import systemd-239-82.el8_10.1

i8c changed/i8c/systemd-239-82.el8_10.1
MSVSphere Packaging Team 6 months ago
parent aa41892ec0
commit c8fc9c39c7

@ -0,0 +1,117 @@
From f896e672ec6101ccbb21108345946e834455a25f Mon Sep 17 00:00:00 2001
From: Franck Bui <fbui@suse.com>
Date: Fri, 3 Apr 2020 10:00:25 +0200
Subject: [PATCH] pid1: by default make user units inherit their umask from the
user manager
This patch changes the way user managers set the default umask for the units it
manages.
Indeed one can expect that if user manager's umask is redefined through PAM
(via /etc/login.defs or pam_umask), all its children including the units it
spawns have their umask set to the new value.
Hence make user units inherit their umask value from their parent instead of
the hard coded value 0022 but allow them to override this value via their unit
file.
Note that reexecuting managers with 'systemctl daemon-reexec' after changing
UMask= has no effect. To take effect managers need to be restarted with
'systemct restart' instead. This behavior was already present before this
patch.
Fixes #6077.
(cherry picked from commit 5e37d1930b41b24c077ce37c6db0e36c745106c7)
Related: RHEL-28048
---
man/systemd.exec.xml | 9 +++++++--
src/basic/process-util.c | 17 +++++++++++++++++
src/basic/process-util.h | 1 +
src/core/unit.c | 12 ++++++++++--
4 files changed, 35 insertions(+), 4 deletions(-)
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index b04b4ba552..844c1ce94b 100644
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -590,8 +590,13 @@ CapabilityBoundingSet=~CAP_B CAP_C</programlisting>
<term><varname>UMask=</varname></term>
<listitem><para>Controls the file mode creation mask. Takes an access mode in octal notation. See
- <citerefentry><refentrytitle>umask</refentrytitle><manvolnum>2</manvolnum></citerefentry> for details. Defaults
- to 0022.</para></listitem>
+ <citerefentry><refentrytitle>umask</refentrytitle><manvolnum>2</manvolnum></citerefentry> for
+ details. Defaults to 0022 for system units. For units of the user service manager the default value
+ is inherited from the user instance (whose default is inherited from the system service manager, and
+ thus also is 0022). Hence changing the default value of a user instance, either via
+ <varname>UMask=</varname> or via a PAM module, will affect the user instance itself and all user
+ units started by the user instance unless a user unit has specified its own
+ <varname>UMask=</varname>.</para></listitem>
</varlistentry>
<varlistentry>
diff --git a/src/basic/process-util.c b/src/basic/process-util.c
index 9e2237375d..af44bfab3e 100644
--- a/src/basic/process-util.c
+++ b/src/basic/process-util.c
@@ -657,6 +657,23 @@ int get_process_ppid(pid_t pid, pid_t *ret) {
return 0;
}
+int get_process_umask(pid_t pid, mode_t *umask) {
+ _cleanup_free_ char *m = NULL;
+ const char *p;
+ int r;
+
+ assert(umask);
+ assert(pid >= 0);
+
+ p = procfs_file_alloca(pid, "status");
+
+ r = get_proc_field(p, "Umask", WHITESPACE, &m);
+ if (r == -ENOENT)
+ return -ESRCH;
+
+ return parse_mode(m, umask);
+}
+
int wait_for_terminate(pid_t pid, siginfo_t *status) {
siginfo_t dummy;
diff --git a/src/basic/process-util.h b/src/basic/process-util.h
index a3bd2851b4..9059aad4cc 100644
--- a/src/basic/process-util.h
+++ b/src/basic/process-util.h
@@ -41,6 +41,7 @@ int get_process_cwd(pid_t pid, char **cwd);
int get_process_root(pid_t pid, char **root);
int get_process_environ(pid_t pid, char **environ);
int get_process_ppid(pid_t pid, pid_t *ppid);
+int get_process_umask(pid_t pid, mode_t *umask);
int wait_for_terminate(pid_t pid, siginfo_t *status);
diff --git a/src/core/unit.c b/src/core/unit.c
index 76fb9f8075..d3459dcdd0 100644
--- a/src/core/unit.c
+++ b/src/core/unit.c
@@ -167,8 +167,16 @@ static void unit_init(Unit *u) {
if (ec) {
exec_context_init(ec);
- ec->keyring_mode = MANAGER_IS_SYSTEM(u->manager) ?
- EXEC_KEYRING_SHARED : EXEC_KEYRING_INHERIT;
+ if (MANAGER_IS_SYSTEM(u->manager))
+ ec->keyring_mode = EXEC_KEYRING_SHARED;
+ else {
+ ec->keyring_mode = EXEC_KEYRING_INHERIT;
+
+ /* User manager might have its umask redefined by PAM or UMask=. In this
+ * case let the units it manages inherit this value by default. They can
+ * still tune this value through their own unit file */
+ (void) get_process_umask(getpid_cached(), &ec->umask);
+ }
}
kc = unit_get_kill_context(u);

@ -0,0 +1,28 @@
From 49dbe60d4b3c6f111911c8217bc5e7da5a4ba0d0 Mon Sep 17 00:00:00 2001
From: Michal Sekletar <msekleta@redhat.com>
Date: Wed, 31 May 2023 18:50:12 +0200
Subject: [PATCH] pam: add call to pam_umask
Setting umask for user sessions via UMASK setting in /etc/login.defs is
a well-known feature. Let's make sure that user manager also runs with
this umask value.
Follow-up for 5e37d1930b41b24c077ce37c6db0e36c745106c7.
(cherry picked from commit 159f1b78576ce91c3932f4867f07361a530875d3)
Resolves: RHEL-28048
---
src/login/systemd-user.m4 | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/login/systemd-user.m4 b/src/login/systemd-user.m4
index eb291beaed..a194a636d6 100644
--- a/src/login/systemd-user.m4
+++ b/src/login/systemd-user.m4
@@ -10,4 +10,5 @@ session required pam_selinux.so nottys open
session required pam_loginuid.so
session optional pam_keyinit.so force revoke
session required pam_namespace.so
+session optional pam_umask.so silent
session optional pam_systemd.so

@ -0,0 +1,81 @@
From 045ba12c6337760f0a7f8b0ceb9f998b309e025f Mon Sep 17 00:00:00 2001
From: Jan Macku <jamacku@redhat.com>
Date: Fri, 9 Feb 2024 14:48:02 +0100
Subject: [PATCH] ci: deploy systemd man to GitHub Pages
rhel-only
Related: RHEL-32494
Co-authored-by: Frantisek Sumsal <frantisek@sumsal.cz>
---
.github/workflows/deploy-man-pages.yml | 60 ++++++++++++++++++++++++++
1 file changed, 60 insertions(+)
create mode 100644 .github/workflows/deploy-man-pages.yml
diff --git a/.github/workflows/deploy-man-pages.yml b/.github/workflows/deploy-man-pages.yml
new file mode 100644
index 0000000000..9da38a1687
--- /dev/null
+++ b/.github/workflows/deploy-man-pages.yml
@@ -0,0 +1,60 @@
+name: Deploy systemd man to Pages
+
+on:
+ push:
+ branches: [ rhel-8.10.0 ]
+ paths:
+ - man/*
+ - .github/workflows/deploy-man-pages.yml
+ schedule:
+ # Run every Monday at 4:00 AM UTC
+ - cron: 0 4 * * 1
+ workflow_dispatch:
+
+permissions:
+ contents: read
+
+# Allow only one concurrent deployment, skipping runs queued between the run in-progress and latest queued.
+# However, do NOT cancel in-progress runs as we want to allow these production deployments to complete.
+concurrency:
+ group: pages
+ cancel-in-progress: false
+
+jobs:
+ # Single deploy job since we're just deploying
+ deploy:
+ environment:
+ name: github-pages
+ url: ${{ steps.deployment.outputs.page_url }}
+ runs-on: ubuntu-latest
+
+ permissions:
+ pages: write
+ id-token: write
+
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Install dependencies
+ run: |
+ RELEASE="$(lsb_release -cs)"
+ sudo add-apt-repository -y --no-update --enable-source
+ sudo apt-get -y update
+ sudo apt-get -y build-dep systemd
+
+ - name: Build HTML man pages
+ run: |
+ meson setup build
+ ninja -C build man/html
+
+ - name: Setup Pages
+ uses: actions/configure-pages@v4
+
+ - name: Upload artifact
+ uses: actions/upload-pages-artifact@v3
+ with:
+ path: ./build/man
+
+ - name: Deploy to GitHub Pages
+ id: deployment
+ uses: actions/deploy-pages@v4

@ -0,0 +1,24 @@
From 604d2f1c8b6ecb46be7f70c5be7ae6fc6be04cab Mon Sep 17 00:00:00 2001
From: Jan Macku <jamacku@redhat.com>
Date: Thu, 11 Apr 2024 10:14:51 +0200
Subject: [PATCH] ci(src-git): update list of supported products
rhel-only
Related: RHEL-32494
---
.github/tracker-validator.yml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/tracker-validator.yml b/.github/tracker-validator.yml
index b09f702dd9..1bb684e722 100644
--- a/.github/tracker-validator.yml
+++ b/.github/tracker-validator.yml
@@ -16,5 +16,5 @@ products:
- rhel-8.8.0.z
- rhel-8.9.0
- rhel-8.9.0.z
- - rhel-8.10.0
- - rhel-8.10.0.z
+ - rhel-8.10
+ - rhel-8.10.z

@ -9,4 +9,5 @@ session required pam_selinux.so close
session required pam_selinux.so nottys open
session required pam_loginuid.so
session required pam_namespace.so
session optional pam_umask.so silent
session include system-auth

@ -13,7 +13,7 @@
Name: systemd
Url: http://www.freedesktop.org/wiki/Software/systemd
Version: 239
Release: 82%{?dist}
Release: 82%{?dist}.1
# For a breakdown of the licensing, see README
License: LGPLv2+ and MIT and GPLv2+
Summary: System and Service Manager
@ -1059,6 +1059,10 @@ Patch1006: 1006-ci-add-configuration-for-regression-sniffer-GA.patch
Patch1007: 1007-coredump-actually-store-parsed-unit-in-the-context.patch
Patch1008: 1008-resolved-limit-the-number-of-signature-validations-i.patch
Patch1009: 1009-resolved-reduce-the-maximum-nsec3-iterations-to-100.patch
Patch1010: 1010-pid1-by-default-make-user-units-inherit-their-umask-.patch
Patch1011: 1011-pam-add-call-to-pam_umask.patch
Patch1012: 1012-ci-deploy-systemd-man-to-GitHub-Pages.patch
Patch1013: 1013-ci-src-git-update-list-of-supported-products.patch
%ifarch %{ix86} x86_64 aarch64
%global have_gnu_efi 1
@ -1689,6 +1693,12 @@ fi
%files tests -f .file-list-tests
%changelog
* Thu Apr 11 2024 systemd maintenance team <systemd-maint@redhat.com> - 239-82.1
- pid1: by default make user units inherit their umask from the user manager (RHEL-28048)
- pam: add call to pam_umask (RHEL-28048)
- ci: deploy systemd man to GitHub Pages (RHEL-32494)
- ci(src-git): update list of supported products (RHEL-32494)
* Thu Mar 07 2024 systemd maintenance team <systemd-maint@redhat.com> - 239-82
- ci: add configuration for regression sniffer GA (RHEL-1087)
- coredump: actually store parsed unit in the context (RHEL-18302)

Loading…
Cancel
Save