diff --git a/26494.patch b/26494.patch
new file mode 100644
index 0000000000000000000000000000000000000000..19bc67b55864156ab1be0b2c47c77abddd409d1b
--- /dev/null
+++ b/26494.patch
@@ -0,0 +1,30 @@
+From 6b25470ee28843a49c50442e9d8a98edc842ceca Mon Sep 17 00:00:00 2001
+From: Yu Watanabe
+Date: Mon, 20 Feb 2023 12:00:30 +0900
+Subject: [PATCH] core/manager: run generators directly when we are in initrd
+
+Some initrd system write files at ourside of /run, /etc, or other
+allowed places. This is a kind of workaround, but in most cases, such
+sandboxing is not necessary as the filesystem is on ramfs when we are in
+initrd.
+
+Fixes #26488.
+---
+ src/core/manager.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/core/manager.c b/src/core/manager.c
+index 7b394794b0d4..306477c6e6c2 100644
+--- a/src/core/manager.c
++++ b/src/core/manager.c
+@@ -3822,8 +3822,8 @@ static int manager_run_generators(Manager *m) {
+ /* If we are the system manager, we fork and invoke the generators in a sanitized mount namespace. If
+ * we are the user manager, let's just execute the generators directly. We might not have the
+ * necessary privileges, and the system manager has already mounted /tmp/ and everything else for us.
+- */
+- if (MANAGER_IS_USER(m)) {
++ * If we are in initrd, let's also execute the generators directly, as we are in ramfs. */
++ if (MANAGER_IS_USER(m) || in_initrd()) {
+ r = manager_execute_generators(m, paths, /* remount_ro= */ false);
+ goto finish;
+ }
diff --git a/30846.patch b/30846.patch
new file mode 100644
index 0000000000000000000000000000000000000000..84a4163f9b1f16bad1993a798b2d2a0eef9f0b74
--- /dev/null
+++ b/30846.patch
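Review bot: The added `|| in_initrd()` condition takes the initrd system manager down the path that was previously reserved for the user manager, so generators in the initrd no longer run in the sanitized mount namespace and are invoked with `remount_ro= false`, i.e. with the manager's full, writable view of the filesystem rather than only /run and /etc. The commit message argues this is acceptable because the initrd is a ramfs, but the code comment only says "as we are in ramfs" and leaves the resulting trust assumption implicit; I would extend it to `* If we are in initrd, let's also execute the generators directly, as we are in ramfs. Generators shipped in the initrd image are therefore fully trusted and run unsandboxed. */`. manager_run_generators() begins and ends outside this hunk, so it is not visible here whether anything else constrains the initrd path.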
@@ -0,0 +1,55 @@
+From 07fd822c59e29b4f5e7dab029ea1186c1b862e3e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?=
+Date: Tue, 9 Jan 2024 11:28:04 +0100
+Subject: [PATCH] journal: again create user journals for users with high uids
+
+This effectively reverts a change in 115d5145a257c1a27330acf9f063b5f4d910ca4d
+'journald: move uid_for_system_journal() to uid-alloc-range.h', which slipped
+in an additional check of uid_is_container(uid). The problem is that that change
+is not backwards-compatible at all and very hard for users to handle.
+There is no common agreement on mappings of high-range uids. Systemd declares
+ownership of a large range for container uids in https://systemd.io/UIDS-GIDS/,
+but this is only a recent change and various sites allocated those ranges
+in a different way, in particular FreeIPA uses (used?) uids from this range
+for human users. On big sites with lots of users changing uids is obviously a
+hard problem. We generally assume that uids cannot be "freed" and/or changed
+and/or reused safely, so we shouldn't demand the same from others.
+
+This is somewhat similar to the situation with SYSTEM_ALLOC_UID_MIN /
+SYSTEM_UID_MAX, which we tried to define to a fixed value in our code, causing
+huge problems for existing systems with were created with a different
+definition and couldn't be easily updated. For that case, we added a
+configuration time switch and we now parse /etc/login.defs to actually use the
+value that is appropriate for the local system.
+
+Unfortunately, login.defs doesn't have a concept of container allocation ranges
+(and we don't have code to parse and use those nonexistent names either), so we
+can't tell users to adjust logind.defs to work around the changed definition.
+
+login.defs has SUB_UID_{MIN,MAX}, but those aren't really the same thing,
+because they are used to define where the add allocations for subuids, which is
+generally a much smaller range. Maybe we should talk with other folks about
+the appropriate allocation ranges and define some new settings in login.defs.
+But this would require discussion and coordination with other projects first.
+
+Actualy, it seems that this change was needed at all. The code in the container
+does not log to the outside journal. It talks to its own journald, which does
+journal splitting using its internal logic based on shifted uids. So let's
+revert the change to fix user systems.
+
+Fixes https://bugzilla.redhat.com/show_bug.cgi?id=2251843.
+---
+ src/basic/uid-alloc-range.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/basic/uid-alloc-range.c b/src/basic/uid-alloc-range.c
+index 669cb6d56f7be..7b724b7959f60 100644
+--- a/src/basic/uid-alloc-range.c
++++ b/src/basic/uid-alloc-range.c
+@@ -127,5 +127,5 @@ bool uid_for_system_journal(uid_t uid) {
+
+ /* Returns true if the specified UID shall get its data stored in the system journal. */
+
+- return uid_is_system(uid) || uid_is_dynamic(uid) || uid == UID_NOBODY || uid_is_container(uid);
++ return uid_is_system(uid) || uid_is_dynamic(uid) || uid == UID_NOBODY;
+ }
diff --git a/systemd.spec b/systemd.spec
index 1086e0730139885dc31c81f6c7d7cec9a3a554d4..fd0c808235a301665d04899dda4114223990937d 100644
--- a/systemd.spec
+++ b/systemd.spec
@@ -1,4 +1,4 @@
-%define anolis_release 1
+%define anolis_release 2
 %global __requires_exclude pkg-config
 %global pkgdir %{_prefix}/lib/systemd
@@ -58,6 +58,9 @@ Source24: sysusers.generate-pre.sh
 Source31: systemd-tests-file-list
 Source32: systemd-devel-file-list
+Patch0001: 26494.patch
+Patch0002: 30846.patch
+Patch0003: use-system-pam-in-pam-systemd-user.patch
 Patch0490: use-bfq-scheduler.patch
@@ -2167,7 +2170,10 @@ fi
 %doc docs/DISTRO_PORTING.md docs/HACKING.md
 %changelog
-* Fri Mar 21 2024 Zhenyu Wang - 255
+* Thu Mar 28 2024 Chang Gao - 255-2
+- Fix some errors
+
+* Fri Mar 21 2024 Zhenyu Wang - 255-1
 - update to 255
 * Wed Jan 31 2024 wangkaiyuan - 252.4-9
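Review bot: The comment above the new return line still reads as a neutral description, while the return now deliberately omits `uid_is_container(uid)`, the very check that 115d5145a257c1a27330acf9f063b5f4d910ca4d added; without a note in the code a later backport or rebase can silently reintroduce it. I would extend the comment to `/* Returns true if the specified UID shall get its data stored in the system journal. Container-range UIDs are intentionally NOT included: that range is not universally reserved (FreeIPA hands it to human users), so they get per-user journals like any other user. */`. Operationally, entries from UIDs in that range move from the system journal to per-user journal files after this change, which likely affects who can read them and where log collectors have to look, so it deserves a mention in the spec changelog rather than the current `- Fix some errors`. The function's signature sits in the hunk header; the rest of its body is inside the hunk.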
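Review bot: The three new `Patch000N:` lines carry no indication of what each backport changes or where it comes from, and the changelog entry does not either, so a reader of the spec must open the patch files to discover that two of them alter security-relevant behaviour (generator sandboxing in the initrd, journal routing for high UIDs) and the third changes the PAM stack of the user manager. Spec files accept `#` comments, so I would annotate each entry with its upstream commit and a short summary, e.g. `# upstream 6b25470ee28843a49c50442e9d8a98edc842ceca: run generators unsandboxed when in the initrd` above `Patch0001`, and likewise `07fd822c59e29b4f5e7dab029ea1186c1b862e3e` for Patch0002 and `c4b803dc60b63a35c977d39610b7872175ec03bd` for Patch0003. Whether these patches are actually applied in %prep is outside this hunk.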
diff --git a/use-system-pam-in-pam-systemd-user.patch b/use-system-pam-in-pam-systemd-user.patch
new file mode 100644
index 0000000000000000000000000000000000000000..df820e288c6e4cd210d9838bbb2cf417b12c69fa
--- /dev/null
+++ b/use-system-pam-in-pam-systemd-user.patch
@@ -0,0 +1,31 @@
+From c4b803dc60b63a35c977d39610b7872175ec03bd Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?=
+Date: Wed, 14 Dec 2022 22:24:53 +0100
+Subject: [PATCH] fedora: use system-auth in pam systemd-user
+
+---
+ src/login/systemd-user.in | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/login/systemd-user.in b/src/login/systemd-user.in
+index 8a3c9e0165..74ef5f2552 100644
+--- a/src/login/systemd-user.in
++++ b/src/login/systemd-user.in
+@@ -7,7 +7,7 @@
+ -account sufficient pam_systemd_home.so
+ {% endif %}
+ account sufficient pam_unix.so no_pass_expiry
+-account required pam_permit.so
++account include system-auth
+
+ {% if HAVE_SELINUX %}
+ session required pam_selinux.so close
+@@ -20,4 +20,4 @@ session required pam_namespace.so
+ -session optional pam_systemd_home.so
+ {% endif %}
+ session optional pam_umask.so silent
+-session optional pam_systemd.so
++session include system-auth
+--
+2.41.0
+
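Review bot: `account include system-auth` and `session include system-auth` make the systemd-user service depend on `/etc/pam.d/system-auth` existing on the target system; the `fedora:` subject marks this as a Fedora downstream change, and nothing in this commit shows that Anolis ships a `system-auth` stack with the same contents, so if the file is absent I believe the account and session phases of the user manager fail to load rather than degrade. In particular the `session optional pam_systemd.so` line is removed outright, so registering the user manager's session with logind now relies on the included `system-auth` chain providing pam_systemd.so, which should be confirmed against the shipped file. The account change is a tightening rather than a loosening: `pam_permit.so` previously made the account phase always succeed, whereas now whatever account restrictions the site configures in `system-auth` apply to user@.service too, which is desirable but is a behaviour change worth a changelog line.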