diff --git a/SOURCES/1010-pid1-by-default-make-user-units-inherit-their-umask-.patch b/SOURCES/1010-pid1-by-default-make-user-units-inherit-their-umask-.patch new file mode 100644 index 0000000..d008ac8 --- /dev/null +++ b/SOURCES/1010-pid1-by-default-make-user-units-inherit-their-umask-.patch @@ -0,0 +1,117 @@ +From f896e672ec6101ccbb21108345946e834455a25f Mon Sep 17 00:00:00 2001 +From: Franck Bui +Date: Fri, 3 Apr 2020 10:00:25 +0200 +Subject: [PATCH] pid1: by default make user units inherit their umask from the + user manager + +This patch changes the way user managers set the default umask for the units it +manages. + +Indeed one can expect that if user manager's umask is redefined through PAM +(via /etc/login.defs or pam_umask), all its children including the units it +spawns have their umask set to the new value. + +Hence make user units inherit their umask value from their parent instead of +the hard coded value 0022 but allow them to override this value via their unit +file. + +Note that reexecuting managers with 'systemctl daemon-reexec' after changing +UMask= has no effect. To take effect managers need to be restarted with +'systemct restart' instead. This behavior was already present before this +patch. + +Fixes #6077. + +(cherry picked from commit 5e37d1930b41b24c077ce37c6db0e36c745106c7) + +Related: RHEL-28048 +--- + man/systemd.exec.xml | 9 +++++++-- + src/basic/process-util.c | 17 +++++++++++++++++ + src/basic/process-util.h | 1 + + src/core/unit.c | 12 ++++++++++-- + 4 files changed, 35 insertions(+), 4 deletions(-) + +diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml +index b04b4ba552..844c1ce94b 100644 +--- a/man/systemd.exec.xml ++++ b/man/systemd.exec.xml +@@ -590,8 +590,13 @@ CapabilityBoundingSet=~CAP_B CAP_C + UMask= + + Controls the file mode creation mask. Takes an access mode in octal notation. See +- umask2 for details. Defaults +- to 0022. ++ umask2 for ++ details. Defaults to 0022 for system units. For units of the user service manager the default value ++ is inherited from the user instance (whose default is inherited from the system service manager, and ++ thus also is 0022). Hence changing the default value of a user instance, either via ++ UMask= or via a PAM module, will affect the user instance itself and all user ++ units started by the user instance unless a user unit has specified its own ++ UMask=. + + + +diff --git a/src/basic/process-util.c b/src/basic/process-util.c +index 9e2237375d..af44bfab3e 100644 +--- a/src/basic/process-util.c ++++ b/src/basic/process-util.c +@@ -657,6 +657,23 @@ int get_process_ppid(pid_t pid, pid_t *ret) { + return 0; + } + ++int get_process_umask(pid_t pid, mode_t *umask) { ++ _cleanup_free_ char *m = NULL; ++ const char *p; ++ int r; ++ ++ assert(umask); ++ assert(pid >= 0); ++ ++ p = procfs_file_alloca(pid, "status"); ++ ++ r = get_proc_field(p, "Umask", WHITESPACE, &m); ++ if (r == -ENOENT) ++ return -ESRCH; ++ ++ return parse_mode(m, umask); ++} ++ + int wait_for_terminate(pid_t pid, siginfo_t *status) { + siginfo_t dummy; + +diff --git a/src/basic/process-util.h b/src/basic/process-util.h +index a3bd2851b4..9059aad4cc 100644 +--- a/src/basic/process-util.h ++++ b/src/basic/process-util.h +@@ -41,6 +41,7 @@ int get_process_cwd(pid_t pid, char **cwd); + int get_process_root(pid_t pid, char **root); + int get_process_environ(pid_t pid, char **environ); + int get_process_ppid(pid_t pid, pid_t *ppid); ++int get_process_umask(pid_t pid, mode_t *umask); + + int wait_for_terminate(pid_t pid, siginfo_t *status); + +diff --git a/src/core/unit.c b/src/core/unit.c +index 76fb9f8075..d3459dcdd0 100644 +--- a/src/core/unit.c ++++ b/src/core/unit.c +@@ -167,8 +167,16 @@ static void unit_init(Unit *u) { + if (ec) { + exec_context_init(ec); + +- ec->keyring_mode = MANAGER_IS_SYSTEM(u->manager) ? +- EXEC_KEYRING_SHARED : EXEC_KEYRING_INHERIT; ++ if (MANAGER_IS_SYSTEM(u->manager)) ++ ec->keyring_mode = EXEC_KEYRING_SHARED; ++ else { ++ ec->keyring_mode = EXEC_KEYRING_INHERIT; ++ ++ /* User manager might have its umask redefined by PAM or UMask=. In this ++ * case let the units it manages inherit this value by default. They can ++ * still tune this value through their own unit file */ ++ (void) get_process_umask(getpid_cached(), &ec->umask); ++ } + } + + kc = unit_get_kill_context(u); diff --git a/SOURCES/1011-pam-add-call-to-pam_umask.patch b/SOURCES/1011-pam-add-call-to-pam_umask.patch new file mode 100644 index 0000000..d4ea11c --- /dev/null +++ b/SOURCES/1011-pam-add-call-to-pam_umask.patch @@ -0,0 +1,28 @@ +From 49dbe60d4b3c6f111911c8217bc5e7da5a4ba0d0 Mon Sep 17 00:00:00 2001 +From: Michal Sekletar +Date: Wed, 31 May 2023 18:50:12 +0200 +Subject: [PATCH] pam: add call to pam_umask + +Setting umask for user sessions via UMASK setting in /etc/login.defs is +a well-known feature. Let's make sure that user manager also runs with +this umask value. + +Follow-up for 5e37d1930b41b24c077ce37c6db0e36c745106c7. + +(cherry picked from commit 159f1b78576ce91c3932f4867f07361a530875d3) + +Resolves: RHEL-28048 +--- + src/login/systemd-user.m4 | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/login/systemd-user.m4 b/src/login/systemd-user.m4 +index eb291beaed..a194a636d6 100644 +--- a/src/login/systemd-user.m4 ++++ b/src/login/systemd-user.m4 +@@ -10,4 +10,5 @@ session required pam_selinux.so nottys open + session required pam_loginuid.so + session optional pam_keyinit.so force revoke + session required pam_namespace.so ++session optional pam_umask.so silent + session optional pam_systemd.so diff --git a/SOURCES/1012-ci-deploy-systemd-man-to-GitHub-Pages.patch b/SOURCES/1012-ci-deploy-systemd-man-to-GitHub-Pages.patch new file mode 100644 index 0000000..1808f97 --- /dev/null +++ b/SOURCES/1012-ci-deploy-systemd-man-to-GitHub-Pages.patch @@ -0,0 +1,81 @@ +From 045ba12c6337760f0a7f8b0ceb9f998b309e025f Mon Sep 17 00:00:00 2001 +From: Jan Macku +Date: Fri, 9 Feb 2024 14:48:02 +0100 +Subject: [PATCH] ci: deploy systemd man to GitHub Pages + +rhel-only + +Related: RHEL-32494 + +Co-authored-by: Frantisek Sumsal +--- + .github/workflows/deploy-man-pages.yml | 60 ++++++++++++++++++++++++++ + 1 file changed, 60 insertions(+) + create mode 100644 .github/workflows/deploy-man-pages.yml + +diff --git a/.github/workflows/deploy-man-pages.yml b/.github/workflows/deploy-man-pages.yml +new file mode 100644 +index 0000000000..9da38a1687 +--- /dev/null ++++ b/.github/workflows/deploy-man-pages.yml +@@ -0,0 +1,60 @@ ++name: Deploy systemd man to Pages ++ ++on: ++ push: ++ branches: [ rhel-8.10.0 ] ++ paths: ++ - man/* ++ - .github/workflows/deploy-man-pages.yml ++ schedule: ++ # Run every Monday at 4:00 AM UTC ++ - cron: 0 4 * * 1 ++ workflow_dispatch: ++ ++permissions: ++ contents: read ++ ++# Allow only one concurrent deployment, skipping runs queued between the run in-progress and latest queued. ++# However, do NOT cancel in-progress runs as we want to allow these production deployments to complete. ++concurrency: ++ group: pages ++ cancel-in-progress: false ++ ++jobs: ++ # Single deploy job since we're just deploying ++ deploy: ++ environment: ++ name: github-pages ++ url: ${{ steps.deployment.outputs.page_url }} ++ runs-on: ubuntu-latest ++ ++ permissions: ++ pages: write ++ id-token: write ++ ++ steps: ++ - uses: actions/checkout@v4 ++ ++ - name: Install dependencies ++ run: | ++ RELEASE="$(lsb_release -cs)" ++ sudo add-apt-repository -y --no-update --enable-source ++ sudo apt-get -y update ++ sudo apt-get -y build-dep systemd ++ ++ - name: Build HTML man pages ++ run: | ++ meson setup build ++ ninja -C build man/html ++ ++ - name: Setup Pages ++ uses: actions/configure-pages@v4 ++ ++ - name: Upload artifact ++ uses: actions/upload-pages-artifact@v3 ++ with: ++ path: ./build/man ++ ++ - name: Deploy to GitHub Pages ++ id: deployment ++ uses: actions/deploy-pages@v4 diff --git a/SOURCES/1013-ci-src-git-update-list-of-supported-products.patch b/SOURCES/1013-ci-src-git-update-list-of-supported-products.patch new file mode 100644 index 0000000..ecb2591 --- /dev/null +++ b/SOURCES/1013-ci-src-git-update-list-of-supported-products.patch @@ -0,0 +1,24 @@ +From 604d2f1c8b6ecb46be7f70c5be7ae6fc6be04cab Mon Sep 17 00:00:00 2001 +From: Jan Macku +Date: Thu, 11 Apr 2024 10:14:51 +0200 +Subject: [PATCH] ci(src-git): update list of supported products + +rhel-only + +Related: RHEL-32494 +--- + .github/tracker-validator.yml | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/.github/tracker-validator.yml b/.github/tracker-validator.yml +index b09f702dd9..1bb684e722 100644 +--- a/.github/tracker-validator.yml ++++ b/.github/tracker-validator.yml +@@ -16,5 +16,5 @@ products: + - rhel-8.8.0.z + - rhel-8.9.0 + - rhel-8.9.0.z +- - rhel-8.10.0 +- - rhel-8.10.0.z ++ - rhel-8.10 ++ - rhel-8.10.z diff --git a/SOURCES/systemd-user b/SOURCES/systemd-user index d1f64c1..6749b68 100644 --- a/SOURCES/systemd-user +++ b/SOURCES/systemd-user @@ -9,4 +9,5 @@ session required pam_selinux.so close session required pam_selinux.so nottys open session required pam_loginuid.so session required pam_namespace.so +session optional pam_umask.so silent session include system-auth diff --git a/SPECS/systemd.spec b/SPECS/systemd.spec index 5c98c78..bf4a6f0 100644 --- a/SPECS/systemd.spec +++ b/SPECS/systemd.spec @@ -13,7 +13,7 @@ Name: systemd Url: http://www.freedesktop.org/wiki/Software/systemd Version: 239 -Release: 82%{?dist}.inferit.1 +Release: 82%{?dist}.1.inferit # For a breakdown of the licensing, see README License: LGPLv2+ and MIT and GPLv2+ Summary: System and Service Manager @@ -1029,6 +1029,40 @@ Patch0976: 0976-tmpfiles-don-t-complain-if-we-can-t-enable-pstore-in.patch Patch0977: 0977-pstore-don-t-enable-crash_kexec_post_notifiers-by-de.patch Patch0978: 0978-core-when-Delegate-yes-is-set-for-a-unit-run-ExecSta.patch Patch0979: 0979-man-link-Delegate-documentation-up-with-the-markdown.patch +Patch0980: 0980-ci-Extend-source-git-automation.patch +Patch0981: 0981-ci-add-missing-configuration-for-commit-linter.patch +Patch0982: 0982-ci-add-Red-Hat-Enterprise-Linux-8-to-the-list-of-sup.patch +Patch0983: 0983-ci-enable-source-git-automation-to-validate-reviews-.patch +Patch0984: 0984-ci-remove-Mergify-config-replaced-by-Pull-Request-Va.patch +Patch0985: 0985-ci-enable-auto-merge-GH-Action.patch +Patch0986: 0986-fstab-generator-allow-overriding-etc-fstab-with-SYST.patch +Patch0987: 0987-fstab-generator-allow-overriding-path-to-sysroot-etc.patch +Patch0988: 0988-test-backport-TEST-81-GENERATORS-fstab-generator-onl.patch +Patch0989: 0989-resolved-actually-check-authenticated-flag-of-SOA-tr.patch +Patch0990: 0990-fd-util-rework-how-we-determine-highest-possible-fd.patch +Patch0991: 0991-basic-fd-util-refuse-infinite-loop-in-close_all_fds.patch +Patch0992: 0992-fd-util-split-out-inner-fallback-loop-of-close_all_f.patch +Patch0993: 0993-exec-util-use-close_all_fds_without_malloc-from-free.patch +Patch0994: 0994-ci-use-source-git-automation-composite-Action.patch +Patch0995: 0995-ci-increase-the-cron-interval-to-45-minutes.patch +Patch0996: 0996-ci-add-all-Z-Stream-versions-to-array-of-allowed-ver.patch +Patch0997: 0997-tree-wide-always-declare-bitflag-enums-the-same-way.patch +Patch0998: 0998-login-Add-KEY_RESTART-handling.patch +Patch0999: 0999-analyze-security-fix-recursive-call-of-syscall_names.patch +Patch1000: 1000-analyze-security-do-not-assign-badness-to-filtered-o.patch +Patch1001: 1001-analyze-security-include-an-actual-syscall-name-in-t.patch +Patch1002: 1002-udev-net_id-introduce-naming-scheme-for-RHEL-8.10.patch +Patch1003: 1003-doc-add-missing-listitem-to-systemd.net-naming-schem.patch +Patch1004: 1004-service-schedule-cleanup-of-PID-hashmaps-when-we-now.patch +Patch1005: 1005-man-update-link-to-RHEL-documentation.patch +Patch1006: 1006-ci-add-configuration-for-regression-sniffer-GA.patch +Patch1007: 1007-coredump-actually-store-parsed-unit-in-the-context.patch +Patch1008: 1008-resolved-limit-the-number-of-signature-validations-i.patch +Patch1009: 1009-resolved-reduce-the-maximum-nsec3-iterations-to-100.patch +Patch1010: 1010-pid1-by-default-make-user-units-inherit-their-umask-.patch +Patch1011: 1011-pam-add-call-to-pam_umask.patch +Patch1012: 1012-ci-deploy-systemd-man-to-GitHub-Pages.patch +Patch1013: 1013-ci-src-git-update-list-of-supported-products.patch %ifarch %{ix86} x86_64 aarch64 %global have_gnu_efi 1 @@ -1662,12 +1696,21 @@ fi %files tests -f .file-list-tests %changelog +* Wed Jul 03 2024 Sergey Cherevko 239-82.1.inferit +- Update to 239-82.1 + * Tue Jul 02 2024 Sergey Cherevko 239-82.inferit.1 - Fixed squares instead of Russian characters in the console * Thu May 23 2024 Sergey Cherevko - 239-82.inferit - Rebuilt for MSVSphere 8.10 +* Thu Apr 11 2024 systemd maintenance team - 239-82.1 +- pid1: by default make user units inherit their umask from the user manager (RHEL-28048) +- pam: add call to pam_umask (RHEL-28048) +- ci: deploy systemd man to GitHub Pages (RHEL-32494) +- ci(src-git): update list of supported products (RHEL-32494) + * Thu Mar 07 2024 systemd maintenance team - 239-82 - ci: add configuration for regression sniffer GA (RHEL-1087) - coredump: actually store parsed unit in the context (RHEL-18302)