-systemd-cgtop-args-parsing.patch create mode 100644 SOURCES/0142-resolved-remove-inappropriate-assert.patch create mode 100644 SOURCES/0143-boot-Add-xstrn8_to_16.patch create mode 100644 SOURCES/0144-boot-Use-xstr8_to_16.patch create mode 100644 SOURCES/0145-boot-Use-xstr8_to_16-for-path-conversion.patch create mode 100644 SOURCES/0146-stub-Fix-cmdline-handling.patch create mode 100644 SOURCES/0147-stub-Detect-empty-LoadOptions-when-run-from-EFI-shel.patch create mode 100644 SOURCES/0148-boot-Use-EFI_BOOT_MANAGER_POLICY_PROTOCOL-to-connect.patch create mode 100644 SOURCES/0149-boot-Make-sure-all-partitions-drivers-are-connected.patch create mode 100644 SOURCES/0150-boot-improve-support-for-qemu.patch create mode 100644 SOURCES/0151-systemd-boot-man-page-add-section-for-virtual-machin.patch create mode 100644 SOURCES/0152-boot-Only-do-full-driver-initialization-in-VMs.patch create mode 100644 SOURCES/0153-dissect-rework-DISSECT_IMAGE_ADD_PARTITION_DEVICES-D.patch create mode 100644 SOURCES/0154-ci-Mergify-v252-configuration-update.patch create mode 100644 SOURCES/0155-ci-Run-GitHub-workflows-on-rhel-branches.patch create mode 100644 SOURCES/0156-ci-Drop-scorecards-workflow-not-relevant.patch create mode 100644 SOURCES/0157-swap-tell-swapon-to-reinitialize-swap-if-needed.patch create mode 100644 SOURCES/0158-coredump-adjust-whitespace.patch create mode 100644 SOURCES/0159-coredump-do-not-allow-user-to-access-coredumps-with-.patch create mode 100644 SOURCES/0160-Revert-basic-add-fallback-in-chase_symlinks_and_open.patch create mode 100644 SOURCES/0161-glyph-util-add-warning-sign-special-glyph.patch create mode 100644 SOURCES/0162-chase-symlink-when-converting-directory-O_PATH-fd-to.patch create mode 100644 SOURCES/0163-systemctl-print-a-clear-warning-if-people-invoke-sys.patch create mode 100644 SOURCES/0164-TEST-65-check-cat-config-operation-in-chroot.patch create mode 100644 SOURCES/0165-TEST-65-use-v-more.patch create mode 100644 SOURCES/0166-systemctl-warn-if-trying-to-disable-a-unit-with-no-i.patch create mode 100644 SOURCES/0167-systemctl-allow-suppress-the-warning-of-no-install-i.patch create mode 100644 SOURCES/0168-rpm-systemd-update-helper-use-no-warn-when-disabling.patch create mode 100644 SOURCES/0169-systemctl-suppress-warning-about-missing-proc-when-n.patch create mode 100644 SOURCES/0170-shell-completion-systemctl-add-no-warn.patch create mode 100644 SOURCES/0171-core-unit-drop-doubled-empty-line.patch create mode 100644 SOURCES/0172-core-unit-drop-dependency-to-the-unit-being-merged.patch create mode 100644 SOURCES/0173-core-unit-fix-logic-of-dropping-self-referencing-dep.patch create mode 100644 SOURCES/0174-core-unit-merge-two-loops-into-one.patch create mode 100644 SOURCES/0175-test-add-test-case-for-sysv-generator-and-invalid-de.patch create mode 100644 SOURCES/0176-core-unit-merge-unit-names-after-merging-deps.patch create mode 100644 SOURCES/0177-core-unit-fix-log-message.patch create mode 100644 SOURCES/0178-test-explicitly-create-the-etc-init.d-directory.patch create mode 100644 SOURCES/0179-test-support-a-non-default-SysV-directory.patch create mode 100644 SOURCES/0180-udev-make-get_virtfn_info-provide-physical-PCI-devic.patch create mode 100644 SOURCES/0181-test-make-helper_check_device_units-log-unit-name.patch create mode 100644 SOURCES/0182-test-add-a-testcase-for-lvextend.patch create mode 100644 SOURCES/0183-pid1-fix-segv-triggered-by-status-query-26279.patch create mode 100644 SOURCES/0184-test-create-config-under-run.patch create mode 100644 SOURCES/0185-test-add-tests-for-mDNS-and-LLMNR-settings.patch create mode 100644 SOURCES/0186-resolved-introduce-the-_localdnsstub-and-_localdnspr.patch create mode 100644 SOURCES/0187-test-wait-for-the-monitoring-service-to-become-activ.patch create mode 100644 SOURCES/0188-test-suppress-echo-in-monitor_check_rr.patch create mode 100644 SOURCES/0189-Revert-test-wait-for-the-monitoring-service-to-becom.patch create mode 100644 SOURCES/0190-test-show-and-check-almost-all-journal-entries-since.patch create mode 100644 SOURCES/0191-test-cover-IPv6-in-the-resolved-test-suite.patch create mode 100644 SOURCES/0192-test-add-a-couple-of-SRV-records-to-check-service-re.patch create mode 100644 SOURCES/0193-test-add-a-test-for-the-OPENPGPKEY-RR.patch create mode 100644 SOURCES/0194-test-don-t-hang-indefinitely-on-no-match.patch create mode 100644 SOURCES/0195-test-ndisc-fix-memleak-and-fd-leak.patch create mode 100644 SOURCES/0196-test-unit-name-fix-fd-leak.patch create mode 100644 SOURCES/0197-test-bump-D-Bus-service-start-timeout-if-we-run-with.patch create mode 100644 SOURCES/0198-test-bump-the-client-side-timeout-in-sd-bus-as-well.patch create mode 100644 SOURCES/0199-test-bump-the-container-spawn-timeout-to-60s.patch create mode 100644 SOURCES/0200-network-fix-memleak.patch create mode 100644 SOURCES/0201-busctl-fix-introspecting-DBus-properties.patch create mode 100644 SOURCES/0202-busctl-simplify-peeking-the-type.patch create mode 100644 SOURCES/0203-resolve-drop-redundant-call-of-socket_ipv6_is_suppor.patch create mode 100644 SOURCES/0204-resolve-introduce-link_get_llmnr_support-and-link_ge.patch create mode 100644 SOURCES/0205-resolve-provide-effective-supporting-levels-of-mDNS-.patch create mode 100644 SOURCES/0206-resolvectl-warn-if-the-global-mDNS-or-LLMNR-support-.patch create mode 100644 SOURCES/0207-resolve-enable-per-link-mDNS-setting-by-default.patch create mode 100644 SOURCES/0208-nss-myhostname-fix-inverted-condition-in.patch create mode 100644 SOURCES/0209-nss-myhostname-do-not-return-empty-result-with-NSS_S.patch create mode 100644 SOURCES/0210-sleep-rename-hibernate_delay_sec-_usec.patch create mode 100644 SOURCES/0211-sleep-fetch_batteries_capacity_by_name-does-not-retu.patch create mode 100644 SOURCES/0212-sleep-drop-unnecessary-temporal-vaiable-and-initiali.patch create mode 100644 SOURCES/0213-sleep-introduce-SuspendEstimationSec.patch create mode 100644 SOURCES/0214-sleep-coding-style-fixlets.patch create mode 100644 SOURCES/0215-sleep-simplify-code-a-bit.patch create mode 100644 SOURCES/0216-sleep-fix-indentation.patch create mode 100644 SOURCES/0217-sleep-enumerate-only-existing-and-non-device-batteri.patch create mode 100644 SOURCES/0218-core-when-isolating-to-a-unit-also-keep-units-runnin.patch create mode 100644 SOURCES/0219-udev-net_id-introduce-naming-scheme-for-RHEL-9.2.patch create mode 100644 SOURCES/0220-journalctl-actually-run-the-static-destructors.patch create mode 100644 SOURCES/0221-efi-drop-executable-stack-bit-from-.elf-file.patch create mode 100644 SOURCES/0222-install-fail-early-if-specifier-expansion-failed.patch create mode 100644 SOURCES/0223-test-add-coverage-for-26467.patch create mode 100644 SOURCES/0224-test-add-coverage-for-24177.patch create mode 100644 SOURCES/0225-logind-session-make-stopping-of-idle-session-visible.patch create mode 100644 SOURCES/0226-journal-file-Fix-return-value-in-bump_entry_array.patch create mode 100644 SOURCES/10-oomd-defaults.conf create mode 100644 SOURCES/10-oomd-root-slice-defaults.conf create mode 100644 SOURCES/10-oomd-user-service-defaults.conf create mode 100755 SOURCES/20-grubby.install create mode 100644 SOURCES/20-yama-ptrace.conf create mode 100644 SOURCES/inittab create mode 100644 SOURCES/libsystemd-shared.abignore create mode 100644 SOURCES/macros.sysusers create mode 100755 SOURCES/purge-nobody-user create mode 100644 SOURCES/rc.local create mode 100644 SOURCES/split-files.py create mode 100644 SOURCES/sysctl.conf.README create mode 100644 SOURCES/systemd-journal-gatewayd.xml create mode 100644 SOURCES/systemd-journal-remote.xml create mode 100644 SOURCES/systemd-udev-trigger-no-reload.conf create mode 100644 SOURCES/systemd-user create mode 100644 SOURCES/sysusers.attr create mode 100755 SOURCES/sysusers.generate-pre.sh create mode 100755 SOURCES/sysusers.prov create mode 100644 SOURCES/triggers.systemd create mode 100644 SOURCES/yum-protect-systemd.conf create mode 100644 SPECS/systemd.spec diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..1e7d69d --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +SOURCES/systemd-252.tar.gz diff --git a/.systemd.metadata b/.systemd.metadata new file mode 100644 index 0000000..9d85202 --- /dev/null +++ b/.systemd.metadata @@ -0,0 +1 @@ +7c961dc6e8bb950825b85129f59dc80f4536cabb SOURCES/systemd-252.tar.gz diff --git a/SOURCES/0001-macro-Simply-case-macros-for-IN_SET.patch b/SOURCES/0001-macro-Simply-case-macros-for-IN_SET.patch new file mode 100644 index 0000000..7df76bd --- /dev/null +++ b/SOURCES/0001-macro-Simply-case-macros-for-IN_SET.patch @@ -0,0 +1,78 @@ +From 87bf366c97be1c811c4bfdf80b48d6c3e35da76a Mon Sep 17 00:00:00 2001 +From: Jan Janssen +Date: Tue, 25 Oct 2022 19:55:08 +0200 +Subject: [PATCH] macro: Simply case macros for IN_SET + +The CASE param would normally provide the operation for the compiler to +do in this macro magic. But in this case CASE_F_1 was hardcoding the +operation, making the parameter moot. +This just removes the somewhat pointless parameter instead of fixing +the one case. These macros are used for IN_SET case labels only and +not named generically anyways. + +(cherry picked from commit 790f4dda74d7ecdb4e57101a37cc9f2f9236bef6) + +Related #2138081 +--- + src/fundamental/macro-fundamental.h | 43 ++++++++++++++--------------- + 1 file changed, 21 insertions(+), 22 deletions(-) + +diff --git a/src/fundamental/macro-fundamental.h b/src/fundamental/macro-fundamental.h +index 2536c741c6..63f4c49e78 100644 +--- a/src/fundamental/macro-fundamental.h ++++ b/src/fundamental/macro-fundamental.h +@@ -251,33 +251,32 @@ + (UNIQ_T(X, xq) / UNIQ_T(Y, yq) + !!(UNIQ_T(X, xq) % UNIQ_T(Y, yq))); \ + }) + +-#define CASE_F(X) case X: +-#define CASE_F_1(CASE, X) CASE_F(X) +-#define CASE_F_2(CASE, X, ...) CASE(X) CASE_F_1(CASE, __VA_ARGS__) +-#define CASE_F_3(CASE, X, ...) CASE(X) CASE_F_2(CASE, __VA_ARGS__) +-#define CASE_F_4(CASE, X, ...) CASE(X) CASE_F_3(CASE, __VA_ARGS__) +-#define CASE_F_5(CASE, X, ...) CASE(X) CASE_F_4(CASE, __VA_ARGS__) +-#define CASE_F_6(CASE, X, ...) CASE(X) CASE_F_5(CASE, __VA_ARGS__) +-#define CASE_F_7(CASE, X, ...) CASE(X) CASE_F_6(CASE, __VA_ARGS__) +-#define CASE_F_8(CASE, X, ...) CASE(X) CASE_F_7(CASE, __VA_ARGS__) +-#define CASE_F_9(CASE, X, ...) CASE(X) CASE_F_8(CASE, __VA_ARGS__) +-#define CASE_F_10(CASE, X, ...) CASE(X) CASE_F_9(CASE, __VA_ARGS__) +-#define CASE_F_11(CASE, X, ...) CASE(X) CASE_F_10(CASE, __VA_ARGS__) +-#define CASE_F_12(CASE, X, ...) CASE(X) CASE_F_11(CASE, __VA_ARGS__) +-#define CASE_F_13(CASE, X, ...) CASE(X) CASE_F_12(CASE, __VA_ARGS__) +-#define CASE_F_14(CASE, X, ...) CASE(X) CASE_F_13(CASE, __VA_ARGS__) +-#define CASE_F_15(CASE, X, ...) CASE(X) CASE_F_14(CASE, __VA_ARGS__) +-#define CASE_F_16(CASE, X, ...) CASE(X) CASE_F_15(CASE, __VA_ARGS__) +-#define CASE_F_17(CASE, X, ...) CASE(X) CASE_F_16(CASE, __VA_ARGS__) +-#define CASE_F_18(CASE, X, ...) CASE(X) CASE_F_17(CASE, __VA_ARGS__) +-#define CASE_F_19(CASE, X, ...) CASE(X) CASE_F_18(CASE, __VA_ARGS__) +-#define CASE_F_20(CASE, X, ...) CASE(X) CASE_F_19(CASE, __VA_ARGS__) ++#define CASE_F_1(X) case X: ++#define CASE_F_2(X, ...) case X: CASE_F_1( __VA_ARGS__) ++#define CASE_F_3(X, ...) case X: CASE_F_2( __VA_ARGS__) ++#define CASE_F_4(X, ...) case X: CASE_F_3( __VA_ARGS__) ++#define CASE_F_5(X, ...) case X: CASE_F_4( __VA_ARGS__) ++#define CASE_F_6(X, ...) case X: CASE_F_5( __VA_ARGS__) ++#define CASE_F_7(X, ...) case X: CASE_F_6( __VA_ARGS__) ++#define CASE_F_8(X, ...) case X: CASE_F_7( __VA_ARGS__) ++#define CASE_F_9(X, ...) case X: CASE_F_8( __VA_ARGS__) ++#define CASE_F_10(X, ...) case X: CASE_F_9( __VA_ARGS__) ++#define CASE_F_11(X, ...) case X: CASE_F_10( __VA_ARGS__) ++#define CASE_F_12(X, ...) case X: CASE_F_11( __VA_ARGS__) ++#define CASE_F_13(X, ...) case X: CASE_F_12( __VA_ARGS__) ++#define CASE_F_14(X, ...) case X: CASE_F_13( __VA_ARGS__) ++#define CASE_F_15(X, ...) case X: CASE_F_14( __VA_ARGS__) ++#define CASE_F_16(X, ...) case X: CASE_F_15( __VA_ARGS__) ++#define CASE_F_17(X, ...) case X: CASE_F_16( __VA_ARGS__) ++#define CASE_F_18(X, ...) case X: CASE_F_17( __VA_ARGS__) ++#define CASE_F_19(X, ...) case X: CASE_F_18( __VA_ARGS__) ++#define CASE_F_20(X, ...) case X: CASE_F_19( __VA_ARGS__) + + #define GET_CASE_F(_1,_2,_3,_4,_5,_6,_7,_8,_9,_10,_11,_12,_13,_14,_15,_16,_17,_18,_19,_20,NAME,...) NAME + #define FOR_EACH_MAKE_CASE(...) \ + GET_CASE_F(__VA_ARGS__,CASE_F_20,CASE_F_19,CASE_F_18,CASE_F_17,CASE_F_16,CASE_F_15,CASE_F_14,CASE_F_13,CASE_F_12,CASE_F_11, \ + CASE_F_10,CASE_F_9,CASE_F_8,CASE_F_7,CASE_F_6,CASE_F_5,CASE_F_4,CASE_F_3,CASE_F_2,CASE_F_1) \ +- (CASE_F,__VA_ARGS__) ++ (__VA_ARGS__) + + #define IN_SET(x, ...) \ + ({ \ diff --git a/SOURCES/0002-macro-fix-indentation.patch b/SOURCES/0002-macro-fix-indentation.patch new file mode 100644 index 0000000..e58e576 --- /dev/null +++ b/SOURCES/0002-macro-fix-indentation.patch @@ -0,0 +1,25 @@ +From 0c372e24bb30c25beccd76c071baca22258e71c9 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Wed, 26 Oct 2022 03:28:08 +0900 +Subject: [PATCH] macro: fix indentation + +(cherry picked from commit e967926b092d8635b3da28fc4ca492009e32228f) + +Related #2138081 +--- + src/fundamental/macro-fundamental.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/fundamental/macro-fundamental.h b/src/fundamental/macro-fundamental.h +index 63f4c49e78..faab16ab31 100644 +--- a/src/fundamental/macro-fundamental.h ++++ b/src/fundamental/macro-fundamental.h +@@ -290,7 +290,7 @@ + switch (x) { \ + FOR_EACH_MAKE_CASE(__VA_ARGS__) \ + _found = true; \ +- break; \ ++ break; \ + default: \ + break; \ + } \ diff --git a/SOURCES/0003-test-add-a-couple-of-sanity-tests-for-journalctl.patch b/SOURCES/0003-test-add-a-couple-of-sanity-tests-for-journalctl.patch new file mode 100644 index 0000000..8fd729b --- /dev/null +++ b/SOURCES/0003-test-add-a-couple-of-sanity-tests-for-journalctl.patch @@ -0,0 +1,61 @@ +From 5ac8c56f111f2875467422c851a05891c0ec7d1b Mon Sep 17 00:00:00 2001 +From: Frantisek Sumsal +Date: Mon, 31 Oct 2022 12:11:59 +0100 +Subject: [PATCH] test: add a couple of sanity tests for journalctl + +(cherry picked from commit ca46781c5ffa3aaa7a8fb6f09976357d003c4aae) + +Related #2138081 +--- + test/units/testsuite-04.sh | 38 ++++++++++++++++++++++++++++++++++++++ + 1 file changed, 38 insertions(+) + +diff --git a/test/units/testsuite-04.sh b/test/units/testsuite-04.sh +index b5468cbea4..fdc3273fea 100755 +--- a/test/units/testsuite-04.sh ++++ b/test/units/testsuite-04.sh +@@ -119,6 +119,44 @@ systemctl start silent-success + journalctl --sync + [[ -z "$(journalctl -b -q -u silent-success.service)" ]] + ++# Exercise the matching machinery ++SYSTEMD_LOG_LEVEL=debug journalctl -b -n 1 /dev/null /dev/zero /dev/null /dev/null /dev/null ++journalctl -b -n 1 /bin/true /bin/false ++journalctl -b -n 1 /bin/true + /bin/false ++journalctl -b -n 1 -r --unit "systemd*" ++ ++systemd-run --user -M "testuser@.host" /bin/echo hello ++journalctl --sync ++journalctl -b -n 1 -r --user-unit "*" ++ ++(! journalctl -b /dev/lets-hope-this-doesnt-exist) ++(! journalctl -b /dev/null /dev/zero /dev/this-also-shouldnt-exist) ++(! journalctl -b --unit "this-unit-should-not-exist*") ++ ++# Facilities & priorities ++journalctl --facility help ++journalctl --facility kern -n 1 ++journalctl --facility syslog --priority 0..3 -n 1 ++journalctl --facility syslog --priority 3..0 -n 1 ++journalctl --facility user --priority 0..0 -n 1 ++journalctl --facility daemon --priority warning -n 1 ++journalctl --facility daemon --priority warning..info -n 1 ++journalctl --facility daemon --priority notice..crit -n 1 ++journalctl --facility daemon --priority 5..crit -n 1 ++ ++(! journalctl --facility hopefully-an-unknown-facility) ++(! journalctl --priority hello-world) ++(! journalctl --priority 0..128) ++(! journalctl --priority 0..systemd) ++ ++# Other options ++journalctl --disk-usage ++journalctl --dmesg -n 1 ++journalctl --fields ++journalctl --list-boots ++journalctl --update-catalog ++journalctl --list-catalog ++ + # Add new tests before here, the journald restarts below + # may make tests flappy. + diff --git a/SOURCES/0004-man-fix-typo-found-by-Lintian.patch b/SOURCES/0004-man-fix-typo-found-by-Lintian.patch new file mode 100644 index 0000000..ee1fc6a --- /dev/null +++ b/SOURCES/0004-man-fix-typo-found-by-Lintian.patch @@ -0,0 +1,25 @@ +From b1a2687cf5b419d6928d024f26aabe1de8ff7727 Mon Sep 17 00:00:00 2001 +From: Luca Boccassi +Date: Mon, 31 Oct 2022 21:17:47 +0000 +Subject: [PATCH] man: fix typo found by Lintian + +(cherry picked from commit 84033dd40588dbf4f57a746c141fe7d111247a93) + +Related #2138081 +--- + man/loader.conf.xml | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/man/loader.conf.xml b/man/loader.conf.xml +index 3ee42cdb73..7f173aec61 100644 +--- a/man/loader.conf.xml ++++ b/man/loader.conf.xml +@@ -236,7 +236,7 @@ + + The different sets of variables can be set up under /loader/keys/NAME + where NAME is the name that is going to be used as the name of the entry. +- This allows to ship multiple sets of Secure Boot variables and choose which one to enroll at runtime. ++ This allows one to ship multiple sets of Secure Boot variables and choose which one to enroll at runtime. + + Supported secure boot variables are one database for authorized images, one key exchange key (KEK) + and one platform key (PK). For more information, refer to the UEFI specification, diff --git a/SOURCES/0005-test-add-x-to-assert.sh.patch b/SOURCES/0005-test-add-x-to-assert.sh.patch new file mode 100644 index 0000000..05da9d6 --- /dev/null +++ b/SOURCES/0005-test-add-x-to-assert.sh.patch @@ -0,0 +1,19 @@ +From 3d2fc0517d43ff2c5c6fc03ebb68ef9429be5fd4 Mon Sep 17 00:00:00 2001 +From: Luca Boccassi +Date: Mon, 31 Oct 2022 21:18:53 +0000 +Subject: [PATCH] test: add +x to assert.sh + +The script has a shebang and .sh extension, so make it executable + +W: systemd-tests: script-not-executable [usr/lib/systemd/tests/testdata/units/assert.sh] +(cherry picked from commit fb4f7271d9f75a44756b110706cdb53b82f407ce) + +Related #2138081 +--- + test/units/assert.sh | 0 + 1 file changed, 0 insertions(+), 0 deletions(-) + mode change 100644 => 100755 test/units/assert.sh + +diff --git a/test/units/assert.sh b/test/units/assert.sh +old mode 100644 +new mode 100755 diff --git a/SOURCES/0006-parse_hwdb-allow-negative-value-for-EVDEV_ABS_-prope.patch b/SOURCES/0006-parse_hwdb-allow-negative-value-for-EVDEV_ABS_-prope.patch new file mode 100644 index 0000000..475f90b --- /dev/null +++ b/SOURCES/0006-parse_hwdb-allow-negative-value-for-EVDEV_ABS_-prope.patch @@ -0,0 +1,25 @@ +From a2cb8467652ca36bd5420dc685d5e6b76014c3e1 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Tue, 1 Nov 2022 13:10:20 +0900 +Subject: [PATCH] parse_hwdb: allow negative value for EVDEV_ABS_ properties + +(cherry picked from commit f0b75cda5a3eac3fe953fd1a429a39e077387997) + +Related #2138081 +--- + hwdb.d/parse_hwdb.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/hwdb.d/parse_hwdb.py b/hwdb.d/parse_hwdb.py +index c0dde75650..5a1ae5a6a0 100755 +--- a/hwdb.d/parse_hwdb.py ++++ b/hwdb.d/parse_hwdb.py +@@ -202,7 +202,7 @@ def property_grammar(): + ] + abs_props = [Regex(r'EVDEV_ABS_[0-9a-f]{2}')('NAME') + - Suppress('=') - +- Word(nums + ':')('VALUE') ++ Word('-' + nums + ':')('VALUE') + ] + + grammar = Or(fixed_props + kbd_props + abs_props) + EOL diff --git a/SOURCES/0007-resolved-fix-typo-in-feature-level-table.patch b/SOURCES/0007-resolved-fix-typo-in-feature-level-table.patch new file mode 100644 index 0000000..ecb09f5 --- /dev/null +++ b/SOURCES/0007-resolved-fix-typo-in-feature-level-table.patch @@ -0,0 +1,24 @@ +From 07aa3fcbb7b4e4cca7b2e9be6e038ab92bfc5fdc Mon Sep 17 00:00:00 2001 +From: Youfu Zhang <1315097+zhangyoufu@users.noreply.github.com> +Date: Tue, 1 Nov 2022 13:18:25 +0800 +Subject: [PATCH] resolved: fix typo in feature level table + +(cherry picked from commit 2ab0042854934827e61076c6e42c7381fdf78fdf) + +Related #2138081 +--- + src/resolve/resolved-dns-server.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/resolve/resolved-dns-server.c b/src/resolve/resolved-dns-server.c +index 9b74a8d6d8..04a4f53ed0 100644 +--- a/src/resolve/resolved-dns-server.c ++++ b/src/resolve/resolved-dns-server.c +@@ -1087,6 +1087,6 @@ static const char* const dns_server_feature_level_table[_DNS_SERVER_FEATURE_LEVE + [DNS_SERVER_FEATURE_LEVEL_EDNS0] = "UDP+EDNS0", + [DNS_SERVER_FEATURE_LEVEL_TLS_PLAIN] = "TLS+EDNS0", + [DNS_SERVER_FEATURE_LEVEL_DO] = "UDP+EDNS0+DO", +- [DNS_SERVER_FEATURE_LEVEL_TLS_DO] = "TLS+EDNS0+D0", ++ [DNS_SERVER_FEATURE_LEVEL_TLS_DO] = "TLS+EDNS0+DO", + }; + DEFINE_STRING_TABLE_LOOKUP(dns_server_feature_level, DnsServerFeatureLevel); diff --git a/SOURCES/0008-coverage-Mark-_coverage__exit-as-noreturn.patch b/SOURCES/0008-coverage-Mark-_coverage__exit-as-noreturn.patch new file mode 100644 index 0000000..cc41699 --- /dev/null +++ b/SOURCES/0008-coverage-Mark-_coverage__exit-as-noreturn.patch @@ -0,0 +1,28 @@ +From a1f18876d5f7122c9f94af9a84f1324f50dba0ed Mon Sep 17 00:00:00 2001 +From: Jan Janssen +Date: Tue, 1 Nov 2022 09:43:32 +0100 +Subject: [PATCH] coverage: Mark _coverage__exit as noreturn + +../src/basic/coverage.h:15:48: warning: function '_coverage__exit' could +be declared with attribute 'noreturn' [-Wmissing-noreturn] + +(cherry picked from commit 0bab5534b334677652bb69fe15eaa54ce84cbe7d) + +Related #2138081 +--- + src/basic/coverage.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/basic/coverage.h b/src/basic/coverage.h +index 3ef02cf70e..640bddc485 100644 +--- a/src/basic/coverage.h ++++ b/src/basic/coverage.h +@@ -12,7 +12,7 @@ + extern void _exit(int); + extern void __gcov_dump(void); + +-static inline void _coverage__exit(int status) { ++static inline _Noreturn void _coverage__exit(int status) { + __gcov_dump(); + _exit(status); + } diff --git a/SOURCES/0009-namespace-Add-hidepid-subset-support-check.patch b/SOURCES/0009-namespace-Add-hidepid-subset-support-check.patch new file mode 100644 index 0000000..34a609c --- /dev/null +++ b/SOURCES/0009-namespace-Add-hidepid-subset-support-check.patch @@ -0,0 +1,154 @@ +From 6ab61ac93e534aec1ea4d16e77c1c355c8286e64 Mon Sep 17 00:00:00 2001 +From: Daan De Meyer +Date: Thu, 27 Oct 2022 13:14:12 +0200 +Subject: [PATCH] namespace: Add hidepid/subset support check + +Using fsopen()/fsconfig(), we can check if hidepid/subset are supported to +avoid the noisy logs from the kernel if they aren't supported. This works +on centos/redhat 8 as well since they've backported fsopen()/fsconfig(). + +(cherry picked from commit 1c265fcd5963603d338233840129ecad8d9c1420) + +Related #2138081 +--- + meson.build | 2 ++ + src/basic/missing_syscall.h | 40 +++++++++++++++++++++++++++++++ + src/core/namespace.c | 47 ++++++++++++++++++++++++++++++++----- + 3 files changed, 83 insertions(+), 6 deletions(-) + +diff --git a/meson.build b/meson.build +index 76ad51d3fb..7750534466 100644 +--- a/meson.build ++++ b/meson.build +@@ -606,6 +606,8 @@ foreach ident : [ + ['mount_setattr', '''#include '''], + ['move_mount', '''#include '''], + ['open_tree', '''#include '''], ++ ['fsopen', '''#include '''], ++ ['fsconfig', '''#include '''], + ['getdents64', '''#include '''], + ] + +diff --git a/src/basic/missing_syscall.h b/src/basic/missing_syscall.h +index 793d111c55..d54e59fdf9 100644 +--- a/src/basic/missing_syscall.h ++++ b/src/basic/missing_syscall.h +@@ -593,6 +593,46 @@ static inline int missing_move_mount( + + /* ======================================================================= */ + ++#if !HAVE_FSOPEN ++ ++#ifndef FSOPEN_CLOEXEC ++#define FSOPEN_CLOEXEC 0x00000001 ++#endif ++ ++static inline int missing_fsopen(const char *fsname, unsigned flags) { ++# if defined __NR_fsopen && __NR_fsopen >= 0 ++ return syscall(__NR_fsopen, fsname, flags); ++# else ++ errno = ENOSYS; ++ return -1; ++# endif ++} ++ ++# define fsopen missing_fsopen ++#endif ++ ++/* ======================================================================= */ ++ ++#if !HAVE_FSCONFIG ++ ++#ifndef FSCONFIG_SET_STRING ++#define FSCONFIG_SET_STRING 1 /* Set parameter, supplying a string value */ ++#endif ++ ++static inline int missing_fsconfig(int fd, unsigned cmd, const char *key, const void *value, int aux) { ++# if defined __NR_fsconfig && __NR_fsconfig >= 0 ++ return syscall(__NR_fsconfig, fd, cmd, key, value, aux); ++# else ++ errno = ENOSYS; ++ return -1; ++# endif ++} ++ ++# define fsconfig missing_fsconfig ++#endif ++ ++/* ======================================================================= */ ++ + #if !HAVE_GETDENTS64 + + static inline ssize_t missing_getdents64(int fd, void *buffer, size_t length) { +diff --git a/src/core/namespace.c b/src/core/namespace.c +index c3cced7410..852be3bdde 100644 +--- a/src/core/namespace.c ++++ b/src/core/namespace.c +@@ -26,6 +26,7 @@ + #include "list.h" + #include "loop-util.h" + #include "loopback-setup.h" ++#include "missing_syscall.h" + #include "mkdir-label.h" + #include "mount-util.h" + #include "mountpoint-util.h" +@@ -1073,6 +1074,27 @@ static int mount_sysfs(const MountEntry *m) { + return 1; + } + ++static bool mount_option_supported(const char *fstype, const char *key, const char *value) { ++ _cleanup_close_ int fd = -1; ++ int r; ++ ++ /* This function assumes support by default. Only if the fsconfig() call fails with -EINVAL/-EOPNOTSUPP ++ * will it report that the option/value is not supported. */ ++ ++ fd = fsopen(fstype, FSOPEN_CLOEXEC); ++ if (fd < 0) { ++ if (errno != ENOSYS) ++ log_debug_errno(errno, "Failed to open superblock context for '%s': %m", fstype); ++ return true; /* If fsopen() fails for whatever reason, assume the value is supported. */ ++ } ++ ++ r = fsconfig(fd, FSCONFIG_SET_STRING, key, value, 0); ++ if (r < 0 && !IN_SET(errno, EINVAL, EOPNOTSUPP, ENOSYS)) ++ log_debug_errno(errno, "Failed to set '%s=%s' on '%s' superblock context: %m", key, value, fstype); ++ ++ return r >= 0 || !IN_SET(errno, EINVAL, EOPNOTSUPP); ++} ++ + static int mount_procfs(const MountEntry *m, const NamespaceInfo *ns_info) { + _cleanup_free_ char *opts = NULL; + const char *entry_path; +@@ -1090,12 +1112,25 @@ static int mount_procfs(const MountEntry *m, const NamespaceInfo *ns_info) { + * per-instance, we'll exclusively use the textual value for hidepid=, since support was + * added in the same commit: if it's supported it is thus also per-instance. */ + +- opts = strjoin("hidepid=", +- ns_info->protect_proc == PROTECT_PROC_DEFAULT ? "off" : +- protect_proc_to_string(ns_info->protect_proc), +- ns_info->proc_subset == PROC_SUBSET_PID ? ",subset=pid" : ""); +- if (!opts) +- return -ENOMEM; ++ const char *hpv = ns_info->protect_proc == PROTECT_PROC_DEFAULT ? ++ "off" : ++ protect_proc_to_string(ns_info->protect_proc); ++ ++ /* hidepid= support was added in 5.8, so we can use fsconfig()/fsopen() (which were added in ++ * 5.2) to check if hidepid= is supported. This avoids a noisy dmesg log by the kernel when ++ * trying to use hidepid= on systems where it isn't supported. The same applies for subset=. ++ * fsopen()/fsconfig() was also backported on some distros which allows us to detect ++ * hidepid=/subset= support in even more scenarios. */ ++ ++ if (mount_option_supported("proc", "hidepid", hpv)) { ++ opts = strjoin("hidepid=", hpv); ++ if (!opts) ++ return -ENOMEM; ++ } ++ ++ if (ns_info->proc_subset == PROC_SUBSET_PID && mount_option_supported("proc", "subset", "pid")) ++ if (!strextend_with_separator(&opts, ",", "subset=pid")) ++ return -ENOMEM; + } + + entry_path = mount_entry_path(m); diff --git a/SOURCES/0010-test-add-a-couple-of-sanity-tests-for-loginctl.patch b/SOURCES/0010-test-add-a-couple-of-sanity-tests-for-loginctl.patch new file mode 100644 index 0000000..16aa83d --- /dev/null +++ b/SOURCES/0010-test-add-a-couple-of-sanity-tests-for-loginctl.patch @@ -0,0 +1,75 @@ +From 07f188e9ca17345af904e6549c03b1c57d34405a Mon Sep 17 00:00:00 2001 +From: Frantisek Sumsal +Date: Tue, 1 Nov 2022 09:17:58 +0100 +Subject: [PATCH] test: add a couple of sanity tests for loginctl + +(cherry picked from commit 70e9066bc2eaf159e9cde7d95bbee99e44f3045a) + +Related #2138081 +--- + test/units/testsuite-35.sh | 45 ++++++++++++++++++++++++++++++++++++++ + 1 file changed, 45 insertions(+) + +diff --git a/test/units/testsuite-35.sh b/test/units/testsuite-35.sh +index 4ef0f0c11c..85925f2471 100755 +--- a/test/units/testsuite-35.sh ++++ b/test/units/testsuite-35.sh +@@ -338,6 +338,50 @@ EOF + assert_eq "$(loginctl --no-legend | awk '$3=="logind-test-user" { print $5 }')" "tty2" + } + ++test_sanity_check() { ++ # Exercise basic loginctl options ++ ++ if [[ ! -c /dev/tty2 ]]; then ++ echo "/dev/tty2 does not exist, skipping test ${FUNCNAME[0]}." ++ return ++ fi ++ ++ trap cleanup_session RETURN ++ create_session ++ ++ # Run most of the loginctl commands from a user session to make ++ # the seat/session autodetection work-ish ++ systemd-run --user --pipe --wait -M "logind-test-user@.host" bash -eux <<\EOF ++ loginctl list-sessions ++ loginctl session-status ++ loginctl show-session ++ loginctl show-session -P DelayInhibited ++ ++ # We're not in the same session scope, so in this case we need to specify ++ # the session ID explicitly ++ session=$(loginctl --no-legend | awk '$3 == "logind-test-user" { print $1; exit; }') ++ loginctl kill-session --signal=SIGCONT "$session" ++ # FIXME(?) ++ #loginctl kill-session --signal=SIGCONT --kill-who=leader "$session" ++ ++ loginctl list-users ++ loginctl user-status ++ loginctl show-user -a ++ loginctl show-user -P IdleAction ++ loginctl kill-user --signal=SIGCONT "" ++ ++ loginctl list-seats ++ loginctl seat-status ++ loginctl show-seat ++ loginctl show-seat -P IdleActionUSec ++EOF ++ ++ # Requires root privileges ++ loginctl lock-sessions ++ loginctl unlock-sessions ++ loginctl flush-devices ++} ++ + test_session() { + local dev + +@@ -537,6 +581,7 @@ test_properties + test_started + test_suspend_on_lid + test_shutdown ++test_sanity_check + test_session + test_lock_idle_action + test_session_properties diff --git a/SOURCES/0011-test-rename-TEST-26-SETENV-to-TEST-26-SYSTEMCTL.patch b/SOURCES/0011-test-rename-TEST-26-SETENV-to-TEST-26-SYSTEMCTL.patch new file mode 100644 index 0000000..db89638 --- /dev/null +++ b/SOURCES/0011-test-rename-TEST-26-SETENV-to-TEST-26-SYSTEMCTL.patch @@ -0,0 +1,48 @@ +From 66a9a36c3bcd5709c30ac1f2be998eea034a9f6d Mon Sep 17 00:00:00 2001 +From: Frantisek Sumsal +Date: Tue, 1 Nov 2022 17:53:42 +0100 +Subject: [PATCH] test: rename TEST-26-SETENV to TEST-26-SYSTEMCTL + +(cherry picked from commit c5c258ae0a4a0cfc829ed07ff96c7fab79b6ca71) + +Related #2138081 +--- + test/{TEST-26-SETENV => TEST-26-SYSTEMCTL}/Makefile | 0 + test/{TEST-26-SETENV => TEST-26-SYSTEMCTL}/test.sh | 2 +- + test/units/testsuite-26.service | 2 +- + 3 files changed, 2 insertions(+), 2 deletions(-) + rename test/{TEST-26-SETENV => TEST-26-SYSTEMCTL}/Makefile (100%) + rename test/{TEST-26-SETENV => TEST-26-SYSTEMCTL}/test.sh (79%) + +diff --git a/test/TEST-26-SETENV/Makefile b/test/TEST-26-SYSTEMCTL/Makefile +similarity index 100% +rename from test/TEST-26-SETENV/Makefile +rename to test/TEST-26-SYSTEMCTL/Makefile +diff --git a/test/TEST-26-SETENV/test.sh b/test/TEST-26-SYSTEMCTL/test.sh +similarity index 79% +rename from test/TEST-26-SETENV/test.sh +rename to test/TEST-26-SYSTEMCTL/test.sh +index b38e37bfce..64accf850f 100755 +--- a/test/TEST-26-SETENV/test.sh ++++ b/test/TEST-26-SYSTEMCTL/test.sh +@@ -2,7 +2,7 @@ + # SPDX-License-Identifier: LGPL-2.1-or-later + set -e + +-TEST_DESCRIPTION="test setenv" ++TEST_DESCRIPTION="systemctl-related tests" + + # shellcheck source=test/test-functions + . "${TEST_BASE_DIR:?}/test-functions" +diff --git a/test/units/testsuite-26.service b/test/units/testsuite-26.service +index aa553b61a6..d8fdaffb06 100644 +--- a/test/units/testsuite-26.service ++++ b/test/units/testsuite-26.service +@@ -1,6 +1,6 @@ + # SPDX-License-Identifier: LGPL-2.1-or-later + [Unit] +-Description=TEST-26-SETENV ++Description=TEST-26-SYSTEMCTL + + [Service] + ExecStartPre=rm -f /failed /testok diff --git a/SOURCES/0012-test-add-a-couple-of-sanity-tests-for-systemctl.patch b/SOURCES/0012-test-add-a-couple-of-sanity-tests-for-systemctl.patch new file mode 100644 index 0000000..3d03956 --- /dev/null +++ b/SOURCES/0012-test-add-a-couple-of-sanity-tests-for-systemctl.patch @@ -0,0 +1,251 @@ +From 680d2b33d3b2a0bed17c2c1594690155bdb910bb Mon Sep 17 00:00:00 2001 +From: Frantisek Sumsal +Date: Tue, 1 Nov 2022 20:47:37 +0100 +Subject: [PATCH] test: add a couple of sanity tests for systemctl + +(cherry picked from commit d16684fe13e1d56e55df19b57b6c01b9a9303086) + +Related #2138081 +--- + test/units/testsuite-26.sh | 209 +++++++++++++++++++++++++++++++++++-- + 1 file changed, 202 insertions(+), 7 deletions(-) + +diff --git a/test/units/testsuite-26.sh b/test/units/testsuite-26.sh +index ad08415317..b83f85917b 100755 +--- a/test/units/testsuite-26.sh ++++ b/test/units/testsuite-26.sh +@@ -3,32 +3,227 @@ + set -eux + set -o pipefail + ++at_exit() { ++ if [[ -v UNIT_NAME && -e "/usr/lib/systemd/system/$UNIT_NAME" ]]; then ++ rm -fv "/usr/lib/systemd/system/$UNIT_NAME" ++ fi ++} ++ ++trap at_exit EXIT ++ ++# Create a simple unit file for testing ++# Note: the service file is created under /usr on purpose to test ++# the 'revert' verb as well ++UNIT_NAME="systemctl-test-$RANDOM.service" ++cat >"/usr/lib/systemd/system/$UNIT_NAME" <<\EOF ++[Unit] ++Description=systemctl test ++ ++[Service] ++ExecStart=sleep infinity ++ExecReload=true ++ ++# For systemctl clean ++CacheDirectory=%n ++ConfigurationDirectory=%n ++LogsDirectory=%n ++RuntimeDirectory=%n ++StateDirectory=%n ++ ++[Install] ++WantedBy=multi-user.target ++EOF ++ ++# Configure the preset setting for the unit file ++mkdir /run/systemd/system-preset/ ++echo "disable $UNIT_NAME" >/run/systemd/system-preset/99-systemd-test.preset ++ ++systemctl daemon-reload ++ ++# Argument help ++systemctl --state help ++systemctl --signal help ++systemctl --type help ++ ++# list-dependencies ++systemctl list-dependencies systemd-journald ++systemctl list-dependencies --after systemd-journald ++systemctl list-dependencies --before systemd-journald ++systemctl list-dependencies --after --reverse systemd-journald ++systemctl list-dependencies --before --reverse systemd-journald ++systemctl list-dependencies --plain systemd-journald ++ ++# list-* verbs ++systemctl list-units ++systemctl list-units --recursive ++systemctl list-units --type=socket ++systemctl list-units --type=service,timer ++systemctl list-units --legend=yes -a "systemd-*" ++systemctl list-units --state=active ++systemctl list-units --with-dependencies systemd-journald.service ++systemctl list-units --with-dependencies --after systemd-journald.service ++systemctl list-units --with-dependencies --before --reverse systemd-journald.service ++systemctl list-sockets ++systemctl list-sockets --legend=no -a "*journal*" ++systemctl list-sockets --show-types ++systemctl list-sockets --state=listening ++systemctl list-timers -a -l ++systemctl list-unit-files ++systemctl list-unit-files "*journal*" ++systemctl list-jobs ++systemctl list-jobs --after ++systemctl list-jobs --before ++systemctl list-jobs --after --before ++systemctl list-jobs "*" ++ ++# Basic service management ++systemctl start --show-transaction "$UNIT_NAME" ++systemctl status -n 5 "$UNIT_NAME" ++systemctl is-active "$UNIT_NAME" ++systemctl reload -T "$UNIT_NAME" ++systemctl restart -T "$UNIT_NAME" ++systemctl try-restart --show-transaction "$UNIT_NAME" ++systemctl try-reload-or-restart --show-transaction "$UNIT_NAME" ++systemctl kill "$UNIT_NAME" ++(! systemctl is-active "$UNIT_NAME") ++systemctl restart "$UNIT_NAME" ++systemctl is-active "$UNIT_NAME" ++systemctl restart "$UNIT_NAME" ++systemctl stop "$UNIT_NAME" ++(! systemctl is-active "$UNIT_NAME") ++ ++# enable/disable/preset ++(! systemctl is-enabled "$UNIT_NAME") ++systemctl enable "$UNIT_NAME" ++systemctl is-enabled -l "$UNIT_NAME" ++# We created a preset file for this unit above with a "disable" policy ++systemctl preset "$UNIT_NAME" ++(! systemctl is-enabled "$UNIT_NAME") ++systemctl reenable "$UNIT_NAME" ++systemctl is-enabled "$UNIT_NAME" ++systemctl preset --preset-mode=enable-only "$UNIT_NAME" ++systemctl is-enabled "$UNIT_NAME" ++systemctl preset --preset-mode=disable-only "$UNIT_NAME" ++(! systemctl is-enabled "$UNIT_NAME") ++systemctl enable --runtime "$UNIT_NAME" ++[[ -e "/run/systemd/system/multi-user.target.wants/$UNIT_NAME" ]] ++systemctl is-enabled "$UNIT_NAME" ++systemctl disable "$UNIT_NAME" ++# The unit should be still enabled, as we didn't use the --runtime switch ++systemctl is-enabled "$UNIT_NAME" ++systemctl disable --runtime "$UNIT_NAME" ++(! systemctl is-enabled "$UNIT_NAME") ++ ++# mask/unmask/revert ++systemctl disable "$UNIT_NAME" ++[[ "$(systemctl is-enabled "$UNIT_NAME")" == disabled ]] ++systemctl mask "$UNIT_NAME" ++[[ "$(systemctl is-enabled "$UNIT_NAME")" == masked ]] ++systemctl unmask "$UNIT_NAME" ++[[ "$(systemctl is-enabled "$UNIT_NAME")" == disabled ]] ++systemctl mask "$UNIT_NAME" ++[[ "$(systemctl is-enabled "$UNIT_NAME")" == masked ]] ++systemctl revert "$UNIT_NAME" ++[[ "$(systemctl is-enabled "$UNIT_NAME")" == disabled ]] ++systemctl mask --runtime "$UNIT_NAME" ++[[ "$(systemctl is-enabled "$UNIT_NAME")" == masked-runtime ]] ++# This should be a no-op without the --runtime switch ++systemctl unmask "$UNIT_NAME" ++[[ "$(systemctl is-enabled "$UNIT_NAME")" == masked-runtime ]] ++systemctl unmask --runtime "$UNIT_NAME" ++[[ "$(systemctl is-enabled "$UNIT_NAME")" == disabled ]] ++ ++# add-wants/add-requires ++(! systemctl show -P Wants "$UNIT_NAME" | grep "systemd-journald.service") ++systemctl add-wants "$UNIT_NAME" "systemd-journald.service" ++systemctl show -P Wants "$UNIT_NAME" | grep "systemd-journald.service" ++(! systemctl show -P Requires "$UNIT_NAME" | grep "systemd-journald.service") ++systemctl add-requires "$UNIT_NAME" "systemd-journald.service" ++systemctl show -P Requires "$UNIT_NAME" | grep "systemd-journald.service" ++ ++# set-property ++systemctl set-property "$UNIT_NAME" IPAccounting=yes MemoryMax=1234567 ++systemctl cat "$UNIT_NAME" ++# These properties should be saved to a persistent storage ++grep -r "IPAccounting=yes" "/etc/systemd/system.control/${UNIT_NAME}.d/" ++grep -r "MemoryMax=1234567" "/etc/systemd/system.control/${UNIT_NAME}.d" ++systemctl revert "$UNIT_NAME" ++(! grep -r "IPAccounting=" "/etc/systemd/system.control/${UNIT_NAME}.d/") ++(! grep -r "MemoryMax=" "/etc/systemd/system.control/${UNIT_NAME}.d/") ++# Same stuff, but with --runtime, which should use /run ++systemctl set-property --runtime "$UNIT_NAME" CPUAccounting=no CPUQuota=10% ++systemctl cat "$UNIT_NAME" ++grep -r "CPUAccounting=no" "/run/systemd/system.control/${UNIT_NAME}.d/" ++grep -r "CPUQuota=10%" "/run/systemd/system.control/${UNIT_NAME}.d/" ++systemctl revert "$UNIT_NAME" ++(! grep -r "CPUAccounting=" "/run/systemd/system.control/${UNIT_NAME}.d/") ++(! grep -r "CPUQuota=" "/run/systemd/system.control/${UNIT_NAME}.d/") ++ ++# Failed-unit related tests ++systemd-run --unit "failed.service" /bin/false ++systemctl is-failed failed.service ++systemctl --state=failed | grep failed.service ++systemctl --failed | grep failed.service ++systemctl reset-failed "fail*.service" ++(! systemctl is-failed failed.service) ++ ++# clean ++systemctl restart "$UNIT_NAME" ++systemctl stop "$UNIT_NAME" ++# Check if the directories from *Directory= directives exist ++# (except RuntimeDirectory= in /run, which is removed when the unit is stopped) ++for path in /var/lib /var/cache /var/log /etc; do ++ [[ -e "$path/$UNIT_NAME" ]] ++done ++# Run the cleanup ++for what in "" configuration state cache logs runtime all; do ++ systemctl clean ${what:+--what="$what"} "$UNIT_NAME" ++done ++# All respective directories should be removed ++for path in /run /var/lib /var/cache /var/log /etc; do ++ [[ ! -e "$path/$UNIT_NAME" ]] ++done ++ ++# --timestamp ++for value in pretty us µs utc us+utc µs+utc; do ++ systemctl show -P KernelTimestamp --timestamp="$value" ++done ++ ++# Aux verbs & assorted checks ++systemctl is-active "*-journald.service" ++systemctl cat "*journal*" ++systemctl cat "$UNIT_NAME" ++systemctl help "$UNIT_NAME" ++ ++# show/set-environment + # Make sure PATH is set + systemctl show-environment | grep -q '^PATH=' +- + # Let's add an entry and override a built-in one + systemctl set-environment PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/testaddition FOO=BAR +- + # Check that both are set + systemctl show-environment | grep -q '^PATH=.*testaddition$' + systemctl show-environment | grep -q '^FOO=BAR$' +- + systemctl daemon-reload +- + # Check again after the reload + systemctl show-environment | grep -q '^PATH=.*testaddition$' + systemctl show-environment | grep -q '^FOO=BAR$' +- + # Check that JSON output is supported + systemctl show-environment --output=json | grep -q '^{.*"FOO":"BAR".*}$' +- + # Drop both + systemctl unset-environment FOO PATH +- + # Check that one is gone and the other reverted to the built-in + systemctl show-environment | grep '^FOO=$' && exit 1 + systemctl show-environment | grep '^PATH=.*testaddition$' && exit 1 + systemctl show-environment | grep -q '^PATH=' ++# Check import-environment ++export IMPORT_THIS=hello ++export IMPORT_THIS_TOO=world ++systemctl import-environment IMPORT_THIS IMPORT_THIS_TOO ++systemctl show-environment | grep "^IMPORT_THIS=$IMPORT_THIS" ++systemctl show-environment | grep "^IMPORT_THIS_TOO=$IMPORT_THIS_TOO" ++systemctl unset-environment IMPORT_THIS IMPORT_THIS_TOO ++(! systemctl show-environment | grep "^IMPORT_THIS=") ++(! systemctl show-environment | grep "^IMPORT_THIS_TOO=") + + echo OK >/testok + diff --git a/SOURCES/0013-docs-DPS-and-BLS-have-moved-to-uapi-group.org.patch b/SOURCES/0013-docs-DPS-and-BLS-have-moved-to-uapi-group.org.patch new file mode 100644 index 0000000..3572a6c --- /dev/null +++ b/SOURCES/0013-docs-DPS-and-BLS-have-moved-to-uapi-group.org.patch @@ -0,0 +1,1192 @@ +From 3c3d99309e5e8dfd1c6a7c48dc3810e30b77fefc Mon Sep 17 00:00:00 2001 +From: Luca Boccassi +Date: Tue, 1 Nov 2022 21:55:23 +0000 +Subject: [PATCH] docs: DPS and BLS have moved to uapi-group.org + +(cherry picked from commit 729a49288153d341d5c4edd5d701421bb766135c) + +Related #2138081 +--- + docs/BOOT_LOADER_SPECIFICATION.md | 745 +----------------------------- + docs/DISCOVERABLE_PARTITIONS.md | 424 +---------------- + 2 files changed, 2 insertions(+), 1167 deletions(-) + +diff --git a/docs/BOOT_LOADER_SPECIFICATION.md b/docs/BOOT_LOADER_SPECIFICATION.md +index 9188033768..33066b2875 100644 +--- a/docs/BOOT_LOADER_SPECIFICATION.md ++++ b/docs/BOOT_LOADER_SPECIFICATION.md +@@ -1,744 +1 @@ +---- +-title: Boot Loader Specification +-category: Booting +-layout: default +-SPDX-License-Identifier: LGPL-2.1-or-later +---- +- +-# The Boot Loader Specification +- +-This document defines a set of file formats and naming conventions that allow +-the boot loader menu entries to be shared between multiple operating systems +-and boot loaders installed on one device. +- +-Operating systems cooperatively manage boot loader menu entry directories that +-contain drop-in files, making multi-boot scenarios easy to support. Boot menu +-entries are defined via two simple formats that can be understood by different +-boot loader implementations, operating systems, and userspace programs. The +-same scheme can be used to prepare OS media for cases where the firmware +-includes a boot loader. +- +-## Target Audience +- +-The target audience for this specification is: +- +-* Boot loader developers, to write a boot loader that directly reads its +- menu entries from these files +-* Firmware developers, to add generic boot loading support directly to the +- firmware itself +-* OS installer developers, to create appropriate partitions and set up the +- initial boot loader menu entries +-* Distribution developers, to create appropriate menu entry snippets when +- installing or updating kernel packages +-* UI developers, to implement user interfaces that list and select among the +- available boot options +- +-## The Partitions +- +-Everything described below is located on one or two partitions. The boot loader +-or user-space programs reading the boot loader menu entries should locate them +-in the following manner: +- +-* On disks with an MBR partition table: +- +- * The boot partition — a partition with the type ID of `0xEA` — shall be used +- as the single location for boot loader menu entries. +- +-* On disks with GPT (GUID Partition Table) +- +- * The EFI System Partition (ESP for short) — a partition with a GPT type GUID +- of `c12a7328-f81f-11d2-ba4b-00a0c93ec93b` — may be used as one of two locations for +- boot loader menu entries. +- +- * Optionally, an Extended Boot Loader Partition (XBOOTLDR partition for +- short) — a partition with GPT type GUID of +- `bc13c2ff-59e6-4262-a352-b275fd6f7172` — may be used as the second of two +- locations for boot loader menu entries. This partition must be located on +- the same disk as the ESP. +- +-There may be at most one partition of each of the types listed above on the +-same disk. +- +-**Note:** _These partitions are **shared** among all OS installations on the +-same disk. Instead of maintaining one boot partition per installed OS (as +-`/boot/` was traditionally handled), all installed OSes use the same place for +-boot loader menu entries._ +- +-For systems where the firmware is able to read file systems directly, the ESP +-must — and the MBR boot and GPT XBOOTLDR partition should — be a file system +-readable by the firmware. For most systems this means VFAT (16 or 32 +-bit). Applications accessing both partitions should hence not assume that +-fancier file system features such as symlinks, hardlinks, access control or +-case sensitivity are supported. +- +-### The `$BOOT` Partition Placeholder +- +-In the text below, the placeholder `$BOOT` will be used to refer to the +-partition determined as follows: +- +- 1. On disks with an MBR partition table: → the boot partition, as described above +- +- 2. On disks with a GPT partition table: → the XBOOTLDR partition if it exists +- +- 3. Otherwise, on disks with a GPT partition table: → the ESP +- +-`$BOOT` is the *primary* place to put boot menu entry resources into, but +-typically not the only one. Most importantly, boot loaders should also pick up +-menu entries from the ESP, even if XBOOTLDR exists (for details see below). +- +-### Creating These Partitions +- +-An installer for an operating system should use this logic when selecting or +-creating partitions: +- +- * If a boot partition (in case of MBR) or an XBOOTLDR partition (in case of +- GPT) already exists it should be used as `$BOOT` and used as primary +- location to place boot loader menu resources in. +- +- * Otherwise, if on GPT and an ESP is found and it is large enough (let's say +- at least 1G) it should be used as `$BOOT` and used as primary location to +- place boot loader menu resources in. +- +- * Otherwise, if on GPT and neither XBOOTLDR nor ESP exist, an ESP should be +- created of the appropriate size and be used as `$BOOT`, and used as primary +- location to place boot loader menu resources in. +- +- * Otherwise, a boot partition (in case of MBR) or XBOOTLDR partition (in case +- of GPT) should be created of an appropriate size, and be used as `$BOOT`, +- and used as primary location to place boot loader menu resources in. +- +-These partitions shall be determined during _installation time_, and +-`/etc/fstab` entries may be created. +- +-### Mount Points +- +-It is recommended to mount `$BOOT` to `/boot/`, and the ESP to `/efi/`. If +-`$BOOT` and the ESP are the same, then either a bind mount or a symlink should +-be established making the partition available under both paths. +- +-(Mounting the ESP to `/boot/efi/`, as was traditionally done, is not +-recommended. Such a nested setup complicates an implementation via direct +-`autofs` mounts — as implemented by `systemd` for example —, as establishing +-the inner `autofs` will trigger the outer one. Mounting the two partitions via +-`autofs` is recommended because the simple VFAT file system has weak data +-integrity properties and should remain unmounted whenever possible.) +- +-## Boot Loader Entries +- +-This specification defines two types of boot loader entries. The first type is +-text based, very simple, and suitable for a variety of firmware, architecture +-and image types ("Type #1"). The second type is specific to EFI, but allows +-single-file images that embed all metadata in the kernel binary itself, which +-is useful to cryptographically sign them as one file for the purpose of +-SecureBoot ("Type #2"). +- +-Not all boot loader entries will apply to all systems. For example, Type #1 +-entries that use the `efi` key and all Type #2 entries only apply to EFI +-systems. Entries using the `architecture` key might specify an architecture that +-doesn't match the local one. Boot loaders should ignore all entries that don't +-match the local platform and what the boot loader can support, and hide them +-from the user. Only entries matching the feature set of boot loader and system +-shall be considered and displayed. This allows image builders to put together +-images that transparently support multiple different architectures. +- +-Note that the three partitions described above are not supposed to be the +-exclusive territory of this specification. This specification only defines +-semantics of the `/loader/entries/` directory (along with the companion file +-`/loader/entries.srel`) and the `/EFI/Linux/` directory inside the file system, +-but it doesn't intend to define contents of the rest of the file system. Boot +-loaders, firmware, and other software implementing this specification may +-choose to place other files and directories in the same file system. For +-example, boot loaders that implement this specification might install their own +-boot code on the same partition; this is particularly common in the case of the +-ESP. Implementations of this specification must be able to operate correctly if +-files or directories other than `/loader/entries/` and `/EFI/Linux/` are found +-in the top level directory. Implementations that add their own files or +-directories to the file systems should use well-named directories, to make name +-collisions between multiple users of the file system unlikely. +- +-### Type #1 Boot Loader Specification Entries +- +-`/loader/entries/` in `$BOOT` is the primary directory containing Type #1 +-drop-in snippets defining boot entries, one `.conf` file for each boot menu +-item. Each OS may provide one or more such entries. +- +-If the ESP is separate from `$BOOT` it may also contain a `/loader/entries/` +-directory, where the boot loader should look for boot entry snippets, as an +-additional source. The boot loader should enumerate both directories and +-present a merged list to the user. Note that this is done for compatibility +-only: while boot loaders should look in both places, OSes should only add their +-files to `$BOOT`. +- +-**Note:** _In all cases the `/loader/entries/` directory should be located +-directly in the root of the file system. Specifically, the `/loader/entries/` +-directory should **not** be located under the `/EFI/` subdirectory on the ESP._ +- +-The file name of the boot entry snippets is used for identification of the boot +-item but shall never be presented to the user in the UI. The file name may be +-chosen freely but should be unique enough to avoid clashes between OS +-installations. More specifically, it is suggested to include the `entry-token` +-(see +-[kernel-install](https://www.freedesktop.org/software/systemd/man/kernel-install.html)) +-or machine ID (see +-[/etc/machine-id](https://www.freedesktop.org/software/systemd/man/machine-id.html)), +-and the kernel version (as returned by `uname -r`, including the OS +-identifier), so that the whole filename is +-`$BOOT/loader/entries/-.conf`. +- +-Example: `$BOOT/loader/entries/6a9857a393724b7a981ebb5b8495b9ea-3.8.0-2.fc19.x86_64.conf`. +- +-In order to maximize compatibility with file system implementations and +-restricted boot loader environments, and to minimize conflicting character use +-with other programs, file names shall be chosen from a restricted character +-set: ASCII upper and lower case characters, digits, "+", "-", "_" and ".". +-Also, the file names should have a length of at least one and at most 255 +-characters (including the file name suffix). +- +-These boot loader menu snippets shall be UNIX-style text files (i.e. lines +-separated by a single newline character), in the UTF-8 encoding. The +-boot loader menu snippets are loosely inspired by Grub1's configuration syntax. +-Lines beginning with "#" are used for comments and shall be ignored. The first +-word of a line is used as key and is separated by one or more spaces from the +-value. +- +-#### Type #1 Boot Loader Entry Keys +- +-The following keys are recognized: +- +-* `title` is a human-readable title for this menu item to be displayed in the +- boot menu. It is a good idea to initialize this from the `PRETTY_NAME=` of +- [os-release](https://www.freedesktop.org/software/systemd/man/os-release.html). +- This name should be descriptive and does not have to be unique. If a boot +- loader discovers two entries with the same title it should show more than +- just the raw title in the UI, for example by appending the `version` +- field. This field is optional. +- +- Example: `title Fedora 18 (Spherical Cow)` +- +-* `version` is a human-readable version for this menu item. This is usually the +- kernel version and is intended for use by OSes to install multiple kernel +- versions with the same `title` field. This field is used for sorting entries, +- so that the boot loader can order entries by age or select the newest one +- automatically. This field is optional. +- +- See [Sorting](#sorting) below. +- +- Example: `version 3.7.2-201.fc18.x86_64` +- +-* `machine-id` is the machine ID of the OS. This can be used by boot loaders +- and applications to filter out boot entries, for example to show only a +- single newest kernel per OS, to group items by OS, or to filter out the +- currently booted OS when showing only other installed operating systems. +- This ID shall be formatted as 32 lower case hexadecimal characters +- (i.e. without any UUID formatting). This key is optional. +- +- Example: `machine-id 4098b3f648d74c13b1f04ccfba7798e8` +- +-* `sort-key` is a short string used for sorting entries on display. This should +- typically be initialized from the `IMAGE_ID=` or `ID=` fields of +- [os-release](https://www.freedesktop.org/software/systemd/man/os-release.html), +- possibly with an additional suffix. This field is optional. +- +- Example: `sort-key fedora` +- +-* `linux` is the Linux kernel image to execute and takes a path relative to the +- root of the file system containing the boot entry snippet itself. It is +- recommended that every distribution creates an entry-token/machine-id and +- version specific subdirectory and places its kernels and initrd images there +- (see below). +- +- Example: `linux /6a9857a393724b7a981ebb5b8495b9ea/3.8.0-2.fc19.x86_64/linux` +- +-* `initrd` is the initrd `cpio` image to use when executing the kernel. This key +- may appear more than once in which case all specified images are used, in the +- order they are listed. +- +- Example: `initrd 6a9857a393724b7a981ebb5b8495b9ea/3.8.0-2.fc19.x86_64/initrd` +- +-* `efi` refers to an arbitrary EFI program. If this key is set, and the system +- is not an EFI system, this entry should be hidden. +- +-* `options` shall contain kernel parameters to pass to the Linux kernel to +- spawn. This key is optional and may appear more than once in which case all +- specified parameters are combined in the order they are listed. +- +- Example: `options root=UUID=6d3376e4-fc93-4509-95ec-a21d68011da2 quiet` +- +-* `devicetree` refers to the binary device tree to use when executing the +- kernel. This key is optional. +- +- Example: `devicetree 6a9857a393724b7a981ebb5b8495b9ea/3.8.0-2.fc19.armv7hl/tegra20-paz00.dtb` +- +-* `devicetree-overlay` refers to a list of device tree overlays that should be +- applied by the boot loader. Multiple overlays are separated by spaces and +- applied in the same order as they are listed. This key is optional but +- depends on the `devicetree` key. +- +- Example: `devicetree-overlay /6a9857a393724b7a981ebb5b8495b9ea/overlays/overlay_A.dtbo /6a9857a393724b7a981ebb5b8495b9ea/overlays/overlay_B.dtbo` +- +-* `architecture` refers to the architecture this entry is for. The argument +- should be an architecture identifier, using the architecture vocabulary +- defined by the EFI specification (i.e. `IA32`, `x64`, `IA64`, `ARM`, `AA64`, +- …). If specified and it does not match the local system architecture this +- entry should be hidden. The comparison should be done case-insensitively. +- +- Example: `architecture aa64` +- +-Each boot loader menu entry drop-in snippet must include at least a `linux` or an `efi` +-key. Here is an example for a complete drop-in file: +- +- # /boot/loader/entries/6a9857a393724b7a981ebb5b8495b9ea-3.8.0-2.fc19.x86_64.conf +- title Fedora 19 (Rawhide) +- sort-key fedora +- machine-id 6a9857a393724b7a981ebb5b8495b9ea +- version 3.8.0-2.fc19.x86_64 +- options root=UUID=6d3376e4-fc93-4509-95ec-a21d68011da2 quiet +- architecture x64 +- linux /6a9857a393724b7a981ebb5b8495b9ea/3.8.0-2.fc19.x86_64/linux +- initrd /6a9857a393724b7a981ebb5b8495b9ea/3.8.0-2.fc19.x86_64/initrd +- +-On EFI systems all Linux kernel images should be EFI images. In order to +-increase compatibility with EFI systems it is highly recommended only to +-install EFI kernel images, even on non-EFI systems, if that's applicable and +-supported on the specific architecture. +- +-Conversely, in order to increase compatibility it is recommended to install +-generic kernel images that make few assumptions about the firmware they run on, +-i.e. it is a good idea that both images shipped as UEFI PE images and those +-which are not don't make unnecessary assumption on the underlying firmware, +-i.e. don't hard depend on legacy BIOS calls or UEFI boot services. +- +-When Type #1 boot loader menu entry snippets refer to other files (for `linux`, +-`initrd`, `efi`, `devicetree`, and `devicetree-overlay`), those files must be +-located on the same partition, and the paths must be absolute paths relative to +-the root of that file system. The naming of those files can be chosen by the +-installer. A recommended scheme is described in the next section. Paths should +-be normalized, i.e. not include `..`, `.` or a sequence of more than one +-`/`. Paths may be prefixed with a `/`, but this is optional and has the same +-effect as paths without it: all paths are always relative to the root directory +-of the partition they are referenced from. +- +-Even though the backing file system is typically case-insensitive (i.e. VFAT) +-it is strongly recommended to reference files in the casing actually used for +-the directories/files, so that placing these files on other file systems is +-still safe and robust. +- +-### Recommended Directory Layout for Additional Files +- +-It is recommended to place the kernel and other other files comprising a single +-boot loader entry in a separate directory: +-`///`. This naming scheme uses the same +-elements as the boot loader menu entry snippet, providing the same level of +-uniqueness. +- +-Example: `$BOOT/6a9857a393724b7a981ebb5b8495b9ea/3.8.0-2.fc19.x86_64/linux` +- `$BOOT/6a9857a393724b7a981ebb5b8495b9ea/3.8.0-2.fc19.x86_64/initrd` +- +-Other naming schemes are possible. In particular, traditionally a flat naming +-scheme with files in the root directory was used. This is not recommended +-because it is hard to avoid conflicts in a multi-boot installation. +- +-### Standard-conformance Marker File +- +-Unfortunately, there are implementations of boot loading infrastructure that +-are also using the `/loader/entries/` directory, but install files that do not +-follow this specification. In order to minimize confusion, a boot loader +-implementation may place the file `/loader/entries.srel` next to the +-`/loader/entries/` directory containing the ASCII string `type1` (followed by a +-UNIX newline). Tools that need to determine whether an existing directory +-implements the semantics described here may check for this file and contents: +-if it exists and contains the mentioned string, it shall assume a +-standards-compliant implementation is in place. If it exists but contains a +-different string it shall assume other semantics are implemented. If the file +-does not exist, no assumptions should be made. +- +-### Type #2 EFI Unified Kernel Images +- +-A unified kernel image is a single EFI PE executable combining an EFI stub +-loader, a kernel image, an initrd image, and the kernel command line. See +-[systemd-stub(7)](https://www.freedesktop.org/software/systemd/man/systemd-stub.html) +-for details. The primary place for such unified images is the `/EFI/Linux/` +-directory in `$BOOT`. Operating systems should place unified EFI kernels only +-in the `$BOOT` partition. Boot loaders should also look in the `/EFI/Linux/` of +-the ESP — if it is different from `$BOOT` — and present a merged list of menu +-entries from both partitions. Regardless if placed in the primary or secondary +-location: the files must have the extension `.efi`. Support for images of this +-type is of course specific to systems with EFI firmware. Ignore this section if +-you work on systems not supporting EFI. +- +-Type #2 file names should be chosen from the same restricted character set as +-Type #1 described above (but with the file name suffix of `.efi` instead of +-`.conf`). +- +-Images of this type have the advantage that all metadata and payload that makes +-up the boot entry is contained in a single PE file that can be signed +-cryptographically as one for the purpose of EFI SecureBoot. +- +-A valid unified kernel image in the `/EFI/Linux/` directory must contain two PE sections: +- +-* `.cmdline` section with the kernel command line, +-* `.osrel` section with an embedded copy of the +- [os-release](https://www.freedesktop.org/software/systemd/man/os-release.html) +- file describing the image. +- +-The `PRETTY_NAME=` and `VERSION_ID=` fields in the embedded `os-release` file +-are used the same as `title` and `version` in the Type #1 entries. The +-`.cmdline` section is used instead of the `options` field. `linux` and `initrd` +-fields are not necessary, and there is no counterpart for the `machine-id` +-field. +- +-On EFI, any such images shall be added to the list of valid boot entries. +- +-### Additional Notes +- +-Note that these boot entry snippets and unified kernels do not need to be the +-only menu entry sources for a boot loader. It may extend this list of +-entries with additional items from other configuration files (for example its +-own native configuration files) or automatically detected other entries without +-explicit configuration. +- +-To make this explicitly clear: this specification is designed with "free" +-operating systems in mind, starting Windows or MacOS is out of focus with these +-boot loader menu entry snippets, use boot-loader specific solutions for +-that. In the text above, if we say "OS" we hence imply "free", i.e. primarily +-Linux (though this could be easily be extended to the BSDs and whatnot). +- +-Note that all paths used in the boot loader menu entry snippets use a +-Unix-style "/" as path separator. This needs to be converted to an EFI-style +-"\\" separator in EFI boot loaders. +- +- +-## Locating Boot Entries +- +-A _boot loader_ locates the XBOOTLDR partition and the ESP, then simply reads +-all the files `/loader/entries/*.conf` in them, and populates its boot menu +-(and handle gracefully if one of the two partitions is missing). On EFI, it +-then extends this with any unified kernel images found in `/EFI/Linux/*.efi` in +-the two partitions. It may also add additional entries, for example a "Reboot +-into firmware" option. Optionally it may sort the menu based on the +-`sort-key`, `machine-id` and `version` fields, and possibly others. It uses the +-file name to identify specific items, for example in case it supports storing +-away default entry information somewhere. A boot loader should generally not +-modify these files. +- +-For "Boot Loader Specification Entries" (Type #1), the _kernel package +-installer_ installs the kernel and initrd images to `$BOOT`. It is recommended +-to place these files in a vendor and OS and installation specific directory. It +-then generates a boot loader menu entry snippet, placing it in +-`$BOOT/loader/entries/xyz.conf`, with "xyz" as concatenation of +-entry-token/machine-id and version information (see above). The files created +-by a kernel package are tied to the kernel package and should be removed along +-with it. +- +-For "EFI Unified Kernel Images" (Type #2), the vendor or kernel package +-installer should create the combined image and drop it into +-`$BOOT/EFI/Linux/`. This file is also tied to the kernel package and should be +-removed along with it. +- +-A _UI application_ intended to show available boot options shall operate +-similarly to a boot loader (and thus search both `$BOOT` and the ESP if +-distinct), but might apply additional filters, for example by filtering the +-booted OS via the machine ID, or by suppressing all but the newest kernel +-versions. +- +-An _OS installer_ picks the right place for `$BOOT` as defined above (possibly +-creating a partition and file system for it) and creates the `/loader/entries/` +-directory and the `/loader/entries.srel` file in it (the latter only if the +-directory didn't exist yet). It then installs an appropriate boot loader that +-can read these snippets. Finally, it installs one or more kernel packages. +- +-## Boot counting +- +-The main idea is that when boot entries are initially installed, they are +-marked as "indeterminate" and assigned a number of boot attempts. Each time the +-boot loader tries to boot an entry, it decreases this count by one. If the +-operating system considers the boot as successful, it removes the counter +-altogether and the entry becomes "good". Otherwise, once the assigned number of +-boots is exhausted, the entry is marked as "bad". +- +-Which boots are "successful" is determined by the operating system. systemd +-provides a generic mechanism that can be extended with arbitrary checks and +-actions, see [Automatic Boot Assessment](AUTOMATIC_BOOT_ASSESSMENT.md), but the +-boot counting mechanism described in this specification can also be used with +-other implementations. +- +-The boot counting data is stored in the name of the boot loader entry. A boot +-loader entry file name may contain a plus (`+`) followed by a number. This may +-optionally be followed by a minus (`-`) followed by a second number. The dot +-(`.`) and file name suffix (`conf` of `efi`) must immediately follow. Boot +-counting is enabled for entries which match this pattern. +- +-The first number is the "tries left" counter signifying how many attempts to boot +-this entry shall still be made. The second number is the "tries done" counter, +-showing how many failed attempts to boot it have already been made. Each time +-a boot loader entry marked this way is booted, the first counter is decremented, +-and the second one incremented. (If the second counter is missing, +-then it is assumed to be equivalent to zero.) If the "tries left" counter is +-above zero the entry is still considered "indeterminate". A boot entry with the +-"tries left" counter at zero is considered "bad". +- +-If the boot attempt completed successfully the entry's counters are removed +-from the name (entry state becomes "good"), thus turning off boot counting for +-this entry. +- +-## Sorting +- +-The boot loader menu should generally show entries in some order meaningful to +-the user. The `title` key is free-form and not suitable to be used as the +-primary sorting key. Instead, the boot loader should use the following rules: +- +-1. Entries which are subject to boot counting and are marked as "bad", should +- be sorted later than all other entries. Entries which are marked as +- "indeterminate" or "good" (or were not subject to boot counting at all), +- are thus sorted earlier. +- +-2. If `sort-key` is set on both entries, use in order of priority, +- the `sort-key` (A-Z, increasing [alphanumerical order](#alphanumerical-order)), +- `machine-id` (A-Z, increasing alphanumerical order), +- and `version` keys (decreasing [version order](#version-order)). +- +-3. If `sort-key` is set on one entry, it sorts earlier. +- +-4. At the end, if necessary, when `sort-key` is not set or those fields are not +- set or are all equal, the boot loader should sort using the file name of the +- entry (decreasing version sort), with the suffix removed. +- +-**Note:** _This description assumes that the boot loader shows entries in a +-traditional menu, with newest and "best" entries at the top, thus entries with +-a higher version number are sorter *earlier*. The boot loader is free to +-use a different direction (or none at all) during display._ +- +-**Note:** _The boot loader should allow booting "bad" entries, e.g. in case no +-other entries are left or they are unusable for other reasons. It may +-deemphasize or hide such entries by default._ +- +-**Note:** _"Bad" boot entries have a suffix of "+0-`n`", where `n` is the +-number of failed boot attempts. Removal of the suffix is not necessary for +-comparisons described by the last point above. In the unlikely scenario that we +-have multiple such boot entries that differ only by the boot counting data, we +-would sort them by `n`._ +- +-### Alphanumerical Order +- +-Free-form strings and machine IDs should be compared using a method equivalent +-to [strcmp(3)](https://man7.org/linux/man-pages/man3/strcmp.3.html) on their +-UTF-8 representations. If just one of the strings is unspecified or empty, it +-compares lower. If both strings are unspecified or empty, they compare equal. +- +-### Version Order +- +-The following method should be used to compare version strings. The algorithm +-is based on rpm's `rpmvercmp()`, but not identical. +- +-ASCII letters (`a-z`, `A-Z`) and digits (`0-9`) form alphanumerical components of the version. +-Minus (`-`) separates the version and release parts. +-Dot (`.`) separates parts of version or release. +-Tilde (`~`) is a prefix that always compares lower. +-Caret (`^`) is a prefix that always compares higher. +- +-Both strings are compared from the beginning until the end, or until the +-strings are found to compare as different. In a loop: +-1. Any characters which are outside of the set of listed above (`a-z`, `A-Z`, `0-9`, `-`, `.`, `~`, `^`) +- are skipped in both strings. In particular, this means that non-ASCII characters +- that are Unicode digits or letters are skipped too. +-2. If one of the strings has ended: if the other string hasn't, the string that +- has remaining characters compares higher. Otherwise, the strings compare +- equal. +-3. If the remaining part of one of strings starts with `~`: +- if other remaining part does not start with `~`, +- the string with `~` compares lower. Otherwise, both tilde characters are skipped. +-4. The check from point 2. is repeated here. +-5. If the remaining part of one of strings starts with `-`: +- if the other remaining part does not start with `-`, +- the string with `-` compares lower. Otherwise, both minus characters are skipped. +-6. If the remaining part of one of strings starts with `^`: +- if the other remaining part does not start with `^`, +- the string with `^` compares higher. Otherwise, both caret characters are skipped. +-6. If the remaining part of one of strings starts with `.`: +- if the other remaining part does not start with `.`, +- the string with `.` compares lower. Otherwise, both dot characters are skipped. +-7. If either of the remaining parts starts with a digit, numerical prefixes are +- compared numerically. Any leading zeroes are skipped. +- The numerical prefixes (until the first non-digit character) are evaluated as numbers. +- If one of the prefixes is empty, it evaluates as 0. +- If the numbers are different, the string with the bigger number compares higher. +- Otherwise, the comparison continues at the following characters at point 1. +-8. Leading alphabetical prefixes are compared alphabetically. +- The substrings are compared letter-by-letter. +- If both letters are the same, the comparison continues with the next letter. +- Capital letters compare lower than lower-case letters (`A < a`). +- When the end of one substring has been reached (a non-letter character or the end +- of the whole string), if the other substring has remaining letters, it compares higher. +- Otherwise, the comparison continues at the following characters at point 1. +- +-Examples (with '' meaning the empty string): +- +-* `11 == 11` +-* `systemd-123 == systemd-123` +-* `bar-123 < foo-123` +-* `123a > 123` +-* `123.a > 123` +-* `123.a < 123.b` +-* `123a > 123.a` +-* `11α == 11β` +-* `A < a` +-* '' < `0` +-* `0.` > `0` +-* `0.0` > `0` +-* `0` < `~` +-* '' < `~` +- +-Note: [systemd-analyze](https://www.freedesktop.org/software/systemd/man/systemd-analyze.html) +-implements this version comparison algorithm as +-``` +-systemd-analyze compare-versions +-``` +- +-## Additional discussion +- +-### Why is there a need for this specification? +- +-This specification brings the following advantages: +- +-* Installation of new boot entries is more robust, as no explicit rewriting of +- configuration files is required. +- +-* It allows an out-of-the-box boot experience on any platform without the need +- of traditional firmware mechanisms (e.g. BIOS calls, UEFI Boot Services). +- +-* It improves dual-boot scenarios. Without cooperation, multiple Linux +- installations tend to fight over which boot loader becomes the primary one in +- possession of the MBR or the boot partition, and only that one installation +- can then update the boot loader configuration. Other Linux installs have to +- be manually configured to never touch the MBR and instead install a +- chain-loaded boot loader in their own partition headers. In this new scheme +- all installations share a loader directory and no manual configuration has to +- take place. All participants implicitly cooperate due to removal of name +- collisions and can install/remove their own boot menu entries without +- interfering with the entries of other installed operating systems. +- +-* Drop-in directories are now pretty ubiquitous on Linux as an easy way to +- extend boot loader menus without having to edit, regenerate or manipulate +- configuration files. For the sake of uniformity, we should do the same for +- the boot menu. +- +-* Userspace code can sanely parse boot loader menu entries which is essential +- with modern firmware which does not necessarily initialize USB keyboards +- during boot, which makes boot menus hard to reach for the user. If userspace +- code can parse the boot loader menu entries too, UI can be written that +- select a boot menu item to boot into before rebooting the machine, thus not +- requiring interactivity during early boot. +- +-* To unify and thus simplify menu entries of the various boot loaders, which +- makes configuration of the boot loading process easier for users, +- administrators, and developers alike. +- +-* For boot loaders with configuration _scripts_ such as grub2, adopting this +- spec allows for mostly static scripts that are generated only once at first +- installation, but then do not need to be updated anymore as that is done via +- drop-in files exclusively. +- +-### Why not simply rely on the EFI boot menu logic? +- +-EFI is not ubiquitous, especially not in embedded systems. But even on systems +-with EFI, which provides a boot options logic that can offer similar +-functionality, this specification is still needed for the following reasons: +- +-* The various EFI implementations implement the boot order/boot item logic to +- different levels. Some firmware implementations do not offer a boot menu at +- all and instead unconditionally follow the EFI boot order, booting the first +- item that is working. +- +-* If the firmware setup is used to reset data, usually all EFI boot entries +- are lost, making the system entirely unbootable, as the firmware setups +- generally do not offer a UI to define additional boot items. By placing the +- menu item information on disk, it is always available, even if the firmware +- configuration is lost. +- +-* Harddisk images should be movable between machines and be bootable without +- requiring firmware configuration. This also requires that the list +- of boot options is defined on disk, and not in EFI variables alone. +- +-* EFI is not universal yet (especially on non-x86 platforms), this +- specification is useful both for EFI and non-EFI boot loaders. +- +-* Many EFI systems disable USB support during early boot to optimize boot +- times, thus making keyboard input unavailable in the EFI menu. It is thus +- useful if the OS UI has a standardized way to discover available boot options +- which can be booted to. +- +-### Why is the version comparison logic so complicated? +- +-The `sort-key` allows us to group entries by "operating system", e.g. all +-versions of Fedora together, no matter if they identify themselves as "Fedora +-Workstation" or "Fedora Rawhide (prerelease)". The `sort-key` was introduced +-only recently, so we need to provide a meaningful order for entries both with +-and without it. Since it is a new concept, it is assumed that entries with +-`sort-key` are newer. +- +-In a traditional menu with entries displayed vertically, we want names to be +-sorter alpabetically (CentOS, Debian, Fedora, OpenSUSE, …), it would be strange +-to have them in reverse order. But when multiple kernels are available for the +-same installation, we want to display the latest kernel with highest priority, +-i.e. earlier in the list. +- +-### Why do you use file renames to store the counter? Why not a regular file? +- +-Mainly two reasons: it's relatively likely that renames can be implemented +-atomically even in simpler file systems, as renaming generally avoids +-allocating or releasing data blocks. Writing to file contents has a much bigger +-chance to be result in incomplete or corrupt data. Moreover renaming has the +-benefit that the boot count metadata is directly attached to the boot loader +-entry file, and thus the lifecycle of the metadata and the entry itself are +-bound together. This means no additional clean-up needs to take place to drop +-the boot loader counting information for an entry when it is removed. +- +-### Why not use EFI variables for storing the boot counter? +- +-The memory chips used to back the persistent EFI variables are generally not of +-the highest quality, hence shouldn't be written to more than necessary. This +-means we can't really use it for changes made regularly during boot, but should +-use it only for seldom-made configuration changes. +- +-### Out of Focus +- +-There are a couple of items that are out of focus for this specification: +- +-* If userspace can figure out the available boot options, then this is only +- useful so much: we'd still need to come up with a way how userspace could +- communicate to the boot loader the default boot loader entry temporarily or +- persistently. Defining a common scheme for this is certainly a good idea, but +- out of focus for this specification. +- +-* This specification is just about "Free" Operating systems. Hooking in other +- operating systems (like Windows and macOS) into the boot menu is a different +- story and should probably happen outside of this specification. For example, +- boot loaders might choose to detect other available OSes dynamically at +- runtime without explicit configuration (like `systemd-boot` does it), or via +- native configuration (for example via explicit Grub2 configuration generated +- once at installation). +- +-* This specification leaves undefined what to do about systems which are +- upgraded from an OS that does not implement this specification. As the +- previous boot loader logic was largely handled by in distribution-specific +- ways we probably should leave the upgrade path (and whether there actually is +- one) to the distributions. The simplest solution might be to simply continue +- with the old scheme for old installations and use this new scheme only for +- new installations. +- +-* Referencing kernels or initrds on other partitions other than the partition +- containing the Type #1 boot loader entry. This is by design, as specifying +- other partitions or devices would require a non-trivial language for denoting +- device paths. In particular this means that on non-EFI systems boot loader +- menu entry snippets following this specification cannot be used to spawn +- other operating systems (such as Windows). +- +- +-## Links +- +-[GUID Partition Table](https://en.wikipedia.org/wiki/GUID_Partition_Table)
+-[Boot Loader Interface](BOOT_LOADER_INTERFACE.md)
+-[Discoverable Partitions Specification](DISCOVERABLE_PARTITIONS.md)
+-[`systemd-boot(7)`](https://www.freedesktop.org/software/systemd/man/systemd-boot.html)
+-[`bootctl(1)`](https://www.freedesktop.org/software/systemd/man/bootctl.html)
+-[`systemd-gpt-auto-generator(8)`](https://www.freedesktop.org/software/systemd/man/systemd-gpt-auto-generator.html) ++[This content has moved to the UAPI group website](https://uapi-group.org/specifications/specs/boot_loader_specification/) +diff --git a/docs/DISCOVERABLE_PARTITIONS.md b/docs/DISCOVERABLE_PARTITIONS.md +index efd20533a5..bc05b6cc5a 100644 +--- a/docs/DISCOVERABLE_PARTITIONS.md ++++ b/docs/DISCOVERABLE_PARTITIONS.md +@@ -1,423 +1 @@ +---- +-title: Discoverable Partitions Specification +-category: Concepts +-layout: default +-SPDX-License-Identifier: LGPL-2.1-or-later +---- +-# The Discoverable Partitions Specification (DPS) +- +-_TL;DR: Let's automatically discover, mount and enable the root partition, +-`/home/`, `/srv/`, `/var/` and `/var/tmp/` and the swap partitions based on +-GUID Partition Tables (GPT)!_ +- +-This specification describes the use of GUID Partition Table (GPT) UUIDs to +-enable automatic discovery of partitions and their intended mountpoints. +-Traditionally Linux has made little use of partition types, mostly just +-defining one UUID for file system/data partitions and another one for swap +-partitions. With this specification, we introduce additional partition types +-for specific uses. This has many benefits: +- +-* OS installers can automatically discover and make sense of partitions of +- existing Linux installations. +-* The OS can discover and mount the necessary file systems with a non-existent +- or incomplete `/etc/fstab` file and without the `root=` kernel command line +- option. +-* Container managers (such as nspawn and libvirt-lxc) can introspect and set up +- file systems contained in GPT disk images automatically and mount them to the +- right places, thus allowing booting the same, identical images on bare metal +- and in Linux containers. This enables true, natural portability of disk +- images between physical machines and Linux containers. +-* As a help to administrators and users partition manager tools can show more +- descriptive information about partitions tables. +- +-Note that the OS side of this specification is currently implemented in +-[systemd](https://systemd.io/) 211 and newer in the +-[systemd-gpt-auto-generator(8)](https://www.freedesktop.org/software/systemd/man/systemd-gpt-auto-generator.html) +-generator tool. Note that automatic discovery of the root only works if the +-boot loader communicates this information to the OS, by implementing the +-[Boot Loader Interface](BOOT_LOADER_INTERFACE.md). +- +-## Defined Partition Type UUIDs +- +-| Name | Partition Type UUID | Allowed File Systems | Explanation | +-|------|---------------------|----------------------|-------------| +-| _Root Partition (Alpha)_ | `6523f8ae-3eb1-4e2a-a05a-18b695ae656f` `SD_GPT_ROOT_ALPHA` | Any native, optionally in LUKS | On systems with matching architecture, the first partition with this type UUID on the disk containing the active EFI ESP is automatically mounted to the root directory `/`. If the partition is encrypted with LUKS or has dm-verity integrity data (see below), the device mapper file will be named `/dev/mapper/root`. | +-| _Root Partition (ARC)_ | `d27f46ed-2919-4cb8-bd25-9531f3c16534` `SD_GPT_ROOT_ARC` | ditto | ditto | +-| _Root Partition (32-bit ARM)_ | `69dad710-2ce4-4e3c-b16c-21a1d49abed3` `SD_GPT_ROOT_ARM` | ditto | ditto | +-| _Root Partition (64-bit ARM/AArch64)_ | `b921b045-1df0-41c3-af44-4c6f280d3fae` `SD_GPT_ROOT_ARM64` | ditto | ditto | +-| _Root Partition (Itanium/IA-64)_ | `993d8d3d-f80e-4225-855a-9daf8ed7ea97` `SD_GPT_ROOT_IA64` | ditto | ditto | +-| _Root Partition (LoongArch 64-bit)_ | `77055800-792c-4f94-b39a-98c91b762bb6` `SD_GPT_ROOT_LOONGARCH64` | ditto | ditto | +-| _Root Partition (32-bit MIPS LittleEndian (mipsel))_ | `37c58c8a-d913-4156-a25f-48b1b64e07f0` `SD_GPT_ROOT_MIPS_LE` | ditto | ditto | +-| _Root Partition (64-bit MIPS LittleEndian (mips64el))_ | `700bda43-7a34-4507-b179-eeb93d7a7ca3` `SD_GPT_ROOT_MIPS64_LE` | ditto | ditto | +-| _Root Partition (HPPA/PARISC)_ | `1aacdb3b-5444-4138-bd9e-e5c2239b2346` `SD_GPT_ROOT_PARISC` | ditto | ditto | +-| _Root Partition (32-bit PowerPC)_ | `1de3f1ef-fa98-47b5-8dcd-4a860a654d78` `SD_GPT_ROOT_PPC` | ditto | ditto | +-| _Root Partition (64-bit PowerPC BigEndian)_ | `912ade1d-a839-4913-8964-a10eee08fbd2` `SD_GPT_ROOT_PPC64` | ditto | ditto | +-| _Root Partition (64-bit PowerPC LittleEndian)_ | `c31c45e6-3f39-412e-80fb-4809c4980599` `SD_GPT_ROOT_PPC64_LE` | ditto | ditto | +-| _Root Partition (RISC-V 32-bit)_ | `60d5a7fe-8e7d-435c-b714-3dd8162144e1` `SD_GPT_ROOT_RISCV32` | ditto | ditto | +-| _Root Partition (RISC-V 64-bit)_ | `72ec70a6-cf74-40e6-bd49-4bda08e8f224` `SD_GPT_ROOT_RISCV64` | ditto | ditto | +-| _Root Partition (s390)_ | `08a7acea-624c-4a20-91e8-6e0fa67d23f9` `SD_GPT_ROOT_S390` | ditto | ditto | +-| _Root Partition (s390x)_ | `5eead9a9-fe09-4a1e-a1d7-520d00531306` `SD_GPT_ROOT_S390X` | ditto | ditto | +-| _Root Partition (TILE-Gx)_ | `c50cdd70-3862-4cc3-90e1-809a8c93ee2c` `SD_GPT_ROOT_TILEGX` | ditto | ditto | +-| _Root Partition (x86)_ | `44479540-f297-41b2-9af7-d131d5f0458a` `SD_GPT_ROOT_X86` | ditto | ditto | +-| _Root Partition (amd64/x86_64)_ | `4f68bce3-e8cd-4db1-96e7-fbcaf984b709` `SD_GPT_ROOT_X86_64` | ditto | ditto | +-| _`/usr/` Partition (Alpha)_ | `e18cf08c-33ec-4c0d-8246-c6c6fb3da024` `SD_GPT_USR_ALPHA` | Any native, optionally in LUKS | Similar semantics to root partition, but just the `/usr/` partition. | +-| _`/usr/` Partition (ARC)_ | `7978a683-6316-4922-bbee-38bff5a2fecc` `SD_GPT_USR_ARC` | ditto | ditto | +-| _`/usr/` Partition (32-bit ARM)_ | `7d0359a3-02b3-4f0a-865c-654403e70625` `SD_GPT_USR_ARM` | ditto | ditto | +-| _`/usr/` Partition (64-bit ARM/AArch64)_ | `b0e01050-ee5f-4390-949a-9101b17104e9` `SD_GPT_USR_ARM64` | ditto | ditto | +-| _`/usr/` Partition (Itanium/IA-64)_ | `4301d2a6-4e3b-4b2a-bb94-9e0b2c4225ea` `SD_GPT_USR_IA64` | ditto | ditto | +-| _`/usr/` Partition (LoongArch 64-bit)_ | `e611c702-575c-4cbe-9a46-434fa0bf7e3f` `SD_GPT_USR_LOONGARCH64` | ditto | ditto | +-| _`/usr/` Partition (32-bit MIPS LittleEndian (mipsel))_ | `0f4868e9-9952-4706-979f-3ed3a473e947` `SD_GPT_USR_MIPS_LE` | ditto | ditto | +-| _`/usr/` Partition (64-bit MIPS LittleEndian (mips64el))_ | `c97c1f32-ba06-40b4-9f22-236061b08aa8` `SD_GPT_USR_MIPS64_LE` | ditto | ditto | +-| _`/usr/` Partition (HPPA/PARISC)_ | `dc4a4480-6917-4262-a4ec-db9384949f25` `SD_GPT_USR_PARISC` | ditto | ditto | +-| _`/usr/` Partition (32-bit PowerPC)_ | `7d14fec5-cc71-415d-9d6c-06bf0b3c3eaf` `SD_GPT_USR_PPC` | ditto | ditto | +-| _`/usr/` Partition (64-bit PowerPC BigEndian)_ | `2c9739e2-f068-46b3-9fd0-01c5a9afbcca` `SD_GPT_USR_PPC64` | ditto | ditto | +-| _`/usr/` Partition (64-bit PowerPC LittleEndian)_ | `15bb03af-77e7-4d4a-b12b-c0d084f7491c` `SD_GPT_USR_PPC64_LE` | ditto | ditto | +-| _`/usr/` Partition (RISC-V 32-bit)_ | `b933fb22-5c3f-4f91-af90-e2bb0fa50702` `SD_GPT_USR_RISCV32` | ditto | ditto | +-| _`/usr/` Partition (RISC-V 64-bit)_ | `beaec34b-8442-439b-a40b-984381ed097d` `SD_GPT_USR_RISCV64` | ditto | ditto | +-| _`/usr/` Partition (s390)_ | `cd0f869b-d0fb-4ca0-b141-9ea87cc78d66` `SD_GPT_USR_S390` | ditto | ditto | +-| _`/usr/` Partition (s390x)_ | `8a4f5770-50aa-4ed3-874a-99b710db6fea` `SD_GPT_USR_S390X` | ditto | ditto | +-| _`/usr/` Partition (TILE-Gx)_ | `55497029-c7c1-44cc-aa39-815ed1558630` `SD_GPT_USR_TILEGX` | ditto | ditto | +-| _`/usr/` Partition (x86)_ | `75250d76-8cc6-458e-bd66-bd47cc81a812` `SD_GPT_USR_X86` | ditto | ditto | +-| _`/usr/` Partition (amd64/x86_64)_ | `8484680c-9521-48c6-9c11-b0720656f69e` `SD_GPT_USR_X86_64` | ditto | ditto | +-| _Root Verity Partition (Alpha)_ | `fc56d9e9-e6e5-4c06-be32-e74407ce09a5` `SD_GPT_ROOT_ALPHA_VERITY` | A dm-verity superblock followed by hash data | Contains dm-verity integrity hash data for the matching root partition. If this feature is used the partition UUID of the root partition should be the first 128 bits of the root hash of the dm-verity hash data, and the partition UUID of this dm-verity partition should be the final 128 bits of it, so that the root partition and its Verity partition can be discovered easily, simply by specifying the root hash. | +-| _Root Verity Partition (ARC)_ | `24b2d975-0f97-4521-afa1-cd531e421b8d` `SD_GPT_ROOT_ARC_VERITY` | ditto | ditto | +-| _Root Verity Partition (32-bit ARM)_ | `7386cdf2-203c-47a9-a498-f2ecce45a2d6` `SD_GPT_ROOT_ARM_VERITY` | ditto | ditto | +-| _Root Verity Partition (64-bit ARM/AArch64)_ | `df3300ce-d69f-4c92-978c-9bfb0f38d820` `SD_GPT_ROOT_ARM64_VERITY` | ditto | ditto | +-| _Root Verity Partition (Itanium/IA-64)_ | `86ed10d5-b607-45bb-8957-d350f23d0571` `SD_GPT_ROOT_IA64_VERITY` | ditto | ditto | +-| _Root Verity Partition (LoongArch 64-bit)_ | `f3393b22-e9af-4613-a948-9d3bfbd0c535` `SD_GPT_ROOT_LOONGARCH64_VERITY` | ditto | ditto | +-| _Root Verity Partition (32-bit MIPS LittleEndian (mipsel))_ | `d7d150d2-2a04-4a33-8f12-16651205ff7b` `SD_GPT_ROOT_MIPS_LE_VERITY` | ditto | ditto | +-| _Root Verity Partition (64-bit MIPS LittleEndian (mips64el))_ | `16b417f8-3e06-4f57-8dd2-9b5232f41aa6` `SD_GPT_ROOT_MIPS64_LE_VERITY` | ditto | ditto | +-| _Root Verity Partition (HPPA/PARISC)_ | `d212a430-fbc5-49f9-a983-a7feef2b8d0e` `SD_GPT_ROOT_PARISC_VERITY` | ditto | ditto | +-| _Root Verity Partition (64-bit PowerPC LittleEndian)_ | `906bd944-4589-4aae-a4e4-dd983917446a` `SD_GPT_ROOT_PPC64_LE_VERITY` | ditto | ditto | +-| _Root Verity Partition (64-bit PowerPC BigEndian)_ | `9225a9a3-3c19-4d89-b4f6-eeff88f17631` `SD_GPT_ROOT_PPC64_VERITY` | ditto | ditto | +-| _Root Verity Partition (32-bit PowerPC)_ | `98cfe649-1588-46dc-b2f0-add147424925` `SD_GPT_ROOT_PPC_VERITY` | ditto | ditto | +-| _Root Verity Partition (RISC-V 32-bit)_ | `ae0253be-1167-4007-ac68-43926c14c5de` `SD_GPT_ROOT_RISCV32_VERITY` | ditto | ditto | +-| _Root Verity Partition (RISC-V 64-bit)_ | `b6ed5582-440b-4209-b8da-5ff7c419ea3d` `SD_GPT_ROOT_RISCV64_VERITY` | ditto | ditto | +-| _Root Verity Partition (s390)_ | `7ac63b47-b25c-463b-8df8-b4a94e6c90e1` `SD_GPT_ROOT_S390_VERITY` | ditto | ditto | +-| _Root Verity Partition (s390x)_ | `b325bfbe-c7be-4ab8-8357-139e652d2f6b` `SD_GPT_ROOT_S390X_VERITY` | ditto | ditto | +-| _Root Verity Partition (TILE-Gx)_ | `966061ec-28e4-4b2e-b4a5-1f0a825a1d84` `SD_GPT_ROOT_TILEGX_VERITY` | ditto | ditto | +-| _Root Verity Partition (amd64/x86_64)_ | `2c7357ed-ebd2-46d9-aec1-23d437ec2bf5` `SD_GPT_ROOT_X86_64_VERITY` | ditto | ditto | +-| _Root Verity Partition (x86)_ | `d13c5d3b-b5d1-422a-b29f-9454fdc89d76` `SD_GPT_ROOT_X86_VERITY` | ditto | ditto | +-| _`/usr/` Verity Partition (Alpha)_ | `8cce0d25-c0d0-4a44-bd87-46331bf1df67` `SD_GPT_USR_ALPHA_VERITY` | A dm-verity superblock followed by hash data | Similar semantics to root Verity partition, but just for the `/usr/` partition. | +-| _`/usr/` Verity Partition (ARC)_ | `fca0598c-d880-4591-8c16-4eda05c7347c` `SD_GPT_USR_ARC_VERITY` | ditto | ditto | +-| _`/usr/` Verity Partition (32-bit ARM)_ | `c215d751-7bcd-4649-be90-6627490a4c05` `SD_GPT_USR_ARM_VERITY` | ditto | ditto | +-| _`/usr/` Verity Partition (64-bit ARM/AArch64)_ | `6e11a4e7-fbca-4ded-b9e9-e1a512bb664e` `SD_GPT_USR_ARM64_VERITY` | ditto | ditto | +-| _`/usr/` Verity Partition (Itanium/IA-64)_ | `6a491e03-3be7-4545-8e38-83320e0ea880` `SD_GPT_USR_IA64_VERITY` | ditto | ditto | +-| _`/usr/` Verity Partition (LoongArch 64-bit)_ | `f46b2c26-59ae-48f0-9106-c50ed47f673d` `SD_GPT_USR_LOONGARCH64_VERITY` | ditto | ditto | +-| _`/usr/` Verity Partition (32-bit MIPS LittleEndian (mipsel))_ | `46b98d8d-b55c-4e8f-aab3-37fca7f80752` `SD_GPT_USR_MIPS_LE_VERITY` | ditto | ditto | +-| _`/usr/` Verity Partition (64-bit MIPS LittleEndian (mips64el))_ | `3c3d61fe-b5f3-414d-bb71-8739a694a4ef` `SD_GPT_USR_MIPS64_LE_VERITY` | ditto | ditto | +-| _`/usr/` Verity Partition (HPPA/PARISC)_ | `5843d618-ec37-48d7-9f12-cea8e08768b2` `SD_GPT_USR_PARISC_VERITY` | ditto | ditto | +-| _`/usr/` Verity Partition (64-bit PowerPC LittleEndian)_ | `ee2b9983-21e8-4153-86d9-b6901a54d1ce` `SD_GPT_USR_PPC64_LE_VERITY` | ditto | ditto | +-| _`/usr/` Verity Partition (64-bit PowerPC BigEndian)_ | `bdb528a5-a259-475f-a87d-da53fa736a07` `SD_GPT_USR_PPC64_VERITY` | ditto | ditto | +-| _`/usr/` Verity Partition (32-bit PowerPC)_ | `df765d00-270e-49e5-bc75-f47bb2118b09` `SD_GPT_USR_PPC_VERITY` | ditto | ditto | +-| _`/usr/` Verity Partition (RISC-V 32-bit)_ | `cb1ee4e3-8cd0-4136-a0a4-aa61a32e8730` `SD_GPT_USR_RISCV32_VERITY` | ditto | ditto | +-| _`/usr/` Verity Partition (RISC-V 64-bit)_ | `8f1056be-9b05-47c4-81d6-be53128e5b54` `SD_GPT_USR_RISCV64_VERITY` | ditto | ditto | +-| _`/usr/` Verity Partition (s390)_ | `b663c618-e7bc-4d6d-90aa-11b756bb1797` `SD_GPT_USR_S390_VERITY` | ditto | ditto | +-| _`/usr/` Verity Partition (s390x)_ | `31741cc4-1a2a-4111-a581-e00b447d2d06` `SD_GPT_USR_S390X_VERITY` | ditto | ditto | +-| _`/usr/` Verity Partition (TILE-Gx)_ | `2fb4bf56-07fa-42da-8132-6b139f2026ae` `SD_GPT_USR_TILEGX_VERITY` | ditto | ditto | +-| _`/usr/` Verity Partition (amd64/x86_64)_ | `77ff5f63-e7b6-4633-acf4-1565b864c0e6` `SD_GPT_USR_X86_64_VERITY` | ditto | ditto | +-| _`/usr/` Verity Partition (x86)_ | `8f461b0d-14ee-4e81-9aa9-049b6fb97abd` `SD_GPT_USR_X86_VERITY` | ditto | ditto | +-| _Root Verity Signature Partition (Alpha)_ | `d46495b7-a053-414f-80f7-700c99921ef8` `SD_GPT_ROOT_ALPHA_VERITY_SIG` | A serialized JSON object, see below | Contains a root hash and a PKCS#7 signature for it, permitting signed dm-verity GPT images. | +-| _Root Verity Signature Partition (ARC)_ | `143a70ba-cbd3-4f06-919f-6c05683a78bc` `SD_GPT_ROOT_ARC_VERITY_SIG` | ditto | ditto | +-| _Root Verity Signature Partition (32-bit ARM)_ | `42b0455f-eb11-491d-98d3-56145ba9d037` `SD_GPT_ROOT_ARM_VERITY_SIG` | ditto | ditto | +-| _Root Verity Signature Partition (64-bit ARM/AArch64)_ | `6db69de6-29f4-4758-a7a5-962190f00ce3` `SD_GPT_ROOT_ARM64_VERITY_SIG` | ditto | ditto | +-| _Root Verity Signature Partition (Itanium/IA-64)_ | `e98b36ee-32ba-4882-9b12-0ce14655f46a` `SD_GPT_ROOT_IA64_VERITY_SIG` | ditto | ditto | +-| _Root Verity Signature Partition (LoongArch 64-bit)_ | `5afb67eb-ecc8-4f85-ae8e-ac1e7c50e7d0` `SD_GPT_ROOT_LOONGARCH64_VERITY_SIG` | ditto | ditto | +-| _Root Verity Signature Partition (32-bit MIPS LittleEndian (mipsel))_ | `c919cc1f-4456-4eff-918c-f75e94525ca5` `SD_GPT_ROOT_MIPS_LE_VERITY_SIG` | ditto | ditto | +-| _Root Verity Signature Partition (64-bit MIPS LittleEndian (mips64el))_ | `904e58ef-5c65-4a31-9c57-6af5fc7c5de7` `SD_GPT_ROOT_MIPS64_LE_VERITY_SIG` | ditto | ditto | +-| _Root Verity Signature Partition (HPPA/PARISC)_ | `15de6170-65d3-431c-916e-b0dcd8393f25` `SD_GPT_ROOT_PARISC_VERITY_SIG` | ditto | ditto | +-| _Root Verity Signature Partition (64-bit PowerPC LittleEndian)_ | `d4a236e7-e873-4c07-bf1d-bf6cf7f1c3c6` `SD_GPT_ROOT_PPC64_LE_VERITY_SIG` | ditto | ditto | +-| _Root Verity Signature Partition (64-bit PowerPC BigEndian)_ | `f5e2c20c-45b2-4ffa-bce9-2a60737e1aaf` `SD_GPT_ROOT_PPC64_VERITY_SIG` | ditto | ditto | +-| _Root Verity Signature Partition (32-bit PowerPC)_ | `1b31b5aa-add9-463a-b2ed-bd467fc857e7` `SD_GPT_ROOT_PPC_VERITY_SIG` | ditto | ditto | +-| _Root Verity Signature Partition (RISC-V 32-bit)_ | `3a112a75-8729-4380-b4cf-764d79934448` `SD_GPT_ROOT_RISCV32_VERITY_SIG` | ditto | ditto | +-| _Root Verity Signature Partition (RISC-V 64-bit)_ | `efe0f087-ea8d-4469-821a-4c2a96a8386a` `SD_GPT_ROOT_RISCV64_VERITY_SIG` | ditto | ditto | +-| _Root Verity Signature Partition (s390)_ | `3482388e-4254-435a-a241-766a065f9960` `SD_GPT_ROOT_S390_VERITY_SIG` | ditto | ditto | +-| _Root Verity Signature Partition (s390x)_ | `c80187a5-73a3-491a-901a-017c3fa953e9` `SD_GPT_ROOT_S390X_VERITY_SIG` | ditto | ditto | +-| _Root Verity Signature Partition (TILE-Gx)_ | `b3671439-97b0-4a53-90f7-2d5a8f3ad47b` `SD_GPT_ROOT_TILEGX_VERITY_SIG` | ditto | ditto | +-| _Root Verity Signature Partition (amd64/x86_64)_ | `41092b05-9fc8-4523-994f-2def0408b176` `SD_GPT_ROOT_X86_64_VERITY_SIG` | ditto | ditto | +-| _Root Verity Signature Partition (x86)_ | `5996fc05-109c-48de-808b-23fa0830b676` `SD_GPT_ROOT_X86_VERITY_SIG` | ditto | ditto | +-| _`/usr/` Verity Signature Partition (Alpha)_ | `5c6e1c76-076a-457a-a0fe-f3b4cd21ce6e` `SD_GPT_USR_ALPHA_VERITY_SIG` | A serialized JSON object, see below | Similar semantics to root Verity signature partition, but just for the `/usr/` partition. | +-| _`/usr/` Verity Signature Partition (ARC)_ | `94f9a9a1-9971-427a-a400-50cb297f0f35` `SD_GPT_USR_ARC_VERITY_SIG` | ditto | ditto | +-| _`/usr/` Verity Signature Partition (32-bit ARM)_ | `d7ff812f-37d1-4902-a810-d76ba57b975a` `SD_GPT_USR_ARM_VERITY_SIG` | ditto | ditto | +-| _`/usr/` Verity Signature Partition (64-bit ARM/AArch64)_ | `c23ce4ff-44bd-4b00-b2d4-b41b3419e02a` `SD_GPT_USR_ARM64_VERITY_SIG` | ditto | ditto | +-| _`/usr/` Verity Signature Partition (Itanium/IA-64)_ | `8de58bc2-2a43-460d-b14e-a76e4a17b47f` `SD_GPT_USR_IA64_VERITY_SIG` | ditto | ditto | +-| _`/usr/` Verity Signature Partition (LoongArch 64-bit)_ | `b024f315-d330-444c-8461-44bbde524e99` `SD_GPT_USR_LOONGARCH64_VERITY_SIG` | ditto | ditto | +-| _`/usr/` Verity Signature Partition (32-bit MIPS LittleEndian (mipsel))_ | `3e23ca0b-a4bc-4b4e-8087-5ab6a26aa8a9` `SD_GPT_USR_MIPS_LE_VERITY_SIG` | ditto | ditto | +-| _`/usr/` Verity Signature Partition (64-bit MIPS LittleEndian (mips64el))_ | `f2c2c7ee-adcc-4351-b5c6-ee9816b66e16` `SD_GPT_USR_MIPS64_LE_VERITY_SIG` | ditto | ditto | +-| _`/usr/` Verity Signature Partition (HPPA/PARISC)_ | `450dd7d1-3224-45ec-9cf2-a43a346d71ee` `SD_GPT_USR_PARISC_VERITY_SIG` | ditto | ditto | +-| _`/usr/` Verity Signature Partition (64-bit PowerPC LittleEndian)_ | `c8bfbd1e-268e-4521-8bba-bf314c399557` `SD_GPT_USR_PPC64_LE_VERITY_SIG` | ditto | ditto | +-| _`/usr/` Verity Signature Partition (64-bit PowerPC BigEndian)_ | `0b888863-d7f8-4d9e-9766-239fce4d58af` `SD_GPT_USR_PPC64_VERITY_SIG` | ditto | ditto | +-| _`/usr/` Verity Signature Partition (32-bit PowerPC)_ | `7007891d-d371-4a80-86a4-5cb875b9302e` `SD_GPT_USR_PPC_VERITY_SIG` | ditto | ditto | +-| _`/usr/` Verity Signature Partition (RISC-V 32-bit)_ | `c3836a13-3137-45ba-b583-b16c50fe5eb4` `SD_GPT_USR_RISCV32_VERITY_SIG` | ditto | ditto | +-| _`/usr/` Verity Signature Partition (RISC-V 64-bit)_ | `d2f9000a-7a18-453f-b5cd-4d32f77a7b32` `SD_GPT_USR_RISCV64_VERITY_SIG` | ditto | ditto | +-| _`/usr/` Verity Signature Partition (s390)_ | `17440e4f-a8d0-467f-a46e-3912ae6ef2c5` `SD_GPT_USR_S390_VERITY_SIG` | ditto | ditto | +-| _`/usr/` Verity Signature Partition (s390x)_ | `3f324816-667b-46ae-86ee-9b0c0c6c11b4` `SD_GPT_USR_S390X_VERITY_SIG` | ditto | ditto | +-| _`/usr/` Verity Signature Partition (TILE-Gx)_ | `4ede75e2-6ccc-4cc8-b9c7-70334b087510` `SD_GPT_USR_TILEGX_VERITY_SIG` | ditto | ditto | +-| _`/usr/` Verity Signature Partition (amd64/x86_64)_ | `e7bb33fb-06cf-4e81-8273-e543b413e2e2` `SD_GPT_USR_X86_64_VERITY_SIG` | ditto | ditto | +-| _`/usr/` Verity Signature Partition (x86)_ | `974a71c0-de41-43c3-be5d-5c5ccd1ad2c0` `SD_GPT_USR_X86_VERITY_SIG` | ditto | ditto | +-| _EFI System Partition_ | `c12a7328-f81f-11d2-ba4b-00a0c93ec93b` `SD_GPT_ESP` | VFAT | The ESP used for the current boot is automatically mounted to `/efi/` (or `/boot/` as fallback), unless a different partition is mounted there (possibly via `/etc/fstab`, or because the Extended Boot Loader Partition — see below — exists) or the directory is non-empty on the root disk. This partition type is defined by the [UEFI Specification](http://www.uefi.org/specifications). | +-| _Extended Boot Loader Partition_ | `bc13c2ff-59e6-4262-a352-b275fd6f7172` `SD_GPT_XBOOTLDR` | Typically VFAT | The Extended Boot Loader Partition (XBOOTLDR) used for the current boot is automatically mounted to `/boot/`, unless a different partition is mounted there (possibly via `/etc/fstab`) or the directory is non-empty on the root disk. This partition type is defined by the [Boot Loader Specification](https://systemd.io/BOOT_LOADER_SPECIFICATION). | +-| _Swap_ | `0657fd6d-a4ab-43c4-84e5-0933c84b4f4f` `SD_GPT_SWAP` | Swap, optionally in LUKS | All swap partitions on the disk containing the root partition are automatically enabled. If the partition is encrypted with LUKS, the device mapper file will be named `/dev/mapper/swap`. This partition type predates the Discoverable Partitions Specification. | +-| _Home Partition_ | `933ac7e1-2eb4-4f13-b844-0e14e2aef915` `SD_GPT_HOME` | Any native, optionally in LUKS | The first partition with this type UUID on the disk containing the root partition is automatically mounted to `/home/`. If the partition is encrypted with LUKS, the device mapper file will be named `/dev/mapper/home`. | +-| _Server Data Partition_ | `3b8f8425-20e0-4f3b-907f-1a25a76f98e8` `SD_GPT_SRV` | Any native, optionally in LUKS | The first partition with this type UUID on the disk containing the root partition is automatically mounted to `/srv/`. If the partition is encrypted with LUKS, the device mapper file will be named `/dev/mapper/srv`. | +-| _Variable Data Partition_ | `4d21b016-b534-45c2-a9fb-5c16e091fd2d` `SD_GPT_VAR` | Any native, optionally in LUKS | The first partition with this type UUID on the disk containing the root partition is automatically mounted to `/var/` — under the condition that its partition UUID matches the first 128 bits of `HMAC-SHA256(machine-id, 0x4d21b016b53445c2a9fb5c16e091fd2d)` (i.e. the SHA256 HMAC hash of the binary type UUID keyed by the machine ID as read from [`/etc/machine-id`](https://www.freedesktop.org/software/systemd/man/machine-id.html). This special requirement is made because `/var/` (unlike the other partition types listed here) is inherently private to a specific installation and cannot possibly be shared between multiple OS installations on the same disk, and thus should be bound to a specific instance of the OS, identified by its machine ID. If the partition is encrypted with LUKS, the device mapper file will be named `/dev/mapper/var`. | +-| _Temporary Data Partition_ | `7ec6f557-3bc5-4aca-b293-16ef5df639d1` `SD_GPT_TMP` | Any native, optionally in LUKS | The first partition with this type UUID on the disk containing the root partition is automatically mounted to `/var/tmp/`. If the partition is encrypted with LUKS, the device mapper file will be named `/dev/mapper/tmp`. Note that the intended mount point is indeed `/var/tmp/`, not `/tmp/`. The latter is typically maintained in memory via `tmpfs` and does not require a partition on disk. In some cases it might be desirable to make `/tmp/` persistent too, in which case it is recommended to make it a symlink or bind mount to `/var/tmp/`, thus not requiring its own partition type UUID. | +-| _Per-user Home Partition_ | `773f91ef-66d4-49b5-bd83-d683bf40ad16` `SD_GPT_USER_HOME` | Any native, optionally in LUKS | A home partition of a user, managed by [`systemd-homed`](https://www.freedesktop.org/software/systemd/man/systemd-homed.html). | +-| _Generic Linux Data Partition_ | `0fc63daf-8483-4772-8e79-3d69d8477de4` `SD_GPT_LINUX_GENERIC` | Any native, optionally in LUKS | No automatic mounting takes place for other Linux data partitions. This partition type should be used for all partitions that carry Linux file systems. The installer needs to mount them explicitly via entries in `/etc/fstab`. Optionally, these partitions may be encrypted with LUKS. This partition type predates the Discoverable Partitions Specification. | +- +-Other GPT type IDs might be used on Linux, for example to mark software RAID or +-LVM partitions. The definitions of those GPT types is outside of the scope of +-this specification. +- +-[systemd-id128(1)](https://www.freedesktop.org/software/systemd/man/systemd-id128.html)'s +-`show` command may be used to list those GPT partition type UUIDs. +- +-## Partition Names +- +-For partitions of the types listed above it is recommended to use +-human-friendly, descriptive partition names in the GPT partition table, for +-example "*Home*", "*Server* *Data*", "*Fedora* *Root*" and similar, possibly +-localized. +- +-For the Root/Verity/Verity signature partitions it might make sense to use a +-versioned naming scheme reflecting the OS name and its version, +-e.g. "fooOS_2021.4" or similar. +- +-## Partition Attribute Flags +- +-This specification defines three GPT partition attribute flags that may be set +-for the partition types defined above: +- +-1. For the root, `/usr/`, Verity, Verity signature, home, server data, variable +- data, temporary data, swap, and extended boot loader partitions, the +- partition flag bit 63 ("*no-auto*", *SD_GPT_FLAG_NO_AUTO*) may be used to +- turn off auto-discovery for the specific partition. If set, the partition +- will not be automatically mounted or enabled. +- +-2. For the root, `/usr/`, Verity, Verity signature home, server data, variable +- data, temporary data and extended boot loader partitions, the partition flag +- bit 60 ("*read-only*", *SD_GPT_FLAG_READ_ONLY*) may be used to mark a +- partition for read-only mounts only. If set, the partition will be mounted +- read-only instead of read-write. Note that the variable data partition and +- the temporary data partition will generally not be able to serve their +- purpose if marked read-only, since by their very definition they are +- supposed to be mutable. (The home and server data partitions are generally +- assumed to be mutable as well, but the requirement for them is not equally +- strong.) Because of that, while the read-only flag is defined and supported, +- it's almost never a good idea to actually use it for these partitions. Also +- note that Verity and signature partitions are by their semantics always +- read-only. The flag is hence of little effect for them, and it is +- recommended to set it unconditionally for the Verity and signature partition +- types. +- +-3. For the root, `/usr/`, home, server data, variable data, temporary data and +- extended boot loader partitions, the partition flag bit 59 +- ("*grow-file-system*", *SD_GPT_FLAG_GROWFS*) may be used to mark a partition +- for automatic growing of the contained file system to the size of the +- partition when mounted. Tools that automatically mount disk image with a GPT +- partition table are suggested to implicitly grow the contained file system +- to the partition size they are contained in, if they are found to be +- smaller. This flag is without effect on partitions marked "*read-only*". +- +-Note that the first two flag definitions happen to correspond nicely to the +-same ones used by Microsoft Basic Data Partitions. +- +-All three of these flags generally affect only auto-discovery and automatic +-mounting of disk images. If partitions marked with these flags are mounted +-using low-level commands like +-[mount(8)](https://man7.org/linux/man-pages/man2/mount.8.html) or directly with +-[mount(2)](https://man7.org/linux/man-pages/man2/mount.2.html), they typically +-have no effect. +- +-## Verity +- +-The Root/`/usr/` partition types and their matching Verity and Verity signature +-partitions enable relatively automatic handling of `dm-verity` protected +-setups. These types are defined with two modes of operation in mind: +- +-1. A trusted Verity root hash is passed in externally, for example is specified +- on the kernel command line that is signed along with the kernel image using +- SecureBoot PE signing (which in turn is tested against a set of +- firmware-provided set of signing keys). If so, discovery and setup of a +- Verity volume may be fully automatic: if the root partition's UUID is chosen +- to match the first 128 bit of the root hash, and the matching Verity +- partition UUIDs is chosen to match the last 128bit of the root hash, then +- automatic discovery and match-up of the two partitions is possible, as the +- root hash is enough to both find the partitions and then combine them in a +- Verity volume. In this mode a Verity signature partition is not used and +- unnecessary. +- +-2. A Verity signature partition is included on the disk, with a signature to be +- tested against a system-provided set of signing keys. The signature +- partition primarily contains two fields: the root hash to use, and a PKCS#7 +- signature of it, using a signature key trusted by the OS. If so, discovery +- and setup of a Verity volume may be fully automatic. First, the specified +- root hash is validated with the signature and the OS-provided trusted +- keys. If the signature checks out the root hash is then used in the same way +- as in the first mode of operation described above. +- +-Both modes of operation may be combined in a single image. This is particularly +-useful for images that shall be usable in two different contexts: for example +-an image that shall be able to boot directly on UEFI systems (in which +-case it makes sense to include the root hash on the kernel command line that is +-included in the signed kernel image to boot, as per mode of operation #1 +-above), but also be able to used as image for a container engine (such as +-`systemd-nspawn`), which can use the signature partition to validate the image, +-without making use of the signed kernel image (and thus following mode of +-operation #2). +- +-The Verity signature partition's contents should be a serialized JSON object in +-text form, padded with NUL bytes to the next multiple of 4096 bytes in +-size. Currently three fields are defined for the JSON object: +- +-1. The (mandatory) `rootHash` field should be a string containing the Verity root hash, +- formatted as series of (lowercase) hex characters. +- +-2. The (mandatory) `signature` field should be a string containing the PKCS#7 +- signature of the root hash, in Base64-encoded DER format. This should be the +- same format used by the Linux kernel's dm-verity signature logic, i.e. the +- signed data should be the exact string representation of the hash, as stored +- in `rootHash` above. +- +-3. The (optional) `certificateFingerprint` field should be a string containing +- a SHA256 fingerprint of the X.509 certificate in DER format for the key that +- signed the root hash, formatted as series of (lowercase) hex characters (no `:` +- separators or such). +- +-More fields might be added in later revisions of this specification. +- +-## Suggested Mode of Operation +- +-An *installer* that repartitions the hard disk _should_ use the above UUID +-partition types for appropriate partitions it creates. +- +-An *installer* which supports a "manual partitioning" interface _may_ choose to +-pre-populate the interface with swap, `/home/`, `/srv/`, `/var/tmp/` partitions +-of pre-existing Linux installations, identified with the GPT type UUIDs +-above. The installer should not pre-populate such an interface with any +-identified root, `/usr` or `/var/` partition unless the intention is to +-overwrite an existing operating system that might be installed. +- +-An *installer* _may_ omit creating entries in `/etc/fstab` for root, `/home/`, +-`/srv/`, `/var/`, `/var/tmp` and for the swap partitions if they use these UUID +-partition types, and are the first partitions on the disk of each type. If the +-ESP shall be mounted to `/efi/` (or `/boot/`), it may additionally omit +-creating the entry for it in `/etc/fstab`. If the EFI partition shall not be +-mounted to `/efi/` or `/boot/`, it _must_ create `/etc/fstab` entries for them. +-If other partitions are used (for example for `/usr/local/` or +-`/var/lib/mysql/`), the installer _must_ register these in `/etc/fstab`. The +-`root=` parameter passed to the kernel by the boot loader may be omitted if the +-root partition is the first one on the disk of its type. If the root partition +-is not the first one on the disk, the `root=` parameter _must_ be passed to the +-kernel by the boot loader. An installer that mounts a root, `/usr/`, `/home/`, +-`/srv/`, `/var/`, or `/var/tmp/` file system with the partition types defined +-as above which contains a LUKS header _must_ call the device mapper device +-"root", "usr", "home", "srv", "var" or "tmp", respectively. This is necessary +-to ensure that the automatic discovery will never result in different device +-mapper names than any static configuration by the installer, thus eliminating +-possible naming conflicts and ambiguities. +- +-An *operating* *system* _should_ automatically discover and mount the first +-root partition that does not have the no-auto flag set (as described above) by +-scanning the disk containing the currently used EFI ESP. It _should_ +-automatically discover and mount the first `/usr/`, `/home/`, `/srv/`, `/var/`, +-`/var/tmp/` and swap partitions that do not have the no-auto flag set by +-scanning the disk containing the discovered root partition. It should +-automatically discover and mount the partition containing the currently used +-EFI ESP to `/efi/` (or `/boot/` as fallback). It should automatically discover +-and mount the partition containing the currently used Extended Boot Loader +-Partition to `/boot/`. It _should not_ discover or automatically mount +-partitions with other UUID partition types, or partitions located on other +-disks, or partitions with the no-auto flag set. User configuration shall +-always override automatic discovery and mounting. If a root, `/usr/`, +-`/home/`, `/srv/`, `/boot/`, `/var/`, `/var/tmp/`, `/efi/`, `/boot/` or swap +-partition is listed in `/etc/fstab` or with `root=` on the kernel command line, +-it _must_ take precedence over automatically discovered partitions. If a +-`/home/`, `/usr/`, `/srv/`, `/boot/`, `/var/`, `/var/tmp/`, `/efi/` or `/boot/` +-directory is found to be populated already in the root partition, the automatic +-discovery _must not_ mount any discovered file system over it. Optionally, in +-case of the root, `/usr/` and their Verity partitions instead of strictly +-mounting the first suitable partition an OS might choose to mount the partition +-whose label compares the highest according to `strverscmp()` or similar logic, +-in order to implement a simple partition-based A/B versioning scheme. The +-precise rules are left for the implementation to decide, but when in doubt +-earlier partitions (by their index) should always win over later partitions if +-the label comparison is inconclusive. +- +-A *container* *manager* should automatically discover and mount the root, +-`/usr/`, `/home/`, `/srv/`, `/var/`, `/var/tmp/` partitions inside a container +-disk image. It may choose to mount any discovered ESP and/or XBOOTLDR +-partition to `/efi/` or `/boot/`. It should ignore any swap should they be +-included in a container disk image. +- +-If a btrfs file system is automatically discovered and mounted by the operating +-system/container manager it will be mounted with its *default* subvolume. The +-installer should make sure to set the default subvolume correctly using "btrfs +-subvolume set-default". +- +-## Sharing of File Systems between Installations +- +-If two Linux-based operating systems are installed on the same disk, the scheme +-above suggests that they may share the swap, `/home/`, `/srv/`, `/var/tmp/`, +-ESP, XBOOTLDR. However, they should each have their own root, `/usr/` and +-`/var/` partition. +- +-## Frequently Asked Questions +- +-### Why are you taking my `/etc/fstab` away? +- +-We are not. `/etc/fstab` always overrides automatic discovery and is indeed +-mentioned in the specifications. We are simply trying to make the boot and +-installation processes of Linux a bit more robust and self-descriptive. +- +-### Why did you only define the root partition for these listed architectures? +- +-Please submit a patch that adds appropriate partition type UUIDs for the +-architecture of your choice should they be missing so far. The only reason they +-aren't defined yet is that nobody submitted them yet. +- +-### Why define distinct root partition UUIDs for the various architectures? +- +-This allows disk images that may be booted on multiple architectures to use +-discovery of the appropriate root partition on each architecture. +- +-### Doesn't this break multi-boot scenarios? +- +-No, it doesn't. The specification says that installers may not stop creating +-`/etc/fstab` or stop including `root=` on the kernel command line, unless the used +-partitions are the first ones of their type on the disk. Additionally, +-`/etc/fstab` and `root=` both override automatic discovery. Multi-boot is hence +-well supported, since it doesn't change anything for anything but the first +-installation. +- +-That all said, it's not expected that generic installers generally stop setting +-`root=` and creating `/etc/fstab` anyway. The option to drop these configuration +-bits is primarily something for appliance-like devices. However, generic +-installers should *still* set the right GPT partition types for the partitions +-they create so that container managers, partition tools and administrators can +-benefit. Phrased differently, this specification introduces A) the +-*recommendation* to use the newly defined partition types to tag things +-properly and B) the *option* to then drop `root=` and `/etc/fstab`. While we +-advertise A) to *all* installers, we only propose B) for simpler, +-appliance-like installations. +- +-### What partitioning tools will create a DPS-compliant partition table? +- +-As of util-linux 2.25.2, the `fdisk` tool provides type codes to create the +-root, home, and swap partitions that the DPS expects. By default, `fdisk` will +-create an old-style MBR, not a GPT, so typing `l` to list partition types will +-not show the choices to let you set the correct UUID. Make sure to first create +-an empty GPT, then type `l` in order for the DPS-compliant type codes to be +-available. +- +-The `gdisk` tool (from version 1.0.5 onward) and its variants (`sgdisk`, +-`cgdisk`) also support creation of partitions with a matching type code. +- +-## Links +- +-[Boot Loader Specification](BOOT_LOADER_SPECIFICATION.md)
+-[Boot Loader Interface](BOOT_LOADER_INTERFACE.md)
+-[Safely Building Images](BUILDING_IMAGES.md)
+-[`systemd-boot(7)`](https://www.freedesktop.org/software/systemd/man/systemd-boot.html)
+-[`bootctl(1)`](https://www.freedesktop.org/software/systemd/man/bootctl.html)
+-[`systemd-gpt-auto-generator(8)`](https://www.freedesktop.org/software/systemd/man/systemd-gpt-auto-generator.html) ++[This content has moved to the UAPI group website](https://uapi-group.org/specifications/specs/discoverable_partitions_specification/) diff --git a/SOURCES/0014-core-fix-memleak-in-GetUnitFileLinks-method.patch b/SOURCES/0014-core-fix-memleak-in-GetUnitFileLinks-method.patch new file mode 100644 index 0000000..2e2aed4 --- /dev/null +++ b/SOURCES/0014-core-fix-memleak-in-GetUnitFileLinks-method.patch @@ -0,0 +1,49 @@ +From a9424191821c8c967edd7dd92a19d02ff5bbca87 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Wed, 2 Nov 2022 07:06:46 +0900 +Subject: [PATCH] core: fix memleak in GetUnitFileLinks method + +(cherry picked from commit a12ba535fa677e642c7ba19e81062ed6e9365ceb) + +Related #2138081 +--- + src/core/dbus-manager.c | 16 +++++++++++----- + 1 file changed, 11 insertions(+), 5 deletions(-) + +diff --git a/src/core/dbus-manager.c b/src/core/dbus-manager.c +index 919aa58cde..88f098ec86 100644 +--- a/src/core/dbus-manager.c ++++ b/src/core/dbus-manager.c +@@ -2647,21 +2647,27 @@ static int method_get_unit_file_links(sd_bus_message *message, void *userdata, s + (runtime ? UNIT_FILE_RUNTIME : 0); + + r = unit_file_disable(LOOKUP_SCOPE_SYSTEM, flags, NULL, p, &changes, &n_changes); +- if (r < 0) +- return log_error_errno(r, "Failed to get file links for %s: %m", name); ++ if (r < 0) { ++ log_error_errno(r, "Failed to get file links for %s: %m", name); ++ goto finish; ++ } + + for (i = 0; i < n_changes; i++) + if (changes[i].type == INSTALL_CHANGE_UNLINK) { + r = sd_bus_message_append(reply, "s", changes[i].path); + if (r < 0) +- return r; ++ goto finish; + } + + r = sd_bus_message_close_container(reply); + if (r < 0) +- return r; ++ goto finish; + +- return sd_bus_send(NULL, reply, NULL); ++ r = sd_bus_send(NULL, reply, NULL); ++ ++finish: ++ install_changes_free(changes, n_changes); ++ return r; + } + + static int method_get_job_waiting(sd_bus_message *message, void *userdata, sd_bus_error *error) { diff --git a/SOURCES/0015-man-use-the-correct-Markers-property-name-for-markin.patch b/SOURCES/0015-man-use-the-correct-Markers-property-name-for-markin.patch new file mode 100644 index 0000000..36a2571 --- /dev/null +++ b/SOURCES/0015-man-use-the-correct-Markers-property-name-for-markin.patch @@ -0,0 +1,42 @@ +From ada95dd4f4c0014815a2c3162de6297107569b05 Mon Sep 17 00:00:00 2001 +From: Frantisek Sumsal +Date: Wed, 2 Nov 2022 11:48:23 +0100 +Subject: [PATCH] man: use the correct 'Markers' property name for marking + units + +Follow-up to c9615f7352 and 70666e28a1. + +(cherry picked from commit 1ca1bb03dec9ae3e8d734bd40eeb60210ffd7a0a) + +Related #2138081 +--- + man/org.freedesktop.systemd1.xml | 2 +- + man/systemctl.xml | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/man/org.freedesktop.systemd1.xml b/man/org.freedesktop.systemd1.xml +index cbd552bd99..5e08b35234 100644 +--- a/man/org.freedesktop.systemd1.xml ++++ b/man/org.freedesktop.systemd1.xml +@@ -1250,7 +1250,7 @@ node /org/freedesktop/systemd1 { + "ReloadOrRestart" flavors attempt a reload if the unit supports it and use a restart otherwise. + + EnqueueMarkedJobs() creates reload/restart jobs for units which have been +- appropriately marked, see Marks property above. This is equivalent to calling ++ appropriately marked, see Markers property above. This is equivalent to calling + TryRestartUnit() or ReloadOrTryRestartUnit() for the marked + units. + +diff --git a/man/systemctl.xml b/man/systemctl.xml +index 4d4f6c3992..997925892d 100644 +--- a/man/systemctl.xml ++++ b/man/systemctl.xml +@@ -2386,7 +2386,7 @@ Jan 12 10:46:45 example.com bluetoothd[8900]: gatt-time-server: Input/output err + Only allowed with reload-or-restart. Enqueues restart jobs for all + units that have the needs-restart mark, and reload jobs for units that have the + needs-reload mark. When a unit marked for reload does not support reload, restart +- will be queued. Those properties can be set using set-property Marks. ++ will be queued. Those properties can be set using set-property Markers=…. + + Unless is used, systemctl will wait for the + queued jobs to finish. diff --git a/SOURCES/0016-test-further-extend-systemctl-s-sanity-coverage.patch b/SOURCES/0016-test-further-extend-systemctl-s-sanity-coverage.patch new file mode 100644 index 0000000..e50d9b5 --- /dev/null +++ b/SOURCES/0016-test-further-extend-systemctl-s-sanity-coverage.patch @@ -0,0 +1,115 @@ +From cce2e337e37524df5ff81e758dbcfa91bf8b696a Mon Sep 17 00:00:00 2001 +From: Frantisek Sumsal +Date: Wed, 2 Nov 2022 11:44:00 +0100 +Subject: [PATCH] test: further extend systemctl's sanity coverage + +Also, fix a race condition introduced by d16684fe13: +``` +[ 16.904218] H testsuite-26.sh[394]: + systemd-run --unit failed.service /bin/false +[ 16.964783] H systemd[845]: failed.service: Executing: /bin/false +[ 16.965062] H systemd[1]: Started failed.service. +[ 16.965462] H testsuite-26.sh[844]: Running as unit: failed.service +[ 16.966390] H testsuite-26.sh[394]: + systemctl is-failed failed.service +[ 16.977970] H testsuite-26.sh[846]: active +[ 16.978403] H systemd[1]: failed.service: Main process exited, code=exited, status=1/FAILURE +[ 16.978478] H systemd[1]: failed.service: Failed with result 'exit-code'. +``` + +(cherry picked from commit 23f3a6f5ff864fd26063c6c35fdaa6d85de566c7) + +Related #2138081 +--- + test/units/testsuite-26.sh | 61 +++++++++++++++++++++++++++++++++++++- + 1 file changed, 60 insertions(+), 1 deletion(-) + +diff --git a/test/units/testsuite-26.sh b/test/units/testsuite-26.sh +index b83f85917b..7c7a12b1ae 100755 +--- a/test/units/testsuite-26.sh ++++ b/test/units/testsuite-26.sh +@@ -58,6 +58,9 @@ systemctl list-units + systemctl list-units --recursive + systemctl list-units --type=socket + systemctl list-units --type=service,timer ++# Compat: --type= allows load states for compatibility reasons ++systemctl list-units --type=loaded ++systemctl list-units --type=loaded,socket + systemctl list-units --legend=yes -a "systemd-*" + systemctl list-units --state=active + systemctl list-units --with-dependencies systemd-journald.service +@@ -160,7 +163,7 @@ systemctl revert "$UNIT_NAME" + (! grep -r "CPUQuota=" "/run/systemd/system.control/${UNIT_NAME}.d/") + + # Failed-unit related tests +-systemd-run --unit "failed.service" /bin/false ++(! systemd-run --wait --unit "failed.service" /bin/false) + systemctl is-failed failed.service + systemctl --state=failed | grep failed.service + systemctl --failed | grep failed.service +@@ -189,11 +192,67 @@ for value in pretty us µs utc us+utc µs+utc; do + systemctl show -P KernelTimestamp --timestamp="$value" + done + ++# set-default/get-default ++target="$(systemctl get-default)" ++systemctl set-default emergency.target ++[[ "$(systemctl get-default)" == emergency.target ]] ++systemctl set-default "$target" ++[[ "$(systemctl get-default)" == "$target" ]] ++ ++# show/status ++systemctl show --property "" ++# Pick a heavily sandboxed unit for the best effect on coverage ++systemctl show systemd-logind.service ++systemctl status ++# Ignore the exit code in this case, as it might try to load non-existing units ++systemctl status -a >/dev/null || : ++systemctl status -a --state active,running,plugged >/dev/null ++systemctl status "systemd-*.timer" ++systemctl status "systemd-journald*.socket" ++systemctl status "sys-devices-*-ttyS0.device" ++systemctl status -- -.mount ++ ++# --marked ++systemctl restart "$UNIT_NAME" ++systemctl set-property "$UNIT_NAME" Markers=needs-restart ++systemctl show -P Markers "$UNIT_NAME" | grep needs-restart ++systemctl reload-or-restart --marked ++(! systemctl show -P Markers "$UNIT_NAME" | grep needs-restart) ++ ++# --dry-run with destructive verbs ++# kexec is skipped intentionally, as it requires a bit more involved setup ++VERBS=( ++ default ++ emergency ++ exit ++ halt ++ hibernate ++ hybrid-sleep ++ poweroff ++ reboot ++ rescue ++ suspend ++ suspend-then-hibernate ++) ++ ++for verb in "${VERBS[@]}"; do ++ systemctl --dry-run "$verb" ++ ++ if [[ "$verb" =~ (halt|poweroff|reboot) ]]; then ++ systemctl --dry-run --message "Hello world" "$verb" ++ systemctl --dry-run --no-wall "$verb" ++ systemctl --dry-run -f "$verb" ++ systemctl --dry-run -ff "$verb" ++ fi ++done ++ + # Aux verbs & assorted checks + systemctl is-active "*-journald.service" + systemctl cat "*journal*" + systemctl cat "$UNIT_NAME" + systemctl help "$UNIT_NAME" ++systemctl service-watchdogs ++systemctl service-watchdogs "$(systemctl service-watchdogs)" + + # show/set-environment + # Make sure PATH is set diff --git a/SOURCES/0017-test-add-a-sanity-coverage-for-systemd-analyze-verbs.patch b/SOURCES/0017-test-add-a-sanity-coverage-for-systemd-analyze-verbs.patch new file mode 100644 index 0000000..e194f13 --- /dev/null +++ b/SOURCES/0017-test-add-a-sanity-coverage-for-systemd-analyze-verbs.patch @@ -0,0 +1,131 @@ +From d68d785ba0e3ecd59a2678fe00fbd7b1bde90622 Mon Sep 17 00:00:00 2001 +From: Frantisek Sumsal +Date: Wed, 2 Nov 2022 17:51:51 +0100 +Subject: [PATCH] test: add a sanity coverage for systemd-analyze verbs + +(cherry picked from commit 6c83054c0133eb53245e479d71589dceff76cf74) + +Related #2138081 +--- + test/units/testsuite-65.sh | 108 +++++++++++++++++++++++++++++++++++++ + 1 file changed, 108 insertions(+) + +diff --git a/test/units/testsuite-65.sh b/test/units/testsuite-65.sh +index 64ce629f3b..ece6b8734e 100755 +--- a/test/units/testsuite-65.sh ++++ b/test/units/testsuite-65.sh +@@ -9,6 +9,114 @@ set -eux + systemd-analyze log-level debug + export SYSTEMD_LOG_LEVEL=debug + ++# Sanity checks ++# ++# We can't really test time, blame, critical-chain and plot verbs here, as ++# the testsuite service is a part of the boot transaction, so let's assume ++# they fail ++systemd-analyze || : ++systemd-analyze time || : ++systemd-analyze blame || : ++systemd-analyze critical-chain || : ++systemd-analyze plot >/dev/null || : ++# dot ++systemd-analyze dot >/dev/null ++systemd-analyze dot systemd-journald.service >/dev/null ++systemd-analyze dot systemd-journald.service systemd-logind.service >/dev/null ++systemd-analyze dot --from-pattern="*" --from-pattern="*.service" systemd-journald.service >/dev/null ++systemd-analyze dot --to-pattern="*" --to-pattern="*.service" systemd-journald.service >/dev/null ++systemd-analyze dot --from-pattern="*.service" --to-pattern="*.service" systemd-journald.service >/dev/null ++systemd-analyze dot --order systemd-journald.service systemd-logind.service >/dev/null ++systemd-analyze dot --require systemd-journald.service systemd-logind.service >/dev/null ++systemd-analyze dot "systemd-*.service" >/dev/null ++(! systemd-analyze dot systemd-journald.service systemd-logind.service "*" bbb ccc) ++# dump ++systemd-analyze dump >/dev/null ++systemd-analyze dump "*" >/dev/null ++systemd-analyze dump "*.socket" >/dev/null ++systemd-analyze dump systemd-journald.service >/dev/null ++(! systemd-analyze dump "") ++# unit-paths ++systemd-analyze unit-paths ++systemd-analyze unit-paths --user ++systemd-analyze unit-paths --global ++# exist-status ++systemd-analyze exit-status ++systemd-analyze exit-status STDOUT BPF ++systemd-analyze exit-status 0 1 {63..65} ++(! systemd-analyze exit-status STDOUT BPF "hello*") ++# capability ++systemd-analyze capability ++systemd-analyze capability cap_chown CAP_KILL ++systemd-analyze capability 0 1 {30..32} ++(! systemd-analyze capability cap_chown CAP_KILL "hello*") ++# condition ++mkdir -p /run/systemd/system ++UNIT_NAME="analyze-condition-$RANDOM.service" ++cat >"/run/systemd/system/$UNIT_NAME" <1.0 ++ConditionPathExists=/etc/os-release ++ ++[Service] ++ExecStart=/bin/true ++EOF ++systemctl daemon-reload ++systemd-analyze condition --unit="$UNIT_NAME" ++systemd-analyze condition 'ConditionKernelVersion = ! <4.0' \ ++ 'ConditionKernelVersion = >=3.1' \ ++ 'ConditionACPower=|false' \ ++ 'ConditionArchitecture=|!arm' \ ++ 'AssertPathExists=/etc/os-release' ++(! systemd-analyze condition 'ConditionArchitecture=|!arm' 'AssertXYZ=foo') ++(! systemd-analyze condition 'ConditionKernelVersion=<1.0') ++(! systemd-analyze condition 'AssertKernelVersion=<1.0') ++# syscall-filter ++systemd-analyze syscall-filter >/dev/null ++systemd-analyze syscall-filter @chown @sync ++systemd-analyze syscall-filter @sync @sync @sync ++(! systemd-analyze syscall-filter @chown @sync @foobar) ++# filesystems (requires libbpf support) ++if systemctl --version | grep "+BPF_FRAMEWORK"; then ++ systemd-analyze filesystems >/dev/null ++ systemd-analyze filesystems @basic-api ++ systemd-analyze filesystems @basic-api @basic-api @basic-api ++ (! systemd-analyze filesystems @basic-api @basic-api @foobar @basic-api) ++fi ++# calendar ++systemd-analyze calendar '*-2-29 0:0:0' ++systemd-analyze calendar --iterations=5 '*-2-29 0:0:0' ++systemd-analyze calendar '*-* *:*:*' ++systemd-analyze calendar --iterations=5 '*-* *:*:*' ++systemd-analyze calendar --iterations=50 '*-* *:*:*' ++systemd-analyze calendar --iterations=0 '*-* *:*:*' ++systemd-analyze calendar --base-time=yesterday --iterations=5 '*-* *:*:*' ++(! systemd-analyze calendar --iterations=0 '*-* 99:*:*') ++(! systemd-analyze calendar --base-time=never '*-* *:*:*') ++(! systemd-analyze calendar 1) ++(! systemd-analyze calendar "") ++# timestamp ++systemd-analyze timestamp now ++systemd-analyze timestamp -- -1 ++systemd-analyze timestamp yesterday now tomorrow ++(! systemd-analyze timestamp yesterday never tomorrow) ++(! systemd-analyze timestamp 1) ++(! systemd-analyze timestamp "") ++# timespan ++systemd-analyze timespan 1 ++systemd-analyze timespan 1s 300s '1year 0.000001s' ++(! systemd-analyze timespan 1s 300s aaaaaa '1year 0.000001s') ++(! systemd-analyze timespan -- -1) ++(! systemd-analyze timespan "") ++# cat-config ++systemd-analyze cat-config systemd/system.conf >/dev/null ++systemd-analyze cat-config /etc/systemd/system.conf >/dev/null ++systemd-analyze cat-config systemd/system.conf systemd/journald.conf >/dev/null ++systemd-analyze cat-config systemd/system.conf foo/bar systemd/journald.conf >/dev/null ++systemd-analyze cat-config foo/bar ++ + mkdir -p /tmp/img/usr/lib/systemd/system/ + mkdir -p /tmp/img/opt/ + diff --git a/SOURCES/0018-udev-first-set-properties-based-on-usb-subsystem.patch b/SOURCES/0018-udev-first-set-properties-based-on-usb-subsystem.patch new file mode 100644 index 0000000..8f9c37e --- /dev/null +++ b/SOURCES/0018-udev-first-set-properties-based-on-usb-subsystem.patch @@ -0,0 +1,37 @@ +From 080747ee6685b9c5877073c5120375e7a04d8216 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Thu, 3 Nov 2022 09:39:36 +0900 +Subject: [PATCH] udev: first set properties based on usb subsystem + +After 479da1107a0d4e2f7ef5cd938512b87a0e45f180, the usb_id builtin +command does not set ID_SERIAL if ID_BUS is already set. +Before the commit, all properties set based on pci bus were overwritten +by the usb_id, hence now it is sufficient setting them only when ID_BUS is +not set yet. + +Fixes #25238. + +(cherry picked from commit 01e704eba982fbc1517287cd261d229ff8e0a779) + +Related #2138081 +--- + rules.d/60-serial.rules | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/rules.d/60-serial.rules b/rules.d/60-serial.rules +index f303e27fd5..c133f26109 100644 +--- a/rules.d/60-serial.rules ++++ b/rules.d/60-serial.rules +@@ -3,9 +3,10 @@ + ACTION=="remove", GOTO="serial_end" + SUBSYSTEM!="tty", GOTO="serial_end" + +-SUBSYSTEMS=="pci", ENV{ID_BUS}="pci", ENV{ID_VENDOR_ID}="$attr{vendor}", ENV{ID_MODEL_ID}="$attr{device}" +-SUBSYSTEMS=="pci", IMPORT{builtin}="hwdb --subsystem=pci" + SUBSYSTEMS=="usb", IMPORT{builtin}="usb_id", IMPORT{builtin}="hwdb --subsystem=usb" ++SUBSYSTEMS=="pci", ENV{ID_BUS}=="", ENV{ID_BUS}="pci", \ ++ ENV{ID_VENDOR_ID}="$attr{vendor}", ENV{ID_MODEL_ID}="$attr{device}", \ ++ IMPORT{builtin}="hwdb --subsystem=pci" + + # /dev/serial/by-path/, /dev/serial/by-id/ for USB devices + KERNEL!="ttyUSB[0-9]*|ttyACM[0-9]*", GOTO="serial_end" diff --git a/SOURCES/0019-udev-drop-redundant-call-of-usb_id-and-assignment-of.patch b/SOURCES/0019-udev-drop-redundant-call-of-usb_id-and-assignment-of.patch new file mode 100644 index 0000000..8cc2c38 --- /dev/null +++ b/SOURCES/0019-udev-drop-redundant-call-of-usb_id-and-assignment-of.patch @@ -0,0 +1,30 @@ +From 35ec16bfef92d072edacad892fc138b3595ee69b Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Thu, 3 Nov 2022 09:43:14 +0900 +Subject: [PATCH] udev: drop redundant call of usb_id and assignment of + ID_USB_INTERFACE_NUM + +The usb_id builtin command is already called in the above, and the +command sets the ID_USB_INTERFACE_NUM property. + +(cherry picked from commit b2e53f5a0f12db65c88404477fedee5c57d201ba) + +Related #2138081 +--- + rules.d/60-serial.rules | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/rules.d/60-serial.rules b/rules.d/60-serial.rules +index c133f26109..2c1488e930 100644 +--- a/rules.d/60-serial.rules ++++ b/rules.d/60-serial.rules +@@ -17,9 +17,7 @@ IMPORT{builtin}="path_id" + ENV{ID_PATH}=="?*", ENV{.ID_PORT}=="", SYMLINK+="serial/by-path/$env{ID_PATH}" + ENV{ID_PATH}=="?*", ENV{.ID_PORT}=="?*", SYMLINK+="serial/by-path/$env{ID_PATH}-port$env{.ID_PORT}" + +-IMPORT{builtin}="usb_id" + ENV{ID_SERIAL}=="", GOTO="serial_end" +-SUBSYSTEMS=="usb", ENV{ID_USB_INTERFACE_NUM}="$attr{bInterfaceNumber}" + ENV{ID_USB_INTERFACE_NUM}=="", GOTO="serial_end" + ENV{.ID_PORT}=="", SYMLINK+="serial/by-id/$env{ID_BUS}-$env{ID_SERIAL}-if$env{ID_USB_INTERFACE_NUM}" + ENV{.ID_PORT}=="?*", SYMLINK+="serial/by-id/$env{ID_BUS}-$env{ID_SERIAL}-if$env{ID_USB_INTERFACE_NUM}-port$env{.ID_PORT}" diff --git a/SOURCES/0020-udev-add-safe-guard-for-setting-by-id-symlink.patch b/SOURCES/0020-udev-add-safe-guard-for-setting-by-id-symlink.patch new file mode 100644 index 0000000..975ad03 --- /dev/null +++ b/SOURCES/0020-udev-add-safe-guard-for-setting-by-id-symlink.patch @@ -0,0 +1,26 @@ +From 03bb31bbb875e20da7ae37eb44e98d244823e0e7 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Thu, 3 Nov 2022 09:52:23 +0900 +Subject: [PATCH] udev: add safe guard for setting by-id symlink + +The ID_BUS property is necessary for creating by-id symlinks. + +(cherry picked from commit 5286da064c97d2ac934cb301066aaa8605a3c8f9) + +Related #2138081 +--- + rules.d/60-serial.rules | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/rules.d/60-serial.rules b/rules.d/60-serial.rules +index 2c1488e930..a0e66323a9 100644 +--- a/rules.d/60-serial.rules ++++ b/rules.d/60-serial.rules +@@ -17,6 +17,7 @@ IMPORT{builtin}="path_id" + ENV{ID_PATH}=="?*", ENV{.ID_PORT}=="", SYMLINK+="serial/by-path/$env{ID_PATH}" + ENV{ID_PATH}=="?*", ENV{.ID_PORT}=="?*", SYMLINK+="serial/by-path/$env{ID_PATH}-port$env{.ID_PORT}" + ++ENV{ID_BUS}=="", GOTO="serial_end" + ENV{ID_SERIAL}=="", GOTO="serial_end" + ENV{ID_USB_INTERFACE_NUM}=="", GOTO="serial_end" + ENV{.ID_PORT}=="", SYMLINK+="serial/by-id/$env{ID_BUS}-$env{ID_SERIAL}-if$env{ID_USB_INTERFACE_NUM}" diff --git a/SOURCES/0021-test-cover-legacy-deprecated-systemd-analyze-verbs.patch b/SOURCES/0021-test-cover-legacy-deprecated-systemd-analyze-verbs.patch new file mode 100644 index 0000000..af66167 --- /dev/null +++ b/SOURCES/0021-test-cover-legacy-deprecated-systemd-analyze-verbs.patch @@ -0,0 +1,45 @@ +From 266baa71dbb336d9c2eb1e4e7db3983477cc6ce0 Mon Sep 17 00:00:00 2001 +From: Frantisek Sumsal +Date: Thu, 3 Nov 2022 10:59:38 +0100 +Subject: [PATCH] test: cover legacy/deprecated systemd-analyze verbs + +They're no longer documented since 26e1e97345 but still work. + +(cherry picked from commit 926d95cd4c209b8c292829511542b11d7c43e662) + +Related #2138081 +--- + test/units/testsuite-65.sh | 13 ++++++++++++- + 1 file changed, 12 insertions(+), 1 deletion(-) + +diff --git a/test/units/testsuite-65.sh b/test/units/testsuite-65.sh +index ece6b8734e..89406a108e 100755 +--- a/test/units/testsuite-65.sh ++++ b/test/units/testsuite-65.sh +@@ -6,7 +6,7 @@ set -eux + # shellcheck source=test/units/assert.sh + . "$(dirname "$0")"/assert.sh + +-systemd-analyze log-level debug ++systemctl log-level debug + export SYSTEMD_LOG_LEVEL=debug + + # Sanity checks +@@ -19,6 +19,17 @@ systemd-analyze time || : + systemd-analyze blame || : + systemd-analyze critical-chain || : + systemd-analyze plot >/dev/null || : ++# legacy/deprecated options (moved to systemctl, but still usable from analyze) ++systemd-analyze log-level ++systemd-analyze log-level "$(systemctl log-level)" ++systemd-analyze get-log-level ++systemd-analyze set-log-level "$(systemctl log-level)" ++systemd-analyze log-target ++systemd-analyze log-target "$(systemctl log-target)" ++systemd-analyze get-log-target ++systemd-analyze set-log-target "$(systemctl log-target)" ++systemd-analyze service-watchdogs ++systemd-analyze service-watchdogs "$(systemctl service-watchdogs)" + # dot + systemd-analyze dot >/dev/null + systemd-analyze dot systemd-journald.service >/dev/null diff --git a/SOURCES/0022-test-cover-a-couple-of-previously-missed-analyze-cod.patch b/SOURCES/0022-test-cover-a-couple-of-previously-missed-analyze-cod.patch new file mode 100644 index 0000000..f5a3f00 --- /dev/null +++ b/SOURCES/0022-test-cover-a-couple-of-previously-missed-analyze-cod.patch @@ -0,0 +1,56 @@ +From 37614533602981aa3757cd3e847f184fdae1432e Mon Sep 17 00:00:00 2001 +From: Frantisek Sumsal +Date: Thu, 3 Nov 2022 11:33:13 +0100 +Subject: [PATCH] test: cover a couple of previously missed analyze code paths + +(cherry picked from commit 8b1879bcd0ed1168f5ad35a3dd0e213a31a2ee42) + +Related #2138081 +--- + test/units/testsuite-65.sh | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/test/units/testsuite-65.sh b/test/units/testsuite-65.sh +index 89406a108e..1f34308b44 100755 +--- a/test/units/testsuite-65.sh ++++ b/test/units/testsuite-65.sh +@@ -45,8 +45,16 @@ systemd-analyze dot "systemd-*.service" >/dev/null + systemd-analyze dump >/dev/null + systemd-analyze dump "*" >/dev/null + systemd-analyze dump "*.socket" >/dev/null ++systemd-analyze dump "*.socket" "*.service" aaaaaaa ... >/dev/null + systemd-analyze dump systemd-journald.service >/dev/null + (! systemd-analyze dump "") ++# unit-files ++systemd-analyze unit-files >/dev/null ++systemd-analyze unit-files systemd-journald.service >/dev/null ++systemd-analyze unit-files "*" >/dev/null ++systemd-analyze unit-files "*" aaaaaa "*.service" "*.target" >/dev/null ++systemd-analyze unit-files --user >/dev/null ++systemd-analyze unit-files --user "*" aaaaaa "*.service" "*.target" >/dev/null + # unit-paths + systemd-analyze unit-paths + systemd-analyze unit-paths --user +@@ -103,6 +111,7 @@ systemd-analyze calendar '*-* *:*:*' + systemd-analyze calendar --iterations=5 '*-* *:*:*' + systemd-analyze calendar --iterations=50 '*-* *:*:*' + systemd-analyze calendar --iterations=0 '*-* *:*:*' ++systemd-analyze calendar --iterations=5 '01-01-22 01:00:00' + systemd-analyze calendar --base-time=yesterday --iterations=5 '*-* *:*:*' + (! systemd-analyze calendar --iterations=0 '*-* 99:*:*') + (! systemd-analyze calendar --base-time=never '*-* *:*:*') +@@ -114,12 +123,14 @@ systemd-analyze timestamp -- -1 + systemd-analyze timestamp yesterday now tomorrow + (! systemd-analyze timestamp yesterday never tomorrow) + (! systemd-analyze timestamp 1) ++(! systemd-analyze timestamp '*-2-29 0:0:0') + (! systemd-analyze timestamp "") + # timespan + systemd-analyze timespan 1 + systemd-analyze timespan 1s 300s '1year 0.000001s' + (! systemd-analyze timespan 1s 300s aaaaaa '1year 0.000001s') + (! systemd-analyze timespan -- -1) ++(! systemd-analyze timespan '*-2-29 0:0:0') + (! systemd-analyze timespan "") + # cat-config + systemd-analyze cat-config systemd/system.conf >/dev/null diff --git a/SOURCES/0023-test-introduce-sanity-coverage-for-auxiliary-utils.patch b/SOURCES/0023-test-introduce-sanity-coverage-for-auxiliary-utils.patch new file mode 100644 index 0000000..a5816ba --- /dev/null +++ b/SOURCES/0023-test-introduce-sanity-coverage-for-auxiliary-utils.patch @@ -0,0 +1,371 @@ +From e0d51a65a8bbe8c86af4bb843a5f9ac7d590fa01 Mon Sep 17 00:00:00 2001 +From: Frantisek Sumsal +Date: Thu, 3 Nov 2022 13:13:03 +0100 +Subject: [PATCH] test: introduce sanity coverage for auxiliary utils + +(cherry picked from commit d1020334fd15e0cffe68cb4d7e862a36253cc481) + +Related #2138081 +--- + test/TEST-74-AUX-UTILS/Makefile | 1 + + test/TEST-74-AUX-UTILS/test.sh | 10 ++ + test/units/testsuite-74.cgls.sh | 26 +++++ + test/units/testsuite-74.cgtop.sh | 32 ++++++ + test/units/testsuite-74.delta.sh | 59 +++++++++++ + test/units/testsuite-74.firstboot.sh | 145 +++++++++++++++++++++++++++ + test/units/testsuite-74.service | 8 ++ + test/units/testsuite-74.sh | 14 +++ + 8 files changed, 295 insertions(+) + create mode 120000 test/TEST-74-AUX-UTILS/Makefile + create mode 100755 test/TEST-74-AUX-UTILS/test.sh + create mode 100755 test/units/testsuite-74.cgls.sh + create mode 100755 test/units/testsuite-74.cgtop.sh + create mode 100755 test/units/testsuite-74.delta.sh + create mode 100755 test/units/testsuite-74.firstboot.sh + create mode 100644 test/units/testsuite-74.service + create mode 100755 test/units/testsuite-74.sh + +diff --git a/test/TEST-74-AUX-UTILS/Makefile b/test/TEST-74-AUX-UTILS/Makefile +new file mode 120000 +index 0000000000..e9f93b1104 +--- /dev/null ++++ b/test/TEST-74-AUX-UTILS/Makefile +@@ -0,0 +1 @@ ++../TEST-01-BASIC/Makefile +\ No newline at end of file +diff --git a/test/TEST-74-AUX-UTILS/test.sh b/test/TEST-74-AUX-UTILS/test.sh +new file mode 100755 +index 0000000000..f422c89141 +--- /dev/null ++++ b/test/TEST-74-AUX-UTILS/test.sh +@@ -0,0 +1,10 @@ ++#!/usr/bin/env bash ++# SPDX-License-Identifier: LGPL-2.1-or-later ++set -e ++ ++TEST_DESCRIPTION="Tests for auxiliary utilities" ++ ++# shellcheck source=test/test-functions ++. "${TEST_BASE_DIR:?}/test-functions" ++ ++do_test "$@" +diff --git a/test/units/testsuite-74.cgls.sh b/test/units/testsuite-74.cgls.sh +new file mode 100755 +index 0000000000..120570c9cc +--- /dev/null ++++ b/test/units/testsuite-74.cgls.sh +@@ -0,0 +1,26 @@ ++#!/usr/bin/env bash ++# SPDX-License-Identifier: LGPL-2.1-or-later ++set -eux ++set -o pipefail ++ ++systemd-cgls ++systemd-cgls --all --full ++systemd-cgls -k ++systemd-cgls --xattr=yes ++systemd-cgls --xattr=no ++systemd-cgls --cgroup-id=yes ++systemd-cgls --cgroup-id=no ++ ++systemd-cgls /system.slice/systemd-journald.service ++systemd-cgls /system.slice/systemd-journald.service /init.scope ++systemd-cgls /sys/fs/cgroup/system.slice/systemd-journald.service /init.scope ++(cd /sys/fs/cgroup/init.scope && systemd-cgls) ++systemd-cgls --unit=systemd-journald.service ++# There's most likely no user session running, so we need to create one ++systemd-run --user --wait --pipe -M testuser@.host systemd-cgls --user-unit=app.slice ++ ++(! systemd-cgls /foo/bar) ++(! systemd-cgls --unit=hello.world) ++(! systemd-cgls --user-unit=hello.world) ++(! systemd-cgls --xattr=foo) ++(! systemd-cgls --cgroup-id=foo) +diff --git a/test/units/testsuite-74.cgtop.sh b/test/units/testsuite-74.cgtop.sh +new file mode 100755 +index 0000000000..8141ec1b1f +--- /dev/null ++++ b/test/units/testsuite-74.cgtop.sh +@@ -0,0 +1,32 @@ ++#!/usr/bin/env bash ++# SPDX-License-Identifier: LGPL-2.1-or-later ++set -eux ++set -o pipefail ++ ++# Without tty attached cgtop should default to --iterations=1 ++systemd-cgtop ++systemd-cgtop --iterations=1 ++# Same as --iterations=1 ++systemd-cgtop -1 ++systemd-cgtop --delay=1ms ++systemd-cgtop --raw ++systemd-cgtop --batch ++systemd-cgtop --cpu=percentage ++systemd-cgtop --cpu=time ++systemd-cgtop -P ++systemd-cgtop -k ++# FIXME: https://github.com/systemd/systemd/issues/25248 ++#systemd-cgtop --recursive=no ++systemd-cgtop --depth=0 ++systemd-cgtop --depth=100 ++ ++for order in path tasks cpu memory io; do ++ systemd-cgtop --order="$order" ++done ++systemd-cgtop -p -t -c -m -i ++ ++(! systemd-cgtop --cpu=foo) ++(! systemd-cgtop --order=foo) ++(! systemd-cgtop --depth=-1) ++(! systemd-cgtop --recursive=foo) ++(! systemd-cgtop --delay=1foo) +diff --git a/test/units/testsuite-74.delta.sh b/test/units/testsuite-74.delta.sh +new file mode 100755 +index 0000000000..a0e1cb52dd +--- /dev/null ++++ b/test/units/testsuite-74.delta.sh +@@ -0,0 +1,59 @@ ++#!/usr/bin/env bash ++# SPDX-License-Identifier: LGPL-2.1-or-later ++set -eux ++set -o pipefail ++ ++at_exit() { ++ rm -rfv /{run,etc}/systemd/system/delta-test* ++} ++ ++trap at_exit EXIT ++ ++# Create a couple of supporting units with overrides ++# ++# Extended unit ++cat >"/run/systemd/system/delta-test-unit-extended.service" <"/run/systemd/system/delta-test-unit-extended.service.d/override.conf" <>/etc/systemd/system/delta-test-unit-overridden.service ++# Overridden but equivalent unit ++ln -srfv /run/systemd/system/delta-test-unit-extended.service /run/systemd/system/delta-test-unit-equivalent.service ++ln -sfv /run/systemd/system/delta-test-unit-extended.service /etc/systemd/system/delta-test-unit-equivalent.service ++# Redirected unit ++ln -srfv /run/systemd/system/delta-test-unit-extended.service /run/systemd/system/delta-test-unit-redirected.service ++ln -sfv /run/systemd/system/delta-test-unit-overidden.service /etc/systemd/system/delta-test-unit-extended.service ++ ++systemctl daemon-reload ++ ++systemd-delta ++systemd-delta /run ++systemd-delta systemd/system ++systemd-delta /run systemd/system /run ++systemd-delta /run foo/bar hello/world systemd/system /run ++systemd-delta foo/bar ++systemd-delta --diff=true ++systemd-delta --diff=false ++ ++for type in masked equivalent redirected overridden extended unchanged; do ++ systemd-delta --type="$type" ++ systemd-delta --type="$type" /run ++done ++systemd-delta --type=equivalent,redirected ++ ++(! systemd-delta --diff=foo) ++(! systemd-delta --type=foo) ++(! systemd-delta --type=equivalent,redirected,foo) +diff --git a/test/units/testsuite-74.firstboot.sh b/test/units/testsuite-74.firstboot.sh +new file mode 100755 +index 0000000000..02f9f5cd7a +--- /dev/null ++++ b/test/units/testsuite-74.firstboot.sh +@@ -0,0 +1,145 @@ ++#!/usr/bin/env bash ++# SPDX-License-Identifier: LGPL-2.1-or-later ++set -eux ++set -o pipefail ++ ++if ! command -v systemd-firstboot >/dev/null; then ++ echo "systemd-firstboot not found, skipping the test" ++ exit 0 ++fi ++ ++at_exit() { ++ if [[ -v ROOT && -n "$ROOT" ]]; then ++ ls -lR "$ROOT" ++ rm -fr "$ROOT" ++ fi ++} ++ ++trap at_exit EXIT ++ ++# Generated via `mkpasswd -m sha-512 -S foobarsalt password1` ++# shellcheck disable=SC2016 ++ROOT_HASHED_PASSWORD1='$6$foobarsalt$YbwdaATX6IsFxvWbY3QcZj2gB31R/LFRFrjlFrJtTTqFtSfn4dfOAg/km2k4Sl.a2g7LOYDo31wMTaEsCo9j41' ++# Generated via `mkpasswd -m sha-512 -S foobarsalt password2` ++# shellcheck disable=SC2016 ++ROOT_HASHED_PASSWORD2='$6$foobarsalt$q.P2932zYMLbKnjFwIxPI8y3iuxeuJ2BgE372LcZMMnj3Gcg/9mJg2LPKUl.ha0TG/.fRNNnRQcLfzM0SNot3.' ++ ++# Create a minimal root so we don't modify the testbed ++ROOT=test-root ++mkdir -p "$ROOT/bin" ++# Dummy shell for --root-shell= ++touch "$ROOT/bin/fooshell" "$ROOT/bin/barshell" ++ ++systemd-firstboot --root="$ROOT" --locale=foo ++grep -q "LANG=foo" "$ROOT/etc/locale.conf" ++rm -fv "$ROOT/etc/locale.conf" ++# FIXME: https://github.com/systemd/systemd/issues/25249 ++#systemd-firstboot --root="$ROOT" --locale-messages=foo ++#grep -q "LC_MESSAGES=foo" "$ROOT/etc/locale.conf" ++#rm -fv "$ROOT/etc/locale.conf" ++systemd-firstboot --root="$ROOT" --locale=foo --locale-messages=bar ++grep -q "LANG=foo" "$ROOT/etc/locale.conf" ++grep -q "LC_MESSAGES=bar" "$ROOT/etc/locale.conf" ++ ++systemd-firstboot --root="$ROOT" --keymap=foo ++grep -q "KEYMAP=foo" "$ROOT/etc/vconsole.conf" ++ ++systemd-firstboot --root="$ROOT" --timezone=Europe/Berlin ++readlink "$ROOT/etc/localtime" | grep -q "Europe/Berlin" ++ ++systemd-firstboot --root="$ROOT" --hostname "foobar" ++grep -q "foobar" "$ROOT/etc/hostname" ++ ++systemd-firstboot --root="$ROOT" --machine-id=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa ++grep -q "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "$ROOT/etc/machine-id" ++ ++rm -fv "$ROOT/etc/passwd" "$ROOT/etc/shadow" ++systemd-firstboot --root="$ROOT" --root-password=foo ++grep -q "^root:x:0:0:" "$ROOT/etc/passwd" ++grep -q "^root:" "$ROOT/etc/shadow" ++rm -fv "$ROOT/etc/passwd" "$ROOT/etc/shadow" ++echo "foo" >root.passwd ++systemd-firstboot --root="$ROOT" --root-password-file=root.passwd ++grep -q "^root:x:0:0:" "$ROOT/etc/passwd" ++grep -q "^root:" "$ROOT/etc/shadow" ++rm -fv "$ROOT/etc/passwd" "$ROOT/etc/shadow" root.passwd ++# Set the shell together with the password, as firstboot won't touch ++# /etc/passwd if it already exists ++systemd-firstboot --root="$ROOT" --root-password-hashed="$ROOT_HASHED_PASSWORD1" --root-shell=/bin/fooshell ++grep -q "^root:x:0:0:.*:/bin/fooshell$" "$ROOT/etc/passwd" ++grep -q "^root:$ROOT_HASHED_PASSWORD1:" "$ROOT/etc/shadow" ++ ++systemd-firstboot --root="$ROOT" --kernel-command-line="foo.bar=42" ++grep -q "foo.bar=42" "$ROOT/etc/kernel/cmdline" ++ ++# Configs should not get overwritten if they exist unless --force is used ++systemd-firstboot --root="$ROOT" \ ++ --locale=locale-overwrite \ ++ --locale-messages=messages-overwrite \ ++ --keymap=keymap-overwrite \ ++ --timezone=CET \ ++ --hostname=hostname-overwrite \ ++ --machine-id=bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb \ ++ --root-password-hashed="$ROOT_HASHED_PASSWORD2" \ ++ --root-shell=/bin/barshell \ ++ --kernel-command-line="hello.world=0" ++grep -q "LANG=foo" "$ROOT/etc/locale.conf" ++grep -q "LC_MESSAGES=bar" "$ROOT/etc/locale.conf" ++grep -q "KEYMAP=foo" "$ROOT/etc/vconsole.conf" ++readlink "$ROOT/etc/localtime" | grep -q "Europe/Berlin$" ++grep -q "foobar" "$ROOT/etc/hostname" ++grep -q "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "$ROOT/etc/machine-id" ++grep -q "^root:x:0:0:.*:/bin/fooshell$" "$ROOT/etc/passwd" ++grep -q "^root:$ROOT_HASHED_PASSWORD1:" "$ROOT/etc/shadow" ++grep -q "foo.bar=42" "$ROOT/etc/kernel/cmdline" ++ ++# The same thing, but now with --force ++systemd-firstboot --root="$ROOT" --force \ ++ --locale=locale-overwrite \ ++ --locale-messages=messages-overwrite \ ++ --keymap=keymap-overwrite \ ++ --timezone=CET \ ++ --hostname=hostname-overwrite \ ++ --machine-id=bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb \ ++ --root-password-hashed="$ROOT_HASHED_PASSWORD2" \ ++ --root-shell=/bin/barshell \ ++ --kernel-command-line="hello.world=0" ++grep -q "LANG=locale-overwrite" "$ROOT/etc/locale.conf" ++grep -q "LC_MESSAGES=messages-overwrite" "$ROOT/etc/locale.conf" ++grep -q "KEYMAP=keymap-overwrite" "$ROOT/etc/vconsole.conf" ++readlink "$ROOT/etc/localtime" | grep -q "/CET$" ++grep -q "hostname-overwrite" "$ROOT/etc/hostname" ++grep -q "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb" "$ROOT/etc/machine-id" ++grep -q "^root:x:0:0:.*:/bin/barshell$" "$ROOT/etc/passwd" ++grep -q "^root:$ROOT_HASHED_PASSWORD2:" "$ROOT/etc/shadow" ++grep -q "hello.world=0" "$ROOT/etc/kernel/cmdline" ++ ++# --copy-* options ++rm -fr "$ROOT" ++mkdir "$ROOT" ++# Copy everything at once (--copy) ++systemd-firstboot --root="$ROOT" --copy ++diff /etc/locale.conf "$ROOT/etc/locale.conf" ++diff <(awk -F: '/^root/ { print $7; }' /etc/passwd) <(awk -F: '/^root/ { print $7; }' "$ROOT/etc/passwd") ++diff <(awk -F: '/^root/ { print $2; }' /etc/shadow) <(awk -F: '/^root/ { print $2; }' "$ROOT/etc/shadow") ++[[ -e /etc/vconsole.conf ]] && diff /etc/vconsole.conf "$ROOT/etc/vconsole.conf" ++[[ -e /etc/localtime ]] && diff <(readlink /etc/localtime) <(readlink "$ROOT/etc/localtime") ++rm -fr "$ROOT" ++mkdir "$ROOT" ++# Copy everything at once, but now by using separate switches ++systemd-firstboot --root="$ROOT" --copy-locale --copy-keymap --copy-timezone --copy-root-password --copy-root-shell ++diff /etc/locale.conf "$ROOT/etc/locale.conf" ++diff <(awk -F: '/^root/ { print $7; }' /etc/passwd) <(awk -F: '/^root/ { print $7; }' "$ROOT/etc/passwd") ++diff <(awk -F: '/^root/ { print $2; }' /etc/shadow) <(awk -F: '/^root/ { print $2; }' "$ROOT/etc/shadow") ++[[ -e /etc/vconsole.conf ]] && diff /etc/vconsole.conf "$ROOT/etc/vconsole.conf" ++[[ -e /etc/localtime ]] && diff <(readlink /etc/localtime) <(readlink "$ROOT/etc/localtime") ++ ++# Assorted tests ++rm -fr "$ROOT" ++mkdir "$ROOT" ++ ++systemd-firstboot --root="$ROOT" --setup-machine-id ++grep -E "[a-z0-9]{32}" "$ROOT/etc/machine-id" ++ ++systemd-firstboot --root="$ROOT" --delete-root-password ++diff <(echo) <(awk -F: '/^root/ { print $2; }' "$ROOT/etc/shadow") +diff --git a/test/units/testsuite-74.service b/test/units/testsuite-74.service +new file mode 100644 +index 0000000000..f782132a92 +--- /dev/null ++++ b/test/units/testsuite-74.service +@@ -0,0 +1,8 @@ ++# SPDX-License-Identifier: LGPL-2.1-or-later ++[Unit] ++Description=TEST-74-AUX-UTILS ++ ++[Service] ++ExecStartPre=rm -f /failed /testok ++ExecStart=/usr/lib/systemd/tests/testdata/units/%N.sh ++Type=oneshot +diff --git a/test/units/testsuite-74.sh b/test/units/testsuite-74.sh +new file mode 100755 +index 0000000000..13c767e490 +--- /dev/null ++++ b/test/units/testsuite-74.sh +@@ -0,0 +1,14 @@ ++#!/usr/bin/env bash ++# SPDX-License-Identifier: LGPL-2.1-or-later ++set -eux ++set -o pipefail ++ ++: >/failed ++ ++for script in "${0%.sh}".*.sh; do ++ echo "Running $script" ++ "./$script" ++done ++ ++touch /testok ++rm /failed diff --git a/SOURCES/0024-firstboot-fix-segfault-when-locale-messages-is-passe.patch b/SOURCES/0024-firstboot-fix-segfault-when-locale-messages-is-passe.patch new file mode 100644 index 0000000..3e841db --- /dev/null +++ b/SOURCES/0024-firstboot-fix-segfault-when-locale-messages-is-passe.patch @@ -0,0 +1,56 @@ +From 1ef6ffdf0923095752665c7ff6062514dfa6c6bf Mon Sep 17 00:00:00 2001 +From: Luca Boccassi +Date: Fri, 4 Nov 2022 00:01:16 +0000 +Subject: [PATCH] firstboot: fix segfault when --locale-messages= is passed + without --locale= + +\#0 __strcmp_evex () at ../sysdeps/x86_64/multiarch/strcmp-evex.S:295 +No locals. +\#1 0x0000557444eb172b in process_locale () at ../src/firstboot/firstboot.c:342 + etc_localeconf = 0x7ffd40217b80 "/root/root/etc/locale.conf" + locales = {0x0, 0x0, 0x0} + i = 0 + r = + __PRETTY_FUNCTION__ = "process_locale" + __func__ = "process_locale" +\#2 0x0000557444eaff93 in run (argv=0x7ffd40217d98, argc=3) at ../src/firstboot/firstboot.c:1401 + loop_device = 0x0 + unlink_dir = 0x0 + r = + loop_device = + unlink_dir = + r = + __func__ = + __PRETTY_FUNCTION__ = + enabled = + _error = + _level = + _e = + _level = + _e = +\#3 main (argc=3, argv=0x7ffd40217d98) at ../src/firstboot/firstboot.c:1432 + r = + __PRETTY_FUNCTION__ = "main" + +Fixes https://github.com/systemd/systemd/issues/25249 + +(cherry picked from commit 4c4a73ce068ef16cfe7ad07c7c3386ac1dbc58fe) + +Related #2138081 +--- + src/firstboot/firstboot.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/firstboot/firstboot.c b/src/firstboot/firstboot.c +index 065ee896cd..63db78b52d 100644 +--- a/src/firstboot/firstboot.c ++++ b/src/firstboot/firstboot.c +@@ -339,7 +339,7 @@ static int process_locale(void) { + + if (!isempty(arg_locale)) + locales[i++] = strjoina("LANG=", arg_locale); +- if (!isempty(arg_locale_messages) && !streq(arg_locale_messages, arg_locale)) ++ if (!isempty(arg_locale_messages) && !streq_ptr(arg_locale_messages, arg_locale)) + locales[i++] = strjoina("LC_MESSAGES=", arg_locale_messages); + + if (i == 0) diff --git a/SOURCES/0025-tests-make-test-execute-pass-on-openSUSE.patch b/SOURCES/0025-tests-make-test-execute-pass-on-openSUSE.patch new file mode 100644 index 0000000..1d42aaa --- /dev/null +++ b/SOURCES/0025-tests-make-test-execute-pass-on-openSUSE.patch @@ -0,0 +1,76 @@ +From 1d41d2789bb67f5909d6974d2fd916e462a0a5cf Mon Sep 17 00:00:00 2001 +From: Franck Bui +Date: Fri, 4 Nov 2022 12:24:10 +0100 +Subject: [PATCH] tests: make test-execute pass on openSUSE + +In my understanding user group "3" (aka "sys") is kept for historical reasons +but not really useful these days. That's probably explained why this group +isn't defined on openSUSE. + +Hence let's drop reference to this user group, this shouldn't lessen the +revelance of the test since SupplementaryGroups= is still tested with 2 other +groups. + +(cherry picked from commit d723b0467d7b8c5c772086d5352442f3fca4368d) + +Related #2138081 +--- + test/test-execute/exec-dynamicuser-supplementarygroups.service | 3 +-- + ...plementarygroups-multiple-groups-default-group-user.service | 3 +-- + .../exec-supplementarygroups-multiple-groups-withgid.service | 3 +-- + .../exec-supplementarygroups-multiple-groups-withuid.service | 3 +-- + 4 files changed, 4 insertions(+), 8 deletions(-) + +diff --git a/test/test-execute/exec-dynamicuser-supplementarygroups.service b/test/test-execute/exec-dynamicuser-supplementarygroups.service +index fb0b57bc00..53ba0ec7cb 100644 +--- a/test/test-execute/exec-dynamicuser-supplementarygroups.service ++++ b/test/test-execute/exec-dynamicuser-supplementarygroups.service +@@ -5,7 +5,6 @@ Description=Test DynamicUser with SupplementaryGroups= + [Service] + ExecStart=/bin/sh -x -c 'HAVE=0; for g in $$(id -G); do test "$$g" = "1" && HAVE=1; done; test "$$HAVE" -eq 1' + ExecStart=/bin/sh -x -c 'HAVE=0; for g in $$(id -G); do test "$$g" = "2" && HAVE=1; done; test "$$HAVE" -eq 1' +-ExecStart=/bin/sh -x -c 'HAVE=0; for g in $$(id -G); do test "$$g" = "3" && HAVE=1; done; test "$$HAVE" -eq 1' + Type=oneshot + DynamicUser=yes +-SupplementaryGroups=1 2 3 ++SupplementaryGroups=1 2 +diff --git a/test/test-execute/exec-supplementarygroups-multiple-groups-default-group-user.service b/test/test-execute/exec-supplementarygroups-multiple-groups-default-group-user.service +index 362e539287..4cb0326320 100644 +--- a/test/test-execute/exec-supplementarygroups-multiple-groups-default-group-user.service ++++ b/test/test-execute/exec-supplementarygroups-multiple-groups-default-group-user.service +@@ -6,7 +6,6 @@ Description=Test for Supplementary Group with multiple groups without Group and + ExecStart=/bin/sh -x -c 'HAVE=0; for g in $$(id -G); do test "$$g" = "%G" && HAVE=1; done; test "$$HAVE" -eq 1' + ExecStart=/bin/sh -x -c 'HAVE=0; for g in $$(id -G); do test "$$g" = "1" && HAVE=1; done; test "$$HAVE" -eq 1' + ExecStart=/bin/sh -x -c 'HAVE=0; for g in $$(id -G); do test "$$g" = "2" && HAVE=1; done; test "$$HAVE" -eq 1' +-ExecStart=/bin/sh -x -c 'HAVE=0; for g in $$(id -G); do test "$$g" = "3" && HAVE=1; done; test "$$HAVE" -eq 1' + ExecStart=/bin/sh -x -c 'test "$$(id -g)" = "%G" && test "$$(id -u)" = "%U"' + Type=oneshot +-SupplementaryGroups=1 2 3 ++SupplementaryGroups=1 2 +diff --git a/test/test-execute/exec-supplementarygroups-multiple-groups-withgid.service b/test/test-execute/exec-supplementarygroups-multiple-groups-withgid.service +index ff3fdc8142..e11743d754 100644 +--- a/test/test-execute/exec-supplementarygroups-multiple-groups-withgid.service ++++ b/test/test-execute/exec-supplementarygroups-multiple-groups-withgid.service +@@ -5,8 +5,7 @@ Description=Test for Supplementary Group with multiple groups and Group=1 + [Service] + ExecStart=/bin/sh -x -c 'HAVE=0; for g in $$(id -G); do test "$$g" = "1" && HAVE=1; done; test "$$HAVE" -eq 1' + ExecStart=/bin/sh -x -c 'HAVE=0; for g in $$(id -G); do test "$$g" = "2" && HAVE=1; done; test "$$HAVE" -eq 1' +-ExecStart=/bin/sh -x -c 'HAVE=0; for g in $$(id -G); do test "$$g" = "3" && HAVE=1; done; test "$$HAVE" -eq 1' + ExecStart=/bin/sh -x -c 'test "$$(id -g)" = "1" && test "$$(id -u)" = "%U"' + Type=oneshot + Group=1 +-SupplementaryGroups=1 2 3 ++SupplementaryGroups=1 2 +diff --git a/test/test-execute/exec-supplementarygroups-multiple-groups-withuid.service b/test/test-execute/exec-supplementarygroups-multiple-groups-withuid.service +index f35ff84765..3efbbfb0f9 100644 +--- a/test/test-execute/exec-supplementarygroups-multiple-groups-withuid.service ++++ b/test/test-execute/exec-supplementarygroups-multiple-groups-withuid.service +@@ -5,7 +5,6 @@ Description=Test for Supplementary Group with multiple groups and Uid=1 + [Service] + ExecStart=/bin/sh -x -c 'HAVE=0; for g in $$(id -G); do test "$$g" = "1" && HAVE=1; done; test "$$HAVE" -eq 1' + ExecStart=/bin/sh -x -c 'HAVE=0; for g in $$(id -G); do test "$$g" = "2" && HAVE=1; done; test "$$HAVE" -eq 1' +-ExecStart=/bin/sh -x -c 'HAVE=0; for g in $$(id -G); do test "$$g" = "3" && HAVE=1; done; test "$$HAVE" -eq 1' + Type=oneshot + User=1 +-SupplementaryGroups=1 2 3 ++SupplementaryGroups=1 2 diff --git a/SOURCES/0026-tests-minor-simplification-in-test-execute.patch b/SOURCES/0026-tests-minor-simplification-in-test-execute.patch new file mode 100644 index 0000000..9c97139 --- /dev/null +++ b/SOURCES/0026-tests-minor-simplification-in-test-execute.patch @@ -0,0 +1,150 @@ +From 5685a8b01abf34ec5da7c43a99ede6e3bb7394eb Mon Sep 17 00:00:00 2001 +From: Franck Bui +Date: Fri, 4 Nov 2022 12:50:04 +0100 +Subject: [PATCH] tests: minor simplification in test-execute + +No functional change. + +(cherry picked from commit 09415aef940f4a471da7cb899b9a66f1504d7c77) + +Related #2138081 +--- + ...xec-dynamicuser-fixeduser-one-supplementarygroup.service | 2 +- + test/test-execute/exec-dynamicuser-fixeduser.service | 2 +- + .../exec-dynamicuser-supplementarygroups.service | 4 ++-- + ...mentarygroups-multiple-groups-default-group-user.service | 6 +++--- + ...exec-supplementarygroups-multiple-groups-withgid.service | 4 ++-- + ...exec-supplementarygroups-multiple-groups-withuid.service | 4 ++-- + .../exec-supplementarygroups-single-group-user.service | 2 +- + .../exec-supplementarygroups-single-group.service | 2 +- + test/test-execute/exec-supplementarygroups.service | 4 ++-- + 9 files changed, 15 insertions(+), 15 deletions(-) + +diff --git a/test/test-execute/exec-dynamicuser-fixeduser-one-supplementarygroup.service b/test/test-execute/exec-dynamicuser-fixeduser-one-supplementarygroup.service +index 0c2a218be0..bbb1af5fb3 100644 +--- a/test/test-execute/exec-dynamicuser-fixeduser-one-supplementarygroup.service ++++ b/test/test-execute/exec-dynamicuser-fixeduser-one-supplementarygroup.service +@@ -3,7 +3,7 @@ + Description=Test DynamicUser with User= and SupplementaryGroups= + + [Service] +-ExecStart=/bin/sh -x -c 'HAVE=0; for g in $$(id -G); do test "$$g" = "1" && HAVE=1; done; test "$$HAVE" -eq 1' ++ExecStart=/bin/sh -x -c 'for g in $$(id -G); do test "$$g" = "1" && exit 0; done; exit 1' + ExecStart=/bin/sh -x -c 'test "$$(id -g)" = "1" && test "$$(id -u)" = "1"' + Type=oneshot + User=1 +diff --git a/test/test-execute/exec-dynamicuser-fixeduser.service b/test/test-execute/exec-dynamicuser-fixeduser.service +index 061bbd2b93..c5828c2a93 100644 +--- a/test/test-execute/exec-dynamicuser-fixeduser.service ++++ b/test/test-execute/exec-dynamicuser-fixeduser.service +@@ -3,7 +3,7 @@ + Description=Test DynamicUser with User= + + [Service] +-ExecStart=/bin/sh -x -c 'HAVE=0; for g in $$(id -G); do test "$$g" = "1" && HAVE=1; done; test "$$HAVE" -eq 1' ++ExecStart=/bin/sh -x -c 'for g in $$(id -G); do test "$$g" = "1" && exit 0; done; exit 1' + ExecStart=/bin/sh -x -c 'test "$$(id -g)" = "1" && test "$$(id -u)" = "1"' + Type=oneshot + User=1 +diff --git a/test/test-execute/exec-dynamicuser-supplementarygroups.service b/test/test-execute/exec-dynamicuser-supplementarygroups.service +index 53ba0ec7cb..d601af272e 100644 +--- a/test/test-execute/exec-dynamicuser-supplementarygroups.service ++++ b/test/test-execute/exec-dynamicuser-supplementarygroups.service +@@ -3,8 +3,8 @@ + Description=Test DynamicUser with SupplementaryGroups= + + [Service] +-ExecStart=/bin/sh -x -c 'HAVE=0; for g in $$(id -G); do test "$$g" = "1" && HAVE=1; done; test "$$HAVE" -eq 1' +-ExecStart=/bin/sh -x -c 'HAVE=0; for g in $$(id -G); do test "$$g" = "2" && HAVE=1; done; test "$$HAVE" -eq 1' ++ExecStart=/bin/sh -x -c 'for g in $$(id -G); do test "$$g" = "1" && exit 0; done; exit 1' ++ExecStart=/bin/sh -x -c 'for g in $$(id -G); do test "$$g" = "2" && exit 0; done; exit 1' + Type=oneshot + DynamicUser=yes + SupplementaryGroups=1 2 +diff --git a/test/test-execute/exec-supplementarygroups-multiple-groups-default-group-user.service b/test/test-execute/exec-supplementarygroups-multiple-groups-default-group-user.service +index 4cb0326320..0ecc34441c 100644 +--- a/test/test-execute/exec-supplementarygroups-multiple-groups-default-group-user.service ++++ b/test/test-execute/exec-supplementarygroups-multiple-groups-default-group-user.service +@@ -3,9 +3,9 @@ + Description=Test for Supplementary Group with multiple groups without Group and User + + [Service] +-ExecStart=/bin/sh -x -c 'HAVE=0; for g in $$(id -G); do test "$$g" = "%G" && HAVE=1; done; test "$$HAVE" -eq 1' +-ExecStart=/bin/sh -x -c 'HAVE=0; for g in $$(id -G); do test "$$g" = "1" && HAVE=1; done; test "$$HAVE" -eq 1' +-ExecStart=/bin/sh -x -c 'HAVE=0; for g in $$(id -G); do test "$$g" = "2" && HAVE=1; done; test "$$HAVE" -eq 1' ++ExecStart=/bin/sh -x -c 'for g in $$(id -G); do test "$$g" = "%G" && exit 0; done; exit 1' ++ExecStart=/bin/sh -x -c 'for g in $$(id -G); do test "$$g" = "1" && exit 0; done; exit 1' ++ExecStart=/bin/sh -x -c 'for g in $$(id -G); do test "$$g" = "2" && exit 0; done; exit 1' + ExecStart=/bin/sh -x -c 'test "$$(id -g)" = "%G" && test "$$(id -u)" = "%U"' + Type=oneshot + SupplementaryGroups=1 2 +diff --git a/test/test-execute/exec-supplementarygroups-multiple-groups-withgid.service b/test/test-execute/exec-supplementarygroups-multiple-groups-withgid.service +index e11743d754..cd1021bbdf 100644 +--- a/test/test-execute/exec-supplementarygroups-multiple-groups-withgid.service ++++ b/test/test-execute/exec-supplementarygroups-multiple-groups-withgid.service +@@ -3,8 +3,8 @@ + Description=Test for Supplementary Group with multiple groups and Group=1 + + [Service] +-ExecStart=/bin/sh -x -c 'HAVE=0; for g in $$(id -G); do test "$$g" = "1" && HAVE=1; done; test "$$HAVE" -eq 1' +-ExecStart=/bin/sh -x -c 'HAVE=0; for g in $$(id -G); do test "$$g" = "2" && HAVE=1; done; test "$$HAVE" -eq 1' ++ExecStart=/bin/sh -x -c 'for g in $$(id -G); do test "$$g" = "1" && exit 0; done; exit 1' ++ExecStart=/bin/sh -x -c 'for g in $$(id -G); do test "$$g" = "2" && exit 0; done; exit 1' + ExecStart=/bin/sh -x -c 'test "$$(id -g)" = "1" && test "$$(id -u)" = "%U"' + Type=oneshot + Group=1 +diff --git a/test/test-execute/exec-supplementarygroups-multiple-groups-withuid.service b/test/test-execute/exec-supplementarygroups-multiple-groups-withuid.service +index 3efbbfb0f9..7913a2c2ed 100644 +--- a/test/test-execute/exec-supplementarygroups-multiple-groups-withuid.service ++++ b/test/test-execute/exec-supplementarygroups-multiple-groups-withuid.service +@@ -3,8 +3,8 @@ + Description=Test for Supplementary Group with multiple groups and Uid=1 + + [Service] +-ExecStart=/bin/sh -x -c 'HAVE=0; for g in $$(id -G); do test "$$g" = "1" && HAVE=1; done; test "$$HAVE" -eq 1' +-ExecStart=/bin/sh -x -c 'HAVE=0; for g in $$(id -G); do test "$$g" = "2" && HAVE=1; done; test "$$HAVE" -eq 1' ++ExecStart=/bin/sh -x -c 'for g in $$(id -G); do test "$$g" = "1" && exit 0; done; exit 1' ++ExecStart=/bin/sh -x -c 'for g in $$(id -G); do test "$$g" = "2" && exit 0; done; exit 1' + Type=oneshot + User=1 + SupplementaryGroups=1 2 +diff --git a/test/test-execute/exec-supplementarygroups-single-group-user.service b/test/test-execute/exec-supplementarygroups-single-group-user.service +index aae71d0a30..ee4017e74e 100644 +--- a/test/test-execute/exec-supplementarygroups-single-group-user.service ++++ b/test/test-execute/exec-supplementarygroups-single-group-user.service +@@ -3,7 +3,7 @@ + Description=Test for Supplementary Group with only one group and uid 1 + + [Service] +-ExecStart=/bin/sh -x -c 'HAVE=0; for g in $$(id -G); do test "$$g" = "1" && HAVE=1; done; test "$$HAVE" -eq 1' ++ExecStart=/bin/sh -x -c 'for g in $$(id -G); do test "$$g" = "1" && exit 0; done; exit 1' + ExecStart=/bin/sh -x -c 'test "$$(id -g)" = "1" && test "$$(id -u)" = "1"' + Type=oneshot + User=1 +diff --git a/test/test-execute/exec-supplementarygroups-single-group.service b/test/test-execute/exec-supplementarygroups-single-group.service +index c870774382..62275201cc 100644 +--- a/test/test-execute/exec-supplementarygroups-single-group.service ++++ b/test/test-execute/exec-supplementarygroups-single-group.service +@@ -3,7 +3,7 @@ + Description=Test for Supplementary Group with only one group + + [Service] +-ExecStart=/bin/sh -x -c 'HAVE=; for g in $$(id -G); do test "$$g" = "1" && HAVE=1; done; test "$$HAVE" -eq 1' ++ExecStart=/bin/sh -x -c 'for g in $$(id -G); do test "$$g" = "1" && exit 0; done; exit 1' + ExecStart=/bin/sh -x -c 'test "$$(id -g)" = "1" && test "$$(id -u)" = "0"' + Type=oneshot + Group=1 +diff --git a/test/test-execute/exec-supplementarygroups.service b/test/test-execute/exec-supplementarygroups.service +index 75601eab57..03406c3ee8 100644 +--- a/test/test-execute/exec-supplementarygroups.service ++++ b/test/test-execute/exec-supplementarygroups.service +@@ -3,7 +3,7 @@ + Description=Test for Supplementary Group + + [Service] +-ExecStart=/bin/sh -x -c 'HAVE=0; for g in $$(id -G); do test "$$g" = "%G" && HAVE=1; done; test "$$HAVE" -eq 1' +-ExecStart=/bin/sh -x -c 'HAVE=0; for g in $$(id -G); do test "$$g" = "1" && HAVE=1; done; test "$$HAVE" -eq 1' ++ExecStart=/bin/sh -x -c 'for g in $$(id -G); do test "$$g" = "%G" && exit 0; done; exit 1' ++ExecStart=/bin/sh -x -c 'for g in $$(id -G); do test "$$g" = "1" && exit 0; done; exit 1' + Type=oneshot + SupplementaryGroups=1 diff --git a/SOURCES/0027-tmpfiles.d-do-not-fail-if-provision.conf-fails.patch b/SOURCES/0027-tmpfiles.d-do-not-fail-if-provision.conf-fails.patch new file mode 100644 index 0000000..11c83c2 --- /dev/null +++ b/SOURCES/0027-tmpfiles.d-do-not-fail-if-provision.conf-fails.patch @@ -0,0 +1,29 @@ +From 6d8f91ab2f7db862d95d0565bad3aaf4279c00bc Mon Sep 17 00:00:00 2001 +From: Luca Boccassi +Date: Thu, 3 Nov 2022 20:10:57 +0000 +Subject: [PATCH] tmpfiles.d: do not fail if provision.conf fails + +On a read-only filesystem creating /root/.ssh might fail, but that's ok. +Do not fail the run, as this is only needed to add the credential, which +is a separate step. + +(cherry picked from commit e0fc9be37e4d15e2c322eb8281692c2639dac023) + +Related #2138081 +--- + tmpfiles.d/provision.conf | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/tmpfiles.d/provision.conf b/tmpfiles.d/provision.conf +index 3c56f42d58..093104aaaf 100644 +--- a/tmpfiles.d/provision.conf ++++ b/tmpfiles.d/provision.conf +@@ -17,6 +17,6 @@ f^ /etc/issue.d/50-provision.conf - - - - login.issue + f^ /etc/hosts - - - - network.hosts + + # Provision SSH key for root +-d /root :0700 root :root - +-d /root/.ssh :0700 root :root - ++d- /root :0700 root :root - ++d- /root/.ssh :0700 root :root - + f^ /root/.ssh/authorized_keys :0600 root :root - ssh.authorized_keys.root diff --git a/SOURCES/0028-kernel-install-90-loaderentry-do-not-add-multiple-sy.patch b/SOURCES/0028-kernel-install-90-loaderentry-do-not-add-multiple-sy.patch new file mode 100644 index 0000000..3b9a8a6 --- /dev/null +++ b/SOURCES/0028-kernel-install-90-loaderentry-do-not-add-multiple-sy.patch @@ -0,0 +1,31 @@ +From d3b559f5e561750e6c50449b2ca84b40abeb492d Mon Sep 17 00:00:00 2001 +From: Antonio Alvarez Feijoo +Date: Fri, 4 Nov 2022 09:57:24 +0100 +Subject: [PATCH] kernel-install/90-loaderentry: do not add multiple + systemd.machine_id options + +Do not unconditionally add a new systemd.machine_id command line option, first +check if it already exists with the expected value. + +Fixes #25203 + +(cherry picked from commit 981502c5cc9ce32c3f77ff74aad87cd6f0da3b16) + +Related #2138081 +--- + src/kernel-install/90-loaderentry.install | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/kernel-install/90-loaderentry.install b/src/kernel-install/90-loaderentry.install +index 743af33aa9..ea75e1b0d8 100755 +--- a/src/kernel-install/90-loaderentry.install ++++ b/src/kernel-install/90-loaderentry.install +@@ -85,7 +85,7 @@ BOOT_OPTIONS="${BOOT_OPTIONS% }" + # command line with the machine ID we use, so that the machine ID remains + # stable, even during factory reset, in the initrd (where the system's machine + # ID is not directly accessible yet), and if the root file system is volatile. +-if [ "$ENTRY_TOKEN" = "$MACHINE_ID" ]; then ++if [ "$ENTRY_TOKEN" = "$MACHINE_ID" ] && ! echo "$BOOT_OPTIONS" | grep -q "systemd.machine_id=$MACHINE_ID"; then + BOOT_OPTIONS="$BOOT_OPTIONS systemd.machine_id=$MACHINE_ID" + fi + diff --git a/SOURCES/0029-condition-Check-that-subsystem-is-enabled-in-Conditi.patch b/SOURCES/0029-condition-Check-that-subsystem-is-enabled-in-Conditi.patch new file mode 100644 index 0000000..44e715c --- /dev/null +++ b/SOURCES/0029-condition-Check-that-subsystem-is-enabled-in-Conditi.patch @@ -0,0 +1,120 @@ +From 1b7dfe48d6d66cad5d0368b8e8b387a4d9586ccd Mon Sep 17 00:00:00 2001 +From: Daan De Meyer +Date: Thu, 27 Oct 2022 11:12:10 +0200 +Subject: [PATCH] condition: Check that subsystem is enabled in + ConditionSecurity=tpm2 + +Instead of succeeding when either the firmware reports a TPM device +or we find a TPM device, let's check that the firmware reports a TPM +device and the TPM subsystem is enabled in the kernel. + +To check whether the subsystem enabled, we check if the relevant +subdirectory in /sys exists at all. + +(cherry picked from commit 300bba79c22e4be1effe2faad0e59ac725d396a1) + +Related #2138081 +--- + man/systemd-creds.xml | 4 ++-- + src/creds/creds.c | 6 ++++-- + src/shared/condition.c | 9 ++++----- + src/shared/tpm2-util.c | 6 +++++- + src/shared/tpm2-util.h | 11 ++++++----- + 5 files changed, 21 insertions(+), 15 deletions(-) + +diff --git a/man/systemd-creds.xml b/man/systemd-creds.xml +index 1e5632e63d..003fbcd463 100644 +--- a/man/systemd-creds.xml ++++ b/man/systemd-creds.xml +@@ -175,8 +175,8 @@ + by the OS kernel drivers and by userspace (i.e. systemd) this prints yes and exits + with exit status zero. If no such device is discovered/supported/used, prints + no. Otherwise prints partial. In either of these two cases +- exits with non-zero exit status. It also shows three lines indicating separately whether drivers, +- firmware and the system discovered/support/use TPM2. ++ exits with non-zero exit status. It also shows four lines indicating separately whether firmware, ++ drivers, the system and the kernel discovered/support/use TPM2. + + Combine with to suppress the output. + +diff --git a/src/creds/creds.c b/src/creds/creds.c +index 5586fd776a..a755a52c34 100644 +--- a/src/creds/creds.c ++++ b/src/creds/creds.c +@@ -637,10 +637,12 @@ static int verb_has_tpm2(int argc, char **argv, void *userdata) { + + printf("%sfirmware\n" + "%sdriver\n" +- "%ssystem\n", ++ "%ssystem\n" ++ "%ssubsystem\n", + plus_minus(s & TPM2_SUPPORT_FIRMWARE), + plus_minus(s & TPM2_SUPPORT_DRIVER), +- plus_minus(s & TPM2_SUPPORT_SYSTEM)); ++ plus_minus(s & TPM2_SUPPORT_SYSTEM), ++ plus_minus(s & TPM2_SUPPORT_SUBSYSTEM)); + } + + /* Return inverted bit flags. So that TPM2_SUPPORT_FULL becomes EXIT_SUCCESS and the other values +diff --git a/src/shared/condition.c b/src/shared/condition.c +index 310ffcbdc6..a23d6a3e45 100644 +--- a/src/shared/condition.c ++++ b/src/shared/condition.c +@@ -664,14 +664,13 @@ static int condition_test_ac_power(Condition *c, char **env) { + } + + static int has_tpm2(void) { +- /* Checks whether the system has at least one TPM2 resource manager device, i.e. at least one "tpmrm" +- * class device. Alternatively, we are also happy if the firmware reports support (this is to cover +- * for cases where we simply haven't loaded the driver for it yet, i.e. during early boot where we +- * very likely want to use this condition check). ++ /* Checks whether the kernel has the TPM subsystem enabled and the firmware reports support. Note ++ * we don't check for actual TPM devices, since we might not have loaded the driver for it yet, i.e. ++ * during early boot where we very likely want to use this condition check). + * + * Note that we don't check if we ourselves are built with TPM2 support here! */ + +- return (tpm2_support() & (TPM2_SUPPORT_DRIVER|TPM2_SUPPORT_FIRMWARE)) != 0; ++ return FLAGS_SET(tpm2_support(), TPM2_SUPPORT_SUBSYSTEM|TPM2_SUPPORT_FIRMWARE); + } + + static int condition_test_security(Condition *c, char **env) { +diff --git a/src/shared/tpm2-util.c b/src/shared/tpm2-util.c +index 13e92c4144..65e8d48347 100644 +--- a/src/shared/tpm2-util.c ++++ b/src/shared/tpm2-util.c +@@ -2189,7 +2189,11 @@ Tpm2Support tpm2_support(void) { + if (r != -ENOENT) + log_debug_errno(r, "Unable to test whether /sys/class/tpmrm/ exists and is populated, assuming it is not: %m"); + } else if (r == 0) /* populated! */ +- support |= TPM2_SUPPORT_DRIVER; ++ support |= TPM2_SUPPORT_SUBSYSTEM|TPM2_SUPPORT_DRIVER; ++ else ++ /* If the directory exists but is empty, we know the subsystem is enabled but no ++ * driver has been loaded yet. */ ++ support |= TPM2_SUPPORT_SUBSYSTEM; + } + + if (efi_has_tpm2()) +diff --git a/src/shared/tpm2-util.h b/src/shared/tpm2-util.h +index 048c28d6ca..c240335ae6 100644 +--- a/src/shared/tpm2-util.h ++++ b/src/shared/tpm2-util.h +@@ -137,11 +137,12 @@ typedef struct { + typedef enum Tpm2Support { + /* NOTE! The systemd-creds tool returns these flags 1:1 as exit status. Hence these flags are pretty + * much ABI! Hence, be extra careful when changing/extending these definitions. */ +- TPM2_SUPPORT_NONE = 0, /* no support */ +- TPM2_SUPPORT_FIRMWARE = 1 << 0, /* firmware reports TPM2 was used */ +- TPM2_SUPPORT_DRIVER = 1 << 1, /* the kernel has a driver loaded for it */ +- TPM2_SUPPORT_SYSTEM = 1 << 2, /* we support it ourselves */ +- TPM2_SUPPORT_FULL = TPM2_SUPPORT_FIRMWARE|TPM2_SUPPORT_DRIVER|TPM2_SUPPORT_SYSTEM, ++ TPM2_SUPPORT_NONE = 0, /* no support */ ++ TPM2_SUPPORT_FIRMWARE = 1 << 0, /* firmware reports TPM2 was used */ ++ TPM2_SUPPORT_DRIVER = 1 << 1, /* the kernel has a driver loaded for it */ ++ TPM2_SUPPORT_SYSTEM = 1 << 2, /* we support it ourselves */ ++ TPM2_SUPPORT_SUBSYSTEM = 1 << 3, /* the kernel has the tpm subsystem enabled */ ++ TPM2_SUPPORT_FULL = TPM2_SUPPORT_FIRMWARE|TPM2_SUPPORT_DRIVER|TPM2_SUPPORT_SYSTEM|TPM2_SUPPORT_SUBSYSTEM, + } Tpm2Support; + + Tpm2Support tpm2_support(void); diff --git a/SOURCES/0030-semaphore-remove-the-Semaphore-repositories-recursiv.patch b/SOURCES/0030-semaphore-remove-the-Semaphore-repositories-recursiv.patch new file mode 100644 index 0000000..dc3513d --- /dev/null +++ b/SOURCES/0030-semaphore-remove-the-Semaphore-repositories-recursiv.patch @@ -0,0 +1,52 @@ +From f0839034c9910529f368e60262b5653afad58f63 Mon Sep 17 00:00:00 2001 +From: Frantisek Sumsal +Date: Mon, 7 Nov 2022 16:39:12 +0100 +Subject: [PATCH] semaphore: remove the Semaphore repositories recursively + +The list of disabled repositories was recently converted from a single +file into a directory with separate repository files, so let's adjust +the setup script accordingly. + +``` +$ ls -lR /etc/apt/sources.list.d/ +/etc/apt/sources.list.d/: +total 36 +-rw-r--r-- 1 root root 76 Nov 3 10:28 azure-cli.list +-rw-r--r-- 1 root root 72 Nov 3 10:22 bazel.list +drwxr-xr-x 2 root root 4096 Nov 3 10:31 disabled +-rw-r--r-- 1 root root 113 Nov 3 10:13 docker-source.list +-rw-r--r-- 1 root root 367 Nov 3 10:28 github_git-lfs.list +-rw-r--r-- 1 root root 111 Nov 3 10:25 google-chrome-source.list +-rw-r--r-- 1 root root 64 Nov 3 10:14 google-cloud-sdk.list +-rw-r--r-- 1 root root 54 Nov 3 10:23 helm-stable-debian.list +-rw-r--r-- 1 root root 89 Nov 3 10:29 yarn-source.list + +/etc/apt/sources.list.d/disabled: +total 20 +-rw-r--r-- 1 root root 100 Nov 3 10:23 devel_kubic_libcontainers_stable.list +-rw-r--r-- 1 root root 103 Nov 3 10:27 git.list +-rw-r--r-- 1 root root 105 Nov 3 10:22 gradle.list +-rw-r--r-- 1 root root 118 Nov 3 10:13 pypy.list +-rw-r--r-- 1 root root 104 Nov 3 10:13 python.list +``` + +(cherry picked from commit 610eb3f8260ecbb161db5186a5e27417f3110a68) + +Related #2138081 +--- + .semaphore/semaphore-runner.sh | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/.semaphore/semaphore-runner.sh b/.semaphore/semaphore-runner.sh +index 98fd7b4411..b0d32bd136 100755 +--- a/.semaphore/semaphore-runner.sh ++++ b/.semaphore/semaphore-runner.sh +@@ -55,7 +55,7 @@ for phase in "${PHASES[@]}"; do + case "$phase" in + SETUP) + # remove semaphore repos, some of them don't work and cause error messages +- sudo rm -f /etc/apt/sources.list.d/* ++ sudo rm -rf /etc/apt/sources.list.d/* + + # enable backports for latest LXC + echo "deb http://archive.ubuntu.com/ubuntu $UBUNTU_RELEASE-backports main restricted universe multiverse" | sudo tee -a /etc/apt/sources.list.d/backports.list diff --git a/SOURCES/0031-kernel-install-90-loaderentry-do-not-override-an-exi.patch b/SOURCES/0031-kernel-install-90-loaderentry-do-not-override-an-exi.patch new file mode 100644 index 0000000..7715845 --- /dev/null +++ b/SOURCES/0031-kernel-install-90-loaderentry-do-not-override-an-exi.patch @@ -0,0 +1,29 @@ +From c440081c968c93d527d441f4d106e0acad9540eb Mon Sep 17 00:00:00 2001 +From: Antonio Alvarez Feijoo +Date: Mon, 7 Nov 2022 15:25:25 +0100 +Subject: [PATCH] kernel-install/90-loaderentry: do not override an existing + systemd.machine_id + +If the systemd.machine_id command line option is already set, do not override +it. + +(cherry picked from commit 802d9219aa19d759113dd6cd1e91b2bb661fe9ba) + +Related #2138081 +--- + src/kernel-install/90-loaderentry.install | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/kernel-install/90-loaderentry.install b/src/kernel-install/90-loaderentry.install +index ea75e1b0d8..41a05534b9 100755 +--- a/src/kernel-install/90-loaderentry.install ++++ b/src/kernel-install/90-loaderentry.install +@@ -85,7 +85,7 @@ BOOT_OPTIONS="${BOOT_OPTIONS% }" + # command line with the machine ID we use, so that the machine ID remains + # stable, even during factory reset, in the initrd (where the system's machine + # ID is not directly accessible yet), and if the root file system is volatile. +-if [ "$ENTRY_TOKEN" = "$MACHINE_ID" ] && ! echo "$BOOT_OPTIONS" | grep -q "systemd.machine_id=$MACHINE_ID"; then ++if [ "$ENTRY_TOKEN" = "$MACHINE_ID" ] && ! echo "$BOOT_OPTIONS" | grep -q "systemd.machine_id="; then + BOOT_OPTIONS="$BOOT_OPTIONS systemd.machine_id=$MACHINE_ID" + fi + diff --git a/SOURCES/0032-kernel-install-skip-50-depmod-if-depmod-is-not-avail.patch b/SOURCES/0032-kernel-install-skip-50-depmod-if-depmod-is-not-avail.patch new file mode 100644 index 0000000..6847cc2 --- /dev/null +++ b/SOURCES/0032-kernel-install-skip-50-depmod-if-depmod-is-not-avail.patch @@ -0,0 +1,28 @@ +From d1abf107c5b4c661886001de996bf03587bb35c1 Mon Sep 17 00:00:00 2001 +From: Luca Boccassi +Date: Mon, 7 Nov 2022 16:28:33 +0000 +Subject: [PATCH] kernel-install: skip 50-depmod if depmod is not available + +Images might be built without any kernel module, and without +installing depmod as it is not needed. Skip it. + +https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1023607 +(cherry picked from commit cda4d00dfcbcd075cef95341f8a466f0c4ee8e1d) + +Related #2138081 +--- + src/kernel-install/50-depmod.install | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/kernel-install/50-depmod.install b/src/kernel-install/50-depmod.install +index d4b991cfd6..43bd87c7ed 100755 +--- a/src/kernel-install/50-depmod.install ++++ b/src/kernel-install/50-depmod.install +@@ -26,6 +26,7 @@ KERNEL_VERSION="${2:?}" + case "$COMMAND" in + add) + [ -d "/lib/modules/$KERNEL_VERSION/kernel" ] || exit 0 ++ command -v depmod >/dev/null || exit 0 + [ "$KERNEL_INSTALL_VERBOSE" -gt 0 ] && echo "+depmod -a $KERNEL_VERSION" + exec depmod -a "$KERNEL_VERSION" + ;; diff --git a/SOURCES/0033-man-add-note-that-network-generator-is-not-a-generat.patch b/SOURCES/0033-man-add-note-that-network-generator-is-not-a-generat.patch new file mode 100644 index 0000000..e0a1d28 --- /dev/null +++ b/SOURCES/0033-man-add-note-that-network-generator-is-not-a-generat.patch @@ -0,0 +1,38 @@ +From 04cdbacc26c7e38d3bd684235b51c79ab64b6026 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Tue, 8 Nov 2022 11:07:02 +0100 +Subject: [PATCH] man: add note that network-generator is not a generator + +Also fix indentation. + +(cherry picked from commit 2fa6574e835566c2aa5cbf4167ecee316f71bf98) + +Related #2138081 +--- + man/systemd-network-generator.service.xml | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +diff --git a/man/systemd-network-generator.service.xml b/man/systemd-network-generator.service.xml +index 6b7e2564d4..2ddeadfc54 100644 +--- a/man/systemd-network-generator.service.xml ++++ b/man/systemd-network-generator.service.xml +@@ -41,10 +41,17 @@ + + + Files are generated in /run/systemd/network/. ++ ++ Note: despite the name, this generator executes as a normal systemd service and is ++ not an implementation of the ++ systemd.generator7 ++ concept. + + +- Kernel command line options +- This tool understands the following options: ++ ++ Kernel command line options ++ ++ This tool understands the following options: + + + diff --git a/SOURCES/0034-test-fstab-generator-adjust-PATH-for-fsck.patch b/SOURCES/0034-test-fstab-generator-adjust-PATH-for-fsck.patch new file mode 100644 index 0000000..1cd1c0c --- /dev/null +++ b/SOURCES/0034-test-fstab-generator-adjust-PATH-for-fsck.patch @@ -0,0 +1,64 @@ +From 054da791c98fba7e11079e94c9b9fe0b1ca4e8d4 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= +Date: Fri, 4 Nov 2022 15:48:50 +0100 +Subject: [PATCH] test: fstab-generator: adjust PATH for fsck + +fsck(8) is located in /usr/sib/ on Debian sid: + + stdout: + *** Running /home/christian/Coding/workspaces/systemd/test/testdata/test-fstab-generator/test-01-dev-nfs.input + *** Running /home/christian/Coding/workspaces/systemd/test/testdata/test-fstab-generator/test-02-dhcp.input + *** Running /home/christian/Coding/workspaces/systemd/test/testdata/test-fstab-generator/test-03-dhcp6.input + *** Running /home/christian/Coding/workspaces/systemd/test/testdata/test-fstab-generator/test-04-nfs.input + *** Running /home/christian/Coding/workspaces/systemd/test/testdata/test-fstab-generator/test-05-nfs4.input + *** Running /home/christian/Coding/workspaces/systemd/test/testdata/test-fstab-generator/test-06-ipv4.input + *** Running /home/christian/Coding/workspaces/systemd/test/testdata/test-fstab-generator/test-07-ipv6.input + *** Running /home/christian/Coding/workspaces/systemd/test/testdata/test-fstab-generator/test-08-implicit-nfs.input + *** Running /home/christian/Coding/workspaces/systemd/test/testdata/test-fstab-generator/test-09-cifs.input + *** Running /home/christian/Coding/workspaces/systemd/test/testdata/test-fstab-generator/test-10-iscsi.input + *** Running /home/christian/Coding/workspaces/systemd/test/testdata/test-fstab-generator/test-11-live.input + *** Running /home/christian/Coding/workspaces/systemd/test/testdata/test-fstab-generator/test-12-dev-sdx.input + --- /dev/fd/63 2022-11-04 15:39:13.131532174 +0100 + +++ /dev/fd/62 2022-11-04 15:39:13.131532174 +0100 + @@ -6,3 +6,4 @@ + initrd-usr-fs.target.requires + initrd-usr-fs.target.requires/sysroot.mount + sysroot.mount + +systemd-fsck-root.service + **** Unexpected output for /home/christian/Coding/workspaces/systemd/test/testdata/test-fstab-generator/test-12-dev-sdx.input + stderr: + Skipping root directory handling, as root on NFS was requested. + Skipping root directory handling, as root on NFS was requested. + Skipping root directory handling, as root on NFS was requested. + Skipping root directory handling, as root on NFS was requested. + Skipping root directory handling, as root on NFS was requested. + Skipping root directory handling, as root on NFS was requested. + Skipping root directory handling, as root on NFS was requested. + Skipping root directory handling, as root on NFS was requested. + Skipping root directory handling, as root on CIFS was requested. + Skipping root directory handling, as root on iSCSI was requested. + Skipping root directory handling, as root on live image was requested. + Found entry what=/dev/sdx1 where=/sysroot type=n/a opts=ro + Checking was requested for /dev/sdx1, but the fsck command does not exist. + +(cherry picked from commit a45efc9e4b574a85176610496f2ac7ae769364bb) + +Related #2138081 +--- + test/test-fstab-generator.sh | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/test/test-fstab-generator.sh b/test/test-fstab-generator.sh +index 0c977645e3..7c060dfac7 100755 +--- a/test/test-fstab-generator.sh ++++ b/test/test-fstab-generator.sh +@@ -14,6 +14,9 @@ fi + + src="$(dirname "$0")/testdata/test-fstab-generator" + ++# fsck(8) is located in /usr/sbin on Debian ++PATH=$PATH:/usr/sbin ++ + for f in "$src"/test-*.input; do + echo "*** Running $f" + diff --git a/SOURCES/0035-loop-util-open-lock-fd-read-only.patch b/SOURCES/0035-loop-util-open-lock-fd-read-only.patch new file mode 100644 index 0000000..3fc3fe3 --- /dev/null +++ b/SOURCES/0035-loop-util-open-lock-fd-read-only.patch @@ -0,0 +1,30 @@ +From ba5d26d85d0c4250b10a46a5c9cd3a3e1f0ce43b Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= +Date: Fri, 4 Nov 2022 19:36:31 +0100 +Subject: [PATCH] loop-util: open lock fd read-only + +flock(2) works with file descriptors opened with O_RDONLY. + +This affects SELinux systems where access to block devices is quite +restricted to avoid bypasses on filesystem objects. + +(cherry picked from commit 3e6b7d2626de9c0faf8b34b2629e8d6d8fa85a7d) + +Related #2138081 +--- + src/shared/loop-util.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/shared/loop-util.c b/src/shared/loop-util.c +index 731ce29112..fb7e80b1b5 100644 +--- a/src/shared/loop-util.c ++++ b/src/shared/loop-util.c +@@ -77,7 +77,7 @@ static int open_lock_fd(int primary_fd, int operation) { + assert(primary_fd >= 0); + assert(IN_SET(operation & ~LOCK_NB, LOCK_SH, LOCK_EX)); + +- lock_fd = fd_reopen(primary_fd, O_RDWR|O_CLOEXEC|O_NONBLOCK|O_NOCTTY); ++ lock_fd = fd_reopen(primary_fd, O_RDONLY|O_CLOEXEC|O_NONBLOCK|O_NOCTTY); + if (lock_fd < 0) + return lock_fd; + diff --git a/SOURCES/0036-test-don-t-ignore-non-existent-paths-in-inst_recursi.patch b/SOURCES/0036-test-don-t-ignore-non-existent-paths-in-inst_recursi.patch new file mode 100644 index 0000000..eeeb288 --- /dev/null +++ b/SOURCES/0036-test-don-t-ignore-non-existent-paths-in-inst_recursi.patch @@ -0,0 +1,30 @@ +From ca92c2e035d5702f23f9a8d1cd705425b5605822 Mon Sep 17 00:00:00 2001 +From: Frantisek Sumsal +Date: Mon, 7 Nov 2022 11:55:29 +0100 +Subject: [PATCH] test: don't ignore non-existent paths in inst_recursive() + +The process substitution in the while loop hides errors raised by the +find utility, which might (and did), in turn, hide errors in test setup. + +(cherry picked from commit eb5d7730e1b3b1bddecb80be37e5a4c938183f61) + +Related #2138081 +--- + test/test-functions | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/test/test-functions b/test/test-functions +index 16d9da637b..80ce383e64 100644 +--- a/test/test-functions ++++ b/test/test-functions +@@ -2773,6 +2773,10 @@ inst_recursive() { + local p item + + for p in "$@"; do ++ # Make sure the source exists, as the process substitution below ++ # suppresses errors ++ stat "$p" >/dev/null || return 1 ++ + while read -r item; do + if [[ -d "$item" ]]; then + inst_dir "$item" diff --git a/SOURCES/0037-test-fix-locale-installation-when-locale-gen-is-used.patch b/SOURCES/0037-test-fix-locale-installation-when-locale-gen-is-used.patch new file mode 100644 index 0000000..be0488e --- /dev/null +++ b/SOURCES/0037-test-fix-locale-installation-when-locale-gen-is-used.patch @@ -0,0 +1,46 @@ +From ea8b80cdc0dfd0ad92301a0e421df4d3110fe09c Mon Sep 17 00:00:00 2001 +From: Frantisek Sumsal +Date: Mon, 7 Nov 2022 11:57:59 +0100 +Subject: [PATCH] test: fix locale installation when locale-gen is used + +locale-gen might merge all compiled locales into a simple archive, so we +need to install it as well if necessary. + +(cherry picked from commit 0c416ea01bc14adff10f4fc5415a36bd2d48f604) + +Related #2138081 +--- + test/test-functions | 19 ++++++++++++------- + 1 file changed, 12 insertions(+), 7 deletions(-) + +diff --git a/test/test-functions b/test/test-functions +index 80ce383e64..45ca472916 100644 +--- a/test/test-functions ++++ b/test/test-functions +@@ -1988,14 +1988,19 @@ install_locales() { + inst /usr/share/i18n/SUPPORTED || : + inst_recursive /usr/share/i18n/charmaps + inst_recursive /usr/share/i18n/locales +- inst_recursive /usr/share/locale/en +- inst_recursive /usr/share/locale/en_* ++ inst_recursive /usr/share/locale/en* ++ inst_recursive /usr/share/locale/de* ++ image_install /usr/share/locale/locale.alias ++ # locale-gen might either generate each locale separately or merge them ++ # into a single archive ++ if ! (inst_recursive /usr/lib/locale/C.*8 /usr/lib/locale/en_*8 || ++ image_install /usr/lib/locale/locale-archive); then ++ dfatal "Failed to install required locales" ++ exit 1 ++ fi ++ else ++ inst_recursive /usr/lib/locale/C.*8 /usr/lib/locale/en_*8 + fi +- +- inst_recursive /usr/lib/locale/C.utf8 +- inst_recursive /usr/lib/locale/C.UTF-8 +- inst_recursive /usr/lib/locale/en_*.utf8 +- inst_recursive /usr/lib/locale/en_*.UTF-8 + } + + # shellcheck disable=SC2120 diff --git a/SOURCES/0038-test-fix-keymaps-installation-on-Arch.patch b/SOURCES/0038-test-fix-keymaps-installation-on-Arch.patch new file mode 100644 index 0000000..4832575 --- /dev/null +++ b/SOURCES/0038-test-fix-keymaps-installation-on-Arch.patch @@ -0,0 +1,71 @@ +From bec9d65390249d4e88f5095e751283645a2a4c08 Mon Sep 17 00:00:00 2001 +From: Frantisek Sumsal +Date: Mon, 7 Nov 2022 12:07:27 +0100 +Subject: [PATCH] test: fix keymaps installation on Arch + +Where the keymaps live under /usr/share/kbd/keymaps/. + +(cherry picked from commit 1edad89399e7cbee230878589ac618103c157ec7) + +Related #2138081 +--- + test/test-functions | 25 +++++++++++++------------ + 1 file changed, 13 insertions(+), 12 deletions(-) + +diff --git a/test/test-functions b/test/test-functions +index 45ca472916..194cd682bb 100644 +--- a/test/test-functions ++++ b/test/test-functions +@@ -2007,7 +2007,8 @@ install_locales() { + install_keymaps() { + local i p + local -a prefix=( +- "/usr" ++ "/usr/lib" ++ "/usr/share" + ) + + dinfo "Install console keymaps" +@@ -2016,7 +2017,7 @@ install_keymaps() { + && [[ "$(meson configure "${BUILD_DIR:?}" | grep 'split-usr' | awk '{ print $2 }')" == "true" ]] \ + || [[ ! -L /lib ]]; then + prefix+=( +- "" ++ "/lib" + ) + fi + +@@ -2025,12 +2026,12 @@ install_keymaps() { + # The first three paths may be deprecated. + # It seems now the last three paths are used by many distributions. + for i in \ +- "$p"/lib/kbd/keymaps/include/* \ +- "$p"/lib/kbd/keymaps/i386/include/* \ +- "$p"/lib/kbd/keymaps/i386/qwerty/us.* \ +- "$p"/lib/kbd/keymaps/legacy/include/* \ +- "$p"/lib/kbd/keymaps/legacy/i386/qwerty/us.* \ +- "$p"/lib/kbd/keymaps/xkb/us*; do ++ "$p"/kbd/keymaps/include/* \ ++ "$p"/kbd/keymaps/i386/include/* \ ++ "$p"/kbd/keymaps/i386/qwerty/us.* \ ++ "$p"/kbd/keymaps/legacy/include/* \ ++ "$p"/kbd/keymaps/legacy/i386/qwerty/us.* \ ++ "$p"/kbd/keymaps/xkb/us*; do + [[ -f "$i" ]] || continue + inst "$i" + done +@@ -2039,10 +2040,10 @@ install_keymaps() { + # When it takes any argument, then install more keymaps. + for p in "${prefix[@]}"; do + for i in \ +- "$p"/lib/kbd/keymaps/include/* \ +- "$p"/lib/kbd/keymaps/i386/*/* \ +- "$p"/lib/kbd/keymaps/legacy/i386/*/* \ +- "$p"/lib/kbd/keymaps/xkb/*; do ++ "$p"/kbd/keymaps/include/* \ ++ "$p"/kbd/keymaps/i386/*/* \ ++ "$p"/kbd/keymaps/legacy/i386/*/* \ ++ "$p"/kbd/keymaps/xkb/*; do + [[ -f "$i" ]] || continue + inst "$i" + done diff --git a/SOURCES/0039-test-compile-test-utmp.c-only-if-UTMP-is-enabled.patch b/SOURCES/0039-test-compile-test-utmp.c-only-if-UTMP-is-enabled.patch new file mode 100644 index 0000000..db6f229 --- /dev/null +++ b/SOURCES/0039-test-compile-test-utmp.c-only-if-UTMP-is-enabled.patch @@ -0,0 +1,43 @@ +From d63a1edb6bef959e8d6a481464a809badcc3a2eb Mon Sep 17 00:00:00 2001 +From: Torsten Hilbrich +Date: Mon, 7 Nov 2022 08:38:58 +0100 +Subject: [PATCH] test: compile test-utmp.c only if UTMP is enabled +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +When compiling with -D utmp=false the compilation fails with: + +../../git/systemd/src/test/test-utmp.c: In function ‘test_dump_run_utmp’: +../../git/systemd/src/test/test-utmp.c:21:9: error: cleanup argument not a function + 21 | _unused_ _cleanup_(utxent_cleanup) bool utmpx = false; + | ^~~~~~~~ +../../git/systemd/src/test/test-utmp.c:23:17: error: implicit declaration of function ‘utxent_start’ [-Werror=implicit-function-declaration] + 23 | utmpx = utxent_start(); + | ^~~~~~~~~~~~ + +any many other errors + +Add a conditional to compile test-utmp.c only if ENABLE_UTMP is true. + +(cherry picked from commit 41cac2a8b98fc5faebe942c697b17e109822342d) + +Related: #2138081 +--- + src/test/meson.build | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/src/test/meson.build b/src/test/meson.build +index 86fc1d4fc0..2a4dfe26db 100644 +--- a/src/test/meson.build ++++ b/src/test/meson.build +@@ -622,7 +622,8 @@ tests += [ + + [files('test-journal-importer.c')], + +- [files('test-utmp.c')], ++ [files('test-utmp.c'), ++ [], [], [], 'ENABLE_UTMP'], + + [files('test-udev.c'), + [libudevd_core, diff --git a/SOURCES/0040-Create-CNAME.patch b/SOURCES/0040-Create-CNAME.patch new file mode 100644 index 0000000..aa2780d --- /dev/null +++ b/SOURCES/0040-Create-CNAME.patch @@ -0,0 +1,19 @@ +From d9328ee5e53d1901af9396ae3e0b2dd05f731781 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Mon, 14 Nov 2022 09:25:37 +0100 +Subject: [PATCH] Create CNAME + +Related: #2138081 +--- + docs/CNAME | 1 + + 1 file changed, 1 insertion(+) + create mode 100644 docs/CNAME + +diff --git a/docs/CNAME b/docs/CNAME +new file mode 100644 +index 0000000000..cdcf4d9a52 +--- /dev/null ++++ b/docs/CNAME +@@ -0,0 +1 @@ ++systemd.io +\ No newline at end of file diff --git a/SOURCES/0041-tpm2-util-force-default-TCTI-to-be-device-with-param.patch b/SOURCES/0041-tpm2-util-force-default-TCTI-to-be-device-with-param.patch new file mode 100644 index 0000000..1de7853 --- /dev/null +++ b/SOURCES/0041-tpm2-util-force-default-TCTI-to-be-device-with-param.patch @@ -0,0 +1,46 @@ +From 31f0c1b06bfd90d52009b59b9a4bf26c297790a7 Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Mon, 14 Nov 2022 17:26:49 +0100 +Subject: [PATCH] tpm2-util: force default TCTI to be "device" with parameter + "/dev/tpmrm0" + +Apparently some distros default to tss-abmrd. Let's bypass that and +always go to the kernel resource manager. + +abmrd cannot really work for us, since we want to access the TPM already +in earliest boot i.e. in environments the abmrd service is not available +in. + +Fixes: #25352 +(cherry picked from commit 34906680afe60d724ea435b79b9b830a4bf2e7e9) + +Related: #2138081 +--- + src/shared/tpm2-util.c | 13 ++++++++++++- + 1 file changed, 12 insertions(+), 1 deletion(-) + +diff --git a/src/shared/tpm2-util.c b/src/shared/tpm2-util.c +index 65e8d48347..9d73316146 100644 +--- a/src/shared/tpm2-util.c ++++ b/src/shared/tpm2-util.c +@@ -152,8 +152,19 @@ int tpm2_context_init(const char *device, struct tpm2_context *ret) { + if (r < 0) + return log_error_errno(r, "TPM2 support not installed: %m"); + +- if (!device) ++ if (!device) { + device = secure_getenv("SYSTEMD_TPM2_DEVICE"); ++ if (device) ++ /* Setting the env var to an empty string forces tpm2-tss' own device picking ++ * logic to be used. */ ++ device = empty_to_null(device); ++ else ++ /* If nothing was specified explicitly, we'll use a hardcoded default: the "device" tcti ++ * driver and the "/dev/tpmrm0" device. We do this since on some distributions the tpm2-abrmd ++ * might be used and we really don't want that, since it is a system service and that creates ++ * various ordering issues/deadlocks during early boot. */ ++ device = "device:/dev/tpmrm0"; ++ } + + if (device) { + const char *param, *driver, *fn; diff --git a/SOURCES/0042-tpm2-add-some-extra-validation-of-device-string-befo.patch b/SOURCES/0042-tpm2-add-some-extra-validation-of-device-string-befo.patch new file mode 100644 index 0000000..41c05aa --- /dev/null +++ b/SOURCES/0042-tpm2-add-some-extra-validation-of-device-string-befo.patch @@ -0,0 +1,52 @@ +From 5b20ba25259da453a2aac5e65978a11bc2d048ed Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Tue, 15 Nov 2022 23:01:04 +0100 +Subject: [PATCH] tpm2: add some extra validation of device string before using + it + +Let's add some extra validation before constructing and using the .so +name to load. This isn't really security sensitive, given that we +used secure_getenv() to get the device string (and it thus should have +been come from a trusted source) but let's better be safe than sorry. + +(cherry picked from commit 50a085143fa8f5dd6b6b3cef8a6ea2ec7c53ed0d) + +Related: #2138081 +--- + src/shared/tpm2-util.c | 16 ++++++++++++++-- + 1 file changed, 14 insertions(+), 2 deletions(-) + +diff --git a/src/shared/tpm2-util.c b/src/shared/tpm2-util.c +index 9d73316146..4d0df944a9 100644 +--- a/src/shared/tpm2-util.c ++++ b/src/shared/tpm2-util.c +@@ -174,15 +174,27 @@ int tpm2_context_init(const char *device, struct tpm2_context *ret) { + + param = strchr(device, ':'); + if (param) { ++ /* Syntax #1: Pair of driver string and arbitrary parameter */ + driver = strndupa_safe(device, param - device); ++ if (isempty(driver)) ++ return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "TPM2 driver name is empty, refusing."); ++ + param++; +- } else { ++ } else if (path_is_absolute(device) && path_is_valid(device)) { ++ /* Syntax #2: TPM device node */ + driver = "device"; + param = device; +- } ++ } else ++ return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Invalid TPM2 driver string, refusing."); ++ ++ log_debug("Using TPM2 TCTI driver '%s' with device '%s'.", driver, param); + + fn = strjoina("libtss2-tcti-", driver, ".so.0"); + ++ /* Better safe than sorry, let's refuse strings that cannot possibly be valid driver early, before going to disk. */ ++ if (!filename_is_valid(fn)) ++ return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "TPM2 driver name '%s' not valid, refusing.", driver); ++ + dl = dlopen(fn, RTLD_NOW); + if (!dl) + return log_error_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE), "Failed to load %s: %s", fn, dlerror()); diff --git a/SOURCES/0043-boot-Fix-error-message.patch b/SOURCES/0043-boot-Fix-error-message.patch new file mode 100644 index 0000000..e5eb228 --- /dev/null +++ b/SOURCES/0043-boot-Fix-error-message.patch @@ -0,0 +1,25 @@ +From 2fdb15b3053d20282d7f3c20a7a4d2bd96d9a39b Mon Sep 17 00:00:00 2001 +From: Jan Janssen +Date: Sun, 13 Nov 2022 16:14:17 +0100 +Subject: [PATCH] boot: Fix error message + +(cherry picked from commit 6ee4aa22140dd8d51b1a18882eb4220629b8dd8f) + +Related: #2138081 +--- + src/boot/efi/boot.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/boot/efi/boot.c b/src/boot/efi/boot.c +index 4150b16ecf..84f4cc11a3 100644 +--- a/src/boot/efi/boot.c ++++ b/src/boot/efi/boot.c +@@ -2678,7 +2678,7 @@ EFI_STATUS efi_main(EFI_HANDLE image, EFI_SYSTEM_TABLE *sys_table) { + + err = device_path_to_str(loaded_image->FilePath, &loaded_image_path); + if (err != EFI_SUCCESS) +- return log_error_status_stall(err, L"Error getting loaded image path: %m"); ++ return log_error_status_stall(err, L"Error getting loaded image path: %r", err); + + export_variables(loaded_image, loaded_image_path, init_usec); + diff --git a/SOURCES/0044-boot-Fix-memory-leak.patch b/SOURCES/0044-boot-Fix-memory-leak.patch new file mode 100644 index 0000000..5e62484 --- /dev/null +++ b/SOURCES/0044-boot-Fix-memory-leak.patch @@ -0,0 +1,25 @@ +From 58a3aaaad640bee3cca79a644422489e184b49c1 Mon Sep 17 00:00:00 2001 +From: Jan Janssen +Date: Mon, 14 Nov 2022 14:18:26 +0100 +Subject: [PATCH] boot: Fix memory leak + +(cherry picked from commit b7b327f856b3782f28be561d612d66ff406c7789) + +Related: #2138081 +--- + src/boot/efi/boot.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/boot/efi/boot.c b/src/boot/efi/boot.c +index 84f4cc11a3..17d4ec2d09 100644 +--- a/src/boot/efi/boot.c ++++ b/src/boot/efi/boot.c +@@ -2650,7 +2650,7 @@ EFI_STATUS efi_main(EFI_HANDLE image, EFI_SYSTEM_TABLE *sys_table) { + EFI_LOADED_IMAGE_PROTOCOL *loaded_image; + _cleanup_(file_closep) EFI_FILE *root_dir = NULL; + _cleanup_(config_free) Config config = {}; +- char16_t *loaded_image_path; ++ _cleanup_free_ char16_t *loaded_image_path = NULL; + EFI_STATUS err; + uint64_t init_usec; + bool menu = false; diff --git a/SOURCES/0045-boot-Do-not-require-a-loaded-image-path.patch b/SOURCES/0045-boot-Do-not-require-a-loaded-image-path.patch new file mode 100644 index 0000000..b878368 --- /dev/null +++ b/SOURCES/0045-boot-Do-not-require-a-loaded-image-path.patch @@ -0,0 +1,88 @@ +From 8cbb38625364640f390b2df2cda44ff3877fb16d Mon Sep 17 00:00:00 2001 +From: Jan Janssen +Date: Mon, 14 Nov 2022 14:37:13 +0100 +Subject: [PATCH] boot: Do not require a loaded image path + +If the device path to text protocol is not available (looking angrily at +Apple) we would fail to boot because we cannot get the loaded image +path. As this is only used for cosmetic purposes, we can just silently +continue. + +Fixes: #25363 +(cherry picked from commit af7ef648cddeb96da525de2410565d166f75cc96) + +Related: #2138081 +--- + src/boot/efi/boot.c | 13 +++---------- + 1 file changed, 3 insertions(+), 10 deletions(-) + +diff --git a/src/boot/efi/boot.c b/src/boot/efi/boot.c +index 17d4ec2d09..b490a1d972 100644 +--- a/src/boot/efi/boot.c ++++ b/src/boot/efi/boot.c +@@ -471,7 +471,6 @@ static void print_status(Config *config, char16_t *loaded_image_path) { + _cleanup_free_ char16_t *device_part_uuid = NULL; + + assert(config); +- assert(loaded_image_path); + + clear_screen(COLOR_NORMAL); + console_query_mode(&x_max, &y_max); +@@ -619,7 +618,6 @@ static bool menu_run( + + assert(config); + assert(chosen_entry); +- assert(loaded_image_path); + + EFI_STATUS err; + UINTN visible_max = 0; +@@ -1478,7 +1476,7 @@ static void config_entry_add_type1( + entry->loader = xstra_to_path(value); + + /* do not add an entry for ourselves */ +- if (loaded_image_path && strcaseeq16(entry->loader, loaded_image_path)) { ++ if (strcaseeq16(entry->loader, loaded_image_path)) { + entry->type = LOADER_UNDEFINED; + break; + } +@@ -1908,12 +1906,11 @@ static ConfigEntry *config_entry_add_loader_auto( + assert(root_dir); + assert(id); + assert(title); +- assert(loader || loaded_image_path); + + if (!config->auto_entries) + return NULL; + +- if (loaded_image_path) { ++ if (!loader) { + loader = L"\\EFI\\BOOT\\BOOT" EFI_MACHINE_TYPE_NAME ".efi"; + + /* We are trying to add the default EFI loader here, +@@ -2562,7 +2559,6 @@ static void export_variables( + char16_t uuid[37]; + + assert(loaded_image); +- assert(loaded_image_path); + + efivar_set_time_usec(LOADER_GUID, L"LoaderTimeInitUSec", init_usec); + efivar_set(LOADER_GUID, L"LoaderInfo", L"systemd-boot " GIT_VERSION, 0); +@@ -2591,7 +2587,6 @@ static void config_load_all_entries( + + assert(config); + assert(loaded_image); +- assert(loaded_image_path); + assert(root_dir); + + config_load_defaults(config, root_dir); +@@ -2676,9 +2671,7 @@ EFI_STATUS efi_main(EFI_HANDLE image, EFI_SYSTEM_TABLE *sys_table) { + if (err != EFI_SUCCESS) + return log_error_status_stall(err, L"Error getting a LoadedImageProtocol handle: %r", err); + +- err = device_path_to_str(loaded_image->FilePath, &loaded_image_path); +- if (err != EFI_SUCCESS) +- return log_error_status_stall(err, L"Error getting loaded image path: %r", err); ++ (void) device_path_to_str(loaded_image->FilePath, &loaded_image_path); + + export_variables(loaded_image, loaded_image_path, init_usec); + diff --git a/SOURCES/0046-boot-Manually-convert-filepaths-if-needed.patch b/SOURCES/0046-boot-Manually-convert-filepaths-if-needed.patch new file mode 100644 index 0000000..55596aa --- /dev/null +++ b/SOURCES/0046-boot-Manually-convert-filepaths-if-needed.patch @@ -0,0 +1,75 @@ +From 806165285b822436023df84ca0a3e5b28a3099d6 Mon Sep 17 00:00:00 2001 +From: Jan Janssen +Date: Mon, 14 Nov 2022 15:24:32 +0100 +Subject: [PATCH] boot: Manually convert filepaths if needed + +The conversion of a filepath device path to text is needed for the stub +loader to find credential files. + +(cherry picked from commit 679007044fbbcf82c66cf20b99f2f5086b7df6b4) + +Related: #2138081 +--- + src/boot/efi/util.c | 40 ++++++++++++++++++++++++++++++++++++---- + 1 file changed, 36 insertions(+), 4 deletions(-) + +diff --git a/src/boot/efi/util.c b/src/boot/efi/util.c +index 5547d288de..57436dbf0c 100644 +--- a/src/boot/efi/util.c ++++ b/src/boot/efi/util.c +@@ -772,19 +772,51 @@ EFI_STATUS make_file_device_path(EFI_HANDLE device, const char16_t *file, EFI_DE + EFI_STATUS device_path_to_str(const EFI_DEVICE_PATH *dp, char16_t **ret) { + EFI_DEVICE_PATH_TO_TEXT_PROTOCOL *dp_to_text; + EFI_STATUS err; ++ _cleanup_free_ char16_t *str = NULL; + + assert(dp); + assert(ret); + + err = BS->LocateProtocol(&(EFI_GUID) EFI_DEVICE_PATH_TO_TEXT_PROTOCOL_GUID, NULL, (void **) &dp_to_text); +- if (err != EFI_SUCCESS) +- return err; ++ if (err != EFI_SUCCESS) { ++ /* If the device path to text protocol is not available we can still do a best-effort attempt ++ * to convert it ourselves if we are given filepath-only device path. */ ++ ++ size_t size = 0; ++ for (const EFI_DEVICE_PATH *node = dp; !IsDevicePathEnd(node); ++ node = NextDevicePathNode(node)) { ++ ++ if (DevicePathType(node) != MEDIA_DEVICE_PATH || ++ DevicePathSubType(node) != MEDIA_FILEPATH_DP) ++ return err; ++ ++ size_t path_size = DevicePathNodeLength(node); ++ if (path_size <= offsetof(FILEPATH_DEVICE_PATH, PathName) || path_size % sizeof(char16_t)) ++ return EFI_INVALID_PARAMETER; ++ path_size -= offsetof(FILEPATH_DEVICE_PATH, PathName); ++ ++ _cleanup_free_ char16_t *old = str; ++ str = xmalloc(size + path_size); ++ if (old) { ++ memcpy(str, old, size); ++ str[size / sizeof(char16_t) - 1] = '\\'; ++ } ++ ++ memcpy(str + (size / sizeof(char16_t)), ++ ((uint8_t *) node) + offsetof(FILEPATH_DEVICE_PATH, PathName), ++ path_size); ++ size += path_size; ++ } ++ ++ *ret = TAKE_PTR(str); ++ return EFI_SUCCESS; ++ } + +- char16_t *str = dp_to_text->ConvertDevicePathToText(dp, false, false); ++ str = dp_to_text->ConvertDevicePathToText(dp, false, false); + if (!str) + return EFI_OUT_OF_RESOURCES; + +- *ret = str; ++ *ret = TAKE_PTR(str); + return EFI_SUCCESS; + } + diff --git a/SOURCES/0047-boot-Rework-security-arch-override.patch b/SOURCES/0047-boot-Rework-security-arch-override.patch new file mode 100644 index 0000000..5a77743 --- /dev/null +++ b/SOURCES/0047-boot-Rework-security-arch-override.patch @@ -0,0 +1,433 @@ +From 519625977d19b7842d9b2ded8be12ed0aecbaefc Mon Sep 17 00:00:00 2001 +From: Jan Janssen +Date: Tue, 15 Nov 2022 18:22:38 +0100 +Subject: [PATCH] boot: Rework security arch override + +This simplifies the caller interface for security arch overrides by only +having to pass a validator and an optional context. + +(cherry picked from commit 5489c13bae119dc5f6e65be8d7f241aa7d54c023) + +Related: #2138081 +--- + src/boot/efi/linux.c | 61 ++++++++------------- + src/boot/efi/secure-boot.c | 105 +++++++++++++++++++++++++++++-------- + src/boot/efi/secure-boot.h | 28 +++------- + src/boot/efi/shim.c | 104 +++++++++++------------------------- + 4 files changed, 146 insertions(+), 152 deletions(-) + +diff --git a/src/boot/efi/linux.c b/src/boot/efi/linux.c +index 75b9507709..dd7eb48c8c 100644 +--- a/src/boot/efi/linux.c ++++ b/src/boot/efi/linux.c +@@ -20,35 +20,26 @@ + #define STUB_PAYLOAD_GUID \ + { 0x55c5d1f8, 0x04cd, 0x46b5, { 0x8a, 0x20, 0xe5, 0x6c, 0xbb, 0x30, 0x52, 0xd0 } } + +-static EFIAPI EFI_STATUS security_hook( +- const SecurityOverride *this, uint32_t authentication_status, const EFI_DEVICE_PATH *file) { ++typedef struct { ++ const void *addr; ++ size_t len; ++ const EFI_DEVICE_PATH *device_path; ++} ValidationContext; + +- assert(this); +- assert(this->hook == security_hook); ++static bool validate_payload( ++ const void *ctx, const EFI_DEVICE_PATH *device_path, const void *file_buffer, size_t file_size) { + +- if (file == this->payload_device_path) +- return EFI_SUCCESS; ++ const ValidationContext *payload = ASSERT_PTR(ctx); + +- return this->original_security->FileAuthenticationState( +- this->original_security, authentication_status, file); +-} +- +-static EFIAPI EFI_STATUS security2_hook( +- const SecurityOverride *this, +- const EFI_DEVICE_PATH *device_path, +- void *file_buffer, +- size_t file_size, +- BOOLEAN boot_policy) { +- +- assert(this); +- assert(this->hook == security2_hook); ++ if (device_path != payload->device_path) ++ return false; + +- if (file_buffer == this->payload && file_size == this->payload_len && +- device_path == this->payload_device_path) +- return EFI_SUCCESS; ++ /* Security arch (1) protocol does not provide a file buffer. Instead we are supposed to fetch the payload ++ * ourselves, which is not needed as we already have everything in memory and the device paths match. */ ++ if (file_buffer && (file_buffer != payload->addr || file_size != payload->len)) ++ return false; + +- return this->original_security2->FileAuthentication( +- this->original_security2, device_path, file_buffer, file_size, boot_policy); ++ return true; + } + + static EFI_STATUS load_image(EFI_HANDLE parent, const void *source, size_t len, EFI_HANDLE *ret_image) { +@@ -79,19 +70,13 @@ static EFI_STATUS load_image(EFI_HANDLE parent, const void *source, size_t len, + + /* We want to support unsigned kernel images as payload, which is safe to do under secure boot + * because it is embedded in this stub loader (and since it is already running it must be trusted). */ +- SecurityOverride security_override = { +- .hook = security_hook, +- .payload = source, +- .payload_len = len, +- .payload_device_path = &payload_device_path.payload.Header, +- }, security2_override = { +- .hook = security2_hook, +- .payload = source, +- .payload_len = len, +- .payload_device_path = &payload_device_path.payload.Header, +- }; +- +- install_security_override(&security_override, &security2_override); ++ install_security_override( ++ validate_payload, ++ &(ValidationContext) { ++ .addr = source, ++ .len = len, ++ .device_path = &payload_device_path.payload.Header, ++ }); + + EFI_STATUS ret = BS->LoadImage( + /*BootPolicy=*/false, +@@ -101,7 +86,7 @@ static EFI_STATUS load_image(EFI_HANDLE parent, const void *source, size_t len, + len, + ret_image); + +- uninstall_security_override(&security_override, &security2_override); ++ uninstall_security_override(); + + return ret; + } +diff --git a/src/boot/efi/secure-boot.c b/src/boot/efi/secure-boot.c +index 171b2c96b3..0e615c55e0 100644 +--- a/src/boot/efi/secure-boot.c ++++ b/src/boot/efi/secure-boot.c +@@ -127,10 +127,60 @@ out_deallocate: + return err; + } + +-static EFI_STATUS install_security_override_one(EFI_GUID guid, SecurityOverride *override) { ++static struct SecurityOverride { ++ /* Our own security arch instances that we register onto original_handle, thereby replacing the ++ * firmware provided instances. */ ++ EFI_SECURITY_ARCH_PROTOCOL override; ++ EFI_SECURITY2_ARCH_PROTOCOL override2; ++ ++ /* These are saved so we can uninstall our own instance later. */ ++ EFI_HANDLE original_handle, original_handle2; ++ EFI_SECURITY_ARCH_PROTOCOL *original_security; ++ EFI_SECURITY2_ARCH_PROTOCOL *original_security2; ++ ++ security_validator_t validator; ++ const void *validator_ctx; ++} security_override; ++ ++static EFIAPI EFI_STATUS security_hook( ++ const EFI_SECURITY_ARCH_PROTOCOL *this, ++ uint32_t authentication_status, ++ const EFI_DEVICE_PATH *file) { ++ ++ assert(security_override.validator); ++ assert(security_override.original_security); ++ ++ if (security_override.validator(security_override.validator_ctx, file, NULL, 0)) ++ return EFI_SUCCESS; ++ ++ return security_override.original_security->FileAuthenticationState( ++ security_override.original_security, authentication_status, file); ++} ++ ++static EFIAPI EFI_STATUS security2_hook( ++ const EFI_SECURITY2_ARCH_PROTOCOL *this, ++ const EFI_DEVICE_PATH *device_path, ++ void *file_buffer, ++ size_t file_size, ++ BOOLEAN boot_policy) { ++ ++ assert(security_override.validator); ++ assert(security_override.original_security2); ++ ++ if (security_override.validator(security_override.validator_ctx, device_path, file_buffer, file_size)) ++ return EFI_SUCCESS; ++ ++ return security_override.original_security2->FileAuthentication( ++ security_override.original_security2, device_path, file_buffer, file_size, boot_policy); ++} ++ ++static EFI_STATUS install_security_override_one( ++ EFI_GUID guid, void *override, EFI_HANDLE *ret_original_handle, void **ret_original_security) { + EFI_STATUS err; + + assert(override); ++ assert(ret_original_handle); ++ assert(ret_original_security); + + _cleanup_free_ EFI_HANDLE *handles = NULL; + size_t n_handles = 0; +@@ -152,8 +202,8 @@ static EFI_STATUS install_security_override_one(EFI_GUID guid, SecurityOverride + if (err != EFI_SUCCESS) + return log_error_status_stall(err, u"Error overriding security arch protocol: %r", err); + +- override->original = security; +- override->original_handle = handles[0]; ++ *ret_original_security = security; ++ *ret_original_handle = handles[0]; + return EFI_SUCCESS; + } + +@@ -161,35 +211,46 @@ static EFI_STATUS install_security_override_one(EFI_GUID guid, SecurityOverride + * Specification) with the provided override instances. If not running in secure boot or the protocols are + * not available nothing happens. The override instances are provided with the necessary info to undo this + * in uninstall_security_override(). */ +-void install_security_override(SecurityOverride *override, SecurityOverride *override2) { +- assert(override); +- assert(override2); ++void install_security_override(security_validator_t validator, const void *validator_ctx) { ++ assert(validator); + + if (!secure_boot_enabled()) + return; + +- (void) install_security_override_one((EFI_GUID) EFI_SECURITY_ARCH_PROTOCOL_GUID, override); +- (void) install_security_override_one((EFI_GUID) EFI_SECURITY2_ARCH_PROTOCOL_GUID, override2); +-} ++ security_override = (struct SecurityOverride) { ++ { .FileAuthenticationState = security_hook, }, ++ { .FileAuthentication = security2_hook, }, ++ .validator = validator, ++ .validator_ctx = validator_ctx, ++ }; + +-void uninstall_security_override(SecurityOverride *override, SecurityOverride *override2) { +- assert(override); +- assert(override2); ++ (void) install_security_override_one( ++ (EFI_GUID) EFI_SECURITY_ARCH_PROTOCOL_GUID, ++ &security_override.override, ++ &security_override.original_handle, ++ (void **) &security_override.original_security); ++ (void) install_security_override_one( ++ (EFI_GUID) EFI_SECURITY2_ARCH_PROTOCOL_GUID, ++ &security_override.override2, ++ &security_override.original_handle2, ++ (void **) &security_override.original_security2); ++} + ++void uninstall_security_override(void) { + /* We use assert_se here to guarantee the system is not in a weird state in the unlikely case of an + * error restoring the original protocols. */ + +- if (override->original_handle) ++ if (security_override.original_handle) + assert_se(BS->ReinstallProtocolInterface( +- override->original_handle, +- &(EFI_GUID) EFI_SECURITY_ARCH_PROTOCOL_GUID, +- override, +- override->original) == EFI_SUCCESS); ++ security_override.original_handle, ++ &(EFI_GUID) EFI_SECURITY_ARCH_PROTOCOL_GUID, ++ &security_override.override, ++ security_override.original_security) == EFI_SUCCESS); + +- if (override2->original_handle) ++ if (security_override.original_handle2) + assert_se(BS->ReinstallProtocolInterface( +- override2->original_handle, +- &(EFI_GUID) EFI_SECURITY2_ARCH_PROTOCOL_GUID, +- override2, +- override2->original) == EFI_SUCCESS); ++ security_override.original_handle2, ++ &(EFI_GUID) EFI_SECURITY2_ARCH_PROTOCOL_GUID, ++ &security_override.override2, ++ security_override.original_security2) == EFI_SUCCESS); + } +diff --git a/src/boot/efi/secure-boot.h b/src/boot/efi/secure-boot.h +index 91b6770edb..e98de81c2a 100644 +--- a/src/boot/efi/secure-boot.h ++++ b/src/boot/efi/secure-boot.h +@@ -17,23 +17,11 @@ SecureBootMode secure_boot_mode(void); + + EFI_STATUS secure_boot_enroll_at(EFI_FILE *root_dir, const char16_t *path); + +-typedef struct { +- void *hook; +- +- /* End of EFI_SECURITY_ARCH(2)_PROTOCOL. The rest is our own protocol instance data. */ +- +- EFI_HANDLE original_handle; +- union { +- void *original; +- EFI_SECURITY_ARCH_PROTOCOL *original_security; +- EFI_SECURITY2_ARCH_PROTOCOL *original_security2; +- }; +- +- /* Used by the stub to identify the embedded image. */ +- const void *payload; +- size_t payload_len; +- const EFI_DEVICE_PATH *payload_device_path; +-} SecurityOverride; +- +-void install_security_override(SecurityOverride *override, SecurityOverride *override2); +-void uninstall_security_override(SecurityOverride *override, SecurityOverride *override2); ++typedef bool (*security_validator_t)( ++ const void *ctx, ++ const EFI_DEVICE_PATH *device_path, ++ const void *file_buffer, ++ size_t file_size); ++ ++void install_security_override(security_validator_t validator, const void *validator_ctx); ++void uninstall_security_override(void); +diff --git a/src/boot/efi/shim.c b/src/boot/efi/shim.c +index 3ae058cb84..ac224336bc 100644 +--- a/src/boot/efi/shim.c ++++ b/src/boot/efi/shim.c +@@ -23,7 +23,7 @@ + #endif + + struct ShimLock { +- EFI_STATUS __sysv_abi__ (*shim_verify) (void *buffer, uint32_t size); ++ EFI_STATUS __sysv_abi__ (*shim_verify) (const void *buffer, uint32_t size); + + /* context is actually a struct for the PE header, but it isn't needed so void is sufficient just do define the interface + * see shim.c/shim.h and PeHeader.h in the github shim repo */ +@@ -41,79 +41,45 @@ bool shim_loaded(void) { + return BS->LocateProtocol((EFI_GUID*) SHIM_LOCK_GUID, NULL, (void**) &shim_lock) == EFI_SUCCESS; + } + +-static bool shim_validate(void *data, uint32_t size) { +- struct ShimLock *shim_lock; +- +- if (!data) +- return false; +- +- if (BS->LocateProtocol((EFI_GUID*) SHIM_LOCK_GUID, NULL, (void**) &shim_lock) != EFI_SUCCESS) +- return false; +- +- if (!shim_lock) +- return false; +- +- return shim_lock->shim_verify(data, size) == EFI_SUCCESS; +-} +- +-static EFIAPI EFI_STATUS security2_hook( +- const SecurityOverride *this, +- const EFI_DEVICE_PATH *device_path, +- void *file_buffer, +- UINTN file_size, +- BOOLEAN boot_policy) { +- +- assert(this); +- assert(this->hook == security2_hook); +- +- if (shim_validate(file_buffer, file_size)) +- return EFI_SUCCESS; +- +- return this->original_security2->FileAuthentication( +- this->original_security2, device_path, file_buffer, file_size, boot_policy); +-} +- +-static EFIAPI EFI_STATUS security_hook( +- const SecurityOverride *this, +- uint32_t authentication_status, +- const EFI_DEVICE_PATH *device_path) { ++static bool shim_validate( ++ const void *ctx, const EFI_DEVICE_PATH *device_path, const void *file_buffer, size_t file_size) { + + EFI_STATUS err; ++ _cleanup_free_ char *file_buffer_owned = NULL; + +- assert(this); +- assert(this->hook == security_hook); ++ if (!file_buffer) { ++ if (!device_path) ++ return false; + +- if (!device_path) +- return this->original_security->FileAuthenticationState( +- this->original_security, authentication_status, device_path); ++ EFI_HANDLE device_handle; ++ EFI_DEVICE_PATH *file_dp = (EFI_DEVICE_PATH *) device_path; ++ err = BS->LocateDevicePath(&FileSystemProtocol, &file_dp, &device_handle); ++ if (err != EFI_SUCCESS) ++ return false; + +- EFI_HANDLE device_handle; +- EFI_DEVICE_PATH *dp = (EFI_DEVICE_PATH *) device_path; +- err = BS->LocateDevicePath(&FileSystemProtocol, &dp, &device_handle); +- if (err != EFI_SUCCESS) +- return err; ++ _cleanup_(file_closep) EFI_FILE *root = NULL; ++ err = open_volume(device_handle, &root); ++ if (err != EFI_SUCCESS) ++ return false; + +- _cleanup_(file_closep) EFI_FILE *root = NULL; +- err = open_volume(device_handle, &root); +- if (err != EFI_SUCCESS) +- return err; ++ _cleanup_free_ char16_t *dp_str = NULL; ++ err = device_path_to_str(file_dp, &dp_str); ++ if (err != EFI_SUCCESS) ++ return false; + +- _cleanup_free_ char16_t *dp_str = NULL; +- err = device_path_to_str(dp, &dp_str); +- if (err != EFI_SUCCESS) +- return err; ++ err = file_read(root, dp_str, 0, 0, &file_buffer_owned, &file_size); ++ if (err != EFI_SUCCESS) ++ return false; + +- char *file_buffer; +- size_t file_size; +- err = file_read(root, dp_str, 0, 0, &file_buffer, &file_size); +- if (err != EFI_SUCCESS) +- return err; ++ file_buffer = file_buffer_owned; ++ } + +- if (shim_validate(file_buffer, file_size)) +- return EFI_SUCCESS; ++ struct ShimLock *shim_lock; ++ err = BS->LocateProtocol((EFI_GUID *) SHIM_LOCK_GUID, NULL, (void **) &shim_lock); ++ if (err != EFI_SUCCESS) ++ return false; + +- return this->original_security->FileAuthenticationState( +- this->original_security, authentication_status, device_path); ++ return shim_lock->shim_verify(file_buffer, file_size) == EFI_SUCCESS; + } + + EFI_STATUS shim_load_image(EFI_HANDLE parent, const EFI_DEVICE_PATH *device_path, EFI_HANDLE *ret_image) { +@@ -122,20 +88,14 @@ EFI_STATUS shim_load_image(EFI_HANDLE parent, const EFI_DEVICE_PATH *device_path + + bool have_shim = shim_loaded(); + +- SecurityOverride security_override = { +- .hook = security_hook, +- }, security2_override = { +- .hook = security2_hook, +- }; +- + if (have_shim) +- install_security_override(&security_override, &security2_override); ++ install_security_override(shim_validate, NULL); + + EFI_STATUS ret = BS->LoadImage( + /*BootPolicy=*/false, parent, (EFI_DEVICE_PATH *) device_path, NULL, 0, ret_image); + + if (have_shim) +- uninstall_security_override(&security_override, &security2_override); ++ uninstall_security_override(); + + return ret; + } diff --git a/SOURCES/0048-boot-Replace-firmware-security-hooks-directly.patch b/SOURCES/0048-boot-Replace-firmware-security-hooks-directly.patch new file mode 100644 index 0000000..ee3bd53 --- /dev/null +++ b/SOURCES/0048-boot-Replace-firmware-security-hooks-directly.patch @@ -0,0 +1,185 @@ +From 8d0b70887a09b9d4a8b669620579d3b6780f0755 Mon Sep 17 00:00:00 2001 +From: Jan Janssen +Date: Tue, 15 Nov 2022 18:53:02 +0100 +Subject: [PATCH] boot: Replace firmware security hooks directly + +For some firmware, replacing their own security arch instance with our +override using ReinstallProtocolInterface() is not enough as they will +not use it. This commit goes back to how this was done before by +directly modifying the security protocols. + +Fixes: #25336 +(cherry picked from commit 967a868563996e928f1fade5bcafc82a7219742b) + +Related: #2138081 +--- + src/boot/efi/secure-boot.c | 119 +++++++++++++------------------------ + 1 file changed, 40 insertions(+), 79 deletions(-) + +diff --git a/src/boot/efi/secure-boot.c b/src/boot/efi/secure-boot.c +index 0e615c55e0..65457bf423 100644 +--- a/src/boot/efi/secure-boot.c ++++ b/src/boot/efi/secure-boot.c +@@ -128,15 +128,10 @@ out_deallocate: + } + + static struct SecurityOverride { +- /* Our own security arch instances that we register onto original_handle, thereby replacing the +- * firmware provided instances. */ +- EFI_SECURITY_ARCH_PROTOCOL override; +- EFI_SECURITY2_ARCH_PROTOCOL override2; +- +- /* These are saved so we can uninstall our own instance later. */ +- EFI_HANDLE original_handle, original_handle2; +- EFI_SECURITY_ARCH_PROTOCOL *original_security; +- EFI_SECURITY2_ARCH_PROTOCOL *original_security2; ++ EFI_SECURITY_ARCH_PROTOCOL *security; ++ EFI_SECURITY2_ARCH_PROTOCOL *security2; ++ EFI_SECURITY_FILE_AUTHENTICATION_STATE original_hook; ++ EFI_SECURITY2_FILE_AUTHENTICATION original_hook2; + + security_validator_t validator; + const void *validator_ctx; +@@ -148,13 +143,13 @@ static EFIAPI EFI_STATUS security_hook( + const EFI_DEVICE_PATH *file) { + + assert(security_override.validator); +- assert(security_override.original_security); ++ assert(security_override.security); ++ assert(security_override.original_hook); + + if (security_override.validator(security_override.validator_ctx, file, NULL, 0)) + return EFI_SUCCESS; + +- return security_override.original_security->FileAuthenticationState( +- security_override.original_security, authentication_status, file); ++ return security_override.original_hook(security_override.security, authentication_status, file); + } + + static EFIAPI EFI_STATUS security2_hook( +@@ -165,92 +160,58 @@ static EFIAPI EFI_STATUS security2_hook( + BOOLEAN boot_policy) { + + assert(security_override.validator); +- assert(security_override.original_security2); ++ assert(security_override.security2); ++ assert(security_override.original_hook2); + + if (security_override.validator(security_override.validator_ctx, device_path, file_buffer, file_size)) + return EFI_SUCCESS; + +- return security_override.original_security2->FileAuthentication( +- security_override.original_security2, device_path, file_buffer, file_size, boot_policy); ++ return security_override.original_hook2( ++ security_override.security2, device_path, file_buffer, file_size, boot_policy); + } + +-static EFI_STATUS install_security_override_one( +- EFI_GUID guid, void *override, EFI_HANDLE *ret_original_handle, void **ret_original_security) { ++/* This replaces the platform provided security arch protocols hooks (defined in the UEFI Platform ++ * Initialization Specification) with our own that uses the given validator to decide if a image is to be ++ * trusted. If not running in secure boot or the protocols are not available nothing happens. The override ++ * must be removed with uninstall_security_override() after LoadImage() has been called. ++ * ++ * This is a hack as we do not own the security protocol instances and modifying them is not an official part ++ * of their spec. But there is little else we can do to circumvent secure boot short of implementing our own ++ * PE loader. We could replace the firmware instances with our own instance using ++ * ReinstallProtocolInterface(), but some firmware will still use the old ones. */ ++void install_security_override(security_validator_t validator, const void *validator_ctx) { + EFI_STATUS err; + +- assert(override); +- assert(ret_original_handle); +- assert(ret_original_security); +- +- _cleanup_free_ EFI_HANDLE *handles = NULL; +- size_t n_handles = 0; +- +- err = BS->LocateHandleBuffer(ByProtocol, &guid, NULL, &n_handles, &handles); +- if (err != EFI_SUCCESS) +- /* No security arch protocol around? */ +- return err; +- +- /* There should only ever be one security arch protocol instance, but let's be paranoid here. */ +- assert(n_handles == 1); +- +- void *security = NULL; +- err = BS->LocateProtocol(&guid, NULL, &security); +- if (err != EFI_SUCCESS) +- return log_error_status_stall(err, u"Error getting security arch protocol: %r", err); +- +- err = BS->ReinstallProtocolInterface(handles[0], &guid, security, override); +- if (err != EFI_SUCCESS) +- return log_error_status_stall(err, u"Error overriding security arch protocol: %r", err); +- +- *ret_original_security = security; +- *ret_original_handle = handles[0]; +- return EFI_SUCCESS; +-} +- +-/* This replaces the platform provided security arch protocols (defined in the UEFI Platform Initialization +- * Specification) with the provided override instances. If not running in secure boot or the protocols are +- * not available nothing happens. The override instances are provided with the necessary info to undo this +- * in uninstall_security_override(). */ +-void install_security_override(security_validator_t validator, const void *validator_ctx) { + assert(validator); + + if (!secure_boot_enabled()) + return; + + security_override = (struct SecurityOverride) { +- { .FileAuthenticationState = security_hook, }, +- { .FileAuthentication = security2_hook, }, + .validator = validator, + .validator_ctx = validator_ctx, + }; + +- (void) install_security_override_one( +- (EFI_GUID) EFI_SECURITY_ARCH_PROTOCOL_GUID, +- &security_override.override, +- &security_override.original_handle, +- (void **) &security_override.original_security); +- (void) install_security_override_one( +- (EFI_GUID) EFI_SECURITY2_ARCH_PROTOCOL_GUID, +- &security_override.override2, +- &security_override.original_handle2, +- (void **) &security_override.original_security2); ++ EFI_SECURITY_ARCH_PROTOCOL *security = NULL; ++ err = BS->LocateProtocol(&(EFI_GUID) EFI_SECURITY_ARCH_PROTOCOL_GUID, NULL, (void **) &security); ++ if (err == EFI_SUCCESS) { ++ security_override.security = security; ++ security_override.original_hook = security->FileAuthenticationState; ++ security->FileAuthenticationState = security_hook; ++ } ++ ++ EFI_SECURITY2_ARCH_PROTOCOL *security2 = NULL; ++ err = BS->LocateProtocol(&(EFI_GUID) EFI_SECURITY2_ARCH_PROTOCOL_GUID, NULL, (void **) &security2); ++ if (err == EFI_SUCCESS) { ++ security_override.security2 = security2; ++ security_override.original_hook2 = security2->FileAuthentication; ++ security2->FileAuthentication = security2_hook; ++ } + } + + void uninstall_security_override(void) { +- /* We use assert_se here to guarantee the system is not in a weird state in the unlikely case of an +- * error restoring the original protocols. */ +- +- if (security_override.original_handle) +- assert_se(BS->ReinstallProtocolInterface( +- security_override.original_handle, +- &(EFI_GUID) EFI_SECURITY_ARCH_PROTOCOL_GUID, +- &security_override.override, +- security_override.original_security) == EFI_SUCCESS); +- +- if (security_override.original_handle2) +- assert_se(BS->ReinstallProtocolInterface( +- security_override.original_handle2, +- &(EFI_GUID) EFI_SECURITY2_ARCH_PROTOCOL_GUID, +- &security_override.override2, +- security_override.original_security2) == EFI_SUCCESS); ++ if (security_override.original_hook) ++ security_override.security->FileAuthenticationState = security_override.original_hook; ++ if (security_override.original_hook2) ++ security_override.security2->FileAuthentication = security_override.original_hook2; + } diff --git a/SOURCES/0049-networkd-ipv4acd.c-Use-net-if.h-for-getting-IFF_LOOP.patch b/SOURCES/0049-networkd-ipv4acd.c-Use-net-if.h-for-getting-IFF_LOOP.patch new file mode 100644 index 0000000..789b812 --- /dev/null +++ b/SOURCES/0049-networkd-ipv4acd.c-Use-net-if.h-for-getting-IFF_LOOP.patch @@ -0,0 +1,31 @@ +From a43bf9f897002744610a9ea5ce7bdc91c3e3dc83 Mon Sep 17 00:00:00 2001 +From: Khem Raj +Date: Tue, 8 Nov 2022 12:21:35 -0800 +Subject: [PATCH] networkd-ipv4acd.c: Use net/if.h for getting IFF_LOOPBACK + definition + +This helps in avoiding compiling errors on musl. Definition of +IFF_LOOPBACK is the reason for including linux/if_arp.h, this however +could be obtained from net/if.h glibc header equally and makes it +portable as well. + +(cherry picked from commit 239e4a42a69c31e55e58618d800e0d68c68931d3) + +Related: #2138081 +--- + src/network/networkd-ipv4acd.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/src/network/networkd-ipv4acd.c b/src/network/networkd-ipv4acd.c +index 4127657ebd..877dee00ec 100644 +--- a/src/network/networkd-ipv4acd.c ++++ b/src/network/networkd-ipv4acd.c +@@ -1,6 +1,7 @@ + /* SPDX-License-Identifier: LGPL-2.1-or-later */ + +-#include ++#include /* IFF_LOOPBACK */ ++#include /* ARPHRD_ETHER */ + + #include "sd-dhcp-client.h" + #include "sd-ipv4acd.h" diff --git a/SOURCES/0050-Revert-initrd-extend-SYSTEMD_IN_INITRD-to-accept-non.patch b/SOURCES/0050-Revert-initrd-extend-SYSTEMD_IN_INITRD-to-accept-non.patch new file mode 100644 index 0000000..c730373 --- /dev/null +++ b/SOURCES/0050-Revert-initrd-extend-SYSTEMD_IN_INITRD-to-accept-non.patch @@ -0,0 +1,111 @@ +From 94f9a80db599dcc298f3058e5cf2bb60c4972228 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Thu, 24 Nov 2022 13:58:39 +0100 +Subject: [PATCH] Revert "initrd: extend SYSTEMD_IN_INITRD to accept non-ramfs + rootfs" + +This reverts commit 1f22621ba33f8089d2ae5fbcaf8b3970dd68aaf0. + +This is a replacement for b1fd5cd4eda02a323db93d7daa97f5138f89677d. See that +commit for details. + +Related: #2138081 +--- + docs/ENVIRONMENT.md | 10 +++------- + src/basic/util.c | 47 ++++++++------------------------------------- + 2 files changed, 11 insertions(+), 46 deletions(-) + +diff --git a/docs/ENVIRONMENT.md b/docs/ENVIRONMENT.md +index a840dd0c90..ab3add6031 100644 +--- a/docs/ENVIRONMENT.md ++++ b/docs/ENVIRONMENT.md +@@ -73,13 +73,9 @@ All tools: + (relevant in particular for the system manager and `systemd-hostnamed`). + Must be a valid hostname (either a single label or a FQDN). + +-* `$SYSTEMD_IN_INITRD=[auto|lenient|0|1]` — if set, specifies initrd detection +- method. Defaults to `auto`. Behavior is defined as follows: +- `auto`: Checks if `/etc/initrd-release` exists, and a temporary fs is mounted +- on `/`. If both conditions meet, then it's in initrd. +- `lenient`: Similar to `auto`, but the rootfs check is skipped. +- `0|1`: Simply overrides initrd detection. This is useful for debugging and +- testing initrd-only programs in the main system. ++* `$SYSTEMD_IN_INITRD` — takes a boolean. If set, overrides initrd detection. ++ This is useful for debugging and testing initrd-only programs in the main ++ system. + + * `$SYSTEMD_BUS_TIMEOUT=SECS` — specifies the maximum time to wait for method call + completion. If no time unit is specified, assumes seconds. The usual other units +diff --git a/src/basic/util.c b/src/basic/util.c +index d7ef382737..981f917fab 100644 +--- a/src/basic/util.c ++++ b/src/basic/util.c +@@ -52,13 +52,11 @@ int prot_from_flags(int flags) { + + bool in_initrd(void) { + int r; +- const char *e; +- bool lenient = false; + + if (saved_in_initrd >= 0) + return saved_in_initrd; + +- /* We have two checks here: ++ /* We make two checks here: + * + * 1. the flag file /etc/initrd-release must exist + * 2. the root file system must be a memory file system +@@ -66,46 +64,17 @@ bool in_initrd(void) { + * The second check is extra paranoia, since misdetecting an + * initrd can have bad consequences due the initrd + * emptying when transititioning to the main systemd. +- * +- * If env var $SYSTEMD_IN_INITRD is not set or set to "auto", +- * both checks are used. If it's set to "lenient", only check +- * 1 is used. If set to a boolean value, then the boolean +- * value is returned. + */ + +- e = secure_getenv("SYSTEMD_IN_INITRD"); +- if (e) { +- if (streq(e, "lenient")) +- lenient = true; +- else if (!streq(e, "auto")) { +- r = parse_boolean(e); +- if (r >= 0) { +- saved_in_initrd = r > 0; +- return saved_in_initrd; +- } +- log_debug_errno(r, "Failed to parse $SYSTEMD_IN_INITRD, ignoring: %m"); +- } +- } +- +- if (!lenient) { +- r = path_is_temporary_fs("/"); +- if (r < 0) +- log_debug_errno(r, "Couldn't determine if / is a temporary file system: %m"); ++ r = getenv_bool_secure("SYSTEMD_IN_INITRD"); ++ if (r < 0 && r != -ENXIO) ++ log_debug_errno(r, "Failed to parse $SYSTEMD_IN_INITRD, ignoring: %m"); + ++ if (r >= 0) + saved_in_initrd = r > 0; +- } +- +- r = access("/etc/initrd-release", F_OK); +- if (r >= 0) { +- if (saved_in_initrd == 0) +- log_debug("/etc/initrd-release exists, but it's not an initrd."); +- else +- saved_in_initrd = 1; +- } else { +- if (errno != ENOENT) +- log_debug_errno(errno, "Failed to test if /etc/initrd-release exists: %m"); +- saved_in_initrd = 0; +- } ++ else ++ saved_in_initrd = access("/etc/initrd-release", F_OK) >= 0 && ++ path_is_temporary_fs("/") > 0; + + return saved_in_initrd; + } diff --git a/SOURCES/0051-pid1-skip-cleanup-if-root-is-not-tmpfs-ramfs.patch b/SOURCES/0051-pid1-skip-cleanup-if-root-is-not-tmpfs-ramfs.patch new file mode 100644 index 0000000..83e511c --- /dev/null +++ b/SOURCES/0051-pid1-skip-cleanup-if-root-is-not-tmpfs-ramfs.patch @@ -0,0 +1,124 @@ +From 7b6a09c47f1fee035c4b42840fabf65edce12aa8 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Mon, 7 Nov 2022 12:40:20 +0100 +Subject: [PATCH] pid1: skip cleanup if root is not tmpfs/ramfs + +in_initrd() was really doing two things: checking if we're in the initrd, and +also verifying that the initrd is set up correctly. But this second check is +complicated, in particular it would return false for overlayfs, even with an +upper tmpfs layer. It also doesn't support the use case of having an initial +initrd with tmpfs, and then transitioning into an intermediate initrd that is +e.g. a DDI, i.e. a filesystem possibly with verity arranged as a disk image. + +We don't need to check if we're in initrd in every program. Instead, concerns +are separated: +- in_initrd() just does a simple check for /etc/initrd-release. +- When doing cleanup, pid1 checks if it's on a tmpfs before starting to wipe + the old root. The only case where we want to remove the old root is when + we're on a plain tempory filesystem. With an overlay, we'd be creating + whiteout files, which is not very useful. (*) + +This should resolve https://bugzilla.redhat.com/show_bug.cgi?id=2137631 +which is caused by systemd refusing to treat the system as an initrd because +overlayfs is used. + +(*) I think the idea of keeping the initrd fs around for shutdown is outdated. +We should just have a completely separate exitrd that is unpacked when we want +to shut down. This way, we don't waste memory at runtime, and we also don't +transition to a potentially older version of systemd. But we don't have support +for this yet. + +This replaces 0fef5b0f0bd9ded1ae7bcb3e4e4b2893e36c51a6. + +(cherry picked from commit a940f507fbe1c81d6787dc0b7ce232c39818eec9) + +Related: #2138081 +--- + src/basic/util.c | 19 ++++++++----------- + src/shared/switch-root.c | 22 ++++++++++++---------- + 2 files changed, 20 insertions(+), 21 deletions(-) + +diff --git a/src/basic/util.c b/src/basic/util.c +index 981f917fab..e6aaa2dc9b 100644 +--- a/src/basic/util.c ++++ b/src/basic/util.c +@@ -56,14 +56,8 @@ bool in_initrd(void) { + if (saved_in_initrd >= 0) + return saved_in_initrd; + +- /* We make two checks here: +- * +- * 1. the flag file /etc/initrd-release must exist +- * 2. the root file system must be a memory file system +- * +- * The second check is extra paranoia, since misdetecting an +- * initrd can have bad consequences due the initrd +- * emptying when transititioning to the main systemd. ++ /* If /etc/initrd-release exists, we're in an initrd. ++ * This can be overridden by setting SYSTEMD_IN_INITRD=0|1. + */ + + r = getenv_bool_secure("SYSTEMD_IN_INITRD"); +@@ -72,9 +66,12 @@ bool in_initrd(void) { + + if (r >= 0) + saved_in_initrd = r > 0; +- else +- saved_in_initrd = access("/etc/initrd-release", F_OK) >= 0 && +- path_is_temporary_fs("/") > 0; ++ else { ++ r = access("/etc/initrd-release", F_OK); ++ if (r < 0 && errno != ENOENT) ++ log_debug_errno(r, "Failed to check if /etc/initrd-release exists, assuming it does not: %m"); ++ saved_in_initrd = r >= 0; ++ } + + return saved_in_initrd; + } +diff --git a/src/shared/switch-root.c b/src/shared/switch-root.c +index 1a444841fa..4cad3551a6 100644 +--- a/src/shared/switch-root.c ++++ b/src/shared/switch-root.c +@@ -32,7 +32,6 @@ int switch_root(const char *new_root, + + _cleanup_free_ char *resolved_old_root_after = NULL; + _cleanup_close_ int old_root_fd = -1; +- bool old_root_remove; + int r; + + assert(new_root); +@@ -42,12 +41,16 @@ int switch_root(const char *new_root, + return 0; + + /* Check if we shall remove the contents of the old root */ +- old_root_remove = in_initrd(); +- if (old_root_remove) { +- old_root_fd = open("/", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_NOCTTY|O_DIRECTORY); +- if (old_root_fd < 0) +- return log_error_errno(errno, "Failed to open root directory: %m"); +- } ++ old_root_fd = open("/", O_RDONLY | O_CLOEXEC | O_DIRECTORY); ++ if (old_root_fd < 0) ++ return log_error_errno(errno, "Failed to open root directory: %m"); ++ r = fd_is_temporary_fs(old_root_fd); ++ if (r < 0) ++ return log_error_errno(r, "Failed to stat root directory: %m"); ++ if (r > 0) ++ log_debug("Root directory is on tmpfs, will do cleanup later."); ++ else ++ old_root_fd = safe_close(old_root_fd); + + /* Determine where we shall place the old root after the transition */ + r = chase_symlinks(old_root_after, new_root, CHASE_PREFIX_ROOT|CHASE_NONEXISTENT, &resolved_old_root_after, NULL); +@@ -117,9 +120,8 @@ int switch_root(const char *new_root, + struct stat rb; + + if (fstat(old_root_fd, &rb) < 0) +- log_warning_errno(errno, "Failed to stat old root directory, leaving: %m"); +- else +- (void) rm_rf_children(TAKE_FD(old_root_fd), 0, &rb); /* takes possession of the dir fd, even on failure */ ++ return log_error_errno(errno, "Failed to stat old root directory: %m"); ++ (void) rm_rf_children(TAKE_FD(old_root_fd), 0, &rb); /* takes possession of the dir fd, even on failure */ + } + + return 0; diff --git a/SOURCES/0052-ac-power-check-battery-existence-and-status.patch b/SOURCES/0052-ac-power-check-battery-existence-and-status.patch new file mode 100644 index 0000000..0c186a2 --- /dev/null +++ b/SOURCES/0052-ac-power-check-battery-existence-and-status.patch @@ -0,0 +1,106 @@ +From 2ac7d7a818788110342a99978680485fbe27cc25 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Fri, 11 Nov 2022 13:54:03 +0900 +Subject: [PATCH] ac-power: check battery existence and status + +If a battery is not present or its status is not discharging, then +the battery should not be used as a power source. +Let's count batteries currently discharging. + +Fixes #25316. + +(cherry picked from commit 1c03f7f4ba419aa65997e90accc0d935ae1cfbc5) + +Related: #2138081 +--- + src/shared/udev-util.c | 58 ++++++++++++++++++++++++++++++++---------- + 1 file changed, 44 insertions(+), 14 deletions(-) + +diff --git a/src/shared/udev-util.c b/src/shared/udev-util.c +index aac02cd61b..7d95353452 100644 +--- a/src/shared/udev-util.c ++++ b/src/shared/udev-util.c +@@ -642,9 +642,46 @@ static int device_is_power_sink(sd_device *device) { + return found_sink || !found_source; + } + ++static bool battery_is_discharging(sd_device *d) { ++ const char *val; ++ int r; ++ ++ assert(d); ++ ++ r = sd_device_get_sysattr_value(d, "scope", &val); ++ if (r < 0) { ++ if (r != -ENOENT) ++ log_device_debug_errno(d, r, "Failed to read 'scope' sysfs attribute, ignoring: %m"); ++ } else if (streq(val, "Device")) { ++ log_device_debug(d, "The power supply is a device battery, ignoring device."); ++ return false; ++ } ++ ++ r = device_get_sysattr_bool(d, "present"); ++ if (r < 0) ++ log_device_debug_errno(d, r, "Failed to read 'present' sysfs attribute, assuming the battery is present: %m"); ++ else if (r == 0) { ++ log_device_debug(d, "The battery is not present, ignoring the power supply."); ++ return false; ++ } ++ ++ /* Possible values: "Unknown", "Charging", "Discharging", "Not charging", "Full" */ ++ r = sd_device_get_sysattr_value(d, "status", &val); ++ if (r < 0) { ++ log_device_debug_errno(d, r, "Failed to read 'status' sysfs attribute, assuming the battery is discharging: %m"); ++ return true; ++ } ++ if (!streq(val, "Discharging")) { ++ log_device_debug(d, "The battery status is '%s', assuming the battery is not used as a power source of this machine.", val); ++ return false; ++ } ++ ++ return true; ++} ++ + int on_ac_power(void) { + _cleanup_(sd_device_enumerator_unrefp) sd_device_enumerator *e = NULL; +- bool found_ac_online = false, found_battery = false; ++ bool found_ac_online = false, found_discharging_battery = false; + sd_device *d; + int r; + +@@ -686,17 +723,10 @@ int on_ac_power(void) { + } + + if (streq(val, "Battery")) { +- r = sd_device_get_sysattr_value(d, "scope", &val); +- if (r < 0) { +- if (r != -ENOENT) +- log_device_debug_errno(d, r, "Failed to read 'scope' sysfs attribute, ignoring: %m"); +- } else if (streq(val, "Device")) { +- log_device_debug(d, "The power supply is a device battery, ignoring device."); +- continue; ++ if (battery_is_discharging(d)) { ++ found_discharging_battery = true; ++ log_device_debug(d, "The power supply is a battery and currently discharging."); + } +- +- found_battery = true; +- log_device_debug(d, "The power supply is battery."); + continue; + } + +@@ -713,11 +743,11 @@ int on_ac_power(void) { + if (found_ac_online) { + log_debug("Found at least one online non-battery power supply, system is running on AC."); + return true; +- } else if (found_battery) { +- log_debug("Found battery and no online power sources, assuming system is running from battery."); ++ } else if (found_discharging_battery) { ++ log_debug("Found at least one discharging battery and no online power sources, assuming system is running from battery."); + return false; + } else { +- log_debug("No power supply reported online and no battery, assuming system is running on AC."); ++ log_debug("No power supply reported online and no discharging battery found, assuming system is running on AC."); + return true; + } + } diff --git a/SOURCES/0053-systemctl-do-not-show-unit-properties-with-all.patch b/SOURCES/0053-systemctl-do-not-show-unit-properties-with-all.patch new file mode 100644 index 0000000..eee52a5 --- /dev/null +++ b/SOURCES/0053-systemctl-do-not-show-unit-properties-with-all.patch @@ -0,0 +1,34 @@ +From c2317e2a2be2dd39266b82712ec9569a86f7fde3 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Sun, 13 Nov 2022 21:10:56 +0900 +Subject: [PATCH] systemctl: do not show unit properties with --all + +Fixes a bug introduced by a6e334649d4bdff0c6f664e98666b2223aa21a8b. + +Fixes #25343. + +(cherry picked from commit 0b51a1c8c4c77f98a8c234cd2c7a7849329be027) + +Related: #2138081 +--- + src/systemctl/systemctl-show.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/src/systemctl/systemctl-show.c b/src/systemctl/systemctl-show.c +index 8d3db98c0a..24c7d564b8 100644 +--- a/src/systemctl/systemctl-show.c ++++ b/src/systemctl/systemctl-show.c +@@ -2207,9 +2207,10 @@ int verb_show(int argc, char *argv[], void *userdata) { + + if (!arg_states && !arg_types) { + if (show_mode == SYSTEMCTL_SHOW_PROPERTIES) +- r = show_one(bus, "/org/freedesktop/systemd1", NULL, show_mode, &new_line, &ellipsized); +- else +- r = show_system_status(bus); ++ /* systemctl show --all → show properties of the manager */ ++ return show_one(bus, "/org/freedesktop/systemd1", NULL, show_mode, &new_line, &ellipsized); ++ ++ r = show_system_status(bus); + if (r < 0) + return r; + diff --git a/SOURCES/0054-Fix-reading-etc-machine-id-in-kernel-install-25388.patch b/SOURCES/0054-Fix-reading-etc-machine-id-in-kernel-install-25388.patch new file mode 100644 index 0000000..be70de1 --- /dev/null +++ b/SOURCES/0054-Fix-reading-etc-machine-id-in-kernel-install-25388.patch @@ -0,0 +1,46 @@ +From abbfdf2aa3e17a84d0f4075f125e670defaf7296 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Marcus=20Sch=C3=A4fer?= +Date: Wed, 16 Nov 2022 00:17:19 +0100 +Subject: [PATCH] Fix reading /etc/machine-id in kernel-install (#25388) + +* Fix reading /etc/machine-id in kernel-install + +The kernel-install script has code to read the contents of +/etc/machine-id into the MACHINE_ID variable. Depending +on the variable content kernel-install either logs the +value or creates a new machine id via 'systemd-id128 new'. +In that logic there is one issue. If the file /etc/machine-id +exists but is empty, the script tries to call read on an +empty file which return with an exit code != 0. As the +script code also uses 'set -e', kernel-install will exit at +this point which is unexpected. + +The condition of an empty /etc/machine-id file exists for +example when building OS images, which should initialize the +system id on first boot but not staticly inside of the image. +afaik an empty /etc/machine-id is also a common approach +to make systemd indicate that it should create a new system +id. Because of this, the commit makes sure the reading of +/etc/machine-id does not fail in any case such that the +handling of the MACHINE_ID variable takes place. + +(cherry picked from commit 883e7cbfc0dba6c81338e7924419b5cbb0cba0b2) + +Related: #2138081 +--- + src/kernel-install/kernel-install.in | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/kernel-install/kernel-install.in b/src/kernel-install/kernel-install.in +index 22eb4d2be1..bba22f8a20 100755 +--- a/src/kernel-install/kernel-install.in ++++ b/src/kernel-install/kernel-install.in +@@ -158,7 +158,7 @@ if [ -z "$MACHINE_ID" ] && [ -f /etc/machine-info ]; then + [ -n "$MACHINE_ID" ] && \ + log_verbose "machine-id $MACHINE_ID acquired from /etc/machine-info" + fi +-if [ -z "$MACHINE_ID" ] && [ -f /etc/machine-id ]; then ++if [ -z "$MACHINE_ID" ] && [ -s /etc/machine-id ]; then + read -r MACHINE_ID +Date: Mon, 14 Nov 2022 12:45:47 +0100 +Subject: [PATCH] Revert "journal: Make sd_journal_previous/next() return 0 at + HEAD/TAIL" + +This commit broke backwards compatibility so let's revert it until +we find a better solution. + +This reverts commit 977ad21b5b8f6323515297bd8995dcaaca0905df. + +(cherry picked from commit 1db6dbb1dcdacfd7d2b4c84562fc6e77bc8c43a5) + +Related: #2138081 +--- + src/journal/test-journal-interleaving.c | 4 ---- + src/libsystemd/sd-journal/sd-journal.c | 8 ++++---- + 2 files changed, 4 insertions(+), 8 deletions(-) + +diff --git a/src/journal/test-journal-interleaving.c b/src/journal/test-journal-interleaving.c +index 378bf162ca..b3ae4b8143 100644 +--- a/src/journal/test-journal-interleaving.c ++++ b/src/journal/test-journal-interleaving.c +@@ -158,7 +158,6 @@ static void test_skip_one(void (*setup)(void)) { + */ + assert_ret(sd_journal_open_directory(&j, t, 0)); + assert_ret(sd_journal_seek_head(j)); +- assert_ret(sd_journal_previous(j) == 0); + assert_ret(sd_journal_next(j)); + test_check_numbers_down(j, 4); + sd_journal_close(j); +@@ -167,7 +166,6 @@ static void test_skip_one(void (*setup)(void)) { + */ + assert_ret(sd_journal_open_directory(&j, t, 0)); + assert_ret(sd_journal_seek_tail(j)); +- assert_ret(sd_journal_next(j) == 0); + assert_ret(sd_journal_previous(j)); + test_check_numbers_up(j, 4); + sd_journal_close(j); +@@ -176,7 +174,6 @@ static void test_skip_one(void (*setup)(void)) { + */ + assert_ret(sd_journal_open_directory(&j, t, 0)); + assert_ret(sd_journal_seek_tail(j)); +- assert_ret(sd_journal_next(j) == 0); + assert_ret(r = sd_journal_previous_skip(j, 4)); + assert_se(r == 4); + test_check_numbers_down(j, 4); +@@ -186,7 +183,6 @@ static void test_skip_one(void (*setup)(void)) { + */ + assert_ret(sd_journal_open_directory(&j, t, 0)); + assert_ret(sd_journal_seek_head(j)); +- assert_ret(sd_journal_previous(j) == 0); + assert_ret(r = sd_journal_next_skip(j, 4)); + assert_se(r == 4); + test_check_numbers_up(j, 4); +diff --git a/src/libsystemd/sd-journal/sd-journal.c b/src/libsystemd/sd-journal/sd-journal.c +index 53c0b2a01e..1e4d128f05 100644 +--- a/src/libsystemd/sd-journal/sd-journal.c ++++ b/src/libsystemd/sd-journal/sd-journal.c +@@ -606,9 +606,9 @@ static int find_location_for_match( + /* FIXME: missing: find by monotonic */ + + if (j->current_location.type == LOCATION_HEAD) +- return direction == DIRECTION_DOWN ? journal_file_next_entry_for_data(f, d, DIRECTION_DOWN, ret, offset) : 0; ++ return journal_file_next_entry_for_data(f, d, DIRECTION_DOWN, ret, offset); + if (j->current_location.type == LOCATION_TAIL) +- return direction == DIRECTION_UP ? journal_file_next_entry_for_data(f, d, DIRECTION_UP, ret, offset) : 0; ++ return journal_file_next_entry_for_data(f, d, DIRECTION_UP, ret, offset); + if (j->current_location.seqnum_set && sd_id128_equal(j->current_location.seqnum_id, f->header->seqnum_id)) + return journal_file_move_to_entry_by_seqnum_for_data(f, d, j->current_location.seqnum, direction, ret, offset); + if (j->current_location.monotonic_set) { +@@ -701,9 +701,9 @@ static int find_location_with_matches( + /* No matches is simple */ + + if (j->current_location.type == LOCATION_HEAD) +- return direction == DIRECTION_DOWN ? journal_file_next_entry(f, 0, DIRECTION_DOWN, ret, offset) : 0; ++ return journal_file_next_entry(f, 0, DIRECTION_DOWN, ret, offset); + if (j->current_location.type == LOCATION_TAIL) +- return direction == DIRECTION_UP ? journal_file_next_entry(f, 0, DIRECTION_UP, ret, offset) : 0; ++ return journal_file_next_entry(f, 0, DIRECTION_UP, ret, offset); + if (j->current_location.seqnum_set && sd_id128_equal(j->current_location.seqnum_id, f->header->seqnum_id)) + return journal_file_move_to_entry_by_seqnum(f, j->current_location.seqnum, direction, ret, offset); + if (j->current_location.monotonic_set) { diff --git a/SOURCES/0056-boot-Correctly-handle-saved-default-patterns.patch b/SOURCES/0056-boot-Correctly-handle-saved-default-patterns.patch new file mode 100644 index 0000000..1820864 --- /dev/null +++ b/SOURCES/0056-boot-Correctly-handle-saved-default-patterns.patch @@ -0,0 +1,29 @@ +From f740d67fd0ed36bc3318d724ccb1fdfca2f04125 Mon Sep 17 00:00:00 2001 +From: Jan Janssen +Date: Sun, 4 Sep 2022 00:22:23 +0200 +Subject: [PATCH] boot: Correctly handle @saved default patterns + +(cherry picked from commit 7941f11acb67c4f8ec857a791a51f3148af67b32) + +Related: #2138081 +--- + src/shared/bootspec.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/src/shared/bootspec.c b/src/shared/bootspec.c +index 6a34b10c04..d3cfb41a12 100644 +--- a/src/shared/bootspec.c ++++ b/src/shared/bootspec.c +@@ -994,6 +994,12 @@ static int boot_config_find(const BootConfig *config, const char *id) { + if (!id) + return -1; + ++ if (id[0] == '@') { ++ if (!strcaseeq(id, "@saved")) ++ return -1; ++ id = config->entry_selected; ++ } ++ + for (size_t i = 0; i < config->n_entries; i++) + if (fnmatch(id, config->entries[i].id, FNM_CASEFOLD) == 0) + return i; diff --git a/SOURCES/0057-shared-tpm2-util-Fix-Error-Esys-invalid-ESAPI-handle.patch b/SOURCES/0057-shared-tpm2-util-Fix-Error-Esys-invalid-ESAPI-handle.patch new file mode 100644 index 0000000..220358d --- /dev/null +++ b/SOURCES/0057-shared-tpm2-util-Fix-Error-Esys-invalid-ESAPI-handle.patch @@ -0,0 +1,82 @@ +From fda254c954d6a543e1977edc1d283c915ee43adc Mon Sep 17 00:00:00 2001 +From: Vitaly Kuznetsov +Date: Tue, 15 Nov 2022 14:57:23 +0100 +Subject: [PATCH] shared/tpm2-util: Fix "Error: Esys invalid ESAPI handle + (40000001)" warning + +systemd-cryptenroll complains (but succeeds!) upon binding to a signed PCR +policy: + +$ systemd-cryptenroll --unlock-key-file=/tmp/passphrase --tpm2-device=auto + --tpm2-public-key=... --tpm2-signature=..." /tmp/tmp.img + +ERROR:esys:src/tss2-esys/esys_iutil.c:394:iesys_handle_to_tpm_handle() Error: Esys invalid ESAPI handle (40000001). +WARNING:esys:src/tss2-esys/esys_iutil.c:415:iesys_is_platform_handle() Convert handle from TPM2_RH to ESYS_TR, got: 0x40000001 +ERROR:esys:src/tss2-esys/esys_iutil.c:394:iesys_handle_to_tpm_handle() Error: Esys invalid ESAPI handle (40000001). +WARNING:esys:src/tss2-esys/esys_iutil.c:415:iesys_is_platform_handle() Convert handle from TPM2_RH to ESYS_TR, got: 0x4000000 +New TPM2 token enrolled as key slot 1. + +The problem seems to be that Esys_LoadExternal() function from tpm2-tss +expects a 'ESYS_TR_RH*' constant specifying the requested hierarchy and not +a 'TPM2_RH_*' one (see Esys_LoadExternal() -> Esys_LoadExternal_Async() -> +iesys_handle_to_tpm_handle() call chain). + +It all works because Esys_LoadExternal_Async() falls back to using the +supplied values when iesys_handle_to_tpm_handle() fails: + + r = iesys_handle_to_tpm_handle(hierarchy, &tpm_hierarchy); + if (r != TSS2_RC_SUCCESS) { + ... + tpm_hierarchy = hierarchy; + } + +Note, TPM2_RH_OWNER was used on purpose to support older tpm2-tss versions +(pre https://github.com/tpm2-software/tpm2-tss/pull/1531), use meson magic +to preserve compatibility. + +Signed-off-by: Vitaly Kuznetsov +(cherry picked from commit 155c51293d5bf37f54c65fd0a66ea29e6eedd580) + +Related: #2138081 +--- + meson.build | 3 +++ + src/shared/tpm2-util.c | 6 ++++++ + 2 files changed, 9 insertions(+) + +diff --git a/meson.build b/meson.build +index 7750534466..015849af49 100644 +--- a/meson.build ++++ b/meson.build +@@ -1474,11 +1474,14 @@ if want_tpm2 != 'false' and not skip_deps + tpm2 = dependency('tss2-esys tss2-rc tss2-mu', + required : want_tpm2 == 'true') + have = tpm2.found() ++ have_esys3 = tpm2.version().version_compare('>= 3.0.0') + else + have = false ++ have_esys3 = false + tpm2 = [] + endif + conf.set10('HAVE_TPM2', have) ++conf.set10('HAVE_TSS2_ESYS3', have_esys3) + + want_elfutils = get_option('elfutils') + if want_elfutils != 'false' and not skip_deps +diff --git a/src/shared/tpm2-util.c b/src/shared/tpm2-util.c +index 4d0df944a9..8171b3e9e9 100644 +--- a/src/shared/tpm2-util.c ++++ b/src/shared/tpm2-util.c +@@ -1117,7 +1117,13 @@ static int tpm2_make_policy_session( + ESYS_TR_NONE, + NULL, + &pubkey_tpm2, ++#if HAVE_TSS2_ESYS3 ++ /* tpm2-tss >= 3.0.0 requires a ESYS_TR_RH_* constant specifying the requested ++ * hierarchy, older versions need TPM2_RH_* instead. */ ++ ESYS_TR_RH_OWNER, ++#else + TPM2_RH_OWNER, ++#endif + &pubkey_handle); + if (rc != TSS2_RC_SUCCESS) { + r = log_error_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE), diff --git a/SOURCES/0058-Handle-MACHINE_ID-uninitialized.patch b/SOURCES/0058-Handle-MACHINE_ID-uninitialized.patch new file mode 100644 index 0000000..4112cd2 --- /dev/null +++ b/SOURCES/0058-Handle-MACHINE_ID-uninitialized.patch @@ -0,0 +1,31 @@ +From 89adb54468aff192fccc9dce793e24d98b26d994 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Marcus=20Sch=C3=A4fer?= +Date: Wed, 16 Nov 2022 16:25:08 +0100 +Subject: [PATCH] Handle MACHINE_ID=uninitialized + +systemd supports /etc/machine-id to be set to: uninitialized +In this case the expectation is that systemd creates a new +machine ID and replaces the value 'uninitialized' with the +effective machine id. In the scope of kernel-install we +should also enforce the creation of a new machine id in this +condition + +(cherry picked from commit 305dd91adfde332e7e5c1b2470edb32774f9a032) + +Related: #2138081 +--- + src/kernel-install/kernel-install.in | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/kernel-install/kernel-install.in b/src/kernel-install/kernel-install.in +index bba22f8a20..fa2c0d5276 100755 +--- a/src/kernel-install/kernel-install.in ++++ b/src/kernel-install/kernel-install.in +@@ -160,6 +160,7 @@ if [ -z "$MACHINE_ID" ] && [ -f /etc/machine-info ]; then + fi + if [ -z "$MACHINE_ID" ] && [ -s /etc/machine-id ]; then + read -r MACHINE_ID +Date: Fri, 18 Nov 2022 06:03:41 +0000 +Subject: [PATCH] fuzz: fuzz-compress: fix copy-and-paste error: buf -> buf2 + (#25431) + +(cherry picked from commit f54f6d88b1235487eb7f0c634c488edc7813579a) + +Related: #2138081 +--- + src/fuzz/fuzz-compress.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/fuzz/fuzz-compress.c b/src/fuzz/fuzz-compress.c +index 712ab3ffa9..10956cc548 100644 +--- a/src/fuzz/fuzz-compress.c ++++ b/src/fuzz/fuzz-compress.c +@@ -55,7 +55,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { + + size_t sw_alloc = MAX(h->sw_alloc, 1u); + buf2 = malloc(sw_alloc); +- if (!buf) { ++ if (!buf2) { + log_oom(); + return 0; + } diff --git a/SOURCES/0060-boot-measure-fix-oom-check.patch b/SOURCES/0060-boot-measure-fix-oom-check.patch new file mode 100644 index 0000000..180638c --- /dev/null +++ b/SOURCES/0060-boot-measure-fix-oom-check.patch @@ -0,0 +1,25 @@ +From 944fa2afca2bd6bd4d1d5aecd265fd4756ee44e2 Mon Sep 17 00:00:00 2001 +From: Li kunyu +Date: Fri, 18 Nov 2022 16:10:24 +0900 +Subject: [PATCH] boot/measure: fix oom check + +(cherry picked from commit fc0cc6db1ecbaa16513125d3fd1a7d11e391a8ee) + +Related: #2138081 +--- + src/boot/measure.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/boot/measure.c b/src/boot/measure.c +index 4f16acedf0..0bbd386449 100644 +--- a/src/boot/measure.c ++++ b/src/boot/measure.c +@@ -897,7 +897,7 @@ static int verb_sign(int argc, char *argv[], void *userdata) { + } + + _cleanup_free_ void *sig = malloc(ss); +- if (!ss) { ++ if (!sig) { + r = log_oom(); + goto finish; + } diff --git a/SOURCES/0061-nspawn-allow-sched_rr_get_interval_time64-through-se.patch b/SOURCES/0061-nspawn-allow-sched_rr_get_interval_time64-through-se.patch new file mode 100644 index 0000000..ebc0641 --- /dev/null +++ b/SOURCES/0061-nspawn-allow-sched_rr_get_interval_time64-through-se.patch @@ -0,0 +1,57 @@ +From b2d259a82329e37b0f369e9951f19a067cb8bfb4 Mon Sep 17 00:00:00 2001 +From: Sam James +Date: Fri, 18 Nov 2022 07:18:18 +0000 +Subject: [PATCH] nspawn: allow sched_rr_get_interval_time64 through seccomp + filter + +We only allow a selected subset of syscalls from nspawn containers +and don't list any time64 variants (needed for 32-bit arches when +built using TIME_BITS=64, which is relatively new). + +We allow sched_rr_get_interval which cpython's test suite makes +use of, but we don't allow sched_rr_get_interval_time64. + +The test failures when run in an arm32 nspawn container on an arm64 host +were as follows: +``` +====================================================================== +ERROR: test_sched_rr_get_interval (test.test_posix.PosixTester.test_sched_rr_get_interval) +---------------------------------------------------------------------- +Traceback (most recent call last): + File "/var/tmp/portage/dev-lang/python-3.11.0_p1/work/Python-3.11.0/Lib/test/test_posix.py", line 1180, in test_sched_rr_get_interval + interval = posix.sched_rr_get_interval(0) + ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +PermissionError: [Errno 1] Operation not permitted +``` + +Then strace showed: +``` +sched_rr_get_interval_time64(0, 0xffbbd4a0) = -1 EPERM (Operation not permitted) +``` + +This appears to be the only time64 syscall that isn't already included one of +the sets listed in nspawn-seccomp.c that has a non-time64 variant. Checked +over each of the time64 syscalls known to systemd and verified that none +of the others had a non-time64-variant whitelisted in nspawn other than +sched_rr_get_interval. + +Bug: https://bugs.gentoo.org/880131 +(cherry picked from commit b9e7f22c2d80930cad36ae53e66e42a2996dca4a) + +Related: #2138081 +--- + src/nspawn/nspawn-seccomp.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/nspawn/nspawn-seccomp.c b/src/nspawn/nspawn-seccomp.c +index 77f4c2ac88..27044fadd2 100644 +--- a/src/nspawn/nspawn-seccomp.c ++++ b/src/nspawn/nspawn-seccomp.c +@@ -88,6 +88,7 @@ static int add_syscall_filters( + { 0, "sched_getparam" }, + { 0, "sched_getscheduler" }, + { 0, "sched_rr_get_interval" }, ++ { 0, "sched_rr_get_interval_time64" }, + { 0, "sched_yield" }, + { 0, "seccomp" }, + { 0, "sendfile" }, diff --git a/SOURCES/0062-resolved-use-right-conditionalization-when-setting-u.patch b/SOURCES/0062-resolved-use-right-conditionalization-when-setting-u.patch new file mode 100644 index 0000000..d0a3a96 --- /dev/null +++ b/SOURCES/0062-resolved-use-right-conditionalization-when-setting-u.patch @@ -0,0 +1,26 @@ +From 39974d2ee3b1e514e9d2cf25e4a11447d4dfee53 Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Fri, 18 Nov 2022 16:52:01 +0100 +Subject: [PATCH] resolved: use right conditionalization when setting unicast + ifindex on UDP sockets + +(cherry picked from commit 5faaed5b62d5ed88d8df2802c5ab4d3ab2eb755a) + +Related: #2138081 +--- + src/resolve/resolved-dns-scope.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/resolve/resolved-dns-scope.c b/src/resolve/resolved-dns-scope.c +index 852829569d..4f744499aa 100644 +--- a/src/resolve/resolved-dns-scope.c ++++ b/src/resolve/resolved-dns-scope.c +@@ -424,7 +424,7 @@ static int dns_scope_socket( + return r; + } + +- if (s->link) { ++ if (ifindex != 0) { + r = socket_set_unicast_if(fd, sa.sa.sa_family, ifindex); + if (r < 0) + return r; diff --git a/SOURCES/0063-resolved-when-configuring-127.0.0.1-as-per-interface.patch b/SOURCES/0063-resolved-when-configuring-127.0.0.1-as-per-interface.patch new file mode 100644 index 0000000..0d760ca --- /dev/null +++ b/SOURCES/0063-resolved-when-configuring-127.0.0.1-as-per-interface.patch @@ -0,0 +1,34 @@ +From d8d96bce62e8597b8d35bed1d9e9cb103336fd6b Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Fri, 18 Nov 2022 16:52:06 +0100 +Subject: [PATCH] resolved: when configuring 127.0.0.1 as per-interface DNS + server, contact it via "lo" always + +ussually if you specify a DNS server on some interface then we'll use +that interface to talk to it. Let's override this for localhost +addresses, as they only really make sense on "lo". + +Fixes: #25397 +(cherry picked from commit 6e32414a66ff8dbcef233981a7066684d903ee9f) + +Related: #2138081 +--- + src/resolve/resolved-dns-server.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/src/resolve/resolved-dns-server.c b/src/resolve/resolved-dns-server.c +index 04a4f53ed0..8ff513fa33 100644 +--- a/src/resolve/resolved-dns-server.c ++++ b/src/resolve/resolved-dns-server.c +@@ -648,6 +648,11 @@ int dns_server_adjust_opt(DnsServer *server, DnsPacket *packet, DnsServerFeature + int dns_server_ifindex(const DnsServer *s) { + assert(s); + ++ /* For loopback addresses, go via the loopback interface, regardless which interface this is linked ++ * to. */ ++ if (in_addr_is_localhost(s->family, &s->address)) ++ return LOOPBACK_IFINDEX; ++ + /* The link ifindex always takes precedence */ + if (s->link) + return s->link->ifindex; diff --git a/SOURCES/0064-manager-fix-format-strings-for-trigger-metadata.patch b/SOURCES/0064-manager-fix-format-strings-for-trigger-metadata.patch new file mode 100644 index 0000000..e62e697 --- /dev/null +++ b/SOURCES/0064-manager-fix-format-strings-for-trigger-metadata.patch @@ -0,0 +1,50 @@ +From bca4fe362cb2198f964d33c5a0fb27298d8e9ad8 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Mon, 21 Nov 2022 20:03:08 +0100 +Subject: [PATCH] manager: fix format strings for trigger metadata + +Fixup for c8bc7519c888a99134f88f8c82353246d3c0cc5d. + +(cherry picked from commit 6457ce15be84cf3c304d1ba47b89bacc2f60bf6e) + +Related: #2138081 +--- + src/core/timer.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/src/core/timer.c b/src/core/timer.c +index 8bd430b931..b6810c8599 100644 +--- a/src/core/timer.c ++++ b/src/core/timer.c +@@ -948,11 +948,11 @@ static int activation_details_timer_append_env(ActivationDetails *details, char + if (!dual_timestamp_is_set(&t->last_trigger)) + return 0; + +- r = strv_extendf(strv, "TRIGGER_TIMER_REALTIME_USEC=%" USEC_FMT, t->last_trigger.realtime); ++ r = strv_extendf(strv, "TRIGGER_TIMER_REALTIME_USEC=" USEC_FMT, t->last_trigger.realtime); + if (r < 0) + return r; + +- r = strv_extendf(strv, "TRIGGER_TIMER_MONOTONIC_USEC=%" USEC_FMT, t->last_trigger.monotonic); ++ r = strv_extendf(strv, "TRIGGER_TIMER_MONOTONIC_USEC=" USEC_FMT, t->last_trigger.monotonic); + if (r < 0) + return r; + +@@ -974,7 +974,7 @@ static int activation_details_timer_append_pair(ActivationDetails *details, char + if (r < 0) + return r; + +- r = strv_extendf(strv, "%" USEC_FMT, t->last_trigger.realtime); ++ r = strv_extendf(strv, USEC_FMT, t->last_trigger.realtime); + if (r < 0) + return r; + +@@ -982,7 +982,7 @@ static int activation_details_timer_append_pair(ActivationDetails *details, char + if (r < 0) + return r; + +- r = strv_extendf(strv, "%" USEC_FMT, t->last_trigger.monotonic); ++ r = strv_extendf(strv, USEC_FMT, t->last_trigger.monotonic); + if (r < 0) + return r; + diff --git a/SOURCES/0065-basic-strv-check-printf-arguments-to-strv_extendf.patch b/SOURCES/0065-basic-strv-check-printf-arguments-to-strv_extendf.patch new file mode 100644 index 0000000..ae7fdec --- /dev/null +++ b/SOURCES/0065-basic-strv-check-printf-arguments-to-strv_extendf.patch @@ -0,0 +1,30 @@ +From c103428e24f002e495412a5f9a0b919f4b92c2b7 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Mon, 21 Nov 2022 20:06:55 +0100 +Subject: [PATCH] basic/strv: check printf arguments to strv_extendf() + +The second argument to _printf_() specifies where the arguments start. We need to +use 0 in two cases: when the args in a va_list and can't be checked, and with journald +logging functions which accept multiple format strings with multiple argument sets, +which the _printf_ checker does not understand. But strv_extendf() can be checked. + +(cherry picked from commit 400102ec91aa3404848a04f49a43d49e1a181708) + +Related: #2138081 +--- + src/basic/strv.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/basic/strv.h b/src/basic/strv.h +index d6f5ac6ba5..6c9fa47943 100644 +--- a/src/basic/strv.h ++++ b/src/basic/strv.h +@@ -45,7 +45,7 @@ static inline int strv_extend(char ***l, const char *value) { + return strv_extend_with_size(l, NULL, value); + } + +-int strv_extendf(char ***l, const char *format, ...) _printf_(2,0); ++int strv_extendf(char ***l, const char *format, ...) _printf_(2,3); + int strv_extend_front(char ***l, const char *value); + + int strv_push_with_size(char ***l, size_t *n, char *value); diff --git a/SOURCES/0066-resolved-Fix-OpenSSL-error-messages.patch b/SOURCES/0066-resolved-Fix-OpenSSL-error-messages.patch new file mode 100644 index 0000000..2ea5e78 --- /dev/null +++ b/SOURCES/0066-resolved-Fix-OpenSSL-error-messages.patch @@ -0,0 +1,139 @@ +From 57bdd8a488d544282dcc71e6a23987ded71ac64d Mon Sep 17 00:00:00 2001 +From: Benjamin Fogle +Date: Thu, 17 Nov 2022 09:52:50 -0500 +Subject: [PATCH] resolved: Fix OpenSSL error messages + +(cherry picked from commit f4a49d1c58578cb8d759dc6266a23d1acabdc38f) + +Related: #2138081 +--- + src/resolve/resolved-dnstls-openssl.c | 65 +++++++++++---------------- + 1 file changed, 26 insertions(+), 39 deletions(-) + +diff --git a/src/resolve/resolved-dnstls-openssl.c b/src/resolve/resolved-dnstls-openssl.c +index 4d3a88c8da..4a0132ad3d 100644 +--- a/src/resolve/resolved-dnstls-openssl.c ++++ b/src/resolve/resolved-dnstls-openssl.c +@@ -14,6 +14,19 @@ + #include "resolved-dnstls.h" + #include "resolved-manager.h" + ++static char *dnstls_error_string(int ssl_error, char *buf, size_t count) { ++ assert(buf || count == 0); ++ if (ssl_error == SSL_ERROR_SSL) ++ ERR_error_string_n(ERR_get_error(), buf, count); ++ else ++ snprintf(buf, count, "SSL_get_error()=%d", ssl_error); ++ return buf; ++} ++ ++#define DNSTLS_ERROR_BUFSIZE 256 ++#define DNSTLS_ERROR_STRING(error) \ ++ dnstls_error_string((error), (char[DNSTLS_ERROR_BUFSIZE]){}, DNSTLS_ERROR_BUFSIZE) ++ + static int dnstls_flush_write_buffer(DnsStream *stream) { + ssize_t ss; + +@@ -97,26 +110,18 @@ int dnstls_stream_connect_tls(DnsStream *stream, DnsServer *server) { + + if (server->server_name) { + r = SSL_set_tlsext_host_name(s, server->server_name); +- if (r <= 0) { +- char errbuf[256]; +- +- error = ERR_get_error(); +- ERR_error_string_n(error, errbuf, sizeof(errbuf)); +- return log_debug_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to set server name: %s", errbuf); +- } ++ if (r <= 0) ++ return log_debug_errno(SYNTHETIC_ERRNO(EINVAL), ++ "Failed to set server name: %s", DNSTLS_ERROR_STRING(SSL_ERROR_SSL)); + } + + ERR_clear_error(); + stream->dnstls_data.handshake = SSL_do_handshake(s); + if (stream->dnstls_data.handshake <= 0) { + error = SSL_get_error(s, stream->dnstls_data.handshake); +- if (!IN_SET(error, SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE)) { +- char errbuf[256]; +- +- ERR_error_string_n(error, errbuf, sizeof(errbuf)); ++ if (!IN_SET(error, SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE)) + return log_debug_errno(SYNTHETIC_ERRNO(ECONNREFUSED), +- "Failed to invoke SSL_do_handshake: %s", errbuf); +- } ++ "Failed to invoke SSL_do_handshake: %s", DNSTLS_ERROR_STRING(error)); + } + + stream->encrypted = true; +@@ -177,12 +182,8 @@ int dnstls_stream_on_io(DnsStream *stream, uint32_t revents) { + } else if (error == SSL_ERROR_SYSCALL) { + if (errno > 0) + log_debug_errno(errno, "Failed to invoke SSL_shutdown, ignoring: %m"); +- } else { +- char errbuf[256]; +- +- ERR_error_string_n(error, errbuf, sizeof(errbuf)); +- log_debug("Failed to invoke SSL_shutdown, ignoring: %s", errbuf); +- } ++ } else ++ log_debug("Failed to invoke SSL_shutdown, ignoring: %s", DNSTLS_ERROR_STRING(error)); + } + + stream->dnstls_events = 0; +@@ -206,14 +207,10 @@ int dnstls_stream_on_io(DnsStream *stream, uint32_t revents) { + return r; + + return -EAGAIN; +- } else { +- char errbuf[256]; +- +- ERR_error_string_n(error, errbuf, sizeof(errbuf)); ++ } else + return log_debug_errno(SYNTHETIC_ERRNO(ECONNREFUSED), + "Failed to invoke SSL_do_handshake: %s", +- errbuf); +- } ++ DNSTLS_ERROR_STRING(error)); + } + + stream->dnstls_events = 0; +@@ -275,12 +272,8 @@ int dnstls_stream_shutdown(DnsStream *stream, int error) { + } else if (ssl_error == SSL_ERROR_SYSCALL) { + if (errno > 0) + log_debug_errno(errno, "Failed to invoke SSL_shutdown, ignoring: %m"); +- } else { +- char errbuf[256]; +- +- ERR_error_string_n(ssl_error, errbuf, sizeof(errbuf)); +- log_debug("Failed to invoke SSL_shutdown, ignoring: %s", errbuf); +- } ++ } else ++ log_debug("Failed to invoke SSL_shutdown, ignoring: %s", DNSTLS_ERROR_STRING(ssl_error)); + } + + stream->dnstls_events = 0; +@@ -307,10 +300,7 @@ static ssize_t dnstls_stream_write(DnsStream *stream, const char *buf, size_t co + stream->dnstls_events = 0; + ss = 0; + } else { +- char errbuf[256]; +- +- ERR_error_string_n(error, errbuf, sizeof(errbuf)); +- log_debug("Failed to invoke SSL_write: %s", errbuf); ++ log_debug("Failed to invoke SSL_write: %s", DNSTLS_ERROR_STRING(error)); + stream->dnstls_events = 0; + ss = -EPIPE; + } +@@ -375,10 +365,7 @@ ssize_t dnstls_stream_read(DnsStream *stream, void *buf, size_t count) { + stream->dnstls_events = 0; + ss = 0; + } else { +- char errbuf[256]; +- +- ERR_error_string_n(error, errbuf, sizeof(errbuf)); +- log_debug("Failed to invoke SSL_read: %s", errbuf); ++ log_debug("Failed to invoke SSL_read: %s", DNSTLS_ERROR_STRING(error)); + stream->dnstls_events = 0; + ss = -EPIPE; + } diff --git a/SOURCES/0067-network-wifi-try-to-reconfigure-when-connected.patch b/SOURCES/0067-network-wifi-try-to-reconfigure-when-connected.patch new file mode 100644 index 0000000..f585174 --- /dev/null +++ b/SOURCES/0067-network-wifi-try-to-reconfigure-when-connected.patch @@ -0,0 +1,70 @@ +From ff7e9a0e3bf9229b2ea55ac0e832358fe13b97b4 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Tue, 22 Nov 2022 14:24:32 +0900 +Subject: [PATCH] network: wifi: try to reconfigure when connected + +Sometimes, RTM_NEWLINK message with carrier is received earlier than +NL80211_CMD_CONNECT. To make SSID= or other WiFi related settings in +[Match] section work, let's try to reconfigure the interface. + +Fixes a bug introduced by 96f5f9ef9a1ba5146d3357c1548fb675d3bd5b68. + +Fixes #25384. + +(cherry picked from commit 8a4ad01a72481a6a7c0309064dd2dbd814818c94) + +Related: #2138081 +--- + src/network/networkd-link.c | 2 +- + src/network/networkd-link.h | 1 + + src/network/networkd-wifi.c | 12 ++++++++++++ + 3 files changed, 14 insertions(+), 1 deletion(-) + +diff --git a/src/network/networkd-link.c b/src/network/networkd-link.c +index 00e4e451ef..788c7957d3 100644 +--- a/src/network/networkd-link.c ++++ b/src/network/networkd-link.c +@@ -1178,7 +1178,7 @@ static int link_get_network(Link *link, Network **ret) { + return -ENOENT; + } + +-static int link_reconfigure_impl(Link *link, bool force) { ++int link_reconfigure_impl(Link *link, bool force) { + Network *network = NULL; + NetDev *netdev = NULL; + int r; +diff --git a/src/network/networkd-link.h b/src/network/networkd-link.h +index 9f1cdca312..65b0164106 100644 +--- a/src/network/networkd-link.h ++++ b/src/network/networkd-link.h +@@ -234,6 +234,7 @@ int link_stop_engines(Link *link, bool may_keep_dhcp); + const char* link_state_to_string(LinkState s) _const_; + LinkState link_state_from_string(const char *s) _pure_; + ++int link_reconfigure_impl(Link *link, bool force); + int link_reconfigure(Link *link, bool force); + int link_reconfigure_after_sleep(Link *link); + +diff --git a/src/network/networkd-wifi.c b/src/network/networkd-wifi.c +index 4bf798a9eb..62cbca0cf9 100644 +--- a/src/network/networkd-wifi.c ++++ b/src/network/networkd-wifi.c +@@ -269,6 +269,18 @@ int manager_genl_process_nl80211_mlme(sd_netlink *genl, sd_netlink_message *mess + if (link->wlan_iftype == NL80211_IFTYPE_STATION && link->ssid) + log_link_info(link, "Connected WiFi access point: %s (%s)", + link->ssid, ETHER_ADDR_TO_STR(&link->bssid)); ++ ++ /* Sometimes, RTM_NEWLINK message with carrier is received earlier than NL80211_CMD_CONNECT. ++ * To make SSID= or other WiFi related settings in [Match] section work, let's try to ++ * reconfigure the interface. */ ++ if (link->ssid && link_has_carrier(link)) { ++ r = link_reconfigure_impl(link, /* force = */ false); ++ if (r < 0) { ++ log_link_warning_errno(link, r, "Failed to reconfigure interface: %m"); ++ link_enter_failed(link); ++ return 0; ++ } ++ } + break; + } + case NL80211_CMD_DISCONNECT: diff --git a/SOURCES/0068-oomd-always-allow-root-owned-cgroups-to-set-ManagedO.patch b/SOURCES/0068-oomd-always-allow-root-owned-cgroups-to-set-ManagedO.patch new file mode 100644 index 0000000..0bd251e --- /dev/null +++ b/SOURCES/0068-oomd-always-allow-root-owned-cgroups-to-set-ManagedO.patch @@ -0,0 +1,38 @@ +From 6135d6239a40edb260dde80e5662d3e062dde0bd Mon Sep 17 00:00:00 2001 +From: Nick Rosbrook +Date: Tue, 22 Nov 2022 10:33:55 -0500 +Subject: [PATCH] oomd: always allow root-owned cgroups to set + ManagedOOMPreference + +Commit 652a4efb66a ("oomd: loosen the restriction on ManagedOOMPreference") +made the change to allow ManagedOOMPreference on a cgroup candidate when +the monitored cgroup and cgroup candidate are owned by the same user. + +The commit assumed that this check was sufficient to continue allowing +ManagedOOMPreference on all cgroups owned by root. However, it caused a +regression for unprivileged LXD containers where e.g. /sys/fs/cgroup is +owned by nobody (uid=65534). + +Fix this by explicitly allowing the ManagedOOMPreference if uid == 0 in +oomd_fetch_cgroup_oom_preference(). + +(cherry picked from commit 89186093485b52ca957d17842fc1f7c87958454a) + +Related: #2138081 +--- + src/oom/oomd-util.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/oom/oomd-util.c b/src/oom/oomd-util.c +index 1fc81d1843..70a1dc941e 100644 +--- a/src/oom/oomd-util.c ++++ b/src/oom/oomd-util.c +@@ -164,7 +164,7 @@ int oomd_fetch_cgroup_oom_preference(OomdCGroupContext *ctx, const char *prefix) + if (r < 0) + return log_debug_errno(r, "Failed to get owner/group from %s: %m", ctx->path); + +- if (uid == prefix_uid) { ++ if (uid == prefix_uid || uid == 0) { + /* Ignore most errors when reading the xattr since it is usually unset and cgroup xattrs are only used + * as an optional feature of systemd-oomd (and the system might not even support them). */ + r = cg_get_xattr_bool(SYSTEMD_CGROUP_CONTROLLER, ctx->path, "user.oomd_avoid"); diff --git a/SOURCES/0069-oomd-fix-unreachable-test-case-in-test-oomd-util.patch b/SOURCES/0069-oomd-fix-unreachable-test-case-in-test-oomd-util.patch new file mode 100644 index 0000000..addff9f --- /dev/null +++ b/SOURCES/0069-oomd-fix-unreachable-test-case-in-test-oomd-util.patch @@ -0,0 +1,36 @@ +From 7706a5f2d35c6192a557fe7a72f76ea4e2591daf Mon Sep 17 00:00:00 2001 +From: Nick Rosbrook +Date: Tue, 22 Nov 2022 11:30:03 -0500 +Subject: [PATCH] oomd: fix unreachable test case in test-oomd-util + +This conditional with !empty_or_root(ctx->path) always returns false +because the most recent oomd_cgroup_context_acquire() call was with the +root cgroup. Make sure this test case can be reached by checking cgroup +instead of ctx->path. + +While here, use an unused uid (61183) instead of the nobody uid so the +test case does not fail in unprivileged LXD containers. + +(cherry picked from commit f05bcc18941eef5c2f93cfa06660eb06e0dc4c55) + +Related: #2138081 +--- + src/oom/test-oomd-util.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/oom/test-oomd-util.c b/src/oom/test-oomd-util.c +index 176e3a8d69..faa75c5578 100644 +--- a/src/oom/test-oomd-util.c ++++ b/src/oom/test-oomd-util.c +@@ -475,9 +475,9 @@ static void test_oomd_fetch_cgroup_oom_preference(void) { + + /* Assert that avoid/omit are not set if the cgroup and prefix are not + * owned by the same user.*/ +- if (test_xattrs && !empty_or_root(ctx->path)) { ++ if (test_xattrs && !empty_or_root(cgroup)) { + ctx = oomd_cgroup_context_free(ctx); +- assert_se(cg_set_access(SYSTEMD_CGROUP_CONTROLLER, cgroup, 65534, 0) >= 0); ++ assert_se(cg_set_access(SYSTEMD_CGROUP_CONTROLLER, cgroup, 61183, 0) >= 0); + assert_se(oomd_cgroup_context_acquire(cgroup, &ctx) == 0); + + assert_se(oomd_fetch_cgroup_oom_preference(ctx, NULL) == 0); diff --git a/SOURCES/0070-portable-add-a-few-more-useful-debug-log-messages.patch b/SOURCES/0070-portable-add-a-few-more-useful-debug-log-messages.patch new file mode 100644 index 0000000..c3a9207 --- /dev/null +++ b/SOURCES/0070-portable-add-a-few-more-useful-debug-log-messages.patch @@ -0,0 +1,48 @@ +From e44e907f58d3c89e0de01e8ff4e25079f1ca505e Mon Sep 17 00:00:00 2001 +From: Luca Boccassi +Date: Wed, 23 Nov 2022 16:06:48 +0000 +Subject: [PATCH] portable: add a few more useful debug log messages + +When attaching and /etc/systemd/system.attached can't be created or used +(eg: dead symlink) the logs are pretty much useless as even at debug +level there's no indication of what is going wrong. +Add some debug logs, and return a more specific error string over D-Bus. + +(cherry picked from commit 80d95fcd6e1947a7887b96b22a32dbca115baac9) + +Related: #2138081 +--- + src/portable/portable.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/src/portable/portable.c b/src/portable/portable.c +index be906f786c..fbc4497014 100644 +--- a/src/portable/portable.c ++++ b/src/portable/portable.c +@@ -1131,7 +1131,7 @@ static int attach_unit_file( + (void) mkdir_parents(where, 0755); + if (mkdir(where, 0755) < 0) { + if (errno != EEXIST) +- return -errno; ++ return log_debug_errno(errno, "Failed to create attach directory %s: %m", where); + } else + (void) portable_changes_add(changes, n_changes, PORTABLE_MKDIR, where, NULL); + +@@ -1145,7 +1145,7 @@ static int attach_unit_file( + + if (mkdir(dropin_dir, 0755) < 0) { + if (errno != EEXIST) +- return -errno; ++ return log_debug_errno(errno, "Failed to create drop-in directory %s: %m", dropin_dir); + } else + (void) portable_changes_add(changes, n_changes, PORTABLE_MKDIR, dropin_dir, NULL); + +@@ -1392,7 +1392,7 @@ int portable_attach( + r = attach_unit_file(&paths, image->path, image->type, extension_images, + item, profile, flags, changes, n_changes); + if (r < 0) +- return r; ++ return sd_bus_error_set_errnof(error, r, "Failed to attach unit '%s': %m", item->name); + } + + /* We don't care too much for the image symlink, it's just a convenience thing, it's not necessary for proper diff --git a/SOURCES/0071-repart-respect-discard-no-also-for-block-devices.patch b/SOURCES/0071-repart-respect-discard-no-also-for-block-devices.patch new file mode 100644 index 0000000..57b016e --- /dev/null +++ b/SOURCES/0071-repart-respect-discard-no-also-for-block-devices.patch @@ -0,0 +1,43 @@ +From 44843b307d9acbe4f17b7af710cf66932667533a Mon Sep 17 00:00:00 2001 +From: Luca Boccassi +Date: Tue, 22 Nov 2022 16:24:54 +0000 +Subject: [PATCH] repart: respect --discard=no also for block devices + +It's only used to avoid BLKDISCARD on individual partitions at the moment. +It can take a lot of time to run on very slow devices, so avoid it for +them too. + +(cherry picked from commit 0dce448bbc97c861520c287b01d632b887442925) + +Related: #2138081 +--- + src/partition/repart.c | 16 +++++++++------- + 1 file changed, 9 insertions(+), 7 deletions(-) + +diff --git a/src/partition/repart.c b/src/partition/repart.c +index 8e3cfece89..c4ca9840c8 100644 +--- a/src/partition/repart.c ++++ b/src/partition/repart.c +@@ -4387,13 +4387,15 @@ static int context_write_partition_table( + + log_info("Wiped block device."); + +- r = context_discard_range(context, 0, context->total); +- if (r == -EOPNOTSUPP) +- log_info("Storage does not support discard, not discarding entire block device data."); +- else if (r < 0) +- return log_error_errno(r, "Failed to discard entire block device: %m"); +- else if (r > 0) +- log_info("Discarded entire block device."); ++ if (arg_discard) { ++ r = context_discard_range(context, 0, context->total); ++ if (r == -EOPNOTSUPP) ++ log_info("Storage does not support discard, not discarding entire block device data."); ++ else if (r < 0) ++ return log_error_errno(r, "Failed to discard entire block device: %m"); ++ else if (r > 0) ++ log_info("Discarded entire block device."); ++ } + } + + r = fdisk_get_partitions(context->fdisk_context, &original_table); diff --git a/SOURCES/0072-udev-make-sure-auto-root-logic-also-works-in-UKIs-bo.patch b/SOURCES/0072-udev-make-sure-auto-root-logic-also-works-in-UKIs-bo.patch new file mode 100644 index 0000000..9b50d61 --- /dev/null +++ b/SOURCES/0072-udev-make-sure-auto-root-logic-also-works-in-UKIs-bo.patch @@ -0,0 +1,92 @@ +From e3dfedee10cb0c348d748bf438c76e5c3623ad69 Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Mon, 21 Nov 2022 15:32:22 +0100 +Subject: [PATCH] udev: make sure auto-root logic also works in UKIs booted + from XBOOTLDR +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +If no root= switch is specified on the kernel command line we'll use the +root disk on which the partition the LoaderDevicePartUUID efi var is +located – as long as that partition is an ESP. Let's slightly liberalize +that and also allow it if that partition is an XBOOTLDR partition. This +ensures that UKIs spawned directly from XBOOTLDR work the same as those +from the ESP. + +(Note that this makes no difference if sd-boot is in the mix, as in that +case LoaderDevicePartUUID is always set to the ESP, as that's where +sd-boot is located, and sd-boot will set the var first, sd-stub will +only set it later if it#s not set yet.) + +(cherry picked from commit e4cb147a2e230a4a0b804c3e70f2692a5e2fd698) + +Related: #2138081 +--- + src/udev/udev-builtin-blkid.c | 27 +++++++++++++-------------- + 1 file changed, 13 insertions(+), 14 deletions(-) + +diff --git a/src/udev/udev-builtin-blkid.c b/src/udev/udev-builtin-blkid.c +index 92ea43eef0..9f5646ffdd 100644 +--- a/src/udev/udev-builtin-blkid.c ++++ b/src/udev/udev-builtin-blkid.c +@@ -120,14 +120,14 @@ static int find_gpt_root(sd_device *dev, blkid_probe pr, bool test) { + #if defined(SD_GPT_ROOT_NATIVE) && ENABLE_EFI + + _cleanup_free_ char *root_id = NULL, *root_label = NULL; +- bool found_esp = false; ++ bool found_esp_or_xbootldr = false; + int r; + + assert(pr); + +- /* Iterate through the partitions on this disk, and see if the +- * EFI ESP we booted from is on it. If so, find the first root +- * disk, and add a property indicating its partition UUID. */ ++ /* Iterate through the partitions on this disk, and see if the UEFI ESP or XBOOTLDR partition we ++ * booted from is on it. If so, find the first root disk, and add a property indicating its partition ++ * UUID. */ + + errno = 0; + blkid_partlist pl = blkid_probe_get_partitions(pr); +@@ -157,21 +157,20 @@ static int find_gpt_root(sd_device *dev, blkid_probe pr, bool test) { + if (sd_id128_from_string(stype, &type) < 0) + continue; + +- if (sd_id128_equal(type, SD_GPT_ESP)) { +- sd_id128_t id, esp; ++ if (sd_id128_in_set(type, SD_GPT_ESP, SD_GPT_XBOOTLDR)) { ++ sd_id128_t id, esp_or_xbootldr; + +- /* We found an ESP, let's see if it matches +- * the ESP we booted from. */ ++ /* We found an ESP or XBOOTLDR, let's see if it matches the ESP/XBOOTLDR we booted from. */ + + if (sd_id128_from_string(sid, &id) < 0) + continue; + +- r = efi_loader_get_device_part_uuid(&esp); ++ r = efi_loader_get_device_part_uuid(&esp_or_xbootldr); + if (r < 0) + return r; + +- if (sd_id128_equal(id, esp)) +- found_esp = true; ++ if (sd_id128_equal(id, esp_or_xbootldr)) ++ found_esp_or_xbootldr = true; + + } else if (sd_id128_equal(type, SD_GPT_ROOT_NATIVE)) { + unsigned long long flags; +@@ -195,9 +194,9 @@ static int find_gpt_root(sd_device *dev, blkid_probe pr, bool test) { + } + } + +- /* We found the ESP on this disk, and also found a root +- * partition, nice! Let's export its UUID */ +- if (found_esp && root_id) ++ /* We found the ESP/XBOOTLDR on this disk, and also found a root partition, nice! Let's export its ++ * UUID */ ++ if (found_esp_or_xbootldr && root_id) + udev_builtin_add_property(dev, test, "ID_PART_GPT_AUTO_ROOT_UUID", root_id); + #endif + diff --git a/SOURCES/0073-meson-install-test-kernel-install-only-when-Dkernel-.patch b/SOURCES/0073-meson-install-test-kernel-install-only-when-Dkernel-.patch new file mode 100644 index 0000000..4db4f55 --- /dev/null +++ b/SOURCES/0073-meson-install-test-kernel-install-only-when-Dkernel-.patch @@ -0,0 +1,32 @@ +From 812e979fe66e9c1a768fbcee3f568234fec2cded Mon Sep 17 00:00:00 2001 +From: Franck Bui +Date: Tue, 15 Nov 2022 09:04:42 +0100 +Subject: [PATCH] meson: install test-kernel-install only when + -Dkernel-install=true + +This patch fixes the following build failure: + + meson.build:3853:8: ERROR: Unknown variable "test_kernel_install_sh". + +Fixes #25432. + +(cherry picked from commit cc77a56532ddb59770e8312fc1b9954b0b135e72) + +Related: #2138081 +--- + meson.build | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/meson.build b/meson.build +index 015849af49..35704947e3 100644 +--- a/meson.build ++++ b/meson.build +@@ -3841,7 +3841,7 @@ exe = custom_target( + install_dir : bindir) + public_programs += exe + +-if want_tests != 'false' ++if want_tests != 'false' and want_kernel_install + test('test-kernel-install', + test_kernel_install_sh, + args : [exe.full_path(), loaderentry_install]) diff --git a/SOURCES/0074-boot-Silence-driver-reconnect-errors.patch b/SOURCES/0074-boot-Silence-driver-reconnect-errors.patch new file mode 100644 index 0000000..f9c0cf8 --- /dev/null +++ b/SOURCES/0074-boot-Silence-driver-reconnect-errors.patch @@ -0,0 +1,55 @@ +From 1dc423e2c194eec07a04b666533cd39e74eab6de Mon Sep 17 00:00:00 2001 +From: Jan Janssen +Date: Sat, 12 Nov 2022 16:24:53 +0100 +Subject: [PATCH] boot: Silence driver reconnect errors + +(cherry picked from commit 98ac5192d5feddae19f6f5ceb60aa3751a30676b) + +Related: #2138081 +--- + src/boot/efi/drivers.c | 28 +++++++++++++--------------- + 1 file changed, 13 insertions(+), 15 deletions(-) + +diff --git a/src/boot/efi/drivers.c b/src/boot/efi/drivers.c +index 39b65e74a6..7f2057f5a1 100644 +--- a/src/boot/efi/drivers.c ++++ b/src/boot/efi/drivers.c +@@ -51,25 +51,23 @@ static EFI_STATUS load_one_driver( + } + + EFI_STATUS reconnect_all_drivers(void) { +- _cleanup_free_ EFI_HANDLE *handles = NULL; +- UINTN n_handles = 0; +- EFI_STATUS err; ++ _cleanup_free_ EFI_HANDLE *handles = NULL; ++ size_t n_handles = 0; ++ EFI_STATUS err; + +- /* Reconnects all handles, so that any loaded drivers can take effect. */ ++ /* Reconnects all handles, so that any loaded drivers can take effect. */ + +- err = BS->LocateHandleBuffer(AllHandles, NULL, NULL, &n_handles, &handles); +- if (err != EFI_SUCCESS) +- return log_error_status_stall(err, L"Failed to get list of handles: %r", err); ++ err = BS->LocateHandleBuffer(AllHandles, NULL, NULL, &n_handles, &handles); ++ if (err != EFI_SUCCESS) ++ return log_error_status_stall(err, L"Failed to get list of handles: %r", err); + +- for (UINTN i = 0; i < n_handles; i++) { +- err = BS->ConnectController(handles[i], NULL, NULL, true); +- if (err == EFI_NOT_FOUND) /* No drivers for this handle */ +- continue; +- if (err != EFI_SUCCESS) +- log_error_status_stall(err, L"Failed to reconnect handle %" PRIuN L", ignoring: %r", i, err); +- } ++ for (size_t i = 0; i < n_handles; i++) ++ /* Some firmware gives us some bogus handles (or they might become bad due to ++ * reconnecting everything). Security policy may also prevent us from doing so too. ++ * There is nothing we can realistically do on errors anyways, so just ignore them. */ ++ (void) BS->ConnectController(handles[i], NULL, NULL, true); + +- return EFI_SUCCESS; ++ return EFI_SUCCESS; + } + + EFI_STATUS load_drivers( diff --git a/SOURCES/0075-dissect-image-do-not-try-to-close-invalid-fd.patch b/SOURCES/0075-dissect-image-do-not-try-to-close-invalid-fd.patch new file mode 100644 index 0000000..24613d1 --- /dev/null +++ b/SOURCES/0075-dissect-image-do-not-try-to-close-invalid-fd.patch @@ -0,0 +1,124 @@ +From c67164cf2c6aed29f70a98ef9050503e56aba952 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Sun, 13 Nov 2022 19:25:02 +0900 +Subject: [PATCH] dissect-image: do not try to close invalid fd + +Fixes a bug introduced by f7725647bb41c3398a867f139efe526efe8aa1b3. + +Hopefully fixes #25348. + +(cherry picked from commit 088377e0920a3785e7926f2ed382810836480ae6) + +Related: #2138081 +--- + src/shared/dissect-image.c | 58 +++++++++++++------------------------- + src/shared/dissect-image.h | 6 ++++ + 2 files changed, 26 insertions(+), 38 deletions(-) + +diff --git a/src/shared/dissect-image.c b/src/shared/dissect-image.c +index 2989d31d3c..6a991c877a 100644 +--- a/src/shared/dissect-image.c ++++ b/src/shared/dissect-image.c +@@ -1010,19 +1010,13 @@ static int dissect_image( + log_debug("No root partition found of the native architecture, falling back to a root " + "partition of the secondary architecture."); + +- m->partitions[PARTITION_ROOT] = m->partitions[PARTITION_ROOT_SECONDARY]; +- zero(m->partitions[PARTITION_ROOT_SECONDARY]); +- m->partitions[PARTITION_ROOT_VERITY] = m->partitions[PARTITION_ROOT_SECONDARY_VERITY]; +- zero(m->partitions[PARTITION_ROOT_SECONDARY_VERITY]); +- m->partitions[PARTITION_ROOT_VERITY_SIG] = m->partitions[PARTITION_ROOT_SECONDARY_VERITY_SIG]; +- zero(m->partitions[PARTITION_ROOT_SECONDARY_VERITY_SIG]); +- +- m->partitions[PARTITION_USR] = m->partitions[PARTITION_USR_SECONDARY]; +- zero(m->partitions[PARTITION_USR_SECONDARY]); +- m->partitions[PARTITION_USR_VERITY] = m->partitions[PARTITION_USR_SECONDARY_VERITY]; +- zero(m->partitions[PARTITION_USR_SECONDARY_VERITY]); +- m->partitions[PARTITION_USR_VERITY_SIG] = m->partitions[PARTITION_USR_SECONDARY_VERITY_SIG]; +- zero(m->partitions[PARTITION_USR_SECONDARY_VERITY_SIG]); ++ m->partitions[PARTITION_ROOT] = TAKE_PARTITION(m->partitions[PARTITION_ROOT_SECONDARY]); ++ m->partitions[PARTITION_ROOT_VERITY] = TAKE_PARTITION(m->partitions[PARTITION_ROOT_SECONDARY_VERITY]); ++ m->partitions[PARTITION_ROOT_VERITY_SIG] = TAKE_PARTITION(m->partitions[PARTITION_ROOT_SECONDARY_VERITY_SIG]); ++ ++ m->partitions[PARTITION_USR] = TAKE_PARTITION(m->partitions[PARTITION_USR_SECONDARY]); ++ m->partitions[PARTITION_USR_VERITY] = TAKE_PARTITION(m->partitions[PARTITION_USR_SECONDARY_VERITY]); ++ m->partitions[PARTITION_USR_VERITY_SIG] = TAKE_PARTITION(m->partitions[PARTITION_USR_SECONDARY_VERITY_SIG]); + + m->partitions[PARTITION_ROOT_OTHER].found = false; + m->partitions[PARTITION_ROOT_OTHER_VERITY].found = false; +@@ -1044,19 +1038,13 @@ static int dissect_image( + "falling back to a root partition of a non-native architecture (%s).", + architecture_to_string(m->partitions[PARTITION_ROOT_OTHER].architecture)); + +- m->partitions[PARTITION_ROOT] = m->partitions[PARTITION_ROOT_OTHER]; +- zero(m->partitions[PARTITION_ROOT_OTHER]); +- m->partitions[PARTITION_ROOT_VERITY] = m->partitions[PARTITION_ROOT_OTHER_VERITY]; +- zero(m->partitions[PARTITION_ROOT_OTHER_VERITY]); +- m->partitions[PARTITION_ROOT_VERITY_SIG] = m->partitions[PARTITION_ROOT_OTHER_VERITY_SIG]; +- zero(m->partitions[PARTITION_ROOT_OTHER_VERITY_SIG]); +- +- m->partitions[PARTITION_USR] = m->partitions[PARTITION_USR_OTHER]; +- zero(m->partitions[PARTITION_USR_OTHER]); +- m->partitions[PARTITION_USR_VERITY] = m->partitions[PARTITION_USR_OTHER_VERITY]; +- zero(m->partitions[PARTITION_USR_OTHER_VERITY]); +- m->partitions[PARTITION_USR_VERITY_SIG] = m->partitions[PARTITION_USR_OTHER_VERITY_SIG]; +- zero(m->partitions[PARTITION_USR_OTHER_VERITY_SIG]); ++ m->partitions[PARTITION_ROOT] = TAKE_PARTITION(m->partitions[PARTITION_ROOT_OTHER]); ++ m->partitions[PARTITION_ROOT_VERITY] = TAKE_PARTITION(m->partitions[PARTITION_ROOT_OTHER_VERITY]); ++ m->partitions[PARTITION_ROOT_VERITY_SIG] = TAKE_PARTITION(m->partitions[PARTITION_ROOT_OTHER_VERITY_SIG]); ++ ++ m->partitions[PARTITION_USR] = TAKE_PARTITION(m->partitions[PARTITION_USR_OTHER]); ++ m->partitions[PARTITION_USR_VERITY] = TAKE_PARTITION(m->partitions[PARTITION_USR_OTHER_VERITY]); ++ m->partitions[PARTITION_USR_VERITY_SIG] = TAKE_PARTITION(m->partitions[PARTITION_USR_OTHER_VERITY_SIG]); + } + + /* Hmm, we found a signature partition but no Verity data? Something is off. */ +@@ -1083,12 +1071,9 @@ static int dissect_image( + "partition of the secondary architecture."); + + /* Upgrade secondary arch to primary */ +- m->partitions[PARTITION_USR] = m->partitions[PARTITION_USR_SECONDARY]; +- zero(m->partitions[PARTITION_USR_SECONDARY]); +- m->partitions[PARTITION_USR_VERITY] = m->partitions[PARTITION_USR_SECONDARY_VERITY]; +- zero(m->partitions[PARTITION_USR_SECONDARY_VERITY]); +- m->partitions[PARTITION_USR_VERITY_SIG] = m->partitions[PARTITION_USR_SECONDARY_VERITY_SIG]; +- zero(m->partitions[PARTITION_USR_SECONDARY_VERITY_SIG]); ++ m->partitions[PARTITION_USR] = TAKE_PARTITION(m->partitions[PARTITION_USR_SECONDARY]); ++ m->partitions[PARTITION_USR_VERITY] = TAKE_PARTITION(m->partitions[PARTITION_USR_SECONDARY_VERITY]); ++ m->partitions[PARTITION_USR_VERITY_SIG] = TAKE_PARTITION(m->partitions[PARTITION_USR_SECONDARY_VERITY_SIG]); + + m->partitions[PARTITION_USR_OTHER].found = false; + m->partitions[PARTITION_USR_OTHER_VERITY].found = false; +@@ -1105,12 +1090,9 @@ static int dissect_image( + architecture_to_string(m->partitions[PARTITION_ROOT_OTHER].architecture)); + + /* Upgrade other arch to primary */ +- m->partitions[PARTITION_USR] = m->partitions[PARTITION_USR_OTHER]; +- zero(m->partitions[PARTITION_USR_OTHER]); +- m->partitions[PARTITION_USR_VERITY] = m->partitions[PARTITION_USR_OTHER_VERITY]; +- zero(m->partitions[PARTITION_USR_OTHER_VERITY]); +- m->partitions[PARTITION_USR_VERITY_SIG] = m->partitions[PARTITION_USR_OTHER_VERITY_SIG]; +- zero(m->partitions[PARTITION_USR_OTHER_VERITY_SIG]); ++ m->partitions[PARTITION_USR] = TAKE_PARTITION(m->partitions[PARTITION_USR_OTHER]); ++ m->partitions[PARTITION_USR_VERITY] = TAKE_PARTITION(m->partitions[PARTITION_USR_OTHER_VERITY]); ++ m->partitions[PARTITION_USR_VERITY_SIG] = TAKE_PARTITION(m->partitions[PARTITION_USR_OTHER_VERITY_SIG]); + } + + /* Hmm, we found a signature partition but no Verity data? Something is off. */ +diff --git a/src/shared/dissect-image.h b/src/shared/dissect-image.h +index 8007b544e7..f2278c4dfa 100644 +--- a/src/shared/dissect-image.h ++++ b/src/shared/dissect-image.h +@@ -40,6 +40,12 @@ struct DissectedPartition { + .architecture = _ARCHITECTURE_INVALID, \ + .mount_node_fd = -1, \ + }) ++#define TAKE_PARTITION(p) \ ++ ({ \ ++ DissectedPartition *_pp = &(p), _p = *_pp; \ ++ *_pp = DISSECTED_PARTITION_NULL; \ ++ _p; \ ++ }) + + typedef enum PartitionDesignator { + PARTITION_ROOT, diff --git a/SOURCES/0076-bootctl-make-boot-entry-id-logged-in-hex.patch b/SOURCES/0076-bootctl-make-boot-entry-id-logged-in-hex.patch new file mode 100644 index 0000000..9f93892 --- /dev/null +++ b/SOURCES/0076-bootctl-make-boot-entry-id-logged-in-hex.patch @@ -0,0 +1,33 @@ +From 29180c67635d3a6e4d5fd340ff9251724c803a65 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Sun, 13 Nov 2022 14:36:01 +0900 +Subject: [PATCH] bootctl: make boot entry id logged in hex + +To make consistent with the printed boot id below and other tools e.g. +efibootmgr. + +(cherry picked from commit a7dcb75c539dd5bb69b72e47c820fe79c794409a) + +Related: #2138081 +--- + src/boot/bootctl.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/boot/bootctl.c b/src/boot/bootctl.c +index b53df11764..64a4b74715 100644 +--- a/src/boot/bootctl.c ++++ b/src/boot/bootctl.c +@@ -586,11 +586,11 @@ static int print_efi_option(uint16_t id, int *n_printed, bool in_order) { + + r = efi_get_boot_option(id, &title, &partition, &path, &active); + if (r < 0) +- return log_error_errno(r, "Failed to read boot option %u: %m", id); ++ return log_error_errno(r, "Failed to read boot option 0x%04X: %m", id); + + /* print only configured entries with partition information */ + if (!path || sd_id128_is_null(partition)) { +- log_debug("Ignoring boot entry %u without partition information.", id); ++ log_debug("Ignoring boot entry 0x%04X without partition information.", id); + return 0; + } + diff --git a/SOURCES/0077-bootctl-downgrade-log-message-when-firmware-reports-.patch b/SOURCES/0077-bootctl-downgrade-log-message-when-firmware-reports-.patch new file mode 100644 index 0000000..ee2db0a --- /dev/null +++ b/SOURCES/0077-bootctl-downgrade-log-message-when-firmware-reports-.patch @@ -0,0 +1,28 @@ +From 6164408188766a31e778ec670239482db886d9be Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Sun, 13 Nov 2022 14:41:08 +0900 +Subject: [PATCH] bootctl: downgrade log message when firmware reports + non-existent or invalid boot entry + +Fixes #25359. + +(cherry picked from commit 78bfeeae508a554483de02b52aa2e5afdc341e1a) + +Related: #2138081 +--- + src/boot/bootctl.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/boot/bootctl.c b/src/boot/bootctl.c +index 64a4b74715..a5811adf20 100644 +--- a/src/boot/bootctl.c ++++ b/src/boot/bootctl.c +@@ -586,7 +586,7 @@ static int print_efi_option(uint16_t id, int *n_printed, bool in_order) { + + r = efi_get_boot_option(id, &title, &partition, &path, &active); + if (r < 0) +- return log_error_errno(r, "Failed to read boot option 0x%04X: %m", id); ++ return log_debug_errno(r, "Failed to read boot option 0x%04X: %m", id); + + /* print only configured entries with partition information */ + if (!path || sd_id128_is_null(partition)) { diff --git a/SOURCES/0078-bootctl-rework-how-we-handle-referenced-but-absent-E.patch b/SOURCES/0078-bootctl-rework-how-we-handle-referenced-but-absent-E.patch new file mode 100644 index 0000000..b4e5bcc --- /dev/null +++ b/SOURCES/0078-bootctl-rework-how-we-handle-referenced-but-absent-E.patch @@ -0,0 +1,37 @@ +From 23ede492fbea1bd1440d84cef6dd68bb46d2e5fb Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Fri, 18 Nov 2022 18:05:53 +0100 +Subject: [PATCH] bootctl: rework how we handle referenced but absent EFI boot + entries + +Follow-up for #25368. + +Let's consider ENOENT an expected error, and just debug log about it +(though, let's suffix it with `, ignoring.`). All other errors will log +loudly, as they are unexpected errors. + +(cherry picked from commit af1bed8e83c3d380d1eb0b9147684b76d1ee4df0) + +Related: #2138081 +--- + src/boot/bootctl.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/src/boot/bootctl.c b/src/boot/bootctl.c +index a5811adf20..7da48b4ca4 100644 +--- a/src/boot/bootctl.c ++++ b/src/boot/bootctl.c +@@ -585,8 +585,12 @@ static int print_efi_option(uint16_t id, int *n_printed, bool in_order) { + assert(n_printed); + + r = efi_get_boot_option(id, &title, &partition, &path, &active); ++ if (r == -ENOENT) { ++ log_debug_errno(r, "Boot option 0x%04X referenced but missing, ignoring: %m", id); ++ return 0; ++ } + if (r < 0) +- return log_debug_errno(r, "Failed to read boot option 0x%04X: %m", id); ++ return log_error_errno(r, "Failed to read boot option 0x%04X: %m", id); + + /* print only configured entries with partition information */ + if (!path || sd_id128_is_null(partition)) { diff --git a/SOURCES/0079-strv-Make-sure-strv_make_nulstr-always-returns-a-val.patch b/SOURCES/0079-strv-Make-sure-strv_make_nulstr-always-returns-a-val.patch new file mode 100644 index 0000000..259ca2d --- /dev/null +++ b/SOURCES/0079-strv-Make-sure-strv_make_nulstr-always-returns-a-val.patch @@ -0,0 +1,44 @@ +From c59555a86d3fcd2b8d644885134e19fe864251e5 Mon Sep 17 00:00:00 2001 +From: Daan De Meyer +Date: Fri, 11 Nov 2022 11:26:54 +0100 +Subject: [PATCH] strv: Make sure strv_make_nulstr() always returns a valid + nulstr + +strv_make_nulstr() is documented to always return a valid nulstr, +but if the input is `NULL` we return a string terminated with only +a single NUL terminator, so let's fix that and always terminate the +resulting string with two NUL bytes. + +(cherry picked from commit 5ea173a91b2093664a9ebb9add678edd6f5d1efd) + +Related: #2138081 +--- + src/basic/strv.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/src/basic/strv.c b/src/basic/strv.c +index eea34ca68d..24fc56a1a5 100644 +--- a/src/basic/strv.c ++++ b/src/basic/strv.c +@@ -721,7 +721,7 @@ int strv_make_nulstr(char * const *l, char **ret, size_t *ret_size) { + } + + if (!m) { +- m = new0(char, 1); ++ m = new0(char, 2); + if (!m) + return -ENOMEM; + n = 1; +@@ -730,11 +730,9 @@ int strv_make_nulstr(char * const *l, char **ret, size_t *ret_size) { + m[n] = '\0'; + + assert(n > 0); +- *ret = m; ++ *ret = TAKE_PTR(m); + *ret_size = n - 1; + +- m = NULL; +- + return 0; + } + diff --git a/SOURCES/0080-sd-bus-Use-goto-finish-instead-of-return-in-bus_add_.patch b/SOURCES/0080-sd-bus-Use-goto-finish-instead-of-return-in-bus_add_.patch new file mode 100644 index 0000000..bbe4900 --- /dev/null +++ b/SOURCES/0080-sd-bus-Use-goto-finish-instead-of-return-in-bus_add_.patch @@ -0,0 +1,28 @@ +From 7da1d4780b1dae16369fa5191832ec26d24a2ace Mon Sep 17 00:00:00 2001 +From: Daan De Meyer +Date: Fri, 11 Nov 2022 11:09:28 +0100 +Subject: [PATCH] sd-bus: Use goto finish instead of return in + bus_add_match_full + +Fixes #25340 + +(cherry picked from commit 0f3c342903d1a09577378912717539b530af1fcf) + +Related: #2138081 +--- + src/libsystemd/sd-bus/sd-bus.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/libsystemd/sd-bus/sd-bus.c b/src/libsystemd/sd-bus/sd-bus.c +index 3803a2c4c4..bc716afabf 100644 +--- a/src/libsystemd/sd-bus/sd-bus.c ++++ b/src/libsystemd/sd-bus/sd-bus.c +@@ -3529,7 +3529,7 @@ static int bus_add_match_full( + s); + + if (r < 0) +- return r; ++ goto finish; + + /* Make the slot of the match call floating now. We need the reference, but we don't + * want that this match pins the bus object, hence we first create it non-floating, but diff --git a/SOURCES/0081-find-esp-downgrade-and-ignore-error-on-retrieving-PA.patch b/SOURCES/0081-find-esp-downgrade-and-ignore-error-on-retrieving-PA.patch new file mode 100644 index 0000000..e2c3ae6 --- /dev/null +++ b/SOURCES/0081-find-esp-downgrade-and-ignore-error-on-retrieving-PA.patch @@ -0,0 +1,56 @@ +From 2edd56af85a0360df8bc49a6ee19e0f1051a2d68 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Fri, 11 Nov 2022 09:34:17 +0900 +Subject: [PATCH] find-esp: downgrade and ignore error on retrieving + PART_ENTRY_SCHEME when searching + +Fixes #25332. + +(cherry picked from commit 01f234c6f5672926d6cfe4fbfcdb48326ce06250) + +Related: #2138081 +--- + src/shared/find-esp.c | 14 ++++++++++---- + 1 file changed, 10 insertions(+), 4 deletions(-) + +diff --git a/src/shared/find-esp.c b/src/shared/find-esp.c +index dfe0574aba..aa0b02cc2f 100644 +--- a/src/shared/find-esp.c ++++ b/src/shared/find-esp.c +@@ -177,7 +177,9 @@ static int verify_esp_udev( + + r = sd_device_get_property_value(d, "ID_PART_ENTRY_SCHEME", &v); + if (r < 0) +- return log_error_errno(r, "Failed to get device property: %m"); ++ return log_full_errno(searching && r == -ENOENT ? LOG_DEBUG : LOG_ERR, ++ searching && r == -ENOENT ? SYNTHETIC_ERRNO(EADDRNOTAVAIL) : r, ++ "Failed to get device property: %m"); + if (!streq(v, "gpt")) + return log_full_errno(searching ? LOG_DEBUG : LOG_ERR, + SYNTHETIC_ERRNO(searching ? EADDRNOTAVAIL : ENODEV), +@@ -572,10 +574,11 @@ static int verify_xbootldr_blkid( + else if (r != 0) + return log_error_errno(errno ?: SYNTHETIC_ERRNO(EIO), "%s: Failed to probe file system: %m", node); + +- errno = 0; + r = blkid_probe_lookup_value(b, "PART_ENTRY_SCHEME", &type, NULL); + if (r != 0) +- return log_error_errno(errno ?: SYNTHETIC_ERRNO(EIO), "%s: Failed to probe PART_ENTRY_SCHEME: %m", node); ++ return log_full_errno(searching ? LOG_DEBUG : LOG_ERR, ++ searching ? SYNTHETIC_ERRNO(EADDRNOTAVAIL) : SYNTHETIC_ERRNO(EIO), ++ "%s: Failed to probe PART_ENTRY_SCHEME: %m", node); + if (streq(type, "gpt")) { + + errno = 0; +@@ -638,7 +641,10 @@ static int verify_xbootldr_udev( + + r = sd_device_get_property_value(d, "ID_PART_ENTRY_SCHEME", &type); + if (r < 0) +- return log_device_error_errno(d, r, "Failed to query ID_PART_ENTRY_SCHEME: %m"); ++ return log_device_full_errno(d, ++ searching && r == -ENOENT ? LOG_DEBUG : LOG_ERR, ++ searching && r == -ENOENT ? SYNTHETIC_ERRNO(EADDRNOTAVAIL) : r, ++ "Failed to query ID_PART_ENTRY_SCHEME: %m"); + + if (streq(type, "gpt")) { + diff --git a/SOURCES/0082-find-esp-include-device-sysname-in-the-log-message.patch b/SOURCES/0082-find-esp-include-device-sysname-in-the-log-message.patch new file mode 100644 index 0000000..70290cf --- /dev/null +++ b/SOURCES/0082-find-esp-include-device-sysname-in-the-log-message.patch @@ -0,0 +1,114 @@ +From 0f7bee592dfc80fd1a682a280399fdb493ea5e6d Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Sun, 13 Nov 2022 13:27:36 +0900 +Subject: [PATCH] find-esp: include device sysname in the log message + +(cherry picked from commit 388d14659d250545125f8e950e3abb6eb8682c61) + +Related: #2138081 +--- + src/shared/find-esp.c | 52 +++++++++++++++++++++++-------------------- + 1 file changed, 28 insertions(+), 24 deletions(-) + +diff --git a/src/shared/find-esp.c b/src/shared/find-esp.c +index aa0b02cc2f..fa234c8b5f 100644 +--- a/src/shared/find-esp.c ++++ b/src/shared/find-esp.c +@@ -165,61 +165,65 @@ static int verify_esp_udev( + + r = sd_device_get_devname(d, &node); + if (r < 0) +- return log_error_errno(r, "Failed to get device node: %m"); ++ return log_device_error_errno(d, r, "Failed to get device node: %m"); + + r = sd_device_get_property_value(d, "ID_FS_TYPE", &v); + if (r < 0) +- return log_error_errno(r, "Failed to get device property: %m"); ++ return log_device_error_errno(d, r, "Failed to get device property: %m"); + if (!streq(v, "vfat")) +- return log_full_errno(searching ? LOG_DEBUG : LOG_ERR, +- SYNTHETIC_ERRNO(searching ? EADDRNOTAVAIL : ENODEV), +- "File system \"%s\" is not FAT.", node ); ++ return log_device_full_errno(d, ++ searching ? LOG_DEBUG : LOG_ERR, ++ SYNTHETIC_ERRNO(searching ? EADDRNOTAVAIL : ENODEV), ++ "File system \"%s\" is not FAT.", node ); + + r = sd_device_get_property_value(d, "ID_PART_ENTRY_SCHEME", &v); + if (r < 0) +- return log_full_errno(searching && r == -ENOENT ? LOG_DEBUG : LOG_ERR, +- searching && r == -ENOENT ? SYNTHETIC_ERRNO(EADDRNOTAVAIL) : r, +- "Failed to get device property: %m"); ++ return log_device_full_errno(d, ++ searching && r == -ENOENT ? LOG_DEBUG : LOG_ERR, ++ searching && r == -ENOENT ? SYNTHETIC_ERRNO(EADDRNOTAVAIL) : r, ++ "Failed to get device property: %m"); + if (!streq(v, "gpt")) +- return log_full_errno(searching ? LOG_DEBUG : LOG_ERR, +- SYNTHETIC_ERRNO(searching ? EADDRNOTAVAIL : ENODEV), +- "File system \"%s\" is not on a GPT partition table.", node); ++ return log_device_full_errno(d, ++ searching ? LOG_DEBUG : LOG_ERR, ++ SYNTHETIC_ERRNO(searching ? EADDRNOTAVAIL : ENODEV), ++ "File system \"%s\" is not on a GPT partition table.", node); + + r = sd_device_get_property_value(d, "ID_PART_ENTRY_TYPE", &v); + if (r < 0) +- return log_error_errno(r, "Failed to get device property: %m"); ++ return log_device_error_errno(d, r, "Failed to get device property: %m"); + if (sd_id128_string_equal(v, SD_GPT_ESP) <= 0) +- return log_full_errno(searching ? LOG_DEBUG : LOG_ERR, +- SYNTHETIC_ERRNO(searching ? EADDRNOTAVAIL : ENODEV), +- "File system \"%s\" has wrong type for an EFI System Partition (ESP).", node); ++ return log_device_full_errno(d, ++ searching ? LOG_DEBUG : LOG_ERR, ++ SYNTHETIC_ERRNO(searching ? EADDRNOTAVAIL : ENODEV), ++ "File system \"%s\" has wrong type for an EFI System Partition (ESP).", node); + + r = sd_device_get_property_value(d, "ID_PART_ENTRY_UUID", &v); + if (r < 0) +- return log_error_errno(r, "Failed to get device property: %m"); ++ return log_device_error_errno(d, r, "Failed to get device property: %m"); + r = sd_id128_from_string(v, &uuid); + if (r < 0) +- return log_error_errno(r, "Partition \"%s\" has invalid UUID \"%s\".", node, v); ++ return log_device_error_errno(d, r, "Partition \"%s\" has invalid UUID \"%s\".", node, v); + + r = sd_device_get_property_value(d, "ID_PART_ENTRY_NUMBER", &v); + if (r < 0) +- return log_error_errno(r, "Failed to get device property: %m"); ++ return log_device_error_errno(d, r, "Failed to get device property: %m"); + r = safe_atou32(v, &part); + if (r < 0) +- return log_error_errno(r, "Failed to parse PART_ENTRY_NUMBER field."); ++ return log_device_error_errno(d, r, "Failed to parse PART_ENTRY_NUMBER field."); + + r = sd_device_get_property_value(d, "ID_PART_ENTRY_OFFSET", &v); + if (r < 0) +- return log_error_errno(r, "Failed to get device property: %m"); ++ return log_device_error_errno(d, r, "Failed to get device property: %m"); + r = safe_atou64(v, &pstart); + if (r < 0) +- return log_error_errno(r, "Failed to parse PART_ENTRY_OFFSET field."); ++ return log_device_error_errno(d, r, "Failed to parse PART_ENTRY_OFFSET field."); + + r = sd_device_get_property_value(d, "ID_PART_ENTRY_SIZE", &v); + if (r < 0) +- return log_error_errno(r, "Failed to get device property: %m"); ++ return log_device_error_errno(d, r, "Failed to get device property: %m"); + r = safe_atou64(v, &psize); + if (r < 0) +- return log_error_errno(r, "Failed to parse PART_ENTRY_SIZE field."); ++ return log_device_error_errno(d, r, "Failed to parse PART_ENTRY_SIZE field."); + + if (ret_part) + *ret_part = part; +@@ -637,7 +641,7 @@ static int verify_xbootldr_udev( + + r = sd_device_get_devname(d, &node); + if (r < 0) +- return log_error_errno(r, "Failed to get device node: %m"); ++ return log_device_error_errno(d, r, "Failed to get device node: %m"); + + r = sd_device_get_property_value(d, "ID_PART_ENTRY_SCHEME", &type); + if (r < 0) diff --git a/SOURCES/0083-tmpfiles-log-at-info-level-when-some-allowed-failure.patch b/SOURCES/0083-tmpfiles-log-at-info-level-when-some-allowed-failure.patch new file mode 100644 index 0000000..6a0e338 --- /dev/null +++ b/SOURCES/0083-tmpfiles-log-at-info-level-when-some-allowed-failure.patch @@ -0,0 +1,191 @@ +From 2f79547e8bbb5434a84c0b07c30fff63b351590c Mon Sep 17 00:00:00 2001 +From: Luca Boccassi +Date: Thu, 10 Nov 2022 15:47:19 +0000 +Subject: [PATCH] tmpfiles: log at info level when some allowed failures occur + +In provision.conf we ship: + +d- /root :0700 root :root - +d- /root/.ssh :0700 root :root - + +These are allowed to fail, for example on a read-only filesystem. But they still +log at error level, which is annoying and gets flagged. Tune those specific errors +down to info. + +There are likely more that could be tuned down, but the important thing is to cover +the tmpfiles.d that we ship right now. + +Before: + +$ echo -e "d- /root :0700 root :root - \nd- /root/.ssh :0700 root :root -" | SYSTEMD_LOG_LEVEL=err build/systemd-tmpfiles --root=/tmp/img --create - +Failed to create directory or subvolume "/tmp/img/root": Read-only file system +Failed to open path '/tmp/img/root': No such file or directory +$ + +After: + +$ echo -e "d- /root :0700 root :root - \nd- /root/.ssh :0700 root :root -" | SYSTEMD_LOG_LEVEL=err build/systemd-tmpfiles --root=/tmp/img --create - +$ + +(cherry picked from commit 244c2a8344c01e94cd9bdf835de998b89bc53179) + +Related: #2138081 +--- + src/tmpfiles/tmpfiles.c | 49 +++++++++++++++++++++++++++-------------- + 1 file changed, 33 insertions(+), 16 deletions(-) + +diff --git a/src/tmpfiles/tmpfiles.c b/src/tmpfiles/tmpfiles.c +index 784b895577..18bb75715b 100644 +--- a/src/tmpfiles/tmpfiles.c ++++ b/src/tmpfiles/tmpfiles.c +@@ -961,22 +961,34 @@ shortcut: + return label_fix_full(fd, /* inode_path= */ NULL, /* label_path= */ path, 0); + } + +-static int path_open_parent_safe(const char *path) { ++static int path_open_parent_safe(const char *path, bool allow_failure) { + _cleanup_free_ char *dn = NULL; + int r, fd; + + if (!path_is_normalized(path)) +- return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to open parent of '%s': path not normalized.", path); ++ return log_full_errno(allow_failure ? LOG_INFO : LOG_ERR, ++ SYNTHETIC_ERRNO(EINVAL), ++ "Failed to open parent of '%s': path not normalized%s.", ++ path, ++ allow_failure ? ", ignoring" : ""); + + r = path_extract_directory(path, &dn); + if (r < 0) +- return log_error_errno(r, "Unable to determine parent directory of '%s': %m", path); ++ return log_full_errno(allow_failure ? LOG_INFO : LOG_ERR, ++ r, ++ "Unable to determine parent directory of '%s'%s: %m", ++ path, ++ allow_failure ? ", ignoring" : ""); + +- r = chase_symlinks(dn, arg_root, CHASE_SAFE|CHASE_WARN, NULL, &fd); ++ r = chase_symlinks(dn, arg_root, allow_failure ? CHASE_SAFE : CHASE_SAFE|CHASE_WARN, NULL, &fd); + if (r == -ENOLINK) /* Unsafe symlink: already covered by CHASE_WARN */ + return r; + if (r < 0) +- return log_error_errno(r, "Failed to open path '%s': %m", dn); ++ return log_full_errno(allow_failure ? LOG_INFO : LOG_ERR, ++ r, ++ "Failed to open path '%s'%s: %m", ++ dn, ++ allow_failure ? ", ignoring" : ""); + + return fd; + } +@@ -1431,7 +1443,7 @@ static int write_one_file(Item *i, const char *path, CreationMode creation) { + + /* Validate the path and keep the fd on the directory for opening the file so we're sure that it + * can't be changed behind our back. */ +- dir_fd = path_open_parent_safe(path); ++ dir_fd = path_open_parent_safe(path, i->allow_failure); + if (dir_fd < 0) + return dir_fd; + +@@ -1481,7 +1493,7 @@ static int create_file(Item *i, const char *path) { + + /* Validate the path and keep the fd on the directory for opening the file so we're sure that it + * can't be changed behind our back. */ +- dir_fd = path_open_parent_safe(path); ++ dir_fd = path_open_parent_safe(path, i->allow_failure); + if (dir_fd < 0) + return dir_fd; + +@@ -1549,7 +1561,7 @@ static int truncate_file(Item *i, const char *path) { + + /* Validate the path and keep the fd on the directory for opening the file so we're sure that it + * can't be changed behind our back. */ +- dir_fd = path_open_parent_safe(path); ++ dir_fd = path_open_parent_safe(path, i->allow_failure); + if (dir_fd < 0) + return dir_fd; + +@@ -1628,7 +1640,7 @@ static int copy_files(Item *i) { + + /* Validate the path and use the returned directory fd for copying the target so we're sure that the + * path can't be changed behind our back. */ +- dfd = path_open_parent_safe(i->path); ++ dfd = path_open_parent_safe(i->path, i->allow_failure); + if (dfd < 0) + return dfd; + +@@ -1664,6 +1676,7 @@ static int create_directory_or_subvolume( + const char *path, + mode_t mode, + bool subvol, ++ bool allow_failure, + struct stat *ret_st, + CreationMode *ret_creation) { + +@@ -1679,7 +1692,7 @@ static int create_directory_or_subvolume( + if (r < 0) + return log_error_errno(r, "Failed to extract filename from path '%s': %m", path); + +- pfd = path_open_parent_safe(path); ++ pfd = path_open_parent_safe(path, allow_failure); + if (pfd < 0) + return pfd; + +@@ -1720,7 +1733,11 @@ static int create_directory_or_subvolume( + + /* Then look at the original error */ + if (r < 0) +- return log_error_errno(r, "Failed to create directory or subvolume \"%s\": %m", path); ++ return log_full_errno(allow_failure ? LOG_INFO : LOG_ERR, ++ r, ++ "Failed to create directory or subvolume \"%s\"%s: %m", ++ path, ++ allow_failure ? ", ignoring" : ""); + + return log_error_errno(errno, "Failed to open directory/subvolume we just created '%s': %m", path); + } +@@ -1748,7 +1765,7 @@ static int create_directory(Item *i, const char *path) { + assert(i); + assert(IN_SET(i->type, CREATE_DIRECTORY, TRUNCATE_DIRECTORY)); + +- fd = create_directory_or_subvolume(path, i->mode, /* subvol= */ false, &st, &creation); ++ fd = create_directory_or_subvolume(path, i->mode, /* subvol= */ false, i->allow_failure, &st, &creation); + if (fd == -EEXIST) + return 0; + if (fd < 0) +@@ -1766,7 +1783,7 @@ static int create_subvolume(Item *i, const char *path) { + assert(i); + assert(IN_SET(i->type, CREATE_SUBVOLUME, CREATE_SUBVOLUME_NEW_QUOTA, CREATE_SUBVOLUME_INHERIT_QUOTA)); + +- fd = create_directory_or_subvolume(path, i->mode, /* subvol = */ true, &st, &creation); ++ fd = create_directory_or_subvolume(path, i->mode, /* subvol = */ true, i->allow_failure, &st, &creation); + if (fd == -EEXIST) + return 0; + if (fd < 0) +@@ -1845,7 +1862,7 @@ static int create_device(Item *i, mode_t file_type) { + + /* Validate the path and use the returned directory fd for copying the target so we're sure that the + * path can't be changed behind our back. */ +- dfd = path_open_parent_safe(i->path); ++ dfd = path_open_parent_safe(i->path, i->allow_failure); + if (dfd < 0) + return dfd; + +@@ -1947,7 +1964,7 @@ static int create_fifo(Item *i) { + if (r == O_DIRECTORY) + return log_error_errno(SYNTHETIC_ERRNO(EISDIR), "Cannot open path '%s' for creating FIFO, is a directory.", i->path); + +- pfd = path_open_parent_safe(i->path); ++ pfd = path_open_parent_safe(i->path, i->allow_failure); + if (pfd < 0) + return pfd; + +@@ -2032,7 +2049,7 @@ static int create_symlink(Item *i) { + if (r == O_DIRECTORY) + return log_error_errno(SYNTHETIC_ERRNO(EISDIR), "Cannot open path '%s' for creating FIFO, is a directory.", i->path); + +- pfd = path_open_parent_safe(i->path); ++ pfd = path_open_parent_safe(i->path, i->allow_failure); + if (pfd < 0) + return pfd; + diff --git a/SOURCES/0084-fd-util-make-fd_in_set-and-thus-close_all_fds-handle.patch b/SOURCES/0084-fd-util-make-fd_in_set-and-thus-close_all_fds-handle.patch new file mode 100644 index 0000000..90ba257 --- /dev/null +++ b/SOURCES/0084-fd-util-make-fd_in_set-and-thus-close_all_fds-handle.patch @@ -0,0 +1,47 @@ +From 60fa029fe83af62f27bf833dc86c0aeeb76b412b Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Fri, 4 Nov 2022 18:19:29 +0100 +Subject: [PATCH] fd-util: make fd_in_set() (and thus close_all_fds()) handle + invalidated fds in the array + +let's handle gracefully if fds in the specified array are already +invalidated (i.e. negative). This is handy when putting together arrays +on the fly. + +(cherry picked from commit d11c14a9817f6561a30d96d8faea126a4c811af8) + +Related: #2138081 +--- + src/basic/fd-util.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/src/basic/fd-util.c b/src/basic/fd-util.c +index cee20a9a81..6ed04449bf 100644 +--- a/src/basic/fd-util.c ++++ b/src/basic/fd-util.c +@@ -177,9 +177,13 @@ int fd_cloexec(int fd, bool cloexec) { + _pure_ static bool fd_in_set(int fd, const int fdset[], size_t n_fdset) { + assert(n_fdset == 0 || fdset); + +- for (size_t i = 0; i < n_fdset; i++) ++ for (size_t i = 0; i < n_fdset; i++) { ++ if (fdset[i] < 0) ++ continue; ++ + if (fdset[i] == fd) + return true; ++ } + + return false; + } +@@ -252,6 +256,10 @@ static int close_all_fds_special_case(const int except[], size_t n_except) { + if (!have_close_range) + return 0; + ++ if (n_except == 1 && except[0] < 0) /* Minor optimization: if we only got one fd, and it's invalid, ++ * we got none */ ++ n_except = 0; ++ + switch (n_except) { + + case 0: diff --git a/SOURCES/0085-fd-util-add-new-fd_cloexec_many-helper.patch b/SOURCES/0085-fd-util-add-new-fd_cloexec_many-helper.patch new file mode 100644 index 0000000..f4fe208 --- /dev/null +++ b/SOURCES/0085-fd-util-add-new-fd_cloexec_many-helper.patch @@ -0,0 +1,55 @@ +From b9223cd76c73fa5cf3ed19a2238980047bf13826 Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Fri, 4 Nov 2022 18:20:19 +0100 +Subject: [PATCH] fd-util: add new fd_cloexec_many() helper + +(cherry picked from commit ed18c22c989495aab36512f03449222cfcf79aa7) + +Related: #2138081 +--- + src/basic/fd-util.c | 19 +++++++++++++++++++ + src/basic/fd-util.h | 1 + + 2 files changed, 20 insertions(+) + +diff --git a/src/basic/fd-util.c b/src/basic/fd-util.c +index 6ed04449bf..66bb7569bb 100644 +--- a/src/basic/fd-util.c ++++ b/src/basic/fd-util.c +@@ -174,6 +174,25 @@ int fd_cloexec(int fd, bool cloexec) { + return RET_NERRNO(fcntl(fd, F_SETFD, nflags)); + } + ++int fd_cloexec_many(const int fds[], size_t n_fds, bool cloexec) { ++ int ret = 0, r; ++ ++ assert(n_fds == 0 || fds); ++ ++ for (size_t i = 0; i < n_fds; i++) { ++ if (fds[i] < 0) /* Skip gracefully over already invalidated fds */ ++ continue; ++ ++ r = fd_cloexec(fds[i], cloexec); ++ if (r < 0 && ret >= 0) /* Continue going, but return first error */ ++ ret = r; ++ else ++ ret = 1; /* report if we did anything */ ++ } ++ ++ return ret; ++} ++ + _pure_ static bool fd_in_set(int fd, const int fdset[], size_t n_fdset) { + assert(n_fdset == 0 || fdset); + +diff --git a/src/basic/fd-util.h b/src/basic/fd-util.h +index d9896e27e8..29c7d86f27 100644 +--- a/src/basic/fd-util.h ++++ b/src/basic/fd-util.h +@@ -56,6 +56,7 @@ DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(DIR*, closedir, NULL); + + int fd_nonblock(int fd, bool nonblock); + int fd_cloexec(int fd, bool cloexec); ++int fd_cloexec_many(const int fds[], size_t n_fds, bool cloexec); + + int get_max_fd(void); + diff --git a/SOURCES/0086-process-util-add-new-FORK_CLOEXEC_OFF-flag-for-disab.patch b/SOURCES/0086-process-util-add-new-FORK_CLOEXEC_OFF-flag-for-disab.patch new file mode 100644 index 0000000..1a5a22f --- /dev/null +++ b/SOURCES/0086-process-util-add-new-FORK_CLOEXEC_OFF-flag-for-disab.patch @@ -0,0 +1,49 @@ +From 4fb6e9eddc7487a965b3e051115f9bb1d0413342 Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Fri, 4 Nov 2022 18:20:47 +0100 +Subject: [PATCH] process-util: add new FORK_CLOEXEC_OFF flag for disabling + O_CLOEXEC on remaining fds + +Often the fds that shall stay around in the child shall be passed +to a process over execve(), hence add an option to explicitly disable +O_CLOEXEC on them in the child. + +(cherry picked from commit 981cfbe046297a18f2cb115ef81202f3bd68d2a3) + +Related: #2138081 +--- + src/basic/process-util.c | 8 ++++++++ + src/basic/process-util.h | 1 + + 2 files changed, 9 insertions(+) + +diff --git a/src/basic/process-util.c b/src/basic/process-util.c +index fb0b38fa49..0213f5913f 100644 +--- a/src/basic/process-util.c ++++ b/src/basic/process-util.c +@@ -1372,6 +1372,14 @@ int safe_fork_full( + } + } + ++ if (flags & FORK_CLOEXEC_OFF) { ++ r = fd_cloexec_many(except_fds, n_except_fds, false); ++ if (r < 0) { ++ log_full_errno(prio, r, "Failed to turn off O_CLOEXEC on file descriptors: %m"); ++ _exit(EXIT_FAILURE); ++ } ++ } ++ + /* When we were asked to reopen the logs, do so again now */ + if (flags & FORK_REOPEN_LOG) { + log_open(); +diff --git a/src/basic/process-util.h b/src/basic/process-util.h +index f8c374a310..ed2f73673e 100644 +--- a/src/basic/process-util.h ++++ b/src/basic/process-util.h +@@ -150,6 +150,7 @@ typedef enum ForkFlags { + FORK_STDOUT_TO_STDERR = 1 << 11, /* Make stdout a copy of stderr */ + FORK_FLUSH_STDIO = 1 << 12, /* fflush() stdout (and stderr) before forking */ + FORK_NEW_USERNS = 1 << 13, /* Run child in its own user namespace */ ++ FORK_CLOEXEC_OFF = 1 << 14, /* In the child: turn off O_CLOEXEC on all fds in except_fds[] */ + } ForkFlags; + + int safe_fork_full(const char *name, const int except_fds[], size_t n_except_fds, ForkFlags flags, pid_t *ret_pid); diff --git a/SOURCES/0087-dissect-fix-fsck.patch b/SOURCES/0087-dissect-fix-fsck.patch new file mode 100644 index 0000000..40f9916 --- /dev/null +++ b/SOURCES/0087-dissect-fix-fsck.patch @@ -0,0 +1,71 @@ +From 7f0f2caa082e7490c160b2c992a094116474a95f Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Fri, 4 Nov 2022 18:26:42 +0100 +Subject: [PATCH] dissect: fix fsck + +Since f7725647bb41c3398a867f139efe526efe8aa1b3 when dissecting a disk +image we operate with fds to the device nodes in question wherever we +can. This includes when we fork off fsck, where we pass a /proc/self/fd/ +path as argument. This only works if we keep that fd open however and +disable O_CLOEXEC on the fd. Hence do so, and fix fsck this way. + +(Without this, all fsck will fail, since the fd path is invalid) + +(cherry picked from commit f8ab781223bcb0330ee4499b879a62e84fee313e) + +Related: #2138081 +--- + src/shared/dissect-image.c | 16 ++++++++++------ + 1 file changed, 10 insertions(+), 6 deletions(-) + +diff --git a/src/shared/dissect-image.c b/src/shared/dissect-image.c +index 6a991c877a..7676636723 100644 +--- a/src/shared/dissect-image.c ++++ b/src/shared/dissect-image.c +@@ -1309,11 +1309,11 @@ static int is_loop_device(const char *path) { + return true; + } + +-static int run_fsck(const char *node, const char *fstype) { ++static int run_fsck(int node_fd, const char *fstype) { + int r, exit_status; + pid_t pid; + +- assert(node); ++ assert(node_fd >= 0); + assert(fstype); + + r = fsck_exists_for_fstype(fstype); +@@ -1322,16 +1322,20 @@ static int run_fsck(const char *node, const char *fstype) { + return 0; + } + if (r == 0) { +- log_debug("Not checking partition %s, as fsck for %s does not exist.", node, fstype); ++ log_debug("Not checking partition %s, as fsck for %s does not exist.", FORMAT_PROC_FD_PATH(node_fd), fstype); + return 0; + } + +- r = safe_fork("(fsck)", FORK_RESET_SIGNALS|FORK_CLOSE_ALL_FDS|FORK_RLIMIT_NOFILE_SAFE|FORK_DEATHSIG|FORK_NULL_STDIO, &pid); ++ r = safe_fork_full( ++ "(fsck)", ++ &node_fd, 1, /* Leave the node fd open */ ++ FORK_RESET_SIGNALS|FORK_CLOSE_ALL_FDS|FORK_RLIMIT_NOFILE_SAFE|FORK_DEATHSIG|FORK_NULL_STDIO|FORK_CLOEXEC_OFF, ++ &pid); + if (r < 0) + return log_debug_errno(r, "Failed to fork off fsck: %m"); + if (r == 0) { + /* Child */ +- execl("/sbin/fsck", "/sbin/fsck", "-aT", node, NULL); ++ execl("/sbin/fsck", "/sbin/fsck", "-aT", FORMAT_PROC_FD_PATH(node_fd), NULL); + log_open(); + log_debug_errno(errno, "Failed to execl() fsck: %m"); + _exit(FSCK_OPERATIONAL_ERROR); +@@ -1421,7 +1425,7 @@ static int mount_partition( + rw = m->rw && !(flags & DISSECT_IMAGE_MOUNT_READ_ONLY); + + if (FLAGS_SET(flags, DISSECT_IMAGE_FSCK) && rw) { +- r = run_fsck(node, fstype); ++ r = run_fsck(m->mount_node_fd, fstype); + if (r < 0) + return r; + } diff --git a/SOURCES/0088-core-update-audit-messages.patch b/SOURCES/0088-core-update-audit-messages.patch new file mode 100644 index 0000000..ff52e58 --- /dev/null +++ b/SOURCES/0088-core-update-audit-messages.patch @@ -0,0 +1,31 @@ +From 0a191f8306b4439049fcac8eea206835c144215e Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= +Date: Fri, 4 Nov 2022 16:30:57 +0100 +Subject: [PATCH] core: update audit messages + +Pass getuid() instead of literal `0` as auid, since user session +managers also issue audit messages on SELinux denials. + +(cherry picked from commit c826b7ef3272157167a5c9d493e9672f00d84b98) + +Related: #2138081 +--- + src/core/selinux-access.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/core/selinux-access.c b/src/core/selinux-access.c +index c69baa8a1a..c1744cff92 100644 +--- a/src/core/selinux-access.c ++++ b/src/core/selinux-access.c +@@ -113,9 +113,9 @@ _printf_(2, 3) static int log_callback(int type, const char *fmt, ...) { + + if (r >= 0) { + if (type == SELINUX_AVC) +- audit_log_user_avc_message(get_audit_fd(), AUDIT_USER_AVC, buf, NULL, NULL, NULL, 0); ++ audit_log_user_avc_message(get_audit_fd(), AUDIT_USER_AVC, buf, NULL, NULL, NULL, getuid()); + else if (type == SELINUX_ERROR) +- audit_log_user_avc_message(get_audit_fd(), AUDIT_USER_SELINUX_ERR, buf, NULL, NULL, NULL, 0); ++ audit_log_user_avc_message(get_audit_fd(), AUDIT_USER_SELINUX_ERR, buf, NULL, NULL, NULL, getuid()); + + return 0; + } diff --git a/SOURCES/0089-logind-set-RemoveIPC-to-false-by-default.patch b/SOURCES/0089-logind-set-RemoveIPC-to-false-by-default.patch new file mode 100644 index 0000000..1f91c9f --- /dev/null +++ b/SOURCES/0089-logind-set-RemoveIPC-to-false-by-default.patch @@ -0,0 +1,53 @@ +From 49fab9715ce09b86652e9855555e4ab4fc185220 Mon Sep 17 00:00:00 2001 +From: rpm-build +Date: Wed, 1 Aug 2018 10:58:28 +0200 +Subject: [PATCH] logind: set RemoveIPC to false by default + +RHEL-only + +Related: #2138081 +--- + man/logind.conf.xml | 2 +- + src/login/logind-core.c | 2 +- + src/login/logind.conf.in | 2 +- + 3 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/man/logind.conf.xml b/man/logind.conf.xml +index 9682add08c..1a87cf6baf 100644 +--- a/man/logind.conf.xml ++++ b/man/logind.conf.xml +@@ -341,7 +341,7 @@ + user fully logs out. Takes a boolean argument. If enabled, the user may not consume IPC resources after the + last of the user's sessions terminated. This covers System V semaphores, shared memory and message queues, as + well as POSIX shared memory and message queues. Note that IPC objects of the root user and other system users +- are excluded from the effect of this setting. Defaults to yes. ++ are excluded from the effect of this setting. Defaults to no. + + + +diff --git a/src/login/logind-core.c b/src/login/logind-core.c +index 02adc81909..b5050c54c4 100644 +--- a/src/login/logind-core.c ++++ b/src/login/logind-core.c +@@ -34,7 +34,7 @@ void manager_reset_config(Manager *m) { + + m->n_autovts = 6; + m->reserve_vt = 6; +- m->remove_ipc = true; ++ m->remove_ipc = false; + m->inhibit_delay_max = 5 * USEC_PER_SEC; + m->user_stop_delay = 10 * USEC_PER_SEC; + +diff --git a/src/login/logind.conf.in b/src/login/logind.conf.in +index 0b10df6839..09c363817a 100644 +--- a/src/login/logind.conf.in ++++ b/src/login/logind.conf.in +@@ -43,7 +43,7 @@ + #IdleActionSec=30min + #RuntimeDirectorySize=10% + #RuntimeDirectoryInodesMax= +-#RemoveIPC=yes ++#RemoveIPC=no + #InhibitorsMax=8192 + #SessionsMax=8192 + #StopIdleSessionSec=infinity diff --git a/SOURCES/0090-tmpfiles-don-t-create-resolv.conf-stub-resolv.conf-s.patch b/SOURCES/0090-tmpfiles-don-t-create-resolv.conf-stub-resolv.conf-s.patch new file mode 100644 index 0000000..aa07282 --- /dev/null +++ b/SOURCES/0090-tmpfiles-don-t-create-resolv.conf-stub-resolv.conf-s.patch @@ -0,0 +1,43 @@ +From efe2c6703e3132dafaa29c1a7d3e3db4a683ed15 Mon Sep 17 00:00:00 2001 +From: Michal Sekletar +Date: Thu, 5 Aug 2021 17:11:47 +0200 +Subject: [PATCH] tmpfiles: don't create resolv.conf -> stub-resolv.conf + symlink + +RHEL-only + +Related: #2138081 +--- + tmpfiles.d/meson.build | 1 - + tmpfiles.d/systemd-resolve.conf | 10 ---------- + 2 files changed, 11 deletions(-) + delete mode 100644 tmpfiles.d/systemd-resolve.conf + +diff --git a/tmpfiles.d/meson.build b/tmpfiles.d/meson.build +index ca1abbf3fe..179c71d375 100644 +--- a/tmpfiles.d/meson.build ++++ b/tmpfiles.d/meson.build +@@ -10,7 +10,6 @@ files = [['README', ''], + ['systemd-nologin.conf', 'HAVE_PAM'], + ['systemd-nspawn.conf', 'ENABLE_MACHINED'], + ['systemd-pstore.conf', 'ENABLE_PSTORE'], +- ['systemd-resolve.conf', 'ENABLE_RESOLVE'], + ['systemd-tmp.conf', ''], + ['tmp.conf', ''], + ['x11.conf', ''], +diff --git a/tmpfiles.d/systemd-resolve.conf b/tmpfiles.d/systemd-resolve.conf +deleted file mode 100644 +index cb1c56d6a6..0000000000 +--- a/tmpfiles.d/systemd-resolve.conf ++++ /dev/null +@@ -1,10 +0,0 @@ +-# This file is part of systemd. +-# +-# systemd is free software; you can redistribute it and/or modify it +-# under the terms of the GNU Lesser General Public License as published by +-# the Free Software Foundation; either version 2.1 of the License, or +-# (at your option) any later version. +- +-# See tmpfiles.d(5) for details +- +-L! /etc/resolv.conf - - - - ../run/systemd/resolve/stub-resolv.conf diff --git a/SOURCES/0091-Copy-40-redhat.rules-from-RHEL-8.patch b/SOURCES/0091-Copy-40-redhat.rules-from-RHEL-8.patch new file mode 100644 index 0000000..5d4c145 --- /dev/null +++ b/SOURCES/0091-Copy-40-redhat.rules-from-RHEL-8.patch @@ -0,0 +1,80 @@ +From 6b5b5fefcb68cb53427747be4984531bdeddcf7e Mon Sep 17 00:00:00 2001 +From: David Tardon +Date: Fri, 2 Jul 2021 13:25:51 +0200 +Subject: [PATCH] Copy 40-redhat.rules from RHEL-8 + +RHEL-only + +Related: #2138081 +--- + rules.d/40-redhat.rules | 46 +++++++++++++++++++++++++++++++++++++++++ + rules.d/meson.build | 3 ++- + 2 files changed, 48 insertions(+), 1 deletion(-) + create mode 100644 rules.d/40-redhat.rules + +diff --git a/rules.d/40-redhat.rules b/rules.d/40-redhat.rules +new file mode 100644 +index 0000000000..3c95cd2df0 +--- /dev/null ++++ b/rules.d/40-redhat.rules +@@ -0,0 +1,46 @@ ++# do not edit this file, it will be overwritten on update ++ ++# CPU hotadd request ++SUBSYSTEM=="cpu", ACTION=="add", TEST=="online", ATTR{online}=="0", ATTR{online}="1" ++ ++# Memory hotadd request ++SUBSYSTEM!="memory", GOTO="memory_hotplug_end" ++ACTION!="add", GOTO="memory_hotplug_end" ++CONST{arch}=="s390*", GOTO="memory_hotplug_end" ++CONST{arch}=="ppc64*", GOTO="memory_hotplug_end" ++ ++ENV{.state}="online" ++CONST{virt}=="none", ENV{.state}="online_movable" ++ATTR{state}=="offline", ATTR{state}="$env{.state}" ++ ++LABEL="memory_hotplug_end" ++ ++# reload sysctl.conf / sysctl.conf.d settings when the bridge module is loaded ++ACTION=="add", SUBSYSTEM=="module", KERNEL=="bridge", RUN+="/usr/lib/systemd/systemd-sysctl --prefix=/proc/sys/net/bridge" ++ ++# load SCSI generic (sg) driver ++SUBSYSTEM=="scsi", ENV{DEVTYPE}=="scsi_device", TEST!="[module/sg]", RUN+="/sbin/modprobe -bv sg" ++SUBSYSTEM=="scsi", ENV{DEVTYPE}=="scsi_target", TEST!="[module/sg]", RUN+="/sbin/modprobe -bv sg" ++ ++# Rule for prandom character device node permissions ++KERNEL=="prandom", MODE="0644" ++ ++# Rules for creating the ID_PATH for SCSI devices based on the CCW bus ++# using the form: ccw--zfcp-: ++# ++ACTION=="remove", GOTO="zfcp_scsi_device_end" ++ ++# ++# Set environment variable "ID_ZFCP_BUS" to "1" if the devices ++# (both disk and partition) are SCSI devices based on FCP devices ++# ++KERNEL=="sd*", SUBSYSTEMS=="ccw", DRIVERS=="zfcp", ENV{.ID_ZFCP_BUS}="1" ++ ++# For SCSI disks ++KERNEL=="sd*[!0-9]", SUBSYSTEMS=="scsi", ENV{.ID_ZFCP_BUS}=="1", ENV{DEVTYPE}=="disk", SYMLINK+="disk/by-path/ccw-$attr{hba_id}-zfcp-$attr{wwpn}:$attr{fcp_lun}" ++ ++ ++# For partitions on a SCSI disk ++KERNEL=="sd*[0-9]", SUBSYSTEMS=="scsi", ENV{.ID_ZFCP_BUS}=="1", ENV{DEVTYPE}=="partition", SYMLINK+="disk/by-path/ccw-$attr{hba_id}-zfcp-$attr{wwpn}:$attr{fcp_lun}-part%n" ++ ++LABEL="zfcp_scsi_device_end" +diff --git a/rules.d/meson.build b/rules.d/meson.build +index 8d2878a36d..70f48e877b 100644 +--- a/rules.d/meson.build ++++ b/rules.d/meson.build +@@ -5,7 +5,8 @@ install_data( + install_dir : udevrulesdir) + + rules = [ +- [files('60-autosuspend.rules', ++ [files('40-redhat.rules', ++ '60-autosuspend.rules', + '60-block.rules', + '60-cdrom_id.rules', + '60-drm.rules', diff --git a/SOURCES/0092-Avoid-tmp-being-mounted-as-tmpfs-without-the-user-s-.patch b/SOURCES/0092-Avoid-tmp-being-mounted-as-tmpfs-without-the-user-s-.patch new file mode 100644 index 0000000..e510c2e --- /dev/null +++ b/SOURCES/0092-Avoid-tmp-being-mounted-as-tmpfs-without-the-user-s-.patch @@ -0,0 +1,45 @@ +From 711aca5f4820c2345489136cbbde7428d9f9da1b Mon Sep 17 00:00:00 2001 +From: Jan Synacek +Date: Tue, 15 May 2018 09:24:20 +0200 +Subject: [PATCH] Avoid /tmp being mounted as tmpfs without the user's will + +Ensure PrivateTmp doesn't require tmpfs through tmp.mount, but rather +adds an After relationship. + +RHEL-only + +Related: #2138081 +--- + src/core/unit.c | 7 +------ + units/basic.target | 3 ++- + 2 files changed, 3 insertions(+), 7 deletions(-) + +diff --git a/src/core/unit.c b/src/core/unit.c +index d08c73613b..1fad0b0ac8 100644 +--- a/src/core/unit.c ++++ b/src/core/unit.c +@@ -1301,12 +1301,7 @@ int unit_add_exec_dependencies(Unit *u, ExecContext *c) { + } + + if (c->private_tmp) { +- +- /* FIXME: for now we make a special case for /tmp and add a weak dependency on +- * tmp.mount so /tmp being masked is supported. However there's no reason to treat +- * /tmp specifically and masking other mount units should be handled more +- * gracefully too, see PR#16894. */ +- r = unit_add_two_dependencies_by_name(u, UNIT_AFTER, UNIT_WANTS, "tmp.mount", true, UNIT_DEPENDENCY_FILE); ++ r = unit_add_dependency_by_name(u, UNIT_AFTER, "tmp.mount", true, UNIT_DEPENDENCY_FILE); + if (r < 0) + return r; + +diff --git a/units/basic.target b/units/basic.target +index d8cdd5ac14..9eae0782a2 100644 +--- a/units/basic.target ++++ b/units/basic.target +@@ -19,4 +19,5 @@ After=sysinit.target sockets.target paths.target slices.target tmp.mount + # require /var and /var/tmp, but only add a Wants= type dependency on /tmp, as + # we support that unit being masked, and this should not be considered an error. + RequiresMountsFor=/var /var/tmp +-Wants=tmp.mount ++# RHEL-only: Disable /tmp on tmpfs. ++#Wants=tmp.mount diff --git a/SOURCES/0093-unit-don-t-add-Requires-for-tmp.mount.patch b/SOURCES/0093-unit-don-t-add-Requires-for-tmp.mount.patch new file mode 100644 index 0000000..2d28be0 --- /dev/null +++ b/SOURCES/0093-unit-don-t-add-Requires-for-tmp.mount.patch @@ -0,0 +1,38 @@ +From c5f1cc8f23dfe545c0d03eae88bbd91e8a1db226 Mon Sep 17 00:00:00 2001 +From: Lukas Nykryn +Date: Mon, 5 Sep 2016 12:47:09 +0200 +Subject: [PATCH] unit: don't add Requires for tmp.mount + +rhel-only +Related: #2138081 +--- + src/core/mount.c | 2 +- + src/core/unit.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/core/mount.c b/src/core/mount.c +index 5e8a6ead61..ba55f7dd86 100644 +--- a/src/core/mount.c ++++ b/src/core/mount.c +@@ -336,7 +336,7 @@ static int mount_add_mount_dependencies(Mount *m) { + if (r < 0) + return r; + +- if (UNIT(m)->fragment_path) { ++ if (UNIT(m)->fragment_path && !streq(UNIT(m)->id, "tmp.mount")) { + /* If we have fragment configuration, then make this dependency required */ + r = unit_add_dependency(other, UNIT_REQUIRES, UNIT(m), true, UNIT_DEPENDENCY_PATH); + if (r < 0) +diff --git a/src/core/unit.c b/src/core/unit.c +index 1fad0b0ac8..5af44aaf4a 100644 +--- a/src/core/unit.c ++++ b/src/core/unit.c +@@ -1541,7 +1541,7 @@ static int unit_add_mount_dependencies(Unit *u) { + return r; + changed = changed || r > 0; + +- if (m->fragment_path) { ++ if (m->fragment_path && !streq(m->id, "tmp.mount")) { + r = unit_add_dependency(u, UNIT_REQUIRES, m, true, di.origin_mask); + if (r < 0) + return r; diff --git a/SOURCES/0094-units-add-Install-section-to-tmp.mount.patch b/SOURCES/0094-units-add-Install-section-to-tmp.mount.patch new file mode 100644 index 0000000..e683e51 --- /dev/null +++ b/SOURCES/0094-units-add-Install-section-to-tmp.mount.patch @@ -0,0 +1,24 @@ +From 90aa9644404fa40e67a158a383cc81ec0d6ab0f5 Mon Sep 17 00:00:00 2001 +From: Jan Synacek +Date: Tue, 22 Jan 2019 10:28:42 +0100 +Subject: [PATCH] units: add [Install] section to tmp.mount + +RHEL-only + +Related: #2138081 +--- + units/tmp.mount | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/units/tmp.mount b/units/tmp.mount +index 734acea237..b9a41cd803 100644 +--- a/units/tmp.mount ++++ b/units/tmp.mount +@@ -23,3 +23,7 @@ What=tmpfs + Where=/tmp + Type=tmpfs + Options=mode=1777,strictatime,nosuid,nodev,size=50%%,nr_inodes=1m ++ ++# Make 'systemctl enable tmp.mount' work: ++[Install] ++WantedBy=local-fs.target diff --git a/SOURCES/0095-rc-local-order-after-network-online.target.patch b/SOURCES/0095-rc-local-order-after-network-online.target.patch new file mode 100644 index 0000000..6f23065 --- /dev/null +++ b/SOURCES/0095-rc-local-order-after-network-online.target.patch @@ -0,0 +1,29 @@ +From 6eb6434d8d203e19f5fb58d3d0ec561088b691e9 Mon Sep 17 00:00:00 2001 +From: David Tardon +Date: Thu, 11 Mar 2021 15:48:23 +0100 +Subject: [PATCH] rc-local: order after network-online.target + +I think this was the intent of commit 91b684c7300879a8d2006038f7d9185d92c3c3bf, +just network-online.target didn't exist back then. + +RHEL-only + +Related: #2138081 +--- + units/rc-local.service.in | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/units/rc-local.service.in b/units/rc-local.service.in +index 55e83dfe00..0eee722154 100644 +--- a/units/rc-local.service.in ++++ b/units/rc-local.service.in +@@ -13,7 +13,8 @@ + Description={{RC_LOCAL_PATH}} Compatibility + Documentation=man:systemd-rc-local-generator(8) + ConditionFileIsExecutable={{RC_LOCAL_PATH}} +-After=network.target ++After=network-online.target ++Wants=network-online.target + + [Service] + Type=forking diff --git a/SOURCES/0096-ci-drop-CIs-irrelevant-for-downstream.patch b/SOURCES/0096-ci-drop-CIs-irrelevant-for-downstream.patch new file mode 100644 index 0000000..b38ede8 --- /dev/null +++ b/SOURCES/0096-ci-drop-CIs-irrelevant-for-downstream.patch @@ -0,0 +1,303 @@ +From 36f9fb0c7e19bda07ce6de5f4b04f58a5da2f122 Mon Sep 17 00:00:00 2001 +From: Frantisek Sumsal +Date: Sun, 18 Apr 2021 20:46:06 +0200 +Subject: [PATCH] ci: drop CIs irrelevant for downstream + + * CIFuzz would need a separate project in oss-fuzz + * Coverity would also need a separate project + * the Labeler action is superfluous, since we already have a bot for + that + * mkosi testing on other distros is irrelevant for downstream RHEL + repo + +Related: #2138081 +rhel-only +--- + .github/labeler.yml | 40 --------------- + .github/workflows/cifuzz.yml | 62 ----------------------- + .github/workflows/coverity.yml | 30 ------------ + .github/workflows/labeler.yml | 24 --------- + .github/workflows/mkosi.yml | 90 ---------------------------------- + 5 files changed, 246 deletions(-) + delete mode 100644 .github/labeler.yml + delete mode 100644 .github/workflows/cifuzz.yml + delete mode 100644 .github/workflows/coverity.yml + delete mode 100644 .github/workflows/labeler.yml + delete mode 100644 .github/workflows/mkosi.yml + +diff --git a/.github/labeler.yml b/.github/labeler.yml +deleted file mode 100644 +index 7d128f42d6..0000000000 +--- a/.github/labeler.yml ++++ /dev/null +@@ -1,40 +0,0 @@ +-# SPDX-License-Identifier: LGPL-2.1-or-later +- +-hwdb: +- - hwdb.d/**/* +-units: +- - units/**/* +-documentation: +- - NEWS +- - docs/* +-network: +- - src/libsystemd-network/**/* +- - src/network/**/* +-udev: +- - src/udev/**/* +- - src/libudev/* +-selinux: +- - '**/*selinux*' +-apparmor: +- - '**/*apparmor*' +-meson: +- - meson_option.txt +-mkosi: +- - .mkosi/* +- - mkosi.build +-busctl: +- - src/busctl/* +-systemctl: +- - src/systemctl/* +-journal: +- - src/journal/* +-journal-remote: +- - src/journal-remote/* +-portable: +- - src/portable/**/* +-resolve: +- - src/resolve/* +-timedate: +- - src/timedate/* +-timesync: +- - src/timesync/* +diff --git a/.github/workflows/cifuzz.yml b/.github/workflows/cifuzz.yml +deleted file mode 100644 +index 25731abc5a..0000000000 +--- a/.github/workflows/cifuzz.yml ++++ /dev/null +@@ -1,62 +0,0 @@ +---- +-# vi: ts=2 sw=2 et: +-# SPDX-License-Identifier: LGPL-2.1-or-later +-# See: https://google.github.io/oss-fuzz/getting-started/continuous-integration/ +- +-name: CIFuzz +- +-permissions: +- contents: read +- +-on: +- pull_request: +- paths: +- - '**/meson.build' +- - '.github/workflows/**' +- - 'meson_options.txt' +- - 'src/**' +- - 'test/fuzz/**' +- - 'tools/oss-fuzz.sh' +- push: +- branches: +- - main +-jobs: +- Fuzzing: +- runs-on: ubuntu-latest +- if: github.repository == 'systemd/systemd' +- concurrency: +- group: ${{ github.workflow }}-${{ matrix.sanitizer }}-${{ matrix.architecture }}-${{ github.ref }} +- cancel-in-progress: true +- strategy: +- fail-fast: false +- matrix: +- sanitizer: [address, undefined, memory] +- architecture: [x86_64] +- include: +- - sanitizer: address +- architecture: i386 +- steps: +- - name: Build Fuzzers (${{ matrix.sanitizer }}) +- id: build +- uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master +- with: +- oss-fuzz-project-name: 'systemd' +- dry-run: false +- allowed-broken-targets-percentage: 0 +- # keep-unaffected-fuzz-targets should be removed once https://github.com/google/oss-fuzz/issues/7011 is fixed +- keep-unaffected-fuzz-targets: true +- sanitizer: ${{ matrix.sanitizer }} +- architecture: ${{ matrix.architecture }} +- - name: Run Fuzzers (${{ matrix.sanitizer }}) +- uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@master +- with: +- oss-fuzz-project-name: 'systemd' +- fuzz-seconds: 600 +- dry-run: false +- sanitizer: ${{ matrix.sanitizer }} +- - name: Upload Crash +- uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 +- if: failure() && steps.build.outcome == 'success' +- with: +- name: ${{ matrix.sanitizer }}-${{ matrix.architecture }}-artifacts +- path: ./out/artifacts +diff --git a/.github/workflows/coverity.yml b/.github/workflows/coverity.yml +deleted file mode 100644 +index 3fbebc6bbf..0000000000 +--- a/.github/workflows/coverity.yml ++++ /dev/null +@@ -1,30 +0,0 @@ +---- +-# vi: ts=2 sw=2 et: +-# SPDX-License-Identifier: LGPL-2.1-or-later +-# +-name: Coverity +- +-on: +- schedule: +- # Run Coverity daily at midnight +- - cron: '0 0 * * *' +- +-permissions: +- contents: read +- +-jobs: +- build: +- runs-on: ubuntu-22.04 +- if: github.repository == 'systemd/systemd' +- env: +- # Set in repo settings -> secrets -> actions +- COVERITY_SCAN_TOKEN: "${{ secrets.COVERITY_SCAN_TOKEN }}" +- COVERITY_SCAN_NOTIFICATION_EMAIL: "${{ secrets.COVERITY_SCAN_NOTIFICATION_EMAIL }}" +- steps: +- - name: Repository checkout +- uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b +- # Reuse the setup phase of the unit test script to avoid code duplication +- - name: Install build dependencies +- run: sudo -E .github/workflows/unit_tests.sh SETUP +- - name: Build & upload the results +- run: tools/coverity.sh +diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml +deleted file mode 100644 +index 35766df591..0000000000 +--- a/.github/workflows/labeler.yml ++++ /dev/null +@@ -1,24 +0,0 @@ +---- +-# vi: ts=2 sw=2 et: +-# SPDX-License-Identifier: LGPL-2.1-or-later +-# +-name: "Pull Request Labeler" +- +-on: +-- pull_request_target +- +-permissions: +- contents: read +- +-jobs: +- triage: +- if: github.event.repository.name != 'systemd-security' +- runs-on: ubuntu-latest +- permissions: +- pull-requests: write +- steps: +- - uses: actions/labeler@e54e5b338fbd6e6cdb5d60f51c22335fc57c401e +- with: +- repo-token: "${{ secrets.GITHUB_TOKEN }}" +- configuration-path: .github/labeler.yml +- sync-labels: "" # This is a workaround for issue 18671 +diff --git a/.github/workflows/mkosi.yml b/.github/workflows/mkosi.yml +deleted file mode 100644 +index 2a1163aa07..0000000000 +--- a/.github/workflows/mkosi.yml ++++ /dev/null +@@ -1,90 +0,0 @@ +---- +-# vi: ts=2 sw=2 et: +-# SPDX-License-Identifier: LGPL-2.1-or-later +-# Simple boot tests that build and boot the mkosi images generated by the mkosi config files in mkosi.default.d/. +-name: mkosi +- +-on: +- push: +- branches: +- - main +- - v[0-9]+-stable +- pull_request: +- branches: +- - main +- - v[0-9]+-stable +- +-permissions: +- contents: read +- +-env: +- # Enable debug logging in systemd, but keep udev's log level to info, +- # since it's _very_ verbose in the QEMU task +- # Disable the ISC DHCP servers, as they are failing in Ubuntu +- KERNEL_CMDLINE: "systemd.unit=mkosi-check-and-shutdown.service !quiet systemd.log_level=debug systemd.log_target=console udev.log_level=info systemd.default_standard_output=journal+console systemd.mask=isc-dhcp-server6.service systemd.mask=isc-dhcp-server.service" +- +-jobs: +- ci: +- runs-on: ubuntu-22.04 +- concurrency: +- group: ${{ github.workflow }}-${{ matrix.distro }}-${{ matrix.release }}-${{ github.ref }} +- cancel-in-progress: true +- strategy: +- fail-fast: false +- matrix: +- include: +- - distro: arch +- release: rolling +- - distro: debian +- release: testing +- - distro: ubuntu +- release: jammy +- - distro: fedora +- release: "37" +- - distro: fedora +- release: rawhide +- - distro: opensuse +- release: tumbleweed +- - distro: centos_epel +- release: 9-stream +- - distro: centos_epel +- release: 8-stream +- +- steps: +- - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b +- - uses: systemd/mkosi@792cbc60eb2dc4a58d66bb3c212bf92f8d50f6ea +- +- - name: Install +- run: sudo apt-get update && sudo apt-get install --no-install-recommends python3-pexpect python3-jinja2 +- +- - name: Configure +- run: | +- tee mkosi.default <<- EOF +- [Distribution] +- Distribution=${{ matrix.distro }} +- Release=${{ matrix.release }} +- +- [Content] +- Environment=CI_BUILD=1 +- +- [Output] +- KernelCommandLine=${{ env.KERNEL_CMDLINE }} +- EOF +- +- - name: Build ${{ matrix.distro }} +- run: sudo python3 -m mkosi build +- +- - name: Show ${{ matrix.distro }} image summary +- run: sudo python3 -m mkosi summary +- +- - name: Boot ${{ matrix.distro }} systemd-nspawn +- run: sudo python3 -m mkosi boot ${{ env.KERNEL_CMDLINE }} +- +- - name: Check ${{ matrix.distro }} systemd-nspawn +- run: sudo python3 -m mkosi shell bash -c "[[ -e /testok ]] || { cat /failed-services; exit 1; }" +- +- - name: Boot ${{ matrix.distro }} QEMU +- run: sudo timeout -k 30 10m python3 -m mkosi qemu +- +- - name: Check ${{ matrix.distro }} QEMU +- run: sudo python3 -m mkosi shell bash -c "[[ -e /testok ]] || { cat /failed-services; exit 1; }" diff --git a/SOURCES/0097-ci-reconfigure-Packit-for-RHEL-9.patch b/SOURCES/0097-ci-reconfigure-Packit-for-RHEL-9.patch new file mode 100644 index 0000000..be65372 --- /dev/null +++ b/SOURCES/0097-ci-reconfigure-Packit-for-RHEL-9.patch @@ -0,0 +1,44 @@ +From 16f2d0c4a25a717a9a0b49903a55db1263156055 Mon Sep 17 00:00:00 2001 +From: Frantisek Sumsal +Date: Wed, 9 Jun 2021 15:23:59 +0200 +Subject: [PATCH] ci: reconfigure Packit for RHEL 9 + +Related: #2138081 +rhel-only +--- + .packit.yml | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/.packit.yml b/.packit.yml +index a7502b25b4..d0eebab181 100644 +--- a/.packit.yml ++++ b/.packit.yml +@@ -17,14 +17,12 @@ srpm_build_deps: [] + + actions: + post-upstream-clone: +- # Use the Fedora Rawhide specfile +- - "git clone https://src.fedoraproject.org/rpms/systemd .packit_rpm --depth=1" ++ # Use the CentOS Stream specfile ++ - "git clone https://gitlab.com/redhat/centos-stream/rpms/systemd.git .packit_rpm --depth=1" + # Drop the "sources" file so rebase-helper doesn't think we're a dist-git + - "rm -fv .packit_rpm/sources" +- # Drop backported patches from the specfile, but keep the downstream-only ones +- # - Patch(0000-0499): backported patches from upstream +- # - Patch0500-9999: downstream-only patches +- - "sed -ri '/^Patch(0[0-4]?[0-9]{0,2})?\\:.+\\.patch/d' .packit_rpm/systemd.spec" ++ # Drop all patches, since they're already included in the tarball ++ - "sed -ri '/^Patch[0-9]+:/d' .packit_rpm/systemd.spec" + # Build the RPM with --werror. Even though --werror doesn't work in all + # cases (see [0]), we can't use -Dc_args=/-Dcpp_args= here because of the + # RPM hardening macros, that use $CFLAGS/$CPPFLAGS (see [1]). +@@ -33,7 +31,9 @@ actions: + # [1] https://github.com/systemd/systemd/pull/18908#issuecomment-792250110 + - 'sed -i "/^CONFIGURE_OPTS=(/a--werror" .packit_rpm/systemd.spec' + ++# Available targets can be listed via `copr-cli list-chroots` + jobs: ++# Build test + - job: copr_build + trigger: pull_request + metadata: diff --git a/SOURCES/0098-ci-run-unit-tests-on-z-stream-branches-as-well.patch b/SOURCES/0098-ci-run-unit-tests-on-z-stream-branches-as-well.patch new file mode 100644 index 0000000..9d894c3 --- /dev/null +++ b/SOURCES/0098-ci-run-unit-tests-on-z-stream-branches-as-well.patch @@ -0,0 +1,28 @@ +From 9fd32478c32d9a96b62b992586b201cd4f509bc5 Mon Sep 17 00:00:00 2001 +From: Frantisek Sumsal +Date: Thu, 15 Jul 2021 12:23:27 +0200 +Subject: [PATCH] ci: run unit tests on z-stream branches as well + +Related: #2138081 +rhel-only +--- + .github/workflows/unit_tests.yml | 6 +----- + 1 file changed, 1 insertion(+), 5 deletions(-) + +diff --git a/.github/workflows/unit_tests.yml b/.github/workflows/unit_tests.yml +index cd6c33eb64..ca4464e95d 100644 +--- a/.github/workflows/unit_tests.yml ++++ b/.github/workflows/unit_tests.yml +@@ -3,11 +3,7 @@ + # SPDX-License-Identifier: LGPL-2.1-or-later + # + name: Unit tests +-on: +- pull_request: +- branches: +- - main +- - v[0-9]+-stable ++on: [pull_request] + + permissions: + contents: read diff --git a/SOURCES/0099-random-util-increase-random-seed-size-to-1024.patch b/SOURCES/0099-random-util-increase-random-seed-size-to-1024.patch new file mode 100644 index 0000000..6e90ff7 --- /dev/null +++ b/SOURCES/0099-random-util-increase-random-seed-size-to-1024.patch @@ -0,0 +1,25 @@ +From 216f6490af452a774ef882319083858248248da8 Mon Sep 17 00:00:00 2001 +From: David Tardon +Date: Thu, 15 Jul 2021 11:15:17 +0200 +Subject: [PATCH] random-util: increase random seed size to 1024 + +RHEL-only + +Related: #2138081 +--- + src/basic/random-util.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/basic/random-util.h b/src/basic/random-util.h +index 2d99807272..7e6f66df4d 100644 +--- a/src/basic/random-util.h ++++ b/src/basic/random-util.h +@@ -21,7 +21,7 @@ static inline uint32_t random_u32(void) { + } + + /* Some limits on the pool sizes when we deal with the kernel random pool */ +-#define RANDOM_POOL_SIZE_MIN 32U ++#define RANDOM_POOL_SIZE_MIN 1024U + #define RANDOM_POOL_SIZE_MAX (10U*1024U*1024U) + + size_t random_pool_size(void); diff --git a/SOURCES/0100-journal-don-t-enable-systemd-journald-audit.socket-b.patch b/SOURCES/0100-journal-don-t-enable-systemd-journald-audit.socket-b.patch new file mode 100644 index 0000000..19e8b1d --- /dev/null +++ b/SOURCES/0100-journal-don-t-enable-systemd-journald-audit.socket-b.patch @@ -0,0 +1,41 @@ +From 44740b947ed0b34ed9848dae276ec1d448340ce9 Mon Sep 17 00:00:00 2001 +From: Jan Synacek +Date: Thu, 2 May 2019 14:11:54 +0200 +Subject: [PATCH] journal: don't enable systemd-journald-audit.socket by + default + +RHEL-only + +Related: #2138081 +--- + units/meson.build | 3 +-- + units/systemd-journald.service.in | 2 +- + 2 files changed, 2 insertions(+), 3 deletions(-) + +diff --git a/units/meson.build b/units/meson.build +index 25e9209b4d..b224701eb9 100644 +--- a/units/meson.build ++++ b/units/meson.build +@@ -123,8 +123,7 @@ units = [ + 'sysinit.target.wants/'], + ['systemd-journal-gatewayd.socket', 'ENABLE_REMOTE HAVE_MICROHTTPD'], + ['systemd-journal-remote.socket', 'ENABLE_REMOTE HAVE_MICROHTTPD'], +- ['systemd-journald-audit.socket', '', +- 'sockets.target.wants/'], ++ ['systemd-journald-audit.socket', ''], + ['systemd-journald-dev-log.socket', '', + 'sockets.target.wants/'], + ['systemd-journald.socket', '', +diff --git a/units/systemd-journald.service.in b/units/systemd-journald.service.in +index 38ba3e2856..e8be031de5 100644 +--- a/units/systemd-journald.service.in ++++ b/units/systemd-journald.service.in +@@ -12,7 +12,7 @@ Description=Journal Service + Documentation=man:systemd-journald.service(8) man:journald.conf(5) + DefaultDependencies=no + Requires=systemd-journald.socket +-After=systemd-journald.socket systemd-journald-dev-log.socket systemd-journald-audit.socket syslog.socket ++After=systemd-journald.socket systemd-journald-dev-log.socket syslog.socket + Before=sysinit.target + + # Mount and swap units need the journal socket units. If they were removed by diff --git a/SOURCES/0101-journald.conf-don-t-touch-current-audit-settings.patch b/SOURCES/0101-journald.conf-don-t-touch-current-audit-settings.patch new file mode 100644 index 0000000..d939bc2 --- /dev/null +++ b/SOURCES/0101-journald.conf-don-t-touch-current-audit-settings.patch @@ -0,0 +1,22 @@ +From 5222b89ef6f281f0a4eb55589d2d62e8e2b6352b Mon Sep 17 00:00:00 2001 +From: David Tardon +Date: Thu, 5 Aug 2021 15:26:13 +0200 +Subject: [PATCH] journald.conf: don't touch current audit settings + +RHEL-only + +Related: #2138081 +--- + src/journal/journald.conf | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/journal/journald.conf b/src/journal/journald.conf +index 5a60a9d39c..3544da2112 100644 +--- a/src/journal/journald.conf ++++ b/src/journal/journald.conf +@@ -44,4 +44,4 @@ + #MaxLevelWall=emerg + #LineMax=48K + #ReadKMsg=yes +-#Audit=yes ++Audit= diff --git a/SOURCES/0102-Revert-udev-remove-WAIT_FOR-key.patch b/SOURCES/0102-Revert-udev-remove-WAIT_FOR-key.patch new file mode 100644 index 0000000..56a2dbb --- /dev/null +++ b/SOURCES/0102-Revert-udev-remove-WAIT_FOR-key.patch @@ -0,0 +1,137 @@ +From ddaf24341a512a9891226e85c13d51d7e2cfcb01 Mon Sep 17 00:00:00 2001 +From: David Tardon +Date: Tue, 10 Aug 2021 14:46:16 +0200 +Subject: [PATCH] Revert "udev: remove WAIT_FOR key" + +This reverts commit f2b8052fb648b788936dd3e85be6a9aca90fbb2f. + +RHEL-only + +Related: #2138081 +--- + man/udev.xml | 9 +++++++ + src/udev/udev-rules.c | 56 +++++++++++++++++++++++++++++++++++++++ + test/rule-syntax-check.py | 2 +- + 3 files changed, 66 insertions(+), 1 deletion(-) + +diff --git a/man/udev.xml b/man/udev.xml +index 142f295f3e..5b096c7ef2 100644 +--- a/man/udev.xml ++++ b/man/udev.xml +@@ -592,6 +592,15 @@ + + + ++ ++ WAIT_FOR ++ ++ Wait for a file to become available or until a timeout of ++ 10 seconds expires. The path is relative to the sysfs device; ++ if no path is specified, this waits for an attribute to appear. ++ ++ ++ + + OPTIONS + +diff --git a/src/udev/udev-rules.c b/src/udev/udev-rules.c +index f44a174d1f..a8473041c3 100644 +--- a/src/udev/udev-rules.c ++++ b/src/udev/udev-rules.c +@@ -79,6 +79,7 @@ typedef enum { + TK_M_TAG, /* strv, sd_device_get_tag_first(), sd_device_get_tag_next() */ + TK_M_SUBSYSTEM, /* string, sd_device_get_subsystem() */ + TK_M_DRIVER, /* string, sd_device_get_driver() */ ++ TK_M_WAITFOR, + TK_M_ATTR, /* string, takes filename through attribute, sd_device_get_sysattr_value(), udev_resolve_subsys_kernel(), etc. */ + TK_M_SYSCTL, /* string, takes kernel parameter through attribute */ + +@@ -411,6 +412,47 @@ static void rule_line_append_token(UdevRuleLine *rule_line, UdevRuleToken *token + rule_line->current_token = token; + } + ++#define WAIT_LOOP_PER_SECOND 50 ++static int wait_for_file(sd_device *dev, const char *file, int timeout) { ++ char filepath[UDEV_PATH_SIZE]; ++ char devicepath[UDEV_PATH_SIZE]; ++ struct stat stats; ++ int loop = timeout * WAIT_LOOP_PER_SECOND; ++ ++ /* a relative path is a device attribute */ ++ devicepath[0] = '\0'; ++ if (file[0] != '/') { ++ const char *val; ++ int r; ++ ++ r = sd_device_get_syspath(dev, &val); ++ if (r < 0) ++ return r; ++ strscpyl(devicepath, sizeof(devicepath), val, NULL); ++ strscpyl(filepath, sizeof(filepath), devicepath, "/", file, NULL); ++ file = filepath; ++ } ++ ++ while (--loop) { ++ const struct timespec duration = { 0, 1000 * 1000 * 1000 / WAIT_LOOP_PER_SECOND }; ++ ++ /* lookup file */ ++ if (stat(file, &stats) == 0) { ++ log_debug("file '%s' appeared after %i loops", file, (timeout * WAIT_LOOP_PER_SECOND) - loop-1); ++ return 0; ++ } ++ /* make sure, the device did not disappear in the meantime */ ++ if (devicepath[0] != '\0' && stat(devicepath, &stats) != 0) { ++ log_debug("device disappeared while waiting for '%s'", file); ++ return -2; ++ } ++ log_debug("wait for '%s' for %i mseconds", file, 1000 / WAIT_LOOP_PER_SECOND); ++ nanosleep(&duration, NULL); ++ } ++ log_debug("waiting for '%s' failed", file); ++ return -1; ++} ++ + static int rule_line_add_token(UdevRuleLine *rule_line, UdevRuleTokenType type, UdevRuleOperatorType op, char *value, void *data) { + UdevRuleToken *token; + UdevRuleMatchType match_type = _MATCH_TYPE_INVALID; +@@ -953,6 +995,12 @@ static int parse_token(UdevRules *rules, const char *key, char *attr, UdevRuleOp + r = rule_line_add_token(rule_line, TK_A_RUN_BUILTIN, op, value, UDEV_BUILTIN_CMD_TO_PTR(cmd)); + } else + return log_token_invalid_attr(rules, key); ++ } else if (streq(key, "WAIT_FOR") || streq(key, "WAIT_FOR_SYSFS")) { ++ if (op == OP_REMOVE) ++ return log_token_invalid_op(rules, key); ++ ++ rule_line_add_token(rule_line, TK_M_WAITFOR, 0, value, NULL); ++ return 1; + } else if (streq(key, "GOTO")) { + if (attr) + return log_token_invalid_attr(rules, key); +@@ -1670,6 +1718,14 @@ static int udev_rule_apply_token_to_event( + + return token_match_string(token, val); + } ++ case TK_M_WAITFOR: { ++ char filename[UDEV_PATH_SIZE]; ++ int found; ++ ++ udev_event_apply_format(event, token->value, filename, sizeof(filename), false, NULL); ++ found = (wait_for_file(event->dev, filename, 10) == 0); ++ return found || (token->op == OP_NOMATCH); ++ } + case TK_M_ATTR: + case TK_M_PARENTS_ATTR: + return token_match_attr(rules, token, dev, event); +diff --git a/test/rule-syntax-check.py b/test/rule-syntax-check.py +index ec1c75a854..5543931064 100755 +--- a/test/rule-syntax-check.py ++++ b/test/rule-syntax-check.py +@@ -18,7 +18,7 @@ no_args_tests = re.compile(r'(ACTION|DEVPATH|KERNELS?|NAME|SYMLINK|SUBSYSTEMS?|D + # PROGRAM can also be specified as an assignment. + program_assign = re.compile(r'PROGRAM\s*=\s*' + quoted_string_re + '$') + args_tests = re.compile(r'(ATTRS?|ENV|CONST|TEST){([a-zA-Z0-9/_.*%-]+)}\s*(?:=|!)=\s*' + quoted_string_re + '$') +-no_args_assign = re.compile(r'(NAME|SYMLINK|OWNER|GROUP|MODE|TAG|RUN|LABEL|GOTO|OPTIONS|IMPORT)\s*(?:\+=|:=|=)\s*' + quoted_string_re + '$') ++no_args_assign = re.compile(r'(NAME|SYMLINK|OWNER|GROUP|MODE|TAG|RUN|LABEL|GOTO|WAIT_FOR|OPTIONS|IMPORT)\s*(?:\+=|:=|=)\s*' + quoted_string_re + '$') + args_assign = re.compile(r'(ATTR|ENV|IMPORT|RUN){([a-zA-Z0-9/_.*%-]+)}\s*(=|\+=)\s*' + quoted_string_re + '$') + # Find comma-separated groups, but allow commas that are inside quoted strings. + # Using quoted_string_re + '?' so that strings missing the last double quote diff --git a/SOURCES/0103-Really-don-t-enable-systemd-journald-audit.socket.patch b/SOURCES/0103-Really-don-t-enable-systemd-journald-audit.socket.patch new file mode 100644 index 0000000..05c3ee0 --- /dev/null +++ b/SOURCES/0103-Really-don-t-enable-systemd-journald-audit.socket.patch @@ -0,0 +1,25 @@ +From e715ac2104707b6a8744fa54b1e4419a07ff88f6 Mon Sep 17 00:00:00 2001 +From: David Tardon +Date: Wed, 25 Aug 2021 16:03:04 +0200 +Subject: [PATCH] Really don't enable systemd-journald-audit.socket + +RHEL-only + +Related: #2138081 +--- + units/systemd-journald.service.in | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/units/systemd-journald.service.in b/units/systemd-journald.service.in +index e8be031de5..ee8bdcb9ca 100644 +--- a/units/systemd-journald.service.in ++++ b/units/systemd-journald.service.in +@@ -38,7 +38,7 @@ RestrictRealtime=yes + RestrictSUIDSGID=yes + RuntimeDirectory=systemd/journal + RuntimeDirectoryPreserve=yes +-Sockets=systemd-journald.socket systemd-journald-dev-log.socket systemd-journald-audit.socket ++Sockets=systemd-journald.socket systemd-journald-dev-log.socket + StandardOutput=null + SystemCallArchitectures=native + SystemCallErrorNumber=EPERM diff --git a/SOURCES/0104-rules-add-elevator-kernel-command-line-parameter.patch b/SOURCES/0104-rules-add-elevator-kernel-command-line-parameter.patch new file mode 100644 index 0000000..8ead8b8 --- /dev/null +++ b/SOURCES/0104-rules-add-elevator-kernel-command-line-parameter.patch @@ -0,0 +1,58 @@ +From 9ffd83c333bdc7741bfa1a73b3461f1b51208c5f Mon Sep 17 00:00:00 2001 +From: Lukas Nykryn +Date: Tue, 12 Feb 2019 16:58:16 +0100 +Subject: [PATCH] rules: add elevator= kernel command line parameter + +Kernel removed the elevator= option, so let's reintroduce +it for rhel8 via udev rule. + +RHEL-only + +Related: #2138081 +--- + rules.d/40-elevator.rules | 20 ++++++++++++++++++++ + rules.d/meson.build | 3 ++- + 2 files changed, 22 insertions(+), 1 deletion(-) + create mode 100644 rules.d/40-elevator.rules + +diff --git a/rules.d/40-elevator.rules b/rules.d/40-elevator.rules +new file mode 100644 +index 0000000000..dbe8fc81a4 +--- /dev/null ++++ b/rules.d/40-elevator.rules +@@ -0,0 +1,20 @@ ++# We aren't adding devices skip the elevator check ++ACTION!="add", GOTO="sched_out" ++ ++SUBSYSTEM!="block", GOTO="sched_out" ++ENV{DEVTYPE}!="disk", GOTO="sched_out" ++ ++# Technically, dm-multipath can be configured to use an I/O scheduler. ++# However, there are races between the 'add' uevent and the linking in ++# of the queue/scheduler sysfs file. For now, just skip dm- devices. ++KERNEL=="dm-*|md*", GOTO="sched_out" ++ ++# Skip bio-based devices, which don't support an I/O scheduler. ++ATTR{queue/scheduler}=="none", GOTO="sched_out" ++ ++# If elevator= is specified on the kernel command line, change the ++# scheduler to the one specified. ++IMPORT{cmdline}="elevator" ++ENV{elevator}!="", ATTR{queue/scheduler}="$env{elevator}" ++ ++LABEL="sched_out" +\ No newline at end of file +diff --git a/rules.d/meson.build b/rules.d/meson.build +index 70f48e877b..4e88400d02 100644 +--- a/rules.d/meson.build ++++ b/rules.d/meson.build +@@ -5,7 +5,8 @@ install_data( + install_dir : udevrulesdir) + + rules = [ +- [files('40-redhat.rules', ++ [files('40-elevator.rules', ++ '40-redhat.rules', + '60-autosuspend.rules', + '60-block.rules', + '60-cdrom_id.rules', diff --git a/SOURCES/0105-units-don-t-enable-tmp.mount-statically-in-local-fs..patch b/SOURCES/0105-units-don-t-enable-tmp.mount-statically-in-local-fs..patch new file mode 100644 index 0000000..bf998d7 --- /dev/null +++ b/SOURCES/0105-units-don-t-enable-tmp.mount-statically-in-local-fs..patch @@ -0,0 +1,26 @@ +From 19524651b38a0db99447ca5df181d69240d75d47 Mon Sep 17 00:00:00 2001 +From: Michal Sekletar +Date: Wed, 22 Sep 2021 14:38:00 +0200 +Subject: [PATCH] units: don't enable tmp.mount statically in local-fs.target + +RHEL-only + +Related: #2138081 +--- + units/meson.build | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/units/meson.build b/units/meson.build +index b224701eb9..eae7394731 100644 +--- a/units/meson.build ++++ b/units/meson.build +@@ -160,8 +160,7 @@ units = [ + ['time-set.target', ''], + ['time-sync.target', ''], + ['timers.target', ''], +- ['tmp.mount', '', +- 'local-fs.target.wants/'], ++ ['tmp.mount', ''], + ['umount.target', ''], + ['usb-gadget.target', ''], + ['user.slice', ''], diff --git a/SOURCES/0106-pid1-bump-DefaultTasksMax-to-80-of-the-kernel-pid.ma.patch b/SOURCES/0106-pid1-bump-DefaultTasksMax-to-80-of-the-kernel-pid.ma.patch new file mode 100644 index 0000000..47d4bbe --- /dev/null +++ b/SOURCES/0106-pid1-bump-DefaultTasksMax-to-80-of-the-kernel-pid.ma.patch @@ -0,0 +1,59 @@ +From 6e6aaec20c62887fa5c5c4bf47a9c2238f8f027f Mon Sep 17 00:00:00 2001 +From: rpm-build +Date: Wed, 1 Aug 2018 13:19:39 +0200 +Subject: [PATCH] pid1: bump DefaultTasksMax to 80% of the kernel pid.max value + +This should be hopefully high enough even for the very big deployments. + +RHEL-only + +Related: #2138081 +--- + man/systemd-system.conf.xml | 4 ++-- + src/core/main.c | 2 +- + src/core/system.conf.in | 2 +- + 3 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/man/systemd-system.conf.xml b/man/systemd-system.conf.xml +index ac21c31d9a..00de04d426 100644 +--- a/man/systemd-system.conf.xml ++++ b/man/systemd-system.conf.xml +@@ -461,10 +461,10 @@ + Configure the default value for the per-unit TasksMax= setting. See + systemd.resource-control5 + for details. This setting applies to all unit types that support resource control settings, with the exception +- of slice units. Defaults to 15% of the minimum of kernel.pid_max=, kernel.threads-max= ++ of slice units. Defaults to 80% of the minimum of kernel.pid_max=, kernel.threads-max= + and root cgroup pids.max. + Kernel has a default value for kernel.pid_max= and an algorithm of counting in case of more than 32 cores. +- For example with the default kernel.pid_max=, DefaultTasksMax= defaults to 4915, ++ For example with the default kernel.pid_max=, DefaultTasksMax= defaults to 26214, + but might be greater in other systems or smaller in OS containers. + + +diff --git a/src/core/main.c b/src/core/main.c +index 14a4f81452..d3ec526e7e 100644 +--- a/src/core/main.c ++++ b/src/core/main.c +@@ -100,7 +100,7 @@ + #include + #endif + +-#define DEFAULT_TASKS_MAX ((TasksMax) { 15U, 100U }) /* 15% */ ++#define DEFAULT_TASKS_MAX ((TasksMax) { 80U, 100U }) /* 80% */ + + static enum { + ACTION_RUN, +diff --git a/src/core/system.conf.in b/src/core/system.conf.in +index 71a5869ec0..5d1f6d24f0 100644 +--- a/src/core/system.conf.in ++++ b/src/core/system.conf.in +@@ -56,7 +56,7 @@ + #DefaultIPAccounting=no + #DefaultMemoryAccounting={{ 'yes' if MEMORY_ACCOUNTING_DEFAULT else 'no' }} + #DefaultTasksAccounting=yes +-#DefaultTasksMax=15% ++#DefaultTasksMax=80% + #DefaultLimitCPU= + #DefaultLimitFSIZE= + #DefaultLimitDATA= diff --git a/SOURCES/0107-set-core-ulimit-to-0-like-on-RHEL-7.patch b/SOURCES/0107-set-core-ulimit-to-0-like-on-RHEL-7.patch new file mode 100644 index 0000000..b0137ae --- /dev/null +++ b/SOURCES/0107-set-core-ulimit-to-0-like-on-RHEL-7.patch @@ -0,0 +1,25 @@ +From 7b1eb758d1f87bfd98dbb8037a842ceedb245815 Mon Sep 17 00:00:00 2001 +From: David Tardon +Date: Mon, 25 Jan 2021 16:19:56 +0100 +Subject: [PATCH] set core ulimit to 0 like on RHEL-7 + +RHEL-only + +Related: #2138081 +--- + src/core/system.conf.in | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/core/system.conf.in b/src/core/system.conf.in +index 5d1f6d24f0..624746e512 100644 +--- a/src/core/system.conf.in ++++ b/src/core/system.conf.in +@@ -61,7 +61,7 @@ + #DefaultLimitFSIZE= + #DefaultLimitDATA= + #DefaultLimitSTACK= +-#DefaultLimitCORE= ++DefaultLimitCORE=0:infinity + #DefaultLimitRSS= + #DefaultLimitNOFILE=1024:{{HIGH_RLIMIT_NOFILE}} + #DefaultLimitAS= diff --git a/SOURCES/0108-ci-use-C9S-chroots-in-Packit.patch b/SOURCES/0108-ci-use-C9S-chroots-in-Packit.patch new file mode 100644 index 0000000..f1b418f --- /dev/null +++ b/SOURCES/0108-ci-use-C9S-chroots-in-Packit.patch @@ -0,0 +1,28 @@ +From 395bf82a5950b7e3bfe974d3f4d52ee2fb5a9e56 Mon Sep 17 00:00:00 2001 +From: Frantisek Sumsal +Date: Thu, 4 Nov 2021 12:31:32 +0100 +Subject: [PATCH] ci: use C9S chroots in Packit + +rhel-only +Related: #2138081 +--- + .packit.yml | 9 ++++----- + 1 file changed, 4 insertions(+), 5 deletions(-) + +diff --git a/.packit.yml b/.packit.yml +index d0eebab181..35938f3586 100644 +--- a/.packit.yml ++++ b/.packit.yml +@@ -38,8 +38,7 @@ jobs: + trigger: pull_request + metadata: + targets: +- - fedora-rawhide-aarch64 +- - fedora-rawhide-i386 +- - fedora-rawhide-ppc64le +- - fedora-rawhide-s390x +- - fedora-rawhide-x86_64 ++ - centos-stream-9-aarch64 ++ - centos-stream-9-ppc64le ++ - centos-stream-9-s390x ++ - centos-stream-9-x86_64 diff --git a/SOURCES/0109-Treat-EPERM-as-not-available-too.patch b/SOURCES/0109-Treat-EPERM-as-not-available-too.patch new file mode 100644 index 0000000..a514554 --- /dev/null +++ b/SOURCES/0109-Treat-EPERM-as-not-available-too.patch @@ -0,0 +1,30 @@ +From 9e51ecd3ec0484d7ffefb0ceaf242e96b31195bb Mon Sep 17 00:00:00 2001 +From: David Tardon +Date: Tue, 21 Dec 2021 10:46:17 +0100 +Subject: [PATCH] Treat EPERM as "not available" too + +We need to do this because idmapped mounts habe been disabled in RHEL-9 +kernel: https://bugzilla.redhat.com/show_bug.cgi?id=2018141 . + +RHEL-only + +Fixes #55 + +Related: #2138081 +--- + src/nspawn/nspawn.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c +index 01a67b5553..93d646ed56 100644 +--- a/src/nspawn/nspawn.c ++++ b/src/nspawn/nspawn.c +@@ -3806,7 +3806,7 @@ static int outer_child( + arg_uid_shift != 0) { + + r = remount_idmap(directory, arg_uid_shift, arg_uid_range, UID_INVALID, REMOUNT_IDMAPPING_HOST_ROOT); +- if (r == -EINVAL || ERRNO_IS_NOT_SUPPORTED(r)) { ++ if (IN_SET(r, -EINVAL, -EPERM) || ERRNO_IS_NOT_SUPPORTED(r)) { + /* This might fail because the kernel or file system doesn't support idmapping. We + * can't really distinguish this nicely, nor do we have any guarantees about the + * error codes we see, could be EOPNOTSUPP or EINVAL. */ diff --git a/SOURCES/0110-udev-net-setup-link-change-the-default-MACAddressPol.patch b/SOURCES/0110-udev-net-setup-link-change-the-default-MACAddressPol.patch new file mode 100644 index 0000000..7acbcf6 --- /dev/null +++ b/SOURCES/0110-udev-net-setup-link-change-the-default-MACAddressPol.patch @@ -0,0 +1,53 @@ +From c150bc4cc27d560970fd34cf2347142325e7704a Mon Sep 17 00:00:00 2001 +From: Michal Sekletar +Date: Tue, 21 Sep 2021 15:01:19 +0200 +Subject: [PATCH] udev/net-setup-link: change the default MACAddressPolicy to + "none" + +While stable MAC address for interface types that don't have the +address provided by HW could be useful it also breaks LACP based bonds. +Let's err on the side of caution and don't change the MAC address from +udev. + +RHEL-only + +Related: #2138081 +--- + man/systemd.link.xml | 2 +- + network/99-default.link | 2 +- + test/fuzz/fuzz-link-parser/99-default.link | 2 +- + 3 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/man/systemd.link.xml b/man/systemd.link.xml +index cc55b02b18..69e0ac779c 100644 +--- a/man/systemd.link.xml ++++ b/man/systemd.link.xml +@@ -1117,7 +1117,7 @@ + + [Link] + NamePolicy=kernel database onboard slot path +-MACAddressPolicy=persistent ++MACAddressPolicy=none + + + +diff --git a/network/99-default.link b/network/99-default.link +index 429ac31e80..083bdb5659 100644 +--- a/network/99-default.link ++++ b/network/99-default.link +@@ -17,4 +17,4 @@ OriginalName=* + [Link] + NamePolicy=keep kernel database onboard slot path + AlternativeNamesPolicy=database onboard slot path +-MACAddressPolicy=persistent ++MACAddressPolicy=none +diff --git a/test/fuzz/fuzz-link-parser/99-default.link b/test/fuzz/fuzz-link-parser/99-default.link +index feb5b1fbb0..3d755898b4 100644 +--- a/test/fuzz/fuzz-link-parser/99-default.link ++++ b/test/fuzz/fuzz-link-parser/99-default.link +@@ -9,4 +9,4 @@ + + [Link] + NamePolicy=keep kernel database onboard slot path +-MACAddressPolicy=persistent ++MACAddressPolicy=none diff --git a/SOURCES/0111-man-mention-System-Administrator-s-Guide-in-systemct.patch b/SOURCES/0111-man-mention-System-Administrator-s-Guide-in-systemct.patch new file mode 100644 index 0000000..b138880 --- /dev/null +++ b/SOURCES/0111-man-mention-System-Administrator-s-Guide-in-systemct.patch @@ -0,0 +1,35 @@ +From 5b2c931fb85d79db5a369a46eaeaf4ba297cbeef Mon Sep 17 00:00:00 2001 +From: Lukas Nykryn +Date: Thu, 28 Aug 2014 15:12:10 +0200 +Subject: [PATCH] man: mention System Administrator's Guide in systemctl + manpage + +RHEL-only + +Related: #2138081 +--- + man/systemctl.xml | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/man/systemctl.xml b/man/systemctl.xml +index 997925892d..f743c182fe 100644 +--- a/man/systemctl.xml ++++ b/man/systemctl.xml +@@ -2496,6 +2496,17 @@ Jan 12 10:46:45 example.com bluetoothd[8900]: gatt-time-server: Input/output err + + + ++ ++ Examples ++ ++ For examples how to use systemctl in comparsion ++ with old service and chkconfig command please see: ++ ++ Managing System Services ++ ++ ++ ++ + + See Also + diff --git a/SOURCES/0112-Net-naming-scheme-for-RHEL-9.0.patch b/SOURCES/0112-Net-naming-scheme-for-RHEL-9.0.patch new file mode 100644 index 0000000..57b2cfd --- /dev/null +++ b/SOURCES/0112-Net-naming-scheme-for-RHEL-9.0.patch @@ -0,0 +1,56 @@ +From 9e03c4d6c1245af87569cb337c4fd82d873ea5c7 Mon Sep 17 00:00:00 2001 +From: Jacek Migacz +Date: Thu, 3 Feb 2022 23:46:09 +0100 +Subject: [PATCH] Net naming scheme for RHEL-9.0 + +RHEL-only + +Related: #2138081 +--- + man/systemd.net-naming-scheme.xml | 7 +++++++ + src/shared/netif-naming-scheme.c | 1 + + src/shared/netif-naming-scheme.h | 1 + + 3 files changed, 9 insertions(+) + +diff --git a/man/systemd.net-naming-scheme.xml b/man/systemd.net-naming-scheme.xml +index 8aac42b49d..8c2017a0ce 100644 +--- a/man/systemd.net-naming-scheme.xml ++++ b/man/systemd.net-naming-scheme.xml +@@ -448,6 +448,13 @@ + + + ++ ++ rhel-9.0 ++ ++ Same as naming scheme v250. ++ ++ ++ + + + Note that latest may be used to denote the latest scheme known (to this +diff --git a/src/shared/netif-naming-scheme.c b/src/shared/netif-naming-scheme.c +index 18748e5376..c5b8ddfcf9 100644 +--- a/src/shared/netif-naming-scheme.c ++++ b/src/shared/netif-naming-scheme.c +@@ -25,6 +25,7 @@ static const NamingScheme naming_schemes[] = { + { "v250", NAMING_V250 }, + { "v251", NAMING_V251 }, + { "v252", NAMING_V252 }, ++ { "rhel-9.0", NAMING_RHEL_9_0 }, + /* … add more schemes here, as the logic to name devices is updated … */ + + EXTRA_NET_NAMING_MAP +diff --git a/src/shared/netif-naming-scheme.h b/src/shared/netif-naming-scheme.h +index 4fa9170969..b5fa1f0ef0 100644 +--- a/src/shared/netif-naming-scheme.h ++++ b/src/shared/netif-naming-scheme.h +@@ -51,6 +51,7 @@ typedef enum NamingSchemeFlags { + NAMING_V250 = NAMING_V249 | NAMING_XEN_VIF, + NAMING_V251 = NAMING_V250 | NAMING_BRIDGE_MULTIFUNCTION_SLOT, + NAMING_V252 = NAMING_V251 | NAMING_DEVICETREE_ALIASES, ++ NAMING_RHEL_9_0 = NAMING_V250, + + EXTRA_NET_NAMING_SCHEMES + diff --git a/SOURCES/0113-core-decrease-log-level-of-messages-about-use-of-Kil.patch b/SOURCES/0113-core-decrease-log-level-of-messages-about-use-of-Kil.patch new file mode 100644 index 0000000..2bef6e0 --- /dev/null +++ b/SOURCES/0113-core-decrease-log-level-of-messages-about-use-of-Kil.patch @@ -0,0 +1,40 @@ +From 1db882cea4fe51183076d11893e9efe855310948 Mon Sep 17 00:00:00 2001 +From: Michal Sekletar +Date: Tue, 22 Feb 2022 13:24:11 +0100 +Subject: [PATCH] core: decrease log level of messages about use of + KillMode=none + +RHEL-only + +Related: #2138081 +--- + src/core/load-fragment.c | 2 +- + src/core/unit.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/core/load-fragment.c b/src/core/load-fragment.c +index 1a5895346d..0b5c8acee4 100644 +--- a/src/core/load-fragment.c ++++ b/src/core/load-fragment.c +@@ -834,7 +834,7 @@ int config_parse_kill_mode( + } + + if (m == KILL_NONE) +- log_syntax(unit, LOG_WARNING, filename, line, 0, ++ log_syntax(unit, LOG_DEBUG, filename, line, 0, + "Unit uses KillMode=none. " + "This is unsafe, as it disables systemd's process lifecycle management for the service. " + "Please update the service to use a safer KillMode=, such as 'mixed' or 'control-group'. " +diff --git a/src/core/unit.c b/src/core/unit.c +index 5af44aaf4a..4bb7e2d498 100644 +--- a/src/core/unit.c ++++ b/src/core/unit.c +@@ -5510,7 +5510,7 @@ int unit_log_leftover_process_start(pid_t pid, int sig, void *userdata) { + + /* During start we print a warning */ + +- log_unit_warning(userdata, ++ log_unit_debug(userdata, + "Found left-over process " PID_FMT " (%s) in control group while starting unit. Ignoring.\n" + "This usually indicates unclean termination of a previous run, or service implementation deficiencies.", + pid, strna(comm)); diff --git a/SOURCES/0114-ci-Mergify-configuration-update.patch b/SOURCES/0114-ci-Mergify-configuration-update.patch new file mode 100644 index 0000000..95d41c1 --- /dev/null +++ b/SOURCES/0114-ci-Mergify-configuration-update.patch @@ -0,0 +1,97 @@ +From a2e1634b7c8f0f422975799de0d09f898c82d742 Mon Sep 17 00:00:00 2001 +From: Jan Macku +Date: Mon, 30 May 2022 15:19:16 +0200 +Subject: [PATCH] ci(Mergify): configuration update + +Add rules for `needs-ci` label management + +RHEL-only + +Related: #2138081 +--- + .mergify.yml | 76 ++++++++++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 76 insertions(+) + create mode 100644 .mergify.yml + +diff --git a/.mergify.yml b/.mergify.yml +new file mode 100644 +index 0000000000..c06e0fb1be +--- /dev/null ++++ b/.mergify.yml +@@ -0,0 +1,76 @@ ++# doc: https://docs.mergify.com ++--- ++ ++pull_request_rules: ++ - name: Add `needs-ci` label on CI fail ++ conditions: ++ - or: ++ # Build test ++ - -check-success=build (gcc, 10, bfd) ++ - -check-success=build (gcc, 11, gold) ++ - -check-success=build (clang, 11, bfd) ++ - -check-success=build (clang, 12, gold) ++ - -check-success=build (clang, 13, lld) ++ # Unit tests ++ - -check-success=build (GCC, auto) ++ - -check-success=build (GCC_ASAN_UBSAN, auto) ++ - -check-success=build (CLANG, auto) ++ - -check-success=build (CLANG_ASAN_UBSAN, auto) ++ - -check-success=build (GCC, openssl) ++ - -check-success=build (CLANG, gcrypt) ++ # CentOS CI ++ - -check-success=CentOS CI (CentOS Stream 9) ++ - -check-success=CentOS CI (CentOS Stream 9 + sanitizers) ++ # LGTM ++ - and: ++ - "-check-success=LGTM analysis: JavaScript" ++ - "-check-neutral=LGTM analysis: JavaScript" ++ - and: ++ - "-check-success=LGTM analysis: Python" ++ - "-check-neutral=LGTM analysis: Python" ++ - and: ++ - "-check-success=LGTM analysis: C/C++" ++ - "-check-neutral=LGTM analysis: Python" ++ # Packit ++ - -check-success=rpm-build:centos-stream-9-aarch64 ++ - -check-success=rpm-build:centos-stream-9-x86_64 ++ actions: ++ label: ++ add: ++ - needs-ci ++ ++ - name: Remove `needs-ci` label on CI success ++ conditions: ++ # Build test ++ - check-success=build (gcc, 10, bfd) ++ - check-success=build (gcc, 11, gold) ++ - check-success=build (clang, 11, bfd) ++ - check-success=build (clang, 12, gold) ++ - check-success=build (clang, 13, lld) ++ # Unit tests ++ - check-success=build (GCC, auto) ++ - check-success=build (GCC_ASAN_UBSAN, auto) ++ - check-success=build (CLANG, auto) ++ - check-success=build (CLANG_ASAN_UBSAN, auto) ++ - check-success=build (GCC, openssl) ++ - check-success=build (CLANG, gcrypt) ++ # CentOS CI ++ - check-success=CentOS CI (CentOS Stream 9) ++ - check-success=CentOS CI (CentOS Stream 9 + sanitizers) ++ # LGTM ++ - or: ++ - "check-success=LGTM analysis: JavaScript" ++ - "check-neutral=LGTM analysis: JavaScript" ++ - or: ++ - "check-success=LGTM analysis: Python" ++ - "check-neutral=LGTM analysis: Python" ++ - or: ++ - "check-success=LGTM analysis: C/C++" ++ - "check-neutral=LGTM analysis: Python" ++ # Packit ++ - check-success=rpm-build:centos-stream-9-aarch64 ++ - check-success=rpm-build:centos-stream-9-x86_64 ++ actions: ++ label: ++ remove: ++ - needs-ci diff --git a/SOURCES/0115-ci-Mergify-fix-copy-paste-bug.patch b/SOURCES/0115-ci-Mergify-fix-copy-paste-bug.patch new file mode 100644 index 0000000..048f662 --- /dev/null +++ b/SOURCES/0115-ci-Mergify-fix-copy-paste-bug.patch @@ -0,0 +1,34 @@ +From 44637741bccdcabc8257ffee1996afeadf441690 Mon Sep 17 00:00:00 2001 +From: David Tardon +Date: Mon, 6 Jun 2022 15:39:22 +0200 +Subject: [PATCH] ci(Mergify): fix copy&paste bug + +RHEL-only + +Related: #2138081 +--- + .mergify.yml | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/.mergify.yml b/.mergify.yml +index c06e0fb1be..b7852b201c 100644 +--- a/.mergify.yml ++++ b/.mergify.yml +@@ -30,7 +30,7 @@ pull_request_rules: + - "-check-neutral=LGTM analysis: Python" + - and: + - "-check-success=LGTM analysis: C/C++" +- - "-check-neutral=LGTM analysis: Python" ++ - "-check-neutral=LGTM analysis: C/C++" + # Packit + - -check-success=rpm-build:centos-stream-9-aarch64 + - -check-success=rpm-build:centos-stream-9-x86_64 +@@ -66,7 +66,7 @@ pull_request_rules: + - "check-neutral=LGTM analysis: Python" + - or: + - "check-success=LGTM analysis: C/C++" +- - "check-neutral=LGTM analysis: Python" ++ - "check-neutral=LGTM analysis: C/C++" + # Packit + - check-success=rpm-build:centos-stream-9-aarch64 + - check-success=rpm-build:centos-stream-9-x86_64 diff --git a/SOURCES/0116-ci-Mergify-Add-ci-waived-logic.patch b/SOURCES/0116-ci-Mergify-Add-ci-waived-logic.patch new file mode 100644 index 0000000..3387169 --- /dev/null +++ b/SOURCES/0116-ci-Mergify-Add-ci-waived-logic.patch @@ -0,0 +1,104 @@ +From 9fee3c33a05596de1658eb0099cd04cbf0a5d99a Mon Sep 17 00:00:00 2001 +From: Jan Macku +Date: Tue, 19 Jul 2022 12:29:28 +0200 +Subject: [PATCH] ci(Mergify): Add `ci-waived` logic + +RHEL-only + +Related: #2138081 +--- + .mergify.yml | 66 ++++++++++++++++++++++++++++------------------------ + 1 file changed, 35 insertions(+), 31 deletions(-) + +diff --git a/.mergify.yml b/.mergify.yml +index b7852b201c..be25e52c76 100644 +--- a/.mergify.yml ++++ b/.mergify.yml +@@ -4,6 +4,7 @@ + pull_request_rules: + - name: Add `needs-ci` label on CI fail + conditions: ++ - label!=ci-waived + - or: + # Build test + - -check-success=build (gcc, 10, bfd) +@@ -31,9 +32,9 @@ pull_request_rules: + - and: + - "-check-success=LGTM analysis: C/C++" + - "-check-neutral=LGTM analysis: C/C++" +- # Packit +- - -check-success=rpm-build:centos-stream-9-aarch64 +- - -check-success=rpm-build:centos-stream-9-x86_64 ++ # Packit ++ - -check-success=rpm-build:centos-stream-9-aarch64 ++ - -check-success=rpm-build:centos-stream-9-x86_64 + actions: + label: + add: +@@ -41,35 +42,38 @@ pull_request_rules: + + - name: Remove `needs-ci` label on CI success + conditions: +- # Build test +- - check-success=build (gcc, 10, bfd) +- - check-success=build (gcc, 11, gold) +- - check-success=build (clang, 11, bfd) +- - check-success=build (clang, 12, gold) +- - check-success=build (clang, 13, lld) +- # Unit tests +- - check-success=build (GCC, auto) +- - check-success=build (GCC_ASAN_UBSAN, auto) +- - check-success=build (CLANG, auto) +- - check-success=build (CLANG_ASAN_UBSAN, auto) +- - check-success=build (GCC, openssl) +- - check-success=build (CLANG, gcrypt) +- # CentOS CI +- - check-success=CentOS CI (CentOS Stream 9) +- - check-success=CentOS CI (CentOS Stream 9 + sanitizers) +- # LGTM + - or: +- - "check-success=LGTM analysis: JavaScript" +- - "check-neutral=LGTM analysis: JavaScript" +- - or: +- - "check-success=LGTM analysis: Python" +- - "check-neutral=LGTM analysis: Python" +- - or: +- - "check-success=LGTM analysis: C/C++" +- - "check-neutral=LGTM analysis: C/C++" +- # Packit +- - check-success=rpm-build:centos-stream-9-aarch64 +- - check-success=rpm-build:centos-stream-9-x86_64 ++ - label=ci-waived ++ - and: ++ # Build test ++ - check-success=build (gcc, 10, bfd) ++ - check-success=build (gcc, 11, gold) ++ - check-success=build (clang, 11, bfd) ++ - check-success=build (clang, 12, gold) ++ - check-success=build (clang, 13, lld) ++ # Unit tests ++ - check-success=build (GCC, auto) ++ - check-success=build (GCC_ASAN_UBSAN, auto) ++ - check-success=build (CLANG, auto) ++ - check-success=build (CLANG_ASAN_UBSAN, auto) ++ - check-success=build (GCC, openssl) ++ - check-success=build (CLANG, gcrypt) ++ # CentOS CI ++ - check-success=CentOS CI (CentOS Stream 9) ++ - check-success=CentOS CI (CentOS Stream 9 + sanitizers) ++ # LGTM ++ - or: ++ - "check-success=LGTM analysis: JavaScript" ++ - "check-neutral=LGTM analysis: JavaScript" ++ - or: ++ - "check-success=LGTM analysis: Python" ++ - "check-neutral=LGTM analysis: Python" ++ - or: ++ - "check-success=LGTM analysis: C/C++" ++ - "check-neutral=LGTM analysis: C/C++" ++ # Packit ++ - check-success=rpm-build:centos-stream-9-aarch64 ++ - check-success=rpm-build:centos-stream-9-x86_64 + actions: + label: + remove: diff --git a/SOURCES/0117-udev-net_id-avoid-slot-based-names-only-for-single-f.patch b/SOURCES/0117-udev-net_id-avoid-slot-based-names-only-for-single-f.patch new file mode 100644 index 0000000..0a6dad7 --- /dev/null +++ b/SOURCES/0117-udev-net_id-avoid-slot-based-names-only-for-single-f.patch @@ -0,0 +1,50 @@ +From 6a3afa1a7e302ae414fbfa64b3da281aa56d64ed Mon Sep 17 00:00:00 2001 +From: Michal Sekletar +Date: Wed, 23 Mar 2022 17:34:12 +0100 +Subject: [PATCH] udev/net_id: avoid slot based names only for single function + devices + +If we have two or more devices that share the same slot but they are +also multifunction then it is OK to use the slot information even if it +is the same for all of them. Name conflict will be avoided because we +will append function number and form names like, ens1f1, ens1f2... + +(cherry picked from commit 66425daf2c68793adf24a48a26d58add8662e83f) + +Related: #2138081 +--- + man/systemd.net-naming-scheme.xml | 7 ++++++- + src/shared/netif-naming-scheme.h | 2 +- + 2 files changed, 7 insertions(+), 2 deletions(-) + +diff --git a/man/systemd.net-naming-scheme.xml b/man/systemd.net-naming-scheme.xml +index 8c2017a0ce..e5268be38e 100644 +--- a/man/systemd.net-naming-scheme.xml ++++ b/man/systemd.net-naming-scheme.xml +@@ -451,7 +451,12 @@ + + rhel-9.0 + +- Same as naming scheme v250. ++ Since version v247 we no longer set ++ ID_NET_NAME_SLOT if we detect that a PCI device associated with a slot is a PCI ++ bridge as that would create naming conflict when there are more child devices on that bridge. Now, ++ this is relaxed and we will use slot information to generate the name based on it but only if ++ the PCI device has multiple functions. This is safe because distinct function number is a part of ++ the device name for multifunction devices. + + + +diff --git a/src/shared/netif-naming-scheme.h b/src/shared/netif-naming-scheme.h +index b5fa1f0ef0..fd3ae1b7f5 100644 +--- a/src/shared/netif-naming-scheme.h ++++ b/src/shared/netif-naming-scheme.h +@@ -51,7 +51,7 @@ typedef enum NamingSchemeFlags { + NAMING_V250 = NAMING_V249 | NAMING_XEN_VIF, + NAMING_V251 = NAMING_V250 | NAMING_BRIDGE_MULTIFUNCTION_SLOT, + NAMING_V252 = NAMING_V251 | NAMING_DEVICETREE_ALIASES, +- NAMING_RHEL_9_0 = NAMING_V250, ++ NAMING_RHEL_9_0 = NAMING_V250 | NAMING_BRIDGE_MULTIFUNCTION_SLOT, + + EXTRA_NET_NAMING_SCHEMES + diff --git a/SOURCES/0118-udev-net_id-add-rhel-9.1-naming-scheme.patch b/SOURCES/0118-udev-net_id-add-rhel-9.1-naming-scheme.patch new file mode 100644 index 0000000..a432f5f --- /dev/null +++ b/SOURCES/0118-udev-net_id-add-rhel-9.1-naming-scheme.patch @@ -0,0 +1,55 @@ +From 35ff2c23e2b95d7f1264259de17028d1b7472b87 Mon Sep 17 00:00:00 2001 +From: Michal Sekletar +Date: Wed, 24 Aug 2022 17:18:47 +0200 +Subject: [PATCH] udev/net_id: add "rhel-9.1" naming scheme + +RHEL-only + +Related: #2138081 +--- + man/systemd.net-naming-scheme.xml | 6 ++++++ + src/shared/netif-naming-scheme.c | 1 + + src/shared/netif-naming-scheme.h | 1 + + 3 files changed, 8 insertions(+) + +diff --git a/man/systemd.net-naming-scheme.xml b/man/systemd.net-naming-scheme.xml +index e5268be38e..ca8ba7010e 100644 +--- a/man/systemd.net-naming-scheme.xml ++++ b/man/systemd.net-naming-scheme.xml +@@ -460,6 +460,12 @@ + + + ++ ++ rhel-9.1 ++ ++ Same as naming scheme rhel-9.0. ++ ++ + + + Note that latest may be used to denote the latest scheme known (to this +diff --git a/src/shared/netif-naming-scheme.c b/src/shared/netif-naming-scheme.c +index c5b8ddfcf9..a20b990f2e 100644 +--- a/src/shared/netif-naming-scheme.c ++++ b/src/shared/netif-naming-scheme.c +@@ -26,6 +26,7 @@ static const NamingScheme naming_schemes[] = { + { "v251", NAMING_V251 }, + { "v252", NAMING_V252 }, + { "rhel-9.0", NAMING_RHEL_9_0 }, ++ { "rhel-9.1", NAMING_RHEL_9_1 }, + /* … add more schemes here, as the logic to name devices is updated … */ + + EXTRA_NET_NAMING_MAP +diff --git a/src/shared/netif-naming-scheme.h b/src/shared/netif-naming-scheme.h +index fd3ae1b7f5..d70c19ade3 100644 +--- a/src/shared/netif-naming-scheme.h ++++ b/src/shared/netif-naming-scheme.h +@@ -52,6 +52,7 @@ typedef enum NamingSchemeFlags { + NAMING_V251 = NAMING_V250 | NAMING_BRIDGE_MULTIFUNCTION_SLOT, + NAMING_V252 = NAMING_V251 | NAMING_DEVICETREE_ALIASES, + NAMING_RHEL_9_0 = NAMING_V250 | NAMING_BRIDGE_MULTIFUNCTION_SLOT, ++ NAMING_RHEL_9_1 = NAMING_RHEL_9_0, + + EXTRA_NET_NAMING_SCHEMES + diff --git a/SOURCES/0119-ci-lint-Update-Differential-ShellCheck-config-to-run.patch b/SOURCES/0119-ci-lint-Update-Differential-ShellCheck-config-to-run.patch new file mode 100644 index 0000000..7f67fea --- /dev/null +++ b/SOURCES/0119-ci-lint-Update-Differential-ShellCheck-config-to-run.patch @@ -0,0 +1,32 @@ +From 60f571cb17f4147b2794eed7c272dc34e08e397f Mon Sep 17 00:00:00 2001 +From: Jan Macku +Date: Tue, 16 Aug 2022 14:34:49 +0200 +Subject: [PATCH] ci(lint): Update Differential ShellCheck config to run on + Z-stream branches + +RHEL-only + +Related: #2138081 +--- + .github/workflows/differential-shellcheck.yml | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/.github/workflows/differential-shellcheck.yml b/.github/workflows/differential-shellcheck.yml +index 20ce681632..47ec23731d 100644 +--- a/.github/workflows/differential-shellcheck.yml ++++ b/.github/workflows/differential-shellcheck.yml +@@ -6,13 +6,13 @@ on: + pull_request: + branches: + - main ++ - rhel-9.*.0 + + permissions: + contents: read + + jobs: + lint: +- if: github.event.repository.name != 'systemd-security' + runs-on: ubuntu-latest + + permissions: diff --git a/SOURCES/0120-ci-mergify-Update-policy-Drop-LGTM-checks.patch b/SOURCES/0120-ci-mergify-Update-policy-Drop-LGTM-checks.patch new file mode 100644 index 0000000..66f45a8 --- /dev/null +++ b/SOURCES/0120-ci-mergify-Update-policy-Drop-LGTM-checks.patch @@ -0,0 +1,87 @@ +From a7be2c1e61d67f53f9eb90eb3937fa946ccef101 Mon Sep 17 00:00:00 2001 +From: Jan Macku +Date: Wed, 21 Sep 2022 15:36:26 +0200 +Subject: [PATCH] ci(mergify): Update policy - Drop LGTM checks + +rhel-only + +Related: #2138081 +--- + .github/workflows/differential-shellcheck.yml | 1 + + .mergify.yml | 34 +++++++------------ + 2 files changed, 13 insertions(+), 22 deletions(-) + +diff --git a/.github/workflows/differential-shellcheck.yml b/.github/workflows/differential-shellcheck.yml +index 47ec23731d..105f92d1c9 100644 +--- a/.github/workflows/differential-shellcheck.yml ++++ b/.github/workflows/differential-shellcheck.yml +@@ -13,6 +13,7 @@ permissions: + + jobs: + lint: ++ name: Differential ShellCheck + runs-on: ubuntu-latest + + permissions: +diff --git a/.mergify.yml b/.mergify.yml +index be25e52c76..ddc79a1d7a 100644 +--- a/.mergify.yml ++++ b/.mergify.yml +@@ -22,24 +22,19 @@ pull_request_rules: + # CentOS CI + - -check-success=CentOS CI (CentOS Stream 9) + - -check-success=CentOS CI (CentOS Stream 9 + sanitizers) +- # LGTM +- - and: +- - "-check-success=LGTM analysis: JavaScript" +- - "-check-neutral=LGTM analysis: JavaScript" +- - and: +- - "-check-success=LGTM analysis: Python" +- - "-check-neutral=LGTM analysis: Python" +- - and: +- - "-check-success=LGTM analysis: C/C++" +- - "-check-neutral=LGTM analysis: C/C++" ++ # CodeQL ++ - -check-success=CodeQL + # Packit + - -check-success=rpm-build:centos-stream-9-aarch64 + - -check-success=rpm-build:centos-stream-9-x86_64 ++ # Other ++ - -check-success=Lint Code Base ++ - -check-success=Differential ShellCheck + actions: + label: + add: + - needs-ci +- ++ + - name: Remove `needs-ci` label on CI success + conditions: + - or: +@@ -61,20 +56,15 @@ pull_request_rules: + # CentOS CI + - check-success=CentOS CI (CentOS Stream 9) + - check-success=CentOS CI (CentOS Stream 9 + sanitizers) +- # LGTM +- - or: +- - "check-success=LGTM analysis: JavaScript" +- - "check-neutral=LGTM analysis: JavaScript" +- - or: +- - "check-success=LGTM analysis: Python" +- - "check-neutral=LGTM analysis: Python" +- - or: +- - "check-success=LGTM analysis: C/C++" +- - "check-neutral=LGTM analysis: C/C++" ++ # CodeQL ++ - check-success=CodeQL + # Packit + - check-success=rpm-build:centos-stream-9-aarch64 + - check-success=rpm-build:centos-stream-9-x86_64 ++ # Other ++ - check-success=Lint Code Base ++ - check-success=Differential ShellCheck + actions: + label: + remove: +- - needs-ci ++ - needs-ci diff --git a/SOURCES/0121-test-sd-device-skip-misc-devices.patch b/SOURCES/0121-test-sd-device-skip-misc-devices.patch new file mode 100644 index 0000000..45fd4ce --- /dev/null +++ b/SOURCES/0121-test-sd-device-skip-misc-devices.patch @@ -0,0 +1,24 @@ +From c6b52050b8da6f5e7cdd2f057141af236288e78b Mon Sep 17 00:00:00 2001 +From: Jan Macku +Date: Mon, 31 Oct 2022 10:58:11 +0100 +Subject: [PATCH] test-sd-device: skip "misc" devices + +rhel-only + +Related: #2138081 +--- + src/libsystemd/sd-device/test-sd-device.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/libsystemd/sd-device/test-sd-device.c b/src/libsystemd/sd-device/test-sd-device.c +index 4ab8b3894a..a1bcf18059 100644 +--- a/src/libsystemd/sd-device/test-sd-device.c ++++ b/src/libsystemd/sd-device/test-sd-device.c +@@ -204,6 +204,7 @@ TEST(sd_device_enumerator_devices) { + /* On CentOS CI, systemd-networkd-tests.py may be running when this test is invoked. The networkd + * test creates and removes many network interfaces, and may interfere with this test. */ + assert_se(sd_device_enumerator_add_match_subsystem(e, "net", false) >= 0); ++ assert_se(sd_device_enumerator_add_match_subsystem(e, "misc", false) >= 0); + FOREACH_DEVICE(e, d) + test_sd_device_one(d); + } diff --git a/SOURCES/0122-test-skip-test_ntp-if-systemd-timesyncd-is-not-avail.patch b/SOURCES/0122-test-skip-test_ntp-if-systemd-timesyncd-is-not-avail.patch new file mode 100644 index 0000000..48646bd --- /dev/null +++ b/SOURCES/0122-test-skip-test_ntp-if-systemd-timesyncd-is-not-avail.patch @@ -0,0 +1,29 @@ +From 5488431dcbea41bec11f0b1ad0a3769489f68c39 Mon Sep 17 00:00:00 2001 +From: Frantisek Sumsal +Date: Wed, 23 Nov 2022 15:16:41 +0100 +Subject: [PATCH] test: skip test_ntp if systemd-timesyncd is not available + +We don't ship timesyncd on RHEL, so let's skip the test there. + +rhel-only +Related: #2138081 +--- + test/units/testsuite-45.sh | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/test/units/testsuite-45.sh b/test/units/testsuite-45.sh +index 24e888c587..7e757e4b00 100755 +--- a/test/units/testsuite-45.sh ++++ b/test/units/testsuite-45.sh +@@ -201,6 +201,11 @@ wait_mon() { + } + + test_ntp() { ++ if ! systemctl list-unit-files -q systemd-timesyncd.service; then ++ echo "systemd-timesyncd is not available, skipping the test..." ++ return 0 ++ fi ++ + # timesyncd has ConditionVirtualization=!container by default; drop/mock that for testing + if systemd-detect-virt --container --quiet; then + systemctl disable --quiet --now systemd-timesyncd diff --git a/SOURCES/0123-test-accept-EPERM-for-unavailable-idmapped-mounts-as.patch b/SOURCES/0123-test-accept-EPERM-for-unavailable-idmapped-mounts-as.patch new file mode 100644 index 0000000..2418174 --- /dev/null +++ b/SOURCES/0123-test-accept-EPERM-for-unavailable-idmapped-mounts-as.patch @@ -0,0 +1,26 @@ +From d2ccb0bf2b2078e13fc4cb1c2e2eb8079fa57df0 Mon Sep 17 00:00:00 2001 +From: Frantisek Sumsal +Date: Thu, 24 Nov 2022 15:19:59 +0100 +Subject: [PATCH] test: accept EPERM for unavailable idmapped mounts as well + +Follow-up for 3c54c67a7fc65dc5b49b2452739c19b94eeb98a9. + +rhel-only +Related: #2138081 +--- + test/units/testsuite-13.sh | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/test/units/testsuite-13.sh b/test/units/testsuite-13.sh +index 4ad7431e42..2b6e6df8a3 100755 +--- a/test/units/testsuite-13.sh ++++ b/test/units/testsuite-13.sh +@@ -74,7 +74,7 @@ function check_rootidmap { + --register=no -D "$_root" \ + --bind=/tmp/rootidmapdir:/mnt:rootidmap \ + /bin/sh -c "$_command" |& tee nspawn.out; then +- if grep -q "Failed to map ids for bind mount.*: Function not implemented" nspawn.out; then ++ if grep -Eq "Failed to map ids for bind mount.*: (Function not implemented|Operation not permitted)" nspawn.out; then + echo "idmapped mounts are not supported, skipping the test..." + return 0 + fi diff --git a/SOURCES/0124-test-don-t-test-buses-we-don-t-ship.patch b/SOURCES/0124-test-don-t-test-buses-we-don-t-ship.patch new file mode 100644 index 0000000..011e419 --- /dev/null +++ b/SOURCES/0124-test-don-t-test-buses-we-don-t-ship.patch @@ -0,0 +1,52 @@ +From a8a0c31123f7a8c1c317bb1a83548f15b02974d0 Mon Sep 17 00:00:00 2001 +From: Frantisek Sumsal +Date: Thu, 24 Nov 2022 15:23:12 +0100 +Subject: [PATCH] test: don't test buses we don't ship + +rhel-only +Related: #2138081 +--- + test/units/testsuite-21.sh | 18 ++---------------- + 1 file changed, 2 insertions(+), 16 deletions(-) + +diff --git a/test/units/testsuite-21.sh b/test/units/testsuite-21.sh +index d931e63167..e7d97ae06e 100755 +--- a/test/units/testsuite-21.sh ++++ b/test/units/testsuite-21.sh +@@ -27,13 +27,13 @@ systemctl log-level info + # TODO + # * check for possibly newly introduced buses? + BUS_LIST=( +- org.freedesktop.home1 ++# org.freedesktop.home1 + org.freedesktop.hostname1 + org.freedesktop.import1 + org.freedesktop.locale1 + org.freedesktop.login1 + org.freedesktop.machine1 +- org.freedesktop.portable1 ++# org.freedesktop.portable1 + org.freedesktop.resolve1 + org.freedesktop.systemd1 + org.freedesktop.timedate1 +@@ -46,20 +46,6 @@ if tail -n +1 /proc/pressure/{cpu,io,memory}; then + ) + fi + +-# Some services require specific conditions: +-# - systemd-timesyncd can't run in a container +-# - systemd-networkd can run in a container if it has CAP_NET_ADMIN capability +-if ! systemd-detect-virt --container; then +- BUS_LIST+=( +- org.freedesktop.network1 +- org.freedesktop.timesync1 +- ) +-elif busctl introspect org.freedesktop.network1 / &>/dev/null; then +- BUS_LIST+=( +- org.freedesktop.network1 +- ) +-fi +- + SESSION_BUS_LIST=( + org.freedesktop.systemd1 + ) diff --git a/SOURCES/0125-basic-add-fallback-in-chase_symlinks_and_opendir-for.patch b/SOURCES/0125-basic-add-fallback-in-chase_symlinks_and_opendir-for.patch new file mode 100644 index 0000000..f67e0f5 --- /dev/null +++ b/SOURCES/0125-basic-add-fallback-in-chase_symlinks_and_opendir-for.patch @@ -0,0 +1,43 @@ +From 47c0c5108b39d01283ba040c41d556b160d45a55 Mon Sep 17 00:00:00 2001 +From: Michal Sekletar +Date: Wed, 30 Nov 2022 18:01:01 +0100 +Subject: [PATCH] basic: add fallback in chase_symlinks_and_opendir() for cases + when /proc is not mounted + +rhel-only + +Related: #2138081 +--- + src/basic/chase-symlinks.c | 14 +++++++++++--- + 1 file changed, 11 insertions(+), 3 deletions(-) + +diff --git a/src/basic/chase-symlinks.c b/src/basic/chase-symlinks.c +index afab54f067..c09aab389e 100644 +--- a/src/basic/chase-symlinks.c ++++ b/src/basic/chase-symlinks.c +@@ -466,14 +466,22 @@ int chase_symlinks_and_opendir( + return 0; + } + +- r = chase_symlinks(path, root, chase_flags, ret_path ? &p : NULL, &path_fd); ++ r = chase_symlinks(path, root, chase_flags, &p, &path_fd); + if (r < 0) + return r; + assert(path_fd >= 0); + + d = opendir(FORMAT_PROC_FD_PATH(path_fd)); +- if (!d) +- return -errno; ++ if (!d) { ++ /* Hmm, we have the fd already but we got ENOENT, most likely /proc is not mounted. ++ * Let's try opendir() again on the full path. */ ++ if (errno == ENOENT) { ++ d = opendir(p); ++ if (!d) ++ return -errno; ++ } else ++ return -errno; ++ } + + if (ret_path) + *ret_path = TAKE_PTR(p); diff --git a/SOURCES/0126-test-check-if-we-can-use-SHA1-MD-for-signing-before-.patch b/SOURCES/0126-test-check-if-we-can-use-SHA1-MD-for-signing-before-.patch new file mode 100644 index 0000000..ba13b70 --- /dev/null +++ b/SOURCES/0126-test-check-if-we-can-use-SHA1-MD-for-signing-before-.patch @@ -0,0 +1,69 @@ +From 17cc25a2d7c2ebe75e18cf813d539e5997610e25 Mon Sep 17 00:00:00 2001 +From: Frantisek Sumsal +Date: Fri, 2 Dec 2022 12:48:26 +0100 +Subject: [PATCH] test: check if we can use SHA1 MD for signing before using it + +Some distributions have started phasing out SHA1, which breaks +the systemd-measure test case in its current form. Let's make sure we +can use SHA1 for signing beforehand to mitigate this. + +Spotted on RHEL 9, where SHA1 signatures are disallowed by [0]: +``` +openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "/tmp/pcrsign-private.pem" +... +openssl rsa -pubout -in "/tmp/pcrsign-private.pem" -out "/tmp/pcrsign-public.pem" +writing RSA key +/usr/lib/systemd/systemd-measure sign --current --bank=sha1 --private-key="/tmp/pcrsign-private.pem" --public-key="/tmp/pcrsign-public.pem" +Failed to initialize signature context. +``` + +[0] https://gitlab.com/redhat/centos-stream/rpms/openssl/-/blob/c9s/0049-Selectively-disallow-SHA1-signatures.patch + +(cherry picked from commit d19e5540f20c78caa949ff33050b4a530cae1982) + +Related: #2141979 +--- + test/units/testsuite-70.sh | 15 ++++++++++++--- + 1 file changed, 12 insertions(+), 3 deletions(-) + +diff --git a/test/units/testsuite-70.sh b/test/units/testsuite-70.sh +index b1cf7e83c4..89cd2a3f82 100755 +--- a/test/units/testsuite-70.sh ++++ b/test/units/testsuite-70.sh +@@ -102,8 +102,17 @@ if [ -e /usr/lib/systemd/systemd-measure ] && \ + openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "/tmp/pcrsign-private.pem" + openssl rsa -pubout -in "/tmp/pcrsign-private.pem" -out "/tmp/pcrsign-public.pem" + ++ MEASURE_BANKS=("--bank=sha256") ++ # Check if SHA1 signatures are supported ++ # ++ # Some distros have started phasing out SHA1, so make sure the SHA1 ++ # signatures are supported before trying to use them. ++ if echo hello | openssl dgst -sign /tmp/pcrsign-private.pem -sha1 >/dev/null; then ++ MEASURE_BANKS+=("--bank=sha1") ++ fi ++ + # Sign current PCR state with it +- /usr/lib/systemd/systemd-measure sign --current --bank=sha1 --bank=sha256 --private-key="/tmp/pcrsign-private.pem" --public-key="/tmp/pcrsign-public.pem" --phase=: | tee "/tmp/pcrsign.sig" ++ /usr/lib/systemd/systemd-measure sign --current "${MEASURE_BANKS[@]}" --private-key="/tmp/pcrsign-private.pem" --public-key="/tmp/pcrsign-public.pem" --phase=: | tee "/tmp/pcrsign.sig" + dd if=/dev/urandom of=/tmp/pcrtestdata bs=1024 count=64 + systemd-creds encrypt /tmp/pcrtestdata /tmp/pcrtestdata.encrypted --with-key=host+tpm2-with-public-key --tpm2-public-key="/tmp/pcrsign-public.pem" + systemd-creds decrypt /tmp/pcrtestdata.encrypted - --tpm2-signature="/tmp/pcrsign.sig" | cmp - /tmp/pcrtestdata +@@ -113,7 +122,7 @@ if [ -e /usr/lib/systemd/systemd-measure ] && \ + systemd-creds decrypt /tmp/pcrtestdata.encrypted - --tpm2-signature="/tmp/pcrsign.sig" > /dev/null && { echo 'unexpected success'; exit 1; } + + # Sign new PCR state, decrypting should work now. +- /usr/lib/systemd/systemd-measure sign --current --bank=sha1 --bank=sha256 --private-key="/tmp/pcrsign-private.pem" --public-key="/tmp/pcrsign-public.pem" --phase=: > "/tmp/pcrsign.sig2" ++ /usr/lib/systemd/systemd-measure sign --current "${MEASURE_BANKS[@]}" --private-key="/tmp/pcrsign-private.pem" --public-key="/tmp/pcrsign-public.pem" --phase=: > "/tmp/pcrsign.sig2" + systemd-creds decrypt /tmp/pcrtestdata.encrypted - --tpm2-signature="/tmp/pcrsign.sig2" | cmp - /tmp/pcrtestdata + + # Now, do the same, but with a cryptsetup binding +@@ -135,7 +144,7 @@ if [ -e /usr/lib/systemd/systemd-measure ] && \ + SYSTEMD_CRYPTSETUP_USE_TOKEN_MODULE=1 /usr/lib/systemd/systemd-cryptsetup attach test-volume2 $img - tpm2-device=auto,tpm2-signature="/tmp/pcrsign.sig2",headless=1 && { echo 'unexpected success'; exit 1; } + + # But once we sign the current PCRs, we should be able to unlock again +- /usr/lib/systemd/systemd-measure sign --current --bank=sha1 --bank=sha256 --private-key="/tmp/pcrsign-private.pem" --public-key="/tmp/pcrsign-public.pem" --phase=: > "/tmp/pcrsign.sig3" ++ /usr/lib/systemd/systemd-measure sign --current "${MEASURE_BANKS[@]}" --private-key="/tmp/pcrsign-private.pem" --public-key="/tmp/pcrsign-public.pem" --phase=: > "/tmp/pcrsign.sig3" + SYSTEMD_CRYPTSETUP_USE_TOKEN_MODULE=0 /usr/lib/systemd/systemd-cryptsetup attach test-volume2 $img - tpm2-device=auto,tpm2-signature="/tmp/pcrsign.sig3",headless=1 + /usr/lib/systemd/systemd-cryptsetup detach test-volume2 + SYSTEMD_CRYPTSETUP_USE_TOKEN_MODULE=1 /usr/lib/systemd/systemd-cryptsetup attach test-volume2 $img - tpm2-device=auto,tpm2-signature="/tmp/pcrsign.sig3",headless=1 diff --git a/SOURCES/0127-boot-cleanups-for-efivar_get-and-friends.patch b/SOURCES/0127-boot-cleanups-for-efivar_get-and-friends.patch new file mode 100644 index 0000000..e7145dd --- /dev/null +++ b/SOURCES/0127-boot-cleanups-for-efivar_get-and-friends.patch @@ -0,0 +1,188 @@ +From a83ec37232ca1ea817b3446b905f9e880223de21 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Tue, 6 Dec 2022 13:06:57 +0900 +Subject: [PATCH] boot: cleanups for efivar_get() and friends + +- rename function arguments for storing results, and support the case + that they are NULL, +- return earlier on error, +- always validate read size in efivar_get_uint32_le() and efivar_get_uint64_le(). + +(cherry picked from commit 9e406b1141da2d93b73428910f2504850631a3ee) + +Related: #2141979 +--- + src/boot/efi/util.c | 63 ++++++++++++++++++++++++--------------------- + src/boot/efi/util.h | 6 ++--- + 2 files changed, 37 insertions(+), 32 deletions(-) + +diff --git a/src/boot/efi/util.c b/src/boot/efi/util.c +index 57436dbf0c..3eba2ade07 100644 +--- a/src/boot/efi/util.c ++++ b/src/boot/efi/util.c +@@ -91,7 +91,7 @@ EFI_STATUS efivar_set_uint64_le(const EFI_GUID *vendor, const char16_t *name, ui + return efivar_set_raw(vendor, name, buf, sizeof(buf), flags); + } + +-EFI_STATUS efivar_get(const EFI_GUID *vendor, const char16_t *name, char16_t **value) { ++EFI_STATUS efivar_get(const EFI_GUID *vendor, const char16_t *name, char16_t **ret) { + _cleanup_free_ char16_t *buf = NULL; + EFI_STATUS err; + char16_t *val; +@@ -108,12 +108,12 @@ EFI_STATUS efivar_get(const EFI_GUID *vendor, const char16_t *name, char16_t **v + if ((size % sizeof(char16_t)) != 0) + return EFI_INVALID_PARAMETER; + +- if (!value) ++ if (!ret) + return EFI_SUCCESS; + + /* Return buffer directly if it happens to be NUL terminated already */ + if (size >= sizeof(char16_t) && buf[size / sizeof(char16_t) - 1] == 0) { +- *value = TAKE_PTR(buf); ++ *ret = TAKE_PTR(buf); + return EFI_SUCCESS; + } + +@@ -123,18 +123,17 @@ EFI_STATUS efivar_get(const EFI_GUID *vendor, const char16_t *name, char16_t **v + memcpy(val, buf, size); + val[size / sizeof(char16_t) - 1] = 0; /* NUL terminate */ + +- *value = val; ++ *ret = val; + return EFI_SUCCESS; + } + +-EFI_STATUS efivar_get_uint_string(const EFI_GUID *vendor, const char16_t *name, UINTN *i) { ++EFI_STATUS efivar_get_uint_string(const EFI_GUID *vendor, const char16_t *name, UINTN *ret) { + _cleanup_free_ char16_t *val = NULL; + EFI_STATUS err; + uint64_t u; + + assert(vendor); + assert(name); +- assert(i); + + err = efivar_get(vendor, name, &val); + if (err != EFI_SUCCESS) +@@ -143,7 +142,8 @@ EFI_STATUS efivar_get_uint_string(const EFI_GUID *vendor, const char16_t *name, + if (!parse_number16(val, &u, NULL) || u > UINTN_MAX) + return EFI_INVALID_PARAMETER; + +- *i = u; ++ if (ret) ++ *ret = u; + return EFI_SUCCESS; + } + +@@ -156,15 +156,17 @@ EFI_STATUS efivar_get_uint32_le(const EFI_GUID *vendor, const char16_t *name, ui + assert(name); + + err = efivar_get_raw(vendor, name, &buf, &size); +- if (err == EFI_SUCCESS && ret) { +- if (size != sizeof(uint32_t)) +- return EFI_BUFFER_TOO_SMALL; ++ if (err != EFI_SUCCESS) ++ return err; + ++ if (size != sizeof(uint32_t)) ++ return EFI_BUFFER_TOO_SMALL; ++ ++ if (ret) + *ret = (uint32_t) buf[0] << 0U | (uint32_t) buf[1] << 8U | (uint32_t) buf[2] << 16U | + (uint32_t) buf[3] << 24U; +- } + +- return err; ++ return EFI_SUCCESS; + } + + EFI_STATUS efivar_get_uint64_le(const EFI_GUID *vendor, const char16_t *name, uint64_t *ret) { +@@ -176,19 +178,21 @@ EFI_STATUS efivar_get_uint64_le(const EFI_GUID *vendor, const char16_t *name, ui + assert(name); + + err = efivar_get_raw(vendor, name, &buf, &size); +- if (err == EFI_SUCCESS && ret) { +- if (size != sizeof(uint64_t)) +- return EFI_BUFFER_TOO_SMALL; ++ if (err != EFI_SUCCESS) ++ return err; ++ ++ if (size != sizeof(uint64_t)) ++ return EFI_BUFFER_TOO_SMALL; + ++ if (ret) + *ret = (uint64_t) buf[0] << 0U | (uint64_t) buf[1] << 8U | (uint64_t) buf[2] << 16U | + (uint64_t) buf[3] << 24U | (uint64_t) buf[4] << 32U | (uint64_t) buf[5] << 40U | + (uint64_t) buf[6] << 48U | (uint64_t) buf[7] << 56U; +- } + +- return err; ++ return EFI_SUCCESS; + } + +-EFI_STATUS efivar_get_raw(const EFI_GUID *vendor, const char16_t *name, char **buffer, UINTN *size) { ++EFI_STATUS efivar_get_raw(const EFI_GUID *vendor, const char16_t *name, char **ret, UINTN *ret_size) { + _cleanup_free_ char *buf = NULL; + UINTN l; + EFI_STATUS err; +@@ -200,16 +204,15 @@ EFI_STATUS efivar_get_raw(const EFI_GUID *vendor, const char16_t *name, char **b + buf = xmalloc(l); + + err = RT->GetVariable((char16_t *) name, (EFI_GUID *) vendor, NULL, &l, buf); +- if (err == EFI_SUCCESS) { +- +- if (buffer) +- *buffer = TAKE_PTR(buf); ++ if (err != EFI_SUCCESS) ++ return err; + +- if (size) +- *size = l; +- } ++ if (ret) ++ *ret = TAKE_PTR(buf); ++ if (ret_size) ++ *ret_size = l; + +- return err; ++ return EFI_SUCCESS; + } + + EFI_STATUS efivar_get_boolean_u8(const EFI_GUID *vendor, const char16_t *name, bool *ret) { +@@ -219,13 +222,15 @@ EFI_STATUS efivar_get_boolean_u8(const EFI_GUID *vendor, const char16_t *name, b + + assert(vendor); + assert(name); +- assert(ret); + + err = efivar_get_raw(vendor, name, &b, &size); +- if (err == EFI_SUCCESS) ++ if (err != EFI_SUCCESS) ++ return err; ++ ++ if (ret) + *ret = *b > 0; + +- return err; ++ return EFI_SUCCESS; + } + + void efivar_set_time_usec(const EFI_GUID *vendor, const char16_t *name, uint64_t usec) { +diff --git a/src/boot/efi/util.h b/src/boot/efi/util.h +index b33c50f9fc..994cf52ad6 100644 +--- a/src/boot/efi/util.h ++++ b/src/boot/efi/util.h +@@ -105,9 +105,9 @@ EFI_STATUS efivar_set_uint32_le(const EFI_GUID *vendor, const char16_t *NAME, ui + EFI_STATUS efivar_set_uint64_le(const EFI_GUID *vendor, const char16_t *name, uint64_t value, uint32_t flags); + void efivar_set_time_usec(const EFI_GUID *vendor, const char16_t *name, uint64_t usec); + +-EFI_STATUS efivar_get(const EFI_GUID *vendor, const char16_t *name, char16_t **value); +-EFI_STATUS efivar_get_raw(const EFI_GUID *vendor, const char16_t *name, char **buffer, UINTN *size); +-EFI_STATUS efivar_get_uint_string(const EFI_GUID *vendor, const char16_t *name, UINTN *i); ++EFI_STATUS efivar_get(const EFI_GUID *vendor, const char16_t *name, char16_t **ret); ++EFI_STATUS efivar_get_raw(const EFI_GUID *vendor, const char16_t *name, char **ret, UINTN *ret_size); ++EFI_STATUS efivar_get_uint_string(const EFI_GUID *vendor, const char16_t *name, UINTN *ret); + EFI_STATUS efivar_get_uint32_le(const EFI_GUID *vendor, const char16_t *name, uint32_t *ret); + EFI_STATUS efivar_get_uint64_le(const EFI_GUID *vendor, const char16_t *name, uint64_t *ret); + EFI_STATUS efivar_get_boolean_u8(const EFI_GUID *vendor, const char16_t *name, bool *ret); diff --git a/SOURCES/0128-boot-fix-false-maybe-uninitialized-warning.patch b/SOURCES/0128-boot-fix-false-maybe-uninitialized-warning.patch new file mode 100644 index 0000000..79a9734 --- /dev/null +++ b/SOURCES/0128-boot-fix-false-maybe-uninitialized-warning.patch @@ -0,0 +1,64 @@ +From fdb8d8dee1821dc91c44b8f8195f959b9eae12ee Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Tue, 6 Dec 2022 12:57:43 +0900 +Subject: [PATCH] boot: fix false maybe-uninitialized warning + +Fixes #25641. + +(cherry picked from commit febe556191c739fb79a22cf742dd447c75e90446) + +Related: #2141979 +--- + src/boot/efi/boot.c | 4 ++-- + src/boot/efi/cpio.c | 2 +- + src/boot/efi/secure-boot.c | 2 +- + 3 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/src/boot/efi/boot.c b/src/boot/efi/boot.c +index b490a1d972..db6ca97df4 100644 +--- a/src/boot/efi/boot.c ++++ b/src/boot/efi/boot.c +@@ -1572,7 +1572,7 @@ static EFI_STATUS efivar_get_timeout(const char16_t *var, uint32_t *ret_value) { + + static void config_load_defaults(Config *config, EFI_FILE *root_dir) { + _cleanup_free_ char *content = NULL; +- UINTN value; ++ UINTN value = 0; /* avoid false maybe-uninitialized warning */ + EFI_STATUS err; + + assert(root_dir); +@@ -2258,7 +2258,7 @@ static void config_load_xbootldr( + EFI_HANDLE *device) { + + _cleanup_(file_closep) EFI_FILE *root_dir = NULL; +- EFI_HANDLE new_device; ++ EFI_HANDLE new_device = NULL; /* avoid false maybe-uninitialized warning */ + EFI_STATUS err; + + assert(config); +diff --git a/src/boot/efi/cpio.c b/src/boot/efi/cpio.c +index 648f9f000f..1dbfe5f380 100644 +--- a/src/boot/efi/cpio.c ++++ b/src/boot/efi/cpio.c +@@ -485,7 +485,7 @@ EFI_STATUS pack_cpio( + + for (UINTN i = 0; i < n_items; i++) { + _cleanup_free_ char *content = NULL; +- UINTN contentsize; ++ UINTN contentsize = 0; /* avoid false maybe-uninitialized warning */ + + err = file_read(extra_dir, items[i], 0, 0, &content, &contentsize); + if (err != EFI_SUCCESS) { +diff --git a/src/boot/efi/secure-boot.c b/src/boot/efi/secure-boot.c +index 65457bf423..6212868134 100644 +--- a/src/boot/efi/secure-boot.c ++++ b/src/boot/efi/secure-boot.c +@@ -6,7 +6,7 @@ + #include "util.h" + + bool secure_boot_enabled(void) { +- bool secure; ++ bool secure = false; /* avoid false maybe-uninitialized warning */ + EFI_STATUS err; + + err = efivar_get_boolean_u8(EFI_GLOBAL_GUID, L"SecureBoot", &secure); diff --git a/SOURCES/0129-tree-wide-modernizations-with-RET_NERRNO.patch b/SOURCES/0129-tree-wide-modernizations-with-RET_NERRNO.patch new file mode 100644 index 0000000..c906c4d --- /dev/null +++ b/SOURCES/0129-tree-wide-modernizations-with-RET_NERRNO.patch @@ -0,0 +1,115 @@ +From f0c8da5396c02e2a935e9e8de1e8c08956feb672 Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Tue, 22 Nov 2022 12:14:33 +0100 +Subject: [PATCH] tree-wide: modernizations with RET_NERRNO() + +(cherry picked from commit 108dfff2c7aebadb78e485ed564caf559367bf7c) + +Related: #2137584 +--- + src/shared/ask-password-api.c | 30 +++++++++++++----------------- + src/shared/barrier.c | 4 +--- + 2 files changed, 14 insertions(+), 20 deletions(-) + +diff --git a/src/shared/ask-password-api.c b/src/shared/ask-password-api.c +index 17474fe0be..871af2ec99 100644 +--- a/src/shared/ask-password-api.c ++++ b/src/shared/ask-password-api.c +@@ -230,8 +230,7 @@ int ask_password_plymouth( + if (notify < 0) + return -errno; + +- r = inotify_add_watch(notify, flag_file, IN_ATTRIB); /* for the link count */ +- if (r < 0) ++ if (inotify_add_watch(notify, flag_file, IN_ATTRIB) < 0) /* for the link count */ + return -errno; + } + +@@ -239,8 +238,7 @@ int ask_password_plymouth( + if (fd < 0) + return -errno; + +- r = connect(fd, &sa.sa, SOCKADDR_UN_LEN(sa.un)); +- if (r < 0) ++ if (connect(fd, &sa.sa, SOCKADDR_UN_LEN(sa.un)) < 0) + return -errno; + + if (FLAGS_SET(flags, ASK_PASSWORD_ACCEPT_CACHED)) { +@@ -464,10 +462,9 @@ int ask_password_tty( + new_termios.c_cc[VMIN] = 1; + new_termios.c_cc[VTIME] = 0; + +- if (tcsetattr(ttyfd, TCSADRAIN, &new_termios) < 0) { +- r = -errno; ++ r = RET_NERRNO(tcsetattr(ttyfd, TCSADRAIN, &new_termios)); ++ if (r < 0) + goto finish; +- } + + reset_tty = true; + } +@@ -491,11 +488,11 @@ int ask_password_tty( + else + timeout = USEC_INFINITY; + +- if (flag_file) +- if (access(flag_file, F_OK) < 0) { +- r = -errno; ++ if (flag_file) { ++ r = RET_NERRNO(access(flag_file, F_OK)); ++ if (r < 0) + goto finish; +- } ++ } + + r = ppoll_usec(pollfd, notify >= 0 ? 2 : 1, timeout); + if (r == -EINTR) +@@ -747,10 +744,10 @@ int ask_password_agent( + r = -errno; + goto finish; + } +- if (inotify_add_watch(notify, "/run/systemd/ask-password", IN_ATTRIB /* for mtime */) < 0) { +- r = -errno; ++ ++ r = RET_NERRNO(inotify_add_watch(notify, "/run/systemd/ask-password", IN_ATTRIB /* for mtime */)); ++ if (r < 0) + goto finish; +- } + } + + fd = mkostemp_safe(temp); +@@ -813,10 +810,9 @@ int ask_password_agent( + final[sizeof(final)-10] = 's'; + final[sizeof(final)-9] = 'k'; + +- if (rename(temp, final) < 0) { +- r = -errno; ++ r = RET_NERRNO(rename(temp, final)); ++ if (r < 0) + goto finish; +- } + + zero(pollfd); + pollfd[FD_SOCKET].fd = socket_fd; +diff --git a/src/shared/barrier.c b/src/shared/barrier.c +index cbe54a60cd..d76a61a5db 100644 +--- a/src/shared/barrier.c ++++ b/src/shared/barrier.c +@@ -92,7 +92,6 @@ + */ + int barrier_create(Barrier *b) { + _unused_ _cleanup_(barrier_destroyp) Barrier *staging = b; +- int r; + + assert(b); + +@@ -104,8 +103,7 @@ int barrier_create(Barrier *b) { + if (b->them < 0) + return -errno; + +- r = pipe2(b->pipe, O_CLOEXEC | O_NONBLOCK); +- if (r < 0) ++ if (pipe2(b->pipe, O_CLOEXEC | O_NONBLOCK) < 0) + return -errno; + + staging = NULL; diff --git a/SOURCES/0130-sd-bus-handle-EINTR-return-from-bus_poll.patch b/SOURCES/0130-sd-bus-handle-EINTR-return-from-bus_poll.patch new file mode 100644 index 0000000..de3a980 --- /dev/null +++ b/SOURCES/0130-sd-bus-handle-EINTR-return-from-bus_poll.patch @@ -0,0 +1,90 @@ +From d56013fb245dc2878ee91bbb937a91850050ada3 Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Mon, 21 Nov 2022 17:42:04 +0100 +Subject: [PATCH] sd-bus: handle -EINTR return from bus_poll() + +In sd_bus_wait(), let's convert EINTR to a return code of 0, thus asking +the caller do loop again and enter sd_bus_process() again (which will +not find any queued events). This way we'll not return an error on +something that isn't really an error. This should typically make sure +things are properly handled by the caller, magically, without eating up +the event entirely, and still giving the caller time to run some code if +they want. + +(cherry picked from commit 3022916b4d2483452c3ddbbac9ee7c4372b1cb46) + +Resolves: #2137584 +--- + src/libsystemd/sd-bus/bus-socket.c | 5 ++++- + src/libsystemd/sd-bus/sd-bus.c | 18 +++++++++++++++--- + 2 files changed, 19 insertions(+), 4 deletions(-) + +diff --git a/src/libsystemd/sd-bus/bus-socket.c b/src/libsystemd/sd-bus/bus-socket.c +index c94befef73..253f41c636 100644 +--- a/src/libsystemd/sd-bus/bus-socket.c ++++ b/src/libsystemd/sd-bus/bus-socket.c +@@ -1308,8 +1308,11 @@ int bus_socket_process_opening(sd_bus *b) { + assert(b->state == BUS_OPENING); + + events = fd_wait_for_event(b->output_fd, POLLOUT, 0); +- if (events < 0) ++ if (events < 0) { ++ if (ERRNO_IS_TRANSIENT(events)) ++ return 0; + return events; ++ } + if (!(events & (POLLOUT|POLLERR|POLLHUP))) + return 0; + +diff --git a/src/libsystemd/sd-bus/sd-bus.c b/src/libsystemd/sd-bus/sd-bus.c +index bc716afabf..c3a1bae295 100644 +--- a/src/libsystemd/sd-bus/sd-bus.c ++++ b/src/libsystemd/sd-bus/sd-bus.c +@@ -2465,8 +2465,11 @@ _public_ int sd_bus_call( + left = UINT64_MAX; + + r = bus_poll(bus, true, left); +- if (r < 0) ++ if (r < 0) { ++ if (ERRNO_IS_TRANSIENT(r)) ++ continue; + goto fail; ++ } + if (r == 0) { + r = -ETIMEDOUT; + goto fail; +@@ -3321,6 +3324,7 @@ static int bus_poll(sd_bus *bus, bool need_more, uint64_t timeout_usec) { + } + + _public_ int sd_bus_wait(sd_bus *bus, uint64_t timeout_usec) { ++ int r; + + assert_return(bus, -EINVAL); + assert_return(bus = bus_resolve(bus), -ENOPKG); +@@ -3335,7 +3339,11 @@ _public_ int sd_bus_wait(sd_bus *bus, uint64_t timeout_usec) { + if (bus->rqueue_size > 0) + return 0; + +- return bus_poll(bus, false, timeout_usec); ++ r = bus_poll(bus, false, timeout_usec); ++ if (r < 0 && ERRNO_IS_TRANSIENT(r)) ++ return 1; /* treat EINTR as success, but let's exit, so that the caller will call back into us soon. */ ++ ++ return r; + } + + _public_ int sd_bus_flush(sd_bus *bus) { +@@ -3377,8 +3385,12 @@ _public_ int sd_bus_flush(sd_bus *bus) { + return 0; + + r = bus_poll(bus, false, UINT64_MAX); +- if (r < 0) ++ if (r < 0) { ++ if (ERRNO_IS_TRANSIENT(r)) ++ continue; ++ + return r; ++ } + } + } + diff --git a/SOURCES/0131-stdio-bridge-don-t-be-bothered-with-EINTR.patch b/SOURCES/0131-stdio-bridge-don-t-be-bothered-with-EINTR.patch new file mode 100644 index 0000000..21680ca --- /dev/null +++ b/SOURCES/0131-stdio-bridge-don-t-be-bothered-with-EINTR.patch @@ -0,0 +1,32 @@ +From b277e35fdb56560110e8b96fb90042ff2e19a2c5 Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Tue, 22 Nov 2022 12:18:07 +0100 +Subject: [PATCH] stdio-bridge: don't be bothered with EINTR + +We handle signals via signal handlers, hence no need to be concerned +about EINTR. + +(cherry picked from commit 7c75f34131772781f690860de797d3e35fd0bed9) + +Related: #2137584 +--- + src/stdio-bridge/stdio-bridge.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/src/stdio-bridge/stdio-bridge.c b/src/stdio-bridge/stdio-bridge.c +index c851059a09..1b94374b4b 100644 +--- a/src/stdio-bridge/stdio-bridge.c ++++ b/src/stdio-bridge/stdio-bridge.c +@@ -242,8 +242,11 @@ static int run(int argc, char *argv[]) { + }; + + r = ppoll_usec(p, ELEMENTSOF(p), t); +- if (r < 0) ++ if (r < 0) { ++ if (ERRNO_IS_TRANSIENT(r)) /* don't be bothered by signals, i.e. EINTR */ ++ continue; + return log_error_errno(r, "ppoll() failed: %m"); ++ } + } + + return 0; diff --git a/SOURCES/0132-varlink-also-handle-EINTR-gracefully-when-waiting-fo.patch b/SOURCES/0132-varlink-also-handle-EINTR-gracefully-when-waiting-fo.patch new file mode 100644 index 0000000..ac1f3a9 --- /dev/null +++ b/SOURCES/0132-varlink-also-handle-EINTR-gracefully-when-waiting-fo.patch @@ -0,0 +1,50 @@ +From e95dd8e99188377bb6351fc0a4ceb4e790612044 Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Tue, 22 Nov 2022 12:42:46 +0100 +Subject: [PATCH] varlink: also handle EINTR gracefully when waiting for EIO + via ppoll() + +(cherry picked from commit 6976bf5cd614761eb4bd57d39e24f7eca1d6b863) + +Related: #2137584 +--- + src/shared/varlink.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +diff --git a/src/shared/varlink.c b/src/shared/varlink.c +index 4f7ac97689..4d2cfee491 100644 +--- a/src/shared/varlink.c ++++ b/src/shared/varlink.c +@@ -1025,7 +1025,7 @@ static void handle_revents(Varlink *v, int revents) { + if ((revents & (POLLOUT|POLLHUP)) == 0) + return; + +- varlink_log(v, "Anynchronous connection completed."); ++ varlink_log(v, "Asynchronous connection completed."); + v->connecting = false; + } else { + /* Note that we don't care much about POLLIN/POLLOUT here, we'll just try reading and writing +@@ -1075,6 +1075,9 @@ int varlink_wait(Varlink *v, usec_t timeout) { + return events; + + r = fd_wait_for_event(fd, events, t); ++ if (r < 0 && ERRNO_IS_TRANSIENT(r)) /* Treat EINTR as not a timeout, but also nothing happened, and ++ * the caller gets a chance to call back into us */ ++ return 1; + if (r <= 0) + return r; + +@@ -1161,8 +1164,12 @@ int varlink_flush(Varlink *v) { + } + + r = fd_wait_for_event(v->fd, POLLOUT, USEC_INFINITY); +- if (r < 0) ++ if (r < 0) { ++ if (ERRNO_IS_TRANSIENT(r)) ++ continue; ++ + return varlink_log_errno(v, r, "Poll failed on fd: %m"); ++ } + + assert(r != 0); + diff --git a/SOURCES/0133-sd-netlink-handle-EINTR-from-poll-gracefully-as-succ.patch b/SOURCES/0133-sd-netlink-handle-EINTR-from-poll-gracefully-as-succ.patch new file mode 100644 index 0000000..7a314f9 --- /dev/null +++ b/SOURCES/0133-sd-netlink-handle-EINTR-from-poll-gracefully-as-succ.patch @@ -0,0 +1,36 @@ +From cd822ff6ef904e3e25060e77556670784b0b1aea Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Tue, 22 Nov 2022 13:00:48 +0100 +Subject: [PATCH] sd-netlink: handle EINTR from poll() gracefully, as success + +(cherry picked from commit 69858785335afffc51bc03127beb53332c0fb983) + +Related: #2137584 +--- + src/libsystemd/sd-netlink/sd-netlink.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/src/libsystemd/sd-netlink/sd-netlink.c b/src/libsystemd/sd-netlink/sd-netlink.c +index feb751a848..b99abae640 100644 +--- a/src/libsystemd/sd-netlink/sd-netlink.c ++++ b/src/libsystemd/sd-netlink/sd-netlink.c +@@ -464,13 +464,18 @@ static int netlink_poll(sd_netlink *nl, bool need_more, usec_t timeout_usec) { + } + + int sd_netlink_wait(sd_netlink *nl, uint64_t timeout_usec) { ++ int r; ++ + assert_return(nl, -EINVAL); + assert_return(!netlink_pid_changed(nl), -ECHILD); + + if (nl->rqueue_size > 0) + return 0; + +- return netlink_poll(nl, false, timeout_usec); ++ r = netlink_poll(nl, false, timeout_usec); ++ if (r < 0 && ERRNO_IS_TRANSIENT(r)) /* Convert EINTR to "something happened" and give user a chance to run some code before calling back into us */ ++ return 1; ++ return r; + } + + static int timeout_compare(const void *a, const void *b) { diff --git a/SOURCES/0134-resolved-handle-EINTR-returned-from-fd_wait_for_even.patch b/SOURCES/0134-resolved-handle-EINTR-returned-from-fd_wait_for_even.patch new file mode 100644 index 0000000..f2da989 --- /dev/null +++ b/SOURCES/0134-resolved-handle-EINTR-returned-from-fd_wait_for_even.patch @@ -0,0 +1,79 @@ +From 471b70bca8f1a77b1d5402e190b00a61aa0d58b0 Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Tue, 22 Nov 2022 12:28:19 +0100 +Subject: [PATCH] resolved: handle -EINTR returned from fd_wait_for_event() + better + +We might get signals for various reasons (for example, somebody asking +us to reload caches via a signal), hence let's handle this gracefully. + +(cherry picked from commit 6d66a221685c15798e796d9738f73fdb1fdccdb2) + +Related: #2137584 +--- + src/resolve/resolved-manager.c | 20 ++++++++++++++++---- + 1 file changed, 16 insertions(+), 4 deletions(-) + +diff --git a/src/resolve/resolved-manager.c b/src/resolve/resolved-manager.c +index f62efa87aa..1c9048670b 100644 +--- a/src/resolve/resolved-manager.c ++++ b/src/resolve/resolved-manager.c +@@ -868,11 +868,14 @@ int manager_recv(Manager *m, int fd, DnsProtocol protocol, DnsPacket **ret) { + } + + static int sendmsg_loop(int fd, struct msghdr *mh, int flags) { ++ usec_t end; + int r; + + assert(fd >= 0); + assert(mh); + ++ end = usec_add(now(CLOCK_MONOTONIC), SEND_TIMEOUT_USEC); ++ + for (;;) { + if (sendmsg(fd, mh, flags) >= 0) + return 0; +@@ -881,20 +884,26 @@ static int sendmsg_loop(int fd, struct msghdr *mh, int flags) { + if (errno != EAGAIN) + return -errno; + +- r = fd_wait_for_event(fd, POLLOUT, SEND_TIMEOUT_USEC); +- if (r < 0) ++ r = fd_wait_for_event(fd, POLLOUT, LESS_BY(end, now(CLOCK_MONOTONIC))); ++ if (r < 0) { ++ if (ERRNO_IS_TRANSIENT(r)) ++ continue; + return r; ++ } + if (r == 0) + return -ETIMEDOUT; + } + } + + static int write_loop(int fd, void *message, size_t length) { ++ usec_t end; + int r; + + assert(fd >= 0); + assert(message); + ++ end = usec_add(now(CLOCK_MONOTONIC), SEND_TIMEOUT_USEC); ++ + for (;;) { + if (write(fd, message, length) >= 0) + return 0; +@@ -903,9 +912,12 @@ static int write_loop(int fd, void *message, size_t length) { + if (errno != EAGAIN) + return -errno; + +- r = fd_wait_for_event(fd, POLLOUT, SEND_TIMEOUT_USEC); +- if (r < 0) ++ r = fd_wait_for_event(fd, POLLOUT, LESS_BY(end, now(CLOCK_MONOTONIC))); ++ if (r < 0) { ++ if (ERRNO_IS_TRANSIENT(r)) ++ continue; + return r; ++ } + if (r == 0) + return -ETIMEDOUT; + } diff --git a/SOURCES/0135-homed-handle-EINTR-gracefully-when-waiting-for-devic.patch b/SOURCES/0135-homed-handle-EINTR-gracefully-when-waiting-for-devic.patch new file mode 100644 index 0000000..b9836b1 --- /dev/null +++ b/SOURCES/0135-homed-handle-EINTR-gracefully-when-waiting-for-devic.patch @@ -0,0 +1,31 @@ +From b546d82758e0149fd235d2ff8f9c4fdc8d0bd29c Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Tue, 22 Nov 2022 12:55:10 +0100 +Subject: [PATCH] homed: handle EINTR gracefully when waiting for device node + +(cherry picked from commit f3d9278f38f0a9e03ed29215f27d8ca21c1fa6a1) + +Related: #2137584 +--- + src/home/homework-luks.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/src/home/homework-luks.c b/src/home/homework-luks.c +index 97fb5a1051..5e1d5bbd65 100644 +--- a/src/home/homework-luks.c ++++ b/src/home/homework-luks.c +@@ -2017,9 +2017,12 @@ static int wait_for_devlink(const char *path) { + if (w >= until) + return log_error_errno(SYNTHETIC_ERRNO(ETIMEDOUT), "Device link %s still hasn't shown up, giving up.", path); + +- r = fd_wait_for_event(inotify_fd, POLLIN, usec_sub_unsigned(until, w)); +- if (r < 0) ++ r = fd_wait_for_event(inotify_fd, POLLIN, until - w); ++ if (r < 0) { ++ if (ERRNO_IS_TRANSIENT(r)) ++ continue; + return log_error_errno(r, "Failed to watch inotify: %m"); ++ } + + (void) flush_fd(inotify_fd); + } diff --git a/SOURCES/0136-utmp-wtmp-fix-error-in-case-isatty-fails.patch b/SOURCES/0136-utmp-wtmp-fix-error-in-case-isatty-fails.patch new file mode 100644 index 0000000..aa0162f --- /dev/null +++ b/SOURCES/0136-utmp-wtmp-fix-error-in-case-isatty-fails.patch @@ -0,0 +1,28 @@ +From 7c2898cac4e05e24b24743e5d7d738f437d1e6f8 Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Tue, 22 Nov 2022 12:56:38 +0100 +Subject: [PATCH] utmp-wtmp: fix error in case isatty() fails + +(cherry picked from commit 80b780ba178a84b248ecee47eef82358480c9492) + +Related: #2137584 +--- + src/shared/utmp-wtmp.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/src/shared/utmp-wtmp.c b/src/shared/utmp-wtmp.c +index d2c8473c60..20add0e81b 100644 +--- a/src/shared/utmp-wtmp.c ++++ b/src/shared/utmp-wtmp.c +@@ -292,8 +292,10 @@ static int write_to_terminal(const char *tty, const char *message) { + assert(message); + + fd = open(tty, O_WRONLY|O_NONBLOCK|O_NOCTTY|O_CLOEXEC); +- if (fd < 0 || !isatty(fd)) ++ if (fd < 0) + return -errno; ++ if (!isatty(fd)) ++ return -ENOTTY; + + p = message; + left = strlen(message); diff --git a/SOURCES/0137-utmp-wtmp-handle-EINTR-gracefully-when-waiting-to-wr.patch b/SOURCES/0137-utmp-wtmp-handle-EINTR-gracefully-when-waiting-to-wr.patch new file mode 100644 index 0000000..2747b09 --- /dev/null +++ b/SOURCES/0137-utmp-wtmp-handle-EINTR-gracefully-when-waiting-to-wr.patch @@ -0,0 +1,59 @@ +From 62686ccc4631b6a5f73722fd7f1dcaca8782431c Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Tue, 22 Nov 2022 12:56:55 +0100 +Subject: [PATCH] utmp-wtmp: handle EINTR gracefully when waiting to write to + tty + +(cherry picked from commit 22ecfa83123dbfa2322346ac4e25ad2193a3b10c) + +Related: #2137584 +--- + src/shared/utmp-wtmp.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +diff --git a/src/shared/utmp-wtmp.c b/src/shared/utmp-wtmp.c +index 20add0e81b..37a5bf7990 100644 +--- a/src/shared/utmp-wtmp.c ++++ b/src/shared/utmp-wtmp.c +@@ -12,6 +12,7 @@ + #include + + #include "alloc-util.h" ++#include "errno-util.h" + #include "fd-util.h" + #include "hostname-util.h" + #include "io-util.h" +@@ -300,7 +301,7 @@ static int write_to_terminal(const char *tty, const char *message) { + p = message; + left = strlen(message); + +- end = now(CLOCK_MONOTONIC) + TIMEOUT_USEC; ++ end = usec_add(now(CLOCK_MONOTONIC), TIMEOUT_USEC); + + while (left > 0) { + ssize_t n; +@@ -308,19 +309,21 @@ static int write_to_terminal(const char *tty, const char *message) { + int k; + + t = now(CLOCK_MONOTONIC); +- + if (t >= end) + return -ETIME; + + k = fd_wait_for_event(fd, POLLOUT, end - t); +- if (k < 0) ++ if (k < 0) { ++ if (ERRNO_IS_TRANSIENT(k)) ++ continue; + return k; ++ } + if (k == 0) + return -ETIME; + + n = write(fd, p, left); + if (n < 0) { +- if (errno == EAGAIN) ++ if (ERRNO_IS_TRANSIENT(errno)) + continue; + + return -errno; diff --git a/SOURCES/0138-io-util-document-EINTR-situation-a-bit.patch b/SOURCES/0138-io-util-document-EINTR-situation-a-bit.patch new file mode 100644 index 0000000..2b2db91 --- /dev/null +++ b/SOURCES/0138-io-util-document-EINTR-situation-a-bit.patch @@ -0,0 +1,48 @@ +From 3850d27f47a887a958ded828f6ce8de4e791037c Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Tue, 22 Nov 2022 15:23:34 +0100 +Subject: [PATCH] io-util: document EINTR situation a bit + +(cherry picked from commit ffbcc8d423671ad2fe827e4823a8032dc1f0a8b3) + +Related: #2137584 +--- + src/basic/io-util.c | 18 ++++++++++++++++++ + 1 file changed, 18 insertions(+) + +diff --git a/src/basic/io-util.c b/src/basic/io-util.c +index cdad939aa6..f642beca3a 100644 +--- a/src/basic/io-util.c ++++ b/src/basic/io-util.c +@@ -161,6 +161,21 @@ int ppoll_usec(struct pollfd *fds, size_t nfds, usec_t timeout) { + + assert(fds || nfds == 0); + ++ /* This is a wrapper around ppoll() that does primarily two things: ++ * ++ * ✅ Takes a usec_t instead of a struct timespec ++ * ++ * ✅ Guarantees that if an invalid fd is specified we return EBADF (i.e. converts POLLNVAL to ++ * EBADF). This is done because EBADF is a programming error usually, and hence should bubble up ++ * as error, and not be eaten up as non-error POLLNVAL event. ++ * ++ * ⚠️ ⚠️ ⚠️ Note that this function does not add any special handling for EINTR. Don't forget ++ * poll()/ppoll() will return with EINTR on any received signal always, there is no automatic ++ * restarting via SA_RESTART available. Thus, typically you want to handle EINTR not as an error, ++ * but just as reason to restart things, under the assumption you use a more appropriate mechanism ++ * to handle signals, such as signalfd() or signal handlers. ⚠️ ⚠️ ⚠️ ++ */ ++ + if (nfds == 0) + return 0; + +@@ -188,6 +203,9 @@ int fd_wait_for_event(int fd, int event, usec_t timeout) { + }; + int r; + ++ /* ⚠️ ⚠️ ⚠️ Keep in mind you almost certainly want to handle -EINTR gracefully in the caller, see ++ * ppoll_usec() above! ⚠️ ⚠️ ⚠️ */ ++ + r = ppoll_usec(&pollfd, 1, timeout); + if (r <= 0) + return r; diff --git a/SOURCES/0139-terminal-util-Set-OPOST-when-setting-ONLCR.patch b/SOURCES/0139-terminal-util-Set-OPOST-when-setting-ONLCR.patch new file mode 100644 index 0000000..5435222 --- /dev/null +++ b/SOURCES/0139-terminal-util-Set-OPOST-when-setting-ONLCR.patch @@ -0,0 +1,44 @@ +From c5e4b6b9b2a1dea35f58f3e1c3313bca76a90162 Mon Sep 17 00:00:00 2001 +From: Ray Strode +Date: Wed, 30 Nov 2022 14:07:29 -0500 +Subject: [PATCH] terminal-util: Set OPOST when setting ONLCR + +reset_terminal_fd sets certain minimum required terminal attributes +that systemd relies on. + +One of those attributes is `ONLCR` which ensures that when a new line +is sent to the terminal, that the cursor not only moves to the next +line, but also moves to the very beginning of that line. + +In order for `ONLCR` to work, the terminal needs to perform output +post-processing. That requires an additional attribute, `OPOST`, +which reset_terminal_fd currently fails to ensure is set. + +In most cases `OPOST` (and `ONLCR` actually) are both set anyway, so +it's not an issue, but it could be a problem if, e.g., the terminal was +put in raw mode by a program and the program unexpectedly died before +restoring settings. + +This commit ensures when `ONLCR` is set `OPOST` is set too, which is +the only thing that really makes sense to do. + +(cherry picked from commit 9fe26523a189435d75b9d745188e09c17928d89e) + +Related: #2138081 +--- + src/basic/terminal-util.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/basic/terminal-util.c b/src/basic/terminal-util.c +index 0c092597eb..a75234f354 100644 +--- a/src/basic/terminal-util.c ++++ b/src/basic/terminal-util.c +@@ -269,7 +269,7 @@ int reset_terminal_fd(int fd, bool switch_to_text) { + + termios.c_iflag &= ~(IGNBRK | BRKINT | ISTRIP | INLCR | IGNCR | IUCLC); + termios.c_iflag |= ICRNL | IMAXBEL | IUTF8; +- termios.c_oflag |= ONLCR; ++ termios.c_oflag |= ONLCR | OPOST; + termios.c_cflag |= CREAD; + termios.c_lflag = ISIG | ICANON | IEXTEN | ECHO | ECHOE | ECHOK | ECHOCTL | ECHOPRT | ECHOKE; + diff --git a/SOURCES/0140-cgtop-Do-not-rewrite-P-or-k-options.patch b/SOURCES/0140-cgtop-Do-not-rewrite-P-or-k-options.patch new file mode 100644 index 0000000..aad192e --- /dev/null +++ b/SOURCES/0140-cgtop-Do-not-rewrite-P-or-k-options.patch @@ -0,0 +1,67 @@ +From 1672b8dd340c4d4aa6398a08b15b36368ba442ec Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Michal=20Koutn=C3=BD?= +Date: Fri, 25 Nov 2022 17:50:27 +0100 +Subject: [PATCH] cgtop: Do not rewrite -P or -k options + +--recursive=no will overwrite possible -P or -k option hence making the +recursive disabling impossible. + +Check what counting types the system supports (encoded in the ordering +of our enum) of and pick whatever user requests but is also supported. + +Fixes: #25248 +(cherry picked from commit 48600b3524afe05d0faa8a5c88b5aaa53b801199) + +Related: #2138081 +--- + src/cgtop/cgtop.c | 16 ++++++++++------ + 1 file changed, 10 insertions(+), 6 deletions(-) + +diff --git a/src/cgtop/cgtop.c b/src/cgtop/cgtop.c +index 95c3987525..8a51a9371b 100644 +--- a/src/cgtop/cgtop.c ++++ b/src/cgtop/cgtop.c +@@ -55,6 +55,12 @@ typedef struct Group { + uint64_t io_input_bps, io_output_bps; + } Group; + ++typedef enum PidsCount { ++ COUNT_USERSPACE_PROCESSES, ++ COUNT_ALL_PROCESSES, ++ COUNT_PIDS, ++} PidsCount; ++ + static unsigned arg_depth = 3; + static unsigned arg_iterations = UINT_MAX; + static bool arg_batch = false; +@@ -65,11 +71,7 @@ static char* arg_root = NULL; + static bool arg_recursive = true; + static bool arg_recursive_unset = false; + +-static enum { +- COUNT_PIDS, +- COUNT_USERSPACE_PROCESSES, +- COUNT_ALL_PROCESSES, +-} arg_count = COUNT_PIDS; ++static PidsCount arg_count = COUNT_PIDS; + + static enum { + ORDER_PATH, +@@ -915,6 +917,7 @@ static int run(int argc, char *argv[]) { + usec_t last_refresh = 0; + bool quit = false, immediate_refresh = false; + _cleanup_free_ char *root = NULL; ++ PidsCount possible_count; + CGroupMask mask; + int r; + +@@ -928,7 +931,8 @@ static int run(int argc, char *argv[]) { + if (r < 0) + return log_error_errno(r, "Failed to determine supported controllers: %m"); + +- arg_count = (mask & CGROUP_MASK_PIDS) ? COUNT_PIDS : COUNT_USERSPACE_PROCESSES; ++ possible_count = (mask & CGROUP_MASK_PIDS) ? COUNT_PIDS : COUNT_ALL_PROCESSES; ++ arg_count = MIN(possible_count, arg_count); + + if (arg_recursive_unset && arg_count == COUNT_PIDS) + return log_error_errno(SYNTHETIC_ERRNO(EINVAL), diff --git a/SOURCES/0141-test-Add-tests-for-systemd-cgtop-args-parsing.patch b/SOURCES/0141-test-Add-tests-for-systemd-cgtop-args-parsing.patch new file mode 100644 index 0000000..9b40058 --- /dev/null +++ b/SOURCES/0141-test-Add-tests-for-systemd-cgtop-args-parsing.patch @@ -0,0 +1,33 @@ +From ba43ad7ae9db3e06debd9fd0b1653fc695322093 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Michal=20Koutn=C3=BD?= +Date: Fri, 25 Nov 2022 18:14:22 +0100 +Subject: [PATCH] test: Add tests for systemd-cgtop args parsing + +(cherry picked from commit d4e32838e875539ad6991b75b083c9563eddc3ed) + +Related: #2138081 +--- + test/units/testsuite-74.cgtop.sh | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/test/units/testsuite-74.cgtop.sh b/test/units/testsuite-74.cgtop.sh +index 8141ec1b1f..6f08362e7c 100755 +--- a/test/units/testsuite-74.cgtop.sh ++++ b/test/units/testsuite-74.cgtop.sh +@@ -15,8 +15,8 @@ systemd-cgtop --cpu=percentage + systemd-cgtop --cpu=time + systemd-cgtop -P + systemd-cgtop -k +-# FIXME: https://github.com/systemd/systemd/issues/25248 +-#systemd-cgtop --recursive=no ++systemd-cgtop --recursive=no -P ++systemd-cgtop --recursive=no -k + systemd-cgtop --depth=0 + systemd-cgtop --depth=100 + +@@ -29,4 +29,5 @@ systemd-cgtop -p -t -c -m -i + (! systemd-cgtop --order=foo) + (! systemd-cgtop --depth=-1) + (! systemd-cgtop --recursive=foo) ++(! systemd-cgtop --recursive=no) + (! systemd-cgtop --delay=1foo) diff --git a/SOURCES/0142-resolved-remove-inappropriate-assert.patch b/SOURCES/0142-resolved-remove-inappropriate-assert.patch new file mode 100644 index 0000000..fe78037 --- /dev/null +++ b/SOURCES/0142-resolved-remove-inappropriate-assert.patch @@ -0,0 +1,36 @@ +From 87b1eac151e5bbb9322d3213072dc2e5fba24f4e Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Thu, 24 Nov 2022 18:42:08 +0100 +Subject: [PATCH] resolved: remove inappropriate assert() + +A NULL Bitmap object is by all our code considered identical to an empty +bitmap. Hence let's remove the entirely unnecessary assert(). + +The assert() can be triggered if debug monitoring is used an an empty +NSEC or NSEC3 RR is included in an answer resolved returns. + +it's not really a security issue since enabling debug monitoring is a +manual step requiring root privileges, that is off by default. Moreover, +it's a "clean" assert(), i.e. the worst that happens is tha a coredump +is generated and resolved restarted. + +Fixes: #25449 +(cherry picked from commit fb896517aeecc2a8ec16586a34a0249606eb9f66) + +Related: #2138081 +--- + src/resolve/resolved-dns-rr.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/src/resolve/resolved-dns-rr.c b/src/resolve/resolved-dns-rr.c +index 8123ca1f98..d47cdbbd8e 100644 +--- a/src/resolve/resolved-dns-rr.c ++++ b/src/resolve/resolved-dns-rr.c +@@ -1865,7 +1865,6 @@ static int type_bitmap_to_json(Bitmap *b, JsonVariant **ret) { + unsigned t; + int r; + +- assert(b); + assert(ret); + + BITMAP_FOREACH(t, b) { diff --git a/SOURCES/0143-boot-Add-xstrn8_to_16.patch b/SOURCES/0143-boot-Add-xstrn8_to_16.patch new file mode 100644 index 0000000..4822e32 --- /dev/null +++ b/SOURCES/0143-boot-Add-xstrn8_to_16.patch @@ -0,0 +1,164 @@ +From c48d12fc0abb8f113ed386c47bf02451ea8f853d Mon Sep 17 00:00:00 2001 +From: Jan Janssen +Date: Tue, 22 Nov 2022 15:55:07 +0100 +Subject: [PATCH] boot: Add xstrn8_to_16 + +(cherry picked from commit 8ad7deffa95d33b5849ad6589dd52ab12e645edc) + +Related: #2138081 +--- + src/boot/efi/efi-string.c | 78 +++++++++++++++++++++++++++++++++- + src/boot/efi/efi-string.h | 5 +++ + src/boot/efi/test-efi-string.c | 27 ++++++++++++ + 3 files changed, 109 insertions(+), 1 deletion(-) + +diff --git a/src/boot/efi/efi-string.c b/src/boot/efi/efi-string.c +index b877c6f224..2ba15673c9 100644 +--- a/src/boot/efi/efi-string.c ++++ b/src/boot/efi/efi-string.c +@@ -9,7 +9,8 @@ + # include "util.h" + #else + # include +-# include "macro.h" ++# include "alloc-util.h" ++# define xnew(t, n) ASSERT_SE_PTR(new(t, n)) + # define xmalloc(n) ASSERT_SE_PTR(malloc(n)) + #endif + +@@ -138,6 +139,81 @@ DEFINE_STRCHR(char16_t, strchr16); + DEFINE_STRNDUP(char, xstrndup8, strnlen8); + DEFINE_STRNDUP(char16_t, xstrndup16, strnlen16); + ++static unsigned utf8_to_unichar(const char *utf8, size_t n, char32_t *c) { ++ char32_t unichar; ++ unsigned len; ++ ++ assert(utf8); ++ assert(c); ++ ++ if (!(utf8[0] & 0x80)) { ++ *c = utf8[0]; ++ return 1; ++ } else if ((utf8[0] & 0xe0) == 0xc0) { ++ len = 2; ++ unichar = utf8[0] & 0x1f; ++ } else if ((utf8[0] & 0xf0) == 0xe0) { ++ len = 3; ++ unichar = utf8[0] & 0x0f; ++ } else if ((utf8[0] & 0xf8) == 0xf0) { ++ len = 4; ++ unichar = utf8[0] & 0x07; ++ } else if ((utf8[0] & 0xfc) == 0xf8) { ++ len = 5; ++ unichar = utf8[0] & 0x03; ++ } else if ((utf8[0] & 0xfe) == 0xfc) { ++ len = 6; ++ unichar = utf8[0] & 0x01; ++ } else { ++ *c = UINT32_MAX; ++ return 1; ++ } ++ ++ if (len > n) { ++ *c = UINT32_MAX; ++ return len; ++ } ++ ++ for (unsigned i = 1; i < len; i++) { ++ if ((utf8[i] & 0xc0) != 0x80) { ++ *c = UINT32_MAX; ++ return len; ++ } ++ unichar <<= 6; ++ unichar |= utf8[i] & 0x3f; ++ } ++ ++ *c = unichar; ++ return len; ++} ++ ++/* Convert UTF-8 to UCS-2, skipping any invalid or short byte sequences. */ ++char16_t *xstrn8_to_16(const char *str8, size_t n) { ++ if (!str8 || n == 0) ++ return NULL; ++ ++ size_t i = 0; ++ char16_t *str16 = xnew(char16_t, n + 1); ++ ++ while (n > 0 && *str8 != '\0') { ++ char32_t unichar; ++ ++ size_t utf8len = utf8_to_unichar(str8, n, &unichar); ++ str8 += utf8len; ++ n = LESS_BY(n, utf8len); ++ ++ switch (unichar) { ++ case 0 ... 0xd7ffU: ++ case 0xe000U ... 0xffffU: ++ str16[i++] = unichar; ++ break; ++ } ++ } ++ ++ str16[i] = '\0'; ++ return str16; ++} ++ + static bool efi_fnmatch_prefix(const char16_t *p, const char16_t *h, const char16_t **ret_p, const char16_t **ret_h) { + assert(p); + assert(h); +diff --git a/src/boot/efi/efi-string.h b/src/boot/efi/efi-string.h +index 1ebd5fd6b7..9b2a9ad1c5 100644 +--- a/src/boot/efi/efi-string.h ++++ b/src/boot/efi/efi-string.h +@@ -99,6 +99,11 @@ static inline char16_t *xstrdup16(const char16_t *s) { + return xstrndup16(s, SIZE_MAX); + } + ++char16_t *xstrn8_to_16(const char *str8, size_t n); ++static inline char16_t *xstr8_to_16(const char *str8) { ++ return xstrn8_to_16(str8, strlen8(str8)); ++} ++ + bool efi_fnmatch(const char16_t *pattern, const char16_t *haystack); + + bool parse_number8(const char *s, uint64_t *ret_u, const char **ret_tail); +diff --git a/src/boot/efi/test-efi-string.c b/src/boot/efi/test-efi-string.c +index 2b2359fe5c..7b43e1d629 100644 +--- a/src/boot/efi/test-efi-string.c ++++ b/src/boot/efi/test-efi-string.c +@@ -324,6 +324,33 @@ TEST(xstrdup16) { + free(s); + } + ++TEST(xstrn8_to_16) { ++ char16_t *s = NULL; ++ ++ assert_se(xstrn8_to_16(NULL, 1) == NULL); ++ assert_se(xstrn8_to_16("a", 0) == NULL); ++ ++ assert_se(s = xstrn8_to_16("", 1)); ++ assert_se(streq16(s, u"")); ++ free(s); ++ ++ assert_se(s = xstrn8_to_16("1", 1)); ++ assert_se(streq16(s, u"1")); ++ free(s); ++ ++ assert_se(s = xstr8_to_16("abcxyzABCXYZ09 .,-_#*!\"§$%&/()=?`~")); ++ assert_se(streq16(s, u"abcxyzABCXYZ09 .,-_#*!\"§$%&/()=?`~")); ++ free(s); ++ ++ assert_se(s = xstr8_to_16("ÿⱿ𝇉 😺")); ++ assert_se(streq16(s, u"ÿⱿ ")); ++ free(s); ++ ++ assert_se(s = xstrn8_to_16("¶¶", 3)); ++ assert_se(streq16(s, u"¶")); ++ free(s); ++} ++ + #define TEST_FNMATCH_ONE(pattern, haystack, expect) \ + ({ \ + assert_se(fnmatch(pattern, haystack, 0) == (expect ? 0 : FNM_NOMATCH)); \ diff --git a/SOURCES/0144-boot-Use-xstr8_to_16.patch b/SOURCES/0144-boot-Use-xstr8_to_16.patch new file mode 100644 index 0000000..6eae3bb --- /dev/null +++ b/SOURCES/0144-boot-Use-xstr8_to_16.patch @@ -0,0 +1,214 @@ +From 2ccf2637e7b3caa147962976178bb347fa227946 Mon Sep 17 00:00:00 2001 +From: Jan Janssen +Date: Tue, 22 Nov 2022 16:03:03 +0100 +Subject: [PATCH] boot: Use xstr8_to_16 + +(cherry picked from commit aee515bbb58496272a6d975858aa26a355c4fb90) + +Related: #2138081 +--- + src/boot/efi/boot.c | 30 +++++++++++++++--------------- + src/boot/efi/linux.c | 2 +- + src/boot/efi/measure.c | 2 +- + src/boot/efi/util.c | 30 ------------------------------ + src/boot/efi/util.h | 1 - + 5 files changed, 17 insertions(+), 48 deletions(-) + +diff --git a/src/boot/efi/boot.c b/src/boot/efi/boot.c +index db6ca97df4..013df67e49 100644 +--- a/src/boot/efi/boot.c ++++ b/src/boot/efi/boot.c +@@ -1205,7 +1205,7 @@ static void config_defaults_load_from_file(Config *config, char *content) { + continue; + } + free(config->entry_default_config); +- config->entry_default_config = xstra_to_str(value); ++ config->entry_default_config = xstr8_to_16(value); + continue; + } + +@@ -1440,25 +1440,25 @@ static void config_entry_add_type1( + while ((line = line_get_key_value(content, " \t", &pos, &key, &value))) { + if (streq8(key, "title")) { + free(entry->title); +- entry->title = xstra_to_str(value); ++ entry->title = xstr8_to_16(value); + continue; + } + + if (streq8(key, "sort-key")) { + free(entry->sort_key); +- entry->sort_key = xstra_to_str(value); ++ entry->sort_key = xstr8_to_16(value); + continue; + } + + if (streq8(key, "version")) { + free(entry->version); +- entry->version = xstra_to_str(value); ++ entry->version = xstr8_to_16(value); + continue; + } + + if (streq8(key, "machine-id")) { + free(entry->machine_id); +- entry->machine_id = xstra_to_str(value); ++ entry->machine_id = xstr8_to_16(value); + continue; + } + +@@ -1511,7 +1511,7 @@ static void config_entry_add_type1( + if (streq8(key, "options")) { + _cleanup_free_ char16_t *new = NULL; + +- new = xstra_to_str(value); ++ new = xstr8_to_16(value); + if (entry->options) { + char16_t *s = xpool_print(L"%s %s", entry->options, new); + free(entry->options); +@@ -2157,49 +2157,49 @@ static void config_entry_add_unified( + while ((line = line_get_key_value(content, "=", &pos, &key, &value))) { + if (streq8(key, "PRETTY_NAME")) { + free(os_pretty_name); +- os_pretty_name = xstra_to_str(value); ++ os_pretty_name = xstr8_to_16(value); + continue; + } + + if (streq8(key, "IMAGE_ID")) { + free(os_image_id); +- os_image_id = xstra_to_str(value); ++ os_image_id = xstr8_to_16(value); + continue; + } + + if (streq8(key, "NAME")) { + free(os_name); +- os_name = xstra_to_str(value); ++ os_name = xstr8_to_16(value); + continue; + } + + if (streq8(key, "ID")) { + free(os_id); +- os_id = xstra_to_str(value); ++ os_id = xstr8_to_16(value); + continue; + } + + if (streq8(key, "IMAGE_VERSION")) { + free(os_image_version); +- os_image_version = xstra_to_str(value); ++ os_image_version = xstr8_to_16(value); + continue; + } + + if (streq8(key, "VERSION")) { + free(os_version); +- os_version = xstra_to_str(value); ++ os_version = xstr8_to_16(value); + continue; + } + + if (streq8(key, "VERSION_ID")) { + free(os_version_id); +- os_version_id = xstra_to_str(value); ++ os_version_id = xstr8_to_16(value); + continue; + } + + if (streq8(key, "BUILD_ID")) { + free(os_build_id); +- os_build_id = xstra_to_str(value); ++ os_build_id = xstr8_to_16(value); + continue; + } + } +@@ -2248,7 +2248,7 @@ static void config_entry_add_unified( + if (content[szs[SECTION_CMDLINE] - 1] == '\n') + content[szs[SECTION_CMDLINE] - 1] = '\0'; + +- entry->options = xstra_to_str(content); ++ entry->options = xstr8_to_16(content); + } + } + } +diff --git a/src/boot/efi/linux.c b/src/boot/efi/linux.c +index dd7eb48c8c..668510fca3 100644 +--- a/src/boot/efi/linux.c ++++ b/src/boot/efi/linux.c +@@ -133,7 +133,7 @@ EFI_STATUS linux_exec( + return log_error_status_stall(err, u"Error getting kernel loaded image protocol: %r", err); + + if (cmdline) { +- loaded_image->LoadOptions = xstra_to_str(cmdline); ++ loaded_image->LoadOptions = xstrn8_to_16(cmdline, cmdline_len); + loaded_image->LoadOptionsSize = strsize16(loaded_image->LoadOptions); + } + +diff --git a/src/boot/efi/measure.c b/src/boot/efi/measure.c +index 9a16920787..6da07d917e 100644 +--- a/src/boot/efi/measure.c ++++ b/src/boot/efi/measure.c +@@ -187,7 +187,7 @@ EFI_STATUS tpm_log_event_ascii(uint32_t pcrindex, EFI_PHYSICAL_ADDRESS buffer, U + _cleanup_free_ char16_t *c = NULL; + + if (description) +- c = xstra_to_str(description); ++ c = xstr8_to_16(description); + + return tpm_log_event(pcrindex, buffer, buffer_size, c, ret_measured); + } +diff --git a/src/boot/efi/util.c b/src/boot/efi/util.c +index 3eba2ade07..b727d6de7e 100644 +--- a/src/boot/efi/util.c ++++ b/src/boot/efi/util.c +@@ -303,36 +303,6 @@ static int utf8_to_16(const char *stra, char16_t *c) { + return len; + } + +-char16_t *xstra_to_str(const char *stra) { +- UINTN strlen; +- UINTN len; +- UINTN i; +- char16_t *str; +- +- assert(stra); +- +- len = strlen8(stra); +- str = xnew(char16_t, len + 1); +- +- strlen = 0; +- i = 0; +- while (i < len) { +- int utf8len; +- +- utf8len = utf8_to_16(stra + i, str + strlen); +- if (utf8len <= 0) { +- /* invalid utf8 sequence, skip the garbage */ +- i++; +- continue; +- } +- +- strlen++; +- i += utf8len; +- } +- str[strlen] = '\0'; +- return str; +-} +- + char16_t *xstra_to_path(const char *stra) { + char16_t *str; + UINTN strlen; +diff --git a/src/boot/efi/util.h b/src/boot/efi/util.h +index 994cf52ad6..d78feac39c 100644 +--- a/src/boot/efi/util.h ++++ b/src/boot/efi/util.h +@@ -113,7 +113,6 @@ EFI_STATUS efivar_get_uint64_le(const EFI_GUID *vendor, const char16_t *name, ui + EFI_STATUS efivar_get_boolean_u8(const EFI_GUID *vendor, const char16_t *name, bool *ret); + + char16_t *xstra_to_path(const char *stra); +-char16_t *xstra_to_str(const char *stra); + + EFI_STATUS file_read(EFI_FILE *dir, const char16_t *name, UINTN off, UINTN size, char **content, UINTN *content_size); + diff --git a/SOURCES/0145-boot-Use-xstr8_to_16-for-path-conversion.patch b/SOURCES/0145-boot-Use-xstr8_to_16-for-path-conversion.patch new file mode 100644 index 0000000..5e4c706 --- /dev/null +++ b/SOURCES/0145-boot-Use-xstr8_to_16-for-path-conversion.patch @@ -0,0 +1,218 @@ +From 57474bf255aafb683f4bb38e5bcb88cf48f07882 Mon Sep 17 00:00:00 2001 +From: Jan Janssen +Date: Tue, 22 Nov 2022 16:30:44 +0100 +Subject: [PATCH] boot: Use xstr8_to_16 for path conversion + +(cherry picked from commit 7444e10611671abac35be3ab9fe9697cd4c90d62) + +Related: #2138081 +--- + src/boot/efi/boot.c | 8 ++-- + src/boot/efi/cpio.c | 19 +-------- + src/boot/efi/util.c | 102 ++++++++------------------------------------ + src/boot/efi/util.h | 3 +- + 4 files changed, 24 insertions(+), 108 deletions(-) + +diff --git a/src/boot/efi/boot.c b/src/boot/efi/boot.c +index 013df67e49..581043df01 100644 +--- a/src/boot/efi/boot.c ++++ b/src/boot/efi/boot.c +@@ -1465,7 +1465,7 @@ static void config_entry_add_type1( + if (streq8(key, "linux")) { + free(entry->loader); + entry->type = LOADER_LINUX; +- entry->loader = xstra_to_path(value); ++ entry->loader = xstr8_to_path(value); + entry->key = 'l'; + continue; + } +@@ -1473,7 +1473,7 @@ static void config_entry_add_type1( + if (streq8(key, "efi")) { + entry->type = LOADER_EFI; + free(entry->loader); +- entry->loader = xstra_to_path(value); ++ entry->loader = xstr8_to_path(value); + + /* do not add an entry for ourselves */ + if (strcaseeq16(entry->loader, loaded_image_path)) { +@@ -1494,7 +1494,7 @@ static void config_entry_add_type1( + + if (streq8(key, "devicetree")) { + free(entry->devicetree); +- entry->devicetree = xstra_to_path(value); ++ entry->devicetree = xstr8_to_path(value); + continue; + } + +@@ -1503,7 +1503,7 @@ static void config_entry_add_type1( + entry->initrd, + n_initrd == 0 ? 0 : (n_initrd + 1) * sizeof(uint16_t *), + (n_initrd + 2) * sizeof(uint16_t *)); +- entry->initrd[n_initrd++] = xstra_to_path(value); ++ entry->initrd[n_initrd++] = xstr8_to_path(value); + entry->initrd[n_initrd] = NULL; + continue; + } +diff --git a/src/boot/efi/cpio.c b/src/boot/efi/cpio.c +index 1dbfe5f380..79b5d4327b 100644 +--- a/src/boot/efi/cpio.c ++++ b/src/boot/efi/cpio.c +@@ -359,24 +359,7 @@ static char16_t *get_dropin_dir(const EFI_DEVICE_PATH *file_path) { + if (device_path_to_str(file_path, &file_path_str) != EFI_SUCCESS) + return NULL; + +- for (char16_t *i = file_path_str, *fixed = i;; i++) { +- if (*i == '\0') { +- *fixed = '\0'; +- break; +- } +- +- /* Fix device path node separator. */ +- if (*i == '/') +- *i = '\\'; +- +- /* Double '\' is not allowed in EFI file paths. */ +- if (fixed != file_path_str && fixed[-1] == '\\' && *i == '\\') +- continue; +- +- *fixed = *i; +- fixed++; +- } +- ++ convert_efi_path(file_path_str); + return xpool_print(u"%s.extra.d", file_path_str); + } + +diff --git a/src/boot/efi/util.c b/src/boot/efi/util.c +index b727d6de7e..3268c511d0 100644 +--- a/src/boot/efi/util.c ++++ b/src/boot/efi/util.c +@@ -249,97 +249,29 @@ void efivar_set_time_usec(const EFI_GUID *vendor, const char16_t *name, uint64_t + efivar_set(vendor, name, str, 0); + } + +-static int utf8_to_16(const char *stra, char16_t *c) { +- char16_t unichar; +- UINTN len; +- +- assert(stra); +- assert(c); +- +- if (!(stra[0] & 0x80)) +- len = 1; +- else if ((stra[0] & 0xe0) == 0xc0) +- len = 2; +- else if ((stra[0] & 0xf0) == 0xe0) +- len = 3; +- else if ((stra[0] & 0xf8) == 0xf0) +- len = 4; +- else if ((stra[0] & 0xfc) == 0xf8) +- len = 5; +- else if ((stra[0] & 0xfe) == 0xfc) +- len = 6; +- else +- return -1; +- +- switch (len) { +- case 1: +- unichar = stra[0]; +- break; +- case 2: +- unichar = stra[0] & 0x1f; +- break; +- case 3: +- unichar = stra[0] & 0x0f; +- break; +- case 4: +- unichar = stra[0] & 0x07; +- break; +- case 5: +- unichar = stra[0] & 0x03; +- break; +- case 6: +- unichar = stra[0] & 0x01; +- break; +- } +- +- for (UINTN i = 1; i < len; i++) { +- if ((stra[i] & 0xc0) != 0x80) +- return -1; +- unichar <<= 6; +- unichar |= stra[i] & 0x3f; +- } +- +- *c = unichar; +- return len; +-} +- +-char16_t *xstra_to_path(const char *stra) { +- char16_t *str; +- UINTN strlen; +- UINTN len; +- UINTN i; +- +- assert(stra); ++void convert_efi_path(char16_t *path) { ++ assert(path); + +- len = strlen8(stra); +- str = xnew(char16_t, len + 2); ++ for (size_t i = 0, fixed = 0;; i++) { ++ /* Fix device path node separator. */ ++ path[fixed] = (path[i] == '/') ? '\\' : path[i]; + +- str[0] = '\\'; +- strlen = 1; +- i = 0; +- while (i < len) { +- int utf8len; +- +- utf8len = utf8_to_16(stra + i, str + strlen); +- if (utf8len <= 0) { +- /* invalid utf8 sequence, skip the garbage */ +- i++; ++ /* Double '\' is not allowed in EFI file paths. */ ++ if (fixed > 0 && path[fixed - 1] == '\\' && path[fixed] == '\\') + continue; +- } + +- if (str[strlen] == '/') +- str[strlen] = '\\'; +- if (str[strlen] == '\\' && str[strlen-1] == '\\') { +- /* skip double slashes */ +- i += utf8len; +- continue; +- } ++ if (path[i] == '\0') ++ break; + +- strlen++; +- i += utf8len; ++ fixed++; + } +- str[strlen] = '\0'; +- return str; ++} ++ ++char16_t *xstr8_to_path(const char *str8) { ++ assert(str8); ++ char16_t *path = xstr8_to_16(str8); ++ convert_efi_path(path); ++ return path; + } + + EFI_STATUS file_read(EFI_FILE *dir, const char16_t *name, UINTN off, UINTN size, char **ret, UINTN *ret_size) { +diff --git a/src/boot/efi/util.h b/src/boot/efi/util.h +index d78feac39c..e4ab8138c4 100644 +--- a/src/boot/efi/util.h ++++ b/src/boot/efi/util.h +@@ -112,7 +112,8 @@ EFI_STATUS efivar_get_uint32_le(const EFI_GUID *vendor, const char16_t *name, ui + EFI_STATUS efivar_get_uint64_le(const EFI_GUID *vendor, const char16_t *name, uint64_t *ret); + EFI_STATUS efivar_get_boolean_u8(const EFI_GUID *vendor, const char16_t *name, bool *ret); + +-char16_t *xstra_to_path(const char *stra); ++void convert_efi_path(char16_t *path); ++char16_t *xstr8_to_path(const char *stra); + + EFI_STATUS file_read(EFI_FILE *dir, const char16_t *name, UINTN off, UINTN size, char **content, UINTN *content_size); + diff --git a/SOURCES/0146-stub-Fix-cmdline-handling.patch b/SOURCES/0146-stub-Fix-cmdline-handling.patch new file mode 100644 index 0000000..c2d77e0 --- /dev/null +++ b/SOURCES/0146-stub-Fix-cmdline-handling.patch @@ -0,0 +1,284 @@ +From 9489991adc3313efff58837010e53db80aebdd1b Mon Sep 17 00:00:00 2001 +From: Jan Janssen +Date: Tue, 22 Nov 2022 17:42:38 +0100 +Subject: [PATCH] stub: Fix cmdline handling + +This fixes some bugs that could lead to garbage getting appended to the +command line passed to the kernel: + 1. The .cmdline section is not guaranteed to be NUL-terminated, but it + was used as if it was. + 2. The conversion of the command line to ASCII that was passed to the + stub ate the NUL at the end. + 3. LoadOptions is not guaranteed to be a NUL-terminated EFI string (it + really should be and generally always is, though). + +This also fixes the inconsistent mangling of the command line. If the +.cmdline section was used ASCII controls chars (new lines in particular) +would not be converted to spaces. + +As part of this commit, we optimize conversion for the generic code +instead of the (deprecated) EFI handover protocol. Previously we would +convert to ASCII/UTF-8 and then back to EFI string for the (now) default +generic code path. Instead we now convert to EFI string and mangle that +back to ASCII in the EFI handover protocol path. + +(cherry picked from commit 927ebebe588970fa2dd082a0daaef246229f009b) + +Related: #2138081 +--- + src/boot/efi/boot.c | 10 ++++------ + src/boot/efi/linux.c | 12 ++++++------ + src/boot/efi/linux.h | 17 +++++++++++------ + src/boot/efi/linux_x86.c | 21 ++++++++++++++------- + src/boot/efi/stub.c | 38 +++++++++++++++++--------------------- + src/boot/efi/util.c | 7 +++++++ + src/boot/efi/util.h | 1 + + 7 files changed, 60 insertions(+), 46 deletions(-) + +diff --git a/src/boot/efi/boot.c b/src/boot/efi/boot.c +index 581043df01..426bdc3cc2 100644 +--- a/src/boot/efi/boot.c ++++ b/src/boot/efi/boot.c +@@ -2242,13 +2242,11 @@ static void config_entry_add_unified( + content = mfree(content); + + /* read the embedded cmdline file */ +- err = file_read(linux_dir, f->FileName, offs[SECTION_CMDLINE], szs[SECTION_CMDLINE], &content, NULL); ++ size_t cmdline_len; ++ err = file_read(linux_dir, f->FileName, offs[SECTION_CMDLINE], szs[SECTION_CMDLINE], &content, &cmdline_len); + if (err == EFI_SUCCESS) { +- /* chomp the newline */ +- if (content[szs[SECTION_CMDLINE] - 1] == '\n') +- content[szs[SECTION_CMDLINE] - 1] = '\0'; +- +- entry->options = xstr8_to_16(content); ++ entry->options = xstrn8_to_16(content, cmdline_len); ++ mangle_stub_cmdline(entry->options); + } + } + } +diff --git a/src/boot/efi/linux.c b/src/boot/efi/linux.c +index 668510fca3..48801f9dd8 100644 +--- a/src/boot/efi/linux.c ++++ b/src/boot/efi/linux.c +@@ -93,15 +93,16 @@ static EFI_STATUS load_image(EFI_HANDLE parent, const void *source, size_t len, + + EFI_STATUS linux_exec( + EFI_HANDLE parent, +- const char *cmdline, UINTN cmdline_len, +- const void *linux_buffer, UINTN linux_length, +- const void *initrd_buffer, UINTN initrd_length) { ++ const char16_t *cmdline, ++ const void *linux_buffer, ++ size_t linux_length, ++ const void *initrd_buffer, ++ size_t initrd_length) { + + uint32_t compat_address; + EFI_STATUS err; + + assert(parent); +- assert(cmdline || cmdline_len == 0); + assert(linux_buffer && linux_length > 0); + assert(initrd_buffer || initrd_length == 0); + +@@ -113,7 +114,6 @@ EFI_STATUS linux_exec( + return linux_exec_efi_handover( + parent, + cmdline, +- cmdline_len, + linux_buffer, + linux_length, + initrd_buffer, +@@ -133,7 +133,7 @@ EFI_STATUS linux_exec( + return log_error_status_stall(err, u"Error getting kernel loaded image protocol: %r", err); + + if (cmdline) { +- loaded_image->LoadOptions = xstrn8_to_16(cmdline, cmdline_len); ++ loaded_image->LoadOptions = (void *) cmdline; + loaded_image->LoadOptionsSize = strsize16(loaded_image->LoadOptions); + } + +diff --git a/src/boot/efi/linux.h b/src/boot/efi/linux.h +index 19e5f5c4a8..f0a6a37ed1 100644 +--- a/src/boot/efi/linux.h ++++ b/src/boot/efi/linux.h +@@ -2,14 +2,19 @@ + #pragma once + + #include ++#include + + EFI_STATUS linux_exec( + EFI_HANDLE parent, +- const char *cmdline, UINTN cmdline_len, +- const void *linux_buffer, UINTN linux_length, +- const void *initrd_buffer, UINTN initrd_length); ++ const char16_t *cmdline, ++ const void *linux_buffer, ++ size_t linux_length, ++ const void *initrd_buffer, ++ size_t initrd_length); + EFI_STATUS linux_exec_efi_handover( + EFI_HANDLE parent, +- const char *cmdline, UINTN cmdline_len, +- const void *linux_buffer, UINTN linux_length, +- const void *initrd_buffer, UINTN initrd_length); ++ const char16_t *cmdline, ++ const void *linux_buffer, ++ size_t linux_length, ++ const void *initrd_buffer, ++ size_t initrd_length); +diff --git a/src/boot/efi/linux_x86.c b/src/boot/efi/linux_x86.c +index 64336ce348..6a5e431107 100644 +--- a/src/boot/efi/linux_x86.c ++++ b/src/boot/efi/linux_x86.c +@@ -126,12 +126,13 @@ static void linux_efi_handover(EFI_HANDLE parent, uintptr_t kernel, BootParams * + + EFI_STATUS linux_exec_efi_handover( + EFI_HANDLE parent, +- const char *cmdline, UINTN cmdline_len, +- const void *linux_buffer, UINTN linux_length, +- const void *initrd_buffer, UINTN initrd_length) { ++ const char16_t *cmdline, ++ const void *linux_buffer, ++ size_t linux_length, ++ const void *initrd_buffer, ++ size_t initrd_length) { + + assert(parent); +- assert(cmdline || cmdline_len == 0); + assert(linux_buffer); + assert(initrd_buffer || initrd_length == 0); + +@@ -185,14 +186,20 @@ EFI_STATUS linux_exec_efi_handover( + + _cleanup_pages_ Pages cmdline_pages = {}; + if (cmdline) { ++ size_t len = MIN(strlen16(cmdline), image_params->hdr.cmdline_size); ++ + cmdline_pages = xmalloc_pages( + can_4g ? AllocateAnyPages : AllocateMaxAddress, + EfiLoaderData, +- EFI_SIZE_TO_PAGES(cmdline_len + 1), ++ EFI_SIZE_TO_PAGES(len + 1), + CMDLINE_PTR_MAX); + +- memcpy(PHYSICAL_ADDRESS_TO_POINTER(cmdline_pages.addr), cmdline, cmdline_len); +- ((char *) PHYSICAL_ADDRESS_TO_POINTER(cmdline_pages.addr))[cmdline_len] = 0; ++ /* Convert cmdline to ASCII. */ ++ char *cmdline8 = PHYSICAL_ADDRESS_TO_POINTER(cmdline_pages.addr); ++ for (size_t i = 0; i < len; i++) ++ cmdline8[i] = cmdline[i] <= 0x7E ? cmdline[i] : ' '; ++ cmdline8[len] = '\0'; ++ + boot_params->hdr.cmd_line_ptr = (uint32_t) cmdline_pages.addr; + boot_params->ext_cmd_line_ptr = cmdline_pages.addr >> 32; + assert(can_4g || cmdline_pages.addr <= CMDLINE_PTR_MAX); +diff --git a/src/boot/efi/stub.c b/src/boot/efi/stub.c +index a842c5c679..841a0e41bd 100644 +--- a/src/boot/efi/stub.c ++++ b/src/boot/efi/stub.c +@@ -132,14 +132,13 @@ static void export_variables(EFI_LOADED_IMAGE_PROTOCOL *loaded_image) { + + EFI_STATUS efi_main(EFI_HANDLE image, EFI_SYSTEM_TABLE *sys_table) { + _cleanup_free_ void *credential_initrd = NULL, *global_credential_initrd = NULL, *sysext_initrd = NULL, *pcrsig_initrd = NULL, *pcrpkey_initrd = NULL; +- UINTN credential_initrd_size = 0, global_credential_initrd_size = 0, sysext_initrd_size = 0, pcrsig_initrd_size = 0, pcrpkey_initrd_size = 0; +- UINTN cmdline_len = 0, linux_size, initrd_size, dt_size; ++ size_t credential_initrd_size = 0, global_credential_initrd_size = 0, sysext_initrd_size = 0, pcrsig_initrd_size = 0, pcrpkey_initrd_size = 0; ++ size_t linux_size, initrd_size, dt_size; + EFI_PHYSICAL_ADDRESS linux_base, initrd_base, dt_base; + _cleanup_(devicetree_cleanup) struct devicetree_state dt_state = {}; + EFI_LOADED_IMAGE_PROTOCOL *loaded_image; +- UINTN addrs[_UNIFIED_SECTION_MAX] = {}, szs[_UNIFIED_SECTION_MAX] = {}; +- char *cmdline = NULL; +- _cleanup_free_ char *cmdline_owned = NULL; ++ size_t addrs[_UNIFIED_SECTION_MAX] = {}, szs[_UNIFIED_SECTION_MAX] = {}; ++ _cleanup_free_ char16_t *cmdline = NULL; + int sections_measured = -1, parameters_measured = -1; + bool sysext_measured = false, m; + EFI_STATUS err; +@@ -208,32 +207,29 @@ EFI_STATUS efi_main(EFI_HANDLE image, EFI_SYSTEM_TABLE *sys_table) { + /* Show splash screen as early as possible */ + graphics_splash((const uint8_t*) loaded_image->ImageBase + addrs[UNIFIED_SECTION_SPLASH], szs[UNIFIED_SECTION_SPLASH]); + +- if (szs[UNIFIED_SECTION_CMDLINE] > 0) { +- cmdline = (char *) loaded_image->ImageBase + addrs[UNIFIED_SECTION_CMDLINE]; +- cmdline_len = szs[UNIFIED_SECTION_CMDLINE]; +- } +- + /* if we are not in secure boot mode, or none was provided, accept a custom command line and replace + * the built-in one. We also do a superficial check whether first character of passed command line + * is printable character (for compat with some Dell systems which fill in garbage?). */ +- if ((!secure_boot_enabled() || cmdline_len == 0) && +- loaded_image->LoadOptionsSize > 0 && ++ if ((!secure_boot_enabled() || szs[UNIFIED_SECTION_CMDLINE] == 0) && ++ loaded_image->LoadOptionsSize > sizeof(char16_t) && + ((char16_t *) loaded_image->LoadOptions)[0] > 0x1F) { +- cmdline_len = (loaded_image->LoadOptionsSize / sizeof(char16_t)) * sizeof(char); +- cmdline = cmdline_owned = xnew(char, cmdline_len); +- +- for (UINTN i = 0; i < cmdline_len; i++) { +- char16_t c = ((char16_t *) loaded_image->LoadOptions)[i]; +- cmdline[i] = c > 0x1F && c < 0x7F ? c : ' '; /* convert non-printable and non_ASCII characters to spaces. */ +- } ++ /* Note that LoadOptions is a void*, so it could be anything! */ ++ cmdline = xstrndup16( ++ loaded_image->LoadOptions, loaded_image->LoadOptionsSize / sizeof(char16_t)); ++ mangle_stub_cmdline(cmdline); + + /* Let's measure the passed kernel command line into the TPM. Note that this possibly + * duplicates what we already did in the boot menu, if that was already used. However, since + * we want the boot menu to support an EFI binary, and want to this stub to be usable from + * any boot menu, let's measure things anyway. */ + m = false; +- (void) tpm_log_load_options(loaded_image->LoadOptions, &m); ++ (void) tpm_log_load_options(cmdline, &m); + parameters_measured = m; ++ } else if (szs[UNIFIED_SECTION_CMDLINE] > 0) { ++ cmdline = xstrn8_to_16( ++ (char *) loaded_image->ImageBase + addrs[UNIFIED_SECTION_CMDLINE], ++ szs[UNIFIED_SECTION_CMDLINE]); ++ mangle_stub_cmdline(cmdline); + } + + export_variables(loaded_image); +@@ -374,7 +370,7 @@ EFI_STATUS efi_main(EFI_HANDLE image, EFI_SYSTEM_TABLE *sys_table) { + log_error_stall(L"Error loading embedded devicetree: %r", err); + } + +- err = linux_exec(image, cmdline, cmdline_len, ++ err = linux_exec(image, cmdline, + PHYSICAL_ADDRESS_TO_POINTER(linux_base), linux_size, + PHYSICAL_ADDRESS_TO_POINTER(initrd_base), initrd_size); + graphics_mode(false); +diff --git a/src/boot/efi/util.c b/src/boot/efi/util.c +index 3268c511d0..1f07fbc38c 100644 +--- a/src/boot/efi/util.c ++++ b/src/boot/efi/util.c +@@ -274,6 +274,13 @@ char16_t *xstr8_to_path(const char *str8) { + return path; + } + ++void mangle_stub_cmdline(char16_t *cmdline) { ++ for (; *cmdline != '\0'; cmdline++) ++ /* Convert ASCII control characters to spaces. */ ++ if (*cmdline <= 0x1F) ++ *cmdline = ' '; ++} ++ + EFI_STATUS file_read(EFI_FILE *dir, const char16_t *name, UINTN off, UINTN size, char **ret, UINTN *ret_size) { + _cleanup_(file_closep) EFI_FILE *handle = NULL; + _cleanup_free_ char *buf = NULL; +diff --git a/src/boot/efi/util.h b/src/boot/efi/util.h +index e4ab8138c4..f58d24fce1 100644 +--- a/src/boot/efi/util.h ++++ b/src/boot/efi/util.h +@@ -114,6 +114,7 @@ EFI_STATUS efivar_get_boolean_u8(const EFI_GUID *vendor, const char16_t *name, b + + void convert_efi_path(char16_t *path); + char16_t *xstr8_to_path(const char *stra); ++void mangle_stub_cmdline(char16_t *cmdline); + + EFI_STATUS file_read(EFI_FILE *dir, const char16_t *name, UINTN off, UINTN size, char **content, UINTN *content_size); + diff --git a/SOURCES/0147-stub-Detect-empty-LoadOptions-when-run-from-EFI-shel.patch b/SOURCES/0147-stub-Detect-empty-LoadOptions-when-run-from-EFI-shel.patch new file mode 100644 index 0000000..f3cabf5 --- /dev/null +++ b/SOURCES/0147-stub-Detect-empty-LoadOptions-when-run-from-EFI-shel.patch @@ -0,0 +1,121 @@ +From c287f39f5df561968c4cb7712750e5ed23c02b29 Mon Sep 17 00:00:00 2001 +From: Jan Janssen +Date: Wed, 2 Nov 2022 10:25:32 +0100 +Subject: [PATCH] stub: Detect empty LoadOptions when run from EFI shell + +The EFI shell will pass the entire command line to the application it +starts, which includes the file path of the stub binary. This prevents +us from using the built-in cmdline if the command line is otherwise +empty. + +Fortunately, the EFI shell registers a protocol on any images it starts +this way. The protocol even lets us access the args individually, making +it easy to strip the stub path off. + +Fixes: #25201 +(cherry picked from commit b17f3b3d8077ab6827549a123ac636d655fe8d4d) + +Related: #2138081 +--- + src/boot/efi/missing_efi.h | 13 +++++++++ + src/boot/efi/stub.c | 59 +++++++++++++++++++++++++++++++------- + 2 files changed, 61 insertions(+), 11 deletions(-) + +diff --git a/src/boot/efi/missing_efi.h b/src/boot/efi/missing_efi.h +index f9169248ec..250c84c248 100644 +--- a/src/boot/efi/missing_efi.h ++++ b/src/boot/efi/missing_efi.h +@@ -385,3 +385,16 @@ typedef struct _EFI_CONSOLE_CONTROL_PROTOCOL { + { 0xd719b2cb, 0x3d3a, 0x4596, {0xa3, 0xbc, 0xda, 0xd0, 0xe, 0x67, 0x65, 0x6f }} + + #endif ++ ++#ifndef EFI_SHELL_PARAMETERS_PROTOCOL_GUID ++# define EFI_SHELL_PARAMETERS_PROTOCOL_GUID \ ++ { 0x752f3136, 0x4e16, 0x4fdc, { 0xa2, 0x2a, 0xe5, 0xf4, 0x68, 0x12, 0xf4, 0xca } } ++ ++typedef struct { ++ CHAR16 **Argv; ++ UINTN Argc; ++ void *StdIn; ++ void *StdOut; ++ void *StdErr; ++} EFI_SHELL_PARAMETERS_PROTOCOL; ++#endif +diff --git a/src/boot/efi/stub.c b/src/boot/efi/stub.c +index 841a0e41bd..7c42a16c70 100644 +--- a/src/boot/efi/stub.c ++++ b/src/boot/efi/stub.c +@@ -130,6 +130,53 @@ static void export_variables(EFI_LOADED_IMAGE_PROTOCOL *loaded_image) { + (void) efivar_set_uint64_le(LOADER_GUID, L"StubFeatures", stub_features, 0); + } + ++static bool use_load_options( ++ EFI_HANDLE stub_image, ++ EFI_LOADED_IMAGE_PROTOCOL *loaded_image, ++ bool have_cmdline, ++ char16_t **ret) { ++ ++ assert(stub_image); ++ assert(loaded_image); ++ assert(ret); ++ ++ /* We only allow custom command lines if we aren't in secure boot or if no cmdline was baked into ++ * the stub image. */ ++ if (secure_boot_enabled() && have_cmdline) ++ return false; ++ ++ /* We also do a superficial check whether first character of passed command line ++ * is printable character (for compat with some Dell systems which fill in garbage?). */ ++ if (loaded_image->LoadOptionsSize < sizeof(char16_t) || ((char16_t *) loaded_image->LoadOptions)[0] <= 0x1F) ++ return false; ++ ++ /* The UEFI shell registers EFI_SHELL_PARAMETERS_PROTOCOL onto images it runs. This lets us know that ++ * LoadOptions starts with the stub binary path which we want to strip off. */ ++ EFI_SHELL_PARAMETERS_PROTOCOL *shell; ++ if (BS->HandleProtocol(stub_image, &(EFI_GUID) EFI_SHELL_PARAMETERS_PROTOCOL_GUID, (void **) &shell) ++ != EFI_SUCCESS) { ++ /* Not running from EFI shell, use entire LoadOptions. Note that LoadOptions is a void*, so ++ * it could be anything! */ ++ *ret = xstrndup16(loaded_image->LoadOptions, loaded_image->LoadOptionsSize / sizeof(char16_t)); ++ mangle_stub_cmdline(*ret); ++ return true; ++ } ++ ++ if (shell->Argc < 2) ++ /* No arguments were provided? Then we fall back to built-in cmdline. */ ++ return false; ++ ++ /* Assemble the command line ourselves without our stub path. */ ++ *ret = xstrdup16(shell->Argv[1]); ++ for (size_t i = 2; i < shell->Argc; i++) { ++ _cleanup_free_ char16_t *old = *ret; ++ *ret = xpool_print(u"%s %s", old, shell->Argv[i]); ++ } ++ ++ mangle_stub_cmdline(*ret); ++ return true; ++} ++ + EFI_STATUS efi_main(EFI_HANDLE image, EFI_SYSTEM_TABLE *sys_table) { + _cleanup_free_ void *credential_initrd = NULL, *global_credential_initrd = NULL, *sysext_initrd = NULL, *pcrsig_initrd = NULL, *pcrpkey_initrd = NULL; + size_t credential_initrd_size = 0, global_credential_initrd_size = 0, sysext_initrd_size = 0, pcrsig_initrd_size = 0, pcrpkey_initrd_size = 0; +@@ -207,17 +254,7 @@ EFI_STATUS efi_main(EFI_HANDLE image, EFI_SYSTEM_TABLE *sys_table) { + /* Show splash screen as early as possible */ + graphics_splash((const uint8_t*) loaded_image->ImageBase + addrs[UNIFIED_SECTION_SPLASH], szs[UNIFIED_SECTION_SPLASH]); + +- /* if we are not in secure boot mode, or none was provided, accept a custom command line and replace +- * the built-in one. We also do a superficial check whether first character of passed command line +- * is printable character (for compat with some Dell systems which fill in garbage?). */ +- if ((!secure_boot_enabled() || szs[UNIFIED_SECTION_CMDLINE] == 0) && +- loaded_image->LoadOptionsSize > sizeof(char16_t) && +- ((char16_t *) loaded_image->LoadOptions)[0] > 0x1F) { +- /* Note that LoadOptions is a void*, so it could be anything! */ +- cmdline = xstrndup16( +- loaded_image->LoadOptions, loaded_image->LoadOptionsSize / sizeof(char16_t)); +- mangle_stub_cmdline(cmdline); +- ++ if (use_load_options(image, loaded_image, szs[UNIFIED_SECTION_CMDLINE] > 0, &cmdline)) { + /* Let's measure the passed kernel command line into the TPM. Note that this possibly + * duplicates what we already did in the boot menu, if that was already used. However, since + * we want the boot menu to support an EFI binary, and want to this stub to be usable from diff --git a/SOURCES/0148-boot-Use-EFI_BOOT_MANAGER_POLICY_PROTOCOL-to-connect.patch b/SOURCES/0148-boot-Use-EFI_BOOT_MANAGER_POLICY_PROTOCOL-to-connect.patch new file mode 100644 index 0000000..929f1db --- /dev/null +++ b/SOURCES/0148-boot-Use-EFI_BOOT_MANAGER_POLICY_PROTOCOL-to-connect.patch @@ -0,0 +1,75 @@ +From 071cef46b87b605f8b4918a95dcecae08b843e23 Mon Sep 17 00:00:00 2001 +From: Jan Janssen +Date: Sun, 27 Nov 2022 13:38:18 +0100 +Subject: [PATCH] boot: Use EFI_BOOT_MANAGER_POLICY_PROTOCOL to connect console + devices + +(cherry picked from commit b99bf5811850afdb2502ba37251c48348da63c82) + +Related: #2138081 +--- + src/boot/efi/console.c | 16 ++++++++++++++++ + src/boot/efi/missing_efi.h | 19 +++++++++++++++++++ + 2 files changed, 35 insertions(+) + +diff --git a/src/boot/efi/console.c b/src/boot/efi/console.c +index 14c0008afb..cd980fd535 100644 +--- a/src/boot/efi/console.c ++++ b/src/boot/efi/console.c +@@ -12,6 +12,20 @@ + #define VERTICAL_MAX_OK 1080 + #define VIEWPORT_RATIO 10 + ++static EFI_STATUS console_connect(void) { ++ EFI_BOOT_MANAGER_POLICY_PROTOCOL *boot_policy; ++ EFI_STATUS err; ++ ++ /* This should make console devices appear/fully initialize on fastboot firmware. */ ++ ++ err = BS->LocateProtocol( ++ &(EFI_GUID) EFI_BOOT_MANAGER_POLICY_PROTOCOL_GUID, NULL, (void **) &boot_policy); ++ if (err != EFI_SUCCESS) ++ return err; ++ ++ return boot_policy->ConnectDeviceClass(boot_policy, &(EFI_GUID) EFI_BOOT_MANAGER_POLICY_CONSOLE_GUID); ++} ++ + static inline void event_closep(EFI_EVENT *event) { + if (!*event) + return; +@@ -47,6 +61,8 @@ EFI_STATUS console_key_read(uint64_t *key, uint64_t timeout_usec) { + assert(key); + + if (!checked) { ++ console_connect(); ++ + /* Get the *first* TextInputEx device.*/ + err = BS->LocateProtocol(&SimpleTextInputExProtocol, NULL, (void **) &extraInEx); + if (err != EFI_SUCCESS || BS->CheckEvent(extraInEx->WaitForKeyEx) == EFI_INVALID_PARAMETER) +diff --git a/src/boot/efi/missing_efi.h b/src/boot/efi/missing_efi.h +index 250c84c248..b446e0399f 100644 +--- a/src/boot/efi/missing_efi.h ++++ b/src/boot/efi/missing_efi.h +@@ -398,3 +398,22 @@ typedef struct { + void *StdErr; + } EFI_SHELL_PARAMETERS_PROTOCOL; + #endif ++ ++#ifndef EFI_BOOT_MANAGER_POLICY_PROTOCOL_GUID ++#define EFI_BOOT_MANAGER_POLICY_PROTOCOL_GUID \ ++ { 0xFEDF8E0C, 0xE147, 0x11E3, { 0x99, 0x03, 0xB8, 0xE8, 0x56, 0x2C, 0xBA, 0xFA } } ++#define EFI_BOOT_MANAGER_POLICY_CONSOLE_GUID \ ++ { 0xCAB0E94C, 0xE15F, 0x11E3, { 0x91, 0x8D, 0xB8, 0xE8, 0x56, 0x2C, 0xBA, 0xFA } } ++ ++typedef struct EFI_BOOT_MANAGER_POLICY_PROTOCOL EFI_BOOT_MANAGER_POLICY_PROTOCOL; ++struct EFI_BOOT_MANAGER_POLICY_PROTOCOL { ++ UINT64 Revision; ++ EFI_STATUS (EFIAPI *ConnectDevicePath)( ++ EFI_BOOT_MANAGER_POLICY_PROTOCOL *This, ++ EFI_DEVICE_PATH *DevicePath, ++ BOOLEAN Recursive); ++ EFI_STATUS (EFIAPI *ConnectDeviceClass)( ++ EFI_BOOT_MANAGER_POLICY_PROTOCOL *This, ++ EFI_GUID *Class); ++}; ++#endif diff --git a/SOURCES/0149-boot-Make-sure-all-partitions-drivers-are-connected.patch b/SOURCES/0149-boot-Make-sure-all-partitions-drivers-are-connected.patch new file mode 100644 index 0000000..13fce87 --- /dev/null +++ b/SOURCES/0149-boot-Make-sure-all-partitions-drivers-are-connected.patch @@ -0,0 +1,27 @@ +From 57b58ec8a72f00a66b43e7975ed3825dc28b851f Mon Sep 17 00:00:00 2001 +From: Jan Janssen +Date: Sun, 27 Nov 2022 13:53:30 +0100 +Subject: [PATCH] boot: Make sure all partitions drivers are connected + +(cherry picked from commit 7f19be808c9cb9cabcaf1e48ccff875fa8191d3a) + +Related: #2138081 +--- + src/boot/efi/xbootldr.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/src/boot/efi/xbootldr.c b/src/boot/efi/xbootldr.c +index e5b9ca7268..7fef909312 100644 +--- a/src/boot/efi/xbootldr.c ++++ b/src/boot/efi/xbootldr.c +@@ -201,6 +201,10 @@ static EFI_STATUS find_device(EFI_HANDLE *device, EFI_DEVICE_PATH **ret_device_p + if (err != EFI_SUCCESS) + return err; + ++ /* The drivers for other partitions on this drive may not be initialized on fastboot firmware, so we ++ * have to ask the firmware to do just that. */ ++ (void) BS->ConnectController(disk_handle, NULL, NULL, true); ++ + err = BS->HandleProtocol(disk_handle, &BlockIoProtocol, (void **)&block_io); + if (err != EFI_SUCCESS) + return err; diff --git a/SOURCES/0150-boot-improve-support-for-qemu.patch b/SOURCES/0150-boot-improve-support-for-qemu.patch new file mode 100644 index 0000000..f586008 --- /dev/null +++ b/SOURCES/0150-boot-improve-support-for-qemu.patch @@ -0,0 +1,225 @@ +From e2065196eb434008cfcba7c889138f58f7d492d7 Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann +Date: Fri, 9 Sep 2022 13:12:04 +0200 +Subject: [PATCH] boot: improve support for qemu + +systemd-boot expects being loaded from ESP and is quite unhappy in case +the loaded image device path is something else. When running on qemu +this can easily happen though. Case one is direct kernel boot, i.e. +loading via 'qemu -kernel systemd-bootx64.efi'. Case two is sd-boot +being added to the ovmf firmware image and being loaded from there. + +This patch detects both cases and goes inspect all file systems known to +the firmware, trying to find the ESP. When present the +VMMBootOrderNNNN variables are used to inspect the file systems in the +given order. + +(cherry picked from commit 8fec4f95be7a323410f9853b6773c810ba6c7152) + +Related: #2138081 +--- + src/boot/efi/boot.c | 10 ++- + src/boot/efi/meson.build | 1 + + src/boot/efi/vmm.c | 130 +++++++++++++++++++++++++++++++++++++++ + src/boot/efi/vmm.h | 8 +++ + 4 files changed, 148 insertions(+), 1 deletion(-) + create mode 100644 src/boot/efi/vmm.c + create mode 100644 src/boot/efi/vmm.h + +diff --git a/src/boot/efi/boot.c b/src/boot/efi/boot.c +index 426bdc3cc2..e182ee7840 100644 +--- a/src/boot/efi/boot.c ++++ b/src/boot/efi/boot.c +@@ -16,6 +16,7 @@ + #include "linux.h" + #include "measure.h" + #include "pe.h" ++#include "vmm.h" + #include "random-seed.h" + #include "secure-boot.h" + #include "shim.h" +@@ -2639,6 +2640,13 @@ static void config_load_all_entries( + config_default_entry_select(config); + } + ++static EFI_STATUS discover_root_dir(EFI_LOADED_IMAGE_PROTOCOL *loaded_image, EFI_FILE **ret_dir) { ++ if (is_direct_boot(loaded_image->DeviceHandle)) ++ return vmm_open(&loaded_image->DeviceHandle, ret_dir); ++ else ++ return open_volume(loaded_image->DeviceHandle, ret_dir); ++} ++ + EFI_STATUS efi_main(EFI_HANDLE image, EFI_SYSTEM_TABLE *sys_table) { + EFI_LOADED_IMAGE_PROTOCOL *loaded_image; + _cleanup_(file_closep) EFI_FILE *root_dir = NULL; +@@ -2673,7 +2681,7 @@ EFI_STATUS efi_main(EFI_HANDLE image, EFI_SYSTEM_TABLE *sys_table) { + + export_variables(loaded_image, loaded_image_path, init_usec); + +- err = open_volume(loaded_image->DeviceHandle, &root_dir); ++ err = discover_root_dir(loaded_image, &root_dir); + if (err != EFI_SUCCESS) + return log_error_status_stall(err, L"Unable to open root directory: %r", err); + +diff --git a/src/boot/efi/meson.build b/src/boot/efi/meson.build +index 395386d3ed..0de43993a4 100644 +--- a/src/boot/efi/meson.build ++++ b/src/boot/efi/meson.build +@@ -389,6 +389,7 @@ systemd_boot_sources = files( + 'boot.c', + 'drivers.c', + 'random-seed.c', ++ 'vmm.c', + 'shim.c', + 'xbootldr.c', + ) +diff --git a/src/boot/efi/vmm.c b/src/boot/efi/vmm.c +new file mode 100644 +index 0000000000..b1bfd778fc +--- /dev/null ++++ b/src/boot/efi/vmm.c +@@ -0,0 +1,130 @@ ++/* SPDX-License-Identifier: LGPL-2.1-or-later */ ++ ++#include ++#include ++#include ++ ++#include "drivers.h" ++#include "efi-string.h" ++#include "string-util-fundamental.h" ++#include "util.h" ++ ++#define QEMU_KERNEL_LOADER_FS_MEDIA_GUID \ ++ { 0x1428f772, 0xb64a, 0x441e, {0xb8, 0xc3, 0x9e, 0xbd, 0xd7, 0xf8, 0x93, 0xc7 }} ++ ++#define VMM_BOOT_ORDER_GUID \ ++ { 0x668f4529, 0x63d0, 0x4bb5, {0xb6, 0x5d, 0x6f, 0xbb, 0x9d, 0x36, 0xa4, 0x4a }} ++ ++/* detect direct boot */ ++bool is_direct_boot(EFI_HANDLE device) { ++ EFI_STATUS err; ++ VENDOR_DEVICE_PATH *dp; ++ ++ err = BS->HandleProtocol(device, &DevicePathProtocol, (void **) &dp); ++ if (err != EFI_SUCCESS) ++ return false; ++ ++ /* 'qemu -kernel systemd-bootx64.efi' */ ++ if (dp->Header.Type == MEDIA_DEVICE_PATH && ++ dp->Header.SubType == MEDIA_VENDOR_DP && ++ memcmp(&dp->Guid, &(EFI_GUID)QEMU_KERNEL_LOADER_FS_MEDIA_GUID, sizeof(EFI_GUID)) == 0) ++ return true; ++ ++ /* loaded from firmware volume (sd-boot added to ovmf) */ ++ if (dp->Header.Type == MEDIA_DEVICE_PATH && ++ dp->Header.SubType == MEDIA_PIWG_FW_VOL_DP) ++ return true; ++ ++ return false; ++} ++ ++static bool device_path_startswith(const EFI_DEVICE_PATH *dp, const EFI_DEVICE_PATH *start) { ++ if (!start) ++ return true; ++ if (!dp) ++ return false; ++ for (;;) { ++ if (IsDevicePathEnd(start)) ++ return true; ++ if (IsDevicePathEnd(dp)) ++ return false; ++ size_t l1 = DevicePathNodeLength(start); ++ size_t l2 = DevicePathNodeLength(dp); ++ if (l1 != l2) ++ return false; ++ if (memcmp(dp, start, l1) != 0) ++ return false; ++ start = NextDevicePathNode(start); ++ dp = NextDevicePathNode(dp); ++ } ++} ++ ++/* ++ * Try find ESP when not loaded from ESP ++ * ++ * Inspect all filesystems known to the firmware, try find the ESP. In case VMMBootOrderNNNN variables are ++ * present they are used to inspect the filesystems in the specified order. When nothing was found or the ++ * variables are not present the function will do one final search pass over all filesystems. ++ * ++ * Recent OVMF builds store the qemu boot order (as specified using the bootindex property on the qemu ++ * command line) in VMMBootOrderNNNN. The variables contain a device path. ++ * ++ * Example qemu command line: ++ * qemu -virtio-scsi-pci,addr=14.0 -device scsi-cd,scsi-id=4,bootindex=1 ++ * ++ * Resulting variable: ++ * VMMBootOrder0000 = PciRoot(0x0)/Pci(0x14,0x0)/Scsi(0x4,0x0) ++ */ ++EFI_STATUS vmm_open(EFI_HANDLE *ret_vmm_dev, EFI_FILE **ret_vmm_dir) { ++ _cleanup_free_ EFI_HANDLE *handles = NULL; ++ size_t n_handles; ++ EFI_STATUS err, dp_err; ++ ++ assert(ret_vmm_dev); ++ assert(ret_vmm_dir); ++ ++ /* find all file system handles */ ++ err = BS->LocateHandleBuffer(ByProtocol, &FileSystemProtocol, NULL, &n_handles, &handles); ++ if (err != EFI_SUCCESS) ++ return err; ++ ++ for (size_t order = 0;; order++) { ++ _cleanup_free_ EFI_DEVICE_PATH *dp = NULL; ++ char16_t order_str[STRLEN("VMMBootOrder") + 4 + 1]; ++ ++ SPrint(order_str, sizeof(order_str), u"VMMBootOrder%04x", order); ++ dp_err = efivar_get_raw(&(EFI_GUID)VMM_BOOT_ORDER_GUID, order_str, (char**)&dp, NULL); ++ ++ for (size_t i = 0; i < n_handles; i++) { ++ _cleanup_(file_closep) EFI_FILE *root_dir = NULL, *efi_dir = NULL; ++ EFI_DEVICE_PATH *fs; ++ ++ err = BS->HandleProtocol(handles[i], &DevicePathProtocol, (void **) &fs); ++ if (err != EFI_SUCCESS) ++ return err; ++ ++ /* check against VMMBootOrderNNNN (if set) */ ++ if (dp_err == EFI_SUCCESS && !device_path_startswith(fs, dp)) ++ continue; ++ ++ err = open_volume(handles[i], &root_dir); ++ if (err != EFI_SUCCESS) ++ continue; ++ ++ /* simple ESP check */ ++ err = root_dir->Open(root_dir, &efi_dir, (char16_t*) u"\\EFI", ++ EFI_FILE_MODE_READ, ++ EFI_FILE_READ_ONLY | EFI_FILE_DIRECTORY); ++ if (err != EFI_SUCCESS) ++ continue; ++ ++ *ret_vmm_dev = handles[i]; ++ *ret_vmm_dir = TAKE_PTR(root_dir); ++ return EFI_SUCCESS; ++ } ++ ++ if (dp_err != EFI_SUCCESS) ++ return EFI_NOT_FOUND; ++ } ++ assert_not_reached(); ++} +diff --git a/src/boot/efi/vmm.h b/src/boot/efi/vmm.h +new file mode 100644 +index 0000000000..7bac1a324a +--- /dev/null ++++ b/src/boot/efi/vmm.h +@@ -0,0 +1,8 @@ ++/* SPDX-License-Identifier: LGPL-2.1-or-later */ ++#pragma once ++ ++#include ++#include ++ ++bool is_direct_boot(EFI_HANDLE device); ++EFI_STATUS vmm_open(EFI_HANDLE *ret_qemu_dev, EFI_FILE **ret_qemu_dir); diff --git a/SOURCES/0151-systemd-boot-man-page-add-section-for-virtual-machin.patch b/SOURCES/0151-systemd-boot-man-page-add-section-for-virtual-machin.patch new file mode 100644 index 0000000..7fac54a --- /dev/null +++ b/SOURCES/0151-systemd-boot-man-page-add-section-for-virtual-machin.patch @@ -0,0 +1,40 @@ +From 236e3846e8497f2f7e5c4dfcfc9ff2e922fd02a0 Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann +Date: Tue, 4 Oct 2022 15:01:39 +0200 +Subject: [PATCH] systemd-boot man page: add section for virtual machines + +(cherry picked from commit 941d418d19397bd20c570729877a5dfa37d762b2) + +Related: #2138081 +--- + man/systemd-boot.xml | 17 +++++++++++++++++ + 1 file changed, 17 insertions(+) + +diff --git a/man/systemd-boot.xml b/man/systemd-boot.xml +index 0eee532f90..57b66803fa 100644 +--- a/man/systemd-boot.xml ++++ b/man/systemd-boot.xml +@@ -525,6 +525,23 @@ + /etc/kernel/tries when a boot loader entry is first created. + + ++ ++ Using systemd-boot in virtual machines. ++ ++ When using qemu with OVMF (UEFI Firmware for virtual machines) the switch ++ works not only for linux kernels, but for any EFI binary, including sd-boot and unified linux ++ kernels. Example command line for loading sd-boot on x64: ++ ++ ++ qemu-system-x86_64 [ ... ] ++ -kernel /usr/lib/systemd/boot/efi/systemd-bootx64.efi ++ ++ ++ systemd-boot will detect that it was started directly instead of being loaded from ESP and will ++ search for the ESP in that case, taking into account boot order information from the hypervisor (if ++ available). ++ ++ + + See Also + diff --git a/SOURCES/0152-boot-Only-do-full-driver-initialization-in-VMs.patch b/SOURCES/0152-boot-Only-do-full-driver-initialization-in-VMs.patch new file mode 100644 index 0000000..096ae37 --- /dev/null +++ b/SOURCES/0152-boot-Only-do-full-driver-initialization-in-VMs.patch @@ -0,0 +1,51 @@ +From 7dec74695751b70a8a86eb647062e7d5a5157446 Mon Sep 17 00:00:00 2001 +From: Jan Janssen +Date: Sun, 27 Nov 2022 13:56:18 +0100 +Subject: [PATCH] boot: Only do full driver initialization in VMs + +Doing the reconnect dance on some real firmware creates huge delays on +boot. This should not be needed anymore as we now ask the firmware to +make console devices and xbootldr partitions available explicitly in a +more targeted fashion. + +Fixes: #25510 +(cherry picked from commit f6d59e2ebfc1bf50683a2e640aad501c372a50e4) + +Related: #2138081 +--- + src/boot/efi/boot.c | 6 ------ + src/boot/efi/vmm.c | 4 ++++ + 2 files changed, 4 insertions(+), 6 deletions(-) + +diff --git a/src/boot/efi/boot.c b/src/boot/efi/boot.c +index e182ee7840..5944451e6a 100644 +--- a/src/boot/efi/boot.c ++++ b/src/boot/efi/boot.c +@@ -2662,12 +2662,6 @@ EFI_STATUS efi_main(EFI_HANDLE image, EFI_SYSTEM_TABLE *sys_table) { + /* Uncomment the next line if you need to wait for debugger. */ + // debug_break(); + +- /* The firmware may skip initializing some devices for the sake of a faster boot. This is especially +- * true for fastboot enabled firmwares. But this means that things we use like input devices or the +- * xbootldr partition may not be available yet. Reconnect all drivers should hopefully make the +- * firmware initialize everything we need. */ +- (void) reconnect_all_drivers(); +- + err = BS->OpenProtocol(image, + &LoadedImageProtocol, + (void **)&loaded_image, +diff --git a/src/boot/efi/vmm.c b/src/boot/efi/vmm.c +index b1bfd778fc..2260b217b7 100644 +--- a/src/boot/efi/vmm.c ++++ b/src/boot/efi/vmm.c +@@ -83,6 +83,10 @@ EFI_STATUS vmm_open(EFI_HANDLE *ret_vmm_dev, EFI_FILE **ret_vmm_dir) { + assert(ret_vmm_dev); + assert(ret_vmm_dir); + ++ /* Make sure all file systems have been initialized. Only do this in VMs as this is slow ++ * on some real firmwares. */ ++ (void) reconnect_all_drivers(); ++ + /* find all file system handles */ + err = BS->LocateHandleBuffer(ByProtocol, &FileSystemProtocol, NULL, &n_handles, &handles); + if (err != EFI_SUCCESS) diff --git a/SOURCES/0153-dissect-rework-DISSECT_IMAGE_ADD_PARTITION_DEVICES-D.patch b/SOURCES/0153-dissect-rework-DISSECT_IMAGE_ADD_PARTITION_DEVICES-D.patch new file mode 100644 index 0000000..c7d02ec --- /dev/null +++ b/SOURCES/0153-dissect-rework-DISSECT_IMAGE_ADD_PARTITION_DEVICES-D.patch @@ -0,0 +1,303 @@ +From 4d081a18d324e2010b6c46d468f693b1186c4275 Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Wed, 30 Nov 2022 17:17:20 +0100 +Subject: [PATCH] dissect: rework DISSECT_IMAGE_ADD_PARTITION_DEVICES + + DISSECT_IMAGE_OPEN_PARTITION_DEVICES + +Curently, these two flags were implied by dissect_loop_device(), but +that's not right, because this means systemd-gpt-auto-generator will +dissect the root block device with these flags set and that's not +desirable: the generator should not cause the partition devices to be +created (we don't intend to use them right-away after all, but expect +udev to find/probe them first, and then mount them though .mount units). +And there's no point in opening the partition devices, since we do not +intend to mount them via fds either. + +Hence, rework this: instead of implying the flags, specify them +explicitly. + +While we are at it, let's also rename the flags to make them more +descriptive: + +DISSECT_IMAGE_MANAGE_PARTITION_DEVICES becomes +DISSECT_IMAGE_ADD_PARTITION_DEVICES, since that's really all this does: +add the partition devices via BLKPG. + +DISSECT_IMAGE_OPEN_PARTITION_DEVICES becomes +DISSECT_IMAGE_PIN_PARTITION_DEVICES, since we not only open the devices, +but keep the devices open continously (i.e. we "pin" them). + +Also, drop the DISSECT_IMAGE_BLOCK_DEVICE combination flag, since it is +misleading, i.e. it suggests it was appropriate to specify on all +dissected blocking devices, but that's precisely not the case, see the +systemd-gpt-auto-generator case. My guess is that the confusion around +this was actually the cause for this bug we are addressing here. + +Fixes: #25528 +(cherry picked from commit 73d88b806b92efa0738bb6bcccbf105441f6d8cb) + +Related: #2138081 +--- + src/core/namespace.c | 4 +++- + src/dissect/dissect.c | 4 +++- + src/gpt-auto-generator/gpt-auto-generator.c | 5 +++++ + src/nspawn/nspawn.c | 4 +++- + src/portable/portable.c | 4 +++- + src/shared/discover-image.c | 4 +++- + src/shared/dissect-image.c | 23 +++++++++++++-------- + src/shared/dissect-image.h | 6 ++---- + src/sysext/sysext.c | 4 +++- + src/test/test-loop-block.c | 6 +++--- + 10 files changed, 42 insertions(+), 22 deletions(-) + +diff --git a/src/core/namespace.c b/src/core/namespace.c +index 852be3bdde..96b05303eb 100644 +--- a/src/core/namespace.c ++++ b/src/core/namespace.c +@@ -2051,7 +2051,9 @@ int setup_namespace( + DISSECT_IMAGE_RELAX_VAR_CHECK | + DISSECT_IMAGE_FSCK | + DISSECT_IMAGE_USR_NO_ROOT | +- DISSECT_IMAGE_GROWFS; ++ DISSECT_IMAGE_GROWFS | ++ DISSECT_IMAGE_ADD_PARTITION_DEVICES | ++ DISSECT_IMAGE_PIN_PARTITION_DEVICES; + size_t n_mounts; + int r; + +diff --git a/src/dissect/dissect.c b/src/dissect/dissect.c +index c465115fc7..c1d731dc82 100644 +--- a/src/dissect/dissect.c ++++ b/src/dissect/dissect.c +@@ -60,7 +60,9 @@ static DissectImageFlags arg_flags = + DISSECT_IMAGE_RELAX_VAR_CHECK | + DISSECT_IMAGE_FSCK | + DISSECT_IMAGE_USR_NO_ROOT | +- DISSECT_IMAGE_GROWFS; ++ DISSECT_IMAGE_GROWFS | ++ DISSECT_IMAGE_PIN_PARTITION_DEVICES | ++ DISSECT_IMAGE_ADD_PARTITION_DEVICES; + static VeritySettings arg_verity_settings = VERITY_SETTINGS_DEFAULT; + static JsonFormatFlags arg_json_format_flags = JSON_FORMAT_OFF; + static PagerFlags arg_pager_flags = 0; +diff --git a/src/gpt-auto-generator/gpt-auto-generator.c b/src/gpt-auto-generator/gpt-auto-generator.c +index 0fb53bb9ea..143faa0c39 100644 +--- a/src/gpt-auto-generator/gpt-auto-generator.c ++++ b/src/gpt-auto-generator/gpt-auto-generator.c +@@ -665,6 +665,11 @@ static int enumerate_partitions(dev_t devnum) { + NULL, NULL, + DISSECT_IMAGE_GPT_ONLY| + DISSECT_IMAGE_USR_NO_ROOT, ++ /* NB! Unlike most other places where we dissect block devices we do not use ++ * DISSECT_IMAGE_ADD_PARTITION_DEVICES here: we want that the kernel finds the ++ * devices, and udev probes them before we mount them via .mount units much later ++ * on. And thus we also don't set DISSECT_IMAGE_PIN_PARTITION_DEVICES here, because ++ * we don't actually mount anything immediately. */ + &m); + if (r == -ENOPKG) { + log_debug_errno(r, "No suitable partition table found, ignoring."); +diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c +index 93d646ed56..57723aa3cf 100644 +--- a/src/nspawn/nspawn.c ++++ b/src/nspawn/nspawn.c +@@ -5657,7 +5657,9 @@ static int run(int argc, char *argv[]) { + DISSECT_IMAGE_GENERIC_ROOT | + DISSECT_IMAGE_REQUIRE_ROOT | + DISSECT_IMAGE_RELAX_VAR_CHECK | +- DISSECT_IMAGE_USR_NO_ROOT; ++ DISSECT_IMAGE_USR_NO_ROOT | ++ DISSECT_IMAGE_ADD_PARTITION_DEVICES | ++ DISSECT_IMAGE_PIN_PARTITION_DEVICES; + assert(arg_image); + assert(!arg_template); + +diff --git a/src/portable/portable.c b/src/portable/portable.c +index fbc4497014..570751f05b 100644 +--- a/src/portable/portable.c ++++ b/src/portable/portable.c +@@ -375,7 +375,9 @@ static int portable_extract_by_path( + DISSECT_IMAGE_REQUIRE_ROOT | + DISSECT_IMAGE_DISCARD_ON_LOOP | + DISSECT_IMAGE_RELAX_VAR_CHECK | +- DISSECT_IMAGE_USR_NO_ROOT, ++ DISSECT_IMAGE_USR_NO_ROOT | ++ DISSECT_IMAGE_ADD_PARTITION_DEVICES | ++ DISSECT_IMAGE_PIN_PARTITION_DEVICES, + &m); + if (r == -ENOPKG) + sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Couldn't identify a suitable partition table or file system in '%s'.", path); +diff --git a/src/shared/discover-image.c b/src/shared/discover-image.c +index fad95f7f43..5d740de266 100644 +--- a/src/shared/discover-image.c ++++ b/src/shared/discover-image.c +@@ -1203,7 +1203,9 @@ int image_read_metadata(Image *i) { + DISSECT_IMAGE_REQUIRE_ROOT | + DISSECT_IMAGE_RELAX_VAR_CHECK | + DISSECT_IMAGE_READ_ONLY | +- DISSECT_IMAGE_USR_NO_ROOT, ++ DISSECT_IMAGE_USR_NO_ROOT | ++ DISSECT_IMAGE_ADD_PARTITION_DEVICES | ++ DISSECT_IMAGE_PIN_PARTITION_DEVICES, + &m); + if (r < 0) + return r; +diff --git a/src/shared/dissect-image.c b/src/shared/dissect-image.c +index 7676636723..462ee4b3e8 100644 +--- a/src/shared/dissect-image.c ++++ b/src/shared/dissect-image.c +@@ -436,7 +436,7 @@ static int dissect_image( + const char *fstype = NULL, *options = NULL; + _cleanup_close_ int mount_node_fd = -1; + +- if (FLAGS_SET(flags, DISSECT_IMAGE_OPEN_PARTITION_DEVICES)) { ++ if (FLAGS_SET(flags, DISSECT_IMAGE_PIN_PARTITION_DEVICES)) { + mount_node_fd = open_partition(devname, /* is_partition = */ false, m->loop); + if (mount_node_fd < 0) + return mount_node_fd; +@@ -505,7 +505,7 @@ static int dissect_image( + if (verity && verity->data_path) + return -EBADR; + +- if (FLAGS_SET(flags, DISSECT_IMAGE_MANAGE_PARTITION_DEVICES)) { ++ if (FLAGS_SET(flags, DISSECT_IMAGE_ADD_PARTITION_DEVICES)) { + /* Safety check: refuse block devices that carry a partition table but for which the kernel doesn't + * do partition scanning. */ + r = blockdev_partscan_enabled(fd); +@@ -574,7 +574,7 @@ static int dissect_image( + * Kernel returns EBUSY if there's already a partition by that number or an overlapping + * partition already existent. */ + +- if (FLAGS_SET(flags, DISSECT_IMAGE_MANAGE_PARTITION_DEVICES)) { ++ if (FLAGS_SET(flags, DISSECT_IMAGE_ADD_PARTITION_DEVICES)) { + r = block_device_add_partition(fd, node, nr, (uint64_t) start * 512, (uint64_t) size * 512); + if (r < 0) { + if (r != -EBUSY) +@@ -871,7 +871,7 @@ static int dissect_image( + dissected_partition_done(m->partitions + designator); + } + +- if (FLAGS_SET(flags, DISSECT_IMAGE_OPEN_PARTITION_DEVICES)) { ++ if (FLAGS_SET(flags, DISSECT_IMAGE_PIN_PARTITION_DEVICES)) { + mount_node_fd = open_partition(node, /* is_partition = */ true, m->loop); + if (mount_node_fd < 0) + return mount_node_fd; +@@ -945,7 +945,7 @@ static int dissect_image( + if (m->partitions[PARTITION_XBOOTLDR].found) + continue; + +- if (FLAGS_SET(flags, DISSECT_IMAGE_OPEN_PARTITION_DEVICES)) { ++ if (FLAGS_SET(flags, DISSECT_IMAGE_PIN_PARTITION_DEVICES)) { + mount_node_fd = open_partition(node, /* is_partition = */ true, m->loop); + if (mount_node_fd < 0) + return mount_node_fd; +@@ -1127,7 +1127,7 @@ static int dissect_image( + _cleanup_free_ char *o = NULL; + const char *options; + +- if (FLAGS_SET(flags, DISSECT_IMAGE_OPEN_PARTITION_DEVICES)) { ++ if (FLAGS_SET(flags, DISSECT_IMAGE_PIN_PARTITION_DEVICES)) { + mount_node_fd = open_partition(generic_node, /* is_partition = */ true, m->loop); + if (mount_node_fd < 0) + return mount_node_fd; +@@ -1232,7 +1232,6 @@ int dissect_image_file( + int r; + + assert(path); +- assert((flags & DISSECT_IMAGE_BLOCK_DEVICE) == 0); + assert(ret); + + fd = open(path, O_RDONLY|O_CLOEXEC|O_NONBLOCK|O_NOCTTY); +@@ -3036,7 +3035,7 @@ int dissect_loop_device( + + m->loop = loop_device_ref(loop); + +- r = dissect_image(m, loop->fd, loop->node, verity, mount_options, flags | DISSECT_IMAGE_BLOCK_DEVICE); ++ r = dissect_image(m, loop->fd, loop->node, verity, mount_options, flags); + if (r < 0) + return r; + +@@ -3199,6 +3198,10 @@ int mount_image_privately_interactively( + assert(ret_directory); + assert(ret_loop_device); + ++ /* We intend to mount this right-away, hence add the partitions if needed and pin them*/ ++ flags |= DISSECT_IMAGE_ADD_PARTITION_DEVICES | ++ DISSECT_IMAGE_PIN_PARTITION_DEVICES; ++ + r = verity_settings_load(&verity, image, NULL, NULL); + if (r < 0) + return log_error_errno(r, "Failed to load root hash data: %m"); +@@ -3321,7 +3324,9 @@ int verity_dissect_and_mount( + return log_debug_errno(r, "Failed to load root hash: %m"); + + dissect_image_flags = (verity.data_path ? DISSECT_IMAGE_NO_PARTITION_TABLE : 0) | +- (relax_extension_release_check ? DISSECT_IMAGE_RELAX_SYSEXT_CHECK : 0); ++ (relax_extension_release_check ? DISSECT_IMAGE_RELAX_SYSEXT_CHECK : 0) | ++ DISSECT_IMAGE_ADD_PARTITION_DEVICES | ++ DISSECT_IMAGE_PIN_PARTITION_DEVICES; + + /* Note that we don't use loop_device_make here, as the FD is most likely O_PATH which would not be + * accepted by LOOP_CONFIGURE, so just let loop_device_make_by_path reopen it as a regular FD. */ +diff --git a/src/shared/dissect-image.h b/src/shared/dissect-image.h +index f2278c4dfa..631d4c7a04 100644 +--- a/src/shared/dissect-image.h ++++ b/src/shared/dissect-image.h +@@ -214,10 +214,8 @@ typedef enum DissectImageFlags { + DISSECT_IMAGE_MOUNT_READ_ONLY, + DISSECT_IMAGE_GROWFS = 1 << 18, /* Grow file systems in partitions marked for that to the size of the partitions after mount */ + DISSECT_IMAGE_MOUNT_IDMAPPED = 1 << 19, /* Mount mounts with kernel 5.12-style userns ID mapping, if file system type doesn't support uid=/gid= */ +- DISSECT_IMAGE_MANAGE_PARTITION_DEVICES = 1 << 20, /* Manage partition devices, e.g. probe each partition in more detail */ +- DISSECT_IMAGE_OPEN_PARTITION_DEVICES = 1 << 21, /* Open dissected partitions and decrypted partitions */ +- DISSECT_IMAGE_BLOCK_DEVICE = DISSECT_IMAGE_MANAGE_PARTITION_DEVICES | +- DISSECT_IMAGE_OPEN_PARTITION_DEVICES, ++ DISSECT_IMAGE_ADD_PARTITION_DEVICES = 1 << 20, /* Create partition devices via BLKPG_ADD_PARTITION */ ++ DISSECT_IMAGE_PIN_PARTITION_DEVICES = 1 << 21, /* Open dissected partitions and decrypted partitions and pin them by fd */ + DISSECT_IMAGE_RELAX_SYSEXT_CHECK = 1 << 22, /* Don't insist that the extension-release file name matches the image name */ + } DissectImageFlags; + +diff --git a/src/sysext/sysext.c b/src/sysext/sysext.c +index 0875099d5f..c57293b0e5 100644 +--- a/src/sysext/sysext.c ++++ b/src/sysext/sysext.c +@@ -520,7 +520,9 @@ static int merge_subprocess(Hashmap *images, const char *workspace) { + DISSECT_IMAGE_GENERIC_ROOT | + DISSECT_IMAGE_REQUIRE_ROOT | + DISSECT_IMAGE_MOUNT_ROOT_ONLY | +- DISSECT_IMAGE_USR_NO_ROOT; ++ DISSECT_IMAGE_USR_NO_ROOT | ++ DISSECT_IMAGE_ADD_PARTITION_DEVICES | ++ DISSECT_IMAGE_PIN_PARTITION_DEVICES; + + r = verity_settings_load(&verity_settings, img->path, NULL, NULL); + if (r < 0) +diff --git a/src/test/test-loop-block.c b/src/test/test-loop-block.c +index e2b97dd56f..af2a9683a4 100644 +--- a/src/test/test-loop-block.c ++++ b/src/test/test-loop-block.c +@@ -71,7 +71,7 @@ static void* thread_func(void *ptr) { + + log_notice("Acquired loop device %s, will mount on %s", loop->node, mounted); + +- r = dissect_loop_device(loop, NULL, NULL, DISSECT_IMAGE_READ_ONLY, &dissected); ++ r = dissect_loop_device(loop, NULL, NULL, DISSECT_IMAGE_READ_ONLY|DISSECT_IMAGE_ADD_PARTITION_DEVICES|DISSECT_IMAGE_PIN_PARTITION_DEVICES, &dissected); + if (r < 0) + log_error_errno(r, "Failed dissect loopback device %s: %m", loop->node); + assert_se(r >= 0); +@@ -220,7 +220,7 @@ static int run(int argc, char *argv[]) { + assert_se(loop_device_make(fd, O_RDWR, 0, UINT64_MAX, 0, LO_FLAGS_PARTSCAN, LOCK_EX, &loop) >= 0); + + #if HAVE_BLKID +- assert_se(dissect_loop_device(loop, NULL, NULL, 0, &dissected) >= 0); ++ assert_se(dissect_loop_device(loop, NULL, NULL, DISSECT_IMAGE_ADD_PARTITION_DEVICES|DISSECT_IMAGE_PIN_PARTITION_DEVICES, &dissected) >= 0); + verify_dissected_image(dissected); + + FOREACH_STRING(fs, "vfat", "ext4") { +@@ -246,7 +246,7 @@ static int run(int argc, char *argv[]) { + assert_se(make_filesystem(dissected->partitions[PARTITION_HOME].node, "ext4", "home", NULL, id, true) >= 0); + + dissected = dissected_image_unref(dissected); +- assert_se(dissect_loop_device(loop, NULL, NULL, 0, &dissected) >= 0); ++ assert_se(dissect_loop_device(loop, NULL, NULL, DISSECT_IMAGE_ADD_PARTITION_DEVICES|DISSECT_IMAGE_PIN_PARTITION_DEVICES, &dissected) >= 0); + verify_dissected_image(dissected); + + assert_se(mkdtemp_malloc(NULL, &mounted) >= 0); diff --git a/SOURCES/0154-ci-Mergify-v252-configuration-update.patch b/SOURCES/0154-ci-Mergify-v252-configuration-update.patch new file mode 100644 index 0000000..0f73990 --- /dev/null +++ b/SOURCES/0154-ci-Mergify-v252-configuration-update.patch @@ -0,0 +1,158 @@ +From cdfc360ed871f54faa6d10c0fe9cf4cd28061a28 Mon Sep 17 00:00:00 2001 +From: Jan Macku +Date: Thu, 8 Dec 2022 15:42:41 +0100 +Subject: [PATCH] ci(Mergify): v252 configuration update + +rhel-only + +Related: #2138081 +--- + .mergify.yml | 101 +++++++++++++++++++++++++++++++++++++++++++++------ + 1 file changed, 89 insertions(+), 12 deletions(-) + +diff --git a/.mergify.yml b/.mergify.yml +index ddc79a1d7a..bc1743e8ea 100644 +--- a/.mergify.yml ++++ b/.mergify.yml +@@ -2,23 +2,31 @@ + --- + + pull_request_rules: +- - name: Add `needs-ci` label on CI fail ++ - name: Add `needs-ci` label on CI fail - v252 + conditions: ++ # Policy is relevant for rhel-9.2.0 branches and newer & main branch ++ - base~=^main$|^rhel-9.([2-9]|\d{2,}).0$ + - label!=ci-waived + - or: + # Build test +- - -check-success=build (gcc, 10, bfd) +- - -check-success=build (gcc, 11, gold) +- - -check-success=build (clang, 11, bfd) +- - -check-success=build (clang, 12, gold) +- - -check-success=build (clang, 13, lld) ++ - -check-success=build (gcc, 11, bfd, gcrypt) ++ - -check-success=build (gcc, 12, gold, openssl) ++ - -check-success=build (clang, 13, mold, gcrypt) ++ - -check-success=build (clang, 14, lld, openssl) ++ - -check-success=build (clang, 15, bfd, auto) + # Unit tests + - -check-success=build (GCC, auto) + - -check-success=build (GCC_ASAN_UBSAN, auto) + - -check-success=build (CLANG, auto) ++ - -check-success=build (CLANG_RELEASE, auto) + - -check-success=build (CLANG_ASAN_UBSAN, auto) ++ - -check-success=build (CLANG_ASAN_UBSAN_NO_DEPS, auto) + - -check-success=build (GCC, openssl) + - -check-success=build (CLANG, gcrypt) ++ # ClusterFuzzingLite ++ - -check-success=PR (address) ++ - -check-success=PR (undefined) ++ - -check-success=PR (memory) + # CentOS CI + - -check-success=CentOS CI (CentOS Stream 9) + - -check-success=CentOS CI (CentOS Stream 9 + sanitizers) +@@ -35,24 +43,62 @@ pull_request_rules: + add: + - needs-ci + +- - name: Remove `needs-ci` label on CI success ++ - name: Add `needs-ci` label on CI fail - v250 + conditions: ++ # Policy is relevant branches before rhel-9.2.0 ++ - base~=^rhel-9.0.0-beta$|^rhel-9.[0-1].0$ ++ - label!=ci-waived ++ - or: ++ # Build test ++ - -check-success=build (gcc, 10, bfd) ++ - -check-success=build (gcc, 11, gold) ++ - -check-success=build (clang, 11, bfd) ++ - -check-success=build (clang, 12, gold) ++ - -check-success=build (clang, 13, lld) ++ # Unit tests ++ - -check-success=build (GCC, auto) ++ - -check-success=build (GCC_ASAN_UBSAN, auto) ++ - -check-success=build (CLANG, auto) ++ - -check-success=build (CLANG_ASAN_UBSAN, auto) ++ - -check-success=build (GCC, openssl) ++ - -check-success=build (CLANG, gcrypt) ++ # CentOS CI ++ - -check-success=CentOS CI (CentOS Stream 9) ++ - -check-success=CentOS CI (CentOS Stream 9 + sanitizers) ++ # Packit ++ - -check-success=rpm-build:centos-stream-9-aarch64 ++ - -check-success=rpm-build:centos-stream-9-x86_64 ++ actions: ++ label: ++ add: ++ - needs-ci ++ ++ - name: Remove `needs-ci` label on CI success - v252 ++ conditions: ++ # Policy is relevant for rhel-9.2.0 branches and newer & main branch ++ - base~=^main$|^rhel-9.([2-9]|\d{2,}).0$ + - or: + - label=ci-waived + - and: + # Build test +- - check-success=build (gcc, 10, bfd) +- - check-success=build (gcc, 11, gold) +- - check-success=build (clang, 11, bfd) +- - check-success=build (clang, 12, gold) +- - check-success=build (clang, 13, lld) ++ - check-success=build (gcc, 11, bfd, gcrypt) ++ - check-success=build (gcc, 12, gold, openssl) ++ - check-success=build (clang, 13, mold, gcrypt) ++ - check-success=build (clang, 14, lld, openssl) ++ - check-success=build (clang, 15, bfd, auto) + # Unit tests + - check-success=build (GCC, auto) + - check-success=build (GCC_ASAN_UBSAN, auto) + - check-success=build (CLANG, auto) ++ - check-success=build (CLANG_RELEASE, auto) + - check-success=build (CLANG_ASAN_UBSAN, auto) ++ - check-success=build (CLANG_ASAN_UBSAN_NO_DEPS, auto) + - check-success=build (GCC, openssl) + - check-success=build (CLANG, gcrypt) ++ # ClusterFuzzingLite ++ - check-success=PR (address) ++ - check-success=PR (undefined) ++ - check-success=PR (memory) + # CentOS CI + - check-success=CentOS CI (CentOS Stream 9) + - check-success=CentOS CI (CentOS Stream 9 + sanitizers) +@@ -68,3 +114,34 @@ pull_request_rules: + label: + remove: + - needs-ci ++ ++ - name: Remove `needs-ci` label on CI success - v250 ++ conditions: ++ # Policy is relevant branches before rhel-9.2.0 ++ - base~=^rhel-9.0.0-beta$|^rhel-9.[0-1].0$ ++ - or: ++ - label=ci-waived ++ - and: ++ # Build test ++ - check-success=build (gcc, 10, bfd) ++ - check-success=build (gcc, 11, gold) ++ - check-success=build (clang, 11, bfd) ++ - check-success=build (clang, 12, gold) ++ - check-success=build (clang, 13, lld) ++ # Unit tests ++ - check-success=build (GCC, auto) ++ - check-success=build (GCC_ASAN_UBSAN, auto) ++ - check-success=build (CLANG, auto) ++ - check-success=build (CLANG_ASAN_UBSAN, auto) ++ - check-success=build (GCC, openssl) ++ - check-success=build (CLANG, gcrypt) ++ # CentOS CI ++ - check-success=CentOS CI (CentOS Stream 9) ++ - check-success=CentOS CI (CentOS Stream 9 + sanitizers) ++ # Packit ++ - check-success=rpm-build:centos-stream-9-aarch64 ++ - check-success=rpm-build:centos-stream-9-x86_64 ++ actions: ++ label: ++ remove: ++ - needs-ci diff --git a/SOURCES/0155-ci-Run-GitHub-workflows-on-rhel-branches.patch b/SOURCES/0155-ci-Run-GitHub-workflows-on-rhel-branches.patch new file mode 100644 index 0000000..c563bae --- /dev/null +++ b/SOURCES/0155-ci-Run-GitHub-workflows-on-rhel-branches.patch @@ -0,0 +1,62 @@ +From 70dcdd6dfcda08486201442f225f7d8c9980e047 Mon Sep 17 00:00:00 2001 +From: Jan Macku +Date: Thu, 8 Dec 2022 15:52:30 +0100 +Subject: [PATCH] ci: Run GitHub workflows on rhel branches + +rhel-only + +Related: #2138081 +--- + .github/workflows/cflite_pr.yml | 2 +- + .github/workflows/codeql.yml | 4 ++-- + .github/workflows/linter.yml | 2 +- + 3 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/.github/workflows/cflite_pr.yml b/.github/workflows/cflite_pr.yml +index a35a97f046..500be1c2cf 100644 +--- a/.github/workflows/cflite_pr.yml ++++ b/.github/workflows/cflite_pr.yml +@@ -7,7 +7,7 @@ on: + pull_request: + branches: + - main +- - v[0-9]+-stable ++ - rhel-9.*.0 + + permissions: read-all + +diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml +index b531753cab..e8236b1857 100644 +--- a/.github/workflows/codeql.yml ++++ b/.github/workflows/codeql.yml +@@ -8,7 +8,7 @@ on: + pull_request: + branches: + - main +- - v[0-9]+-stable ++ - rhel-9.*.0 + paths: + - '**/meson.build' + - '.github/**/codeql*' +@@ -18,7 +18,7 @@ on: + push: + branches: + - main +- - v[0-9]+-stable ++ - rhel-9.*.0 + + permissions: + contents: read +diff --git a/.github/workflows/linter.yml b/.github/workflows/linter.yml +index 180cfbfdba..eddd350122 100644 +--- a/.github/workflows/linter.yml ++++ b/.github/workflows/linter.yml +@@ -8,7 +8,7 @@ on: + pull_request: + branches: + - main +- - v[0-9]+-stable ++ - rhel-9.*.0 + + permissions: + contents: read diff --git a/SOURCES/0156-ci-Drop-scorecards-workflow-not-relevant.patch b/SOURCES/0156-ci-Drop-scorecards-workflow-not-relevant.patch new file mode 100644 index 0000000..40340c9 --- /dev/null +++ b/SOURCES/0156-ci-Drop-scorecards-workflow-not-relevant.patch @@ -0,0 +1,89 @@ +From e28f0b746d630230cf6256215f9388de7f3f6dd7 Mon Sep 17 00:00:00 2001 +From: Jan Macku +Date: Thu, 8 Dec 2022 16:00:58 +0100 +Subject: [PATCH] ci: Drop scorecards workflow, not relevant + +rhel-only + +Related: #2138081 +--- + .github/workflows/scorecards.yml | 70 -------------------------------- + 1 file changed, 70 deletions(-) + delete mode 100644 .github/workflows/scorecards.yml + +diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml +deleted file mode 100644 +index 911ac5a35e..0000000000 +--- a/.github/workflows/scorecards.yml ++++ /dev/null +@@ -1,70 +0,0 @@ +---- +-# vi: ts=2 sw=2 et: +-# SPDX-License-Identifier: LGPL-2.1-or-later +-name: Scorecards supply-chain security +-on: +- # Only the default branch is supported. +- branch_protection_rule: +- schedule: +- - cron: '15 21 * * 6' +- push: +- branches: +- - main +- pull_request: +- branches: +- - main +- paths: +- - '.github/workflows/scorecards.yml' +- +-# Declare default permissions as read only. +-permissions: read-all +- +-jobs: +- analysis: +- name: Scorecards analysis +- if: github.repository == 'systemd/systemd' +- runs-on: ubuntu-latest +- permissions: +- # Needed to upload the results to code-scanning dashboard. +- security-events: write +- # Used to receive a badge. +- id-token: write +- +- steps: +- - name: Checkout code +- uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 # tag=v3.0.0 +- with: +- persist-credentials: false +- +- - name: Run analysis +- uses: ossf/scorecard-action@e363bfca00e752f91de7b7d2a77340e2e523cb18 # tag=v2.0.4 +- with: +- results_file: results.sarif +- results_format: sarif +- # (Optional) Read-only PAT token. Uncomment the `repo_token` line below if: +- # - you want to enable the Branch-Protection check on a *public* repository, or +- # - you are installing Scorecards on a *private* repository +- # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat. +- # repo_token: ${{ secrets.SCORECARD_READ_TOKEN }} +- +- # Publish the results for public repositories to enable scorecard badges. For more details, see +- # https://github.com/ossf/scorecard-action#publishing-results. +- # For private repositories, `publish_results` will automatically be set to `false`, regardless +- # of the value entered here. +- publish_results: ${{ github.event_name != 'pull_request' }} +- +- # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF +- # format to the repository Actions tab. +- - name: Upload artifact +- uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535 # tag=v3.0.0 +- with: +- name: SARIF file +- path: results.sarif +- retention-days: 5 +- +- # Upload the results to GitHub's code scanning dashboard. +- - name: Upload to code-scanning +- if: github.event_name != 'pull_request' +- uses: github/codeql-action/upload-sarif@5f532563584d71fdef14ee64d17bafb34f751ce5 # tag=v1.0.26 +- with: +- sarif_file: results.sarif diff --git a/SOURCES/0157-swap-tell-swapon-to-reinitialize-swap-if-needed.patch b/SOURCES/0157-swap-tell-swapon-to-reinitialize-swap-if-needed.patch new file mode 100644 index 0000000..83ff24c --- /dev/null +++ b/SOURCES/0157-swap-tell-swapon-to-reinitialize-swap-if-needed.patch @@ -0,0 +1,29 @@ +From 94bab389194116ab10a68bca3d72c5b06f332645 Mon Sep 17 00:00:00 2001 +From: David Tardon +Date: Mon, 12 Dec 2022 16:21:30 +0100 +Subject: [PATCH] swap: tell swapon to reinitialize swap if needed + +If the page size of a swap space doesn't match the page size of the +currently running kernel, swapon will fail. Let's instruct it to +reinitialize the swap space instead. + +(cherry picked from commit cc137d53e36da5e57b060be5e621864f572b2cac) + +Resolves: #2151993 +--- + src/core/swap.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/core/swap.c b/src/core/swap.c +index 2196793ad1..5c83c4780f 100644 +--- a/src/core/swap.c ++++ b/src/core/swap.c +@@ -827,7 +827,7 @@ static void swap_enter_activating(Swap *s) { + } + } + +- r = exec_command_set(s->control_command, "/sbin/swapon", NULL); ++ r = exec_command_set(s->control_command, "/sbin/swapon", "--fixpgsz", NULL); + if (r < 0) + goto fail; + diff --git a/SOURCES/0158-coredump-adjust-whitespace.patch b/SOURCES/0158-coredump-adjust-whitespace.patch new file mode 100644 index 0000000..b6dba41 --- /dev/null +++ b/SOURCES/0158-coredump-adjust-whitespace.patch @@ -0,0 +1,101 @@ +From e611a79647dd2ec68b8d5553d8aa566e79cd9f6e Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Tue, 29 Nov 2022 09:00:16 +0100 +Subject: [PATCH] coredump: adjust whitespace + +(cherry picked from commit 510a146634f3e095b34e2a26023b1b1f99dcb8c0) + +Related: #2155517 +--- + src/coredump/coredump.c | 56 ++++++++++++++++++++--------------------- + 1 file changed, 28 insertions(+), 28 deletions(-) + +diff --git a/src/coredump/coredump.c b/src/coredump/coredump.c +index 98e7492811..7a181bdeeb 100644 +--- a/src/coredump/coredump.c ++++ b/src/coredump/coredump.c +@@ -110,16 +110,16 @@ enum { + }; + + static const char * const meta_field_names[_META_MAX] = { +- [META_ARGV_PID] = "COREDUMP_PID=", +- [META_ARGV_UID] = "COREDUMP_UID=", +- [META_ARGV_GID] = "COREDUMP_GID=", +- [META_ARGV_SIGNAL] = "COREDUMP_SIGNAL=", +- [META_ARGV_TIMESTAMP] = "COREDUMP_TIMESTAMP=", +- [META_ARGV_RLIMIT] = "COREDUMP_RLIMIT=", +- [META_ARGV_HOSTNAME] = "COREDUMP_HOSTNAME=", +- [META_COMM] = "COREDUMP_COMM=", +- [META_EXE] = "COREDUMP_EXE=", +- [META_UNIT] = "COREDUMP_UNIT=", ++ [META_ARGV_PID] = "COREDUMP_PID=", ++ [META_ARGV_UID] = "COREDUMP_UID=", ++ [META_ARGV_GID] = "COREDUMP_GID=", ++ [META_ARGV_SIGNAL] = "COREDUMP_SIGNAL=", ++ [META_ARGV_TIMESTAMP] = "COREDUMP_TIMESTAMP=", ++ [META_ARGV_RLIMIT] = "COREDUMP_RLIMIT=", ++ [META_ARGV_HOSTNAME] = "COREDUMP_HOSTNAME=", ++ [META_COMM] = "COREDUMP_COMM=", ++ [META_EXE] = "COREDUMP_EXE=", ++ [META_UNIT] = "COREDUMP_UNIT=", + }; + + typedef struct Context { +@@ -138,9 +138,9 @@ typedef enum CoredumpStorage { + } CoredumpStorage; + + static const char* const coredump_storage_table[_COREDUMP_STORAGE_MAX] = { +- [COREDUMP_STORAGE_NONE] = "none", ++ [COREDUMP_STORAGE_NONE] = "none", + [COREDUMP_STORAGE_EXTERNAL] = "external", +- [COREDUMP_STORAGE_JOURNAL] = "journal", ++ [COREDUMP_STORAGE_JOURNAL] = "journal", + }; + + DEFINE_PRIVATE_STRING_TABLE_LOOKUP(coredump_storage, CoredumpStorage); +@@ -156,13 +156,13 @@ static uint64_t arg_max_use = UINT64_MAX; + + static int parse_config(void) { + static const ConfigTableItem items[] = { +- { "Coredump", "Storage", config_parse_coredump_storage, 0, &arg_storage }, +- { "Coredump", "Compress", config_parse_bool, 0, &arg_compress }, +- { "Coredump", "ProcessSizeMax", config_parse_iec_uint64, 0, &arg_process_size_max }, +- { "Coredump", "ExternalSizeMax", config_parse_iec_uint64_infinity, 0, &arg_external_size_max }, +- { "Coredump", "JournalSizeMax", config_parse_iec_size, 0, &arg_journal_size_max }, +- { "Coredump", "KeepFree", config_parse_iec_uint64, 0, &arg_keep_free }, +- { "Coredump", "MaxUse", config_parse_iec_uint64, 0, &arg_max_use }, ++ { "Coredump", "Storage", config_parse_coredump_storage, 0, &arg_storage }, ++ { "Coredump", "Compress", config_parse_bool, 0, &arg_compress }, ++ { "Coredump", "ProcessSizeMax", config_parse_iec_uint64, 0, &arg_process_size_max }, ++ { "Coredump", "ExternalSizeMax", config_parse_iec_uint64_infinity, 0, &arg_external_size_max }, ++ { "Coredump", "JournalSizeMax", config_parse_iec_size, 0, &arg_journal_size_max }, ++ { "Coredump", "KeepFree", config_parse_iec_uint64, 0, &arg_keep_free }, ++ { "Coredump", "MaxUse", config_parse_iec_uint64, 0, &arg_max_use }, + {} + }; + +@@ -208,15 +208,15 @@ static int fix_acl(int fd, uid_t uid) { + static int fix_xattr(int fd, const Context *context) { + + static const char * const xattrs[_META_MAX] = { +- [META_ARGV_PID] = "user.coredump.pid", +- [META_ARGV_UID] = "user.coredump.uid", +- [META_ARGV_GID] = "user.coredump.gid", +- [META_ARGV_SIGNAL] = "user.coredump.signal", +- [META_ARGV_TIMESTAMP] = "user.coredump.timestamp", +- [META_ARGV_RLIMIT] = "user.coredump.rlimit", +- [META_ARGV_HOSTNAME] = "user.coredump.hostname", +- [META_COMM] = "user.coredump.comm", +- [META_EXE] = "user.coredump.exe", ++ [META_ARGV_PID] = "user.coredump.pid", ++ [META_ARGV_UID] = "user.coredump.uid", ++ [META_ARGV_GID] = "user.coredump.gid", ++ [META_ARGV_SIGNAL] = "user.coredump.signal", ++ [META_ARGV_TIMESTAMP] = "user.coredump.timestamp", ++ [META_ARGV_RLIMIT] = "user.coredump.rlimit", ++ [META_ARGV_HOSTNAME] = "user.coredump.hostname", ++ [META_COMM] = "user.coredump.comm", ++ [META_EXE] = "user.coredump.exe", + }; + + int r = 0; diff --git a/SOURCES/0159-coredump-do-not-allow-user-to-access-coredumps-with-.patch b/SOURCES/0159-coredump-do-not-allow-user-to-access-coredumps-with-.patch new file mode 100644 index 0000000..6fadae5 --- /dev/null +++ b/SOURCES/0159-coredump-do-not-allow-user-to-access-coredumps-with-.patch @@ -0,0 +1,383 @@ +From e86a03c4f201745a683cfe1549a202d5ae636b07 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Mon, 28 Nov 2022 12:12:55 +0100 +Subject: [PATCH] coredump: do not allow user to access coredumps with changed + uid/gid/capabilities + +When the user starts a program which elevates its permissions via setuid, +setgid, or capabilities set on the file, it may access additional information +which would then be visible in the coredump. We shouldn't make the the coredump +visible to the user in such cases. + +Reported-by: Matthias Gerstner + +This reads the /proc//auxv file and attaches it to the process metadata as +PROC_AUXV. Before the coredump is submitted, it is parsed and if either +at_secure was set (which the kernel will do for processes that are setuid, +setgid, or setcap), or if the effective uid/gid don't match uid/gid, the file +is not made accessible to the user. If we can't access this data, we assume the +file should not be made accessible either. In principle we could also access +the auxv data from a note in the core file, but that is much more complex and +it seems better to use the stand-alone file that is provided by the kernel. + +Attaching auxv is both convient for this patch (because this way it's passed +between the stages along with other fields), but I think it makes sense to save +it in general. + +We use the information early in the core file to figure out if the program was +32-bit or 64-bit and its endianness. This way we don't need heuristics to guess +whether the format of the auxv structure. This test might reject some cases on +fringe architecutes. But the impact would be limited: we just won't grant the +user permissions to view the coredump file. If people report that we're missing +some cases, we can always enhance this to support more architectures. + +I tested auxv parsing on amd64, 32-bit program on amd64, arm64, arm32, and +ppc64el, but not the whole coredump handling. + +(cherry picked from commit 3e4d0f6cf99f8677edd6a237382a65bfe758de03) + +Resolves: #2155517 +--- + src/basic/io-util.h | 9 ++ + src/coredump/coredump.c | 196 +++++++++++++++++++++++++++++++++++++--- + 2 files changed, 192 insertions(+), 13 deletions(-) + +diff --git a/src/basic/io-util.h b/src/basic/io-util.h +index 39728e06bc..3afb134266 100644 +--- a/src/basic/io-util.h ++++ b/src/basic/io-util.h +@@ -91,7 +91,16 @@ struct iovec_wrapper *iovw_new(void); + struct iovec_wrapper *iovw_free(struct iovec_wrapper *iovw); + struct iovec_wrapper *iovw_free_free(struct iovec_wrapper *iovw); + void iovw_free_contents(struct iovec_wrapper *iovw, bool free_vectors); ++ + int iovw_put(struct iovec_wrapper *iovw, void *data, size_t len); ++static inline int iovw_consume(struct iovec_wrapper *iovw, void *data, size_t len) { ++ /* Move data into iovw or free on error */ ++ int r = iovw_put(iovw, data, len); ++ if (r < 0) ++ free(data); ++ return r; ++} ++ + int iovw_put_string_field(struct iovec_wrapper *iovw, const char *field, const char *value); + int iovw_put_string_field_free(struct iovec_wrapper *iovw, const char *field, char *value); + void iovw_rebase(struct iovec_wrapper *iovw, char *old, char *new); +diff --git a/src/coredump/coredump.c b/src/coredump/coredump.c +index 7a181bdeeb..ea3d8c415a 100644 +--- a/src/coredump/coredump.c ++++ b/src/coredump/coredump.c +@@ -4,6 +4,7 @@ + #include + #include + #include ++#include + #include + #include + +@@ -106,6 +107,7 @@ enum { + + META_EXE = _META_MANDATORY_MAX, + META_UNIT, ++ META_PROC_AUXV, + _META_MAX + }; + +@@ -120,10 +122,12 @@ static const char * const meta_field_names[_META_MAX] = { + [META_COMM] = "COREDUMP_COMM=", + [META_EXE] = "COREDUMP_EXE=", + [META_UNIT] = "COREDUMP_UNIT=", ++ [META_PROC_AUXV] = "COREDUMP_PROC_AUXV=", + }; + + typedef struct Context { + const char *meta[_META_MAX]; ++ size_t meta_size[_META_MAX]; + pid_t pid; + bool is_pid1; + bool is_journald; +@@ -185,13 +189,16 @@ static uint64_t storage_size_max(void) { + return 0; + } + +-static int fix_acl(int fd, uid_t uid) { ++static int fix_acl(int fd, uid_t uid, bool allow_user) { ++ assert(fd >= 0); ++ assert(uid_is_valid(uid)); + + #if HAVE_ACL + int r; + +- assert(fd >= 0); +- assert(uid_is_valid(uid)); ++ /* We don't allow users to read coredumps if the uid or capabilities were changed. */ ++ if (!allow_user) ++ return 0; + + if (uid_is_system(uid) || uid_is_dynamic(uid) || uid == UID_NOBODY) + return 0; +@@ -251,7 +258,8 @@ static int fix_permissions( + const char *filename, + const char *target, + const Context *context, +- uid_t uid) { ++ uid_t uid, ++ bool allow_user) { + + int r; + +@@ -261,7 +269,7 @@ static int fix_permissions( + + /* Ignore errors on these */ + (void) fchmod(fd, 0640); +- (void) fix_acl(fd, uid); ++ (void) fix_acl(fd, uid, allow_user); + (void) fix_xattr(fd, context); + + r = fsync_full(fd); +@@ -331,6 +339,153 @@ static int make_filename(const Context *context, char **ret) { + return 0; + } + ++static int parse_auxv64( ++ const uint64_t *auxv, ++ size_t size_bytes, ++ int *at_secure, ++ uid_t *uid, ++ uid_t *euid, ++ gid_t *gid, ++ gid_t *egid) { ++ ++ assert(auxv || size_bytes == 0); ++ ++ if (size_bytes % (2 * sizeof(uint64_t)) != 0) ++ return log_warning_errno(SYNTHETIC_ERRNO(EIO), "Incomplete auxv structure (%zu bytes).", size_bytes); ++ ++ size_t words = size_bytes / sizeof(uint64_t); ++ ++ /* Note that we set output variables even on error. */ ++ ++ for (size_t i = 0; i + 1 < words; i += 2) ++ switch (auxv[i]) { ++ case AT_SECURE: ++ *at_secure = auxv[i + 1] != 0; ++ break; ++ case AT_UID: ++ *uid = auxv[i + 1]; ++ break; ++ case AT_EUID: ++ *euid = auxv[i + 1]; ++ break; ++ case AT_GID: ++ *gid = auxv[i + 1]; ++ break; ++ case AT_EGID: ++ *egid = auxv[i + 1]; ++ break; ++ case AT_NULL: ++ if (auxv[i + 1] != 0) ++ goto error; ++ return 0; ++ } ++ error: ++ return log_warning_errno(SYNTHETIC_ERRNO(ENODATA), ++ "AT_NULL terminator not found, cannot parse auxv structure."); ++} ++ ++static int parse_auxv32( ++ const uint32_t *auxv, ++ size_t size_bytes, ++ int *at_secure, ++ uid_t *uid, ++ uid_t *euid, ++ gid_t *gid, ++ gid_t *egid) { ++ ++ assert(auxv || size_bytes == 0); ++ ++ size_t words = size_bytes / sizeof(uint32_t); ++ ++ if (size_bytes % (2 * sizeof(uint32_t)) != 0) ++ return log_warning_errno(SYNTHETIC_ERRNO(EIO), "Incomplete auxv structure (%zu bytes).", size_bytes); ++ ++ /* Note that we set output variables even on error. */ ++ ++ for (size_t i = 0; i + 1 < words; i += 2) ++ switch (auxv[i]) { ++ case AT_SECURE: ++ *at_secure = auxv[i + 1] != 0; ++ break; ++ case AT_UID: ++ *uid = auxv[i + 1]; ++ break; ++ case AT_EUID: ++ *euid = auxv[i + 1]; ++ break; ++ case AT_GID: ++ *gid = auxv[i + 1]; ++ break; ++ case AT_EGID: ++ *egid = auxv[i + 1]; ++ break; ++ case AT_NULL: ++ if (auxv[i + 1] != 0) ++ goto error; ++ return 0; ++ } ++ error: ++ return log_warning_errno(SYNTHETIC_ERRNO(ENODATA), ++ "AT_NULL terminator not found, cannot parse auxv structure."); ++} ++ ++static int grant_user_access(int core_fd, const Context *context) { ++ int at_secure = -1; ++ uid_t uid = UID_INVALID, euid = UID_INVALID; ++ uid_t gid = GID_INVALID, egid = GID_INVALID; ++ int r; ++ ++ assert(core_fd >= 0); ++ assert(context); ++ ++ if (!context->meta[META_PROC_AUXV]) ++ return log_warning_errno(SYNTHETIC_ERRNO(ENODATA), "No auxv data, not adjusting permissions."); ++ ++ uint8_t elf[EI_NIDENT]; ++ errno = 0; ++ if (pread(core_fd, &elf, sizeof(elf), 0) != sizeof(elf)) ++ return log_warning_errno(errno_or_else(EIO), ++ "Failed to pread from coredump fd: %s", STRERROR_OR_EOF(errno)); ++ ++ if (elf[EI_MAG0] != ELFMAG0 || ++ elf[EI_MAG1] != ELFMAG1 || ++ elf[EI_MAG2] != ELFMAG2 || ++ elf[EI_MAG3] != ELFMAG3 || ++ elf[EI_VERSION] != EV_CURRENT) ++ return log_info_errno(SYNTHETIC_ERRNO(EUCLEAN), ++ "Core file does not have ELF header, not adjusting permissions."); ++ if (!IN_SET(elf[EI_CLASS], ELFCLASS32, ELFCLASS64) || ++ !IN_SET(elf[EI_DATA], ELFDATA2LSB, ELFDATA2MSB)) ++ return log_info_errno(SYNTHETIC_ERRNO(EUCLEAN), ++ "Core file has strange ELF class, not adjusting permissions."); ++ ++ if ((elf[EI_DATA] == ELFDATA2LSB) != (__BYTE_ORDER == __LITTLE_ENDIAN)) ++ return log_info_errno(SYNTHETIC_ERRNO(EUCLEAN), ++ "Core file has non-native endianness, not adjusting permissions."); ++ ++ if (elf[EI_CLASS] == ELFCLASS64) ++ r = parse_auxv64((const uint64_t*) context->meta[META_PROC_AUXV], ++ context->meta_size[META_PROC_AUXV], ++ &at_secure, &uid, &euid, &gid, &egid); ++ else ++ r = parse_auxv32((const uint32_t*) context->meta[META_PROC_AUXV], ++ context->meta_size[META_PROC_AUXV], ++ &at_secure, &uid, &euid, &gid, &egid); ++ if (r < 0) ++ return r; ++ ++ /* We allow access if we got all the data and at_secure is not set and ++ * the uid/gid matches euid/egid. */ ++ bool ret = ++ at_secure == 0 && ++ uid != UID_INVALID && euid != UID_INVALID && uid == euid && ++ gid != GID_INVALID && egid != GID_INVALID && gid == egid; ++ log_debug("Will %s access (uid="UID_FMT " euid="UID_FMT " gid="GID_FMT " egid="GID_FMT " at_secure=%s)", ++ ret ? "permit" : "restrict", ++ uid, euid, gid, egid, yes_no(at_secure)); ++ return ret; ++} ++ + static int save_external_coredump( + const Context *context, + int input_fd, +@@ -453,6 +608,8 @@ static int save_external_coredump( + context->meta[META_ARGV_PID], context->meta[META_COMM]); + truncated = r == 1; + ++ bool allow_user = grant_user_access(fd, context) > 0; ++ + #if HAVE_COMPRESSION + if (arg_compress) { + _cleanup_(unlink_and_freep) char *tmp_compressed = NULL; +@@ -490,7 +647,7 @@ static int save_external_coredump( + uncompressed_size += partial_uncompressed_size; + } + +- r = fix_permissions(fd_compressed, tmp_compressed, fn_compressed, context, uid); ++ r = fix_permissions(fd_compressed, tmp_compressed, fn_compressed, context, uid, allow_user); + if (r < 0) + return r; + +@@ -517,7 +674,7 @@ static int save_external_coredump( + "SIZE_LIMIT=%"PRIu64, max_size, + "MESSAGE_ID=" SD_MESSAGE_TRUNCATED_CORE_STR); + +- r = fix_permissions(fd, tmp, fn, context, uid); ++ r = fix_permissions(fd, tmp, fn, context, uid, allow_user); + if (r < 0) + return log_error_errno(r, "Failed to fix permissions and finalize coredump %s into %s: %m", coredump_tmpfile_name(tmp), fn); + +@@ -765,7 +922,7 @@ static int change_uid_gid(const Context *context) { + } + + static int submit_coredump( +- Context *context, ++ const Context *context, + struct iovec_wrapper *iovw, + int input_fd) { + +@@ -944,16 +1101,15 @@ static int save_context(Context *context, const struct iovec_wrapper *iovw) { + struct iovec *iovec = iovw->iovec + n; + + for (size_t i = 0; i < ELEMENTSOF(meta_field_names); i++) { +- char *p; +- + /* Note that these strings are NUL terminated, because we made sure that a + * trailing NUL byte is in the buffer, though not included in the iov_len + * count (see process_socket() and gather_pid_metadata_*()) */ + assert(((char*) iovec->iov_base)[iovec->iov_len] == 0); + +- p = startswith(iovec->iov_base, meta_field_names[i]); ++ const char *p = startswith(iovec->iov_base, meta_field_names[i]); + if (p) { + context->meta[i] = p; ++ context->meta_size[i] = iovec->iov_len - strlen(meta_field_names[i]); + break; + } + } +@@ -1190,6 +1346,7 @@ static int gather_pid_metadata(struct iovec_wrapper *iovw, Context *context) { + uid_t owner_uid; + pid_t pid; + char *t; ++ size_t size; + const char *p; + int r; + +@@ -1254,13 +1411,26 @@ static int gather_pid_metadata(struct iovec_wrapper *iovw, Context *context) { + (void) iovw_put_string_field_free(iovw, "COREDUMP_PROC_LIMITS=", t); + + p = procfs_file_alloca(pid, "cgroup"); +- if (read_full_virtual_file(p, &t, NULL) >=0) ++ if (read_full_virtual_file(p, &t, NULL) >= 0) + (void) iovw_put_string_field_free(iovw, "COREDUMP_PROC_CGROUP=", t); + + p = procfs_file_alloca(pid, "mountinfo"); +- if (read_full_virtual_file(p, &t, NULL) >=0) ++ if (read_full_virtual_file(p, &t, NULL) >= 0) + (void) iovw_put_string_field_free(iovw, "COREDUMP_PROC_MOUNTINFO=", t); + ++ /* We attach /proc/auxv here. ELF coredumps also contain a note for this (NT_AUXV), see elf(5). */ ++ p = procfs_file_alloca(pid, "auxv"); ++ if (read_full_virtual_file(p, &t, &size) >= 0) { ++ char *buf = malloc(strlen("COREDUMP_PROC_AUXV=") + size + 1); ++ if (buf) { ++ /* Add a dummy terminator to make save_context() happy. */ ++ *((uint8_t*) mempcpy(stpcpy(buf, "COREDUMP_PROC_AUXV="), t, size)) = '\0'; ++ (void) iovw_consume(iovw, buf, size + strlen("COREDUMP_PROC_AUXV=")); ++ } ++ ++ free(t); ++ } ++ + if (get_process_cwd(pid, &t) >= 0) + (void) iovw_put_string_field_free(iovw, "COREDUMP_CWD=", t); + diff --git a/SOURCES/0160-Revert-basic-add-fallback-in-chase_symlinks_and_open.patch b/SOURCES/0160-Revert-basic-add-fallback-in-chase_symlinks_and_open.patch new file mode 100644 index 0000000..7713be9 --- /dev/null +++ b/SOURCES/0160-Revert-basic-add-fallback-in-chase_symlinks_and_open.patch @@ -0,0 +1,43 @@ +From eb9135c9499f6be627323929df48bc9efc93926a Mon Sep 17 00:00:00 2001 +From: Frantisek Sumsal +Date: Thu, 8 Dec 2022 10:56:42 +0100 +Subject: [PATCH] Revert "basic: add fallback in chase_symlinks_and_opendir() + for cases when /proc is not mounted" + +This reverts commit 47c0c5108b39d01283ba040c41d556b160d45a55. + +Related: #2138081 +--- + src/basic/chase-symlinks.c | 14 +++----------- + 1 file changed, 3 insertions(+), 11 deletions(-) + +diff --git a/src/basic/chase-symlinks.c b/src/basic/chase-symlinks.c +index c09aab389e..afab54f067 100644 +--- a/src/basic/chase-symlinks.c ++++ b/src/basic/chase-symlinks.c +@@ -466,22 +466,14 @@ int chase_symlinks_and_opendir( + return 0; + } + +- r = chase_symlinks(path, root, chase_flags, &p, &path_fd); ++ r = chase_symlinks(path, root, chase_flags, ret_path ? &p : NULL, &path_fd); + if (r < 0) + return r; + assert(path_fd >= 0); + + d = opendir(FORMAT_PROC_FD_PATH(path_fd)); +- if (!d) { +- /* Hmm, we have the fd already but we got ENOENT, most likely /proc is not mounted. +- * Let's try opendir() again on the full path. */ +- if (errno == ENOENT) { +- d = opendir(p); +- if (!d) +- return -errno; +- } else +- return -errno; +- } ++ if (!d) ++ return -errno; + + if (ret_path) + *ret_path = TAKE_PTR(p); diff --git a/SOURCES/0161-glyph-util-add-warning-sign-special-glyph.patch b/SOURCES/0161-glyph-util-add-warning-sign-special-glyph.patch new file mode 100644 index 0000000..c46d475 --- /dev/null +++ b/SOURCES/0161-glyph-util-add-warning-sign-special-glyph.patch @@ -0,0 +1,72 @@ +From 008cc31066925ca8ef69ad6a03d20bb4ed299a41 Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Fri, 2 Dec 2022 23:50:48 +0100 +Subject: [PATCH] glyph-util: add warning sign special glyph + +(cherry picked from commit 03c16b9784151275e71db3f9a25dc42206f1b5d3) + +Related: #2138081 +--- + src/basic/glyph-util.c | 4 +++- + src/basic/glyph-util.h | 1 + + src/test/test-locale-util.c | 3 ++- + 3 files changed, 6 insertions(+), 2 deletions(-) + +diff --git a/src/basic/glyph-util.c b/src/basic/glyph-util.c +index 67f2270daf..de1224f04f 100644 +--- a/src/basic/glyph-util.c ++++ b/src/basic/glyph-util.c +@@ -71,6 +71,7 @@ const char *special_glyph(SpecialGlyph code) { + [SPECIAL_GLYPH_RECYCLING] = "~", + [SPECIAL_GLYPH_DOWNLOAD] = "\\", + [SPECIAL_GLYPH_SPARKLES] = "*", ++ [SPECIAL_GLYPH_WARNING_SIGN] = "!", + }, + + /* UTF-8 */ +@@ -124,10 +125,11 @@ const char *special_glyph(SpecialGlyph code) { + /* This emoji is a single character cell glyph in Unicode, and two in ASCII */ + [SPECIAL_GLYPH_TOUCH] = u8"👆", /* actually called: BACKHAND INDEX POINTING UP */ + +- /* These three emojis are single character cell glyphs in Unicode and also in ASCII. */ ++ /* These four emojis are single character cell glyphs in Unicode and also in ASCII. */ + [SPECIAL_GLYPH_RECYCLING] = u8"♻️", /* actually called: UNIVERSAL RECYCLNG SYMBOL */ + [SPECIAL_GLYPH_DOWNLOAD] = u8"⤵️", /* actually called: RIGHT ARROW CURVING DOWN */ + [SPECIAL_GLYPH_SPARKLES] = u8"✨", ++ [SPECIAL_GLYPH_WARNING_SIGN] = u8"⚠️", + }, + }; + +diff --git a/src/basic/glyph-util.h b/src/basic/glyph-util.h +index 621d7a85b7..b64639622e 100644 +--- a/src/basic/glyph-util.h ++++ b/src/basic/glyph-util.h +@@ -44,6 +44,7 @@ typedef enum SpecialGlyph { + SPECIAL_GLYPH_RECYCLING, + SPECIAL_GLYPH_DOWNLOAD, + SPECIAL_GLYPH_SPARKLES, ++ SPECIAL_GLYPH_WARNING_SIGN, + _SPECIAL_GLYPH_MAX, + _SPECIAL_GLYPH_INVALID = -EINVAL, + } SpecialGlyph; +diff --git a/src/test/test-locale-util.c b/src/test/test-locale-util.c +index 9f50c6227f..f38100401c 100644 +--- a/src/test/test-locale-util.c ++++ b/src/test/test-locale-util.c +@@ -83,7 +83,7 @@ TEST(keymaps) { + + #define dump_glyph(x) log_info(STRINGIFY(x) ": %s", special_glyph(x)) + TEST(dump_special_glyphs) { +- assert_cc(SPECIAL_GLYPH_SPARKLES + 1 == _SPECIAL_GLYPH_MAX); ++ assert_cc(SPECIAL_GLYPH_WARNING_SIGN + 1 == _SPECIAL_GLYPH_MAX); + + log_info("is_locale_utf8: %s", yes_no(is_locale_utf8())); + +@@ -120,6 +120,7 @@ TEST(dump_special_glyphs) { + dump_glyph(SPECIAL_GLYPH_RECYCLING); + dump_glyph(SPECIAL_GLYPH_DOWNLOAD); + dump_glyph(SPECIAL_GLYPH_SPARKLES); ++ dump_glyph(SPECIAL_GLYPH_WARNING_SIGN); + } + + DEFINE_TEST_MAIN(LOG_INFO); diff --git a/SOURCES/0162-chase-symlink-when-converting-directory-O_PATH-fd-to.patch b/SOURCES/0162-chase-symlink-when-converting-directory-O_PATH-fd-to.patch new file mode 100644 index 0000000..3ba6254 --- /dev/null +++ b/SOURCES/0162-chase-symlink-when-converting-directory-O_PATH-fd-to.patch @@ -0,0 +1,27 @@ +From 2bd9f97275480842c99117123daab69cbb8f45f4 Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Fri, 2 Dec 2022 23:50:57 +0100 +Subject: [PATCH] chase-symlink: when converting directory O_PATH fd to real + fd, don't bother with /proc/ + +Replaces: #25581 +(cherry picked from commit 2075b6dd394e09a0f203b9cc7e3253908397f933) + +Related: #2138081 +--- + src/basic/chase-symlinks.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/basic/chase-symlinks.c b/src/basic/chase-symlinks.c +index afab54f067..ac55311f4d 100644 +--- a/src/basic/chase-symlinks.c ++++ b/src/basic/chase-symlinks.c +@@ -471,7 +471,7 @@ int chase_symlinks_and_opendir( + return r; + assert(path_fd >= 0); + +- d = opendir(FORMAT_PROC_FD_PATH(path_fd)); ++ d = xopendirat(path_fd, ".", O_NOFOLLOW); + if (!d) + return -errno; + diff --git a/SOURCES/0163-systemctl-print-a-clear-warning-if-people-invoke-sys.patch b/SOURCES/0163-systemctl-print-a-clear-warning-if-people-invoke-sys.patch new file mode 100644 index 0000000..fa43830 --- /dev/null +++ b/SOURCES/0163-systemctl-print-a-clear-warning-if-people-invoke-sys.patch @@ -0,0 +1,39 @@ +From d98adab06485b0da23294f8a5db4f94b40988e2a Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Fri, 2 Dec 2022 23:52:12 +0100 +Subject: [PATCH] systemctl: print a clear warning if people invoke systemctl + without /proc/ + +(cherry picked from commit 0f958c8d4fc13ed1c1af928b2a7d91d31c7576eb) + +Related: #2138081 +--- + src/systemctl/systemctl.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/src/systemctl/systemctl.c b/src/systemctl/systemctl.c +index 5858c3f6d3..91954d91e6 100644 +--- a/src/systemctl/systemctl.c ++++ b/src/systemctl/systemctl.c +@@ -20,6 +20,7 @@ + #include "rlimit-util.h" + #include "sigbus.h" + #include "signal-util.h" ++#include "stat-util.h" + #include "string-table.h" + #include "systemctl-add-dependency.h" + #include "systemctl-cancel-job.h" +@@ -1146,6 +1147,13 @@ static int run(int argc, char *argv[]) { + if (r <= 0) + goto finish; + ++ if (proc_mounted() == 0) ++ log_warning("%s%s/proc/ is not mounted. This is not a supported mode of operation. Please fix\n" ++ "your invocation environment to mount /proc/ and /sys/ properly. Proceeding anyway.\n" ++ "Your mileage may vary.", ++ emoji_enabled() ? special_glyph(SPECIAL_GLYPH_WARNING_SIGN) : "", ++ emoji_enabled() ? " " : ""); ++ + if (arg_action != ACTION_SYSTEMCTL && running_in_chroot() > 0) { + if (!arg_quiet) + log_info("Running in chroot, ignoring request."); diff --git a/SOURCES/0164-TEST-65-check-cat-config-operation-in-chroot.patch b/SOURCES/0164-TEST-65-check-cat-config-operation-in-chroot.patch new file mode 100644 index 0000000..52a3d4a --- /dev/null +++ b/SOURCES/0164-TEST-65-check-cat-config-operation-in-chroot.patch @@ -0,0 +1,48 @@ +From 3be1c0fa543f024319a03e89decedc6106cb4e02 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Mon, 5 Dec 2022 13:52:28 +0100 +Subject: [PATCH] TEST-65: check cat-config operation in chroot + +This verifies the fix in 2075b6dd394e09a0f203b9cc7e3253908397f933. + +(cherry picked from commit a7eed3eca3d7bc022d870258deb2f738b9527c6d) + +Related: #2138081 +--- + test/test-functions | 1 + + test/units/testsuite-65.sh | 10 ++++++++++ + 2 files changed, 11 insertions(+) + +diff --git a/test/test-functions b/test/test-functions +index 194cd682bb..94e11a686a 100644 +--- a/test/test-functions ++++ b/test/test-functions +@@ -158,6 +158,7 @@ BASICTOOLS=( + cat + chmod + chown ++ chroot + cmp + cryptsetup + cut +diff --git a/test/units/testsuite-65.sh b/test/units/testsuite-65.sh +index 1f34308b44..ebe1f57b52 100755 +--- a/test/units/testsuite-65.sh ++++ b/test/units/testsuite-65.sh +@@ -139,6 +139,16 @@ systemd-analyze cat-config systemd/system.conf systemd/journald.conf >/dev/null + systemd-analyze cat-config systemd/system.conf foo/bar systemd/journald.conf >/dev/null + systemd-analyze cat-config foo/bar + ++if [[ ! -v ASAN_OPTIONS ]]; then ++ # check that systemd-analyze cat-config paths work in a chroot ++ mkdir -p /tmp/root ++ mount --bind / /tmp/root ++ systemd-analyze cat-config systemd/system-preset >/tmp/out1 ++ chroot /tmp/root systemd-analyze cat-config systemd/system-preset >/tmp/out2 ++ diff /tmp/out{1,2} ++fi ++ ++# verify + mkdir -p /tmp/img/usr/lib/systemd/system/ + mkdir -p /tmp/img/opt/ + diff --git a/SOURCES/0165-TEST-65-use-v-more.patch b/SOURCES/0165-TEST-65-use-v-more.patch new file mode 100644 index 0000000..5ce2ece --- /dev/null +++ b/SOURCES/0165-TEST-65-use-v-more.patch @@ -0,0 +1,64 @@ +From fa44b8d1e6b0d5e0ef4dfcb01e26e7907068bfa3 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Wed, 7 Dec 2022 09:52:35 +0100 +Subject: [PATCH] TEST-65: use [[ -v ]] more + +It's a bashism, but we use other bash features anyway, and it's cleaner +and much less verbose. + +(cherry picked from commit 1f9caf28cafbec89b93b8e6b641d387ac5acdd24) + +Related: #2138081 +--- + test/units/testsuite-64.sh | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/test/units/testsuite-64.sh b/test/units/testsuite-64.sh +index 7673036335..fd1ad7c041 100755 +--- a/test/units/testsuite-64.sh ++++ b/test/units/testsuite-64.sh +@@ -192,7 +192,7 @@ testcase_nvme_subsystem() { + testcase_virtio_scsi_identically_named_partitions() { + local num + +- if [[ -n "${ASAN_OPTIONS:-}" ]] || [[ "$(systemd-detect-virt -v)" == "qemu" ]]; then ++ if [[ -v ASAN_OPTIONS || "$(systemd-detect-virt -v)" == "qemu" ]]; then + num=$((4 * 4)) + else + num=$((16 * 8)) +@@ -305,7 +305,7 @@ testcase_simultaneous_events() { + local -a devices symlinks + local -A running + +- if [[ -n "${ASAN_OPTIONS:-}" ]] || [[ "$(systemd-detect-virt -v)" == "qemu" ]]; then ++ if [[ -v ASAN_OPTIONS || "$(systemd-detect-virt -v)" == "qemu" ]]; then + num_part=2 + iterations=10 + timeout=240 +@@ -400,7 +400,7 @@ testcase_lvm_basic() { + /dev/disk/by-id/ata-foobar_deadbeeflvm{0..3} + ) + +- if [[ -n "${ASAN_OPTIONS:-}" ]] || [[ "$(systemd-detect-virt -v)" == "qemu" ]]; then ++ if [[ -v ASAN_OPTIONS || "$(systemd-detect-virt -v)" == "qemu" ]]; then + timeout=180 + else + timeout=30 +@@ -453,7 +453,7 @@ testcase_lvm_basic() { + helper_check_device_units + + # Same as above, but now with more "stress" +- if [[ -n "${ASAN_OPTIONS:-}" ]] || [[ "$(systemd-detect-virt -v)" == "qemu" ]]; then ++ if [[ -v ASAN_OPTIONS || "$(systemd-detect-virt -v)" == "qemu" ]]; then + iterations=10 + else + iterations=50 +@@ -478,7 +478,7 @@ testcase_lvm_basic() { + helper_check_device_units + + # Create & remove LVs in a loop, i.e. with more "stress" +- if [[ -n "${ASAN_OPTIONS:-}" ]]; then ++ if [[ -v ASAN_OPTIONS ]]; then + iterations=8 + partitions=16 + elif [[ "$(systemd-detect-virt -v)" == "qemu" ]]; then diff --git a/SOURCES/0166-systemctl-warn-if-trying-to-disable-a-unit-with-no-i.patch b/SOURCES/0166-systemctl-warn-if-trying-to-disable-a-unit-with-no-i.patch new file mode 100644 index 0000000..8049f63 --- /dev/null +++ b/SOURCES/0166-systemctl-warn-if-trying-to-disable-a-unit-with-no-i.patch @@ -0,0 +1,227 @@ +From 201c651eaaf886064987272cc88b03995fd2715d Mon Sep 17 00:00:00 2001 +From: Mike Yuan +Date: Fri, 18 Nov 2022 15:43:34 +0800 +Subject: [PATCH] systemctl: warn if trying to disable a unit with no install + info + +Trying to disable a unit with no install info is mostly useless, so +adding a warning like we do for enable (with the new dbus method +'DisableUnitFilesWithFlagsAndInstallInfo()'). Note that it would +still find and remove symlinks to the unit in /etc, regardless of +whether it has install info or not, just like before. And if there are +actually files to remove, we suppress the warning. + +Fixes #17689 + +(cherry picked from commit bf1bea43f15b04152a3948702ba1695a0835c2bf) + +Related: #2141979 +--- + man/org.freedesktop.systemd1.xml | 13 ++++++++++++- + src/core/dbus-manager.c | 21 ++++++++++++++++----- + src/shared/install.c | 21 +++++++++++++++++---- + src/systemctl/systemctl-enable.c | 15 ++++++++++----- + 4 files changed, 55 insertions(+), 15 deletions(-) + +diff --git a/man/org.freedesktop.systemd1.xml b/man/org.freedesktop.systemd1.xml +index 5e08b35234..c2f70870c7 100644 +--- a/man/org.freedesktop.systemd1.xml ++++ b/man/org.freedesktop.systemd1.xml +@@ -209,6 +209,10 @@ node /org/freedesktop/systemd1 { + DisableUnitFilesWithFlags(in as files, + in t flags, + out a(sss) changes); ++ DisableUnitFilesWithFlagsAndInstallInfo(in as files, ++ in t flags, ++ out b carries_install_info, ++ out a(sss) changes); + ReenableUnitFiles(in as files, + in b runtime, + in b force, +@@ -916,6 +920,8 @@ node /org/freedesktop/systemd1 { + + + ++ ++ + + + +@@ -1417,7 +1423,7 @@ node /org/freedesktop/systemd1 { + enabled for runtime only (true, /run/), or persistently (false, + /etc/). The second one controls whether symlinks pointing to other units shall be + replaced if necessary. This method returns one boolean and an array of the changes made. The boolean +- signals whether the unit files contained any enablement information (i.e. an [Install]) section. The ++ signals whether the unit files contained any enablement information (i.e. an [Install] section). The + changes array consists of structures with three strings: the type of the change (one of + symlink or unlink), the file name of the symlink and the + destination of the symlink. Note that most of the following calls return a changes list in the same +@@ -1440,6 +1446,11 @@ node /org/freedesktop/systemd1 { + replaced if necessary. SD_SYSTEMD_UNIT_PORTABLE will add or remove the symlinks in + /etc/systemd/system.attached and /run/systemd/system.attached. + ++ DisableUnitFilesWithFlagsAndInstallInfo() is similar to ++ DisableUnitFilesWithFlags() and takes the same arguments, but returns ++ a boolean to indicate whether the unit files contain any enablement information, like ++ EnableUnitFiles(). The changes made are still returned in an array. ++ + Similarly, ReenableUnitFiles() applies the changes to one or more units that + would result from disabling and enabling the unit quickly one after the other in an atomic + fashion. This is useful to apply updated [Install] information contained in unit files. +diff --git a/src/core/dbus-manager.c b/src/core/dbus-manager.c +index 88f098ec86..2db12721a1 100644 +--- a/src/core/dbus-manager.c ++++ b/src/core/dbus-manager.c +@@ -2425,6 +2425,7 @@ static int method_disable_unit_files_generic( + sd_bus_message *message, + Manager *m, + int (*call)(LookupScope scope, UnitFileFlags flags, const char *root_dir, char *files[], InstallChange **changes, size_t *n_changes), ++ bool carries_install_info, + sd_bus_error *error) { + + _cleanup_strv_free_ char **l = NULL; +@@ -2440,7 +2441,8 @@ static int method_disable_unit_files_generic( + if (r < 0) + return r; + +- if (sd_bus_message_is_method_call(message, NULL, "DisableUnitFilesWithFlags")) { ++ if (sd_bus_message_is_method_call(message, NULL, "DisableUnitFilesWithFlags") || ++ sd_bus_message_is_method_call(message, NULL, "DisableUnitFilesWithFlagsAndInstallInfo")) { + uint64_t raw_flags; + + r = sd_bus_message_read(message, "t", &raw_flags); +@@ -2469,19 +2471,23 @@ static int method_disable_unit_files_generic( + if (r < 0) + return install_error(error, r, changes, n_changes); + +- return reply_install_changes_and_free(m, message, -1, changes, n_changes, error); ++ return reply_install_changes_and_free(m, message, carries_install_info ? r : -1, changes, n_changes, error); + } + + static int method_disable_unit_files_with_flags(sd_bus_message *message, void *userdata, sd_bus_error *error) { +- return method_disable_unit_files_generic(message, userdata, unit_file_disable, error); ++ return method_disable_unit_files_generic(message, userdata, unit_file_disable, /* carries_install_info = */ false, error); ++} ++ ++static int method_disable_unit_files_with_flags_and_install_info(sd_bus_message *message, void *userdata, sd_bus_error *error) { ++ return method_disable_unit_files_generic(message, userdata, unit_file_disable, /* carries_install_info = */ true, error); + } + + static int method_disable_unit_files(sd_bus_message *message, void *userdata, sd_bus_error *error) { +- return method_disable_unit_files_generic(message, userdata, unit_file_disable, error); ++ return method_disable_unit_files_generic(message, userdata, unit_file_disable, /* carries_install_info = */ false, error); + } + + static int method_unmask_unit_files(sd_bus_message *message, void *userdata, sd_bus_error *error) { +- return method_disable_unit_files_generic(message, userdata, unit_file_unmask, error); ++ return method_disable_unit_files_generic(message, userdata, unit_file_unmask, /* carries_install_info = */ false, error); + } + + static int method_revert_unit_files(sd_bus_message *message, void *userdata, sd_bus_error *error) { +@@ -3194,6 +3200,11 @@ const sd_bus_vtable bus_manager_vtable[] = { + SD_BUS_RESULT("a(sss)", changes), + method_disable_unit_files_with_flags, + SD_BUS_VTABLE_UNPRIVILEGED), ++ SD_BUS_METHOD_WITH_ARGS("DisableUnitFilesWithFlagsAndInstallInfo", ++ SD_BUS_ARGS("as", files, "t", flags), ++ SD_BUS_RESULT("b", carries_install_info, "a(sss)", changes), ++ method_disable_unit_files_with_flags_and_install_info, ++ SD_BUS_VTABLE_UNPRIVILEGED), + SD_BUS_METHOD_WITH_ARGS("ReenableUnitFiles", + SD_BUS_ARGS("as", files, "b", runtime, "b", force), + SD_BUS_RESULT("b", carries_install_info, "a(sss)", changes), +diff --git a/src/shared/install.c b/src/shared/install.c +index 834a1c59e3..4b610b20a5 100644 +--- a/src/shared/install.c ++++ b/src/shared/install.c +@@ -2790,25 +2790,38 @@ static int do_unit_file_disable( + + _cleanup_(install_context_done) InstallContext ctx = { .scope = scope }; + _cleanup_set_free_free_ Set *remove_symlinks_to = NULL; ++ InstallInfo *info; ++ bool has_install_info = false; + int r; + + STRV_FOREACH(name, names) { + if (!unit_name_is_valid(*name, UNIT_NAME_ANY)) + return install_changes_add(changes, n_changes, -EUCLEAN, *name, NULL); + +- r = install_info_add(&ctx, *name, NULL, lp->root_dir, /* auxiliary= */ false, NULL); ++ r = install_info_add(&ctx, *name, NULL, lp->root_dir, /* auxiliary= */ false, &info); ++ if (r >= 0) ++ r = install_info_traverse(&ctx, lp, info, SEARCH_LOAD|SEARCH_FOLLOW_CONFIG_SYMLINKS, NULL); ++ + if (r < 0) +- return r; ++ return install_changes_add(changes, n_changes, r, *name, NULL); ++ ++ /* If we enable multiple units, some with install info and others without, ++ * the "empty [Install] section" warning is not shown. Let's make the behavior ++ * of disable align with that. */ ++ has_install_info = has_install_info || install_info_has_rules(info) || install_info_has_also(info); + } + + r = install_context_mark_for_removal(&ctx, lp, &remove_symlinks_to, config_path, changes, n_changes); ++ if (r >= 0) ++ r = remove_marked_symlinks(remove_symlinks_to, config_path, lp, flags & UNIT_FILE_DRY_RUN, changes, n_changes); ++ + if (r < 0) + return r; + +- return remove_marked_symlinks(remove_symlinks_to, config_path, lp, flags & UNIT_FILE_DRY_RUN, changes, n_changes); ++ /* The warning is shown only if it's a no-op */ ++ return install_changes_have_modification(*changes, *n_changes) || has_install_info; + } + +- + int unit_file_disable( + LookupScope scope, + UnitFileFlags flags, +diff --git a/src/systemctl/systemctl-enable.c b/src/systemctl/systemctl-enable.c +index 5be4c0c725..aea66872de 100644 +--- a/src/systemctl/systemctl-enable.c ++++ b/src/systemctl/systemctl-enable.c +@@ -109,9 +109,10 @@ int verb_enable(int argc, char *argv[], void *userdata) { + if (streq(verb, "enable")) { + r = unit_file_enable(arg_scope, flags, arg_root, names, &changes, &n_changes); + carries_install_info = r; +- } else if (streq(verb, "disable")) ++ } else if (streq(verb, "disable")) { + r = unit_file_disable(arg_scope, flags, arg_root, names, &changes, &n_changes); +- else if (streq(verb, "reenable")) { ++ carries_install_info = r; ++ } else if (streq(verb, "reenable")) { + r = unit_file_reenable(arg_scope, flags, arg_root, names, &changes, &n_changes); + carries_install_info = r; + } else if (streq(verb, "link")) +@@ -165,7 +166,8 @@ int verb_enable(int argc, char *argv[], void *userdata) { + method = "EnableUnitFiles"; + expect_carries_install_info = true; + } else if (streq(verb, "disable")) { +- method = "DisableUnitFiles"; ++ method = "DisableUnitFilesWithFlagsAndInstallInfo"; ++ expect_carries_install_info = true; + send_force = false; + } else if (streq(verb, "reenable")) { + method = "ReenableUnitFiles"; +@@ -208,7 +210,10 @@ int verb_enable(int argc, char *argv[], void *userdata) { + } + + if (send_runtime) { +- r = sd_bus_message_append(m, "b", arg_runtime); ++ if (streq(method, "DisableUnitFilesWithFlagsAndInstallInfo")) ++ r = sd_bus_message_append(m, "t", arg_runtime ? UNIT_FILE_RUNTIME : 0); ++ else ++ r = sd_bus_message_append(m, "b", arg_runtime); + if (r < 0) + return bus_log_create_error(r); + } +@@ -245,7 +250,7 @@ int verb_enable(int argc, char *argv[], void *userdata) { + if (carries_install_info == 0 && !ignore_carries_install_info) + log_notice("The unit files have no installation config (WantedBy=, RequiredBy=, Also=,\n" + "Alias= settings in the [Install] section, and DefaultInstance= for template\n" +- "units). This means they are not meant to be enabled using systemctl.\n" ++ "units). This means they are not meant to be enabled or disabled using systemctl.\n" + " \n" /* trick: the space is needed so that the line does not get stripped from output */ + "Possible reasons for having this kind of units are:\n" + "%1$s A unit may be statically enabled by being symlinked from another unit's\n" diff --git a/SOURCES/0167-systemctl-allow-suppress-the-warning-of-no-install-i.patch b/SOURCES/0167-systemctl-allow-suppress-the-warning-of-no-install-i.patch new file mode 100644 index 0000000..6c25260 --- /dev/null +++ b/SOURCES/0167-systemctl-allow-suppress-the-warning-of-no-install-i.patch @@ -0,0 +1,136 @@ +From 79c16ad7a09623b987a50a0d04a61fed41e45a77 Mon Sep 17 00:00:00 2001 +From: Mike Yuan +Date: Sun, 27 Nov 2022 21:18:44 +0800 +Subject: [PATCH] systemctl: allow suppress the warning of no install info + using --no-warn + +In cases like packaging scripts, it might be desired to use +enable/disable on units without install info. So, adding an +option '--no-warn' to suppress the warning. + +(cherry picked from commit 108d35ac7d435b4f1378a9c0fa50858263475e09) + +Related: #2141979 +--- + man/systemctl.xml | 18 ++++++++++++++++-- + src/systemctl/systemctl-enable.c | 2 +- + src/systemctl/systemctl.c | 9 +++++++++ + src/systemctl/systemctl.h | 1 + + 4 files changed, 27 insertions(+), 3 deletions(-) + +diff --git a/man/systemctl.xml b/man/systemctl.xml +index f743c182fe..d909dc4db4 100644 +--- a/man/systemctl.xml ++++ b/man/systemctl.xml +@@ -771,6 +771,9 @@ Jan 12 10:46:45 example.com bluetoothd[8900]: gatt-time-server: Input/output err + account. + + ++ When using this operation on units without install information, a warning about it is shown. ++ can be used to suppress the warning. ++ + Enabling units should not be confused with starting (activating) units, as done by the + start command. Enabling and starting units is orthogonal: units may be enabled without + being started and started without being enabled. Enabling simply hooks the unit into various suggested +@@ -814,8 +817,8 @@ Jan 12 10:46:45 example.com bluetoothd[8900]: gatt-time-server: Input/output err + executed. This output may be suppressed by passing . + + +- This command honors , , +- and in a similar way as enable. ++ This command honors , , , ++ and in a similar way as enable. + + + +@@ -1997,6 +2000,17 @@ Jan 12 10:46:45 example.com bluetoothd[8900]: gatt-time-server: Input/output err + + + ++ ++ ++ ++ ++ Don't generate the warning shown by default when using ++ enable or disable on units ++ without install information (i.e. don't have or have an empty ++ [Install] section). ++ ++ ++ + + + +diff --git a/src/systemctl/systemctl-enable.c b/src/systemctl/systemctl-enable.c +index aea66872de..86d9f602fa 100644 +--- a/src/systemctl/systemctl-enable.c ++++ b/src/systemctl/systemctl-enable.c +@@ -67,7 +67,7 @@ int verb_enable(int argc, char *argv[], void *userdata) { + InstallChange *changes = NULL; + size_t n_changes = 0; + int carries_install_info = -1; +- bool ignore_carries_install_info = arg_quiet; ++ bool ignore_carries_install_info = arg_quiet || arg_no_warn; + int r; + + if (!argv[1]) +diff --git a/src/systemctl/systemctl.c b/src/systemctl/systemctl.c +index 91954d91e6..57e9966d3c 100644 +--- a/src/systemctl/systemctl.c ++++ b/src/systemctl/systemctl.c +@@ -83,6 +83,7 @@ bool arg_show_types = false; + int arg_check_inhibitors = -1; + bool arg_dry_run = false; + bool arg_quiet = false; ++bool arg_no_warn = false; + bool arg_full = false; + bool arg_recursive = false; + bool arg_with_dependencies = false; +@@ -276,6 +277,8 @@ static int systemctl_help(void) { + " kexec, suspend, hibernate, suspend-then-hibernate,\n" + " hybrid-sleep, default, rescue, emergency, and exit.\n" + " -q --quiet Suppress output\n" ++ " --no-warn Don't generate warning when trying to enable/disable\n" ++ " units without install information\n" + " --wait For (re)start, wait until service stopped again\n" + " For is-system-running, wait until startup is completed\n" + " --no-block Do not wait until operation finished\n" +@@ -432,6 +435,7 @@ static int systemctl_parse_argv(int argc, char *argv[]) { + ARG_READ_ONLY, + ARG_MKDIR, + ARG_MARKED, ++ ARG_NO_WARN, + }; + + static const struct option options[] = { +@@ -464,6 +468,7 @@ static int systemctl_parse_argv(int argc, char *argv[]) { + { "no-wall", no_argument, NULL, ARG_NO_WALL }, + { "dry-run", no_argument, NULL, ARG_DRY_RUN }, + { "quiet", no_argument, NULL, 'q' }, ++ { "no-warn", no_argument, NULL, ARG_NO_WARN }, + { "root", required_argument, NULL, ARG_ROOT }, + { "image", required_argument, NULL, ARG_IMAGE }, + { "force", no_argument, NULL, 'f' }, +@@ -925,6 +930,10 @@ static int systemctl_parse_argv(int argc, char *argv[]) { + arg_marked = true; + break; + ++ case ARG_NO_WARN: ++ arg_no_warn = true; ++ break; ++ + case '.': + /* Output an error mimicking getopt, and print a hint afterwards */ + log_error("%s: invalid option -- '.'", program_invocation_name); +diff --git a/src/systemctl/systemctl.h b/src/systemctl/systemctl.h +index 2454c4c714..1a7a6e28d3 100644 +--- a/src/systemctl/systemctl.h ++++ b/src/systemctl/systemctl.h +@@ -65,6 +65,7 @@ extern bool arg_show_types; + extern int arg_check_inhibitors; + extern bool arg_dry_run; + extern bool arg_quiet; ++extern bool arg_no_warn; + extern bool arg_full; + extern bool arg_recursive; + extern bool arg_with_dependencies; diff --git a/SOURCES/0168-rpm-systemd-update-helper-use-no-warn-when-disabling.patch b/SOURCES/0168-rpm-systemd-update-helper-use-no-warn-when-disabling.patch new file mode 100644 index 0000000..bc54cb6 --- /dev/null +++ b/SOURCES/0168-rpm-systemd-update-helper-use-no-warn-when-disabling.patch @@ -0,0 +1,44 @@ +From 4161593c24ea24f03bc89d74147e7209dc02ba80 Mon Sep 17 00:00:00 2001 +From: Mike Yuan +Date: Sat, 3 Dec 2022 20:27:47 +0800 +Subject: [PATCH] rpm/systemd-update-helper: use --no-warn when disabling units + +Suppress the "empty [Install] section" warning (see #25437). + +(cherry picked from commit 0acb1459a15f5b4d3a9bd2e7bf52661ca7bdebf0) + +Related: #2141979 +--- + src/rpm/systemd-update-helper.in | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/src/rpm/systemd-update-helper.in b/src/rpm/systemd-update-helper.in +index ab8cdc0ff9..b35d952fab 100755 +--- a/src/rpm/systemd-update-helper.in ++++ b/src/rpm/systemd-update-helper.in +@@ -19,21 +19,21 @@ case "$command" in + + remove-system-units) + if [ -d /run/systemd/system ]; then +- systemctl --no-reload disable --now "$@" ++ systemctl --no-reload disable --now --no-warn "$@" + else +- systemctl --no-reload disable "$@" ++ systemctl --no-reload disable --no-warn "$@" + fi + ;; + + remove-user-units) +- systemctl --global disable "$@" ++ systemctl --global disable --no-warn "$@" + + [ -d /run/systemd/system ] || exit 0 + + users=$(systemctl list-units 'user@*' --legend=no | sed -n -r 's/.*user@([0-9]+).service.*/\1/p') + for user in $users; do + SYSTEMD_BUS_TIMEOUT={{UPDATE_HELPER_USER_TIMEOUT}} \ +- systemctl --user -M "$user@" disable --now "$@" & ++ systemctl --user -M "$user@" disable --now --no-warn "$@" & + done + wait + ;; diff --git a/SOURCES/0169-systemctl-suppress-warning-about-missing-proc-when-n.patch b/SOURCES/0169-systemctl-suppress-warning-about-missing-proc-when-n.patch new file mode 100644 index 0000000..2f3a8ee --- /dev/null +++ b/SOURCES/0169-systemctl-suppress-warning-about-missing-proc-when-n.patch @@ -0,0 +1,80 @@ +From 02fbe7d4c9bd34134c12978726b036ec1ceea839 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Wed, 7 Dec 2022 13:59:01 +0900 +Subject: [PATCH] systemctl: suppress warning about missing /proc/ when + --no-warn + +Follow-up for 0f958c8d4fc13ed1c1af928b2a7d91d31c7576eb. + +systemctl is called many times by dnf or so, and missing /proc/ is not +a user's fault, but package manager's issue. +With this commit, we can suppress the warning by updating rpm macros if +necessary. + +(cherry picked from commit 91dfb74ef5e38625dada2c2a6ae30152e64c3f5b) + +Related: #2141979 +--- + man/systemctl.xml | 16 ++++++++++++---- + src/systemctl/systemctl.c | 14 +++++++------- + 2 files changed, 19 insertions(+), 11 deletions(-) + +diff --git a/man/systemctl.xml b/man/systemctl.xml +index d909dc4db4..b73d4ac048 100644 +--- a/man/systemctl.xml ++++ b/man/systemctl.xml +@@ -2004,10 +2004,18 @@ Jan 12 10:46:45 example.com bluetoothd[8900]: gatt-time-server: Input/output err + + + +- Don't generate the warning shown by default when using +- enable or disable on units +- without install information (i.e. don't have or have an empty +- [Install] section). ++ Don't generate the warnings shown by default in the following cases: ++ ++ ++ when systemctl is invoked without procfs mounted on ++ /proc/, ++ ++ ++ when using enable or disable on units without ++ install information (i.e. don't have or have an empty [Install] section). ++ ++ ++ + + + +diff --git a/src/systemctl/systemctl.c b/src/systemctl/systemctl.c +index 57e9966d3c..3f2b0029ca 100644 +--- a/src/systemctl/systemctl.c ++++ b/src/systemctl/systemctl.c +@@ -277,8 +277,7 @@ static int systemctl_help(void) { + " kexec, suspend, hibernate, suspend-then-hibernate,\n" + " hybrid-sleep, default, rescue, emergency, and exit.\n" + " -q --quiet Suppress output\n" +- " --no-warn Don't generate warning when trying to enable/disable\n" +- " units without install information\n" ++ " --no-warn Suppress several warnings shown by default\n" + " --wait For (re)start, wait until service stopped again\n" + " For is-system-running, wait until startup is completed\n" + " --no-block Do not wait until operation finished\n" +@@ -1157,11 +1156,12 @@ static int run(int argc, char *argv[]) { + goto finish; + + if (proc_mounted() == 0) +- log_warning("%s%s/proc/ is not mounted. This is not a supported mode of operation. Please fix\n" +- "your invocation environment to mount /proc/ and /sys/ properly. Proceeding anyway.\n" +- "Your mileage may vary.", +- emoji_enabled() ? special_glyph(SPECIAL_GLYPH_WARNING_SIGN) : "", +- emoji_enabled() ? " " : ""); ++ log_full(arg_no_warn ? LOG_DEBUG : LOG_WARNING, ++ "%s%s/proc/ is not mounted. This is not a supported mode of operation. Please fix\n" ++ "your invocation environment to mount /proc/ and /sys/ properly. Proceeding anyway.\n" ++ "Your mileage may vary.", ++ emoji_enabled() ? special_glyph(SPECIAL_GLYPH_WARNING_SIGN) : "", ++ emoji_enabled() ? " " : ""); + + if (arg_action != ACTION_SYSTEMCTL && running_in_chroot() > 0) { + if (!arg_quiet) diff --git a/SOURCES/0170-shell-completion-systemctl-add-no-warn.patch b/SOURCES/0170-shell-completion-systemctl-add-no-warn.patch new file mode 100644 index 0000000..fc30e3e --- /dev/null +++ b/SOURCES/0170-shell-completion-systemctl-add-no-warn.patch @@ -0,0 +1,38 @@ +From 282bb5b70e6ff146ba81fea82d85d1e3f0cebc77 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Tue, 13 Dec 2022 09:05:11 +0900 +Subject: [PATCH] shell-completion: systemctl: add --no-warn + +(cherry picked from commit 93b0ec8bc533e8e8245560152c57e9c5dfb906bf) + +Related: #2141979 +--- + shell-completion/bash/systemctl.in | 2 +- + shell-completion/zsh/_systemctl.in | 1 + + 2 files changed, 2 insertions(+), 1 deletion(-) + +diff --git a/shell-completion/bash/systemctl.in b/shell-completion/bash/systemctl.in +index f935960c77..3c64467e2f 100644 +--- a/shell-completion/bash/systemctl.in ++++ b/shell-completion/bash/systemctl.in +@@ -128,7 +128,7 @@ _systemctl () { + [STANDALONE]='--all -a --reverse --after --before --defaults --force -f --full -l --global + --help -h --no-ask-password --no-block --legend=no --no-pager --no-reload --no-wall --now + --quiet -q --system --user --version --runtime --recursive -r --firmware-setup +- --show-types --plain --failed --value --fail --dry-run --wait' ++ --show-types --plain --failed --value --fail --dry-run --wait --no-warn' + [ARG]='--host -H --kill-whom --property -p --signal -s --type -t --state --job-mode --root + --preset-mode -n --lines -o --output -M --machine --message --timestamp --check-inhibitors' + ) +diff --git a/shell-completion/zsh/_systemctl.in b/shell-completion/zsh/_systemctl.in +index d471743030..2811582236 100644 +--- a/shell-completion/zsh/_systemctl.in ++++ b/shell-completion/zsh/_systemctl.in +@@ -480,6 +480,7 @@ _arguments -s \ + '--show-types[When showing sockets, show socket type]' \ + '--check-inhibitors[Specify if inhibitors should be checked]:mode:_systemctl_check_inhibitors' \ + {-q,--quiet}'[Suppress output]' \ ++ '--no-warn[Suppress several warnings shown by default]' \ + '--no-block[Do not wait until operation finished]' \ + '--legend=no[Do not print a legend, i.e. the column headers and the footer with hints]' \ + '--no-pager[Do not pipe output into a pager]' \ diff --git a/SOURCES/0171-core-unit-drop-doubled-empty-line.patch b/SOURCES/0171-core-unit-drop-doubled-empty-line.patch new file mode 100644 index 0000000..4247ca0 --- /dev/null +++ b/SOURCES/0171-core-unit-drop-doubled-empty-line.patch @@ -0,0 +1,24 @@ +From bc9f6f765f772e8535325c224d2023165bc53e5c Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Tue, 15 Nov 2022 12:54:11 +0900 +Subject: [PATCH] core/unit: drop doubled empty line + +(cherry picked from commit ca1999a24c88b2460240aaff8095c2db7491f77c) + +Related: #2160477 +--- + src/core/unit.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/src/core/unit.c b/src/core/unit.c +index 4bb7e2d498..4cde5c4b4e 100644 +--- a/src/core/unit.c ++++ b/src/core/unit.c +@@ -720,7 +720,6 @@ Unit* unit_free(Unit *u) { + if (u->on_console) + manager_unref_console(u->manager); + +- + fdset_free(u->initial_socket_bind_link_fds); + #if BPF_FRAMEWORK + bpf_link_free(u->ipv4_socket_bind_link); diff --git a/SOURCES/0172-core-unit-drop-dependency-to-the-unit-being-merged.patch b/SOURCES/0172-core-unit-drop-dependency-to-the-unit-being-merged.patch new file mode 100644 index 0000000..3cba262 --- /dev/null +++ b/SOURCES/0172-core-unit-drop-dependency-to-the-unit-being-merged.patch @@ -0,0 +1,66 @@ +From 82e78c509c9eab33c1dbf2bc445f91b67b2f118f Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Wed, 16 Nov 2022 03:08:22 +0900 +Subject: [PATCH] core/unit: drop dependency to the unit being merged + +Fixes a bug in 15ed3c3a188cf7fa5a60ae508fc7a3ed048d2220. + +Fixes #24990. Also, hopefully fixes #24577. + +(cherry picked from commit c8b3b524134539846917269ddd644ee93a35623f) + +Related: #2160477 +--- + src/core/unit.c | 21 +++++++++++++-------- + 1 file changed, 13 insertions(+), 8 deletions(-) + +diff --git a/src/core/unit.c b/src/core/unit.c +index 4cde5c4b4e..ae9f688ad2 100644 +--- a/src/core/unit.c ++++ b/src/core/unit.c +@@ -1043,10 +1043,10 @@ static int unit_add_dependency_hashmap( + return unit_per_dependency_type_hashmap_update(per_type, other, origin_mask, destination_mask); + } + +-static void unit_merge_dependencies( +- Unit *u, +- Unit *other) { +- ++static void unit_merge_dependencies(Unit *u, Unit *other) { ++ Hashmap *deps; ++ void *dt; /* Actually of type UnitDependency, except that we don't bother casting it here, ++ * since the hashmaps all want it as void pointer. */ + int r; + + assert(u); +@@ -1055,12 +1055,19 @@ static void unit_merge_dependencies( + if (u == other) + return; + ++ /* First, remove dependency to other. */ ++ HASHMAP_FOREACH_KEY(deps, dt, u->dependencies) { ++ if (hashmap_remove(deps, other)) ++ unit_maybe_warn_about_dependency(u, other->id, UNIT_DEPENDENCY_FROM_PTR(dt)); ++ ++ if (hashmap_isempty(deps)) ++ hashmap_free(hashmap_remove(u->dependencies, dt)); ++ } ++ + for (;;) { + _cleanup_(hashmap_freep) Hashmap *other_deps = NULL; + UnitDependencyInfo di_back; + Unit *back; +- void *dt; /* Actually of type UnitDependency, except that we don't bother casting it here, +- * since the hashmaps all want it as void pointer. */ + + /* Let's focus on one dependency type at a time, that 'other' has defined. */ + other_deps = hashmap_steal_first_key_and_value(other->dependencies, &dt); +@@ -1102,8 +1109,6 @@ static void unit_merge_dependencies( + * them per type wholesale. */ + r = hashmap_put(u->dependencies, dt, other_deps); + if (r == -EEXIST) { +- Hashmap *deps; +- + /* The target unit already has dependencies of this type, let's then merge this individually. */ + + assert_se(deps = hashmap_get(u->dependencies, dt)); diff --git a/SOURCES/0173-core-unit-fix-logic-of-dropping-self-referencing-dep.patch b/SOURCES/0173-core-unit-fix-logic-of-dropping-self-referencing-dep.patch new file mode 100644 index 0000000..684c98c --- /dev/null +++ b/SOURCES/0173-core-unit-fix-logic-of-dropping-self-referencing-dep.patch @@ -0,0 +1,32 @@ +From 1d12983063afc64709894d80b7adcf6609aa9a43 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Tue, 15 Nov 2022 23:08:35 +0900 +Subject: [PATCH] core/unit: fix logic of dropping self-referencing + dependencies + +Fixes a bug in 15ed3c3a188cf7fa5a60ae508fc7a3ed048d2220. + +(cherry picked from commit 53e0e6ef0eea396bb432cbfc1f2f6ea1272ff1f1) + +Related: #2160477 +--- + src/core/unit.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/src/core/unit.c b/src/core/unit.c +index ae9f688ad2..dbbf818622 100644 +--- a/src/core/unit.c ++++ b/src/core/unit.c +@@ -1130,10 +1130,11 @@ static void unit_merge_dependencies(Unit *u, Unit *other) { + } + } else { + assert_se(r >= 0); +- TAKE_PTR(other_deps); + + if (hashmap_remove(other_deps, u)) + unit_maybe_warn_about_dependency(u, other->id, UNIT_DEPENDENCY_FROM_PTR(dt)); ++ ++ TAKE_PTR(other_deps); + } + } + diff --git a/SOURCES/0174-core-unit-merge-two-loops-into-one.patch b/SOURCES/0174-core-unit-merge-two-loops-into-one.patch new file mode 100644 index 0000000..a8250dc --- /dev/null +++ b/SOURCES/0174-core-unit-merge-two-loops-into-one.patch @@ -0,0 +1,96 @@ +From 471e4ee0b4fa9c7e9a5ea875fbf22de77fdd25d0 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Thu, 17 Nov 2022 12:46:45 +0900 +Subject: [PATCH] core/unit: merge two loops into one + +No functional change, just refactoring. + +(cherry picked from commit 4b7918a65cc2571a2b3fc166229e1b8db463e217) + +Related: #2160477 +--- + src/core/unit.c | 47 +++++++++++++++-------------------------------- + 1 file changed, 15 insertions(+), 32 deletions(-) + +diff --git a/src/core/unit.c b/src/core/unit.c +index dbbf818622..6b49edc2de 100644 +--- a/src/core/unit.c ++++ b/src/core/unit.c +@@ -1047,7 +1047,6 @@ static void unit_merge_dependencies(Unit *u, Unit *other) { + Hashmap *deps; + void *dt; /* Actually of type UnitDependency, except that we don't bother casting it here, + * since the hashmaps all want it as void pointer. */ +- int r; + + assert(u); + assert(other); +@@ -1074,6 +1073,8 @@ static void unit_merge_dependencies(Unit *u, Unit *other) { + if (!other_deps) + break; /* done! */ + ++ deps = hashmap_get(u->dependencies, dt); ++ + /* Now iterate through all dependencies of this dependency type, of 'other'. We refer to the + * referenced units as 'back'. */ + HASHMAP_FOREACH_KEY(di_back.data, back, other_deps) { +@@ -1084,6 +1085,7 @@ static void unit_merge_dependencies(Unit *u, Unit *other) { + /* This is a dependency pointing back to the unit we want to merge with? + * Suppress it (but warn) */ + unit_maybe_warn_about_dependency(u, other->id, UNIT_DEPENDENCY_FROM_PTR(dt)); ++ hashmap_remove(other_deps, back); + continue; + } + +@@ -1102,40 +1104,21 @@ static void unit_merge_dependencies(Unit *u, Unit *other) { + di_move.origin_mask, + di_move.destination_mask) >= 0); + } +- } + +- /* Now all references towards 'other' of the current type 'dt' are corrected to point to +- * 'u'. Lets's now move the deps of type 'dt' from 'other' to 'u'. First, let's try to move +- * them per type wholesale. */ +- r = hashmap_put(u->dependencies, dt, other_deps); +- if (r == -EEXIST) { + /* The target unit already has dependencies of this type, let's then merge this individually. */ +- +- assert_se(deps = hashmap_get(u->dependencies, dt)); +- +- for (;;) { +- UnitDependencyInfo di_move; +- +- /* Get first dep */ +- di_move.data = hashmap_steal_first_key_and_value(other_deps, (void**) &back); +- if (!di_move.data) +- break; /* done */ +- if (back == u) { +- /* Would point back to us, ignore */ +- unit_maybe_warn_about_dependency(u, other->id, UNIT_DEPENDENCY_FROM_PTR(dt)); +- continue; +- } +- +- assert_se(unit_per_dependency_type_hashmap_update(deps, back, di_move.origin_mask, di_move.destination_mask) >= 0); +- } +- } else { +- assert_se(r >= 0); +- +- if (hashmap_remove(other_deps, u)) +- unit_maybe_warn_about_dependency(u, other->id, UNIT_DEPENDENCY_FROM_PTR(dt)); +- +- TAKE_PTR(other_deps); ++ if (deps) ++ assert_se(unit_per_dependency_type_hashmap_update( ++ deps, ++ back, ++ di_back.origin_mask, ++ di_back.destination_mask) >= 0); + } ++ ++ /* Now all references towards 'other' of the current type 'dt' are corrected to point to 'u'. ++ * Lets's now move the deps of type 'dt' from 'other' to 'u'. If the unit does not have ++ * dependencies of this type, let's move them per type wholesale. */ ++ if (!deps) ++ assert_se(hashmap_put(u->dependencies, dt, TAKE_PTR(other_deps)) >= 0); + } + + other->dependencies = hashmap_free(other->dependencies); diff --git a/SOURCES/0175-test-add-test-case-for-sysv-generator-and-invalid-de.patch b/SOURCES/0175-test-add-test-case-for-sysv-generator-and-invalid-de.patch new file mode 100644 index 0000000..c4c0d1a --- /dev/null +++ b/SOURCES/0175-test-add-test-case-for-sysv-generator-and-invalid-de.patch @@ -0,0 +1,148 @@ +From 55e11475d421f90cc5c7290c6b5d394f952ba577 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Tue, 15 Nov 2022 21:52:10 +0900 +Subject: [PATCH] test: add test case for sysv-generator and invalid dependency + +(cherry picked from commit 5f882cc3ab32636d9242effb2cefad20d92d2ec2) + +Related: #2160477 +--- + test/units/testsuite-26.sh | 116 ++++++++++++++++++++++++++++++++++++- + 1 file changed, 114 insertions(+), 2 deletions(-) + +diff --git a/test/units/testsuite-26.sh b/test/units/testsuite-26.sh +index 7c7a12b1ae..a8e7a5abaa 100755 +--- a/test/units/testsuite-26.sh ++++ b/test/units/testsuite-26.sh +@@ -3,10 +3,18 @@ + set -eux + set -o pipefail + ++# shellcheck source=test/units/assert.sh ++. "$(dirname "$0")"/assert.sh ++ ++: >/failed ++ + at_exit() { + if [[ -v UNIT_NAME && -e "/usr/lib/systemd/system/$UNIT_NAME" ]]; then + rm -fv "/usr/lib/systemd/system/$UNIT_NAME" + fi ++ ++ rm -f /etc/init.d/issue-24990 ++ return 0 + } + + trap at_exit EXIT +@@ -284,6 +292,110 @@ systemctl unset-environment IMPORT_THIS IMPORT_THIS_TOO + (! systemctl show-environment | grep "^IMPORT_THIS=") + (! systemctl show-environment | grep "^IMPORT_THIS_TOO=") + +-echo OK >/testok ++# test for sysv-generator (issue #24990) ++if [[ -x /usr/lib/systemd/system-generators/systemd-sysv-generator ]]; then ++ ++ # invalid dependency ++ cat >/etc/init.d/issue-24990 <<\EOF ++#!/bin/bash ++ ++### BEGIN INIT INFO ++# Provides:test1 test2 ++# Required-Start:test1 $remote_fs $network ++# Required-Stop:test1 $remote_fs $network ++# Description:Test ++# Short-Description: Test ++### END INIT INFO ++ ++case "$1" in ++ start) ++ echo "Starting issue-24990.service" ++ sleep 1000 & ++ ;; ++ stop) ++ echo "Stopping issue-24990.service" ++ sleep 10 & ++ ;; ++ *) ++ echo "Usage: service test {start|stop|restart|status}" ++ ;; ++esac ++EOF ++ ++ chmod +x /etc/init.d/issue-24990 ++ systemctl daemon-reload ++ [[ -L /run/systemd/generator.late/test1.service ]] ++ [[ -L /run/systemd/generator.late/test2.service ]] ++ assert_eq "$(readlink -f /run/systemd/generator.late/test1.service)" "/run/systemd/generator.late/issue-24990.service" ++ assert_eq "$(readlink -f /run/systemd/generator.late/test2.service)" "/run/systemd/generator.late/issue-24990.service" ++ output=$(systemctl cat issue-24990) ++ assert_in "SourcePath=/etc/init.d/issue-24990" "$output" ++ assert_in "Description=LSB: Test" "$output" ++ assert_in "After=test1.service" "$output" ++ assert_in "After=remote-fs.target" "$output" ++ assert_in "After=network-online.target" "$output" ++ assert_in "Wants=network-online.target" "$output" ++ assert_in "ExecStart=/etc/init.d/issue-24990 start" "$output" ++ assert_in "ExecStop=/etc/init.d/issue-24990 stop" "$output" ++ systemctl status issue-24990 || : ++ systemctl show issue-24990 ++ assert_not_in "issue-24990.service" "$(systemctl show --property=After --value)" ++ assert_not_in "issue-24990.service" "$(systemctl show --property=Before --value)" ++ ++ if ! systemctl is-active network-online.target; then ++ systemctl start network-online.target ++ fi ++ ++ systemctl restart issue-24990 ++ systemctl stop issue-24990 ++ ++ # valid dependency ++ cat >/etc/init.d/issue-24990 <<\EOF ++#!/bin/bash ++ ++### BEGIN INIT INFO ++# Provides:test1 test2 ++# Required-Start:$remote_fs ++# Required-Stop:$remote_fs ++# Description:Test ++# Short-Description: Test ++### END INIT INFO ++ ++case "$1" in ++ start) ++ echo "Starting issue-24990.service" ++ sleep 1000 & ++ ;; ++ stop) ++ echo "Stopping issue-24990.service" ++ sleep 10 & ++ ;; ++ *) ++ echo "Usage: service test {start|stop|restart|status}" ++ ;; ++esac ++EOF ++ ++ chmod +x /etc/init.d/issue-24990 ++ systemctl daemon-reload ++ [[ -L /run/systemd/generator.late/test1.service ]] ++ [[ -L /run/systemd/generator.late/test2.service ]] ++ assert_eq "$(readlink -f /run/systemd/generator.late/test1.service)" "/run/systemd/generator.late/issue-24990.service" ++ assert_eq "$(readlink -f /run/systemd/generator.late/test2.service)" "/run/systemd/generator.late/issue-24990.service" ++ output=$(systemctl cat issue-24990) ++ assert_in "SourcePath=/etc/init.d/issue-24990" "$output" ++ assert_in "Description=LSB: Test" "$output" ++ assert_in "After=remote-fs.target" "$output" ++ assert_in "ExecStart=/etc/init.d/issue-24990 start" "$output" ++ assert_in "ExecStop=/etc/init.d/issue-24990 stop" "$output" ++ systemctl status issue-24990 || : ++ systemctl show issue-24990 ++ assert_not_in "issue-24990.service" "$(systemctl show --property=After --value)" ++ assert_not_in "issue-24990.service" "$(systemctl show --property=Before --value)" ++ ++ systemctl restart issue-24990 ++ systemctl stop issue-24990 ++fi + +-exit 0 ++touch /testok ++rm /failed diff --git a/SOURCES/0176-core-unit-merge-unit-names-after-merging-deps.patch b/SOURCES/0176-core-unit-merge-unit-names-after-merging-deps.patch new file mode 100644 index 0000000..75585f4 --- /dev/null +++ b/SOURCES/0176-core-unit-merge-unit-names-after-merging-deps.patch @@ -0,0 +1,45 @@ +From 48455fa876129bf33df06d2e758fb0fbda510d5b Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Wed, 16 Nov 2022 03:18:30 +0900 +Subject: [PATCH] core/unit: merge unit names after merging deps + +Before: +systemd[1]: issue-24990.service: Dependency Before=n/a dropped, merged into issue-24990.service +After: +systemd[1]: issue-24990.service: Dependency Before=test1.service dropped, merged into issue-24990.service + +(cherry picked from commit 1d0c81a05b1605a5fc3db44d5a157a1d6876eda9) + +Related: #2160477 +--- + src/core/unit.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/src/core/unit.c b/src/core/unit.c +index 6b49edc2de..d1929bbf69 100644 +--- a/src/core/unit.c ++++ b/src/core/unit.c +@@ -1164,11 +1164,6 @@ int unit_merge(Unit *u, Unit *other) { + if (r < 0) + return r; + +- /* Merge names */ +- r = unit_merge_names(u, other); +- if (r < 0) +- return r; +- + /* Redirect all references */ + while (other->refs_by_target) + unit_ref_set(other->refs_by_target, other->refs_by_target->source, u); +@@ -1176,6 +1171,11 @@ int unit_merge(Unit *u, Unit *other) { + /* Merge dependencies */ + unit_merge_dependencies(u, other); + ++ /* Merge names. It is better to do that after merging deps, otherwise the log message contains n/a. */ ++ r = unit_merge_names(u, other); ++ if (r < 0) ++ return r; ++ + other->load_state = UNIT_MERGED; + other->merged_into = u; + diff --git a/SOURCES/0177-core-unit-fix-log-message.patch b/SOURCES/0177-core-unit-fix-log-message.patch new file mode 100644 index 0000000..ead6ae9 --- /dev/null +++ b/SOURCES/0177-core-unit-fix-log-message.patch @@ -0,0 +1,113 @@ +From 883e46f2e4255b92a338c9d4004a8b4740cdbcaf Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Tue, 15 Nov 2022 22:59:01 +0900 +Subject: [PATCH] core/unit: fix log message + +As you can see in the below, the dropped dependency Before=issue-24990.service +is not logged, but the dependency Before=test1.service which is not owned by +the units generated by the TEST-26 is logged. + +Before: +systemd[1]: issue-24990.service: Dependency After=test1.service dropped, merged into issue-24990.service +systemd[1]: issue-24990.service: Dependency Before=test1.service dropped, merged into issue-24990.service + +After: +systemd[1]: issue-24990.service: Dependency After=test1.service is dropped, as test1.service is merged into issue-24990.service. +systemd[1]: issue-24990.service: Dependency Before=issue-24990.service in test1.service is dropped, as test1.service is merged into issue-24990.service. + +(cherry picked from commit ed9911630e4bca844381d7caeb850dad9a9fa122) + +Related: #2160477 +--- + src/core/unit.c | 49 ++++++++++++++++++++++--------------------------- + 1 file changed, 22 insertions(+), 27 deletions(-) + +diff --git a/src/core/unit.c b/src/core/unit.c +index d1929bbf69..c319e99d71 100644 +--- a/src/core/unit.c ++++ b/src/core/unit.c +@@ -936,29 +936,17 @@ static int unit_reserve_dependencies(Unit *u, Unit *other) { + return 0; + } + +-static void unit_maybe_warn_about_dependency( +- Unit *u, +- const char *other_id, +- UnitDependency dependency) { +- +- assert(u); +- ++static bool unit_should_warn_about_dependency(UnitDependency dependency) { + /* Only warn about some unit types */ +- if (!IN_SET(dependency, +- UNIT_CONFLICTS, +- UNIT_CONFLICTED_BY, +- UNIT_BEFORE, +- UNIT_AFTER, +- UNIT_ON_SUCCESS, +- UNIT_ON_FAILURE, +- UNIT_TRIGGERS, +- UNIT_TRIGGERED_BY)) +- return; +- +- if (streq_ptr(u->id, other_id)) +- log_unit_warning(u, "Dependency %s=%s dropped", unit_dependency_to_string(dependency), u->id); +- else +- log_unit_warning(u, "Dependency %s=%s dropped, merged into %s", unit_dependency_to_string(dependency), strna(other_id), u->id); ++ return IN_SET(dependency, ++ UNIT_CONFLICTS, ++ UNIT_CONFLICTED_BY, ++ UNIT_BEFORE, ++ UNIT_AFTER, ++ UNIT_ON_SUCCESS, ++ UNIT_ON_FAILURE, ++ UNIT_TRIGGERS, ++ UNIT_TRIGGERED_BY); + } + + static int unit_per_dependency_type_hashmap_update( +@@ -1056,8 +1044,10 @@ static void unit_merge_dependencies(Unit *u, Unit *other) { + + /* First, remove dependency to other. */ + HASHMAP_FOREACH_KEY(deps, dt, u->dependencies) { +- if (hashmap_remove(deps, other)) +- unit_maybe_warn_about_dependency(u, other->id, UNIT_DEPENDENCY_FROM_PTR(dt)); ++ if (hashmap_remove(deps, other) && unit_should_warn_about_dependency(UNIT_DEPENDENCY_FROM_PTR(dt))) ++ log_unit_warning(u, "Dependency %s=%s is dropped, as %s is merged into %s.", ++ unit_dependency_to_string(UNIT_DEPENDENCY_FROM_PTR(dt)), ++ other->id, other->id, u->id); + + if (hashmap_isempty(deps)) + hashmap_free(hashmap_remove(u->dependencies, dt)); +@@ -1084,7 +1074,11 @@ static void unit_merge_dependencies(Unit *u, Unit *other) { + if (back == u) { + /* This is a dependency pointing back to the unit we want to merge with? + * Suppress it (but warn) */ +- unit_maybe_warn_about_dependency(u, other->id, UNIT_DEPENDENCY_FROM_PTR(dt)); ++ if (unit_should_warn_about_dependency(UNIT_DEPENDENCY_FROM_PTR(dt))) ++ log_unit_warning(u, "Dependency %s=%s in %s is dropped, as %s is merged into %s.", ++ unit_dependency_to_string(UNIT_DEPENDENCY_FROM_PTR(dt)), ++ u->id, other->id, other->id, u->id); ++ + hashmap_remove(other_deps, back); + continue; + } +@@ -3049,7 +3043,6 @@ int unit_add_dependency( + [UNIT_IN_SLICE] = UNIT_SLICE_OF, + [UNIT_SLICE_OF] = UNIT_IN_SLICE, + }; +- Unit *original_u = u, *original_other = other; + UnitDependencyAtom a; + int r; + +@@ -3068,7 +3061,9 @@ int unit_add_dependency( + + /* We won't allow dependencies on ourselves. We will not consider them an error however. */ + if (u == other) { +- unit_maybe_warn_about_dependency(original_u, original_other->id, d); ++ if (unit_should_warn_about_dependency(d)) ++ log_unit_warning(u, "Dependency %s=%s is dropped.", ++ unit_dependency_to_string(d), u->id); + return 0; + } + diff --git a/SOURCES/0178-test-explicitly-create-the-etc-init.d-directory.patch b/SOURCES/0178-test-explicitly-create-the-etc-init.d-directory.patch new file mode 100644 index 0000000..e8becc0 --- /dev/null +++ b/SOURCES/0178-test-explicitly-create-the-etc-init.d-directory.patch @@ -0,0 +1,34 @@ +From 0bdf4aaa0d8cdc6b2721d09fe630bf6185903a0d Mon Sep 17 00:00:00 2001 +From: Frantisek Sumsal +Date: Thu, 12 Jan 2023 19:19:28 +0100 +Subject: [PATCH] test: explicitly create the /etc/init.d directory + +On RHEL/CentOS/Fedora this directory is provided by the chkconfig or +initscripts package, which might not be installed: + +testsuite-26.sh[1225]: + [[ -x /usr/lib/systemd/system-generators/systemd-sysv-generator ]] +testsuite-26.sh[1225]: + cat +testsuite-26.sh[2330]: /usr/lib/systemd/tests/testdata/units/testsuite-26.sh: line 299: /etc/init.d/issue-24990: No such file or directory + +Follow-up to 5f882cc3ab32636d9242effb2cefad20d92d2ec2. + +(cherry picked from commit 7fcf0fab078ed92a4f6c3c3658c0a9dfd67c9601) + +Related: #2160477 +--- + test/units/testsuite-26.sh | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/test/units/testsuite-26.sh b/test/units/testsuite-26.sh +index a8e7a5abaa..37ae6069bc 100755 +--- a/test/units/testsuite-26.sh ++++ b/test/units/testsuite-26.sh +@@ -294,7 +294,7 @@ systemctl unset-environment IMPORT_THIS IMPORT_THIS_TOO + + # test for sysv-generator (issue #24990) + if [[ -x /usr/lib/systemd/system-generators/systemd-sysv-generator ]]; then +- ++ mkdir -p /etc/init.d + # invalid dependency + cat >/etc/init.d/issue-24990 <<\EOF + #!/bin/bash diff --git a/SOURCES/0179-test-support-a-non-default-SysV-directory.patch b/SOURCES/0179-test-support-a-non-default-SysV-directory.patch new file mode 100644 index 0000000..8c9c4a3 --- /dev/null +++ b/SOURCES/0179-test-support-a-non-default-SysV-directory.patch @@ -0,0 +1,97 @@ +From 956944405391b5bbb8a4fee9ad93e14bf908f0a9 Mon Sep 17 00:00:00 2001 +From: Frantisek Sumsal +Date: Fri, 13 Jan 2023 20:10:42 +0100 +Subject: [PATCH] test: support a non-default SysV directory + +Since the directory is configurable via -Dsysvinit-path= during build, +it makes the test fail on Fedora/RHEL/CentOS, where it's set to +/etc/rc.d/init.d, instead of the default /etc/init.d. Since we can't get +the value at runtime (in a reasonable manner), let's just support the +two most common paths for now. + +Follow up to 7fcf0fab078ed92a4f6c3c3658c0a9dfd67c9601. + +(cherry picked from commit fc2a0bc05e0429e468c7eaad52998292105fe7fb) + +Related: #2160477 +--- + test/units/testsuite-26.sh | 25 ++++++++++++++----------- + 1 file changed, 14 insertions(+), 11 deletions(-) + +diff --git a/test/units/testsuite-26.sh b/test/units/testsuite-26.sh +index 37ae6069bc..916a6704d7 100755 +--- a/test/units/testsuite-26.sh ++++ b/test/units/testsuite-26.sh +@@ -294,9 +294,12 @@ systemctl unset-environment IMPORT_THIS IMPORT_THIS_TOO + + # test for sysv-generator (issue #24990) + if [[ -x /usr/lib/systemd/system-generators/systemd-sysv-generator ]]; then +- mkdir -p /etc/init.d ++ # This is configurable via -Dsysvinit-path=, but we can't get the value ++ # at runtime, so let's just support the two most common paths for now. ++ [[ -d /etc/rc.d/init.d ]] && SYSVINIT_PATH="/etc/rc.d/init.d" || SYSVINIT_PATH="/etc/init.d" ++ + # invalid dependency +- cat >/etc/init.d/issue-24990 <<\EOF ++ cat >"${SYSVINIT_PATH:?}/issue-24990" <<\EOF + #!/bin/bash + + ### BEGIN INIT INFO +@@ -322,21 +325,21 @@ case "$1" in + esac + EOF + +- chmod +x /etc/init.d/issue-24990 ++ chmod +x "$SYSVINIT_PATH/issue-24990" + systemctl daemon-reload + [[ -L /run/systemd/generator.late/test1.service ]] + [[ -L /run/systemd/generator.late/test2.service ]] + assert_eq "$(readlink -f /run/systemd/generator.late/test1.service)" "/run/systemd/generator.late/issue-24990.service" + assert_eq "$(readlink -f /run/systemd/generator.late/test2.service)" "/run/systemd/generator.late/issue-24990.service" + output=$(systemctl cat issue-24990) +- assert_in "SourcePath=/etc/init.d/issue-24990" "$output" ++ assert_in "SourcePath=$SYSVINIT_PATH/issue-24990" "$output" + assert_in "Description=LSB: Test" "$output" + assert_in "After=test1.service" "$output" + assert_in "After=remote-fs.target" "$output" + assert_in "After=network-online.target" "$output" + assert_in "Wants=network-online.target" "$output" +- assert_in "ExecStart=/etc/init.d/issue-24990 start" "$output" +- assert_in "ExecStop=/etc/init.d/issue-24990 stop" "$output" ++ assert_in "ExecStart=$SYSVINIT_PATH/issue-24990 start" "$output" ++ assert_in "ExecStop=$SYSVINIT_PATH/issue-24990 stop" "$output" + systemctl status issue-24990 || : + systemctl show issue-24990 + assert_not_in "issue-24990.service" "$(systemctl show --property=After --value)" +@@ -350,7 +353,7 @@ EOF + systemctl stop issue-24990 + + # valid dependency +- cat >/etc/init.d/issue-24990 <<\EOF ++ cat >"$SYSVINIT_PATH/issue-24990" <<\EOF + #!/bin/bash + + ### BEGIN INIT INFO +@@ -376,18 +379,18 @@ case "$1" in + esac + EOF + +- chmod +x /etc/init.d/issue-24990 ++ chmod +x "$SYSVINIT_PATH/issue-24990" + systemctl daemon-reload + [[ -L /run/systemd/generator.late/test1.service ]] + [[ -L /run/systemd/generator.late/test2.service ]] + assert_eq "$(readlink -f /run/systemd/generator.late/test1.service)" "/run/systemd/generator.late/issue-24990.service" + assert_eq "$(readlink -f /run/systemd/generator.late/test2.service)" "/run/systemd/generator.late/issue-24990.service" + output=$(systemctl cat issue-24990) +- assert_in "SourcePath=/etc/init.d/issue-24990" "$output" ++ assert_in "SourcePath=$SYSVINIT_PATH/issue-24990" "$output" + assert_in "Description=LSB: Test" "$output" + assert_in "After=remote-fs.target" "$output" +- assert_in "ExecStart=/etc/init.d/issue-24990 start" "$output" +- assert_in "ExecStop=/etc/init.d/issue-24990 stop" "$output" ++ assert_in "ExecStart=$SYSVINIT_PATH/issue-24990 start" "$output" ++ assert_in "ExecStop=$SYSVINIT_PATH/issue-24990 stop" "$output" + systemctl status issue-24990 || : + systemctl show issue-24990 + assert_not_in "issue-24990.service" "$(systemctl show --property=After --value)" diff --git a/SOURCES/0180-udev-make-get_virtfn_info-provide-physical-PCI-devic.patch b/SOURCES/0180-udev-make-get_virtfn_info-provide-physical-PCI-devic.patch new file mode 100644 index 0000000..d1cbe0c --- /dev/null +++ b/SOURCES/0180-udev-make-get_virtfn_info-provide-physical-PCI-devic.patch @@ -0,0 +1,29 @@ +From fe2d716926d6b800be8775251826453b9a2808da Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Wed, 1 Feb 2023 23:39:43 +0900 +Subject: [PATCH] udev: make get_virtfn_info() provide physical PCI device + +Fixes a bug introduced by 78463c6c4fdcb703bc0dc694c3ea77df3c5624e0. + +Fixes #25545. + +(cherry picked from commit cf74e2e16fb06b7de9e3875c6462290998fb06bd) + +Resolves: #2159448 +--- + src/udev/udev-builtin-net_id.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/udev/udev-builtin-net_id.c b/src/udev/udev-builtin-net_id.c +index 7504123700..d4e9dcb60d 100644 +--- a/src/udev/udev-builtin-net_id.c ++++ b/src/udev/udev-builtin-net_id.c +@@ -144,7 +144,7 @@ static int get_virtfn_info(sd_device *pcidev, sd_device **ret_physfn_pcidev, cha + if (!suffix) + return -ENOMEM; + +- *ret_physfn_pcidev = sd_device_ref(child); ++ *ret_physfn_pcidev = sd_device_ref(physfn_pcidev); + *ret_suffix = suffix; + return 0; + } diff --git a/SOURCES/0181-test-make-helper_check_device_units-log-unit-name.patch b/SOURCES/0181-test-make-helper_check_device_units-log-unit-name.patch new file mode 100644 index 0000000..d91a1dc --- /dev/null +++ b/SOURCES/0181-test-make-helper_check_device_units-log-unit-name.patch @@ -0,0 +1,40 @@ +From 54c173eb34da7c94953ed3556b448da13a4dc5fa Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Wed, 1 Feb 2023 23:03:54 +0900 +Subject: [PATCH] test: make helper_check_device_units() log unit name + +(cherry picked from commit 5479d0f83a80810c475b14fbaf61872f4df6b20e) + +Related: #2138081 +--- + test/units/testsuite-64.sh | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/test/units/testsuite-64.sh b/test/units/testsuite-64.sh +index fd1ad7c041..c572671c20 100755 +--- a/test/units/testsuite-64.sh ++++ b/test/units/testsuite-64.sh +@@ -89,6 +89,8 @@ check_device_unit() {( + path="${2?}" + unit=$(systemd-escape --path --suffix=device "$path") + ++ [[ "$log_level" == 1 ]] && echo "INFO: check_device_unit($unit)" ++ + syspath=$(systemctl show --value --property SysFSPath "$unit" 2>/dev/null) + if [[ -z "$syspath" ]]; then + [[ "$log_level" == 1 ]] && echo >&2 "ERROR: $unit not found." +@@ -156,12 +158,11 @@ helper_check_device_units() {( + + local i + +- for ((i = 0; i < 20; i++)); do +- (( i == 0 )) || sleep .5 +- ++ for (( i = 0; i < 20; i++ )); do + if check_device_units 0 "$@"; then + return 0 + fi ++ sleep .5 + done + + check_device_units 1 "$@" diff --git a/SOURCES/0182-test-add-a-testcase-for-lvextend.patch b/SOURCES/0182-test-add-a-testcase-for-lvextend.patch new file mode 100644 index 0000000..a92d0e9 --- /dev/null +++ b/SOURCES/0182-test-add-a-testcase-for-lvextend.patch @@ -0,0 +1,45 @@ +From 0894f502ad5a89a98a0a88ee739c0c5f516338c2 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Wed, 1 Feb 2023 21:25:40 +0900 +Subject: [PATCH] test: add a testcase for lvextend + +For RHBZ#2158628 (https://bugzilla.redhat.com/show_bug.cgi?id=2158628) + +(cherry picked from commit d60e3482613d26e559fc4dc5a56b8edaa765a318) + +Related: #2138081 +--- + test/units/testsuite-64.sh | 20 ++++++++++++++++++++ + 1 file changed, 20 insertions(+) + +diff --git a/test/units/testsuite-64.sh b/test/units/testsuite-64.sh +index c572671c20..4017f61f59 100755 +--- a/test/units/testsuite-64.sh ++++ b/test/units/testsuite-64.sh +@@ -425,6 +425,26 @@ testcase_lvm_basic() { + helper_check_device_symlinks "/dev/disk" "/dev/$vgroup" + helper_check_device_units + ++ # Mount mypart1 through by-label devlink ++ mkdir -p /tmp/mypart1-mount-point ++ mount /dev/disk/by-label/mylvpart1 /tmp/mypart1-mount-point ++ timeout 30 bash -c "while ! systemctl -q is-active /tmp/mypart1-mount-point; do sleep .2; done" ++ # Extend the partition and check if the device and mount units are still active. ++ # See https://bugzilla.redhat.com/show_bug.cgi?id=2158628 ++ # Note, the test below may be unstable with LVM2 without the following patch: ++ # https://github.com/lvmteam/lvm2/pull/105 ++ # But, to reproduce the issue, udevd must start to process the first 'change' uevent ++ # earlier than extending the volume has been finished, and in most case, the extension ++ # is hopefully fast. ++ lvm lvextend -y --size 8M "/dev/$vgroup/mypart1" ++ udevadm wait --settle --timeout="$timeout" "/dev/disk/by-label/mylvpart1" ++ timeout 30 bash -c "while ! systemctl -q is-active '/dev/$vgroup/mypart1'; do sleep .2; done" ++ timeout 30 bash -c "while ! systemctl -q is-active /tmp/mypart1-mount-point; do sleep .2; done" ++ # Umount the partition, otherwise the underlying device unit will stay in ++ # the inactive state and not be collected, and helper_check_device_units() will fail. ++ systemctl show /tmp/mypart1-mount-point ++ umount /tmp/mypart1-mount-point ++ + # Rename partitions (see issue #24518) + lvm lvrename "/dev/$vgroup/mypart1" renamed1 + lvm lvrename "/dev/$vgroup/mypart2" renamed2 diff --git a/SOURCES/0183-pid1-fix-segv-triggered-by-status-query-26279.patch b/SOURCES/0183-pid1-fix-segv-triggered-by-status-query-26279.patch new file mode 100644 index 0000000..3396665 --- /dev/null +++ b/SOURCES/0183-pid1-fix-segv-triggered-by-status-query-26279.patch @@ -0,0 +1,36 @@ +From ba575dced76ed7420c8eaa77942e31b134927524 Mon Sep 17 00:00:00 2001 +From: Robin Humble +Date: Wed, 1 Feb 2023 23:36:48 +1100 +Subject: [PATCH] pid1: fix segv triggered by status query (#26279) + +If any query makes it to the end of install_info_follow() then I think symlink_target is set to NULL. +If that is followed by -EXDEV from unit_file_load_or_readlink(), then that causes basename(NULL) +which segfaults pid 1. + +This is triggered by eg. "systemctl status crond" in RHEL9 if + +/etc/systemd/system/crond.service + -> /ram/etc/systemd/system/crond.service + -> /usr/lib/systemd/system/.crond.service.blah.blah + -> /usr/lib/systemd/system/crond.service + +(cherry picked from commit 19cfda9fc3c60de21a362ebb56bcb9f4a9855e85) + +Related: #2138081 +--- + src/shared/install.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/shared/install.c b/src/shared/install.c +index 4b610b20a5..a760726628 100644 +--- a/src/shared/install.c ++++ b/src/shared/install.c +@@ -1653,7 +1653,7 @@ static int install_info_traverse( + r = install_info_follow(ctx, i, lp, flags, + /* If linked, don't look at the target name */ + /* ignore_different_name= */ i->install_mode == INSTALL_MODE_LINKED); +- if (r == -EXDEV) { ++ if (r == -EXDEV && i->symlink_target) { + _cleanup_free_ char *buffer = NULL; + const char *bn; + diff --git a/SOURCES/0184-test-create-config-under-run.patch b/SOURCES/0184-test-create-config-under-run.patch new file mode 100644 index 0000000..863068f --- /dev/null +++ b/SOURCES/0184-test-create-config-under-run.patch @@ -0,0 +1,31 @@ +From e99dcd2e9e9547d84c0bfc1dc4c68f1fe2f56f62 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Thu, 10 Nov 2022 15:51:30 +0900 +Subject: [PATCH] test: create config under /run + +(cherry picked from commit e4b3f0dfe91ae0b95f30594c7671be39c0a599b1) + +Related: #2138081 +--- + test/units/testsuite-75.sh | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/test/units/testsuite-75.sh b/test/units/testsuite-75.sh +index 04a8b6e9cc..53ceced641 100755 +--- a/test/units/testsuite-75.sh ++++ b/test/units/testsuite-75.sh +@@ -79,11 +79,13 @@ DNSSEC=allow-downgrade + DNS=10.0.0.1 + EOF + ++mkdir -p /run/systemd/resolved.conf.d + { ++ echo "[Resolve]" + echo "FallbackDNS=" + echo "DNSSEC=allow-downgrade" + echo "DNSOverTLS=opportunistic" +-} >>/etc/systemd/resolved.conf ++} >/run/systemd/resolved.conf.d/test.conf + ln -svf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf + # Override the default NTA list, which turns off DNSSEC validation for (among + # others) the test. domain diff --git a/SOURCES/0185-test-add-tests-for-mDNS-and-LLMNR-settings.patch b/SOURCES/0185-test-add-tests-for-mDNS-and-LLMNR-settings.patch new file mode 100644 index 0000000..7540f88 --- /dev/null +++ b/SOURCES/0185-test-add-tests-for-mDNS-and-LLMNR-settings.patch @@ -0,0 +1,96 @@ +From 0845d4d0f5a37493d3da68624aba1a576382e961 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Thu, 10 Nov 2022 15:52:57 +0900 +Subject: [PATCH] test: add tests for mDNS and LLMNR settings + +(cherry picked from commit b77899af0d75ea59c35ba454d869fa759fe7b3a1) + +Related: #2138081 +--- + test/units/testsuite-75.sh | 73 ++++++++++++++++++++++++++++++++++++++ + 1 file changed, 73 insertions(+) + +diff --git a/test/units/testsuite-75.sh b/test/units/testsuite-75.sh +index 53ceced641..1a656fcdc1 100755 +--- a/test/units/testsuite-75.sh ++++ b/test/units/testsuite-75.sh +@@ -55,6 +55,79 @@ echo nameserver 10.0.3.1 10.0.3.2 | "$RESOLVCONF" -a hoge.inet.ipsec.192.168.35 + echo nameserver 10.0.3.3 10.0.3.4 | "$RESOLVCONF" -a hoge.foo.dhcp + assert_in '10.0.3.1 10.0.3.2' "$(resolvectl dns hoge)" + assert_in '10.0.3.3 10.0.3.4' "$(resolvectl dns hoge.foo)" ++ ++# Tests for mDNS and LLMNR settings ++mkdir -p /run/systemd/resolved.conf.d ++{ ++ echo "[Resolve]" ++ echo "MulticastDNS=yes" ++ echo "LLMNR=yes" ++} >/run/systemd/resolved.conf.d/mdns-llmnr.conf ++systemctl restart systemd-resolved.service ++systemctl service-log-level systemd-resolved.service debug ++# make sure networkd is not running. ++systemctl stop systemd-networkd.service ++# defaults to yes (both the global and per-link settings are yes) ++assert_in 'yes' "$(resolvectl mdns hoge)" ++assert_in 'yes' "$(resolvectl llmnr hoge)" ++# set per-link setting ++resolvectl mdns hoge yes ++resolvectl llmnr hoge yes ++assert_in 'yes' "$(resolvectl mdns hoge)" ++assert_in 'yes' "$(resolvectl llmnr hoge)" ++resolvectl mdns hoge resolve ++resolvectl llmnr hoge resolve ++assert_in 'resolve' "$(resolvectl mdns hoge)" ++assert_in 'resolve' "$(resolvectl llmnr hoge)" ++resolvectl mdns hoge no ++resolvectl llmnr hoge no ++assert_in 'no' "$(resolvectl mdns hoge)" ++assert_in 'no' "$(resolvectl llmnr hoge)" ++# downgrade global setting to resolve ++{ ++ echo "[Resolve]" ++ echo "MulticastDNS=resolve" ++ echo "LLMNR=resolve" ++} >/run/systemd/resolved.conf.d/mdns-llmnr.conf ++systemctl restart systemd-resolved.service ++systemctl service-log-level systemd-resolved.service debug ++# set per-link setting ++resolvectl mdns hoge yes ++resolvectl llmnr hoge yes ++assert_in 'resolve' "$(resolvectl mdns hoge)" ++assert_in 'resolve' "$(resolvectl llmnr hoge)" ++resolvectl mdns hoge resolve ++resolvectl llmnr hoge resolve ++assert_in 'resolve' "$(resolvectl mdns hoge)" ++assert_in 'resolve' "$(resolvectl llmnr hoge)" ++resolvectl mdns hoge no ++resolvectl llmnr hoge no ++assert_in 'no' "$(resolvectl mdns hoge)" ++assert_in 'no' "$(resolvectl llmnr hoge)" ++# downgrade global setting to no ++{ ++ echo "[Resolve]" ++ echo "MulticastDNS=no" ++ echo "LLMNR=no" ++} >/run/systemd/resolved.conf.d/mdns-llmnr.conf ++systemctl restart systemd-resolved.service ++systemctl service-log-level systemd-resolved.service debug ++# set per-link setting ++resolvectl mdns hoge yes ++resolvectl llmnr hoge yes ++assert_in 'no' "$(resolvectl mdns hoge)" ++assert_in 'no' "$(resolvectl llmnr hoge)" ++resolvectl mdns hoge resolve ++resolvectl llmnr hoge resolve ++assert_in 'no' "$(resolvectl mdns hoge)" ++assert_in 'no' "$(resolvectl llmnr hoge)" ++resolvectl mdns hoge no ++resolvectl llmnr hoge no ++assert_in 'no' "$(resolvectl mdns hoge)" ++assert_in 'no' "$(resolvectl llmnr hoge)" ++ ++# Cleanup ++rm -f /run/systemd/resolved.conf.d/mdns-llmnr.conf + ip link del hoge + ip link del hoge.foo + diff --git a/SOURCES/0186-resolved-introduce-the-_localdnsstub-and-_localdnspr.patch b/SOURCES/0186-resolved-introduce-the-_localdnsstub-and-_localdnspr.patch new file mode 100644 index 0000000..a1b2d5e --- /dev/null +++ b/SOURCES/0186-resolved-introduce-the-_localdnsstub-and-_localdnspr.patch @@ -0,0 +1,278 @@ +From 677b20b6738ee287d1b882815b3bcca67754e003 Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Fri, 25 Nov 2022 12:15:56 +0100 +Subject: [PATCH] resolved: introduce the _localdnsstub and _localdnsproxy + special hostnames for 127.0.0.54 + 127.0.0.53 + +Let's give these special IP addresses names. After all name resolution +is our job here. + +Fixes: #23623 +(cherry picked from commit 17f244e8f9de008ea1c6e0880bdc924b95a66e2b) + +Related: #2138081 +--- + man/resolvectl.xml | 11 +-- + man/systemd-resolved.service.xml | 6 ++ + src/basic/hostname-util.h | 8 ++ + src/resolve/resolvectl.c | 6 +- + src/resolve/resolved-dns-scope.c | 7 +- + src/resolve/resolved-dns-synthesize.c | 110 +++++++++++++++++++++++++- + test/units/testsuite-75.sh | 11 +++ + 7 files changed, 147 insertions(+), 12 deletions(-) + +diff --git a/man/resolvectl.xml b/man/resolvectl.xml +index 2cb855c360..c966ca67bd 100644 +--- a/man/resolvectl.xml ++++ b/man/resolvectl.xml +@@ -323,11 +323,12 @@ + + Takes a boolean parameter; used in conjunction with query. If true + (the default), select domains are resolved on the local system, among them +- localhost, _gateway and _outbound, or +- entries from /etc/hosts. If false these domains are not resolved locally, and +- either fail (in case of localhost, _gateway or +- _outbound and suchlike) or go to the network via regular DNS/mDNS/LLMNR lookups +- (in case of /etc/hosts entries). ++ localhost, _gateway, _outbound, ++ _localdnsstub and _localdnsproxy or entries from ++ /etc/hosts. If false these domains are not resolved locally, and either fail (in ++ case of localhost, _gateway or _outbound and ++ suchlike) or go to the network via regular DNS/mDNS/LLMNR lookups (in case of ++ /etc/hosts entries). + + + +diff --git a/man/systemd-resolved.service.xml b/man/systemd-resolved.service.xml +index 7f30fa6536..c006c03b53 100644 +--- a/man/systemd-resolved.service.xml ++++ b/man/systemd-resolved.service.xml +@@ -118,6 +118,12 @@ + local default gateway configured. This assigns a stable hostname to the local outbound IP addresses, + useful for referencing them independently of the current network configuration state. + ++ The hostname _localdnsstub is resolved to the IP address 127.0.0.53, ++ i.e. the address the local DNS stub (see above) is listening on. ++ ++ The hostname _localdnsproxy is resolved to the IP address 127.0.0.54, ++ i.e. the address the local DNS proxy (see above) is listening on. ++ + The mappings defined in /etc/hosts are resolved to their + configured addresses and back, but they will not affect lookups for non-address types (like MX). + Support for /etc/hosts may be disabled with ReadEtcHosts=no, +diff --git a/src/basic/hostname-util.h b/src/basic/hostname-util.h +index a00b852395..bcac3d9fb0 100644 +--- a/src/basic/hostname-util.h ++++ b/src/basic/hostname-util.h +@@ -60,4 +60,12 @@ static inline bool is_outbound_hostname(const char *hostname) { + return STRCASE_IN_SET(hostname, "_outbound", "_outbound."); + } + ++static inline bool is_dns_stub_hostname(const char *hostname) { ++ return STRCASE_IN_SET(hostname, "_localdnsstub", "_localdnsstub."); ++} ++ ++static inline bool is_dns_proxy_stub_hostname(const char *hostname) { ++ return STRCASE_IN_SET(hostname, "_localdnsproxy", "_localdnsproxy."); ++} ++ + int get_pretty_hostname(char **ret); +diff --git a/src/resolve/resolvectl.c b/src/resolve/resolvectl.c +index b07761a495..2a7347ca27 100644 +--- a/src/resolve/resolvectl.c ++++ b/src/resolve/resolvectl.c +@@ -478,7 +478,11 @@ static bool single_label_nonsynthetic(const char *name) { + if (!dns_name_is_single_label(name)) + return false; + +- if (is_localhost(name) || is_gateway_hostname(name)) ++ if (is_localhost(name) || ++ is_gateway_hostname(name) || ++ is_outbound_hostname(name) || ++ is_dns_stub_hostname(name) || ++ is_dns_proxy_stub_hostname(name)) + return false; + + r = resolve_system_hostname(NULL, &first_label); +diff --git a/src/resolve/resolved-dns-scope.c b/src/resolve/resolved-dns-scope.c +index 4f744499aa..607109ee0f 100644 +--- a/src/resolve/resolved-dns-scope.c ++++ b/src/resolve/resolved-dns-scope.c +@@ -635,8 +635,11 @@ DnsScopeMatch dns_scope_good_domain( + if (dns_name_dont_resolve(domain)) + return DNS_SCOPE_NO; + +- /* Never go to network for the _gateway or _outbound domain — they're something special, synthesized locally. */ +- if (is_gateway_hostname(domain) || is_outbound_hostname(domain)) ++ /* Never go to network for the _gateway, _outbound, _localdnsstub, _localdnsproxy domain — they're something special, synthesized locally. */ ++ if (is_gateway_hostname(domain) || ++ is_outbound_hostname(domain) || ++ is_dns_stub_hostname(domain) || ++ is_dns_proxy_stub_hostname(domain)) + return DNS_SCOPE_NO; + + switch (s->protocol) { +diff --git a/src/resolve/resolved-dns-synthesize.c b/src/resolve/resolved-dns-synthesize.c +index b3442ad906..fa8b4a5760 100644 +--- a/src/resolve/resolved-dns-synthesize.c ++++ b/src/resolve/resolved-dns-synthesize.c +@@ -356,7 +356,90 @@ static int synthesize_gateway_rr( + return 1; /* > 0 means: we have some gateway */ + } + +-static int synthesize_gateway_ptr(Manager *m, int af, const union in_addr_union *address, int ifindex, DnsAnswer **answer) { ++static int synthesize_dns_stub_rr( ++ Manager *m, ++ const DnsResourceKey *key, ++ in_addr_t addr, ++ DnsAnswer **answer) { ++ ++ _cleanup_(dns_resource_record_unrefp) DnsResourceRecord *rr = NULL; ++ int r; ++ ++ assert(m); ++ assert(key); ++ assert(answer); ++ ++ if (!IN_SET(key->type, DNS_TYPE_A, DNS_TYPE_ANY)) ++ return 1; /* we still consider ourselves the owner of this name */ ++ ++ r = dns_answer_reserve(answer, 1); ++ if (r < 0) ++ return r; ++ ++ rr = dns_resource_record_new_full(DNS_CLASS_IN, DNS_TYPE_A, dns_resource_key_name(key)); ++ if (!rr) ++ return -ENOMEM; ++ ++ rr->a.in_addr.s_addr = htobe32(addr); ++ ++ r = dns_answer_add(*answer, rr, LOOPBACK_IFINDEX, DNS_ANSWER_AUTHENTICATED, NULL); ++ if (r < 0) ++ return r; ++ ++ return 1; ++} ++ ++static int synthesize_dns_stub_ptr( ++ Manager *m, ++ int af, ++ const union in_addr_union *address, ++ DnsAnswer **answer) { ++ ++ int r; ++ ++ assert(m); ++ assert(address); ++ assert(answer); ++ ++ if (af != AF_INET) ++ return 0; ++ ++ if (address->in.s_addr == htobe32(INADDR_DNS_STUB)) { ++ ++ r = dns_answer_reserve(answer, 1); ++ if (r < 0) ++ return r; ++ ++ r = answer_add_ptr(answer, "53.0.0.127.in-addr.arpa", "_localdnsstub", LOOPBACK_IFINDEX, DNS_ANSWER_AUTHENTICATED); ++ if (r < 0) ++ return r; ++ ++ return 1; ++ } ++ ++ if (address->in.s_addr == htobe32(INADDR_DNS_PROXY_STUB)) { ++ ++ r = dns_answer_reserve(answer, 1); ++ if (r < 0) ++ return r; ++ ++ r = answer_add_ptr(answer, "54.0.0.127.in-addr.arpa", "_localdnsproxy", LOOPBACK_IFINDEX, DNS_ANSWER_AUTHENTICATED); ++ if (r < 0) ++ return r; ++ ++ return 1; ++ } ++ ++ return 0; ++} ++ ++static int synthesize_gateway_ptr( ++ Manager *m, ++ int af, ++ const union in_addr_union *address, ++ int ifindex, ++ DnsAnswer **answer) { ++ + _cleanup_free_ struct local_address *addresses = NULL; + int n; + +@@ -437,7 +520,22 @@ int dns_synthesize_answer( + continue; + } + +- } else if ((dns_name_endswith(name, "127.in-addr.arpa") > 0 && dns_name_equal(name, "2.0.0.127.in-addr.arpa") == 0) || ++ } else if (is_dns_stub_hostname(name)) { ++ ++ r = synthesize_dns_stub_rr(m, key, INADDR_DNS_STUB, &answer); ++ if (r < 0) ++ return log_error_errno(r, "Failed to synthesize local DNS stub RRs: %m"); ++ ++ } else if (is_dns_proxy_stub_hostname(name)) { ++ ++ r = synthesize_dns_stub_rr(m, key, INADDR_DNS_PROXY_STUB, &answer); ++ if (r < 0) ++ return log_error_errno(r, "Failed to synthesize local DNS stub RRs: %m"); ++ ++ } else if ((dns_name_endswith(name, "127.in-addr.arpa") > 0 && ++ dns_name_equal(name, "2.0.0.127.in-addr.arpa") == 0 && ++ dns_name_equal(name, "53.0.0.127.in-addr.arpa") == 0 && ++ dns_name_equal(name, "54.0.0.127.in-addr.arpa") == 0) || + dns_name_equal(name, "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa") > 0) { + + r = synthesize_localhost_ptr(m, key, ifindex, &answer); +@@ -445,7 +543,7 @@ int dns_synthesize_answer( + return log_error_errno(r, "Failed to synthesize localhost PTR RRs: %m"); + + } else if (dns_name_address(name, &af, &address) > 0) { +- int v, w; ++ int v, w, u; + + if (getenv_bool("SYSTEMD_RESOLVED_SYNTHESIZE_HOSTNAME") == 0) + continue; +@@ -458,7 +556,11 @@ int dns_synthesize_answer( + if (w < 0) + return log_error_errno(w, "Failed to synthesize gateway hostname PTR RR: %m"); + +- if (v == 0 && w == 0) /* This IP address is neither a local one nor a gateway */ ++ u = synthesize_dns_stub_ptr(m, af, &address, &answer); ++ if (u < 0) ++ return log_error_errno(u, "Failed to synthesize local stub hostname PTR PR: %m"); ++ ++ if (v == 0 && w == 0 && u == 0) /* This IP address is neither a local one, nor a gateway, nor a stub address */ + continue; + + /* Note that we never synthesize reverse PTR for _outbound, since those are local +diff --git a/test/units/testsuite-75.sh b/test/units/testsuite-75.sh +index 1a656fcdc1..0c68e0636f 100755 +--- a/test/units/testsuite-75.sh ++++ b/test/units/testsuite-75.sh +@@ -56,6 +56,17 @@ echo nameserver 10.0.3.3 10.0.3.4 | "$RESOLVCONF" -a hoge.foo.dhcp + assert_in '10.0.3.1 10.0.3.2' "$(resolvectl dns hoge)" + assert_in '10.0.3.3 10.0.3.4' "$(resolvectl dns hoge.foo)" + ++# Tests for _localdnsstub and _localdnsproxy ++assert_in '127.0.0.53' "$(resolvectl query _localdnsstub)" ++assert_in '_localdnsstub' "$(resolvectl query 127.0.0.53)" ++assert_in '127.0.0.54' "$(resolvectl query _localdnsproxy)" ++assert_in '_localdnsproxy' "$(resolvectl query 127.0.0.54)" ++ ++assert_in '127.0.0.53' "$(dig @127.0.0.53 _localdnsstub)" ++assert_in '_localdnsstub' "$(dig @127.0.0.53 -x 127.0.0.53)" ++assert_in '127.0.0.54' "$(dig @127.0.0.53 _localdnsproxy)" ++assert_in '_localdnsproxy' "$(dig @127.0.0.53 -x 127.0.0.54)" ++ + # Tests for mDNS and LLMNR settings + mkdir -p /run/systemd/resolved.conf.d + { diff --git a/SOURCES/0187-test-wait-for-the-monitoring-service-to-become-activ.patch b/SOURCES/0187-test-wait-for-the-monitoring-service-to-become-activ.patch new file mode 100644 index 0000000..b0dec38 --- /dev/null +++ b/SOURCES/0187-test-wait-for-the-monitoring-service-to-become-activ.patch @@ -0,0 +1,65 @@ +From 874959f2d9dfadd027f3d7e399ef8a32a408e1c8 Mon Sep 17 00:00:00 2001 +From: Frantisek Sumsal +Date: Wed, 7 Dec 2022 20:44:07 +0100 +Subject: [PATCH] test: wait for the monitoring service to become active +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Otherwise we might start querying resolved too early, causing the +monitoring service to miss stuff: + +``` +[ 1103.149474] testsuite-75.sh[35]: + systemd-run -u resmontest.service -p Type=notify resolvectl monitor +[ 1103.353803] testsuite-75.sh[423]: Running as unit: resmontest.service +[ 1103.353989] testsuite-75.sh[35]: + knotc zone-begin test. +[ 1103.354160] testsuite-75.sh[425]: OK +... +[ 1103.355298] testsuite-75.sh[35]: + knotc reload +[ 1103.355363] testsuite-75.sh[438]: Reloaded +[ 1103.355536] testsuite-75.sh[35]: + : '--- nss-resolve/nss-myhostname tests' +[ 1103.355536] testsuite-75.sh[35]: + run getent -s resolve hosts ns1.unsigned.test +[ 1103.356127] testsuite-75.sh[443]: + getent -s resolve hosts ns1.unsigned.test +[ 1103.356505] testsuite-75.sh[444]: + tee /tmp/tmp.bXg5Uj5Jkk +[ 1103.359591] resolvectl[424]: → Q: ns1.unsigned.test IN AAAA +[ 1103.359591] resolvectl[424]: ← S: success +[ 1103.359850] testsuite-75.sh[444]: 10.0.0.1 ns1.unsigned.test +[ 1103.359939] resolvectl[424]: → Q: ns1.unsigned.test IN A +[ 1103.359939] resolvectl[424]: ← S: success +[ 1103.359939] resolvectl[424]: ← A: ns1.unsigned.test IN A 10.0.0.1 +[ 1103.360149] testsuite-75.sh[35]: + grep -qE '^10\.0\.0\.1\s+ns1\.unsigned\.test' /tmp/tmp.bXg5Uj5Jkk +[ 1103.362119] systemd[1]: Starting resmontest.service... +[ 1103.362633] systemd[1]: Started resmontest.service. +[ 1103.363263] testsuite-75.sh[35]: + monitor_check_rr 'ns1.unsigned.test IN A 10.0.0.1' +[ 1103.363263] testsuite-75.sh[35]: + local 'match=ns1.unsigned.test IN A 10.0.0.1' +[ 1103.363377] testsuite-75.sh[35]: + set +o pipefail +[ 1103.363836] testsuite-75.sh[458]: + journalctl -u resmontest.service -f --full +[ 1103.364042] testsuite-75.sh[459]: + grep -m1 'ns1.unsigned.test IN A 10.0.0.1' +... +Trying to halt container. Send SIGTERM again to trigger immediate termination. +Container TEST-75 terminated by signal KILL. +``` + +(cherry picked from commit 5dd34c2604567320707625bc009cf01c3769605f) + +Related: #2138081 +--- + test/units/testsuite-75.sh | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/test/units/testsuite-75.sh b/test/units/testsuite-75.sh +index 0c68e0636f..d2062c7b05 100755 +--- a/test/units/testsuite-75.sh ++++ b/test/units/testsuite-75.sh +@@ -212,6 +212,11 @@ resolvectl log-level debug + + # Start monitoring queries + systemd-run -u resmontest.service -p Type=notify resolvectl monitor ++# Wait for the monitoring service to become active ++for _ in {0..9}; do ++ [[ "$(systemctl show -P ActiveState resmontest.service)" == "active" ]] && break ++ sleep .5 ++done + + # We need to manually propagate the DS records of onlinesign.test. to the parent + # zone, since they're generated online diff --git a/SOURCES/0188-test-suppress-echo-in-monitor_check_rr.patch b/SOURCES/0188-test-suppress-echo-in-monitor_check_rr.patch new file mode 100644 index 0000000..15ec829 --- /dev/null +++ b/SOURCES/0188-test-suppress-echo-in-monitor_check_rr.patch @@ -0,0 +1,38 @@ +From b6f459c221004de9753569e2ec5ee5f887fc8b51 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Thu, 15 Dec 2022 15:28:56 +0900 +Subject: [PATCH] test: suppress echo in monitor_check_rr() + +(cherry picked from commit ef09861a0b0aa7c6a948f4e008e2fea312bc68d6) + +Related: #2138081 +--- + test/units/testsuite-75.sh | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/test/units/testsuite-75.sh b/test/units/testsuite-75.sh +index d2062c7b05..d0c7133412 100755 +--- a/test/units/testsuite-75.sh ++++ b/test/units/testsuite-75.sh +@@ -16,17 +16,17 @@ run() { + "$@" |& tee "$RUN_OUT" + } + +-monitor_check_rr() { ++monitor_check_rr() ( ++ set +x ++ set +o pipefail + local match="${1:?}" + + # Wait until the first mention of the specified log message is + # displayed. We turn off pipefail for this, since we don't care about the + # lhs of this pipe expression, we only care about the rhs' result to be + # clean +- set +o pipefail + journalctl -u resmontest.service -f --full | grep -m1 "$match" +- set -o pipefail +-} ++) + + # Test for resolvectl, resolvconf + systemctl unmask systemd-resolved.service diff --git a/SOURCES/0189-Revert-test-wait-for-the-monitoring-service-to-becom.patch b/SOURCES/0189-Revert-test-wait-for-the-monitoring-service-to-becom.patch new file mode 100644 index 0000000..d0c9303 --- /dev/null +++ b/SOURCES/0189-Revert-test-wait-for-the-monitoring-service-to-becom.patch @@ -0,0 +1,34 @@ +From 058fab8aaad9fc6ececc647e369bf447a8327a4a Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Thu, 15 Dec 2022 16:28:52 +0900 +Subject: [PATCH] Revert "test: wait for the monitoring service to become + active" + +This reverts commit 5dd34c2604567320707625bc009cf01c3769605f. + +`resolvectl monitor` sends notify event, and systemd-run wait for the +service being in active state. Hence, the loop is not necessary. + +(cherry picked from commit 133708b8790ab79e35ade63506c16e4d1e79a025) + +Related: #2138081 +--- + test/units/testsuite-75.sh | 5 ----- + 1 file changed, 5 deletions(-) + +diff --git a/test/units/testsuite-75.sh b/test/units/testsuite-75.sh +index d0c7133412..844dbaebcc 100755 +--- a/test/units/testsuite-75.sh ++++ b/test/units/testsuite-75.sh +@@ -212,11 +212,6 @@ resolvectl log-level debug + + # Start monitoring queries + systemd-run -u resmontest.service -p Type=notify resolvectl monitor +-# Wait for the monitoring service to become active +-for _ in {0..9}; do +- [[ "$(systemctl show -P ActiveState resmontest.service)" == "active" ]] && break +- sleep .5 +-done + + # We need to manually propagate the DS records of onlinesign.test. to the parent + # zone, since they're generated online diff --git a/SOURCES/0190-test-show-and-check-almost-all-journal-entries-since.patch b/SOURCES/0190-test-show-and-check-almost-all-journal-entries-since.patch new file mode 100644 index 0000000..48e73b9 --- /dev/null +++ b/SOURCES/0190-test-show-and-check-almost-all-journal-entries-since.patch @@ -0,0 +1,113 @@ +From 3e7bcbb274618a0d3cea9027db4e6abb1207f27d Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Fri, 16 Dec 2022 01:11:39 +0900 +Subject: [PATCH] test: show and check almost all journal entries since the + relevant command being invoked +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +For some reasons, journal timestamps from other sources sometimes +inconsistent. For example, +``` +$ journalctl --file system.journal -o short-monotonic -u resmontest.service +[ 1112.168109] ns1.unsigned.test resolvectl[419]: → Q: ns1.unsigned.test IN AAAA +[ 1112.168109] ns1.unsigned.test resolvectl[419]: ← S: success +[ 1112.168109] ns1.unsigned.test resolvectl[419]: → Q: ns1.unsigned.test IN A +[ 1112.168109] ns1.unsigned.test resolvectl[419]: ← S: success +[ 1112.168109] ns1.unsigned.test resolvectl[419]: ← A: ns1.unsigned.test IN A 10.0.0.1 +[ 1112.171961] ns1.unsigned.test systemd[1]: resmontest.service: Failed to load configuration: No such file or directory +[ 1112.172223] ns1.unsigned.test systemd[1]: resmontest.service: Trying to enqueue job resmontest.service/start/fail +[ 1112.179866] ns1.unsigned.test systemd[1]: resmontest.service: Installed new job resmontest.service/start as 312 +[ 1112.179894] ns1.unsigned.test systemd[1]: resmontest.service: Enqueued job resmontest.service/start as 312 +[ 1112.180389] ns1.unsigned.test systemd[1]: resmontest.service: Will spawn child (service_enter_start): /usr/bin/resolvectl +[ 1112.180418] ns1.unsigned.test systemd[1]: resmontest.service: Passing 0 fds to service +[ 1112.180447] ns1.unsigned.test systemd[1]: resmontest.service: About to execute /usr/bin/resolvectl monitor +[ 1112.180477] ns1.unsigned.test systemd[1]: resmontest.service: Forked /usr/bin/resolvectl as 419 +[ 1112.180619] ns1.unsigned.test systemd[1]: resmontest.service: Changed dead -> start +[ 1112.180651] ns1.unsigned.test systemd[1]: Starting resmontest.service... +[ 1112.180799] ns1.unsigned.test systemd[419]: resmontest.service: Kernel keyring access prohibited, ignoring. +[ 1112.180895] ns1.unsigned.test systemd[419]: resmontest.service: Executing: /usr/bin/resolvectl monitor +[ 1112.181383] ns1.unsigned.test systemd[1]: resmontest.service: Got notification message from PID 419 (READY=1) +[ 1112.181413] ns1.unsigned.test systemd[1]: resmontest.service: Changed start -> running +[ 1112.181441] ns1.unsigned.test systemd[1]: resmontest.service: Job 312 resmontest.service/start finished, result=done +[ 1112.181469] ns1.unsigned.test systemd[1]: Started resmontest.service. +``` +In such case, `journalctl -f` may not show the entries what we are interested in. + +Fixes #25749. (At least, workarond for the issue.) + +(cherry picked from commit ad48ff12bd0f7b19dc6bfa33c96221fd9c22e89c) + +Related: #2138081 +--- + test/units/testsuite-75.sh | 22 +++++++++++++--------- + 1 file changed, 13 insertions(+), 9 deletions(-) + +diff --git a/test/units/testsuite-75.sh b/test/units/testsuite-75.sh +index 844dbaebcc..852caac605 100755 +--- a/test/units/testsuite-75.sh ++++ b/test/units/testsuite-75.sh +@@ -19,13 +19,14 @@ run() { + monitor_check_rr() ( + set +x + set +o pipefail +- local match="${1:?}" ++ local since="${1:?}" ++ local match="${2:?}" + + # Wait until the first mention of the specified log message is + # displayed. We turn off pipefail for this, since we don't care about the + # lhs of this pipe expression, we only care about the rhs' result to be + # clean +- journalctl -u resmontest.service -f --full | grep -m1 "$match" ++ journalctl -u resmontest.service --since "$since" -f --full | grep -m1 "$match" + ) + + # Test for resolvectl, resolvconf +@@ -232,9 +233,10 @@ knotc reload + + : "--- nss-resolve/nss-myhostname tests" + # Sanity check ++TIMESTAMP=$(date '+%F %T') + run getent -s resolve hosts ns1.unsigned.test + grep -qE "^10\.0\.0\.1\s+ns1\.unsigned\.test" "$RUN_OUT" +-monitor_check_rr "ns1.unsigned.test IN A 10.0.0.1" ++monitor_check_rr "$TIMESTAMP" "ns1.unsigned.test IN A 10.0.0.1" + + # Issue: https://github.com/systemd/systemd/issues/18812 + # PR: https://github.com/systemd/systemd/pull/18896 +@@ -324,15 +326,16 @@ run delv dupe.signed.test + grep -qF "; fully validated" "$RUN_OUT" + + # Test resolution of CNAME chains ++TIMESTAMP=$(date '+%F %T') + run resolvectl query -t A cname-chain.signed.test + grep -qF "follow14.final.signed.test IN A 10.0.0.14" "$RUN_OUT" + grep -qF "authenticated: yes" "$RUN_OUT" + +-monitor_check_rr "follow10.so.close.signed.test IN CNAME follow11.yet.so.far.signed.test" +-monitor_check_rr "follow11.yet.so.far.signed.test IN CNAME follow12.getting.hot.signed.test" +-monitor_check_rr "follow12.getting.hot.signed.test IN CNAME follow13.almost.final.signed.test" +-monitor_check_rr "follow13.almost.final.signed.test IN CNAME follow14.final.signed.test" +-monitor_check_rr "follow14.final.signed.test IN A 10.0.0.14" ++monitor_check_rr "$TIMESTAMP" "follow10.so.close.signed.test IN CNAME follow11.yet.so.far.signed.test" ++monitor_check_rr "$TIMESTAMP" "follow11.yet.so.far.signed.test IN CNAME follow12.getting.hot.signed.test" ++monitor_check_rr "$TIMESTAMP" "follow12.getting.hot.signed.test IN CNAME follow13.almost.final.signed.test" ++monitor_check_rr "$TIMESTAMP" "follow13.almost.final.signed.test IN CNAME follow14.final.signed.test" ++monitor_check_rr "$TIMESTAMP" "follow14.final.signed.test IN A 10.0.0.14" + + # Non-existing RR + CNAME chain + run dig +dnssec AAAA cname-chain.signed.test +@@ -370,9 +373,10 @@ grep -qF 'this.should.be.authenticated.wild.onlinesign.test IN TXT "this is an o + grep -qF "authenticated: yes" "$RUN_OUT" + + # Resolve via dbus method ++TIMESTAMP=$(date '+%F %T') + run busctl call org.freedesktop.resolve1 /org/freedesktop/resolve1 org.freedesktop.resolve1.Manager ResolveHostname 'isit' 0 secondsub.onlinesign.test 0 0 + grep -qF '10 0 0 134 "secondsub.onlinesign.test"' "$RUN_OUT" +-monitor_check_rr "secondsub.onlinesign.test IN A 10.0.0.134" ++monitor_check_rr "$TIMESTAMP" "secondsub.onlinesign.test IN A 10.0.0.134" + + : "--- ZONE: untrusted.test (DNSSEC without propagated DS records) ---" + run dig +short untrusted.test diff --git a/SOURCES/0191-test-cover-IPv6-in-the-resolved-test-suite.patch b/SOURCES/0191-test-cover-IPv6-in-the-resolved-test-suite.patch new file mode 100644 index 0000000..c14e688 --- /dev/null +++ b/SOURCES/0191-test-cover-IPv6-in-the-resolved-test-suite.patch @@ -0,0 +1,449 @@ +From 6aa57233e5981473efb4fdc4351d8f407b0b5384 Mon Sep 17 00:00:00 2001 +From: Frantisek Sumsal +Date: Fri, 8 Jul 2022 13:36:03 +0200 +Subject: [PATCH] test: cover IPv6 in the resolved test suite + +(cherry picked from commit 5c9111fe779b44745256279052786e9cc499e57a) + +Related: #2138081 +--- + test/knot-data/knot.conf | 3 + + test/knot-data/zones/onlinesign.test.zone | 15 ++- + test/knot-data/zones/root.zone | 8 +- + test/knot-data/zones/signed.test.zone | 23 ++-- + test/knot-data/zones/test.zone | 12 +- + test/knot-data/zones/unsigned.test.zone | 12 +- + test/knot-data/zones/untrusted.test.zone | 11 +- + test/units/testsuite-75.sh | 135 ++++++++++++++++++---- + 8 files changed, 169 insertions(+), 50 deletions(-) + +diff --git a/test/knot-data/knot.conf b/test/knot-data/knot.conf +index e3de69d0f4..6ea0cca3db 100644 +--- a/test/knot-data/knot.conf ++++ b/test/knot-data/knot.conf +@@ -4,6 +4,7 @@ server: + rundir: "/run/knot" + user: knot:knot + listen: 10.0.0.1@53 ++ listen: fd00:dead:beef:cafe::1@53 + + log: + - target: syslog +@@ -15,11 +16,13 @@ database: + acl: + - id: update_acl + address: 10.0.0.0/24 ++ address: fd00:dead:beef:cafe::/64 + action: update + + remote: + - id: parent_zone_server + address: 10.0.0.1@53 ++ address: fd00:dead:beef:cafe::1@53 + + submission: + - id: parent_zone_sbm +diff --git a/test/knot-data/zones/onlinesign.test.zone b/test/knot-data/zones/onlinesign.test.zone +index c12c6b3396..c8662fa3ed 100644 +--- a/test/knot-data/zones/onlinesign.test.zone ++++ b/test/knot-data/zones/onlinesign.test.zone +@@ -11,12 +11,17 @@ $ORIGIN onlinesign.test. + ) + + ; NS info +- NS ns1.unsigned.test. ++ NS ns1.unsigned.test. + +- TXT "hello from onlinesign" ++ TXT "hello from onlinesign" + +-*.wild TXT "this is an onlinesign wildcard" ++*.wild TXT "this is an onlinesign wildcard" + + ; No A/AAAA record for the $ORIGIN +-sub A 10.0.0.133 +-secondsub A 10.0.0.134 ++sub A 10.0.0.133 ++secondsub A 10.0.0.134 ++ ++dual A 10.0.0.135 ++dual AAAA fd00:dead:beef:cafe::135 ++ ++ipv6 AAAA fd00:dead:beef:cafe::136 +diff --git a/test/knot-data/zones/root.zone b/test/knot-data/zones/root.zone +index 72439fdc55..f601e8676d 100644 +--- a/test/knot-data/zones/root.zone ++++ b/test/knot-data/zones/root.zone +@@ -8,7 +8,9 @@ $TTL 300 + 1D ; minimum TTL + ) + +-. NS ns1.unsigned.test +-ns1.unsigned.test A 10.0.0.1 ++. NS ns1.unsigned.test ++; NS glue records ++ns1.unsigned.test A 10.0.0.1 ++ns1.unsigned.test AAAA fd00:dead:beef:cafe::1 + +-test NS ns1.unsigned.test ++test NS ns1.unsigned.test +diff --git a/test/knot-data/zones/signed.test.zone b/test/knot-data/zones/signed.test.zone +index 38d8e2aa13..fa6706205a 100644 +--- a/test/knot-data/zones/signed.test.zone ++++ b/test/knot-data/zones/signed.test.zone +@@ -11,18 +11,27 @@ $ORIGIN signed.test. + ) + + ; NS info +- NS ns1.unsigned.test. ++ NS ns1.unsigned.test. + +-*.wild TXT "this is a wildcard" ++*.wild TXT "this is a wildcard" + +-@ MX 10 mail.signed.test. ++@ MX 10 mail.signed.test. + +- A 10.0.0.10 +-mail A 10.0.0.11 ++ A 10.0.0.10 ++mail A 10.0.0.11 ++mail AAAA fd00:dead:beef:cafe::11 + + ; https://github.com/systemd/systemd/issues/22002 +-dupe A 10.0.0.12 +-dupe A 10.0.0.13 ++dupe A 10.0.0.12 ++dupe A 10.0.0.13 ++dupe-ipv6 AAAA fd00:dead:beef:cafe::12 ++dupe-ipv6 AAAA fd00:dead:beef:cafe::13 ++dupe-mixed A 10.0.0.15 ++dupe-mixed A 10.0.0.16 ++dupe-mixed A 10.0.0.17 ++dupe-mixed AAAA fd00:dead:beef:cafe::15 ++dupe-mixed AAAA fd00:dead:beef:cafe::16 ++dupe-mixed AAAA fd00:dead:beef:cafe::17 + + ; CNAME_REDIRECTS_MAX is 16, so let's test something close to that + cname-chain CNAME follow1.signed.test. +diff --git a/test/knot-data/zones/test.zone b/test/knot-data/zones/test.zone +index 6cc2633082..ba5fcebc2d 100644 +--- a/test/knot-data/zones/test.zone ++++ b/test/knot-data/zones/test.zone +@@ -11,9 +11,11 @@ $ORIGIN test. + ) + + ; NS info +-@ NS ns1.unsigned +-ns1.signed A 10.0.0.1 ++@ NS ns1.unsigned ++; NS glue records ++ns1.unsigned A 10.0.0.1 ++ns1.unsigned AAAA fd00:dead:beef:cafe::1 + +-onlinesign NS ns1.unsigned +-signed NS ns1.unsigned +-unsigned NS ns1.unsigned ++onlinesign NS ns1.unsigned ++signed NS ns1.unsigned ++unsigned NS ns1.unsigned +diff --git a/test/knot-data/zones/unsigned.test.zone b/test/knot-data/zones/unsigned.test.zone +index 87d9437e2c..c5445d7672 100644 +--- a/test/knot-data/zones/unsigned.test.zone ++++ b/test/knot-data/zones/unsigned.test.zone +@@ -11,10 +11,12 @@ $ORIGIN unsigned.test. + ) + + ; NS info +-@ NS ns1.unsigned.test. +-ns1 A 10.0.0.1 ++@ NS ns1 ++ns1 A 10.0.0.1 ++ns1 AAAA fd00:dead:beef:cafe::1 + +-@ MX 15 mail.unsigned.test. ++@ MX 15 mail.unsigned.test. + +- A 10.0.0.101 +-mail A 10.0.0.111 ++ A 10.0.0.101 ++ AAAA fd00:dead:beef:cafe::101 ++mail A 10.0.0.111 +diff --git a/test/knot-data/zones/untrusted.test.zone b/test/knot-data/zones/untrusted.test.zone +index 6d29bd77fe..cf0dec5296 100644 +--- a/test/knot-data/zones/untrusted.test.zone ++++ b/test/knot-data/zones/untrusted.test.zone +@@ -11,11 +11,12 @@ $ORIGIN untrusted.test. + ) + + ; NS info +-@ NS ns1.unsigned.test. ++@ NS ns1.unsigned.test. + +-*.wild TXT "this is an untrusted wildcard" ++*.wild TXT "this is an untrusted wildcard" + +-@ MX 10 mail.untrusted.test. ++@ MX 10 mail.untrusted.test. + +- A 10.0.0.121 +-mail A 10.0.0.121 ++ A 10.0.0.121 ++ AAAA fd00:dead:beef:cafe::121 ++mail A 10.0.0.122 +diff --git a/test/units/testsuite-75.sh b/test/units/testsuite-75.sh +index 852caac605..76b8f5b3c7 100755 +--- a/test/units/testsuite-75.sh ++++ b/test/units/testsuite-75.sh +@@ -2,6 +2,12 @@ + # SPDX-License-Identifier: LGPL-2.1-or-later + # vi: ts=4 sw=4 tw=0 et: + ++# TODO: ++# - IPv6-only stack ++# - mDNS ++# - LLMNR ++# - DoT/DoH ++ + set -eux + set -o pipefail + +@@ -16,6 +22,15 @@ run() { + "$@" |& tee "$RUN_OUT" + } + ++disable_ipv6() { ++ sysctl -w net.ipv6.conf.all.disable_ipv6=1 ++} ++ ++enable_ipv6() { ++ sysctl -w net.ipv6.conf.all.disable_ipv6=0 ++ networkctl reconfigure dns0 ++} ++ + monitor_check_rr() ( + set +x + set +o pipefail +@@ -146,7 +161,10 @@ ip link del hoge.foo + ### SETUP ### + # Configure network + hostnamectl hostname ns1.unsigned.test +-echo "10.0.0.1 ns1.unsigned.test" >>/etc/hosts ++{ ++ echo "10.0.0.1 ns1.unsigned.test" ++ echo "fd00:dead:beef:cafe::1 ns1.unsigned.test" ++} >>/etc/hosts + + mkdir -p /etc/systemd/network + cat >/etc/systemd/network/dns0.netdev < +Date: Fri, 8 Jul 2022 18:12:47 +0200 +Subject: [PATCH] test: add a couple of SRV records to check service resolution + +(cherry picked from commit 3095bd2ccaf55f7c20567b990844dc2d9b451376) + +Related: #2138081 +--- + test/knot-data/zones/signed.test.zone | 8 ++++++++ + test/knot-data/zones/untrusted.test.zone | 4 ++++ + test/units/testsuite-75.sh | 17 +++++++++++++++++ + 3 files changed, 29 insertions(+) + +diff --git a/test/knot-data/zones/signed.test.zone b/test/knot-data/zones/signed.test.zone +index fa6706205a..6ddeb0048e 100644 +--- a/test/knot-data/zones/signed.test.zone ++++ b/test/knot-data/zones/signed.test.zone +@@ -49,3 +49,11 @@ follow11.yet.so.far CNAME follow12.getting.hot.signed.test. + follow12.getting.hot CNAME follow13.almost.final.signed.test. + follow13.almost.final CNAME follow14.final.signed.test. + follow14.final A 10.0.0.14 ++ ++myservice A 10.0.0.20 ++myservice AAAA fd00:dead:beef:cafe::17 ++_mysvc._tcp SRV 10 5 1234 myservice ++ ++_invalidsvc._udp SRV 5 5 1111 invalidservice ++ ++_untrustedsvc._udp SRV 5 5 1111 myservice.untrusted.test. +diff --git a/test/knot-data/zones/untrusted.test.zone b/test/knot-data/zones/untrusted.test.zone +index cf0dec5296..a0dca62ca8 100644 +--- a/test/knot-data/zones/untrusted.test.zone ++++ b/test/knot-data/zones/untrusted.test.zone +@@ -20,3 +20,7 @@ $ORIGIN untrusted.test. + A 10.0.0.121 + AAAA fd00:dead:beef:cafe::121 + mail A 10.0.0.122 ++ ++myservice A 10.0.0.123 ++ AAAA fd00:dead:beef:cafe::123 ++_mysvc._tcp SRV 10 5 1234 myservice +diff --git a/test/units/testsuite-75.sh b/test/units/testsuite-75.sh +index 76b8f5b3c7..66cc6c9d66 100755 +--- a/test/units/testsuite-75.sh ++++ b/test/units/testsuite-75.sh +@@ -367,6 +367,19 @@ grep -qF "status: NXDOMAIN" "$RUN_OUT" + run resolvectl query -t TXT this.should.be.authenticated.wild.signed.test + grep -qF 'this.should.be.authenticated.wild.signed.test IN TXT "this is a wildcard"' "$RUN_OUT" + grep -qF "authenticated: yes" "$RUN_OUT" ++# Check SRV support ++run resolvectl service _mysvc._tcp signed.test ++grep -qF "myservice.signed.test:1234" "$RUN_OUT" ++grep -qF "10.0.0.20" "$RUN_OUT" ++grep -qF "fd00:dead:beef:cafe::17" "$RUN_OUT" ++grep -qF "authenticated: yes" "$RUN_OUT" ++(! run resolvectl service _invalidsvc._udp signed.test) ++grep -qE "invalidservice\.signed\.test' not found" "$RUN_OUT" ++run resolvectl service _untrustedsvc._udp signed.test ++grep -qF "myservice.untrusted.test:1111" "$RUN_OUT" ++grep -qF "10.0.0.123" "$RUN_OUT" ++grep -qF "fd00:dead:beef:cafe::123" "$RUN_OUT" ++grep -qF "authenticated: yes" "$RUN_OUT" + + # DNSSEC validation with multiple records of the same type for the same name + # Issue: https://github.com/systemd/systemd/issues/22002 +@@ -479,6 +492,10 @@ grep -qF "untrusted.test:" "$RUN_OUT" + grep -qF "10.0.0.121" "$RUN_OUT" + grep -qF "fd00:dead:beef:cafe::121" "$RUN_OUT" + grep -qF "authenticated: no" "$RUN_OUT" ++run resolvectl service _mysvc._tcp untrusted.test ++grep -qF "myservice.untrusted.test:1234" "$RUN_OUT" ++grep -qF "10.0.0.123" "$RUN_OUT" ++grep -qF "fd00:dead:beef:cafe::123" "$RUN_OUT" + + # Issue: https://github.com/systemd/systemd/issues/19472 + # 1) Query for a non-existing RR should return NOERROR + NSEC (?), not NXDOMAIN diff --git a/SOURCES/0193-test-add-a-test-for-the-OPENPGPKEY-RR.patch b/SOURCES/0193-test-add-a-test-for-the-OPENPGPKEY-RR.patch new file mode 100644 index 0000000..d01c312 --- /dev/null +++ b/SOURCES/0193-test-add-a-test-for-the-OPENPGPKEY-RR.patch @@ -0,0 +1,52 @@ +From c1a79dbfdf667e965d8d390e6d395b64de1e2253 Mon Sep 17 00:00:00 2001 +From: Frantisek Sumsal +Date: Fri, 8 Jul 2022 20:23:13 +0200 +Subject: [PATCH] test: add a test for the OPENPGPKEY RR + +(cherry picked from commit 05bb428952d0a91c53398e8b20801af9fb7530f1) + +Related: #2138081 +--- + test/knot-data/zones/signed.test.zone | 14 ++++++++++++++ + test/units/testsuite-75.sh | 6 ++++++ + 2 files changed, 20 insertions(+) + +diff --git a/test/knot-data/zones/signed.test.zone b/test/knot-data/zones/signed.test.zone +index 6ddeb0048e..a2baac4284 100644 +--- a/test/knot-data/zones/signed.test.zone ++++ b/test/knot-data/zones/signed.test.zone +@@ -57,3 +57,17 @@ _mysvc._tcp SRV 10 5 1234 myservice + _invalidsvc._udp SRV 5 5 1111 invalidservice + + _untrustedsvc._udp SRV 5 5 1111 myservice.untrusted.test. ++ ++; OPENPGPKEY RR for mr.smith@signed.test ++; The hash was generated using `echo -ne mr.smith | sha256sum | head -c56` ++; and exported via `gpg --export mr.smith | base64` ++5a786cdc59c161cdafd818143705026636962198c66ed4c5b3da321e._openpgpkey OPENPGPKEY ( ++ mDMEYshhzhYJKwYBBAHaRw8BAQdAuU2RxKaycSdaR5YZ/q+/yoHeil/1WNRDVbpjPSd6QBa0GW1y ++ LnNtaXRoQHNpZ25lZC50ZXN0LnpvbmWImQQTFggAQRYhBIOXLJwlwowvXQVeJ3d9yvMKUDBWBQJi ++ yGHOAhsDBQkDwmcABQsJCAcCAiICBhUKCQgLAgQWAgMBAh4HAheAAAoJEHd9yvMKUDBWo6MA/2oC ++ zdnzMlK9gM5bNCFfPyagJfFfv7fW1l7WXTve6FJtAP0faW24ahE1okjmrsTUwqZHvDThysW5zTSt ++ j49S3JQDA7g4BGLIYc4SCisGAQQBl1UBBQEBB0CuNcTAt5AUE3seFN/Gm2euC+8dgtztyzoO/78K ++ ictFLAMBCAeIeAQYFggAIBYhBIOXLJwlwowvXQVeJ3d9yvMKUDBWBQJiyGHOAhsMAAoJEHd9yvMK ++ UDBWtxkA/jlbUgHpSoTKFNNTeXYbTz9jnoupe9eT4O3tU55ofwO7AQCa5ntSIuzDJ1E2iy7oOLOZ ++ m2ocNqpC7SULHhSKYfUWDg== ++) +diff --git a/test/units/testsuite-75.sh b/test/units/testsuite-75.sh +index 66cc6c9d66..d36cab2923 100755 +--- a/test/units/testsuite-75.sh ++++ b/test/units/testsuite-75.sh +@@ -380,6 +380,12 @@ grep -qF "myservice.untrusted.test:1111" "$RUN_OUT" + grep -qF "10.0.0.123" "$RUN_OUT" + grep -qF "fd00:dead:beef:cafe::123" "$RUN_OUT" + grep -qF "authenticated: yes" "$RUN_OUT" ++# Check OPENPGPKEY support ++run delv -t OPENPGPKEY 5a786cdc59c161cdafd818143705026636962198c66ed4c5b3da321e._openpgpkey.signed.test ++grep -qF "; fully validated" "$RUN_OUT" ++run resolvectl openpgp mr.smith@signed.test ++grep -qF "5a786cdc59c161cdafd818143705026636962198c66ed4c5b3da321e._openpgpkey.signed.test" "$RUN_OUT" ++grep -qF "authenticated: yes" "$RUN_OUT" + + # DNSSEC validation with multiple records of the same type for the same name + # Issue: https://github.com/systemd/systemd/issues/22002 diff --git a/SOURCES/0194-test-don-t-hang-indefinitely-on-no-match.patch b/SOURCES/0194-test-don-t-hang-indefinitely-on-no-match.patch new file mode 100644 index 0000000..3d67f31 --- /dev/null +++ b/SOURCES/0194-test-don-t-hang-indefinitely-on-no-match.patch @@ -0,0 +1,25 @@ +From 3da691ba7ed23db37930dff5452fe3c3dcd9a963 Mon Sep 17 00:00:00 2001 +From: Frantisek Sumsal +Date: Fri, 27 Jan 2023 14:29:42 +0100 +Subject: [PATCH] test: don't hang indefinitely on no match + +(cherry picked from commit 270e9dcdb8c7f0f3c8b56803d0ef7bbf867b9fd1) + +Related: #2138081 +--- + test/units/testsuite-75.sh | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/test/units/testsuite-75.sh b/test/units/testsuite-75.sh +index d36cab2923..ddd86d09bb 100755 +--- a/test/units/testsuite-75.sh ++++ b/test/units/testsuite-75.sh +@@ -41,7 +41,7 @@ monitor_check_rr() ( + # displayed. We turn off pipefail for this, since we don't care about the + # lhs of this pipe expression, we only care about the rhs' result to be + # clean +- journalctl -u resmontest.service --since "$since" -f --full | grep -m1 "$match" ++ timeout -v 30s journalctl -u resmontest.service --since "$since" -f --full | grep -m1 "$match" + ) + + # Test for resolvectl, resolvconf diff --git a/SOURCES/0195-test-ndisc-fix-memleak-and-fd-leak.patch b/SOURCES/0195-test-ndisc-fix-memleak-and-fd-leak.patch new file mode 100644 index 0000000..fd2c6e5 --- /dev/null +++ b/SOURCES/0195-test-ndisc-fix-memleak-and-fd-leak.patch @@ -0,0 +1,139 @@ +From 1d93f12c7068dedf9393f8d4d86335e1f40537c3 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Fri, 20 Jan 2023 14:37:12 +0900 +Subject: [PATCH] test-ndisc: fix memleak and fd leak + +Fixes issues reported at #22576. + +(cherry picked from commit 86d82cb8885afaac374225b945b2efc2a013cb7e) + +Related: #2138081 +--- + src/libsystemd-network/test-ndisc-ra.c | 20 ++++++-------------- + src/libsystemd-network/test-ndisc-rs.c | 21 ++++++++------------- + 2 files changed, 14 insertions(+), 27 deletions(-) + +diff --git a/src/libsystemd-network/test-ndisc-ra.c b/src/libsystemd-network/test-ndisc-ra.c +index 001df4d473..bd8c0fd426 100644 +--- a/src/libsystemd-network/test-ndisc-ra.c ++++ b/src/libsystemd-network/test-ndisc-ra.c +@@ -53,7 +53,6 @@ static uint8_t advertisement[] = { + + static bool test_stopped; + static int test_fd[2]; +-static sd_event_source *recv_router_advertisement; + static struct { + struct in6_addr address; + unsigned char prefixlen; +@@ -281,9 +280,9 @@ static int radv_recv(sd_event_source *s, int fd, uint32_t revents, void *userdat + } + + TEST(ra) { +- sd_event *e; +- sd_radv *ra; +- unsigned i; ++ _cleanup_(sd_event_unrefp) sd_event *e = NULL; ++ _cleanup_(sd_event_source_unrefp) sd_event_source *recv_router_advertisement = NULL; ++ _cleanup_(sd_radv_unrefp) sd_radv *ra = NULL; + + assert_se(socketpair(AF_UNIX, SOCK_SEQPACKET | SOCK_CLOEXEC | SOCK_NONBLOCK, 0, test_fd) >= 0); + +@@ -303,7 +302,7 @@ TEST(ra) { + assert_se(sd_radv_set_rdnss(ra, 60, &test_rdnss, 1) >= 0); + assert_se(sd_radv_set_dnssl(ra, 60, (char **)test_dnssl) >= 0); + +- for (i = 0; i < ELEMENTSOF(prefix); i++) { ++ for (unsigned i = 0; i < ELEMENTSOF(prefix); i++) { + sd_radv_prefix *p; + + printf("Test prefix %u\n", i); +@@ -324,8 +323,8 @@ TEST(ra) { + assert_se(!p); + } + +- assert_se(sd_event_add_io(e, &recv_router_advertisement, test_fd[0], +- EPOLLIN, radv_recv, ra) >= 0); ++ assert_se(sd_event_add_io(e, &recv_router_advertisement, test_fd[0], EPOLLIN, radv_recv, ra) >= 0); ++ assert_se(sd_event_source_set_io_fd_own(recv_router_advertisement, true) >= 0); + + assert_se(sd_event_add_time_relative(e, NULL, CLOCK_BOOTTIME, + 2 * USEC_PER_SEC, 0, +@@ -334,13 +333,6 @@ TEST(ra) { + assert_se(sd_radv_start(ra) >= 0); + + assert_se(sd_event_loop(e) >= 0); +- +- ra = sd_radv_unref(ra); +- assert_se(!ra); +- +- close(test_fd[0]); +- +- sd_event_unref(e); + } + + DEFINE_TEST_MAIN(LOG_DEBUG); +diff --git a/src/libsystemd-network/test-ndisc-rs.c b/src/libsystemd-network/test-ndisc-rs.c +index 3c679f60b5..e501b64377 100644 +--- a/src/libsystemd-network/test-ndisc-rs.c ++++ b/src/libsystemd-network/test-ndisc-rs.c +@@ -10,6 +10,7 @@ + #include "sd-ndisc.h" + + #include "alloc-util.h" ++#include "fd-util.h" + #include "hexdecoct.h" + #include "icmp6-util.h" + #include "socket-util.h" +@@ -255,8 +256,8 @@ static void test_callback(sd_ndisc *nd, sd_ndisc_event_t event, sd_ndisc_router + } + + TEST(rs) { +- sd_event *e; +- sd_ndisc *nd; ++ _cleanup_(sd_event_unrefp) sd_event *e = NULL; ++ _cleanup_(sd_ndisc_unrefp) sd_ndisc *nd = NULL; + + send_ra_function = send_ra; + +@@ -279,17 +280,13 @@ TEST(rs) { + assert_se(sd_ndisc_start(nd) >= 0); + assert_se(sd_ndisc_start(nd) >= 0); + assert_se(sd_ndisc_stop(nd) >= 0); ++ test_fd[1] = safe_close(test_fd[1]); + + assert_se(sd_ndisc_start(nd) >= 0); + + assert_se(sd_event_loop(e) >= 0); + +- nd = sd_ndisc_unref(nd); +- assert_se(!nd); +- +- close(test_fd[1]); +- +- sd_event_unref(e); ++ test_fd[1] = safe_close(test_fd[1]); + } + + static int test_timeout_value(uint8_t flags) { +@@ -342,8 +339,8 @@ static int test_timeout_value(uint8_t flags) { + } + + TEST(timeout) { +- sd_event *e; +- sd_ndisc *nd; ++ _cleanup_(sd_event_unrefp) sd_event *e = NULL; ++ _cleanup_(sd_ndisc_unrefp) sd_ndisc *nd = NULL; + + send_ra_function = test_timeout_value; + +@@ -367,9 +364,7 @@ TEST(timeout) { + + assert_se(sd_event_loop(e) >= 0); + +- nd = sd_ndisc_unref(nd); +- +- sd_event_unref(e); ++ test_fd[1] = safe_close(test_fd[1]); + } + + DEFINE_TEST_MAIN(LOG_DEBUG); diff --git a/SOURCES/0196-test-unit-name-fix-fd-leak.patch b/SOURCES/0196-test-unit-name-fix-fd-leak.patch new file mode 100644 index 0000000..272bfaa --- /dev/null +++ b/SOURCES/0196-test-unit-name-fix-fd-leak.patch @@ -0,0 +1,33 @@ +From a1ab44a859080aebd79355f58e57739ce4225e97 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Fri, 20 Jan 2023 14:54:44 +0900 +Subject: [PATCH] test-unit-name: fix fd leak + +Fixes an issue reported at https://github.com/systemd/systemd/issues/22576#issuecomment-1396774385. + +(cherry picked from commit 36f73b6c67afd9c826e612b751ea8f9249da7985) + +Related: #2138081 +--- + src/test/test-unit-name.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/src/test/test-unit-name.c b/src/test/test-unit-name.c +index 43fdb15d1c..eec4831b4e 100644 +--- a/src/test/test-unit-name.c ++++ b/src/test/test-unit-name.c +@@ -241,11 +241,13 @@ TEST_RET(unit_printf, .sd_booted = true) { + *user, *group, *uid, *gid, *home, *shell, + *tmp_dir, *var_tmp_dir; + _cleanup_(manager_freep) Manager *m = NULL; ++ _cleanup_close_ int fd = -EBADF; + Unit *u; + int r; + + _cleanup_(unlink_tempfilep) char filename[] = "/tmp/test-unit_printf.XXXXXX"; +- assert_se(mkostemp_safe(filename) >= 0); ++ fd = mkostemp_safe(filename); ++ assert_se(fd >= 0); + + /* Using the specifier functions is admittedly a bit circular, but we don't want to reimplement the + * logic a second time. We're at least testing that the hookup works. */ diff --git a/SOURCES/0197-test-bump-D-Bus-service-start-timeout-if-we-run-with.patch b/SOURCES/0197-test-bump-D-Bus-service-start-timeout-if-we-run-with.patch new file mode 100644 index 0000000..ba9252a --- /dev/null +++ b/SOURCES/0197-test-bump-D-Bus-service-start-timeout-if-we-run-with.patch @@ -0,0 +1,57 @@ +From f2a1b51350d535cbb6ed3a3d11071651e54f5c3c Mon Sep 17 00:00:00 2001 +From: Frantisek Sumsal +Date: Tue, 17 Jan 2023 18:04:30 +0100 +Subject: [PATCH] test: bump D-Bus service start timeout if we run without + accel + +The default (25s) doesn't seem to be enough in some cases (especially +in VMs without acceleration), causing spurious timeouts: + +[ 174.297658] dbus-daemon[647]: [system] Activating via systemd: service name='org.freedesktop.hostname1' unit='dbus-org.freedesktop.hostname1.service' requested by ':1.0' (uid=0 pid=645 comm="hostnamectl " label="kernel") +[ 184.202313] systemd[1]: systemd-update-utmp-runlevel.service: Consumed 1.253s CPU time. +[ 197.335422] systemd[1]: Started dbus.service. +[ 199.211468] testsuite-71.sh[639]: + assert_in 'Static hostname: H' '' +[ 199.347192] dbus-daemon[647]: [system] Failed to activate service 'org.freedesktop.hostname1': timed out (service_start_timeout=25000ms) +[ 199.394879] testsuite-71.sh[657]: + set +ex +[ 199.438918] testsuite-71.sh[657]: FAIL: 'Static hostname: H' not found in: +[ 200.966006] systemd-logind[631]: Watching system buttons on /dev/input/event0 (Power Button) +[ 201.008178] systemd-logind[631]: Watching system buttons on /dev/input/event1 (AT Translated Set 2 keyboard) +[ 201.034106] systemd-logind[631]: New seat seat0. +[ 201.238267] sh[658]: + systemctl poweroff --no-block +[ 201.329890] systemd[1]: Starting systemd-hostnamed.service... +[ 202.156622] systemd[1]: systemd-update-utmp-runlevel.service: Deactivated successfully. +[ 204.818913] hostnamectl[645]: Failed to query system properties: Connection timed out +[ 205.195583] systemd[1]: testsuite-71.service: Main process exited, code=exited, status=1/FAILURE +[ 205.227237] systemd[1]: testsuite-71.service: Failed with result 'exit-code'. +[ 205.712780] systemd[1]: Failed to start testsuite-71.service. + +(cherry picked from commit c78d18215b3e5b0f0896ddb1d0d72c666b5e830b) + +Related: #2138081 +--- + test/test-functions | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/test/test-functions b/test/test-functions +index 94e11a686a..6e4ea80d89 100644 +--- a/test/test-functions ++++ b/test/test-functions +@@ -1909,6 +1909,18 @@ install_dbus() { + + + EOF ++ ++ # If we run without KVM, bump the service start timeout ++ if ! get_bool "$QEMU_KVM"; then ++ cat >"$initdir/etc/dbus-1/system.d/service.timeout.conf" < ++ ++ ++ 60000 ++ ++EOF ++ fi + } + + install_user_dbus() { diff --git a/SOURCES/0198-test-bump-the-client-side-timeout-in-sd-bus-as-well.patch b/SOURCES/0198-test-bump-the-client-side-timeout-in-sd-bus-as-well.patch new file mode 100644 index 0000000..793739b --- /dev/null +++ b/SOURCES/0198-test-bump-the-client-side-timeout-in-sd-bus-as-well.patch @@ -0,0 +1,49 @@ +From 922c24e6b2074d63dd5554f2f0015a680958293e Mon Sep 17 00:00:00 2001 +From: Frantisek Sumsal +Date: Mon, 23 Jan 2023 18:40:38 +0100 +Subject: [PATCH] test: bump the client-side timeout in sd-bus as well + +Since c78d18215b D-Bus services now have 60s to start, but the client +side (sd-bus) still waits only for 25s before giving up: + +``` +[ 226.196380] testsuite-71.sh[556]: + assert_in 'Static hostname: H' '' +[ 226.332965] testsuite-71.sh[576]: + set +ex +[ 226.332965] testsuite-71.sh[576]: FAIL: 'Static hostname: H' not found in: +[ 228.910782] sh[577]: + systemctl poweroff --no-block +[ 232.255584] hostnamectl[565]: Failed to query system properties: Connection timed out +[ 236.827514] systemd[1]: end.service: Consumed 2.131s CPU time. +[ 237.476969] dbus-daemon[566]: [system] Successfully activated service 'org.freedesktop.hostname1' +[ 237.516308] systemd[1]: system-modprobe.slice: Consumed 1.533s CPU time. +[ 237.794635] systemd[1]: testsuite-71.service: Main process exited, code=exited, status=1/FAILURE +[ 237.818469] systemd[1]: testsuite-71.service: Failed with result 'exit-code'. +[ 237.931415] systemd[1]: Failed to start testsuite-71.service. +[ 238.000833] systemd[1]: testsuite-71.service: Consumed 5.651s CPU time. +[ 238.181030] systemd[1]: Reached target testsuite.target. +``` + +Let's override the timeout in sd-bus as well to mitigate this. + +Follow-up to c78d18215b3e5b0f0896ddb1d0d72c666b5e830b. + +(cherry picked from commit e0cbb739113b9e2fbb67b27099430c351f03315c) + +Related: #2138081 +--- + test/test-functions | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/test/test-functions b/test/test-functions +index 6e4ea80d89..1608644cbb 100644 +--- a/test/test-functions ++++ b/test/test-functions +@@ -1920,6 +1920,9 @@ EOF + 60000 + + EOF ++ # Bump the client-side timeout in sd-bus as well ++ mkdir -p "$initdir/etc/systemd/system.conf.d" ++ echo -e '[Manager]\nDefaultEnvironment=SYSTEMD_BUS_TIMEOUT=60' >"$initdir/etc/systemd/system.conf.d/bus-timeout.conf" + fi + } + diff --git a/SOURCES/0199-test-bump-the-container-spawn-timeout-to-60s.patch b/SOURCES/0199-test-bump-the-container-spawn-timeout-to-60s.patch new file mode 100644 index 0000000..7ee431e --- /dev/null +++ b/SOURCES/0199-test-bump-the-container-spawn-timeout-to-60s.patch @@ -0,0 +1,28 @@ +From 5b859cca580ee9c050486024ebd8cfdb34049008 Mon Sep 17 00:00:00 2001 +From: Frantisek Sumsal +Date: Mon, 23 Jan 2023 19:13:49 +0100 +Subject: [PATCH] test: bump the container spawn timeout to 60s + +As 30s might be not enough on busy systems (and we already bumped the +reboot timeout from 30s to 60s for this reason). + +(cherry picked from commit d932022ddfe021b1c49ffaf4d7dfe4093656f0c5) + +Related: #2138081 +--- + test/test-shutdown.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/test/test-shutdown.py b/test/test-shutdown.py +index e181f976be..13e18ecbaa 100755 +--- a/test/test-shutdown.py ++++ b/test/test-shutdown.py +@@ -17,7 +17,7 @@ def run(args): + logger.info("spawning test") + console = pexpect.spawn(args.command, args.arg, env={ + "TERM": "linux", +- }, encoding='utf-8', timeout=30) ++ }, encoding='utf-8', timeout=60) + + if args.verbose: + console.logfile = sys.stdout diff --git a/SOURCES/0200-network-fix-memleak.patch b/SOURCES/0200-network-fix-memleak.patch new file mode 100644 index 0000000..7fbbc98 --- /dev/null +++ b/SOURCES/0200-network-fix-memleak.patch @@ -0,0 +1,55 @@ +From 44d34632660f8456b7ca09510ed1b469541fac65 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Mon, 16 Jan 2023 22:07:06 +0900 +Subject: [PATCH] network: fix memleak + +Fixes a bug introduced by af2aea8bb64b0dc42ecbe5549216eb567681a803. + +Fixes #25883 and #25891. + +(cherry picked from commit 303dfa73b389e8f6dc58954e867c21724c1446f7) + +Related: #2138081 +--- + src/network/networkd-address.c | 6 +++++- + src/network/networkd-route.c | 6 +++++- + 2 files changed, 10 insertions(+), 2 deletions(-) + +diff --git a/src/network/networkd-address.c b/src/network/networkd-address.c +index 259cd312c9..4f8f95cba6 100644 +--- a/src/network/networkd-address.c ++++ b/src/network/networkd-address.c +@@ -1189,9 +1189,13 @@ int link_request_address( + + (void) address_get(link, address, &existing); + +- if (address->lifetime_valid_usec == 0) ++ if (address->lifetime_valid_usec == 0) { ++ if (consume_object) ++ address_free(address); ++ + /* The requested address is outdated. Let's remove it. */ + return address_remove_and_drop(existing); ++ } + + if (!existing) { + _cleanup_(address_freep) Address *tmp = NULL; +diff --git a/src/network/networkd-route.c b/src/network/networkd-route.c +index d1f3bab092..5214a8ad2c 100644 +--- a/src/network/networkd-route.c ++++ b/src/network/networkd-route.c +@@ -1437,9 +1437,13 @@ int link_request_route( + + (void) route_get(link->manager, link, route, &existing); + +- if (route->lifetime_usec == 0) ++ if (route->lifetime_usec == 0) { ++ if (consume_object) ++ route_free(route); ++ + /* The requested route is outdated. Let's remove it. */ + return route_remove_and_drop(existing); ++ } + + if (!existing) { + _cleanup_(route_freep) Route *tmp = NULL; diff --git a/SOURCES/0201-busctl-fix-introspecting-DBus-properties.patch b/SOURCES/0201-busctl-fix-introspecting-DBus-properties.patch new file mode 100644 index 0000000..8e5b3a4 --- /dev/null +++ b/SOURCES/0201-busctl-fix-introspecting-DBus-properties.patch @@ -0,0 +1,64 @@ +From 25e4d71e788ee7467e1d764c631de44d599e2b1c Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Fri, 13 Jan 2023 14:12:31 +0900 +Subject: [PATCH] busctl: fix introspecting DBus properties + +Follow-up for f2f7785d7a47ffa48ac929648794e1288509ddd8. + +Fixes #26033. + +(cherry picked from commit 2cbb171d20a07ec0a25296f167b0385de102d74e) + +Related: #2138081 +--- + src/busctl/busctl.c | 21 +++++++++++++++++++-- + 1 file changed, 19 insertions(+), 2 deletions(-) + +diff --git a/src/busctl/busctl.c b/src/busctl/busctl.c +index f57a5d605d..cc2d0e3458 100644 +--- a/src/busctl/busctl.c ++++ b/src/busctl/busctl.c +@@ -1022,10 +1022,11 @@ static int introspect(int argc, char **argv, void *userdata) { + + for (;;) { + Member *z; +- _cleanup_free_ char *buf = NULL; ++ _cleanup_free_ char *buf = NULL, *signature = NULL; + _cleanup_fclose_ FILE *mf = NULL; + size_t sz = 0; +- const char *name; ++ const char *name, *contents; ++ char type; + + r = sd_bus_message_enter_container(reply, 'e', "sv"); + if (r < 0) +@@ -1042,6 +1043,21 @@ static int introspect(int argc, char **argv, void *userdata) { + if (r < 0) + return bus_log_parse_error(r); + ++ r = sd_bus_message_peek_type(reply, &type, &contents); ++ if (r <= 0) ++ return bus_log_parse_error(r == 0 ? EINVAL : r); ++ ++ if (type == SD_BUS_TYPE_STRUCT_BEGIN) ++ signature = strjoin(CHAR_TO_STR(SD_BUS_TYPE_STRUCT_BEGIN), contents, CHAR_TO_STR(SD_BUS_TYPE_STRUCT_END)); ++ else if (type == SD_BUS_TYPE_DICT_ENTRY_BEGIN) ++ signature = strjoin(CHAR_TO_STR(SD_BUS_TYPE_DICT_ENTRY_BEGIN), contents, CHAR_TO_STR(SD_BUS_TYPE_DICT_ENTRY_END)); ++ else if (contents) ++ signature = strjoin(CHAR_TO_STR(type), contents); ++ else ++ signature = strdup(CHAR_TO_STR(type)); ++ if (!signature) ++ return log_oom(); ++ + mf = open_memstream_unlocked(&buf, &sz); + if (!mf) + return log_oom(); +@@ -1055,6 +1071,7 @@ static int introspect(int argc, char **argv, void *userdata) { + z = set_get(members, &((Member) { + .type = "property", + .interface = m->interface, ++ .signature = signature, + .name = (char*) name })); + if (z) + free_and_replace(z->value, buf); diff --git a/SOURCES/0202-busctl-simplify-peeking-the-type.patch b/SOURCES/0202-busctl-simplify-peeking-the-type.patch new file mode 100644 index 0000000..6c0cc51 --- /dev/null +++ b/SOURCES/0202-busctl-simplify-peeking-the-type.patch @@ -0,0 +1,82 @@ +From ae1806eea8c688c6561b5f7dcbaa6f682233b73e Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Mon, 16 Jan 2023 14:16:14 +0100 +Subject: [PATCH] busctl: simplify peeking the type + +let's peek the type before we enter the variant, not after, so that we +can reuse it as-is, instead having to recombine it later. + +Follow-up for: #26049 + +(cherry picked from commit ec56edf55c26ed2c65cf8e86b81ab0b516c94dd9) + +Related: #2138081 +--- + src/busctl/busctl.c | 30 ++++++++++-------------------- + 1 file changed, 10 insertions(+), 20 deletions(-) + +diff --git a/src/busctl/busctl.c b/src/busctl/busctl.c +index cc2d0e3458..901b0e15f6 100644 +--- a/src/busctl/busctl.c ++++ b/src/busctl/busctl.c +@@ -1021,17 +1021,16 @@ static int introspect(int argc, char **argv, void *userdata) { + return bus_log_parse_error(r); + + for (;;) { +- Member *z; +- _cleanup_free_ char *buf = NULL, *signature = NULL; + _cleanup_fclose_ FILE *mf = NULL; +- size_t sz = 0; ++ _cleanup_free_ char *buf = NULL; + const char *name, *contents; ++ size_t sz = 0; ++ Member *z; + char type; + + r = sd_bus_message_enter_container(reply, 'e', "sv"); + if (r < 0) + return bus_log_parse_error(r); +- + if (r == 0) + break; + +@@ -1039,24 +1038,15 @@ static int introspect(int argc, char **argv, void *userdata) { + if (r < 0) + return bus_log_parse_error(r); + +- r = sd_bus_message_enter_container(reply, 'v', NULL); ++ r = sd_bus_message_peek_type(reply, &type, &contents); + if (r < 0) + return bus_log_parse_error(r); ++ if (type != 'v') ++ return bus_log_parse_error(EINVAL); + +- r = sd_bus_message_peek_type(reply, &type, &contents); +- if (r <= 0) +- return bus_log_parse_error(r == 0 ? EINVAL : r); +- +- if (type == SD_BUS_TYPE_STRUCT_BEGIN) +- signature = strjoin(CHAR_TO_STR(SD_BUS_TYPE_STRUCT_BEGIN), contents, CHAR_TO_STR(SD_BUS_TYPE_STRUCT_END)); +- else if (type == SD_BUS_TYPE_DICT_ENTRY_BEGIN) +- signature = strjoin(CHAR_TO_STR(SD_BUS_TYPE_DICT_ENTRY_BEGIN), contents, CHAR_TO_STR(SD_BUS_TYPE_DICT_ENTRY_END)); +- else if (contents) +- signature = strjoin(CHAR_TO_STR(type), contents); +- else +- signature = strdup(CHAR_TO_STR(type)); +- if (!signature) +- return log_oom(); ++ r = sd_bus_message_enter_container(reply, 'v', contents); ++ if (r < 0) ++ return bus_log_parse_error(r); + + mf = open_memstream_unlocked(&buf, &sz); + if (!mf) +@@ -1071,7 +1061,7 @@ static int introspect(int argc, char **argv, void *userdata) { + z = set_get(members, &((Member) { + .type = "property", + .interface = m->interface, +- .signature = signature, ++ .signature = (char*) contents, + .name = (char*) name })); + if (z) + free_and_replace(z->value, buf); diff --git a/SOURCES/0203-resolve-drop-redundant-call-of-socket_ipv6_is_suppor.patch b/SOURCES/0203-resolve-drop-redundant-call-of-socket_ipv6_is_suppor.patch new file mode 100644 index 0000000..f5b41ed --- /dev/null +++ b/SOURCES/0203-resolve-drop-redundant-call-of-socket_ipv6_is_suppor.patch @@ -0,0 +1,29 @@ +From fb589eae3231c6d968b116774097c90a64755f19 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Fri, 4 Nov 2022 12:53:07 +0900 +Subject: [PATCH] resolve: drop redundant call of socket_ipv6_is_supported() + +As link_relevant() is called with AF_INET6, which returns true only when +the link has at least one relevant IPv6 address. + +(cherry picked from commit f6e4aa7b0370c8b39739e9d5dda780932489507a) + +Related: #2138081 +--- + src/resolve/resolved-link.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/src/resolve/resolved-link.c b/src/resolve/resolved-link.c +index 9ab55eb82e..409d725686 100644 +--- a/src/resolve/resolved-link.c ++++ b/src/resolve/resolved-link.c +@@ -152,8 +152,7 @@ void link_allocate_scopes(Link *l) { + + if (link_relevant(l, AF_INET6, true) && + l->llmnr_support != RESOLVE_SUPPORT_NO && +- l->manager->llmnr_support != RESOLVE_SUPPORT_NO && +- socket_ipv6_is_supported()) { ++ l->manager->llmnr_support != RESOLVE_SUPPORT_NO) { + if (!l->llmnr_ipv6_scope) { + r = dns_scope_new(l->manager, &l->llmnr_ipv6_scope, l, DNS_PROTOCOL_LLMNR, AF_INET6); + if (r < 0) diff --git a/SOURCES/0204-resolve-introduce-link_get_llmnr_support-and-link_ge.patch b/SOURCES/0204-resolve-introduce-link_get_llmnr_support-and-link_ge.patch new file mode 100644 index 0000000..e9838bf --- /dev/null +++ b/SOURCES/0204-resolve-introduce-link_get_llmnr_support-and-link_ge.patch @@ -0,0 +1,181 @@ +From d34f971ad09e43f583ff570e26c87e6cdc83d69d Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Fri, 4 Nov 2022 12:53:07 +0900 +Subject: [PATCH] resolve: introduce link_get_llmnr_support() and + link_get_mdns_support() + +(cherry picked from commit bce459e3275249574f2142236275b2c33a9f88e3) + +Related: #2138081 +--- + src/resolve/resolved-link.c | 49 ++++++++++++++++++++++--------------- + src/resolve/resolved-link.h | 3 +++ + src/shared/resolve-util.h | 3 ++- + 3 files changed, 34 insertions(+), 21 deletions(-) + +diff --git a/src/resolve/resolved-link.c b/src/resolve/resolved-link.c +index 409d725686..86112f3a3b 100644 +--- a/src/resolve/resolved-link.c ++++ b/src/resolve/resolved-link.c +@@ -140,8 +140,7 @@ void link_allocate_scopes(Link *l) { + l->unicast_scope = dns_scope_free(l->unicast_scope); + + if (link_relevant(l, AF_INET, true) && +- l->llmnr_support != RESOLVE_SUPPORT_NO && +- l->manager->llmnr_support != RESOLVE_SUPPORT_NO) { ++ link_get_llmnr_support(l) != RESOLVE_SUPPORT_NO) { + if (!l->llmnr_ipv4_scope) { + r = dns_scope_new(l->manager, &l->llmnr_ipv4_scope, l, DNS_PROTOCOL_LLMNR, AF_INET); + if (r < 0) +@@ -151,8 +150,7 @@ void link_allocate_scopes(Link *l) { + l->llmnr_ipv4_scope = dns_scope_free(l->llmnr_ipv4_scope); + + if (link_relevant(l, AF_INET6, true) && +- l->llmnr_support != RESOLVE_SUPPORT_NO && +- l->manager->llmnr_support != RESOLVE_SUPPORT_NO) { ++ link_get_llmnr_support(l) != RESOLVE_SUPPORT_NO) { + if (!l->llmnr_ipv6_scope) { + r = dns_scope_new(l->manager, &l->llmnr_ipv6_scope, l, DNS_PROTOCOL_LLMNR, AF_INET6); + if (r < 0) +@@ -162,8 +160,7 @@ void link_allocate_scopes(Link *l) { + l->llmnr_ipv6_scope = dns_scope_free(l->llmnr_ipv6_scope); + + if (link_relevant(l, AF_INET, true) && +- l->mdns_support != RESOLVE_SUPPORT_NO && +- l->manager->mdns_support != RESOLVE_SUPPORT_NO) { ++ link_get_mdns_support(l) != RESOLVE_SUPPORT_NO) { + if (!l->mdns_ipv4_scope) { + r = dns_scope_new(l->manager, &l->mdns_ipv4_scope, l, DNS_PROTOCOL_MDNS, AF_INET); + if (r < 0) +@@ -173,8 +170,7 @@ void link_allocate_scopes(Link *l) { + l->mdns_ipv4_scope = dns_scope_free(l->mdns_ipv4_scope); + + if (link_relevant(l, AF_INET6, true) && +- l->mdns_support != RESOLVE_SUPPORT_NO && +- l->manager->mdns_support != RESOLVE_SUPPORT_NO) { ++ link_get_mdns_support(l) != RESOLVE_SUPPORT_NO) { + if (!l->mdns_ipv6_scope) { + r = dns_scope_new(l->manager, &l->mdns_ipv6_scope, l, DNS_PROTOCOL_MDNS, AF_INET6); + if (r < 0) +@@ -191,8 +187,7 @@ void link_add_rrs(Link *l, bool force_remove) { + link_address_add_rrs(a, force_remove); + + if (!force_remove && +- l->mdns_support == RESOLVE_SUPPORT_YES && +- l->manager->mdns_support == RESOLVE_SUPPORT_YES) { ++ link_get_mdns_support(l) == RESOLVE_SUPPORT_YES) { + + if (l->mdns_ipv4_scope) { + r = dns_scope_add_dnssd_services(l->mdns_ipv4_scope); +@@ -651,13 +646,13 @@ int link_update(Link *l) { + if (r < 0) + return r; + +- if (l->llmnr_support != RESOLVE_SUPPORT_NO) { ++ if (link_get_llmnr_support(l) != RESOLVE_SUPPORT_NO) { + r = manager_llmnr_start(l->manager); + if (r < 0) + return r; + } + +- if (l->mdns_support != RESOLVE_SUPPORT_NO) { ++ if (link_get_mdns_support(l) != RESOLVE_SUPPORT_NO) { + r = manager_mdns_start(l->manager); + if (r < 0) + return r; +@@ -802,6 +797,24 @@ bool link_dnssec_supported(Link *l) { + return true; + } + ++ResolveSupport link_get_llmnr_support(Link *link) { ++ assert(link); ++ assert(link->manager); ++ ++ /* This provides the effective LLMNR support level for the link, instead of the 'internal' per-link setting. */ ++ ++ return MIN(link->llmnr_support, link->manager->llmnr_support); ++} ++ ++ResolveSupport link_get_mdns_support(Link *link) { ++ assert(link); ++ assert(link->manager); ++ ++ /* This provides the effective mDNS support level for the link, instead of the 'internal' per-link setting. */ ++ ++ return MIN(link->mdns_support, link->manager->mdns_support); ++} ++ + int link_address_new(Link *l, LinkAddress **ret, int family, const union in_addr_union *in_addr) { + LinkAddress *a; + +@@ -885,8 +898,7 @@ void link_address_add_rrs(LinkAddress *a, bool force_remove) { + if (!force_remove && + link_address_relevant(a, true) && + a->link->llmnr_ipv4_scope && +- a->link->llmnr_support == RESOLVE_SUPPORT_YES && +- a->link->manager->llmnr_support == RESOLVE_SUPPORT_YES) { ++ link_get_llmnr_support(a->link) == RESOLVE_SUPPORT_YES) { + + if (!a->link->manager->llmnr_host_ipv4_key) { + a->link->manager->llmnr_host_ipv4_key = dns_resource_key_new(DNS_CLASS_IN, DNS_TYPE_A, a->link->manager->llmnr_hostname); +@@ -939,8 +951,7 @@ void link_address_add_rrs(LinkAddress *a, bool force_remove) { + if (!force_remove && + link_address_relevant(a, true) && + a->link->mdns_ipv4_scope && +- a->link->mdns_support == RESOLVE_SUPPORT_YES && +- a->link->manager->mdns_support == RESOLVE_SUPPORT_YES) { ++ link_get_mdns_support(a->link) == RESOLVE_SUPPORT_YES) { + if (!a->link->manager->mdns_host_ipv4_key) { + a->link->manager->mdns_host_ipv4_key = dns_resource_key_new(DNS_CLASS_IN, DNS_TYPE_A, a->link->manager->mdns_hostname); + if (!a->link->manager->mdns_host_ipv4_key) { +@@ -995,8 +1006,7 @@ void link_address_add_rrs(LinkAddress *a, bool force_remove) { + if (!force_remove && + link_address_relevant(a, true) && + a->link->llmnr_ipv6_scope && +- a->link->llmnr_support == RESOLVE_SUPPORT_YES && +- a->link->manager->llmnr_support == RESOLVE_SUPPORT_YES) { ++ link_get_llmnr_support(a->link) == RESOLVE_SUPPORT_YES) { + + if (!a->link->manager->llmnr_host_ipv6_key) { + a->link->manager->llmnr_host_ipv6_key = dns_resource_key_new(DNS_CLASS_IN, DNS_TYPE_AAAA, a->link->manager->llmnr_hostname); +@@ -1049,8 +1059,7 @@ void link_address_add_rrs(LinkAddress *a, bool force_remove) { + if (!force_remove && + link_address_relevant(a, true) && + a->link->mdns_ipv6_scope && +- a->link->mdns_support == RESOLVE_SUPPORT_YES && +- a->link->manager->mdns_support == RESOLVE_SUPPORT_YES) { ++ link_get_mdns_support(a->link) == RESOLVE_SUPPORT_YES) { + + if (!a->link->manager->mdns_host_ipv6_key) { + a->link->manager->mdns_host_ipv6_key = dns_resource_key_new(DNS_CLASS_IN, DNS_TYPE_AAAA, a->link->manager->mdns_hostname); +diff --git a/src/resolve/resolved-link.h b/src/resolve/resolved-link.h +index b5299e0b5b..d2043a1000 100644 +--- a/src/resolve/resolved-link.h ++++ b/src/resolve/resolved-link.h +@@ -104,6 +104,9 @@ bool link_dnssec_supported(Link *l); + + DnsOverTlsMode link_get_dns_over_tls_mode(Link *l); + ++ResolveSupport link_get_llmnr_support(Link *link); ++ResolveSupport link_get_mdns_support(Link *link); ++ + int link_save_user(Link *l); + int link_load_user(Link *l); + void link_remove_user(Link *l); +diff --git a/src/shared/resolve-util.h b/src/shared/resolve-util.h +index d9ab387301..e58173d864 100644 +--- a/src/shared/resolve-util.h ++++ b/src/shared/resolve-util.h +@@ -25,10 +25,11 @@ typedef enum ResolveSupport ResolveSupport; + typedef enum DnssecMode DnssecMode; + typedef enum DnsOverTlsMode DnsOverTlsMode; + ++/* Do not change the order, see link_get_llmnr_support() or link_get_mdns_support(). */ + enum ResolveSupport { + RESOLVE_SUPPORT_NO, +- RESOLVE_SUPPORT_YES, + RESOLVE_SUPPORT_RESOLVE, ++ RESOLVE_SUPPORT_YES, + _RESOLVE_SUPPORT_MAX, + _RESOLVE_SUPPORT_INVALID = -EINVAL, + }; diff --git a/SOURCES/0205-resolve-provide-effective-supporting-levels-of-mDNS-.patch b/SOURCES/0205-resolve-provide-effective-supporting-levels-of-mDNS-.patch new file mode 100644 index 0000000..52ed54f --- /dev/null +++ b/SOURCES/0205-resolve-provide-effective-supporting-levels-of-mDNS-.patch @@ -0,0 +1,42 @@ +From f04078d864c969c7694a2cd131ca9eff75c15ce8 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Fri, 4 Nov 2022 12:53:07 +0900 +Subject: [PATCH] resolve: provide effective supporting levels of mDNS and + LLMNR + +The per-link settings are ignored if the feature is disabled by the global setting. +Let's announce the effective level, to make not users confused. + +Closes #24863. + +(cherry picked from commit dc167037c4e7407bf597a65224c736874abeca11) + +Related: #2138081 +--- + src/resolve/resolved-link-bus.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/src/resolve/resolved-link-bus.c b/src/resolve/resolved-link-bus.c +index a817b1b453..1f7d092112 100644 +--- a/src/resolve/resolved-link-bus.c ++++ b/src/resolve/resolved-link-bus.c +@@ -22,6 +22,8 @@ + + static BUS_DEFINE_PROPERTY_GET(property_get_dnssec_supported, "b", Link, link_dnssec_supported); + static BUS_DEFINE_PROPERTY_GET2(property_get_dnssec_mode, "s", Link, link_get_dnssec_mode, dnssec_mode_to_string); ++static BUS_DEFINE_PROPERTY_GET2(property_get_llmnr_support, "s", Link, link_get_llmnr_support, resolve_support_to_string); ++static BUS_DEFINE_PROPERTY_GET2(property_get_mdns_support, "s", Link, link_get_mdns_support, resolve_support_to_string); + + static int property_get_dns_over_tls_mode( + sd_bus *bus, +@@ -864,8 +866,8 @@ static const sd_bus_vtable link_vtable[] = { + SD_BUS_PROPERTY("CurrentDNSServerEx", "(iayqs)", property_get_current_dns_server_ex, offsetof(Link, current_dns_server), 0), + SD_BUS_PROPERTY("Domains", "a(sb)", property_get_domains, 0, 0), + SD_BUS_PROPERTY("DefaultRoute", "b", property_get_default_route, 0, 0), +- SD_BUS_PROPERTY("LLMNR", "s", bus_property_get_resolve_support, offsetof(Link, llmnr_support), 0), +- SD_BUS_PROPERTY("MulticastDNS", "s", bus_property_get_resolve_support, offsetof(Link, mdns_support), 0), ++ SD_BUS_PROPERTY("LLMNR", "s", property_get_llmnr_support, 0, 0), ++ SD_BUS_PROPERTY("MulticastDNS", "s", property_get_mdns_support, 0, 0), + SD_BUS_PROPERTY("DNSOverTLS", "s", property_get_dns_over_tls_mode, 0, 0), + SD_BUS_PROPERTY("DNSSEC", "s", property_get_dnssec_mode, 0, 0), + SD_BUS_PROPERTY("DNSSECNegativeTrustAnchors", "as", property_get_ntas, 0, 0), diff --git a/SOURCES/0206-resolvectl-warn-if-the-global-mDNS-or-LLMNR-support-.patch b/SOURCES/0206-resolvectl-warn-if-the-global-mDNS-or-LLMNR-support-.patch new file mode 100644 index 0000000..e7e7aff --- /dev/null +++ b/SOURCES/0206-resolvectl-warn-if-the-global-mDNS-or-LLMNR-support-.patch @@ -0,0 +1,89 @@ +From 4b911f2d385feb8153dacaf923108fc6d00fa149 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Fri, 4 Nov 2022 13:11:55 +0900 +Subject: [PATCH] resolvectl: warn if the global mDNS or LLMNR support level is + lower than the requested one + +(cherry picked from commit c38a03df4af78721f45947ffa2013554d81954a4) + +Related: #2138081 +--- + src/resolve/resolvectl.c | 37 +++++++++++++++++++++++++++++++++++++ + 1 file changed, 37 insertions(+) + +diff --git a/src/resolve/resolvectl.c b/src/resolve/resolvectl.c +index 2a7347ca27..c52773508f 100644 +--- a/src/resolve/resolvectl.c ++++ b/src/resolve/resolvectl.c +@@ -32,6 +32,7 @@ + #include "pretty-print.h" + #include "process-util.h" + #include "resolvconf-compat.h" ++#include "resolve-util.h" + #include "resolvectl.h" + #include "resolved-def.h" + #include "resolved-dns-packet.h" +@@ -2280,6 +2281,8 @@ static int verb_default_route(int argc, char **argv, void *userdata) { + + static int verb_llmnr(int argc, char **argv, void *userdata) { + _cleanup_(sd_bus_error_free) sd_bus_error error = SD_BUS_ERROR_NULL; ++ _cleanup_free_ char *global_llmnr_support_str = NULL; ++ ResolveSupport global_llmnr_support, llmnr_support; + sd_bus *bus = ASSERT_PTR(userdata); + int r; + +@@ -2295,6 +2298,22 @@ static int verb_llmnr(int argc, char **argv, void *userdata) { + if (argc < 3) + return status_ifindex(bus, arg_ifindex, NULL, STATUS_LLMNR, NULL); + ++ llmnr_support = resolve_support_from_string(argv[2]); ++ if (llmnr_support < 0) ++ return log_error_errno(llmnr_support, "Invalid LLMNR setting: %s", argv[2]); ++ ++ r = bus_get_property_string(bus, bus_resolve_mgr, "LLMNR", &error, &global_llmnr_support_str); ++ if (r < 0) ++ return log_error_errno(r, "Failed to get the global LLMNR support state: %s", bus_error_message(&error, r)); ++ ++ global_llmnr_support = resolve_support_from_string(global_llmnr_support_str); ++ if (global_llmnr_support < 0) ++ return log_error_errno(global_llmnr_support, "Received invalid global LLMNR setting: %s", global_llmnr_support_str); ++ ++ if (global_llmnr_support < llmnr_support) ++ log_warning("Setting LLMNR support level \"%s\" for \"%s\", but the global support level is \"%s\".", ++ argv[2], arg_ifname, global_llmnr_support_str); ++ + r = bus_call_method(bus, bus_resolve_mgr, "SetLinkLLMNR", &error, NULL, "is", arg_ifindex, argv[2]); + if (r < 0 && sd_bus_error_has_name(&error, BUS_ERROR_LINK_BUSY)) { + sd_bus_error_free(&error); +@@ -2314,6 +2333,8 @@ static int verb_llmnr(int argc, char **argv, void *userdata) { + + static int verb_mdns(int argc, char **argv, void *userdata) { + _cleanup_(sd_bus_error_free) sd_bus_error error = SD_BUS_ERROR_NULL; ++ _cleanup_free_ char *global_mdns_support_str = NULL; ++ ResolveSupport global_mdns_support, mdns_support; + sd_bus *bus = ASSERT_PTR(userdata); + int r; + +@@ -2329,6 +2350,22 @@ static int verb_mdns(int argc, char **argv, void *userdata) { + if (argc < 3) + return status_ifindex(bus, arg_ifindex, NULL, STATUS_MDNS, NULL); + ++ mdns_support = resolve_support_from_string(argv[2]); ++ if (mdns_support < 0) ++ return log_error_errno(mdns_support, "Invalid mDNS setting: %s", argv[2]); ++ ++ r = bus_get_property_string(bus, bus_resolve_mgr, "MulticastDNS", &error, &global_mdns_support_str); ++ if (r < 0) ++ return log_error_errno(r, "Failed to get the global mDNS support state: %s", bus_error_message(&error, r)); ++ ++ global_mdns_support = resolve_support_from_string(global_mdns_support_str); ++ if (global_mdns_support < 0) ++ return log_error_errno(global_mdns_support, "Received invalid global mDNS setting: %s", global_mdns_support_str); ++ ++ if (global_mdns_support < mdns_support) ++ log_warning("Setting mDNS support level \"%s\" for \"%s\", but the global support level is \"%s\".", ++ argv[2], arg_ifname, global_mdns_support_str); ++ + r = bus_call_method(bus, bus_resolve_mgr, "SetLinkMulticastDNS", &error, NULL, "is", arg_ifindex, argv[2]); + if (r < 0 && sd_bus_error_has_name(&error, BUS_ERROR_LINK_BUSY)) { + sd_bus_error_free(&error); diff --git a/SOURCES/0207-resolve-enable-per-link-mDNS-setting-by-default.patch b/SOURCES/0207-resolve-enable-per-link-mDNS-setting-by-default.patch new file mode 100644 index 0000000..7daa0e6 --- /dev/null +++ b/SOURCES/0207-resolve-enable-per-link-mDNS-setting-by-default.patch @@ -0,0 +1,71 @@ +From 11132a6c20b64eb14a3386ff480086b5bae72146 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Fri, 4 Nov 2022 12:06:21 +0900 +Subject: [PATCH] resolve: enable per-link mDNS setting by default + +Otherwise, if the link is not managed by systemd-networkd, mDNS cannot +be enabled without calling `resolvectl` explicitly. + +Fixes #25252. + +(cherry picked from commit e31540196b8fb136a8f197c7a26d851bd0b93329) + +Related: #2138081 +--- + src/resolve/resolved-link-bus.c | 2 +- + src/resolve/resolved-link.c | 8 ++++---- + 2 files changed, 5 insertions(+), 5 deletions(-) + +diff --git a/src/resolve/resolved-link-bus.c b/src/resolve/resolved-link-bus.c +index 1f7d092112..9b6d14f20c 100644 +--- a/src/resolve/resolved-link-bus.c ++++ b/src/resolve/resolved-link-bus.c +@@ -562,7 +562,7 @@ int bus_link_method_set_mdns(sd_bus_message *message, void *userdata, sd_bus_err + return r; + + if (isempty(mdns)) +- mode = RESOLVE_SUPPORT_NO; ++ mode = RESOLVE_SUPPORT_YES; + else { + mode = resolve_support_from_string(mdns); + if (mode < 0) +diff --git a/src/resolve/resolved-link.c b/src/resolve/resolved-link.c +index 86112f3a3b..d41f6f3e54 100644 +--- a/src/resolve/resolved-link.c ++++ b/src/resolve/resolved-link.c +@@ -37,7 +37,7 @@ int link_new(Manager *m, Link **ret, int ifindex) { + .ifindex = ifindex, + .default_route = -1, + .llmnr_support = RESOLVE_SUPPORT_YES, +- .mdns_support = RESOLVE_SUPPORT_NO, ++ .mdns_support = RESOLVE_SUPPORT_YES, + .dnssec_mode = _DNSSEC_MODE_INVALID, + .dns_over_tls_mode = _DNS_OVER_TLS_MODE_INVALID, + .operstate = IF_OPER_UNKNOWN, +@@ -64,7 +64,7 @@ void link_flush_settings(Link *l) { + + l->default_route = -1; + l->llmnr_support = RESOLVE_SUPPORT_YES; +- l->mdns_support = RESOLVE_SUPPORT_NO; ++ l->mdns_support = RESOLVE_SUPPORT_YES; + l->dnssec_mode = _DNSSEC_MODE_INVALID; + l->dns_over_tls_mode = _DNS_OVER_TLS_MODE_INVALID; + +@@ -354,7 +354,7 @@ static int link_update_mdns_support(Link *l) { + + assert(l); + +- l->mdns_support = RESOLVE_SUPPORT_NO; ++ l->mdns_support = RESOLVE_SUPPORT_YES; + + r = sd_network_link_get_mdns(l->ifindex, &b); + if (r == -ENODATA) +@@ -1156,7 +1156,7 @@ static bool link_needs_save(Link *l) { + return false; + + if (l->llmnr_support != RESOLVE_SUPPORT_YES || +- l->mdns_support != RESOLVE_SUPPORT_NO || ++ l->mdns_support != RESOLVE_SUPPORT_YES || + l->dnssec_mode != _DNSSEC_MODE_INVALID || + l->dns_over_tls_mode != _DNS_OVER_TLS_MODE_INVALID) + return true; diff --git a/SOURCES/0208-nss-myhostname-fix-inverted-condition-in.patch b/SOURCES/0208-nss-myhostname-fix-inverted-condition-in.patch new file mode 100644 index 0000000..9f6b7f1 --- /dev/null +++ b/SOURCES/0208-nss-myhostname-fix-inverted-condition-in.patch @@ -0,0 +1,27 @@ +From 0858da8425a71641fe32222bc91c060856dcb217 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Thu, 9 Feb 2023 05:55:42 +0900 +Subject: [PATCH] nss-myhostname: fix inverted condition in + +Fixes a bug introduced by db50d326a46beca3cc24b6354b6e1b3591902d45. + +(cherry picked from commit a3b993ca3fb6fc0b837745c1ae82aca684951842) + +Resolves: #2167468 +--- + src/nss-myhostname/nss-myhostname.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/nss-myhostname/nss-myhostname.c b/src/nss-myhostname/nss-myhostname.c +index 120e76be45..93db9d16e7 100644 +--- a/src/nss-myhostname/nss-myhostname.c ++++ b/src/nss-myhostname/nss-myhostname.c +@@ -460,7 +460,7 @@ enum nss_status _nss_myhostname_gethostbyaddr2_r( + } else { + assert(af == AF_INET6); + +- if (socket_ipv6_is_enabled()) ++ if (!socket_ipv6_is_enabled()) + goto not_found; + + if (memcmp(addr, LOCALADDRESS_IPV6, 16) == 0) { diff --git a/SOURCES/0209-nss-myhostname-do-not-return-empty-result-with-NSS_S.patch b/SOURCES/0209-nss-myhostname-do-not-return-empty-result-with-NSS_S.patch new file mode 100644 index 0000000..69576e1 --- /dev/null +++ b/SOURCES/0209-nss-myhostname-do-not-return-empty-result-with-NSS_S.patch @@ -0,0 +1,34 @@ +From 86bbeff62982404dc76e79d3dad8a8c59308d017 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Thu, 9 Feb 2023 06:07:13 +0900 +Subject: [PATCH] nss-myhostname: do not return empty result with + NSS_STATUS_SUCCESS + +Fixes a bug introduced by db50d326a46beca3cc24b6354b6e1b3591902d45. + +Fixes RHBZ#2167468 (https://bugzilla.redhat.com/show_bug.cgi?id=2167468). + +(cherry picked from commit 1c3762937e9184c9abbc8d5541b4228841ccc24f) + +Resolves: #2167468 +--- + src/nss-myhostname/nss-myhostname.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/src/nss-myhostname/nss-myhostname.c b/src/nss-myhostname/nss-myhostname.c +index 93db9d16e7..d574e98a71 100644 +--- a/src/nss-myhostname/nss-myhostname.c ++++ b/src/nss-myhostname/nss-myhostname.c +@@ -345,9 +345,10 @@ enum nss_status _nss_myhostname_gethostbyname3_r( + return NSS_STATUS_UNAVAIL; + } + ++ if (af == AF_INET6 && !socket_ipv6_is_enabled()) ++ goto not_found; ++ + if (is_localhost(name)) { +- if (af == AF_INET6 && !socket_ipv6_is_enabled()) +- goto not_found; + + canonical = "localhost"; + local_address_ipv4 = htobe32(INADDR_LOOPBACK); diff --git a/SOURCES/0210-sleep-rename-hibernate_delay_sec-_usec.patch b/SOURCES/0210-sleep-rename-hibernate_delay_sec-_usec.patch new file mode 100644 index 0000000..c5cff39 --- /dev/null +++ b/SOURCES/0210-sleep-rename-hibernate_delay_sec-_usec.patch @@ -0,0 +1,64 @@ +From 51a4778726edd7dfad18e7354bda1d77730c8dd8 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Sun, 13 Nov 2022 23:59:49 +0900 +Subject: [PATCH] sleep: rename hibernate_delay_sec -> _usec + +(cherry picked from commit 3d23df005e06b3616049686be82deff55788d3c4) + +Related: #2151612 +--- + src/shared/sleep-config.c | 6 +++--- + src/shared/sleep-config.h | 2 +- + src/sleep/sleep.c | 2 +- + 3 files changed, 5 insertions(+), 5 deletions(-) + +diff --git a/src/shared/sleep-config.c b/src/shared/sleep-config.c +index efc066c4f2..359d293fd0 100644 +--- a/src/shared/sleep-config.c ++++ b/src/shared/sleep-config.c +@@ -82,7 +82,7 @@ int parse_sleep_config(SleepConfig **ret_sleep_config) { + { "Sleep", "HybridSleepMode", config_parse_strv, 0, sc->modes + SLEEP_HYBRID_SLEEP }, + { "Sleep", "HybridSleepState", config_parse_strv, 0, sc->states + SLEEP_HYBRID_SLEEP }, + +- { "Sleep", "HibernateDelaySec", config_parse_sec, 0, &sc->hibernate_delay_sec }, ++ { "Sleep", "HibernateDelaySec", config_parse_sec, 0, &sc->hibernate_delay_usec }, + {} + }; + +@@ -113,8 +113,8 @@ int parse_sleep_config(SleepConfig **ret_sleep_config) { + sc->modes[SLEEP_HYBRID_SLEEP] = strv_new("suspend", "platform", "shutdown"); + if (!sc->states[SLEEP_HYBRID_SLEEP]) + sc->states[SLEEP_HYBRID_SLEEP] = strv_new("disk"); +- if (sc->hibernate_delay_sec == 0) +- sc->hibernate_delay_sec = 2 * USEC_PER_HOUR; ++ if (sc->hibernate_delay_usec == 0) ++ sc->hibernate_delay_usec = 2 * USEC_PER_HOUR; + + /* ensure values set for all required fields */ + if (!sc->states[SLEEP_SUSPEND] || !sc->modes[SLEEP_HIBERNATE] +diff --git a/src/shared/sleep-config.h b/src/shared/sleep-config.h +index 6645c3e596..226fab4b9f 100644 +--- a/src/shared/sleep-config.h ++++ b/src/shared/sleep-config.h +@@ -19,7 +19,7 @@ typedef struct SleepConfig { + bool allow[_SLEEP_OPERATION_MAX]; + char **modes[_SLEEP_OPERATION_MAX]; + char **states[_SLEEP_OPERATION_MAX]; +- usec_t hibernate_delay_sec; ++ usec_t hibernate_delay_usec; + } SleepConfig; + + SleepConfig* free_sleep_config(SleepConfig *sc); +diff --git a/src/sleep/sleep.c b/src/sleep/sleep.c +index 3461d3e45f..7679f2e3be 100644 +--- a/src/sleep/sleep.c ++++ b/src/sleep/sleep.c +@@ -275,7 +275,7 @@ static int custom_timer_suspend(const SleepConfig *sleep_config) { + while (battery_is_low() == 0) { + _cleanup_close_ int tfd = -1; + struct itimerspec ts = {}; +- usec_t suspend_interval = sleep_config->hibernate_delay_sec, before_timestamp = 0, after_timestamp = 0, total_suspend_interval; ++ usec_t suspend_interval = sleep_config->hibernate_delay_usec, before_timestamp = 0, after_timestamp = 0, total_suspend_interval; + bool woken_by_timer; + + tfd = timerfd_create(CLOCK_BOOTTIME_ALARM, TFD_NONBLOCK|TFD_CLOEXEC); diff --git a/SOURCES/0211-sleep-fetch_batteries_capacity_by_name-does-not-retu.patch b/SOURCES/0211-sleep-fetch_batteries_capacity_by_name-does-not-retu.patch new file mode 100644 index 0000000..04a2efa --- /dev/null +++ b/SOURCES/0211-sleep-fetch_batteries_capacity_by_name-does-not-retu.patch @@ -0,0 +1,80 @@ +From d46e3dedada3d57db518ae3f9f857fd26050a4dd Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Mon, 14 Nov 2022 08:31:09 +0900 +Subject: [PATCH] sleep: fetch_batteries_capacity_by_name() does not return + -ENOENT + +(cherry picked from commit d812e104c7c62648747d3ffe37db33dde319d15c) + +Related: #2151612 +--- + src/sleep/sleep.c | 29 +++++++++++++++-------------- + 1 file changed, 15 insertions(+), 14 deletions(-) + +diff --git a/src/sleep/sleep.c b/src/sleep/sleep.c +index 7679f2e3be..11a2ba507d 100644 +--- a/src/sleep/sleep.c ++++ b/src/sleep/sleep.c +@@ -275,21 +275,16 @@ static int custom_timer_suspend(const SleepConfig *sleep_config) { + while (battery_is_low() == 0) { + _cleanup_close_ int tfd = -1; + struct itimerspec ts = {}; +- usec_t suspend_interval = sleep_config->hibernate_delay_usec, before_timestamp = 0, after_timestamp = 0, total_suspend_interval; ++ usec_t suspend_interval = sleep_config->hibernate_delay_usec, total_suspend_interval; + bool woken_by_timer; + + tfd = timerfd_create(CLOCK_BOOTTIME_ALARM, TFD_NONBLOCK|TFD_CLOEXEC); + if (tfd < 0) + return log_error_errno(errno, "Error creating timerfd: %m"); + +- /* Store current battery capacity and current time before suspension */ ++ /* Store current battery capacity before suspension */ + r = fetch_batteries_capacity_by_name(&last_capacity); +- if (r >= 0) +- before_timestamp = now(CLOCK_BOOTTIME); +- else if (r == -ENOENT) +- /* In case of no battery, system suspend interval will be set to HibernateDelaySec=. */ +- log_debug_errno(r, "Suspend Interval value set to %s: %m", FORMAT_TIMESPAN(suspend_interval, USEC_PER_SEC)); +- else ++ if (r < 0) + return log_error_errno(r, "Error fetching battery capacity percentage: %m"); + + r = get_total_suspend_interval(last_capacity, &total_suspend_interval); +@@ -298,6 +293,8 @@ static int custom_timer_suspend(const SleepConfig *sleep_config) { + else + suspend_interval = total_suspend_interval; + ++ usec_t before_timestamp = now(CLOCK_BOOTTIME); ++ + log_debug("Set timerfd wake alarm for %s", FORMAT_TIMESPAN(suspend_interval, USEC_PER_SEC)); + /* Wake alarm for system with or without battery to hibernate or estimate discharge rate whichever is applicable */ + timespec_store(&ts.it_value, suspend_interval); +@@ -316,18 +313,22 @@ static int custom_timer_suspend(const SleepConfig *sleep_config) { + woken_by_timer = FLAGS_SET(r, POLLIN); + + r = fetch_batteries_capacity_by_name(¤t_capacity); +- if (r < 0) { ++ if (r < 0 || hashmap_isempty(current_capacity)) { + /* In case of no battery or error while getting charge level, no need to measure +- * discharge rate. Instead system should wakeup if it is manual wakeup or +- * hibernate if this is a timer wakeup. */ +- log_debug_errno(r, "Battery capacity percentage unavailable, cannot estimate discharge rate: %m"); ++ * discharge rate. Instead the system should wake up if it is manual wakeup or ++ * hibernate if this is a timer wakeup. */ ++ if (r < 0) ++ log_debug_errno(r, "Battery capacity percentage unavailable, cannot estimate discharge rate: %m"); ++ else ++ log_debug("No battery found."); + if (!woken_by_timer) + return 0; + break; + } + +- after_timestamp = now(CLOCK_BOOTTIME); +- log_debug("Attempting to estimate battery discharge rate after wakeup from %s sleep", FORMAT_TIMESPAN(after_timestamp - before_timestamp, USEC_PER_HOUR)); ++ usec_t after_timestamp = now(CLOCK_BOOTTIME); ++ log_debug("Attempting to estimate battery discharge rate after wakeup from %s sleep", ++ FORMAT_TIMESPAN(after_timestamp - before_timestamp, USEC_PER_HOUR)); + + if (after_timestamp != before_timestamp) { + r = estimate_battery_discharge_rate_per_hour(last_capacity, current_capacity, before_timestamp, after_timestamp); diff --git a/SOURCES/0212-sleep-drop-unnecessary-temporal-vaiable-and-initiali.patch b/SOURCES/0212-sleep-drop-unnecessary-temporal-vaiable-and-initiali.patch new file mode 100644 index 0000000..915e98b --- /dev/null +++ b/SOURCES/0212-sleep-drop-unnecessary-temporal-vaiable-and-initiali.patch @@ -0,0 +1,42 @@ +From 176ceed28620a9358c5528a039b74211187bcf13 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Mon, 14 Nov 2022 00:09:34 +0900 +Subject: [PATCH] sleep: drop unnecessary temporal vaiable and initialization + +(cherry picked from commit 2ed56afeb3c26596dbe44858559c92307778ff82) + +Related: #2151612 +--- + src/sleep/sleep.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +diff --git a/src/sleep/sleep.c b/src/sleep/sleep.c +index 11a2ba507d..039b123dcc 100644 +--- a/src/sleep/sleep.c ++++ b/src/sleep/sleep.c +@@ -275,7 +275,7 @@ static int custom_timer_suspend(const SleepConfig *sleep_config) { + while (battery_is_low() == 0) { + _cleanup_close_ int tfd = -1; + struct itimerspec ts = {}; +- usec_t suspend_interval = sleep_config->hibernate_delay_usec, total_suspend_interval; ++ usec_t suspend_interval; + bool woken_by_timer; + + tfd = timerfd_create(CLOCK_BOOTTIME_ALARM, TFD_NONBLOCK|TFD_CLOEXEC); +@@ -287,11 +287,12 @@ static int custom_timer_suspend(const SleepConfig *sleep_config) { + if (r < 0) + return log_error_errno(r, "Error fetching battery capacity percentage: %m"); + +- r = get_total_suspend_interval(last_capacity, &total_suspend_interval); +- if (r < 0) ++ r = get_total_suspend_interval(last_capacity, &suspend_interval); ++ if (r < 0) { + log_debug_errno(r, "Failed to estimate suspend interval using previous discharge rate, ignoring: %m"); +- else +- suspend_interval = total_suspend_interval; ++ /* In case of no battery or any errors, system suspend interval will be set to HibernateDelaySec=. */ ++ suspend_interval = sleep_config->hibernate_delay_usec; ++ } + + usec_t before_timestamp = now(CLOCK_BOOTTIME); + diff --git a/SOURCES/0213-sleep-introduce-SuspendEstimationSec.patch b/SOURCES/0213-sleep-introduce-SuspendEstimationSec.patch new file mode 100644 index 0000000..2535f35 --- /dev/null +++ b/SOURCES/0213-sleep-introduce-SuspendEstimationSec.patch @@ -0,0 +1,270 @@ +From db8a187c67e4829e39fe28e25003816b64db80db Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Mon, 14 Nov 2022 02:08:05 +0900 +Subject: [PATCH] sleep: introduce SuspendEstimationSec= + +Before v252, HibernateDelaySec= specifies the maximum timespan that the +system in suspend state, and the system hibernate after the timespan. + +However, after 96d662fa4c8cab24da57523c5e49e6ef3967fc13, the setting is +repurposed as the default interval to measure battery charge level and +estimate the battery discharging late. And if the system has enough +battery capacity, then the system will stay in suspend state and not +hibernate even if the time passed. See issue #25269. + +To keep the backward compatibility, let's introduce another setting +SuspendEstimationSec= for controlling the interval to measure +battery charge level, and make HibernateDelaySec= work as of v251. + +This also drops implementation details from the man page. + +Fixes #25269. + +(cherry picked from commit 4f58b656d92b09a953b7cffcfd1ee6d5136a57ed) + +Resolves: #2151612 +--- + man/systemd-sleep.conf.xml | 58 ++++++++++++++++++++------------------ + src/shared/sleep-config.c | 11 ++++++-- + src/shared/sleep-config.h | 3 ++ + src/sleep/sleep.c | 48 ++++++++++++++++++++++--------- + src/sleep/sleep.conf | 3 +- + 5 files changed, 77 insertions(+), 46 deletions(-) + +diff --git a/man/systemd-sleep.conf.xml b/man/systemd-sleep.conf.xml +index be04f2cdf1..79ebef1fef 100644 +--- a/man/systemd-sleep.conf.xml ++++ b/man/systemd-sleep.conf.xml +@@ -77,29 +77,16 @@ + + suspend-then-hibernate + +- A low power state where initially user.slice unit is freezed. +- If the hardware supports low-battery alarms (ACPI _BTP), then the system is +- first suspended (the state is stored in RAM) and then hibernates if the system +- is woken up by the hardware via ACPI low-battery signal. Unit user.slice is +- thawed when system returns from hibernation. If the hardware does not support +- low-battery alarms (ACPI _BTP), then the system is suspended based on battery's +- current percentage capacity. If the current battery capacity is higher than 5%, the +- system suspends for interval calculated using battery discharge rate per hour or +- HibernateDelaySec= +- if former is not available. +- Battery discharge rate per hour is stored in a file which is created after +- initial suspend-resume cycle. The value is calculated using battery decreasing +- charge level over a timespan for which system was suspended. For each battery +- connected to the system, there is a unique entry. After RTC alarm wakeup from +- suspend, battery discharge rate per hour is again estimated. If the current battery +- charge level is equal to or less than 5%, the system will be hibernated (the state +- is then stored on disk) else the system goes back to suspend for the interval +- calculated using battery discharge rate per hour. +- In case of manual wakeup, if the battery was discharged while the system was +- suspended, the battery discharge rate is estimated and stored on the filesystem. +- In case the system is woken up by the hardware via the ACPI low-battery signal, +- then it hibernates. +- ++ ++ A low power state where the system is initially suspended (the state is stored in ++ RAM). If the system supports low-battery alarms (ACPI _BTP), then the system will be woken up by ++ the ACPI low-battery signal and hibernated (the state is then stored on disk). Also, if not ++ interrupted within the timespan specified by HibernateDelaySec= or the estimated ++ timespan until the system battery charge level goes down to 5%, then the system will be woken up by the ++ RTC alarm and hibernated. The estimated timespan is calculated from the change of the battery ++ capacity level after the time specified by SuspendEstimationSec= or when ++ the system is woken up from the suspend. ++ + + + +@@ -189,13 +176,28 @@ + uses the value of SuspendState= when suspending and the value of HibernateState= when hibernating. + + ++ + + HibernateDelaySec= +- The amount of time the system spends in suspend mode +- before the RTC alarm wakes the system, before the battery discharge rate +- can be estimated and used instead to calculate the suspension interval. +- systemd-suspend-then-hibernate.service8. Defaults +- to 2h. ++ ++ ++ The amount of time the system spends in suspend mode before the system is ++ automatically put into hibernate mode. Only used by ++ systemd-suspend-then-hibernate.service8. ++ If the system has a battery, then defaults to the estimated timespan until the system battery charge level goes down to 5%. ++ If the system has no battery, then defaults to 2h. ++ ++ ++ ++ ++ SuspendEstimationSec= ++ ++ ++ The RTC alarm will wake the system after the specified timespan to measure the system battery ++ capacity level and estimate battery discharging rate, which is used for estimating timespan until the system battery charge ++ level goes down to 5%. Only used by ++ systemd-suspend-then-hibernate.service8. ++ Defaults to 2h. + + + +diff --git a/src/shared/sleep-config.c b/src/shared/sleep-config.c +index 359d293fd0..74653effa2 100644 +--- a/src/shared/sleep-config.c ++++ b/src/shared/sleep-config.c +@@ -65,10 +65,14 @@ int parse_sleep_config(SleepConfig **ret_sleep_config) { + int allow_suspend = -1, allow_hibernate = -1, + allow_s2h = -1, allow_hybrid_sleep = -1; + +- sc = new0(SleepConfig, 1); ++ sc = new(SleepConfig, 1); + if (!sc) + return log_oom(); + ++ *sc = (SleepConfig) { ++ .hibernate_delay_usec = USEC_INFINITY, ++ }; ++ + const ConfigTableItem items[] = { + { "Sleep", "AllowSuspend", config_parse_tristate, 0, &allow_suspend }, + { "Sleep", "AllowHibernation", config_parse_tristate, 0, &allow_hibernate }, +@@ -83,6 +87,7 @@ int parse_sleep_config(SleepConfig **ret_sleep_config) { + { "Sleep", "HybridSleepState", config_parse_strv, 0, sc->states + SLEEP_HYBRID_SLEEP }, + + { "Sleep", "HibernateDelaySec", config_parse_sec, 0, &sc->hibernate_delay_usec }, ++ { "Sleep", "SuspendEstimationSec", config_parse_sec, 0, &sc->suspend_estimation_usec }, + {} + }; + +@@ -113,8 +118,8 @@ int parse_sleep_config(SleepConfig **ret_sleep_config) { + sc->modes[SLEEP_HYBRID_SLEEP] = strv_new("suspend", "platform", "shutdown"); + if (!sc->states[SLEEP_HYBRID_SLEEP]) + sc->states[SLEEP_HYBRID_SLEEP] = strv_new("disk"); +- if (sc->hibernate_delay_usec == 0) +- sc->hibernate_delay_usec = 2 * USEC_PER_HOUR; ++ if (sc->suspend_estimation_usec == 0) ++ sc->suspend_estimation_usec = DEFAULT_SUSPEND_ESTIMATION_USEC; + + /* ensure values set for all required fields */ + if (!sc->states[SLEEP_SUSPEND] || !sc->modes[SLEEP_HIBERNATE] +diff --git a/src/shared/sleep-config.h b/src/shared/sleep-config.h +index 226fab4b9f..480e90c95b 100644 +--- a/src/shared/sleep-config.h ++++ b/src/shared/sleep-config.h +@@ -6,6 +6,8 @@ + #include "hashmap.h" + #include "time-util.h" + ++#define DEFAULT_SUSPEND_ESTIMATION_USEC (1 * USEC_PER_HOUR) ++ + typedef enum SleepOperation { + SLEEP_SUSPEND, + SLEEP_HIBERNATE, +@@ -20,6 +22,7 @@ typedef struct SleepConfig { + char **modes[_SLEEP_OPERATION_MAX]; + char **states[_SLEEP_OPERATION_MAX]; + usec_t hibernate_delay_usec; ++ usec_t suspend_estimation_usec; + } SleepConfig; + + SleepConfig* free_sleep_config(SleepConfig *sc); +diff --git a/src/sleep/sleep.c b/src/sleep/sleep.c +index 039b123dcc..0bbea9e856 100644 +--- a/src/sleep/sleep.c ++++ b/src/sleep/sleep.c +@@ -268,10 +268,13 @@ static int execute( + + static int custom_timer_suspend(const SleepConfig *sleep_config) { + _cleanup_hashmap_free_ Hashmap *last_capacity = NULL, *current_capacity = NULL; ++ usec_t hibernate_timestamp; + int r; + + assert(sleep_config); + ++ hibernate_timestamp = usec_add(now(CLOCK_BOOTTIME), sleep_config->hibernate_delay_usec); ++ + while (battery_is_low() == 0) { + _cleanup_close_ int tfd = -1; + struct itimerspec ts = {}; +@@ -287,14 +290,25 @@ static int custom_timer_suspend(const SleepConfig *sleep_config) { + if (r < 0) + return log_error_errno(r, "Error fetching battery capacity percentage: %m"); + +- r = get_total_suspend_interval(last_capacity, &suspend_interval); +- if (r < 0) { +- log_debug_errno(r, "Failed to estimate suspend interval using previous discharge rate, ignoring: %m"); +- /* In case of no battery or any errors, system suspend interval will be set to HibernateDelaySec=. */ +- suspend_interval = sleep_config->hibernate_delay_usec; ++ if (hashmap_isempty(last_capacity)) ++ /* In case of no battery, system suspend interval will be set to HibernateDelaySec= or 2 hours. */ ++ suspend_interval = timestamp_is_set(hibernate_timestamp) ? sleep_config->hibernate_delay_usec : DEFAULT_SUSPEND_ESTIMATION_USEC; ++ else { ++ r = get_total_suspend_interval(last_capacity, &suspend_interval); ++ if (r < 0) { ++ log_debug_errno(r, "Failed to estimate suspend interval using previous discharge rate, ignoring: %m"); ++ /* In case of any errors, especially when we do not know the battery ++ * discharging rate, system suspend interval will be set to ++ * SuspendEstimationSec=. */ ++ suspend_interval = sleep_config->suspend_estimation_usec; ++ } + } + ++ /* Do not suspend more than HibernateDelaySec= */ + usec_t before_timestamp = now(CLOCK_BOOTTIME); ++ suspend_interval = MIN(suspend_interval, usec_sub_unsigned(hibernate_timestamp, before_timestamp)); ++ if (suspend_interval <= 0) ++ break; /* system should hibernate */ + + log_debug("Set timerfd wake alarm for %s", FORMAT_TIMESPAN(suspend_interval, USEC_PER_SEC)); + /* Wake alarm for system with or without battery to hibernate or estimate discharge rate whichever is applicable */ +@@ -377,7 +391,7 @@ static int freeze_thaw_user_slice(const char **method) { + + static int execute_s2h(const SleepConfig *sleep_config) { + _unused_ _cleanup_(freeze_thaw_user_slice) const char *auto_method_thaw = NULL; +- int r, k; ++ int r; + + assert(sleep_config); + +@@ -387,15 +401,21 @@ static int execute_s2h(const SleepConfig *sleep_config) { + else + auto_method_thaw = "ThawUnit"; /* from now on we want automatic thawing */; + +- r = check_wakeup_type(); +- if (r < 0) +- log_debug_errno(r, "Failed to check hardware wakeup type, ignoring: %m"); +- +- k = battery_trip_point_alarm_exists(); +- if (k < 0) +- log_debug_errno(k, "Failed to check whether acpi_btp support is enabled or not, ignoring: %m"); ++ /* Only check if we have automated battery alarms if HibernateDelaySec= is not set, as in that case ++ * we'll busy poll for the configured interval instead */ ++ if (!timestamp_is_set(sleep_config->hibernate_delay_usec)) { ++ r = check_wakeup_type(); ++ if (r < 0) ++ log_debug_errno(r, "Failed to check hardware wakeup type, ignoring: %m"); ++ else { ++ r = battery_trip_point_alarm_exists(); ++ if (r < 0) ++ log_debug_errno(r, "Failed to check whether acpi_btp support is enabled or not, ignoring: %m"); ++ } ++ } else ++ r = 0; /* Force fallback path */ + +- if (r >= 0 && k > 0) { ++ if (r > 0) { /* If we have both wakeup alarms and battery trip point support, use them */ + log_debug("Attempting to suspend..."); + r = execute(sleep_config, SLEEP_SUSPEND, NULL); + if (r < 0) +diff --git a/src/sleep/sleep.conf b/src/sleep/sleep.conf +index a3d31140d8..4c8e8b9680 100644 +--- a/src/sleep/sleep.conf ++++ b/src/sleep/sleep.conf +@@ -23,4 +23,5 @@ + #HibernateState=disk + #HybridSleepMode=suspend platform shutdown + #HybridSleepState=disk +-#HibernateDelaySec=120min ++#HibernateDelaySec= ++#SuspendEstimationSec=60min diff --git a/SOURCES/0214-sleep-coding-style-fixlets.patch b/SOURCES/0214-sleep-coding-style-fixlets.patch new file mode 100644 index 0000000..d2e12f1 --- /dev/null +++ b/SOURCES/0214-sleep-coding-style-fixlets.patch @@ -0,0 +1,28 @@ +From 583e9f1af5642643f11bc1cab26989a4f1dff776 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Mon, 14 Nov 2022 02:44:13 +0900 +Subject: [PATCH] sleep: coding style fixlets + +(cherry picked from commit 3c3f46013ed53aba1aad5b51844434713fa5a0e9) + +Related: #2151612 +--- + src/sleep/sleep.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/sleep/sleep.c b/src/sleep/sleep.c +index 0bbea9e856..bfd8ef3670 100644 +--- a/src/sleep/sleep.c ++++ b/src/sleep/sleep.c +@@ -430,9 +430,9 @@ static int execute_s2h(const SleepConfig *sleep_config) { + return 0; + } else { + r = custom_timer_suspend(sleep_config); +- if(r < 0) ++ if (r < 0) + return log_debug_errno(r, "Suspend cycle with manual battery discharge rate estimation failed: %m"); +- if(r == 0) ++ if (r == 0) + /* manual wakeup */ + return 0; + } diff --git a/SOURCES/0215-sleep-simplify-code-a-bit.patch b/SOURCES/0215-sleep-simplify-code-a-bit.patch new file mode 100644 index 0000000..78c4a09 --- /dev/null +++ b/SOURCES/0215-sleep-simplify-code-a-bit.patch @@ -0,0 +1,66 @@ +From d46e822fad4b5d43d5e53e21c7de3168bb547ded Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Mon, 14 Nov 2022 02:46:53 +0900 +Subject: [PATCH] sleep: simplify code a bit + +- use device_get_sysattr_int(), +- drop redundant log message. + +(cherry picked from commit 3d9ca76f368b7b198be3471dd28ed32b35114ace) + +Related: #2151612 +--- + src/shared/sleep-config.c | 20 +++++--------------- + 1 file changed, 5 insertions(+), 15 deletions(-) + +diff --git a/src/shared/sleep-config.c b/src/shared/sleep-config.c +index 74653effa2..25c3bd2925 100644 +--- a/src/shared/sleep-config.c ++++ b/src/shared/sleep-config.c +@@ -22,6 +22,7 @@ + #include "btrfs-util.h" + #include "conf-parser.h" + #include "def.h" ++#include "device-private.h" + #include "device-util.h" + #include "devnum-util.h" + #include "env-util.h" +@@ -170,18 +171,13 @@ static int get_capacity_by_name(Hashmap *capacities_by_name, const char *name) { + + /* Battery percentage capacity fetched from capacity file and if in range 0-100 then returned */ + static int read_battery_capacity_percentage(sd_device *dev) { +- const char *power_supply_capacity; + int battery_capacity, r; + + assert(dev); + +- r = sd_device_get_property_value(dev, "POWER_SUPPLY_CAPACITY", &power_supply_capacity); ++ r = device_get_sysattr_int(dev, "capacity", &battery_capacity); + if (r < 0) +- return log_device_debug_errno(dev, r, "Failed to read battery capacity: %m"); +- +- r = safe_atoi(power_supply_capacity, &battery_capacity); +- if (r < 0) +- return log_device_debug_errno(dev, r, "Failed to parse battery capacity: %m"); ++ return log_device_debug_errno(dev, r, "Failed to read/parse POWER_SUPPLY_CAPACITY: %m"); + + if (battery_capacity < 0 || battery_capacity > 100) + return log_device_debug_errno(dev, SYNTHETIC_ERRNO(ERANGE), "Invalid battery capacity"); +@@ -203,15 +199,9 @@ int battery_is_low(void) { + if (r < 0) + return log_debug_errno(r, "Failed to initialize battery enumerator: %m"); + +- FOREACH_DEVICE(e, dev) { +- r = read_battery_capacity_percentage(dev); +- if (r < 0) { +- log_device_debug_errno(dev, r, "Failed to get battery capacity, ignoring: %m"); +- continue; +- } +- if (r > BATTERY_LOW_CAPACITY_LEVEL) ++ FOREACH_DEVICE(e, dev) ++ if (read_battery_capacity_percentage(dev) > BATTERY_LOW_CAPACITY_LEVEL) + return false; +- } + + return true; + } diff --git a/SOURCES/0216-sleep-fix-indentation.patch b/SOURCES/0216-sleep-fix-indentation.patch new file mode 100644 index 0000000..5d63167 --- /dev/null +++ b/SOURCES/0216-sleep-fix-indentation.patch @@ -0,0 +1,33 @@ +From 57eb0c1c4903901717b4a81dd674aabb2c0ab2b3 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Mon, 14 Nov 2022 02:52:55 +0900 +Subject: [PATCH] sleep: fix indentation + +(cherry picked from commit 3332cfe1764e3c15d9af2ef68097d0f698fddb3d) + +Related: #2151612 +--- + src/shared/sleep-config.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/src/shared/sleep-config.c b/src/shared/sleep-config.c +index 25c3bd2925..4c08e97c8a 100644 +--- a/src/shared/sleep-config.c ++++ b/src/shared/sleep-config.c +@@ -388,11 +388,11 @@ static int put_battery_discharge_rate(int estimated_battery_discharge_rate, uint + estimated_battery_discharge_rate); + + r = write_string_filef( +- DISCHARGE_RATE_FILEPATH, +- WRITE_STRING_FILE_CREATE | WRITE_STRING_FILE_MKDIR_0755 | (trunc ? WRITE_STRING_FILE_TRUNCATE : 0), +- "%"PRIu64" %d", +- system_hash_id, +- estimated_battery_discharge_rate); ++ DISCHARGE_RATE_FILEPATH, ++ WRITE_STRING_FILE_CREATE | WRITE_STRING_FILE_MKDIR_0755 | (trunc ? WRITE_STRING_FILE_TRUNCATE : 0), ++ "%"PRIu64" %d", ++ system_hash_id, ++ estimated_battery_discharge_rate); + if (r < 0) + return log_debug_errno(r, "Failed to update %s: %m", DISCHARGE_RATE_FILEPATH); + diff --git a/SOURCES/0217-sleep-enumerate-only-existing-and-non-device-batteri.patch b/SOURCES/0217-sleep-enumerate-only-existing-and-non-device-batteri.patch new file mode 100644 index 0000000..f8352ae --- /dev/null +++ b/SOURCES/0217-sleep-enumerate-only-existing-and-non-device-batteri.patch @@ -0,0 +1,50 @@ +From 49d626105a5739bf7fa725f578d02b8873c282c7 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Mon, 14 Nov 2022 02:54:50 +0900 +Subject: [PATCH] sleep: enumerate only existing and non-device batteries + +The enumerator is now mostly consistent with on_ac_power() in +udev-util.c. + +(cherry picked from commit fe8e0f8e7989fe5cead5ad0e225dc0888ff10140) + +Related: #2151612 +--- + src/shared/sleep-config.c | 17 ++++++++++++++--- + 1 file changed, 14 insertions(+), 3 deletions(-) + +diff --git a/src/shared/sleep-config.c b/src/shared/sleep-config.c +index 4c08e97c8a..2d55e7c860 100644 +--- a/src/shared/sleep-config.c ++++ b/src/shared/sleep-config.c +@@ -143,16 +143,27 @@ static int battery_enumerator_new(sd_device_enumerator **ret) { + if (r < 0) + return r; + +- r = sd_device_enumerator_add_match_subsystem(e, "power_supply", /* match= */ true); ++ r = sd_device_enumerator_add_match_subsystem(e, "power_supply", /* match = */ true); + if (r < 0) + return r; + +- r = sd_device_enumerator_add_match_property(e, "POWER_SUPPLY_TYPE", "Battery"); ++ r = sd_device_enumerator_allow_uninitialized(e); + if (r < 0) + return r; + +- *ret = TAKE_PTR(e); ++ r = sd_device_enumerator_add_match_sysattr(e, "type", "Battery", /* match = */ true); ++ if (r < 0) ++ return r; ++ ++ r = sd_device_enumerator_add_match_sysattr(e, "present", "1", /* match = */ true); ++ if (r < 0) ++ return r; + ++ r = sd_device_enumerator_add_match_sysattr(e, "scope", "Device", /* match = */ false); ++ if (r < 0) ++ return r; ++ ++ *ret = TAKE_PTR(e); + return 0; + } + diff --git a/SOURCES/0218-core-when-isolating-to-a-unit-also-keep-units-runnin.patch b/SOURCES/0218-core-when-isolating-to-a-unit-also-keep-units-runnin.patch new file mode 100644 index 0000000..64a052e --- /dev/null +++ b/SOURCES/0218-core-when-isolating-to-a-unit-also-keep-units-runnin.patch @@ -0,0 +1,78 @@ +From 9be28013e62ae471151fdc1f181e21cbd1e72dbd Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Fri, 10 Feb 2023 13:38:08 +0100 +Subject: [PATCH] core: when isolating to a unit, also keep units running that + are triggered by units we keep running + +Inspired by: #26364 + +(this might even "fix" #26364, but without debug logs it's hard to make +such claims) + +Fixes: #23055 +(cherry picked from commit 32d6707dd1692d41e12f5469dfdcbc10f14d6619) + +Resolves: #1952378 +--- + src/core/transaction.c | 33 +++++++++++++++++++++++++++------ + 1 file changed, 27 insertions(+), 6 deletions(-) + +diff --git a/src/core/transaction.c b/src/core/transaction.c +index bafbb80b47..8ec853d58d 100644 +--- a/src/core/transaction.c ++++ b/src/core/transaction.c +@@ -1092,6 +1092,20 @@ fail: + return r; + } + ++static bool shall_stop_on_isolate(Transaction *tr, Unit *u) { ++ assert(tr); ++ assert(u); ++ ++ if (u->ignore_on_isolate) ++ return false; ++ ++ /* Is there already something listed for this? */ ++ if (hashmap_get(tr->jobs, u)) ++ return false; ++ ++ return true; ++} ++ + int transaction_add_isolate_jobs(Transaction *tr, Manager *m) { + Unit *u; + char *k; +@@ -1101,20 +1115,27 @@ int transaction_add_isolate_jobs(Transaction *tr, Manager *m) { + assert(m); + + HASHMAP_FOREACH_KEY(u, k, m->units) { ++ Unit *o; + +- /* ignore aliases */ ++ /* Ignore aliases */ + if (u->id != k) + continue; + +- if (u->ignore_on_isolate) ++ /* No need to stop inactive units */ ++ if (UNIT_IS_INACTIVE_OR_FAILED(unit_active_state(u)) && !u->job) + continue; + +- /* No need to stop inactive jobs */ +- if (UNIT_IS_INACTIVE_OR_FAILED(unit_active_state(u)) && !u->job) ++ if (!shall_stop_on_isolate(tr, u)) + continue; + +- /* Is there already something listed for this? */ +- if (hashmap_get(tr->jobs, u)) ++ /* Keep units that are triggered by units we want to keep around. */ ++ bool keep = false; ++ UNIT_FOREACH_DEPENDENCY(o, u, UNIT_ATOM_TRIGGERED_BY) ++ if (!shall_stop_on_isolate(tr, o)) { ++ keep = true; ++ break; ++ } ++ if (keep) + continue; + + r = transaction_add_job_and_dependencies(tr, JOB_STOP, u, tr->anchor_job, true, false, false, false, NULL); diff --git a/SOURCES/0219-udev-net_id-introduce-naming-scheme-for-RHEL-9.2.patch b/SOURCES/0219-udev-net_id-introduce-naming-scheme-for-RHEL-9.2.patch new file mode 100644 index 0000000..ee77a68 --- /dev/null +++ b/SOURCES/0219-udev-net_id-introduce-naming-scheme-for-RHEL-9.2.patch @@ -0,0 +1,55 @@ +From edbd954a140b097e3fc4c9246bda88a43692122b Mon Sep 17 00:00:00 2001 +From: Jan Macku +Date: Thu, 16 Feb 2023 16:08:57 +0100 +Subject: [PATCH] udev/net_id: introduce naming scheme for RHEL-9.2 + +RHEL-only + +Resolves: #2170500 +--- + man/systemd.net-naming-scheme.xml | 6 ++++++ + src/shared/netif-naming-scheme.c | 1 + + src/shared/netif-naming-scheme.h | 1 + + 3 files changed, 8 insertions(+) + +diff --git a/man/systemd.net-naming-scheme.xml b/man/systemd.net-naming-scheme.xml +index ca8ba7010e..0886369c9b 100644 +--- a/man/systemd.net-naming-scheme.xml ++++ b/man/systemd.net-naming-scheme.xml +@@ -466,6 +466,12 @@ + Same as naming scheme rhel-9.0. + + ++ ++ rhel-9.2 ++ ++ Same as naming scheme rhel-9.0. ++ ++ + + + Note that latest may be used to denote the latest scheme known (to this +diff --git a/src/shared/netif-naming-scheme.c b/src/shared/netif-naming-scheme.c +index a20b990f2e..d846c794a8 100644 +--- a/src/shared/netif-naming-scheme.c ++++ b/src/shared/netif-naming-scheme.c +@@ -27,6 +27,7 @@ static const NamingScheme naming_schemes[] = { + { "v252", NAMING_V252 }, + { "rhel-9.0", NAMING_RHEL_9_0 }, + { "rhel-9.1", NAMING_RHEL_9_1 }, ++ { "rhel-9.2", NAMING_RHEL_9_2 }, + /* … add more schemes here, as the logic to name devices is updated … */ + + EXTRA_NET_NAMING_MAP +diff --git a/src/shared/netif-naming-scheme.h b/src/shared/netif-naming-scheme.h +index d70c19ade3..3e35c5e2fa 100644 +--- a/src/shared/netif-naming-scheme.h ++++ b/src/shared/netif-naming-scheme.h +@@ -53,6 +53,7 @@ typedef enum NamingSchemeFlags { + NAMING_V252 = NAMING_V251 | NAMING_DEVICETREE_ALIASES, + NAMING_RHEL_9_0 = NAMING_V250 | NAMING_BRIDGE_MULTIFUNCTION_SLOT, + NAMING_RHEL_9_1 = NAMING_RHEL_9_0, ++ NAMING_RHEL_9_2 = NAMING_RHEL_9_0, + + EXTRA_NET_NAMING_SCHEMES + diff --git a/SOURCES/0220-journalctl-actually-run-the-static-destructors.patch b/SOURCES/0220-journalctl-actually-run-the-static-destructors.patch new file mode 100644 index 0000000..f41e481 --- /dev/null +++ b/SOURCES/0220-journalctl-actually-run-the-static-destructors.patch @@ -0,0 +1,68 @@ +From f0f59e43e9d1c5a6f9f7e03f07850ee40bac0ab3 Mon Sep 17 00:00:00 2001 +From: Frantisek Sumsal +Date: Wed, 15 Feb 2023 18:08:35 +0100 +Subject: [PATCH] journalctl: actually run the static destructors + +In journalctl we don't run the static destructors defined via +the STATIC_DESTRUCTOR_REGISTER() macro, since it requires a corresponding +static_destruct() call. In most cases this is handled by +the DEFINE_(TEST_)?MAIN*() macros, but journalctl defines its own main +function, so let's handle that as well. + +$ valgrind --suppressions=valgrind.supp --show-leak-kinds=all --leak-check=full build/journalctl --no-pager -u system.slice -n 10 >/dev/null +==2778093== Memcheck, a memory error detector +==2778093== Copyright (C) 2002-2022, and GNU GPL'd, by Julian Seward et al. +==2778093== Using Valgrind-3.19.0 and LibVEX; rerun with -h for copyright info +==2778093== Command: build/journalctl --no-pager -u system.slice -n 10 +==2778093== +==2778093== +==2778093== HEAP SUMMARY: +==2778093== in use at exit: 8,221 bytes in 4 blocks +==2778093== total heap usage: 458 allocs, 454 frees, 255,182 bytes allocated +==2778093== +==2778093== 13 bytes in 1 blocks are still reachable in loss record 1 of 4 +==2778093== at 0x484586F: malloc (vg_replace_malloc.c:381) +==2778093== by 0x4DA256D: strdup (strdup.c:42) +==2778093== by 0x4ADB747: strv_extend_with_size (strv.c:544) +==2778093== by 0x405386: strv_extend (strv.h:45) +==2778093== by 0x40816F: parse_argv (journalctl.c:933) +==2778093== by 0x40EAB5: main (journalctl.c:2111) +==2778093== +==2778093== 16 bytes in 1 blocks are still reachable in loss record 2 of 4 +==2778093== at 0x484578A: malloc (vg_replace_malloc.c:380) +==2778093== by 0x484A70B: realloc (vg_replace_malloc.c:1437) +==2778093== by 0x4ADB2A3: strv_push_with_size (strv.c:423) +==2778093== by 0x4ADB620: strv_consume_with_size (strv.c:496) +==2778093== by 0x4ADB770: strv_extend_with_size (strv.c:548) +==2778093== by 0x405386: strv_extend (strv.h:45) +==2778093== by 0x40816F: parse_argv (journalctl.c:933) +==2778093== by 0x40EAB5: main (journalctl.c:2111) +==2778093== +==2778093== LEAK SUMMARY: +==2778093== definitely lost: 0 bytes in 0 blocks +==2778093== indirectly lost: 0 bytes in 0 blocks +==2778093== possibly lost: 0 bytes in 0 blocks +==2778093== still reachable: 29 bytes in 2 blocks +==2778093== suppressed: 8,192 bytes in 2 blocks +==2778093== +==2778093== For lists of detected and suppressed errors, rerun with: -s +==2778093== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0) + +(cherry picked from commit 9259d71d505ba1771ba5e3caa522da50bdc58bed) + +Related: #2122500 +--- + src/journal/journalctl.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/journal/journalctl.c b/src/journal/journalctl.c +index 11de07fcfa..e9faa24cae 100644 +--- a/src/journal/journalctl.c ++++ b/src/journal/journalctl.c +@@ -2746,5 +2746,6 @@ finish: + * in scripts and such */ + r = -ENOENT; + ++ static_destruct(); + return r < 0 ? EXIT_FAILURE : EXIT_SUCCESS; + } diff --git a/SOURCES/0221-efi-drop-executable-stack-bit-from-.elf-file.patch b/SOURCES/0221-efi-drop-executable-stack-bit-from-.elf-file.patch new file mode 100644 index 0000000..fa2fa7c --- /dev/null +++ b/SOURCES/0221-efi-drop-executable-stack-bit-from-.elf-file.patch @@ -0,0 +1,51 @@ +From cc318cd6ccfe9833ab9c1cde4041ac5dd9f97a3b Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Tue, 21 Feb 2023 09:16:29 +0100 +Subject: [PATCH] efi: drop executable-stack bit from .elf file +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +An rpminspect test in Fedora/RHEL is flagging our stub files as having an +executable stack. The check is correct: + +$ readelf --wide --program-headers build/src/boot/efi/linuxx64.elf.stub | rg -i stack + GNU_STACK 0x000000 0x0000000000000000 0x0000000000000000 0x000000 0x000000 RWE 0x10 + +It seems to be just an omission in the linker script… None of the objects that +are linked into the stub are marked as requiring an executable stack: + +$ readelf --wide --sections build/src/boot/efi/*.c.o \ + /usr/lib/gnuefi/x64/libgnuefi.a \ + /usr/lib/gnuefi/x64/libefi.a \ + /usr/lib/gcc/x86_64-redhat-linux/12/libgcc.a \ + | rg '.note.GNU-stack.*X' +(nothing) + +On aarch64 we end up with a nonexecutable stack, but on ia32 and x64 we get one, +so this might be just a matter of defaults in the linker. It doesn't matter +greatly, but let's mark the stack as non-executable to avoid the warning. + +Note: '-Wl,-z' is not needed, things work with just '-z'. + +RHEL-only +for now, as the patch is not yet in upstream +https://github.com/systemd/systemd/pull/26511 + +Related: #2140646 +--- + src/boot/efi/meson.build | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/boot/efi/meson.build b/src/boot/efi/meson.build +index 0de43993a4..00f3361d66 100644 +--- a/src/boot/efi/meson.build ++++ b/src/boot/efi/meson.build +@@ -266,6 +266,7 @@ efi_ldflags = [ + '-Wl,--warn-common', + '-Wl,-Bsymbolic', + '-z', 'nocombreloc', ++ '-z', 'noexecstack', + efi_crt0, + ] + diff --git a/SOURCES/0222-install-fail-early-if-specifier-expansion-failed.patch b/SOURCES/0222-install-fail-early-if-specifier-expansion-failed.patch new file mode 100644 index 0000000..4ce214f --- /dev/null +++ b/SOURCES/0222-install-fail-early-if-specifier-expansion-failed.patch @@ -0,0 +1,40 @@ +From b9fb1769f8b6de65abf1f57a85b0d0a22f84c754 Mon Sep 17 00:00:00 2001 +From: David Tardon +Date: Tue, 21 Feb 2023 14:10:33 +0100 +Subject: [PATCH] install: fail early if specifier expansion failed + +Before: + +systemd[1]: Assertion 'path' failed at src/shared/install.c:288, function install_changes_add(). Aborting. +systemd[1]: Caught from our own process. +systemd[1]: Caught , dumped core as pid 2525. +systemd[1]: Freezing execution + +After: + +Failed to enable unit: Invalid specifier in user-%J.service + +Fixes #26467. + +Follow-up for: f5a0162 + +(cherry picked from commit f8979e869812988835f6951fb73a68e30a4c608c) + +Related: #2138081 +--- + src/shared/install.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/src/shared/install.c b/src/shared/install.c +index a760726628..8d4aa5ab2c 100644 +--- a/src/shared/install.c ++++ b/src/shared/install.c +@@ -1982,6 +1982,8 @@ static int install_info_symlink_wants( + install_changes_add(changes, n_changes, q, *s, NULL); + if (r >= 0) + r = q; ++ ++ continue; + } + + if (!unit_name_is_valid(dst, valid_dst_type)) { diff --git a/SOURCES/0223-test-add-coverage-for-26467.patch b/SOURCES/0223-test-add-coverage-for-26467.patch new file mode 100644 index 0000000..fad76ea --- /dev/null +++ b/SOURCES/0223-test-add-coverage-for-26467.patch @@ -0,0 +1,34 @@ +From 4dbbdc956cb49804f9b451081eb7c442a689b1f1 Mon Sep 17 00:00:00 2001 +From: Frantisek Sumsal +Date: Tue, 21 Feb 2023 19:15:13 +0100 +Subject: [PATCH] test: add coverage for #26467 + +(cherry picked from commit 4190124b3ca005830d893303bbc563baaf9984ed) + +Related: #2138081 +--- + test/units/testsuite-26.sh | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/test/units/testsuite-26.sh b/test/units/testsuite-26.sh +index 916a6704d7..debee91dde 100755 +--- a/test/units/testsuite-26.sh ++++ b/test/units/testsuite-26.sh +@@ -400,5 +400,17 @@ EOF + systemctl stop issue-24990 + fi + ++# %J in WantedBy= causes ABRT (#26467) ++cat >/run/systemd/system/test-WantedBy.service < +Date: Wed, 22 Feb 2023 16:43:42 +0100 +Subject: [PATCH] test: add coverage for #24177 + +Original issue: https://bugzilla.redhat.com/show_bug.cgi?id=1985288 + +(cherry picked from commit 6299b6e5e6df32516fcaba9a93d966bad9043748) + +Related: #1985288 +--- + test/units/testsuite-64.sh | 38 +++++++++++++++++++++++++++++++++++++- + 1 file changed, 37 insertions(+), 1 deletion(-) + +diff --git a/test/units/testsuite-64.sh b/test/units/testsuite-64.sh +index 4017f61f59..201a673d06 100755 +--- a/test/units/testsuite-64.sh ++++ b/test/units/testsuite-64.sh +@@ -417,7 +417,7 @@ testcase_lvm_basic() { + lvm vgs + lvm vgchange -ay "$vgroup" + lvm lvcreate -y -L 4M "$vgroup" -n mypart1 +- lvm lvcreate -y -L 8M "$vgroup" -n mypart2 ++ lvm lvcreate -y -L 32M "$vgroup" -n mypart2 + lvm lvs + udevadm wait --settle --timeout="$timeout" "/dev/$vgroup/mypart1" "/dev/$vgroup/mypart2" + mkfs.ext4 -L mylvpart1 "/dev/$vgroup/mypart1" +@@ -461,6 +461,42 @@ testcase_lvm_basic() { + helper_check_device_symlinks "/dev/disk" "/dev/$vgroup" + helper_check_device_units + ++ # Do not "unready" suspended encrypted devices w/o superblock info ++ # See: ++ # - https://github.com/systemd/systemd/pull/24177 ++ # - https://bugzilla.redhat.com/show_bug.cgi?id=1985288 ++ dd if=/dev/urandom of=/etc/lvm_keyfile bs=64 count=1 iflag=fullblock ++ chmod 0600 /etc/lvm_keyfile ++ # Intentionally use weaker cipher-related settings, since we don't care ++ # about security here as it's a throwaway LUKS partition ++ cryptsetup luksFormat -q --use-urandom --pbkdf pbkdf2 --pbkdf-force-iterations 1000 \ ++ "/dev/$vgroup/mypart2" /etc/lvm_keyfile ++ # Mount the LUKS partition & create a filesystem on it ++ mkdir -p /tmp/lvmluksmnt ++ cryptsetup open --key-file=/etc/lvm_keyfile "/dev/$vgroup/mypart2" "lvmluksmap" ++ udevadm wait --settle --timeout="$timeout" "/dev/mapper/lvmluksmap" ++ mkfs.ext4 -L lvmluksfs "/dev/mapper/lvmluksmap" ++ udevadm wait --settle --timeout="$timeout" "/dev/disk/by-label/lvmluksfs" ++ # Make systemd "interested" in the mount by adding it to /etc/fstab ++ echo "/dev/disk/by-label/lvmluksfs /tmp/lvmluksmnt ext4 defaults 0 2" >>/etc/fstab ++ systemctl daemon-reload ++ mount "/tmp/lvmluksmnt" ++ mountpoint "/tmp/lvmluksmnt" ++ # Temporarily suspend the LUKS device and trigger udev - basically what `cryptsetup resize` ++ # does but in a more deterministic way suitable for a test/reproducer ++ for _ in {0..5}; do ++ dmsetup suspend "/dev/mapper/lvmluksmap" ++ udevadm trigger -v --settle "/dev/mapper/lvmluksmap" ++ dmsetup resume "/dev/mapper/lvmluksmap" ++ # The mount should survive this sequence of events ++ mountpoint "/tmp/lvmluksmnt" ++ done ++ # Cleanup ++ umount "/tmp/lvmluksmnt" ++ cryptsetup close "/dev/mapper/lvmluksmap" ++ sed -i "/lvmluksfs/d" "/etc/fstab" ++ systemctl daemon-reload ++ + # Disable the VG and check symlinks... + lvm vgchange -an "$vgroup" + udevadm wait --settle --timeout="$timeout" --removed "/dev/$vgroup" "/dev/disk/by-label/mylvpart1" diff --git a/SOURCES/0225-logind-session-make-stopping-of-idle-session-visible.patch b/SOURCES/0225-logind-session-make-stopping-of-idle-session-visible.patch new file mode 100644 index 0000000..4cba77f --- /dev/null +++ b/SOURCES/0225-logind-session-make-stopping-of-idle-session-visible.patch @@ -0,0 +1,26 @@ +From 0687c94b36c59b77f0e64137aadd2094f77cb9c3 Mon Sep 17 00:00:00 2001 +From: David Tardon +Date: Tue, 21 Feb 2023 10:41:47 +0100 +Subject: [PATCH] logind-session: make stopping of idle session visible to + admins + +(cherry picked from commit 6269ffe7ee8a659df7336a2582054ecd9eecf4b1) + +Resolves: #2172401 +--- + src/login/logind-session.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/login/logind-session.c b/src/login/logind-session.c +index 5bd4abc474..709a585013 100644 +--- a/src/login/logind-session.c ++++ b/src/login/logind-session.c +@@ -711,7 +711,7 @@ static int session_dispatch_stop_on_idle(sd_event_source *source, uint64_t t, vo + + idle = session_get_idle_hint(s, &ts); + if (idle) { +- log_debug("Session \"%s\" of user \"%s\" is idle, stopping.", s->id, s->user->user_record->user_name); ++ log_info("Session \"%s\" of user \"%s\" is idle, stopping.", s->id, s->user->user_record->user_name); + + return session_stop(s, /* force */ true); + } diff --git a/SOURCES/0226-journal-file-Fix-return-value-in-bump_entry_array.patch b/SOURCES/0226-journal-file-Fix-return-value-in-bump_entry_array.patch new file mode 100644 index 0000000..d91b005 --- /dev/null +++ b/SOURCES/0226-journal-file-Fix-return-value-in-bump_entry_array.patch @@ -0,0 +1,26 @@ +From acf4f21936ad6153ba53f2d798967e57473be8bc Mon Sep 17 00:00:00 2001 +From: Daan De Meyer +Date: Thu, 23 Feb 2023 15:40:38 +0100 +Subject: [PATCH] journal-file: Fix return value in bump_entry_array() + +(cherry picked from commit 0399902440fbaea5b163254f70be57dbedb7131e) + +Resolves: #2173682 +--- + src/libsystemd/sd-journal/journal-file.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/src/libsystemd/sd-journal/journal-file.c b/src/libsystemd/sd-journal/journal-file.c +index c1ec6bb1d8..c489436a1e 100644 +--- a/src/libsystemd/sd-journal/journal-file.c ++++ b/src/libsystemd/sd-journal/journal-file.c +@@ -2410,7 +2410,8 @@ static int bump_entry_array( + + if (direction == DIRECTION_DOWN) { + assert(o); +- return le64toh(o->entry_array.next_entry_array_offset); ++ *ret = le64toh(o->entry_array.next_entry_array_offset); ++ return 0; + } + + /* Entry array chains are a singly linked list, so to find the previous array in the chain, we have diff --git a/SOURCES/10-oomd-defaults.conf b/SOURCES/10-oomd-defaults.conf new file mode 100644 index 0000000..0254657 --- /dev/null +++ b/SOURCES/10-oomd-defaults.conf @@ -0,0 +1,2 @@ +[OOM] +DefaultMemoryPressureDurationSec=20s diff --git a/SOURCES/10-oomd-root-slice-defaults.conf b/SOURCES/10-oomd-root-slice-defaults.conf new file mode 100644 index 0000000..49958e8 --- /dev/null +++ b/SOURCES/10-oomd-root-slice-defaults.conf @@ -0,0 +1,2 @@ +[Slice] +ManagedOOMSwap=kill diff --git a/SOURCES/10-oomd-user-service-defaults.conf b/SOURCES/10-oomd-user-service-defaults.conf new file mode 100644 index 0000000..94d5c87 --- /dev/null +++ b/SOURCES/10-oomd-user-service-defaults.conf @@ -0,0 +1,3 @@ +[Service] +ManagedOOMMemoryPressure=kill +ManagedOOMMemoryPressureLimit=50% diff --git a/SOURCES/20-grubby.install b/SOURCES/20-grubby.install new file mode 100755 index 0000000..e059125 --- /dev/null +++ b/SOURCES/20-grubby.install @@ -0,0 +1,51 @@ +#!/bin/bash + +if [[ ! -x /sbin/new-kernel-pkg ]]; then + exit 0 +fi + +COMMAND="$1" +KERNEL_VERSION="$2" +BOOT_DIR_ABS="$3" +KERNEL_IMAGE="$4" + +KERNEL_DIR="${KERNEL_IMAGE%/*}" +[[ "$KERNEL_VERSION" == *\+* ]] && flavor=-"${KERNEL_VERSION##*+}" +case "$COMMAND" in + add) + if [[ "${KERNEL_DIR}" != "/boot" ]]; then + for i in \ + "$KERNEL_IMAGE" \ + "$KERNEL_DIR"/System.map \ + "$KERNEL_DIR"/config \ + "$KERNEL_DIR"/zImage.stub \ + "$KERNEL_DIR"/dtb \ + ; do + [[ -e "$i" ]] || continue + cp -aT "$i" "/boot/${i##*/}-${KERNEL_VERSION}" + command -v restorecon &>/dev/null && \ + restorecon -R "/boot/${i##*/}-${KERNEL_VERSION}" + done + # hmac is .vmlinuz-.hmac so needs a special treatment + i="$KERNEL_DIR/.${KERNEL_IMAGE##*/}.hmac" + if [[ -e "$i" ]]; then + cp -a "$i" "/boot/.${KERNEL_IMAGE##*/}-${KERNEL_VERSION}.hmac" + command -v restorecon &>/dev/null && \ + restorecon "/boot/.${KERNEL_IMAGE##*/}-${KERNEL_VERSION}.hmac" + fi + fi + /sbin/new-kernel-pkg --package "kernel${flavor}" --install "$KERNEL_VERSION" || exit $? + /sbin/new-kernel-pkg --package "kernel${flavor}" --mkinitrd --dracut --depmod --update "$KERNEL_VERSION" || exit $? + /sbin/new-kernel-pkg --package "kernel${flavor}" --rpmposttrans "$KERNEL_VERSION" || exit $? + ;; + remove) + /sbin/new-kernel-pkg --package "kernel${flavor+-$flavor}" --rminitrd --rmmoddep --remove "$KERNEL_VERSION" || exit $? + ;; + *) + ;; +esac + +# skip other installation plugins, if we can't find a boot loader spec conforming setup +if ! [[ -d /boot/loader/entries || -L /boot/loader/entries ]]; then + exit 77 +fi diff --git a/SOURCES/20-yama-ptrace.conf b/SOURCES/20-yama-ptrace.conf new file mode 100644 index 0000000..4fbaf97 --- /dev/null +++ b/SOURCES/20-yama-ptrace.conf @@ -0,0 +1,42 @@ +# The ptrace system call is used for interprocess services, +# communication and introspection (like synchronisation, signaling, +# debugging, tracing and profiling) of processes. +# +# Usage of ptrace is restricted by normal user permissions. Normal +# unprivileged processes cannot use ptrace on processes that they +# cannot send signals to or processes that are running set-uid or +# set-gid. Nevertheless, processes running under the same uid will +# usually be able to ptrace one another. +# +# Fedora enables the Yama security mechanism which restricts ptrace +# even further. Sysctl setting kernel.yama.ptrace_scope can have one +# of the following values: +# +# 0 - Normal ptrace security permissions. +# 1 - Restricted ptrace. Only child processes plus normal permissions. +# 2 - Admin-only attach. Only executables with CAP_SYS_PTRACE. +# 3 - No attach. No process may call ptrace at all. Irrevocable. +# +# For more information see Documentation/security/Yama.txt in the +# kernel sources. +# +# The default is 1., which allows tracing of child processes, but +# forbids tracing of arbitrary processes. This allows programs like +# gdb or strace to work when the most common way of having the +# debugger start the debuggee is used: +# gdb /path/to/program ... +# Attaching to already running programs is NOT allowed: +# gdb -p ... +# This default setting is suitable for the common case, because it +# reduces the risk that one hacked process can be used to attack other +# processes. (For example, a hacked firefox process in a user session +# will not be able to ptrace the keyring process and extract passwords +# stored only in memory.) +# +# Developers and administrators might want to disable those protections +# to be able to attach debuggers to existing processes. Use +# sysctl kernel.yama.ptrace_scope=0 +# for change the setting temporarily, or copy this file to +# /etc/sysctl.d/20-yama-ptrace.conf to set it for future boots. + +kernel.yama.ptrace_scope = 0 diff --git a/SOURCES/inittab b/SOURCES/inittab new file mode 100644 index 0000000..3f5e83c --- /dev/null +++ b/SOURCES/inittab @@ -0,0 +1,16 @@ +# inittab is no longer used. +# +# ADDING CONFIGURATION HERE WILL HAVE NO EFFECT ON YOUR SYSTEM. +# +# Ctrl-Alt-Delete is handled by /usr/lib/systemd/system/ctrl-alt-del.target +# +# systemd uses 'targets' instead of runlevels. By default, there are two main targets: +# +# multi-user.target: analogous to runlevel 3 +# graphical.target: analogous to runlevel 5 +# +# To view current default target, run: +# systemctl get-default +# +# To set a default target, run: +# systemctl set-default TARGET.target diff --git a/SOURCES/libsystemd-shared.abignore b/SOURCES/libsystemd-shared.abignore new file mode 100644 index 0000000..e412d8b --- /dev/null +++ b/SOURCES/libsystemd-shared.abignore @@ -0,0 +1,3 @@ +[suppress_file] +# This shared object is private to systemd +file_name_regexp=libsystemd-shared-.*.so diff --git a/SOURCES/macros.sysusers b/SOURCES/macros.sysusers new file mode 100644 index 0000000..d8d8c1d --- /dev/null +++ b/SOURCES/macros.sysusers @@ -0,0 +1,10 @@ +# RPM macros for packages creating system accounts +# +# Turn a sysusers.d file into macros specified by +# https://docs.fedoraproject.org/en-US/packaging-guidelines/UsersAndGroups/#_dynamic_allocation + +%sysusers_requires_compat Requires(pre): shadow-utils + +%sysusers_create_compat() \ +%(%{_rpmconfigdir}/sysusers.generate-pre.sh %{?*}) \ +%{nil} diff --git a/SOURCES/purge-nobody-user b/SOURCES/purge-nobody-user new file mode 100755 index 0000000..66404fe --- /dev/null +++ b/SOURCES/purge-nobody-user @@ -0,0 +1,101 @@ +#!/bin/bash -eu + +if [ $UID -ne 0 ]; then + echo "WARNING: This script needs to run as root to be effective" + exit 1 +fi + +export SYSTEMD_NSS_BYPASS_SYNTHETIC=1 + +if [ "${1:-}" = "--ignore-journal" ]; then + shift + ignore_journal=1 +else + ignore_journal=0 +fi + +echo "Checking processes..." +if ps h -u 99 | grep .; then + echo "ERROR: ps reports processes with UID 99!" + exit 2 +fi +echo "... not found" + +echo "Checking UTMP..." +if w -h 199 | grep . ; then + echo "ERROR: w reports UID 99 as active!" + exit 2 +fi +if w -h nobody | grep . ; then + echo "ERROR: w reports user nobody as active!" + exit 2 +fi +echo "... not found" + +echo "Checking the journal..." +if [ "$ignore_journal" = 0 ] && journalctl -q -b -n10 _UID=99 | grep . ; then + echo "ERROR: journalctl reports messages from UID 99 in current boot!" + exit 2 +fi +echo "... not found" + +echo "Looking for files in /etc, /run, /tmp, and /var..." +if find /etc /run /tmp /var -uid 99 -print | grep -m 10 . ; then + echo "ERROR: found files belonging to UID 99" + exit 2 +fi +echo "... not found" + +echo "Checking if nobody is defined correctly..." +if getent passwd nobody | + grep '^nobody:[x*]:65534:65534:.*:/:/sbin/nologin'; +then + echo "OK, nothing to do." + exit 0 +else + echo "NOTICE: User nobody is not defined correctly" +fi + +echo "Checking if nfsnobody or something else is using the uid..." +if getent passwd 65534 | grep . ; then + echo "NOTICE: will have to remove this user" +else + echo "... not found" +fi + +if [ "${1:-}" = "-x" ]; then + if getent passwd nobody >/dev/null; then + # this will remove both the user and the group. + ( set -x + userdel nobody + ) + fi + + if getent passwd 65534 >/dev/null; then + # Make sure the uid is unused. This should free gid too. + name="$(getent passwd 65534 | cut -d: -f1)" + ( set -x + userdel "$name" + ) + fi + + if grep -qE '^(passwd|group):.*\bsss\b' /etc/nsswitch.conf; then + echo "Sleeping, so sss can catch up" + sleep 3 + fi + + if getent group 65534; then + # Make sure the gid is unused, even if uid wasn't. + name="$(getent group 65534 | cut -d: -f1)" + ( set -x + groupdel "$name" + ) + fi + + # systemd-sysusers uses the same gid and uid + ( set -x + systemd-sysusers --inline 'u nobody 65534 "Kernel Overflow User" / /sbin/nologin' + ) +else + echo "Pass '-x' to perform changes" +fi diff --git a/SOURCES/rc.local b/SOURCES/rc.local new file mode 100644 index 0000000..4666070 --- /dev/null +++ b/SOURCES/rc.local @@ -0,0 +1,14 @@ +#!/bin/bash +# THIS FILE IS ADDED FOR COMPATIBILITY PURPOSES +# +# It is highly advisable to create own systemd services or udev rules +# to run scripts during boot instead of using this file. +# +# In contrast to previous versions due to parallel execution during boot +# this script will NOT be run after all other services. +# +# Please note that you must run 'chmod +x /etc/rc.d/rc.local' to ensure +# that this script will be executed during boot. + +touch /var/lock/subsys/local + diff --git a/SOURCES/split-files.py b/SOURCES/split-files.py new file mode 100644 index 0000000..ebef1a0 --- /dev/null +++ b/SOURCES/split-files.py @@ -0,0 +1,196 @@ +import re, sys, os, collections + +buildroot = sys.argv[1] +known_files = sys.stdin.read().splitlines() +known_files = {line.split()[-1]:line for line in known_files} + +def files(root): + os.chdir(root) + todo = collections.deque(['.']) + while todo: + n = todo.pop() + files = os.scandir(n) + for file in files: + yield file + if file.is_dir() and not file.is_symlink(): + todo.append(file) + +o_libs = open('.file-list-libs', 'w') +o_udev = open('.file-list-udev', 'w') +o_boot = open('.file-list-boot', 'w') +o_pam = open('.file-list-pam', 'w') +o_rpm_macros = open('.file-list-rpm-macros', 'w') +o_devel = open('.file-list-devel', 'w') +o_container = open('.file-list-container', 'w') +o_networkd = open('.file-list-networkd', 'w') +o_oomd = open('.file-list-oomd', 'w') +o_remote = open('.file-list-remote', 'w') +o_resolve = open('.file-list-resolve', 'w') +o_tests = open('.file-list-tests', 'w') +o_standalone_tmpfiles = open('.file-list-standalone-tmpfiles', 'w') +o_standalone_sysusers = open('.file-list-standalone-sysusers', 'w') +o_main = open('.file-list-main', 'w') +for file in files(buildroot): + n = file.path[1:] + if re.match(r'''/usr/(share|include)$| + /usr/share/man(/man.|)$| + /usr/share/zsh(/site-functions|)$| + /usr/share/dbus-1$| + /usr/share/dbus-1/system.d$| + /usr/share/dbus-1/(system-|)services$| + /usr/share/polkit-1(/actions|/rules.d|)$| + /usr/share/pkgconfig$| + /usr/share/bash-completion(/completions|)$| + /usr(/lib|/lib64|/bin|/sbin|)$| + /usr/lib.*/(security|pkgconfig)$| + /usr/lib/rpm(/macros.d|)$| + /usr/lib/firewalld(/services|)$| + /usr/share/(locale|licenses|doc)| # no $ + /etc(/pam\.d|/xdg|/X11|/X11/xinit|/X11.*\.d|)$| + /etc/(dnf|dnf/protected.d)$| + /usr/(src|lib/debug)| # no $ + /run$| + /var(/cache|/log|/lib|/run|)$ + ''', n, re.X): + continue + if '/security/pam_' in n or '/man8/pam_' in n: + o = o_pam + elif '/rpm/' in n: + o = o_rpm_macros + elif '/usr/lib/systemd/tests' in n: + o = o_tests + elif re.search(r'/libsystemd-(shared|core)-.*\.so$', n): + o = o_main + elif re.search(r'/libcryptsetup-token-systemd-.*\.so$', n): + o = o_udev + elif re.search(r'/lib.*\.pc|/man3/|/usr/include|\.so$', n): + o = o_devel + elif re.search(r'''journal-(remote|gateway|upload)| + systemd-remote\.conf| + /usr/share/systemd/gatewayd| + /var/log/journal/remote + ''', n, re.X): + o = o_remote + + elif re.search(r'''mymachines| + machinectl| + systemd-nspawn| + import-pubring.gpg| + systemd-(machined|import|pull)| + /machine.slice| + /machines.target| + var-lib-machines.mount| + org.freedesktop.(import|machine)1 + ''', n, re.X): + o = o_container + + elif re.search(r'''/usr/lib/systemd/network/80-| + networkd| + networkctl| + org.freedesktop.network1| + sysusers\.d/systemd-network.conf| + tmpfiles\.d/systemd-network.conf| + systemd\.network| + systemd\.netdev + ''', n, re.X): + o = o_networkd + + elif '.so.' in n: + o = o_libs + + elif re.search(r'''udev(?!\.pc)| + hwdb| + bootctl| + boot-update| + sd-boot|systemd-boot\.|loader.conf| + bless-boot| + boot-system-token| + kernel-install| + vconsole| + backlight| + rfkill| + random-seed| + modules-load| + timesync| + crypttab| + cryptenroll| + cryptsetup| + kmod| + quota| + pstore| + sleep|suspend|hibernate| + systemd-tmpfiles-setup-dev| + network/99-default.link| + growfs|makefs|makeswap|mkswap| + fsck| + repart| + gpt-auto| + volatile-root| + veritysetup| + integritysetup| + integritytab| + remount-fs| + /initrd| + systemd-pcrphase| + systemd-measure| + /boot$| + /kernel/| + /kernel$| + /modprobe.d| + binfmt| + sysctl| + coredump| + homed|home1| + portabled|portable1 + ''', n, re.X): # coredumpctl, homectl, portablectl are included in the main package because + # they can be used to interact with remote daemons. Also, the user could be + # confused if those user-facing binaries are not available. + o = o_udev + + elif re.search(r'''/boot/efi''', n, re.X): + o = o_boot + + elif re.search(r'''resolved|resolve1| + resolvectl| + systemd-resolve| + resolvconf| + systemd\.(positive|negative)| + nss-resolve + ''', n, re.X): # resolvectl and nss-resolve are in the main package. + o = o_resolve + + elif re.search(r'''10-oomd-.*defaults\.conf| + oomd\.conf| + oomctl| + org.freedesktop.oom1| + systemd-oomd + ''', n, re.X): + o = o_oomd + + elif n.endswith('.standalone'): + if 'tmpfiles' in n: + o = o_standalone_tmpfiles + elif 'sysusers' in n: + o = o_standalone_sysusers + else: + assert False, 'Found .standalone not belonging to known packages' + + else: + o = o_main + + if n in known_files: + prefix = ' '.join(known_files[n].split()[:-1]) + if prefix: + prefix += ' ' + elif file.is_dir() and not file.is_symlink(): + prefix = '%dir ' + elif 'README' in n: + prefix = '%doc ' + elif n.startswith('/etc'): + prefix = '%config(noreplace) ' + else: + prefix = '' + + suffix = '*' if '/man/' in n else '' + + print(f'{prefix}{n}{suffix}', file=o) diff --git a/SOURCES/sysctl.conf.README b/SOURCES/sysctl.conf.README new file mode 100644 index 0000000..41c0c41 --- /dev/null +++ b/SOURCES/sysctl.conf.README @@ -0,0 +1,10 @@ +# sysctl settings are defined through files in +# /usr/lib/sysctl.d/, /run/sysctl.d/, and /etc/sysctl.d/. +# +# Vendors settings live in /usr/lib/sysctl.d/. +# To override a whole file, create a new file with the same in +# /etc/sysctl.d/ and put new settings there. To override +# only specific settings, add a file with a lexically later +# name in /etc/sysctl.d/ and put new settings there. +# +# For more information, see sysctl.conf(5) and sysctl.d(5). diff --git a/SOURCES/systemd-journal-gatewayd.xml b/SOURCES/systemd-journal-gatewayd.xml new file mode 100644 index 0000000..a1b400c --- /dev/null +++ b/SOURCES/systemd-journal-gatewayd.xml @@ -0,0 +1,6 @@ + + + systemd-journal-gatewayd + Journal Gateway Service + + diff --git a/SOURCES/systemd-journal-remote.xml b/SOURCES/systemd-journal-remote.xml new file mode 100644 index 0000000..e115a12 --- /dev/null +++ b/SOURCES/systemd-journal-remote.xml @@ -0,0 +1,6 @@ + + + systemd-journal-remote + Journal Remote Sink + + diff --git a/SOURCES/systemd-udev-trigger-no-reload.conf b/SOURCES/systemd-udev-trigger-no-reload.conf new file mode 100644 index 0000000..c879427 --- /dev/null +++ b/SOURCES/systemd-udev-trigger-no-reload.conf @@ -0,0 +1,3 @@ +[Unit] +# https://bugzilla.redhat.com/show_bug.cgi?id=1378974#c17 +RefuseManualStop=true diff --git a/SOURCES/systemd-user b/SOURCES/systemd-user new file mode 100644 index 0000000..8607d4f --- /dev/null +++ b/SOURCES/systemd-user @@ -0,0 +1,11 @@ +# This file is part of systemd. +# +# Used by systemd --user instances. + +account sufficient pam_unix.so no_pass_expiry +account include system-auth + +session required pam_selinux.so close +session required pam_selinux.so nottys open +session required pam_loginuid.so +session include system-auth diff --git a/SOURCES/sysusers.attr b/SOURCES/sysusers.attr new file mode 100644 index 0000000..367c137 --- /dev/null +++ b/SOURCES/sysusers.attr @@ -0,0 +1,2 @@ +%__sysusers_provides %{_rpmconfigdir}/sysusers.prov +%__sysusers_path ^%{_sysusersdir}/.*\\.conf$ diff --git a/SOURCES/sysusers.generate-pre.sh b/SOURCES/sysusers.generate-pre.sh new file mode 100755 index 0000000..6c481c3 --- /dev/null +++ b/SOURCES/sysusers.generate-pre.sh @@ -0,0 +1,79 @@ +#!/bin/bash + +# This script turns sysuser.d files into scriptlets mandated by Fedora +# packaging guidelines. The general idea is to define users using the +# declarative syntax but to turn this into traditional scriptlets. + +user() { + user="$1" + uid="$2" + desc="$3" + group="$4" + home="$5" + shell="$6" + +[ "$desc" = '-' ] && desc= +[ "$home" = '-' -o "$home" = '' ] && home=/ +[ "$shell" = '-' -o "$shell" = '' ] && shell=/sbin/nologin + +if [ "$uid" = '-' -o "$uid" = '' ]; then + cat </dev/null || \\ + useradd -r -g '$group' -d '$home' -s '$shell' -c '$desc' '$user' +EOF +else + cat </dev/null ; then + if ! getent passwd '$uid' >/dev/null ; then + useradd -r -u '$uid' -g '$group' -d '$home' -s /sbin/nologin -c '$desc' '$user' + else + useradd -r -g '$group' -d '$home' -s /sbin/nologin -c '$desc' '$user' + fi +fi + +EOF +fi +} + +group() { + group="$1" + gid="$2" +if [ "$gid" = '-' ]; then + cat </dev/null || groupadd -r '$group' +EOF +else + cat </dev/null || groupadd -f -g '$gid' -r '$group' +EOF +fi +} + +parse() { + while read line || [ "$line" ]; do + [ "${line:0:1}" = '#' -o "${line:0:1}" = ';' ] && continue + line="${line## *}" + [ -z "$line" ] && continue + eval arr=( $line ) + case "${arr[0]}" in + ('u') + group "${arr[1]}" "${arr[2]}" + user "${arr[1]}" "${arr[2]}" "${arr[3]}" "${arr[1]}" "${arr[4]}" "${arr[5]}" + # TODO: user:group support + ;; + ('g') + group "${arr[1]}" "${arr[2]}" + ;; + ('m') + group "${arr[2]}" "-" + user "${arr[1]}" "-" "" "${arr[2]}" + ;; + esac + done +} + +for fn in "$@"; do + [ -e "$fn" ] || continue + echo "# generated from $(basename $fn)" + parse < "$fn" +done diff --git a/SOURCES/sysusers.prov b/SOURCES/sysusers.prov new file mode 100755 index 0000000..a6eda5d --- /dev/null +++ b/SOURCES/sysusers.prov @@ -0,0 +1,28 @@ +#!/bin/bash + +parse() { + while read line; do + [ "${line:0:1}" = '#' -o "${line:0:1}" = ';' ] && continue + line="${line## *}" + [ -z "$line" ] && continue + set -- $line + case "$1" in + ('u') + echo "user($2)" + echo "group($2)" + # TODO: user:group support + ;; + ('g') + echo "group($2)" + ;; + ('m') + echo "user($2)" + echo "group($3)" + ;; + esac + done +} + +while read fn; do + parse < "$fn" +done diff --git a/SOURCES/triggers.systemd b/SOURCES/triggers.systemd new file mode 100644 index 0000000..6c57d71 --- /dev/null +++ b/SOURCES/triggers.systemd @@ -0,0 +1,89 @@ +# -*- Mode: rpm-spec; indent-tabs-mode: nil -*- */ +# SPDX-License-Identifier: LGPL-2.1-or-later +# +# This file is part of systemd. +# +# Copyright 2018 Neal Gompa + +# The contents of this are an example to be copied into systemd.spec. +# +# Minimum rpm version supported: 4.14.0 + +%transfiletriggerin -P 900900 -- /usr/lib/systemd/system /etc/systemd/system +# This script will run after any package is initially installed or +# upgraded. We care about the case where a package is initially +# installed, because other cases are covered by the *un scriptlets, +# so sometimes we will reload needlessly. +if test -d "/run/systemd/system"; then + %{_bindir}/systemctl daemon-reload || : + %{_bindir}/systemctl reload-or-restart --marked || : +fi + +%transfiletriggerpostun -P 1000100 -- /usr/lib/systemd/system /etc/systemd/system +# On removal, we need to run daemon-reload after any units have been +# removed. +# On upgrade, we need to run daemon-reload after any new unit files +# have been installed, but before %postun scripts in packages get +# executed. +if test -d "/run/systemd/system"; then + %{_bindir}/systemctl daemon-reload || : +fi + +%transfiletriggerpostun -P 10000 -- /usr/lib/systemd/system /etc/systemd/system +# We restart remaining services that should be restarted here. +if test -d "/run/systemd/system"; then + %{_bindir}/systemctl reload-or-restart --marked || : +fi + +%transfiletriggerin -P 1000700 -- /usr/lib/sysusers.d +# This script will process files installed in /usr/lib/sysusers.d to create +# specified users automatically. The priority is set such that it +# will run before the tmpfiles file trigger. +if test -d "/run/systemd/system"; then + %{_bindir}/systemd-sysusers || : +fi + +%transfiletriggerin -P 1000700 udev -- /usr/lib/udev/hwdb.d +# This script will automatically invoke hwdb update if files have been +# installed or updated in /usr/lib/udev/hwdb.d. +if test -d "/run/systemd/system"; then + %{_bindir}/systemd-hwdb update || : +fi + +%transfiletriggerin -P 1000700 -- /usr/lib/systemd/catalog +# This script will automatically invoke journal catalog update if files +# have been installed or updated in /usr/lib/systemd/catalog. +if test -d "/run/systemd/system"; then + %{_bindir}/journalctl --update-catalog || : +fi + +%transfiletriggerin -P 1000700 -- /usr/lib/binfmt.d +# This script will automatically apply binfmt rules if files have been +# installed or updated in /usr/lib/binfmt.d. +if test -d "/run/systemd/system"; then + # systemd-binfmt might fail if binfmt_misc kernel module is not loaded + # during install + /usr/lib/systemd/systemd-binfmt || : +fi + +%transfiletriggerin -P 1000600 -- /usr/lib/tmpfiles.d +# This script will process files installed in /usr/lib/tmpfiles.d to create +# tmpfiles automatically. The priority is set such that it will run +# after the sysusers file trigger, but before any other triggers. +if test -d "/run/systemd/system"; then + %{_bindir}/systemd-tmpfiles --create || : +fi + +%transfiletriggerin -P 1000600 udev -- /usr/lib/udev/rules.d +# This script will automatically update udev with new rules if files +# have been installed or updated in /usr/lib/udev/rules.d. +if test -e /run/udev/control; then + %{_bindir}/udevadm control --reload || : +fi + +%transfiletriggerin -P 1000500 -- /usr/lib/sysctl.d +# This script will automatically apply sysctl rules if files have been +# installed or updated in /usr/lib/sysctl.d. +if test -d "/run/systemd/system"; then + /usr/lib/systemd/systemd-sysctl || : +fi diff --git a/SOURCES/yum-protect-systemd.conf b/SOURCES/yum-protect-systemd.conf new file mode 100644 index 0000000..39426d7 --- /dev/null +++ b/SOURCES/yum-protect-systemd.conf @@ -0,0 +1,2 @@ +systemd +systemd-udev diff --git a/SPECS/systemd.spec b/SPECS/systemd.spec new file mode 100644 index 0000000..6e3807f --- /dev/null +++ b/SPECS/systemd.spec @@ -0,0 +1,3856 @@ +#global commit e8dc52766e1fdb4f8c09c3ab654d1270e1090c8d +%{?commit:%global shortcommit %(c=%{commit}; echo ${c:0:7})} + +#global stable 1 + +# We ship a .pc file but don't want to have a dep on pkg-config. We +# strip the automatically generated dep here and instead co-own the +# directory. +%global __requires_exclude pkg-config + +%global pkgdir %{_prefix}/lib/systemd +%global system_unit_dir %{pkgdir}/system +%global user_unit_dir %{pkgdir}/user + +# Bootstrap may be needed to break intercircular dependencies with +# cryptsetup, e.g. when re-building cryptsetup on a json-c SONAME-bump. +%bcond_with bootstrap +%bcond_without tests +%bcond_without lto + +Name: systemd +Url: https://systemd.io +Version: 252 +Release: 8%{?dist} +# For a breakdown of the licensing, see README +License: LGPLv2+ and MIT and GPLv2+ +Summary: System and Service Manager + +# download tarballs with "spectool -g systemd.spec" +%if %{defined commit} +Source0: https://github.com/systemd/systemd%{?stable:-stable}/archive/%{commit}/%{name}-%{shortcommit}.tar.gz +%else +%if 0%{?stable} +Source0: https://github.com/systemd/systemd-stable/archive/v%{version_no_tilde}/%{name}-%{version_no_tilde}.tar.gz +%else +Source0: https://github.com/systemd/systemd/archive/v%{version_no_tilde}/%{name}-%{version_no_tilde}.tar.gz +%endif +%endif +# This file must be available before %%prep. +# It is generated during systemd build and can be found in build/src/core/. +Source1: triggers.systemd +Source2: split-files.py +Source3: purge-nobody-user + +# Prevent accidental removal of the systemd package +Source4: yum-protect-systemd.conf + +Source5: inittab +Source6: sysctl.conf.README +Source7: systemd-journal-remote.xml +Source8: systemd-journal-gatewayd.xml +Source9: 20-yama-ptrace.conf +Source10: systemd-udev-trigger-no-reload.conf +Source11: 20-grubby.install +Source12: systemd-user +Source13: libsystemd-shared.abignore + +Source14: 10-oomd-defaults.conf +Source15: 10-oomd-root-slice-defaults.conf +Source16: 10-oomd-user-service-defaults.conf + +Source21: macros.sysusers +Source22: sysusers.attr +Source23: sysusers.prov +Source24: sysusers.generate-pre.sh +Source25: rc.local + +%if 0 +GIT_DIR=../../src/systemd/.git git format-patch-ab --no-signature -M -N v235..v235-stable +i=1; for j in 00*patch; do printf "Patch%04d: %s\n" $i $j; i=$((i+1));done|xclip +GIT_DIR=../../src/systemd/.git git diffab -M v233..master@{2017-06-15} -- hwdb/[67]* hwdb/parse_hwdb.py > hwdb.patch +%endif + +# Backports of patches from upstream (0000–0499) +# +# Any patches which are "in preparation" upstream should be listed +# here, rather than in the next section. Packit CI will drop any +# patches in this range before applying upstream pull requests. + +# RHEL-specific +Patch0001: 0001-macro-Simply-case-macros-for-IN_SET.patch +Patch0002: 0002-macro-fix-indentation.patch +Patch0003: 0003-test-add-a-couple-of-sanity-tests-for-journalctl.patch +Patch0004: 0004-man-fix-typo-found-by-Lintian.patch +Patch0005: 0005-test-add-x-to-assert.sh.patch +Patch0006: 0006-parse_hwdb-allow-negative-value-for-EVDEV_ABS_-prope.patch +Patch0007: 0007-resolved-fix-typo-in-feature-level-table.patch +Patch0008: 0008-coverage-Mark-_coverage__exit-as-noreturn.patch +Patch0009: 0009-namespace-Add-hidepid-subset-support-check.patch +Patch0010: 0010-test-add-a-couple-of-sanity-tests-for-loginctl.patch +Patch0011: 0011-test-rename-TEST-26-SETENV-to-TEST-26-SYSTEMCTL.patch +Patch0012: 0012-test-add-a-couple-of-sanity-tests-for-systemctl.patch +Patch0013: 0013-docs-DPS-and-BLS-have-moved-to-uapi-group.org.patch +Patch0014: 0014-core-fix-memleak-in-GetUnitFileLinks-method.patch +Patch0015: 0015-man-use-the-correct-Markers-property-name-for-markin.patch +Patch0016: 0016-test-further-extend-systemctl-s-sanity-coverage.patch +Patch0017: 0017-test-add-a-sanity-coverage-for-systemd-analyze-verbs.patch +Patch0018: 0018-udev-first-set-properties-based-on-usb-subsystem.patch +Patch0019: 0019-udev-drop-redundant-call-of-usb_id-and-assignment-of.patch +Patch0020: 0020-udev-add-safe-guard-for-setting-by-id-symlink.patch +Patch0021: 0021-test-cover-legacy-deprecated-systemd-analyze-verbs.patch +Patch0022: 0022-test-cover-a-couple-of-previously-missed-analyze-cod.patch +Patch0023: 0023-test-introduce-sanity-coverage-for-auxiliary-utils.patch +Patch0024: 0024-firstboot-fix-segfault-when-locale-messages-is-passe.patch +Patch0025: 0025-tests-make-test-execute-pass-on-openSUSE.patch +Patch0026: 0026-tests-minor-simplification-in-test-execute.patch +Patch0027: 0027-tmpfiles.d-do-not-fail-if-provision.conf-fails.patch +Patch0028: 0028-kernel-install-90-loaderentry-do-not-add-multiple-sy.patch +Patch0029: 0029-condition-Check-that-subsystem-is-enabled-in-Conditi.patch +Patch0030: 0030-semaphore-remove-the-Semaphore-repositories-recursiv.patch +Patch0031: 0031-kernel-install-90-loaderentry-do-not-override-an-exi.patch +Patch0032: 0032-kernel-install-skip-50-depmod-if-depmod-is-not-avail.patch +Patch0033: 0033-man-add-note-that-network-generator-is-not-a-generat.patch +Patch0034: 0034-test-fstab-generator-adjust-PATH-for-fsck.patch +Patch0035: 0035-loop-util-open-lock-fd-read-only.patch +Patch0036: 0036-test-don-t-ignore-non-existent-paths-in-inst_recursi.patch +Patch0037: 0037-test-fix-locale-installation-when-locale-gen-is-used.patch +Patch0038: 0038-test-fix-keymaps-installation-on-Arch.patch +Patch0039: 0039-test-compile-test-utmp.c-only-if-UTMP-is-enabled.patch +Patch0040: 0040-Create-CNAME.patch +Patch0041: 0041-tpm2-util-force-default-TCTI-to-be-device-with-param.patch +Patch0042: 0042-tpm2-add-some-extra-validation-of-device-string-befo.patch +Patch0043: 0043-boot-Fix-error-message.patch +Patch0044: 0044-boot-Fix-memory-leak.patch +Patch0045: 0045-boot-Do-not-require-a-loaded-image-path.patch +Patch0046: 0046-boot-Manually-convert-filepaths-if-needed.patch +Patch0047: 0047-boot-Rework-security-arch-override.patch +Patch0048: 0048-boot-Replace-firmware-security-hooks-directly.patch +Patch0049: 0049-networkd-ipv4acd.c-Use-net-if.h-for-getting-IFF_LOOP.patch +Patch0050: 0050-Revert-initrd-extend-SYSTEMD_IN_INITRD-to-accept-non.patch +Patch0051: 0051-pid1-skip-cleanup-if-root-is-not-tmpfs-ramfs.patch +Patch0052: 0052-ac-power-check-battery-existence-and-status.patch +Patch0053: 0053-systemctl-do-not-show-unit-properties-with-all.patch +Patch0054: 0054-Fix-reading-etc-machine-id-in-kernel-install-25388.patch +Patch0055: 0055-Revert-journal-Make-sd_journal_previous-next-return-.patch +Patch0056: 0056-boot-Correctly-handle-saved-default-patterns.patch +Patch0057: 0057-shared-tpm2-util-Fix-Error-Esys-invalid-ESAPI-handle.patch +Patch0058: 0058-Handle-MACHINE_ID-uninitialized.patch +Patch0059: 0059-fuzz-fuzz-compress-fix-copy-and-paste-error-buf-buf2.patch +Patch0060: 0060-boot-measure-fix-oom-check.patch +Patch0061: 0061-nspawn-allow-sched_rr_get_interval_time64-through-se.patch +Patch0062: 0062-resolved-use-right-conditionalization-when-setting-u.patch +Patch0063: 0063-resolved-when-configuring-127.0.0.1-as-per-interface.patch +Patch0064: 0064-manager-fix-format-strings-for-trigger-metadata.patch +Patch0065: 0065-basic-strv-check-printf-arguments-to-strv_extendf.patch +Patch0066: 0066-resolved-Fix-OpenSSL-error-messages.patch +Patch0067: 0067-network-wifi-try-to-reconfigure-when-connected.patch +Patch0068: 0068-oomd-always-allow-root-owned-cgroups-to-set-ManagedO.patch +Patch0069: 0069-oomd-fix-unreachable-test-case-in-test-oomd-util.patch +Patch0070: 0070-portable-add-a-few-more-useful-debug-log-messages.patch +Patch0071: 0071-repart-respect-discard-no-also-for-block-devices.patch +Patch0072: 0072-udev-make-sure-auto-root-logic-also-works-in-UKIs-bo.patch +Patch0073: 0073-meson-install-test-kernel-install-only-when-Dkernel-.patch +Patch0074: 0074-boot-Silence-driver-reconnect-errors.patch +Patch0075: 0075-dissect-image-do-not-try-to-close-invalid-fd.patch +Patch0076: 0076-bootctl-make-boot-entry-id-logged-in-hex.patch +Patch0077: 0077-bootctl-downgrade-log-message-when-firmware-reports-.patch +Patch0078: 0078-bootctl-rework-how-we-handle-referenced-but-absent-E.patch +Patch0079: 0079-strv-Make-sure-strv_make_nulstr-always-returns-a-val.patch +Patch0080: 0080-sd-bus-Use-goto-finish-instead-of-return-in-bus_add_.patch +Patch0081: 0081-find-esp-downgrade-and-ignore-error-on-retrieving-PA.patch +Patch0082: 0082-find-esp-include-device-sysname-in-the-log-message.patch +Patch0083: 0083-tmpfiles-log-at-info-level-when-some-allowed-failure.patch +Patch0084: 0084-fd-util-make-fd_in_set-and-thus-close_all_fds-handle.patch +Patch0085: 0085-fd-util-add-new-fd_cloexec_many-helper.patch +Patch0086: 0086-process-util-add-new-FORK_CLOEXEC_OFF-flag-for-disab.patch +Patch0087: 0087-dissect-fix-fsck.patch +Patch0088: 0088-core-update-audit-messages.patch +Patch0089: 0089-logind-set-RemoveIPC-to-false-by-default.patch +Patch0090: 0090-tmpfiles-don-t-create-resolv.conf-stub-resolv.conf-s.patch +Patch0091: 0091-Copy-40-redhat.rules-from-RHEL-8.patch +Patch0092: 0092-Avoid-tmp-being-mounted-as-tmpfs-without-the-user-s-.patch +Patch0093: 0093-unit-don-t-add-Requires-for-tmp.mount.patch +Patch0094: 0094-units-add-Install-section-to-tmp.mount.patch +Patch0095: 0095-rc-local-order-after-network-online.target.patch +Patch0096: 0096-ci-drop-CIs-irrelevant-for-downstream.patch +Patch0097: 0097-ci-reconfigure-Packit-for-RHEL-9.patch +Patch0098: 0098-ci-run-unit-tests-on-z-stream-branches-as-well.patch +Patch0099: 0099-random-util-increase-random-seed-size-to-1024.patch +Patch0100: 0100-journal-don-t-enable-systemd-journald-audit.socket-b.patch +Patch0101: 0101-journald.conf-don-t-touch-current-audit-settings.patch +Patch0102: 0102-Revert-udev-remove-WAIT_FOR-key.patch +Patch0103: 0103-Really-don-t-enable-systemd-journald-audit.socket.patch +Patch0104: 0104-rules-add-elevator-kernel-command-line-parameter.patch +Patch0105: 0105-units-don-t-enable-tmp.mount-statically-in-local-fs..patch +Patch0106: 0106-pid1-bump-DefaultTasksMax-to-80-of-the-kernel-pid.ma.patch +Patch0107: 0107-set-core-ulimit-to-0-like-on-RHEL-7.patch +Patch0108: 0108-ci-use-C9S-chroots-in-Packit.patch +Patch0109: 0109-Treat-EPERM-as-not-available-too.patch +Patch0110: 0110-udev-net-setup-link-change-the-default-MACAddressPol.patch +Patch0111: 0111-man-mention-System-Administrator-s-Guide-in-systemct.patch +Patch0112: 0112-Net-naming-scheme-for-RHEL-9.0.patch +Patch0113: 0113-core-decrease-log-level-of-messages-about-use-of-Kil.patch +Patch0114: 0114-ci-Mergify-configuration-update.patch +Patch0115: 0115-ci-Mergify-fix-copy-paste-bug.patch +Patch0116: 0116-ci-Mergify-Add-ci-waived-logic.patch +Patch0117: 0117-udev-net_id-avoid-slot-based-names-only-for-single-f.patch +Patch0118: 0118-udev-net_id-add-rhel-9.1-naming-scheme.patch +Patch0119: 0119-ci-lint-Update-Differential-ShellCheck-config-to-run.patch +Patch0120: 0120-ci-mergify-Update-policy-Drop-LGTM-checks.patch +Patch0121: 0121-test-sd-device-skip-misc-devices.patch +Patch0122: 0122-test-skip-test_ntp-if-systemd-timesyncd-is-not-avail.patch +Patch0123: 0123-test-accept-EPERM-for-unavailable-idmapped-mounts-as.patch +Patch0124: 0124-test-don-t-test-buses-we-don-t-ship.patch +Patch0125: 0125-basic-add-fallback-in-chase_symlinks_and_opendir-for.patch +Patch0126: 0126-test-check-if-we-can-use-SHA1-MD-for-signing-before-.patch +Patch0127: 0127-boot-cleanups-for-efivar_get-and-friends.patch +Patch0128: 0128-boot-fix-false-maybe-uninitialized-warning.patch +Patch0129: 0129-tree-wide-modernizations-with-RET_NERRNO.patch +Patch0130: 0130-sd-bus-handle-EINTR-return-from-bus_poll.patch +Patch0131: 0131-stdio-bridge-don-t-be-bothered-with-EINTR.patch +Patch0132: 0132-varlink-also-handle-EINTR-gracefully-when-waiting-fo.patch +Patch0133: 0133-sd-netlink-handle-EINTR-from-poll-gracefully-as-succ.patch +Patch0134: 0134-resolved-handle-EINTR-returned-from-fd_wait_for_even.patch +Patch0135: 0135-homed-handle-EINTR-gracefully-when-waiting-for-devic.patch +Patch0136: 0136-utmp-wtmp-fix-error-in-case-isatty-fails.patch +Patch0137: 0137-utmp-wtmp-handle-EINTR-gracefully-when-waiting-to-wr.patch +Patch0138: 0138-io-util-document-EINTR-situation-a-bit.patch +Patch0139: 0139-terminal-util-Set-OPOST-when-setting-ONLCR.patch +Patch0140: 0140-cgtop-Do-not-rewrite-P-or-k-options.patch +Patch0141: 0141-test-Add-tests-for-systemd-cgtop-args-parsing.patch +Patch0142: 0142-resolved-remove-inappropriate-assert.patch +Patch0143: 0143-boot-Add-xstrn8_to_16.patch +Patch0144: 0144-boot-Use-xstr8_to_16.patch +Patch0145: 0145-boot-Use-xstr8_to_16-for-path-conversion.patch +Patch0146: 0146-stub-Fix-cmdline-handling.patch +Patch0147: 0147-stub-Detect-empty-LoadOptions-when-run-from-EFI-shel.patch +Patch0148: 0148-boot-Use-EFI_BOOT_MANAGER_POLICY_PROTOCOL-to-connect.patch +Patch0149: 0149-boot-Make-sure-all-partitions-drivers-are-connected.patch +Patch0150: 0150-boot-improve-support-for-qemu.patch +Patch0151: 0151-systemd-boot-man-page-add-section-for-virtual-machin.patch +Patch0152: 0152-boot-Only-do-full-driver-initialization-in-VMs.patch +Patch0153: 0153-dissect-rework-DISSECT_IMAGE_ADD_PARTITION_DEVICES-D.patch +Patch0154: 0154-ci-Mergify-v252-configuration-update.patch +Patch0155: 0155-ci-Run-GitHub-workflows-on-rhel-branches.patch +Patch0156: 0156-ci-Drop-scorecards-workflow-not-relevant.patch +Patch0157: 0157-swap-tell-swapon-to-reinitialize-swap-if-needed.patch +Patch0158: 0158-coredump-adjust-whitespace.patch +Patch0159: 0159-coredump-do-not-allow-user-to-access-coredumps-with-.patch +Patch0160: 0160-Revert-basic-add-fallback-in-chase_symlinks_and_open.patch +Patch0161: 0161-glyph-util-add-warning-sign-special-glyph.patch +Patch0162: 0162-chase-symlink-when-converting-directory-O_PATH-fd-to.patch +Patch0163: 0163-systemctl-print-a-clear-warning-if-people-invoke-sys.patch +Patch0164: 0164-TEST-65-check-cat-config-operation-in-chroot.patch +Patch0165: 0165-TEST-65-use-v-more.patch +Patch0166: 0166-systemctl-warn-if-trying-to-disable-a-unit-with-no-i.patch +Patch0167: 0167-systemctl-allow-suppress-the-warning-of-no-install-i.patch +Patch0168: 0168-rpm-systemd-update-helper-use-no-warn-when-disabling.patch +Patch0169: 0169-systemctl-suppress-warning-about-missing-proc-when-n.patch +Patch0170: 0170-shell-completion-systemctl-add-no-warn.patch +Patch0171: 0171-core-unit-drop-doubled-empty-line.patch +Patch0172: 0172-core-unit-drop-dependency-to-the-unit-being-merged.patch +Patch0173: 0173-core-unit-fix-logic-of-dropping-self-referencing-dep.patch +Patch0174: 0174-core-unit-merge-two-loops-into-one.patch +Patch0175: 0175-test-add-test-case-for-sysv-generator-and-invalid-de.patch +Patch0176: 0176-core-unit-merge-unit-names-after-merging-deps.patch +Patch0177: 0177-core-unit-fix-log-message.patch +Patch0178: 0178-test-explicitly-create-the-etc-init.d-directory.patch +Patch0179: 0179-test-support-a-non-default-SysV-directory.patch +Patch0180: 0180-udev-make-get_virtfn_info-provide-physical-PCI-devic.patch +Patch0181: 0181-test-make-helper_check_device_units-log-unit-name.patch +Patch0182: 0182-test-add-a-testcase-for-lvextend.patch +Patch0183: 0183-pid1-fix-segv-triggered-by-status-query-26279.patch +Patch0184: 0184-test-create-config-under-run.patch +Patch0185: 0185-test-add-tests-for-mDNS-and-LLMNR-settings.patch +Patch0186: 0186-resolved-introduce-the-_localdnsstub-and-_localdnspr.patch +Patch0187: 0187-test-wait-for-the-monitoring-service-to-become-activ.patch +Patch0188: 0188-test-suppress-echo-in-monitor_check_rr.patch +Patch0189: 0189-Revert-test-wait-for-the-monitoring-service-to-becom.patch +Patch0190: 0190-test-show-and-check-almost-all-journal-entries-since.patch +Patch0191: 0191-test-cover-IPv6-in-the-resolved-test-suite.patch +Patch0192: 0192-test-add-a-couple-of-SRV-records-to-check-service-re.patch +Patch0193: 0193-test-add-a-test-for-the-OPENPGPKEY-RR.patch +Patch0194: 0194-test-don-t-hang-indefinitely-on-no-match.patch +Patch0195: 0195-test-ndisc-fix-memleak-and-fd-leak.patch +Patch0196: 0196-test-unit-name-fix-fd-leak.patch +Patch0197: 0197-test-bump-D-Bus-service-start-timeout-if-we-run-with.patch +Patch0198: 0198-test-bump-the-client-side-timeout-in-sd-bus-as-well.patch +Patch0199: 0199-test-bump-the-container-spawn-timeout-to-60s.patch +Patch0200: 0200-network-fix-memleak.patch +Patch0201: 0201-busctl-fix-introspecting-DBus-properties.patch +Patch0202: 0202-busctl-simplify-peeking-the-type.patch +Patch0203: 0203-resolve-drop-redundant-call-of-socket_ipv6_is_suppor.patch +Patch0204: 0204-resolve-introduce-link_get_llmnr_support-and-link_ge.patch +Patch0205: 0205-resolve-provide-effective-supporting-levels-of-mDNS-.patch +Patch0206: 0206-resolvectl-warn-if-the-global-mDNS-or-LLMNR-support-.patch +Patch0207: 0207-resolve-enable-per-link-mDNS-setting-by-default.patch +Patch0208: 0208-nss-myhostname-fix-inverted-condition-in.patch +Patch0209: 0209-nss-myhostname-do-not-return-empty-result-with-NSS_S.patch +Patch0210: 0210-sleep-rename-hibernate_delay_sec-_usec.patch +Patch0211: 0211-sleep-fetch_batteries_capacity_by_name-does-not-retu.patch +Patch0212: 0212-sleep-drop-unnecessary-temporal-vaiable-and-initiali.patch +Patch0213: 0213-sleep-introduce-SuspendEstimationSec.patch +Patch0214: 0214-sleep-coding-style-fixlets.patch +Patch0215: 0215-sleep-simplify-code-a-bit.patch +Patch0216: 0216-sleep-fix-indentation.patch +Patch0217: 0217-sleep-enumerate-only-existing-and-non-device-batteri.patch +Patch0218: 0218-core-when-isolating-to-a-unit-also-keep-units-runnin.patch +Patch0219: 0219-udev-net_id-introduce-naming-scheme-for-RHEL-9.2.patch +Patch0220: 0220-journalctl-actually-run-the-static-destructors.patch +Patch0221: 0221-efi-drop-executable-stack-bit-from-.elf-file.patch +Patch0222: 0222-install-fail-early-if-specifier-expansion-failed.patch +Patch0223: 0223-test-add-coverage-for-26467.patch +Patch0224: 0224-test-add-coverage-for-24177.patch +Patch0225: 0225-logind-session-make-stopping-of-idle-session-visible.patch +Patch0226: 0226-journal-file-Fix-return-value-in-bump_entry_array.patch + +# Downstream-only patches (9000–9999) + +%ifarch %{ix86} x86_64 aarch64 +%global have_gnu_efi 1 +%endif + +BuildRequires: gcc +BuildRequires: gcc-c++ +BuildRequires: coreutils +BuildRequires: libcap-devel +BuildRequires: libmount-devel +BuildRequires: libfdisk-devel +BuildRequires: pam-devel +BuildRequires: libselinux-devel +BuildRequires: audit-libs-devel +%if %{without bootstrap} +BuildRequires: cryptsetup-devel +%endif +BuildRequires: dbus-devel +# /usr/bin/getfacl is needed by test-acl-util +BuildRequires: acl +BuildRequires: libacl-devel +BuildRequires: gobject-introspection-devel +BuildRequires: libblkid-devel +BuildRequires: xz-devel +BuildRequires: xz +BuildRequires: lz4-devel +BuildRequires: lz4 +BuildRequires: bzip2-devel +BuildRequires: libzstd-devel +BuildRequires: libidn2-devel +BuildRequires: libcurl-devel +BuildRequires: kmod-devel +BuildRequires: elfutils-devel +BuildRequires: openssl-devel +BuildRequires: libgcrypt-devel +BuildRequires: libgpg-error-devel +BuildRequires: gnutls-devel +BuildRequires: libmicrohttpd-devel +BuildRequires: libxkbcommon-devel +BuildRequires: libxslt +BuildRequires: docbook-style-xsl +BuildRequires: pkgconfig +BuildRequires: gperf +BuildRequires: gawk +BuildRequires: tree +BuildRequires: hostname +BuildRequires: python3dist(lxml) +BuildRequires: python3dist(jinja2) +BuildRequires: firewalld-filesystem +BuildRequires: libseccomp-devel +BuildRequires: meson >= 0.43 +BuildRequires: gettext +# We use RUNNING_ON_VALGRIND in tests, so the headers need to be available +BuildRequires: valgrind-devel +BuildRequires: pkgconfig(bash-completion) +BuildRequires: pkgconfig(tss2-esys) +BuildRequires: pkgconfig(tss2-rc) +BuildRequires: pkgconfig(tss2-mu) +BuildRequires: perl +BuildRequires: perl(IPC::SysV) +BuildRequires: git-core +%if 0%{?have_gnu_efi} +BuildRequires: gnu-efi gnu-efi-devel +%endif + +Requires(post): coreutils +Requires(post): sed +Requires(post): acl +Requires(post): grep +# systemd-machine-id-setup requires libssl +Requires(post): openssl-libs +Requires(pre): coreutils +Requires(pre): /usr/bin/getent +Requires(pre): /usr/sbin/groupadd +Requires: dbus >= 1.9.18 +Requires: %{name}-pam = %{version}-%{release} +Requires: %{name}-rpm-macros = %{version}-%{release} +Requires: %{name}-libs = %{version}-%{release} +Requires: util-linux +Provides: /bin/systemctl +Provides: /sbin/shutdown +Provides: syslog +Provides: systemd-units = %{version}-%{release} +Obsoletes: system-setup-keyboard < 0.9 +Provides: system-setup-keyboard = 0.9 +# systemd-sysv-convert was removed in f20: https://fedorahosted.org/fpc/ticket/308 +Obsoletes: systemd-sysv < 206 +# self-obsoletes so that dnf will install new subpackages on upgrade (#1260394) +Obsoletes: %{name} < 246.6-2 +Provides: systemd-sysv = 206 +Conflicts: initscripts < 9.56.1 +%if 0%{?fedora} +Conflicts: fedora-release < 23-0.12 +%endif +Obsoletes: timedatex < 0.6-3 +Provides: timedatex = 0.6-3 +Conflicts: %{name}-standalone-tmpfiles < %{version}-%{release}^ +Obsoletes: %{name}-standalone-tmpfiles < %{version}-%{release}^ +Conflicts: %{name}-standalone-sysusers < %{version}-%{release}^ +Obsoletes: %{name}-standalone-sysusers < %{version}-%{release}^ + +# Requires deps for stuff that is dlopen()ed +Requires: pcre2%{?_isa} + +%description +systemd is a system and service manager that runs as PID 1 and starts +the rest of the system. It provides aggressive parallelization +capabilities, uses socket and D-Bus activation for starting services, +offers on-demand starting of daemons, keeps track of processes using +Linux control groups, maintains mount and automount points, and +implements an elaborate transactional dependency-based service control +logic. systemd supports SysV and LSB init scripts and works as a +replacement for sysvinit. Other parts of this package are a logging daemon, +utilities to control basic system configuration like the hostname, +date, locale, maintain a list of logged-in users, system accounts, +runtime directories and settings, and daemons to manage simple network +configuration, network time synchronization, log forwarding, and name +resolution. +%if 0%{?stable} +This package was built from the %{version}-stable branch of systemd. +%endif + +%package libs +Summary: systemd libraries +License: LGPLv2+ and MIT +Obsoletes: libudev < 183 +Obsoletes: systemd < 185-4 +Conflicts: systemd < 185-4 +Obsoletes: systemd-compat-libs < 230 +Obsoletes: nss-myhostname < 0.4 +Provides: nss-myhostname = 0.4 +Provides: nss-myhostname%{_isa} = 0.4 +Requires(post): coreutils +Requires(post): sed +Requires(post): grep +Requires(post): /usr/bin/getent + +%description libs +Libraries for systemd and udev. + +%package pam +Summary: systemd PAM module +Requires: %{name} = %{version}-%{release} + +%description pam +Systemd PAM module registers the session with systemd-logind. + +%package rpm-macros +Summary: Macros that define paths and scriptlets related to systemd +BuildArch: noarch + +%description rpm-macros +Just the definitions of rpm macros. + +See +https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_systemd +for information how to use those macros. + +%package devel +Summary: Development headers for systemd +License: LGPLv2+ and MIT +Requires: %{name}-libs%{?_isa} = %{version}-%{release} +Provides: libudev-devel = %{version} +Provides: libudev-devel%{_isa} = %{version} +Obsoletes: libudev-devel < 183 +# Fake dependency to make sure systemd-pam is pulled into multilib (#1414153) +Requires: %{name}-pam = %{version}-%{release} + +%description devel +Development headers and auxiliary files for developing applications linking +to libudev or libsystemd. + +%package udev +Summary: Rule-based device node and kernel event manager +License: LGPLv2+ + +Requires: systemd%{?_isa} = %{version}-%{release} +Requires(post): systemd +Requires(preun): systemd +Requires(postun): systemd +Requires(post): grep +Requires: kmod >= 18-4 +# https://bodhi.fedoraproject.org/updates/FEDORA-2020-dd43dd05b1 +Obsoletes: systemd < 245.6-1 +Provides: udev = %{version} +Provides: udev%{_isa} = %{version} +Obsoletes: udev < 183 + +# https://bugzilla.redhat.com/show_bug.cgi?id=1377733#c9 +Suggests: systemd-bootchart +# https://bugzilla.redhat.com/show_bug.cgi?id=1408878 +Requires: kbd + +# Requires deps for stuff that is dlopen()ed +Requires: cryptsetup-libs%{?_isa} +# https://bugzilla.redhat.com/show_bug.cgi?id=2017541 +Requires: tpm2-tss%{?_isa} + +# https://bugzilla.redhat.com/show_bug.cgi?id=1753381 +Provides: u2f-hidraw-policy = 1.0.2-40 +Obsoletes: u2f-hidraw-policy < 1.0.2-40 + +# self-obsoletes to install both packages after split of systemd-boot +Obsoletes: systemd-udev < 252-8 + +%description udev +This package contains systemd-udev and the rules and hardware database +needed to manage device nodes. This package is necessary on physical +machines and in virtual machines, but not in containers. + +%if 0%{?have_gnu_efi} +%package boot-unsigned +Summary: UEFI boot manager (unsigned version) + +Provides: systemd-boot-unsigned-%{efi_arch} = %version-%release +Provides: systemd-boot = %version-%release +Provides: systemd-boot%{_isa} = %version-%release +# A provides with just the version, no release or dist, used to build systemd-boot +Provides: version(systemd-boot-unsigned) = %version +Provides: version(systemd-boot-unsigned)%{_isa} = %version + +# self-obsoletes to install both packages after split of systemd-boot +Obsoletes: systemd-udev < 252-8 + +%description boot-unsigned +systemd-boot (short: sd-boot) is a simple UEFI boot manager. It provides a +graphical menu to select the entry to boot and an editor for the kernel command +line. systemd-boot supports systems with UEFI firmware only. + +This package contains the unsigned version. Install systemd-boot instead to get +the version that works with Secure Boot. +%endif + +%package container +# Name is the same as in Debian +Summary: Tools for containers and VMs +Requires: %{name}%{?_isa} = %{version}-%{release} +Requires(post): systemd +Requires(preun): systemd +Requires(postun): systemd +# obsolete parent package so that dnf will install new subpackage on upgrade (#1260394) +Obsoletes: %{name} < 229-5 +License: LGPLv2+ + +%description container +Systemd tools to spawn and manage containers and virtual machines. + +This package contains systemd-nspawn, machinectl, systemd-machined, +and systemd-importd. + +%package journal-remote +# Name is the same as in Debian +Summary: Tools to send journal events over the network +Requires: %{name}%{?_isa} = %{version}-%{release} +License: LGPLv2+ +Requires(pre): /usr/bin/getent +Requires(post): systemd +Requires(preun): systemd +Requires(postun): systemd +Requires: firewalld-filesystem +Provides: %{name}-journal-gateway = %{version}-%{release} +Provides: %{name}-journal-gateway%{_isa} = %{version}-%{release} +Obsoletes: %{name}-journal-gateway < 227-7 + +%description journal-remote +Programs to forward journal entries over the network, using encrypted HTTP, +and to write journal files from serialized journal contents. + +This package contains systemd-journal-gatewayd, +systemd-journal-remote, and systemd-journal-upload. + +%package resolved +Summary: System daemon that provides network name resolution to local applications +Requires: %{name}%{?_isa} = %{version}-%{release} +License: LGPLv2+ + +%description resolved +systemd-resolved is a system service that provides network name +resolution to local applications. It implements a caching and +validating DNS/DNSSEC stub resolver, as well as an LLMNR and +MulticastDNS resolver and responder. + +%package oomd +Summary: A userspace out-of-memory (OOM) killer +Requires: %{name}%{?_isa} = %{version}-%{release} +License: LGPLv2+ +Provides: %{name}-oomd-defaults = %{version}-%{release} + +%description oomd +systemd-oomd is a system service that uses cgroups-v2 and pressure stall +information (PSI) to monitor and take action on processes before an OOM +occurs in kernel space. + +%package standalone-tmpfiles +Summary: Standalone tmpfiles binary for use in non-systemd systems +RemovePathPostfixes: .standalone + +%description standalone-tmpfiles +Standalone tmpfiles binary with no dependencies on the systemd-shared library +or other libraries from systemd-libs. This package conflicts with the main +systemd package and is meant for use in non-systemd systems. + +%package standalone-sysusers +Summary: Standalone sysusers binary for use in non-systemd systems +RemovePathPostfixes: .standalone + +%description standalone-sysusers +Standalone sysusers binary with no dependencies on the systemd-shared library +or other libraries from systemd-libs. This package conflicts with the main +systemd package and is meant for use in non-systemd systems. + +%prep +%autosetup -n %{?commit:%{name}%{?stable:-stable}-%{commit}}%{!?commit:%{name}%{?stable:-stable}-%{version_no_tilde}} -S git_am -p1 + +%build +%define ntpvendor %(source /etc/os-release; echo ${ID}) +%{!?ntpvendor: echo 'NTP vendor zone is not set!'; exit 1} + +CONFIGURE_OPTS=( + -Dmode=release + -Dsysvinit-path=/etc/rc.d/init.d + -Drc-local=/etc/rc.d/rc.local + -Dntp-servers='0.%{ntpvendor}.pool.ntp.org 1.%{ntpvendor}.pool.ntp.org 2.%{ntpvendor}.pool.ntp.org 3.%{ntpvendor}.pool.ntp.org' + -Ddns-servers= + -Duser-path=/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin + -Dservice-watchdog=3min + -Ddev-kvm-mode=0666 + -Dkmod=true + -Dxkbcommon=true + -Dblkid=true + -Dfdisk=true + -Dseccomp=true + -Dima=true + -Dselinux=true + -Dapparmor=false + -Dpolkit=true + -Dxz=true + -Dzlib=true + -Dbzip2=true + -Dlz4=true + -Dzstd=true + -Dpam=true + -Dacl=true + -Dsmack=true + -Dopenssl=true + -Dcryptolib=openssl + -Dp11kit=true + -Dgcrypt=true + -Daudit=true + -Delfutils=true +%if %{without bootstrap} + -Dlibcryptsetup=true +%else + -Dlibcryptsetup=false +%endif + -Delfutils=true + -Dpwquality=false + -Dqrencode=false + -Dgnutls=true + -Dmicrohttpd=true + -Dlibidn2=true + -Dlibiptc=false + -Dlibcurl=true + -Dlibfido2=false + -Defi=true + -Dgnu-efi=%[%{?have_gnu_efi}?"true":"false"] + -Dtpm=true + -Dtpm2=true + -Dhwdb=true + -Dsysusers=true + -Dstandalone-binaries=true + -Ddefault-kill-user-processes=false + -Dtests=unsafe + -Dinstall-tests=false + -Dtty-gid=5 + -Dusers-gid=100 + -Dnobody-user=nobody + -Dnobody-group=nobody + -Dcompat-mutable-uid-boundaries=true + -Dsplit-usr=false + -Dsplit-bin=true +%if %{with lto} + -Db_lto=true +%else + -Db_lto=false +%endif + -Db_ndebug=false + -Dman=true + -Dversion-tag=%{version}-%{release} +%if 0%{?fedora} + -Dfallback-hostname=fedora +%else + -Dfallback-hostname=localhost +%endif + -Ddefault-dnssec=no + # https://bugzilla.redhat.com/show_bug.cgi?id=1867830 + -Ddefault-mdns=no + -Ddefault-llmnr=resolve + -Doomd=true + -Dtimesyncd=false + -Dhomed=false + -Duserdb=false + -Dportabled=false + -Dnetworkd=false + -Dsupport-url=https://access.redhat.com/support + -Ddefault-net-naming-scheme=rhel-9.0 +) + +%if %{without lto} +%global _lto_cflags %nil +%endif + +%meson "${CONFIGURE_OPTS[@]}" + +new_triggers=%{_vpath_builddir}/src/rpm/triggers.systemd.sh +if ! diff -u %{SOURCE1} ${new_triggers}; then + echo -e "\n\n\nWARNING: triggers.systemd in Source1 is different!" + echo -e " cp $PWD/${new_triggers} %{SOURCE1}\n\n\n" + sleep 5 +fi + +%meson_build + +%install +%meson_install + +# udev links +mkdir -p %{buildroot}/%{_sbindir} +ln -sf ../bin/udevadm %{buildroot}%{_sbindir}/udevadm + +# Compatiblity and documentation files +touch %{buildroot}/etc/crypttab +chmod 600 %{buildroot}/etc/crypttab + +# /etc/initab +install -Dm0644 -t %{buildroot}/etc/ %{SOURCE5} + +# /etc/sysctl.conf compat +install -Dm0644 %{SOURCE6} %{buildroot}/etc/sysctl.conf +ln -s ../sysctl.conf %{buildroot}/etc/sysctl.d/99-sysctl.conf + +# Make sure these directories are properly owned +mkdir -p %{buildroot}%{system_unit_dir}/basic.target.wants +mkdir -p %{buildroot}%{system_unit_dir}/default.target.wants +mkdir -p %{buildroot}%{system_unit_dir}/dbus.target.wants +mkdir -p %{buildroot}%{system_unit_dir}/syslog.target.wants +mkdir -p %{buildroot}/run +mkdir -p %{buildroot}%{_localstatedir}/log +touch %{buildroot}%{_localstatedir}/log/lastlog +chmod 0664 %{buildroot}%{_localstatedir}/log/lastlog +touch %{buildroot}/run/utmp +touch %{buildroot}%{_localstatedir}/log/{w,b}tmp + +# Make sure the user generators dir exists too +mkdir -p %{buildroot}%{pkgdir}/system-generators +mkdir -p %{buildroot}%{pkgdir}/user-generators + +# Create new-style configuration files so that we can ghost-own them +touch %{buildroot}%{_sysconfdir}/hostname +touch %{buildroot}%{_sysconfdir}/vconsole.conf +touch %{buildroot}%{_sysconfdir}/locale.conf +touch %{buildroot}%{_sysconfdir}/machine-id +touch %{buildroot}%{_sysconfdir}/machine-info +touch %{buildroot}%{_sysconfdir}/localtime +mkdir -p %{buildroot}%{_sysconfdir}/X11/xorg.conf.d +touch %{buildroot}%{_sysconfdir}/X11/xorg.conf.d/00-keyboard.conf + +# Make sure the shutdown/sleep drop-in dirs exist +mkdir -p %{buildroot}%{pkgdir}/system-shutdown/ +mkdir -p %{buildroot}%{pkgdir}/system-sleep/ + +# Make sure directories in /var exist +mkdir -p %{buildroot}%{_localstatedir}/lib/systemd/coredump +mkdir -p %{buildroot}%{_localstatedir}/lib/systemd/catalog +mkdir -p %{buildroot}%{_localstatedir}/lib/systemd/backlight +mkdir -p %{buildroot}%{_localstatedir}/lib/systemd/rfkill +mkdir -p %{buildroot}%{_localstatedir}/lib/systemd/linger +mkdir -p %{buildroot}%{_localstatedir}/lib/private +mkdir -p %{buildroot}%{_localstatedir}/log/private +mkdir -p %{buildroot}%{_localstatedir}/cache/private +mkdir -p %{buildroot}%{_localstatedir}/lib/private/systemd/journal-upload +ln -s ../private/systemd/journal-upload %{buildroot}%{_localstatedir}/lib/systemd/journal-upload +mkdir -p %{buildroot}%{_localstatedir}/log/journal +touch %{buildroot}%{_localstatedir}/lib/systemd/catalog/database +touch %{buildroot}%{_sysconfdir}/udev/hwdb.bin +touch %{buildroot}%{_localstatedir}/lib/systemd/random-seed +touch %{buildroot}%{_localstatedir}/lib/private/systemd/journal-upload/state + +# Install rc.local +mkdir -p %{buildroot}%{_sysconfdir}/rc.d/ +install -m 0644 %{SOURCE25} %{buildroot}%{_sysconfdir}/rc.d/rc.local +ln -s rc.d/rc.local %{buildroot}%{_sysconfdir}/rc.local + +# Install yum protection fragment +install -Dm0644 %{SOURCE4} %{buildroot}/etc/dnf/protected.d/systemd.conf + +install -Dm0644 -t %{buildroot}/usr/lib/firewalld/services/ %{SOURCE7} %{SOURCE8} + +# Restore systemd-user pam config from before "removal of Fedora-specific bits" +install -Dm0644 -t %{buildroot}/etc/pam.d/ %{SOURCE12} + +# Install additional docs +# https://bugzilla.redhat.com/show_bug.cgi?id=1234951 +install -Dm0644 -t %{buildroot}%{_pkgdocdir}/ %{SOURCE9} + +# https://bugzilla.redhat.com/show_bug.cgi?id=1378974 +install -Dm0644 -t %{buildroot}%{system_unit_dir}/systemd-udev-trigger.service.d/ %{SOURCE10} + +# A temporary work-around for https://bugzilla.redhat.com/show_bug.cgi?id=1663040 +mkdir -p %{buildroot}%{system_unit_dir}/systemd-hostnamed.service.d/ +cat >%{buildroot}%{system_unit_dir}/systemd-hostnamed.service.d/disable-privatedevices.conf </dev/null || groupadd -r -g 11 cdrom &>/dev/null || : +getent group utmp &>/dev/null || groupadd -r -g 22 utmp &>/dev/null || : +getent group tape &>/dev/null || groupadd -r -g 33 tape &>/dev/null || : +getent group dialout &>/dev/null || groupadd -r -g 18 dialout &>/dev/null || : +getent group input &>/dev/null || groupadd -r input &>/dev/null || : +getent group kvm &>/dev/null || groupadd -r -g 36 kvm &>/dev/null || : +getent group render &>/dev/null || groupadd -r render &>/dev/null || : +getent group systemd-journal &>/dev/null || groupadd -r -g 190 systemd-journal 2>&1 || : + +getent group systemd-coredump &>/dev/null || groupadd -r systemd-coredump 2>&1 || : +getent passwd systemd-coredump &>/dev/null || useradd -r -l -g systemd-coredump -d / -s /sbin/nologin -c "systemd Core Dumper" systemd-coredump &>/dev/null || : + + +%post +systemd-machine-id-setup &>/dev/null || : + +systemctl daemon-reexec &>/dev/null || { + # systemd v239 had bug #9553 in D-Bus authentication of the private socket, + # which was later fixed in v240 by #9625. + # + # The end result is that a `systemctl daemon-reexec` call as root will fail + # when upgrading from systemd v239, which means the system will not start + # running the new version of systemd after this post install script runs. + # + # To work around this issue, let's fall back to using a `kill -TERM 1` to + # re-execute the daemon when the `systemctl daemon-reexec` call fails. + # + # In order to prevent issues when the reason why the daemon-reexec failed is + # not the aforementioned bug, let's only use this fallback when: + # - we're upgrading this RPM package; and + # - we confirm that systemd is running as PID1 on this system. + if [ $1 -gt 1 ] && [ -d /run/systemd/system ] ; then + kill -TERM 1 &>/dev/null || : + fi +} + +if [ $1 -eq 1 ]; then + [ -w %{_localstatedir} ] && journalctl --update-catalog || : + systemd-tmpfiles --create &>/dev/null || : +fi + +# Make sure new journal files will be owned by the "systemd-journal" group +machine_id=$(cat /etc/machine-id 2>/dev/null) +chgrp systemd-journal /{run,var}/log/journal/{,${machine_id}} &>/dev/null || : +chmod g+s /{run,var}/log/journal/{,${machine_id}} &>/dev/null || : + +# Apply ACL to the journal directory +setfacl -Rnm g:wheel:rx,d:g:wheel:rx,g:adm:rx,d:g:adm:rx /var/log/journal/ &>/dev/null || : + +[ $1 -eq 1 ] || exit 0 + +# We reset the enablement of all services upon initial installation +# https://bugzilla.redhat.com/show_bug.cgi?id=1118740#c23 +# This will fix up enablement of any preset services that got installed +# before systemd due to rpm ordering problems: +# https://bugzilla.redhat.com/show_bug.cgi?id=1647172. +# We also do this for user units, see +# https://fedoraproject.org/wiki/Changes/Systemd_presets_for_user_units. +systemctl preset-all &>/dev/null || : +systemctl --global preset-all &>/dev/null || : + +%postun +if [ $1 -eq 1 ]; then + [ -w %{_localstatedir} ] && journalctl --update-catalog || : + systemd-tmpfiles --create &>/dev/null || : +fi + +%systemd_postun_with_restart systemd-timedated.service systemd-hostnamed.service systemd-journald.service systemd-localed.service + +%post libs +%{?ldconfig} + +function mod_nss() { + if [ -f "$1" ] ; then + # Add nss-systemd to passwd and group + grep -E -q '^(passwd|group):.* systemd' "$1" || + sed -i.bak -r -e ' + s/^(passwd|group):(.*)/\1:\2 systemd/ + ' "$1" &>/dev/null || : + fi +} + +FILE="$(readlink /etc/nsswitch.conf || echo /etc/nsswitch.conf)" +if [ "$FILE" = "/etc/authselect/nsswitch.conf" ] && authselect check &>/dev/null; then + mod_nss "/etc/authselect/user-nsswitch.conf" + authselect apply-changes &> /dev/null || : +else + mod_nss "$FILE" + # also apply the same changes to user-nsswitch.conf to affect + # possible future authselect configuration + mod_nss "/etc/authselect/user-nsswitch.conf" +fi + +# check if nobody or nfsnobody is defined +export SYSTEMD_NSS_BYPASS_SYNTHETIC=1 +if getent passwd nfsnobody &>/dev/null; then + test -f /etc/systemd/dont-synthesize-nobody || { + echo 'Detected system with nfsnobody defined, creating /etc/systemd/dont-synthesize-nobody' + mkdir -p /etc/systemd || : + : >/etc/systemd/dont-synthesize-nobody || : + } +elif getent passwd nobody 2>/dev/null | grep -v 'nobody:[x*]:65534:65534:.*:/:/sbin/nologin' &>/dev/null; then + test -f /etc/systemd/dont-synthesize-nobody || { + echo 'Detected system with incompatible nobody defined, creating /etc/systemd/dont-synthesize-nobody' + mkdir -p /etc/systemd || : + : >/etc/systemd/dont-synthesize-nobody || : + } +fi + +%{?ldconfig:%postun libs -p %ldconfig} + +%global udev_services systemd-udev{d,-settle,-trigger}.service systemd-udevd-{control,kernel}.socket %{?have_gnu_efi:systemd-boot-update.service} + +%post udev +# Move old stuff around in /var/lib +mv %{_localstatedir}/lib/random-seed %{_localstatedir}/lib/systemd/random-seed &>/dev/null +mv %{_localstatedir}/lib/backlight %{_localstatedir}/lib/systemd/backlight &>/dev/null + +udevadm hwdb --update &>/dev/null + +%systemd_post %udev_services + +# Try to save the random seed, but don't complain if /dev/urandom is unavailable +/usr/lib/systemd/systemd-random-seed save 2>&1 | \ + grep -v 'Failed to open /dev/urandom' || : + +# Replace obsolete keymaps +# https://bugzilla.redhat.com/show_bug.cgi?id=1151958 +grep -q -E '^KEYMAP="?fi-latin[19]"?' /etc/vconsole.conf 2>/dev/null && + sed -i.rpm.bak -r 's/^KEYMAP="?fi-latin[19]"?/KEYMAP="fi"/' /etc/vconsole.conf || : + +%preun udev +%systemd_preun %udev_services + +%postun udev +# Restart some services. +# Others are either oneshot services, or sockets, and restarting them causes issues (#1378974) +%systemd_postun_with_restart systemd-udevd.service + +%pre journal-remote +getent group systemd-journal-remote &>/dev/null || groupadd -r systemd-journal-remote 2>&1 || : +getent passwd systemd-journal-remote &>/dev/null || useradd -r -l -g systemd-journal-remote -d %{_localstatedir}/log/journal/remote -s /sbin/nologin -c "Journal Remote" systemd-journal-remote &>/dev/null || : + +%post journal-remote +%systemd_post systemd-journal-gatewayd.socket systemd-journal-gatewayd.service systemd-journal-remote.socket systemd-journal-remote.service systemd-journal-upload.service +%firewalld_reload + +%preun journal-remote +%systemd_preun systemd-journal-gatewayd.socket systemd-journal-gatewayd.service systemd-journal-remote.socket systemd-journal-remote.service systemd-journal-upload.service +if [ $1 -eq 1 ] ; then + if [ -f %{_localstatedir}/lib/systemd/journal-upload/state -a ! -L %{_localstatedir}/lib/systemd/journal-upload ] ; then + mkdir -p %{_localstatedir}/lib/private/systemd/journal-upload + mv %{_localstatedir}/lib/systemd/journal-upload/state %{_localstatedir}/lib/private/systemd/journal-upload/. + rmdir %{_localstatedir}/lib/systemd/journal-upload || : + fi +fi + +%postun journal-remote +%systemd_postun_with_restart systemd-journal-gatewayd.service systemd-journal-remote.service systemd-journal-upload.service +%firewalld_reload + +%pre resolved +getent group systemd-resolve &>/dev/null || groupadd -r -g 193 systemd-resolve 2>&1 || : +getent passwd systemd-resolve &>/dev/null || useradd -r -u 193 -l -g systemd-resolve -d / -s /sbin/nologin -c "systemd Resolver" systemd-resolve &>/dev/null || : + +%preun resolved +%systemd_preun systemd-resolved.service + +%post resolved +%systemd_post systemd-resolved.service + +%postun resolved +%systemd_postun_with_restart systemd-resolved.service + +%pre oomd +getent group systemd-oom &>/dev/null || groupadd -r systemd-oom 2>&1 || : +getent passwd systemd-oom &>/dev/null || useradd -r -l -g systemd-oom -d / -s /sbin/nologin -c "systemd Userspace OOM Killer" systemd-oom &>/dev/null || : + +%preun oomd +%systemd_preun systemd-oomd.service + +%post oomd +%systemd_post systemd-oomd.service + +%postun oomd +%systemd_postun_with_restart systemd-oomd.service + +%global _docdir_fmt %{name} + +%files -f %{name}.lang -f .file-list-main +%doc %{_pkgdocdir} +%exclude %{_pkgdocdir}/LICENSE.* +%license LICENSE.GPL2 LICENSE.LGPL2.1 +%ghost %dir %attr(0755,-,-) /etc/systemd/system/basic.target.wants +%ghost %dir %attr(0755,-,-) /etc/systemd/system/bluetooth.target.wants +%ghost %dir %attr(0755,-,-) /etc/systemd/system/default.target.wants +%ghost %dir %attr(0755,-,-) /etc/systemd/system/getty.target.wants +%ghost %dir %attr(0755,-,-) /etc/systemd/system/graphical.target.wants +%ghost %dir %attr(0755,-,-) /etc/systemd/system/local-fs.target.wants +%ghost %dir %attr(0755,-,-) /etc/systemd/system/machines.target.wants +%ghost %dir %attr(0755,-,-) /etc/systemd/system/multi-user.target.wants +%ghost %dir %attr(0755,-,-) /etc/systemd/system/network-online.target.wants +%ghost %dir %attr(0755,-,-) /etc/systemd/system/printer.target.wants +%ghost %dir %attr(0755,-,-) /etc/systemd/system/remote-fs.target.wants +%ghost %dir %attr(0755,-,-) /etc/systemd/system/sockets.target.wants +%ghost %dir %attr(0755,-,-) /etc/systemd/system/sysinit.target.wants +%ghost %dir %attr(0755,-,-) /etc/systemd/system/system-update.target.wants +%ghost %dir %attr(0755,-,-) /etc/systemd/system/timers.target.wants +%ghost %dir %attr(0755,-,-) /var/lib/rpm-state/systemd + +%files libs -f .file-list-libs +%license LICENSE.LGPL2.1 + +%files pam -f .file-list-pam + +%files rpm-macros -f .file-list-rpm-macros + +%files devel -f .file-list-devel + +%files udev -f .file-list-udev + +%if 0%{?have_gnu_efi} +%files boot-unsigned -f .file-list-boot +%endif + +%files container -f .file-list-container + +%files journal-remote -f .file-list-remote + +%files resolved -f .file-list-resolve + +%files oomd -f .file-list-oomd + +%files standalone-tmpfiles -f .file-list-standalone-tmpfiles + +%files standalone-sysusers -f .file-list-standalone-sysusers + +%changelog +* Mon Feb 27 2023 systemd maintenance team - 252-8 +- journal-file: Fix return value in bump_entry_array() (#2173682) + +* Mon Feb 27 2023 systemd maintenance team - 252-7 +- test: add coverage for #24177 (#1985288) +- logind-session: make stopping of idle session visible to admins (#2172401) + +* Wed Feb 22 2023 systemd maintenance team - 252-6 +- journalctl: actually run the static destructors (#2122500) +- efi: drop executable-stack bit from .elf file (#2140646) +- install: fail early if specifier expansion failed (#2138081) +- test: add coverage for #26467 (#2138081) + +* Fri Feb 17 2023 systemd maintenance team - 252-5 +- nss-myhostname: fix inverted condition in (#2167468) +- nss-myhostname: do not return empty result with NSS_STATUS_SUCCESS (#2167468) +- sleep: rename hibernate_delay_sec -> _usec (#2151612) +- sleep: fetch_batteries_capacity_by_name() does not return -ENOENT (#2151612) +- sleep: drop unnecessary temporal vaiable and initialization (#2151612) +- sleep: introduce SuspendEstimationSec= (#2151612) +- sleep: coding style fixlets (#2151612) +- sleep: simplify code a bit (#2151612) +- sleep: fix indentation (#2151612) +- sleep: enumerate only existing and non-device batteries (#2151612) +- core: when isolating to a unit, also keep units running that are triggered by units we keep running (#1952378) +- udev/net_id: introduce naming scheme for RHEL-9.2 (#2170500) + +* Mon Feb 06 2023 systemd maintenance team - 252-4 +- udev: make get_virtfn_info() provide physical PCI device (#2159448) +- test: make helper_check_device_units() log unit name (#2138081) +- test: add a testcase for lvextend (#2138081) +- pid1: fix segv triggered by status query (#26279) (#2138081) +- test: create config under /run (#2138081) +- test: add tests for mDNS and LLMNR settings (#2138081) +- resolved: introduce the _localdnsstub and _localdnsproxy special hostnames for 127.0.0.54 + 127.0.0.53 (#2138081) +- test: wait for the monitoring service to become active (#2138081) +- test: suppress echo in monitor_check_rr() (#2138081) +- Revert "test: wait for the monitoring service to become active" (#2138081) +- test: show and check almost all journal entries since the relevant command being invoked (#2138081) +- test: cover IPv6 in the resolved test suite (#2138081) +- test: add a couple of SRV records to check service resolution (#2138081) +- test: add a test for the OPENPGPKEY RR (#2138081) +- test: don't hang indefinitely on no match (#2138081) +- test-ndisc: fix memleak and fd leak (#2138081) +- test-unit-name: fix fd leak (#2138081) +- test: bump D-Bus service start timeout if we run without accel (#2138081) +- test: bump the client-side timeout in sd-bus as well (#2138081) +- test: bump the container spawn timeout to 60s (#2138081) +- network: fix memleak (#2138081) +- busctl: fix introspecting DBus properties (#2138081) +- busctl: simplify peeking the type (#2138081) +- resolve: drop redundant call of socket_ipv6_is_supported() (#2138081) +- resolve: introduce link_get_llmnr_support() and link_get_mdns_support() (#2138081) +- resolve: provide effective supporting levels of mDNS and LLMNR (#2138081) +- resolvectl: warn if the global mDNS or LLMNR support level is lower than the requested one (#2138081) +- resolve: enable per-link mDNS setting by default (#2138081) + +* Mon Jan 16 2023 systemd maintenance team - 252-3 +- swap: tell swapon to reinitialize swap if needed (#2151993) +- coredump: adjust whitespace (#2155517) +- coredump: do not allow user to access coredumps with changed uid/gid/capabilities (#2155517) +- Revert "basic: add fallback in chase_symlinks_and_opendir() for cases when /proc is not mounted" (#2138081) +- glyph-util: add warning sign special glyph (#2138081) +- chase-symlink: when converting directory O_PATH fd to real fd, don't bother with /proc/ (#2138081) +- systemctl: print a clear warning if people invoke systemctl without /proc/ (#2138081) +- TEST-65: check cat-config operation in chroot (#2138081) +- TEST-65: use [[ -v ]] more (#2138081) +- systemctl: warn if trying to disable a unit with no install info (#2141979) +- systemctl: allow suppress the warning of no install info using --no-warn (#2141979) +- rpm/systemd-update-helper: use --no-warn when disabling units (#2141979) +- systemctl: suppress warning about missing /proc/ when --no-warn (#2141979) +- shell-completion: systemctl: add --no-warn (#2141979) +- core/unit: drop doubled empty line (#2160477) +- core/unit: drop dependency to the unit being merged (#2160477) +- core/unit: fix logic of dropping self-referencing dependencies (#2160477) +- core/unit: merge two loops into one (#2160477) +- test: add test case for sysv-generator and invalid dependency (#2160477) +- core/unit: merge unit names after merging deps (#2160477) +- core/unit: fix log message (#2160477) +- test: explicitly create the /etc/init.d directory (#2160477) +- test: support a non-default SysV directory (#2160477) + +* Fri Dec 09 2022 systemd maintenance team - 252-2 +- test: check if we can use SHA1 MD for signing before using it (#2141979) +- boot: cleanups for efivar_get() and friends (#2141979) +- boot: fix false maybe-uninitialized warning (#2141979) +- tree-wide: modernizations with RET_NERRNO() (#2137584) +- sd-bus: handle -EINTR return from bus_poll() (#2137584) +- stdio-bridge: don't be bothered with EINTR (#2137584) +- varlink: also handle EINTR gracefully when waiting for EIO via ppoll() (#2137584) +- sd-netlink: handle EINTR from poll() gracefully, as success (#2137584) +- resolved: handle -EINTR returned from fd_wait_for_event() better (#2137584) +- homed: handle EINTR gracefully when waiting for device node (#2137584) +- utmp-wtmp: fix error in case isatty() fails (#2137584) +- utmp-wtmp: handle EINTR gracefully when waiting to write to tty (#2137584) +- io-util: document EINTR situation a bit (#2137584) +- terminal-util: Set OPOST when setting ONLCR (#2138081) +- cgtop: Do not rewrite -P or -k options (#2138081) +- test: Add tests for systemd-cgtop args parsing (#2138081) +- resolved: remove inappropriate assert() (#2138081) +- boot: Add xstrn8_to_16 (#2138081) +- boot: Use xstr8_to_16 (#2138081) +- boot: Use xstr8_to_16 for path conversion (#2138081) +- stub: Fix cmdline handling (#2138081) +- stub: Detect empty LoadOptions when run from EFI shell (#2138081) +- boot: Use EFI_BOOT_MANAGER_POLICY_PROTOCOL to connect console devices (#2138081) +- boot: Make sure all partitions drivers are connected (#2138081) +- boot: improve support for qemu (#2138081) +- systemd-boot man page: add section for virtual machines (#2138081) +- boot: Only do full driver initialization in VMs (#2138081) +- dissect: rework DISSECT_IMAGE_ADD_PARTITION_DEVICES + DISSECT_IMAGE_OPEN_PARTITION_DEVICES (#2138081) +- ci(Mergify): v252 configuration update (#2138081) +- ci: Run GitHub workflows on rhel branches (#2138081) +- ci: Drop scorecards workflow, not relevant (#2138081) + +* Fri Dec 02 2022 systemd maintenance team - 252-1 +- Rebase to systemd v252 + systemd-stable v252.2 (#2138081) + +* Fri Dec 02 2022 systemd maintenance team - 250-13 +- build systemd-boot EFI tools (#2140646) + +* Thu Aug 25 2022 systemd maintenance team - 250-11 +- scope: allow unprivileged delegation on scopes (#2120604) +- udev/net_id: add "rhel-9.1" naming scheme (#2121144) + +* Mon Aug 22 2022 systemd maintenance team - 250-10 +- shared/install: fix crash when reenable is called without --root (#2120222) + +* Thu Aug 18 2022 systemd maintenance team - 250-9 +- Revert "shared/install: create relative symlinks for enablement and aliasing" (#2118668) +- glyph-util: add new glyphs for up/down arrows (#2118297) +- tree-wide: allow ASCII fallback for → in logs (#2118297) +- tree-wide: allow ASCII fallback for … in logs (#2118297) +- core: allow to set default timeout for devices (#2116681) +- man: document DefaultDeviceTimeoutSec= (#2116681) +- man: update dbus docs (#2116681) +- hwdb: 60-keyboard: Fix volume-button mapping on Asus TF103C (#2087778) +- hwdb: CH Pro Pedals not classified correctly due to no buttons (#2087778) +- hwdb: Add accel orientation quirk for the GPD Pocket 3 (#2087778) +- hostname: Allow overriding the chassis type from hwdb (#2087778) +- hwdb: Add Microsoft Surface Pro 1 chassis quirk (#2087778) +- hwdb: treat logitech craft keyboard as a keyboard (#2087778) +- test: frequency in mouse DPI is optional (#2087778) +- hwdb: add two Elecom trackballs (#2087778) +- hwdb: add new database file for PDA devices (#2087778) +- hwdb: add support for Surface Laptop 2 & 3 (#22303) (#2087778) +- hwdb: add HP calculators (#2087778) +- hwbd: 60-sensor.hwdb: Add Pipo W2Pro (#2087778) +- hwdb: 60-keyboard: Support the buttons on CZC P10T tablet (#2087778) +- hwdb: add CST Laser Trackball (#22583) (#2087778) +- hwdb: Force release calculator key on all HP OMEN laptops (#2087778) +- Add support for NEC VersaPro VG-S (#2087778) +- Fix mic mute on Acer TravelMate B311-31 (#22677) (#2087778) +- Add AV production controllers to hwdb and add uaccess (#2087778) +- hwdb: Add AV production access to Elgado Stream Deck devices (#2087778) +- Add HP Elitebook 2760p support (#22766) (#2087778) +- hwdb: Add mic mute key mapping for HP Elite x360 (#2087778) +- hwdb: fix parser to work with newer pyparsing (#2087778) +- hwdb: update for v251 (#2087778) +- hwdb: update autosuspend entries (#2087778) +- hwdb: drop boilerplate about match patterns being unstable (#2087778) +- hwdb: Update 60-keyboard.hwdb (#23074) (#2087778) +- hwdb: 60-keyboard: Add Acer Aspire One AO532h keymappings (#2087778) +- hwdb 60-keyboard Add HP/Compaq KBR0133 (#2087778) +- hwdb: add resolutions for the Vaio FE14 touchpad (#23136) (#2087778) +- hwdb: Remap micmute to f20 for ASUS WMI hotkeys (#2087778) +- hwdb: Fix rotation for HP Pro Tablet 408 G1 (#2087778) +- hwdb: add keyboard mapping for HP ProBook 11G2 (#2087778) +- hwdb: make sure "ninja update-hwdb" works on f35 (#2087778) +- hwbd: run "update-hwdb" for v251-rc2 (#2087778) +- hwdb: run "ninja update-hwdb-autosuspend" for v251-rc2 (#2087778) +- Fix orientation detection for Asus Transformer T100TAF, copied T100TA rule (#2087778) +- Fix orientation detection for HP Pavilion X2 10-k010nr (#2087778) +- fix typo (#2087778) +- Adding a description of the keyboard shortcut Fn+F12 for the HP EliteBook 845 G7 device. (#23253) (#2087778) +- hwdb: run "update-hwdb" (#2087778) +- hwdb: add rammus accelerometer support (#2087778) +- Add support to set autosuspend delay via hwdb (#2087778) +- Set autosuspend delay for Fibocom LG850-GL (#2087778) +- Add HUION Inspiroy H420X to hwdb (#2087778) +- hwdb: run 'update-hwdb' for v251-rc3 (#2087778) +- hwdb: add touchpad parameters for Lenovo T15g Gen1 (#23373) (#2087778) +- hwdb: Add accel orientation for the I15-TG (#2087778) +- hwdb: fix accelerometer mount matrix for Aquarius NS483 (#2087778) +- hwdb: Add Google Hangouts Meet speakermic (#2087778) +- hwdb: update via ninja -C build update-hwdb (#2087778) +- hwdb: Add Google Meet speakermic (#2087778) +- hwdb: Add accel orientation quirk for the Aya Neo Next (#2087778) +- hwdb: Add HP Dev One (#2087778) +- hwdb: analyzers: remove generic "STM Device in DFU Mode" (#2087778) +- hwdb: Add Lenovo ThinkPad C13 Yoga (#2087778) +- Fix automatic screen rotation for Asus Transformer T100TAM (#2087778) +- hwdb: Add Acer Aspire A317-33 (#24050) (#2087778) +- Add ACCEL_MOUNT_MATRIX for OXP Mini (#2087778) +- Added DERE DBook D10 (#24173) (#2087778) +- hwdb: analyzers: Clarify the type of devices we want listed (#2087778) +- hwdb: Add Greaseweazle "drives" to the list of analyzers (#2087778) +- hwdb: Apply existing accel orientation quirk to all Chromebooks (#2087778) + +* Wed Jul 20 2022 systemd maintenance team - 250-8 +- core: shorten long unit names that are based on paths and append path hash at the end (#2083493) +- tests: add test case for long unit names (#2083493) +- tests: reflect that we can now handle devices with very long sysfs paths (#2083493) +- test: extend the "hashed" unit names coverage a bit (#2083493) +- Revert "kernel-install: also remove modules.builtin.alias.bin" (#2065061) +- Revert "kernel-install: prefer /boot over /boot/efi for $BOOT_ROOT" (#2065061) +- kernel-install: 50-depmod: port to /bin/sh (#2065061) +- kernel-install: 90-loaderentry: port to /bin/sh (#2065061) +- kernel-install: fix shellcheck (#2065061) +- kernel-install: port to /bin/sh (#2065061) +- kernel-install: 90-loaderentry: error out on nonexistent initrds instead of swallowing them quietly (#2065061) +- kernel-install: don't pull out KERNEL_IMAGE (#2065061) +- kernel-install: prefer /boot over /boot/efi for $BOOT_ROOT (#2065061) +- kernel-install: also remove modules.builtin.alias.bin (#2065061) +- kernel-install: add new variable $KERNEL_INSTALL_INITRD_GENERATOR (#2065061) +- kernel-install: k-i already creates $ENTRY_DIR_ABS, no need to do it again (#2065061) +- kernel-install: prefix errors with "Error:", exit immediately (#2065061) +- kernel-install: add "$KERNEL_INSTALL_STAGING_AREA" directory (#2065061) +- kernel-install: add missing log line (#2065061) +- kernel-install: don't try to persist used machine ID locally (#2065061) +- kernel-install: add a new $ENTRY_TOKEN variable for naming boot entries (#2065061) +- kernel-install: only generate systemd.boot_id= in kernel command line if used for naming the boot loader spec files/dirs (#2065061) +- kernel-install: search harder for kernel image/initrd drop-in dir (#2065061) +- kernel-install: add new "inspect" verb, showing paths and parameters we discovered (#2065061) +- ci(Mergify): configuration update (#2087652) +- ci(Mergify): fix copy&paste bug (#2087652) +- shared: Fix memory leak in bus_append_execute_property() (#2087652) +- fuzz: no longer skip empty files (#2087652) +- networkctl: open the bus just once (#2087652) +- json: align table (#2087652) +- fuzz-json: optionally allow logging and output (#2087652) +- shared/json: reduce scope of variables (#2087652) +- fuzz-json: also do sorting and normalizing and other easy calls (#2087652) +- shared/json: wrap long comments (#2087652) +- shared/json: fix memory leak on failed normalization (#2087652) +- shared/json: add helper to ref first, unref second (#2087652) +- basic/alloc-util: remove unnecessary parens (#2087652) +- fuzz-json: also try self-merge operations (#2087652) +- shared/json: fix another memleak in normalization (#2087652) +- shared/json: fix memleak in sort (#2087652) +- execute: fix resource leak (#2087652) +- tests: ignore dbus-broker-launcher (#2087652) +- core/timer: fix memleak (#2087652) +- timedatectl: fix a memory leak (#2087652) +- test: fix file descriptor leak in test-psi-util (#2087652) +- test: fix file descriptor leak in test-tmpfiles.c (#2087652) +- test: fix file descriptor leak in test-fs-util (#2087652) +- test: fix file descriptor leak in test-oomd-util (#2087652) +- test: fix file descriptor leak in test-catalog (#2087652) +- test: make masking of supplementary services configurable (#2087652) +- test: fuzz our dbus interfaces with dfuzzer (#2087652) +- test: skip TEST-21-DFUZZER without ASan (#2087652) +- core: annotate Reexecute() as NoReply (#2087652) +- test: always force a new image for dfuzzer (#2087652) +- test: make dfuzzer less verbose (#2087652) +- test: drop the at_exit() coredump check (#2087652) +- test: make the shutdown routine a bit more "robust" (#2087652) +- tree-wide: drop manually-crafted message for missing variables (#2087652) +- test: allow overriding $QEMU_MEM when running w/ ASan (#2087652) +- test: don't test buses we don't ship (#2087652) +- shutdown: get only active md arrays. (#2047682) +- bus: Use OrderedSet for introspection (#2068131) +- logind-session-dbus: allow to set display name via dbus (#2100340) +- ci: limit which env variables we pass through `sudo` (#2087652) +- ci(Mergify): Add `ci-waived` logic (#2087652) +- json: use unsigned for refernce counter (#2087652) +- macro: check over flow in reference counter (#2087652) +- sd-bus: fix reference counter to be incremented (#2087652) +- sd-bus: introduce ref/unref function for track_item (#2087652) +- sd-bus: do not read unused value (#2087652) +- sd-bus: do not return negative errno when unknown name is specified (#2087652) +- sd-bus: use hashmap_contains() and drop unnecessary cast (#2087652) +- test: shorten code a bit (#2087652) +- test: add several tests for track item (#2087652) +- core/slice: make slice_freezer_action() return 0 if freezing state is unchanged (#2087652) +- core/unit: fix use-after-free (#2087652) +- core/timer: fix potential use-after-free (#2087652) +- core: command argument can be longer than PATH_MAX (#2073994) +- shared/install: consistently use 'lp' as the name for the LookupPaths instance (#2082131) +- shared/specifier: treat NULL the same as "" (#2082131) +- shared/install: do not print aliases longer than UNIT_NAME_MAX (#2082131) +- shared/install-printf: drop now-unused install_path_printf() (#2082131) +- strv: declare iterator of FOREACH_STRING() in the loop (#2082131) +- basic/unit-file: split out the subroutine for symlink verification (#2082131) +- basic/stat-util: add null_or_empty_path_with_root() (#2082131) +- shared/install: reuse the standard symlink verification subroutine (#2082131) +- shared/install: add a bit more quoting (#2082131) +- test: add test for systemctl link & enable (#2082131) +- tests: add helper for creating tempfiles with content (#2082131) +- man: clarify the descriptions of aliases and linked unit files (#2082131) +- basic: add new variable $SYSTEMD_OS_RELEASE to override location of os-release (#2082131) +- test-os-util: add basic tests for os-release parsing (#2082131) +- basic/env-file: make load-env-file deduplicate entries with the same key (#2082131) +- man/os-release: add a note about repeating entries (#2082131) +- shared/specifier: clarify and add test for missing data (#2082131) +- shared/specifier: provide proper error messages when specifiers fail to read files (#2082131) +- shared/install: provide proper error messages when invalid specifiers are used (#2082131) +- shared/install: move scope into InstallContext (#2082131) +- shared/specifier: fix %u/%U/%g/%G when called as unprivileged user (#2082131) +- shared/install: simplify unit_file_dump_changes() (#2082131) +- shared/install: propagate errors about invalid aliases and such too (#2082131) +- shared/install: return failure when enablement fails, but process as much as possible (#2082131) +- systemctl: fix silent failure when --root is not found (#2082131) +- shared/install: also check for self-aliases during installation and ignore them (#2082131) +- docs: Correct WantedBy= regarding template units (#2082131) +- man: fix invalid description of template handling in WantedBy= (#2082131) +- shared/install: drop unnecessary casts (#2082131) +- strv: make iterator in STRV_FOREACH() declaread in the loop (#2082131) +- core: ExecContext::restrict_filesystems is set of string (#2082131) +- install: when linking a file, create the link first or abort (#2082131) +- shared/install: split unit_file_{disable,enable}() so _reenable doesn't do setup twice (#2082131) +- shared/install: fix reenable on linked unit files (#2082131) +- test-systemctl-enable: extend the test for repeated WantedBy/RequiredBy (#2082131) +- shared/install: when we fail to chase a symlink, show some logs (#2082131) +- shared/install: do not try to resolve symlinks outside of root directory (#2082131) +- test-systemctl-enable: enhance the test for unit file linking (#2082131) +- shared/install: skip unnecessary chasing of symlinks in disable (#2082131) +- shared/install: also remove symlinks like .wants/foo@one.service → ../foo@one.service (#2082131) +- shared/install: create relative symlinks for enablement and aliasing (#2082131) +- shared/install: when looking for symlinks in .wants/.requires, ignore symlink target (#2082131) +- shared/install: stop passing duplicate root argument to install_name_printf() (#2082131) +- basic/unit-file: reverse negative conditional (#2082131) +- shared/install: split UNIT_FILE_SYMLINK into two states (#2082131) +- shared/install: fix handling of a linked unit file (#2082131) +- test-systemctl-enable: make shellcheck happy (#2082131) +- shared/install: when creating symlinks, accept different but equivalent symlinks (#2082131) +- test-systemctl-enable: use magic syntax to allow inverted tests (#2082131) +- test-systemctl-enable: also use freshly-built systemd-id128 (#2082131) +- test-systemctl-enable: disable the test for %a for now (#2082131) +- Rename UnitFileScope to LookupScope (#2082131) +- core: handle lookup paths being symlinks (#2082131) +- shared/install: use correct cleanup function (#2082131) +- udev/net_id: avoid slot based names only for single function devices (#2073003) +- test: import logind test from debian/ubuntu test suite (#2087652) +- test: drop redundant IMAGE_NAME= (#2087652) +- test: import timedated test from debian/ubuntu test suite (#2087652) +- test: introduce assert_not_in() helper function (#2087652) +- test: drop unnecessary --no-pager option (#2087652) +- test: support debian/ubuntu specific timezone config file (#2087652) +- test: import hostnamed tests from debian/ubuntu test suite (#2087652) +- locale-util: fix memleak on failure (#2087652) +- locale-util: check if enumerated locales are valid (#2087652) +- locale-util: align locale entries (#2087652) +- core: inline an iterator variable (#2087652) +- locale-setup: merge locale handling in PID1 and localed (#2087652) +- locale: rename keymap-util.[ch] -> localed-util.[ch] (#2087652) +- test: add one more path to search keymaps (#2087652) +- test: introduce inst_recursive() helper function (#2087652) +- hmac/sha256: move size define to sha256.h (#2087652) +- tpm2: support policies with PIN (#2087652) +- cryptenroll: add support for TPM2 pin (#2087652) +- cryptsetup: add support for TPM2 pin (#2087652) +- cryptsetup: add libcryptsetup TPM2 PIN support (#2087652) +- cryptenroll: add TPM2 PIN documentation (#2087652) +- cryptsetup: add manual TPM2 PIN configuration (#2087652) +- cryptenroll: add tests for TPM2 unlocking (#2087652) +- env-util: replace unsetenv_erase() by new getenv_steal_erase() helper (#2087652) +- test: install libxkbcommon and x11 keymaps (#2087652) +- test: install C.UTF-8 and English locales (#2087652) +- test: import localed tests from debian/ubuntu test suite (#2087652) +- unit: check for mount rate limiting before checking active state (#2087652) +- tests: make sure we delay running mount start jobs when /p/s/mountinfo is rate limited (#2087652) +- test: insert space in for loop (#2087652) +- test: move "do" at the end of line (#2087652) +- test: use trap RETURN (#2087652) +- test: ignore the error about our own libraries missing during image creation (#2087652) +- test: wrap binaries using systemd DSOs when running w/ ASan (#2087652) +- test: set $ASAN_RT_PATH along with $LD_PRELOAD to the ASan runtime DSO (#2087652) +- test: drop all LD_PRELOAD-related ASan workarounds (#2087652) +- test: don't wrap binaries built with ASan (#2087652) +- test: send stdout/stderr of testsuite units to journal & console (#2087652) +- test: make the busy loop in TEST-02 less verbose (#2087652) +- test: always wrap useradd/userdel when running w/ ASan (#2087652) +- test: don't flush debug logs to the console (#2087652) +- test: fix a couple of issues found by shellcheck (#2087652) +- test: pass the initdir to check_result_{qemu,nspawn} hooks (#2087652) +- test: run the custom check hooks before common checks (#2087652) +- test: check journal directly instead of capturing console output (#2087652) +- test: use saved process PID instead of %% (#2087652) +- test: account for ADDR_NO_RANDOMIZE if it's set (#2087652) +- fuzz-bcd: silence warning about always-true comparison (#2087652) +- test: disable test_ntp on RHEL (#2087652) +- core: do not filter out systemd.unit= and run-level specifier from kernel command line (#2087652) +- test: add a simple test for daemon-reexec (#2087652) +- test: install /usr/libexec/vi as well (#2087652) +- test: resize the terminal automagically with INTERACTIVE_DEBUG=yes (#2087652) +- test: create an ASan wrapper for `getent` and `su` (#2087652) +- test: mark partition bootable (#2087652) +- test: bump the data partition size if we don't strip binaries (#2087652) +- test: use PBKDF2 with capped iterations instead of Argon2 (#2087652) +- locale: drop unnecessary allocation (#2087652) + +* Wed Apr 20 2022 systemd maintenance team - 250-7 +- test: check systemd RPM macros (#2017035) +- test: do not assume x86-64 arch in TEST-58-REPART (#2017035) +- tests: add repart tests for block devices with 1024, 2048, 4096 byte sector sizes (#2017035) +- test: accept both unpadded and padded partition sizes (#2017035) +- test: lvm 2.03.15 dropped the static autoactivation (#2017035) +- test: accept GC'ed units in newer LVM (#2017035) +- shared: Add more dlopen() tests (#2017035) +- systemctl: Show how long a service ran for after it exited in status output (#2017035) +- time-util: introduce TIMESTAMP_UNIX (#2017035) +- systemctl,man: update docs for `--timestamp=` (#2017035) +- systemctl: make `--timestamp=` affect the `show` verb as well (#2017035) +- tests: allow running all the services with SYSTEMD_LOG_LEVEL (#2017035) +- coredump: raise the coredump save size on 64bit systems to 32G (and lower it to 1G on 32bit systems) (#2017035) +- repart: fix sector size handling (#2017035) +- mkdir: allow to create directory whose path contains symlink (#2017035) +- mkdir: CHASE_NONEXISTENT cannot used in chase_symlinks_and_stat() (#2017035) +- meson: move efi file lists closer to where they are used (#2017035) +- meson: move efi summary() section to src/boot/efi (#2017035) +- meson: report SBAT settings (#2017035) +- boot: Build BCD parser only on arches supported by Windows (#2017035) +- meson: Remove efi-cc option (#2017035) +- meson: Get objcopy location from compiler (#2017035) +- meson: Use files() for source lists for boot and fundamental (#2017035) +- meson: Use files() for tests (#2017035) +- tests: add fuzz-bcd (#2017035) +- meson: Use files() for fuzzers (#2017035) +- meson: Add check argument to remaining run_command() calls (#2017035) +- meson: Use echo to list files (#2017035) +- test: add a test for mkdir_p() (#2017035) +- util: another set of CVE-2021-4034 assert()s (#2017035) +- basic: update CIFS magic (#2017035) +- shared: be extra paranoid and check if argc > 0 (#2017035) +- core: check if argc > 0 and argv[0] is set (#2017035) +- core: check argc/argv uncoditionally (#2017035) +- test: temporary workaround for #21819 (#2017035) +- test: don't leak local variable to outer scopes (#2017035) +- tree-wide: don't use strjoina() on getenv() values (#2017035) +- man: clarify Environmentfile format (#2017035) +- test-load-fragment: add a basic test for config_parse_unit_env_file() (#2017035) +- core/execute: use _cleanup_ in exec_context_load_environment() (#2017035) +- test-env-file: add tests for quoting in env files (#2017035) + +* Wed Feb 23 2022 systemd maintenance team - 250-4 +- udev/net-setup-link: change the default MACAddressPolicy to "none" (#2009237) +- man: mention System Administrator's Guide in systemctl manpage (#1982596) +- Net naming scheme for RHEL-9.0 (#2052106) +- core: decrease log level of messages about use of KillMode=none (#2013213) +- ci: replace apt-key with signed-by (#2013213) +- ci: fix clang-13 installation (#2013213) + +* Tue Feb 08 2022 systemd maintenance team - 250-3 +- Treat EPERM as "not available" too (#2017035) +- test: copy portable profiles into the image if they don't exist there (#2017035) +- test: introduce `get_cgroup_hierarchy() helper (#2047768) +- test: require unified cgroup hierarchy for TEST-56 (#2047768) +- tests: rework test macros to not take code as parameters (#2017035) +- test: allow to set NULL to intro or outro (#2017035) + +* Tue Feb 01 2022 Michal Sekletar - 250-2 +- spec: make sure version string starts with version number (#2049054) + +* Mon Jan 31 2022 Jan Macku - 250-1 +- Rebase to v250 (#2047768) + +* Thu Nov 18 2021 systemd maintenance team - 249-9 +- test: don't install test-network-generator-conversion.sh w/o networkd (#2017035) +- meson.build: change operator combining bools from + to and (#2017035) +- openssl-util: use EVP API to get RSA bits (#2016042) +- procfs-util: fix confusion wrt. quantity limit and maximum value (#2017035) +- test-process-util: also add EROFS to the list of "good" errors (#2017035) +- ci: use C9S chroots in Packit (#2017035) +- test-mountpointutil-util: do not assert in test_mnt_id() (#2017035) +- core/mount: add implicit unit dependencies even if when mount unit is generated from /proc/self/mountinfo (#2019468) +- Drop Patch9001 - https://github.com/systemd/systemd/pull/17050 - Replaced by Patch0046 + +* Tue Oct 12 2021 systemd maintenance team - 249-8 +- Really don't enable systemd-journald-audit.socket (#1973856) +- rules: add elevator= kernel command line parameter (#2003002) +- boot: don't build bootctl when -Dgnu-efi=false is set (#2003130) +- unit: install the systemd-bless-boot.service only if we have gnu-efi (#2003130) +- units: don't enable tmp.mount statically in local-fs.target (#2000927) +- pid1: bump DefaultTasksMax to 80% of the kernel pid.max value (#2003031) +- sd-device: introduce device_has_devlink() (#2005024) +- udev-node: split out permission handling from udev_node_add() (#2005024) +- udev-node: stack directory must exist when adding device node symlink (#2005024) +- udev-node: save information about device node and priority in symlink (#2005024) +- udev-node: always update timestamp of stack directory (#2005024) +- udev-node: assume no new claim to a symlink if /run/udev/links is not updated (#2005024) +- udev-node: always atomically create symlink to device node (#2005024) +- udev-node: check stack directory change even if devlink is removed (#2005024) +- udev-node: shorten code a bit and update log message (#2005024) +- udev-node: add random delay on conflict in updating device node symlink (#2005024) +- udev-node: drop redundant trial of devlink creation (#2005024) +- udev-node: simplify the example of race (#2005024) +- udev-node: do not ignore unexpected errors on removing symlink in stack directory (#2005024) +- basic/time-util: introduce FORMAT_TIMESPAN (#2005024) +- udev/net-setup-link: change the default MACAddressPolicy to "none" (#2009237) +- set core ulimit to 0 like on RHEL-7 (#1998509) + +* Fri Aug 20 2021 systemd maintenance team - 249-4 +- Revert "udev: remove WAIT_FOR key" (#1982666) + +* Tue Aug 10 2021 Mohan Boddu +- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags + Related: rhbz#1991688 + +* Fri Aug 06 2021 systemd maintenance team - 249-2 +- basic/unit-name: do not use strdupa() on a path (#1984299) +- basic/unit-name: adjust comments (#1984299) +- tmpfiles: don't create resolv.conf -> stub-resolv.conf symlink (#1989472) +- Copy 40-redhat.rules from RHEL-8 (#1978639) +- Avoid /tmp being mounted as tmpfs without the user's will (#1959826) +- unit: don't add Requires for tmp.mount (#1619292) +- units: add [Install] section to tmp.mount (#1959826) +- rc-local: order after network-online.target (#1954429) +- ci: drop CIs irrelevant for downstream (#1960703) +- ci: reconfigure Packit for RHEL 9 (#1960703) +- ci: run unit tests on z-stream branches as well (#1960703) +- Check return value of pam_get_item/pam_get_data functions (#1973210) +- random-util: increase random seed size to 1024 (#1982603) +- journal: don't enable systemd-journald-audit.socket by default (#1973856) +- journald.conf: don't touch current audit settings (#1973856) + +* Mon Jul 12 2021 - 249-1 +- Rebase to v249 (#1981276) + +* Thu Jun 17 2021 systemd maintenance team - 248-7 +- core: allow omitting second part of LoadCredentials= argument (#1949568) + +* Tue Jun 15 2021 Mohan Boddu - 248-6 +- Rebuilt for RHEL 9 BETA for openssl 3.0 (#1971065) + +* Mon May 17 2021 systemd maintenance team - 248-5 +- Revert "rfkill: fix the format string to prevent compilation error" (#1931710) +- Revert "rfkill: don't compare values of different signedness" (#1931710) +- rfkill: add some casts to silence -Werror=sign-compare (#1931710) + +* Fri May 14 2021 systemd maintenance team - 248-4 +- logind: set RemoveIPC to false by default (#1959836) + +* Fri May 14 2021 systemd maintenance team - 248-3 +- rfkill: don't compare values of different signedness (#1931710) +- rfkill: fix the format string to prevent compilation error (#1931710) + +* Fri Apr 16 2021 Mohan Boddu +- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937 + +* Wed Mar 31 2021 Zbigniew Jędrzejewski-Szmek - 248-1 +- Latest upstream release, see + https://github.com/systemd/systemd/blob/v248/NEWS. +- The changes since -rc4 are rather small, various fixes all over the place. + A fix to how systemd-oomd selects a candidate to kill, and more debug logging + to make this more transparent. + +* Tue Mar 30 2021 Anita Zhang - 248~rc4-6 +- Increase oomd user memory pressure limit to 50% (#1941170) + +* Fri Mar 26 2021 Zbigniew Jędrzejewski-Szmek - 248~rc4-5 +- Do not preset systemd-networkd.service and systemd-networkd-wait-online.service + on upgrades from before systemd-networkd was split out (#1943263) +- In nsswitch.conf, move nss-myhostname to the front, before nss-mdns4 (#1943199) + +* Wed Mar 24 2021 Zbigniew Jędrzejewski-Szmek - 248~rc4-4 +- Revert patch that seems to cause problems with dns resolution + (see comments on https://bodhi.fedoraproject.org/updates/FEDORA-2021-1c1a870ceb) + +* Mon Mar 22 2021 Zbigniew Jędrzejewski-Szmek - 248~rc4-3 +- Fix hang when processing timers during DST switch in Europe/Dublin timezone (#1941335) +- Fix returning combined IPv4/IPv6 responses from systemd-resolved cache (#1940715) + (But note that the disablement of caching added previously is + retained until we can do more testing.) +- Minor fix to interface naming by udev +- Fix for systemd-repart --size + +* Fri Mar 19 2021 Adam Williamson - 248~rc4-2 +- Disable resolved cache via config snippet (#1940715) + +* Thu Mar 18 2021 Yu Watanabe - 248~rc4-1 +- Latest upstream prelease, see + https://github.com/systemd/systemd/blob/v248-rc4/NEWS. +- A bunch of documentation updates, correctness fixes, and systemd-networkd + features. +- Resolves #1933137, #1935084, #1933873, #1931181, #1933335, #1935062, #1927148. + +* Tue Mar 16 2021 Adam Williamson - 248~rc2-8 +- Drop the resolved cache disablement config snippet + +* Tue Mar 16 2021 Adam Williamson - 248~rc2-7 +- Backport PR #19009 to fix CNAME redirect resolving some more (#1933433) + +* Fri Mar 12 2021 Adam Williamson - 248~rc2-6 +- Disable resolved cache via config snippet (#1933433) + +* Thu Mar 11 2021 Zbigniew Jędrzejewski-Szmek - 248~rc2-5 +- Fix crash in pid1 during daemon-reexec (#1931034) + +* Fri Mar 05 2021 Adam Williamson - 248~rc2-3 +- Fix stub resolver CNAME chain resolving (#1933433) + +* Mon Mar 01 2021 Josh Boyer - 248~rc2-2 +- Don't set the fallback hostname to Fedora on non-Fedora OSes + +* Tue Feb 23 2021 Zbigniew Jędrzejewski-Szmek - 248~rc2-1 +- Latest upstream prelease, just a bunch of small fixes. +- Fixes #1931957. + +* Tue Feb 23 2021 Zbigniew Jędrzejewski-Szmek - 248~rc1-2 +- Rebuild with the newest scriptlets + +* Tue Feb 23 2021 Zbigniew Jędrzejewski-Szmek - 248~rc1-1 +- Latest upstream prerelease, see + https://github.com/systemd/systemd/blob/v248-rc1/NEWS. +- Fixes #1614751 by only restarting services at the end of transcation. + Various packages need to be rebuilt to have the updated macros. +- Fixes #1879028, though probably not completely. +- Fixes #1925805, #1928235. + +* Wed Feb 17 2021 Michel Alexandre Salim - 247.3-3 +- Increase oomd user memory pressure limit to 10% (#1929856) + +* Fri Feb 5 2021 Anita Zhang - 247.3-2 +- Changes for https://fedoraproject.org/wiki/Changes/EnableSystemdOomd. +- Backports consist primarily of PR #18361, #18444, and #18401 (plus some + additional ones to handle merge conflicts). +- Create systemd-oomd-defaults subpackage to install unit drop-ins that will + configure systemd-oomd to monitor and act. + +* Tue Feb 2 2021 Zbigniew Jędrzejewski-Szmek - 247.3-1 +- Minor stable release +- Fixes #1895937, #1813219, #1903106. + +* Wed Jan 27 2021 Fedora Release Engineering +- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild + +* Wed Jan 13 2021 Zbigniew Jędrzejewski-Szmek - 247.2-2 +- Fix bfq patch again (#1813219) + +* Wed Dec 23 2020 Jonathan Underwood - 247.2-2 +- Add patch to enable crypttab to support disabling of luks read and + write workqueues (corresponding to + https://github.com/systemd/systemd/pull/18062/). + +* Wed Dec 16 2020 Zbigniew Jędrzejewski-Szmek - 247.2-1 +- Minor stable release +- Fixes #1908071. + +* Tue Dec 8 2020 Zbigniew Jędrzejewski-Szmek - 247.1-3 +- Rebuild with fallback hostname change reverted. + +* Fri Dec 04 2020 Bastien Nocera - 247.1-2 +- Unset fallback-hostname as plenty of applications expected localhost + to mean "default hostname" without ever standardising it (#1892235) + +* Tue Dec 1 2020 Zbigniew Jędrzejewski-Szmek - 247.1-1 +- Latest stable release +- Fixes #1902819. +- Files to configure networking with systemd-networkd in a VM or container are + moved to systemd-networkd subpackage. (They were previously in the -container + subpackage, which is for container/VM management.) + +* Thu Nov 26 2020 Zbigniew Jędrzejewski-Szmek - 247-1 +- Update to the latest version +- #1900878 should be fixed + +* Tue Oct 20 2020 Zbigniew Jędrzejewski-Szmek - 247~rc2 +- New upstream pre-release. See + https://github.com/systemd/systemd/blob/v247-rc1/NEWS. + Many smaller and bigger improvements and features are introduced. + (#1885101, #1890632, #1879216) + + A backwards-incompatible change affects PCI network devices which + are connected through a bridge which is itself associated with a + slot. When more than one device was associated with the same slot, + one of the devices would pseudo-randomly get named after the slot. + That name is now not generated at all. This changed behaviour is + causes the net naming scheme to be changed to "v247". To restore + previous behaviour, specify net.naming-scheme=v245. + + systemd-oomd is built, but should not be considered "production + ready" at this point. Testing and bug reports are welcome. + +* Wed Sep 30 2020 Dusty Mabe - 246.6-3 +- Try to make files in subpackages (especially the networkd subpackage) + more appropriate. + +* Thu Sep 24 2020 Filipe Brandenburger - 246.6-2 +- Build a package with standalone binaries for non-systemd systems. + For now, only systemd-sysusers is included. + +* Thu Sep 24 2020 Christian Glombek - 246.6-2 +- Split out networkd sub-package and add to main package as recommended dependency + +* Sun Sep 20 2020 Zbigniew Jędrzejewski-Szmek - 246.6-1 +- Update to latest stable release (various minor fixes: manager, + networking, bootct, kernel-install, systemd-dissect, systemd-homed, + fstab-generator, documentation) (#1876905) +- Do not fail in test because of kernel bug (#1803070) + +* Sun Sep 13 2020 Zbigniew Jędrzejewski-Szmek - 246.5-1 +- Update to latest stable release (a bunch of small network-related + fixes in systemd-networkd and socket handling, documentation updates, + a bunch of fixes for error handling). +- Also remove existing file when creating /etc/resolv.conf symlink + upon installation (#1873856 again) + +* Wed Sep 2 2020 Zbigniew Jędrzejewski-Szmek - 246.4-1 +- Update to latest stable version: a rework of how the unit cache mtime works + (hopefully #1872068, #1871327, #1867930), plus various fixes to + systemd-resolved, systemd-dissect, systemd-analyze, systemd-ask-password-agent, + systemd-networkd, systemd-homed, systemd-machine-id-setup, presets for + instantiated units, documentation and shell completions. +- Create /etc/resolv.conf symlink upon installation (#1873856) +- Move nss-mdns before nss-resolve in /etc/nsswitch.conf and disable + mdns by default in systemd-resolved (#1867830) + +* Wed Aug 26 2020 Zbigniew Jędrzejewski-Szmek - 246.3-1 +- Update to bugfix version (some networkd fixes, minor documentation + fixes, relax handling of various error conditions, other fixlets for + bugs without bugzilla numbers). + +* Mon Aug 17 2020 Zbigniew Jędrzejewski-Szmek - 246.2-1 +- A few minor bugfixes +- Adjust seccomp filter for kernel 5.8 and glibc 2.32 (#1869030) +- Create /etc/resolv.conf symlink on upgrade (#1867865) + +* Fri Aug 7 2020 Zbigniew Jędrzejewski-Szmek - 246.1-1 +- A few minor bugfixes +- Remove /etc/resolv.conf on upgrades (if managed by NetworkManager), so + that systemd-resolved can take over the management of the symlink. + +* Thu Jul 30 2020 Zbigniew Jędrzejewski-Szmek - 246-1 +- Update to released version. Only some minor bugfixes since the pre-release. + +* Sun Jul 26 2020 Zbigniew Jędrzejewski-Szmek - 246~rc2-2 +- Make /tmp be 50% of RAM again (#1856514) +- Re-run 'systemctl preset systemd-resolved' on upgrades. + /etc/resolv.conf is not modified, by a hint is emitted if it is + managed by NetworkManager. + +* Fri Jul 24 2020 Zbigniew Jędrzejewski-Szmek - 246~rc2-1 +- New pre-release with incremental fixes + (#1856037, #1858845, #1856122, #1857783) +- Enable systemd-resolved (with DNSSEC disabled by default, and LLMNR + and mDNS support in resolve-only mode by default). + See https://fedoraproject.org/wiki/Changes/systemd-resolved. + +* Thu Jul 9 2020 Zbigniew Jędrzejewski-Szmek - 246~rc1-1 +- New upstream release, see + https://raw.githubusercontent.com/systemd/systemd/v246-rc1/NEWS. + + This release includes many new unit settings, related inter alia to + cgroupsv2 freezer support and cpu affinity, encryption and verification. + systemd-networkd has a ton of new functionality and many other tools gained + smaller enhancements. systemd-homed gained FIDO2 support. + + Documentation has been significantly improved: sd-bus and sd-hwdb + libraries are now fully documented; man pages have been added for + the D-BUS APIs of systemd daemons and various new interfaces. + + Closes #1392925, #1790972, #1197886, #1525593. + +* Wed Jun 24 2020 Bastien Nocera - 245.6-3 +- Set fallback-hostname to fedora so that unset hostnames are still + recognisable (#1392925) + +* Tue Jun 2 2020 Zbigniew Jędrzejewski-Szmek - 245.6-2 +- Add self-obsoletes to fix upgrades from F31 + +* Sun May 31 2020 Zbigniew Jędrzejewski-Szmek - 245.6-1 +- Update to latest stable version (some documentation updates, minor + memory correctness issues) (#1815605, #1827467, #1842067) + +* Tue Apr 21 2020 Björn Esser - 245.5-2 +- Add explicit BuildRequires: acl +- Bootstrapping for json-c SONAME bump + +* Fri Apr 17 2020 Zbigniew Jędrzejewski-Szmek - 245.5-1 +- Update to latest stable version (#1819313, #1815412, #1800875) + +* Thu Apr 16 2020 Björn Esser - 245.4-2 +- Add bootstrap option to break circular deps on cryptsetup + +* Wed Apr 1 2020 Zbigniew Jędrzejewski-Szmek - 245.4-1 +- Update to latest stable version (#1814454) + +* Thu Mar 26 2020 Zbigniew Jędrzejewski-Szmek - 245.3-1 +- Update to latest stable version (no issue that got reported in bugzilla) + +* Wed Mar 18 2020 Zbigniew Jędrzejewski-Szmek - 245.2-1 +- Update to latest stable version (a few bug fixes for random things) (#1798776) + +* Fri Mar 6 2020 Zbigniew Jędrzejewski-Szmek - 245-1 +- Update to latest version (#1807485) + +* Wed Feb 26 2020 Zbigniew Jędrzejewski-Szmek - 245~rc2-1 +- Modify the downstream udev rule to use bfq to only apply to disks (#1803500) +- "Upgrade" dependency on kbd package from Recommends to Requires (#1408878) +- Move systemd-bless-boot.service and systemd-boot-system-token.service to + systemd-udev subpackage (#1807462) +- Move a bunch of other services to systemd-udev: + systemd-pstore.service, all fsck-related functionality, + systemd-volatile-root.service, systemd-verity-setup.service, and a few + other related files. +- Fix daemon-reload rule to not kill non-systemd pid1 (#1803240) +- Fix namespace-related failure when starting systemd-homed (#1807465) and + group lookup failure in nss_systemd (#1809147) +- Drop autogenerated BOOT_IMAGE= parameter from stored kernel command lines + (#1716164) +- Don't require /proc to be mounted for systemd-sysusers to work (#1807768) + +* Fri Feb 21 2020 Filipe Brandenburger - 245~rc1-4 +- Update daemon-reexec fallback to check whether the system is booted with + systemd as PID 1 and check whether we're upgrading before using kill -TERM + on PID 1 (#1803240) + +* Tue Feb 18 2020 Adam Williamson - 245~rc1-3 +- Revert 097537f0 to fix plymouth etc. running when they shouldn't (#1803293) + +* Fri Feb 7 2020 Zbigniew Jędrzejewski-Szmek - 245~rc1-2 +- Add default 'disable *' preset for user units (#1792474, #1468501), + see https://fedoraproject.org/wiki/Changes/Systemd_presets_for_user_units. +- Add macro to generate "compat" scriptlets based off sysusers.d format + and autogenerate user() and group() virtual provides (#1792462), + see https://fedoraproject.org/wiki/Changes/Adopting_sysusers.d_format. +- Revert patch to udev rules causing regression with usb hubs (#1800820). + +* Wed Feb 5 2020 Zbigniew Jędrzejewski-Szmek - 245~rc1-1 +- New upstream release, see + https://raw.githubusercontent.com/systemd/systemd/v245-rc1/NEWS. + + This release includes completely new functionality: systemd-repart, + systemd-homed, user reconds in json, and multi-instantiable + journald, and a partial rework of internal communcation to use + varlink, and bunch of more incremental changes. + + The "predictable" interface name naming scheme is changed, + net.naming-scheme= can be used to undo the change. The change applies + to container interface names on the host. + +- Fixes #1774242, #1787089, #1798414/CVE-2020-1712. + +* Fri Jan 31 2020 Fedora Release Engineering +- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild + +* Sat Dec 21 2019 - 244.1-2 +- Disable service watchdogs (for systemd units) + +* Sun Dec 15 2019 - 244.1-1 +- Update to latest stable batch (systemd-networkd fixups, better + support for seccomp on s390x, minor cleanups to documentation). +- Drop patch to revert addition of NoNewPrivileges to systemd units + +* Fri Nov 29 2019 Zbigniew Jędrzejewski-Szmek - 244-1 +- Update to latest version. Just minor bugs fixed since the pre-release. + +* Fri Nov 22 2019 Zbigniew Jędrzejewski-Szmek - 244~rc1-1 +- Update to latest pre-release version, + see https://github.com/systemd/systemd/blob/master/NEWS#L3. + Biggest items: cgroups v2 cpuset controller, fido_id builtin in udev, + systemd-networkd does not create a default route for link local addressing, + systemd-networkd supports dynamic reconfiguration and a bunch of new settings. + Network files support matching on WLAN SSID and BSSID. +- Better error messages when preset/enable/disable are used with a glob (#1763488) +- u2f-hidraw-policy package is obsoleted (#1753381) + +* Tue Nov 19 2019 Zbigniew Jędrzejewski-Szmek - 243.4 +- Latest bugfix release. Systemd-stable snapshots will now be numbered. +- Fix broken PrivateDevices filter on big-endian, s390x in particular (#1769148) +- systemd-modules-load.service should only warn, not fail, on error (#1254340) +- Fix incorrect certificate validation with DNS over TLS (#1771725, #1771726, + CVE-2018-21029) +- Fix regression with crypttab keys with colons +- Various memleaks and minor memory access issues, warning adjustments + +* Fri Oct 18 2019 Adam Williamson - 243-4.gitef67743 +- Backport PR #13792 to fix nomodeset+BIOS CanGraphical bug (#1728240) + +* Thu Oct 10 2019 Zbigniew Jędrzejewski-Szmek - 243-3.gitef67743 +- Various minor documentation and error message cleanups +- Do not use cgroup v1 hierarchy in nspawn on groups v2 (#1756143) + +* Sat Sep 21 2019 Zbigniew Jędrzejewski-Szmek - 243-2.gitfab6f01 +- Backport a bunch of patches (memory access issues, improvements to error + reporting and handling in networkd, some misleading man page contents #1751363) +- Fix permissions on static nodes (#1740664) +- Make systemd-networks follow the RFC for DHPCv6 and radv timeouts +- Fix one crash in systemd-resolved (#1703598) +- Make journal catalog creation reproducible (avoid unordered hashmap use) +- Mark the accelerometer in HP laptops as part of the laptop base +- Fix relabeling of directories with relabel-extra.d/ +- Fix potential stuck noop jobs in pid1 +- Obsolete timedatex package (#1735584) + +* Tue Sep 3 2019 Zbigniew Jędrzejewski-Szmek - 243-1 +- Update to latest release +- Emission of Session property-changed notifications from logind is fixed + (this was breaking the switching of sessions to and from gnome). +- Security issue: unprivileged users were allowed to change DNS + servers configured in systemd-resolved. Now proper polkit authorization + is required. + +* Mon Aug 26 2019 Adam Williamson - 243~rc2-2 +- Backport PR #13406 to solve PATH ordering issue (#1744059) + +* Thu Aug 22 2019 Zbigniew Jędrzejewski-Szmek - 243~rc2-1 +- Update to latest pre-release. Fixes #1740113, #1717712. +- The default scheduler for disks is set to BFQ (1738828) +- The default cgroup hierarchy is set to unified (cgroups v2) (#1732114). + Use systemd.unified-cgroup-hierarchy=0 on the kernel command line to revert. + See https://fedoraproject.org/wiki/Changes/CGroupsV2. + +* Wed Aug 07 2019 Adam Williamson - 243~rc1-2 +- Backport PR #1737362 so we own /etc/systemd/system again (#1737362) + +* Tue Jul 30 2019 Zbigniew Jędrzejewski-Szmek - 243~rc1-1 +- Update to latest version (#1715699, #1696373, #1711065, #1718192) + +* Sat Jul 27 2019 Fedora Release Engineering +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + +* Sat Jul 20 2019 Zbigniew Jędrzejewski-Szmek - 242-6.git9d34e79 +- Ignore bad rdrand output on AMD CPUs (#1729268) +- A bunch of backported patches from upstream: documentation, memory + access fixups, command output tweaks (#1708996) + +* Tue Jun 25 2019 Björn Esser - 242-5.git7a6d834 +- Rebuilt (libqrencode.so.4) + +* Tue Jun 25 2019 Miro Hrončok - 242-4.git7a6d834 +- Rebuilt for iptables update (libip4tc.so.2) + +* Fri Apr 26 2019 Zbigniew Jędrzejewski-Szmek - 242-3.git7a6d834 +- Add symbol to mark vtable format changes (anything using sd_add_object_vtable + or sd_add_fallback_vtable needs to be rebuilt) +- Fix wireguard ListenPort handling in systemd-networkd +- Fix hang in flush_accept (#1702358) +- Fix handling of RUN keys in udevd +- Some documentation and shell completion updates and minor fixes + +* Tue Apr 16 2019 Adam Williamson - 242-2 +- Rebuild with Meson fix for #1699099 + +* Thu Apr 11 2019 Zbigniew Jędrzejewski-Szmek - 242-1 +- Update to latest release +- Make scriptlet failure non-fatal + +* Tue Apr 9 2019 Zbigniew Jędrzejewski-Szmek - 242~rc4-1 +- Update to latest prerelease + +* Thu Apr 4 2019 Zbigniew Jędrzejewski-Szmek - 242~rc3-1 +- Update to latest prerelease + +* Wed Apr 3 2019 Zbigniew Jędrzejewski-Szmek - 242~rc2-1 +- Update to the latest prerelease. +- The bug reported on latest update that systemd-resolved and systemd-networkd are + re-enabled after upgrade is fixed. + +* Fri Mar 29 2019 Zbigniew Jędrzejewski-Szmek - 241-4.gitcbf14c9 +- Backport various patches from the v241..v242 range: + kernel-install will not create the boot loader entry automatically (#1648907), + various bash completion improvements (#1183769), + memory leaks and such (#1685286). + +* Thu Mar 14 2019 Zbigniew Jędrzejewski-Szmek - 241-3.gitc1f8ff8 +- Declare hyperv and framebuffer devices master-of-seat again (#1683197) + +* Wed Feb 20 2019 Zbigniew Jędrzejewski-Szmek - 241-2.gita09c170 +- Prevent buffer overread in systemd-udevd +- Properly validate dbus paths received over dbus (#1678394, CVE-2019-6454) + +* Sat Feb 9 2019 Zbigniew Jędrzejewski-Szmek - 241~rc2-2 +- Turn LTO back on + +* Tue Feb 5 2019 Zbigniew Jędrzejewski-Szmek - 241~rc2-1 +- Update to latest release -rc2 + +* Sun Feb 03 2019 Fedora Release Engineering +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + +* Sun Jan 27 2019 Yu Watanabe - 241~rc1-2 +- Backport a patch for kernel-install + +* Sat Jan 26 2019 Zbigniew Jędrzejewski-Szmek - 241~rc1-1 +- Update to latest release -rc1 + +* Tue Jan 15 2019 Zbigniew Jędrzejewski-Szmek - 240-6.gitf02b547 +- Add a work-around for #1663040 + +* Mon Jan 14 2019 Björn Esser +- Rebuilt for libcrypt.so.2 (#1666033) + +* Fri Jan 11 2019 Zbigniew Jędrzejewski-Szmek - 240-4.gitf02b547 +- Add a work-around for selinux issue on live images (#1663040) + +* Fri Jan 11 2019 Zbigniew Jędrzejewski-Szmek - 240-3.gitf02b547 +- systemd-journald and systemd-journal-remote reject entries which + contain too many fields (CVE-2018-16865, #1664973) and set limits on the + process' command line length (CVE-2018-16864, #1664972) +- $DBUS_SESSION_BUS_ADDRESS is again exported by pam_systemd (#1662857) +- A fix for systemd-udevd crash (#1662303) + +* Sat Dec 22 2018 Zbigniew Jędrzejewski-Szmek - 240-2 +- Add two more patches that revert recent udev changes + +* Fri Dec 21 2018 Zbigniew Jędrzejewski-Szmek - 240-1 +- Update to latest release + See https://github.com/systemd/systemd/blob/master/NEWS for the list of changes. + +* Mon Dec 17 2018 Zbigniew Jędrzejewski-Szmek - 239-10.git9f3aed1 +- Hibernation checks for resume= are rescinded (#1645870) +- Various patches: + - memory issues in logind, networkd, journald (#1653068), sd-device, etc. + - Adaptations for newer meson, lz4, kernel + - Fixes for misleading bugs in documentation +- net.ipv4.conf.all.rp_filter is changed from 1 to 2 + +* Thu Nov 29 2018 Zbigniew Jędrzejewski-Szmek +- Adjust scriptlets to modify /etc/authselect/user-nsswitch.conf + (see https://github.com/pbrezina/authselect/issues/77) +- Drop old scriptlets for nsswitch.conf modifications for nss-mymachines and nss-resolve + +* Sun Nov 18 2018 Alejandro Domínguez Muñoz +- Remove link creation for rsyslog.service + +* Thu Nov 8 2018 Adam Williamson - 239-9.git9f3aed1 +- Go back to using systemctl preset-all in %%post (#1647172, #1118740) + +* Mon Nov 5 2018 Adam Williamson - 239-8.git9f3aed1 +- Requires(post) openssl-libs to fix live image build machine-id issue + See: https://pagure.io/dusty/failed-composes/issue/960 + +* Mon Nov 5 2018 Yu Watanabe +- Set proper attributes to private directories + +* Fri Nov 2 2018 Zbigniew Jędrzejewski-Szmek - 239-7.git9f3aed1 +- Split out the rpm macros into systemd-rpm-macros subpackage (#1645298) + +* Sun Oct 28 2018 Zbigniew Jędrzejewski-Szmek - 239-6.git9f3aed1 +- Fix a local vulnerability from a race condition in chown-recursive (CVE-2018-15687, #1639076) +- Fix a local vulnerability from invalid handling of long lines in state deserialization (CVE-2018-15686, #1639071) +- Fix a remote vulnerability in DHCPv6 in systemd-networkd (CVE-2018-15688, #1639067) +- The DHCP server is started only when link is UP +- DHCPv6 prefix delegation is improved +- Downgrade logging of various messages and add loging in other places +- Many many fixes in error handling and minor memory leaks and such +- Fix typos and omissions in documentation +- Typo in %%_environmnentdir rpm macro is fixed (with backwards compatiblity preserved) +- Matching by MACAddress= in systemd-networkd is fixed +- Creation of user runtime directories is improved, and the user + manager is only stopped after 10 s after the user logs out (#1642460 and other bugs) +- systemd units systemd-timesyncd, systemd-resolved, systemd-networkd are switched back to use DynamicUser=0 +- Aliases are now resolved when loading modules from pid1. This is a (redundant) fix for a brief kernel regression. +- "systemctl --wait start" exits immediately if no valid units are named +- zram devices are not considered as candidates for hibernation +- ECN is not requested for both in- and out-going connections (the sysctl overide for net.ipv4.tcp_ecn is removed) +- Various smaller improvements to unit ordering and dependencies +- generators are now called with the manager's environment +- Handling of invalid (intentionally corrupt) dbus messages is improved, fixing potential local DOS avenues +- The target of symlinks links in .wants/ and .requires/ is now ignored. This fixes an issue where + the unit file would sometimes be loaded from such a symlink, leading to non-deterministic unit contents. +- Filtering of kernel threads is improved. This fixes an issues with newer kernels where hybrid kernel/user + threads are used by bpfilter. +- "noresume" can be used on the kernel command line to force normal boot even if a hibernation images is present +- Hibernation is not advertised if resume= is not present on the kernenl command line +- Hibernation/Suspend/... modes can be disabled using AllowSuspend=, + AllowHibernation=, AllowSuspendThenHibernate=, AllowHybridSleep= +- LOGO= and DOCUMENTATION_URL= are documented for the os-release file +- The hashmap mempool is now only used internally in systemd, and is disabled for external users of the systemd libraries +- Additional state is serialized/deserialized when logind is restarted, fixing the handling of user objects +- Catalog entries for the journal are improved (#1639482) +- If suspend fails, the post-suspend hooks are still called. +- Various build issues on less-common architectures are fixed + +* Wed Oct 3 2018 Jan Synáček - 239-5 +- Fix meson using -Ddebug, which results in FTBFS +- Fix line_begins() to accept word matching full string (#1631840) + +* Mon Sep 10 2018 Zbigniew Jędrzejewski-Szmek - 239-4 +- Move /etc/yum/protected.d/systemd.conf to /etc/dnf/ (#1626969) + +* Wed Jul 18 2018 Terje Rosten - 239-3 +- Ignore return value from systemd-binfmt in scriptlet (#1565425) + +* Sun Jul 15 2018 Filipe Brandenburger +- Override systemd-user PAM config in install and not prep + +* Sat Jul 14 2018 Fedora Release Engineering +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + +* Mon Jun 25 2018 Zbigniew Jędrzejewski-Szmek +- Rebuild for Python 3.7 again + +* Fri Jun 22 2018 Zbigniew Jędrzejewski-Szmek - 239-1 +- Update to latest version, mostly bug fixes and new functionality, + very little breaking changes. See + https://github.com/systemd/systemd/blob/v239/NEWS for details. + +* Tue Jun 19 2018 Miro Hrončok +- Rebuilt for Python 3.7 + +* Fri May 11 2018 Zbigniew Jędrzejewski-Szmek - 238-8.git0e0aa59 +- Backport a number of patches (documentation, hwdb updates) +- Fixes for tmpfiles 'e' entries +- systemd-networkd crashes +- XEN virtualization detection on hyper-v +- Avoid relabelling /sys/fs/cgroup if not needed (#1576240) + +* Wed Apr 18 2018 Zbigniew Jędrzejewski-Szmek - 238-7.fc28.1 +- Allow fake Delegate= setting on slices (#1568594) + +* Wed Mar 28 2018 Zbigniew Jędrzejewski-Szmek - 238-7 +- Move udev transfiletriggers to the right package, fix quoting + +* Tue Mar 27 2018 Colin Walters - 238-6 +- Use shell for triggers; see https://github.com/systemd/systemd/pull/8550 + This fixes compatibility with rpm-ostree. + +* Tue Mar 20 2018 Zbigniew Jędrzejewski-Szmek - 238-5 +- Backport patch to revert inadvertent change of "predictable" interface name (#1558027) + +* Fri Mar 16 2018 Zbigniew Jędrzejewski-Szmek - 238-4 +- Do not close dbus connection during dbus reload call (#1554578) + +* Wed Mar 7 2018 Zbigniew Jędrzejewski-Szmek - 238-3 +- Revert the patches for GRUB BootLoaderSpec support +- Add patch for /etc/machine-id creation (#1552843) + +* Tue Mar 6 2018 Yu Watanabe - 238-2 +- Fix transfiletrigger script (#1551793) + +* Mon Mar 5 2018 Zbigniew Jędrzejewski-Szmek - 238-1 +- Update to latest version +- This fixes a hard-to-trigger potential vulnerability (CVE-2018-6954) +- New transfiletriggers are installed for udev hwdb and rules, the journal + catalog, sysctl.d, binfmt.d, sysusers.d, tmpfiles.d. + +* Tue Feb 27 2018 Javier Martinez Canillas - 237-7.git84c8da5 +- Add patch to install kernel images for GRUB BootLoaderSpec support + +* Sat Feb 24 2018 Zbigniew Jędrzejewski-Szmek - 237-6.git84c8da5 +- Create /etc/systemd in %%post libs if necessary (#1548607) + +* Fri Feb 23 2018 Adam Williamson - 237-5.git84c8da5 +- Use : not touch to create file in -libs %%post + +* Thu Feb 22 2018 Patrick Uiterwijk - 237-4.git84c8da5 +- Add coreutils dep for systemd-libs %%post +- Add patch to typecast USB IDs to avoid compile failure + +* Wed Feb 21 2018 Zbigniew Jędrzejewski-Szmek - 237-3.git84c8da5 +- Update some patches for test skipping that were updated upstream + before merging +- Add /usr/lib/systemd/purge-nobody-user — a script to check if nobody is defined + correctly and possibly replace existing mappings + +* Tue Feb 20 2018 Zbigniew Jędrzejewski-Szmek - 237-2.gitdff4849 +- Backport a bunch of patches, most notably for the journal and various + memory issues. Some minor build fixes. +- Switch to new ldconfig macros that do nothing in F28+ +- /etc/systemd/dont-synthesize-nobody is created in %%post if nfsnobody + or nobody users are defined (#1537262) + +* Fri Feb 9 2018 Zbigniew Jędrzejeweski-Szmek - 237-1.git78bd769 +- Update to first stable snapshot (various minor memory leaks and misaccesses, + some documentation bugs, build fixes). + +* Sun Jan 28 2018 Zbigniew Jędrzejewski-Szmek - 237-1 +- Update to latest version + +* Sun Jan 21 2018 Björn Esser - 236-4.git3e14c4c +- Add patch to include if needed + +* Sat Jan 20 2018 Björn Esser - 236-3.git3e14c4c +- Rebuilt for switch to libxcrypt + +* Thu Jan 11 2018 Zbigniew Jędrzejewski-Szmek - 236-2.git23e14c4 +- Backport a bunch of bugfixes from upstream (#1531502, #1531381, #1526621 + various memory corruptions in systemd-networkd) +- /dev/kvm is marked as a static node which fixes permissions on s390x + and ppc64 (#1532382) + +* Fri Dec 15 2017 Zbigniew Jędrzejewski-Szmek - 236-1 +- Update to latest version + +* Mon Dec 11 2017 Zbigniew Jędrzejewski-Szmek - 235-5.git4a0e928 +- Update to latest git snapshot, do not build for realz +- Switch to libidn2 again (#1449145) + +* Tue Nov 07 2017 Zbigniew Jędrzejewski-Szmek - 235-4 +- Rebuild for cryptsetup-2.0.0-0.2.fc28 + +* Wed Oct 25 2017 Zbigniew Jędrzejewski-Szmek - 235-3 +- Backport a bunch of patches, including LP#172535 + +* Wed Oct 18 2017 Zbigniew Jędrzejewski-Szmek - 235-2 +- Patches for cryptsetup _netdev + +* Fri Oct 6 2017 Zbigniew Jędrzejewski-Szmek - 235-1 +- Update to latest version + +* Tue Sep 26 2017 Nathaniel McCallum - 234-8 +- Backport /etc/crypttab _netdev feature from upstream + +* Thu Sep 21 2017 Michal Sekletar - 234-7 +- Make sure to remove all device units sharing the same sysfs path (#1475570) + +* Mon Sep 18 2017 Zbigniew Jędrzejewski-Szmek - 234-6 +- Bump xslt recursion limit for libxslt-1.30 + +* Mon Jul 31 2017 Zbigniew Jędrzejewski-Szmek - 234-5 +- Backport more patches (#1476005, hopefully #1462378) + +* Thu Jul 27 2017 Fedora Release Engineering +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Mon Jul 17 2017 Zbigniew Jędrzejewski-Szmek - 234-3 +- Fix x-systemd.timeout=0 in /etc/fstab (#1462378) +- Minor patches (memleaks, --help fixes, seccomp on arm64) + +* Thu Jul 13 2017 Zbigniew Jędrzejewski-Szmek - 234-2 +- Create kvm group (#1431876) + +* Thu Jul 13 2017 Zbigniew Jędrzejewski-Szmek - 234-1 +- Latest release + +* Sat Jul 1 2017 Zbigniew Jędrzejewski-Szmek - 233-7.git74d8f1c +- Update to snapshot +- Build with meson again + +* Tue Jun 27 2017 Zbigniew Jędrzejewski-Szmek - 233-6 +- Fix an out-of-bounds write in systemd-resolved (CVE-2017-9445) + +* Fri Jun 16 2017 Zbigniew Jędrzejewski-Szmek - 233-5.gitec36d05 +- Update to snapshot version, build with meson + +* Thu Jun 15 2017 Zbigniew Jędrzejewski-Szmek - 233-4 +- Backport a bunch of small fixes (memleaks, wrong format strings, + man page clarifications, shell completion) +- Fix systemd-resolved crash on crafted DNS packet (CVE-2017-9217, #1455493) +- Fix systemd-vconsole-setup.service error on systems with no VGA console (#1272686) +- Drop soft-static uid for systemd-journal-gateway +- Use ID from /etc/os-release as ntpvendor + +* Thu Mar 16 2017 Michal Sekletar - 233-3 +- Backport bugfixes from upstream +- Don't return error when machinectl couldn't figure out container IP addresses (#1419501) + +* Thu Mar 2 2017 Zbigniew Jędrzejewski-Szmek - 233-2 +- Fix installation conflict with polkit + +* Thu Mar 2 2017 Zbigniew Jędrzejewski-Szmek - 233-1 +- New upstream release (#1416201, #1405439, #1420753, many others) +- New systemd-tests subpackage with "installed tests" + +* Thu Feb 16 2017 Zbigniew Jędrzejewski-Szmek - 232-15 +- Add %%ghost %%dir entries for .wants dirs of our targets (#1422894) + +* Tue Feb 14 2017 Zbigniew Jędrzejewski-Szmek - 232-14 +- Ignore the hwdb parser test + +* Tue Feb 14 2017 Jan Synáček - 232-14 +- machinectl fails when virtual machine is running (#1419501) + +* Sat Feb 11 2017 Fedora Release Engineering - 232-13 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + +* Tue Jan 31 2017 Zbigniew Jędrzejewski-Szmek - 232-12 +- Backport patch for initrd-switch-root.service getting killed (#1414904) +- Fix sd-journal-gatewayd -D, --trust, and COREDUMP_CONTAINER_CMDLINE + extraction by sd-coredump. + +* Sun Jan 29 2017 zbyszek - 232-11 +- Backport a number of patches (#1411299, #1413075, #1415745, + ##1415358, #1416588, #1408884) +- Fix various memleaks and unitialized variable access +- Shell completion enhancements +- Enable TPM logging by default (#1411156) +- Update hwdb (#1270124) + +* Thu Jan 19 2017 Adam Williamson - 232-10 +- Backport fix for boot failure in initrd-switch-root (#1414904) + +* Wed Jan 18 2017 Zbigniew Jędrzejewski-Szmek - 232-9 +- Add fake dependency on systemd-pam to systemd-devel to ensure systemd-pam + is available as multilib (#1414153) + +* Tue Jan 17 2017 Zbigniew Jędrzejewski-Szmek - 232-8 +- Fix buildsystem to check for lz4 correctly (#1404406) + +* Wed Jan 11 2017 Zbigniew Jędrzejewski-Szmek - 232-7 +- Various small tweaks to scriplets + +* Sat Jan 07 2017 Kevin Fenzi - 232-6 +- Fix scriptlets to never fail in libs post + +* Fri Jan 06 2017 Kevin Fenzi - 232-5 +- Add patch from Michal Schmidt to avoid process substitution (#1392236) + +* Sun Nov 6 2016 Zbigniew Jędrzejewski-Szmek - 232-4 +- Rebuild (#1392236) + +* Fri Nov 4 2016 Zbigniew Jędrzejewski-Szmek - 232-3 +- Make /etc/dbus-1/system.d directory non-%%ghost + +* Fri Nov 4 2016 Zbigniew Jędrzejewski-Szmek - 232-2 +- Fix kernel-install (#1391829) +- Restore previous systemd-user PAM config (#1391836) +- Move journal-upload.conf.5 from systemd main to journal-remote subpackage (#1391833) +- Fix permissions on /var/lib/systemd/journal-upload (#1262665) + +* Thu Nov 3 2016 Zbigniew Jędrzejewski-Szmek - 232-1 +- Update to latest version (#998615, #1181922, #1374371, #1390704, #1384150, #1287161) +- Add %%{_isa} to Provides on arch-full packages (#1387912) +- Create systemd-coredump user in %%pre (#1309574) +- Replace grubby patch with a short-circuiting install.d "plugin" +- Enable nss-systemd in the passwd, group lines in nsswith.conf +- Add [!UNAVAIL=return] fallback after nss-resolve in hosts line in nsswith.conf +- Move systemd-nspawn man pages to the right subpackage (#1391703) + +* Tue Oct 18 2016 Jan Synáček - 231-11 +- SPC - Cannot restart host operating from container (#1384523) + +* Sun Oct 9 2016 Zbigniew Jędrzejewski-Szmek - 231-10 +- Do not recreate /var/log/journal on upgrades (#1383066) +- Move nss-myhostname provides to systemd-libs (#1383271) + +* Fri Oct 7 2016 Zbigniew Jędrzejewski-Szmek - 231-9 +- Fix systemctl set-default (#1374371) +- Prevent systemd-udev-trigger.service from restarting (follow-up for #1378974) + +* Tue Oct 4 2016 Zbigniew Jędrzejewski-Szmek - 231-8 +- Apply fix for #1378974 + +* Mon Oct 3 2016 Zbigniew Jędrzejewski-Szmek - 231-7 +- Apply patches properly + +* Thu Sep 29 2016 Zbigniew Jędrzejewski-Szmek - 231-6 +- Better fix for (#1380286) + +* Thu Sep 29 2016 Zbigniew Jędrzejewski-Szmek - 231-5 +- Denial-of-service bug against pid1 (#1380286) + +* Thu Aug 25 2016 Zbigniew Jędrzejewski-Szmek - 231-4 +- Fix preset-all (#1363858) +- Fix issue with daemon-reload messing up graphics (#1367766) +- A few other bugfixes + +* Wed Aug 03 2016 Adam Williamson - 231-3 +- Revert preset-all change, it broke stuff (#1363858) + +* Wed Jul 27 2016 Zbigniew Jędrzejewski-Szmek - 231-2 +- Call preset-all on initial installation (#1118740) +- Fix botched Recommends for libxkbcommon + +* Tue Jul 26 2016 Zbigniew Jędrzejewski-Szmek - 231-1 +- Update to latest version + +* Wed Jun 8 2016 Zbigniew Jędrzejewski-Szmek - 230-3 +- Update to latest git snapshot (fixes for systemctl set-default, + polkit lingering policy, reversal of the framebuffer rules, + unaligned access fixes, fix for StartupBlockIOWeight-over-dbus). + Those changes are interspersed with other changes and new features + (mostly in lldp, networkd, and nspawn). Some of those new features + might not work, but I think that existing functionality should not + be broken, so it seems worthwile to update to the snapshot. + +* Sat May 21 2016 Zbigniew Jędrzejewski-Szmek - 230-2 +- Remove systemd-compat-libs on upgrade + +* Sat May 21 2016 Zbigniew Jędrzejewski-Szmek - 230-1 +- New version +- Drop compat-libs +- Require libxkbcommon explictly, since the automatic dependency will + not be generated anymore + +* Tue Apr 26 2016 Zbigniew Jędrzejewski-Szmek - 229-15 +- Remove duplicated entries in -container %%files (#1330395) + +* Fri Apr 22 2016 Zbigniew Jędrzejewski-Szmek - 229-14 +- Move installation of udev services to udev subpackage (#1329023) + +* Mon Apr 18 2016 Zbigniew Jędrzejewski-Szmek - 229-13 +- Split out systemd-pam subpackage (#1327402) + +* Mon Apr 18 2016 Harald Hoyer - 229-12 +- move more binaries and services from the main package to subpackages + +* Mon Apr 18 2016 Harald Hoyer - 229-11 +- move more binaries and services from the main package to subpackages + +* Mon Apr 18 2016 Harald Hoyer - 229-10 +- move device dependant stuff to the udev subpackage + +* Tue Mar 22 2016 Zbigniew Jędrzejewski-Szmek - 229-9 +- Add myhostname to /etc/nsswitch.conf (#1318303) + +* Mon Mar 21 2016 Harald Hoyer - 229-8 +- fixed kernel-install for copying files for grubby +Resolves: rhbz#1299019 + +* Thu Mar 17 2016 Zbigniew Jędrzejewski-Szmek - 229-7 +- Moar patches (#1316964, #1317928) +- Move vconsole-setup and tmpfiles-setup-dev bits to systemd-udev +- Protect systemd-udev from deinstallation + +* Fri Mar 11 2016 Zbigniew Jędrzejewski-Szmek - 229-6 +- Create /etc/resolv.conf symlink from systemd-resolved (#1313085) + +* Fri Mar 4 2016 Zbigniew Jędrzejewski-Szmek - 229-5 +- Split out systemd-container subpackage (#1163412) +- Split out system-udev subpackage +- Add various bugfix patches, incl. a tentative fix for #1308771 + +* Tue Mar 1 2016 Peter Robinson 229-4 +- Power64 and s390(x) now have libseccomp support +- aarch64 has gnu-efi + +* Tue Feb 23 2016 Jan Synáček - 229-3 +- Fix build failures on ppc64 (#1310800) + +* Tue Feb 16 2016 Dennis Gilmore - 229-2 +- revert: fixed kernel-install for copying files for grubby +Resolves: rhbz#1299019 +- this causes the dtb files to not get installed at all and the fdtdir +- line in extlinux.conf to not get updated correctly + +* Thu Feb 11 2016 Michal Sekletar - 229-1 +- New upstream release + +* Thu Feb 11 2016 Harald Hoyer - 228-10.gite35a787 +- fixed kernel-install for copying files for grubby +Resolves: rhbz#1299019 + +* Fri Feb 05 2016 Fedora Release Engineering - 228-9.gite35a787 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild + +* Wed Jan 27 2016 Peter Robinson 228-8.gite35a787 +- Rebuild for binutils on aarch64 fix + +* Fri Jan 08 2016 Dan Horák - 228-7.gite35a787 +- apply the conflict with fedora-release only in Fedora + +* Thu Dec 10 2015 Jan Synáček - 228-6.gite35a787 +- Fix rawhide build failures on ppc64 (#1286249) + +* Sun Nov 29 2015 Zbigniew Jędrzejewski-Szmek - 228-6.gite35a787 +- Create /etc/systemd/network (#1286397) + +* Thu Nov 26 2015 Zbigniew Jędrzejewski-Szmek - 228-5.gite35a787 +- Do not install nss modules by default + +* Tue Nov 24 2015 Zbigniew Jędrzejewski-Szmek - 228-4.gite35a787 +- Update to latest upstream git: there is a bunch of fixes + (nss-mymachines overflow bug, networkd fixes, more completions are + properly installed), mixed with some new resolved features. +- Rework file triggers so that they always run before daemons are restarted + +* Thu Nov 19 2015 Zbigniew Jędrzejewski-Szmek - 228-3 +- Enable rpm file triggers for daemon-reload + +* Thu Nov 19 2015 Zbigniew Jędrzejewski-Szmek - 228-2 +- Fix version number in obsoleted package name (#1283452) + +* Wed Nov 18 2015 Kay Sievers - 228-1 +- New upstream release + +* Thu Nov 12 2015 Zbigniew Jędrzejewski-Szmek - 227-7 +- Rename journal-gateway subpackage to journal-remote +- Ignore the access mode on /var/log/journal (#1048424) +- Do not assume fstab is present (#1281606) + +* Wed Nov 11 2015 Fedora Release Engineering - 227-6 +- Rebuilt for https://fedoraproject.org/wiki/Changes/python3.5 + +* Tue Nov 10 2015 Lukáš Nykrýn - 227-5 +- Rebuild for libmicrohttpd soname bump + +* Fri Nov 06 2015 Robert Kuska - 227-4 +- Rebuilt for Python3.5 rebuild + +* Wed Nov 4 2015 Zbigniew Jędrzejewski-Szmek - 227-3 +- Fix syntax in kernel-install (#1277264) + +* Tue Nov 03 2015 Michal Schmidt - 227-2 +- Rebuild for libmicrohttpd soname bump. + +* Wed Oct 7 2015 Kay Sievers - 227-1 +- New upstream release + +* Fri Sep 18 2015 Jan Synáček - 226-3 +- user systemd-journal-upload should be in systemd-journal group (#1262743) + +* Fri Sep 18 2015 Kay Sievers - 226-2 +- Add selinux to system-user PAM config + +* Tue Sep 8 2015 Kay Sievers - 226-1 +- New upstream release + +* Thu Aug 27 2015 Kay Sievers - 225-1 +- New upstream release + +* Fri Jul 31 2015 Kay Sievers - 224-1 +- New upstream release + +* Wed Jul 29 2015 Kay Sievers - 223-2 +- update to git snapshot + +* Wed Jul 29 2015 Kay Sievers - 223-1 +- New upstream release + +* Thu Jul 9 2015 Zbigniew Jędrzejewski-Szmek - 222-2 +- Remove python subpackages (python-systemd in now standalone) + +* Tue Jul 7 2015 Kay Sievers - 222-1 +- New upstream release + +* Mon Jul 6 2015 Kay Sievers - 221-5.git619b80a +- update to git snapshot + +* Mon Jul 6 2015 Zbigniew Jędrzejewski-Szmek - 221-4.git604f02a +- Add example file with yama config (#1234951) + +* Sun Jul 5 2015 Kay Sievers - 221-3.git604f02a +- update to git snapshot + +* Mon Jun 22 2015 Kay Sievers - 221-2 +- build systemd-boot EFI tools + +* Fri Jun 19 2015 Lennart Poettering - 221-1 +- New upstream release +- Undoes botched translation check, should be reinstated later? + +* Fri Jun 19 2015 Fedora Release Engineering - 220-10 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild + +* Thu Jun 11 2015 Peter Robinson 220-9 +- The gold linker is now fixed on aarch64 + +* Tue Jun 9 2015 Zbigniew Jędrzejewski-Szmek - 220-8 +- Remove gudev which is now provided as separate package (libgudev) +- Fix for spurious selinux denials (#1224211) +- Udev change events (#1225905) +- Patches for some potential crashes +- ProtectSystem=yes does not touch /home +- Man page fixes, hwdb updates, shell completion updates +- Restored persistent device symlinks for bcache, xen block devices +- Tag all DRM cards as master-of-seat + +* Tue Jun 09 2015 Harald Hoyer 220-7 +- fix udev block device watch + +* Tue Jun 09 2015 Harald Hoyer 220-6 +- add support for network disk encryption + +* Sun Jun 7 2015 Peter Robinson 220-5 +- Disable gold on aarch64 until it's fixed (tracked in rhbz #1225156) + +* Sat May 30 2015 Zbigniew Jędrzejewski-Szmek - 220-4 +- systemd-devel should require systemd-libs, not the main package (#1226301) +- Check for botched translations (#1226566) +- Make /etc/udev/hwdb.d part of the rpm (#1226379) + +* Thu May 28 2015 Richard W.M. Jones - 220-3 +- Add patch to fix udev --daemon not cleaning child processes + (upstream commit 86c3bece38bcf5). + +* Wed May 27 2015 Richard W.M. Jones - 220-2 +- Add patch to fix udev --daemon crash (upstream commit 040e689654ef08). + +* Thu May 21 2015 Lennart Poettering - 220-1 +- New upstream release +- Drop /etc/mtab hack, as that's apparently fixed in mock now (#1116158) +- Remove ghosting for /etc/systemd/system/runlevel*.target, these + targets are not configurable anymore in systemd upstream +- Drop work-around for #1002806, since this is solved upstream now + +* Wed May 20 2015 Dennis Gilmore - 219-15 +- fix up the conflicts version for fedora-release + +* Wed May 20 2015 Zbigniew Jędrzejewski-Szmek - 219-14 +- Remove presets (#1221340) +- Fix (potential) crash and memory leak in timedated, locking failure + in systemd-nspawn, crash in resolved. +- journalctl --list-boots should be faster +- zsh completions are improved +- various ommissions in docs are corrected (#1147651) +- VARIANT and VARIANT_ID fields in os-release are documented +- systemd-fsck-root.service is generated in the initramfs (#1201979, #1107818) +- systemd-tmpfiles should behave better on read-only file systems (#1207083) + +* Wed Apr 29 2015 Zbigniew Jędrzejewski-Szmek - 219-13 +- Patches for some outstanding annoyances +- Small keyboard hwdb updates + +* Wed Apr 8 2015 Zbigniew Jędrzejewski-Szmek - 219-12 +- Tighten requirements between subpackages (#1207381). + +* Sun Mar 22 2015 Zbigniew Jędrzejewski-Szmek - 219-11 +- Move all parts systemd-journal-{remote,upload} to + systemd-journal-gatewayd subpackage (#1193143). +- Create /var/lib/systemd/journal-upload directory (#1193145). +- Cut out lots of stupid messages at debug level which were obscuring more + important stuff. +- Apply "tentative" state for devices only when they are added, not removed. +- Ignore invalid swap pri= settings (#1204336) +- Fix SELinux check for timedated operations to enable/disable ntp (#1014315) +- Fix comparing of filesystem paths (#1184016) + +* Sat Mar 14 2015 Zbigniew Jędrzejewski-Szmek - 219-10 +- Fixes for bugs 1186018, 1195294, 1185604, 1196452. +- Hardware database update. +- Documentation fixes. +- A fix for journalctl performance regression. +- Fix detection of inability to open files in journalctl. +- Detect SuperH architecture properly. +- The first of duplicate lines in tmpfiles wins again. +- Do vconsole setup after loading vconsole driver, not fbcon. +- Fix problem where some units were restarted during systemd reexec. +- Fix race in udevadm settle tripping up NetworkManager. +- Downgrade various log messages. +- Fix issue where journal-remote would process some messages with a delay. +- GPT /srv partition autodiscovery is fixed. +- Reconfigure old Finnish keymaps in post (#1151958) + +* Tue Mar 10 2015 Jan Synáček - 219-9 +- Buttons on Lenovo X6* tablets broken (#1198939) + +* Tue Mar 3 2015 Zbigniew Jędrzejewski-Szmek - 219-8 +- Reworked device handling (#1195761) +- ACL handling fixes (with a script in %%post) +- Various log messages downgraded (#1184712) +- Allow PIE on s390 again (#1197721) + +* Wed Feb 25 2015 Michal Schmidt - 219-7 +- arm: reenable lto. gcc-5.0.0-0.16 fixed the crash (#1193212) + +* Tue Feb 24 2015 Colin Walters - 219-6 +- Revert patch that breaks Atomic/OSTree (#1195761) + +* Fri Feb 20 2015 Michal Schmidt - 219-5 +- Undo the resolv.conf workaround, Aim for a proper fix in Rawhide. + +* Fri Feb 20 2015 Michal Schmidt - 219-4 +- Revive fedora-disable-resolv.conf-symlink.patch to unbreak composes. + +* Wed Feb 18 2015 Michal Schmidt - 219-3 +- arm: disabling gold did not help; disable lto instead (#1193212) + +* Tue Feb 17 2015 Peter Jones - 219-2 +- Update 90-default.present for dbxtool. + +* Mon Feb 16 2015 Lennart Poettering - 219-1 +- New upstream release +- This removes the sysctl/bridge hack, a different solution needs to be found for this (see #634736) +- This removes the /etc/resolv.conf hack, anaconda needs to fix their handling of /etc/resolv.conf as symlink +- This enables "%%check" +- disable gold on arm, as that is broken (see #1193212) + +* Mon Feb 16 2015 Peter Robinson 218-6 +- aarch64 now has seccomp support + +* Thu Feb 05 2015 Michal Schmidt - 218-5 +- Don't overwrite systemd.macros with unrelated Source file. + +* Thu Feb 5 2015 Jan Synáček - 218-4 +- Add a touchpad hwdb (#1189319) + +* Thu Jan 15 2015 Zbigniew Jędrzejewski-Szmek - 218-4 +- Enable xkbcommon dependency to allow checking of keymaps +- Fix permissions of /var/log/journal (#1048424) +- Enable timedatex in presets (#1187072) +- Disable rpcbind in presets (#1099595) + +* Wed Jan 7 2015 Jan Synáček - 218-3 +- RFE: journal: automatically rotate the file if it is unlinked (#1171719) + +* Mon Jan 05 2015 Zbigniew Jędrzejewski-Szmek - 218-3 +- Add firewall description files (#1176626) + +* Thu Dec 18 2014 Jan Synáček - 218-2 +- systemd-nspawn doesn't work on s390/s390x (#1175394) + +* Wed Dec 10 2014 Lennart Poettering - 218-1 +- New upstream release +- Enable "nss-mymachines" in /etc/nsswitch.conf + +* Thu Nov 06 2014 Zbigniew Jędrzejewski-Szmek - 217-4 +- Change libgudev1 to only require systemd-libs (#727499), there's + no need to require full systemd stack. +- Fixes for bugs #1159448, #1152220, #1158035. +- Bash completions updates to allow propose more units for start/restart, + and completions for set-default,get-default. +- Again allow systemctl enable of instances. +- Hardware database update and fixes. +- Udev crash on invalid options and kernel commandline timeout parsing are fixed. +- Add "embedded" chassis type. +- Sync before 'reboot -f'. +- Fix restarting of timer units. + +* Wed Nov 05 2014 Michal Schmidt - 217-3 +- Fix hanging journal flush (#1159641) + +* Fri Oct 31 2014 Michal Schmidt - 217-2 +- Fix ordering cycles involving systemd-journal-flush.service and + remote-fs.target (#1159117) + +* Tue Oct 28 2014 Lennart Poettering - 217-1 +- New upstream release + +* Fri Oct 17 2014 Zbigniew Jędrzejewski-Szmek - 216-12 +- Drop PackageKit.service from presets (#1154126) + +* Mon Oct 13 2014 Zbigniew Jędrzejewski-Szmek - 216-11 +- Conflict with old versions of initscripts (#1152183) +- Remove obsolete Finnish keymap (#1151958) + +* Fri Oct 10 2014 Zbigniew Jędrzejewski-Szmek - 216-10 +- Fix a problem with voluntary daemon exits and some other bugs + (#1150477, #1095962, #1150289) + +* Fri Oct 03 2014 Zbigniew Jędrzejewski-Szmek - 216-9 +- Update to latest git, but without the readahead removal patch + (#1114786, #634736) + +* Wed Oct 01 2014 Kay Sievers - 216-8 +- revert "don't reset selinux context during CHANGE events" + +* Wed Oct 01 2014 Lukáš Nykrýn - 216-7 +- add temporary workaround for #1147910 +- don't reset selinux context during CHANGE events + +* Wed Sep 10 2014 Michal Schmidt - 216-6 +- Update timesyncd with patches to avoid hitting NTP pool too often. + +* Tue Sep 09 2014 Michal Schmidt - 216-5 +- Use common CONFIGURE_OPTS for build2 and build3. +- Configure timesyncd with NTP servers from Fedora/RHEL vendor zone. + +* Wed Sep 03 2014 Zbigniew Jędrzejewski-Szmek - 216-4 +- Move config files for sd-j-remote/upload to sd-journal-gateway subpackage (#1136580) + +* Thu Aug 28 2014 Peter Robinson 216-3 +- Drop no LTO build option for aarch64/s390 now it's fixed in binutils (RHBZ 1091611) + +* Thu Aug 21 2014 Zbigniew Jędrzejewski-Szmek - 216-2 +- Re-add patch to disable resolve.conf symlink (#1043119) + +* Wed Aug 20 2014 Lennart Poettering - 216-1 +- New upstream release + +* Mon Aug 18 2014 Fedora Release Engineering - 215-12 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild + +* Wed Aug 13 2014 Dan Horák 215-11 +- disable LTO also on s390(x) + +* Sat Aug 09 2014 Harald Hoyer 215-10 +- fixed PPC64LE + +* Wed Aug 6 2014 Tom Callaway - 215-9 +- fix license handling + +* Wed Jul 30 2014 Zbigniew Jędrzejewski-Szmek - 215-8 +- Create systemd-journal-remote and systemd-journal-upload users (#1118907) + +* Thu Jul 24 2014 Zbigniew Jędrzejewski-Szmek - 215-7 +- Split out systemd-compat-libs subpackage + +* Tue Jul 22 2014 Kalev Lember - 215-6 +- Rebuilt for gobject-introspection 1.41.4 + +* Mon Jul 21 2014 Zbigniew Jędrzejewski-Szmek - 215-5 +- Fix SELinux context of /etc/passwd-, /etc/group-, /etc/.updated (#1121806) +- Add missing BR so gnutls and elfutils are used + +* Sat Jul 19 2014 Zbigniew Jędrzejewski-Szmek - 215-4 +- Various man page updates +- Static device node logic is conditionalized on CAP_SYS_MODULES instead of CAP_MKNOD + for better behaviour in containers +- Some small networkd link handling fixes +- vconsole-setup runs setfont before loadkeys (https://bugs.freedesktop.org/show_bug.cgi?id=80685) +- New systemd-escape tool +- XZ compression settings are tweaked to greatly improve journald performance +- "watch" is accepted as chassis type +- Various sysusers fixes, most importantly correct selinux labels +- systemd-timesyncd bug fix (https://bugs.freedesktop.org/show_bug.cgi?id=80932) +- Shell completion improvements +- New udev tag ID_SOFTWARE_RADIO can be used to instruct logind to allow user access +- XEN and s390 virtualization is properly detected + +* Mon Jul 07 2014 Colin Walters - 215-3 +- Add patch to disable resolve.conf symlink (#1043119) + +* Sun Jul 06 2014 Zbigniew Jędrzejewski-Szmek - 215-2 +- Move systemd-journal-remote to systemd-journal-gateway package (#1114688) +- Disable /etc/mtab handling temporarily (#1116158) + +* Thu Jul 03 2014 Lennart Poettering - 215-1 +- New upstream release +- Enable coredump logic (which abrt would normally override) + +* Sun Jun 29 2014 Peter Robinson 214-5 +- On aarch64 disable LTO as it still has issues on that arch + +* Thu Jun 26 2014 Zbigniew Jędrzejewski-Szmek - 214-4 +- Bugfixes (#996133, #1112908) + +* Mon Jun 23 2014 Zbigniew Jędrzejewski-Szmek - 214-3 +- Actually create input group (#1054549) + +* Sun Jun 22 2014 Zbigniew Jędrzejewski-Szmek - 214-2 +- Do not restart systemd-logind on upgrades (#1110697) +- Add some patches (#1081429, #1054549, #1108568, #928962) + +* Wed Jun 11 2014 Lennart Poettering - 214-1 +- New upstream release +- Get rid of "floppy" group, since udev uses "disk" now +- Reenable LTO + +* Sun Jun 08 2014 Fedora Release Engineering - 213-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild + +* Wed May 28 2014 Kay Sievers - 213-3 +- fix systemd-timesync user creation + +* Wed May 28 2014 Michal Sekletar - 213-2 +- Create temporary files after installation (#1101983) +- Add sysstat-collect.timer, sysstat-summary.timer to preset policy (#1101621) + +* Wed May 28 2014 Kay Sievers - 213-1 +- New upstream release + +* Tue May 27 2014 Kalev Lember - 212-6 +- Rebuilt for https://fedoraproject.org/wiki/Changes/Python_3.4 + +* Fri May 23 2014 Adam Williamson - 212-5 +- revert change from 212-4, causes boot fail on single CPU boxes (RHBZ 1095891) + +* Wed May 07 2014 Kay Sievers - 212-4 +- add netns udev workaround + +* Wed May 07 2014 Michal Sekletar - 212-3 +- enable uuidd.socket by default (#1095353) + +* Sat Apr 26 2014 Peter Robinson 212-2 +- Disable building with -flto for the moment due to gcc 4.9 issues (RHBZ 1091611) + +* Tue Mar 25 2014 Lennart Poettering - 212-1 +- New upstream release + +* Mon Mar 17 2014 Peter Robinson 211-2 +- Explicitly define which upstream platforms support libseccomp + +* Tue Mar 11 2014 Lennart Poettering - 211-1 +- New upstream release + +* Mon Mar 10 2014 Zbigniew Jędrzejewski-Szmek - 210-8 +- Fix logind unpriviledged reboot issue and a few other minor fixes +- Limit generator execution time +- Recognize buttonless joystick types + +* Fri Mar 07 2014 Karsten Hopp 210-7 +- ppc64le needs link warnings disabled, too + +* Fri Mar 07 2014 Karsten Hopp 210-6 +- move ifarch ppc64le to correct place (libseccomp req) + +* Fri Mar 07 2014 Zbigniew Jędrzejewski-Szmek - 210-5 +- Bugfixes: #1047568, #1047039, #1071128, #1073402 +- Bash completions for more systemd tools +- Bluetooth database update +- Manpage fixes + +* Thu Mar 06 2014 Zbigniew Jędrzejewski-Szmek - 210-4 +- Apply work-around for ppc64le too (#1073647). + +* Sat Mar 01 2014 Zbigniew Jędrzejewski-Szmek - 210-3 +- Backport a few patches, add completion for systemd-nspawn. + +* Fri Feb 28 2014 Zbigniew Jędrzejewski-Szmek - 210-3 +- Apply work-arounds for ppc/ppc64 for bugs 1071278 and 1071284 + +* Mon Feb 24 2014 Lennart Poettering - 210-2 +- Check more services against preset list and enable by default + +* Mon Feb 24 2014 Lennart Poettering - 210-1 +- new upstream release + +* Sun Feb 23 2014 Zbigniew Jędrzejewski-Szmek - 209-2.gitf01de96 +- Enable dnssec-triggerd.service by default (#1060754) + +* Sun Feb 23 2014 Kay Sievers - 209-2.gitf01de96 +- git snapshot to sort out ARM build issues + +* Thu Feb 20 2014 Lennart Poettering - 209-1 +- new upstream release + +* Tue Feb 18 2014 Zbigniew Jędrzejewski-Szmek - 208-15 +- Make gpsd lazily activated (#1066421) + +* Mon Feb 17 2014 Zbigniew Jędrzejewski-Szmek - 208-14 +- Back out patch which causes user manager to be destroyed when unneeded + and spams logs (#1053315) + +* Sun Feb 16 2014 Zbigniew Jędrzejewski-Szmek - 208-13 +- A different fix for #1023820 taken from Mageia +- Backported fix for #997031 +- Hardward database updates, man pages improvements, a few small memory + leaks, utf-8 correctness and completion fixes +- Support for key-slot option in crypttab + +* Sat Jan 25 2014 Ville Skyttä - 208-12 +- Own the %%{_prefix}/lib/kernel(/*) and %%{_datadir}/zsh(/*) dirs. + +* Tue Dec 03 2013 Zbigniew Jędrzejewski-Szmek - 208-11 +- Backport a few fixes, relevant documentation updates, and HWDB changes + (#1051797, #1051768, #1047335, #1047304, #1047186, #1045849, #1043304, + #1043212, #1039351, #1031325, #1023820, #1017509, #953077) +- Flip journalctl to --full by default (#984758) + +* Tue Dec 03 2013 Zbigniew Jędrzejewski-Szmek - 208-9 +- Apply two patches for #1026860 + +* Tue Dec 03 2013 Zbigniew Jędrzejewski-Szmek - 208-8 +- Bump release to stay ahead of f20 + +* Tue Dec 03 2013 Zbigniew Jędrzejewski-Szmek - 208-7 +- Backport patches (#1023041, #1036845, #1006386?) +- HWDB update +- Some small new features: nspawn --drop-capability=, running PID 1 under + valgrind, "yearly" and "annually" in calendar specifications +- Some small documentation and logging updates + +* Tue Nov 19 2013 Zbigniew Jędrzejewski-Szmek - 208-6 +- Bump release to stay ahead of f20 + +* Tue Nov 19 2013 Zbigniew Jędrzejewski-Szmek - 208-5 +- Use unit name in PrivateTmp= directories (#957439) +- Update manual pages, completion scripts, and hardware database +- Configurable Timeouts/Restarts default values +- Support printing of timestamps on the console +- Fix some corner cases in detecting when writing to the console is safe +- Python API: convert keyword values to string, fix sd_is_booted() wrapper +- Do not tread missing /sbin/fsck.btrfs as an error (#1015467) +- Allow masking of fsck units +- Advertise hibernation to swap files +- Fix SO_REUSEPORT settings +- Prefer converted xkb keymaps to legacy keymaps (#981805, #1026872) +- Make use of newer kmod +- Assorted bugfixes: #1017161, #967521, #988883, #1027478, #821723, #1014303 + +* Tue Oct 22 2013 Zbigniew Jędrzejewski-Szmek - 208-4 +- Add temporary fix for #1002806 + +* Mon Oct 21 2013 Zbigniew Jędrzejewski-Szmek - 208-3 +- Backport a bunch of fixes and hwdb updates + +* Wed Oct 2 2013 Lennart Poettering - 208-2 +- Move old random seed and backlight files into the right place + +* Wed Oct 2 2013 Lennart Poettering - 208-1 +- New upstream release + +* Thu Sep 26 2013 Zbigniew Jędrzejewski-Szmek 207-5 +- Do not create /var/var/... dirs + +* Wed Sep 18 2013 Zbigniew Jędrzejewski-Szmek 207-4 +- Fix policykit authentication +- Resolves: rhbz#1006680 + +* Tue Sep 17 2013 Harald Hoyer 207-3 +- fixed login +- Resolves: rhbz#1005233 + +* Mon Sep 16 2013 Harald Hoyer 207-2 +- add some upstream fixes for 207 +- fixed swap activation +- Resolves: rhbz#1008604 + +* Fri Sep 13 2013 Lennart Poettering - 207-1 +- New upstream release + +* Fri Sep 06 2013 Harald Hoyer 206-11 +- support "debug" kernel command line parameter +- journald: fix fd leak in journal_file_empty +- journald: fix vacuuming of archived journals +- libudev: enumerate - do not try to match against an empty subsystem +- cgtop: fixup the online help +- libudev: fix memleak when enumerating childs + +* Wed Sep 04 2013 Harald Hoyer 206-10 +- Do not require grubby, lorax now takes care of grubby +- cherry-picked a lot of patches from upstream + +* Tue Aug 27 2013 Dennis Gilmore - 206-9 +- Require grubby, Fedora installs require grubby, +- kernel-install took over from new-kernel-pkg +- without the Requires we are unable to compose Fedora +- everyone else says that since kernel-install took over +- it is responsible for ensuring that grubby is in place +- this is really what we want for Fedora + +* Tue Aug 27 2013 Kay Sievers - 206-8 +- Revert "Require grubby its needed by kernel-install" + +* Mon Aug 26 2013 Dennis Gilmore 206-7 +- Require grubby its needed by kernel-install + +* Thu Aug 22 2013 Harald Hoyer 206-6 +- kernel-install now understands kernel flavors like PAE + +* Tue Aug 20 2013 Rex Dieter - 206-5 +- add sddm.service to preset file (#998978) + +* Fri Aug 16 2013 Zbigniew Jędrzejewski-Szmek - 206-4 +- Filter out provides for private python modules. +- Add requires on kmod >= 14 (#990994). + +* Sun Aug 11 2013 Zbigniew Jedrzejewski-Szmek - 206-3 +- New systemd-python3 package (#976427). +- Add ownership of a few directories that we create (#894202). + +* Sun Aug 04 2013 Fedora Release Engineering - 206-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild + +* Tue Jul 23 2013 Kay Sievers - 206-1 +- New upstream release + Resolves (#984152) + +* Wed Jul 3 2013 Lennart Poettering - 205-1 +- New upstream release + +* Wed Jun 26 2013 Michal Schmidt 204-10 +- Split systemd-journal-gateway subpackage (#908081). + +* Mon Jun 24 2013 Michal Schmidt 204-9 +- Rename nm_dispatcher to NetworkManager-dispatcher in default preset (#977433) + +* Fri Jun 14 2013 Harald Hoyer 204-8 +- fix, which helps to sucessfully browse journals with + duplicated seqnums + +* Fri Jun 14 2013 Harald Hoyer 204-7 +- fix duplicate message ID bug +Resolves: rhbz#974132 + +* Thu Jun 06 2013 Harald Hoyer 204-6 +- introduce 99-default-disable.preset + +* Thu Jun 6 2013 Lennart Poettering - 204-5 +- Rename 90-display-manager.preset to 85-display-manager.preset so that it actually takes precedence over 90-default.preset's "disable *" line (#903690) + +* Tue May 28 2013 Harald Hoyer 204-4 +- Fix kernel-install (#965897) + +* Wed May 22 2013 Kay Sievers - 204-3 +- Fix kernel-install (#965897) + +* Thu May 9 2013 Lennart Poettering - 204-2 +- New upstream release +- disable isdn by default (#959793) + +* Tue May 07 2013 Harald Hoyer 203-2 +- forward port kernel-install-grubby.patch + +* Tue May 7 2013 Lennart Poettering - 203-1 +- New upstream release + +* Wed Apr 24 2013 Harald Hoyer 202-3 +- fix ENOENT for getaddrinfo +- Resolves: rhbz#954012 rhbz#956035 +- crypt-setup-generator: correctly check return of strdup +- logind-dbus: initialize result variable +- prevent library underlinking + +* Fri Apr 19 2013 Harald Hoyer 202-2 +- nspawn create empty /etc/resolv.conf if necessary +- python wrapper: add sd_journal_add_conjunction() +- fix s390 booting +- Resolves: rhbz#953217 + +* Thu Apr 18 2013 Lennart Poettering - 202-1 +- New upstream release + +* Tue Apr 09 2013 Michal Schmidt - 201-2 +- Automatically discover whether to run autoreconf and add autotools and git + BuildRequires based on the presence of patches to be applied. +- Use find -delete. + +* Mon Apr 8 2013 Lennart Poettering - 201-1 +- New upstream release + +* Mon Apr 8 2013 Lennart Poettering - 200-4 +- Update preset file + +* Fri Mar 29 2013 Lennart Poettering - 200-3 +- Remove NetworkManager-wait-online.service from presets file again, it should default to off + +* Fri Mar 29 2013 Lennart Poettering - 200-2 +- New upstream release + +* Tue Mar 26 2013 Lennart Poettering - 199-2 +- Add NetworkManager-wait-online.service to the presets file + +* Tue Mar 26 2013 Lennart Poettering - 199-1 +- New upstream release + +* Mon Mar 18 2013 Michal Schmidt 198-7 +- Drop /usr/s?bin/ prefixes. + +* Fri Mar 15 2013 Harald Hoyer 198-6 +- run autogen to pickup all changes + +* Fri Mar 15 2013 Harald Hoyer 198-5 +- do not mount anything, when not running as pid 1 +- add initrd.target for systemd in the initrd + +* Wed Mar 13 2013 Harald Hoyer 198-4 +- fix switch-root and local-fs.target problem +- patch kernel-install to use grubby, if available + +* Fri Mar 08 2013 Harald Hoyer 198-3 +- add Conflict with dracut < 026 because of the new switch-root isolate + +* Thu Mar 7 2013 Lennart Poettering - 198-2 +- Create required users + +* Thu Mar 7 2013 Lennart Poettering - 198-1 +- New release +- Enable journal persistancy by default + +* Sun Feb 10 2013 Peter Robinson 197-3 +- Bump for ARM + +* Fri Jan 18 2013 Michal Schmidt - 197-2 +- Added qemu-guest-agent.service to presets (Lennart, #885406). +- Add missing pygobject3-base to systemd-analyze deps (Lennart). +- Do not require hwdata, it is all in the hwdb now (Kay). +- Drop dependency on dbus-python. + +* Tue Jan 8 2013 Lennart Poettering - 197-1 +- New upstream release + +* Mon Dec 10 2012 Michal Schmidt - 196-4 +- Enable rngd.service by default (#857765). + +* Mon Dec 10 2012 Michal Schmidt - 196-3 +- Disable hardening on s390(x) because PIE is broken there and produces + text relocations with __thread (#868839). + +* Wed Dec 05 2012 Michal Schmidt - 196-2 +- added spice-vdagentd.service to presets (Lennart, #876237) +- BR cryptsetup-devel instead of the legacy cryptsetup-luks-devel provide name + (requested by Milan Brož). +- verbose make to see the actual build flags + +* Wed Nov 21 2012 Lennart Poettering - 196-1 +- New upstream release + +* Tue Nov 20 2012 Lennart Poettering - 195-8 +- https://bugzilla.redhat.com/show_bug.cgi?id=873459 +- https://bugzilla.redhat.com/show_bug.cgi?id=878093 + +* Thu Nov 15 2012 Michal Schmidt - 195-7 +- Revert udev killing cgroup patch for F18 Beta. +- https://bugzilla.redhat.com/show_bug.cgi?id=873576 + +* Fri Nov 09 2012 Michal Schmidt - 195-6 +- Fix cyclical dep between systemd and systemd-libs. +- Avoid broken build of test-journal-syslog. +- https://bugzilla.redhat.com/show_bug.cgi?id=873387 +- https://bugzilla.redhat.com/show_bug.cgi?id=872638 + +* Thu Oct 25 2012 Kay Sievers - 195-5 +- require 'sed', limit HOSTNAME= match + +* Wed Oct 24 2012 Michal Schmidt - 195-4 +- add dmraid-activation.service to the default preset +- add yum protected.d fragment +- https://bugzilla.redhat.com/show_bug.cgi?id=869619 +- https://bugzilla.redhat.com/show_bug.cgi?id=869717 + +* Wed Oct 24 2012 Kay Sievers - 195-3 +- Migrate /etc/sysconfig/ i18n, keyboard, network files/variables to + systemd native files + +* Tue Oct 23 2012 Lennart Poettering - 195-2 +- Provide syslog because the journal is fine as a syslog implementation + +* Tue Oct 23 2012 Lennart Poettering - 195-1 +- New upstream release +- https://bugzilla.redhat.com/show_bug.cgi?id=831665 +- https://bugzilla.redhat.com/show_bug.cgi?id=847720 +- https://bugzilla.redhat.com/show_bug.cgi?id=858693 +- https://bugzilla.redhat.com/show_bug.cgi?id=863481 +- https://bugzilla.redhat.com/show_bug.cgi?id=864629 +- https://bugzilla.redhat.com/show_bug.cgi?id=864672 +- https://bugzilla.redhat.com/show_bug.cgi?id=864674 +- https://bugzilla.redhat.com/show_bug.cgi?id=865128 +- https://bugzilla.redhat.com/show_bug.cgi?id=866346 +- https://bugzilla.redhat.com/show_bug.cgi?id=867407 +- https://bugzilla.redhat.com/show_bug.cgi?id=868603 + +* Wed Oct 10 2012 Michal Schmidt - 194-2 +- Add scriptlets for migration away from systemd-timedated-ntp.target + +* Wed Oct 3 2012 Lennart Poettering - 194-1 +- New upstream release +- https://bugzilla.redhat.com/show_bug.cgi?id=859614 +- https://bugzilla.redhat.com/show_bug.cgi?id=859655 + +* Fri Sep 28 2012 Lennart Poettering - 193-1 +- New upstream release + +* Tue Sep 25 2012 Lennart Poettering - 192-1 +- New upstream release + +* Fri Sep 21 2012 Lennart Poettering - 191-2 +- Fix journal mmap header prototype definition to fix compilation on 32bit + +* Fri Sep 21 2012 Lennart Poettering - 191-1 +- New upstream release +- Enable all display managers by default, as discussed with Adam Williamson + +* Thu Sep 20 2012 Lennart Poettering - 190-1 +- New upstream release +- Take possession of /etc/localtime, and remove /etc/sysconfig/clock +- https://bugzilla.redhat.com/show_bug.cgi?id=858780 +- https://bugzilla.redhat.com/show_bug.cgi?id=858787 +- https://bugzilla.redhat.com/show_bug.cgi?id=858771 +- https://bugzilla.redhat.com/show_bug.cgi?id=858754 +- https://bugzilla.redhat.com/show_bug.cgi?id=858746 +- https://bugzilla.redhat.com/show_bug.cgi?id=858266 +- https://bugzilla.redhat.com/show_bug.cgi?id=858224 +- https://bugzilla.redhat.com/show_bug.cgi?id=857670 +- https://bugzilla.redhat.com/show_bug.cgi?id=856975 +- https://bugzilla.redhat.com/show_bug.cgi?id=855863 +- https://bugzilla.redhat.com/show_bug.cgi?id=851970 +- https://bugzilla.redhat.com/show_bug.cgi?id=851275 +- https://bugzilla.redhat.com/show_bug.cgi?id=851131 +- https://bugzilla.redhat.com/show_bug.cgi?id=847472 +- https://bugzilla.redhat.com/show_bug.cgi?id=847207 +- https://bugzilla.redhat.com/show_bug.cgi?id=846483 +- https://bugzilla.redhat.com/show_bug.cgi?id=846085 +- https://bugzilla.redhat.com/show_bug.cgi?id=845973 +- https://bugzilla.redhat.com/show_bug.cgi?id=845194 +- https://bugzilla.redhat.com/show_bug.cgi?id=845028 +- https://bugzilla.redhat.com/show_bug.cgi?id=844630 +- https://bugzilla.redhat.com/show_bug.cgi?id=839736 +- https://bugzilla.redhat.com/show_bug.cgi?id=835848 +- https://bugzilla.redhat.com/show_bug.cgi?id=831740 +- https://bugzilla.redhat.com/show_bug.cgi?id=823485 +- https://bugzilla.redhat.com/show_bug.cgi?id=821813 +- https://bugzilla.redhat.com/show_bug.cgi?id=807886 +- https://bugzilla.redhat.com/show_bug.cgi?id=802198 +- https://bugzilla.redhat.com/show_bug.cgi?id=767795 +- https://bugzilla.redhat.com/show_bug.cgi?id=767561 +- https://bugzilla.redhat.com/show_bug.cgi?id=752774 +- https://bugzilla.redhat.com/show_bug.cgi?id=732874 +- https://bugzilla.redhat.com/show_bug.cgi?id=858735 + +* Thu Sep 13 2012 Lennart Poettering - 189-4 +- Don't pull in pkg-config as dep +- https://bugzilla.redhat.com/show_bug.cgi?id=852828 + +* Wed Sep 12 2012 Lennart Poettering - 189-3 +- Update preset policy +- Rename preset policy file from 99-default.preset to 90-default.preset so that people can order their own stuff after the Fedora default policy if they wish + +* Thu Aug 23 2012 Lennart Poettering - 189-2 +- Update preset policy +- https://bugzilla.redhat.com/show_bug.cgi?id=850814 + +* Thu Aug 23 2012 Lennart Poettering - 189-1 +- New upstream release + +* Thu Aug 16 2012 Ray Strode 188-4 +- more scriptlet fixes + (move dm migration logic to %%posttrans so the service + files it's looking for are available at the time + the logic is run) + +* Sat Aug 11 2012 Lennart Poettering - 188-3 +- Remount file systems MS_PRIVATE before switching roots +- https://bugzilla.redhat.com/show_bug.cgi?id=847418 + +* Wed Aug 08 2012 Rex Dieter - 188-2 +- fix scriptlets + +* Wed Aug 8 2012 Lennart Poettering - 188-1 +- New upstream release +- Enable gdm and avahi by default via the preset file +- Convert /etc/sysconfig/desktop to display-manager.service symlink +- Enable hardened build + +* Mon Jul 30 2012 Kay Sievers - 187-3 +- Obsolete: system-setup-keyboard + +* Wed Jul 25 2012 Kalev Lember - 187-2 +- Run ldconfig for the new -libs subpackage + +* Thu Jul 19 2012 Lennart Poettering - 187-1 +- New upstream release + +* Mon Jul 09 2012 Harald Hoyer 186-2 +- fixed dracut conflict version + +* Tue Jul 3 2012 Lennart Poettering - 186-1 +- New upstream release + +* Fri Jun 22 2012 Nils Philippsen - 185-7.gite7aee75 +- add obsoletes/conflicts so multilib systemd -> systemd-libs updates work + +* Thu Jun 14 2012 Michal Schmidt - 185-6.gite7aee75 +- Update to current git + +* Wed Jun 06 2012 Kay Sievers - 185-5.gita2368a3 +- disable plymouth in configure, to drop the .wants/ symlinks + +* Wed Jun 06 2012 Michal Schmidt - 185-4.gita2368a3 +- Update to current git snapshot + - Add systemd-readahead-analyze + - Drop upstream patch +- Split systemd-libs +- Drop duplicate doc files +- Fixed License headers of subpackages + +* Wed Jun 06 2012 Ray Strode - 185-3 +- Drop plymouth files +- Conflict with old plymouth + +* Tue Jun 05 2012 Kay Sievers - 185-2 +- selinux udev labeling fix +- conflict with older dracut versions for new udev file names + +* Mon Jun 04 2012 Kay Sievers - 185-1 +- New upstream release + - udev selinux labeling fixes + - new man pages + - systemctl help + +* Thu May 31 2012 Lennart Poettering - 184-1 +- New upstream release + +* Thu May 24 2012 Kay Sievers - 183-1 +- New upstream release including udev merge. + +* Wed Mar 28 2012 Michal Schmidt - 44-4 +- Add triggers from Bill Nottingham to correct the damage done by + the obsoleted systemd-units's preun scriptlet (#807457). + +* Mon Mar 26 2012 Dennis Gilmore - 44-3 +- apply patch from upstream so we can build systemd on arm and ppc +- and likely the rest of the secondary arches + +* Tue Mar 20 2012 Michal Schmidt - 44-2 +- Don't build the gtk parts anymore. They're moving into systemd-ui. +- Remove a dead patch file. + +* Fri Mar 16 2012 Lennart Poettering - 44-1 +- New upstream release +- Closes #798760, #784921, #783134, #768523, #781735 + +* Mon Feb 27 2012 Dennis Gilmore - 43-2 +- don't conflict with fedora-release systemd never actually provided +- /etc/os-release so there is no actual conflict + +* Wed Feb 15 2012 Lennart Poettering - 43-1 +- New upstream release +- Closes #789758, #790260, #790522 + +* Sat Feb 11 2012 Lennart Poettering - 42-1 +- New upstream release +- Save a bit of entropy during system installation (#789407) +- Don't own /etc/os-release anymore, leave that to fedora-release + +* Thu Feb 9 2012 Adam Williamson - 41-2 +- rebuild for fixed binutils + +* Thu Feb 9 2012 Lennart Poettering - 41-1 +- New upstream release + +* Tue Feb 7 2012 Lennart Poettering - 40-1 +- New upstream release + +* Thu Jan 26 2012 Kay Sievers - 39-3 +- provide /sbin/shutdown + +* Wed Jan 25 2012 Harald Hoyer 39-2 +- increment release + +* Wed Jan 25 2012 Kay Sievers - 39-1.1 +- install everything in /usr + https://fedoraproject.org/wiki/Features/UsrMove + +* Wed Jan 25 2012 Lennart Poettering - 39-1 +- New upstream release + +* Sun Jan 22 2012 Michal Schmidt - 38-6.git9fa2f41 +- Update to a current git snapshot. +- Resolves: #781657 + +* Sun Jan 22 2012 Michal Schmidt - 38-5 +- Build against libgee06. Reenable gtk tools. +- Delete unused patches. +- Add easy building of git snapshots. +- Remove legacy spec file elements. +- Don't mention implicit BuildRequires. +- Configure with --disable-static. +- Merge -units into the main package. +- Move section 3 manpages to -devel. +- Fix unowned directory. +- Run ldconfig in scriptlets. +- Split systemd-analyze to a subpackage. + +* Sat Jan 21 2012 Dan Horák - 38-4 +- fix build on big-endians + +* Wed Jan 11 2012 Lennart Poettering - 38-3 +- Disable building of gtk tools for now + +* Wed Jan 11 2012 Lennart Poettering - 38-2 +- Fix a few (build) dependencies + +* Wed Jan 11 2012 Lennart Poettering - 38-1 +- New upstream release + +* Tue Nov 15 2011 Michal Schmidt - 37-4 +- Run authconfig if /etc/pam.d/system-auth is not a symlink. +- Resolves: #753160 + +* Wed Nov 02 2011 Michal Schmidt - 37-3 +- Fix remote-fs-pre.target and its ordering. +- Resolves: #749940 + +* Wed Oct 19 2011 Michal Schmidt - 37-2 +- A couple of fixes from upstream: +- Fix a regression in bash-completion reported in Bodhi. +- Fix a crash in isolating. +- Resolves: #717325 + +* Tue Oct 11 2011 Lennart Poettering - 37-1 +- New upstream release +- Resolves: #744726, #718464, #713567, #713707, #736756 + +* Thu Sep 29 2011 Michal Schmidt - 36-5 +- Undo the workaround. Kay says it does not belong in systemd. +- Unresolves: #741655 + +* Thu Sep 29 2011 Michal Schmidt - 36-4 +- Workaround for the crypto-on-lvm-on-crypto disk layout +- Resolves: #741655 + +* Sun Sep 25 2011 Michal Schmidt - 36-3 +- Revert an upstream patch that caused ordering cycles +- Resolves: #741078 + +* Fri Sep 23 2011 Lennart Poettering - 36-2 +- Add /etc/timezone to ghosted files + +* Fri Sep 23 2011 Lennart Poettering - 36-1 +- New upstream release +- Resolves: #735013, #736360, #737047, #737509, #710487, #713384 + +* Thu Sep 1 2011 Lennart Poettering - 35-1 +- New upstream release +- Update post scripts +- Resolves: #726683, #713384, #698198, #722803, #727315, #729997, #733706, #734611 + +* Thu Aug 25 2011 Lennart Poettering - 34-1 +- New upstream release + +* Fri Aug 19 2011 Harald Hoyer 33-2 +- fix ABRT on service file reloading +- Resolves: rhbz#732020 + +* Wed Aug 3 2011 Lennart Poettering - 33-1 +- New upstream release + +* Fri Jul 29 2011 Lennart Poettering - 32-1 +- New upstream release + +* Wed Jul 27 2011 Lennart Poettering - 31-2 +- Fix access mode of modprobe file, restart logind after upgrade + +* Wed Jul 27 2011 Lennart Poettering - 31-1 +- New upstream release + +* Wed Jul 13 2011 Lennart Poettering - 30-1 +- New upstream release + +* Thu Jun 16 2011 Lennart Poettering - 29-1 +- New upstream release + +* Mon Jun 13 2011 Michal Schmidt - 28-4 +- Apply patches from current upstream. +- Fixes memory size detection on 32-bit with >4GB RAM (BZ712341) + +* Wed Jun 08 2011 Michal Schmidt - 28-3 +- Apply patches from current upstream +- https://bugzilla.redhat.com/show_bug.cgi?id=709909 +- https://bugzilla.redhat.com/show_bug.cgi?id=710839 +- https://bugzilla.redhat.com/show_bug.cgi?id=711015 + +* Sat May 28 2011 Lennart Poettering - 28-2 +- Pull in nss-myhostname + +* Thu May 26 2011 Lennart Poettering - 28-1 +- New upstream release + +* Wed May 25 2011 Lennart Poettering - 26-2 +- Bugfix release +- https://bugzilla.redhat.com/show_bug.cgi?id=707507 +- https://bugzilla.redhat.com/show_bug.cgi?id=707483 +- https://bugzilla.redhat.com/show_bug.cgi?id=705427 +- https://bugzilla.redhat.com/show_bug.cgi?id=707577 + +* Sat Apr 30 2011 Lennart Poettering - 26-1 +- New upstream release +- https://bugzilla.redhat.com/show_bug.cgi?id=699394 +- https://bugzilla.redhat.com/show_bug.cgi?id=698198 +- https://bugzilla.redhat.com/show_bug.cgi?id=698674 +- https://bugzilla.redhat.com/show_bug.cgi?id=699114 +- https://bugzilla.redhat.com/show_bug.cgi?id=699128 + +* Thu Apr 21 2011 Lennart Poettering - 25-1 +- New upstream release +- https://bugzilla.redhat.com/show_bug.cgi?id=694788 +- https://bugzilla.redhat.com/show_bug.cgi?id=694321 +- https://bugzilla.redhat.com/show_bug.cgi?id=690253 +- https://bugzilla.redhat.com/show_bug.cgi?id=688661 +- https://bugzilla.redhat.com/show_bug.cgi?id=682662 +- https://bugzilla.redhat.com/show_bug.cgi?id=678555 +- https://bugzilla.redhat.com/show_bug.cgi?id=628004 + +* Wed Apr 6 2011 Lennart Poettering - 24-1 +- New upstream release +- https://bugzilla.redhat.com/show_bug.cgi?id=694079 +- https://bugzilla.redhat.com/show_bug.cgi?id=693289 +- https://bugzilla.redhat.com/show_bug.cgi?id=693274 +- https://bugzilla.redhat.com/show_bug.cgi?id=693161 + +* Tue Apr 5 2011 Lennart Poettering - 23-1 +- New upstream release +- Include systemd-sysv-convert + +* Fri Apr 1 2011 Lennart Poettering - 22-1 +- New upstream release + +* Wed Mar 30 2011 Lennart Poettering - 21-2 +- The quota services are now pulled in by mount points, hence no need to enable them explicitly + +* Tue Mar 29 2011 Lennart Poettering - 21-1 +- New upstream release + +* Mon Mar 28 2011 Matthias Clasen - 20-2 +- Apply upstream patch to not send untranslated messages to plymouth + +* Tue Mar 8 2011 Lennart Poettering - 20-1 +- New upstream release + +* Tue Mar 1 2011 Lennart Poettering - 19-1 +- New upstream release + +* Wed Feb 16 2011 Lennart Poettering - 18-1 +- New upstream release + +* Mon Feb 14 2011 Bill Nottingham - 17-6 +- bump upstart obsoletes (#676815) + +* Wed Feb 9 2011 Tom Callaway - 17-5 +- add macros.systemd file for %%{_unitdir} + +* Wed Feb 09 2011 Fedora Release Engineering - 17-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild + +* Wed Feb 9 2011 Lennart Poettering - 17-3 +- Fix popen() of systemctl, #674916 + +* Mon Feb 7 2011 Bill Nottingham - 17-2 +- add epoch to readahead obsolete + +* Sat Jan 22 2011 Lennart Poettering - 17-1 +- New upstream release + +* Tue Jan 18 2011 Lennart Poettering - 16-2 +- Drop console.conf again, since it is not shipped in pamtmp.conf + +* Sat Jan 8 2011 Lennart Poettering - 16-1 +- New upstream release + +* Thu Nov 25 2010 Lennart Poettering - 15-1 +- New upstream release + +* Thu Nov 25 2010 Lennart Poettering - 14-1 +- Upstream update +- Enable hwclock-load by default +- Obsolete readahead +- Enable /var/run and /var/lock on tmpfs + +* Fri Nov 19 2010 Lennart Poettering - 13-1 +- new upstream release + +* Wed Nov 17 2010 Bill Nottingham 12-3 +- Fix clash + +* Wed Nov 17 2010 Lennart Poettering - 12-2 +- Don't clash with initscripts for now, so that we don't break the builders + +* Wed Nov 17 2010 Lennart Poettering - 12-1 +- New upstream release + +* Fri Nov 12 2010 Matthias Clasen - 11-2 +- Rebuild with newer vala, libnotify + +* Thu Oct 7 2010 Lennart Poettering - 11-1 +- New upstream release + +* Wed Sep 29 2010 Jesse Keating - 10-6 +- Rebuilt for gcc bug 634757 + +* Thu Sep 23 2010 Bill Nottingham - 10-5 +- merge -sysvinit into main package + +* Mon Sep 20 2010 Bill Nottingham - 10-4 +- obsolete upstart-sysvinit too + +* Fri Sep 17 2010 Bill Nottingham - 10-3 +- Drop upstart requires + +* Tue Sep 14 2010 Lennart Poettering - 10-2 +- Enable audit +- https://bugzilla.redhat.com/show_bug.cgi?id=633771 + +* Tue Sep 14 2010 Lennart Poettering - 10-1 +- New upstream release +- https://bugzilla.redhat.com/show_bug.cgi?id=630401 +- https://bugzilla.redhat.com/show_bug.cgi?id=630225 +- https://bugzilla.redhat.com/show_bug.cgi?id=626966 +- https://bugzilla.redhat.com/show_bug.cgi?id=623456 + +* Fri Sep 3 2010 Bill Nottingham - 9-3 +- move fedora-specific units to initscripts; require newer version thereof + +* Fri Sep 3 2010 Lennart Poettering - 9-2 +- Add missing tarball + +* Fri Sep 3 2010 Lennart Poettering - 9-1 +- New upstream version +- Closes 501720, 614619, 621290, 626443, 626477, 627014, 627785, 628913 + +* Fri Aug 27 2010 Lennart Poettering - 8-3 +- Reexecute after installation, take ownership of /var/run/user +- https://bugzilla.redhat.com/show_bug.cgi?id=627457 +- https://bugzilla.redhat.com/show_bug.cgi?id=627634 + +* Thu Aug 26 2010 Lennart Poettering - 8-2 +- Properly create default.target link + +* Wed Aug 25 2010 Lennart Poettering - 8-1 +- New upstream release + +* Thu Aug 12 2010 Lennart Poettering - 7-3 +- Fix https://bugzilla.redhat.com/show_bug.cgi?id=623561 + +* Thu Aug 12 2010 Lennart Poettering - 7-2 +- Fix https://bugzilla.redhat.com/show_bug.cgi?id=623430 + +* Tue Aug 10 2010 Lennart Poettering - 7-1 +- New upstream release + +* Fri Aug 6 2010 Lennart Poettering - 6-2 +- properly hide output on package installation +- pull in coreutils during package installtion + +* Fri Aug 6 2010 Lennart Poettering - 6-1 +- New upstream release +- Fixes #621200 + +* Wed Aug 4 2010 Lennart Poettering - 5-2 +- Add tarball + +* Wed Aug 4 2010 Lennart Poettering - 5-1 +- Prepare release 5 + +* Tue Jul 27 2010 Bill Nottingham - 4-4 +- Add 'sysvinit-userspace' provide to -sysvinit package to fix upgrade/install (#618537) + +* Sat Jul 24 2010 Lennart Poettering - 4-3 +- Add libselinux to build dependencies + +* Sat Jul 24 2010 Lennart Poettering - 4-2 +- Use the right tarball + +* Sat Jul 24 2010 Lennart Poettering - 4-1 +- New upstream release, and make default + +* Tue Jul 13 2010 Lennart Poettering - 3-3 +- Used wrong tarball + +* Tue Jul 13 2010 Lennart Poettering - 3-2 +- Own /cgroup jointly with libcgroup, since we don't dpend on it anymore + +* Tue Jul 13 2010 Lennart Poettering - 3-1 +- New upstream release + +* Fri Jul 9 2010 Lennart Poettering - 2-0 +- New upstream release + +* Wed Jul 7 2010 Lennart Poettering - 1-0 +- First upstream release + +* Tue Jun 29 2010 Lennart Poettering - 0-0.7.20100629git4176e5 +- New snapshot +- Split off -units package where other packages can depend on without pulling in the whole of systemd + +* Tue Jun 22 2010 Lennart Poettering - 0-0.6.20100622gita3723b +- Add missing libtool dependency. + +* Tue Jun 22 2010 Lennart Poettering - 0-0.5.20100622gita3723b +- Update snapshot + +* Mon Jun 14 2010 Rahul Sundaram - 0-0.4.20100614git393024 +- Pull the latest snapshot that fixes a segfault. Resolves rhbz#603231 + +* Fri Jun 11 2010 Rahul Sundaram - 0-0.3.20100610git2f198e +- More minor fixes as per review + +* Thu Jun 10 2010 Rahul Sundaram - 0-0.2.20100610git2f198e +- Spec improvements from David Hollis + +* Wed Jun 09 2010 Rahul Sundaram - 0-0.1.20090609git2f198e +- Address review comments + +* Tue Jun 01 2010 Rahul Sundaram - 0-0.0.git2010-06-02 +- Initial spec (adopted from Kay Sievers)