From 1194944ad4a310b22b2c7e84ba1500ac40984b3a Mon Sep 17 00:00:00 2001 From: ZHe Date: Tue, 19 Mar 2024 16:06:11 +0800 Subject: [PATCH] default enable full delegation on device cgroup --- ...group-full-delegation-for-compabilit.patch | 24 ++--- ...ble-full-delegation-on-device-cgroup.patch | 98 +++++++++++++++++++ systemd.spec | 9 +- 3 files changed, 113 insertions(+), 18 deletions(-) create mode 100644 20005-default-enable-full-delegation-on-device-cgroup.patch diff --git a/20003-core-introduce-cgroup-full-delegation-for-compabilit.patch b/20003-core-introduce-cgroup-full-delegation-for-compabilit.patch index 21c5557..a09eaa2 100644 --- a/20003-core-introduce-cgroup-full-delegation-for-compabilit.patch +++ b/20003-core-introduce-cgroup-full-delegation-for-compabilit.patch @@ -1,4 +1,4 @@ -From f25124fabe1ed973840291d46549af6e1c5fad56 Mon Sep 17 00:00:00 2001 +From ce2e0936e03f6cef91a326186978643b93403052 Mon Sep 17 00:00:00 2001 From: "zhongling.h" Date: Fri, 4 Aug 2023 10:08:16 +0800 Subject: [PATCH] core: introduce cgroup full delegation for compability @@ -30,15 +30,8 @@ brings what users are already familiar with to systemd-239. If users set values under /sys/fs/cgroup without worrying systemd touching these values, which is the same as what they expected with systemd-219. ---- - src/core/cgroup.c | 16 ++++++++++++++++ - src/core/main.c | 4 ++++ - src/core/manager.h | 1 + - src/core/system.conf.in | 1 + - 4 files changed, 22 insertions(+) - diff --git a/src/core/cgroup.c b/src/core/cgroup.c -index ea92aa6f7b..17e3b90e37 100644 +index 8e474f6..461f9df 100644 --- a/src/core/cgroup.c +++ b/src/core/cgroup.c @@ -1692,6 +1692,15 @@ static int unit_create_cgroup( 
@@ -57,18 +50,17 @@ index ea92aa6f7b..17e3b90e37 100644 u->cgroup_enabled_mask = enable_mask; u->cgroup_bpf_state = needs_bpf ? UNIT_CGROUP_BPF_ON : UNIT_CGROUP_BPF_OFF; -@@ -1921,6 +1930,10 @@ static int unit_realize_cgroup_now(Unit *u, ManagerState state) { +@@ -1920,6 +1929,9 @@ static int unit_realize_cgroup_now(Unit *u, ManagerState state) { + enable_mask = unit_get_enable_mask(u); needs_bpf = unit_get_needs_bpf(u); - target_mask &= ~CGROUP_MASK_DEVICES; -+ + if (u->manager->full_delegation && unit_cgroup_delegate(u)) + target_mask ^= u->cgroup_realized_mask; + if (unit_has_mask_realized(u, target_mask, enable_mask, needs_bpf)) return 0; -@@ -2883,6 +2896,9 @@ int unit_reset_ip_accounting(Unit *u) { +@@ -2882,6 +2894,9 @@ int unit_reset_ip_accounting(Unit *u) { void unit_invalidate_cgroup(Unit *u, CGroupMask m) { assert(u); @@ -79,7 +71,7 @@ index ea92aa6f7b..17e3b90e37 100644 return; diff --git a/src/core/main.c b/src/core/main.c -index 546bf0d870..68daf07077 100644 +index 546bf0d..68daf07 100644 --- a/src/core/main.c +++ b/src/core/main.c @@ -142,6 +142,7 @@ static bool reexec_jmp_can = false; @@ -108,7 +100,7 @@ index 546bf0d870..68daf07077 100644 manager_set_default_rlimits(m, arg_default_rlimit); manager_environment_add(m, NULL, arg_default_environment); diff --git a/src/core/manager.h b/src/core/manager.h -index 98d381bc5b..91f2c05afe 100644 +index 98d381b..91f2c05 100644 --- a/src/core/manager.h +++ b/src/core/manager.h @@ -297,6 +297,7 @@ struct Manager { @@ -120,7 +112,7 @@ index 98d381bc5b..91f2c05afe 100644 uint64_t default_tasks_max; usec_t default_timer_accuracy_usec; diff --git a/src/core/system.conf.in b/src/core/system.conf.in -index 2f6852a89f..6c84a55401 100644 +index 2f6852a..6c84a55 100644 --- a/src/core/system.conf.in +++ b/src/core/system.conf.in @@ -67,3 +67,4 @@ DefaultLimitCORE=0:infinity 
diff --git a/20005-default-enable-full-delegation-on-device-cgroup.patch b/20005-default-enable-full-delegation-on-device-cgroup.patch
new file mode 100644
index 0000000..bf11aa5
--- /dev/null
+++ b/20005-default-enable-full-delegation-on-device-cgroup.patch
@@ -0,0 +1,98 @@
+From 0c54a1eda08dc8a1c40274c1f90e5e809e054706 Mon Sep 17 00:00:00 2001
+From: rpm-build
+Date: Tue, 19 Mar 2024 15:53:21 +0800
+Subject: [PATCH] default enable full delegation on device cgroup
+
+---
+ src/core/cgroup.c | 9 +++++++++
+ src/core/main.c | 3 +++
+ src/core/manager.h | 1 +
+ src/core/system.conf.in | 1 +
+ 4 files changed, 14 insertions(+)
+
+diff --git a/src/core/cgroup.c b/src/core/cgroup.c
+index 461f9df..bc677d8 100644
+--- a/src/core/cgroup.c
++++ b/src/core/cgroup.c
+@@ -1701,6 +1701,9 @@ static int unit_create_cgroup(
+ if (u->manager->full_delegation && unit_cgroup_delegate(u))
+ u->cgroup_realized_mask |= unit_get_delegate_mask(u);
+
++ if (u->manager->full_delegation_devicecg && unit_cgroup_delegate(u))
++ u->cgroup_realized_mask |= (unit_get_delegate_mask(u) & CGROUP_MASK_DEVICES);
++
+ u->cgroup_enabled_mask = enable_mask;
+ u->cgroup_bpf_state = needs_bpf ? UNIT_CGROUP_BPF_ON : UNIT_CGROUP_BPF_OFF;
+
+@@ -1932,6 +1935,9 @@ static int unit_realize_cgroup_now(Unit *u, ManagerState state) {
+ if (u->manager->full_delegation && unit_cgroup_delegate(u))
+ target_mask ^= u->cgroup_realized_mask;
+
++ if (u->manager->full_delegation_devicecg && unit_cgroup_delegate(u))
++ target_mask ^= (u->cgroup_realized_mask & CGROUP_MASK_DEVICES);
++
+ if (unit_has_mask_realized(u, target_mask, enable_mask, needs_bpf))
+ return 0;
+
+@@ -2897,6 +2903,9 @@ void unit_invalidate_cgroup(Unit *u, CGroupMask m) {
+ if (u->manager->full_delegation)
+ m ^= unit_get_delegate_mask(u); // don't invalidate delegated cgroup
+
++ if (u->manager->full_delegation_devicecg)
++ m ^= (unit_get_delegate_mask(u) & CGROUP_MASK_DEVICES); // don't invalidate device cgroup if delegate=yes
++
+ if (!UNIT_HAS_CGROUP_CONTEXT(u))
+ return;
+
+diff --git a/src/core/main.c b/src/core/main.c
+index 68daf07..e27f0a5 100644
+--- a/src/core/main.c
++++ b/src/core/main.c
+@@ -143,6 +143,7 @@ static bool reexec_jmp_inited = false;
+ static sigjmp_buf reexec_jmp_buf;
+ static bool arg_default_cpuset_clone_children = false;
+ static bool arg_full_delegation = false;
++static bool arg_full_delegation_devicecg = true;
+
+ static int parse_configuration(const struct rlimit *saved_rlimit_nofile,
+ const struct rlimit *saved_rlimit_memlock);
+@@ -770,6 +771,7 @@ static int parse_config_file(void) {
+ { "Manager", "CtrlAltDelBurstAction", config_parse_emergency_action, 0, &arg_cad_burst_action },
+ { "Manager", "DefaultCPUSetCloneChildren",config_parse_bool, 0, &arg_default_cpuset_clone_children },
+ { "Manager", "FullDelegation", config_parse_bool, 0, &arg_full_delegation },
++ { "Manager", "FullDelegationDeviceCGroup",config_parse_bool, 0, &arg_full_delegation_devicecg },
+
+ {}
+ };
+@@ -821,6 +823,7 @@ static void set_manager_defaults(Manager *m) {
+ m->default_tasks_accounting = arg_default_tasks_accounting;
+ m->default_tasks_max = arg_default_tasks_max;
+ m->full_delegation = arg_full_delegation;
++ m->full_delegation_devicecg = arg_full_delegation_devicecg;
+
+ manager_set_default_rlimits(m, arg_default_rlimit);
+ manager_environment_add(m, NULL, arg_default_environment);
+diff --git a/src/core/manager.h b/src/core/manager.h
+index 91f2c05..8017d9a 100644
+--- a/src/core/manager.h
++++ b/src/core/manager.h
+@@ -298,6 +298,7 @@ struct Manager {
+ bool default_tasks_accounting;
+ bool default_ip_accounting;
+ bool full_delegation;
++ bool full_delegation_devicecg;
+
+ uint64_t default_tasks_max;
+ usec_t default_timer_accuracy_usec;
+diff --git a/src/core/system.conf.in b/src/core/system.conf.in
+index 6c84a55..3f9ef7f 100644
+--- a/src/core/system.conf.in
++++ b/src/core/system.conf.in
+@@ -68,3 +68,4 @@ DefaultLimitCORE=0:infinity
+ #IPAddressAllow=
+ #IPAddressDeny=
+ #FullDelegation=no
++#FullDelegationDeviceCGroup=yes
+--
+2.39.3
+
diff --git a/systemd.spec b/systemd.spec
index 0ef8e1c..6bdc75f 100644
--- a/systemd.spec
+++ b/systemd.spec
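Review bot: In the `unit_realize_cgroup_now` and `unit_invalidate_cgroup` hunks of the new 20005 patch, the added `^=` lines toggle the devices bit instead of clearing it, so when `FullDelegation=yes` is also set the preceding `target_mask ^= u->cgroup_realized_mask` / `m ^= unit_get_delegate_mask(u)` and the new XOR cancel each other and the devices controller is managed by systemd again. Clearing the bit keeps the two options independent: `target_mask &= ~(u->cgroup_realized_mask & CGROUP_MASK_DEVICES);` and `m &= ~(unit_get_delegate_mask(u) & CGROUP_MASK_DEVICES);`. The `unit_invalidate_cgroup` branch also omits the `unit_cgroup_delegate(u)` test that the other two branches carry, which is equivalent only if `unit_get_delegate_mask()` returns 0 for non-delegated units (not visible here). Because `arg_full_delegation_devicecg` defaults to `true`, every `Delegate=yes` unit appears to stop having its device cgroup policy reapplied by systemd, so the `system.conf.in` entry deserves a comment stating that, e.g. `# FullDelegationDeviceCGroup=yes leaves the devices controller of Delegate=yes units to the delegatee`. All three functions start and end outside the inner hunks, so the surrounding mask handling could not be checked.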
@@ -1,4 +1,4 @@ -%define anolis_release .0.3 +%define anolis_release .0.4 #global gitcommit 10e465b5321bd53c1fc59ffab27e724535c6bc0f %{?gitcommit:%global gitcommitshort %(c=%{gitcommit}; echo ${c:0:7})} @@ -1062,9 +1062,10 @@ Patch10026: 10026-umount-check-LO_FLAGS_AUTOCLEAR-after-LOOP_CLR_FD-cl.patch Patch10027: 10027-fix-compilation-without-utmp.patch Patch20001: 20001-hwdb-parse_hwdb_dot_py.patch -Patch20002: 20002-cgroup-do-not-refresh-cgroup-devices-config-when-dae.patch +# Patch20002: 20002-cgroup-do-not-refresh-cgroup-devices-config-when-dae.patch Patch20003: 20003-core-introduce-cgroup-full-delegation-for-compabilit.patch Patch20004: 20004-Update-vendor-ids-for-ieisystem-0750.patch +Patch20005: 20005-default-enable-full-delegation-on-device-cgroup.patch # lifsea only patch %if %{defined lifsea_dist} @@ -1791,6 +1792,10 @@ fi %files tests -f .file-list-tests %changelog +* Wed Apr 3 2024 zhongling.h - 239-78.0.4 +- Remove patch 20002 as it inhibits systemd device cgroup slice creation +- Add patch 20005 to enable device cgroup full delegation by default + * Thu Feb 29 2024 yuanhui - 239-78.0.3 - LifseaOS: Add back hostnamectl - LifseaOS: Add back timedatectl -- Gitee