From 25de3296b336a5438b4678edc52e80cf004671d6 Mon Sep 17 00:00:00 2001 From: Renbo Date: Wed, 9 Oct 2024 13:38:21 +0800 Subject: [PATCH 01/19] update to systemd-239-82.2.src.rpm Signed-off-by: Renbo --- ...ull-reference-case-in-load_from_path.patch | 34 -- ...-t-pass-null-directive-argument-to-s.patch | 25 -- ...roduce-EXIT_EXCEPTION-mapping-to-255.patch | 52 --- ...e-PID-1-in-containers-exit-with-non-.patch | 52 --- ...t-go-into-freeze-when-systemd-crashd.patch | 103 ------ ...ge-the-system-mount-propagation-to-s.patch | 62 ---- ...-definition-of-CGROUP_CONTROLLER_TO_.patch | 26 -- ...only-siblings-that-got-realized-once.patch | 46 --- ...g-item-to-support-setting-the-value-.patch | 120 ------- ...9-systemd-anolis-support-loongarch64.patch | 56 ---- ...x-coredump-when-compiled-under-GCC10.patch | 56 ---- 10011-hwdb-add-Iluvatar-CoreX.patch | 44 --- 10012-seccomp-add-loongarch-support.patch | 101 ------ ...FLAGS_AUTOCLEAR-after-LOOP_CLR_FD-cl.patch | 69 ---- ...ding-a-full-file-into-memory-refuse-.patch | 120 ------- ...explicit_bzero_safe-for-explicit-mem.patch | 61 ---- ...util-introduce-erase_and_free-helper.patch | 48 --- ...READ_FULL_FILE_SECURE-flag-for-readi.patch | 207 ------------ ...roduce-warn_file_is_world_accessible.patch | 67 ---- ...l_file_full-also-warns-when-file-is-.patch | 64 ---- ...x-memory-leak-if-READ_FULL_FILE_SECU.patch | 30 -- ...icit-flag-for-generating-world-execu.patch | 44 --- ..._fd-parameter-to-read_full_file_full.patch | 142 --------- ...ort-for-read_full_file-on-AF_UNIX-st.patch | 271 ---------------- ...READ_FULL_FILE_CONNECT_SOCKET-to-all.patch | 181 ----------- ...ad_full_file_full-to-read-from-offse.patch | 246 -------------- ...-cryptsetup-s-main-key-file-logic-ov.patch | 95 ------ 10027-fix-compilation-without-utmp.patch | 24 -- ...ly-simplify-caching-of-cgroups-membe.patch | 228 ------------- ...udev-remove-old-device-on-move-event.patch | 68 ---- 20001-hwdb-parse_hwdb_dot_py.patch | 299 ------------------ ...fresh-cgroup-devices-config-when-dae.patch | 26 -- ...group-full-delegation-for-compabilit.patch | 125 -------- ...Update-vendor-ids-for-ieisystem-0750.patch | 27 -- ...ble-full-delegation-on-device-cgroup.patch | 98 ------ 20006-systemd-Add-sw64.patch | 85 ----- 20007-add-seccomp-support-for-sw_64.patch | 96 ------ ...t-test-test-seccomp-support-on-sw_64.patch | 43 --- ...group-FullDelegation-FullDelegationD.patch | 163 ---------- ...ormation-from-hostnamed-in-plot-even.patch | 101 ------ ...nd-a-requirement-of-user-runtime-dir.patch | 44 --- ...pendency-of-libcryptsetup-if-HAVE_LI.patch | 40 --- ...group-path-which-not-created-by-syst.patch | 31 -- README.md | 13 - systemd.spec | 267 ++-------------- 45 files changed, 29 insertions(+), 4171 deletions(-) delete mode 100644 10000-core-fix-a-null-reference-case-in-load_from_path.patch delete mode 100644 10001-sysctl-Don-t-pass-null-directive-argument-to-s.patch delete mode 100644 10002-exit-status-introduce-EXIT_EXCEPTION-mapping-to-255.patch delete mode 100644 10003-main-don-t-freeze-PID-1-in-containers-exit-with-non-.patch delete mode 100644 10004-Do-not-go-into-freeze-when-systemd-crashd.patch delete mode 100644 10005-mount-setup-change-the-system-mount-propagation-to-s.patch delete mode 100644 10006-cgroup-util-make-definition-of-CGROUP_CONTROLLER_TO_.patch delete mode 100644 10007-cgroup-update-only-siblings-that-got-realized-once.patch delete mode 100644 10008-core-add-a-config-item-to-support-setting-the-value-.patch delete mode 100644 10009-systemd-anolis-support-loongarch64.patch delete mode 100644 10010-test-catalog-Fix-coredump-when-compiled-under-GCC10.patch delete mode 100644 10011-hwdb-add-Iluvatar-CoreX.patch delete mode 100644 10012-seccomp-add-loongarch-support.patch delete mode 100644 10013-umount-check-LO_FLAGS_AUTOCLEAR-after-LOOP_CLR_FD-cl.patch delete mode 100644 10014-fileio-when-reading-a-full-file-into-memory-refuse-.patch delete mode 100644 10015-util-introduce-explicit_bzero_safe-for-explicit-mem.patch delete mode 100644 10016-util-introduce-erase_and_free-helper.patch delete mode 100644 10017-util-introduce-READ_FULL_FILE_SECURE-flag-for-readi.patch delete mode 100644 10018-fileio-introduce-warn_file_is_world_accessible.patch delete mode 100644 10019-fileio-read_full_file_full-also-warns-when-file-is-.patch delete mode 100644 10020-basic-fileio-Fix-memory-leak-if-READ_FULL_FILE_SECU.patch delete mode 100644 10021-fileio-add-explicit-flag-for-generating-world-execu.patch delete mode 100644 10022-fileio-add-dir_fd-parameter-to-read_full_file_full.patch delete mode 100644 10023-fileio-add-support-for-read_full_file-on-AF_UNIX-st.patch delete mode 100644 10024-fileio-beef-up-READ_FULL_FILE_CONNECT_SOCKET-to-all.patch delete mode 100644 10025-fileio-teach-read_full_file_full-to-read-from-offse.patch delete mode 100644 10026-cryptsetup-port-cryptsetup-s-main-key-file-logic-ov.patch delete mode 100644 10027-fix-compilation-without-utmp.patch delete mode 100644 10028-cgroup-drastically-simplify-caching-of-cgroups-membe.patch delete mode 100644 10029-core-udev-remove-old-device-on-move-event.patch delete mode 100644 20001-hwdb-parse_hwdb_dot_py.patch delete mode 100644 20002-cgroup-do-not-refresh-cgroup-devices-config-when-dae.patch delete mode 100644 20003-core-introduce-cgroup-full-delegation-for-compabilit.patch delete mode 100644 20004-Update-vendor-ids-for-ieisystem-0750.patch delete mode 100644 20005-default-enable-full-delegation-on-device-cgroup.patch delete mode 100644 20006-systemd-Add-sw64.patch delete mode 100644 20007-add-seccomp-support-for-sw_64.patch delete mode 100644 20008-Fix-unit-test-test-seccomp-support-on-sw_64.patch delete mode 100644 20009-core-introduce-cgroup-FullDelegation-FullDelegationD.patch delete mode 100644 91000-analyze-show-information-from-hostnamed-in-plot-even.patch delete mode 100644 92000-meson-Make-logind-a-requirement-of-user-runtime-dir.patch delete mode 100644 92001-shared-Remove-dependency-of-libcryptsetup-if-HAVE_LI.patch delete mode 100644 92002-Do-not-remove-cgroup-path-which-not-created-by-syst.patch delete mode 100644 README.md diff --git a/10000-core-fix-a-null-reference-case-in-load_from_path.patch b/10000-core-fix-a-null-reference-case-in-load_from_path.patch deleted file mode 100644 index e15690c..0000000 --- a/10000-core-fix-a-null-reference-case-in-load_from_path.patch +++ /dev/null @@ -1,34 +0,0 @@ -From 11e4aae398f9d26c7c4e54bfa6621f80a3ed2100 Mon Sep 17 00:00:00 2001 -From: Wen Yang -Date: Tue, 19 Apr 2022 11:04:47 +0800 -Subject: [PATCH] fix a null reference case in load_from_path() - ---- - src/core/load-fragment.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/src/core/load-fragment.c b/src/core/load-fragment.c -index c0b1fd4..f59a040 100644 ---- a/src/core/load-fragment.c -+++ b/src/core/load-fragment.c -@@ -4477,7 +4477,6 @@ static int load_from_path(Unit *u, const char *path) { - r = open_follow(&filename, &f, symlink_names, &id); - if (r >= 0) - break; -- filename = mfree(filename); - - /* ENOENT means that the file is missing or is a dangling symlink. - * ENOTDIR means that one of paths we expect to be is a directory -@@ -4486,7 +4485,8 @@ static int load_from_path(Unit *u, const char *path) { - */ - if (r == -EACCES) - log_debug_errno(r, "Cannot access \"%s\": %m", filename); -- else if (!IN_SET(r, -ENOENT, -ENOTDIR)) -+ filename = mfree(filename); -+ if (!IN_SET(r, -ENOENT, -ENOTDIR)) - return r; - - /* Empty the symlink names for the next run */ --- -2.27.0 - diff --git a/10001-sysctl-Don-t-pass-null-directive-argument-to-s.patch b/10001-sysctl-Don-t-pass-null-directive-argument-to-s.patch deleted file mode 100644 index ec09ee4..0000000 --- a/10001-sysctl-Don-t-pass-null-directive-argument-to-s.patch +++ /dev/null @@ -1,25 +0,0 @@ -From 1b3f7805ed7c193e17cb5bad4f4f19c2f72f3d08 Mon Sep 17 00:00:00 2001 -From: Khem Raj -Date: Tue, 19 Apr 2022 11:16:42 +0800 -Subject: [PATCH] sysctl: Don't pass null directive argument to '%s' - ---- - src/sysctl/sysctl.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/sysctl/sysctl.c b/src/sysctl/sysctl.c -index 4c85d68..e756eff 100644 ---- a/src/sysctl/sysctl.c -+++ b/src/sysctl/sysctl.c -@@ -160,7 +160,7 @@ static int parse_file(OrderedHashmap *sysctl_options, const char *path, bool ign - - value = strchr(p, '='); - if (!value) { -- log_error("Line is not an assignment at '%s:%u': %s", path, c, value); -+ log_error("Line is not an assignment at '%s:%u': %s", path, c, p); - - if (r == 0) - r = -EINVAL; --- -2.27.0 - diff --git a/10002-exit-status-introduce-EXIT_EXCEPTION-mapping-to-255.patch b/10002-exit-status-introduce-EXIT_EXCEPTION-mapping-to-255.patch deleted file mode 100644 index 66539a0..0000000 --- a/10002-exit-status-introduce-EXIT_EXCEPTION-mapping-to-255.patch +++ /dev/null @@ -1,52 +0,0 @@ -From f7940c9cdf872d7504aca9637e9fd14328b2b726 Mon Sep 17 00:00:00 2001 -From: Lennart Poettering -Date: Tue, 19 Apr 2022 11:26:10 +0800 -Subject: [PATCH] exit-status: introduce EXIT_EXCEPTION mapping to 255 - ---- - src/basic/exit-status.c | 9 ++++++--- - src/basic/exit-status.h | 1 + - 2 files changed, 7 insertions(+), 3 deletions(-) - -diff --git a/src/basic/exit-status.c b/src/basic/exit-status.c -index 0a7a53b..8b67d44 100644 ---- a/src/basic/exit-status.c -+++ b/src/basic/exit-status.c -@@ -19,9 +19,9 @@ const char* exit_status_to_string(int status, ExitStatusLevel level) { - * 79…199 │ (Currently unmapped) - * 200…241 │ systemd's private error codes (might be extended to 254 in future development) - * 242…254 │ (Currently unmapped, but see above) -- * 255 │ (We should probably stay away from that one, it's frequently used by applications to indicate an -- * │ exit reason that cannot really be expressed in a single exit status value — such as a propagated -- * │ signal or such) -+ * 255 │ EXIT_EXCEPTION (We use this to propagate exit-by-signal events. It's frequently used by others apps (like bash) -+ * │ to indicate exit reason that cannot really be expressed in a single exit status value — such as a propagated -+ * │ signal or such, and we follow that logic here.) - */ - - switch (status) { /* We always cover the ISO C ones */ -@@ -158,6 +158,9 @@ const char* exit_status_to_string(int status, ExitStatusLevel level) { - - case EXIT_NUMA_POLICY: - return "NUMA_POLICY"; -+ -+ case EXIT_EXCEPTION: -+ return "EXCEPTION"; - } - } - -diff --git a/src/basic/exit-status.h b/src/basic/exit-status.h -index dc284aa..e923247 100644 ---- a/src/basic/exit-status.h -+++ b/src/basic/exit-status.h -@@ -70,6 +70,7 @@ enum { - EXIT_LOGS_DIRECTORY, /* 240 */ - EXIT_CONFIGURATION_DIRECTORY, - EXIT_NUMA_POLICY, -+ EXIT_EXCEPTION = 255, /* Whenever we want to propagate an abnormal/signal exit, in line with bash */ - }; - - typedef enum ExitStatusLevel { --- -2.27.0 - diff --git a/10003-main-don-t-freeze-PID-1-in-containers-exit-with-non-.patch b/10003-main-don-t-freeze-PID-1-in-containers-exit-with-non-.patch deleted file mode 100644 index 026fc66..0000000 --- a/10003-main-don-t-freeze-PID-1-in-containers-exit-with-non-.patch +++ /dev/null @@ -1,52 +0,0 @@ -From dffb92b5520a4b539f0466d4161fcaacc6ba5ba8 Mon Sep 17 00:00:00 2001 -From: Lennart Poettering -Date: Tue, 19 Apr 2022 11:34:27 +0800 -Subject: [PATCH] main: don't freeze PID 1 in containers, exit with - ---- - src/core/main.c | 14 ++++++++++---- - 1 file changed, 10 insertions(+), 4 deletions(-) - -diff --git a/src/core/main.c b/src/core/main.c -index d897155..0aec5d1 100644 ---- a/src/core/main.c -+++ b/src/core/main.c -@@ -139,7 +139,13 @@ static NUMAPolicy arg_numa_policy; - static int parse_configuration(const struct rlimit *saved_rlimit_nofile, - const struct rlimit *saved_rlimit_memlock); - --_noreturn_ static void freeze_or_reboot(void) { -+_noreturn_ static void freeze_or_exit_or_reboot(void) { -+ /* If we are running in a contianer, let's prefer exiting, after all we can propagate an exit code to the -+ * container manager, and thus inform it that something went wrong. */ -+ if (detect_container() > 0) { -+ log_emergency("Exiting PID 1..."); -+ exit(EXIT_EXCEPTION); -+ } - - if (arg_crash_reboot) { - log_notice("Rebooting in 10s..."); -@@ -247,7 +253,7 @@ _noreturn_ static void crash(int sig) { - } - } - -- freeze_or_reboot(); -+ freeze_or_exit_or_reboot(); - } - - static void install_crash_handler(void) { -@@ -2664,9 +2670,9 @@ finish: - if (error_message) - manager_status_printf(NULL, STATUS_TYPE_EMERGENCY, - ANSI_HIGHLIGHT_RED "!!!!!!" ANSI_NORMAL, -- "%s, freezing.", error_message); -- freeze_or_reboot(); -+ "%s.", error_message); -+ freeze_or_exit_or_reboot(); - } - - reset_arguments(); - return retval; --- -2.27.0 - diff --git a/10004-Do-not-go-into-freeze-when-systemd-crashd.patch b/10004-Do-not-go-into-freeze-when-systemd-crashd.patch deleted file mode 100644 index 1cb12cc..0000000 --- a/10004-Do-not-go-into-freeze-when-systemd-crashd.patch +++ /dev/null @@ -1,103 +0,0 @@ -From 64072aab92ff6489a2e460a9bdd1cfefa587264b Mon Sep 17 00:00:00 2001 -From: Yuanhong Peng -Date: Tue, 19 Apr 2022 13:36:09 +0800 -Subject: [PATCH] Do not go into freeze when systemd crashd - ---- - src/core/main.c | 41 ++++++++++++++++++++++++++++++++++++++++- - 1 file changed, 40 insertions(+), 1 deletion(-) - -diff --git a/src/core/main.c b/src/core/main.c -index 0aec5d1..db91151 100644 ---- a/src/core/main.c -+++ b/src/core/main.c -@@ -3,6 +3,7 @@ - #include - #include - #include -+#include - #include - #include - #include -@@ -10,6 +11,7 @@ - #include - #include - #include -+#include - #include - #if HAVE_SECCOMP - #include -@@ -135,10 +137,41 @@ static sd_id128_t arg_machine_id; - static EmergencyAction arg_cad_burst_action; - static CPUSet arg_cpu_affinity; - static NUMAPolicy arg_numa_policy; -+static bool reexec_jmp_can = false; -+static bool reexec_jmp_inited = false; -+static sigjmp_buf reexec_jmp_buf; - - static int parse_configuration(const struct rlimit *saved_rlimit_nofile, - const struct rlimit *saved_rlimit_memlock); - -+static void reexec_handler(int sig) { -+ reexec_jmp_can = true; -+} -+ -+_noreturn_ static void freeze_wait_upgrade(void) { -+ struct sigaction sa; -+ sigset_t ss; -+ -+ sigemptyset(&ss); -+ sigaddset(&ss, SIGTERM); -+ sigprocmask(SIG_UNBLOCK, &ss, NULL); -+ -+ sa.sa_handler = reexec_handler; -+ sa.sa_flags = SA_RESTART; -+ sigaction(SIGTERM, &sa, NULL); -+ -+ log_error("freeze_wait_upgrade: %d\n", reexec_jmp_inited); -+ reexec_jmp_can = false; -+ while(1) { -+ usleep(10000); -+ if (reexec_jmp_inited && reexec_jmp_can) { -+ log_error("goto manager_reexecute.\n"); -+ siglongjmp(reexec_jmp_buf, 1); -+ } -+ waitpid(-1, NULL, WNOHANG); -+ } -+} -+ - _noreturn_ static void freeze_or_exit_or_reboot(void) { - /* If we are running in a contianer, let's prefer exiting, after all we can propagate an exit code to the - * container manager, and thus inform it that something went wrong. */ -@@ -157,7 +190,8 @@ _noreturn_ static void freeze_or_exit_or_reboot(void) { - } - - log_emergency("Freezing execution."); -- freeze(); -+ freeze_wait_upgrade(); -+ - } - - _noreturn_ static void crash(int sig) { -@@ -1667,6 +1701,10 @@ static int invoke_main_loop( - assert(ret_switch_root_init); - assert(ret_error_message); - -+ reexec_jmp_inited = true; -+ if (sigsetjmp(reexec_jmp_buf, 1)) -+ goto manager_reexecute; -+ - for (;;) { - r = manager_loop(m); - if (r < 0) { -@@ -1709,6 +1747,7 @@ static int invoke_main_loop( - - case MANAGER_REEXECUTE: - -+manager_reexecute: - r = prepare_reexecute(m, &arg_serialization, ret_fds, false); - if (r < 0) { - *ret_error_message = "Failed to prepare for reexecution"; --- -2.27.0 - diff --git a/10005-mount-setup-change-the-system-mount-propagation-to-s.patch b/10005-mount-setup-change-the-system-mount-propagation-to-s.patch deleted file mode 100644 index fa95141..0000000 --- a/10005-mount-setup-change-the-system-mount-propagation-to-s.patch +++ /dev/null @@ -1,62 +0,0 @@ -From 0c7f29561634f9374c0d9042304f4d4caa4242f0 Mon Sep 17 00:00:00 2001 -From: Wen Yang -Date: Tue, 19 Apr 2022 13:50:04 +0800 -Subject: [PATCH] mount-setup: change the system mount propagation to - ---- - src/core/main.c | 2 +- - src/core/mount-setup.c | 4 ++-- - src/core/mount-setup.h | 2 +- - 3 files changed, 4 insertions(+), 4 deletions(-) - -diff --git a/src/core/main.c b/src/core/main.c -index db91151..81dae1c 100644 ---- a/src/core/main.c -+++ b/src/core/main.c -@@ -2519,7 +2519,7 @@ int main(int argc, char *argv[]) { - if (!skip_setup) - kmod_setup(); - -- r = mount_setup(loaded_policy); -+ r = mount_setup(loaded_policy, skip_setup); - if (r < 0) { - error_message = "Failed to mount API filesystems"; - goto finish; -diff --git a/src/core/mount-setup.c b/src/core/mount-setup.c -index a659458..9f9f953 100644 ---- a/src/core/mount-setup.c -+++ b/src/core/mount-setup.c -@@ -400,7 +400,7 @@ static int relabel_cgroup_filesystems(void) { - } - #endif - --int mount_setup(bool loaded_policy) { -+int mount_setup(bool loaded_policy, bool leave_propagation) { - int r = 0; - - r = mount_points_setup(ELEMENTSOF(mount_table), loaded_policy); -@@ -444,7 +444,7 @@ int mount_setup(bool loaded_policy) { - * needed. Note that we set this only when we are invoked directly by the kernel. If we are invoked by a - * container manager we assume the container manager knows what it is doing (for example, because it set up - * some directories with different propagation modes). */ -- if (detect_container() <= 0) -+ if (detect_container() <= 0 && !leave_propagation) - if (mount(NULL, "/", NULL, MS_REC|MS_SHARED, NULL) < 0) - log_warning_errno(errno, "Failed to set up the root directory for shared mount propagation: %m"); - -diff --git a/src/core/mount-setup.h b/src/core/mount-setup.h -index 43cd890..7a011b2 100644 ---- a/src/core/mount-setup.h -+++ b/src/core/mount-setup.h -@@ -4,7 +4,7 @@ - #include - - int mount_setup_early(void); --int mount_setup(bool loaded_policy); -+int mount_setup(bool loaded_policy, bool leave_propagation); - - int mount_cgroup_controllers(char ***join_controllers); - --- -2.27.0 - diff --git a/10006-cgroup-util-make-definition-of-CGROUP_CONTROLLER_TO_.patch b/10006-cgroup-util-make-definition-of-CGROUP_CONTROLLER_TO_.patch deleted file mode 100644 index 9a5fa6e..0000000 --- a/10006-cgroup-util-make-definition-of-CGROUP_CONTROLLER_TO_.patch +++ /dev/null @@ -1,26 +0,0 @@ -From d449667a6a545a46647911838731e8e46a5a39ed Mon Sep 17 00:00:00 2001 -From: Lennart Poettering -Date: Tue, 19 Apr 2022 13:56:39 +0800 -Subject: [PATCH] cgroup-util: make definition of CGROUP_CONTROLLER_TO_MASK() - unsigned - ---- - src/basic/cgroup-util.h | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/basic/cgroup-util.h b/src/basic/cgroup-util.h -index 1210b38..76659c3 100644 ---- a/src/basic/cgroup-util.h -+++ b/src/basic/cgroup-util.h -@@ -31,7 +31,7 @@ typedef enum CGroupController { - _CGROUP_CONTROLLER_INVALID = -1, - } CGroupController; - --#define CGROUP_CONTROLLER_TO_MASK(c) (1 << (c)) -+#define CGROUP_CONTROLLER_TO_MASK(c) (1U << (c)) - - /* A bit mask of well known cgroup controllers */ - typedef enum CGroupMask { --- -2.27.0 - diff --git a/10007-cgroup-update-only-siblings-that-got-realized-once.patch b/10007-cgroup-update-only-siblings-that-got-realized-once.patch deleted file mode 100644 index 068f21c..0000000 --- a/10007-cgroup-update-only-siblings-that-got-realized-once.patch +++ /dev/null @@ -1,46 +0,0 @@ -From 841539281bed5187d2f773097eefb0bb3c5057ec Mon Sep 17 00:00:00 2001 -From: Lennart Poettering -Date: Tue, 19 Apr 2022 14:03:12 +0800 -Subject: [PATCH] cgroup: update only siblings that got realized once - ---- - src/core/cgroup.c | 16 +++++++++++++++- - 1 file changed, 15 insertions(+), 1 deletion(-) - -diff --git a/src/core/cgroup.c b/src/core/cgroup.c -index f02cc31..e0e0a98 100644 ---- a/src/core/cgroup.c -+++ b/src/core/cgroup.c -@@ -1980,7 +1980,16 @@ static void unit_add_siblings_to_cgroup_realize_queue(Unit *u) { - Unit *slice; - - /* This adds the siblings of the specified unit and the siblings of all parent units to the cgroup -- * queue. (But neither the specified unit itself nor the parents.) */ -+ * queue. (But neither the specified unit itself nor the parents.) -+ * -+ * Propagation of realization "side-ways" (i.e. towards siblings) is in relevant on cgroup-v1 where -+ * scheduling become very weird if two units that own processes reside in the same slice, but one is -+ * realized in the "cpu" hierarchy and once is not (for example because one has CPUWeight= set and -+ * the other does not), because that means processes need to be scheduled against groups. Let's avoid -+ * this asymmetry by always ensuring that units below a slice that are realized at all are hence -+ * always realized in *all* their hierarchies, and it is sufficient for a unit's sibling to be -+ * realized for a unit to be realized too. */ -+ - - while ((slice = UNIT_DEREF(u->slice))) { - Iterator i; -@@ -1996,6 +2005,11 @@ static void unit_add_siblings_to_cgroup_realize_queue(Unit *u) { - if (UNIT_IS_INACTIVE_OR_FAILED(unit_active_state(m))) - continue; - -+ /* We only enqueue siblings if they were realized once at least, in the main -+ * hierarchy. */ -+ if (!m->cgroup_realized) -+ continue; -+ - /* If the unit doesn't need any new controllers and has current ones realized, it - * doesn't need any changes. */ - if (unit_has_mask_realized(m, --- -2.27.0 - diff --git a/10008-core-add-a-config-item-to-support-setting-the-value-.patch b/10008-core-add-a-config-item-to-support-setting-the-value-.patch deleted file mode 100644 index 272d61b..0000000 --- a/10008-core-add-a-config-item-to-support-setting-the-value-.patch +++ /dev/null @@ -1,120 +0,0 @@ -From f21d63650318791f29f56dc26f23acb5b53620a6 Mon Sep 17 00:00:00 2001 -From:Yuanhong Peng -Date: Tue, 19 Apr 2022 14:13:49 +0800 -Subject: [PATCH] core: add a config item to support setting the value - ---- - src/core/main.c | 69 +++++++++++++++++++++++++++++++++++++++++++++++++ - 1 file changed, 69 insertions(+) - -diff --git a/src/core/main.c b/src/core/main.c -index 81dae1c..0712423 100644 ---- a/src/core/main.c -+++ b/src/core/main.c -@@ -140,6 +140,7 @@ static NUMAPolicy arg_numa_policy; - static bool reexec_jmp_can = false; - static bool reexec_jmp_inited = false; - static sigjmp_buf reexec_jmp_buf; -+static bool arg_default_cpuset_clone_children = false; - - static int parse_configuration(const struct rlimit *saved_rlimit_nofile, - const struct rlimit *saved_rlimit_memlock); -@@ -527,6 +528,14 @@ static int parse_proc_cmdline_item(const char *key, const char *value, void *dat - return 0; - - parse_path_argument_and_warn(value, false, &arg_watchdog_device); -+ -+ } else if (proc_cmdline_key_streq(key, "systemd.cpuset_clone_children") && value) { -+ -+ r = parse_boolean(value); -+ if (r < 0) -+ log_warning("Failed to parse cpuset_clone_children switch %s. Ignoring.", value); -+ else -+ arg_default_cpuset_clone_children = r; - - } else if (streq(key, "quiet") && !value) { - -@@ -756,6 +765,7 @@ static int parse_config_file(void) { - { "Manager", "DefaultTasksAccounting", config_parse_bool, 0, &arg_default_tasks_accounting }, - { "Manager", "DefaultTasksMax", config_parse_tasks_max, 0, &arg_default_tasks_max }, - { "Manager", "CtrlAltDelBurstAction", config_parse_emergency_action, 0, &arg_cad_burst_action }, -+ { "Manager", "DefaultCPUSetCloneChildren",config_parse_bool, 0, &arg_default_cpuset_clone_children }, - {} - }; - -@@ -1872,6 +1882,64 @@ static void log_execution_mode(bool *ret_first_boot) { - } - } - -+static bool is_use_triple_cgroup(void) { -+ const char * path ="/sys/fs/cgroup/cpuset"; -+ _cleanup_strv_free_ char **l = NULL; -+ char buf[128] = {0}; -+ int r; -+ -+ r = is_symlink(path); -+ if (r <= 0) -+ return false; -+ -+ r = readlink(path, buf, sizeof(buf)); -+ if (r < 0 || (unsigned int)r >= sizeof(buf)) -+ return false; -+ -+ buf[r] = '\0'; -+ l = strv_split(buf, ","); -+ if (!l) -+ return false; -+ -+ strv_sort(l); -+ if (strv_length(l) != 3) -+ return false; -+ -+ if (streq(l[0],"cpu") && streq(l[1], "cpuacct") && -+ streq(l[2], "cpuset")) { -+ log_debug(PACKAGE_STRING " use_triple_cgroup: %s", buf); -+ return true; -+ } -+ return false; -+} -+ -+static int ali_handle_cpuset_clone_children(void) -+{ -+ const char *file = "/sys/fs/cgroup/cpuset/cgroup.clone_children"; -+ _cleanup_free_ char *buf = NULL; -+ int r; -+ -+ r = read_one_line_file(file, &buf); -+ if (r < 0) { -+ log_warning_errno(r, "Cannot read %s: %m", file); -+ return r; -+ } -+ -+ if (streq(buf, "1") && arg_default_cpuset_clone_children) -+ return 0; -+ -+ if (streq(buf, "0") && (!arg_default_cpuset_clone_children)) -+ return 0; -+ -+ if (!is_use_triple_cgroup()) -+ return 0; -+ -+ r = write_string_file(file, one_zero(arg_default_cpuset_clone_children), 0); -+ log_info(PACKAGE_STRING " set %s to %s, ret=%d", file, one_zero(arg_default_cpuset_clone_children), r); -+ return r; -+} -+ -+ - static int initialize_runtime( - bool skip_setup, - struct rlimit *saved_rlimit_nofile, -@@ -1906,6 +1974,7 @@ static int initialize_runtime( - return r; - } - -+ ali_handle_cpuset_clone_children(); - status_welcome(); - hostname_setup(); - machine_id_setup(NULL, arg_machine_id, NULL); --- -2.27.0 - diff --git a/10009-systemd-anolis-support-loongarch64.patch b/10009-systemd-anolis-support-loongarch64.patch deleted file mode 100644 index b76c8e0..0000000 --- a/10009-systemd-anolis-support-loongarch64.patch +++ /dev/null @@ -1,56 +0,0 @@ -From c8b7c2b34bd451cd9d5904fc215ad14893008a03 Mon Sep 17 00:00:00 2001 -From: rpm-build -Date: Tue, 19 Apr 2022 14:25:05 +0800 -Subject: [PATCH] support loongarch64 for systemd - ---- - src/basic/architecture.c | 3 +++ - src/basic/architecture.h | 4 ++++ - 2 files changed, 7 insertions(+) - -diff --git a/src/basic/architecture.c b/src/basic/architecture.c -index 85837b5..96bbf97 100644 ---- a/src/basic/architecture.c -+++ b/src/basic/architecture.c -@@ -118,6 +118,8 @@ int uname_architecture(void) { - #elif defined(__arc__) - { "arc", ARCHITECTURE_ARC }, - { "arceb", ARCHITECTURE_ARC_BE }, -+#elif defined(__loongarch64) -+ { "loongarch64", ARCHITECTURE_LOONGARCH64 }, - #else - #error "Please register your architecture here!" - #endif -@@ -173,6 +175,7 @@ static const char *const architecture_table[_ARCHITECTURE_MAX] = { - [ARCHITECTURE_RISCV64] = "riscv64", - [ARCHITECTURE_ARC] = "arc", - [ARCHITECTURE_ARC_BE] = "arc-be", -+ [ARCHITECTURE_LOONGARCH64] = "loongarch64", - }; - - DEFINE_STRING_TABLE_LOOKUP(architecture, int); -diff --git a/src/basic/architecture.h b/src/basic/architecture.h -index 443e890..22e9108 100644 ---- a/src/basic/architecture.h -+++ b/src/basic/architecture.h -@@ -44,6 +44,7 @@ enum { - ARCHITECTURE_RISCV64, - ARCHITECTURE_ARC, - ARCHITECTURE_ARC_BE, -+ ARCHITECTURE_LOONGARCH64, - _ARCHITECTURE_MAX, - _ARCHITECTURE_INVALID = -1 - }; -@@ -229,6 +230,9 @@ int uname_architecture(void); - # define native_architecture() ARCHITECTURE_ARC - # define LIB_ARCH_TUPLE "arc-linux" - # endif -+#elif defined(__loongarch64) -+# define native_architecture() ARCHITECTURE_LOONGARCH64 -+# define LIB_ARCH_TUPLE "loongarch64-linux-gnu" - #else - # error "Please register your architecture here!" - #endif --- -2.27.0 - diff --git a/10010-test-catalog-Fix-coredump-when-compiled-under-GCC10.patch b/10010-test-catalog-Fix-coredump-when-compiled-under-GCC10.patch deleted file mode 100644 index d4054b4..0000000 --- a/10010-test-catalog-Fix-coredump-when-compiled-under-GCC10.patch +++ /dev/null @@ -1,56 +0,0 @@ -From 5209a26aa917aa54b09ee18394ad46ee601e77be Mon Sep 17 00:00:00 2001 -From: Yuanhong Peng -Date: Tue, 17 May 2022 21:34:34 +0800 -Subject: [PATCH] test-catalog: Fix coredump when compiled under GCC10 - -According to the documentation: -https://gcc.gnu.org/gcc-9/porting_to.html#complit: - -The `catalog_dirs` produced by STRV_MAKE(..) marco relies on -the extended lifetime feature which is fixed by GCC9. - -Signed-off-by: Yuanhong Peng ---- - src/journal/test-catalog.c | 12 ++++++++---- - 1 file changed, 8 insertions(+), 4 deletions(-) - -diff --git a/src/journal/test-catalog.c b/src/journal/test-catalog.c -index 0c4da29..2ce92af 100644 ---- a/src/journal/test-catalog.c -+++ b/src/journal/test-catalog.c -@@ -201,7 +201,8 @@ static void test_catalog_file_lang(void) { - - int main(int argc, char *argv[]) { - _cleanup_(unlink_tempfilep) char database[] = "/tmp/test-catalog.XXXXXX"; -- _cleanup_free_ char *text = NULL, *catalog_dir = NULL; -+ _cleanup_free_ char *text = NULL; -+ char *catalog_dir = CATALOG_DIR; - int r; - - setlocale(LC_ALL, "de_DE.UTF-8"); -@@ -214,10 +215,9 @@ int main(int argc, char *argv[]) { - * If it is not, e.g. installed by systemd-tests package, then use installed catalogs. */ - if (test_is_running_from_builddir(NULL)) { - assert_se(catalog_dir = path_join(NULL, ABS_BUILD_DIR, "catalog")); -- catalog_dirs = STRV_MAKE(catalog_dir); -- } else -- catalog_dirs = STRV_MAKE(CATALOG_DIR); -+ } - -+ catalog_dirs = STRV_MAKE(catalog_dir); - assert_se(access(catalog_dirs[0], F_OK) >= 0); - log_notice("Using catalog directory '%s'", catalog_dirs[0]); - -@@ -242,5 +242,9 @@ int main(int argc, char *argv[]) { - assert_se(catalog_get(database, SD_MESSAGE_COREDUMP, &text) >= 0); - printf(">>>%s<<<\n", text); - -+ /* Only in this case, catalog_dir is malloced */ -+ if (test_is_running_from_builddir(NULL)) -+ free(catalog_dir); -+ - return 0; - } --- -2.27.0 - diff --git a/10011-hwdb-add-Iluvatar-CoreX.patch b/10011-hwdb-add-Iluvatar-CoreX.patch deleted file mode 100644 index e08657c..0000000 --- a/10011-hwdb-add-Iluvatar-CoreX.patch +++ /dev/null @@ -1,44 +0,0 @@ -From 28e47526dce925e6f32cf79825d38fd10e1f442a Mon Sep 17 00:00:00 2001 -From: rpm-build -Date: Tue, 26 Jul 2022 22:01:58 +0800 -Subject: [PATCH] hwdb: add Iluvatar CoreX - -Signed-off-by: rpm-build ---- - hwdb/20-pci-vendor-model.hwdb | 6 ++++++ - hwdb/pci.ids | 2 ++ - 2 files changed, 8 insertions(+) - -diff --git a/hwdb/20-pci-vendor-model.hwdb b/hwdb/20-pci-vendor-model.hwdb -index 0020046..78926f8 100644 ---- a/hwdb/20-pci-vendor-model.hwdb -+++ b/hwdb/20-pci-vendor-model.hwdb -@@ -71141,6 +71141,12 @@ pci:v00001EEC* - pci:v00001EFB* - ID_VENDOR_FROM_DATABASE=Flexxon Pte Ltd - -+pci:v00001E3E* -+ ID_VENDOR_FROM_DATABASE=Iluvatar CoreX -+ -+pci:v00001E3Ed00000001* -+ ID_MODEL_FROM_DATABASE=Iluvatar BI-V100 -+ - pci:v00001FC0* - ID_VENDOR_FROM_DATABASE=Ascom (Finland) Oy - -diff --git a/hwdb/pci.ids b/hwdb/pci.ids -index 40ee143..d6661c7 100644 ---- a/hwdb/pci.ids -+++ b/hwdb/pci.ids -@@ -21543,6 +21543,8 @@ - 0003 alst4x - 1dfc JSC NT-COM - 1181 TDM 8 Port E1/T1/J1 Adapter -+1e3e Iluvatar CoreX -+ 0001 Iluvatar BI-V100 - # nee Tumsan Oy - 1fc0 Ascom (Finland) Oy - 0300 E2200 Dual E1/Rawpipe Card --- -2.27.0 - diff --git a/10012-seccomp-add-loongarch-support.patch b/10012-seccomp-add-loongarch-support.patch deleted file mode 100644 index 6aba34f..0000000 --- a/10012-seccomp-add-loongarch-support.patch +++ /dev/null @@ -1,101 +0,0 @@ -From 4c7025f5198be3d055c0e5ad68d364a57e8a7dcc Mon Sep 17 00:00:00 2001 -From: rpm-build -Date: Thu, 22 Sep 2022 10:33:54 +0800 -Subject: [PATCH] seccomp: add loongarch support - ---- - src/shared/seccomp-util.c | 18 +++++++++++++----- - 1 file changed, 13 insertions(+), 5 deletions(-) - -diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c -index c57c409..1eec0be 100644 ---- a/src/shared/seccomp-util.c -+++ b/src/shared/seccomp-util.c -@@ -42,6 +42,8 @@ const uint32_t seccomp_local_archs[] = { - SCMP_ARCH_AARCH64, /* native */ - #elif defined(__arm__) - SCMP_ARCH_ARM, -+#elif defined(__loongarch__) -+ SCMP_ARCH_LOONGARCH64, - #elif defined(__mips__) && __BYTE_ORDER == __BIG_ENDIAN && _MIPS_SIM == _MIPS_SIM_ABI32 - SCMP_ARCH_MIPSEL, - SCMP_ARCH_MIPS, /* native */ -@@ -114,6 +116,8 @@ const char* seccomp_arch_to_string(uint32_t c) { - return "arm"; - case SCMP_ARCH_AARCH64: - return "arm64"; -+ case SCMP_ARCH_LOONGARCH64: -+ return "loongarch64"; - case SCMP_ARCH_MIPS: - return "mips"; - case SCMP_ARCH_MIPS64: -@@ -159,6 +163,8 @@ int seccomp_arch_from_string(const char *n, uint32_t *ret) { - *ret = SCMP_ARCH_ARM; - else if (streq(n, "arm64")) - *ret = SCMP_ARCH_AARCH64; -+ else if (streq(n, "loongarch64")) -+ *ret = SCMP_ARCH_LOONGARCH64; - else if (streq(n, "mips")) - *ret = SCMP_ARCH_MIPS; - else if (streq(n, "mips64")) -@@ -1206,7 +1212,7 @@ int seccomp_protect_sysctl(void) { - - log_debug("Operating on architecture: %s", seccomp_arch_to_string(arch)); - -- if (IN_SET(arch, SCMP_ARCH_X32, SCMP_ARCH_AARCH64)) -+ if (IN_SET(arch, SCMP_ARCH_X32, SCMP_ARCH_AARCH64, SCMP_ARCH_LOONGARCH64)) - /* No _sysctl syscall */ - continue; - -@@ -1251,6 +1257,7 @@ int seccomp_restrict_address_families(Set *address_families, bool whitelist) { - case SCMP_ARCH_X32: - case SCMP_ARCH_ARM: - case SCMP_ARCH_AARCH64: -+ case SCMP_ARCH_LOONGARCH64: - case SCMP_ARCH_MIPSEL64N32: - case SCMP_ARCH_MIPS64N32: - case SCMP_ARCH_MIPSEL64: -@@ -1496,7 +1503,7 @@ static int add_seccomp_syscall_filter(scmp_filter_ctx seccomp, - } - - /* For known architectures, check that syscalls are indeed defined or not. */ --#if defined(__x86_64__) || defined(__arm__) || defined(__aarch64__) -+#if defined(__x86_64__) || defined(__arm__) || defined(__aarch64__) || defined(__loongarch__) - assert_cc(SCMP_SYS(shmget) > 0); - assert_cc(SCMP_SYS(shmat) > 0); - assert_cc(SCMP_SYS(shmdt) > 0); -@@ -1543,13 +1550,14 @@ int seccomp_memory_deny_write_execute(void) { - case SCMP_ARCH_X86_64: - case SCMP_ARCH_X32: - case SCMP_ARCH_AARCH64: -+ case SCMP_ARCH_LOONGARCH64: - filter_syscall = SCMP_SYS(mmap); /* amd64, x32, and arm64 have only mmap */ - shmat_syscall = SCMP_SYS(shmat); - break; - - /* Please add more definitions here, if you port systemd to other architectures! */ - --#if !defined(__i386__) && !defined(__x86_64__) && !defined(__powerpc__) && !defined(__powerpc64__) && !defined(__arm__) && !defined(__aarch64__) -+#if !defined(__i386__) && !defined(__x86_64__) && !defined(__powerpc__) && !defined(__powerpc64__) && !defined(__arm__) && !defined(__aarch64__) && !defined(__loongarch__) - #warning "Consider adding the right mmap() syscall definitions here!" - #endif - } -@@ -1573,13 +1581,13 @@ int seccomp_memory_deny_write_execute(void) { - if (r < 0) - continue; - } -- -+ if (!IN_SET(arch, SCMP_ARCH_LOONGARCH64)){ - r = add_seccomp_syscall_filter(seccomp, arch, SCMP_SYS(mprotect), - 1, - SCMP_A2(SCMP_CMP_MASKED_EQ, PROT_EXEC, PROT_EXEC)); - if (r < 0) - continue; -- -+ } - #ifdef __NR_pkey_mprotect - r = add_seccomp_syscall_filter(seccomp, arch, SCMP_SYS(pkey_mprotect), - 1, --- -2.27.0 - diff --git a/10013-umount-check-LO_FLAGS_AUTOCLEAR-after-LOOP_CLR_FD-cl.patch b/10013-umount-check-LO_FLAGS_AUTOCLEAR-after-LOOP_CLR_FD-cl.patch deleted file mode 100644 index fbc76ac..0000000 --- a/10013-umount-check-LO_FLAGS_AUTOCLEAR-after-LOOP_CLR_FD-cl.patch +++ /dev/null @@ -1,69 +0,0 @@ -From b877c3b06f15a025748b9f09621ddf1bd00cacce Mon Sep 17 00:00:00 2001 -From: Lennart Poettering -Date: Fri, 20 Dec 2019 17:58:03 +0100 -Subject: [PATCH] umount: check LO_FLAGS_AUTOCLEAR after LOOP_CLR_FD claimed - success - -Fixes: #14410 -Replaces: #14386 - -For Lifsea-ng, this patch fixes the problem that the system occasionally -fail to shutdown caused by /sysroot unable to umount. - ---- - systemd-239/src/core/umount.c | 29 ++++++++++++++++++++++------- - 1 file changed, 22 insertions(+), 7 deletions(-) - -diff --git a/src/core/umount.c b/src/core/umount.c -index 241fe6f..4400b3c 100644 ---- a/src/core/umount.c -+++ b/src/core/umount.c -@@ -334,23 +334,38 @@ static int dm_list_get(MountPoint **head) { - - static int delete_loopback(const char *device) { - _cleanup_close_ int fd = -1; -- int r; -+ struct loop_info64 info; - - assert(device); - - fd = open(device, O_RDONLY|O_CLOEXEC); - if (fd < 0) - return errno == ENOENT ? 0 : -errno; -+ -+ if (ioctl(fd, LOOP_CLR_FD, 0) < 0) { -+ if (errno == ENXIO) /* Nothing bound, didn't do anything */ -+ return 0; -+ -+ return -errno; -+ } - -- r = ioctl(fd, LOOP_CLR_FD, 0); -- if (r >= 0) -+ if (ioctl(fd, LOOP_GET_STATUS64, &info) < 0) { -+ /* If the LOOP_CLR_FD above succeeded we'll see ENXIO here. */ -+ if (errno == ENXIO) -+ log_debug("Successfully detached loopback device %s.", device); -+ else -+ log_debug_errno(errno, "Failed to invoke LOOP_GET_STATUS64 on loopback device %s, ignoring: %m", device); /* the LOOP_CLR_FD at least worked, let's hope for the best */ - return 1; -+ } - -- /* ENXIO: not bound, so no error */ -- if (errno == ENXIO) -- return 0; -+ /* Linux makes LOOP_CLR_FD succeed whenever LO_FLAGS_AUTOCLEAR is set without actually doing -+ * anything. Very confusing. Let's hence not claim we did anything in this case. */ -+ if (FLAGS_SET(info.lo_flags, LO_FLAGS_AUTOCLEAR)) -+ log_debug("Successfully called LOOP_CLR_FD on a loopback device %s with autoclear set, which is a NOP.", device); -+ else -+ log_debug("Weird, LOOP_CLR_FD succeeded but the device is still attached on %s.", device); - -- return -errno; -+ return -EBUSY; /* Nothing changed, the device is still attached, hence it apparently is still busy */; - } - - static int delete_dm(dev_t devnum) { --- -2.31.1 - diff --git a/10014-fileio-when-reading-a-full-file-into-memory-refuse-.patch b/10014-fileio-when-reading-a-full-file-into-memory-refuse-.patch deleted file mode 100644 index f2eeed5..0000000 --- a/10014-fileio-when-reading-a-full-file-into-memory-refuse-.patch +++ /dev/null @@ -1,120 +0,0 @@ -From 9f181efdd59bd3e9134cf94007953562ca8b57fa Mon Sep 17 00:00:00 2001 -From: Lennart Poettering -Date: Sat, 15 Dec 2018 12:25:32 +0100 -Subject: [PATCH] fileio: when reading a full file into memory, refuse inner - NUL bytes - -Just some extra care to avoid any ambiguities in what we read. - -(cherry picked from commit beb90929913354eec50c3524086fe70d14f97e2f) - -Signed-off-by: Guorui Yu ---- - src/basic/fileio.c | 25 +++++++++++++++++++------ - src/test/test-unit-file.c | 10 +++++----- - 2 files changed, 24 insertions(+), 11 deletions(-) - -diff --git a/src/basic/fileio.c b/src/basic/fileio.c -index 733fb42463..9fef97ff0c 100644 ---- a/src/basic/fileio.c -+++ b/src/basic/fileio.c -@@ -383,16 +383,20 @@ int read_full_virtual_file(const char *filename, char **ret_contents, size_t *re - return 0; - } - --int read_full_stream(FILE *f, char **contents, size_t *size) { -+int read_full_stream( -+ FILE *f, -+ char **ret_contents, -+ size_t *ret_size) { -+ - _cleanup_free_ char *buf = NULL; - struct stat st; - size_t n, l; - int fd; - - assert(f); -- assert(contents); -+ assert(ret_contents); - -- n = LINE_MAX; -+ n = LINE_MAX; /* Start size */ - - fd = fileno(f); - if (fd >= 0) { /* If the FILE* object is backed by an fd (as opposed to memory or such, see fmemopen(), let's -@@ -448,11 +452,20 @@ int read_full_stream(FILE *f, char **contents, size_t *size) { - n = MIN(n * 2, READ_FULL_BYTES_MAX); - } - -+ if (!ret_size) { -+ /* Safety check: if the caller doesn't want to know the size of what we just read it will rely on the -+ * trailing NUL byte. But if there's an embedded NUL byte, then we should refuse operation as otherwise -+ * there'd be ambiguity about what we just read. */ -+ -+ if (memchr(buf, 0, l)) -+ return -EBADMSG; -+ } -+ - buf[l] = 0; -- *contents = TAKE_PTR(buf); -+ *ret_contents = TAKE_PTR(buf); - -- if (size) -- *size = l; -+ if (ret_size) -+ *ret_size = l; - - return 0; - } -diff --git a/src/test/test-unit-file.c b/src/test/test-unit-file.c -index 09b0179fa1..e64a27dd39 100644 ---- a/src/test/test-unit-file.c -+++ b/src/test/test-unit-file.c -@@ -532,7 +532,7 @@ static void test_load_env_file_1(void) { - - fd = mkostemp_safe(name); - assert_se(fd >= 0); -- assert_se(write(fd, env_file_1, sizeof(env_file_1)) == sizeof(env_file_1)); -+ assert_se(write(fd, env_file_1, strlen(env_file_1)) == strlen(env_file_1)); - - r = load_env_file(NULL, name, NULL, &data); - assert_se(r == 0); -@@ -554,7 +554,7 @@ static void test_load_env_file_2(void) { - - fd = mkostemp_safe(name); - assert_se(fd >= 0); -- assert_se(write(fd, env_file_2, sizeof(env_file_2)) == sizeof(env_file_2)); -+ assert_se(write(fd, env_file_2, strlen(env_file_2)) == strlen(env_file_2)); - - r = load_env_file(NULL, name, NULL, &data); - assert_se(r == 0); -@@ -571,7 +571,7 @@ static void test_load_env_file_3(void) { - - fd = mkostemp_safe(name); - assert_se(fd >= 0); -- assert_se(write(fd, env_file_3, sizeof(env_file_3)) == sizeof(env_file_3)); -+ assert_se(write(fd, env_file_3, strlen(env_file_3)) == strlen(env_file_3)); - - r = load_env_file(NULL, name, NULL, &data); - assert_se(r == 0); -@@ -586,7 +586,7 @@ static void test_load_env_file_4(void) { - - fd = mkostemp_safe(name); - assert_se(fd >= 0); -- assert_se(write(fd, env_file_4, sizeof(env_file_4)) == sizeof(env_file_4)); -+ assert_se(write(fd, env_file_4, strlen(env_file_4)) == strlen(env_file_4)); - - r = load_env_file(NULL, name, NULL, &data); - assert_se(r == 0); -@@ -605,7 +605,7 @@ static void test_load_env_file_5(void) { - - fd = mkostemp_safe(name); - assert_se(fd >= 0); -- assert_se(write(fd, env_file_5, sizeof(env_file_5)) == sizeof(env_file_5)); -+ assert_se(write(fd, env_file_5, strlen(env_file_5)) == strlen(env_file_5)); - - r = load_env_file(NULL, name, NULL, &data); - assert_se(r == 0); --- -2.39.1 - diff --git a/10015-util-introduce-explicit_bzero_safe-for-explicit-mem.patch b/10015-util-introduce-explicit_bzero_safe-for-explicit-mem.patch deleted file mode 100644 index c0ec4be..0000000 --- a/10015-util-introduce-explicit_bzero_safe-for-explicit-mem.patch +++ /dev/null @@ -1,61 +0,0 @@ -From 17037ec625fca9e9a473a33954d011065f0088e3 Mon Sep 17 00:00:00 2001 -From: Guorui Yu -Date: Fri, 23 Jun 2023 13:01:24 +0800 -Subject: [PATCH] util: introduce explicit_bzero_safe for explicit memset - -(cherry picked from commit f441ae81ef70e9bdfddbb9e0a276bbb8ca2151d4) - -Signed-off-by: Guorui Yu ---- - src/basic/util.c | 18 ++++++++++++++++++ - src/basic/util.h | 11 +++++++++++ - 2 files changed, 29 insertions(+) - -diff --git a/src/basic/util.c b/src/basic/util.c -index 548e3652cc..bdfaca4aed 100644 ---- a/src/basic/util.c -+++ b/src/basic/util.c -@@ -684,3 +684,21 @@ void disable_coredumps(void) { - if (r < 0) - log_debug_errno(r, "Failed to turn off coredumps, ignoring: %m"); - } -+ -+#if !HAVE_EXPLICIT_BZERO -+/* -+ * The pointer to memset() is volatile so that compiler must de-reference the pointer and can't assume that -+ * it points to any function in particular (such as memset(), which it then might further "optimize"). This -+ * approach is inspired by openssl's crypto/mem_clr.c. -+ */ -+typedef void *(*memset_t)(void *,int,size_t); -+ -+static volatile memset_t memset_func = memset; -+ -+void* explicit_bzero_safe(void *p, size_t l) { -+ if (l > 0) -+ memset_func(p, '\0', l); -+ -+ return p; -+} -+#endif -diff --git a/src/basic/util.h b/src/basic/util.h -index 195f02cf5f..ab3314f82e 100644 ---- a/src/basic/util.h -+++ b/src/basic/util.h -@@ -240,3 +240,14 @@ int version(void); - int str_verscmp(const char *s1, const char *s2); - - void disable_coredumps(void); -+ -+#if HAVE_EXPLICIT_BZERO -+static inline void* explicit_bzero_safe(void *p, size_t l) { -+ if (l > 0) -+ explicit_bzero(p, l); -+ -+ return p; -+} -+#else -+void *explicit_bzero_safe(void *p, size_t l); -+#endif --- -2.39.1 - diff --git a/10016-util-introduce-erase_and_free-helper.patch b/10016-util-introduce-erase_and_free-helper.patch deleted file mode 100644 index 43c42fc..0000000 --- a/10016-util-introduce-erase_and_free-helper.patch +++ /dev/null @@ -1,48 +0,0 @@ -From 7c48fe64e3f1cdc61d9191d5e004d56d5244aa2c Mon Sep 17 00:00:00 2001 -From: Lennart Poettering -Date: Thu, 8 Aug 2019 19:53:17 +0200 -Subject: [PATCH] util: introduce erase_and_free() helper - -(cherry picked from commit a20dda788d5a0f3b300e0d8bb34e45be335e2915) - -Signed-off-by: Guorui Yu ---- - src/basic/util.h | 18 ++++++++++++++++++ - 1 file changed, 18 insertions(+) - -diff --git a/src/basic/util.h b/src/basic/util.h -index ab3314f82e..4f4877b6b0 100644 ---- a/src/basic/util.h -+++ b/src/basic/util.h -@@ -5,6 +5,7 @@ - #include - #include - #include -+#include - #include - #include - #include -@@ -251,3 +252,20 @@ static inline void* explicit_bzero_safe(void *p, size_t l) { - #else - void *explicit_bzero_safe(void *p, size_t l); - #endif -+ -+static inline void* erase_and_free(void *p) { -+ size_t l; -+ -+ if (!p) -+ return NULL; -+ -+ l = malloc_usable_size(p); -+ explicit_bzero_safe(p, l); -+ free(p); -+ -+ return NULL; -+} -+ -+static inline void erase_and_freep(void *p) { -+ erase_and_free(*(void**) p); -+} --- -2.39.1 - diff --git a/10017-util-introduce-READ_FULL_FILE_SECURE-flag-for-readi.patch b/10017-util-introduce-READ_FULL_FILE_SECURE-flag-for-readi.patch deleted file mode 100644 index a37d579..0000000 --- a/10017-util-introduce-READ_FULL_FILE_SECURE-flag-for-readi.patch +++ /dev/null @@ -1,207 +0,0 @@ -From bc781489901fc6447cbd27b8d33f4f4439d6a5db Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Mon, 8 Apr 2019 02:22:40 +0900 -Subject: [PATCH] util: introduce READ_FULL_FILE_SECURE flag for reading secure - data - -(cherry picked from commit e0721f97b05c0a5f782233711ea95c1e02ccba44) - -[Guorui Yu: include util.h for explicit_bzero_safe] -Signed-off-by: Guorui Yu ---- - src/basic/fileio.c | 68 ++++++++++++++++++++++++++++++++-------------- - src/basic/fileio.h | 16 +++++++++-- - 2 files changed, 60 insertions(+), 24 deletions(-) - -diff --git a/src/basic/fileio.c b/src/basic/fileio.c -index 9fef97ff0c..cf7c92ebc7 100644 ---- a/src/basic/fileio.c -+++ b/src/basic/fileio.c -@@ -35,6 +35,7 @@ - #include "time-util.h" - #include "umask-util.h" - #include "utf8.h" -+#include "util.h" - - #define READ_FULL_BYTES_MAX (4U*1024U*1024U) - -@@ -383,26 +384,27 @@ int read_full_virtual_file(const char *filename, char **ret_contents, size_t *re - return 0; - } - --int read_full_stream( -+int read_full_stream_full( - FILE *f, -+ ReadFullFileFlags flags, - char **ret_contents, - size_t *ret_size) { - - _cleanup_free_ char *buf = NULL; - struct stat st; -- size_t n, l; -- int fd; -+ size_t n, n_next, l; -+ int fd, r; - - assert(f); - assert(ret_contents); - -- n = LINE_MAX; /* Start size */ -+ n_next = LINE_MAX; /* Start size */ - - fd = fileno(f); - if (fd >= 0) { /* If the FILE* object is backed by an fd (as opposed to memory or such, see fmemopen(), let's - * optimize our buffering) */ - -- if (fstat(fileno(f), &st) < 0) -+ if (fstat(fd, &st) < 0) - return -errno; - - if (S_ISREG(st.st_mode)) { -@@ -415,27 +417,41 @@ int read_full_stream( - * to read here by one, so that the first read attempt already - * makes us notice the EOF. */ - if (st.st_size > 0) -- n = st.st_size + 1; -+ n_next = st.st_size + 1; - } - } - -- l = 0; -+ n = l = 0; - for (;;) { - char *t; - size_t k; - -- t = realloc(buf, n + 1); -- if (!t) -- return -ENOMEM; -+ if (flags & READ_FULL_FILE_SECURE) { -+ t = malloc(n_next + 1); -+ if (!t) { -+ r = -ENOMEM; -+ goto finalize; -+ } -+ memcpy_safe(t, buf, n); -+ explicit_bzero_safe(buf, n); -+ } else { -+ t = realloc(buf, n_next + 1); -+ if (!t) -+ return -ENOMEM; -+ } - - buf = t; -+ n = n_next; -+ - errno = 0; - k = fread(buf + l, 1, n - l, f); - if (k > 0) - l += k; - -- if (ferror(f)) -- return errno > 0 ? -errno : -EIO; -+ if (ferror(f)) { -+ r = errno > 0 ? -errno : -EIO; -+ goto finalize; -+ } - - if (feof(f)) - break; -@@ -446,10 +462,12 @@ int read_full_stream( - assert(l == n); - - /* Safety check */ -- if (n >= READ_FULL_BYTES_MAX) -- return -E2BIG; -+ if (n >= READ_FULL_BYTES_MAX) { -+ r = -E2BIG; -+ goto finalize; -+ } - -- n = MIN(n * 2, READ_FULL_BYTES_MAX); -+ n_next = MIN(n * 2, READ_FULL_BYTES_MAX); - } - - if (!ret_size) { -@@ -457,8 +475,10 @@ int read_full_stream( - * trailing NUL byte. But if there's an embedded NUL byte, then we should refuse operation as otherwise - * there'd be ambiguity about what we just read. */ - -- if (memchr(buf, 0, l)) -- return -EBADMSG; -+ if (memchr(buf, 0, l)) { -+ r = -EBADMSG; -+ goto finalize; -+ } - } - - buf[l] = 0; -@@ -468,21 +488,27 @@ int read_full_stream( - *ret_size = l; - - return 0; -+ -+finalize: -+ if (flags & READ_FULL_FILE_SECURE) -+ explicit_bzero_safe(buf, n); -+ -+ return r; - } - --int read_full_file(const char *fn, char **contents, size_t *size) { -+int read_full_file_full(const char *filename, ReadFullFileFlags flags, char **contents, size_t *size) { - _cleanup_fclose_ FILE *f = NULL; - -- assert(fn); -+ assert(filename); - assert(contents); - -- f = fopen(fn, "re"); -+ f = fopen(filename, "re"); - if (!f) - return -errno; - - (void) __fsetlocking(f, FSETLOCKING_BYCALLER); - -- return read_full_stream(f, contents, size); -+ return read_full_stream_full(f, flags, contents, size); - } - - static int parse_env_file_internal( -diff --git a/src/basic/fileio.h b/src/basic/fileio.h -index c6ad375b8d..06649ef7e6 100644 ---- a/src/basic/fileio.h -+++ b/src/basic/fileio.h -@@ -24,6 +24,10 @@ typedef enum { - - } WriteStringFileFlags; - -+typedef enum { -+ READ_FULL_FILE_SECURE = 1 << 0, -+} ReadFullFileFlags; -+ - int write_string_stream_ts(FILE *f, const char *line, WriteStringFileFlags flags, struct timespec *ts); - static inline int write_string_stream(FILE *f, const char *line, WriteStringFileFlags flags) { - return write_string_stream_ts(f, line, flags, NULL); -@@ -35,9 +39,15 @@ static inline int write_string_file(const char *fn, const char *line, WriteStrin - - int write_string_filef(const char *fn, WriteStringFileFlags flags, const char *format, ...) _printf_(3, 4); - --int read_one_line_file(const char *fn, char **line); --int read_full_file(const char *fn, char **contents, size_t *size); --int read_full_stream(FILE *f, char **contents, size_t *size); -+int read_one_line_file(const char *filename, char **line); -+int read_full_file_full(const char *filename, ReadFullFileFlags flags, char **contents, size_t *size); -+static inline int read_full_file(const char *filename, char **contents, size_t *size) { -+ return read_full_file_full(filename, 0, contents, size); -+} -+int read_full_stream_full(FILE *f, ReadFullFileFlags flags, char **contents, size_t *size); -+static inline int read_full_stream(FILE *f, char **contents, size_t *size) { -+ return read_full_stream_full(f, 0, contents, size); -+} - int read_full_virtual_file(const char *filename, char **ret_contents, size_t *ret_size); - - int verify_file(const char *fn, const char *blob, bool accept_extra_nl); --- -2.39.1 - diff --git a/10018-fileio-introduce-warn_file_is_world_accessible.patch b/10018-fileio-introduce-warn_file_is_world_accessible.patch deleted file mode 100644 index 02f9518..0000000 --- a/10018-fileio-introduce-warn_file_is_world_accessible.patch +++ /dev/null @@ -1,67 +0,0 @@ -From e4c4f0bc712e43776c4f58712f47260711607098 Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Mon, 8 Apr 2019 03:48:30 +0900 -Subject: [PATCH] fileio: introduce warn_file_is_world_accessible() - -(cherry picked from commit fc0895034d4811e8c6b263c0d902b31535613d76) - -Signed-off-by: Guorui Yu ---- - src/basic/fileio.c | 25 +++++++++++++++++++++++++ - src/basic/fileio.h | 3 +++ - 2 files changed, 28 insertions(+) - -diff --git a/src/basic/fileio.c b/src/basic/fileio.c -index cf7c92ebc7..2e74aac554 100644 ---- a/src/basic/fileio.c -+++ b/src/basic/fileio.c -@@ -1797,3 +1797,28 @@ int read_line(FILE *f, size_t limit, char **ret) { - - return (int) count; - } -+ -+int warn_file_is_world_accessible(const char *filename, struct stat *st, const char *unit, unsigned line) { -+ struct stat _st; -+ -+ if (!filename) -+ return 0; -+ -+ if (!st) { -+ if (stat(filename, &_st) < 0) -+ return -errno; -+ st = &_st; -+ } -+ -+ if ((st->st_mode & S_IRWXO) == 0) -+ return 0; -+ -+ if (unit) -+ log_syntax(unit, LOG_WARNING, filename, line, 0, -+ "%s has %04o mode that is too permissive, please adjust the access mode.", -+ filename, st->st_mode & 07777); -+ else -+ log_warning("%s has %04o mode that is too permissive, please adjust the access mode.", -+ filename, st->st_mode & 07777); -+ return 0; -+} -diff --git a/src/basic/fileio.h b/src/basic/fileio.h -index 06649ef7e6..2c9ce4355b 100644 ---- a/src/basic/fileio.h -+++ b/src/basic/fileio.h -@@ -5,6 +5,7 @@ - #include - #include - #include -+#include - #include - - #include "macro.h" -@@ -105,3 +106,5 @@ int read_nul_string(FILE *f, char **ret); - int mkdtemp_malloc(const char *template, char **ret); - - int read_line(FILE *f, size_t limit, char **ret); -+ -+int warn_file_is_world_accessible(const char *filename, struct stat *st, const char *unit, unsigned line); --- -2.39.1 - diff --git a/10019-fileio-read_full_file_full-also-warns-when-file-is-.patch b/10019-fileio-read_full_file_full-also-warns-when-file-is-.patch deleted file mode 100644 index af813a5..0000000 --- a/10019-fileio-read_full_file_full-also-warns-when-file-is-.patch +++ /dev/null @@ -1,64 +0,0 @@ -From 0dbf69ccdfa7b1f99935c3932445fbfa16dbbe75 Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Mon, 8 Apr 2019 14:15:10 +0900 -Subject: [PATCH] fileio: read_full_file_full() also warns when file is world - readable and secure flag is set - -(cherry picked from commit 65dcd394d8223bc6bc194f3fe5bd70fed9d9a4fe) - -Signed-off-by: Guorui Yu ---- - src/basic/fileio.c | 6 +++++- - src/basic/fileio.h | 4 ++-- - 2 files changed, 7 insertions(+), 3 deletions(-) - -diff --git a/src/basic/fileio.c b/src/basic/fileio.c -index 2e74aac554..3abeb0d7f4 100644 ---- a/src/basic/fileio.c -+++ b/src/basic/fileio.c -@@ -386,6 +386,7 @@ int read_full_virtual_file(const char *filename, char **ret_contents, size_t *re - - int read_full_stream_full( - FILE *f, -+ const char *filename, - ReadFullFileFlags flags, - char **ret_contents, - size_t *ret_size) { -@@ -418,6 +419,9 @@ int read_full_stream_full( - * makes us notice the EOF. */ - if (st.st_size > 0) - n_next = st.st_size + 1; -+ -+ if (flags & READ_FULL_FILE_SECURE) -+ (void) warn_file_is_world_accessible(filename, &st, NULL, 0); - } - } - -@@ -508,7 +512,7 @@ int read_full_file_full(const char *filename, ReadFullFileFlags flags, char **co - - (void) __fsetlocking(f, FSETLOCKING_BYCALLER); - -- return read_full_stream_full(f, flags, contents, size); -+ return read_full_stream_full(f, filename, flags, contents, size); - } - - static int parse_env_file_internal( -diff --git a/src/basic/fileio.h b/src/basic/fileio.h -index 2c9ce4355b..3e572dc0de 100644 ---- a/src/basic/fileio.h -+++ b/src/basic/fileio.h -@@ -45,9 +45,9 @@ int read_full_file_full(const char *filename, ReadFullFileFlags flags, char **co - static inline int read_full_file(const char *filename, char **contents, size_t *size) { - return read_full_file_full(filename, 0, contents, size); - } --int read_full_stream_full(FILE *f, ReadFullFileFlags flags, char **contents, size_t *size); -+int read_full_stream_full(FILE *f, const char *filename, ReadFullFileFlags flags, char **contents, size_t *size); - static inline int read_full_stream(FILE *f, char **contents, size_t *size) { -- return read_full_stream_full(f, 0, contents, size); -+ return read_full_stream_full(f, NULL, 0, contents, size); - } - int read_full_virtual_file(const char *filename, char **ret_contents, size_t *ret_size); - --- -2.39.1 - diff --git a/10020-basic-fileio-Fix-memory-leak-if-READ_FULL_FILE_SECU.patch b/10020-basic-fileio-Fix-memory-leak-if-READ_FULL_FILE_SECU.patch deleted file mode 100644 index e434089..0000000 --- a/10020-basic-fileio-Fix-memory-leak-if-READ_FULL_FILE_SECU.patch +++ /dev/null @@ -1,30 +0,0 @@ -From 14e0760c251fd5fc51731f7b58079c73f5055d64 Mon Sep 17 00:00:00 2001 -From: Benjamin Robin -Date: Sun, 14 Apr 2019 17:21:27 +0200 -Subject: [PATCH] basic/fileio: Fix memory leak if READ_FULL_FILE_SECURE flag - is used - -The memory leak introduced in #12223 (15f8f02) - -(cherry picked from commit 315a51982af2d480de9f7539346f30425e37a01e) - -Signed-off-by: Guorui Yu ---- - src/basic/fileio.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/src/basic/fileio.c b/src/basic/fileio.c -index 3abeb0d7f4..bb804e3afa 100644 ---- a/src/basic/fileio.c -+++ b/src/basic/fileio.c -@@ -438,6 +438,7 @@ int read_full_stream_full( - } - memcpy_safe(t, buf, n); - explicit_bzero_safe(buf, n); -+ buf = mfree(buf); - } else { - t = realloc(buf, n_next + 1); - if (!t) --- -2.39.1 - diff --git a/10021-fileio-add-explicit-flag-for-generating-world-execu.patch b/10021-fileio-add-explicit-flag-for-generating-world-execu.patch deleted file mode 100644 index 1a93b5a..0000000 --- a/10021-fileio-add-explicit-flag-for-generating-world-execu.patch +++ /dev/null @@ -1,44 +0,0 @@ -From 1e0dcd6fa1abea9c561f46556f7f7561b2a46e62 Mon Sep 17 00:00:00 2001 -From: Lennart Poettering -Date: Fri, 17 Jul 2020 11:53:22 +0200 -Subject: [PATCH] fileio: add explicit flag for generating world executable - warning when reading file - -(cherry picked from commit 684aa979f1c4ce5f75ccdc131f32fc0434999918) - -Signed-off-by: Guorui Yu ---- - src/basic/fileio.c | 2 +- - src/basic/fileio.h | 3 ++- - 2 files changed, 3 insertions(+), 2 deletions(-) - -diff --git a/src/basic/fileio.c b/src/basic/fileio.c -index bb804e3afa..833c55b030 100644 ---- a/src/basic/fileio.c -+++ b/src/basic/fileio.c -@@ -420,7 +420,7 @@ int read_full_stream_full( - if (st.st_size > 0) - n_next = st.st_size + 1; - -- if (flags & READ_FULL_FILE_SECURE) -+ if (flags & READ_FULL_FILE_WARN_WORLD_READABLE) - (void) warn_file_is_world_accessible(filename, &st, NULL, 0); - } - } -diff --git a/src/basic/fileio.h b/src/basic/fileio.h -index 3e572dc0de..be10ac77b6 100644 ---- a/src/basic/fileio.h -+++ b/src/basic/fileio.h -@@ -26,7 +26,8 @@ typedef enum { - } WriteStringFileFlags; - - typedef enum { -- READ_FULL_FILE_SECURE = 1 << 0, -+ READ_FULL_FILE_SECURE = 1 << 0, -+ READ_FULL_FILE_WARN_WORLD_READABLE = 1 << 3, - } ReadFullFileFlags; - - int write_string_stream_ts(FILE *f, const char *line, WriteStringFileFlags flags, struct timespec *ts); --- -2.39.1 - diff --git a/10022-fileio-add-dir_fd-parameter-to-read_full_file_full.patch b/10022-fileio-add-dir_fd-parameter-to-read_full_file_full.patch deleted file mode 100644 index f6dc153..0000000 --- a/10022-fileio-add-dir_fd-parameter-to-read_full_file_full.patch +++ /dev/null @@ -1,142 +0,0 @@ -From 3f4ca11498028756ebde239ae469c0f88e5d3ecc Mon Sep 17 00:00:00 2001 -From: Lennart Poettering -Date: Tue, 8 Jan 2019 18:29:36 +0100 -Subject: [PATCH] fileio: add 'dir_fd' parameter to read_full_file_full() - -Let's introduce an "at" version of read_full_file(). - -(cherry picked from commit f6be4db4530b7cfea191227c141343a4fb10d4c6) - -Signed-off-by: Guorui Yu ---- - src/basic/fileio.c | 84 +++++++++++++++++++++++++++++++++++++++++++--- - src/basic/fileio.h | 5 +-- - 2 files changed, 83 insertions(+), 6 deletions(-) - -diff --git a/src/basic/fileio.c b/src/basic/fileio.c -index 833c55b030..d7da834a74 100644 ---- a/src/basic/fileio.c -+++ b/src/basic/fileio.c -@@ -501,15 +501,91 @@ finalize: - return r; - } - --int read_full_file_full(const char *filename, ReadFullFileFlags flags, char **contents, size_t *size) { -+static int mode_to_flags(const char *mode) { -+ const char *p; -+ int flags; -+ -+ if ((p = startswith(mode, "r+"))) -+ flags = O_RDWR; -+ else if ((p = startswith(mode, "r"))) -+ flags = O_RDONLY; -+ else if ((p = startswith(mode, "w+"))) -+ flags = O_RDWR|O_CREAT|O_TRUNC; -+ else if ((p = startswith(mode, "w"))) -+ flags = O_WRONLY|O_CREAT|O_TRUNC; -+ else if ((p = startswith(mode, "a+"))) -+ flags = O_RDWR|O_CREAT|O_APPEND; -+ else if ((p = startswith(mode, "a"))) -+ flags = O_WRONLY|O_CREAT|O_APPEND; -+ else -+ return -EINVAL; -+ -+ for (; *p != 0; p++) { -+ -+ switch (*p) { -+ -+ case 'e': -+ flags |= O_CLOEXEC; -+ break; -+ -+ case 'x': -+ flags |= O_EXCL; -+ break; -+ -+ case 'm': -+ /* ignore this here, fdopen() might care later though */ -+ break; -+ -+ case 'c': /* not sure what to do about this one */ -+ default: -+ return -EINVAL; -+ } -+ } -+ -+ return flags; -+} -+ -+static int xfopenat(int dir_fd, const char *path, const char *mode, int flags, FILE **ret) { -+ FILE *f; -+ -+ /* A combination of fopen() with openat() */ -+ -+ if (dir_fd == AT_FDCWD && flags == 0) { -+ f = fopen(path, mode); -+ if (!f) -+ return -errno; -+ } else { -+ int fd, mode_flags; -+ -+ mode_flags = mode_to_flags(mode); -+ if (mode_flags < 0) -+ return mode_flags; -+ -+ fd = openat(dir_fd, path, mode_flags | flags); -+ if (fd < 0) -+ return -errno; -+ -+ f = fdopen(fd, mode); -+ if (!f) { -+ safe_close(fd); -+ return -errno; -+ } -+ } -+ -+ *ret = f; -+ return 0; -+} -+ -+int read_full_file_full(int dir_fd, const char *filename, ReadFullFileFlags flags, char **contents, size_t *size) { - _cleanup_fclose_ FILE *f = NULL; -+ int r; - - assert(filename); - assert(contents); - -- f = fopen(filename, "re"); -- if (!f) -- return -errno; -+ r = xfopenat(dir_fd, filename, "re", 0, &f); -+ if (r < 0) -+ return r; - - (void) __fsetlocking(f, FSETLOCKING_BYCALLER); - -diff --git a/src/basic/fileio.h b/src/basic/fileio.h -index be10ac77b6..916ddc5e47 100644 ---- a/src/basic/fileio.h -+++ b/src/basic/fileio.h -@@ -6,6 +6,7 @@ - #include - #include - #include -+#include - #include - - #include "macro.h" -@@ -42,9 +43,9 @@ static inline int write_string_file(const char *fn, const char *line, WriteStrin - int write_string_filef(const char *fn, WriteStringFileFlags flags, const char *format, ...) _printf_(3, 4); - - int read_one_line_file(const char *filename, char **line); --int read_full_file_full(const char *filename, ReadFullFileFlags flags, char **contents, size_t *size); -+int read_full_file_full(int dir_fd, const char *filename, ReadFullFileFlags flags, char **contents, size_t *size); - static inline int read_full_file(const char *filename, char **contents, size_t *size) { -- return read_full_file_full(filename, 0, contents, size); -+ return read_full_file_full(AT_FDCWD, filename, 0, contents, size); - } - int read_full_stream_full(FILE *f, const char *filename, ReadFullFileFlags flags, char **contents, size_t *size); - static inline int read_full_stream(FILE *f, char **contents, size_t *size) { --- -2.39.1 - diff --git a/10023-fileio-add-support-for-read_full_file-on-AF_UNIX-st.patch b/10023-fileio-add-support-for-read_full_file-on-AF_UNIX-st.patch deleted file mode 100644 index bb392bc..0000000 --- a/10023-fileio-add-support-for-read_full_file-on-AF_UNIX-st.patch +++ /dev/null @@ -1,271 +0,0 @@ -From 054669a4cc4897792b6c209fd55ab1fc1d7b9bd5 Mon Sep 17 00:00:00 2001 -From: Lennart Poettering -Date: Fri, 17 Jul 2020 12:26:01 +0200 -Subject: [PATCH] fileio: add support for read_full_file() on AF_UNIX stream - sockets - -Optionally, teach read_full_file() the ability to connect to an AF_UNIX -socket if the specified path points to one. - -(cherry picked from commit 412b888ec803cdf96fb1d005bb245d20abdb8f2e) - -[Guorui Yu: Adds sockaddr_un_set_path function to socket-util.{c,h}] -Signed-off-by: Guorui Yu ---- - src/basic/fileio.c | 62 +++++++++++++++++++++++++++++++++++------ - src/basic/fileio.h | 1 + - src/basic/socket-util.c | 42 ++++++++++++++++++++++++++++ - src/basic/socket-util.h | 1 + - src/test/test-fileio.c | 50 +++++++++++++++++++++++++++++++++ - 5 files changed, 147 insertions(+), 9 deletions(-) - -diff --git a/src/basic/fileio.c b/src/basic/fileio.c -index d7da834a74..9cb0a2bd28 100644 ---- a/src/basic/fileio.c -+++ b/src/basic/fileio.c -@@ -27,6 +27,7 @@ - #include "missing.h" - #include "parse-util.h" - #include "path-util.h" -+#include "socket-util.h" - #include "process-util.h" - #include "random-util.h" - #include "stdio-util.h" -@@ -450,21 +451,18 @@ int read_full_stream_full( - - errno = 0; - k = fread(buf + l, 1, n - l, f); -- if (k > 0) -- l += k; -+ -+ assert(k <= n - l); -+ l += k; - - if (ferror(f)) { - r = errno > 0 ? -errno : -EIO; - goto finalize; - } -- - if (feof(f)) - break; - -- /* We aren't expecting fread() to return a short read outside -- * of (error && eof), assert buffer is full and enlarge buffer. -- */ -- assert(l == n); -+ assert(k > 0); /* we can't have read zero bytes because that would have been EOF */ - - /* Safety check */ - if (n >= READ_FULL_BYTES_MAX) { -@@ -584,8 +582,54 @@ int read_full_file_full(int dir_fd, const char *filename, ReadFullFileFlags flag - assert(contents); - - r = xfopenat(dir_fd, filename, "re", 0, &f); -- if (r < 0) -- return r; -+ if (r < 0) { -+ _cleanup_close_ int dfd = -1, sk = -1; -+ union sockaddr_union sa; -+ -+ /* ENXIO is what Linux returns if we open a node that is an AF_UNIX socket */ -+ if (r != -ENXIO) -+ return r; -+ -+ /* If this is enabled, let's try to connect to it */ -+ if (!FLAGS_SET(flags, READ_FULL_FILE_CONNECT_SOCKET)) -+ return -ENXIO; -+ -+ if (dir_fd == AT_FDCWD) -+ r = sockaddr_un_set_path(&sa.un, filename); -+ else { -+ char procfs_path[STRLEN("/proc/self/fd/") + DECIMAL_STR_MAX(int)]; -+ -+ /* If we shall operate relative to some directory, then let's use O_PATH first to -+ * open the socket inode, and then connect to it via /proc/self/fd/. We have to do -+ * this since there's not connectat() that takes a directory fd as first arg. */ -+ -+ dfd = openat(dir_fd, filename, O_PATH|O_CLOEXEC); -+ if (dfd < 0) -+ return -errno; -+ -+ xsprintf(procfs_path, "/proc/self/fd/%i", dfd); -+ r = sockaddr_un_set_path(&sa.un, procfs_path); -+ } -+ if (r < 0) -+ return r; -+ -+ sk = socket(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC, 0); -+ if (sk < 0) -+ return -errno; -+ -+ if (connect(sk, &sa.sa, SOCKADDR_UN_LEN(sa.un)) < 0) -+ return errno == ENOTSOCK ? -ENXIO : -errno; /* propagate original error if this is -+ * not a socket after all */ -+ -+ if (shutdown(sk, SHUT_WR) < 0) -+ return -errno; -+ -+ f = fdopen(sk, "r"); -+ if (!f) -+ return -errno; -+ -+ TAKE_FD(sk); -+ } - - (void) __fsetlocking(f, FSETLOCKING_BYCALLER); - -diff --git a/src/basic/fileio.h b/src/basic/fileio.h -index 916ddc5e47..1a16e0fd13 100644 ---- a/src/basic/fileio.h -+++ b/src/basic/fileio.h -@@ -29,6 +29,7 @@ typedef enum { - typedef enum { - READ_FULL_FILE_SECURE = 1 << 0, - READ_FULL_FILE_WARN_WORLD_READABLE = 1 << 3, -+ READ_FULL_FILE_CONNECT_SOCKET = 1 << 4, - } ReadFullFileFlags; - - int write_string_stream_ts(FILE *f, const char *line, WriteStringFileFlags flags, struct timespec *ts); -diff --git a/src/basic/socket-util.c b/src/basic/socket-util.c -index 7f8066123b..427c8b89bb 100644 ---- a/src/basic/socket-util.c -+++ b/src/basic/socket-util.c -@@ -1253,6 +1253,48 @@ int socket_ioctl_fd(void) { - return fd; - } - -+int sockaddr_un_set_path(struct sockaddr_un *ret, const char *path) { -+ size_t l; -+ -+ assert(ret); -+ assert(path); -+ -+ /* Initialize ret->sun_path from the specified argument. This will interpret paths starting with '@' as -+ * abstract namespace sockets, and those starting with '/' as regular filesystem sockets. It won't accept -+ * anything else (i.e. no relative paths), to avoid ambiguities. Note that this function cannot be used to -+ * reference paths in the abstract namespace that include NUL bytes in the name. */ -+ -+ l = strlen(path); -+ if (l < 2) -+ return -EINVAL; -+ if (!IN_SET(path[0], '/', '@')) -+ return -EINVAL; -+ -+ /* Don't allow paths larger than the space in sockaddr_un. Note that we are a tiny bit more restrictive than -+ * the kernel is: we insist on NUL termination (both for abstract namespace and regular file system socket -+ * addresses!), which the kernel doesn't. We do this to reduce chance of incompatibility with other apps that -+ * do not expect non-NUL terminated file system path*/ -+ if (l+1 > sizeof(ret->sun_path)) -+ return -EINVAL; -+ -+ *ret = (struct sockaddr_un) { -+ .sun_family = AF_UNIX, -+ }; -+ -+ if (path[0] == '@') { -+ /* Abstract namespace socket */ -+ memcpy(ret->sun_path + 1, path + 1, l); /* copy *with* trailing NUL byte */ -+ return (int) (offsetof(struct sockaddr_un, sun_path) + l); /* 🔥 *don't* 🔥 include trailing NUL in size */ -+ -+ } else { -+ assert(path[0] == '/'); -+ -+ /* File system socket */ -+ memcpy(ret->sun_path, path, l + 1); /* copy *with* trailing NUL byte */ -+ return (int) (offsetof(struct sockaddr_un, sun_path) + l + 1); /* include trailing NUL in size */ -+ } -+} -+ - int socket_pass_pktinfo(int fd, bool b) { - int af; - socklen_t sl = sizeof(af); -diff --git a/src/basic/socket-util.h b/src/basic/socket-util.h -index 30baba6c03..36edc58caf 100644 ---- a/src/basic/socket-util.h -+++ b/src/basic/socket-util.h -@@ -186,6 +186,7 @@ struct cmsghdr* cmsg_find(struct msghdr *mh, int level, int type, socklen_t leng - }) - - int socket_ioctl_fd(void); -+int sockaddr_un_set_path(struct sockaddr_un *ret, const char *path); - - static inline int setsockopt_int(int fd, int level, int optname, int value) { - if (setsockopt(fd, level, optname, &value, sizeof(value)) < 0) -diff --git a/src/test/test-fileio.c b/src/test/test-fileio.c -index 14ba075144..82b7cb1242 100644 ---- a/src/test/test-fileio.c -+++ b/src/test/test-fileio.c -@@ -14,6 +14,8 @@ - #include "io-util.h" - #include "parse-util.h" - #include "process-util.h" -+#include "rm-rf.h" -+#include "socket-util.h" - #include "string-util.h" - #include "strv.h" - #include "util.h" -@@ -709,6 +711,53 @@ static void test_read_line3(void) { - assert_se(read_line(f, LINE_MAX, NULL) == 0); - } - -+static void test_read_full_file_socket(void) { -+ _cleanup_(rm_rf_physical_and_freep) char *z = NULL; -+ _cleanup_close_ int listener = -1; -+ _cleanup_free_ char *data = NULL; -+ union sockaddr_union sa; -+ const char *j; -+ size_t size; -+ pid_t pid; -+ int r; -+ -+ log_info("/* %s */", __func__); -+ -+ listener = socket(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC, 0); -+ assert_se(listener >= 0); -+ -+ assert_se(mkdtemp_malloc(NULL, &z) >= 0); -+ j = strjoina(z, "/socket"); -+ -+ assert_se(sockaddr_un_set_path(&sa.un, j) >= 0); -+ -+ assert_se(bind(listener, &sa.sa, SOCKADDR_UN_LEN(sa.un)) >= 0); -+ assert_se(listen(listener, 1) >= 0); -+ -+ r = safe_fork("(server)", FORK_DEATHSIG|FORK_LOG, &pid); -+ assert_se(r >= 0); -+ if (r == 0) { -+ _cleanup_close_ int rfd = -1; -+ /* child */ -+ -+ rfd = accept4(listener, NULL, 0, SOCK_CLOEXEC); -+ assert_se(rfd >= 0); -+ -+#define TEST_STR "This is a test\nreally." -+ -+ assert_se(write(rfd, TEST_STR, strlen(TEST_STR)) == strlen(TEST_STR)); -+ _exit(EXIT_SUCCESS); -+ } -+ -+ assert_se(read_full_file_full(AT_FDCWD, j, 0, &data, &size) == -ENXIO); -+ assert_se(read_full_file_full(AT_FDCWD, j, READ_FULL_FILE_CONNECT_SOCKET, &data, &size) >= 0); -+ assert_se(size == strlen(TEST_STR)); -+ assert_se(streq(data, TEST_STR)); -+ -+ assert_se(wait_for_terminate_and_check("(server)", pid, WAIT_LOG) >= 0); -+#undef TEST_STR -+} -+ - int main(int argc, char *argv[]) { - log_set_max_level(LOG_DEBUG); - log_parse_environment(); -@@ -733,6 +782,7 @@ int main(int argc, char *argv[]) { - test_read_line(); - test_read_line2(); - test_read_line3(); -+ test_read_full_file_socket(); - - return 0; - } --- -2.39.1 - diff --git a/10024-fileio-beef-up-READ_FULL_FILE_CONNECT_SOCKET-to-all.patch b/10024-fileio-beef-up-READ_FULL_FILE_CONNECT_SOCKET-to-all.patch deleted file mode 100644 index 2edc538..0000000 --- a/10024-fileio-beef-up-READ_FULL_FILE_CONNECT_SOCKET-to-all.patch +++ /dev/null @@ -1,181 +0,0 @@ -From 0717de25e6508b10ea034fa1b96675f18100ac01 Mon Sep 17 00:00:00 2001 -From: Lennart Poettering -Date: Mon, 2 Nov 2020 12:07:51 +0100 -Subject: [PATCH] fileio: beef up READ_FULL_FILE_CONNECT_SOCKET to allow - setting sender socket name - -This beefs up the READ_FULL_FILE_CONNECT_SOCKET logic of -read_full_file_full() a bit: when used a sender socket name may be -specified. If specified as NULL behaviour is as before: the client -socket name is picked by the kernel. But if specified as non-NULL the -client can pick a socket name to use when connecting. This is useful to -communicate a minimal amount of metainformation from client to server, -outside of the transport payload. - -Specifically, these beefs up the service credential logic to pass an -abstract AF_UNIX socket name as client socket name when connecting via -READ_FULL_FILE_CONNECT_SOCKET, that includes the requesting unit name -and the eventual credential name. This allows servers implementing the -trivial credential socket logic to distinguish clients: via a simple -getpeername() it can be determined which unit is requesting a -credential, and which credential specifically. - -Example: with this patch in place, in a unit file "waldo.service" a -configuration line like the following: - - LoadCredential=foo:/run/quux/creds.sock - -will result in a connection to the AF_UNIX socket /run/quux/creds.sock, -originating from an abstract namespace AF_UNIX socket: - - @$RANDOM/unit/waldo.service/foo - -(The $RANDOM is replaced by some randomized string. This is included in -the socket name order to avoid namespace squatting issues: the abstract -socket namespace is open to unprivileged users after all, and care needs -to be taken not to use guessable names) - -The services listening on the /run/quux/creds.sock socket may thus -easily retrieve the name of the unit the credential is requested for -plus the credential name, via a simpler getpeername(), discarding the -random preifx and the /unit/ string. - -This logic uses "/" as separator between the fields, since both unit -names and credential names appear in the file system, and thus are -designed to use "/" as outer separators. Given that it's a good safe -choice to use as separators here, too avoid any conflicts. - -This is a minimal patch only: the new logic is used only for the unit -file credential logic. For other places where we use -READ_FULL_FILE_CONNECT_SOCKET it is probably a good idea to use this -scheme too, but this should be done carefully in later patches, since -the socket names become API that way, and we should determine the right -amount of info to pass over. - -(cherry picked from commit 142e9756c98c69cdd5d03df4028700acb5739f72) - -Signed-off-by: Guorui Yu ---- - src/basic/fileio.c | 22 +++++++++++++++++++++- - src/basic/fileio.h | 4 ++-- - src/test/test-fileio.c | 19 ++++++++++++++++--- - 3 files changed, 39 insertions(+), 6 deletions(-) - -diff --git a/src/basic/fileio.c b/src/basic/fileio.c -index 9cb0a2bd28..35eaa3c1c7 100644 ---- a/src/basic/fileio.c -+++ b/src/basic/fileio.c -@@ -574,7 +574,13 @@ static int xfopenat(int dir_fd, const char *path, const char *mode, int flags, F - return 0; - } - --int read_full_file_full(int dir_fd, const char *filename, ReadFullFileFlags flags, char **contents, size_t *size) { -+int read_full_file_full( -+ int dir_fd, -+ const char *filename, -+ ReadFullFileFlags flags, -+ const char *bind_name, -+ char **contents, size_t *size) { -+ - _cleanup_fclose_ FILE *f = NULL; - int r; - -@@ -617,6 +623,20 @@ int read_full_file_full(int dir_fd, const char *filename, ReadFullFileFlags flag - if (sk < 0) - return -errno; - -+ if (bind_name) { -+ /* If the caller specified a socket name to bind to, do so before connecting. This is -+ * useful to communicate some minor, short meta-information token from the client to -+ * the server. */ -+ union sockaddr_union bsa; -+ -+ r = sockaddr_un_set_path(&bsa.un, bind_name); -+ if (r < 0) -+ return r; -+ -+ if (bind(sk, &bsa.sa, r) < 0) -+ return r; -+ } -+ - if (connect(sk, &sa.sa, SOCKADDR_UN_LEN(sa.un)) < 0) - return errno == ENOTSOCK ? -ENXIO : -errno; /* propagate original error if this is - * not a socket after all */ -diff --git a/src/basic/fileio.h b/src/basic/fileio.h -index 1a16e0fd13..82897e209c 100644 ---- a/src/basic/fileio.h -+++ b/src/basic/fileio.h -@@ -44,9 +44,9 @@ static inline int write_string_file(const char *fn, const char *line, WriteStrin - int write_string_filef(const char *fn, WriteStringFileFlags flags, const char *format, ...) _printf_(3, 4); - - int read_one_line_file(const char *filename, char **line); --int read_full_file_full(int dir_fd, const char *filename, ReadFullFileFlags flags, char **contents, size_t *size); -+int read_full_file_full(int dir_fd, const char *filename, ReadFullFileFlags flags, const char *bind_name, char **contents, size_t *size); - static inline int read_full_file(const char *filename, char **contents, size_t *size) { -- return read_full_file_full(AT_FDCWD, filename, 0, contents, size); -+ return read_full_file_full(AT_FDCWD, filename, 0, NULL, contents, size); - } - int read_full_stream_full(FILE *f, const char *filename, ReadFullFileFlags flags, char **contents, size_t *size); - static inline int read_full_stream(FILE *f, char **contents, size_t *size) { -diff --git a/src/test/test-fileio.c b/src/test/test-fileio.c -index 82b7cb1242..5ec70eec14 100644 ---- a/src/test/test-fileio.c -+++ b/src/test/test-fileio.c -@@ -14,6 +14,7 @@ - #include "io-util.h" - #include "parse-util.h" - #include "process-util.h" -+#include "random-util.h" - #include "rm-rf.h" - #include "socket-util.h" - #include "string-util.h" -@@ -714,7 +715,7 @@ static void test_read_line3(void) { - static void test_read_full_file_socket(void) { - _cleanup_(rm_rf_physical_and_freep) char *z = NULL; - _cleanup_close_ int listener = -1; -- _cleanup_free_ char *data = NULL; -+ _cleanup_free_ char *data = NULL, *clientname = NULL; - union sockaddr_union sa; - const char *j; - size_t size; -@@ -734,23 +735,35 @@ static void test_read_full_file_socket(void) { - assert_se(bind(listener, &sa.sa, SOCKADDR_UN_LEN(sa.un)) >= 0); - assert_se(listen(listener, 1) >= 0); - -+ /* Bind the *client* socket to some randomized name, to verify that this works correctly. */ -+ assert_se(asprintf(&clientname, "@%" PRIx64 "/test-bindname", random_u64()) >= 0); -+ - r = safe_fork("(server)", FORK_DEATHSIG|FORK_LOG, &pid); - assert_se(r >= 0); - if (r == 0) { -+ union sockaddr_union peer = {}; -+ socklen_t peerlen = sizeof(peer); - _cleanup_close_ int rfd = -1; - /* child */ - - rfd = accept4(listener, NULL, 0, SOCK_CLOEXEC); - assert_se(rfd >= 0); - -+ assert_se(getpeername(rfd, &peer.sa, &peerlen) >= 0); -+ -+ assert_se(peer.un.sun_family == AF_UNIX); -+ assert_se(peerlen > offsetof(struct sockaddr_un, sun_path)); -+ assert_se(peer.un.sun_path[0] == 0); -+ assert_se(streq(peer.un.sun_path + 1, clientname + 1)); -+ - #define TEST_STR "This is a test\nreally." - - assert_se(write(rfd, TEST_STR, strlen(TEST_STR)) == strlen(TEST_STR)); - _exit(EXIT_SUCCESS); - } - -- assert_se(read_full_file_full(AT_FDCWD, j, 0, &data, &size) == -ENXIO); -- assert_se(read_full_file_full(AT_FDCWD, j, READ_FULL_FILE_CONNECT_SOCKET, &data, &size) >= 0); -+ assert_se(read_full_file_full(AT_FDCWD, j, 0, NULL, &data, &size) == -ENXIO); -+ assert_se(read_full_file_full(AT_FDCWD, j, READ_FULL_FILE_CONNECT_SOCKET, clientname, &data, &size) >= 0); - assert_se(size == strlen(TEST_STR)); - assert_se(streq(data, TEST_STR)); - --- -2.39.1 - diff --git a/10025-fileio-teach-read_full_file_full-to-read-from-offse.patch b/10025-fileio-teach-read_full_file_full-to-read-from-offse.patch deleted file mode 100644 index 08e8f40..0000000 --- a/10025-fileio-teach-read_full_file_full-to-read-from-offse.patch +++ /dev/null @@ -1,246 +0,0 @@ -From 5be0e8a2c3e683c195fd872979d6e5741c80d13f Mon Sep 17 00:00:00 2001 -From: Lennart Poettering -Date: Wed, 4 Nov 2020 20:25:06 +0100 -Subject: [PATCH] fileio: teach read_full_file_full() to read from offset/with - maximum size - -(cherry picked from commit 7399b3f8083b65db4cb9acb17e4b5c897ba7946d) - -Signed-off-by: Guorui Yu ---- - src/basic/fileio.c | 60 ++++++++++++++++++++++++++++++------------ - src/basic/fileio.h | 12 ++++----- - src/test/test-fileio.c | 49 ++++++++++++++++++++++++++++++++-- - 3 files changed, 96 insertions(+), 25 deletions(-) - -diff --git a/src/basic/fileio.c b/src/basic/fileio.c -index 35eaa3c1c7..c14f9797bd 100644 ---- a/src/basic/fileio.c -+++ b/src/basic/fileio.c -@@ -388,44 +388,58 @@ int read_full_virtual_file(const char *filename, char **ret_contents, size_t *re - int read_full_stream_full( - FILE *f, - const char *filename, -+ uint64_t offset, -+ size_t size, - ReadFullFileFlags flags, - char **ret_contents, - size_t *ret_size) { - - _cleanup_free_ char *buf = NULL; -- struct stat st; - size_t n, n_next, l; - int fd, r; - - assert(f); - assert(ret_contents); - -- n_next = LINE_MAX; /* Start size */ -+ if (offset != UINT64_MAX && offset > LONG_MAX) -+ return -ERANGE; -+ -+ n_next = size != SIZE_MAX ? size : LINE_MAX; /* Start size */ - - fd = fileno(f); -- if (fd >= 0) { /* If the FILE* object is backed by an fd (as opposed to memory or such, see fmemopen(), let's -- * optimize our buffering) */ -+ if (fd >= 0) { /* If the FILE* object is backed by an fd (as opposed to memory or such, see -+ * fmemopen()), let's optimize our buffering */ -+ struct stat st; - - if (fstat(fd, &st) < 0) - return -errno; - - if (S_ISREG(st.st_mode)) { -- -- /* Safety check */ -- if (st.st_size > READ_FULL_BYTES_MAX) -- return -E2BIG; -- -- /* Start with the right file size. Note that we increase the size -- * to read here by one, so that the first read attempt already -- * makes us notice the EOF. */ -- if (st.st_size > 0) -- n_next = st.st_size + 1; -+ if (size == SIZE_MAX) { -+ uint64_t rsize = -+ LESS_BY((uint64_t) st.st_size, offset == UINT64_MAX ? 0 : offset); -+ -+ /* Safety check */ -+ if (rsize > READ_FULL_BYTES_MAX) -+ return -E2BIG; -+ -+ /* Start with the right file size. Note that we increase the size to read -+ * here by one, so that the first read attempt already makes us notice the -+ * EOF. If the reported size of the file is zero, we avoid this logic -+ * however, since quite likely it might be a virtual file in procfs that all -+ * report a zero file size. */ -+ if (st.st_size > 0) -+ n_next = rsize + 1; -+ } - - if (flags & READ_FULL_FILE_WARN_WORLD_READABLE) - (void) warn_file_is_world_accessible(filename, &st, NULL, 0); - } - } - -+ if (offset != UINT64_MAX && fseek(f, offset, SEEK_SET) < 0) -+ return -errno; -+ - n = l = 0; - for (;;) { - char *t; -@@ -462,6 +476,11 @@ int read_full_stream_full( - if (feof(f)) - break; - -+ if (size != SIZE_MAX) { /* If we got asked to read some specific size, we already sized the buffer right, hence leave */ -+ assert(l == size); -+ break; -+ } -+ - assert(k > 0); /* we can't have read zero bytes because that would have been EOF */ - - /* Safety check */ -@@ -577,15 +596,18 @@ static int xfopenat(int dir_fd, const char *path, const char *mode, int flags, F - int read_full_file_full( - int dir_fd, - const char *filename, -+ uint64_t offset, -+ size_t size, - ReadFullFileFlags flags, - const char *bind_name, -- char **contents, size_t *size) { -+ char **ret_contents, -+ size_t *ret_size) { - - _cleanup_fclose_ FILE *f = NULL; - int r; - - assert(filename); -- assert(contents); -+ assert(ret_contents); - - r = xfopenat(dir_fd, filename, "re", 0, &f); - if (r < 0) { -@@ -600,6 +622,10 @@ int read_full_file_full( - if (!FLAGS_SET(flags, READ_FULL_FILE_CONNECT_SOCKET)) - return -ENXIO; - -+ /* Seeking is not supported on AF_UNIX sockets */ -+ if (offset != UINT64_MAX) -+ return -ESPIPE; -+ - if (dir_fd == AT_FDCWD) - r = sockaddr_un_set_path(&sa.un, filename); - else { -@@ -653,7 +679,7 @@ int read_full_file_full( - - (void) __fsetlocking(f, FSETLOCKING_BYCALLER); - -- return read_full_stream_full(f, filename, flags, contents, size); -+ return read_full_stream_full(f, filename, offset, size, flags, ret_contents, ret_size); - } - - static int parse_env_file_internal( -diff --git a/src/basic/fileio.h b/src/basic/fileio.h -index 82897e209c..03150ce776 100644 ---- a/src/basic/fileio.h -+++ b/src/basic/fileio.h -@@ -44,13 +44,13 @@ static inline int write_string_file(const char *fn, const char *line, WriteStrin - int write_string_filef(const char *fn, WriteStringFileFlags flags, const char *format, ...) _printf_(3, 4); - - int read_one_line_file(const char *filename, char **line); --int read_full_file_full(int dir_fd, const char *filename, ReadFullFileFlags flags, const char *bind_name, char **contents, size_t *size); --static inline int read_full_file(const char *filename, char **contents, size_t *size) { -- return read_full_file_full(AT_FDCWD, filename, 0, NULL, contents, size); -+int read_full_file_full(int dir_fd, const char *filename, uint64_t offset, size_t size, ReadFullFileFlags flags, const char *bind_name, char **ret_contents, size_t *ret_size); -+static inline int read_full_file(const char *filename, char **ret_contents, size_t *ret_size) { -+ return read_full_file_full(AT_FDCWD, filename, UINT64_MAX, SIZE_MAX, 0, NULL, ret_contents, ret_size); - } --int read_full_stream_full(FILE *f, const char *filename, ReadFullFileFlags flags, char **contents, size_t *size); --static inline int read_full_stream(FILE *f, char **contents, size_t *size) { -- return read_full_stream_full(f, NULL, 0, contents, size); -+int read_full_stream_full(FILE *f, const char *filename, uint64_t offset, size_t size, ReadFullFileFlags flags, char **ret_contents, size_t *ret_size); -+static inline int read_full_stream(FILE *f, char **ret_contents, size_t *ret_size) { -+ return read_full_stream_full(f, NULL, UINT64_MAX, SIZE_MAX, 0, ret_contents, ret_size); - } - int read_full_virtual_file(const char *filename, char **ret_contents, size_t *ret_size); - -diff --git a/src/test/test-fileio.c b/src/test/test-fileio.c -index 5ec70eec14..5d0006149b 100644 ---- a/src/test/test-fileio.c -+++ b/src/test/test-fileio.c -@@ -762,8 +762,8 @@ static void test_read_full_file_socket(void) { - _exit(EXIT_SUCCESS); - } - -- assert_se(read_full_file_full(AT_FDCWD, j, 0, NULL, &data, &size) == -ENXIO); -- assert_se(read_full_file_full(AT_FDCWD, j, READ_FULL_FILE_CONNECT_SOCKET, clientname, &data, &size) >= 0); -+ assert_se(read_full_file_full(AT_FDCWD, j, UINT64_MAX, SIZE_MAX, 0, NULL, &data, &size) == -ENXIO); -+ assert_se(read_full_file_full(AT_FDCWD, j, UINT64_MAX, SIZE_MAX, READ_FULL_FILE_CONNECT_SOCKET, clientname, &data, &size) >= 0); - assert_se(size == strlen(TEST_STR)); - assert_se(streq(data, TEST_STR)); - -@@ -771,6 +771,50 @@ static void test_read_full_file_socket(void) { - #undef TEST_STR - } - -+static void test_read_full_file_offset_size(void) { -+ _cleanup_fclose_ FILE *f = NULL; -+ _cleanup_(unlink_and_freep) char *fn = NULL; -+ _cleanup_free_ char *rbuf = NULL; -+ size_t rbuf_size; -+ uint8_t buf[4711]; -+ -+ random_bytes(buf, sizeof(buf)); -+ -+ assert_se(tempfn_random_child(NULL, NULL, &fn) >= 0); -+ assert_se(f = fopen(fn, "we")); -+ assert_se(fwrite(buf, 1, sizeof(buf), f) == sizeof(buf)); -+ assert_se(fflush_and_check(f) >= 0); -+ -+ assert_se(read_full_file_full(AT_FDCWD, fn, UINT64_MAX, SIZE_MAX, 0, NULL, &rbuf, &rbuf_size) >= 0); -+ assert_se(rbuf_size == sizeof(buf)); -+ assert_se(memcmp(buf, rbuf, rbuf_size) == 0); -+ rbuf = mfree(rbuf); -+ -+ assert_se(read_full_file_full(AT_FDCWD, fn, UINT64_MAX, 128, 0, NULL, &rbuf, &rbuf_size) >= 0); -+ assert_se(rbuf_size == 128); -+ assert_se(memcmp(buf, rbuf, rbuf_size) == 0); -+ rbuf = mfree(rbuf); -+ -+ assert_se(read_full_file_full(AT_FDCWD, fn, 1234, SIZE_MAX, 0, NULL, &rbuf, &rbuf_size) >= 0); -+ assert_se(rbuf_size == sizeof(buf) - 1234); -+ assert_se(memcmp(buf + 1234, rbuf, rbuf_size) == 0); -+ rbuf = mfree(rbuf); -+ -+ assert_se(read_full_file_full(AT_FDCWD, fn, 2345, 777, 0, NULL, &rbuf, &rbuf_size) >= 0); -+ assert_se(rbuf_size == 777); -+ assert_se(memcmp(buf + 2345, rbuf, rbuf_size) == 0); -+ rbuf = mfree(rbuf); -+ -+ assert_se(read_full_file_full(AT_FDCWD, fn, 4700, 20, 0, NULL, &rbuf, &rbuf_size) >= 0); -+ assert_se(rbuf_size == 11); -+ assert_se(memcmp(buf + 4700, rbuf, rbuf_size) == 0); -+ rbuf = mfree(rbuf); -+ -+ assert_se(read_full_file_full(AT_FDCWD, fn, 10000, 99, 0, NULL, &rbuf, &rbuf_size) >= 0); -+ assert_se(rbuf_size == 0); -+ rbuf = mfree(rbuf); -+} -+ - int main(int argc, char *argv[]) { - log_set_max_level(LOG_DEBUG); - log_parse_environment(); -@@ -796,6 +840,7 @@ int main(int argc, char *argv[]) { - test_read_line2(); - test_read_line3(); - test_read_full_file_socket(); -+ test_read_full_file_offset_size(); - - return 0; - } --- -2.39.1 - diff --git a/10026-cryptsetup-port-cryptsetup-s-main-key-file-logic-ov.patch b/10026-cryptsetup-port-cryptsetup-s-main-key-file-logic-ov.patch deleted file mode 100644 index bb66170..0000000 --- a/10026-cryptsetup-port-cryptsetup-s-main-key-file-logic-ov.patch +++ /dev/null @@ -1,95 +0,0 @@ -From 8ef03861b75cf0a70511760c395cb4bd228c37b9 Mon Sep 17 00:00:00 2001 -From: Lennart Poettering -Date: Wed, 4 Nov 2020 17:24:53 +0100 -Subject: [PATCH] cryptsetup: port cryptsetup's main key file logic over to - read_full_file_full() -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Previously, we'd load the file with libcryptsetup's calls. Let's do that -in our own, so that we can make use of READ_FULL_FILE_CONNECT_SOCKET, -i.e. read in keys via AF_UNIX sockets, so that people can plug key -providers into our logic. - -This provides functionality similar to Debian's keyscript= crypttab -option (see → #3007), as it allows key scripts to be run as socket -activated services, that have stdout connected to the activated socket. -In contrast to traditional keyscript= support this logic runs stuff out -of process however, which is beneficial, since it allows sandboxing and -similar. - -(cherry picked from commit 165a476841ff1aa3aab3508771db9495ab073c7a) - -Signed-off-by: Guorui Yu ---- - src/cryptsetup/cryptsetup.c | 37 ++++++++++++++++++++++++++++++++----- - 1 file changed, 32 insertions(+), 5 deletions(-) - -diff --git a/src/cryptsetup/cryptsetup.c b/src/cryptsetup/cryptsetup.c -index 11162eb722..9251e0eba8 100644 ---- a/src/cryptsetup/cryptsetup.c -+++ b/src/cryptsetup/cryptsetup.c -@@ -17,6 +17,7 @@ - #include "mount-util.h" - #include "parse-util.h" - #include "path-util.h" -+#include "random-util.h" - #include "string-util.h" - #include "strv.h" - #include "util.h" -@@ -480,6 +481,15 @@ static int attach_tcrypt( - return 0; - } - -+static char *make_bindname(const char *volume) { -+ char *s; -+ -+ if (asprintf(&s, "@%" PRIx64"/cryptsetup/%s", random_u64(), volume) < 0) -+ return NULL; -+ -+ return s; -+} -+ - static int attach_luks_or_plain(struct crypt_device *cd, - const char *name, - const char *key_file, -@@ -553,13 +563,30 @@ static int attach_luks_or_plain(struct crypt_device *cd, - crypt_get_device_name(cd)); - - if (key_file) { -- r = crypt_activate_by_keyfile_offset(cd, name, arg_key_slot, key_file, arg_keyfile_size, arg_keyfile_offset, flags); -- if (r == -EPERM) { -- log_error_errno(r, "Failed to activate with key file '%s'. (Key data incorrect?)", key_file); -+ _cleanup_(erase_and_freep) char *kfdata = NULL; -+ _cleanup_free_ char *bindname = NULL; -+ size_t kfsize; -+ -+ /* If we read the key via AF_UNIX, make this client recognizable */ -+ bindname = make_bindname(name); -+ if (!bindname) -+ return log_oom(); -+ -+ r = read_full_file_full( -+ AT_FDCWD, key_file, -+ arg_keyfile_offset == 0 ? UINT64_MAX : arg_keyfile_offset, -+ arg_keyfile_size == 0 ? SIZE_MAX : arg_keyfile_size, -+ READ_FULL_FILE_SECURE|READ_FULL_FILE_WARN_WORLD_READABLE|READ_FULL_FILE_CONNECT_SOCKET, -+ bindname, -+ &kfdata, &kfsize); -+ if (r == -ENOENT) { -+ log_error_errno(r, "Failed to activate, key file '%s' missing.", key_file); - return -EAGAIN; /* Log actual error, but return EAGAIN */ - } -- if (r == -EINVAL) { -- log_error_errno(r, "Failed to activate with key file '%s'. (Key file missing?)", key_file); -+ -+ r = crypt_activate_by_passphrase(cd, name, arg_key_slot, kfdata, kfsize, flags); -+ if (r == -EPERM) { -+ log_error_errno(r, "Failed to activate with key file '%s'. (Key data incorrect?)", key_file); - return -EAGAIN; /* Log actual error, but return EAGAIN */ - } - if (r < 0) --- -2.39.1 - diff --git a/10027-fix-compilation-without-utmp.patch b/10027-fix-compilation-without-utmp.patch deleted file mode 100644 index 4526be3..0000000 --- a/10027-fix-compilation-without-utmp.patch +++ /dev/null @@ -1,24 +0,0 @@ -From 813c9418ca8f6eabd179feace3f115b874e6a1a6 Mon Sep 17 00:00:00 2001 -From: Steven Allen -Date: Wed, 7 Nov 2018 07:44:36 -0800 -Subject: [PATCH] fix compilation without utmp - ---- - src/login/logind-core.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/login/logind-core.c b/src/login/logind-core.c -index abe6eec..519abf5 100644 ---- a/src/login/logind-core.c -+++ b/src/login/logind-core.c -@@ -779,7 +779,7 @@ int manager_read_utmp(Manager *m) { - endutxent(); - return r; - #else -- return 0 -+ return 0; - #endif - } - --- -2.39.3 diff --git a/10028-cgroup-drastically-simplify-caching-of-cgroups-membe.patch b/10028-cgroup-drastically-simplify-caching-of-cgroups-membe.patch deleted file mode 100644 index d69f0ba..0000000 --- a/10028-cgroup-drastically-simplify-caching-of-cgroups-membe.patch +++ /dev/null @@ -1,228 +0,0 @@ -From 5af8805872809e6de4cc4d9495cb1a904772ab4e Mon Sep 17 00:00:00 2001 -From: Lennart Poettering -Date: Fri, 23 Nov 2018 01:07:34 +0100 -Subject: [PATCH] cgroup: drastically simplify caching of cgroups members mask - -Previously we tried to be smart: when a new unit appeared and it only -added controllers to the cgroup mask we'd update the cached members mask -in all parents by ORing in the controller flags in their cached values. -Unfortunately this was quite broken, as we missed some conditions when -this cache had to be reset (for example, when a unit got unloaded), -moreover the optimization doesn't work when a controller is removed -anyway (as in that case there's no other way for the parent to iterate -though all children if any other, remaining child unit still needs it). -Hence, let's simplify the logic substantially: instead of updating the -cache on the right events (which we didn't get right), let's simply -invalidate the cache, and generate it lazily when we encounter it later. -This should actually result in better behaviour as we don't have to -calculate the new members mask for a whole subtree whever we have the -suspicion something changed, but can delay it to the point where we -actually need the members mask. - -This allows us to simplify things quite a bit, which is good, since -validating this cache for correctness is hard enough. - -Fixes: #9512 ---- - src/core/cgroup.c | 49 +++++------------------------------------ - src/core/cgroup.h | 2 +- - src/core/dbus-mount.c | 2 +- - src/core/dbus-scope.c | 2 +- - src/core/dbus-service.c | 2 +- - src/core/dbus-slice.c | 2 +- - src/core/dbus-socket.c | 2 +- - src/core/dbus-swap.c | 2 +- - src/core/unit.c | 3 ++- - src/core/unit.h | 2 -- - 10 files changed, 14 insertions(+), 54 deletions(-) - -diff --git a/src/core/cgroup.c b/src/core/cgroup.c -index 6a5606f..d569077 100644 ---- a/src/core/cgroup.c -+++ b/src/core/cgroup.c -@@ -1450,53 +1450,12 @@ bool unit_get_needs_bpf(Unit *u) { - return false; - } - --/* Recurse from a unit up through its containing slices, propagating -- * mask bits upward. A unit is also member of itself. */ --void unit_update_cgroup_members_masks(Unit *u) { -- CGroupMask m; -- bool more; -- -+void unit_invalidate_cgroup_members_masks(Unit *u) { - assert(u); -- -- /* Calculate subtree mask */ -- m = unit_get_subtree_mask(u); -- -- /* See if anything changed from the previous invocation. If -- * not, we're done. */ -- if (u->cgroup_subtree_mask_valid && m == u->cgroup_subtree_mask) -- return; -- -- more = -- u->cgroup_subtree_mask_valid && -- ((m & ~u->cgroup_subtree_mask) != 0) && -- ((~m & u->cgroup_subtree_mask) == 0); -- -- u->cgroup_subtree_mask = m; -- u->cgroup_subtree_mask_valid = true; -- -- if (UNIT_ISSET(u->slice)) { -- Unit *s = UNIT_DEREF(u->slice); -- -- if (more) -- /* There's more set now than before. We -- * propagate the new mask to the parent's mask -- * (not caring if it actually was valid or -- * not). */ -- -- s->cgroup_members_mask |= m; -- -- else -- /* There's less set now than before (or we -- * don't know), we need to recalculate -- * everything, so let's invalidate the -- * parent's members mask */ -- -- s->cgroup_members_mask_valid = false; -- -- /* And now make sure that this change also hits our -- * grandparents */ -- unit_update_cgroup_members_masks(s); -- } -+ /* Recurse invalidate the member masks cache all the way up the tree */ -+ u->cgroup_members_mask_valid = false; -+ if (UNIT_ISSET(u->slice)) -+ unit_invalidate_cgroup_members_masks(UNIT_DEREF(u->slice)); - } - - const char *unit_get_realized_cgroup_path(Unit *u, CGroupMask mask) { -diff --git a/src/core/cgroup.h b/src/core/cgroup.h -index 36ea77f..a2e1644 100644 ---- a/src/core/cgroup.h -+++ b/src/core/cgroup.h -@@ -181,7 +181,7 @@ CGroupMask unit_get_enable_mask(Unit *u); - - bool unit_get_needs_bpf(Unit *u); - --void unit_update_cgroup_members_masks(Unit *u); -+void unit_invalidate_cgroup_members_masks(Unit *u); - - const char *unit_get_realized_cgroup_path(Unit *u, CGroupMask mask); - char *unit_default_cgroup_path(Unit *u); - -diff --git a/src/core/dbus-mount.c b/src/core/dbus-mount.c -index 3f98d3ecf0..b6d61627eb 100644 ---- a/src/core/dbus-mount.c -+++ b/src/core/dbus-mount.c -@@ -145,7 +145,7 @@ int bus_mount_set_property( - int bus_mount_commit_properties(Unit *u) { - assert(u); - -- unit_update_cgroup_members_masks(u); -+ unit_invalidate_cgroup_members_masks(u); - unit_realize_cgroup(u); - - return 0; -diff --git a/src/core/dbus-scope.c b/src/core/dbus-scope.c -index 5d9fe98857..bb807df2e9 100644 ---- a/src/core/dbus-scope.c -+++ b/src/core/dbus-scope.c -@@ -186,7 +186,7 @@ int bus_scope_set_property( - int bus_scope_commit_properties(Unit *u) { - assert(u); - -- unit_update_cgroup_members_masks(u); -+ unit_invalidate_cgroup_members_masks(u); - unit_realize_cgroup(u); - - return 0; -diff --git a/src/core/dbus-service.c b/src/core/dbus-service.c -index fdf6120610..10f53ef401 100644 ---- a/src/core/dbus-service.c -+++ b/src/core/dbus-service.c -@@ -424,7 +424,7 @@ int bus_service_set_property( - int bus_service_commit_properties(Unit *u) { - assert(u); - -- unit_update_cgroup_members_masks(u); -+ unit_invalidate_cgroup_members_masks(u); - unit_realize_cgroup(u); - - return 0; -diff --git a/src/core/dbus-slice.c b/src/core/dbus-slice.c -index 722a5688a5..effd5fa5d7 100644 ---- a/src/core/dbus-slice.c -+++ b/src/core/dbus-slice.c -@@ -28,7 +28,7 @@ int bus_slice_set_property( - int bus_slice_commit_properties(Unit *u) { - assert(u); - -- unit_update_cgroup_members_masks(u); -+ unit_invalidate_cgroup_members_masks(u); - unit_realize_cgroup(u); - - return 0; -diff --git a/src/core/dbus-socket.c b/src/core/dbus-socket.c -index 4ea5b6c6e5..3819653908 100644 ---- a/src/core/dbus-socket.c -+++ b/src/core/dbus-socket.c -@@ -461,7 +461,7 @@ int bus_socket_set_property( - int bus_socket_commit_properties(Unit *u) { - assert(u); - -- unit_update_cgroup_members_masks(u); -+ unit_invalidate_cgroup_members_masks(u); - unit_realize_cgroup(u); - - return 0; -diff --git a/src/core/dbus-swap.c b/src/core/dbus-swap.c -index b272d10113..353fa20132 100644 ---- a/src/core/dbus-swap.c -+++ b/src/core/dbus-swap.c -@@ -63,7 +63,7 @@ int bus_swap_set_property( - int bus_swap_commit_properties(Unit *u) { - assert(u); - -- unit_update_cgroup_members_masks(u); -+ unit_invalidate_cgroup_members_masks(u); - unit_realize_cgroup(u); - - return 0; -diff --git a/src/core/unit.c b/src/core/unit.c -index 392cc2d7c5..a8c0f08e95 100644 ---- a/src/core/unit.c -+++ b/src/core/unit.c -@@ -1547,7 +1547,8 @@ int unit_load(Unit *u) { - if (u->job_running_timeout != USEC_INFINITY && u->job_running_timeout > u->job_timeout) - log_unit_warning(u, "JobRunningTimeoutSec= is greater than JobTimeoutSec=, it has no effect."); - -- unit_update_cgroup_members_masks(u); -+ /* We finished loading, let's ensure our parents recalculate the members mask */ -+ unit_invalidate_cgroup_members_masks(u); - } - - assert((u->load_state != UNIT_MERGED) == !u->merged_into); -diff --git a/src/core/unit.h b/src/core/unit.h -index b8b9147..e2dd794 100644 ---- a/src/core/unit.h -+++ b/src/core/unit.h -@@ -265,7 +265,6 @@ typedef struct Unit { - char *cgroup_path; - CGroupMask cgroup_realized_mask; - CGroupMask cgroup_enabled_mask; -- CGroupMask cgroup_subtree_mask; - CGroupMask cgroup_members_mask; - int cgroup_inotify_wd; - -@@ -341,7 +340,6 @@ typedef struct Unit { - - bool cgroup_realized:1; - bool cgroup_members_mask_valid:1; -- bool cgroup_subtree_mask_valid:1; - - UnitCGroupBPFState cgroup_bpf_state:2; - - diff --git a/10029-core-udev-remove-old-device-on-move-event.patch b/10029-core-udev-remove-old-device-on-move-event.patch deleted file mode 100644 index 40481d4..0000000 --- a/10029-core-udev-remove-old-device-on-move-event.patch +++ /dev/null @@ -1,68 +0,0 @@ -From ec336943fad7cf191d2168a2e683a5985abb2fa8 Mon Sep 17 00:00:00 2001 -From: rpm-build -Date: Tue, 24 Sep 2024 06:37:25 +0000 -Subject: [PATCH] core, udev: remove old device on move event - -https://github.com/systemd/systemd/pull/16968/ ---- - src/core/device.c | 30 ++++++++++++++++++++++++++++++ - 1 file changed, 30 insertions(+) - -diff --git a/src/core/device.c b/src/core/device.c -index 71b7c1e..dcb47c2 100644 ---- a/src/core/device.c -+++ b/src/core/device.c -@@ -18,6 +18,9 @@ - #include "udev-util.h" - #include "unit-name.h" - #include "unit.h" -+#include "device-util.h" -+#include "sd-device.h" -+#include "libudev-device-internal.h" - - static const UnitActiveState state_translation_table[_DEVICE_STATE_MAX] = { - [DEVICE_DEAD] = UNIT_INACTIVE, -@@ -902,6 +905,29 @@ static void device_propagate_reload_by_sysfs(Manager *m, const char *sysfs) { - } - } - -+static int device_remove_old(Manager *m, sd_device *dev) { -+ _cleanup_free_ char *syspath_old = NULL, *e = NULL; -+ const char *devpath_old; -+ int r; -+ -+ r = sd_device_get_property_value(dev, "DEVPATH_OLD", &devpath_old); -+ if (r < 0) { -+ log_device_debug_errno(dev, r, "Failed to get DEVPATH_OLD= property on 'move' uevent, ignoring: %m"); -+ return 0; -+ } -+ -+ syspath_old = path_join(NULL, "/sys", devpath_old); -+ if (!syspath_old) -+ return log_oom(); -+ -+ r = unit_name_from_path(syspath_old, ".device", &e); -+ if (r < 0) -+ return log_device_error_errno(dev, r, "Failed to generate unit name from old device path: %m"); -+ -+ device_update_found_by_sysfs(m, syspath_old, 0, DEVICE_FOUND_UDEV|DEVICE_FOUND_MOUNT|DEVICE_FOUND_SWAP); -+ return 0; -+} -+ - static int device_dispatch_io(sd_event_source *source, int fd, uint32_t revents, void *userdata) { - _cleanup_(udev_device_unrefp) struct udev_device *dev = NULL; - Manager *m = userdata; -@@ -939,6 +965,10 @@ static int device_dispatch_io(sd_event_source *source, int fd, uint32_t revents, - return 0; - } - -+ if (streq(action, "move")) { -+ (void) device_remove_old(m, dev->device); -+ } -+ - if (streq(action, "change")) - device_propagate_reload_by_sysfs(m, sysfs); - --- -2.43.5 - diff --git a/20001-hwdb-parse_hwdb_dot_py.patch b/20001-hwdb-parse_hwdb_dot_py.patch deleted file mode 100644 index 71bf1c5..0000000 --- a/20001-hwdb-parse_hwdb_dot_py.patch +++ /dev/null @@ -1,299 +0,0 @@ -From: rpm-build -Date: Thu, 28 Apr 2022 01:49:39 +0000 -Subject: [PATCH] Update upstream parse_hwdb.py to fix parse-hwdb error - -This patch does not correspond to a specific commit from upstream. Instead, it -is directly taken from - -https://github.com/systemd/systemd/blob/f2c36c0e2445fa95ba109017d4b768b2fd825c43/hwdb.d/parse_hwdb.py. - -This patch allows systemd-udev to parse newer hwdb. Hwdb is updated mostly -because of new hardware. Therefore, this patch allows systemd-udev to recongnize -these new hardware. - ---- -diff -uNrp systemd-239.orig/hwdb/parse_hwdb.py systemd-239/hwdb/parse_hwdb.py ---- systemd-239.orig/hwdb/parse_hwdb.py 2022-04-28 11:32:08.740731756 +0800 -+++ systemd-239/hwdb/parse_hwdb.py 2022-04-28 11:32:08.741731786 +0800 -@@ -1,6 +1,5 @@ - #!/usr/bin/env python3 --# -*- Mode: python; coding: utf-8; indent-tabs-mode: nil -*- */ --# SPDX-License-Identifier: MIT -+# SPDX-License-Identifier: MIT - # - # This file is distributed under the MIT license, see below. - # -@@ -30,12 +29,11 @@ import sys - import os - - try: -- from pyparsing import (Word, White, Literal, ParserElement, Regex, -- LineStart, LineEnd, -+ from pyparsing import (Word, White, Literal, ParserElement, Regex, LineEnd, - OneOrMore, Combine, Or, Optional, Suppress, Group, - nums, alphanums, printables, -- stringEnd, pythonStyleComment, QuotedString, -- ParseBaseException) -+ stringEnd, pythonStyleComment, -+ ParseBaseException, __diag__) - except ImportError: - print('pyparsing is not available') - sys.exit(77) -@@ -52,33 +50,61 @@ except ImportError: - # don't do caching on old python - lru_cache = lambda: (lambda f: f) - -+__diag__.warn_multiple_tokens_in_named_alternation = True -+__diag__.warn_ungrouped_named_tokens_in_collection = True -+__diag__.warn_name_set_on_empty_Forward = True -+__diag__.warn_on_multiple_string_args_to_oneof = True -+__diag__.enable_debug_on_named_expressions = True -+ - EOL = LineEnd().suppress() - EMPTYLINE = LineEnd() - COMMENTLINE = pythonStyleComment + EOL - INTEGER = Word(nums) --STRING = QuotedString('"') - REAL = Combine((INTEGER + Optional('.' + Optional(INTEGER))) ^ ('.' + INTEGER)) - SIGNED_REAL = Combine(Optional(Word('-+')) + REAL) - UDEV_TAG = Word(string.ascii_uppercase, alphanums + '_') - -+# Those patterns are used in type-specific matches - TYPES = {'mouse': ('usb', 'bluetooth', 'ps2', '*'), - 'evdev': ('name', 'atkbd', 'input'), -+ 'fb': ('pci'), - 'id-input': ('modalias'), - 'touchpad': ('i8042', 'rmi', 'bluetooth', 'usb'), - 'joystick': ('i8042', 'rmi', 'bluetooth', 'usb'), - 'keyboard': ('name', ), - 'sensor': ('modalias', ), -+ 'ieee1394-unit-function' : ('node', ), -+ 'camera': ('usb'), - } - -+# Patterns that are used to set general properties on a device -+GENERAL_MATCHES = {'acpi', -+ 'bluetooth', -+ 'usb', -+ 'pci', -+ 'sdio', -+ 'vmbus', -+ 'OUI', -+ 'ieee1394', -+ } -+ -+def upperhex_word(length): -+ return Word(nums + 'ABCDEF', exact=length) -+ - @lru_cache() - def hwdb_grammar(): - ParserElement.setDefaultWhitespaceChars('') - - prefix = Or(category + ':' + Or(conn) + ':' - for category, conn in TYPES.items()) -- matchline = Combine(prefix + Word(printables + ' ' + '®')) + EOL -+ -+ matchline_typed = Combine(prefix + Word(printables + ' ' + '®')) -+ matchline_general = Combine(Or(GENERAL_MATCHES) + ':' + Word(printables + ' ' + '®')) -+ matchline = (matchline_typed | matchline_general) + EOL -+ - propertyline = (White(' ', exact=1).suppress() + -- Combine(UDEV_TAG - '=' - Word(alphanums + '_=:@*.!-;, "') - Optional(pythonStyleComment)) + -+ Combine(UDEV_TAG - '=' - Optional(Word(alphanums + '_=:@*.!-;, "/')) -+ - Optional(pythonStyleComment)) + - EOL) - propertycomment = White(' ', exact=1) + pythonStyleComment + EOL - -@@ -87,7 +113,7 @@ def hwdb_grammar(): - (EMPTYLINE ^ stringEnd()).suppress()) - commentgroup = OneOrMore(COMMENTLINE).suppress() - EMPTYLINE.suppress() - -- grammar = OneOrMore(group('GROUPS*') ^ commentgroup) + stringEnd() -+ grammar = OneOrMore(Group(group)('GROUPS*') ^ commentgroup) + stringEnd() - - return grammar - -@@ -95,39 +121,57 @@ def hwdb_grammar(): - def property_grammar(): - ParserElement.setDefaultWhitespaceChars(' ') - -- dpi_setting = (Optional('*')('DEFAULT') + INTEGER('DPI') + Suppress('@') + INTEGER('HZ'))('SETTINGS*') -+ dpi_setting = Group(Optional('*')('DEFAULT') + INTEGER('DPI') + Optional(Suppress('@') + INTEGER('HZ')))('SETTINGS*') - mount_matrix_row = SIGNED_REAL + ',' + SIGNED_REAL + ',' + SIGNED_REAL -- mount_matrix = (mount_matrix_row + ';' + mount_matrix_row + ';' + mount_matrix_row)('MOUNT_MATRIX') -+ mount_matrix = Group(mount_matrix_row + ';' + mount_matrix_row + ';' + mount_matrix_row)('MOUNT_MATRIX') -+ xkb_setting = Optional(Word(alphanums + '+-/@._')) -+ -+ # Although this set doesn't cover all of characters in database entries, it's enough for test targets. -+ name_literal = Word(printables + ' ') - - props = (('MOUSE_DPI', Group(OneOrMore(dpi_setting))), - ('MOUSE_WHEEL_CLICK_ANGLE', INTEGER), - ('MOUSE_WHEEL_CLICK_ANGLE_HORIZONTAL', INTEGER), - ('MOUSE_WHEEL_CLICK_COUNT', INTEGER), - ('MOUSE_WHEEL_CLICK_COUNT_HORIZONTAL', INTEGER), -- ('ID_INPUT', Literal('1')), -- ('ID_INPUT_ACCELEROMETER', Literal('1')), -- ('ID_INPUT_JOYSTICK', Literal('1')), -- ('ID_INPUT_KEY', Literal('1')), -- ('ID_INPUT_KEYBOARD', Literal('1')), -- ('ID_INPUT_MOUSE', Literal('1')), -- ('ID_INPUT_POINTINGSTICK', Literal('1')), -- ('ID_INPUT_SWITCH', Literal('1')), -- ('ID_INPUT_TABLET', Literal('1')), -- ('ID_INPUT_TABLET_PAD', Literal('1')), -- ('ID_INPUT_TOUCHPAD', Literal('1')), -- ('ID_INPUT_TOUCHSCREEN', Literal('1')), -- ('ID_INPUT_TRACKBALL', Literal('1')), -- ('MOUSE_WHEEL_TILT_HORIZONTAL', Literal('1')), -- ('MOUSE_WHEEL_TILT_VERTICAL', Literal('1')), -+ ('ID_AUTOSUSPEND', Or((Literal('0'), Literal('1')))), -+ ('ID_AV_PRODUCTION_CONTROLLER', Or((Literal('0'), Literal('1')))), -+ ('ID_PERSIST', Or((Literal('0'), Literal('1')))), -+ ('ID_PDA', Or((Literal('0'), Literal('1')))), -+ ('ID_INPUT', Or((Literal('0'), Literal('1')))), -+ ('ID_INPUT_ACCELEROMETER', Or((Literal('0'), Literal('1')))), -+ ('ID_INPUT_JOYSTICK', Or((Literal('0'), Literal('1')))), -+ ('ID_INPUT_KEY', Or((Literal('0'), Literal('1')))), -+ ('ID_INPUT_KEYBOARD', Or((Literal('0'), Literal('1')))), -+ ('ID_INPUT_MOUSE', Or((Literal('0'), Literal('1')))), -+ ('ID_INPUT_POINTINGSTICK', Or((Literal('0'), Literal('1')))), -+ ('ID_INPUT_SWITCH', Or((Literal('0'), Literal('1')))), -+ ('ID_INPUT_TABLET', Or((Literal('0'), Literal('1')))), -+ ('ID_INPUT_TABLET_PAD', Or((Literal('0'), Literal('1')))), -+ ('ID_INPUT_TOUCHPAD', Or((Literal('0'), Literal('1')))), -+ ('ID_INPUT_TOUCHSCREEN', Or((Literal('0'), Literal('1')))), -+ ('ID_INPUT_TRACKBALL', Or((Literal('0'), Literal('1')))), -+ ('ID_SIGNAL_ANALYZER', Or((Literal('0'), Literal('1')))), - ('POINTINGSTICK_SENSITIVITY', INTEGER), - ('POINTINGSTICK_CONST_ACCEL', REAL), - ('ID_INPUT_JOYSTICK_INTEGRATION', Or(('internal', 'external'))), - ('ID_INPUT_TOUCHPAD_INTEGRATION', Or(('internal', 'external'))), -- ('XKB_FIXED_LAYOUT', STRING), -- ('XKB_FIXED_VARIANT', STRING), -+ ('XKB_FIXED_LAYOUT', xkb_setting), -+ ('XKB_FIXED_VARIANT', xkb_setting), -+ ('XKB_FIXED_MODEL', xkb_setting), - ('KEYBOARD_LED_NUMLOCK', Literal('0')), - ('KEYBOARD_LED_CAPSLOCK', Literal('0')), - ('ACCEL_MOUNT_MATRIX', mount_matrix), -+ ('ACCEL_LOCATION', Or(('display', 'base'))), -+ ('PROXIMITY_NEAR_LEVEL', INTEGER), -+ ('IEEE1394_UNIT_FUNCTION_MIDI', Or((Literal('0'), Literal('1')))), -+ ('IEEE1394_UNIT_FUNCTION_AUDIO', Or((Literal('0'), Literal('1')))), -+ ('IEEE1394_UNIT_FUNCTION_VIDEO', Or((Literal('0'), Literal('1')))), -+ ('ID_VENDOR_FROM_DATABASE', name_literal), -+ ('ID_MODEL_FROM_DATABASE', name_literal), -+ ('ID_TAG_MASTER_OF_SEAT', Literal('1')), -+ ('ID_INFRARED_CAMERA', Or((Literal('0'), Literal('1')))), -+ ('ID_CAMERA_DIRECTION', Or(('front', 'rear'))), - ) - fixed_props = [Literal(name)('NAME') - Suppress('=') - val('VALUE') - for name, val in props] -@@ -165,8 +209,29 @@ def parse(fname): - return [] - return [convert_properties(g) for g in parsed.GROUPS] - --def check_match_uniqueness(groups): -+def check_matches(groups): - matches = sum((group[0] for group in groups), []) -+ -+ # This is a partial check. The other cases could be also done, but those -+ # two are most commonly wrong. -+ grammars = { 'usb' : 'v' + upperhex_word(4) + Optional('p' + upperhex_word(4) + Optional(':')) + '*', -+ 'pci' : 'v' + upperhex_word(8) + Optional('d' + upperhex_word(8) + Optional(':')) + '*', -+ } -+ -+ for match in matches: -+ prefix, rest = match.split(':', maxsplit=1) -+ gr = grammars.get(prefix) -+ if gr: -+ # we check this first to provide an easy error message -+ if rest[-1] not in '*:': -+ error('pattern {} does not end with "*" or ":"', match) -+ -+ try: -+ gr.parseString(rest) -+ except ParseBaseException as e: -+ error('Pattern {!r} is invalid: {}', rest, e) -+ continue -+ - matches.sort() - prev = None - for match in matches: -@@ -196,15 +261,25 @@ def check_one_mount_matrix(prop, value): - def check_one_keycode(prop, value): - if value != '!' and ecodes is not None: - key = 'KEY_' + value.upper() -- if key not in ecodes: -- key = value.upper() -- if key not in ecodes: -- error('Keycode {} unknown', key) -+ if not (key in ecodes or -+ value.upper() in ecodes or -+ # new keys added in kernel 5.5 -+ 'KBD_LCD_MENU' in key): -+ error('Keycode {} unknown', key) -+ -+def check_wheel_clicks(properties): -+ pairs = (('MOUSE_WHEEL_CLICK_COUNT_HORIZONTAL', 'MOUSE_WHEEL_CLICK_COUNT'), -+ ('MOUSE_WHEEL_CLICK_ANGLE_HORIZONTAL', 'MOUSE_WHEEL_CLICK_ANGLE'), -+ ('MOUSE_WHEEL_CLICK_COUNT_HORIZONTAL', 'MOUSE_WHEEL_CLICK_ANGLE_HORIZONTAL'), -+ ('MOUSE_WHEEL_CLICK_COUNT', 'MOUSE_WHEEL_CLICK_ANGLE')) -+ for pair in pairs: -+ if pair[0] in properties and pair[1] not in properties: -+ error('{} requires {} to be specified', *pair) - - def check_properties(groups): - grammar = property_grammar() - for matches, props in groups: -- prop_names = set() -+ seen_props = {} - for prop in props: - # print('--', prop) - prop = prop.partition('#')[0].rstrip() -@@ -214,30 +289,35 @@ def check_properties(groups): - error('Failed to parse: {!r}', prop) - continue - # print('{!r}'.format(parsed)) -- if parsed.NAME in prop_names: -+ if parsed.NAME in seen_props: - error('Property {} is duplicated', parsed.NAME) -- prop_names.add(parsed.NAME) -+ seen_props[parsed.NAME] = parsed.VALUE - if parsed.NAME == 'MOUSE_DPI': - check_one_default(prop, parsed.VALUE.SETTINGS) - elif parsed.NAME == 'ACCEL_MOUNT_MATRIX': - check_one_mount_matrix(prop, parsed.VALUE) - elif parsed.NAME.startswith('KEYBOARD_KEY_'): -- check_one_keycode(prop, parsed.VALUE) -+ val = parsed.VALUE if isinstance(parsed.VALUE, str) else parsed.VALUE[0] -+ check_one_keycode(prop, val) -+ -+ check_wheel_clicks(seen_props) - - def print_summary(fname, groups): -+ n_matches = sum(len(matches) for matches, props in groups) -+ n_props = sum(len(props) for matches, props in groups) - print('{}: {} match groups, {} matches, {} properties' -- .format(fname, -- len(groups), -- sum(len(matches) for matches, props in groups), -- sum(len(props) for matches, props in groups))) -+ .format(fname, len(groups), n_matches, n_props)) -+ -+ if n_matches == 0 or n_props == 0: -+ error('{}: no matches or props'.format(fname)) - - if __name__ == '__main__': -- args = sys.argv[1:] or glob.glob(os.path.dirname(sys.argv[0]) + '/[67]0-*.hwdb') -+ args = sys.argv[1:] or sorted(glob.glob(os.path.dirname(sys.argv[0]) + '/[678][0-9]-*.hwdb')) - - for fname in args: - groups = parse(fname) - print_summary(fname, groups) -- check_match_uniqueness(groups) -+ check_matches(groups) - check_properties(groups) - - sys.exit(ERROR) diff --git a/20002-cgroup-do-not-refresh-cgroup-devices-config-when-dae.patch b/20002-cgroup-do-not-refresh-cgroup-devices-config-when-dae.patch deleted file mode 100644 index 7d81489..0000000 --- a/20002-cgroup-do-not-refresh-cgroup-devices-config-when-dae.patch +++ /dev/null @@ -1,26 +0,0 @@ -From 62f8dac80e5f908f83b6e7cd06629055184c25d7 Mon Sep 17 00:00:00 2001 -From: Forrestly -Date: Thu, 23 Mar 2023 10:08:33 +0800 -Subject: [PATCH] cgroup: do not refresh cgroup devices config when - daemon-reload(#42937798) - -Signed-off-by: Forrestly ---- - src/core/cgroup.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/src/core/cgroup.c b/src/core/cgroup.c -index 50d2738..ea92aa6 100644 ---- a/src/core/cgroup.c -+++ b/src/core/cgroup.c -@@ -1920,6 +1920,7 @@ static int unit_realize_cgroup_now(Unit *u, ManagerState state) { - enable_mask = unit_get_enable_mask(u); - needs_bpf = unit_get_needs_bpf(u); - -+ target_mask &= ~CGROUP_MASK_DEVICES; - if (unit_has_mask_realized(u, target_mask, enable_mask, needs_bpf)) - return 0; - --- -2.34.1 - diff --git a/20003-core-introduce-cgroup-full-delegation-for-compabilit.patch b/20003-core-introduce-cgroup-full-delegation-for-compabilit.patch deleted file mode 100644 index a09eaa2..0000000 --- a/20003-core-introduce-cgroup-full-delegation-for-compabilit.patch +++ /dev/null @@ -1,125 +0,0 @@ -From ce2e0936e03f6cef91a326186978643b93403052 Mon Sep 17 00:00:00 2001 -From: "zhongling.h" -Date: Fri, 4 Aug 2023 10:08:16 +0800 -Subject: [PATCH] core: introduce cgroup full delegation for compability - -While using systemd-219, users can set 'delegate=y' to claim the -possession of cgroup settings. By then, users are able to write raw -values under /sys/fs/cgroup to adjust cgroup settings and systemd -won't touch these values any longer. - -However, this is likely to be an undefined behaviour for systemd-219. -Upon releasing systemd-239, a documentation of cgroup delegation was -added, -https://github.com/systemd/systemd/commit/e30eaff3a32523b09d61af67fc999f1f62f4e0cb. -It states that: - -Only sub-trees can be delegated (though whoever decides to request a -sub-tree can delegate sub-sub-trees further to somebody else if they -like it).' - -Which is quite different from what people understand the delegation of -systemd-219. Currently, whether a unit is delegated or not, systemd always -possesses any cgroup it created, only ignoring the sub-tree ones -according to delegation settings. - -This behaviour change causes confusion if users switch from systemd-219 to -systemd-239. As a result, we introduce 'FullDelegation', a feature that -brings what users are already familiar with to systemd-239. If users set -'FullDelegation=yes' in /etc/systemd/system.conf, they can control raw -values under /sys/fs/cgroup without worrying systemd touching these -values, which is the same as what they expected with systemd-219. - -diff --git a/src/core/cgroup.c b/src/core/cgroup.c -index 8e474f6..461f9df 100644 ---- a/src/core/cgroup.c -+++ b/src/core/cgroup.c -@@ -1692,6 +1692,15 @@ static int unit_create_cgroup( - /* Keep track that this is now realized */ - u->cgroup_realized = true; - u->cgroup_realized_mask = target_mask; -+ -+ // While realizing cgroup, we don't realize delegated cgroup, therefore, target_mask -+ // doesn't contain delegated cgroup controller bit, and u->cgroup_realized_mask will -+ // not contain delegated cgroup controller bit as well. This unit will be in a state -+ // as if delegated cgroup is not set, which is not expected. -+ // If this is not present, delegated cgroup will be set every 2 systemctl daemon-reload -+ if (u->manager->full_delegation && unit_cgroup_delegate(u)) -+ u->cgroup_realized_mask |= unit_get_delegate_mask(u); -+ - u->cgroup_enabled_mask = enable_mask; - u->cgroup_bpf_state = needs_bpf ? UNIT_CGROUP_BPF_ON : UNIT_CGROUP_BPF_OFF; - -@@ -1920,6 +1929,9 @@ static int unit_realize_cgroup_now(Unit *u, ManagerState state) { - enable_mask = unit_get_enable_mask(u); - needs_bpf = unit_get_needs_bpf(u); - -+ if (u->manager->full_delegation && unit_cgroup_delegate(u)) -+ target_mask ^= u->cgroup_realized_mask; -+ - if (unit_has_mask_realized(u, target_mask, enable_mask, needs_bpf)) - return 0; - -@@ -2882,6 +2894,9 @@ int unit_reset_ip_accounting(Unit *u) { - void unit_invalidate_cgroup(Unit *u, CGroupMask m) { - assert(u); - -+ if (u->manager->full_delegation) -+ m ^= unit_get_delegate_mask(u); // don't invalidate delegated cgroup -+ - if (!UNIT_HAS_CGROUP_CONTEXT(u)) - return; - -diff --git a/src/core/main.c b/src/core/main.c -index 546bf0d..68daf07 100644 ---- a/src/core/main.c -+++ b/src/core/main.c -@@ -142,6 +142,7 @@ static bool reexec_jmp_can = false; - static bool reexec_jmp_inited = false; - static sigjmp_buf reexec_jmp_buf; - static bool arg_default_cpuset_clone_children = false; -+static bool arg_full_delegation = false; - - static int parse_configuration(const struct rlimit *saved_rlimit_nofile, - const struct rlimit *saved_rlimit_memlock); -@@ -768,6 +769,8 @@ static int parse_config_file(void) { - { "Manager", "DefaultTasksMax", config_parse_tasks_max, 0, &arg_default_tasks_max }, - { "Manager", "CtrlAltDelBurstAction", config_parse_emergency_action, 0, &arg_cad_burst_action }, - { "Manager", "DefaultCPUSetCloneChildren",config_parse_bool, 0, &arg_default_cpuset_clone_children }, -+ { "Manager", "FullDelegation", config_parse_bool, 0, &arg_full_delegation }, -+ - {} - }; - -@@ -817,6 +820,7 @@ static void set_manager_defaults(Manager *m) { - m->default_memory_accounting = arg_default_memory_accounting; - m->default_tasks_accounting = arg_default_tasks_accounting; - m->default_tasks_max = arg_default_tasks_max; -+ m->full_delegation = arg_full_delegation; - - manager_set_default_rlimits(m, arg_default_rlimit); - manager_environment_add(m, NULL, arg_default_environment); -diff --git a/src/core/manager.h b/src/core/manager.h -index 98d381b..91f2c05 100644 ---- a/src/core/manager.h -+++ b/src/core/manager.h -@@ -297,6 +297,7 @@ struct Manager { - bool default_blockio_accounting; - bool default_tasks_accounting; - bool default_ip_accounting; -+ bool full_delegation; - - uint64_t default_tasks_max; - usec_t default_timer_accuracy_usec; -diff --git a/src/core/system.conf.in b/src/core/system.conf.in -index 2f6852a..6c84a55 100644 ---- a/src/core/system.conf.in -+++ b/src/core/system.conf.in -@@ -67,3 +67,4 @@ DefaultLimitCORE=0:infinity - #DefaultLimitRTTIME= - #IPAddressAllow= - #IPAddressDeny= -+#FullDelegation=no --- -2.39.3 - diff --git a/20004-Update-vendor-ids-for-ieisystem-0750.patch b/20004-Update-vendor-ids-for-ieisystem-0750.patch deleted file mode 100644 index ca0b4c2..0000000 --- a/20004-Update-vendor-ids-for-ieisystem-0750.patch +++ /dev/null @@ -1,27 +0,0 @@ -From 2afcc209fb4677581294421f20bb0d057238539e Mon Sep 17 00:00:00 2001 -From: wangkaiyuan -Date: Wed, 31 Jan 2024 19:30:33 +0800 -Subject: [PATCH] Update vendor ids for ieisystem 0750 - -Signed-off-by: wangkaiyuan ---- - hwdb/20-pci-vendor-model.hwdb | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/hwdb/20-pci-vendor-model.hwdb b/hwdb/20-pci-vendor-model.hwdb -index cdbd8ff..4b666e8 100644 ---- a/hwdb/20-pci-vendor-model.hwdb -+++ b/hwdb/20-pci-vendor-model.hwdb -@@ -69122,6 +69122,9 @@ pci:v00001BD0d00001203* - pci:v00001BD4* - ID_VENDOR_FROM_DATABASE=Inspur Electronic Information Industry Co., Ltd. - -+pci:v00001BD4d00000750* -+ ID_MODEL_FROM_DATABASE=YHGCH ZX1000 -+ - pci:v00001BD4d00000911* - ID_MODEL_FROM_DATABASE=Arria10_PCIe_F10A1150 - --- -2.31.1 - diff --git a/20005-default-enable-full-delegation-on-device-cgroup.patch b/20005-default-enable-full-delegation-on-device-cgroup.patch deleted file mode 100644 index bf11aa5..0000000 --- a/20005-default-enable-full-delegation-on-device-cgroup.patch +++ /dev/null @@ -1,98 +0,0 @@ -From 0c54a1eda08dc8a1c40274c1f90e5e809e054706 Mon Sep 17 00:00:00 2001 -From: rpm-build -Date: Tue, 19 Mar 2024 15:53:21 +0800 -Subject: [PATCH] default enable full delegation on device cgroup - ---- - src/core/cgroup.c | 9 +++++++++ - src/core/main.c | 3 +++ - src/core/manager.h | 1 + - src/core/system.conf.in | 1 + - 4 files changed, 14 insertions(+) - -diff --git a/src/core/cgroup.c b/src/core/cgroup.c -index 461f9df..bc677d8 100644 ---- a/src/core/cgroup.c -+++ b/src/core/cgroup.c -@@ -1701,6 +1701,9 @@ static int unit_create_cgroup( - if (u->manager->full_delegation && unit_cgroup_delegate(u)) - u->cgroup_realized_mask |= unit_get_delegate_mask(u); - -+ if (u->manager->full_delegation_devicecg && unit_cgroup_delegate(u)) -+ u->cgroup_realized_mask |= (unit_get_delegate_mask(u) & CGROUP_MASK_DEVICES); -+ - u->cgroup_enabled_mask = enable_mask; - u->cgroup_bpf_state = needs_bpf ? UNIT_CGROUP_BPF_ON : UNIT_CGROUP_BPF_OFF; - -@@ -1932,6 +1935,9 @@ static int unit_realize_cgroup_now(Unit *u, ManagerState state) { - if (u->manager->full_delegation && unit_cgroup_delegate(u)) - target_mask ^= u->cgroup_realized_mask; - -+ if (u->manager->full_delegation_devicecg && unit_cgroup_delegate(u)) -+ target_mask ^= (u->cgroup_realized_mask & CGROUP_MASK_DEVICES); -+ - if (unit_has_mask_realized(u, target_mask, enable_mask, needs_bpf)) - return 0; - -@@ -2897,6 +2903,9 @@ void unit_invalidate_cgroup(Unit *u, CGroupMask m) { - if (u->manager->full_delegation) - m ^= unit_get_delegate_mask(u); // don't invalidate delegated cgroup - -+ if (u->manager->full_delegation_devicecg) -+ m ^= (unit_get_delegate_mask(u) & CGROUP_MASK_DEVICES); // don't invalidate device cgroup if delegate=yes -+ - if (!UNIT_HAS_CGROUP_CONTEXT(u)) - return; - -diff --git a/src/core/main.c b/src/core/main.c -index 68daf07..e27f0a5 100644 ---- a/src/core/main.c -+++ b/src/core/main.c -@@ -143,6 +143,7 @@ static bool reexec_jmp_inited = false; - static sigjmp_buf reexec_jmp_buf; - static bool arg_default_cpuset_clone_children = false; - static bool arg_full_delegation = false; -+static bool arg_full_delegation_devicecg = true; - - static int parse_configuration(const struct rlimit *saved_rlimit_nofile, - const struct rlimit *saved_rlimit_memlock); -@@ -770,6 +771,7 @@ static int parse_config_file(void) { - { "Manager", "CtrlAltDelBurstAction", config_parse_emergency_action, 0, &arg_cad_burst_action }, - { "Manager", "DefaultCPUSetCloneChildren",config_parse_bool, 0, &arg_default_cpuset_clone_children }, - { "Manager", "FullDelegation", config_parse_bool, 0, &arg_full_delegation }, -+ { "Manager", "FullDelegationDeviceCGroup",config_parse_bool, 0, &arg_full_delegation_devicecg }, - - {} - }; -@@ -821,6 +823,7 @@ static void set_manager_defaults(Manager *m) { - m->default_tasks_accounting = arg_default_tasks_accounting; - m->default_tasks_max = arg_default_tasks_max; - m->full_delegation = arg_full_delegation; -+ m->full_delegation_devicecg = arg_full_delegation_devicecg; - - manager_set_default_rlimits(m, arg_default_rlimit); - manager_environment_add(m, NULL, arg_default_environment); -diff --git a/src/core/manager.h b/src/core/manager.h -index 91f2c05..8017d9a 100644 ---- a/src/core/manager.h -+++ b/src/core/manager.h -@@ -298,6 +298,7 @@ struct Manager { - bool default_tasks_accounting; - bool default_ip_accounting; - bool full_delegation; -+ bool full_delegation_devicecg; - - uint64_t default_tasks_max; - usec_t default_timer_accuracy_usec; -diff --git a/src/core/system.conf.in b/src/core/system.conf.in -index 6c84a55..3f9ef7f 100644 ---- a/src/core/system.conf.in -+++ b/src/core/system.conf.in -@@ -68,3 +68,4 @@ DefaultLimitCORE=0:infinity - #IPAddressAllow= - #IPAddressDeny= - #FullDelegation=no -+#FullDelegationDeviceCGroup=yes --- -2.39.3 - diff --git a/20006-systemd-Add-sw64.patch b/20006-systemd-Add-sw64.patch deleted file mode 100644 index f62efc2..0000000 --- a/20006-systemd-Add-sw64.patch +++ /dev/null @@ -1,85 +0,0 @@ -From 6cdb604db829800ec1803d61533bd1947c841911 Mon Sep 17 00:00:00 2001 -From: Weisson -Date: Thu, 26 Sep 2024 13:54:58 +0800 -Subject: [PATCH] Add sw64 architecture. - -Signed-off-by: Weisson ---- - src/basic/architecture.c | 3 +++ - src/basic/architecture.h | 4 ++++ - src/basic/missing.h | 2 +- - src/basic/missing_syscall.h | 2 ++ - 4 files changed, 10 insertions(+), 1 deletion(-) - -diff --git a/src/basic/architecture.c b/src/basic/architecture.c -index 96bbf97..72b98a3 100644 ---- a/src/basic/architecture.c -+++ b/src/basic/architecture.c -@@ -120,6 +120,8 @@ int uname_architecture(void) { - { "arceb", ARCHITECTURE_ARC_BE }, - #elif defined(__loongarch64) - { "loongarch64", ARCHITECTURE_LOONGARCH64 }, -+#elif defined(__sw_64__) -+ { "sw_64" , ARCHITECTURE_SW_64 }, - #else - #error "Please register your architecture here!" - #endif -@@ -176,6 +178,7 @@ static const char *const architecture_table[_ARCHITECTURE_MAX] = { - [ARCHITECTURE_ARC] = "arc", - [ARCHITECTURE_ARC_BE] = "arc-be", - [ARCHITECTURE_LOONGARCH64] = "loongarch64", -+ [ARCHITECTURE_SW_64] = "sw_64", - }; - - DEFINE_STRING_TABLE_LOOKUP(architecture, int); -diff --git a/src/basic/architecture.h b/src/basic/architecture.h -index 22e9108..c317c75 100644 ---- a/src/basic/architecture.h -+++ b/src/basic/architecture.h -@@ -45,6 +45,7 @@ enum { - ARCHITECTURE_ARC, - ARCHITECTURE_ARC_BE, - ARCHITECTURE_LOONGARCH64, -+ ARCHITECTURE_SW_64, - _ARCHITECTURE_MAX, - _ARCHITECTURE_INVALID = -1 - }; -@@ -233,6 +234,9 @@ int uname_architecture(void); - #elif defined(__loongarch64) - # define native_architecture() ARCHITECTURE_LOONGARCH64 - # define LIB_ARCH_TUPLE "loongarch64-linux-gnu" -+#elif defined(__sw_64__) -+# define native_architecture() ARCHITECTURE_SW_64 -+# define LIB_ARCH_TUPLE "sw_64-linux-gnu" - #else - # error "Please register your architecture here!" - #endif -diff --git a/src/basic/missing.h b/src/basic/missing.h -index b937661..c2913b5 100644 ---- a/src/basic/missing.h -+++ b/src/basic/missing.h -@@ -646,7 +646,7 @@ struct input_mask { - */ - - #ifndef __O_TMPFILE --#if defined(__alpha__) -+#if defined(__alpha__) || defined(__sw_64__) - #define __O_TMPFILE 0100000000 - #elif defined(__parisc__) || defined(__hppa__) - #define __O_TMPFILE 0400000000 -diff --git a/src/basic/missing_syscall.h b/src/basic/missing_syscall.h -index 014dd2b..51a54b2 100644 ---- a/src/basic/missing_syscall.h -+++ b/src/basic/missing_syscall.h -@@ -405,6 +405,8 @@ static inline int missing_bpf(int cmd, union bpf_attr *attr, size_t size) { - # define __NR_statx 360 - # elif defined __x86_64__ - # define __NR_statx 332 -+# elif defined __sw_64__ -+# define __NR_statx 518 - # else - # warning "__NR_statx not defined for your architecture" - # endif --- -2.39.3 - diff --git a/20007-add-seccomp-support-for-sw_64.patch b/20007-add-seccomp-support-for-sw_64.patch deleted file mode 100644 index f3cda33..0000000 --- a/20007-add-seccomp-support-for-sw_64.patch +++ /dev/null @@ -1,96 +0,0 @@ -From a8b1f7bfc0190af52e863ddc821701d32e6c3c97 Mon Sep 17 00:00:00 2001 -From: Weisson -Date: Sun, 7 Apr 2024 15:45:26 +0800 -Subject: [PATCH 1/1] add seccomp support for sw_64. - -Signed-off-by: Weisson ---- - src/shared/seccomp-util.c | 16 ++++++++++++---- - 1 file changed, 12 insertions(+), 4 deletions(-) - -diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c -index 8b0d366..2cedca5 100644 ---- a/src/shared/seccomp-util.c -+++ b/src/shared/seccomp-util.c -@@ -44,6 +44,8 @@ const uint32_t seccomp_local_archs[] = { - SCMP_ARCH_ARM, - #elif defined(__loongarch__) - SCMP_ARCH_LOONGARCH64, -+#elif defined(__sw_64__) -+ SCMP_ARCH_SW_64, - #elif defined(__mips__) && __BYTE_ORDER == __BIG_ENDIAN && _MIPS_SIM == _MIPS_SIM_ABI32 - SCMP_ARCH_MIPSEL, - SCMP_ARCH_MIPS, /* native */ -@@ -114,6 +116,8 @@ const char* seccomp_arch_to_string(uint32_t c) { - return "x32"; - case SCMP_ARCH_ARM: - return "arm"; -+ case SCMP_ARCH_SW_64: -+ return "sw_64"; - case SCMP_ARCH_AARCH64: - return "arm64"; - case SCMP_ARCH_LOONGARCH64: -@@ -163,6 +167,8 @@ int seccomp_arch_from_string(const char *n, uint32_t *ret) { - *ret = SCMP_ARCH_ARM; - else if (streq(n, "arm64")) - *ret = SCMP_ARCH_AARCH64; -+ else if (streq(n, "sw_64")) -+ *ret = SCMP_ARCH_SW_64; - else if (streq(n, "loongarch64")) - *ret = SCMP_ARCH_LOONGARCH64; - else if (streq(n, "mips")) -@@ -1246,7 +1252,7 @@ int seccomp_protect_sysctl(void) { - - log_debug("Operating on architecture: %s", seccomp_arch_to_string(arch)); - -- if (IN_SET(arch, SCMP_ARCH_X32, SCMP_ARCH_AARCH64, SCMP_ARCH_LOONGARCH64)) -+ if (IN_SET(arch, SCMP_ARCH_X32, SCMP_ARCH_AARCH64, SCMP_ARCH_LOONGARCH64, SCMP_ARCH_SW_64)) - /* No _sysctl syscall */ - continue; - -@@ -1291,6 +1297,7 @@ int seccomp_restrict_address_families(Set *address_families, bool whitelist) { - case SCMP_ARCH_X32: - case SCMP_ARCH_ARM: - case SCMP_ARCH_AARCH64: -+ case SCMP_ARCH_SW_64: - case SCMP_ARCH_LOONGARCH64: - case SCMP_ARCH_MIPSEL64N32: - case SCMP_ARCH_MIPS64N32: -@@ -1536,7 +1543,7 @@ static int add_seccomp_syscall_filter(scmp_filter_ctx seccomp, - } - - /* For known architectures, check that syscalls are indeed defined or not. */ --#if defined(__x86_64__) || defined(__arm__) || defined(__aarch64__) || defined(__loongarch__) -+#if defined(__x86_64__) || defined(__arm__) || defined(__aarch64__) || defined(__loongarch__) || defined(__sw_64__) - assert_cc(SCMP_SYS(shmget) > 0); - assert_cc(SCMP_SYS(shmat) > 0); - assert_cc(SCMP_SYS(shmdt) > 0); -@@ -1583,6 +1590,7 @@ int seccomp_memory_deny_write_execute(void) { - case SCMP_ARCH_X86_64: - case SCMP_ARCH_X32: - case SCMP_ARCH_AARCH64: -+ case SCMP_ARCH_SW_64: - case SCMP_ARCH_LOONGARCH64: - filter_syscall = SCMP_SYS(mmap); /* amd64, x32, and arm64 have only mmap */ - shmat_syscall = SCMP_SYS(shmat); -@@ -1590,7 +1598,7 @@ int seccomp_memory_deny_write_execute(void) { - - /* Please add more definitions here, if you port systemd to other architectures! */ - --#if !defined(__i386__) && !defined(__x86_64__) && !defined(__powerpc__) && !defined(__powerpc64__) && !defined(__arm__) && !defined(__aarch64__) && !defined(__loongarch__) -+#if !defined(__i386__) && !defined(__x86_64__) && !defined(__powerpc__) && !defined(__powerpc64__) && !defined(__arm__) && !defined(__aarch64__) && !defined(__loongarch__) && !defined(__sw_64__) - #warning "Consider adding the right mmap() syscall definitions here!" - #endif - } -@@ -1614,7 +1622,7 @@ int seccomp_memory_deny_write_execute(void) { - if (r < 0) - continue; - } -- if (!IN_SET(arch, SCMP_ARCH_LOONGARCH64)){ -+ if (!IN_SET(arch, SCMP_ARCH_LOONGARCH64, SCMP_ARCH_SW_64)){ - r = add_seccomp_syscall_filter(seccomp, arch, SCMP_SYS(mprotect), - 1, - SCMP_A2(SCMP_CMP_MASKED_EQ, PROT_EXEC, PROT_EXEC)); --- -2.31.1 - diff --git a/20008-Fix-unit-test-test-seccomp-support-on-sw_64.patch b/20008-Fix-unit-test-test-seccomp-support-on-sw_64.patch deleted file mode 100644 index ac70671..0000000 --- a/20008-Fix-unit-test-test-seccomp-support-on-sw_64.patch +++ /dev/null @@ -1,43 +0,0 @@ -From 573700e701553081bd2bdb9081da0a1215f5ed97 Mon Sep 17 00:00:00 2001 -From: Weisson -Date: Sun, 7 Apr 2024 17:13:11 +0800 -Subject: [PATCH] Fix unit-test: test-seccomp support on sw_64. - -Signed-off-by: Weisson ---- - src/test/test-seccomp.c | 5 +++-- - 1 file changed, 3 insertions(+), 2 deletions(-) - -diff --git a/src/test/test-seccomp.c b/src/test/test-seccomp.c -index 286f01b..c04eb66 100644 ---- a/src/test/test-seccomp.c -+++ b/src/test/test-seccomp.c -@@ -55,6 +55,7 @@ static void test_architecture_table(void) { - "x32\0" - "arm\0" - "arm64\0" -+ "sw_64\0" - "mips\0" - "mips64\0" - "mips64-n32\0" -@@ -403,7 +404,7 @@ static void test_memory_deny_write_execute_mmap(void) { - assert_se(seccomp_memory_deny_write_execute() >= 0); - - p = mmap(NULL, page_size(), PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANONYMOUS, -1,0); --#if defined(__x86_64__) || defined(__i386__) || defined(__powerpc64__) || defined(__arm__) || defined(__aarch64__) -+#if defined(__x86_64__) || defined(__i386__) || defined(__powerpc64__) || defined(__arm__) || defined(__aarch64__) || defined(__sw_64__) - assert_se(p == MAP_FAILED); - assert_se(errno == EPERM); - #else /* unknown architectures */ -@@ -450,7 +451,7 @@ static void test_memory_deny_write_execute_shmat(void) { - assert_se(seccomp_memory_deny_write_execute() >= 0); - - p = shmat(shmid, NULL, SHM_EXEC); --#if defined(__x86_64__) || defined(__arm__) || defined(__aarch64__) -+#if defined(__x86_64__) || defined(__arm__) || defined(__aarch64__) || defined(__sw_64__) - assert_se(p == MAP_FAILED); - assert_se(errno == EPERM); - #else /* __i386__, __powerpc64__, and "unknown" architectures */ --- -2.31.1 - diff --git a/20009-core-introduce-cgroup-FullDelegation-FullDelegationD.patch b/20009-core-introduce-cgroup-FullDelegation-FullDelegationD.patch deleted file mode 100644 index bcd28b5..0000000 --- a/20009-core-introduce-cgroup-FullDelegation-FullDelegationD.patch +++ /dev/null @@ -1,163 +0,0 @@ -From f4fc78bb9b250e7e8f5197aa15055239276ec3cd Mon Sep 17 00:00:00 2001 -From: rpm-build -Date: Wed, 10 Jul 2024 17:46:57 +0800 -Subject: [PATCH] core: introduce cgroup FullDelegation, - FullDelegationDeviceCGroup for compability - -Whille using systemd-219, users can set 'delegate=y' to claim the -possession of cgroup settings. By then, users are able to write raw -values under /sys/fs/cgroup to adjust cgroup settings and systemd -won't touch these values any longer. - -However, this is likely to be an undefined behaviour for systemd-219. -Upon releasing systemd-239, a documentation of cgroup delegation was -added, -https://github.com/systemd/systemd/commit/e30eaff3a32523b09d61af67fc999f1f62f4e0cb. -It states that: - -Only sub-trees can be delegated (though whoever decides to request a -sub-tree can delegate sub-sub-trees further to somebody else if they -like it).' - -Which is quite different from what people understand the delegation of -systemd-219. Currently, whether a unit is delegated or not, systemd always -possesses any cgroup it created, only ignoring the sub-tree ones -according to delegation settings. - -This behaviour change causes confusion if users switch from systemd-219 to -systemd-239. As a result, we introduce 'FullDelegation', a feature that -brings what users are already familiar with to systemd-239. If users set -'FullDelegation=yes' in /etc/systemd/system.conf, they can control raw -values under /sys/fs/cgroup without worrying systemd touching these -values, which is the same as what they expected with systemd-219. - -The 'FullDelegation' option should not be enabled by default, as it alters the -default behavior that users are accustomed to or will become familiar with. -However, without enabling this option, GPU containers will not function -correctly. To address this issue, we have introduced -'FullDelegationDeviceCGroup', which replicates the behavior of systemd-219 -specifically for device cgroups. This option is enabled by default. - -During the use of earlier versions of systemd, we encountered bug reports -indicating that when 'FullDelegation' is enabled, subcgroups are removed by -systemd. This issue arises due to a flaw in our modification of the -`unit_realize_cgroup_now` function. We overlooked the fact that, in addition to -creating cgroups, the unit_create_cgroup function also deletes subcgroups based -on unset bits in the `target_mask`. To resolve this, we have adjusted the -procedure by moving the reduction of the `target_mask` to occur after the -execution of `unit_create_cgroup`, thereby preventing the unintended deletion of -subcgroups. ---- - src/core/cgroup.c | 24 ++++++++++++++++++++++++ - src/core/main.c | 7 +++++++ - src/core/manager.h | 2 ++ - src/core/system.conf.in | 2 ++ - 4 files changed, 35 insertions(+) - -diff --git a/src/core/cgroup.c b/src/core/cgroup.c -index 8e474f6..6a5606f 100644 ---- a/src/core/cgroup.c -+++ b/src/core/cgroup.c -@@ -1692,6 +1692,18 @@ static int unit_create_cgroup( - /* Keep track that this is now realized */ - u->cgroup_realized = true; - u->cgroup_realized_mask = target_mask; -+ -+ // While realizing cgroup, we don't realize delegated cgroup, therefore, target_mask -+ // doesn't contain delegated cgroup controller bit, and u->cgroup_realized_mask will -+ // not contain delegated cgroup controller bit as well. This unit will be in a state -+ // as if delegated cgroup is not set, which is not expected. -+ // If this is not present, delegated cgroup will be set every 2 systemctl daemon-reload -+ if (u->manager->full_delegation && unit_cgroup_delegate(u)) -+ u->cgroup_realized_mask |= unit_get_delegate_mask(u); -+ -+ if (u->manager->full_delegation_devicecg && unit_cgroup_delegate(u)) -+ u->cgroup_realized_mask |= (unit_get_delegate_mask(u) & CGROUP_MASK_DEVICES); -+ - u->cgroup_enabled_mask = enable_mask; - u->cgroup_bpf_state = needs_bpf ? UNIT_CGROUP_BPF_ON : UNIT_CGROUP_BPF_OFF; - -@@ -1940,6 +1952,12 @@ static int unit_realize_cgroup_now(Unit *u, ManagerState state) { - if (r < 0) - return r; - -+ if (u->manager->full_delegation && unit_cgroup_delegate(u)) -+ target_mask ^= u->cgroup_realized_mask; -+ -+ if (u->manager->full_delegation_devicecg && unit_cgroup_delegate(u)) -+ target_mask ^= (u->cgroup_realized_mask & CGROUP_MASK_DEVICES); -+ - /* Finally, apply the necessary attributes. */ - cgroup_context_apply(u, target_mask, apply_bpf, state); - cgroup_xattr_apply(u); -@@ -2882,6 +2900,12 @@ int unit_reset_ip_accounting(Unit *u) { - void unit_invalidate_cgroup(Unit *u, CGroupMask m) { - assert(u); - -+ if (u->manager->full_delegation) -+ m ^= unit_get_delegate_mask(u); // don't invalidate delegated cgroup -+ -+ if (u->manager->full_delegation_devicecg) -+ m ^= (unit_get_delegate_mask(u) & CGROUP_MASK_DEVICES); // don't invalidate device cgroup if delegate=yes -+ - if (!UNIT_HAS_CGROUP_CONTEXT(u)) - return; - -diff --git a/src/core/main.c b/src/core/main.c -index 546bf0d..e27f0a5 100644 ---- a/src/core/main.c -+++ b/src/core/main.c -@@ -142,6 +142,8 @@ static bool reexec_jmp_can = false; - static bool reexec_jmp_inited = false; - static sigjmp_buf reexec_jmp_buf; - static bool arg_default_cpuset_clone_children = false; -+static bool arg_full_delegation = false; -+static bool arg_full_delegation_devicecg = true; - - static int parse_configuration(const struct rlimit *saved_rlimit_nofile, - const struct rlimit *saved_rlimit_memlock); -@@ -768,6 +770,9 @@ static int parse_config_file(void) { - { "Manager", "DefaultTasksMax", config_parse_tasks_max, 0, &arg_default_tasks_max }, - { "Manager", "CtrlAltDelBurstAction", config_parse_emergency_action, 0, &arg_cad_burst_action }, - { "Manager", "DefaultCPUSetCloneChildren",config_parse_bool, 0, &arg_default_cpuset_clone_children }, -+ { "Manager", "FullDelegation", config_parse_bool, 0, &arg_full_delegation }, -+ { "Manager", "FullDelegationDeviceCGroup",config_parse_bool, 0, &arg_full_delegation_devicecg }, -+ - {} - }; - -@@ -817,6 +822,8 @@ static void set_manager_defaults(Manager *m) { - m->default_memory_accounting = arg_default_memory_accounting; - m->default_tasks_accounting = arg_default_tasks_accounting; - m->default_tasks_max = arg_default_tasks_max; -+ m->full_delegation = arg_full_delegation; -+ m->full_delegation_devicecg = arg_full_delegation_devicecg; - - manager_set_default_rlimits(m, arg_default_rlimit); - manager_environment_add(m, NULL, arg_default_environment); -diff --git a/src/core/manager.h b/src/core/manager.h -index 98d381b..8017d9a 100644 ---- a/src/core/manager.h -+++ b/src/core/manager.h -@@ -297,6 +297,8 @@ struct Manager { - bool default_blockio_accounting; - bool default_tasks_accounting; - bool default_ip_accounting; -+ bool full_delegation; -+ bool full_delegation_devicecg; - - uint64_t default_tasks_max; - usec_t default_timer_accuracy_usec; -diff --git a/src/core/system.conf.in b/src/core/system.conf.in -index 2f6852a..3f9ef7f 100644 ---- a/src/core/system.conf.in -+++ b/src/core/system.conf.in -@@ -67,3 +67,5 @@ DefaultLimitCORE=0:infinity - #DefaultLimitRTTIME= - #IPAddressAllow= - #IPAddressDeny= -+#FullDelegation=no -+#FullDelegationDeviceCGroup=yes --- -2.39.3 - diff --git a/91000-analyze-show-information-from-hostnamed-in-plot-even.patch b/91000-analyze-show-information-from-hostnamed-in-plot-even.patch deleted file mode 100644 index 272abec..0000000 --- a/91000-analyze-show-information-from-hostnamed-in-plot-even.patch +++ /dev/null @@ -1,101 +0,0 @@ -From af0841e9fc99fbab958a53fc43424ada6b9a19ad Mon Sep 17 00:00:00 2001 -From: Yu Watanabe -Date: Sun, 22 Jul 2018 14:33:31 +0900 -Subject: [PATCH] analyze: show information from hostnamed in plot even when - user mode - -(cherry-picked from upstream 4f481d76fcbb72fc91789a464cd2b75f0bd47e20) - -This will resolve the following issue after systemd-hostnamed is -disabled: - -``` -[root@localhost ~]# systemd-analyze plot -Failed to get host information from systemd: The name org.freedesktop.hostname1 was not provided by any .service files -``` - -Signed-off-by: Yuanhong Peng ---- - src/analyze/analyze.c | 28 ++++++++++++++++++++-------- - 1 file changed, 20 insertions(+), 8 deletions(-) - -diff --git a/src/analyze/analyze.c b/src/analyze/analyze.c -index c30a133..1ae096d 100644 ---- a/src/analyze/analyze.c -+++ b/src/analyze/analyze.c -@@ -448,6 +448,7 @@ static int acquire_host_info(sd_bus *bus, struct host_info **hi) { - }; - - _cleanup_(sd_bus_error_free) sd_bus_error error = SD_BUS_ERROR_NULL; -+ _cleanup_(sd_bus_flush_close_unrefp) sd_bus *system_bus = NULL; - _cleanup_(free_host_infop) struct host_info *host; - int r; - -@@ -455,7 +456,15 @@ static int acquire_host_info(sd_bus *bus, struct host_info **hi) { - if (!host) - return log_oom(); - -- r = bus_map_all_properties(bus, -+ if (arg_scope != UNIT_FILE_SYSTEM) { -+ r = bus_connect_transport(arg_transport, arg_host, false, &system_bus); -+ if (r < 0) { -+ log_debug_errno(r, "Failed to connect to system bus, ignoring: %m"); -+ goto manager; -+ } -+ } -+ -+ r = bus_map_all_properties(system_bus ?: bus, - "org.freedesktop.hostname1", - "/org/freedesktop/hostname1", - hostname_map, -@@ -463,9 +472,12 @@ static int acquire_host_info(sd_bus *bus, struct host_info **hi) { - &error, - NULL, - host); -- if (r < 0) -- log_debug_errno(r, "Failed to get host information from systemd-hostnamed: %s", bus_error_message(&error, r)); -+ if (r < 0) { -+ log_debug_errno(r, "Failed to get host information from systemd-hostnamed, ignoring: %s", bus_error_message(&error, r)); -+ sd_bus_error_free(&error); -+ } - -+manager: - r = bus_map_all_properties(bus, - "org.freedesktop.systemd1", - "/org/freedesktop/systemd1", -@@ -584,12 +596,12 @@ static int analyze_plot(int argc, char *argv[], void *userdata) { - _cleanup_(free_host_infop) struct host_info *host = NULL; - _cleanup_(sd_bus_flush_close_unrefp) sd_bus *bus = NULL; - _cleanup_(unit_times_freep) struct unit_times *times = NULL; -+ _cleanup_free_ char *pretty_times = NULL; -+ bool use_full_bus = arg_scope == UNIT_FILE_SYSTEM; - struct boot_times *boot; -+ struct unit_times *u; - int n, m = 1, y = 0, r; -- bool use_full_bus = true; - double width; -- _cleanup_free_ char *pretty_times = NULL; -- struct unit_times *u; - - r = acquire_bus(&bus, &use_full_bus); - if (r < 0) -@@ -603,7 +615,7 @@ static int analyze_plot(int argc, char *argv[], void *userdata) { - if (n < 0) - return n; - -- if (use_full_bus) { -+ if (use_full_bus || arg_scope != UNIT_FILE_SYSTEM) { - n = acquire_host_info(bus, &host); - if (n < 0) - return n; -@@ -705,7 +717,7 @@ static int analyze_plot(int argc, char *argv[], void *userdata) { - - svg("\n"); - svg("%s", pretty_times); -- if (use_full_bus) -+ if (host) - svg("%s %s (%s %s %s) %s %s", - isempty(host->os_pretty_name) ? "Linux" : host->os_pretty_name, - strempty(host->hostname), --- -2.18.1 \ No newline at end of file diff --git a/92000-meson-Make-logind-a-requirement-of-user-runtime-dir.patch b/92000-meson-Make-logind-a-requirement-of-user-runtime-dir.patch deleted file mode 100644 index 16bea35..0000000 --- a/92000-meson-Make-logind-a-requirement-of-user-runtime-dir.patch +++ /dev/null @@ -1,44 +0,0 @@ -From b7da107bc80d65ebf6a1e6838f780f756f2fb25c Mon Sep 17 00:00:00 2001 -From: Yuanhong Peng -Date: Fri, 26 Feb 2021 19:20:48 +0800 -Subject: [PATCH] meson: Make logind a requirement of user-runtime-dir - -Partly cherry-picked from upstream 07ee5adb. Since we don't -enable logind in LifseaOS, this is the simplest way to cut -off the user-runtime-dir binary and service file. - -Signed-off-by: Yuanhong Peng ---- - meson.build | 16 ++++++++-------- - 1 file changed, 8 insertions(+), 8 deletions(-) - -diff --git a/meson.build b/meson.build -index cf6990a..fd47e75 100644 ---- a/meson.build -+++ b/meson.build -@@ -1735,15 +1735,15 @@ if conf.get('ENABLE_LOGIND') == 1 - test_dlopen, - args : [pam_systemd.full_path()]) # path to dlopen must include a slash - endif --endif - --executable('systemd-user-runtime-dir', -- user_runtime_dir_sources, -- include_directories : includes, -- link_with : [libshared, liblogind_core], -- install_rpath : rootlibexecdir, -- install : true, -- install_dir : rootlibexecdir) -+ executable('systemd-user-runtime-dir', -+ user_runtime_dir_sources, -+ include_directories : includes, -+ link_with : [libshared, liblogind_core], -+ install_rpath : rootlibexecdir, -+ install : true, -+ install_dir : rootlibexecdir) -+endif - - if conf.get('HAVE_PAM') == 1 - executable('systemd-user-sessions', --- -2.18.1 \ No newline at end of file diff --git a/92001-shared-Remove-dependency-of-libcryptsetup-if-HAVE_LI.patch b/92001-shared-Remove-dependency-of-libcryptsetup-if-HAVE_LI.patch deleted file mode 100644 index 433c611..0000000 --- a/92001-shared-Remove-dependency-of-libcryptsetup-if-HAVE_LI.patch +++ /dev/null @@ -1,40 +0,0 @@ -From afaeb794b5ecf2772765f4a92e92f9be831ef1ea Mon Sep 17 00:00:00 2001 -From: Yuanhong Peng -Date: Fri, 26 Mar 2021 10:37:15 +0800 -Subject: [PATCH] shared: Remove dependency of libcryptsetup if - HAVE_LIBCRYPTSETUP is not defined - -We do not enable libcryptsetup in configuration, so this dependency is -fake. Remove dependency of libcryptsetup will reduce more than ten -dependencies of libsystemd-shared-239.so. - -Signed-off-by: Yuanhong Peng ---- - src/shared/meson.build | 5 ++++- - 1 file changed, 4 insertions(+), 1 deletion(-) - -diff --git a/src/shared/meson.build b/src/shared/meson.build -index d0a1bba..e492ce9 100644 ---- a/src/shared/meson.build -+++ b/src/shared/meson.build -@@ -131,7 +131,6 @@ libshared_deps = [threads, - librt, - libcap, - libacl, -- libcryptsetup, - libgcrypt, - libiptc, - libseccomp, -@@ -141,6 +140,10 @@ libshared_deps = [threads, - liblz4, - libblkid] - -+if conf.get('HAVE_LIBCRYPTSETUP') == 1 -+ libshared_deps += [libcryptsetup] -+endif -+ - libshared_sym_path = '@0@/libshared.sym'.format(meson.current_source_dir()) - - libshared_static = static_library( --- -2.18.1 \ No newline at end of file diff --git a/92002-Do-not-remove-cgroup-path-which-not-created-by-syst.patch b/92002-Do-not-remove-cgroup-path-which-not-created-by-syst.patch deleted file mode 100644 index aec1813..0000000 --- a/92002-Do-not-remove-cgroup-path-which-not-created-by-syst.patch +++ /dev/null @@ -1,31 +0,0 @@ -From 327dab8117c7b478a928387b4384ae7815ad4f06 Mon Sep 17 00:00:00 2001 -From: Yuanhong Peng -Date: Wed, 22 Nov 2023 17:03:33 +0800 -Subject: [PATCH] Do not remove cgroup path which not created by systemd - -It's a workaround for #52520469 - -Details in https://issues.redhat.com/browse/RHEL-16781 - -Signed-off-by: Yuanhong Peng ---- - src/basic/cgroup-util.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/src/basic/cgroup-util.c b/src/basic/cgroup-util.c -index 14abe6e..5c87a7a 100644 ---- a/src/basic/cgroup-util.c -+++ b/src/basic/cgroup-util.c -@@ -719,6 +719,10 @@ static int trim_cb(const char *path, const struct stat *sb, int typeflag, struct - if (ftwbuf->level < 1) - return 0; - -+ // workaround: do not remove cgroup path which not created by systemd -+ if (!strstr(path, ".slice/") && !strstr(path, ".service/")) -+ return 0; -+ - (void) rmdir(path); - return 0; - } --- -2.39.3 \ No newline at end of file diff --git a/README.md b/README.md deleted file mode 100644 index b91be56..0000000 --- a/README.md +++ /dev/null @@ -1,13 +0,0 @@ -# systemd-239 - -This is the repository of systemd-239 for Anolis OS 8. - -## Patch index convention - -Below is the patch index convention of this repository: - -- 0001 ... 0xxx : patches from upstream srpm -- 10001 ... 10xxx : patches cherry-picked from systemd github upstream -- 20001 ... 20xxx : original patch by OpenAnolis community -- 910001 ... 910xxx : LifseaOS patches that cherry-picked from systemd github upstream -- 920001 ... 920xxx : LifseaOS original patches diff --git a/systemd.spec b/systemd.spec index 72bfa80..200c90d 100644 --- a/systemd.spec +++ b/systemd.spec @@ -1,4 +1,3 @@ -%define anolis_release .0.3 #global gitcommit 10e465b5321bd53c1fc59ffab27e724535c6bc0f %{?gitcommit:%global gitcommitshort %(c=%{gitcommit}; echo ${c:0:7})} @@ -14,7 +13,7 @@ Name: systemd Url: http://www.freedesktop.org/wiki/Software/systemd Version: 239 -Release: 82%{anolis_release}%{?dist}%{?lifsea_dist}.1 +Release: 82%{?dist}.2 # For a breakdown of the licensing, see README License: LGPLv2+ and MIT and GPLv2+ Summary: System and Service Manager @@ -41,9 +40,7 @@ Source8: systemd-journal-gatewayd.xml Source9: 20-yama-ptrace.conf Source10: systemd-udev-trigger-no-reload.conf Source11: 20-grubby.install -%if ! %{defined lifsea_dist} Source12: systemd-user -%endif Source13: rc.local %if 0 @@ -1066,54 +1063,6 @@ Patch1010: 1010-pid1-by-default-make-user-units-inherit-their-umask-.patch Patch1011: 1011-pam-add-call-to-pam_umask.patch Patch1012: 1012-ci-deploy-systemd-man-to-GitHub-Pages.patch Patch1013: 1013-ci-src-git-update-list-of-supported-products.patch -Patch10000: 10000-core-fix-a-null-reference-case-in-load_from_path.patch -Patch10001: 10001-sysctl-Don-t-pass-null-directive-argument-to-s.patch -Patch10002: 10002-exit-status-introduce-EXIT_EXCEPTION-mapping-to-255.patch -Patch10003: 10003-main-don-t-freeze-PID-1-in-containers-exit-with-non-.patch -Patch10004: 10004-Do-not-go-into-freeze-when-systemd-crashd.patch -Patch10005: 10005-mount-setup-change-the-system-mount-propagation-to-s.patch -Patch10006: 10006-cgroup-util-make-definition-of-CGROUP_CONTROLLER_TO_.patch -Patch10007: 10007-cgroup-update-only-siblings-that-got-realized-once.patch -Patch10008: 10008-core-add-a-config-item-to-support-setting-the-value-.patch -Patch10009: 10009-systemd-anolis-support-loongarch64.patch -Patch10010: 10010-test-catalog-Fix-coredump-when-compiled-under-GCC10.patch -Patch10011: 10011-hwdb-add-Iluvatar-CoreX.patch -Patch10012: 10012-seccomp-add-loongarch-support.patch -Patch10013: 10013-umount-check-LO_FLAGS_AUTOCLEAR-after-LOOP_CLR_FD-cl.patch -Patch10014: 10014-fileio-when-reading-a-full-file-into-memory-refuse-.patch -Patch10015: 10015-util-introduce-explicit_bzero_safe-for-explicit-mem.patch -Patch10016: 10016-util-introduce-erase_and_free-helper.patch -Patch10017: 10017-util-introduce-READ_FULL_FILE_SECURE-flag-for-readi.patch -Patch10018: 10018-fileio-introduce-warn_file_is_world_accessible.patch -Patch10019: 10019-fileio-read_full_file_full-also-warns-when-file-is-.patch -Patch10020: 10020-basic-fileio-Fix-memory-leak-if-READ_FULL_FILE_SECU.patch -Patch10021: 10021-fileio-add-explicit-flag-for-generating-world-execu.patch -Patch10022: 10022-fileio-add-dir_fd-parameter-to-read_full_file_full.patch -Patch10023: 10023-fileio-add-support-for-read_full_file-on-AF_UNIX-st.patch -Patch10024: 10024-fileio-beef-up-READ_FULL_FILE_CONNECT_SOCKET-to-all.patch -Patch10025: 10025-fileio-teach-read_full_file_full-to-read-from-offse.patch -Patch10026: 10026-cryptsetup-port-cryptsetup-s-main-key-file-logic-ov.patch -Patch10027: 10027-fix-compilation-without-utmp.patch -Patch10028: 10028-cgroup-drastically-simplify-caching-of-cgroups-membe.patch -Patch10029: 10029-core-udev-remove-old-device-on-move-event.patch - -Patch20001: 20001-hwdb-parse_hwdb_dot_py.patch -# Patch20002: 20002-cgroup-do-not-refresh-cgroup-devices-config-when-dae.patch -# Patch20003: 20003-core-introduce-cgroup-full-delegation-for-compabilit.patch -Patch20004: 20004-Update-vendor-ids-for-ieisystem-0750.patch -# Patch20005: 20005-default-enable-full-delegation-on-device-cgroup.patch -Patch20006: 20006-systemd-Add-sw64.patch -Patch20007: 20007-add-seccomp-support-for-sw_64.patch -Patch20008: 20008-Fix-unit-test-test-seccomp-support-on-sw_64.patch -Patch20009: 20009-core-introduce-cgroup-FullDelegation-FullDelegationD.patch - -# lifsea only patch -%if %{defined lifsea_dist} -Patch91000: 91000-analyze-show-information-from-hostnamed-in-plot-even.patch -Patch92000: 92000-meson-Make-logind-a-requirement-of-user-runtime-dir.patch -Patch92001: 92001-shared-Remove-dependency-of-libcryptsetup-if-HAVE_LI.patch -Patch92002: 92002-Do-not-remove-cgroup-path-which-not-created-by-syst.patch -%endif %ifarch %{ix86} x86_64 aarch64 %global have_gnu_efi 1 @@ -1123,8 +1072,7 @@ BuildRequires: gcc BuildRequires: gcc-c++ BuildRequires: libcap-devel BuildRequires: libmount-devel -%{!?lifsea_dist:BuildRequires: pam-devel} -%{?lifsea_dist:BuildRequires: acl} +BuildRequires: pam-devel BuildRequires: libselinux-devel BuildRequires: audit-libs-devel BuildRequires: cryptsetup-devel @@ -1165,19 +1113,15 @@ BuildRequires: gettext Requires(post): coreutils Requires(post): sed -%{!?lifsea_dist:Requires(post): acl} +Requires(post): acl Requires(post): grep # systemd-machine-id-setup requires libssl Requires(post): openssl-libs Requires(pre): coreutils Requires(pre): /usr/bin/getent Requires(pre): /usr/sbin/groupadd -%if ! %{defined lifsea_dist} Requires: dbus >= 1.9.18 Requires: %{name}-pam = %{version}-%{release} -%else -Recommends: dbus >= 1.9.18 -%endif Requires: %{name}-libs = %{version}-%{release} Recommends: diffutils Requires: util-linux @@ -1221,11 +1165,9 @@ Obsoletes: libudev < 183 Obsoletes: systemd < 185-4 Conflicts: systemd < 185-4 Obsoletes: systemd-compat-libs < 230 -%if ! %{defined lifsea_dist} Obsoletes: nss-myhostname < 0.4 Provides: nss-myhostname = 0.4 Provides: nss-myhostname%{_isa} = 0.4 -%endif Requires(post): coreutils Requires(post): sed Requires(post): grep @@ -1234,14 +1176,12 @@ Requires(post): /usr/bin/getent %description libs Libraries for systemd and udev. -%if ! %{defined lifsea_dist} %package pam Summary: systemd PAM module Requires: %{name} = %{version}-%{release} %description pam Systemd PAM module registers the session with systemd-logind. -%endif %package devel Summary: Development headers for systemd @@ -1250,10 +1190,8 @@ Requires: %{name}-libs%{?_isa} = %{version}-%{release} Provides: libudev-devel = %{version} Provides: libudev-devel%{_isa} = %{version} Obsoletes: libudev-devel < 183 -%if ! %{defined lifsea_dist} # Fake dependency to make sure systemd-pam is pulled into multilib (#1414153) Requires: %{name}-pam = %{version}-%{release} -%endif %description devel Development headers and auxiliary files for developing applications linking @@ -1328,15 +1266,8 @@ License: LGPLv2+ "Installed tests" that are usually run as part of the build system. They can be useful to test systemd internals. -# To avoid users installing the LifseaOS package in other os -%define common_pre_scripts() \ -if ! grep -q 'ID="lifsea"' /etc/os-release; then \ - echo "This package is only for LifseaOS!" \ - exit 1 \ -fi - %prep -%autosetup %{?gitcommit:-n %{name}-%{gitcommit}}%{?lifsea_dist: -n %{name}-%{version}} -S git_am +%autosetup %{?gitcommit:-n %{name}-%{gitcommit}} -S git_am %build %define ntpvendor %(source /etc/os-release; echo ${ID}) @@ -1349,34 +1280,35 @@ CONFIGURE_OPTS=( -Ddns-servers='' -Ddev-kvm-mode=0666 -Dkmod=true - -Dxkbcommon=%{!?lifsea_dist:true}%{?lifsea_dist:false} + -Dxkbcommon=true -Dblkid=true -Dseccomp=true -Dima=true -Dselinux=true -Dapparmor=false - -Dpolkit=%{!?lifsea_dist:true}%{?lifsea_dist:false} - -Dxz=%{!?lifsea_dist:true}%{?lifsea_dist:false} - -Dzlib=%{!?lifsea_dist:true}%{?lifsea_dist:false} - -Dbzip2=%{!?lifsea_dist:true}%{?lifsea_dist:false} - -Dlz4=%{!?lifsea_dist:true}%{?lifsea_dist:false} - -Dpam=%{!?lifsea_dist:true}%{?lifsea_dist:false} + -Dpolkit=true + -Dxz=true + -Dzlib=true + -Dbzip2=true + -Dlz4=true + -Dpam=true -Dacl=true - -Dsmack=%{!?lifsea_dist:true}%{?lifsea_dist:false} + -Dsmack=true -Dgcrypt=true - -Daudit=%{!?lifsea_dist:true}%{?lifsea_dist:false} - -Delfutils=%{!?lifsea_dist:true}%{?lifsea_dist:false} - -Dlibcryptsetup=%{!?lifsea_dist:true}%{?lifsea_dist:false} + -Daudit=true + -Delfutils=true + -Dlibcryptsetup=true + -Delfutils=true -Dqrencode=false - -Dgnutls=%{!?lifsea_dist:true}%{?lifsea_dist:false} - -Dmicrohttpd=%{!?lifsea_dist:true}%{?lifsea_dist:false} - -Dlibidn2=%{!?lifsea_dist:true}%{?lifsea_dist:false} + -Dgnutls=true + -Dmicrohttpd=true + -Dlibidn2=true -Dlibiptc=false - -Dlibcurl=%{!?lifsea_dist:true}%{?lifsea_dist:false} - -Defi=%{!?lifsea_dist:true}%{?lifsea_dist:false} - %{!?lifsea_dist:-Dgnu-efi=%{?have_gnu_efi:true}%{?!have_gnu_efi:false}} - -Dtpm=%{!?lifsea_dist:true}%{?lifsea_dist:false} - -Dhwdb=%{!?lifsea_dist:true}%{?lifsea_dist:false} + -Dlibcurl=true + -Defi=true + -Dgnu-efi=%{?have_gnu_efi:true}%{?!have_gnu_efi:false} + -Dtpm=true + -Dhwdb=true -Dsysusers=true -Ddefault-kill-user-processes=false -Dtests=unsafe @@ -1392,36 +1324,6 @@ CONFIGURE_OPTS=( -Dtimesyncd=false -Ddefault-hierarchy=legacy -Dversion-tag=%{version}-%{release} - %if %{defined lifsea_dist} - # remove many useless tools - -Dtimedated=true - -Dman=false - -Dhtml=false - -Dzshcompletiondir=no - -Dbashcompletiondir=no - -Dlogind=false - -Dcoredump=false - -Dbacklight=false - -Dbinfmt=false - -Dimportd=false - -Dhibernate=false - -Dportabled=false - -Dquotacheck=false - -Drfkill=false - -Dvconsole=false - -Dhostnamed=true - -Dlocaled=false - -Dfirstboot=false - -Denvironment-d=false - -Dutmp=false - -Didn=false - -Dlibidn=false - -Dpcre2=false - -Dgcrypt=false - -Dnss-myhostname=false - -Dnss-resolve=false - -Dnss-systemd=false - %endif ) # Don't ship /var/log/README. The relationship between journal and syslog should be documented @@ -1478,7 +1380,7 @@ mkdir -p %{buildroot}%{pkgdir}/user-generators # Create new-style configuration files so that we can ghost-own them touch %{buildroot}%{_sysconfdir}/hostname touch %{buildroot}%{_sysconfdir}/vconsole.conf -%{!?lifsea_dist:touch %{buildroot}%{_sysconfdir}/locale.conf} +touch %{buildroot}%{_sysconfdir}/locale.conf touch %{buildroot}%{_sysconfdir}/machine-id touch %{buildroot}%{_sysconfdir}/machine-info touch %{buildroot}%{_sysconfdir}/localtime @@ -1493,7 +1395,7 @@ mkdir -p %{buildroot}%{pkgdir}/system-sleep/ mkdir -p %{buildroot}%{_localstatedir}/lib/systemd/coredump mkdir -p %{buildroot}%{_localstatedir}/lib/systemd/catalog mkdir -p %{buildroot}%{_localstatedir}/lib/systemd/backlight -%{!?lifsea_dist:mkdir -p %{buildroot}%{_localstatedir}/lib/systemd/rfkill} +mkdir -p %{buildroot}%{_localstatedir}/lib/systemd/rfkill mkdir -p %{buildroot}%{_localstatedir}/lib/systemd/linger mkdir -p %{buildroot}%{_localstatedir}/lib/private mkdir -p %{buildroot}%{_localstatedir}/log/private @@ -1516,10 +1418,8 @@ install -Dm0644 %{SOURCE4} %{buildroot}%{_sysconfdir}/dnf/protected.d/systemd.co install -Dm0644 -t %{buildroot}/usr/lib/firewalld/services/ %{SOURCE7} %{SOURCE8} -%if ! %{defined lifsea_dist} # Restore systemd-user pam config from before "removal of Fedora-specific bits" install -Dm0644 -t %{buildroot}/etc/pam.d/ %{SOURCE12} -%endif # Install additional docs # https://bugzilla.redhat.com/show_bug.cgi?id=1234951 @@ -1557,9 +1457,7 @@ python3 %{SOURCE2} %buildroot </dev/null || groupadd -r -g 11 cdrom &>/dev/null || : getent group utmp &>/dev/null || groupadd -r -g 22 utmp &>/dev/null || : getent group tape &>/dev/null || groupadd -r -g 33 tape &>/dev/null || : @@ -1622,10 +1497,8 @@ getent group kvm &>/dev/null || groupadd -r -g 36 kvm &>/dev/null || : getent group render &>/dev/null || groupadd -r render &>/dev/null || : getent group systemd-journal &>/dev/null || groupadd -r -g 190 systemd-journal 2>&1 || : -%if ! %{defined lifsea_dist} getent group systemd-coredump &>/dev/null || groupadd -r systemd-coredump 2>&1 || : getent passwd systemd-coredump &>/dev/null || useradd -r -l -g systemd-coredump -d / -s /sbin/nologin -c "systemd Core Dumper" systemd-coredump &>/dev/null || : -%endif getent group systemd-resolve &>/dev/null || groupadd -r -g 193 systemd-resolve 2>&1 || : getent passwd systemd-resolve &>/dev/null || useradd -r -u 193 -l -g systemd-resolve -d / -s /sbin/nologin -c "systemd Resolver" systemd-resolve &>/dev/null || : @@ -1640,14 +1513,8 @@ systemd-tmpfiles --create &>/dev/null || : chgrp systemd-journal /run/log/journal/ /run/log/journal/`cat /etc/machine-id 2>/dev/null` /var/log/journal/ /var/log/journal/`cat /etc/machine-id 2>/dev/null` &>/dev/null || : chmod g+s /run/log/journal/ /run/log/journal/`cat /etc/machine-id 2>/dev/null` /var/log/journal/ /var/log/journal/`cat /etc/machine-id 2>/dev/null` &>/dev/null || : -%if ! %{defined lifsea_dist} # Apply ACL to the journal directory setfacl -Rnm g:wheel:rx,d:g:wheel:rx,g:adm:rx,d:g:adm:rx /var/log/journal/ &>/dev/null || : -%endif - -# Stop-gap until rsyslog.rpm does this on its own. (This is supposed -# to fail when the link already exists) -ln -s /usr/lib/systemd/system/rsyslog.service /etc/systemd/system/syslog.service &>/dev/null || : # Remove spurious /etc/fstab entries from very old installations # https://bugzilla.redhat.com/show_bug.cgi?id=1009023 @@ -1688,7 +1555,6 @@ fi %post libs %{?ldconfig} -%if ! %{defined lifsea_dist} function mod_nss() { if [ $1 -eq 1 ] && [ -f "$2" ]; then # sed-fu to add myhostname to hosts line (only once, on install) @@ -1717,7 +1583,6 @@ else # possible future authselect configuration mod_nss $1 "/etc/authselect/user-nsswitch.conf" fi -%endif # check if nobody or nfsnobody is defined export SYSTEMD_NSS_BYPASS_SYNTHETIC=1 @@ -1759,9 +1624,6 @@ grep -q -E '^KEYMAP="?fi-latin[19]"?' /etc/vconsole.conf 2>/dev/null && %systemd_postun_with_restart systemd-udevd.service %pre journal-remote -%if %{defined lifsea_dist} -%{common_pre_scripts} -%endif getent group systemd-journal-remote &>/dev/null || groupadd -r systemd-journal-remote 2>&1 || : getent passwd systemd-journal-remote &>/dev/null || useradd -r -l -g systemd-journal-remote -d %{_localstatedir}/log/journal/remote -s /sbin/nologin -c "Journal Remote" systemd-journal-remote &>/dev/null || : @@ -1810,17 +1672,11 @@ fi %ghost %dir %attr(0755,-,-) /etc/systemd/system/system-update.target.wants %ghost %dir %attr(0755,-,-) /etc/systemd/system/timers.target.wants %ghost %dir %attr(0755,-,-) /var/lib/rpm-state/systemd -%if %{defined lifsea_dist} -%exclude %{_prefix}/lib/tmpfiles.d/systemd-nologin.conf -%exclude %{_datarootdir}/polkit-1 -%endif %files libs -f .file-list-libs %license LICENSE.LGPL2.1 -%if ! %{defined lifsea_dist} %files pam -f .file-list-pam -%endif %files devel -f .file-list-devel @@ -1833,73 +1689,8 @@ fi %files tests -f .file-list-tests %changelog -* Thu Sep 26 2024 Weisson - 239-82.0.3 -- bugfix: sw8a machine seems not to support getxpid syscall any more, replace it with getpid. - -* Tue Sep 24 2024 Zhongling He - 239-82.0.2 -- core, udev: remove old device on move event - -* Wed Aug 28 2024 Yuanhong Peng - 239-82.0.1 -- core: fix a null reference case in load_from_path() -- sysctl: Don't pass null directive argument to '%s' -- exit-status: introduce EXIT_EXCEPTION mapping to 255 -- main: don't freeze PID 1 in containers, exit with non-zero instead -- Do not go into freeze when systemd crashd -- mount-setup: change the system mount propagation to shared by default only at bootup -- cgroup-util: make definition of CGROUP_CONTROLLER_TO_MASK() unsigned -- cgroup: update only siblings that got realized once -- core: add a config item to support setting the value of cpuset.clone_children when systemd is starting -- support loongarch for systemd -- test-catalog: Fix coredump when compiled under GCC10 -- add Iluvatar CoreX pci id (Liwei Ge) -- seccomp: add loongarch64 support (Liwei Ge) -- seccomp: remove loongarch64 switch(Liwei Ge) -- umount: check LO_FLAGS_AUTOCLEAR after LOOP_CLR_FD claimed success(yuanhui) -- fileio: when reading a full file into memory, refuse inner NUL bytes (Guorui Yu) -- util: introduce explicit_bzero_safe for explicit memset (Guorui Yu) -- util: introduce erase_and_free() helper (Guorui Yu) -- util: introduce READ_FULL_FILE_SECURE flag for reading secure data (Guorui Yu) -- fileio: introduce warn_file_is_world_accessible() (Guorui Yu) -- fileio: read_full_file_full() also warns when file is world readable and secure flag is set (Guorui Yu) -- basic/fileio: Fix memory leak if READ_FULL_FILE_SECURE flag is used (Guorui Yu) -- fileio: add explicit flag for generating world executable warning when reading file (Guorui Yu) -- fileio: add 'dir_fd' parameter to read_full_file_full() (Guorui Yu) -- fileio: add support for read_full_file() on AF_UNIX stream sockets (Guorui Yu) -- fileio: beef up READ_FULL_FILE_CONNECT_SOCKET to allow setting sender socket name (Guorui Yu) -- fileio: teach read_full_file_full() to read from offset/with maximum size (Guorui Yu) -- cryptsetup: port cryptsetup's main key file logic over to read_full_file_full() (Guorui Yu) -- Update upstream parse_hwdb.py to fix parse-hwdb error (Zhongling He) -- cgroup: do not refresh cgroup devices config when daemon-reload (Zhongling He) -- core: introduce cgroup full delegation for compability (Zhongling He) -- Update vendor ids for ieisystem 0750 (wangkaiyuan@inspur.com) -- LifseaOS: Add back hostnamectl (yuanhui@linux.alibaba.com) -- LifseaOS: Add back timedatectl (yuanhui@linux.alibaba.com) -- LifseaOS: shared: Remove dependency of libcryptsetup if HAVE_LIBCRYPTSETUP is not defined (yuanhui@linux.alibaba.com) -- LifseaOS: analyze: show information from hostnamed in plot even when user mode (yuanhui@linux.alibaba.com) -- LifseaOS: configure: Disable smack (yuanhui@linux.alibaba.com) -- LifseaOS: Remove nss module provided by systemd (yuanhui@linux.alibaba.com) -- LifseaOS: configure: Remove multiple non-essential features (yuanhui@linux.alibaba.com) -- LifseaOS: configure: Disable firstboot (yuanhui@linux.alibaba.com) -- LifseaOS: Remove user-runtime-dir binary and service file (yuanhui@linux.alibaba.com) -- LifseaOS: Remove the dependency of acl package (yuanhui@linux.alibaba.com) -- LifseaOS: Remove locale and hostname related tools (yuanhui@linux.alibaba.com) -- LifseaOS: Remove multiple unnecessary modules (yuanhui@linux.alibaba.com) -- LifseaOS: Remove compression algorithm (yuanhui@linux.alibaba.com) -- LifseaOS: Remove many tools of little use (yuanhui@linux.alibaba.com) -- LifseaOS: Remove coredump tools (yuanhui@linux.alibaba.com) -- LifseaOS: configure: Disable cryptsetup (yuanhui@linux.alibaba.com) -- LifseaOS: configure: Disable polkit (yuanhui@linux.alibaba.com) -- LifseaOS: configure: Disable logind (yuanhui@linux.alibaba.com) -- LifseaOS: Remove systemd-pam module (yuanhui@linux.alibaba.com) -- LifseaOS: configure: Remove manpage and bash/zsh completion (yuanhui@linux.alibaba.com) -- LifseaOS: cgroup: Do not remove cgroup path which not created by systemd (yuanhui@linux.alibaba.com) -- Remove patch 20002 as it inhibits systemd device cgroup slice creation (zhonglingh@linux.alibaba.com) -- Add patch 20005 to enable device cgroup full delegation by default (zhonglingh@linux.alibaba.com) -- cherry-pick `add sw patch #20ead624ed837d467ff4c9607d46c027bbc84ac3`. (nijie@wxiat.com) -- add seccomp support for sw_64. (Weisson@alinux.alibaba.com) -- add test-seccomp support for sw_64. (Weisson@alinux.alibaba.com) -- core: Fix subcgroup deletion caused by full delegation (zhonglingh@linux.alibaba.com) -- core: Fix cgroups members mask cache propagation problem (zhonglingh@linux.alibaba.com) +* Tue Jul 23 2024 systemd maintenance team - 239-82.2 +- spec: do not create symlink /etc/systemd/system/syslog.service (RHEL-13179) * Thu Apr 11 2024 systemd maintenance team - 239-82.1 - pid1: by default make user units inherit their umask from the user manager (RHEL-28048) -- Gitee From 3c7dfd91dcbb139ca7b0ba15fe5d4455d3096697 Mon Sep 17 00:00:00 2001 From: pangqing Date: Tue, 19 Apr 2022 15:08:32 +0800 Subject: [PATCH 02/19] Add optimized patches Signed-off-by: Yuanhong Peng --- ...ull-reference-case-in-load_from_path.patch | 34 +++++ ...-t-pass-null-directive-argument-to-s.patch | 25 ++++ ...roduce-EXIT_EXCEPTION-mapping-to-255.patch | 52 ++++++++ ...e-PID-1-in-containers-exit-with-non-.patch | 52 ++++++++ ...t-go-into-freeze-when-systemd-crashd.patch | 103 +++++++++++++++ ...ge-the-system-mount-propagation-to-s.patch | 62 +++++++++ ...-definition-of-CGROUP_CONTROLLER_TO_.patch | 26 ++++ ...only-siblings-that-got-realized-once.patch | 46 +++++++ ...g-item-to-support-setting-the-value-.patch | 120 ++++++++++++++++++ ...9-systemd-anolis-support-loongarch64.patch | 56 ++++++++ systemd.spec | 25 +++- 11 files changed, 600 insertions(+), 1 deletion(-) create mode 100644 10000-core-fix-a-null-reference-case-in-load_from_path.patch create mode 100644 10001-sysctl-Don-t-pass-null-directive-argument-to-s.patch create mode 100644 10002-exit-status-introduce-EXIT_EXCEPTION-mapping-to-255.patch create mode 100644 10003-main-don-t-freeze-PID-1-in-containers-exit-with-non-.patch create mode 100644 10004-Do-not-go-into-freeze-when-systemd-crashd.patch create mode 100644 10005-mount-setup-change-the-system-mount-propagation-to-s.patch create mode 100644 10006-cgroup-util-make-definition-of-CGROUP_CONTROLLER_TO_.patch create mode 100644 10007-cgroup-update-only-siblings-that-got-realized-once.patch create mode 100644 10008-core-add-a-config-item-to-support-setting-the-value-.patch create mode 100644 10009-systemd-anolis-support-loongarch64.patch diff --git a/10000-core-fix-a-null-reference-case-in-load_from_path.patch b/10000-core-fix-a-null-reference-case-in-load_from_path.patch new file mode 100644 index 0000000..e15690c --- /dev/null +++ b/10000-core-fix-a-null-reference-case-in-load_from_path.patch @@ -0,0 +1,34 @@ +From 11e4aae398f9d26c7c4e54bfa6621f80a3ed2100 Mon Sep 17 00:00:00 2001 +From: Wen Yang +Date: Tue, 19 Apr 2022 11:04:47 +0800 +Subject: [PATCH] fix a null reference case in load_from_path() + +--- + src/core/load-fragment.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/core/load-fragment.c b/src/core/load-fragment.c +index c0b1fd4..f59a040 100644 +--- a/src/core/load-fragment.c ++++ b/src/core/load-fragment.c +@@ -4477,7 +4477,6 @@ static int load_from_path(Unit *u, const char *path) { + r = open_follow(&filename, &f, symlink_names, &id); + if (r >= 0) + break; +- filename = mfree(filename); + + /* ENOENT means that the file is missing or is a dangling symlink. + * ENOTDIR means that one of paths we expect to be is a directory +@@ -4486,7 +4485,8 @@ static int load_from_path(Unit *u, const char *path) { + */ + if (r == -EACCES) + log_debug_errno(r, "Cannot access \"%s\": %m", filename); +- else if (!IN_SET(r, -ENOENT, -ENOTDIR)) ++ filename = mfree(filename); ++ if (!IN_SET(r, -ENOENT, -ENOTDIR)) + return r; + + /* Empty the symlink names for the next run */ +-- +2.27.0 + diff --git a/10001-sysctl-Don-t-pass-null-directive-argument-to-s.patch b/10001-sysctl-Don-t-pass-null-directive-argument-to-s.patch new file mode 100644 index 0000000..ec09ee4 --- /dev/null +++ b/10001-sysctl-Don-t-pass-null-directive-argument-to-s.patch @@ -0,0 +1,25 @@ +From 1b3f7805ed7c193e17cb5bad4f4f19c2f72f3d08 Mon Sep 17 00:00:00 2001 +From: Khem Raj +Date: Tue, 19 Apr 2022 11:16:42 +0800 +Subject: [PATCH] sysctl: Don't pass null directive argument to '%s' + +--- + src/sysctl/sysctl.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/sysctl/sysctl.c b/src/sysctl/sysctl.c +index 4c85d68..e756eff 100644 +--- a/src/sysctl/sysctl.c ++++ b/src/sysctl/sysctl.c +@@ -160,7 +160,7 @@ static int parse_file(OrderedHashmap *sysctl_options, const char *path, bool ign + + value = strchr(p, '='); + if (!value) { +- log_error("Line is not an assignment at '%s:%u': %s", path, c, value); ++ log_error("Line is not an assignment at '%s:%u': %s", path, c, p); + + if (r == 0) + r = -EINVAL; +-- +2.27.0 + diff --git a/10002-exit-status-introduce-EXIT_EXCEPTION-mapping-to-255.patch b/10002-exit-status-introduce-EXIT_EXCEPTION-mapping-to-255.patch new file mode 100644 index 0000000..66539a0 --- /dev/null +++ b/10002-exit-status-introduce-EXIT_EXCEPTION-mapping-to-255.patch @@ -0,0 +1,52 @@ +From f7940c9cdf872d7504aca9637e9fd14328b2b726 Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Tue, 19 Apr 2022 11:26:10 +0800 +Subject: [PATCH] exit-status: introduce EXIT_EXCEPTION mapping to 255 + +--- + src/basic/exit-status.c | 9 ++++++--- + src/basic/exit-status.h | 1 + + 2 files changed, 7 insertions(+), 3 deletions(-) + +diff --git a/src/basic/exit-status.c b/src/basic/exit-status.c +index 0a7a53b..8b67d44 100644 +--- a/src/basic/exit-status.c ++++ b/src/basic/exit-status.c +@@ -19,9 +19,9 @@ const char* exit_status_to_string(int status, ExitStatusLevel level) { + * 79…199 │ (Currently unmapped) + * 200…241 │ systemd's private error codes (might be extended to 254 in future development) + * 242…254 │ (Currently unmapped, but see above) +- * 255 │ (We should probably stay away from that one, it's frequently used by applications to indicate an +- * │ exit reason that cannot really be expressed in a single exit status value — such as a propagated +- * │ signal or such) ++ * 255 │ EXIT_EXCEPTION (We use this to propagate exit-by-signal events. It's frequently used by others apps (like bash) ++ * │ to indicate exit reason that cannot really be expressed in a single exit status value — such as a propagated ++ * │ signal or such, and we follow that logic here.) + */ + + switch (status) { /* We always cover the ISO C ones */ +@@ -158,6 +158,9 @@ const char* exit_status_to_string(int status, ExitStatusLevel level) { + + case EXIT_NUMA_POLICY: + return "NUMA_POLICY"; ++ ++ case EXIT_EXCEPTION: ++ return "EXCEPTION"; + } + } + +diff --git a/src/basic/exit-status.h b/src/basic/exit-status.h +index dc284aa..e923247 100644 +--- a/src/basic/exit-status.h ++++ b/src/basic/exit-status.h +@@ -70,6 +70,7 @@ enum { + EXIT_LOGS_DIRECTORY, /* 240 */ + EXIT_CONFIGURATION_DIRECTORY, + EXIT_NUMA_POLICY, ++ EXIT_EXCEPTION = 255, /* Whenever we want to propagate an abnormal/signal exit, in line with bash */ + }; + + typedef enum ExitStatusLevel { +-- +2.27.0 + diff --git a/10003-main-don-t-freeze-PID-1-in-containers-exit-with-non-.patch b/10003-main-don-t-freeze-PID-1-in-containers-exit-with-non-.patch new file mode 100644 index 0000000..026fc66 --- /dev/null +++ b/10003-main-don-t-freeze-PID-1-in-containers-exit-with-non-.patch @@ -0,0 +1,52 @@ +From dffb92b5520a4b539f0466d4161fcaacc6ba5ba8 Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Tue, 19 Apr 2022 11:34:27 +0800 +Subject: [PATCH] main: don't freeze PID 1 in containers, exit with + +--- + src/core/main.c | 14 ++++++++++---- + 1 file changed, 10 insertions(+), 4 deletions(-) + +diff --git a/src/core/main.c b/src/core/main.c +index d897155..0aec5d1 100644 +--- a/src/core/main.c ++++ b/src/core/main.c +@@ -139,7 +139,13 @@ static NUMAPolicy arg_numa_policy; + static int parse_configuration(const struct rlimit *saved_rlimit_nofile, + const struct rlimit *saved_rlimit_memlock); + +-_noreturn_ static void freeze_or_reboot(void) { ++_noreturn_ static void freeze_or_exit_or_reboot(void) { ++ /* If we are running in a contianer, let's prefer exiting, after all we can propagate an exit code to the ++ * container manager, and thus inform it that something went wrong. */ ++ if (detect_container() > 0) { ++ log_emergency("Exiting PID 1..."); ++ exit(EXIT_EXCEPTION); ++ } + + if (arg_crash_reboot) { + log_notice("Rebooting in 10s..."); +@@ -247,7 +253,7 @@ _noreturn_ static void crash(int sig) { + } + } + +- freeze_or_reboot(); ++ freeze_or_exit_or_reboot(); + } + + static void install_crash_handler(void) { +@@ -2664,9 +2670,9 @@ finish: + if (error_message) + manager_status_printf(NULL, STATUS_TYPE_EMERGENCY, + ANSI_HIGHLIGHT_RED "!!!!!!" ANSI_NORMAL, +- "%s, freezing.", error_message); +- freeze_or_reboot(); ++ "%s.", error_message); ++ freeze_or_exit_or_reboot(); + } + + reset_arguments(); + return retval; +-- +2.27.0 + diff --git a/10004-Do-not-go-into-freeze-when-systemd-crashd.patch b/10004-Do-not-go-into-freeze-when-systemd-crashd.patch new file mode 100644 index 0000000..1cb12cc --- /dev/null +++ b/10004-Do-not-go-into-freeze-when-systemd-crashd.patch @@ -0,0 +1,103 @@ +From 64072aab92ff6489a2e460a9bdd1cfefa587264b Mon Sep 17 00:00:00 2001 +From: Yuanhong Peng +Date: Tue, 19 Apr 2022 13:36:09 +0800 +Subject: [PATCH] Do not go into freeze when systemd crashd + +--- + src/core/main.c | 41 ++++++++++++++++++++++++++++++++++++++++- + 1 file changed, 40 insertions(+), 1 deletion(-) + +diff --git a/src/core/main.c b/src/core/main.c +index 0aec5d1..db91151 100644 +--- a/src/core/main.c ++++ b/src/core/main.c +@@ -3,6 +3,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -10,6 +11,7 @@ + #include + #include + #include ++#include + #include + #if HAVE_SECCOMP + #include +@@ -135,10 +137,41 @@ static sd_id128_t arg_machine_id; + static EmergencyAction arg_cad_burst_action; + static CPUSet arg_cpu_affinity; + static NUMAPolicy arg_numa_policy; ++static bool reexec_jmp_can = false; ++static bool reexec_jmp_inited = false; ++static sigjmp_buf reexec_jmp_buf; + + static int parse_configuration(const struct rlimit *saved_rlimit_nofile, + const struct rlimit *saved_rlimit_memlock); + ++static void reexec_handler(int sig) { ++ reexec_jmp_can = true; ++} ++ ++_noreturn_ static void freeze_wait_upgrade(void) { ++ struct sigaction sa; ++ sigset_t ss; ++ ++ sigemptyset(&ss); ++ sigaddset(&ss, SIGTERM); ++ sigprocmask(SIG_UNBLOCK, &ss, NULL); ++ ++ sa.sa_handler = reexec_handler; ++ sa.sa_flags = SA_RESTART; ++ sigaction(SIGTERM, &sa, NULL); ++ ++ log_error("freeze_wait_upgrade: %d\n", reexec_jmp_inited); ++ reexec_jmp_can = false; ++ while(1) { ++ usleep(10000); ++ if (reexec_jmp_inited && reexec_jmp_can) { ++ log_error("goto manager_reexecute.\n"); ++ siglongjmp(reexec_jmp_buf, 1); ++ } ++ waitpid(-1, NULL, WNOHANG); ++ } ++} ++ + _noreturn_ static void freeze_or_exit_or_reboot(void) { + /* If we are running in a contianer, let's prefer exiting, after all we can propagate an exit code to the + * container manager, and thus inform it that something went wrong. */ +@@ -157,7 +190,8 @@ _noreturn_ static void freeze_or_exit_or_reboot(void) { + } + + log_emergency("Freezing execution."); +- freeze(); ++ freeze_wait_upgrade(); ++ + } + + _noreturn_ static void crash(int sig) { +@@ -1667,6 +1701,10 @@ static int invoke_main_loop( + assert(ret_switch_root_init); + assert(ret_error_message); + ++ reexec_jmp_inited = true; ++ if (sigsetjmp(reexec_jmp_buf, 1)) ++ goto manager_reexecute; ++ + for (;;) { + r = manager_loop(m); + if (r < 0) { +@@ -1709,6 +1747,7 @@ static int invoke_main_loop( + + case MANAGER_REEXECUTE: + ++manager_reexecute: + r = prepare_reexecute(m, &arg_serialization, ret_fds, false); + if (r < 0) { + *ret_error_message = "Failed to prepare for reexecution"; +-- +2.27.0 + diff --git a/10005-mount-setup-change-the-system-mount-propagation-to-s.patch b/10005-mount-setup-change-the-system-mount-propagation-to-s.patch new file mode 100644 index 0000000..fa95141 --- /dev/null +++ b/10005-mount-setup-change-the-system-mount-propagation-to-s.patch @@ -0,0 +1,62 @@ +From 0c7f29561634f9374c0d9042304f4d4caa4242f0 Mon Sep 17 00:00:00 2001 +From: Wen Yang +Date: Tue, 19 Apr 2022 13:50:04 +0800 +Subject: [PATCH] mount-setup: change the system mount propagation to + +--- + src/core/main.c | 2 +- + src/core/mount-setup.c | 4 ++-- + src/core/mount-setup.h | 2 +- + 3 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/src/core/main.c b/src/core/main.c +index db91151..81dae1c 100644 +--- a/src/core/main.c ++++ b/src/core/main.c +@@ -2519,7 +2519,7 @@ int main(int argc, char *argv[]) { + if (!skip_setup) + kmod_setup(); + +- r = mount_setup(loaded_policy); ++ r = mount_setup(loaded_policy, skip_setup); + if (r < 0) { + error_message = "Failed to mount API filesystems"; + goto finish; +diff --git a/src/core/mount-setup.c b/src/core/mount-setup.c +index a659458..9f9f953 100644 +--- a/src/core/mount-setup.c ++++ b/src/core/mount-setup.c +@@ -400,7 +400,7 @@ static int relabel_cgroup_filesystems(void) { + } + #endif + +-int mount_setup(bool loaded_policy) { ++int mount_setup(bool loaded_policy, bool leave_propagation) { + int r = 0; + + r = mount_points_setup(ELEMENTSOF(mount_table), loaded_policy); +@@ -444,7 +444,7 @@ int mount_setup(bool loaded_policy) { + * needed. Note that we set this only when we are invoked directly by the kernel. If we are invoked by a + * container manager we assume the container manager knows what it is doing (for example, because it set up + * some directories with different propagation modes). */ +- if (detect_container() <= 0) ++ if (detect_container() <= 0 && !leave_propagation) + if (mount(NULL, "/", NULL, MS_REC|MS_SHARED, NULL) < 0) + log_warning_errno(errno, "Failed to set up the root directory for shared mount propagation: %m"); + +diff --git a/src/core/mount-setup.h b/src/core/mount-setup.h +index 43cd890..7a011b2 100644 +--- a/src/core/mount-setup.h ++++ b/src/core/mount-setup.h +@@ -4,7 +4,7 @@ + #include + + int mount_setup_early(void); +-int mount_setup(bool loaded_policy); ++int mount_setup(bool loaded_policy, bool leave_propagation); + + int mount_cgroup_controllers(char ***join_controllers); + +-- +2.27.0 + diff --git a/10006-cgroup-util-make-definition-of-CGROUP_CONTROLLER_TO_.patch b/10006-cgroup-util-make-definition-of-CGROUP_CONTROLLER_TO_.patch new file mode 100644 index 0000000..9a5fa6e --- /dev/null +++ b/10006-cgroup-util-make-definition-of-CGROUP_CONTROLLER_TO_.patch @@ -0,0 +1,26 @@ +From d449667a6a545a46647911838731e8e46a5a39ed Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Tue, 19 Apr 2022 13:56:39 +0800 +Subject: [PATCH] cgroup-util: make definition of CGROUP_CONTROLLER_TO_MASK() + unsigned + +--- + src/basic/cgroup-util.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/basic/cgroup-util.h b/src/basic/cgroup-util.h +index 1210b38..76659c3 100644 +--- a/src/basic/cgroup-util.h ++++ b/src/basic/cgroup-util.h +@@ -31,7 +31,7 @@ typedef enum CGroupController { + _CGROUP_CONTROLLER_INVALID = -1, + } CGroupController; + +-#define CGROUP_CONTROLLER_TO_MASK(c) (1 << (c)) ++#define CGROUP_CONTROLLER_TO_MASK(c) (1U << (c)) + + /* A bit mask of well known cgroup controllers */ + typedef enum CGroupMask { +-- +2.27.0 + diff --git a/10007-cgroup-update-only-siblings-that-got-realized-once.patch b/10007-cgroup-update-only-siblings-that-got-realized-once.patch new file mode 100644 index 0000000..068f21c --- /dev/null +++ b/10007-cgroup-update-only-siblings-that-got-realized-once.patch @@ -0,0 +1,46 @@ +From 841539281bed5187d2f773097eefb0bb3c5057ec Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Tue, 19 Apr 2022 14:03:12 +0800 +Subject: [PATCH] cgroup: update only siblings that got realized once + +--- + src/core/cgroup.c | 16 +++++++++++++++- + 1 file changed, 15 insertions(+), 1 deletion(-) + +diff --git a/src/core/cgroup.c b/src/core/cgroup.c +index f02cc31..e0e0a98 100644 +--- a/src/core/cgroup.c ++++ b/src/core/cgroup.c +@@ -1980,7 +1980,16 @@ static void unit_add_siblings_to_cgroup_realize_queue(Unit *u) { + Unit *slice; + + /* This adds the siblings of the specified unit and the siblings of all parent units to the cgroup +- * queue. (But neither the specified unit itself nor the parents.) */ ++ * queue. (But neither the specified unit itself nor the parents.) ++ * ++ * Propagation of realization "side-ways" (i.e. towards siblings) is in relevant on cgroup-v1 where ++ * scheduling become very weird if two units that own processes reside in the same slice, but one is ++ * realized in the "cpu" hierarchy and once is not (for example because one has CPUWeight= set and ++ * the other does not), because that means processes need to be scheduled against groups. Let's avoid ++ * this asymmetry by always ensuring that units below a slice that are realized at all are hence ++ * always realized in *all* their hierarchies, and it is sufficient for a unit's sibling to be ++ * realized for a unit to be realized too. */ ++ + + while ((slice = UNIT_DEREF(u->slice))) { + Iterator i; +@@ -1996,6 +2005,11 @@ static void unit_add_siblings_to_cgroup_realize_queue(Unit *u) { + if (UNIT_IS_INACTIVE_OR_FAILED(unit_active_state(m))) + continue; + ++ /* We only enqueue siblings if they were realized once at least, in the main ++ * hierarchy. */ ++ if (!m->cgroup_realized) ++ continue; ++ + /* If the unit doesn't need any new controllers and has current ones realized, it + * doesn't need any changes. */ + if (unit_has_mask_realized(m, +-- +2.27.0 + diff --git a/10008-core-add-a-config-item-to-support-setting-the-value-.patch b/10008-core-add-a-config-item-to-support-setting-the-value-.patch new file mode 100644 index 0000000..272d61b --- /dev/null +++ b/10008-core-add-a-config-item-to-support-setting-the-value-.patch @@ -0,0 +1,120 @@ +From f21d63650318791f29f56dc26f23acb5b53620a6 Mon Sep 17 00:00:00 2001 +From:Yuanhong Peng +Date: Tue, 19 Apr 2022 14:13:49 +0800 +Subject: [PATCH] core: add a config item to support setting the value + +--- + src/core/main.c | 69 +++++++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 69 insertions(+) + +diff --git a/src/core/main.c b/src/core/main.c +index 81dae1c..0712423 100644 +--- a/src/core/main.c ++++ b/src/core/main.c +@@ -140,6 +140,7 @@ static NUMAPolicy arg_numa_policy; + static bool reexec_jmp_can = false; + static bool reexec_jmp_inited = false; + static sigjmp_buf reexec_jmp_buf; ++static bool arg_default_cpuset_clone_children = false; + + static int parse_configuration(const struct rlimit *saved_rlimit_nofile, + const struct rlimit *saved_rlimit_memlock); +@@ -527,6 +528,14 @@ static int parse_proc_cmdline_item(const char *key, const char *value, void *dat + return 0; + + parse_path_argument_and_warn(value, false, &arg_watchdog_device); ++ ++ } else if (proc_cmdline_key_streq(key, "systemd.cpuset_clone_children") && value) { ++ ++ r = parse_boolean(value); ++ if (r < 0) ++ log_warning("Failed to parse cpuset_clone_children switch %s. Ignoring.", value); ++ else ++ arg_default_cpuset_clone_children = r; + + } else if (streq(key, "quiet") && !value) { + +@@ -756,6 +765,7 @@ static int parse_config_file(void) { + { "Manager", "DefaultTasksAccounting", config_parse_bool, 0, &arg_default_tasks_accounting }, + { "Manager", "DefaultTasksMax", config_parse_tasks_max, 0, &arg_default_tasks_max }, + { "Manager", "CtrlAltDelBurstAction", config_parse_emergency_action, 0, &arg_cad_burst_action }, ++ { "Manager", "DefaultCPUSetCloneChildren",config_parse_bool, 0, &arg_default_cpuset_clone_children }, + {} + }; + +@@ -1872,6 +1882,64 @@ static void log_execution_mode(bool *ret_first_boot) { + } + } + ++static bool is_use_triple_cgroup(void) { ++ const char * path ="/sys/fs/cgroup/cpuset"; ++ _cleanup_strv_free_ char **l = NULL; ++ char buf[128] = {0}; ++ int r; ++ ++ r = is_symlink(path); ++ if (r <= 0) ++ return false; ++ ++ r = readlink(path, buf, sizeof(buf)); ++ if (r < 0 || (unsigned int)r >= sizeof(buf)) ++ return false; ++ ++ buf[r] = '\0'; ++ l = strv_split(buf, ","); ++ if (!l) ++ return false; ++ ++ strv_sort(l); ++ if (strv_length(l) != 3) ++ return false; ++ ++ if (streq(l[0],"cpu") && streq(l[1], "cpuacct") && ++ streq(l[2], "cpuset")) { ++ log_debug(PACKAGE_STRING " use_triple_cgroup: %s", buf); ++ return true; ++ } ++ return false; ++} ++ ++static int ali_handle_cpuset_clone_children(void) ++{ ++ const char *file = "/sys/fs/cgroup/cpuset/cgroup.clone_children"; ++ _cleanup_free_ char *buf = NULL; ++ int r; ++ ++ r = read_one_line_file(file, &buf); ++ if (r < 0) { ++ log_warning_errno(r, "Cannot read %s: %m", file); ++ return r; ++ } ++ ++ if (streq(buf, "1") && arg_default_cpuset_clone_children) ++ return 0; ++ ++ if (streq(buf, "0") && (!arg_default_cpuset_clone_children)) ++ return 0; ++ ++ if (!is_use_triple_cgroup()) ++ return 0; ++ ++ r = write_string_file(file, one_zero(arg_default_cpuset_clone_children), 0); ++ log_info(PACKAGE_STRING " set %s to %s, ret=%d", file, one_zero(arg_default_cpuset_clone_children), r); ++ return r; ++} ++ ++ + static int initialize_runtime( + bool skip_setup, + struct rlimit *saved_rlimit_nofile, +@@ -1906,6 +1974,7 @@ static int initialize_runtime( + return r; + } + ++ ali_handle_cpuset_clone_children(); + status_welcome(); + hostname_setup(); + machine_id_setup(NULL, arg_machine_id, NULL); +-- +2.27.0 + diff --git a/10009-systemd-anolis-support-loongarch64.patch b/10009-systemd-anolis-support-loongarch64.patch new file mode 100644 index 0000000..b76c8e0 --- /dev/null +++ b/10009-systemd-anolis-support-loongarch64.patch @@ -0,0 +1,56 @@ +From c8b7c2b34bd451cd9d5904fc215ad14893008a03 Mon Sep 17 00:00:00 2001 +From: rpm-build +Date: Tue, 19 Apr 2022 14:25:05 +0800 +Subject: [PATCH] support loongarch64 for systemd + +--- + src/basic/architecture.c | 3 +++ + src/basic/architecture.h | 4 ++++ + 2 files changed, 7 insertions(+) + +diff --git a/src/basic/architecture.c b/src/basic/architecture.c +index 85837b5..96bbf97 100644 +--- a/src/basic/architecture.c ++++ b/src/basic/architecture.c +@@ -118,6 +118,8 @@ int uname_architecture(void) { + #elif defined(__arc__) + { "arc", ARCHITECTURE_ARC }, + { "arceb", ARCHITECTURE_ARC_BE }, ++#elif defined(__loongarch64) ++ { "loongarch64", ARCHITECTURE_LOONGARCH64 }, + #else + #error "Please register your architecture here!" + #endif +@@ -173,6 +175,7 @@ static const char *const architecture_table[_ARCHITECTURE_MAX] = { + [ARCHITECTURE_RISCV64] = "riscv64", + [ARCHITECTURE_ARC] = "arc", + [ARCHITECTURE_ARC_BE] = "arc-be", ++ [ARCHITECTURE_LOONGARCH64] = "loongarch64", + }; + + DEFINE_STRING_TABLE_LOOKUP(architecture, int); +diff --git a/src/basic/architecture.h b/src/basic/architecture.h +index 443e890..22e9108 100644 +--- a/src/basic/architecture.h ++++ b/src/basic/architecture.h +@@ -44,6 +44,7 @@ enum { + ARCHITECTURE_RISCV64, + ARCHITECTURE_ARC, + ARCHITECTURE_ARC_BE, ++ ARCHITECTURE_LOONGARCH64, + _ARCHITECTURE_MAX, + _ARCHITECTURE_INVALID = -1 + }; +@@ -229,6 +230,9 @@ int uname_architecture(void); + # define native_architecture() ARCHITECTURE_ARC + # define LIB_ARCH_TUPLE "arc-linux" + # endif ++#elif defined(__loongarch64) ++# define native_architecture() ARCHITECTURE_LOONGARCH64 ++# define LIB_ARCH_TUPLE "loongarch64-linux-gnu" + #else + # error "Please register your architecture here!" + #endif +-- +2.27.0 + diff --git a/systemd.spec b/systemd.spec index 200c90d..faf801d 100644 --- a/systemd.spec +++ b/systemd.spec @@ -1,3 +1,4 @@ +%define anolis_release .0.1 #global gitcommit 10e465b5321bd53c1fc59ffab27e724535c6bc0f %{?gitcommit:%global gitcommitshort %(c=%{gitcommit}; echo ${c:0:7})} @@ -13,7 +14,7 @@ Name: systemd Url: http://www.freedesktop.org/wiki/Software/systemd Version: 239 -Release: 82%{?dist}.2 +Release: 82%{anolis_release}%{?dist}.2 # For a breakdown of the licensing, see README License: LGPLv2+ and MIT and GPLv2+ Summary: System and Service Manager @@ -1063,6 +1064,16 @@ Patch1010: 1010-pid1-by-default-make-user-units-inherit-their-umask-.patch Patch1011: 1011-pam-add-call-to-pam_umask.patch Patch1012: 1012-ci-deploy-systemd-man-to-GitHub-Pages.patch Patch1013: 1013-ci-src-git-update-list-of-supported-products.patch +Patch10000: 10000-core-fix-a-null-reference-case-in-load_from_path.patch +Patch10001: 10001-sysctl-Don-t-pass-null-directive-argument-to-s.patch +Patch10002: 10002-exit-status-introduce-EXIT_EXCEPTION-mapping-to-255.patch +Patch10003: 10003-main-don-t-freeze-PID-1-in-containers-exit-with-non-.patch +Patch10004: 10004-Do-not-go-into-freeze-when-systemd-crashd.patch +Patch10005: 10005-mount-setup-change-the-system-mount-propagation-to-s.patch +Patch10006: 10006-cgroup-util-make-definition-of-CGROUP_CONTROLLER_TO_.patch +Patch10007: 10007-cgroup-update-only-siblings-that-got-realized-once.patch +Patch10008: 10008-core-add-a-config-item-to-support-setting-the-value-.patch +Patch10009: 10009-systemd-anolis-support-loongarch64.patch %ifarch %{ix86} x86_64 aarch64 %global have_gnu_efi 1 @@ -1689,6 +1700,18 @@ fi %files tests -f .file-list-tests %changelog +* Wed Oct 09 2024 Yuanhong Peng - 239-82.0.1.2 +- core: fix a null reference case in load_from_path() +- sysctl: Don't pass null directive argument to '%s' +- exit-status: introduce EXIT_EXCEPTION mapping to 255 +- main: don't freeze PID 1 in containers, exit with non-zero instead +- Do not go into freeze when systemd crashd +- mount-setup: change the system mount propagation to shared by default only at bootup +- cgroup-util: make definition of CGROUP_CONTROLLER_TO_MASK() unsigned +- cgroup: update only siblings that got realized once +- core: add a config item to support setting the value of cpuset.clone_children when systemd is starting +- support loongarch for systemd + * Tue Jul 23 2024 systemd maintenance team - 239-82.2 - spec: do not create symlink /etc/systemd/system/syslog.service (RHEL-13179) -- Gitee From f096138687c4b810e0b66b3681846f52e789eb2e Mon Sep 17 00:00:00 2001 From: Yuanhong Peng Date: Wed, 18 May 2022 10:24:07 +0800 Subject: [PATCH 03/19] test-catalog: Fix coredump when compiled under GCC10 Signed-off-by: Yuanhong Peng --- ...x-coredump-when-compiled-under-GCC10.patch | 56 +++++++++++++++++++ systemd.spec | 2 + 2 files changed, 58 insertions(+) create mode 100644 10010-test-catalog-Fix-coredump-when-compiled-under-GCC10.patch diff --git a/10010-test-catalog-Fix-coredump-when-compiled-under-GCC10.patch b/10010-test-catalog-Fix-coredump-when-compiled-under-GCC10.patch new file mode 100644 index 0000000..d4054b4 --- /dev/null +++ b/10010-test-catalog-Fix-coredump-when-compiled-under-GCC10.patch @@ -0,0 +1,56 @@ +From 5209a26aa917aa54b09ee18394ad46ee601e77be Mon Sep 17 00:00:00 2001 +From: Yuanhong Peng +Date: Tue, 17 May 2022 21:34:34 +0800 +Subject: [PATCH] test-catalog: Fix coredump when compiled under GCC10 + +According to the documentation: +https://gcc.gnu.org/gcc-9/porting_to.html#complit: + +The `catalog_dirs` produced by STRV_MAKE(..) marco relies on +the extended lifetime feature which is fixed by GCC9. + +Signed-off-by: Yuanhong Peng +--- + src/journal/test-catalog.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +diff --git a/src/journal/test-catalog.c b/src/journal/test-catalog.c +index 0c4da29..2ce92af 100644 +--- a/src/journal/test-catalog.c ++++ b/src/journal/test-catalog.c +@@ -201,7 +201,8 @@ static void test_catalog_file_lang(void) { + + int main(int argc, char *argv[]) { + _cleanup_(unlink_tempfilep) char database[] = "/tmp/test-catalog.XXXXXX"; +- _cleanup_free_ char *text = NULL, *catalog_dir = NULL; ++ _cleanup_free_ char *text = NULL; ++ char *catalog_dir = CATALOG_DIR; + int r; + + setlocale(LC_ALL, "de_DE.UTF-8"); +@@ -214,10 +215,9 @@ int main(int argc, char *argv[]) { + * If it is not, e.g. installed by systemd-tests package, then use installed catalogs. */ + if (test_is_running_from_builddir(NULL)) { + assert_se(catalog_dir = path_join(NULL, ABS_BUILD_DIR, "catalog")); +- catalog_dirs = STRV_MAKE(catalog_dir); +- } else +- catalog_dirs = STRV_MAKE(CATALOG_DIR); ++ } + ++ catalog_dirs = STRV_MAKE(catalog_dir); + assert_se(access(catalog_dirs[0], F_OK) >= 0); + log_notice("Using catalog directory '%s'", catalog_dirs[0]); + +@@ -242,5 +242,9 @@ int main(int argc, char *argv[]) { + assert_se(catalog_get(database, SD_MESSAGE_COREDUMP, &text) >= 0); + printf(">>>%s<<<\n", text); + ++ /* Only in this case, catalog_dir is malloced */ ++ if (test_is_running_from_builddir(NULL)) ++ free(catalog_dir); ++ + return 0; + } +-- +2.27.0 + diff --git a/systemd.spec b/systemd.spec index faf801d..da70795 100644 --- a/systemd.spec +++ b/systemd.spec @@ -1074,6 +1074,7 @@ Patch10006: 10006-cgroup-util-make-definition-of-CGROUP_CONTROLLER_TO_.patch Patch10007: 10007-cgroup-update-only-siblings-that-got-realized-once.patch Patch10008: 10008-core-add-a-config-item-to-support-setting-the-value-.patch Patch10009: 10009-systemd-anolis-support-loongarch64.patch +Patch10010: 10010-test-catalog-Fix-coredump-when-compiled-under-GCC10.patch %ifarch %{ix86} x86_64 aarch64 %global have_gnu_efi 1 @@ -1711,6 +1712,7 @@ fi - cgroup: update only siblings that got realized once - core: add a config item to support setting the value of cpuset.clone_children when systemd is starting - support loongarch for systemd +- test-catalog: Fix coredump when compiled under GCC10 * Tue Jul 23 2024 systemd maintenance team - 239-82.2 - spec: do not create symlink /etc/systemd/system/syslog.service (RHEL-13179) -- Gitee From dd6b8456f723a290806a24da110c761a812c60ea Mon Sep 17 00:00:00 2001 From: Liwei Ge Date: Tue, 26 Jul 2022 22:05:44 +0800 Subject: [PATCH 04/19] hwdb: add Iluvatar CoreX https://bugzilla.openanolis.cn/show_bug.cgi?id=1740 Signed-off-by: Liwei Ge --- 10011-hwdb-add-Iluvatar-CoreX.patch | 44 +++++++++++++++++++++++++++++ systemd.spec | 2 ++ 2 files changed, 46 insertions(+) create mode 100644 10011-hwdb-add-Iluvatar-CoreX.patch diff --git a/10011-hwdb-add-Iluvatar-CoreX.patch b/10011-hwdb-add-Iluvatar-CoreX.patch new file mode 100644 index 0000000..e08657c --- /dev/null +++ b/10011-hwdb-add-Iluvatar-CoreX.patch @@ -0,0 +1,44 @@ +From 28e47526dce925e6f32cf79825d38fd10e1f442a Mon Sep 17 00:00:00 2001 +From: rpm-build +Date: Tue, 26 Jul 2022 22:01:58 +0800 +Subject: [PATCH] hwdb: add Iluvatar CoreX + +Signed-off-by: rpm-build +--- + hwdb/20-pci-vendor-model.hwdb | 6 ++++++ + hwdb/pci.ids | 2 ++ + 2 files changed, 8 insertions(+) + +diff --git a/hwdb/20-pci-vendor-model.hwdb b/hwdb/20-pci-vendor-model.hwdb +index 0020046..78926f8 100644 +--- a/hwdb/20-pci-vendor-model.hwdb ++++ b/hwdb/20-pci-vendor-model.hwdb +@@ -71141,6 +71141,12 @@ pci:v00001EEC* + pci:v00001EFB* + ID_VENDOR_FROM_DATABASE=Flexxon Pte Ltd + ++pci:v00001E3E* ++ ID_VENDOR_FROM_DATABASE=Iluvatar CoreX ++ ++pci:v00001E3Ed00000001* ++ ID_MODEL_FROM_DATABASE=Iluvatar BI-V100 ++ + pci:v00001FC0* + ID_VENDOR_FROM_DATABASE=Ascom (Finland) Oy + +diff --git a/hwdb/pci.ids b/hwdb/pci.ids +index 40ee143..d6661c7 100644 +--- a/hwdb/pci.ids ++++ b/hwdb/pci.ids +@@ -21543,6 +21543,8 @@ + 0003 alst4x + 1dfc JSC NT-COM + 1181 TDM 8 Port E1/T1/J1 Adapter ++1e3e Iluvatar CoreX ++ 0001 Iluvatar BI-V100 + # nee Tumsan Oy + 1fc0 Ascom (Finland) Oy + 0300 E2200 Dual E1/Rawpipe Card +-- +2.27.0 + diff --git a/systemd.spec b/systemd.spec index da70795..f4abdd2 100644 --- a/systemd.spec +++ b/systemd.spec @@ -1075,6 +1075,7 @@ Patch10007: 10007-cgroup-update-only-siblings-that-got-realized-once.patch Patch10008: 10008-core-add-a-config-item-to-support-setting-the-value-.patch Patch10009: 10009-systemd-anolis-support-loongarch64.patch Patch10010: 10010-test-catalog-Fix-coredump-when-compiled-under-GCC10.patch +Patch10011: 10011-hwdb-add-Iluvatar-CoreX.patch %ifarch %{ix86} x86_64 aarch64 %global have_gnu_efi 1 @@ -1713,6 +1714,7 @@ fi - core: add a config item to support setting the value of cpuset.clone_children when systemd is starting - support loongarch for systemd - test-catalog: Fix coredump when compiled under GCC10 +- add Iluvatar CoreX pci id(Liwei Ge) * Tue Jul 23 2024 systemd maintenance team - 239-82.2 - spec: do not create symlink /etc/systemd/system/syslog.service (RHEL-13179) -- Gitee From 1206aac4e5767ffec3398fe3be5ac3060c782e7c Mon Sep 17 00:00:00 2001 From: Liwei Ge Date: Thu, 22 Sep 2022 10:38:05 +0800 Subject: [PATCH 05/19] seccomp: add loongarch support --- 10012-seccomp-add-loongarch-support.patch | 79 +++++++++++++++++++++++ systemd.spec | 4 +- 2 files changed, 82 insertions(+), 1 deletion(-) create mode 100644 10012-seccomp-add-loongarch-support.patch diff --git a/10012-seccomp-add-loongarch-support.patch b/10012-seccomp-add-loongarch-support.patch new file mode 100644 index 0000000..69b1b90 --- /dev/null +++ b/10012-seccomp-add-loongarch-support.patch @@ -0,0 +1,79 @@ +From 1894533699f7e01c80e896c5d022275777344492 Mon Sep 17 00:00:00 2001 +From: rpm-build +Date: Thu, 22 Sep 2022 10:33:54 +0800 +Subject: [PATCH] seccomp: add loongarch support + +--- + src/shared/seccomp-util.c | 21 +++++++++++++++++++++ + 1 file changed, 21 insertions(+) + +diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c +index c57c409..63a875c 100644 +--- a/src/shared/seccomp-util.c ++++ b/src/shared/seccomp-util.c +@@ -42,6 +42,8 @@ const uint32_t seccomp_local_archs[] = { + SCMP_ARCH_AARCH64, /* native */ + #elif defined(__arm__) + SCMP_ARCH_ARM, ++#elif defined(__loongarch__) ++ SCMP_ARCH_LOONGARCH64, + #elif defined(__mips__) && __BYTE_ORDER == __BIG_ENDIAN && _MIPS_SIM == _MIPS_SIM_ABI32 + SCMP_ARCH_MIPSEL, + SCMP_ARCH_MIPS, /* native */ +@@ -136,6 +138,10 @@ const char* seccomp_arch_to_string(uint32_t c) { + return "s390"; + case SCMP_ARCH_S390X: + return "s390x"; ++#if defined(__loongarch__) ++ case SCMP_ARCH_LOONGARCH64: ++ return "loongarch64"; ++#endif + default: + return NULL; + } +@@ -181,6 +187,10 @@ int seccomp_arch_from_string(const char *n, uint32_t *ret) { + *ret = SCMP_ARCH_S390; + else if (streq(n, "s390x")) + *ret = SCMP_ARCH_S390X; ++#if defined(__loongarch__) ++ else if (streq(n, "loongarch64")) ++ *ret = SCMP_ARCH_LOONGARCH64; ++#endif + else + return -EINVAL; + +@@ -1209,6 +1219,11 @@ int seccomp_protect_sysctl(void) { + if (IN_SET(arch, SCMP_ARCH_X32, SCMP_ARCH_AARCH64)) + /* No _sysctl syscall */ + continue; ++#if defined(__loongarch__) ++ if (IN_SET(arch, SCMP_ARCH_LOONGARCH64)) ++ /* No _sysctl syscall */ ++ continue; ++#endif + + r = seccomp_init_for_arch(&seccomp, arch, SCMP_ACT_ALLOW); + if (r < 0) +@@ -1267,6 +1282,9 @@ int seccomp_restrict_address_families(Set *address_families, bool whitelist) { + case SCMP_ARCH_PPC: + case SCMP_ARCH_PPC64: + case SCMP_ARCH_PPC64LE: ++#if defined(__loongarch__) ++ case SCMP_ARCH_LOONGARCH64: ++#endif + default: + /* These we either know we don't support (i.e. are the ones that do use socketcall()), or we + * don't know */ +@@ -1543,6 +1561,9 @@ int seccomp_memory_deny_write_execute(void) { + case SCMP_ARCH_X86_64: + case SCMP_ARCH_X32: + case SCMP_ARCH_AARCH64: ++#if defined(__loongarch__) ++ case SCMP_ARCH_LOONGARCH64: ++#endif + filter_syscall = SCMP_SYS(mmap); /* amd64, x32, and arm64 have only mmap */ + shmat_syscall = SCMP_SYS(shmat); + break; +-- +2.27.0 + diff --git a/systemd.spec b/systemd.spec index f4abdd2..2407f37 100644 --- a/systemd.spec +++ b/systemd.spec @@ -1076,6 +1076,7 @@ Patch10008: 10008-core-add-a-config-item-to-support-setting-the-value-.patch Patch10009: 10009-systemd-anolis-support-loongarch64.patch Patch10010: 10010-test-catalog-Fix-coredump-when-compiled-under-GCC10.patch Patch10011: 10011-hwdb-add-Iluvatar-CoreX.patch +Patch10012: 10012-seccomp-add-loongarch-support.patch %ifarch %{ix86} x86_64 aarch64 %global have_gnu_efi 1 @@ -1714,7 +1715,8 @@ fi - core: add a config item to support setting the value of cpuset.clone_children when systemd is starting - support loongarch for systemd - test-catalog: Fix coredump when compiled under GCC10 -- add Iluvatar CoreX pci id(Liwei Ge) +- add Iluvatar CoreX pci id (Liwei Ge) +- seccomp: add loongarch64 support (Liwei Ge) * Tue Jul 23 2024 systemd maintenance team - 239-82.2 - spec: do not create symlink /etc/systemd/system/syslog.service (RHEL-13179) -- Gitee From 6fb4d9c5e9b11dd244453af3d73fd2921a4c7be7 Mon Sep 17 00:00:00 2001 From: Liwei Ge Date: Tue, 6 Dec 2022 16:16:34 +0800 Subject: [PATCH 06/19] seccomp: remove loongarch condition since seccomp is fit into loongarch64 now these condition code cloud be removed --- 10012-seccomp-add-loongarch-support.patch | 106 +++++++++++++--------- systemd.spec | 1 + 2 files changed, 65 insertions(+), 42 deletions(-) diff --git a/10012-seccomp-add-loongarch-support.patch b/10012-seccomp-add-loongarch-support.patch index 69b1b90..6aba34f 100644 --- a/10012-seccomp-add-loongarch-support.patch +++ b/10012-seccomp-add-loongarch-support.patch @@ -1,14 +1,14 @@ -From 1894533699f7e01c80e896c5d022275777344492 Mon Sep 17 00:00:00 2001 +From 4c7025f5198be3d055c0e5ad68d364a57e8a7dcc Mon Sep 17 00:00:00 2001 From: rpm-build Date: Thu, 22 Sep 2022 10:33:54 +0800 Subject: [PATCH] seccomp: add loongarch support --- - src/shared/seccomp-util.c | 21 +++++++++++++++++++++ - 1 file changed, 21 insertions(+) + src/shared/seccomp-util.c | 18 +++++++++++++----- + 1 file changed, 13 insertions(+), 5 deletions(-) diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c -index c57c409..63a875c 100644 +index c57c409..1eec0be 100644 --- a/src/shared/seccomp-util.c +++ b/src/shared/seccomp-util.c @@ -42,6 +42,8 @@ const uint32_t seccomp_local_archs[] = { @@ -20,60 +20,82 @@ index c57c409..63a875c 100644 #elif defined(__mips__) && __BYTE_ORDER == __BIG_ENDIAN && _MIPS_SIM == _MIPS_SIM_ABI32 SCMP_ARCH_MIPSEL, SCMP_ARCH_MIPS, /* native */ -@@ -136,6 +138,10 @@ const char* seccomp_arch_to_string(uint32_t c) { - return "s390"; - case SCMP_ARCH_S390X: - return "s390x"; -+#if defined(__loongarch__) +@@ -114,6 +116,8 @@ const char* seccomp_arch_to_string(uint32_t c) { + return "arm"; + case SCMP_ARCH_AARCH64: + return "arm64"; + case SCMP_ARCH_LOONGARCH64: + return "loongarch64"; -+#endif - default: - return NULL; - } -@@ -181,6 +187,10 @@ int seccomp_arch_from_string(const char *n, uint32_t *ret) { - *ret = SCMP_ARCH_S390; - else if (streq(n, "s390x")) - *ret = SCMP_ARCH_S390X; -+#if defined(__loongarch__) + case SCMP_ARCH_MIPS: + return "mips"; + case SCMP_ARCH_MIPS64: +@@ -159,6 +163,8 @@ int seccomp_arch_from_string(const char *n, uint32_t *ret) { + *ret = SCMP_ARCH_ARM; + else if (streq(n, "arm64")) + *ret = SCMP_ARCH_AARCH64; + else if (streq(n, "loongarch64")) + *ret = SCMP_ARCH_LOONGARCH64; -+#endif - else - return -EINVAL; + else if (streq(n, "mips")) + *ret = SCMP_ARCH_MIPS; + else if (streq(n, "mips64")) +@@ -1206,7 +1212,7 @@ int seccomp_protect_sysctl(void) { -@@ -1209,6 +1219,11 @@ int seccomp_protect_sysctl(void) { - if (IN_SET(arch, SCMP_ARCH_X32, SCMP_ARCH_AARCH64)) + log_debug("Operating on architecture: %s", seccomp_arch_to_string(arch)); + +- if (IN_SET(arch, SCMP_ARCH_X32, SCMP_ARCH_AARCH64)) ++ if (IN_SET(arch, SCMP_ARCH_X32, SCMP_ARCH_AARCH64, SCMP_ARCH_LOONGARCH64)) /* No _sysctl syscall */ continue; -+#if defined(__loongarch__) -+ if (IN_SET(arch, SCMP_ARCH_LOONGARCH64)) -+ /* No _sysctl syscall */ -+ continue; -+#endif - r = seccomp_init_for_arch(&seccomp, arch, SCMP_ACT_ALLOW); - if (r < 0) -@@ -1267,6 +1282,9 @@ int seccomp_restrict_address_families(Set *address_families, bool whitelist) { - case SCMP_ARCH_PPC: - case SCMP_ARCH_PPC64: - case SCMP_ARCH_PPC64LE: -+#if defined(__loongarch__) +@@ -1251,6 +1257,7 @@ int seccomp_restrict_address_families(Set *address_families, bool whitelist) { + case SCMP_ARCH_X32: + case SCMP_ARCH_ARM: + case SCMP_ARCH_AARCH64: + case SCMP_ARCH_LOONGARCH64: -+#endif - default: - /* These we either know we don't support (i.e. are the ones that do use socketcall()), or we - * don't know */ -@@ -1543,6 +1561,9 @@ int seccomp_memory_deny_write_execute(void) { + case SCMP_ARCH_MIPSEL64N32: + case SCMP_ARCH_MIPS64N32: + case SCMP_ARCH_MIPSEL64: +@@ -1496,7 +1503,7 @@ static int add_seccomp_syscall_filter(scmp_filter_ctx seccomp, + } + + /* For known architectures, check that syscalls are indeed defined or not. */ +-#if defined(__x86_64__) || defined(__arm__) || defined(__aarch64__) ++#if defined(__x86_64__) || defined(__arm__) || defined(__aarch64__) || defined(__loongarch__) + assert_cc(SCMP_SYS(shmget) > 0); + assert_cc(SCMP_SYS(shmat) > 0); + assert_cc(SCMP_SYS(shmdt) > 0); +@@ -1543,13 +1550,14 @@ int seccomp_memory_deny_write_execute(void) { case SCMP_ARCH_X86_64: case SCMP_ARCH_X32: case SCMP_ARCH_AARCH64: -+#if defined(__loongarch__) + case SCMP_ARCH_LOONGARCH64: -+#endif filter_syscall = SCMP_SYS(mmap); /* amd64, x32, and arm64 have only mmap */ shmat_syscall = SCMP_SYS(shmat); break; + + /* Please add more definitions here, if you port systemd to other architectures! */ + +-#if !defined(__i386__) && !defined(__x86_64__) && !defined(__powerpc__) && !defined(__powerpc64__) && !defined(__arm__) && !defined(__aarch64__) ++#if !defined(__i386__) && !defined(__x86_64__) && !defined(__powerpc__) && !defined(__powerpc64__) && !defined(__arm__) && !defined(__aarch64__) && !defined(__loongarch__) + #warning "Consider adding the right mmap() syscall definitions here!" + #endif + } +@@ -1573,13 +1581,13 @@ int seccomp_memory_deny_write_execute(void) { + if (r < 0) + continue; + } +- ++ if (!IN_SET(arch, SCMP_ARCH_LOONGARCH64)){ + r = add_seccomp_syscall_filter(seccomp, arch, SCMP_SYS(mprotect), + 1, + SCMP_A2(SCMP_CMP_MASKED_EQ, PROT_EXEC, PROT_EXEC)); + if (r < 0) + continue; +- ++ } + #ifdef __NR_pkey_mprotect + r = add_seccomp_syscall_filter(seccomp, arch, SCMP_SYS(pkey_mprotect), + 1, -- 2.27.0 diff --git a/systemd.spec b/systemd.spec index 2407f37..02cfa2e 100644 --- a/systemd.spec +++ b/systemd.spec @@ -1717,6 +1717,7 @@ fi - test-catalog: Fix coredump when compiled under GCC10 - add Iluvatar CoreX pci id (Liwei Ge) - seccomp: add loongarch64 support (Liwei Ge) +- seccomp: remove loongarch64 switch(Liwei Ge) * Tue Jul 23 2024 systemd maintenance team - 239-82.2 - spec: do not create symlink /etc/systemd/system/syslog.service (RHEL-13179) -- Gitee From 9184ef52d8001659821fabbd9f2ed5649814b618 Mon Sep 17 00:00:00 2001 From: yuanhui Date: Mon, 6 Mar 2023 17:48:29 +0800 Subject: [PATCH 07/19] umount: check LO_FLAGS_AUTOCLEAR after LOOP_CLR_FD claimed success Signed-off-by: yuanhui --- ...FLAGS_AUTOCLEAR-after-LOOP_CLR_FD-cl.patch | 69 +++++++++++++++++++ systemd.spec | 2 + 2 files changed, 71 insertions(+) create mode 100644 10013-umount-check-LO_FLAGS_AUTOCLEAR-after-LOOP_CLR_FD-cl.patch diff --git a/10013-umount-check-LO_FLAGS_AUTOCLEAR-after-LOOP_CLR_FD-cl.patch b/10013-umount-check-LO_FLAGS_AUTOCLEAR-after-LOOP_CLR_FD-cl.patch new file mode 100644 index 0000000..fbc76ac --- /dev/null +++ b/10013-umount-check-LO_FLAGS_AUTOCLEAR-after-LOOP_CLR_FD-cl.patch @@ -0,0 +1,69 @@ +From b877c3b06f15a025748b9f09621ddf1bd00cacce Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Fri, 20 Dec 2019 17:58:03 +0100 +Subject: [PATCH] umount: check LO_FLAGS_AUTOCLEAR after LOOP_CLR_FD claimed + success + +Fixes: #14410 +Replaces: #14386 + +For Lifsea-ng, this patch fixes the problem that the system occasionally +fail to shutdown caused by /sysroot unable to umount. + +--- + systemd-239/src/core/umount.c | 29 ++++++++++++++++++++++------- + 1 file changed, 22 insertions(+), 7 deletions(-) + +diff --git a/src/core/umount.c b/src/core/umount.c +index 241fe6f..4400b3c 100644 +--- a/src/core/umount.c ++++ b/src/core/umount.c +@@ -334,23 +334,38 @@ static int dm_list_get(MountPoint **head) { + + static int delete_loopback(const char *device) { + _cleanup_close_ int fd = -1; +- int r; ++ struct loop_info64 info; + + assert(device); + + fd = open(device, O_RDONLY|O_CLOEXEC); + if (fd < 0) + return errno == ENOENT ? 0 : -errno; ++ ++ if (ioctl(fd, LOOP_CLR_FD, 0) < 0) { ++ if (errno == ENXIO) /* Nothing bound, didn't do anything */ ++ return 0; ++ ++ return -errno; ++ } + +- r = ioctl(fd, LOOP_CLR_FD, 0); +- if (r >= 0) ++ if (ioctl(fd, LOOP_GET_STATUS64, &info) < 0) { ++ /* If the LOOP_CLR_FD above succeeded we'll see ENXIO here. */ ++ if (errno == ENXIO) ++ log_debug("Successfully detached loopback device %s.", device); ++ else ++ log_debug_errno(errno, "Failed to invoke LOOP_GET_STATUS64 on loopback device %s, ignoring: %m", device); /* the LOOP_CLR_FD at least worked, let's hope for the best */ + return 1; ++ } + +- /* ENXIO: not bound, so no error */ +- if (errno == ENXIO) +- return 0; ++ /* Linux makes LOOP_CLR_FD succeed whenever LO_FLAGS_AUTOCLEAR is set without actually doing ++ * anything. Very confusing. Let's hence not claim we did anything in this case. */ ++ if (FLAGS_SET(info.lo_flags, LO_FLAGS_AUTOCLEAR)) ++ log_debug("Successfully called LOOP_CLR_FD on a loopback device %s with autoclear set, which is a NOP.", device); ++ else ++ log_debug("Weird, LOOP_CLR_FD succeeded but the device is still attached on %s.", device); + +- return -errno; ++ return -EBUSY; /* Nothing changed, the device is still attached, hence it apparently is still busy */; + } + + static int delete_dm(dev_t devnum) { +-- +2.31.1 + diff --git a/systemd.spec b/systemd.spec index 02cfa2e..d8444cd 100644 --- a/systemd.spec +++ b/systemd.spec @@ -1077,6 +1077,7 @@ Patch10009: 10009-systemd-anolis-support-loongarch64.patch Patch10010: 10010-test-catalog-Fix-coredump-when-compiled-under-GCC10.patch Patch10011: 10011-hwdb-add-Iluvatar-CoreX.patch Patch10012: 10012-seccomp-add-loongarch-support.patch +Patch10013: 10013-umount-check-LO_FLAGS_AUTOCLEAR-after-LOOP_CLR_FD-cl.patch %ifarch %{ix86} x86_64 aarch64 %global have_gnu_efi 1 @@ -1718,6 +1719,7 @@ fi - add Iluvatar CoreX pci id (Liwei Ge) - seccomp: add loongarch64 support (Liwei Ge) - seccomp: remove loongarch64 switch(Liwei Ge) +- umount: check LO_FLAGS_AUTOCLEAR after LOOP_CLR_FD claimed success(yuanhui) * Tue Jul 23 2024 systemd maintenance team - 239-82.2 - spec: do not create symlink /etc/systemd/system/syslog.service (RHEL-13179) -- Gitee From dc3b5a2c11f437298bc894f5487716c411814dbc Mon Sep 17 00:00:00 2001 From: Guorui Yu Date: Wed, 2 Aug 2023 22:44:03 +0800 Subject: [PATCH 08/19] cryptsetup: if keyfile is specified as AF_UNIX socket in the fs, connect to it, and read key data from it Signed-off-by: Guorui Yu --- ...ding-a-full-file-into-memory-refuse-.patch | 120 ++++++++ ...explicit_bzero_safe-for-explicit-mem.patch | 61 ++++ ...util-introduce-erase_and_free-helper.patch | 48 ++++ ...READ_FULL_FILE_SECURE-flag-for-readi.patch | 207 +++++++++++++ ...roduce-warn_file_is_world_accessible.patch | 67 +++++ ...l_file_full-also-warns-when-file-is-.patch | 64 +++++ ...x-memory-leak-if-READ_FULL_FILE_SECU.patch | 30 ++ ...icit-flag-for-generating-world-execu.patch | 44 +++ ..._fd-parameter-to-read_full_file_full.patch | 142 +++++++++ ...ort-for-read_full_file-on-AF_UNIX-st.patch | 271 ++++++++++++++++++ ...READ_FULL_FILE_CONNECT_SOCKET-to-all.patch | 181 ++++++++++++ ...ad_full_file_full-to-read-from-offse.patch | 246 ++++++++++++++++ ...-cryptsetup-s-main-key-file-logic-ov.patch | 95 ++++++ systemd.spec | 26 ++ 14 files changed, 1602 insertions(+) create mode 100644 10014-fileio-when-reading-a-full-file-into-memory-refuse-.patch create mode 100644 10015-util-introduce-explicit_bzero_safe-for-explicit-mem.patch create mode 100644 10016-util-introduce-erase_and_free-helper.patch create mode 100644 10017-util-introduce-READ_FULL_FILE_SECURE-flag-for-readi.patch create mode 100644 10018-fileio-introduce-warn_file_is_world_accessible.patch create mode 100644 10019-fileio-read_full_file_full-also-warns-when-file-is-.patch create mode 100644 10020-basic-fileio-Fix-memory-leak-if-READ_FULL_FILE_SECU.patch create mode 100644 10021-fileio-add-explicit-flag-for-generating-world-execu.patch create mode 100644 10022-fileio-add-dir_fd-parameter-to-read_full_file_full.patch create mode 100644 10023-fileio-add-support-for-read_full_file-on-AF_UNIX-st.patch create mode 100644 10024-fileio-beef-up-READ_FULL_FILE_CONNECT_SOCKET-to-all.patch create mode 100644 10025-fileio-teach-read_full_file_full-to-read-from-offse.patch create mode 100644 10026-cryptsetup-port-cryptsetup-s-main-key-file-logic-ov.patch diff --git a/10014-fileio-when-reading-a-full-file-into-memory-refuse-.patch b/10014-fileio-when-reading-a-full-file-into-memory-refuse-.patch new file mode 100644 index 0000000..f2eeed5 --- /dev/null +++ b/10014-fileio-when-reading-a-full-file-into-memory-refuse-.patch @@ -0,0 +1,120 @@ +From 9f181efdd59bd3e9134cf94007953562ca8b57fa Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Sat, 15 Dec 2018 12:25:32 +0100 +Subject: [PATCH] fileio: when reading a full file into memory, refuse inner + NUL bytes + +Just some extra care to avoid any ambiguities in what we read. + +(cherry picked from commit beb90929913354eec50c3524086fe70d14f97e2f) + +Signed-off-by: Guorui Yu +--- + src/basic/fileio.c | 25 +++++++++++++++++++------ + src/test/test-unit-file.c | 10 +++++----- + 2 files changed, 24 insertions(+), 11 deletions(-) + +diff --git a/src/basic/fileio.c b/src/basic/fileio.c +index 733fb42463..9fef97ff0c 100644 +--- a/src/basic/fileio.c ++++ b/src/basic/fileio.c +@@ -383,16 +383,20 @@ int read_full_virtual_file(const char *filename, char **ret_contents, size_t *re + return 0; + } + +-int read_full_stream(FILE *f, char **contents, size_t *size) { ++int read_full_stream( ++ FILE *f, ++ char **ret_contents, ++ size_t *ret_size) { ++ + _cleanup_free_ char *buf = NULL; + struct stat st; + size_t n, l; + int fd; + + assert(f); +- assert(contents); ++ assert(ret_contents); + +- n = LINE_MAX; ++ n = LINE_MAX; /* Start size */ + + fd = fileno(f); + if (fd >= 0) { /* If the FILE* object is backed by an fd (as opposed to memory or such, see fmemopen(), let's +@@ -448,11 +452,20 @@ int read_full_stream(FILE *f, char **contents, size_t *size) { + n = MIN(n * 2, READ_FULL_BYTES_MAX); + } + ++ if (!ret_size) { ++ /* Safety check: if the caller doesn't want to know the size of what we just read it will rely on the ++ * trailing NUL byte. But if there's an embedded NUL byte, then we should refuse operation as otherwise ++ * there'd be ambiguity about what we just read. */ ++ ++ if (memchr(buf, 0, l)) ++ return -EBADMSG; ++ } ++ + buf[l] = 0; +- *contents = TAKE_PTR(buf); ++ *ret_contents = TAKE_PTR(buf); + +- if (size) +- *size = l; ++ if (ret_size) ++ *ret_size = l; + + return 0; + } +diff --git a/src/test/test-unit-file.c b/src/test/test-unit-file.c +index 09b0179fa1..e64a27dd39 100644 +--- a/src/test/test-unit-file.c ++++ b/src/test/test-unit-file.c +@@ -532,7 +532,7 @@ static void test_load_env_file_1(void) { + + fd = mkostemp_safe(name); + assert_se(fd >= 0); +- assert_se(write(fd, env_file_1, sizeof(env_file_1)) == sizeof(env_file_1)); ++ assert_se(write(fd, env_file_1, strlen(env_file_1)) == strlen(env_file_1)); + + r = load_env_file(NULL, name, NULL, &data); + assert_se(r == 0); +@@ -554,7 +554,7 @@ static void test_load_env_file_2(void) { + + fd = mkostemp_safe(name); + assert_se(fd >= 0); +- assert_se(write(fd, env_file_2, sizeof(env_file_2)) == sizeof(env_file_2)); ++ assert_se(write(fd, env_file_2, strlen(env_file_2)) == strlen(env_file_2)); + + r = load_env_file(NULL, name, NULL, &data); + assert_se(r == 0); +@@ -571,7 +571,7 @@ static void test_load_env_file_3(void) { + + fd = mkostemp_safe(name); + assert_se(fd >= 0); +- assert_se(write(fd, env_file_3, sizeof(env_file_3)) == sizeof(env_file_3)); ++ assert_se(write(fd, env_file_3, strlen(env_file_3)) == strlen(env_file_3)); + + r = load_env_file(NULL, name, NULL, &data); + assert_se(r == 0); +@@ -586,7 +586,7 @@ static void test_load_env_file_4(void) { + + fd = mkostemp_safe(name); + assert_se(fd >= 0); +- assert_se(write(fd, env_file_4, sizeof(env_file_4)) == sizeof(env_file_4)); ++ assert_se(write(fd, env_file_4, strlen(env_file_4)) == strlen(env_file_4)); + + r = load_env_file(NULL, name, NULL, &data); + assert_se(r == 0); +@@ -605,7 +605,7 @@ static void test_load_env_file_5(void) { + + fd = mkostemp_safe(name); + assert_se(fd >= 0); +- assert_se(write(fd, env_file_5, sizeof(env_file_5)) == sizeof(env_file_5)); ++ assert_se(write(fd, env_file_5, strlen(env_file_5)) == strlen(env_file_5)); + + r = load_env_file(NULL, name, NULL, &data); + assert_se(r == 0); +-- +2.39.1 + diff --git a/10015-util-introduce-explicit_bzero_safe-for-explicit-mem.patch b/10015-util-introduce-explicit_bzero_safe-for-explicit-mem.patch new file mode 100644 index 0000000..c0ec4be --- /dev/null +++ b/10015-util-introduce-explicit_bzero_safe-for-explicit-mem.patch @@ -0,0 +1,61 @@ +From 17037ec625fca9e9a473a33954d011065f0088e3 Mon Sep 17 00:00:00 2001 +From: Guorui Yu +Date: Fri, 23 Jun 2023 13:01:24 +0800 +Subject: [PATCH] util: introduce explicit_bzero_safe for explicit memset + +(cherry picked from commit f441ae81ef70e9bdfddbb9e0a276bbb8ca2151d4) + +Signed-off-by: Guorui Yu +--- + src/basic/util.c | 18 ++++++++++++++++++ + src/basic/util.h | 11 +++++++++++ + 2 files changed, 29 insertions(+) + +diff --git a/src/basic/util.c b/src/basic/util.c +index 548e3652cc..bdfaca4aed 100644 +--- a/src/basic/util.c ++++ b/src/basic/util.c +@@ -684,3 +684,21 @@ void disable_coredumps(void) { + if (r < 0) + log_debug_errno(r, "Failed to turn off coredumps, ignoring: %m"); + } ++ ++#if !HAVE_EXPLICIT_BZERO ++/* ++ * The pointer to memset() is volatile so that compiler must de-reference the pointer and can't assume that ++ * it points to any function in particular (such as memset(), which it then might further "optimize"). This ++ * approach is inspired by openssl's crypto/mem_clr.c. ++ */ ++typedef void *(*memset_t)(void *,int,size_t); ++ ++static volatile memset_t memset_func = memset; ++ ++void* explicit_bzero_safe(void *p, size_t l) { ++ if (l > 0) ++ memset_func(p, '\0', l); ++ ++ return p; ++} ++#endif +diff --git a/src/basic/util.h b/src/basic/util.h +index 195f02cf5f..ab3314f82e 100644 +--- a/src/basic/util.h ++++ b/src/basic/util.h +@@ -240,3 +240,14 @@ int version(void); + int str_verscmp(const char *s1, const char *s2); + + void disable_coredumps(void); ++ ++#if HAVE_EXPLICIT_BZERO ++static inline void* explicit_bzero_safe(void *p, size_t l) { ++ if (l > 0) ++ explicit_bzero(p, l); ++ ++ return p; ++} ++#else ++void *explicit_bzero_safe(void *p, size_t l); ++#endif +-- +2.39.1 + diff --git a/10016-util-introduce-erase_and_free-helper.patch b/10016-util-introduce-erase_and_free-helper.patch new file mode 100644 index 0000000..43c42fc --- /dev/null +++ b/10016-util-introduce-erase_and_free-helper.patch @@ -0,0 +1,48 @@ +From 7c48fe64e3f1cdc61d9191d5e004d56d5244aa2c Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Thu, 8 Aug 2019 19:53:17 +0200 +Subject: [PATCH] util: introduce erase_and_free() helper + +(cherry picked from commit a20dda788d5a0f3b300e0d8bb34e45be335e2915) + +Signed-off-by: Guorui Yu +--- + src/basic/util.h | 18 ++++++++++++++++++ + 1 file changed, 18 insertions(+) + +diff --git a/src/basic/util.h b/src/basic/util.h +index ab3314f82e..4f4877b6b0 100644 +--- a/src/basic/util.h ++++ b/src/basic/util.h +@@ -5,6 +5,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -251,3 +252,20 @@ static inline void* explicit_bzero_safe(void *p, size_t l) { + #else + void *explicit_bzero_safe(void *p, size_t l); + #endif ++ ++static inline void* erase_and_free(void *p) { ++ size_t l; ++ ++ if (!p) ++ return NULL; ++ ++ l = malloc_usable_size(p); ++ explicit_bzero_safe(p, l); ++ free(p); ++ ++ return NULL; ++} ++ ++static inline void erase_and_freep(void *p) { ++ erase_and_free(*(void**) p); ++} +-- +2.39.1 + diff --git a/10017-util-introduce-READ_FULL_FILE_SECURE-flag-for-readi.patch b/10017-util-introduce-READ_FULL_FILE_SECURE-flag-for-readi.patch new file mode 100644 index 0000000..a37d579 --- /dev/null +++ b/10017-util-introduce-READ_FULL_FILE_SECURE-flag-for-readi.patch @@ -0,0 +1,207 @@ +From bc781489901fc6447cbd27b8d33f4f4439d6a5db Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Mon, 8 Apr 2019 02:22:40 +0900 +Subject: [PATCH] util: introduce READ_FULL_FILE_SECURE flag for reading secure + data + +(cherry picked from commit e0721f97b05c0a5f782233711ea95c1e02ccba44) + +[Guorui Yu: include util.h for explicit_bzero_safe] +Signed-off-by: Guorui Yu +--- + src/basic/fileio.c | 68 ++++++++++++++++++++++++++++++++-------------- + src/basic/fileio.h | 16 +++++++++-- + 2 files changed, 60 insertions(+), 24 deletions(-) + +diff --git a/src/basic/fileio.c b/src/basic/fileio.c +index 9fef97ff0c..cf7c92ebc7 100644 +--- a/src/basic/fileio.c ++++ b/src/basic/fileio.c +@@ -35,6 +35,7 @@ + #include "time-util.h" + #include "umask-util.h" + #include "utf8.h" ++#include "util.h" + + #define READ_FULL_BYTES_MAX (4U*1024U*1024U) + +@@ -383,26 +384,27 @@ int read_full_virtual_file(const char *filename, char **ret_contents, size_t *re + return 0; + } + +-int read_full_stream( ++int read_full_stream_full( + FILE *f, ++ ReadFullFileFlags flags, + char **ret_contents, + size_t *ret_size) { + + _cleanup_free_ char *buf = NULL; + struct stat st; +- size_t n, l; +- int fd; ++ size_t n, n_next, l; ++ int fd, r; + + assert(f); + assert(ret_contents); + +- n = LINE_MAX; /* Start size */ ++ n_next = LINE_MAX; /* Start size */ + + fd = fileno(f); + if (fd >= 0) { /* If the FILE* object is backed by an fd (as opposed to memory or such, see fmemopen(), let's + * optimize our buffering) */ + +- if (fstat(fileno(f), &st) < 0) ++ if (fstat(fd, &st) < 0) + return -errno; + + if (S_ISREG(st.st_mode)) { +@@ -415,27 +417,41 @@ int read_full_stream( + * to read here by one, so that the first read attempt already + * makes us notice the EOF. */ + if (st.st_size > 0) +- n = st.st_size + 1; ++ n_next = st.st_size + 1; + } + } + +- l = 0; ++ n = l = 0; + for (;;) { + char *t; + size_t k; + +- t = realloc(buf, n + 1); +- if (!t) +- return -ENOMEM; ++ if (flags & READ_FULL_FILE_SECURE) { ++ t = malloc(n_next + 1); ++ if (!t) { ++ r = -ENOMEM; ++ goto finalize; ++ } ++ memcpy_safe(t, buf, n); ++ explicit_bzero_safe(buf, n); ++ } else { ++ t = realloc(buf, n_next + 1); ++ if (!t) ++ return -ENOMEM; ++ } + + buf = t; ++ n = n_next; ++ + errno = 0; + k = fread(buf + l, 1, n - l, f); + if (k > 0) + l += k; + +- if (ferror(f)) +- return errno > 0 ? -errno : -EIO; ++ if (ferror(f)) { ++ r = errno > 0 ? -errno : -EIO; ++ goto finalize; ++ } + + if (feof(f)) + break; +@@ -446,10 +462,12 @@ int read_full_stream( + assert(l == n); + + /* Safety check */ +- if (n >= READ_FULL_BYTES_MAX) +- return -E2BIG; ++ if (n >= READ_FULL_BYTES_MAX) { ++ r = -E2BIG; ++ goto finalize; ++ } + +- n = MIN(n * 2, READ_FULL_BYTES_MAX); ++ n_next = MIN(n * 2, READ_FULL_BYTES_MAX); + } + + if (!ret_size) { +@@ -457,8 +475,10 @@ int read_full_stream( + * trailing NUL byte. But if there's an embedded NUL byte, then we should refuse operation as otherwise + * there'd be ambiguity about what we just read. */ + +- if (memchr(buf, 0, l)) +- return -EBADMSG; ++ if (memchr(buf, 0, l)) { ++ r = -EBADMSG; ++ goto finalize; ++ } + } + + buf[l] = 0; +@@ -468,21 +488,27 @@ int read_full_stream( + *ret_size = l; + + return 0; ++ ++finalize: ++ if (flags & READ_FULL_FILE_SECURE) ++ explicit_bzero_safe(buf, n); ++ ++ return r; + } + +-int read_full_file(const char *fn, char **contents, size_t *size) { ++int read_full_file_full(const char *filename, ReadFullFileFlags flags, char **contents, size_t *size) { + _cleanup_fclose_ FILE *f = NULL; + +- assert(fn); ++ assert(filename); + assert(contents); + +- f = fopen(fn, "re"); ++ f = fopen(filename, "re"); + if (!f) + return -errno; + + (void) __fsetlocking(f, FSETLOCKING_BYCALLER); + +- return read_full_stream(f, contents, size); ++ return read_full_stream_full(f, flags, contents, size); + } + + static int parse_env_file_internal( +diff --git a/src/basic/fileio.h b/src/basic/fileio.h +index c6ad375b8d..06649ef7e6 100644 +--- a/src/basic/fileio.h ++++ b/src/basic/fileio.h +@@ -24,6 +24,10 @@ typedef enum { + + } WriteStringFileFlags; + ++typedef enum { ++ READ_FULL_FILE_SECURE = 1 << 0, ++} ReadFullFileFlags; ++ + int write_string_stream_ts(FILE *f, const char *line, WriteStringFileFlags flags, struct timespec *ts); + static inline int write_string_stream(FILE *f, const char *line, WriteStringFileFlags flags) { + return write_string_stream_ts(f, line, flags, NULL); +@@ -35,9 +39,15 @@ static inline int write_string_file(const char *fn, const char *line, WriteStrin + + int write_string_filef(const char *fn, WriteStringFileFlags flags, const char *format, ...) _printf_(3, 4); + +-int read_one_line_file(const char *fn, char **line); +-int read_full_file(const char *fn, char **contents, size_t *size); +-int read_full_stream(FILE *f, char **contents, size_t *size); ++int read_one_line_file(const char *filename, char **line); ++int read_full_file_full(const char *filename, ReadFullFileFlags flags, char **contents, size_t *size); ++static inline int read_full_file(const char *filename, char **contents, size_t *size) { ++ return read_full_file_full(filename, 0, contents, size); ++} ++int read_full_stream_full(FILE *f, ReadFullFileFlags flags, char **contents, size_t *size); ++static inline int read_full_stream(FILE *f, char **contents, size_t *size) { ++ return read_full_stream_full(f, 0, contents, size); ++} + int read_full_virtual_file(const char *filename, char **ret_contents, size_t *ret_size); + + int verify_file(const char *fn, const char *blob, bool accept_extra_nl); +-- +2.39.1 + diff --git a/10018-fileio-introduce-warn_file_is_world_accessible.patch b/10018-fileio-introduce-warn_file_is_world_accessible.patch new file mode 100644 index 0000000..02f9518 --- /dev/null +++ b/10018-fileio-introduce-warn_file_is_world_accessible.patch @@ -0,0 +1,67 @@ +From e4c4f0bc712e43776c4f58712f47260711607098 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Mon, 8 Apr 2019 03:48:30 +0900 +Subject: [PATCH] fileio: introduce warn_file_is_world_accessible() + +(cherry picked from commit fc0895034d4811e8c6b263c0d902b31535613d76) + +Signed-off-by: Guorui Yu +--- + src/basic/fileio.c | 25 +++++++++++++++++++++++++ + src/basic/fileio.h | 3 +++ + 2 files changed, 28 insertions(+) + +diff --git a/src/basic/fileio.c b/src/basic/fileio.c +index cf7c92ebc7..2e74aac554 100644 +--- a/src/basic/fileio.c ++++ b/src/basic/fileio.c +@@ -1797,3 +1797,28 @@ int read_line(FILE *f, size_t limit, char **ret) { + + return (int) count; + } ++ ++int warn_file_is_world_accessible(const char *filename, struct stat *st, const char *unit, unsigned line) { ++ struct stat _st; ++ ++ if (!filename) ++ return 0; ++ ++ if (!st) { ++ if (stat(filename, &_st) < 0) ++ return -errno; ++ st = &_st; ++ } ++ ++ if ((st->st_mode & S_IRWXO) == 0) ++ return 0; ++ ++ if (unit) ++ log_syntax(unit, LOG_WARNING, filename, line, 0, ++ "%s has %04o mode that is too permissive, please adjust the access mode.", ++ filename, st->st_mode & 07777); ++ else ++ log_warning("%s has %04o mode that is too permissive, please adjust the access mode.", ++ filename, st->st_mode & 07777); ++ return 0; ++} +diff --git a/src/basic/fileio.h b/src/basic/fileio.h +index 06649ef7e6..2c9ce4355b 100644 +--- a/src/basic/fileio.h ++++ b/src/basic/fileio.h +@@ -5,6 +5,7 @@ + #include + #include + #include ++#include + #include + + #include "macro.h" +@@ -105,3 +106,5 @@ int read_nul_string(FILE *f, char **ret); + int mkdtemp_malloc(const char *template, char **ret); + + int read_line(FILE *f, size_t limit, char **ret); ++ ++int warn_file_is_world_accessible(const char *filename, struct stat *st, const char *unit, unsigned line); +-- +2.39.1 + diff --git a/10019-fileio-read_full_file_full-also-warns-when-file-is-.patch b/10019-fileio-read_full_file_full-also-warns-when-file-is-.patch new file mode 100644 index 0000000..af813a5 --- /dev/null +++ b/10019-fileio-read_full_file_full-also-warns-when-file-is-.patch @@ -0,0 +1,64 @@ +From 0dbf69ccdfa7b1f99935c3932445fbfa16dbbe75 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Mon, 8 Apr 2019 14:15:10 +0900 +Subject: [PATCH] fileio: read_full_file_full() also warns when file is world + readable and secure flag is set + +(cherry picked from commit 65dcd394d8223bc6bc194f3fe5bd70fed9d9a4fe) + +Signed-off-by: Guorui Yu +--- + src/basic/fileio.c | 6 +++++- + src/basic/fileio.h | 4 ++-- + 2 files changed, 7 insertions(+), 3 deletions(-) + +diff --git a/src/basic/fileio.c b/src/basic/fileio.c +index 2e74aac554..3abeb0d7f4 100644 +--- a/src/basic/fileio.c ++++ b/src/basic/fileio.c +@@ -386,6 +386,7 @@ int read_full_virtual_file(const char *filename, char **ret_contents, size_t *re + + int read_full_stream_full( + FILE *f, ++ const char *filename, + ReadFullFileFlags flags, + char **ret_contents, + size_t *ret_size) { +@@ -418,6 +419,9 @@ int read_full_stream_full( + * makes us notice the EOF. */ + if (st.st_size > 0) + n_next = st.st_size + 1; ++ ++ if (flags & READ_FULL_FILE_SECURE) ++ (void) warn_file_is_world_accessible(filename, &st, NULL, 0); + } + } + +@@ -508,7 +512,7 @@ int read_full_file_full(const char *filename, ReadFullFileFlags flags, char **co + + (void) __fsetlocking(f, FSETLOCKING_BYCALLER); + +- return read_full_stream_full(f, flags, contents, size); ++ return read_full_stream_full(f, filename, flags, contents, size); + } + + static int parse_env_file_internal( +diff --git a/src/basic/fileio.h b/src/basic/fileio.h +index 2c9ce4355b..3e572dc0de 100644 +--- a/src/basic/fileio.h ++++ b/src/basic/fileio.h +@@ -45,9 +45,9 @@ int read_full_file_full(const char *filename, ReadFullFileFlags flags, char **co + static inline int read_full_file(const char *filename, char **contents, size_t *size) { + return read_full_file_full(filename, 0, contents, size); + } +-int read_full_stream_full(FILE *f, ReadFullFileFlags flags, char **contents, size_t *size); ++int read_full_stream_full(FILE *f, const char *filename, ReadFullFileFlags flags, char **contents, size_t *size); + static inline int read_full_stream(FILE *f, char **contents, size_t *size) { +- return read_full_stream_full(f, 0, contents, size); ++ return read_full_stream_full(f, NULL, 0, contents, size); + } + int read_full_virtual_file(const char *filename, char **ret_contents, size_t *ret_size); + +-- +2.39.1 + diff --git a/10020-basic-fileio-Fix-memory-leak-if-READ_FULL_FILE_SECU.patch b/10020-basic-fileio-Fix-memory-leak-if-READ_FULL_FILE_SECU.patch new file mode 100644 index 0000000..e434089 --- /dev/null +++ b/10020-basic-fileio-Fix-memory-leak-if-READ_FULL_FILE_SECU.patch @@ -0,0 +1,30 @@ +From 14e0760c251fd5fc51731f7b58079c73f5055d64 Mon Sep 17 00:00:00 2001 +From: Benjamin Robin +Date: Sun, 14 Apr 2019 17:21:27 +0200 +Subject: [PATCH] basic/fileio: Fix memory leak if READ_FULL_FILE_SECURE flag + is used + +The memory leak introduced in #12223 (15f8f02) + +(cherry picked from commit 315a51982af2d480de9f7539346f30425e37a01e) + +Signed-off-by: Guorui Yu +--- + src/basic/fileio.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/basic/fileio.c b/src/basic/fileio.c +index 3abeb0d7f4..bb804e3afa 100644 +--- a/src/basic/fileio.c ++++ b/src/basic/fileio.c +@@ -438,6 +438,7 @@ int read_full_stream_full( + } + memcpy_safe(t, buf, n); + explicit_bzero_safe(buf, n); ++ buf = mfree(buf); + } else { + t = realloc(buf, n_next + 1); + if (!t) +-- +2.39.1 + diff --git a/10021-fileio-add-explicit-flag-for-generating-world-execu.patch b/10021-fileio-add-explicit-flag-for-generating-world-execu.patch new file mode 100644 index 0000000..1a93b5a --- /dev/null +++ b/10021-fileio-add-explicit-flag-for-generating-world-execu.patch @@ -0,0 +1,44 @@ +From 1e0dcd6fa1abea9c561f46556f7f7561b2a46e62 Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Fri, 17 Jul 2020 11:53:22 +0200 +Subject: [PATCH] fileio: add explicit flag for generating world executable + warning when reading file + +(cherry picked from commit 684aa979f1c4ce5f75ccdc131f32fc0434999918) + +Signed-off-by: Guorui Yu +--- + src/basic/fileio.c | 2 +- + src/basic/fileio.h | 3 ++- + 2 files changed, 3 insertions(+), 2 deletions(-) + +diff --git a/src/basic/fileio.c b/src/basic/fileio.c +index bb804e3afa..833c55b030 100644 +--- a/src/basic/fileio.c ++++ b/src/basic/fileio.c +@@ -420,7 +420,7 @@ int read_full_stream_full( + if (st.st_size > 0) + n_next = st.st_size + 1; + +- if (flags & READ_FULL_FILE_SECURE) ++ if (flags & READ_FULL_FILE_WARN_WORLD_READABLE) + (void) warn_file_is_world_accessible(filename, &st, NULL, 0); + } + } +diff --git a/src/basic/fileio.h b/src/basic/fileio.h +index 3e572dc0de..be10ac77b6 100644 +--- a/src/basic/fileio.h ++++ b/src/basic/fileio.h +@@ -26,7 +26,8 @@ typedef enum { + } WriteStringFileFlags; + + typedef enum { +- READ_FULL_FILE_SECURE = 1 << 0, ++ READ_FULL_FILE_SECURE = 1 << 0, ++ READ_FULL_FILE_WARN_WORLD_READABLE = 1 << 3, + } ReadFullFileFlags; + + int write_string_stream_ts(FILE *f, const char *line, WriteStringFileFlags flags, struct timespec *ts); +-- +2.39.1 + diff --git a/10022-fileio-add-dir_fd-parameter-to-read_full_file_full.patch b/10022-fileio-add-dir_fd-parameter-to-read_full_file_full.patch new file mode 100644 index 0000000..f6dc153 --- /dev/null +++ b/10022-fileio-add-dir_fd-parameter-to-read_full_file_full.patch @@ -0,0 +1,142 @@ +From 3f4ca11498028756ebde239ae469c0f88e5d3ecc Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Tue, 8 Jan 2019 18:29:36 +0100 +Subject: [PATCH] fileio: add 'dir_fd' parameter to read_full_file_full() + +Let's introduce an "at" version of read_full_file(). + +(cherry picked from commit f6be4db4530b7cfea191227c141343a4fb10d4c6) + +Signed-off-by: Guorui Yu +--- + src/basic/fileio.c | 84 +++++++++++++++++++++++++++++++++++++++++++--- + src/basic/fileio.h | 5 +-- + 2 files changed, 83 insertions(+), 6 deletions(-) + +diff --git a/src/basic/fileio.c b/src/basic/fileio.c +index 833c55b030..d7da834a74 100644 +--- a/src/basic/fileio.c ++++ b/src/basic/fileio.c +@@ -501,15 +501,91 @@ finalize: + return r; + } + +-int read_full_file_full(const char *filename, ReadFullFileFlags flags, char **contents, size_t *size) { ++static int mode_to_flags(const char *mode) { ++ const char *p; ++ int flags; ++ ++ if ((p = startswith(mode, "r+"))) ++ flags = O_RDWR; ++ else if ((p = startswith(mode, "r"))) ++ flags = O_RDONLY; ++ else if ((p = startswith(mode, "w+"))) ++ flags = O_RDWR|O_CREAT|O_TRUNC; ++ else if ((p = startswith(mode, "w"))) ++ flags = O_WRONLY|O_CREAT|O_TRUNC; ++ else if ((p = startswith(mode, "a+"))) ++ flags = O_RDWR|O_CREAT|O_APPEND; ++ else if ((p = startswith(mode, "a"))) ++ flags = O_WRONLY|O_CREAT|O_APPEND; ++ else ++ return -EINVAL; ++ ++ for (; *p != 0; p++) { ++ ++ switch (*p) { ++ ++ case 'e': ++ flags |= O_CLOEXEC; ++ break; ++ ++ case 'x': ++ flags |= O_EXCL; ++ break; ++ ++ case 'm': ++ /* ignore this here, fdopen() might care later though */ ++ break; ++ ++ case 'c': /* not sure what to do about this one */ ++ default: ++ return -EINVAL; ++ } ++ } ++ ++ return flags; ++} ++ ++static int xfopenat(int dir_fd, const char *path, const char *mode, int flags, FILE **ret) { ++ FILE *f; ++ ++ /* A combination of fopen() with openat() */ ++ ++ if (dir_fd == AT_FDCWD && flags == 0) { ++ f = fopen(path, mode); ++ if (!f) ++ return -errno; ++ } else { ++ int fd, mode_flags; ++ ++ mode_flags = mode_to_flags(mode); ++ if (mode_flags < 0) ++ return mode_flags; ++ ++ fd = openat(dir_fd, path, mode_flags | flags); ++ if (fd < 0) ++ return -errno; ++ ++ f = fdopen(fd, mode); ++ if (!f) { ++ safe_close(fd); ++ return -errno; ++ } ++ } ++ ++ *ret = f; ++ return 0; ++} ++ ++int read_full_file_full(int dir_fd, const char *filename, ReadFullFileFlags flags, char **contents, size_t *size) { + _cleanup_fclose_ FILE *f = NULL; ++ int r; + + assert(filename); + assert(contents); + +- f = fopen(filename, "re"); +- if (!f) +- return -errno; ++ r = xfopenat(dir_fd, filename, "re", 0, &f); ++ if (r < 0) ++ return r; + + (void) __fsetlocking(f, FSETLOCKING_BYCALLER); + +diff --git a/src/basic/fileio.h b/src/basic/fileio.h +index be10ac77b6..916ddc5e47 100644 +--- a/src/basic/fileio.h ++++ b/src/basic/fileio.h +@@ -6,6 +6,7 @@ + #include + #include + #include ++#include + #include + + #include "macro.h" +@@ -42,9 +43,9 @@ static inline int write_string_file(const char *fn, const char *line, WriteStrin + int write_string_filef(const char *fn, WriteStringFileFlags flags, const char *format, ...) _printf_(3, 4); + + int read_one_line_file(const char *filename, char **line); +-int read_full_file_full(const char *filename, ReadFullFileFlags flags, char **contents, size_t *size); ++int read_full_file_full(int dir_fd, const char *filename, ReadFullFileFlags flags, char **contents, size_t *size); + static inline int read_full_file(const char *filename, char **contents, size_t *size) { +- return read_full_file_full(filename, 0, contents, size); ++ return read_full_file_full(AT_FDCWD, filename, 0, contents, size); + } + int read_full_stream_full(FILE *f, const char *filename, ReadFullFileFlags flags, char **contents, size_t *size); + static inline int read_full_stream(FILE *f, char **contents, size_t *size) { +-- +2.39.1 + diff --git a/10023-fileio-add-support-for-read_full_file-on-AF_UNIX-st.patch b/10023-fileio-add-support-for-read_full_file-on-AF_UNIX-st.patch new file mode 100644 index 0000000..bb392bc --- /dev/null +++ b/10023-fileio-add-support-for-read_full_file-on-AF_UNIX-st.patch @@ -0,0 +1,271 @@ +From 054669a4cc4897792b6c209fd55ab1fc1d7b9bd5 Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Fri, 17 Jul 2020 12:26:01 +0200 +Subject: [PATCH] fileio: add support for read_full_file() on AF_UNIX stream + sockets + +Optionally, teach read_full_file() the ability to connect to an AF_UNIX +socket if the specified path points to one. + +(cherry picked from commit 412b888ec803cdf96fb1d005bb245d20abdb8f2e) + +[Guorui Yu: Adds sockaddr_un_set_path function to socket-util.{c,h}] +Signed-off-by: Guorui Yu +--- + src/basic/fileio.c | 62 +++++++++++++++++++++++++++++++++++------ + src/basic/fileio.h | 1 + + src/basic/socket-util.c | 42 ++++++++++++++++++++++++++++ + src/basic/socket-util.h | 1 + + src/test/test-fileio.c | 50 +++++++++++++++++++++++++++++++++ + 5 files changed, 147 insertions(+), 9 deletions(-) + +diff --git a/src/basic/fileio.c b/src/basic/fileio.c +index d7da834a74..9cb0a2bd28 100644 +--- a/src/basic/fileio.c ++++ b/src/basic/fileio.c +@@ -27,6 +27,7 @@ + #include "missing.h" + #include "parse-util.h" + #include "path-util.h" ++#include "socket-util.h" + #include "process-util.h" + #include "random-util.h" + #include "stdio-util.h" +@@ -450,21 +451,18 @@ int read_full_stream_full( + + errno = 0; + k = fread(buf + l, 1, n - l, f); +- if (k > 0) +- l += k; ++ ++ assert(k <= n - l); ++ l += k; + + if (ferror(f)) { + r = errno > 0 ? -errno : -EIO; + goto finalize; + } +- + if (feof(f)) + break; + +- /* We aren't expecting fread() to return a short read outside +- * of (error && eof), assert buffer is full and enlarge buffer. +- */ +- assert(l == n); ++ assert(k > 0); /* we can't have read zero bytes because that would have been EOF */ + + /* Safety check */ + if (n >= READ_FULL_BYTES_MAX) { +@@ -584,8 +582,54 @@ int read_full_file_full(int dir_fd, const char *filename, ReadFullFileFlags flag + assert(contents); + + r = xfopenat(dir_fd, filename, "re", 0, &f); +- if (r < 0) +- return r; ++ if (r < 0) { ++ _cleanup_close_ int dfd = -1, sk = -1; ++ union sockaddr_union sa; ++ ++ /* ENXIO is what Linux returns if we open a node that is an AF_UNIX socket */ ++ if (r != -ENXIO) ++ return r; ++ ++ /* If this is enabled, let's try to connect to it */ ++ if (!FLAGS_SET(flags, READ_FULL_FILE_CONNECT_SOCKET)) ++ return -ENXIO; ++ ++ if (dir_fd == AT_FDCWD) ++ r = sockaddr_un_set_path(&sa.un, filename); ++ else { ++ char procfs_path[STRLEN("/proc/self/fd/") + DECIMAL_STR_MAX(int)]; ++ ++ /* If we shall operate relative to some directory, then let's use O_PATH first to ++ * open the socket inode, and then connect to it via /proc/self/fd/. We have to do ++ * this since there's not connectat() that takes a directory fd as first arg. */ ++ ++ dfd = openat(dir_fd, filename, O_PATH|O_CLOEXEC); ++ if (dfd < 0) ++ return -errno; ++ ++ xsprintf(procfs_path, "/proc/self/fd/%i", dfd); ++ r = sockaddr_un_set_path(&sa.un, procfs_path); ++ } ++ if (r < 0) ++ return r; ++ ++ sk = socket(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC, 0); ++ if (sk < 0) ++ return -errno; ++ ++ if (connect(sk, &sa.sa, SOCKADDR_UN_LEN(sa.un)) < 0) ++ return errno == ENOTSOCK ? -ENXIO : -errno; /* propagate original error if this is ++ * not a socket after all */ ++ ++ if (shutdown(sk, SHUT_WR) < 0) ++ return -errno; ++ ++ f = fdopen(sk, "r"); ++ if (!f) ++ return -errno; ++ ++ TAKE_FD(sk); ++ } + + (void) __fsetlocking(f, FSETLOCKING_BYCALLER); + +diff --git a/src/basic/fileio.h b/src/basic/fileio.h +index 916ddc5e47..1a16e0fd13 100644 +--- a/src/basic/fileio.h ++++ b/src/basic/fileio.h +@@ -29,6 +29,7 @@ typedef enum { + typedef enum { + READ_FULL_FILE_SECURE = 1 << 0, + READ_FULL_FILE_WARN_WORLD_READABLE = 1 << 3, ++ READ_FULL_FILE_CONNECT_SOCKET = 1 << 4, + } ReadFullFileFlags; + + int write_string_stream_ts(FILE *f, const char *line, WriteStringFileFlags flags, struct timespec *ts); +diff --git a/src/basic/socket-util.c b/src/basic/socket-util.c +index 7f8066123b..427c8b89bb 100644 +--- a/src/basic/socket-util.c ++++ b/src/basic/socket-util.c +@@ -1253,6 +1253,48 @@ int socket_ioctl_fd(void) { + return fd; + } + ++int sockaddr_un_set_path(struct sockaddr_un *ret, const char *path) { ++ size_t l; ++ ++ assert(ret); ++ assert(path); ++ ++ /* Initialize ret->sun_path from the specified argument. This will interpret paths starting with '@' as ++ * abstract namespace sockets, and those starting with '/' as regular filesystem sockets. It won't accept ++ * anything else (i.e. no relative paths), to avoid ambiguities. Note that this function cannot be used to ++ * reference paths in the abstract namespace that include NUL bytes in the name. */ ++ ++ l = strlen(path); ++ if (l < 2) ++ return -EINVAL; ++ if (!IN_SET(path[0], '/', '@')) ++ return -EINVAL; ++ ++ /* Don't allow paths larger than the space in sockaddr_un. Note that we are a tiny bit more restrictive than ++ * the kernel is: we insist on NUL termination (both for abstract namespace and regular file system socket ++ * addresses!), which the kernel doesn't. We do this to reduce chance of incompatibility with other apps that ++ * do not expect non-NUL terminated file system path*/ ++ if (l+1 > sizeof(ret->sun_path)) ++ return -EINVAL; ++ ++ *ret = (struct sockaddr_un) { ++ .sun_family = AF_UNIX, ++ }; ++ ++ if (path[0] == '@') { ++ /* Abstract namespace socket */ ++ memcpy(ret->sun_path + 1, path + 1, l); /* copy *with* trailing NUL byte */ ++ return (int) (offsetof(struct sockaddr_un, sun_path) + l); /* 🔥 *don't* 🔥 include trailing NUL in size */ ++ ++ } else { ++ assert(path[0] == '/'); ++ ++ /* File system socket */ ++ memcpy(ret->sun_path, path, l + 1); /* copy *with* trailing NUL byte */ ++ return (int) (offsetof(struct sockaddr_un, sun_path) + l + 1); /* include trailing NUL in size */ ++ } ++} ++ + int socket_pass_pktinfo(int fd, bool b) { + int af; + socklen_t sl = sizeof(af); +diff --git a/src/basic/socket-util.h b/src/basic/socket-util.h +index 30baba6c03..36edc58caf 100644 +--- a/src/basic/socket-util.h ++++ b/src/basic/socket-util.h +@@ -186,6 +186,7 @@ struct cmsghdr* cmsg_find(struct msghdr *mh, int level, int type, socklen_t leng + }) + + int socket_ioctl_fd(void); ++int sockaddr_un_set_path(struct sockaddr_un *ret, const char *path); + + static inline int setsockopt_int(int fd, int level, int optname, int value) { + if (setsockopt(fd, level, optname, &value, sizeof(value)) < 0) +diff --git a/src/test/test-fileio.c b/src/test/test-fileio.c +index 14ba075144..82b7cb1242 100644 +--- a/src/test/test-fileio.c ++++ b/src/test/test-fileio.c +@@ -14,6 +14,8 @@ + #include "io-util.h" + #include "parse-util.h" + #include "process-util.h" ++#include "rm-rf.h" ++#include "socket-util.h" + #include "string-util.h" + #include "strv.h" + #include "util.h" +@@ -709,6 +711,53 @@ static void test_read_line3(void) { + assert_se(read_line(f, LINE_MAX, NULL) == 0); + } + ++static void test_read_full_file_socket(void) { ++ _cleanup_(rm_rf_physical_and_freep) char *z = NULL; ++ _cleanup_close_ int listener = -1; ++ _cleanup_free_ char *data = NULL; ++ union sockaddr_union sa; ++ const char *j; ++ size_t size; ++ pid_t pid; ++ int r; ++ ++ log_info("/* %s */", __func__); ++ ++ listener = socket(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC, 0); ++ assert_se(listener >= 0); ++ ++ assert_se(mkdtemp_malloc(NULL, &z) >= 0); ++ j = strjoina(z, "/socket"); ++ ++ assert_se(sockaddr_un_set_path(&sa.un, j) >= 0); ++ ++ assert_se(bind(listener, &sa.sa, SOCKADDR_UN_LEN(sa.un)) >= 0); ++ assert_se(listen(listener, 1) >= 0); ++ ++ r = safe_fork("(server)", FORK_DEATHSIG|FORK_LOG, &pid); ++ assert_se(r >= 0); ++ if (r == 0) { ++ _cleanup_close_ int rfd = -1; ++ /* child */ ++ ++ rfd = accept4(listener, NULL, 0, SOCK_CLOEXEC); ++ assert_se(rfd >= 0); ++ ++#define TEST_STR "This is a test\nreally." ++ ++ assert_se(write(rfd, TEST_STR, strlen(TEST_STR)) == strlen(TEST_STR)); ++ _exit(EXIT_SUCCESS); ++ } ++ ++ assert_se(read_full_file_full(AT_FDCWD, j, 0, &data, &size) == -ENXIO); ++ assert_se(read_full_file_full(AT_FDCWD, j, READ_FULL_FILE_CONNECT_SOCKET, &data, &size) >= 0); ++ assert_se(size == strlen(TEST_STR)); ++ assert_se(streq(data, TEST_STR)); ++ ++ assert_se(wait_for_terminate_and_check("(server)", pid, WAIT_LOG) >= 0); ++#undef TEST_STR ++} ++ + int main(int argc, char *argv[]) { + log_set_max_level(LOG_DEBUG); + log_parse_environment(); +@@ -733,6 +782,7 @@ int main(int argc, char *argv[]) { + test_read_line(); + test_read_line2(); + test_read_line3(); ++ test_read_full_file_socket(); + + return 0; + } +-- +2.39.1 + diff --git a/10024-fileio-beef-up-READ_FULL_FILE_CONNECT_SOCKET-to-all.patch b/10024-fileio-beef-up-READ_FULL_FILE_CONNECT_SOCKET-to-all.patch new file mode 100644 index 0000000..2edc538 --- /dev/null +++ b/10024-fileio-beef-up-READ_FULL_FILE_CONNECT_SOCKET-to-all.patch @@ -0,0 +1,181 @@ +From 0717de25e6508b10ea034fa1b96675f18100ac01 Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Mon, 2 Nov 2020 12:07:51 +0100 +Subject: [PATCH] fileio: beef up READ_FULL_FILE_CONNECT_SOCKET to allow + setting sender socket name + +This beefs up the READ_FULL_FILE_CONNECT_SOCKET logic of +read_full_file_full() a bit: when used a sender socket name may be +specified. If specified as NULL behaviour is as before: the client +socket name is picked by the kernel. But if specified as non-NULL the +client can pick a socket name to use when connecting. This is useful to +communicate a minimal amount of metainformation from client to server, +outside of the transport payload. + +Specifically, these beefs up the service credential logic to pass an +abstract AF_UNIX socket name as client socket name when connecting via +READ_FULL_FILE_CONNECT_SOCKET, that includes the requesting unit name +and the eventual credential name. This allows servers implementing the +trivial credential socket logic to distinguish clients: via a simple +getpeername() it can be determined which unit is requesting a +credential, and which credential specifically. + +Example: with this patch in place, in a unit file "waldo.service" a +configuration line like the following: + + LoadCredential=foo:/run/quux/creds.sock + +will result in a connection to the AF_UNIX socket /run/quux/creds.sock, +originating from an abstract namespace AF_UNIX socket: + + @$RANDOM/unit/waldo.service/foo + +(The $RANDOM is replaced by some randomized string. This is included in +the socket name order to avoid namespace squatting issues: the abstract +socket namespace is open to unprivileged users after all, and care needs +to be taken not to use guessable names) + +The services listening on the /run/quux/creds.sock socket may thus +easily retrieve the name of the unit the credential is requested for +plus the credential name, via a simpler getpeername(), discarding the +random preifx and the /unit/ string. + +This logic uses "/" as separator between the fields, since both unit +names and credential names appear in the file system, and thus are +designed to use "/" as outer separators. Given that it's a good safe +choice to use as separators here, too avoid any conflicts. + +This is a minimal patch only: the new logic is used only for the unit +file credential logic. For other places where we use +READ_FULL_FILE_CONNECT_SOCKET it is probably a good idea to use this +scheme too, but this should be done carefully in later patches, since +the socket names become API that way, and we should determine the right +amount of info to pass over. + +(cherry picked from commit 142e9756c98c69cdd5d03df4028700acb5739f72) + +Signed-off-by: Guorui Yu +--- + src/basic/fileio.c | 22 +++++++++++++++++++++- + src/basic/fileio.h | 4 ++-- + src/test/test-fileio.c | 19 ++++++++++++++++--- + 3 files changed, 39 insertions(+), 6 deletions(-) + +diff --git a/src/basic/fileio.c b/src/basic/fileio.c +index 9cb0a2bd28..35eaa3c1c7 100644 +--- a/src/basic/fileio.c ++++ b/src/basic/fileio.c +@@ -574,7 +574,13 @@ static int xfopenat(int dir_fd, const char *path, const char *mode, int flags, F + return 0; + } + +-int read_full_file_full(int dir_fd, const char *filename, ReadFullFileFlags flags, char **contents, size_t *size) { ++int read_full_file_full( ++ int dir_fd, ++ const char *filename, ++ ReadFullFileFlags flags, ++ const char *bind_name, ++ char **contents, size_t *size) { ++ + _cleanup_fclose_ FILE *f = NULL; + int r; + +@@ -617,6 +623,20 @@ int read_full_file_full(int dir_fd, const char *filename, ReadFullFileFlags flag + if (sk < 0) + return -errno; + ++ if (bind_name) { ++ /* If the caller specified a socket name to bind to, do so before connecting. This is ++ * useful to communicate some minor, short meta-information token from the client to ++ * the server. */ ++ union sockaddr_union bsa; ++ ++ r = sockaddr_un_set_path(&bsa.un, bind_name); ++ if (r < 0) ++ return r; ++ ++ if (bind(sk, &bsa.sa, r) < 0) ++ return r; ++ } ++ + if (connect(sk, &sa.sa, SOCKADDR_UN_LEN(sa.un)) < 0) + return errno == ENOTSOCK ? -ENXIO : -errno; /* propagate original error if this is + * not a socket after all */ +diff --git a/src/basic/fileio.h b/src/basic/fileio.h +index 1a16e0fd13..82897e209c 100644 +--- a/src/basic/fileio.h ++++ b/src/basic/fileio.h +@@ -44,9 +44,9 @@ static inline int write_string_file(const char *fn, const char *line, WriteStrin + int write_string_filef(const char *fn, WriteStringFileFlags flags, const char *format, ...) _printf_(3, 4); + + int read_one_line_file(const char *filename, char **line); +-int read_full_file_full(int dir_fd, const char *filename, ReadFullFileFlags flags, char **contents, size_t *size); ++int read_full_file_full(int dir_fd, const char *filename, ReadFullFileFlags flags, const char *bind_name, char **contents, size_t *size); + static inline int read_full_file(const char *filename, char **contents, size_t *size) { +- return read_full_file_full(AT_FDCWD, filename, 0, contents, size); ++ return read_full_file_full(AT_FDCWD, filename, 0, NULL, contents, size); + } + int read_full_stream_full(FILE *f, const char *filename, ReadFullFileFlags flags, char **contents, size_t *size); + static inline int read_full_stream(FILE *f, char **contents, size_t *size) { +diff --git a/src/test/test-fileio.c b/src/test/test-fileio.c +index 82b7cb1242..5ec70eec14 100644 +--- a/src/test/test-fileio.c ++++ b/src/test/test-fileio.c +@@ -14,6 +14,7 @@ + #include "io-util.h" + #include "parse-util.h" + #include "process-util.h" ++#include "random-util.h" + #include "rm-rf.h" + #include "socket-util.h" + #include "string-util.h" +@@ -714,7 +715,7 @@ static void test_read_line3(void) { + static void test_read_full_file_socket(void) { + _cleanup_(rm_rf_physical_and_freep) char *z = NULL; + _cleanup_close_ int listener = -1; +- _cleanup_free_ char *data = NULL; ++ _cleanup_free_ char *data = NULL, *clientname = NULL; + union sockaddr_union sa; + const char *j; + size_t size; +@@ -734,23 +735,35 @@ static void test_read_full_file_socket(void) { + assert_se(bind(listener, &sa.sa, SOCKADDR_UN_LEN(sa.un)) >= 0); + assert_se(listen(listener, 1) >= 0); + ++ /* Bind the *client* socket to some randomized name, to verify that this works correctly. */ ++ assert_se(asprintf(&clientname, "@%" PRIx64 "/test-bindname", random_u64()) >= 0); ++ + r = safe_fork("(server)", FORK_DEATHSIG|FORK_LOG, &pid); + assert_se(r >= 0); + if (r == 0) { ++ union sockaddr_union peer = {}; ++ socklen_t peerlen = sizeof(peer); + _cleanup_close_ int rfd = -1; + /* child */ + + rfd = accept4(listener, NULL, 0, SOCK_CLOEXEC); + assert_se(rfd >= 0); + ++ assert_se(getpeername(rfd, &peer.sa, &peerlen) >= 0); ++ ++ assert_se(peer.un.sun_family == AF_UNIX); ++ assert_se(peerlen > offsetof(struct sockaddr_un, sun_path)); ++ assert_se(peer.un.sun_path[0] == 0); ++ assert_se(streq(peer.un.sun_path + 1, clientname + 1)); ++ + #define TEST_STR "This is a test\nreally." + + assert_se(write(rfd, TEST_STR, strlen(TEST_STR)) == strlen(TEST_STR)); + _exit(EXIT_SUCCESS); + } + +- assert_se(read_full_file_full(AT_FDCWD, j, 0, &data, &size) == -ENXIO); +- assert_se(read_full_file_full(AT_FDCWD, j, READ_FULL_FILE_CONNECT_SOCKET, &data, &size) >= 0); ++ assert_se(read_full_file_full(AT_FDCWD, j, 0, NULL, &data, &size) == -ENXIO); ++ assert_se(read_full_file_full(AT_FDCWD, j, READ_FULL_FILE_CONNECT_SOCKET, clientname, &data, &size) >= 0); + assert_se(size == strlen(TEST_STR)); + assert_se(streq(data, TEST_STR)); + +-- +2.39.1 + diff --git a/10025-fileio-teach-read_full_file_full-to-read-from-offse.patch b/10025-fileio-teach-read_full_file_full-to-read-from-offse.patch new file mode 100644 index 0000000..08e8f40 --- /dev/null +++ b/10025-fileio-teach-read_full_file_full-to-read-from-offse.patch @@ -0,0 +1,246 @@ +From 5be0e8a2c3e683c195fd872979d6e5741c80d13f Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Wed, 4 Nov 2020 20:25:06 +0100 +Subject: [PATCH] fileio: teach read_full_file_full() to read from offset/with + maximum size + +(cherry picked from commit 7399b3f8083b65db4cb9acb17e4b5c897ba7946d) + +Signed-off-by: Guorui Yu +--- + src/basic/fileio.c | 60 ++++++++++++++++++++++++++++++------------ + src/basic/fileio.h | 12 ++++----- + src/test/test-fileio.c | 49 ++++++++++++++++++++++++++++++++-- + 3 files changed, 96 insertions(+), 25 deletions(-) + +diff --git a/src/basic/fileio.c b/src/basic/fileio.c +index 35eaa3c1c7..c14f9797bd 100644 +--- a/src/basic/fileio.c ++++ b/src/basic/fileio.c +@@ -388,44 +388,58 @@ int read_full_virtual_file(const char *filename, char **ret_contents, size_t *re + int read_full_stream_full( + FILE *f, + const char *filename, ++ uint64_t offset, ++ size_t size, + ReadFullFileFlags flags, + char **ret_contents, + size_t *ret_size) { + + _cleanup_free_ char *buf = NULL; +- struct stat st; + size_t n, n_next, l; + int fd, r; + + assert(f); + assert(ret_contents); + +- n_next = LINE_MAX; /* Start size */ ++ if (offset != UINT64_MAX && offset > LONG_MAX) ++ return -ERANGE; ++ ++ n_next = size != SIZE_MAX ? size : LINE_MAX; /* Start size */ + + fd = fileno(f); +- if (fd >= 0) { /* If the FILE* object is backed by an fd (as opposed to memory or such, see fmemopen(), let's +- * optimize our buffering) */ ++ if (fd >= 0) { /* If the FILE* object is backed by an fd (as opposed to memory or such, see ++ * fmemopen()), let's optimize our buffering */ ++ struct stat st; + + if (fstat(fd, &st) < 0) + return -errno; + + if (S_ISREG(st.st_mode)) { +- +- /* Safety check */ +- if (st.st_size > READ_FULL_BYTES_MAX) +- return -E2BIG; +- +- /* Start with the right file size. Note that we increase the size +- * to read here by one, so that the first read attempt already +- * makes us notice the EOF. */ +- if (st.st_size > 0) +- n_next = st.st_size + 1; ++ if (size == SIZE_MAX) { ++ uint64_t rsize = ++ LESS_BY((uint64_t) st.st_size, offset == UINT64_MAX ? 0 : offset); ++ ++ /* Safety check */ ++ if (rsize > READ_FULL_BYTES_MAX) ++ return -E2BIG; ++ ++ /* Start with the right file size. Note that we increase the size to read ++ * here by one, so that the first read attempt already makes us notice the ++ * EOF. If the reported size of the file is zero, we avoid this logic ++ * however, since quite likely it might be a virtual file in procfs that all ++ * report a zero file size. */ ++ if (st.st_size > 0) ++ n_next = rsize + 1; ++ } + + if (flags & READ_FULL_FILE_WARN_WORLD_READABLE) + (void) warn_file_is_world_accessible(filename, &st, NULL, 0); + } + } + ++ if (offset != UINT64_MAX && fseek(f, offset, SEEK_SET) < 0) ++ return -errno; ++ + n = l = 0; + for (;;) { + char *t; +@@ -462,6 +476,11 @@ int read_full_stream_full( + if (feof(f)) + break; + ++ if (size != SIZE_MAX) { /* If we got asked to read some specific size, we already sized the buffer right, hence leave */ ++ assert(l == size); ++ break; ++ } ++ + assert(k > 0); /* we can't have read zero bytes because that would have been EOF */ + + /* Safety check */ +@@ -577,15 +596,18 @@ static int xfopenat(int dir_fd, const char *path, const char *mode, int flags, F + int read_full_file_full( + int dir_fd, + const char *filename, ++ uint64_t offset, ++ size_t size, + ReadFullFileFlags flags, + const char *bind_name, +- char **contents, size_t *size) { ++ char **ret_contents, ++ size_t *ret_size) { + + _cleanup_fclose_ FILE *f = NULL; + int r; + + assert(filename); +- assert(contents); ++ assert(ret_contents); + + r = xfopenat(dir_fd, filename, "re", 0, &f); + if (r < 0) { +@@ -600,6 +622,10 @@ int read_full_file_full( + if (!FLAGS_SET(flags, READ_FULL_FILE_CONNECT_SOCKET)) + return -ENXIO; + ++ /* Seeking is not supported on AF_UNIX sockets */ ++ if (offset != UINT64_MAX) ++ return -ESPIPE; ++ + if (dir_fd == AT_FDCWD) + r = sockaddr_un_set_path(&sa.un, filename); + else { +@@ -653,7 +679,7 @@ int read_full_file_full( + + (void) __fsetlocking(f, FSETLOCKING_BYCALLER); + +- return read_full_stream_full(f, filename, flags, contents, size); ++ return read_full_stream_full(f, filename, offset, size, flags, ret_contents, ret_size); + } + + static int parse_env_file_internal( +diff --git a/src/basic/fileio.h b/src/basic/fileio.h +index 82897e209c..03150ce776 100644 +--- a/src/basic/fileio.h ++++ b/src/basic/fileio.h +@@ -44,13 +44,13 @@ static inline int write_string_file(const char *fn, const char *line, WriteStrin + int write_string_filef(const char *fn, WriteStringFileFlags flags, const char *format, ...) _printf_(3, 4); + + int read_one_line_file(const char *filename, char **line); +-int read_full_file_full(int dir_fd, const char *filename, ReadFullFileFlags flags, const char *bind_name, char **contents, size_t *size); +-static inline int read_full_file(const char *filename, char **contents, size_t *size) { +- return read_full_file_full(AT_FDCWD, filename, 0, NULL, contents, size); ++int read_full_file_full(int dir_fd, const char *filename, uint64_t offset, size_t size, ReadFullFileFlags flags, const char *bind_name, char **ret_contents, size_t *ret_size); ++static inline int read_full_file(const char *filename, char **ret_contents, size_t *ret_size) { ++ return read_full_file_full(AT_FDCWD, filename, UINT64_MAX, SIZE_MAX, 0, NULL, ret_contents, ret_size); + } +-int read_full_stream_full(FILE *f, const char *filename, ReadFullFileFlags flags, char **contents, size_t *size); +-static inline int read_full_stream(FILE *f, char **contents, size_t *size) { +- return read_full_stream_full(f, NULL, 0, contents, size); ++int read_full_stream_full(FILE *f, const char *filename, uint64_t offset, size_t size, ReadFullFileFlags flags, char **ret_contents, size_t *ret_size); ++static inline int read_full_stream(FILE *f, char **ret_contents, size_t *ret_size) { ++ return read_full_stream_full(f, NULL, UINT64_MAX, SIZE_MAX, 0, ret_contents, ret_size); + } + int read_full_virtual_file(const char *filename, char **ret_contents, size_t *ret_size); + +diff --git a/src/test/test-fileio.c b/src/test/test-fileio.c +index 5ec70eec14..5d0006149b 100644 +--- a/src/test/test-fileio.c ++++ b/src/test/test-fileio.c +@@ -762,8 +762,8 @@ static void test_read_full_file_socket(void) { + _exit(EXIT_SUCCESS); + } + +- assert_se(read_full_file_full(AT_FDCWD, j, 0, NULL, &data, &size) == -ENXIO); +- assert_se(read_full_file_full(AT_FDCWD, j, READ_FULL_FILE_CONNECT_SOCKET, clientname, &data, &size) >= 0); ++ assert_se(read_full_file_full(AT_FDCWD, j, UINT64_MAX, SIZE_MAX, 0, NULL, &data, &size) == -ENXIO); ++ assert_se(read_full_file_full(AT_FDCWD, j, UINT64_MAX, SIZE_MAX, READ_FULL_FILE_CONNECT_SOCKET, clientname, &data, &size) >= 0); + assert_se(size == strlen(TEST_STR)); + assert_se(streq(data, TEST_STR)); + +@@ -771,6 +771,50 @@ static void test_read_full_file_socket(void) { + #undef TEST_STR + } + ++static void test_read_full_file_offset_size(void) { ++ _cleanup_fclose_ FILE *f = NULL; ++ _cleanup_(unlink_and_freep) char *fn = NULL; ++ _cleanup_free_ char *rbuf = NULL; ++ size_t rbuf_size; ++ uint8_t buf[4711]; ++ ++ random_bytes(buf, sizeof(buf)); ++ ++ assert_se(tempfn_random_child(NULL, NULL, &fn) >= 0); ++ assert_se(f = fopen(fn, "we")); ++ assert_se(fwrite(buf, 1, sizeof(buf), f) == sizeof(buf)); ++ assert_se(fflush_and_check(f) >= 0); ++ ++ assert_se(read_full_file_full(AT_FDCWD, fn, UINT64_MAX, SIZE_MAX, 0, NULL, &rbuf, &rbuf_size) >= 0); ++ assert_se(rbuf_size == sizeof(buf)); ++ assert_se(memcmp(buf, rbuf, rbuf_size) == 0); ++ rbuf = mfree(rbuf); ++ ++ assert_se(read_full_file_full(AT_FDCWD, fn, UINT64_MAX, 128, 0, NULL, &rbuf, &rbuf_size) >= 0); ++ assert_se(rbuf_size == 128); ++ assert_se(memcmp(buf, rbuf, rbuf_size) == 0); ++ rbuf = mfree(rbuf); ++ ++ assert_se(read_full_file_full(AT_FDCWD, fn, 1234, SIZE_MAX, 0, NULL, &rbuf, &rbuf_size) >= 0); ++ assert_se(rbuf_size == sizeof(buf) - 1234); ++ assert_se(memcmp(buf + 1234, rbuf, rbuf_size) == 0); ++ rbuf = mfree(rbuf); ++ ++ assert_se(read_full_file_full(AT_FDCWD, fn, 2345, 777, 0, NULL, &rbuf, &rbuf_size) >= 0); ++ assert_se(rbuf_size == 777); ++ assert_se(memcmp(buf + 2345, rbuf, rbuf_size) == 0); ++ rbuf = mfree(rbuf); ++ ++ assert_se(read_full_file_full(AT_FDCWD, fn, 4700, 20, 0, NULL, &rbuf, &rbuf_size) >= 0); ++ assert_se(rbuf_size == 11); ++ assert_se(memcmp(buf + 4700, rbuf, rbuf_size) == 0); ++ rbuf = mfree(rbuf); ++ ++ assert_se(read_full_file_full(AT_FDCWD, fn, 10000, 99, 0, NULL, &rbuf, &rbuf_size) >= 0); ++ assert_se(rbuf_size == 0); ++ rbuf = mfree(rbuf); ++} ++ + int main(int argc, char *argv[]) { + log_set_max_level(LOG_DEBUG); + log_parse_environment(); +@@ -796,6 +840,7 @@ int main(int argc, char *argv[]) { + test_read_line2(); + test_read_line3(); + test_read_full_file_socket(); ++ test_read_full_file_offset_size(); + + return 0; + } +-- +2.39.1 + diff --git a/10026-cryptsetup-port-cryptsetup-s-main-key-file-logic-ov.patch b/10026-cryptsetup-port-cryptsetup-s-main-key-file-logic-ov.patch new file mode 100644 index 0000000..bb66170 --- /dev/null +++ b/10026-cryptsetup-port-cryptsetup-s-main-key-file-logic-ov.patch @@ -0,0 +1,95 @@ +From 8ef03861b75cf0a70511760c395cb4bd228c37b9 Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Wed, 4 Nov 2020 17:24:53 +0100 +Subject: [PATCH] cryptsetup: port cryptsetup's main key file logic over to + read_full_file_full() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Previously, we'd load the file with libcryptsetup's calls. Let's do that +in our own, so that we can make use of READ_FULL_FILE_CONNECT_SOCKET, +i.e. read in keys via AF_UNIX sockets, so that people can plug key +providers into our logic. + +This provides functionality similar to Debian's keyscript= crypttab +option (see → #3007), as it allows key scripts to be run as socket +activated services, that have stdout connected to the activated socket. +In contrast to traditional keyscript= support this logic runs stuff out +of process however, which is beneficial, since it allows sandboxing and +similar. + +(cherry picked from commit 165a476841ff1aa3aab3508771db9495ab073c7a) + +Signed-off-by: Guorui Yu +--- + src/cryptsetup/cryptsetup.c | 37 ++++++++++++++++++++++++++++++++----- + 1 file changed, 32 insertions(+), 5 deletions(-) + +diff --git a/src/cryptsetup/cryptsetup.c b/src/cryptsetup/cryptsetup.c +index 11162eb722..9251e0eba8 100644 +--- a/src/cryptsetup/cryptsetup.c ++++ b/src/cryptsetup/cryptsetup.c +@@ -17,6 +17,7 @@ + #include "mount-util.h" + #include "parse-util.h" + #include "path-util.h" ++#include "random-util.h" + #include "string-util.h" + #include "strv.h" + #include "util.h" +@@ -480,6 +481,15 @@ static int attach_tcrypt( + return 0; + } + ++static char *make_bindname(const char *volume) { ++ char *s; ++ ++ if (asprintf(&s, "@%" PRIx64"/cryptsetup/%s", random_u64(), volume) < 0) ++ return NULL; ++ ++ return s; ++} ++ + static int attach_luks_or_plain(struct crypt_device *cd, + const char *name, + const char *key_file, +@@ -553,13 +563,30 @@ static int attach_luks_or_plain(struct crypt_device *cd, + crypt_get_device_name(cd)); + + if (key_file) { +- r = crypt_activate_by_keyfile_offset(cd, name, arg_key_slot, key_file, arg_keyfile_size, arg_keyfile_offset, flags); +- if (r == -EPERM) { +- log_error_errno(r, "Failed to activate with key file '%s'. (Key data incorrect?)", key_file); ++ _cleanup_(erase_and_freep) char *kfdata = NULL; ++ _cleanup_free_ char *bindname = NULL; ++ size_t kfsize; ++ ++ /* If we read the key via AF_UNIX, make this client recognizable */ ++ bindname = make_bindname(name); ++ if (!bindname) ++ return log_oom(); ++ ++ r = read_full_file_full( ++ AT_FDCWD, key_file, ++ arg_keyfile_offset == 0 ? UINT64_MAX : arg_keyfile_offset, ++ arg_keyfile_size == 0 ? SIZE_MAX : arg_keyfile_size, ++ READ_FULL_FILE_SECURE|READ_FULL_FILE_WARN_WORLD_READABLE|READ_FULL_FILE_CONNECT_SOCKET, ++ bindname, ++ &kfdata, &kfsize); ++ if (r == -ENOENT) { ++ log_error_errno(r, "Failed to activate, key file '%s' missing.", key_file); + return -EAGAIN; /* Log actual error, but return EAGAIN */ + } +- if (r == -EINVAL) { +- log_error_errno(r, "Failed to activate with key file '%s'. (Key file missing?)", key_file); ++ ++ r = crypt_activate_by_passphrase(cd, name, arg_key_slot, kfdata, kfsize, flags); ++ if (r == -EPERM) { ++ log_error_errno(r, "Failed to activate with key file '%s'. (Key data incorrect?)", key_file); + return -EAGAIN; /* Log actual error, but return EAGAIN */ + } + if (r < 0) +-- +2.39.1 + diff --git a/systemd.spec b/systemd.spec index d8444cd..2a716ee 100644 --- a/systemd.spec +++ b/systemd.spec @@ -1078,6 +1078,19 @@ Patch10010: 10010-test-catalog-Fix-coredump-when-compiled-under-GCC10.patch Patch10011: 10011-hwdb-add-Iluvatar-CoreX.patch Patch10012: 10012-seccomp-add-loongarch-support.patch Patch10013: 10013-umount-check-LO_FLAGS_AUTOCLEAR-after-LOOP_CLR_FD-cl.patch +Patch10014: 10014-fileio-when-reading-a-full-file-into-memory-refuse-.patch +Patch10015: 10015-util-introduce-explicit_bzero_safe-for-explicit-mem.patch +Patch10016: 10016-util-introduce-erase_and_free-helper.patch +Patch10017: 10017-util-introduce-READ_FULL_FILE_SECURE-flag-for-readi.patch +Patch10018: 10018-fileio-introduce-warn_file_is_world_accessible.patch +Patch10019: 10019-fileio-read_full_file_full-also-warns-when-file-is-.patch +Patch10020: 10020-basic-fileio-Fix-memory-leak-if-READ_FULL_FILE_SECU.patch +Patch10021: 10021-fileio-add-explicit-flag-for-generating-world-execu.patch +Patch10022: 10022-fileio-add-dir_fd-parameter-to-read_full_file_full.patch +Patch10023: 10023-fileio-add-support-for-read_full_file-on-AF_UNIX-st.patch +Patch10024: 10024-fileio-beef-up-READ_FULL_FILE_CONNECT_SOCKET-to-all.patch +Patch10025: 10025-fileio-teach-read_full_file_full-to-read-from-offse.patch +Patch10026: 10026-cryptsetup-port-cryptsetup-s-main-key-file-logic-ov.patch %ifarch %{ix86} x86_64 aarch64 %global have_gnu_efi 1 @@ -1720,6 +1733,19 @@ fi - seccomp: add loongarch64 support (Liwei Ge) - seccomp: remove loongarch64 switch(Liwei Ge) - umount: check LO_FLAGS_AUTOCLEAR after LOOP_CLR_FD claimed success(yuanhui) +- fileio: when reading a full file into memory, refuse inner NUL bytes (Guorui Yu) +- util: introduce explicit_bzero_safe for explicit memset (Guorui Yu) +- util: introduce erase_and_free() helper (Guorui Yu) +- util: introduce READ_FULL_FILE_SECURE flag for reading secure data (Guorui Yu) +- fileio: introduce warn_file_is_world_accessible() (Guorui Yu) +- fileio: read_full_file_full() also warns when file is world readable and secure flag is set (Guorui Yu) +- basic/fileio: Fix memory leak if READ_FULL_FILE_SECURE flag is used (Guorui Yu) +- fileio: add explicit flag for generating world executable warning when reading file (Guorui Yu) +- fileio: add 'dir_fd' parameter to read_full_file_full() (Guorui Yu) +- fileio: add support for read_full_file() on AF_UNIX stream sockets (Guorui Yu) +- fileio: beef up READ_FULL_FILE_CONNECT_SOCKET to allow setting sender socket name (Guorui Yu) +- fileio: teach read_full_file_full() to read from offset/with maximum size (Guorui Yu) +- cryptsetup: port cryptsetup's main key file logic over to read_full_file_full() (Guorui Yu) * Tue Jul 23 2024 systemd maintenance team - 239-82.2 - spec: do not create symlink /etc/systemd/system/syslog.service (RHEL-13179) -- Gitee From c7363fa75346a45b2994ac52036e2553d1b9a7cc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E5=BF=A0=E5=87=8C?= Date: Mon, 30 Oct 2023 15:54:33 +0800 Subject: [PATCH 09/19] Add optimized patches (hwdb,cgroup) - Update upstream parse_hwdb.py to fix parse-hwdb error - cgroup: do not refresh cgroup devices config when daemon-reload - core: introduce cgroup full delegation for compability --- 20001-hwdb-parse_hwdb_dot_py.patch | 299 ++++++++++++++++++ ...fresh-cgroup-devices-config-when-dae.patch | 26 ++ ...group-full-delegation-for-compabilit.patch | 133 ++++++++ systemd.spec | 7 + 4 files changed, 465 insertions(+) create mode 100644 20001-hwdb-parse_hwdb_dot_py.patch create mode 100644 20002-cgroup-do-not-refresh-cgroup-devices-config-when-dae.patch create mode 100644 20003-core-introduce-cgroup-full-delegation-for-compabilit.patch diff --git a/20001-hwdb-parse_hwdb_dot_py.patch b/20001-hwdb-parse_hwdb_dot_py.patch new file mode 100644 index 0000000..71bf1c5 --- /dev/null +++ b/20001-hwdb-parse_hwdb_dot_py.patch @@ -0,0 +1,299 @@ +From: rpm-build +Date: Thu, 28 Apr 2022 01:49:39 +0000 +Subject: [PATCH] Update upstream parse_hwdb.py to fix parse-hwdb error + +This patch does not correspond to a specific commit from upstream. Instead, it +is directly taken from + +https://github.com/systemd/systemd/blob/f2c36c0e2445fa95ba109017d4b768b2fd825c43/hwdb.d/parse_hwdb.py. + +This patch allows systemd-udev to parse newer hwdb. Hwdb is updated mostly +because of new hardware. Therefore, this patch allows systemd-udev to recongnize +these new hardware. + +--- +diff -uNrp systemd-239.orig/hwdb/parse_hwdb.py systemd-239/hwdb/parse_hwdb.py +--- systemd-239.orig/hwdb/parse_hwdb.py 2022-04-28 11:32:08.740731756 +0800 ++++ systemd-239/hwdb/parse_hwdb.py 2022-04-28 11:32:08.741731786 +0800 +@@ -1,6 +1,5 @@ + #!/usr/bin/env python3 +-# -*- Mode: python; coding: utf-8; indent-tabs-mode: nil -*- */ +-# SPDX-License-Identifier: MIT ++# SPDX-License-Identifier: MIT + # + # This file is distributed under the MIT license, see below. + # +@@ -30,12 +29,11 @@ import sys + import os + + try: +- from pyparsing import (Word, White, Literal, ParserElement, Regex, +- LineStart, LineEnd, ++ from pyparsing import (Word, White, Literal, ParserElement, Regex, LineEnd, + OneOrMore, Combine, Or, Optional, Suppress, Group, + nums, alphanums, printables, +- stringEnd, pythonStyleComment, QuotedString, +- ParseBaseException) ++ stringEnd, pythonStyleComment, ++ ParseBaseException, __diag__) + except ImportError: + print('pyparsing is not available') + sys.exit(77) +@@ -52,33 +50,61 @@ except ImportError: + # don't do caching on old python + lru_cache = lambda: (lambda f: f) + ++__diag__.warn_multiple_tokens_in_named_alternation = True ++__diag__.warn_ungrouped_named_tokens_in_collection = True ++__diag__.warn_name_set_on_empty_Forward = True ++__diag__.warn_on_multiple_string_args_to_oneof = True ++__diag__.enable_debug_on_named_expressions = True ++ + EOL = LineEnd().suppress() + EMPTYLINE = LineEnd() + COMMENTLINE = pythonStyleComment + EOL + INTEGER = Word(nums) +-STRING = QuotedString('"') + REAL = Combine((INTEGER + Optional('.' + Optional(INTEGER))) ^ ('.' + INTEGER)) + SIGNED_REAL = Combine(Optional(Word('-+')) + REAL) + UDEV_TAG = Word(string.ascii_uppercase, alphanums + '_') + ++# Those patterns are used in type-specific matches + TYPES = {'mouse': ('usb', 'bluetooth', 'ps2', '*'), + 'evdev': ('name', 'atkbd', 'input'), ++ 'fb': ('pci'), + 'id-input': ('modalias'), + 'touchpad': ('i8042', 'rmi', 'bluetooth', 'usb'), + 'joystick': ('i8042', 'rmi', 'bluetooth', 'usb'), + 'keyboard': ('name', ), + 'sensor': ('modalias', ), ++ 'ieee1394-unit-function' : ('node', ), ++ 'camera': ('usb'), + } + ++# Patterns that are used to set general properties on a device ++GENERAL_MATCHES = {'acpi', ++ 'bluetooth', ++ 'usb', ++ 'pci', ++ 'sdio', ++ 'vmbus', ++ 'OUI', ++ 'ieee1394', ++ } ++ ++def upperhex_word(length): ++ return Word(nums + 'ABCDEF', exact=length) ++ + @lru_cache() + def hwdb_grammar(): + ParserElement.setDefaultWhitespaceChars('') + + prefix = Or(category + ':' + Or(conn) + ':' + for category, conn in TYPES.items()) +- matchline = Combine(prefix + Word(printables + ' ' + '®')) + EOL ++ ++ matchline_typed = Combine(prefix + Word(printables + ' ' + '®')) ++ matchline_general = Combine(Or(GENERAL_MATCHES) + ':' + Word(printables + ' ' + '®')) ++ matchline = (matchline_typed | matchline_general) + EOL ++ + propertyline = (White(' ', exact=1).suppress() + +- Combine(UDEV_TAG - '=' - Word(alphanums + '_=:@*.!-;, "') - Optional(pythonStyleComment)) + ++ Combine(UDEV_TAG - '=' - Optional(Word(alphanums + '_=:@*.!-;, "/')) ++ - Optional(pythonStyleComment)) + + EOL) + propertycomment = White(' ', exact=1) + pythonStyleComment + EOL + +@@ -87,7 +113,7 @@ def hwdb_grammar(): + (EMPTYLINE ^ stringEnd()).suppress()) + commentgroup = OneOrMore(COMMENTLINE).suppress() - EMPTYLINE.suppress() + +- grammar = OneOrMore(group('GROUPS*') ^ commentgroup) + stringEnd() ++ grammar = OneOrMore(Group(group)('GROUPS*') ^ commentgroup) + stringEnd() + + return grammar + +@@ -95,39 +121,57 @@ def hwdb_grammar(): + def property_grammar(): + ParserElement.setDefaultWhitespaceChars(' ') + +- dpi_setting = (Optional('*')('DEFAULT') + INTEGER('DPI') + Suppress('@') + INTEGER('HZ'))('SETTINGS*') ++ dpi_setting = Group(Optional('*')('DEFAULT') + INTEGER('DPI') + Optional(Suppress('@') + INTEGER('HZ')))('SETTINGS*') + mount_matrix_row = SIGNED_REAL + ',' + SIGNED_REAL + ',' + SIGNED_REAL +- mount_matrix = (mount_matrix_row + ';' + mount_matrix_row + ';' + mount_matrix_row)('MOUNT_MATRIX') ++ mount_matrix = Group(mount_matrix_row + ';' + mount_matrix_row + ';' + mount_matrix_row)('MOUNT_MATRIX') ++ xkb_setting = Optional(Word(alphanums + '+-/@._')) ++ ++ # Although this set doesn't cover all of characters in database entries, it's enough for test targets. ++ name_literal = Word(printables + ' ') + + props = (('MOUSE_DPI', Group(OneOrMore(dpi_setting))), + ('MOUSE_WHEEL_CLICK_ANGLE', INTEGER), + ('MOUSE_WHEEL_CLICK_ANGLE_HORIZONTAL', INTEGER), + ('MOUSE_WHEEL_CLICK_COUNT', INTEGER), + ('MOUSE_WHEEL_CLICK_COUNT_HORIZONTAL', INTEGER), +- ('ID_INPUT', Literal('1')), +- ('ID_INPUT_ACCELEROMETER', Literal('1')), +- ('ID_INPUT_JOYSTICK', Literal('1')), +- ('ID_INPUT_KEY', Literal('1')), +- ('ID_INPUT_KEYBOARD', Literal('1')), +- ('ID_INPUT_MOUSE', Literal('1')), +- ('ID_INPUT_POINTINGSTICK', Literal('1')), +- ('ID_INPUT_SWITCH', Literal('1')), +- ('ID_INPUT_TABLET', Literal('1')), +- ('ID_INPUT_TABLET_PAD', Literal('1')), +- ('ID_INPUT_TOUCHPAD', Literal('1')), +- ('ID_INPUT_TOUCHSCREEN', Literal('1')), +- ('ID_INPUT_TRACKBALL', Literal('1')), +- ('MOUSE_WHEEL_TILT_HORIZONTAL', Literal('1')), +- ('MOUSE_WHEEL_TILT_VERTICAL', Literal('1')), ++ ('ID_AUTOSUSPEND', Or((Literal('0'), Literal('1')))), ++ ('ID_AV_PRODUCTION_CONTROLLER', Or((Literal('0'), Literal('1')))), ++ ('ID_PERSIST', Or((Literal('0'), Literal('1')))), ++ ('ID_PDA', Or((Literal('0'), Literal('1')))), ++ ('ID_INPUT', Or((Literal('0'), Literal('1')))), ++ ('ID_INPUT_ACCELEROMETER', Or((Literal('0'), Literal('1')))), ++ ('ID_INPUT_JOYSTICK', Or((Literal('0'), Literal('1')))), ++ ('ID_INPUT_KEY', Or((Literal('0'), Literal('1')))), ++ ('ID_INPUT_KEYBOARD', Or((Literal('0'), Literal('1')))), ++ ('ID_INPUT_MOUSE', Or((Literal('0'), Literal('1')))), ++ ('ID_INPUT_POINTINGSTICK', Or((Literal('0'), Literal('1')))), ++ ('ID_INPUT_SWITCH', Or((Literal('0'), Literal('1')))), ++ ('ID_INPUT_TABLET', Or((Literal('0'), Literal('1')))), ++ ('ID_INPUT_TABLET_PAD', Or((Literal('0'), Literal('1')))), ++ ('ID_INPUT_TOUCHPAD', Or((Literal('0'), Literal('1')))), ++ ('ID_INPUT_TOUCHSCREEN', Or((Literal('0'), Literal('1')))), ++ ('ID_INPUT_TRACKBALL', Or((Literal('0'), Literal('1')))), ++ ('ID_SIGNAL_ANALYZER', Or((Literal('0'), Literal('1')))), + ('POINTINGSTICK_SENSITIVITY', INTEGER), + ('POINTINGSTICK_CONST_ACCEL', REAL), + ('ID_INPUT_JOYSTICK_INTEGRATION', Or(('internal', 'external'))), + ('ID_INPUT_TOUCHPAD_INTEGRATION', Or(('internal', 'external'))), +- ('XKB_FIXED_LAYOUT', STRING), +- ('XKB_FIXED_VARIANT', STRING), ++ ('XKB_FIXED_LAYOUT', xkb_setting), ++ ('XKB_FIXED_VARIANT', xkb_setting), ++ ('XKB_FIXED_MODEL', xkb_setting), + ('KEYBOARD_LED_NUMLOCK', Literal('0')), + ('KEYBOARD_LED_CAPSLOCK', Literal('0')), + ('ACCEL_MOUNT_MATRIX', mount_matrix), ++ ('ACCEL_LOCATION', Or(('display', 'base'))), ++ ('PROXIMITY_NEAR_LEVEL', INTEGER), ++ ('IEEE1394_UNIT_FUNCTION_MIDI', Or((Literal('0'), Literal('1')))), ++ ('IEEE1394_UNIT_FUNCTION_AUDIO', Or((Literal('0'), Literal('1')))), ++ ('IEEE1394_UNIT_FUNCTION_VIDEO', Or((Literal('0'), Literal('1')))), ++ ('ID_VENDOR_FROM_DATABASE', name_literal), ++ ('ID_MODEL_FROM_DATABASE', name_literal), ++ ('ID_TAG_MASTER_OF_SEAT', Literal('1')), ++ ('ID_INFRARED_CAMERA', Or((Literal('0'), Literal('1')))), ++ ('ID_CAMERA_DIRECTION', Or(('front', 'rear'))), + ) + fixed_props = [Literal(name)('NAME') - Suppress('=') - val('VALUE') + for name, val in props] +@@ -165,8 +209,29 @@ def parse(fname): + return [] + return [convert_properties(g) for g in parsed.GROUPS] + +-def check_match_uniqueness(groups): ++def check_matches(groups): + matches = sum((group[0] for group in groups), []) ++ ++ # This is a partial check. The other cases could be also done, but those ++ # two are most commonly wrong. ++ grammars = { 'usb' : 'v' + upperhex_word(4) + Optional('p' + upperhex_word(4) + Optional(':')) + '*', ++ 'pci' : 'v' + upperhex_word(8) + Optional('d' + upperhex_word(8) + Optional(':')) + '*', ++ } ++ ++ for match in matches: ++ prefix, rest = match.split(':', maxsplit=1) ++ gr = grammars.get(prefix) ++ if gr: ++ # we check this first to provide an easy error message ++ if rest[-1] not in '*:': ++ error('pattern {} does not end with "*" or ":"', match) ++ ++ try: ++ gr.parseString(rest) ++ except ParseBaseException as e: ++ error('Pattern {!r} is invalid: {}', rest, e) ++ continue ++ + matches.sort() + prev = None + for match in matches: +@@ -196,15 +261,25 @@ def check_one_mount_matrix(prop, value): + def check_one_keycode(prop, value): + if value != '!' and ecodes is not None: + key = 'KEY_' + value.upper() +- if key not in ecodes: +- key = value.upper() +- if key not in ecodes: +- error('Keycode {} unknown', key) ++ if not (key in ecodes or ++ value.upper() in ecodes or ++ # new keys added in kernel 5.5 ++ 'KBD_LCD_MENU' in key): ++ error('Keycode {} unknown', key) ++ ++def check_wheel_clicks(properties): ++ pairs = (('MOUSE_WHEEL_CLICK_COUNT_HORIZONTAL', 'MOUSE_WHEEL_CLICK_COUNT'), ++ ('MOUSE_WHEEL_CLICK_ANGLE_HORIZONTAL', 'MOUSE_WHEEL_CLICK_ANGLE'), ++ ('MOUSE_WHEEL_CLICK_COUNT_HORIZONTAL', 'MOUSE_WHEEL_CLICK_ANGLE_HORIZONTAL'), ++ ('MOUSE_WHEEL_CLICK_COUNT', 'MOUSE_WHEEL_CLICK_ANGLE')) ++ for pair in pairs: ++ if pair[0] in properties and pair[1] not in properties: ++ error('{} requires {} to be specified', *pair) + + def check_properties(groups): + grammar = property_grammar() + for matches, props in groups: +- prop_names = set() ++ seen_props = {} + for prop in props: + # print('--', prop) + prop = prop.partition('#')[0].rstrip() +@@ -214,30 +289,35 @@ def check_properties(groups): + error('Failed to parse: {!r}', prop) + continue + # print('{!r}'.format(parsed)) +- if parsed.NAME in prop_names: ++ if parsed.NAME in seen_props: + error('Property {} is duplicated', parsed.NAME) +- prop_names.add(parsed.NAME) ++ seen_props[parsed.NAME] = parsed.VALUE + if parsed.NAME == 'MOUSE_DPI': + check_one_default(prop, parsed.VALUE.SETTINGS) + elif parsed.NAME == 'ACCEL_MOUNT_MATRIX': + check_one_mount_matrix(prop, parsed.VALUE) + elif parsed.NAME.startswith('KEYBOARD_KEY_'): +- check_one_keycode(prop, parsed.VALUE) ++ val = parsed.VALUE if isinstance(parsed.VALUE, str) else parsed.VALUE[0] ++ check_one_keycode(prop, val) ++ ++ check_wheel_clicks(seen_props) + + def print_summary(fname, groups): ++ n_matches = sum(len(matches) for matches, props in groups) ++ n_props = sum(len(props) for matches, props in groups) + print('{}: {} match groups, {} matches, {} properties' +- .format(fname, +- len(groups), +- sum(len(matches) for matches, props in groups), +- sum(len(props) for matches, props in groups))) ++ .format(fname, len(groups), n_matches, n_props)) ++ ++ if n_matches == 0 or n_props == 0: ++ error('{}: no matches or props'.format(fname)) + + if __name__ == '__main__': +- args = sys.argv[1:] or glob.glob(os.path.dirname(sys.argv[0]) + '/[67]0-*.hwdb') ++ args = sys.argv[1:] or sorted(glob.glob(os.path.dirname(sys.argv[0]) + '/[678][0-9]-*.hwdb')) + + for fname in args: + groups = parse(fname) + print_summary(fname, groups) +- check_match_uniqueness(groups) ++ check_matches(groups) + check_properties(groups) + + sys.exit(ERROR) diff --git a/20002-cgroup-do-not-refresh-cgroup-devices-config-when-dae.patch b/20002-cgroup-do-not-refresh-cgroup-devices-config-when-dae.patch new file mode 100644 index 0000000..7d81489 --- /dev/null +++ b/20002-cgroup-do-not-refresh-cgroup-devices-config-when-dae.patch @@ -0,0 +1,26 @@ +From 62f8dac80e5f908f83b6e7cd06629055184c25d7 Mon Sep 17 00:00:00 2001 +From: Forrestly +Date: Thu, 23 Mar 2023 10:08:33 +0800 +Subject: [PATCH] cgroup: do not refresh cgroup devices config when + daemon-reload(#42937798) + +Signed-off-by: Forrestly +--- + src/core/cgroup.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/core/cgroup.c b/src/core/cgroup.c +index 50d2738..ea92aa6 100644 +--- a/src/core/cgroup.c ++++ b/src/core/cgroup.c +@@ -1920,6 +1920,7 @@ static int unit_realize_cgroup_now(Unit *u, ManagerState state) { + enable_mask = unit_get_enable_mask(u); + needs_bpf = unit_get_needs_bpf(u); + ++ target_mask &= ~CGROUP_MASK_DEVICES; + if (unit_has_mask_realized(u, target_mask, enable_mask, needs_bpf)) + return 0; + +-- +2.34.1 + diff --git a/20003-core-introduce-cgroup-full-delegation-for-compabilit.patch b/20003-core-introduce-cgroup-full-delegation-for-compabilit.patch new file mode 100644 index 0000000..21c5557 --- /dev/null +++ b/20003-core-introduce-cgroup-full-delegation-for-compabilit.patch @@ -0,0 +1,133 @@ +From f25124fabe1ed973840291d46549af6e1c5fad56 Mon Sep 17 00:00:00 2001 +From: "zhongling.h" +Date: Fri, 4 Aug 2023 10:08:16 +0800 +Subject: [PATCH] core: introduce cgroup full delegation for compability + +While using systemd-219, users can set 'delegate=y' to claim the +possession of cgroup settings. By then, users are able to write raw +values under /sys/fs/cgroup to adjust cgroup settings and systemd +won't touch these values any longer. + +However, this is likely to be an undefined behaviour for systemd-219. +Upon releasing systemd-239, a documentation of cgroup delegation was +added, +https://github.com/systemd/systemd/commit/e30eaff3a32523b09d61af67fc999f1f62f4e0cb. +It states that: + +Only sub-trees can be delegated (though whoever decides to request a +sub-tree can delegate sub-sub-trees further to somebody else if they +like it).' + +Which is quite different from what people understand the delegation of +systemd-219. Currently, whether a unit is delegated or not, systemd always +possesses any cgroup it created, only ignoring the sub-tree ones +according to delegation settings. + +This behaviour change causes confusion if users switch from systemd-219 to +systemd-239. As a result, we introduce 'FullDelegation', a feature that +brings what users are already familiar with to systemd-239. If users set +'FullDelegation=yes' in /etc/systemd/system.conf, they can control raw +values under /sys/fs/cgroup without worrying systemd touching these +values, which is the same as what they expected with systemd-219. + +--- + src/core/cgroup.c | 16 ++++++++++++++++ + src/core/main.c | 4 ++++ + src/core/manager.h | 1 + + src/core/system.conf.in | 1 + + 4 files changed, 22 insertions(+) + +diff --git a/src/core/cgroup.c b/src/core/cgroup.c +index ea92aa6f7b..17e3b90e37 100644 +--- a/src/core/cgroup.c ++++ b/src/core/cgroup.c +@@ -1692,6 +1692,15 @@ static int unit_create_cgroup( + /* Keep track that this is now realized */ + u->cgroup_realized = true; + u->cgroup_realized_mask = target_mask; ++ ++ // While realizing cgroup, we don't realize delegated cgroup, therefore, target_mask ++ // doesn't contain delegated cgroup controller bit, and u->cgroup_realized_mask will ++ // not contain delegated cgroup controller bit as well. This unit will be in a state ++ // as if delegated cgroup is not set, which is not expected. ++ // If this is not present, delegated cgroup will be set every 2 systemctl daemon-reload ++ if (u->manager->full_delegation && unit_cgroup_delegate(u)) ++ u->cgroup_realized_mask |= unit_get_delegate_mask(u); ++ + u->cgroup_enabled_mask = enable_mask; + u->cgroup_bpf_state = needs_bpf ? UNIT_CGROUP_BPF_ON : UNIT_CGROUP_BPF_OFF; + +@@ -1921,6 +1930,10 @@ static int unit_realize_cgroup_now(Unit *u, ManagerState state) { + needs_bpf = unit_get_needs_bpf(u); + + target_mask &= ~CGROUP_MASK_DEVICES; ++ ++ if (u->manager->full_delegation && unit_cgroup_delegate(u)) ++ target_mask ^= u->cgroup_realized_mask; ++ + if (unit_has_mask_realized(u, target_mask, enable_mask, needs_bpf)) + return 0; + +@@ -2883,6 +2896,9 @@ int unit_reset_ip_accounting(Unit *u) { + void unit_invalidate_cgroup(Unit *u, CGroupMask m) { + assert(u); + ++ if (u->manager->full_delegation) ++ m ^= unit_get_delegate_mask(u); // don't invalidate delegated cgroup ++ + if (!UNIT_HAS_CGROUP_CONTEXT(u)) + return; + +diff --git a/src/core/main.c b/src/core/main.c +index 546bf0d870..68daf07077 100644 +--- a/src/core/main.c ++++ b/src/core/main.c +@@ -142,6 +142,7 @@ static bool reexec_jmp_can = false; + static bool reexec_jmp_inited = false; + static sigjmp_buf reexec_jmp_buf; + static bool arg_default_cpuset_clone_children = false; ++static bool arg_full_delegation = false; + + static int parse_configuration(const struct rlimit *saved_rlimit_nofile, + const struct rlimit *saved_rlimit_memlock); +@@ -768,6 +769,8 @@ static int parse_config_file(void) { + { "Manager", "DefaultTasksMax", config_parse_tasks_max, 0, &arg_default_tasks_max }, + { "Manager", "CtrlAltDelBurstAction", config_parse_emergency_action, 0, &arg_cad_burst_action }, + { "Manager", "DefaultCPUSetCloneChildren",config_parse_bool, 0, &arg_default_cpuset_clone_children }, ++ { "Manager", "FullDelegation", config_parse_bool, 0, &arg_full_delegation }, ++ + {} + }; + +@@ -817,6 +820,7 @@ static void set_manager_defaults(Manager *m) { + m->default_memory_accounting = arg_default_memory_accounting; + m->default_tasks_accounting = arg_default_tasks_accounting; + m->default_tasks_max = arg_default_tasks_max; ++ m->full_delegation = arg_full_delegation; + + manager_set_default_rlimits(m, arg_default_rlimit); + manager_environment_add(m, NULL, arg_default_environment); +diff --git a/src/core/manager.h b/src/core/manager.h +index 98d381bc5b..91f2c05afe 100644 +--- a/src/core/manager.h ++++ b/src/core/manager.h +@@ -297,6 +297,7 @@ struct Manager { + bool default_blockio_accounting; + bool default_tasks_accounting; + bool default_ip_accounting; ++ bool full_delegation; + + uint64_t default_tasks_max; + usec_t default_timer_accuracy_usec; +diff --git a/src/core/system.conf.in b/src/core/system.conf.in +index 2f6852a89f..6c84a55401 100644 +--- a/src/core/system.conf.in ++++ b/src/core/system.conf.in +@@ -67,3 +67,4 @@ DefaultLimitCORE=0:infinity + #DefaultLimitRTTIME= + #IPAddressAllow= + #IPAddressDeny= ++#FullDelegation=no +-- +2.39.3 + diff --git a/systemd.spec b/systemd.spec index 2a716ee..44bbe6e 100644 --- a/systemd.spec +++ b/systemd.spec @@ -1092,6 +1092,10 @@ Patch10024: 10024-fileio-beef-up-READ_FULL_FILE_CONNECT_SOCKET-to-all.patch Patch10025: 10025-fileio-teach-read_full_file_full-to-read-from-offse.patch Patch10026: 10026-cryptsetup-port-cryptsetup-s-main-key-file-logic-ov.patch +Patch20001: 20001-hwdb-parse_hwdb_dot_py.patch +Patch20002: 20002-cgroup-do-not-refresh-cgroup-devices-config-when-dae.patch +Patch20003: 20003-core-introduce-cgroup-full-delegation-for-compabilit.patch + %ifarch %{ix86} x86_64 aarch64 %global have_gnu_efi 1 %endif @@ -1746,6 +1750,9 @@ fi - fileio: beef up READ_FULL_FILE_CONNECT_SOCKET to allow setting sender socket name (Guorui Yu) - fileio: teach read_full_file_full() to read from offset/with maximum size (Guorui Yu) - cryptsetup: port cryptsetup's main key file logic over to read_full_file_full() (Guorui Yu) +- Update upstream parse_hwdb.py to fix parse-hwdb error (Zhongling He) +- cgroup: do not refresh cgroup devices config when daemon-reload (Zhongling He) +- core: introduce cgroup full delegation for compability (Zhongling He) * Tue Jul 23 2024 systemd maintenance team - 239-82.2 - spec: do not create symlink /etc/systemd/system/syslog.service (RHEL-13179) -- Gitee From a2ce7a30406ab458a7602c0d8ad5d666ab6ec248 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E5=BF=A0=E5=87=8C?= Date: Tue, 12 Dec 2023 17:15:44 +0800 Subject: [PATCH 10/19] add README.md to especially address patch indexing convention --- README.md | 11 +++++++++++ 1 file changed, 11 insertions(+) create mode 100644 README.md diff --git a/README.md b/README.md new file mode 100644 index 0000000..7d30ca3 --- /dev/null +++ b/README.md @@ -0,0 +1,11 @@ +# systemd-239 + +This is the repository of systemd-239 for Anolis OS 8. + +## Patch index convention + +Below is the patch index convention of this repository: + +- 0001 ... 0xxx : patches from upstream srpm +- 10001 ... 10xxx : patches cherry-picked from systemd github upstream +- 20001 ... 20xxx : original patch by OpenAnolis community \ No newline at end of file -- Gitee From a23965b8099034aa673f78ee21610705d31a5ee9 Mon Sep 17 00:00:00 2001 From: wangkaiyuan Date: Wed, 31 Jan 2024 19:37:11 +0800 Subject: [PATCH 11/19] Update vendor ids for ieisystem 0750 --- ...Update-vendor-ids-for-ieisystem-0750.patch | 27 +++++++++++++++++++ systemd.spec | 2 ++ 2 files changed, 29 insertions(+) create mode 100644 20004-Update-vendor-ids-for-ieisystem-0750.patch diff --git a/20004-Update-vendor-ids-for-ieisystem-0750.patch b/20004-Update-vendor-ids-for-ieisystem-0750.patch new file mode 100644 index 0000000..ca0b4c2 --- /dev/null +++ b/20004-Update-vendor-ids-for-ieisystem-0750.patch @@ -0,0 +1,27 @@ +From 2afcc209fb4677581294421f20bb0d057238539e Mon Sep 17 00:00:00 2001 +From: wangkaiyuan +Date: Wed, 31 Jan 2024 19:30:33 +0800 +Subject: [PATCH] Update vendor ids for ieisystem 0750 + +Signed-off-by: wangkaiyuan +--- + hwdb/20-pci-vendor-model.hwdb | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/hwdb/20-pci-vendor-model.hwdb b/hwdb/20-pci-vendor-model.hwdb +index cdbd8ff..4b666e8 100644 +--- a/hwdb/20-pci-vendor-model.hwdb ++++ b/hwdb/20-pci-vendor-model.hwdb +@@ -69122,6 +69122,9 @@ pci:v00001BD0d00001203* + pci:v00001BD4* + ID_VENDOR_FROM_DATABASE=Inspur Electronic Information Industry Co., Ltd. + ++pci:v00001BD4d00000750* ++ ID_MODEL_FROM_DATABASE=YHGCH ZX1000 ++ + pci:v00001BD4d00000911* + ID_MODEL_FROM_DATABASE=Arria10_PCIe_F10A1150 + +-- +2.31.1 + diff --git a/systemd.spec b/systemd.spec index 44bbe6e..7de4b0e 100644 --- a/systemd.spec +++ b/systemd.spec @@ -1095,6 +1095,7 @@ Patch10026: 10026-cryptsetup-port-cryptsetup-s-main-key-file-logic-ov.patch Patch20001: 20001-hwdb-parse_hwdb_dot_py.patch Patch20002: 20002-cgroup-do-not-refresh-cgroup-devices-config-when-dae.patch Patch20003: 20003-core-introduce-cgroup-full-delegation-for-compabilit.patch +Patch20004: 20004-Update-vendor-ids-for-ieisystem-0750.patch %ifarch %{ix86} x86_64 aarch64 %global have_gnu_efi 1 @@ -1753,6 +1754,7 @@ fi - Update upstream parse_hwdb.py to fix parse-hwdb error (Zhongling He) - cgroup: do not refresh cgroup devices config when daemon-reload (Zhongling He) - core: introduce cgroup full delegation for compability (Zhongling He) +- Update vendor ids for ieisystem 0750 (wangkaiyuan@inspur.com) * Tue Jul 23 2024 systemd maintenance team - 239-82.2 - spec: do not create symlink /etc/systemd/system/syslog.service (RHEL-13179) -- Gitee From 9bb9d93008e4d434f5f6c9d57255f8b2085775e6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E5=BF=A0=E5=87=8C?= Date: Tue, 19 Mar 2024 11:49:45 +0800 Subject: [PATCH 12/19] update lifsea patch numbering convention --- README.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 7d30ca3..b91be56 100644 --- a/README.md +++ b/README.md @@ -8,4 +8,6 @@ Below is the patch index convention of this repository: - 0001 ... 0xxx : patches from upstream srpm - 10001 ... 10xxx : patches cherry-picked from systemd github upstream -- 20001 ... 20xxx : original patch by OpenAnolis community \ No newline at end of file +- 20001 ... 20xxx : original patch by OpenAnolis community +- 910001 ... 910xxx : LifseaOS patches that cherry-picked from systemd github upstream +- 920001 ... 920xxx : LifseaOS original patches -- Gitee From 6ad8ae9bc8865b216f219c1a58c4dedf0cb4c610 Mon Sep 17 00:00:00 2001 From: yuanhui Date: Thu, 29 Feb 2024 16:55:29 +0800 Subject: [PATCH 13/19] Merge LifseaOS modification to anolis8 Signed-off-by: yuanhui --- 10027-fix-compilation-without-utmp.patch | 24 +++ ...ormation-from-hostnamed-in-plot-even.patch | 101 ++++++++++ ...nd-a-requirement-of-user-runtime-dir.patch | 44 +++++ ...pendency-of-libcryptsetup-if-HAVE_LI.patch | 40 ++++ ...group-path-which-not-created-by-syst.patch | 31 ++++ systemd.spec | 172 +++++++++++++++--- 6 files changed, 386 insertions(+), 26 deletions(-) create mode 100644 10027-fix-compilation-without-utmp.patch create mode 100644 91000-analyze-show-information-from-hostnamed-in-plot-even.patch create mode 100644 92000-meson-Make-logind-a-requirement-of-user-runtime-dir.patch create mode 100644 92001-shared-Remove-dependency-of-libcryptsetup-if-HAVE_LI.patch create mode 100644 92002-Do-not-remove-cgroup-path-which-not-created-by-syst.patch diff --git a/10027-fix-compilation-without-utmp.patch b/10027-fix-compilation-without-utmp.patch new file mode 100644 index 0000000..4526be3 --- /dev/null +++ b/10027-fix-compilation-without-utmp.patch @@ -0,0 +1,24 @@ +From 813c9418ca8f6eabd179feace3f115b874e6a1a6 Mon Sep 17 00:00:00 2001 +From: Steven Allen +Date: Wed, 7 Nov 2018 07:44:36 -0800 +Subject: [PATCH] fix compilation without utmp + +--- + src/login/logind-core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/login/logind-core.c b/src/login/logind-core.c +index abe6eec..519abf5 100644 +--- a/src/login/logind-core.c ++++ b/src/login/logind-core.c +@@ -779,7 +779,7 @@ int manager_read_utmp(Manager *m) { + endutxent(); + return r; + #else +- return 0 ++ return 0; + #endif + } + +-- +2.39.3 diff --git a/91000-analyze-show-information-from-hostnamed-in-plot-even.patch b/91000-analyze-show-information-from-hostnamed-in-plot-even.patch new file mode 100644 index 0000000..272abec --- /dev/null +++ b/91000-analyze-show-information-from-hostnamed-in-plot-even.patch @@ -0,0 +1,101 @@ +From af0841e9fc99fbab958a53fc43424ada6b9a19ad Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Sun, 22 Jul 2018 14:33:31 +0900 +Subject: [PATCH] analyze: show information from hostnamed in plot even when + user mode + +(cherry-picked from upstream 4f481d76fcbb72fc91789a464cd2b75f0bd47e20) + +This will resolve the following issue after systemd-hostnamed is +disabled: + +``` +[root@localhost ~]# systemd-analyze plot +Failed to get host information from systemd: The name org.freedesktop.hostname1 was not provided by any .service files +``` + +Signed-off-by: Yuanhong Peng +--- + src/analyze/analyze.c | 28 ++++++++++++++++++++-------- + 1 file changed, 20 insertions(+), 8 deletions(-) + +diff --git a/src/analyze/analyze.c b/src/analyze/analyze.c +index c30a133..1ae096d 100644 +--- a/src/analyze/analyze.c ++++ b/src/analyze/analyze.c +@@ -448,6 +448,7 @@ static int acquire_host_info(sd_bus *bus, struct host_info **hi) { + }; + + _cleanup_(sd_bus_error_free) sd_bus_error error = SD_BUS_ERROR_NULL; ++ _cleanup_(sd_bus_flush_close_unrefp) sd_bus *system_bus = NULL; + _cleanup_(free_host_infop) struct host_info *host; + int r; + +@@ -455,7 +456,15 @@ static int acquire_host_info(sd_bus *bus, struct host_info **hi) { + if (!host) + return log_oom(); + +- r = bus_map_all_properties(bus, ++ if (arg_scope != UNIT_FILE_SYSTEM) { ++ r = bus_connect_transport(arg_transport, arg_host, false, &system_bus); ++ if (r < 0) { ++ log_debug_errno(r, "Failed to connect to system bus, ignoring: %m"); ++ goto manager; ++ } ++ } ++ ++ r = bus_map_all_properties(system_bus ?: bus, + "org.freedesktop.hostname1", + "/org/freedesktop/hostname1", + hostname_map, +@@ -463,9 +472,12 @@ static int acquire_host_info(sd_bus *bus, struct host_info **hi) { + &error, + NULL, + host); +- if (r < 0) +- log_debug_errno(r, "Failed to get host information from systemd-hostnamed: %s", bus_error_message(&error, r)); ++ if (r < 0) { ++ log_debug_errno(r, "Failed to get host information from systemd-hostnamed, ignoring: %s", bus_error_message(&error, r)); ++ sd_bus_error_free(&error); ++ } + ++manager: + r = bus_map_all_properties(bus, + "org.freedesktop.systemd1", + "/org/freedesktop/systemd1", +@@ -584,12 +596,12 @@ static int analyze_plot(int argc, char *argv[], void *userdata) { + _cleanup_(free_host_infop) struct host_info *host = NULL; + _cleanup_(sd_bus_flush_close_unrefp) sd_bus *bus = NULL; + _cleanup_(unit_times_freep) struct unit_times *times = NULL; ++ _cleanup_free_ char *pretty_times = NULL; ++ bool use_full_bus = arg_scope == UNIT_FILE_SYSTEM; + struct boot_times *boot; ++ struct unit_times *u; + int n, m = 1, y = 0, r; +- bool use_full_bus = true; + double width; +- _cleanup_free_ char *pretty_times = NULL; +- struct unit_times *u; + + r = acquire_bus(&bus, &use_full_bus); + if (r < 0) +@@ -603,7 +615,7 @@ static int analyze_plot(int argc, char *argv[], void *userdata) { + if (n < 0) + return n; + +- if (use_full_bus) { ++ if (use_full_bus || arg_scope != UNIT_FILE_SYSTEM) { + n = acquire_host_info(bus, &host); + if (n < 0) + return n; +@@ -705,7 +717,7 @@ static int analyze_plot(int argc, char *argv[], void *userdata) { + + svg("\n"); + svg("%s", pretty_times); +- if (use_full_bus) ++ if (host) + svg("%s %s (%s %s %s) %s %s", + isempty(host->os_pretty_name) ? "Linux" : host->os_pretty_name, + strempty(host->hostname), +-- +2.18.1 \ No newline at end of file diff --git a/92000-meson-Make-logind-a-requirement-of-user-runtime-dir.patch b/92000-meson-Make-logind-a-requirement-of-user-runtime-dir.patch new file mode 100644 index 0000000..16bea35 --- /dev/null +++ b/92000-meson-Make-logind-a-requirement-of-user-runtime-dir.patch @@ -0,0 +1,44 @@ +From b7da107bc80d65ebf6a1e6838f780f756f2fb25c Mon Sep 17 00:00:00 2001 +From: Yuanhong Peng +Date: Fri, 26 Feb 2021 19:20:48 +0800 +Subject: [PATCH] meson: Make logind a requirement of user-runtime-dir + +Partly cherry-picked from upstream 07ee5adb. Since we don't +enable logind in LifseaOS, this is the simplest way to cut +off the user-runtime-dir binary and service file. + +Signed-off-by: Yuanhong Peng +--- + meson.build | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +diff --git a/meson.build b/meson.build +index cf6990a..fd47e75 100644 +--- a/meson.build ++++ b/meson.build +@@ -1735,15 +1735,15 @@ if conf.get('ENABLE_LOGIND') == 1 + test_dlopen, + args : [pam_systemd.full_path()]) # path to dlopen must include a slash + endif +-endif + +-executable('systemd-user-runtime-dir', +- user_runtime_dir_sources, +- include_directories : includes, +- link_with : [libshared, liblogind_core], +- install_rpath : rootlibexecdir, +- install : true, +- install_dir : rootlibexecdir) ++ executable('systemd-user-runtime-dir', ++ user_runtime_dir_sources, ++ include_directories : includes, ++ link_with : [libshared, liblogind_core], ++ install_rpath : rootlibexecdir, ++ install : true, ++ install_dir : rootlibexecdir) ++endif + + if conf.get('HAVE_PAM') == 1 + executable('systemd-user-sessions', +-- +2.18.1 \ No newline at end of file diff --git a/92001-shared-Remove-dependency-of-libcryptsetup-if-HAVE_LI.patch b/92001-shared-Remove-dependency-of-libcryptsetup-if-HAVE_LI.patch new file mode 100644 index 0000000..433c611 --- /dev/null +++ b/92001-shared-Remove-dependency-of-libcryptsetup-if-HAVE_LI.patch @@ -0,0 +1,40 @@ +From afaeb794b5ecf2772765f4a92e92f9be831ef1ea Mon Sep 17 00:00:00 2001 +From: Yuanhong Peng +Date: Fri, 26 Mar 2021 10:37:15 +0800 +Subject: [PATCH] shared: Remove dependency of libcryptsetup if + HAVE_LIBCRYPTSETUP is not defined + +We do not enable libcryptsetup in configuration, so this dependency is +fake. Remove dependency of libcryptsetup will reduce more than ten +dependencies of libsystemd-shared-239.so. + +Signed-off-by: Yuanhong Peng +--- + src/shared/meson.build | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/src/shared/meson.build b/src/shared/meson.build +index d0a1bba..e492ce9 100644 +--- a/src/shared/meson.build ++++ b/src/shared/meson.build +@@ -131,7 +131,6 @@ libshared_deps = [threads, + librt, + libcap, + libacl, +- libcryptsetup, + libgcrypt, + libiptc, + libseccomp, +@@ -141,6 +140,10 @@ libshared_deps = [threads, + liblz4, + libblkid] + ++if conf.get('HAVE_LIBCRYPTSETUP') == 1 ++ libshared_deps += [libcryptsetup] ++endif ++ + libshared_sym_path = '@0@/libshared.sym'.format(meson.current_source_dir()) + + libshared_static = static_library( +-- +2.18.1 \ No newline at end of file diff --git a/92002-Do-not-remove-cgroup-path-which-not-created-by-syst.patch b/92002-Do-not-remove-cgroup-path-which-not-created-by-syst.patch new file mode 100644 index 0000000..aec1813 --- /dev/null +++ b/92002-Do-not-remove-cgroup-path-which-not-created-by-syst.patch @@ -0,0 +1,31 @@ +From 327dab8117c7b478a928387b4384ae7815ad4f06 Mon Sep 17 00:00:00 2001 +From: Yuanhong Peng +Date: Wed, 22 Nov 2023 17:03:33 +0800 +Subject: [PATCH] Do not remove cgroup path which not created by systemd + +It's a workaround for #52520469 + +Details in https://issues.redhat.com/browse/RHEL-16781 + +Signed-off-by: Yuanhong Peng +--- + src/basic/cgroup-util.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/src/basic/cgroup-util.c b/src/basic/cgroup-util.c +index 14abe6e..5c87a7a 100644 +--- a/src/basic/cgroup-util.c ++++ b/src/basic/cgroup-util.c +@@ -719,6 +719,10 @@ static int trim_cb(const char *path, const struct stat *sb, int typeflag, struct + if (ftwbuf->level < 1) + return 0; + ++ // workaround: do not remove cgroup path which not created by systemd ++ if (!strstr(path, ".slice/") && !strstr(path, ".service/")) ++ return 0; ++ + (void) rmdir(path); + return 0; + } +-- +2.39.3 \ No newline at end of file diff --git a/systemd.spec b/systemd.spec index 7de4b0e..844399a 100644 --- a/systemd.spec +++ b/systemd.spec @@ -14,7 +14,7 @@ Name: systemd Url: http://www.freedesktop.org/wiki/Software/systemd Version: 239 -Release: 82%{anolis_release}%{?dist}.2 +Release: 82%{anolis_release}%{?dist}%{?lifsea_dist}.2 # For a breakdown of the licensing, see README License: LGPLv2+ and MIT and GPLv2+ Summary: System and Service Manager @@ -41,7 +41,9 @@ Source8: systemd-journal-gatewayd.xml Source9: 20-yama-ptrace.conf Source10: systemd-udev-trigger-no-reload.conf Source11: 20-grubby.install +%if ! %{defined lifsea_dist} Source12: systemd-user +%endif Source13: rc.local %if 0 @@ -1091,12 +1093,21 @@ Patch10023: 10023-fileio-add-support-for-read_full_file-on-AF_UNIX-st.patch Patch10024: 10024-fileio-beef-up-READ_FULL_FILE_CONNECT_SOCKET-to-all.patch Patch10025: 10025-fileio-teach-read_full_file_full-to-read-from-offse.patch Patch10026: 10026-cryptsetup-port-cryptsetup-s-main-key-file-logic-ov.patch +Patch10027: 10027-fix-compilation-without-utmp.patch Patch20001: 20001-hwdb-parse_hwdb_dot_py.patch Patch20002: 20002-cgroup-do-not-refresh-cgroup-devices-config-when-dae.patch Patch20003: 20003-core-introduce-cgroup-full-delegation-for-compabilit.patch Patch20004: 20004-Update-vendor-ids-for-ieisystem-0750.patch +# lifsea only patch +%if %{defined lifsea_dist} +Patch91000: 91000-analyze-show-information-from-hostnamed-in-plot-even.patch +Patch92000: 92000-meson-Make-logind-a-requirement-of-user-runtime-dir.patch +Patch92001: 92001-shared-Remove-dependency-of-libcryptsetup-if-HAVE_LI.patch +Patch92002: 92002-Do-not-remove-cgroup-path-which-not-created-by-syst.patch +%endif + %ifarch %{ix86} x86_64 aarch64 %global have_gnu_efi 1 %endif @@ -1105,7 +1116,8 @@ BuildRequires: gcc BuildRequires: gcc-c++ BuildRequires: libcap-devel BuildRequires: libmount-devel -BuildRequires: pam-devel +%{!?lifsea_dist:BuildRequires: pam-devel} +%{?lifsea_dist:BuildRequires: acl} BuildRequires: libselinux-devel BuildRequires: audit-libs-devel BuildRequires: cryptsetup-devel @@ -1146,15 +1158,19 @@ BuildRequires: gettext Requires(post): coreutils Requires(post): sed -Requires(post): acl +%{!?lifsea_dist:Requires(post): acl} Requires(post): grep # systemd-machine-id-setup requires libssl Requires(post): openssl-libs Requires(pre): coreutils Requires(pre): /usr/bin/getent Requires(pre): /usr/sbin/groupadd +%if ! %{defined lifsea_dist} Requires: dbus >= 1.9.18 Requires: %{name}-pam = %{version}-%{release} +%else +Recommends: dbus >= 1.9.18 +%endif Requires: %{name}-libs = %{version}-%{release} Recommends: diffutils Requires: util-linux @@ -1198,9 +1214,11 @@ Obsoletes: libudev < 183 Obsoletes: systemd < 185-4 Conflicts: systemd < 185-4 Obsoletes: systemd-compat-libs < 230 +%if ! %{defined lifsea_dist} Obsoletes: nss-myhostname < 0.4 Provides: nss-myhostname = 0.4 Provides: nss-myhostname%{_isa} = 0.4 +%endif Requires(post): coreutils Requires(post): sed Requires(post): grep @@ -1209,12 +1227,14 @@ Requires(post): /usr/bin/getent %description libs Libraries for systemd and udev. +%if ! %{defined lifsea_dist} %package pam Summary: systemd PAM module Requires: %{name} = %{version}-%{release} %description pam Systemd PAM module registers the session with systemd-logind. +%endif %package devel Summary: Development headers for systemd @@ -1223,8 +1243,10 @@ Requires: %{name}-libs%{?_isa} = %{version}-%{release} Provides: libudev-devel = %{version} Provides: libudev-devel%{_isa} = %{version} Obsoletes: libudev-devel < 183 +%if ! %{defined lifsea_dist} # Fake dependency to make sure systemd-pam is pulled into multilib (#1414153) Requires: %{name}-pam = %{version}-%{release} +%endif %description devel Development headers and auxiliary files for developing applications linking @@ -1299,8 +1321,15 @@ License: LGPLv2+ "Installed tests" that are usually run as part of the build system. They can be useful to test systemd internals. +# To avoid users installing the LifseaOS package in other os +%define common_pre_scripts() \ +if ! grep -q 'ID="lifsea"' /etc/os-release; then \ + echo "This package is only for LifseaOS!" \ + exit 1 \ +fi + %prep -%autosetup %{?gitcommit:-n %{name}-%{gitcommit}} -S git_am +%autosetup %{?gitcommit:-n %{name}-%{gitcommit}}%{?lifsea_dist: -n %{name}-%{version}} -S git_am %build %define ntpvendor %(source /etc/os-release; echo ${ID}) @@ -1313,35 +1342,34 @@ CONFIGURE_OPTS=( -Ddns-servers='' -Ddev-kvm-mode=0666 -Dkmod=true - -Dxkbcommon=true + -Dxkbcommon=%{!?lifsea_dist:true}%{?lifsea_dist:false} -Dblkid=true -Dseccomp=true -Dima=true -Dselinux=true -Dapparmor=false - -Dpolkit=true - -Dxz=true - -Dzlib=true - -Dbzip2=true - -Dlz4=true - -Dpam=true + -Dpolkit=%{!?lifsea_dist:true}%{?lifsea_dist:false} + -Dxz=%{!?lifsea_dist:true}%{?lifsea_dist:false} + -Dzlib=%{!?lifsea_dist:true}%{?lifsea_dist:false} + -Dbzip2=%{!?lifsea_dist:true}%{?lifsea_dist:false} + -Dlz4=%{!?lifsea_dist:true}%{?lifsea_dist:false} + -Dpam=%{!?lifsea_dist:true}%{?lifsea_dist:false} -Dacl=true - -Dsmack=true + -Dsmack=%{!?lifsea_dist:true}%{?lifsea_dist:false} -Dgcrypt=true - -Daudit=true - -Delfutils=true - -Dlibcryptsetup=true - -Delfutils=true + -Daudit=%{!?lifsea_dist:true}%{?lifsea_dist:false} + -Delfutils=%{!?lifsea_dist:true}%{?lifsea_dist:false} + -Dlibcryptsetup=%{!?lifsea_dist:true}%{?lifsea_dist:false} -Dqrencode=false - -Dgnutls=true - -Dmicrohttpd=true - -Dlibidn2=true + -Dgnutls=%{!?lifsea_dist:true}%{?lifsea_dist:false} + -Dmicrohttpd=%{!?lifsea_dist:true}%{?lifsea_dist:false} + -Dlibidn2=%{!?lifsea_dist:true}%{?lifsea_dist:false} -Dlibiptc=false - -Dlibcurl=true - -Defi=true - -Dgnu-efi=%{?have_gnu_efi:true}%{?!have_gnu_efi:false} - -Dtpm=true - -Dhwdb=true + -Dlibcurl=%{!?lifsea_dist:true}%{?lifsea_dist:false} + -Defi=%{!?lifsea_dist:true}%{?lifsea_dist:false} + %{!?lifsea_dist:-Dgnu-efi=%{?have_gnu_efi:true}%{?!have_gnu_efi:false}} + -Dtpm=%{!?lifsea_dist:true}%{?lifsea_dist:false} + -Dhwdb=%{!?lifsea_dist:true}%{?lifsea_dist:false} -Dsysusers=true -Ddefault-kill-user-processes=false -Dtests=unsafe @@ -1357,6 +1385,36 @@ CONFIGURE_OPTS=( -Dtimesyncd=false -Ddefault-hierarchy=legacy -Dversion-tag=%{version}-%{release} + %if %{defined lifsea_dist} + # remove many useless tools + -Dtimedated=true + -Dman=false + -Dhtml=false + -Dzshcompletiondir=no + -Dbashcompletiondir=no + -Dlogind=false + -Dcoredump=false + -Dbacklight=false + -Dbinfmt=false + -Dimportd=false + -Dhibernate=false + -Dportabled=false + -Dquotacheck=false + -Drfkill=false + -Dvconsole=false + -Dhostnamed=true + -Dlocaled=false + -Dfirstboot=false + -Denvironment-d=false + -Dutmp=false + -Didn=false + -Dlibidn=false + -Dpcre2=false + -Dgcrypt=false + -Dnss-myhostname=false + -Dnss-resolve=false + -Dnss-systemd=false + %endif ) # Don't ship /var/log/README. The relationship between journal and syslog should be documented @@ -1413,7 +1471,7 @@ mkdir -p %{buildroot}%{pkgdir}/user-generators # Create new-style configuration files so that we can ghost-own them touch %{buildroot}%{_sysconfdir}/hostname touch %{buildroot}%{_sysconfdir}/vconsole.conf -touch %{buildroot}%{_sysconfdir}/locale.conf +%{!?lifsea_dist:touch %{buildroot}%{_sysconfdir}/locale.conf} touch %{buildroot}%{_sysconfdir}/machine-id touch %{buildroot}%{_sysconfdir}/machine-info touch %{buildroot}%{_sysconfdir}/localtime @@ -1428,7 +1486,7 @@ mkdir -p %{buildroot}%{pkgdir}/system-sleep/ mkdir -p %{buildroot}%{_localstatedir}/lib/systemd/coredump mkdir -p %{buildroot}%{_localstatedir}/lib/systemd/catalog mkdir -p %{buildroot}%{_localstatedir}/lib/systemd/backlight -mkdir -p %{buildroot}%{_localstatedir}/lib/systemd/rfkill +%{!?lifsea_dist:mkdir -p %{buildroot}%{_localstatedir}/lib/systemd/rfkill} mkdir -p %{buildroot}%{_localstatedir}/lib/systemd/linger mkdir -p %{buildroot}%{_localstatedir}/lib/private mkdir -p %{buildroot}%{_localstatedir}/log/private @@ -1451,8 +1509,10 @@ install -Dm0644 %{SOURCE4} %{buildroot}%{_sysconfdir}/dnf/protected.d/systemd.co install -Dm0644 -t %{buildroot}/usr/lib/firewalld/services/ %{SOURCE7} %{SOURCE8} +%if ! %{defined lifsea_dist} # Restore systemd-user pam config from before "removal of Fedora-specific bits" install -Dm0644 -t %{buildroot}/etc/pam.d/ %{SOURCE12} +%endif # Install additional docs # https://bugzilla.redhat.com/show_bug.cgi?id=1234951 @@ -1490,7 +1550,9 @@ python3 %{SOURCE2} %buildroot </dev/null || groupadd -r -g 11 cdrom &>/dev/null || : getent group utmp &>/dev/null || groupadd -r -g 22 utmp &>/dev/null || : getent group tape &>/dev/null || groupadd -r -g 33 tape &>/dev/null || : @@ -1530,8 +1614,10 @@ getent group kvm &>/dev/null || groupadd -r -g 36 kvm &>/dev/null || : getent group render &>/dev/null || groupadd -r render &>/dev/null || : getent group systemd-journal &>/dev/null || groupadd -r -g 190 systemd-journal 2>&1 || : +%if ! %{defined lifsea_dist} getent group systemd-coredump &>/dev/null || groupadd -r systemd-coredump 2>&1 || : getent passwd systemd-coredump &>/dev/null || useradd -r -l -g systemd-coredump -d / -s /sbin/nologin -c "systemd Core Dumper" systemd-coredump &>/dev/null || : +%endif getent group systemd-resolve &>/dev/null || groupadd -r -g 193 systemd-resolve 2>&1 || : getent passwd systemd-resolve &>/dev/null || useradd -r -u 193 -l -g systemd-resolve -d / -s /sbin/nologin -c "systemd Resolver" systemd-resolve &>/dev/null || : @@ -1546,8 +1632,10 @@ systemd-tmpfiles --create &>/dev/null || : chgrp systemd-journal /run/log/journal/ /run/log/journal/`cat /etc/machine-id 2>/dev/null` /var/log/journal/ /var/log/journal/`cat /etc/machine-id 2>/dev/null` &>/dev/null || : chmod g+s /run/log/journal/ /run/log/journal/`cat /etc/machine-id 2>/dev/null` /var/log/journal/ /var/log/journal/`cat /etc/machine-id 2>/dev/null` &>/dev/null || : +%if ! %{defined lifsea_dist} # Apply ACL to the journal directory setfacl -Rnm g:wheel:rx,d:g:wheel:rx,g:adm:rx,d:g:adm:rx /var/log/journal/ &>/dev/null || : +%endif # Remove spurious /etc/fstab entries from very old installations # https://bugzilla.redhat.com/show_bug.cgi?id=1009023 @@ -1588,6 +1676,7 @@ fi %post libs %{?ldconfig} +%if ! %{defined lifsea_dist} function mod_nss() { if [ $1 -eq 1 ] && [ -f "$2" ]; then # sed-fu to add myhostname to hosts line (only once, on install) @@ -1616,6 +1705,7 @@ else # possible future authselect configuration mod_nss $1 "/etc/authselect/user-nsswitch.conf" fi +%endif # check if nobody or nfsnobody is defined export SYSTEMD_NSS_BYPASS_SYNTHETIC=1 @@ -1657,6 +1747,9 @@ grep -q -E '^KEYMAP="?fi-latin[19]"?' /etc/vconsole.conf 2>/dev/null && %systemd_postun_with_restart systemd-udevd.service %pre journal-remote +%if %{defined lifsea_dist} +%{common_pre_scripts} +%endif getent group systemd-journal-remote &>/dev/null || groupadd -r systemd-journal-remote 2>&1 || : getent passwd systemd-journal-remote &>/dev/null || useradd -r -l -g systemd-journal-remote -d %{_localstatedir}/log/journal/remote -s /sbin/nologin -c "Journal Remote" systemd-journal-remote &>/dev/null || : @@ -1705,11 +1798,17 @@ fi %ghost %dir %attr(0755,-,-) /etc/systemd/system/system-update.target.wants %ghost %dir %attr(0755,-,-) /etc/systemd/system/timers.target.wants %ghost %dir %attr(0755,-,-) /var/lib/rpm-state/systemd +%if %{defined lifsea_dist} +%exclude %{_prefix}/lib/tmpfiles.d/systemd-nologin.conf +%exclude %{_datarootdir}/polkit-1 +%endif %files libs -f .file-list-libs %license LICENSE.LGPL2.1 +%if ! %{defined lifsea_dist} %files pam -f .file-list-pam +%endif %files devel -f .file-list-devel @@ -1755,6 +1854,27 @@ fi - cgroup: do not refresh cgroup devices config when daemon-reload (Zhongling He) - core: introduce cgroup full delegation for compability (Zhongling He) - Update vendor ids for ieisystem 0750 (wangkaiyuan@inspur.com) +- LifseaOS: Add back hostnamectl (yuanhui@linux.alibaba.com) +- LifseaOS: Add back timedatectl (yuanhui@linux.alibaba.com) +- LifseaOS: shared: Remove dependency of libcryptsetup if HAVE_LIBCRYPTSETUP is not defined (yuanhui@linux.alibaba.com) +- LifseaOS: analyze: show information from hostnamed in plot even when user mode (yuanhui@linux.alibaba.com) +- LifseaOS: configure: Disable smack (yuanhui@linux.alibaba.com) +- LifseaOS: Remove nss module provided by systemd (yuanhui@linux.alibaba.com) +- LifseaOS: configure: Remove multiple non-essential features (yuanhui@linux.alibaba.com) +- LifseaOS: configure: Disable firstboot (yuanhui@linux.alibaba.com) +- LifseaOS: Remove user-runtime-dir binary and service file (yuanhui@linux.alibaba.com) +- LifseaOS: Remove the dependency of acl package (yuanhui@linux.alibaba.com) +- LifseaOS: Remove locale and hostname related tools (yuanhui@linux.alibaba.com) +- LifseaOS: Remove multiple unnecessary modules (yuanhui@linux.alibaba.com) +- LifseaOS: Remove compression algorithm (yuanhui@linux.alibaba.com) +- LifseaOS: Remove many tools of little use (yuanhui@linux.alibaba.com) +- LifseaOS: Remove coredump tools (yuanhui@linux.alibaba.com) +- LifseaOS: configure: Disable cryptsetup (yuanhui@linux.alibaba.com) +- LifseaOS: configure: Disable polkit (yuanhui@linux.alibaba.com) +- LifseaOS: configure: Disable logind (yuanhui@linux.alibaba.com) +- LifseaOS: Remove systemd-pam module (yuanhui@linux.alibaba.com) +- LifseaOS: configure: Remove manpage and bash/zsh completion (yuanhui@linux.alibaba.com) +- LifseaOS: cgroup: Do not remove cgroup path which not created by systemd (yuanhui@linux.alibaba.com) * Tue Jul 23 2024 systemd maintenance team - 239-82.2 - spec: do not create symlink /etc/systemd/system/syslog.service (RHEL-13179) -- Gitee From f3d94b0cc32a8f153ec067f0e9b0c0f6a514e63a Mon Sep 17 00:00:00 2001 From: ZHe Date: Tue, 19 Mar 2024 16:06:11 +0800 Subject: [PATCH 14/19] default enable full delegation on device cgroup --- ...group-full-delegation-for-compabilit.patch | 24 ++--- ...ble-full-delegation-on-device-cgroup.patch | 98 +++++++++++++++++++ systemd.spec | 5 +- 3 files changed, 110 insertions(+), 17 deletions(-) create mode 100644 20005-default-enable-full-delegation-on-device-cgroup.patch diff --git a/20003-core-introduce-cgroup-full-delegation-for-compabilit.patch b/20003-core-introduce-cgroup-full-delegation-for-compabilit.patch index 21c5557..a09eaa2 100644 --- a/20003-core-introduce-cgroup-full-delegation-for-compabilit.patch +++ b/20003-core-introduce-cgroup-full-delegation-for-compabilit.patch @@ -1,4 +1,4 @@ -From f25124fabe1ed973840291d46549af6e1c5fad56 Mon Sep 17 00:00:00 2001 +From ce2e0936e03f6cef91a326186978643b93403052 Mon Sep 17 00:00:00 2001 From: "zhongling.h" Date: Fri, 4 Aug 2023 10:08:16 +0800 Subject: [PATCH] core: introduce cgroup full delegation for compability @@ -30,15 +30,8 @@ brings what users are already familiar with to systemd-239. If users set values under /sys/fs/cgroup without worrying systemd touching these values, which is the same as what they expected with systemd-219. ---- - src/core/cgroup.c | 16 ++++++++++++++++ - src/core/main.c | 4 ++++ - src/core/manager.h | 1 + - src/core/system.conf.in | 1 + - 4 files changed, 22 insertions(+) - diff --git a/src/core/cgroup.c b/src/core/cgroup.c -index ea92aa6f7b..17e3b90e37 100644 +index 8e474f6..461f9df 100644 --- a/src/core/cgroup.c +++ b/src/core/cgroup.c @@ -1692,6 +1692,15 @@ static int unit_create_cgroup( @@ -57,18 +50,17 @@ index ea92aa6f7b..17e3b90e37 100644 u->cgroup_enabled_mask = enable_mask; u->cgroup_bpf_state = needs_bpf ? UNIT_CGROUP_BPF_ON : UNIT_CGROUP_BPF_OFF; -@@ -1921,6 +1930,10 @@ static int unit_realize_cgroup_now(Unit *u, ManagerState state) { +@@ -1920,6 +1929,9 @@ static int unit_realize_cgroup_now(Unit *u, ManagerState state) { + enable_mask = unit_get_enable_mask(u); needs_bpf = unit_get_needs_bpf(u); - target_mask &= ~CGROUP_MASK_DEVICES; -+ + if (u->manager->full_delegation && unit_cgroup_delegate(u)) + target_mask ^= u->cgroup_realized_mask; + if (unit_has_mask_realized(u, target_mask, enable_mask, needs_bpf)) return 0; -@@ -2883,6 +2896,9 @@ int unit_reset_ip_accounting(Unit *u) { +@@ -2882,6 +2894,9 @@ int unit_reset_ip_accounting(Unit *u) { void unit_invalidate_cgroup(Unit *u, CGroupMask m) { assert(u); @@ -79,7 +71,7 @@ index ea92aa6f7b..17e3b90e37 100644 return; diff --git a/src/core/main.c b/src/core/main.c -index 546bf0d870..68daf07077 100644 +index 546bf0d..68daf07 100644 --- a/src/core/main.c +++ b/src/core/main.c @@ -142,6 +142,7 @@ static bool reexec_jmp_can = false; @@ -108,7 +100,7 @@ index 546bf0d870..68daf07077 100644 manager_set_default_rlimits(m, arg_default_rlimit); manager_environment_add(m, NULL, arg_default_environment); diff --git a/src/core/manager.h b/src/core/manager.h -index 98d381bc5b..91f2c05afe 100644 +index 98d381b..91f2c05 100644 --- a/src/core/manager.h +++ b/src/core/manager.h @@ -297,6 +297,7 @@ struct Manager { @@ -120,7 +112,7 @@ index 98d381bc5b..91f2c05afe 100644 uint64_t default_tasks_max; usec_t default_timer_accuracy_usec; diff --git a/src/core/system.conf.in b/src/core/system.conf.in -index 2f6852a89f..6c84a55401 100644 +index 2f6852a..6c84a55 100644 --- a/src/core/system.conf.in +++ b/src/core/system.conf.in @@ -67,3 +67,4 @@ DefaultLimitCORE=0:infinity diff --git a/20005-default-enable-full-delegation-on-device-cgroup.patch b/20005-default-enable-full-delegation-on-device-cgroup.patch new file mode 100644 index 0000000..bf11aa5 --- /dev/null +++ b/20005-default-enable-full-delegation-on-device-cgroup.patch @@ -0,0 +1,98 @@ +From 0c54a1eda08dc8a1c40274c1f90e5e809e054706 Mon Sep 17 00:00:00 2001 +From: rpm-build +Date: Tue, 19 Mar 2024 15:53:21 +0800 +Subject: [PATCH] default enable full delegation on device cgroup + +--- + src/core/cgroup.c | 9 +++++++++ + src/core/main.c | 3 +++ + src/core/manager.h | 1 + + src/core/system.conf.in | 1 + + 4 files changed, 14 insertions(+) + +diff --git a/src/core/cgroup.c b/src/core/cgroup.c +index 461f9df..bc677d8 100644 +--- a/src/core/cgroup.c ++++ b/src/core/cgroup.c +@@ -1701,6 +1701,9 @@ static int unit_create_cgroup( + if (u->manager->full_delegation && unit_cgroup_delegate(u)) + u->cgroup_realized_mask |= unit_get_delegate_mask(u); + ++ if (u->manager->full_delegation_devicecg && unit_cgroup_delegate(u)) ++ u->cgroup_realized_mask |= (unit_get_delegate_mask(u) & CGROUP_MASK_DEVICES); ++ + u->cgroup_enabled_mask = enable_mask; + u->cgroup_bpf_state = needs_bpf ? UNIT_CGROUP_BPF_ON : UNIT_CGROUP_BPF_OFF; + +@@ -1932,6 +1935,9 @@ static int unit_realize_cgroup_now(Unit *u, ManagerState state) { + if (u->manager->full_delegation && unit_cgroup_delegate(u)) + target_mask ^= u->cgroup_realized_mask; + ++ if (u->manager->full_delegation_devicecg && unit_cgroup_delegate(u)) ++ target_mask ^= (u->cgroup_realized_mask & CGROUP_MASK_DEVICES); ++ + if (unit_has_mask_realized(u, target_mask, enable_mask, needs_bpf)) + return 0; + +@@ -2897,6 +2903,9 @@ void unit_invalidate_cgroup(Unit *u, CGroupMask m) { + if (u->manager->full_delegation) + m ^= unit_get_delegate_mask(u); // don't invalidate delegated cgroup + ++ if (u->manager->full_delegation_devicecg) ++ m ^= (unit_get_delegate_mask(u) & CGROUP_MASK_DEVICES); // don't invalidate device cgroup if delegate=yes ++ + if (!UNIT_HAS_CGROUP_CONTEXT(u)) + return; + +diff --git a/src/core/main.c b/src/core/main.c +index 68daf07..e27f0a5 100644 +--- a/src/core/main.c ++++ b/src/core/main.c +@@ -143,6 +143,7 @@ static bool reexec_jmp_inited = false; + static sigjmp_buf reexec_jmp_buf; + static bool arg_default_cpuset_clone_children = false; + static bool arg_full_delegation = false; ++static bool arg_full_delegation_devicecg = true; + + static int parse_configuration(const struct rlimit *saved_rlimit_nofile, + const struct rlimit *saved_rlimit_memlock); +@@ -770,6 +771,7 @@ static int parse_config_file(void) { + { "Manager", "CtrlAltDelBurstAction", config_parse_emergency_action, 0, &arg_cad_burst_action }, + { "Manager", "DefaultCPUSetCloneChildren",config_parse_bool, 0, &arg_default_cpuset_clone_children }, + { "Manager", "FullDelegation", config_parse_bool, 0, &arg_full_delegation }, ++ { "Manager", "FullDelegationDeviceCGroup",config_parse_bool, 0, &arg_full_delegation_devicecg }, + + {} + }; +@@ -821,6 +823,7 @@ static void set_manager_defaults(Manager *m) { + m->default_tasks_accounting = arg_default_tasks_accounting; + m->default_tasks_max = arg_default_tasks_max; + m->full_delegation = arg_full_delegation; ++ m->full_delegation_devicecg = arg_full_delegation_devicecg; + + manager_set_default_rlimits(m, arg_default_rlimit); + manager_environment_add(m, NULL, arg_default_environment); +diff --git a/src/core/manager.h b/src/core/manager.h +index 91f2c05..8017d9a 100644 +--- a/src/core/manager.h ++++ b/src/core/manager.h +@@ -298,6 +298,7 @@ struct Manager { + bool default_tasks_accounting; + bool default_ip_accounting; + bool full_delegation; ++ bool full_delegation_devicecg; + + uint64_t default_tasks_max; + usec_t default_timer_accuracy_usec; +diff --git a/src/core/system.conf.in b/src/core/system.conf.in +index 6c84a55..3f9ef7f 100644 +--- a/src/core/system.conf.in ++++ b/src/core/system.conf.in +@@ -68,3 +68,4 @@ DefaultLimitCORE=0:infinity + #IPAddressAllow= + #IPAddressDeny= + #FullDelegation=no ++#FullDelegationDeviceCGroup=yes +-- +2.39.3 + diff --git a/systemd.spec b/systemd.spec index 844399a..550632f 100644 --- a/systemd.spec +++ b/systemd.spec @@ -1096,9 +1096,10 @@ Patch10026: 10026-cryptsetup-port-cryptsetup-s-main-key-file-logic-ov.patch Patch10027: 10027-fix-compilation-without-utmp.patch Patch20001: 20001-hwdb-parse_hwdb_dot_py.patch -Patch20002: 20002-cgroup-do-not-refresh-cgroup-devices-config-when-dae.patch +# Patch20002: 20002-cgroup-do-not-refresh-cgroup-devices-config-when-dae.patch Patch20003: 20003-core-introduce-cgroup-full-delegation-for-compabilit.patch Patch20004: 20004-Update-vendor-ids-for-ieisystem-0750.patch +Patch20005: 20005-default-enable-full-delegation-on-device-cgroup.patch # lifsea only patch %if %{defined lifsea_dist} @@ -1875,6 +1876,8 @@ fi - LifseaOS: Remove systemd-pam module (yuanhui@linux.alibaba.com) - LifseaOS: configure: Remove manpage and bash/zsh completion (yuanhui@linux.alibaba.com) - LifseaOS: cgroup: Do not remove cgroup path which not created by systemd (yuanhui@linux.alibaba.com) +- Remove patch 20002 as it inhibits systemd device cgroup slice creation (zhonglingh@linux.alibaba.com) +- Add patch 20005 to enable device cgroup full delegation by default (zhonglingh@linux.alibaba.com) * Tue Jul 23 2024 systemd maintenance team - 239-82.2 - spec: do not create symlink /etc/systemd/system/syslog.service (RHEL-13179) -- Gitee From e0b10357a430cae1bfe336345aca4cde2fe546e8 Mon Sep 17 00:00:00 2001 From: khy Date: Fri, 12 May 2023 15:35:12 +0800 Subject: [PATCH 15/19] cherry-pick `add sw patch #20ead624ed837d467ff4c9607d46c027bbc84ac3`. Signed-off-by: khy Signed-off-by: Weisson --- 20006-systemd-Add-sw64.patch | 94 ++++++++++++++++++++++++++++++++++++ systemd.spec | 2 + 2 files changed, 96 insertions(+) create mode 100644 20006-systemd-Add-sw64.patch diff --git a/20006-systemd-Add-sw64.patch b/20006-systemd-Add-sw64.patch new file mode 100644 index 0000000..f1e0e6a --- /dev/null +++ b/20006-systemd-Add-sw64.patch @@ -0,0 +1,94 @@ +From 1d1259c0bada01ed92d991b44be1f53042837187 Mon Sep 17 00:00:00 2001 +From: rpm-build +Date: Fri, 12 May 2023 15:33:42 +0800 +Subject: [PATCH] Add sw64 architecture + +Signed-off-by: rpm-build +--- + src/basic/architecture.c | 3 +++ + src/basic/architecture.h | 4 ++++ + src/basic/missing.h | 2 +- + src/basic/missing_syscall.h | 4 +++- + 4 files changed, 11 insertions(+), 2 deletions(-) + +diff --git a/src/basic/architecture.c b/src/basic/architecture.c +index 96bbf97..72b98a3 100644 +--- a/src/basic/architecture.c ++++ b/src/basic/architecture.c +@@ -120,6 +120,8 @@ int uname_architecture(void) { + { "arceb", ARCHITECTURE_ARC_BE }, + #elif defined(__loongarch64) + { "loongarch64", ARCHITECTURE_LOONGARCH64 }, ++#elif defined(__sw_64__) ++ { "sw_64" , ARCHITECTURE_SW_64 }, + #else + #error "Please register your architecture here!" + #endif +@@ -176,6 +178,7 @@ static const char *const architecture_table[_ARCHITECTURE_MAX] = { + [ARCHITECTURE_ARC] = "arc", + [ARCHITECTURE_ARC_BE] = "arc-be", + [ARCHITECTURE_LOONGARCH64] = "loongarch64", ++ [ARCHITECTURE_SW_64] = "sw_64", + }; + + DEFINE_STRING_TABLE_LOOKUP(architecture, int); +diff --git a/src/basic/architecture.h b/src/basic/architecture.h +index 22e9108..c317c75 100644 +--- a/src/basic/architecture.h ++++ b/src/basic/architecture.h +@@ -45,6 +45,7 @@ enum { + ARCHITECTURE_ARC, + ARCHITECTURE_ARC_BE, + ARCHITECTURE_LOONGARCH64, ++ ARCHITECTURE_SW_64, + _ARCHITECTURE_MAX, + _ARCHITECTURE_INVALID = -1 + }; +@@ -233,6 +234,9 @@ int uname_architecture(void); + #elif defined(__loongarch64) + # define native_architecture() ARCHITECTURE_LOONGARCH64 + # define LIB_ARCH_TUPLE "loongarch64-linux-gnu" ++#elif defined(__sw_64__) ++# define native_architecture() ARCHITECTURE_SW_64 ++# define LIB_ARCH_TUPLE "sw_64-linux-gnu" + #else + # error "Please register your architecture here!" + #endif +diff --git a/src/basic/missing.h b/src/basic/missing.h +index b937661..c2913b5 100644 +--- a/src/basic/missing.h ++++ b/src/basic/missing.h +@@ -646,7 +646,7 @@ struct input_mask { + */ + + #ifndef __O_TMPFILE +-#if defined(__alpha__) ++#if defined(__alpha__) || defined(__sw_64__) + #define __O_TMPFILE 0100000000 + #elif defined(__parisc__) || defined(__hppa__) + #define __O_TMPFILE 0400000000 +diff --git a/src/basic/missing_syscall.h b/src/basic/missing_syscall.h +index 014dd2b..3acf59f 100644 +--- a/src/basic/missing_syscall.h ++++ b/src/basic/missing_syscall.h +@@ -182,7 +182,7 @@ static inline int missing_setns(int fd, int nstype) { + /* ======================================================================= */ + + static inline pid_t raw_getpid(void) { +-#if defined(__alpha__) ++#if defined(__alpha__) || defined(__sw_64__) + return (pid_t) syscall(__NR_getxpid); + #else + return (pid_t) syscall(__NR_getpid); +@@ -405,6 +405,8 @@ static inline int missing_bpf(int cmd, union bpf_attr *attr, size_t size) { + # define __NR_statx 360 + # elif defined __x86_64__ + # define __NR_statx 332 ++# elif defined __sw_64__ ++# define __NR_statx 518 + # else + # warning "__NR_statx not defined for your architecture" + # endif +-- +2.31.1 + diff --git a/systemd.spec b/systemd.spec index 550632f..0e7d871 100644 --- a/systemd.spec +++ b/systemd.spec @@ -1100,6 +1100,7 @@ Patch20001: 20001-hwdb-parse_hwdb_dot_py.patch Patch20003: 20003-core-introduce-cgroup-full-delegation-for-compabilit.patch Patch20004: 20004-Update-vendor-ids-for-ieisystem-0750.patch Patch20005: 20005-default-enable-full-delegation-on-device-cgroup.patch +Patch20006: 20006-systemd-Add-sw64.patch # lifsea only patch %if %{defined lifsea_dist} @@ -1878,6 +1879,7 @@ fi - LifseaOS: cgroup: Do not remove cgroup path which not created by systemd (yuanhui@linux.alibaba.com) - Remove patch 20002 as it inhibits systemd device cgroup slice creation (zhonglingh@linux.alibaba.com) - Add patch 20005 to enable device cgroup full delegation by default (zhonglingh@linux.alibaba.com) +- cherry-pick `add sw patch #20ead624ed837d467ff4c9607d46c027bbc84ac3`. (nijie@wxiat.com) * Tue Jul 23 2024 systemd maintenance team - 239-82.2 - spec: do not create symlink /etc/systemd/system/syslog.service (RHEL-13179) -- Gitee From a7712f7e45e044b907cba529525b1fbc2a9f988a Mon Sep 17 00:00:00 2001 From: Weisson Date: Sun, 7 Apr 2024 17:56:24 +0800 Subject: [PATCH 16/19] add seccomp support and test-seccomp test case support for sw_64. Signed-off-by: Weisson --- 20007-add-seccomp-support-for-sw_64.patch | 96 +++++++++++++++++++ ...t-test-test-seccomp-support-on-sw_64.patch | 43 +++++++++ systemd.spec | 4 + 3 files changed, 143 insertions(+) create mode 100644 20007-add-seccomp-support-for-sw_64.patch create mode 100644 20008-Fix-unit-test-test-seccomp-support-on-sw_64.patch diff --git a/20007-add-seccomp-support-for-sw_64.patch b/20007-add-seccomp-support-for-sw_64.patch new file mode 100644 index 0000000..f3cda33 --- /dev/null +++ b/20007-add-seccomp-support-for-sw_64.patch @@ -0,0 +1,96 @@ +From a8b1f7bfc0190af52e863ddc821701d32e6c3c97 Mon Sep 17 00:00:00 2001 +From: Weisson +Date: Sun, 7 Apr 2024 15:45:26 +0800 +Subject: [PATCH 1/1] add seccomp support for sw_64. + +Signed-off-by: Weisson +--- + src/shared/seccomp-util.c | 16 ++++++++++++---- + 1 file changed, 12 insertions(+), 4 deletions(-) + +diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c +index 8b0d366..2cedca5 100644 +--- a/src/shared/seccomp-util.c ++++ b/src/shared/seccomp-util.c +@@ -44,6 +44,8 @@ const uint32_t seccomp_local_archs[] = { + SCMP_ARCH_ARM, + #elif defined(__loongarch__) + SCMP_ARCH_LOONGARCH64, ++#elif defined(__sw_64__) ++ SCMP_ARCH_SW_64, + #elif defined(__mips__) && __BYTE_ORDER == __BIG_ENDIAN && _MIPS_SIM == _MIPS_SIM_ABI32 + SCMP_ARCH_MIPSEL, + SCMP_ARCH_MIPS, /* native */ +@@ -114,6 +116,8 @@ const char* seccomp_arch_to_string(uint32_t c) { + return "x32"; + case SCMP_ARCH_ARM: + return "arm"; ++ case SCMP_ARCH_SW_64: ++ return "sw_64"; + case SCMP_ARCH_AARCH64: + return "arm64"; + case SCMP_ARCH_LOONGARCH64: +@@ -163,6 +167,8 @@ int seccomp_arch_from_string(const char *n, uint32_t *ret) { + *ret = SCMP_ARCH_ARM; + else if (streq(n, "arm64")) + *ret = SCMP_ARCH_AARCH64; ++ else if (streq(n, "sw_64")) ++ *ret = SCMP_ARCH_SW_64; + else if (streq(n, "loongarch64")) + *ret = SCMP_ARCH_LOONGARCH64; + else if (streq(n, "mips")) +@@ -1246,7 +1252,7 @@ int seccomp_protect_sysctl(void) { + + log_debug("Operating on architecture: %s", seccomp_arch_to_string(arch)); + +- if (IN_SET(arch, SCMP_ARCH_X32, SCMP_ARCH_AARCH64, SCMP_ARCH_LOONGARCH64)) ++ if (IN_SET(arch, SCMP_ARCH_X32, SCMP_ARCH_AARCH64, SCMP_ARCH_LOONGARCH64, SCMP_ARCH_SW_64)) + /* No _sysctl syscall */ + continue; + +@@ -1291,6 +1297,7 @@ int seccomp_restrict_address_families(Set *address_families, bool whitelist) { + case SCMP_ARCH_X32: + case SCMP_ARCH_ARM: + case SCMP_ARCH_AARCH64: ++ case SCMP_ARCH_SW_64: + case SCMP_ARCH_LOONGARCH64: + case SCMP_ARCH_MIPSEL64N32: + case SCMP_ARCH_MIPS64N32: +@@ -1536,7 +1543,7 @@ static int add_seccomp_syscall_filter(scmp_filter_ctx seccomp, + } + + /* For known architectures, check that syscalls are indeed defined or not. */ +-#if defined(__x86_64__) || defined(__arm__) || defined(__aarch64__) || defined(__loongarch__) ++#if defined(__x86_64__) || defined(__arm__) || defined(__aarch64__) || defined(__loongarch__) || defined(__sw_64__) + assert_cc(SCMP_SYS(shmget) > 0); + assert_cc(SCMP_SYS(shmat) > 0); + assert_cc(SCMP_SYS(shmdt) > 0); +@@ -1583,6 +1590,7 @@ int seccomp_memory_deny_write_execute(void) { + case SCMP_ARCH_X86_64: + case SCMP_ARCH_X32: + case SCMP_ARCH_AARCH64: ++ case SCMP_ARCH_SW_64: + case SCMP_ARCH_LOONGARCH64: + filter_syscall = SCMP_SYS(mmap); /* amd64, x32, and arm64 have only mmap */ + shmat_syscall = SCMP_SYS(shmat); +@@ -1590,7 +1598,7 @@ int seccomp_memory_deny_write_execute(void) { + + /* Please add more definitions here, if you port systemd to other architectures! */ + +-#if !defined(__i386__) && !defined(__x86_64__) && !defined(__powerpc__) && !defined(__powerpc64__) && !defined(__arm__) && !defined(__aarch64__) && !defined(__loongarch__) ++#if !defined(__i386__) && !defined(__x86_64__) && !defined(__powerpc__) && !defined(__powerpc64__) && !defined(__arm__) && !defined(__aarch64__) && !defined(__loongarch__) && !defined(__sw_64__) + #warning "Consider adding the right mmap() syscall definitions here!" + #endif + } +@@ -1614,7 +1622,7 @@ int seccomp_memory_deny_write_execute(void) { + if (r < 0) + continue; + } +- if (!IN_SET(arch, SCMP_ARCH_LOONGARCH64)){ ++ if (!IN_SET(arch, SCMP_ARCH_LOONGARCH64, SCMP_ARCH_SW_64)){ + r = add_seccomp_syscall_filter(seccomp, arch, SCMP_SYS(mprotect), + 1, + SCMP_A2(SCMP_CMP_MASKED_EQ, PROT_EXEC, PROT_EXEC)); +-- +2.31.1 + diff --git a/20008-Fix-unit-test-test-seccomp-support-on-sw_64.patch b/20008-Fix-unit-test-test-seccomp-support-on-sw_64.patch new file mode 100644 index 0000000..ac70671 --- /dev/null +++ b/20008-Fix-unit-test-test-seccomp-support-on-sw_64.patch @@ -0,0 +1,43 @@ +From 573700e701553081bd2bdb9081da0a1215f5ed97 Mon Sep 17 00:00:00 2001 +From: Weisson +Date: Sun, 7 Apr 2024 17:13:11 +0800 +Subject: [PATCH] Fix unit-test: test-seccomp support on sw_64. + +Signed-off-by: Weisson +--- + src/test/test-seccomp.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/src/test/test-seccomp.c b/src/test/test-seccomp.c +index 286f01b..c04eb66 100644 +--- a/src/test/test-seccomp.c ++++ b/src/test/test-seccomp.c +@@ -55,6 +55,7 @@ static void test_architecture_table(void) { + "x32\0" + "arm\0" + "arm64\0" ++ "sw_64\0" + "mips\0" + "mips64\0" + "mips64-n32\0" +@@ -403,7 +404,7 @@ static void test_memory_deny_write_execute_mmap(void) { + assert_se(seccomp_memory_deny_write_execute() >= 0); + + p = mmap(NULL, page_size(), PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANONYMOUS, -1,0); +-#if defined(__x86_64__) || defined(__i386__) || defined(__powerpc64__) || defined(__arm__) || defined(__aarch64__) ++#if defined(__x86_64__) || defined(__i386__) || defined(__powerpc64__) || defined(__arm__) || defined(__aarch64__) || defined(__sw_64__) + assert_se(p == MAP_FAILED); + assert_se(errno == EPERM); + #else /* unknown architectures */ +@@ -450,7 +451,7 @@ static void test_memory_deny_write_execute_shmat(void) { + assert_se(seccomp_memory_deny_write_execute() >= 0); + + p = shmat(shmid, NULL, SHM_EXEC); +-#if defined(__x86_64__) || defined(__arm__) || defined(__aarch64__) ++#if defined(__x86_64__) || defined(__arm__) || defined(__aarch64__) || defined(__sw_64__) + assert_se(p == MAP_FAILED); + assert_se(errno == EPERM); + #else /* __i386__, __powerpc64__, and "unknown" architectures */ +-- +2.31.1 + diff --git a/systemd.spec b/systemd.spec index 0e7d871..14b5528 100644 --- a/systemd.spec +++ b/systemd.spec @@ -1101,6 +1101,8 @@ Patch20003: 20003-core-introduce-cgroup-full-delegation-for-compabilit.patch Patch20004: 20004-Update-vendor-ids-for-ieisystem-0750.patch Patch20005: 20005-default-enable-full-delegation-on-device-cgroup.patch Patch20006: 20006-systemd-Add-sw64.patch +Patch20007: 20007-add-seccomp-support-for-sw_64.patch +Patch20008: 20008-Fix-unit-test-test-seccomp-support-on-sw_64.patch # lifsea only patch %if %{defined lifsea_dist} @@ -1880,6 +1882,8 @@ fi - Remove patch 20002 as it inhibits systemd device cgroup slice creation (zhonglingh@linux.alibaba.com) - Add patch 20005 to enable device cgroup full delegation by default (zhonglingh@linux.alibaba.com) - cherry-pick `add sw patch #20ead624ed837d467ff4c9607d46c027bbc84ac3`. (nijie@wxiat.com) +- add seccomp support for sw_64. (Weisson@alinux.alibaba.com) +- add test-seccomp support for sw_64. (Weisson@alinux.alibaba.com) * Tue Jul 23 2024 systemd maintenance team - 239-82.2 - spec: do not create symlink /etc/systemd/system/syslog.service (RHEL-13179) -- Gitee From e3fbf6c40e12788e7ea518a3d050c29e04f1991b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E5=BF=A0=E5=87=8C?= Date: Mon, 24 Jun 2024 11:49:31 +0800 Subject: [PATCH 17/19] core: Fix 2 subcgroup deletion problems - core: Fix subcgroup deletion introduced by full delegation - core: Fix cgroups members mask cache propagation problem --- ...ly-simplify-caching-of-cgroups-membe.patch | 228 ++++++++++++++++++ ...group-FullDelegation-FullDelegationD.patch | 163 +++++++++++++ systemd.spec | 11 +- 3 files changed, 399 insertions(+), 3 deletions(-) create mode 100644 10028-cgroup-drastically-simplify-caching-of-cgroups-membe.patch create mode 100644 20009-core-introduce-cgroup-FullDelegation-FullDelegationD.patch diff --git a/10028-cgroup-drastically-simplify-caching-of-cgroups-membe.patch b/10028-cgroup-drastically-simplify-caching-of-cgroups-membe.patch new file mode 100644 index 0000000..d69f0ba --- /dev/null +++ b/10028-cgroup-drastically-simplify-caching-of-cgroups-membe.patch @@ -0,0 +1,228 @@ +From 5af8805872809e6de4cc4d9495cb1a904772ab4e Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Fri, 23 Nov 2018 01:07:34 +0100 +Subject: [PATCH] cgroup: drastically simplify caching of cgroups members mask + +Previously we tried to be smart: when a new unit appeared and it only +added controllers to the cgroup mask we'd update the cached members mask +in all parents by ORing in the controller flags in their cached values. +Unfortunately this was quite broken, as we missed some conditions when +this cache had to be reset (for example, when a unit got unloaded), +moreover the optimization doesn't work when a controller is removed +anyway (as in that case there's no other way for the parent to iterate +though all children if any other, remaining child unit still needs it). +Hence, let's simplify the logic substantially: instead of updating the +cache on the right events (which we didn't get right), let's simply +invalidate the cache, and generate it lazily when we encounter it later. +This should actually result in better behaviour as we don't have to +calculate the new members mask for a whole subtree whever we have the +suspicion something changed, but can delay it to the point where we +actually need the members mask. + +This allows us to simplify things quite a bit, which is good, since +validating this cache for correctness is hard enough. + +Fixes: #9512 +--- + src/core/cgroup.c | 49 +++++------------------------------------ + src/core/cgroup.h | 2 +- + src/core/dbus-mount.c | 2 +- + src/core/dbus-scope.c | 2 +- + src/core/dbus-service.c | 2 +- + src/core/dbus-slice.c | 2 +- + src/core/dbus-socket.c | 2 +- + src/core/dbus-swap.c | 2 +- + src/core/unit.c | 3 ++- + src/core/unit.h | 2 -- + 10 files changed, 14 insertions(+), 54 deletions(-) + +diff --git a/src/core/cgroup.c b/src/core/cgroup.c +index 6a5606f..d569077 100644 +--- a/src/core/cgroup.c ++++ b/src/core/cgroup.c +@@ -1450,53 +1450,12 @@ bool unit_get_needs_bpf(Unit *u) { + return false; + } + +-/* Recurse from a unit up through its containing slices, propagating +- * mask bits upward. A unit is also member of itself. */ +-void unit_update_cgroup_members_masks(Unit *u) { +- CGroupMask m; +- bool more; +- ++void unit_invalidate_cgroup_members_masks(Unit *u) { + assert(u); +- +- /* Calculate subtree mask */ +- m = unit_get_subtree_mask(u); +- +- /* See if anything changed from the previous invocation. If +- * not, we're done. */ +- if (u->cgroup_subtree_mask_valid && m == u->cgroup_subtree_mask) +- return; +- +- more = +- u->cgroup_subtree_mask_valid && +- ((m & ~u->cgroup_subtree_mask) != 0) && +- ((~m & u->cgroup_subtree_mask) == 0); +- +- u->cgroup_subtree_mask = m; +- u->cgroup_subtree_mask_valid = true; +- +- if (UNIT_ISSET(u->slice)) { +- Unit *s = UNIT_DEREF(u->slice); +- +- if (more) +- /* There's more set now than before. We +- * propagate the new mask to the parent's mask +- * (not caring if it actually was valid or +- * not). */ +- +- s->cgroup_members_mask |= m; +- +- else +- /* There's less set now than before (or we +- * don't know), we need to recalculate +- * everything, so let's invalidate the +- * parent's members mask */ +- +- s->cgroup_members_mask_valid = false; +- +- /* And now make sure that this change also hits our +- * grandparents */ +- unit_update_cgroup_members_masks(s); +- } ++ /* Recurse invalidate the member masks cache all the way up the tree */ ++ u->cgroup_members_mask_valid = false; ++ if (UNIT_ISSET(u->slice)) ++ unit_invalidate_cgroup_members_masks(UNIT_DEREF(u->slice)); + } + + const char *unit_get_realized_cgroup_path(Unit *u, CGroupMask mask) { +diff --git a/src/core/cgroup.h b/src/core/cgroup.h +index 36ea77f..a2e1644 100644 +--- a/src/core/cgroup.h ++++ b/src/core/cgroup.h +@@ -181,7 +181,7 @@ CGroupMask unit_get_enable_mask(Unit *u); + + bool unit_get_needs_bpf(Unit *u); + +-void unit_update_cgroup_members_masks(Unit *u); ++void unit_invalidate_cgroup_members_masks(Unit *u); + + const char *unit_get_realized_cgroup_path(Unit *u, CGroupMask mask); + char *unit_default_cgroup_path(Unit *u); + +diff --git a/src/core/dbus-mount.c b/src/core/dbus-mount.c +index 3f98d3ecf0..b6d61627eb 100644 +--- a/src/core/dbus-mount.c ++++ b/src/core/dbus-mount.c +@@ -145,7 +145,7 @@ int bus_mount_set_property( + int bus_mount_commit_properties(Unit *u) { + assert(u); + +- unit_update_cgroup_members_masks(u); ++ unit_invalidate_cgroup_members_masks(u); + unit_realize_cgroup(u); + + return 0; +diff --git a/src/core/dbus-scope.c b/src/core/dbus-scope.c +index 5d9fe98857..bb807df2e9 100644 +--- a/src/core/dbus-scope.c ++++ b/src/core/dbus-scope.c +@@ -186,7 +186,7 @@ int bus_scope_set_property( + int bus_scope_commit_properties(Unit *u) { + assert(u); + +- unit_update_cgroup_members_masks(u); ++ unit_invalidate_cgroup_members_masks(u); + unit_realize_cgroup(u); + + return 0; +diff --git a/src/core/dbus-service.c b/src/core/dbus-service.c +index fdf6120610..10f53ef401 100644 +--- a/src/core/dbus-service.c ++++ b/src/core/dbus-service.c +@@ -424,7 +424,7 @@ int bus_service_set_property( + int bus_service_commit_properties(Unit *u) { + assert(u); + +- unit_update_cgroup_members_masks(u); ++ unit_invalidate_cgroup_members_masks(u); + unit_realize_cgroup(u); + + return 0; +diff --git a/src/core/dbus-slice.c b/src/core/dbus-slice.c +index 722a5688a5..effd5fa5d7 100644 +--- a/src/core/dbus-slice.c ++++ b/src/core/dbus-slice.c +@@ -28,7 +28,7 @@ int bus_slice_set_property( + int bus_slice_commit_properties(Unit *u) { + assert(u); + +- unit_update_cgroup_members_masks(u); ++ unit_invalidate_cgroup_members_masks(u); + unit_realize_cgroup(u); + + return 0; +diff --git a/src/core/dbus-socket.c b/src/core/dbus-socket.c +index 4ea5b6c6e5..3819653908 100644 +--- a/src/core/dbus-socket.c ++++ b/src/core/dbus-socket.c +@@ -461,7 +461,7 @@ int bus_socket_set_property( + int bus_socket_commit_properties(Unit *u) { + assert(u); + +- unit_update_cgroup_members_masks(u); ++ unit_invalidate_cgroup_members_masks(u); + unit_realize_cgroup(u); + + return 0; +diff --git a/src/core/dbus-swap.c b/src/core/dbus-swap.c +index b272d10113..353fa20132 100644 +--- a/src/core/dbus-swap.c ++++ b/src/core/dbus-swap.c +@@ -63,7 +63,7 @@ int bus_swap_set_property( + int bus_swap_commit_properties(Unit *u) { + assert(u); + +- unit_update_cgroup_members_masks(u); ++ unit_invalidate_cgroup_members_masks(u); + unit_realize_cgroup(u); + + return 0; +diff --git a/src/core/unit.c b/src/core/unit.c +index 392cc2d7c5..a8c0f08e95 100644 +--- a/src/core/unit.c ++++ b/src/core/unit.c +@@ -1547,7 +1547,8 @@ int unit_load(Unit *u) { + if (u->job_running_timeout != USEC_INFINITY && u->job_running_timeout > u->job_timeout) + log_unit_warning(u, "JobRunningTimeoutSec= is greater than JobTimeoutSec=, it has no effect."); + +- unit_update_cgroup_members_masks(u); ++ /* We finished loading, let's ensure our parents recalculate the members mask */ ++ unit_invalidate_cgroup_members_masks(u); + } + + assert((u->load_state != UNIT_MERGED) == !u->merged_into); +diff --git a/src/core/unit.h b/src/core/unit.h +index b8b9147..e2dd794 100644 +--- a/src/core/unit.h ++++ b/src/core/unit.h +@@ -265,7 +265,6 @@ typedef struct Unit { + char *cgroup_path; + CGroupMask cgroup_realized_mask; + CGroupMask cgroup_enabled_mask; +- CGroupMask cgroup_subtree_mask; + CGroupMask cgroup_members_mask; + int cgroup_inotify_wd; + +@@ -341,7 +340,6 @@ typedef struct Unit { + + bool cgroup_realized:1; + bool cgroup_members_mask_valid:1; +- bool cgroup_subtree_mask_valid:1; + + UnitCGroupBPFState cgroup_bpf_state:2; + + diff --git a/20009-core-introduce-cgroup-FullDelegation-FullDelegationD.patch b/20009-core-introduce-cgroup-FullDelegation-FullDelegationD.patch new file mode 100644 index 0000000..bcd28b5 --- /dev/null +++ b/20009-core-introduce-cgroup-FullDelegation-FullDelegationD.patch @@ -0,0 +1,163 @@ +From f4fc78bb9b250e7e8f5197aa15055239276ec3cd Mon Sep 17 00:00:00 2001 +From: rpm-build +Date: Wed, 10 Jul 2024 17:46:57 +0800 +Subject: [PATCH] core: introduce cgroup FullDelegation, + FullDelegationDeviceCGroup for compability + +Whille using systemd-219, users can set 'delegate=y' to claim the +possession of cgroup settings. By then, users are able to write raw +values under /sys/fs/cgroup to adjust cgroup settings and systemd +won't touch these values any longer. + +However, this is likely to be an undefined behaviour for systemd-219. +Upon releasing systemd-239, a documentation of cgroup delegation was +added, +https://github.com/systemd/systemd/commit/e30eaff3a32523b09d61af67fc999f1f62f4e0cb. +It states that: + +Only sub-trees can be delegated (though whoever decides to request a +sub-tree can delegate sub-sub-trees further to somebody else if they +like it).' + +Which is quite different from what people understand the delegation of +systemd-219. Currently, whether a unit is delegated or not, systemd always +possesses any cgroup it created, only ignoring the sub-tree ones +according to delegation settings. + +This behaviour change causes confusion if users switch from systemd-219 to +systemd-239. As a result, we introduce 'FullDelegation', a feature that +brings what users are already familiar with to systemd-239. If users set +'FullDelegation=yes' in /etc/systemd/system.conf, they can control raw +values under /sys/fs/cgroup without worrying systemd touching these +values, which is the same as what they expected with systemd-219. + +The 'FullDelegation' option should not be enabled by default, as it alters the +default behavior that users are accustomed to or will become familiar with. +However, without enabling this option, GPU containers will not function +correctly. To address this issue, we have introduced +'FullDelegationDeviceCGroup', which replicates the behavior of systemd-219 +specifically for device cgroups. This option is enabled by default. + +During the use of earlier versions of systemd, we encountered bug reports +indicating that when 'FullDelegation' is enabled, subcgroups are removed by +systemd. This issue arises due to a flaw in our modification of the +`unit_realize_cgroup_now` function. We overlooked the fact that, in addition to +creating cgroups, the unit_create_cgroup function also deletes subcgroups based +on unset bits in the `target_mask`. To resolve this, we have adjusted the +procedure by moving the reduction of the `target_mask` to occur after the +execution of `unit_create_cgroup`, thereby preventing the unintended deletion of +subcgroups. +--- + src/core/cgroup.c | 24 ++++++++++++++++++++++++ + src/core/main.c | 7 +++++++ + src/core/manager.h | 2 ++ + src/core/system.conf.in | 2 ++ + 4 files changed, 35 insertions(+) + +diff --git a/src/core/cgroup.c b/src/core/cgroup.c +index 8e474f6..6a5606f 100644 +--- a/src/core/cgroup.c ++++ b/src/core/cgroup.c +@@ -1692,6 +1692,18 @@ static int unit_create_cgroup( + /* Keep track that this is now realized */ + u->cgroup_realized = true; + u->cgroup_realized_mask = target_mask; ++ ++ // While realizing cgroup, we don't realize delegated cgroup, therefore, target_mask ++ // doesn't contain delegated cgroup controller bit, and u->cgroup_realized_mask will ++ // not contain delegated cgroup controller bit as well. This unit will be in a state ++ // as if delegated cgroup is not set, which is not expected. ++ // If this is not present, delegated cgroup will be set every 2 systemctl daemon-reload ++ if (u->manager->full_delegation && unit_cgroup_delegate(u)) ++ u->cgroup_realized_mask |= unit_get_delegate_mask(u); ++ ++ if (u->manager->full_delegation_devicecg && unit_cgroup_delegate(u)) ++ u->cgroup_realized_mask |= (unit_get_delegate_mask(u) & CGROUP_MASK_DEVICES); ++ + u->cgroup_enabled_mask = enable_mask; + u->cgroup_bpf_state = needs_bpf ? UNIT_CGROUP_BPF_ON : UNIT_CGROUP_BPF_OFF; + +@@ -1940,6 +1952,12 @@ static int unit_realize_cgroup_now(Unit *u, ManagerState state) { + if (r < 0) + return r; + ++ if (u->manager->full_delegation && unit_cgroup_delegate(u)) ++ target_mask ^= u->cgroup_realized_mask; ++ ++ if (u->manager->full_delegation_devicecg && unit_cgroup_delegate(u)) ++ target_mask ^= (u->cgroup_realized_mask & CGROUP_MASK_DEVICES); ++ + /* Finally, apply the necessary attributes. */ + cgroup_context_apply(u, target_mask, apply_bpf, state); + cgroup_xattr_apply(u); +@@ -2882,6 +2900,12 @@ int unit_reset_ip_accounting(Unit *u) { + void unit_invalidate_cgroup(Unit *u, CGroupMask m) { + assert(u); + ++ if (u->manager->full_delegation) ++ m ^= unit_get_delegate_mask(u); // don't invalidate delegated cgroup ++ ++ if (u->manager->full_delegation_devicecg) ++ m ^= (unit_get_delegate_mask(u) & CGROUP_MASK_DEVICES); // don't invalidate device cgroup if delegate=yes ++ + if (!UNIT_HAS_CGROUP_CONTEXT(u)) + return; + +diff --git a/src/core/main.c b/src/core/main.c +index 546bf0d..e27f0a5 100644 +--- a/src/core/main.c ++++ b/src/core/main.c +@@ -142,6 +142,8 @@ static bool reexec_jmp_can = false; + static bool reexec_jmp_inited = false; + static sigjmp_buf reexec_jmp_buf; + static bool arg_default_cpuset_clone_children = false; ++static bool arg_full_delegation = false; ++static bool arg_full_delegation_devicecg = true; + + static int parse_configuration(const struct rlimit *saved_rlimit_nofile, + const struct rlimit *saved_rlimit_memlock); +@@ -768,6 +770,9 @@ static int parse_config_file(void) { + { "Manager", "DefaultTasksMax", config_parse_tasks_max, 0, &arg_default_tasks_max }, + { "Manager", "CtrlAltDelBurstAction", config_parse_emergency_action, 0, &arg_cad_burst_action }, + { "Manager", "DefaultCPUSetCloneChildren",config_parse_bool, 0, &arg_default_cpuset_clone_children }, ++ { "Manager", "FullDelegation", config_parse_bool, 0, &arg_full_delegation }, ++ { "Manager", "FullDelegationDeviceCGroup",config_parse_bool, 0, &arg_full_delegation_devicecg }, ++ + {} + }; + +@@ -817,6 +822,8 @@ static void set_manager_defaults(Manager *m) { + m->default_memory_accounting = arg_default_memory_accounting; + m->default_tasks_accounting = arg_default_tasks_accounting; + m->default_tasks_max = arg_default_tasks_max; ++ m->full_delegation = arg_full_delegation; ++ m->full_delegation_devicecg = arg_full_delegation_devicecg; + + manager_set_default_rlimits(m, arg_default_rlimit); + manager_environment_add(m, NULL, arg_default_environment); +diff --git a/src/core/manager.h b/src/core/manager.h +index 98d381b..8017d9a 100644 +--- a/src/core/manager.h ++++ b/src/core/manager.h +@@ -297,6 +297,8 @@ struct Manager { + bool default_blockio_accounting; + bool default_tasks_accounting; + bool default_ip_accounting; ++ bool full_delegation; ++ bool full_delegation_devicecg; + + uint64_t default_tasks_max; + usec_t default_timer_accuracy_usec; +diff --git a/src/core/system.conf.in b/src/core/system.conf.in +index 2f6852a..3f9ef7f 100644 +--- a/src/core/system.conf.in ++++ b/src/core/system.conf.in +@@ -67,3 +67,5 @@ DefaultLimitCORE=0:infinity + #DefaultLimitRTTIME= + #IPAddressAllow= + #IPAddressDeny= ++#FullDelegation=no ++#FullDelegationDeviceCGroup=yes +-- +2.39.3 + diff --git a/systemd.spec b/systemd.spec index 14b5528..14bac0a 100644 --- a/systemd.spec +++ b/systemd.spec @@ -1094,15 +1094,17 @@ Patch10024: 10024-fileio-beef-up-READ_FULL_FILE_CONNECT_SOCKET-to-all.patch Patch10025: 10025-fileio-teach-read_full_file_full-to-read-from-offse.patch Patch10026: 10026-cryptsetup-port-cryptsetup-s-main-key-file-logic-ov.patch Patch10027: 10027-fix-compilation-without-utmp.patch +Patch10028: 10028-cgroup-drastically-simplify-caching-of-cgroups-membe.patch Patch20001: 20001-hwdb-parse_hwdb_dot_py.patch # Patch20002: 20002-cgroup-do-not-refresh-cgroup-devices-config-when-dae.patch -Patch20003: 20003-core-introduce-cgroup-full-delegation-for-compabilit.patch +# Patch20003: 20003-core-introduce-cgroup-full-delegation-for-compabilit.patch Patch20004: 20004-Update-vendor-ids-for-ieisystem-0750.patch -Patch20005: 20005-default-enable-full-delegation-on-device-cgroup.patch +# Patch20005: 20005-default-enable-full-delegation-on-device-cgroup.patch Patch20006: 20006-systemd-Add-sw64.patch Patch20007: 20007-add-seccomp-support-for-sw_64.patch Patch20008: 20008-Fix-unit-test-test-seccomp-support-on-sw_64.patch +Patch20009: 20009-core-introduce-cgroup-FullDelegation-FullDelegationD.patch # lifsea only patch %if %{defined lifsea_dist} @@ -1580,10 +1582,11 @@ python3 %{SOURCE2} %buildroot < - 239-82.2 - spec: do not create symlink /etc/systemd/system/syslog.service (RHEL-13179) -- Gitee From 72e72f64e4de7a2e3381b0c9a1bc0dce037bc04a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E5=BF=A0=E5=87=8C?= Date: Tue, 24 Sep 2024 15:44:21 +0800 Subject: [PATCH 18/19] core, udev: remove old device on move event --- ...udev-remove-old-device-on-move-event.patch | 68 +++++++++++++++++++ systemd.spec | 2 + 2 files changed, 70 insertions(+) create mode 100644 10029-core-udev-remove-old-device-on-move-event.patch diff --git a/10029-core-udev-remove-old-device-on-move-event.patch b/10029-core-udev-remove-old-device-on-move-event.patch new file mode 100644 index 0000000..40481d4 --- /dev/null +++ b/10029-core-udev-remove-old-device-on-move-event.patch @@ -0,0 +1,68 @@ +From ec336943fad7cf191d2168a2e683a5985abb2fa8 Mon Sep 17 00:00:00 2001 +From: rpm-build +Date: Tue, 24 Sep 2024 06:37:25 +0000 +Subject: [PATCH] core, udev: remove old device on move event + +https://github.com/systemd/systemd/pull/16968/ +--- + src/core/device.c | 30 ++++++++++++++++++++++++++++++ + 1 file changed, 30 insertions(+) + +diff --git a/src/core/device.c b/src/core/device.c +index 71b7c1e..dcb47c2 100644 +--- a/src/core/device.c ++++ b/src/core/device.c +@@ -18,6 +18,9 @@ + #include "udev-util.h" + #include "unit-name.h" + #include "unit.h" ++#include "device-util.h" ++#include "sd-device.h" ++#include "libudev-device-internal.h" + + static const UnitActiveState state_translation_table[_DEVICE_STATE_MAX] = { + [DEVICE_DEAD] = UNIT_INACTIVE, +@@ -902,6 +905,29 @@ static void device_propagate_reload_by_sysfs(Manager *m, const char *sysfs) { + } + } + ++static int device_remove_old(Manager *m, sd_device *dev) { ++ _cleanup_free_ char *syspath_old = NULL, *e = NULL; ++ const char *devpath_old; ++ int r; ++ ++ r = sd_device_get_property_value(dev, "DEVPATH_OLD", &devpath_old); ++ if (r < 0) { ++ log_device_debug_errno(dev, r, "Failed to get DEVPATH_OLD= property on 'move' uevent, ignoring: %m"); ++ return 0; ++ } ++ ++ syspath_old = path_join(NULL, "/sys", devpath_old); ++ if (!syspath_old) ++ return log_oom(); ++ ++ r = unit_name_from_path(syspath_old, ".device", &e); ++ if (r < 0) ++ return log_device_error_errno(dev, r, "Failed to generate unit name from old device path: %m"); ++ ++ device_update_found_by_sysfs(m, syspath_old, 0, DEVICE_FOUND_UDEV|DEVICE_FOUND_MOUNT|DEVICE_FOUND_SWAP); ++ return 0; ++} ++ + static int device_dispatch_io(sd_event_source *source, int fd, uint32_t revents, void *userdata) { + _cleanup_(udev_device_unrefp) struct udev_device *dev = NULL; + Manager *m = userdata; +@@ -939,6 +965,10 @@ static int device_dispatch_io(sd_event_source *source, int fd, uint32_t revents, + return 0; + } + ++ if (streq(action, "move")) { ++ (void) device_remove_old(m, dev->device); ++ } ++ + if (streq(action, "change")) + device_propagate_reload_by_sysfs(m, sysfs); + +-- +2.43.5 + diff --git a/systemd.spec b/systemd.spec index 14bac0a..c0a378e 100644 --- a/systemd.spec +++ b/systemd.spec @@ -1095,6 +1095,7 @@ Patch10025: 10025-fileio-teach-read_full_file_full-to-read-from-offse.patch Patch10026: 10026-cryptsetup-port-cryptsetup-s-main-key-file-logic-ov.patch Patch10027: 10027-fix-compilation-without-utmp.patch Patch10028: 10028-cgroup-drastically-simplify-caching-of-cgroups-membe.patch +Patch10029: 10029-core-udev-remove-old-device-on-move-event.patch Patch20001: 20001-hwdb-parse_hwdb_dot_py.patch # Patch20002: 20002-cgroup-do-not-refresh-cgroup-devices-config-when-dae.patch @@ -1889,6 +1890,7 @@ fi - add test-seccomp support for sw_64. (Weisson@alinux.alibaba.com) - core: Fix subcgroup deletion caused by full delegation (zhonglingh@linux.alibaba.com) - core: Fix cgroups members mask cache propagation problem (zhonglingh@linux.alibaba.com) +- core, udev: remove old device on move event (zhonglingh@linux.alibaba.com) * Tue Jul 23 2024 systemd maintenance team - 239-82.2 - spec: do not create symlink /etc/systemd/system/syslog.service (RHEL-13179) -- Gitee From c1d04c5dc7e34deb7e309f26779e00f7afa9a73d Mon Sep 17 00:00:00 2001 From: Weisson Date: Thu, 26 Sep 2024 14:01:18 +0800 Subject: [PATCH 19/19] bugfix: sw8a machine seems not to support getxpid syscall any more, replace it with getpid. Signed-off-by: Weisson --- 20006-systemd-Add-sw64.patch | 27 +++++++++------------------ systemd.spec | 5 +++-- 2 files changed, 12 insertions(+), 20 deletions(-) diff --git a/20006-systemd-Add-sw64.patch b/20006-systemd-Add-sw64.patch index f1e0e6a..f62efc2 100644 --- a/20006-systemd-Add-sw64.patch +++ b/20006-systemd-Add-sw64.patch @@ -1,15 +1,15 @@ -From 1d1259c0bada01ed92d991b44be1f53042837187 Mon Sep 17 00:00:00 2001 -From: rpm-build -Date: Fri, 12 May 2023 15:33:42 +0800 -Subject: [PATCH] Add sw64 architecture +From 6cdb604db829800ec1803d61533bd1947c841911 Mon Sep 17 00:00:00 2001 +From: Weisson +Date: Thu, 26 Sep 2024 13:54:58 +0800 +Subject: [PATCH] Add sw64 architecture. -Signed-off-by: rpm-build +Signed-off-by: Weisson --- src/basic/architecture.c | 3 +++ src/basic/architecture.h | 4 ++++ src/basic/missing.h | 2 +- - src/basic/missing_syscall.h | 4 +++- - 4 files changed, 11 insertions(+), 2 deletions(-) + src/basic/missing_syscall.h | 2 ++ + 4 files changed, 10 insertions(+), 1 deletion(-) diff --git a/src/basic/architecture.c b/src/basic/architecture.c index 96bbf97..72b98a3 100644 @@ -68,18 +68,9 @@ index b937661..c2913b5 100644 #elif defined(__parisc__) || defined(__hppa__) #define __O_TMPFILE 0400000000 diff --git a/src/basic/missing_syscall.h b/src/basic/missing_syscall.h -index 014dd2b..3acf59f 100644 +index 014dd2b..51a54b2 100644 --- a/src/basic/missing_syscall.h +++ b/src/basic/missing_syscall.h -@@ -182,7 +182,7 @@ static inline int missing_setns(int fd, int nstype) { - /* ======================================================================= */ - - static inline pid_t raw_getpid(void) { --#if defined(__alpha__) -+#if defined(__alpha__) || defined(__sw_64__) - return (pid_t) syscall(__NR_getxpid); - #else - return (pid_t) syscall(__NR_getpid); @@ -405,6 +405,8 @@ static inline int missing_bpf(int cmd, union bpf_attr *attr, size_t size) { # define __NR_statx 360 # elif defined __x86_64__ @@ -90,5 +81,5 @@ index 014dd2b..3acf59f 100644 # warning "__NR_statx not defined for your architecture" # endif -- -2.31.1 +2.39.3 diff --git a/systemd.spec b/systemd.spec index c0a378e..c3cad2f 100644 --- a/systemd.spec +++ b/systemd.spec @@ -1,4 +1,4 @@ -%define anolis_release .0.1 +%define anolis_release .0.3 #global gitcommit 10e465b5321bd53c1fc59ffab27e724535c6bc0f %{?gitcommit:%global gitcommitshort %(c=%{gitcommit}; echo ${c:0:7})} @@ -1829,7 +1829,7 @@ fi %files tests -f .file-list-tests %changelog -* Wed Oct 09 2024 Yuanhong Peng - 239-82.0.1.2 +* Wed Oct 09 2024 Yuanhong Peng - 239-82.0.3.2 - core: fix a null reference case in load_from_path() - sysctl: Don't pass null directive argument to '%s' - exit-status: introduce EXIT_EXCEPTION mapping to 255 @@ -1891,6 +1891,7 @@ fi - core: Fix subcgroup deletion caused by full delegation (zhonglingh@linux.alibaba.com) - core: Fix cgroups members mask cache propagation problem (zhonglingh@linux.alibaba.com) - core, udev: remove old device on move event (zhonglingh@linux.alibaba.com) +- bugfix: sw8a machine seems not to support getxpid syscall any more, replace it with getpid. (Weisson@linux.alibaba.com) * Tue Jul 23 2024 systemd maintenance team - 239-82.2 - spec: do not create symlink /etc/systemd/system/syslog.service (RHEL-13179) -- Gitee