diff --git a/backport-Add-meson-option-to-disable-urlify.patch b/backport-Add-meson-option-to-disable-urlify.patch index 458402347dcb3ec90e721c605a5825c11d3a0b7a..0b1760fcd54287f932585b419693d262b40b25e3 100644 --- a/backport-Add-meson-option-to-disable-urlify.patch +++ b/backport-Add-meson-option-to-disable-urlify.patch @@ -5,6 +5,9 @@ Subject: [PATCH] Add meson option to disable urlify. Useful for systems that don't use a version of less with hyperlink support. + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/e5d86ebed5624ef62342c820a5868b1075deb300 --- meson.build | 1 + meson_options.txt | 2 ++ diff --git a/backport-Bump-the-max-number-of-inodes-for-dev-to-128k.patch b/backport-Bump-the-max-number-of-inodes-for-dev-to-128k.patch new file mode 100644 index 0000000000000000000000000000000000000000..02f65ce21d9cca71618d76f2d01cecbdb653af15 --- /dev/null +++ b/backport-Bump-the-max-number-of-inodes-for-dev-to-128k.patch 
@@ -0,0 +1,46 @@
+From b1bb976219e4c63d4b8099a2820fedbedf0aa8a5 Mon Sep 17 00:00:00 2001
+From: Franck Bui
+Date: Fri, 3 Dec 2021 11:23:36 +0100
+Subject: [PATCH] Bump the max number of inodes for /dev to 128k
+
+Follow-up for 7d85383edbab73274dc81cc888d884bb01070bc2.
+
+Apparently the previous limit set on the max number of inodes for /dev was too
+small as a system with 4096 LUNs attached can consume up to 95k inodes for
+symlinks:
+
+ # /bin/df -i
+ Filesystem Inodes IUsed IFree IUse% Mounted on
+ devtmpfs 49274377 95075 49179302 1% /dev
+
+Hence this patch bumps the limit from 64k to 128k although the new limit is
+still pretty arbitrary (that said, not sure if it really makes sense to put
+such absolute limit number).
+
+(cherry picked from commit 4c733d3046942984c5f73b40c3af39cc218c103f)
+
+Conflict:NA
+Reference:https://github.com/systemd/systemd/commit/b1bb976219e4c63d4b8099a2820fedbedf0aa8a5
+---
+ src/shared/mount-util.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/shared/mount-util.h b/src/shared/mount-util.h
+index 36501c2c4a..c5bd881070 100644
+--- a/src/shared/mount-util.h
++++ b/src/shared/mount-util.h
+@@ -11,9 +11,9 @@
+ #include "errno-util.h"
+ #include "macro.h"
+
+-/* 4MB for contents of regular files, 64k inodes for directories, symbolic links and device specials, using
++/* 4MB for contents of regular files, 128k inodes for directories, symbolic links and device specials, using
+ * large storage array systems as a baseline */
+-#define TMPFS_LIMITS_DEV ",size=4m,nr_inodes=64k"
++#define TMPFS_LIMITS_DEV ",size=4m,nr_inodes=128k"
+
+ /* Very little, if any use expected */
+ #define TMPFS_LIMITS_EMPTY_OR_ALMOST ",size=4m,nr_inodes=1k"
+--
+2.33.0
+
diff --git a/backport-Bump-the-max-number-of-inodes-for-dev-to-a-million.patch b/backport-Bump-the-max-number-of-inodes-for-dev-to-a-million.patch
index 88d2014936e1ab510e79d564d63b1c71afe7cb81..3b4470c869cef14bbb95e0ef4ebfce0f609bbea8 100644
--- a/backport-Bump-the-max-number-of-inodes-for-dev-to-a-million.patch +++ b/backport-Bump-the-max-number-of-inodes-for-dev-to-a-million.patch @@ -17,10 +17,10 @@ index 3622170297..ce73aebd4b 100644 #include "errno-util.h" #include "macro.h" --/* 4MB for contents of regular files, 64k inodes for directories, symbolic links and device specials, using +-/* 4MB for contents of regular files, 128k inodes for directories, symbolic links and device specials, using +/* 4MB for contents of regular files, 1m inodes for directories, symbolic links and device nodes, using * large storage array systems as a baseline */ --#define TMPFS_LIMITS_DEV ",size=4m,nr_inodes=64k" +-#define TMPFS_LIMITS_DEV ",size=4m,nr_inodes=128k" +#define TMPFS_LIMITS_DEV ",size=4m,nr_inodes=1m" /* Very little, if any use expected */ diff --git a/backport-Bump-the-max-number-of-inodes-for-tmp-to-a-million-t.patch b/backport-Bump-the-max-number-of-inodes-for-tmp-to-a-million-t.patch index 865735577908d1b7da58ab0f7b37c061d53d4570..d2da5ff5bde173c1d35e168d2219194581f3c763 100644 --- a/backport-Bump-the-max-number-of-inodes-for-tmp-to-a-million-t.patch +++ b/backport-Bump-the-max-number-of-inodes-for-tmp-to-a-million-t.patch @@ -1,7 +1,7 @@ From cac372a80177fb622806270eb0d810e4c6ad0c84 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Thu, 9 Dec 2021 10:20:46 +0100 -Subject: [PATCH 2/2] Bump the max number of inodes for /tmp to a million too +Subject: [PATCH] Bump the max number of inodes for /tmp to a million too Fixes #21626. (The bug report talks about /run, but the issue is actually with /tmp.) People use /tmp for various things that fit in memory, e.g. unpacking @@ -14,15 +14,12 @@ diff --git a/units/tmp.mount b/units/tmp.mount index 516bd1621c..4e1bb8de24 100644 --- a/units/tmp.mount 
+++ b/units/tmp.mount -@@ -22,7 +22,7 @@ After=swap.target +@@ -22,4 +22,4 @@ After=swap.target What=tmpfs Where=/tmp Type=tmpfs -Options=mode=1777,strictatime,nosuid,nodev,size=50%,nr_inodes=400k +Options=mode=1777,strictatime,nosuid,nodev,size=50%,nr_inodes=1m - - # Make 'systemctl enable tmp.mount' work: - [Install] -- 2.27.0 diff --git a/backport-CVE-2021-3997-rm-rf-optionally-fsync-after-removing-directory-tree.patch b/backport-CVE-2021-3997-rm-rf-optionally-fsync-after-removing-directory-tree.patch index 941da27c6fc9c9a97d1b1fcdde21c8d3ce6993eb..6847def3b196955056b89577799c49065bebe5ed 100644 --- a/backport-CVE-2021-3997-rm-rf-optionally-fsync-after-removing-directory-tree.patch +++ b/backport-CVE-2021-3997-rm-rf-optionally-fsync-after-removing-directory-tree.patch @@ -1,9 +1,12 @@ From 2426beacca09d84091759be45b25c88116302184 Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Tue, 5 Oct 2021 10:32:56 +0200 -Subject: [PATCH 2/6] rm-rf: optionally fsync() after removing directory tree +Subject: [PATCH] rm-rf: optionally fsync() after removing directory tree (cherry picked from commit bdfe7ada0d4d66e6d6e65f2822acbb1ec230f9c2) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/2426beacca09d84091759be45b25c88116302184 --- src/shared/rm-rf.c | 3 +++ src/shared/rm-rf.h | 1 + @@ -36,5 +39,5 @@ index 577a2795e0..24fd9a2aa2 100644 int unlinkat_harder(int dfd, const char *filename, int unlink_flags, RemoveFlags remove_flags); -- -2.27.0 +2.33.0 diff --git a/backport-CVE-2021-3997-rm-rf-refactor-rm_rf_children-split-out-body-of-dire.patch b/backport-CVE-2021-3997-rm-rf-refactor-rm_rf_children-split-out-body-of-dire.patch index d7222c4f191ddf3d075e70254cc289d8efc33d40..00aa7c38d7c548c905d7710a4bcde8b141fe5d78 100644 --- a/backport-CVE-2021-3997-rm-rf-refactor-rm_rf_children-split-out-body-of-dire.patch +++ b/backport-CVE-2021-3997-rm-rf-refactor-rm_rf_children-split-out-body-of-dire.patch @@ -1,14 +1,17 @@ 
From ca4a0e7d41f0b2a1fe2f99dbc3763187c16cf7ab Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Tue, 26 Jan 2021 16:30:06 +0100 -Subject: [PATCH 1/6] rm-rf: refactor rm_rf_children(), split out body of - directory iteration loop +Subject: [PATCH] rm-rf: refactor rm_rf_children(), split out body of directory + iteration loop This splits out rm_rf_children_inner() as body of the loop. We can use that to implement rm_rf_child() for deleting one specific entry in a directory. (cherry picked from commit 1f0fb7d544711248cba34615e43c5a76bc902d74) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/ca4a0e7d41f0b2a1fe2f99dbc3763187c16cf7ab --- src/shared/rm-rf.c | 223 ++++++++++++++++++++++++++------------------- src/shared/rm-rf.h | 3 +- @@ -317,5 +320,5 @@ index 40f0894c96..577a2795e0 100644 /* Useful for usage with _cleanup_(), destroys a directory and frees the pointer */ -- -2.27.0 +2.33.0 diff --git a/backport-CVE-2021-3997-shared-rm-rf-loop-over-nested-directories-instead-of.patch b/backport-CVE-2021-3997-shared-rm-rf-loop-over-nested-directories-instead-of.patch index 803a0782f58aac39e23b8337d7ed215ad7f68fa6..4858ff484c5c94d62fcb474b4d8af173387f5845 100644 --- a/backport-CVE-2021-3997-shared-rm-rf-loop-over-nested-directories-instead-of.patch +++ b/backport-CVE-2021-3997-shared-rm-rf-loop-over-nested-directories-instead-of.patch @@ -1,8 +1,8 @@ From 6a28f8b55904c818b25e4db2e1511faac79fd471 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Tue, 30 Nov 2021 22:29:05 +0100 -Subject: [PATCH 6/6] shared/rm-rf: loop over nested directories instead of - instead of recursing +Subject: [PATCH] shared/rm-rf: loop over nested directories instead of instead + of recursing To remove directory structures, we need to remove the innermost items first, and then recursively remove higher-level directories. We would recursively 
@@ -24,6 +24,9 @@ Mauro Matteo Cascella and Riccardo Schirone from Red Hat handled the disclosure. (cherry picked from commit 5b1cf7a9be37e20133c0208005274ce4a5b5c6a1) (cherry picked from commit 911516e1614e435755814ada5fc6064fa107a105) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/6a28f8b55904c818b25e4db2e1511faac79fd471 --- src/shared/rm-rf.c | 161 +++++++++++++++++++++++++++++++-------------- 1 file changed, 113 insertions(+), 48 deletions(-) @@ -269,5 +272,5 @@ index 1bd2431d8a..954686ffc9 100644 + return rm_rf_inner_child(fd, name, -1, flags, NULL, true); } -- -2.27.0 +2.33.0 diff --git a/backport-CVE-2021-3997-shared-rm_rf-refactor-rm_rf-to-shorten-code-a-bit.patch b/backport-CVE-2021-3997-shared-rm_rf-refactor-rm_rf-to-shorten-code-a-bit.patch index ee920f65a2ce302eff6abf6261850d58a162f14b..8ba7906afe3c20535ae29141f8e1cc0db3ff7f4c 100644 --- a/backport-CVE-2021-3997-shared-rm_rf-refactor-rm_rf-to-shorten-code-a-bit.patch +++ b/backport-CVE-2021-3997-shared-rm_rf-refactor-rm_rf-to-shorten-code-a-bit.patch @@ -1,10 +1,13 @@ From 811b137d6137cc3e8932599e6ef9254ba43ff5eb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Tue, 23 Nov 2021 16:56:42 +0100 -Subject: [PATCH 5/6] shared/rm_rf: refactor rm_rf() to shorten code a bit +Subject: [PATCH] shared/rm_rf: refactor rm_rf() to shorten code a bit (cherry picked from commit 84ced330020c0bae57bd4628f1f44eec91304e69) (cherry picked from commit 664529efa9431edc043126013ea54e6c399ae2d3) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/811b137d6137cc3e8932599e6ef9254ba43ff5eb --- src/shared/rm-rf.c | 54 +++++++++++++++++++++------------------------- 1 file changed, 24 insertions(+), 30 deletions(-) @@ -96,5 +99,5 @@ index 7362954116..1bd2431d8a 100644 int rm_rf_child(int fd, const char *name, RemoveFlags flags) { -- -2.27.0 +2.33.0 
diff --git a/backport-CVE-2021-3997-shared-rm_rf-refactor-rm_rf_children_inner-to-shorte.patch b/backport-CVE-2021-3997-shared-rm_rf-refactor-rm_rf_children_inner-to-shorte.patch index b81bd34db13dcdc77036a2b4dc1db86665a193b8..3fcf1c99c04b3a9b96c724820c8740ebe4e55895 100644 --- a/backport-CVE-2021-3997-shared-rm_rf-refactor-rm_rf_children_inner-to-shorte.patch +++ b/backport-CVE-2021-3997-shared-rm_rf-refactor-rm_rf_children_inner-to-shorte.patch @@ -1,11 +1,14 @@ From 89395b63f04f1acc0db533c32637ea20379f97c0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Tue, 23 Nov 2021 15:55:45 +0100 -Subject: [PATCH 4/6] shared/rm_rf: refactor rm_rf_children_inner() to shorten - code a bit +Subject: [PATCH] shared/rm_rf: refactor rm_rf_children_inner() to shorten code + a bit (cherry picked from commit 3bac86abfa1b1720180840ffb9d06b3d54841c11) (cherry picked from commit 47741ff9eae6311a03e4d3d837128191826a4a3a) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/89395b63f04f1acc0db533c32637ea20379f97c0 --- src/shared/rm-rf.c | 27 +++++++++------------------ 1 file changed, 9 insertions(+), 18 deletions(-) @@ -64,5 +67,5 @@ index 19f37e0f19..7362954116 100644 int rm_rf_children( -- -2.27.0 +2.33.0 diff --git a/backport-CVE-2021-3997-tmpfiles-st-may-have-been-used-uninitialized.patch b/backport-CVE-2021-3997-tmpfiles-st-may-have-been-used-uninitialized.patch index 4bb3fc812791b4b4cc822e68d093bfdb59282818..fd51c83adb5691766080af4d896855b4077d2362 100644 --- a/backport-CVE-2021-3997-tmpfiles-st-may-have-been-used-uninitialized.patch +++ b/backport-CVE-2021-3997-tmpfiles-st-may-have-been-used-uninitialized.patch @@ -1,9 +1,12 @@ From 7563de501246dccf5a9ea229933481aa1e7bd5c9 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Tue, 23 Nov 2021 15:05:58 +0100 -Subject: [PATCH 3/6] tmpfiles: 'st' may have been used uninitialized +Subject: [PATCH] tmpfiles: 'st' may have been used uninitialized (cherry picked from commit 160dadc0350c77d612aa9d5569f57d9bc84c3dca) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/7563de501246dccf5a9ea229933481aa1e7bd5c9 --- src/shared/rm-rf.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) @@ -24,5 +27,5 @@ index 5ef7c662dd..19f37e0f19 100644 r = fstatat_harder(fd, fname, &st, AT_SYMLINK_NOFOLLOW, flags); if (r < 0) -- -2.27.0 +2.33.0 diff --git a/backport-Change-gendered-terms-to-be-gender-neutral-21325.patch b/backport-Change-gendered-terms-to-be-gender-neutral-21325.patch new file mode 100644 index 0000000000000000000000000000000000000000..44c35d33859018130a98ddc82759adc3c9e2b6d6 --- /dev/null +++ b/backport-Change-gendered-terms-to-be-gender-neutral-21325.patch 
@@ -0,0 +1,131 @@ +From 3ba07929636e1a55c71767e40e23bf639b7a8db5 Mon Sep 17 00:00:00 2001 +From: Emily Gonyer +Date: Fri, 12 Nov 2021 10:09:56 -0500 +Subject: [PATCH] Change gendered terms to be gender-neutral (#21325) + +Some typos are also fixed. + +(cherry picked from commit be7148ebed5d73c4a76bc6089ebe2e82d8fa33e0) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/3ba07929636e1a55c71767e40e23bf639b7a8db5 +--- + docs/CODING_STYLE.md | 2 +- + docs/PREDICTABLE_INTERFACE_NAMES.md | 2 +- + man/sd_bus_add_object.xml | 2 +- + src/core/manager.h | 2 +- + src/hostname/hostnamectl.c | 2 +- + src/libsystemd/sd-bus/bus-socket.c | 4 ++-- + src/libsystemd/sd-bus/sd-bus.c | 2 +- + src/udev/dmi_memory_id/dmi_memory_id.c | 2 +- + 8 files changed, 9 insertions(+), 9 deletions(-) + +diff --git a/docs/CODING_STYLE.md b/docs/CODING_STYLE.md +index 54150e1ee7..05fbb2ac9e 100644 +--- a/docs/CODING_STYLE.md ++++ b/docs/CODING_STYLE.md +@@ -287,7 +287,7 @@ layout: default + with a more brutal `assert()`. We are more forgiving to public users than for + ourselves! Note that `assert()` and `assert_return()` really only should be + used for detecting programming errors, not for runtime errors. `assert()` and +- `assert_return()` by usage of `_likely_()` inform the compiler that he should ++ `assert_return()` by usage of `_likely_()` inform the compiler that it should + not expect these checks to fail, and they inform fellow programmers about the + expected validity and range of parameters. + +diff --git a/docs/PREDICTABLE_INTERFACE_NAMES.md b/docs/PREDICTABLE_INTERFACE_NAMES.md +index 07529e7a70..890bd3935c 100644 +--- a/docs/PREDICTABLE_INTERFACE_NAMES.md ++++ b/docs/PREDICTABLE_INTERFACE_NAMES.md +@@ -53,7 +53,7 @@ With this new scheme you now get: + * The same on all distributions that adopted systemd/udev + * It's easy to opt out of the scheme (see below) + +-Does this have any drawbacks? Yes, it does. 
Previously it was practically guaranteed that hosts equipped with a single ethernet card only had a single `eth0` interface. With this new scheme in place, an administrator now has to check first what the local interface name is before he can invoke commands on it where previously he had a good chance that `eth0` was the right name. ++Does this have any drawbacks? Yes, it does. Previously it was practically guaranteed that hosts equipped with a single ethernet card only had a single `eth0` interface. With this new scheme in place, an administrator now has to check first what the local interface name is before they can invoke commands on it, where previously they had a good chance that `eth0` was the right name. + + + ## I don't like this, how do I disable this? +diff --git a/man/sd_bus_add_object.xml b/man/sd_bus_add_object.xml +index 31a3344bbd..54683e4f11 100644 +--- a/man/sd_bus_add_object.xml ++++ b/man/sd_bus_add_object.xml +@@ -508,7 +508,7 @@ + + SD_BUS_VTABLE_METHOD_NO_REPLY + +- Mark his vtable entry as a method that will not return a reply using the ++ Mark this vtable entry as a method that will not return a reply using the + org.freedesktop.DBus.Method.NoReply annotation in introspection data. + + +diff --git a/src/core/manager.h b/src/core/manager.h +index b3e7c68e6d..14a80b396e 100644 +--- a/src/core/manager.h ++++ b/src/core/manager.h +@@ -195,7 +195,7 @@ struct Manager { + + sd_event *event; + +- /* This maps PIDs we care about to units that are interested in. We allow multiple units to he interested in ++ /* This maps PIDs we care about to units that are interested in. We allow multiple units to be interested in + * the same PID and multiple PIDs to be relevant to the same unit. Since in most cases only a single unit will + * be interested in the same PID we use a somewhat special encoding here: the first unit interested in a PID is + * stored directly in the hashmap, keyed by the PID unmodified. 
If there are other units interested too they'll +diff --git a/src/hostname/hostnamectl.c b/src/hostname/hostnamectl.c +index 283038c7cb..2eca5feaca 100644 +--- a/src/hostname/hostnamectl.c ++++ b/src/hostname/hostnamectl.c +@@ -442,7 +442,7 @@ static int set_hostname(int argc, char **argv, void *userdata) { + * dot if there is one. If it was not valid, then it will be made fully valid by truncating, dropping + * multiple dots, and dropping weird chars. Note that we clean the name up only if we also are + * supposed to set the pretty name. If the pretty name is not being set we assume the user knows what +- * he does and pass the name as-is. */ ++ * they are doing and pass the name as-is. */ + h = strdup(hostname); + if (!h) + return log_oom(); +diff --git a/src/libsystemd/sd-bus/bus-socket.c b/src/libsystemd/sd-bus/bus-socket.c +index 378774fe8b..09eb49c37f 100644 +--- a/src/libsystemd/sd-bus/bus-socket.c ++++ b/src/libsystemd/sd-bus/bus-socket.c +@@ -300,8 +300,8 @@ static int verify_external_token(sd_bus *b, const char *p, size_t l) { + uid_t u; + int r; + +- /* We don't do any real authentication here. Instead, we if +- * the owner of this bus wanted authentication he should have ++ /* We don't do any real authentication here. Instead, if ++ * the owner of this bus wanted authentication they should have + * checked SO_PEERCRED before even creating the bus object. */ + + if (!b->anonymous_auth && !b->ucred_valid) +diff --git a/src/libsystemd/sd-bus/sd-bus.c b/src/libsystemd/sd-bus/sd-bus.c +index 79c24fe703..ab8d4e4a60 100644 +--- a/src/libsystemd/sd-bus/sd-bus.c ++++ b/src/libsystemd/sd-bus/sd-bus.c +@@ -3274,7 +3274,7 @@ static int bus_poll(sd_bus *bus, bool need_more, uint64_t timeout_usec) { + return e; + + if (need_more) +- /* The caller really needs some more data, he doesn't ++ /* The caller really needs some more data, they don't + * care about what's already read, or any timeouts + * except its own. 
*/ + e |= POLLIN; +diff --git a/src/udev/dmi_memory_id/dmi_memory_id.c b/src/udev/dmi_memory_id/dmi_memory_id.c +index 64eba0d314..00e46f8b9e 100644 +--- a/src/udev/dmi_memory_id/dmi_memory_id.c ++++ b/src/udev/dmi_memory_id/dmi_memory_id.c +@@ -539,7 +539,7 @@ static void dmi_table_decode(const uint8_t *buf, size_t len, uint16_t num) { + + /* If a short entry is found (less than 4 bytes), not only it + * is invalid, but we cannot reliably locate the next entry. +- * Better stop at this point, and let the user know his/her ++ * Better stop at this point, and let the user know their + * table is broken. */ + if (h.length < 4) + break; +-- +2.33.0 + diff --git a/backport-Don-t-open-var-journals-in-volatile-mode-when-runtim.patch b/backport-Don-t-open-var-journals-in-volatile-mode-when-runtim.patch new file mode 100644 index 0000000000000000000000000000000000000000..a1e417600d9e789d2e59a206ef51a3f6a0f93690 --- /dev/null +++ b/backport-Don-t-open-var-journals-in-volatile-mode-when-runtim.patch 
@@ -0,0 +1,35 @@
+From 00e7f0994a39852ab1adabfb7e19ff2634e916a0 Mon Sep 17 00:00:00 2001
+From: Milo Turner
+Date: Fri, 13 Aug 2021 10:28:58 -0400
+Subject: [PATCH] Don't open /var journals in volatile mode when
+ runtime_journal==NULL
+
+(cherry picked from commit d64441b669932ab97fbbfc71cb143045f690039e)
+
+Conflict:NA
+Reference:https://github.com/systemd/systemd/commit/00e7f0994a39852ab1adabfb7e19ff2634e916a0
+---
+ src/journal/journald-server.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/src/journal/journald-server.c b/src/journal/journald-server.c
+index 30f04f5383..a0695ec519 100644
+--- a/src/journal/journald-server.c
++++ b/src/journal/journald-server.c
+@@ -415,6 +415,13 @@ static JournalFile* find_journal(Server *s, uid_t uid) {
+ if (s->runtime_journal)
+ return s->runtime_journal;
+
++ /* If we are not in persistent mode, then we need return NULL immediately rather than opening a
++ * persistent journal of any sort.
++ *
++ * Fixes https://github.com/systemd/systemd/issues/20390 */
++ if (!IN_SET(s->storage, STORAGE_AUTO, STORAGE_PERSISTENT))
++ return NULL;
++
+ if (uid_for_system_journal(uid))
+ return s->system_journal;
+
+--
+2.33.0
+
diff --git a/backport-Drop-bundled-copy-of-linux-if_arp.h.patch b/backport-Drop-bundled-copy-of-linux-if_arp.h.patch
new file mode 100644
index 0000000000000000000000000000000000000000..6453c1045c5775d2d3784e4e49b3f228399ffec8
--- /dev/null
+++ b/backport-Drop-bundled-copy-of-linux-if_arp.h.patch
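Review bot: The early return added to find_journal() creates a path on which the function yields NULL whenever runtime_journal is unset and storage is neither auto nor persistent, so every caller has to tolerate a NULL journal; those callers are outside this hunk and should be checked in the backported tree rather than assumed from upstream. The new comment also says "not in persistent mode" while the test admits STORAGE_AUTO too, and it drops a word; I would write `/* If storage is neither auto nor persistent, return NULL right away rather than opening a persistent journal of any sort. */` and keep the issue link below it. find_journal()'s body starts and ends outside the hunk.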
@@ -0,0 +1,227 @@ +From f27585b58a308454bf3409a77c8b1dd12fc64816 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Wed, 15 Sep 2021 16:33:05 +0200 +Subject: [PATCH] Drop bundled copy of linux/if_arp.h +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +As far as I can see, we use this to get a list of ARPHRD_* defines (used in +particular for Type= in .link files). If we drop our copy, and build against +old kernel headers, the user will have a shorter list of types available. This +seems OK, and I don't think it's worth carrying our own version of this file +just to have newest possible entries. + +7c5b9952c4f6e2b72f90edbe439982528b7cf223 recently updated this file, but we'd +have to update it every time the kernel adds new entries. But if we look at +the failure carefully: + +src/basic/arphrd-from-name.gperf:65:16: error: ‘ARPHRD_MCTP’ undeclared (first use in this function); did you mean ‘ARPHRD_FCPP’? + 65 | MCTP, ARPHRD_MCTP + | ^~ + | ARPHRD_FCPP + +we see that the list we were generating was from the system headers, so it was +only as good as the system headers anyway, without the newer entries in our +bundled copy, if there were any. So let's make things simpler by always using +system headers. + +And if somebody wants to fix things so that we always have the newest list, +then we should just generate and store the converted list, not the full header. 
+ +(cherry picked from commit e7f46ee3ae1cc66a94b293957721d68dc09d7449) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/f27585b58a308454bf3409a77c8b1dd12fc64816 +--- + src/basic/linux/if_arp.h | 165 --------------------------------------- + src/basic/meson.build | 1 - + 2 files changed, 166 deletions(-) + delete mode 100644 src/basic/linux/if_arp.h + +diff --git a/src/basic/linux/if_arp.h b/src/basic/linux/if_arp.h +deleted file mode 100644 +index 4783af9fe5..0000000000 +--- a/src/basic/linux/if_arp.h ++++ /dev/null +@@ -1,165 +0,0 @@ +-/* SPDX-License-Identifier: GPL-2.0+ WITH Linux-syscall-note */ +-/* +- * INET An implementation of the TCP/IP protocol suite for the LINUX +- * operating system. INET is implemented using the BSD Socket +- * interface as the means of communication with the user level. +- * +- * Global definitions for the ARP (RFC 826) protocol. +- * +- * Version: @(#)if_arp.h 1.0.1 04/16/93 +- * +- * Authors: Original taken from Berkeley UNIX 4.3, (c) UCB 1986-1988 +- * Portions taken from the KA9Q/NOS (v2.00m PA0GRI) source. +- * Ross Biro +- * Fred N. van Kempen, +- * Florian La Roche, +- * Jonathan Layes +- * Arnaldo Carvalho de Melo ARPHRD_HWX25 +- * +- * This program is free software; you can redistribute it and/or +- * modify it under the terms of the GNU General Public License +- * as published by the Free Software Foundation; either version +- * 2 of the License, or (at your option) any later version. +- */ +-#ifndef _UAPI_LINUX_IF_ARP_H +-#define _UAPI_LINUX_IF_ARP_H +- +-#include +- +-/* ARP protocol HARDWARE identifiers. 
*/ +-#define ARPHRD_NETROM 0 /* from KA9Q: NET/ROM pseudo */ +-#define ARPHRD_ETHER 1 /* Ethernet 10Mbps */ +-#define ARPHRD_EETHER 2 /* Experimental Ethernet */ +-#define ARPHRD_AX25 3 /* AX.25 Level 2 */ +-#define ARPHRD_PRONET 4 /* PROnet token ring */ +-#define ARPHRD_CHAOS 5 /* Chaosnet */ +-#define ARPHRD_IEEE802 6 /* IEEE 802.2 Ethernet/TR/TB */ +-#define ARPHRD_ARCNET 7 /* ARCnet */ +-#define ARPHRD_APPLETLK 8 /* APPLEtalk */ +-#define ARPHRD_DLCI 15 /* Frame Relay DLCI */ +-#define ARPHRD_ATM 19 /* ATM */ +-#define ARPHRD_METRICOM 23 /* Metricom STRIP (new IANA id) */ +-#define ARPHRD_IEEE1394 24 /* IEEE 1394 IPv4 - RFC 2734 */ +-#define ARPHRD_EUI64 27 /* EUI-64 */ +-#define ARPHRD_INFINIBAND 32 /* InfiniBand */ +- +-/* Dummy types for non ARP hardware */ +-#define ARPHRD_SLIP 256 +-#define ARPHRD_CSLIP 257 +-#define ARPHRD_SLIP6 258 +-#define ARPHRD_CSLIP6 259 +-#define ARPHRD_RSRVD 260 /* Notional KISS type */ +-#define ARPHRD_ADAPT 264 +-#define ARPHRD_ROSE 270 +-#define ARPHRD_X25 271 /* CCITT X.25 */ +-#define ARPHRD_HWX25 272 /* Boards with X.25 in firmware */ +-#define ARPHRD_CAN 280 /* Controller Area Network */ +-#define ARPHRD_MCTP 290 +-#define ARPHRD_PPP 512 +-#define ARPHRD_CISCO 513 /* Cisco HDLC */ +-#define ARPHRD_HDLC ARPHRD_CISCO +-#define ARPHRD_LAPB 516 /* LAPB */ +-#define ARPHRD_DDCMP 517 /* Digital's DDCMP protocol */ +-#define ARPHRD_RAWHDLC 518 /* Raw HDLC */ +-#define ARPHRD_RAWIP 519 /* Raw IP */ +- +-#define ARPHRD_TUNNEL 768 /* IPIP tunnel */ +-#define ARPHRD_TUNNEL6 769 /* IP6IP6 tunnel */ +-#define ARPHRD_FRAD 770 /* Frame Relay Access Device */ +-#define ARPHRD_SKIP 771 /* SKIP vif */ +-#define ARPHRD_LOOPBACK 772 /* Loopback device */ +-#define ARPHRD_LOCALTLK 773 /* Localtalk device */ +-#define ARPHRD_FDDI 774 /* Fiber Distributed Data Interface */ +-#define ARPHRD_BIF 775 /* AP1000 BIF */ +-#define ARPHRD_SIT 776 /* sit0 device - IPv6-in-IPv4 */ +-#define ARPHRD_IPDDP 777 /* IP over DDP tunneller */ +-#define 
ARPHRD_IPGRE 778 /* GRE over IP */ +-#define ARPHRD_PIMREG 779 /* PIMSM register interface */ +-#define ARPHRD_HIPPI 780 /* High Performance Parallel Interface */ +-#define ARPHRD_ASH 781 /* Nexus 64Mbps Ash */ +-#define ARPHRD_ECONET 782 /* Acorn Econet */ +-#define ARPHRD_IRDA 783 /* Linux-IrDA */ +-/* ARP works differently on different FC media .. so */ +-#define ARPHRD_FCPP 784 /* Point to point fibrechannel */ +-#define ARPHRD_FCAL 785 /* Fibrechannel arbitrated loop */ +-#define ARPHRD_FCPL 786 /* Fibrechannel public loop */ +-#define ARPHRD_FCFABRIC 787 /* Fibrechannel fabric */ +- /* 787->799 reserved for fibrechannel media types */ +-#define ARPHRD_IEEE802_TR 800 /* Magic type ident for TR */ +-#define ARPHRD_IEEE80211 801 /* IEEE 802.11 */ +-#define ARPHRD_IEEE80211_PRISM 802 /* IEEE 802.11 + Prism2 header */ +-#define ARPHRD_IEEE80211_RADIOTAP 803 /* IEEE 802.11 + radiotap header */ +-#define ARPHRD_IEEE802154 804 +-#define ARPHRD_IEEE802154_MONITOR 805 /* IEEE 802.15.4 network monitor */ +- +-#define ARPHRD_PHONET 820 /* PhoNet media type */ +-#define ARPHRD_PHONET_PIPE 821 /* PhoNet pipe header */ +-#define ARPHRD_CAIF 822 /* CAIF media type */ +-#define ARPHRD_IP6GRE 823 /* GRE over IPv6 */ +-#define ARPHRD_NETLINK 824 /* Netlink header */ +-#define ARPHRD_6LOWPAN 825 /* IPv6 over LoWPAN */ +-#define ARPHRD_VSOCKMON 826 /* Vsock monitor header */ +- +-#define ARPHRD_VOID 0xFFFF /* Void type, nothing is known */ +-#define ARPHRD_NONE 0xFFFE /* zero header length */ +- +-/* ARP protocol opcodes. */ +-#define ARPOP_REQUEST 1 /* ARP request */ +-#define ARPOP_REPLY 2 /* ARP reply */ +-#define ARPOP_RREQUEST 3 /* RARP request */ +-#define ARPOP_RREPLY 4 /* RARP reply */ +-#define ARPOP_InREQUEST 8 /* InARP request */ +-#define ARPOP_InREPLY 9 /* InARP reply */ +-#define ARPOP_NAK 10 /* (ATM)ARP NAK */ +- +- +-/* ARP ioctl request. 
*/ +-struct arpreq { +- struct sockaddr arp_pa; /* protocol address */ +- struct sockaddr arp_ha; /* hardware address */ +- int arp_flags; /* flags */ +- struct sockaddr arp_netmask; /* netmask (only for proxy arps) */ +- char arp_dev[IFNAMSIZ]; +-}; +- +-struct arpreq_old { +- struct sockaddr arp_pa; /* protocol address */ +- struct sockaddr arp_ha; /* hardware address */ +- int arp_flags; /* flags */ +- struct sockaddr arp_netmask; /* netmask (only for proxy arps) */ +-}; +- +-/* ARP Flag values. */ +-#define ATF_COM 0x02 /* completed entry (ha valid) */ +-#define ATF_PERM 0x04 /* permanent entry */ +-#define ATF_PUBL 0x08 /* publish entry */ +-#define ATF_USETRAILERS 0x10 /* has requested trailers */ +-#define ATF_NETMASK 0x20 /* want to use a netmask (only +- for proxy entries) */ +-#define ATF_DONTPUB 0x40 /* don't answer this addresses */ +- +-/* +- * This structure defines an ethernet arp header. +- */ +- +-struct arphdr { +- __be16 ar_hrd; /* format of hardware address */ +- __be16 ar_pro; /* format of protocol address */ +- unsigned char ar_hln; /* length of hardware address */ +- unsigned char ar_pln; /* length of protocol address */ +- __be16 ar_op; /* ARP opcode (command) */ +- +-#if 0 +- /* +- * Ethernet looks like this : This bit is variable sized however... +- */ +- unsigned char ar_sha[ETH_ALEN]; /* sender hardware address */ +- unsigned char ar_sip[4]; /* sender IP address */ +- unsigned char ar_tha[ETH_ALEN]; /* target hardware address */ +- unsigned char ar_tip[4]; /* target IP address */ +-#endif +- +-}; +- +- +-#endif /* _UAPI_LINUX_IF_ARP_H */ +diff --git a/src/basic/meson.build b/src/basic/meson.build +index 9b016ce5e8..452b965db3 100644 +--- a/src/basic/meson.build ++++ b/src/basic/meson.build +@@ -88,7 +88,6 @@ basic_sources = files(''' + linux/hdlc/ioctl.h + linux/if.h + linux/if_addr.h +- linux/if_arp.h + linux/if_bonding.h + linux/if_bridge.h + linux/if_ether.h +-- +2.33.0 + 
diff --git a/backport-Fix-another-crash-due-to-missing-NHDR.patch b/backport-Fix-another-crash-due-to-missing-NHDR.patch
new file mode 100644
index 0000000000000000000000000000000000000000..6d8be876b0ad5b92dad8d91685528b163e1a3380
--- /dev/null
+++ b/backport-Fix-another-crash-due-to-missing-NHDR.patch
@@ -0,0 +1,29 @@
+From 60630b5e812ce103e9625bcc87778165374a455e Mon Sep 17 00:00:00 2001
+From: Kevin Orr
+Date: Thu, 26 Aug 2021 17:04:53 -0400
+Subject: [PATCH] Fix another crash due to missing NHDR
+
+(cherry picked from commit a3a5446b7675696f43c2d8a2a0b898d72228a53d)
+
+Conflict:NA
+Reference:https://github.com/systemd/systemd/commit/60630b5e812ce103e9625bcc87778165374a455e
+---
+ src/coredump/stacktrace.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/coredump/stacktrace.c b/src/coredump/stacktrace.c
+index e46b324cdf..f855a370ff 100644
+--- a/src/coredump/stacktrace.c
++++ b/src/coredump/stacktrace.c
+@@ -299,6 +299,8 @@ static int module_callback(Dwfl_Module *mod, void **userdata, const char *name,
+ program_header->p_offset,
+ program_header->p_filesz,
+ ELF_T_NHDR);
++ if (!data)
++ continue;
+
+ Elf *memelf = elf_memory(data->d_buf, data->d_size);
+ if (!memelf)
+--
+2.33.0
+
diff --git a/backport-Fix-error-building-repart-with-no-libcryptsetup-2073.patch b/backport-Fix-error-building-repart-with-no-libcryptsetup-2073.patch
new file mode 100644
index 0000000000000000000000000000000000000000..dd74d47087cb30ee4f6217892d117acadaa6a450
--- /dev/null
+++ b/backport-Fix-error-building-repart-with-no-libcryptsetup-2073.patch
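Review bot: The added `if (!data) continue;` in module_callback() skips the segment silently and carries no comment saying when the lookup can come back NULL, although the very next context line dereferences `data->d_buf`. Since this code sits in the coredump stack-trace path and presumably walks program headers taken from the crashed process's image, the guard is worth documenting, e.g. `/* The raw-chunk lookup can fail on truncated or malformed program headers; skip this segment instead of dereferencing NULL. */`. The loop and the call that produces `data` start above the hunk, so whether `continue` bypasses any per-iteration cleanup cannot be confirmed from here.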
@@ -0,0 +1,33 @@
+From d3dfc9afa2297e2e15019adf974da8fb0ab7270c Mon Sep 17 00:00:00 2001
+From: Marcus Harrison
+Date: Wed, 15 Sep 2021 03:55:07 +0200
+Subject: [PATCH] Fix error building repart with no libcryptsetup (#20739)
+
+(cherry picked from commit 2709d02906dd3ab5ecc2b3e19e2846b1714a7e5a)
+
+Conflict:NA
+Reference:https://github.com/systemd/systemd/commit/d3dfc9afa2297e2e15019adf974da8fb0ab7270c
+---
+ src/partition/repart.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/partition/repart.c b/src/partition/repart.c
+index 589acaa49d..851c68cc4b 100644
+--- a/src/partition/repart.c
++++ b/src/partition/repart.c
+@@ -206,7 +206,12 @@ static const char *encrypt_mode_table[_ENCRYPT_MODE_MAX] = {
+ [ENCRYPT_KEY_FILE_TPM2] = "key-file+tpm2",
+ };
+
++#if HAVE_LIBCRYPTSETUP
+ DEFINE_PRIVATE_STRING_TABLE_LOOKUP_WITH_BOOLEAN(encrypt_mode, EncryptMode, ENCRYPT_KEY_FILE);
++#else
++DEFINE_PRIVATE_STRING_TABLE_LOOKUP_FROM_STRING_WITH_BOOLEAN(encrypt_mode, EncryptMode, ENCRYPT_KEY_FILE);
++#endif
++
+
+ static uint64_t round_down_size(uint64_t v, uint64_t p) {
+ return (v / p) * p;
+--
+2.33.0
+
diff --git a/backport-Fix-the-Failed-to-open-random-seed-.-message.patch b/backport-Fix-the-Failed-to-open-random-seed-.-message.patch
new file mode 100644
index 0000000000000000000000000000000000000000..7aca3b691ca5e6f128fadea917d492dbb2b575d9
--- /dev/null
+++ b/backport-Fix-the-Failed-to-open-random-seed-.-message.patch
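Review bot: The `#if HAVE_LIBCRYPTSETUP` / `#else` pair around the encrypt_mode lookup has no comment explaining why the build without libcryptsetup defines only the from-string half; presumably the to-string helper is unreferenced in that configuration and the unused static function breaks the build. A one-line comment above the `#if` would keep the next reader from collapsing the two branches again, e.g. `/* Without libcryptsetup only the from-string lookup is referenced; defining both halves fails the build. */`. The hunk also leaves two consecutive blank lines after `#endif`, where one is enough.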
@@ -0,0 +1,33 @@ +From c1b4ee2e0fd28a0c802a3694107613e1689d1c96 Mon Sep 17 00:00:00 2001 +From: longpanda <59477474+ventoy@users.noreply.github.com> +Date: Thu, 5 Aug 2021 09:31:44 +0800 +Subject: [PATCH] Fix the "Failed to open random seed ..." message. + +When boot ArchLinux from Ventoy, it always print `Failed to open random seed file: write protected.` +As Ventoy emulate the ISO file as a read-only CDROM, I didn't test with a real physical CDROM drive, but maybe it also has such problem. +As we use `EFI_FILE_MODE_WRITE` to open the `loader\random-seed` file, so I think it's better to check the result with both `EFI_WRITE_PROTECTED` and `EFI_NOT_FOUND`. + +(cherry picked from commit 2846007ecfb1fc84005b942167d394294c707d7b) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/c1b4ee2e0fd28a0c802a3694107613e1689d1c96 +--- + src/boot/efi/random-seed.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/boot/efi/random-seed.c b/src/boot/efi/random-seed.c +index ff364695f3..3e179851b0 100644 +--- a/src/boot/efi/random-seed.c ++++ b/src/boot/efi/random-seed.c +@@ -245,7 +245,7 @@ EFI_STATUS process_random_seed(EFI_FILE *root_dir, RandomSeedMode mode) { + + err = uefi_call_wrapper(root_dir->Open, 5, root_dir, &handle, (CHAR16*) L"\\loader\\random-seed", EFI_FILE_MODE_READ|EFI_FILE_MODE_WRITE, 0ULL); + if (EFI_ERROR(err)) { +- if (err != EFI_NOT_FOUND) ++ if (err != EFI_NOT_FOUND && err != EFI_WRITE_PROTECTED) + Print(L"Failed to open random seed file: %r\n", err); + return err; + } +-- +2.33.0 + diff --git a/backport-Get-rid-of-dangling-setutxent.patch b/backport-Get-rid-of-dangling-setutxent.patch new file mode 100644 index 0000000000000000000000000000000000000000..cb35353dbfcb4d0092bc5789f153180ded17079e --- /dev/null +++ b/backport-Get-rid-of-dangling-setutxent.patch 
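Review bot: The new condition `err != EFI_NOT_FOUND && err != EFI_WRITE_PROTECTED` carries no comment explaining why a write-protected volume is an expected case, although the two statuses mean different things: no seed was provisioned, versus a seed may exist but cannot be refreshed. The function still returns `err`, so no seed appears to be consumed from read-only media; that is the safe outcome, because a seed that cannot be overwritten would be reused on every boot (inferred, the rest of `process_random_seed` is outside the hunk). I would add `/* Read-only media (e.g. an emulated CD-ROM): the seed could not be updated after use, so skip quietly */` above the check.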
@@ -0,0 +1,55 @@ +From 540389a690b1d6cb00620d8ad6f54077a90e15f8 Mon Sep 17 00:00:00 2001 +From: MertsA +Date: Tue, 10 Aug 2021 20:54:50 -0700 +Subject: [PATCH] Get rid of dangling setutxent() + +utmp_wall() and utmp_put_dead_process() called setutxent() directly instead of the stub in utmp-wtmp.h and never called endutxent(). This would leave /run/utmp left open by PID 1 or journald. This can be reproduced by e.g. lsof /run/utmp and systemd-cat -p 0 echo test. For utmp_put_dead_process() it would only leave it open if it returned early before calling write_utmp_wtmp() + +(cherry picked from commit bbd239f67a683fe63ee3698896fa503ff25031ed) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/540389a690b1d6cb00620d8ad6f54077a90e15f8 +--- + src/shared/utmp-wtmp.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/src/shared/utmp-wtmp.c b/src/shared/utmp-wtmp.c +index 3eeee24693..784aad2943 100644 +--- a/src/shared/utmp-wtmp.c ++++ b/src/shared/utmp-wtmp.c +@@ -215,13 +215,14 @@ int utmp_put_init_process(const char *id, pid_t pid, pid_t sid, const char *line + } + + int utmp_put_dead_process(const char *id, pid_t pid, int code, int status) { ++ _cleanup_(utxent_cleanup) bool utmpx = false; + struct utmpx lookup = { + .ut_type = INIT_PROCESS /* looks for DEAD_PROCESS, LOGIN_PROCESS, USER_PROCESS, too */ + }, store, store_wtmp, *found; + + assert(id); + +- setutxent(); ++ utmpx = utxent_start(); + + /* Copy the whole string if it fits, or just the suffix without the terminating NUL. 
*/ + copy_suffix(store.ut_id, sizeof(store.ut_id), id); +@@ -339,6 +340,7 @@ int utmp_wall( + bool (*match_tty)(const char *tty, void *userdata), + void *userdata) { + ++ _cleanup_(utxent_cleanup) bool utmpx = false; + _cleanup_free_ char *text = NULL, *hn = NULL, *un = NULL, *stdin_tty = NULL; + char date[FORMAT_TIMESTAMP_MAX]; + struct utmpx *u; +@@ -368,7 +370,7 @@ int utmp_wall( + message) < 0) + return -ENOMEM; + +- setutxent(); ++ utmpx = utxent_start(); + + r = 0; + +-- +2.33.0 + diff --git a/backport-Respect-install_sysconfdir.patch b/backport-Respect-install_sysconfdir.patch new file mode 100644 index 0000000000000000000000000000000000000000..c228b0fb932ec1a3693024355cf7cfdb0559de1b --- /dev/null +++ b/backport-Respect-install_sysconfdir.patch 
@@ -0,0 +1,61 @@ +From 0062322638aa36df8190326a6afd38780fb7a271 Mon Sep 17 00:00:00 2001 +From: Kai Wohlfahrt +Date: Tue, 14 Sep 2021 00:32:52 +0100 +Subject: [PATCH] Respect install_sysconfdir + +This was lost e11a25cadbe and c900d89faa0 while adding jinja2 +templating. Breaks builds on NixOS. + +(cherry picked from commit 679de141122ca30388bba6d132f8c0dddcdddd15) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/0062322638aa36df8190326a6afd38780fb7a271 +--- + src/core/meson.build | 2 +- + src/login/meson.build | 8 +++++--- + 2 files changed, 6 insertions(+), 4 deletions(-) + +diff --git a/src/core/meson.build b/src/core/meson.build +index c66538eab1..367c085027 100644 +--- a/src/core/meson.build ++++ b/src/core/meson.build +@@ -193,7 +193,7 @@ foreach item : in_files + output: file, + command : [meson_render_jinja2, config_h, '@INPUT@'], + capture : true, +- install : (dir == pkgsysconfdir and install_sysconfdir_samples) or (dir != pkgsysconfdir and dir != 'no'), ++ install : (dir == pkgsysconfdir) ? install_sysconfdir_samples : (dir != 'no'), + install_dir : dir) + endforeach + +diff --git a/src/login/meson.build b/src/login/meson.build +index b637adc9a2..da704d238f 100644 +--- a/src/login/meson.build ++++ b/src/login/meson.build +@@ -71,18 +71,20 @@ in_files = [ + ['70-uaccess.rules', udevrulesdir, enable_logind and conf.get('HAVE_ACL') == 1], + ['71-seat.rules', udevrulesdir, enable_logind], + ['73-seat-late.rules', udevrulesdir, enable_logind], +- ['systemd-user', pamconfdir, enable_logind and pamconfdir != 'no']] ++ ['systemd-user', pamconfdir, enable_logind]] + + foreach tuple : in_files + file = tuple[0] ++ dir = tuple[1] ++ install = (dir == pkgsysconfdir) ? 
install_sysconfdir_samples : (dir != 'no') + custom_target( + file, + input : file + '.in', + output: file, + command : [meson_render_jinja2, config_h, '@INPUT@'], + capture : true, +- install : tuple[2], +- install_dir : tuple[1]) ++ install : tuple[2] and install, ++ install_dir : dir) + endforeach + + if enable_logind +-- +2.33.0 + diff --git a/backport-Revert-sysctl.d-switch-net.ipv4.conf.all.rp_filter-f.patch b/backport-Revert-sysctl.d-switch-net.ipv4.conf.all.rp_filter-f.patch new file mode 100644 index 0000000000000000000000000000000000000000..143d74220d4553a78677af90bdde963f5af3fcb3 --- /dev/null +++ b/backport-Revert-sysctl.d-switch-net.ipv4.conf.all.rp_filter-f.patch @@ -0,0 +1,35 @@ +From 47b256d63ac092137fe44e27560a14ee4aa5b7c8 Mon Sep 17 00:00:00 2001 +From: Lukas Nykryn +Date: Fri, 8 Feb 2019 10:54:34 +0100 +Subject: Revert "sysctl.d: switch net.ipv4.conf.all.rp_filter + from 1 to 2" + +Conflict:according def94437934 and 5d4fc0e665a, modify default.rp_filter +and *.rp_filter +Reference:https://github.com/systemd/systemd/commit/230450d4e4f1f5fc9fa4295ed9185eea5b6ea16e + +This reverts commit 75c9af80cf3529c76988451e63f98010c86f48f1. + +Resolves: #1653824 +--- + sysctl.d/50-default.conf | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/sysctl.d/50-default.conf b/sysctl.d/50-default.conf +index 1b76b9d..2717a4d 100644 +--- a/sysctl.d/50-default.conf ++++ b/sysctl.d/50-default.conf +@@ -26,8 +26,8 @@ kernel.core_uses_pid = 1 + kernel.core_uses_pid = 1 + + # Source route verification +-net.ipv4.conf.default.rp_filter = 2 +-net.ipv4.conf.*.rp_filter = 2 ++net.ipv4.conf.default.rp_filter = 1 ++net.ipv4.conf.*.rp_filter = 1 + -net.ipv4.conf.all.rp_filter + + # Do not accept source routing +-- +2.23.0 + diff --git a/backport-Use-correct-fcntl.h-include.patch b/backport-Use-correct-fcntl.h-include.patch new file mode 100644 index 0000000000000000000000000000000000000000..87940c4ac76f3454ecc0228727d5c821a659707d --- /dev/null 
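Review bot: The `# Source route verification` comment above the changed `rp_filter` lines does not say which mode is selected, and the hunk moves the per-interface value from 2 (loose) to 1 (strict reverse-path filtering). Strict mode drops packets whose source address is not routable back through the receiving interface, which limits spoofed-source traffic but breaks multihomed hosts and asymmetric routing. The kernel applies the higher of the `all` and per-interface values, and `-net.ipv4.conf.all.rp_filter` leaves `all` unmanaged here, so a host where `all` is set to 2 elsewhere would still end up in loose mode. I would extend the comment to `# Source route verification: 1 = strict (RFC 3704), 2 = loose; strict drops traffic on asymmetric routes`.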
+++ b/backport-Use-correct-fcntl.h-include.patch @@ -0,0 +1,35 @@ +From 3450d8dc8ddb582816c6c481b6a9b7378706ab3b Mon Sep 17 00:00:00 2001 +From: David Seifert +Date: Mon, 2 Aug 2021 12:41:38 +0200 +Subject: [PATCH] Use correct `` include + +* `` is not specified in POSIX + +(cherry picked from commit f8d54f7810aeea5ff27a5db03e1aab7ea54c8268) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/3450d8dc8ddb582816c6c481b6a9b7378706ab3b +--- + src/basic/fileio.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/basic/fileio.h b/src/basic/fileio.h +index c28b17fef5..9bd2037f5b 100644 +--- a/src/basic/fileio.h ++++ b/src/basic/fileio.h +@@ -2,11 +2,11 @@ + #pragma once + + #include ++#include + #include + #include + #include + #include +-#include + #include + + #include "macro.h" +-- +2.33.0 + diff --git a/backport-Use-correct-poll.h-include.patch b/backport-Use-correct-poll.h-include.patch new file mode 100644 index 0000000000000000000000000000000000000000..6013564c3ea549c392e63821c55894974a0d12a7 --- /dev/null +++ b/backport-Use-correct-poll.h-include.patch 
@@ -0,0 +1,43 @@ +From fba9fd963bb3b5fafdb123788b3fabe6ed0830c9 Mon Sep 17 00:00:00 2001 +From: David Seifert +Date: Mon, 2 Aug 2021 16:09:10 +0200 +Subject: [PATCH] Use correct `` include + +* `` is not specified in POSIX + +(cherry picked from commit 2b6c0bb2a341c95223ce672249e43c743b03d78c) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/fba9fd963bb3b5fafdb123788b3fabe6ed0830c9 +--- + src/shared/nscd-flush.c | 2 +- + src/shared/varlink.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/shared/nscd-flush.c b/src/shared/nscd-flush.c +index dfc47c4234..19e16d9345 100644 +--- a/src/shared/nscd-flush.c ++++ b/src/shared/nscd-flush.c +@@ -1,5 +1,5 @@ + /* SPDX-License-Identifier: LGPL-2.1-or-later */ +-#include ++#include + + #include "fd-util.h" + #include "io-util.h" +diff --git a/src/shared/varlink.c b/src/shared/varlink.c +index 6b0b343ae9..8da568e208 100644 +--- a/src/shared/varlink.c ++++ b/src/shared/varlink.c +@@ -1,7 +1,7 @@ + /* SPDX-License-Identifier: LGPL-2.1-or-later */ + + #include +-#include ++#include + + #include "alloc-util.h" + #include "errno-util.h" +-- +2.33.0 + diff --git a/backport-analyze-fix-printing-config-when-there-is-no-main-co.patch b/backport-analyze-fix-printing-config-when-there-is-no-main-co.patch new file mode 100644 index 0000000000000000000000000000000000000000..4abd79ed23768367569f2f7d3b13d8851850ff43 --- /dev/null +++ b/backport-analyze-fix-printing-config-when-there-is-no-main-co.patch 
@@ -0,0 +1,91 @@ +From 8621f957b6e3a7eed1c5965d332ad1c4c594f26e Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Sat, 20 Nov 2021 11:42:31 +0100 +Subject: [PATCH] analyze: fix printing config when there is no main config + file + +Since 8b8024f1c231c166f5c450905c8fd91d11704ae7 and the follow-up commits, the +main config file may be located in /usr or in other paths. But the code in +analyze.c was still assuming that it must be in /etc. Things mostly worked for +our own config files because we usually install a comments-only file in /etc, +but was not correct in the general case. + +This fixes in particular 'systemd-analyze cat-config systemd/zram-generator.conf'. +In Fedora we distribute a config file in zram-generator-defaults.rpm that is in +/usr/lib, and 'cat-config' would refuse to show it because +/etc/systemd/zram-generator.conf does not exist. + +The main config file is optional, but let's print an informative message +because this is a slightly unusual case. + +The file paths that we printed were missing the root prefix. 
+ +(cherry picked from commit 0895e87348e5fc02f50498cad5922eb3eb172323) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/8621f957b6e3a7eed1c5965d332ad1c4c594f26e +--- + src/shared/pretty-print.c | 43 ++++++++++++++++++++++++++------------- + 1 file changed, 29 insertions(+), 14 deletions(-) + +diff --git a/src/shared/pretty-print.c b/src/shared/pretty-print.c +index 137ba77b3a..97baeda401 100644 +--- a/src/shared/pretty-print.c ++++ b/src/shared/pretty-print.c +@@ -300,24 +300,39 @@ int conf_files_cat(const char *root, const char *name) { + return log_error_errno(r, "Failed to build directory list: %m"); + } + +- r = conf_files_list_strv(&files, extension, root, 0, (const char* const*) dirs); +- if (r < 0) +- return log_error_errno(r, "Failed to query file list: %m"); ++ if (DEBUG_LOGGING) { ++ log_debug("Looking for configuration in:"); ++ if (!is_collection) ++ STRV_FOREACH(prefix, prefixes) ++ log_debug(" %s%s%s", strempty(root), *prefix, name); + ++ STRV_FOREACH(t, dirs) ++ log_debug(" %s%s/*%s", strempty(root), *t, extension); ++ } ++ ++ /* First locate the main config file, if any */ + if (!is_collection) { +- path = path_join(root, "/etc", name); ++ STRV_FOREACH(prefix, prefixes) { ++ path = path_join(root, *prefix, name); ++ if (!path) ++ return log_oom(); ++ if (access(path, F_OK) == 0) ++ break; ++ path = mfree(path); ++ } ++ + if (!path) +- return log_oom(); ++ printf("%s# Main configuration file %s not found%s\n", ++ ansi_highlight_magenta(), ++ name, ++ ansi_normal()); + } + +- if (DEBUG_LOGGING) { +- log_debug("Looking for configuration in:"); +- if (path) +- log_debug(" %s", path); +- STRV_FOREACH(t, dirs) +- log_debug(" %s/*%s", *t, extension); +- } ++ /* Then locate the drop-ins, if any */ ++ r = conf_files_list_strv(&files, extension, root, 0, (const char* const*) dirs); ++ if (r < 0) ++ return log_error_errno(r, "Failed to query file list: %m"); + +- /* show */ +- return cat_files(path, files, CAT_FLAGS_MAIN_FILE_OPTIONAL); ++ 
/* Show */ ++ return cat_files(path, files, 0); + } +-- +2.33.0 + diff --git a/backport-backlight-ignore-error-if-the-backlight-device-is-al.patch b/backport-backlight-ignore-error-if-the-backlight-device-is-al.patch new file mode 100644 index 0000000000000000000000000000000000000000..c02cf02bab88484ea8033be0e9b50787842bfaf9 --- /dev/null +++ b/backport-backlight-ignore-error-if-the-backlight-device-is-al.patch 
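Review bot: In the new main-config lookup loop, `access(path, F_OK) == 0` treats every failure as "not present", so an `EACCES` or `ELOOP` on a higher-priority prefix is skipped silently and a lower-priority file or the "not found" banner is shown instead. Only the real absence case should fall through: `if (errno != ENOENT) return log_error_errno(errno, "Failed to access %s: %m", path);` before `path = mfree(path);`. The banner also prints `name` without `root`, while the debug lines in the same hunk prefix `strempty(root)`. `conf_files_cat` begins outside the hunk, so how `cat_files` handles a NULL `path` now that the flag is `0` cannot be verified here.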
@@ -0,0 +1,43 @@ +From a69c240157e2ca066130c12bb061e0065f2c2425 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Wed, 5 Jan 2022 18:26:46 +0900 +Subject: [PATCH] backlight: ignore error if the backlight device is already + removed + +Fixes #21997. + +(cherry picked from commit f0f65087834198d4dabf8b389ddc34223400aab7) +(cherry picked from commit b4c57e1b1c249f28f13a86637d8854c920bcf26d) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/a69c240157e2ca066130c12bb061e0065f2c2425 +--- + src/backlight/backlight.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/src/backlight/backlight.c b/src/backlight/backlight.c +index 7c0970a60c..5aeee0de47 100644 +--- a/src/backlight/backlight.c ++++ b/src/backlight/backlight.c +@@ -395,8 +395,16 @@ static int run(int argc, char *argv[]) { + return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Not a backlight or LED device: '%s:%s'", ss, sysname); + + r = sd_device_new_from_subsystem_sysname(&device, ss, sysname); +- if (r < 0) +- return log_error_errno(r, "Failed to get backlight or LED device '%s:%s': %m", ss, sysname); ++ if (r < 0) { ++ bool ignore = r == -ENODEV; ++ ++ /* Some drivers, e.g. for AMD GPU, removes acpi backlight device soon after it is added. ++ * See issue #21997. */ ++ log_full_errno(ignore ? LOG_DEBUG : LOG_ERR, r, ++ "Failed to get backlight or LED device '%s:%s'%s: %m", ++ ss, sysname, ignore ? ", ignoring" : ""); ++ return ignore ? 0 : r; ++ } + + /* If max_brightness is 0, then there is no actual backlight device. This happens on desktops + * with Asus mainboards that load the eeepc-wmi module. */ +-- +2.33.0 + diff --git a/backport-basic-env-util-correctly-parse-extended-vars-after-n.patch b/backport-basic-env-util-correctly-parse-extended-vars-after-n.patch new file mode 100644 index 0000000000000000000000000000000000000000..5db2bcaae1f3cf750732ffe502be3e5991e03102 --- /dev/null +++ b/backport-basic-env-util-correctly-parse-extended-vars-after-n.patch 
@@ -0,0 +1,53 @@ +From 74583cad5a3bf4051b879b8b1ac53934027ef485 Mon Sep 17 00:00:00 2001 +From: Andrew Soutar +Date: Tue, 5 Oct 2021 22:55:27 -0400 +Subject: [PATCH] basic/env-util: correctly parse extended vars after + non-extended vars (#20941) + +(cherry picked from commit 5ef97a712236f0ddddec52665c0aea7d4e6d3c13) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/74583cad5a3bf4051b879b8b1ac53934027ef485 +--- + src/basic/env-util.c | 1 + + src/test/test-env-util.c | 5 ++++- + 2 files changed, 5 insertions(+), 1 deletion(-) + +diff --git a/src/basic/env-util.c b/src/basic/env-util.c +index 81b1e3f10e..1ca445dab4 100644 +--- a/src/basic/env-util.c ++++ b/src/basic/env-util.c +@@ -577,6 +577,7 @@ char *replace_env_n(const char *format, size_t n, char **env, unsigned flags) { + + word = e+1; + state = WORD; ++ nest--; + } else if (*e == ':') { + if (flags & REPLACE_ENV_ALLOW_EXTENDED) { + len = e - word - 2; +diff --git a/src/test/test-env-util.c b/src/test/test-env-util.c +index ed4580e4af..3d5951c46e 100644 +--- a/src/test/test-env-util.c ++++ b/src/test/test-env-util.c +@@ -198,7 +198,7 @@ static void test_replace_env2(bool extended) { + "BAR=bar", + NULL + }; +- _cleanup_free_ char *t = NULL, *s = NULL, *q = NULL, *r = NULL, *p = NULL, *x = NULL; ++ _cleanup_free_ char *t = NULL, *s = NULL, *q = NULL, *r = NULL, *p = NULL, *x = NULL, *y = NULL; + unsigned flags = REPLACE_ENV_ALLOW_EXTENDED*extended; + + t = replace_env("FOO=${FOO:-${BAR}}", (char**) env, flags); +@@ -218,6 +218,9 @@ static void test_replace_env2(bool extended) { + + x = replace_env("XXX=${XXX:+${BAR}post}", (char**) env, flags); + assert_se(streq(x, extended ? "XXX=" : "XXX=${XXX:+barpost}")); ++ ++ y = replace_env("FOO=${FOO}between${BAR:-baz}", (char**) env, flags); ++ assert_se(streq(y, extended ? "FOO=foobetweenbar" : "FOO=foobetween${BAR:-baz}")); + } + + static void test_replace_env_argv(void) { +-- +2.33.0 + 
diff --git a/backport-basic-escape-add-helper-for-quoting-command-lines.patch b/backport-basic-escape-add-helper-for-quoting-command-lines.patch
new file mode 100644
index 0000000000000000000000000000000000000000..c405da86f9824ca86c817ca9e73391a8065ae55b
--- /dev/null
+++ b/backport-basic-escape-add-helper-for-quoting-command-lines.patch
@@ -0,0 +1,105 @@ +From 17d1b0d2dd109c5e413d8ef1eb5835344f9314b9 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Wed, 7 Jul 2021 16:27:51 +0200 +Subject: [PATCH] basic/escape: add helper for quoting command lines + +(cherry picked from commit eeb91d29b0279d6bf8a3f1c4da54c9e9c0881a19) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/17d1b0d2dd109c5e413d8ef1eb5835344f9314b9 +--- + src/basic/escape.c | 21 +++++++++++++++++++++ + src/basic/escape.h | 1 + + src/test/test-escape.c | 24 ++++++++++++++++++++++++ + 3 files changed, 46 insertions(+) + +diff --git a/src/basic/escape.c b/src/basic/escape.c +index 2a3a0e31a1..fcade5a1b4 100644 +--- a/src/basic/escape.c ++++ b/src/basic/escape.c +@@ -8,6 +8,7 @@ + #include "escape.h" + #include "hexdecoct.h" + #include "macro.h" ++#include "strv.h" + #include "utf8.h" + + int cescape_char(char c, char *buf) { +@@ -542,3 +543,23 @@ char* shell_maybe_quote(const char *s, ShellEscapeFlags flags) { + + return str_realloc(buf); + } ++ ++char* quote_command_line(char **argv) { ++ _cleanup_free_ char *result = NULL; ++ ++ assert(argv); ++ ++ char **a; ++ STRV_FOREACH(a, argv) { ++ _cleanup_free_ char *t = NULL; ++ ++ t = shell_maybe_quote(*a, SHELL_ESCAPE_EMPTY); ++ if (!t) ++ return NULL; ++ ++ if (!strextend_with_separator(&result, " ", t)) ++ return NULL; ++ } ++ ++ return TAKE_PTR(result); ++} +diff --git a/src/basic/escape.h b/src/basic/escape.h +index 907b572bd4..e9d48d227a 100644 +--- a/src/basic/escape.h ++++ b/src/basic/escape.h +@@ -68,3 +68,4 @@ char* escape_non_printable_full(const char *str, size_t console_width, XEscapeFl + + char* shell_escape(const char *s, const char *bad); + char* shell_maybe_quote(const char *s, ShellEscapeFlags flags); ++char* quote_command_line(char **argv); +diff --git a/src/test/test-escape.c b/src/test/test-escape.c +index 991b135a33..8bda9cdc8d 100644 +--- a/src/test/test-escape.c ++++ b/src/test/test-escape.c +@@ -192,6 +192,29 @@ static 
void test_shell_maybe_quote(void) { + test_shell_maybe_quote_one("głąb\002\003rząd", SHELL_ESCAPE_POSIX, "$'głąb\\002\\003rząd'"); + } + ++static void test_quote_command_line_one(char **argv, const char *expected) { ++ _cleanup_free_ char *s; ++ ++ assert_se(s = quote_command_line(argv)); ++ log_info("%s", s); ++ assert_se(streq(s, expected)); ++} ++ ++static void test_quote_command_line(void) { ++ log_info("/* %s */", __func__); ++ ++ test_quote_command_line_one(STRV_MAKE("true", "true"), ++ "true true"); ++ test_quote_command_line_one(STRV_MAKE("true", "with a space"), ++ "true \"with a space\""); ++ test_quote_command_line_one(STRV_MAKE("true", "with a 'quote'"), ++ "true \"with a 'quote'\""); ++ test_quote_command_line_one(STRV_MAKE("true", "with a \"quote\""), ++ "true \"with a \\\"quote\\\"\""); ++ test_quote_command_line_one(STRV_MAKE("true", "$dollar"), ++ "true \"\\$dollar\""); ++} ++ + int main(int argc, char *argv[]) { + test_setup_logging(LOG_DEBUG); + +@@ -202,6 +225,7 @@ int main(int argc, char *argv[]) { + test_cunescape(); + test_shell_escape(); + test_shell_maybe_quote(); ++ test_quote_command_line(); + + return 0; + } +-- +2.33.0 + diff --git a/backport-basic-linux-Sync-if_arp.h-with-Linux-5.14.patch b/backport-basic-linux-Sync-if_arp.h-with-Linux-5.14.patch new file mode 100644 index 0000000000000000000000000000000000000000..a72d4d191cc83c9a91189e10776d7a1ea0a26977 --- /dev/null +++ b/backport-basic-linux-Sync-if_arp.h-with-Linux-5.14.patch 
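Review bot: `quote_command_line()` returns NULL both on allocation failure and for an empty `argv`, because `result` is never assigned when the `STRV_FOREACH` body does not run and `TAKE_PTR(result)` then yields NULL. A caller that maps NULL to `-ENOMEM` would misreport the empty case; adding `if (!result) return strdup("");` before the final return removes the ambiguity. In the test helper, `_cleanup_free_ char *s;` is declared without an initializer; `_cleanup_free_ char *s = NULL;` keeps the cleanup handler safe if code is ever inserted before the assignment. A doc comment on the new prototype in escape.h should state that NULL means out of memory.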
@@ -0,0 +1,32 @@
+From 6674c65c74dcf52b6887e76642683b593d86cb69 Mon Sep 17 00:00:00 2001
+From: Chris Packham
+Date: Fri, 10 Sep 2021 09:51:36 +1200
+Subject: [PATCH] basic/linux: Sync if_arp.h with Linux 5.14
+
+ARPHRD_MCTP was added in 5.14. Sync if_arp.h to pick up the definition
+
+Fixes #20694
+
+(cherry picked from commit 7c5b9952c4f6e2b72f90edbe439982528b7cf223)
+
+Conflict:NA
+Reference:https://github.com/systemd/systemd/commit/6674c65c74dcf52b6887e76642683b593d86cb69
+---
+ src/basic/linux/if_arp.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/basic/linux/if_arp.h b/src/basic/linux/if_arp.h
+index c3cc5a9e5e..4783af9fe5 100644
+--- a/src/basic/linux/if_arp.h
++++ b/src/basic/linux/if_arp.h
+@@ -54,6 +54,7 @@
+ #define ARPHRD_X25 271 /* CCITT X.25 */
+ #define ARPHRD_HWX25 272 /* Boards with X.25 in firmware */
+ #define ARPHRD_CAN 280 /* Controller Area Network */
++#define ARPHRD_MCTP 290
+ #define ARPHRD_PPP 512
+ #define ARPHRD_CISCO 513 /* Cisco HDLC */
+ #define ARPHRD_HDLC ARPHRD_CISCO
+--
+2.33.0
+
diff --git a/backport-basic-log-allow-errno-values-higher-than-255.patch b/backport-basic-log-allow-errno-values-higher-than-255.patch
new file mode 100644
index 0000000000000000000000000000000000000000..7e2d563d48fa8c54e30af869d952f3ac3c540a8c
--- /dev/null
+++ b/backport-basic-log-allow-errno-values-higher-than-255.patch
@@ -0,0 +1,48 @@
+From fb824c90e5a83218e4252a2c21c7f365d0167458 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?=
+Date: Mon, 3 Jan 2022 17:53:29 +0100
+Subject: [PATCH] basic/log: allow errno values higher than 255
+
+When the support for "synthetic errno" was added, we started truncating
+the errno value to just the least significant byte. This is generally OK,
+because errno values are defined up to ~130.
+
+The docs don't really say what the maximum value is. But at least in principle
+higher values could be added in the future. So let's stop truncating
+the values needlessly.
+
+The kernel (or libbpf?) have an error where they return 524 as an errno
+value (https://bugzilla.redhat.com/show_bug.cgi?id=2036145). We would
+confusingly truncate this to 12 (ENOMEM). It seems much nicer to let
+strerror() give us "Unknown error 524" rather than to print the bogus
+message about ENOMEM.
+
+(cherry picked from commit 5f74fcd41cb1a1b26c23e0f2ab405ae9cf6bcc93)
+(cherry picked from commit cd686fe4c719bfb894bd24d673c51f19cea64643)
+
+Conflict:NA
+Reference:https://github.com/systemd/systemd/commit/fb824c90e5a83218e4252a2c21c7f365d0167458
+---
+ src/basic/log.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/basic/log.h b/src/basic/log.h
+index 738c181070..8bfae8e0e5 100644
+--- a/src/basic/log.h
++++ b/src/basic/log.h
+@@ -27,10 +27,10 @@ typedef enum LogTarget{
+ _LOG_TARGET_INVALID = -EINVAL,
+ } LogTarget;
+
+-/* Note to readers: << and >> have lower precedence than & and | */
++/* Note to readers: << and >> have lower precedence (are evaluated earlier) than & and | */
+ #define SYNTHETIC_ERRNO(num) (1 << 30 | (num))
+ #define IS_SYNTHETIC_ERRNO(val) ((val) >> 30 & 1)
+-#define ERRNO_VALUE(val) (abs(val) & 255)
++#define ERRNO_VALUE(val) (abs(val) & ~(1 << 30))
+
+ const char *log_target_to_string(LogTarget target) _const_;
+ LogTarget log_target_from_string(const char *s) _pure_;
+--
+2.33.0
+
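Review bot: The reworded comment `<< and >> have lower precedence (are evaluated earlier) than & and |` contradicts itself: in C the shift operators have higher precedence than `&` and `|`, which is why `1 << 30 | (num)` and `(val) >> 30 & 1` group as intended. I would write `/* Note to readers: << and >> have higher precedence (bind more tightly) than & and | */`. Separately, `ERRNO_VALUE` now keeps every bit except bit 30, so any consumer that relied on a result below 256 should be rechecked, and `abs(val)` remains undefined for `INT_MIN`. Neither of those can be confirmed from this hunk.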
diff --git a/backport-basic-mac_-selinux-smack-_apply_fd-does-not-work-whe.patch b/backport-basic-mac_-selinux-smack-_apply_fd-does-not-work-whe.patch
new file mode 100644
index 0000000000000000000000000000000000000000..94fd836fcd7f184862224a9be896bfe133c6c67f
--- /dev/null
+++ b/backport-basic-mac_-selinux-smack-_apply_fd-does-not-work-whe.patch
@@ -0,0 +1,76 @@ +From fdb86800e854d5079c13d3a4597f73617db991f6 Mon Sep 17 00:00:00 2001 +From: Donald Chan +Date: Fri, 28 Jan 2022 22:53:46 +0000 +Subject: [PATCH] basic: mac_[selinux,smack]_apply_fd does not work when + applying labels + +Commit a7fdc6c introduced a regression where file descriptors are opened +using O_PATH option. mac_smack_apply_fd() calls fsetxattr() and would fail +with a -EBADF (Bad file descriptor) error. + +Use FORMAT_PROC_FD_PATH(fd) to convert the fd back into a full path and +call setxattr() or setfilecon() instead. + +Signed-off-by: Donald Chan +(cherry picked from commit a718364e9d9242cc2111c9860f2ab5bb9bb26db9) +(cherry picked from commit 9f596964f6e403b089450dc083724b48fb4b4bb1) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/fdb86800e854d5079c13d3a4597f73617db991f6 +--- + src/shared/selinux-util.c | 6 +++++- + src/shared/smack-util.c | 7 +++++-- + 2 files changed, 10 insertions(+), 3 deletions(-) + +diff --git a/src/shared/selinux-util.c b/src/shared/selinux-util.c +index 03cee76f64..832c29435d 100644 +--- a/src/shared/selinux-util.c ++++ b/src/shared/selinux-util.c +@@ -344,12 +344,16 @@ int mac_selinux_apply_fd(int fd, const char *path, const char *label) { + assert(fd >= 0); + + #if HAVE_SELINUX ++ char procfs_path[STRLEN("/proc/self/fd/") + DECIMAL_STR_MAX(int) + 1]; ++ + if (!mac_selinux_use()) + return 0; + + assert(label); + +- if (fsetfilecon(fd, label) < 0) ++ xsprintf(procfs_path, "/proc/self/fd/%i", fd); ++ ++ if (setfilecon(procfs_path, label) < 0) + return log_enforcing_errno(errno, "Failed to set SELinux security context %s on path %s: %m", label, strna(path)); + #endif + return 0; +diff --git a/src/shared/smack-util.c b/src/shared/smack-util.c +index 3362ee3924..8d88a7b49a 100644 +--- a/src/shared/smack-util.c ++++ b/src/shared/smack-util.c +@@ -86,6 +86,7 @@ int mac_smack_apply(const char *path, SmackAttr attr, const char *label) { + } + + int mac_smack_apply_fd(int fd, SmackAttr attr, const char 
*label) { ++ char procfs_path[STRLEN("/proc/self/fd/") + DECIMAL_STR_MAX(int) + 1]; + int r; + + assert(fd >= 0); +@@ -94,10 +95,12 @@ int mac_smack_apply_fd(int fd, SmackAttr attr, const char *label) { + if (!mac_smack_use()) + return 0; + ++ xsprintf(procfs_path, "/proc/self/fd/%i", fd); ++ + if (label) +- r = fsetxattr(fd, smack_attr_to_string(attr), label, strlen(label), 0); ++ r = setxattr(procfs_path, smack_attr_to_string(attr), label, strlen(label), 0); + else +- r = fremovexattr(fd, smack_attr_to_string(attr)); ++ r = removexattr(procfs_path, smack_attr_to_string(attr)); + if (r < 0) + return -errno; + +-- +2.33.0 + diff --git a/backport-basic-mountpoint-util-detect-erofs-as-a-read-only-FS.patch b/backport-basic-mountpoint-util-detect-erofs-as-a-read-only-FS.patch new file mode 100644 index 0000000000000000000000000000000000000000..f944c57c2ca64d4b687e7ac8971c9797d8d4d56c --- /dev/null +++ b/backport-basic-mountpoint-util-detect-erofs-as-a-read-only-FS.patch @@ -0,0 +1,28 @@ +From 74af5a3696cd3747fa814a21eb1b3d7cae3dea56 Mon Sep 17 00:00:00 2001 +From: Luca Boccassi +Date: Thu, 4 Nov 2021 20:29:43 +0000 +Subject: [PATCH] basic/mountpoint-util: detect erofs as a read-only FS + +(cherry picked from commit fac2c3e97d80fb356eb50abb429bdb5ed36afcf1) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/74af5a3696cd3747fa814a21eb1b3d7cae3dea56 +--- + src/basic/mountpoint-util.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/basic/mountpoint-util.c b/src/basic/mountpoint-util.c +index e7a5a99551..7e57d9a226 100644 +--- a/src/basic/mountpoint-util.c ++++ b/src/basic/mountpoint-util.c +@@ -424,6 +424,7 @@ bool fstype_is_ro(const char *fstype) { + return STR_IN_SET(fstype, + "DM_verity_hash", + "iso9660", ++ "erofs", + "squashfs"); + } + +-- +2.33.0 + 
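Review bot: Both `mac_selinux_apply_fd()` and `mac_smack_apply_fd()` now depend on `/proc` being mounted, and where it is not (early boot, a minimal chroot) `setfilecon()`, `setxattr()` and `removexattr()` on `/proc/self/fd/N` fail with `ENOENT`, which reads as if the labelled file were missing. A missed MAC label is a policy gap, so the cause should be distinguishable: on `ENOENT`, check whether procfs is available and return a dedicated error such as `-ENOSYS`. The SELinux message also still prints only `strna(path)` although the call now targets `procfs_path`. I would add a comment on the buffer declarations, `/* fd may be O_PATH, on which fsetxattr()/fsetfilecon() fail with EBADF; go via /proc/self/fd/ instead */`, to record why the indirection exists.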
diff --git a/backport-basic-unit-file-don-t-filter-out-names-starting-with.patch b/backport-basic-unit-file-don-t-filter-out-names-starting-with.patch
new file mode 100644
index 0000000000000000000000000000000000000000..735b09c8359f9d1817e5bc4fbd88de43a705b297
--- /dev/null
+++ b/backport-basic-unit-file-don-t-filter-out-names-starting-with.patch
@@ -0,0 +1,32 @@
+From d21bfe5c06688a5b6aa0a0b4eae0b05bc45475fb Mon Sep 17 00:00:00 2001
+From: Anita Zhang
+Date: Tue, 28 Sep 2021 23:52:39 -0700
+Subject: [PATCH] basic/unit-file: don't filter out names starting with dot
+
+Fixes #20859
+Reverts 3796bdc55d6ba499d1049f749072218879e619a7
+
+(cherry picked from commit 14bb72953458caace048b55ead7ea06a592b864f)
+
+Conflict:NA
+Reference:https://github.com/systemd/systemd/commit/d21bfe5c06688a5b6aa0a0b4eae0b05bc45475fb
+---
+ src/basic/unit-file.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/basic/unit-file.c b/src/basic/unit-file.c
+index 884a0674a9..0d58b1c4fe 100644
+--- a/src/basic/unit-file.c
++++ b/src/basic/unit-file.c
+@@ -284,7 +284,7 @@ int unit_file_build_name_map(
+ continue;
+ }
+
+- FOREACH_DIRENT(de, d, log_warning_errno(errno, "Failed to read \"%s\", ignoring: %m", *dir)) {
++ FOREACH_DIRENT_ALL(de, d, log_warning_errno(errno, "Failed to read \"%s\", ignoring: %m", *dir)) {
+ char *filename;
+ _cleanup_free_ char *_filename_free = NULL, *simplified = NULL;
+ const char *suffix, *dst = NULL;
+--
+2.33.0
+
diff --git a/backport-binfmt-fix-exit-value.patch b/backport-binfmt-fix-exit-value.patch
new file mode 100644
index 0000000000000000000000000000000000000000..80ba1e34c54caf850115395504db20b6c39ddeea
--- /dev/null
+++ b/backport-binfmt-fix-exit-value.patch
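Review bot: Switching the loop to `FOREACH_DIRENT_ALL` appears to drop the hidden/backup-file filter for every entry in the unit directories, not only for dot-prefixed unit names, and nothing at the loop says that rejecting `.`, `..`, editor backups and other stray files is now left to the name validation further down. That validation is outside the hunk, so it cannot be verified here. I would add `/* Unit names may start with a dot, so iterate all entries; invalid names are filtered below */` above the loop and make sure a test covers a `foo.service~`-style file in a unit directory.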
@@ -0,0 +1,32 @@
+From d4406e94a32d423d8a73deb7757fb09890afe2c4 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?=
+Date: Wed, 10 Nov 2021 13:58:32 +0100
+Subject: [PATCH] binfmt: fix exit value
+
+Positive values are mapped to 0 by DEFINE_MAIN_FUNCTION(), so e.g.
+systemd-binfmt --foobar would "succeed".
+
+(cherry picked from commit 52707598d5c0dbbc8a967e4874b0b08ee2486772)
+
+Conflict:NA
+Reference:https://github.com/systemd/systemd/commit/d4406e94a32d423d8a73deb7757fb09890afe2c4
+---
+ src/binfmt/binfmt.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/binfmt/binfmt.c b/src/binfmt/binfmt.c
+index 29530bb691..981218f52f 100644
+--- a/src/binfmt/binfmt.c
++++ b/src/binfmt/binfmt.c
+@@ -189,7 +189,7 @@ static int run(int argc, char *argv[]) {
+
+ r = parse_argv(argc, argv);
+ if (r <= 0)
+- return r < 0 ? EXIT_FAILURE : EXIT_SUCCESS;
++ return r;
+
+ log_setup();
+
+--
+2.33.0
+
diff --git a/backport-boot-timestamps-Discard-firmware-init-time-when-runn.patch b/backport-boot-timestamps-Discard-firmware-init-time-when-runn.patch
new file mode 100644
index 0000000000000000000000000000000000000000..fdcfcc5e705d628eb7ab62bead28a314e9bdda09
--- /dev/null
+++ b/backport-boot-timestamps-Discard-firmware-init-time-when-runn.patch
@@ -0,0 +1,68 @@ +From 9ee300a0b6429b7af73f40edfb2330cbbd7828f3 Mon Sep 17 00:00:00 2001 +From: Jan Janssen +Date: Sun, 9 Jan 2022 14:22:15 +0100 +Subject: [PATCH] boot-timestamps: Discard firmware init time when running in a + VM + +Fixes: #22060 +(cherry picked from commit f699bd81e8e18da2d2fc11e7fb7dce95f8bb3f9e) +(cherry picked from commit 3c5c13f82c760c7067bb189484e1f672ff6713f6) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/9ee300a0b6429b7af73f40edfb2330cbbd7828f3 +--- + src/shared/boot-timestamps.c | 18 +++++++++++++----- + 1 file changed, 13 insertions(+), 5 deletions(-) + +diff --git a/src/shared/boot-timestamps.c b/src/shared/boot-timestamps.c +index 8786e89c0e..e00b37aa32 100644 +--- a/src/shared/boot-timestamps.c ++++ b/src/shared/boot-timestamps.c +@@ -5,11 +5,13 @@ + #include "efi-loader.h" + #include "macro.h" + #include "time-util.h" ++#include "virt.h" + + int boot_timestamps(const dual_timestamp *n, dual_timestamp *firmware, dual_timestamp *loader) { + usec_t x = 0, y = 0, a; + int r; + dual_timestamp _n; ++ bool use_firmware = true; + + assert(firmware); + assert(loader); +@@ -24,6 +26,10 @@ int boot_timestamps(const dual_timestamp *n, dual_timestamp *firmware, dual_time + r = efi_loader_get_boot_usec(&x, &y); + if (r < 0) + return r; ++ ++ /* If we are running in a VM, the init timestamp would ++ * be equivalent to the host uptime. */ ++ use_firmware = detect_vm() <= 0; + } + + /* Let's convert this to timestamps where the firmware +@@ -33,12 +39,14 @@ int boot_timestamps(const dual_timestamp *n, dual_timestamp *firmware, dual_time + * the monotonic timestamps here as negative of the actual + * value. */ + +- firmware->monotonic = y; +- loader->monotonic = y - x; +- +- a = n->monotonic + firmware->monotonic; +- firmware->realtime = n->realtime > a ? n->realtime - a : 0; ++ if (use_firmware) { ++ firmware->monotonic = y; ++ a = n->monotonic + firmware->monotonic; ++ firmware->realtime = n->realtime > a ? 
n->realtime - a : 0; ++ } else ++ firmware->monotonic = firmware->realtime = 0; + ++ loader->monotonic = y - x; + a = n->monotonic + loader->monotonic; + loader->realtime = n->realtime > a ? n->realtime - a : 0; + +-- +2.33.0 + diff --git a/backport-bootctl-Fix-update-not-adding-EFI-entry-if-Boot-IDs-.patch b/backport-bootctl-Fix-update-not-adding-EFI-entry-if-Boot-IDs-.patch new file mode 100644 index 0000000000000000000000000000000000000000..c62801a701047416faaeb101786885da1ab998e1 --- /dev/null +++ b/backport-bootctl-Fix-update-not-adding-EFI-entry-if-Boot-IDs-.patch 
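Review bot: `use_firmware = detect_vm() <= 0;` in `boot_timestamps()` folds a detection failure (negative return) into the "not a VM" case, so on error the firmware timestamp is still used and nothing is logged. If that fallback is intended, the added comment should say so; otherwise split the call: `r = detect_vm(); if (r < 0) log_debug_errno(r, "Failed to detect virtualization, ignoring: %m"); use_firmware = r <= 0;` (this needs the logging header if the file does not already pull it in, which the hunk does not show). `detect_vm()` is a heuristic, so the reported firmware time is only as reliable as that detection; the function's tail is outside the hunk.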
@@ -0,0 +1,45 @@
+From 0028a3eb976dfa7209433dfa3a24b785f05fd352 Mon Sep 17 00:00:00 2001
+From: Anssi Hannula
+Date: Thu, 23 Sep 2021 12:08:05 +0300
+Subject: [PATCH] bootctl: Fix update not adding EFI entry if Boot IDs are
+ non-consecutive
+
+"bootctl update" tries to add sd-boot to the EFI boot loader list if it
+is not already there. To do so, it uses find_slot() which finds the
+proper BootXXXX slot ID to use and also returns 1 if an existing sd-boot
+entry was found at this ID or 0 if it is a new unused ID. In "update"
+case install_variables() only writes the entry in case 0 (no existing
+entry).
+
+However, find_slot() erroneously returns 1 if it finds a gap in the Boot
+IDs (i.e. when not resorting to max(ids) + 1). This causes
+"bootctl update" to not add a missing systemd-boot boot entry if the
+existing BootXXXX entry IDs are not consecutive.
+
+Fix that by returning 0 in find_slot() when an empty gap ID is selected
+to make it match the behavior when selecting an empty non-gap ID.
+
+(cherry picked from commit 26d54e1263dcb58daa6578595cc6ab1037315593)
+
+Conflict:NA
+Reference:https://github.com/systemd/systemd/commit/0028a3eb976dfa7209433dfa3a24b785f05fd352
+---
+ src/boot/bootctl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/boot/bootctl.c b/src/boot/bootctl.c
+index fa8c600321..bd96812246 100644
+--- a/src/boot/bootctl.c
++++ b/src/boot/bootctl.c
+@@ -711,7 +711,7 @@ static int find_slot(sd_id128_t uuid, const char *path, uint16_t *id) {
+ for (i = 0; i < n; i++)
+ if (i != options[i]) {
+ *id = i;
+- return 1;
++ return 0;
+ }
+
+ /* use the next one */
+--
+2.33.0
+
diff --git a/backport-bus-util-retrieve-bus-error-from-message.patch b/backport-bus-util-retrieve-bus-error-from-message.patch
new file mode 100644
index 0000000000000000000000000000000000000000..132b4da7fec26c5c4b79d394e4921cb2be59ee96
--- /dev/null
+++ b/backport-bus-util-retrieve-bus-error-from-message.patch
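Review bot: The return contract of `find_slot()` that this fix depends on is stated only in the commit message, not in the code, which is how the gap branch came to return the wrong value. A comment on the function or at the changed line would keep the two "free slot" paths from drifting apart again, e.g. `/* Returns 1 if an existing entry was found at *id, 0 if *id is a free slot that still has to be written. */`. The function starts and ends outside the hunk, so its other return paths cannot be checked from here.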
@@ -0,0 +1,57 @@
+From 443f25f3cd34ce504a4850373babcde5d572335f Mon Sep 17 00:00:00 2001
+From: Yu Watanabe
+Date: Sun, 30 Jan 2022 05:36:56 +0900
+Subject: [PATCH] bus-util: retrieve bus error from message
+
+The error in argument is not input, but used for output.
+
+(cherry picked from commit 853b94863cf26d084454edd63ce987cc7ab0505a)
+(cherry picked from commit b9e144629bdb7c3d4535fb0a0ad8639140a25034)
+
+Conflict:NA
+Reference:https://github.com/systemd/systemd/commit/443f25f3cd34ce504a4850373babcde5d572335f
+---
+ src/shared/bus-wait-for-units.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/src/shared/bus-wait-for-units.c b/src/shared/bus-wait-for-units.c
+index 29620e0d1b..c867f1cbfd 100644
+--- a/src/shared/bus-wait-for-units.c
++++ b/src/shared/bus-wait-for-units.c
+@@ -1,5 +1,6 @@
+ /* SPDX-License-Identifier: LGPL-2.1-or-later */
+
++#include "bus-error.h"
+ #include "bus-map-properties.h"
+ #include "bus-wait-for-units.h"
+ #include "hashmap.h"
+@@ -288,19 +289,22 @@ static int on_properties_changed(sd_bus_message *m, void *userdata, sd_bus_error
+ return 0;
+ }
+
+-static int on_get_all_properties(sd_bus_message *m, void *userdata, sd_bus_error *error) {
++static int on_get_all_properties(sd_bus_message *m, void *userdata, sd_bus_error *ret_error) {
+ WaitForItem *item = userdata;
++ const sd_bus_error *e;
+ int r;
+
+ assert(item);
+
+- if (sd_bus_error_is_set(error)) {
++ e = sd_bus_message_get_error(m);
++ if (e) {
+ BusWaitForUnits *d = item->parent;
+
+ d->has_failed = true;
+
+- log_debug_errno(sd_bus_error_get_errno(error), "GetAll() failed for %s: %s",
+- item->bus_path, error->message);
++ r = sd_bus_error_get_errno(e);
++ log_debug_errno(r, "GetAll() failed for %s: %s",
++ item->bus_path, bus_error_message(e, r));
+
+ call_unit_callback_and_wait(d, item, false);
+ bus_wait_for_units_check_ready(d);
+--
+2.33.0
+
diff --git a/backport-calendarspec-fix-possibly-skips-next-elapse.patch b/backport-calendarspec-fix-possibly-skips-next-elapse.patch
new file mode 100644
index 0000000000000000000000000000000000000000..ec48edee31d9979b25433173aae0412732d28680
--- /dev/null
+++ b/backport-calendarspec-fix-possibly-skips-next-elapse.patch
@@ -0,0 +1,82 @@ +From bce3b46aaf8c7ad7ff7eeaafbf4b321ffdad9c07 Mon Sep 17 00:00:00 2001 +From: Gibeom Gwon +Date: Sun, 6 Mar 2022 09:45:38 +0900 +Subject: [PATCH] calendarspec: fix possibly skips next elapse + +If the time unit changes after adding the repetition value, the +timer may skip the next elapse. This patch reset sub time units +to minimum value when upper unit is changed. + +Fixes #22665. + +(cherry picked from commit 1e582ede3b04d12aae11fc5378a446a392054f1c) +(cherry picked from commit 8d4c0d2383e72f30753bf33f206387bc03879ff8) + +Conflict:NA +Reference:https://github.com/systemd/systemd-stable/commit/bce3b46aaf8c7ad7ff7eeaafbf4b321ffdad9c07 +--- + src/shared/calendarspec.c | 27 ++++++++++++++++++++------- + src/test/test-calendarspec.c | 2 ++ + 2 files changed, 22 insertions(+), 7 deletions(-) + +diff --git a/src/shared/calendarspec.c b/src/shared/calendarspec.c +index bf24d8d5bb..238766c96a 100644 +--- a/src/shared/calendarspec.c ++++ b/src/shared/calendarspec.c +@@ -1180,6 +1180,7 @@ static int find_matching_component( + + static int tm_within_bounds(struct tm *tm, bool utc) { + struct tm t; ++ int cmp; + assert(tm); + + /* +@@ -1194,13 +1195,25 @@ static int tm_within_bounds(struct tm *tm, bool utc) { + if (mktime_or_timegm(&t, utc) < 0) + return negative_errno(); + +- /* Did any normalization take place? If so, it was out of bounds before */ +- int cmp = CMP(t.tm_year, tm->tm_year) ?: +- CMP(t.tm_mon, tm->tm_mon) ?: +- CMP(t.tm_mday, tm->tm_mday) ?: +- CMP(t.tm_hour, tm->tm_hour) ?: +- CMP(t.tm_min, tm->tm_min) ?: +- CMP(t.tm_sec, tm->tm_sec); ++ /* ++ * Did any normalization take place? If so, it was out of bounds before. ++ * Normalization could skip next elapse, e.g. result of normalizing 3-33 ++ * is 4-2. This skips 4-1. So reset the sub time unit if upper unit was ++ * out of bounds. Normalization has occurred implies find_matching_component() > 0, ++ * other sub time units are already reset in find_next(). 
++ */ ++ if ((cmp = CMP(t.tm_year, tm->tm_year)) != 0) ++ t.tm_mon = 0; ++ else if ((cmp = CMP(t.tm_mon, tm->tm_mon)) != 0) ++ t.tm_mday = 1; ++ else if ((cmp = CMP(t.tm_mday, tm->tm_mday)) != 0) ++ t.tm_hour = 0; ++ else if ((cmp = CMP(t.tm_hour, tm->tm_hour)) != 0) ++ t.tm_min = 0; ++ else if ((cmp = CMP(t.tm_min, tm->tm_min)) != 0) ++ t.tm_sec = 0; ++ else ++ cmp = CMP(t.tm_sec, tm->tm_sec); + + if (cmp < 0) + return -EDEADLK; /* Refuse to go backward */ +diff --git a/src/test/test-calendarspec.c b/src/test/test-calendarspec.c +index 4f1d0f64d5..bc5e56a238 100644 +--- a/src/test/test-calendarspec.c ++++ b/src/test/test-calendarspec.c +@@ -201,6 +201,8 @@ int main(int argc, char* argv[]) { + test_next("2016-02~01 UTC", "", 12345, 1456704000000000); + test_next("Mon 2017-05~01..07 UTC", "", 12345, 1496016000000000); + test_next("Mon 2017-05~07/1 UTC", "", 12345, 1496016000000000); ++ test_next("*-*-01/5 04:00:00 UTC", "", 1646010000000000, 1646107200000000); ++ test_next("*-01/7-01 04:00:00 UTC", "", 1664607600000000, 1672545600000000); + test_next("2017-08-06 9,11,13,15,17:00 UTC", "", 1502029800000000, 1502031600000000); + test_next("2017-08-06 9..17/2:00 UTC", "", 1502029800000000, 1502031600000000); + test_next("2016-12-* 3..21/6:00 UTC", "", 1482613200000001, 1482634800000000); +-- +2.33.0 + diff --git a/backport-cgroup-do-catchup-for-unit-cgroup-inotify-watch-file.patch b/backport-cgroup-do-catchup-for-unit-cgroup-inotify-watch-file.patch new file mode 100644 index 0000000000000000000000000000000000000000..596dc397a1d34be47b9b7dcd6dcd39186182b617 --- /dev/null +++ b/backport-cgroup-do-catchup-for-unit-cgroup-inotify-watch-file.patch 
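Review bot: After `mktime_or_timegm()` has normalised `t`, the new chain in `tm_within_bounds()` overwrites a single field (`t.tm_mday = 1`, `t.tm_hour = 0`, …) without normalising again, so `t.tm_wday` and `t.tm_yday` may no longer match the date held in `t`. The tail of the function is outside the hunk; if it copies `t` back into `*tm`, the caller has to re-normalise before it evaluates a weekday, and the new comment should record that, e.g. `/* tm_wday/tm_yday are stale after this reset; the caller re-normalizes. */` (to be confirmed against `find_next()`). The two added `test_next()` cases cover day and month repetition, but neither combines a weekday with a repetition that overflows into the next unit.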
@@ -0,0 +1,84 @@ +From 52ab3b8f534eafeed86908ad38f4cd0f169e23ff Mon Sep 17 00:00:00 2001 +From: Dan Streetman +Date: Sun, 11 Jul 2021 16:59:27 -0400 +Subject: [PATCH] cgroup: do 'catchup' for unit cgroup inotify watch files + +While reexec/reload, we drop the inotify watch on cgroup file(s), so +we need to re-check them in case they changed and we missed the event. + +Fixes: #20198 +(cherry picked from commit 869f52f21831b611160c4937bef822ca94c802ba) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/52ab3b8f534eafeed86908ad38f4cd0f169e23ff +--- + src/core/cgroup.c | 18 ++++++++++++++++++ + src/core/cgroup.h | 2 ++ + src/core/unit.c | 2 ++ + 3 files changed, 22 insertions(+) + +diff --git a/src/core/cgroup.c b/src/core/cgroup.c +index 3a6f768c60..5c07aa71d1 100644 +--- a/src/core/cgroup.c ++++ b/src/core/cgroup.c +@@ -3039,6 +3039,9 @@ static int unit_check_cgroup_events(Unit *u) { + + assert(u); + ++ if (!u->cgroup_path) ++ return 0; ++ + r = cg_get_keyed_attribute_graceful(SYSTEMD_CGROUP_CONTROLLER, u->cgroup_path, "cgroup.events", + STRV_MAKE("populated", "frozen"), values); + if (r < 0) +@@ -3871,6 +3874,21 @@ void unit_invalidate_cgroup_bpf(Unit *u) { + } + } + ++void unit_cgroup_catchup(Unit *u) { ++ assert(u); ++ ++ if (!UNIT_HAS_CGROUP_CONTEXT(u)) ++ return; ++ ++ /* We dropped the inotify watch during reexec/reload, so we need to ++ * check these as they may have changed. ++ * Note that (currently) the kernel doesn't actually update cgroup ++ * file modification times, so we can't just serialize and then check ++ * the mtime for file(s) we are interested in. 
*/ ++ (void) unit_check_cgroup_events(u); ++ unit_add_to_cgroup_oom_queue(u); ++} ++ + bool unit_cgroup_delegate(Unit *u) { + CGroupContext *c; + +diff --git a/src/core/cgroup.h b/src/core/cgroup.h +index ea929368cb..3f8cad899d 100644 +--- a/src/core/cgroup.h ++++ b/src/core/cgroup.h +@@ -313,6 +313,8 @@ void manager_invalidate_startup_units(Manager *m); + const char* cgroup_device_policy_to_string(CGroupDevicePolicy i) _const_; + CGroupDevicePolicy cgroup_device_policy_from_string(const char *s) _pure_; + ++void unit_cgroup_catchup(Unit *u); ++ + bool unit_cgroup_delegate(Unit *u); + + int compare_job_priority(const void *a, const void *b); +diff --git a/src/core/unit.c b/src/core/unit.c +index 47966bcf0d..7e3bd7505e 100644 +--- a/src/core/unit.c ++++ b/src/core/unit.c +@@ -3616,6 +3616,8 @@ void unit_catchup(Unit *u) { + + if (UNIT_VTABLE(u)->catchup) + UNIT_VTABLE(u)->catchup(u); ++ ++ unit_cgroup_catchup(u); + } + + static bool fragment_mtime_newer(const char *path, usec_t mtime, bool path_masked) { +-- +2.33.0 + diff --git a/backport-cgroup-don-t-emit-BPF-firewall-warning-when-manager-.patch b/backport-cgroup-don-t-emit-BPF-firewall-warning-when-manager-.patch new file mode 100644 index 0000000000000000000000000000000000000000..15d9e2ed609884d96f1d3605af3af66f37e18cba --- /dev/null +++ b/backport-cgroup-don-t-emit-BPF-firewall-warning-when-manager-.patch 
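Review bot: `unit_cgroup_catchup()` drops the result of `unit_check_cgroup_events()` with `(void)`, so a failed read of `cgroup.events` after reexec/reload leaves the unit's populated/frozen state unverified with no trace, unless the callee logs on its own (most of its body is outside the hunk). I would either log it, `r = unit_check_cgroup_events(u); if (r < 0) log_unit_debug_errno(u, r, "Failed to check cgroup events, ignoring: %m");` with an `int r;` declared, or extend the comment to say the error is deliberately ignored. The new `if (!u->cgroup_path) return 0;` guard protects only that helper; whether `unit_add_to_cgroup_oom_queue()` copes with a unit that has no cgroup path is not visible here.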
@@ -0,0 +1,45 @@
+From f4472e406eaa1087534066d09a4b7f2fd1de2a06 Mon Sep 17 00:00:00 2001
+From: Luca Boccassi
+Date: Tue, 30 Nov 2021 23:49:33 +0000
+Subject: [PATCH] cgroup: don't emit BPF firewall warning when manager is in
+ test mode
+
+Support for BPF might not have been checked, since it's not necessary
+in test mode (eg: running offline analysis of units). This causes an
+assert:
+
+Assertion '(_error) != 0' failed at src/core/bpf-firewall.c:914, function emit_bpf_firewall_warning(). Aborting.
+
+Export SYSTEMD_LOG_LEVEl=debug in TEST-65-ANALYZE is enough to trigger
+this assert while doing an offline analysis of a unit that has some
+firewall/network restrictions set.
+
+Skip the warning if the manager is in test mode.
+
+(cherry picked from commit a42232a18c5716f69efc67c779dd2ef6c4b9d6c2)
+
+Conflict:NA
+Reference:https://github.com/systemd/systemd/commit/f4472e406eaa1087534066d09a4b7f2fd1de2a06
+---
+ src/core/bpf-firewall.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/src/core/bpf-firewall.c b/src/core/bpf-firewall.c
+index 4a92052925..c4989a3ea6 100644
+--- a/src/core/bpf-firewall.c
++++ b/src/core/bpf-firewall.c
+@@ -911,7 +911,10 @@ int bpf_firewall_supported(void) {
+ void emit_bpf_firewall_warning(Unit *u) {
+ static bool warned = false;
+
+- if (!warned) {
++ assert(u);
++ assert(u->manager);
++
++ if (!warned && !MANAGER_IS_TEST_RUN(u->manager)) {
+ bool quiet = bpf_firewall_unsupported_reason == -EPERM && detect_container() > 0;
+
+ log_unit_full_errno(u, quiet ? LOG_DEBUG : LOG_WARNING, bpf_firewall_unsupported_reason,
+--
+2.33.0
+
diff --git a/backport-change-indicator-used-for-later-versions-of-VirtualB.patch b/backport-change-indicator-used-for-later-versions-of-VirtualB.patch
new file mode 100644
index 0000000000000000000000000000000000000000..24ab4b016ba2f28d81d6d13724e70e6faed015a9
--- /dev/null
+++ b/backport-change-indicator-used-for-later-versions-of-VirtualB.patch
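Review bot: The reason test mode is excluded in `emit_bpf_firewall_warning()` is recorded only in the commit message, so the extra condition reads as arbitrary in the source. A comment on the new `if` would carry it: `/* In test mode BPF support may never have been probed, so bpf_firewall_unsupported_reason can still be 0 and the log call below would hit its assert. */`. The function body continues past the end of the hunk.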
@@ -0,0 +1,54 @@ +From 7459b7f4a63de87a6e76e9187893c65291b7931f Mon Sep 17 00:00:00 2001 +From: Greg Zuro +Date: Tue, 26 Oct 2021 21:02:37 -0700 +Subject: [PATCH] change indicator used for later versions of VirtualBox + (#21127) + +Detection of VirtualBox is accomplished in the existing code by *either* `innotek GmbH` +or `Oracle Corporation` existing in any of: + +- /sys/class/dmi/id/product_name +- /sys/class/dmi/id/sys_vendor +- /sys/class/dmi/id/board_vendor +- /sys/class/dmi/id/bios_vendor + +With Oracle's physical servers, both `/sys/class/dmi/id/sys_vendor` and +`/sys/class/dmi/id/board_vendor` contain `Oracle Corporation`, so those +servers are detected as `oracle` (VirtualBox). + +VirtualBox has the following values in the latest versions: + +- /sys/class/dmi/id/product_name: `VirtualBox` +- /sys/class/dmi/id/sys_vendor: `innotek GmbH` +- /sys/class/dmi/id/board_vendor: `Oracle Corporation` +- /sys/class/dmi/id/bios_vendor: `innotek GmbH` + +Presumably the existing check for `innotek GmbH` is meant to detect +older versions of VirtualBox, while changing the second checked value +from `Oracle Corporation` to `VirtualBox` will reliably detect later and future +versions. 
+ +(cherry picked from commit cfee6b955154c30be31ffcf0e3b7b89374a52fff) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/7459b7f4a63de87a6e76e9187893c65291b7931f +--- + src/basic/virt.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/basic/virt.c b/src/basic/virt.c +index 0243b2d2a8..cc123a286f 100644 +--- a/src/basic/virt.c ++++ b/src/basic/virt.c +@@ -159,7 +159,7 @@ static int detect_vm_dmi_vendor(void) { + { "VMware", VIRTUALIZATION_VMWARE }, /* https://kb.vmware.com/s/article/1009458 */ + { "VMW", VIRTUALIZATION_VMWARE }, + { "innotek GmbH", VIRTUALIZATION_ORACLE }, +- { "Oracle Corporation", VIRTUALIZATION_ORACLE }, ++ { "VirtualBox", VIRTUALIZATION_ORACLE }, + { "Xen", VIRTUALIZATION_XEN }, + { "Bochs", VIRTUALIZATION_BOCHS }, + { "Parallels", VIRTUALIZATION_PARALLELS }, +-- +2.33.0 + diff --git a/backport-ci-cancel-previous-jobs-on-ref-update.patch b/backport-ci-cancel-previous-jobs-on-ref-update.patch new file mode 100644 index 0000000000000000000000000000000000000000..08ecd81f1c77f334a832788e8d29e3cf492881ef --- /dev/null +++ b/backport-ci-cancel-previous-jobs-on-ref-update.patch 
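Review bot: The new `{ "VirtualBox", VIRTUALIZATION_ORACLE }` entry in `detect_vm_dmi_vendor()` has no comment, although per the commit message it matches `product_name` rather than a vendor field and replaces `"Oracle Corporation"` because that string also appears on Oracle physical servers. I would record that next to the entry, as the VMware line does with its reference: `{ "VirtualBox", VIRTUALIZATION_ORACLE }, /* product_name; "Oracle Corporation" also matches Oracle bare-metal servers */`. The table and the matching loop start and end outside the hunk, so how the strings are compared cannot be confirmed here. These DMI strings come from the platform or hypervisor configuration, so callers should treat the result as a hint about the environment rather than as proof of it.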
@@ -0,0 +1,79 @@ +From 47b12629b47d9dfc857874a1b680f60ffc0af0bd Mon Sep 17 00:00:00 2001 +From: Frantisek Sumsal +Date: Wed, 10 Nov 2021 16:45:12 +0100 +Subject: [PATCH] ci: cancel previous jobs on ref update + +Let's save the environment (and reduce the number of jobs in GH Actions +queues) by cancelling old jobs on a ref update (force push). + +See: https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#concurrency +(cherry picked from commit 3884837610168e6fb69fc2d5709f6c017a30beb9) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/47b12629b47d9dfc857874a1b680f60ffc0af0bd +--- + .github/workflows/build_test.yml | 3 +++ + .github/workflows/cifuzz.yml | 3 +++ + .github/workflows/mkosi.yml | 3 +++ + .github/workflows/unit_tests.yml | 3 +++ + 4 files changed, 12 insertions(+) + +diff --git a/.github/workflows/build_test.yml b/.github/workflows/build_test.yml +index 486016abc1..fa86236c2a 100644 +--- a/.github/workflows/build_test.yml ++++ b/.github/workflows/build_test.yml +@@ -14,6 +14,9 @@ on: + jobs: + build: + runs-on: ubuntu-20.04 ++ concurrency: ++ group: ${{ github.workflow }}-${{ matrix.env.COMPILER }}-${{ matrix.env.COMPILER_VERSION }}-${{ github.ref }} ++ cancel-in-progress: true + strategy: + fail-fast: false + matrix: +diff --git a/.github/workflows/cifuzz.yml b/.github/workflows/cifuzz.yml +index 5296dc7069..df1fb15ace 100644 +--- a/.github/workflows/cifuzz.yml ++++ b/.github/workflows/cifuzz.yml +@@ -19,6 +19,9 @@ jobs: + Fuzzing: + runs-on: ubuntu-latest + if: github.repository == 'systemd/systemd' ++ concurrency: ++ group: ${{ github.workflow }}-${{ github.ref }} ++ cancel-in-progress: true + strategy: + fail-fast: false + matrix: +diff --git a/.github/workflows/mkosi.yml b/.github/workflows/mkosi.yml +index babdf7ae6e..f67fd23b1c 100644 +--- a/.github/workflows/mkosi.yml ++++ b/.github/workflows/mkosi.yml +@@ -13,6 +13,9 @@ on: + jobs: + ci: + runs-on: ubuntu-20.04 ++ concurrency: ++ group: ${{ 
github.workflow }}-${{ matrix.distro }}-${{ github.ref }} ++ cancel-in-progress: true + strategy: + fail-fast: false + matrix: +diff --git a/.github/workflows/unit_tests.yml b/.github/workflows/unit_tests.yml +index ca1e6e0c30..aaf8fcad3d 100644 +--- a/.github/workflows/unit_tests.yml ++++ b/.github/workflows/unit_tests.yml +@@ -10,6 +10,9 @@ on: + jobs: + build: + runs-on: ubuntu-20.04 ++ concurrency: ++ group: ${{ github.workflow }}-${{ matrix.run_phase }}-${{ github.ref }} ++ cancel-in-progress: true + strategy: + fail-fast: false + matrix: +-- +2.33.0 + diff --git a/backport-ci-fix-clang-13-installation.patch b/backport-ci-fix-clang-13-installation.patch new file mode 100644 index 0000000000000000000000000000000000000000..5f085313aac3acc2bf46dd8077945e8bec9ca59c --- /dev/null +++ b/backport-ci-fix-clang-13-installation.patch 
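Review bot: In `.github/workflows/cifuzz.yml` the new group `${{ github.workflow }}-${{ github.ref }}` leaves out the matrix value, while the other three workflows in this patch include their matrix keys. With `cancel-in-progress: true`, matrix legs that share one group cancel each other, which is what the follow-up backport "ci: take CIFuzz's matrix into consideration" on this page describes. That follow-up changes the line to `group: ${{ github.workflow }}-${{ matrix.sanitizer }}-${{ github.ref }}`; the two patches need to land together, otherwise fuzzing runs are likely to be cancelled down to a single sanitizer per push.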
@@ -0,0 +1,59 @@ +From eaa74c30212d62f546692731ec3cef498f3edb08 Mon Sep 17 00:00:00 2001 +From: Frantisek Sumsal +Date: Tue, 22 Feb 2022 14:43:40 +0100 +Subject: [PATCH] ci: fix clang-13 installation + +For some reason Ubuntu Focal repositories now have `llvm-13` virtual +package which can't be installed, but successfully fools our check, +resulting in no clang/llvm being installed... + +``` +$ apt show llvm-13 +Package: llvm-13 +State: not a real package (virtual) +N: Can't select candidate version from package llvm-13 as it has no candidate +N: Can't select versions from package 'llvm-13' as it is purely virtual +N: No packages found + +$ apt install --dry-run llvm-13 +Reading package lists... Done +Building dependency tree +Reading state information... Done +Package llvm-13 is not available, but is referred to by another package. +This may mean that the package is missing, has been obsoleted, or +is only available from another source + +E: Package 'llvm-13' has no installation candidate +``` + +(cherry picked from commit b491d74064f9d5e17a71b38b014434237169a077) +(cherry picked from commit fa6e263273905cfc9e4528e8175ace3d19d881e3) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/eaa74c30212d62f546692731ec3cef498f3edb08 +--- + .github/workflows/build_test.sh | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/.github/workflows/build_test.sh b/.github/workflows/build_test.sh +index db38554d97..1200fa23f3 100755 +--- a/.github/workflows/build_test.sh ++++ b/.github/workflows/build_test.sh +@@ -75,12 +75,12 @@ if [[ "$COMPILER" == clang ]]; then + # ATTOW llvm-11 got into focal-updates, which conflicts with llvm-11 + # provided by the apt.llvm.org repositories. Let's use the system + # llvm package if available in such cases to avoid that. +- if ! apt show --quiet "llvm-$COMPILER_VERSION" &>/dev/null; then ++ if ! 
apt install --dry-run "llvm-$COMPILER_VERSION" >/dev/null; then + # Latest LLVM stack deb packages provided by https://apt.llvm.org/ + # Following snippet was partly borrowed from https://apt.llvm.org/llvm.sh + wget -O - https://apt.llvm.org/llvm-snapshot.gpg.key | gpg --yes --dearmor --output /usr/share/keyrings/apt-llvm-org.gpg + printf "deb [signed-by=/usr/share/keyrings/apt-llvm-org.gpg] http://apt.llvm.org/%s/ llvm-toolchain-%s-%s main\n" \ +- "$RELEASE" "$RELEASE" "$COMPILER_VERSION" >/etc/apt/sources.list.d/llvm-toolchain.list ++ "$RELEASE" "$RELEASE" "$COMPILER_VERSION" >/etc/apt/sources.list.d/llvm-toolchain.list + PACKAGES+=("clang-$COMPILER_VERSION" "lldb-$COMPILER_VERSION" "lld-$COMPILER_VERSION" "clangd-$COMPILER_VERSION") + fi + elif [[ "$COMPILER" == gcc ]]; then +-- +2.33.0 + diff --git a/backport-ci-fix-indentation.patch b/backport-ci-fix-indentation.patch new file mode 100644 index 0000000000000000000000000000000000000000..99caf2e886be318e650c67fe82605532878795d4 --- /dev/null +++ b/backport-ci-fix-indentation.patch 
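Review bot: The availability check now relies on `apt install --dry-run`, and `apt` is the interactive front end whose behaviour and output are not guaranteed to stay stable for scripts; `apt-get` is the interface meant for them. I would write `if ! apt-get install --simulate "llvm-$COMPILER_VERSION" >/dev/null; then`. The redirect also changed from `&>/dev/null` to `>/dev/null`, so the error text now reaches the CI log; if that is meant as a diagnostic, a short comment should say so. The enclosing `if [[ "$COMPILER" == clang ]]` block starts and ends outside the hunk.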
@@ -0,0 +1,82 @@ +From 6db77b2c9f31c8246ec920a189fe44873111566f Mon Sep 17 00:00:00 2001 +From: Frantisek Sumsal +Date: Wed, 10 Nov 2021 16:42:07 +0100 +Subject: [PATCH] ci: fix indentation + +(cherry picked from commit 46573ee1319ee8ae5b292a0a737740eca1a68184) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/6db77b2c9f31c8246ec920a189fe44873111566f +--- + .github/workflows/cifuzz.yml | 58 ++++++++++++++++++------------------ + 1 file changed, 29 insertions(+), 29 deletions(-) + +diff --git a/.github/workflows/cifuzz.yml b/.github/workflows/cifuzz.yml +index 14d81a67ff..5296dc7069 100644 +--- a/.github/workflows/cifuzz.yml ++++ b/.github/workflows/cifuzz.yml +@@ -16,32 +16,32 @@ on: + branches: + - main + jobs: +- Fuzzing: +- runs-on: ubuntu-latest +- if: github.repository == 'systemd/systemd' +- strategy: +- fail-fast: false +- matrix: +- sanitizer: [address, undefined, memory] +- steps: +- - name: Build Fuzzers (${{ matrix.sanitizer }}) +- id: build +- uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master +- with: +- oss-fuzz-project-name: 'systemd' +- dry-run: false +- allowed-broken-targets-percentage: 0 +- sanitizer: ${{ matrix.sanitizer }} +- - name: Run Fuzzers (${{ matrix.sanitizer }}) +- uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@master +- with: +- oss-fuzz-project-name: 'systemd' +- fuzz-seconds: 600 +- dry-run: false +- sanitizer: ${{ matrix.sanitizer }} +- - name: Upload Crash +- uses: actions/upload-artifact@v1 +- if: failure() && steps.build.outcome == 'success' +- with: +- name: ${{ matrix.sanitizer }}-artifacts +- path: ./out/artifacts ++ Fuzzing: ++ runs-on: ubuntu-latest ++ if: github.repository == 'systemd/systemd' ++ strategy: ++ fail-fast: false ++ matrix: ++ sanitizer: [address, undefined, memory] ++ steps: ++ - name: Build Fuzzers (${{ matrix.sanitizer }}) ++ id: build ++ uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master ++ with: ++ oss-fuzz-project-name: 'systemd' ++ dry-run: false ++ 
allowed-broken-targets-percentage: 0 ++ sanitizer: ${{ matrix.sanitizer }} ++ - name: Run Fuzzers (${{ matrix.sanitizer }}) ++ uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@master ++ with: ++ oss-fuzz-project-name: 'systemd' ++ fuzz-seconds: 600 ++ dry-run: false ++ sanitizer: ${{ matrix.sanitizer }} ++ - name: Upload Crash ++ uses: actions/upload-artifact@v1 ++ if: failure() && steps.build.outcome == 'success' ++ with: ++ name: ${{ matrix.sanitizer }}-artifacts ++ path: ./out/artifacts +-- +2.33.0 + diff --git a/backport-ci-pin-the-debian-systemd-repo-to-a-specific-revisio.patch b/backport-ci-pin-the-debian-systemd-repo-to-a-specific-revisio.patch new file mode 100644 index 0000000000000000000000000000000000000000..d5fb67ed5cefd83ee3917374dea3b2faafe5dbbc --- /dev/null +++ b/backport-ci-pin-the-debian-systemd-repo-to-a-specific-revisio.patch @@ -0,0 +1,32 @@ +From cdc1cd4eb3f86f3100d6d04b1b5d12a2d87b8704 Mon Sep 17 00:00:00 2001 +From: Frantisek Sumsal +Date: Sun, 14 Nov 2021 12:28:21 +0100 +Subject: [PATCH] ci: pin the debian systemd repo to a specific revision + +to work around missing systemd/systemd#20056 in pre-v250 stable +branches. + +v249-stable-only + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/cdc1cd4eb3f86f3100d6d04b1b5d12a2d87b8704 +--- + .semaphore/semaphore.yml | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/.semaphore/semaphore.yml b/.semaphore/semaphore.yml +index 06f162007e..7fc38a553d 100644 +--- a/.semaphore/semaphore.yml ++++ b/.semaphore/semaphore.yml +@@ -25,3 +25,8 @@ blocks: + - checkout --use-cache + - .semaphore/semaphore-runner.sh SETUP + - .semaphore/semaphore-runner.sh RUN ++ env_vars: ++ # Pin the debian systemd repo to a specific revision, to work around ++ # missing systemd/systemd#20056 in pre-v250 stable branches ++ - name: BRANCH ++ value: e138f8573a14f8f094bd6c9582bc26ed62c1347f +-- +2.33.0 + 
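Review bot: In `.semaphore/semaphore.yml` the variable is named `BRANCH` but now carries the commit id `e138f8573a14f8f094bd6c9582bc26ed62c1347f`, and how `.semaphore/semaphore-runner.sh` consumes it is not visible in this hunk. If the runner hands the value to `git clone --branch`, a raw commit id is not accepted there, so it is worth confirming that the script checks the value out after cloning. Pinning to a full commit id is the right form for a reproducible CI input.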
diff --git a/backport-ci-replace-apt-key-with-signed-by.patch b/backport-ci-replace-apt-key-with-signed-by.patch
new file mode 100644
index 0000000000000000000000000000000000000000..ba60037e96e28dda316ba3c52af9fb2702b8f78d
--- /dev/null
+++ b/backport-ci-replace-apt-key-with-signed-by.patch
@@ -0,0 +1,39 @@
+From 84230ae4e3a10fccfb4750b832d2c70fe56df128 Mon Sep 17 00:00:00 2001
+From: Evgeny Vereshchagin
+Date: Sun, 26 Dec 2021 01:11:00 +0000
+Subject: [PATCH] ci: replace apt-key with signed-by
+
+to limit the scope of the key to apt.llvm.org only.
+
+This is mostly inspired by https://blog.cloudflare.com/dont-use-apt-key/
+
+(cherry picked from commit bfa6bd1be098adc4710e1819b9cd34d65b3855da)
+(cherry picked from commit c92297a20c13b7e15b0026b1f36ebe99d86cfce8)
+
+Conflict:NA
+Reference:https://github.com/systemd/systemd/commit/84230ae4e3a10fccfb4750b832d2c70fe56df128
+---
+ .github/workflows/build_test.sh | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/.github/workflows/build_test.sh b/.github/workflows/build_test.sh
+index 10fa1ea9b0..db38554d97 100755
+--- a/.github/workflows/build_test.sh
++++ b/.github/workflows/build_test.sh
+@@ -77,9 +77,10 @@ if [[ "$COMPILER" == clang ]]; then
+ # llvm package if available in such cases to avoid that.
+ if ! apt show --quiet "llvm-$COMPILER_VERSION" &>/dev/null; then
+ # Latest LLVM stack deb packages provided by https://apt.llvm.org/
+- # Following snippet was borrowed from https://apt.llvm.org/llvm.sh
+- wget -O - https://apt.llvm.org/llvm-snapshot.gpg.key | apt-key add -
+- add-apt-repository -y "deb http://apt.llvm.org/$RELEASE/ llvm-toolchain-$RELEASE-$COMPILER_VERSION main"
++ # Following snippet was partly borrowed from https://apt.llvm.org/llvm.sh
++ wget -O - https://apt.llvm.org/llvm-snapshot.gpg.key | gpg --yes --dearmor --output /usr/share/keyrings/apt-llvm-org.gpg
++ printf "deb [signed-by=/usr/share/keyrings/apt-llvm-org.gpg] http://apt.llvm.org/%s/ llvm-toolchain-%s-%s main\n" \
++ "$RELEASE" "$RELEASE" "$COMPILER_VERSION" >/etc/apt/sources.list.d/llvm-toolchain.list
+ PACKAGES+=("clang-$COMPILER_VERSION" "lldb-$COMPILER_VERSION" "lld-$COMPILER_VERSION" "clangd-$COMPILER_VERSION")
+ fi
+ elif [[ "$COMPILER" == gcc ]]; then
+--
+2.33.0
+
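Review bot: The archive key is still trusted on first download: `wget -O - https://apt.llvm.org/llvm-snapshot.gpg.key | gpg --yes --dearmor ...` writes whatever the server returned into the keyring without comparing it to a known fingerprint, and the source line keeps `http://apt.llvm.org/`. `signed-by` narrows what the key may vouch for, which is the aim of the commit, but I would also compare the key's fingerprint with a value kept in the script (for example `EXPECTED_FPR=<fingerprint placeholder>` checked against `gpg --show-keys --with-colons` output) and switch the printf format to `https://apt.llvm.org/%s/`. Whether the script runs with `set -o pipefail` is outside the hunk; without it a failed `wget` is masked by the pipe and only `gpg` decides the exit status.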
diff --git a/backport-ci-run-the-unit_tests-and-mkosi-jobs-on-stable-branc.patch b/backport-ci-run-the-unit_tests-and-mkosi-jobs-on-stable-branc.patch
new file mode 100644
index 0000000000000000000000000000000000000000..e9988f45bbef2a895e51971b3d8e426e1587b7d8
--- /dev/null
+++ b/backport-ci-run-the-unit_tests-and-mkosi-jobs-on-stable-branc.patch
@@ -0,0 +1,49 @@
+From 9d08ba9b3fa7542037e0522c10d63517366afda6 Mon Sep 17 00:00:00 2001
+From: Frantisek Sumsal
+Date: Fri, 12 Nov 2021 17:37:15 +0100
+Subject: [PATCH] ci: run the unit_tests and mkosi jobs on stable branches as
+ well
+
+To provide more coverage for the systemd-stable repo.
+
+See: https://github.com/systemd/systemd-stable/issues/24
+(cherry picked from commit c76a83858996148fea36d1018b4707ce5334363b)
+
+Conflict:NA
+Reference:https://github.com/systemd/systemd/commit/9d08ba9b3fa7542037e0522c10d63517366afda6
+---
+ .github/workflows/mkosi.yml | 2 ++
+ .github/workflows/unit_tests.yml | 1 +
+ 2 files changed, 3 insertions(+)
+
+diff --git a/.github/workflows/mkosi.yml b/.github/workflows/mkosi.yml
+index f67fd23b1c..489eb01880 100644
+--- a/.github/workflows/mkosi.yml
++++ b/.github/workflows/mkosi.yml
+@@ -6,9 +6,11 @@ on:
+ push:
+ branches:
+ - main
++ - v[0-9]+-stable
+ pull_request:
+ branches:
+ - main
++ - v[0-9]+-stable
+
+ jobs:
+ ci:
+diff --git a/.github/workflows/unit_tests.yml b/.github/workflows/unit_tests.yml
+index aaf8fcad3d..4a19a6a1c8 100644
+--- a/.github/workflows/unit_tests.yml
++++ b/.github/workflows/unit_tests.yml
+@@ -6,6 +6,7 @@ on:
+ pull_request:
+ branches:
+ - main
++ - v[0-9]+-stable
+
+ jobs:
+ build:
+--
+2.33.0
+
diff --git a/backport-ci-take-CIFuzz-s-matrix-into-consideration.patch b/backport-ci-take-CIFuzz-s-matrix-into-consideration.patch
new file mode 100644
index 0000000000000000000000000000000000000000..e9dcbb118903e282d2bf72badf28140d17cb0ba6
--- /dev/null
+++ b/backport-ci-take-CIFuzz-s-matrix-into-consideration.patch
@@ -0,0 +1,33 @@
+From 428d4988d2bc68e189481f7b46ffd1f84090aadd Mon Sep 17 00:00:00 2001
+From: Frantisek Sumsal
+Date: Wed, 10 Nov 2021 20:15:41 +0100
+Subject: [PATCH] ci: take CIFuzz's matrix into consideration
+
+Otherwise the jobs will try to cancel each other out.
+
+Follow-up to 3884837610168e6fb69fc2d5709f6c017a30beb9.
+
+(cherry picked from commit 8b212f3596d03f8e1025cd151d17f9a82433844a)
+
+Conflict:NA
+Reference:https://github.com/systemd/systemd/commit/428d4988d2bc68e189481f7b46ffd1f84090aadd
+---
+ .github/workflows/cifuzz.yml | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/.github/workflows/cifuzz.yml b/.github/workflows/cifuzz.yml
+index df1fb15ace..8ab2a4cf55 100644
+--- a/.github/workflows/cifuzz.yml
++++ b/.github/workflows/cifuzz.yml
+@@ -20,7 +20,7 @@ jobs:
+ runs-on: ubuntu-latest
+ if: github.repository == 'systemd/systemd'
+ concurrency:
+- group: ${{ github.workflow }}-${{ github.ref }}
++ group: ${{ github.workflow }}-${{ matrix.sanitizer }}-${{ github.ref }}
+ cancel-in-progress: true
+ strategy:
+ fail-fast: false
+--
+2.33.0
+
diff --git a/backport-ci-use-the-system-llvm-11-package-on-Focal.patch b/backport-ci-use-the-system-llvm-11-package-on-Focal.patch
new file mode 100644
index 0000000000000000000000000000000000000000..8c9591db65c7475078b956bf0f141e8ec86a6232
--- /dev/null
+++ b/backport-ci-use-the-system-llvm-11-package-on-Focal.patch
@@ -0,0 +1,47 @@ +From 441c959460217ba81591ada9185bed2665cdc994 Mon Sep 17 00:00:00 2001 +From: Frantisek Sumsal +Date: Mon, 11 Oct 2021 21:12:42 +0200 +Subject: [PATCH] ci: use the system llvm-11 package on Focal + +ATTOW llvm-11 got into focal-updates, which conflicts with llvm-11 +provided by the apt.llvm.org repositories. Let's use the system +llvm package if available in such cases to avoid that. + +(cherry picked from commit 1c71302f70c7d0712d49b5214f5f29b4d6a2c73e) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/441c959460217ba81591ada9185bed2665cdc994 +--- + .github/workflows/build_test.sh | 16 +++++++++++----- + 1 file changed, 11 insertions(+), 5 deletions(-) + +diff --git a/.github/workflows/build_test.sh b/.github/workflows/build_test.sh +index bdcb71ba9c..10fa1ea9b0 100755 +--- a/.github/workflows/build_test.sh ++++ b/.github/workflows/build_test.sh +@@ -71,11 +71,17 @@ if [[ "$COMPILER" == clang ]]; then + CC="clang-$COMPILER_VERSION" + CXX="clang++-$COMPILER_VERSION" + AR="llvm-ar-$COMPILER_VERSION" +- # Latest LLVM stack deb packages provided by https://apt.llvm.org/ +- # Following snippet was borrowed from https://apt.llvm.org/llvm.sh +- wget -O - https://apt.llvm.org/llvm-snapshot.gpg.key | apt-key add - +- add-apt-repository -y "deb http://apt.llvm.org/$RELEASE/ llvm-toolchain-$RELEASE-$COMPILER_VERSION main" +- PACKAGES+=(clang-$COMPILER_VERSION lldb-$COMPILER_VERSION lld-$COMPILER_VERSION clangd-$COMPILER_VERSION) ++ ++ # ATTOW llvm-11 got into focal-updates, which conflicts with llvm-11 ++ # provided by the apt.llvm.org repositories. Let's use the system ++ # llvm package if available in such cases to avoid that. ++ if ! 
apt show --quiet "llvm-$COMPILER_VERSION" &>/dev/null; then ++ # Latest LLVM stack deb packages provided by https://apt.llvm.org/ ++ # Following snippet was borrowed from https://apt.llvm.org/llvm.sh ++ wget -O - https://apt.llvm.org/llvm-snapshot.gpg.key | apt-key add - ++ add-apt-repository -y "deb http://apt.llvm.org/$RELEASE/ llvm-toolchain-$RELEASE-$COMPILER_VERSION main" ++ PACKAGES+=("clang-$COMPILER_VERSION" "lldb-$COMPILER_VERSION" "lld-$COMPILER_VERSION" "clangd-$COMPILER_VERSION") ++ fi + elif [[ "$COMPILER" == gcc ]]; then + CC="gcc-$COMPILER_VERSION" + CXX="g++-$COMPILER_VERSION" +-- +2.33.0 + diff --git a/backport-clang-format-we-actually-typically-use-16ch-continua.patch b/backport-clang-format-we-actually-typically-use-16ch-continua.patch new file mode 100644 index 0000000000000000000000000000000000000000..e373bc73e355da034e4c9c46928b7cfa8478d44b --- /dev/null +++ b/backport-clang-format-we-actually-typically-use-16ch-continua.patch 
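Review bot: The fallback branch inside the new `if ! apt show …` block still trusts the apt.llvm.org key system-wide through `apt-key add -` and adds the repository over plain `http://`, so that key is accepted for every configured package source on the runner and the index download relies on signature checking alone. Consider writing the key to a dedicated keyring file and pinning it on an `https://` source line, e.g. `deb [signed-by=<keyring path>] https://apt.llvm.org/$RELEASE/ llvm-toolchain-$RELEASE-$COMPILER_VERSION main`. Separately, `apt show` is the interactive front end, and `apt-cache show` is the variant intended for scripts. The enclosing `if [[ "$COMPILER" == clang ]]` block starts outside the hunk.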
@@ -0,0 +1,34 @@
+From 8282cc686bedb0cf3702ea4ac2856b39ae351ef3 Mon Sep 17 00:00:00 2001
+From: Lennart Poettering
+Date: Tue, 22 Feb 2022 16:51:58 +0100
+Subject: [PATCH] clang-format: we actually typically use 16ch continuation
+ indentation
+
+We use 8 for blocks, and 16 for continuation in most cases afaics, hence
+say so in .clang-format too
+
+(cherry picked from commit 92148fb77766767fdb6ad6e52747317dae2aae85)
+(cherry picked from commit 4a90c12f4f09f23e071e649422754f04eda6d273)
+
+Conflict:NA
+Reference:https://github.com/systemd/systemd/commit/8282cc686bedb0cf3702ea4ac2856b39ae351ef3
+---
+ .clang-format | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/.clang-format b/.clang-format
+index 651249c701..c94866fcd5 100644
+--- a/.clang-format
++++ b/.clang-format
+@@ -46,7 +46,7 @@ ColumnLimit: 109
+ CompactNamespaces: true
+ ConstructorInitializerAllOnOneLineOrOnePerLine: true
+ ConstructorInitializerIndentWidth: 8
+-ContinuationIndentWidth: 8
++ContinuationIndentWidth: 16
+ Cpp11BracedListStyle: false
+ ForEachMacros:
+ - BITMAP_FOREACH
+--
+2.33.0
+
diff --git a/backport-core-Make-sure-cgroup_oom_queue-is-flushed-on-manage.patch b/backport-core-Make-sure-cgroup_oom_queue-is-flushed-on-manage.patch
new file mode 100644
index 0000000000000000000000000000000000000000..853ac7239437c66ae0120bec2c7eecc1185a5c5b
--- /dev/null
+++ b/backport-core-Make-sure-cgroup_oom_queue-is-flushed-on-manage.patch
@@ -0,0 +1,66 @@ +From 59894983693d36c6017ad995864b5541d7132563 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Michal=20Koutn=C3=BD?= +Date: Wed, 4 Aug 2021 18:59:35 +0200 +Subject: [PATCH] core: Make sure cgroup_oom_queue is flushed on manager exit + +The unit queues are not serialized/deserialized (they are recreated +after reexec/reload instead). The destroyed units are not removed from +the cgroup_oom_queue. That means the queue may contain possibly invalid +pointers to released units. + +Fix this by removing the units from cgroup_oom_queue as we do for +others. When at it, sync assert checks with currently existing queues +and put them in order in the manager cleanup code. + +(cherry picked from commit 13e721036bf4ba15eb255d8f0a14800f969ac0d7) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/59894983693d36c6017ad995864b5541d7132563 +--- + src/core/manager.c | 4 ++++ + src/core/unit.c | 7 +++++-- + 2 files changed, 9 insertions(+), 2 deletions(-) + +diff --git a/src/core/manager.c b/src/core/manager.c +index 8884437347..34891a8754 100644 +--- a/src/core/manager.c ++++ b/src/core/manager.c +@@ -1410,6 +1410,10 @@ static void manager_clear_jobs_and_units(Manager *m) { + assert(!m->cleanup_queue); + assert(!m->gc_unit_queue); + assert(!m->gc_job_queue); ++ assert(!m->cgroup_realize_queue); ++ assert(!m->cgroup_empty_queue); ++ assert(!m->cgroup_oom_queue); ++ assert(!m->target_deps_queue); + assert(!m->stop_when_unneeded_queue); + assert(!m->start_when_upheld_queue); + assert(!m->stop_when_bound_queue); +diff --git a/src/core/unit.c b/src/core/unit.c +index 7e3bd7505e..e469beb534 100644 +--- a/src/core/unit.c ++++ b/src/core/unit.c +@@ -733,6 +733,9 @@ Unit* unit_free(Unit *u) { + if (u->in_dbus_queue) + LIST_REMOVE(dbus_queue, u->manager->dbus_unit_queue, u); + ++ if (u->in_cleanup_queue) ++ LIST_REMOVE(cleanup_queue, u->manager->cleanup_queue, u); ++ + if (u->in_gc_queue) + LIST_REMOVE(gc_queue, u->manager->gc_unit_queue, u); + +@@ -742,8 +745,8 @@ 
Unit* unit_free(Unit *u) { + if (u->in_cgroup_empty_queue) + LIST_REMOVE(cgroup_empty_queue, u->manager->cgroup_empty_queue, u); + +- if (u->in_cleanup_queue) +- LIST_REMOVE(cleanup_queue, u->manager->cleanup_queue, u); ++ if (u->in_cgroup_oom_queue) ++ LIST_REMOVE(cgroup_oom_queue, u->manager->cgroup_oom_queue, u); + + if (u->in_target_deps_queue) + LIST_REMOVE(target_deps_queue, u->manager->target_deps_queue, u); +-- +2.33.0 + diff --git a/backport-core-Parse-log-environment-settings-again-after-appl.patch b/backport-core-Parse-log-environment-settings-again-after-appl.patch new file mode 100644 index 0000000000000000000000000000000000000000..0612288ccea588acea7217ff6eca66926ee8bd11 --- /dev/null +++ b/backport-core-Parse-log-environment-settings-again-after-appl.patch 
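Review bot: The `LIST_REMOVE` run in `unit_free()` and the `assert(!m->…_queue)` run in `manager_clear_jobs_and_units()` are kept in step by hand, and neither hunk tells the next author that a new per-unit queue has to be added to both places, which is how `cgroup_oom_queue` ended up holding pointers to released units. A short comment above the first `if (u->in_…_queue)` would help, for example `/* Every queue a Unit can be linked into must be unlinked here and asserted empty in manager_clear_jobs_and_units(), otherwise the manager keeps dangling Unit pointers. */`. Both function bodies extend beyond the hunks shown.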
@@ -0,0 +1,36 @@
+From b246b5370e95756e9597d8ec967ae030b442e73f Mon Sep 17 00:00:00 2001
+From: Daan De Meyer
+Date: Tue, 7 Sep 2021 16:13:56 +0100
+Subject: [PATCH] core: Parse log environment settings again after applying
+ manager environment
+
+Currently, SYSTEMD_LOG_LEVEL set in the ManagerEnvironment property in system.conf
+or user.conf doesn't affect the manager's logging level. Parsing the logging environment
+variables again after pushing the manager environment into the process environment
+block makes sure any new environment changes also get taken into account for logging.
+
+(cherry picked from commit a4303b4096d9a75acd09c5b897ed3d20c9bca6de)
+
+Conflict:NA
+Reference:https://github.com/systemd/systemd/commit/b246b5370e95756e9597d8ec967ae030b442e73f
+---
+ src/core/main.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/core/main.c b/src/core/main.c
+index b32a19a1d8..c64c73883e 100644
+--- a/src/core/main.c
++++ b/src/core/main.c
+@@ -2454,6 +2454,9 @@ static int parse_configuration(const struct rlimit *saved_rlimit_nofile,
+ /* Push variables into the manager environment block */
+ setenv_manager_environment();
+
++ /* Parse log environment variables again to take into account any new environment variables. */
++ log_parse_environment();
++
+ return 0;
+ }
+
+--
+2.33.0
+
diff --git a/backport-core-Remove-circular-include.patch b/backport-core-Remove-circular-include.patch
new file mode 100644
index 0000000000000000000000000000000000000000..14fbb0212259b4cb647b3c25f72653e6151ff717
--- /dev/null
+++ b/backport-core-Remove-circular-include.patch
@@ -0,0 +1,45 @@
+From a203879ae5914fa1a676dbd480a7ad41ca0d8e40 Mon Sep 17 00:00:00 2001
+From: Daan De Meyer
+Date: Tue, 24 Aug 2021 16:19:03 +0100
+Subject: [PATCH] core: Remove circular include
+
+service.h includes socket.h and socket.h includes service.h. Move
+service.h include from socket.h to socket.c to remove the circular
+dependency.
+
+(cherry picked from commit a243128d1fcfc378df9fce1b4997148a17ef23a5)
+
+Conflict:NA
+Reference:https://github.com/systemd/systemd/commit/a203879ae5914fa1a676dbd480a7ad41ca0d8e40
+---
+ src/core/socket.c | 1 +
+ src/core/socket.h | 1 -
+ 2 files changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/core/socket.c b/src/core/socket.c
+index 8144780bf8..f362a5baa8 100644
+--- a/src/core/socket.c
++++ b/src/core/socket.c
+@@ -34,6 +34,7 @@
+ #include "process-util.h"
+ #include "selinux-util.h"
+ #include "serialize.h"
++#include "service.h"
+ #include "signal-util.h"
+ #include "smack-util.h"
+ #include "socket.h"
+diff --git a/src/core/socket.h b/src/core/socket.h
+index a65195f2aa..6813bdcf8c 100644
+--- a/src/core/socket.h
++++ b/src/core/socket.h
+@@ -5,7 +5,6 @@ typedef struct Socket Socket;
+ typedef struct SocketPeer SocketPeer;
+
+ #include "mount.h"
+-#include "service.h"
+ #include "socket-util.h"
+ #include "unit.h"
+
+--
+2.33.0
+
diff --git a/backport-core-bpf-firewall-make-bpf_firewall_supported-always.patch b/backport-core-bpf-firewall-make-bpf_firewall_supported-always.patch
new file mode 100644
index 0000000000000000000000000000000000000000..61b913018a1b8353a3d6d8d29447176c86faf783
--- /dev/null
+++ b/backport-core-bpf-firewall-make-bpf_firewall_supported-always.patch
@@ -0,0 +1,48 @@ +From 27028ef0f0bc128d14f41e233ad256687fd7e379 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Wed, 1 Dec 2021 21:07:22 +0900 +Subject: [PATCH] core/bpf-firewall: make bpf_firewall_supported() always set + unsupported reason when BPF_FIREWALL_UNSUPPORTED is returned + +Otherwise, log_unit_full_errno() in emit_bpf_firewall_warning() will +trigger an assertion. + +(cherry picked from commit 8751bb6f5e89562d438566c374b9c3a1059c9211) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/27028ef0f0bc128d14f41e233ad256687fd7e379 +--- + src/core/bpf-firewall.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/src/core/bpf-firewall.c b/src/core/bpf-firewall.c +index 9317edeb4c..4a92052925 100644 +--- a/src/core/bpf-firewall.c ++++ b/src/core/bpf-firewall.c +@@ -869,7 +869,10 @@ int bpf_firewall_supported(void) { + + /* YAY! */ + } else { +- log_debug("Wut? Kernel accepted our invalid BPF_PROG_DETACH call? Something is weird, assuming BPF firewalling is broken and hence not supported."); ++ bpf_firewall_unsupported_reason = ++ log_debug_errno(SYNTHETIC_ERRNO(EBADE), ++ "Wut? Kernel accepted our invalid BPF_PROG_DETACH call? " ++ "Something is weird, assuming BPF firewalling is broken and hence not supported."); + return supported = BPF_FIREWALL_UNSUPPORTED; + } + +@@ -897,7 +900,10 @@ int bpf_firewall_supported(void) { + + return supported = BPF_FIREWALL_SUPPORTED; + } else { +- log_debug("Wut? Kernel accepted our invalid BPF_PROG_ATTACH+BPF_F_ALLOW_MULTI call? Something is weird, assuming BPF firewalling is broken and hence not supported."); ++ bpf_firewall_unsupported_reason = ++ log_debug_errno(SYNTHETIC_ERRNO(EBADE), ++ "Wut? Kernel accepted our invalid BPF_PROG_ATTACH+BPF_F_ALLOW_MULTI call? " ++ "Something is weird, assuming BPF firewalling is broken and hence not supported."); + return supported = BPF_FIREWALL_UNSUPPORTED; + } + } +-- +2.33.0 + 
diff --git a/backport-core-cgroup-fix-error-handling-of-cg_remove_xattr.patch b/backport-core-cgroup-fix-error-handling-of-cg_remove_xattr.patch index e4cbe1e2037a65fc9f31c6a050a44d42d34aae7a..08a26a1a65df43a4a634a04d8d00dade1a63b20c 100644 --- a/backport-core-cgroup-fix-error-handling-of-cg_remove_xattr.patch +++ b/backport-core-cgroup-fix-error-handling-of-cg_remove_xattr.patch @@ -1,17 +1,21 @@ -From 0cddb53c85588fbfb8043f622895c7bd15819198 Mon Sep 17 00:00:00 2001 +From 7e79bfce0674c58068d2a125ed666986544e790f Mon Sep 17 00:00:00 2001 From: Yu Watanabe Date: Thu, 5 Aug 2021 03:13:48 +0900 -Subject: [PATCH 1/2] core/cgroup: fix error handling of cg_remove_xattr() +Subject: [PATCH] core/cgroup: fix error handling of cg_remove_xattr() +(cherry picked from commit 0cddb53c85588fbfb8043f622895c7bd15819198) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/7e79bfce0674c58068d2a125ed666986544e790f --- src/core/cgroup.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/core/cgroup.c b/src/core/cgroup.c -index e5fd6672bb..83bd97327d 100644 +index 2cbb789978..eab0929dc5 100644 --- a/src/core/cgroup.c +++ b/src/core/cgroup.c -@@ -717,13 +717,13 @@ void cgroup_oomd_xattr_apply(Unit *u, const char *cgroup_path) { +@@ -724,13 +724,13 @@ void cgroup_oomd_xattr_apply(Unit *u, const char *cgroup_path) { if (c->moom_preference != MANAGED_OOM_PREFERENCE_AVOID) { r = cg_remove_xattr(SYSTEMD_CGROUP_CONTROLLER, cgroup_path, "user.oomd_avoid"); @@ -27,7 +31,7 @@ index e5fd6672bb..83bd97327d 100644 log_unit_debug_errno(u, r, "Failed to remove oomd_omit flag on control group %s, ignoring: %m", cgroup_path); } } -@@ -755,7 +755,7 @@ static void cgroup_xattr_apply(Unit *u) { +@@ -762,7 +762,7 @@ static void cgroup_xattr_apply(Unit *u) { log_unit_debug_errno(u, r, "Failed to set delegate flag on control group %s, ignoring: %m", u->cgroup_path); } else { r = cg_remove_xattr(SYSTEMD_CGROUP_CONTROLLER, u->cgroup_path, "trusted.delegate"); 
@@ -37,5 +41,5 @@ index e5fd6672bb..83bd97327d 100644 } -- -2.27.0 +2.33.0 diff --git a/backport-core-cgroup-set-bfq.weight-first-and-fixes-blkio.wei.patch b/backport-core-cgroup-set-bfq.weight-first-and-fixes-blkio.wei.patch new file mode 100644 index 0000000000000000000000000000000000000000..26d4754df6ad983e254377a1c0484b32deb16171 --- /dev/null +++ b/backport-core-cgroup-set-bfq.weight-first-and-fixes-blkio.wei.patch 
@@ -0,0 +1,119 @@ +From 55af1d4ce32a32ebd3106cbdf1ef8b6cda55175f Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Wed, 25 Aug 2021 01:28:47 +0900 +Subject: [PATCH] core/cgroup: set bfq.weight first, and fixes blkio.weight + value + +Fixes issues introduced by 29eb0eefd14afc9a2424781a28b376db47c3c570. + +This also fixes the value sets to blkio.weight, that is, "default" is dropped. + +Moreover, This also changes the logic for mapping weight -> bfq.weight, +to always matches the min, max, and default values. + +Fixes #20519 and #21187. + +(cherry picked from commit 17283ce7b6035775f125585d1b228226942daf4b) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/55af1d4ce32a32ebd3106cbdf1ef8b6cda55175f +--- + src/core/cgroup.c | 55 +++++++++++++++++++++++++++++++++++++---------- + 1 file changed, 44 insertions(+), 11 deletions(-) + +diff --git a/src/core/cgroup.c b/src/core/cgroup.c +index 79e10ca3c0..8b5b403ae8 100644 +--- a/src/core/cgroup.c ++++ b/src/core/cgroup.c +@@ -37,6 +37,12 @@ + + #define CGROUP_CPU_QUOTA_DEFAULT_PERIOD_USEC ((usec_t) 100 * USEC_PER_MSEC) + ++/* Special values for the bfq.weight attribute */ ++#define CGROUP_BFQ_WEIGHT_INVALID UINT64_MAX ++#define CGROUP_BFQ_WEIGHT_MIN UINT64_C(1) ++#define CGROUP_BFQ_WEIGHT_MAX UINT64_C(1000) ++#define CGROUP_BFQ_WEIGHT_DEFAULT UINT64_C(100) ++ + /* Returns the log level to use when cgroup attribute writes fail. When an attribute is missing or we have access + * problems we downgrade to LOG_DEBUG. This is supposed to be nice to container managers and kernels which want to mask + * out specific attributes from us. 
*/ +@@ -1194,21 +1200,48 @@ static int cgroup_apply_devices(Unit *u) { + return r; + } + +-static void set_io_weight(Unit *u, const char *controller, uint64_t weight) { +- char buf[8+DECIMAL_STR_MAX(uint64_t)+1]; +- const char *p; ++static void set_io_weight(Unit *u, uint64_t weight) { ++ char buf[STRLEN("default \n")+DECIMAL_STR_MAX(uint64_t)]; ++ uint64_t bfq_weight; ++ ++ assert(u); ++ ++ /* FIXME: drop this when distro kernels properly support BFQ through "io.weight" ++ * See also: https://github.com/systemd/systemd/pull/13335 and ++ * https://github.com/torvalds/linux/commit/65752aef0a407e1ef17ec78a7fc31ba4e0b360f9. ++ * The range is 1..1000 apparently, and the default is 100. */ ++ if (weight <= CGROUP_WEIGHT_DEFAULT) ++ bfq_weight = CGROUP_BFQ_WEIGHT_DEFAULT - (CGROUP_WEIGHT_DEFAULT - weight) * (CGROUP_BFQ_WEIGHT_DEFAULT - CGROUP_BFQ_WEIGHT_MIN) / (CGROUP_WEIGHT_DEFAULT - CGROUP_WEIGHT_MIN); ++ else ++ bfq_weight = CGROUP_BFQ_WEIGHT_DEFAULT + (weight - CGROUP_WEIGHT_DEFAULT) * (CGROUP_BFQ_WEIGHT_MAX - CGROUP_BFQ_WEIGHT_DEFAULT) / (CGROUP_WEIGHT_MAX - CGROUP_WEIGHT_DEFAULT); ++ ++ xsprintf(buf, "%" PRIu64 "\n", bfq_weight); ++ (void) set_attribute_and_warn(u, "io", "io.bfq.weight", buf); + +- p = strjoina(controller, ".weight"); + xsprintf(buf, "default %" PRIu64 "\n", weight); +- (void) set_attribute_and_warn(u, controller, p, buf); ++ (void) set_attribute_and_warn(u, "io", "io.weight", buf); ++} ++ ++static void set_blkio_weight(Unit *u, uint64_t weight) { ++ char buf[STRLEN("\n")+DECIMAL_STR_MAX(uint64_t)]; ++ uint64_t bfq_weight; ++ ++ assert(u); + + /* FIXME: drop this when distro kernels properly support BFQ through "io.weight" + * See also: https://github.com/systemd/systemd/pull/13335 and + * https://github.com/torvalds/linux/commit/65752aef0a407e1ef17ec78a7fc31ba4e0b360f9. +- * The range is 1..1000 apparently. 
*/ +- p = strjoina(controller, ".bfq.weight"); +- xsprintf(buf, "%" PRIu64 "\n", (weight + 9) / 10); +- (void) set_attribute_and_warn(u, controller, p, buf); ++ * The range is 1..1000 apparently, and the default is 100. */ ++ if (weight <= CGROUP_BLKIO_WEIGHT_DEFAULT) ++ bfq_weight = CGROUP_BFQ_WEIGHT_DEFAULT - (CGROUP_BLKIO_WEIGHT_DEFAULT - weight) * (CGROUP_BFQ_WEIGHT_DEFAULT - CGROUP_BFQ_WEIGHT_MIN) / (CGROUP_BLKIO_WEIGHT_DEFAULT - CGROUP_BLKIO_WEIGHT_MIN); ++ else ++ bfq_weight = CGROUP_BFQ_WEIGHT_DEFAULT + (weight - CGROUP_BLKIO_WEIGHT_DEFAULT) * (CGROUP_BFQ_WEIGHT_MAX - CGROUP_BFQ_WEIGHT_DEFAULT) / (CGROUP_BLKIO_WEIGHT_MAX - CGROUP_BLKIO_WEIGHT_DEFAULT); ++ ++ xsprintf(buf, "%" PRIu64 "\n", bfq_weight); ++ (void) set_attribute_and_warn(u, "blkio", "blkio.bfq.weight", buf); ++ ++ xsprintf(buf, "%" PRIu64 "\n", weight); ++ (void) set_attribute_and_warn(u, "blkio", "blkio.weight", buf); + } + + static void cgroup_apply_bpf_foreign_program(Unit *u) { +@@ -1322,7 +1355,7 @@ static void cgroup_context_apply( + } else + weight = CGROUP_WEIGHT_DEFAULT; + +- set_io_weight(u, "io", weight); ++ set_io_weight(u, weight); + + if (has_io) { + CGroupIODeviceLatency *latency; +@@ -1392,7 +1425,7 @@ static void cgroup_context_apply( + else + weight = CGROUP_BLKIO_WEIGHT_DEFAULT; + +- set_io_weight(u, "blkio", weight); ++ set_blkio_weight(u, weight); + + if (has_io) { + CGroupIODeviceWeight *w; +-- +2.33.0 + diff --git a/backport-core-cgroup-use-helper-macro-for-bfq-conversion.patch b/backport-core-cgroup-use-helper-macro-for-bfq-conversion.patch new file mode 100644 index 0000000000000000000000000000000000000000..9fa8c71214b237b5428df050a768502027c982d1 --- /dev/null +++ b/backport-core-cgroup-use-helper-macro-for-bfq-conversion.patch 
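Review bot: `set_io_weight()` and `set_blkio_weight()` do the bfq conversion in unsigned 64-bit arithmetic with no guard on `weight`, so a value outside `CGROUP_WEIGHT_MIN`..`CGROUP_WEIGHT_MAX` (or the blkio equivalents) wraps or produces a result outside the 1..1000 range the comment describes before it is written to the attribute. The callers in `cgroup_context_apply()` appear to pass configured or default values, but that code is mostly outside the hunks, so an explicit `assert(weight >= CGROUP_WEIGHT_MIN && weight <= CGROUP_WEIGHT_MAX);` after `assert(u);` (with the `CGROUP_BLKIO_WEIGHT_*` bounds in the blkio variant) would make the precondition checkable. `CGROUP_BFQ_WEIGHT_INVALID` is defined here but not used in any visible hunk.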
@@ -0,0 +1,82 @@ +From d98169555c07668d999ac8ad62718da0ae9eec0f Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Wed, 10 Nov 2021 11:37:15 +0100 +Subject: [PATCH] core/cgroup: use helper macro for bfq conversion + +As suggested in https://github.com/systemd/systemd/pull/20522#discussion_r696699984. + +(cherry picked from commit 311822ac28c99e2fb0e25286bdb72c9188314a66) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/d98169555c07668d999ac8ad62718da0ae9eec0f +--- + src/core/cgroup.c | 34 ++++++++++++++++------------------ + 1 file changed, 16 insertions(+), 18 deletions(-) + +diff --git a/src/core/cgroup.c b/src/core/cgroup.c +index 8b5b403ae8..6e4780f2f6 100644 +--- a/src/core/cgroup.c ++++ b/src/core/cgroup.c +@@ -1200,9 +1200,21 @@ static int cgroup_apply_devices(Unit *u) { + return r; + } + ++/* Convert the normal io.weight value to io.bfq.weight */ ++#define BFQ_WEIGHT(weight) \ ++ (weight <= CGROUP_WEIGHT_DEFAULT ? \ ++ CGROUP_BFQ_WEIGHT_DEFAULT - (CGROUP_WEIGHT_DEFAULT - weight) * (CGROUP_BFQ_WEIGHT_DEFAULT - CGROUP_BFQ_WEIGHT_MIN) / (CGROUP_WEIGHT_DEFAULT - CGROUP_WEIGHT_MIN) : \ ++ CGROUP_BFQ_WEIGHT_DEFAULT + (weight - CGROUP_WEIGHT_DEFAULT) * (CGROUP_BFQ_WEIGHT_MAX - CGROUP_BFQ_WEIGHT_DEFAULT) / (CGROUP_WEIGHT_MAX - CGROUP_WEIGHT_DEFAULT)) ++ ++assert_cc(BFQ_WEIGHT(1) == 1); ++assert_cc(BFQ_WEIGHT(50) == 50); ++assert_cc(BFQ_WEIGHT(100) == 100); ++assert_cc(BFQ_WEIGHT(500) == 136); ++assert_cc(BFQ_WEIGHT(5000) == 545); ++assert_cc(BFQ_WEIGHT(10000) == 1000); ++ + static void set_io_weight(Unit *u, uint64_t weight) { + char buf[STRLEN("default \n")+DECIMAL_STR_MAX(uint64_t)]; +- uint64_t bfq_weight; + + assert(u); + +@@ -1210,12 +1222,7 @@ static void set_io_weight(Unit *u, uint64_t weight) { + * See also: https://github.com/systemd/systemd/pull/13335 and + * https://github.com/torvalds/linux/commit/65752aef0a407e1ef17ec78a7fc31ba4e0b360f9. + * The range is 1..1000 apparently, and the default is 100. 
*/ +- if (weight <= CGROUP_WEIGHT_DEFAULT) +- bfq_weight = CGROUP_BFQ_WEIGHT_DEFAULT - (CGROUP_WEIGHT_DEFAULT - weight) * (CGROUP_BFQ_WEIGHT_DEFAULT - CGROUP_BFQ_WEIGHT_MIN) / (CGROUP_WEIGHT_DEFAULT - CGROUP_WEIGHT_MIN); +- else +- bfq_weight = CGROUP_BFQ_WEIGHT_DEFAULT + (weight - CGROUP_WEIGHT_DEFAULT) * (CGROUP_BFQ_WEIGHT_MAX - CGROUP_BFQ_WEIGHT_DEFAULT) / (CGROUP_WEIGHT_MAX - CGROUP_WEIGHT_DEFAULT); +- +- xsprintf(buf, "%" PRIu64 "\n", bfq_weight); ++ xsprintf(buf, "%" PRIu64 "\n", BFQ_WEIGHT(weight)); + (void) set_attribute_and_warn(u, "io", "io.bfq.weight", buf); + + xsprintf(buf, "default %" PRIu64 "\n", weight); +@@ -1224,20 +1231,11 @@ static void set_io_weight(Unit *u, uint64_t weight) { + + static void set_blkio_weight(Unit *u, uint64_t weight) { + char buf[STRLEN("\n")+DECIMAL_STR_MAX(uint64_t)]; +- uint64_t bfq_weight; + + assert(u); + +- /* FIXME: drop this when distro kernels properly support BFQ through "io.weight" +- * See also: https://github.com/systemd/systemd/pull/13335 and +- * https://github.com/torvalds/linux/commit/65752aef0a407e1ef17ec78a7fc31ba4e0b360f9. +- * The range is 1..1000 apparently, and the default is 100. */ +- if (weight <= CGROUP_BLKIO_WEIGHT_DEFAULT) +- bfq_weight = CGROUP_BFQ_WEIGHT_DEFAULT - (CGROUP_BLKIO_WEIGHT_DEFAULT - weight) * (CGROUP_BFQ_WEIGHT_DEFAULT - CGROUP_BFQ_WEIGHT_MIN) / (CGROUP_BLKIO_WEIGHT_DEFAULT - CGROUP_BLKIO_WEIGHT_MIN); +- else +- bfq_weight = CGROUP_BFQ_WEIGHT_DEFAULT + (weight - CGROUP_BLKIO_WEIGHT_DEFAULT) * (CGROUP_BFQ_WEIGHT_MAX - CGROUP_BFQ_WEIGHT_DEFAULT) / (CGROUP_BLKIO_WEIGHT_MAX - CGROUP_BLKIO_WEIGHT_DEFAULT); +- +- xsprintf(buf, "%" PRIu64 "\n", bfq_weight); ++ /* FIXME: see comment in set_io_weight(). */ ++ xsprintf(buf, "%" PRIu64 "\n", BFQ_WEIGHT(weight)); + (void) set_attribute_and_warn(u, "blkio", "blkio.bfq.weight", buf); + + xsprintf(buf, "%" PRIu64 "\n", weight); +-- +2.33.0 + 
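Review bot: `set_blkio_weight()` now calls `BFQ_WEIGHT(weight)`, but the macro is built only from `CGROUP_WEIGHT_DEFAULT`, `CGROUP_WEIGHT_MIN` and `CGROUP_WEIGHT_MAX`, whereas the lines it replaces used `CGROUP_BLKIO_WEIGHT_DEFAULT`, `CGROUP_BLKIO_WEIGHT_MIN` and `CGROUP_BLKIO_WEIGHT_MAX`. Unless the two sets of constants are equal (their definitions are not shown), this refactor changes the value written to `blkio.bfq.weight`, which the commit message does not mention. Either convert the blkio weight to the io scale before the call or pass the bounds to the macro as parameters. The macro also expands `weight` unparenthesised and more than once, so writing `(weight) <= CGROUP_WEIGHT_DEFAULT ? …` throughout avoids precedence surprises with compound arguments.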
diff --git a/backport-core-check-size-before-mmap.patch b/backport-core-check-size-before-mmap.patch new file mode 100644 index 0000000000000000000000000000000000000000..b18b1576c17c6daa3be1903d29443d4b74df329c --- /dev/null +++ b/backport-core-check-size-before-mmap.patch 
@@ -0,0 +1,148 @@ +From d7ff7e3b6e2bd9eee809880d3632b293097e22e7 Mon Sep 17 00:00:00 2001 +From: Tobias Stoeckmann +Date: Wed, 2 Mar 2022 22:03:26 +0100 +Subject: [PATCH] core: check size before mmap + +The data type off_t can be 64 on 32 bit systems if they have large +file support. Since mmap expects a size_t with 32 bits as second +argument truncation could occur. At worst these huge files could +lead to mmaps smaller than the previous check for small files. + +This in turn shouldn't have a lot of impact because mmap allocates +at page size boundaries. This also made the PAGE_ALIGN call in +open_mmap unneeded. In fact it was neither in sync with other mmap +calls nor with its own munmap counterpart in error path. + +If such large files are encountered, which is very unlikely in these +code paths, treat them with the same error as if they are too small. + +(cherry picked from commit 1a823cdeb9faea3849843e0b3dae0fbdd607e8b7) +(cherry picked from commit 6b37adf4a16c8f7e917dfd9f19dab259cda878b2) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/d7ff7e3b6e2bd9eee809880d3632b293097e22e7 +--- + src/basic/fileio.h | 6 ++++++ + src/basic/locale-util.c | 4 ++++ + src/boot/bootctl.c | 2 +- + src/libsystemd/sd-hwdb/sd-hwdb.c | 4 ++++ + src/libsystemd/sd-journal/catalog.c | 4 ++-- + src/libsystemd/sd-journal/compress.c | 4 ++++ + 6 files changed, 21 insertions(+), 3 deletions(-) + +diff --git a/src/basic/fileio.h b/src/basic/fileio.h +index 9bd2037f5b..ee356ddb02 100644 +--- a/src/basic/fileio.h ++++ b/src/basic/fileio.h +@@ -112,6 +112,12 @@ typedef enum ReadLineFlags { + + int read_line_full(FILE *f, size_t limit, ReadLineFlags flags, char **ret); + ++static inline bool file_offset_beyond_memory_size(off_t x) { ++ if (x < 0) /* off_t is signed, filter that out */ ++ return false; ++ return (uint64_t) x > (uint64_t) SIZE_MAX; ++} ++ + static inline int read_line(FILE *f, size_t limit, char **ret) { + return read_line_full(f, limit, 0, ret); + } +diff --git 
a/src/basic/locale-util.c b/src/basic/locale-util.c +index fd6b01cfaa..b181646abe 100644 +--- a/src/basic/locale-util.c ++++ b/src/basic/locale-util.c +@@ -15,6 +15,7 @@ + #include "dirent-util.h" + #include "env-util.h" + #include "fd-util.h" ++#include "fileio.h" + #include "hashmap.h" + #include "locale-util.h" + #include "path-util.h" +@@ -113,6 +114,9 @@ static int add_locales_from_archive(Set *locales) { + if (st.st_size < (off_t) sizeof(struct locarhead)) + return -EBADMSG; + ++ if (file_offset_beyond_memory_size(st.st_size)) ++ return -EFBIG; ++ + p = mmap(NULL, st.st_size, PROT_READ, MAP_SHARED, fd, 0); + if (p == MAP_FAILED) + return -errno; +diff --git a/src/boot/bootctl.c b/src/boot/bootctl.c +index bd96812246..d6eb6d00a5 100644 +--- a/src/boot/bootctl.c ++++ b/src/boot/bootctl.c +@@ -145,7 +145,7 @@ static int get_file_version(int fd, char **v) { + if (r < 0) + return log_error_errno(r, "EFI binary is not a regular file: %m"); + +- if (st.st_size < 27) { ++ if (st.st_size < 27 || file_offset_beyond_memory_size(st.st_size)) { + *v = NULL; + return 0; + } +diff --git a/src/libsystemd/sd-hwdb/sd-hwdb.c b/src/libsystemd/sd-hwdb/sd-hwdb.c +index 53601765fe..748cf26934 100644 +--- a/src/libsystemd/sd-hwdb/sd-hwdb.c ++++ b/src/libsystemd/sd-hwdb/sd-hwdb.c +@@ -15,6 +15,7 @@ + + #include "alloc-util.h" + #include "fd-util.h" ++#include "fileio.h" + #include "hashmap.h" + #include "hwdb-internal.h" + #include "nulstr-util.h" +@@ -312,6 +313,9 @@ _public_ int sd_hwdb_new(sd_hwdb **ret) { + if (hwdb->st.st_size < (off_t) offsetof(struct trie_header_f, strings_len) + 8) + return log_debug_errno(SYNTHETIC_ERRNO(EIO), + "File %s is too short: %m", hwdb_bin_path); ++ if (file_offset_beyond_memory_size(hwdb->st.st_size)) ++ return log_debug_errno(SYNTHETIC_ERRNO(EFBIG), ++ "File %s is too long: %m", hwdb_bin_path); + + hwdb->map = mmap(0, hwdb->st.st_size, PROT_READ, MAP_SHARED, fileno(hwdb->f), 0); + if (hwdb->map == MAP_FAILED) +diff --git 
a/src/libsystemd/sd-journal/catalog.c b/src/libsystemd/sd-journal/catalog.c +index ce8d47ccc3..f2ad1a2039 100644 +--- a/src/libsystemd/sd-journal/catalog.c ++++ b/src/libsystemd/sd-journal/catalog.c +@@ -524,10 +524,10 @@ static int open_mmap(const char *database, int *_fd, struct stat *_st, void **_p + if (fstat(fd, &st) < 0) + return -errno; + +- if (st.st_size < (off_t) sizeof(CatalogHeader)) ++ if (st.st_size < (off_t) sizeof(CatalogHeader) || file_offset_beyond_memory_size(st.st_size)) + return -EINVAL; + +- p = mmap(NULL, PAGE_ALIGN(st.st_size), PROT_READ, MAP_SHARED, fd, 0); ++ p = mmap(NULL, st.st_size, PROT_READ, MAP_SHARED, fd, 0); + if (p == MAP_FAILED) + return -errno; + +diff --git a/src/libsystemd/sd-journal/compress.c b/src/libsystemd/sd-journal/compress.c +index 837abab76c..cb2e82667f 100644 +--- a/src/libsystemd/sd-journal/compress.c ++++ b/src/libsystemd/sd-journal/compress.c +@@ -25,6 +25,7 @@ + #include "alloc-util.h" + #include "compress.h" + #include "fd-util.h" ++#include "fileio.h" + #include "io-util.h" + #include "journal-def.h" + #include "macro.h" +@@ -807,6 +808,9 @@ int decompress_stream_lz4(int in, int out, uint64_t max_bytes) { + if (fstat(in, &st) < 0) + return log_debug_errno(errno, "fstat() failed: %m"); + ++ if (file_offset_beyond_memory_size(st.st_size)) ++ return -EFBIG; ++ + buf = malloc(LZ4_BUFSIZE); + if (!buf) + return -ENOMEM; +-- +2.33.0 + diff --git a/backport-core-command-argument-can-be-longer-than-PATH_MAX.patch b/backport-core-command-argument-can-be-longer-than-PATH_MAX.patch new file mode 100644 index 0000000000000000000000000000000000000000..8826eea2017fdbc9c7e43cdcfa7d614fcf97c7d3 --- /dev/null +++ b/backport-core-command-argument-can-be-longer-than-PATH_MAX.patch 
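Review bot: `file_offset_beyond_memory_size()` in `fileio.h` has no comment stating its contract, and it deliberately returns false for negative values, so it is only safe next to a lower-bound check as in `add_locales_from_archive()` and `open_mmap()`; in `decompress_stream_lz4()` no such check is visible in the hunk. I would document this above the helper, e.g. `/* True if x does not fit in size_t (off_t can be 64-bit where size_t is 32-bit); check before using st_size as an mmap() length. Negative sizes are not rejected here. */`. The error reporting is also uneven across the call sites (`-EFBIG`, `-EINVAL`, and a silent `*v = NULL` in `get_file_version()`), which differs from the commit message's "same error as if they are too small", so it is worth stating which is intended. All five patched functions continue outside their hunks.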
@@ -0,0 +1,69 @@ +From a8a4d9a65902b8bfb15395479451070e9644560a Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Tue, 5 Apr 2022 21:47:46 +0900 +Subject: [PATCH] core: command argument can be longer than PATH_MAX + +Fixes a bug introduced by 065364920281e1cf59cab989e17aff21790505c4. + +Fixes #22957. + +(cherry picked from commit 58dd4999dcc81a0ed92fbd78bce3592c3e3afe9e) +(cherry picked from commit 9727b9ee7b90afb8fa0e6328dcb6c34b1522d4fd) + +Conflict:NA +Reference:https://github.com/systemd/systemd-stable/commit/a8a4d9a65902b8bfb15395479451070e9644560a +--- + src/core/load-fragment.c | 2 +- + src/test/test-load-fragment.c | 16 ++++++++++++++++ + 2 files changed, 17 insertions(+), 1 deletion(-) + +diff --git a/src/core/load-fragment.c b/src/core/load-fragment.c +index 399a759ad0..cd07f3e60d 100644 +--- a/src/core/load-fragment.c ++++ b/src/core/load-fragment.c +@@ -849,7 +849,7 @@ int config_parse_exec( + if (r < 0) + return ignore ? 0 : -ENOEXEC; + +- r = unit_path_printf(u, word, &resolved); ++ r = unit_full_printf(u, word, &resolved); + if (r < 0) { + log_syntax(unit, ignore ? LOG_WARNING : LOG_ERR, filename, line, r, + "Failed to resolve unit specifiers in %s%s: %m", +diff --git a/src/test/test-load-fragment.c b/src/test/test-load-fragment.c +index b41a8abf7b..1a0a0579b2 100644 +--- a/src/test/test-load-fragment.c ++++ b/src/test/test-load-fragment.c +@@ -10,6 +10,7 @@ + #include "capability-util.h" + #include "conf-parser.h" + #include "fd-util.h" ++#include "fileio.h" + #include "format-util.h" + #include "fs-util.h" + #include "hashmap.h" +@@ -412,6 +413,21 @@ static void test_config_parse_exec(void) { + assert_se(r == 0); + assert_se(c1->command_next == NULL); + ++ log_info("/* long arg */"); /* See issue #22957. 
*/ ++ ++ char x[LONG_LINE_MAX-100], *y; ++ y = mempcpy(x, "/bin/echo ", STRLEN("/bin/echo ")); ++ memset(y, 'x', sizeof(x) - STRLEN("/bin/echo ") - 1); ++ x[sizeof(x) - 1] = '\0'; ++ ++ r = config_parse_exec(NULL, "fake", 5, "section", 1, ++ "LValue", 0, x, ++ &c, u); ++ assert_se(r >= 0); ++ c1 = c1->command_next; ++ check_execcommand(c1, ++ "/bin/echo", NULL, y, NULL, false); ++ + log_info("/* empty argument, reset */"); + r = config_parse_exec(NULL, "fake", 4, "section", 1, + "LValue", 0, "", +-- +2.33.0 + diff --git a/backport-core-don-t-fail-on-EEXIST-when-creating-mount-point.patch b/backport-core-don-t-fail-on-EEXIST-when-creating-mount-point.patch new file mode 100644 index 0000000000000000000000000000000000000000..2aac40f43205f1d3b31c02ea6c5bb1328e75eb7e --- /dev/null +++ b/backport-core-don-t-fail-on-EEXIST-when-creating-mount-point.patch 
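Review bot: The new test case declares `char x[LONG_LINE_MAX-100]` as an automatic variable in `test_config_parse_exec()`; if `LONG_LINE_MAX` is as large as its name suggests (its value is not shown here), that is a very large stack frame and the test can crash under reduced stack limits instead of exercising the parser. Allocating the buffer on the heap and keeping its length in a `size_t` rather than using `sizeof(x)` gives the same coverage. Separately, the hunk in `config_parse_exec()` does not show whether `word` can also be the executable path; if it can, switching to `unit_full_printf()` lifts the path-length bound for it as well, which would deserve a comment at the call. Both functions continue outside the hunks.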
@@ -0,0 +1,33 @@ +From 37e8b3a312e64886c6fb1401c741dee7c8c102f4 Mon Sep 17 00:00:00 2001 +From: Luca Boccassi +Date: Fri, 28 Jan 2022 22:56:10 +0000 +Subject: [PATCH] core: don't fail on EEXIST when creating mount point + +systemd[1016]: Failed to mount /tmp/app1 (type n/a) on /run/systemd/unit-extensions/1 (MS_BIND ): No such file or directory +systemd[1016]: Failed to create destination mount point node '/run/systemd/unit-extensions/1': File exists + +(cherry picked from commit 9d6d4c305ab8d65aab7f546450d7331f760b7259) +(cherry picked from commit ae8bc570a81e1286eb5b59a77ef179a500b95f9d) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/37e8b3a312e64886c6fb1401c741dee7c8c102f4 +--- + src/core/namespace.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/core/namespace.c b/src/core/namespace.c +index a6c6963bb7..19942d912f 100644 +--- a/src/core/namespace.c ++++ b/src/core/namespace.c +@@ -1380,7 +1380,7 @@ static int apply_one_mount( + (void) mkdir_parents(mount_entry_path(m), 0755); + + q = make_mount_point_inode_from_path(what, mount_entry_path(m), 0755); +- if (q < 0) ++ if (q < 0 && q != -EEXIST) + log_error_errno(q, "Failed to create destination mount point node '%s': %m", + mount_entry_path(m)); + else +-- +2.33.0 + diff --git a/backport-core-fix-SIGABRT-on-empty-exec-command-argv.patch b/backport-core-fix-SIGABRT-on-empty-exec-command-argv.patch index 79c2a4fca6087b72733a3dfe11cedd3ca9cfeedb..1102871f34ace7465bee538b9d7afa47d73b7230 100644 --- a/backport-core-fix-SIGABRT-on-empty-exec-command-argv.patch +++ b/backport-core-fix-SIGABRT-on-empty-exec-command-argv.patch @@ -1,7 +1,7 @@ -From 29500cf8c47e6eb0518d171d62aa8213020c9152 Mon Sep 17 00:00:00 2001 +From 7a58bf7aac8b2c812ee0531b0cc426e0067edd35 Mon Sep 17 00:00:00 2001 
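Review bot: The new condition in apply_one_mount(), `if (q < 0 && q != -EEXIST)`, routes an -EEXIST result into the `else` branch without explaining why an existing node is acceptable. A one-line comment above the check would help, for example `/* The mount point node may already exist, e.g. from an earlier attempt; that is not an error */`. -EEXIST alone does not show that the existing node has the inode type the mount source needs. The `else` branch lies outside the hunk, so it cannot be seen here whether the following code copes with a node of the wrong type.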
From: Henri Chain Date: Tue, 5 Oct 2021 13:10:31 +0200 -Subject: [PATCH 1/2] core: fix SIGABRT on empty exec command argv +Subject: [PATCH] core: fix SIGABRT on empty exec command argv This verifies that the argv part of any exec_command parameters that are sent through dbus is not empty at deserialization time. @@ -11,6 +11,11 @@ checks if all exec_commands are correctly populated, after the service has been loaded, whether through dbus or otherwise. Fixes #20933. + +(cherry picked from commit 29500cf8c47e6eb0518d171d62aa8213020c9152) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/7a58bf7aac8b2c812ee0531b0cc426e0067edd35 --- src/core/dbus-execute.c | 4 ++++ src/core/service.c | 10 ++++++++++ @@ -18,10 +23,10 @@ Fixes #20933. 3 files changed, 45 insertions(+) diff --git a/src/core/dbus-execute.c b/src/core/dbus-execute.c -index 488de1242a..5665656b7b 100644 +index 50daef6702..902e074bd2 100644 --- a/src/core/dbus-execute.c +++ b/src/core/dbus-execute.c -@@ -1423,6 +1423,10 @@ int bus_set_transient_exec_command( +@@ -1421,6 +1421,10 @@ int bus_set_transient_exec_command( if (r < 0) return r; @@ -33,10 +38,10 @@ index 488de1242a..5665656b7b 100644 if (r < 0) return r; diff --git a/src/core/service.c b/src/core/service.c -index 9299813d45..4c75819a8f 100644 +index b7cfc04c84..e061d488c7 100644 --- a/src/core/service.c +++ b/src/core/service.c -@@ -564,6 +564,16 @@ static int service_verify(Service *s) { +@@ -548,6 +548,16 @@ static int service_verify(Service *s) { assert(s); assert(UNIT(s)->load_state == UNIT_LOADED); @@ -96,5 +101,5 @@ index 4ef7c878a8..5488447a87 100755 echo OK >/testok -- -2.27.0 +2.33.0 diff --git a/backport-core-fix-free-undefined-pointer-when-strdup-failed-i.patch b/backport-core-fix-free-undefined-pointer-when-strdup-failed-i.patch index 8c68ab479fa238b883fa5a69f9d157c60e986a2b..ad3d40139bcfaf08600a35857e882ca1c5ba5c50 100644 --- a/backport-core-fix-free-undefined-pointer-when-strdup-failed-i.patch 
+++ b/backport-core-fix-free-undefined-pointer-when-strdup-failed-i.patch @@ -1,15 +1,19 @@ -From 1509274359979079e3e61899ce12fc8b0f0958d9 Mon Sep 17 00:00:00 2001 +From b5162039b2309b78a9c1feb6cc1355988e02b6c3 Mon Sep 17 00:00:00 2001 From: xujing <17826839720@163.com> Date: Wed, 8 Sep 2021 14:26:20 +0800 Subject: [PATCH] core: fix free undefined pointer when strdup failed in the first loop +(cherry picked from commit 1509274359979079e3e61899ce12fc8b0f0958d9) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/b5162039b2309b78a9c1feb6cc1355988e02b6c3 --- src/core/load-fragment.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/core/load-fragment.c b/src/core/load-fragment.c -index 92815b1dbaea..1c8159a23550 100644 +index 8fb3c378ee..399a759ad0 100644 --- a/src/core/load-fragment.c +++ b/src/core/load-fragment.c @@ -800,7 +800,7 @@ int config_parse_exec( @@ -30,4 +34,6 @@ index 92815b1dbaea..1c8159a23550 100644 return log_oom(); w = strdup(";"); +-- +2.33.0 diff --git a/backport-core-ignore-failure-on-setting-smack-process-label-w.patch b/backport-core-ignore-failure-on-setting-smack-process-label-w.patch new file mode 100644 index 0000000000000000000000000000000000000000..4ee196a8fd94d7bc32c2c2c8c257320cc658a84d --- /dev/null +++ b/backport-core-ignore-failure-on-setting-smack-process-label-w.patch 
@@ -0,0 +1,30 @@ +From 4e057fc39be6ce27afcf0371ebcb7e224a7eeb2d Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Mon, 1 Nov 2021 13:48:32 +0900 +Subject: [PATCH] core: ignore failure on setting smack process label when + allowed + +(cherry picked from commit 29ff62473b119c0e1d3467148eddcdccc2c9b732) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/4e057fc39be6ce27afcf0371ebcb7e224a7eeb2d +--- + src/core/execute.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/core/execute.c b/src/core/execute.c +index e324db87cc..2f2de4d9cf 100644 +--- a/src/core/execute.c ++++ b/src/core/execute.c +@@ -4408,7 +4408,7 @@ static int exec_child( + * process. This is the latest place before dropping capabilities. Other MAC context are set later. */ + if (use_smack) { + r = setup_smack(context, executable_fd); +- if (r < 0) { ++ if (r < 0 && !context->smack_process_label_ignore) { + *exit_status = EXIT_SMACK_PROCESS_LABEL; + return log_unit_error_errno(unit, r, "Failed to set SMACK process label: %m"); + } +-- +2.33.0 + diff --git a/backport-core-mount-add-implicit-unit-dependencies-even-if-wh.patch b/backport-core-mount-add-implicit-unit-dependencies-even-if-wh.patch new file mode 100644 index 0000000000000000000000000000000000000000..4f4dfc3469877e8a99b1c18ebf70a81a52b9312a --- /dev/null +++ b/backport-core-mount-add-implicit-unit-dependencies-even-if-wh.patch 
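Review bot: With `if (r < 0 && !context->smack_process_label_ignore)` in exec_child(), a failed setup_smack() is dropped without any log line when the ignore flag is set. The process then continues under whatever SMACK label it already had, and nothing records that the requested label was not applied. Because this is a MAC setting, the ignored case should still be logged, for example by adding `else if (r < 0) log_unit_debug_errno(unit, r, "Failed to set SMACK process label, ignoring: %m");` after the existing block. exec_child() starts and ends outside the hunk.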
@@ -0,0 +1,34 @@ +From 1bb8af46d1181a407cbc858025b85392f3af7812 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Sun, 29 Aug 2021 21:20:43 +0900 +Subject: [PATCH] core/mount: add implicit unit dependencies even if when mount + unit is generated from /proc/self/mountinfo + +Hopefully fixes #20566. + +(cherry picked from commit aebff2e7ce209fc2d75b894a3ae8b80f6f36ec11) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/1bb8af46d1181a407cbc858025b85392f3af7812 +--- + src/core/mount.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/src/core/mount.c b/src/core/mount.c +index cde4b52731..9bec190cb6 100644 +--- a/src/core/mount.c ++++ b/src/core/mount.c +@@ -1576,6 +1576,10 @@ static int mount_setup_new_unit( + if (r < 0) + return r; + ++ r = mount_add_non_exec_dependencies(MOUNT(u)); ++ if (r < 0) ++ return r; ++ + /* This unit was generated because /proc/self/mountinfo reported it. Remember this, so that by the time we load + * the unit file for it (and thus add in extra deps right after) we know what source to attributes the deps + * to. */ +-- +2.33.0 + diff --git a/backport-core-mount-fail-early-if-directory-cannot-be-created.patch b/backport-core-mount-fail-early-if-directory-cannot-be-created.patch new file mode 100644 index 0000000000000000000000000000000000000000..bb01ab0bb26add481de8ce82821ece8ba41b1322 --- /dev/null +++ b/backport-core-mount-fail-early-if-directory-cannot-be-created.patch 
@@ -0,0 +1,35 @@ +From 22239a861897fcd7c4d16f728c4bb40d84793961 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Wed, 2 Feb 2022 14:05:45 +0900 +Subject: [PATCH] core/mount: fail early if directory cannot be created + +Prompted by #22334. + +(cherry picked from commit e4de58c8231e47509ffeb3aa47620ca42f22d7f6) +(cherry picked from commit 1d7e0b68048ba0760f8fdf6a26c7a5017ac38569) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/22239a861897fcd7c4d16f728c4bb40d84793961 +--- + src/core/mount.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/src/core/mount.c b/src/core/mount.c +index af39db214b..673eec32b8 100644 +--- a/src/core/mount.c ++++ b/src/core/mount.c +@@ -1035,8 +1035,10 @@ static void mount_enter_mounting(Mount *m) { + r = mkdir_p_label(p->what, m->directory_mode); + /* mkdir_p_label() can return -EEXIST if the target path exists and is not a directory - which is + * totally OK, in case the user wants us to overmount a non-directory inode. */ +- if (r < 0 && r != -EEXIST) ++ if (r < 0 && r != -EEXIST) { + log_unit_error_errno(UNIT(m), r, "Failed to make bind mount source '%s': %m", p->what); ++ goto fail; ++ } + } + + if (p) { +-- +2.33.0 + diff --git a/backport-core-namespace-allow-using-ProtectSubset-pid-and-Pro.patch b/backport-core-namespace-allow-using-ProtectSubset-pid-and-Pro.patch new file mode 100644 index 0000000000000000000000000000000000000000..0406216be1ed2b20e40f81ac8440c45caa1c456f --- /dev/null +++ b/backport-core-namespace-allow-using-ProtectSubset-pid-and-Pro.patch 
@@ -0,0 +1,53 @@ +From eeb50421761e3ac562e96c47fb5f0f6ed622cfe1 Mon Sep 17 00:00:00 2001 +From: Christian Brauner +Date: Fri, 21 Jan 2022 13:08:19 +0100 +Subject: [PATCH] core/namespace: allow using ProtectSubset=pid and + ProtectHostname=true together + +If a service requests both ProtectSubset=pid and ProtectHostname=true +then it will currently fail to start. The ProcSubset=pid option +instructs systemd to mount procfs for the service with subset=pid which +hides all entries other than /proc/. Consequently trying to +interact with the two files /proc/sys/kernel/{hostname,domainname} +covered by ProtectHostname=true will fail. + +Fix this by only performing this check when ProtectSubset=pid is not +requested. Essentially ProtectSubset=pid implies/provides +ProtectHostname=true. + +(cherry picked from commit 1361f015773e3b4d74e382edf1565f3315a3396b) +(cherry picked from commit a727941affa7821592d503c8a5033c92d615f64c) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/eeb50421761e3ac562e96c47fb5f0f6ed622cfe1 +--- + src/core/namespace.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/src/core/namespace.c b/src/core/namespace.c +index e3aebe8b5e..5961b14f98 100644 +--- a/src/core/namespace.c ++++ b/src/core/namespace.c +@@ -2115,14 +2115,19 @@ int setup_namespace( + goto finish; + } + ++ /* Note, if proc is mounted with subset=pid then neither of the ++ * two paths will exist, i.e. they are implicitly protected by ++ * the mount option. */ + if (ns_info->protect_hostname) { + *(m++) = (MountEntry) { + .path_const = "/proc/sys/kernel/hostname", + .mode = READONLY, ++ .ignore = ignore_protect_proc, + }; + *(m++) = (MountEntry) { + .path_const = "/proc/sys/kernel/domainname", + .mode = READONLY, ++ .ignore = ignore_protect_proc, + }; + } + +-- +2.33.0 + 
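Review bot: The two hostname entries in setup_namespace() now carry `.ignore = ignore_protect_proc`, but the added comment only explains the subset=pid case, and `ignore_protect_proc` is computed outside the hunk. If that flag can also be true for other reasons, a missing /proc/sys/kernel/hostname or /proc/sys/kernel/domainname would be skipped silently and the service would run without the read-only mounts that ProtectHostname= asks for. The comment should list every condition under which these entries may be ignored, or the value used here should be limited to the subset=pid case.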
diff --git a/backport-core-namespace-s-normalize_mounts-drop_unused_mounts.patch b/backport-core-namespace-s-normalize_mounts-drop_unused_mounts.patch new file mode 100644 index 0000000000000000000000000000000000000000..a87e2ed66e1a041ba7350c0fab9b2bf8fbe41751 --- /dev/null +++ b/backport-core-namespace-s-normalize_mounts-drop_unused_mounts.patch 
@@ -0,0 +1,65 @@ +From 2540b0e3e0aa3e9bc4eef39723aa869f235923dd Mon Sep 17 00:00:00 2001 +From: Christian Brauner +Date: Mon, 24 Jan 2022 10:12:57 +0100 +Subject: [PATCH] core/namespace: s/normalize_mounts()/drop_unused_mounts() + +Rename the normalize_mounts() helper to drop_unused_mounts. All the +helpers called in there get rid of mounts that are unused for a variety +of reasons. And whereas the helpers are aptly prefixed with "drop" the +overall helper isn't and instead uses "normalize". + +Make it more obvious what the helper actually does by renaming it from +normalize_mounts() to drop_unused_mounts(). Readers of code calling this +helper will immediately see that it will get rid of unused mounts. + +Link: https://github.com/systemd/systemd/issues/22206 +(cherry picked from commit fbf90c0d5cadc5d1e95485f770f45a7d4cd39daa) +(cherry picked from commit 09936a7ec92c859b3c4c9520ecd49c2909a8b35c) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/2540b0e3e0aa3e9bc4eef39723aa869f235923dd +--- + src/core/namespace.c | 13 ++++++++++--- + 1 file changed, 10 insertions(+), 3 deletions(-) + +diff --git a/src/core/namespace.c b/src/core/namespace.c +index 5961b14f98..a6c6963bb7 100644 +--- a/src/core/namespace.c ++++ b/src/core/namespace.c +@@ -1578,7 +1578,14 @@ static size_t namespace_calculate_mounts( + ns_info->private_ipc; /* /dev/mqueue */ + } + +-static void normalize_mounts(const char *root_directory, MountEntry *mounts, size_t *n_mounts) { ++/* Walk all mount entries and dropping any unused mounts. 
This affects all ++ * mounts: ++ * - that are implicitly protected by a path that has been rendered inaccessible ++ * - whose immediate parent requests the same protection mode as the mount itself ++ * - that are outside of the relevant root directory ++ * - which are duplicates ++ */ ++static void drop_unused_mounts(const char *root_directory, MountEntry *mounts, size_t *n_mounts) { + assert(root_directory); + assert(n_mounts); + assert(mounts || *n_mounts == 0); +@@ -1659,7 +1666,7 @@ static int apply_mounts( + if (!again) + break; + +- normalize_mounts(root, mounts, n_mounts); ++ drop_unused_mounts(root, mounts, n_mounts); + } + + /* Create a deny list we can pass to bind_mount_recursive() */ +@@ -2208,7 +2215,7 @@ int setup_namespace( + if (r < 0) + goto finish; + +- normalize_mounts(root, mounts, &n_mounts); ++ drop_unused_mounts(root, mounts, &n_mounts); + } + + /* All above is just preparation, figuring out what to do. Let's now actually start doing something. */ +-- +2.33.0 + diff --git a/backport-core-normalize-r-variable-handling-in-unit_attach_pi.patch b/backport-core-normalize-r-variable-handling-in-unit_attach_pi.patch new file mode 100644 index 0000000000000000000000000000000000000000..038642fd557ce1272218f0022ef24fa2be7393fa --- /dev/null +++ b/backport-core-normalize-r-variable-handling-in-unit_attach_pi.patch 
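Review bot: The comment added above drop_unused_mounts() opens with "Walk all mount entries and dropping any unused mounts", which mixes two verb forms. `/* Walk all mount entries and drop any unused mounts. This affects all mounts:` reads cleanly and keeps the bullet list that follows unchanged.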
@@ -0,0 +1,125 @@ +From 84ec6a0043f7a447157753fb12e991ebce6e14b7 Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Wed, 27 Oct 2021 23:08:58 +0200 +Subject: [PATCH] core: normalize 'r' variable handling in + unit_attach_pids_to_cgroup() a bit + +The 'r' variable is our "go-to" variable for error return codes, all +across our codebase. In unit_attach_pids_to_cgroup() it was so far used +in a strange way for most of the function: instead of directly storing +the error codes of functions we call we'd store it in a local variable +'q' instead, and propagate it to 'r' only in some cases finally we'd +return the ultimate result of 'r'. + +Let's normalize this a bit: let's always store error return values in +'r', and then use 'ret' as the variable to sometimes propagate errors +to, and then return that. + +This also allows us to get rid of one local variable. + +No actual codeflow changes, just some renaming of variables that allows +us to remove one. + +(cherry picked from commit db4229d12f48663400802171b336c7cadbbe04ef) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/84ec6a0043f7a447157753fb12e991ebce6e14b7 +--- + src/core/cgroup.c | 38 +++++++++++++++++++------------------- + 1 file changed, 19 insertions(+), 19 deletions(-) + +diff --git a/src/core/cgroup.c b/src/core/cgroup.c +index 5c07aa71d1..1551d57e90 100644 +--- a/src/core/cgroup.c ++++ b/src/core/cgroup.c +@@ -2137,7 +2137,7 @@ int unit_attach_pids_to_cgroup(Unit *u, Set *pids, const char *suffix_path) { + CGroupMask delegated_mask; + const char *p; + void *pidp; +- int r, q; ++ int ret, r; + + assert(u); + +@@ -2164,16 +2164,16 @@ int unit_attach_pids_to_cgroup(Unit *u, Set *pids, const char *suffix_path) { + + delegated_mask = unit_get_delegate_mask(u); + +- r = 0; ++ ret = 0; + SET_FOREACH(pidp, pids) { + pid_t pid = PTR_TO_PID(pidp); + + /* First, attach the PID to the main cgroup hierarchy */ +- q = cg_attach(SYSTEMD_CGROUP_CONTROLLER, p, pid); +- if (q < 0) { +- bool again = 
MANAGER_IS_USER(u->manager) && ERRNO_IS_PRIVILEGE(q); ++ r = cg_attach(SYSTEMD_CGROUP_CONTROLLER, p, pid); ++ if (r < 0) { ++ bool again = MANAGER_IS_USER(u->manager) && ERRNO_IS_PRIVILEGE(r); + +- log_unit_full_errno(u, again ? LOG_DEBUG : LOG_INFO, q, ++ log_unit_full_errno(u, again ? LOG_DEBUG : LOG_INFO, r, + "Couldn't move process "PID_FMT" to%s requested cgroup '%s': %m", + pid, again ? " directly" : "", empty_to_root(p)); + +@@ -2192,16 +2192,16 @@ int unit_attach_pids_to_cgroup(Unit *u, Set *pids, const char *suffix_path) { + continue; /* When the bus thing worked via the bus we are fully done for this PID. */ + } + +- if (r >= 0) +- r = q; /* Remember first error */ ++ if (ret >= 0) ++ ret = r; /* Remember first error */ + + continue; + } + +- q = cg_all_unified(); +- if (q < 0) +- return q; +- if (q > 0) ++ r = cg_all_unified(); ++ if (r < 0) ++ return r; ++ if (r > 0) + continue; + + /* In the legacy hierarchy, attach the process to the request cgroup if possible, and if not to the +@@ -2216,11 +2216,11 @@ int unit_attach_pids_to_cgroup(Unit *u, Set *pids, const char *suffix_path) { + + /* If this controller is delegated and realized, honour the caller's request for the cgroup suffix. */ + if (delegated_mask & u->cgroup_realized_mask & bit) { +- q = cg_attach(cgroup_controller_to_string(c), p, pid); +- if (q >= 0) ++ r = cg_attach(cgroup_controller_to_string(c), p, pid); ++ if (r >= 0) + continue; /* Success! */ + +- log_unit_debug_errno(u, q, "Failed to attach PID " PID_FMT " to requested cgroup %s in controller %s, falling back to unit's cgroup: %m", ++ log_unit_debug_errno(u, r, "Failed to attach PID " PID_FMT " to requested cgroup %s in controller %s, falling back to unit's cgroup: %m", + pid, empty_to_root(p), cgroup_controller_to_string(c)); + } + +@@ -2231,14 +2231,14 @@ int unit_attach_pids_to_cgroup(Unit *u, Set *pids, const char *suffix_path) { + if (!realized) + continue; /* Not even realized in the root slice? 
Then let's not bother */ + +- q = cg_attach(cgroup_controller_to_string(c), realized, pid); +- if (q < 0) +- log_unit_debug_errno(u, q, "Failed to attach PID " PID_FMT " to realized cgroup %s in controller %s, ignoring: %m", ++ r = cg_attach(cgroup_controller_to_string(c), realized, pid); ++ if (r < 0) ++ log_unit_debug_errno(u, r, "Failed to attach PID " PID_FMT " to realized cgroup %s in controller %s, ignoring: %m", + pid, realized, cgroup_controller_to_string(c)); + } + } + +- return r; ++ return ret; + } + + static bool unit_has_mask_realized( +-- +2.33.0 + diff --git a/backport-core-really-skip-automatic-restart-when-a-JOB_STOP-j.patch b/backport-core-really-skip-automatic-restart-when-a-JOB_STOP-j.patch new file mode 100644 index 0000000000000000000000000000000000000000..0b7200437033c3195ff9d5ecc14d075804b6d19d --- /dev/null +++ b/backport-core-really-skip-automatic-restart-when-a-JOB_STOP-j.patch 
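Review bot: After the rename in unit_attach_pids_to_cgroup(), `r = cg_all_unified(); if (r < 0) return r;` still returns from inside the SET_FOREACH loop and discards a first error already stored in `ret`. That matches the old behaviour, but with `ret` now named as the accumulated result the early return looks like an oversight. A short comment such as `/* Fatal for all PIDs, return right away instead of remembering it in ret */` on that return would make the intent clear. The function starts outside the hunk.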
@@ -0,0 +1,54 @@ +From b17f9c7c8db6959227cebf1b30ed1698d024382e Mon Sep 17 00:00:00 2001 +From: Franck Bui +Date: Fri, 18 Feb 2022 10:06:24 +0100 +Subject: [PATCH] core: really skip automatic restart when a JOB_STOP job is + pending + +It's not clear why we rescheduled a service auto restart while a stop job for +the unit was pending. The comment claims that the unit shouldn't be restarted +but the code did reschedule an auto restart meanwhile. + +In practice that was rarely an issue because the service waited for the next +auto restart to be rescheduled, letting the queued stop job to be proceed and +service_stop() to be called preventing the next restart to complete. + +However when RestartSec=0, the timer expired right away making PID1 to +reschedule the unit again, making the timer expired right away... and so +on. This busy loop prevented PID1 to handle any queued jobs (and hence giving +no chance to the start rate limiting to trigger), which made the busy loop last +forever. + +This patch breaks this loop by skipping the reschedule of the unit auto restart +and hence not depending on the value of u->restart_usec anymore. 
+ +Fixes: #13667 +(cherry picked from commit c972880640ee19e89ce9265d8eae1b3aae190332) +(cherry picked from commit 2198c08d0786c5cec1b39283831969b2cc1adf40) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/b17f9c7c8db6959227cebf1b30ed1698d024382e +--- + src/core/service.c | 7 +------ + 1 file changed, 1 insertion(+), 6 deletions(-) + +diff --git a/src/core/service.c b/src/core/service.c +index a480edc439..21bf3dc28c 100644 +--- a/src/core/service.c ++++ b/src/core/service.c +@@ -2267,12 +2267,7 @@ static void service_enter_restart(Service *s) { + + if (unit_has_job_type(UNIT(s), JOB_STOP)) { + /* Don't restart things if we are going down anyway */ +- log_unit_info(UNIT(s), "Stop job pending for unit, delaying automatic restart."); +- +- r = service_arm_timer(s, usec_add(now(CLOCK_MONOTONIC), s->restart_usec)); +- if (r < 0) +- goto fail; +- ++ log_unit_info(UNIT(s), "Stop job pending for unit, skipping automatic restart."); + return; + } + +-- +2.33.0 + diff --git a/backport-core-refuse-to-mount-ExtensionImages-if-the-base-lay.patch b/backport-core-refuse-to-mount-ExtensionImages-if-the-base-lay.patch new file mode 100644 index 0000000000000000000000000000000000000000..0996f5814a97aa6c60b55f5ee50613dd1c77b5c9 --- /dev/null +++ b/backport-core-refuse-to-mount-ExtensionImages-if-the-base-lay.patch 
@@ -0,0 +1,34 @@ +From af8d87d6bc8506629f1e73599ccdc4b8f8eaa6c8 Mon Sep 17 00:00:00 2001 +From: Luca Boccassi +Date: Wed, 19 Jan 2022 00:08:57 +0000 +Subject: [PATCH] core: refuse to mount ExtensionImages if the base layer + doesn't at least have ID in os-release + +We can't match an extension if we don't at least have an ID, +so refuse to continue + +(cherry picked from commit 78ab2b5064a0f87579ce5430f9cb83bba0db069a) +(cherry picked from commit 179bd47f04c538ed1f2c1de2cf2c18f17b027a51) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/af8d87d6bc8506629f1e73599ccdc4b8f8eaa6c8 +--- + src/core/namespace.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/src/core/namespace.c b/src/core/namespace.c +index b933d46cf6..e3aebe8b5e 100644 +--- a/src/core/namespace.c ++++ b/src/core/namespace.c +@@ -1151,6 +1151,8 @@ static int mount_image(const MountEntry *m, const char *root_directory) { + NULL); + if (r < 0) + return log_debug_errno(r, "Failed to acquire 'os-release' data of OS tree '%s': %m", empty_to_root(root_directory)); ++ if (isempty(host_os_release_id)) ++ return log_debug_errno(SYNTHETIC_ERRNO(EINVAL), "'ID' field not found or empty in 'os-release' data of OS tree '%s': %m", empty_to_root(root_directory)); + } + + r = verity_dissect_and_mount( +-- +2.33.0 + diff --git a/backport-core-replace-slice-dependencies-as-they-get-added.patch b/backport-core-replace-slice-dependencies-as-they-get-added.patch new file mode 100644 index 0000000000000000000000000000000000000000..158be33da6a68de102a9b89d15b53df2898b1b14 --- /dev/null +++ b/backport-core-replace-slice-dependencies-as-they-get-added.patch 
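Review bot: The new refusal in mount_image() passes `SYNTHETIC_ERRNO(EINVAL)` together with a format string ending in `: %m`, so the message gets "Invalid argument" appended although no call actually failed with that error. Dropping the suffix keeps the message accurate: `return log_debug_errno(SYNTHETIC_ERRNO(EINVAL), "'ID' field not found or empty in 'os-release' data of OS tree '%s'.", empty_to_root(root_directory));`. Because this path rejects an extension image outright, it may also deserve a level above debug so the reason shows up in normal logs. mount_image() continues outside the hunk.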
@@ -0,0 +1,178 @@ +From b68731eeb692a4cfcdf5790ae118ebf21d827301 Mon Sep 17 00:00:00 2001 +From: Anita Zhang +Date: Tue, 9 Nov 2021 15:26:28 -0800 +Subject: [PATCH] core: replace slice dependencies as they get added + +Defines a "UNIT_DEPENDENCY_SLICE_PROPERTY" UnitDependencyMask type that +is used when adding slices to the dependencies hashmap. This type is +used to remove slice dependencies when they get overridden by new ones. + +Fixes #20182 + +Reference:https://github.com/systemd/systemd/commit/899acf5c2d4b89caa891d05ccfa4be828a999c2d +Conflict: NA +--- + src/core/dbus-unit.c | 2 +- + src/core/load-fragment.c | 2 +- + src/core/unit-serialize.c | 1 + + src/core/unit.c | 10 +++++++--- + src/core/unit.h | 7 +++++-- + src/test/test-engine.c | 31 ++++++++++++++++++++++++++++++- + 6 files changed, 45 insertions(+), 8 deletions(-) + +diff --git a/src/core/dbus-unit.c b/src/core/dbus-unit.c +index aa10939..c42ae5e 100644 +--- a/src/core/dbus-unit.c ++++ b/src/core/dbus-unit.c +@@ -2272,7 +2272,7 @@ static int bus_unit_set_transient_property( + return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Unit name '%s' is not a slice", s); + + if (!UNIT_WRITE_FLAGS_NOOP(flags)) { +- r = unit_set_slice(u, slice, UNIT_DEPENDENCY_FILE); ++ r = unit_set_slice(u, slice); + if (r < 0) + return r; + +diff --git a/src/core/load-fragment.c b/src/core/load-fragment.c +index 399a759..3f5d6d3 100644 +--- a/src/core/load-fragment.c ++++ b/src/core/load-fragment.c +@@ -3575,7 +3575,7 @@ int config_parse_unit_slice( + return 0; + } + +- r = unit_set_slice(u, slice, UNIT_DEPENDENCY_FILE); ++ r = unit_set_slice(u, slice); + if (r < 0) { + log_syntax(unit, LOG_WARNING, filename, line, r, "Failed to assign slice %s to unit %s, ignoring: %m", slice->id, u->id); + return 0; +diff --git a/src/core/unit-serialize.c b/src/core/unit-serialize.c +index 689a536..3544f18 100644 +--- a/src/core/unit-serialize.c ++++ b/src/core/unit-serialize.c +@@ -571,6 +571,7 @@ static void 
print_unit_dependency_mask(FILE *f, const char *kind, UnitDependency + { UNIT_DEPENDENCY_MOUNTINFO_IMPLICIT, "mountinfo-implicit" }, + { UNIT_DEPENDENCY_MOUNTINFO_DEFAULT, "mountinfo-default" }, + { UNIT_DEPENDENCY_PROC_SWAP, "proc-swap" }, ++ { UNIT_DEPENDENCY_SLICE_PROPERTY, "slice-property" }, + }; + + assert(f); +diff --git a/src/core/unit.c b/src/core/unit.c +index ffcf8eb..bff0527 100644 +--- a/src/core/unit.c ++++ b/src/core/unit.c +@@ -3267,7 +3267,7 @@ reset: + return r; + } + +-int unit_set_slice(Unit *u, Unit *slice, UnitDependencyMask mask) { ++int unit_set_slice(Unit *u, Unit *slice) { + int r; + + assert(u); +@@ -3300,7 +3300,11 @@ int unit_set_slice(Unit *u, Unit *slice, UnitDependencyMask mask) { + if (UNIT_GET_SLICE(u) && u->cgroup_realized) + return -EBUSY; + +- r = unit_add_dependency(u, UNIT_IN_SLICE, slice, true, mask); ++ /* Remove any slices assigned prior; we should only have one UNIT_IN_SLICE dependency */ ++ if (UNIT_GET_SLICE(u)) ++ unit_remove_dependencies(u, UNIT_DEPENDENCY_SLICE_PROPERTY); ++ ++ r = unit_add_dependency(u, UNIT_IN_SLICE, slice, true, UNIT_DEPENDENCY_SLICE_PROPERTY); + if (r < 0) + return r; + +@@ -3353,7 +3357,7 @@ int unit_set_default_slice(Unit *u) { + if (r < 0) + return r; + +- return unit_set_slice(u, slice, UNIT_DEPENDENCY_FILE); ++ return unit_set_slice(u, slice); + } + + const char *unit_slice_name(Unit *u) { +diff --git a/src/core/unit.h b/src/core/unit.h +index 759104f..6dc2bcb 100644 +--- a/src/core/unit.h ++++ b/src/core/unit.h +@@ -88,7 +88,10 @@ typedef enum UnitDependencyMask { + /* A dependency created because of data read from /proc/swaps and no other configuration source */ + UNIT_DEPENDENCY_PROC_SWAP = 1 << 7, + +- _UNIT_DEPENDENCY_MASK_FULL = (1 << 8) - 1, ++ /* A dependency for units in slices assigned by directly setting Slice= */ ++ UNIT_DEPENDENCY_SLICE_PROPERTY = 1 << 8, ++ ++ _UNIT_DEPENDENCY_MASK_FULL = (1 << 9) - 1, + } UnitDependencyMask; + + /* The Unit's dependencies[] hashmaps use this 
structure as value. It has the same size as a void pointer, and thus can +@@ -761,7 +764,7 @@ Unit *unit_follow_merge(Unit *u) _pure_; + int unit_load_fragment_and_dropin(Unit *u, bool fragment_required); + int unit_load(Unit *unit); + +-int unit_set_slice(Unit *u, Unit *slice, UnitDependencyMask mask); ++int unit_set_slice(Unit *u, Unit *slice); + int unit_set_default_slice(Unit *u); + + const char *unit_description(Unit *u) _pure_; +diff --git a/src/test/test-engine.c b/src/test/test-engine.c +index 6dc1619..1ac15a8 100644 +--- a/src/test/test-engine.c ++++ b/src/test/test-engine.c +@@ -8,6 +8,7 @@ + #include "manager-dump.h" + #include "rm-rf.h" + #include "service.h" ++#include "slice.h" + #include "special.h" + #include "strv.h" + #include "tests.h" +@@ -75,7 +76,8 @@ int main(int argc, char *argv[]) { + _cleanup_(sd_bus_error_free) sd_bus_error err = SD_BUS_ERROR_NULL; + _cleanup_(manager_freep) Manager *m = NULL; + Unit *a = NULL, *b = NULL, *c = NULL, *d = NULL, *e = NULL, *g = NULL, +- *h = NULL, *i = NULL, *a_conj = NULL, *unit_with_multiple_dashes = NULL, *stub = NULL; ++ *h = NULL, *i = NULL, *a_conj = NULL, *unit_with_multiple_dashes = NULL, *stub = NULL, ++ *tomato = NULL, *sauce = NULL, *fruit = NULL, *zupa = NULL; + Job *j; + int r; + +@@ -260,5 +262,32 @@ int main(int argc, char *argv[]) { + + verify_dependency_atoms(); + ++ /* Test adding multiple Slice= dependencies; only the last should remain */ ++ assert_se(unit_new_for_name(m, sizeof(Service), "tomato.service", &tomato) >= 0); ++ assert_se(unit_new_for_name(m, sizeof(Slice), "sauce.slice", &sauce) >= 0); ++ assert_se(unit_new_for_name(m, sizeof(Slice), "fruit.slice", &fruit) >= 0); ++ assert_se(unit_new_for_name(m, sizeof(Slice), "zupa.slice", &zupa) >= 0); ++ ++ unit_set_slice(tomato, sauce); ++ unit_set_slice(tomato, fruit); ++ unit_set_slice(tomato, zupa); ++ ++ assert_se(UNIT_GET_SLICE(tomato) == zupa); ++ assert_se(!unit_has_dependency(tomato, UNIT_ATOM_IN_SLICE, sauce)); ++ 
assert_se(!unit_has_dependency(tomato, UNIT_ATOM_IN_SLICE, fruit)); ++ assert_se(unit_has_dependency(tomato, UNIT_ATOM_IN_SLICE, zupa)); ++ ++ assert_se(!unit_has_dependency(tomato, UNIT_ATOM_REFERENCES, sauce)); ++ assert_se(!unit_has_dependency(tomato, UNIT_ATOM_REFERENCES, fruit)); ++ assert_se(unit_has_dependency(tomato, UNIT_ATOM_REFERENCES, zupa)); ++ ++ assert_se(!unit_has_dependency(sauce, UNIT_ATOM_SLICE_OF, tomato)); ++ assert_se(!unit_has_dependency(fruit, UNIT_ATOM_SLICE_OF, tomato)); ++ assert_se(unit_has_dependency(zupa, UNIT_ATOM_SLICE_OF, tomato)); ++ ++ assert_se(!unit_has_dependency(sauce, UNIT_ATOM_REFERENCED_BY, tomato)); ++ assert_se(!unit_has_dependency(fruit, UNIT_ATOM_REFERENCED_BY, tomato)); ++ assert_se(unit_has_dependency(zupa, UNIT_ATOM_REFERENCED_BY, tomato)); ++ + return 0; + } +-- +1.8.3.1 + diff --git a/backport-core-respect-install_sysconfdir_samples-in-meson-fil.patch b/backport-core-respect-install_sysconfdir_samples-in-meson-fil.patch new file mode 100644 index 0000000000000000000000000000000000000000..b5477b1d9791a255a874836433ff2c36cd930276 --- /dev/null +++ b/backport-core-respect-install_sysconfdir_samples-in-meson-fil.patch 
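Review bot: The three `unit_set_slice(tomato, ...)` calls added to test-engine.c ignore their return values, so a failing assignment would only surface indirectly through the later dependency assertions. Wrapping each call, as in `assert_se(unit_set_slice(tomato, sauce) >= 0);`, pins the failure to the call that caused it. In unit_set_slice() itself, the old slice dependency is removed with `unit_remove_dependencies(u, UNIT_DEPENDENCY_SLICE_PROPERTY)` before `unit_add_dependency()` runs. If that call fails, the unit appears to be left without its previous slice dependency, though the rest of the function is outside the hunk.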
@@ -0,0 +1,34 @@ +From d36785b19b10ec04ae7b87cdb402de4126e17bca Mon Sep 17 00:00:00 2001 +From: Andreas Rammhold +Date: Mon, 26 Jul 2021 16:57:43 +0200 +Subject: [PATCH] core: respect install_sysconfdir_samples in meson file + +The refactoring done in e11a25cadbe caused the configuration files to be +installed into the pkgsysconfdir regardless of the state of the +install_sysconfdir_samples boolean that indicates whether or not the +sample files should be installed. + +(cherry picked from commit cfd760b6a77808d0b9451ed618a23b6259fe525f) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/d36785b19b10ec04ae7b87cdb402de4126e17bca +--- + src/core/meson.build | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/core/meson.build b/src/core/meson.build +index f0d2c6f642..c66538eab1 100644 +--- a/src/core/meson.build ++++ b/src/core/meson.build +@@ -193,7 +193,7 @@ foreach item : in_files + output: file, + command : [meson_render_jinja2, config_h, '@INPUT@'], + capture : true, +- install : dir != 'no', ++ install : (dir == pkgsysconfdir and install_sysconfdir_samples) or (dir != pkgsysconfdir and dir != 'no'), + install_dir : dir) + endforeach + +-- +2.33.0 + diff --git a/backport-core-service-also-check-path-in-exec-commands.patch b/backport-core-service-also-check-path-in-exec-commands.patch index 83ec315118c36b50a7ce2c2540ce7c91a6ec80d1..f7d6552adc82a1f4a8ba85f61255d48ae6945f9a 100644 --- a/backport-core-service-also-check-path-in-exec-commands.patch +++ b/backport-core-service-also-check-path-in-exec-commands.patch @@ -1,17 +1,21 @@ -From 8688a389cabdff61efe187bb85cc1776de03c460 Mon Sep 17 00:00:00 2001 +From b3978cf401306a793c7531299a5e9b3c63e53a27 Mon Sep 17 00:00:00 2001 
From: Yu Watanabe Date: Wed, 6 Oct 2021 00:19:41 +0900 -Subject: [PATCH 2/2] core/service: also check path in exec commands +Subject: [PATCH] core/service: also check path in exec commands +(cherry picked from commit 8688a389cabdff61efe187bb85cc1776de03c460) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/b3978cf401306a793c7531299a5e9b3c63e53a27 --- src/core/service.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/src/core/service.c b/src/core/service.c -index 4c75819a8f..54d8d0c760 100644 +index e061d488c7..701c145565 100644 --- a/src/core/service.c +++ b/src/core/service.c -@@ -567,11 +567,17 @@ static int service_verify(Service *s) { +@@ -551,11 +551,17 @@ static int service_verify(Service *s) { for (ServiceExecCommand c = 0; c < _SERVICE_EXEC_COMMAND_MAX; c++) { ExecCommand *command; @@ -31,5 +35,5 @@ index 4c75819a8f..54d8d0c760 100644 if (!s->exec_command[SERVICE_EXEC_START] && !s->exec_command[SERVICE_EXEC_STOP] && -- -2.27.0 +2.33.0 diff --git a/backport-core-unit-use-bus_error_message-at-one-more-place.patch b/backport-core-unit-use-bus_error_message-at-one-more-place.patch new file mode 100644 index 0000000000000000000000000000000000000000..be4658f547ffbf00d0c694b44b800861463eb9c6 --- /dev/null +++ b/backport-core-unit-use-bus_error_message-at-one-more-place.patch 
@@ -0,0 +1,36 @@
+From aa25320dbbc2b239d9f551cffac39263814a3dfa Mon Sep 17 00:00:00 2001
+From: Yu Watanabe
+Date: Sun, 30 Jan 2022 05:38:01 +0900
+Subject: [PATCH] core/unit: use bus_error_message() at one more place
+
+(cherry picked from commit 33322185554799b08e94aca036dd109aaee52408)
+(cherry picked from commit 81e59411161078f4f90d80e2e111755adc16db33)
+
+Conflict:NA
+Reference:https://github.com/systemd/systemd/commit/aa25320dbbc2b239d9f551cffac39263814a3dfa
+---
+ src/core/unit.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/src/core/unit.c b/src/core/unit.c
+index dfe200ee20..0e8a01966a 100644
+--- a/src/core/unit.c
++++ b/src/core/unit.c
+@@ -3422,8 +3422,12 @@ static int get_name_owner_handler(sd_bus_message *message, void *userdata, sd_bu
+
+ e = sd_bus_message_get_error(message);
+ if (e) {
+- if (!sd_bus_error_has_name(e, "org.freedesktop.DBus.Error.NameHasNoOwner"))
+- log_unit_error(u, "Unexpected error response from GetNameOwner(): %s", e->message);
++ if (!sd_bus_error_has_name(e, "org.freedesktop.DBus.Error.NameHasNoOwner")) {
++ r = sd_bus_error_get_errno(e);
++ log_unit_error_errno(u, r,
++ "Unexpected error response from GetNameOwner(): %s",
++ bus_error_message(e, r));
++ }
+
+ new_owner = NULL;
+ } else {
+--
+2.33.0
+
diff --git a/backport-core-use-correct-level-for-CPU-time-log-message.patch b/backport-core-use-correct-level-for-CPU-time-log-message.patch
new file mode 100644
index 0000000000000000000000000000000000000000..f4db746689f909a7afaa7c93cf3f2e5566466d43
--- /dev/null
+++ b/backport-core-use-correct-level-for-CPU-time-log-message.patch
@@ -0,0 +1,35 @@
+From 034a23c640c74856df76b3af5fdc4af5cb48256b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20G=C3=B6ttsche?=
+Date: Mon, 6 Dec 2021 16:57:42 +0100
+Subject: [PATCH] core: use correct level for CPU time log message
+
+raise_level() takes the info condition as second argument and the notice
+one as third. For the consumed CPU time these conditions are swapped.
+
+Fixes: 37109b856aeb ("pid1: use LOG_DEBUG/INFO/NOTICE for unit resource consumption message")
+(cherry picked from commit ef6bb4dd3e3bb9c210c310026b4d827a46acc762)
+
+Conflict:NA
+Reference:https://github.com/systemd/systemd/commit/034a23c640c74856df76b3af5fdc4af5cb48256b
+---
+ src/core/unit.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/core/unit.c b/src/core/unit.c
+index c792bd8e82..dfe200ee20 100644
+--- a/src/core/unit.c
++++ b/src/core/unit.c
+@@ -2296,8 +2296,8 @@ static int unit_log_resources(Unit *u) {
+ message_parts[n_message_parts++] = t;
+
+ log_level = raise_level(log_level,
+- nsec > NOTICEWORTHY_CPU_NSEC,
+- nsec > MENTIONWORTHY_CPU_NSEC);
++ nsec > MENTIONWORTHY_CPU_NSEC,
++ nsec > NOTICEWORTHY_CPU_NSEC);
+ }
+
+ for (CGroupIOAccountingMetric k = 0; k < _CGROUP_IO_ACCOUNTING_METRIC_MAX; k++) {
+--
+2.33.0
+
diff --git a/backport-core-use-the-new-quoting-helper.patch b/backport-core-use-the-new-quoting-helper.patch
new file mode 100644
index 0000000000000000000000000000000000000000..e2d969e9854110b7b8044f8fc59d416fe698b99f
--- /dev/null
+++ b/backport-core-use-the-new-quoting-helper.patch
@@ -0,0 +1,133 @@ +From 284781bcb00be27737b52ffb974b66b7d5e990d5 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Wed, 7 Jul 2021 16:28:19 +0200 +Subject: [PATCH] core: use the new quoting helper + +(cherry picked from commit 8a62620ebe23945021075df7e1b0759102c286ae) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/284781bcb00be27737b52ffb974b66b7d5e990d5 +--- + src/core/execute.c | 64 ++++++++++------------------------------------ + 1 file changed, 13 insertions(+), 51 deletions(-) + +diff --git a/src/core/execute.c b/src/core/execute.c +index e24775c150..28efe5c36f 100644 +--- a/src/core/execute.c ++++ b/src/core/execute.c +@@ -51,6 +51,7 @@ + #include "env-file.h" + #include "env-util.h" + #include "errno-list.h" ++#include "escape.h" + #include "execute.h" + #include "exit-status.h" + #include "fd-util.h" +@@ -3596,8 +3597,6 @@ static int compile_suggested_paths(const ExecContext *c, const ExecParameters *p + return 0; + } + +-static char *exec_command_line(char **argv); +- + static int exec_parameters_get_cgroup_path(const ExecParameters *params, char **ret) { + bool using_subcgroup; + char *p; +@@ -3800,7 +3799,7 @@ static int exec_child( + const char *vc = params->confirm_spawn; + _cleanup_free_ char *cmdline = NULL; + +- cmdline = exec_command_line(command->argv); ++ cmdline = quote_command_line(command->argv); + if (!cmdline) { + *exit_status = EXIT_MEMORY; + return log_oom(); +@@ -4650,12 +4649,15 @@ static int exec_child( + if (DEBUG_LOGGING) { + _cleanup_free_ char *line = NULL; + +- line = exec_command_line(final_argv); +- if (line) +- log_unit_struct(unit, LOG_DEBUG, +- "EXECUTABLE=%s", executable, +- LOG_UNIT_MESSAGE(unit, "Executing: %s", line), +- LOG_UNIT_INVOCATION_ID(unit)); ++ line = quote_command_line(final_argv); ++ if (!line) { ++ *exit_status = EXIT_MEMORY; ++ return log_oom(); ++ } ++ ++ log_unit_struct(unit, LOG_DEBUG, ++ "EXECUTABLE=%s", executable, ++ LOG_UNIT_MESSAGE(unit, 
"Executing: %s", line)); + } + + if (exec_fd >= 0) { +@@ -4739,7 +4741,7 @@ int exec_spawn(Unit *unit, + if (r < 0) + return log_unit_error_errno(unit, r, "Failed to load environment files: %m"); + +- line = exec_command_line(command->argv); ++ line = quote_command_line(command->argv); + if (!line) + return log_oom(); + +@@ -5954,46 +5956,6 @@ void exec_status_dump(const ExecStatus *s, FILE *f, const char *prefix) { + prefix, s->status); + } + +-static char *exec_command_line(char **argv) { +- size_t k; +- char *n, *p, **a; +- bool first = true; +- +- assert(argv); +- +- k = 1; +- STRV_FOREACH(a, argv) +- k += strlen(*a)+3; +- +- n = new(char, k); +- if (!n) +- return NULL; +- +- p = n; +- STRV_FOREACH(a, argv) { +- +- if (!first) +- *(p++) = ' '; +- else +- first = false; +- +- if (strpbrk(*a, WHITESPACE)) { +- *(p++) = '\''; +- p = stpcpy(p, *a); +- *(p++) = '\''; +- } else +- p = stpcpy(p, *a); +- +- } +- +- *p = 0; +- +- /* FIXME: this doesn't really handle arguments that have +- * spaces and ticks in them */ +- +- return n; +-} +- + static void exec_command_dump(ExecCommand *c, FILE *f, const char *prefix) { + _cleanup_free_ char *cmd = NULL; + const char *prefix2; +@@ -6004,7 +5966,7 @@ static void exec_command_dump(ExecCommand *c, FILE *f, const char *prefix) { + prefix = strempty(prefix); + prefix2 = strjoina(prefix, "\t"); + +- cmd = exec_command_line(c->argv); ++ cmd = quote_command_line(c->argv); + fprintf(f, + "%sCommand Line: %s\n", + prefix, cmd ? cmd : strerror_safe(ENOMEM)); +-- +2.33.0 + diff --git a/backport-core-wrap-cgroup-path-with-empty_to_root-in-log-mess.patch b/backport-core-wrap-cgroup-path-with-empty_to_root-in-log-mess.patch index 7e7c316728a3042af19f1a3df4b0ba5132f62577..729a4275c02a4cbcd26e515f4ddbf97f4d7f5fe3 100644 --- a/backport-core-wrap-cgroup-path-with-empty_to_root-in-log-mess.patch +++ b/backport-core-wrap-cgroup-path-with-empty_to_root-in-log-mess.patch 
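Review bot: In the `DEBUG_LOGGING` block of exec_child() the rewritten `log_unit_struct()` call no longer passes `LOG_UNIT_INVOCATION_ID(unit)`, which the removed lines did. Unless `log_unit_struct()` adds the invocation ID itself in this branch (not visible in the patch), the "Executing:" record loses the field that ties it to one run of the unit, which makes journal correlation harder; if it is not implicit, keep `LOG_UNIT_MESSAGE(unit, "Executing: %s", line), LOG_UNIT_INVOCATION_ID(unit));`. The same block now sets `EXIT_MEMORY` and returns when `quote_command_line()` fails, so an allocation failure in a debug-only log path aborts the exec where the old code simply skipped the message; a short comment such as `/* OOM here is treated as fatal even though the string is only logged */` would record that this is intended. exec_child() starts and ends outside the hunk.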
@@ -1,13 +1,17 @@ -From 6178e2f88956e1900f445908ed053865cc22e879 Mon Sep 17 00:00:00 2001 +From 24a40953d3d6ad8b1429d19da2f66399ae3f7e0b Mon Sep 17 00:00:00 2001 From: Yu Watanabe Date: Thu, 5 Aug 2021 03:14:41 +0900 -Subject: [PATCH 2/2] core: wrap cgroup path with empty_to_root() in log - messages +Subject: [PATCH] core: wrap cgroup path with empty_to_root() in log messages This fixes e.g. the following log message: --- systemd[1]: -.slice: Failed to migrate controller cgroups from , ignoring: Read-only file system --- + +(cherry picked from commit 6178e2f88956e1900f445908ed053865cc22e879) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/24a40953d3d6ad8b1429d19da2f66399ae3f7e0b --- src/core/bpf-devices.c | 3 ++- src/core/cgroup.c | 46 +++++++++++++++++++++--------------------- @@ -36,7 +40,7 @@ index 8a345a4498..4daa7f76b0 100644 finish: /* Unref the old BPF program (which will implicitly detach it) right before attaching the new program. */ diff --git a/src/core/cgroup.c b/src/core/cgroup.c -index 83bd97327d..da821465da 100644 +index eab0929dc5..3a6f768c60 100644 --- a/src/core/cgroup.c +++ b/src/core/cgroup.c @@ -84,7 +84,7 @@ static int set_attribute_and_warn(Unit *u, const char *controller, const char *a @@ -48,7 +52,7 @@ index 83bd97327d..da821465da 100644 return r; } -@@ -706,25 +706,25 @@ void cgroup_oomd_xattr_apply(Unit *u, const char *cgroup_path) { +@@ -713,25 +713,25 @@ void cgroup_oomd_xattr_apply(Unit *u, const char *cgroup_path) { if (c->moom_preference == MANAGED_OOM_PREFERENCE_OMIT) { r = cg_set_xattr(SYSTEMD_CGROUP_CONTROLLER, cgroup_path, "user.oomd_omit", "1", 1, 0); if (r < 0) @@ -78,7 +82,7 @@ index 83bd97327d..da821465da 100644 } } -@@ -743,7 +743,7 @@ static void cgroup_xattr_apply(Unit *u) { +@@ -750,7 +750,7 @@ static void cgroup_xattr_apply(Unit *u) { sd_id128_to_string(u->invocation_id, ids), 32, 0); if (r < 0) 
@@ -87,7 +91,7 @@ index 83bd97327d..da821465da 100644 } if (unit_cgroup_delegate(u)) { -@@ -752,11 +752,11 @@ static void cgroup_xattr_apply(Unit *u) { +@@ -759,11 +759,11 @@ static void cgroup_xattr_apply(Unit *u) { "1", 1, 0); if (r < 0) @@ -101,7 +105,7 @@ index 83bd97327d..da821465da 100644 } cgroup_oomd_xattr_apply(u, u->cgroup_path); -@@ -1913,12 +1913,12 @@ int unit_watch_cgroup(Unit *u) { +@@ -1921,12 +1921,12 @@ int unit_watch_cgroup(Unit *u) { * is not an error */ return 0; @@ -116,7 +120,7 @@ index 83bd97327d..da821465da 100644 return 0; } -@@ -1976,12 +1976,12 @@ int unit_watch_cgroup_memory(Unit *u) { +@@ -1984,12 +1984,12 @@ int unit_watch_cgroup_memory(Unit *u) { * is not an error */ return 0; @@ -131,7 +135,7 @@ index 83bd97327d..da821465da 100644 return 0; } -@@ -2004,9 +2004,9 @@ int unit_pick_cgroup_path(Unit *u) { +@@ -2012,9 +2012,9 @@ int unit_pick_cgroup_path(Unit *u) { r = unit_set_cgroup_path(u, path); if (r == -EEXIST) @@ -143,7 +147,7 @@ index 83bd97327d..da821465da 100644 return 0; } -@@ -2034,7 +2034,7 @@ static int unit_update_cgroup( +@@ -2042,7 +2042,7 @@ static int unit_update_cgroup( /* First, create our own group */ r = cg_create_everywhere(u->manager->cgroup_supported, target_mask, u->cgroup_path); if (r < 0) @@ -152,7 +156,7 @@ index 83bd97327d..da821465da 100644 created = r; /* Start watching it */ -@@ -2050,7 +2050,7 @@ static int unit_update_cgroup( +@@ -2058,7 +2058,7 @@ static int unit_update_cgroup( /* Enable all controllers we need */ r = cg_enable_everywhere(u->manager->cgroup_supported, enable_mask, u->cgroup_path, &result_mask); if (r < 0) 
@@ -161,7 +165,7 @@ index 83bd97327d..da821465da 100644 /* Remember what's actually enabled now */ u->cgroup_enabled_mask = result_mask; -@@ -2072,12 +2072,12 @@ static int unit_update_cgroup( +@@ -2080,12 +2080,12 @@ static int unit_update_cgroup( if (cg_all_unified() == 0) { r = cg_migrate_v1_controllers(u->manager->cgroup_supported, migrate_mask, u->cgroup_path, migrate_callback, u); if (r < 0) @@ -176,7 +180,7 @@ index 83bd97327d..da821465da 100644 } /* Set attributes */ -@@ -2167,7 +2167,7 @@ int unit_attach_pids_to_cgroup(Unit *u, Set *pids, const char *suffix_path) { +@@ -2175,7 +2175,7 @@ int unit_attach_pids_to_cgroup(Unit *u, Set *pids, const char *suffix_path) { log_unit_full_errno(u, again ? LOG_DEBUG : LOG_INFO, q, "Couldn't move process "PID_FMT" to%s requested cgroup '%s': %m", @@ -185,7 +189,7 @@ index 83bd97327d..da821465da 100644 if (again) { int z; -@@ -2179,7 +2179,7 @@ int unit_attach_pids_to_cgroup(Unit *u, Set *pids, const char *suffix_path) { +@@ -2187,7 +2187,7 @@ int unit_attach_pids_to_cgroup(Unit *u, Set *pids, const char *suffix_path) { z = unit_attach_pid_to_cgroup_via_bus(u, pid, suffix_path); if (z < 0) @@ -194,7 +198,7 @@ index 83bd97327d..da821465da 100644 else continue; /* When the bus thing worked via the bus we are fully done for this PID. */ } -@@ -2213,7 +2213,7 @@ int unit_attach_pids_to_cgroup(Unit *u, Set *pids, const char *suffix_path) { +@@ -2221,7 +2221,7 @@ int unit_attach_pids_to_cgroup(Unit *u, Set *pids, const char *suffix_path) { continue; /* Success! */ log_unit_debug_errno(u, q, "Failed to attach PID " PID_FMT " to requested cgroup %s in controller %s, falling back to unit's cgroup: %m", 
@@ -203,7 +207,7 @@ index 83bd97327d..da821465da 100644 } /* So this controller is either not delegate or realized, or something else weird happened. In -@@ -2648,7 +2648,7 @@ void unit_prune_cgroup(Unit *u) { +@@ -2656,7 +2656,7 @@ void unit_prune_cgroup(Unit *u) { * the containing slice is stopped. So even if we failed now, this unit shouldn't assume * that the cgroup is still realized the next time it is started. Do not return early * on error, continue cleanup. */ @@ -212,7 +216,7 @@ index 83bd97327d..da821465da 100644 if (is_root_slice) return; -@@ -2861,7 +2861,7 @@ void unit_add_to_cgroup_empty_queue(Unit *u) { +@@ -2869,7 +2869,7 @@ void unit_add_to_cgroup_empty_queue(Unit *u) { r = cg_is_empty_recursive(SYSTEMD_CGROUP_CONTROLLER, u->cgroup_path); if (r < 0) { @@ -222,7 +226,7 @@ index 83bd97327d..da821465da 100644 } if (r == 0) diff --git a/src/core/unit.c b/src/core/unit.c -index 6273926013..8ce94ccb75 100644 +index 30afd5a776..47966bcf0d 100644 --- a/src/core/unit.c +++ b/src/core/unit.c @@ -427,7 +427,7 @@ bool unit_may_gc(Unit *u) { @@ -234,7 +238,7 @@ index 6273926013..8ce94ccb75 100644 if (r <= 0) return false; } -@@ -4548,7 +4548,7 @@ int unit_kill_context( +@@ -4553,7 +4553,7 @@ int unit_kill_context( log_func, u); if (r < 0) { if (!IN_SET(r, -EAGAIN, -ESRCH, -ENOENT)) @@ -243,7 +247,7 @@ index 6273926013..8ce94ccb75 100644 } else if (r > 0) { -@@ -5006,7 +5006,7 @@ int unit_fork_helper_process(Unit *u, const char *name, pid_t *ret) { +@@ -5011,7 +5011,7 @@ int unit_fork_helper_process(Unit *u, const char *name, pid_t *ret) { if (u->cgroup_path) { r = cg_attach_everywhere(u->manager->cgroup_supported, u->cgroup_path, 0, NULL, NULL); if (r < 0) { @@ -253,5 +257,5 @@ index 6273926013..8ce94ccb75 100644 } } -- -2.27.0 +2.33.0 
diff --git a/backport-coredump-Don-t-log-an-error-if-D-Bus-isn-t-running.patch b/backport-coredump-Don-t-log-an-error-if-D-Bus-isn-t-running.patch
new file mode 100644
index 0000000000000000000000000000000000000000..eddefb467f2cd840d19e8b882938e36a55171d66
--- /dev/null
+++ b/backport-coredump-Don-t-log-an-error-if-D-Bus-isn-t-running.patch
@@ -0,0 +1,36 @@
+From 6745eaa6308b835e2c5e68d49e9bece29fd37fa2 Mon Sep 17 00:00:00 2001
+From: Daan De Meyer
+Date: Wed, 6 Oct 2021 13:20:36 +0100
+Subject: [PATCH] coredump: Don't log an error if D-Bus isn't running
+
+coredumpctl could be used in a chroot where D-Bus isn't running. If
+that's the case, we shouldn't consider it an error if we can't connect
+to the D-Bus daemon so let's reduce the severity of the error we log
+when we can't connect to D-Bus because the socket doesn't exist.
+
+(cherry picked from commit 414bd2e786f9912f51b82e5fe4a1126179a5652a)
+
+Conflict:NA
+Reference:https://github.com/systemd/systemd/commit/6745eaa6308b835e2c5e68d49e9bece29fd37fa2
+---
+ src/coredump/coredumpctl.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/coredump/coredumpctl.c b/src/coredump/coredumpctl.c
+index def3650bb4..3d44e51e32 100644
+--- a/src/coredump/coredumpctl.c
++++ b/src/coredump/coredumpctl.c
+@@ -1186,6 +1186,10 @@ static int check_units_active(void) {
+ return false;
+
+ r = sd_bus_default_system(&bus);
++ if (r == -ENOENT) {
++ log_debug("D-Bus is not running, skipping active unit check");
++ return 0;
++ }
+ if (r < 0)
+ return log_error_errno(r, "Failed to acquire bus: %m");
+
+--
+2.33.0
+
diff --git a/backport-coredump-fix-filename-in-journal-when-not-compressed.patch b/backport-coredump-fix-filename-in-journal-when-not-compressed.patch
new file mode 100644
index 0000000000000000000000000000000000000000..c328f72af45a12bb90e7db373bb29e430917688e
--- /dev/null
+++ b/backport-coredump-fix-filename-in-journal-when-not-compressed.patch
@@ -0,0 +1,34 @@
+From 01cf580c235ac4725051e6101ce5bcef1b97cc48 Mon Sep 17 00:00:00 2001
+From: xdavidwu
+Date: Fri, 5 Nov 2021 22:37:06 +0800
+Subject: [PATCH] coredump: fix filename in journal when not compressed
+
+Since 587f2a5e564cf434c2e0a653f52b8f73e86092d8, filename for
+not-compressed coredump is missing from save_external_coredump, making
+it write COREDUMP_FILENAME= (empty) in journal, making `coredumpctl`
+report it missing but it is actually saved.
+This fixes it.
+
+(cherry picked from commit 0cfb0971f0fcd345cae76f6837d9801b6cbde407)
+
+Conflict:NA
+Reference:https://github.com/systemd/systemd/commit/01cf580c235ac4725051e6101ce5bcef1b97cc48
+---
+ src/coredump/coredump.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/coredump/coredump.c b/src/coredump/coredump.c
+index 444b9ec374..1e34c4b5be 100644
+--- a/src/coredump/coredump.c
++++ b/src/coredump/coredump.c
+@@ -525,6 +525,7 @@ static int save_external_coredump(
+ if (lseek(fd, 0, SEEK_SET) == (off_t) -1)
+ return log_error_errno(errno, "Failed to seek on coredump %s: %m", fn);
+
++ *ret_filename = TAKE_PTR(fn);
+ *ret_data_fd = TAKE_FD(fd);
+ *ret_size = (uint64_t) st.st_size;
+ *ret_truncated = truncated;
+--
+2.33.0
+
diff --git a/backport-coredump-stacktrace.c-avoid-crash-on-binaries-withou.patch b/backport-coredump-stacktrace.c-avoid-crash-on-binaries-withou.patch
new file mode 100644
index 0000000000000000000000000000000000000000..ef501bb2da203c51e89abad9ca1cb3efc748641d
--- /dev/null
+++ b/backport-coredump-stacktrace.c-avoid-crash-on-binaries-withou.patch
@@ -0,0 +1,55 @@ +From 765c366274db3ff841da237769f2b20a4ec3a045 Mon Sep 17 00:00:00 2001 +From: Sergei Trofimovich +Date: Sat, 31 Jul 2021 13:07:54 +0100 +Subject: [PATCH] coredump/stacktrace.c: avoid crash on binaries without NHDR + +Observed as a crash on binaries built with gcc-master: + +``` + 3 0x00005573b8841d6a in parse_package_metadata (name=name@entry=0x5573b901a620 "/a", id_json=0x0, + elf=0x5573b9028730, c=c@entry=0x7fffc688f790) at ../systemd-stable-249.2/src/coredump/stacktrace.c:157 + 4 0x00005573b884209e in module_callback (mod=0x7fffc688f6c0, userdata=, + name=0x5573b901a620 "/a", start=, arg=0x7fffc688f790) + at ../systemd-stable-249.2/src/coredump/stacktrace.c:306 + 5 0x00007f56d60dcbd5 in dwfl_getmodules (dwfl=0x5573b901fda0, + callback=callback@entry=0x5573b8841eb0 , arg=arg@entry=0x7fffc688f790, offset=offset@entry=0) + at ../../elfutils-0.185/libdwfl/dwfl_getmodules.c:86 + 6 0x00005573b884231b in parse_core (ret_package_metadata=0x7fffc688f848, ret=0x7fffc688f850, + executable=0x7fffc688f790 "\200\332\001\271sU", fd=21) at ../systemd-stable-249.2/src/coredump/stacktrace.c:366 + 7 coredump_parse_core (fd=fd@entry=6, executable=0x7fffc688f790 "\200\332\001\271sU", ret=ret@entry=0x7fffc688f850, + ret_package_metadata=ret_package_metadata@entry=0x7fffc688f848) + at ../systemd-stable-249.2/src/coredump/stacktrace.c:406 + 8 0x00005573b883f897 in submit_coredump (context=context@entry=0x7fffc688fa10, iovw=iovw@entry=0x7fffc688f990, + input_fd=input_fd@entry=5) at ../systemd-stable-249.2/src/coredump/coredump.c:827 + 9 0x00005573b883d339 in process_socket (fd=3) at ../systemd-stable-249.2/src/coredump/coredump.c:1041 + 10 run (argv=, argc=-964101648) at ../systemd-stable-249.2/src/coredump/coredump.c:1416 + 11 main (argc=-964101648, argv=) at ../systemd-stable-249.2/src/coredump/coredump.c:1422 +``` + +Happens only on enabled elfutils symbolizer. 
+ +Signed-off-by: Sergei Trofimovich +(cherry picked from commit 1da3eef262078905ec14c707eeab655a17ae8bd2) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/765c366274db3ff841da237769f2b20a4ec3a045 +--- + src/coredump/stacktrace.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/src/coredump/stacktrace.c b/src/coredump/stacktrace.c +index 0edb1b40a7..e46b324cdf 100644 +--- a/src/coredump/stacktrace.c ++++ b/src/coredump/stacktrace.c +@@ -153,6 +153,8 @@ static int parse_package_metadata(const char *name, JsonVariant *id_json, Elf *e + program_header->p_offset, + program_header->p_filesz, + ELF_T_NHDR); ++ if (!data) ++ continue; + + while (note_offset < data->d_size && + (note_offset = gelf_getnote(data, note_offset, ¬e_header, &name_offset, &desc_offset)) > 0) { +-- +2.33.0 + diff --git a/backport-coredumpctl-stop-truncating-information-about-coredu.patch b/backport-coredumpctl-stop-truncating-information-about-coredu.patch new file mode 100644 index 0000000000000000000000000000000000000000..072fb9a6270d6003874966157c9de931aeffa94b --- /dev/null +++ b/backport-coredumpctl-stop-truncating-information-about-coredu.patch 
@@ -0,0 +1,37 @@
+From 473627e1c9fcdf8f819ced2bb79cb7e9ff598b0c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?=
+Date: Tue, 12 Oct 2021 19:46:25 +0200
+Subject: [PATCH] coredumpctl: stop truncating information about coredump
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+With the changes to limit that print 'Found module …' over and over, we were
+hitting the journal field message limit, effectively truncating the info output.
+
+Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1998488.
+
+(cherry picked from commit 384c6207669eb0d92aa0043dbc01957c6c7ff41e)
+
+Conflict:NA
+Reference:https://github.com/systemd/systemd/commit/473627e1c9fcdf8f819ced2bb79cb7e9ff598b0c
+---
+ src/coredump/coredumpctl.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/coredump/coredumpctl.c b/src/coredump/coredumpctl.c
+index 3d44e51e32..7eba8330d7 100644
+--- a/src/coredump/coredumpctl.c
++++ b/src/coredump/coredumpctl.c
+@@ -555,6 +555,8 @@ static int print_info(FILE *file, sd_journal *j, bool need_space) {
+ assert(file);
+ assert(j);
+
++ (void) sd_journal_set_data_threshold(j, 0);
++
+ SD_JOURNAL_FOREACH_DATA(j, d, l) {
+ RETRIEVE(d, l, "MESSAGE_ID", mid);
+ RETRIEVE(d, l, "COREDUMP_PID", pid);
+--
+2.33.0
+
diff --git a/backport-creds-util-switch-to-OpenSSL-3.0-APIs.patch b/backport-creds-util-switch-to-OpenSSL-3.0-APIs.patch
new file mode 100644
index 0000000000000000000000000000000000000000..e63c2e89f4a3c9e253c9c55ce601f5a5b0a4896a
--- /dev/null
+++ b/backport-creds-util-switch-to-OpenSSL-3.0-APIs.patch
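Review bot: The added `sd_journal_set_data_threshold(j, 0)` in print_info() lifts the field size limit on the caller's journal handle and the hunk never restores it, so every later read through `j` is unbounded as well. The line also has no comment saying why the limit is dropped or why the result is cast to `(void)`. Since the fields printed here come from coredump journal entries, I would add something like `/* No size limit: the "Found module" lines can exceed the default threshold; on failure we only get truncated output */`. If `j` is used again after print_info() returns (not visible here), reading the previous value with `sd_journal_get_data_threshold()` and restoring it before returning would keep the change local. print_info() continues outside the hunk.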
@@ -0,0 +1,995 @@ +From 5f4862e5e1cd2a7ef302947b8634f7980e8d6275 Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Wed, 29 Sep 2021 09:47:08 +0200 +Subject: [PATCH] creds-util: switch to OpenSSL 3.0 APIs + +Let's switch from the low-level SHA256 APIs to EVP APIs. The former are +deprecated on OpenSSL 3.0, the latter are supported both by old +OpenSSL and by OpenSSL 3.0, hence are the better choice. + +Fixes: #20775 +(cherry picked from commit 18f568b8e64b48f6aee204cc6384b4796cd27eb0) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/5f4862e5e1cd2a7ef302947b8634f7980e8d6275 +--- + src/shared/creds-util.c | 954 ++++++++++++++++++++++++++++++++++++++ + src/shared/openssl-util.h | 1 + + 2 files changed, 955 insertions(+) + create mode 100644 src/shared/creds-util.c + +diff --git a/src/shared/creds-util.c b/src/shared/creds-util.c +new file mode 100644 +index 0000000000..b764198b76 +--- /dev/null ++++ b/src/shared/creds-util.c +@@ -0,0 +1,954 @@ ++/* SPDX-License-Identifier: LGPL-2.1-or-later */ ++ ++#include ++ ++#if HAVE_OPENSSL ++#include ++#endif ++ ++#include "sd-id128.h" ++ ++#include "blockdev-util.h" ++#include "chattr-util.h" ++#include "creds-util.h" ++#include "env-util.h" ++#include "fd-util.h" ++#include "fileio.h" ++#include "fs-util.h" ++#include "io-util.h" ++#include "memory-util.h" ++#include "mkdir.h" ++#include "openssl-util.h" ++#include "path-util.h" ++#include "random-util.h" ++#include "sparse-endian.h" ++#include "stat-util.h" ++#include "tpm2-util.h" ++#include "virt.h" ++ ++bool credential_name_valid(const char *s) { ++ /* We want that credential names are both valid in filenames (since that's our primary way to pass ++ * them around) and as fdnames (which is how we might want to pass them around eventually) */ ++ return filename_is_valid(s) && fdname_is_valid(s); ++} ++ ++int get_credentials_dir(const char **ret) { ++ const char *e; ++ ++ assert(ret); ++ ++ e = secure_getenv("CREDENTIALS_DIRECTORY"); ++ if (!e) ++ 
return -ENXIO; ++ ++ if (!path_is_absolute(e) || !path_is_normalized(e)) ++ return -EINVAL; ++ ++ *ret = e; ++ return 0; ++} ++ ++int read_credential(const char *name, void **ret, size_t *ret_size) { ++ _cleanup_free_ char *fn = NULL; ++ const char *d; ++ int r; ++ ++ assert(ret); ++ ++ if (!credential_name_valid(name)) ++ return -EINVAL; ++ ++ r = get_credentials_dir(&d); ++ if (r < 0) ++ return r; ++ ++ fn = path_join(d, name); ++ if (!fn) ++ return -ENOMEM; ++ ++ return read_full_file_full( ++ AT_FDCWD, fn, ++ UINT64_MAX, SIZE_MAX, ++ READ_FULL_FILE_SECURE, ++ NULL, ++ (char**) ret, ret_size); ++} ++ ++#if HAVE_OPENSSL ++ ++#define CREDENTIAL_HOST_SECRET_SIZE 4096 ++ ++static const sd_id128_t credential_app_id = ++ SD_ID128_MAKE(d3,ac,ec,ba,0d,ad,4c,df,b8,c9,38,15,28,93,6c,58); ++ ++struct credential_host_secret_format { ++ /* The hashed machine ID of the machine this belongs to. Why? We want to ensure that each machine ++ * gets its own secret, even if people forget to flush out this secret file. Hence we bind it to the ++ * machine ID, for which there's hopefully a better chance it will be flushed out. We use a hashed ++ * machine ID instead of the literal one, because it's trivial to, and it might be a good idea not ++ * being able to directly associate a secret key file with a host. 
*/ ++ sd_id128_t machine_id; ++ ++ /* The actual secret key */ ++ uint8_t data[CREDENTIAL_HOST_SECRET_SIZE]; ++} _packed_; ++ ++static int make_credential_host_secret( ++ int dfd, ++ const sd_id128_t machine_id, ++ const char *fn, ++ void **ret_data, ++ size_t *ret_size) { ++ ++ struct credential_host_secret_format buf; ++ _cleanup_free_ char *t = NULL; ++ _cleanup_close_ int fd = -1; ++ int r; ++ ++ assert(dfd >= 0); ++ assert(fn); ++ ++ fd = openat(dfd, ".", O_CLOEXEC|O_WRONLY|O_TMPFILE, 0400); ++ if (fd < 0) { ++ log_debug_errno(errno, "Failed to create temporary credential file with O_TMPFILE, proceeding without: %m"); ++ ++ if (asprintf(&t, "credential.secret.%016" PRIx64, random_u64()) < 0) ++ return -ENOMEM; ++ ++ fd = openat(dfd, t, O_CLOEXEC|O_WRONLY|O_CREAT|O_EXCL|O_NOFOLLOW, 0400); ++ if (fd < 0) ++ return -errno; ++ } ++ ++ r = chattr_secret(fd, 0); ++ if (r < 0) ++ log_debug_errno(r, "Failed to set file attributes for secrets file, ignoring: %m"); ++ ++ buf = (struct credential_host_secret_format) { ++ .machine_id = machine_id, ++ }; ++ ++ r = genuine_random_bytes(buf.data, sizeof(buf.data), RANDOM_BLOCK); ++ if (r < 0) ++ goto finish; ++ ++ r = loop_write(fd, &buf, sizeof(buf), false); ++ if (r < 0) ++ goto finish; ++ ++ if (fsync(fd) < 0) { ++ r = -errno; ++ goto finish; ++ } ++ ++ if (t) { ++ r = rename_noreplace(dfd, t, dfd, fn); ++ if (r < 0) ++ goto finish; ++ ++ t = mfree(t); ++ } else if (linkat(fd, "", dfd, fn, AT_EMPTY_PATH) < 0) { ++ r = -errno; ++ goto finish; ++ } ++ ++ if (fsync(dfd) < 0) { ++ r = -errno; ++ goto finish; ++ } ++ ++ if (ret_data) { ++ void *copy; ++ ++ copy = memdup(buf.data, sizeof(buf.data)); ++ if (!copy) { ++ r = -ENOMEM; ++ goto finish; ++ } ++ ++ *ret_data = copy; ++ } ++ ++ if (ret_size) ++ *ret_size = sizeof(buf.data); ++ ++ r = 0; ++ ++finish: ++ if (t && unlinkat(dfd, t, 0) < 0) ++ log_debug_errno(errno, "Failed to remove temporary credential key: %m"); ++ ++ explicit_bzero_safe(&buf, sizeof(buf)); ++ return r; 
++}
++
++int get_credential_host_secret(CredentialSecretFlags flags, void **ret, size_t *ret_size) {
++ _cleanup_free_ char *efn = NULL, *ep = NULL;
++ _cleanup_close_ int dfd = -1;
++ sd_id128_t machine_id;
++ const char *e, *fn, *p;
++ int r;
++
++ r = sd_id128_get_machine_app_specific(credential_app_id, &machine_id);
++ if (r < 0)
++ return r;
++
++ e = secure_getenv("SYSTEMD_CREDENTIAL_SECRET");
++ if (e) {
++ if (!path_is_normalized(e))
++ return -EINVAL;
++ if (!path_is_absolute(e))
++ return -EINVAL;
++
++ r = path_extract_directory(e, &ep);
++ if (r < 0)
++ return r;
++
++ r = path_extract_filename(e, &efn);
++ if (r < 0)
++ return r;
++
++ p = ep;
++ fn = efn;
++ } else {
++ p = "/var/lib/systemd";
++ fn = "credential.secret";
++ }
++
++ (void) mkdir_p(p, 0755);
++ dfd = open(p, O_CLOEXEC|O_DIRECTORY|O_RDONLY);
++ if (dfd < 0)
++ return -errno;
++
++ if (FLAGS_SET(flags, CREDENTIAL_SECRET_FAIL_ON_TEMPORARY_FS)) {
++ r = fd_is_temporary_fs(dfd);
++ if (r < 0)
++ return r;
++ if (r > 0)
++ return -ENOMEDIUM;
++ }
++
++ for (unsigned attempt = 0;; attempt++) {
++ _cleanup_(erase_and_freep) struct credential_host_secret_format *f = NULL;
++ _cleanup_close_ int fd = -1;
++ size_t l = 0;
++ ssize_t n = 0;
++ struct stat st;
++
++ if (attempt >= 3) /* Somebody is playing games with us */
++ return -EIO;
++
++ fd = openat(dfd, fn, O_CLOEXEC|O_RDONLY|O_NOCTTY|O_NOFOLLOW);
++ if (fd < 0) {
++ if (errno != ENOENT || !FLAGS_SET(flags, CREDENTIAL_SECRET_GENERATE))
++ return -errno;
++
++ r = make_credential_host_secret(dfd, machine_id, fn, ret, ret_size);
++ if (r == -EEXIST) {
++ log_debug_errno(r, "Credential secret was created while we were creating it. Trying to read new secret.");
++ continue;
++ }
++ if (r < 0)
++ return r;
++
++ return 0;
++ }
++
++ if (fstat(fd, &st) < 0)
++ return -errno;
++
++ r = stat_verify_regular(&st);
++ if (r < 0)
++ return r;
++ if (st.st_nlink == 0) /* Deleted by now, try again */
++ continue;
++ if (st.st_nlink > 1)
++ return -EPERM; /* Our deletion check won't work if hardlinked somewhere else */
++ if ((st.st_mode & 07777) != 0400) /* Don't use file if not 0400 access mode */
++ return -EPERM;
++ if (st.st_size > 16*1024*1024)
++ return -E2BIG;
++ l = st.st_size;
++ if (l < offsetof(struct credential_host_secret_format, data) + 1)
++ return -EINVAL;
++
++ f = malloc(l+1);
++ if (!f)
++ return -ENOMEM;
++
++ n = read(fd, f, l+1);
++ if (n < 0)
++ return -errno;
++ if ((size_t) n != l) /* What? The size changed? */
++ return -EIO;
++
++ if (sd_id128_equal(machine_id, f->machine_id)) {
++ size_t sz;
++
++ if (FLAGS_SET(flags, CREDENTIAL_SECRET_WARN_NOT_ENCRYPTED)) {
++ r = fd_is_encrypted(fd);
++ if (r < 0)
++ log_debug_errno(r, "Failed to determine if credential secret file '%s/%s' is encrypted.", p, fn);
++ else if (r == 0)
++ log_warning("Credential secret file '%s/%s' is not located on encrypted media, using anyway.", p, fn);
++ }
++
++ sz = l - offsetof(struct credential_host_secret_format, data);
++ assert(sz > 0);
++
++ if (ret) {
++ void *copy;
++
++ assert(sz <= sizeof(f->data)); /* Ensure we don't read past f->data bounds */
++
++ copy = memdup(f->data, sz);
++ if (!copy)
++ return -ENOMEM;
++
++ *ret = copy;
++ }
++
++ if (ret_size)
++ *ret_size = sz;
++
++ return 0;
++ }
++
++ /* Hmm, this secret is from somewhere else. Let's delete the file. Let's first acquire a lock
++ * to ensure we are the only ones accessing the file while we delete it. */
++
++ if (flock(fd, LOCK_EX) < 0)
++ return -errno;
++
++ /* Before we delete it check that the file is still linked into the file system */
++ if (fstat(fd, &st) < 0)
++ return -errno;
++ if (st.st_nlink == 0) /* Already deleted by now? */
++ continue;
++ if (st.st_nlink != 1) /* Safety check, someone is playing games with us */
++ return -EPERM;
++
++ if (unlinkat(dfd, fn, 0) < 0)
++ return -errno;
++
++ /* And now try again */
++ }
++}
++
++/* Construction is like this:
++ *
++ * A symmetric encryption key is derived from:
++ *
++ * 1. Either the "host" key (a key stored in /var/lib/credential.secret)
++ *
++ * 2. A key generated by letting the TPM2 calculate an HMAC hash of some nonce we pass to it, keyed
++ * by a key derived from its internal seed key.
++ *
++ * 3. The concatenation of the above.
++ *
++ * The above is hashed with SHA256 which is then used as encryption key for AES256-GCM. The encrypted
++ * credential is a short (unencrypted) header describing which of the three keys to use, the IV to use for
++ * AES256-GCM and some more meta information (sizes of certain objects) that is strictly speaking redundant,
++ * but kinda nice to have since we can have a more generic parser. If the TPM2 key is used this is followed
++ * by another (unencrypted) header, with information about the TPM2 policy used (specifically: the PCR mask
++ * to bind against, and a hash of the resulting policy — the latter being redundant, but speeding up things a
++ * bit, since we can more quickly refuse PCR state), followed by a sealed/exported TPM2 HMAC key. This is
++ * then followed by the encrypted data, which begins with a metadata header (which contains validity
++ * timestamps as well as the credential name), followed by the actual credential payload. The file ends in
++ * the AES256-GCM tag. To make things simple, the AES256-GCM AAD covers the main and the TPM2 header in
++ * full. This means the whole file is either protected by AAD, or is ciphertext, or is the tag. No
++ * unprotected data is included.
++ */
++
++struct _packed_ encrypted_credential_header {
++ sd_id128_t id;
++ le32_t key_size;
++ le32_t block_size;
++ le32_t iv_size;
++ le32_t tag_size;
++ uint8_t iv[];
++ /* Followed by NUL bytes until next 8 byte boundary */
++};
++
++struct _packed_ tpm2_credential_header {
++ le64_t pcr_mask; /* Note that the spec for PC Clients only mandates 24 PCRs, and that's what systems
++ * generally have. But keep the door open for more. */
++ le16_t pcr_bank; /* For now, either TPM2_ALG_SHA256 or TPM2_ALG_SHA1 */
++ le16_t primary_alg; /* Primary key algorithm (either TPM2_ALG_RSA or TPM2_ALG_ECC for now) */
++ le32_t blob_size;
++ le32_t policy_hash_size;
++ uint8_t policy_hash_and_blob[];
++ /* Followed by NUL bytes until next 8 byte boundary */
++};
++
++struct _packed_ metadata_credential_header {
++ le64_t timestamp;
++ le64_t not_after;
++ le32_t name_size;
++ char name[];
++ /* Followed by NUL bytes until next 8 byte boundary */
++};
++
++/* Some generic limit for parts of the encrypted credential for which we don't know the right size ahead of
++ * time, but where we are really sure it won't be larger than this. Should be larger than any possible IV,
++ * padding, tag size and so on. This is purely used for early filtering out of invalid sizes. */
++#define CREDENTIAL_FIELD_SIZE_MAX (16U*1024U)
++
++static int sha256_hash_host_and_tpm2_key(
++ const void *host_key,
++ size_t host_key_size,
++ const void *tpm2_key,
++ size_t tpm2_key_size,
++ uint8_t ret[static SHA256_DIGEST_LENGTH]) {
++
++ _cleanup_(EVP_MD_CTX_freep) EVP_MD_CTX *md = NULL;
++ unsigned l;
++
++ assert(host_key_size == 0 || host_key);
++ assert(tpm2_key_size == 0 || tpm2_key);
++ assert(ret);
++
++ /* Combines the host key and the TPM2 HMAC hash into a SHA256 hash value we'll use as symmetric encryption key. */
++
++ md = EVP_MD_CTX_new();
++ if (!md)
++ return log_oom();
++
++ if (EVP_DigestInit_ex(md, EVP_sha256(), NULL) != 1)
++ return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to initial SHA256 context.");
++
++ if (host_key && EVP_DigestUpdate(md, host_key, host_key_size) != 1)
++ return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to hash host key.");
++
++ if (tpm2_key && EVP_DigestUpdate(md, tpm2_key, tpm2_key_size) != 1)
++ return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to hash TPM2 key.");
++
++ assert(EVP_MD_CTX_size(md) == SHA256_DIGEST_LENGTH);
++
++ if (EVP_DigestFinal_ex(md, ret, &l) != 1)
++ return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to finalize SHA256 hash.");
++
++ assert(l == SHA256_DIGEST_LENGTH);
++ return 0;
++}
++
++int encrypt_credential_and_warn(
++ sd_id128_t with_key,
++ const char *name,
++ usec_t timestamp,
++ usec_t not_after,
++ const char *tpm2_device,
++ uint32_t tpm2_pcr_mask,
++ const void *input,
++ size_t input_size,
++ void **ret,
++ size_t *ret_size) {
++
++ _cleanup_(EVP_CIPHER_CTX_freep) EVP_CIPHER_CTX *context = NULL;
++ _cleanup_(erase_and_freep) void *host_key = NULL, *tpm2_key = NULL;
++ size_t host_key_size = 0, tpm2_key_size = 0, tpm2_blob_size = 0, tpm2_policy_hash_size = 0, output_size, p, ml;
++ _cleanup_free_ void *tpm2_blob = NULL, *tpm2_policy_hash = NULL, *iv = NULL, *output = NULL;
++ _cleanup_free_ struct metadata_credential_header *m = NULL;
++ uint16_t tpm2_pcr_bank = 0, tpm2_primary_alg = 0;
++ struct encrypted_credential_header *h;
++ int ksz, bsz, ivsz, tsz, added, r;
++ uint8_t md[SHA256_DIGEST_LENGTH];
++ const EVP_CIPHER *cc;
++#if HAVE_TPM2
++ bool try_tpm2 = false;
++#endif
++ sd_id128_t id;
++
++ assert(input || input_size == 0);
++ assert(ret);
++ assert(ret_size);
++
++ if (name && !credential_name_valid(name))
++ return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Invalid credential name: %s", name);
++
++ if (not_after != USEC_INFINITY && timestamp != USEC_INFINITY && not_after < timestamp)
++ return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Credential is invalidated before it is valid (" USEC_FMT " < " USEC_FMT ").", not_after, timestamp);
++
++ if (DEBUG_LOGGING) {
++ char buf[FORMAT_TIMESTAMP_MAX];
++
++ if (name)
++ log_debug("Including credential name '%s' in encrypted credential.", name);
++ if (timestamp != USEC_INFINITY)
++ log_debug("Including timestamp '%s' in encrypted credential.", format_timestamp(buf, sizeof(buf), timestamp));
++ if (not_after != USEC_INFINITY)
++ log_debug("Including not-after timestamp '%s' in encrypted credential.", format_timestamp(buf, sizeof(buf), not_after));
++ }
++
++ if (sd_id128_is_null(with_key) ||
++ sd_id128_in_set(with_key, CRED_AES256_GCM_BY_HOST, CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC)) {
++
++ r = get_credential_host_secret(
++ CREDENTIAL_SECRET_GENERATE|
++ CREDENTIAL_SECRET_WARN_NOT_ENCRYPTED|
++ (sd_id128_is_null(with_key) ? CREDENTIAL_SECRET_FAIL_ON_TEMPORARY_FS : 0),
++ &host_key,
++ &host_key_size);
++ if (r == -ENOMEDIUM && sd_id128_is_null(with_key))
++ log_debug_errno(r, "Credential host secret location on temporary file system, not using.");
++ else if (r < 0)
++ return log_error_errno(r, "Failed to determine local credential host secret: %m");
++ }
++
++#if HAVE_TPM2
++ if (sd_id128_is_null(with_key)) {
++ /* If automatic mode is selected and we are running in a container, let's not try TPM2. OTOH
++ * if user picks TPM2 explicitly, let's always honour the request and try. */
++
++ r = detect_container();
++ if (r < 0)
++ log_debug_errno(r, "Failed to determine whether we are running in a container, ignoring: %m");
++ else if (r > 0)
++ log_debug("Running in container, not attempting to use TPM2.");
++
++ try_tpm2 = r <= 0;
++ }
++
++ if (try_tpm2 ||
++ sd_id128_in_set(with_key, CRED_AES256_GCM_BY_TPM2_HMAC, CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC)) {
++
++ r = tpm2_seal(tpm2_device,
++ tpm2_pcr_mask,
++ &tpm2_key,
++ &tpm2_key_size,
++ &tpm2_blob,
++ &tpm2_blob_size,
++ &tpm2_policy_hash,
++ &tpm2_policy_hash_size,
++ &tpm2_pcr_bank,
++ &tpm2_primary_alg);
++ if (r < 0) {
++ if (!sd_id128_is_null(with_key))
++ return r;
++
++ log_debug_errno(r, "TPM2 sealing didn't work, not using: %m");
++ }
++
++ assert(tpm2_blob_size <= CREDENTIAL_FIELD_SIZE_MAX);
++ assert(tpm2_policy_hash_size <= CREDENTIAL_FIELD_SIZE_MAX);
++ }
++#endif
++
++ if (sd_id128_is_null(with_key)) {
++ /* Let's settle the key type in auto mode now. */
++
++ if (host_key && tpm2_key)
++ id = CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC;
++ else if (tpm2_key)
++ id = CRED_AES256_GCM_BY_TPM2_HMAC;
++ else if (host_key)
++ id = CRED_AES256_GCM_BY_HOST;
++ else
++ return log_error_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
++ "TPM2 not available and host key located on temporary file system, no encryption key available.");
++ } else
++ id = with_key;
++
++ /* Let's now take the host key and the TPM2 key and hash it together, to use as encryption key for the data */
++ r = sha256_hash_host_and_tpm2_key(host_key, host_key_size, tpm2_key, tpm2_key_size, md);
++ if (r < 0)
++ return r;
++
++ assert_se(cc = EVP_aes_256_gcm());
++
++ ksz = EVP_CIPHER_key_length(cc);
++ assert(ksz == sizeof(md));
++
++ bsz = EVP_CIPHER_block_size(cc);
++ assert(bsz > 0);
++ assert((size_t) bsz <= CREDENTIAL_FIELD_SIZE_MAX);
++
++ ivsz = EVP_CIPHER_iv_length(cc);
++ if (ivsz > 0) {
++ assert((size_t) ivsz <= CREDENTIAL_FIELD_SIZE_MAX);
++
++ iv = malloc(ivsz);
++ if (!iv)
++ return log_oom();
++
++ r = genuine_random_bytes(iv, ivsz, RANDOM_BLOCK);
++ if (r < 0)
++ return log_error_errno(r, "Failed to acquired randomized IV: %m");
++ }
++
++ tsz = 16; /* FIXME: On OpenSSL 3 there is EVP_CIPHER_CTX_get_tag_length(), until then let's hardcode this */
++
++ context = EVP_CIPHER_CTX_new();
++ if (!context)
++ return log_error_errno(SYNTHETIC_ERRNO(ENOMEM), "Failed to allocate encryption object: %s",
++ ERR_error_string(ERR_get_error(), NULL));
++
++ if (EVP_EncryptInit_ex(context, cc, NULL, md, iv) != 1)
++ return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to initialize encryption context: %s",
++ ERR_error_string(ERR_get_error(), NULL));
++
++ /* Just an upper estimate */
++ output_size =
++ ALIGN8(offsetof(struct encrypted_credential_header, iv) + ivsz) +
++ ALIGN8(tpm2_key ? offsetof(struct tpm2_credential_header, policy_hash_and_blob) + tpm2_blob_size + tpm2_policy_hash_size : 0) +
++ ALIGN8(offsetof(struct metadata_credential_header, name) + strlen_ptr(name)) +
++ input_size + 2U * (size_t) bsz +
++ tsz;
++
++ output = malloc0(output_size);
++ if (!output)
++ return log_oom();
++
++ h = (struct encrypted_credential_header*) output;
++ h->id = id;
++ h->block_size = htole32(bsz);
++ h->key_size = htole32(ksz);
++ h->tag_size = htole32(tsz);
++ h->iv_size = htole32(ivsz);
++ memcpy(h->iv, iv, ivsz);
++
++ p = ALIGN8(offsetof(struct encrypted_credential_header, iv) + ivsz);
++
++ if (tpm2_key) {
++ struct tpm2_credential_header *t;
++
++ t = (struct tpm2_credential_header*) ((uint8_t*) output + p);
++ t->pcr_mask = htole64(tpm2_pcr_mask);
++ t->pcr_bank = htole16(tpm2_pcr_bank);
++ t->primary_alg = htole16(tpm2_primary_alg);
++ t->blob_size = htole32(tpm2_blob_size);
++ t->policy_hash_size = htole32(tpm2_policy_hash_size);
++ memcpy(t->policy_hash_and_blob, tpm2_blob, tpm2_blob_size);
++ memcpy(t->policy_hash_and_blob + tpm2_blob_size, tpm2_policy_hash, tpm2_policy_hash_size);
++
++ p += ALIGN8(offsetof(struct tpm2_credential_header, policy_hash_and_blob) + tpm2_blob_size + tpm2_policy_hash_size);
++ }
++
++ /* Pass the encrypted + TPM2 header as AAD */
++ if (EVP_EncryptUpdate(context, NULL, &added, output, p) != 1)
++ return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to write AAD data: %s",
++ ERR_error_string(ERR_get_error(), NULL));
++
++ /* Now construct the metadata header */
++ ml = strlen_ptr(name);
++ m = malloc0(ALIGN8(offsetof(struct metadata_credential_header, name) + ml));
++ if (!m)
++ return log_oom();
++
++ m->timestamp = htole64(timestamp);
++ m->not_after = htole64(not_after);
++ m->name_size = htole32(ml);
++ memcpy_safe(m->name, name, ml);
++
++ /* And encrypt the metadata header */
++ if (EVP_EncryptUpdate(context, (uint8_t*) output + p, &added, (const unsigned char*) m, ALIGN8(offsetof(struct metadata_credential_header, name) + ml)) != 1)
++ return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to encrypt metadata header: %s",
++ ERR_error_string(ERR_get_error(), NULL));
++
++ assert(added >= 0);
++ assert((size_t) added <= output_size - p);
++ p += added;
++
++ /* Then encrypt the plaintext */
++ if (EVP_EncryptUpdate(context, (uint8_t*) output + p, &added, input, input_size) != 1)
++ return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to encrypt data: %s",
++ ERR_error_string(ERR_get_error(), NULL));
++
++ assert(added >= 0);
++ assert((size_t) added <= output_size - p);
++ p += added;
++
++ /* Finalize */
++ if (EVP_EncryptFinal_ex(context, (uint8_t*) output + p, &added) != 1)
++ return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to finalize data encryption: %s",
++ ERR_error_string(ERR_get_error(), NULL));
++
++ assert(added >= 0);
++ assert((size_t) added <= output_size - p);
++ p += added;
++
++ assert(p <= output_size - tsz);
++
++ /* Append tag */
++ if (EVP_CIPHER_CTX_ctrl(context, EVP_CTRL_GCM_GET_TAG, tsz, (uint8_t*) output + p) != 1)
++ return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to get tag: %s",
++ ERR_error_string(ERR_get_error(), NULL));
++
++ p += tsz;
++ assert(p <= output_size);
++
++ if (DEBUG_LOGGING && input_size > 0) {
++ size_t base64_size;
++
++ base64_size = DIV_ROUND_UP(p * 4, 3); /* Include base64 size increase in debug output */
++ assert(base64_size >= input_size);
++ log_debug("Input of %zu bytes grew to output of %zu bytes (+%2zu%%).", input_size, base64_size, base64_size * 100 / input_size - 100);
++ }
++
++ *ret = TAKE_PTR(output);
++ *ret_size = p;
++
++ return 0;
++}
++
++int decrypt_credential_and_warn(
++ const char *validate_name,
++ usec_t validate_timestamp,
++ const char *tpm2_device,
++ const void *input,
++ size_t input_size,
++ void **ret,
++ size_t *ret_size) {
++
++ _cleanup_(erase_and_freep) void *host_key = NULL, *tpm2_key = NULL, *plaintext = NULL;
++ _cleanup_(EVP_CIPHER_CTX_freep) EVP_CIPHER_CTX *context = NULL;
++ size_t host_key_size = 0, tpm2_key_size = 0, plaintext_size, p, hs;
++ struct encrypted_credential_header *h;
++ struct metadata_credential_header *m;
++ uint8_t md[SHA256_DIGEST_LENGTH];
++ bool with_tpm2, with_host_key;
++ const EVP_CIPHER *cc;
++ int r, added;
++
++ assert(input || input_size == 0);
++ assert(ret);
++ assert(ret_size);
++
++ h = (struct encrypted_credential_header*) input;
++
++ /* The ID must fit in, for the current and all future formats */
++ if (input_size < sizeof(h->id))
++ return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Encrypted file too short.");
++
++ with_host_key = sd_id128_in_set(h->id, CRED_AES256_GCM_BY_HOST, CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC);
++ with_tpm2 = sd_id128_in_set(h->id, CRED_AES256_GCM_BY_TPM2_HMAC, CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC);
++
++ if (!with_host_key && !with_tpm2)
++ return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "Unknown encryption format, or corrupted data: %m");
++
++ /* Now we know the minimum header size */
++ if (input_size < offsetof(struct encrypted_credential_header, iv))
++ return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Encrypted file too short.");
++
++ /* Verify some basic header values */
++ if (le32toh(h->key_size) != sizeof(md))
++ return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Unexpected key size in header.");
++ if (le32toh(h->block_size) <= 0 || le32toh(h->block_size) > CREDENTIAL_FIELD_SIZE_MAX)
++ return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Unexpected block size in header.");
++ if (le32toh(h->iv_size) > CREDENTIAL_FIELD_SIZE_MAX)
++ return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "IV size too large.");
++ if (le32toh(h->tag_size) != 16) /* FIXME: On OpenSSL 3, let's verify via EVP_CIPHER_CTX_get_tag_length() */
++ return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Unexpected tag size in header.");
++
++ /* Ensure we have space for the full header now (we don't know the size of the name hence this is a
++ * lower limit only) */
++ if (input_size <
++ ALIGN8(offsetof(struct encrypted_credential_header, iv) + le32toh(h->iv_size)) +
++ ALIGN8((with_tpm2 ? offsetof(struct tpm2_credential_header, policy_hash_and_blob) : 0)) +
++ ALIGN8(offsetof(struct metadata_credential_header, name)) +
++ le32toh(h->tag_size))
++ return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Encrypted file too short.");
++
++ p = ALIGN8(offsetof(struct encrypted_credential_header, iv) + le32toh(h->iv_size));
++
++ if (with_tpm2) {
++#if HAVE_TPM2
++ struct tpm2_credential_header* t = (struct tpm2_credential_header*) ((uint8_t*) input + p);
++
++ if (le64toh(t->pcr_mask) >= (UINT64_C(1) << TPM2_PCRS_MAX))
++ return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "TPM2 PCR mask out of range.");
++ if (!tpm2_pcr_bank_to_string(le16toh(t->pcr_bank)))
++ return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "TPM2 PCR bank invalid or not supported");
++ if (!tpm2_primary_alg_to_string(le16toh(t->primary_alg)))
++ return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "TPM2 primary key algorithm invalid or not supported.");
++ if (le32toh(t->blob_size) > CREDENTIAL_FIELD_SIZE_MAX)
++ return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Unexpected TPM2 blob size.");
++ if (le32toh(t->policy_hash_size) > CREDENTIAL_FIELD_SIZE_MAX)
++ return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Unexpected TPM2 policy hash size.");
++
++ /* Ensure we have space for the full TPM2 header now (still don't know the name, and its size
++ * though, hence still just a lower limit test only) */
++ if (input_size <
++ ALIGN8(offsetof(struct encrypted_credential_header, iv) + le32toh(h->iv_size)) +
++ ALIGN8(offsetof(struct tpm2_credential_header, policy_hash_and_blob) + le32toh(t->blob_size) + le32toh(t->policy_hash_size)) +
++ ALIGN8(offsetof(struct metadata_credential_header, name)) +
++ le32toh(h->tag_size))
++ return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Encrypted file too short.");
++
++ r = tpm2_unseal(tpm2_device,
++ le64toh(t->pcr_mask),
++ le16toh(t->pcr_bank),
++ le16toh(t->primary_alg),
++ t->policy_hash_and_blob,
++ le32toh(t->blob_size),
++ t->policy_hash_and_blob + le32toh(t->blob_size),
++ le32toh(t->policy_hash_size),
++ &tpm2_key,
++ &tpm2_key_size);
++ if (r < 0)
++ return r;
++
++ p += ALIGN8(offsetof(struct tpm2_credential_header, policy_hash_and_blob) +
++ le32toh(t->blob_size) +
++ le32toh(t->policy_hash_size));
++#else
++ return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "Credential requires TPM2 support, but TPM2 support not available.");
++#endif
++ }
++
++ if (with_host_key) {
++ r = get_credential_host_secret(
++ 0,
++ &host_key,
++ &host_key_size);
++ if (r < 0)
++ return log_error_errno(r, "Failed to determine local credential key: %m");
++ }
++
++ sha256_hash_host_and_tpm2_key(host_key, host_key_size, tpm2_key, tpm2_key_size, md);
++
++ assert_se(cc = EVP_aes_256_gcm());
++
++ /* Make sure cipher expectations match the header */
++ if (EVP_CIPHER_key_length(cc) != (int) le32toh(h->key_size))
++ return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Unexpected key size in header.");
++ if (EVP_CIPHER_block_size(cc) != (int) le32toh(h->block_size))
++ return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Unexpected block size in header.");
++
++ context = EVP_CIPHER_CTX_new();
++ if (!context)
++ return log_error_errno(SYNTHETIC_ERRNO(ENOMEM), "Failed to allocate decryption object: %s",
++ ERR_error_string(ERR_get_error(), NULL));
++
++ if (EVP_DecryptInit_ex(context, cc, NULL, NULL, NULL) != 1)
++ return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to initialize decryption context: %s",
++ ERR_error_string(ERR_get_error(), NULL));
++
++ if (EVP_CIPHER_CTX_ctrl(context, EVP_CTRL_GCM_SET_IVLEN, le32toh(h->iv_size), NULL) != 1)
++ return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to set IV size on decryption context: %s",
++ ERR_error_string(ERR_get_error(), NULL));
++
++ if (EVP_DecryptInit_ex(context, NULL, NULL, md, h->iv) != 1)
++ return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to set IV and key: %s",
++ ERR_error_string(ERR_get_error(), NULL));
++
++ if (EVP_DecryptUpdate(context, NULL, &added, input, p) != 1)
++ return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to write AAD data: %s",
++ ERR_error_string(ERR_get_error(), NULL));
++
++ plaintext = malloc(input_size - p - le32toh(h->tag_size));
++ if (!plaintext)
++ return -ENOMEM;
++
++ if (EVP_DecryptUpdate(
++ context,
++ plaintext,
++ &added,
++ (uint8_t*) input + p,
++ input_size - p - le32toh(h->tag_size)) != 1)
++ return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to decrypt data: %s",
++ ERR_error_string(ERR_get_error(), NULL));
++
++ assert(added >= 0);
++ assert((size_t) added <= input_size - p - le32toh(h->tag_size));
++ plaintext_size = added;
++
++ if (EVP_CIPHER_CTX_ctrl(context, EVP_CTRL_GCM_SET_TAG, le32toh(h->tag_size), (uint8_t*) input + input_size - le32toh(h->tag_size)) != 1)
++ return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to set tag: %s",
++ ERR_error_string(ERR_get_error(), NULL));
++
++ if (EVP_DecryptFinal_ex(context, (uint8_t*) plaintext + plaintext_size, &added) != 1)
++ return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Decryption failed (incorrect key?): %s",
++ ERR_error_string(ERR_get_error(), NULL));
++
++ plaintext_size += added;
++
++ if (plaintext_size < ALIGN8(offsetof(struct metadata_credential_header, name)))
++ return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Metadata header incomplete.");
++
++ m = plaintext;
++
++ if (le64toh(m->timestamp) != USEC_INFINITY &&
++ le64toh(m->not_after) != USEC_INFINITY &&
++ le64toh(m->timestamp) >= le64toh(m->not_after))
++ return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Timestamps of credential are not in order, refusing.");
++
++ if (le32toh(m->name_size) > CREDENTIAL_NAME_MAX)
++ return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Embedded credential name too long, refusing.");
++
++ hs = ALIGN8(offsetof(struct metadata_credential_header, name) + le32toh(m->name_size));
++ if (plaintext_size < hs)
++ return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Metadata header incomplete.");
++
++ if (le32toh(m->name_size) > 0) {
++ _cleanup_free_ char *embedded_name = NULL;
++
++ if (memchr(m->name, 0, le32toh(m->name_size)))
++ return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Embedded credential name contains NUL byte, refusing.");
++
++ embedded_name = memdup_suffix0(m->name, le32toh(m->name_size));
++ if (!embedded_name)
++ return log_oom();
++
++ if (!credential_name_valid(embedded_name))
++ return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Embedded credential name is not valid, refusing.");
++
++ if (validate_name && !streq(embedded_name, validate_name)) {
++
++ r = getenv_bool_secure("SYSTEMD_CREDENTIAL_VALIDATE_NAME");
++ if (r < 0 && r != -ENXIO)
++ log_debug_errno(r, "Failed to parse $SYSTEMD_CREDENTIAL_VALIDATE_NAME: %m");
++ if (r != 0)
++ return log_error_errno(SYNTHETIC_ERRNO(EREMOTE), "Embedded credential name '%s' does not match filename '%s', refusing.", embedded_name, validate_name);
++
++ log_debug("Embedded credential name '%s' does not match expected name '%s', but configured to use credential anyway.", embedded_name, validate_name);
++ }
++ }
++
++ if (validate_timestamp != USEC_INFINITY) {
++ if (le64toh(m->timestamp) != USEC_INFINITY && le64toh(m->timestamp) > validate_timestamp)
++ log_debug("Credential timestamp is from the future, assuming clock skew.");
++
++ if (le64toh(m->not_after) != USEC_INFINITY && le64toh(m->not_after) < validate_timestamp) {
++
++ r = getenv_bool_secure("SYSTEMD_CREDENTIAL_VALIDATE_NOT_AFTER");
++ if (r < 0 && r != -ENXIO)
++ log_debug_errno(r, "Failed to parse $SYSTEMD_CREDENTIAL_VALIDATE_NOT_AFTER: %m");
++ if (r != 0)
++ return log_error_errno(SYNTHETIC_ERRNO(ESTALE), "Credential's time passed, refusing to use.");
++
++ log_debug("Credential not-after timestamp has passed, but configured to use credential anyway.");
++ }
++ }
++
++ if (ret) {
++ char *without_metadata;
++
++ without_metadata = memdup((uint8_t*) plaintext + hs, plaintext_size - hs);
++ if (!without_metadata)
++ return log_oom();
++
++ *ret = without_metadata;
++ }
++
++ if (ret_size)
++ *ret_size = plaintext_size - hs;
++
++ return 0;
++}
++
++#else
++
++int get_credential_host_secret(CredentialSecretFlags flags, void **ret, size_t *ret_size) {
++ return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "Support for encrypted credentials not available.");
++}
++
++int encrypt_credential_and_warn(sd_id128_t with_key, const char *name, usec_t timestamp, usec_t not_after, const char *tpm2_device, uint32_t tpm2_pcr_mask, const void *input, size_t input_size, void **ret, size_t *ret_size) {
++ return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "Support for encrypted credentials not available.");
++}
++
++int decrypt_credential_and_warn(const char *validate_name, usec_t validate_timestamp, const char *tpm2_device, const void *input, size_t input_size, void **ret, size_t *ret_size) {
++ return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "Support for encrypted credentials not available.");
++}
++
++#endif
+diff --git a/src/shared/openssl-util.h b/src/shared/openssl-util.h
+index e6c2bd9310..ce8207414f 100644
+--- a/src/shared/openssl-util.h
++++ b/src/shared/openssl-util.h
+@@ -11,6 +11,7 @@ DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(X509*, X509_free, NULL);
+ DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(X509_NAME*, X509_NAME_free, NULL);
+ DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(EVP_PKEY_CTX*, EVP_PKEY_CTX_free, NULL);
+ DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(EVP_CIPHER_CTX*, EVP_CIPHER_CTX_free, NULL);
++DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(EVP_MD_CTX*, EVP_MD_CTX_free, NULL);
+
+ int rsa_encrypt_bytes(EVP_PKEY *pkey, const void *decrypted_key, size_t decrypted_key_size, void **ret_encrypt_key, size_t *ret_encrypt_key_size);
+
+--
+2.33.0
+
diff --git a/backport-cryptenroll-fix-wrong-error-messages.patch b/backport-cryptenroll-fix-wrong-error-messages.patch
new file mode 100644
index 0000000000000000000000000000000000000000..b234f971f787437361aeecd1c73a0083b6a1afaf
--- /dev/null
+++ b/backport-cryptenroll-fix-wrong-error-messages.patch
@@ -0,0 +1,40 @@
+From a9149ef71dbfafd964b4e509690418be602c6eb6 Mon Sep 17 00:00:00 2001
+From: Gibeom Gwon
+Date: Fri, 3 Dec 2021 15:10:50 +0900
+Subject: [PATCH] cryptenroll: fix wrong error messages
+
+PKCS#11 -> FIDO2 in cryptenroll-fido2.c
+
+(cherry picked from commit 4b9aa29bc9ded35147f9fa77f77e13c3c6fa7fcf)
+
+Conflict:NA
+Reference:https://github.com/systemd/systemd/commit/a9149ef71dbfafd964b4e509690418be602c6eb6
+---
+ src/cryptenroll/cryptenroll-fido2.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/cryptenroll/cryptenroll-fido2.c b/src/cryptenroll/cryptenroll-fido2.c
+index fbf76ee586..9e1d94bd16 100644
+--- a/src/cryptenroll/cryptenroll-fido2.c
++++ b/src/cryptenroll/cryptenroll-fido2.c
+@@ -67,7 +67,7 @@ int enroll_fido2(
+ base64_encoded,
+ strlen(base64_encoded));
+ if (keyslot < 0)
+- return log_error_errno(keyslot, "Failed to add new PKCS#11 key to %s: %m", node);
++ return log_error_errno(keyslot, "Failed to add new FIDO2 key to %s: %m", node);
+
+ if (asprintf(&keyslot_as_string, "%i", keyslot) < 0)
+ return log_oom();
+@@ -83,7 +83,7 @@ int enroll_fido2(
+ JSON_BUILD_PAIR("fido2-up-required", JSON_BUILD_BOOLEAN(FLAGS_SET(lock_with, FIDO2ENROLL_UP))),
+ JSON_BUILD_PAIR("fido2-uv-required", JSON_BUILD_BOOLEAN(FLAGS_SET(lock_with, FIDO2ENROLL_UV)))));
+ if (r < 0)
+- return log_error_errno(r, "Failed to prepare PKCS#11 JSON token object: %m");
++ return log_error_errno(r, "Failed to prepare FIDO2 JSON token object: %m");
+
+ r = cryptsetup_add_token_json(cd, v);
+ if (r < 0)
+--
+2.33.0
+
diff --git a/backport-dbus-wait-for-jobs-add-extra_args-to-bus_wait_for_jo.patch b/backport-dbus-wait-for-jobs-add-extra_args-to-bus_wait_for_jo.patch
new file mode 100644
index 0000000000000000000000000000000000000000..db4033d5573e6b7f3c398955a7de58d03dab6c55
--- /dev/null
+++ b/backport-dbus-wait-for-jobs-add-extra_args-to-bus_wait_for_jo.patch
@@ -0,0 +1,143 @@
+From 84188acc6fe4a2f04c91c2c4d7b20a3166caa63b Mon Sep 17 00:00:00 2001
+From: Luca Boccassi
+Date: Thu, 30 Dec 2021 00:53:29 +0000
+Subject: [PATCH] dbus-wait-for-jobs: add extra_args to bus_wait_for_jobs_one()
+
+And pass it through to bus_wait_for_jobs()
+
+(cherry picked from commit 86980de64bf8c03505eec729808f52f3b3042998)
+(cherry picked from commit 0c4fe2e3dcde8225006a36cff643c112bd6c6523)
+
+Conflict:NA
+Reference:https://github.com/systemd/systemd/commit/84188acc6fe4a2f04c91c2c4d7b20a3166caa63b
+---
+ src/mount/mount-tool.c | 6 +++---
+ src/nspawn/nspawn-register.c | 2 +-
+ src/run/run.c | 6 +++---
+ src/shared/bus-wait-for-jobs.c | 4 ++--
+ src/shared/bus-wait-for-jobs.h | 2 +-
+ src/shared/tests.c | 2 +-
+ 6 files changed, 11 insertions(+), 11 deletions(-)
+
+diff --git a/src/mount/mount-tool.c b/src/mount/mount-tool.c
+index 70b4c5a765..9659355c33 100644
+--- a/src/mount/mount-tool.c
++++ b/src/mount/mount-tool.c
+@@ -600,7 +600,7 @@ static int start_transient_mount(
+ if (r < 0)
+ return bus_log_parse_error(r);
+
+- r = bus_wait_for_jobs_one(w, object, arg_quiet);
++ r = bus_wait_for_jobs_one(w, object, arg_quiet, NULL);
+ if (r < 0)
+ return r;
+ }
+@@ -709,7 +709,7 @@ static int start_transient_automount(
+ if (r < 0)
+ return bus_log_parse_error(r);
+
+- r = bus_wait_for_jobs_one(w, object, arg_quiet);
++ r = bus_wait_for_jobs_one(w, object, arg_quiet, NULL);
+ if (r < 0)
+ return r;
+ }
+@@ -875,7 +875,7 @@ static int stop_mount(
+ if (r < 0)
+ return bus_log_parse_error(r);
+
+- r = bus_wait_for_jobs_one(w, object, arg_quiet);
++ r = bus_wait_for_jobs_one(w, object, arg_quiet, NULL);
+ if (r < 0)
+ return r;
+ }
+diff --git a/src/nspawn/nspawn-register.c b/src/nspawn/nspawn-register.c
+index 2e6c12b3b7..c78bead4a4 100644
+--- a/src/nspawn/nspawn-register.c
++++ b/src/nspawn/nspawn-register.c
+@@ -313,7 +313,7 @@ int allocate_scope(
+ if (r < 0)
+ return bus_log_parse_error(r);
+
+- r = bus_wait_for_jobs_one(w, object, false);
++ r = bus_wait_for_jobs_one(w, object, false, NULL);
+ if (r < 0)
+ return r;
+
+diff --git a/src/run/run.c b/src/run/run.c
+index 1c83e36e4e..9a7e1efaca 100644
+--- a/src/run/run.c
++++ b/src/run/run.c
+@@ -1228,7 +1228,7 @@ static int start_transient_service(
+ if (r < 0)
+ return bus_log_parse_error(r);
+
+- r = bus_wait_for_jobs_one(w, object, arg_quiet);
++ r = bus_wait_for_jobs_one(w, object, arg_quiet, NULL);
+ if (r < 0)
+ return r;
+ }
+@@ -1473,7 +1473,7 @@ static int start_transient_scope(sd_bus *bus) {
+ if (r < 0)
+ return bus_log_parse_error(r);
+
+- r = bus_wait_for_jobs_one(w, object, arg_quiet);
++ r = bus_wait_for_jobs_one(w, object, arg_quiet, NULL);
+ if (r < 0)
+ return r;
+
+@@ -1693,7 +1693,7 @@ static int start_transient_trigger(
+ if (r < 0)
+ return bus_log_parse_error(r);
+
+- r = bus_wait_for_jobs_one(w, object, arg_quiet);
++ r = bus_wait_for_jobs_one(w, object, arg_quiet, NULL);
+ if (r < 0)
+ return r;
+
+diff --git a/src/shared/bus-wait-for-jobs.c b/src/shared/bus-wait-for-jobs.c
+index e4a3ab9a95..0cd47d5787 100644
+--- a/src/shared/bus-wait-for-jobs.c
++++ b/src/shared/bus-wait-for-jobs.c
+@@ -323,12 +323,12 @@ int bus_wait_for_jobs_add(BusWaitForJobs *d, const char *path) {
+ return set_put_strdup(&d->jobs, path);
+ }
+
+-int bus_wait_for_jobs_one(BusWaitForJobs *d, const char *path, bool quiet) {
++int bus_wait_for_jobs_one(BusWaitForJobs *d, const char *path, bool quiet, const char* const* extra_args) {
+ int r;
+
+ r = bus_wait_for_jobs_add(d, path);
+ if (r < 0)
+ return log_oom();
+
+- return bus_wait_for_jobs(d, quiet, NULL);
++ return bus_wait_for_jobs(d, quiet, extra_args);
+ }
+diff --git a/src/shared/bus-wait-for-jobs.h b/src/shared/bus-wait-for-jobs.h
+index 68c9d604ad..5acf8b9241 100644
+--- a/src/shared/bus-wait-for-jobs.h
++++ b/src/shared/bus-wait-for-jobs.h
+@@ -11,6 +11,6 @@ int bus_wait_for_jobs_new(sd_bus *bus, BusWaitForJobs **ret);
+ BusWaitForJobs* bus_wait_for_jobs_free(BusWaitForJobs *d);
+ int bus_wait_for_jobs_add(BusWaitForJobs *d, const char *path);
+ int bus_wait_for_jobs(BusWaitForJobs *d, bool quiet, const char* const* extra_args);
+-int bus_wait_for_jobs_one(BusWaitForJobs *d, const char *path, bool quiet);
++int bus_wait_for_jobs_one(BusWaitForJobs *d, const char *path, bool quiet, const char* const* extra_args);
+
+ DEFINE_TRIVIAL_CLEANUP_FUNC(BusWaitForJobs*, bus_wait_for_jobs_free);
+diff --git a/src/shared/tests.c b/src/shared/tests.c
+index ab7d799029..6d35bc6a8d 100644
+--- a/src/shared/tests.c
++++ b/src/shared/tests.c
+@@ -247,7 +247,7 @@ static int allocate_scope(void) {
+ if (r < 0)
+ return bus_log_parse_error(r);
+
+- r = bus_wait_for_jobs_one(w, object, false);
++ r = bus_wait_for_jobs_one(w, object, false, NULL);
+ if (r < 0)
+ return r;
+
+--
+2.33.0
+
diff --git a/backport-devnode-acl-use-_cleanup_-to-free-acl_t.patch b/backport-devnode-acl-use-_cleanup_-to-free-acl_t.patch
new file mode 100644
index 0000000000000000000000000000000000000000..49eba0c4e53c3b17eb80297cc7f4d2ef3cb7f0ec
--- /dev/null
+++ b/backport-devnode-acl-use-_cleanup_-to-free-acl_t.patch
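Review bot: The new `extra_args` parameter of `bus_wait_for_jobs_one()` is added to the prototype in src/shared/bus-wait-for-jobs.h without any comment, and every caller touched by this patch passes `NULL`, so nothing on the page tells a future caller what the argument is for or that `NULL` is acceptable. The only behaviour visible here is that the value is forwarded unchanged to `bus_wait_for_jobs()`, which was previously called with a literal `NULL`. I would add a one-line comment above the prototype such as `/* extra_args is passed through unchanged to bus_wait_for_jobs(); may be NULL */`. What `bus_wait_for_jobs()` does with the strings is outside this patch, so the comment should say no more than that.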
@@ -0,0 +1,146 @@
+From 541ada330879dd928b33b55f1fc437ec1bbd349f Mon Sep 17 00:00:00 2001
+From: David Tardon
+Date: Thu, 3 Mar 2022 15:58:24 +0100
+Subject: [PATCH] devnode-acl: use _cleanup_ to free acl_t
+
+(cherry picked from commit 203ea2c8f158288fea56c5be980715b2b7e002fe)
+(cherry picked from commit 543c73300e3b9298e5316555bf4df6ff7dfc210f)
+
+Conflict:NA
+Reference:https://github.com/systemd/systemd/commit/541ada330879dd928b33b55f1fc437ec1bbd349f
+---
+ src/shared/devnode-acl.c | 73 ++++++++++++++--------------------------
+ 1 file changed, 25 insertions(+), 48 deletions(-)
+
+diff --git a/src/shared/devnode-acl.c b/src/shared/devnode-acl.c
+index 07e29e1019..394422b164 100644
+--- a/src/shared/devnode-acl.c
++++ b/src/shared/devnode-acl.c
+@@ -52,8 +52,8 @@ int devnode_acl(const char *path,
+ bool del, uid_t old_uid,
+ bool add, uid_t new_uid) {
+
+- acl_t acl;
+- int r = 0;
++ _cleanup_(acl_freep) acl_t acl = NULL;
++ int r;
+ bool changed = false;
+
+ assert(path);
+@@ -66,7 +66,7 @@ int devnode_acl(const char *path,
+
+ r = flush_acl(acl);
+ if (r < 0)
+- goto finish;
++ return r;
+ if (r > 0)
+ changed = true;
+
+@@ -75,13 +75,11 @@ int devnode_acl(const char *path,
+
+ r = acl_find_uid(acl, old_uid, &entry);
+ if (r < 0)
+- goto finish;
++ return r;
+
+ if (r > 0) {
+- if (acl_delete_entry(acl, entry) < 0) {
+- r = -errno;
+- goto finish;
+- }
++ if (acl_delete_entry(acl, entry) < 0)
++ return -errno;
+
+ changed = true;
+ }
+@@ -94,68 +92,47 @@ int devnode_acl(const char *path,
+
+ r = acl_find_uid(acl, new_uid, &entry);
+ if (r < 0)
+- goto finish;
++ return r;
+
+ if (r == 0) {
+- if (acl_create_entry(&acl, &entry) < 0) {
+- r = -errno;
+- goto finish;
+- }
++ if (acl_create_entry(&acl, &entry) < 0)
++ return -errno;
+
+ if (acl_set_tag_type(entry, ACL_USER) < 0 ||
+- acl_set_qualifier(entry, &new_uid) < 0) {
+- r = -errno;
+- goto finish;
+- }
++ acl_set_qualifier(entry, &new_uid) < 0)
++ return -errno;
+ }
+
+- if (acl_get_permset(entry, &permset)
< 0) {
+- r = -errno;
+- goto finish;
+- }
++ if (acl_get_permset(entry, &permset) < 0)
++ return -errno;
+
+ rd = acl_get_perm(permset, ACL_READ);
+- if (rd < 0) {
+- r = -errno;
+- goto finish;
+- }
++ if (rd < 0)
++ return -errno;
+
+ wt = acl_get_perm(permset, ACL_WRITE);
+- if (wt < 0) {
+- r = -errno;
+- goto finish;
+- }
++ if (wt < 0)
++ return -errno;
+
+ if (!rd || !wt) {
+
+- if (acl_add_perm(permset, ACL_READ|ACL_WRITE) < 0) {
+- r = -errno;
+- goto finish;
+- }
++ if (acl_add_perm(permset, ACL_READ|ACL_WRITE) < 0)
++ return -errno;
+
+ changed = true;
+ }
+ }
+
+ if (!changed)
+- goto finish;
+-
+- if (acl_calc_mask(&acl) < 0) {
+- r = -errno;
+- goto finish;
+- }
+-
+- if (acl_set_file(path, ACL_TYPE_ACCESS, acl) < 0) {
+- r = -errno;
+- goto finish;
+- }
++ return 0;
+
+- r = 0;
++ if (acl_calc_mask(&acl) < 0)
++ return -errno;
+
+-finish:
+- acl_free(acl);
++ if (acl_set_file(path, ACL_TYPE_ACCESS, acl) < 0)
++ return -errno;
+
+- return r;
++ return 0;
+ }
+
+ int devnode_acl_all(const char *seat,
+--
+2.33.0
+
diff --git a/backport-dhcp-fix-assertion-failure.patch b/backport-dhcp-fix-assertion-failure.patch
new file mode 100644
index 0000000000000000000000000000000000000000..ff9c40cd9af7b10500810c13e229b5df6e38f873
--- /dev/null
+++ b/backport-dhcp-fix-assertion-failure.patch
@@ -0,0 +1,31 @@
+From d59f045a9341f33df161a83a0a5428e137381206 Mon Sep 17 00:00:00 2001
+From: Yu Watanabe
+Date: Wed, 8 Dec 2021 05:47:11 +0900
+Subject: [PATCH] dhcp: fix assertion failure
+
+Fixes #21671.
+
+(cherry picked from commit 990d0aa98023140d1efc897c3dcd5e0599a60203)
+
+Conflict:NA
+Reference:https://github.com/systemd/systemd/commit/d59f045a9341f33df161a83a0a5428e137381206
+---
+ src/libsystemd-network/sd-dhcp-lease.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/libsystemd-network/sd-dhcp-lease.c b/src/libsystemd-network/sd-dhcp-lease.c
+index 095a4ee683..9a0d7f6fea 100644
+--- a/src/libsystemd-network/sd-dhcp-lease.c
++++ b/src/libsystemd-network/sd-dhcp-lease.c
+@@ -691,7 +691,7 @@ int dhcp_lease_parse_options(uint8_t code, uint8_t len, const void *option, void
+ }
+
+ if (!timezone_is_valid(tz, LOG_DEBUG)) {
+- log_debug_errno(r, "Timezone is not valid, ignoring: %m");
++ log_debug("Timezone is not valid, ignoring.");
+ return 0;
+ }
+
+--
+2.33.0
+
diff --git a/backport-discover-image-mount-as-read-only-when-extracting-me.patch b/backport-discover-image-mount-as-read-only-when-extracting-me.patch
new file mode 100644
index 0000000000000000000000000000000000000000..83b1f7bcac20a1931b64c9b16361bffb49f038dd
--- /dev/null
+++ b/backport-discover-image-mount-as-read-only-when-extracting-me.patch
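Review bot: The new `log_debug("Timezone is not valid, ignoring.")` call in dhcp_lease_parse_options() has no comment saying why the errno-less logger is required, so a later tidy-up could bring back `log_debug_errno(r, …)` on a path where `r` is not an error, which is what the subject line calls an assertion failure. This branch handles option data taken from a DHCP lease, so a regression would presumably be reachable from whatever a server sends; I would add `/* r holds no error on this path, so log without errno */` above the call. The value of `r` at this point is inferred from the fix, because the function body starts and ends outside the hunk.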
@@ -0,0 +1,30 @@
+From 783b787a3aecbd2c9d6908546f89c9690728aa79 Mon Sep 17 00:00:00 2001
+From: Luca Boccassi
+Date: Thu, 22 Jul 2021 22:21:10 +0100
+Subject: [PATCH] discover-image: mount as read-only when extracting metadata
+
+We don't need to modify the image, and the loopback device is already set to read-only.
+
+(cherry picked from commit f6f4ec7951f429e8a470f8912cbeacde8fa1206e)
+
+Conflict:NA
+Reference:https://github.com/systemd/systemd/commit/783b787a3aecbd2c9d6908546f89c9690728aa79
+---
+ src/shared/discover-image.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/shared/discover-image.c b/src/shared/discover-image.c
+index 5c833afc78..521264ec29 100644
+--- a/src/shared/discover-image.c
++++ b/src/shared/discover-image.c
+@@ -1208,6 +1208,7 @@ int image_read_metadata(Image *i) {
+ DISSECT_IMAGE_GENERIC_ROOT |
+ DISSECT_IMAGE_REQUIRE_ROOT |
+ DISSECT_IMAGE_RELAX_VAR_CHECK |
++ DISSECT_IMAGE_READ_ONLY |
+ DISSECT_IMAGE_USR_NO_ROOT,
+ &m);
+ if (r < 0)
+--
+2.33.0
+
diff --git a/backport-discover-image-pass-the-right-fd-to-fd_getcrtime.patch b/backport-discover-image-pass-the-right-fd-to-fd_getcrtime.patch
new file mode 100644
index 0000000000000000000000000000000000000000..978d488b6daa2d07e516c22f4b1d98dd7ec8ac2e
--- /dev/null
+++ b/backport-discover-image-pass-the-right-fd-to-fd_getcrtime.patch
@@ -0,0 +1,29 @@
+From 64b025686f36ae4385811be6f81d5f7d94da3437 Mon Sep 17 00:00:00 2001
+From: Lennart Poettering
+Date: Wed, 18 Aug 2021 22:41:08 +0200
+Subject: [PATCH] discover-image: pass the right fd to fd_getcrtime()
+
+(cherry picked from commit 12a7f04a2b9135a4751dba71e2f688525d7c93e7)
+
+Conflict:NA
+Reference:https://github.com/systemd/systemd/commit/64b025686f36ae4385811be6f81d5f7d94da3437
+---
+ src/shared/discover-image.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/shared/discover-image.c b/src/shared/discover-image.c
+index 521264ec29..5f8bf43776 100644
+--- a/src/shared/discover-image.c
++++ b/src/shared/discover-image.c
+@@ -305,7 +305,7 @@ static int image_make(
+ }
+
+ /* Get directory creation time (not available everywhere, but that's OK */
+- (void) fd_getcrtime(dfd, &crtime);
++ (void) fd_getcrtime(fd, &crtime);
+
+ /* If the IMMUTABLE bit is set, we consider the directory read-only. Since the ioctl is not
+ * supported everywhere we ignore failures. */
+--
+2.33.0
+
diff --git a/backport-dissect-image-add-extension-specific-validation-flag.patch b/backport-dissect-image-add-extension-specific-validation-flag.patch
new file mode 100644
index 0000000000000000000000000000000000000000..8c523a6e61fbeeac41734a0cdde0f7460f4a179d
--- /dev/null
+++ b/backport-dissect-image-add-extension-specific-validation-flag.patch
@@ -0,0 +1,126 @@
+From 1d1b529d7781c7ac28fd6130eeda76bf2d70fe79 Mon Sep 17 00:00:00 2001
+From: Luca Boccassi
+Date: Wed, 18 Aug 2021 16:08:14 +0100
+Subject: [PATCH] dissect-image: add extension-specific validation flag
+
+Allows callers to specify which image type they are looking for
+
+(cherry picked from commit 9ccb531a5f99a7f399f352e79079188957f5a170)
+
+Conflict:NA
+Reference:https://github.com/systemd/systemd/commit/1d1b529d7781c7ac28fd6130eeda76bf2d70fe79
+---
+ src/portable/portable.c | 9 ++++++++-
+ src/shared/dissect-image.c | 26 +++++++++++++++++++-------
+ src/shared/dissect-image.h | 23 ++++++++++++-----------
+ 3 files changed, 39 insertions(+), 19 deletions(-)
+
+diff --git a/src/portable/portable.c b/src/portable/portable.c
+index 4cf5fb4f0a..5ecbeec2de 100644
+--- a/src/portable/portable.c
++++ b/src/portable/portable.c
+@@ -424,9 +424,16 @@ static int portable_extract_by_path(
+ if (r < 0)
+ return r;
+ if (r == 0) {
++ DissectImageFlags flags = DISSECT_IMAGE_READ_ONLY;
++
+ seq[0] = safe_close(seq[0]);
+
+- r = dissected_image_mount(m, tmpdir, UID_INVALID, UID_INVALID, DISSECT_IMAGE_READ_ONLY);
++ if (!extract_os_release)
++ flags |= DISSECT_IMAGE_VALIDATE_OS_EXT;
++ else
++ flags |= DISSECT_IMAGE_VALIDATE_OS;
++
++ r = dissected_image_mount(m, tmpdir, UID_INVALID, UID_INVALID, flags);
+ if (r < 0) {
+ log_debug_errno(r, "Failed to mount dissected image: %m");
+ goto child_finish;
+diff --git a/src/shared/dissect-image.c b/src/shared/dissect-image.c
+index 9b30c86a53..3a24f5041f 100644
+--- a/src/shared/dissect-image.c
++++ b/src/shared/dissect-image.c
+@@ -1725,17 +1725,28 @@ int dissected_image_mount(
+ if (r < 0)
+ return r;
+
+- if (flags & DISSECT_IMAGE_VALIDATE_OS) {
+- r = path_is_os_tree(where);
+- if (r < 0)
+- return r;
+- if (r == 0) {
++ if ((flags & (DISSECT_IMAGE_VALIDATE_OS|DISSECT_IMAGE_VALIDATE_OS_EXT)) != 0) {
++ /* If either one of the validation flags are set, ensure that the image qualifies
++ * as one or the other (or
both). */
++ bool ok = false;
++
++ if (FLAGS_SET(flags, DISSECT_IMAGE_VALIDATE_OS)) {
++ r = path_is_os_tree(where);
++ if (r < 0)
++ return r;
++ if (r > 0)
++ ok = true;
++ }
++ if (!ok && FLAGS_SET(flags, DISSECT_IMAGE_VALIDATE_OS_EXT)) {
+ r = path_is_extension_tree(where, m->image_name);
+ if (r < 0)
+ return r;
+- if (r == 0)
+- return -EMEDIUMTYPE;
++ if (r > 0)
++ ok = true;
+ }
++
++ if (!ok)
++ return -ENOMEDIUM;
+ }
+ }
+
+@@ -2617,6 +2628,7 @@ int dissected_image_acquire_metadata(DissectedImage *m) {
+ DISSECT_IMAGE_READ_ONLY|
+ DISSECT_IMAGE_MOUNT_ROOT_ONLY|
+ DISSECT_IMAGE_VALIDATE_OS|
++ DISSECT_IMAGE_VALIDATE_OS_EXT|
+ DISSECT_IMAGE_USR_NO_ROOT);
+ if (r < 0) {
+ /* Let parent know the error */
+diff --git a/src/shared/dissect-image.h b/src/shared/dissect-image.h
+index 1ce14e915e..9db2719afb 100644
+--- a/src/shared/dissect-image.h
++++ b/src/shared/dissect-image.h
+@@ -100,19 +100,20 @@ typedef enum DissectImageFlags {
+ DISSECT_IMAGE_MOUNT_ROOT_ONLY = 1 << 6, /* Mount only the root and /usr partitions */
+ DISSECT_IMAGE_MOUNT_NON_ROOT_ONLY = 1 << 7, /* Mount only the non-root and non-/usr partitions */
+ DISSECT_IMAGE_VALIDATE_OS = 1 << 8, /* Refuse mounting images that aren't identifiable as OS images */
+- DISSECT_IMAGE_NO_UDEV = 1 << 9, /* Don't wait for udev initializing things */
+- DISSECT_IMAGE_RELAX_VAR_CHECK = 1 << 10, /* Don't insist that the UUID of /var is hashed from /etc/machine-id */
+- DISSECT_IMAGE_FSCK = 1 << 11, /* File system check the partition before mounting (no effect when combined with DISSECT_IMAGE_READ_ONLY) */
+- DISSECT_IMAGE_NO_PARTITION_TABLE = 1 << 12, /* Only recognize single file system images */
+- DISSECT_IMAGE_VERITY_SHARE = 1 << 13, /* When activating a verity device, reuse existing one if already open */
+- DISSECT_IMAGE_MKDIR = 1 << 14, /* Make top-level directory to mount right before mounting, if missing */
+- DISSECT_IMAGE_USR_NO_ROOT = 1 << 15, /* If no root fs is in the image, but /usr is, then allow
this (so that we can mount the rootfs as tmpfs or so */
+- DISSECT_IMAGE_REQUIRE_ROOT = 1 << 16, /* Don't accept disks without root partition (or at least /usr partition if DISSECT_IMAGE_USR_NO_ROOT is set) */
+- DISSECT_IMAGE_MOUNT_READ_ONLY = 1 << 17, /* Make mounts read-only */
++ DISSECT_IMAGE_VALIDATE_OS_EXT = 1 << 9, /* Refuse mounting images that aren't identifiable as OS extension images */
++ DISSECT_IMAGE_NO_UDEV = 1 << 10, /* Don't wait for udev initializing things */
++ DISSECT_IMAGE_RELAX_VAR_CHECK = 1 << 11, /* Don't insist that the UUID of /var is hashed from /etc/machine-id */
++ DISSECT_IMAGE_FSCK = 1 << 12, /* File system check the partition before mounting (no effect when combined with DISSECT_IMAGE_READ_ONLY) */
++ DISSECT_IMAGE_NO_PARTITION_TABLE = 1 << 13, /* Only recognize single file system images */
++ DISSECT_IMAGE_VERITY_SHARE = 1 << 14, /* When activating a verity device, reuse existing one if already open */
++ DISSECT_IMAGE_MKDIR = 1 << 15, /* Make top-level directory to mount right before mounting, if missing */
++ DISSECT_IMAGE_USR_NO_ROOT = 1 << 16, /* If no root fs is in the image, but /usr is, then allow this (so that we can mount the rootfs as tmpfs or so */
++ DISSECT_IMAGE_REQUIRE_ROOT = 1 << 17, /* Don't accept disks without root partition (or at least /usr partition if DISSECT_IMAGE_USR_NO_ROOT is set) */
++ DISSECT_IMAGE_MOUNT_READ_ONLY = 1 << 18, /* Make mounts read-only */
+ DISSECT_IMAGE_READ_ONLY = DISSECT_IMAGE_DEVICE_READ_ONLY |
+ DISSECT_IMAGE_MOUNT_READ_ONLY,
+- DISSECT_IMAGE_GROWFS = 1 << 18, /* Grow file systems in partitions marked for that to the size of the partitions after mount */
+- DISSECT_IMAGE_MOUNT_IDMAPPED = 1 << 19, /* Mount mounts with kernel 5.12-style userns ID mapping, if file system type doesn't support uid=/gid= */
++ DISSECT_IMAGE_GROWFS = 1 << 19, /* Grow file systems in partitions marked for that to the size of the partitions after mount */
++ DISSECT_IMAGE_MOUNT_IDMAPPED = 1 << 20, /* Mount
mounts with kernel 5.12-style userns ID mapping, if file system type doesn't support uid=/gid= */
+ } DissectImageFlags;
+
+ struct DissectedImage {
+--
+2.33.0
+
diff --git a/backport-dissect-image-validate-extension-release-even-if-the.patch b/backport-dissect-image-validate-extension-release-even-if-the.patch
new file mode 100644
index 0000000000000000000000000000000000000000..bea0bf62634f650c42078ddc63997d40999a23a0
--- /dev/null
+++ b/backport-dissect-image-validate-extension-release-even-if-the.patch
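Review bot: The validation failure in dissected_image_mount() now returns `-ENOMEDIUM` where the removed branch returned `-EMEDIUMTYPE`, and none of the three files in this patch adjusts a caller's error handling. Any caller outside these hunks that matches `-EMEDIUMTYPE` to report an image that is neither an OS tree nor an extension would stop recognising the rejection, so the callers of dissected_image_mount() in the target tree should be checked before this backport lands. It would also help to record the either-or semantics next to the flags, e.g. `/* With both VALIDATE_OS and VALIDATE_OS_EXT set, passing either check is sufficient */`, since dissected_image_acquire_metadata() now sets both and a caller that needs strictly one image type must pass only that flag. dissected_image_mount() starts and ends outside the hunk.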
@@ -0,0 +1,42 @@
+From 4b14a6aafe45270b50b4a0b75d0cce11a9ac738d Mon Sep 17 00:00:00 2001
+From: Luca Boccassi
+Date: Wed, 19 Jan 2022 00:01:48 +0000
+Subject: [PATCH] dissect-image: validate extension-release even if the host
+ has only ID in os-release
+
+A rolling distro won't set VERSION_ID or SYSEXT_LEVEL in os-release,
+which means we skip validation of ExtensionImages.
+Validate even with just an ID, the lower level helper already
+recognizes and accepts this use case.
+
+Fixes https://github.com/systemd/systemd/issues/22146
+
+(cherry picked from commit 37361f46d571ad0b71ef99dec6a9b76edbab38bb)
+(cherry picked from commit 0dab9e5f057380322755e90ee4d35716d5bf6232)
+
+Conflict:NA
+Reference:https://github.com/systemd/systemd/commit/4b14a6aafe45270b50b4a0b75d0cce11a9ac738d
+---
+ src/shared/dissect-image.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/shared/dissect-image.c b/src/shared/dissect-image.c
+index 714baa8572..9b30c86a53 100644
+--- a/src/shared/dissect-image.c
++++ b/src/shared/dissect-image.c
+@@ -3015,9 +3015,9 @@ int verity_dissect_and_mount(
+ /* If we got os-release values from the caller, then we need to match them with the image's
+ * extension-release.d/ content. Return -EINVAL if there's any mismatch.
+ * First, check the distro ID. If that matches, then check the new SYSEXT_LEVEL value if
+- * available, or else fallback to VERSION_ID. */
+- if (required_host_os_release_id &&
+- (required_host_os_release_version_id || required_host_os_release_sysext_level)) {
++ * available, or else fallback to VERSION_ID. If neither is present (eg: rolling release),
++ * then a simple match on the ID will be performed. */
++ if (required_host_os_release_id) {
+ _cleanup_strv_free_ char **extension_release = NULL;
+
+ r = load_extension_release_pairs(dest, dissected_image->image_name, &extension_release);
+--
+2.33.0
+
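Review bot: After this change the extension-release check in verity_dissect_and_mount() is gated only on `required_host_os_release_id` being non-NULL, and the updated comment does not say what a NULL ID means. As far as the hunk shows, a caller that passes no ID gets no matching against extension-release.d/ at all, so I would append `If no ID is passed, no matching is done.` to the comment to make that opt-out explicit for future callers. The body of the `if` and the rest of the function continue outside the hunk.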
diff --git a/backport-dns-domain-re-introduce-dns_name_is_empty.patch b/backport-dns-domain-re-introduce-dns_name_is_empty.patch
new file mode 100644
index 0000000000000000000000000000000000000000..19d4d6675209669f5234708fe96e0c7a1f415e85
--- /dev/null
+++ b/backport-dns-domain-re-introduce-dns_name_is_empty.patch
@@ -0,0 +1,32 @@
+From 435a9af906c02d8024811311b012c9d7a2400009 Mon Sep 17 00:00:00 2001
+From: Yu Watanabe
+Date: Mon, 24 Jan 2022 06:06:55 +0900
+Subject: [PATCH] dns-domain: re-introduce dns_name_is_empty()
+
+(cherry picked from commit 7bdf41983044268b4bc2f9d34462db7f89ba284a)
+(cherry picked from commit df08c12062dfd9903edec371598412a47a3055e0)
+
+Conflict:NA
+Reference:https://github.com/systemd/systemd/commit/435a9af906c02d8024811311b012c9d7a2400009
+---
+ src/shared/dns-domain.h | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/shared/dns-domain.h b/src/shared/dns-domain.h
+index c25fcaacc2..24bf00bd58 100644
+--- a/src/shared/dns-domain.h
++++ b/src/shared/dns-domain.h
+@@ -60,6 +60,10 @@ static inline int dns_name_is_valid_ldh(const char *s) {
+ return 1;
+ }
+
++static inline bool dns_name_is_empty(const char *s) {
++ return isempty(s) || streq(s, ".");
++}
++
+ void dns_name_hash_func(const char *s, struct siphash *state);
+ int dns_name_compare_func(const char *a, const char *b);
+ extern const struct hash_ops dns_name_hash_ops;
+--
+2.33.0
+
diff --git a/backport-docs-SYSTEMD_NSS_BYPASS_BUS-is-not-honoured-anymore-.patch b/backport-docs-SYSTEMD_NSS_BYPASS_BUS-is-not-honoured-anymore-.patch
new file mode 100644
index 0000000000000000000000000000000000000000..bd99668e98c534ef0418a9c057bc44a13c2306b4
--- /dev/null
+++ b/backport-docs-SYSTEMD_NSS_BYPASS_BUS-is-not-honoured-anymore-.patch
@@ -0,0 +1,37 @@
+From a7cfaa555379f19ab229c024027a74a5d22991d6 Mon Sep 17 00:00:00 2001
+From: Lennart Poettering
+Date: Thu, 17 Feb 2022 14:47:34 +0100
+Subject: [PATCH] docs: $SYSTEMD_NSS_BYPASS_BUS is not honoured anymore, don't
+ document it
+
+It was removed back in 1684c56f40f020e685e70b3d1785d596ff16f892
+
+Follow-up for: 1684c56f40f020e685e70b3d1785d596ff16f892
+
+(cherry picked from commit cec16155e3dab4f123ba073223477a4ef2cf10f9)
+(cherry picked from commit 4ec9aec4b695e1f0a26dc9cd55719c2f91ebdd6a)
+
+Conflict:NA
+Reference:https://github.com/systemd/systemd/commit/a7cfaa555379f19ab229c024027a74a5d22991d6
+---
+ docs/ENVIRONMENT.md | 4 ----
+ 1 file changed, 4 deletions(-)
+
+diff --git a/docs/ENVIRONMENT.md b/docs/ENVIRONMENT.md
+index 2cec3bdc16..efb360f0a4 100644
+--- a/docs/ENVIRONMENT.md
++++ b/docs/ENVIRONMENT.md
+@@ -208,10 +208,6 @@ All tools:
+ user/group records for dynamically registered service users (i.e. users
+ registered through `DynamicUser=1`).
+
+-* `$SYSTEMD_NSS_BYPASS_BUS=1` — if set, `nss-systemd` won't use D-Bus to do
+- dynamic user lookups. This is primarily useful to make `nss-systemd` work
+- safely from within `dbus-daemon`.
+-
+ `systemd-timedated`:
+
+ * `$SYSTEMD_TIMEDATED_NTP_SERVICES=…` — colon-separated list of unit names of
+--
+2.33.0
+
diff --git a/backport-docs-improve-wording-when-mentioning-the-acronym-ESP.patch b/backport-docs-improve-wording-when-mentioning-the-acronym-ESP.patch
new file mode 100644
index 0000000000000000000000000000000000000000..c9e9ba00a1031907ad94654ea8cab73263e20f2a
--- /dev/null
+++ b/backport-docs-improve-wording-when-mentioning-the-acronym-ESP.patch
@@ -0,0 +1,97 @@
+From 6822cfa5f066fcbf79ded85419d59a97decc67b9 Mon Sep 17 00:00:00 2001
+From: nl6720
+Date: Fri, 9 Jul 2021 12:56:54 +0300
+Subject: [PATCH] docs: improve wording when mentioning the acronym "ESP"
+
+"ESP" is "EFI system partition", so "ESP partition" is redundant.
+
+(cherry picked from commit 250db1bf02b9fd73f2e0604acddbc20937c67d19)
+
+Conflict:NA
+Reference:https://github.com/systemd/systemd/commit/6822cfa5f066fcbf79ded85419d59a97decc67b9
+---
+ docs/BOOT_LOADER_INTERFACE.md | 8 ++++----
+ docs/BOOT_LOADER_SPECIFICATION.md | 4 ++--
+ man/systemd-boot.xml | 4 ++--
+ src/boot/bootctl.c | 2 +-
+ src/systemctl/systemctl-start-special.c | 2 +-
+ 5 files changed, 10 insertions(+), 10 deletions(-)
+
+diff --git a/docs/BOOT_LOADER_INTERFACE.md b/docs/BOOT_LOADER_INTERFACE.md
+index be3b6e401d..e9155117b9 100644
+--- a/docs/BOOT_LOADER_INTERFACE.md
++++ b/docs/BOOT_LOADER_INTERFACE.md
+@@ -76,10 +76,10 @@ variables. All EFI variables use the vendor UUID
+ * `1 << 6` → The boot loader supports passing a random seed to the OS.
+
+ * The EFI variable `LoaderRandomSeed` contains a binary random seed if set. It
+- is set by the boot loader to pass an entropy seed read from the ESP partition
+- to the OS. The system manager then credits this seed to the kernel's entropy
+- pool. It is the responsibility of the boot loader to ensure the quality and
+- integrity of the random seed.
++ is set by the boot loader to pass an entropy seed read from the ESP to the OS.
++ The system manager then credits this seed to the kernel's entropy pool. It is
++ the responsibility of the boot loader to ensure the quality and integrity of
++ the random seed.
+
+ * The EFI variable `LoaderSystemToken` contains binary random data,
+ persistently set by the OS installer.
Boot loaders that support passing
+diff --git a/docs/BOOT_LOADER_SPECIFICATION.md b/docs/BOOT_LOADER_SPECIFICATION.md
+index b87246ede1..7b5b19700a 100644
+--- a/docs/BOOT_LOADER_SPECIFICATION.md
++++ b/docs/BOOT_LOADER_SPECIFICATION.md
+@@ -61,8 +61,8 @@ Everything described below is located on a placeholder file system `$BOOT`. The
+ * On disks with GPT (GUID Partition Table)
+ * If the OS is installed on a disk with GPT, and an Extended Boot Loader Partition or XBOOTLDR partition for short, i.e. a partition with GPT type GUID of `bc13c2ff-59e6-4262-a352-b275fd6f7172`, already exists, it should be used as `$BOOT`.
+ * Otherwise, if the OS is installed on a disk with GPT, and an EFI System Partition or ESP for short, i.e. a partition with GPT type UID of `c12a7328-f81f-11d2-ba4b-00a0c93ec93b`) already exists and is large enough (let's say 250MB) and otherwise qualifies, it should be used as `$BOOT`.
+- * Otherwise, if the OS is installed on a disk with GPT, and if the ESP partition already exists but is too small, a new suitably sized (let's say 500MB) XBOOTLDR partition shall be created and used as `$BOOT`.
+- * Otherwise, if the OS is installed on a disk with GPT, and no ESP partition exists yet, a new suitably sized (let's say 500MB) ESP should be created and used as `$BOOT`.
++ * Otherwise, if the OS is installed on a disk with GPT, and if the ESP already exists but is too small, a new suitably sized (let's say 500MB) XBOOTLDR partition shall be created and used as `$BOOT`.
++ * Otherwise, if the OS is installed on a disk with GPT, and no ESP exists yet, a new suitably sized (let's say 500MB) ESP should be created and used as `$BOOT`.
+
+ This placeholder file system shall be determined during _installation time_, and an fstab entry may be created. It should be mounted to either `/boot/` or `/efi/`. Additional locations like `/boot/efi/`, with `/boot/` being a separate file system, might be supported by implementations.
This is not recommended because the mounting of `$BOOT` is then dependent on and requires the mounting of the intermediate file system.
+
+diff --git a/man/systemd-boot.xml b/man/systemd-boot.xml
+index 139f79fa6b..2135d9eb36 100644
+--- a/man/systemd-boot.xml
++++ b/man/systemd-boot.xml
+@@ -73,8 +73,8 @@
+ systemctl1 for
+ details.
+
+- An EFI variable set by the boot loader informs the OS about the ESP partition used
+- during boot. This is then used to automatically mount the correct ESP partition to
++ An EFI variable set by the boot loader informs the OS about the EFI System Partition used
++ during boot. This is then used to automatically mount the correct EFI System Partition to
+ /efi/ or /boot/ during OS runtime. See
+ systemd-gpt-auto-generator8
+ for details.
+diff --git a/src/boot/bootctl.c b/src/boot/bootctl.c
+index df8b0542c9..fa8c600321 100644
+--- a/src/boot/bootctl.c
++++ b/src/boot/bootctl.c
+@@ -1337,7 +1337,7 @@ static int verb_status(int argc, char *argv[], void *userdata) {
+ sd_id128_t bootloader_esp_uuid;
+ bool have_bootloader_esp_uuid = efi_loader_get_device_part_uuid(&bootloader_esp_uuid) >= 0;
+
+- print_yes_no_line(false, have_bootloader_esp_uuid, "Boot loader sets ESP partition information");
++ print_yes_no_line(false, have_bootloader_esp_uuid, "Boot loader sets ESP information");
+ if (have_bootloader_esp_uuid && !sd_id128_equal(esp_uuid, bootloader_esp_uuid))
+ printf("WARNING: The boot loader reports a different ESP UUID than detected!\n");
+
+diff --git a/src/systemctl/systemctl-start-special.c b/src/systemctl/systemctl-start-special.c
+index 3edb65be61..56068d25f5 100644
+--- a/src/systemctl/systemctl-start-special.c
++++ b/src/systemctl/systemctl-start-special.c
+@@ -36,7 +36,7 @@ static int load_kexec_kernel(void) {
+ return log_error_errno(r,
+ "No kexec kernel loaded and autodetection failed.\n%s",
+ is_efi_boot()
+- ? "Cannot automatically load kernel: ESP partition mount point not found."
++ ?
"Cannot automatically load kernel: ESP mount point not found."
+ : "Automatic loading works only on systems booted with EFI.");
+ if (r < 0)
+ return r;
+--
+2.33.0
+
diff --git a/backport-docs-portablectl-is-in-bin.patch b/backport-docs-portablectl-is-in-bin.patch
new file mode 100644
index 0000000000000000000000000000000000000000..fc6261888bfd19036ad033fe226ae5ecf55026c0
--- /dev/null
+++ b/backport-docs-portablectl-is-in-bin.patch
@@ -0,0 +1,40 @@
+From b4221cca108f46f58cc15d83a298714b4de0bebf Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?=
+Date: Tue, 7 Sep 2021 18:43:58 +0200
+Subject: [PATCH] docs: portablectl is in bin/
+
+Follow-up for 80f39b81f3876ed3816061f1093db991f72269ec.
+
+(cherry picked from commit a00ff6717b98580136d46cde0e8f9543e60c8f76)
+
+Conflict:NA
+Reference:https://github.com/systemd/systemd/commit/b4221cca108f46f58cc15d83a298714b4de0bebf
+---
+ docs/PORTABLE_SERVICES.md | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/docs/PORTABLE_SERVICES.md b/docs/PORTABLE_SERVICES.md
+index d9171c7b65..ec4a50373c 100644
+--- a/docs/PORTABLE_SERVICES.md
++++ b/docs/PORTABLE_SERVICES.md
+@@ -86,7 +86,7 @@ If you have a portable service image, maybe in a raw disk image called
+ `foobar_0.7.23.raw`, then attaching the services to the host is as easy as:
+
+ ```
+-# /usr/lib/systemd/portablectl attach foobar_0.7.23.raw
++# portablectl attach foobar_0.7.23.raw
+ ```
+
+ This command does the following:
+@@ -268,7 +268,7 @@ include template units such as `foobar@.service`, so that instantiation is as
+ simple as:
+
+ ```
+-# /usr/lib/systemd/portablectl attach foobar_0.7.23.raw
++# portablectl attach foobar_0.7.23.raw
+ # systemctl enable --now foobar@instancea.service
+ # systemctl enable --now foobar@instanceb.service
+ …
+--
+2.33.0
+
diff --git a/backport-ether-addr-util-make-hw_addr_to_string-return-valid-.patch b/backport-ether-addr-util-make-hw_addr_to_string-return-valid-.patch
new file mode 100644
index 0000000000000000000000000000000000000000..59807412535cca9fc78477921ccc6a7e1dfdb709
--- /dev/null
+++ b/backport-ether-addr-util-make-hw_addr_to_string-return-valid-.patch
@@ -0,0 +1,52 @@
+From 798baafc027d829bdf6fc41163e6d12085a2c620 Mon Sep 17 00:00:00 2001
+From: Yu Watanabe
+Date: Wed, 15 Sep 2021 22:59:52 +0900
+Subject: [PATCH] ether-addr-util: make hw_addr_to_string() return valid string
+ even if hardware address is null
+
+Previously, when the length of the hardware address is zero, then the
+buffer was not nul-terminated.
+
+This also replaces sprintf() with hexchar().
+
+(cherry picked from commit 914ac555cd40f9c09e655a737214bfb7de21b8d9)
+
+Conflict:NA
+Reference:https://github.com/systemd/systemd/commit/798baafc027d829bdf6fc41163e6d12085a2c620
+---
+ src/basic/ether-addr-util.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/src/basic/ether-addr-util.c b/src/basic/ether-addr-util.c
+index e660ac2c6f..dc5b5b833d 100644
+--- a/src/basic/ether-addr-util.c
++++ b/src/basic/ether-addr-util.c
+@@ -7,6 +7,7 @@
+ #include
+
+ #include "ether-addr-util.h"
++#include "hexdecoct.h"
+ #include "macro.h"
+ #include "string-util.h"
+
+@@ -15,12 +16,13 @@ char* hw_addr_to_string(const struct hw_addr_data *addr, char buffer[HW_ADDR_TO_
+ assert(buffer);
+ assert(addr->length <= HW_ADDR_MAX_SIZE);
+
+- for (size_t i = 0; i < addr->length; i++) {
+- sprintf(&buffer[3*i], "%02"PRIx8, addr->bytes[i]);
+- if (i < addr->length - 1)
+- buffer[3*i + 2] = ':';
++ for (size_t i = 0, j = 0; i < addr->length; i++) {
++ buffer[j++] = hexchar(addr->bytes[i] >> 4);
++ buffer[j++] = hexchar(addr->bytes[i] & 0x0f);
++ buffer[j++] = ':';
+ }
+
++ buffer[addr->length > 0 ? addr->length * 3 - 1 : 0] = '\0';
+ return buffer;
+ }
+
+--
+2.33.0
+
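Review bot: The rewritten loop in hw_addr_to_string() stores a ':' after every byte, including the last one, so for an address of maximum length it writes index `3 * addr->length - 1` before the terminator overwrites that slot. That is in bounds only if HW_ADDR_TO_STRING_MAX is at least `3 * HW_ADDR_MAX_SIZE`, and the length bound rests on `assert(addr->length <= HW_ADDR_MAX_SIZE)`; neither the macro definitions nor the build's assert policy are visible in this hunk. I would state the invariant where the buffer is written, e.g. `assert_cc(HW_ADDR_TO_STRING_MAX >= 3 * HW_ADDR_MAX_SIZE);` together with `/* the ':' after the last byte is replaced by the NUL below */`. The function starts outside the hunk.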
diff --git a/backport-execute-document-that-the-env-param-is-input-and-out.patch b/backport-execute-document-that-the-env-param-is-input-and-out.patch
new file mode 100644
index 0000000000000000000000000000000000000000..0e386acec0164b0a04ccca1f93214bde9c9242ef
--- /dev/null
+++ b/backport-execute-document-that-the-env-param-is-input-and-out.patch
@@ -0,0 +1,30 @@
+From 5c8437361d54bd6c04d613619f71c161df32024f Mon Sep 17 00:00:00 2001
+From: Lennart Poettering
+Date: Tue, 1 Feb 2022 13:50:28 +0100
+Subject: [PATCH] execute: document that the 'env' param is input *and* output
+
+(cherry picked from commit 421bb42d1b366c00392ef5bbab6a67412295b6dc)
+(cherry picked from commit c4357f31da66b1917d3612d02c28adb300d4b0c6)
+
+Conflict:NA
+Reference:https://github.com/systemd/systemd/commit/5c8437361d54bd6c04d613619f71c161df32024f
+---
+ src/core/execute.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/core/execute.c b/src/core/execute.c
+index 1129905b61..e24775c150 100644
+--- a/src/core/execute.c
++++ b/src/core/execute.c
+@@ -1152,7 +1152,7 @@ static int setup_pam(
+ uid_t uid,
+ gid_t gid,
+ const char *tty,
+- char ***env,
++ char ***env, /* updated on success */
+ const int fds[], size_t n_fds) {
+
+ #if HAVE_PAM
+--
+2.33.0
+
diff --git a/backport-execute-line-break-comments-a-bit-less-aggressively.patch b/backport-execute-line-break-comments-a-bit-less-aggressively.patch
new file mode 100644
index 0000000000000000000000000000000000000000..b10e32d47e07180546a405ea4e34a395d8cd56e6
--- /dev/null
+++ b/backport-execute-line-break-comments-a-bit-less-aggressively.patch
@@ -0,0 +1,107 @@ +From ee7db04c13f5b46ad2437762caa7b4c239780de5 Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Tue, 1 Feb 2022 13:50:13 +0100 +Subject: [PATCH] execute: line break comments a bit less aggressively + +(cherry picked from commit cafc5ca147cb05b90bd731661d8594c299601f79) +(cherry picked from commit 14567dc93d5c498bfaadd28478f59952f6da320c) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/ee7db04c13f5b46ad2437762caa7b4c239780de5 +--- + src/core/execute.c | 41 +++++++++++++++++------------------------ + 1 file changed, 17 insertions(+), 24 deletions(-) + +diff --git a/src/core/execute.c b/src/core/execute.c +index b6c54493d3..1129905b61 100644 +--- a/src/core/execute.c ++++ b/src/core/execute.c +@@ -1238,8 +1238,7 @@ static int setup_pam( + goto fail; + } + +- /* Block SIGTERM, so that we know that it won't get lost in +- * the child */ ++ /* Block SIGTERM, so that we know that it won't get lost in the child */ + + assert_se(sigprocmask_many(SIG_BLOCK, &old_ss, SIGTERM, -1) >= 0); + +@@ -1251,18 +1250,16 @@ static int setup_pam( + if (r == 0) { + int sig, ret = EXIT_PAM; + +- /* The child's job is to reset the PAM session on +- * termination */ ++ /* The child's job is to reset the PAM session on termination */ + barrier_set_role(&barrier, BARRIER_CHILD); + + /* Make sure we don't keep open the passed fds in this child. We assume that otherwise only + * those fds are open here that have been opened by PAM. */ + (void) close_many(fds, n_fds); + +- /* Drop privileges - we don't need any to pam_close_session +- * and this will make PR_SET_PDEATHSIG work in most cases. +- * If this fails, ignore the error - but expect sd-pam threads +- * to fail to exit normally */ ++ /* Drop privileges - we don't need any to pam_close_session and this will make ++ * PR_SET_PDEATHSIG work in most cases. 
If this fails, ignore the error - but expect sd-pam ++ * threads to fail to exit normally */ + + r = maybe_setgroups(0, NULL); + if (r < 0) +@@ -1274,20 +1271,16 @@ static int setup_pam( + + (void) ignore_signals(SIGPIPE); + +- /* Wait until our parent died. This will only work if +- * the above setresuid() succeeds, otherwise the kernel +- * will not allow unprivileged parents kill their privileged +- * children this way. We rely on the control groups kill logic +- * to do the rest for us. */ ++ /* Wait until our parent died. This will only work if the above setresuid() succeeds, ++ * otherwise the kernel will not allow unprivileged parents kill their privileged children ++ * this way. We rely on the control groups kill logic to do the rest for us. */ + if (prctl(PR_SET_PDEATHSIG, SIGTERM) < 0) + goto child_finish; + +- /* Tell the parent that our setup is done. This is especially +- * important regarding dropping privileges. Otherwise, unit +- * setup might race against our setresuid(2) call. ++ /* Tell the parent that our setup is done. This is especially important regarding dropping ++ * privileges. Otherwise, unit setup might race against our setresuid(2) call. + * +- * If the parent aborted, we'll detect this below, hence ignore +- * return failure here. */ ++ * If the parent aborted, we'll detect this below, hence ignore return failure here. */ + (void) barrier_place(&barrier); + + /* Check if our parent process might already have died? */ +@@ -1332,19 +1325,19 @@ static int setup_pam( + + barrier_set_role(&barrier, BARRIER_PARENT); + +- /* If the child was forked off successfully it will do all the +- * cleanups, so forget about the handle here. */ ++ /* If the child was forked off successfully it will do all the cleanups, so forget about the handle ++ * here. 
*/ + handle = NULL; + + /* Unblock SIGTERM again in the parent */ + assert_se(sigprocmask(SIG_SETMASK, &old_ss, NULL) >= 0); + +- /* We close the log explicitly here, since the PAM modules +- * might have opened it, but we don't want this fd around. */ ++ /* We close the log explicitly here, since the PAM modules might have opened it, but we don't want ++ * this fd around. */ + closelog(); + +- /* Synchronously wait for the child to initialize. We don't care for +- * errors as we cannot recover. However, warn loudly if it happens. */ ++ /* Synchronously wait for the child to initialize. We don't care for errors as we cannot ++ * recover. However, warn loudly if it happens. */ + if (!barrier_place_and_sync(&barrier)) + log_error("PAM initialization failed"); + +-- +2.33.0 + diff --git a/backport-execute-respect-selinux_context_ignore.patch b/backport-execute-respect-selinux_context_ignore.patch new file mode 100644 index 0000000000000000000000000000000000000000..7dacf3c76fde1a093e4f09f4632b511677eddd89 --- /dev/null +++ b/backport-execute-respect-selinux_context_ignore.patch 
@@ -0,0 +1,45 @@
+From 38d0d41e0fc5d559cff5a1bcf46482aec9d6f5ef Mon Sep 17 00:00:00 2001
+From: Topi Miettinen
+Date: Sat, 30 Oct 2021 19:58:41 +0300
+Subject: [PATCH] execute: respect selinux_context_ignore
+
+When `SELinuxContext=` parameter is prefixed with `-`, the documentation states
+that any errors determining or changing context should be ignored, but this
+doesn't actually happen and the service may fail with `229/SELINUX_CONTEXT`.
+
+Fix by adding checks to `context->selinux_context_ignore`.
+
+Closes: #21057
+(cherry picked from commit 2ad2925de5f258d128ec8cdb07f10f3c52fa4fcf)
+
+Conflict:NA
+Reference:https://github.com/systemd/systemd/commit/38d0d41e0fc5d559cff5a1bcf46482aec9d6f5ef
+---
+ src/core/execute.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/core/execute.c b/src/core/execute.c
+index 6ff757ff04..e324db87cc 100644
+--- a/src/core/execute.c
++++ b/src/core/execute.c
+@@ -4361,7 +4361,7 @@ static int exec_child(
+ 
+ if (fd >= 0) {
+ r = mac_selinux_get_child_mls_label(fd, executable, context->selinux_context, &mac_selinux_context_net);
+- if (r < 0) {
++ if (r < 0 && !context->selinux_context_ignore) {
+ *exit_status = EXIT_SELINUX_CONTEXT;
+ return log_unit_error_errno(unit, r, "Failed to determine SELinux context: %m");
+ }
+@@ -4495,7 +4495,7 @@ static int exec_child(
+ 
+ if (exec_context) {
+ r = setexeccon(exec_context);
+- if (r < 0) {
++ if (r < 0 && !context->selinux_context_ignore) {
+ *exit_status = EXIT_SELINUX_CONTEXT;
+ return log_unit_error_errno(unit, r, "Failed to change SELinux context to %s: %m", exec_context);
+ }
+-- 
+2.33.0
+
diff --git a/backport-execute-use-_cleanup_-logic-where-appropriate.patch b/backport-execute-use-_cleanup_-logic-where-appropriate.patch
new file mode 100644
index 0000000000000000000000000000000000000000..07b41e720fe3b2038e67a3d807d14157ea9788b3
--- /dev/null
+++ b/backport-execute-use-_cleanup_-logic-where-appropriate.patch
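Review bot: Both new conditions in exec_child() drop the failure silently when `selinux_context_ignore` is set: a negative `r` from mac_selinux_get_child_mls_label() or from setexeccon() now falls through with no log line, and the service starts without the SELinux context the unit asked for. That matches the documented meaning of the `-` prefix, but someone auditing confinement has no trace that the label was not applied. I would add a branch that records the ignored error, e.g. `else if (r < 0) log_unit_debug_errno(unit, r, "Failed to change SELinux context to %s, ignoring: %m", exec_context);`, and the equivalent for the label lookup in the first inner hunk. exec_child() starts and ends outside both inner hunks.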
@@ -0,0 +1,44 @@
+From 1fa6abd4ae2445b08e3c3fc3d4eade1e833f43da Mon Sep 17 00:00:00 2001
+From: Lennart Poettering
+Date: Tue, 1 Feb 2022 13:49:56 +0100
+Subject: [PATCH] execute: use _cleanup_ logic where appropriate
+
+(cherry picked from commit 46e5bbab5895b7137b03453dee08bd1c89c710e9)
+(cherry picked from commit 9b2954b79435eaf54be208acdce8026b83bdc249)
+
+Conflict:NA
+Reference:https://github.com/systemd/systemd/commit/1fa6abd4ae2445b08e3c3fc3d4eade1e833f43da
+---
+ src/core/execute.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/src/core/execute.c b/src/core/execute.c
+index 04c0513453..b6c54493d3 100644
+--- a/src/core/execute.c
++++ b/src/core/execute.c
+@@ -1163,10 +1163,11 @@ static int setup_pam(
+ };
+ 
+ _cleanup_(barrier_destroy) Barrier barrier = BARRIER_NULL;
++ _cleanup_strv_free_ char **e = NULL;
+ pam_handle_t *handle = NULL;
+ sigset_t old_ss;
+ int pam_code = PAM_SUCCESS, r;
+- char **nv, **e = NULL;
++ char **nv;
+ bool close_session = false;
+ pid_t pam_pid = 0, parent_pid;
+ int flags = 0;
+@@ -1363,9 +1364,7 @@ fail:
+ (void) pam_end(handle, pam_code | flags);
+ }
+ 
+- strv_free(e);
+ closelog();
+-
+ return r;
+ #else
+ return 0;
+-- 
+2.33.0
+
diff --git a/backport-explicitly-close-FIDO2-devices.patch b/backport-explicitly-close-FIDO2-devices.patch
new file mode 100644
index 0000000000000000000000000000000000000000..c1b79265f29bedf380ffca36b7e38ce1d8330021
--- /dev/null
+++ b/backport-explicitly-close-FIDO2-devices.patch
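Review bot: With `e` now declared `_cleanup_strv_free_`, the success path of setup_pam() must hand the vector over in a way that resets `e` to NULL, otherwise the list stored through `env` is freed on return and the caller is left holding a dangling pointer. That path lies between the two inner hunks and is not shown, so it needs confirming in the full file; a plain `*env = e;` there would have to become `*env = TAKE_PTR(e);`. A short comment at the hand-over, such as `/* ownership of e moves to the caller */`, would keep a later edit from reintroducing a manual free.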
@@ -0,0 +1,66 @@ +From d6e4920b10c3da1665cb44f4686893b865003d12 Mon Sep 17 00:00:00 2001 +From: pedro martelletto +Date: Wed, 8 Sep 2021 10:42:56 +0200 +Subject: [PATCH] explicitly close FIDO2 devices + +FIDO2 device access is serialised by libfido2 using flock(). +Therefore, make sure to close a FIDO2 device once we are done +with it, or we risk opening it again at a later point and +deadlocking. Fixes #20664. + +(cherry picked from commit b6aa89b0a399992c8ea762e6ec4f30cff90618f2) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/d6e4920b10c3da1665cb44f4686893b865003d12 +--- + src/shared/libfido2-util.c | 2 ++ + src/shared/libfido2-util.h | 5 ++++- + 2 files changed, 6 insertions(+), 1 deletion(-) + +diff --git a/src/shared/libfido2-util.c b/src/shared/libfido2-util.c +index 12c644dcfc..6d18178b68 100644 +--- a/src/shared/libfido2-util.c ++++ b/src/shared/libfido2-util.c +@@ -58,6 +58,7 @@ bool (*sym_fido_dev_is_fido2)(const fido_dev_t *) = NULL; + int (*sym_fido_dev_make_cred)(fido_dev_t *, fido_cred_t *, const char *) = NULL; + fido_dev_t* (*sym_fido_dev_new)(void) = NULL; + int (*sym_fido_dev_open)(fido_dev_t *, const char *) = NULL; ++int (*sym_fido_dev_close)(fido_dev_t *) = NULL; + const char* (*sym_fido_strerr)(int) = NULL; + + int dlopen_libfido2(void) { +@@ -106,6 +107,7 @@ int dlopen_libfido2(void) { + DLSYM_ARG(fido_dev_make_cred), + DLSYM_ARG(fido_dev_new), + DLSYM_ARG(fido_dev_open), ++ DLSYM_ARG(fido_dev_close), + DLSYM_ARG(fido_strerr)); + } + +diff --git a/src/shared/libfido2-util.h b/src/shared/libfido2-util.h +index 5640cca5e3..4ebf8ab775 100644 +--- a/src/shared/libfido2-util.h ++++ b/src/shared/libfido2-util.h +@@ -60,6 +60,7 @@ extern bool (*sym_fido_dev_is_fido2)(const fido_dev_t *); + extern int (*sym_fido_dev_make_cred)(fido_dev_t *, fido_cred_t *, const char *); + extern fido_dev_t* (*sym_fido_dev_new)(void); + extern int (*sym_fido_dev_open)(fido_dev_t *, const char *); ++extern int (*sym_fido_dev_close)(fido_dev_t *); + 
extern const char* (*sym_fido_strerr)(int); + + int dlopen_libfido2(void); +@@ -75,8 +76,10 @@ static inline void fido_assert_free_wrapper(fido_assert_t **p) { + } + + static inline void fido_dev_free_wrapper(fido_dev_t **p) { +- if (*p) ++ if (*p) { ++ sym_fido_dev_close(*p); + sym_fido_dev_free(p); ++ } + } + + static inline void fido_cred_free_wrapper(fido_cred_t **p) { +-- +2.33.0 + diff --git a/backport-fileio-fix-truncated-read-handling-in-read_virtual_f.patch b/backport-fileio-fix-truncated-read-handling-in-read_virtual_f.patch new file mode 100644 index 0000000000000000000000000000000000000000..7b02708b3cefa67b82571ed0a4cfd0ecf10e8531 --- /dev/null +++ b/backport-fileio-fix-truncated-read-handling-in-read_virtual_f.patch 
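Review bot: In fido_dev_free_wrapper() the result of `sym_fido_dev_close(*p)` is discarded without being marked as such, and the wrapper now also runs the close on handles that were allocated but possibly never opened. Writing it as `(void) sym_fido_dev_close(*p);` states that the error is ignored on purpose, in line with the `(void)` convention used elsewhere in this code base. A one-line comment such as `/* close explicitly so libfido2's device lock is released; a failure on a never-opened handle is harmless */` would record why the call is there. How fido_dev_close() behaves for an unopened handle is not visible in this hunk, so that part should be checked against the library.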
@@ -0,0 +1,44 @@
+From c9e0daf821b3e1e6504ca4c4e3a8b73513e28fa7 Mon Sep 17 00:00:00 2001
+From: Lennart Poettering
+Date: Thu, 16 Sep 2021 12:20:09 +0200
+Subject: [PATCH] fileio: fix truncated read handling in read_virtual_file()
+
+We mishandled the case where the size we read from the file actually
+matched the maximum size fully. In that case we cannot really make a
+determination whether the file was fully read or only partially. In that
+case let's do another loop, so that we operate with a buffer, and
+we can detect the EOF (which will be signalled to us via a short read).
+
+(cherry picked from commit 00bd9a4a82ed57bc0c7f158da4564fc1eab808b4)
+
+Conflict:NA
+Reference:https://github.com/systemd/systemd/commit/c9e0daf821b3e1e6504ca4c4e3a8b73513e28fa7
+---
+ src/basic/fileio.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/src/basic/fileio.c b/src/basic/fileio.c
+index 1046e5b9b4..6c8ebe63e0 100644
+--- a/src/basic/fileio.c
++++ b/src/basic/fileio.c
+@@ -470,9 +470,14 @@ int read_virtual_file(const char *filename, size_t max_size, char **ret_contents
+ if (n <= size)
+ break;
+ 
+- /* If a maximum size is specified and we already read as much, no need to try again */
+- if (max_size != SIZE_MAX && n >= max_size) {
+- n = max_size;
++ /* If a maximum size is specified and we already read more we know the file is larger, and
++ * can handle this as truncation case. Note that if the size of what we read equals the
++ * maximum size then this doesn't mean truncation, the file might or might not end on that
++ * byte. We need to rerun the loop in that case, with a larger buffer size, so that we read
++ * at least one more byte to be able to distinguish EOF from truncation. */
++ if (max_size != SIZE_MAX && n > max_size) {
++ n = size; /* Make sure we never use more than what we sized the buffer for (so that
++ * we have one free byte in it for the trailing NUL we add below).*/
+ truncated = true;
+ break;
+ }
+-- 
+2.33.0
+
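Review bot: The truncation branch now sets `n = size`, and the trailing NUL written after the loop is only in bounds if the buffer holds at least size + 1 bytes; the allocation is outside this hunk, so that invariant cannot be checked here. An `assert(n <= size);` immediately before the NUL store would make it explicit and catch a later change to the sizing logic. When `n == max_size` the loop is now re-entered and depends on a retry being left, and the retry accounting is also outside the hunk, so it is worth re-reading with this case in mind. Minor: the new comment ends in `below).*/` without a space before the terminator.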
diff --git a/backport-fileio-lower-maximum-virtual-file-buffer-size-by-one.patch b/backport-fileio-lower-maximum-virtual-file-buffer-size-by-one.patch
new file mode 100644
index 0000000000000000000000000000000000000000..e883954d425dd04c7fa5447900f0dc84a6f0f8c8
--- /dev/null
+++ b/backport-fileio-lower-maximum-virtual-file-buffer-size-by-one.patch
@@ -0,0 +1,71 @@ +From feb68f6aad36930f0b0c6c70164287c5bc46b64c Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Tue, 14 Sep 2021 23:03:37 +0200 +Subject: [PATCH] fileio: lower maximum virtual file buffer size by one byte +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +When reading virtual files (i.e. procfs, sysfs, …) we currently put a +limit of 4M-1 on that. We have to pick something, and we have to read +these files in a single read() (since the kernel generally doesn't +support continuation read()s for them). 4M-1 is actually the maximum +size the kernel allows for reads from files in /proc/sys/, all larger +reads will result in an ENOMEM error (which is really weird, but the +kernel does what the kernel does). Hence 4M-1 sounds like a smart +choice. + +However, we made one mistake here: in order to be able to detect EOFs +properly we actually read one byte more than we actually intend to +return: if that extra byte can be read, then we know the file is +actually larger than our limit and we can generate an EFBIG error from +that. However, if it cannot be read then we know EOF was hit, and we are +good. So ultimately after all we issued a single 4M read, which the +kernel then responds with ENOMEM to. And that means read_virtual_file() +actually doesn't work properly right now on /proc/sys/. Let's fix that. + +The fix is simple, lower the limit of the the buffer we intend to return +by one, i.e. 4M-2. That way, the read() we'll issue is exactly as large +as the limit the kernel allows, and we still get safely detect EOF from +it. 
+ +(cherry picked from commit 7ab7547a40d456d34120b2f44b26385ac1338ebd) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/feb68f6aad36930f0b0c6c70164287c5bc46b64c +--- + src/basic/fileio.c | 18 ++++++++++-------- + 1 file changed, 10 insertions(+), 8 deletions(-) + +diff --git a/src/basic/fileio.c b/src/basic/fileio.c +index 99a44fdea2..ba0ca98d72 100644 +--- a/src/basic/fileio.c ++++ b/src/basic/fileio.c +@@ -30,14 +30,16 @@ + /* The maximum size of the file we'll read in one go in read_full_file() (64M). */ + #define READ_FULL_BYTES_MAX (64U*1024U*1024U - 1U) + +-/* The maximum size of virtual files we'll read in one go in read_virtual_file() (4M). Note that this limit +- * is different (and much lower) than the READ_FULL_BYTES_MAX limit. This reflects the fact that we use +- * different strategies for reading virtual and regular files: virtual files are generally size constrained: +- * there we allocate the full buffer size in advance. Regular files OTOH can be much larger, and here we grow +- * the allocations exponentially in a loop. In glibc large allocations are immediately backed by mmap() +- * making them relatively slow (measurably so). Thus, when allocating the full buffer in advance the large +- * limit is a problem. When allocating piecemeal it's not. Hence pick two distinct limits. */ +-#define READ_VIRTUAL_BYTES_MAX (4U*1024U*1024U - 1U) ++/* The maximum size of virtual files (i.e. procfs, sysfs, and other virtual "API" files) we'll read in one go ++ * in read_virtual_file(). Note that this limit is different (and much lower) than the READ_FULL_BYTES_MAX ++ * limit. This reflects the fact that we use different strategies for reading virtual and regular files: ++ * virtual files we generally have to read in a single read() syscall since the kernel doesn't support ++ * continuation read()s for them. Thankfully they are somewhat size constrained. Thus we can allocate the ++ * full potential buffer in advance. 
Regular files OTOH can be much larger, and there we grow the allocations ++ * exponentially in a loop. We use a size limit of 4M-2 because 4M-1 is the maximum buffer that /proc/sys/ ++ * allows us to read() (larger reads will fail with ENOMEM), and we want to read one extra byte so that we ++ * can detect EOFs. */ ++#define READ_VIRTUAL_BYTES_MAX (4U*1024U*1024U - 2U) + + int fopen_unlocked(const char *path, const char *options, FILE **ret) { + assert(ret); +-- +2.33.0 + diff --git a/backport-fileio-set-O_NOCTTY-when-reading-virtual-files.patch b/backport-fileio-set-O_NOCTTY-when-reading-virtual-files.patch new file mode 100644 index 0000000000000000000000000000000000000000..2d7ae85c0f8123de9297437596dbf55536b60169 --- /dev/null +++ b/backport-fileio-set-O_NOCTTY-when-reading-virtual-files.patch @@ -0,0 +1,32 @@ +From ca6c93956879e368e40bbf5a742fcb1689712d81 Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Tue, 14 Sep 2021 23:11:55 +0200 +Subject: [PATCH] fileio: set O_NOCTTY when reading virtual files + +Better be safe than sorry, maybe someone points this call to a TTY one +day, and we'd rather not make it our controlling TTY in that case. + +(cherry picked from commit be991d7678c35aa037ef79672c0c70781eebed9c) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/ca6c93956879e368e40bbf5a742fcb1689712d81 +--- + src/basic/fileio.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/basic/fileio.c b/src/basic/fileio.c +index ba0ca98d72..39abf985eb 100644 +--- a/src/basic/fileio.c ++++ b/src/basic/fileio.c +@@ -395,7 +395,7 @@ int read_virtual_file(const char *filename, size_t max_size, char **ret_contents + * contents* may be returned. (Though the read is still done using one syscall.) Returns 0 on + * partial success, 1 if untruncated contents were read. */ + +- fd = open(filename, O_RDONLY|O_CLOEXEC); ++ fd = open(filename, O_RDONLY|O_NOCTTY|O_CLOEXEC); + if (fd < 0) + return -errno; + +-- +2.33.0 + 
diff --git a/backport-fileio-start-with-4k-buffer-for-procfs.patch b/backport-fileio-start-with-4k-buffer-for-procfs.patch
new file mode 100644
index 0000000000000000000000000000000000000000..ed9f02abcd5e1eb4885f25501b0210e65c16c763
--- /dev/null
+++ b/backport-fileio-start-with-4k-buffer-for-procfs.patch
@@ -0,0 +1,46 @@
+From b3f5d2f4044751a4a741e033a9bc621ede573cb2 Mon Sep 17 00:00:00 2001
+From: Anita Zhang
+Date: Tue, 14 Sep 2021 16:33:10 -0700
+Subject: [PATCH] fileio: start with 4k buffer for procfs
+
+There's a very gradual increase of anonymous memory in systemd-journald that
+blames to 2ac67221bb6270f0fbe7cbd0076653832cd49de2.
+
+systemd-journald makes many calls to read /proc/PID/cmdline and
+/proc/PID/status, both of which tend to be well under 4K. However the
+combination of allocating 4M read buffers, then using `realloc()` to
+shrink the buffer in `read_virtual_file()` appears to be creating
+fragmentation in the heap (when combined with the other allocations
+systemd-journald is doing).
+
+To help mitigate this, try reading /proc with a 4K buffer as
+`read_virtual_file()` did before 2ac67221bb6270f0fbe7cbd0076653832cd49de2.
+If it isn't big enough then try again with the larger buffers.
+
+(cherry picked from commit 5aaa55d841249f057fd69e50cf12a52e9781a6ce)
+
+Conflict:NA
+Reference:https://github.com/systemd/systemd/commit/b3f5d2f4044751a4a741e033a9bc621ede573cb2
+---
+ src/basic/fileio.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/basic/fileio.c b/src/basic/fileio.c
+index 39abf985eb..1046e5b9b4 100644
+--- a/src/basic/fileio.c
++++ b/src/basic/fileio.c
+@@ -433,6 +433,11 @@ int read_virtual_file(const char *filename, size_t max_size, char **ret_contents
+ }
+ 
+ n_retries--;
++ } else if (n_retries > 1) {
++ /* Files in /proc are generally smaller than the page size so let's start with a page size
++ * buffer from malloc and only use the max buffer on the final try. */
++ size = MIN3(page_size() - 1, READ_VIRTUAL_BYTES_MAX, max_size);
++ n_retries = 1;
+ } else {
+ size = MIN(READ_VIRTUAL_BYTES_MAX, max_size);
+ n_retries = 0;
+-- 
+2.33.0
+
diff --git a/backport-fix-CVE-2021-33910.patch b/backport-fix-CVE-2021-33910.patch
index e0a971f82047673fe76838ea762515806fda80f8..cf702e549af37bdd34157f214a85511a2b86d27e 100644
--- a/backport-fix-CVE-2021-33910.patch +++ b/backport-fix-CVE-2021-33910.patch @@ -1,4 +1,4 @@ -From 441e0115646d54f080e5c3bb0ba477c892861ab9 Mon Sep 17 00:00:00 2001 +From 764b74113e36ac5219a4b82a05f311b5a92136ce Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Wed, 23 Jun 2021 11:46:41 +0200 Subject: [PATCH] basic/unit-name: do not use strdupa() on a path @@ -20,13 +20,16 @@ So we can't reject paths that are too long before doing the duplication. Hence the most obvious solution is to switch back to strdup(), as before 7410616cd9dbbec97cf98d75324da5cda2b2f7a2. -https://github.com/systemd/systemd/pull/20256/commits/441e0115646d54f080e5c3bb0ba477c892861ab9 +(cherry picked from commit 441e0115646d54f080e5c3bb0ba477c892861ab9) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/764b74113e36ac5219a4b82a05f311b5a92136ce --- src/basic/unit-name.c | 13 +++++-------- 1 file changed, 5 insertions(+), 8 deletions(-) diff --git a/src/basic/unit-name.c b/src/basic/unit-name.c -index 532f8fa..024b8a5 100644 +index 284a773483..a22763443f 100644 --- a/src/basic/unit-name.c +++ b/src/basic/unit-name.c @@ -378,12 +378,13 @@ int unit_name_unescape(const char *f, char **ret) { @@ -62,5 +65,5 @@ index 532f8fa..024b8a5 100644 if (!s) return -ENOMEM; -- -2.23.0 +2.33.0 diff --git a/backport-fix-ConditionDirectoryNotEmpty-when-it-comes-to-a-No.patch b/backport-fix-ConditionDirectoryNotEmpty-when-it-comes-to-a-No.patch index 6e026b31bc1a641c7fc919841af3c8f012642af4..182e9c61485a706aee3e566e91060dc33e7da03c 100644 --- a/backport-fix-ConditionDirectoryNotEmpty-when-it-comes-to-a-No.patch +++ b/backport-fix-ConditionDirectoryNotEmpty-when-it-comes-to-a-No.patch @@ -1,18 +1,22 @@ -From 193105f2d0408e2d96265935174b3cf0f100ef2e Mon Sep 17 00:00:00 2001 +From 10fc8b7775a8cfd9519a1c6628d813b1aa315a33 Mon Sep 17 00:00:00 2001 
From: jiangchuangang Date: Mon, 29 Nov 2021 22:30:37 +0800 Subject: [PATCH] fix ConditionDirectoryNotEmpty when it comes to a Non-directory file +(cherry picked from commit 193105f2d0408e2d96265935174b3cf0f100ef2e) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/10fc8b7775a8cfd9519a1c6628d813b1aa315a33 --- src/shared/condition.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/shared/condition.c b/src/shared/condition.c -index 6e769e9d59..a86f2b9ffb 100644 +index ec9d57b292..163ddc1208 100644 --- a/src/shared/condition.c +++ b/src/shared/condition.c -@@ -931,7 +931,7 @@ static int condition_test_directory_not_empty(Condition *c, char **env) { +@@ -934,7 +934,7 @@ static int condition_test_directory_not_empty(Condition *c, char **env) { assert(c->type == CONDITION_DIRECTORY_NOT_EMPTY); r = dir_is_empty(c->parameter); @@ -22,5 +26,5 @@ index 6e769e9d59..a86f2b9ffb 100644 static int condition_test_file_not_empty(Condition *c, char **env) { -- -2.27.0 +2.33.0 diff --git a/backport-fix-ConditionPathIsReadWrite-when-path-does-not-exis.patch b/backport-fix-ConditionPathIsReadWrite-when-path-does-not-exis.patch index 6c8b7f28840f31f54ad4645a2bb80651f6ecc421..b70ba2c1543341766c7712c9cec9d4afad73b87c 100644 --- a/backport-fix-ConditionPathIsReadWrite-when-path-does-not-exis.patch +++ b/backport-fix-ConditionPathIsReadWrite-when-path-does-not-exis.patch @@ -1,17 +1,21 @@ -From 7c4c9948d02ceda903ed4e4deea0d0084612625a Mon Sep 17 00:00:00 2001 +From 80b7a4276abb832b6af1d1d060affb0988ab7fa0 Mon Sep 17 00:00:00 2001 From: jiangchuangang Date: Tue, 30 Nov 2021 15:25:27 +0800 Subject: [PATCH] fix ConditionPathIsReadWrite when path does not exist. +(cherry picked from commit 7c4c9948d02ceda903ed4e4deea0d0084612625a) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/80b7a4276abb832b6af1d1d060affb0988ab7fa0 --- src/shared/condition.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) 
diff --git a/src/shared/condition.c b/src/shared/condition.c -index a86f2b9ffb..dae75a5bf5 100644 +index 163ddc1208..6645f771dd 100644 --- a/src/shared/condition.c +++ b/src/shared/condition.c -@@ -894,11 +894,15 @@ static int condition_test_path_is_mount_point(Condition *c, char **env) { +@@ -897,11 +897,15 @@ static int condition_test_path_is_mount_point(Condition *c, char **env) { } static int condition_test_path_is_read_write(Condition *c, char **env) { @@ -29,5 +33,5 @@ index a86f2b9ffb..dae75a5bf5 100644 static int condition_test_cpufeature(Condition *c, char **env) { -- -2.27.0 +2.33.0 diff --git a/backport-fix-DirectoryNotEmpty-when-it-comes-to-a-Non-directo.patch b/backport-fix-DirectoryNotEmpty-when-it-comes-to-a-Non-directo.patch index 3234d285d6003099edd76292342908b72f1593b5..0e0f6d6ff012256192d838b6f0807484dab0a058 100644 --- a/backport-fix-DirectoryNotEmpty-when-it-comes-to-a-Non-directo.patch +++ b/backport-fix-DirectoryNotEmpty-when-it-comes-to-a-Non-directo.patch @@ -1,14 +1,18 @@ -From 5896a9ebdbe4d38c01390d0a5e82f9fcb4971059 Mon Sep 17 00:00:00 2001 +From 0fdcae09c44486e30e4fe0469606c02d034577be Mon Sep 17 00:00:00 2001 From: yangmingtai <961612727@qq.com> Date: Mon, 6 Dec 2021 17:06:13 +0800 Subject: [PATCH] fix DirectoryNotEmpty when it comes to a Non-directory file +(cherry picked from commit 5896a9ebdbe4d38c01390d0a5e82f9fcb4971059) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/0fdcae09c44486e30e4fe0469606c02d034577be --- src/core/path.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/core/path.c b/src/core/path.c -index 29ec66fd4d..bcd922901b 100644 +index e098e83a31..684e17f433 100644 --- a/src/core/path.c +++ b/src/core/path.c @@ -215,7 +215,7 @@ static bool path_spec_check_good(PathSpec *s, bool initial, bool from_trigger_no @@ -21,5 +25,5 @@ index 29ec66fd4d..bcd922901b 100644 } -- -2.27.0 +2.33.0 
diff --git a/backport-fix-test-string-util-failed-when-locale-is-not-utf8.patch b/backport-fix-test-string-util-failed-when-locale-is-not-utf8.patch new file mode 100644 index 0000000000000000000000000000000000000000..bab87450a59df866803c0fe0d2c4689089515e08 --- /dev/null +++ b/backport-fix-test-string-util-failed-when-locale-is-not-utf8.patch 
@@ -0,0 +1,71 @@ +From bad124022e97195191d3dd1ea2b5b9aa9df57aea Mon Sep 17 00:00:00 2001 +From: yangmingtai <961612727@qq.com> +Date: Tue, 11 Jan 2022 20:22:11 +0800 +Subject: [PATCH] fix test-string-util failed when locale is not utf8 + +(cherry picked from commit 647082cf7f07a87c65601626e86c3ed9f78fb387) +(cherry picked from commit 32f33c9474ab89061d799a92a1273b106468e8c6) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/bad124022e97195191d3dd1ea2b5b9aa9df57aea +--- + src/test/test-string-util.c | 32 ++++++++++++++++---------------- + 1 file changed, 16 insertions(+), 16 deletions(-) + +diff --git a/src/test/test-string-util.c b/src/test/test-string-util.c +index 4d9d0260c9..266aee9115 100644 +--- a/src/test/test-string-util.c ++++ b/src/test/test-string-util.c +@@ -176,33 +176,33 @@ static void test_cellescape(void) { + assert_se(streq(cellescape(buf, 1, "\020"), "")); + assert_se(streq(cellescape(buf, 2, "\020"), ".")); + assert_se(streq(cellescape(buf, 3, "\020"), "..")); +- assert_se(streq(cellescape(buf, 4, "\020"), "…")); ++ assert_se(streq(cellescape(buf, 4, "\020"), is_locale_utf8() ? "…" : "...")); + assert_se(streq(cellescape(buf, 5, "\020"), "\\020")); + +- assert_se(streq(cellescape(buf, 5, "1234\020"), "1…")); +- assert_se(streq(cellescape(buf, 6, "1234\020"), "12…")); +- assert_se(streq(cellescape(buf, 7, "1234\020"), "123…")); +- assert_se(streq(cellescape(buf, 8, "1234\020"), "1234…")); ++ assert_se(streq(cellescape(buf, 5, "1234\020"), is_locale_utf8() ? "1…" : "1...")); ++ assert_se(streq(cellescape(buf, 6, "1234\020"), is_locale_utf8() ? "12…" : "12...")); ++ assert_se(streq(cellescape(buf, 7, "1234\020"), is_locale_utf8() ? "123…" : "123...")); ++ assert_se(streq(cellescape(buf, 8, "1234\020"), is_locale_utf8() ? 
"1234…" : "1234...")); + assert_se(streq(cellescape(buf, 9, "1234\020"), "1234\\020")); + + assert_se(streq(cellescape(buf, 1, "\t\n"), "")); + assert_se(streq(cellescape(buf, 2, "\t\n"), ".")); + assert_se(streq(cellescape(buf, 3, "\t\n"), "..")); +- assert_se(streq(cellescape(buf, 4, "\t\n"), "…")); ++ assert_se(streq(cellescape(buf, 4, "\t\n"), is_locale_utf8() ? "…" : "...")); + assert_se(streq(cellescape(buf, 5, "\t\n"), "\\t\\n")); + +- assert_se(streq(cellescape(buf, 5, "1234\t\n"), "1…")); +- assert_se(streq(cellescape(buf, 6, "1234\t\n"), "12…")); +- assert_se(streq(cellescape(buf, 7, "1234\t\n"), "123…")); +- assert_se(streq(cellescape(buf, 8, "1234\t\n"), "1234…")); ++ assert_se(streq(cellescape(buf, 5, "1234\t\n"), is_locale_utf8() ? "1…" : "1...")); ++ assert_se(streq(cellescape(buf, 6, "1234\t\n"), is_locale_utf8() ? "12…" : "12...")); ++ assert_se(streq(cellescape(buf, 7, "1234\t\n"), is_locale_utf8() ? "123…" : "123...")); ++ assert_se(streq(cellescape(buf, 8, "1234\t\n"), is_locale_utf8() ? "1234…" : "1234...")); + assert_se(streq(cellescape(buf, 9, "1234\t\n"), "1234\\t\\n")); + +- assert_se(streq(cellescape(buf, 4, "x\t\020\n"), "…")); +- assert_se(streq(cellescape(buf, 5, "x\t\020\n"), "x…")); +- assert_se(streq(cellescape(buf, 6, "x\t\020\n"), "x…")); +- assert_se(streq(cellescape(buf, 7, "x\t\020\n"), "x\\t…")); +- assert_se(streq(cellescape(buf, 8, "x\t\020\n"), "x\\t…")); +- assert_se(streq(cellescape(buf, 9, "x\t\020\n"), "x\\t…")); ++ assert_se(streq(cellescape(buf, 4, "x\t\020\n"), is_locale_utf8() ? "…" : "...")); ++ assert_se(streq(cellescape(buf, 5, "x\t\020\n"), is_locale_utf8() ? "x…" : "x...")); ++ assert_se(streq(cellescape(buf, 6, "x\t\020\n"), is_locale_utf8() ? "x…" : "x...")); ++ assert_se(streq(cellescape(buf, 7, "x\t\020\n"), is_locale_utf8() ? "x\\t…" : "x\\t...")); ++ assert_se(streq(cellescape(buf, 8, "x\t\020\n"), is_locale_utf8() ? 
"x\\t…" : "x\\t...")); ++ assert_se(streq(cellescape(buf, 9, "x\t\020\n"), is_locale_utf8() ? "x\\t…" : "x\\t...")); + assert_se(streq(cellescape(buf, 10, "x\t\020\n"), "x\\t\\020\\n")); + + assert_se(streq(cellescape(buf, 6, "1\011"), "1\\t")); +-- +2.33.0 + diff --git a/backport-fstab-generator-Respect-nofail-when-ordering.patch b/backport-fstab-generator-Respect-nofail-when-ordering.patch new file mode 100644 index 0000000000000000000000000000000000000000..11b4c20f2da071711825de84595a72a6f3945c72 --- /dev/null +++ b/backport-fstab-generator-Respect-nofail-when-ordering.patch @@ -0,0 +1,30 @@ +From efd98964fb9202451293043dcffb3898b176a7d0 Mon Sep 17 00:00:00 2001 +From: Vladimir Panteleev +Date: Tue, 17 Aug 2021 18:30:29 +0000 +Subject: [PATCH] fstab-generator: Respect nofail when ordering + +(cherry picked from commit e9aee932409754c9f709a8ea3ad13caf39fce7d2) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/efd98964fb9202451293043dcffb3898b176a7d0 +--- + src/fstab-generator/fstab-generator.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/src/fstab-generator/fstab-generator.c b/src/fstab-generator/fstab-generator.c +index a4e3ea5311..b6582c9538 100644 +--- a/src/fstab-generator/fstab-generator.c ++++ b/src/fstab-generator/fstab-generator.c +@@ -435,7 +435,8 @@ static int add_mount( + + /* Order the mount unit we generate relative to the post unit, so that DefaultDependencies= on the + * target unit won't affect us. */ +- if (post && !FLAGS_SET(flags, MOUNT_AUTOMOUNT) && !FLAGS_SET(flags, MOUNT_NOAUTO)) ++ if (post && !FLAGS_SET(flags, MOUNT_AUTOMOUNT) && !FLAGS_SET(flags, MOUNT_NOAUTO) && ++ !FLAGS_SET(flags, MOUNT_NOFAIL)) + fprintf(f, "Before=%s\n", post); + + if (passno != 0) { +-- +2.33.0 + 
diff --git a/backport-fstab-generator-do-not-remount-sys-when-running-in-a.patch b/backport-fstab-generator-do-not-remount-sys-when-running-in-a.patch
new file mode 100644
index 0000000000000000000000000000000000000000..c79e2da9c3b82a187e5f0504a51342e5078c6e3d
--- /dev/null
+++ b/backport-fstab-generator-do-not-remount-sys-when-running-in-a.patch
@@ -0,0 +1,43 @@
+From cee7e40200b5eba60a5fed04fe006e8b48944fb2 Mon Sep 17 00:00:00 2001
+From: Yu Watanabe
+Date: Sun, 12 Dec 2021 11:43:21 +0900
+Subject: [PATCH] fstab-generator: do not remount /sys when running in a
+ container
+
+Closes #21744.
+
+(cherry picked from commit 18f0eaafd7f180f5d0d2d65349835374146efdb3)
+
+Conflict:NA
+Reference:https://github.com/systemd/systemd/commit/cee7e40200b5eba60a5fed04fe006e8b48944fb2
+---
+ src/fstab-generator/fstab-generator.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/src/fstab-generator/fstab-generator.c b/src/fstab-generator/fstab-generator.c
+index b6582c9538..1dee728233 100644
+--- a/src/fstab-generator/fstab-generator.c
++++ b/src/fstab-generator/fstab-generator.c
+@@ -601,9 +601,16 @@ static int parse_fstab(bool initrd) {
+ if (!what)
+ return log_oom();
+ 
+- if (is_device_path(what) && path_is_read_only_fs("/sys") > 0) {
+- log_info("Running in a container, ignoring fstab device entry for %s.", what);
+- continue;
++ if (path_is_read_only_fs("/sys") > 0) {
++ if (streq(what, "sysfs")) {
++ log_info("Running in a container, ignoring fstab entry for %s.", what);
++ continue;
++ }
++
++ if (is_device_path(what)) {
++ log_info("Running in a container, ignoring fstab device entry for %s.", what);
++ continue;
++ }
+ }
+ 
+ where = strdup(me->mnt_dir);
+-- 
+2.33.0
+
diff --git a/backport-fstab-generator-skip-root-directory-handling-when-nf.patch b/backport-fstab-generator-skip-root-directory-handling-when-nf.patch
new file mode 100644
index 0000000000000000000000000000000000000000..34e5b38f42bbe1f99d683b5ecc05081640617104
--- /dev/null
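Review bot: `path_is_read_only_fs("/sys") > 0` is now the outer condition and is evaluated for every fstab entry, although its result cannot change between entries; the enclosing loop in parse_fstab() starts outside the hunk. Computing it once before the loop, e.g. `bool sysfs_ro = path_is_read_only_fs("/sys") > 0;`, and testing `sysfs_ro` here avoids the repeated filesystem query. A negative return is handled the same as "not a container" with no log line, so a debug message for the error case would help when entries are unexpectedly kept or skipped. The check is also a heuristic (read-only /sys taken to mean container), which deserves a short comment at the condition.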
+++ b/backport-fstab-generator-skip-root-directory-handling-when-nf.patch 
@@ -0,0 +1,105 @@ +From 60d4ac20d8b02dd8f67150aaf55a4e0d019f58d2 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Wed, 5 Jan 2022 19:24:46 +0900 +Subject: [PATCH] fstab-generator: skip root directory handling when nfsroot is + requested + +Fixes RHBZ#2037233 (https://bugzilla.redhat.com/show_bug.cgi?id=2037233). + +(cherry picked from commit 77b8e92de8264c0b656a7d2fb437dd8d598ab597) +(cherry picked from commit 7ca41c509e6549abbfc753e560c822b5e32a63cc) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/60d4ac20d8b02dd8f67150aaf55a4e0d019f58d2 +--- + src/fstab-generator/fstab-generator.c | 59 ++++++++++++++++++++++++++- + 1 file changed, 57 insertions(+), 2 deletions(-) + +diff --git a/src/fstab-generator/fstab-generator.c b/src/fstab-generator/fstab-generator.c +index 1dee728233..0f3892789f 100644 +--- a/src/fstab-generator/fstab-generator.c ++++ b/src/fstab-generator/fstab-generator.c +@@ -10,6 +10,7 @@ + #include "fs-util.h" + #include "fstab-util.h" + #include "generator.h" ++#include "in-addr-util.h" + #include "log.h" + #include "main-func.h" + #include "mkdir.h" +@@ -691,6 +692,57 @@ static int parse_fstab(bool initrd) { + return r; + } + ++static int sysroot_is_nfsroot(void) { ++ union in_addr_union u; ++ const char *sep, *a; ++ int r; ++ ++ assert(arg_root_what); ++ ++ /* From dracut.cmdline(7). ++ * ++ * root=[:][:] ++ * root=nfs:[:][:], ++ * root=nfs4:[:][:], ++ * root={dhcp|dhcp6} ++ * ++ * mount nfs share from :/, if no server-ip is given, use dhcp next_server. ++ * If server-ip is an IPv6 address it has to be put in brackets, e.g. [2001:DB8::1]. NFS options ++ * can be appended with the prefix ":" or "," and are separated by ",". 
*/ ++ ++ if (path_equal(arg_root_what, "/dev/nfs") || ++ STR_IN_SET(arg_root_what, "dhcp", "dhcp6") || ++ STARTSWITH_SET(arg_root_what, "nfs:", "nfs4:")) ++ return true; ++ ++ /* IPv6 address */ ++ if (arg_root_what[0] == '[') { ++ sep = strchr(arg_root_what + 1, ']'); ++ if (!sep) ++ return -EINVAL; ++ ++ a = strndupa(arg_root_what + 1, sep - arg_root_what - 1); ++ ++ r = in_addr_from_string(AF_INET6, a, &u); ++ if (r < 0) ++ return r; ++ ++ return true; ++ } ++ ++ /* IPv4 address */ ++ sep = strchr(arg_root_what, ':'); ++ if (sep) { ++ a = strndupa(arg_root_what, sep - arg_root_what); ++ ++ if (in_addr_from_string(AF_INET, a, &u) >= 0) ++ return true; ++ } ++ ++ /* root directory without address */ ++ return path_is_absolute(arg_root_what) && !path_startswith(arg_root_what, "/dev"); ++} ++ + static int add_sysroot_mount(void) { + _cleanup_free_ char *what = NULL; + const char *opts, *fstype; +@@ -708,9 +760,12 @@ static int add_sysroot_mount(void) { + return 0; + } + +- if (path_equal(arg_root_what, "/dev/nfs")) { ++ r = sysroot_is_nfsroot(); ++ if (r < 0) ++ log_debug_errno(r, "Failed to determine if the root directory is on NFS, assuming not: %m"); ++ else if (r > 0) { + /* This is handled by the kernel or the initrd */ +- log_debug("Skipping root directory handling, as /dev/nfs was requested."); ++ log_debug("Skipping root directory handling, as root on NFS was requested."); + return 0; + } + +-- +2.33.0 + diff --git a/backport-home-fix-heap-use-after-free.patch b/backport-home-fix-heap-use-after-free.patch new file mode 100644 index 0000000000000000000000000000000000000000..47e679978e3968ab364d7161436eb9fadbe50de4 --- /dev/null +++ b/backport-home-fix-heap-use-after-free.patch 
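Review bot: Both address branches of `sysroot_is_nfsroot()` copy part of `arg_root_what` with `strndupa()`, which allocates on the stack, and the length `sep - arg_root_what` comes straight from the `root=` value with no bound visible in the hunk. If the reasoning is that the kernel limits the command-line length, a comment should say so, e.g. `/* root= is bounded by the kernel command line size, so strndupa() cannot exhaust the stack */`; otherwise a heap copy freed through `_cleanup_free_` avoids relying on that limit. Separately, `add_sysroot_mount()` logs a helper error such as `-EINVAL` for an unterminated `[` only at debug level and then continues as if the root were not on NFS, so a malformed `root=` still reaches the mount-unit code. A one-line comment stating that this fallback is intended would help the next reader. `add_sysroot_mount()` starts and ends outside the hunk.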
@@ -0,0 +1,38 @@ +From 5ed20345db356121bc72e0092c17b74e2de67ff7 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Tue, 14 Dec 2021 15:38:12 +0900 +Subject: [PATCH] home: fix heap-use-after-free + +`bus_home_emit_remove()` may be called from manager_free() -> home_free(). +In that case, manager->bus is already unref()ed. + +Fixes #21767. + +(cherry picked from commit 2ff457720bd3bc59985e807b748f6305bdf27826) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/5ed20345db356121bc72e0092c17b74e2de67ff7 +--- + src/home/homed-home-bus.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/src/home/homed-home-bus.c b/src/home/homed-home-bus.c +index c71256d15e..601ecc5cf5 100644 +--- a/src/home/homed-home-bus.c ++++ b/src/home/homed-home-bus.c +@@ -940,6 +940,12 @@ int bus_home_emit_remove(Home *h) { + if (!h->announced) + return 0; + ++ if (!h->manager) ++ return 0; ++ ++ if (!h->manager->bus) ++ return 0; ++ + r = bus_home_path(h, &path); + if (r < 0) + return r; +-- +2.33.0 + diff --git a/backport-home-secret-argument-of-handle_generic_user_record_e.patch b/backport-home-secret-argument-of-handle_generic_user_record_e.patch new file mode 100644 index 0000000000000000000000000000000000000000..ffb203f993581e7b5da1ffcb57e7a8fd90d1c839 --- /dev/null +++ b/backport-home-secret-argument-of-handle_generic_user_record_e.patch 
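Review bot: The two early returns added to `bus_home_emit_remove()` prevent the use-after-free only if `manager_free()` resets `manager->bus` to NULL when it drops its reference. A pointer that was unref'ed but left in place would pass `if (!h->manager->bus)` and still be dereferenced further down. That teardown code is outside this hunk, so it is worth confirming before relying on the guard. The checks also deserve a comment recording why they exist, e.g. `/* May be called via manager_free() -> home_free() after the bus was released; nothing to emit then */`. The function body continues outside the hunk.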
@@ -0,0 +1,114 @@ +From 5179b3a071535610be2b55efa77f174c87c3c2b6 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Sun, 5 Sep 2021 11:16:26 +0900 +Subject: [PATCH] home: 'secret' argument of handle_generic_user_record_error + may be null + +When RefHome() bus method is called in acquire_home(), secret is NULL. + +Fixes #20639. + +(cherry picked from commit 6a09dbb89507449d158af6c7097d2c51ce83205f) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/5179b3a071535610be2b55efa77f174c87c3c2b6 +--- + src/home/pam_systemd_home.c | 19 ++++++++++++++++++- + 1 file changed, 18 insertions(+), 1 deletion(-) + +diff --git a/src/home/pam_systemd_home.c b/src/home/pam_systemd_home.c +index b7db39dab9..27b292f460 100644 +--- a/src/home/pam_systemd_home.c ++++ b/src/home/pam_systemd_home.c +@@ -281,7 +281,6 @@ static int handle_generic_user_record_error( + const sd_bus_error *error) { + + assert(user_name); +- assert(secret); + assert(error); + + int r; +@@ -301,6 +300,8 @@ static int handle_generic_user_record_error( + } else if (sd_bus_error_has_name(error, BUS_ERROR_BAD_PASSWORD)) { + _cleanup_(erase_and_freep) char *newp = NULL; + ++ assert(secret); ++ + /* This didn't work? Ask for an (additional?) 
password */ + + if (strv_isempty(secret->password)) +@@ -326,6 +327,8 @@ static int handle_generic_user_record_error( + } else if (sd_bus_error_has_name(error, BUS_ERROR_BAD_PASSWORD_AND_NO_TOKEN)) { + _cleanup_(erase_and_freep) char *newp = NULL; + ++ assert(secret); ++ + if (strv_isempty(secret->password)) { + (void) pam_prompt(handle, PAM_ERROR_MSG, NULL, "Security token of user %s not inserted.", user_name); + r = pam_prompt(handle, PAM_PROMPT_ECHO_OFF, &newp, "Try again with password: "); +@@ -350,6 +353,8 @@ static int handle_generic_user_record_error( + } else if (sd_bus_error_has_name(error, BUS_ERROR_TOKEN_PIN_NEEDED)) { + _cleanup_(erase_and_freep) char *newp = NULL; + ++ assert(secret); ++ + r = pam_prompt(handle, PAM_PROMPT_ECHO_OFF, &newp, "Security token PIN: "); + if (r != PAM_SUCCESS) + return PAM_CONV_ERR; /* no logging here */ +@@ -367,6 +372,8 @@ static int handle_generic_user_record_error( + + } else if (sd_bus_error_has_name(error, BUS_ERROR_TOKEN_PROTECTED_AUTHENTICATION_PATH_NEEDED)) { + ++ assert(secret); ++ + (void) pam_prompt(handle, PAM_ERROR_MSG, NULL, "Please authenticate physically on security token of user %s.", user_name); + + r = user_record_set_pkcs11_protected_authentication_path_permitted(secret, true); +@@ -377,6 +384,8 @@ static int handle_generic_user_record_error( + + } else if (sd_bus_error_has_name(error, BUS_ERROR_TOKEN_USER_PRESENCE_NEEDED)) { + ++ assert(secret); ++ + (void) pam_prompt(handle, PAM_ERROR_MSG, NULL, "Please confirm presence on security token of user %s.", user_name); + + r = user_record_set_fido2_user_presence_permitted(secret, true); +@@ -387,6 +396,8 @@ static int handle_generic_user_record_error( + + } else if (sd_bus_error_has_name(error, BUS_ERROR_TOKEN_USER_VERIFICATION_NEEDED)) { + ++ assert(secret); ++ + (void) pam_prompt(handle, PAM_ERROR_MSG, NULL, "Please verify user on security token of user %s.", user_name); + + r = user_record_set_fido2_user_verification_permitted(secret, true); +@@ -403,6 
+414,8 @@ static int handle_generic_user_record_error( + } else if (sd_bus_error_has_name(error, BUS_ERROR_TOKEN_BAD_PIN)) { + _cleanup_(erase_and_freep) char *newp = NULL; + ++ assert(secret); ++ + (void) pam_prompt(handle, PAM_ERROR_MSG, NULL, "Security token PIN incorrect for user %s.", user_name); + r = pam_prompt(handle, PAM_PROMPT_ECHO_OFF, &newp, "Sorry, retry security token PIN: "); + if (r != PAM_SUCCESS) +@@ -422,6 +435,8 @@ static int handle_generic_user_record_error( + } else if (sd_bus_error_has_name(error, BUS_ERROR_TOKEN_BAD_PIN_FEW_TRIES_LEFT)) { + _cleanup_(erase_and_freep) char *newp = NULL; + ++ assert(secret); ++ + (void) pam_prompt(handle, PAM_ERROR_MSG, NULL, "Security token PIN of user %s incorrect (only a few tries left!)", user_name); + r = pam_prompt(handle, PAM_PROMPT_ECHO_OFF, &newp, "Sorry, retry security token PIN: "); + if (r != PAM_SUCCESS) +@@ -441,6 +456,8 @@ static int handle_generic_user_record_error( + } else if (sd_bus_error_has_name(error, BUS_ERROR_TOKEN_BAD_PIN_ONE_TRY_LEFT)) { + _cleanup_(erase_and_freep) char *newp = NULL; + ++ assert(secret); ++ + (void) pam_prompt(handle, PAM_ERROR_MSG, NULL, "Security token PIN of user %s incorrect (only one try left!)", user_name); + r = pam_prompt(handle, PAM_PROMPT_ECHO_OFF, &newp, "Sorry, retry security token PIN: "); + if (r != PAM_SUCCESS) +-- +2.33.0 + diff --git a/backport-homed-add-missing-SYNTHETIC_ERRNO.patch b/backport-homed-add-missing-SYNTHETIC_ERRNO.patch new file mode 100644 index 0000000000000000000000000000000000000000..56b670cf5d13374f55d23cf99b3186e3048e088d --- /dev/null +++ b/backport-homed-add-missing-SYNTHETIC_ERRNO.patch 
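Review bot: With `assert(secret)` moved into the individual `BUS_ERROR_*` branches of `handle_generic_user_record_error()`, whether the assertion fires now depends on which error name the daemon sends back, and this code runs inside whatever process loaded the PAM module. If the caller that passes a NULL `secret` can ever receive one of these password or token errors, that process aborts instead of getting a PAM failure code; whether that is reachable is not visible in these hunks. A runtime check in each branch fails closed without an abort: `if (!secret) return PAM_SERVICE_ERR;`. The function starts and ends outside the hunks.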
@@ -0,0 +1,30 @@ +From 00eff1d423d2cb336d1e378cc8f348d2d19c2ed4 Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Tue, 31 Aug 2021 10:47:29 +0200 +Subject: [PATCH] homed: add missing SYNTHETIC_ERRNO() + +(cherry picked from commit 9191142ddfb3ccd2007245c01197d3f42943815c) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/00eff1d423d2cb336d1e378cc8f348d2d19c2ed4 +--- + src/home/homework-cifs.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/src/home/homework-cifs.c b/src/home/homework-cifs.c +index a697f7e5ee..04a4db8a94 100644 +--- a/src/home/homework-cifs.c ++++ b/src/home/homework-cifs.c +@@ -86,7 +86,8 @@ int home_prepare_cifs( + } + + if (!mounted) +- return log_error_errno(ENOKEY, "Failed to mount home directory with supplied password."); ++ return log_error_errno(SYNTHETIC_ERRNO(ENOKEY), ++ "Failed to mount home directory with supplied password."); + + setup->root_fd = open("/run/systemd/user-home-mount", O_RDONLY|O_CLOEXEC|O_DIRECTORY|O_NOFOLLOW); + } +-- +2.33.0 + diff --git a/backport-homed-fix-log-message-referring-to-fsck-when-we-actu.patch b/backport-homed-fix-log-message-referring-to-fsck-when-we-actu.patch new file mode 100644 index 0000000000000000000000000000000000000000..31da36a0d4504f007037886ad968570d6813c445 --- /dev/null +++ b/backport-homed-fix-log-message-referring-to-fsck-when-we-actu.patch 
@@ -0,0 +1,30 @@ +From f41b77e9788541244ad6d6bafe3e130fbabace84 Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Tue, 31 Aug 2021 10:47:02 +0200 +Subject: [PATCH] homed: fix log message referring to fsck, when we actually + mean mount + +(cherry picked from commit e070b9eac92993422db25c72ebdbdcc1cf424a0f) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/f41b77e9788541244ad6d6bafe3e130fbabace84 +--- + src/home/homework-cifs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/home/homework-cifs.c b/src/home/homework-cifs.c +index cf3c58431a..a697f7e5ee 100644 +--- a/src/home/homework-cifs.c ++++ b/src/home/homework-cifs.c +@@ -71,7 +71,7 @@ int home_prepare_cifs( + h->cifs_service, "/run/systemd/user-home-mount", + "-o", options, NULL); + +- log_error_errno(errno, "Failed to execute fsck: %m"); ++ log_error_errno(errno, "Failed to execute mount: %m"); + _exit(EXIT_FAILURE); + } + +-- +2.33.0 + diff --git a/backport-homed-make-sure-to-use-right-asssesors-for-GID-acces.patch b/backport-homed-make-sure-to-use-right-asssesors-for-GID-acces.patch new file mode 100644 index 0000000000000000000000000000000000000000..ba15a3e709cea0096199c7a10f9e848556ef17f0 --- /dev/null +++ b/backport-homed-make-sure-to-use-right-asssesors-for-GID-acces.patch 
@@ -0,0 +1,34 @@ +From b2420e2f911455b57edbb67e16883485ba75a638 Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Tue, 31 Aug 2021 10:46:06 +0200 +Subject: [PATCH] homed: make sure to use right asssesors for GID + access mode + +Don't reach directly into the UserRecord struct, but use the right +assessors, so that the "unspecified" case is covered. + +(cherry picked from commit 279e060e2549183101ebf94e9739b70ed499c4c1) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/b2420e2f911455b57edbb67e16883485ba75a638 +--- + src/home/homework-cifs.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/home/homework-cifs.c b/src/home/homework-cifs.c +index 2254eb59cd..cf3c58431a 100644 +--- a/src/home/homework-cifs.c ++++ b/src/home/homework-cifs.c +@@ -58,8 +58,8 @@ int home_prepare_cifs( + + f = safe_fclose(f); + +- if (asprintf(&options, "credentials=%s,uid=" UID_FMT ",forceuid,gid=" UID_FMT ",forcegid,file_mode=0%3o,dir_mode=0%3o", +- p, h->uid, h->uid, h->access_mode, h->access_mode) < 0) ++ if (asprintf(&options, "credentials=%s,uid=" UID_FMT ",forceuid,gid=" GID_FMT ",forcegid,file_mode=0%3o,dir_mode=0%3o", ++ p, h->uid, user_record_gid(h), user_record_access_mode(h), user_record_access_mode(h)) < 0) + return log_oom(); + + r = safe_fork("(mount)", FORK_RESET_SIGNALS|FORK_RLIMIT_NOFILE_SAFE|FORK_DEATHSIG|FORK_LOG|FORK_STDOUT_TO_STDERR, &mount_pid); +-- +2.33.0 + diff --git a/backport-homed-remove-misplaced-assert.patch b/backport-homed-remove-misplaced-assert.patch new file mode 100644 index 0000000000000000000000000000000000000000..a541e8d374011ace9ffeda42a5ad512ceab1ae88 --- /dev/null +++ b/backport-homed-remove-misplaced-assert.patch 
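Review bot: The rewritten `asprintf()` call in `home_prepare_cifs()` keeps the `file_mode=0%3o,dir_mode=0%3o` conversions, and `%3o` pads with spaces rather than zeros. An access mode below 0100 would therefore yield an option string such as `file_mode=0 70`, which is not the mode that was meant to be passed to the mount helper. Zero padding keeps the string well-formed for every value: `file_mode=0%03o,dir_mode=0%03o`. Whether such modes can come out of `user_record_access_mode(h)` depends on validation outside the hunk. The function starts and ends outside the hunk.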
@@ -0,0 +1,32 @@ +From 3c8240a44dc28a4c7c60c1599799383776f9e6dc Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Tue, 31 Aug 2021 10:47:40 +0200 +Subject: [PATCH] homed: remove misplaced assert() + +(cherry picked from commit 67f9bf897c762ecb61872a5e8e0707a97c8ccd3d) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/3c8240a44dc28a4c7c60c1599799383776f9e6dc +--- + src/home/homework-mount.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/src/home/homework-mount.c b/src/home/homework-mount.c +index 5e737687d1..da4f14e08d 100644 +--- a/src/home/homework-mount.c ++++ b/src/home/homework-mount.c +@@ -69,9 +69,10 @@ int home_move_mount(const char *user_name_and_realm, const char *target) { + const char *d; + int r; + +- assert(user_name_and_realm); + assert(target); + ++ /* If user_name_and_realm is set, then we'll mount a subdir of the source mount into the host. If ++ * it's NULL we'll move the mount itself */ + if (user_name_and_realm) { + subdir = path_join("/run/systemd/user-home-mount/", user_name_and_realm); + if (!subdir) +-- +2.33.0 + diff --git a/backport-homed-shutdown-call-valgrind-magic-after-LOOP_GET_ST.patch b/backport-homed-shutdown-call-valgrind-magic-after-LOOP_GET_ST.patch new file mode 100644 index 0000000000000000000000000000000000000000..83bced076d2756edf9aa2787c52dea0935477bc3 --- /dev/null +++ b/backport-homed-shutdown-call-valgrind-magic-after-LOOP_GET_ST.patch 
@@ -0,0 +1,84 @@ +From bf6bd21f7c887ffa4591ed0cee00b234835ca2be Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Fri, 15 Oct 2021 17:58:13 +0200 +Subject: [PATCH] homed,shutdown: call valgrind magic after LOOP_GET_STATUS64 + +valgrind doesn't understand LOOP_GET_STATUS64. We already work around +this in various placed, via VALGRIND_MAKE_MEM_DEFINE(), but we forgot +three places. Let's fix that. + +(cherry picked from commit 48f462547d63e1d03bee612e1c77073263e71293) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/bf6bd21f7c887ffa4591ed0cee00b234835ca2be +--- + src/home/homework-luks.c | 8 ++++++++ + src/shutdown/umount.c | 12 ++++++++++++ + 2 files changed, 20 insertions(+) + +diff --git a/src/home/homework-luks.c b/src/home/homework-luks.c +index 38d7d7cc70..05a0ed861e 100644 +--- a/src/home/homework-luks.c ++++ b/src/home/homework-luks.c +@@ -8,6 +8,10 @@ + #include + #include + ++#if HAVE_VALGRIND_MEMCHECK_H ++#include ++#endif ++ + #include "blkid-util.h" + #include "blockdev-util.h" + #include "btrfs-util.h" +@@ -1136,6 +1140,10 @@ int home_prepare_luks( + offset *= 512U; + } + } else { ++#if HAVE_VALGRIND_MEMCHECK_H ++ VALGRIND_MAKE_MEM_DEFINED(&info, sizeof(info)); ++#endif ++ + offset = info.lo_offset; + size = info.lo_sizelimit; + } +diff --git a/src/shutdown/umount.c b/src/shutdown/umount.c +index c2a26242c0..1f945b7875 100644 +--- a/src/shutdown/umount.c ++++ b/src/shutdown/umount.c +@@ -15,6 +15,10 @@ + #include + #include + ++#if HAVE_VALGRIND_MEMCHECK_H ++#include ++#endif ++ + #include "sd-device.h" + + #include "alloc-util.h" +@@ -409,6 +413,10 @@ static int delete_loopback(const char *device) { + return -EBUSY; /* propagate original error */ + } + ++#if HAVE_VALGRIND_MEMCHECK_H ++ VALGRIND_MAKE_MEM_DEFINED(&info, sizeof(info)); ++#endif ++ + if (FLAGS_SET(info.lo_flags, LO_FLAGS_AUTOCLEAR)) /* someone else already set LO_FLAGS_AUTOCLEAR for us? 
fine by us */ + return -EBUSY; /* propagate original error */ + +@@ -434,6 +442,10 @@ static int delete_loopback(const char *device) { + return 1; + } + ++#if HAVE_VALGRIND_MEMCHECK_H ++ VALGRIND_MAKE_MEM_DEFINED(&info, sizeof(info)); ++#endif ++ + /* Linux makes LOOP_CLR_FD succeed whenever LO_FLAGS_AUTOCLEAR is set without actually doing + * anything. Very confusing. Let's hence not claim we did anything in this case. */ + if (FLAGS_SET(info.lo_flags, LO_FLAGS_AUTOCLEAR)) +-- +2.33.0 + diff --git a/backport-homework-don-t-bother-with-BLKRRPART-on-images-that-.patch b/backport-homework-don-t-bother-with-BLKRRPART-on-images-that-.patch new file mode 100644 index 0000000000000000000000000000000000000000..84b46be287e1be247c217baa3365c33787671a71 --- /dev/null +++ b/backport-homework-don-t-bother-with-BLKRRPART-on-images-that-.patch 
@@ -0,0 +1,43 @@ +From 7b3ff9a957630535ec58aeca7e41e6c63fa99114 Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Fri, 15 Oct 2021 11:23:00 +0200 +Subject: [PATCH] homework: don't bother with BLKRRPART on images that aren't + block devices + +We currently call this ioctl even if we are backed by a regular file, +which is actually the common case. While this doesn't really hurt, it +does result in very confusing logs. + +(cherry picked from commit 6a1301d8c97dc650e4355bb7c193f5821b3383a8) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/7b3ff9a957630535ec58aeca7e41e6c63fa99114 +--- + src/home/homework-luks.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/home/homework-luks.c b/src/home/homework-luks.c +index 64bbfe3c77..38d7d7cc70 100644 +--- a/src/home/homework-luks.c ++++ b/src/home/homework-luks.c +@@ -2813,7 +2813,7 @@ int home_resize_luks( + if (r > 0) + log_info("Growing of partition completed."); + +- if (ioctl(image_fd, BLKRRPART, 0) < 0) ++ if (S_ISBLK(st.st_mode) && ioctl(image_fd, BLKRRPART, 0) < 0) + log_debug_errno(errno, "BLKRRPART failed on block device, ignoring: %m"); + + /* Tell LUKS about the new bigger size too */ +@@ -2887,7 +2887,7 @@ int home_resize_luks( + if (r > 0) + log_info("Shrinking of partition completed."); + +- if (ioctl(image_fd, BLKRRPART, 0) < 0) ++ if (S_ISBLK(st.st_mode) && ioctl(image_fd, BLKRRPART, 0) < 0) + log_debug_errno(errno, "BLKRRPART failed on block device, ignoring: %m"); + } else { + r = home_store_embedded_identity(new_home, setup->root_fd, h->uid, embedded_home); +-- +2.33.0 + diff --git a/backport-homework-fix-a-bad-error-propagation.patch b/backport-homework-fix-a-bad-error-propagation.patch new file mode 100644 index 0000000000000000000000000000000000000000..8f04f0b74f428ad7fe5ea933a078de3e8fcb1295 --- /dev/null +++ b/backport-homework-fix-a-bad-error-propagation.patch 
@@ -0,0 +1,29 @@ +From e05915315fdf21ee51ec1501e02d04ba1e9af045 Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Wed, 24 Nov 2021 18:36:00 +0100 +Subject: [PATCH] homework: fix a bad error propagation + +(cherry picked from commit b05f4495bd374dc28d39ea43ac7cec3f0fea4071) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/e05915315fdf21ee51ec1501e02d04ba1e9af045 +--- + src/home/homework.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/home/homework.c b/src/home/homework.c +index b20b4bdf3e..32a42c5d09 100644 +--- a/src/home/homework.c ++++ b/src/home/homework.c +@@ -485,7 +485,7 @@ static int write_identity_file(int root_fd, JsonVariant *v, uid_t uid) { + } + + if (fchown(fileno(identity_file), uid, uid) < 0) { +- log_error_errno(r, "Failed to change ownership of identity file: %m"); ++ r = log_error_errno(errno, "Failed to change ownership of identity file: %m"); + goto fail; + } + +-- +2.33.0 + diff --git a/backport-homework-fix-incorrect-error-variable-use.patch b/backport-homework-fix-incorrect-error-variable-use.patch new file mode 100644 index 0000000000000000000000000000000000000000..3b7d7478bbb4af69ff3e2a35280fe4090472ebcf --- /dev/null +++ b/backport-homework-fix-incorrect-error-variable-use.patch 
@@ -0,0 +1,38 @@ +From 3e9dbda7d5efbe642e6254cc086b4cf54c862618 Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Thu, 14 Oct 2021 15:40:59 +0200 +Subject: [PATCH] homework: fix incorrect error variable use + +(cherry picked from commit 82fb0911fc0aa2aaf39428ef36e78898ece2b4ea) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/3e9dbda7d5efbe642e6254cc086b4cf54c862618 +--- + src/home/homework-luks.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/home/homework-luks.c b/src/home/homework-luks.c +index 6448883fe0..64bbfe3c77 100644 +--- a/src/home/homework-luks.c ++++ b/src/home/homework-luks.c +@@ -1146,7 +1146,7 @@ int home_prepare_luks( + + root_fd = open(user_record_home_directory(h), O_RDONLY|O_CLOEXEC|O_DIRECTORY|O_NOFOLLOW); + if (root_fd < 0) { +- r = log_error_errno(r, "Failed to open home directory: %m"); ++ r = log_error_errno(errno, "Failed to open home directory: %m"); + goto fail; + } + } else { +@@ -1233,7 +1233,7 @@ int home_prepare_luks( + + root_fd = open(subdir, O_RDONLY|O_CLOEXEC|O_DIRECTORY|O_NOFOLLOW); + if (root_fd < 0) { +- r = log_error_errno(r, "Failed to open home directory: %m"); ++ r = log_error_errno(errno, "Failed to open home directory: %m"); + goto fail; + } + +-- +2.33.0 + diff --git a/backport-homework-repart-turn-on-cryptsetup-logging-before-we.patch b/backport-homework-repart-turn-on-cryptsetup-logging-before-we.patch new file mode 100644 index 0000000000000000000000000000000000000000..21dc8b5faa9120d21341455631246044dbd5fd44 --- /dev/null +++ b/backport-homework-repart-turn-on-cryptsetup-logging-before-we.patch 
@@ -0,0 +1,53 @@ +From 7b49704dfe47474be0d74996db45e6ba42d6b2e1 Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Thu, 28 Oct 2021 19:06:52 +0200 +Subject: [PATCH] homework,repart: turn on cryptsetup logging before we have a + context + +Otherwise we'll miss the log message from allocation of the context. We +already made this change in most of our tools that interface with +libcryptsetup, but we forgot two. + +As suggested: + +https://github.com/systemd/systemd/pull/21135#discussion_r738287504 +(cherry picked from commit 30f194001ff647280ad49b68597c223e57ad7f6e) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/7b49704dfe47474be0d74996db45e6ba42d6b2e1 +--- + src/home/homework.c | 2 ++ + src/partition/repart.c | 4 ++++ + 2 files changed, 6 insertions(+) + +diff --git a/src/home/homework.c b/src/home/homework.c +index bdd9ac649e..b20b4bdf3e 100644 +--- a/src/home/homework.c ++++ b/src/home/homework.c +@@ -1651,6 +1651,8 @@ static int run(int argc, char *argv[]) { + + log_setup(); + ++ cryptsetup_enable_logging(NULL); ++ + umask(0022); + + if (argc < 2 || argc > 3) +diff --git a/src/partition/repart.c b/src/partition/repart.c +index 3c80d1380a..7602ac6aa8 100644 +--- a/src/partition/repart.c ++++ b/src/partition/repart.c +@@ -4863,6 +4863,10 @@ static int run(int argc, char *argv[]) { + if (r < 0) + return r; + ++#if HAVE_LIBCRYPTSETUP ++ cryptsetup_enable_logging(NULL); ++#endif ++ + if (arg_image) { + assert(!arg_root); + +-- +2.33.0 + diff --git a/backport-hostname-fix-off-by-one-issue-in-gethostname.patch b/backport-hostname-fix-off-by-one-issue-in-gethostname.patch new file mode 100644 index 0000000000000000000000000000000000000000..30fdc7db819d5ad73feb098839cce902456011c8 --- /dev/null +++ b/backport-hostname-fix-off-by-one-issue-in-gethostname.patch 
@@ -0,0 +1,52 @@ +From 6a8b886fef4ad101108126cab2125a90f7aa6441 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Wed, 11 Aug 2021 00:12:40 +0900 +Subject: [PATCH] hostname: fix off-by-one issue in gethostname() + +gethostname() returns null-terminated hostname. + +Fixes #20309 and #20417. + +(cherry picked from commit ccdf235464297c2ca4c1dea8733a6bad423084d5) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/6a8b886fef4ad101108126cab2125a90f7aa6441 +--- + src/shared/hostname-setup.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/src/shared/hostname-setup.c b/src/shared/hostname-setup.c +index 511aa7d031..742174d6c8 100644 +--- a/src/shared/hostname-setup.c ++++ b/src/shared/hostname-setup.c +@@ -20,11 +20,11 @@ + #include "util.h" + + static int sethostname_idempotent_full(const char *s, bool really) { +- char buf[HOST_NAME_MAX + 1] = {}; ++ char buf[HOST_NAME_MAX + 1]; + + assert(s); + +- if (gethostname(buf, sizeof(buf) - 1) < 0) ++ if (gethostname(buf, sizeof(buf)) < 0) + return -errno; + + if (streq(buf, s)) +@@ -42,11 +42,11 @@ int sethostname_idempotent(const char *s) { + } + + bool get_hostname_filtered(char ret[static HOST_NAME_MAX + 1]) { +- char buf[HOST_NAME_MAX + 1] = {}; ++ char buf[HOST_NAME_MAX + 1]; + + /* Returns true if we got a good hostname, false otherwise. */ + +- if (gethostname(buf, sizeof(buf) - 1) < 0) ++ if (gethostname(buf, sizeof(buf)) < 0) + return false; /* This can realistically only fail with ENAMETOOLONG. + * Let's treat that case the same as an invalid hostname. */ + +-- +2.33.0 + diff --git a/backport-hostnamed-correct-variable-with-errno-in-fallback_ch.patch b/backport-hostnamed-correct-variable-with-errno-in-fallback_ch.patch new file mode 100644 index 0000000000000000000000000000000000000000..184cfdf7c2e1da9fe03c825cd268d9381910305e --- /dev/null +++ b/backport-hostnamed-correct-variable-with-errno-in-fallback_ch.patch 
@@ -0,0 +1,59 @@ +From b873f52871845b769f739e9d6954080ba490200c Mon Sep 17 00:00:00 2001 +From: Jan Palus +Date: Thu, 8 Jul 2021 00:23:21 +0200 +Subject: [PATCH] hostnamed: correct variable with errno in fallback_chassis + +fixes assertion failure on arm: + +systemd-hostnamed[642]: Assertion '(_error) != 0' failed at src/hostname/hostnamed.c:207, function fallback_chassis(). Aborting. + +(cherry picked from commit 105a4245ff13d588e1e848e8ee3cffd6185bd0ae) +(cherry picked from commit 4a44597bdd725f504ebd520b0deef7797dc46daa) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/b873f52871845b769f739e9d6954080ba490200c +--- + src/hostname/hostnamed.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/src/hostname/hostnamed.c b/src/hostname/hostnamed.c +index bd535ddc4d..36702f2fb0 100644 +--- a/src/hostname/hostnamed.c ++++ b/src/hostname/hostnamed.c +@@ -204,14 +204,14 @@ static const char* fallback_chassis(void) { + + r = read_one_line_file("/sys/class/dmi/id/chassis_type", &type); + if (r < 0) { +- log_debug_errno(v, "Failed to read DMI chassis type, ignoring: %m"); ++ log_debug_errno(r, "Failed to read DMI chassis type, ignoring: %m"); + goto try_acpi; + } + + r = safe_atou(type, &t); + free(type); + if (r < 0) { +- log_debug_errno(v, "Failed to parse DMI chassis type, ignoring: %m"); ++ log_debug_errno(r, "Failed to parse DMI chassis type, ignoring: %m"); + goto try_acpi; + } + +@@ -260,14 +260,14 @@ static const char* fallback_chassis(void) { + try_acpi: + r = read_one_line_file("/sys/firmware/acpi/pm_profile", &type); + if (r < 0) { +- log_debug_errno(v, "Failed read ACPI PM profile, ignoring: %m"); ++ log_debug_errno(r, "Failed read ACPI PM profile, ignoring: %m"); + return NULL; + } + + r = safe_atou(type, &t); + free(type); + if (r < 0) { +- log_debug_errno(v, "Failed parse ACPI PM profile, ignoring: %m"); ++ log_debug_errno(r, "Failed parse ACPI PM profile, ignoring: %m"); + return NULL; + } + +-- +2.33.0 + 
diff --git a/backport-hwdb-Allow-console-users-access-to-media-nodes.patch b/backport-hwdb-Allow-console-users-access-to-media-nodes.patch new file mode 100644 index 0000000000000000000000000000000000000000..991bd32d725d274bd8208166b9f1fdb82092e333 --- /dev/null +++ b/backport-hwdb-Allow-console-users-access-to-media-nodes.patch @@ -0,0 +1,33 @@ +From 920d0d1b14dfb94788a5b2794860cac583b982c3 Mon Sep 17 00:00:00 2001 +From: Bastien Nocera +Date: Tue, 26 Oct 2021 11:57:30 +0200 +Subject: [PATCH] hwdb: Allow console users access to media* nodes + +Newer webcams and video devices have controls only available through +/dev/media* nodes. Make sure they're accessible in the same way as +/dev/video* nodes. + +Closes: #21054 +(cherry picked from commit 63fbfc598f9f6d3ce34cc00a7687089dab24daff) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/920d0d1b14dfb94788a5b2794860cac583b982c3 +--- + src/login/70-uaccess.rules.in | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/login/70-uaccess.rules.in b/src/login/70-uaccess.rules.in +index 56e1087fef..1b6be82703 100644 +--- a/src/login/70-uaccess.rules.in ++++ b/src/login/70-uaccess.rules.in +@@ -33,6 +33,7 @@ SUBSYSTEM=="sound", TAG+="uaccess", \ + # Webcams, frame grabber, TV cards + SUBSYSTEM=="video4linux", TAG+="uaccess" + SUBSYSTEM=="dvb", TAG+="uaccess" ++SUBSYSTEM=="media", TAG+="uaccess" + + # industrial cameras, some webcams, camcorders, set-top boxes, TV sets, audio devices, and more + SUBSYSTEM=="firewire", TEST=="units", ENV{IEEE1394_UNIT_FUNCTION_MIDI}=="1", TAG+="uaccess" +-- +2.33.0 + diff --git a/backport-hwdb-fix-parsing-options.patch b/backport-hwdb-fix-parsing-options.patch new file mode 100644 index 0000000000000000000000000000000000000000..00eb94e4cd51683285e827123a42050c447f8833 --- /dev/null +++ b/backport-hwdb-fix-parsing-options.patch 
@@ -0,0 +1,34 @@ +From eee4da4d240bef47a6cc8ab60838d6c443ab8ab8 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Wed, 6 Apr 2022 01:08:35 +0900 +Subject: [PATCH] hwdb: fix parsing options + +Fixes #22976. + +(cherry picked from commit 5674b74c4f99e433fd8e7242e9f16f6ddfece94c) +(cherry picked from commit df6253cbda3e5d1b3c694de223cb7899f3aecc74) + +Conflict:NA +Reference:https://github.com/systemd/systemd-stable/commit/eee4da4d240bef47a6cc8ab60838d6c443ab8ab8 +--- + src/hwdb/hwdb.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/hwdb/hwdb.c b/src/hwdb/hwdb.c +index 50b4cb304a..a3a050530b 100644 +--- a/src/hwdb/hwdb.c ++++ b/src/hwdb/hwdb.c +@@ -73,8 +73,8 @@ static int parse_argv(int argc, char *argv[]) { + assert(argc >= 0); + assert(argv); + +- while ((c = getopt_long(argc, argv, "ust:r:h", options, NULL)) >= 0) +- switch(c) { ++ while ((c = getopt_long(argc, argv, "sr:h", options, NULL)) >= 0) ++ switch (c) { + + case 'h': + return help(); +-- +2.33.0 + diff --git a/backport-hwdb-remove-double-empty-line-in-help-text.patch b/backport-hwdb-remove-double-empty-line-in-help-text.patch new file mode 100644 index 0000000000000000000000000000000000000000..7189fea36579e79c9b5b583b87c9ba2622f05a5c --- /dev/null +++ b/backport-hwdb-remove-double-empty-line-in-help-text.patch 
@@ -0,0 +1,29 @@ +From da61fe147e40ba26ed8cf405dbf0a0e71e060d0b Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Mon, 30 Aug 2021 13:20:59 +0200 +Subject: [PATCH] hwdb: remove double empty line in --help text + +(cherry picked from commit aecc04f1800c87e0479e74e0225e288a403ba77e) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/da61fe147e40ba26ed8cf405dbf0a0e71e060d0b +--- + src/hwdb/hwdb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/hwdb/hwdb.c b/src/hwdb/hwdb.c +index 26cc83f31b..50b4cb304a 100644 +--- a/src/hwdb/hwdb.c ++++ b/src/hwdb/hwdb.c +@@ -43,7 +43,7 @@ static int help(void) { + " --version Show package version\n" + " -s --strict When updating, return non-zero exit value on any parsing error\n" + " --usr Generate in " UDEVLIBEXECDIR " instead of /etc/udev\n" +- " -r --root=PATH Alternative root path in the filesystem\n\n" ++ " -r --root=PATH Alternative root path in the filesystem\n" + "\nSee the %s for details.\n", + program_invocation_short_name, + ansi_highlight(), +-- +2.33.0 + diff --git a/backport-icmp6-drop-unnecessary-assertion.patch b/backport-icmp6-drop-unnecessary-assertion.patch new file mode 100644 index 0000000000000000000000000000000000000000..4b4dbaefce9d8bb243c662765e1bdf39c4cf72be --- /dev/null +++ b/backport-icmp6-drop-unnecessary-assertion.patch 
@@ -0,0 +1,30 @@ +From aff2bf0465f677ba60e1cc701ae73968991e4a3f Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Fri, 20 Aug 2021 08:44:27 +0900 +Subject: [PATCH] icmp6: drop unnecessary assertion + +Follow-up for 3691bcf3c5eebdcca5b4f1c51c745441c57a6cd1. + +(cherry picked from commit 6da22a2fa592cc908d26c732b537d8b4fc004280) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/aff2bf0465f677ba60e1cc701ae73968991e4a3f +--- + src/libsystemd-network/icmp6-util.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/src/libsystemd-network/icmp6-util.c b/src/libsystemd-network/icmp6-util.c +index 67c6b55d84..0b8c3e4cc3 100644 +--- a/src/libsystemd-network/icmp6-util.c ++++ b/src/libsystemd-network/icmp6-util.c +@@ -186,7 +186,6 @@ int icmp6_receive(int fd, void *buffer, size_t size, struct in6_addr *ret_dst, + + /* namelen == 0 only happens when running the test-suite over a socketpair */ + +- assert(!(msg.msg_flags & MSG_CTRUNC)); + assert(!(msg.msg_flags & MSG_TRUNC)); + + CMSG_FOREACH(cmsg, &msg) { +-- +2.33.0 + diff --git a/backport-import-turn-off-weird-protocols-in-curl.patch b/backport-import-turn-off-weird-protocols-in-curl.patch new file mode 100644 index 0000000000000000000000000000000000000000..5994c122ab364c46d29464686a458c74a95b4bf1 --- /dev/null +++ b/backport-import-turn-off-weird-protocols-in-curl.patch 
@@ -0,0 +1,42 @@ +From 4d8fd88b9641fce81272f60f556543f713175403 Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Thu, 19 Aug 2021 18:12:56 +0200 +Subject: [PATCH] import: turn off weird protocols in curl + +Let's lock things down a bit and now allow curl's weirder protocols to +be used with our use. i.e. stick to http:// + https:// + file:// and +turn everything else off. (Gopher!) + +This is cde that interfaces with the network after all, and we better +shouldn't support protocols needlessly that are much less tested. + +(Given that HTTP redirects (and other redirects) exist, this should give +us a security benefit, since we will then be sure that noone can forward +us to a weird protocol, which we never tested, and other people test +neither) + +(cherry picked from commit 55b90ee00b78a449c8f187a5e8141f8ccb100bf4) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/4d8fd88b9641fce81272f60f556543f713175403 +--- + src/import/curl-util.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/src/import/curl-util.c b/src/import/curl-util.c +index ed2ac0a654..d6a16b4f57 100644 +--- a/src/import/curl-util.c ++++ b/src/import/curl-util.c +@@ -256,6 +256,9 @@ int curl_glue_make(CURL **ret, const char *url, void *userdata) { + if (curl_easy_setopt(c, CURLOPT_LOW_SPEED_LIMIT, 30L) != CURLE_OK) + return -EIO; + ++ if (curl_easy_setopt(c, CURLOPT_PROTOCOLS, CURLPROTO_HTTP|CURLPROTO_HTTPS|CURLPROTO_FILE) != CURLE_OK) ++ return -EIO; ++ + *ret = TAKE_PTR(c); + return 0; + } +-- +2.33.0 + diff --git a/backport-journactl-show-info-about-journal-range-only-at-debu.patch b/backport-journactl-show-info-about-journal-range-only-at-debu.patch new file mode 100644 index 0000000000000000000000000000000000000000..8ade4a13a359fe12476a4a4c9df084fd6929dcff --- /dev/null +++ b/backport-journactl-show-info-about-journal-range-only-at-debu.patch 
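Review bot: The allow-list added in `curl_glue_make()` keeps `CURLPROTO_FILE`, and nothing in this hunk pins the redirect set, so which of the three schemes a redirect may reach still depends on libcurl's default for `CURLOPT_REDIR_PROTOCOLS`. Setting it explicitly next to the new call, `if (curl_easy_setopt(c, CURLOPT_REDIR_PROTOCOLS, CURLPROTO_HTTP|CURLPROTO_HTTPS) != CURLE_OK) return -EIO;`, would make the redirect argument in the commit message hold independently of the library version and keep `file://` limited to URLs the caller passed directly. A short comment above the new call, `/* Only http, https and file; other protocols are untested here and stay off */`, would record the intent in the code. The function starts outside the hunk.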
@@ -0,0 +1,51 @@ +From cc9ef67919c33b253bed86db415f5970e96440d9 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Tue, 14 Dec 2021 22:30:15 +0100 +Subject: [PATCH] journactl: show info about journal range only at debug level + (#21775) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The message that the "journal begins … ends …" has been always confusing to +users. (Before b91ae210e62 it was "logs begin … end …" which was arguably even +more confusing, but really the change in b91ae210e62 didn't substantially change +this.) + +When the range shown is limited (by -e, -f, --since, or other options), it +doesn't really matter to the user what the oldest entries are, since they are +purposefully limiting the range. In fact, if we are showing the last few +entries with -e or -f, knowing that many months the oldest entries have is +completely useless. + +And when such options are *not* used, the first entry generally corresponds to +the beginning of the range shown, and the last entry corresponds to the end of +that range. So again, it's not particularly useful, except when debugging +journalctl or such. Let's just treat it as a debug message. + +Fixes #21491. 
+ +(cherry picked from commit a2d7654f99eba250eddf988db262abef96ebbe7a) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/cc9ef67919c33b253bed86db415f5970e96440d9 +--- + src/journal/journalctl.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/journal/journalctl.c b/src/journal/journalctl.c +index 3eac97510d..decdf14145 100644 +--- a/src/journal/journalctl.c ++++ b/src/journal/journalctl.c +@@ -2598,7 +2598,7 @@ int main(int argc, char *argv[]) { + if (!arg_follow) + (void) pager_open(arg_pager_flags); + +- if (!arg_quiet && (arg_lines != 0 || arg_follow)) { ++ if (!arg_quiet && (arg_lines != 0 || arg_follow) && DEBUG_LOGGING) { + usec_t start, end; + char start_buf[FORMAT_TIMESTAMP_MAX], end_buf[FORMAT_TIMESTAMP_MAX]; + +-- +2.33.0 + diff --git a/backport-journal-Deduplicate-entry-items-before-they-are-stor.patch b/backport-journal-Deduplicate-entry-items-before-they-are-stor.patch new file mode 100644 index 0000000000000000000000000000000000000000..757d1da5ab54a95026c7f2ebeb8c8bd6b78f2025 --- /dev/null +++ b/backport-journal-Deduplicate-entry-items-before-they-are-stor.patch 
@@ -0,0 +1,55 @@ +From 71976e91c5a887585b9fb8a162116824b141eecf Mon Sep 17 00:00:00 2001 +From: Daan De Meyer +Date: Fri, 12 Nov 2021 14:32:40 +0000 +Subject: [PATCH] journal: Deduplicate entry items before they are stored in + the entry object + +If the iovec contains the same data more than once, we'll end up with +duplicate offsets in the items array. Let's make sure we remove any +duplicates before we store the items in an entry object. + +(cherry picked from commit 5ec9fbae64bef896368f744a875dd0437a4c42f2) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/71976e91c5a887585b9fb8a162116824b141eecf +--- + src/libsystemd/sd-journal/journal-file.c | 16 ++++++++++++++++ + 1 file changed, 16 insertions(+) + +diff --git a/src/libsystemd/sd-journal/journal-file.c b/src/libsystemd/sd-journal/journal-file.c +index ae19c1c1f2..a8029c2868 100644 +--- a/src/libsystemd/sd-journal/journal-file.c ++++ b/src/libsystemd/sd-journal/journal-file.c +@@ -2082,6 +2082,21 @@ static int entry_item_cmp(const EntryItem *a, const EntryItem *b) { + return CMP(le64toh(a->object_offset), le64toh(b->object_offset)); + } + ++static size_t remove_duplicate_entry_items(EntryItem items[], size_t n) { ++ ++ /* This function relies on the items array being sorted. */ ++ size_t j = 1; ++ ++ if (n <= 1) ++ return n; ++ ++ for (size_t i = 1; i < n; i++) ++ if (items[i].object_offset != items[j - 1].object_offset) ++ items[j++] = items[i]; ++ ++ return j; ++} ++ + int journal_file_append_entry( + JournalFile *f, + const dual_timestamp *ts, +@@ -2151,6 +2166,7 @@ int journal_file_append_entry( + /* Order by the position on disk, in order to improve seek + * times for rotating media. */ + typesafe_qsort(items, n_iovec, entry_item_cmp); ++ n_iovec = remove_duplicate_entry_items(items, n_iovec); + + r = journal_file_append_entry_internal(f, ts, boot_id, xor_hash, items, n_iovec, seqnum, ret, ret_offset); + +-- +2.33.0 + 
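Review bot: `remove_duplicate_entry_items()` states its precondition but not its contract: it compacts `items` in place and returns the new count, and the caller in `journal_file_append_entry()` has to use that count from then on. It also compares the raw little-endian `object_offset` values while `entry_item_cmp()` compares them after `le64toh()`; equality is the same either way, but a reader may take the difference for a bug. I would turn the inner remark into a header comment, `/* Drops adjacent items with equal object_offset from a sorted array, in place; returns the new item count. */`, and say there that comparing unconverted offsets is deliberate. `xor_hash` is passed on unchanged after the count shrinks; it is computed outside the hunk, so whether duplicates are meant to stay in it cannot be seen here.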
diff --git a/backport-journal-Remove-entry-seqnum-revert-logic.patch b/backport-journal-Remove-entry-seqnum-revert-logic.patch new file mode 100644 index 0000000000000000000000000000000000000000..b2a1a519e02a12594525ab1f759a210162fd0645 --- /dev/null +++ b/backport-journal-Remove-entry-seqnum-revert-logic.patch 
@@ -0,0 +1,83 @@ +From 06a0e8283ed87773795f28e58318d5d1b46b1088 Mon Sep 17 00:00:00 2001 +From: Daan De Meyer +Date: Fri, 12 Nov 2021 14:29:02 +0000 +Subject: [PATCH] journal: Remove entry seqnum revert logic + +This actually causes mismatches between the header tail entry seqnum +and the last entry seqnum since when we revert the header seqnum, we +don't remove the entry object we added. If adding the entry object +itself fails, we don't need to revert the seqnum since it's never +incremented so let's remove this logic alltogether. + +(cherry picked from commit b41b682bd6f1290caa4220291b22cae317cb6413) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/06a0e8283ed87773795f28e58318d5d1b46b1088 +--- + src/libsystemd/sd-journal/journal-file.c | 32 ++---------------------- + 1 file changed, 2 insertions(+), 30 deletions(-) + +diff --git a/src/libsystemd/sd-journal/journal-file.c b/src/libsystemd/sd-journal/journal-file.c +index 2c17435de2..ae19c1c1f2 100644 +--- a/src/libsystemd/sd-journal/journal-file.c ++++ b/src/libsystemd/sd-journal/journal-file.c +@@ -1021,30 +1021,6 @@ static uint64_t journal_file_entry_seqnum( + return ret; + } + +-static void journal_file_revert_entry_seqnum( +- JournalFile *f, +- uint64_t *seqnum, +- uint64_t revert_seqnum) { +- +- assert(f); +- assert(f->header); +- +- if (revert_seqnum == 0) /* sequence number 0? can't go back */ +- return; +- +- /* Undoes the effect of journal_file_entry_seqnum() above: if we fail to append an entry to a file, +- * let's revert the seqnum we were about to use, so that we can use it on the next entry. 
*/ +- +- if (le64toh(f->header->tail_entry_seqnum) == revert_seqnum) +- f->header->tail_entry_seqnum = htole64(revert_seqnum - 1); +- +- if (le64toh(f->header->head_entry_seqnum) == revert_seqnum) +- f->header->head_entry_seqnum = 0; +- +- if (seqnum && *seqnum == revert_seqnum) +- *seqnum = revert_seqnum - 1; +-} +- + int journal_file_append_object( + JournalFile *f, + ObjectType type, +@@ -2004,12 +1980,12 @@ static int journal_file_append_entry_internal( + #if HAVE_GCRYPT + r = journal_file_hmac_put_object(f, OBJECT_ENTRY, o, np); + if (r < 0) +- goto fail; ++ return r; + #endif + + r = journal_file_link_entry(f, o, np); + if (r < 0) +- goto fail; ++ return r; + + if (ret) + *ret = o; +@@ -2017,10 +1993,6 @@ static int journal_file_append_entry_internal( + if (ret_offset) + *ret_offset = np; + +- return 0; +- +-fail: +- journal_file_revert_entry_seqnum(f, seqnum, le64toh(o->entry.seqnum)); + return r; + } + +-- +2.33.0 + diff --git a/backport-journal-Skip-corrupt-Data-objects-in-sd_journal_get_.patch b/backport-journal-Skip-corrupt-Data-objects-in-sd_journal_get_.patch new file mode 100644 index 0000000000000000000000000000000000000000..82b2269b70aafead4deba733406f15df87e12a13 --- /dev/null +++ b/backport-journal-Skip-corrupt-Data-objects-in-sd_journal_get_.patch 
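Review bot: With the `fail:` label gone, the success path of `journal_file_append_entry_internal()` ends in `return r;`, where `r` is whatever `journal_file_link_entry()` returned, instead of the former `return 0;`. That only stays equivalent while `journal_file_link_entry()` returns exactly 0 on success, which is not visible in this hunk. Keeping `return 0;` as the last statement would make the success value independent of the callee. The function body starts outside the hunk.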
@@ -0,0 +1,43 @@ +From 2124893b258ffc23ae034bce388b61fb148c805f Mon Sep 17 00:00:00 2001 +From: Daan De Meyer +Date: Wed, 17 Nov 2021 16:46:29 +0000 +Subject: [PATCH] journal: Skip corrupt Data objects in sd_journal_get_data() + +Similar to the change we made for sd_journal_enumerate_data(), let's +skip corrupt entry items and data objects in sd_journal_get_data(). + +(cherry picked from commit 8a799bed4c25be5792acf4d375bd2cdf0a4a3165) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/2124893b258ffc23ae034bce388b61fb148c805f +--- + src/libsystemd/sd-journal/sd-journal.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/src/libsystemd/sd-journal/sd-journal.c b/src/libsystemd/sd-journal/sd-journal.c +index 18ede19e26..71875a4dc8 100644 +--- a/src/libsystemd/sd-journal/sd-journal.c ++++ b/src/libsystemd/sd-journal/sd-journal.c +@@ -2309,11 +2309,17 @@ _public_ int sd_journal_get_data(sd_journal *j, const char *field, const void ** + p = le64toh(o->entry.items[i].object_offset); + le_hash = o->entry.items[i].hash; + r = journal_file_move_to_object(f, OBJECT_DATA, p, &d); ++ if (r == -EBADMSG) { ++ log_debug("Entry item %"PRIu64" data object is bad, skipping over it.", i); ++ continue; ++ } + if (r < 0) + return r; + +- if (le_hash != d->data.hash) +- return -EBADMSG; ++ if (le_hash != d->data.hash) { ++ log_debug("Entry item %"PRIu64" hash is bad, skipping over it.", i); ++ continue; ++ } + + l = le64toh(d->object.size) - offsetof(Object, data.payload); + +-- +2.33.0 + diff --git a/backport-journal-Skip-data-objects-with-invalid-offsets.patch b/backport-journal-Skip-data-objects-with-invalid-offsets.patch new file mode 100644 index 0000000000000000000000000000000000000000..e2af7d697994ce46cfc0988f65c3f4615876d2b3 --- /dev/null +++ b/backport-journal-Skip-data-objects-with-invalid-offsets.patch 
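Review bot: The two new `continue` branches in `sd_journal_get_data()` report a bad data object or a bad hash only through `log_debug()`, so a caller can no longer tell a field that is absent from one whose only copy is corrupt. The loop's fall-through result is outside this hunk, but it appears to be the ordinary not-found return. For code that reads the journal as evidence, this hides corruption unless debug logging is on. I would at least document it above the loop, `/* Corrupt items are skipped, so a field present only in a corrupt item is reported as not found. */`. The same applies to the skip branches added to `sd_journal_enumerate_data()` in the Skip-over-corrupt-entry-items and Skip-data-objects-with-invalid-offsets patches.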
@@ -0,0 +1,68 @@ +From bf022f9f4841368bb84372ee5605ce5c0f936c79 Mon Sep 17 00:00:00 2001 +From: Daan De Meyer +Date: Wed, 12 Jan 2022 14:44:50 +0000 +Subject: [PATCH] journal: Skip data objects with invalid offsets +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +We already skip invalid objects, but don't yet skip invalid offsets. +Let's skip these as well to improve robustness when we're dealing with +corrupted journals. + +Before: + +``` +➜ systemd git:(main) build/journalctl -r -n 5 --file ~/Downloads/system@0005d2b275abaaf8-f243a2818cb39b98.journal_ +Failed to get journal fields: Cannot assign requested address +-- No entries -- +``` + +After: + +``` +➜ systemd git:(main) ✗ build/journalctl -r -n 5 --file ~/Downloads/system@0005d2b275abaaf8-f243a2818cb39b98.journal_ +Dec 09 08:32:38 snowball3 NetworkManager[911]: [1639038758.1464] device (wlp1s0): supplicant interface state: scanning -> authenticating +Dec 09 08:32:38 snowball3 kernel: wlp1s0: send auth to ec:a9:40:79:fb:ad (try 1/3) +Dec 09 08:32:38 snowball3 kernel: wlp1s0: authenticate with ec:a9:40:79:fb:ad +Dec 09 08:32:38 snowball3 wpa_supplicant[1003]: wlp1s0: SME: Trying to authenticate with ec:a9:40:79:fb:ad (SSID='UPC949397B' freq=5500 MHz) +``` + +(cherry picked from commit df207ccb7be02b1ca6bdd0a2066a898e5b24ee86) +(cherry picked from commit 556f46aa3b17f4ed6768521137405297c8a99d35) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/bf022f9f4841368bb84372ee5605ce5c0f936c79 +--- + src/libsystemd/sd-journal/sd-journal.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/src/libsystemd/sd-journal/sd-journal.c b/src/libsystemd/sd-journal/sd-journal.c +index dd28b8008f..3cdc629a8d 100644 +--- a/src/libsystemd/sd-journal/sd-journal.c ++++ b/src/libsystemd/sd-journal/sd-journal.c +@@ -2310,8 +2310,8 @@ _public_ int sd_journal_get_data(sd_journal *j, const char *field, const void ** + p = 
le64toh(o->entry.items[i].object_offset); + le_hash = o->entry.items[i].hash; + r = journal_file_move_to_object(f, OBJECT_DATA, p, &d); +- if (r == -EBADMSG) { +- log_debug("Entry item %"PRIu64" data object is bad, skipping over it.", i); ++ if (IN_SET(r, -EADDRNOTAVAIL, -EBADMSG)) { ++ log_debug_errno(r, "Entry item %"PRIu64" data object is bad, skipping over it: %m", i); + continue; + } + if (r < 0) +@@ -2455,8 +2455,8 @@ _public_ int sd_journal_enumerate_data(sd_journal *j, const void **data, size_t + p = le64toh(o->entry.items[j->current_field].object_offset); + le_hash = o->entry.items[j->current_field].hash; + r = journal_file_move_to_object(f, OBJECT_DATA, p, &o); +- if (r == -EBADMSG) { +- log_debug("Entry item %"PRIu64" data object is bad, skipping over it.", j->current_field); ++ if (IN_SET(r, -EADDRNOTAVAIL, -EBADMSG)) { ++ log_debug_errno(r, "Entry item %"PRIu64" data object is bad, skipping over it: %m", j->current_field); + continue; + } + if (r < 0) +-- +2.33.0 + diff --git a/backport-journal-Skip-over-corrupt-entry-items-in-enumerate_d.patch b/backport-journal-Skip-over-corrupt-entry-items-in-enumerate_d.patch new file mode 100644 index 0000000000000000000000000000000000000000..9cfa077350ba5403e887b67f4b219c9469b0e967 --- /dev/null +++ b/backport-journal-Skip-over-corrupt-entry-items-in-enumerate_d.patch 
@@ -0,0 +1,93 @@ +From e8a54526d8a89097742d808a53956a54431ded06 Mon Sep 17 00:00:00 2001 +From: Daan De Meyer +Date: Wed, 17 Nov 2021 15:54:35 +0000 +Subject: [PATCH] journal: Skip over corrupt entry items in enumerate_data() + +Similar to sd_journal_next(), if trying to access an entry item +offset's data results in EBADMSG, skip to the next entry item so +we handle corruption better. + +Fixes #21407 + +(cherry picked from commit 5a94a2bf2b9c9ae362dd4a7c2e6b263c55545036) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/e8a54526d8a89097742d808a53956a54431ded06 +--- + src/libsystemd/sd-journal/sd-journal.c | 47 ++++++++++++++++---------- + 1 file changed, 29 insertions(+), 18 deletions(-) + +diff --git a/src/libsystemd/sd-journal/sd-journal.c b/src/libsystemd/sd-journal/sd-journal.c +index b3240177cb..02d4582c98 100644 +--- a/src/libsystemd/sd-journal/sd-journal.c ++++ b/src/libsystemd/sd-journal/sd-journal.c +@@ -2425,10 +2425,8 @@ static int return_data( + + _public_ int sd_journal_enumerate_data(sd_journal *j, const void **data, size_t *size) { + JournalFile *f; +- uint64_t p, n; +- le64_t le_hash; +- int r; + Object *o; ++ int r; + + assert_return(j, -EINVAL); + assert_return(!journal_pid_changed(j), -ECHILD); +@@ -2446,26 +2444,39 @@ _public_ int sd_journal_enumerate_data(sd_journal *j, const void **data, size_t + if (r < 0) + return r; + +- n = journal_file_entry_n_items(o); +- if (j->current_field >= n) +- return 0; ++ for (uint64_t n = journal_file_entry_n_items(o); j->current_field < n; j->current_field++) { ++ uint64_t p; ++ le64_t le_hash; + +- p = le64toh(o->entry.items[j->current_field].object_offset); +- le_hash = o->entry.items[j->current_field].hash; +- r = journal_file_move_to_object(f, OBJECT_DATA, p, &o); +- if (r < 0) +- return r; ++ p = le64toh(o->entry.items[j->current_field].object_offset); ++ le_hash = o->entry.items[j->current_field].hash; ++ r = journal_file_move_to_object(f, OBJECT_DATA, p, &o); ++ if (r == -EBADMSG) { 
++ log_debug("Entry item %"PRIu64" data object is bad, skipping over it.", j->current_field); ++ continue; ++ } ++ if (r < 0) ++ return r; + +- if (le_hash != o->data.hash) +- return -EBADMSG; ++ if (le_hash != o->data.hash) { ++ log_debug("Entry item %"PRIu64" hash is bad, skipping over it.", j->current_field); ++ continue; ++ } + +- r = return_data(j, f, o, data, size); +- if (r < 0) +- return r; ++ r = return_data(j, f, o, data, size); ++ if (r == -EBADMSG) { ++ log_debug("Entry item %"PRIu64" data payload is bad, skipping over it.", j->current_field); ++ continue; ++ } ++ if (r < 0) ++ return r; + +- j->current_field++; ++ j->current_field++; + +- return 1; ++ return 1; ++ } ++ ++ return 0; + } + + _public_ int sd_journal_enumerate_available_data(sd_journal *j, const void **data, size_t *size) { +-- +2.33.0 + diff --git a/backport-journal-Use-separate-variable-for-Data-object-in-sd_.patch b/backport-journal-Use-separate-variable-for-Data-object-in-sd_.patch new file mode 100644 index 0000000000000000000000000000000000000000..be58cca79ed4579a41cfb7819d4aa660daa0dcc2 --- /dev/null +++ b/backport-journal-Use-separate-variable-for-Data-object-in-sd_.patch 
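Review bot: Inside the new loop in `sd_journal_enumerate_data()`, `journal_file_move_to_object(f, OBJECT_DATA, p, &o)` overwrites `o`, so after the hash-mismatch `continue` (and the one after `return_data()`) the next iteration evaluates `o->entry.items[j->current_field]` on what is now a Data object. Before this change the function returned right after the move, so reusing `o` was harmless; with the loop it is read again as an Entry. A separate `Object *d` for the data object, as the sibling change to `sd_journal_get_data()` uses, keeps `o` on the entry for every iteration. The later Skip-data-objects-with-invalid-offsets patch still passes `&o` in this function.

```c
for (uint64_t n = journal_file_entry_n_items(o); j->current_field < n; j->current_field++) {
        Object *d;
        /* … unchanged: p and le_hash read from o->entry.items[j->current_field] … */

        r = journal_file_move_to_object(f, OBJECT_DATA, p, &d);
        /* … unchanged: -EBADMSG skip and error return … */

        if (le_hash != d->data.hash) {
                /* … unchanged: log and continue … */
        }

        r = return_data(j, f, d, data, size);
        /* … unchanged: -EBADMSG skip, error return, advance and return 1 … */
}
```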
@@ -0,0 +1,95 @@ +From a1ca5320ec74f5112d32338e3061a34f17c4b954 Mon Sep 17 00:00:00 2001 +From: Daan De Meyer +Date: Wed, 17 Nov 2021 16:44:21 +0000 +Subject: [PATCH] journal: Use separate variable for Data object in + sd_journal_get_data() + +A little cleanup to make the next change easier. We're not moving to a +new Entry object in the for loop so there's no danger of changing the +Entry object window. + +(cherry picked from commit 847c7ee8c3c1a6cecd02501562b1afd8dd3c51de) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/a1ca5320ec74f5112d32338e3061a34f17c4b954 +--- + src/libsystemd/sd-journal/sd-journal.c | 23 ++++++++++------------- + 1 file changed, 10 insertions(+), 13 deletions(-) + +diff --git a/src/libsystemd/sd-journal/sd-journal.c b/src/libsystemd/sd-journal/sd-journal.c +index 02d4582c98..18ede19e26 100644 +--- a/src/libsystemd/sd-journal/sd-journal.c ++++ b/src/libsystemd/sd-journal/sd-journal.c +@@ -2300,6 +2300,7 @@ _public_ int sd_journal_get_data(sd_journal *j, const char *field, const void ** + + n = journal_file_entry_n_items(o); + for (i = 0; i < n; i++) { ++ Object *d; + uint64_t p, l; + le64_t le_hash; + size_t t; +@@ -2307,20 +2308,20 @@ _public_ int sd_journal_get_data(sd_journal *j, const char *field, const void ** + + p = le64toh(o->entry.items[i].object_offset); + le_hash = o->entry.items[i].hash; +- r = journal_file_move_to_object(f, OBJECT_DATA, p, &o); ++ r = journal_file_move_to_object(f, OBJECT_DATA, p, &d); + if (r < 0) + return r; + +- if (le_hash != o->data.hash) ++ if (le_hash != d->data.hash) + return -EBADMSG; + +- l = le64toh(o->object.size) - offsetof(Object, data.payload); ++ l = le64toh(d->object.size) - offsetof(Object, data.payload); + +- compression = o->object.flags & OBJECT_COMPRESSION_MASK; ++ compression = d->object.flags & OBJECT_COMPRESSION_MASK; + if (compression) { + #if HAVE_COMPRESSION + r = decompress_startswith(compression, +- o->data.payload, l, ++ d->data.payload, l, + 
&f->compress_buffer, + field, field_length, '='); + if (r < 0) +@@ -2331,7 +2332,7 @@ _public_ int sd_journal_get_data(sd_journal *j, const char *field, const void ** + size_t rsize; + + r = decompress_blob(compression, +- o->data.payload, l, ++ d->data.payload, l, + &f->compress_buffer, &rsize, + j->data_threshold); + if (r < 0) +@@ -2346,23 +2347,19 @@ _public_ int sd_journal_get_data(sd_journal *j, const char *field, const void ** + return -EPROTONOSUPPORT; + #endif + } else if (l >= field_length+1 && +- memcmp(o->data.payload, field, field_length) == 0 && +- o->data.payload[field_length] == '=') { ++ memcmp(d->data.payload, field, field_length) == 0 && ++ d->data.payload[field_length] == '=') { + + t = (size_t) l; + + if ((uint64_t) t != l) + return -E2BIG; + +- *data = o->data.payload; ++ *data = d->data.payload; + *size = t; + + return 0; + } +- +- r = journal_file_move_to_object(f, OBJECT_ENTRY, f->current_offset, &o); +- if (r < 0) +- return r; + } + + return -ENOENT; +-- +2.33.0 + diff --git a/backport-journal-file-if-we-are-going-down-don-t-use-event-lo.patch b/backport-journal-file-if-we-are-going-down-don-t-use-event-lo.patch new file mode 100644 index 0000000000000000000000000000000000000000..2156ec174dd1d78afec0af98fa2a96e8873adc6c --- /dev/null +++ b/backport-journal-file-if-we-are-going-down-don-t-use-event-lo.patch 
@@ -0,0 +1,44 @@ +From 88afe98fa9887ba636d5f271c7b9c9b7c5a65960 Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Thu, 24 Mar 2022 21:24:23 +0100 +Subject: [PATCH] journal-file: if we are going down, don't use event loop to + schedule post + +The event loop is already shutting down, hence no point in using it +anymore, it's not going to run any further iteration. + +(cherry picked from commit 47f04c2a69d5a604411f17a2e660021165d09c89) +(cherry picked from commit 6253eb576cdde2230b75f84532f745b4409f71ad) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/88afe98fa9887ba636d5f271c7b9c9b7c5a65960 +--- + src/libsystemd/sd-journal/journal-file.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/src/libsystemd/sd-journal/journal-file.c b/src/libsystemd/sd-journal/journal-file.c +index a8029c2868..e3e926b0f0 100644 +--- a/src/libsystemd/sd-journal/journal-file.c ++++ b/src/libsystemd/sd-journal/journal-file.c +@@ -2022,11 +2022,18 @@ static int post_change_thunk(sd_event_source *timer, uint64_t usec, void *userda + } + + static void schedule_post_change(JournalFile *f) { ++ sd_event *e; + int r; + + assert(f); + assert(f->post_change_timer); + ++ assert_se(e = sd_event_source_get_event(f->post_change_timer)); ++ ++ /* If we are aleady going down, post the change immediately. */ ++ if (IN_SET(sd_event_get_state(e), SD_EVENT_EXITING, SD_EVENT_FINISHED)) ++ goto fail; ++ + r = sd_event_source_get_enabled(f->post_change_timer, NULL); + if (r < 0) { + log_debug_errno(r, "Failed to get ftruncate timer state: %m"); +-- +2.33.0 + diff --git a/backport-journal-network-timesync-fix-segfault-on-32bit-timev.patch b/backport-journal-network-timesync-fix-segfault-on-32bit-timev.patch new file mode 100644 index 0000000000000000000000000000000000000000..93f3cb61c4d5048941ed3774106aaf4a36605543 --- /dev/null +++ b/backport-journal-network-timesync-fix-segfault-on-32bit-timev.patch 
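Review bot: The shutdown case in `schedule_post_change()` reaches the immediate-post path through `goto fail`, so a label named for errors now also serves a normal, expected condition. The label's body is outside the hunk; if it treats the jump as a failure in any visible way, that would be misleading on every clean exit. Either rename the label to something neutral or say at the jump that this is not an error, and fix the typo in the new comment while there: `/* If we are already going down, post the change immediately. */`.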
@@ -0,0 +1,71 @@ +From bacb991ea76b4a8ad41e74273b65549ac926a694 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Wed, 15 Sep 2021 23:29:11 +0900 +Subject: [PATCH] journal,network,timesync: fix segfault on 32bit + timeval/timespec systems + +Fixes #20741. + +(cherry picked from commit f782eee68aea996c68b8cfeba5f288dae7fc876f) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/bacb991ea76b4a8ad41e74273b65549ac926a694 +--- + src/journal/journald-server.c | 7 +++++-- + src/libsystemd-network/icmp6-util.c | 3 ++- + src/timesync/timesyncd-manager.c | 3 ++- + 3 files changed, 9 insertions(+), 4 deletions(-) + +diff --git a/src/journal/journald-server.c b/src/journal/journald-server.c +index abd52f7c14..2d1d9e66d7 100644 +--- a/src/journal/journald-server.c ++++ b/src/journal/journald-server.c +@@ -1275,11 +1275,14 @@ int server_process_datagram( + /* We use NAME_MAX space for the SELinux label here. The kernel currently enforces no limit, but + * according to suggestions from the SELinux people this will change and it will probably be + * identical to NAME_MAX. For now we use that, but this should be updated one day when the final +- * limit is known. */ ++ * limit is known. ++ * ++ * Here, we need to explicitly initialize the buffer with zero, as glibc has a bug in ++ * __convert_scm_timestamps(), which assumes the buffer is initialized. See #20741. 
*/ + CMSG_BUFFER_TYPE(CMSG_SPACE(sizeof(struct ucred)) + + CMSG_SPACE_TIMEVAL + + CMSG_SPACE(sizeof(int)) + /* fd */ +- CMSG_SPACE(NAME_MAX) /* selinux label */) control; ++ CMSG_SPACE(NAME_MAX) /* selinux label */) control = {}; + + union sockaddr_union sa = {}; + +diff --git a/src/libsystemd-network/icmp6-util.c b/src/libsystemd-network/icmp6-util.c +index 823be0f275..3832bbd920 100644 +--- a/src/libsystemd-network/icmp6-util.c ++++ b/src/libsystemd-network/icmp6-util.c +@@ -148,8 +148,9 @@ int icmp6_send_router_solicitation(int s, const struct ether_addr *ether_addr) { + int icmp6_receive(int fd, void *buffer, size_t size, struct in6_addr *ret_dst, + triple_timestamp *ret_timestamp) { + ++ /* This needs to be initialized with zero. See #20741. */ + CMSG_BUFFER_TYPE(CMSG_SPACE(sizeof(int)) + /* ttl */ +- CMSG_SPACE_TIMEVAL) control; ++ CMSG_SPACE_TIMEVAL) control = {}; + struct iovec iov = {}; + union sockaddr_union sa = {}; + struct msghdr msg = { +diff --git a/src/timesync/timesyncd-manager.c b/src/timesync/timesyncd-manager.c +index 648e804105..e37db1c570 100644 +--- a/src/timesync/timesyncd-manager.c ++++ b/src/timesync/timesyncd-manager.c +@@ -412,7 +412,8 @@ static int manager_receive_response(sd_event_source *source, int fd, uint32_t re + .iov_base = &ntpmsg, + .iov_len = sizeof(ntpmsg), + }; +- CMSG_BUFFER_TYPE(CMSG_SPACE_TIMESPEC) control; ++ /* This needs to be initialized with zero. See #20741. */ ++ CMSG_BUFFER_TYPE(CMSG_SPACE_TIMESPEC) control = {}; + union sockaddr_union server_addr; + struct msghdr msghdr = { + .msg_iov = &iov, +-- +2.33.0 + diff --git a/backport-journal-remote-use-MHD_HTTP_CONTENT_TOO_LARGE-as-MHD.patch b/backport-journal-remote-use-MHD_HTTP_CONTENT_TOO_LARGE-as-MHD.patch new file mode 100644 index 0000000000000000000000000000000000000000..c123614a74c01906451b5c8a949d0ce75fe5c759 --- /dev/null +++ b/backport-journal-remote-use-MHD_HTTP_CONTENT_TOO_LARGE-as-MHD.patch 
@@ -0,0 +1,52 @@ +From c4d12459c6bc065bd255c9f5555ca20bf735e16a Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Mon, 20 Dec 2021 20:48:32 +0900 +Subject: [PATCH] journal-remote: use MHD_HTTP_CONTENT_TOO_LARGE as + MHD_HTTP_PAYLOAD_TOO_LARGE is deprecated since 0.9.74 + +(cherry picked from commit 30df858f43b14a55c6650b43bea12cbf2cc0bc67) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/c4d12459c6bc065bd255c9f5555ca20bf735e16a +--- + src/journal-remote/journal-remote-main.c | 2 +- + src/journal-remote/microhttpd-util.h | 10 +++++++--- + 2 files changed, 8 insertions(+), 4 deletions(-) + +diff --git a/src/journal-remote/journal-remote-main.c b/src/journal-remote/journal-remote-main.c +index ae1d43756a..9ff31763da 100644 +--- a/src/journal-remote/journal-remote-main.c ++++ b/src/journal-remote/journal-remote-main.c +@@ -319,7 +319,7 @@ static mhd_result request_handler( + /* When serialized, an entry of maximum size might be slightly larger, + * so this does not correspond exactly to the limit in journald. Oh well. 
+ */ +- return mhd_respondf(connection, 0, MHD_HTTP_PAYLOAD_TOO_LARGE, ++ return mhd_respondf(connection, 0, MHD_HTTP_CONTENT_TOO_LARGE, + "Payload larger than maximum size of %u bytes", ENTRY_SIZE_MAX); + } + +diff --git a/src/journal-remote/microhttpd-util.h b/src/journal-remote/microhttpd-util.h +index a92ba57d0f..7e7d1b56b1 100644 +--- a/src/journal-remote/microhttpd-util.h ++++ b/src/journal-remote/microhttpd-util.h +@@ -38,9 +38,13 @@ + # define MHD_HTTP_NOT_ACCEPTABLE MHD_HTTP_METHOD_NOT_ACCEPTABLE + #endif + +-/* Renamed in µhttpd 0.9.53 */ +-#ifndef MHD_HTTP_PAYLOAD_TOO_LARGE +-# define MHD_HTTP_PAYLOAD_TOO_LARGE MHD_HTTP_REQUEST_ENTITY_TOO_LARGE ++/* Renamed in µhttpd 0.9.74 (8c644fc1f4d498ea489add8d40a68f5d3e5899fa) */ ++#ifndef MHD_HTTP_CONTENT_TOO_LARGE ++# ifdef MHD_HTTP_PAYLOAD_TOO_LARGE ++# define MHD_HTTP_CONTENT_TOO_LARGE MHD_HTTP_PAYLOAD_TOO_LARGE /* 0.9.53 or newer */ ++# else ++# define MHD_HTTP_CONTENT_TOO_LARGE MHD_HTTP_REQUEST_ENTITY_TOO_LARGE ++# endif + #endif + + #if MHD_VERSION < 0x00094203 +-- +2.33.0 + diff --git a/backport-journal-send-close-fd-on-exit-when-running-with-valg.patch b/backport-journal-send-close-fd-on-exit-when-running-with-valg.patch new file mode 100644 index 0000000000000000000000000000000000000000..20b5b3df9bfff7d29673dd0c0dff1b7b5c037f7d --- /dev/null +++ b/backport-journal-send-close-fd-on-exit-when-running-with-valg.patch 
@@ -0,0 +1,132 @@ +From 6e5141ba038c1d8e22933f969b2bfe25bbc031d8 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Wed, 23 Feb 2022 02:03:54 +0900 +Subject: [PATCH] journal-send: close fd on exit when running with valgrind + +Fixes an issue reported in #22576. + +(cherry picked from commit eb9752d2be82d994cd6a17f271be27c4d56423d6) +(cherry picked from commit a7ec2be1509372974f44f1d98bf243a155cd203f) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/6e5141ba038c1d8e22933f969b2bfe25bbc031d8 +--- + src/libsystemd/meson.build | 1 + + src/libsystemd/sd-journal/journal-send.c | 26 +++++++++++++++++-- + src/libsystemd/sd-journal/journal-send.h | 8 ++++++ + src/libsystemd/sd-journal/test-journal-send.c | 3 +++ + 4 files changed, 36 insertions(+), 2 deletions(-) + create mode 100644 src/libsystemd/sd-journal/journal-send.h + +diff --git a/src/libsystemd/meson.build b/src/libsystemd/meson.build +index 489ed12a73..3be5b3ec5e 100644 +--- a/src/libsystemd/meson.build ++++ b/src/libsystemd/meson.build +@@ -12,6 +12,7 @@ sd_journal_sources = files( + 'sd-journal/journal-file.h', + 'sd-journal/journal-internal.h', + 'sd-journal/journal-send.c', ++ 'sd-journal/journal-send.h', + 'sd-journal/journal-vacuum.c', + 'sd-journal/journal-vacuum.h', + 'sd-journal/journal-verify.c', +diff --git a/src/libsystemd/sd-journal/journal-send.c b/src/libsystemd/sd-journal/journal-send.c +index fd3fd7ef9c..d96e422d3b 100644 +--- a/src/libsystemd/sd-journal/journal-send.c ++++ b/src/libsystemd/sd-journal/journal-send.c +@@ -6,6 +6,9 @@ + #include + #include + #include ++#if HAVE_VALGRIND_VALGRIND_H ++#include ++#endif + + #define SD_JOURNAL_SUPPRESS_LOCATION + +@@ -14,8 +17,9 @@ + #include "alloc-util.h" + #include "errno-util.h" + #include "fd-util.h" +-#include "io-util.h" + #include "fileio.h" ++#include "io-util.h" ++#include "journal-send.h" + #include "memfd-util.h" + #include "socket-util.h" + #include "stdio-util.h" +@@ -39,10 +43,10 @@ + * all its threads, and all its 
subprocesses. This means we need to + * initialize it atomically, and need to operate on it atomically + * never assuming we are the only user */ ++static int fd_plus_one = 0; + + static int journal_fd(void) { + int fd; +- static int fd_plus_one = 0; + + retry: + if (fd_plus_one > 0) +@@ -62,6 +66,24 @@ retry: + return fd; + } + ++#if VALGRIND ++void close_journal_fd(void) { ++ /* Be nice to valgrind. This is not atomic. This must be used only in tests. */ ++ ++ if (!RUNNING_ON_VALGRIND) ++ return; ++ ++ if (getpid() != gettid()) ++ return; ++ ++ if (fd_plus_one <= 0) ++ return; ++ ++ safe_close(fd_plus_one - 1); ++ fd_plus_one = 0; ++} ++#endif ++ + _public_ int sd_journal_print(int priority, const char *format, ...) { + int r; + va_list ap; +diff --git a/src/libsystemd/sd-journal/journal-send.h b/src/libsystemd/sd-journal/journal-send.h +new file mode 100644 +index 0000000000..cf8b199297 +--- /dev/null ++++ b/src/libsystemd/sd-journal/journal-send.h +@@ -0,0 +1,8 @@ ++/* SPDX-License-Identifier: LGPL-2.1-or-later */ ++#pragma once ++ ++#if VALGRIND ++void close_journal_fd(void); ++#else ++static inline void close_journal_fd(void) {} ++#endif +diff --git a/src/libsystemd/sd-journal/test-journal-send.c b/src/libsystemd/sd-journal/test-journal-send.c +index b6644e65c1..533b8d91e6 100644 +--- a/src/libsystemd/sd-journal/test-journal-send.c ++++ b/src/libsystemd/sd-journal/test-journal-send.c +@@ -5,7 +5,9 @@ + #include + + #include "sd-journal.h" ++ + #include "fileio.h" ++#include "journal-send.h" + #include "macro.h" + #include "memory-util.h" + +@@ -103,5 +105,6 @@ int main(int argc, char *argv[]) { + /* Sleep a bit to make it easy for journald to collect metadata. */ + sleep(1); + ++ close_journal_fd(); + return 0; + } +-- +2.33.0 + 
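Review bot: `close_journal_fd()` resets `fd_plus_one` with a plain store, although the comment directly above `journal_fd()` says the descriptor must be operated on atomically. The `getpid() != gettid()` guard only shows that the caller is the main thread, not that no other thread is inside a send path. A thread that has already fetched the descriptor could then write to a closed fd number, or to whatever file is opened next under that number. The in-function comment restricts this to tests, but the new journal-send.h declares the function with no such statement. I would add above the declaration `/* Test-only: closes the cached journal socket under valgrind. Not atomic; call from the main thread after all other threads using sd_journal_*() have finished. */`.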
diff --git a/backport-journalctl-never-fail-at-flushing-when-the-flushed-f.patch b/backport-journalctl-never-fail-at-flushing-when-the-flushed-f.patch index 0de04dffea6da1e4a9c0269819c854eb96b032b1..3be690d977350442c8a6ddfc829c0c9de1248014 100644 --- a/backport-journalctl-never-fail-at-flushing-when-the-flushed-f.patch +++ b/backport-journalctl-never-fail-at-flushing-when-the-flushed-f.patch @@ -1,4 +1,4 @@ -From f6fca35e642a112e80cc9bddb9a2b4805ad40df2 Mon Sep 17 00:00:00 2001 +From dc331f4c9268d17a66f4393cfd0dba14c7022d41 Mon Sep 17 00:00:00 2001 From: Franck Bui Date: Wed, 4 Aug 2021 11:20:07 +0200 Subject: [PATCH] journalctl: never fail at flushing when the flushed flag is @@ -14,15 +14,20 @@ flushed flag anymore. This patch restores the previous behavior since there's no reason to fail when journalctl can figure out that the flush is not necessary. + +(cherry picked from commit f6fca35e642a112e80cc9bddb9a2b4805ad40df2) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/dc331f4c9268d17a66f4393cfd0dba14c7022d41 --- src/journal/journalctl.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/src/journal/journalctl.c b/src/journal/journalctl.c -index 4a2343a63d..73e4fafdff 100644 +index c8fb726d42..3eac97510d 100644 --- a/src/journal/journalctl.c +++ b/src/journal/journalctl.c -@@ -2064,6 +2064,11 @@ static int simple_varlink_call(const char *option, const char *method) { +@@ -2074,6 +2074,11 @@ static int simple_varlink_call(const char *option, const char *method) { } static int flush_to_var(void) { @@ -35,5 +40,5 @@ index 4a2343a63d..73e4fafdff 100644 } -- -2.27.0 +2.33.0 diff --git a/backport-journald-make-sure-SIGTERM-handling-doesn-t-get-star.patch b/backport-journald-make-sure-SIGTERM-handling-doesn-t-get-star.patch new file mode 100644 index 0000000000000000000000000000000000000000..a460e1009492ff8ed81691b6b49739a24b9b197c --- /dev/null +++ b/backport-journald-make-sure-SIGTERM-handling-doesn-t-get-star.patch 
@@ -0,0 +1,125 @@ +From a98f2d7a0b017505720477d9fc89de2b56470dfa Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Thu, 24 Mar 2022 20:37:43 +0100 +Subject: [PATCH] journald: make sure SIGTERM handling doesn't get starved out + +Fixes: #22642 +(cherry picked from commit 19252b254861d8c9b56e2acaeb182812c8f07e52) +(cherry picked from commit c901bc8680d1835737de116f2bf1f522bdb083c2) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/a98f2d7a0b017505720477d9fc89de2b56470dfa +--- + src/journal/journald-server.c | 76 +++++++++++++++++++++++++++++++++-- + 1 file changed, 73 insertions(+), 3 deletions(-) + +diff --git a/src/journal/journald-server.c b/src/journal/journald-server.c +index a212079758..86302e31e3 100644 +--- a/src/journal/journald-server.c ++++ b/src/journal/journald-server.c +@@ -1443,12 +1443,82 @@ static int dispatch_sigusr2(sd_event_source *es, const struct signalfd_siginfo * + } + + static int dispatch_sigterm(sd_event_source *es, const struct signalfd_siginfo *si, void *userdata) { ++ _cleanup_(sd_event_source_disable_unrefp) sd_event_source *news = NULL; + Server *s = userdata; ++ int r; + + assert(s); + + log_received_signal(LOG_INFO, si); + ++ (void) sd_event_source_set_enabled(es, false); /* Make sure this handler is called at most once */ ++ ++ /* So on one hand we want to ensure that SIGTERMs are definitely handled in appropriate, bounded ++ * time. On the other hand we want that everything pending is first comprehensively processed and ++ * written to disk. These goals are incompatible, hence we try to find a middle ground: we'll process ++ * SIGTERM with high priority, but from the handler (this one right here) we'll install two new event ++ * sources: one low priority idle one that will issue the exit once everything else is processed (and ++ * which is hopefully the regular, clean codepath); and one high priority timer that acts as safety ++ * net: if our idle handler isn't run within 10s, we'll exit anyway. 
++ * ++ * TLDR: we'll exit either when everything is processed, or after 10s max, depending on what happens ++ * first. ++ * ++ * Note that exiting before the idle event is hit doesn't typically mean that we lose any data, as ++ * messages will remain queued in the sockets they came in from, and thus can be processed when we ++ * start up next – unless we are going down for the final system shutdown, in which case everything ++ * is lost. */ ++ ++ r = sd_event_add_defer(s->event, &news, NULL, NULL); /* NULL handler means → exit when triggered */ ++ if (r < 0) { ++ log_error_errno(r, "Failed to allocate exit idle event handler: %m"); ++ goto fail; ++ } ++ ++ (void) sd_event_source_set_description(news, "exit-idle"); ++ ++ /* Run everything relevant before this. */ ++ r = sd_event_source_set_priority(news, SD_EVENT_PRIORITY_NORMAL+20); ++ if (r < 0) { ++ log_error_errno(r, "Failed to adjust priority of exit idle event handler: %m"); ++ goto fail; ++ } ++ ++ /* Give up ownership, so that this event source is freed automatically when the event loop is freed. 
*/ ++ r = sd_event_source_set_floating(news, true); ++ if (r < 0) { ++ log_error_errno(r, "Failed to make exit idle event handler floating: %m"); ++ goto fail; ++ } ++ ++ news = sd_event_source_unref(news); ++ ++ r = sd_event_add_time_relative(s->event, &news, CLOCK_MONOTONIC, 10 * USEC_PER_SEC, 0, NULL, NULL); ++ if (r < 0) { ++ log_error_errno(r, "Failed to allocate exit timeout event handler: %m"); ++ goto fail; ++ } ++ ++ (void) sd_event_source_set_description(news, "exit-timeout"); ++ ++ r = sd_event_source_set_priority(news, SD_EVENT_PRIORITY_IMPORTANT-20); /* This is a safety net, with highest priority */ ++ if (r < 0) { ++ log_error_errno(r, "Failed to adjust priority of exit timeout event handler: %m"); ++ goto fail; ++ } ++ ++ r = sd_event_source_set_floating(news, true); ++ if (r < 0) { ++ log_error_errno(r, "Failed to make exit timeout event handler floating: %m"); ++ goto fail; ++ } ++ ++ news = sd_event_source_unref(news); ++ ++ log_debug("Exit event sources are now pending."); ++ return 0; ++ ++fail: + sd_event_exit(s->event, 0); + return 0; + } +@@ -1500,8 +1570,8 @@ static int setup_signals(Server *s) { + if (r < 0) + return r; + +- /* Let's process SIGTERM late, so that we flush all queued messages to disk before we exit */ +- r = sd_event_source_set_priority(s->sigterm_event_source, SD_EVENT_PRIORITY_NORMAL+20); ++ /* Let's process SIGTERM early, so that we definitely react to it */ ++ r = sd_event_source_set_priority(s->sigterm_event_source, SD_EVENT_PRIORITY_IMPORTANT-10); + if (r < 0) + return r; + +@@ -1511,7 +1581,7 @@ static int setup_signals(Server *s) { + if (r < 0) + return r; + +- r = sd_event_source_set_priority(s->sigint_event_source, SD_EVENT_PRIORITY_NORMAL+20); ++ r = sd_event_source_set_priority(s->sigint_event_source, SD_EVENT_PRIORITY_IMPORTANT-10); + if (r < 0) + return r; + +-- +2.33.0 + 
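Review bot: The safety-net timer in `dispatch_sigterm()` is added with a NULL handler, so when the 10s limit ends the event loop nothing records that journald exited with input still queued. The comment in the same hunk states that such input is lost on final system shutdown, which makes a silent timeout exit hard to tell apart from a clean one when logs are examined later. I would give the `exit-timeout` source a small handler that logs a warning and then calls `sd_event_exit()`, as sketched below, and leave the idle source with its NULL handler. The handler name is only a suggestion, and whether a warning emitted this late still reaches storage needs checking.

```c
static int dispatch_exit_timeout(sd_event_source *es, uint64_t usec, void *userdata) {
        Server *s = userdata;

        assert(s);

        log_warning("Timed out waiting for pending messages to be processed after termination signal, exiting anyway.");
        return sd_event_exit(s->event, 0);
}

/* … unchanged: dispatch_sigterm() up to and including the exit-idle source … */

        r = sd_event_add_time_relative(s->event, &news, CLOCK_MONOTONIC, 10 * USEC_PER_SEC, 0, dispatch_exit_timeout, s);
```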
diff --git a/backport-json-do-something-remotely-reasonable-when-we-see-Na.patch b/backport-json-do-something-remotely-reasonable-when-we-see-Na.patch
new file mode 100644
index 0000000000000000000000000000000000000000..c4c0f5c79ccf4ffc5c1ad6dd00294b877bd00748
--- /dev/null
+++ b/backport-json-do-something-remotely-reasonable-when-we-see-Na.patch
@@ -0,0 +1,50 @@ +From 06444b314b863facdb173f10f2d1ff11196755d2 Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Tue, 26 Oct 2021 15:45:49 +0200 +Subject: [PATCH] json: do something remotely reasonable when we see + NaN/infinity + +JSON doesn't have NaN/infinity/-infinity concepts in the spec. +Implementations vary what they do with it. JSON5 + Python simply +generate special words "NAN" and "Inifinity" from it. Others generate +"null" for it. + +At this point we never actually want to output this, so let's be +conservative and generate RFC compliant JSON, i.e. convert to null. + +One day should JSON5 actually become a thing we can revisit this, but in +that case we should implement things via a flag, and only optinally +process nan/infinity/-infinity. + +This patch is extremely simple: whenever accepting a +nan/infinity/-infinity from outside it converts it to NULL. I.e. we +convert on input, not output. + +(cherry picked from commit 8f1daefce6e952f2fad9510e5101b5fc675d363f) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/06444b314b863facdb173f10f2d1ff11196755d2 +--- + src/shared/json.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/src/shared/json.c b/src/shared/json.c +index c52460a3ec..d72b1e3a38 100644 +--- a/src/shared/json.c ++++ b/src/shared/json.c +@@ -359,6 +359,12 @@ int json_variant_new_real(JsonVariant **ret, long double d) { + } + REENABLE_WARNING; + ++ /* JSON doesn't know NaN, +Infinity or -Infinity. Let's silently convert to 'null'. */ ++ if (isnan(d) || isinf(d)) { ++ *ret = JSON_VARIANT_MAGIC_NULL; ++ return 0; ++ } ++ + r = json_variant_new(&v, JSON_VARIANT_REAL, sizeof(d)); + if (r < 0) + return r; +-- +2.33.0 + diff --git a/backport-kernel-install-also-remove-modules.builtin.alias.bin.patch b/backport-kernel-install-also-remove-modules.builtin.alias.bin.patch new file mode 100644 index 0000000000000000000000000000000000000000..1aa7a99341949065d07d464481f70fa73984440a --- /dev/null 
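Review bot: A caller of `json_variant_new_real()` cannot tell a non-finite input from an explicit `null`, because the added branch returns 0 with `*ret = JSON_VARIANT_MAGIC_NULL` and leaves no error or log line. Code that validates externally supplied JSON and expects a real would receive a variant of a different type, presumably also for a literal that overflowed during parsing if the parser routes through this function. The comment on the branch should state that caller-visible contract, e.g. `/* JSON doesn't know NaN, +Infinity or -Infinity: return the null variant instead. Callers that need a number must check the type of *ret. */`. The start of the function is outside the hunk, so whether a header comment already documents this is not visible.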
+++ b/backport-kernel-install-also-remove-modules.builtin.alias.bin.patch @@ -0,0 +1,32 @@ +From 44e060dd1641068752b79d49322d379c2ef2a1c1 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Sat, 15 Jan 2022 03:37:40 +0900 +Subject: [PATCH] kernel-install: also remove modules.builtin.alias.bin + +Fixes RHBZ#2016630. + +(cherry picked from commit 06006691b5c56b6123044179d934b3ed81c237ca) +(cherry picked from commit fdcb1bf67371615f12c4b11283f2bd6a25bda019) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/44e060dd1641068752b79d49322d379c2ef2a1c1 +--- + src/kernel-install/50-depmod.install | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/kernel-install/50-depmod.install b/src/kernel-install/50-depmod.install +index 2fd959865f..fd00c43632 100644 +--- a/src/kernel-install/50-depmod.install ++++ b/src/kernel-install/50-depmod.install +@@ -36,7 +36,7 @@ case "$COMMAND" in + remove) + [ "$KERNEL_INSTALL_VERBOSE" -gt 0 ] && \ + echo "Removing /lib/modules/${KERNEL_VERSION}/modules.dep and associated files" +- exec rm -f /lib/modules/"${KERNEL_VERSION}"/modules.{alias{,.bin},builtin.bin,dep{,.bin},devname,softdep,symbols{,.bin}} ++ exec rm -f /lib/modules/"${KERNEL_VERSION}"/modules.{alias{,.bin},builtin{,.alias}.bin,dep{,.bin},devname,softdep,symbols{,.bin}} + ;; + *) + exit 0 +-- +2.33.0 + diff --git a/backport-libsystemd-network-disable-event-sources-before-unre.patch b/backport-libsystemd-network-disable-event-sources-before-unre.patch new file mode 100644 index 0000000000000000000000000000000000000000..d947eff68c285bb2e2808da6db9077269fbc05a7 --- /dev/null +++ b/backport-libsystemd-network-disable-event-sources-before-unre.patch 
@@ -0,0 +1,194 @@ +From 00a2361bb5d3fccfa5b4fdb4d73b7aa7938e2449 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Fri, 24 Sep 2021 17:26:35 +0900 +Subject: [PATCH] libsystemd-network: disable event sources before unref them + +Fixes #20825. + +(cherry picked from commit eb2f750242d6c4c0963887dbd561d8bafa318685) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/00a2361bb5d3fccfa5b4fdb4d73b7aa7938e2449 +--- + src/libsystemd-network/sd-dhcp-client.c | 12 +++++------- + src/libsystemd-network/sd-dhcp-server.c | 4 ++-- + src/libsystemd-network/sd-ipv4acd.c | 5 ++--- + src/libsystemd-network/sd-lldp.c | 7 ++++--- + src/libsystemd-network/sd-ndisc.c | 9 +++++---- + src/libsystemd-network/sd-radv.c | 6 ++---- + 6 files changed, 20 insertions(+), 23 deletions(-) + +diff --git a/src/libsystemd-network/sd-dhcp-client.c b/src/libsystemd-network/sd-dhcp-client.c +index 030b50cf2a..46191e58f5 100644 +--- a/src/libsystemd-network/sd-dhcp-client.c ++++ b/src/libsystemd-network/sd-dhcp-client.c +@@ -726,7 +726,7 @@ static int client_notify(sd_dhcp_client *client, int event) { + static int client_initialize(sd_dhcp_client *client) { + assert_return(client, -EINVAL); + +- client->receive_message = sd_event_source_unref(client->receive_message); ++ client->receive_message = sd_event_source_disable_unref(client->receive_message); + + client->fd = safe_close(client->fd); + +@@ -1492,7 +1492,7 @@ static int client_timeout_t2(sd_event_source *s, uint64_t usec, void *userdata) + + assert(client); + +- client->receive_message = sd_event_source_unref(client->receive_message); ++ client->receive_message = sd_event_source_disable_unref(client->receive_message); + client->fd = safe_close(client->fd); + + client->state = DHCP_STATE_REBINDING; +@@ -1847,7 +1847,7 @@ static int client_handle_message(sd_dhcp_client *client, DHCPMessage *message, i + + client->start_delay = 0; + (void) event_source_disable(client->timeout_resend); +- client->receive_message = 
sd_event_source_unref(client->receive_message); ++ client->receive_message = sd_event_source_disable_unref(client->receive_message); + client->fd = safe_close(client->fd); + + client->state = DHCP_STATE_BOUND; +@@ -2229,17 +2229,15 @@ static sd_dhcp_client *dhcp_client_free(sd_dhcp_client *client) { + + log_dhcp_client(client, "FREE"); + ++ client_initialize(client); ++ + client->timeout_resend = sd_event_source_unref(client->timeout_resend); + client->timeout_t1 = sd_event_source_unref(client->timeout_t1); + client->timeout_t2 = sd_event_source_unref(client->timeout_t2); + client->timeout_expire = sd_event_source_unref(client->timeout_expire); + +- client_initialize(client); +- + sd_dhcp_client_detach_event(client); + +- sd_dhcp_lease_unref(client->lease); +- + set_free(client->req_opts); + free(client->hostname); + free(client->vendor_class_identifier); +diff --git a/src/libsystemd-network/sd-dhcp-server.c b/src/libsystemd-network/sd-dhcp-server.c +index 9ae884b0fc..3f4af8440e 100644 +--- a/src/libsystemd-network/sd-dhcp-server.c ++++ b/src/libsystemd-network/sd-dhcp-server.c +@@ -267,8 +267,8 @@ int sd_dhcp_server_stop(sd_dhcp_server *server) { + if (!server) + return 0; + +- server->receive_message = sd_event_source_unref(server->receive_message); +- server->receive_broadcast = sd_event_source_unref(server->receive_broadcast); ++ server->receive_message = sd_event_source_disable_unref(server->receive_message); ++ server->receive_broadcast = sd_event_source_disable_unref(server->receive_broadcast); + + server->fd_raw = safe_close(server->fd_raw); + server->fd = safe_close(server->fd); +diff --git a/src/libsystemd-network/sd-ipv4acd.c b/src/libsystemd-network/sd-ipv4acd.c +index 9a77a33317..ebd4764840 100644 +--- a/src/libsystemd-network/sd-ipv4acd.c ++++ b/src/libsystemd-network/sd-ipv4acd.c +@@ -120,7 +120,7 @@ static void ipv4acd_reset(sd_ipv4acd *acd) { + assert(acd); + + (void) event_source_disable(acd->timer_event_source); +- 
acd->receive_message_event_source = sd_event_source_unref(acd->receive_message_event_source); ++ acd->receive_message_event_source = sd_event_source_disable_unref(acd->receive_message_event_source); + + acd->fd = safe_close(acd->fd); + +@@ -130,9 +130,8 @@ static void ipv4acd_reset(sd_ipv4acd *acd) { + static sd_ipv4acd *ipv4acd_free(sd_ipv4acd *acd) { + assert(acd); + +- acd->timer_event_source = sd_event_source_unref(acd->timer_event_source); +- + ipv4acd_reset(acd); ++ sd_event_source_unref(acd->timer_event_source); + sd_ipv4acd_detach_event(acd); + free(acd->ifname); + return mfree(acd); +diff --git a/src/libsystemd-network/sd-lldp.c b/src/libsystemd-network/sd-lldp.c +index 49aa876a53..b38d6dbd1e 100644 +--- a/src/libsystemd-network/sd-lldp.c ++++ b/src/libsystemd-network/sd-lldp.c +@@ -239,7 +239,7 @@ static void lldp_reset(sd_lldp *lldp) { + assert(lldp); + + (void) event_source_disable(lldp->timer_event_source); +- lldp->io_event_source = sd_event_source_unref(lldp->io_event_source); ++ lldp->io_event_source = sd_event_source_disable_unref(lldp->io_event_source); + lldp->fd = safe_close(lldp->fd); + } + +@@ -365,10 +365,11 @@ const char *sd_lldp_get_ifname(sd_lldp *lldp) { + static sd_lldp* lldp_free(sd_lldp *lldp) { + assert(lldp); + +- lldp->timer_event_source = sd_event_source_unref(lldp->timer_event_source); +- + lldp_reset(lldp); ++ ++ sd_event_source_unref(lldp->timer_event_source); + sd_lldp_detach_event(lldp); ++ + lldp_flush_neighbors(lldp); + + hashmap_free(lldp->neighbor_by_id); +diff --git a/src/libsystemd-network/sd-ndisc.c b/src/libsystemd-network/sd-ndisc.c +index 4d5f1b54cd..9b3a89378c 100644 +--- a/src/libsystemd-network/sd-ndisc.c ++++ b/src/libsystemd-network/sd-ndisc.c +@@ -133,18 +133,19 @@ static void ndisc_reset(sd_ndisc *nd) { + (void) event_source_disable(nd->timeout_event_source); + (void) event_source_disable(nd->timeout_no_ra); + nd->retransmit_time = 0; +- nd->recv_event_source = sd_event_source_unref(nd->recv_event_source); ++ 
nd->recv_event_source = sd_event_source_disable_unref(nd->recv_event_source); + nd->fd = safe_close(nd->fd); + } + + static sd_ndisc *ndisc_free(sd_ndisc *nd) { + assert(nd); + +- nd->timeout_event_source = sd_event_source_unref(nd->timeout_event_source); +- nd->timeout_no_ra = sd_event_source_unref(nd->timeout_no_ra); +- + ndisc_reset(nd); ++ ++ sd_event_source_unref(nd->timeout_event_source); ++ sd_event_source_unref(nd->timeout_no_ra); + sd_ndisc_detach_event(nd); ++ + free(nd->ifname); + return mfree(nd); + } +diff --git a/src/libsystemd-network/sd-radv.c b/src/libsystemd-network/sd-radv.c +index 857401bf6e..eac8aa385b 100644 +--- a/src/libsystemd-network/sd-radv.c ++++ b/src/libsystemd-network/sd-radv.c +@@ -89,8 +89,7 @@ static void radv_reset(sd_radv *ra) { + + (void) event_source_disable(ra->timeout_event_source); + +- ra->recv_event_source = +- sd_event_source_unref(ra->recv_event_source); ++ ra->recv_event_source = sd_event_source_disable_unref(ra->recv_event_source); + + ra->ra_sent = 0; + } +@@ -116,10 +115,9 @@ static sd_radv *radv_free(sd_radv *ra) { + free(ra->rdnss); + free(ra->dnssl); + +- ra->timeout_event_source = sd_event_source_unref(ra->timeout_event_source); +- + radv_reset(ra); + ++ sd_event_source_unref(ra->timeout_event_source); + sd_radv_detach_event(ra); + + ra->fd = safe_close(ra->fd); +-- +2.33.0 + diff --git a/backport-localed-use-PROJECT_FILE-rather-than-__FILE__-for-lo.patch b/backport-localed-use-PROJECT_FILE-rather-than-__FILE__-for-lo.patch new file mode 100644 index 0000000000000000000000000000000000000000..f6961b329d7f90fa9821483bf438a45413466d4b --- /dev/null +++ b/backport-localed-use-PROJECT_FILE-rather-than-__FILE__-for-lo.patch 
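Review bot: In `ipv4acd_free()`, `lldp_free()`, `ndisc_free()` and `radv_free()` the timer sources are now released with a bare `sd_event_source_unref(...)` whose result is discarded. The struct therefore keeps a stale pointer while `sd_*_detach_event()` and the rest of teardown run, and the unref is safe only because the preceding `*_reset()` call disabled the timer. That ordering is what keeps a still-referenced source from firing its callback with a freed object as userdata, yet nothing at the call site says so. I would either keep the assignment form, `acd->timer_event_source = sd_event_source_unref(acd->timer_event_source);`, or add `/* ipv4acd_reset() disabled the timer above; only the reference is dropped here */`, with the equivalent in the other three. In `dhcp_client_free()` the `timeout_*` sources and the removed `sd_dhcp_lease_unref()` likewise depend on `client_initialize()`, whose full body is outside the hunks.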
@@ -0,0 +1,32 @@ +From 00b0393e65252bf631670604f58b844780b08c50 Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Mon, 11 Oct 2021 13:56:22 +0200 +Subject: [PATCH] localed: use PROJECT_FILE rather than __FILE__ for logging + +All our log.h code uses PROJECT_FILE for this, let's hence use it here +too. + +(cherry picked from commit 11c8b1f1031d368358286f4bb26abebd73cd2868) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/00b0393e65252bf631670604f58b844780b08c50 +--- + src/locale/localed.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/locale/localed.c b/src/locale/localed.c +index df0eb030d4..c228385d0e 100644 +--- a/src/locale/localed.c ++++ b/src/locale/localed.c +@@ -560,7 +560,7 @@ static void log_xkb(struct xkb_context *ctx, enum xkb_log_level lvl, const char + + fmt = strjoina("libxkbcommon: ", format); + DISABLE_WARNING_FORMAT_NONLITERAL; +- log_internalv(LOG_DEBUG, 0, __FILE__, __LINE__, __func__, fmt, args); ++ log_internalv(LOG_DEBUG, 0, PROJECT_FILE, __LINE__, __func__, fmt, args); + REENABLE_WARNING; + } + +-- +2.33.0 + diff --git a/backport-login-drop-non-default-value-for-RuntimeDirectoryIno.patch b/backport-login-drop-non-default-value-for-RuntimeDirectoryIno.patch index 118b7d74398bece68cf88122a68ad3cf3dfcbc3c..a4535998db9a03755f3f0fad04de187198c75133 100644 --- a/backport-login-drop-non-default-value-for-RuntimeDirectoryIno.patch +++ b/backport-login-drop-non-default-value-for-RuntimeDirectoryIno.patch @@ -1,26 +1,26 @@ From 0bc055cf52251a98e41391a7587b7222120c67d2 Mon Sep 17 00:00:00 2001 From: Yu Watanabe Date: Thu, 28 Apr 2022 19:53:12 +0900 -Subject: [PATCH] login: drop non-default value for -RuntimeDirectoryInodesMax= +Subject: [PATCH] login: drop non-default value for RuntimeDirectoryInodesMax= +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/0bc055cf52251a98e41391a7587b7222120c67d2 --- src/login/logind.conf.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/src/login/logind.conf.in b/src/login/logind.conf.in -index 3c2ae4b..cc6f6c9 100644 +index 8ec979e0e8..08a89c351c 100644 --- a/src/login/logind.conf.in +++ b/src/login/logind.conf.in -@@ -38,7 +38,7 @@ +@@ -42,7 +42,7 @@ #IdleAction=ignore #IdleActionSec=30min #RuntimeDirectorySize=10% -#RuntimeDirectoryInodesMax=400k +#RuntimeDirectoryInodesMax= - #RemoveIPC=no + #RemoveIPC=yes #InhibitorsMax=8192 #SessionsMax=8192 -- -2.27.0 - +2.33.0 \ No newline at end of file diff --git a/backport-login-make-RuntimeDirectoryInodesMax-support-K-G-M-s.patch b/backport-login-make-RuntimeDirectoryInodesMax-support-K-G-M-s.patch new file mode 100644 index 0000000000000000000000000000000000000000..a363efee4cbe40896e26724d9aa72c3104d151c0 --- /dev/null +++ b/backport-login-make-RuntimeDirectoryInodesMax-support-K-G-M-s.patch 
@@ -0,0 +1,30 @@ +From 08a767f1e03bd59c0960a96ad585dbc3ef0bc78d Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Wed, 27 Apr 2022 17:44:46 +0900 +Subject: [PATCH] login: make RuntimeDirectoryInodesMax= support K, G, M + suffixes + +Fixes #23017. + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/08a767f1e03bd59c0960a96ad585dbc3ef0bc78d +--- + src/login/logind-gperf.gperf | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/login/logind-gperf.gperf b/src/login/logind-gperf.gperf +index 867db36533..f11ab8ada5 100644 +--- a/src/login/logind-gperf.gperf ++++ b/src/login/logind-gperf.gperf +@@ -45,7 +45,7 @@ Login.HoldoffTimeoutSec, config_parse_sec, 0, offse + Login.IdleAction, config_parse_handle_action, 0, offsetof(Manager, idle_action) + Login.IdleActionSec, config_parse_sec, 0, offsetof(Manager, idle_action_usec) + Login.RuntimeDirectorySize, config_parse_tmpfs_size, 0, offsetof(Manager, runtime_dir_size) +-Login.RuntimeDirectoryInodesMax, config_parse_uint64, 0, offsetof(Manager, runtime_dir_inodes) ++Login.RuntimeDirectoryInodesMax, config_parse_iec_uint64, 0, offsetof(Manager, runtime_dir_inodes) + Login.RemoveIPC, config_parse_bool, 0, offsetof(Manager, remove_ipc) + Login.InhibitorsMax, config_parse_uint64, 0, offsetof(Manager, inhibitors_max) + Login.SessionsMax, config_parse_uint64, 0, offsetof(Manager, sessions_max) +-- +2.27.0 + diff --git a/backport-login-respect-install_sysconfdir_samples-in-meson-fi.patch b/backport-login-respect-install_sysconfdir_samples-in-meson-fi.patch new file mode 100644 index 0000000000000000000000000000000000000000..16c0e9d6c085f7db9a6d070d66bff99b4cdb79b7 --- /dev/null +++ b/backport-login-respect-install_sysconfdir_samples-in-meson-fi.patch 
@@ -0,0 +1,34 @@ +From 426cd32268f6068b843bc24d54b3f969034ab998 Mon Sep 17 00:00:00 2001 +From: Andreas Rammhold +Date: Mon, 26 Jul 2021 17:20:34 +0200 +Subject: [PATCH] login: respect install_sysconfdir_samples in meson file + +The refactoring done in c900d89faa0 caused the configuration files to be +installed into the pkgsysconfdir regardless of the state of the +install_sysconfdir_samples boolean that indicates whether or not the +sample files should be installed. + +(cherry picked from commit 72964d047a7a8f79ae12ab41168feb0080eef6c3) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/426cd32268f6068b843bc24d54b3f969034ab998 +--- + src/login/meson.build | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/login/meson.build b/src/login/meson.build +index 8c20e6be65..b637adc9a2 100644 +--- a/src/login/meson.build ++++ b/src/login/meson.build +@@ -67,7 +67,7 @@ pam_systemd_c = files('pam_systemd.c') + + enable_logind = conf.get('ENABLE_LOGIND') == 1 + in_files = [ +- ['logind.conf', pkgsysconfdir, enable_logind], ++ ['logind.conf', pkgsysconfdir, enable_logind and install_sysconfdir_samples], + ['70-uaccess.rules', udevrulesdir, enable_logind and conf.get('HAVE_ACL') == 1], + ['71-seat.rules', udevrulesdir, enable_logind], + ['73-seat-late.rules', udevrulesdir, enable_logind], +-- +2.33.0 + diff --git a/backport-login-use-bus_error_message-at-one-more-place.patch b/backport-login-use-bus_error_message-at-one-more-place.patch new file mode 100644 index 0000000000000000000000000000000000000000..ef14f1382c086d14f3c13d655256abb1209c448a --- /dev/null +++ b/backport-login-use-bus_error_message-at-one-more-place.patch 
@@ -0,0 +1,44 @@ +From 98f8c18db0edda121db05171fbaf35c342fd86b2 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Sun, 30 Jan 2022 05:38:35 +0900 +Subject: [PATCH] login: use bus_error_message() at one more place + +(cherry picked from commit 80c8c786a314bceba180fac5506e72aa48c0764a) +(cherry picked from commit 048487c094a149e99b4067c8cd2d3974a8f17397) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/98f8c18db0edda121db05171fbaf35c342fd86b2 +--- + src/login/logind-user.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/src/login/logind-user.c b/src/login/logind-user.c +index a2c468e8dd..3c65867cb6 100644 +--- a/src/login/logind-user.c ++++ b/src/login/logind-user.c +@@ -358,15 +358,19 @@ static void user_start_service(User *u) { + + static int update_slice_callback(sd_bus_message *m, void *userdata, sd_bus_error *ret_error) { + _cleanup_(user_record_unrefp) UserRecord *ur = userdata; ++ const sd_bus_error *e; ++ int r; + + assert(m); + assert(ur); + +- if (sd_bus_message_is_method_error(m, NULL)) { +- log_warning_errno(sd_bus_message_get_errno(m), ++ e = sd_bus_message_get_error(m); ++ if (e) { ++ r = sd_bus_error_get_errno(e); ++ log_warning_errno(r, + "Failed to update slice of %s, ignoring: %s", + ur->user_name, +- sd_bus_message_get_error(m)->message); ++ bus_error_message(e, r)); + + return 0; + } +-- +2.33.0 + diff --git a/backport-logind-do-not-propagate-error-in-delayed-action.patch b/backport-logind-do-not-propagate-error-in-delayed-action.patch new file mode 100644 index 0000000000000000000000000000000000000000..6dddc40f61fac882441732f9fdef81378155726d --- /dev/null +++ b/backport-logind-do-not-propagate-error-in-delayed-action.patch 
@@ -0,0 +1,65 @@ +From e6ca5aa8ac8d79217d11240b09dfbdb9364cdb36 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Wed, 5 Jan 2022 15:10:33 +0100 +Subject: [PATCH] logind: do not propagate error in delayed action + +If the action failed, we should log about the issue, and continue. +Exiting would bring the graphical session down, which of course is not +appreciated by users. + +As documented in previous commits, a non-negative return from the callback +doesn't matter, so the callback is simplified a bit. + +Fixes #21991. + +(cherry picked from commit 8207b8321bbbcbd19a345deb77d455d98e6ffb84) +(cherry picked from commit fb9bbbee6a3c09b75817f9f343176fa2170fdb31) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/e6ca5aa8ac8d79217d11240b09dfbdb9364cdb36 +--- + src/login/logind-dbus.c | 8 ++------ + 1 file changed, 2 insertions(+), 6 deletions(-) + +diff --git a/src/login/logind-dbus.c b/src/login/logind-dbus.c +index 19c3f9bd6e..b3c204f0b0 100644 +--- a/src/login/logind-dbus.c ++++ b/src/login/logind-dbus.c +@@ -1639,7 +1639,6 @@ error: + } + + int manager_dispatch_delayed(Manager *manager, bool timeout) { +- + _cleanup_(sd_bus_error_free) sd_bus_error error = SD_BUS_ERROR_NULL; + Inhibitor *offending = NULL; + int r; +@@ -1671,10 +1670,9 @@ int manager_dispatch_delayed(Manager *manager, bool timeout) { + + manager->action_unit = NULL; + manager->action_what = 0; +- return r; + } + +- return 1; ++ return 1; /* We did some work. */ + } + + static int manager_inhibit_timeout_handler( +@@ -1683,13 +1681,11 @@ static int manager_inhibit_timeout_handler( + void *userdata) { + + Manager *manager = userdata; +- int r; + + assert(manager); + assert(manager->inhibit_timeout_source == s); + +- r = manager_dispatch_delayed(manager, true); +- return (r < 0) ? r : 0; ++ return manager_dispatch_delayed(manager, true); + } + + static int delay_shutdown_or_sleep( +-- +2.33.0 + 
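Review bot: `manager_dispatch_delayed()` now ends in `return 1; /* We did some work. */` even when the action failed, so its `int` return no longer carries an error, and nothing at the function says so. `manager_inhibit_timeout_handler()` forwards that value unchanged. I would document the contract at the top of the function, for example `/* Never fails: a failed delayed action is cleared here, not propagated to the caller. */`. The commit message says the failure is logged, but that log call and the function's early-return paths are outside the hunk and should be confirmed against the comment.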
diff --git a/backport-logind-downgrade-message-about-run-utmp-missing-to-L.patch b/backport-logind-downgrade-message-about-run-utmp-missing-to-L.patch new file mode 100644 index 0000000000000000000000000000000000000000..0ca919013d6bef9725551197ce55c3e7619c68c1 --- /dev/null +++ b/backport-logind-downgrade-message-about-run-utmp-missing-to-L.patch @@ -0,0 +1,35 @@ +From 5ac75f556c2ff3c28a815414dab92b58c3726dbd Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Mon, 8 Nov 2021 23:08:13 +0100 +Subject: [PATCH] logind: downgrade message about /run/utmp missing to + LOG_DEBUG + +This isn't really anything to really complain about, let's debug log +about this, and continue quietly as if utmp was empty. + +(cherry picked from commit 9830d716147c4e35026457027af95f303e690ae9) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/5ac75f556c2ff3c28a815414dab92b58c3726dbd +--- + src/login/logind-core.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/src/login/logind-core.c b/src/login/logind-core.c +index 22031f485a..e08929e52a 100644 +--- a/src/login/logind-core.c ++++ b/src/login/logind-core.c +@@ -707,7 +707,9 @@ int manager_read_utmp(Manager *m) { + errno = 0; + u = getutxent(); + if (!u) { +- if (errno != 0) ++ if (errno == ENOENT) ++ log_debug_errno(errno, _PATH_UTMPX " does not exist, ignoring."); ++ else if (errno != 0) + log_warning_errno(errno, "Failed to read " _PATH_UTMPX ", ignoring: %m"); + return 0; + } +-- +2.33.0 + diff --git a/backport-logind.conf-Fix-name-of-option-RuntimeDirectoryInode.patch b/backport-logind.conf-Fix-name-of-option-RuntimeDirectoryInode.patch index a3d5881d4350ca7b04770ac62ae5f71fae84c421..411c6b5a81022642f5c58f701d17779b35e631f1 100644 --- a/backport-logind.conf-Fix-name-of-option-RuntimeDirectoryInode.patch +++ b/backport-logind.conf-Fix-name-of-option-RuntimeDirectoryInode.patch 
@@ -1,26 +1,31 @@ -From a42a93830fcc18da073a5ac06f93c386efc9109d Mon Sep 17 00:00:00 2001 +From 927898c86d121a2985bc6c8d261f505197df8e80 Mon Sep 17 00:00:00 2001 From: Arfrever Frehtes Taifersar Arahesis Date: Thu, 27 Jan 2022 00:00:00 +0000 Subject: [PATCH] logind.conf: Fix name of option: RuntimeDirectoryInodes -> RuntimeDirectoryInodesMax +(cherry picked from commit a42a93830fcc18da073a5ac06f93c386efc9109d) +(cherry picked from commit 5b20a2b19c847b8ad8b354f1b735fbbaf88d2f8f) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/927898c86d121a2985bc6c8d261f505197df8e80 --- src/login/logind.conf.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/login/logind.conf.in b/src/login/logind.conf.in -index 2d084e134d..926bd6cfe9 100644 +index 27ba77ce79..be2eb790bf 100644 --- a/src/login/logind.conf.in +++ b/src/login/logind.conf.in -@@ -39,7 +39,7 @@ +@@ -38,7 +38,7 @@ #IdleAction=ignore #IdleActionSec=30min #RuntimeDirectorySize=10% -#RuntimeDirectoryInodes=400k +#RuntimeDirectoryInodesMax=400k - #RemoveIPC=no + #RemoveIPC=yes #InhibitorsMax=8192 #SessionsMax=8192 -- -2.27.0 +2.33.0 diff --git a/backport-machined-set-TTYPath-for-container-shell.patch b/backport-machined-set-TTYPath-for-container-shell.patch new file mode 100644 index 0000000000000000000000000000000000000000..61634ff7423f30d9a28141941e1904e6ef8b5190 --- /dev/null +++ b/backport-machined-set-TTYPath-for-container-shell.patch 
@@ -0,0 +1,40 @@ +From 6076f379d6911abd69c9565cbbecc60d34be8ce8 Mon Sep 17 00:00:00 2001 +From: Ludwig Nussel +Date: Tue, 21 Dec 2021 11:38:49 +0100 +Subject: [PATCH] machined: set TTYPath for container shell + +TTYPath is needed for proper utmp registration of the shell to +receive wall messages. + +(cherry picked from commit a9c97bbbfb271d68b2ca4f3aa346fdf5e9c70c27) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/6076f379d6911abd69c9565cbbecc60d34be8ce8 +--- + src/machine/machine-dbus.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/src/machine/machine-dbus.c b/src/machine/machine-dbus.c +index 0022a980c5..404ff1ca46 100644 +--- a/src/machine/machine-dbus.c ++++ b/src/machine/machine-dbus.c +@@ -688,7 +688,7 @@ int bus_machine_method_open_shell(sd_bus_message *message, void *userdata, sd_bu + + description = strjoina("Shell for User ", user); + r = sd_bus_message_append(tm, +- "(sv)(sv)(sv)(sv)(sv)(sv)(sv)(sv)(sv)(sv)(sv)(sv)", ++ "(sv)(sv)(sv)(sv)(sv)(sv)(sv)(sv)(sv)(sv)(sv)(sv)(sv)", + "Description", "s", description, + "StandardInputFileDescriptor", "h", slave, + "StandardOutputFileDescriptor", "h", slave, +@@ -696,6 +696,7 @@ int bus_machine_method_open_shell(sd_bus_message *message, void *userdata, sd_bu + "SendSIGHUP", "b", true, + "IgnoreSIGPIPE", "b", false, + "KillMode", "s", "mixed", ++ "TTYPath", "s", pty_name, + "TTYReset", "b", true, + "UtmpIdentifier", "s", utmp_id, + "UtmpMode", "s", "user", +-- +2.33.0 + diff --git a/backport-machined-varlink-fix-double-free.patch b/backport-machined-varlink-fix-double-free.patch new file mode 100644 index 0000000000000000000000000000000000000000..b98a6ae554e7dc39048fccaffe7211a63facd27c --- /dev/null +++ b/backport-machined-varlink-fix-double-free.patch 
@@ -0,0 +1,30 @@ +From 1600b38cd2029533547f8c3d4abfa12911ca0630 Mon Sep 17 00:00:00 2001 +From: David Tardon +Date: Mon, 2 Aug 2021 13:31:04 +0200 +Subject: [PATCH] machined-varlink: fix double free + +Fixes: #18599 +(cherry picked from commit feac9a1d1bf3f59adaa85f58b655ec01a111a29a) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/1600b38cd2029533547f8c3d4abfa12911ca0630 +--- + src/machine/machined-varlink.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/machine/machined-varlink.c b/src/machine/machined-varlink.c +index 009d283acc..fc0b0f11ad 100644 +--- a/src/machine/machined-varlink.c ++++ b/src/machine/machined-varlink.c +@@ -297,7 +297,7 @@ static int group_lookup_name(Manager *m, const char *name, gid_t *ret_gid, char + desc = mfree(desc); + + *ret_gid = converted_gid; +- *ret_description = desc; ++ *ret_description = TAKE_PTR(desc); + return 0; + } + +-- +2.33.0 + diff --git a/backport-macro-account-for-negative-values-in-DECIMAL_STR_WID.patch b/backport-macro-account-for-negative-values-in-DECIMAL_STR_WID.patch new file mode 100644 index 0000000000000000000000000000000000000000..740c0c16e324f76a52166bb959c61cc08a25311d --- /dev/null +++ b/backport-macro-account-for-negative-values-in-DECIMAL_STR_WID.patch 
@@ -0,0 +1,34 @@ +From 19c0ce4c68fd424f48a71afbc9d8b7b67ba58709 Mon Sep 17 00:00:00 2001 +From: Frantisek Sumsal +Date: Sun, 13 Mar 2022 14:45:03 +0100 +Subject: [PATCH] macro: account for negative values in DECIMAL_STR_WIDTH() + +With negative numbers we wouldn't account for the minus sign, thus +returning a string with one character too short, triggering buffer +overflows in certain situations. + +(cherry picked from commit e3dd9ea8ea4510221f73071ad30ee657ca77565d) +(cherry picked from commit 25b3c48ec5203a1220daaf33b8df6e50e79fd74a) + +Conflict:NA +Reference:https://github.com/systemd/systemd-stable/commit/19c0ce4c68fd424f48a71afbc9d8b7b67ba58709 +--- + src/basic/macro.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/basic/macro.h b/src/basic/macro.h +index 072fed4378..5a3027ae5c 100644 +--- a/src/basic/macro.h ++++ b/src/basic/macro.h +@@ -349,7 +349,7 @@ static inline int __coverity_check_and_return__(int condition) { + #define DECIMAL_STR_WIDTH(x) \ + ({ \ + typeof(x) _x_ = (x); \ +- unsigned ans = 1; \ ++ unsigned ans = 2; \ + while ((_x_ /= 10) != 0) \ + ans++; \ + ans; \ +-- +2.33.0 + diff --git a/backport-malloc-uses-getrandom-now.patch b/backport-malloc-uses-getrandom-now.patch new file mode 100644 index 0000000000000000000000000000000000000000..3f9220fb57aceda028559673ef6e064fcaa16d51 --- /dev/null +++ b/backport-malloc-uses-getrandom-now.patch 
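Review bot: The new starting value in `unsigned ans = 2;` is an unexplained constant in a macro that, per the commit message, feeds buffer sizing, so the reason should sit next to it. I would add `/* start at 2: one digit plus room for a leading '-' */` on that line. The extra byte is also reserved for unsigned and non-negative arguments, which is safe but makes the result an upper bound rather than an exact width. Whether the trailing NUL is the caller's responsibility is not visible in the hunk and should be stated in the macro's comment as well. A unit test with a negative argument such as `DECIMAL_STR_WIDTH(-1)` would pin the fix.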
@@ -0,0 +1,30 @@ +From 08c99e5600f92c5143b931a507980a2655380cb3 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Cristian=20Rodr=C3=ADguez?= +Date: Fri, 9 Jul 2021 17:19:05 -0400 +Subject: [PATCH] malloc() uses getrandom now + +glibc master uses getrandom in malloc since https://sourceware.org/git/?p=glibc.git;a=commit;h=fc859c304898a5ec72e0ba5269ed136ed0ea10e1 , getrandom should be in the default set so to avoid all non trivial programs to fallback to a PRNG. + +(cherry picked from commit 14f4b1b568907350d023d1429c1aa4aaa8925f22) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/08c99e5600f92c5143b931a507980a2655380cb3 +--- + src/shared/seccomp-util.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c +index e0f88aec73..cad0af89f2 100644 +--- a/src/shared/seccomp-util.c ++++ b/src/shared/seccomp-util.c +@@ -310,6 +310,7 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = { + "getpgrp\0" + "getpid\0" + "getppid\0" ++ "getrandom\0" + "getresgid\0" + "getresgid32\0" + "getresuid\0" +-- +2.33.0 + diff --git a/backport-missing-syscall-add-__NR_openat2.patch b/backport-missing-syscall-add-__NR_openat2.patch new file mode 100644 index 0000000000000000000000000000000000000000..ef7c146bb987ffe23a0116b9801df17da3bbb336 --- /dev/null +++ b/backport-missing-syscall-add-__NR_openat2.patch 
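Review bot: The added `"getrandom\0"` entry widens a syscall allow-list, and the justification exists only in the commit message. The set's name line is outside the hunk (the message calls it the default set), so this should be checked against the set's description and any documentation that enumerates its members. A short rationale next to the table, such as `/* getrandom: needed by glibc malloc() */`, would let a later audit of the filter see why the call is permitted without searching history.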
@@ -0,0 +1,107 @@ +From 31f64a65423414bf1d11fc9035450e9b6256858c Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Mon, 3 Jan 2022 03:44:50 +0900 +Subject: [PATCH] missing-syscall: add __NR_openat2 + +(cherry picked from commit d96ad9e8cb9fc8a9adfeebf69a645b809705daa0) +(cherry picked from commit cd88d010e862d26ce816eb3bd6735a80999ac41e) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/31f64a65423414bf1d11fc9035450e9b6256858c +--- + src/basic/missing_syscall_def.h | 66 +++++++++++++++++++++++++++++++++ + src/basic/missing_syscalls.py | 1 + + 2 files changed, 67 insertions(+) + +diff --git a/src/basic/missing_syscall_def.h b/src/basic/missing_syscall_def.h +index 6a48c2a0c5..29dfd2e5fa 100644 +--- a/src/basic/missing_syscall_def.h ++++ b/src/basic/missing_syscall_def.h +@@ -679,6 +679,72 @@ assert_cc(__NR_open_tree == systemd_NR_open_tree); + # endif + #endif + ++#ifndef __IGNORE_openat2 ++# if defined(__aarch64__) ++# define systemd_NR_openat2 437 ++# elif defined(__alpha__) ++# define systemd_NR_openat2 547 ++# elif defined(__arc__) || defined(__tilegx__) ++# define systemd_NR_openat2 437 ++# elif defined(__arm__) ++# define systemd_NR_openat2 437 ++# elif defined(__i386__) ++# define systemd_NR_openat2 437 ++# elif defined(__ia64__) ++# define systemd_NR_openat2 1461 ++# elif defined(__loongarch64) ++# define systemd_NR_openat2 437 ++# elif defined(__m68k__) ++# define systemd_NR_openat2 437 ++# elif defined(_MIPS_SIM) ++# if _MIPS_SIM == _MIPS_SIM_ABI32 ++# define systemd_NR_openat2 4437 ++# elif _MIPS_SIM == _MIPS_SIM_NABI32 ++# define systemd_NR_openat2 6437 ++# elif _MIPS_SIM == _MIPS_SIM_ABI64 ++# define systemd_NR_openat2 5437 ++# else ++# error "Unknown MIPS ABI" ++# endif ++# elif defined(__powerpc__) ++# define systemd_NR_openat2 437 ++# elif defined(__riscv) ++# if __riscv_xlen == 32 ++# define systemd_NR_openat2 437 ++# elif __riscv_xlen == 64 ++# define systemd_NR_openat2 437 ++# else ++# error "Unknown RISC-V ABI" ++# endif ++# 
elif defined(__s390__) ++# define systemd_NR_openat2 437 ++# elif defined(__sparc__) ++# define systemd_NR_openat2 437 ++# elif defined(__x86_64__) ++# if defined(__ILP32__) ++# define systemd_NR_openat2 (437 | /* __X32_SYSCALL_BIT */ 0x40000000) ++# else ++# define systemd_NR_openat2 437 ++# endif ++# elif !defined(missing_arch_template) ++# warning "openat2() syscall number is unknown for your architecture" ++# endif ++ ++/* may be an (invalid) negative number due to libseccomp, see PR 13319 */ ++# if defined __NR_openat2 && __NR_openat2 >= 0 ++# if defined systemd_NR_openat2 ++assert_cc(__NR_openat2 == systemd_NR_openat2); ++# endif ++# else ++# if defined __NR_openat2 ++# undef __NR_openat2 ++# endif ++# if defined systemd_NR_openat2 && systemd_NR_openat2 >= 0 ++# define __NR_openat2 systemd_NR_openat2 ++# endif ++# endif ++#endif ++ + #ifndef __IGNORE_pidfd_open + # if defined(__aarch64__) + # define systemd_NR_pidfd_open 434 +diff --git a/src/basic/missing_syscalls.py b/src/basic/missing_syscalls.py +index 19f9726d4e..dd458994f2 100644 +--- a/src/basic/missing_syscalls.py ++++ b/src/basic/missing_syscalls.py +@@ -16,6 +16,7 @@ SYSCALLS = [ + 'move_mount', + 'name_to_handle_at', + 'open_tree', ++ 'openat2', + 'pidfd_open', + 'pidfd_send_signal', + 'pkey_mprotect', +-- +2.33.0 + diff --git a/backport-mkosi-Build-Fedora-35-images.patch b/backport-mkosi-Build-Fedora-35-images.patch new file mode 100644 index 0000000000000000000000000000000000000000..748d1c22b57f65579f1e92498dbabbe2e4ef7b3c --- /dev/null +++ b/backport-mkosi-Build-Fedora-35-images.patch 
@@ -0,0 +1,29 @@ +From e5c19733785558e6fc17f96e6c18219d46179a2d Mon Sep 17 00:00:00 2001 +From: Daan De Meyer +Date: Thu, 9 Dec 2021 12:35:23 +0100 +Subject: [PATCH] mkosi: Build Fedora 35 images + +(cherry picked from commit 808b23ecf681c12493cbb84958e75ea300ebbeab) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/e5c19733785558e6fc17f96e6c18219d46179a2d +--- + .mkosi/mkosi.fedora | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/.mkosi/mkosi.fedora b/.mkosi/mkosi.fedora +index cc3a5a2d1a..3e7462e477 100644 +--- a/.mkosi/mkosi.fedora ++++ b/.mkosi/mkosi.fedora +@@ -5,7 +5,7 @@ + + [Distribution] + Distribution=fedora +-Release=34 ++Release=35 + + [Packages] + BuildPackages= +-- +2.33.0 + diff --git a/backport-mkosi-Fix-openSUSE-Jinja2-package-name.patch b/backport-mkosi-Fix-openSUSE-Jinja2-package-name.patch new file mode 100644 index 0000000000000000000000000000000000000000..1188a08b07a6f6ceb1d6f963e783726b62e007cd --- /dev/null +++ b/backport-mkosi-Fix-openSUSE-Jinja2-package-name.patch @@ -0,0 +1,34 @@ +From c135c18d0aedeb6043ea4e54a252b7d2452d0937 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Michal=20Koutn=C3=BD?= +Date: Thu, 10 Jun 2021 14:39:13 +0200 +Subject: [PATCH] mkosi: Fix openSUSE Jinja2 package name +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Dare to be different ¯\_(ツ)_/¯ + +(cherry picked from commit ed802c44da7918ba1c14944b711a20b14d9e0fd4) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/c135c18d0aedeb6043ea4e54a252b7d2452d0937 +--- + .mkosi/mkosi.opensuse | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/.mkosi/mkosi.opensuse b/.mkosi/mkosi.opensuse +index fdbbdeb1f8..7eb7b857ca 100644 +--- a/.mkosi/mkosi.opensuse ++++ b/.mkosi/mkosi.opensuse +@@ -36,7 +36,7 @@ BuildPackages= + pcre-devel + python3 + python3-lxml +- python3-jinja2 ++ python3-Jinja2 + qrencode-devel + system-user-nobody + systemd-sysvinit +-- +2.33.0 + 
diff --git a/backport-mkosi-Remove-Arch-nspawn-workaround.patch b/backport-mkosi-Remove-Arch-nspawn-workaround.patch new file mode 100644 index 0000000000000000000000000000000000000000..bbc1d4caf0a39edec4536520bd6468cbf8d2b342 --- /dev/null +++ b/backport-mkosi-Remove-Arch-nspawn-workaround.patch @@ -0,0 +1,43 @@ +From c24f4e86781d866894128a56fbc03f4302f737f6 Mon Sep 17 00:00:00 2001 +From: Daan De Meyer +Date: Fri, 25 Feb 2022 11:01:07 +0000 +Subject: [PATCH] mkosi: Remove Arch nspawn workaround + +This has been fixed so the workaround can be removed. + +(cherry picked from commit 6b2ab8fc5cc0f706b85cbd559e8dcf4e05d7687d) +(cherry picked from commit f0cc6d2f99b2510c57fa36ad7f28cc42c0b724b3) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/c24f4e86781d866894128a56fbc03f4302f737f6 +--- + .github/workflows/mkosi.yml | 13 ------------- + 1 file changed, 13 deletions(-) + +diff --git a/.github/workflows/mkosi.yml b/.github/workflows/mkosi.yml +index 489eb01880..c8d572a4d8 100644 +--- a/.github/workflows/mkosi.yml ++++ b/.github/workflows/mkosi.yml +@@ -37,19 +37,6 @@ jobs: + - name: Symlink + run: ln -s .mkosi/mkosi.${{ matrix.distro }} mkosi.default + +- # Ubuntu's systemd-nspawn doesn't support faccessat2() syscall, which is +- # required, since current Arch's glibc implements faccessat() via faccessat2(). +- - name: Update systemd-nspawn +- if: ${{ matrix.distro == 'arch' }} +- run: | +- echo "deb-src http://archive.ubuntu.com/ubuntu/ $(lsb_release -cs) main restricted universe multiverse" | sudo tee -a /etc/apt/sources.list +- sudo apt update +- sudo apt build-dep systemd +- meson build +- ninja -C build +- sudo ln -svf $PWD/build/systemd-nspawn `which systemd-nspawn` +- systemd-nspawn --version +- + - name: Build ${{ matrix.distro }} + run: sudo python3 -m mkosi --password= --qemu-headless build + +-- +2.33.0 + 
diff --git a/backport-mkosi-openSUSE-update-bootable-no-dependencies.patch b/backport-mkosi-openSUSE-update-bootable-no-dependencies.patch new file mode 100644 index 0000000000000000000000000000000000000000..4e81ba429349e63ffca3ca7b2f199dc79b4c09f6 --- /dev/null +++ b/backport-mkosi-openSUSE-update-bootable-no-dependencies.patch @@ -0,0 +1,31 @@ +From e4e572117b41f6e8152a30acc6f60a0385090137 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Michal=20Koutn=C3=BD?= +Date: Fri, 12 Feb 2021 18:11:18 +0100 +Subject: [PATCH] mkosi: openSUSE update --bootable=no dependencies + +Since we can build --bootable=no images without dracut->systemd, we need +to add systemd runtime dependencies explicitely. + +(cherry picked from commit f2bb8857cd093eb9bd5e1dad6fb996a0a4463556) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/e4e572117b41f6e8152a30acc6f60a0385090137 +--- + .mkosi/mkosi.opensuse | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/.mkosi/mkosi.opensuse b/.mkosi/mkosi.opensuse +index b468433f34..fdbbdeb1f8 100644 +--- a/.mkosi/mkosi.opensuse ++++ b/.mkosi/mkosi.opensuse +@@ -60,6 +60,7 @@ Packages= + libapparmor1 + libcrypt1 + libcryptsetup12 ++ libgcrypt20 + libkmod2 + liblz4-1 + libmount1 +-- +2.33.0 + diff --git a/backport-mmap-cache-LIST_REMOVE-after-w-unused_prev.patch b/backport-mmap-cache-LIST_REMOVE-after-w-unused_prev.patch new file mode 100644 index 0000000000000000000000000000000000000000..4bd7350a35d86602a517fde232b22e00e370b404 --- /dev/null +++ b/backport-mmap-cache-LIST_REMOVE-after-w-unused_prev.patch 
@@ -0,0 +1,38 @@ +From 42ca0ab5082344004c0f26b2d6ec57b7a9d4ff03 Mon Sep 17 00:00:00 2001 +From: Vito Caputo +Date: Thu, 25 Nov 2021 07:05:06 -0800 +Subject: [PATCH] mmap-cache: LIST_REMOVE() *after* w->unused_prev + +The LIST_REMOVE() macro always assigns NULL to w->unused_prev, +meaning every time this window was in last_unused, the remainder +of the unused list was lost to the ether. + +Turns out there's been a memory leak in journald after all, this +code has been there since at least 2013... + +(cherry picked from commit b82aca89a5b366c4377b3b140e54313e817e8f57) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/42ca0ab5082344004c0f26b2d6ec57b7a9d4ff03 +--- + src/libsystemd/sd-journal/mmap-cache.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/libsystemd/sd-journal/mmap-cache.c b/src/libsystemd/sd-journal/mmap-cache.c +index 9e0be01d41..02d2d721cf 100644 +--- a/src/libsystemd/sd-journal/mmap-cache.c ++++ b/src/libsystemd/sd-journal/mmap-cache.c +@@ -224,9 +224,9 @@ static void context_attach_window(Context *c, Window *w) { + + if (w->in_unused) { + /* Used again? */ +- LIST_REMOVE(unused, c->cache->unused, w); + if (c->cache->last_unused == w) + c->cache->last_unused = w->unused_prev; ++ LIST_REMOVE(unused, c->cache->unused, w); + + w->in_unused = false; + } +-- +2.33.0 + diff --git a/backport-mount-util-fix-fd_is_mount_point-when-both-the-paren.patch b/backport-mount-util-fix-fd_is_mount_point-when-both-the-paren.patch new file mode 100644 index 0000000000000000000000000000000000000000..acdfb33730229b6b99a182283c028974e112ef43 --- /dev/null +++ b/backport-mount-util-fix-fd_is_mount_point-when-both-the-paren.patch 
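Review bot: The fix depends on a statement order that nothing in the code explains. `c->cache->last_unused = w->unused_prev;` has to run before `LIST_REMOVE(unused, c->cache->unused, w);` because, per the commit message, the macro resets `w->unused_prev` to NULL. A comment above the inner `if` would keep a later cleanup from swapping the two lines back, for example `/* Read w->unused_prev before LIST_REMOVE(), which clears it */`. context_attach_window() starts and ends outside the hunk, so any other reads of `unused_prev` after a removal are not covered by this note.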
@@ -0,0 +1,125 @@ +From 8de173ff933510200ac3db77f1ae713f2c4acdc3 Mon Sep 17 00:00:00 2001 +From: Franck Bui +Date: Thu, 30 Sep 2021 14:05:36 +0200 +Subject: [PATCH] mount-util: fix fd_is_mount_point() when both the parent and + directory are network fs + +The second call to name_to_handle_at_loop() didn't check for the specific +errors that can happen when the parent dir is mounted by nfs and instead of +falling back like it's done for the child dir, fd_is_mount_point() failed in +this case. + +(cherry picked from commit 964ccab8286a7e75d7e9107f574f5cb23752bd5d) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/8de173ff933510200ac3db77f1ae713f2c4acdc3 +--- + src/basic/mountpoint-util.c | 68 ++++++++++++++++++++++--------------- + 1 file changed, 41 insertions(+), 27 deletions(-) + +diff --git a/src/basic/mountpoint-util.c b/src/basic/mountpoint-util.c +index 8c836a1b74..e7a5a99551 100644 +--- a/src/basic/mountpoint-util.c ++++ b/src/basic/mountpoint-util.c +@@ -157,6 +157,19 @@ static bool filename_possibly_with_slash_suffix(const char *s) { + return filename_is_valid(copied); + } + ++static bool is_name_to_handle_at_fatal_error(int err) { ++ /* name_to_handle_at() can return "acceptable" errors that are due to the context. For ++ * example the kernel does not support name_to_handle_at() at all (ENOSYS), or the syscall ++ * was blocked (EACCES/EPERM; maybe through seccomp, because we are running inside of a ++ * container), or the mount point is not triggered yet (EOVERFLOW, think nfs4), or some ++ * general name_to_handle_at() flakiness (EINVAL). However other errors are not supposed to ++ * happen and therefore are considered fatal ones. 
*/ ++ ++ assert(err < 0); ++ ++ return !IN_SET(err, -EOPNOTSUPP, -ENOSYS, -EACCES, -EPERM, -EOVERFLOW, -EINVAL); ++} ++ + int fd_is_mount_point(int fd, const char *filename, int flags) { + _cleanup_free_ struct file_handle *h = NULL, *h_parent = NULL; + int mount_id = -1, mount_id_parent = -1; +@@ -206,39 +219,40 @@ int fd_is_mount_point(int fd, const char *filename, int flags) { + return false; /* symlinks are never mount points */ + + r = name_to_handle_at_loop(fd, filename, &h, &mount_id, flags); +- if (IN_SET(r, -ENOSYS, -EACCES, -EPERM, -EOVERFLOW, -EINVAL)) +- /* This kernel does not support name_to_handle_at() at all (ENOSYS), or the syscall was blocked +- * (EACCES/EPERM; maybe through seccomp, because we are running inside of a container?), or the mount +- * point is not triggered yet (EOVERFLOW, think nfs4), or some general name_to_handle_at() flakiness +- * (EINVAL): fall back to simpler logic. */ +- goto fallback_fdinfo; +- else if (r == -EOPNOTSUPP) +- /* This kernel or file system does not support name_to_handle_at(), hence let's see if the upper fs +- * supports it (in which case it is a mount point), otherwise fall back to the traditional stat() +- * logic */ ++ if (r < 0) { ++ if (is_name_to_handle_at_fatal_error(r)) ++ return r; ++ if (r != -EOPNOTSUPP) ++ goto fallback_fdinfo; ++ ++ /* This kernel or file system does not support name_to_handle_at(), hence let's see ++ * if the upper fs supports it (in which case it is a mount point), otherwise fall ++ * back to the traditional stat() logic */ + nosupp = true; +- else if (r < 0) +- return r; ++ } + + r = name_to_handle_at_loop(fd, "", &h_parent, &mount_id_parent, AT_EMPTY_PATH); +- if (r == -EOPNOTSUPP) { ++ if (r < 0) { ++ if (is_name_to_handle_at_fatal_error(r)) ++ return r; ++ if (r != -EOPNOTSUPP) ++ goto fallback_fdinfo; + if (nosupp) +- /* Neither parent nor child do name_to_handle_at()? We have no choice but to fall back. 
*/ ++ /* Both the parent and the directory can't do name_to_handle_at() */ + goto fallback_fdinfo; +- else +- /* The parent can't do name_to_handle_at() but the directory we are interested in can? If so, +- * it must be a mount point. */ +- return 1; +- } else if (r < 0) +- return r; + +- /* The parent can do name_to_handle_at() but the directory we are interested in can't? If so, it must +- * be a mount point. */ ++ /* The parent can't do name_to_handle_at() but the directory we are ++ * interested in can? If so, it must be a mount point. */ ++ return 1; ++ } ++ ++ /* The parent can do name_to_handle_at() but the directory we are interested in can't? If ++ * so, it must be a mount point. */ + if (nosupp) + return 1; + +- /* If the file handle for the directory we are interested in and its parent are identical, we assume +- * this is the root directory, which is a mount point. */ ++ /* If the file handle for the directory we are interested in and its parent are identical, ++ * we assume this is the root directory, which is a mount point. */ + + if (h->handle_bytes == h_parent->handle_bytes && + h->handle_type == h_parent->handle_type && +@@ -338,10 +352,10 @@ int path_get_mnt_id(const char *path, int *ret) { + } + + r = name_to_handle_at_loop(AT_FDCWD, path, NULL, ret, 0); +- if (IN_SET(r, -EOPNOTSUPP, -ENOSYS, -EACCES, -EPERM, -EOVERFLOW, -EINVAL)) /* kernel/fs don't support this, or seccomp blocks access, or untriggered mount, or name_to_handle_at() is flaky */ +- return fd_fdinfo_mnt_id(AT_FDCWD, path, 0, ret); ++ if (r == 0 || is_name_to_handle_at_fatal_error(r)) ++ return r; + +- return r; ++ return fd_fdinfo_mnt_id(AT_FDCWD, path, 0, ret); + } + + bool fstype_is_network(const char *fstype) { +-- +2.33.0 + 
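Review bot: In `path_get_mnt_id()` the new guard `if (r == 0 || is_name_to_handle_at_fatal_error(r))` passes any non-zero `r` to a helper that begins with `assert(err < 0)`, so a positive return from `name_to_handle_at_loop()` would abort rather than be returned. That function is not visible here and presumably returns only 0 or a negative errno, but the guard is cheap to make explicit: `if (r >= 0 || is_name_to_handle_at_fatal_error(r))`. The two call sites in `fd_is_mount_point()` are already protected by `if (r < 0)`. Both functions extend beyond the hunk.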
diff --git a/backport-namespace-allow-ProcSubset-pid-with-some-ProtectKern.patch b/backport-namespace-allow-ProcSubset-pid-with-some-ProtectKern.patch new file mode 100644 index 0000000000000000000000000000000000000000..7175d71a904ba4dff9a4c26575d20dcdc80e01e5 --- /dev/null +++ b/backport-namespace-allow-ProcSubset-pid-with-some-ProtectKern.patch 
@@ -0,0 +1,116 @@ +From c789d2f457d2e160d00760aa3ecfd6883c64cf5f Mon Sep 17 00:00:00 2001 +From: Topi Miettinen +Date: Sat, 27 Nov 2021 12:51:39 +0200 +Subject: [PATCH] namespace: allow ProcSubset=pid with some ProtectKernel + options + +In case `/proc` is successfully mounted with pid tree subset only due to +`ProcSubset=pid`, the protective mounts for `ProtectKernelTunables=yes` and +`ProtectKernelLogs=yes` to non-pid `/proc` paths are failing because the paths +don't exist. But the pid only option may have failed gracefully (for example +because of ancient kernel), so let's try the mounts but it's not fatal if they +don't succeed. + +(cherry picked from commit 788e720181aead8c85ba30fc7ec9a1455a865cbe) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/c789d2f457d2e160d00760aa3ecfd6883c64cf5f +--- + src/core/namespace.c | 42 ++++++++++++++++++++++++++++++++++-------- + 1 file changed, 34 insertions(+), 8 deletions(-) + +diff --git a/src/core/namespace.c b/src/core/namespace.c +index 9251871384..b933d46cf6 100644 +--- a/src/core/namespace.c ++++ b/src/core/namespace.c +@@ -101,7 +101,7 @@ static const MountEntry apivfs_table[] = { + }; + + /* ProtectKernelTunables= option and the related filesystem APIs */ +-static const MountEntry protect_kernel_tunables_table[] = { ++static const MountEntry protect_kernel_tunables_proc_table[] = { + { "/proc/acpi", READONLY, true }, + { "/proc/apm", READONLY, true }, /* Obsolete API, there's no point in permitting access to this, ever */ + { "/proc/asound", READONLY, true }, +@@ -116,6 +116,9 @@ static const MountEntry protect_kernel_tunables_table[] = { + { "/proc/sys", READONLY, true }, + { "/proc/sysrq-trigger", READONLY, true }, + { "/proc/timer_stats", READONLY, true }, ++}; ++ ++static const MountEntry protect_kernel_tunables_sys_table[] = { + { "/sys", READONLY, false }, + { "/sys/fs/bpf", READONLY, true }, + { "/sys/fs/cgroup", READWRITE_IMPLICIT, false }, /* READONLY is set by ProtectControlGroups= 
option */ +@@ -133,8 +136,11 @@ static const MountEntry protect_kernel_modules_table[] = { + }; + + /* ProtectKernelLogs= option */ +-static const MountEntry protect_kernel_logs_table[] = { ++static const MountEntry protect_kernel_logs_proc_table[] = { + { "/proc/kmsg", INACCESSIBLE, true }, ++}; ++ ++static const MountEntry protect_kernel_logs_dev_table[] = { + { "/dev/kmsg", INACCESSIBLE, true }, + }; + +@@ -1554,9 +1560,11 @@ static size_t namespace_calculate_mounts( + (n_extension_images > 0 ? n_hierarchies + n_extension_images : 0) + /* Mount each image plus an overlay per hierarchy */ + n_temporary_filesystems + + ns_info->private_dev + +- (ns_info->protect_kernel_tunables ? ELEMENTSOF(protect_kernel_tunables_table) : 0) + ++ (ns_info->protect_kernel_tunables ? ++ ELEMENTSOF(protect_kernel_tunables_proc_table) + ELEMENTSOF(protect_kernel_tunables_sys_table) : 0) + + (ns_info->protect_kernel_modules ? ELEMENTSOF(protect_kernel_modules_table) : 0) + +- (ns_info->protect_kernel_logs ? ELEMENTSOF(protect_kernel_logs_table) : 0) + ++ (ns_info->protect_kernel_logs ? ++ ELEMENTSOF(protect_kernel_logs_proc_table) + ELEMENTSOF(protect_kernel_logs_dev_table) : 0) + + (ns_info->protect_control_groups ? 1 : 0) + + protect_home_cnt + protect_system_cnt + + (ns_info->protect_hostname ? 2 : 0) + +@@ -2037,10 +2045,21 @@ int setup_namespace( + .flags = DEV_MOUNT_OPTIONS, + }; + ++ /* In case /proc is successfully mounted with pid tree subset only (ProcSubset=pid), the ++ protective mounts to non-pid /proc paths would fail. But the pid only option may have ++ failed gracefully, so let's try the mounts but it's not fatal if they don't succeed. 
*/ ++ bool ignore_protect_proc = ns_info->ignore_protect_paths || ns_info->proc_subset == PROC_SUBSET_PID; + if (ns_info->protect_kernel_tunables) { + r = append_static_mounts(&m, +- protect_kernel_tunables_table, +- ELEMENTSOF(protect_kernel_tunables_table), ++ protect_kernel_tunables_proc_table, ++ ELEMENTSOF(protect_kernel_tunables_proc_table), ++ ignore_protect_proc); ++ if (r < 0) ++ goto finish; ++ ++ r = append_static_mounts(&m, ++ protect_kernel_tunables_sys_table, ++ ELEMENTSOF(protect_kernel_tunables_sys_table), + ns_info->ignore_protect_paths); + if (r < 0) + goto finish; +@@ -2057,8 +2076,15 @@ int setup_namespace( + + if (ns_info->protect_kernel_logs) { + r = append_static_mounts(&m, +- protect_kernel_logs_table, +- ELEMENTSOF(protect_kernel_logs_table), ++ protect_kernel_logs_proc_table, ++ ELEMENTSOF(protect_kernel_logs_proc_table), ++ ignore_protect_proc); ++ if (r < 0) ++ goto finish; ++ ++ r = append_static_mounts(&m, ++ protect_kernel_logs_dev_table, ++ ELEMENTSOF(protect_kernel_logs_dev_table), + ns_info->ignore_protect_paths); + if (r < 0) + goto finish; +-- +2.33.0 + diff --git a/backport-namespace-make-tmp-dir-handling-code-independent-of-.patch b/backport-namespace-make-tmp-dir-handling-code-independent-of-.patch new file mode 100644 index 0000000000000000000000000000000000000000..581e66a3cdd06eeccd1b16288efbf027899b861a --- /dev/null +++ b/backport-namespace-make-tmp-dir-handling-code-independent-of-.patch 
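Review bot: `ignore_protect_proc` is derived from the requested setting (`ns_info->proc_subset == PROC_SUBSET_PID`), not from whether /proc was actually mounted with the pid subset. On the graceful-fallback path that the added comment describes, the /proc entries for ProtectKernelTunables= and ProtectKernelLogs= are therefore appended with failures tolerated while a full /proc is present. What the third argument of `append_static_mounts()` tolerates is not visible in the hunk; if it covers more than a missing path, a protective mount could be skipped silently, so the comment should state the exact condition, and a debug log for each skipped entry would help when auditing a unit's effective sandbox. The added block comment also lacks the leading ` * ` on its continuation lines that the other multi-line comments in this file use. setup_namespace() runs well beyond the hunk.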
@@ -0,0 +1,68 @@ +From 78858632566c30d2299bcdbd6efe3cbd1cc99d5a Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Fri, 12 Nov 2021 11:16:02 +0100 +Subject: [PATCH] namespace: make tmp dir handling code independent of umask + too + +Let's make all code in namespace.c robust towards weird umask. This +doesn't matter too much given that the parent dirs we deal here almost +certainly exist anyway, but let's clean this up anyway and make it fully +clean. + +(cherry picked from commit 30443439274cc223583c6c57f7d9041e440e346f) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/78858632566c30d2299bcdbd6efe3cbd1cc99d5a +--- + src/core/namespace.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +diff --git a/src/core/namespace.c b/src/core/namespace.c +index b10a53ad2e..9251871384 100644 +--- a/src/core/namespace.c ++++ b/src/core/namespace.c +@@ -2466,7 +2466,8 @@ static int make_tmp_prefix(const char *prefix) { + if (errno != ENOENT) + return -errno; + +- r = mkdir_parents(prefix, 0755); ++ RUN_WITH_UMASK(000) ++ r = mkdir_parents(prefix, 0755); + if (r < 0) + return r; + +@@ -2474,7 +2475,8 @@ static int make_tmp_prefix(const char *prefix) { + if (r < 0) + return r; + +- if (mkdir(t, 0777) < 0) ++ if (mkdir(t, 0777) < 0) /* umask will corrupt this access mode, but that doesn't matter, we need to ++ * call chmod() anyway for the suid bit, below. */ + return -errno; + + if (chmod(t, 01777) < 0) { +@@ -2533,10 +2535,9 @@ static int setup_one_tmp_dir(const char *id, const char *prefix, char **path, ch + if (!y) + return -ENOMEM; + +- RUN_WITH_UMASK(0000) { ++ RUN_WITH_UMASK(0000) + if (mkdir(y, 0777 | S_ISVTX) < 0) + return -errno; +- } + + r = label_fix_container(y, prefix, 0); + if (r < 0) +@@ -2548,7 +2549,8 @@ static int setup_one_tmp_dir(const char *id, const char *prefix, char **path, ch + /* Trouble: we failed to create the directory. Instead of failing, let's simulate /tmp being + * read-only. 
This way the service will get the EROFS result as if it was writing to the real + * file system. */ +- r = mkdir_p(RUN_SYSTEMD_EMPTY, 0500); ++ RUN_WITH_UMASK(0000) ++ r = mkdir_p(RUN_SYSTEMD_EMPTY, 0500); + if (r < 0) + return r; + +-- +2.33.0 + diff --git a/backport-namespace-make-whole-namespace_setup-work-regardless.patch b/backport-namespace-make-whole-namespace_setup-work-regardless.patch new file mode 100644 index 0000000000000000000000000000000000000000..3631c599528478c8c250787260fa2d1199519c20 --- /dev/null +++ b/backport-namespace-make-whole-namespace_setup-work-regardless.patch 
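Review bot: The mask literal is spelled two ways in this patch, `RUN_WITH_UMASK(000)` in make_tmp_prefix() and `RUN_WITH_UMASK(0000)` in setup_one_tmp_dir(); use `RUN_WITH_UMASK(0000)` at every site so a search for the idiom finds them all. In setup_one_tmp_dir() the braces around `if (mkdir(y, 0777 | S_ISVTX) < 0) return -errno;` were dropped, which leaves an early `return` inside a macro-governed statement with no visible scope. Keeping the `{ }` there makes it clear which call creates the world-writable sticky directory under the cleared mask. Both functions continue outside the hunks.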
@@ -0,0 +1,56 @@ +From 569ef9413c2ef3275b45458367342112e5d5f991 Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Fri, 12 Nov 2021 11:11:27 +0100 +Subject: [PATCH] namespace: make whole namespace_setup() work regardless of + configured umask + +Let's reset the umask during the whole namespace_setup() logic, so that +all our mkdir() + mknod() are not subjected to whatever umask might +currently be set. + +This mostly moves the umask save/restore logic out of +mount_private_dev() and into the stack frame of namespace_setup() that +is further out. + +Fixes #19899 + +(cherry picked from commit cdf42f9bd40ff21a67d58b948efea055d56ad398) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/569ef9413c2ef3275b45458367342112e5d5f991 +--- + src/core/namespace.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/src/core/namespace.c b/src/core/namespace.c +index 233ee7be40..b10a53ad2e 100644 +--- a/src/core/namespace.c ++++ b/src/core/namespace.c +@@ -852,13 +852,10 @@ static int mount_private_dev(MountEntry *m) { + char temporary_mount[] = "/tmp/namespace-dev-XXXXXX"; + const char *d, *dev = NULL, *devpts = NULL, *devshm = NULL, *devhugepages = NULL, *devmqueue = NULL, *devlog = NULL, *devptmx = NULL; + bool can_mknod = true; +- _cleanup_umask_ mode_t u; + int r; + + assert(m); + +- u = umask(0000); +- + if (!mkdtemp(temporary_mount)) + return log_debug_errno(errno, "Failed to create temporary directory '%s': %m", temporary_mount); + +@@ -1864,6 +1861,10 @@ int setup_namespace( + + assert(ns_info); + ++ /* Make sure that all mknod(), mkdir() calls we do are unaffected by the umask, and the access modes ++ * we configure take effect */ ++ BLOCK_WITH_UMASK(0000); ++ + if (!isempty(propagate_dir) && !isempty(incoming_dir)) + setup_propagate = true; + +-- +2.33.0 + 
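Review bot: mount_private_dev() loses its own `u = umask(0000);` and now depends on the caller having cleared the umask, but nothing in the function records that precondition. Add a comment at its top such as `/* The caller must have reset the umask (see BLOCK_WITH_UMASK() in setup_namespace()), otherwise the modes used below get masked. */`. With `BLOCK_WITH_UMASK(0000);` covering all of setup_namespace(), every mode passed to mkdir()/mknod() below it is applied verbatim. Any callee that relied on the ambient umask to tighten a permissive mode should be checked; those callees are not visible in these hunks.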
diff --git a/backport-namespace-rebreak-a-few-comments.patch b/backport-namespace-rebreak-a-few-comments.patch
new file mode 100644
index 0000000000000000000000000000000000000000..dd7258133a6411cb0876af727216e1213be059e1
--- /dev/null
+++ b/backport-namespace-rebreak-a-few-comments.patch
@@ -0,0 +1,92 @@ +From bce7fb14df960aee57f0ad5c9c12a0d35c3e504e Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Fri, 12 Nov 2021 11:09:40 +0100 +Subject: [PATCH] namespace: rebreak a few comments + +(cherry picked from commit d73020f2420aa3f220481016829aaa2602abf081) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/bce7fb14df960aee57f0ad5c9c12a0d35c3e504e +--- + src/core/namespace.c | 30 ++++++++++++++---------------- + 1 file changed, 14 insertions(+), 16 deletions(-) + +diff --git a/src/core/namespace.c b/src/core/namespace.c +index 982aeeac19..233ee7be40 100644 +--- a/src/core/namespace.c ++++ b/src/core/namespace.c +@@ -806,8 +806,7 @@ static int clone_device_node( + *make_devnode = false; + } + +- /* We're about to fall back to bind-mounting the device +- * node. So create a dummy bind-mount target. ++ /* We're about to fall back to bind-mounting the device node. So create a dummy bind-mount target. + * Do not prepare device-node SELinux label (see issue 13762) */ + r = mknod(dn, S_IFREG, 0); + if (r < 0 && errno != EEXIST) +@@ -930,10 +929,8 @@ static int mount_private_dev(MountEntry *m) { + if (r < 0) + log_debug_errno(r, "Failed to set up basic device tree at '%s', ignoring: %m", temporary_mount); + +- /* Create the /dev directory if missing. It is more likely to be +- * missing when the service is started with RootDirectory. This is +- * consistent with mount units creating the mount points when missing. +- */ ++ /* Create the /dev directory if missing. It is more likely to be missing when the service is started ++ * with RootDirectory. This is consistent with mount units creating the mount points when missing. */ + (void) mkdir_p_label(mount_entry_path(m), 0755); + + /* Unmount everything in old /dev */ +@@ -975,8 +972,8 @@ static int mount_bind_dev(const MountEntry *m) { + + assert(m); + +- /* Implements the little brother of mount_private_dev(): simply bind mounts the host's /dev into the service's +- * /dev. 
This is only used when RootDirectory= is set. */ ++ /* Implements the little brother of mount_private_dev(): simply bind mounts the host's /dev into the ++ * service's /dev. This is only used when RootDirectory= is set. */ + + (void) mkdir_p_label(mount_entry_path(m), 0755); + +@@ -1085,7 +1082,8 @@ static int mount_tmpfs(const MountEntry *m) { + entry_path = mount_entry_path(m); + inner_path = mount_entry_unprefixed_path(m); + +- /* First, get rid of everything that is below if there is anything. Then, overmount with our new tmpfs */ ++ /* First, get rid of everything that is below if there is anything. Then, overmount with our new ++ * tmpfs */ + + (void) mkdir_p_label(entry_path, 0755); + (void) umount_recursive(entry_path, 0); +@@ -1930,11 +1928,11 @@ int setup_namespace( + * we create it if it doesn't already exist. */ + (void) mkdir_p_label("/run/systemd", 0755); + +- /* Always create the mount namespace in a temporary directory, instead of operating +- * directly in the root. The temporary directory prevents any mounts from being +- * potentially obscured my other mounts we already applied. +- * We use the same mount point for all images, which is safe, since they all live +- * in their own namespaces after all, and hence won't see each other. */ ++ /* Always create the mount namespace in a temporary directory, instead of operating directly ++ * in the root. The temporary directory prevents any mounts from being potentially obscured ++ * my other mounts we already applied. We use the same mount point for all images, which is ++ * safe, since they all live in their own namespaces after all, and hence won't see each ++ * other. 
*/ + + root = "/run/systemd/unit-root"; + (void) mkdir_label(root, 0700); +@@ -2198,8 +2196,8 @@ int setup_namespace( + (void) mkdir_p(propagate_dir, 0600); + + if (n_extension_images > 0) +- /* ExtensionImages mountpoint directories will be created +- * while parsing the mounts to create, so have the parent ready */ ++ /* ExtensionImages mountpoint directories will be created while parsing the mounts to create, ++ * so have the parent ready */ + (void) mkdir_p(extension_dir, 0600); + + /* Remount / as SLAVE so that nothing now mounted in the namespace +-- +2.33.0 + diff --git a/backport-network-add-comments.patch b/backport-network-add-comments.patch new file mode 100644 index 0000000000000000000000000000000000000000..15583546904613c7a898dd7bfa308707227ad5f1 --- /dev/null +++ b/backport-network-add-comments.patch 
@@ -0,0 +1,84 @@ +From 7522b239b865f851e7834b53367dc196244e48fd Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Wed, 4 Aug 2021 13:52:52 +0900 +Subject: [PATCH] network: add comments + +(cherry picked from commit 17d808a8bf55471009f5e0e1ccb06b1ffccdfa1a) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/7522b239b865f851e7834b53367dc196244e48fd +--- + src/network/networkd-setlink.c | 20 ++++++++++---------- + 1 file changed, 10 insertions(+), 10 deletions(-) + +diff --git a/src/network/networkd-setlink.c b/src/network/networkd-setlink.c +index a316a6c59b..fa1dd9b3ba 100644 +--- a/src/network/networkd-setlink.c ++++ b/src/network/networkd-setlink.c +@@ -106,7 +106,7 @@ on_error: + static int link_set_addrgen_mode_handler(sd_netlink *rtnl, sd_netlink_message *m, Link *link) { + int r; + +- r = set_link_handler_internal(rtnl, m, link, SET_LINK_ADDRESS_GENERATION_MODE, true, NULL); ++ r = set_link_handler_internal(rtnl, m, link, SET_LINK_ADDRESS_GENERATION_MODE, /* ignore = */ true, NULL); + if (r <= 0) + return r; + +@@ -120,31 +120,31 @@ static int link_set_addrgen_mode_handler(sd_netlink *rtnl, sd_netlink_message *m + } + + static int link_set_bond_handler(sd_netlink *rtnl, sd_netlink_message *m, Link *link) { +- return set_link_handler_internal(rtnl, m, link, SET_LINK_BOND, false, NULL); ++ return set_link_handler_internal(rtnl, m, link, SET_LINK_BOND, /* ignore = */ false, NULL); + } + + static int link_set_bridge_handler(sd_netlink *rtnl, sd_netlink_message *m, Link *link) { +- return set_link_handler_internal(rtnl, m, link, SET_LINK_BRIDGE, false, NULL); ++ return set_link_handler_internal(rtnl, m, link, SET_LINK_BRIDGE, /* ignore = */ false, NULL); + } + + static int link_set_bridge_vlan_handler(sd_netlink *rtnl, sd_netlink_message *m, Link *link) { +- return set_link_handler_internal(rtnl, m, link, SET_LINK_BRIDGE_VLAN, false, NULL); ++ return set_link_handler_internal(rtnl, m, link, SET_LINK_BRIDGE_VLAN, /* ignore = */ false, NULL); + } + 
+ static int link_set_can_handler(sd_netlink *rtnl, sd_netlink_message *m, Link *link) { +- return set_link_handler_internal(rtnl, m, link, SET_LINK_CAN, false, NULL); ++ return set_link_handler_internal(rtnl, m, link, SET_LINK_CAN, /* ignore = */ false, NULL); + } + + static int link_set_flags_handler(sd_netlink *rtnl, sd_netlink_message *m, Link *link) { +- return set_link_handler_internal(rtnl, m, link, SET_LINK_FLAGS, false, get_link_update_flag_handler); ++ return set_link_handler_internal(rtnl, m, link, SET_LINK_FLAGS, /* ignore = */ false, get_link_update_flag_handler); + } + + static int link_set_group_handler(sd_netlink *rtnl, sd_netlink_message *m, Link *link) { +- return set_link_handler_internal(rtnl, m, link, SET_LINK_GROUP, false, NULL); ++ return set_link_handler_internal(rtnl, m, link, SET_LINK_GROUP, /* ignore = */ false, NULL); + } + + static int link_set_mac_handler(sd_netlink *rtnl, sd_netlink_message *m, Link *link) { +- return set_link_handler_internal(rtnl, m, link, SET_LINK_MAC, true, get_link_default_handler); ++ return set_link_handler_internal(rtnl, m, link, SET_LINK_MAC, /* ignore = */ true, get_link_default_handler); + } + + static int link_set_mac_allow_retry_handler(sd_netlink *rtnl, sd_netlink_message *m, Link *link) { +@@ -180,13 +180,13 @@ static int link_set_mac_allow_retry_handler(sd_netlink *rtnl, sd_netlink_message + } + + static int link_set_master_handler(sd_netlink *rtnl, sd_netlink_message *m, Link *link) { +- return set_link_handler_internal(rtnl, m, link, SET_LINK_MASTER, false, get_link_master_handler); ++ return set_link_handler_internal(rtnl, m, link, SET_LINK_MASTER, /* ignore = */ false, get_link_master_handler); + } + + static int link_set_mtu_handler(sd_netlink *rtnl, sd_netlink_message *m, Link *link) { + int r; + +- r = set_link_handler_internal(rtnl, m, link, SET_LINK_MTU, true, get_link_default_handler); ++ r = set_link_handler_internal(rtnl, m, link, SET_LINK_MTU, /* ignore = */ true, 
get_link_default_handler); + if (r <= 0) + return r; + +-- +2.33.0 + diff --git a/backport-network-address-read-flags-from-message-header-when-.patch b/backport-network-address-read-flags-from-message-header-when-.patch new file mode 100644 index 0000000000000000000000000000000000000000..d47827e6dc1fdad1e0220140d58eb8a62ca2e155 --- /dev/null +++ b/backport-network-address-read-flags-from-message-header-when-.patch @@ -0,0 +1,40 @@ +From a6c264cbd6fc8c10c905ee2c1cd22717247c3c25 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Wed, 8 Dec 2021 05:35:37 +0900 +Subject: [PATCH] network: address: read flags from message header when + IFA_FLAGS is not supported by kernel + +Follow-up for 0828a38605975b68c14c9194a1ee2c5c2ff7038f. + +Fixes #21670. + +(cherry picked from commit 8ed68422e1bafc84afe524bc5020d343bc6163ca) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/a6c264cbd6fc8c10c905ee2c1cd22717247c3c25 +--- + src/network/networkd-address.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/src/network/networkd-address.c b/src/network/networkd-address.c +index 7b221516d7..bfc2e19bee 100644 +--- a/src/network/networkd-address.c ++++ b/src/network/networkd-address.c +@@ -1368,6 +1368,14 @@ int manager_rtnl_process_address(sd_netlink *rtnl, sd_netlink_message *message, + } + + r = sd_netlink_message_read_u32(message, IFA_FLAGS, &tmp->flags); ++ if (r == -ENODATA) { ++ unsigned char flags; ++ ++ /* For old kernels. */ ++ r = sd_rtnl_message_addr_get_flags(message, &flags); ++ if (r >= 0) ++ tmp->flags = flags; ++ } + if (r < 0) { + log_link_warning_errno(link, r, "rtnl: received address message without flags, ignoring: %m"); + return 0; +-- +2.33.0 + diff --git a/backport-network-allow-users-to-forbid-passthru-MACVLAN-from-.patch b/backport-network-allow-users-to-forbid-passthru-MACVLAN-from-.patch new file mode 100644 index 0000000000000000000000000000000000000000..06bef7024b0366190a688e3661a31b1e605949c0 --- /dev/null 
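Review bot: The fallback added to manager_rtnl_process_address() is documented only as `/* For old kernels. */`, which does not say what is missing or why the local is an `unsigned char` while `tmp->flags` is read as u32 just above. A comment such as `/* No IFA_FLAGS attribute in the message: fall back to the 8-bit flags field of the address message header. */` would make the narrowing intentional to the next reader. The warning "received address message without flags" is now reached only when both reads fail, which is worth a mention in the same comment. The function body continues outside the hunk.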
+++ b/backport-network-allow-users-to-forbid-passthru-MACVLAN-from-.patch 
@@ -0,0 +1,55 @@ +From 1d1b7de63902e5fa8d1ba900e9bf608e2ccd2b23 Mon Sep 17 00:00:00 2001 +From: Tom Yan +Date: Mon, 16 Aug 2021 18:00:42 +0800 +Subject: [PATCH] network: allow users to forbid passthru MACVLAN from putting + its link into promiscuous mode + +While we haven't implemented a key for users to set MACVLAN/MACVTAP flags, +we can at least allow them to make use of the Promiscuous= key of +the corresponding link to set the nopromisc flag. + +(cherry picked from commit 17a6a4ae2e7104a1105a0cef0ba049799f3ef6bc) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/1d1b7de63902e5fa8d1ba900e9bf608e2ccd2b23 +--- + src/network/netdev/macvlan.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/src/network/netdev/macvlan.c b/src/network/netdev/macvlan.c +index 46b0826148..9d037c2f36 100644 +--- a/src/network/netdev/macvlan.c ++++ b/src/network/netdev/macvlan.c +@@ -5,6 +5,7 @@ + #include "conf-parser.h" + #include "macvlan.h" + #include "macvlan-util.h" ++#include "networkd-network.h" + #include "parse-util.h" + + DEFINE_CONFIG_PARSE_ENUM(config_parse_macvlan_mode, macvlan_mode, MacVlanMode, "Failed to parse macvlan mode"); +@@ -16,6 +17,7 @@ static int netdev_macvlan_fill_message_create(NetDev *netdev, Link *link, sd_net + assert(netdev); + assert(link); + assert(netdev->ifname); ++ assert(link->network); + + if (netdev->kind == NETDEV_KIND_MACVLAN) + m = MACVLAN(netdev); +@@ -52,6 +54,13 @@ static int netdev_macvlan_fill_message_create(NetDev *netdev, Link *link, sd_net + return log_netdev_error_errno(netdev, r, "Could not append IFLA_MACVLAN_MODE attribute: %m"); + } + ++ /* set the nopromisc flag if Promiscuous= of the link is explicitly set to false */ ++ if (m->mode == NETDEV_MACVLAN_MODE_PASSTHRU && link->network->promiscuous == 0) { ++ r = sd_netlink_message_append_u16(req, IFLA_MACVLAN_FLAGS, MACVLAN_FLAG_NOPROMISC); ++ if (r < 0) ++ return log_netdev_error_errno(netdev, r, "Could not append IFLA_MACVLAN_FLAGS attribute: %m"); 
++ } ++ + if (m->bc_queue_length != UINT32_MAX) { + r = sd_netlink_message_append_u32(req, IFLA_MACVLAN_BC_QUEUE_LEN, m->bc_queue_length); + if (r < 0) +-- +2.33.0 + diff --git a/backport-network-also-check-addresses-when-determine-a-gatewa.patch b/backport-network-also-check-addresses-when-determine-a-gatewa.patch new file mode 100644 index 0000000000000000000000000000000000000000..b42298bfc9c26416a6f99afe419acf351bbddda9 --- /dev/null +++ b/backport-network-also-check-addresses-when-determine-a-gatewa.patch 
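Review bot: The new `assert(link->network);` in netdev_macvlan_fill_message_create() aborts the daemon if the function is ever reached for a link without an assigned network, although only the passthru branch reads it. Whether every caller guarantees an assigned network is not visible in this hunk; if not, fold the check into the condition instead: `if (m->mode == NETDEV_MACVLAN_MODE_PASSTHRU && link->network && link->network->promiscuous == 0) {`. The `== 0` comparison presumably relies on `promiscuous` being a tristate where a negative value means unset, so a short comment saying so would stop someone simplifying it to `!link->network->promiscuous`.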
@@ -0,0 +1,71 @@ +From 2f599380f1ab1ee5fe3f7b02926ae2dd642bed9b Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Mon, 12 Jul 2021 15:46:44 +0900 +Subject: [PATCH] network: also check addresses when determine a gateway + address is reachable or not + +Fixes #20201. + +(cherry picked from commit 11046cea1414c70b5d7aab37ea88d5a839cbd209) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/2f599380f1ab1ee5fe3f7b02926ae2dd642bed9b +--- + src/network/networkd-route.c | 34 ++++++++++++++++++++++++++++++++++ + 1 file changed, 34 insertions(+) + +diff --git a/src/network/networkd-route.c b/src/network/networkd-route.c +index 77a93beca9..068915616e 100644 +--- a/src/network/networkd-route.c ++++ b/src/network/networkd-route.c +@@ -746,6 +746,26 @@ static bool route_address_is_reachable(const Route *route, int family, const uni + FAMILY_ADDRESS_SIZE(family) * 8) > 0; + } + ++static bool prefix_route_address_is_reachable(const Address *a, int family, const union in_addr_union *address) { ++ assert(a); ++ assert(IN_SET(family, AF_INET, AF_INET6)); ++ assert(address); ++ ++ if (a->family != family) ++ return false; ++ if (FLAGS_SET(a->flags, IFA_F_NOPREFIXROUTE)) ++ return false; ++ if (in_addr_is_set(a->family, &a->in_addr_peer)) ++ return false; ++ ++ return in_addr_prefix_intersect( ++ family, ++ &a->in_addr, ++ a->prefixlen, ++ address, ++ FAMILY_ADDRESS_SIZE(family) * 8) > 0; ++} ++ + bool manager_address_is_reachable(Manager *manager, int family, const union in_addr_union *address) { + Link *link; + +@@ -764,6 +784,20 @@ bool manager_address_is_reachable(Manager *manager, int family, const union in_a + return true; + } + ++ /* If we do not manage foreign routes, then there may exist a prefix route we do not know, ++ * which was created on configuring an address. Hence, also check the addresses. 
*/ ++ if (!manager->manage_foreign_routes) ++ HASHMAP_FOREACH(link, manager->links_by_index) { ++ Address *a; ++ ++ SET_FOREACH(a, link->addresses) ++ if (prefix_route_address_is_reachable(a, family, address)) ++ return true; ++ SET_FOREACH(a, link->addresses_foreign) ++ if (prefix_route_address_is_reachable(a, family, address)) ++ return true; ++ } ++ + return false; + } + +-- +2.33.0 + diff --git a/backport-network-bridge-fix-endian-of-vlan-protocol.patch b/backport-network-bridge-fix-endian-of-vlan-protocol.patch new file mode 100644 index 0000000000000000000000000000000000000000..59cdde4d0728b9976259dcdd2987f596f8e43418 --- /dev/null +++ b/backport-network-bridge-fix-endian-of-vlan-protocol.patch @@ -0,0 +1,32 @@ +From 7b9aa956fbf9fc342a4e35fbcf90e7083cccbf6c Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Thu, 10 Feb 2022 17:47:14 +0900 +Subject: [PATCH] network: bridge: fix endian of vlan protocol + +Fixes #22469. + +(cherry picked from commit 6eb35be8e0fa5f1f00dddd558cf4dc3642d9e53e) +(cherry picked from commit 514a4c051ce6cceaa5417a2044e708bd5105131d) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/7b9aa956fbf9fc342a4e35fbcf90e7083cccbf6c +--- + src/network/netdev/bridge.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/network/netdev/bridge.c b/src/network/netdev/bridge.c +index 99fb9e1c3c..b9a0136843 100644 +--- a/src/network/netdev/bridge.c ++++ b/src/network/netdev/bridge.c +@@ -126,7 +126,7 @@ static int netdev_bridge_post_create(NetDev *netdev, Link *link, sd_netlink_mess + } + + if (b->vlan_protocol >= 0) { +- r = sd_netlink_message_append_u16(req, IFLA_BR_VLAN_PROTOCOL, b->vlan_protocol); ++ r = sd_netlink_message_append_u16(req, IFLA_BR_VLAN_PROTOCOL, htobe16(b->vlan_protocol)); + if (r < 0) + return log_netdev_error_errno(netdev, r, "Could not append IFLA_BR_VLAN_PROTOCOL attribute: %m"); + } +-- +2.33.0 + 
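Review bot: prefix_route_address_is_reachable() has three early `return false` checks with no explanation of why those addresses are excluded. Judging from the checks, the intent is to count only addresses for which the kernel adds an on-link prefix route, so a header comment like `/* Only addresses that get a kernel-created prefix route count: skip IFA_F_NOPREFIXROUTE and addresses with a peer set. */` would document it (confirm the peer case against the kernel behaviour). In manager_address_is_reachable() the unbraced `if (!manager->manage_foreign_routes)` governs a whole `HASHMAP_FOREACH` block with two nested `SET_FOREACH` loops; bracing the `if` would make the scope unambiguous.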
diff --git a/backport-network-check-the-received-interface-name-is-actuall.patch b/backport-network-check-the-received-interface-name-is-actuall.patch
new file mode 100644
index 0000000000000000000000000000000000000000..b23ec35cd0ce06855ef3d4b2bf7d24ca346688de
--- /dev/null
+++ b/backport-network-check-the-received-interface-name-is-actuall.patch
@@ -0,0 +1,71 @@ +From d2895063305712cd9e5d7f4361f9343bf3b3f00b Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Mon, 12 Jul 2021 21:23:41 +0900 +Subject: [PATCH] network: check the received interface name is actually new + +For some reasons I do not know, on interface renaming, kernel once send +netlink message with old interface name, and then send with new name. +If eth0 is renamed, and then new interface appears as eth0, then the +message with the old name 'eth0' makes the interface enters failed +state. + +To ignore such invalid(?) rename event messages, let's confirm the +received interface name. + +Fixes #20203. + +(cherry picked from commit 176b8be10ffce2f8c1fc931a37904a528057016f) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/d2895063305712cd9e5d7f4361f9343bf3b3f00b +--- + src/network/networkd-link.c | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +diff --git a/src/network/networkd-link.c b/src/network/networkd-link.c +index 9421ce1aa6..d58b700050 100644 +--- a/src/network/networkd-link.c ++++ b/src/network/networkd-link.c +@@ -1,5 +1,6 @@ + /* SPDX-License-Identifier: LGPL-2.1-or-later */ + ++#include + #include + #include + #include +@@ -21,6 +22,7 @@ + #include "ethtool-util.h" + #include "fd-util.h" + #include "fileio.h" ++#include "format-util.h" + #include "fs-util.h" + #include "ipvlan.h" + #include "missing_network.h" +@@ -2161,6 +2163,7 @@ static int link_update_alternative_names(Link *link, sd_netlink_message *message + } + + static int link_update_name(Link *link, sd_netlink_message *message) { ++ char ifname_from_index[IF_NAMESIZE + 1]; + const char *ifname; + int r; + +@@ -2177,6 +2180,16 @@ static int link_update_name(Link *link, sd_netlink_message *message) { + if (streq(ifname, link->ifname)) + return 0; + ++ if (!format_ifname(link->ifindex, ifname_from_index)) ++ return log_link_debug_errno(link, SYNTHETIC_ERRNO(ENXIO), "Could not get interface name for index %i.", link->ifindex); ++ ++ if (!streq(ifname, 
ifname_from_index)) { ++ log_link_debug(link, "New interface name '%s' received from the kernel does not correspond " ++ "with the name currently configured on the actual interface '%s'. Ignoring.", ++ ifname, ifname_from_index); ++ return 0; ++ } ++ + log_link_info(link, "Interface name change detected, renamed to %s.", ifname); + + hashmap_remove(link->manager->links_by_name, link->ifname); +-- +2.33.0 + diff --git a/backport-network-configure-address-with-requested-lifetime.patch b/backport-network-configure-address-with-requested-lifetime.patch new file mode 100644 index 0000000000000000000000000000000000000000..9489faef244d6d13c4c92986325052eceaa98a7e --- /dev/null +++ b/backport-network-configure-address-with-requested-lifetime.patch 
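Review bot: In link_update_name() a failed `format_ifname(link->ifindex, ifname_from_index)` returns a synthetic -ENXIO, while the name-mismatch case directly below logs and returns 0. If the caller treats a negative return as a link failure (the caller is outside the hunk), an interface that vanishes between the netlink message and this lookup ends up in the same failed state the patch is meant to avoid. Consider handling both cases alike with a debug log and `return 0;`, or add a comment explaining why an unresolvable index must be an error here. The lookup can also race with a further rename, which deserves a one-line comment next to the `streq()` comparison.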
@@ -0,0 +1,50 @@
+From d18f1ad555a0b0b03fe8eb176f763b50a1aab215 Mon Sep 17 00:00:00 2001
+From: Yu Watanabe
+Date: Mon, 19 Jul 2021 15:18:37 +0900
+Subject: [PATCH] network: configure address with requested lifetime
+
+When assigning the same address provided by a dynamic addressing
+protocol, the new lifetime is stored on Request::Address, but not
+Address object in Link object, which can be obtained by address_get().
+So, we need to configure address with Address object in Request.
+
+Fixes #20245.
+
+(cherry picked from commit 2d302d88e4dfd48b18486c5ce2c7dfeb229a1b0a)
+
+Conflict:NA
+Reference:https://github.com/systemd/systemd/commit/d18f1ad555a0b0b03fe8eb176f763b50a1aab215
+---
+ src/network/networkd-address.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/src/network/networkd-address.c b/src/network/networkd-address.c
+index 6b2230b725..7b221516d7 100644
+--- a/src/network/networkd-address.c
++++ b/src/network/networkd-address.c
+@@ -1272,17 +1272,17 @@ int request_process_address(Request *req) {
+ if (r <= 0)
+ return r;
+
+- r = address_get(link, req->address, &a);
+- if (r < 0)
+- return r;
+-
+- r = address_configure(a, link, req->netlink_handler);
++ r = address_configure(req->address, link, req->netlink_handler);
+ if (r < 0)
+ return r;
+
+ /* To prevent a double decrement on failure in after_configure(). */
+ req->message_counter = NULL;
+
++ r = address_get(link, req->address, &a);
++ if (r < 0)
++ return r;
++
+ if (req->after_configure) {
+ r = req->after_configure(req, a);
+ if (r < 0)
+--
+2.33.0
+
diff --git a/backport-network-disable-event-sources-before-unref-them.patch b/backport-network-disable-event-sources-before-unref-them.patch
new file mode 100644
index 0000000000000000000000000000000000000000..e084d88c3f30196c7a120c0bd374b1bb39fff3f4
--- /dev/null
+++ b/backport-network-disable-event-sources-before-unref-them.patch
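Review bot: After this reordering request_process_address() works with two Address objects, `req->address` passed to address_configure() and `a` looked up afterwards and passed to after_configure(), and the code does not say why they differ. Add a comment above the configure call, for example `/* Configure with req->address rather than the Link's copy: only the request carries the newly requested lifetime. */`. The new `address_get()` failure path also returns after the netlink request has been sent and `req->message_counter` cleared. That looks intentional given the existing "double decrement" comment, but a short note on the early return would confirm it. The function continues outside the hunk.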
@@ -0,0 +1,61 @@ +From 847168ed320e9ff14ed95dbde0a1f392acbe4a44 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Fri, 24 Sep 2021 17:26:10 +0900 +Subject: [PATCH] network: disable event sources before unref them + +(cherry picked from commit d105befc976ad704d3b17b3a5ee1b659a5f624d4) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/847168ed320e9ff14ed95dbde0a1f392acbe4a44 +--- + src/network/networkd-lldp-tx.c | 2 +- + src/network/networkd-route.c | 6 +++--- + 2 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/src/network/networkd-lldp-tx.c b/src/network/networkd-lldp-tx.c +index 45a087b301..82a403fe21 100644 +--- a/src/network/networkd-lldp-tx.c ++++ b/src/network/networkd-lldp-tx.c +@@ -413,7 +413,7 @@ int link_lldp_emit_start(Link *link) { + void link_lldp_emit_stop(Link *link) { + assert(link); + +- link->lldp_emit_event_source = sd_event_source_unref(link->lldp_emit_event_source); ++ link->lldp_emit_event_source = sd_event_source_disable_unref(link->lldp_emit_event_source); + } + + int config_parse_lldp_mud( +diff --git a/src/network/networkd-route.c b/src/network/networkd-route.c +index b7852f6eec..791fd64c39 100644 +--- a/src/network/networkd-route.c ++++ b/src/network/networkd-route.c +@@ -290,7 +290,7 @@ Route *route_free(Route *route) { + + ordered_set_free_with_destructor(route->multipath_routes, multipath_route_free); + +- sd_event_source_unref(route->expire); ++ sd_event_source_disable_unref(route->expire); + + return mfree(route); + } +@@ -1273,7 +1273,7 @@ static int route_expire_handler(sd_event_source *s, uint64_t usec, void *userdat + } + + static int route_add_and_setup_timer_one(Link *link, const Route *route, const MultipathRoute *m, const NextHop *nh, uint8_t nh_weight, Route **ret) { +- _cleanup_(sd_event_source_unrefp) sd_event_source *expire = NULL; ++ _cleanup_(sd_event_source_disable_unrefp) sd_event_source *expire = NULL; + Route *nr; + int r; + +@@ -1311,7 +1311,7 @@ static int 
route_add_and_setup_timer_one(Link *link, const Route *route, const M + return log_link_error_errno(link, r, "Could not arm expiration timer: %m"); + } + +- sd_event_source_unref(nr->expire); ++ sd_event_source_disable_unref(nr->expire); + nr->expire = TAKE_PTR(expire); + + *ret = nr; +-- +2.33.0 + diff --git a/backport-network-do-not-assume-the-highest-priority-when-Prio.patch b/backport-network-do-not-assume-the-highest-priority-when-Prio.patch new file mode 100644 index 0000000000000000000000000000000000000000..b7059d954a00ada50ba64a2de1167bf0af48b16e --- /dev/null +++ b/backport-network-do-not-assume-the-highest-priority-when-Prio.patch 
@@ -0,0 +1,292 @@
+From c5ff3ea39882609b307c4a9925d1c17413d17dfc Mon Sep 17 00:00:00 2001
+From: Yu Watanabe
+Date: Tue, 17 Aug 2021 14:03:19 +0900
+Subject: [PATCH] network: do not assume the highest priority when Priority= is
+ unspecified
+
+Previously, when Priority= is unspecified, networkd configured the rule with
+the highest (=0) priority. This commit makes networkd distinguish the case
+the setting is unspecified and one explicitly specified as Priority=0.
+
+Note.
+1) If the priority is unspecified on configure, then kernel dynamically picks
+ a priority for the rule.
+2) The new behavior is consistent with 'ip rule' command.
+
+Replaces #15606.
+
+(cherry picked from commit c4f7a347566b8926382029593b4d9957fef2564c)
+
+Conflict:NA
+Reference:https://github.com/systemd/systemd/commit/c5ff3ea39882609b307c4a9925d1c17413d17dfc
+---
+ man/systemd.network.xml | 4 +-
+ src/network/networkd-routing-policy-rule.c | 120 +++++++++++++++++---
+ src/network/networkd-routing-policy-rule.h | 1 +
+ test/test-network/systemd-networkd-tests.py | 2 +-
+ 4 files changed, 110 insertions(+), 17 deletions(-)
+
+diff --git a/man/systemd.network.xml b/man/systemd.network.xml
+index 3b7680eb8b..9de9816ced 100644
+--- a/man/systemd.network.xml
++++ b/man/systemd.network.xml
+@@ -1238,7 +1238,9 @@ IPv6Token=prefixstable:2002:da8:1::
+ Priority=
+
+ Specifies the priority of this rule. Priority= is an unsigned
+- integer. Higher number means lower priority, and rules get processed in order of increasing number.
++ integer in the range 0…4294967295. Higher number means lower priority, and rules get
++ processed in order of increasing number. Defaults to unset, and the kernel will pick
++ a value dynamically.
+
+
+
+diff --git a/src/network/networkd-routing-policy-rule.c b/src/network/networkd-routing-policy-rule.c
+index af7e8a973c..03ccbd8e85 100644
+--- a/src/network/networkd-routing-policy-rule.c
++++ b/src/network/networkd-routing-policy-rule.c
+@@ -163,7 +163,9 @@ void routing_policy_rule_hash_func(const RoutingPolicyRule *rule, struct siphash
+ siphash24_compress(&rule->type, sizeof(rule->type), state);
+ siphash24_compress(&rule->fwmark, sizeof(rule->fwmark), state);
+ siphash24_compress(&rule->fwmask, sizeof(rule->fwmask), state);
+- siphash24_compress(&rule->priority, sizeof(rule->priority), state);
++ siphash24_compress_boolean(rule->priority_set, state);
++ if (rule->priority_set)
++ siphash24_compress(&rule->priority, sizeof(rule->priority), state);
+ siphash24_compress(&rule->table, sizeof(rule->table), state);
+ siphash24_compress(&rule->suppress_prefixlen, sizeof(rule->suppress_prefixlen), state);
+
+@@ -229,10 +231,16 @@ int routing_policy_rule_compare_func(const RoutingPolicyRule *a, const RoutingPo
+ if (r != 0)
+ return r;
+
+- r = CMP(a->priority, b->priority);
++ r = CMP(a->priority_set, b->priority_set);
+ if (r != 0)
+ return r;
+
++ if (a->priority_set) {
++ r = CMP(a->priority, b->priority);
++ if (r != 0)
++ return r;
++ }
++
+ r = CMP(a->table, b->table);
+ if (r != 0)
+ return r;
+@@ -293,8 +301,9 @@ DEFINE_PRIVATE_HASH_OPS_WITH_KEY_DESTRUCTOR(
+ routing_policy_rule_compare_func,
+ routing_policy_rule_free);
+
+-static int routing_policy_rule_get(Manager *m, const RoutingPolicyRule *rule, RoutingPolicyRule **ret) {
++static int routing_policy_rule_get(Manager *m, const RoutingPolicyRule *rule, bool require_priority, RoutingPolicyRule **ret) {
+ RoutingPolicyRule *existing;
++ int r;
+
+ assert(m);
+
+@@ -312,6 +321,23 @@ static int routing_policy_rule_get(Manager *m, const RoutingPolicyRule *rule, Ro
+ return 0;
+ }
+
++ if (!require_priority && rule->priority_set) {
++ _cleanup_(routing_policy_rule_freep) RoutingPolicyRule *tmp = NULL;
++
++ r = routing_policy_rule_dup(rule, &tmp);
++ if (r < 0)
++ return r;
++
++ tmp->priority_set = false;
++
++ existing = set_get(m->rules, tmp);
++ if (existing) {
++ if (ret)
++ *ret = existing;
++ return 1;
++ }
++ }
++
+ return -ENOENT;
+ }
+
+@@ -328,7 +354,7 @@ static int routing_policy_rule_add(Manager *m, const RoutingPolicyRule *in, Rout
+ if (r < 0)
+ return r;
+
+- r = routing_policy_rule_get(m, rule, &existing);
++ r = routing_policy_rule_get(m, rule, true, &existing);
+ if (r == -ENOENT) {
+ /* Rule does not exist, use a new one. */
+ r = set_ensure_put(&m->rules, &routing_policy_rule_hash_ops, rule);
+@@ -371,6 +397,32 @@ static int routing_policy_rule_consume_foreign(Manager *m, RoutingPolicyRule *ru
+ return 1;
+ }
+
++static int routing_policy_rule_update_priority(RoutingPolicyRule *rule, uint32_t priority) {
++ int r;
++
++ assert(rule);
++ assert(rule->manager);
++
++ if (rule->priority_set)
++ return 0;
++
++ if (!set_remove(rule->manager->rules, rule))
++ return -ENOENT;
++
++ rule->priority = priority;
++ rule->priority_set = true;
++
++ r = set_put(rule->manager->rules, rule);
++ if (r <= 0) {
++ /* Undo */
++ rule->priority_set = false;
++ assert_se(set_put(rule->manager->rules, rule) > 0);
++ return r == 0 ?
-EEXIST : r;
++ }
++
++ return 1;
++}
++
+ static void log_routing_policy_rule_debug(const RoutingPolicyRule *rule, const char *str, const Link *link, const Manager *m) {
+ _cleanup_free_ char *from = NULL, *to = NULL, *table = NULL;
+
+@@ -422,9 +474,11 @@ static int routing_policy_rule_set_netlink_message(const RoutingPolicyRule *rule
+ return log_link_error_errno(link, r, "Could not set destination prefix length: %m");
+ }
+
+- r = sd_netlink_message_append_u32(m, FRA_PRIORITY, rule->priority);
+- if (r < 0)
+- return log_link_error_errno(link, r, "Could not append FRA_PRIORITY attribute: %m");
++ if (rule->priority_set) {
++ r = sd_netlink_message_append_u32(m, FRA_PRIORITY, rule->priority);
++ if (r < 0)
++ return log_link_error_errno(link, r, "Could not append FRA_PRIORITY attribute: %m");
++ }
+
+ if (rule->tos > 0) {
+ r = sd_rtnl_message_routing_policy_rule_set_tos(m, rule->tos);
+@@ -662,6 +716,28 @@ int manager_drop_routing_policy_rules_internal(Manager *m, bool foreign, const L
+ continue;
+ }
+
++ if (!foreign) {
++ _cleanup_(routing_policy_rule_freep) RoutingPolicyRule *tmp = NULL;
++
++ /* The rule may be configured without priority. Try to find without priority.
*/
++ k = routing_policy_rule_dup(rule, &tmp);
++ if (k < 0) {
++ if (r >= 0)
++ r = k;
++ continue;
++ }
++
++ tmp->priority_set = false;
++
++ k = links_have_routing_policy_rule(m, tmp, except);
++ if (k != 0) {
++ if (k < 0 && r >= 0)
++ r = k;
++ continue;
++ }
++ }
++
+ k = routing_policy_rule_remove(rule, m);
+ if (k < 0 && r >= 0)
+ r = k;
+@@ -821,11 +897,11 @@ int request_process_routing_policy_rule(Request *req) {
+ }
+
+ static const RoutingPolicyRule kernel_rules[] = {
+- { .family = AF_INET, .priority = 0, .table = RT_TABLE_LOCAL, .type = FR_ACT_TO_TBL, .uid_range.start = UID_INVALID, .uid_range.end = UID_INVALID, .suppress_prefixlen = -1, },
+- { .family = AF_INET, .priority = 32766, .table = RT_TABLE_MAIN, .type = FR_ACT_TO_TBL, .uid_range.start = UID_INVALID, .uid_range.end = UID_INVALID, .suppress_prefixlen = -1, },
+- { .family = AF_INET, .priority = 32767, .table = RT_TABLE_DEFAULT, .type = FR_ACT_TO_TBL, .uid_range.start = UID_INVALID, .uid_range.end = UID_INVALID, .suppress_prefixlen = -1, },
+- { .family = AF_INET6, .priority = 0, .table = RT_TABLE_LOCAL, .type = FR_ACT_TO_TBL, .uid_range.start = UID_INVALID, .uid_range.end = UID_INVALID, .suppress_prefixlen = -1, },
+- { .family = AF_INET6, .priority = 32766, .table = RT_TABLE_MAIN, .type = FR_ACT_TO_TBL, .uid_range.start = UID_INVALID, .uid_range.end = UID_INVALID, .suppress_prefixlen = -1, },
++ { .family = AF_INET, .priority_set = true, .priority = 0, .table = RT_TABLE_LOCAL, .type = FR_ACT_TO_TBL, .uid_range.start = UID_INVALID, .uid_range.end = UID_INVALID, .suppress_prefixlen = -1, },
++ { .family = AF_INET, .priority_set = true, .priority = 32766, .table = RT_TABLE_MAIN, .type = FR_ACT_TO_TBL, .uid_range.start = UID_INVALID, .uid_range.end = UID_INVALID, .suppress_prefixlen = -1, },
++ { .family = AF_INET, .priority_set = true, .priority = 32767, .table = RT_TABLE_DEFAULT, .type = FR_ACT_TO_TBL, .uid_range.start = UID_INVALID, .uid_range.end = UID_INVALID, .suppress_prefixlen = -1,
},
++ { .family = AF_INET6, .priority_set = true, .priority = 0, .table = RT_TABLE_LOCAL, .type = FR_ACT_TO_TBL, .uid_range.start = UID_INVALID, .uid_range.end = UID_INVALID, .suppress_prefixlen = -1, },
++ { .family = AF_INET6, .priority_set = true, .priority = 32766, .table = RT_TABLE_MAIN, .type = FR_ACT_TO_TBL, .uid_range.start = UID_INVALID, .uid_range.end = UID_INVALID, .suppress_prefixlen = -1, },
+ };
+
+ static bool routing_policy_rule_is_created_by_kernel(const RoutingPolicyRule *rule) {
+@@ -936,6 +1012,9 @@ int manager_rtnl_process_rule(sd_netlink *rtnl, sd_netlink_message *message, Man
+ log_warning_errno(r, "rtnl: could not get FRA_PRIORITY attribute, ignoring: %m");
+ return 0;
+ }
++ /* The kernel does not send priority if priority is zero. So, the flag below must be always set
++ * even if the message does not contain FRA_PRIORITY. */
++ tmp->priority_set = true;
+
+ r = sd_netlink_message_read_u32(message, FRA_TABLE, &tmp->table);
+ if (r < 0 && r != -ENODATA) {
+@@ -1027,13 +1106,16 @@ int manager_rtnl_process_rule(sd_netlink *rtnl, sd_netlink_message *message, Man
+ * protocol of the received rule is RTPROT_KERNEL or RTPROT_STATIC. */
+ tmp->protocol = routing_policy_rule_is_created_by_kernel(tmp) ?
RTPROT_KERNEL : RTPROT_STATIC;
+
+- (void) routing_policy_rule_get(m, tmp, &rule);
++ (void) routing_policy_rule_get(m, tmp, false, &rule);
+
+ switch (type) {
+ case RTM_NEWRULE:
+- if (rule)
++ if (rule) {
+ log_routing_policy_rule_debug(tmp, "Received remembered", NULL, m);
+- else if (!m->manage_foreign_routes)
++ r = routing_policy_rule_update_priority(rule, tmp->priority);
++ if (r < 0)
++ log_warning_errno(r, "Failed to update priority of remembered routing policy rule, ignoring: %m");
++ } else if (!m->manage_foreign_routes)
+ log_routing_policy_rule_debug(tmp, "Ignoring received foreign", NULL, m);
+ else {
+ log_routing_policy_rule_debug(tmp, "Remembering foreign", NULL, m);
+@@ -1155,11 +1237,19 @@ int config_parse_routing_policy_rule_priority(
+ if (r < 0)
+ return log_oom();
+
++ if (isempty(rvalue)) {
++ n->priority = 0;
++ n->priority_set = false;
++ TAKE_PTR(n);
++ return 0;
++ }
++
+ r = safe_atou32(rvalue, &n->priority);
+ if (r < 0) {
+ log_syntax(unit, LOG_WARNING, filename, line, r, "Failed to parse RPDB rule priority, ignoring: %s", rvalue);
+ return 0;
+ }
++ n->priority_set = true;
+
+ TAKE_PTR(n);
+ return 0;
+diff --git a/src/network/networkd-routing-policy-rule.h b/src/network/networkd-routing-policy-rule.h
+index aed37b00d2..557048c3f4 100644
+--- a/src/network/networkd-routing-policy-rule.h
++++ b/src/network/networkd-routing-policy-rule.h
+@@ -20,6 +20,7 @@ typedef struct RoutingPolicyRule {
+ NetworkConfigSection *section;
+
+ bool invert_rule;
++ bool priority_set;
+
+ uint8_t tos;
+ uint8_t type;
+diff --git a/test/test-network/systemd-networkd-tests.py b/test/test-network/systemd-networkd-tests.py
+index 0eb2fdf87e..4a2af0c500 100755
+--- a/test/test-network/systemd-networkd-tests.py
++++ b/test/test-network/systemd-networkd-tests.py
+@@ -3644,7 +3644,7 @@ class NetworkdBridgeTests(unittest.TestCase, Utilities):
+
+ output = check_output('ip rule list table 100')
+ print(output)
+- self.assertIn('0: from all to 8.8.8.8 lookup 100',
output)
++ self.assertIn('from all to 8.8.8.8 lookup 100', output)
+
+ class NetworkdLLDPTests(unittest.TestCase, Utilities):
+ links = ['veth99']
+--
+2.33.0
+
diff --git a/backport-network-fix-configuring-of-CAN-devices.patch b/backport-network-fix-configuring-of-CAN-devices.patch
new file mode 100644
index 0000000000000000000000000000000000000000..0558913cd8035f2ccd2617837aacd668b2b642ba
--- /dev/null
+++ b/backport-network-fix-configuring-of-CAN-devices.patch
@@ -0,0 +1,40 @@
+From 9bf50758426a3d8dd4b40e28c960e920d41444ba Mon Sep 17 00:00:00 2001
+From: Yu Watanabe
+Date: Thu, 12 Aug 2021 13:39:53 +0900
+Subject: [PATCH] network: fix configuring of CAN devices
+
+Fix a bug introduced by 7558f9e717381eef0ddc8ddfb5a754ea4b0f3e6c.
+
+Fixes #20428.
+
+(cherry picked from commit 1e8cce8f1e61e01db844d518b7051b6ce69867fd)
+
+Conflict:NA
+Reference:https://github.com/systemd/systemd/commit/9bf50758426a3d8dd4b40e28c960e920d41444ba
+---
+ src/network/networkd-setlink.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/src/network/networkd-setlink.c b/src/network/networkd-setlink.c
+index 10c312c480..13c4cedd10 100644
+--- a/src/network/networkd-setlink.c
++++ b/src/network/networkd-setlink.c
+@@ -229,10 +229,14 @@ static int link_configure(
+
+ log_link_debug(link, "Setting %s", set_link_operation_to_string(op));
+
+- if (IN_SET(op, SET_LINK_BOND, SET_LINK_CAN)) {
++ if (op == SET_LINK_BOND) {
+ r = sd_rtnl_message_new_link(link->manager->rtnl, &req, RTM_NEWLINK, link->master_ifindex);
+ if (r < 0)
+ return log_link_debug_errno(link, r, "Could not allocate RTM_NEWLINK message: %m");
++ } else if (op == SET_LINK_CAN) {
++ r = sd_rtnl_message_new_link(link->manager->rtnl, &req, RTM_NEWLINK, link->ifindex);
++ if (r < 0)
++ return log_link_debug_errno(link, r, "Could not allocate RTM_NEWLINK message: %m");
+ } else {
+ r = sd_rtnl_message_new_link(link->manager->rtnl, &req, RTM_SETLINK, link->ifindex);
+ if (r < 0)
+--
+2.33.0
+
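Review bot: In routing_policy_rule_update_priority() (src/network/networkd-routing-policy-rule.c) the undo branch re-inserts the rule with `assert_se(set_put(rule->manager->rules, rule) > 0);`, so a failure there aborts the daemon, and the function is called from manager_rtnl_process_rule() while it handles RTM_NEWRULE messages. If the re-insert cannot fail because set_remove() has just vacated the entry, say so in the comment, for example `/* Undo. Cannot fail, the rule was removed from this set above. */`; that guarantee is not visible in the hunk. The undo also leaves `rule->priority` at the new value, which the hash and compare functions skip while `priority_set` is false, and the same comment should mention that.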
diff --git a/backport-network-fix-handling-of-network-interface-renaming.patch b/backport-network-fix-handling-of-network-interface-renaming.patch
new file mode 100644
index 0000000000000000000000000000000000000000..f7eddd03812c6a377565b320d0653c92b6cd01c5
--- /dev/null
+++ b/backport-network-fix-handling-of-network-interface-renaming.patch
@@ -0,0 +1,49 @@
+From 6ee3390c978dca7a590a4c16d4d620984e60fa96 Mon Sep 17 00:00:00 2001
+From: Yu Watanabe
+Date: Fri, 10 Sep 2021 08:09:56 +0900
+Subject: [PATCH] network: fix handling of network interface renaming
+
+Fixes #20657.
+
+(cherry picked from commit 160203e974945ce520fe8f569458634ef898c61c)
+
+Conflict:NA
+Reference:https://github.com/systemd/systemd/commit/6ee3390c978dca7a590a4c16d4d620984e60fa96
+---
+ src/network/networkd-link.c | 14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+diff --git a/src/network/networkd-link.c b/src/network/networkd-link.c
+index d58b700050..20675f2306 100644
+--- a/src/network/networkd-link.c
++++ b/src/network/networkd-link.c
+@@ -1404,17 +1404,21 @@ static int link_initialized(Link *link, sd_device *device) {
+ assert(link);
+ assert(device);
+
+- if (link->state != LINK_STATE_PENDING)
+- return 0;
++ /* Always replace with the new sd_device object. As the sysname (and possibly other properties
++ * or sysattrs) may be outdated. */
++ sd_device_ref(device);
++ sd_device_unref(link->sd_device);
++ link->sd_device = device;
+
+- if (link->sd_device)
++ /* Do not ignore unamanaged state case here. If an interface is renamed after being once
++ * configured, and the corresponding .network file has Name= in [Match] section, then the
++ * interface may be already in unmanaged state. See #20657. */
++ if (!IN_SET(link->state, LINK_STATE_PENDING, LINK_STATE_UNMANAGED))
+ return 0;
+
+ log_link_debug(link, "udev initialized link");
+ link_set_state(link, LINK_STATE_INITIALIZED);
+
+- link->sd_device = sd_device_ref(device);
+-
+ /* udev has initialized the link, but we don't know if we have yet
+ * processed the NEWLINK messages with the latest state. Do a GETLINK,
+ * when it returns we know that the pending NEWLINKs have already been
+--
+2.33.0
+
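Review bot: The new comment in link_initialized() misspells the state name, `unamanaged` should read `unmanaged`. The order of `sd_device_ref(device);` before `sd_device_unref(link->sd_device);` also matters when the caller passes the object the link already holds, and a remark such as `/* Take the new reference first, the two may be the same object. */` would keep a later cleanup from swapping the two calls. The function continues past the end of the nested hunk.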
diff --git a/backport-network-fix-logic-for-checking-gateway-address-is-re.patch b/backport-network-fix-logic-for-checking-gateway-address-is-re.patch
new file mode 100644
index 0000000000000000000000000000000000000000..3c5a1f66bc59265be81a91051cf836702b26448d
--- /dev/null
+++ b/backport-network-fix-logic-for-checking-gateway-address-is-re.patch
@@ -0,0 +1,182 @@
+From 2bd5bbbd39d5c825ed520e8282840b76b8f7fc79 Mon Sep 17 00:00:00 2001
+From: Yu Watanabe
+Date: Sat, 21 Aug 2021 03:51:39 +0900
+Subject: [PATCH] network: fix logic for checking gateway address is ready
+
+This fixes the followings:
+- The corresponding route or address to the gateway address must be in
+ the same link.
+- IPv6 link local address is not necessary to be reachable.
+
+Fixes an issue reported in https://github.com/systemd/systemd/issues/8686#issuecomment-902562324.
+
+(cherry picked from commit 3333350a0e1917395d3654731ca985ea668bca9b)
+
+Conflict:NA
+Reference:https://github.com/systemd/systemd/commit/2bd5bbbd39d5c825ed520e8282840b76b8f7fc79
+---
+ src/network/networkd-nexthop.c | 7 +---
+ src/network/networkd-route.c | 72 ++++++++++++++++++++--------------
+ src/network/networkd-route.h | 2 +-
+ 3 files changed, 44 insertions(+), 37 deletions(-)
+
+diff --git a/src/network/networkd-nexthop.c b/src/network/networkd-nexthop.c
+index a52e5dcb16..c5cba88f46 100644
+--- a/src/network/networkd-nexthop.c
++++ b/src/network/networkd-nexthop.c
+@@ -791,12 +791,7 @@ static bool nexthop_is_ready_to_configure(Link *link, const NextHop *nexthop) {
+ }
+ }
+
+- if (nexthop->onlink <= 0 &&
+- in_addr_is_set(nexthop->family, &nexthop->gw) &&
+- !manager_address_is_reachable(link->manager, nexthop->family, &nexthop->gw))
+- return false;
+-
+- return true;
++ return gateway_is_ready(link, nexthop->onlink, nexthop->family, &nexthop->gw);
+ }
+
+ int request_process_nexthop(Request *req) {
+diff --git a/src/network/networkd-route.c b/src/network/networkd-route.c
+index 068915616e..b7852f6eec 100644
+--- a/src/network/networkd-route.c
++++ b/src/network/networkd-route.c
+@@ -753,6 +753,8 @@ static bool prefix_route_address_is_reachable(const Address *a, int family, cons
+
+ if (a->family != family)
+ return false;
++ if (!address_is_ready(a))
++ return false;
+ if (FLAGS_SET(a->flags, IFA_F_NOPREFIXROUTE))
+ return false;
+ if
(in_addr_is_set(a->family, &a->in_addr_peer))
+@@ -766,37 +768,34 @@ static bool prefix_route_address_is_reachable(const Address *a, int family, cons
+ FAMILY_ADDRESS_SIZE(family) * 8) > 0;
+ }
+
+-bool manager_address_is_reachable(Manager *manager, int family, const union in_addr_union *address) {
+- Link *link;
++static bool link_address_is_reachable(Link *link, int family, const union in_addr_union *address) {
++ Route *route;
+
+- assert(manager);
++ assert(link);
++ assert(link->manager);
+ assert(IN_SET(family, AF_INET, AF_INET6));
+ assert(address);
+
+- HASHMAP_FOREACH(link, manager->links_by_index) {
+- Route *route;
+
+- SET_FOREACH(route, link->routes)
+- if (route_address_is_reachable(route, family, address))
+- return true;
+- SET_FOREACH(route, link->routes_foreign)
+- if (route_address_is_reachable(route, family, address))
+- return true;
+- }
++ SET_FOREACH(route, link->routes)
++ if (route_address_is_reachable(route, family, address))
++ return true;
++ SET_FOREACH(route, link->routes_foreign)
++ if (route_address_is_reachable(route, family, address))
++ return true;
+
+ /* If we do not manage foreign routes, then there may exist a prefix route we do not know,
+ * which was created on configuring an address. Hence, also check the addresses.
*/
+- if (!manager->manage_foreign_routes)
+- HASHMAP_FOREACH(link, manager->links_by_index) {
+- Address *a;
+-
+- SET_FOREACH(a, link->addresses)
+- if (prefix_route_address_is_reachable(a, family, address))
+- return true;
+- SET_FOREACH(a, link->addresses_foreign)
+- if (prefix_route_address_is_reachable(a, family, address))
+- return true;
+- }
++ if (!link->manager->manage_foreign_routes) {
++ Address *a;
++
++ SET_FOREACH(a, link->addresses)
++ if (prefix_route_address_is_reachable(a, family, address))
++ return true;
++ SET_FOREACH(a, link->addresses_foreign)
++ if (prefix_route_address_is_reachable(a, family, address))
++ return true;
++ }
+
+ return false;
+ }
+@@ -1692,6 +1691,22 @@ int link_request_static_routes(Link *link, bool only_ipv4) {
+ return 0;
+ }
+
++bool gateway_is_ready(Link *link, int onlink, int family, const union in_addr_union *gw) {
++ assert(link);
++ assert(gw);
++
++ if (onlink > 0)
++ return true;
++
++ if (!in_addr_is_set(family, gw))
++ return true;
++
++ if (family == AF_INET6 && in6_addr_is_link_local(&gw->in6))
++ return true;
++
++ return link_address_is_reachable(link, family, gw);
++}
++
+ static int route_is_ready_to_configure(const Route *route, Link *link) {
+ MultipathRoute *m;
+ NextHop *nh = NULL;
+@@ -1735,19 +1750,13 @@ static int route_is_ready_to_configure(const Route *route, Link *link) {
+ return r;
+ }
+
+- if (route->gateway_onlink <= 0 &&
+- in_addr_is_set(route->gw_family, &route->gw) > 0 &&
+- !manager_address_is_reachable(link->manager, route->gw_family, &route->gw))
++ if (!gateway_is_ready(link, route->gateway_onlink, route->gw_family, &route->gw))
+ return false;
+
+ ORDERED_SET_FOREACH(m, route->multipath_routes) {
+ union in_addr_union a = m->gateway.address;
+ Link *l = NULL;
+
+- if (route->gateway_onlink <= 0 &&
+- !manager_address_is_reachable(link->manager, m->gateway.family, &a))
+- return false;
+-
+ if (m->ifname) {
+ if (link_get_by_name(link->manager, m->ifname, &l) < 0)
+ return false;
+@@
-1759,6 +1759,9 @@ static int route_is_ready_to_configure(const Route *route, Link *link) {
+ }
+ if (l && !link_is_ready_to_configure(l, true))
+ return false;
++
++ if (!gateway_is_ready(l ?: link, route->gateway_onlink, m->gateway.family, &a))
++ return false;
+ }
+
+ return true;
+diff --git a/src/network/networkd-route.h b/src/network/networkd-route.h
+index 2d262819ad..235a91f08d 100644
+--- a/src/network/networkd-route.h
++++ b/src/network/networkd-route.h
+@@ -78,8 +78,8 @@ int route_configure_handler_internal(sd_netlink *rtnl, sd_netlink_message *m, Li
+ int route_remove(const Route *route, Manager *manager, Link *link);
+
+ int link_has_route(Link *link, const Route *route);
+-bool manager_address_is_reachable(Manager *manager, int family, const union in_addr_union *address);
+ int manager_find_uplink(Manager *m, int family, Link *exclude, Link **ret);
++bool gateway_is_ready(Link *link, int onlink, int family, const union in_addr_union *gw);
+
+ int link_drop_routes(Link *link);
+ int link_drop_foreign_routes(Link *link);
+--
+2.33.0
+
diff --git a/backport-network-fix-wrong-flag-manage_foreign_routes-manage_.patch b/backport-network-fix-wrong-flag-manage_foreign_routes-manage_.patch
new file mode 100644
index 0000000000000000000000000000000000000000..d40fbba9cab258719fdb23c53f46ef8606941ee0
--- /dev/null
+++ b/backport-network-fix-wrong-flag-manage_foreign_routes-manage_.patch
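Review bot: gateway_is_ready() is added to networkd-route.h and defined in networkd-route.c without any comment describing its contract. `onlink` is tested with `> 0` where the old callers tested `<= 0`, which suggests a tri-state in which a negative value means unset, and an IPv6 link-local gateway is reported ready without any lookup; neither rule can be read off the prototype. A comment above the definition should state these two rules and that reachability is now checked only against routes and addresses of the link passed in, which in the multipath loop is `l ?: link`.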
@@ -0,0 +1,32 @@
+From fc88dc07544978b1bda9c192481a07d43d384f81 Mon Sep 17 00:00:00 2001
+From: Yu Watanabe
+Date: Tue, 7 Sep 2021 21:46:50 +0900
+Subject: [PATCH] network: fix wrong flag: manage_foreign_routes ->
+ manage_foreign_rules
+
+Fixes a bug in d94dfe7053d49fa62c4bfc07b7f3fc2227c10aff.
+
+(cherry picked from commit 771a36439e955906290afc16a6fb3b10401892cf)
+
+Conflict:NA
+Reference:https://github.com/systemd/systemd/commit/fc88dc07544978b1bda9c192481a07d43d384f81
+---
+ src/network/networkd-routing-policy-rule.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/network/networkd-routing-policy-rule.c b/src/network/networkd-routing-policy-rule.c
+index 03ccbd8e85..b7e0fd779d 100644
+--- a/src/network/networkd-routing-policy-rule.c
++++ b/src/network/networkd-routing-policy-rule.c
+@@ -1115,7 +1115,7 @@ int manager_rtnl_process_rule(sd_netlink *rtnl, sd_netlink_message *message, Man
+ r = routing_policy_rule_update_priority(rule, tmp->priority);
+ if (r < 0)
+ log_warning_errno(r, "Failed to update priority of remembered routing policy rule, ignoring: %m");
+- } else if (!m->manage_foreign_routes)
++ } else if (!m->manage_foreign_rules)
+ log_routing_policy_rule_debug(tmp, "Ignoring received foreign", NULL, m);
+ else {
+ log_routing_policy_rule_debug(tmp, "Remembering foreign", NULL, m);
+--
+2.33.0
+
diff --git a/backport-network-ignore-errors-on-setting-bridge-config.patch b/backport-network-ignore-errors-on-setting-bridge-config.patch
new file mode 100644
index 0000000000000000000000000000000000000000..33d26bd8a9e37ba344ff6c3f7e713f7f303284e4
--- /dev/null
+++ b/backport-network-ignore-errors-on-setting-bridge-config.patch
@@ -0,0 +1,34 @@
+From 0c136b86d6c32445c6b503c87ba5fa348f34e22b Mon Sep 17 00:00:00 2001
+From: Yu Watanabe
+Date: Wed, 4 Aug 2021 13:53:21 +0900
+Subject: [PATCH] network: ignore errors on setting bridge config
+
+For some setups, kernel refuses to set bridge configs with -EOPNOTSUPP.
+See kernel's rtnl_bridge_setlink() in net/core/rtnetlink.c.
+
+Fixes #20373.
+
+(cherry picked from commit 1171f3f030319155914c2bb90655f46653f88cbf)
+
+Conflict:NA
+Reference:https://github.com/systemd/systemd/commit/0c136b86d6c32445c6b503c87ba5fa348f34e22b
+---
+ src/network/networkd-setlink.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/network/networkd-setlink.c b/src/network/networkd-setlink.c
+index fa1dd9b3ba..8130bb6bcc 100644
+--- a/src/network/networkd-setlink.c
++++ b/src/network/networkd-setlink.c
+@@ -124,7 +124,7 @@ static int link_set_bond_handler(sd_netlink *rtnl, sd_netlink_message *m, Link *
+ }
+
+ static int link_set_bridge_handler(sd_netlink *rtnl, sd_netlink_message *m, Link *link) {
+- return set_link_handler_internal(rtnl, m, link, SET_LINK_BRIDGE, /* ignore = */ false, NULL);
++ return set_link_handler_internal(rtnl, m, link, SET_LINK_BRIDGE, /* ignore = */ true, NULL);
+ }
+
+ static int link_set_bridge_vlan_handler(sd_netlink *rtnl, sd_netlink_message *m, Link *link) {
+--
+2.33.0
+
diff --git a/backport-network-ignore-errors-on-unsetting-master-ifindex.patch b/backport-network-ignore-errors-on-unsetting-master-ifindex.patch
new file mode 100644
index 0000000000000000000000000000000000000000..1090eca78bebd626c99b59fb38e40a7e59041e35
--- /dev/null
+++ b/backport-network-ignore-errors-on-unsetting-master-ifindex.patch
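Review bot: Flipping `/* ignore = */` to `true` in link_set_bridge_handler() appears to tolerate every error from the bridge request, while the commit message only motivates -EOPNOTSUPP. set_link_handler_internal() lies outside the hunk, so how an ignored error is logged cannot be confirmed here; if it is reported at debug level only, a bridge setting rejected for a different reason would go unnoticed on a link that still comes up. At minimum add a comment at the call, for example `/* Some kernels refuse bridge settings with -EOPNOTSUPP, see rtnl_bridge_setlink(). */`, and consider limiting the tolerance to that errno.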
@@ -0,0 +1,68 @@
+From 090378dcb1de5ca66900503210e85d63075fa70a Mon Sep 17 00:00:00 2001
+From: Yu Watanabe
+Date: Thu, 5 Aug 2021 00:10:52 +0900
+Subject: [PATCH] network: ignore errors on unsetting master ifindex
+
+Fixes #20241.
+
+(cherry picked from commit c347a98272bd1b81682c266b9720fad107b96ab0)
+
+Conflict:NA
+Reference:https://github.com/systemd/systemd/commit/090378dcb1de5ca66900503210e85d63075fa70a
+---
+ src/network/networkd-setlink.c | 20 ++++++++++++++++++--
+ 1 file changed, 18 insertions(+), 2 deletions(-)
+
+diff --git a/src/network/networkd-setlink.c b/src/network/networkd-setlink.c
+index 8130bb6bcc..10c312c480 100644
+--- a/src/network/networkd-setlink.c
++++ b/src/network/networkd-setlink.c
+@@ -95,9 +95,16 @@ static int set_link_handler_internal(
+ return 1;
+
+ on_error:
+- if (op == SET_LINK_FLAGS) {
++ switch (op) {
++ case SET_LINK_FLAGS:
+ assert(link->set_flags_messages > 0);
+ link->set_flags_messages--;
++ break;
++ case SET_LINK_MASTER:
++ link->master_set = true;
++ break;
++ default:
++ break;
+ }
+
+ return 0;
+@@ -183,6 +190,11 @@ static int link_set_master_handler(sd_netlink *rtnl, sd_netlink_message *m, Link
+ return set_link_handler_internal(rtnl, m, link, SET_LINK_MASTER, /* ignore = */ false, get_link_master_handler);
+ }
+
++static int link_unset_master_handler(sd_netlink *rtnl, sd_netlink_message *m, Link *link) {
++ /* Some devices do not support setting master ifindex. Let's ignore error on unsetting master ifindex.
*/
++ return set_link_handler_internal(rtnl, m, link, SET_LINK_MASTER, /* ignore = */ true, get_link_master_handler);
++}
++
+ static int link_set_mtu_handler(sd_netlink *rtnl, sd_netlink_message *m, Link *link) {
+ int r;
+
+@@ -745,10 +757,14 @@ int link_request_to_set_mac(Link *link, bool allow_retry) {
+
+ int link_request_to_set_master(Link *link) {
+ assert(link);
++ assert(link->network);
+
+ link->master_set = false;
+
+- return link_request_set_link(link, SET_LINK_MASTER, link_set_master_handler, NULL);
++ if (link->network->batadv || link->network->bond || link->network->bridge || link->network->vrf)
++ return link_request_set_link(link, SET_LINK_MASTER, link_set_master_handler, NULL);
++ else
++ return link_request_set_link(link, SET_LINK_MASTER, link_unset_master_handler, NULL);
+ }
+
+ int link_request_to_set_mtu(Link *link, uint32_t mtu) {
+--
+2.33.0
+
diff --git a/backport-network-print-Ethernet-Link-Layer-DHCP-client-ID-wit.patch b/backport-network-print-Ethernet-Link-Layer-DHCP-client-ID-wit.patch
new file mode 100644
index 0000000000000000000000000000000000000000..7dd72a957700388f9c56e8d51834fd2aed21bb42
--- /dev/null
+++ b/backport-network-print-Ethernet-Link-Layer-DHCP-client-ID-wit.patch
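Review bot: The new `case SET_LINK_MASTER: link->master_set = true;` on the on_error path of set_link_handler_internal() has no comment, and it marks the master as set although the request did not succeed. Both link_set_master_handler() and link_unset_master_handler() pass SET_LINK_MASTER, so whether this branch can also run after a failed attempt to set a master depends on the code above the on_error label, which the hunk does not show. A comment such as `/* The error is ignored, so do not keep the link waiting for the master. */` would state the intent, once it is confirmed that the label is reached only when `ignore` is true.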
@@ -0,0 +1,40 @@
+From 133354a3b9fc7b88fb143f241cfc4565b943ae87 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Alvin=20=C5=A0ipraga?=
+Date: Tue, 31 Aug 2021 14:17:33 +0200
+Subject: [PATCH] network: print Ethernet Link-Layer DHCP client ID with
+ leading 0's
+
+This is a small cosmetic change.
+
+Before:
+
+ Offered DHCP leases: 192.168.0.183 (to 0:9:a7:36:bc:89)
+
+After:
+
+ Offered DHCP leases: 192.168.0.183 (to 00:09:a7:36:bc:89)
+
+(cherry picked from commit 8e664ab6ecc9c420d2151f14b36824aecc76d8ac)
+
+Conflict:NA
+Reference:https://github.com/systemd/systemd/commit/133354a3b9fc7b88fb143f241cfc4565b943ae87
+---
+ src/libsystemd-network/sd-dhcp-client.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/libsystemd-network/sd-dhcp-client.c b/src/libsystemd-network/sd-dhcp-client.c
+index dc8ff19d1a..030b50cf2a 100644
+--- a/src/libsystemd-network/sd-dhcp-client.c
++++ b/src/libsystemd-network/sd-dhcp-client.c
+@@ -192,7 +192,7 @@ int sd_dhcp_client_id_to_string(const void *data, size_t len, char **ret) {
+ if (len != sizeof_field(sd_dhcp_client_id, eth))
+ return -EINVAL;
+
+- r = asprintf(&t, "%x:%x:%x:%x:%x:%x",
++ r = asprintf(&t, "%02x:%02x:%02x:%02x:%02x:%02x",
+ client_id->eth.haddr[0],
+ client_id->eth.haddr[1],
+ client_id->eth.haddr[2],
+--
+2.33.0
+
diff --git a/backport-network-route-fix-possible-overflow-in-conversion-us.patch b/backport-network-route-fix-possible-overflow-in-conversion-us.patch
new file mode 100644
index 0000000000000000000000000000000000000000..ea7bb019f7f755527ff34274ed6b011f1539a63b
--- /dev/null
+++ b/backport-network-route-fix-possible-overflow-in-conversion-us.patch
@@ -0,0 +1,30 @@
+From 7a9b38919302e98cebc2c6233fd09d0c07ae41dc Mon Sep 17 00:00:00 2001
+From: Yu Watanabe
+Date: Fri, 15 Oct 2021 10:06:25 +0900
+Subject: [PATCH] network: route: fix possible overflow in conversion usec_t ->
+ uint32_t
+
+(cherry picked from commit ff43dddab7260c9220eaea2a545514772c0e581f)
+
+Conflict:NA
+Reference:https://github.com/systemd/systemd/commit/7a9b38919302e98cebc2c6233fd09d0c07ae41dc
+---
+ src/network/networkd-route.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/network/networkd-route.c b/src/network/networkd-route.c
+index 791fd64c39..eeba31c45d 100644
+--- a/src/network/networkd-route.c
++++ b/src/network/networkd-route.c
+@@ -1537,7 +1537,7 @@ static int route_configure(
+
+ if (route->lifetime != USEC_INFINITY && kernel_route_expiration_supported()) {
+ r = sd_netlink_message_append_u32(req, RTA_EXPIRES,
+- DIV_ROUND_UP(usec_sub_unsigned(route->lifetime, now(clock_boottime_or_monotonic())), USEC_PER_SEC));
++ MIN(DIV_ROUND_UP(usec_sub_unsigned(route->lifetime, now(clock_boottime_or_monotonic())), USEC_PER_SEC), UINT32_MAX));
+ if (r < 0)
+ return log_link_error_errno(link, r, "Could not append RTA_EXPIRES attribute: %m");
+ }
+--
+2.33.0
+
diff --git a/backport-network-use-address_equal-route_equal-to-compare-add.patch b/backport-network-use-address_equal-route_equal-to-compare-add.patch
new file mode 100644
index 0000000000000000000000000000000000000000..4232212ea1b3a3461c3703b034a7dd4e274f2bc2
--- /dev/null
+++ b/backport-network-use-address_equal-route_equal-to-compare-add.patch
@@ -0,0 +1,68 @@ +From ea4d7828fe525201ffb98ff2a31fde8a12e0a4c4 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Wed, 4 Aug 2021 13:14:03 +0900 +Subject: [PATCH] network: use address_equal()/route_equal() to compare + addresses or routes configured by NDisc + +Fixes #20244. + +(cherry picked from commit 10e417b3eac03c1bcd0b5f3d5c24291ac644e164) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/ea4d7828fe525201ffb98ff2a31fde8a12e0a4c4 +--- + src/network/networkd-address.c | 2 +- + src/network/networkd-route.c | 4 ++-- + src/network/networkd-route.h | 1 + + 3 files changed, 4 insertions(+), 3 deletions(-) + +diff --git a/src/network/networkd-address.c b/src/network/networkd-address.c +index 35305aff99..6b2230b725 100644 +--- a/src/network/networkd-address.c ++++ b/src/network/networkd-address.c +@@ -165,7 +165,7 @@ Address *address_free(Address *address) { + set_remove(address->link->dhcp6_pd_addresses, address); + set_remove(address->link->dhcp6_pd_addresses_old, address); + SET_FOREACH(n, address->link->ndisc_addresses) +- if (n->address == address) ++ if (address_equal(n->address, address)) + free(set_remove(address->link->ndisc_addresses, n)); + + if (address->family == AF_INET6 && +diff --git a/src/network/networkd-route.c b/src/network/networkd-route.c +index 7b36b48141..77a93beca9 100644 +--- a/src/network/networkd-route.c ++++ b/src/network/networkd-route.c +@@ -279,7 +279,7 @@ Route *route_free(Route *route) { + set_remove(route->link->dhcp6_pd_routes, route); + set_remove(route->link->dhcp6_pd_routes_old, route); + SET_FOREACH(n, route->link->ndisc_routes) +- if (n->route == route) ++ if (route_equal(n->route, route)) + free(set_remove(route->link->ndisc_routes, n)); + } + +@@ -435,7 +435,7 @@ DEFINE_HASH_OPS_WITH_KEY_DESTRUCTOR( + route_compare_func, + route_free); + +-static bool route_equal(const Route *r1, const Route *r2) { ++bool route_equal(const Route *r1, const Route *r2) { + if (r1 == r2) + return true; + +diff --git 
a/src/network/networkd-route.h b/src/network/networkd-route.h +index fa0b3ba0fc..2d262819ad 100644 +--- a/src/network/networkd-route.h ++++ b/src/network/networkd-route.h +@@ -66,6 +66,7 @@ typedef struct Route { + + void route_hash_func(const Route *route, struct siphash *state); + int route_compare_func(const Route *a, const Route *b); ++bool route_equal(const Route *r1, const Route *r2); + extern const struct hash_ops route_hash_ops; + + int route_new(Route **ret); +-- +2.33.0 + diff --git a/backport-network-use-monotonic-instead-of-boot-time-to-handle.patch b/backport-network-use-monotonic-instead-of-boot-time-to-handle.patch new file mode 100644 index 0000000000000000000000000000000000000000..8c8e824c3af4c3651364ad8e23d7eabd75363386 --- /dev/null +++ b/backport-network-use-monotonic-instead-of-boot-time-to-handle.patch 
@@ -0,0 +1,36 @@
+From 171daf2dc084fab16c0696b139b1af3f0ab9d9f0 Mon Sep 17 00:00:00 2001
+From: Yu Watanabe
+Date: Fri, 6 Aug 2021 19:37:16 +0900
+Subject: [PATCH] network: use monotonic instead of boot time to handle address
+ creation/update timestamp
+
+Follow-up for 25db3aeaf32ba95bad5e765720ebc23c8ef77a99 and 899034ba8167bd16e802cfbea29a9ee85dee5be5.
+
+Fixes another issue in #20244.
+
+(cherry picked from commit 5865dc1493e5519549d24fef23a2ce5c812eca32)
+
+Conflict:NA
+Reference:https://github.com/systemd/systemd/commit/171daf2dc084fab16c0696b139b1af3f0ab9d9f0
+---
+ src/network/networkd-ndisc.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/network/networkd-ndisc.c b/src/network/networkd-ndisc.c
+index efc4707855..e3705bfed5 100644
+--- a/src/network/networkd-ndisc.c
++++ b/src/network/networkd-ndisc.c
+@@ -765,7 +765,9 @@ static int ndisc_router_process_autonomous_prefix(Link *link, sd_ndisc_router *r
+ assert(link);
+ assert(rt);
+
+- r = sd_ndisc_router_get_timestamp(rt, clock_boottime_or_monotonic(), &time_now);
++ /* Do not use clock_boottime_or_monotonic() here, as the kernel internally manages cstamp and
++ * tstamp with jiffies, and it is not increased while the system is suspended. */
++ r = sd_ndisc_router_get_timestamp(rt, CLOCK_MONOTONIC, &time_now);
+ if (r < 0)
+ return log_link_error_errno(link, r, "Failed to get RA timestamp: %m");
+
+--
+2.33.0
+
diff --git a/backport-networkd-Include-linux-netdevice.h-header.patch b/backport-networkd-Include-linux-netdevice.h-header.patch
new file mode 100644
index 0000000000000000000000000000000000000000..4be2aeddbe0f92e644f2d5bda024d13d93973263
--- /dev/null
+++ b/backport-networkd-Include-linux-netdevice.h-header.patch
@@ -0,0 +1,37 @@
+From 898949f71513da918c4aa94a0681fbc6b868e00f Mon Sep 17 00:00:00 2001
+From: Khem Raj
+Date: Mon, 26 Jul 2021 10:58:46 -0700
+Subject: [PATCH] networkd: Include linux/netdevice.h header
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This header provides definitions for NET_NAME_UNKNOWN ånd NET_NAME_ENUM
+Fixes build issue found with non-glibc systems
+
+../git/src/network/networkd-link.c:1203:52: error: 'NET_NAME_UNKNOWN' undeclared (first use in this function)
+
+Signed-off-by: Khem Raj
+(cherry picked from commit 2a0d07d6a0d5be63c6c10cb0789412f584858ec1)
+
+Conflict:NA
+Reference:https://github.com/systemd/systemd/commit/898949f71513da918c4aa94a0681fbc6b868e00f
+---
+ src/network/networkd-link.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/network/networkd-link.c b/src/network/networkd-link.c
+index c1ab14ebec..9421ce1aa6 100644
+--- a/src/network/networkd-link.c
++++ b/src/network/networkd-link.c
+@@ -4,6 +4,7 @@
+ #include
+ #include
+ #include
++#include
+ #include
+ #include
+
+--
+2.33.0
+
diff --git a/backport-nspawn-fix-type-to-pass-to-connect.patch b/backport-nspawn-fix-type-to-pass-to-connect.patch
new file mode 100644
index 0000000000000000000000000000000000000000..a9f689ef0d6740f3e491ac9dd89458a4ec278410
--- /dev/null
+++ b/backport-nspawn-fix-type-to-pass-to-connect.patch
@@ -0,0 +1,34 @@
+From caa0827ca920617dc54e62be1ff8422ad9ce2d3a Mon Sep 17 00:00:00 2001
+From: Lennart Poettering
+Date: Wed, 1 Sep 2021 14:41:37 +0200
+Subject: [PATCH] nspawn: fix type to pass to connect()
+
+It expects a generic "struct sockaddr", not a "struct sockaddr_un".
+Pass the right member of the union.
+
+Not sure why gcc/llvm never complained about this...
+
+(cherry picked from commit 32b9736a230d47b73babcc5cfa27d672bb721bd0)
+
+Conflict:NA
+Reference:https://github.com/systemd/systemd/commit/caa0827ca920617dc54e62be1ff8422ad9ce2d3a
+---
+ src/nspawn/nspawn.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
+index 04685fecba..575b9da447 100644
+--- a/src/nspawn/nspawn.c
++++ b/src/nspawn/nspawn.c
+@@ -5354,7 +5354,7 @@ static int cant_be_in_netns(void) {
+ if (fd < 0)
+ return log_error_errno(errno, "Failed to allocate udev control socket: %m");
+
+- if (connect(fd, &sa.un, SOCKADDR_UN_LEN(sa.un)) < 0) {
++ if (connect(fd, &sa.sa, SOCKADDR_UN_LEN(sa.un)) < 0) {
+
+ if (errno == ENOENT || ERRNO_IS_DISCONNECT(errno))
+ return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP),
+--
+2.33.0
+
diff --git a/backport-nss-drop-dummy-setup_logging-helpers.patch b/backport-nss-drop-dummy-setup_logging-helpers.patch
new file mode 100644
index 0000000000000000000000000000000000000000..f2e296d686d71e46595d3f182ea51a1dfce964e8
--- /dev/null
+++ b/backport-nss-drop-dummy-setup_logging-helpers.patch
@@ -0,0 +1,61 @@ +From da98ffd65aa29ee968a4f4379f5c8e06bf2d58f4 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Tue, 11 Jan 2022 13:23:27 +0100 +Subject: [PATCH] nss: drop dummy setup_logging() helpers + +log_parse_environment() stopped being a macro in 9fdee66f2d9. +As reported by @bauen1 in https://github.com/systemd/systemd/issues/22020, +the comment was out of date. + +(cherry picked from commit 56a5f4969b96529c82ec8cc08db4fa8e9c61e7b9) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/da98ffd65aa29ee968a4f4379f5c8e06bf2d58f4 +--- + src/nss-mymachines/nss-mymachines.c | 7 +------ + src/nss-systemd/nss-systemd.c | 7 +------ + 2 files changed, 2 insertions(+), 12 deletions(-) + +diff --git a/src/nss-mymachines/nss-mymachines.c b/src/nss-mymachines/nss-mymachines.c +index 44715bb3e5..781fd48d72 100644 +--- a/src/nss-mymachines/nss-mymachines.c ++++ b/src/nss-mymachines/nss-mymachines.c +@@ -22,14 +22,9 @@ + #include "signal-util.h" + #include "string-util.h" + +-static void setup_logging(void) { +- /* We need a dummy function because log_parse_environment is a macro. */ +- log_parse_environment(); +-} +- + static void setup_logging_once(void) { + static pthread_once_t once = PTHREAD_ONCE_INIT; +- assert_se(pthread_once(&once, setup_logging) == 0); ++ assert_se(pthread_once(&once, log_parse_environment) == 0); + } + + #define NSS_ENTRYPOINT_BEGIN \ +diff --git a/src/nss-systemd/nss-systemd.c b/src/nss-systemd/nss-systemd.c +index 36486b96e3..c6c00c40e6 100644 +--- a/src/nss-systemd/nss-systemd.c ++++ b/src/nss-systemd/nss-systemd.c +@@ -116,14 +116,9 @@ static GetentData getsgent_data = { + .mutex = PTHREAD_MUTEX_INITIALIZER, + }; + +-static void setup_logging(void) { +- /* We need a dummy function because log_parse_environment is a macro. 
*/ +- log_parse_environment(); +-} +- + static void setup_logging_once(void) { + static pthread_once_t once = PTHREAD_ONCE_INIT; +- assert_se(pthread_once(&once, setup_logging) == 0); ++ assert_se(pthread_once(&once, log_parse_environment) == 0); + } + + #define NSS_ENTRYPOINT_BEGIN \ +-- +2.33.0 + diff --git a/backport-nss-myhostname-do-not-apply-non-zero-offset-to-null-.patch b/backport-nss-myhostname-do-not-apply-non-zero-offset-to-null-.patch new file mode 100644 index 0000000000000000000000000000000000000000..a7007ab3a1122dce61ff73b5e5d022a6f2ec9996 --- /dev/null +++ b/backport-nss-myhostname-do-not-apply-non-zero-offset-to-null-.patch 
@@ -0,0 +1,45 @@
+From 05189e8c961c6b4ac8ef79c8911cb56965a5034f Mon Sep 17 00:00:00 2001
+From: Yu Watanabe
+Date: Fri, 31 Dec 2021 09:13:00 +0900
+Subject: [PATCH] nss-myhostname: do not apply non-zero offset to null pointer
+
+Fixes https://github.com/systemd/systemd/issues/21935#issuecomment-1003216503.
+
+(cherry picked from commit 92e9df9ca031b9b04487a46afd986ab3122183fd)
+(cherry picked from commit a473bfb4332ad6b0a0894135c4de0f8cc324d378)
+
+Conflict:NA
+Reference:https://github.com/systemd/systemd/commit/05189e8c961c6b4ac8ef79c8911cb56965a5034f
+---
+ src/nss-myhostname/nss-myhostname.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/nss-myhostname/nss-myhostname.c b/src/nss-myhostname/nss-myhostname.c
+index 3536c5fc83..67b1554d27 100644
+--- a/src/nss-myhostname/nss-myhostname.c
++++ b/src/nss-myhostname/nss-myhostname.c
+@@ -39,10 +39,8 @@ enum nss_status _nss_myhostname_gethostbyname4_r(
+ const char *canonical = NULL;
+ int n_addresses = 0;
+ uint32_t local_address_ipv4;
+- struct local_address *a;
+ size_t l, idx, ms;
+ char *r_name;
+- unsigned n;
+
+ PROTECT_ERRNO;
+ BLOCK_SIGNALS(NSS_SIGNALS_BLOCK);
+@@ -136,7 +134,9 @@ enum nss_status _nss_myhostname_gethostbyname4_r(
+ }
+
+ /* Fourth, fill actual addresses in, but in backwards order */
+- for (a = addresses + n_addresses - 1, n = 0; (int) n < n_addresses; n++, a--) {
++ for (int i = n_addresses; i > 0; i--) {
++ struct local_address *a = addresses + i - 1;
++
+ r_tuple = (struct gaih_addrtuple*) (buffer + idx);
+ r_tuple->next = r_tuple_prev;
+ r_tuple->name = r_name;
+--
+2.33.0
+
diff --git a/backport-nss-only-read-logging-config-from-environment-variab.patch b/backport-nss-only-read-logging-config-from-environment-variab.patch
new file mode 100644
index 0000000000000000000000000000000000000000..45ed5e5cb194f10a5dc3f52c642ef2b4d54f140c
--- /dev/null
+++ b/backport-nss-only-read-logging-config-from-environment-variab.patch
@@ -0,0 +1,118 @@ +From 9e29d13926b62c10d931d287b30b7874872bfe39 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Tue, 11 Jan 2022 13:36:39 +0100 +Subject: [PATCH] nss: only read logging config from environment variables + +log_parse_environment() uses should_parse_proc_cmdline() to determine whether +it should parse settings from the kernel command line. But the checks that +should_parse_proc_cmdline() apply to the whole process, and we could get a positive +answer also when log_parse_environment() was called from one of the nss modules. +In case of nss-modules, we don't want to look at the kernel command line. + +log_parse_environment_variables() that only looks at the environment variables +is split out and used in the nss modules. + +Fixes #22020. + +(cherry picked from commit a7d15a24659770b0fa9f4cd26fc7bbb17765cbb7) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/9e29d13926b62c10d931d287b30b7874872bfe39 +--- + src/basic/log.c | 16 ++++++++++------ + src/basic/log.h | 1 + + src/nss-mymachines/nss-mymachines.c | 2 +- + src/nss-resolve/nss-resolve.c | 2 +- + src/nss-systemd/nss-systemd.c | 2 +- + 5 files changed, 14 insertions(+), 9 deletions(-) + +diff --git a/src/basic/log.c b/src/basic/log.c +index fb183ea9e7..1d68b49963 100644 +--- a/src/basic/log.c ++++ b/src/basic/log.c +@@ -1189,14 +1189,9 @@ static bool should_parse_proc_cmdline(void) { + return getpid_cached() == p; + } + +-void log_parse_environment(void) { ++void log_parse_environment_variables(void) { + const char *e; + +- /* Do not call from library code. */ +- +- if (should_parse_proc_cmdline()) +- (void) proc_cmdline_parse(parse_proc_cmdline_item, NULL, PROC_CMDLINE_STRIP_RD_PREFIX); +- + e = getenv("SYSTEMD_LOG_TARGET"); + if (e && log_set_target_from_string(e) < 0) + log_warning("Failed to parse log target '%s'. Ignoring.", e); +@@ -1222,6 +1217,15 @@ void log_parse_environment(void) { + log_warning("Failed to parse log tid '%s'. 
Ignoring.", e); + } + ++void log_parse_environment(void) { ++ /* Do not call from library code. */ ++ ++ if (should_parse_proc_cmdline()) ++ (void) proc_cmdline_parse(parse_proc_cmdline_item, NULL, PROC_CMDLINE_STRIP_RD_PREFIX); ++ ++ log_parse_environment_variables(); ++} ++ + LogTarget log_get_target(void) { + return log_target; + } +diff --git a/src/basic/log.h b/src/basic/log.h +index 8bfae8e0e5..3dbd01a75d 100644 +--- a/src/basic/log.h ++++ b/src/basic/log.h +@@ -69,6 +69,7 @@ int log_open(void); + void log_close(void); + void log_forget_fds(void); + ++void log_parse_environment_variables(void); + void log_parse_environment(void); + + int log_dispatch_internal( +diff --git a/src/nss-mymachines/nss-mymachines.c b/src/nss-mymachines/nss-mymachines.c +index 781fd48d72..c64e79bdff 100644 +--- a/src/nss-mymachines/nss-mymachines.c ++++ b/src/nss-mymachines/nss-mymachines.c +@@ -24,7 +24,7 @@ + + static void setup_logging_once(void) { + static pthread_once_t once = PTHREAD_ONCE_INIT; +- assert_se(pthread_once(&once, log_parse_environment) == 0); ++ assert_se(pthread_once(&once, log_parse_environment_variables) == 0); + } + + #define NSS_ENTRYPOINT_BEGIN \ +diff --git a/src/nss-resolve/nss-resolve.c b/src/nss-resolve/nss-resolve.c +index 4f54973202..dd2e5206e2 100644 +--- a/src/nss-resolve/nss-resolve.c ++++ b/src/nss-resolve/nss-resolve.c +@@ -22,7 +22,7 @@ + static JsonDispatchFlags json_dispatch_flags = 0; + + static void setup_logging(void) { +- log_parse_environment(); ++ log_parse_environment_variables(); + + if (DEBUG_LOGGING) + json_dispatch_flags = JSON_LOG; +diff --git a/src/nss-systemd/nss-systemd.c b/src/nss-systemd/nss-systemd.c +index c6c00c40e6..e87f1d31b3 100644 +--- a/src/nss-systemd/nss-systemd.c ++++ b/src/nss-systemd/nss-systemd.c +@@ -118,7 +118,7 @@ static GetentData getsgent_data = { + + static void setup_logging_once(void) { + static pthread_once_t once = PTHREAD_ONCE_INIT; +- assert_se(pthread_once(&once, log_parse_environment) == 0); ++ 
assert_se(pthread_once(&once, log_parse_environment_variables) == 0); + } + + #define NSS_ENTRYPOINT_BEGIN \ +-- +2.33.0 + diff --git a/backport-nss-systemd-ensure-returned-strings-point-into-provi.patch b/backport-nss-systemd-ensure-returned-strings-point-into-provi.patch new file mode 100644 index 0000000000000000000000000000000000000000..4165a9c152179dbac7cd758e46828c23b21f6885 --- /dev/null +++ b/backport-nss-systemd-ensure-returned-strings-point-into-provi.patch 
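Review bot: `log_parse_environment_variables()` in src/basic/log.c is now the function the NSS modules call, yet it still reads `SYSTEMD_LOG_TARGET` and the variables after it with plain `getenv()`. NSS modules are loaded into whatever process performs a lookup, which may include set-uid programs whose environment is chosen by the invoking user, so those values should be treated as untrusted there. Consider `secure_getenv()` for these reads, or document the decision on the new function, e.g. `/* May be called from library code: reads only environment variables, never the kernel command line. */`, and state whether privileged callers are expected. The function body continues outside the hunk, so the remaining reads are not visible here.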
@@ -0,0 +1,350 @@ +From 055ba736e12255cf79acc81aac382344129d03c5 Mon Sep 17 00:00:00 2001 +From: Michael Catanzaro +Date: Wed, 8 Sep 2021 16:51:16 -0500 +Subject: [PATCH] nss-systemd: ensure returned strings point into provided + buffer + +Jamie Bainbridge found an issue where glib's g_get_user_database_entry() +may crash after doing: + +``` +error = getpwnam_r (logname, &pwd, buffer, bufsize, &pw); +// ... +pw->pw_name[0] = g_ascii_toupper (pw->pw_name[0]); +``` + +in order to uppercase the first letter of the user's real name. This is +a glib bug, because there is a different codepath that gets the pwd from +vanilla getpwnam instead of getpwnam_r as shown here. When the pwd +struct is returned by getpwnam, its fields point to static data owned by +glibc/NSS, and so it must not be modified by the caller. After much +debugging, Jamie Bainbridge has fixed this in https://gitlab.gnome.org/GNOME/glib/-/merge_requests/2244 +by making a copy of the data before modifying it, and that resolves all +problems for glib. Yay! + +However, glib is crashing even when getpwnam_r is used instead of +getpwnam! According to getpwnam_r(3), the strings in the pwd struct are +supposed to be pointers into the buffer passed by the caller, so glib +should be able to safely edit it directly in this case, so long as it +doesn't try to increase the size of any of the strings. + +Problem is various functions throughout nss-systemd.c return synthesized +records declared at the top of the file. These records are returned +directly and so contain pointers to static strings owned by +libsystemd-nss. systemd must instead copy all the strings into the +provided buffer. + +This crash is reproducible if nss-systemd is listed first on the passwd +line in /etc/nsswitch.conf, and the application looks up one of the +synthesized user accounts "root" or "nobody", and finally the +application attempts to edit one of the strings in the returned struct. 
+All our synthesized records for the other struct types have the same +problem, so this commit fixes them all at once. + +Fixes #20679 + +(cherry picked from commit 47fd7fa6c650d7a0ac41bc89747e3b866ffb9534) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/055ba736e12255cf79acc81aac382344129d03c5 +--- + src/nss-systemd/nss-systemd.c | 204 ++++++++++++++++++++++++++++------ + 1 file changed, 168 insertions(+), 36 deletions(-) + +diff --git a/src/nss-systemd/nss-systemd.c b/src/nss-systemd/nss-systemd.c +index 1b0866109a..1840a0d508 100644 +--- a/src/nss-systemd/nss-systemd.c ++++ b/src/nss-systemd/nss-systemd.c +@@ -2,6 +2,7 @@ + + #include + #include ++#include + + #include "env-util.h" + #include "errno-util.h" +@@ -139,6 +140,155 @@ NSS_GRENT_PROTOTYPES(systemd); + NSS_SGENT_PROTOTYPES(systemd); + NSS_INITGROUPS_PROTOTYPE(systemd); + ++/* Since our NSS functions implement reentrant glibc APIs, we have to guarantee ++ * all the string pointers we return point into the buffer provided by the ++ * caller, not into our own static memory. 
*/ ++ ++static enum nss_status copy_synthesized_passwd( ++ struct passwd *dest, ++ const struct passwd *src, ++ char *buffer, size_t buflen, ++ int *errnop) { ++ ++ size_t required; ++ ++ assert(dest); ++ assert(src); ++ assert(src->pw_name); ++ assert(src->pw_passwd); ++ assert(src->pw_gecos); ++ assert(src->pw_dir); ++ assert(src->pw_shell); ++ ++ required = strlen(src->pw_name) + 1; ++ required += strlen(src->pw_passwd) + 1; ++ required += strlen(src->pw_gecos) + 1; ++ required += strlen(src->pw_dir) + 1; ++ required += strlen(src->pw_shell) + 1; ++ ++ if (buflen < required) { ++ *errnop = ERANGE; ++ return NSS_STATUS_TRYAGAIN; ++ } ++ ++ assert(buffer); ++ ++ *dest = *src; ++ ++ /* String fields point into the user-provided buffer */ ++ dest->pw_name = buffer; ++ dest->pw_passwd = stpcpy(dest->pw_name, src->pw_name) + 1; ++ dest->pw_gecos = stpcpy(dest->pw_passwd, src->pw_passwd) + 1; ++ dest->pw_dir = stpcpy(dest->pw_gecos, src->pw_gecos) + 1; ++ dest->pw_shell = stpcpy(dest->pw_dir, src->pw_dir) + 1; ++ strcpy(dest->pw_shell, src->pw_shell); ++ ++ return NSS_STATUS_SUCCESS; ++} ++ ++static enum nss_status copy_synthesized_spwd( ++ struct spwd *dest, ++ const struct spwd *src, ++ char *buffer, size_t buflen, ++ int *errnop) { ++ ++ size_t required; ++ ++ assert(dest); ++ assert(src); ++ assert(src->sp_namp); ++ assert(src->sp_pwdp); ++ ++ required = strlen(src->sp_namp) + 1; ++ required += strlen(src->sp_pwdp) + 1; ++ ++ if (buflen < required) { ++ *errnop = ERANGE; ++ return NSS_STATUS_TRYAGAIN; ++ } ++ ++ assert(buffer); ++ ++ *dest = *src; ++ ++ /* String fields point into the user-provided buffer */ ++ dest->sp_namp = buffer; ++ dest->sp_pwdp = stpcpy(dest->sp_namp, src->sp_namp) + 1; ++ strcpy(dest->sp_pwdp, src->sp_pwdp); ++ ++ return NSS_STATUS_SUCCESS; ++} ++ ++static enum nss_status copy_synthesized_group( ++ struct group *dest, ++ const struct group *src, ++ char *buffer, size_t buflen, ++ int *errnop) { ++ ++ size_t required; ++ ++ assert(dest); ++ 
assert(src); ++ assert(src->gr_name); ++ assert(src->gr_passwd); ++ assert(src->gr_mem); ++ assert(!*src->gr_mem); /* Our synthesized records' gr_mem is always just NULL... */ ++ ++ required = strlen(src->gr_name) + 1; ++ required += strlen(src->gr_passwd) + 1; ++ required += 1; /* ...but that NULL still needs to be stored into the buffer! */ ++ ++ if (buflen < required) { ++ *errnop = ERANGE; ++ return NSS_STATUS_TRYAGAIN; ++ } ++ ++ assert(buffer); ++ ++ *dest = *src; ++ ++ /* String fields point into the user-provided buffer */ ++ dest->gr_name = buffer; ++ dest->gr_passwd = stpcpy(dest->gr_name, src->gr_name) + 1; ++ dest->gr_mem = (char **) strcpy(dest->gr_passwd, src->gr_passwd) + 1; ++ *dest->gr_mem = NULL; ++ ++ return NSS_STATUS_SUCCESS; ++} ++ ++static enum nss_status copy_synthesized_sgrp( ++ struct sgrp *dest, ++ const struct sgrp *src, ++ char *buffer, size_t buflen, ++ int *errnop) { ++ ++ size_t required; ++ ++ assert(dest); ++ assert(src); ++ assert(src->sg_namp); ++ assert(src->sg_passwd); ++ ++ required = strlen(src->sg_namp) + 1; ++ required += strlen(src->sg_passwd) + 1; ++ ++ if (buflen < required) { ++ *errnop = ERANGE; ++ return NSS_STATUS_TRYAGAIN; ++ } ++ ++ assert(buffer); ++ ++ *dest = *src; ++ ++ /* String fields point into the user-provided buffer */ ++ dest->sg_namp = buffer; ++ dest->sg_passwd = stpcpy(dest->sg_namp, src->sg_namp) + 1; ++ strcpy(dest->sg_passwd, src->sg_passwd); ++ ++ return NSS_STATUS_SUCCESS; ++} ++ + enum nss_status _nss_systemd_getpwnam_r( + const char *name, + struct passwd *pwd, +@@ -164,17 +314,14 @@ enum nss_status _nss_systemd_getpwnam_r( + /* Synthesize entries for the root and nobody users, in case they are missing in /etc/passwd */ + if (getenv_bool_secure("SYSTEMD_NSS_BYPASS_SYNTHETIC") <= 0) { + +- if (streq(name, root_passwd.pw_name)) { +- *pwd = root_passwd; +- return NSS_STATUS_SUCCESS; +- } ++ if (streq(name, root_passwd.pw_name)) ++ return copy_synthesized_passwd(pwd, &root_passwd, buffer, buflen, 
errnop); + + if (streq(name, nobody_passwd.pw_name)) { + if (!synthesize_nobody()) + return NSS_STATUS_NOTFOUND; + +- *pwd = nobody_passwd; +- return NSS_STATUS_SUCCESS; ++ return copy_synthesized_passwd(pwd, &nobody_passwd, buffer, buflen, errnop); + } + + } else if (STR_IN_SET(name, root_passwd.pw_name, nobody_passwd.pw_name)) +@@ -211,17 +358,14 @@ enum nss_status _nss_systemd_getpwuid_r( + /* Synthesize data for the root user and for nobody in case they are missing from /etc/passwd */ + if (getenv_bool_secure("SYSTEMD_NSS_BYPASS_SYNTHETIC") <= 0) { + +- if (uid == root_passwd.pw_uid) { +- *pwd = root_passwd; +- return NSS_STATUS_SUCCESS; +- } ++ if (uid == root_passwd.pw_uid) ++ return copy_synthesized_passwd(pwd, &root_passwd, buffer, buflen, errnop); + + if (uid == nobody_passwd.pw_uid) { + if (!synthesize_nobody()) + return NSS_STATUS_NOTFOUND; + +- *pwd = nobody_passwd; +- return NSS_STATUS_SUCCESS; ++ return copy_synthesized_passwd(pwd, &nobody_passwd, buffer, buflen, errnop); + } + + } else if (uid == root_passwd.pw_uid || uid == nobody_passwd.pw_uid) +@@ -259,17 +403,14 @@ enum nss_status _nss_systemd_getspnam_r( + /* Synthesize entries for the root and nobody users, in case they are missing in /etc/passwd */ + if (getenv_bool_secure("SYSTEMD_NSS_BYPASS_SYNTHETIC") <= 0) { + +- if (streq(name, root_spwd.sp_namp)) { +- *spwd = root_spwd; +- return NSS_STATUS_SUCCESS; +- } ++ if (streq(name, root_spwd.sp_namp)) ++ return copy_synthesized_spwd(spwd, &root_spwd, buffer, buflen, errnop); + + if (streq(name, nobody_spwd.sp_namp)) { + if (!synthesize_nobody()) + return NSS_STATUS_NOTFOUND; + +- *spwd = nobody_spwd; +- return NSS_STATUS_SUCCESS; ++ return copy_synthesized_spwd(spwd, &nobody_spwd, buffer, buflen, errnop); + } + + } else if (STR_IN_SET(name, root_spwd.sp_namp, nobody_spwd.sp_namp)) +@@ -309,17 +450,14 @@ enum nss_status _nss_systemd_getgrnam_r( + /* Synthesize records for root and nobody, in case they are missing from /etc/group */ + if 
(getenv_bool_secure("SYSTEMD_NSS_BYPASS_SYNTHETIC") <= 0) { + +- if (streq(name, root_group.gr_name)) { +- *gr = root_group; +- return NSS_STATUS_SUCCESS; +- } ++ if (streq(name, root_group.gr_name)) ++ return copy_synthesized_group(gr, &root_group, buffer, buflen, errnop); + + if (streq(name, nobody_group.gr_name)) { + if (!synthesize_nobody()) + return NSS_STATUS_NOTFOUND; + +- *gr = nobody_group; +- return NSS_STATUS_SUCCESS; ++ return copy_synthesized_group(gr, &nobody_group, buffer, buflen, errnop); + } + + } else if (STR_IN_SET(name, root_group.gr_name, nobody_group.gr_name)) +@@ -356,17 +494,14 @@ enum nss_status _nss_systemd_getgrgid_r( + /* Synthesize records for root and nobody, in case they are missing from /etc/group */ + if (getenv_bool_secure("SYSTEMD_NSS_BYPASS_SYNTHETIC") <= 0) { + +- if (gid == root_group.gr_gid) { +- *gr = root_group; +- return NSS_STATUS_SUCCESS; +- } ++ if (gid == root_group.gr_gid) ++ return copy_synthesized_group(gr, &root_group, buffer, buflen, errnop); + + if (gid == nobody_group.gr_gid) { + if (!synthesize_nobody()) + return NSS_STATUS_NOTFOUND; + +- *gr = nobody_group; +- return NSS_STATUS_SUCCESS; ++ return copy_synthesized_group(gr, &nobody_group, buffer, buflen, errnop); + } + + } else if (gid == root_group.gr_gid || gid == nobody_group.gr_gid) +@@ -404,17 +539,14 @@ enum nss_status _nss_systemd_getsgnam_r( + /* Synthesize records for root and nobody, in case they are missing from /etc/group */ + if (getenv_bool_secure("SYSTEMD_NSS_BYPASS_SYNTHETIC") <= 0) { + +- if (streq(name, root_sgrp.sg_namp)) { +- *sgrp = root_sgrp; +- return NSS_STATUS_SUCCESS; +- } ++ if (streq(name, root_sgrp.sg_namp)) ++ return copy_synthesized_sgrp(sgrp, &root_sgrp, buffer, buflen, errnop); + + if (streq(name, nobody_sgrp.sg_namp)) { + if (!synthesize_nobody()) + return NSS_STATUS_NOTFOUND; + +- *sgrp = nobody_sgrp; +- return NSS_STATUS_SUCCESS; ++ return copy_synthesized_sgrp(sgrp, &nobody_sgrp, buffer, buflen, errnop); + } + + } else if 
(STR_IN_SET(name, root_sgrp.sg_namp, nobody_sgrp.sg_namp)) +-- +2.33.0 + diff --git a/backport-nss-systemd-fix-alignment-of-gr_mem.patch b/backport-nss-systemd-fix-alignment-of-gr_mem.patch new file mode 100644 index 0000000000000000000000000000000000000000..fca306bb81359ad65caea009d0d95fdcf3903f2f --- /dev/null +++ b/backport-nss-systemd-fix-alignment-of-gr_mem.patch @@ -0,0 +1,43 @@ +From 649e83bb995eb067cce3e70f50e5d3ab54c9d47d Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Fri, 31 Dec 2021 06:59:42 +0900 +Subject: [PATCH] nss-systemd: fix alignment of gr_mem + +Follow-up for 1e65eb8f9b7d567462030b2e625998d77677e636. + +Fixes #21935. + +(cherry picked from commit 420a35c1fadfb4d67be6316436233d98b5688de5) +(cherry picked from commit 9c8bc0451ab2393f3b9b689e46e1b05e9f6dad35) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/649e83bb995eb067cce3e70f50e5d3ab54c9d47d +--- + src/nss-systemd/nss-systemd.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/nss-systemd/nss-systemd.c b/src/nss-systemd/nss-systemd.c +index 7aea3652c4..36486b96e3 100644 +--- a/src/nss-systemd/nss-systemd.c ++++ b/src/nss-systemd/nss-systemd.c +@@ -238,7 +238,7 @@ static enum nss_status copy_synthesized_group( + required += strlen(src->gr_passwd) + 1; + required += sizeof(char*); /* ...but that NULL still needs to be stored into the buffer! */ + +- if (buflen < required) { ++ if (buflen < ALIGN(required)) { + *errnop = ERANGE; + return NSS_STATUS_TRYAGAIN; + } +@@ -250,7 +250,7 @@ static enum nss_status copy_synthesized_group( + /* String fields point into the user-provided buffer */ + dest->gr_name = buffer; + dest->gr_passwd = stpcpy(dest->gr_name, src->gr_name) + 1; +- dest->gr_mem = (char **) stpcpy(dest->gr_passwd, src->gr_passwd) + 1; ++ dest->gr_mem = ALIGN_PTR(stpcpy(dest->gr_passwd, src->gr_passwd) + 1); + *dest->gr_mem = NULL; + + return NSS_STATUS_SUCCESS; +-- +2.33.0 + 
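Review bot: `copy_synthesized_group()` as added by this patch reserves a single byte for the terminating NULL of `gr_mem` (`required += 1;`) but then stores a whole pointer through `*dest->gr_mem = NULL;`, and it takes the return value of `strcpy()`, which is the start of `gr_passwd` rather than its end, so the store can fall outside the space the `buflen` check accounted for. The two follow-up backports in this same change (fix-required-buffer-size-calculation and fix-alignment-of-gr_mem) correct this, so the three patches have to ship together and be applied in index order (`1840a0d508`, then `7aea3652c4`, then `36486b96e3`), which is not the alphabetical order of the file names. The spec file is not visible here; a comment next to the patch list such as `# nss-systemd: the next three patches are one fix and must stay in this order` would keep a later reshuffle from reintroducing the out-of-bounds write.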
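Review bot: The new check `if (buflen < ALIGN(required))` rounds up a byte count, while `ALIGN_PTR(...)` rounds up an address, so the two agree only when `buffer` itself is pointer-aligned; nothing in the hunk shows that being guaranteed for caller-supplied buffers. If an unaligned buffer can reach copy_synthesized_group(), the padding may exceed what was reserved and `*dest->gr_mem = NULL;` would write past `buflen`. Reserving the worst-case padding removes the assumption at the cost of a slightly earlier ERANGE: `if (buflen < required + sizeof(char*) - 1) {` with a comment `/* buffer may not be pointer-aligned: reserve worst-case padding */`. The function starts and ends outside the hunk.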
diff --git a/backport-nss-systemd-fix-required-buffer-size-calculation.patch b/backport-nss-systemd-fix-required-buffer-size-calculation.patch
new file mode 100644
index 0000000000000000000000000000000000000000..fa0220ffcf1db0499358ad97ee977b2100630501
--- /dev/null
+++ b/backport-nss-systemd-fix-required-buffer-size-calculation.patch
@@ -0,0 +1,45 @@
+From 5f78618a44a21197e727cd1c62da5aa8bf7e0610 Mon Sep 17 00:00:00 2001
+From: Yu Watanabe
+Date: Fri, 31 Dec 2021 00:31:51 +0900
+Subject: [PATCH] nss-systemd: fix required buffer size calculation
+
+This also fixes the pointer assigned to the gr_mem element of struct group.
+
+Fixes a bug introduced by 47fd7fa6c650d7a0ac41bc89747e3b866ffb9534.
+
+Fixes #21935.
+
+(cherry picked from commit 1e65eb8f9b7d567462030b2e625998d77677e636)
+(cherry picked from commit 17227e81ab8a9bdfac679d450ed35434435a6ff8)
+
+Conflict:NA
+Reference:https://github.com/systemd/systemd/commit/5f78618a44a21197e727cd1c62da5aa8bf7e0610
+---
+ src/nss-systemd/nss-systemd.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/nss-systemd/nss-systemd.c b/src/nss-systemd/nss-systemd.c
+index 1840a0d508..7aea3652c4 100644
+--- a/src/nss-systemd/nss-systemd.c
++++ b/src/nss-systemd/nss-systemd.c
+@@ -236,7 +236,7 @@ static enum nss_status copy_synthesized_group(
+
+ required = strlen(src->gr_name) + 1;
+ required += strlen(src->gr_passwd) + 1;
+- required += 1; /* ...but that NULL still needs to be stored into the buffer! */
++ required += sizeof(char*); /* ...but that NULL still needs to be stored into the buffer! */
+
+ if (buflen < required) {
+ *errnop = ERANGE;
+@@ -250,7 +250,7 @@ static enum nss_status copy_synthesized_group(
+ /* String fields point into the user-provided buffer */
+ dest->gr_name = buffer;
+ dest->gr_passwd = stpcpy(dest->gr_name, src->gr_name) + 1;
+- dest->gr_mem = (char **) strcpy(dest->gr_passwd, src->gr_passwd) + 1;
++ dest->gr_mem = (char **) stpcpy(dest->gr_passwd, src->gr_passwd) + 1;
+ *dest->gr_mem = NULL;
+
+ return NSS_STATUS_SUCCESS;
+--
+2.33.0
+
diff --git a/backport-nss-systemd-pack-pw_passwd-result-into-supplied-buff.patch b/backport-nss-systemd-pack-pw_passwd-result-into-supplied-buff.patch
new file mode 100644
index 0000000000000000000000000000000000000000..ebee8776d2f01d5df3c6f4feb275c42c8f171232
--- /dev/null
+++ b/backport-nss-systemd-pack-pw_passwd-result-into-supplied-buff.patch 
@@ -0,0 +1,58 @@
+From 84313bc5a262e87f49d176db169e1562d7060b33 Mon Sep 17 00:00:00 2001
+From: Michael Catanzaro
+Date: Wed, 8 Sep 2021 13:42:16 -0500
+Subject: [PATCH] nss-systemd: pack pw_passwd result into supplied buffer
+
+getpwnam_r() guarantees that the strings in the struct passwd that it
+returns are pointers into the buffer allocated by the application and
+passed to getpwnam_r(). This means applications may choose to modify the
+strings in place, as long as the length of the strings is not increased.
+So it's wrong for us to return a static string here, we really do have
+to copy it into the application-provided buffer like we do for all the
+other strings.
+
+This is only a theoretical problem since it would be very weird for an
+application to modify the pw_passwd field, but I spotted this when
+investigating a similar crash caused by glib editing a different field.
+See also:
+
+https://gitlab.gnome.org/GNOME/glib/-/merge_requests/2244
+(cherry picked from commit 92b264676ccd79c89da270aabc1ec466fa18cd0d)
+
+Conflict:NA
+Reference:https://github.com/systemd/systemd/commit/84313bc5a262e87f49d176db169e1562d7060b33
+---
+ src/nss-systemd/userdb-glue.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/src/nss-systemd/userdb-glue.c b/src/nss-systemd/userdb-glue.c
+index a55790f641..c865ff0d82 100644
+--- a/src/nss-systemd/userdb-glue.c
++++ b/src/nss-systemd/userdb-glue.c
+@@ -35,6 +35,8 @@ int nss_pack_user_record(
+ assert(hr->user_name);
+ required = strlen(hr->user_name) + 1;
+
++ required += 2; /* strlen(PASSWORD_SEE_SHADOW) + 1 */
++
+ assert_se(rn = user_record_real_name(hr));
+ required += strlen(rn) + 1;
+
+@@ -51,12 +53,12 @@ int nss_pack_user_record(
+ .pw_name = buffer,
+ .pw_uid = hr->uid,
+ .pw_gid = user_record_gid(hr),
+- .pw_passwd = (char*) PASSWORD_SEE_SHADOW,
+ };
+
+ assert(buffer);
+
+- pwd->pw_gecos = stpcpy(pwd->pw_name, hr->user_name) + 1;
++ pwd->pw_passwd = stpcpy(pwd->pw_name, hr->user_name) + 1;
++ pwd->pw_gecos = stpcpy(pwd->pw_passwd, PASSWORD_SEE_SHADOW) + 1;
+ pwd->pw_dir = stpcpy(pwd->pw_gecos, rn) + 1;
+ pwd->pw_shell = stpcpy(pwd->pw_dir, hd) + 1;
+ strcpy(pwd->pw_shell, shell);
+--
+2.33.0
+
diff --git a/backport-oomd-fix-race-with-path-unavailability-when-killing-.patch b/backport-oomd-fix-race-with-path-unavailability-when-killing-.patch
new file mode 100644
index 0000000000000000000000000000000000000000..095f7e7e109b67e21572348d9a91e7607531ccd3
--- /dev/null
+++ b/backport-oomd-fix-race-with-path-unavailability-when-killing-.patch
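Review bot: The size accounting `required += 2; /* strlen(PASSWORD_SEE_SHADOW) + 1 */` hard-codes the length of a constant that the later `stpcpy(pwd->pw_passwd, PASSWORD_SEE_SHADOW)` copies in full, so the two can drift apart if the constant ever changes, and the copy would then write more than was reserved. Deriving the size from the constant keeps them tied together: `required += strlen(PASSWORD_SEE_SHADOW) + 1;`. The definition of PASSWORD_SEE_SHADOW and the comparison of `required` against the buffer length are outside these hunks, so this assumes that check sits between the two hunks of nss_pack_user_record().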
@@ -0,0 +1,45 @@
+From 1656ad6fd17e5be6504785bf94495437bcf453cb Mon Sep 17 00:00:00 2001
+From: Anita Zhang
+Date: Wed, 19 Jan 2022 10:40:46 -0800
+Subject: [PATCH] oomd: fix race with path unavailability when killing cgroups
+
+There can be a situation where systemd-oomd would kill all of the processes
+in a cgroup, pid1 would clean up that cgroup, and systemd-oomd would get
+ENODEV trying to iterate the cgroup a final time to ensure it was empty.
+systemd-oomd sees this as an error and immediately picks a new candidate even
+though pressure may have recovered. To counter this, check and handle
+path unavailability errnos specially.
+
+Fixes: #22030
+(cherry picked from commit 2ee209466bb51f39ae9df7fec4d5594ce8cfa3f0)
+(cherry picked from commit 0456e3aaaae7c21a037f4d3c758463c3ba4d167c)
+
+Conflict:NA
+Reference:https://github.com/systemd/systemd/commit/1656ad6fd17e5be6504785bf94495437bcf453cb
+---
+ src/oom/oomd-util.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/src/oom/oomd-util.c b/src/oom/oomd-util.c
+index b2a48acb1f..503ede9a9f 100644
+--- a/src/oom/oomd-util.c
++++ b/src/oom/oomd-util.c
+@@ -196,7 +196,14 @@ int oomd_cgroup_kill(const char *path, bool recurse, bool dry_run) {
+ r = cg_kill_recursive(SYSTEMD_CGROUP_CONTROLLER, path, SIGKILL, CGROUP_IGNORE_SELF, pids_killed, log_kill, NULL);
+ else
+ r = cg_kill(SYSTEMD_CGROUP_CONTROLLER, path, SIGKILL, CGROUP_IGNORE_SELF, pids_killed, log_kill, NULL);
+- if (r < 0)
++
++ /* The cgroup could have been cleaned up after we have sent SIGKILL to all of the processes, but before
++ * we could do one last iteration of cgroup.procs to check. Or the service unit could have exited and
++ * was removed between picking candidates and coming into this function. In either case, let's log
++ * about it let the caller decide what to do once they know how many PIDs were killed. */
++ if (IN_SET(r, -ENOENT, -ENODEV))
++ log_debug_errno(r, "Error when sending SIGKILL to processes in cgroup path %s, ignoring: %m", path);
++ else if (r < 0)
+ return r;
+
+ r = increment_oomd_xattr(path, "user.oomd_kill", set_size(pids_killed));
+--
+2.33.0
+
diff --git a/backport-oomd-handle-situations-when-no-cgroups-are-killed.patch b/backport-oomd-handle-situations-when-no-cgroups-are-killed.patch
new file mode 100644
index 0000000000000000000000000000000000000000..e8064128a93c0d06926910bc43fa54e576ba02ff
--- /dev/null
+++ b/backport-oomd-handle-situations-when-no-cgroups-are-killed.patch
@@ -0,0 +1,104 @@
+From 07b5c382361a310b3ec1fa6ccfcfc99fb4fc1ee0 Mon Sep 17 00:00:00 2001
+From: Anita Zhang
+Date: Wed, 19 Jan 2022 13:26:01 -0800
+Subject: [PATCH] oomd: handle situations when no cgroups are killed
+
+Currently if systemd-oomd doesn't kill anything in a selected cgroup, it
+selects a new candidate immediately. But if a selected cgroup wasn't killed,
+it is likely due to it disappearing or getting cleaned up between the time
+it was selected as a candidate and getting sent SIGKILL(s). We should handle
+it as though systemd-oomd did perform a kill so that it will check
+swap/pressure again before it tries to select a new candidate.
+
+(cherry picked from commit 914d4e99f43761f1ce77b520850cf096aa5196cd)
+(cherry picked from commit c4d89cd602b94ab3baac746395c797ec4da43679)
+
+Conflict:NA
+Reference:https://github.com/systemd/systemd/commit/07b5c382361a310b3ec1fa6ccfcfc99fb4fc1ee0
+---
+ src/oom/oomd-manager.c | 10 +++++++---
+ src/oom/oomd-util.c | 11 +++++------
+ 2 files changed, 12 insertions(+), 9 deletions(-)
+
+diff --git a/src/oom/oomd-manager.c b/src/oom/oomd-manager.c
+index 9cae0c9c8a..727206d0b3 100644
+--- a/src/oom/oomd-manager.c
++++ b/src/oom/oomd-manager.c
+@@ -364,7 +364,7 @@ static int monitor_swap_contexts_handler(sd_event_source *s, uint64_t usec, void
+ if (r < 0)
+ log_notice_errno(r, "Failed to kill any cgroup(s) based on swap: %m");
+ else {
+- if (selected)
++ if (selected && r > 0)
+ log_notice("Killed %s due to memory used (%"PRIu64") / total (%"PRIu64") and "
+ "swap used (%"PRIu64") / total (%"PRIu64") being more than "
+ PERMYRIAD_AS_PERCENT_FORMAT_STR,
+@@ -475,9 +475,13 @@ static int monitor_memory_pressure_contexts_handler(sd_event_source *s, uint64_t
+ if (r < 0)
+ log_notice_errno(r, "Failed to kill any cgroup(s) under %s based on pressure: %m", t->path);
+ else {
+- /* Don't act on all the high pressure cgroups at once; return as soon as we kill one */
++ /* Don't act on all the high pressure cgroups at once; return as soon as we kill one.
++ * If r == 0 then it means there were not eligible candidates, the candidate cgroup
++ * disappeared, or the candidate cgroup has no processes by the time we tried to kill
++ * it. In either case, go through the event loop again and select a new candidate if
++ * pressure is still high. */
+ m->mem_pressure_post_action_delay_start = usec_now;
+- if (selected)
++ if (selected && r > 0)
+ log_notice("Killed %s due to memory pressure for %s being %lu.%02lu%% > %lu.%02lu%%"
+ " for > %s with reclaim activity",
+ selected, t->path,
+diff --git a/src/oom/oomd-util.c b/src/oom/oomd-util.c
+index 503ede9a9f..5867d2946c 100644
+--- a/src/oom/oomd-util.c
++++ b/src/oom/oomd-util.c
+@@ -206,6 +206,9 @@ int oomd_cgroup_kill(const char *path, bool recurse, bool dry_run) {
+ else if (r < 0)
+ return r;
+
++ if (set_isempty(pids_killed))
++ log_debug("Nothing killed when attempting to kill %s", path);
++
+ r = increment_oomd_xattr(path, "user.oomd_kill", set_size(pids_killed));
+ if (r < 0)
+ log_debug_errno(r, "Failed to set user.oomd_kill on kill: %m");
+@@ -231,8 +234,6 @@ int oomd_kill_by_pgscan_rate(Hashmap *h, const char *prefix, bool dry_run, char
+ continue;
+
+ r = oomd_cgroup_kill(sorted[i]->path, true, dry_run);
+- if (r == 0)
+- continue; /* We didn't find anything to kill */
+ if (r == -ENOMEM)
+ return r; /* Treat oom as a hard error */
+ if (r < 0) {
+@@ -245,7 +246,7 @@ int oomd_kill_by_pgscan_rate(Hashmap *h, const char *prefix, bool dry_run, char
+ if (!selected)
+ return -ENOMEM;
+ *ret_selected = selected;
+- return 1;
++ return r;
+ }
+
+ return ret;
+@@ -271,8 +272,6 @@ int oomd_kill_by_swap_usage(Hashmap *h, uint64_t threshold_usage, bool dry_run,
+ continue;
+
+ r = oomd_cgroup_kill(sorted[i]->path, true, dry_run);
+- if (r == 0)
+- continue; /* We didn't find anything to kill */
+ if (r == -ENOMEM)
+ return r; /* Treat oom as a hard error */
+ if (r < 0) {
+@@ -285,7 +284,7 @@ int oomd_kill_by_swap_usage(Hashmap *h, uint64_t threshold_usage, bool dry_run,
+ if (!selected)
+ return -ENOMEM;
+ *ret_selected = selected;
+- return 1;
++ return r;
+ }
+
+ return ret;
+--
+2.33.0
+
diff --git a/backport-openssl-util-use-EVP-API-to-get-RSA-bits.patch b/backport-openssl-util-use-EVP-API-to-get-RSA-bits.patch
new file mode 100644
index 0000000000000000000000000000000000000000..33be9f8a281cee3e9137434b1603d9595b2b0097
--- /dev/null
+++ b/backport-openssl-util-use-EVP-API-to-get-RSA-bits.patch
@@ -0,0 +1,41 @@
+From 0b982442694ff69e873349459b83b421abc60d52 Mon Sep 17 00:00:00 2001
+From: Lennart Poettering
+Date: Wed, 29 Sep 2021 15:03:44 +0200
+Subject: [PATCH] openssl-util: use EVP API to get RSA bits
+
+(cherry picked from commit 7f12adc3000c08a370f74bd16c654506c8a99e92)
+
+Conflict:NA
+Reference:https://github.com/systemd/systemd/commit/0b982442694ff69e873349459b83b421abc60d52
+---
+ src/shared/openssl-util.c | 7 +------
+ 1 file changed, 1 insertion(+), 6 deletions(-)
+
+diff --git a/src/shared/openssl-util.c b/src/shared/openssl-util.c
+index bb47ae5e87..bd728e6c7c 100644
+--- a/src/shared/openssl-util.c
++++ b/src/shared/openssl-util.c
+@@ -46,7 +46,6 @@ int rsa_pkey_to_suitable_key_size(
+ size_t *ret_suitable_key_size) {
+
+ size_t suitable_key_size;
+- const RSA *rsa;
+ int bits;
+
+ assert_se(pkey);
+@@ -58,11 +57,7 @@ int rsa_pkey_to_suitable_key_size(
+ if (EVP_PKEY_base_id(pkey) != EVP_PKEY_RSA)
+ return log_debug_errno(SYNTHETIC_ERRNO(EBADMSG), "X.509 certificate does not refer to RSA key.");
+
+- rsa = EVP_PKEY_get0_RSA(pkey);
+- if (!rsa)
+- return log_debug_errno(SYNTHETIC_ERRNO(EIO), "Failed to acquire RSA public key from X.509 certificate.");
+-
+- bits = RSA_bits(rsa);
++ bits = EVP_PKEY_bits(pkey);
+ log_debug("Bits in RSA key: %i", bits);
+
+ /* We use PKCS#1 padding for the RSA cleartext, hence let's leave some extra space for it, hence only
+--
+2.33.0
+
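Review bot: With `return r;` replacing `return 1;` in oomd_kill_by_pgscan_rate() and oomd_kill_by_swap_usage(), a return of 0 can now arrive together with `*ret_selected` set, which the two handlers in oomd-manager.c account for through `selected && r > 0`. Nothing at the return sites says so, so I would add a comment above each `return r;`, for example `/* r == 0: a candidate was selected but no process was killed; *ret_selected is still set. */`. Both functions start before these hunks, so an existing header comment that describes their return values may need the same update.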
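Review bot: After the switch to `bits = EVP_PKEY_bits(pkey);` no failure path is left in this part of rsa_pkey_to_suitable_key_size(): the removed code returned an error when the RSA key could not be obtained, while the new line logs the value and carries on. EVP_PKEY_bits() is documented to return 0 when the size is not available, so a guard before the `log_debug()` such as `if (bits <= 0) return log_debug_errno(SYNTHETIC_ERRNO(EIO), "Failed to get RSA bit length.");` would keep the key-size computation from running on a non-positive value. The rest of the function lies outside the hunk, so a later range check may already cover this.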
diff --git a/backport-packit-build-on-and-use-Fedora-35-spec-file.patch b/backport-packit-build-on-and-use-Fedora-35-spec-file.patch new file mode 100644 index 0000000000000000000000000000000000000000..2ecdaab26ef7e1866d8f46d235a1f563ea937f15 --- /dev/null +++ b/backport-packit-build-on-and-use-Fedora-35-spec-file.patch 
@@ -0,0 +1,51 @@ +From 4d2e39342352fce3969064e58e366753e7002f46 Mon Sep 17 00:00:00 2001 +From: Luca Boccassi +Date: Tue, 15 Feb 2022 01:21:01 +0000 +Subject: [PATCH] packit: build on and use Fedora 35 spec file + +It's targeted to the v249 branch, while the rawhide one follows +the newest upstream release, and the command line options are not +compatible + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/4d2e39342352fce3969064e58e366753e7002f46 +--- + .packit.yml | 12 +++++------- + 1 file changed, 5 insertions(+), 7 deletions(-) + +diff --git a/.packit.yml b/.packit.yml +index ee47f8954e..fb2cb5a7c3 100644 +--- a/.packit.yml ++++ b/.packit.yml +@@ -16,8 +16,8 @@ upstream_tag_template: "v{version}" + + actions: + post-upstream-clone: +- # Use the Fedora Rawhide specfile +- - "git clone https://src.fedoraproject.org/rpms/systemd .packit_rpm --depth=1" ++ # Use the Fedora 35 specfile ++ - "git clone --branch f35 https://src.fedoraproject.org/rpms/systemd .packit_rpm --depth=1" + # Drop the "sources" file so rebase-helper doesn't think we're a dist-git + - "rm -fv .packit_rpm/sources" + # Drop backported patches from the specfile, but keep the downstream-only ones +@@ -31,14 +31,12 @@ actions: + # [0] https://github.com/mesonbuild/meson/issues/7360 + # [1] https://github.com/systemd/systemd/pull/18908#issuecomment-792250110 + - 'sed -i "/^CONFIGURE_OPTS=(/a--werror" .packit_rpm/systemd.spec' +- # cryptolib is supported from v250 and newer, remove it +- - 'sed -i "/-Dcryptolib=openssl/d" .packit_rpm/systemd.spec' + + jobs: + - job: copr_build + trigger: pull_request + metadata: + targets: +- - fedora-rawhide-aarch64 +- - fedora-rawhide-i386 +- - fedora-rawhide-x86_64 ++ - fedora-35-aarch64 ++ - fedora-35-i386 ++ - fedora-35-x86_64 +-- +2.33.0 + 
diff --git a/backport-packit-drop-unnumbered-patches-as-well.patch b/backport-packit-drop-unnumbered-patches-as-well.patch new file mode 100644 index 0000000000000000000000000000000000000000..e353d65ea699db90093707c2ca2a9f01c8841472 --- /dev/null +++ b/backport-packit-drop-unnumbered-patches-as-well.patch @@ -0,0 +1,33 @@ +From d566e288f2fb1935261d36c0c35effc4489da5e6 Mon Sep 17 00:00:00 2001 +From: Frantisek Sumsal +Date: Thu, 17 Feb 2022 14:02:04 +0100 +Subject: [PATCH] packit: drop unnumbered patches as well + +(cherry picked from commit 729c6b6af8e3cef259b80746f7f7f10cc63d309f) +(cherry picked from commit 477b85f43871c78fce053ebbd9592bf71d49dd30) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/d566e288f2fb1935261d36c0c35effc4489da5e6 +--- + .packit.yml | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/.packit.yml b/.packit.yml +index fb2cb5a7c3..3a47c6a6a1 100644 +--- a/.packit.yml ++++ b/.packit.yml +@@ -21,9 +21,9 @@ actions: + # Drop the "sources" file so rebase-helper doesn't think we're a dist-git + - "rm -fv .packit_rpm/sources" + # Drop backported patches from the specfile, but keep the downstream-only ones +- # - Patch0000-0499: backported patches from upstream ++ # - Patch(0000-0499): backported patches from upstream + # - Patch0500-9999: downstream-only patches +- - "sed -ri '/^Patch0[0-4]?[0-9]{0,2}\\:.+\\.patch/d' .packit_rpm/systemd.spec" ++ - "sed -ri '/^Patch(0[0-4]?[0-9]{0,2})?\\:.+\\.patch/d' .packit_rpm/systemd.spec" + # Build the RPM with --werror. Even though --werror doesn't work in all + # cases (see [0]), we can't use -Dc_args=/-Dcpp_args= here because of the + # RPM hardening macros, that use $CFLAGS/$CPPFLAGS (see [1]). +-- +2.33.0 + diff --git a/backport-packit-remove-unsupported-Dcryptolib-openssl-option.patch b/backport-packit-remove-unsupported-Dcryptolib-openssl-option.patch new file mode 100644 index 0000000000000000000000000000000000000000..3d0099a6fbfb4e8117155eb598e8c450daa7cd28 
--- /dev/null +++ b/backport-packit-remove-unsupported-Dcryptolib-openssl-option.patch @@ -0,0 +1,29 @@ +From 8815d340e508f0456bb56e9858c6cea3390a6143 Mon Sep 17 00:00:00 2001 +From: Luca Boccassi +Date: Tue, 15 Feb 2022 01:21:01 +0000 +Subject: [PATCH] packit: remove unsupported -Dcryptolib=openssl option + +Introduced later, so it breaks the build on v249-stable + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/8815d340e508f0456bb56e9858c6cea3390a6143 +--- + .packit.yml | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/.packit.yml b/.packit.yml +index 4545e30e08..ee47f8954e 100644 +--- a/.packit.yml ++++ b/.packit.yml +@@ -31,6 +31,8 @@ actions: + # [0] https://github.com/mesonbuild/meson/issues/7360 + # [1] https://github.com/systemd/systemd/pull/18908#issuecomment-792250110 + - 'sed -i "/^CONFIGURE_OPTS=(/a--werror" .packit_rpm/systemd.spec' ++ # cryptolib is supported from v250 and newer, remove it ++ - 'sed -i "/-Dcryptolib=openssl/d" .packit_rpm/systemd.spec' + + jobs: + - job: copr_build +-- +2.33.0 + diff --git a/backport-path-util-make-find_executable-work-without-proc-mou.patch b/backport-path-util-make-find_executable-work-without-proc-mou.patch new file mode 100644 index 0000000000000000000000000000000000000000..94a4d0aec71cb11dfbc59b7512e9e62c0284b013 --- /dev/null +++ b/backport-path-util-make-find_executable-work-without-proc-mou.patch 
@@ -0,0 +1,37 @@
+From 727d0b55f46468d6171f4a326bd3139bab3c93ab Mon Sep 17 00:00:00 2001
+From: Yu Watanabe
+Date: Mon, 23 Aug 2021 06:16:48 +0900
+Subject: [PATCH] path-util: make find_executable() work without /proc mounted
+
+Follow-up for 888f65ace6296ed61285d31db846babf1c11885e.
+
+Hopefully fixes #20514.
+
+(cherry picked from commit 93413acd3ef3a637a0f31a1d133b103e1dc81fd6)
+
+Conflict:NA
+Reference:https://github.com/systemd/systemd/commit/727d0b55f46468d6171f4a326bd3139bab3c93ab
+---
+ src/basic/path-util.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/src/basic/path-util.c b/src/basic/path-util.c
+index e5afb5f5f5..13d71ed1b6 100644
+--- a/src/basic/path-util.c
++++ b/src/basic/path-util.c
+@@ -628,7 +628,11 @@ static int check_x_access(const char *path, int *ret_fd) {
+ return r;
+
+ r = access_fd(fd, X_OK);
+- if (r < 0)
++ if (r == -ENOSYS) {
++ /* /proc is not mounted. Fallback to access(). */
++ if (access(path, X_OK) < 0)
++ return -errno;
++ } else if (r < 0)
+ return r;
+
+ if (ret_fd)
+--
+2.33.0
+
diff --git a/backport-pid1-lookup-owning-PID-of-BusName-name-of-services-a.patch b/backport-pid1-lookup-owning-PID-of-BusName-name-of-services-a.patch
new file mode 100644
index 0000000000000000000000000000000000000000..e8ecbb568694ca7b9176877a3dbaae7f18dca34d
--- /dev/null
+++ b/backport-pid1-lookup-owning-PID-of-BusName-name-of-services-a.patch
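Review bot: The `-ENOSYS` fallback `access(path, X_OK)` re-resolves `path` instead of checking the already opened `fd`, so its answer can describe a different file than the descriptor later handed back through `ret_fd` if the path changes in between. If the fallback has to stay path-based, I would say so next to it, e.g. `/* Best effort: this checks the path, not the inode behind fd. */`, so callers do not treat the returned fd as having passed the check. check_x_access() starts before the hunk and continues after it, so how `fd` was opened is not visible here.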
@@ -0,0 +1,160 @@
+From 1daa382a7f9e55d11f7b59b144a9963688169843 Mon Sep 17 00:00:00 2001
+From: Lennart Poettering
+Date: Thu, 17 Feb 2022 14:40:25 +0100
+Subject: [PATCH] pid1: lookup owning PID of BusName= name of services
+ asynchronously
+
+A first step of removing blocking calls to the D-Bus broker from PID 1.
+There's a lot more to got (i.e. grep src/core/ for sd_bus_creds
+basically), but it's a start.
+
+Removing blocking calls to D-Bus broker deals systematicallly with
+deadlocks caused by dbus-daemon blocking on synchronous IPC calls back
+to PID1 (e.g. Varlink calls through nss-systemd). Bugs such as #15316.
+
+Also-see: https://github.com/systemd/systemd/pull/22038#issuecomment-1042958390
+(cherry picked from commit e39eb045a502d599e6cd3fda7a46020dd438d018)
+(cherry picked from commit cf390149cb25248169c482e315a1a7ff02eaf956)
+
+Conflict:NA
+Reference:https://github.com/systemd/systemd/commit/1daa382a7f9e55d11f7b59b144a9963688169843
+---
+ src/core/service.c | 91 ++++++++++++++++++++++++++++++++++++----------
+ src/core/service.h | 2 +
+ 2 files changed, 74 insertions(+), 19 deletions(-)
+
+diff --git a/src/core/service.c b/src/core/service.c
+index 5f56217904..f6eb46cb54 100644
+--- a/src/core/service.c
++++ b/src/core/service.c
+@@ -398,6 +398,8 @@ static void service_done(Unit *u) {
+ s->timer_event_source = sd_event_source_disable_unref(s->timer_event_source);
+ s->exec_fd_event_source = sd_event_source_disable_unref(s->exec_fd_event_source);
+
++ s->bus_name_pid_lookup_slot = sd_bus_slot_unref(s->bus_name_pid_lookup_slot);
++
+ service_release_resources(u);
+ }
+
+@@ -4216,6 +4218,60 @@ static int service_get_timeout(Unit *u, usec_t *timeout) {
+ return 1;
+ }
+
++static bool pick_up_pid_from_bus_name(Service *s) {
++ assert(s);
++
++ /* If the service is running but we have no main PID yet, get it from the owner of the D-Bus name */
++
++ return !pid_is_valid(s->main_pid) &&
++ IN_SET(s->state,
++ SERVICE_START,
++ SERVICE_START_POST,
++ SERVICE_RUNNING,
++ SERVICE_RELOAD);
++}
++
++static int bus_name_pid_lookup_callback(sd_bus_message *reply, void *userdata, sd_bus_error *ret_error) {
++ const sd_bus_error *e;
++ Unit *u = userdata;
++ uint32_t pid;
++ Service *s;
++ int r;
++
++ assert(reply);
++ assert(u);
++
++ s = SERVICE(u);
++ s->bus_name_pid_lookup_slot = sd_bus_slot_unref(s->bus_name_pid_lookup_slot);
++
++ if (!s->bus_name || !pick_up_pid_from_bus_name(s))
++ return 1;
++
++ e = sd_bus_message_get_error(reply);
++ if (e) {
++ r = sd_bus_error_get_errno(e);
++ log_warning_errno(r, "GetConnectionUnixProcessID() failed: %s", bus_error_message(e, r));
++ return 1;
++ }
++
++ r = sd_bus_message_read(reply, "u", &pid);
++ if (r < 0) {
++ bus_log_parse_error(r);
++ return 1;
++ }
++
++ if (!pid_is_valid(pid)) {
++ log_debug_errno(SYNTHETIC_ERRNO(EINVAL), "GetConnectionUnixProcessID() returned invalid PID");
++ return 1;
++ }
++
++ log_unit_debug(u, "D-Bus name %s is now owned by process " PID_FMT, s->bus_name, (pid_t) pid);
++
++ service_set_main_pid(s, pid);
++ unit_watch_pid(UNIT(s), pid, false);
++ return 1;
++}
++
+ static void service_bus_name_owner_change(Unit *u, const char *new_owner) {
+
+ Service *s = SERVICE(u);
+@@ -4246,28 +4302,25 @@ static void service_bus_name_owner_change(Unit *u, const char *new_owner) {
+ else if (s->state == SERVICE_START && new_owner)
+ service_enter_start_post(s);
+
+- } else if (new_owner &&
+- s->main_pid <= 0 &&
+- IN_SET(s->state,
+- SERVICE_START,
+- SERVICE_START_POST,
+- SERVICE_RUNNING,
+- SERVICE_RELOAD)) {
+-
+- _cleanup_(sd_bus_creds_unrefp) sd_bus_creds *creds = NULL;
+- pid_t pid;
++ } else if (new_owner && pick_up_pid_from_bus_name(s)) {
+
+ /* Try to acquire PID from bus service */
+
+- r = sd_bus_get_name_creds(u->manager->api_bus, s->bus_name, SD_BUS_CREDS_PID, &creds);
+- if (r >= 0)
+- r = sd_bus_creds_get_pid(creds, &pid);
+- if (r >= 0) {
+- log_unit_debug(u, "D-Bus name %s is now owned by process " PID_FMT, s->bus_name, pid);
+-
+- service_set_main_pid(s, pid);
+- unit_watch_pid(UNIT(s), pid, false);
+- }
++ s->bus_name_pid_lookup_slot = sd_bus_slot_unref(s->bus_name_pid_lookup_slot);
++
++ r = sd_bus_call_method_async(
++ u->manager->api_bus,
++ &s->bus_name_pid_lookup_slot,
++ "org.freedesktop.DBus",
++ "/org/freedesktop/DBus",
++ "org.freedesktop.DBus",
++ "GetConnectionUnixProcessID",
++ bus_name_pid_lookup_callback,
++ s,
++ "s",
++ s->bus_name);
++ if (r < 0)
++ log_debug_errno(r, "Failed to request owner PID of service name, ignoring: %m");
+ }
+ }
+
+diff --git a/src/core/service.h b/src/core/service.h
+index 6d931c3d5e..6c47c91f85 100644
+--- a/src/core/service.h
++++ b/src/core/service.h
+@@ -185,6 +185,8 @@ struct Service {
+ NotifyAccess notify_access;
+ NotifyState notify_state;
+
++ sd_bus_slot *bus_name_pid_lookup_slot;
++
+ sd_event_source *exec_fd_event_source;
+
+ ServiceFDStore *fd_store;
+--
+2.33.0
+
diff --git a/backport-pid1-pass-PAM_DATA_SILENT-to-pam_end-in-child.patch b/backport-pid1-pass-PAM_DATA_SILENT-to-pam_end-in-child.patch
new file mode 100644
index 0000000000000000000000000000000000000000..f1da3dd00415c2e8f46f70d9762fcca50905b233
--- /dev/null
+++ b/backport-pid1-pass-PAM_DATA_SILENT-to-pam_end-in-child.patch
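Review bot: `bus_name_pid_lookup_callback()` reads its context as `Unit *u = userdata;`, but the `sd_bus_call_method_async()` call added to service_bus_name_owner_change() passes `s`, which is a `Service *`. That only lines up if the `Unit` is the first member of `struct Service`, which these hunks do not show; passing `u` as the userdata argument, or declaring `Service *s = userdata;` in the callback, removes the dependence on struct layout. The callback also drops the results of `service_set_main_pid(s, pid);` and `unit_watch_pid(UNIT(s), pid, false);` as the removed synchronous code did, so a failure to start watching the PID reported by the bus would pass silently; a debug log on failure would make that visible.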
@@ -0,0 +1,42 @@
+From 9ac4b463b6d8da420c2b12af4408d0d583280a6d Mon Sep 17 00:00:00 2001
+From: Lennart Poettering
+Date: Tue, 1 Feb 2022 12:37:51 +0100
+Subject: [PATCH] pid1: pass PAM_DATA_SILENT to pam_end() in child
+
+Fixes: #22318
+(cherry picked from commit 7feb2b5737ad110eb3985e8e9d8189f18d1c5147)
+(cherry picked from commit 9c560d201527ee064ae11784d6538ae544926181)
+
+Conflict:NA
+Reference:https://github.com/systemd/systemd/commit/9ac4b463b6d8da420c2b12af4408d0d583280a6d
+---
+ src/core/execute.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/src/core/execute.c b/src/core/execute.c
+index 2f2de4d9cf..04c0513453 100644
+--- a/src/core/execute.c
++++ b/src/core/execute.c
+@@ -1323,7 +1323,9 @@ static int setup_pam(
+ ret = 0;
+
+ child_finish:
+- pam_end(handle, pam_code | flags);
++ /* NB: pam_end() when called in child processes should set PAM_DATA_SILENT to let the module
++ * know about this. See pam_end(3) */
++ (void) pam_end(handle, pam_code | flags | PAM_DATA_SILENT);
+ _exit(ret);
+ }
+
+@@ -1358,7 +1360,7 @@ fail:
+ if (close_session)
+ pam_code = pam_close_session(handle, flags);
+
+- pam_end(handle, pam_code | flags);
++ (void) pam_end(handle, pam_code | flags);
+ }
+
+ strv_free(e);
+--
+2.33.0
+
diff --git a/backport-pid1-propagate-the-original-command-line-when-reexec.patch b/backport-pid1-propagate-the-original-command-line-when-reexec.patch
new file mode 100644
index 0000000000000000000000000000000000000000..e995700b9ac7a26b4ab0cf37a0ef6c17da8a5e9b
--- /dev/null
+++ b/backport-pid1-propagate-the-original-command-line-when-reexec.patch
@@ -0,0 +1,156 @@ +From f3af6ba86c1128ccf6d6f896f70c22f9645a51c5 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Thu, 22 Jul 2021 08:21:46 +0200 +Subject: [PATCH] pid1: propagate the original command line when reexecuting + +When we reexec the manager in a container, we lose configuration settings on +the kernel command line: + + $ systemd-nspawn -M rawhide -b systemd.status-unit-format=name systemd.show-status=yes + ... + # tr '\0' ' ' +Date: Thu, 17 Feb 2022 14:49:54 +0100 +Subject: [PATCH] pid1: set SYSTEMD_NSS_DYNAMIC_BYPASS=1 env var for + dbus-daemon +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +There's currently a deadlock between PID 1 and dbus-daemon: in some +cases dbus-daemon will do NSS lookups (which are blocking) at the same +time PID 1 synchronously blocks on some call to dbus-daemon. Let's break +that by setting SYSTEMD_NSS_DYNAMIC_BYPASS=1 env var for dbus-daemon, +which will disable synchronously blocking varlink calls from nss-systemd +to PID 1. + +In the long run we should fix this differently: remove all synchronous +calls to dbus-daemon from PID 1. This is not trivial however: so far we +had the rule that synchronous calls from PID 1 to the dbus broker are OK +as long as they only go to interfaces implemented by the broke itself +rather than services reachable through it. Given that the relationship +between PID 1 and dbus is kinda special anyway, this was considered +acceptable for the sake of simplicity, since we quite often need +metadata about bus peers from the broker, and the asynchronous logic +would substantially complicate even the simplest method handlers. + +This mostly reworks the existing code that sets SYSTEMD_NSS_BYPASS_BUS= +(which is a similar hack to deal with deadlocks between nss-systemd and +dbus-daemon itself) to set SYSTEMD_NSS_DYNAMIC_BYPASS=1 instead. 
No code +was checking SYSTEMD_NSS_BYPASS_BUS= anymore anyway, and it used to +solve a similar problem, hence it's an obvious piece of code to rework +like this. + +Issue originally tracked down by Lukas Märdian. This patch is inspired +and closely based on his patch: + + https://github.com/systemd/systemd/pull/22038 + +Fixes: #15316 +Co-authored-by: Lukas Märdian +(cherry picked from commit de90700f36f2126528f7ce92df0b5b5d5e277558) +(cherry picked from commit 367041af816d48d4852140f98fd0ba78ed83f9e4) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/0863a55ae95fe6bf7312b7a864d07a9e3fbee563 +--- + src/core/execute.c | 10 +++++----- + src/core/execute.h | 26 +++++++++++++------------- + src/core/service.c | 2 +- + 3 files changed, 19 insertions(+), 19 deletions(-) + +diff --git a/src/core/execute.c b/src/core/execute.c +index 28efe5c36f..37f63a9378 100644 +--- a/src/core/execute.c ++++ b/src/core/execute.c +@@ -1828,11 +1828,11 @@ static int build_environment( + our_env[n_env++] = x; + } + +- /* If this is D-Bus, tell the nss-systemd module, since it relies on being able to use D-Bus look up dynamic +- * users via PID 1, possibly dead-locking the dbus daemon. This way it will not use D-Bus to resolve names, but +- * check the database directly. */ +- if (p->flags & EXEC_NSS_BYPASS_BUS) { +- x = strdup("SYSTEMD_NSS_BYPASS_BUS=1"); ++ /* If this is D-Bus, tell the nss-systemd module, since it relies on being able to use blocking ++ * Varlink calls back to us for look up dynamic users in PID 1. Break the deadlock between D-Bus and ++ * PID 1 by disabling use of PID1' NSS interface for looking up dynamic users. 
*/ ++ if (p->flags & EXEC_NSS_DYNAMIC_BYPASS) { ++ x = strdup("SYSTEMD_NSS_DYNAMIC_BYPASS=1"); + if (!x) + return -ENOMEM; + our_env[n_env++] = x; +diff --git a/src/core/execute.h b/src/core/execute.h +index 4c7a5b874f..47349a69a2 100644 +--- a/src/core/execute.h ++++ b/src/core/execute.h +@@ -343,21 +343,21 @@ static inline bool exec_context_with_rootfs(const ExecContext *c) { + } + + typedef enum ExecFlags { +- EXEC_APPLY_SANDBOXING = 1 << 0, +- EXEC_APPLY_CHROOT = 1 << 1, +- EXEC_APPLY_TTY_STDIN = 1 << 2, +- EXEC_PASS_LOG_UNIT = 1 << 3, /* Whether to pass the unit name to the service's journal stream connection */ +- EXEC_CHOWN_DIRECTORIES = 1 << 4, /* chown() the runtime/state/cache/log directories to the user we run as, under all conditions */ +- EXEC_NSS_BYPASS_BUS = 1 << 5, /* Set the SYSTEMD_NSS_BYPASS_BUS environment variable, to disable nss-systemd for dbus */ +- EXEC_CGROUP_DELEGATE = 1 << 6, +- EXEC_IS_CONTROL = 1 << 7, +- EXEC_CONTROL_CGROUP = 1 << 8, /* Place the process not in the indicated cgroup but in a subcgroup '/.control', but only EXEC_CGROUP_DELEGATE and EXEC_IS_CONTROL is set, too */ +- EXEC_WRITE_CREDENTIALS = 1 << 9, /* Set up the credential store logic */ ++ EXEC_APPLY_SANDBOXING = 1 << 0, ++ EXEC_APPLY_CHROOT = 1 << 1, ++ EXEC_APPLY_TTY_STDIN = 1 << 2, ++ EXEC_PASS_LOG_UNIT = 1 << 3, /* Whether to pass the unit name to the service's journal stream connection */ ++ EXEC_CHOWN_DIRECTORIES = 1 << 4, /* chown() the runtime/state/cache/log directories to the user we run as, under all conditions */ ++ EXEC_NSS_DYNAMIC_BYPASS = 1 << 5, /* Set the SYSTEMD_NSS_DYNAMIC_BYPASS environment variable, to disable nss-systemd blocking on PID 1, for use by dbus-daemon */ ++ EXEC_CGROUP_DELEGATE = 1 << 6, ++ EXEC_IS_CONTROL = 1 << 7, ++ EXEC_CONTROL_CGROUP = 1 << 8, /* Place the process not in the indicated cgroup but in a subcgroup '/.control', but only EXEC_CGROUP_DELEGATE and EXEC_IS_CONTROL is set, too */ ++ EXEC_WRITE_CREDENTIALS = 1 << 9, /* Set up 
the credential store logic */ + + /* The following are not used by execute.c, but by consumers internally */ +- EXEC_PASS_FDS = 1 << 10, +- EXEC_SETENV_RESULT = 1 << 11, +- EXEC_SET_WATCHDOG = 1 << 12, ++ EXEC_PASS_FDS = 1 << 10, ++ EXEC_SETENV_RESULT = 1 << 11, ++ EXEC_SET_WATCHDOG = 1 << 12, + } ExecFlags; + + /* Parameters for a specific invocation of a command. This structure is put together right before a command is +diff --git a/src/core/service.c b/src/core/service.c +index f6eb46cb54..a480edc439 100644 +--- a/src/core/service.c ++++ b/src/core/service.c +@@ -1573,7 +1573,7 @@ static int service_spawn( + return -ENOMEM; + + /* System D-Bus needs nss-systemd disabled, so that we don't deadlock */ +- SET_FLAG(exec_params.flags, EXEC_NSS_BYPASS_BUS, ++ SET_FLAG(exec_params.flags, EXEC_NSS_DYNAMIC_BYPASS, + MANAGER_IS_SYSTEM(UNIT(s)->manager) && unit_has_name(UNIT(s), SPECIAL_DBUS_SERVICE)); + + strv_free_and_replace(exec_params.environment, final_env); +-- +2.33.0 + diff --git a/backport-pid1-watch-bus-name-always-when-we-have-it.patch b/backport-pid1-watch-bus-name-always-when-we-have-it.patch new file mode 100644 index 0000000000000000000000000000000000000000..f9b816d6c6d439d0034da729ce7185749ccaa8e4 --- /dev/null +++ b/backport-pid1-watch-bus-name-always-when-we-have-it.patch 
@@ -0,0 +1,57 @@
+From b301230a6ce52989053b12324fcaef0d45610ee6 Mon Sep 17 00:00:00 2001
+From: Lennart Poettering
+Date: Thu, 17 Feb 2022 17:23:48 +0100
+Subject: [PATCH] pid1: watch bus name always when we have it
+
+Previously we'd only watch configured service bus names if Type=dbus was
+set. Let's also watch it for other types. This is useful to pick up the
+main PID of such a service. In fact the code to pick it up was already
+in place, alas it didn't do anything given the signal was never received
+for it. Fix that.
+
+(It's also useful for debugging)
+
+(cherry picked from commit 1e8b312e5a22538f91defb89cf2997e09e106297)
+(cherry picked from commit a51e540b278827c0fc59760b9c77cd42cbddc0d2)
+
+Conflict:NA
+Reference:https://github.com/systemd/systemd/commit/b301230a6ce52989053b12324fcaef0d45610ee6
+---
+ src/core/service.c | 18 ++++++++++--------
+ 1 file changed, 10 insertions(+), 8 deletions(-)
+
+diff --git a/src/core/service.c b/src/core/service.c
+index 7b90822f68..5f56217904 100644
+--- a/src/core/service.c
++++ b/src/core/service.c
+@@ -685,17 +685,19 @@ static int service_setup_bus_name(Service *s) {
+ assert(s);
+
+ /* If s->bus_name is not set, then the unit will be refused by service_verify() later. */
+- if (s->type != SERVICE_DBUS || !s->bus_name)
++ if (!s->bus_name)
+ return 0;
+
+- r = unit_add_dependency_by_name(UNIT(s), UNIT_REQUIRES, SPECIAL_DBUS_SOCKET, true, UNIT_DEPENDENCY_FILE);
+- if (r < 0)
+- return log_unit_error_errno(UNIT(s), r, "Failed to add dependency on " SPECIAL_DBUS_SOCKET ": %m");
++ if (s->type == SERVICE_DBUS) {
++ r = unit_add_dependency_by_name(UNIT(s), UNIT_REQUIRES, SPECIAL_DBUS_SOCKET, true, UNIT_DEPENDENCY_FILE);
++ if (r < 0)
++ return log_unit_error_errno(UNIT(s), r, "Failed to add dependency on " SPECIAL_DBUS_SOCKET ": %m");
+
+- /* We always want to be ordered against dbus.socket if both are in the transaction.
*/
+- r = unit_add_dependency_by_name(UNIT(s), UNIT_AFTER, SPECIAL_DBUS_SOCKET, true, UNIT_DEPENDENCY_FILE);
+- if (r < 0)
+- return log_unit_error_errno(UNIT(s), r, "Failed to add dependency on " SPECIAL_DBUS_SOCKET ": %m");
++ /* We always want to be ordered against dbus.socket if both are in the transaction. */
++ r = unit_add_dependency_by_name(UNIT(s), UNIT_AFTER, SPECIAL_DBUS_SOCKET, true, UNIT_DEPENDENCY_FILE);
++ if (r < 0)
++ return log_unit_error_errno(UNIT(s), r, "Failed to add dependency on " SPECIAL_DBUS_SOCKET ": %m");
++ }
+
+ r = unit_watch_bus_name(UNIT(s), s->bus_name);
+ if (r == -EEXIST)
+--
+2.33.0
+
diff --git a/backport-policy-files-adjust-landing-page-link.patch b/backport-policy-files-adjust-landing-page-link.patch
new file mode 100644
index 0000000000000000000000000000000000000000..40cdc7fc95a214eb35966dbd0a4a608fd78360a1
--- /dev/null
+++ b/backport-policy-files-adjust-landing-page-link.patch
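Review bot: The comment kept above `if (!s->bus_name)` in service_setup_bus_name() is stale after this change: it justifies the early return with "the unit will be refused by service_verify() later", which presumably only holds for Type=dbus, while the check now also covers every other service type that simply has no BusName= set. I would reword it to something like `/* Nothing to watch without a bus name. (For Type=dbus, service_verify() refuses the unit later.) */`. A one-line comment at `unit_watch_bus_name()` would also help, stating that, per the commit message, the name owner is now used to pick up the main PID for non-dbus service types too, since that widens which services take their main PID from a bus name owner. The body of service_setup_bus_name() starts and continues outside the hunk.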
@@ -0,0 +1,170 @@ +From de0d375e38df25b9fe333d64f9880751aea46e6b Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Wed, 12 Jan 2022 10:42:22 +0100 +Subject: [PATCH] policy files: adjust landing page link + +(cherry picked from commit d6e2c1ab7158d52425d3cb72459c5624db12368c) +(cherry picked from commit 944d8d9050b96e690054224e796254dfc18e6681) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/de0d375e38df25b9fe333d64f9880751aea46e6b +--- + src/core/org.freedesktop.systemd1.policy.in | 2 +- + src/home/org.freedesktop.home1.policy | 2 +- + src/hostname/org.freedesktop.hostname1.policy | 2 +- + src/import/org.freedesktop.import1.policy | 2 +- + src/locale/org.freedesktop.locale1.policy | 2 +- + src/login/org.freedesktop.login1.policy | 2 +- + src/machine/org.freedesktop.machine1.policy | 2 +- + src/network/org.freedesktop.network1.policy | 2 +- + src/portable/org.freedesktop.portable1.policy | 2 +- + src/resolve/org.freedesktop.resolve1.policy | 2 +- + src/timedate/org.freedesktop.timedate1.policy | 2 +- + 11 files changed, 11 insertions(+), 11 deletions(-) + +diff --git a/src/core/org.freedesktop.systemd1.policy.in b/src/core/org.freedesktop.systemd1.policy.in +index 74721c516f..f34b2d5bf0 100644 +--- a/src/core/org.freedesktop.systemd1.policy.in ++++ b/src/core/org.freedesktop.systemd1.policy.in +@@ -16,7 +16,7 @@ + + + The systemd Project +- http://www.freedesktop.org/wiki/Software/systemd ++ https://systemd.io + + + Send passphrase back to system +diff --git a/src/home/org.freedesktop.home1.policy b/src/home/org.freedesktop.home1.policy +index 10ad7c283a..71253e04e9 100644 +--- a/src/home/org.freedesktop.home1.policy ++++ b/src/home/org.freedesktop.home1.policy +@@ -7,7 +7,7 @@ + + + The systemd Project +- http://www.freedesktop.org/wiki/Software/systemd ++ https://systemd.io + + + Create a home area +diff --git a/src/hostname/org.freedesktop.hostname1.policy b/src/hostname/org.freedesktop.hostname1.policy 
+index 7d28c395cf..dacea0ff0a 100644 +--- a/src/hostname/org.freedesktop.hostname1.policy ++++ b/src/hostname/org.freedesktop.hostname1.policy +@@ -14,7 +14,7 @@ + + + The systemd Project +- http://www.freedesktop.org/wiki/Software/systemd ++ https://systemd.io + + + Set hostname +diff --git a/src/import/org.freedesktop.import1.policy b/src/import/org.freedesktop.import1.policy +index 9736816e33..e88a6e8ae6 100644 +--- a/src/import/org.freedesktop.import1.policy ++++ b/src/import/org.freedesktop.import1.policy +@@ -16,7 +16,7 @@ + + + The systemd Project +- http://www.freedesktop.org/wiki/Software/systemd ++ https://systemd.io + + + Import a VM or container image +diff --git a/src/locale/org.freedesktop.locale1.policy b/src/locale/org.freedesktop.locale1.policy +index f12ca0970a..ed98c4aa09 100644 +--- a/src/locale/org.freedesktop.locale1.policy ++++ b/src/locale/org.freedesktop.locale1.policy +@@ -16,7 +16,7 @@ + + + The systemd Project +- http://www.freedesktop.org/wiki/Software/systemd ++ https://systemd.io + + + Set system locale +diff --git a/src/login/org.freedesktop.login1.policy b/src/login/org.freedesktop.login1.policy +index 80ebb39f30..df906b0e73 100644 +--- a/src/login/org.freedesktop.login1.policy ++++ b/src/login/org.freedesktop.login1.policy +@@ -16,7 +16,7 @@ + + + The systemd Project +- http://www.freedesktop.org/wiki/Software/systemd ++ https://systemd.io + + + Allow applications to inhibit system shutdown +diff --git a/src/machine/org.freedesktop.machine1.policy b/src/machine/org.freedesktop.machine1.policy +index ddf5ec05c6..5e43cb6e24 100644 +--- a/src/machine/org.freedesktop.machine1.policy ++++ b/src/machine/org.freedesktop.machine1.policy +@@ -16,7 +16,7 @@ + + + The systemd Project +- http://www.freedesktop.org/wiki/Software/systemd ++ https://systemd.io + + + Log into a local container +diff --git a/src/network/org.freedesktop.network1.policy b/src/network/org.freedesktop.network1.policy +index 9e27f728bc..c39f20655d 100644 +--- 
a/src/network/org.freedesktop.network1.policy ++++ b/src/network/org.freedesktop.network1.policy +@@ -16,7 +16,7 @@ + + + The systemd Project +- http://www.freedesktop.org/wiki/Software/systemd ++ https://systemd.io + + + Set NTP servers +diff --git a/src/portable/org.freedesktop.portable1.policy b/src/portable/org.freedesktop.portable1.policy +index 17e22b0155..09f9028dc5 100644 +--- a/src/portable/org.freedesktop.portable1.policy ++++ b/src/portable/org.freedesktop.portable1.policy +@@ -7,7 +7,7 @@ + + + The systemd Project +- http://www.freedesktop.org/wiki/Software/systemd ++ https://systemd.io + + + Inspect a portable service image +diff --git a/src/resolve/org.freedesktop.resolve1.policy b/src/resolve/org.freedesktop.resolve1.policy +index 08615ec6a4..2408bb9e38 100644 +--- a/src/resolve/org.freedesktop.resolve1.policy ++++ b/src/resolve/org.freedesktop.resolve1.policy +@@ -16,7 +16,7 @@ + + + The systemd Project +- http://www.freedesktop.org/wiki/Software/systemd ++ https://systemd.io + + + Register a DNS-SD service +diff --git a/src/timedate/org.freedesktop.timedate1.policy b/src/timedate/org.freedesktop.timedate1.policy +index c4e71b0753..4a770c08e6 100644 +--- a/src/timedate/org.freedesktop.timedate1.policy ++++ b/src/timedate/org.freedesktop.timedate1.policy +@@ -16,7 +16,7 @@ + + + The systemd Project +- http://www.freedesktop.org/wiki/Software/systemd ++ https://systemd.io + + + Set system time +-- +2.33.0 + diff --git a/backport-portable-add-flag-to-return-extension-releases-in-Ge.patch b/backport-portable-add-flag-to-return-extension-releases-in-Ge.patch new file mode 100644 index 0000000000000000000000000000000000000000..7cc7fd5193526f4246b0db373df1e3f7a3118b25 --- /dev/null +++ b/backport-portable-add-flag-to-return-extension-releases-in-Ge.patch 
@@ -0,0 +1,493 @@ +From e31e2b84cf5afff73b793dd335600265dca1ca7e Mon Sep 17 00:00:00 2001 +From: Luca Boccassi +Date: Tue, 25 Jan 2022 15:49:22 +0000 +Subject: [PATCH] portable: add flag to return extension-releases in + GetImageMetadataWithExtensions + +Return the name of each extension and the associated extension-release +file, and pretty-print them in 'portablectl inspect', if a new flag +is passed. + +$ portablectl inspect --extension app2 --extension app0 minimal app0 app1 +(Matching unit files with prefixes 'app0', 'app1'.) +Image: + /run/portables/minimal.raw +Portable Service: + n/a +Operating System: + Debian GNU/Linux 10 (buster) +Extension: + /run/portables/app2.raw + Extension Scope: + n/a + Extension Compatibility Level: + n/a + Portable Service: + n/a + Portable Prefixes: + n/a + Operating System: + n/a (debian 10) +Extension: + /run/portables/app0.raw + Extension Scope: + n/a + Extension Compatibility Level: + n/a + Portable Service: + n/a + Portable Prefixes: + n/a + Operating System: + n/a (debian 10) +Unit files: + app0.service + +(cherry picked from commit e3f7ed944ae750a40685c52349f3cc850db0876e) +(cherry picked from commit a87fdd2af22128bce621508315ed5126a8d11f45) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/e31e2b84cf5afff73b793dd335600265dca1ca7e +--- + man/org.freedesktop.portable1.xml | 10 ++- + src/portable/portable.c | 99 ++++++++++++++++++++---------- + src/portable/portable.h | 15 ++--- + src/portable/portablectl.c | 78 ++++++++++++++++++++++- + src/portable/portabled-image-bus.c | 38 ++++++++++-- + test/units/testsuite-29.sh | 3 + + 6 files changed, 199 insertions(+), 44 deletions(-) + +diff --git a/man/org.freedesktop.portable1.xml b/man/org.freedesktop.portable1.xml +index 53c960206e..053f2a5434 100644 +--- a/man/org.freedesktop.portable1.xml ++++ b/man/org.freedesktop.portable1.xml +@@ -187,7 +187,15 @@ node /org/freedesktop/portable1 { + This method is a superset of GetImageMetadata() with the addition of + 
a list of extensions as input parameter, which were overlaid on top of the main + image via AttachImageWithExtensions(). +- The flag parameter is currently unused and reserved for future purposes. ++ The flag parameter can be used to request that, before the units, the path of ++ each extension and an array of bytes with the content of the respective extension-release file ++ are sent. One such structure will be sent for each extension named in the input arguments. The ++ flag value to enable this functionality is defined as follows: ++ ++ ++#define PORTABLE_INSPECT_EXTENSION_RELEASES (UINT64_C(1) << 1) ++ ++ + + GetImageState() retrieves the image state as one of the following + strings: +diff --git a/src/portable/portable.c b/src/portable/portable.c +index 8c5e5b6821..23fe6bf926 100644 +--- a/src/portable/portable.c ++++ b/src/portable/portable.c +@@ -533,13 +533,14 @@ static int extract_image_and_extensions( + bool validate_sysext, + Image **ret_image, + OrderedHashmap **ret_extension_images, ++ OrderedHashmap **ret_extension_releases, + PortableMetadata **ret_os_release, + Hashmap **ret_unit_files, + sd_bus_error *error) { + + _cleanup_free_ char *id = NULL, *version_id = NULL, *sysext_level = NULL; + _cleanup_(portable_metadata_unrefp) PortableMetadata *os_release = NULL; +- _cleanup_ordered_hashmap_free_ OrderedHashmap *extension_images = NULL; ++ _cleanup_ordered_hashmap_free_ OrderedHashmap *extension_images = NULL, *extension_releases = NULL; + _cleanup_hashmap_free_ Hashmap *unit_files = NULL; + _cleanup_(image_unrefp) Image *image = NULL; + Image *ext; +@@ -561,6 +562,12 @@ static int extract_image_and_extensions( + if (!extension_images) + return -ENOMEM; + ++ if (ret_extension_releases) { ++ extension_releases = ordered_hashmap_new(&portable_metadata_hash_ops); ++ if (!extension_releases) ++ return -ENOMEM; ++ } ++ + STRV_FOREACH(p, extension_image_paths) { + _cleanup_(image_unrefp) Image *new = NULL; + +@@ -600,6 +607,7 @@ static int 
extract_image_and_extensions( + _cleanup_(portable_metadata_unrefp) PortableMetadata *extension_release_meta = NULL; + _cleanup_hashmap_free_ Hashmap *extra_unit_files = NULL; + _cleanup_strv_free_ char **extension_release = NULL; ++ _cleanup_close_ int extension_release_fd = -1; + _cleanup_fclose_ FILE *f = NULL; + + r = portable_extract_by_path(ext->path, /* path_is_extension= */ true, matches, &extension_release_meta, &extra_unit_files, error); +@@ -610,10 +618,15 @@ static int extract_image_and_extensions( + if (r < 0) + return r; + +- if (!validate_sysext) ++ if (!validate_sysext && !ret_extension_releases) + continue; + +- r = take_fdopen_unlocked(&extension_release_meta->fd, "r", &f); ++ /* We need to keep the fd valid, to return the PortableMetadata to the caller. */ ++ extension_release_fd = fd_reopen(extension_release_meta->fd, O_CLOEXEC); ++ if (extension_release_fd < 0) ++ return extension_release_fd; ++ ++ r = take_fdopen_unlocked(&extension_release_fd, "r", &f); + if (r < 0) + return r; + +@@ -621,15 +634,28 @@ static int extract_image_and_extensions( + if (r < 0) + return r; + +- r = extension_release_validate(ext->path, id, version_id, sysext_level, extension_release); +- if (r == 0) +- return sd_bus_error_set_errnof(error, SYNTHETIC_ERRNO(ESTALE), "Image %s extension-release metadata does not match the root's", ext->path); +- if (r < 0) +- return sd_bus_error_set_errnof(error, r, "Failed to compare image %s extension-release metadata with the root's os-release: %m", ext->path); ++ if (validate_sysext) { ++ r = extension_release_validate(ext->path, id, version_id, sysext_level, extension_release); ++ if (r == 0) ++ return sd_bus_error_set_errnof(error, SYNTHETIC_ERRNO(ESTALE), "Image %s extension-release metadata does not match the root's", ext->path); ++ if (r < 0) ++ return sd_bus_error_set_errnof(error, r, "Failed to compare image %s extension-release metadata with the root's os-release: %m", ext->path); ++ } ++ ++ if (ret_extension_releases) { 
++ r = ordered_hashmap_put(extension_releases, ext->name, extension_release_meta); ++ if (r < 0) ++ return r; ++ TAKE_PTR(extension_release_meta); ++ } + } + +- *ret_image = TAKE_PTR(image); +- *ret_extension_images = TAKE_PTR(extension_images); ++ if (ret_image) ++ *ret_image = TAKE_PTR(image); ++ if (ret_extension_images) ++ *ret_extension_images = TAKE_PTR(extension_images); ++ if (ret_extension_releases) ++ *ret_extension_releases = TAKE_PTR(extension_releases); + if (ret_os_release) + *ret_os_release = TAKE_PTR(os_release); + if (ret_unit_files) +@@ -643,24 +669,29 @@ int portable_extract( + char **matches, + char **extension_image_paths, + PortableMetadata **ret_os_release, ++ OrderedHashmap **ret_extension_releases, + Hashmap **ret_unit_files, + sd_bus_error *error) { + + _cleanup_(portable_metadata_unrefp) PortableMetadata *os_release = NULL; +- _cleanup_ordered_hashmap_free_ OrderedHashmap *extension_images = NULL; ++ _cleanup_ordered_hashmap_free_ OrderedHashmap *extension_images = NULL, *extension_releases = NULL; + _cleanup_hashmap_free_ Hashmap *unit_files = NULL; + _cleanup_(image_unrefp) Image *image = NULL; + int r; + +- r = extract_image_and_extensions(name_or_path, +- matches, +- extension_image_paths, +- /* validate_sysext= */ false, +- &image, +- &extension_images, +- &os_release, +- &unit_files, +- error); ++ assert(name_or_path); ++ ++ r = extract_image_and_extensions( ++ name_or_path, ++ matches, ++ extension_image_paths, ++ /* validate_sysext= */ false, ++ &image, ++ &extension_images, ++ &extension_releases, ++ &os_release, ++ &unit_files, ++ error); + if (r < 0) + return r; + +@@ -677,8 +708,12 @@ int portable_extract( + isempty(extensions) ? 
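Review bot: The map returned through `ret_extension_releases` is keyed by `ext->name`, a string that belongs to the `Image` held in `extension_images`, not to the `PortableMetadata` value being stored. In portable_extract() (a later hunk) `extension_images` is a `_cleanup_ordered_hashmap_free_` local while `extension_releases` is handed to the caller, so if freeing that map also releases the images, the keys point at freed memory once the function returns. The consumer added in portabled-image-bus.c only walks the values with `ORDERED_HASHMAP_FOREACH`, so nothing reads the keys today, but any later lookup would. Keying on a string the value owns, e.g. `ordered_hashmap_put(extension_releases, extension_release_meta->image_path, extension_release_meta)` if the metadata owns `image_path`, or at least a comment at the put stating the key lifetime, would remove the trap. extract_image_and_extensions() starts and ends outside this hunk.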
"" : extensions); + } + +- *ret_os_release = TAKE_PTR(os_release); +- *ret_unit_files = TAKE_PTR(unit_files); ++ if (ret_os_release) ++ *ret_os_release = TAKE_PTR(os_release); ++ if (ret_extension_releases) ++ *ret_extension_releases = TAKE_PTR(extension_releases); ++ if (ret_unit_files) ++ *ret_unit_files = TAKE_PTR(unit_files); + + return 0; + } +@@ -1225,15 +1260,17 @@ int portable_attach( + PortableMetadata *item; + int r; + +- r = extract_image_and_extensions(name_or_path, +- matches, +- extension_image_paths, +- /* validate_sysext= */ true, +- &image, +- &extension_images, +- /* os_release= */ NULL, +- &unit_files, +- error); ++ r = extract_image_and_extensions( ++ name_or_path, ++ matches, ++ extension_image_paths, ++ /* validate_sysext= */ true, ++ &image, ++ &extension_images, ++ /* extension_releases= */ NULL, ++ /* os_release= */ NULL, ++ &unit_files, ++ error); + if (r < 0) + return r; + +diff --git a/src/portable/portable.h b/src/portable/portable.h +index 94144287ae..ce55f050a2 100644 +--- a/src/portable/portable.h ++++ b/src/portable/portable.h +@@ -20,13 +20,14 @@ typedef struct PortableMetadata { + #define PORTABLE_METADATA_IS_UNIT(m) (!IN_SET((m)->name[0], 0, '/')) + + typedef enum PortableFlags { +- PORTABLE_RUNTIME = 1 << 0, /* Public API via DBUS, do not change */ +- PORTABLE_PREFER_COPY = 1 << 1, +- PORTABLE_PREFER_SYMLINK = 1 << 2, +- PORTABLE_REATTACH = 1 << 3, +- _PORTABLE_MASK_PUBLIC = PORTABLE_RUNTIME, ++ PORTABLE_RUNTIME = 1 << 0, ++ PORTABLE_INSPECT_EXTENSION_RELEASES = 1 << 1, /* Public API via DBUS, do not change */ ++ PORTABLE_PREFER_COPY = 1 << 2, ++ PORTABLE_PREFER_SYMLINK = 1 << 3, ++ PORTABLE_REATTACH = 1 << 4, ++ _PORTABLE_MASK_PUBLIC = PORTABLE_RUNTIME | PORTABLE_INSPECT_EXTENSION_RELEASES, + _PORTABLE_TYPE_MAX, +- _PORTABLE_TYPE_INVALID = -EINVAL, ++ _PORTABLE_TYPE_INVALID = -EINVAL, + } PortableFlags; + + /* This enum is anonymous, since we usually store it in an 'int', as we overload it with negative errno +@@ -64,7 +65,7 @@ 
DEFINE_TRIVIAL_CLEANUP_FUNC(PortableMetadata*, portable_metadata_unref); + + int portable_metadata_hashmap_to_sorted_array(Hashmap *unit_files, PortableMetadata ***ret); + +-int portable_extract(const char *image, char **matches, char **extension_image_paths, PortableMetadata **ret_os_release, Hashmap **ret_unit_files, sd_bus_error *error); ++int portable_extract(const char *image, char **matches, char **extension_image_paths, PortableMetadata **ret_os_release, OrderedHashmap **ret_extension_releases, Hashmap **ret_unit_files, sd_bus_error *error); + + int portable_attach(sd_bus *bus, const char *name_or_path, char **matches, const char *profile, char **extension_images, PortableFlags flags, PortableChange **changes, size_t *n_changes, sd_bus_error *error); + int portable_detach(sd_bus *bus, const char *name_or_path, char **extension_image_paths, PortableFlags flags, PortableChange **changes, size_t *n_changes, sd_bus_error *error); +diff --git a/src/portable/portablectl.c b/src/portable/portablectl.c +index 2d8079ad97..af5e78c998 100644 +--- a/src/portable/portablectl.c ++++ b/src/portable/portablectl.c +@@ -259,8 +259,8 @@ static int maybe_reload(sd_bus **bus) { + static int get_image_metadata(sd_bus *bus, const char *image, char **matches, sd_bus_message **reply) { + _cleanup_(sd_bus_message_unrefp) sd_bus_message *m = NULL; + _cleanup_(sd_bus_error_free) sd_bus_error error = SD_BUS_ERROR_NULL; ++ PortableFlags flags = PORTABLE_INSPECT_EXTENSION_RELEASES; + const char *method; +- uint64_t flags = 0; + int r; + + assert(bus); +@@ -365,6 +365,74 @@ static int inspect_image(int argc, char *argv[], void *userdata) { + if (r < 0) + return bus_log_parse_error(r); + ++ /* If we specified any extensions, we'll first get back exactly the ++ * paths (and extension-release content) for each one of the arguments. 
*/ ++ for (size_t i = 0; i < strv_length(arg_extension_images); ++i) { ++ const char *name; ++ ++ r = sd_bus_message_enter_container(reply, 'e', "say"); ++ if (r < 0) ++ return bus_log_parse_error(r); ++ if (r == 0) ++ break; ++ ++ r = sd_bus_message_read(reply, "s", &name); ++ if (r < 0) ++ return bus_log_parse_error(r); ++ ++ r = sd_bus_message_read_array(reply, 'y', &data, &sz); ++ if (r < 0) ++ return bus_log_parse_error(r); ++ ++ if (arg_cat) { ++ if (nl) ++ fputc('\n', stdout); ++ ++ printf("%s-- Extension Release: %s --%s\n", ansi_highlight(), name, ansi_normal()); ++ fwrite(data, sz, 1, stdout); ++ fflush(stdout); ++ nl = true; ++ } else { ++ _cleanup_free_ char *pretty_portable = NULL, *pretty_os = NULL, *sysext_level = NULL, ++ *id = NULL, *version_id = NULL, *sysext_scope = NULL, *portable_prefixes = NULL; ++ _cleanup_fclose_ FILE *f = NULL; ++ ++ f = fmemopen_unlocked((void*) data, sz, "re"); ++ if (!f) ++ return log_error_errno(errno, "Failed to open extension-release buffer: %m"); ++ ++ r = parse_env_file(f, name, ++ "ID", &id, ++ "VERSION_ID", &version_id, ++ "SYSEXT_SCOPE", &sysext_scope, ++ "SYSEXT_LEVEL", &sysext_level, ++ "PORTABLE_PRETTY_NAME", &pretty_portable, ++ "PORTABLE_PREFIXES", &portable_prefixes, ++ "PRETTY_NAME", &pretty_os); ++ if (r < 0) ++ return log_error_errno(r, "Failed to parse extension release from '%s': %m", name); ++ ++ printf("Extension:\n\t%s\n" ++ "\tExtension Scope:\n\t\t%s\n" ++ "\tExtension Compatibility Level:\n\t\t%s\n" ++ "\tPortable Service:\n\t\t%s\n" ++ "\tPortable Prefixes:\n\t\t%s\n" ++ "\tOperating System:\n\t\t%s (%s %s)\n", ++ name, ++ strna(sysext_scope), ++ strna(sysext_level), ++ strna(pretty_portable), ++ strna(portable_prefixes), ++ strna(pretty_os), ++ strna(id), ++ strna(version_id)); ++ } ++ ++ r = sd_bus_message_exit_container(reply); ++ if (r < 0) ++ return bus_log_parse_error(r); ++ } ++ + for (;;) { + const char *name; + +@@ -699,6 +767,14 @@ static int maybe_stop_disable(sd_bus *bus, char 
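Review bot: The loop added in inspect_image() treats the first `strv_length(arg_extension_images)` entries of the `a{say}` array as extension releases purely by position; nothing in the reply marks where extensions stop and unit files start. If the daemon returns fewer extension entries than arguments, unit files are printed as extension releases here, and the matching `sd_bus_message_skip(reply, "{say}")` loop in maybe_stop_disable() would drop real units from the list it goes on to process. Since the daemon side of this patch sends `extension_release->image_path` as the entry name, a cheap guard after reading `name` would be `if (name[0] != '/') return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Unexpected entry '%s' in extension list.", name);`, assuming image paths are always absolute. inspect_image() starts and ends outside the hunk.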
*image, char *argv[]) { + if (r < 0) + return bus_log_parse_error(r); + ++ /* If we specified any extensions, we'll first get back exactly the ++ * paths (and extension-release content) for each one of the arguments. */ ++ for (size_t i = 0; i < strv_length(arg_extension_images); ++i) { ++ r = sd_bus_message_skip(reply, "{say}"); ++ if (r < 0) ++ return bus_log_parse_error(r); ++ } ++ + for (;;) { + const char *name; + +diff --git a/src/portable/portabled-image-bus.c b/src/portable/portabled-image-bus.c +index 23c6e2633a..3e6310f23e 100644 +--- a/src/portable/portabled-image-bus.c ++++ b/src/portable/portabled-image-bus.c +@@ -102,13 +102,13 @@ int bus_image_common_get_metadata( + Image *image, + sd_bus_error *error) { + ++ _cleanup_ordered_hashmap_free_ OrderedHashmap *extension_releases = NULL; + _cleanup_(portable_metadata_unrefp) PortableMetadata *os_release = NULL; + _cleanup_strv_free_ char **matches = NULL, **extension_images = NULL; + _cleanup_hashmap_free_ Hashmap *unit_files = NULL; + _cleanup_(sd_bus_message_unrefp) sd_bus_message *reply = NULL; + _cleanup_free_ PortableMetadata **sorted = NULL; +- /* Unused for now, but added to the DBUS methods for future-proofing */ +- uint64_t input_flags = 0; ++ PortableFlags flags = 0; + size_t i; + int r; + +@@ -133,14 +133,17 @@ int bus_image_common_get_metadata( + + if (sd_bus_message_is_method_call(message, NULL, "GetImageMetadataWithExtensions") || + sd_bus_message_is_method_call(message, NULL, "GetMetadataWithExtensions")) { ++ uint64_t input_flags = 0; ++ + r = sd_bus_message_read(message, "t", &input_flags); + if (r < 0) + return r; +- /* Let clients know that this version doesn't support any flags */ +- if (input_flags != 0) ++ ++ if ((input_flags & ~_PORTABLE_MASK_PUBLIC) != 0) + return sd_bus_reply_method_errorf(message, SD_BUS_ERROR_INVALID_ARGS, + "Invalid 'flags' parameter '%" PRIu64 "'", + input_flags); ++ flags |= input_flags; + } + + r = bus_image_acquire(m, +@@ -161,6 +164,7 @@ int 
bus_image_common_get_metadata( + matches, + extension_images, + &os_release, ++ &extension_releases, + &unit_files, + error); + if (r < 0) +@@ -186,6 +190,32 @@ int bus_image_common_get_metadata( + if (r < 0) + return r; + ++ /* If it was requested, also send back the extension path and the content ++ * of each extension-release file. Behind a flag, as it's an incompatible ++ * change. */ ++ if (FLAGS_SET(flags, PORTABLE_INSPECT_EXTENSION_RELEASES)) { ++ PortableMetadata *extension_release; ++ ++ ORDERED_HASHMAP_FOREACH(extension_release, extension_releases) { ++ ++ r = sd_bus_message_open_container(reply, 'e', "say"); ++ if (r < 0) ++ return r; ++ ++ r = sd_bus_message_append(reply, "s", extension_release->image_path); ++ if (r < 0) ++ return r; ++ ++ r = append_fd(reply, extension_release); ++ if (r < 0) ++ return r; ++ ++ r = sd_bus_message_close_container(reply); ++ if (r < 0) ++ return r; ++ } ++ } ++ + for (i = 0; i < hashmap_size(unit_files); i++) { + + r = sd_bus_message_open_container(reply, 'e', "say"); +diff --git a/test/units/testsuite-29.sh b/test/units/testsuite-29.sh +index 34fa730514..ca09f321b7 100755 +--- a/test/units/testsuite-29.sh ++++ b/test/units/testsuite-29.sh +@@ -80,6 +80,9 @@ systemctl is-active app1.service + portablectl "${ARGS[@]}" reattach --now --runtime --extension ${app1} ${root} app1 + + systemctl is-active app1.service ++portablectl inspect --cat --extension ${app1} ${root} app1 | grep -F "MARKER=1" ++portablectl inspect --cat --extension ${app1} ${root} app1 | grep -F "Extension Release: /usr/share/app1.raw" ++portablectl inspect --cat --extension ${app1} ${root} app1 | grep -F "ExecStart=/opt/script1.sh" + + portablectl detach --now --runtime --extension ${app1} ${root} app1 + +-- +2.33.0 + 
diff --git a/backport-portable-add-return-parameter-to-GetImageMetadataWit.patch b/backport-portable-add-return-parameter-to-GetImageMetadataWit.patch new file mode 100644 index 0000000000000000000000000000000000000000..224ccf487abc67e764992014075db88533ec558e --- /dev/null +++ b/backport-portable-add-return-parameter-to-GetImageMetadataWit.patch 
@@ -0,0 +1,393 @@ +From 594b9adc847c4b759d1e51559fceb617015f8575 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Thu, 3 Mar 2022 16:26:36 +0100 +Subject: [PATCH] portable: add return parameter to + GetImageMetadataWithExtensions + +The complaint was that the output array was used for two kinds of data, and the +input flag decided whether this extra data should be included. The flag is +removed, and instead the old method is changed to include the data always as +a separate parameter. + +This breaks backward compatibility, but the old method is effectively broken +and does not appear to be used yet, at least in open source code, by +searching on codesearch.debian.net and github.com. + +Fixes #22404. + +Co-authored-by: Luca Boccassi +(cherry picked from commit 087a799f64560bb0379b8a99ebbd9ca84804e4c3) +(cherry picked from commit 00b5aa8d741ad17f6b8f5f03d901b038e3a27d04) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/594b9adc847c4b759d1e51559fceb617015f8575 +--- + man/org.freedesktop.portable1.xml | 21 ++--- + src/portable/portable.h | 13 ++- + src/portable/portablectl.c | 142 +++++++++++++++-------------- + src/portable/portabled-bus.c | 1 + + src/portable/portabled-image-bus.c | 30 +++--- + 5 files changed, 110 insertions(+), 97 deletions(-) + +diff --git a/man/org.freedesktop.portable1.xml b/man/org.freedesktop.portable1.xml +index 053f2a5434..8f960cc28d 100644 +--- a/man/org.freedesktop.portable1.xml ++++ b/man/org.freedesktop.portable1.xml +@@ -54,6 +54,7 @@ node /org/freedesktop/portable1 { + in t flags, + out s image, + out ay os_release, ++ out a{say} extensions, + out a{say} units); + GetImageState(in s image, + out s state); +@@ -183,19 +184,12 @@ node /org/freedesktop/portable1 { + and a list of portable units contained in the image, in the form of a string (unit name) and + an array of bytes with the content. + +- GetImageMetadataWithExtensions() retrieves metadata associated with an image. 
+- This method is a superset of GetImageMetadata() with the addition of +- a list of extensions as input parameter, which were overlaid on top of the main +- image via AttachImageWithExtensions(). +- The flag parameter can be used to request that, before the units, the path of +- each extension and an array of bytes with the content of the respective extension-release file +- are sent. One such structure will be sent for each extension named in the input arguments. The +- flag value to enable this functionality is defined as follows: +- +- +-#define PORTABLE_INSPECT_EXTENSION_RELEASES (UINT64_C(1) << 1) +- +- ++ GetImageMetadataWithExtensions() retrieves metadata associated with an ++ image. This method is a superset of GetImageMetadata() with the addition of a list ++ of extensions as input parameter, which were overlaid on top of the main image via ++ AttachImageWithExtensions(). The path of each extension and an array of bytes with ++ the content of the respective extension-release file are returned, one such structure for each ++ extension named in the input arguments. 
+ + GetImageState() retrieves the image state as one of the following + strings: +@@ -340,6 +334,7 @@ node /org/freedesktop/portable1 { + in t flags, + out s image, + out ay os_release, ++ out a{say} extensions, + out a{say} units); + GetState(out s state); + Attach(in as matches, +diff --git a/src/portable/portable.h b/src/portable/portable.h +index ce55f050a2..a1abf60dc7 100644 +--- a/src/portable/portable.h ++++ b/src/portable/portable.h +@@ -20,14 +20,13 @@ typedef struct PortableMetadata { + #define PORTABLE_METADATA_IS_UNIT(m) (!IN_SET((m)->name[0], 0, '/')) + + typedef enum PortableFlags { +- PORTABLE_RUNTIME = 1 << 0, +- PORTABLE_INSPECT_EXTENSION_RELEASES = 1 << 1, /* Public API via DBUS, do not change */ +- PORTABLE_PREFER_COPY = 1 << 2, +- PORTABLE_PREFER_SYMLINK = 1 << 3, +- PORTABLE_REATTACH = 1 << 4, +- _PORTABLE_MASK_PUBLIC = PORTABLE_RUNTIME | PORTABLE_INSPECT_EXTENSION_RELEASES, ++ PORTABLE_RUNTIME = 1 << 0, /* Public API via DBUS, do not change */ ++ PORTABLE_PREFER_COPY = 1 << 1, ++ PORTABLE_PREFER_SYMLINK = 1 << 2, ++ PORTABLE_REATTACH = 1 << 3, ++ _PORTABLE_MASK_PUBLIC = PORTABLE_RUNTIME, + _PORTABLE_TYPE_MAX, +- _PORTABLE_TYPE_INVALID = -EINVAL, ++ _PORTABLE_TYPE_INVALID = -EINVAL, + } PortableFlags; + + /* This enum is anonymous, since we usually store it in an 'int', as we overload it with negative errno +diff --git a/src/portable/portablectl.c b/src/portable/portablectl.c +index 827d7a7b4a..21048baeb5 100644 +--- a/src/portable/portablectl.c ++++ b/src/portable/portablectl.c +@@ -259,7 +259,7 @@ static int maybe_reload(sd_bus **bus) { + static int get_image_metadata(sd_bus *bus, const char *image, char **matches, sd_bus_message **reply) { + _cleanup_(sd_bus_message_unrefp) sd_bus_message *m = NULL; + _cleanup_(sd_bus_error_free) sd_bus_error error = SD_BUS_ERROR_NULL; +- PortableFlags flags = PORTABLE_INSPECT_EXTENSION_RELEASES; ++ uint64_t flags = 0; + const char *method; + int r; + +@@ -361,71 +361,78 @@ static int inspect_image(int argc, 
char *argv[], void *userdata) { + strna(pretty_os)); + } + +- r = sd_bus_message_enter_container(reply, 'a', "{say}"); +- if (r < 0) +- return bus_log_parse_error(r); +- +- /* If we specified any extensions, we'll first get back exactly the +- * paths (and extension-release content) for each one of the arguments. */ +- for (size_t i = 0; i < strv_length(arg_extension_images); ++i) { +- const char *name; ++ if (!strv_isempty(arg_extension_images)) { ++ /* If we specified any extensions, we'll first get back exactly the paths (and ++ * extension-release content) for each one of the arguments. */ + +- r = sd_bus_message_enter_container(reply, 'e', "say"); ++ r = sd_bus_message_enter_container(reply, 'a', "{say}"); + if (r < 0) + return bus_log_parse_error(r); +- if (r == 0) +- break; + +- r = sd_bus_message_read(reply, "s", &name); +- if (r < 0) +- return bus_log_parse_error(r); ++ for (size_t i = 0; i < strv_length(arg_extension_images); ++i) { ++ const char *name; + +- r = sd_bus_message_read_array(reply, 'y', &data, &sz); +- if (r < 0) +- return bus_log_parse_error(r); ++ r = sd_bus_message_enter_container(reply, 'e', "say"); ++ if (r < 0) ++ return bus_log_parse_error(r); ++ if (r == 0) ++ break; + +- if (arg_cat) { +- if (nl) +- fputc('\n', stdout); ++ r = sd_bus_message_read(reply, "s", &name); ++ if (r < 0) ++ return bus_log_parse_error(r); + +- printf("%s-- Extension Release: %s --%s\n", ansi_highlight(), name, ansi_normal()); +- fwrite(data, sz, 1, stdout); +- fflush(stdout); +- nl = true; +- } else { +- _cleanup_free_ char *pretty_portable = NULL, *pretty_os = NULL, *sysext_level = NULL, +- *id = NULL, *version_id = NULL, *sysext_scope = NULL, *portable_prefixes = NULL; +- _cleanup_fclose_ FILE *f = NULL; +- +- f = fmemopen_unlocked((void*) data, sz, "re"); +- if (!f) +- return log_error_errno(errno, "Failed to open extension-release buffer: %m"); +- +- r = parse_env_file(f, name, +- "ID", &id, +- "VERSION_ID", &version_id, +- "SYSEXT_SCOPE", &sysext_scope, 
+- "SYSEXT_LEVEL", &sysext_level, +- "PORTABLE_PRETTY_NAME", &pretty_portable, +- "PORTABLE_PREFIXES", &portable_prefixes, +- "PRETTY_NAME", &pretty_os); ++ r = sd_bus_message_read_array(reply, 'y', &data, &sz); ++ if (r < 0) ++ return bus_log_parse_error(r); ++ ++ if (arg_cat) { ++ if (nl) ++ fputc('\n', stdout); ++ ++ printf("%s-- Extension Release: %s --%s\n", ansi_highlight(), name, ansi_normal()); ++ fwrite(data, sz, 1, stdout); ++ fflush(stdout); ++ nl = true; ++ } else { ++ _cleanup_free_ char *pretty_portable = NULL, *pretty_os = NULL, *sysext_level = NULL, ++ *id = NULL, *version_id = NULL, *sysext_scope = NULL, *portable_prefixes = NULL; ++ _cleanup_fclose_ FILE *f = NULL; ++ ++ f = fmemopen_unlocked((void*) data, sz, "re"); ++ if (!f) ++ return log_error_errno(errno, "Failed to open extension-release buffer: %m"); ++ ++ r = parse_env_file(f, name, ++ "ID", &id, ++ "VERSION_ID", &version_id, ++ "SYSEXT_SCOPE", &sysext_scope, ++ "SYSEXT_LEVEL", &sysext_level, ++ "PORTABLE_PRETTY_NAME", &pretty_portable, ++ "PORTABLE_PREFIXES", &portable_prefixes, ++ "PRETTY_NAME", &pretty_os); ++ if (r < 0) ++ return log_error_errno(r, "Failed to parse extension release from '%s': %m", name); ++ ++ printf("Extension:\n\t%s\n" ++ "\tExtension Scope:\n\t\t%s\n" ++ "\tExtension Compatibility Level:\n\t\t%s\n" ++ "\tPortable Service:\n\t\t%s\n" ++ "\tPortable Prefixes:\n\t\t%s\n" ++ "\tOperating System:\n\t\t%s (%s %s)\n", ++ name, ++ strna(sysext_scope), ++ strna(sysext_level), ++ strna(pretty_portable), ++ strna(portable_prefixes), ++ strna(pretty_os), ++ strna(id), ++ strna(version_id)); ++ } ++ ++ r = sd_bus_message_exit_container(reply); + if (r < 0) +- return log_error_errno(r, "Failed to parse extension release from '%s': %m", name); +- +- printf("Extension:\n\t%s\n" +- "\tExtension Scope:\n\t\t%s\n" +- "\tExtension Compatibility Level:\n\t\t%s\n" +- "\tPortable Service:\n\t\t%s\n" +- "\tPortable Prefixes:\n\t\t%s\n" +- "\tOperating System:\n\t\t%s (%s %s)\n", +- name, 
+- strna(sysext_scope), +- strna(sysext_level), +- strna(pretty_portable), +- strna(portable_prefixes), +- strna(pretty_os), +- strna(id), +- strna(version_id)); ++ return bus_log_parse_error(r); + } + + r = sd_bus_message_exit_container(reply); +@@ -433,6 +440,10 @@ static int inspect_image(int argc, char *argv[], void *userdata) { + return bus_log_parse_error(r); + } + ++ r = sd_bus_message_enter_container(reply, 'a', "{say}"); ++ if (r < 0) ++ return bus_log_parse_error(r); ++ + for (;;) { + const char *name; + +@@ -763,18 +774,17 @@ static int maybe_stop_disable(sd_bus *bus, char *image, char *argv[]) { + if (r < 0) + return bus_log_parse_error(r); + +- r = sd_bus_message_enter_container(reply, 'a', "{say}"); +- if (r < 0) +- return bus_log_parse_error(r); +- +- /* If we specified any extensions, we'll first get back exactly the +- * paths (and extension-release content) for each one of the arguments. */ +- for (size_t i = 0; i < strv_length(arg_extension_images); ++i) { +- r = sd_bus_message_skip(reply, "{say}"); ++ /* If we specified any extensions, we'll first an array of extension-release metadata. 
*/ ++ if (!strv_isempty(arg_extension_images)) { ++ r = sd_bus_message_skip(reply, "a{say}"); + if (r < 0) + return bus_log_parse_error(r); + } + ++ r = sd_bus_message_enter_container(reply, 'a', "{say}"); ++ if (r < 0) ++ return bus_log_parse_error(r); ++ + for (;;) { + const char *name; + +diff --git a/src/portable/portabled-bus.c b/src/portable/portabled-bus.c +index 5b992d9df8..db71057bb3 100644 +--- a/src/portable/portabled-bus.c ++++ b/src/portable/portabled-bus.c +@@ -420,6 +420,7 @@ const sd_bus_vtable manager_vtable[] = { + "t", flags), + SD_BUS_RESULT("s", image, + "ay", os_release, ++ "a{say}", extensions, + "a{say}", units), + method_get_image_metadata, + SD_BUS_VTABLE_UNPRIVILEGED), +diff --git a/src/portable/portabled-image-bus.c b/src/portable/portabled-image-bus.c +index 964035ec15..d538a4786f 100644 +--- a/src/portable/portabled-image-bus.c ++++ b/src/portable/portabled-image-bus.c +@@ -108,7 +108,6 @@ int bus_image_common_get_metadata( + _cleanup_hashmap_free_ Hashmap *unit_files = NULL; + _cleanup_(sd_bus_message_unrefp) sd_bus_message *reply = NULL; + _cleanup_free_ PortableMetadata **sorted = NULL; +- PortableFlags flags = 0; + int r; + + assert(name_or_path || image); +@@ -119,8 +118,10 @@ int bus_image_common_get_metadata( + m = image->userdata; + } + +- if (sd_bus_message_is_method_call(message, NULL, "GetImageMetadataWithExtensions") || +- sd_bus_message_is_method_call(message, NULL, "GetMetadataWithExtensions")) { ++ bool have_exti = sd_bus_message_is_method_call(message, NULL, "GetImageMetadataWithExtensions") || ++ sd_bus_message_is_method_call(message, NULL, "GetMetadataWithExtensions"); ++ ++ if (have_exti) { + r = sd_bus_message_read_strv(message, &extension_images); + if (r < 0) + return r; +@@ -130,8 +131,7 @@ int bus_image_common_get_metadata( + if (r < 0) + return r; + +- if (sd_bus_message_is_method_call(message, NULL, "GetImageMetadataWithExtensions") || +- sd_bus_message_is_method_call(message, NULL, 
"GetMetadataWithExtensions")) { ++ if (have_exti) { + uint64_t input_flags = 0; + + r = sd_bus_message_read(message, "t", &input_flags); +@@ -142,7 +142,6 @@ int bus_image_common_get_metadata( + return sd_bus_reply_method_errorf(message, SD_BUS_ERROR_INVALID_ARGS, + "Invalid 'flags' parameter '%" PRIu64 "'", + input_flags); +- flags |= input_flags; + } + + r = bus_image_acquire(m, +@@ -185,16 +184,16 @@ int bus_image_common_get_metadata( + if (r < 0) + return r; + +- r = sd_bus_message_open_container(reply, 'a', "{say}"); +- if (r < 0) +- return r; +- + /* If it was requested, also send back the extension path and the content + * of each extension-release file. Behind a flag, as it's an incompatible + * change. */ +- if (FLAGS_SET(flags, PORTABLE_INSPECT_EXTENSION_RELEASES)) { ++ if (have_exti) { + PortableMetadata *extension_release; + ++ r = sd_bus_message_open_container(reply, 'a', "{say}"); ++ if (r < 0) ++ return r; ++ + ORDERED_HASHMAP_FOREACH(extension_release, extension_releases) { + + r = sd_bus_message_open_container(reply, 'e', "say"); +@@ -213,8 +212,16 @@ int bus_image_common_get_metadata( + if (r < 0) + return r; + } ++ ++ r = sd_bus_message_close_container(reply); ++ if (r < 0) ++ return r; + } + ++ r = sd_bus_message_open_container(reply, 'a', "{say}"); ++ if (r < 0) ++ return r; ++ + for (size_t i = 0; i < hashmap_size(unit_files); i++) { + + r = sd_bus_message_open_container(reply, 'e', "say"); +@@ -866,6 +873,7 @@ const sd_bus_vtable image_vtable[] = { + "t", flags), + SD_BUS_RESULT("s", image, + "ay", os_release, ++ "a{say}", extensions, + "a{say}", units), + bus_image_method_get_metadata, + SD_BUS_VTABLE_UNPRIVILEGED), +-- +2.33.0 + diff --git a/backport-portable-inline-one-variable-declaration.patch b/backport-portable-inline-one-variable-declaration.patch new file mode 100644 index 0000000000000000000000000000000000000000..5b6ffda4719912cccd36bb1f8f36370f744eedb2 --- /dev/null +++ b/backport-portable-inline-one-variable-declaration.patch 
@@ -0,0 +1,38 @@
+From f1f790658be65ba281d101d651f853701a829250 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?=
+Date: Thu, 3 Mar 2022 19:13:20 +0100
+Subject: [PATCH] portable: inline one variable declaration
+
+(cherry picked from commit 90e3f3581dd578a23aec9f63ca846babfe4fcaa0)
+(cherry picked from commit 06d466a05c69e39058f109700c8a6c10bd4c2c89)
+
+Conflict:NA
+Reference:https://github.com/systemd/systemd/commit/f1f790658be65ba281d101d651f853701a829250
+---
+ src/portable/portabled-image-bus.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/src/portable/portabled-image-bus.c b/src/portable/portabled-image-bus.c
+index 3e6310f23e..964035ec15 100644
+--- a/src/portable/portabled-image-bus.c
++++ b/src/portable/portabled-image-bus.c
+@@ -109,7 +109,6 @@ int bus_image_common_get_metadata(
+ _cleanup_(sd_bus_message_unrefp) sd_bus_message *reply = NULL;
+ _cleanup_free_ PortableMetadata **sorted = NULL;
+ PortableFlags flags = 0;
+- size_t i;
+ int r;
+
+ assert(name_or_path || image);
+@@ -216,7 +215,7 @@ int bus_image_common_get_metadata(
+ }
+ }
+
+- for (i = 0; i < hashmap_size(unit_files); i++) {
++ for (size_t i = 0; i < hashmap_size(unit_files); i++) {
+
+ r = sd_bus_message_open_container(reply, 'e', "say");
+ if (r < 0)
+--
+2.33.0
+
diff --git a/backport-portable-move-profile-search-helper-to-path-lookup.patch b/backport-portable-move-profile-search-helper-to-path-lookup.patch
new file mode 100644
index 0000000000000000000000000000000000000000..5b90cbd3c19edc3988333ae6fb0fed01737f1ab0
--- /dev/null
+++ b/backport-portable-move-profile-search-helper-to-path-lookup.patch
@@ -0,0 +1,139 @@ +From 494652d95c620f0191f5c7c8f30956e9e98dd62b Mon Sep 17 00:00:00 2001 +From: Luca Boccassi +Date: Fri, 26 Nov 2021 17:50:34 +0000 +Subject: [PATCH] portable: move profile search helper to path-lookup + +Will be used in systemd-analyze later + +(cherry picked from commit 13c02e7bd54e4420c392bd76c0fcf1846c10f99c) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/494652d95c620f0191f5c7c8f30956e9e98dd62b +--- + src/basic/path-lookup.c | 28 ++++++++++++++++++++++++++++ + src/basic/path-lookup.h | 3 +++ + src/portable/portable.c | 33 ++------------------------------- + 3 files changed, 33 insertions(+), 31 deletions(-) + +diff --git a/src/basic/path-lookup.c b/src/basic/path-lookup.c +index 05eb17d66c..83adf4767e 100644 +--- a/src/basic/path-lookup.c ++++ b/src/basic/path-lookup.c +@@ -8,6 +8,7 @@ + #include "fs-util.h" + #include "log.h" + #include "macro.h" ++#include "nulstr-util.h" + #include "path-lookup.h" + #include "path-util.h" + #include "stat-util.h" +@@ -864,3 +865,30 @@ char **env_generator_binary_paths(bool is_system) { + + return TAKE_PTR(paths); + } ++ ++int find_portable_profile(const char *name, const char *unit, char **ret_path) { ++ const char *p, *dot; ++ ++ assert(name); ++ assert(ret_path); ++ ++ assert_se(dot = strrchr(unit, '.')); ++ ++ NULSTR_FOREACH(p, PORTABLE_PROFILE_DIRS) { ++ _cleanup_free_ char *joined = NULL; ++ ++ joined = strjoin(p, "/", name, "/", dot + 1, ".conf"); ++ if (!joined) ++ return -ENOMEM; ++ ++ if (laccess(joined, F_OK) >= 0) { ++ *ret_path = TAKE_PTR(joined); ++ return 0; ++ } ++ ++ if (errno != ENOENT) ++ return -errno; ++ } ++ ++ return -ENOENT; ++} +diff --git a/src/basic/path-lookup.h b/src/basic/path-lookup.h +index 088bb9b57c..af85dc7b4f 100644 +--- a/src/basic/path-lookup.h ++++ b/src/basic/path-lookup.h +@@ -72,3 +72,6 @@ char **env_generator_binary_paths(bool is_system); + + #define NETWORK_DIRS ((const char* const*) CONF_PATHS_STRV("systemd/network")) + #define 
NETWORK_DIRS_NULSTR CONF_PATHS_NULSTR("systemd/network") ++ ++#define PORTABLE_PROFILE_DIRS CONF_PATHS_NULSTR("systemd/portable/profile") ++int find_portable_profile(const char *name, const char *unit, char **ret_path); +diff --git a/src/portable/portable.c b/src/portable/portable.c +index 02f4a692b0..8c5e5b6821 100644 +--- a/src/portable/portable.c ++++ b/src/portable/portable.c +@@ -37,8 +37,6 @@ + #include "tmpfile-util.h" + #include "user-util.h" + +-static const char profile_dirs[] = CONF_PATHS_NULSTR("systemd/portable/profile"); +- + /* Markers used in the first line of our 20-portable.conf unit file drop-in to determine, that a) the unit file was + * dropped there by the portable service logic and b) for which image it was dropped there. */ + #define PORTABLE_DROPIN_MARKER_BEGIN "# Drop-in created for image '" +@@ -967,33 +965,6 @@ static int install_chroot_dropin( + return 0; + } + +-static int find_profile(const char *name, const char *unit, char **ret) { +- const char *p, *dot; +- +- assert(name); +- assert(ret); +- +- assert_se(dot = strrchr(unit, '.')); +- +- NULSTR_FOREACH(p, profile_dirs) { +- _cleanup_free_ char *joined = NULL; +- +- joined = strjoin(p, "/", name, "/", dot + 1, ".conf"); +- if (!joined) +- return -ENOMEM; +- +- if (laccess(joined, F_OK) >= 0) { +- *ret = TAKE_PTR(joined); +- return 0; +- } +- +- if (errno != ENOENT) +- return -errno; +- } +- +- return -ENOENT; +-} +- + static int install_profile_dropin( + const char *image_path, + const PortableMetadata *m, +@@ -1014,7 +985,7 @@ static int install_profile_dropin( + if (!profile) + return 0; + +- r = find_profile(profile, m->name, &from); ++ r = find_portable_profile(profile, m->name, &from); + if (r < 0) { + if (r != -ENOENT) + return log_debug_errno(errno, "Profile '%s' is not accessible: %m", profile); +@@ -1731,7 +1702,7 @@ int portable_get_state( + int portable_get_profiles(char ***ret) { + assert(ret); + +- return conf_files_list_nulstr(ret, NULL, NULL, 
CONF_FILES_DIRECTORY|CONF_FILES_BASENAME|CONF_FILES_FILTER_MASKED, profile_dirs); ++ return conf_files_list_nulstr(ret, NULL, NULL, CONF_FILES_DIRECTORY|CONF_FILES_BASENAME|CONF_FILES_FILTER_MASKED, PORTABLE_PROFILE_DIRS); + } + + static const char* const portable_change_type_table[_PORTABLE_CHANGE_TYPE_MAX] = { +-- +2.33.0 + diff --git a/backport-portablectl-reorder-if-branches-to-match-previous-co.patch b/backport-portablectl-reorder-if-branches-to-match-previous-co.patch new file mode 100644 index 0000000000000000000000000000000000000000..3298903e49adb05dd5ab932ce9e5c9cbe610631b --- /dev/null +++ b/backport-portablectl-reorder-if-branches-to-match-previous-co.patch 
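Review bot: find_portable_profile() becomes a non-static helper in src/basic/path-lookup.c, but it still passes `unit` to `strrchr(unit, '.')` without an `assert(unit)` and aborts the calling process through `assert_se` when the unit name contains no dot. For a helper that other tools are meant to call, I would return an error instead: `dot = strrchr(unit, '.'); if (!dot) return -EINVAL;`. `name` is also joined into the lookup path unchecked, so a comment on the prototype should state that callers must pass a validated profile name (a single path component); whether the existing callers do so is not visible in this hunk. Separately, the context line in install_profile_dropin() logs `errno` rather than `r` after the call, which may be stale because the helper reports the error in its return value; `log_debug_errno(r, ...)` reads the right one.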
@@ -0,0 +1,42 @@
+From b57a0605dd294c00ed34d7bad08a9c33f9810a2d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?=
+Date: Thu, 3 Mar 2022 18:56:06 +0100
+Subject: [PATCH] portablectl: reorder if branches to match previous
+ conditional in the same function
+
+One is a ternary op, the other an normal conditional, but they should still use
+the same order of branches.
+
+(cherry picked from commit 573e33de078956ded078653ef3f90f93469b4dbf)
+(cherry picked from commit 7856dc310906cb8b09d27b7175b322129bd619b6)
+
+Conflict:NA
+Reference:https://github.com/systemd/systemd/commit/b57a0605dd294c00ed34d7bad08a9c33f9810a2d
+---
+ src/portable/portablectl.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/src/portable/portablectl.c b/src/portable/portablectl.c
+index af5e78c998..827d7a7b4a 100644
+--- a/src/portable/portablectl.c
++++ b/src/portable/portablectl.c
+@@ -927,12 +927,13 @@ static int detach_image(int argc, char *argv[], void *userdata) {
+ if (r < 0)
+ return r;
+
+- if (!strv_isempty(arg_extension_images)) {
++ if (strv_isempty(arg_extension_images))
++ r = sd_bus_message_append(m, "b", arg_runtime);
++ else {
+ uint64_t flags = arg_runtime ? PORTABLE_RUNTIME : 0;
+
+ r = sd_bus_message_append(m, "t", flags);
+- } else
+- r = sd_bus_message_append(m, "b", arg_runtime);
++ }
+ if (r < 0)
+ return bus_log_create_error(r);
+
+--
+2.33.0
+
diff --git a/backport-portabled-error-out-if-there-are-no-units-only-after.patch b/backport-portabled-error-out-if-there-are-no-units-only-after.patch
new file mode 100644
index 0000000000000000000000000000000000000000..fc8fe1cfc9d455c90017d81ade96484ecbb07c44
--- /dev/null
+++ b/backport-portabled-error-out-if-there-are-no-units-only-after.patch
@@ -0,0 +1,74 @@ +From 6ea63e538eaa13e1efacd33e4ade2cd096b818e0 Mon Sep 17 00:00:00 2001 +From: Luca Boccassi +Date: Wed, 18 Aug 2021 16:37:13 +0100 +Subject: [PATCH] portabled: error out if there are no units only after parsing + all images + +It's ok if the OS image doesn't have matching units, if we find them +in the extensions. Tidies up the parsing logic a bit. + +(cherry picked from commit 7bf5ec4538cd4c77979dd9d09d9e9429a0a3535c) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/6ea63e538eaa13e1efacd33e4ade2cd096b818e0 +--- + src/portable/portable.c | 29 ++++++++++++++++++++++++++--- + 1 file changed, 26 insertions(+), 3 deletions(-) + +diff --git a/src/portable/portable.c b/src/portable/portable.c +index 5ecbeec2de..8550becded 100644 +--- a/src/portable/portable.c ++++ b/src/portable/portable.c +@@ -504,9 +504,6 @@ static int portable_extract_by_path( + if (extract_os_release && !os_release) + return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Image '%s' lacks os-release data, refusing.", path); + +- if (!extract_os_release && hashmap_isempty(unit_files)) +- return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Couldn't find any matching unit files in image '%s', refusing.", path); +- + if (ret_unit_files) + *ret_unit_files = TAKE_PTR(unit_files); + +@@ -573,6 +570,19 @@ int portable_extract( + return r; + } + ++ if (hashmap_isempty(unit_files)) { ++ _cleanup_free_ char *extensions = strv_join(extension_image_paths, ", "); ++ if (!extensions) ++ return -ENOMEM; ++ ++ return sd_bus_error_setf(error, ++ SD_BUS_ERROR_INVALID_ARGS, ++ "Couldn't find any matching unit files in image '%s%s%s', refusing.", ++ image->path, ++ isempty(extensions) ? "" : "' or any of its extensions '", ++ isempty(extensions) ? 
"" : extensions); ++ } ++ + *ret_os_release = TAKE_PTR(os_release); + *ret_unit_files = TAKE_PTR(unit_files); + +@@ -1189,6 +1199,19 @@ int portable_attach( + return r; + } + ++ if (hashmap_isempty(unit_files)) { ++ _cleanup_free_ char *extensions = strv_join(extension_image_paths, ", "); ++ if (!extensions) ++ return -ENOMEM; ++ ++ return sd_bus_error_setf(error, ++ SD_BUS_ERROR_INVALID_ARGS, ++ "Couldn't find any matching unit files in image '%s%s%s', refusing.", ++ image->path, ++ isempty(extensions) ? "" : "' or any of its extensions '", ++ isempty(extensions) ? "" : extensions); ++ } ++ + r = lookup_paths_init(&paths, UNIT_FILE_SYSTEM, LOOKUP_PATHS_SPLIT_USR, NULL); + if (r < 0) + return r; +-- +2.33.0 + diff --git a/backport-portabled-refactor-extraction-validation-into-a-comm.patch b/backport-portabled-refactor-extraction-validation-into-a-comm.patch new file mode 100644 index 0000000000000000000000000000000000000000..9534602a5ea48eef9d2b643f8df58f2146e19189 --- /dev/null +++ b/backport-portabled-refactor-extraction-validation-into-a-comm.patch 
@@ -0,0 +1,245 @@ +From 04934ab329767b4a1fde60438f769f9eb055fd9d Mon Sep 17 00:00:00 2001 +From: Luca Boccassi +Date: Mon, 6 Sep 2021 13:19:47 +0100 +Subject: [PATCH] portabled: refactor extraction/validation into a common + helper + +(cherry picked from commit 9ff61565be1efe5cc962964cde1af2278e554e9e) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/04934ab329767b4a1fde60438f769f9eb055fd9d +--- + src/portable/portable.c | 169 ++++++++++++++++++++++------------------ + 1 file changed, 92 insertions(+), 77 deletions(-) + +diff --git a/src/portable/portable.c b/src/portable/portable.c +index 765aedf852..02f4a692b0 100644 +--- a/src/portable/portable.c ++++ b/src/portable/portable.c +@@ -528,14 +528,18 @@ static int portable_extract_by_path( + return 0; + } + +-int portable_extract( ++static int extract_image_and_extensions( + const char *name_or_path, + char **matches, + char **extension_image_paths, ++ bool validate_sysext, ++ Image **ret_image, ++ OrderedHashmap **ret_extension_images, + PortableMetadata **ret_os_release, + Hashmap **ret_unit_files, + sd_bus_error *error) { + ++ _cleanup_free_ char *id = NULL, *version_id = NULL, *sysext_level = NULL; + _cleanup_(portable_metadata_unrefp) PortableMetadata *os_release = NULL; + _cleanup_ordered_hashmap_free_ OrderedHashmap *extension_images = NULL; + _cleanup_hashmap_free_ Hashmap *unit_files = NULL; +@@ -544,6 +548,9 @@ int portable_extract( + int r; + + assert(name_or_path); ++ assert(matches); ++ assert(ret_image); ++ assert(ret_extension_images); + + r = image_find_harder(IMAGE_PORTABLE, name_or_path, NULL, &image); + if (r < 0) +@@ -574,17 +581,91 @@ int portable_extract( + if (r < 0) + return r; + ++ /* If we are layering extension images on top of a runtime image, check that the os-release and extension-release metadata ++ * match, otherwise reject it immediately as invalid, or it will fail when the units are started. 
*/ ++ if (validate_sysext) { ++ _cleanup_fclose_ FILE *f = NULL; ++ ++ r = take_fdopen_unlocked(&os_release->fd, "r", &f); ++ if (r < 0) ++ return r; ++ ++ r = parse_env_file(f, os_release->name, ++ "ID", &id, ++ "VERSION_ID", &version_id, ++ "SYSEXT_LEVEL", &sysext_level); ++ if (r < 0) ++ return r; ++ } ++ + ORDERED_HASHMAP_FOREACH(ext, extension_images) { ++ _cleanup_(portable_metadata_unrefp) PortableMetadata *extension_release_meta = NULL; + _cleanup_hashmap_free_ Hashmap *extra_unit_files = NULL; ++ _cleanup_strv_free_ char **extension_release = NULL; ++ _cleanup_fclose_ FILE *f = NULL; + +- r = portable_extract_by_path(ext->path, /* path_is_extension= */ true, matches, NULL, &extra_unit_files, error); ++ r = portable_extract_by_path(ext->path, /* path_is_extension= */ true, matches, &extension_release_meta, &extra_unit_files, error); + if (r < 0) + return r; ++ + r = hashmap_move(unit_files, extra_unit_files); + if (r < 0) + return r; ++ ++ if (!validate_sysext) ++ continue; ++ ++ r = take_fdopen_unlocked(&extension_release_meta->fd, "r", &f); ++ if (r < 0) ++ return r; ++ ++ r = load_env_file_pairs(f, extension_release_meta->name, &extension_release); ++ if (r < 0) ++ return r; ++ ++ r = extension_release_validate(ext->path, id, version_id, sysext_level, extension_release); ++ if (r == 0) ++ return sd_bus_error_set_errnof(error, SYNTHETIC_ERRNO(ESTALE), "Image %s extension-release metadata does not match the root's", ext->path); ++ if (r < 0) ++ return sd_bus_error_set_errnof(error, r, "Failed to compare image %s extension-release metadata with the root's os-release: %m", ext->path); + } + ++ *ret_image = TAKE_PTR(image); ++ *ret_extension_images = TAKE_PTR(extension_images); ++ if (ret_os_release) ++ *ret_os_release = TAKE_PTR(os_release); ++ if (ret_unit_files) ++ *ret_unit_files = TAKE_PTR(unit_files); ++ ++ return 0; ++} ++ ++int portable_extract( ++ const char *name_or_path, ++ char **matches, ++ char **extension_image_paths, ++ PortableMetadata 
**ret_os_release, ++ Hashmap **ret_unit_files, ++ sd_bus_error *error) { ++ ++ _cleanup_(portable_metadata_unrefp) PortableMetadata *os_release = NULL; ++ _cleanup_ordered_hashmap_free_ OrderedHashmap *extension_images = NULL; ++ _cleanup_hashmap_free_ Hashmap *unit_files = NULL; ++ _cleanup_(image_unrefp) Image *image = NULL; ++ int r; ++ ++ r = extract_image_and_extensions(name_or_path, ++ matches, ++ extension_image_paths, ++ /* validate_sysext= */ false, ++ &image, ++ &extension_images, ++ &os_release, ++ &unit_files, ++ error); ++ if (r < 0) ++ return r; ++ + if (hashmap_isempty(unit_files)) { + _cleanup_free_ char *extensions = strv_join(extension_image_paths, ", "); + if (!extensions) +@@ -1166,91 +1247,25 @@ int portable_attach( + size_t *n_changes, + sd_bus_error *error) { + +- _cleanup_free_ char *id = NULL, *version_id = NULL, *sysext_level = NULL; +- _cleanup_(portable_metadata_unrefp) PortableMetadata *os_release = NULL; + _cleanup_ordered_hashmap_free_ OrderedHashmap *extension_images = NULL; + _cleanup_hashmap_free_ Hashmap *unit_files = NULL; + _cleanup_(lookup_paths_free) LookupPaths paths = {}; + _cleanup_(image_unrefp) Image *image = NULL; + PortableMetadata *item; +- Image *ext; +- char **p; + int r; + +- assert(name_or_path); +- +- r = image_find_harder(IMAGE_PORTABLE, name_or_path, NULL, &image); +- if (r < 0) +- return r; +- if (!strv_isempty(extension_image_paths)) { +- extension_images = ordered_hashmap_new(&image_hash_ops); +- if (!extension_images) +- return -ENOMEM; +- +- STRV_FOREACH(p, extension_image_paths) { +- _cleanup_(image_unrefp) Image *new = NULL; +- +- r = image_find_harder(IMAGE_PORTABLE, *p, NULL, &new); +- if (r < 0) +- return r; +- +- r = ordered_hashmap_put(extension_images, new->name, new); +- if (r < 0) +- return r; +- TAKE_PTR(new); +- } +- } +- +- r = portable_extract_by_path(image->path, /* path_is_extension= */ false, matches, &os_release, &unit_files, error); ++ r = extract_image_and_extensions(name_or_path, ++ 
matches, ++ extension_image_paths, ++ /* validate_sysext= */ true, ++ &image, ++ &extension_images, ++ /* os_release= */ NULL, ++ &unit_files, ++ error); + if (r < 0) + return r; + +- /* If we are layering extension images on top of a runtime image, check that the os-release and extension-release metadata +- * match, otherwise reject it immediately as invalid, or it will fail when the units are started. */ +- if (os_release) { +- _cleanup_fclose_ FILE *f = NULL; +- +- r = take_fdopen_unlocked(&os_release->fd, "r", &f); +- if (r < 0) +- return r; +- +- r = parse_env_file(f, os_release->name, +- "ID", &id, +- "VERSION_ID", &version_id, +- "SYSEXT_LEVEL", &sysext_level); +- if (r < 0) +- return r; +- } +- +- ORDERED_HASHMAP_FOREACH(ext, extension_images) { +- _cleanup_(portable_metadata_unrefp) PortableMetadata *extension_release_meta = NULL; +- _cleanup_hashmap_free_ Hashmap *extra_unit_files = NULL; +- _cleanup_strv_free_ char **extension_release = NULL; +- _cleanup_fclose_ FILE *f = NULL; +- +- r = portable_extract_by_path(ext->path, /* path_is_extension= */ true, matches, &extension_release_meta, &extra_unit_files, error); +- if (r < 0) +- return r; +- +- r = take_fdopen_unlocked(&extension_release_meta->fd, "r", &f); +- if (r < 0) +- return r; +- +- r = load_env_file_pairs(f, extension_release_meta->name, &extension_release); +- if (r < 0) +- return r; +- +- r = extension_release_validate(ext->path, id, version_id, sysext_level, extension_release); +- if (r == 0) +- return sd_bus_error_set_errnof(error, SYNTHETIC_ERRNO(ESTALE), "Image %s extension-release metadata does not match the root's", ext->path); +- if (r < 0) +- return sd_bus_error_set_errnof(error, r, "Failed to compare image %s extension-release metadata with the root's os-release: %m", ext->path); +- +- r = hashmap_move(unit_files, extra_unit_files); +- if (r < 0) +- return r; +- } +- + if (hashmap_isempty(unit_files)) { + _cleanup_free_ char *extensions = strv_join(extension_image_paths, ", "); + if 
(!extensions) +-- +2.33.0 + diff --git a/backport-portabled-validate-SYSEXT_LEVEL-when-attaching.patch b/backport-portabled-validate-SYSEXT_LEVEL-when-attaching.patch new file mode 100644 index 0000000000000000000000000000000000000000..e3787da2237a7bac8985a188385ff7d3fb97bdbd --- /dev/null +++ b/backport-portabled-validate-SYSEXT_LEVEL-when-attaching.patch 
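Review bot: In extract_image_and_extensions() the old `if (os_release)` guard around `take_fdopen_unlocked(&os_release->fd, "r", &f)` is replaced by `if (validate_sysext)`, so the dereference now depends on portable_extract_by_path() never succeeding with a NULL os_release; the same holds for `extension_release_meta->fd` inside the loop. Because this code parses metadata from images whose paths arrive over D-Bus, I would fail closed explicitly before the fdopen, e.g. `if (!os_release) return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Image '%s' lacks os-release data, refusing.", image->path);`, with an equivalent check on `extension_release_meta`. The new `assert(matches)` deserves a second look as well: if any caller can hand over an empty match list as a NULL strv, it becomes a daemon abort, which depends on callers outside this hunk. A short comment on the helper saying which ret_* arguments may be NULL (`ret_os_release`, `ret_unit_files`) and which may not would document the contract the asserts imply.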
@@ -0,0 +1,240 @@
+From 5453257f8caebbcfe880601de27853f2d51acbb7 Mon Sep 17 00:00:00 2001
+From: Luca Boccassi
+Date: Wed, 4 Aug 2021 15:00:06 +0100
+Subject: [PATCH] portabled: validate SYSEXT_LEVEL when attaching
+
+When attaching a portable service with extensions, immediately validate
+that the os-release and extension-release metadata values match, rather
+than letting it fail when the units are started
+
+(cherry picked from commit 239ac0c7f72c30cab2e84d395d064c3b7384ff84)
+
+Conflict:NA
+Reference:https://github.com/systemd/systemd/commit/5453257f8caebbcfe880601de27853f2d51acbb7
+---
+ src/portable/portable.c | 88 ++++++++++++++++++++++++++++++++---------
+ src/portable/portable.h | 1 +
+ 2 files changed, 71 insertions(+), 18 deletions(-)
+
+diff --git a/src/portable/portable.c b/src/portable/portable.c
+index 8550becded..765aedf852 100644
+--- a/src/portable/portable.c
++++ b/src/portable/portable.c
+@@ -11,8 +11,10 @@
+ #include "dirent-util.h"
+ #include "discover-image.h"
+ #include "dissect-image.h"
++#include "env-file.h"
+ #include "errno-list.h"
+ #include "escape.h"
++#include "extension-release.h"
+ #include "fd-util.h"
+ #include "fileio.h"
+ #include "fs-util.h"
+@@ -232,6 +234,8 @@ DEFINE_PRIVATE_HASH_OPS_WITH_VALUE_DESTRUCTOR(portable_metadata_hash_ops, char,
+ static int extract_now(
+ const char *where,
+ char **matches,
++ const char *image_name,
++ bool path_is_extension,
+ int socket_fd,
+ PortableMetadata **ret_os_release,
+ Hashmap **ret_unit_files) {
+@@ -241,6 +245,7 @@ static int extract_now(
+ _cleanup_(lookup_paths_free) LookupPaths paths = {};
+ _cleanup_close_ int os_release_fd = -1;
+ _cleanup_free_ char *os_release_path = NULL;
++ const char *os_release_id;
+ char **i;
+ int r;
+
+@@ -255,19 +260,27 @@ static int extract_now(
+
+ assert(where);
+
+- /* First, find /etc/os-release and send it upstream (or just save it). */
+- r = open_os_release(where, &os_release_path, &os_release_fd);
++ /* First, find os-release/extension-release and send it upstream (or just save it). */
++ if (path_is_extension) {
++ os_release_id = strjoina("/usr/lib/extension-release.d/extension-release.", image_name);
++ r = open_extension_release(where, image_name, &os_release_path, &os_release_fd);
++ } else {
++ os_release_id = "/etc/os-release";
++ r = open_os_release(where, &os_release_path, &os_release_fd);
++ }
+ if (r < 0)
+- log_debug_errno(r, "Couldn't acquire os-release file, ignoring: %m");
++ log_debug_errno(r,
++ "Couldn't acquire %s file, ignoring: %m",
++ path_is_extension ? "extension-release " : "os-release");
+ else {
+ if (socket_fd >= 0) {
+- r = send_item(socket_fd, "/etc/os-release", os_release_fd);
++ r = send_item(socket_fd, os_release_id, os_release_fd);
+ if (r < 0)
+ return log_debug_errno(r, "Failed to send os-release file: %m");
+ }
+
+ if (ret_os_release) {
+- os_release = portable_metadata_new("/etc/os-release", NULL, os_release_fd);
++ os_release = portable_metadata_new(os_release_id, NULL, os_release_fd);
+ if (!os_release)
+ return -ENOMEM;
+
+@@ -353,7 +366,7 @@ static int extract_now(
+
+ static int portable_extract_by_path(
+ const char *path,
+- bool extract_os_release,
++ bool path_is_extension,
+ char **matches,
+ PortableMetadata **ret_os_release,
+ Hashmap **ret_unit_files,
+@@ -371,7 +384,7 @@ static int portable_extract_by_path(
+ /* We can't turn this into a loop-back block device, and this returns EISDIR? Then this is a directory
+ * tree and not a raw device. It's easy then. */
+
+- r = extract_now(path, matches, -1, &os_release, &unit_files);
++ r = extract_now(path, matches, NULL, path_is_extension, -1, &os_release, &unit_files);
+ if (r < 0)
+ return r;
+
+@@ -428,7 +441,7 @@ static int portable_extract_by_path(
+
+ seq[0] = safe_close(seq[0]);
+
+- if (!extract_os_release)
++ if (path_is_extension)
+ flags |= DISSECT_IMAGE_VALIDATE_OS_EXT;
+ else
+ flags |= DISSECT_IMAGE_VALIDATE_OS;
+@@ -439,7 +452,7 @@ static int portable_extract_by_path(
+ goto child_finish;
+ }
+
+- r = extract_now(tmpdir, matches, seq[1], NULL, NULL);
++ r = extract_now(tmpdir, matches, m->image_name, path_is_extension, seq[1], NULL, NULL);
+
+ child_finish:
+ _exit(r < 0 ? EXIT_FAILURE : EXIT_SUCCESS);
+@@ -485,7 +498,7 @@ static int portable_extract_by_path(
+
+ add = NULL;
+
+- } else if (PORTABLE_METADATA_IS_OS_RELEASE(add)) {
++ } else if (PORTABLE_METADATA_IS_OS_RELEASE(add) || PORTABLE_METADATA_IS_EXTENSION_RELEASE(add)) {
+
+ assert(!os_release);
+ os_release = TAKE_PTR(add);
+@@ -499,10 +512,12 @@ static int portable_extract_by_path(
+ child = 0;
+ }
+
+- /* When the portable image is layered, the image with units will not
+- * have a full filesystem, so no os-release - it will be in the root layer */
+- if (extract_os_release && !os_release)
+- return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Image '%s' lacks os-release data, refusing.", path);
++ if (!os_release)
++ return sd_bus_error_setf(error,
++ SD_BUS_ERROR_INVALID_ARGS,
++ "Image '%s' lacks %s data, refusing.",
++ path,
++ path_is_extension ? "extension-release" : "os-release");
+
+ if (ret_unit_files)
+ *ret_unit_files = TAKE_PTR(unit_files);
+@@ -555,14 +570,14 @@ int portable_extract(
+ }
+ }
+
+- r = portable_extract_by_path(image->path, true, matches, &os_release, &unit_files, error);
++ r = portable_extract_by_path(image->path, /* path_is_extension= */ false, matches, &os_release, &unit_files, error);
+ if (r < 0)
+ return r;
+
+ ORDERED_HASHMAP_FOREACH(ext, extension_images) {
+ _cleanup_hashmap_free_ Hashmap *extra_unit_files = NULL;
+
+- r = portable_extract_by_path(ext->path, false, matches, NULL, &extra_unit_files, error);
++ r = portable_extract_by_path(ext->path, /* path_is_extension= */ true, matches, NULL, &extra_unit_files, error);
+ if (r < 0)
+ return r;
+ r = hashmap_move(unit_files, extra_unit_files);
+@@ -1151,6 +1166,8 @@ int portable_attach(
+ size_t *n_changes,
+ sd_bus_error *error) {
+
++ _cleanup_free_ char *id = NULL, *version_id = NULL, *sysext_level = NULL;
++ _cleanup_(portable_metadata_unrefp) PortableMetadata *os_release = NULL;
+ _cleanup_ordered_hashmap_free_ OrderedHashmap *extension_images = NULL;
+ _cleanup_hashmap_free_ Hashmap *unit_files = NULL;
+ _cleanup_(lookup_paths_free) LookupPaths paths = {};
+@@ -1184,16 +1201,51 @@ int portable_attach(
+ }
+ }
+
+- r = portable_extract_by_path(image->path, true, matches, NULL, &unit_files, error);
++ r = portable_extract_by_path(image->path, /* path_is_extension= */ false, matches, &os_release, &unit_files, error);
+ if (r < 0)
+ return r;
+
++ /* If we are layering extension images on top of a runtime image, check that the os-release and extension-release metadata
++ * match, otherwise reject it immediately as invalid, or it will fail when the units are started. */
++ if (os_release) {
++ _cleanup_fclose_ FILE *f = NULL;
++
++ r = take_fdopen_unlocked(&os_release->fd, "r", &f);
++ if (r < 0)
++ return r;
++
++ r = parse_env_file(f, os_release->name,
++ "ID", &id,
++ "VERSION_ID", &version_id,
++ "SYSEXT_LEVEL", &sysext_level);
++ if (r < 0)
++ return r;
++ }
++
+ ORDERED_HASHMAP_FOREACH(ext, extension_images) {
++ _cleanup_(portable_metadata_unrefp) PortableMetadata *extension_release_meta = NULL;
+ _cleanup_hashmap_free_ Hashmap *extra_unit_files = NULL;
++ _cleanup_strv_free_ char **extension_release = NULL;
++ _cleanup_fclose_ FILE *f = NULL;
++
++ r = portable_extract_by_path(ext->path, /* path_is_extension= */ true, matches, &extension_release_meta, &extra_unit_files, error);
++ if (r < 0)
++ return r;
+
+- r = portable_extract_by_path(ext->path, false, matches, NULL, &extra_unit_files, error);
++ r = take_fdopen_unlocked(&extension_release_meta->fd, "r", &f);
+ if (r < 0)
+ return r;
++
++ r = load_env_file_pairs(f, extension_release_meta->name, &extension_release);
++ if (r < 0)
++ return r;
++
++ r = extension_release_validate(ext->path, id, version_id, sysext_level, extension_release);
++ if (r == 0)
++ return sd_bus_error_set_errnof(error, SYNTHETIC_ERRNO(ESTALE), "Image %s extension-release metadata does not match the root's", ext->path);
++ if (r < 0)
++ return sd_bus_error_set_errnof(error, r, "Failed to compare image %s extension-release metadata with the root's os-release: %m", ext->path);
++
+ r = hashmap_move(unit_files, extra_unit_files);
+ if (r < 0)
+ return r;
+diff --git a/src/portable/portable.h b/src/portable/portable.h
+index dd080edf4e..94144287ae 100644
+--- a/src/portable/portable.h
++++ b/src/portable/portable.h
+@@ -16,6 +16,7 @@ typedef struct PortableMetadata {
+ } PortableMetadata;
+
+ #define PORTABLE_METADATA_IS_OS_RELEASE(m) (streq((m)->name, "/etc/os-release"))
++#define PORTABLE_METADATA_IS_EXTENSION_RELEASE(m) (startswith((m)->name, "/usr/lib/extension-release.d/extension-release."))
+ #define PORTABLE_METADATA_IS_UNIT(m) (!IN_SET((m)->name[0], 0, '/'))
+
+ typedef enum PortableFlags {
+--
+2.33.0
+
diff --git a/backport-process-util-wait-for-processes-we-killed-even-if-ki.patch b/backport-process-util-wait-for-processes-we-killed-even-if-ki.patch
new file mode 100644
index 0000000000000000000000000000000000000000..4250b701ed4b943b837e6726eccbe93dcb55ea1c
--- /dev/null
+++ b/backport-process-util-wait-for-processes-we-killed-even-if-ki.patch
@@ -0,0 +1,46 @@
+From deda69dad784f9c4367533555ff4d7bf6308c0ff Mon Sep 17 00:00:00 2001
+From: Lennart Poettering
+Date: Wed, 3 Nov 2021 15:54:28 +0100
+Subject: [PATCH] process-util: wait for processes we killed even if killing
+ failed
+
+The processes might be zombies in which case killing will fail, but
+reaping them still matters.
+
+(cherry picked from commit 2c1612100daae9cef1b71c06ae4c4ec5f9378f09)
+
+Conflict:NA
+Reference:https://github.com/systemd/systemd/commit/deda69dad784f9c4367533555ff4d7bf6308c0ff
+---
+ src/basic/process-util.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/src/basic/process-util.c b/src/basic/process-util.c
+index 14259ea8df..461bbfe9a5 100644
+--- a/src/basic/process-util.c
++++ b/src/basic/process-util.c
+@@ -858,8 +858,8 @@ int wait_for_terminate_with_timeout(pid_t pid, usec_t timeout) {
+ void sigkill_wait(pid_t pid) {
+ assert(pid > 1);
+
+- if (kill(pid, SIGKILL) >= 0)
+- (void) wait_for_terminate(pid, NULL);
++ (void) kill(pid, SIGKILL);
++ (void) wait_for_terminate(pid, NULL);
+ }
+
+ void sigkill_waitp(pid_t *pid) {
+@@ -876,8 +876,8 @@ void sigkill_waitp(pid_t *pid) {
+ void sigterm_wait(pid_t pid) {
+ assert(pid > 1);
+
+- if (kill_and_sigcont(pid, SIGTERM) >= 0)
+- (void) wait_for_terminate(pid, NULL);
++ (void) kill_and_sigcont(pid, SIGTERM);
++ (void) wait_for_terminate(pid, NULL);
+ }
+
+ int kill_and_sigcont(pid_t pid, int sig) {
+--
+2.33.0
+
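Review bot: `image_name` can be NULL while `path_is_extension` is true: the directory-tree branch of `portable_extract_by_path()` calls `extract_now(path, matches, NULL, path_is_extension, -1, &os_release, &unit_files)`, and `extract_now()` then hands that NULL to `strjoina("/usr/lib/extension-release.d/extension-release.", image_name)` and `open_extension_release(where, image_name, ...)`. How those treat a NULL name is not visible in this patch, but the extension-release file that gets opened is then not selected by this extension's name, and that file is what `portable_attach()` feeds into `extension_release_validate()`. I would derive the name from `path` before the call, or refuse early in `extract_now()` with `if (path_is_extension && !image_name) return -EINVAL;`. Minor: the literal `"extension-release "` in the debug message has a trailing space, which prints a double blank before `file`. Both functions continue outside the hunks shown.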
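Review bot: The reason for discarding the kill result in `sigkill_wait()` and `sigterm_wait()` is recorded only in the commit message, so the two `(void)` casts read like an oversight in the code itself. I would put it next to the call, e.g. `/* Killing fails for zombies, but they still need to be reaped, hence wait regardless */`. Note also that `wait_for_terminate(pid, NULL)` now runs even when the signal could not be delivered for some other reason; if the process is still running in that case the wait presumably has no bound, and whether a caller can get there is not visible in these hunks. A debug log of the failed kill would at least leave a trace if that ever happens.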
diff --git a/backport-random-util-use-ssize_t-for-getrandom-return-value.patch b/backport-random-util-use-ssize_t-for-getrandom-return-value.patch
new file mode 100644
index 0000000000000000000000000000000000000000..df5788543ba5ce8a08eb047556b45a19def4a38e
--- /dev/null
+++ b/backport-random-util-use-ssize_t-for-getrandom-return-value.patch
@@ -0,0 +1,81 @@
+From a7ba75de06efb5a1d962c4b250f66e49e1d3ac6a Mon Sep 17 00:00:00 2001
+From: Mike Gilbert
+Date: Fri, 24 Dec 2021 19:20:36 -0500
+Subject: [PATCH] random-util: use ssize_t for getrandom return value
+
+This matches the prototype provided by glibc.
+
+(cherry picked from commit 289b41aae7356b7a6c72ff4a3476193a084ff33f)
+(cherry picked from commit 4d889024ef5ba1edc5d967a010a2551e0826e5d7)
+
+Conflict:NA
+Reference:https://github.com/systemd/systemd/commit/a7ba75de06efb5a1d962c4b250f66e49e1d3ac6a
+---
+ src/basic/missing_syscall.h | 3 ++-
+ src/basic/random-util.c | 16 ++++++++--------
+ 2 files changed, 10 insertions(+), 9 deletions(-)
+
+diff --git a/src/basic/missing_syscall.h b/src/basic/missing_syscall.h
+index 9e3a165857..279c5911bd 100644
+--- a/src/basic/missing_syscall.h
++++ b/src/basic/missing_syscall.h
+@@ -57,7 +57,8 @@ static inline int missing_memfd_create(const char *name, unsigned int flags) {
+ /* ======================================================================= */
+
+ #if !HAVE_GETRANDOM
+-static inline int missing_getrandom(void *buffer, size_t count, unsigned flags) {
++/* glibc says getrandom() returns ssize_t */
++static inline ssize_t missing_getrandom(void *buffer, size_t count, unsigned flags) {
+ # ifdef __NR_getrandom
+ return syscall(__NR_getrandom, buffer, count, flags);
+ # else
+diff --git a/src/basic/random-util.c b/src/basic/random-util.c
+index c2be962355..e117330857 100644
+--- a/src/basic/random-util.c
++++ b/src/basic/random-util.c
+@@ -161,7 +161,6 @@ int genuine_random_bytes(void *p, size_t n, RandomFlags flags) {
+ static int have_syscall = -1;
+ _cleanup_close_ int fd = -1;
+ bool got_some = false;
+- int r;
+
+ /* Gathers some high-quality randomness from the kernel (or potentially mid-quality randomness from
+ * the CPU if the RANDOM_ALLOW_RDRAND flag is set). This call won't block, unless the RANDOM_BLOCK
+@@ -220,18 +219,19 @@ int genuine_random_bytes(void *p, size_t n, RandomFlags flags) {
+ if (have_syscall != 0 && !HAS_FEATURE_MEMORY_SANITIZER) {
+
+ for (;;) {
+- r = getrandom(p, n,
++ ssize_t l;
++ l = getrandom(p, n,
+ (FLAGS_SET(flags, RANDOM_BLOCK) ? 0 : GRND_NONBLOCK) |
+ (FLAGS_SET(flags, RANDOM_ALLOW_INSECURE) ? GRND_INSECURE : 0));
+- if (r > 0) {
++ if (l > 0) {
+ have_syscall = true;
+
+- if ((size_t) r == n)
++ if ((size_t) l == n)
+ return 0; /* Yay, success! */
+
+- assert((size_t) r < n);
+- p = (uint8_t*) p + r;
+- n -= r;
++ assert((size_t) l < n);
++ p = (uint8_t*) p + l;
++ n -= l;
+
+ if (FLAGS_SET(flags, RANDOM_EXTEND_WITH_PSEUDO)) {
+ /* Fill in the remaining bytes using pseudo-random values */
+@@ -248,7 +248,7 @@ int genuine_random_bytes(void *p, size_t n, RandomFlags flags) {
+ /* Fill in the rest with /dev/urandom */
+ break;
+
+- } else if (r == 0) {
++ } else if (l == 0) {
+ have_syscall = true;
+ return -EIO;
+
+--
+2.33.0
+
diff --git a/backport-repart-use-real-disk-start-end-for-bar-production.patch b/backport-repart-use-real-disk-start-end-for-bar-production.patch
new file mode 100644
index 0000000000000000000000000000000000000000..5c323084a1acf6844df08bc1bcb30729a5a86d09
--- /dev/null
+++ b/backport-repart-use-real-disk-start-end-for-bar-production.patch
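Review bot: In the `for (;;)` loop of `genuine_random_bytes()` the new variable is declared and assigned in two separate statements, `ssize_t l;` followed by `l = getrandom(p, n,`. Since it is now local to the loop body it can be initialised at the declaration, `ssize_t l = getrandom(p, n,`, so that no uninitialised `l` is ever in scope. The function body continues outside the hunk.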
@@ -0,0 +1,48 @@
+From 0c3c3db042a24d11da7accf777029fbaf8db5a29 Mon Sep 17 00:00:00 2001
+From: Tom Yan
+Date: Mon, 20 Dec 2021 01:30:38 +0800
+Subject: [PATCH] repart: use real disk start/end for bar production
+
+Partitions are not always within our aligned scope. Bar printing
+involves foreign partitions as well.
+
+Fixes #21817.
+
+(cherry picked from commit d8daed09f37bc9f8ecb9268a4e371f65aec8b24a)
+
+Conflict:NA
+Reference:https://github.com/systemd/systemd/commit/0c3c3db042a24d11da7accf777029fbaf8db5a29
+---
+ src/partition/repart.c | 14 ++++++--------
+ 1 file changed, 6 insertions(+), 8 deletions(-)
+
+diff --git a/src/partition/repart.c b/src/partition/repart.c
+index 7602ac6aa8..9f0fe9e10d 100644
+--- a/src/partition/repart.c
++++ b/src/partition/repart.c
+@@ -2103,16 +2103,14 @@ static void context_bar_char_process_partition(
+ from = p->offset;
+ to = from + p->new_size;
+
+- assert(context->end >= context->start);
+- total = context->end - context->start;
++ assert(context->total > 0);
++ total = context->total;
+
+- assert(from >= context->start);
+- assert(from <= context->end);
+- x = (from - context->start) * n / total;
++ assert(from <= total);
++ x = from * n / total;
+
+- assert(to >= context->start);
+- assert(to <= context->end);
+- y = (to - context->start) * n / total;
++ assert(to <= total);
++ y = to * n / total;
+
+ assert(x <= y);
+ assert(y <= n);
+--
+2.33.0
+
diff --git a/backport-repart-use-right-error-variable.patch b/backport-repart-use-right-error-variable.patch
new file mode 100644
index 0000000000000000000000000000000000000000..620cde1b753e837aca8dc2ab74ef43a462830613
--- /dev/null
+++ b/backport-repart-use-right-error-variable.patch
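Review bot: `assert(from <= total)` and `assert(to <= total)` in `context_bar_char_process_partition()` check offsets that, per the commit message, also come from foreign partitions, i.e. from whatever the on-disk table says. A table entry that ends past the reported size is odd input rather than a programming error, so I would clamp for display instead of asserting, e.g. `from = MIN(from, total);` and `to = MIN(to, total);` before computing `x` and `y`. Whether such entries are rejected earlier is not visible, since the function starts and ends outside the hunk. As far as the hunk shows, `to = from + p->new_size` is also not checked for wraparound.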
@@ -0,0 +1,38 @@
+From b57f76bff912de738a8da8feceb298160bebab26 Mon Sep 17 00:00:00 2001
+From: Lennart Poettering
+Date: Tue, 5 Oct 2021 14:10:27 +0200
+Subject: [PATCH] repart: use right error variable
+
+(cherry picked from commit 8ac04a65477b59c9143b635c0c0daa5152d9b466)
+
+Conflict:NA
+Reference:https://github.com/systemd/systemd/commit/b57f76bff912de738a8da8feceb298160bebab26
+---
+ src/partition/repart.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/partition/repart.c b/src/partition/repart.c
+index 851c68cc4b..3c80d1380a 100644
+--- a/src/partition/repart.c
++++ b/src/partition/repart.c
+@@ -2784,7 +2784,7 @@ static int context_copy_blocks(Context *context) {
+ return log_error_errno(r, "Failed to copy in data from '%s': %m", p->copy_blocks_path);
+
+ if (fsync(target_fd) < 0)
+- return log_error_errno(r, "Failed to synchronize copied data blocks: %m");
++ return log_error_errno(errno, "Failed to synchronize copied data blocks: %m");
+
+ if (p->encrypt != ENCRYPT_OFF) {
+ encrypted_dev_fd = safe_close(encrypted_dev_fd);
+@@ -3060,7 +3060,7 @@ static int context_mkfs(Context *context) {
+
+ if (p->encrypt != ENCRYPT_OFF) {
+ if (fsync(encrypted_dev_fd) < 0)
+- return log_error_errno(r, "Failed to synchronize LUKS volume: %m");
++ return log_error_errno(errno, "Failed to synchronize LUKS volume: %m");
+ encrypted_dev_fd = safe_close(encrypted_dev_fd);
+
+ r = deactivate_luks(cd, encrypted);
+--
+2.33.0
+
diff --git a/backport-resolvconf-compat-make-u-operation-a-NOP.patch b/backport-resolvconf-compat-make-u-operation-a-NOP.patch
new file mode 100644
index 0000000000000000000000000000000000000000..2b371f25dcc49a7ffa8379745909264b902eca6e
--- /dev/null
+++ b/backport-resolvconf-compat-make-u-operation-a-NOP.patch
@@ -0,0 +1,57 @@
+From 4fe53426991e829c0add9378d91f3677a23076fd Mon Sep 17 00:00:00 2001
+From: Lennart Poettering
+Date: Wed, 29 Sep 2021 10:48:24 +0200
+Subject: [PATCH] resolvconf-compat: make "-u" operation a NOP
+
+According to the various man pages of "resolvconf" the -u switch is for:
+
+"-u Just run the update scripts (if updating is enabled)."
+
+"-u Force resolvconf to update all its subscribers. resolvconf does not
+ update the subscribers when adding a resolv.conf that matches what
+ it already has for that interface."
+
+We have no "subscribers", we ourselves are the only "subscriber" we
+support. Hence it's probably better to ignore such a request and make it
+a NOP, then to fail.
+
+Fixes: #20748
+(cherry picked from commit bee07a399572e0d60600c040a84099ecb418ed33)
+
+Conflict:NA
+Reference:https://github.com/systemd/systemd/commit/4fe53426991e829c0add9378d91f3677a23076fd
+---
+ src/resolve/resolvconf-compat.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/src/resolve/resolvconf-compat.c b/src/resolve/resolvconf-compat.c
+index 93ded6d564..991c62e21d 100644
+--- a/src/resolve/resolvconf-compat.c
++++ b/src/resolve/resolvconf-compat.c
+@@ -39,8 +39,8 @@ static int resolvconf_help(void) {
+ "This is a compatibility alias for the resolvectl(1) tool, providing native\n"
+ "command line compatibility with the resolvconf(8) tool of various Linux\n"
+ "distributions and BSD systems. Some options supported by other implementations\n"
+- "are not supported and are ignored: -m, -p. Various options supported by other\n"
+- "implementations are not supported and will cause the invocation to fail: -u,\n"
++ "are not supported and are ignored: -m, -p, -u. Various options supported by other\n"
++ "implementations are not supported and will cause the invocation to fail:\n"
+ "-I, -i, -l, -R, -r, -v, -V, --enable-updates, --disable-updates,\n"
+ "--updates-are-enabled.\n"
+ "\nSee the %2$s for details.\n",
+@@ -171,8 +171,11 @@ int resolvconf_parse_argv(int argc, char *argv[]) {
+ log_debug("Switch -%c ignored.", c);
+ break;
+
+- /* Everybody else can agree on the existence of -u but we don't support it. */
++ /* -u supposedly should "update all subscribers". We have no subscribers, hence let's make
++ this a NOP, and exit immediately, cleanly. */
+ case 'u':
++ log_info("Switch -%c ignored.", c);
++ return 0;
+
+ /* The following options are openresolv inventions we don't support. */
+ case 'I':
+--
+2.33.0
+
diff --git a/backport-resolve-add-reference-of-the-original-bus-message-to.patch b/backport-resolve-add-reference-of-the-original-bus-message-to.patch
new file mode 100644
index 0000000000000000000000000000000000000000..578c244dae9d9119eb72190cf49e62cf12c8d463
--- /dev/null
+++ b/backport-resolve-add-reference-of-the-original-bus-message-to.patch
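Review bot: The new `case 'u':` in `resolvconf_parse_argv()` leaves option parsing with `return 0;`, so anything that follows `-u` on the same command line is dropped without being looked at, while the help text now lists `-u` alongside `-m` and `-p`, which appear to keep parsing (`log_debug("Switch -%c ignored.", c); break;` in the context lines above). If the switch is meant to be ignored like those, `break;` would match; if the early exit is intended, the help text should say that `-u` ends processing. The log level also differs (`log_info` here, `log_debug` for the other ignored switches), and the second line of the new comment lacks the leading ` * `. What the caller does with a return value of 0 is outside the hunk.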
@@ -0,0 +1,34 @@
+From 965e8b5a691d05b32ecadbe1d4d00de2200492c2 Mon Sep 17 00:00:00 2001
+From: Yu Watanabe
+Date: Fri, 11 Feb 2022 09:43:16 +0900
+Subject: [PATCH] resolve: add reference of the original bus message to the aux
+ queries
+
+Otherwise, the error in aux queries cannot be replied.
+
+Fixes #22477.
+
+(cherry picked from commit 08275791d85a1852e79951212f6cbbc727db789a)
+(cherry picked from commit 919d398668d2baa1873e61f7f502fac910a9d606)
+
+Conflict:NA
+Reference:https://github.com/systemd/systemd/commit/965e8b5a691d05b32ecadbe1d4d00de2200492c2
+---
+ src/resolve/resolved-bus.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/resolve/resolved-bus.c b/src/resolve/resolved-bus.c
+index ed06895ed9..61d4b50c5b 100644
+--- a/src/resolve/resolved-bus.c
++++ b/src/resolve/resolved-bus.c
+@@ -1137,6 +1137,7 @@ static int resolve_service_hostname(DnsQuery *q, DnsResourceRecord *rr, int ifin
+ if (r < 0)
+ return r;
+
++ aux->bus_request = sd_bus_message_ref(q->bus_request);
+ aux->request_family = q->request_family;
+ aux->complete = resolve_service_hostname_complete;
+
+--
+2.33.0
+
diff --git a/backport-resolve-drop-never-matched-condition.patch b/backport-resolve-drop-never-matched-condition.patch
new file mode 100644
index 0000000000000000000000000000000000000000..2144bf3226aeaa48edbbaf8dbfe23ebf53ec301c
--- /dev/null
+++ b/backport-resolve-drop-never-matched-condition.patch
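Review bot: Nothing in the hunk shows where the reference taken by `aux->bus_request = sd_bus_message_ref(q->bus_request);` in `resolve_service_hostname()` is released again. Please confirm that freeing `aux` unrefs `bus_request` on every path, including the error returns that follow this point in the function, since otherwise each auxiliary lookup keeps a bus message pinned. A short comment would also help the next reader, e.g. `/* The aux query replies errors on the original request, hence keep it referenced */`. The function body continues outside the hunk.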
@@ -0,0 +1,49 @@
+From 7b99795c46d4cd61501a31364894f13ac3a9e60d Mon Sep 17 00:00:00 2001
+From: Yu Watanabe
+Date: Wed, 23 Feb 2022 07:49:40 +0900
+Subject: [PATCH] resolve: drop never matched condition
+
+As dns_scope_good_domain() does not return negative errno.
+
+(cherry picked from commit 830f50ab1e03fa7ee262876ed42023d10e89688d)
+(cherry picked from commit 499115dbc3408f9a85160099e114bbaf0bacfe84)
+
+Conflict:NA
+Reference:https://github.com/systemd/systemd/commit/7b99795c46d4cd61501a31364894f13ac3a9e60d
+---
+ src/resolve/resolved-dns-query.c | 12 ++----------
+ 1 file changed, 2 insertions(+), 10 deletions(-)
+
+diff --git a/src/resolve/resolved-dns-query.c b/src/resolve/resolved-dns-query.c
+index 192bfd3bf5..4d15240e25 100644
+--- a/src/resolve/resolved-dns-query.c
++++ b/src/resolve/resolved-dns-query.c
+@@ -743,11 +743,7 @@ int dns_query_go(DnsQuery *q) {
+ continue;
+
+ match = dns_scope_good_domain(s, q->ifindex, q->flags, name);
+- if (match < 0) {
+- log_debug("Couldn't check if '%s' matches against scope, ignoring.", name);
+- continue;
+- }
+-
++ assert(match >= 0);
+ if (match > found) { /* Does this match better? If so, remember how well it matched, and the first one
+ * that matches this well */
+ found = match;
+@@ -779,11 +775,7 @@ int dns_query_go(DnsQuery *q) {
+ continue;
+
+ match = dns_scope_good_domain(s, q->ifindex, q->flags, name);
+- if (match < 0) {
+- log_debug("Couldn't check if '%s' matches against scope, ignoring.", name);
+- continue;
+- }
+-
++ assert(match >= 0);
+ if (match < found)
+ continue;
+
+--
+2.33.0
+
diff --git a/backport-resolve-fix-assertion-triggered-when-r-0.patch b/backport-resolve-fix-assertion-triggered-when-r-0.patch
new file mode 100644
index 0000000000000000000000000000000000000000..61fabd1e551816315a54b3a3c099033e0e09750c
--- /dev/null
+++ b/backport-resolve-fix-assertion-triggered-when-r-0.patch
@@ -0,0 +1,35 @@
+From bfa7063dac7173858ddddda7c49eda95a9dd89bf Mon Sep 17 00:00:00 2001
+From: Yu Watanabe
+Date: Thu, 20 Jan 2022 05:24:31 +0900
+Subject: [PATCH] resolve: fix assertion triggered when r == 0
+
+Fixes #22178.
+
+(cherry picked from commit 98b1eb711cfc70776fefd3d4ec437a6a4f9aeff2)
+(cherry picked from commit 740dd39e070b3b827cbac37df2a40d61bd9cdb89)
+
+Conflict:NA
+Reference:https://github.com/systemd/systemd/commit/bfa7063dac7173858ddddda7c49eda95a9dd89bf
+---
+ src/resolve/resolved-etc-hosts.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/src/resolve/resolved-etc-hosts.c b/src/resolve/resolved-etc-hosts.c
+index 9af3a27bb1..a8da6c3d88 100644
+--- a/src/resolve/resolved-etc-hosts.c
++++ b/src/resolve/resolved-etc-hosts.c
+@@ -109,7 +109,10 @@ static int parse_line(EtcHosts *hosts, unsigned nr, const char *line) {
+
+ r = dns_name_is_valid_ldh(name);
+ if (r <= 0) {
+- log_warning_errno(r, "/etc/hosts:%u: hostname \"%s\" is not valid, ignoring.", nr, name);
++ if (r < 0)
++ log_warning_errno(r, "/etc/hosts:%u: Failed to check the validity of hostname \"%s\", ignoring: %m", nr, name);
++ else
++ log_warning("/etc/hosts:%u: hostname \"%s\" is not valid, ignoring.", nr, name);
+ continue;
+ }
+
+--
+2.33.0
+
diff --git a/backport-resolve-fix-possible-memleak.patch b/backport-resolve-fix-possible-memleak.patch
new file mode 100644
index 0000000000000000000000000000000000000000..cc0955b09215f86e9f2805efac71cb004229314c
--- /dev/null
+++ b/backport-resolve-fix-possible-memleak.patch
@@ -0,0 +1,41 @@
+From 11f8123bbf36801ec436dc77d42a8e253eed1fb7 Mon Sep 17 00:00:00 2001
+From: Yu Watanabe
+Date: Sat, 5 Feb 2022 22:03:19 +0900
+Subject: [PATCH] resolve: fix possible memleak
+
+Fortunately, unlike the issue fixed in the previous commit, the memleak
+should be superficial and not become apparent, as the queries handled
+here are managed by the stub stream, and will be freed when the stream
+is closed.
+
+Just for safety, and slightly reducing the runtime memory usage by the
+stub stream.
+
+(cherry picked from commit fe8c5ce615ee2123f17b1f0b3728c439e19e4b5b)
+(cherry picked from commit 4dbc210124b4303ecadb6cdb28a4a4c821e1150b)
+
+Conflict:NA
+Reference:https://github.com/systemd/systemd/commit/11f8123bbf36801ec436dc77d42a8e253eed1fb7
+---
+ src/resolve/resolved-dns-stub.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/resolve/resolved-dns-stub.c b/src/resolve/resolved-dns-stub.c
+index 49da916576..8040db70f9 100644
+--- a/src/resolve/resolved-dns-stub.c
++++ b/src/resolve/resolved-dns-stub.c
+@@ -755,8 +755,10 @@ static void dns_stub_query_complete(DnsQuery *q) {
+ * packet doesn't answer our question. In that case let's restart the query,
+ * now with the redirected question. We'll */
+ r = dns_query_go(q);
+- if (r < 0)
++ if (r < 0) {
+ log_debug_errno(r, "Failed to restart query: %m");
++ dns_query_free(q);
++ }
+
+ return;
+ }
+--
+2.33.0
+
diff --git a/backport-resolve-fix-potential-memleak-and-use-after-free.patch b/backport-resolve-fix-potential-memleak-and-use-after-free.patch
new file mode 100644
index 0000000000000000000000000000000000000000..1cc6f9b0e3cbf89ea2f5519085f9563bf357a70f
--- /dev/null
+++ b/backport-resolve-fix-potential-memleak-and-use-after-free.patch
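Review bot: The new `dns_query_free(q);` in the failed-restart branch of `dns_stub_query_complete()` frees a query that, according to the commit message, is also managed by the stub stream and freed when that stream is closed. That is only safe if `dns_query_free()` removes `q` from the stream's bookkeeping, which is not visible in this hunk; if it does not, closing the stream later would touch or free `q` a second time. Please confirm the detach happens, and once verified note it at the call, e.g. `/* dns_query_free() also unlinks the query from its stub stream */`. The function starts outside the hunk; the `return;` directly after means `q` is not used again locally.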
@@ -0,0 +1,40 @@
+From 8baf04a6588bd392f606a3d55b0711cdd00b4b80 Mon Sep 17 00:00:00 2001
+From: Yu Watanabe
+Date: Sat, 5 Feb 2022 21:37:01 +0900
+Subject: [PATCH] resolve: fix potential memleak and use-after-free
+
+When stub stream is closed early, then queries associated to the stream
+are freed. Previously, the timer event source for queries may not be
+disabled, hence may be triggered with already freed query.
+See also dns_stub_stream_complete().
+
+Note that we usually not set NULL or zero when freeing simple objects.
+But, here DnsQuery is large and complicated object, and the element may
+be referenced in subsequent freeing process in the future. Hence, for
+safety, let's set NULL to the pointer.
+
+(cherry picked from commit 73bfd7be042cc63e7649242b377ad494bf74ea4b)
+(cherry picked from commit d82bd80cf4e7659906a502735b20a45964b55a88)
+
+Conflict:NA
+Reference:https://github.com/systemd/systemd/commit/8baf04a6588bd392f606a3d55b0711cdd00b4b80
+---
+ src/resolve/resolved-dns-query.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/resolve/resolved-dns-query.c b/src/resolve/resolved-dns-query.c
+index 7f341986d9..6d372395fe 100644
+--- a/src/resolve/resolved-dns-query.c
++++ b/src/resolve/resolved-dns-query.c
+@@ -381,6 +381,8 @@ DnsQuery *dns_query_free(DnsQuery *q) {
+ if (!q)
+ return NULL;
+
++ q->timeout_event_source = sd_event_source_disable_unref(q->timeout_event_source);
++
+ while (q->auxiliary_queries)
+ dns_query_free(q->auxiliary_queries);
+
+--
+2.33.0
+
diff --git a/backport-resolve-make-dns_scope_good_domain-take-DnsQuery.patch b/backport-resolve-make-dns_scope_good_domain-take-DnsQuery.patch
new file mode 100644
index 0000000000000000000000000000000000000000..dc34ed50c33bb04448e2c22a5b16ce6466ebedeb
--- /dev/null
+++ b/backport-resolve-make-dns_scope_good_domain-take-DnsQuery.patch
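Review bot: The added `q->timeout_event_source = sd_event_source_disable_unref(q->timeout_event_source);` at the top of `dns_query_free()` is the actual use-after-free fix, yet the code gives no hint why the timer must be disabled before the auxiliary queries are torn down. I would add a comment above it, e.g. `/* Disable the timeout first, so that it cannot fire on a query that is already being freed */`. The rest of `dns_query_free()` is outside the hunk, so I could not check whether other event sources owned by the query need the same treatment.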
@@ -0,0 +1,116 @@
+From 8cc818cdc726c8185387b413e8a2f31e00d7c185 Mon Sep 17 00:00:00 2001
+From: Yu Watanabe
+Date: Wed, 23 Feb 2022 07:50:30 +0900
+Subject: [PATCH] resolve: make dns_scope_good_domain() take DnsQuery*
+
+(cherry picked from commit 176a9a2cca47f7c1553d96f7dd51c2193a269dbc)
+(cherry picked from commit 54ab65f5f3da22985126dc3ae846a777d6b555a9)
+
+Conflict:NA
+Reference:https://github.com/systemd/systemd/commit/8cc818cdc726c8185387b413e8a2f31e00d7c185
+---
+ src/resolve/resolved-dns-query.c | 14 ++------------
+ src/resolve/resolved-dns-scope.c | 21 +++++++++++++++++----
+ src/resolve/resolved-dns-scope.h | 4 ++--
+ 3 files changed, 21 insertions(+), 18 deletions(-)
+
+diff --git a/src/resolve/resolved-dns-query.c b/src/resolve/resolved-dns-query.c
+index 4d15240e25..24cd7cddf5 100644
+--- a/src/resolve/resolved-dns-query.c
++++ b/src/resolve/resolved-dns-query.c
+@@ -736,13 +736,8 @@ int dns_query_go(DnsQuery *q) {
+
+ LIST_FOREACH(scopes, s, q->manager->dns_scopes) {
+ DnsScopeMatch match;
+- const char *name;
+
+- name = dns_question_first_name(dns_query_question_for_protocol(q, s->protocol));
+- if (!name)
+- continue;
+-
+- match = dns_scope_good_domain(s, q->ifindex, q->flags, name);
++ match = dns_scope_good_domain(s, q);
+ assert(match >= 0);
+ if (match > found) { /* Does this match better? If so, remember how well it matched, and the first one
+ * that matches this well */
+@@ -768,13 +763,8 @@ int dns_query_go(DnsQuery *q) {
+
+ LIST_FOREACH(scopes, s, first->scopes_next) {
+ DnsScopeMatch match;
+- const char *name;
+-
+- name = dns_question_first_name(dns_query_question_for_protocol(q, s->protocol));
+- if (!name)
+- continue;
+
+- match = dns_scope_good_domain(s, q->ifindex, q->flags, name);
++ match = dns_scope_good_domain(s, q);
+ assert(match >= 0);
+ if (match < found)
+ continue;
+diff --git a/src/resolve/resolved-dns-scope.c b/src/resolve/resolved-dns-scope.c
+index 2546d0d4da..47edba6bc3 100644
+--- a/src/resolve/resolved-dns-scope.c
++++ b/src/resolve/resolved-dns-scope.c
+@@ -584,11 +584,13 @@ static DnsScopeMatch match_subnet_reverse_lookups(
+
+ DnsScopeMatch dns_scope_good_domain(
+ DnsScope *s,
+- int ifindex,
+- uint64_t flags,
+- const char *domain) {
++ DnsQuery *q) {
+
++ DnsQuestion *question;
+ DnsSearchDomain *d;
++ const char *domain;
++ uint64_t flags;
++ int ifindex;
+
+ /* This returns the following return values:
+ *
+@@ -602,7 +604,18 @@ DnsScopeMatch dns_scope_good_domain(
+ */
+
+ assert(s);
+- assert(domain);
++ assert(q);
++
++ question = dns_query_question_for_protocol(q, s->protocol);
++ if (!question)
++ return DNS_SCOPE_NO;
++
++ domain = dns_question_first_name(question);
++ if (!domain)
++ return DNS_SCOPE_NO;
++
++ ifindex = q->ifindex;
++ flags = q->flags;
+
+ /* Checks if the specified domain is something to look up on this scope. Note that this accepts
+ * non-qualified hostnames, i.e. those without any search path suffixed. */
+diff --git a/src/resolve/resolved-dns-scope.h b/src/resolve/resolved-dns-scope.h
+index a2b9546b38..1f9d22b7d1 100644
+--- a/src/resolve/resolved-dns-scope.h
++++ b/src/resolve/resolved-dns-scope.h
+@@ -10,7 +10,7 @@ typedef struct DnsScope DnsScope;
+ #include "resolved-dns-cache.h"
+ #include "resolved-dns-dnssec.h"
+ #include "resolved-dns-packet.h"
+-
++#include "resolved-dns-query.h"
+ #include "resolved-dns-search-domain.h"
+ #include "resolved-dns-server.h"
+ #include "resolved-dns-stream.h"
+@@ -76,7 +76,7 @@ int dns_scope_emit_udp(DnsScope *s, int fd, int af, DnsPacket *p);
+ int dns_scope_socket_tcp(DnsScope *s, int family, const union in_addr_union *address, DnsServer *server, uint16_t port, union sockaddr_union *ret_socket_address);
+ int dns_scope_socket_udp(DnsScope *s, DnsServer *server);
+
+-DnsScopeMatch dns_scope_good_domain(DnsScope *s, int ifindex, uint64_t flags, const char *domain);
++DnsScopeMatch dns_scope_good_domain(DnsScope *s, DnsQuery *q);
+ bool dns_scope_good_key(DnsScope *s, const DnsResourceKey *key);
+
+ DnsServer *dns_scope_get_dns_server(DnsScope *s);
+--
+2.33.0
+
diff --git a/backport-resolve-refuse-AF_UNSPEC-when-resolving-address.patch b/backport-resolve-refuse-AF_UNSPEC-when-resolving-address.patch
new file mode 100644
index 0000000000000000000000000000000000000000..033898af29ef770e1e2789551aae5088b9a997ed
--- /dev/null
+++ b/backport-resolve-refuse-AF_UNSPEC-when-resolving-address.patch
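Review bot: A scope without a question or first name now yields `DNS_SCOPE_NO` from `dns_scope_good_domain()`, where both loops in `dns_query_go()` used to `continue` before calling it, so equivalence depends on how each loop treats that value. In the second loop the result reaches `if (match < found) continue;`, which only skips such a scope as long as `found` is above `DNS_SCOPE_NO` at that point; the code between the two loops is outside the hunk, so that precondition should be confirmed. The return-value comment at the top of `dns_scope_good_domain()` should also gain a line saying that a missing question or name returns `DNS_SCOPE_NO`.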
@@ -0,0 +1,32 @@
+From 63590abb5dd48fbcc8c0dfc5dfc1ee088382d5f7 Mon Sep 17 00:00:00 2001
+From: Yu Watanabe
+Date: Fri, 11 Feb 2022 09:49:13 +0900
+Subject: [PATCH] resolve: refuse AF_UNSPEC when resolving address
+
+Fixes #22480.
+
+(cherry picked from commit 0234f0c0531682e7f28a4ef51852c102c6e97267)
+(cherry picked from commit 084c88983eaecbf23e113db5a7ee11f94b60472b)
+
+Conflict:NA
+Reference:https://github.com/systemd/systemd/commit/63590abb5dd48fbcc8c0dfc5dfc1ee088382d5f7
+---
+ src/resolve/resolved-varlink.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/resolve/resolved-varlink.c b/src/resolve/resolved-varlink.c
+index 6f4ab425ef..9a61b19e61 100644
+--- a/src/resolve/resolved-varlink.c
++++ b/src/resolve/resolved-varlink.c
+@@ -484,7 +484,7 @@ static int vl_method_resolve_address(Varlink *link, JsonVariant *parameters, Var
+ if (p.ifindex < 0)
+ return varlink_error_invalid_parameter(link, JSON_VARIANT_STRING_CONST("ifindex"));
+
+- if (!IN_SET(p.family, AF_UNSPEC, AF_INET, AF_INET6))
++ if (!IN_SET(p.family, AF_INET, AF_INET6))
+ return varlink_error_invalid_parameter(link, JSON_VARIANT_STRING_CONST("family"));
+
+ if (FAMILY_ADDRESS_SIZE(p.family) != p.address_size)
+--
+2.33.0
+
diff --git a/backport-resolve-remove-server-large-level.patch b/backport-resolve-remove-server-large-level.patch
new file mode 100644
index 0000000000000000000000000000000000000000..d51cfd9b7f511666cfcd9f60afe8635ce6912281
--- /dev/null
+++ b/backport-resolve-remove-server-large-level.patch
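Review bot: The narrowed `IN_SET(p.family, AF_INET, AF_INET6)` test in vl_method_resolve_address() (resolved-varlink.c) carries no comment saying why AF_UNSPEC is refused, and the reason only shows in the next check, which derives the expected address length from `p.family` through `FAMILY_ADDRESS_SIZE()`. Because this validates client-supplied Varlink parameters, I would add `/* A reverse lookup needs a concrete family: the address size check below depends on it. */` above the test so that AF_UNSPEC is not re-admitted later. The function starts and ends outside the hunk; if `p.family` defaults to AF_UNSPEC there, a request that omits the family is now answered with an invalid-parameter error on "family", which should be stated in the interface documentation.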
@@ -0,0 +1,152 @@ +From 0bc9811acfd2535bf8a7a16a3903a2c22df206c9 Mon Sep 17 00:00:00 2001 +From: Dan Streetman +Date: Fri, 20 Aug 2021 14:44:35 -0400 +Subject: [PATCH] resolve: remove server 'large' level + +This removes the DNS_SERVER_FEATURE_LEVEL_LARGE, and sets the EDNS0 +advertised max packet size as if always in 'large' mode. + +Without this, we always send out EDNS0 opts that limit response sizes +to 512 bytes, thus the remote server will never send anything larger +and will always truncate responses larger than 512 bytes, forcing us +to drop from EDNS0 down to TCP, even though one of the primary benefits +of EDNS0 is larger packet sizes. + +Fixes: #20993 +(cherry picked from commit 526fce97afe130f71dba3bd4646196bbb1188b82) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/0bc9811acfd2535bf8a7a16a3903a2c22df206c9 +--- + src/resolve/resolved-dns-server.c | 63 +++++++++++-------------------- + src/resolve/resolved-dns-server.h | 3 +- + 2 files changed, 24 insertions(+), 42 deletions(-) + +diff --git a/src/resolve/resolved-dns-server.c b/src/resolve/resolved-dns-server.c +index 58a1376708..a21148d288 100644 +--- a/src/resolve/resolved-dns-server.c ++++ b/src/resolve/resolved-dns-server.c +@@ -282,11 +282,6 @@ void dns_server_packet_received(DnsServer *s, int protocol, DnsServerFeatureLeve + if (s->packet_bad_opt && level >= DNS_SERVER_FEATURE_LEVEL_EDNS0) + level = DNS_SERVER_FEATURE_LEVEL_EDNS0 - 1; + +- /* Even if we successfully receive a reply to a request announcing support for large packets, that +- * does not mean we can necessarily receive large packets. */ +- if (level == DNS_SERVER_FEATURE_LEVEL_LARGE) +- level = DNS_SERVER_FEATURE_LEVEL_LARGE - 1; +- + dns_server_verified(s, level); + + /* Remember the size of the largest UDP packet fragment we received from a server, we know that we +@@ -429,7 +424,7 @@ DnsServerFeatureLevel dns_server_possible_feature_level(DnsServer *s) { + * better than EDNS0, hence don't even try. 
*/ + if (dns_server_get_dnssec_mode(s) != DNSSEC_NO) + best = dns_server_get_dns_over_tls_mode(s) == DNS_OVER_TLS_NO ? +- DNS_SERVER_FEATURE_LEVEL_LARGE : ++ DNS_SERVER_FEATURE_LEVEL_DO : + DNS_SERVER_FEATURE_LEVEL_TLS_DO; + else + best = dns_server_get_dns_over_tls_mode(s) == DNS_OVER_TLS_NO ? +@@ -597,7 +592,7 @@ DnsServerFeatureLevel dns_server_possible_feature_level(DnsServer *s) { + } + + int dns_server_adjust_opt(DnsServer *server, DnsPacket *packet, DnsServerFeatureLevel level) { +- size_t packet_size; ++ size_t packet_size, udp_size; + bool edns_do; + int r; + +@@ -616,40 +611,29 @@ int dns_server_adjust_opt(DnsServer *server, DnsPacket *packet, DnsServerFeature + + edns_do = level >= DNS_SERVER_FEATURE_LEVEL_DO; + +- if (level == DNS_SERVER_FEATURE_LEVEL_LARGE) { +- size_t udp_size; +- +- /* In large mode, advertise the local MTU, in order to avoid fragmentation (for security +- * reasons) – except if we are talking to localhost (where the security considerations don't +- * matter). If we see fragmentation, lower the reported size to the largest fragment, to +- * avoid it. */ +- +- udp_size = udp_header_size(server->family); +- +- if (in_addr_is_localhost(server->family, &server->address) > 0) +- packet_size = 65536 - udp_size; /* force linux loopback MTU if localhost address */ +- else { +- /* Use the MTU pointing to the server, subtract the IP/UDP header size */ +- packet_size = LESS_BY(dns_server_get_mtu(server), udp_size); ++ udp_size = udp_header_size(server->family); + +- /* On the Internet we want to avoid fragmentation for security reasons. If we saw +- * fragmented packets, the above was too large, let's clamp it to the largest +- * fragment we saw */ +- if (server->packet_fragmented) +- packet_size = MIN(server->received_udp_fragment_max, packet_size); +- +- /* Let's not pick ridiculously large sizes, i.e. not more than 4K. No one appears +- * to ever use such large sized on the Internet IRL, hence let's not either. 
*/ +- packet_size = MIN(packet_size, 4096U); +- } ++ if (in_addr_is_localhost(server->family, &server->address) > 0) ++ packet_size = 65536 - udp_size; /* force linux loopback MTU if localhost address */ ++ else { ++ /* Use the MTU pointing to the server, subtract the IP/UDP header size */ ++ packet_size = LESS_BY(dns_server_get_mtu(server), udp_size); ++ ++ /* On the Internet we want to avoid fragmentation for security reasons. If we saw ++ * fragmented packets, the above was too large, let's clamp it to the largest ++ * fragment we saw */ ++ if (server->packet_fragmented) ++ packet_size = MIN(server->received_udp_fragment_max, packet_size); ++ ++ /* Let's not pick ridiculously large sizes, i.e. not more than 4K. No one appears ++ * to ever use such large sized on the Internet IRL, hence let's not either. */ ++ packet_size = MIN(packet_size, 4096U); ++ } + +- /* Strictly speaking we quite possibly can receive larger datagrams than the MTU (since the +- * MTU is for egress, not for ingress), but more often than not the value is symmetric, and +- * we want something that does the right thing in the majority of cases, and not just in the +- * theoretical edge case. */ +- } else +- /* In non-large mode, let's advertise the size of the largest fragment we ever managed to accept. */ +- packet_size = server->received_udp_fragment_max; ++ /* Strictly speaking we quite possibly can receive larger datagrams than the MTU (since the ++ * MTU is for egress, not for ingress), but more often than not the value is symmetric, and ++ * we want something that does the right thing in the majority of cases, and not just in the ++ * theoretical edge case. 
*/ + + /* Safety clamp, never advertise less than 512 or more than 65535 */ + packet_size = CLAMP(packet_size, +@@ -1097,7 +1081,6 @@ static const char* const dns_server_feature_level_table[_DNS_SERVER_FEATURE_LEVE + [DNS_SERVER_FEATURE_LEVEL_EDNS0] = "UDP+EDNS0", + [DNS_SERVER_FEATURE_LEVEL_TLS_PLAIN] = "TLS+EDNS0", + [DNS_SERVER_FEATURE_LEVEL_DO] = "UDP+EDNS0+DO", +- [DNS_SERVER_FEATURE_LEVEL_LARGE] = "UDP+EDNS0+DO+LARGE", + [DNS_SERVER_FEATURE_LEVEL_TLS_DO] = "TLS+EDNS0+D0", + }; + DEFINE_STRING_TABLE_LOOKUP(dns_server_feature_level, DnsServerFeatureLevel); +diff --git a/src/resolve/resolved-dns-server.h b/src/resolve/resolved-dns-server.h +index fe0eaee49c..be9efb0a79 100644 +--- a/src/resolve/resolved-dns-server.h ++++ b/src/resolve/resolved-dns-server.h +@@ -32,7 +32,6 @@ typedef enum DnsServerFeatureLevel { + DNS_SERVER_FEATURE_LEVEL_EDNS0, + DNS_SERVER_FEATURE_LEVEL_TLS_PLAIN, + DNS_SERVER_FEATURE_LEVEL_DO, +- DNS_SERVER_FEATURE_LEVEL_LARGE, + DNS_SERVER_FEATURE_LEVEL_TLS_DO, + _DNS_SERVER_FEATURE_LEVEL_MAX, + _DNS_SERVER_FEATURE_LEVEL_INVALID = -EINVAL, +@@ -43,7 +42,7 @@ typedef enum DnsServerFeatureLevel { + #define DNS_SERVER_FEATURE_LEVEL_IS_EDNS0(x) ((x) >= DNS_SERVER_FEATURE_LEVEL_EDNS0) + #define DNS_SERVER_FEATURE_LEVEL_IS_TLS(x) IN_SET(x, DNS_SERVER_FEATURE_LEVEL_TLS_PLAIN, DNS_SERVER_FEATURE_LEVEL_TLS_DO) + #define DNS_SERVER_FEATURE_LEVEL_IS_DNSSEC(x) ((x) >= DNS_SERVER_FEATURE_LEVEL_DO) +-#define DNS_SERVER_FEATURE_LEVEL_IS_UDP(x) IN_SET(x, DNS_SERVER_FEATURE_LEVEL_UDP, DNS_SERVER_FEATURE_LEVEL_EDNS0, DNS_SERVER_FEATURE_LEVEL_DO, DNS_SERVER_FEATURE_LEVEL_LARGE) ++#define DNS_SERVER_FEATURE_LEVEL_IS_UDP(x) IN_SET(x, DNS_SERVER_FEATURE_LEVEL_UDP, DNS_SERVER_FEATURE_LEVEL_EDNS0, DNS_SERVER_FEATURE_LEVEL_DO) + + const char* dns_server_feature_level_to_string(int i) _const_; + int dns_server_feature_level_from_string(const char *s) _pure_; +-- +2.33.0 + 
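Review bot: In dns_server_adjust_opt() (resolved-dns-server.c) the summary comment that explained the sizing policy, advertising the MTU to avoid fragmentation for security reasons except towards localhost, is deleted together with the `DNS_SERVER_FEATURE_LEVEL_LARGE` branch, although that policy now applies to every EDNS0 level. I would keep it above `udp_size = udp_header_size(server->family);`, for example `/* Advertise the MTU towards the server to avoid fragmentation (for security reasons), except for localhost; if fragments were seen, clamp to the largest one. */`. The "Strictly speaking we quite possibly can receive larger datagrams than the MTU" comment now sits after the closing brace of the `else`, detached from the `dns_server_get_mtu()` line it qualifies, and would read better next to that line. The function begins and ends outside the hunk.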
diff --git a/backport-resolve-synthesize-empty-domain-only-when-A-and-or-A.patch b/backport-resolve-synthesize-empty-domain-only-when-A-and-or-A.patch
new file mode 100644
index 0000000000000000000000000000000000000000..69ebd7500add42cc3d95c7e084119995cd09a56d
--- /dev/null
+++ b/backport-resolve-synthesize-empty-domain-only-when-A-and-or-A.patch
@@ -0,0 +1,105 @@ +From 76016b82c683bcb15c155a8ab7ca45004894c134 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Fri, 4 Feb 2022 12:05:33 +0900 +Subject: [PATCH] resolve: synthesize empty domain only when A and/or AAAA key + is requested + +Follow-up for 3b2ac14ac45bef01cf489c3231b868936866444b (#22231). + +Before this commit. +--- +$ dig -t SRV '.' + +; <<>> DiG 9.16.24-RH <<>> -t SRV . +;; global options: +cmd +;; Got answer: +;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16836 +;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 + +;; OPT PSEUDOSECTION: +; EDNS: version: 0, flags:; udp: 65494 +;; QUESTION SECTION: +;. IN SRV + +;; Query time: 1 msec +;; SERVER: 127.0.0.53#53(127.0.0.53) +;; WHEN: Fri Feb 04 12:01:09 JST 2022 +;; MSG SIZE rcvd: 28 +--- + +After this commit. +--- +$ dig -t SRV '.' + +; <<>> DiG 9.16.24-RH <<>> -t SRV . +;; global options: +cmd +;; Got answer: +;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19861 +;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1 + +;; OPT PSEUDOSECTION: +; EDNS: version: 0, flags:; udp: 65494 +;; QUESTION SECTION: +;. IN SRV + +;; AUTHORITY SECTION: +. 86394 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2022020302 1800 900 604800 86400 + +;; Query time: 20 msec +;; SERVER: 127.0.0.53#53(127.0.0.53) +;; WHEN: Fri Feb 04 12:00:12 JST 2022 +;; MSG SIZE rcvd: 103 +--- + +Fixes #22401. 
+ +(cherry picked from commit 30fa3aa1fa56d9a1a4f3a26c0bc02253d44dfa0f) +(cherry picked from commit d57147ef5698c50e02e5e74df8d0936230032cfe) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/76016b82c683bcb15c155a8ab7ca45004894c134 +--- + src/resolve/resolved-dns-scope.c | 20 ++++++++++++++++---- + 1 file changed, 16 insertions(+), 4 deletions(-) + +diff --git a/src/resolve/resolved-dns-scope.c b/src/resolve/resolved-dns-scope.c +index 47edba6bc3..360ceecdb7 100644 +--- a/src/resolve/resolved-dns-scope.c ++++ b/src/resolve/resolved-dns-scope.c +@@ -626,10 +626,6 @@ DnsScopeMatch dns_scope_good_domain( + if ((SD_RESOLVED_FLAGS_MAKE(s->protocol, s->family, false, false) & flags) == 0) + return DNS_SCOPE_NO; + +- /* Never resolve empty name. */ +- if (dns_name_is_empty(domain)) +- return DNS_SCOPE_NO; +- + /* Never resolve any loopback hostname or IP address via DNS, LLMNR or mDNS. Instead, always rely on + * synthesized RRs for these. */ + if (is_localhost(domain) || +@@ -658,6 +654,22 @@ DnsScopeMatch dns_scope_good_domain( + DnsScopeMatch m; + int n_best = -1; + ++ if (dns_name_is_empty(domain)) { ++ DnsResourceKey *t; ++ bool found = false; ++ ++ /* Refuse empty name if only A and/or AAAA records are requested. */ ++ ++ DNS_QUESTION_FOREACH(t, question) ++ if (!IN_SET(t->type, DNS_TYPE_A, DNS_TYPE_AAAA)) { ++ found = true; ++ break; ++ } ++ ++ if (!found) ++ return DNS_SCOPE_NO; ++ } ++ + /* Never route things to scopes that lack DNS servers */ + if (!dns_scope_get_dns_server(s)) + return DNS_SCOPE_NO; +-- +2.33.0 + diff --git a/backport-resolve-synthesize-empty-name.patch b/backport-resolve-synthesize-empty-name.patch new file mode 100644 index 0000000000000000000000000000000000000000..165d41104c1cba1f423ee0e55d2ddb1a8053c283 --- /dev/null +++ b/backport-resolve-synthesize-empty-name.patch 
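Review bot: The flag `found` in the new `dns_name_is_empty(domain)` block of dns_scope_good_domain() (resolved-dns-scope.c) does not say what was found, and the comment above the loop describes the refusal while the loop searches for the opposite case. Renaming it, for example `bool has_other_type = false;` with `if (!has_other_type) return DNS_SCOPE_NO;`, makes the A/AAAA-only condition readable on its own. The check also moved from the top of the function into a block that opens with `DnsScopeMatch m;`, and the statement enclosing that block is outside the hunk; if it is specific to one protocol, empty names are no longer refused for the other protocols at this point, which deserves a comment at the old location.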
@@ -0,0 +1,97 @@ +From d3331adc66af4e69f7bdc378c1c591dd27703bf2 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Mon, 24 Jan 2022 06:07:33 +0900 +Subject: [PATCH] resolve: synthesize empty name + +Do not return any error for empty name. Just returns empty answer. + +Before: +--- +$ dig . + +; <<>> DiG 9.16.24-RH <<>> . +;; global options: +cmd +;; Got answer: +;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 13617 +;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 + +;; OPT PSEUDOSECTION: +; EDNS: version: 0, flags:; udp: 65494 +;; QUESTION SECTION: +;. IN A + +;; Query time: 0 msec +;; SERVER: 127.0.0.53#53(127.0.0.53) +;; WHEN: Mon Jan 24 05:49:30 JST 2022 +;; MSG SIZE rcvd: 28 +--- + +After: +--- +$ dig . + +; <<>> DiG 9.16.24-RH <<>> . +;; global options: +cmd +;; Got answer: +;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7957 +;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 + +;; OPT PSEUDOSECTION: +; EDNS: version: 0, flags:; udp: 65494 +;; QUESTION SECTION: +;. IN A + +;; Query time: 1 msec +;; SERVER: 127.0.0.53#53(127.0.0.53) +;; WHEN: Mon Jan 24 06:05:02 JST 2022 +;; MSG SIZE rcvd: 28 +--- + +Replaces #22197. + +Fixes RHBZ#2039854 (https://bugzilla.redhat.com/show_bug.cgi?id=2039854). 
+ +(cherry picked from commit 3b2ac14ac45bef01cf489c3231b868936866444b) +(cherry picked from commit 0fd3ccca64402eaec9535d0288d888f7fcacb9b8) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/d3331adc66af4e69f7bdc378c1c591dd27703bf2 +--- + src/resolve/resolved-dns-scope.c | 4 ++++ + src/resolve/resolved-dns-synthesize.c | 5 ++++- + 2 files changed, 8 insertions(+), 1 deletion(-) + +diff --git a/src/resolve/resolved-dns-scope.c b/src/resolve/resolved-dns-scope.c +index 178482727c..2546d0d4da 100644 +--- a/src/resolve/resolved-dns-scope.c ++++ b/src/resolve/resolved-dns-scope.c +@@ -613,6 +613,10 @@ DnsScopeMatch dns_scope_good_domain( + if ((SD_RESOLVED_FLAGS_MAKE(s->protocol, s->family, false, false) & flags) == 0) + return DNS_SCOPE_NO; + ++ /* Never resolve empty name. */ ++ if (dns_name_is_empty(domain)) ++ return DNS_SCOPE_NO; ++ + /* Never resolve any loopback hostname or IP address via DNS, LLMNR or mDNS. Instead, always rely on + * synthesized RRs for these. */ + if (is_localhost(domain) || +diff --git a/src/resolve/resolved-dns-synthesize.c b/src/resolve/resolved-dns-synthesize.c +index ef1423f441..ea239e686d 100644 +--- a/src/resolve/resolved-dns-synthesize.c ++++ b/src/resolve/resolved-dns-synthesize.c +@@ -394,7 +394,10 @@ int dns_synthesize_answer( + + name = dns_resource_key_name(key); + +- if (is_localhost(name)) { ++ if (dns_name_is_empty(name)) { ++ /* Do nothing. */ ++ ++ } else if (is_localhost(name)) { + + r = synthesize_localhost_rr(m, key, ifindex, &answer); + if (r < 0) +-- +2.33.0 + diff --git a/backport-resolve-synthesize-null-address-IPv4-broadcast-addre.patch b/backport-resolve-synthesize-null-address-IPv4-broadcast-addre.patch new file mode 100644 index 0000000000000000000000000000000000000000..8478b2733a9047de3a691c637025bb4f6db7ae25 --- /dev/null +++ b/backport-resolve-synthesize-null-address-IPv4-broadcast-addre.patch 
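Review bot: The empty branch `/* Do nothing. */` added to dns_synthesize_answer() (resolved-dns-synthesize.c) does not explain why the root name is matched first and then ignored. Going by the commit message the intent is to return an empty answer without an error, so a comment such as `/* Root domain: reply with an empty answer rather than an error. */` would record that. How the function reports that the key was handled is outside the hunk, so the wording should be checked against the code that follows the if/else chain.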
@@ -0,0 +1,41 @@
+From a3d2c2b669149fe7e1bfdfa0c72c39653bef2e4c Mon Sep 17 00:00:00 2001
+From: Yu Watanabe
+Date: Mon, 24 Jan 2022 06:36:53 +0900
+Subject: [PATCH] resolve: synthesize null address, IPv4 broadcast address, or
+ invalid domain
+
+These are filtered in `dns_scope_good_domain()`, but not synthesized.
+
+Fixes #22229.
+
+(cherry picked from commit 46b53e8035fb60c9a7f26dd32d6689ab3b7da97c)
+(cherry picked from commit 89b439ee00e3fbee47cda3f790cbf320538cae7f)
+
+Conflict:NA
+Reference:https://github.com/systemd/systemd/commit/a3d2c2b669149fe7e1bfdfa0c72c39653bef2e4c
+---
+ src/resolve/resolved-dns-synthesize.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/src/resolve/resolved-dns-synthesize.c b/src/resolve/resolved-dns-synthesize.c
+index ea239e686d..0914515fdf 100644
+--- a/src/resolve/resolved-dns-synthesize.c
++++ b/src/resolve/resolved-dns-synthesize.c
+@@ -397,6 +397,14 @@ int dns_synthesize_answer(
+ if (dns_name_is_empty(name)) {
+ /* Do nothing. */
+
++ } else if (dns_name_endswith(name, "0.in-addr.arpa") > 0 ||
++ dns_name_equal(name, "255.255.255.255.in-addr.arpa") > 0 ||
++ dns_name_equal(name, "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa") > 0 ||
++ dns_name_endswith(name, "invalid") > 0) {
++
++ nxdomain = true;
++ continue;
++
+ } else if (is_localhost(name)) {
+
+ r = synthesize_localhost_rr(m, key, ifindex, &answer);
+--
+2.33.0
+
diff --git a/backport-resolve-use-_cleanup_-attribute-for-freeing-DnsQuery.patch b/backport-resolve-use-_cleanup_-attribute-for-freeing-DnsQuery.patch
new file mode 100644
index 0000000000000000000000000000000000000000..e56b3525ffca8425183d17a84ef7c74974e41e51
--- /dev/null
+++ b/backport-resolve-use-_cleanup_-attribute-for-freeing-DnsQuery.patch
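Review bot: The four name tests in the new NXDOMAIN branch of dns_synthesize_answer() (resolved-dns-synthesize.c) duplicate the filter that, per the commit message, already lives in dns_scope_good_domain(), so the set of names that is never sent to a server and the set that is answered locally are now maintained by hand in two places and can drift apart. I would move them into one predicate used by both files and reduce the branch to a single call, for example `} else if (dns_name_dont_resolve(name)) {` (proposed helper name). Each test is also compared with `> 0`, so a negative error return from `dns_name_endswith()` or `dns_name_equal()` counts as "no match" and the name falls through to the later branches; a shared helper is the natural place to decide and document that. The loop that `continue` refers to starts outside the hunk.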
@@ -0,0 +1,563 @@ +From 87f33d6a03d8c25393ad6472fcad5b69bb60aa6b Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Sat, 5 Feb 2022 22:04:42 +0900 +Subject: [PATCH] resolve: use _cleanup_ attribute for freeing DnsQuery + +(cherry picked from commit c704288c473fa08820566fdb16c38726d24db026) +(cherry picked from commit 0533d1aab61b6a797d07c4c861acf5e87f8191e8) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/87f33d6a03d8c25393ad6472fcad5b69bb60aa6b +--- + src/resolve/resolved-bus.c | 112 +++++++++++++++----------------- + src/resolve/resolved-dns-stub.c | 27 +++----- + src/resolve/resolved-varlink.c | 38 +++++------ + 3 files changed, 79 insertions(+), 98 deletions(-) + +diff --git a/src/resolve/resolved-bus.c b/src/resolve/resolved-bus.c +index 78d1acf5e0..ed06895ed9 100644 +--- a/src/resolve/resolved-bus.c ++++ b/src/resolve/resolved-bus.c +@@ -179,9 +179,10 @@ static int append_address(sd_bus_message *reply, DnsResourceRecord *rr, int ifin + return 0; + } + +-static void bus_method_resolve_hostname_complete(DnsQuery *q) { ++static void bus_method_resolve_hostname_complete(DnsQuery *query) { + _cleanup_(dns_resource_record_unrefp) DnsResourceRecord *canonical = NULL; + _cleanup_(sd_bus_message_unrefp) sd_bus_message *reply = NULL; ++ _cleanup_(dns_query_freep) DnsQuery *q = query; + _cleanup_free_ char *normalized = NULL; + DnsQuestion *question; + DnsResourceRecord *rr; +@@ -202,8 +203,11 @@ static void bus_method_resolve_hostname_complete(DnsQuery *q) { + } + if (r < 0) + goto finish; +- if (r == DNS_QUERY_CNAME) /* This was a cname, and the query was restarted. */ ++ if (r == DNS_QUERY_CNAME) { ++ /* This was a cname, and the query was restarted. 
*/ ++ TAKE_PTR(q); + return; ++ } + + r = sd_bus_message_new_method_return(q->bus_request, &reply); + if (r < 0) +@@ -264,8 +268,6 @@ finish: + log_error_errno(r, "Failed to send hostname reply: %m"); + sd_bus_reply_method_errno(q->bus_request, r, NULL); + } +- +- dns_query_free(q); + } + + static int validate_and_mangle_flags( +@@ -403,11 +405,11 @@ void bus_client_log(sd_bus_message *m, const char *what) { + + static int bus_method_resolve_hostname(sd_bus_message *message, void *userdata, sd_bus_error *error) { + _cleanup_(dns_question_unrefp) DnsQuestion *question_idna = NULL, *question_utf8 = NULL; ++ _cleanup_(dns_query_freep) DnsQuery *q = NULL; + Manager *m = userdata; + const char *hostname; + int family, ifindex; + uint64_t flags; +- DnsQuery *q; + int r; + + assert(message); +@@ -459,21 +461,19 @@ static int bus_method_resolve_hostname(sd_bus_message *message, void *userdata, + + r = dns_query_bus_track(q, message); + if (r < 0) +- goto fail; ++ return r; + + r = dns_query_go(q); + if (r < 0) +- goto fail; ++ return r; + ++ TAKE_PTR(q); + return 1; +- +-fail: +- dns_query_free(q); +- return r; + } + +-static void bus_method_resolve_address_complete(DnsQuery *q) { ++static void bus_method_resolve_address_complete(DnsQuery *query) { + _cleanup_(sd_bus_message_unrefp) sd_bus_message *reply = NULL; ++ _cleanup_(dns_query_freep) DnsQuery *q = query; + DnsQuestion *question; + DnsResourceRecord *rr; + unsigned added = 0; +@@ -493,8 +493,11 @@ static void bus_method_resolve_address_complete(DnsQuery *q) { + } + if (r < 0) + goto finish; +- if (r == DNS_QUERY_CNAME) /* This was a cname, and the query was restarted. */ ++ if (r == DNS_QUERY_CNAME) { ++ /* This was a cname, and the query was restarted. 
*/ ++ TAKE_PTR(q); + return; ++ } + + r = sd_bus_message_new_method_return(q->bus_request, &reply); + if (r < 0) +@@ -550,17 +553,15 @@ finish: + log_error_errno(r, "Failed to send address reply: %m"); + sd_bus_reply_method_errno(q->bus_request, r, NULL); + } +- +- dns_query_free(q); + } + + static int bus_method_resolve_address(sd_bus_message *message, void *userdata, sd_bus_error *error) { + _cleanup_(dns_question_unrefp) DnsQuestion *question = NULL; ++ _cleanup_(dns_query_freep) DnsQuery *q = NULL; + Manager *m = userdata; + union in_addr_union a; + int family, ifindex; + uint64_t flags; +- DnsQuery *q; + int r; + + assert(message); +@@ -604,17 +605,14 @@ static int bus_method_resolve_address(sd_bus_message *message, void *userdata, s + + r = dns_query_bus_track(q, message); + if (r < 0) +- goto fail; ++ return r; + + r = dns_query_go(q); + if (r < 0) +- goto fail; ++ return r; + ++ TAKE_PTR(q); + return 1; +- +-fail: +- dns_query_free(q); +- return r; + } + + static int bus_message_append_rr(sd_bus_message *m, DnsResourceRecord *rr, int ifindex) { +@@ -645,8 +643,9 @@ static int bus_message_append_rr(sd_bus_message *m, DnsResourceRecord *rr, int i + return sd_bus_message_close_container(m); + } + +-static void bus_method_resolve_record_complete(DnsQuery *q) { ++static void bus_method_resolve_record_complete(DnsQuery *query) { + _cleanup_(sd_bus_message_unrefp) sd_bus_message *reply = NULL; ++ _cleanup_(dns_query_freep) DnsQuery *q = query; + DnsResourceRecord *rr; + DnsQuestion *question; + unsigned added = 0; +@@ -667,8 +666,11 @@ static void bus_method_resolve_record_complete(DnsQuery *q) { + } + if (r < 0) + goto finish; +- if (r == DNS_QUERY_CNAME) /* This was a cname, and the query was restarted. */ ++ if (r == DNS_QUERY_CNAME) { ++ /* This was a cname, and the query was restarted. 
*/ ++ TAKE_PTR(q); + return; ++ } + + r = sd_bus_message_new_method_return(q->bus_request, &reply); + if (r < 0) +@@ -714,19 +716,17 @@ finish: + log_error_errno(r, "Failed to send record reply: %m"); + sd_bus_reply_method_errno(q->bus_request, r, NULL); + } +- +- dns_query_free(q); + } + + static int bus_method_resolve_record(sd_bus_message *message, void *userdata, sd_bus_error *error) { + _cleanup_(dns_resource_key_unrefp) DnsResourceKey *key = NULL; + _cleanup_(dns_question_unrefp) DnsQuestion *question = NULL; ++ _cleanup_(dns_query_freep) DnsQuery *q = NULL; + Manager *m = userdata; + uint16_t class, type; + const char *name; + int r, ifindex; + uint64_t flags; +- DnsQuery *q; + + assert(message); + assert(m); +@@ -782,17 +782,14 @@ static int bus_method_resolve_record(sd_bus_message *message, void *userdata, sd + + r = dns_query_bus_track(q, message); + if (r < 0) +- goto fail; ++ return r; + + r = dns_query_go(q); + if (r < 0) +- goto fail; ++ return r; + ++ TAKE_PTR(q); + return 1; +- +-fail: +- dns_query_free(q); +- return r; + } + + static int append_srv(DnsQuery *q, sd_bus_message *reply, DnsResourceRecord *rr) { +@@ -952,10 +949,11 @@ static int append_txt(sd_bus_message *reply, DnsResourceRecord *rr) { + return 1; + } + +-static void resolve_service_all_complete(DnsQuery *q) { ++static void resolve_service_all_complete(DnsQuery *query) { + _cleanup_(dns_resource_record_unrefp) DnsResourceRecord *canonical = NULL; + _cleanup_(sd_bus_message_unrefp) sd_bus_message *reply = NULL; + _cleanup_free_ char *name = NULL, *type = NULL, *domain = NULL; ++ _cleanup_(dns_query_freep) DnsQuery *q = query; + DnsQuestion *question; + DnsResourceRecord *rr; + unsigned added = 0; +@@ -964,8 +962,10 @@ static void resolve_service_all_complete(DnsQuery *q) { + + assert(q); + +- if (q->block_all_complete > 0) ++ if (q->block_all_complete > 0) { ++ TAKE_PTR(q); + return; ++ } + + if ((q->flags & SD_RESOLVED_NO_ADDRESS) == 0) { + DnsQuery *bad = NULL; +@@ -977,6 +977,7 @@ 
static void resolve_service_all_complete(DnsQuery *q) { + + case DNS_TRANSACTION_PENDING: + /* If an auxiliary query is still pending, let's wait */ ++ TAKE_PTR(q); + return; + + case DNS_TRANSACTION_SUCCESS: +@@ -1093,8 +1094,6 @@ finish: + log_error_errno(r, "Failed to send service reply: %m"); + sd_bus_reply_method_errno(q->bus_request, r, NULL); + } +- +- dns_query_free(q); + } + + static void resolve_service_hostname_complete(DnsQuery *q) { +@@ -1119,7 +1118,7 @@ static void resolve_service_hostname_complete(DnsQuery *q) { + + static int resolve_service_hostname(DnsQuery *q, DnsResourceRecord *rr, int ifindex) { + _cleanup_(dns_question_unrefp) DnsQuestion *question = NULL; +- DnsQuery *aux; ++ _cleanup_(dns_query_freep) DnsQuery *aux = NULL; + int r; + + assert(q); +@@ -1142,32 +1141,27 @@ static int resolve_service_hostname(DnsQuery *q, DnsResourceRecord *rr, int ifin + aux->complete = resolve_service_hostname_complete; + + r = dns_query_make_auxiliary(aux, q); +- if (r == -EAGAIN) { ++ if (r == -EAGAIN) + /* Too many auxiliary lookups? If so, don't complain, + * let's just not add this one, we already have more + * than enough */ +- +- dns_query_free(aux); + return 0; +- } + if (r < 0) +- goto fail; ++ return r; + + /* Note that auxiliary queries do not track the original bus + * client, only the primary request does that. */ + + r = dns_query_go(aux); + if (r < 0) +- goto fail; ++ return r; + ++ TAKE_PTR(aux); + return 1; +- +-fail: +- dns_query_free(aux); +- return r; + } + +-static void bus_method_resolve_service_complete(DnsQuery *q) { ++static void bus_method_resolve_service_complete(DnsQuery *query) { ++ _cleanup_(dns_query_freep) DnsQuery *q = query; + bool has_root_domain = false; + DnsResourceRecord *rr; + DnsQuestion *question; +@@ -1188,8 +1182,11 @@ static void bus_method_resolve_service_complete(DnsQuery *q) { + } + if (r < 0) + goto finish; +- if (r == DNS_QUERY_CNAME) /* This was a cname, and the query was restarted. 
*/ ++ if (r == DNS_QUERY_CNAME) { ++ /* This was a cname, and the query was restarted. */ ++ TAKE_PTR(q); + return; ++ } + + question = dns_query_question_for_protocol(q, q->answer_protocol); + +@@ -1237,7 +1234,7 @@ static void bus_method_resolve_service_complete(DnsQuery *q) { + } + + /* Maybe we are already finished? check now... */ +- resolve_service_all_complete(q); ++ resolve_service_all_complete(TAKE_PTR(q)); + return; + + finish: +@@ -1245,17 +1242,15 @@ finish: + log_error_errno(r, "Failed to send service reply: %m"); + sd_bus_reply_method_errno(q->bus_request, r, NULL); + } +- +- dns_query_free(q); + } + + static int bus_method_resolve_service(sd_bus_message *message, void *userdata, sd_bus_error *error) { + _cleanup_(dns_question_unrefp) DnsQuestion *question_idna = NULL, *question_utf8 = NULL; ++ _cleanup_(dns_query_freep) DnsQuery *q = NULL; + const char *name, *type, *domain; + Manager *m = userdata; + int family, ifindex; + uint64_t flags; +- DnsQuery *q; + int r; + + assert(message); +@@ -1316,17 +1311,14 @@ static int bus_method_resolve_service(sd_bus_message *message, void *userdata, s + + r = dns_query_bus_track(q, message); + if (r < 0) +- goto fail; ++ return r; + + r = dns_query_go(q); + if (r < 0) +- goto fail; ++ return r; + ++ TAKE_PTR(q); + return 1; +- +-fail: +- dns_query_free(q); +- return r; + } + + int bus_dns_server_append(sd_bus_message *reply, DnsServer *s, bool with_ifindex, bool extended) { +diff --git a/src/resolve/resolved-dns-stub.c b/src/resolve/resolved-dns-stub.c +index 8040db70f9..400e741031 100644 +--- a/src/resolve/resolved-dns-stub.c ++++ b/src/resolve/resolved-dns-stub.c +@@ -684,7 +684,8 @@ static int dns_stub_patch_bypass_reply_packet( + return 0; + } + +-static void dns_stub_query_complete(DnsQuery *q) { ++static void dns_stub_query_complete(DnsQuery *query) { ++ _cleanup_(dns_query_freep) DnsQuery *q = query; + int r; + + assert(q); +@@ -705,7 +706,6 @@ static void dns_stub_query_complete(DnsQuery *q) { + else + 
(void) dns_stub_send(q->manager, q->stub_listener_extra, q->request_stream, q->request_packet, reply); + +- dns_query_free(q); + return; + } + } +@@ -717,11 +717,8 @@ static void dns_stub_query_complete(DnsQuery *q) { + q, + dns_query_question_for_protocol(q, DNS_PROTOCOL_DNS), + dns_stub_reply_with_edns0_do(q)); +- if (r < 0) { +- log_debug_errno(r, "Failed to assign sections: %m"); +- dns_query_free(q); +- return; +- } ++ if (r < 0) ++ return (void) log_debug_errno(r, "Failed to assign sections: %m"); + + switch (q->state) { + +@@ -755,11 +752,10 @@ static void dns_stub_query_complete(DnsQuery *q) { + * packet doesn't answer our question. In that case let's restart the query, + * now with the redirected question. We'll */ + r = dns_query_go(q); +- if (r < 0) { +- log_debug_errno(r, "Failed to restart query: %m"); +- dns_query_free(q); +- } ++ if (r < 0) ++ return (void) log_debug_errno(r, "Failed to restart query: %m"); + ++ TAKE_PTR(q); + return; + } + +@@ -767,11 +763,8 @@ static void dns_stub_query_complete(DnsQuery *q) { + q, + dns_query_question_for_protocol(q, DNS_PROTOCOL_DNS), + dns_stub_reply_with_edns0_do(q)); +- if (r < 0) { +- log_debug_errno(r, "Failed to assign sections: %m"); +- dns_query_free(q); +- return; +- } ++ if (r < 0) ++ return (void) log_debug_errno(r, "Failed to assign sections: %m"); + + if (cname_result == DNS_QUERY_MATCH) /* A match? 
Then we are done, let's return what we got */ + break; +@@ -817,8 +810,6 @@ static void dns_stub_query_complete(DnsQuery *q) { + default: + assert_not_reached("Impossible state"); + } +- +- dns_query_free(q); + } + + static int dns_stub_stream_complete(DnsStream *s, int error) { +diff --git a/src/resolve/resolved-varlink.c b/src/resolve/resolved-varlink.c +index 27d8c8967e..6f4ab425ef 100644 +--- a/src/resolve/resolved-varlink.c ++++ b/src/resolve/resolved-varlink.c +@@ -143,9 +143,10 @@ static bool validate_and_mangle_flags( + return true; + } + +-static void vl_method_resolve_hostname_complete(DnsQuery *q) { ++static void vl_method_resolve_hostname_complete(DnsQuery *query) { + _cleanup_(dns_resource_record_unrefp) DnsResourceRecord *canonical = NULL; + _cleanup_(json_variant_unrefp) JsonVariant *array = NULL; ++ _cleanup_(dns_query_freep) DnsQuery *q = query; + _cleanup_free_ char *normalized = NULL; + DnsResourceRecord *rr; + DnsQuestion *question; +@@ -165,8 +166,11 @@ static void vl_method_resolve_hostname_complete(DnsQuery *q) { + } + if (r < 0) + goto finish; +- if (r == DNS_QUERY_CNAME) /* This was a cname, and the query was restarted. */ ++ if (r == DNS_QUERY_CNAME) { ++ /* This was a cname, and the query was restarted. 
*/ ++ TAKE_PTR(q); + return; ++ } + + question = dns_query_question_for_protocol(q, q->answer_protocol); + +@@ -228,8 +232,6 @@ finish: + log_error_errno(r, "Failed to send hostname reply: %m"); + r = varlink_error_errno(q->varlink_request, r); + } +- +- dns_query_free(q); + } + + static int parse_as_address(Varlink *link, LookupParameters *p) { +@@ -284,7 +286,7 @@ static int vl_method_resolve_hostname(Varlink *link, JsonVariant *parameters, Va + _cleanup_(lookup_parameters_destroy) LookupParameters p = { + .family = AF_UNSPEC, + }; +- DnsQuery *q; ++ _cleanup_(dns_query_freep) DnsQuery *q = NULL; + Manager *m; + int r; + +@@ -338,13 +340,10 @@ static int vl_method_resolve_hostname(Varlink *link, JsonVariant *parameters, Va + + r = dns_query_go(q); + if (r < 0) +- goto fail; ++ return r; + ++ TAKE_PTR(q); + return 1; +- +-fail: +- dns_query_free(q); +- return r; + } + + static int json_dispatch_address(const char *name, JsonVariant *variant, JsonDispatchFlags flags, void *userdata) { +@@ -382,8 +381,9 @@ static int json_dispatch_address(const char *name, JsonVariant *variant, JsonDis + return 0; + } + +-static void vl_method_resolve_address_complete(DnsQuery *q) { ++static void vl_method_resolve_address_complete(DnsQuery *query) { + _cleanup_(json_variant_unrefp) JsonVariant *array = NULL; ++ _cleanup_(dns_query_freep) DnsQuery *q = query; + DnsQuestion *question; + DnsResourceRecord *rr; + int ifindex, r; +@@ -402,8 +402,11 @@ static void vl_method_resolve_address_complete(DnsQuery *q) { + } + if (r < 0) + goto finish; +- if (r == DNS_QUERY_CNAME) /* This was a cname, and the query was restarted. */ ++ if (r == DNS_QUERY_CNAME) { ++ /* This was a cname, and the query was restarted. 
*/ ++ TAKE_PTR(q); + return; ++ } + + question = dns_query_question_for_protocol(q, q->answer_protocol); + +@@ -447,8 +450,6 @@ finish: + log_error_errno(r, "Failed to send address reply: %m"); + r = varlink_error_errno(q->varlink_request, r); + } +- +- dns_query_free(q); + } + + static int vl_method_resolve_address(Varlink *link, JsonVariant *parameters, VarlinkMethodFlags flags, void *userdata) { +@@ -464,7 +465,7 @@ static int vl_method_resolve_address(Varlink *link, JsonVariant *parameters, Var + _cleanup_(lookup_parameters_destroy) LookupParameters p = { + .family = AF_UNSPEC, + }; +- DnsQuery *q; ++ _cleanup_(dns_query_freep) DnsQuery *q = NULL; + Manager *m; + int r; + +@@ -509,13 +510,10 @@ static int vl_method_resolve_address(Varlink *link, JsonVariant *parameters, Var + + r = dns_query_go(q); + if (r < 0) +- goto fail; ++ return r; + ++ TAKE_PTR(q); + return 1; +- +-fail: +- dns_query_free(q); +- return r; + } + + int manager_varlink_init(Manager *m) { +-- +2.33.0 + diff --git a/backport-resolved-Don-t-omit-AD-bit-in-reply-if-DO-is-set-in-.patch b/backport-resolved-Don-t-omit-AD-bit-in-reply-if-DO-is-set-in-.patch new file mode 100644 index 0000000000000000000000000000000000000000..9a7efbc5ced27f08951d703d082735c03ced9afb --- /dev/null +++ b/backport-resolved-Don-t-omit-AD-bit-in-reply-if-DO-is-set-in-.patch 
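Review bot: None of the converted completion callbacks documents the new ownership rule: `_cleanup_(dns_query_freep) DnsQuery *q = query;` frees the query on every return, and only the paths that call `TAKE_PTR(q)` keep it alive. A `return` added later without `TAKE_PTR(q)` on a path where the query is still running (restarted for a CNAME, waiting on an auxiliary query) would free an object that is still referenced, so I would put `/* We own the query from here on; any path that leaves it running must TAKE_PTR(q) before returning. */` on that declaration in resolved-bus.c, resolved-dns-stub.c and resolved-varlink.c. The inner hunks for resolve_service_all_complete() and dns_stub_query_complete() show only part of each body, so any `return` or `break` between them that is not visible here should be checked against the same rule.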
@@ -0,0 +1,43 @@ +From 5421863a16f19ba6a85214bb17986d6015b298b3 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jack=20D=C3=A4hn?= +Date: Tue, 3 Aug 2021 08:07:05 +0200 +Subject: [PATCH] resolved: Don't omit AD bit in reply if DO is set in the + query + +Set the AD bit in the response if the data is authenticated and AD or DO is set in the query, as suggested by section 5.8 of RFC6840. + +Fixes #20332 + +(cherry picked from commit b553abd8aed0f6fbff9973882fb08c3aec1d9400) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/5421863a16f19ba6a85214bb17986d6015b298b3 +--- + src/resolve/resolved-dns-stub.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/resolve/resolved-dns-stub.c b/src/resolve/resolved-dns-stub.c +index 5b9d32f001..49da916576 100644 +--- a/src/resolve/resolved-dns-stub.c ++++ b/src/resolve/resolved-dns-stub.c +@@ -585,7 +585,7 @@ static int dns_stub_send_reply( + DNS_PACKET_RD(q->request_packet), + !!q->request_packet->opt, + edns0_do, +- DNS_PACKET_AD(q->request_packet) && dns_query_fully_authenticated(q), ++ (DNS_PACKET_AD(q->request_packet) || DNS_PACKET_DO(q->request_packet)) && dns_query_fully_authenticated(q), + DNS_PACKET_CD(q->request_packet), + q->stub_listener_extra ? ADVERTISE_EXTRA_DATAGRAM_SIZE_MAX : ADVERTISE_DATAGRAM_SIZE_MAX, + dns_packet_has_nsid_request(q->request_packet) > 0 && !q->stub_listener_extra); +@@ -627,7 +627,7 @@ static int dns_stub_send_failure( + DNS_PACKET_RD(p), + !!p->opt, + DNS_PACKET_DO(p), +- DNS_PACKET_AD(p) && authenticated, ++ (DNS_PACKET_AD(p) || DNS_PACKET_DO(p)) && authenticated, + DNS_PACKET_CD(p), + l ? ADVERTISE_EXTRA_DATAGRAM_SIZE_MAX : ADVERTISE_DATAGRAM_SIZE_MAX, + dns_packet_has_nsid_request(p) > 0 && !l); +-- +2.33.0 + 
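Review bot: Neither changed call site carries a comment explaining the widened AD condition, so the RFC 6840 section 5.8 rule lives only in the commit message; I would add `/* RFC 6840 §5.8: set AD on authenticated data when the query had AD or DO set */` above the argument in both `dns_stub_send_reply()` and `dns_stub_send_failure()`. In `dns_stub_send_reply()` the argument directly above already passes `edns0_do`; if that local holds the request's DO flag (its definition is outside the hunk), writing `(DNS_PACKET_AD(q->request_packet) || edns0_do) && dns_query_fully_authenticated(q)` keeps the two arguments from drifting apart. Both functions begin and end outside the hunks.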
diff --git a/backport-resolved-clean-up-manager_write_resolv_conf-a-bit.patch b/backport-resolved-clean-up-manager_write_resolv_conf-a-bit.patch new file mode 100644 index 0000000000000000000000000000000000000000..f80a934fa683242cab748a6503e8dca3b8c315a4 --- /dev/null +++ b/backport-resolved-clean-up-manager_write_resolv_conf-a-bit.patch 
@@ -0,0 +1,109 @@ +From e4f6e956abdca1b7f538845dae79e5afb708e2df Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Mon, 22 Nov 2021 18:29:17 +0100 +Subject: [PATCH] resolved: clean up manager_write_resolv_conf() a bit + +Let's downgrade log messages which are not fatal for the service to +LOG_WARNING. + +And let's simplify clean-up by using _cleanup_(unlink_and_freep). + +(cherry picked from commit e2ef1e9aea24d89d1e92fa4675ddc330029b48bf) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/e4f6e956abdca1b7f538845dae79e5afb708e2df +--- + src/resolve/resolved-resolv-conf.c | 41 +++++++++++------------------- + 1 file changed, 15 insertions(+), 26 deletions(-) + +diff --git a/src/resolve/resolved-resolv-conf.c b/src/resolve/resolved-resolv-conf.c +index d5a77605a8..100894d6b2 100644 +--- a/src/resolve/resolved-resolv-conf.c ++++ b/src/resolve/resolved-resolv-conf.c +@@ -330,7 +330,7 @@ static int write_stub_resolv_conf_contents(FILE *f, OrderedSet *dns, OrderedSet + + int manager_write_resolv_conf(Manager *m) { + _cleanup_ordered_set_free_ OrderedSet *dns = NULL, *domains = NULL; +- _cleanup_free_ char *temp_path_uplink = NULL, *temp_path_stub = NULL; ++ _cleanup_(unlink_and_freep) char *temp_path_uplink = NULL, *temp_path_stub = NULL; + _cleanup_fclose_ FILE *f_uplink = NULL, *f_stub = NULL; + int r; + +@@ -342,60 +342,49 @@ int manager_write_resolv_conf(Manager *m) { + /* Add the full list to a set, to filter out duplicates */ + r = manager_compile_dns_servers(m, &dns); + if (r < 0) +- return log_warning_errno(r, "Failed to compile list of DNS servers: %m"); ++ return log_warning_errno(r, "Failed to compile list of DNS servers, ignoring: %m"); + + r = manager_compile_search_domains(m, &domains, false); + if (r < 0) +- return log_warning_errno(r, "Failed to compile list of search domains: %m"); ++ return log_warning_errno(r, "Failed to compile list of search domains, ignoring: %m"); + + r = fopen_temporary_label(PRIVATE_UPLINK_RESOLV_CONF, 
PRIVATE_UPLINK_RESOLV_CONF, &f_uplink, &temp_path_uplink); + if (r < 0) +- return log_warning_errno(r, "Failed to open new %s for writing: %m", PRIVATE_UPLINK_RESOLV_CONF); ++ return log_warning_errno(r, "Failed to open new %s for writing, ignoring: %m", PRIVATE_UPLINK_RESOLV_CONF); + + (void) fchmod(fileno(f_uplink), 0644); + + r = write_uplink_resolv_conf_contents(f_uplink, dns, domains); +- if (r < 0) { +- log_error_errno(r, "Failed to write new %s: %m", PRIVATE_UPLINK_RESOLV_CONF); +- goto fail; +- } ++ if (r < 0) ++ return log_warning_errno(r, "Failed to write new %s, ignoring: %m", PRIVATE_UPLINK_RESOLV_CONF); + + if (m->dns_stub_listener_mode != DNS_STUB_LISTENER_NO) { + r = fopen_temporary_label(PRIVATE_STUB_RESOLV_CONF, PRIVATE_STUB_RESOLV_CONF, &f_stub, &temp_path_stub); +- if (r < 0) { +- log_warning_errno(r, "Failed to open new %s for writing: %m", PRIVATE_STUB_RESOLV_CONF); +- goto fail; +- } ++ if (r < 0) ++ return log_warning_errno(r, "Failed to open new %s for writing, ignoring: %m", PRIVATE_STUB_RESOLV_CONF); + + (void) fchmod(fileno(f_stub), 0644); + + r = write_stub_resolv_conf_contents(f_stub, dns, domains); +- if (r < 0) { +- log_error_errno(r, "Failed to write new %s: %m", PRIVATE_STUB_RESOLV_CONF); +- goto fail; +- } ++ if (r < 0) ++ return log_warning_errno(r, "Failed to write new %s, ignoring: %m", PRIVATE_STUB_RESOLV_CONF); + + r = conservative_rename(temp_path_stub, PRIVATE_STUB_RESOLV_CONF); + if (r < 0) +- log_error_errno(r, "Failed to move new %s into place: %m", PRIVATE_STUB_RESOLV_CONF); ++ log_warning_errno(r, "Failed to move new %s into place, ignoring: %m", PRIVATE_STUB_RESOLV_CONF); + ++ temp_path_stub = mfree(temp_path_stub); /* free the string explicitly, so that we don't unlink anymore */ + } else { + r = symlink_atomic_label(basename(PRIVATE_UPLINK_RESOLV_CONF), PRIVATE_STUB_RESOLV_CONF); + if (r < 0) +- log_error_errno(r, "Failed to symlink %s: %m", PRIVATE_STUB_RESOLV_CONF); ++ log_warning_errno(r, "Failed to symlink %s, 
ignoring: %m", PRIVATE_STUB_RESOLV_CONF); + } + + r = conservative_rename(temp_path_uplink, PRIVATE_UPLINK_RESOLV_CONF); + if (r < 0) +- log_error_errno(r, "Failed to move new %s into place: %m", PRIVATE_UPLINK_RESOLV_CONF); +- +- fail: +- if (r < 0) { +- /* Something went wrong, perform cleanup... */ +- (void) unlink(temp_path_uplink); +- (void) unlink(temp_path_stub); +- } ++ log_warning_errno(r, "Failed to move new %s into place: %m", PRIVATE_UPLINK_RESOLV_CONF); + ++ temp_path_uplink = mfree(temp_path_uplink); /* free the string explicitly, so that we don't unlink anymore */ + return r; + } + +-- +2.33.0 + diff --git a/backport-resolved-fix-ResolveService-hostname-handling.patch b/backport-resolved-fix-ResolveService-hostname-handling.patch new file mode 100644 index 0000000000000000000000000000000000000000..f7c33d4a21e43012733ce02f326e153d7ff603a8 --- /dev/null +++ b/backport-resolved-fix-ResolveService-hostname-handling.patch 
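Review bot: In `manager_write_resolv_conf()` both `temp_path_stub = mfree(temp_path_stub)` and `temp_path_uplink = mfree(temp_path_uplink)` run even when the preceding `conservative_rename()` failed, which disarms the new `unlink_and_freep` cleanup, so the temporary file appears to be left behind on exactly the path where it should be removed. Clearing the pointer only on success keeps the cleanup for the failure case: `if (r < 0) log_warning_errno(...); else temp_path_stub = mfree(temp_path_stub);`, and likewise for the uplink path. Separately, a failed stub rename is logged but its `r` is then overwritten by the uplink rename, so the return value reflects only the last step; if that is intended, a one-line comment saying so would help.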
@@ -0,0 +1,47 @@ +From 70f465cb5d10b7bcd7bd7c326756d542e59c0e0b Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Mon, 22 Nov 2021 14:37:54 +0100 +Subject: [PATCH] resolved: fix ResolveService() hostname handling + +Let's eat up special returns of dns_query_process_cname_many() when +storing hostname resolution results. + +The rest of the code assumes only == 0 means success and != 0 means +error, but so far > 0 also could mean success, let's fix that. + +Fixes: #21365 #21140 + +(This was originally broken in 1db8e6d1db0880de240e5598e28d24d708479434) + +(cherry picked from commit 5a78106ad92d3f122f7ac653eecf767f0a8948cf) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/70f465cb5d10b7bcd7bd7c326756d542e59c0e0b +--- + src/resolve/resolved-bus.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/src/resolve/resolved-bus.c b/src/resolve/resolved-bus.c +index 7226200f00..78d1acf5e0 100644 +--- a/src/resolve/resolved-bus.c ++++ b/src/resolve/resolved-bus.c +@@ -1005,6 +1005,7 @@ static void resolve_service_all_complete(DnsQuery *q) { + goto finish; + } + ++ assert(bad->auxiliary_result < 0); + r = bad->auxiliary_result; + goto finish; + } +@@ -1112,7 +1113,7 @@ static void resolve_service_hostname_complete(DnsQuery *q) { + return; + + /* This auxiliary lookup is finished or failed, let's see if all are finished now. */ +- q->auxiliary_result = r; ++ q->auxiliary_result = r < 0 ? r : 0; + resolve_service_all_complete(q->auxiliary_for); + } + +-- +2.33.0 + diff --git a/backport-resolved-make-sure-we-don-t-hit-an-assert-when-deali.patch b/backport-resolved-make-sure-we-don-t-hit-an-assert-when-deali.patch new file mode 100644 index 0000000000000000000000000000000000000000..ff70e3f9a52a105426365830526aec739d486847 --- /dev/null +++ b/backport-resolved-make-sure-we-don-t-hit-an-assert-when-deali.patch 
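Review bot: The clamp `q->auxiliary_result = r < 0 ? r : 0;` in `resolve_service_hostname_complete()` has no comment, so the invariant behind the new `assert(bad->auxiliary_result < 0)` in `resolve_service_all_complete()` is explained only in the commit message. I would add `/* dns_query_process_cname_many() may return > 0 on success; store 0 so that non-zero always means failure */` above the assignment. Since the assert aborts the resolver if any other writer stores a positive value in `auxiliary_result`, it is worth confirming that no such writer exists; those sites are outside the hunks, as are the rest of both function bodies.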
@@ -0,0 +1,33 @@ +From 018c8e8f67b699c5e5aadb73a3ddf3b8009a741a Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Mon, 22 Nov 2021 16:14:07 +0100 +Subject: [PATCH] resolved: make sure we don't hit an assert when dealing with + incomplete DNSSD service definitions + +Fixes: #21142 +(cherry picked from commit 8cf9898a964693b8a3c40b502af0377ede746f4d) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/018c8e8f67b699c5e5aadb73a3ddf3b8009a741a +--- + src/resolve/resolved-dns-zone.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/src/resolve/resolved-dns-zone.c b/src/resolve/resolved-dns-zone.c +index b86b325144..6b3f5f707d 100644 +--- a/src/resolve/resolved-dns-zone.c ++++ b/src/resolve/resolved-dns-zone.c +@@ -94,7 +94,9 @@ void dns_zone_remove_rr(DnsZone *z, DnsResourceRecord *rr) { + DnsZoneItem *i; + + assert(z); +- assert(rr); ++ ++ if (!rr) ++ return; + + i = dns_zone_get(z, rr); + if (i) +-- +2.33.0 + diff --git a/backport-resolved-properly-signal-transient-errors-back-to-NS.patch b/backport-resolved-properly-signal-transient-errors-back-to-NS.patch new file mode 100644 index 0000000000000000000000000000000000000000..700839c6f438e552b148d943fc3d0a5073a59d3d --- /dev/null +++ b/backport-resolved-properly-signal-transient-errors-back-to-NS.patch 
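Review bot: `dns_zone_remove_rr()` now returns silently for a NULL `rr`, but nothing at the new check says why NULL is a legitimate argument, which invites a later cleanup to restore the assert. A short comment at the check would record the reason given in the commit message, for example `/* rr may be NULL for DNS-SD services whose definition is incomplete */`. The function body continues past the end of the hunk.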
@@ -0,0 +1,140 @@ +From 7ab91cb307eb0a518f4a956674a108221538fc88 Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Mon, 22 Nov 2021 15:17:34 +0100 +Subject: [PATCH] resolved: properly signal transient errors back to NSS stack + +NSS mostly knows four error cases: SUCCESS, NOTFOUND, UNAVAIL, TRYAGAIN, +and they can all be used in nsswitch.conf to route requests. + +So far nss-resolve would return SUCCESS + NOTFOUND + UNAVAIL. Let's also +return TRYAGAIN in some cases, specifically the ones where we are +currntly unable to resolve a request but likely could later. i.e. +errors caused by networking issues or such. + +Fixes: #20786 +(cherry picked from commit ae78529fc75027b3487b64e0d22a572fd9c8ffeb) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/7ab91cb307eb0a518f4a956674a108221538fc88 +--- + src/nss-resolve/nss-resolve.c | 55 +++++++++++++++++++++++++++++------ + 1 file changed, 46 insertions(+), 9 deletions(-) + +diff --git a/src/nss-resolve/nss-resolve.c b/src/nss-resolve/nss-resolve.c +index e2a29475a2..4f54973202 100644 +--- a/src/nss-resolve/nss-resolve.c ++++ b/src/nss-resolve/nss-resolve.c +@@ -41,6 +41,9 @@ NSS_GETHOSTBYNAME_PROTOTYPES(resolve); + NSS_GETHOSTBYADDR_PROTOTYPES(resolve); + + static bool error_shall_fallback(const char *error_id) { ++ /* The Varlink errors where we shall signal "please fallback" back to the NSS stack, so that some ++ * fallback module can be loaded. (These are mostly all Varlink-internal errors, as apparently we ++ * then were unable to even do IPC with systemd-resolved.) */ + return STR_IN_SET(error_id, + VARLINK_ERROR_DISCONNECTED, + VARLINK_ERROR_TIMEOUT, +@@ -50,6 +53,16 @@ static bool error_shall_fallback(const char *error_id) { + VARLINK_ERROR_METHOD_NOT_IMPLEMENTED); + } + ++static bool error_shall_try_again(const char *error_id) { ++ /* The Varlink errors where we shall signal "can't answer now but might be able to later" back to the ++ * NSS stack. 
These are all errors that indicate lack of configuration or network problems. */ ++ return STR_IN_SET(error_id, ++ "io.systemd.Resolve.NoNameServers", ++ "io.systemd.Resolve.QueryTimedOut", ++ "io.systemd.Resolve.MaxAttemptsReached", ++ "io.systemd.Resolve.NetworkDown"); ++} ++ + static int connect_to_resolved(Varlink **ret) { + _cleanup_(varlink_unrefp) Varlink *link = NULL; + int r; +@@ -242,9 +255,11 @@ enum nss_status _nss_resolve_gethostbyname4_r( + if (r < 0) + goto fail; + if (!isempty(error_id)) { +- if (!error_shall_fallback(error_id)) +- goto not_found; +- goto fail; ++ if (error_shall_try_again(error_id)) ++ goto try_again; ++ if (error_shall_fallback(error_id)) ++ goto fail; ++ goto not_found; + } + + r = json_dispatch(rparams, resolve_hostname_reply_dispatch_table, NULL, json_dispatch_flags, &p); +@@ -341,6 +356,12 @@ fail: + not_found: + *h_errnop = HOST_NOT_FOUND; + return NSS_STATUS_NOTFOUND; ++ ++try_again: ++ UNPROTECT_ERRNO; ++ *errnop = -r; ++ *h_errnop = TRY_AGAIN; ++ return NSS_STATUS_TRYAGAIN; + } + + enum nss_status _nss_resolve_gethostbyname3_r( +@@ -390,9 +411,11 @@ enum nss_status _nss_resolve_gethostbyname3_r( + if (r < 0) + goto fail; + if (!isempty(error_id)) { +- if (!error_shall_fallback(error_id)) +- goto not_found; +- goto fail; ++ if (error_shall_try_again(error_id)) ++ goto try_again; ++ if (error_shall_fallback(error_id)) ++ goto fail; ++ goto not_found; + } + + r = json_dispatch(rparams, resolve_hostname_reply_dispatch_table, NULL, json_dispatch_flags, &p); +@@ -508,6 +531,12 @@ fail: + not_found: + *h_errnop = HOST_NOT_FOUND; + return NSS_STATUS_NOTFOUND; ++ ++try_again: ++ UNPROTECT_ERRNO; ++ *errnop = -r; ++ *h_errnop = TRY_AGAIN; ++ return NSS_STATUS_TRYAGAIN; + } + + typedef struct ResolveAddressReply { +@@ -594,9 +623,11 @@ enum nss_status _nss_resolve_gethostbyaddr2_r( + if (r < 0) + goto fail; + if (!isempty(error_id)) { +- if (!error_shall_fallback(error_id)) +- goto not_found; +- goto fail; ++ if 
(error_shall_try_again(error_id)) ++ goto try_again; ++ if (error_shall_fallback(error_id)) ++ goto fail; ++ goto not_found; + } + + r = json_dispatch(rparams, resolve_address_reply_dispatch_table, NULL, json_dispatch_flags, &p); +@@ -694,6 +725,12 @@ fail: + not_found: + *h_errnop = HOST_NOT_FOUND; + return NSS_STATUS_NOTFOUND; ++ ++try_again: ++ UNPROTECT_ERRNO; ++ *errnop = -r; ++ *h_errnop = TRY_AGAIN; ++ return NSS_STATUS_TRYAGAIN; + } + + NSS_GETHOSTBYNAME_FALLBACKS(resolve); +-- +2.33.0 + diff --git a/backport-resolved-retry-on-SERVFAIL-before-downgrading-featur.patch b/backport-resolved-retry-on-SERVFAIL-before-downgrading-featur.patch new file mode 100644 index 0000000000000000000000000000000000000000..ff081de33ff5b9fa26ceb484867f64f57b15193d --- /dev/null +++ b/backport-resolved-retry-on-SERVFAIL-before-downgrading-featur.patch 
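Review bot: At each new `try_again:` label, `*errnop = -r;` stores a value that is not an errno: the label is only reached after `if (r < 0) goto fail;`, so `r` is zero or positive there and `*errnop` ends up 0 or negative. NSS callers read `*errnop` together with `NSS_STATUS_TRYAGAIN` to tell a temporary failure from a too-small buffer (`ERANGE`), so I would set it explicitly with `*errnop = EAGAIN;`. The same lines are added to `_nss_resolve_gethostbyname4_r`, `_nss_resolve_gethostbyname3_r` and `_nss_resolve_gethostbyaddr2_r`, and all three need the change. The function bodies begin outside the hunks.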
@@ -0,0 +1,98 @@ +From 8280bec34df8e35592f4a4a549127471a9199231 Mon Sep 17 00:00:00 2001 +From: Steven Siloti +Date: Sun, 11 Jul 2021 11:05:26 -0700 +Subject: [PATCH] resolved: retry on SERVFAIL before downgrading feature level + +The SERVFAIL RCODE can be generated for many reasons which may not be related +to lack of feature support. For example, the Stubby resolver generates +SERVFAIL when a request times out. Such transient failures can cause +unnecessary downgrades to both the transaction and the server's feature level. +The consequences of this are especially severe if the server is in DNSSEC +strict mode. In this case repeated downgrades eventually cause the server to +stop resolving entirely with the error "incompatible-server". + +To avoid unnecessary downgrades the request should be retried once with the +current level before the transaction's feature level is downgraded. + +(cherry picked from commit 8a33aa199dc1cea14494469ac9d7d08dc6721df1) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/8280bec34df8e35592f4a4a549127471a9199231 +--- + src/resolve/resolved-dns-server.c | 3 +- + src/resolve/resolved-dns-transaction.c | 43 +++++++++++++++++--------- + 2 files changed, 29 insertions(+), 17 deletions(-) + +diff --git a/src/resolve/resolved-dns-server.c b/src/resolve/resolved-dns-server.c +index e7a4bce71a..58a1376708 100644 +--- a/src/resolve/resolved-dns-server.c ++++ b/src/resolve/resolved-dns-server.c +@@ -362,9 +362,8 @@ void dns_server_packet_rcode_downgrade(DnsServer *s, DnsServerFeatureLevel level + if (s->possible_feature_level > level) { + s->possible_feature_level = level; + dns_server_reset_counters(s); ++ log_debug("Downgrading transaction feature level fixed an RCODE error, downgrading server %s too.", strna(dns_server_string_full(s))); + } +- +- log_debug("Downgrading transaction feature level fixed an RCODE error, downgrading server %s too.", strna(dns_server_string_full(s))); + } + + void 
dns_server_packet_invalid(DnsServer *s, DnsServerFeatureLevel level) { +diff --git a/src/resolve/resolved-dns-transaction.c b/src/resolve/resolved-dns-transaction.c +index 9535a7ba4c..cf10c5c359 100644 +--- a/src/resolve/resolved-dns-transaction.c ++++ b/src/resolve/resolved-dns-transaction.c +@@ -1142,22 +1142,35 @@ void dns_transaction_process_reply(DnsTransaction *t, DnsPacket *p, bool encrypt + break; + } + +- /* Reduce this feature level by one and try again. */ +- switch (t->current_feature_level) { +- case DNS_SERVER_FEATURE_LEVEL_TLS_DO: +- t->clamp_feature_level_servfail = DNS_SERVER_FEATURE_LEVEL_TLS_PLAIN; +- break; +- case DNS_SERVER_FEATURE_LEVEL_TLS_PLAIN + 1: +- /* Skip plain TLS when TLS is not supported */ +- t->clamp_feature_level_servfail = DNS_SERVER_FEATURE_LEVEL_TLS_PLAIN - 1; +- break; +- default: +- t->clamp_feature_level_servfail = t->current_feature_level - 1; +- } ++ /* SERVFAIL can happen for many reasons and may be transient. ++ * To avoid unnecessary downgrades retry once with the initial level. ++ * Check for clamp_feature_level_servfail having an invalid value as a sign that this is the ++ * first attempt to downgrade. If so, clamp to the current value so that the transaction ++ * is retried without actually downgrading. If the next try also fails we will downgrade by ++ * hitting the else branch below. */ ++ if (DNS_PACKET_RCODE(p) == DNS_RCODE_SERVFAIL && ++ t->clamp_feature_level_servfail < 0) { ++ t->clamp_feature_level_servfail = t->current_feature_level; ++ log_debug("Server returned error %s, retrying transaction.", ++ dns_rcode_to_string(DNS_PACKET_RCODE(p))); ++ } else { ++ /* Reduce this feature level by one and try again. 
*/ ++ switch (t->current_feature_level) { ++ case DNS_SERVER_FEATURE_LEVEL_TLS_DO: ++ t->clamp_feature_level_servfail = DNS_SERVER_FEATURE_LEVEL_TLS_PLAIN; ++ break; ++ case DNS_SERVER_FEATURE_LEVEL_TLS_PLAIN + 1: ++ /* Skip plain TLS when TLS is not supported */ ++ t->clamp_feature_level_servfail = DNS_SERVER_FEATURE_LEVEL_TLS_PLAIN - 1; ++ break; ++ default: ++ t->clamp_feature_level_servfail = t->current_feature_level - 1; ++ } + +- log_debug("Server returned error %s, retrying transaction with reduced feature level %s.", +- dns_rcode_to_string(DNS_PACKET_RCODE(p)), +- dns_server_feature_level_to_string(t->clamp_feature_level_servfail)); ++ log_debug("Server returned error %s, retrying transaction with reduced feature level %s.", ++ dns_rcode_to_string(DNS_PACKET_RCODE(p)), ++ dns_server_feature_level_to_string(t->clamp_feature_level_servfail)); ++ } + + dns_transaction_retry(t, false /* use the same server */); + return; +-- +2.33.0 + diff --git a/backport-resolved-suppress-writing-DNS-server-info-into-etc-r.patch b/backport-resolved-suppress-writing-DNS-server-info-into-etc-r.patch new file mode 100644 index 0000000000000000000000000000000000000000..6c2d00f3125e268e644a1eef393b5147a873ea18 --- /dev/null +++ b/backport-resolved-suppress-writing-DNS-server-info-into-etc-r.patch 
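Review bot: The first-attempt test `t->clamp_feature_level_servfail < 0` in `dns_transaction_process_reply()` depends on the field being initialised to a negative "invalid" value somewhere outside this hunk, and a bare `< 0` does not say which value that is. If the initial value is the enum's invalid marker, comparing against it by name, `t->clamp_feature_level_servfail == _DNS_SERVER_FEATURE_LEVEL_INVALID`, makes the dependency explicit. A later change to the initialiser then cannot silently turn the retry-once into an immediate feature-level downgrade. The enclosing function starts and ends outside the hunk.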
@@ -0,0 +1,38 @@ +From 2b2804757c8520b5cc133d9a3078f6fbec4a69cb Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Mon, 27 Sep 2021 14:28:16 +0200 +Subject: [PATCH] resolved: suppress writing DNS server info into + /etc/resolv.conf for non-standard UDP ports + +glibc doesn't support this, hence don#t generate it. + +Fixes: #20836 +(cherry picked from commit a50dadf2fd7413bbfc26af7e2ad2900b3e06af82) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/2b2804757c8520b5cc133d9a3078f6fbec4a69cb +--- + src/resolve/resolved-resolv-conf.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/src/resolve/resolved-resolv-conf.c b/src/resolve/resolved-resolv-conf.c +index dd02d368e9..d5a77605a8 100644 +--- a/src/resolve/resolved-resolv-conf.c ++++ b/src/resolve/resolved-resolv-conf.c +@@ -216,6 +216,13 @@ static void write_resolv_conf_server(DnsServer *s, FILE *f, unsigned *count) { + return; + } + ++ /* resolv.conf simply doesn't support any other ports than 53, hence there's nothing much we can ++ * do — we have to suppress these entries */ ++ if (dns_server_port(s) != 53) { ++ log_debug("DNS server %s with non-standard UDP port number, suppressing from generated resolv.conf.", dns_server_string(s)); ++ return; ++ } ++ + /* Check if the scope this DNS server belongs to is suitable as 'default' route for lookups; resolv.conf does + * not have a syntax to express that, so it must not appear as a global name server to avoid routing unrelated + * domains to it (which is a privacy violation, will most probably fail anyway, and adds unnecessary load) */ +-- +2.33.0 + diff --git a/backport-revert-core-map-io.bfq.weight-to-1.1000.patch b/backport-revert-core-map-io.bfq.weight-to-1.1000.patch deleted file mode 100644 index 8f6b4cd6c0e9f582a3b57efc81460659f88564ba..0000000000000000000000000000000000000000 --- a/backport-revert-core-map-io.bfq.weight-to-1.1000.patch +++ /dev/null 
@@ -1,90 +0,0 @@ -From 04bee6cd5439a4efb0faaf56ea245d44f3e99781 Mon Sep 17 00:00:00 2001 -From: y30009332 -Date: Tue, 1 Mar 2022 16:54:46 +0800 -Subject: [PATCH] revert :core map io.bfq.weight to 1..1000 -Reason:systemd-248 map io.bfq.weight to 1..1000, example 600 map to 60, -In order to maintain compatibility with v243, revert the commit and use -the v243 scheme - -Reference:https://github.com/systemd/systemd/commit/68c1ac1568910037a224c301d5c871af73493c16 ---- - src/core/cgroup.c | 35 ++++++++++++++++------------------- - 1 file changed, 16 insertions(+), 19 deletions(-) - -diff --git a/src/core/cgroup.c b/src/core/cgroup.c -index 2cbb789978..e5c4a605a6 100644 ---- a/src/core/cgroup.c -+++ b/src/core/cgroup.c -@@ -1194,23 +1194,6 @@ static int cgroup_apply_devices(Unit *u) { - return r; - } - --static void set_io_weight(Unit *u, const char *controller, uint64_t weight) { -- char buf[8+DECIMAL_STR_MAX(uint64_t)+1]; -- const char *p; -- -- p = strjoina(controller, ".weight"); -- xsprintf(buf, "default %" PRIu64 "\n", weight); -- (void) set_attribute_and_warn(u, controller, p, buf); -- -- /* FIXME: drop this when distro kernels properly support BFQ through "io.weight" -- * See also: https://github.com/systemd/systemd/pull/13335 and -- * https://github.com/torvalds/linux/commit/65752aef0a407e1ef17ec78a7fc31ba4e0b360f9. -- * The range is 1..1000 apparently. */ -- p = strjoina(controller, ".bfq.weight"); -- xsprintf(buf, "%" PRIu64 "\n", (weight + 9) / 10); -- (void) set_attribute_and_warn(u, controller, p, buf); --} -- - static void cgroup_apply_bpf_foreign_program(Unit *u) { - assert(u); - -@@ -1303,6 +1286,7 @@ static void cgroup_context_apply( - * controller), and in case of containers we want to leave control of these attributes to the container manager - * (and we couldn't access that stuff anyway, even if we tried if proper delegation is used). 
*/ - if ((apply_mask & CGROUP_MASK_IO) && !is_local_root) { -+ char buf[8+DECIMAL_STR_MAX(uint64_t)+1]; - bool has_io, has_blockio; - uint64_t weight; - -@@ -1322,7 +1306,13 @@ static void cgroup_context_apply( - } else - weight = CGROUP_WEIGHT_DEFAULT; - -- set_io_weight(u, "io", weight); -+ xsprintf(buf, "default %" PRIu64 "\n", weight); -+ (void) set_attribute_and_warn(u, "io", "io.weight", buf); -+ -+ /* FIXME: drop this when distro kernels properly support BFQ through "io.weight" -+ * See also: https://github.com/systemd/systemd/pull/13335 */ -+ xsprintf(buf, "%" PRIu64 "\n", weight); -+ (void) set_attribute_and_warn(u, "io", "io.bfq.weight", buf); - - if (has_io) { - CGroupIODeviceLatency *latency; -@@ -1377,6 +1367,7 @@ static void cgroup_context_apply( - /* Applying a 'weight' never makes sense for the host root cgroup, and for containers this should be - * left to our container manager, too. */ - if (!is_local_root) { -+ char buf[DECIMAL_STR_MAX(uint64_t)+1]; - uint64_t weight; - - if (has_io) { -@@ -1392,7 +1383,13 @@ static void cgroup_context_apply( - else - weight = CGROUP_BLKIO_WEIGHT_DEFAULT; - -- set_io_weight(u, "blkio", weight); -+ xsprintf(buf, "%" PRIu64 "\n", weight); -+ (void) set_attribute_and_warn(u, "blkio", "blkio.weight", buf); -+ -+ /* FIXME: drop this when distro kernels properly support BFQ through "blkio.weight" -+ * See also: https://github.com/systemd/systemd/pull/13335 */ -+ xsprintf(buf, "%" PRIu64 "\n", weight); -+ (void) set_attribute_and_warn(u, "blkio", "blkio.bfq.weight", buf); - - if (has_io) { - CGroupIODeviceWeight *w; --- -2.27.0 - diff --git a/backport-revert-delete-initrd-usr-fs-target.patch b/backport-revert-delete-initrd-usr-fs-target.patch index 6a63742307626aae203b632ce42591a0bc002107..15deec132c978e29f82f00e5f14b65bb97c6b0b7 100644 --- a/backport-revert-delete-initrd-usr-fs-target.patch +++ b/backport-revert-delete-initrd-usr-fs-target.patch @@ -3,15 +3,12 @@ 
From: Lennart Poettering Date: Fri, 26 Mar 2021 22:40:40 +0100 Subject: [PATCH] fstab-generator: if usr= is specified, mount it to /sysusr/usr/ first. - + This reverts 29a24ab28e9790680348b1ffab653a321fa49a67 -Reason: In systemd 249, at initrd stage, /usr fs will be mounted on -/sysroot, or on /sysusr. -This will cause sysroot.mount to be run ahead of time. But at this time, -the lvm of extra file directory is inactive, -This will make the crashed system have to wait 5 minutes. So we revert -the commit, and don't mount sysroot in advance. +Reason: In systemd 249, at initrd stage, /usr fs will be mounted on /sysroot, or on /sysusr. +This will cause sysroot.mount to be run ahead of time. But at this time, the lvm of extra file directory is inactive, +This will make the crashed system have to wait 5 minutes. So we revert the commit, and don't mount sysroot in advance. Conflict:NA Reference:https://github.com/systemd/systemd/commit/29a24ab28e9790680348b1ffab653a321fa49a67 @@ -236,5 +233,5 @@ index 5a0ec89..37eb23c 100644 AssertPathExists=/etc/initrd-release -- -2.27.0 +2.33.0 diff --git a/backport-run-mount-systemctl-don-t-fork-off-PolicyKit-ask-pw-.patch b/backport-run-mount-systemctl-don-t-fork-off-PolicyKit-ask-pw-.patch new file mode 100644 index 0000000000000000000000000000000000000000..f1318d9eefacac9f2cf07fd70002a2520d20316d --- /dev/null +++ b/backport-run-mount-systemctl-don-t-fork-off-PolicyKit-ask-pw-.patch 
@@ -0,0 +1,70 @@ +From fb999b918462361fefa435f86884f81edff503c5 Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Mon, 30 Aug 2021 13:21:55 +0200 +Subject: [PATCH] run/mount/systemctl: don't fork off PolicyKit/ask-pw agent + when in --user mode + +When we are in --user mode there's no point in doing PolicyKit/ask-pw +because both of these systems are only used by system-level services. +Let's disable the two agents for that automaticlly hence. + +Prompted by: #20576 + +(cherry picked from commit 966f3a246c8c804d8a9c9d393f03c5c3fe0dd393) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/fb999b918462361fefa435f86884f81edff503c5 +--- + src/mount/mount-tool.c | 3 +++ + src/run/run.c | 4 ++++ + src/systemctl/systemctl.c | 5 +++++ + 3 files changed, 12 insertions(+) + +diff --git a/src/mount/mount-tool.c b/src/mount/mount-tool.c +index c213c905a1..70b4c5a765 100644 +--- a/src/mount/mount-tool.c ++++ b/src/mount/mount-tool.c +@@ -332,6 +332,9 @@ static int parse_argv(int argc, char *argv[]) { + assert_not_reached("Unhandled option"); + } + ++ if (arg_user) ++ arg_ask_password = false; ++ + if (arg_user && arg_transport != BUS_TRANSPORT_LOCAL) + return log_error_errno(SYNTHETIC_ERRNO(EINVAL), + "Execution in user context is not supported on non-local systems."); +diff --git a/src/run/run.c b/src/run/run.c +index 38de0322e0..1c83e36e4e 100644 +--- a/src/run/run.c ++++ b/src/run/run.c +@@ -506,6 +506,10 @@ static int parse_argv(int argc, char *argv[]) { + assert_not_reached("Unhandled option"); + } + ++ /* If we are talking to the per-user instance PolicyKit isn't going to help */ ++ if (arg_user) ++ arg_ask_password = false; ++ + with_trigger = !!arg_path_property || !!arg_socket_property || arg_with_timer; + + /* currently, only single trigger (path, socket, timer) unit can be created simultaneously */ +diff --git a/src/systemctl/systemctl.c b/src/systemctl/systemctl.c +index 4cc723aab5..2f6f58127c 100644 +--- a/src/systemctl/systemctl.c ++++ 
b/src/systemctl/systemctl.c +@@ -925,6 +925,11 @@ static int systemctl_parse_argv(int argc, char *argv[]) { + assert_not_reached("Unhandled option"); + } + ++ /* If we are in --user mode, there's no point in talking to PolicyKit or the infra to query system ++ * passwords */ ++ if (arg_scope != UNIT_FILE_SYSTEM) ++ arg_ask_password = false; ++ + if (arg_transport == BUS_TRANSPORT_REMOTE && arg_scope != UNIT_FILE_SYSTEM) + return log_error_errno(SYNTHETIC_ERRNO(EINVAL), + "Cannot access user instance remotely."); +-- +2.33.0 + diff --git a/backport-scope-count-successful-cgroup-additions-when-delegat.patch b/backport-scope-count-successful-cgroup-additions-when-delegat.patch new file mode 100644 index 0000000000000000000000000000000000000000..6393e0f270319e7617176bfd0cf0456b9464e49a --- /dev/null +++ b/backport-scope-count-successful-cgroup-additions-when-delegat.patch 
@@ -0,0 +1,51 @@ +From be509064edba9863521a77a4a20a6e1a0971693e Mon Sep 17 00:00:00 2001 +From: Jonas Witschel +Date: Wed, 10 Nov 2021 22:46:35 +0100 +Subject: [PATCH] scope: count successful cgroup additions when delegating via + D-Bus + +Since commit 8d3e4ac7cd37200d1431411a4b98925a24b7d9b3 ("scope: refuse +activation of scopes if no PIDs to add are left") all "systemd-run --scope +--user" calls fail because cgroup attachments delegated to the system instance +are not counted towards successful additions. Fix this by incrementing the +return value in case unit_attach_pid_to_cgroup_via_bus() succeeds, similar to +what happens when cg_attach() succeeds directly. + +Note that this can *not* distinguish the case when +unit_attach_pid_to_cgroup_via_bus() has been run successfully, but all +processes to attach are gone in the meantime, unlike the checks that commit +8d3e4ac7cd37200d1431411a4b98925a24b7d9b3 adds for the system instance. This is +because even though unit_attach_pid_to_cgroup_via_bus() leads to an internal +unit_attach_pids_to_cgroup() call, the return value over D-Bus does not include +the number of successfully attached processes and is always NULL on success. 
+ +Fixes: #21297 + +(cherry picked from commit c65417a01121301fdf7f8514ee7663d287af3a72) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/be509064edba9863521a77a4a20a6e1a0971693e +--- + src/core/cgroup.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/src/core/cgroup.c b/src/core/cgroup.c +index 51936b7d1d..79e10ca3c0 100644 +--- a/src/core/cgroup.c ++++ b/src/core/cgroup.c +@@ -2188,8 +2188,11 @@ int unit_attach_pids_to_cgroup(Unit *u, Set *pids, const char *suffix_path) { + z = unit_attach_pid_to_cgroup_via_bus(u, pid, suffix_path); + if (z < 0) + log_unit_info_errno(u, z, "Couldn't move process "PID_FMT" to requested cgroup '%s' (directly or via the system bus): %m", pid, empty_to_root(p)); +- else ++ else { ++ if (ret >= 0) ++ ret++; /* Count successful additions */ + continue; /* When the bus thing worked via the bus we are fully done for this PID. */ ++ } + } + + if (ret >= 0) +-- +2.33.0 + diff --git a/backport-scope-refuse-activation-of-scopes-if-no-PIDs-to-add-.patch b/backport-scope-refuse-activation-of-scopes-if-no-PIDs-to-add-.patch new file mode 100644 index 0000000000000000000000000000000000000000..54b281492203ecefce8c8bda3b196ced45b45eb4 --- /dev/null +++ b/backport-scope-refuse-activation-of-scopes-if-no-PIDs-to-add-.patch 
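Review bot: The new `ret++` on the bus path in `unit_attach_pids_to_cgroup()` counts a PID as attached as soon as `unit_attach_pid_to_cgroup_via_bus()` returns success, but the code comment does not carry the limitation the commit message spells out: the D-Bus reply cannot confirm that the process still existed. I would extend the comment, for example `/* Count as added; the bus reply cannot tell us whether the PID was still alive */`. That tells callers which treat a zero count as "nothing attached" that the count is an upper bound in user mode. The loop body starts and ends outside the hunk.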
@@ -0,0 +1,55 @@
+From 7ecb1b82d9b55a081d81b2802695fd21293ce029 Mon Sep 17 00:00:00 2001
+From: Lennart Poettering
+Date: Wed, 27 Oct 2021 23:17:50 +0200
+Subject: [PATCH] scope: refuse activation of scopes if no PIDs to add are left
+
+If all processes we are supposed to add are gone by the time we are
+ready to do so, let's fail.
+
+THis is heavily based on Cunlong Li's work, who thankfully tracked this
+down.
+
+Replaces: #20577
+(cherry picked from commit 8d3e4ac7cd37200d1431411a4b98925a24b7d9b3)
+
+Conflict:NA
+Reference:https://github.com/systemd/systemd/commit/7ecb1b82d9b55a081d81b2802695fd21293ce029
+---
+ src/core/cgroup.c | 3 ++-
+ src/core/scope.c | 6 ++++++
+ 2 files changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/src/core/cgroup.c b/src/core/cgroup.c
+index 1551d57e90..51936b7d1d 100644
+--- a/src/core/cgroup.c
++++ b/src/core/cgroup.c
+@@ -2196,7 +2196,8 @@ int unit_attach_pids_to_cgroup(Unit *u, Set *pids, const char *suffix_path) {
+ ret = r; /* Remember first error */
+
+ continue;
+- }
++ } else if (ret >= 0)
++ ret++; /* Count successful additions */
+
+ r = cg_all_unified();
+ if (r < 0)
+diff --git a/src/core/scope.c b/src/core/scope.c
+index af6311bb5f..fd4367dbed 100644
+--- a/src/core/scope.c
++++ b/src/core/scope.c
+@@ -374,6 +374,12 @@ static int scope_start(Unit *u) {
+ scope_enter_dead(s, SCOPE_FAILURE_RESOURCES);
+ return r;
+ }
++ if (r == 0) {
++ log_unit_warning(u, "No PIDs left to attach to the scope's control group, refusing: %m");
++ scope_enter_dead(s, SCOPE_FAILURE_RESOURCES);
++ return -ECHILD;
++ }
++ log_unit_debug(u, "%i %s added to scope's control group.", r, r == 1 ? "process" : "processes");
+
+ s->result = SCOPE_SUCCESS;
+
+--
+2.33.0
+
diff --git a/backport-sd-boot-Fix-possible-null-pointer-dereference.patch b/backport-sd-boot-Fix-possible-null-pointer-dereference.patch
new file mode 100644
index 0000000000000000000000000000000000000000..4e9aec9755d731db118cf07a9cb6e3eedb40e307
--- /dev/null
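Review bot: The warning added in scope_start() ends in `: %m`, but no error code reaches log_unit_warning() on that path (`r` is 0 there), so the logged text cannot name the `-ECHILD` returned two lines later. I would drop the suffix, `log_unit_warning(u, "No PIDs left to attach to the scope's control group, refusing.");`, or switch to the `_errno` variant of the macro with a synthetic ECHILD so the log and the return value agree. scope_start() starts and ends outside the hunk.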
+++ b/backport-sd-boot-Fix-possible-null-pointer-dereference.patch
@@ -0,0 +1,32 @@
+From 872d101c2308e07c523fd6ca84bd774447f05b7e Mon Sep 17 00:00:00 2001
+From: Jan Janssen
+Date: Wed, 11 Aug 2021 14:59:46 +0200
+Subject: [PATCH] sd-boot: Fix possible null pointer dereference
+
+Auto entries are showing garbage for the version in print_status()
+because StrDuplicate does not expect null pointers.
+
+(cherry picked from commit b52fafb26d90b77cfc259fcbdab3c95a571bacb1)
+
+Conflict:NA
+Reference:https://github.com/systemd/systemd/commit/872d101c2308e07c523fd6ca84bd774447f05b7e
+---
+ src/boot/efi/boot.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/boot/efi/boot.c b/src/boot/efi/boot.c
+index 3249171ec1..13940a6df7 100644
+--- a/src/boot/efi/boot.c
++++ b/src/boot/efi/boot.c
+@@ -1724,7 +1724,7 @@ static ConfigEntry *config_entry_add_loader(
+ *entry = (ConfigEntry) {
+ .type = type,
+ .title = StrDuplicate(title),
+- .version = StrDuplicate(version),
++ .version = version ? StrDuplicate(version) : NULL,
+ .device = device,
+ .loader = StrDuplicate(loader),
+ .id = StrDuplicate(id),
+--
+2.33.0
+
diff --git a/backport-sd-boot-Rework-console-input-handling.patch b/backport-sd-boot-Rework-console-input-handling.patch
new file mode 100644
index 0000000000000000000000000000000000000000..263eb2a56603aab342b098477eee5b349a460c85
--- /dev/null
+++ b/backport-sd-boot-Rework-console-input-handling.patch
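Review bot: Only `.version` gets the NULL guard, while `.title`, `.loader` and `.id` in the same initializer are still handed to StrDuplicate() unchecked. Whether a caller of config_entry_add_loader() can pass NULL for those is not visible from this hunk; if it can, the same out-of-bounds read applies to them. If it cannot, a comment above the initializer such as `/* title, loader and id must be non-NULL; version is optional */` would record the contract next to the one field that is treated differently. The function body starts and ends outside the hunk.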
@@ -0,0 +1,323 @@
+From 9e47ea7c98d1f4e0a75edb5d1590e5742f253317 Mon Sep 17 00:00:00 2001
+From: Jan Janssen
+Date: Wed, 11 Aug 2021 14:59:46 +0200
+Subject: [PATCH] sd-boot: Rework console input handling
+
+Fixes: #15847
+Probably fixes: #19191
+
+(cherry picked from commit e98d271e57f3d0356e444b6ea2d48836ee2769b0)
+
+Conflict:NA
+Reference:https://github.com/systemd/systemd/commit/9e47ea7c98d1f4e0a75edb5d1590e5742f253317
+---
+ src/boot/efi/boot.c | 55 +++++++---------------
+ src/boot/efi/console.c | 102 +++++++++++++++++++++++++++++------------
+ src/boot/efi/console.h | 2 +-
+ 3 files changed, 91 insertions(+), 68 deletions(-)
+
+diff --git a/src/boot/efi/boot.c b/src/boot/efi/boot.c
+index 54d704f0d1..b4f3b9605a 100644
+--- a/src/boot/efi/boot.c
++++ b/src/boot/efi/boot.c
+@@ -134,7 +134,7 @@ static BOOLEAN line_edit(
+ uefi_call_wrapper(ST->ConOut->OutputString, 2, ST->ConOut, print);
+ uefi_call_wrapper(ST->ConOut->SetCursorPosition, 3, ST->ConOut, cursor, y_pos);
+
+- err = console_key_read(&key, TRUE);
++ err = console_key_read(&key, 0);
+ if (EFI_ERROR(err))
+ continue;
+
+@@ -387,7 +387,7 @@ static VOID print_status(Config *config, CHAR16 *loaded_image_path) {
+ Print(L"OsIndicationsSupported: %d\n", indvar);
+
+ Print(L"\n--- press key ---\n\n");
+- console_key_read(&key, TRUE);
++ console_key_read(&key, 0);
+
+ Print(L"timeout: %u\n", config->timeout_sec);
+ if (config->timeout_sec_efivar >= 0)
+@@ -432,7 +432,7 @@ static VOID print_status(Config *config, CHAR16 *loaded_image_path) {
+ Print(L"LoaderEntryDefault: %s\n", defaultstr);
+
+ Print(L"\n--- press key ---\n\n");
+- console_key_read(&key, TRUE);
++ console_key_read(&key, 0);
+
+ for (UINTN i = 0; i < config->entry_count; i++) {
+ ConfigEntry *entry;
+@@ -482,7 +482,7 @@ static VOID print_status(Config *config, CHAR16 *loaded_image_path) {
+ entry->path, entry->next_name);
+
+ Print(L"\n--- press key ---\n\n");
+- console_key_read(&key, TRUE);
++ console_key_read(&key, 0);
+ }
+
+ uefi_call_wrapper(ST->ConOut->ClearScreen, 1, ST->ConOut);
+@@ -509,11 +509,10 @@ static BOOLEAN menu_run(
+ UINTN y_max;
+ CHAR16 *status;
+ CHAR16 *clearline;
+- INTN timeout_remain;
++ UINTN timeout_remain = config->timeout_sec;
+ INT16 idx;
+ BOOLEAN exit = FALSE;
+ BOOLEAN run = TRUE;
+- BOOLEAN wait = FALSE;
+
+ graphics_mode(FALSE);
+ uefi_call_wrapper(ST->ConIn->Reset, 2, ST->ConIn, FALSE);
+@@ -538,12 +537,6 @@ static BOOLEAN menu_run(
+ y_max = 25;
+ }
+
+- /* we check 10 times per second for a keystroke */
+- if (config->timeout_sec > 0)
+- timeout_remain = config->timeout_sec * 10;
+- else
+- timeout_remain = -1;
+-
+ idx_highlight = config->idx_default;
+ idx_highlight_prev = 0;
+
+@@ -643,7 +636,7 @@ static BOOLEAN menu_run(
+
+ if (timeout_remain > 0) {
+ FreePool(status);
+- status = PoolPrint(L"Boot in %d sec.", (timeout_remain + 5) / 10);
++ status = PoolPrint(L"Boot in %d s.", timeout_remain);
+ }
+
+ /* print status at last line of screen */
+@@ -664,27 +657,18 @@ static BOOLEAN menu_run(
+ uefi_call_wrapper(ST->ConOut->OutputString, 2, ST->ConOut, clearline+1 + x + len);
+ }
+
+- err = console_key_read(&key, wait);
+- if (EFI_ERROR(err)) {
+- /* timeout reached */
++ err = console_key_read(&key, timeout_remain > 0 ? 1000 * 1000 : 0);
++ if (err == EFI_TIMEOUT) {
++ timeout_remain--;
+ if (timeout_remain == 0) {
+ exit = TRUE;
+ break;
+ }
+
+- /* sleep and update status */
+- if (timeout_remain > 0) {
+- uefi_call_wrapper(BS->Stall, 1, 100 * 1000);
+- timeout_remain--;
+- continue;
+- }
+-
+- /* timeout disabled, wait for next key */
+- wait = TRUE;
++ /* update status */
+ continue;
+- }
+-
+- timeout_remain = -1;
++ } else
++ timeout_remain = 0;
+
+ /* clear status after keystroke */
+ if (status) {
+@@ -787,7 +771,7 @@ static BOOLEAN menu_run(
+ config->timeout_sec_efivar,
+ EFI_VARIABLE_NON_VOLATILE);
+ if (config->timeout_sec_efivar > 0)
+- status = PoolPrint(L"Menu timeout set to %d sec.", config->timeout_sec_efivar);
++ status = PoolPrint(L"Menu timeout set to %d s.", config->timeout_sec_efivar);
+ else
+ status = StrDuplicate(L"Menu disabled. Hold down key at bootup to show menu.");
+ } else if (config->timeout_sec_efivar <= 0){
+@@ -795,7 +779,7 @@ static BOOLEAN menu_run(
+ efivar_set(
+ LOADER_GUID, L"LoaderConfigTimeout", NULL, EFI_VARIABLE_NON_VOLATILE);
+ if (config->timeout_sec_config > 0)
+- status = PoolPrint(L"Menu timeout of %d sec is defined by configuration file.",
++ status = PoolPrint(L"Menu timeout of %d s is defined by configuration file.",
+ config->timeout_sec_config);
+ else
+ status = StrDuplicate(L"Menu disabled. Hold down key at bootup to show menu.");
+@@ -813,7 +797,7 @@ static BOOLEAN menu_run(
+ config->timeout_sec_efivar,
+ EFI_VARIABLE_NON_VOLATILE);
+ if (config->timeout_sec_efivar > 0)
+- status = PoolPrint(L"Menu timeout set to %d sec.",
++ status = PoolPrint(L"Menu timeout set to %d s.",
+ config->timeout_sec_efivar);
+ else
+ status = StrDuplicate(L"Menu disabled. Hold down key at bootup to show menu.");
+@@ -2369,13 +2353,8 @@ EFI_STATUS efi_main(EFI_HANDLE image, EFI_SYSTEM_TABLE *sys_table) {
+ else {
+ UINT64 key;
+
+- err = console_key_read(&key, FALSE);
+-
+- if (err == EFI_NOT_READY) {
+- uefi_call_wrapper(BS->Stall, 1, 100 * 1000);
+- err = console_key_read(&key, FALSE);
+- }
+-
++ /* Block up to 100ms to give firmware time to get input working. */
++ err = console_key_read(&key, 100 * 1000);
+ if (!EFI_ERROR(err)) {
+ INT16 idx;
+
+diff --git a/src/boot/efi/console.c b/src/boot/efi/console.c
+index 83619d2147..369c549daf 100644
+--- a/src/boot/efi/console.c
++++ b/src/boot/efi/console.c
+@@ -11,61 +11,105 @@
+
+ #define EFI_SIMPLE_TEXT_INPUT_EX_GUID &(EFI_GUID) EFI_SIMPLE_TEXT_INPUT_EX_PROTOCOL_GUID
+
+-EFI_STATUS console_key_read(UINT64 *key, BOOLEAN wait) {
++static inline void EventClosep(EFI_EVENT *event) {
++ if (!*event)
++ return;
++
++ uefi_call_wrapper(BS->CloseEvent, 1, *event);
++}
++
++/*
++ * Reading input from the console sounds like an easy task to do, but thanks to broken
++ * firmware it is actually a nightmare.
++ *
++ * There is a ConIn and TextInputEx API for this. Ideally we want to use TextInputEx,
++ * because that gives us Ctrl/Alt/Shift key state information. Unfortunately, it is not
++ * always available and sometimes just non-functional.
++ *
++ * On the other hand we have ConIn, where some firmware likes to just freeze on us
++ * if we call ReadKeyStroke on it.
++ *
++ * Therefore, we use WaitForEvent on both ConIn and TextInputEx (if available) along
++ * with a timer event. The timer ensures there is no need to call into functions
++ * that might freeze on us, while still allowing us to show a timeout counter.
++ */
++EFI_STATUS console_key_read(UINT64 *key, UINT64 timeout_usec) {
+ static EFI_SIMPLE_TEXT_INPUT_EX_PROTOCOL *TextInputEx;
+ static BOOLEAN checked;
+ UINTN index;
+ EFI_INPUT_KEY k;
+ EFI_STATUS err;
++ _cleanup_(EventClosep) EFI_EVENT timer = NULL;
++ EFI_EVENT events[3] = { ST->ConIn->WaitForKey };
++ UINTN n_events = 1;
+
+ if (!checked) {
+ err = LibLocateProtocol(EFI_SIMPLE_TEXT_INPUT_EX_GUID, (VOID **)&TextInputEx);
+- if (EFI_ERROR(err))
++ if (EFI_ERROR(err) ||
++ uefi_call_wrapper(BS->CheckEvent, 1, TextInputEx->WaitForKeyEx) == EFI_INVALID_PARAMETER)
++ /* If WaitForKeyEx fails here, the firmware pretends it talks this
++ * protocol, but it really doesn't. */
+ TextInputEx = NULL;
++ else
++ events[n_events++] = TextInputEx->WaitForKeyEx;
+
+ checked = TRUE;
+ }
+
+- /* wait until key is pressed */
+- if (wait)
+- uefi_call_wrapper(BS->WaitForEvent, 3, 1, &ST->ConIn->WaitForKey, &index);
++ if (timeout_usec > 0) {
++ err = uefi_call_wrapper(BS->CreateEvent, 5, EVT_TIMER, 0, NULL, NULL, &timer);
++ if (EFI_ERROR(err))
++ return log_error_status_stall(err, L"Error creating timer event: %r", err);
++
++ /* SetTimer expects 100ns units for some reason. */
++ err = uefi_call_wrapper(BS->SetTimer, 3, timer, TimerRelative, timeout_usec * 10);
++ if (EFI_ERROR(err))
++ return log_error_status_stall(err, L"Error arming timer event: %r", err);
+
+- if (TextInputEx) {
++ events[n_events++] = timer;
++ }
++
++ err = uefi_call_wrapper(BS->WaitForEvent, 3, n_events, events, &index);
++ if (EFI_ERROR(err))
++ return log_error_status_stall(err, L"Error waiting for events: %r", err);
++
++ if (timeout_usec > 0 && timer == events[index])
++ return EFI_TIMEOUT;
++
++ /* TextInputEx might be ready too even if ConIn got to signal first. */
++ if (TextInputEx && !EFI_ERROR(uefi_call_wrapper(BS->CheckEvent, 1, TextInputEx->WaitForKeyEx))) {
+ EFI_KEY_DATA keydata;
+ UINT64 keypress;
++ UINT32 shift = 0;
+
+ err = uefi_call_wrapper(TextInputEx->ReadKeyStrokeEx, 2, TextInputEx, &keydata);
+- if (!EFI_ERROR(err)) {
+- UINT32 shift = 0;
+-
+- /* do not distinguish between left and right keys */
+- if (keydata.KeyState.KeyShiftState & EFI_SHIFT_STATE_VALID) {
+- if (keydata.KeyState.KeyShiftState & (EFI_RIGHT_CONTROL_PRESSED|EFI_LEFT_CONTROL_PRESSED))
+- shift |= EFI_CONTROL_PRESSED;
+- if (keydata.KeyState.KeyShiftState & (EFI_RIGHT_ALT_PRESSED|EFI_LEFT_ALT_PRESSED))
+- shift |= EFI_ALT_PRESSED;
+- };
+-
+- /* 32 bit modifier keys + 16 bit scan code + 16 bit unicode */
+- keypress = KEYPRESS(shift, keydata.Key.ScanCode, keydata.Key.UnicodeChar);
+- if (keypress > 0) {
+- *key = keypress;
+- return 0;
+- }
++ if (EFI_ERROR(err))
++ return err;
++
++ /* do not distinguish between left and right keys */
++ if (keydata.KeyState.KeyShiftState & EFI_SHIFT_STATE_VALID) {
++ if (keydata.KeyState.KeyShiftState & (EFI_RIGHT_CONTROL_PRESSED|EFI_LEFT_CONTROL_PRESSED))
++ shift |= EFI_CONTROL_PRESSED;
++ if (keydata.KeyState.KeyShiftState & (EFI_RIGHT_ALT_PRESSED|EFI_LEFT_ALT_PRESSED))
++ shift |= EFI_ALT_PRESSED;
++ };
++
++ /* 32 bit modifier keys + 16 bit scan code + 16 bit unicode */
++ keypress = KEYPRESS(shift, keydata.Key.ScanCode, keydata.Key.UnicodeChar);
++ if (keypress > 0) {
++ *key = keypress;
++ return EFI_SUCCESS;
+ }
++
++ return EFI_NOT_READY;
+ }
+
+- /* fallback for firmware which does not support SimpleTextInputExProtocol
+- *
+- * This is also called in case ReadKeyStrokeEx did not return a key, because
+- * some broken firmwares offer SimpleTextInputExProtocol, but never actually
+- * handle any key. */
+ err = uefi_call_wrapper(ST->ConIn->ReadKeyStroke, 2, ST->ConIn, &k);
+ if (EFI_ERROR(err))
+ return err;
+
+ *key = KEYPRESS(0, k.ScanCode, k.UnicodeChar);
+- return 0;
++ return EFI_SUCCESS;
+ }
+
+ static EFI_STATUS change_mode(UINTN mode) {
+diff --git a/src/boot/efi/console.h b/src/boot/efi/console.h
+index 2c69af552a..23848a9c58 100644
+--- a/src/boot/efi/console.h
++++ b/src/boot/efi/console.h
+@@ -16,5 +16,5 @@ enum console_mode_change_type {
+ CONSOLE_MODE_MAX,
+ };
+
+-EFI_STATUS console_key_read(UINT64 *key, BOOLEAN wait);
++EFI_STATUS console_key_read(UINT64 *key, UINT64 timeout_usec);
+ EFI_STATUS console_set_mode(UINTN *mode, enum console_mode_change_type how);
+--
+2.33.0
+
diff --git a/backport-sd-boot-Unify-error-handling.patch b/backport-sd-boot-Unify-error-handling.patch
new file mode 100644
index 0000000000000000000000000000000000000000..d6147b6f26beb9c1179a9ba4217684b272dab6ad
--- /dev/null
+++ b/backport-sd-boot-Unify-error-handling.patch
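Review bot: In console_key_read() the line `events[n_events++] = TextInputEx->WaitForKeyEx;` sits inside `if (!checked)`, but `events` and `n_events` are locals re-initialised on every call while `checked` and `TextInputEx` are static, so from the second call on WaitForEvent no longer waits on WaitForKeyEx. Registering the event outside the one-time probe fixes that: `if (TextInputEx) events[n_events++] = TextInputEx->WaitForKeyEx;` placed right after the `if (!checked)` block. Separately, menu_run() now special-cases only EFI_TIMEOUT, so an EFI_NOT_READY or read error from console_key_read() appears to fall through to the key handling with whatever `key` held before. A `continue` on any other error would keep the previous behaviour, though the rest of that loop is outside the hunk.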
@@ -0,0 +1,404 @@
+From 218c0839b24853899d2ea15cb2973ab0d56a7f31 Mon Sep 17 00:00:00 2001
+From: Jan Janssen
+Date: Wed, 11 Aug 2021 14:59:46 +0200
+Subject: [PATCH] sd-boot: Unify error handling
+
+log_error_stall() and log_error_status_stall() will ensure the user has
+a chance to catch an error message by stalling and also forcing a
+lightred/black color on it. Also, convert several Print() calls to it
+since they are actually error messages.
+
+(cherry picked from commit 8aba0eec499b762657f528988c2f093ac490620d)
+
+Conflict:NA
+Reference:https://github.com/systemd/systemd/commit/218c0839b24853899d2ea15cb2973ab0d56a7f31
+---
+ src/boot/efi/boot.c | 62 ++++++++++----------------------
+ src/boot/efi/random-seed.c | 73 +++++++++++++------------------------
+ src/boot/efi/stub.c | 24 ++++---------
+ src/boot/efi/util.c | 17 +++++++--
+ src/boot/efi/util.h | 9 +++++
+ 5 files changed, 75 insertions(+), 110 deletions(-)
+
+diff --git a/src/boot/efi/boot.c b/src/boot/efi/boot.c
+index 13940a6df7..54d704f0d1 100644
+--- a/src/boot/efi/boot.c
++++ b/src/boot/efi/boot.c
+@@ -527,7 +527,7 @@ static BOOLEAN menu_run(
+ err = console_set_mode(&config->console_mode, config->console_mode_change);
+ if (EFI_ERROR(err)) {
+ uefi_call_wrapper(ST->ConOut->ClearScreen, 1, ST->ConOut);
+- Print(L"Error switching console mode to %ld: %r.\r", (UINT64)config->console_mode, err);
++ log_error_stall(L"Error switching console mode to %lu: %r", (UINT64)config->console_mode, err);
+ }
+ } else
+ uefi_call_wrapper(ST->ConOut->ClearScreen, 1, ST->ConOut);
+@@ -1221,8 +1221,7 @@ static VOID config_entry_bump_counters(
+ break;
+
+ if (r != EFI_BUFFER_TOO_SMALL || file_info_size * 2 < file_info_size) {
+- Print(L"\nFailed to get file info for '%s': %r\n", old_path, r);
+- uefi_call_wrapper(BS->Stall, 1, 3 * 1000 * 1000);
++ log_error_stall(L"Failed to get file info for '%s': %r", old_path, r);
+ return;
+ }
+
+@@ -1234,8 +1233,7 @@ static VOID config_entry_bump_counters(
+ StrCpy(file_info->FileName, entry->next_name);
+ r = uefi_call_wrapper(handle->SetInfo, 4, handle, &EfiFileInfoGuid, file_info_size, file_info);
+ if (EFI_ERROR(r)) {
+- Print(L"\nFailed to rename '%s' to '%s', ignoring: %r\n", old_path, entry->next_name, r);
+- uefi_call_wrapper(BS->Stall, 1, 3 * 1000 * 1000);
++ log_error_stall(L"Failed to rename '%s' to '%s', ignoring: %r", old_path, entry->next_name, r);
+ return;
+ }
+
+@@ -2165,18 +2163,12 @@ static EFI_STATUS image_start(
+ EFI_STATUS err;
+
+ path = FileDevicePath(entry->device, entry->loader);
+- if (!path) {
+- Print(L"Error getting device path.");
+- uefi_call_wrapper(BS->Stall, 1, 3 * 1000 * 1000);
+- return EFI_INVALID_PARAMETER;
+- }
++ if (!path)
++ return log_error_status_stall(EFI_INVALID_PARAMETER, L"Error getting device path.");
+
+ err = uefi_call_wrapper(BS->LoadImage, 6, FALSE, parent_image, path, NULL, 0, &image);
+- if (EFI_ERROR(err)) {
+- Print(L"Error loading %s: %r", entry->loader, err);
+- uefi_call_wrapper(BS->Stall, 1, 3 * 1000 * 1000);
+- return err;
+- }
++ if (EFI_ERROR(err))
++ return log_error_status_stall(err, L"Error loading %s: %r", entry->loader, err);
+
+ if (config->options_edit)
+ options = config->options_edit;
+@@ -2190,8 +2182,7 @@ static EFI_STATUS image_start(
+ err = uefi_call_wrapper(BS->OpenProtocol, 6, image, &LoadedImageProtocol, (VOID **)&loaded_image,
+ parent_image, NULL, EFI_OPEN_PROTOCOL_GET_PROTOCOL);
+ if (EFI_ERROR(err)) {
+- Print(L"Error getting LoadedImageProtocol handle: %r", err);
+- uefi_call_wrapper(BS->Stall, 1, 3 * 1000 * 1000);
++ log_error_stall(L"Error getting LoadedImageProtocol handle: %r", err);
+ goto out_unload;
+ }
+ loaded_image->LoadOptions = options;
+@@ -2202,10 +2193,8 @@ static EFI_STATUS image_start(
+ err = tpm_log_event(SD_TPM_PCR,
+ (EFI_PHYSICAL_ADDRESS) (UINTN) loaded_image->LoadOptions,
+ loaded_image->LoadOptionsSize, loaded_image->LoadOptions);
+- if (EFI_ERROR(err)) {
+- Print(L"Unable to add image options measurement: %r", err);
+- uefi_call_wrapper(BS->Stall, 1, 200 * 1000);
+- }
++ if (EFI_ERROR(err))
++ log_error_stall(L"Unable to add image options measurement: %r", err);
+ #endif
+ }
+
+@@ -2231,9 +2220,7 @@ static EFI_STATUS reboot_into_firmware(VOID) {
+ return err;
+
+ err = uefi_call_wrapper(RT->ResetSystem, 4, EfiResetCold, EFI_SUCCESS, 0, NULL);
+- Print(L"Error calling ResetSystem: %r", err);
+- uefi_call_wrapper(BS->Stall, 1, 3 * 1000 * 1000);
+- return err;
++ return log_error_status_stall(err, L"Error calling ResetSystem: %r", err);
+ }
+
+ static VOID config_free(Config *config) {
+@@ -2305,30 +2292,21 @@ EFI_STATUS efi_main(EFI_HANDLE image, EFI_SYSTEM_TABLE *sys_table) {
+
+ err = uefi_call_wrapper(BS->OpenProtocol, 6, image, &LoadedImageProtocol, (VOID **)&loaded_image,
+ image, NULL, EFI_OPEN_PROTOCOL_GET_PROTOCOL);
+- if (EFI_ERROR(err)) {
+- Print(L"Error getting a LoadedImageProtocol handle: %r", err);
+- uefi_call_wrapper(BS->Stall, 1, 3 * 1000 * 1000);
+- return err;
+- }
++ if (EFI_ERROR(err))
++ return log_error_status_stall(err, L"Error getting a LoadedImageProtocol handle: %r", err);
+
+ /* export the device path this image is started from */
+ if (disk_get_part_uuid(loaded_image->DeviceHandle, uuid) == EFI_SUCCESS)
+ efivar_set(LOADER_GUID, L"LoaderDevicePartUUID", uuid, 0);
+
+ root_dir = LibOpenRoot(loaded_image->DeviceHandle);
+- if (!root_dir) {
+- Print(L"Unable to open root directory.");
+- uefi_call_wrapper(BS->Stall, 1, 3 * 1000 * 1000);
+- return EFI_LOAD_ERROR;
+- }
++ if (!root_dir)
++ return log_error_status_stall(EFI_LOAD_ERROR, L"Unable to open root directory.", EFI_LOAD_ERROR);
+
+ if (secure_boot_enabled() && shim_loaded()) {
+ err = security_policy_install();
+- if (EFI_ERROR(err)) {
+- Print(L"Error installing security policy: %r ", err);
+- uefi_call_wrapper(BS->Stall, 1, 3 * 1000 * 1000);
+- return err;
+- }
++ if (EFI_ERROR(err))
++ return log_error_status_stall(err, L"Error installing security policy: %r", err);
+ }
+
+ /* the filesystem path to this image, to prevent adding ourselves to the menu */
+@@ -2367,8 +2345,7 @@ EFI_STATUS efi_main(EFI_HANDLE image, EFI_SYSTEM_TABLE *sys_table) {
+ }
+
+ if (config.entry_count == 0) {
+- Print(L"No loader found. Configuration files in \\loader\\entries\\*.conf are needed.");
+- uefi_call_wrapper(BS->Stall, 1, 3 * 1000 * 1000);
++ log_error_stall(L"No loader found. Configuration files in \\loader\\entries\\*.conf are needed.");
+ goto out;
+ }
+
+@@ -2440,8 +2417,7 @@ EFI_STATUS efi_main(EFI_HANDLE image, EFI_SYSTEM_TABLE *sys_table) {
+ err = image_start(image, &config, entry);
+ if (EFI_ERROR(err)) {
+ graphics_mode(FALSE);
+- Print(L"\nFailed to execute %s (%s): %r\n", entry->title, entry->loader, err);
+- uefi_call_wrapper(BS->Stall, 1, 3 * 1000 * 1000);
++ log_error_stall(L"Failed to execute %s (%s): %r", entry->title, entry->loader, err);
+ goto out;
+ }
+
+diff --git a/src/boot/efi/random-seed.c b/src/boot/efi/random-seed.c
+index 3e179851b0..939daf3e41 100644
+--- a/src/boot/efi/random-seed.c
++++ b/src/boot/efi/random-seed.c
+@@ -35,10 +35,8 @@ static EFI_STATUS acquire_rng(UINTN size, VOID **ret) {
+ return log_oom();
+
+ err = uefi_call_wrapper(rng->GetRNG, 3, rng, NULL, size, data);
+- if (EFI_ERROR(err)) {
+- Print(L"Failed to acquire RNG data: %r\n", err);
+- return err;
+- }
++ if (EFI_ERROR(err))
++ return log_error_status_stall(err, L"Failed to acquire RNG data: %r", err);
+
+ *ret = TAKE_PTR(data);
+ return EFI_SUCCESS;
+@@ -149,14 +147,12 @@ static EFI_STATUS acquire_system_token(VOID **ret, UINTN *ret_size) {
+ err = efivar_get_raw(LOADER_GUID, L"LoaderSystemToken", &data, &size);
+ if (EFI_ERROR(err)) {
+ if (err != EFI_NOT_FOUND)
+- Print(L"Failed to read LoaderSystemToken EFI variable: %r", err);
++ log_error_stall(L"Failed to read LoaderSystemToken EFI variable: %r", err);
+ return err;
+ }
+
+- if (size <= 0) {
+- Print(L"System token too short, ignoring.");
+- return EFI_NOT_FOUND;
+- }
++ if (size <= 0)
++ return log_error_status_stall(EFI_NOT_FOUND, L"System token too short, ignoring.");
+
+ *ret = TAKE_PTR(data);
+ *ret_size = size;
+@@ -209,8 +205,7 @@ static VOID validate_sha256(void) {
+ sha256_finish_ctx(&hash, result);
+
+ if (CompareMem(result, array[i].hash, HASH_VALUE_SIZE) != 0) {
+- Print(L"SHA256 failed validation.\n");
+- uefi_call_wrapper(BS->Stall, 1, 120 * 1000 * 1000);
++ log_error_stall(L"SHA256 failed validation.");
+ return;
+ }
+ }
+@@ -246,7 +241,7 @@ EFI_STATUS process_random_seed(EFI_FILE *root_dir, RandomSeedMode mode) {
+ err = uefi_call_wrapper(root_dir->Open, 5, root_dir, &handle, (CHAR16*) L"\\loader\\random-seed", EFI_FILE_MODE_READ|EFI_FILE_MODE_WRITE, 0ULL);
+ if (EFI_ERROR(err)) {
+ if (err != EFI_NOT_FOUND && err != EFI_WRITE_PROTECTED)
+- Print(L"Failed to open random seed file: %r\n", err);
++ log_error_stall(L"Failed to open random seed file: %r", err);
+ return err;
+ }
+
+@@ -255,15 +250,11 @@ EFI_STATUS process_random_seed(EFI_FILE *root_dir, RandomSeedMode mode) {
+ return log_oom();
+
+ size = info->FileSize;
+- if (size < RANDOM_MAX_SIZE_MIN) {
+- Print(L"Random seed file is too short?\n");
+- return EFI_INVALID_PARAMETER;
+- }
++ if (size < RANDOM_MAX_SIZE_MIN)
++ return log_error_status_stall(EFI_INVALID_PARAMETER, L"Random seed file is too short.");
+
+- if (size > RANDOM_MAX_SIZE_MAX) {
+- Print(L"Random seed file is too large?\n");
+- return EFI_INVALID_PARAMETER;
+- }
++ if (size > RANDOM_MAX_SIZE_MAX)
++ return log_error_status_stall(EFI_INVALID_PARAMETER, L"Random seed file is too large.");
+
+ seed = AllocatePool(size);
+ if (!seed)
+@@ -271,20 +262,14 @@ EFI_STATUS process_random_seed(EFI_FILE *root_dir, RandomSeedMode mode) {
+
+ rsize = size;
+ err = uefi_call_wrapper(handle->Read, 3, handle, &rsize, seed);
+- if (EFI_ERROR(err)) {
+- Print(L"Failed to read random seed file: %r\n", err);
+- return err;
+- }
+- if (rsize != size) {
+- Print(L"Short read on random seed file\n");
+- return EFI_PROTOCOL_ERROR;
+- }
++ if (EFI_ERROR(err))
++ return log_error_status_stall(err, L"Failed to read random seed file: %r", err);
++ if (rsize != size)
++ return log_error_status_stall(EFI_PROTOCOL_ERROR, L"Short read on random seed file.");
+
+ err = uefi_call_wrapper(handle->SetPosition, 2, handle, 0);
+- if (EFI_ERROR(err)) {
+- Print(L"Failed to seek to beginning of random seed file: %r\n", err);
+- return err;
+- }
++ if (EFI_ERROR(err))
++ return log_error_status_stall(err, L"Failed to seek to beginning of random seed file: %r", err);
+
+ /* Request some random data from the UEFI RNG. We don't need this to work safely, but it's a good
+ * idea to use it because it helps us for cases where users mistakenly include a random seed in
+@@ -299,27 +284,19 @@ EFI_STATUS process_random_seed(EFI_FILE *root_dir, RandomSeedMode mode) {
+ /* Update the random seed on disk before we use it */
+ wsize = size;
+ err = uefi_call_wrapper(handle->Write, 3, handle, &wsize, new_seed);
+- if (EFI_ERROR(err)) {
+- Print(L"Failed to write random seed file: %r\n", err);
+- return err;
+- }
+- if (wsize != size) {
+- Print(L"Short write on random seed file\n");
+- return EFI_PROTOCOL_ERROR;
+- }
++ if (EFI_ERROR(err))
++ return log_error_status_stall(err, L"Failed to write random seed file: %r", err);
++ if (wsize != size)
++ return log_error_status_stall(EFI_PROTOCOL_ERROR, L"Short write on random seed file.");
+
+ err = uefi_call_wrapper(handle->Flush, 1, handle);
+- if (EFI_ERROR(err)) {
+- Print(L"Failed to flush random seed file: %r\n");
+- return err;
+- }
++ if (EFI_ERROR(err))
++ return log_error_status_stall(err, L"Failed to flush random seed file: %r", err);
+
+ /* We are good to go */
+ err = efivar_set_raw(LOADER_GUID, L"LoaderRandomSeed", for_kernel, size, 0);
+- if (EFI_ERROR(err)) {
+- Print(L"Failed to write random seed to EFI variable: %r\n", err);
+- return err;
+- }
++ if (EFI_ERROR(err))
++ return log_error_status_stall(err, L"Failed to write random seed to EFI variable: %r", err);
+
+ return EFI_SUCCESS;
+ }
+diff --git a/src/boot/efi/stub.c b/src/boot/efi/stub.c
+index 082fe91c9e..82da1d3ec4 100644
+--- a/src/boot/efi/stub.c
++++ b/src/boot/efi/stub.c
+@@ -36,18 +36,12 @@ EFI_STATUS efi_main(EFI_HANDLE image, EFI_SYSTEM_TABLE *sys_table) {
+
+ err = uefi_call_wrapper(BS->OpenProtocol, 6, image, &LoadedImageProtocol, (VOID **)&loaded_image,
+ image, NULL, EFI_OPEN_PROTOCOL_GET_PROTOCOL);
+- if (EFI_ERROR(err)) {
+- Print(L"Error getting a LoadedImageProtocol handle: %r ", err);
+- uefi_call_wrapper(BS->Stall, 1, 3 * 1000 * 1000);
+- return err;
+- }
++ if (EFI_ERROR(err))
++ return log_error_status_stall(err, L"Error getting a LoadedImageProtocol handle: %r", err);
+
+ err = pe_memory_locate_sections(loaded_image->ImageBase, sections, addrs, offs, szs);
+- if (EFI_ERROR(err)) {
+- Print(L"Unable to locate embedded .linux section: %r ", err);
+- uefi_call_wrapper(BS->Stall, 1, 3 * 1000 * 1000);
+- return err;
+- }
++ if (EFI_ERROR(err))
++ return log_error_status_stall(err, L"Unable to locate embedded .linux section: %r", err);
+
+ if (szs[0] > 0)
+ cmdline = (CHAR8 *)(loaded_image->ImageBase) + addrs[0];
+@@ -72,10 +66,8 @@ EFI_STATUS efi_main(EFI_HANDLE image, EFI_SYSTEM_TABLE *sys_table) {
+ err = tpm_log_event(SD_TPM_PCR,
+ (EFI_PHYSICAL_ADDRESS) (UINTN) loaded_image->LoadOptions,
+ loaded_image->LoadOptionsSize, loaded_image->LoadOptions);
+- if (EFI_ERROR(err)) {
+- Print(L"Unable to add image options measurement: %r", err);
+- uefi_call_wrapper(BS->Stall, 1, 200 * 1000);
+- }
++ if (EFI_ERROR(err))
++ log_error_stall(L"Unable to add image options measurement: %r", err);
+ #endif
+ }
+
+@@ -126,7 +118,5 @@ EFI_STATUS efi_main(EFI_HANDLE image, EFI_SYSTEM_TABLE *sys_table) {
+ (UINTN)loaded_image->ImageBase + addrs[2], szs[2]);
+
+ graphics_mode(FALSE);
+- Print(L"Execution of embedded linux image failed: %r\n", err);
+- uefi_call_wrapper(BS->Stall, 1, 3 * 1000 * 1000);
+- return err;
++ return log_error_status_stall(err, L"Execution of embedded linux image failed: %r", err);
+ }
+diff --git a/src/boot/efi/util.c b/src/boot/efi/util.c
+index 6f4e5933d3..aee076060b 100644
+--- a/src/boot/efi/util.c
++++ b/src/boot/efi/util.c
+@@ -411,8 +411,21 @@ EFI_STATUS file_read(EFI_FILE_HANDLE dir, const CHAR16 *name, UINTN off, UINTN s
+ return err;
+ }
+
++VOID log_error_stall(const CHAR16 *fmt, ...) {
++ va_list args;
++
++ uefi_call_wrapper(ST->ConOut->SetAttribute, 2, ST->ConOut, EFI_LIGHTRED|EFI_BACKGROUND_BLACK);
++
++ Print(L"\n");
++ va_start(args, fmt);
++ VPrint(fmt, args);
++ va_end(args);
++ Print(L"\n");
++
++ uefi_call_wrapper(BS->Stall, 1, 3 * 1000 * 1000);
++}
++
+ EFI_STATUS log_oom(void) {
+- Print(L"Out of memory.");
+- (void) uefi_call_wrapper(BS->Stall, 1, 3 * 1000 * 1000);
++ log_error_stall(L"Out of memory.");
+ return EFI_OUT_OF_RESOURCES;
+ }
+diff --git a/src/boot/efi/util.h b/src/boot/efi/util.h
+index 1a42b01033..d3bf848a95 100644
+--- a/src/boot/efi/util.h
++++ b/src/boot/efi/util.h
+@@ -74,4 +74,13 @@ static inline void FileHandleClosep(EFI_FILE_HANDLE *handle) {
+ #define UINT64_MAX ((UINT64) -1)
+ #endif
+
++VOID log_error_stall(const CHAR16 *fmt, ...);
+ EFI_STATUS log_oom(void);
++
++/* This works just like log_error_errno() from userspace, but requires you
++ * to provide err a second time if you want to use %r in the message! */
++#define log_error_status_stall(err, fmt, ...) \
++ ({ \
++ log_error_stall(fmt, ##__VA_ARGS__); \
++ err; \
++ })
+--
+2.33.0
+
diff --git a/backport-sd-bus-allow-numerical-uids-in-M-user-.host.patch b/backport-sd-bus-allow-numerical-uids-in-M-user-.host.patch
new file mode 100644
index 0000000000000000000000000000000000000000..526768d07d0ea0033b4ebfb9401fe054d19385f9
--- /dev/null
+++ b/backport-sd-bus-allow-numerical-uids-in-M-user-.host.patch
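Review bot: log_error_stall() in util.c switches the console to `EFI_LIGHTRED|EFI_BACKGROUND_BLACK` and never puts the previous attribute back, so output printed after the first error keeps that colour unless the caller sets its own. Saving and restoring it keeps the helper self-contained: `INT32 attr = ST->ConOut->Mode->Attribute;` before the SetAttribute call and `uefi_call_wrapper(ST->ConOut->SetAttribute, 2, ST->ConOut, attr);` after the stall. Two smaller points in the same patch: the SHA256 self-check failure in validate_sha256() now stalls 3 s where it stalled 120 s before, and `log_error_status_stall(EFI_LOAD_ERROR, L"Unable to open root directory.", EFI_LOAD_ERROR)` in efi_main() passes an argument the format string never uses.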
@@ -0,0 +1,75 @@
+From 93597655ac3b1ecc8411e6b1249ab6ce631e87e2 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?=
+Date: Wed, 7 Jul 2021 18:02:50 +0200
+Subject: [PATCH] sd-bus: allow numerical uids in -M user@.host
+
+UIDs don't work well over ssh, but locally or with containers they are OK.
+In particular, user@.service uses UIDs as identifiers, and it's nice to be
+able to copy&paste that UID for interaction with the user's managers.
+
+(cherry picked from commit 2da7d0bc92e2423a5c7225c5d24b99d5d52a0bc6)
+
+Conflict:NA
+Reference:https://github.com/systemd/systemd/commit/93597655ac3b1ecc8411e6b1249ab6ce631e87e2
+---
+ src/libsystemd/sd-bus/sd-bus.c | 27 ++++++++++++++++++---------
+ 1 file changed, 18 insertions(+), 9 deletions(-)
+
+diff --git a/src/libsystemd/sd-bus/sd-bus.c b/src/libsystemd/sd-bus/sd-bus.c
+index ab8d4e4a60..e85a409871 100644
+--- a/src/libsystemd/sd-bus/sd-bus.c
++++ b/src/libsystemd/sd-bus/sd-bus.c
+@@ -39,6 +39,7 @@
+ #include "parse-util.h"
+ #include "path-util.h"
+ #include "process-util.h"
++#include "stdio-util.h"
+ #include "string-util.h"
+ #include "strv.h"
+ #include "user-util.h"
+@@ -1616,7 +1617,7 @@ static int user_and_machine_valid(const char *user_and_machine) {
+ if (!user)
+ return -ENOMEM;
+
+- if (!isempty(user) && !valid_user_group_name(user, VALID_USER_RELAX))
++ if (!isempty(user) && !valid_user_group_name(user, VALID_USER_RELAX | VALID_USER_ALLOW_NUMERIC))
+ return false;
+
+ h++;
+@@ -1647,17 +1648,25 @@ static int user_and_machine_equivalent(const char *user_and_machine) {
+
+ /* Otherwise, if we are root, then we can also allow the ".host" syntax, as that's the user this
+ * would connect to. */
+- if (geteuid() == 0 && STR_IN_SET(user_and_machine, ".host", "root@.host"))
++ uid_t uid = geteuid();
++
++ if (uid == 0 && STR_IN_SET(user_and_machine, ".host", "root@.host", "0@.host"))
+ return true;
+
+- /* Otherwise, we have to figure our user name, and compare things with that. */
+- un = getusername_malloc();
+- if (!un)
+- return -ENOMEM;
++ /* Otherwise, we have to figure out our user id and name, and compare things with that. */
++ char buf[DECIMAL_STR_MAX(uid_t)];
++ xsprintf(buf, UID_FMT, uid);
++
++ f = startswith(user_and_machine, buf);
++ if (!f) {
++ un = getusername_malloc();
++ if (!un)
++ return -ENOMEM;
+
+- f = startswith(user_and_machine, un);
+- if (!f)
+- return false;
++ f = startswith(user_and_machine, un);
++ if (!f)
++ return false;
++ }
+
+ return STR_IN_SET(f, "@", "@.host");
+ }
+--
+2.33.0
+
diff --git a/backport-sd-bus-fix-buffer-overflow.patch b/backport-sd-bus-fix-buffer-overflow.patch
new file mode 100644
index 0000000000000000000000000000000000000000..d08ebc26d76c5aee7a80a65da7c5c080494cc930
--- /dev/null
+++ b/backport-sd-bus-fix-buffer-overflow.patch
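Review bot: In `user_and_machine_equivalent()` the user-name comparison is skipped whenever the decimal UID is merely a prefix of the argument, because `startswith(user_and_machine, buf)` returns non-NULL and the code goes straight to `STR_IN_SET(f, "@", "@.host")`. For an account whose name begins with the same digits as its UID the function now answers `false` where the old name-only comparison answered `true`; that is presumably the cautious direction, but it is a behaviour change the commit message does not mention. Accepting the UID match only when it is followed by `@` keeps both paths exact: `if (!f || f[0] != '@') {` in place of `if (!f) {`. The declarations of `f` and `un` and the start of the function are outside the hunk.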
@@ -0,0 +1,126 @@ +From 1a4f4051c3f41b7750dbc904bb4768413bc8bd58 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Fri, 27 May 2022 04:23:10 +0900 +Subject: [PATCH] sd-bus: fix buffer overflow + +Fixes #23486. + +(cherry picked from commit 89b6a3f13e5f3b8a375dc82cb2a1c2c204a5067e) +(cherry picked from commit a5c4e29b2ca83b0956ea4635e1db7b02ae007d55) +(cherry picked from commit a5b0338e896338774226a3bd8a56f63555c7b9ce) + +Conflict:NA +Reference:https://github.com/systemd/systemd-stable/commit/1a4f4051c3f41b7750dbc904bb4768413bc8bd58 +--- + src/libsystemd/sd-bus/bus-message.c | 30 ++++++++++++++---- + test/fuzz/fuzz-bus-message/issue-23486-case-1 | Bin 0 -> 32 bytes + test/fuzz/fuzz-bus-message/issue-23486-case-2 | Bin 0 -> 16 bytes + test/fuzz/fuzz-bus-message/issue-23486-case-3 | Bin 0 -> 16 bytes + 4 files changed, 23 insertions(+), 7 deletions(-) + create mode 100644 test/fuzz/fuzz-bus-message/issue-23486-case-1 + create mode 100644 test/fuzz/fuzz-bus-message/issue-23486-case-2 + create mode 100644 test/fuzz/fuzz-bus-message/issue-23486-case-3 + +diff --git a/src/libsystemd/sd-bus/bus-message.c b/src/libsystemd/sd-bus/bus-message.c +index 20f7396c74..d74a351e29 100644 +--- a/src/libsystemd/sd-bus/bus-message.c ++++ b/src/libsystemd/sd-bus/bus-message.c +@@ -428,7 +428,7 @@ int bus_message_from_header( + + _cleanup_free_ sd_bus_message *m = NULL; + struct bus_header *h; +- size_t a, label_sz; ++ size_t a, label_sz = 0; /* avoid false maybe-uninitialized warning */ + + assert(bus); + assert(header || header_accessible <= 0); +@@ -506,7 +506,10 @@ int bus_message_from_header( + m->fields_size = BUS_MESSAGE_BSWAP32(m, h->dbus1.fields_size); + m->body_size = BUS_MESSAGE_BSWAP32(m, h->dbus1.body_size); + +- if (sizeof(struct bus_header) + ALIGN8(m->fields_size) + m->body_size != message_size) ++ assert(message_size >= sizeof(struct bus_header)); ++ if (m->fields_size > message_size - sizeof(struct bus_header) || ++ ALIGN8(m->fields_size) > message_size - sizeof(struct 
bus_header) || ++ m->body_size != message_size - sizeof(struct bus_header) - ALIGN8(m->fields_size)) + return -EBADMSG; + } + +@@ -3062,15 +3065,21 @@ void bus_body_part_unmap(struct bus_body_part *part) { + return; + } + +-static int buffer_peek(const void *p, uint32_t sz, size_t *rindex, size_t align, size_t nbytes, void **r) { ++static int buffer_peek(const void *p, size_t sz, size_t *rindex, size_t align, size_t nbytes, void **r) { + size_t k, start, end; + + assert(rindex); + assert(align > 0); + +- start = ALIGN_TO((size_t) *rindex, align); +- end = start + nbytes; ++ start = ALIGN_TO(*rindex, align); ++ if (start > sz) ++ return -EBADMSG; ++ ++ /* Avoid overflow below */ ++ if (nbytes > SIZE_MAX - start) ++ return -EBADMSG; + ++ end = start + nbytes; + if (end > sz) + return -EBADMSG; + +@@ -3273,10 +3282,17 @@ static int message_peek_body( + assert(rindex); + assert(align > 0); + +- start = ALIGN_TO((size_t) *rindex, align); ++ start = ALIGN_TO(*rindex, align); ++ if (start > m->user_body_size) ++ return -EBADMSG; ++ + padding = start - *rindex; +- end = start + nbytes; + ++ /* Avoid overflow below */ ++ if (nbytes > SIZE_MAX - start) ++ return -EBADMSG; ++ ++ end = start + nbytes; + if (end > m->user_body_size) + return -EBADMSG; + +diff --git a/test/fuzz/fuzz-bus-message/issue-23486-case-1 b/test/fuzz/fuzz-bus-message/issue-23486-case-1 +new file mode 100644 +index 0000000000000000000000000000000000000000..fe8338b42ba6af6c080aa92aa619e05a6e6e1cc8 +GIT binary patch +literal 32 +gcmd1dVrFCj0xbpQd;uUW! +Date: Wed, 21 Jul 2021 11:10:36 +0200 +Subject: [PATCH] sd-bus: fix missing initializer in SD_BUS_VTABLE_END (#20253) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +When two fields were added to the vtable.x.start struct, no initializers +for these were added to SD_BUS_VTABLE_END which also (ab)used that +struct (albeit sneakily by using non-designated initialization). 
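Review bot: The rewritten size check in `bus_message_from_header()` computes `message_size - sizeof(struct bus_header)` three times and depends on `assert(message_size >= sizeof(struct bus_header))` to keep that unsigned subtraction from wrapping. The commit adds fuzzer inputs, so `message_size` is presumably attacker-influenced; the guarantee should therefore come from a runtime test that returns `-EBADMSG`, since an assertion either aborts the process or, if assertions are compiled out, leaves the subtraction unguarded. The earlier part of the function is outside the hunk, so confirm such a test exists there and record it next to the assert, e.g. `/* message_size was already checked against sizeof(struct bus_header) above */`. In `buffer_peek()` and `message_peek_body()` the new guard covers `start + nbytes`, while `ALIGN_TO(*rindex, align)` is still evaluated unchecked; whether it can wrap for a very large `*rindex` depends on the macro, which is not shown here.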
+ +While C tolerates this, C++ prohibits these missing initializers, and +both g++ and clang++ will complain when using -Wextra. + +This patch gives SD_BUS_VTABLE_END its own case in the union and +clarifies its initialization. + +I tested the behaviour of g++ 10.2 and clang 11 in various cases. Both will warn +(-Wmissing-field-initializers, implied by -Wextra) if you provide initializers for some +but not all fields of a struct. Declaring x.end as empty struct or using an empty initializer +{} to initialize the union or one of its members is valid C++ but not C, although both gcc +and clang accept it without warning (even at -Wall -Wextra -std=c90/c++11) unless you +use -pedantic (which requires -std=c99/c++2a to support designated initializers). + +Interestingly, .x = { .start = { 0, 0, NULL } } is the only initializer I found for the union +(among candidates for SD_BUS_VTABLE_END) where gcc doesn't zero-fill it entirely +when allocated on stack, it looked like it did in all other cases (I only examined this on +32-bit arm). clang always seems to initialize all bytes of the union. + +[zjs: test case: +$ cat vtable-test.cc +#include "sd-bus.h" + +const sd_bus_vtable vtable[] = { + SD_BUS_VTABLE_END +}; + +$ g++ -I src/systemd/ -Wall -Wmissing-field-initializers -c vtable-test.cc +vtable-test.cc:5:1: warning: missing initializer for member ‘sd_bus_vtable::::::features’ [-Wmissing-field-initializers] + 5 | }; + | ^ +vtable-test.cc:5:1: warning: missing initializer for member ‘sd_bus_vtable::::::vtable_format_reference’ [-Wmissing-field-initializers] + +$ clang++ -I src/systemd/ -Wmissing-field-initializers -c vtable-test.cc +vtable-test.cc:4:4: warning: missing field 'features' initializer [-Wmissing-field-initializers] + SD_BUS_VTABLE_END + ^ +src/systemd/sd-bus-vtable.h:188:28: note: expanded from macro 'SD_BUS_VTABLE_END' + .x = { { 0 } }, \ + ^ +1 warning generated. + +Both warnings are gone with the patch.] 
+ +(cherry picked from commit 654eaa403070d3c897454a5190603fda4071c3ff) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/cdaf655f73bb3be10d47ab6f00d71a8d0b1a81e3 +--- + src/systemd/sd-bus-vtable.h | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/src/systemd/sd-bus-vtable.h b/src/systemd/sd-bus-vtable.h +index 75f8848360..35c942b16c 100644 +--- a/src/systemd/sd-bus-vtable.h ++++ b/src/systemd/sd-bus-vtable.h +@@ -75,6 +75,9 @@ struct sd_bus_vtable { + uint64_t features; + const unsigned *vtable_format_reference; + } start; ++ struct { ++ size_t reserved; ++ } end; + struct { + const char *member; + const char *signature; +@@ -185,7 +188,11 @@ struct sd_bus_vtable { + { \ + .type = _SD_BUS_VTABLE_END, \ + .flags = 0, \ +- .x = { { 0 } }, \ ++ .x = { \ ++ .end = { \ ++ .reserved = 0, \ ++ }, \ ++ }, \ + } + + #define _SD_ECHO(X) X +-- +2.33.0 + diff --git a/backport-sd-bus-print-debugging-information-if-bus_container_.patch b/backport-sd-bus-print-debugging-information-if-bus_container_.patch new file mode 100644 index 0000000000000000000000000000000000000000..2c046d95a0425451400942a673cf0ee08fdd8cbf --- /dev/null +++ b/backport-sd-bus-print-debugging-information-if-bus_container_.patch 
@@ -0,0 +1,80 @@
+From 4358cbc8076352e7946956f5d71bf7c80d7f2e43 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?=
+Date: Wed, 7 Jul 2021 18:01:03 +0200
+Subject: [PATCH] sd-bus: print debugging information if
+ bus_container_connect_socket() fails
+
+We would return the errno, but there are many steps, and without some
+debugging info it's hard to figure out what exactly failed.
+
+(cherry picked from commit 0c201ca945c64e97ba4961ded13ce38a63200468)
+
+Conflict:NA
+Reference:https://github.com/systemd/systemd/commit/4358cbc8076352e7946956f5d71bf7c80d7f2e43
+---
+ src/libsystemd/sd-bus/bus-container.c | 18 ++++++++++--------
+ 1 file changed, 10 insertions(+), 8 deletions(-)
+
+diff --git a/src/libsystemd/sd-bus/bus-container.c b/src/libsystemd/sd-bus/bus-container.c
+index b11ebb3f65..1159af46cd 100644
+--- a/src/libsystemd/sd-bus/bus-container.c
++++ b/src/libsystemd/sd-bus/bus-container.c
+@@ -37,11 +37,11 @@ int bus_container_connect_socket(sd_bus *b) {
+
+ r = namespace_open(b->nspid, &pidnsfd, &mntnsfd, NULL, &usernsfd, &rootfd);
+ if (r < 0)
+- return r;
++ return log_debug_errno(r, "Failed to open namespace of PID "PID_FMT": %m", b->nspid);
+
+ b->input_fd = socket(b->sockaddr.sa.sa_family, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0);
+ if (b->input_fd < 0)
+- return -errno;
++ return log_debug_errno(errno, "Failed to create a socket: %m");
+
+ b->input_fd = fd_move_above_stdio(b->input_fd);
+
+@@ -50,12 +50,12 @@ int bus_container_connect_socket(sd_bus *b) {
+ bus_socket_setup(b);
+
+ if (socketpair(AF_UNIX, SOCK_SEQPACKET|SOCK_CLOEXEC, 0, pair) < 0)
+- return -errno;
++ return log_debug_errno(errno, "Failed to create a socket pair: %m");
+
+ r = namespace_fork("(sd-buscntrns)", "(sd-buscntr)", NULL, 0, FORK_RESET_SIGNALS|FORK_DEATHSIG,
+ pidnsfd, mntnsfd, -1, usernsfd, rootfd, &child);
+ if (r < 0)
+- return r;
++ return log_debug_errno(r, "Failed to create namespace for (sd-buscntr): %m");
+ if (r == 0) {
+ pair[0] = safe_close(pair[0]);
+
+@@ -80,20 +80,22 @@ int bus_container_connect_socket(sd_bus *b) {
+
+ n = read(pair[0], &error_buf, sizeof(error_buf));
+ if (n < 0)
+- return -errno;
++ return log_debug_errno(errno, "Failed to read error status from (sd-buscntr): %m");
+
+ if (n > 0) {
+ if (n != sizeof(error_buf))
+- return -EIO;
++ return log_debug_errno(SYNTHETIC_ERRNO(EIO),
++ "Read error status of unexpected length %zd from (sd-buscntr): %m", n);
+
+ if (error_buf < 0)
+- return -EIO;
++ return log_debug_errno(SYNTHETIC_ERRNO(EBADMSG),
++ "Got unexpected error status from (sd-buscntr): %m");
+
+ if (error_buf == EINPROGRESS)
+ return 1;
+
+ if (error_buf > 0)
+- return -error_buf;
++ return log_debug_errno(error_buf, "Got error from (sd-buscntr): %m");
+ }
+
+ return bus_socket_start_auth(b);
+--
+2.33.0
+
diff --git a/backport-sd-bus-print-quoted-commandline-when-in-bus_socket_e.patch b/backport-sd-bus-print-quoted-commandline-when-in-bus_socket_e.patch
new file mode 100644
index 0000000000000000000000000000000000000000..333e9e31e8ced539d912f919c204fce5893c900c
--- /dev/null
+++ b/backport-sd-bus-print-quoted-commandline-when-in-bus_socket_e.patch
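Review bot: The `error_buf < 0` branch of `bus_container_connect_socket()` now returns `-EBADMSG` where it returned `-EIO` before, so a commit described as adding debug output also changes an error code that callers can observe. If the new code is intended it belongs in the commit message; if not, `log_debug_errno(SYNTHETIC_ERRNO(EIO), "Got unexpected error status from (sd-buscntr): %m")` keeps the previous contract. The other converted returns preserve their values as far as the hunk shows.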
@@ -0,0 +1,69 @@
+From a221143c6de4917bb6653f5aa134ce8be3c90f6c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?=
+Date: Wed, 7 Jul 2021 16:36:49 +0200
+Subject: [PATCH] sd-bus: print quoted commandline when in bus_socket_exec()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The arguments are where the interesting part is:
+src/libsystemd/sd-bus/bus-socket.c:965: sd-bus: starting bus with systemd-run...
+↓
+src/libsystemd/sd-bus/bus-socket.c:972: sd-bus: starting bus with systemd-run -M.host -PGq --wait -pUser=1000 -pPAMName=login systemd-stdio-bridge "-punix:path=\${XDG_RUNTIME_DIR}/bus"
+
+(cherry picked from commit 87fa2e21dd7a30d25ccda2df6b8446a82637b059)
+
+Conflict:NA
+Reference:https://github.com/systemd/systemd/commit/a221143c6de4917bb6653f5aa134ce8be3c90f6c
+---
+ src/libsystemd/sd-bus/bus-socket.c | 20 ++++++++++++++------
+ 1 file changed, 14 insertions(+), 6 deletions(-)
+
+diff --git a/src/libsystemd/sd-bus/bus-socket.c b/src/libsystemd/sd-bus/bus-socket.c
+index 09eb49c37f..42c5f175d3 100644
+--- a/src/libsystemd/sd-bus/bus-socket.c
++++ b/src/libsystemd/sd-bus/bus-socket.c
+@@ -12,6 +12,7 @@
+ #include "bus-internal.h"
+ #include "bus-message.h"
+ #include "bus-socket.h"
++#include "escape.h"
+ #include "fd-util.h"
+ #include "format-util.h"
+ #include "fs-util.h"
+@@ -962,8 +963,17 @@ int bus_socket_exec(sd_bus *b) {
+ assert(b->exec_path);
+ assert(b->busexec_pid == 0);
+
+- log_debug("sd-bus: starting bus%s%s with %s...",
+- b->description ? " " : "", strempty(b->description), b->exec_path);
++ if (DEBUG_LOGGING) {
++ _cleanup_free_ char *line = NULL;
++
++ if (b->exec_argv)
++ line = quote_command_line(b->exec_argv);
++
++ log_debug("sd-bus: starting bus%s%s with %s%s",
++ b->description ? " " : "", strempty(b->description),
++ line ?: b->exec_path,
++ b->exec_argv && !line ? "…" : "");
++ }
+
+ r = socketpair(AF_UNIX, SOCK_STREAM|SOCK_NONBLOCK|SOCK_CLOEXEC, 0, s);
+ if (r < 0)
+@@ -984,10 +994,8 @@ int bus_socket_exec(sd_bus *b) {
+
+ if (b->exec_argv)
+ execvp(b->exec_path, b->exec_argv);
+- else {
+- const char *argv[] = { b->exec_path, NULL };
+- execvp(b->exec_path, (char**) argv);
+- }
++ else
++ execvp(b->exec_path, STRV_MAKE(b->exec_path));
+
+ _exit(EXIT_FAILURE);
+ }
+--
+2.33.0
+
diff --git a/backport-sd-device-introduce-device_has_devlink.patch b/backport-sd-device-introduce-device_has_devlink.patch
new file mode 100644
index 0000000000000000000000000000000000000000..147314c2c7eff9d890a780e75aa8c52fe629eaa1
--- /dev/null
+++ b/backport-sd-device-introduce-device_has_devlink.patch
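Review bot: With debug logging enabled, `bus_socket_exec()` now writes every element of `b->exec_argv` to the log through `quote_command_line()`, where it previously logged only `b->exec_path`. Where `exec_argv` is filled in is outside the hunk; if a caller can place user names, addresses or anything credential-like in it, those values now reach the debug log, and nothing at the call says so. A comment above the new block would make the expectation explicit, e.g. `/* Logs the complete argv at debug level; exec_argv must not carry secrets. */`. The fallback to `b->exec_path` plus `"…"` when `quote_command_line()` returns NULL is handled in the hunk.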
@@ -0,0 +1,47 @@
+From 8ada2c1b5922110d961aa82e6d712f6eed696afe Mon Sep 17 00:00:00 2001
+From: Yu Watanabe
+Date: Wed, 1 Sep 2021 09:22:15 +0900
+Subject: [PATCH] sd-device: introduce device_has_devlink()
+
+(cherry picked from commit b881ce16b9ccae4c3089c82e2ea1781cd9773a4f)
+
+Conflict:NA
+Reference:https://github.com/systemd/systemd-stable/commit/8ada2c1b5922110d961aa82e6d712f6eed696afe
+---
+ src/libsystemd/sd-device/device-private.h | 1 +
+ src/libsystemd/sd-device/sd-device.c | 7 +++++++
+ 2 files changed, 8 insertions(+)
+
+diff --git a/src/libsystemd/sd-device/device-private.h b/src/libsystemd/sd-device/device-private.h
+index fe268d7f2f..9bb5eff208 100644
+--- a/src/libsystemd/sd-device/device-private.h
++++ b/src/libsystemd/sd-device/device-private.h
+@@ -32,6 +32,7 @@ void device_set_db_persist(sd_device *device);
+ void device_set_devlink_priority(sd_device *device, int priority);
+ int device_ensure_usec_initialized(sd_device *device, sd_device *device_old);
+ int device_add_devlink(sd_device *device, const char *devlink);
++bool device_has_devlink(sd_device *device, const char *devlink);
+ int device_add_property(sd_device *device, const char *property, const char *value);
+ int device_add_tag(sd_device *device, const char *tag, bool both);
+ void device_remove_tag(sd_device *device, const char *tag);
+diff --git a/src/libsystemd/sd-device/sd-device.c b/src/libsystemd/sd-device/sd-device.c
+index 3f2cce5bba..418a5b10bd 100644
+--- a/src/libsystemd/sd-device/sd-device.c
++++ b/src/libsystemd/sd-device/sd-device.c
+@@ -1195,6 +1195,13 @@ int device_add_devlink(sd_device *device, const char *devlink) {
+ return 0;
+ }
+
++bool device_has_devlink(sd_device *device, const char *devlink) {
++ assert(device);
++ assert(devlink);
++
++ return set_contains(device->devlinks, devlink);
++}
++
+ static int device_add_property_internal_from_string(sd_device *device, const char *str) {
+ _cleanup_free_ char *key = NULL;
+ char *value;
+--
+2.33.0
+
diff --git a/backport-sd-device-monitor-update-log-message-to-clarify-the-.patch b/backport-sd-device-monitor-update-log-message-to-clarify-the-.patch
new file mode 100644
index 0000000000000000000000000000000000000000..c07f7387d8aaba9ee9129acb6f720168d3034493
--- /dev/null
+++ b/backport-sd-device-monitor-update-log-message-to-clarify-the-.patch
@@ -0,0 +1,42 @@
+From 82b2135bf0512c11f7f21f9d0689e8ea5b4a2529 Mon Sep 17 00:00:00 2001
+From: Yu Watanabe
+Date: Wed, 13 Oct 2021 12:57:40 +0900
+Subject: [PATCH] sd-device-monitor: update log message to clarify the error
+ will be ignored
+
+(cherry picked from commit 6b652c03a47aa28898dffd408543c06670e3450d)
+
+Conflict:NA
+Reference:https://github.com/systemd/systemd/commit/82b2135bf0512c11f7f21f9d0689e8ea5b4a2529
+---
+ src/libsystemd/sd-device/device-monitor.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/libsystemd/sd-device/device-monitor.c b/src/libsystemd/sd-device/device-monitor.c
+index b485e3e2b6..2cb35951de 100644
+--- a/src/libsystemd/sd-device/device-monitor.c
++++ b/src/libsystemd/sd-device/device-monitor.c
+@@ -178,7 +178,7 @@ int device_monitor_new_full(sd_device_monitor **ret, MonitorNetlinkGroup group,
+
+ netns = ioctl(m->sock, SIOCGSKNS);
+ if (netns < 0)
+- log_debug_errno(errno, "sd-device-monitor: Unable to get network namespace of udev netlink socket, unable to determine if we are in host netns: %m");
++ log_debug_errno(errno, "sd-device-monitor: Unable to get network namespace of udev netlink socket, unable to determine if we are in host netns, ignoring: %m");
+ else {
+ struct stat a, b;
+
+@@ -191,9 +191,9 @@ int device_monitor_new_full(sd_device_monitor **ret, MonitorNetlinkGroup group,
+ if (ERRNO_IS_PRIVILEGE(errno))
+ /* If we can't access PID1's netns info due to permissions, it's fine, this is a
+ * safety check only after all. */
+- log_debug_errno(errno, "sd-device-monitor: No permission to stat PID1's netns, unable to determine if we are in host netns: %m");
++ log_debug_errno(errno, "sd-device-monitor: No permission to stat PID1's netns, unable to determine if we are in host netns, ignoring: %m");
+ else
+- log_debug_errno(errno, "sd-device-monitor: Failed to stat PID1's netns: %m");
++ log_debug_errno(errno, "sd-device-monitor: Failed to stat PID1's netns, ignoring: %m");
+
+ } else if (a.st_dev != b.st_dev || a.st_ino != b.st_ino)
+ log_debug("sd-device-monitor: Netlink socket we listen on is not from host netns, we won't see device events.");
+--
+2.33.0
+
diff --git a/backport-sd-device-silence-gcc-warning-with-newest-gcc.patch b/backport-sd-device-silence-gcc-warning-with-newest-gcc.patch
new file mode 100644
index 0000000000000000000000000000000000000000..6aef517e4cb5a3b3d777e5b1e72686692aaacfc4
--- /dev/null
+++ b/backport-sd-device-silence-gcc-warning-with-newest-gcc.patch
@@ -0,0 +1,30 @@
+From e05023045edd4a0e20b60e81f9fa54f08636d660 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?=
+Date: Sat, 15 Jan 2022 13:38:30 +0100
+Subject: [PATCH] sd-device: silence gcc warning with newest gcc
+
+(cherry picked from commit 376ee2c312b87951028a0adff96b1052f32475fa)
+(cherry picked from commit 18aff8c85720606e05826045b6799d19a7dcf08a)
+
+Conflict:NA
+Reference:https://github.com/systemd/systemd/commit/e05023045edd4a0e20b60e81f9fa54f08636d660
+---
+ src/libsystemd/sd-device/sd-device.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/libsystemd/sd-device/sd-device.c b/src/libsystemd/sd-device/sd-device.c
+index 388128bf33..45261588a8 100644
+--- a/src/libsystemd/sd-device/sd-device.c
++++ b/src/libsystemd/sd-device/sd-device.c
+@@ -1370,7 +1370,7 @@ int device_read_db_internal_filename(sd_device *device, const char *filename) {
+ _cleanup_free_ char *db = NULL;
+ const char *value;
+ size_t db_len;
+- char key;
++ char key = '\0'; /* Unnecessary initialization to appease gcc-12.0.0-0.4.fc36 */
+ int r;
+
+ enum {
+--
+2.33.0
+
diff --git a/backport-sd-dhcp-lease-fix-a-memory-leak-in-dhcp_lease_parse_.patch b/backport-sd-dhcp-lease-fix-a-memory-leak-in-dhcp_lease_parse_.patch
new file mode 100644
index 0000000000000000000000000000000000000000..7c37251bcbc07e8c44fcd1072b13cbe7efbcd871
--- /dev/null
+++ b/backport-sd-dhcp-lease-fix-a-memory-leak-in-dhcp_lease_parse_.patch
@@ -0,0 +1,51 @@
+From aaf7afb05cdbfbec6d06798b698689bdfe1a50ac Mon Sep 17 00:00:00 2001
+From: Evgeny Vereshchagin
+Date: Sat, 29 Jan 2022 03:16:40 +0000
+Subject: [PATCH] sd-dhcp-lease: fix a memory leak in
+ dhcp_lease_parse_search_domains
+
+=================================================================
+==81071==ERROR: LeakSanitizer: detected memory leaks
+
+Direct leak of 16 byte(s) in 1 object(s) allocated from:
+ #0 0x51245c in __interceptor_reallocarray (/home/vagrant/systemd/build/fuzz-dhcp-client+0x51245c)
+ #1 0x7f01440c67e6 in strv_push /home/vagrant/systemd/build/../src/basic/strv.c:435:13
+ #2 0x7f01440ca9e1 in strv_consume /home/vagrant/systemd/build/../src/basic/strv.c:506:13
+ #3 0x7f01440ca9e1 in strv_extend /home/vagrant/systemd/build/../src/basic/strv.c:558:16
+ #4 0x5806e3 in dhcp_lease_parse_search_domains /home/vagrant/systemd/build/../src/libsystemd-network/sd-dhcp-lease.c:900:21
+ #5 0x57c1be in dhcp_lease_parse_options /home/vagrant/systemd/build/../src/libsystemd-network/sd-dhcp-lease.c:727:21
+ #6 0x572450 in parse_options /home/vagrant/systemd/build/../src/libsystemd-network/dhcp-option.c:348:33
+ #7 0x571c6a in dhcp_option_parse /home/vagrant/systemd/build/../src/libsystemd-network/dhcp-option.c:376:13
+ #8 0x559a01 in client_handle_offer /home/vagrant/systemd/build/../src/libsystemd-network/sd-dhcp-client.c:1543:13
+ #9 0x5592bd in LLVMFuzzerTestOneInput /home/vagrant/systemd/build/../src/libsystemd-network/fuzz-dhcp-client.c:74:16
+ #10 0x44a379 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/vagrant/systemd/build/fuzz-dhcp-client+0x44a379)
+ #11 0x42ae1f in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/home/vagrant/systemd/build/fuzz-dhcp-client+0x42ae1f)
+ #12 0x432ade in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/vagrant/systemd/build/fuzz-dhcp-client+0x432ade)
+ #13 0x421f86 in main (/home/vagrant/systemd/build/fuzz-dhcp-client+0x421f86)
+ #14 0x7f0142fff55f in __libc_start_call_main (/lib64/libc.so.6+0x2d55f)
+
+(cherry picked from commit 9591c0a8b3496d0e5cbbfe7c75161ba80089c143)
+(cherry picked from commit 7dc0f80588f371a62a56a75bf27eab2c515becf3)
+
+Conflict:NA
+Reference:https://github.com/systemd/systemd/commit/aaf7afb05cdbfbec6d06798b698689bdfe1a50ac
+---
+ src/libsystemd-network/sd-dhcp-lease.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/libsystemd-network/sd-dhcp-lease.c b/src/libsystemd-network/sd-dhcp-lease.c
+index 75aa0c3d2c..ccfd66caa3 100644
+--- a/src/libsystemd-network/sd-dhcp-lease.c
++++ b/src/libsystemd-network/sd-dhcp-lease.c
+@@ -815,7 +815,7 @@ int dhcp_lease_parse_search_domains(const uint8_t *option, size_t len, char ***d
+ pos = next_chunk;
+ }
+
+- *domains = TAKE_PTR(names);
++ strv_free_and_replace(*domains, names);
+
+ return cnt;
+ }
+--
+2.33.0
+
diff --git a/backport-sd-dhcp-lease-fix-an-infinite-loop-found-by-the-fuzz.patch b/backport-sd-dhcp-lease-fix-an-infinite-loop-found-by-the-fuzz.patch
new file mode 100644
index 0000000000000000000000000000000000000000..8b270d422dab5ad961e5ffb0e076a507066e3fea
--- /dev/null
+++ b/backport-sd-dhcp-lease-fix-an-infinite-loop-found-by-the-fuzz.patch
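Review bot: `strv_free_and_replace(*domains, names)` frees whatever `*domains` held before storing the new list, so `dhcp_lease_parse_search_domains()` now requires every caller to pass a pointer to an initialized `char **` (NULL or an owned strv). With the old `*domains = TAKE_PTR(names)` an uninitialized output variable was harmless; after this change it would be handed to a free. The callers are outside the hunk, so they should be checked, and the precondition stated on the function, e.g. `/* *domains must be NULL or a valid strv; it is freed and replaced on success. */`.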
@@ -0,0 +1,34 @@
+From c95ae2ba0093742292671fd30a63af15f1b63bc6 Mon Sep 17 00:00:00 2001
+From: Evgeny Vereshchagin
+Date: Sat, 29 Jan 2022 02:08:39 +0000
+Subject: [PATCH] sd-dhcp-lease: fix an infinite loop found by the fuzzer
+
+(cherry picked from commit 86b06c666be8b7afb45541d35aa4d0ecb38056d1)
+(cherry picked from commit 426807c54b9500b806eaaf50d32c7c936510706c)
+
+Conflict:NA
+Reference:https://github.com/systemd/systemd/commit/c95ae2ba0093742292671fd30a63af15f1b63bc6
+---
+ src/libsystemd-network/sd-dhcp-lease.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/src/libsystemd-network/sd-dhcp-lease.c b/src/libsystemd-network/sd-dhcp-lease.c
+index 9a0d7f6fea..75aa0c3d2c 100644
+--- a/src/libsystemd-network/sd-dhcp-lease.c
++++ b/src/libsystemd-network/sd-dhcp-lease.c
+@@ -463,10 +463,8 @@ static int lease_parse_routes(
+
+ route->option = SD_DHCP_OPTION_STATIC_ROUTE;
+ r = in4_addr_default_prefixlen((struct in_addr*) option, &route->dst_prefixlen);
+- if (r < 0) {
+- log_debug("Failed to determine destination prefix length from class based IP, ignoring");
+- continue;
+- }
++ if (r < 0)
++ return -EINVAL;
+
+ assert_se(lease_parse_be32(option, 4, &addr.s_addr) >= 0);
+ route->dst_addr = inet_makeaddr(inet_netof(addr), 0);
+--
+2.33.0
+
diff --git a/backport-sd-dhcp-lease-fix-memleak.patch b/backport-sd-dhcp-lease-fix-memleak.patch
new file mode 100644
index 0000000000000000000000000000000000000000..9408663edb18bb4a6f9aee2574ce789cfaf40213
--- /dev/null
+++ b/backport-sd-dhcp-lease-fix-memleak.patch
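Review bot: The rejection in `lease_parse_routes()` is now silent: the `log_debug()` that named the reason was removed together with the `continue`, and the function returns a bare `-EINVAL`. The option bytes presumably come from a DHCP server on the network, so a debug line is what makes a malformed offer diagnosable; `return log_debug_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to determine destination prefix length from class based IP, refusing option");` keeps the return value and the trace. How the caller treats the error, dropping the one option or the whole lease, is outside the hunk, as is the loop this statement sits in.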
@@ -0,0 +1,64 @@
+From e2b7a7e3d285180ef04087cd5f821b42cb128c31 Mon Sep 17 00:00:00 2001
+From: Yu Watanabe
+Date: Mon, 31 Jan 2022 05:19:09 +0900
+Subject: [PATCH] sd-dhcp-lease: fix memleak
+
+Fixes https://github.com/systemd/systemd/pull/22294#issuecomment-1024840811.
+
+(cherry picked from commit 06cf04dff4dd6c69e527913ad137616c23861270)
+(cherry picked from commit ae95ca27bee2bef5bf53002873a254f1a0fe8b81)
+
+Conflict:NA
+Reference:https://github.com/systemd/systemd/commit/e2b7a7e3d285180ef04087cd5f821b42cb128c31
+---
+ src/libsystemd-network/sd-dhcp-lease.c | 20 ++++++++++++++++++--
+ 1 file changed, 18 insertions(+), 2 deletions(-)
+
+diff --git a/src/libsystemd-network/sd-dhcp-lease.c b/src/libsystemd-network/sd-dhcp-lease.c
+index ccfd66caa3..421ca6f306 100644
+--- a/src/libsystemd-network/sd-dhcp-lease.c
++++ b/src/libsystemd-network/sd-dhcp-lease.c
+@@ -1024,6 +1024,18 @@ int dhcp_lease_save(sd_dhcp_lease *lease, const char *lease_file) {
+ return 0;
+ }
+
++static char **private_options_free(char **options) {
++ if (!options)
++ return NULL;
++
++ for (unsigned i = 0; i < SD_DHCP_OPTION_PRIVATE_LAST - SD_DHCP_OPTION_PRIVATE_BASE + 1; i++)
++ free(options[i]);
++
++ return mfree(options);
++}
++
++DEFINE_TRIVIAL_CLEANUP_FUNC(char**, private_options_free);
++
+ int dhcp_lease_load(sd_dhcp_lease **ret, const char *lease_file) {
+ _cleanup_(sd_dhcp_lease_unrefp) sd_dhcp_lease *lease = NULL;
+ _cleanup_free_ char
+@@ -1046,8 +1058,8 @@ int dhcp_lease_load(sd_dhcp_lease **ret, const char *lease_file) {
+ *vendor_specific_hex = NULL,
+ *lifetime = NULL,
+ *t1 = NULL,
+- *t2 = NULL,
+- *options[SD_DHCP_OPTION_PRIVATE_LAST - SD_DHCP_OPTION_PRIVATE_BASE + 1] = {};
++ *t2 = NULL;
++ _cleanup_(private_options_freep) char **options = NULL;
+
+ int r, i;
+
+@@ -1058,6 +1070,10 @@ int dhcp_lease_load(sd_dhcp_lease **ret, const char *lease_file) {
+ if (r < 0)
+ return r;
+
++ options = new0(char*, SD_DHCP_OPTION_PRIVATE_LAST - SD_DHCP_OPTION_PRIVATE_BASE + 1);
++ if (!options)
++ return -ENOMEM;
++
+ r = parse_env_file(NULL, lease_file,
+ "ADDRESS", &address,
+ "ROUTER", &router,
+--
+2.33.0
+
diff --git a/backport-sd-dhcp-server-fix-possible-double-free-or-use-after.patch b/backport-sd-dhcp-server-fix-possible-double-free-or-use-after.patch
new file mode 100644
index 0000000000000000000000000000000000000000..37921e05d054751c2d912c28408cfe3c31a2a794
--- /dev/null
+++ b/backport-sd-dhcp-server-fix-possible-double-free-or-use-after.patch
@@ -0,0 +1,29 @@
+From bb320989bf7580f46a4867c361be1ee02eccc678 Mon Sep 17 00:00:00 2001
+From: Yu Watanabe
+Date: Wed, 11 Aug 2021 16:20:35 +0900
+Subject: [PATCH] sd-dhcp-server: fix possible double-free or use-after-free
+
+(cherry picked from commit 3dc8fb0eb8dd4b7dd802aa69cfe5b2c8f760f561)
+
+Conflict:NA
+Reference:https://github.com/systemd/systemd/commit/bb320989bf7580f46a4867c361be1ee02eccc678
+---
+ src/libsystemd-network/sd-dhcp-server.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/libsystemd-network/sd-dhcp-server.c b/src/libsystemd-network/sd-dhcp-server.c
+index e2ea79f584..9ae884b0fc 100644
+--- a/src/libsystemd-network/sd-dhcp-server.c
++++ b/src/libsystemd-network/sd-dhcp-server.c
+@@ -1107,7 +1107,7 @@ int dhcp_server_handle_message(sd_dhcp_server *server, DHCPMessage *message, siz
+
+ if (server->bound_leases[pool_offset] == existing_lease) {
+ server->bound_leases[pool_offset] = NULL;
+- hashmap_remove(server->leases_by_client_id, existing_lease);
++ hashmap_remove(server->leases_by_client_id, &existing_lease->client_id);
+ dhcp_lease_free(existing_lease);
+
+ if (server->callback)
+--
+2.33.0
+
diff --git a/backport-sd-dhcp-server-refuse-too-large-packet-to-send.patch b/backport-sd-dhcp-server-refuse-too-large-packet-to-send.patch
new file mode 100644
index 0000000000000000000000000000000000000000..a11eccdbb29d653e46260686381d51dafd9cfb10
--- /dev/null
+++ b/backport-sd-dhcp-server-refuse-too-large-packet-to-send.patch
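Review bot: The element count `SD_DHCP_OPTION_PRIVATE_LAST - SD_DHCP_OPTION_PRIVATE_BASE + 1` is now spelled out in two places that must agree, the loop bound in `private_options_free()` and the `new0()` call in `dhcp_lease_load()`. If one is changed without the other, the cleanup either leaks entries or reads past the allocation. A single named constant used by both removes that coupling, e.g. `#define PRIVATE_OPTIONS_COUNT (SD_DHCP_OPTION_PRIVATE_LAST - SD_DHCP_OPTION_PRIVATE_BASE + 1)` (the name is only a suggestion). The later uses of `options` in `dhcp_lease_load()` are outside the hunk.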
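Review bot: The result of `hashmap_remove()` in `dhcp_server_handle_message()` is still discarded, so if the lookup by `&existing_lease->client_id` ever misses, `dhcp_lease_free(existing_lease)` runs while the map may keep a pointer to the freed lease, which is the failure this commit fixes. The old call compiled with the lease pointer as key, which suggests the key parameter is untyped and the same slip can recur at another call site. A comment at the call would help the next reader: `/* leases_by_client_id is keyed by &lease->client_id, not by the lease pointer */`. The enclosing function starts and ends outside the hunk.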
@@ -0,0 +1,88 @@ +From 76bcd1d6d26ebe0424e2c5edc7f5a31a82ae3a7c Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Fri, 28 Jan 2022 11:53:49 +0900 +Subject: [PATCH] sd-dhcp-server: refuse too large packet to send + +Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=44134. + +(cherry picked from commit 71df50a9734f7006bc1ac8be59ca81c797b39c35) +(cherry picked from commit 530a18d49361ade6d3f09abb78f8f901753a4cda) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/76bcd1d6d26ebe0424e2c5edc7f5a31a82ae3a7c +--- + src/libsystemd-network/sd-dhcp-server.c | 3 +++ + ...z-dhcp-server-relay-message-4972399731277824 | Bin 0 -> 65508 bytes + 2 files changed, 3 insertions(+) + create mode 100644 test/fuzz/fuzz-dhcp-server-relay-message/clusterfuzz-testcase-minimized-fuzz-dhcp-server-relay-message-4972399731277824 + +diff --git a/src/libsystemd-network/sd-dhcp-server.c b/src/libsystemd-network/sd-dhcp-server.c +index 3f4af8440e..0b3904c02a 100644 +--- a/src/libsystemd-network/sd-dhcp-server.c ++++ b/src/libsystemd-network/sd-dhcp-server.c +@@ -296,6 +296,9 @@ static int dhcp_server_send_unicast_raw(sd_dhcp_server *server, + + memcpy(&link.ll.sll_addr, &packet->dhcp.chaddr, ETH_ALEN); + ++ if (len > UINT16_MAX) ++ return -EOVERFLOW; ++ + dhcp_packet_append_ip_headers(packet, server->address, DHCP_PORT_SERVER, + packet->dhcp.yiaddr, + DHCP_PORT_CLIENT, len, -1); +diff --git a/test/fuzz/fuzz-dhcp-server-relay-message/clusterfuzz-testcase-minimized-fuzz-dhcp-server-relay-message-4972399731277824 b/test/fuzz/fuzz-dhcp-server-relay-message/clusterfuzz-testcase-minimized-fuzz-dhcp-server-relay-message-4972399731277824 +new file mode 100644 +index 0000000000000000000000000000000000000000..e902b6989b419428fa0114c973b148fbe583c871 +GIT binary patch +literal 65508 +zcmeHQO^Xyq7_QnGHe|g?!~_DVcn}G3nRRFO0}pY$Wa3jnmhk?a_5|05v50Z;< +z1A(xFv7AqGrXhzLPhg%F5=s4Qd=bvy4)*Yw9z +zZ$0%^b-mR?(XdwPvQk6J$<0WqDAFTJX*r;pPQLo0xf(^0?8x@Xn?A1uE5-~N`~Nl~ 
+zhtGuH?fz))UzyNS`-2uF0t}NYi=vLRRHC7)k&K;Yz +z5Ai&kd6AE?nV$zJxnc|PGo`*nj-Oq&D@#{5M^dG4&m4&|K2!Qgx7vgvHRjv;6O>OP +zUKu6u`sm=g5t$Yx617$MQ9b$PF0TP{AgERfP$atKe_n^KxF=V`K1)576{ilF@5puC +zUqzev0zUJ7f5_^t62;#O#n6SqfJ487Kt2DI6?y7t&sLu%Kf`1BR?lRv#!%W7m|djw+iBtgIV@ +zAghzr$?9bFfkJ?+PFC-L09l=^K2V%STb-=lfzxQKlhw)U-Lm@RWM#ZMFDmP5j=b>cA*6fKJ?Xv!0;GG=eYbQk6IRLUFCGE1dIwJH&WJxyn-G1L +zQ`uROo&^dv!<8lsm3>o`eSdXoY`ivhU}}1@HZ@V1tWH(NsQraUfZD$)+TV*SgLmmz +zPWczf+ui-vuVF>X!?_nVTm6fgdlI({>;CfAWAD!q9ezz*As)zMDD~dRD=Ly*^>?%R +z{-LHl$HCyE^mLtD$gQU-pOE_Ku0NfF(ti!yTI^EtuK0vtKEIs*mb7GdmX&!Gll-qb +z=a1hlH4zJZ0mhD*s=k45zdAa)pU+=wyrx=I2(?RT2P0ya5}$cf2HUM +zIQk;1iv>bf&qe^8MxVsM>|}Madf^cutE0Mt)5+>N2mm0mI#7U+)eFyQ9DyOL+p0=d +z&qn|N^@r6*v=;r74VTLC^{}^qOXXzZMOOE)a9o|XdL9D(V|5{PxAGrZJ(Hd~C6d)M +z5hAOT)oH7DK!B_c1cGn`Mi>2EAz3}e>Vvc%Y3jC@_2+c}2afE^5MKv-4>)j?i5a^XWOcH72L#CKKp+Thbb{A0EgKv1qzUU8ZcwNHg+4ZTbhZ~w(6F?bSnnn +zv!2P~1iwm^Ge(Np&Z3pAEEAQ;hQIGb0|s11RtE}@ezJNdN3}^Lt7n3akK#)jbr+{1?PH2gbp|IWU|9sOPFA;l4cnFFqGXu}03dct +z1Fw_S$?AnifUHhd?|=XflhuI&gsfh8PNS_(R<~7^wt7AS0Eny(6d+`EvU=eWAgkM| +zn$KyR7yy9C>OcWPRxdoK^<=AGR`1{&YgUG3x~)-IQpta&OG|QdxBC!Eqk%m3LnvC? +zU(6ywWX1*fxYzBYC#EmnJ$3qc$xqW#^7Rxsi@ejfQ+e&lwLPuO>bP|N_wpOR``O= +zqMO=~2sB@?6&(RzdpT`FI5hM163shM8qK>v>|}Madf^cutE0M#ZM>~ny%#$@FRwAu +zk8l%d#fw5bDWdCer#O6O$y`~w=Xy5PwQG&lhl_K^W&;VX4@Kj8>Q%AdupUF7!WO3R +z{JOcS4!g6@%MIo#TkCDp9e8L`-YMu$3$_ +zaOZxQvn`eOK-`d<+VS|`eLFJbpiRT4lOy?4>V_X!)LM2vw5OIxEY^)t?!n%Hcv>f`=W!aRkE7ml1O_NT$m&Aef`c80 +zvxtz@3x@z%-B#6jpg2srvbbRK7g-$uk=20$gse_hFFXQdbz4=*>iGx&AhJ48fRNP- +z&uJWiA*SXo8BS2QSRh6vXf&iBy%Ui|(>7aHi!9A00o^9~h +z<{8Bgix(dOws~yxIv{|T1^a9R8WiUMptohP;6HhCB$y_Nj3%X4rt414eRIEidqLx#7$K}Yv%4A%QOlz5w +ms+1UNDFta4jrEG`)UNv3W$G~9mo9->FvVI#b}H<0Wd8%4hT`V{ + +literal 0 +HcmV?d00001 + +-- +2.33.0 + 
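Review bot: The new guard `if (len > UINT16_MAX) return -EOVERFLOW;` in `dhcp_server_send_unicast_raw()` carries no comment saying why 65535 is the limit. Presumably `len` ends up in 16-bit IP/UDP length fields inside `dhcp_packet_append_ip_headers()`, but that helper is not visible here, so confirm before stating it as fact. A one-line comment such as `/* len is stored in 16-bit IP/UDP length fields; refuse anything larger */` would keep the check from being dropped as redundant later. Only the raw unicast path is guarded in this hunk; if other send functions build headers from an unchecked length, they would need the same bound. The function body starts and ends outside the hunk.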
diff --git a/backport-sd-dhcp-server-rename-server_send_nak-server_send_na.patch b/backport-sd-dhcp-server-rename-server_send_nak-server_send_na.patch
new file mode 100644
index 0000000000000000000000000000000000000000..ac227f2b7a5470bee052c116ebca6ae35a5f82dc
--- /dev/null
+++ b/backport-sd-dhcp-server-rename-server_send_nak-server_send_na.patch
@@ -0,0 +1,76 @@ +From 96acfde5aae2017e1cad042b51f179ad20aba38d Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Fri, 28 Jan 2022 02:14:47 +0900 +Subject: [PATCH] sd-dhcp-server: rename server_send_nak() -> + server_send_nak_or_ignore() + +And logs error in the function. + +(cherry picked from commit eb5bff9c9de2bd218f5ac431e3aead4b5747ecd9) +(cherry picked from commit 7f36fb25d5c6681dbabb067a9fb083bfad37a804) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/96acfde5aae2017e1cad042b51f179ad20aba38d +--- + src/libsystemd-network/sd-dhcp-server.c | 29 ++++++++++++++----------- + 1 file changed, 16 insertions(+), 13 deletions(-) + +diff --git a/src/libsystemd-network/sd-dhcp-server.c b/src/libsystemd-network/sd-dhcp-server.c +index 070f4ec1c2..d594aeb7cd 100644 +--- a/src/libsystemd-network/sd-dhcp-server.c ++++ b/src/libsystemd-network/sd-dhcp-server.c +@@ -583,16 +583,28 @@ static int server_send_offer_or_ack( + return 0; + } + +-static int server_send_nak(sd_dhcp_server *server, DHCPRequest *req) { ++static int server_send_nak_or_ignore(sd_dhcp_server *server, bool init_reboot, DHCPRequest *req) { + _cleanup_free_ DHCPPacket *packet = NULL; + size_t offset; + int r; + ++ /* When a request is refused, RFC 2131, section 4.3.2 mentioned we should send NAK when the ++ * client is in INITREBOOT. If the client is in other state, there is nothing mentioned in the ++ * RFC whether we should send NAK or not. Hence, let's silently ignore the request. 
*/ ++ ++ if (!init_reboot) ++ return 0; ++ + r = server_message_init(server, &packet, DHCP_NAK, &offset, req); + if (r < 0) +- return r; ++ return log_dhcp_server_errno(server, r, "Failed to create NAK message: %m"); ++ ++ r = dhcp_server_send_packet(server, req, packet, DHCP_NAK, offset); ++ if (r < 0) ++ return log_dhcp_server_errno(server, r, "Could not send NAK message: %m"); + +- return dhcp_server_send_packet(server, req, packet, DHCP_NAK, offset); ++ log_dhcp_server(server, "NAK (0x%x)", be32toh(req->message->xid)); ++ return DHCP_NAK; + } + + static int server_send_forcerenew(sd_dhcp_server *server, be32_t address, +@@ -1079,18 +1091,9 @@ int dhcp_server_handle_message(sd_dhcp_server *server, DHCPMessage *message, siz + server->callback(server, SD_DHCP_SERVER_EVENT_LEASE_CHANGED, server->callback_userdata); + + return DHCP_ACK; +- +- } else if (init_reboot) { +- r = server_send_nak(server, req); +- if (r < 0) +- /* this only fails on critical errors */ +- return log_dhcp_server_errno(server, r, "Could not send nak: %m"); +- +- log_dhcp_server(server, "NAK (0x%x)", be32toh(req->message->xid)); +- return DHCP_NAK; + } + +- break; ++ return server_send_nak_or_ignore(server, init_reboot, req); + } + + case DHCP_RELEASE: { +-- +2.33.0 + diff --git a/backport-sd-dhcp6-client-cirtainly-adjust-T1-and-T2.patch b/backport-sd-dhcp6-client-cirtainly-adjust-T1-and-T2.patch new file mode 100644 index 0000000000000000000000000000000000000000..496d3eeb3136e3ea9c96aedbbe4abc40f705d2c2 --- /dev/null +++ b/backport-sd-dhcp6-client-cirtainly-adjust-T1-and-T2.patch 
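Review bot: `server_send_nak_or_ignore()` now has three kinds of return value, `0` when the request is silently ignored, `DHCP_NAK` after a NAK was sent, and a negative errno on failure, and none of this is documented at the definition. The caller in `dhcp_server_handle_message()` returns the value directly, so a reader has to open the helper to learn that `0` means no reply was sent. A comment above the function would cover it: `/* Returns DHCP_NAK if a NAK was sent, 0 if the request was ignored, negative errno on failure. */`. The path where `init_reboot` is false used to `break` out of the switch and now returns `0` at once; the code after the switch is outside the hunk, so check that nothing there was being relied on.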
@@ -0,0 +1,50 @@ +From e444192a850854e5bc45673b29ba03e5a87a2297 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Tue, 10 Aug 2021 21:39:27 +0900 +Subject: [PATCH] sd-dhcp6-client: cirtainly adjust T1 and T2 + +This fixes a bug introduced by 99f1d3fc5043b33dea5faa88f7015a487965333f. +Note that in the information requesting mode, the lease has neither +addresses nor PD prefixes. + +(cherry picked from commit de949e911ee15d1c9daaf5ba5a3cff806fb2b514) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/e444192a850854e5bc45673b29ba03e5a87a2297 +--- + src/libsystemd-network/sd-dhcp6-client.c | 17 ++++++++--------- + 1 file changed, 8 insertions(+), 9 deletions(-) + +diff --git a/src/libsystemd-network/sd-dhcp6-client.c b/src/libsystemd-network/sd-dhcp6-client.c +index afeb346944..f99c12620b 100644 +--- a/src/libsystemd-network/sd-dhcp6-client.c ++++ b/src/libsystemd-network/sd-dhcp6-client.c +@@ -1328,17 +1328,16 @@ static int client_parse_message( + dhcp6_message_type_to_string(message->type)); + return -EINVAL; + } ++ } + +- } else { +- if (lease->ia.addresses) { +- lease->ia.ia_na.lifetime_t1 = htobe32(lt_t1); +- lease->ia.ia_na.lifetime_t2 = htobe32(lt_t2); +- } ++ if (lease->ia.addresses) { ++ lease->ia.ia_na.lifetime_t1 = htobe32(lt_t1); ++ lease->ia.ia_na.lifetime_t2 = htobe32(lt_t2); ++ } + +- if (lease->pd.addresses) { +- lease->pd.ia_pd.lifetime_t1 = htobe32(lt_t1); +- lease->pd.ia_pd.lifetime_t2 = htobe32(lt_t2); +- } ++ if (lease->pd.addresses) { ++ lease->pd.ia_pd.lifetime_t1 = htobe32(lt_t1); ++ lease->pd.ia_pd.lifetime_t2 = htobe32(lt_t2); + } + + client->information_refresh_time_usec = MAX(irt, IRT_MINIMUM); +-- +2.33.0 + diff --git a/backport-sd-dhcp6-client-constify-one-argument.patch b/backport-sd-dhcp6-client-constify-one-argument.patch new file mode 100644 index 0000000000000000000000000000000000000000..3bd2d1481d65845de1e398762ab1b0d379f56ef4 --- /dev/null +++ b/backport-sd-dhcp6-client-constify-one-argument.patch 
@@ -0,0 +1,43 @@ +From d3f99205f84172f6f9e41061a5aa9414eccf3571 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Thu, 23 Sep 2021 14:57:29 +0900 +Subject: [PATCH] sd-dhcp6-client: constify one argument + +(cherry picked from commit dc95e21d33708e807d3e5872af428383aac3f9b7) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/d3f99205f84172f6f9e41061a5aa9414eccf3571 +--- + src/libsystemd-network/dhcp6-internal.h | 2 +- + src/libsystemd-network/dhcp6-option.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/libsystemd-network/dhcp6-internal.h b/src/libsystemd-network/dhcp6-internal.h +index 35cafc96ec..96d7de8cae 100644 +--- a/src/libsystemd-network/dhcp6-internal.h ++++ b/src/libsystemd-network/dhcp6-internal.h +@@ -105,7 +105,7 @@ int dhcp6_option_parse(uint8_t **buf, size_t *buflen, uint16_t *optcode, + size_t *optlen, uint8_t **optvalue); + int dhcp6_option_parse_status(DHCP6Option *option, size_t len); + int dhcp6_option_parse_ia(sd_dhcp6_client *client, DHCP6Option *iaoption, be32_t iaid, DHCP6IA *ia, uint16_t *ret_status_code); +-int dhcp6_option_parse_ip6addrs(uint8_t *optval, uint16_t optlen, ++int dhcp6_option_parse_ip6addrs(const uint8_t *optval, uint16_t optlen, + struct in6_addr **addrs, size_t count); + int dhcp6_option_parse_domainname_list(const uint8_t *optval, uint16_t optlen, + char ***str_arr); +diff --git a/src/libsystemd-network/dhcp6-option.c b/src/libsystemd-network/dhcp6-option.c +index 34d7e997dd..0709cfd4fd 100644 +--- a/src/libsystemd-network/dhcp6-option.c ++++ b/src/libsystemd-network/dhcp6-option.c +@@ -707,7 +707,7 @@ int dhcp6_option_parse_ia( + return 1; + } + +-int dhcp6_option_parse_ip6addrs(uint8_t *optval, uint16_t optlen, ++int dhcp6_option_parse_ip6addrs(const uint8_t *optval, uint16_t optlen, + struct in6_addr **addrs, size_t count) { + + if (optlen == 0 || optlen % sizeof(struct in6_addr) != 0) +-- +2.33.0 + 
diff --git a/backport-sd-dhcp6-client-constify-several-arguments.patch b/backport-sd-dhcp6-client-constify-several-arguments.patch
new file mode 100644
index 0000000000000000000000000000000000000000..e799b0b7990352439d464f2b4e32adb755dbcc17
--- /dev/null
+++ b/backport-sd-dhcp6-client-constify-several-arguments.patch
@@ -0,0 +1,89 @@ +From 9dcf9e12a68640f413d52f48d1d9786c4c71e073 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Fri, 24 Sep 2021 13:34:14 +0900 +Subject: [PATCH] sd-dhcp6-client: constify several arguments + +(cherry picked from commit 3f8227bf830cc2b87ea9bce5394a71c186d12956) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/9dcf9e12a68640f413d52f48d1d9786c4c71e073 +--- + src/libsystemd-network/dhcp6-lease-internal.h | 10 ++++------ + src/libsystemd-network/sd-dhcp6-lease.c | 12 +++++------- + 2 files changed, 9 insertions(+), 13 deletions(-) + +diff --git a/src/libsystemd-network/dhcp6-lease-internal.h b/src/libsystemd-network/dhcp6-lease-internal.h +index 391b4f1fa9..41b43ba7a4 100644 +--- a/src/libsystemd-network/dhcp6-lease-internal.h ++++ b/src/libsystemd-network/dhcp6-lease-internal.h +@@ -50,12 +50,10 @@ int dhcp6_lease_get_rapid_commit(sd_dhcp6_lease *lease, bool *rapid_commit); + int dhcp6_lease_get_iaid(sd_dhcp6_lease *lease, be32_t *iaid); + int dhcp6_lease_get_pd_iaid(sd_dhcp6_lease *lease, be32_t *iaid); + +-int dhcp6_lease_set_dns(sd_dhcp6_lease *lease, uint8_t *optval, size_t optlen); +-int dhcp6_lease_set_domains(sd_dhcp6_lease *lease, uint8_t *optval, +- size_t optlen); +-int dhcp6_lease_set_ntp(sd_dhcp6_lease *lease, uint8_t *optval, size_t optlen); +-int dhcp6_lease_set_sntp(sd_dhcp6_lease *lease, uint8_t *optval, +- size_t optlen) ; ++int dhcp6_lease_set_dns(sd_dhcp6_lease *lease, const uint8_t *optval, size_t optlen); ++int dhcp6_lease_set_domains(sd_dhcp6_lease *lease, const uint8_t *optval, size_t optlen); ++int dhcp6_lease_set_ntp(sd_dhcp6_lease *lease, const uint8_t *optval, size_t optlen); ++int dhcp6_lease_set_sntp(sd_dhcp6_lease *lease, const uint8_t *optval, size_t optlen) ; + int dhcp6_lease_set_fqdn(sd_dhcp6_lease *lease, const uint8_t *optval, size_t optlen); + + int dhcp6_lease_new(sd_dhcp6_lease **ret); +diff --git a/src/libsystemd-network/sd-dhcp6-lease.c b/src/libsystemd-network/sd-dhcp6-lease.c +index 
9c77b146c7..8378971422 100644 +--- a/src/libsystemd-network/sd-dhcp6-lease.c ++++ b/src/libsystemd-network/sd-dhcp6-lease.c +@@ -193,7 +193,7 @@ void sd_dhcp6_lease_reset_pd_prefix_iter(sd_dhcp6_lease *lease) { + lease->prefix_iter = lease->pd.addresses; + } + +-int dhcp6_lease_set_dns(sd_dhcp6_lease *lease, uint8_t *optval, size_t optlen) { ++int dhcp6_lease_set_dns(sd_dhcp6_lease *lease, const uint8_t *optval, size_t optlen) { + assert_return(lease, -EINVAL); + assert_return(optval, -EINVAL); + +@@ -215,8 +215,7 @@ int sd_dhcp6_lease_get_dns(sd_dhcp6_lease *lease, const struct in6_addr **addrs) + return -ENOENT; + } + +-int dhcp6_lease_set_domains(sd_dhcp6_lease *lease, uint8_t *optval, +- size_t optlen) { ++int dhcp6_lease_set_domains(sd_dhcp6_lease *lease, const uint8_t *optval, size_t optlen) { + int r; + char **domains; + +@@ -248,7 +247,7 @@ int sd_dhcp6_lease_get_domains(sd_dhcp6_lease *lease, char ***domains) { + return -ENOENT; + } + +-int dhcp6_lease_set_ntp(sd_dhcp6_lease *lease, uint8_t *optval, size_t optlen) { ++int dhcp6_lease_set_ntp(sd_dhcp6_lease *lease, const uint8_t *optval, size_t optlen) { + int r; + + assert_return(lease, -EINVAL); +@@ -295,7 +294,7 @@ int dhcp6_lease_set_ntp(sd_dhcp6_lease *lease, uint8_t *optval, size_t optlen) { + return 0; + } + +-int dhcp6_lease_set_sntp(sd_dhcp6_lease *lease, uint8_t *optval, size_t optlen) { ++int dhcp6_lease_set_sntp(sd_dhcp6_lease *lease, const uint8_t *optval, size_t optlen) { + assert_return(lease, -EINVAL); + assert_return(optval, -EINVAL); + +@@ -335,8 +334,7 @@ int sd_dhcp6_lease_get_ntp_fqdn(sd_dhcp6_lease *lease, char ***ntp_fqdn) { + return -ENOENT; + } + +-int dhcp6_lease_set_fqdn(sd_dhcp6_lease *lease, const uint8_t *optval, +- size_t optlen) { ++int dhcp6_lease_set_fqdn(sd_dhcp6_lease *lease, const uint8_t *optval, size_t optlen) { + int r; + char *fqdn; + +-- +2.33.0 + 
diff --git a/backport-sd-dhcp6-client-do-not-merge-NTP-and-SNTP-options.patch b/backport-sd-dhcp6-client-do-not-merge-NTP-and-SNTP-options.patch
new file mode 100644
index 0000000000000000000000000000000000000000..a544e4d339bce00f07932fbf44b1a54da88fd852
--- /dev/null
+++ b/backport-sd-dhcp6-client-do-not-merge-NTP-and-SNTP-options.patch
@@ -0,0 +1,130 @@ +From 4b05527fe35de9602cdcd68a9812d67cd0892e00 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Fri, 24 Sep 2021 15:00:43 +0900 +Subject: [PATCH] sd-dhcp6-client: do not merge NTP and SNTP options + +Previously, SNTP option is ignored when it appears after NTP option(s), +but merged later NTP options when it appears first. +This makes split the NTP and SNTP addresses, and use SNTP addresses only +when no NTP option is provided. + +(cherry picked from commit e693e969614062fea1746399cf5cff4c09526c6a) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/4b05527fe35de9602cdcd68a9812d67cd0892e00 +--- + src/libsystemd-network/dhcp6-lease-internal.h | 4 ++- + src/libsystemd-network/sd-dhcp6-client.c | 2 +- + src/libsystemd-network/sd-dhcp6-lease.c | 26 ++++++++++--------- + src/libsystemd-network/test-dhcp6-client.c | 3 +-- + 4 files changed, 19 insertions(+), 16 deletions(-) + +diff --git a/src/libsystemd-network/dhcp6-lease-internal.h b/src/libsystemd-network/dhcp6-lease-internal.h +index 41b43ba7a4..dbcb6d040f 100644 +--- a/src/libsystemd-network/dhcp6-lease-internal.h ++++ b/src/libsystemd-network/dhcp6-lease-internal.h +@@ -33,6 +33,8 @@ struct sd_dhcp6_lease { + size_t ntp_count; + char **ntp_fqdn; + size_t ntp_fqdn_count; ++ struct in6_addr *sntp; ++ size_t sntp_count; + char *fqdn; + }; + +@@ -53,7 +55,7 @@ int dhcp6_lease_get_pd_iaid(sd_dhcp6_lease *lease, be32_t *iaid); + int dhcp6_lease_set_dns(sd_dhcp6_lease *lease, const uint8_t *optval, size_t optlen); + int dhcp6_lease_set_domains(sd_dhcp6_lease *lease, const uint8_t *optval, size_t optlen); + int dhcp6_lease_set_ntp(sd_dhcp6_lease *lease, const uint8_t *optval, size_t optlen); +-int dhcp6_lease_set_sntp(sd_dhcp6_lease *lease, const uint8_t *optval, size_t optlen) ; ++int dhcp6_lease_add_sntp(sd_dhcp6_lease *lease, const uint8_t *optval, size_t optlen) ; + int dhcp6_lease_set_fqdn(sd_dhcp6_lease *lease, const uint8_t *optval, size_t optlen); + + int 
dhcp6_lease_new(sd_dhcp6_lease **ret); +diff --git a/src/libsystemd-network/sd-dhcp6-client.c b/src/libsystemd-network/sd-dhcp6-client.c +index efbf7d7df3..a31dd16c01 100644 +--- a/src/libsystemd-network/sd-dhcp6-client.c ++++ b/src/libsystemd-network/sd-dhcp6-client.c +@@ -1265,7 +1265,7 @@ static int client_parse_message( + break; + + case SD_DHCP6_OPTION_SNTP_SERVERS: +- r = dhcp6_lease_set_sntp(lease, optval, optlen); ++ r = dhcp6_lease_add_sntp(lease, optval, optlen); + if (r < 0) + return r; + +diff --git a/src/libsystemd-network/sd-dhcp6-lease.c b/src/libsystemd-network/sd-dhcp6-lease.c +index 4804f0941a..e424aa15b6 100644 +--- a/src/libsystemd-network/sd-dhcp6-lease.c ++++ b/src/libsystemd-network/sd-dhcp6-lease.c +@@ -294,31 +294,32 @@ int dhcp6_lease_set_ntp(sd_dhcp6_lease *lease, const uint8_t *optval, size_t opt + return 0; + } + +-int dhcp6_lease_set_sntp(sd_dhcp6_lease *lease, const uint8_t *optval, size_t optlen) { ++int dhcp6_lease_add_sntp(sd_dhcp6_lease *lease, const uint8_t *optval, size_t optlen) { + assert_return(lease, -EINVAL); + assert_return(optval, -EINVAL); + + if (optlen == 0) + return 0; + +- if (lease->ntp || lease->ntp_fqdn) +- return -EEXIST; +- +- /* Using deprecated SNTP information */ +- +- return dhcp6_option_parse_addresses(optval, optlen, &lease->ntp, &lease->ntp_count); ++ /* SNTP option is defined in RFC4075, and deprecated by RFC5908. */ ++ return dhcp6_option_parse_addresses(optval, optlen, &lease->sntp, &lease->sntp_count); + } + +-int sd_dhcp6_lease_get_ntp_addrs(sd_dhcp6_lease *lease, +- const struct in6_addr **addrs) { ++int sd_dhcp6_lease_get_ntp_addrs(sd_dhcp6_lease *lease, const struct in6_addr **ret) { + assert_return(lease, -EINVAL); +- assert_return(addrs, -EINVAL); ++ assert_return(ret, -EINVAL); + +- if (lease->ntp_count) { +- *addrs = lease->ntp; ++ if (lease->ntp) { ++ *ret = lease->ntp; + return lease->ntp_count; + } + ++ if (lease->sntp && !lease->ntp_fqdn) { ++ /* Fallback to the deprecated SNTP option. 
*/ ++ *ret = lease->sntp; ++ return lease->sntp_count; ++ } ++ + return -ENOENT; + } + +@@ -377,6 +378,7 @@ static sd_dhcp6_lease *dhcp6_lease_free(sd_dhcp6_lease *lease) { + strv_free(lease->domains); + free(lease->ntp); + strv_free(lease->ntp_fqdn); ++ free(lease->sntp); + + return mfree(lease); + } +diff --git a/src/libsystemd-network/test-dhcp6-client.c b/src/libsystemd-network/test-dhcp6-client.c +index b22297dcd5..429687562c 100644 +--- a/src/libsystemd-network/test-dhcp6-client.c ++++ b/src/libsystemd-network/test-dhcp6-client.c +@@ -521,8 +521,7 @@ static int test_advertise_option(sd_event *e) { + + case SD_DHCP6_OPTION_SNTP_SERVERS: + assert_se(optlen == 16); +- assert_se(dhcp6_lease_set_sntp(lease, optval, +- optlen) >= 0); ++ assert_se(dhcp6_lease_add_sntp(lease, optval, optlen) >= 0); + break; + + default: +-- +2.33.0 + diff --git a/backport-sd-dhcp6-client-fix-buffer-size-calculation-in-dhcp6.patch b/backport-sd-dhcp6-client-fix-buffer-size-calculation-in-dhcp6.patch new file mode 100644 index 0000000000000000000000000000000000000000..d49a7b63e9795cca1e372b8838179f051e63cd86 --- /dev/null +++ b/backport-sd-dhcp6-client-fix-buffer-size-calculation-in-dhcp6.patch 
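Review bot: The new precedence in `sd_dhcp6_lease_get_ntp_addrs()`, which returns `lease->sntp` only when both `lease->ntp` and `lease->ntp_fqdn` are unset, is not covered by any assertion; the only change to `test-dhcp6-client.c` is the renamed call to `dhcp6_lease_add_sntp()`. A test that feeds an SNTP option together with an NTP option, in both orders, and checks which list comes back would pin the behaviour the commit message describes. The `!lease->ntp_fqdn` half of the condition also deserves a why-comment, for example `/* NTP FQDNs count as NTP information too; do not mix them with SNTP addresses. */`. This getter carries the public `sd_` prefix, so the fallback rule should be stated where callers will see it.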
@@ -0,0 +1,154 @@ +From b8a852e515002e5e312dd99b964bb17b9ca8fc1d Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Fri, 24 Sep 2021 01:24:52 +0900 +Subject: [PATCH] sd-dhcp6-client: fix buffer size calculation in + dhcp6_option_parse_ip6addrs() + +GREEDY_REALLOC() takes number of elements, not buffer size. + +This also rename dhcp6_option_parse_ip6addrs() to +dhcp6_option_parse_addresses(). + +(cherry picked from commit ad3c84204c76e03a0b9b761563f6cd8907515014) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/b8a852e515002e5e312dd99b964bb17b9ca8fc1d +--- + src/libsystemd-network/dhcp6-internal.h | 7 ++++-- + src/libsystemd-network/dhcp6-option.c | 22 +++++++++++------- + src/libsystemd-network/sd-dhcp6-lease.c | 30 +++++-------------------- + 3 files changed, 24 insertions(+), 35 deletions(-) + +diff --git a/src/libsystemd-network/dhcp6-internal.h b/src/libsystemd-network/dhcp6-internal.h +index 8d083d3858..e555557914 100644 +--- a/src/libsystemd-network/dhcp6-internal.h ++++ b/src/libsystemd-network/dhcp6-internal.h +@@ -111,8 +111,11 @@ int dhcp6_option_parse( + const uint8_t **ret_option_data); + int dhcp6_option_parse_status(DHCP6Option *option, size_t len); + int dhcp6_option_parse_ia(sd_dhcp6_client *client, DHCP6Option *iaoption, be32_t iaid, DHCP6IA *ia, uint16_t *ret_status_code); +-int dhcp6_option_parse_ip6addrs(const uint8_t *optval, uint16_t optlen, +- struct in6_addr **addrs, size_t count); ++int dhcp6_option_parse_addresses( ++ const uint8_t *optval, ++ size_t optlen, ++ struct in6_addr **addrs, ++ size_t *count); + int dhcp6_option_parse_domainname_list(const uint8_t *optval, uint16_t optlen, + char ***str_arr); + int dhcp6_option_parse_domainname(const uint8_t *optval, uint16_t optlen, char **str); +diff --git a/src/libsystemd-network/dhcp6-option.c b/src/libsystemd-network/dhcp6-option.c +index 781d391c0c..8f763de133 100644 +--- a/src/libsystemd-network/dhcp6-option.c ++++ b/src/libsystemd-network/dhcp6-option.c +@@ -699,20 
+699,26 @@ int dhcp6_option_parse_ia( + return 1; + } + +-int dhcp6_option_parse_ip6addrs(const uint8_t *optval, uint16_t optlen, +- struct in6_addr **addrs, size_t count) { ++int dhcp6_option_parse_addresses( ++ const uint8_t *optval, ++ size_t optlen, ++ struct in6_addr **addrs, ++ size_t *count) { ++ ++ assert(optval); ++ assert(addrs); ++ assert(count); + + if (optlen == 0 || optlen % sizeof(struct in6_addr) != 0) +- return -EINVAL; ++ return -EBADMSG; + +- if (!GREEDY_REALLOC(*addrs, count * sizeof(struct in6_addr) + optlen)) ++ if (!GREEDY_REALLOC(*addrs, *count + optlen / sizeof(struct in6_addr))) + return -ENOMEM; + +- memcpy(*addrs + count, optval, optlen); ++ memcpy(*addrs + *count, optval, optlen); ++ *count += optlen / sizeof(struct in6_addr); + +- count += optlen / sizeof(struct in6_addr); +- +- return count; ++ return 0; + } + + static int parse_domain(const uint8_t **data, uint16_t *len, char **out_domain) { +diff --git a/src/libsystemd-network/sd-dhcp6-lease.c b/src/libsystemd-network/sd-dhcp6-lease.c +index 6375a22537..9c77b146c7 100644 +--- a/src/libsystemd-network/sd-dhcp6-lease.c ++++ b/src/libsystemd-network/sd-dhcp6-lease.c +@@ -194,22 +194,13 @@ void sd_dhcp6_lease_reset_pd_prefix_iter(sd_dhcp6_lease *lease) { + } + + int dhcp6_lease_set_dns(sd_dhcp6_lease *lease, uint8_t *optval, size_t optlen) { +- int r; +- + assert_return(lease, -EINVAL); + assert_return(optval, -EINVAL); + +- if (!optlen) ++ if (optlen == 0) + return 0; + +- r = dhcp6_option_parse_ip6addrs(optval, optlen, &lease->dns, +- lease->dns_count); +- if (r < 0) +- return r; +- +- lease->dns_count = r; +- +- return 0; ++ return dhcp6_option_parse_addresses(optval, optlen, &lease->dns, &lease->dns_count); + } + + int sd_dhcp6_lease_get_dns(sd_dhcp6_lease *lease, const struct in6_addr **addrs) { +@@ -281,12 +272,10 @@ int dhcp6_lease_set_ntp(sd_dhcp6_lease *lease, uint8_t *optval, size_t optlen) { + if (sublen != 16) + return 0; + +- r = dhcp6_option_parse_ip6addrs(subval, sublen, 
&lease->ntp, lease->ntp_count); ++ r = dhcp6_option_parse_addresses(subval, sublen, &lease->ntp, &lease->ntp_count); + if (r < 0) + return r; + +- lease->ntp_count = r; +- + break; + + case DHCP6_NTP_SUBOPTION_SRV_FQDN: { +@@ -307,12 +296,10 @@ int dhcp6_lease_set_ntp(sd_dhcp6_lease *lease, uint8_t *optval, size_t optlen) { + } + + int dhcp6_lease_set_sntp(sd_dhcp6_lease *lease, uint8_t *optval, size_t optlen) { +- int r; +- + assert_return(lease, -EINVAL); + assert_return(optval, -EINVAL); + +- if (!optlen) ++ if (optlen == 0) + return 0; + + if (lease->ntp || lease->ntp_fqdn) +@@ -320,14 +307,7 @@ int dhcp6_lease_set_sntp(sd_dhcp6_lease *lease, uint8_t *optval, size_t optlen) + + /* Using deprecated SNTP information */ + +- r = dhcp6_option_parse_ip6addrs(optval, optlen, &lease->ntp, +- lease->ntp_count); +- if (r < 0) +- return r; +- +- lease->ntp_count = r; +- +- return 0; ++ return dhcp6_option_parse_addresses(optval, optlen, &lease->ntp, &lease->ntp_count); + } + + int sd_dhcp6_lease_get_ntp_addrs(sd_dhcp6_lease *lease, +-- +2.33.0 + diff --git a/backport-sd-dhcp6-client-fix-copy-and-paste-mistake.patch b/backport-sd-dhcp6-client-fix-copy-and-paste-mistake.patch new file mode 100644 index 0000000000000000000000000000000000000000..5b175e4b5e49e69345f1e310bfdccec4da0bb855 --- /dev/null +++ b/backport-sd-dhcp6-client-fix-copy-and-paste-mistake.patch 
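Review bot: `dhcp6_option_parse_addresses()` changes its contract without documenting it, and neither the prototype in `dhcp6-internal.h` nor the definition in `dhcp6-option.c` carries a comment. The old function took `count` by value and returned the new total; the new one takes `size_t *count`, appends to `*addrs`, updates `*count` in place and returns `0`. A short comment at the prototype would make this visible to future callers: `/* Appends the addresses in optval to *addrs and adds their number to *count; returns 0 or negative errno. */`. The malformed-length error also changes from `-EINVAL` to `-EBADMSG`, and the callers shown here pass it straight up, so any code outside this patch that matched on `-EINVAL` should be checked.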
@@ -0,0 +1,31 @@ +From 1c71cba86be4818c1546d5f84fde5138f737e180 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Tue, 10 Aug 2021 21:36:04 +0900 +Subject: [PATCH] sd-dhcp6-client: fix copy-and-paste mistake + +Fix bug introduced by b47fb949b338a8e77be789542fffb8c86da79284. + +(cherry picked from commit 0c42b613485978eb82d7aff7ed426b8a8bb327af) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/1c71cba86be4818c1546d5f84fde5138f737e180 +--- + src/libsystemd-network/sd-dhcp6-client.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/libsystemd-network/sd-dhcp6-client.c b/src/libsystemd-network/sd-dhcp6-client.c +index e8c47f429a..afeb346944 100644 +--- a/src/libsystemd-network/sd-dhcp6-client.c ++++ b/src/libsystemd-network/sd-dhcp6-client.c +@@ -1219,7 +1219,7 @@ static int client_parse_message( + + if (lease->ia.addresses) { + lt_t1 = MIN(lt_t1, be32toh(lease->ia.ia_na.lifetime_t1)); +- lt_t2 = MIN(lt_t2, be32toh(lease->ia.ia_na.lifetime_t1)); ++ lt_t2 = MIN(lt_t2, be32toh(lease->ia.ia_na.lifetime_t2)); + } + + break; +-- +2.33.0 + diff --git a/backport-sd-dhcp6-client-fix-error-handling.patch b/backport-sd-dhcp6-client-fix-error-handling.patch new file mode 100644 index 0000000000000000000000000000000000000000..437f5767e4b93a08fe0f4a8c90e10b7fe2165018 --- /dev/null +++ b/backport-sd-dhcp6-client-fix-error-handling.patch 
@@ -0,0 +1,33 @@ +From c766dc2f77ed15e41de70e5e5f03dc4650fa55de Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Tue, 30 Nov 2021 17:58:40 +0900 +Subject: [PATCH] sd-dhcp6-client: fix error handling + +(cherry picked from commit 97e80ee4a86d4097fda78a01d8b64ad2085008f3) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/c766dc2f77ed15e41de70e5e5f03dc4650fa55de +--- + src/libsystemd-network/sd-dhcp6-client.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/libsystemd-network/sd-dhcp6-client.c b/src/libsystemd-network/sd-dhcp6-client.c +index a31dd16c01..1acca301b4 100644 +--- a/src/libsystemd-network/sd-dhcp6-client.c ++++ b/src/libsystemd-network/sd-dhcp6-client.c +@@ -1424,10 +1424,10 @@ static int client_receive_message( + len = recv(fd, message, buflen, 0); + if (len < 0) { + /* see comment above for why we shouldn't error out on ENETDOWN. */ +- if (IN_SET(errno, EAGAIN, EINTR, ENETDOWN)) ++ if (IN_SET(len, -EAGAIN, -EINTR, -ENETDOWN)) + return 0; + +- return log_dhcp6_client_errno(client, errno, "Could not receive message from UDP socket: %m"); ++ return log_dhcp6_client_errno(client, len, "Could not receive message from UDP socket: %m"); + + } + if ((size_t) len < sizeof(DHCP6Message)) { +-- +2.33.0 + diff --git a/backport-sd-dhcp6-client-ignore-IAs-whose-IAID-do-not-match-c.patch b/backport-sd-dhcp6-client-ignore-IAs-whose-IAID-do-not-match-c.patch new file mode 100644 index 0000000000000000000000000000000000000000..ca540bee42c7cf8a1c2f70a9af9fd8b039b4af93 --- /dev/null +++ b/backport-sd-dhcp6-client-ignore-IAs-whose-IAID-do-not-match-c.patch 
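Review bot: In `client_receive_message()` the new checks test `len`, but the context line just above shows `len = recv(fd, message, buflen, 0);`, and `recv()` reports failure as `-1` with the cause in `errno`, not as a negative errno value. With this change `IN_SET(len, -EAGAIN, -EINTR, -ENETDOWN)` can never match, so transient conditions are no longer ignored, and `log_dhcp6_client_errno(client, len, ...)` logs `-1`, which is `-EPERM` on Linux, instead of the real error. Unless this tree also replaces `recv()` with a wrapper that returns `-errno` (not visible here), keep `if (IN_SET(errno, EAGAIN, EINTR, ENETDOWN))` and pass `errno` to the log call. The function starts and ends outside the hunk.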
@@ -0,0 +1,318 @@
+From 5193b40cebe30e6297ba8d1e8cf888ab25cea2ae Mon Sep 17 00:00:00 2001
+From: Yu Watanabe
+Date: Wed, 22 Sep 2021 10:35:56 +0300
+Subject: [PATCH] sd-dhcp6-client: ignore IAs whose IAID do not match client's
+ IAID
+
+But do not refuse whole message.
+
+(cherry picked from commit 469fd57f181e2a8d93f01662418ca998e1239ea5)
+
+Conflict:NA
+Reference:https://github.com/systemd/systemd/commit/5193b40cebe30e6297ba8d1e8cf888ab25cea2ae
+---
+ src/libsystemd-network/dhcp6-internal.h | 2 +-
+ src/libsystemd-network/dhcp6-option.c | 36 ++++++++++++++++++--
+ src/libsystemd-network/sd-dhcp6-client.c | 29 +++-------------
+ src/libsystemd-network/test-dhcp6-client.c | 39 ++++++++++++++--------
+ 4 files changed, 64 insertions(+), 42 deletions(-)
+
+diff --git a/src/libsystemd-network/dhcp6-internal.h b/src/libsystemd-network/dhcp6-internal.h
+index f0f814957f..35cafc96ec 100644
+--- a/src/libsystemd-network/dhcp6-internal.h
++++ b/src/libsystemd-network/dhcp6-internal.h
+@@ -104,7 +104,7 @@ int dhcp6_option_append_vendor_option(uint8_t **buf, size_t *buflen, OrderedHash
+ int dhcp6_option_parse(uint8_t **buf, size_t *buflen, uint16_t *optcode,
+ size_t *optlen, uint8_t **optvalue);
+ int dhcp6_option_parse_status(DHCP6Option *option, size_t len);
+-int dhcp6_option_parse_ia(sd_dhcp6_client *client, DHCP6Option *iaoption, DHCP6IA *ia, uint16_t *ret_status_code);
++int dhcp6_option_parse_ia(sd_dhcp6_client *client, DHCP6Option *iaoption, be32_t iaid, DHCP6IA *ia, uint16_t *ret_status_code);
+ int dhcp6_option_parse_ip6addrs(uint8_t *optval, uint16_t optlen,
+ struct in6_addr **addrs, size_t count);
+ int dhcp6_option_parse_domainname_list(const uint8_t *optval, uint16_t optlen,
+diff --git a/src/libsystemd-network/dhcp6-option.c b/src/libsystemd-network/dhcp6-option.c
+index 97ef03a2d2..34d7e997dd 100644
+--- a/src/libsystemd-network/dhcp6-option.c
++++ b/src/libsystemd-network/dhcp6-option.c
+@@ -509,7 +509,13 @@ static int dhcp6_option_parse_pdprefix(sd_dhcp6_client *client, DHCP6Option *opt
+ return 0;
+ }
+
+-int dhcp6_option_parse_ia(sd_dhcp6_client *client, DHCP6Option *iaoption, DHCP6IA *ia, uint16_t *ret_status_code) {
++int dhcp6_option_parse_ia(
++ sd_dhcp6_client *client,
++ DHCP6Option *iaoption,
++ be32_t iaid,
++ DHCP6IA *ia,
++ uint16_t *ret_status_code) {
++
+ uint32_t lt_t1, lt_t2, lt_valid = 0, lt_min = UINT32_MAX;
+ uint16_t iatype, optlen;
+ size_t iaaddr_offset;
+@@ -529,6 +535,14 @@ int dhcp6_option_parse_ia(sd_dhcp6_client *client, DHCP6Option *iaoption, DHCP6I
+ if (len < DHCP6_OPTION_IA_NA_LEN)
+ return -ENOBUFS;
+
++ /* According to RFC8415, IAs which do not match the client's IAID should be ignored,
++ * but not necessary to ignore or refuse the whole message. */
++ if (((const struct ia_na*) iaoption->data)->id != iaid)
++ /* ENOANO indicates the option should be ignored. */
++ return log_dhcp6_client_errno(client, SYNTHETIC_ERRNO(ENOANO),
++ "Received an IA_NA option with a different IAID "
++ "from the one chosen by the client, ignoring.");
++
+ iaaddr_offset = DHCP6_OPTION_IA_NA_LEN;
+ memcpy(&ia->ia_na, iaoption->data, sizeof(ia->ia_na));
+
+@@ -547,6 +561,14 @@ int dhcp6_option_parse_ia(sd_dhcp6_client *client, DHCP6Option *iaoption, DHCP6I
+ if (len < sizeof(ia->ia_pd))
+ return -ENOBUFS;
+
++ /* According to RFC8415, IAs which do not match the client's IAID should be ignored,
++ * but not necessary to ignore or refuse the whole message. */
++ if (((const struct ia_pd*) iaoption->data)->id != iaid)
++ /* ENOANO indicates the option should be ignored. */
++ return log_dhcp6_client_errno(client, SYNTHETIC_ERRNO(ENOANO),
++ "Received an IA_PD option with a different IAID "
++ "from the one chosen by the client, ignoring.");
++
+ iaaddr_offset = sizeof(ia->ia_pd);
+ memcpy(&ia->ia_pd, iaoption->data, sizeof(ia->ia_pd));
+
+@@ -564,13 +586,21 @@ int dhcp6_option_parse_ia(sd_dhcp6_client *client, DHCP6Option *iaoption, DHCP6I
+ if (len < DHCP6_OPTION_IA_TA_LEN)
+ return -ENOBUFS;
+
++ /* According to RFC8415, IAs which do not match the client's IAID should be ignored,
++ * but not necessary to ignore or refuse the whole message. */
++ if (((const struct ia_ta*) iaoption->data)->id != iaid)
++ /* ENOANO indicates the option should be ignored. */
++ return log_dhcp6_client_errno(client, SYNTHETIC_ERRNO(ENOANO),
++ "Received an IA_TA option with a different IAID "
++ "from the one chosen by the client, ignoring.");
++
+ iaaddr_offset = DHCP6_OPTION_IA_TA_LEN;
+- memcpy(&ia->ia_ta.id, iaoption->data, sizeof(ia->ia_ta));
++ memcpy(&ia->ia_ta, iaoption->data, sizeof(ia->ia_ta));
+
+ break;
+
+ default:
+- return -ENOMSG;
++ return -EINVAL;
+ }
+
+ ia->type = iatype;
+diff --git a/src/libsystemd-network/sd-dhcp6-client.c b/src/libsystemd-network/sd-dhcp6-client.c
+index f99c12620b..efbf7d7df3 100644
+--- a/src/libsystemd-network/sd-dhcp6-client.c
++++ b/src/libsystemd-network/sd-dhcp6-client.c
+@@ -1119,7 +1119,6 @@ static int client_parse_message(
+ while (pos < len) {
+ DHCP6Option *option = (DHCP6Option *) &message->options[pos];
+ uint16_t optcode, optlen;
+- be32_t iaid_lease;
+ int status;
+ uint8_t *optval;
+
+@@ -1198,8 +1197,8 @@ static int client_parse_message(
+ break;
+ }
+
+- r = dhcp6_option_parse_ia(client, option, &lease->ia, &ia_na_status);
+- if (r < 0 && r != -ENOMSG)
++ r = dhcp6_option_parse_ia(client, option, client->ia_pd.ia_na.id, &lease->ia, &ia_na_status);
++ if (r < 0 && r != -ENOANO)
+ return r;
+
+ if (ia_na_status == DHCP6_STATUS_NO_ADDRS_AVAIL) {
+@@ -1207,16 +1206,6 @@ static int client_parse_message(
+ continue;
+ }
+
+- r = dhcp6_lease_get_iaid(lease, &iaid_lease);
+- if (r < 0)
+- return r;
+-
+- if (client->ia_na.ia_na.id != iaid_lease) {
+- log_dhcp6_client(client, "%s has wrong IAID for IA NA",
+- dhcp6_message_type_to_string(message->type));
+- return -EINVAL;
+- }
+-
+ if (lease->ia.addresses) {
+ lt_t1 = MIN(lt_t1, be32toh(lease->ia.ia_na.lifetime_t1));
+ lt_t2 = MIN(lt_t2, be32toh(lease->ia.ia_na.lifetime_t2));
+@@ -1231,8 +1220,8 @@ static int client_parse_message(
+ break;
+ }
+
+- r = dhcp6_option_parse_ia(client, option, &lease->pd, &ia_pd_status);
+- if (r < 0 && r != -ENOMSG)
++ r = dhcp6_option_parse_ia(client, option, client->ia_pd.ia_pd.id, &lease->pd, &ia_pd_status);
++ if (r < 0 && r != -ENOANO)
+ return r;
+
+ if (ia_pd_status == DHCP6_STATUS_NO_PREFIX_AVAIL) {
+@@ -1240,16 +1229,6 @@ static int client_parse_message(
+ continue;
+ }
+
+- r = dhcp6_lease_get_pd_iaid(lease, &iaid_lease);
+- if (r < 0)
+- return r;
+-
+- if (client->ia_pd.ia_pd.id != iaid_lease) {
+- log_dhcp6_client(client, "%s has wrong IAID for IA PD",
+- dhcp6_message_type_to_string(message->type));
+- return -EINVAL;
+- }
+-
+ if (lease->pd.addresses) {
+ lt_t1 = MIN(lt_t1, be32toh(lease->pd.ia_pd.lifetime_t1));
+ lt_t2 = MIN(lt_t2, be32toh(lease->pd.ia_pd.lifetime_t2));
+diff --git a/src/libsystemd-network/test-dhcp6-client.c b/src/libsystemd-network/test-dhcp6-client.c
+index a72c13684d..5e3b191595 100644
+--- a/src/libsystemd-network/test-dhcp6-client.c
++++ b/src/libsystemd-network/test-dhcp6-client.c
+@@ -287,25 +287,31 @@ static int test_option_status(sd_event *e) {
+ };
+ DHCP6Option *option;
+ DHCP6IA ia, pd;
++ be32_t iaid;
+ int r = 0;
+
+ log_debug("/* %s */", __func__);
+
++ memcpy(&iaid, option1 + 4, sizeof(iaid));
++
+ zero(ia);
+ option = (DHCP6Option *)option1;
+ assert_se(sizeof(option1) == sizeof(DHCP6Option) + be16toh(option->len));
+
+- r = dhcp6_option_parse_ia(NULL, option, &ia, NULL);
++ r = dhcp6_option_parse_ia(NULL, option, 0, &ia, NULL);
++ assert_se(r == -ENOANO);
++
++ r = dhcp6_option_parse_ia(NULL, option, iaid, &ia, NULL);
+ assert_se(r == 0);
+ assert_se(ia.addresses == NULL);
+
+ option->len = htobe16(17);
+- r = dhcp6_option_parse_ia(NULL, option, &ia, NULL);
++ r = dhcp6_option_parse_ia(NULL, option, iaid, &ia, NULL);
+ assert_se(r == -ENOBUFS);
+ assert_se(ia.addresses == NULL);
+
+ option->len = htobe16(sizeof(DHCP6Option));
+- r = dhcp6_option_parse_ia(NULL, option, &ia, NULL);
++ r = dhcp6_option_parse_ia(NULL, option, iaid, &ia, NULL);
+ assert_se(r == -ENOBUFS);
+ assert_se(ia.addresses == NULL);
+
+@@ -313,7 +319,7 @@ static int test_option_status(sd_event *e) {
+ option = (DHCP6Option *)option2;
+ assert_se(sizeof(option2) == sizeof(DHCP6Option) + be16toh(option->len));
+
+- r = dhcp6_option_parse_ia(NULL, option, &ia, NULL);
++ r = dhcp6_option_parse_ia(NULL, option, iaid, &ia, NULL);
+ assert_se(r >= 0);
+ assert_se(ia.addresses == NULL);
+
+@@ -321,7 +327,7 @@ static int test_option_status(sd_event *e) {
+ option = (DHCP6Option *)option3;
+ assert_se(sizeof(option3) == sizeof(DHCP6Option) + be16toh(option->len));
+
+- r = dhcp6_option_parse_ia(NULL, option, &ia, NULL);
++ r = dhcp6_option_parse_ia(NULL, option, iaid, &ia, NULL);
+ assert_se(r >= 0);
+ assert_se(ia.addresses != NULL);
+ dhcp6_lease_free_ia(&ia);
+@@ -330,7 +336,7 @@ static int test_option_status(sd_event *e) {
+ option = (DHCP6Option *)option4;
+ assert_se(sizeof(option4) == sizeof(DHCP6Option) + be16toh(option->len));
+
+- r = dhcp6_option_parse_ia(NULL, option, &pd, NULL);
++ r = dhcp6_option_parse_ia(NULL, option, iaid, &pd, NULL);
+ assert_se(r >= 0);
+ assert_se(pd.addresses != NULL);
+ assert_se(memcmp(&pd.ia_pd.id, &option4[4], 4) == 0);
+@@ -342,7 +348,7 @@ static int test_option_status(sd_event *e) {
+ option = (DHCP6Option *)option5;
+ assert_se(sizeof(option5) == sizeof(DHCP6Option) + be16toh(option->len));
+
+- r = dhcp6_option_parse_ia(NULL, option, &pd, NULL);
++ r = dhcp6_option_parse_ia(NULL, option, iaid, &pd, NULL);
+ assert_se(r >= 0);
+ assert_se(pd.addresses != NULL);
+ dhcp6_lease_free_ia(&pd);
+@@ -447,13 +453,14 @@ static int test_advertise_option(sd_event *e) {
+ opt_clientid = true;
+ break;
+
+- case SD_DHCP6_OPTION_IA_NA:
++ case SD_DHCP6_OPTION_IA_NA: {
++ be32_t iaid = htobe32(0x0ecfa37d);
++
+ assert_se(optlen == 94);
+ assert_se(optval == &msg_advertise[26]);
+ assert_se(!memcmp(optval, &msg_advertise[26], optlen));
+
+- val = htobe32(0x0ecfa37d);
+- assert_se(!memcmp(optval, &val, sizeof(val)));
++ assert_se(!memcmp(optval, &iaid, sizeof(val)));
+
+ val = htobe32(80);
+ assert_se(!memcmp(optval + 4, &val, sizeof(val)));
+@@ -461,10 +468,10 @@ static int test_advertise_option(sd_event *e) {
+ val = htobe32(120);
+ assert_se(!memcmp(optval + 8, &val, sizeof(val)));
+
+- assert_se(dhcp6_option_parse_ia(NULL, option, &lease->ia, NULL) >= 0);
++ assert_se(dhcp6_option_parse_ia(NULL, option, iaid, &lease->ia, NULL) >= 0);
+
+ break;
+-
++ }
+ case SD_DHCP6_OPTION_SERVERID:
+ assert_se(optlen == 14);
+ assert_se(optval == &msg_advertise[179]);
+@@ -598,6 +605,8 @@ static void test_client_solicit_cb(sd_dhcp6_client *client, int event,
+ static int test_client_send_reply(DHCP6Message *request) {
+ DHCP6Message reply;
+
++ log_debug("/* %s */", __func__);
++
+ reply.transaction_id = request->transaction_id;
+ reply.type = DHCP6_REPLY;
+
+@@ -658,7 +667,7 @@ static int test_client_verify_request(DHCP6Message *request, size_t len) {
+ assert_se(!memcmp(optval + 8, &val, sizeof(val)));
+
+ /* Then, this should refuse all addresses. */
+- assert_se(dhcp6_option_parse_ia(NULL, option, &lease->ia, NULL) >= 0);
++ assert_se(dhcp6_option_parse_ia(NULL, option, test_iaid, &lease->ia, NULL) >= 0);
+
+ break;
+
+@@ -704,6 +713,8 @@ static int test_client_verify_request(DHCP6Message *request, size_t len) {
+ static int test_client_send_advertise(DHCP6Message *solicit) {
+ DHCP6Message advertise;
+
++ log_debug("/* %s */", __func__);
++
+ advertise.transaction_id = solicit->transaction_id;
+ advertise.type = DHCP6_ADVERTISE;
+
+@@ -899,6 +910,8 @@ int dhcp6_network_send_udp_socket(int s, struct in6_addr *server_address,
+ IN6ADDR_ALL_DHCP6_RELAY_AGENTS_AND_SERVERS_INIT;
+ DHCP6Message *message;
+
++ log_debug("/* %s */", __func__);
++
+ assert_se(s == test_dhcp_fd[0]);
+ assert_se(server_address);
+ assert_se(packet);
+--
+2.33.0
+
diff --git a/backport-sd-dhcp6-client-make-dhcp6_lease_free-accepts-NULL.patch b/backport-sd-dhcp6-client-make-dhcp6_lease_free-accepts-NULL.patch
new file mode 100644
index 0000000000000000000000000000000000000000..6ef421914ed0ed3400cd089a00ab7378a0ea3ff1
--- /dev/null
+++ b/backport-sd-dhcp6-client-make-dhcp6_lease_free-accepts-NULL.patch
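Review bot: In the IA_NA branch of client_parse_message() the new call passes `client->ia_pd.ia_na.id` as the expected IAID, whereas the check it replaces compared against `client->ia_na.ia_na.id`; the IA_PD branch uses `client->ia_pd.ia_pd.id` consistently. If the client's two IAs can ever carry different IAIDs, a server's valid IA_NA would be dropped with -ENOANO and one carrying the PD IAID accepted, so the call should read `r = dhcp6_option_parse_ia(client, option, client->ia_na.ia_na.id, &lease->ia, &ia_na_status);`. Separately, in test_advertise_option() `assert_se(!memcmp(optval, &iaid, sizeof(val)));` sizes the compare with a different variable from the one compared; `sizeof(iaid)` is the safer spelling. client_parse_message() starts and ends outside these hunks.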
@@ -0,0 +1,45 @@
+From f160a20a6bf995617cf8a22466638755f9a07813 Mon Sep 17 00:00:00 2001
+From: Yu Watanabe
+Date: Fri, 24 Sep 2021 23:45:13 +0900
+Subject: [PATCH] sd-dhcp6-client: make dhcp6_lease_free() accepts NULL
+
+(cherry picked from commit 5cf67bb4072f149d0404398bfc359b068312ba28)
+
+Conflict:NA
+Reference:https://github.com/systemd/systemd/commit/f160a20a6bf995617cf8a22466638755f9a07813
+---
+ src/libsystemd-network/sd-dhcp6-lease.c | 10 ++++------
+ 1 file changed, 4 insertions(+), 6 deletions(-)
+
+diff --git a/src/libsystemd-network/sd-dhcp6-lease.c b/src/libsystemd-network/sd-dhcp6-lease.c
+index 8378971422..4804f0941a 100644
+--- a/src/libsystemd-network/sd-dhcp6-lease.c
++++ b/src/libsystemd-network/sd-dhcp6-lease.c
+@@ -366,20 +366,18 @@ int sd_dhcp6_lease_get_fqdn(sd_dhcp6_lease *lease, const char **fqdn) {
+ }
+
+ static sd_dhcp6_lease *dhcp6_lease_free(sd_dhcp6_lease *lease) {
+- assert(lease);
++ if (!lease)
++ return NULL;
+
+ free(lease->serverid);
+ dhcp6_lease_free_ia(&lease->ia);
+ dhcp6_lease_free_ia(&lease->pd);
+-
+ free(lease->dns);
+ free(lease->fqdn);
+-
+- lease->domains = strv_free(lease->domains);
+-
++ strv_free(lease->domains);
+ free(lease->ntp);
++ strv_free(lease->ntp_fqdn);
+
+- lease->ntp_fqdn = strv_free(lease->ntp_fqdn);
+ return mfree(lease);
+ }
+
+--
+2.33.0
+
diff --git a/backport-sd-dhcp6-client-modernize-dhcp6_option_parse.patch b/backport-sd-dhcp6-client-modernize-dhcp6_option_parse.patch
new file mode 100644
index 0000000000000000000000000000000000000000..e9b9c03724436f37254998ef5a233907e9101976
--- /dev/null
+++ b/backport-sd-dhcp6-client-modernize-dhcp6_option_parse.patch
@@ -0,0 +1,275 @@
+From 1cc074167fd29c6c8c9dc5d7fd6c38e4dd91ca71 Mon Sep 17 00:00:00 2001
+From: Yu Watanabe
+Date: Thu, 23 Sep 2021 14:58:28 +0900
+Subject: [PATCH] sd-dhcp6-client: modernize dhcp6_option_parse()
+
+- merge dhcp6_option_parse() with option_parse_hdr().
+- do not assign/update any values on error.
+- use assert() instead of assert_return(), as the assertions cannot
+ be triggered by a library user.
+
+(cherry picked from commit b89a3758e92894162e3c2dcb594a55acff3274d5)
+
+Conflict:NA
+Reference:https://github.com/systemd/systemd/commit/1cc074167fd29c6c8c9dc5d7fd6c38e4dd91ca71
+---
+ src/libsystemd-network/dhcp6-internal.h | 10 +++-
+ src/libsystemd-network/dhcp6-option.c | 60 ++++++++++------------
+ src/libsystemd-network/sd-dhcp6-lease.c | 37 ++++++-------
+ src/libsystemd-network/test-dhcp6-client.c | 50 +++++++++---------
+ 4 files changed, 76 insertions(+), 81 deletions(-)
+
+diff --git a/src/libsystemd-network/dhcp6-internal.h b/src/libsystemd-network/dhcp6-internal.h
+index 96d7de8cae..8d083d3858 100644
+--- a/src/libsystemd-network/dhcp6-internal.h
++++ b/src/libsystemd-network/dhcp6-internal.h
+@@ -101,8 +101,14 @@ int dhcp6_option_append_fqdn(uint8_t **buf, size_t *buflen, const char *fqdn);
+ int dhcp6_option_append_user_class(uint8_t **buf, size_t *buflen, char * const *user_class);
+ int dhcp6_option_append_vendor_class(uint8_t **buf, size_t *buflen, char * const *user_class);
+ int dhcp6_option_append_vendor_option(uint8_t **buf, size_t *buflen, OrderedHashmap *vendor_options);
+-int dhcp6_option_parse(uint8_t **buf, size_t *buflen, uint16_t *optcode,
+- size_t *optlen, uint8_t **optvalue);
++
++int dhcp6_option_parse(
++ const uint8_t *buf,
++ size_t buflen,
++ size_t *offset,
++ uint16_t *ret_option_code,
++ size_t *ret_option_data_len,
++ const uint8_t **ret_option_data);
+ int dhcp6_option_parse_status(DHCP6Option *option, size_t len);
+ int dhcp6_option_parse_ia(sd_dhcp6_client *client, DHCP6Option *iaoption, be32_t iaid, DHCP6IA *ia, uint16_t *ret_status_code);
+ int dhcp6_option_parse_ip6addrs(const uint8_t *optval, uint16_t optlen,
+diff --git a/src/libsystemd-network/dhcp6-option.c b/src/libsystemd-network/dhcp6-option.c
+index 0709cfd4fd..781d391c0c 100644
+--- a/src/libsystemd-network/dhcp6-option.c
++++ b/src/libsystemd-network/dhcp6-option.c
+@@ -370,47 +370,39 @@ int dhcp6_option_append_vendor_class(uint8_t **buf, size_t *buflen, char * const
+ return dhcp6_option_append(buf, buflen, SD_DHCP6_OPTION_VENDOR_CLASS, total, p);
+ }
+
+-static int option_parse_hdr(uint8_t **buf, size_t *buflen, uint16_t *optcode, size_t *optlen) {
+- DHCP6Option *option = (DHCP6Option*) *buf;
+- uint16_t len;
+-
+- assert_return(buf, -EINVAL);
+- assert_return(optcode, -EINVAL);
+- assert_return(optlen, -EINVAL);
+-
+- if (*buflen < offsetof(DHCP6Option, data))
+- return -ENOMSG;
+-
+- len = be16toh(option->len);
+-
+- if (len > *buflen)
+- return -ENOMSG;
+-
+- *optcode = be16toh(option->code);
+- *optlen = len;
++int dhcp6_option_parse(
++ const uint8_t *buf,
++ size_t buflen,
++ size_t *offset,
++ uint16_t *ret_option_code,
++ size_t *ret_option_data_len,
++ const uint8_t **ret_option_data) {
+
+- *buf += 4;
+- *buflen -= 4;
++ const DHCP6Option *option;
++ size_t len;
+
+- return 0;
+-}
++ assert(buf);
++ assert(offset);
++ assert(ret_option_code);
++ assert(ret_option_data_len);
++ assert(ret_option_data);
+
+-int dhcp6_option_parse(uint8_t **buf, size_t *buflen, uint16_t *optcode,
+- size_t *optlen, uint8_t **optvalue) {
+- int r;
++ if (buflen < offsetof(DHCP6Option, data))
++ return -EBADMSG;
+
+- assert_return(buf && buflen && optcode && optlen && optvalue, -EINVAL);
++ if (*offset >= buflen - offsetof(DHCP6Option, data))
++ return -EBADMSG;
+
+- r = option_parse_hdr(buf, buflen, optcode, optlen);
+- if (r < 0)
+- return r;
++ option = (const DHCP6Option*) (buf + *offset);
++ len = be16toh(option->len);
+
+- if (*optlen > *buflen)
+- return -ENOBUFS;
++ if (len > buflen - offsetof(DHCP6Option, data) - *offset)
++ return -EBADMSG;
+
+- *optvalue = *buf;
+- *buflen -= *optlen;
+- *buf += *optlen;
++ *offset += offsetof(DHCP6Option, data) + len;
++ *ret_option_code = be16toh(option->code);
++ *ret_option_data_len = len;
++ *ret_option_data = option->data;
+
+ return 0;
+ }
+diff --git a/src/libsystemd-network/sd-dhcp6-lease.c b/src/libsystemd-network/sd-dhcp6-lease.c
+index 9082185bca..6375a22537 100644
+--- a/src/libsystemd-network/sd-dhcp6-lease.c
++++ b/src/libsystemd-network/sd-dhcp6-lease.c
+@@ -259,9 +259,6 @@ int sd_dhcp6_lease_get_domains(sd_dhcp6_lease *lease, char ***domains) {
+
+ int dhcp6_lease_set_ntp(sd_dhcp6_lease *lease, uint8_t *optval, size_t optlen) {
+ int r;
+- uint16_t subopt;
+- size_t sublen;
+- uint8_t *subval;
+
+ assert_return(lease, -EINVAL);
+ assert_return(optval, -EINVAL);
+@@ -269,10 +266,14 @@ int dhcp6_lease_set_ntp(sd_dhcp6_lease *lease, uint8_t *optval, size_t optlen) {
+ lease->ntp = mfree(lease->ntp);
+ lease->ntp_count = 0;
+
+- while ((r = dhcp6_option_parse(&optval, &optlen, &subopt, &sublen,
+- &subval)) >= 0) {
+- int s;
+- char **servers;
++ for (size_t offset = 0; offset < optlen;) {
++ const uint8_t *subval;
++ size_t sublen;
++ uint16_t subopt;
++
++ r = dhcp6_option_parse(optval, optlen, &offset, &subopt, &sublen, &subval);
++ if (r < 0)
++ return r;
+
+ switch(subopt) {
+ case DHCP6_NTP_SUBOPTION_SRV_ADDR:
+@@ -280,19 +281,18 @@ int dhcp6_lease_set_ntp(sd_dhcp6_lease *lease, uint8_t *optval, size_t optlen) {
+ if (sublen != 16)
+ return 0;
+
+- s = dhcp6_option_parse_ip6addrs(subval, sublen,
+- &lease->ntp,
+- lease->ntp_count);
+- if (s < 0)
+- return s;
++ r = dhcp6_option_parse_ip6addrs(subval, sublen, &lease->ntp, lease->ntp_count);
++ if (r < 0)
++ return r;
+
+- lease->ntp_count = s;
++ lease->ntp_count = r;
+
+ break;
+
+- case DHCP6_NTP_SUBOPTION_SRV_FQDN:
+- r = dhcp6_option_parse_domainname_list(subval, sublen,
+- &servers);
++ case DHCP6_NTP_SUBOPTION_SRV_FQDN: {
++ char **servers;
++
++ r = dhcp6_option_parse_domainname_list(subval, sublen, &servers);
+ if (r < 0)
+ return 0;
+
+@@ -300,12 +300,9 @@ int dhcp6_lease_set_ntp(sd_dhcp6_lease *lease, uint8_t *optval, size_t optlen) {
+ lease->ntp_fqdn_count = r;
+
+ break;
+- }
++ }}
+ }
+
+- if (r != -ENOMSG)
+- return r;
+-
+ return 0;
+ }
+
+diff --git a/src/libsystemd-network/test-dhcp6-client.c b/src/libsystemd-network/test-dhcp6-client.c
+index 5e3b191595..5d1f709f11 100644
+--- a/src/libsystemd-network/test-dhcp6-client.c
++++ b/src/libsystemd-network/test-dhcp6-client.c
+@@ -170,47 +170,47 @@ static int test_option(sd_event *e) {
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 'B', 'A', 'R',
+ };
++ size_t offset, pos, optlen, outlen = sizeof(result);
++ const uint8_t *optval;
+ uint16_t optcode;
+- size_t optlen;
+- uint8_t *optval, *buf, *out;
+- size_t zero = 0, pos = 3;
+- size_t buflen = sizeof(packet), outlen = sizeof(result);
++ uint8_t *out;
+
+ log_debug("/* %s */", __func__);
+
+- assert_se(buflen == outlen);
++ assert_se(sizeof(packet) == sizeof(result));
+
+- assert_se(dhcp6_option_parse(&buf, &zero, &optcode, &optlen,
+- &optval) == -ENOMSG);
++ offset = 0;
++ assert_se(dhcp6_option_parse(packet, 0, &offset, &optcode, &optlen, &optval) == -EBADMSG);
+
+- buflen -= 3;
+- buf = &packet[3];
+- outlen -= 3;
+- out = &result[3];
++ offset = 3;
++ assert_se(dhcp6_option_parse(packet, 0, &offset, &optcode, &optlen, &optval) == -EBADMSG);
++
++ offset = 3;
++ assert_se(dhcp6_option_parse(packet, sizeof(packet), &offset, &optcode, &optlen, &optval) >= 0);
+
+- assert_se(dhcp6_option_parse(&buf, &buflen, &optcode, &optlen,
+- &optval) >= 0);
+- pos += 4 + optlen;
+- assert_se(buf == &packet[pos]);
+ assert_se(optcode == SD_DHCP6_OPTION_ORO);
+ assert_se(optlen == 7);
+- assert_se(buflen + pos == sizeof(packet));
++ assert_se(optval == packet + 7);
++
++ pos = 3;
++ outlen -= 3;
++ out = &result[3];
+
+- assert_se(dhcp6_option_append(&out, &outlen, optcode, optlen,
+- optval) >= 0);
++ assert_se(dhcp6_option_append(&out, &outlen, optcode, optlen, optval) >= 0);
++
++ pos += 4 + optlen;
+ assert_se(out == &result[pos]);
+ assert_se(*out == 0x00);
+
+- assert_se(dhcp6_option_parse(&buf, &buflen, &optcode, &optlen,
+- &optval) >= 0);
+- pos += 4 + optlen;
+- assert_se(buf == &packet[pos]);
++ assert_se(dhcp6_option_parse(packet, sizeof(packet), &offset, &optcode, &optlen, &optval) >= 0);
++
+ assert_se(optcode == SD_DHCP6_OPTION_VENDOR_CLASS);
+ assert_se(optlen == 9);
+- assert_se(buflen + pos == sizeof(packet));
++ assert_se(optval == packet + 18);
++
++ assert_se(dhcp6_option_append(&out, &outlen, optcode, optlen, optval) >= 0);
+
+- assert_se(dhcp6_option_append(&out, &outlen, optcode, optlen,
+- optval) >= 0);
++ pos += 4 + optlen;
+ assert_se(out == &result[pos]);
+ assert_se(*out == 'B');
+
+--
+2.33.0
+
diff --git a/backport-sd-event-don-t-destroy-inotify-data-structures-from-.patch b/backport-sd-event-don-t-destroy-inotify-data-structures-from-.patch
new file mode 100644
index 0000000000000000000000000000000000000000..caec0efdd3efe711491f8178ce3437f480a739cc
--- /dev/null
+++ b/backport-sd-event-don-t-destroy-inotify-data-structures-from-.patch
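Review bot: The second bounds check in the new dhcp6_option_parse(), `if (*offset >= buflen - offsetof(DHCP6Option, data))`, also rejects the case where exactly one option header remains, so a zero-length option that is last in the buffer fails with -EBADMSG. The length check that follows already covers that case (`len > buflen - offsetof(DHCP6Option, data) - *offset` is false for `len == 0`), so the comparison can be `if (*offset > buflen - offsetof(DHCP6Option, data))` without permitting a read past the buffer. test_option() would pin this with one more case where `buflen` equals `offsetof(DHCP6Option, data)` and the encoded length is zero.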
@@ -0,0 +1,109 @@
+From 439a271943aa182002e5fb64f1a216415e556472 Mon Sep 17 00:00:00 2001
+From: Lennart Poettering
+Date: Tue, 9 Nov 2021 00:11:38 +0100
+Subject: [PATCH] sd-event: don't destroy inotify data structures from inotify
+ event handler
+
+This fixes a bad memory access when we destroy an inotify source handler
+from the handler itself, and thus destroy the associated inotify_data
+structures.
+
+Fixes: #20177
+(cherry picked from commit 53baf2efa420cab6c4b1904c9a0c46a0c4ec80a1)
+
+Conflict:NA
+Reference:https://github.com/systemd/systemd/commit/439a271943aa182002e5fb64f1a216415e556472
+---
+ src/libsystemd/sd-event/event-source.h | 5 ++++
+ src/libsystemd/sd-event/sd-event.c | 40 +++++++++++++++++++++++---
+ 2 files changed, 41 insertions(+), 4 deletions(-)
+
+diff --git a/src/libsystemd/sd-event/event-source.h b/src/libsystemd/sd-event/event-source.h
+index d2dc21470e..7a0f14ecce 100644
+--- a/src/libsystemd/sd-event/event-source.h
++++ b/src/libsystemd/sd-event/event-source.h
+@@ -214,6 +214,11 @@ struct inotify_data {
+ * the events locally if they can't be coalesced). */
+ unsigned n_pending;
+
++ /* If this counter is non-zero, don't GC the inotify data object even if not used to watch any inode
++ * anymore. This is useful to pin the object for a bit longer, after the last event source needing it
++ * is gone. */
++ unsigned n_busy;
++
+ /* A linked list of all inotify objects with data already read, that still need processing. We keep this list
+ * to make it efficient to figure out what inotify objects to process data on next. */
+ LIST_FIELDS(struct inotify_data, buffered);
+diff --git a/src/libsystemd/sd-event/sd-event.c b/src/libsystemd/sd-event/sd-event.c
+index 99c0acfa54..3b4d938546 100644
+--- a/src/libsystemd/sd-event/sd-event.c
++++ b/src/libsystemd/sd-event/sd-event.c
+@@ -1820,6 +1820,29 @@ static void event_free_inode_data(
+ free(d);
+ }
+
++static void event_gc_inotify_data(
++ sd_event *e,
++ struct inotify_data *d) {
++
++ assert(e);
++
++ /* GCs the inotify data object if we don't need it anymore. That's the case if we don't want to watch
++ * any inode with it anymore, which in turn happens if no event source of this priority is interested
++ * in any inode any longer. That said, we maintain an extra busy counter: if non-zero we'll delay GC
++ * (under the expectation that the GC is called again once the counter is decremented). */
++
++ if (!d)
++ return;
++
++ if (!hashmap_isempty(d->inodes))
++ return;
++
++ if (d->n_busy > 0)
++ return;
++
++ event_free_inotify_data(e, d);
++}
++
+ static void event_gc_inode_data(
+ sd_event *e,
+ struct inode_data *d) {
+@@ -1837,8 +1860,7 @@ static void event_gc_inode_data(
+ inotify_data = d->inotify_data;
+ event_free_inode_data(e, d);
+
+- if (inotify_data && hashmap_isempty(inotify_data->inodes))
+- event_free_inotify_data(e, inotify_data);
++ event_gc_inotify_data(e, inotify_data);
+ }
+
+ static int event_make_inode_data(
+@@ -3556,13 +3578,23 @@ static int source_dispatch(sd_event_source *s) {
+ sz = offsetof(struct inotify_event, name) + d->buffer.ev.len;
+ assert(d->buffer_filled >= sz);
+
++ /* If the inotify callback destroys the event source then this likely means we don't need to
++ * watch the inode anymore, and thus also won't need the inotify object anymore. But if we'd
++ * free it immediately, then we couldn't drop the event from the inotify event queue without
++ * memory corruption anymore, as below. Hence, let's not free it immediately, but mark it
++ * "busy" with a counter (which will ensure it's not GC'ed away prematurely). Let's then
++ * explicitly GC it after we are done dropping the inotify event from the buffer. */
++ d->n_busy++;
+ r = s->inotify.callback(s, &d->buffer.ev, s->userdata);
++ d->n_busy--;
+
+- /* When no event is pending anymore on this inotify object, then let's drop the event from the
+- * buffer. */
++ /* When no event is pending anymore on this inotify object, then let's drop the event from
++ * the inotify event queue buffer. */
+ if (d->n_pending == 0)
+ event_inotify_data_drop(e, d, sz);
+
++ /* Now we don't want to access 'd' anymore, it's OK to GC now. */
++ event_gc_inotify_data(e, d);
+ break;
+ }
+
+--
+2.33.0
+
diff --git a/backport-sd-event-take-ref-on-event-loop-object-before-dispat.patch b/backport-sd-event-take-ref-on-event-loop-object-before-dispat.patch
new file mode 100644
index 0000000000000000000000000000000000000000..8f600cc75807159c1c8c7e4a71c4c91282cb1368
--- /dev/null
+++ b/backport-sd-event-take-ref-on-event-loop-object-before-dispat.patch
@@ -0,0 +1,36 @@
+From a93ddddd00860bda05df72cfd5b80be9b3a93023 Mon Sep 17 00:00:00 2001
+From: Michal Sekletar
+Date: Wed, 8 Sep 2021 15:42:11 +0200
+Subject: [PATCH] sd-event: take ref on event loop object before dispatching
+ event sources
+
+Idea is that all public APIs should take reference on objects that get
+exposed to user-provided callbacks. We take the reference as a
+protection from callbacks dropping it. We used to do this also here in
+sd_event_loop(). However, in cleanup portion of f814c871e6 this was
+accidentally dropped.
+
+(cherry picked from commit 9f6ef467818f902fe5369c8e37a39a3901bdcf4f)
+
+Conflict:NA
+Reference:https://github.com/systemd/systemd/commit/a93ddddd00860bda05df72cfd5b80be9b3a93023
+---
+ src/libsystemd/sd-event/sd-event.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/libsystemd/sd-event/sd-event.c b/src/libsystemd/sd-event/sd-event.c
+index e9199deb41..99c0acfa54 100644
+--- a/src/libsystemd/sd-event/sd-event.c
++++ b/src/libsystemd/sd-event/sd-event.c
+@@ -4154,7 +4154,7 @@ _public_ int sd_event_loop(sd_event *e) {
+ assert_return(!event_pid_changed(e), -ECHILD);
+ assert_return(e->state == SD_EVENT_INITIAL, -EBUSY);
+
+- _unused_ _cleanup_(sd_event_unrefp) sd_event *ref = NULL;
++ _unused_ _cleanup_(sd_event_unrefp) sd_event *ref = sd_event_ref(e);
+
+ while (e->state != SD_EVENT_FINISHED) {
+ r = sd_event_run(e, UINT64_MAX);
+--
+2.33.0
+
diff --git a/backport-sd-journal-Don-t-compare-hashes-from-different-journ.patch b/backport-sd-journal-Don-t-compare-hashes-from-different-journ.patch
new file mode 100644
index 0000000000000000000000000000000000000000..fc300e1c800b381acc20a30607d58bd23d70a7df
--- /dev/null
+++ b/backport-sd-journal-Don-t-compare-hashes-from-different-journ.patch
@@ -0,0 +1,48 @@
+From 2f5b486edfdb6dc3d5465fe7569c19560208813c Mon Sep 17 00:00:00 2001
+From: Daan De Meyer
+Date: Tue, 14 Sep 2021 15:08:46 +0100
+Subject: [PATCH] sd-journal: Don't compare hashes from different journal files
+
+In sd_journal_enumerate_fields(), we check if we've already handled
+a field by checking if we can find it in any of the already processed
+journal files. We do this by calling
+journal_file_find_field_object_with_hash(), which compares the size,
+payload and hash of the given field against all fields in a journal file,
+trying to find a match. However, since we now use per file hash functions,
+hashes for the same fields will differ between different journal files,
+meaning we'll never find an actual match.
+
+To fix the issue(), let's use journal_file_find_field_object() when one
+or more of the files we're comparing is using per file keyed hashes.
+journal_file_find_field_object() only takes the field payload and size
+as arguments and calculates the hash itself using the hash function from
+the journal file we're searching in.
+
+(cherry picked from commit 27bf0ab76e13611dce10210f2a22fb5fba05adbb)
+
+Conflict:NA
+Reference:https://github.com/systemd/systemd/commit/2f5b486edfdb6dc3d5465fe7569c19560208813c
+---
+ src/libsystemd/sd-journal/sd-journal.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/src/libsystemd/sd-journal/sd-journal.c b/src/libsystemd/sd-journal/sd-journal.c
+index 5728c537bc..a2fbc1b037 100644
+--- a/src/libsystemd/sd-journal/sd-journal.c
++++ b/src/libsystemd/sd-journal/sd-journal.c
+@@ -3158,7 +3158,11 @@ _public_ int sd_journal_enumerate_fields(sd_journal *j, const char **field) {
+ if (JOURNAL_HEADER_CONTAINS(of->header, n_fields) && le64toh(of->header->n_fields) <= 0)
+ continue;
+
+- r = journal_file_find_field_object_with_hash(of, o->field.payload, sz, le64toh(o->field.hash), NULL, NULL);
++ if (!JOURNAL_HEADER_KEYED_HASH(f->header) && !JOURNAL_HEADER_KEYED_HASH(of->header))
++ r = journal_file_find_field_object_with_hash(of, o->field.payload, sz,
++ le64toh(o->field.hash), NULL, NULL);
++ else
++ r = journal_file_find_field_object(of, o->field.payload, sz, NULL, NULL);
+ if (r < 0)
+ return r;
+ if (r > 0) {
+--
+2.33.0
+
diff --git a/backport-sd-journal-Ignore-data-threshold-if-set-to-zero-in-s.patch b/backport-sd-journal-Ignore-data-threshold-if-set-to-zero-in-s.patch
new file mode 100644
index 0000000000000000000000000000000000000000..cccaf5d1ecbc7dae95de2fb33d995aad7235a614
--- /dev/null
+++ b/backport-sd-journal-Ignore-data-threshold-if-set-to-zero-in-s.patch
@@ -0,0 +1,35 @@ +From 99ae9b83b42abbe54c059ae964b737b64ae17df9 Mon Sep 17 00:00:00 2001 +From: Daan De Meyer +Date: Wed, 15 Sep 2021 13:05:46 +0100 +Subject: [PATCH] sd-journal: Ignore data threshold if set to zero in + sd_journal_enumerate_fields() + +According to the documentation, Setting the data threshold to zero disables the +data threshold alltogether. Let's make sure we actually implement this behaviour +in sd_journal_enumerate_fields() by only applying the data threshold if it exceeds +zero. + +(cherry picked from commit adbd80f51088058d55e703abe0ac11476cfe0ba4) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/99ae9b83b42abbe54c059ae964b737b64ae17df9 +--- + src/libsystemd/sd-journal/sd-journal.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/libsystemd/sd-journal/sd-journal.c b/src/libsystemd/sd-journal/sd-journal.c +index a2fbc1b037..b3240177cb 100644 +--- a/src/libsystemd/sd-journal/sd-journal.c ++++ b/src/libsystemd/sd-journal/sd-journal.c +@@ -3178,7 +3178,7 @@ _public_ int sd_journal_enumerate_fields(sd_journal *j, const char **field) { + if (memchr(o->field.payload, 0, sz)) + return -EBADMSG; + +- if (sz > j->data_threshold) ++ if (j->data_threshold > 0 && sz > j->data_threshold) + sz = j->data_threshold; + + if (!GREEDY_REALLOC(j->fields_buffer, sz + 1)) +-- +2.33.0 + diff --git a/backport-sd-journal-fix-segfault-when-match_new-fails.patch b/backport-sd-journal-fix-segfault-when-match_new-fails.patch new file mode 100644 index 0000000000000000000000000000000000000000..27bf8c1ae3a54abbb8b2eced4218c50802541423 --- /dev/null +++ b/backport-sd-journal-fix-segfault-when-match_new-fails.patch 
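Review bot: With `j->data_threshold == 0` the size passed to `GREEDY_REALLOC(j->fields_buffer, sz + 1)` is no longer capped and is taken from the field object read out of the journal file. How `sz` is derived and validated is outside the hunk, so it is worth confirming that it is bounded by the mapped object before the allocation relies on it. A comment on the changed line would also record the contract, e.g. `/* 0 means no threshold, see sd_journal_set_data_threshold() */`.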
@@ -0,0 +1,63 @@ +From 4bf497c3814e2f612cb055b838a656e6e14c0ed0 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Thu, 23 Dec 2021 21:45:29 +0900 +Subject: [PATCH] sd-journal: fix segfault when match_new() fails + +Fixes #21867. + +(cherry picked from commit 39dfc0de05238410e2cd4d7c0176a3f3994cc563) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/4bf497c3814e2f612cb055b838a656e6e14c0ed0 +--- + src/libsystemd/sd-journal/sd-journal.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +diff --git a/src/libsystemd/sd-journal/sd-journal.c b/src/libsystemd/sd-journal/sd-journal.c +index 63b8f0dc7b..dd28b8008f 100644 +--- a/src/libsystemd/sd-journal/sd-journal.c ++++ b/src/libsystemd/sd-journal/sd-journal.c +@@ -211,7 +211,7 @@ static Match *match_new(Match *p, MatchType t) { + return m; + } + +-static void match_free(Match *m) { ++static Match *match_free(Match *m) { + assert(m); + + while (m->matches) +@@ -221,14 +221,14 @@ static void match_free(Match *m) { + LIST_REMOVE(matches, m->parent->matches, m); + + free(m->data); +- free(m); ++ return mfree(m); + } + +-static void match_free_if_empty(Match *m) { ++static Match *match_free_if_empty(Match *m) { + if (!m || m->matches) +- return; ++ return m; + +- match_free(m); ++ return match_free(m); + } + + _public_ int sd_journal_add_match(sd_journal *j, const void *data, size_t size) { +@@ -323,9 +323,9 @@ _public_ int sd_journal_add_match(sd_journal *j, const void *data, size_t size) + fail: + match_free(m); + match_free_if_empty(add_here); +- match_free_if_empty(j->level2); +- match_free_if_empty(j->level1); +- match_free_if_empty(j->level0); ++ j->level2 = match_free_if_empty(j->level2); ++ j->level1 = match_free_if_empty(j->level1); ++ j->level0 = match_free_if_empty(j->level0); + + return -ENOMEM; + } +-- +2.33.0 + 
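Review bot: `match_free_if_empty()` now returns two different things, NULL when it freed the match and the unchanged pointer when it did not, and neither helper documents that. The fix depends on callers assigning the result back (`j->level2 = match_free_if_empty(j->level2);`), so a one-line comment on each helper would make the convention explicit, e.g. `/* Returns NULL if m was freed, m otherwise; assign the result back to the owning pointer. */`. Under `fail:` the results of `match_free(m)` and `match_free_if_empty(add_here)` are still discarded; both appear to be locals of sd_journal_add_match(), whose body is mostly outside the hunk, so that is presumably harmless.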
diff --git a/backport-sd-journal-free-incomplete-match-on-failure.patch b/backport-sd-journal-free-incomplete-match-on-failure.patch new file mode 100644 index 0000000000000000000000000000000000000000..9b083e639b2a076495c3858a7de2c4bf6693a561 --- /dev/null +++ b/backport-sd-journal-free-incomplete-match-on-failure.patch @@ -0,0 +1,37 @@ +From cd9b726453398bef20c66f30a454eb503f7bcb72 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Thu, 23 Dec 2021 21:35:29 +0900 +Subject: [PATCH] sd-journal: free incomplete match on failure + +(cherry picked from commit 418cce628cf28d4feaeda60241cf9781f8afbf1c) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/cd9b726453398bef20c66f30a454eb503f7bcb72 +--- + src/libsystemd/sd-journal/sd-journal.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/src/libsystemd/sd-journal/sd-journal.c b/src/libsystemd/sd-journal/sd-journal.c +index 71875a4dc8..63b8f0dc7b 100644 +--- a/src/libsystemd/sd-journal/sd-journal.c ++++ b/src/libsystemd/sd-journal/sd-journal.c +@@ -232,7 +232,7 @@ static void match_free_if_empty(Match *m) { + } + + _public_ int sd_journal_add_match(sd_journal *j, const void *data, size_t size) { +- Match *l3, *l4, *add_here = NULL, *m; ++ Match *l3, *l4, *add_here = NULL, *m = NULL; + uint64_t hash; + + assert_return(j, -EINVAL); +@@ -321,6 +321,7 @@ _public_ int sd_journal_add_match(sd_journal *j, const void *data, size_t size) + return 0; + + fail: ++ match_free(m); + match_free_if_empty(add_here); + match_free_if_empty(j->level2); + match_free_if_empty(j->level1); +-- +2.33.0 + diff --git a/backport-sd-netlink-always-append-new-bridge-FDB-entries.patch b/backport-sd-netlink-always-append-new-bridge-FDB-entries.patch new file mode 100644 index 0000000000000000000000000000000000000000..28959a9a37146631f29ed1787f35a55d6eb04abd --- /dev/null +++ b/backport-sd-netlink-always-append-new-bridge-FDB-entries.patch 
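Review bot: The added `match_free(m);` under `fail:` can apparently be reached with `m` still NULL, which is why the same patch initialises it with `*m = NULL`, yet match_free() opens with `assert(m)` (visible in the fix-segfault-when-match_new-fails patch for the same file on this page). If any `goto fail` precedes the assignment of `m` (the jumps are outside the hunk), an allocation failure would end in an assertion failure instead of returning `-ENOMEM`. Guarding the call, `if (m) match_free(m);`, keeps the error path clean.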
@@ -0,0 +1,39 @@ +From f65dedbb8f3bd8a0ec69a02f63f62f339a791423 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Wed, 4 Aug 2021 18:16:44 +0900 +Subject: [PATCH] sd-netlink: always append new bridge FDB entries + +This partially reverts 192a9d95ea3e058afd824d38a9cea16ad0a84a57 (#19432). + +Fixes #20305. + +(cherry picked from commit 74c1ab841fbad9d4f237c819577fcd1d46a072b6) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/f65dedbb8f3bd8a0ec69a02f63f62f339a791423 +--- + src/libsystemd/sd-netlink/rtnl-message.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/src/libsystemd/sd-netlink/rtnl-message.c b/src/libsystemd/sd-netlink/rtnl-message.c +index e771b95e08..7f83bf58b3 100644 +--- a/src/libsystemd/sd-netlink/rtnl-message.c ++++ b/src/libsystemd/sd-netlink/rtnl-message.c +@@ -443,8 +443,12 @@ int sd_rtnl_message_new_neigh(sd_netlink *rtnl, sd_netlink_message **ret, uint16 + if (r < 0) + return r; + +- if (nlmsg_type == RTM_NEWNEIGH) +- (*ret)->hdr->nlmsg_flags |= NLM_F_CREATE | NLM_F_REPLACE; ++ if (nlmsg_type == RTM_NEWNEIGH) { ++ if (ndm_family == AF_BRIDGE) ++ (*ret)->hdr->nlmsg_flags |= NLM_F_CREATE | NLM_F_APPEND; ++ else ++ (*ret)->hdr->nlmsg_flags |= NLM_F_CREATE | NLM_F_REPLACE; ++ } + + ndm = NLMSG_DATA((*ret)->hdr); + +-- +2.33.0 + diff --git a/backport-seccomp-Always-install-filters-for-native-architectu.patch b/backport-seccomp-Always-install-filters-for-native-architectu.patch new file mode 100644 index 0000000000000000000000000000000000000000..91671e69f649a071f2b19bac1675b90c368589fc --- /dev/null +++ b/backport-seccomp-Always-install-filters-for-native-architectu.patch 
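Review bot: The new `AF_BRIDGE` branch in sd_rtnl_message_new_neigh() carries no comment, so the reason bridge FDB entries get `NLM_F_APPEND` while every other family keeps `NLM_F_REPLACE` is only recoverable from the issue tracker. I would add `/* Bridge FDB entries are always appended rather than replaced, see #20305. */` above the inner `if`. The function continues outside the hunk.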
@@ -0,0 +1,64 @@ +From ba8bce7b562f9ef83a4de697eae2f97cf1806e3d Mon Sep 17 00:00:00 2001 +From: Benjamin Berg +Date: Fri, 17 Sep 2021 13:05:32 +0200 +Subject: [PATCH] seccomp: Always install filters for native architecture + +The commit 6597686865ff ("seccomp: don't install filters for archs that +can't use syscalls") introduced a regression where filters may not be +installed for the "native" architecture. This means that setting +SystemCallArchitectures=native for a unit effectively disables the +SystemCallFilter= and SystemCallLog= options. + +Conceptually, we have two filter stages: + 1. architecture used for syscall (SystemCallArchitectures=) + 2. syscall + architecture combination (SystemCallFilter=) + +The above commit tried to optimize the filter generation by skipping the +second level filtering when it is not required. + +However, systemd will never fully block the "native" architecture using +the first level filter. This makes the code a lot simpler, as systemd +can execve() the target binary using its own architecture. And, it +should be perfectly fine as the "native" architecture will always be the +one with the most restrictive seccomp filtering. + +Said differently, the bug arises because (on x86_64): + 1. x86_64 is permitted by libseccomp already + 2. native != x86_64 + 3. the loop wants to block x86_64 because the permitted set only + contains "native" (i.e. "native" != "x86_64") + 4. x86_64 is marked as blocked in seccomp_local_archs + +Thereby we have an inconsistency, where it is marked as blocked in the +seccomp_local_archs array but it is allowed by libseccomp. i.e. we will +skip generating filter stage 2 without having stage 1 in place. + +The fix is simple, we just skip the native architecture when looping +seccomp_local_archs. This way the inconsistency cannot happen. 
+ +(cherry picked from commit f833df38488ea40fc3d601ccefd64cfa3fce8bb4) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/ba8bce7b562f9ef83a4de697eae2f97cf1806e3d +--- + src/shared/seccomp-util.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c +index 631ca5dd34..31d6b542c0 100644 +--- a/src/shared/seccomp-util.c ++++ b/src/shared/seccomp-util.c +@@ -1789,6 +1789,10 @@ int seccomp_restrict_archs(Set *archs) { + for (unsigned i = 0; seccomp_local_archs[i] != SECCOMP_LOCAL_ARCH_END; ++i) { + uint32_t arch = seccomp_local_archs[i]; + ++ /* See above comment, our "native" architecture is never blocked. */ ++ if (arch == seccomp_arch_native()) ++ continue; ++ + /* That architecture might have already been blocked by a previous call to seccomp_restrict_archs. */ + if (arch == SECCOMP_LOCAL_ARCH_BLOCKED) + continue; +-- +2.33.0 + diff --git a/backport-seccomp-drop-getrandom-from-system-service.patch b/backport-seccomp-drop-getrandom-from-system-service.patch new file mode 100644 index 0000000000000000000000000000000000000000..ae771d088b5a84aa3ff79dfbd98158b745dbed21 --- /dev/null +++ b/backport-seccomp-drop-getrandom-from-system-service.patch 
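Review bot: The added comment `/* See above comment, our "native" architecture is never blocked. */` points at text that is not next to the check, while the security-relevant reason sits only in the commit message: marking the native architecture as blocked makes later code skip the SystemCallFilter=/SystemCallLog= rules for it. I would make the comment self-contained, e.g. `/* Never mark the native arch as blocked: it is always permitted at the arch stage, so syscall filters must still be generated for it. */`. The patch changes only src/shared/seccomp-util.c; a test that combines SystemCallArchitectures=native with SystemCallFilter= and checks that a filtered call is still denied would guard against this regressing silently. The loop body continues outside the hunk.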
@@ -0,0 +1,34 @@ +From 9eb9b07c404be8d59a800c70593809a69f0d0e55 Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Tue, 27 Jul 2021 17:10:21 +0200 +Subject: [PATCH] seccomp: drop getrandom() from @system-service + +It's included in @default now, since +14f4b1b568907350d023d1429c1aa4aaa8925f22, and since @system-service +pulls that in we can drop it from @system-service. + +Follow-up for #20191 + +(cherry picked from commit 67347f37407489a68e12da8f75b78ae1d1168de9) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/9eb9b07c404be8d59a800c70593809a69f0d0e55 +--- + src/shared/seccomp-util.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c +index cad0af89f2..703d5a939c 100644 +--- a/src/shared/seccomp-util.c ++++ b/src/shared/seccomp-util.c +@@ -859,7 +859,6 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = { + "get_mempolicy\0" + "getcpu\0" + "getpriority\0" +- "getrandom\0" + "ioctl\0" + "ioprio_get\0" + "kcmp\0" +-- +2.33.0 + diff --git a/backport-seccomp-move-arch_prctl-to-default.patch b/backport-seccomp-move-arch_prctl-to-default.patch new file mode 100644 index 0000000000000000000000000000000000000000..4a305c4a0ba24f36d482798d2dd127394110a230 --- /dev/null +++ b/backport-seccomp-move-arch_prctl-to-default.patch 
@@ -0,0 +1,54 @@ +From cf6d1dcc93ad7caedaa139d3c0377f7524fe1013 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Fri, 7 Jan 2022 15:23:55 +0100 +Subject: [PATCH] seccomp: move arch_prctl to @default + +It was reported as used by the linker: + +> [It is] called in the setup of ld-linux-x86-64.so.2 from _dl_sysdep_start. +> My local call stack (with LTO): +> +> #0 init_cpu_features.constprop.0 (/usr/lib64/ld-linux-x86-64.so.2) +> #1 _dl_sysdep_start (/usr/lib64/ld-linux-x86-64.so.2) +> #2 _dl_start (/usr/lib64/ld-linux-x86-64.so.2) +> #3 _start (/usr/lib64/ld-linux-x86-64.so.2) +> +> Looking through the source, I think it's this (links for glibc 2.34): +> - First dl_platform_init calls _dl_x86_init_cpu_features, a wrapper for init_cpu_features. +> - Then init_cpu_features calls get_cet_status. +> - At last, get_cet_status invokes arch_prctl. + +Fixes #22033. + +(cherry picked from commit 5f02870a74aa3a758115cc9bd6d68f239caf8453) +(cherry picked from commit d08f6ff204c8525f7533875128468afb8be60ae0) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/cf6d1dcc93ad7caedaa139d3c0377f7524fe1013 +--- + src/shared/seccomp-util.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c +index 2d73354e1a..ccfa4cc56a 100644 +--- a/src/shared/seccomp-util.c ++++ b/src/shared/seccomp-util.c +@@ -283,6 +283,7 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = { + .name = "@default", + .help = "System calls that are always permitted", + .value = ++ "arch_prctl\0" /* Used during platform-specific initialization by ld-linux.so. 
*/ + "brk\0" + "cacheflush\0" + "clock_getres\0" +@@ -712,7 +713,6 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = { + .name = "@process", + .help = "Process control, execution, namespacing operations", + .value = +- "arch_prctl\0" + "capget\0" /* Able to query arbitrary processes */ + "clone\0" + "clone3\0" +-- +2.33.0 + diff --git a/backport-seccomp-move-mprotect-to-default.patch b/backport-seccomp-move-mprotect-to-default.patch new file mode 100644 index 0000000000000000000000000000000000000000..05be12fff3ca311c3ea6ce2fe13d5b30bcd418ec --- /dev/null +++ b/backport-seccomp-move-mprotect-to-default.patch 
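Review bot: Adding `arch_prctl` to `@default` puts a call that changes process state into the set described as "always permitted", and the inline comment gives only the reason it is needed. The sched_getaffinity() patch on this page states that read-only calls are the safe ones to move and otherwise "if in doubt, don't", so the exception deserves a word, e.g. `"arch_prctl\0" /* Used during platform-specific initialization by ld-linux.so; not read-only, accepted because the dynamic loader calls it at startup. */`. Allow-list filters that include `@default` but not `@process` will now permit it implicitly, which may merit a release note.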
@@ -0,0 +1,52 @@ +From 0c8195d673f46ab41ffbf7bb0eb54b53f202bb3f Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Sat, 13 Nov 2021 16:08:25 +0100 +Subject: [PATCH] seccomp: move mprotect to @default + +With glibc-2.34.9000-17.fc36.x86_64, dynamically programs newly fail in early +init with a restrictive syscall filter that does not include @system-service. +I think this is caused by 2dd87703d4386f2776c5b5f375a494c91d7f9fe4: + +Author: Florian Weimer +Date: Mon May 10 10:31:41 2021 +0200 + + nptl: Move changing of stack permissions into ld.so + + All the stack lists are now in _rtld_global, so it is possible + to change stack permissions directly from there, instead of + calling into libpthread to do the change. + +It seems that this call will now be very widely used, so let's just move it to +default to avoid too many failures. + +(cherry picked from commit 4728625490b70ac4a686b1655c08ad3fe7b97359) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/0c8195d673f46ab41ffbf7bb0eb54b53f202bb3f +--- + src/shared/seccomp-util.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c +index 31d6b542c0..2d73354e1a 100644 +--- a/src/shared/seccomp-util.c ++++ b/src/shared/seccomp-util.c +@@ -324,6 +324,7 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = { + "membarrier\0" + "mmap\0" + "mmap2\0" ++ "mprotect\0" + "munmap\0" + "nanosleep\0" + "pause\0" +@@ -864,7 +865,6 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = { + "ioprio_get\0" + "kcmp\0" + "madvise\0" +- "mprotect\0" + "mremap\0" + "name_to_handle_at\0" + "oldolduname\0" +-- +2.33.0 + diff --git a/backport-seccomp-move-sched_getaffinity-from-system-service-t.patch b/backport-seccomp-move-sched_getaffinity-from-system-service-t.patch new file mode 100644 index 0000000000000000000000000000000000000000..32e96e97002039637cb9385a13fd963fc1f476f5 
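Review bot: `mprotect` is added to `@default` without a comment, unlike the `arch_prctl` entry added by the neighbouring patch, and it is the call that can make memory executable. I would annotate the line, e.g. `"mprotect\0" /* Needed by ld.so to change stack permissions with newer glibc. */`. The documentation should also say that allow-lists no longer deny it, so services that want W^X should set MemoryDenyWriteExecute= rather than rely on the filter set. The table continues outside both hunks.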
--- /dev/null +++ b/backport-seccomp-move-sched_getaffinity-from-system-service-t.patch @@ -0,0 +1,49 @@ +From 77681242c8c6d7693814b8245e9096e43faa21be Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Tue, 27 Jul 2021 17:11:09 +0200 +Subject: [PATCH] seccomp: move sched_getaffinity() from @system-service to + @default + +See: https://github.com/systemd/systemd/pull/20191#issuecomment-881982739 + +In general, we shouldn't blanket move syscalls like this into @default, +given that glibc actually does have fallbacks, afaics. However, as +long as the syscalls are "read-only" and thus benign, I figure it's a +safe thing to do. But we should probably stick to a "if in doubt, don't" +rule, and put these syscalls in @system-service as default, but not into +@default. + +I think in the real world @system-service is the sensible group people +should use, and not @default actually. + +(cherry picked from commit 7df660e45682af5c40a236abe1bdc5ddcf3b3533) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/77681242c8c6d7693814b8245e9096e43faa21be +--- + src/shared/seccomp-util.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c +index 703d5a939c..631ca5dd34 100644 +--- a/src/shared/seccomp-util.c ++++ b/src/shared/seccomp-util.c +@@ -331,6 +331,7 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = { + "restart_syscall\0" + "rseq\0" + "rt_sigreturn\0" ++ "sched_getaffinity\0" + "sched_yield\0" + "set_robust_list\0" + "set_thread_area\0" +@@ -874,7 +875,6 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = { + "remap_file_pages\0" + "sched_get_priority_max\0" + "sched_get_priority_min\0" +- "sched_getaffinity\0" + "sched_getattr\0" + "sched_getparam\0" + "sched_getscheduler\0" +-- +2.33.0 + 
diff --git a/backport-shared-format-table-allocate-buffer-of-sufficient-si.patch b/backport-shared-format-table-allocate-buffer-of-sufficient-si.patch new file mode 100644 index 0000000000000000000000000000000000000000..ebe05afadd1e218dd54ddcce724d26df5374a4cb --- /dev/null +++ b/backport-shared-format-table-allocate-buffer-of-sufficient-si.patch @@ -0,0 +1,38 @@ +From e6407ca25852dadec355df2e6fdc92d1f189bceb Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Mon, 5 Jul 2021 21:29:11 +0200 +Subject: [PATCH] shared/format-table: allocate buffer of sufficient size + +(cherry picked from commit 6dc57047ff0f1f9e98938ffb172dae06e6868b94) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/e6407ca25852dadec355df2e6fdc92d1f189bceb +--- + src/shared/format-table.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/shared/format-table.c b/src/shared/format-table.c +index c4c3439541..4c4e4593d8 100644 +--- a/src/shared/format-table.c ++++ b/src/shared/format-table.c +@@ -1409,7 +1409,7 @@ static const char *table_data_format(Table *t, TableData *d, bool avoid_uppercas + _cleanup_free_ char *p = NULL; + char *ret; + +- p = new(char, FORMAT_TIMESTAMP_MAX); ++ p = new(char, d->type == TABLE_TIMESTAMP_RELATIVE ? FORMAT_TIMESTAMP_RELATIVE_MAX : FORMAT_TIMESTAMP_MAX); + if (!p) + return NULL; + +@@ -1418,7 +1418,7 @@ static const char *table_data_format(Table *t, TableData *d, bool avoid_uppercas + else if (d->type == TABLE_TIMESTAMP_UTC) + ret = format_timestamp_style(p, FORMAT_TIMESTAMP_MAX, d->timestamp, TIMESTAMP_UTC); + else +- ret = format_timestamp_relative(p, FORMAT_TIMESTAMP_MAX, d->timestamp); ++ ret = format_timestamp_relative(p, FORMAT_TIMESTAMP_RELATIVE_MAX, d->timestamp); + if (!ret) + return "n/a"; + +-- +2.33.0 + 
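Review bot: The buffer size is now chosen in the `new(char, …)` call and then repeated as a constant in each formatter call, so the allocation and the length handed to the formatter can drift apart. In particular the final `else` passes `FORMAT_TIMESTAMP_RELATIVE_MAX` for every type not handled earlier, while the allocation uses that size only when `d->type == TABLE_TIMESTAMP_RELATIVE`; the case labels are outside the hunk, so whether another type can reach it cannot be confirmed here. Computing the size once, `size_t l = d->type == TABLE_TIMESTAMP_RELATIVE ? FORMAT_TIMESTAMP_RELATIVE_MAX : FORMAT_TIMESTAMP_MAX;`, then `p = new(char, l);` and passing `l` to all three calls removes the mismatch by construction.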
diff --git a/backport-sleep-don-t-skip-resume-device-with-low-priority-ava.patch b/backport-sleep-don-t-skip-resume-device-with-low-priority-ava.patch new file mode 100644 index 0000000000000000000000000000000000000000..b9e39caa5958d7a3ddd60cdb6a5dde01232dc138 --- /dev/null +++ b/backport-sleep-don-t-skip-resume-device-with-low-priority-ava.patch 
@@ -0,0 +1,53 @@ +From 20c776c5e92201e01d4bfbea4ecbc4df758bcf09 Mon Sep 17 00:00:00 2001 +From: Egor +Date: Sun, 3 Oct 2021 03:42:50 +0300 +Subject: [PATCH] sleep: don't skip resume device with low priority/available + space + +this fixes hibernation when there's a higher priority swap preceding +the resume swap in /proc/swaps. + +fixes #19486 + +(cherry picked from commit 936a7cb66a0b423e75ceef87f02537067ad17002) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/20c776c5e92201e01d4bfbea4ecbc4df758bcf09 +--- + src/shared/sleep-config.c | 20 +++++++++++--------- + 1 file changed, 11 insertions(+), 9 deletions(-) + +diff --git a/src/shared/sleep-config.c b/src/shared/sleep-config.c +index dbaecb3a0f..8ec3d09a58 100644 +--- a/src/shared/sleep-config.c ++++ b/src/shared/sleep-config.c +@@ -392,15 +392,17 @@ int find_hibernate_location(HibernateLocation **ret_hibernate_location) { + } + + /* prefer resume device or highest priority swap with most remaining space */ +- if (hibernate_location && swap->priority < hibernate_location->swap->priority) { +- log_debug("%s: ignoring device with lower priority", swap->device); +- continue; +- } +- if (hibernate_location && +- (swap->priority == hibernate_location->swap->priority +- && swap->size - swap->used < hibernate_location->swap->size - hibernate_location->swap->used)) { +- log_debug("%s: ignoring device with lower usable space", swap->device); +- continue; ++ if (sys_resume == 0) { ++ if (hibernate_location && swap->priority < hibernate_location->swap->priority) { ++ log_debug("%s: ignoring device with lower priority", swap->device); ++ continue; ++ } ++ if (hibernate_location && ++ (swap->priority == hibernate_location->swap->priority ++ && swap->size - swap->used < hibernate_location->swap->size - hibernate_location->swap->used)) { ++ log_debug("%s: ignoring device with lower usable space", swap->device); ++ continue; ++ } + } + + dev_t swap_device; +-- +2.33.0 + 
diff --git a/backport-socket-util-introduce-CMSG_SPACE_TIMEVAL-TIMESPEC-ma.patch b/backport-socket-util-introduce-CMSG_SPACE_TIMEVAL-TIMESPEC-ma.patch new file mode 100644 index 0000000000000000000000000000000000000000..30628d74bff99c39d5b73c14fed539878696a3b0 --- /dev/null +++ b/backport-socket-util-introduce-CMSG_SPACE_TIMEVAL-TIMESPEC-ma.patch 
@@ -0,0 +1,94 @@ +From d36785cdd845710028ab033f85493572f15cab23 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Sun, 29 Aug 2021 20:50:49 +0900 +Subject: [PATCH] socket-util: introduce CMSG_SPACE_TIMEVAL/TIMESPEC macro to + support additional 64bit timeval or timespec + +Fixes #20482 and #20564. + +(cherry picked from commit 9365e296fe281da45797af89a97627e872fc019d) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/d36785cdd845710028ab033f85493572f15cab23 +--- + src/basic/socket-util.h | 22 ++++++++++++++++++++++ + src/journal/journald-server.c | 2 +- + src/libsystemd-network/icmp6-util.c | 2 +- + src/timesync/timesyncd-manager.c | 2 +- + 4 files changed, 25 insertions(+), 3 deletions(-) + +diff --git a/src/basic/socket-util.h b/src/basic/socket-util.h +index f92e425fd6..09e606614c 100644 +--- a/src/basic/socket-util.h ++++ b/src/basic/socket-util.h +@@ -277,6 +277,28 @@ static inline int getsockopt_int(int fd, int level, int optname, int *ret) { + int socket_bind_to_ifname(int fd, const char *ifname); + int socket_bind_to_ifindex(int fd, int ifindex); + ++/* Define a 64bit version of timeval/timespec in any case, even on 32bit userspace. */ ++struct timeval_large { ++ uint64_t tvl_sec, tvl_usec; ++}; ++struct timespec_large { ++ uint64_t tvl_sec, tvl_nsec; ++}; ++ ++/* glibc duplicates timespec/timeval on certain 32bit archs, once in 32bit and once in 64bit. ++ * See __convert_scm_timestamps() in glibc source code. Hence, we need additional buffer space for them ++ * to prevent from recvmsg_safe() returning -EXFULL. */ ++#define CMSG_SPACE_TIMEVAL \ ++ ((sizeof(struct timeval) == sizeof(struct timeval_large)) ? \ ++ CMSG_SPACE(sizeof(struct timeval)) : \ ++ CMSG_SPACE(sizeof(struct timeval)) + \ ++ CMSG_SPACE(sizeof(struct timeval_large))) ++#define CMSG_SPACE_TIMESPEC \ ++ ((sizeof(struct timespec) == sizeof(struct timespec_large)) ? 
\ ++ CMSG_SPACE(sizeof(struct timespec)) : \ ++ CMSG_SPACE(sizeof(struct timespec)) + \ ++ CMSG_SPACE(sizeof(struct timespec_large))) ++ + ssize_t recvmsg_safe(int sockfd, struct msghdr *msg, int flags); + + int socket_get_family(int fd, int *ret); +diff --git a/src/journal/journald-server.c b/src/journal/journald-server.c +index a0695ec519..abd52f7c14 100644 +--- a/src/journal/journald-server.c ++++ b/src/journal/journald-server.c +@@ -1277,7 +1277,7 @@ int server_process_datagram( + * identical to NAME_MAX. For now we use that, but this should be updated one day when the final + * limit is known. */ + CMSG_BUFFER_TYPE(CMSG_SPACE(sizeof(struct ucred)) + +- CMSG_SPACE(sizeof(struct timeval)) + ++ CMSG_SPACE_TIMEVAL + + CMSG_SPACE(sizeof(int)) + /* fd */ + CMSG_SPACE(NAME_MAX) /* selinux label */) control; + +diff --git a/src/libsystemd-network/icmp6-util.c b/src/libsystemd-network/icmp6-util.c +index 0b8c3e4cc3..823be0f275 100644 +--- a/src/libsystemd-network/icmp6-util.c ++++ b/src/libsystemd-network/icmp6-util.c +@@ -149,7 +149,7 @@ int icmp6_receive(int fd, void *buffer, size_t size, struct in6_addr *ret_dst, + triple_timestamp *ret_timestamp) { + + CMSG_BUFFER_TYPE(CMSG_SPACE(sizeof(int)) + /* ttl */ +- CMSG_SPACE(sizeof(struct timeval))) control; ++ CMSG_SPACE_TIMEVAL) control; + struct iovec iov = {}; + union sockaddr_union sa = {}; + struct msghdr msg = { +diff --git a/src/timesync/timesyncd-manager.c b/src/timesync/timesyncd-manager.c +index 9d874cfc8a..eae14e8fb2 100644 +--- a/src/timesync/timesyncd-manager.c ++++ b/src/timesync/timesyncd-manager.c +@@ -412,7 +412,7 @@ static int manager_receive_response(sd_event_source *source, int fd, uint32_t re + .iov_base = &ntpmsg, + .iov_len = sizeof(ntpmsg), + }; +- CMSG_BUFFER_TYPE(CMSG_SPACE(sizeof(struct timespec))) control; ++ CMSG_BUFFER_TYPE(CMSG_SPACE_TIMESPEC) control; + union sockaddr_union server_addr; + struct msghdr msghdr = { + .msg_iov = &iov, +-- +2.33.0 + 
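Review bot: `struct timeval_large` and `struct timespec_large` in socket-util.h appear to exist only so that `sizeof` yields the 64-bit layout, but the comment does not say so and their fields are unsigned, unlike the real time types. A line such as `/* Only used for sizeof() in the CMSG_SPACE_* macros below, never to parse a control message. */` would stop them being reused as parsers. The patch converts three receive buffers; any other `CMSG_SPACE(sizeof(struct timeval))` or `timespec` control buffer left in the tree would still be undersized on the affected 32-bit architectures, so a grep for remaining uses is worth doing before merging.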
diff --git a/backport-src-boot-efi-linux-fix-linux_exec-prototype.patch b/backport-src-boot-efi-linux-fix-linux_exec-prototype.patch new file mode 100644 index 0000000000000000000000000000000000000000..be174329c50045b05f2431ab08f0a2785c485198 --- /dev/null +++ b/backport-src-boot-efi-linux-fix-linux_exec-prototype.patch @@ -0,0 +1,48 @@ +From a825ced57fa8533ba54fec4c4476400e122ddbc3 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Alfonso=20S=C3=A1nchez-Beato?= + +Date: Thu, 19 Aug 2021 12:21:12 +0200 +Subject: [PATCH] src/boot/efi/linux: fix linux_exec prototype + +Callers to linux_exec() are actually passing an EFI_HANDLE, not a pointer to +it. linux_efi_handover(), which is called by linux_exec(), also expects an +EFI_HANDLE. + +(cherry picked from commit d48f9174cf211a235193963a06b3d28537fc6529) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/a825ced57fa8533ba54fec4c4476400e122ddbc3 +--- + src/boot/efi/linux.c | 2 +- + src/boot/efi/linux.h | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/boot/efi/linux.c b/src/boot/efi/linux.c +index 4d44671315..b5d6120493 100644 +--- a/src/boot/efi/linux.c ++++ b/src/boot/efi/linux.c +@@ -25,7 +25,7 @@ static VOID linux_efi_handover(EFI_HANDLE image, struct boot_params *params) { + handover(image, ST, params); + } + +-EFI_STATUS linux_exec(EFI_HANDLE *image, ++EFI_STATUS linux_exec(EFI_HANDLE image, + CHAR8 *cmdline, UINTN cmdline_len, + UINTN linux_addr, + UINTN initrd_addr, UINTN initrd_size) { +diff --git a/src/boot/efi/linux.h b/src/boot/efi/linux.h +index 09be2de27b..53270e16b3 100644 +--- a/src/boot/efi/linux.h ++++ b/src/boot/efi/linux.h +@@ -83,7 +83,7 @@ struct boot_params { + UINT8 _pad9[276]; + } __attribute__((packed)); + +-EFI_STATUS linux_exec(EFI_HANDLE *image, ++EFI_STATUS linux_exec(EFI_HANDLE image, + CHAR8 *cmdline, UINTN cmdline_size, + UINTN linux_addr, + UINTN initrd_addr, UINTN initrd_size); +-- +2.33.0 + 
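Review bot: The prototype in linux.h names the third parameter `cmdline_size` while the definition in linux.c calls it `cmdline_len`; both appear as context lines in this patch, which already edits both declarations. Aligning them while here, e.g. `CHAR8 *cmdline, UINTN cmdline_len,` in linux.h, avoids confusion over whether the value counts a terminating NUL. The body of linux_exec() is outside the hunk.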
diff --git a/backport-stat-util-specify-O_DIRECTORY-when-reopening-dir-in-.patch b/backport-stat-util-specify-O_DIRECTORY-when-reopening-dir-in-.patch new file mode 100644 index 0000000000000000000000000000000000000000..687df80e897ea392bdab7b85d8b71d29f8538f76 --- /dev/null +++ b/backport-stat-util-specify-O_DIRECTORY-when-reopening-dir-in-.patch @@ -0,0 +1,36 @@ +From e1e32516f98a1f39ce763545de9a8664526d0b8a Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Thu, 21 Oct 2021 18:07:06 +0200 +Subject: [PATCH] stat-util: specify O_DIRECTORY when reopening dir in + dir_is_empty_at() + +That way we can fail earlier if the specified fd is not actually a +directory. + +(Also, it's not exactly according to standards to open things without +either O_RDONLY/O_RDWR...) + +(cherry picked from commit b9d06522631a22d242374dc44a74c3b6459e3cb3) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/e1e32516f98a1f39ce763545de9a8664526d0b8a +--- + src/basic/stat-util.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/basic/stat-util.c b/src/basic/stat-util.c +index 72a7e4a48b..56f7652cec 100644 +--- a/src/basic/stat-util.c ++++ b/src/basic/stat-util.c +@@ -79,7 +79,7 @@ int dir_is_empty_at(int dir_fd, const char *path) { + } else { + /* Note that DUPing is not enough, as the internal pointer + * would still be shared and moved by FOREACH_DIRENT. */ +- fd = fd_reopen(dir_fd, O_CLOEXEC); ++ fd = fd_reopen(dir_fd, O_RDONLY|O_DIRECTORY|O_CLOEXEC); + if (fd < 0) + return fd; + } +-- +2.33.0 + diff --git a/backport-syscalls-update-syscall-definitions.patch b/backport-syscalls-update-syscall-definitions.patch new file mode 100644 index 0000000000000000000000000000000000000000..78f80cf404aa9207e49b8cdecd812f17c1bd86a6 --- /dev/null +++ b/backport-syscalls-update-syscall-definitions.patch 
@@ -0,0 +1,853 @@ +From f551941e5d7a39312903625d473e1d527358f0e1 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Mon, 3 Jan 2022 03:48:10 +0900 +Subject: [PATCH] syscalls: update syscall definitions + +(cherry picked from commit 0c718b1a67cd0d3512eafeb4659458694bf3865b) +(cherry picked from commit 7e338876577cb328632ce3e7753c0130b54dd7a2) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/f551941e5d7a39312903625d473e1d527358f0e1 +--- + src/basic/syscalls-alpha.txt | 6 ++++-- + src/basic/syscalls-arc.txt | 6 ++++-- + src/basic/syscalls-arm.txt | 6 ++++-- + src/basic/syscalls-arm64.txt | 6 ++++-- + src/basic/syscalls-i386.txt | 6 ++++-- + src/basic/syscalls-ia64.txt | 6 ++++-- + src/basic/syscalls-m68k.txt | 6 ++++-- + src/basic/syscalls-mips64.txt | 6 ++++-- + src/basic/syscalls-mips64n32.txt | 6 ++++-- + src/basic/syscalls-mipso32.txt | 6 ++++-- + src/basic/syscalls-powerpc.txt | 6 ++++-- + src/basic/syscalls-powerpc64.txt | 6 ++++-- + src/basic/syscalls-riscv32.txt | 8 +++++--- + src/basic/syscalls-riscv64.txt | 6 ++++-- + src/basic/syscalls-s390.txt | 6 ++++-- + src/basic/syscalls-s390x.txt | 6 ++++-- + src/basic/syscalls-sparc.txt | 6 ++++-- + src/basic/syscalls-x86_64.txt | 6 ++++-- + 18 files changed, 73 insertions(+), 37 deletions(-) + +diff --git a/src/basic/syscalls-alpha.txt b/src/basic/syscalls-alpha.txt +index 3bcc357075..5aef86b09e 100644 +--- a/src/basic/syscalls-alpha.txt ++++ b/src/basic/syscalls-alpha.txt +@@ -106,6 +106,7 @@ ftruncate 130 + ftruncate64 + futex 394 + futex_time64 ++futex_waitv 559 + futimesat 454 + get_kernel_syms 309 + get_mempolicy 430 +@@ -203,6 +204,7 @@ madvise 75 + mbind 429 + membarrier 517 + memfd_create 512 ++memfd_secret + memory_ordering + migrate_pages 449 + mincore 375 +@@ -374,7 +376,6 @@ pciconfig_read 345 + pciconfig_write 346 + perf_event_open 493 + perfctr +-perfmonctl + personality 324 + pidfd_getfd 548 + pidfd_open 544 +@@ -394,6 +395,7 @@ preadv 490 + preadv2 520 + prlimit64 496 + 
process_madvise 550 ++process_mrelease 558 + process_vm_readv 504 + process_vm_writev 505 + pselect6 463 +@@ -404,7 +406,7 @@ pwritev 491 + pwritev2 521 + query_module 347 + quotactl 148 +-quotactl_path ++quotactl_fd 553 + read 3 + readahead 379 + readdir +diff --git a/src/basic/syscalls-arc.txt b/src/basic/syscalls-arc.txt +index e4204fa0f2..f275f104bf 100644 +--- a/src/basic/syscalls-arc.txt ++++ b/src/basic/syscalls-arc.txt +@@ -106,6 +106,7 @@ ftruncate + ftruncate64 46 + futex 98 + futex_time64 422 ++futex_waitv 449 + futimesat + get_kernel_syms + get_mempolicy 236 +@@ -203,6 +204,7 @@ madvise 233 + mbind 235 + membarrier 283 + memfd_create 279 ++memfd_secret + memory_ordering + migrate_pages 238 + mincore 232 +@@ -374,7 +376,6 @@ pciconfig_read + pciconfig_write + perf_event_open 241 + perfctr +-perfmonctl + personality 92 + pidfd_getfd 438 + pidfd_open 434 +@@ -394,6 +395,7 @@ preadv 69 + preadv2 286 + prlimit64 261 + process_madvise 440 ++process_mrelease 448 + process_vm_readv 270 + process_vm_writev 271 + pselect6 72 +@@ -404,7 +406,7 @@ pwritev 70 + pwritev2 287 + query_module + quotactl 60 +-quotactl_path ++quotactl_fd 443 + read 63 + readahead 213 + readdir +diff --git a/src/basic/syscalls-arm.txt b/src/basic/syscalls-arm.txt +index a4847a18b3..9037b28384 100644 +--- a/src/basic/syscalls-arm.txt ++++ b/src/basic/syscalls-arm.txt +@@ -106,6 +106,7 @@ ftruncate 93 + ftruncate64 194 + futex 240 + futex_time64 422 ++futex_waitv 449 + futimesat 326 + get_kernel_syms + get_mempolicy 320 +@@ -203,6 +204,7 @@ madvise 220 + mbind 319 + membarrier 389 + memfd_create 385 ++memfd_secret + memory_ordering + migrate_pages 400 + mincore 219 +@@ -374,7 +376,6 @@ pciconfig_read 272 + pciconfig_write 273 + perf_event_open 364 + perfctr +-perfmonctl + personality 136 + pidfd_getfd 438 + pidfd_open 434 +@@ -394,6 +395,7 @@ preadv 361 + preadv2 392 + prlimit64 369 + process_madvise 440 ++process_mrelease 448 + process_vm_readv 376 + process_vm_writev 377 + pselect6 335 +@@ 
-404,7 +406,7 @@ pwritev 362 + pwritev2 393 + query_module + quotactl 131 +-quotactl_path ++quotactl_fd 443 + read 3 + readahead 225 + readdir +diff --git a/src/basic/syscalls-arm64.txt b/src/basic/syscalls-arm64.txt +index ef76ffa96f..e91d7cfca4 100644 +--- a/src/basic/syscalls-arm64.txt ++++ b/src/basic/syscalls-arm64.txt +@@ -106,6 +106,7 @@ ftruncate 46 + ftruncate64 + futex 98 + futex_time64 ++futex_waitv 449 + futimesat + get_kernel_syms + get_mempolicy 236 +@@ -203,6 +204,7 @@ madvise 233 + mbind 235 + membarrier 283 + memfd_create 279 ++memfd_secret 447 + memory_ordering + migrate_pages 238 + mincore 232 +@@ -374,7 +376,6 @@ pciconfig_read + pciconfig_write + perf_event_open 241 + perfctr +-perfmonctl + personality 92 + pidfd_getfd 438 + pidfd_open 434 +@@ -394,6 +395,7 @@ preadv 69 + preadv2 286 + prlimit64 261 + process_madvise 440 ++process_mrelease 448 + process_vm_readv 270 + process_vm_writev 271 + pselect6 72 +@@ -404,7 +406,7 @@ pwritev 70 + pwritev2 287 + query_module + quotactl 60 +-quotactl_path ++quotactl_fd 443 + read 63 + readahead 213 + readdir +diff --git a/src/basic/syscalls-i386.txt b/src/basic/syscalls-i386.txt +index baacb9b7a3..6b57d6f05d 100644 +--- a/src/basic/syscalls-i386.txt ++++ b/src/basic/syscalls-i386.txt +@@ -106,6 +106,7 @@ ftruncate 93 + ftruncate64 194 + futex 240 + futex_time64 422 ++futex_waitv 449 + futimesat 299 + get_kernel_syms 130 + get_mempolicy 275 +@@ -203,6 +204,7 @@ madvise 219 + mbind 274 + membarrier 375 + memfd_create 356 ++memfd_secret 447 + memory_ordering + migrate_pages 294 + mincore 218 +@@ -374,7 +376,6 @@ pciconfig_read + pciconfig_write + perf_event_open 336 + perfctr +-perfmonctl + personality 136 + pidfd_getfd 438 + pidfd_open 434 +@@ -394,6 +395,7 @@ preadv 333 + preadv2 378 + prlimit64 340 + process_madvise 440 ++process_mrelease 448 + process_vm_readv 347 + process_vm_writev 348 + pselect6 308 +@@ -404,7 +406,7 @@ pwritev 334 + pwritev2 379 + query_module 167 + quotactl 131 +-quotactl_path 
++quotactl_fd 443 + read 3 + readahead 225 + readdir 89 +diff --git a/src/basic/syscalls-ia64.txt b/src/basic/syscalls-ia64.txt +index c37ea6f88f..3d646f6d17 100644 +--- a/src/basic/syscalls-ia64.txt ++++ b/src/basic/syscalls-ia64.txt +@@ -106,6 +106,7 @@ ftruncate 1098 + ftruncate64 + futex 1230 + futex_time64 ++futex_waitv 1473 + futimesat 1285 + get_kernel_syms + get_mempolicy 1260 +@@ -203,6 +204,7 @@ madvise 1209 + mbind 1259 + membarrier 1344 + memfd_create 1340 ++memfd_secret + memory_ordering + migrate_pages 1280 + mincore 1208 +@@ -374,7 +376,6 @@ pciconfig_read 1173 + pciconfig_write 1174 + perf_event_open 1352 + perfctr +-perfmonctl 1175 + personality 1140 + pidfd_getfd 1462 + pidfd_open 1458 +@@ -394,6 +395,7 @@ preadv 1319 + preadv2 1348 + prlimit64 1325 + process_madvise 1464 ++process_mrelease 1472 + process_vm_readv 1332 + process_vm_writev 1333 + pselect6 1294 +@@ -404,7 +406,7 @@ pwritev 1320 + pwritev2 1349 + query_module + quotactl 1137 +-quotactl_path ++quotactl_fd 1467 + read 1026 + readahead 1216 + readdir +diff --git a/src/basic/syscalls-m68k.txt b/src/basic/syscalls-m68k.txt +index 7522b82e1f..ef7295db2f 100644 +--- a/src/basic/syscalls-m68k.txt ++++ b/src/basic/syscalls-m68k.txt +@@ -106,6 +106,7 @@ ftruncate 93 + ftruncate64 194 + futex 235 + futex_time64 422 ++futex_waitv 449 + futimesat 292 + get_kernel_syms 130 + get_mempolicy 269 +@@ -203,6 +204,7 @@ madvise 238 + mbind 268 + membarrier 374 + memfd_create 353 ++memfd_secret + memory_ordering + migrate_pages 287 + mincore 237 +@@ -374,7 +376,6 @@ pciconfig_read + pciconfig_write + perf_event_open 332 + perfctr +-perfmonctl + personality 136 + pidfd_getfd 438 + pidfd_open 434 +@@ -394,6 +395,7 @@ preadv 329 + preadv2 377 + prlimit64 339 + process_madvise 440 ++process_mrelease 448 + process_vm_readv 345 + process_vm_writev 346 + pselect6 301 +@@ -404,7 +406,7 @@ pwritev 330 + pwritev2 378 + query_module 167 + quotactl 131 +-quotactl_path ++quotactl_fd 443 + read 3 + readahead 240 + 
readdir 89 +diff --git a/src/basic/syscalls-mips64.txt b/src/basic/syscalls-mips64.txt +index 6b85975eea..1f7ff567be 100644 +--- a/src/basic/syscalls-mips64.txt ++++ b/src/basic/syscalls-mips64.txt +@@ -106,6 +106,7 @@ ftruncate 5075 + ftruncate64 + futex 5194 + futex_time64 ++futex_waitv 5449 + futimesat 5251 + get_kernel_syms 5170 + get_mempolicy 5228 +@@ -203,6 +204,7 @@ madvise 5027 + mbind 5227 + membarrier 5318 + memfd_create 5314 ++memfd_secret + memory_ordering + migrate_pages 5246 + mincore 5026 +@@ -374,7 +376,6 @@ pciconfig_read + pciconfig_write + perf_event_open 5292 + perfctr +-perfmonctl + personality 5132 + pidfd_getfd 5438 + pidfd_open 5434 +@@ -394,6 +395,7 @@ preadv 5289 + preadv2 5321 + prlimit64 5297 + process_madvise 5440 ++process_mrelease 5448 + process_vm_readv 5304 + process_vm_writev 5305 + pselect6 5260 +@@ -404,7 +406,7 @@ pwritev 5290 + pwritev2 5322 + query_module 5171 + quotactl 5172 +-quotactl_path ++quotactl_fd 5443 + read 5000 + readahead 5179 + readdir +diff --git a/src/basic/syscalls-mips64n32.txt b/src/basic/syscalls-mips64n32.txt +index a4c12cc442..7e1ad9637d 100644 +--- a/src/basic/syscalls-mips64n32.txt ++++ b/src/basic/syscalls-mips64n32.txt +@@ -106,6 +106,7 @@ ftruncate 6075 + ftruncate64 + futex 6194 + futex_time64 6422 ++futex_waitv 6449 + futimesat 6255 + get_kernel_syms 6170 + get_mempolicy 6232 +@@ -203,6 +204,7 @@ madvise 6027 + mbind 6231 + membarrier 6322 + memfd_create 6318 ++memfd_secret + memory_ordering + migrate_pages 6250 + mincore 6026 +@@ -374,7 +376,6 @@ pciconfig_read + pciconfig_write + perf_event_open 6296 + perfctr +-perfmonctl + personality 6132 + pidfd_getfd 6438 + pidfd_open 6434 +@@ -394,6 +395,7 @@ preadv 6293 + preadv2 6325 + prlimit64 6302 + process_madvise 6440 ++process_mrelease 6448 + process_vm_readv 6309 + process_vm_writev 6310 + pselect6 6264 +@@ -404,7 +406,7 @@ pwritev 6294 + pwritev2 6326 + query_module 6171 + quotactl 6172 +-quotactl_path ++quotactl_fd 6443 + read 6000 + readahead 
6179 + readdir +diff --git a/src/basic/syscalls-mipso32.txt b/src/basic/syscalls-mipso32.txt +index fcebabab11..c0c262fd1a 100644 +--- a/src/basic/syscalls-mipso32.txt ++++ b/src/basic/syscalls-mipso32.txt +@@ -106,6 +106,7 @@ ftruncate 4093 + ftruncate64 4212 + futex 4238 + futex_time64 4422 ++futex_waitv 4449 + futimesat 4292 + get_kernel_syms 4130 + get_mempolicy 4269 +@@ -203,6 +204,7 @@ madvise 4218 + mbind 4268 + membarrier 4358 + memfd_create 4354 ++memfd_secret + memory_ordering + migrate_pages 4287 + mincore 4217 +@@ -374,7 +376,6 @@ pciconfig_read + pciconfig_write + perf_event_open 4333 + perfctr +-perfmonctl + personality 4136 + pidfd_getfd 4438 + pidfd_open 4434 +@@ -394,6 +395,7 @@ preadv 4330 + preadv2 4361 + prlimit64 4338 + process_madvise 4440 ++process_mrelease 4448 + process_vm_readv 4345 + process_vm_writev 4346 + pselect6 4301 +@@ -404,7 +406,7 @@ pwritev 4331 + pwritev2 4362 + query_module 4187 + quotactl 4131 +-quotactl_path ++quotactl_fd 4443 + read 4003 + readahead 4223 + readdir 4089 +diff --git a/src/basic/syscalls-powerpc.txt b/src/basic/syscalls-powerpc.txt +index 3185562726..2f085161e1 100644 +--- a/src/basic/syscalls-powerpc.txt ++++ b/src/basic/syscalls-powerpc.txt +@@ -106,6 +106,7 @@ ftruncate 93 + ftruncate64 194 + futex 221 + futex_time64 422 ++futex_waitv 449 + futimesat 290 + get_kernel_syms 130 + get_mempolicy 260 +@@ -203,6 +204,7 @@ madvise 205 + mbind 259 + membarrier 365 + memfd_create 360 ++memfd_secret + memory_ordering + migrate_pages 258 + mincore 206 +@@ -374,7 +376,6 @@ pciconfig_read 198 + pciconfig_write 199 + perf_event_open 319 + perfctr +-perfmonctl + personality 136 + pidfd_getfd 438 + pidfd_open 434 +@@ -394,6 +395,7 @@ preadv 320 + preadv2 380 + prlimit64 325 + process_madvise 440 ++process_mrelease 448 + process_vm_readv 351 + process_vm_writev 352 + pselect6 280 +@@ -404,7 +406,7 @@ pwritev 321 + pwritev2 381 + query_module 166 + quotactl 131 +-quotactl_path ++quotactl_fd 443 + read 3 + readahead 191 + 
readdir 89 +diff --git a/src/basic/syscalls-powerpc64.txt b/src/basic/syscalls-powerpc64.txt +index e940737781..85e53422ee 100644 +--- a/src/basic/syscalls-powerpc64.txt ++++ b/src/basic/syscalls-powerpc64.txt +@@ -106,6 +106,7 @@ ftruncate 93 + ftruncate64 + futex 221 + futex_time64 ++futex_waitv 449 + futimesat 290 + get_kernel_syms 130 + get_mempolicy 260 +@@ -203,6 +204,7 @@ madvise 205 + mbind 259 + membarrier 365 + memfd_create 360 ++memfd_secret + memory_ordering + migrate_pages 258 + mincore 206 +@@ -374,7 +376,6 @@ pciconfig_read 198 + pciconfig_write 199 + perf_event_open 319 + perfctr +-perfmonctl + personality 136 + pidfd_getfd 438 + pidfd_open 434 +@@ -394,6 +395,7 @@ preadv 320 + preadv2 380 + prlimit64 325 + process_madvise 440 ++process_mrelease 448 + process_vm_readv 351 + process_vm_writev 352 + pselect6 280 +@@ -404,7 +406,7 @@ pwritev 321 + pwritev2 381 + query_module 166 + quotactl 131 +-quotactl_path ++quotactl_fd 443 + read 3 + readahead 191 + readdir 89 +diff --git a/src/basic/syscalls-riscv32.txt b/src/basic/syscalls-riscv32.txt +index 8fe0d5ea88..013e38189b 100644 +--- a/src/basic/syscalls-riscv32.txt ++++ b/src/basic/syscalls-riscv32.txt +@@ -40,7 +40,7 @@ clock_settime + clock_settime64 404 + clone 220 + clone2 +-clone3 ++clone3 435 + close 57 + close_range 436 + connect 203 +@@ -106,6 +106,7 @@ ftruncate + ftruncate64 46 + futex + futex_time64 422 ++futex_waitv 449 + futimesat + get_kernel_syms + get_mempolicy 236 +@@ -203,6 +204,7 @@ madvise 233 + mbind 235 + membarrier 283 + memfd_create 279 ++memfd_secret + memory_ordering + migrate_pages 238 + mincore 232 +@@ -374,7 +376,6 @@ pciconfig_read + pciconfig_write + perf_event_open 241 + perfctr +-perfmonctl + personality 92 + pidfd_getfd 438 + pidfd_open 434 +@@ -394,6 +395,7 @@ preadv 69 + preadv2 286 + prlimit64 261 + process_madvise 440 ++process_mrelease 448 + process_vm_readv 270 + process_vm_writev 271 + pselect6 +@@ -404,7 +406,7 @@ pwritev 70 + pwritev2 287 + query_module + 
quotactl 60 +-quotactl_path ++quotactl_fd 443 + read 63 + readahead 213 + readdir +diff --git a/src/basic/syscalls-riscv64.txt b/src/basic/syscalls-riscv64.txt +index e021ea79b4..104a2d9dfa 100644 +--- a/src/basic/syscalls-riscv64.txt ++++ b/src/basic/syscalls-riscv64.txt +@@ -106,6 +106,7 @@ ftruncate 46 + ftruncate64 + futex 98 + futex_time64 ++futex_waitv 449 + futimesat + get_kernel_syms + get_mempolicy 236 +@@ -203,6 +204,7 @@ madvise 233 + mbind 235 + membarrier 283 + memfd_create 279 ++memfd_secret + memory_ordering + migrate_pages 238 + mincore 232 +@@ -374,7 +376,6 @@ pciconfig_read + pciconfig_write + perf_event_open 241 + perfctr +-perfmonctl + personality 92 + pidfd_getfd 438 + pidfd_open 434 +@@ -394,6 +395,7 @@ preadv 69 + preadv2 286 + prlimit64 261 + process_madvise 440 ++process_mrelease 448 + process_vm_readv 270 + process_vm_writev 271 + pselect6 72 +@@ -404,7 +406,7 @@ pwritev 70 + pwritev2 287 + query_module + quotactl 60 +-quotactl_path ++quotactl_fd 443 + read 63 + readahead 213 + readdir +diff --git a/src/basic/syscalls-s390.txt b/src/basic/syscalls-s390.txt +index 5d3b73e6c0..a25093c7be 100644 +--- a/src/basic/syscalls-s390.txt ++++ b/src/basic/syscalls-s390.txt +@@ -106,6 +106,7 @@ ftruncate 93 + ftruncate64 194 + futex 238 + futex_time64 422 ++futex_waitv 449 + futimesat 292 + get_kernel_syms 130 + get_mempolicy 269 +@@ -203,6 +204,7 @@ madvise 219 + mbind 268 + membarrier 356 + memfd_create 350 ++memfd_secret + memory_ordering + migrate_pages 287 + mincore 218 +@@ -374,7 +376,6 @@ pciconfig_read + pciconfig_write + perf_event_open 331 + perfctr +-perfmonctl + personality 136 + pidfd_getfd 438 + pidfd_open 434 +@@ -394,6 +395,7 @@ preadv 328 + preadv2 376 + prlimit64 334 + process_madvise 440 ++process_mrelease 448 + process_vm_readv 340 + process_vm_writev 341 + pselect6 301 +@@ -404,7 +406,7 @@ pwritev 329 + pwritev2 377 + query_module 167 + quotactl 131 +-quotactl_path ++quotactl_fd 443 + read 3 + readahead 222 + readdir 89 +diff --git 
a/src/basic/syscalls-s390x.txt b/src/basic/syscalls-s390x.txt +index 62a2ea4fae..b4b798f9df 100644 +--- a/src/basic/syscalls-s390x.txt ++++ b/src/basic/syscalls-s390x.txt +@@ -106,6 +106,7 @@ ftruncate 93 + ftruncate64 + futex 238 + futex_time64 ++futex_waitv 449 + futimesat 292 + get_kernel_syms 130 + get_mempolicy 269 +@@ -203,6 +204,7 @@ madvise 219 + mbind 268 + membarrier 356 + memfd_create 350 ++memfd_secret + memory_ordering + migrate_pages 287 + mincore 218 +@@ -374,7 +376,6 @@ pciconfig_read + pciconfig_write + perf_event_open 331 + perfctr +-perfmonctl + personality 136 + pidfd_getfd 438 + pidfd_open 434 +@@ -394,6 +395,7 @@ preadv 328 + preadv2 376 + prlimit64 334 + process_madvise 440 ++process_mrelease 448 + process_vm_readv 340 + process_vm_writev 341 + pselect6 301 +@@ -404,7 +406,7 @@ pwritev 329 + pwritev2 377 + query_module 167 + quotactl 131 +-quotactl_path ++quotactl_fd 443 + read 3 + readahead 222 + readdir 89 +diff --git a/src/basic/syscalls-sparc.txt b/src/basic/syscalls-sparc.txt +index fe41bf97e8..a382e75c24 100644 +--- a/src/basic/syscalls-sparc.txt ++++ b/src/basic/syscalls-sparc.txt +@@ -106,6 +106,7 @@ ftruncate 130 + ftruncate64 84 + futex 142 + futex_time64 422 ++futex_waitv 449 + futimesat 288 + get_kernel_syms 223 + get_mempolicy 304 +@@ -203,6 +204,7 @@ madvise 75 + mbind 303 + membarrier 351 + memfd_create 348 ++memfd_secret + memory_ordering + migrate_pages 302 + mincore 78 +@@ -374,7 +376,6 @@ pciconfig_read 148 + pciconfig_write 149 + perf_event_open 327 + perfctr 18 +-perfmonctl + personality 191 + pidfd_getfd 438 + pidfd_open 434 +@@ -394,6 +395,7 @@ preadv 324 + preadv2 358 + prlimit64 331 + process_madvise 440 ++process_mrelease 448 + process_vm_readv 338 + process_vm_writev 339 + pselect6 297 +@@ -404,7 +406,7 @@ pwritev 325 + pwritev2 359 + query_module 184 + quotactl 165 +-quotactl_path ++quotactl_fd 443 + read 3 + readahead 205 + readdir 204 +diff --git a/src/basic/syscalls-x86_64.txt b/src/basic/syscalls-x86_64.txt 
+index d2ac17ab46..5bc9c58a2a 100644 +--- a/src/basic/syscalls-x86_64.txt ++++ b/src/basic/syscalls-x86_64.txt +@@ -106,6 +106,7 @@ ftruncate 77 + ftruncate64 + futex 202 + futex_time64 ++futex_waitv 449 + futimesat 261 + get_kernel_syms 177 + get_mempolicy 239 +@@ -203,6 +204,7 @@ madvise 28 + mbind 237 + membarrier 324 + memfd_create 319 ++memfd_secret 447 + memory_ordering + migrate_pages 256 + mincore 27 +@@ -374,7 +376,6 @@ pciconfig_read + pciconfig_write + perf_event_open 298 + perfctr +-perfmonctl + personality 135 + pidfd_getfd 438 + pidfd_open 434 +@@ -394,6 +395,7 @@ preadv 295 + preadv2 327 + prlimit64 302 + process_madvise 440 ++process_mrelease 448 + process_vm_readv 310 + process_vm_writev 311 + pselect6 270 +@@ -404,7 +406,7 @@ pwritev 296 + pwritev2 328 + query_module 178 + quotactl 179 +-quotactl_path ++quotactl_fd 443 + read 0 + readahead 187 + readdir +-- +2.33.0 + diff --git a/backport-sysext-use-LO_FLAGS_PARTSCAN-when-opening-image.patch b/backport-sysext-use-LO_FLAGS_PARTSCAN-when-opening-image.patch new file mode 100644 index 0000000000000000000000000000000000000000..f5ca58dfa58800146c7d93e77e3a2151dba2ec41 --- /dev/null +++ b/backport-sysext-use-LO_FLAGS_PARTSCAN-when-opening-image.patch 
@@ -0,0 +1,46 @@
+From 9370cf015e54e2201227c27271506e63ad8c3e1d Mon Sep 17 00:00:00 2001
+From: Luca Boccassi
+Date: Wed, 19 Jan 2022 00:27:45 +0000
+Subject: [PATCH] sysext: use LO_FLAGS_PARTSCAN when opening image
+
+Jan 17 12:34:59 myguest1 (sd-sysext)[486]: Device '/var/lib/extensions/myext.raw' is loopback block device with partition scanning turned off, please turn it on.
+
+Fixes https://github.com/systemd/systemd/issues/22146
+
+(cherry picked from commit 70a5c6dce0872b3bb0a39be250adde86a0c8f35c)
+(cherry picked from commit 4ef7122f3c3328aa01e1ed187a793e7b1595ee87)
+
+Conflict:NA
+Reference:https://github.com/systemd/systemd/commit/9370cf015e54e2201227c27271506e63ad8c3e1d
+---
+ src/sysext/sysext.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/src/sysext/sysext.c b/src/sysext/sysext.c
+index 572e4007fe..bcd87ab152 100644
+--- a/src/sysext/sysext.c
++++ b/src/sysext/sysext.c
+@@ -2,6 +2,7 @@
+
+ #include
+ #include
++#include
+ #include
+ #include
+
+@@ -523,7 +524,11 @@ static int merge_subprocess(Hashmap *images, const char *workspace) {
+ if (verity_settings.data_path)
+ flags |= DISSECT_IMAGE_NO_PARTITION_TABLE;
+
+- r = loop_device_make_by_path(img->path, O_RDONLY, 0, &d);
++ r = loop_device_make_by_path(
++ img->path,
++ O_RDONLY,
++ FLAGS_SET(flags, DISSECT_IMAGE_NO_PARTITION_TABLE) ? 0 : LO_FLAGS_PARTSCAN,
++ &d);
+ if (r < 0)
+ return log_error_errno(r, "Failed to set up loopback device for %s: %m", img->path);
+
+--
+2.33.0
+
diff --git a/backport-systemctl-allow-set-property-to-be-called-with-a-glo.patch b/backport-systemctl-allow-set-property-to-be-called-with-a-glo.patch
new file mode 100644
index 0000000000000000000000000000000000000000..16b6a658aa75b2f12ae0bc6b5d5797ccd60e30ed
--- /dev/null
+++ b/backport-systemctl-allow-set-property-to-be-called-with-a-glo.patch
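Review bot: The third argument of loop_device_make_by_path() in merge_subprocess() now depends on a flag set two lines earlier, and the code does not say why. A comment above the call such as `/* images with a separate verity data file are treated as having no partition table, so don't request a partition scan for them */` would tie the `verity_settings.data_path` check to the `LO_FLAGS_PARTSCAN` choice. The header names on the `#include` lines of the first hunk are not legible on this page, so I could not confirm which header supplies LO_FLAGS_PARTSCAN. merge_subprocess() begins and ends outside the hunk.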
@@ -0,0 +1,111 @@
+From f8e994d928fc1636f7aefc6dd9ee8374c7cc63f3 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?=
+Date: Wed, 28 Jul 2021 12:57:10 +0200
+Subject: [PATCH] systemctl: allow set-property to be called with a glob
+ pattern
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+We call "systemctl set-property … Markers=+needs-restart" and this should
+also work for globs, e.g. "user@*.service" or "syncthing@*.service".
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1986258
+(cherry picked from commit 23a0ffa59f9cb26c4b016c9fd1a3a70da2607f61)
+
+Conflict:NA
+Reference:https://github.com/systemd/systemd/commit/f8e994d928fc1636f7aefc6dd9ee8374c7cc63f3
+---
+ src/systemctl/systemctl-set-property.c | 53 ++++++++++++++++----------
+ 1 file changed, 33 insertions(+), 20 deletions(-)
+
+diff --git a/src/systemctl/systemctl-set-property.c b/src/systemctl/systemctl-set-property.c
+index 183a7b6a8a..5739bac070 100644
+--- a/src/systemctl/systemctl-set-property.c
++++ b/src/systemctl/systemctl-set-property.c
+@@ -6,33 +6,20 @@
+ #include "systemctl-util.h"
+ #include "systemctl.h"
+
+-int set_property(int argc, char *argv[], void *userdata) {
+- _cleanup_(sd_bus_message_unrefp) sd_bus_message *m = NULL;
++static int set_property_one(sd_bus *bus, const char *name, char **properties) {
+ _cleanup_(sd_bus_error_free) sd_bus_error error = SD_BUS_ERROR_NULL;
+- _cleanup_free_ char *n = NULL;
+- UnitType t;
+- sd_bus *bus;
++ _cleanup_(sd_bus_message_unrefp) sd_bus_message *m = NULL;
+ int r;
+
+- r = acquire_bus(BUS_MANAGER, &bus);
+- if (r < 0)
+- return r;
+-
+- polkit_agent_open_maybe();
+-
+ r = bus_message_new_method_call(bus, &m, bus_systemd_mgr, "SetUnitProperties");
+ if (r < 0)
+ return bus_log_create_error(r);
+
+- r = unit_name_mangle(argv[1], arg_quiet ? 0 : UNIT_NAME_MANGLE_WARN, &n);
+- if (r < 0)
+- return log_error_errno(r, "Failed to mangle unit name: %m");
+-
+- t = unit_name_to_type(n);
++ UnitType t = unit_name_to_type(name);
+ if (t < 0)
+- return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Invalid unit type: %s", n);
++ return log_error_errno(t, "Invalid unit type: %s", name);
+
+- r = sd_bus_message_append(m, "sb", n, arg_runtime);
++ r = sd_bus_message_append(m, "sb", name, arg_runtime);
+ if (r < 0)
+ return bus_log_create_error(r);
+
+@@ -40,7 +27,7 @@ int set_property(int argc, char *argv[], void *userdata) {
+ if (r < 0)
+ return bus_log_create_error(r);
+
+- r = bus_append_unit_property_assignment_many(m, t, strv_skip(argv, 2));
++ r = bus_append_unit_property_assignment_many(m, t, properties);
+ if (r < 0)
+ return r;
+
+@@ -50,7 +37,33 @@ int set_property(int argc, char *argv[], void *userdata) {
+
+ r = sd_bus_call(bus, m, 0, &error, NULL);
+ if (r < 0)
+- return log_error_errno(r, "Failed to set unit properties on %s: %s", n, bus_error_message(&error, r));
++ return log_error_errno(r, "Failed to set unit properties on %s: %s",
++ name, bus_error_message(&error, r));
+
+ return 0;
+ }
++
++int set_property(int argc, char *argv[], void *userdata) {
++ sd_bus *bus;
++ _cleanup_strv_free_ char **names = NULL;
++ char **name;
++ int r, k;
++
++ r = acquire_bus(BUS_MANAGER, &bus);
++ if (r < 0)
++ return r;
++
++ polkit_agent_open_maybe();
++
++ r = expand_unit_names(bus, STRV_MAKE(argv[1]), NULL, &names, NULL);
++ if (r < 0)
++ return log_error_errno(r, "Failed to expand '%s' into names: %m", argv[1]);
++
++ r = 0;
++ STRV_FOREACH(name, names) {
++ k = set_property_one(bus, *name, strv_skip(argv, 2));
++ if (k < 0 && r >= 0)
++ r = k;
++ }
++ return r;
++}
+--
+2.33.0
+
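Review bot: In the new set_property(), a pattern that expands to no unit would leave `names` empty, so the STRV_FOREACH loop never runs and the command returns 0 without having set anything; whether expand_unit_names() can return an empty list for an unmatched glob is not visible here, so please confirm. If it can, a guard before the loop such as `if (strv_isempty(names)) return log_error_errno(SYNTHETIC_ERRNO(ENOENT), "No units matched '%s'.", argv[1]);` makes the no-op explicit. Separately, the loop keeps going after a failure and returns only the first error, which means a glob can be applied to some units and not others; a one-line comment such as `/* apply to every match, remember the first error */` would document that.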
diff --git a/backport-systemctl-make-timestamp-affect-the-show-verb-as-wel.patch b/backport-systemctl-make-timestamp-affect-the-show-verb-as-wel.patch
new file mode 100644
index 0000000000000000000000000000000000000000..f88beaa955a8c7868311985e8063ebc295ec362c
--- /dev/null
+++ b/backport-systemctl-make-timestamp-affect-the-show-verb-as-wel.patch
@@ -0,0 +1,76 @@
+From 99a6dc51727e6c26cf43566de481272773cb1a91 Mon Sep 17 00:00:00 2001
+From: Frantisek Sumsal
+Date: Fri, 18 Feb 2022 23:09:18 +0100
+Subject: [PATCH] systemctl: make `--timestamp=` affect the `show` verb as well
+
+Currently the `--timestamp=` option has no effect on timestamps shown by
+`systemctl show`, let's fix that.
+
+Spotted in #22567.
+
+Before:
+```
+$ systemctl show --timestamp=us+utc systemd-journald | grep Timestamp=
+ExecMainStartTimestamp=Sat 2021-12-11 15:25:57 CET
+StateChangeTimestamp=Sat 2021-12-11 15:25:57 CET
+InactiveExitTimestamp=Sat 2021-12-11 15:25:57 CET
+ActiveEnterTimestamp=Sat 2021-12-11 15:25:57 CET
+ActiveExitTimestamp=Sat 2021-12-11 15:25:57 CET
+InactiveEnterTimestamp=Sat 2021-12-11 15:25:57 CET
+ConditionTimestamp=Sat 2021-12-11 15:25:57 CET
+AssertTimestamp=Sat 2021-12-11 15:25:57 CET
+```
+
+After:
+```
+$ systemctl show --timestamp=us+utc systemd-journald | grep Timestamp=
+ExecMainStartTimestamp=Sat 2021-12-11 14:25:57.177848 UTC
+StateChangeTimestamp=Sat 2021-12-11 14:25:57.196714 UTC
+InactiveExitTimestamp=Sat 2021-12-11 14:25:57.177871 UTC
+ActiveEnterTimestamp=Sat 2021-12-11 14:25:57.196714 UTC
+ActiveExitTimestamp=Sat 2021-12-11 14:25:57.144677 UTC
+InactiveEnterTimestamp=Sat 2021-12-11 14:25:57.176331 UTC
+ConditionTimestamp=Sat 2021-12-11 14:25:57.176980 UTC
+AssertTimestamp=Sat 2021-12-11 14:25:57.176980 UTC
+
+```
+
+(cherry picked from commit a59e5c625da5a6e0c46e493d55f2f4212e9457ca)
+(cherry picked from commit e59c381e2321ae9e476c550d5a3d43a1fd0493ac)
+
+Conflict:NA
+Reference:https://github.com/systemd/systemd/commit/99a6dc51727e6c26cf43566de481272773cb1a91
+---
+ src/systemctl/systemctl-show.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+diff --git a/src/systemctl/systemctl-show.c b/src/systemctl/systemctl-show.c
+index dd99bc5323..5b6ee3c518 100644
+--- a/src/systemctl/systemctl-show.c
++++ b/src/systemctl/systemctl-show.c
+@@ -1006,6 +1006,22 @@ static int print_property(const char *name, const char *expected_value, sd_bus_m
+ }
+ break;
+
++ case SD_BUS_TYPE_UINT64:
++ if (endswith(name, "Timestamp")) {
++ char timestamp_str[FORMAT_TIMESTAMP_MAX] = "n/a";
++ uint64_t timestamp;
++
++ r = sd_bus_message_read_basic(m, bus_type, ×tamp);
++ if (r < 0)
++ return r;
++
++ (void) format_timestamp_style(timestamp_str, sizeof(timestamp_str), timestamp, arg_timestamp_style);
++ bus_print_property_value(name, expected_value, flags, timestamp_str);
++
++ return 1;
++ }
++ break;
++
+ case SD_BUS_TYPE_STRUCT:
+
+ if (contents[0] == SD_BUS_TYPE_UINT32 && streq(name, "Job")) {
+--
+2.33.0
+
diff --git a/backport-systemctl-only-fall-back-to-local-cgroup-display-if-.patch b/backport-systemctl-only-fall-back-to-local-cgroup-display-if-.patch
new file mode 100644
index 0000000000000000000000000000000000000000..49abf23381c012702b8f338f70bd2b665ddec26a
--- /dev/null
+++ b/backport-systemctl-only-fall-back-to-local-cgroup-display-if-.patch
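Review bot: In the new `case SD_BUS_TYPE_UINT64:` branch the buffer starts out as "n/a" and the result of format_timestamp_style() is discarded, so an unset timestamp reaches bus_print_property_value() as the non-empty string "n/a". If that helper suppresses empty values unless asked to show them (its body is not visible here), unset timestamps would now always be printed. Using the return value instead, `const char *s = format_timestamp_style(timestamp_str, sizeof(timestamp_str), timestamp, arg_timestamp_style);` followed by `bus_print_property_value(name, expected_value, flags, s);`, would leave that decision to the helper, assuming the formatter returns NULL for an unset value. print_property() starts and ends outside the hunk.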
@@ -0,0 +1,34 @@
+From 08693ce568f0967046b669fcd99ba0939a1df86d Mon Sep 17 00:00:00 2001
+From: Lennart Poettering
+Date: Thu, 28 Oct 2021 16:47:40 +0200
+Subject: [PATCH] systemctl: only fall back to local cgroup display if we talk
+ to local systemd
+
+Otherwise we likely show rubbish because even in local containers we
+nowadays have cgroup namespacing, hence we likely can't access the
+cgroup tree from the host at the same place as inside the container.
+
+(cherry picked from commit 35ac0260db7b896604d156e9638ad15700083508)
+
+Conflict:NA
+Reference:https://github.com/systemd/systemd/commit/08693ce568f0967046b669fcd99ba0939a1df86d
+---
+ src/systemctl/systemctl-show.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/systemctl/systemctl-show.c b/src/systemctl/systemctl-show.c
+index 290a501c52..dd99bc5323 100644
+--- a/src/systemctl/systemctl-show.c
++++ b/src/systemctl/systemctl-show.c
+@@ -741,7 +741,7 @@ static void print_status_info(
+ c = 0;
+
+ r = unit_show_processes(bus, i->id, i->control_group, prefix, c, get_output_flags(), &error);
+- if (r == -EBADR) {
++ if (r == -EBADR && arg_transport == BUS_TRANSPORT_LOCAL) {
+ unsigned k = 0;
+ pid_t extra[2];
+
+--
+2.33.0
+
diff --git a/backport-systemctl-pretty-print-ExtensionImages-property.patch b/backport-systemctl-pretty-print-ExtensionImages-property.patch
new file mode 100644
index 0000000000000000000000000000000000000000..9d51284188226c24ab7f229754e5ada3cb71e021
--- /dev/null
+++ b/backport-systemctl-pretty-print-ExtensionImages-property.patch
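Review bot: The narrowed condition `r == -EBADR && arg_transport == BUS_TRANSPORT_LOCAL` in print_status_info() carries no comment, and the reason (cgroup paths reported from inside a container do not resolve at the same place in the caller's cgroup tree) lives only in the commit message. I would add `/* Fall back to reading the cgroup tree ourselves only when talking to the local manager */` above the `if`. With this change a non-local -EBADR no longer enters the block; what follows the block is outside the hunk, so it is worth confirming that the error is still reported there and does not get dropped silently.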
@@ -0,0 +1,85 @@
+From c4967b69610a75375cdcaafc9a9816ffddaeec38 Mon Sep 17 00:00:00 2001
+From: Luca Boccassi
+Date: Tue, 26 Oct 2021 22:55:30 +0100
+Subject: [PATCH] systemctl: pretty-print ExtensionImages property
+
+Complex type, so without explicit support 'systemctl show' just prints [unprintable]
+
+(cherry picked from commit 60c16c5cf3458199646cbda9dfe7763b6ba8b62f)
+
+Conflict:NA
+Reference:https://github.com/systemd/systemd/commit/c4967b69610a75375cdcaafc9a9816ffddaeec38
+---
+ src/systemctl/systemctl-show.c | 56 ++++++++++++++++++++++++++++++++++
+ 1 file changed, 56 insertions(+)
+
+diff --git a/src/systemctl/systemctl-show.c b/src/systemctl/systemctl-show.c
+index 1f524626bf..3bc9fd4920 100644
+--- a/src/systemctl/systemctl-show.c
++++ b/src/systemctl/systemctl-show.c
+@@ -1694,6 +1694,62 @@ static int print_property(const char *name, const char *expected_value, sd_bus_m
+
+ return 1;
+
++ } else if (streq(name, "ExtensionImages")) {
++ _cleanup_free_ char *paths = NULL;
++
++ r = sd_bus_message_enter_container(m, SD_BUS_TYPE_ARRAY, "(sba(ss))");
++ if (r < 0)
++ return bus_log_parse_error(r);
++
++ for (;;) {
++ _cleanup_free_ char *str = NULL;
++ const char *source, *partition, *mount_options;
++ int ignore_enoent;
++
++ r = sd_bus_message_enter_container(m, 'r', "sba(ss)");
++ if (r < 0)
++ return bus_log_parse_error(r);
++ if (r == 0)
++ break;
++
++ r = sd_bus_message_read(m, "sb", &source, &ignore_enoent);
++ if (r < 0)
++ return bus_log_parse_error(r);
++
++ str = strjoin(ignore_enoent ? "-" : "", source);
++ if (!str)
++ return log_oom();
++
++ r = sd_bus_message_enter_container(m, 'a', "(ss)");
++ if (r < 0)
++ return bus_log_parse_error(r);
++
++ while ((r = sd_bus_message_read(m, "(ss)", &partition, &mount_options)) > 0)
++ if (!strextend_with_separator(&str, ":", partition, mount_options))
++ return log_oom();
++ if (r < 0)
++ return bus_log_parse_error(r);
++
++ if (!strextend_with_separator(&paths, " ", str))
++ return log_oom();
++
++ r = sd_bus_message_exit_container(m);
++ if (r < 0)
++ return bus_log_parse_error(r);
++
++ r = sd_bus_message_exit_container(m);
++ if (r < 0)
++ return bus_log_parse_error(r);
++ }
++
++ r = sd_bus_message_exit_container(m);
++ if (r < 0)
++ return bus_log_parse_error(r);
++
++ bus_print_property_value(name, expected_value, flags, paths);
++
++ return 1;
++
+ } else if (streq(name, "BPFProgram")) {
+ const char *a, *p;
+
+--
+2.33.0
+
diff --git a/backport-systemctl-show-error-when-help-for-unknown-unit-is-r.patch b/backport-systemctl-show-error-when-help-for-unknown-unit-is-r.patch
new file mode 100644
index 0000000000000000000000000000000000000000..be2136845bfc84710c5d1a0a6b98ef0a0883c008
--- /dev/null
+++ b/backport-systemctl-show-error-when-help-for-unknown-unit-is-r.patch
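Review bot: The `ExtensionImages` branch of print_property() builds its output in three separate strjoin()/strextend_with_separator() steps, and the resulting format is not written down anywhere in the hunk. A comment at the top of the branch such as `/* Prints space-separated entries of the form [-]SOURCE[:PARTITION:OPTIONS...], the "-" prefix meaning ignore_enoent is set */` would document it. The pieces are joined without any escaping, so a source path or mount option containing a space or a colon would make the line ambiguous for scripts that parse `systemctl show` output; if such values are possible here, that deserves a mention in the same comment. print_property() starts and ends outside the hunk.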
@@ -0,0 +1,39 @@ +From 486412ad3bba4f1306597302cf66cc4858126243 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Mon, 12 Jul 2021 12:32:39 +0200 +Subject: [PATCH] systemctl: show error when help for unknown unit is requested + +Fixes #20189. We would only log at debug level and return failure, which looks +like a noop for the user. + +('help' accepts multiple arguments and will show multiple concatenated man +pages in that case. Actually, it will also show multiple concatenated man pages +if the Documentation= setting lists multiple pages. I don't think it's very +terribly useful, but, meh, I don't think we can do much better. If a user +requests a help for a two services, one known and one unknown, there'll now be +a line in the output. It's not very user friendly, but not exactly wrong too.) + +(cherry picked from commit 75312ada5324d8adae3f3a0ed97f0acfc8b8bde5) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/486412ad3bba4f1306597302cf66cc4858126243 +--- + src/systemctl/systemctl-show.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/systemctl/systemctl-show.c b/src/systemctl/systemctl-show.c +index 470ff617d6..1f524626bf 100644 +--- a/src/systemctl/systemctl-show.c ++++ b/src/systemctl/systemctl-show.c +@@ -1915,7 +1915,7 @@ static int show_one( + return log_error_errno(r, "Failed to get properties: %s", bus_error_message(&error, r)); + + if (unit && streq_ptr(info.load_state, "not-found") && streq_ptr(info.active_state, "inactive")) { +- log_full(show_mode == SYSTEMCTL_SHOW_STATUS ? LOG_ERR : LOG_DEBUG, ++ log_full(show_mode == SYSTEMCTL_SHOW_PROPERTIES ? LOG_DEBUG : LOG_ERR, + "Unit %s could not be found.", unit); + + if (show_mode == SYSTEMCTL_SHOW_STATUS) +-- +2.33.0 + 
diff --git a/backport-systemctl-small-fixes-for-MountImages-pretty-printin.patch b/backport-systemctl-small-fixes-for-MountImages-pretty-printin.patch new file mode 100644 index 0000000000000000000000000000000000000000..e6ca843ee69d3ac42ee66742a0a511a64dbadb18 --- /dev/null +++ b/backport-systemctl-small-fixes-for-MountImages-pretty-printin.patch 
@@ -0,0 +1,70 @@ +From 1f332abc9f82c653d40e5f3e42b761dca88d31ed Mon Sep 17 00:00:00 2001 +From: Luca Boccassi +Date: Wed, 27 Oct 2021 11:17:02 +0100 +Subject: [PATCH] systemctl: small fixes for MountImages pretty printing + +(cherry picked from commit 8ec6108c0bdb5ab2e05bc20ab41ad6653805fd00) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/1f332abc9f82c653d40e5f3e42b761dca88d31ed +--- + src/systemctl/systemctl-show.c | 20 ++++++++++---------- + 1 file changed, 10 insertions(+), 10 deletions(-) + +diff --git a/src/systemctl/systemctl-show.c b/src/systemctl/systemctl-show.c +index 3bc9fd4920..290a501c52 100644 +--- a/src/systemctl/systemctl-show.c ++++ b/src/systemctl/systemctl-show.c +@@ -1649,11 +1649,13 @@ static int print_property(const char *name, const char *expected_value, sd_bus_m + + r = sd_bus_message_enter_container(m, 'r', "ssba(ss)"); + if (r < 0) +- return r; ++ return bus_log_parse_error(r); ++ if (r == 0) ++ break; + + r = sd_bus_message_read(m, "ssb", &source, &destination, &ignore_enoent); +- if (r <= 0) +- break; ++ if (r < 0) ++ return bus_log_parse_error(r); + + str = strjoin(ignore_enoent ? 
"-" : "", + source, +@@ -1664,27 +1666,25 @@ static int print_property(const char *name, const char *expected_value, sd_bus_m + + r = sd_bus_message_enter_container(m, 'a', "(ss)"); + if (r < 0) +- return r; ++ return bus_log_parse_error(r); + + while ((r = sd_bus_message_read(m, "(ss)", &partition, &mount_options)) > 0) +- if (!strextend_with_separator(&str, ":", partition, ":", mount_options)) ++ if (!strextend_with_separator(&str, ":", partition, mount_options)) + return log_oom(); + if (r < 0) +- return r; ++ return bus_log_parse_error(r); + + if (!strextend_with_separator(&paths, " ", str)) + return log_oom(); + + r = sd_bus_message_exit_container(m); + if (r < 0) +- return r; ++ return bus_log_parse_error(r); + + r = sd_bus_message_exit_container(m); + if (r < 0) +- return r; ++ return bus_log_parse_error(r); + } +- if (r < 0) +- return bus_log_parse_error(r); + + r = sd_bus_message_exit_container(m); + if (r < 0) +-- +2.33.0 + diff --git a/backport-systemd-analyze-parse-ip_filters_custom_egress-corre.patch b/backport-systemd-analyze-parse-ip_filters_custom_egress-corre.patch new file mode 100644 index 0000000000000000000000000000000000000000..77dcb738746a3edd88f87decd7b70df1b2bd00c0 --- /dev/null +++ b/backport-systemd-analyze-parse-ip_filters_custom_egress-corre.patch 
@@ -0,0 +1,31 @@ +From 2d8f28adf58c58d99c19da9d53c6c66a9b952ce4 Mon Sep 17 00:00:00 2001 +From: Maanya Goenka +Date: Tue, 10 Aug 2021 14:30:46 -0700 +Subject: [PATCH] systemd-analyze: parse ip_filters_custom_egress correctly + +Fixed bug in original assignment of security_info variable: ip_filters_custom_egress. + +(cherry picked from commit 3da57008e743643d45d3dc05eacac1a4623539a4) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/2d8f28adf58c58d99c19da9d53c6c66a9b952ce4 +--- + src/analyze/analyze-security.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/analyze/analyze-security.c b/src/analyze/analyze-security.c +index f20606c17c..309e9a81b5 100644 +--- a/src/analyze/analyze-security.c ++++ b/src/analyze/analyze-security.c +@@ -1910,7 +1910,7 @@ static int property_read_ip_filters( + if (streq(member, "IPIngressFilterPath")) + info->ip_filters_custom_ingress = !strv_isempty(l); + else if (streq(member, "IPEgressFilterPath")) +- info->ip_filters_custom_ingress = !strv_isempty(l); ++ info->ip_filters_custom_egress = !strv_isempty(l); + + return 0; + } +-- +2.33.0 + diff --git a/backport-systemd-run-ensure-error-logs-suggest-to-use-user-wh.patch b/backport-systemd-run-ensure-error-logs-suggest-to-use-user-wh.patch new file mode 100644 index 0000000000000000000000000000000000000000..7f7b236a0763e8abc934851dbca722995e7e96bb --- /dev/null +++ b/backport-systemd-run-ensure-error-logs-suggest-to-use-user-wh.patch 
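Review bot: The `if`/`else if` chain in `property_read_ip_filters` still returns 0 without setting anything when `member` is neither `IPIngressFilterPath` nor `IPEgressFilterPath`, so a wrong or renamed property name would again leave a flag silently stale. The removed line shows how quiet this class of mistake is: the egress result overwrote `ip_filters_custom_ingress` and `ip_filters_custom_egress` was never written. If the handler is only ever registered for these two properties (not visible here, since the function starts outside the hunk), a final `else return -EINVAL;` would surface a mismatch. A one-line comment such as `/* one flag per property; both feed the IP filter assessment */` would also make the pairing explicit.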
@@ -0,0 +1,63 @@ +From 8ece102d314cfe92aaa7a7afc853b6921da941c4 Mon Sep 17 00:00:00 2001 +From: Luca Boccassi +Date: Thu, 30 Dec 2021 00:54:32 +0000 +Subject: [PATCH] systemd-run: ensure error logs suggest to use '--user' when + appropriate + +Before: + +$ systemd-run --service-type=notify --user false +Job for run-rc3fe52ee6ddd4a6eaaf1a20e0a949cdf.service failed because the control process exited with error code. +See "systemctl status run-rc3fe52ee6ddd4a6eaaf1a20e0a949cdf.service" and "journalctl -xeu run-rc3fe52ee6ddd4a6eaaf1a20e0a949cdf.service" for details. + +After: + +$ systemd-run --service-type=notify --user false +Job for run-r7791e380a7b6400ea01d6a0e5a458b23.service failed because the control process exited with error code. +See "systemctl --user status run-r7791e380a7b6400ea01d6a0e5a458b23.service" and "journalctl --user -xeu run-r7791e380a7b6400ea01d6a0e5a458b23.service" for details. + +Fixes https://github.com/systemd/systemd/issues/21933 + +(cherry picked from commit 466f2351bbb5c0fdc9f153e35506570e59b14c5f) +(cherry picked from commit b59615dc76cf82bd1fca301220ee0b7961cbcacd) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/8ece102d314cfe92aaa7a7afc853b6921da941c4 +--- + src/run/run.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/src/run/run.c b/src/run/run.c +index 9a7e1efaca..c858bf793d 100644 +--- a/src/run/run.c ++++ b/src/run/run.c +@@ -1228,7 +1228,7 @@ static int start_transient_service( + if (r < 0) + return bus_log_parse_error(r); + +- r = bus_wait_for_jobs_one(w, object, arg_quiet, NULL); ++ r = bus_wait_for_jobs_one(w, object, arg_quiet, arg_user ? STRV_MAKE_CONST("--user") : NULL); + if (r < 0) + return r; + } +@@ -1473,7 +1473,7 @@ static int start_transient_scope(sd_bus *bus) { + if (r < 0) + return bus_log_parse_error(r); + +- r = bus_wait_for_jobs_one(w, object, arg_quiet, NULL); ++ r = bus_wait_for_jobs_one(w, object, arg_quiet, arg_user ? 
STRV_MAKE_CONST("--user") : NULL); + if (r < 0) + return r; + +@@ -1693,7 +1693,7 @@ static int start_transient_trigger( + if (r < 0) + return bus_log_parse_error(r); + +- r = bus_wait_for_jobs_one(w, object, arg_quiet, NULL); ++ r = bus_wait_for_jobs_one(w, object, arg_quiet, arg_user ? STRV_MAKE_CONST("--user") : NULL); + if (r < 0) + return r; + +-- +2.33.0 + diff --git a/backport-sysusers-use-filename-if-proc-is-not-mounted.patch b/backport-sysusers-use-filename-if-proc-is-not-mounted.patch new file mode 100644 index 0000000000000000000000000000000000000000..8b5196fb077dbfd047f11c18a77d41b539dfd496 --- /dev/null +++ b/backport-sysusers-use-filename-if-proc-is-not-mounted.patch 
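Review bot: The expression `arg_user ? STRV_MAKE_CONST("--user") : NULL` is now repeated verbatim in `start_transient_service`, `start_transient_scope` and `start_transient_trigger`, so the three hint sites can drift apart the next time the hint changes. A small file-local macro would keep them in step, for example `#define RUN_HINT_ARGS (arg_user ? STRV_MAKE_CONST("--user") : NULL)`, with each call becoming `bus_wait_for_jobs_one(w, object, arg_quiet, RUN_HINT_ARGS)`. All three functions start and end outside their hunks, so whether other connection options should also be reflected in the suggested commands cannot be judged from here.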
@@ -0,0 +1,34 @@ +From f78a48840205339157b186b7c8e576a3c690f6d9 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Fri, 31 Dec 2021 00:11:01 +0900 +Subject: [PATCH] sysusers: use filename if /proc is not mounted + +During system install, /proc may not be mounted yet. + +Fixes RHBZ#2036217 (https://bugzilla.redhat.com/show_bug.cgi?id=2036217). + +(cherry picked from commit b78d7f246899687a1697cdcebe93d8512c5e7c4b) +(cherry picked from commit 747b4f1ff8aac3a1b800b0a7ac0edef4af34da70) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/f78a48840205339157b186b7c8e576a3c690f6d9 +--- + src/sysusers/sysusers.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/sysusers/sysusers.c b/src/sysusers/sysusers.c +index a18634d254..669efe4a1d 100644 +--- a/src/sysusers/sysusers.c ++++ b/src/sysusers/sysusers.c +@@ -267,7 +267,7 @@ static int make_backup(const char *target, const char *x) { + + /* Copy over the access mask. Don't fail on chmod() or chown(). If it stays owned by us and/or + * unreadable by others, then it isn't too bad... */ +- r = fchmod_and_chown(fileno(dst), st.st_mode & 07777, st.st_uid, st.st_gid); ++ r = fchmod_and_chown_with_fallback(fileno(dst), dst_tmp, st.st_mode & 07777, st.st_uid, st.st_gid); + if (r < 0) + log_warning_errno(r, "Failed to change access mode or ownership of %s: %m", backup); + +-- +2.33.0 + diff --git a/backport-temporarily-disable-test-seccomp.patch b/backport-temporarily-disable-test-seccomp.patch index 32b4b1322a614d2ad75fd84b0b9bfc406ef5228a..2aca22171b75d39d1efdfb230d6c55f4bfb42669 100644 --- a/backport-temporarily-disable-test-seccomp.patch +++ b/backport-temporarily-disable-test-seccomp.patch 
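Review bot: The new call in `make_backup` can change mode and ownership by path (`dst_tmp`) instead of through the open descriptor, and nothing at the call site says when that happens or why it is acceptable. A path-based chmod/chown is only as safe as the directory holding the file, so the existing comment should state the assumption, for example `/* Falls back to the path when /proc is not mounted; dst_tmp must live in a directory only root can write to. */` (to be confirmed against where `dst_tmp` is created, which is outside the hunk). The warning below still names `backup` while the operation is applied to the temporary file, which makes a failure harder to trace. `make_backup` starts and ends outside the hunk.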
@@ -4,14 +4,14 @@ Date: Tue, 22 Feb 2022 20:33:40 +0800 Subject: [PATCH] temporarily disable test-seccomp --- - src/test/test-seccomp.c | 22 +--------------------- - 1 file changed, 1 insertion(+), 21 deletions(-) + src/test/test-seccomp.c | 23 +--------------------- + 1 file changed, 1 insertion(+), 22 deletions(-) diff --git a/src/test/test-seccomp.c b/src/test/test-seccomp.c index 023c4b6..8d23ab5 100644 --- a/src/test/test-seccomp.c +++ b/src/test/test-seccomp.c -@@ -1154,25 +1154,5 @@ static void test_restrict_suid_sgid(void) { +@@ -1154,26 +1154,5 @@ static void test_restrict_suid_sgid(void) { } int main(int argc, char *argv[]) { @@ -32,6 +32,7 @@ index 023c4b6..8d23ab5 100644 - test_memory_deny_write_execute_shmat(); - test_restrict_archs(); - test_load_syscall_filter_set_raw(); +- test_native_syscalls_filtered(); - test_lock_personality(); - test_restrict_suid_sgid(); - diff --git a/backport-test-Check-that-native-architecture-is-always-filter.patch b/backport-test-Check-that-native-architecture-is-always-filter.patch new file mode 100644 index 0000000000000000000000000000000000000000..e031198070e51590d67ab5ba16c97aef6230bdfa --- /dev/null +++ b/backport-test-Check-that-native-architecture-is-always-filter.patch 
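Review bot: Adding `test_native_syscalls_filtered();` to the removed calls means the test introduced by backport-test-Check-that-native-architecture-is-always-filter.patch is never executed. Going by the diffstat (1 insertion, 22 deletions), `main()` in src/test/test-seccomp.c appears to run none of the seccomp tests. The patch description gives neither the reason for disabling the suite nor a condition for restoring it, so "temporarily" has no end point and seccomp filter regressions would go unnoticed in this package. The commit message of the carried patch should record both, for example `Reason: <why test-seccomp fails on this build>` and `Drop this patch when: <condition>`.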
@@ -0,0 +1,95 @@ +From ef92d7fc97a543d2b7e0730f2b78d8ef2a91959c Mon Sep 17 00:00:00 2001 +From: Benjamin Berg +Date: Fri, 17 Sep 2021 14:00:39 +0200 +Subject: [PATCH] test: Check that "native" architecture is always filtered + +(cherry picked from commit 08bf703cc1511817cdf67543c3b166dc8831ba8c) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/ef92d7fc97a543d2b7e0730f2b78d8ef2a91959c +--- + src/test/test-seccomp.c | 61 +++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 61 insertions(+) + +diff --git a/src/test/test-seccomp.c b/src/test/test-seccomp.c +index 023c4b6e0e..dc3088d4b0 100644 +--- a/src/test/test-seccomp.c ++++ b/src/test/test-seccomp.c +@@ -890,6 +890,66 @@ static void test_load_syscall_filter_set_raw(void) { + assert_se(wait_for_terminate_and_check("syscallrawseccomp", pid, WAIT_LOG) == EXIT_SUCCESS); + } + ++static void test_native_syscalls_filtered(void) { ++ pid_t pid; ++ ++ log_info("/* %s */", __func__); ++ ++ if (!is_seccomp_available()) { ++ log_notice("Seccomp not available, skipping %s", __func__); ++ return; ++ } ++ if (!have_seccomp_privs()) { ++ log_notice("Not privileged, skipping %s", __func__); ++ return; ++ } ++ ++ pid = fork(); ++ assert_se(pid >= 0); ++ ++ if (pid == 0) { ++ _cleanup_set_free_ Set *arch_s = NULL; ++ _cleanup_hashmap_free_ Hashmap *s = NULL; ++ ++ /* Passing "native" or an empty set is equivalent, just do both here. 
*/ ++ assert_se(arch_s = set_new(NULL)); ++ assert_se(seccomp_restrict_archs(arch_s) >= 0); ++ assert_se(set_put(arch_s, SCMP_ARCH_NATIVE) >= 0); ++ assert_se(seccomp_restrict_archs(arch_s) >= 0); ++ ++ assert_se(access("/", F_OK) >= 0); ++ assert_se(poll(NULL, 0, 0) == 0); ++ ++ assert_se(seccomp_load_syscall_filter_set_raw(SCMP_ACT_ALLOW, NULL, scmp_act_kill_process(), true) >= 0); ++ assert_se(access("/", F_OK) >= 0); ++ assert_se(poll(NULL, 0, 0) == 0); ++ ++ assert_se(s = hashmap_new(NULL)); ++#if defined __NR_access && __NR_access >= 0 ++ assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_access + 1), INT_TO_PTR(-1)) >= 0); ++ log_debug("has access()"); ++#endif ++#if defined __NR_faccessat && __NR_faccessat >= 0 ++ assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_faccessat + 1), INT_TO_PTR(-1)) >= 0); ++ log_debug("has faccessat()"); ++#endif ++#if defined __NR_faccessat2 && __NR_faccessat2 >= 0 ++ assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_faccessat2 + 1), INT_TO_PTR(-1)) >= 0); ++ log_debug("has faccessat2()"); ++#endif ++ ++ assert_se(!hashmap_isempty(s)); ++ assert_se(seccomp_load_syscall_filter_set_raw(SCMP_ACT_ALLOW, s, SCMP_ACT_ERRNO(EUCLEAN), true) >= 0); ++ ++ assert_se(access("/", F_OK) < 0); ++ assert_se(errno == EUCLEAN); ++ ++ _exit(EXIT_SUCCESS); ++ } ++ ++ assert_se(wait_for_terminate_and_check("nativeseccomp", pid, WAIT_LOG) == EXIT_SUCCESS); ++} ++ + static void test_lock_personality(void) { + unsigned long current; + pid_t pid; +@@ -1171,6 +1231,7 @@ int main(int argc, char *argv[]) { + test_memory_deny_write_execute_shmat(); + test_restrict_archs(); + test_load_syscall_filter_set_raw(); ++ test_native_syscalls_filtered(); + test_lock_personality(); + test_restrict_suid_sgid(); + +-- +2.33.0 + diff --git a/backport-test-add-tests-for-reading-unaligned-data.patch b/backport-test-add-tests-for-reading-unaligned-data.patch new file mode 100644 index 0000000000000000000000000000000000000000..ed29eb82831cda7573c640b0239b483b6538e94e --- /dev/null 
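Review bot: The two `seccomp_restrict_archs(arch_s)` calls in the child of `test_native_syscalls_filtered` run back to back in the same process, so the set containing `SCMP_ARCH_NATIVE` is only ever applied on top of the filter already loaded for the empty set. Because loaded seccomp filters accumulate, the test cannot show that either variant works on its own, only that the combination does. Either fork one child per variant, or adjust the comment to say what is really covered: `/* Passing "native" or an empty set should be equivalent; the second call is checked on top of the first, not independently. */`.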
+++ b/backport-test-add-tests-for-reading-unaligned-data.patch 
@@ -0,0 +1,87 @@ +From 61ca9b34258e4786d9a8e68b9b28c4e794a65d1f Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Tue, 28 Sep 2021 00:48:59 +0900 +Subject: [PATCH] test: add tests for reading unaligned data + +(cherry picked from commit e620104956dff64244c0e73e86c3138c0b13b875) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/61ca9b34258e4786d9a8e68b9b28c4e794a65d1f +--- + src/libsystemd-network/test-dhcp6-client.c | 29 ++++++++++++++++------ + 1 file changed, 21 insertions(+), 8 deletions(-) + +diff --git a/src/libsystemd-network/test-dhcp6-client.c b/src/libsystemd-network/test-dhcp6-client.c +index 5d1f709f11..b22297dcd5 100644 +--- a/src/libsystemd-network/test-dhcp6-client.c ++++ b/src/libsystemd-network/test-dhcp6-client.c +@@ -156,7 +156,7 @@ static int test_parse_domain(sd_event *e) { + + static int test_option(sd_event *e) { + uint8_t packet[] = { +- 'F', 'O', 'O', ++ 'F', 'O', 'O', 'H', 'O', 'G', 'E', + 0x00, SD_DHCP6_OPTION_ORO, 0x00, 0x07, + 'A', 'B', 'C', 'D', 'E', 'F', 'G', + 0x00, SD_DHCP6_OPTION_VENDOR_CLASS, 0x00, 0x09, +@@ -164,12 +164,13 @@ static int test_option(sd_event *e) { + 'B', 'A', 'R', + }; + uint8_t result[] = { +- 'F', 'O', 'O', ++ 'F', 'O', 'O', 'H', 'O', 'G', 'E', + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 'B', 'A', 'R', + }; ++ _cleanup_free_ uint8_t *buf = NULL; + size_t offset, pos, optlen, outlen = sizeof(result); + const uint8_t *optval; + uint16_t optcode; +@@ -185,16 +186,28 @@ static int test_option(sd_event *e) { + offset = 3; + assert_se(dhcp6_option_parse(packet, 0, &offset, &optcode, &optlen, &optval) == -EBADMSG); + +- offset = 3; ++ /* Tests for reading unaligned data. 
*/ ++ assert_se(buf = new(uint8_t, sizeof(packet))); ++ for (size_t i = 0; i <= 7; i++) { ++ memcpy(buf, packet + i, sizeof(packet) - i); ++ offset = 7 - i; ++ assert_se(dhcp6_option_parse(buf, sizeof(packet), &offset, &optcode, &optlen, &optval) >= 0); ++ ++ assert_se(optcode == SD_DHCP6_OPTION_ORO); ++ assert_se(optlen == 7); ++ assert_se(optval == buf + 11 - i); ++ } ++ ++ offset = 7; + assert_se(dhcp6_option_parse(packet, sizeof(packet), &offset, &optcode, &optlen, &optval) >= 0); + + assert_se(optcode == SD_DHCP6_OPTION_ORO); + assert_se(optlen == 7); +- assert_se(optval == packet + 7); ++ assert_se(optval == packet + 11); + +- pos = 3; +- outlen -= 3; +- out = &result[3]; ++ pos = 7; ++ outlen -= 7; ++ out = &result[pos]; + + assert_se(dhcp6_option_append(&out, &outlen, optcode, optlen, optval) >= 0); + +@@ -206,7 +219,7 @@ static int test_option(sd_event *e) { + + assert_se(optcode == SD_DHCP6_OPTION_VENDOR_CLASS); + assert_se(optlen == 9); +- assert_se(optval == packet + 18); ++ assert_se(optval == packet + 22); + + assert_se(dhcp6_option_append(&out, &outlen, optcode, optlen, optval) >= 0); + +-- +2.33.0 + diff --git a/backport-test-do-not-use-alloca-in-function-call.patch b/backport-test-do-not-use-alloca-in-function-call.patch new file mode 100644 index 0000000000000000000000000000000000000000..3cf5457f1a4c1a632d646eae0f7c0c96ff61f847 --- /dev/null +++ b/backport-test-do-not-use-alloca-in-function-call.patch 
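Review bot: In the unaligned-read loop, `dhcp6_option_parse(buf, sizeof(packet), ...)` is given a length of `sizeof(packet)` although only `sizeof(packet) - i` bytes were copied in that iteration. The last `i` bytes of `buf` are leftovers from the previous pass. The option being parsed lies inside the copied region, so the assertions hold, but the length passed to a parser should match the valid data: `assert_se(dhcp6_option_parse(buf, sizeof(packet) - i, &offset, &optcode, &optlen, &optval) >= 0);`. `test_option` starts before and continues after the hunks shown.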
@@ -0,0 +1,39 @@ +From 5f326b0388d4b0a7fcab8cedca255e93a6e311f4 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Sun, 24 Oct 2021 00:16:57 +0900 +Subject: [PATCH] test: do not use alloca() in function call + +(cherry picked from commit 4150584e63562616e16242f7b1016c0e642fb59e) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/5f326b0388d4b0a7fcab8cedca255e93a6e311f4 +--- + src/test/test-path.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/src/test/test-path.c b/src/test/test-path.c +index 490fb136a7..88457d177f 100644 +--- a/src/test/test-path.c ++++ b/src/test/test-path.c +@@ -306,7 +306,7 @@ static void test_path_unit(Manager *m) { + } + + static void test_path_directorynotempty(Manager *m) { +- const char *test_path = "/tmp/test-path_directorynotempty/"; ++ const char *test_file, *test_path = "/tmp/test-path_directorynotempty/"; + Unit *unit = NULL; + Path *path = NULL; + Service *service = NULL; +@@ -328,7 +328,8 @@ static void test_path_directorynotempty(Manager *m) { + assert_se(access(test_path, F_OK) < 0); + + assert_se(mkdir_p(test_path, 0755) >= 0); +- assert_se(touch(strjoina(test_path, "test_file")) >= 0); ++ test_file = strjoina(test_path, "test_file"); ++ assert_se(touch(test_file) >= 0); + if (check_states(m, path, service, PATH_RUNNING, SERVICE_RUNNING) < 0) + return; + +-- +2.33.0 + diff --git a/backport-test-fileio-test-read_virtual_file-with-more-files-f.patch b/backport-test-fileio-test-read_virtual_file-with-more-files-f.patch new file mode 100644 index 0000000000000000000000000000000000000000..c1b91219ca189213a71a4f6b65eb7e9198f1c231 --- /dev/null +++ b/backport-test-fileio-test-read_virtual_file-with-more-files-f.patch 
@@ -0,0 +1,53 @@ +From dd6cb364bcc58b390671d4ee2ed7b30f4a5dced8 Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Thu, 16 Sep 2021 11:31:52 +0200 +Subject: [PATCH] test-fileio: test read_virtual_file() with more files from + /proc + +i.e. let's pick some files we know are too large, or where struct stat's +.st_size is zero even though non-empty, and test read_virtual_file() +with that, to ensure things are handled sensibly. Goal is to ensure all +three major codepaths in read_virtual_file() are tested. + +Prompted-by: #20743 +(cherry picked from commit f3b751220bb842ce22a4f607d817f481f0961d40) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/dd6cb364bcc58b390671d4ee2ed7b30f4a5dced8 +--- + src/test/test-fileio.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/src/test/test-fileio.c b/src/test/test-fileio.c +index 321b544448..c8d5bf6914 100644 +--- a/src/test/test-fileio.c ++++ b/src/test/test-fileio.c +@@ -1028,7 +1028,11 @@ static void test_read_virtual_file(size_t max_size) { + FOREACH_STRING(filename, + "/proc/1/cmdline", + "/etc/nsswitch.conf", +- "/sys/kernel/uevent_seqnum") { ++ "/sys/kernel/uevent_seqnum", ++ "/proc/kcore", ++ "/proc/kallsyms", ++ "/proc/self/exe", ++ "/proc/self/pagemap") { + + _cleanup_free_ char *buf = NULL; + size_t size = 0; +@@ -1036,7 +1040,11 @@ static void test_read_virtual_file(size_t max_size) { + r = read_virtual_file(filename, max_size, &buf, &size); + if (r < 0) { + log_info_errno(r, "read_virtual_file(\"%s\", %zu): %m", filename, max_size); +- assert_se(ERRNO_IS_PRIVILEGE(r) || r == -ENOENT); ++ assert_se(ERRNO_IS_PRIVILEGE(r) || /* /proc/kcore is not accessible to unpriv */ ++ IN_SET(r, ++ -ENOENT, /* Some of the files might be absent */ ++ -EINVAL, /* too small reads from /proc/self/pagemap trigger EINVAL */ ++ -EFBIG)); /* /proc/kcore and /proc/self/pagemap should be too large */ + } else + log_info("read_virtual_file(\"%s\", %zu): %s (%zu bytes)", filename, 
max_size, r ? "non-truncated" : "truncated", size); + } +-- +2.33.0 + diff --git a/backport-test-fix-file-descriptor-leak-in-test-catalog.patch b/backport-test-fix-file-descriptor-leak-in-test-catalog.patch new file mode 100644 index 0000000000000000000000000000000000000000..cb8f7b0836ce6c0fa520513dc14dd271cbda450f --- /dev/null +++ b/backport-test-fix-file-descriptor-leak-in-test-catalog.patch @@ -0,0 +1,40 @@ +From 4ad43ef47147039b63a1a86c08087c7ced97d10c Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Tue, 22 Feb 2022 21:11:51 +0900 +Subject: [PATCH] test: fix file descriptor leak in test-catalog + +Fixes an issue reported in #22576. + +(cherry picked from commit 62d4b3b36e9aba9e605ba042a75c374155b6e18b) +(cherry picked from commit 92b86911c0c877e6b61d06dfe3ad20046e10d8e8) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/4ad43ef47147039b63a1a86c08087c7ced97d10c +--- + src/libsystemd/sd-journal/test-catalog.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/src/libsystemd/sd-journal/test-catalog.c b/src/libsystemd/sd-journal/test-catalog.c +index 316c3b1634..ad06221175 100644 +--- a/src/libsystemd/sd-journal/test-catalog.c ++++ b/src/libsystemd/sd-journal/test-catalog.c +@@ -196,6 +196,7 @@ static void test_catalog_file_lang(void) { + + int main(int argc, char *argv[]) { + _cleanup_(unlink_tempfilep) char database[] = "/tmp/test-catalog.XXXXXX"; ++ _cleanup_close_ int fd = -1; + _cleanup_free_ char *text = NULL; + int r; + +@@ -218,7 +219,7 @@ int main(int argc, char *argv[]) { + test_catalog_import_merge(); + test_catalog_import_merge_no_body(); + +- assert_se(mkostemp_safe(database) >= 0); ++ assert_se((fd = mkostemp_safe(database)) >= 0); + + test_catalog_update(database); + +-- +2.33.0 + 
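Review bot: The widened `IN_SET(r, -ENOENT, -EINVAL, -EFBIG)` in `test_read_virtual_file` applies to every entry of the `FOREACH_STRING` list. That means `/proc/1/cmdline`, `/etc/nsswitch.conf` or `/sys/kernel/uevent_seqnum` failing with -EINVAL or -EFBIG would now pass, although the inline comments tie those codes to `/proc/kcore` and `/proc/self/pagemap` only. Tying each tolerated error to the files it is expected from keeps the original coverage, for example `(r == -EFBIG && STR_IN_SET(filename, "/proc/kcore", "/proc/self/pagemap"))` and `(r == -EINVAL && streq(filename, "/proc/self/pagemap"))`. Whether other listed files can legitimately return these codes for small `max_size` values should be confirmed before narrowing.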
diff --git a/backport-test-fix-file-descriptor-leak-in-test-fs-util.patch b/backport-test-fix-file-descriptor-leak-in-test-fs-util.patch new file mode 100644 index 0000000000000000000000000000000000000000..f9e1cd1543bc8e5e7374b73e237659982042939a --- /dev/null +++ b/backport-test-fix-file-descriptor-leak-in-test-fs-util.patch @@ -0,0 +1,52 @@ +From 4a247759a008f0a80f03a80c78efcde2e23e5ae5 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Tue, 22 Feb 2022 21:42:22 +0900 +Subject: [PATCH] test: fix file descriptor leak in test-fs-util + +Fixes an issue reported in #22576. + +(cherry picked from commit 19962747ca86a25e7102c536380bb2e9d7cfee9a) +(cherry picked from commit cfe1cd0a066b29e5508b4a2c388fd919fd5e0c9f) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/4a247759a008f0a80f03a80c78efcde2e23e5ae5 +--- + src/test/test-fs-util.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/src/test/test-fs-util.c b/src/test/test-fs-util.c +index a24558f25b..98ce3d96ef 100644 +--- a/src/test/test-fs-util.c ++++ b/src/test/test-fs-util.c +@@ -27,10 +27,11 @@ static const char *arg_test_dir = NULL; + + static void test_chase_symlinks(void) { + _cleanup_free_ char *result = NULL; ++ _cleanup_close_ int pfd = -1; + char *temp; + const char *top, *p, *pslash, *q, *qslash; + struct stat st; +- int r, pfd; ++ int r; + + log_info("/* %s */", __func__); + +@@ -318,6 +319,7 @@ static void test_chase_symlinks(void) { + assert_se(fstat(pfd, &st) >= 0); + assert_se(S_ISLNK(st.st_mode)); + result = mfree(result); ++ pfd = safe_close(pfd); + + /* s1 -> s2 -> nonexistent */ + q = strjoina(temp, "/s1"); +@@ -331,6 +333,7 @@ static void test_chase_symlinks(void) { + assert_se(fstat(pfd, &st) >= 0); + assert_se(S_ISLNK(st.st_mode)); + result = mfree(result); ++ pfd = safe_close(pfd); + + /* Test CHASE_STEP */ + +-- +2.33.0 + 
diff --git a/backport-test-fix-file-descriptor-leak-in-test-oomd-util.patch b/backport-test-fix-file-descriptor-leak-in-test-oomd-util.patch new file mode 100644 index 0000000000000000000000000000000000000000..7cb7219aeae6dbd8f6f1a21725f2ecc05e8bc46a --- /dev/null +++ b/backport-test-fix-file-descriptor-leak-in-test-oomd-util.patch 
@@ -0,0 +1,54 @@ +From 95def20d81c030e36046770f55840191ff98c91a Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Tue, 22 Feb 2022 21:38:15 +0900 +Subject: [PATCH] test: fix file descriptor leak in test-oomd-util + +Fixes an issue reported in #22576. + +(cherry picked from commit 282696ce52471f5e3c963b9d98dbc89fba3a1fba) +(cherry picked from commit 55ec995341e6a2d554bc69a1eddb097d21d8084f) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/95def20d81c030e36046770f55840191ff98c91a +--- + src/oom/test-oomd-util.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/src/oom/test-oomd-util.c b/src/oom/test-oomd-util.c +index a152387a26..2c2ee114b1 100644 +--- a/src/oom/test-oomd-util.c ++++ b/src/oom/test-oomd-util.c +@@ -5,6 +5,7 @@ + #include "alloc-util.h" + #include "cgroup-setup.h" + #include "cgroup-util.h" ++#include "fd-util.h" + #include "fileio.h" + #include "fs-util.h" + #include "oomd-util.h" +@@ -13,6 +14,7 @@ + #include "string-util.h" + #include "strv.h" + #include "tests.h" ++#include "tmpfile-util.h" + + static int fork_and_sleep(unsigned sleep_min) { + usec_t n, timeout, ts; +@@ -244,12 +246,13 @@ static void test_oomd_update_cgroup_contexts_between_hashmaps(void) { + + static void test_oomd_system_context_acquire(void) { + _cleanup_(unlink_tempfilep) char path[] = "/oomdgetsysctxtestXXXXXX"; ++ _cleanup_close_ int fd = -1; + OomdSystemContext ctx; + + if (geteuid() != 0) + return (void) log_tests_skipped("not root"); + +- assert_se(mkstemp(path)); ++ assert_se((fd = mkostemp_safe(path)) >= 0); + + assert_se(oomd_system_context_acquire("/verylikelynonexistentpath", &ctx) == -ENOENT); + +-- +2.33.0 + diff --git a/backport-test-fix-file-descriptor-leak-in-test-psi-util.patch b/backport-test-fix-file-descriptor-leak-in-test-psi-util.patch new file mode 100644 index 0000000000000000000000000000000000000000..5d6bcb9970888645e8dab0d21487d13812c94715 --- /dev/null 
+++ b/backport-test-fix-file-descriptor-leak-in-test-psi-util.patch @@ -0,0 +1,47 @@ +From eb760f4875afd75c433961c0a9bf00b1883e5d35 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Tue, 22 Feb 2022 21:46:41 +0900 +Subject: [PATCH] test: fix file descriptor leak in test-psi-util + +Fixes an issue reported in #22576. + +(cherry picked from commit be99883e131ef422f8278ec1d099520996a78bb0) +(cherry picked from commit 81d3e2abff5f4234e06ceb6590d0c9939d8d97b4) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/eb760f4875afd75c433961c0a9bf00b1883e5d35 +--- + src/test/test-psi-util.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/src/test/test-psi-util.c b/src/test/test-psi-util.c +index c636cf255b..026f6aa1ab 100644 +--- a/src/test/test-psi-util.c ++++ b/src/test/test-psi-util.c +@@ -3,19 +3,22 @@ + #include + + #include "alloc-util.h" ++#include "fd-util.h" + #include "fileio.h" + #include "fs-util.h" + #include "psi-util.h" + #include "tests.h" ++#include "tmpfile-util.h" + + static void test_read_mem_pressure(void) { + _cleanup_(unlink_tempfilep) char path[] = "/tmp/pressurereadtestXXXXXX"; ++ _cleanup_close_ int fd = -1; + ResourcePressure rp; + + if (geteuid() != 0) + return (void) log_tests_skipped("not root"); + +- assert_se(mkstemp(path)); ++ assert_se((fd = mkostemp_safe(path)) >= 0); + + assert_se(read_resource_pressure("/verylikelynonexistentpath", PRESSURE_TYPE_SOME, &rp) < 0); + assert_se(read_resource_pressure(path, PRESSURE_TYPE_SOME, &rp) < 0); +-- +2.33.0 + diff --git a/backport-test-fix-file-descriptor-leak-in-test-tmpfiles.c.patch b/backport-test-fix-file-descriptor-leak-in-test-tmpfiles.c.patch new file mode 100644 index 0000000000000000000000000000000000000000..cdcf73ba0a5a2e163d4639dbf6a0adea170ffa9a --- /dev/null +++ b/backport-test-fix-file-descriptor-leak-in-test-tmpfiles.c.patch 
@@ -0,0 +1,42 @@ +From 40e43b290473aac1737f64b84194c5fc6b8210cf Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Tue, 22 Feb 2022 21:44:58 +0900 +Subject: [PATCH] test: fix file descriptor leak in test-tmpfiles.c + +Also fixes a typo in assertion. + +Fixes an issure reported in #22576. + +(cherry picked from commit 1da5325d19dee654326e5fa2f61262e5e0a40fff) +(cherry picked from commit d9189c31117e159f7bae9233863aa88a02159e14) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/40e43b290473aac1737f64b84194c5fc6b8210cf +--- + src/test/test-tmpfiles.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/src/test/test-tmpfiles.c b/src/test/test-tmpfiles.c +index 4c3389af8c..0ac2b7f599 100644 +--- a/src/test/test-tmpfiles.c ++++ b/src/test/test-tmpfiles.c +@@ -37,7 +37,7 @@ int main(int argc, char** argv) { + assert_se(endswith(ans, " (deleted)")); + + fd2 = mkostemp_safe(pattern); +- assert_se(fd >= 0); ++ assert_se(fd2 >= 0); + assert_se(unlink(pattern) == 0); + + assert_se(asprintf(&cmd2, "ls -l /proc/"PID_FMT"/fd/%d", getpid_cached(), fd2) > 0); +@@ -49,6 +49,7 @@ int main(int argc, char** argv) { + pattern = strjoina(p, "/tmpfiles-test"); + assert_se(tempfn_random(pattern, NULL, &d) >= 0); + ++ fd = safe_close(fd); + fd = open_tmpfile_linkable(d, O_RDWR|O_CLOEXEC, &tmp); + assert_se(fd >= 0); + assert_se(write(fd, "foobar\n", 7) == 7); +-- +2.33.0 + diff --git a/backport-test-journal-flush-allow-testing-against-specific-fi.patch b/backport-test-journal-flush-allow-testing-against-specific-fi.patch new file mode 100644 index 0000000000000000000000000000000000000000..6bfe71befb5b12c189cc19bcd9909da2468392c3 --- /dev/null +++ b/backport-test-journal-flush-allow-testing-against-specific-fi.patch 
@@ -0,0 +1,39 @@ +From bb29932a4172810357597175a62cb4c8cbd1087c Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Fri, 26 Nov 2021 09:40:51 +0100 +Subject: [PATCH] test-journal-flush: allow testing against specific files +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +>=0 → ==0 because sd_journal_open* are documented to return 0. + +(cherry picked from commit 0fa167cd58b5a4ffe16a332131df70bf77edddbe) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/bb29932a4172810357597175a62cb4c8cbd1087c +--- + src/libsystemd/sd-journal/test-journal-flush.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/src/libsystemd/sd-journal/test-journal-flush.c b/src/libsystemd/sd-journal/test-journal-flush.c +index dad277dd66..aa814225dd 100644 +--- a/src/libsystemd/sd-journal/test-journal-flush.c ++++ b/src/libsystemd/sd-journal/test-journal-flush.c +@@ -29,8 +29,11 @@ int main(int argc, char *argv[]) { + r = journal_file_open(-1, fn, O_CREAT|O_RDWR, 0644, false, 0, false, NULL, NULL, NULL, NULL, &new_journal); + assert_se(r >= 0); + +- r = sd_journal_open(&j, 0); +- assert_se(r >= 0); ++ if (argc > 1) ++ r = sd_journal_open_files(&j, (const char **) strv_skip(argv, 1), 0); ++ else ++ r = sd_journal_open(&j, 0); ++ assert_se(r == 0); + + sd_journal_set_data_threshold(j, 0); + +-- +2.33.0 + diff --git a/backport-test-journal-flush-do-not-croak-on-corrupted-input-f.patch b/backport-test-journal-flush-do-not-croak-on-corrupted-input-f.patch new file mode 100644 index 0000000000000000000000000000000000000000..4e3edc65ebf31c6811e02a9cee52a9d342502056 --- /dev/null +++ b/backport-test-journal-flush-do-not-croak-on-corrupted-input-f.patch 
@@ -0,0 +1,44 @@
+From 0d98afa9548873669531fb3f8aa0f1ab56455411 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?=
+Date: Fri, 26 Nov 2021 09:46:02 +0100
+Subject: [PATCH] test-journal-flush: do not croak on corrupted input files
+
+We would fail if the input file was corrupted:
+build/test-journal-flush ./system@0005b7dac334f805-0021aca076ae5c5e.journal\~
+journal_file_copy_entry failed: Bad message
+Assertion 'r >= 0' failed at src/libsystemd/sd-journal/test-journal-flush.c:55, function main(). Aborting.
+[1] 619472 IOT instruction (core dumped) build/test-journal-flush ./system@0005b7dac334f805-0021aca076ae5c5e.journal\~
+
+Let's skip some "reasonable" errors.
+
+Fixes #17963.
+
+(cherry picked from commit b4046d55570ff0e23d16f7e2912e7ef0a55b25d8)
+
+Conflict:NA
+Reference:https://github.com/systemd/systemd/commit/0d98afa9548873669531fb3f8aa0f1ab56455411
+---
+ src/libsystemd/sd-journal/test-journal-flush.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/src/libsystemd/sd-journal/test-journal-flush.c b/src/libsystemd/sd-journal/test-journal-flush.c
+index aa814225dd..c6fb65791e 100644
+--- a/src/libsystemd/sd-journal/test-journal-flush.c
++++ b/src/libsystemd/sd-journal/test-journal-flush.c
+@@ -51,8 +51,11 @@ int main(int argc, char *argv[]) {
+
+ r = journal_file_copy_entry(f, new_journal, o, f->current_offset);
+ if (r < 0)
+- log_error_errno(r, "journal_file_copy_entry failed: %m");
+- assert_se(r >= 0);
++ log_warning_errno(r, "journal_file_copy_entry failed: %m");
++ assert_se(r >= 0 ||
++ IN_SET(r, -EBADMSG, /* corrupted file */
++ -EPROTONOSUPPORT, /* unsupported compression */
++ -EIO)); /* file rotated */
+
+ if (++n >= 10000)
+ break;
+--
+2.33.0
+
diff --git a/backport-test-journal-send-close-fd-opend-by-syslog.patch b/backport-test-journal-send-close-fd-opend-by-syslog.patch
new file mode 100644
index 0000000000000000000000000000000000000000..9ca6330716e7d864662d0d7fea27a3a88e8d1fba
--- /dev/null
+++ b/backport-test-journal-send-close-fd-opend-by-syslog.patch
@@ -0,0 +1,34 @@
+From e1cc12ee2ba089bc126764be509b6b0ed8e8a68b Mon Sep 17 00:00:00 2001
+From: Yu Watanabe
+Date: Wed, 23 Feb 2022 01:52:29 +0900
+Subject: [PATCH] test-journal-send: close fd opend by syslog()
+
+Fixes an issue reported in #22576.
+
+(cherry picked from commit 9048a6ccf3bd4f6794fc1ac9a838e1a0bfbcabf1)
+(cherry picked from commit 4d24a369908f9915757632fa196deda14c172f9e)
+
+Conflict:NA
+Reference:https://github.com/systemd/systemd/commit/e1cc12ee2ba089bc126764be509b6b0ed8e8a68b
+---
+ src/libsystemd/sd-journal/test-journal-send.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/libsystemd/sd-journal/test-journal-send.c b/src/libsystemd/sd-journal/test-journal-send.c
+index 75bd8e7b85..b6644e65c1 100644
+--- a/src/libsystemd/sd-journal/test-journal-send.c
++++ b/src/libsystemd/sd-journal/test-journal-send.c
+@@ -90,6 +90,10 @@ static void test_journal_send(void) {
+ assert_se(sd_journal_sendv(graph2, 1) == 0);
+ assert_se(sd_journal_sendv(message1, 1) == 0);
+ assert_se(sd_journal_sendv(message2, 1) == 0);
++
++ /* The above syslog() opens a fd which is stored in libc, and the valgrind reports the fd is
++ * leaked when we do not call closelog(). */
++ closelog();
+ }
+
+ int main(int argc, char *argv[]) {
+--
+2.33.0
+
diff --git a/backport-test-oomd-util-fix-conditional-jump-on-uninitialised.patch b/backport-test-oomd-util-fix-conditional-jump-on-uninitialised.patch
new file mode 100644
index 0000000000000000000000000000000000000000..544a1f681c2f10e9023c23bba4d9875a5f3095c4
--- /dev/null
+++ b/backport-test-oomd-util-fix-conditional-jump-on-uninitialised.patch
@@ -0,0 +1,32 @@
+From bb0bb8afe78c699a1334fdd7df78d71427596d2e Mon Sep 17 00:00:00 2001
+From: Yu Watanabe
+Date: Tue, 22 Feb 2022 20:23:58 +0900
+Subject: [PATCH] test-oomd-util: fix conditional jump on uninitialised value
+
+Fixes #22577.
+
+(cherry picked from commit a6d6a51d83fae32212e1780e71b16517a4df9a57)
+(cherry picked from commit b10cc2de7dc6ac8d7d72d576100dd3a37ddb588a)
+
+Conflict:NA
+Reference:https://github.com/systemd/systemd/commit/bb0bb8afe78c699a1334fdd7df78d71427596d2e
+---
+ src/oom/test-oomd-util.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/oom/test-oomd-util.c b/src/oom/test-oomd-util.c
+index 02034c1293..a152387a26 100644
+--- a/src/oom/test-oomd-util.c
++++ b/src/oom/test-oomd-util.c
+@@ -283,7 +283,7 @@ static void test_oomd_system_context_acquire(void) {
+ static void test_oomd_pressure_above(void) {
+ _cleanup_hashmap_free_ Hashmap *h1 = NULL, *h2 = NULL;
+ _cleanup_set_free_ Set *t1 = NULL, *t2 = NULL, *t3 = NULL;
+- OomdCGroupContext ctx[2], *c;
++ OomdCGroupContext ctx[2] = {}, *c;
+ loadavg_t threshold;
+
+ assert_se(store_loadavg_fixed_point(80, 0, &threshold) == 0);
+--
+2.33.0
+
diff --git a/backport-test-oomd-util-skip-tests-if-cgroup-memory-controlle.patch b/backport-test-oomd-util-skip-tests-if-cgroup-memory-controlle.patch
new file mode 100644
index 0000000000000000000000000000000000000000..51ab68268ab334ff942011c78daec25ee96ffc9c
--- /dev/null
+++ b/backport-test-oomd-util-skip-tests-if-cgroup-memory-controlle.patch
@@ -0,0 +1,43 @@
+From 38787a985396277058a20ac0c6f66fd1377d0737 Mon Sep 17 00:00:00 2001
+From: Yu Watanabe
+Date: Sat, 11 Sep 2021 20:37:50 +0900
+Subject: [PATCH] test-oomd-util: skip tests if cgroup memory controller is not
+ available
+
+Fixes #20593 and #20655.
+
+(cherry picked from commit 8b2e22579a6549ab8423858819703fc142862bcb)
+
+Conflict:NA
+Reference:https://github.com/systemd/systemd/commit/38787a985396277058a20ac0c6f66fd1377d0737
+---
+ src/oom/test-oomd-util.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/oom/test-oomd-util.c b/src/oom/test-oomd-util.c
+index 776c65820e..29f2c54ab1 100644
+--- a/src/oom/test-oomd-util.c
++++ b/src/oom/test-oomd-util.c
+@@ -90,6 +90,7 @@ static void test_oomd_cgroup_context_acquire_and_insert(void) {
+ _cleanup_free_ char *cgroup = NULL;
+ ManagedOOMPreference root_pref;
+ OomdCGroupContext *c1, *c2;
++ CGroupMask mask;
+ bool test_xattrs;
+ int root_xattrs, r;
+
+@@ -102,6 +103,11 @@ static void test_oomd_cgroup_context_acquire_and_insert(void) {
+ if (cg_all_unified() <= 0)
+ return (void) log_tests_skipped("cgroups are not running in unified mode");
+
++ assert_se(cg_mask_supported(&mask) >= 0);
++
++ if (!FLAGS_SET(mask, CGROUP_MASK_MEMORY))
++ return (void) log_tests_skipped("cgroup memory controller is not available");
++
+ assert_se(cg_pid_get_path(NULL, 0, &cgroup) >= 0);
+
+ /* If we don't have permissions to set xattrs we're likely in a userns or missing capabilities
+--
+2.33.0
+
diff --git a/backport-test-oomd-util-style-fixlets.patch b/backport-test-oomd-util-style-fixlets.patch
new file mode 100644
index 0000000000000000000000000000000000000000..55f80c202fd3e0a429d50fc548a48c7a46c8a17f
--- /dev/null
+++ b/backport-test-oomd-util-style-fixlets.patch
@@ -0,0 +1,52 @@ +From 76b5fae410a2434e8fadab07700d1480566e8ddd Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Tue, 22 Feb 2022 20:21:45 +0900 +Subject: [PATCH] test-oomd-util: style fixlets + +(cherry picked from commit d9fe39b24a0a5464c83c7a754752ca21dbd2578f) +(cherry picked from commit 1343c2efd5401aa52f7790fff4ad7e2d70173f01) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/76b5fae410a2434e8fadab07700d1480566e8ddd +--- + src/oom/test-oomd-util.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/src/oom/test-oomd-util.c b/src/oom/test-oomd-util.c +index 29f2c54ab1..02034c1293 100644 +--- a/src/oom/test-oomd-util.c ++++ b/src/oom/test-oomd-util.c +@@ -300,12 +300,11 @@ static void test_oomd_pressure_above(void) { + assert_se(store_loadavg_fixed_point(1, 11, &(ctx[1].memory_pressure.avg300)) == 0); + ctx[1].mem_pressure_limit = threshold; + +- + /* High memory pressure */ + assert_se(h1 = hashmap_new(&string_hash_ops)); + assert_se(hashmap_put(h1, "/herp.slice", &ctx[0]) >= 0); + assert_se(oomd_pressure_above(h1, 0 /* duration */, &t1) == 1); +- assert_se(set_contains(t1, &ctx[0]) == true); ++ assert_se(set_contains(t1, &ctx[0])); + assert_se(c = hashmap_get(h1, "/herp.slice")); + assert_se(c->mem_pressure_limit_hit_start > 0); + +@@ -313,14 +312,14 @@ static void test_oomd_pressure_above(void) { + assert_se(h2 = hashmap_new(&string_hash_ops)); + assert_se(hashmap_put(h2, "/derp.slice", &ctx[1]) >= 0); + assert_se(oomd_pressure_above(h2, 0 /* duration */, &t2) == 0); +- assert_se(t2 == NULL); ++ assert_se(!t2); + assert_se(c = hashmap_get(h2, "/derp.slice")); + assert_se(c->mem_pressure_limit_hit_start == 0); + + /* High memory pressure w/ multiple cgroups */ + assert_se(hashmap_put(h1, "/derp.slice", &ctx[1]) >= 0); + assert_se(oomd_pressure_above(h1, 0 /* duration */, &t3) == 1); +- assert_se(set_contains(t3, &ctx[0]) == true); ++ assert_se(set_contains(t3, &ctx[0])); + assert_se(set_size(t3) == 1); + 
assert_se(c = hashmap_get(h1, "/herp.slice")); + assert_se(c->mem_pressure_limit_hit_start > 0); +-- +2.33.0 + diff --git a/backport-test-use-a-less-restrictive-portable-profile-when-ru.patch b/backport-test-use-a-less-restrictive-portable-profile-when-ru.patch new file mode 100644 index 0000000000000000000000000000000000000000..272bed12daa047292f3a9473de0ceedd37dc6f54 --- /dev/null +++ b/backport-test-use-a-less-restrictive-portable-profile-when-ru.patch 
@@ -0,0 +1,92 @@
+From 9dbdd33ffa824934962ebe61d03a9f727a1c416c Mon Sep 17 00:00:00 2001
+From: Frantisek Sumsal
+Date: Thu, 30 Sep 2021 14:14:19 +0200
+Subject: [PATCH] test: use a less restrictive portable profile when running w/
+ sanitizers
+
+Since f833df3 we now actually use the seccomp rules defined in portable
+profiles. However, the default one is too restrictive for sanitizers, as
+it blocks certain syscall required by LSan. Mitigate this by using the
+'trusted' profile when running TEST-29-PORTABLE under sanitizers.
+
+Conflict:NA
+Reference:https://github.com/systemd/systemd/commit/9dbdd33ffa824934962ebe61d03a9f727a1c416c
+---
+ test/units/testsuite-29.sh | 21 ++++++++++++++-------
+ 1 file changed, 14 insertions(+), 7 deletions(-)
+
+diff --git a/test/units/testsuite-29.sh b/test/units/testsuite-29.sh
+index 3408e6d71a..549fc2663c 100755
+--- a/test/units/testsuite-29.sh
++++ b/test/units/testsuite-29.sh
+@@ -4,9 +4,16 @@
+ set -eux
+ set -o pipefail
+
++ARGS=()
++if [[ -v ASAN_OPTIONS || -v UBSAN_OPTIONS ]]; then
++ # If we're running under sanitizers, we need to use a less restrictive
++ # profile, otherwise LSan syscall would get blocked by seccomp
++ ARGS+=(--profile=trusted)
++fi
++
+ export SYSTEMD_LOG_LEVEL=debug
+
+-portablectl attach --now --runtime /usr/share/minimal_0.raw app0
++portablectl "${ARGS[@]}" attach --now --runtime /usr/share/minimal_0.raw app0
+
+ systemctl is-active app0.service
+ systemctl is-active app0-foo.service
+@@ -16,7 +23,7 @@ systemctl is-active app0-bar.service && exit 1
+ set -e
+ set -o pipefail
+
+-portablectl reattach --now --runtime /usr/share/minimal_1.raw app0
++portablectl "${ARGS[@]}" reattach --now --runtime /usr/share/minimal_1.raw app0
+
+ systemctl is-active app0.service
+ systemctl is-active app0-bar.service
+@@ -37,7 +44,7 @@ portablectl list | grep -q -F "No images."
+ unsquashfs -dest /tmp/minimal_0 /usr/share/minimal_0.raw
+ unsquashfs -dest /tmp/minimal_1 /usr/share/minimal_1.raw
+
+-portablectl attach --copy=symlink --now --runtime /tmp/minimal_0 app0
++portablectl "${ARGS[@]}" attach --copy=symlink --now --runtime /tmp/minimal_0 app0
+
+ systemctl is-active app0.service
+ systemctl is-active app0-foo.service
+@@ -47,7 +54,7 @@ systemctl is-active app0-bar.service && exit 1
+ set -e
+ set -o pipefail
+
+-portablectl reattach --now --enable --runtime /tmp/minimal_1 app0
++portablectl "${ARGS[@]}" reattach --now --enable --runtime /tmp/minimal_1 app0
+
+ systemctl is-active app0.service
+ systemctl is-active app0-bar.service
+@@ -66,11 +73,11 @@ portablectl list | grep -q -F "No images."
+ root="/usr/share/minimal_0.raw"
+ app1="/usr/share/app1.raw"
+
+-portablectl attach --now --runtime --extension ${app1} ${root} app1
++portablectl "${ARGS[@]}" attach --now --runtime --extension ${app1} ${root} app1
+
+ systemctl is-active app1.service
+
+-portablectl reattach --now --runtime --extension ${app1} ${root} app1
++portablectl "${ARGS[@]}" reattach --now --runtime --extension ${app1} ${root} app1
+
+ systemctl is-active app1.service
+
+@@ -83,7 +90,7 @@ mount ${app1} /tmp/app1
+ mount ${root} /tmp/rootdir
+ mount -t overlay overlay -o lowerdir=/tmp/app1:/tmp/rootdir /tmp/overlay
+
+-portablectl attach --copy=symlink --now --runtime /tmp/overlay app1
++portablectl "${ARGS[@]}" attach --copy=symlink --now --runtime /tmp/overlay app1
+
+ systemctl is-active app1.service
+
+--
+2.33.0
+
diff --git a/backport-test-watchdog-mark-as-unsafe.patch b/backport-test-watchdog-mark-as-unsafe.patch
new file mode 100644
index 0000000000000000000000000000000000000000..7012938b5c00247813b3750b3faa98d0cc1c32bf
--- /dev/null
+++ b/backport-test-watchdog-mark-as-unsafe.patch
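Review bot: Every `portablectl "${ARGS[@]}" …` call in these hunks expands the array while it is still empty on a non-sanitizer run, and the script runs under `set -eux`; bash releases older than 4.4 treat an empty-array expansion as an unbound variable under `set -u`, so the first attach would abort there. If such shells matter for the test images, the guarded form `portablectl ${ARGS[@]+"${ARGS[@]}"} attach --now --runtime /usr/share/minimal_0.raw app0` behaves the same on old and new bash; otherwise a comment above `ARGS=()` stating the minimum bash version is enough. The comment inside the `if` block could also say that sanitizer runs then stop exercising the default profile's seccomp filter, so that coverage presumably has to come from the non-sanitizer run.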
@@ -0,0 +1,36 @@
+From 7f7ad0e691eb2a05e7f319be8d098af760258dcd Mon Sep 17 00:00:00 2001
+From: Mike Gilbert
+Date: Tue, 4 Jan 2022 23:43:10 -0500
+Subject: [PATCH] test-watchdog: mark as unsafe
+
+If something goes wrong with this test it may result in an unsafe
+system restart. Let's avoid running it automatically.
+
+See https://github.com/systemd/systemd/issues/22001.
+
+(cherry picked from commit 70652c2a6fa9c06c7faac62f41c72e2e4eaa9340)
+(cherry picked from commit 4c0ed19c520a8944f68f613edc3acbd0471dcc81)
+
+Conflict:NA
+Reference:https://github.com/systemd/systemd/commit/7f7ad0e691eb2a05e7f319be8d098af760258dcd
+---
+ src/test/meson.build | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/test/meson.build b/src/test/meson.build
+index 64dbb82002..a327a1f8f9 100644
+--- a/src/test/meson.build
++++ b/src/test/meson.build
+@@ -521,7 +521,8 @@ tests += [
+ [],
+ core_includes, '', 'manual'],
+
+- [['src/test/test-watchdog.c']],
++ [['src/test/test-watchdog.c'],
++ [], [], [], '', 'unsafe'],
+
+ [['src/test/test-sched-prio.c'],
+ [libcore,
+--
+2.33.0
+
diff --git a/backport-tests-add-test-case-for-UMask-BindPaths-combination.patch b/backport-tests-add-test-case-for-UMask-BindPaths-combination.patch
new file mode 100644
index 0000000000000000000000000000000000000000..463c48dd204246d6807f3b7e4eff71a0902f35dc
--- /dev/null
+++ b/backport-tests-add-test-case-for-UMask-BindPaths-combination.patch
@@ -0,0 +1,61 @@
+From ae53f4b5e48860b473c4d05958486a77f84ecc6d Mon Sep 17 00:00:00 2001
+From: Lennart Poettering
+Date: Fri, 12 Nov 2021 13:41:59 +0100
+Subject: [PATCH] tests: add test case for UMask=+BindPaths= combination
+
+Inspired by the test case described in #19899
+
+(cherry picked from commit 875afa02fabe1dad5aa3d1e9bff89d493a369fd0)
+
+Conflict:NA
+Reference:https://github.com/systemd/systemd/commit/ae53f4b5e48860b473c4d05958486a77f84ecc6d
+---
+ src/test/test-execute.c | 5 +++++
+ test/test-execute/exec-umask-namespace.service | 12 ++++++++++++
+ 2 files changed, 17 insertions(+)
+ create mode 100644 test/test-execute/exec-umask-namespace.service
+
+diff --git a/src/test/test-execute.c b/src/test/test-execute.c
+index 1119ad4acf..88e1b30095 100644
+--- a/src/test/test-execute.c
++++ b/src/test/test-execute.c
+@@ -828,6 +828,10 @@ static void test_exec_condition(Manager *m) {
+ test_service(m, "exec-condition-skip.service", SERVICE_SKIP_CONDITION);
+ }
+
++static void test_exec_umask_namespace(Manager *m) {
++ test(m, "exec-umask-namespace.service", can_unshare ? 0 : EXIT_NAMESPACE, CLD_EXITED);
++}
++
+ typedef struct test_entry {
+ test_function_t f;
+ const char *name;
+@@ -904,6 +908,7 @@ int main(int argc, char *argv[]) {
+ entry(test_exec_dynamicuser),
+ entry(test_exec_specifier),
+ entry(test_exec_systemcallfilter_system),
++ entry(test_exec_umask_namespace),
+ {},
+ };
+ int r;
+diff --git a/test/test-execute/exec-umask-namespace.service b/test/test-execute/exec-umask-namespace.service
+new file mode 100644
+index 0000000000..8419c86c9a
+--- /dev/null
++++ b/test/test-execute/exec-umask-namespace.service
+@@ -0,0 +1,12 @@
++# SPDX-License-Identifier: LGPL-2.1-or-later
++[Unit]
++Description=Test for UMask= + namespacing
++
++[Service]
++ExecStart=/bin/ls -lahd /tmp/subdir
++Type=oneshot
++User=65534
++Group=65534
++TemporaryFileSystem=/tmp:ro
++BindPaths=/etc:/tmp/subdir/subsub
++UMask=0007
+--
+2.33.0
+
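Review bot: The new unit only runs `/bin/ls -lahd /tmp/subdir`, and `test_exec_umask_namespace` only checks for exit status 0, so as far as these hunks show nothing asserts which mode `UMask=0007` leaves on the directories created for the `BindPaths=` target. Listing a directory with `-d` needs search permission on its parent only, so the command would presumably still succeed if `/tmp/subdir` came out with its other bits stripped. Having `ExecStart=` compare the directory's mode (for example via `stat`) with the expected value, plus a comment in the unit naming that expected mode, would make the test fail if the service umask were applied to mount-point creation.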
diff --git a/backport-timesync-check-cmsg-length.patch b/backport-timesync-check-cmsg-length.patch
new file mode 100644
index 0000000000000000000000000000000000000000..90a32603c32ba36b999942e04f8369df3a3ac840
--- /dev/null
+++ b/backport-timesync-check-cmsg-length.patch
@@ -0,0 +1,29 @@
+From 4e9f1d0a28cc29d1f010b05d74898f222d757cc8 Mon Sep 17 00:00:00 2001
+From: Yu Watanabe
+Date: Sun, 29 Aug 2021 20:55:44 +0900
+Subject: [PATCH] timesync: check cmsg length
+
+(cherry picked from commit 37df6d9b8d3a8b34bec5346766ab8093c0f0fc26)
+
+Conflict:NA
+Reference:https://github.com/systemd/systemd/commit/4e9f1d0a28cc29d1f010b05d74898f222d757cc8
+---
+ src/timesync/timesyncd-manager.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/timesync/timesyncd-manager.c b/src/timesync/timesyncd-manager.c
+index eae14e8fb2..648e804105 100644
+--- a/src/timesync/timesyncd-manager.c
++++ b/src/timesync/timesyncd-manager.c
+@@ -467,6 +467,8 @@ static int manager_receive_response(sd_event_source *source, int fd, uint32_t re
+
+ switch (cmsg->cmsg_type) {
+ case SCM_TIMESTAMPNS:
++ assert(cmsg->cmsg_len == CMSG_LEN(sizeof(struct timespec)));
++
+ recv_time = (struct timespec *) CMSG_DATA(cmsg);
+ break;
+ }
+--
+2.33.0
+
diff --git a/backport-timesync-fix-wrong-type-for-receiving-timestamp-in-n.patch b/backport-timesync-fix-wrong-type-for-receiving-timestamp-in-n.patch
index 26a990bf4583c09d771092e6c255993d536967fa..aef7fe98f381ee046056a49e84261c511fd112f2 100644
--- a/backport-timesync-fix-wrong-type-for-receiving-timestamp-in-n.patch
+++ b/backport-timesync-fix-wrong-type-for-receiving-timestamp-in-n.patch
@@ -1,10 +1,15 @@
-From 6f96bdc58746b1698bf8b3430a6c638f8949daec Mon Sep 17 00:00:00 2001
+From dac54d1aa759255144d9937361289bde57d64118 Mon Sep 17 00:00:00 2001
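Review bot: The length check added under `case SCM_TIMESTAMPNS:` in the timesync-check-cmsg-length patch is an `assert()`, so a mismatch aborts the daemon, and in a build that compiles assertions out the check disappears and the cast of `CMSG_DATA(cmsg)` to `struct timespec *` is unguarded again. The control message is filled in by the kernel rather than by the NTP peer, so a mismatch more likely points to a type or ABI difference than to hostile input, but a runtime check that skips the message is the more defensive form: `if (cmsg->cmsg_len != CMSG_LEN(sizeof(struct timespec))) break;`. manager_receive_response starts and ends outside the hunk, so whether the code after the switch copes with `recv_time` staying unset needs confirming before adopting that.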
From: Yu Watanabe Date: Fri, 20 Aug 2021 08:40:11 +0900 Subject: [PATCH] timesync: fix wrong type for receiving timestamp in nanoseconds Fixes #20482. + +(cherry picked from commit 6f96bdc58746b1698bf8b3430a6c638f8949daec) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/dac54d1aa759255144d9937361289bde57d64118 --- src/test/test-sizeof.c | 2 ++ src/timesync/timesyncd-manager.c | 2 +- @@ -23,10 +28,10 @@ index 3c9dc180fa..e36bee4e8f 100644 return 0; } diff --git a/src/timesync/timesyncd-manager.c b/src/timesync/timesyncd-manager.c -index 1c284f31e3..3a89d9b1fa 100644 +index cb5d42b1d3..9d874cfc8a 100644 --- a/src/timesync/timesyncd-manager.c +++ b/src/timesync/timesyncd-manager.c -@@ -416,7 +416,7 @@ static int manager_receive_response(sd_event_source *source, int fd, uint32_t re +@@ -412,7 +412,7 @@ static int manager_receive_response(sd_event_source *source, int fd, uint32_t re .iov_base = &ntpmsg, .iov_len = sizeof(ntpmsg), }; @@ -36,5 +41,5 @@ index 1c284f31e3..3a89d9b1fa 100644 struct msghdr msghdr = { .msg_iov = &iov, -- -2.27.0 +2.33.0 diff --git a/backport-tpm-util-fix-TPM-parameter-handling.patch b/backport-tpm-util-fix-TPM-parameter-handling.patch new file mode 100644 index 0000000000000000000000000000000000000000..8ea2e6b9e2f88416efba80498946ff40e6db3570 --- /dev/null +++ b/backport-tpm-util-fix-TPM-parameter-handling.patch 
@@ -0,0 +1,52 @@
+From 966a8cd270e017928389aa1c3966551b301da5e7 Mon Sep 17 00:00:00 2001
+From: Anatol Pomozov
+Date: Fri, 10 Sep 2021 11:52:55 -0700
+Subject: [PATCH] tpm-util: fix TPM parameter handling
+
+cryptenroll allows to specify a custom TPM driver separated from
+parameters with colon e.g. `systemd-cryptenroll --tpm2-device=swtpm:`
+tells to load swtpm tss driver and use it as a device.
+
+Unfortunately it does not work, swtpm driver init() fails with
+
+```
+debug:tcti:src/tss2-tcti/tcti-swtpm.c:570:Tss2_Tcti_Swtpm_Init() Dup'd conf string to: 0x562f91cbc000
+debug:tcti:src/util/key-value-parse.c:85:parse_key_value_string() parsing key/value: swtpm:
+WARNING:tcti:src/util/key-value-parse.c:50:parse_key_value() key / value string is invalid
+Failed to initialize TCTI context: tcti:A parameter has a bad value
+```
+
+It turns out that cryptenroll suppose to use the driver name internally
+and strip it before passing the rest of parameters to init() function.
+Without doing it swtpm receives incorrect key-value property and gets
+confused.
+
+Fix it by passing the correct parameter (without driver name) to the
+init() function.
+
+Fixes #20708
+
+(cherry picked from commit 8889564a8da574e4b956e2b6ced34354dee54cd7)
+
+Conflict:NA
+Reference:https://github.com/systemd/systemd/commit/966a8cd270e017928389aa1c3966551b301da5e7
+---
+ src/shared/tpm2-util.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/shared/tpm2-util.c b/src/shared/tpm2-util.c
+index df6d2eef58..56a7fe622e 100644
+--- a/src/shared/tpm2-util.c
++++ b/src/shared/tpm2-util.c
+@@ -182,7 +182,7 @@ static int tpm2_init(const char *device, struct tpm2_context *ret) {
+ if (!tcti)
+ return log_oom();
+
+- rc = info->init(tcti, &sz, device);
++ rc = info->init(tcti, &sz, param);
+ if (rc != TPM2_RC_SUCCESS)
+ return log_error_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
+ "Failed to initialize TCTI context: %s", sym_Tss2_RC_Decode(rc));
+--
+2.33.0
+
diff --git a/backport-tree-wide-mark-set-but-not-used-variables-as-unused-.patch b/backport-tree-wide-mark-set-but-not-used-variables-as-unused-.patch
new file mode 100644
index 0000000000000000000000000000000000000000..800c91a933e90f1f729bd9d470192795827d1ed1
--- /dev/null
+++ b/backport-tree-wide-mark-set-but-not-used-variables-as-unused-.patch
@@ -0,0 +1,546 @@ +From e3516e4fdce54f62819bbb18a9fcdd843544d354 Mon Sep 17 00:00:00 2001 +From: Frantisek Sumsal +Date: Wed, 15 Sep 2021 10:56:21 +0200 +Subject: [PATCH] tree-wide: mark set-but-not-used variables as unused to make + LLVM happy + +LLVM 13 introduced `-Wunused-but-set-variable` diagnostic flag, which +trips over some intentionally set-but-not-used variables or variables +attached to cleanup handlers with side effects (`_cleanup_umask_`, +`_cleanup_(notify_on_cleanup)`, `_cleanup_(restore_sigsetp)`, etc.): + +``` +../src/basic/process-util.c:1257:46: error: variable 'saved_ssp' set but not used [-Werror,-Wunused-but-set-variable] + _cleanup_(restore_sigsetp) sigset_t *saved_ssp = NULL; + ^ + 1 error generated. +``` + +(cherry picked from commit d7ac09520be8f0d3d94df3dd4fd8a6e7404c0174) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/e3516e4fdce54f62819bbb18a9fcdd843544d354 +--- + src/basic/process-util.c | 2 +- + src/basic/unit-file.c | 3 ++- + src/core/manager.c | 4 ++-- + src/cryptsetup/cryptsetup.c | 2 +- + src/home/homed.c | 2 +- + src/initctl/initctl.c | 2 +- + src/journal-remote/journal-remote-main.c | 2 +- + src/journal-remote/journal-remote.c | 2 +- + src/journal-remote/journal-upload.c | 2 +- + src/journal/journald-server.c | 2 +- + src/libsystemd-network/sd-dhcp-server.c | 6 ++++-- + src/libsystemd/sd-device/sd-device.c | 9 ++++++--- + src/libsystemd/sd-journal/test-catalog.c | 2 +- + src/login/logind-core.c | 2 +- + src/login/logind-session.c | 2 +- + src/login/logind.c | 2 +- + src/network/networkd-dhcp-common.c | 6 ++++-- + src/network/networkd.c | 2 +- + src/network/wait-online/wait-online.c | 2 +- + src/nss-systemd/userdb-glue.c | 4 ++-- + src/oom/oomd-manager.c | 2 +- + src/oom/oomd.c | 2 +- + src/resolve/resolved-dns-cache.c | 2 +- + src/resolve/resolved-dns-query.c | 2 +- + src/resolve/resolved.c | 2 +- + src/shared/barrier.c | 2 +- + src/shared/utmp-wtmp.c | 8 ++++---- + src/timesync/timesyncd.c | 2 +- + 
src/tty-ask-password-agent/tty-ask-password-agent.c | 3 ++- + src/udev/udevd.c | 3 ++- + src/userdb/userdbd.c | 2 +- + 31 files changed, 50 insertions(+), 40 deletions(-) + +diff --git a/src/basic/process-util.c b/src/basic/process-util.c +index 461bbfe9a5..b76ca6f7c5 100644 +--- a/src/basic/process-util.c ++++ b/src/basic/process-util.c +@@ -1278,7 +1278,7 @@ int safe_fork_full( + + pid_t original_pid, pid; + sigset_t saved_ss, ss; +- _cleanup_(restore_sigsetp) sigset_t *saved_ssp = NULL; ++ _unused_ _cleanup_(restore_sigsetp) sigset_t *saved_ssp = NULL; + bool block_signals = false, block_all = false; + int prio, r; + +diff --git a/src/basic/unit-file.c b/src/basic/unit-file.c +index 0d58b1c4fe..d1e997ec9f 100644 +--- a/src/basic/unit-file.c ++++ b/src/basic/unit-file.c +@@ -286,7 +286,8 @@ int unit_file_build_name_map( + + FOREACH_DIRENT_ALL(de, d, log_warning_errno(errno, "Failed to read \"%s\", ignoring: %m", *dir)) { + char *filename; +- _cleanup_free_ char *_filename_free = NULL, *simplified = NULL; ++ _unused_ _cleanup_free_ char *_filename_free = NULL; ++ _cleanup_free_ char *simplified = NULL; + const char *suffix, *dst = NULL; + bool valid_unit_name; + +diff --git a/src/core/manager.c b/src/core/manager.c +index 34891a8754..abc63a71af 100644 +--- a/src/core/manager.c ++++ b/src/core/manager.c +@@ -1731,7 +1731,7 @@ int manager_startup(Manager *m, FILE *serialization, FDSet *fds) { + + { + /* This block is (optionally) done with the reloading counter bumped */ +- _cleanup_(manager_reloading_stopp) Manager *reloading = NULL; ++ _unused_ _cleanup_(manager_reloading_stopp) Manager *reloading = NULL; + + /* If we will deserialize make sure that during enumeration this is already known, so we increase the + * counter here already */ +@@ -3770,7 +3770,7 @@ int manager_deserialize(Manager *m, FILE *f, FDSet *fds) { + } + + int manager_reload(Manager *m) { +- _cleanup_(manager_reloading_stopp) Manager *reloading = NULL; ++ _unused_ 
_cleanup_(manager_reloading_stopp) Manager *reloading = NULL; + _cleanup_fdset_free_ FDSet *fds = NULL; + _cleanup_fclose_ FILE *f = NULL; + int r; +diff --git a/src/cryptsetup/cryptsetup.c b/src/cryptsetup/cryptsetup.c +index 0fa41b8360..440f17d017 100644 +--- a/src/cryptsetup/cryptsetup.c ++++ b/src/cryptsetup/cryptsetup.c +@@ -1482,7 +1482,7 @@ static int run(int argc, char *argv[]) { + verb = argv[1]; + + if (streq(verb, "attach")) { +- _cleanup_(remove_and_erasep) const char *destroy_key_file = NULL; ++ _unused_ _cleanup_(remove_and_erasep) const char *destroy_key_file = NULL; + _cleanup_(erase_and_freep) void *key_data = NULL; + const char *volume, *source, *key_file, *options; + crypt_status_info status; +diff --git a/src/home/homed.c b/src/home/homed.c +index 807d25e273..579c289a68 100644 +--- a/src/home/homed.c ++++ b/src/home/homed.c +@@ -14,7 +14,7 @@ + + static int run(int argc, char *argv[]) { + _cleanup_(manager_freep) Manager *m = NULL; +- _cleanup_(notify_on_cleanup) const char *notify_stop = NULL; ++ _unused_ _cleanup_(notify_on_cleanup) const char *notify_stop = NULL; + int r; + + log_setup(); +diff --git a/src/initctl/initctl.c b/src/initctl/initctl.c +index c48fef16ef..a48a8570c4 100644 +--- a/src/initctl/initctl.c ++++ b/src/initctl/initctl.c +@@ -311,7 +311,7 @@ static int process_event(Server *s, struct epoll_event *ev) { + + static int run(int argc, char *argv[]) { + _cleanup_(server_done) Server server = { .epoll_fd = -1 }; +- _cleanup_(notify_on_cleanup) const char *notify_stop = NULL; ++ _unused_ _cleanup_(notify_on_cleanup) const char *notify_stop = NULL; + int r, n; + + if (argc > 1) +diff --git a/src/journal-remote/journal-remote-main.c b/src/journal-remote/journal-remote-main.c +index 9ff31763da..b46b4fc08e 100644 +--- a/src/journal-remote/journal-remote-main.c ++++ b/src/journal-remote/journal-remote-main.c +@@ -1099,7 +1099,7 @@ static int load_certificates(char **key, char **cert, char **trust) { + + static int run(int argc, char 
**argv) { + _cleanup_(journal_remote_server_destroy) RemoteServer s = {}; +- _cleanup_(notify_on_cleanup) const char *notify_message = NULL; ++ _unused_ _cleanup_(notify_on_cleanup) const char *notify_message = NULL; + _cleanup_(erase_and_freep) char *key = NULL; + _cleanup_free_ char *cert = NULL, *trust = NULL; + int r; +diff --git a/src/journal-remote/journal-remote.c b/src/journal-remote/journal-remote.c +index 6e5aebdc48..f530ba3c7e 100644 +--- a/src/journal-remote/journal-remote.c ++++ b/src/journal-remote/journal-remote.c +@@ -272,7 +272,7 @@ int journal_remote_add_source(RemoteServer *s, int fd, char* name, bool own_name + + int journal_remote_add_raw_socket(RemoteServer *s, int fd) { + int r; +- _cleanup_close_ int fd_ = fd; ++ _unused_ _cleanup_close_ int fd_ = fd; + char name[STRLEN("raw-socket-") + DECIMAL_STR_MAX(int) + 1]; + + assert(fd >= 0); +diff --git a/src/journal-remote/journal-upload.c b/src/journal-remote/journal-upload.c +index 2a38d206ea..37660b925a 100644 +--- a/src/journal-remote/journal-upload.c ++++ b/src/journal-remote/journal-upload.c +@@ -820,7 +820,7 @@ static int open_journal(sd_journal **j) { + + static int run(int argc, char **argv) { + _cleanup_(destroy_uploader) Uploader u = {}; +- _cleanup_(notify_on_cleanup) const char *notify_message = NULL; ++ _unused_ _cleanup_(notify_on_cleanup) const char *notify_message = NULL; + bool use_journal; + int r; + +diff --git a/src/journal/journald-server.c b/src/journal/journald-server.c +index 2d1d9e66d7..a212079758 100644 +--- a/src/journal/journald-server.c ++++ b/src/journal/journald-server.c +@@ -910,7 +910,7 @@ static void dispatch_message_real( + pid_t object_pid) { + + char source_time[sizeof("_SOURCE_REALTIME_TIMESTAMP=") + DECIMAL_STR_MAX(usec_t)]; +- _cleanup_free_ char *cmdline1 = NULL, *cmdline2 = NULL; ++ _unused_ _cleanup_free_ char *cmdline1 = NULL, *cmdline2 = NULL; + uid_t journal_uid; + ClientContext *o; + +diff --git a/src/libsystemd-network/sd-dhcp-server.c 
b/src/libsystemd-network/sd-dhcp-server.c +index 0b3904c02a..070f4ec1c2 100644 +--- a/src/libsystemd-network/sd-dhcp-server.c ++++ b/src/libsystemd-network/sd-dhcp-server.c +@@ -1004,7 +1004,8 @@ int dhcp_server_handle_message(sd_dhcp_server *server, DHCPMessage *message, siz + /* verify that the requested address is from the pool, and either + owned by the current client or free */ + if (pool_offset >= 0 && static_lease) { +- _cleanup_(dhcp_lease_freep) DHCPLease *lease = NULL, *old_lease = NULL; ++ _unused_ _cleanup_(dhcp_lease_freep) DHCPLease *old_lease = NULL; ++ _cleanup_(dhcp_lease_freep) DHCPLease *lease = NULL; + usec_t time_now, expiration; + + r = sd_event_now(server->event, clock_boottime_or_monotonic(), &time_now); +@@ -1482,7 +1483,8 @@ int sd_dhcp_server_set_static_lease( + uint8_t *client_id, + size_t client_id_size) { + +- _cleanup_(dhcp_lease_freep) DHCPLease *lease = NULL, *old = NULL; ++ _unused_ _cleanup_(dhcp_lease_freep) DHCPLease *old = NULL; ++ _cleanup_(dhcp_lease_freep) DHCPLease *lease = NULL; + DHCPClientId c; + int r; + +diff --git a/src/libsystemd/sd-device/sd-device.c b/src/libsystemd/sd-device/sd-device.c +index 45261588a8..3f2cce5bba 100644 +--- a/src/libsystemd/sd-device/sd-device.c ++++ b/src/libsystemd/sd-device/sd-device.c +@@ -94,7 +94,8 @@ int device_add_property_aux(sd_device *device, const char *key, const char *valu + properties = &device->properties; + + if (value) { +- _cleanup_free_ char *new_key = NULL, *new_value = NULL, *old_key = NULL, *old_value = NULL; ++ _unused_ _cleanup_free_ char *old_value = NULL; ++ _cleanup_free_ char *new_key = NULL, *new_value = NULL, *old_key = NULL; + int r; + + r = ordered_hashmap_ensure_allocated(properties, &string_hash_ops_free_free); +@@ -119,7 +120,8 @@ int device_add_property_aux(sd_device *device, const char *key, const char *valu + TAKE_PTR(new_key); + TAKE_PTR(new_value); + } else { +- _cleanup_free_ char *old_key = NULL, *old_value = NULL; ++ _unused_ _cleanup_free_ char 
*old_value = NULL; ++ _cleanup_free_ char *old_key = NULL; + + old_value = ordered_hashmap_remove2(*properties, key, (void**) &old_key); + } +@@ -1920,7 +1922,8 @@ _public_ int sd_device_get_trigger_uuid(sd_device *device, sd_id128_t *ret) { + } + + static int device_cache_sysattr_value(sd_device *device, const char *key, char *value) { +- _cleanup_free_ char *new_key = NULL, *old_value = NULL; ++ _unused_ _cleanup_free_ char *old_value = NULL; ++ _cleanup_free_ char *new_key = NULL; + int r; + + assert(device); +diff --git a/src/libsystemd/sd-journal/test-catalog.c b/src/libsystemd/sd-journal/test-catalog.c +index 982fec0d8d..316c3b1634 100644 +--- a/src/libsystemd/sd-journal/test-catalog.c ++++ b/src/libsystemd/sd-journal/test-catalog.c +@@ -53,7 +53,7 @@ static void test_catalog_import_invalid(void) { + } + + static void test_catalog_import_badid(void) { +- _cleanup_ordered_hashmap_free_free_free_ OrderedHashmap *h = NULL; ++ _unused_ _cleanup_ordered_hashmap_free_free_free_ OrderedHashmap *h = NULL; + const char *input = + "-- 0027229ca0644181a76c4e92458afaff dededededededededededededededede\n" \ + "Subject: message\n" \ +diff --git a/src/login/logind-core.c b/src/login/logind-core.c +index e08929e52a..a9792fd5e4 100644 +--- a/src/login/logind-core.c ++++ b/src/login/logind-core.c +@@ -689,7 +689,7 @@ bool manager_all_buttons_ignored(Manager *m) { + int manager_read_utmp(Manager *m) { + #if ENABLE_UTMP + int r; +- _cleanup_(utxent_cleanup) bool utmpx = false; ++ _unused_ _cleanup_(utxent_cleanup) bool utmpx = false; + + assert(m); + +diff --git a/src/login/logind-session.c b/src/login/logind-session.c +index 3f09750ec9..cde2b5e8bb 100644 +--- a/src/login/logind-session.c ++++ b/src/login/logind-session.c +@@ -1323,7 +1323,7 @@ bool session_is_controller(Session *s, const char *sender) { + } + + static void session_release_controller(Session *s, bool notify) { +- _cleanup_free_ char *name = NULL; ++ _unused_ _cleanup_free_ char *name = NULL; + SessionDevice *sd; 
+ + if (!s->controller) +diff --git a/src/login/logind.c b/src/login/logind.c +index ec52a57acb..b642da6eaa 100644 +--- a/src/login/logind.c ++++ b/src/login/logind.c +@@ -1155,7 +1155,7 @@ static int manager_run(Manager *m) { + + static int run(int argc, char *argv[]) { + _cleanup_(manager_unrefp) Manager *m = NULL; +- _cleanup_(notify_on_cleanup) const char *notify_message = NULL; ++ _unused_ _cleanup_(notify_on_cleanup) const char *notify_message = NULL; + int r; + + log_set_facility(LOG_AUTH); +diff --git a/src/network/networkd-dhcp-common.c b/src/network/networkd-dhcp-common.c +index 249d780887..02cef0fbfc 100644 +--- a/src/network/networkd-dhcp-common.c ++++ b/src/network/networkd-dhcp-common.c +@@ -631,8 +631,10 @@ int config_parse_dhcp_send_option( + void *data, + void *userdata) { + +- _cleanup_(sd_dhcp_option_unrefp) sd_dhcp_option *opt4 = NULL, *old4 = NULL; +- _cleanup_(sd_dhcp6_option_unrefp) sd_dhcp6_option *opt6 = NULL, *old6 = NULL; ++ _cleanup_(sd_dhcp_option_unrefp) sd_dhcp_option *opt4 = NULL; ++ _cleanup_(sd_dhcp6_option_unrefp) sd_dhcp6_option *opt6 = NULL; ++ _unused_ _cleanup_(sd_dhcp_option_unrefp) sd_dhcp_option *old4 = NULL; ++ _unused_ _cleanup_(sd_dhcp6_option_unrefp) sd_dhcp6_option *old6 = NULL; + uint32_t uint32_data, enterprise_identifier = 0; + _cleanup_free_ char *word = NULL, *q = NULL; + OrderedHashmap **options = data; +diff --git a/src/network/networkd.c b/src/network/networkd.c +index 48f6061b1f..ff3380c82c 100644 +--- a/src/network/networkd.c ++++ b/src/network/networkd.c +@@ -19,7 +19,7 @@ + + static int run(int argc, char *argv[]) { + _cleanup_(manager_freep) Manager *m = NULL; +- _cleanup_(notify_on_cleanup) const char *notify_message = NULL; ++ _unused_ _cleanup_(notify_on_cleanup) const char *notify_message = NULL; + int r; + + log_setup(); +diff --git a/src/network/wait-online/wait-online.c b/src/network/wait-online/wait-online.c +index 1b24b6f1a6..3ce29ac679 100644 +--- a/src/network/wait-online/wait-online.c ++++ 
b/src/network/wait-online/wait-online.c +@@ -195,7 +195,7 @@ static int parse_argv(int argc, char *argv[]) { + + static int run(int argc, char *argv[]) { + _cleanup_(manager_freep) Manager *m = NULL; +- _cleanup_(notify_on_cleanup) const char *notify_message = NULL; ++ _unused_ _cleanup_(notify_on_cleanup) const char *notify_message = NULL; + int r; + + log_setup(); +diff --git a/src/nss-systemd/userdb-glue.c b/src/nss-systemd/userdb-glue.c +index c865ff0d82..002e6925f9 100644 +--- a/src/nss-systemd/userdb-glue.c ++++ b/src/nss-systemd/userdb-glue.c +@@ -303,7 +303,7 @@ enum nss_status userdb_getgrnam( + } + + if (!g) { +- _cleanup_(_nss_systemd_unblockp) bool blocked = false; ++ _unused_ _cleanup_(_nss_systemd_unblockp) bool blocked = false; + + if (strv_isempty(members)) + return NSS_STATUS_NOTFOUND; +@@ -365,7 +365,7 @@ enum nss_status userdb_getgrgid( + } + + if (!g) { +- _cleanup_(_nss_systemd_unblockp) bool blocked = false; ++ _unused_ _cleanup_(_nss_systemd_unblockp) bool blocked = false; + + /* So, quite possibly we have to extend an existing group record with additional members. But + * to do this we need to know the group name first. The group didn't exist via non-NSS +diff --git a/src/oom/oomd-manager.c b/src/oom/oomd-manager.c +index 727206d0b3..891b0acacb 100644 +--- a/src/oom/oomd-manager.c ++++ b/src/oom/oomd-manager.c +@@ -387,7 +387,7 @@ static void clear_candidate_hashmapp(Manager **m) { + static int monitor_memory_pressure_contexts_handler(sd_event_source *s, uint64_t usec, void *userdata) { + /* Don't want to use stale candidate data. Setting this will clear the candidate hashmap on return unless we + * update the candidate data (in which case clear_candidates will be NULL). 
*/ +- _cleanup_(clear_candidate_hashmapp) Manager *clear_candidates = userdata; ++ _unused_ _cleanup_(clear_candidate_hashmapp) Manager *clear_candidates = userdata; + _cleanup_set_free_ Set *targets = NULL; + bool in_post_action_delay = false; + Manager *m = userdata; +diff --git a/src/oom/oomd.c b/src/oom/oomd.c +index deb7b094d5..e13a1b35e5 100644 +--- a/src/oom/oomd.c ++++ b/src/oom/oomd.c +@@ -116,7 +116,7 @@ static int parse_argv(int argc, char *argv[]) { + } + + static int run(int argc, char *argv[]) { +- _cleanup_(notify_on_cleanup) const char *notify_msg = NULL; ++ _unused_ _cleanup_(notify_on_cleanup) const char *notify_msg = NULL; + _cleanup_(manager_freep) Manager *m = NULL; + _cleanup_free_ char *swap = NULL; + unsigned long long s = 0; +diff --git a/src/resolve/resolved-dns-cache.c b/src/resolve/resolved-dns-cache.c +index f73ead872d..c2fca1fabe 100644 +--- a/src/resolve/resolved-dns-cache.c ++++ b/src/resolve/resolved-dns-cache.c +@@ -274,7 +274,7 @@ static int dns_cache_link_item(DnsCache *c, DnsCacheItem *i) { + + first = hashmap_get(c->by_key, i->key); + if (first) { +- _cleanup_(dns_resource_key_unrefp) DnsResourceKey *k = NULL; ++ _unused_ _cleanup_(dns_resource_key_unrefp) DnsResourceKey *k = NULL; + + /* Keep a reference to the original key, while we manipulate the list. 
*/ + k = dns_resource_key_ref(first->key); +diff --git a/src/resolve/resolved-dns-query.c b/src/resolve/resolved-dns-query.c +index 6d372395fe..192bfd3bf5 100644 +--- a/src/resolve/resolved-dns-query.c ++++ b/src/resolve/resolved-dns-query.c +@@ -165,7 +165,7 @@ static int dns_query_candidate_add_transaction( + } + + static int dns_query_candidate_go(DnsQueryCandidate *c) { +- _cleanup_(dns_query_candidate_unrefp) DnsQueryCandidate *keep_c = NULL; ++ _unused_ _cleanup_(dns_query_candidate_unrefp) DnsQueryCandidate *keep_c = NULL; + DnsTransaction *t; + int r; + unsigned n = 0; +diff --git a/src/resolve/resolved.c b/src/resolve/resolved.c +index aabaa266e9..85ab917c4f 100644 +--- a/src/resolve/resolved.c ++++ b/src/resolve/resolved.c +@@ -23,7 +23,7 @@ + + static int run(int argc, char *argv[]) { + _cleanup_(manager_freep) Manager *m = NULL; +- _cleanup_(notify_on_cleanup) const char *notify_stop = NULL; ++ _unused_ _cleanup_(notify_on_cleanup) const char *notify_stop = NULL; + int r; + + log_setup(); +diff --git a/src/shared/barrier.c b/src/shared/barrier.c +index 2864c1b8f9..87061f55d7 100644 +--- a/src/shared/barrier.c ++++ b/src/shared/barrier.c +@@ -90,7 +90,7 @@ + * Returns: 0 on success, negative error code on failure. 
+ */ + int barrier_create(Barrier *b) { +- _cleanup_(barrier_destroyp) Barrier *staging = b; ++ _unused_ _cleanup_(barrier_destroyp) Barrier *staging = b; + int r; + + assert(b); +diff --git a/src/shared/utmp-wtmp.c b/src/shared/utmp-wtmp.c +index 784aad2943..d529498fad 100644 +--- a/src/shared/utmp-wtmp.c ++++ b/src/shared/utmp-wtmp.c +@@ -25,7 +25,7 @@ + #include "utmp-wtmp.h" + + int utmp_get_runlevel(int *runlevel, int *previous) { +- _cleanup_(utxent_cleanup) bool utmpx = false; ++ _unused_ _cleanup_(utxent_cleanup) bool utmpx = false; + struct utmpx *found, lookup = { .ut_type = RUN_LVL }; + const char *e; + +@@ -87,7 +87,7 @@ static void init_entry(struct utmpx *store, usec_t t) { + } + + static int write_entry_utmp(const struct utmpx *store) { +- _cleanup_(utxent_cleanup) bool utmpx = false; ++ _unused_ _cleanup_(utxent_cleanup) bool utmpx = false; + + assert(store); + +@@ -215,7 +215,7 @@ int utmp_put_init_process(const char *id, pid_t pid, pid_t sid, const char *line + } + + int utmp_put_dead_process(const char *id, pid_t pid, int code, int status) { +- _cleanup_(utxent_cleanup) bool utmpx = false; ++ _unused_ _cleanup_(utxent_cleanup) bool utmpx = false; + struct utmpx lookup = { + .ut_type = INIT_PROCESS /* looks for DEAD_PROCESS, LOGIN_PROCESS, USER_PROCESS, too */ + }, store, store_wtmp, *found; +@@ -340,7 +340,7 @@ int utmp_wall( + bool (*match_tty)(const char *tty, void *userdata), + void *userdata) { + +- _cleanup_(utxent_cleanup) bool utmpx = false; ++ _unused_ _cleanup_(utxent_cleanup) bool utmpx = false; + _cleanup_free_ char *text = NULL, *hn = NULL, *un = NULL, *stdin_tty = NULL; + char date[FORMAT_TIMESTAMP_MAX]; + struct utmpx *u; +diff --git a/src/timesync/timesyncd.c b/src/timesync/timesyncd.c +index e6a2b06687..8d43e55583 100644 +--- a/src/timesync/timesyncd.c ++++ b/src/timesync/timesyncd.c +@@ -90,7 +90,7 @@ settime: + + static int run(int argc, char *argv[]) { + _cleanup_(manager_freep) Manager *m = NULL; +- 
_cleanup_(notify_on_cleanup) const char *notify_message = NULL; ++ _unused_ _cleanup_(notify_on_cleanup) const char *notify_message = NULL; + const char *user = "systemd-timesync"; + uid_t uid, uid_current; + gid_t gid; +diff --git a/src/tty-ask-password-agent/tty-ask-password-agent.c b/src/tty-ask-password-agent/tty-ask-password-agent.c +index 59b144972b..25d69180c5 100644 +--- a/src/tty-ask-password-agent/tty-ask-password-agent.c ++++ b/src/tty-ask-password-agent/tty-ask-password-agent.c +@@ -338,7 +338,8 @@ static int process_and_watch_password_files(bool watch) { + _FD_MAX + }; + +- _cleanup_close_ int notify = -1, signal_fd = -1, tty_block_fd = -1; ++ _unused_ _cleanup_close_ int tty_block_fd = -1; ++ _cleanup_close_ int notify = -1, signal_fd = -1; + struct pollfd pollfd[_FD_MAX]; + sigset_t mask; + int r; +diff --git a/src/udev/udevd.c b/src/udev/udevd.c +index 13ac7c83b5..8808c5cf95 100644 +--- a/src/udev/udevd.c ++++ b/src/udev/udevd.c +@@ -1092,7 +1092,8 @@ static int on_ctrl_msg(struct udev_ctrl *uctrl, enum udev_ctrl_msg_type type, co + manager_reload(manager); + break; + case UDEV_CTRL_SET_ENV: { +- _cleanup_free_ char *key = NULL, *val = NULL, *old_key = NULL, *old_val = NULL; ++ _unused_ _cleanup_free_ char *old_val = NULL; ++ _cleanup_free_ char *key = NULL, *val = NULL, *old_key = NULL; + const char *eq; + + eq = strchr(value->buf, '='); +diff --git a/src/userdb/userdbd.c b/src/userdb/userdbd.c +index d469411eb8..0c321bf411 100644 +--- a/src/userdb/userdbd.c ++++ b/src/userdb/userdbd.c +@@ -24,7 +24,7 @@ + + static int run(int argc, char *argv[]) { + _cleanup_(manager_freep) Manager *m = NULL; +- _cleanup_(notify_on_cleanup) const char *notify_stop = NULL; ++ _unused_ _cleanup_(notify_on_cleanup) const char *notify_stop = NULL; + int r; + + log_setup(); +-- +2.33.0 + 
diff --git a/backport-tree-wide-use-sd_event_source_disable_unref-where-we.patch b/backport-tree-wide-use-sd_event_source_disable_unref-where-we.patch
new file mode 100644
index 0000000000000000000000000000000000000000..52a9aadcc00e765e67945a270a40b3ae76565d4f
--- /dev/null
+++ b/backport-tree-wide-use-sd_event_source_disable_unref-where-we.patch
@@ -0,0 +1,158 @@ +From e53bfae86dfb909e0a2eb179328b61f4ed723639 Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Mon, 8 Nov 2021 23:07:51 +0100 +Subject: [PATCH] tree-wide: use sd_event_source_disable_unref() where we can + +(cherry picked from commit 4f538d7b221de5707c1ff422e6e34be795535397) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/e53bfae86dfb909e0a2eb179328b61f4ed723639 +--- + src/journal/journald-stream.c | 7 +---- + src/libsystemd/sd-bus/sd-bus.c | 37 +++++--------------------- + src/libsystemd/sd-resolve/sd-resolve.c | 6 +---- + src/shared/varlink.c | 10 ++----- + 4 files changed, 10 insertions(+), 50 deletions(-) + +diff --git a/src/journal/journald-stream.c b/src/journal/journald-stream.c +index c6720b6b13..ee0fd27f2e 100644 +--- a/src/journal/journald-stream.c ++++ b/src/journal/journald-stream.c +@@ -108,7 +108,6 @@ StdoutStream* stdout_stream_free(StdoutStream *s) { + return NULL; + + if (s->server) { +- + if (s->context) + client_context_release(s->server, s->context); + +@@ -122,11 +121,7 @@ StdoutStream* stdout_stream_free(StdoutStream *s) { + (void) server_start_or_stop_idle_timer(s->server); /* Maybe we are idle now? 
*/ + } + +- if (s->event_source) { +- sd_event_source_set_enabled(s->event_source, SD_EVENT_OFF); +- s->event_source = sd_event_source_unref(s->event_source); +- } +- ++ sd_event_source_disable_unref(s->event_source); + safe_close(s->fd); + free(s->label); + free(s->identifier); +diff --git a/src/libsystemd/sd-bus/sd-bus.c b/src/libsystemd/sd-bus/sd-bus.c +index a32e2f5e20..79c24fe703 100644 +--- a/src/libsystemd/sd-bus/sd-bus.c ++++ b/src/libsystemd/sd-bus/sd-bus.c +@@ -62,7 +62,6 @@ + + static int bus_poll(sd_bus *bus, bool need_more, uint64_t timeout_usec); + static void bus_detach_io_events(sd_bus *b); +-static void bus_detach_inotify_event(sd_bus *b); + + static thread_local sd_bus *default_system_bus = NULL; + static thread_local sd_bus *default_user_bus = NULL; +@@ -139,7 +138,7 @@ void bus_close_io_fds(sd_bus *b) { + void bus_close_inotify_fd(sd_bus *b) { + assert(b); + +- bus_detach_inotify_event(b); ++ b->inotify_event_source = sd_event_source_disable_unref(b->inotify_event_source); + + b->inotify_fd = safe_close(b->inotify_fd); + b->inotify_watches = mfree(b->inotify_watches); +@@ -3738,15 +3737,8 @@ int bus_attach_io_events(sd_bus *bus) { + static void bus_detach_io_events(sd_bus *bus) { + assert(bus); + +- if (bus->input_io_event_source) { +- sd_event_source_set_enabled(bus->input_io_event_source, SD_EVENT_OFF); +- bus->input_io_event_source = sd_event_source_unref(bus->input_io_event_source); +- } +- +- if (bus->output_io_event_source) { +- sd_event_source_set_enabled(bus->output_io_event_source, SD_EVENT_OFF); +- bus->output_io_event_source = sd_event_source_unref(bus->output_io_event_source); +- } ++ bus->input_io_event_source = sd_event_source_disable_unref(bus->input_io_event_source); ++ bus->output_io_event_source = sd_event_source_disable_unref(bus->output_io_event_source); + } + + int bus_attach_inotify_event(sd_bus *bus) { +@@ -3778,15 +3770,6 @@ int bus_attach_inotify_event(sd_bus *bus) { + return 0; + } + +-static void 
bus_detach_inotify_event(sd_bus *bus) { +- assert(bus); +- +- if (bus->inotify_event_source) { +- sd_event_source_set_enabled(bus->inotify_event_source, SD_EVENT_OFF); +- bus->inotify_event_source = sd_event_source_unref(bus->inotify_event_source); +- } +-} +- + _public_ int sd_bus_attach_event(sd_bus *bus, sd_event *event, int priority) { + int r; + +@@ -3851,17 +3834,9 @@ _public_ int sd_bus_detach_event(sd_bus *bus) { + return 0; + + bus_detach_io_events(bus); +- bus_detach_inotify_event(bus); +- +- if (bus->time_event_source) { +- sd_event_source_set_enabled(bus->time_event_source, SD_EVENT_OFF); +- bus->time_event_source = sd_event_source_unref(bus->time_event_source); +- } +- +- if (bus->quit_event_source) { +- sd_event_source_set_enabled(bus->quit_event_source, SD_EVENT_OFF); +- bus->quit_event_source = sd_event_source_unref(bus->quit_event_source); +- } ++ bus->inotify_event_source = sd_event_source_disable_unref(bus->inotify_event_source); ++ bus->time_event_source = sd_event_source_disable_unref(bus->time_event_source); ++ bus->quit_event_source = sd_event_source_disable_unref(bus->quit_event_source); + + bus->event = sd_event_unref(bus->event); + return 1; +diff --git a/src/libsystemd/sd-resolve/sd-resolve.c b/src/libsystemd/sd-resolve/sd-resolve.c +index ee973c0692..073b658d3f 100644 +--- a/src/libsystemd/sd-resolve/sd-resolve.c ++++ b/src/libsystemd/sd-resolve/sd-resolve.c +@@ -1285,11 +1285,7 @@ _public_ int sd_resolve_detach_event(sd_resolve *resolve) { + if (!resolve->event) + return 0; + +- if (resolve->event_source) { +- sd_event_source_set_enabled(resolve->event_source, SD_EVENT_OFF); +- resolve->event_source = sd_event_source_unref(resolve->event_source); +- } +- ++ resolve->event_source = sd_event_source_disable_unref(resolve->event_source); + resolve->event = sd_event_unref(resolve->event); + return 1; + } +diff --git a/src/shared/varlink.c b/src/shared/varlink.c +index a57475b5ba..ec062f3da4 100644 +--- a/src/shared/varlink.c ++++ 
b/src/shared/varlink.c +@@ -2364,14 +2364,8 @@ int varlink_server_detach_event(VarlinkServer *s) { + + assert_return(s, -EINVAL); + +- LIST_FOREACH(sockets, ss, s->sockets) { +- +- if (!ss->event_source) +- continue; +- +- (void) sd_event_source_set_enabled(ss->event_source, SD_EVENT_OFF); +- ss->event_source = sd_event_source_unref(ss->event_source); +- } ++ LIST_FOREACH(sockets, ss, s->sockets) ++ ss->event_source = sd_event_source_disable_unref(ss->event_source); + + sd_event_unref(s->event); + return 0; +-- +2.33.0 + diff --git a/backport-udev-builtin-input_id-don-t-label-absolute-mice-as-p.patch b/backport-udev-builtin-input_id-don-t-label-absolute-mice-as-p.patch new file mode 100644 index 0000000000000000000000000000000000000000..387daa88afc166dc3bb0c25302391af13218566e --- /dev/null +++ b/backport-udev-builtin-input_id-don-t-label-absolute-mice-as-p.patch 
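Review bot: In the varlink.c hunk, the unchanged `sd_event_unref(s->event);` after the rewritten LIST_FOREACH drops the reference but leaves `s->event` holding the old pointer, so any later use of it after varlink_server_detach_event() could touch a freed object. The sibling detach paths converted in this same patch, sd_bus_detach_event() and sd_resolve_detach_event(), assign the result back; the same form here would be `s->event = sd_event_unref(s->event);`. Separately, stdout_stream_free() in journald-stream.c now calls `sd_event_source_disable_unref(s->event_source);` without storing the result, which is only safe if s itself is freed further down, outside the visible lines. Both function bodies start outside their hunks.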
@@ -0,0 +1,69 @@ +From c6cdd3489f2abfd0a868ad5d8d42b166d7eec33f Mon Sep 17 00:00:00 2001 +From: Peter Hutterer +Date: Wed, 23 Feb 2022 09:12:43 +1000 +Subject: [PATCH] udev-builtin-input_id: don't label absolute mice as pointing + sticks + +The Getac UX10 tablet exposes a "CUST0000:00 0EEF:C002 Mouse" device +with BTN_LEFT/RIGHT and ABS_X/Y on the i2c bus. This causes the builtin +to incorrectly label it as pointing stick (all i2c mice are +tagged as ID_INPUT_POINTING_STICK, see 3d7ac1c655ec4). + +Fix this by adding a separate variable for absolute pointing +devices like the VMmouse USB mouse or this Getac tablet - this way we +skip the pointing stick check. + +See https://gitlab.freedesktop.org/libinput/libinput/-/issues/743 +for recordings. + +(cherry picked from commit 8ac9ec4d5c210825759d515422d3e66c20615fc1) +(cherry picked from commit ea5701eb64ff40f915567ae4088ffb7efc0f4155) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/c6cdd3489f2abfd0a868ad5d8d42b166d7eec33f +--- + src/udev/udev-builtin-input_id.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/src/udev/udev-builtin-input_id.c b/src/udev/udev-builtin-input_id.c +index dda53b6da0..f62dffbc58 100644 +--- a/src/udev/udev-builtin-input_id.c ++++ b/src/udev/udev-builtin-input_id.c +@@ -168,6 +168,7 @@ static bool test_pointers(sd_device *dev, + bool finger_but_no_pen = false; + bool has_mouse_button = false; + bool is_mouse = false; ++ bool is_abs_mouse = false; + bool is_touchpad = false; + bool is_touchscreen = false; + bool is_tablet = false; +@@ -232,7 +233,7 @@ static bool test_pointers(sd_device *dev, + else if (has_mouse_button) + /* This path is taken by VMware's USB mouse, which has + * absolute axes, but no touch/pressure button. 
*/ +- is_mouse = true; ++ is_abs_mouse = true; + else if (has_touch || is_direct) + is_touchscreen = true; + else if (has_joystick_axes_or_buttons) +@@ -264,7 +265,7 @@ static bool test_pointers(sd_device *dev, + + if (is_pointing_stick) + udev_builtin_add_property(dev, test, "ID_INPUT_POINTINGSTICK", "1"); +- if (is_mouse) ++ if (is_mouse || is_abs_mouse) + udev_builtin_add_property(dev, test, "ID_INPUT_MOUSE", "1"); + if (is_touchpad) + udev_builtin_add_property(dev, test, "ID_INPUT_TOUCHPAD", "1"); +@@ -277,7 +278,7 @@ static bool test_pointers(sd_device *dev, + if (is_tablet_pad) + udev_builtin_add_property(dev, test, "ID_INPUT_TABLET_PAD", "1"); + +- return is_tablet || is_mouse || is_touchpad || is_touchscreen || is_joystick || is_pointing_stick; ++ return is_tablet || is_mouse || is_abs_mouse || is_touchpad || is_touchscreen || is_joystick || is_pointing_stick; + } + + /* key like devices */ +-- +2.33.0 + diff --git a/backport-udev-do-not-try-to-rename-interface-if-it-is-already.patch b/backport-udev-do-not-try-to-rename-interface-if-it-is-already.patch new file mode 100644 index 0000000000000000000000000000000000000000..33a4b1bc375cd298ed82a24b580c107ec73c39ee --- /dev/null +++ b/backport-udev-do-not-try-to-rename-interface-if-it-is-already.patch 
@@ -0,0 +1,49 @@ +From 214ea3a26e9cc5dda8530a45a71b052e75a250a4 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Sun, 24 Oct 2021 20:43:34 +0900 +Subject: [PATCH] udev: do not try to rename interface if it is already up + +See dev_change_name() in kernel's net/core/dev.c. + +Fixes #21105. + +(cherry picked from commit 6681eb021a0b56ef0dc849e3b358a515ece16482) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/214ea3a26e9cc5dda8530a45a71b052e75a250a4 +--- + src/udev/udev-event.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/src/udev/udev-event.c b/src/udev/udev-event.c +index b28089be71..9854270b27 100644 +--- a/src/udev/udev-event.c ++++ b/src/udev/udev-event.c +@@ -828,6 +828,7 @@ int udev_event_spawn(UdevEvent *event, + static int rename_netif(UdevEvent *event) { + sd_device *dev = event->dev; + const char *oldname; ++ unsigned flags; + int ifindex, r; + + if (!event->name) +@@ -855,6 +856,16 @@ static int rename_netif(UdevEvent *event) { + return 0; + } + ++ r = rtnl_get_link_info(&event->rtnl, ifindex, NULL, &flags); ++ if (r < 0) ++ return log_device_warning_errno(dev, r, "Failed to get link flags: %m"); ++ ++ if (FLAGS_SET(flags, IFF_UP)) { ++ log_device_info(dev, "Network interface '%s' is already up, refusing to rename to '%s'.", ++ oldname, event->name); ++ return 0; ++ } ++ + /* Set ID_RENAMING boolean property here, and drop it in the corresponding move uevent later. */ + r = device_add_property(dev, "ID_RENAMING", "1"); + if (r < 0) +-- +2.33.0 + diff --git a/backport-udev-fix-potential-memleak.patch b/backport-udev-fix-potential-memleak.patch index 1fde896dfbad4405900d5d71ab3be88d4ecd199c..27c77fd151951b1727ce3627a174561eaeb77d2d 100644 --- a/backport-udev-fix-potential-memleak.patch +++ b/backport-udev-fix-potential-memleak.patch @@ -1,17 +1,21 @@ -From 4154524d47d24bcee3ebfed939912a847ebeb1b3 Mon Sep 17 00:00:00 2001 +From f4a8e2c2115fc901e588a1672f129e7e3371f5d7 Mon Sep 17 00:00:00 2001 
From: Yu Watanabe Date: Fri, 27 Aug 2021 17:27:26 +0900 Subject: [PATCH] udev: fix potential memleak +(cherry picked from commit 4154524d47d24bcee3ebfed939912a847ebeb1b3) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/f4a8e2c2115fc901e588a1672f129e7e3371f5d7 --- src/udev/udev-builtin-net_id.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/src/udev/udev-builtin-net_id.c b/src/udev/udev-builtin-net_id.c -index 0aede28f7d..9578fa00c3 100644 +index 92917852ba..2699a8929f 100644 --- a/src/udev/udev-builtin-net_id.c +++ b/src/udev/udev-builtin-net_id.c -@@ -101,7 +101,6 @@ static int get_virtfn_info(sd_device *dev, struct netnames *names, struct virtfn +@@ -103,7 +103,6 @@ static int get_virtfn_info(sd_device *dev, struct netnames *names, struct virtfn _cleanup_(sd_device_unrefp) sd_device *physfn_pcidev = NULL; const char *physfn_link_file, *syspath; _cleanup_free_ char *physfn_pci_syspath = NULL; @@ -19,7 +23,7 @@ index 0aede28f7d..9578fa00c3 100644 struct dirent *dent; _cleanup_closedir_ DIR *dir = NULL; char suffix[ALTIFNAMSIZ]; -@@ -132,7 +131,7 @@ static int get_virtfn_info(sd_device *dev, struct netnames *names, struct virtfn +@@ -134,7 +133,7 @@ static int get_virtfn_info(sd_device *dev, struct netnames *names, struct virtfn return -errno; FOREACH_DIRENT_ALL(dent, dir, break) { @@ -29,5 +33,5 @@ index 0aede28f7d..9578fa00c3 100644 if (!startswith(dent->d_name, "virtfn")) continue; -- -2.27.0 +2.33.0 diff --git a/backport-udev-node-add-random-delay-on-conflict-in-updating-d.patch b/backport-udev-node-add-random-delay-on-conflict-in-updating-d.patch new file mode 100644 index 0000000000000000000000000000000000000000..e4d4930d13a1b8c336c3afd175b9a5c72d41954f --- /dev/null +++ b/backport-udev-node-add-random-delay-on-conflict-in-updating-d.patch 
@@ -0,0 +1,64 @@ +From fca1dafcc29f123aadfd8a2bc5ebfc2468284a6a Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Wed, 1 Sep 2021 04:34:48 +0900 +Subject: [PATCH] udev-node: add random delay on conflict in updating device + node symlink + +To make multiple workers not update the same device node symlink +simultaneously. + +(cherry picked from commit 0063fa23a1384dd4385d03b568dc629916b7e72a) + +Conflict:NA +Reference:https://github.com/systemd/systemd-stable/commit/fca1dafcc29f123aadfd8a2bc5ebfc2468284a6a +--- + src/udev/udev-node.c | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +diff --git a/src/udev/udev-node.c b/src/udev/udev-node.c +index 2e7df899e4..d8edf39aec 100644 +--- a/src/udev/udev-node.c ++++ b/src/udev/udev-node.c +@@ -20,12 +20,14 @@ + #include "mkdir.h" + #include "parse-util.h" + #include "path-util.h" ++#include "random-util.h" + #include "selinux-util.h" + #include "smack-util.h" + #include "stat-util.h" + #include "stdio-util.h" + #include "string-util.h" + #include "strxcpyx.h" ++#include "time-util.h" + #include "udev-node.h" + #include "user-util.h" + +@@ -33,6 +35,8 @@ + #define LINK_UPDATE_MAX_RETRIES 128 + #define CREATE_STACK_LINK_MAX_RETRIES 128 + #define UPDATE_TIMESTAMP_MAX_RETRIES 128 ++#define MAX_RANDOM_DELAY (250 * USEC_PER_MSEC) ++#define MIN_RANDOM_DELAY ( 50 * USEC_PER_MSEC) + #define UDEV_NODE_HASH_KEY SD_ID128_MAKE(b9,6a,f1,ce,40,31,44,1a,9e,19,ec,8b,ae,f3,e3,2f) + + static int create_symlink(const char *target, const char *slink) { +@@ -447,6 +451,15 @@ static int link_update(sd_device *dev, const char *slink_in, bool add) { + _cleanup_free_ char *target = NULL; + struct stat st1 = {}, st2 = {}; + ++ if (i > 0) { ++ char buf[FORMAT_TIMESPAN_MAX]; ++ usec_t delay = MIN_RANDOM_DELAY + random_u64_range(MAX_RANDOM_DELAY - MIN_RANDOM_DELAY); ++ ++ log_device_debug(dev, "Directory %s was updated, retrying to update devlink %s after %s.", ++ dirname, slink, format_timespan(buf, sizeof(buf), delay, USEC_PER_MSEC)); ++ (void) 
usleep(delay); ++ } ++ + if (stat(dirname, &st1) < 0 && errno != ENOENT) + return log_device_debug_errno(dev, errno, "Failed to stat %s: %m", dirname); + +-- +2.33.0 + diff --git a/backport-udev-node-always-atomically-create-symlink-to-device.patch b/backport-udev-node-always-atomically-create-symlink-to-device.patch new file mode 100644 index 0000000000000000000000000000000000000000..6121dfc42b52f3f56a37585eb252e6221c13092e --- /dev/null +++ b/backport-udev-node-always-atomically-create-symlink-to-device.patch 
@@ -0,0 +1,96 @@ +From 0116618b67980eeb8d82d09050087ed245630efe Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Wed, 1 Sep 2021 02:20:33 +0900 +Subject: [PATCH] udev-node: always atomically create symlink to device node + +By the previous commit, it is not necessary to distinguish if the devlink +already exists. Also, I cannot find any significant advantages of the +previous complecated logic, that is, first try to create directly, and then +fallback to atomically creation. Moreover, such logic increases the chance +of conflicts between multiple udev workers. + +This makes devlinks always created atomically. Hopefully, this reduces the +conflicts between the workers. + +(cherry picked from commit 242d39ebc1391f4734f6e63ff13764de92bc5f70) + +Conflict:NA +Reference:https://github.com/systemd/systemd-stable/commit/0116618b67980eeb8d82d09050087ed245630efe +--- + src/udev/udev-node.c | 42 +++++++++--------------------------------- + 1 file changed, 9 insertions(+), 33 deletions(-) + +diff --git a/src/udev/udev-node.c b/src/udev/udev-node.c +index 1a34ea8128..46c04fe00b 100644 +--- a/src/udev/udev-node.c ++++ b/src/udev/udev-node.c +@@ -71,6 +71,13 @@ static int node_symlink(sd_device *dev, const char *node, const char *slink) { + assert(node); + assert(slink); + ++ if (lstat(slink, &stats) >= 0) { ++ if (!S_ISLNK(stats.st_mode)) ++ return log_device_debug_errno(dev, SYNTHETIC_ERRNO(EEXIST), ++ "Conflicting inode '%s' found, link to '%s' will not be created.", slink, node); ++ } else if (errno != ENOENT) ++ return log_device_debug_errno(dev, errno, "Failed to lstat() '%s': %m", slink); ++ + r = path_extract_directory(slink, &slink_dirname); + if (r < 0) + return log_device_debug_errno(dev, r, "Failed to get parent directory of '%s': %m", slink); +@@ -80,41 +87,11 @@ static int node_symlink(sd_device *dev, const char *node, const char *slink) { + if (r < 0) + return log_device_debug_errno(dev, r, "Failed to get relative path from '%s' to '%s': %m", slink, node); + +- 
if (lstat(slink, &stats) >= 0) { +- _cleanup_free_ char *buf = NULL; +- +- if (!S_ISLNK(stats.st_mode)) +- return log_device_debug_errno(dev, SYNTHETIC_ERRNO(EEXIST), +- "Conflicting inode '%s' found, link to '%s' will not be created.", slink, node); +- +- if (readlink_malloc(slink, &buf) >= 0 && +- path_equal(target, buf)) { +- /* preserve link with correct target, do not replace node of other device */ +- log_device_debug(dev, "Preserve already existing symlink '%s' to '%s'", slink, target); +- +- (void) label_fix(slink, LABEL_IGNORE_ENOENT); +- (void) utimensat(AT_FDCWD, slink, NULL, AT_SYMLINK_NOFOLLOW); +- +- return 0; +- } +- } else if (errno == ENOENT) { +- log_device_debug(dev, "Creating symlink '%s' to '%s'", slink, target); +- +- r = create_symlink(target, slink); +- if (r >= 0) +- return 0; +- +- log_device_debug_errno(dev, r, "Failed to create symlink '%s' to '%s', trying to replace '%s': %m", slink, target, slink); +- } else +- return log_device_debug_errno(dev, errno, "Failed to lstat() '%s': %m", slink); +- +- log_device_debug(dev, "Atomically replace '%s'", slink); +- + r = device_get_device_id(dev, &id); + if (r < 0) + return log_device_debug_errno(dev, r, "Failed to get device id: %m"); +- slink_tmp = strjoina(slink, ".tmp-", id); + ++ slink_tmp = strjoina(slink, ".tmp-", id); + (void) unlink(slink_tmp); + + r = create_symlink(target, slink_tmp); +@@ -127,8 +104,7 @@ static int node_symlink(sd_device *dev, const char *node, const char *slink) { + return r; + } + +- /* Tell caller that we replaced already existing symlink. */ +- return 1; ++ return 0; + } + + static int link_find_prioritized(sd_device *dev, bool add, const char *stackdir, char **ret) { +-- +2.33.0 + diff --git a/backport-udev-node-always-update-timestamp-of-stack-directory.patch b/backport-udev-node-always-update-timestamp-of-stack-directory.patch new file mode 100644 index 0000000000000000000000000000000000000000..9fc0e72f6af8ea5b656b354a226c00dc8e97ac1a --- /dev/null 
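Review bot: The conflict check that node_symlink() now performs first, `if (lstat(slink, &stats) >= 0) { if (!S_ISLNK(stats.st_mode)) ...`, is only a snapshot, because the temporary link is created and moved into place several calls later and an inode that appears at slink in between is not seen by it. Assuming the lines elided between the last two hunks rename slink_tmp over slink, a regular file created in that window would be replaced rather than reported as a conflict. A short comment at the check would make that explicit, e.g. `/* Advisory only: a non-symlink created at slink after this lstat() is not detected before the link is replaced. */`. The function also stops returning 1 for a replaced link, so any caller still testing `r == 1` depends on the companion patch in this series that removes that branch from link_update().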
+++ b/backport-udev-node-always-update-timestamp-of-stack-directory.patch 
@@ -0,0 +1,150 @@ +From bd4714982537b5fc08b82ccd5f20522231dd5bee Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Wed, 1 Sep 2021 12:57:40 +0900 +Subject: [PATCH] udev-node: always update timestamp of stack directory + +Please see the comments in the code. + +(cherry picked from commit 6df797f75fa08bb1a9e657001229bd47903e6174) + +Conflict:NA +Reference:https://github.com/systemd/systemd-stable/commit/bd4714982537b5fc08b82ccd5f20522231dd5bee +--- + src/udev/udev-node.c | 90 ++++++++++++++++++++++++++++++++++++++++++-- + 1 file changed, 87 insertions(+), 3 deletions(-) + +diff --git a/src/udev/udev-node.c b/src/udev/udev-node.c +index 5d6aae0bd4..0de848da19 100644 +--- a/src/udev/udev-node.c ++++ b/src/udev/udev-node.c +@@ -32,6 +32,7 @@ + #define CREATE_LINK_MAX_RETRIES 128 + #define LINK_UPDATE_MAX_RETRIES 128 + #define CREATE_STACK_LINK_MAX_RETRIES 128 ++#define UPDATE_TIMESTAMP_MAX_RETRIES 128 + #define UDEV_NODE_HASH_KEY SD_ID128_MAKE(b9,6a,f1,ce,40,31,44,1a,9e,19,ec,8b,ae,f3,e3,2f) + + static int create_symlink(const char *target, const char *slink) { +@@ -285,9 +286,60 @@ toolong: + return size - 1; + } + ++static int update_timestamp(sd_device *dev, const char *path, struct stat *prev) { ++ assert(path); ++ assert(prev); ++ ++ /* Even if a symlink in the stack directory is created/removed, the mtime of the directory may ++ * not be changed. Why? Let's consider the following situation. For simplicity, let's assume ++ * there exist three udev workers (A, B, and C) and all of them calls link_update() for the ++ * same devlink simultaneously. ++ * ++ * 1. B creates/removes a symlink in the stack directory. ++ * 2. A calls the first stat() in the loop of link_update(). ++ * 3. A calls link_find_prioritized(). ++ * 4. C creates/removes another symlink in the stack directory, so the result of the step 3 is outdated. ++ * 5. B and C finish link_update(). ++ * 6. A creates/removes devlink according to the outdated result in the step 3. ++ * 7. 
A calls the second stat() in the loop of link_update(). ++ * ++ * If these 7 steps are processed in this order within a short time period that kernel's timer ++ * does not increase, then even if the contents in the stack directory is changed, the results ++ * of two stat() called by A shows the same timestamp, and A cannot detect the change. ++ * ++ * By calling this function after creating/removing symlinks in the stack directory, the ++ * timestamp of the stack directory is always increased at least in the above step 5, so A can ++ * detect the update. */ ++ ++ if ((prev->st_mode & S_IFMT) == 0) ++ return 0; /* Does not exist, or previous stat() failed. */ ++ ++ for (unsigned i = 0; i < UPDATE_TIMESTAMP_MAX_RETRIES; i++) { ++ struct stat st; ++ ++ if (stat(path, &st) < 0) ++ return -errno; ++ ++ if (!stat_inode_unmodified(prev, &st)) ++ return 0; ++ ++ log_device_debug(dev, ++ "%s is modified, but its timestamp is not changed, " ++ "updating timestamp after 10ms.", ++ path); ++ ++ (void) usleep(10 * USEC_PER_MSEC); ++ if (utimensat(AT_FDCWD, path, NULL, 0) < 0) ++ return -errno; ++ } ++ ++ return -ELOOP; ++} ++ + static int update_stack_directory(sd_device *dev, const char *dirname, bool add) { + _cleanup_free_ char *filename = NULL, *data = NULL, *buf = NULL; + const char *devname, *id; ++ struct stat st = {}; + int priority, r; + + assert(dev); +@@ -302,10 +354,31 @@ static int update_stack_directory(sd_device *dev, const char *dirname, bool add) + return log_oom_debug(); + + if (!add) { +- if (unlink(filename) < 0 && errno != ENOENT) +- log_device_debug_errno(dev, errno, "Failed to remove %s, ignoring: %m", filename); ++ bool unlink_failed = false; ++ ++ if (stat(dirname, &st) < 0) { ++ if (errno == ENOENT) ++ return 0; /* The stack directory is already removed. That's OK. 
*/ ++ log_device_debug_errno(dev, errno, "Failed to stat %s, ignoring: %m", dirname); ++ } ++ ++ if (unlink(filename) < 0) { ++ unlink_failed = true; ++ if (errno != ENOENT) ++ log_device_debug_errno(dev, errno, "Failed to remove %s, ignoring: %m", filename); ++ } ++ ++ if (rmdir(dirname) >= 0 || errno == ENOENT) ++ return 0; ++ ++ if (unlink_failed) ++ return 0; /* If we failed to remove the symlink, there is almost nothing we can do. */ ++ ++ /* The symlink was removed. Check if the timestamp of directory is changed. */ ++ r = update_timestamp(dev, dirname, &st); ++ if (r < 0 && r != -ENOENT) ++ return log_device_debug_errno(dev, r, "Failed to update timestamp of %s: %m", dirname); + +- (void) rmdir(dirname); + return 0; + } + +@@ -335,12 +408,23 @@ static int update_stack_directory(sd_device *dev, const char *dirname, bool add) + if (r < 0) + return log_device_debug_errno(dev, r, "Failed to create directory %s: %m", dirname); + ++ if (stat(dirname, &st) < 0) { ++ if (errno == ENOENT) ++ continue; ++ return log_device_debug_errno(dev, errno, "Failed to stat %s: %m", dirname); ++ } ++ + if (symlink(data, filename) < 0) { + if (errno == ENOENT) + continue; + return log_device_debug_errno(dev, errno, "Failed to create symbolic link %s: %m", filename); + } + ++ /* The symlink was created. Check if the timestamp of directory is changed. */ ++ r = update_timestamp(dev, dirname, &st); ++ if (r < 0) ++ return log_device_debug_errno(dev, r, "Failed to update timestamp of %s: %m", dirname); ++ + return 0; + } + +-- +2.33.0 + diff --git a/backport-udev-node-assume-no-new-claim-to-a-symlink-if-run-ud.patch b/backport-udev-node-assume-no-new-claim-to-a-symlink-if-run-ud.patch new file mode 100644 index 0000000000000000000000000000000000000000..26a4cb07e1612d7664b727e4883d8eaa4359c7a0 --- /dev/null +++ b/backport-udev-node-assume-no-new-claim-to-a-symlink-if-run-ud.patch 
@@ -0,0 +1,38 @@
+From c9fce59c8f0c471a7a474c6a20cdc340fc53a48d Mon Sep 17 00:00:00 2001
+From: Yu Watanabe
+Date: Thu, 2 Sep 2021 06:58:59 +0900
+Subject: [PATCH] udev-node: assume no new claim to a symlink if
+ /run/udev/links is not updated
+
+During creating a symlink to a device node, if another device node which
+requests the same symlink is added/removed, `stat_inode_unmodified()`
+should always detects that. We do not need to continue the loop
+unconditionally.
+
+(cherry picked from commit 8f27311eb2aec2411d1fb7d62e6c9d75d21ae8df)
+
+Conflict:NA
+Reference:https://github.com/systemd/systemd-stable/commit/c9fce59c8f0c471a7a474c6a20cdc340fc53a48d
+---
+ src/udev/udev-node.c | 5 -----
+ 1 file changed, 5 deletions(-)
+
+diff --git a/src/udev/udev-node.c b/src/udev/udev-node.c
+index 0de848da19..1a34ea8128 100644
+--- a/src/udev/udev-node.c
++++ b/src/udev/udev-node.c
+@@ -491,11 +491,6 @@ static int link_update(sd_device *dev, const char *slink_in, bool add) {
+ r = node_symlink(dev, target, slink);
+ if (r < 0)
+ return r;
+- if (r == 1)
+- /* We have replaced already existing symlink, possibly there is some other device trying
+- * to claim the same symlink. Let's do one more iteration to give us a chance to fix
+- * the error if other device actually claims the symlink with higher priority. */
+- continue;
+
+ /* Skip the second stat() if the first failed, stat_inode_unmodified() would return false regardless. */
+ if ((st1.st_mode & S_IFMT) != 0) {
+--
+2.33.0
+
diff --git a/backport-udev-node-check-stack-directory-change-even-if-devli.patch b/backport-udev-node-check-stack-directory-change-even-if-devli.patch
new file mode 100644
index 0000000000000000000000000000000000000000..270df9a9c06934e922e6fa3018011830162266a1
--- /dev/null
+++ b/backport-udev-node-check-stack-directory-change-even-if-devli.patch
@@ -0,0 +1,48 @@
+From 982d13d4cfd1513bdbd74ceb8b256bad5cf679d5 Mon Sep 17 00:00:00 2001
+From: Yu Watanabe
+Date: Wed, 1 Sep 2021 09:44:26 +0900
+Subject: [PATCH] udev-node: check stack directory change even if devlink is
+ removed
+
+Otherwise, when multiple device additions and removals occur
+simultaneously, symlink to unexisting devnode may be created.
+
+Hopefully fixes #19946.
+
+(cherry picked from commit 1cd4e325693007b3628f1a27297f0ab7114b24b8)
+
+Conflict:NA
+Reference:https://github.com/systemd/systemd-stable/commit/982d13d4cfd1513bdbd74ceb8b256bad5cf679d5
+---
+ src/udev/udev-node.c | 15 ++++++---------
+ 1 file changed, 6 insertions(+), 9 deletions(-)
+
+diff --git a/src/udev/udev-node.c b/src/udev/udev-node.c
+index 46c04fe00b..28e6e8df94 100644
+--- a/src/udev/udev-node.c
++++ b/src/udev/udev-node.c
+@@ -468,15 +468,12 @@ static int link_update(sd_device *dev, const char *slink_in, bool add) {
+ if (r < 0)
+ return r;
+
+- /* Skip the second stat() if the first failed, stat_inode_unmodified() would return false regardless. */
+- if ((st1.st_mode & S_IFMT) != 0) {
+- r = stat(dirname, &st2);
+- if (r < 0 && errno != ENOENT)
+- return log_device_debug_errno(dev, errno, "Failed to stat %s: %m", dirname);
+-
+- if (stat_inode_unmodified(&st1, &st2))
+- break;
+- }
++ if (stat(dirname, &st2) < 0 && errno != ENOENT)
++ return log_device_debug_errno(dev, errno, "Failed to stat %s: %m", dirname);
++
++ if (((st1.st_mode & S_IFMT) == 0 && (st2.st_mode & S_IFMT) == 0) ||
++ stat_inode_unmodified(&st1, &st2))
++ return 0;
+ }
+
+ return i < LINK_UPDATE_MAX_RETRIES ? 0 : -ELOOP;
+--
+2.33.0
+
diff --git a/backport-udev-node-do-not-ignore-unexpected-errors-on-removin.patch b/backport-udev-node-do-not-ignore-unexpected-errors-on-removin.patch
new file mode 100644
index 0000000000000000000000000000000000000000..b5a2475f51aae6e740c4a691a32ec49b1ba4fe9f
--- /dev/null
+++ b/backport-udev-node-do-not-ignore-unexpected-errors-on-removin.patch
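Review bot: The new exit test in link_update() (patch check-stack-directory-change) depends on `st1` and `st2` staying zero-filled when stat() fails with ENOENT, and nothing on the added lines says so. `(st1.st_mode & S_IFMT) == 0 && (st2.st_mode & S_IFMT) == 0` only means "the stack directory was absent both before and after" because the structs are declared `= {}` outside this hunk (the context lines of the other patches in this series show that declaration) and a failed stat() leaves them untouched. I would add a comment above the test, e.g. `/* st_mode == 0 means stat() hit ENOENT: the directory was missing both times, so nothing changed. */`. link_update() begins and ends outside the hunk.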
@@ -0,0 +1,63 @@
+From 4a0c4d21ca03ffb37da3b5203988156644e13c5e Mon Sep 17 00:00:00 2001
+From: Yu Watanabe
+Date: Sun, 12 Sep 2021 16:14:27 +0900
+Subject: [PATCH] udev-node: do not ignore unexpected errors on removing
+ symlink in stack directory
+
+Only acceptable error here is -ENOENT.
+
+(cherry picked from commit 0706cdf4ec92d6bd40391da0e81a30d9bf851663)
+
+Conflict:NA
+Reference:https://github.com/systemd/systemd-stable/commit/4a0c4d21ca03ffb37da3b5203988156644e13c5e
+---
+ src/udev/udev-node.c | 23 ++++++++++++++---------
+ 1 file changed, 14 insertions(+), 9 deletions(-)
+
+diff --git a/src/udev/udev-node.c b/src/udev/udev-node.c
+index 4e4a45bbe9..d9309efa25 100644
+--- a/src/udev/udev-node.c
++++ b/src/udev/udev-node.c
+@@ -334,25 +334,30 @@ static int update_stack_directory(sd_device *dev, const char *dirname, bool add)
+ return log_oom_debug();
+
+ if (!add) {
+- bool unlink_failed = false;
++ int unlink_error = 0, stat_error = 0;
+
+ if (stat(dirname, &st) < 0) {
+ if (errno == ENOENT)
+ return 0; /* The stack directory is already removed. That's OK. */
+- log_device_debug_errno(dev, errno, "Failed to stat %s, ignoring: %m", dirname);
++ stat_error = -errno;
+ }
+
+- if (unlink(filename) < 0) {
+- unlink_failed = true;
+- if (errno != ENOENT)
+- log_device_debug_errno(dev, errno, "Failed to remove %s, ignoring: %m", filename);
+- }
++ if (unlink(filename) < 0)
++ unlink_error = -errno;
+
+ if (rmdir(dirname) >= 0 || errno == ENOENT)
+ return 0;
+
+- if (unlink_failed)
+- return 0; /* If we failed to remove the symlink, there is almost nothing we can do. */
++ if (unlink_error < 0) {
++ if (unlink_error == -ENOENT)
++ return 0;
++
++ /* If we failed to remove the symlink, then there is almost nothing we can do. */
++ return log_device_debug_errno(dev, unlink_error, "Failed to remove %s: %m", filename);
++ }
++
++ if (stat_error < 0)
++ return log_device_debug_errno(dev, stat_error, "Failed to stat %s: %m", dirname);
+
+ /* The symlink was removed. Check if the timestamp of directory is changed. */
+ r = update_timestamp(dev, dirname, &st);
+--
+2.33.0
+
diff --git a/backport-udev-node-drop-redundant-trial-of-devlink-creation.patch b/backport-udev-node-drop-redundant-trial-of-devlink-creation.patch
new file mode 100644
index 0000000000000000000000000000000000000000..ea31b432b11205fad011b012a0502e9862f5961f
--- /dev/null
+++ b/backport-udev-node-drop-redundant-trial-of-devlink-creation.patch
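Review bot: In the `!add` branch of update_stack_directory() a failed `rmdir(dirname)` is still accepted without looking at the error: anything other than success or ENOENT falls through as if the directory were merely non-empty. Since the patch is about not ignoring unexpected errors, the one expected failure (ENOTEMPTY on Linux; POSIX also allows EEXIST) should be told apart from the rest. The value has to be saved right after rmdir(), e.g. `rmdir_error = -errno;`, and checked after the unlink_error block with `if (rmdir_error != -ENOTEMPTY) return log_device_debug_errno(dev, rmdir_error, "Failed to remove %s: %m", dirname);`. The function starts and ends outside the hunk.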
@@ -0,0 +1,84 @@
+From 1df2313e201c39907653a99335b7d21db092fcbc Mon Sep 17 00:00:00 2001
+From: Yu Watanabe
+Date: Wed, 1 Sep 2021 09:29:42 +0900
+Subject: [PATCH] udev-node: drop redundant trial of devlink creation
+
+Previously, the devlink was created based on the priority saved in udev
+database. So, we needed to reevaluate devlinks after database is saved.
+
+But now the priority is stored in the symlink under /run/udev/links, and
+the loop of devlink creation is controlled with the timestamp of the
+directory. So, the double evaluation is not necessary anymore.
+
+(cherry picked from commit 7920d0a135fb6a08aa0bfc31e9d0a3f589fe7a1f)
+
+Conflict:NA
+Reference:https://github.com/systemd/systemd-stable/commit/1df2313e201c39907653a99335b7d21db092fcbc
+---
+ src/udev/udev-event.c | 5 +----
+ src/udev/udev-node.c | 12 ++++--------
+ 2 files changed, 5 insertions(+), 12 deletions(-)
+
+diff --git a/src/udev/udev-event.c b/src/udev/udev-event.c
+index 8320e96fe2..56fe0a43a7 100644
+--- a/src/udev/udev-event.c
++++ b/src/udev/udev-event.c
+@@ -1071,10 +1071,7 @@ int udev_event_execute_rules(
+
+ device_set_is_initialized(dev);
+
+- /* Yes, we run update_devnode() twice, because in the first invocation, that is before update of udev database,
+- * it could happen that two contenders are replacing each other's symlink. Hence we run it again to make sure
+- * symlinks point to devices that claim them with the highest priority. */
+- return update_devnode(event);
++ return 0;
+ }
+
+ void udev_event_execute_run(UdevEvent *event, usec_t timeout_usec, int timeout_signal) {
+diff --git a/src/udev/udev-node.c b/src/udev/udev-node.c
+index d8edf39aec..52816c72fd 100644
+--- a/src/udev/udev-node.c
++++ b/src/udev/udev-node.c
+@@ -416,7 +416,7 @@ static int link_update(sd_device *dev, const char *slink_in, bool add) {
+ _cleanup_free_ char *slink = NULL, *dirname = NULL;
+ const char *slink_name;
+ char name_enc[NAME_MAX+1];
+- int i, r, retries;
++ int r;
+
+ assert(dev);
+ assert(slink_in);
+@@ -443,11 +443,7 @@ static int link_update(sd_device *dev, const char *slink_in, bool add) {
+ if (r < 0)
+ return r;
+
+- /* If the database entry is not written yet we will just do one iteration and possibly wrong symlink
+- * will be fixed in the second invocation. */
+- retries = sd_device_get_is_initialized(dev) > 0 ? LINK_UPDATE_MAX_RETRIES : 1;
+-
+- for (i = 0; i < retries; i++) {
++ for (unsigned i = 0; i < LINK_UPDATE_MAX_RETRIES; i++) {
+ _cleanup_free_ char *target = NULL;
+ struct stat st1 = {}, st2 = {};
+
+@@ -473,7 +469,7 @@ static int link_update(sd_device *dev, const char *slink_in, bool add) {
+ log_device_debug_errno(dev, errno, "Failed to remove '%s', ignoring: %m", slink);
+
+ (void) rmdir_parents(slink, "/dev");
+- break;
++ return 0;
+ }
+
+ r = node_symlink(dev, target, slink);
+@@ -488,7 +484,7 @@ static int link_update(sd_device *dev, const char *slink_in, bool add) {
+ return 0;
+ }
+
+- return i < LINK_UPDATE_MAX_RETRIES ? 0 : -ELOOP;
++ return -ELOOP;
+ }
+
+ static int device_get_devpath_by_devnum(sd_device *dev, char **ret) {
+--
+2.33.0
+
diff --git a/backport-udev-node-save-information-about-device-node-and-pri.patch b/backport-udev-node-save-information-about-device-node-and-pri.patch
new file mode 100644
index 0000000000000000000000000000000000000000..bd74ab8b1f8038cdd5010376386f58d50304b30d
--- /dev/null
+++ b/backport-udev-node-save-information-about-device-node-and-pri.patch 
@@ -0,0 +1,254 @@
+From 56c7e4c0873feba9809d4638d64132a61b43f995 Mon Sep 17 00:00:00 2001
+From: Yu Watanabe
+Date: Wed, 1 Sep 2021 04:16:21 +0900
+Subject: [PATCH] udev-node: save information about device node and priority in
+ symlink
+
+Previously, we only store device IDs in /run/udev/links, and when
+creating/removing device node symlink, we create sd_device object
+corresponds to the IDs and read device node and priority from the
+object. That requires parsing uevent and udev database files.
+
+This makes link_find_prioritized() get the most prioritzed device node
+without parsing the files.
+
+(cherry picked from commit 377a83f0d80376456d9be203796f66f543a8b943)
+
+Conflict:NA
+Reference:https://github.com/systemd/systemd-stable/commit/56c7e4c0873feba9809d4638d64132a61b43f995
+---
+ src/udev/udev-node.c | 172 ++++++++++++++++++++++++++++++-------------
+ 1 file changed, 121 insertions(+), 51 deletions(-)
+
+diff --git a/src/udev/udev-node.c b/src/udev/udev-node.c
+index 4496a2bd9b..5d6aae0bd4 100644
+--- a/src/udev/udev-node.c
++++ b/src/udev/udev-node.c
+@@ -18,6 +18,7 @@
+ #include "fs-util.h"
+ #include "hexdecoct.h"
+ #include "mkdir.h"
++#include "parse-util.h"
+ #include "path-util.h"
+ #include "selinux-util.h"
+ #include "smack-util.h"
+@@ -28,9 +29,9 @@
+ #include "udev-node.h"
+ #include "user-util.h"
+
+-#define CREATE_LINK_MAX_RETRIES 128
+-#define LINK_UPDATE_MAX_RETRIES 128
+-#define TOUCH_FILE_MAX_RETRIES 128
++#define CREATE_LINK_MAX_RETRIES 128
++#define LINK_UPDATE_MAX_RETRIES 128
++#define CREATE_STACK_LINK_MAX_RETRIES 128
+ #define UDEV_NODE_HASH_KEY SD_ID128_MAKE(b9,6a,f1,ce,40,31,44,1a,9e,19,ec,8b,ae,f3,e3,2f)
+
+ static int create_symlink(const char *target, const char *slink) {
+@@ -175,39 +176,67 @@ static int link_find_prioritized(sd_device *dev, bool add, const char *stackdir,
+ return r;
+
+ FOREACH_DIRENT_ALL(dent, dir, break) {
+- _cleanup_(sd_device_unrefp) sd_device *dev_db = NULL;
+- const char *devnode;
+- int db_prio = 0;
++ _cleanup_free_ char *path = NULL, *buf = NULL;
++ int tmp_prio;
+
+- if (dent->d_name[0] == '\0')
+- break;
+ if (dent->d_name[0] == '.')
+ continue;
+
+- log_device_debug(dev, "Found '%s' claiming '%s'", dent->d_name, stackdir);
+-
+- /* did we find ourself? */
++ /* skip ourself */
+ if (streq(dent->d_name, id))
+ continue;
+
+- if (sd_device_new_from_device_id(&dev_db, dent->d_name) < 0)
+- continue;
++ path = path_join(stackdir, dent->d_name);
++ if (!path)
++ return -ENOMEM;
+
+- if (sd_device_get_devname(dev_db, &devnode) < 0)
+- continue;
++ if (readlink_malloc(path, &buf) >= 0) {
++ char *devnode;
+
+- if (device_get_devlink_priority(dev_db, &db_prio) < 0)
+- continue;
++ /* New format. The devnode and priority can be obtained from symlink. */
+
+- if (target && db_prio <= priority)
+- continue;
++ devnode = strchr(buf, ':');
++ if (!devnode || devnode == buf)
++ continue;
+
+- log_device_debug(dev_db, "Device claims priority %i for '%s'", db_prio, stackdir);
++ *(devnode++) = '\0';
++ if (!path_startswith(devnode, "/dev"))
++ continue;
+
+- r = free_and_strdup(&target, devnode);
+- if (r < 0)
+- return r;
+- priority = db_prio;
++ if (safe_atoi(buf, &tmp_prio) < 0)
++ continue;
++
++ if (target && tmp_prio <= priority)
++ continue;
++
++ r = free_and_strdup(&target, devnode);
++ if (r < 0)
++ return r;
++ } else {
++ _cleanup_(sd_device_unrefp) sd_device *tmp_dev = NULL;
++ const char *devnode;
++
++ /* Old format. The devnode and priority must be obtained from uevent and
++ * udev database files. */
++
++ if (sd_device_new_from_device_id(&tmp_dev, dent->d_name) < 0)
++ continue;
++
++ if (device_get_devlink_priority(tmp_dev, &tmp_prio) < 0)
++ continue;
++
++ if (target && tmp_prio <= priority)
++ continue;
++
++ if (sd_device_get_devname(tmp_dev, &devnode) < 0)
++ continue;
++
++ r = free_and_strdup(&target, devnode);
++ if (r < 0)
++ return r;
++ }
++
++ priority = tmp_prio;
+ }
+
+ *ret = TAKE_PTR(target);
+@@ -256,10 +285,72 @@ toolong:
+ return size - 1;
+ }
+
++static int update_stack_directory(sd_device *dev, const char *dirname, bool add) {
++ _cleanup_free_ char *filename = NULL, *data = NULL, *buf = NULL;
++ const char *devname, *id;
++ int priority, r;
++
++ assert(dev);
++ assert(dirname);
++
++ r = device_get_device_id(dev, &id);
++ if (r < 0)
++ return log_device_debug_errno(dev, r, "Failed to get device id: %m");
++
++ filename = path_join(dirname, id);
++ if (!filename)
++ return log_oom_debug();
++
++ if (!add) {
++ if (unlink(filename) < 0 && errno != ENOENT)
++ log_device_debug_errno(dev, errno, "Failed to remove %s, ignoring: %m", filename);
++
++ (void) rmdir(dirname);
++ return 0;
++ }
++
++ r = sd_device_get_devname(dev, &devname);
++ if (r < 0)
++ return log_device_debug_errno(dev, r, "Failed to get device node: %m");
++
++ r = device_get_devlink_priority(dev, &priority);
++ if (r < 0)
++ return log_device_debug_errno(dev, r, "Failed to get priority of device node symlink: %m");
++
++ if (asprintf(&data, "%i:%s", priority, devname) < 0)
++ return log_oom_debug();
++
++ if (readlink_malloc(filename, &buf) >= 0 && streq(buf, data))
++ return 0;
++
++ if (unlink(filename) < 0 && errno != ENOENT)
++ log_device_debug_errno(dev, errno, "Failed to remove %s, ignoring: %m", filename);
++
++ for (unsigned j = 0; j < CREATE_STACK_LINK_MAX_RETRIES; j++) {
++ /* This may fail with -ENOENT when the parent directory is removed during
++ * creating the file by another udevd worker. */
++ r = mkdir_p(dirname, 0755);
++ if (r == -ENOENT)
++ continue;
++ if (r < 0)
++ return log_device_debug_errno(dev, r, "Failed to create directory %s: %m", dirname);
++
++ if (symlink(data, filename) < 0) {
++ if (errno == ENOENT)
++ continue;
++ return log_device_debug_errno(dev, errno, "Failed to create symbolic link %s: %m", filename);
++ }
++
++ return 0;
++ }
++
++ return log_device_debug_errno(dev, SYNTHETIC_ERRNO(ELOOP), "Failed to create symbolic link %s: %m", filename);
++}
++
+ /* manage "stack of names" with possibly specified device priorities */
+ static int link_update(sd_device *dev, const char *slink_in, bool add) {
+- _cleanup_free_ char *slink = NULL, *filename = NULL, *dirname = NULL;
+- const char *slink_name, *id;
++ _cleanup_free_ char *slink = NULL, *dirname = NULL;
++ const char *slink_name;
+ char name_enc[NAME_MAX+1];
+ int i, r, retries;
+
+@@ -279,35 +370,14 @@ static int link_update(sd_device *dev, const char *slink_in, bool add) {
+ return log_device_debug_errno(dev, SYNTHETIC_ERRNO(EINVAL),
+ "Invalid symbolic link of device node: %s", slink);
+
+- r = device_get_device_id(dev, &id);
+- if (r < 0)
+- return log_device_debug_errno(dev, r, "Failed to get device id: %m");
+-
+ (void) udev_node_escape_path(slink_name, name_enc, sizeof(name_enc));
+- dirname = path_join("/run/udev/links/", name_enc);
++ dirname = path_join("/run/udev/links", name_enc);
+ if (!dirname)
+ return log_oom_debug();
+
+- filename = path_join(dirname, id);
+- if (!filename)
+- return log_oom_debug();
+-
+- if (!add) {
+- if (unlink(filename) < 0 && errno != ENOENT)
+- log_device_debug_errno(dev, errno, "Failed to remove %s, ignoring: %m", filename);
+-
+- (void) rmdir(dirname);
+- } else {
+- for (unsigned j = 0; j < TOUCH_FILE_MAX_RETRIES; j++) {
+- /* This may fail with -ENOENT when the parent directory is removed during
+- * creating the file by another udevd worker. */
+- r = touch_file(filename, /* parents= */ true, USEC_INFINITY, UID_INVALID, GID_INVALID, 0444);
+- if (r != -ENOENT)
+- break;
+- }
+- if (r < 0)
+- return log_device_debug_errno(dev, r, "Failed to create %s: %m", filename);
+- }
++ r = update_stack_directory(dev, dirname, add);
++ if (r < 0)
++ return r;
+
+ /* If the database entry is not written yet we will just do one iteration and possibly wrong symlink
+ * will be fixed in the second invocation. */
+--
+2.33.0
+
diff --git a/backport-udev-node-shorten-code-a-bit-and-update-log-message.patch b/backport-udev-node-shorten-code-a-bit-and-update-log-message.patch
new file mode 100644
index 0000000000000000000000000000000000000000..44608eee977f7e1e220bed48eb05f754b4434edb
--- /dev/null
+++ b/backport-udev-node-shorten-code-a-bit-and-update-log-message.patch
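Review bot: In link_find_prioritized() every failure of `readlink_malloc(path, &buf)` is taken to mean "old-format entry", including -ENOMEM and I/O errors, so a claimant can be dropped silently and a lower-priority device node chosen for the devlink. A few lines earlier the same loop returns -ENOMEM when path_join() fails, so two allocation failures in one loop body are handled differently. I would keep the return value and take the database fallback only for the not-a-symlink case, skip an entry that vanished after readdir(), and propagate the rest; readlink(2) reports EINVAL for a non-symlink, but confirm that readlink_malloc() passes it through unchanged. The function begins outside the hunk.
```c
r = readlink_malloc(path, &buf);
if (r >= 0) {
        /* … unchanged: new-format parsing of "priority:devnode" … */
} else if (r == -EINVAL) {
        /* … unchanged: old-format lookup via sd_device_new_from_device_id() … */
} else if (r == -ENOENT) {
        continue; /* The entry vanished after readdir(). */
} else {
        return r;
}
```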
@@ -0,0 +1,36 @@
+From f27b7c3d26bf90cad9348e7c31a2db4eb3cac42e Mon Sep 17 00:00:00 2001
+From: Yu Watanabe
+Date: Thu, 2 Sep 2021 08:23:35 +0900
+Subject: [PATCH] udev-node: shorten code a bit and update log message
+
+(cherry picked from commit 8424da2de88ceeed7be8544fb69221f0b0ea84ea)
+
+Conflict:NA
+Reference:https://github.com/systemd/systemd-stable/commit/f27b7c3d26bf90cad9348e7c31a2db4eb3cac42e
+---
+ src/udev/udev-node.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/src/udev/udev-node.c b/src/udev/udev-node.c
+index 28e6e8df94..2e7df899e4 100644
+--- a/src/udev/udev-node.c
++++ b/src/udev/udev-node.c
+@@ -447,13 +447,12 @@ static int link_update(sd_device *dev, const char *slink_in, bool add) {
+ _cleanup_free_ char *target = NULL;
+ struct stat st1 = {}, st2 = {};
+
+- r = stat(dirname, &st1);
+- if (r < 0 && errno != ENOENT)
++ if (stat(dirname, &st1) < 0 && errno != ENOENT)
+ return log_device_debug_errno(dev, errno, "Failed to stat %s: %m", dirname);
+
+ r = link_find_prioritized(dev, add, dirname, &target);
+ if (r < 0)
+- return log_device_debug_errno(dev, r, "Failed to determine highest priority for symlink '%s': %m", slink);
++ return log_device_debug_errno(dev, r, "Failed to determine device node with the highest priority for '%s': %m", slink);
+ if (r == 0) {
+ log_device_debug(dev, "No reference left for '%s', removing", slink);
+
+--
+2.33.0
+
diff --git a/backport-udev-node-simplify-the-example-of-race.patch b/backport-udev-node-simplify-the-example-of-race.patch
new file mode 100644
index 0000000000000000000000000000000000000000..d7736ee77ab96f20737e0356b3ba2183af0ee06e
--- /dev/null
+++ b/backport-udev-node-simplify-the-example-of-race.patch
@@ -0,0 +1,40 @@
+From 76e4e1df71fc26acd2aa2ef2d599da3cdd95a014 Mon Sep 17 00:00:00 2001
+From: Yu Watanabe
+Date: Sun, 12 Sep 2021 16:05:51 +0900
+Subject: [PATCH] udev-node: simplify the example of race
+
+(cherry picked from commit 3df566a66723490914ef3bae0ca8046044b70dce)
+
+Conflict:NA
+Reference:https://github.com/systemd/systemd-stable/commit/76e4e1df71fc26acd2aa2ef2d599da3cdd95a014
+---
+ src/udev/udev-node.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/src/udev/udev-node.c b/src/udev/udev-node.c
+index 52816c72fd..4e4a45bbe9 100644
+--- a/src/udev/udev-node.c
++++ b/src/udev/udev-node.c
+@@ -272,14 +272,14 @@ static int update_timestamp(sd_device *dev, const char *path, struct stat *prev)
+
+ /* Even if a symlink in the stack directory is created/removed, the mtime of the directory may
+ * not be changed. Why? Let's consider the following situation. For simplicity, let's assume
+- * there exist three udev workers (A, B, and C) and all of them calls link_update() for the
+- * same devlink simultaneously.
++ * there exist two udev workers (A and B) and all of them calls link_update() for the same
++ * devlink simultaneously.
+ *
+- * 1. B creates/removes a symlink in the stack directory.
++ * 1. A creates/removes a symlink in the stack directory.
+ * 2. A calls the first stat() in the loop of link_update().
+ * 3. A calls link_find_prioritized().
+- * 4. C creates/removes another symlink in the stack directory, so the result of the step 3 is outdated.
+- * 5. B and C finish link_update().
++ * 4. B creates/removes another symlink in the stack directory, so the result of the step 3 is outdated.
++ * 5. B finishes link_update().
+ * 6. A creates/removes devlink according to the outdated result in the step 3.
+ * 7. A calls the second stat() in the loop of link_update().
+ *
+--
+2.33.0
+
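Review bot: The rewritten comment in update_timestamp() still says "there exist two udev workers (A and B) and all of them calls link_update()"; with two workers that should read `both of them call link_update()`. Step 5 was adjusted to the singular ("B finishes"), but this sentence kept the wording of the three-worker version. The comment starts above the hunk and continues below it.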
diff --git a/backport-udev-node-split-out-permission-handling-from-udev_no.patch b/backport-udev-node-split-out-permission-handling-from-udev_no.patch
new file mode 100644
index 0000000000000000000000000000000000000000..7d79c3f4cece70c5959186e18096d44ab342e56a
--- /dev/null
+++ b/backport-udev-node-split-out-permission-handling-from-udev_no.patch
@@ -0,0 +1,309 @@
+From 7534eb17595810512574e930eb114b49ec1d3675 Mon Sep 17 00:00:00 2001
+From: Yu Watanabe
+Date: Wed, 1 Sep 2021 09:24:15 +0900
+Subject: [PATCH] udev-node: split out permission handling from udev_node_add()
+
+And then merge udev_node_add() and udev_node_update_old_links().
+
+(cherry picked from commit 2f48561e0db3cd63f65e9311b4d69282b4ac605d)
+
+Conflict:NA
+Reference:https://github.com/systemd/systemd-stable/commit/7534eb17595810512574e930eb114b49ec1d3675
+---
+ src/udev/udev-event.c | 9 +-
+ src/udev/udev-node.c | 204 +++++++++++++++++++-----------------------
+ src/udev/udev-node.h | 12 ++-
+ 3 files changed, 106 insertions(+), 119 deletions(-)
+
+diff --git a/src/udev/udev-event.c b/src/udev/udev-event.c
+index 9854270b27..8320e96fe2 100644
+--- a/src/udev/udev-event.c
++++ b/src/udev/udev-event.c
+@@ -906,9 +906,6 @@ static int update_devnode(UdevEvent *event) {
+ if (r < 0)
+ return log_device_error_errno(dev, r, "Failed to get devnum: %m");
+
+- /* remove/update possible left-over symlinks from old database entry */
+- (void) udev_node_update_old_links(dev, event->dev_db_clone);
+-
+ if (!uid_is_valid(event->uid)) {
+ r = device_get_devnode_uid(dev, &event->uid);
+ if (r < 0 && r != -ENOENT)
+@@ -932,7 +929,11 @@ static int update_devnode(UdevEvent *event) {
+
+ bool apply_mac = device_for_action(dev, SD_DEVICE_ADD);
+
+- return udev_node_add(dev, apply_mac, event->mode, event->uid, event->gid, event->seclabel_list);
++ r = udev_node_apply_permissions(dev, apply_mac, event->mode, event->uid, event->gid, event->seclabel_list);
++ if (r < 0)
++ return log_device_error_errno(dev, r, "Failed to apply devnode permissions: %m");
++
++ return udev_node_update(dev, event->dev_db_clone);
+ }
+
+ static int event_execute_rules_on_remove(
+diff --git a/src/udev/udev-node.c b/src/udev/udev-node.c
+index 9e52906571..7cc9ee3670 100644
+--- a/src/udev/udev-node.c
++++ b/src/udev/udev-node.c
+@@ -356,45 +356,117 @@ static int link_update(sd_device *dev, const char *slink_in, bool add) {
+ return i < LINK_UPDATE_MAX_RETRIES ? 0 : -ELOOP;
+ }
+
+-int udev_node_update_old_links(sd_device *dev, sd_device *dev_old) {
+- const char *name;
++static int device_get_devpath_by_devnum(sd_device *dev, char **ret) {
++ const char *subsystem;
++ dev_t devnum;
++ int r;
++
++ assert(dev);
++ assert(ret);
++
++ r = sd_device_get_subsystem(dev, &subsystem);
++ if (r < 0)
++ return r;
++
++ r = sd_device_get_devnum(dev, &devnum);
++ if (r < 0)
++ return r;
++
++ return device_path_make_major_minor(streq(subsystem, "block") ? S_IFBLK : S_IFCHR, devnum, ret);
++}
++
++int udev_node_update(sd_device *dev, sd_device *dev_old) {
++ _cleanup_free_ char *filename = NULL;
++ const char *devnode, *devlink;
+ int r;
+
+ assert(dev);
+ assert(dev_old);
+
+- /* update possible left-over symlinks */
+- FOREACH_DEVICE_DEVLINK(dev_old, name) {
+- const char *name_current;
+- bool found = false;
++ r = sd_device_get_devname(dev, &devnode);
++ if (r < 0)
++ return log_device_debug_errno(dev, r, "Failed to get devnode: %m");
+
+- /* check if old link name still belongs to this device */
+- FOREACH_DEVICE_DEVLINK(dev, name_current)
+- if (streq(name, name_current)) {
+- found = true;
+- break;
+- }
++ if (DEBUG_LOGGING) {
++ const char *id = NULL;
+
+- if (found)
++ (void) device_get_device_id(dev, &id);
++ log_device_debug(dev, "Handling device node '%s', devnum=%s", devnode, strna(id));
++ }
++
++ /* update possible left-over symlinks */
++ FOREACH_DEVICE_DEVLINK(dev_old, devlink) {
++ /* check if old link name still belongs to this device */
++ if (device_has_devlink(dev, devlink))
+ continue;
+
+ log_device_debug(dev,
+- "Updating old device symlink '%s', which is no longer belonging to this device.",
+- name);
++ "Removing/updating old device symlink '%s', which is no longer belonging to this device.",
++ devlink);
+
+- r = link_update(dev, name, false);
++ r = link_update(dev, devlink, /* add = */ false);
+ if (r < 0)
+ log_device_warning_errno(dev, r,
+- "Failed to update device symlink '%s', ignoring: %m",
+- name);
++ "Failed to remove/update device symlink '%s', ignoring: %m",
++ devlink);
+ }
+
++ /* create/update symlinks, add symlinks to name index */
++ FOREACH_DEVICE_DEVLINK(dev, devlink) {
++ r = link_update(dev, devlink, /* add = */ true);
++ if (r < 0)
++ log_device_warning_errno(dev, r,
++ "Failed to create/update device symlink '%s', ignoring: %m",
++ devlink);
++ }
++
++ r = device_get_devpath_by_devnum(dev, &filename);
++ if (r < 0)
++ return log_device_debug_errno(dev, r, "Failed to get device path: %m");
++
++ /* always add /dev/{block,char}/$major:$minor */
++ r = node_symlink(dev, devnode, filename);
++ if (r < 0)
++ return log_device_warning_errno(dev, r, "Failed to create device symlink '%s': %m", filename);
++
++ return 0;
++}
++
++int udev_node_remove(sd_device *dev) {
++ _cleanup_free_ char *filename = NULL;
++ const char *devlink;
++ int r;
++
++ assert(dev);
++
++ /* remove/update symlinks, remove symlinks from name index */
++ FOREACH_DEVICE_DEVLINK(dev, devlink) {
++ r = link_update(dev, devlink, /* add = */ false);
++ if (r < 0)
++ log_device_warning_errno(dev, r,
++ "Failed to remove/update device symlink '%s', ignoring: %m",
++ devlink);
++ }
++
++ r = device_get_devpath_by_devnum(dev, &filename);
++ if (r < 0)
++ return log_device_debug_errno(dev, r, "Failed to get device path: %m");
++
++ /* remove /dev/{block,char}/$major:$minor */
++ if (unlink(filename) < 0 && errno != ENOENT)
++ return log_device_debug_errno(dev, errno, "Failed to remove '%s': %m", filename);
++
+ return 0;
+ }
+
+-static int node_permissions_apply(sd_device *dev, bool apply_mac,
+- mode_t mode, uid_t uid, gid_t gid,
+- OrderedHashmap *seclabel_list) {
++int udev_node_apply_permissions(
++ sd_device *dev,
++ bool apply_mac,
++ mode_t mode,
++ uid_t uid,
++ gid_t gid,
++ OrderedHashmap *seclabel_list) {
++
+ const char *devnode, *subsystem, *id = NULL;
+ bool apply_mode, apply_uid, apply_gid;
+ _cleanup_close_ int node_fd = -1;
+@@ -511,95 +583,5 @@ static int node_permissions_apply(sd_device *dev, bool apply_mac,
+ if (r < 0)
+ log_device_debug_errno(dev, r, "Failed to adjust timestamp of node %s: %m", devnode);
+
+- return r;
+-}
+-
+-static int xsprintf_dev_num_path_from_sd_device(sd_device *dev, char **ret) {
+- const char *subsystem;
+- dev_t devnum;
+- int r;
+-
+- assert(ret);
+-
+- r = sd_device_get_subsystem(dev, &subsystem);
+- if (r < 0)
+- return r;
+-
+- r = sd_device_get_devnum(dev, &devnum);
+- if (r < 0)
+- return r;
+-
+- return device_path_make_major_minor(streq(subsystem, "block") ? S_IFBLK : S_IFCHR, devnum, ret);
+-}
+-
+-int udev_node_add(sd_device *dev, bool apply,
+- mode_t mode, uid_t uid, gid_t gid,
+- OrderedHashmap *seclabel_list) {
+- const char *devnode, *devlink;
+- _cleanup_free_ char *filename = NULL;
+- int r;
+-
+- assert(dev);
+-
+- r = sd_device_get_devname(dev, &devnode);
+- if (r < 0)
+- return log_device_debug_errno(dev, r, "Failed to get devnode: %m");
+-
+- if (DEBUG_LOGGING) {
+- const char *id = NULL;
+-
+- (void) device_get_device_id(dev, &id);
+- log_device_debug(dev, "Handling device node '%s', devnum=%s", devnode, strna(id));
+- }
+-
+- r = node_permissions_apply(dev, apply, mode, uid, gid, seclabel_list);
+- if (r < 0)
+- return r;
+-
+- /* create/update symlinks, add symlinks to name index */
+- FOREACH_DEVICE_DEVLINK(dev, devlink) {
+- r = link_update(dev, devlink, true);
+- if (r < 0)
+- log_device_warning_errno(dev, r,
+- "Failed to update device symlink '%s', ignoring: %m",
+- devlink);
+- }
+-
+- r = xsprintf_dev_num_path_from_sd_device(dev, &filename);
+- if (r < 0)
+- return log_device_debug_errno(dev, r, "Failed to get device path: %m");
+-
+- /* always add /dev/{block,char}/$major:$minor */
+- r = node_symlink(dev, devnode, filename);
+- if (r < 0)
+- return log_device_warning_errno(dev, r, "Failed to create device symlink '%s': %m", filename);
+-
+- return 0;
+-}
+-
+-int udev_node_remove(sd_device *dev) {
+- _cleanup_free_ char *filename = NULL;
+- const char *devlink;
+- int r;
+-
+- assert(dev);
+-
+- /* remove/update symlinks, remove symlinks from name index */
+- FOREACH_DEVICE_DEVLINK(dev, devlink) {
+- r = link_update(dev, devlink, false);
+- if (r < 0)
+- log_device_warning_errno(dev, r,
+- "Failed to update device symlink '%s', ignoring: %m",
+- devlink);
+- }
+-
+- r = xsprintf_dev_num_path_from_sd_device(dev, &filename);
+- if (r < 0)
+- return log_device_debug_errno(dev, r, "Failed to get device path: %m");
+-
+- /* remove /dev/{block,char}/$major:$minor */
+- if (unlink(filename) < 0 && errno != ENOENT)
+- return log_device_debug_errno(dev, errno, "Failed to remove '%s': %m", filename);
+-
+ return 0;
+ }
+diff --git a/src/udev/udev-node.h b/src/udev/udev-node.h
+index 2349f9c471..a34af77146 100644
+--- a/src/udev/udev-node.h
++++ b/src/udev/udev-node.h
+@@ -8,10 +8,14 @@
+
+ #include "hashmap.h"
+
+-int udev_node_add(sd_device *dev, bool apply,
+- mode_t mode, uid_t uid, gid_t gid,
+- OrderedHashmap *seclabel_list);
++int udev_node_apply_permissions(
++ sd_device *dev,
++ bool apply_mac,
++ mode_t mode,
++ uid_t uid,
++ gid_t gid,
++ OrderedHashmap *seclabel_list);
+ int udev_node_remove(sd_device *dev);
+-int udev_node_update_old_links(sd_device *dev, sd_device *dev_old);
++int udev_node_update(sd_device *dev, sd_device *dev_old);
+
+ size_t udev_node_escape_path(const char *src, char *dest, size_t size);
+--
+2.33.0
+
diff --git a/backport-udev-node-stack-directory-must-exist-when-adding-dev.patch b/backport-udev-node-stack-directory-must-exist-when-adding-dev.patch
new file mode 100644
index 0000000000000000000000000000000000000000..f1c6fe815ee2a09cd3516cd6188cddf0adf87a44
--- /dev/null
+++ b/backport-udev-node-stack-directory-must-exist-when-adding-dev.patch
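Review bot: In update_devnode() (udev-event.c) the cleanup of devlinks left over from the old database entry now happens only inside `udev_node_update()`, which is reached after the uid/gid/mode lookups and `udev_node_apply_permissions()` have all succeeded. Before this change `udev_node_update_old_links()` ran first and unconditionally, so a failure in permission handling did not leave stale links behind; now any early return in between keeps /dev symlinks that the device no longer claims pointing at it. If that is intended, say so above the call, e.g. `/* Devlinks are only touched once permissions are applied; on failure, stale links from the old database entry stay. */`; otherwise the removal loop should also run on the error path. The part of update_devnode() between the two udev-event.c hunks is not visible, so the exact set of early returns needs checking against the full function.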
@@ -0,0 +1,40 @@
+From f16172aeb2349dab0f73a4651f31cd025faab6b7 Mon Sep 17 00:00:00 2001
+From: Yu Watanabe
+Date: Wed, 1 Sep 2021 04:14:42 +0900
+Subject: [PATCH] udev-node: stack directory must exist when adding device node
+ symlink
+
+(cherry picked from commit 46070dbf26435ba0def099121f46a6253f3f19b6)
+
+Conflict:NA
+Reference:https://github.com/systemd/systemd-stable/commit/f16172aeb2349dab0f73a4651f31cd025faab6b7
+---
+ src/udev/udev-node.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/src/udev/udev-node.c b/src/udev/udev-node.c
+index 7cc9ee3670..4496a2bd9b 100644
+--- a/src/udev/udev-node.c
++++ b/src/udev/udev-node.c
+@@ -161,12 +161,13 @@ static int link_find_prioritized(sd_device *dev, bool add, const char *stackdir,
+
+ dir = opendir(stackdir);
+ if (!dir) {
+- if (errno == ENOENT) {
+- *ret = TAKE_PTR(target);
+- return !!*ret;
+- }
++ if (add) /* The stack directory must exist. */
++ return -errno;
++ if (errno != ENOENT)
++ return -errno;
+
+- return -errno;
++ *ret = NULL;
++ return 0;
+ }
+
+ r = device_get_device_id(dev, &id);
+--
+2.33.0
+
diff --git a/backport-udev-when-setting-up-lo-do-not-return-an-error.patch b/backport-udev-when-setting-up-lo-do-not-return-an-error.patch
new file mode 100644
index 0000000000000000000000000000000000000000..3739d43b17efb97d304cf6d62810bef33bf66bc8
--- /dev/null
+++ b/backport-udev-when-setting-up-lo-do-not-return-an-error.patch
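Review bot: The two added branches in link_find_prioritized() both end in `return -errno;`, so splitting them into `if (add)` and `if (errno != ENOENT)` buys nothing except a place to hang the comment. A single test, `if (add || errno != ENOENT) return -errno;`, with `/* When adding, the stack directory must exist. */` on the line above, states the same rule once. The function continues outside the hunk.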
@@ -0,0 +1,56 @@ +From 5f2582e23f10b46052c7f83b85c1f85184b4cd0f Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Mon, 26 Jul 2021 11:46:12 +0200 +Subject: [PATCH] udev: when setting up lo, do not return an error + +From #20300: +> commit 70f32a260b5ebb68c19ecadf5d69b3844896ba55 +> Author: Yu Watanabe +> Date: Sun May 23 16:59:40 2021 +0900 + +> udev/net: do not manage loopback interfaces + +> There are nothing we can configure in udevd for loopback interfaces; +> no ethertool configs can be applied, MAC address, interface name should + +> introduced a regression for 'udevadm test-builtin net_setup_link /sys/class/net/lo/'. +> Prior to this commit this command would exit with 0 whereas after this commit +> it exists with 1. This causes cloud-init on Archlinux to fail as this command +> is run by it and likely also netplan to have networkd rescan and re-apply a +> bunch of things on NICs. + +I think it's reasonable to keep returning 0 here: we are intentatinally doing +nothing for the device, and that is not an error, but a (noop) success. + +Fixes #20300. 
+ +(cherry picked from commit b4f0261337c91157231452b5a258799391d7ae51) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/5f2582e23f10b46052c7f83b85c1f85184b4cd0f +--- + src/udev/udev-builtin-net_setup_link.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/src/udev/udev-builtin-net_setup_link.c b/src/udev/udev-builtin-net_setup_link.c +index d40251331c..5964e30bf1 100644 +--- a/src/udev/udev-builtin-net_setup_link.c ++++ b/src/udev/udev-builtin-net_setup_link.c +@@ -28,10 +28,12 @@ static int builtin_net_setup_link(sd_device *dev, int argc, char **argv, bool te + + r = link_config_get(ctx, dev, &link); + if (r < 0) { +- if (r == -ENOENT) +- return log_device_debug_errno(dev, r, "No matching link configuration found."); + if (r == -ENODEV) + return log_device_debug_errno(dev, r, "Link vanished while searching for configuration for it."); ++ if (r == -ENOENT) { ++ log_device_debug_errno(dev, r, "No matching link configuration found, ignoring device."); ++ return 0; ++ } + + return log_device_error_errno(dev, r, "Failed to get link config: %m"); + } +-- +2.33.0 + diff --git a/backport-udevadm-cleanup-db-don-t-delete-information-for-kept.patch b/backport-udevadm-cleanup-db-don-t-delete-information-for-kept.patch new file mode 100644 index 0000000000000000000000000000000000000000..2e2d2306a40b5cfce20dbbad2d3004e91a80b867 --- /dev/null +++ b/backport-udevadm-cleanup-db-don-t-delete-information-for-kept.patch 
@@ -0,0 +1,123 @@ +From 7a23db67795b6583028b7d7c0d5d8ef63c67d8c9 Mon Sep 17 00:00:00 2001 +From: Martin Wilck +Date: Thu, 20 Jan 2022 14:31:45 +0100 +Subject: [PATCH] udevadm: cleanup-db: don't delete information for kept db + entries + +devices with the db_persist property won't be deleted during database +cleanup. This applies to dm and md devices in particular. +For such devices, we should also keep the files under /run/udev/links, +/run/udev/tags, and /run/udev/watch, to make sure that after restart, +udevd has the same information about the devices as it did before +the cleanup. + +If we don't do this, a lower-priority device that is discovered in +the coldplug phase may take over symlinks from a device that persisted. +Not removing the watches also enables udevd to resume watching a device +after restart. + +Signed-off-by: Martin Wilck +(cherry picked from commit 7ec624147a41d80f8e492c9fe19a24e2cda58c25) +(cherry picked from commit ef7ceef26adb714ef44b2fbc07a219c05a012b42) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/7a23db67795b6583028b7d7c0d5d8ef63c67d8c9 +--- + src/udev/udevadm-info.c | 64 +++++++++++++++++++++++++++++++++++++++-- + 1 file changed, 61 insertions(+), 3 deletions(-) + +diff --git a/src/udev/udevadm-info.c b/src/udev/udevadm-info.c +index f05363150e..3314d6335e 100644 +--- a/src/udev/udevadm-info.c ++++ b/src/udev/udevadm-info.c +@@ -248,6 +248,64 @@ static void cleanup_dir(DIR *dir, mode_t mask, int depth) { + } + } + ++/* ++ * Assume that dir is a directory with file names matching udev data base ++ * entries for devices in /run/udev/data (such as "b8:16"), and removes ++ * all files except those that haven't been deleted in /run/udev/data ++ * (i.e. they were skipped during db cleanup because of the db_persist flag). ++ * Returns true if the directory is empty after cleanup. 
++ */ ++static bool cleanup_dir_after_db_cleanup(DIR *dir, DIR *datadir) { ++ unsigned int kept = 0; ++ struct dirent *dent; ++ ++ assert(dir && datadir); ++ ++ FOREACH_DIRENT_ALL(dent, dir, break) { ++ struct stat data_stats, link_stats; ++ ++ if (dot_or_dot_dot(dent->d_name)) ++ continue; ++ if (fstatat(dirfd(dir), dent->d_name, &link_stats, AT_SYMLINK_NOFOLLOW) < 0) { ++ if (errno != ENOENT) ++ kept++; ++ continue; ++ } ++ ++ if (fstatat(dirfd(datadir), dent->d_name, &data_stats, 0) < 0) ++ (void) unlinkat(dirfd(dir), dent->d_name, ++ S_ISDIR(link_stats.st_mode) ? AT_REMOVEDIR : 0); ++ else ++ /* The entry still exists under /run/udev/data */ ++ kept++; ++ } ++ ++ return kept == 0; ++} ++ ++static void cleanup_dirs_after_db_cleanup(DIR *dir, DIR *datadir) { ++ struct dirent *dent; ++ ++ assert(dir && datadir); ++ ++ FOREACH_DIRENT_ALL(dent, dir, break) { ++ struct stat stats; ++ ++ if (dot_or_dot_dot(dent->d_name)) ++ continue; ++ if (fstatat(dirfd(dir), dent->d_name, &stats, AT_SYMLINK_NOFOLLOW) < 0) ++ continue; ++ if (S_ISDIR(stats.st_mode)) { ++ _cleanup_closedir_ DIR *dir2 = NULL; ++ ++ dir2 = fdopendir(openat(dirfd(dir), dent->d_name, O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC)); ++ if (dir2 && cleanup_dir_after_db_cleanup(dir2, datadir)) ++ (void) unlinkat(dirfd(dir), dent->d_name, AT_REMOVEDIR); ++ } else ++ (void) unlinkat(dirfd(dir), dent->d_name, 0); ++ } ++} ++ + static void cleanup_db(void) { + _cleanup_closedir_ DIR *dir1 = NULL, *dir2 = NULL, *dir3 = NULL, *dir4 = NULL, *dir5 = NULL; + +@@ -257,11 +315,11 @@ static void cleanup_db(void) { + + dir2 = opendir("/run/udev/links"); + if (dir2) +- cleanup_dir(dir2, 0, 2); ++ cleanup_dirs_after_db_cleanup(dir2, dir1); + + dir3 = opendir("/run/udev/tags"); + if (dir3) +- cleanup_dir(dir3, 0, 2); ++ cleanup_dirs_after_db_cleanup(dir3, dir1); + + dir4 = opendir("/run/udev/static_node-tags"); + if (dir4) +@@ -269,7 +327,7 @@ static void cleanup_db(void) { + + dir5 = opendir("/run/udev/watch"); + if (dir5) +- 
cleanup_dir(dir5, 0, 1); ++ cleanup_dir_after_db_cleanup(dir5, dir1); + } + + static int query_device(QueryType query, sd_device* device) { +-- +2.33.0 + diff --git a/backport-udevadm-cleanup_dir-use-dot_or_dot_dot.patch b/backport-udevadm-cleanup_dir-use-dot_or_dot_dot.patch new file mode 100644 index 0000000000000000000000000000000000000000..fa22397bb849b1d1b2aa45493b12a022572b9dae --- /dev/null +++ b/backport-udevadm-cleanup_dir-use-dot_or_dot_dot.patch @@ -0,0 +1,41 @@ +From 75ff2fb73ed545d0427aea251fae6d55124f0e7c Mon Sep 17 00:00:00 2001 +From: Martin Wilck +Date: Fri, 21 Jan 2022 10:44:26 +0100 +Subject: [PATCH] udevadm: cleanup_dir: use dot_or_dot_dot() + +which is safer than just checking dent[0]. +Also, fix two style issues. + +(cherry picked from commit 28d6e8545151d413f8614db9fa790f9f9edbb045) +(cherry picked from commit 494e3c0def197abd4ec88f7b0c3ba331a708d81e) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/75ff2fb73ed545d0427aea251fae6d55124f0e7c +--- + src/udev/udevadm-info.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/src/udev/udevadm-info.c b/src/udev/udevadm-info.c +index fa7f04f14c..f05363150e 100644 +--- a/src/udev/udevadm-info.c ++++ b/src/udev/udevadm-info.c +@@ -224,12 +224,14 @@ static void cleanup_dir(DIR *dir, mode_t mask, int depth) { + if (depth <= 0) + return; + ++ assert(dir); ++ + FOREACH_DIRENT_ALL(dent, dir, break) { + struct stat stats; + +- if (dent->d_name[0] == '.') ++ if (dot_or_dot_dot(dent->d_name)) + continue; +- if (fstatat(dirfd(dir), dent->d_name, &stats, AT_SYMLINK_NOFOLLOW) != 0) ++ if (fstatat(dirfd(dir), dent->d_name, &stats, AT_SYMLINK_NOFOLLOW) < 0) + continue; + if ((stats.st_mode & mask) != 0) + continue; +-- +2.33.0 + 
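Review bot: The three new calls in `cleanup_db()` pass `dir1` unconditionally, while `cleanup_dir_after_db_cleanup()` and `cleanup_dirs_after_db_cleanup()` both start with `assert(dir && datadir)`. The `opendir()` that fills `dir1` is outside the hunk, but the visible declaration initialises it to NULL, so if /run/udev/data cannot be opened the cleanup would presumably abort on the assertion instead of removing the stale entries. Reducing both asserts to `assert(dir);` and adding a guard at the top of `cleanup_dir_after_db_cleanup()` such as `if (!datadir) { cleanup_dir(dir, 0, 1); return true; }` keeps the old behaviour for that case. Separately, in `cleanup_dirs_after_db_cleanup()` the descriptor returned by `openat()` is leaked when `fdopendir()` fails, and adding `O_NOFOLLOW` to its flags would keep the open consistent with the `AT_SYMLINK_NOFOLLOW` stat that precedes it.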
diff --git a/backport-umask-util-add-helper-that-resets-umask-until-end-of.patch b/backport-umask-util-add-helper-that-resets-umask-until-end-of.patch
new file mode 100644
index 0000000000000000000000000000000000000000..3316a58465c9244fce6fb66dc2abf7ddc4b8910c
--- /dev/null
+++ b/backport-umask-util-add-helper-that-resets-umask-until-end-of.patch
@@ -0,0 +1,117 @@ +From 77cfa37459fbd350c67c08597aaa5cc098fcc1ee Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Fri, 12 Nov 2021 11:06:46 +0100 +Subject: [PATCH] umask-util: add helper that resets umask until end of current + code block + +(cherry picked from commit 52f05ef21d7790f37bc3cd6e54fb9a4bcb16efa5) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/77cfa37459fbd350c67c08597aaa5cc098fcc1ee +--- + src/basic/umask-util.h | 3 +++ + src/nspawn/nspawn.c | 9 +++------ + src/shared/dev-setup.c | 3 +-- + src/test/test-fs-util.c | 3 ++- + 4 files changed, 9 insertions(+), 9 deletions(-) + +diff --git a/src/basic/umask-util.h b/src/basic/umask-util.h +index bd7c2bdb8c..90d18f70ba 100644 +--- a/src/basic/umask-util.h ++++ b/src/basic/umask-util.h +@@ -24,3 +24,6 @@ assert_cc((S_IFMT & 0777) == 0); + for (_cleanup_umask_ mode_t _saved_umask_ = umask(mask) | S_IFMT; \ + FLAGS_SET(_saved_umask_, S_IFMT); \ + _saved_umask_ &= 0777) ++ ++#define BLOCK_WITH_UMASK(mask) \ ++ _unused_ _cleanup_umask_ mode_t _saved_umask_ = umask(mask); +diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c +index 575b9da447..1c468b310f 100644 +--- a/src/nspawn/nspawn.c ++++ b/src/nspawn/nspawn.c +@@ -2201,13 +2201,12 @@ static int copy_devnodes(const char *dest) { + "tty\0" + "net/tun\0"; + +- _cleanup_umask_ mode_t u; + const char *d; + int r = 0; + + assert(dest); + +- u = umask(0000); ++ BLOCK_WITH_UMASK(0000); + + /* Create /dev/net, so that we can create /dev/net/tun in it */ + if (userns_mkdir(dest, "/dev/net", 0755, 0, 0) < 0) +@@ -2284,11 +2283,10 @@ static int copy_devnodes(const char *dest) { + } + + static int make_extra_nodes(const char *dest) { +- _cleanup_umask_ mode_t u; + size_t i; + int r; + +- u = umask(0000); ++ BLOCK_WITH_UMASK(0000); + + for (i = 0; i < arg_n_extra_nodes; i++) { + _cleanup_free_ char *path = NULL; +@@ -2485,12 +2483,11 @@ static int setup_kmsg(int kmsg_socket) { + _cleanup_(unlink_and_freep) char *from = NULL; + _cleanup_free_ 
char *fifo = NULL; + _cleanup_close_ int fd = -1; +- _cleanup_umask_ mode_t u; + int r; + + assert(kmsg_socket >= 0); + +- u = umask(0000); ++ BLOCK_WITH_UMASK(0000); + + /* We create the kmsg FIFO as as temporary file in /run, but immediately delete it after bind mounting it to + * /proc/kmsg. While FIFOs on the reading side behave very similar to /proc/kmsg, their writing side behaves +diff --git a/src/shared/dev-setup.c b/src/shared/dev-setup.c +index b788b06913..0390abbfdc 100644 +--- a/src/shared/dev-setup.c ++++ b/src/shared/dev-setup.c +@@ -81,13 +81,12 @@ int make_inaccessible_nodes( + { "inaccessible/blk", S_IFBLK | 0000 }, + }; + +- _cleanup_umask_ mode_t u; + int r; + + if (!parent_dir) + parent_dir = "/run/systemd"; + +- u = umask(0000); ++ BLOCK_WITH_UMASK(0000); + + /* Set up inaccessible (and empty) file nodes of all types. This are used to as mount sources for over-mounting + * ("masking") file nodes that shall become inaccessible and empty for specific containers or services. We try +diff --git a/src/test/test-fs-util.c b/src/test/test-fs-util.c +index 08bebcf0e8..a24558f25b 100644 +--- a/src/test/test-fs-util.c ++++ b/src/test/test-fs-util.c +@@ -763,7 +763,6 @@ static void test_rename_noreplace(void) { + + static void test_chmod_and_chown(void) { + _cleanup_(rm_rf_physical_and_freep) char *d = NULL; +- _unused_ _cleanup_umask_ mode_t u = umask(0000); + struct stat st; + const char *p; + +@@ -772,6 +771,8 @@ static void test_chmod_and_chown(void) { + + log_info("/* %s */", __func__); + ++ BLOCK_WITH_UMASK(0000); ++ + assert_se(mkdtemp_malloc(NULL, &d) >= 0); + + p = strjoina(d, "/reg"); +-- +2.33.0 + diff --git a/backport-unit-coldplug-both-job-and-nop_job-if-possible.patch b/backport-unit-coldplug-both-job-and-nop_job-if-possible.patch index 054c28619c375d533cf2ef33b0c0eb3626de33e6..18580507a15f8cca39c0d85b5f99c9b60bd6d55d 100644 --- a/backport-unit-coldplug-both-job-and-nop_job-if-possible.patch 
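Review bot: `BLOCK_WITH_UMASK` is added to umask-util.h without a comment, although it differs from the `RUN_WITH_UMASK` loop macro just above it in ways a caller needs to know: the umask stays at `mask` until the enclosing scope ends, and because the variable is always named `_saved_umask_` the macro can be used only once per scope. A comment such as `/* Resets the umask to 'mask' until the end of the enclosing block; use at most once per scope. */` would cover that. The definition also ends in `;`, so every `BLOCK_WITH_UMASK(0000);` call site in nspawn.c, dev-setup.c and test-fs-util.c expands to a declaration followed by an empty statement; dropping the semicolon from the macro avoids that.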
+++ b/backport-unit-coldplug-both-job-and-nop_job-if-possible.patch @@ -1,4 +1,4 @@ -From 7dbd330c7ef28852db0fb044503ed6f072477d50 Mon Sep 17 00:00:00 2001 +From 213ae9db6274227636fdca6731511499ed933e61 Mon Sep 17 00:00:00 2001 From: Geass-LL Date: Fri, 2 Apr 2021 11:27:59 +0800 Subject: [PATCH] unit: coldplug both job and nop_job if possible @@ -6,15 +6,20 @@ Subject: [PATCH] unit: coldplug both job and nop_job if possible Sometimes, both job and nop_job are deserialized. In this case, if we only cold plug the job, the nop_job will also stuck in the job list. + +(cherry picked from commit 7dbd330c7ef28852db0fb044503ed6f072477d50) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/213ae9db6274227636fdca6731511499ed933e61 --- src/core/unit.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/src/core/unit.c b/src/core/unit.c -index 7c39e4d0f8..2f7f022ef3 100644 +index e469beb534..38d3eb703f 100644 --- a/src/core/unit.c +++ b/src/core/unit.c -@@ -3588,7 +3588,6 @@ int unit_add_blockdev_dependency(Unit *u, const char *what, UnitDependencyMask m +@@ -3581,7 +3581,6 @@ int unit_add_blockdev_dependency(Unit *u, const char *what, UnitDependencyMask m int unit_coldplug(Unit *u) { int r = 0, q; char **i; @@ -22,7 +27,7 @@ index 7c39e4d0f8..2f7f022ef3 100644 assert(u); -@@ -3611,9 +3610,13 @@ int unit_coldplug(Unit *u) { +@@ -3604,9 +3603,13 @@ int unit_coldplug(Unit *u) { r = q; } @@ -40,5 +45,5 @@ index 7c39e4d0f8..2f7f022ef3 100644 r = q; } -- -2.27.0 +2.33.0 diff --git a/backport-unit-escape.patch b/backport-unit-escape.patch index 971a033ba68f1070b01b6612a251b996ee411ab6..2394762fd3b89c13a12e463113eee4d2345097a5 100644 --- a/backport-unit-escape.patch +++ b/backport-unit-escape.patch @@ -12,15 +12,12 @@ diff --git a/units/tmp.mount b/units/tmp.mount index 4e1bb8de24..734acea237 100644 --- a/units/tmp.mount 
+++ b/units/tmp.mount -@@ -22,7 +22,7 @@ After=swap.target +@@ -22,4 +22,4 @@ After=swap.target What=tmpfs Where=/tmp Type=tmpfs -Options=mode=1777,strictatime,nosuid,nodev,size=50%,nr_inodes=1m +Options=mode=1777,strictatime,nosuid,nodev,size=50%%,nr_inodes=1m - - # Make 'systemctl enable tmp.mount' work: - [Install] -- 2.27.0 diff --git a/backport-unit_is_bound_by_inactive-fix-return-pointer-check.patch b/backport-unit_is_bound_by_inactive-fix-return-pointer-check.patch new file mode 100644 index 0000000000000000000000000000000000000000..0829a03e1ae333957ebf6fe2ad614fe6b413469c --- /dev/null +++ b/backport-unit_is_bound_by_inactive-fix-return-pointer-check.patch @@ -0,0 +1,37 @@ +From 02d51801672376505f07fae5938e195845f2c7a9 Mon Sep 17 00:00:00 2001 +From: Dominique Martinet +Date: Wed, 24 Nov 2021 22:27:22 +0900 +Subject: [PATCH] unit_is_bound_by_inactive: fix return pointer check + +*ret_culprit should be set if ret_culprit has been passed a non-null value, +checking the previous *ret_culprit value does not make sense. + +This would cause the culprit to not properly be assigned, leading to +pid1 crash when a unit could not be stopped. + +Fixes: #21476 + +(cherry picked from commit 3da361064bf550d1818c7cd800a514326058e5f2) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/02d51801672376505f07fae5938e195845f2c7a9 +--- + src/core/unit.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/core/unit.c b/src/core/unit.c +index 38d3eb703f..c792bd8e82 100644 +--- a/src/core/unit.c ++++ b/src/core/unit.c +@@ -2118,7 +2118,7 @@ bool unit_is_bound_by_inactive(Unit *u, Unit **ret_culprit) { + continue; + + if (UNIT_IS_INACTIVE_OR_FAILED(unit_active_state(other))) { +- if (*ret_culprit) ++ if (ret_culprit) + *ret_culprit = other; + + return true; +-- +2.33.0 + 
diff --git a/backport-user-record-disable-two-pbkdf-fields-that-don-t-appl.patch b/backport-user-record-disable-two-pbkdf-fields-that-don-t-appl.patch
new file mode 100644
index 0000000000000000000000000000000000000000..cd65874c364cbf0d6e3b41c9ba07fc8f560d043e
--- /dev/null
+++ b/backport-user-record-disable-two-pbkdf-fields-that-don-t-appl.patch
@@ -0,0 +1,46 @@ +From 5ee578fd13809e08fbda1a9bca2256ffd24e9857 Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Tue, 5 Oct 2021 18:24:05 +0200 +Subject: [PATCH] user-record: disable two pbkdf fields that don't apply for + pkbdf2 + +Fixes: #20830 +(cherry picked from commit 8b4f88d13681c6dec839de06c668d32374d44724) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/5ee578fd13809e08fbda1a9bca2256ffd24e9857 +--- + src/shared/user-record.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/src/shared/user-record.c b/src/shared/user-record.c +index 17460ceaf6..5fb3d4bbf2 100644 +--- a/src/shared/user-record.c ++++ b/src/shared/user-record.c +@@ -1913,9 +1913,9 @@ uint64_t user_record_luks_pbkdf_memory_cost(UserRecord *h) { + assert(h); + + /* Returns a value with kb granularity, since that's what libcryptsetup expects */ +- + if (h->luks_pbkdf_memory_cost == UINT64_MAX) +- return 64*1024*1024; /* We default to 64M, since this should work on smaller systems too */ ++ return streq(user_record_luks_pbkdf_type(h), "pbkdf2") ? 0 : /* doesn't apply for simple pbkdf2 */ ++ 64*1024*1024; /* We default to 64M, since this should work on smaller systems too */ + + return MIN(DIV_ROUND_UP(h->luks_pbkdf_memory_cost, 1024), UINT32_MAX) * 1024; + } +@@ -1923,8 +1923,9 @@ uint64_t user_record_luks_pbkdf_memory_cost(UserRecord *h) { + uint64_t user_record_luks_pbkdf_parallel_threads(UserRecord *h) { + assert(h); + +- if (h->luks_pbkdf_memory_cost == UINT64_MAX) +- return 1; /* We default to 1, since this should work on smaller systems too */ ++ if (h->luks_pbkdf_parallel_threads == UINT64_MAX) ++ return streq(user_record_luks_pbkdf_type(h), "pbkdf2") ? 0 : /* doesn't apply for simple pbkdf2 */ ++ 1; /* We default to 1, since this should work on smaller systems too */ + + return MIN(h->luks_pbkdf_parallel_threads, UINT32_MAX); + } +-- +2.33.0 + 
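Review bot: In `user_record_luks_pbkdf_memory_cost()` and `user_record_luks_pbkdf_parallel_threads()` the new `pbkdf2` special case applies only while the field is unset (`UINT64_MAX`); a record that sets `luks_pbkdf_memory_cost` or `luks_pbkdf_parallel_threads` explicitly together with `pbkdf2` still gets the configured non-zero value back. If the consumer does not accept these parameters for pbkdf2, which the comment `doesn't apply for simple pbkdf2` suggests, the type check would have to come first, e.g. `if (streq(user_record_luks_pbkdf_type(h), "pbkdf2")) return 0;` ahead of the `UINT64_MAX` test. The `streq()` call also assumes `user_record_luks_pbkdf_type()` never returns NULL, which cannot be confirmed from this hunk.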
diff --git a/backport-user-record-fix-display-of-access-mode.patch b/backport-user-record-fix-display-of-access-mode.patch new file mode 100644 index 0000000000000000000000000000000000000000..bc28126e11cb7d487e18518c91b9d6f9bcb0542f --- /dev/null +++ b/backport-user-record-fix-display-of-access-mode.patch @@ -0,0 +1,29 @@ +From 9e318d9ff288b2b12b21a534d0cab3b4e153b462 Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Fri, 5 Nov 2021 16:36:32 +0100 +Subject: [PATCH] user-record: fix display of access mode + +(cherry picked from commit 7cdd5c0d4c2213b791d8d22e7dd466a39e9c5db0) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/9e318d9ff288b2b12b21a534d0cab3b4e153b462 +--- + src/shared/user-record-show.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/shared/user-record-show.c b/src/shared/user-record-show.c +index 29790282b4..54ff949ff5 100644 +--- a/src/shared/user-record-show.c ++++ b/src/shared/user-record-show.c +@@ -280,7 +280,7 @@ void user_record_show(UserRecord *hr, bool show_full_group_info) { + printf(" IO Weight: %" PRIu64 "\n", hr->io_weight); + + if (hr->access_mode != MODE_INVALID) +- printf(" Access Mode: 0%03oo\n", user_record_access_mode(hr)); ++ printf(" Access Mode: 0%03o\n", user_record_access_mode(hr)); + + if (storage == USER_LUKS) { + printf("LUKS Discard: online=%s offline=%s\n", yes_no(user_record_luks_discard(hr)), yes_no(user_record_luks_offline_discard(hr))); +-- +2.33.0 + diff --git a/backport-userdb-fix-type-to-pass-to-connect.patch b/backport-userdb-fix-type-to-pass-to-connect.patch new file mode 100644 index 0000000000000000000000000000000000000000..6c89beb3309ec0be4f235b3447268ca1b5734ef9 --- /dev/null +++ b/backport-userdb-fix-type-to-pass-to-connect.patch 
@@ -0,0 +1,31 @@ +From 667eab61d4c5520d7875de5df489ec68a4c9f123 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Sat, 16 Oct 2021 05:04:26 +0900 +Subject: [PATCH] userdb: fix type to pass to connect() + +Fixes https://github.com/systemd/systemd/pull/20613#issuecomment-944621275. + +(cherry picked from commit c14e57356f1e82c35bf3a3e8aaeac134b545801b) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/667eab61d4c5520d7875de5df489ec68a4c9f123 +--- + src/userdb/userdbctl.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/userdb/userdbctl.c b/src/userdb/userdbctl.c +index 8db0c34fb5..9ec0ad6c5e 100644 +--- a/src/userdb/userdbctl.c ++++ b/src/userdb/userdbctl.c +@@ -512,7 +512,7 @@ static int display_services(int argc, char *argv[], void *userdata) { + if (fd < 0) + return log_error_errno(r, "Failed to allocate AF_UNIX/SOCK_STREAM socket: %m"); + +- if (connect(fd, &sockaddr.un, sockaddr_len) < 0) { ++ if (connect(fd, &sockaddr.sa, sockaddr_len) < 0) { + no = strjoin("No (", errno_to_name(errno), ")"); + if (!no) + return log_oom(); +-- +2.33.0 + diff --git a/backport-util-another-set-of-CVE-2021-4034-assert-s.patch b/backport-util-another-set-of-CVE-2021-4034-assert-s.patch new file mode 100644 index 0000000000000000000000000000000000000000..ca8b54d1c1e6384dad07d28cdbfcdc09094cafc4 --- /dev/null +++ b/backport-util-another-set-of-CVE-2021-4034-assert-s.patch 
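Review bot: The context line `return log_error_errno(r, "Failed to allocate AF_UNIX/SOCK_STREAM socket: %m");` in `display_services()` reports `r` rather than the error of the call that produced `fd`. The assignment to `fd` is outside the hunk, but if it is a plain `socket()` call, as the message suggests, `r` still holds the result of an earlier step, so the logged and returned value may be wrong or even non-negative, which a caller would read as success. `return log_error_errno(errno, "Failed to allocate AF_UNIX/SOCK_STREAM socket: %m");` is what this branch needs; the `connect()` failure path just below already uses `errno`.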
@@ -0,0 +1,37 @@ +From 356b1ee1febeecf636eec6b7e08036603bf760d5 Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Tue, 1 Feb 2022 12:06:21 +0100 +Subject: [PATCH] util: another set of CVE-2021-4034 assert()s + +It's a good idea that we validate argc/argv when we are supposed to +store them away. + +(cherry picked from commit 007e03b284e8ffc0b92edb2122cd9d2d16f049ef) +(cherry picked from commit dcba78244e5dc3a4b57fb978a2d21640164c89a2) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/356b1ee1febeecf636eec6b7e08036603bf760d5 +--- + src/basic/util.h | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/src/basic/util.h b/src/basic/util.h +index b6c51c036e..22fcef719f 100644 +--- a/src/basic/util.h ++++ b/src/basic/util.h +@@ -9,6 +9,12 @@ extern int saved_argc; + extern char **saved_argv; + + static inline void save_argc_argv(int argc, char **argv) { ++ ++ /* Protect against CVE-2021-4034 style attacks */ ++ assert_se(argc > 0); ++ assert_se(argv); ++ assert_se(argv[0]); ++ + saved_argc = argc; + saved_argv = argv; + } +-- +2.33.0 + diff --git a/backport-utmp-remove-dev-from-line.patch b/backport-utmp-remove-dev-from-line.patch new file mode 100644 index 0000000000000000000000000000000000000000..5b6f2efe12378582e7352bd2143d1d462753b627 --- /dev/null +++ b/backport-utmp-remove-dev-from-line.patch 
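Review bot: The comment `/* Protect against CVE-2021-4034 style attacks */` in `save_argc_argv()` names the CVE but not the invariant being enforced, so a reader has to look the CVE up to understand why three separate checks are there. Something like `/* A caller of execve() may pass an empty argv (argc == 0); abort instead of storing values that later code would index as argv[0]. */` states it directly. The comment could also say that `assert_se()` is chosen deliberately so the checks stay active in builds where plain `assert()` is compiled out.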
@@ -0,0 +1,44 @@ +From 09534e85b5c51c664077637e7e8c7c68dec52972 Mon Sep 17 00:00:00 2001 +From: Vincent Bernat +Date: Mon, 18 Oct 2021 20:58:43 +0200 +Subject: [PATCH] utmp: remove /dev from line + +utmp(5) says `ut_line` is the device name minus the leading "/dev/". Therefore, +remove it. Without that, when using UtmpMode=user, we get `/dev/tty` in the +output of `last`/`w`. + +(cherry picked from commit 33331d116db2eaf1189ea56ee4b36540179ac3dd) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/09534e85b5c51c664077637e7e8c7c68dec52972 +--- + src/core/execute.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/src/core/execute.c b/src/core/execute.c +index 2a337b55a2..6ff757ff04 100644 +--- a/src/core/execute.c ++++ b/src/core/execute.c +@@ -4059,13 +4059,17 @@ static int exec_child( + } + } + +- if (context->utmp_id) ++ if (context->utmp_id) { ++ const char *line = context->tty_path ? ++ (path_startswith(context->tty_path, "/dev/") ?: context->tty_path) : ++ NULL; + utmp_put_init_process(context->utmp_id, getpid_cached(), getsid(0), +- context->tty_path, ++ line, + context->utmp_mode == EXEC_UTMP_INIT ? INIT_PROCESS : + context->utmp_mode == EXEC_UTMP_LOGIN ? LOGIN_PROCESS : + USER_PROCESS, + username); ++ } + + if (uid_is_valid(uid)) { + r = chown_terminal(STDIN_FILENO, uid); +-- +2.33.0 + diff --git a/backport-varlink-disconnect-varlink-link-in-one-more-case.patch b/backport-varlink-disconnect-varlink-link-in-one-more-case.patch new file mode 100644 index 0000000000000000000000000000000000000000..915d3dbdb09fdbb6ddf7704fb3bdeece233f960e --- /dev/null +++ b/backport-varlink-disconnect-varlink-link-in-one-more-case.patch 
@@ -0,0 +1,41 @@ +From 968f2f3f5a76b05142e1de447bb79f4f97868721 Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Thu, 21 Oct 2021 17:29:48 +0200 +Subject: [PATCH] varlink: disconnect varlink link in one more case + +Previously we'd possibly see POLLHUP on a varlink link, and continue to +run epoll on it even though we have nothing to read nor write anymore. + +Let's fix that, and once we know that there's nothing to write anymore +(or we saw a write error already) we'll disconnect after POLLHUP. + +Fixes: #20062 +(cherry picked from commit 7c26a631ad8bf91016db156b7d299ca68fd7866e) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/968f2f3f5a76b05142e1de447bb79f4f97868721 +--- + src/shared/varlink.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/src/shared/varlink.c b/src/shared/varlink.c +index 8da568e208..a57475b5ba 100644 +--- a/src/shared/varlink.c ++++ b/src/shared/varlink.c +@@ -417,9 +417,10 @@ static int varlink_test_disconnect(Varlink *v) { + if (IN_SET(v->state, VARLINK_IDLE_CLIENT) && (v->write_disconnected || v->got_pollhup)) + goto disconnect; + +- /* The server is still expecting to write more, but its write end is disconnected and it got a POLLHUP +- * (i.e. from a disconnected client), so disconnect. */ +- if (IN_SET(v->state, VARLINK_PENDING_METHOD, VARLINK_PENDING_METHOD_MORE) && v->write_disconnected && v->got_pollhup) ++ /* We are on the server side and still want to send out more replies, but we saw POLLHUP already, and ++ * either got no buffered bytes to write anymore or already saw a write error. In that case we should ++ * shut down the varlink link. */ ++ if (IN_SET(v->state, VARLINK_PENDING_METHOD, VARLINK_PENDING_METHOD_MORE) && (v->write_disconnected || v->output_buffer_size == 0) && v->got_pollhup) + goto disconnect; + + return 0; +-- +2.33.0 + 
diff --git a/backport-veritysetup-print-help-for-help-h-help.patch b/backport-veritysetup-print-help-for-help-h-help.patch new file mode 100644 index 0000000000000000000000000000000000000000..a3725c9d2a81f0ec4f15f6a8e66e8c4e5e0b46e5 --- /dev/null +++ b/backport-veritysetup-print-help-for-help-h-help.patch @@ -0,0 +1,35 @@ +From 5e5923f272682476c053e5afd705e0f6b4595cbf Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Sat, 31 Jul 2021 09:00:11 +0200 +Subject: [PATCH] veritysetup: print help for --help/-h/help + +In general our commands print help on --help, but here this would trigger +the error that two arguments are needed. Let's make this more user-friendly. + +(cherry picked from commit 5d5e43cc33637a12f743f17294cfbd3ede08a1b3) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/5e5923f272682476c053e5afd705e0f6b4595cbf +--- + src/veritysetup/veritysetup.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/src/veritysetup/veritysetup.c b/src/veritysetup/veritysetup.c +index 34208dcd87..14d7462ddb 100644 +--- a/src/veritysetup/veritysetup.c ++++ b/src/veritysetup/veritysetup.c +@@ -130,7 +130,10 @@ static int run(int argc, char *argv[]) { + _cleanup_(crypt_freep) struct crypt_device *cd = NULL; + int r; + +- if (argc <= 1) ++ if (argc <= 1 || ++ strv_contains(strv_skip(argv, 1), "--help") || ++ strv_contains(strv_skip(argv, 1), "-h") || ++ streq(argv[1], "help")) + return help(); + + if (argc < 3) +-- +2.33.0 + diff --git a/backport-virt-Fix-the-detection-for-Hyper-V-VMs.patch b/backport-virt-Fix-the-detection-for-Hyper-V-VMs.patch new file mode 100644 index 0000000000000000000000000000000000000000..fc435fc520b93ca34cf34d36f8b233130b29fb3c --- /dev/null +++ b/backport-virt-Fix-the-detection-for-Hyper-V-VMs.patch 
@@ -0,0 +1,45 @@ +From ba22ee4985c6ca690b84fdca36cf012b200a3c4e Mon Sep 17 00:00:00 2001 +From: Boqun Feng +Date: Tue, 23 Nov 2021 15:09:26 +0800 +Subject: [PATCH] virt: Fix the detection for Hyper-V VMs + +Use product_version instead of product_name in DMI table and the string +"Hyper-V" to avoid misdetection. + +Fixes: #21468 + +Signed-off-by: Boqun Feng +(cherry picked from commit 76eec0649936d9ae2f9087769f463feaf0cf5cb4) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/ba22ee4985c6ca690b84fdca36cf012b200a3c4e +--- + src/basic/virt.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/src/basic/virt.c b/src/basic/virt.c +index cc123a286f..bbc583ae52 100644 +--- a/src/basic/virt.c ++++ b/src/basic/virt.c +@@ -146,7 +146,8 @@ static int detect_vm_dmi_vendor(void) { + "/sys/class/dmi/id/product_name", /* Test this before sys_vendor to detect KVM over QEMU */ + "/sys/class/dmi/id/sys_vendor", + "/sys/class/dmi/id/board_vendor", +- "/sys/class/dmi/id/bios_vendor" ++ "/sys/class/dmi/id/bios_vendor", ++ "/sys/class/dmi/id/product_version" /* For Hyper-V VMs test */ + }; + + static const struct { +@@ -165,7 +166,7 @@ static int detect_vm_dmi_vendor(void) { + { "Parallels", VIRTUALIZATION_PARALLELS }, + /* https://wiki.freebsd.org/bhyve */ + { "BHYVE", VIRTUALIZATION_BHYVE }, +- { "Microsoft", VIRTUALIZATION_MICROSOFT }, ++ { "Hyper-V", VIRTUALIZATION_MICROSOFT }, + }; + int r; + +-- +2.33.0 + diff --git a/backport-virt-Improve-detection-of-EC2-metal-instances.patch b/backport-virt-Improve-detection-of-EC2-metal-instances.patch new file mode 100644 index 0000000000000000000000000000000000000000..309cca9587b4f20cfdf66c2366647cf15b737b1f --- /dev/null +++ b/backport-virt-Improve-detection-of-EC2-metal-instances.patch 
@@ -0,0 +1,81 @@ +From 785e760653cf5249207caa80857956f0096525df Mon Sep 17 00:00:00 2001 +From: Benjamin Herrenschmidt +Date: Fri, 3 Sep 2021 11:36:46 +1000 +Subject: [PATCH] virt: Improve detection of EC2 metal instances + +The current detection code relies on /sys/firmware/dmi/entries/0-0/raw +to disambiguate Amazon EC2 virtualized from metal instances. + +Unfortunately this file is root only. Thus on a c6g.metal instance +(aarch64), we observe something like this: + +$ systemd-detect-virt +amazon +$ sudo systemd-detect-virt +none + +Only the latter is correct. + +The right long term fix is to extend the kernel to expose the SMBIOS BIOS +Characteristics properly via /sys/class/dmi, but until this happens (and +for backwards compatibility when it does), we need a plan B. + +This change implements such a workaround by falling back to using the +instance type from DMI and looking at the ".metal" string present on +metal instances. + +Signed-off-by: Benjamin Herrenschmidt +(cherry picked from commit f90eea7d18d9ebe88e6a66cd7a86b618def8945d) + +Conflict:NA +Reference:https://github.com/systemd/systemd/commit/785e760653cf5249207caa80857956f0096525df +--- + src/basic/virt.c | 32 ++++++++++++++++++++++++++++++-- + 1 file changed, 30 insertions(+), 2 deletions(-) + +diff --git a/src/basic/virt.c b/src/basic/virt.c +index 7e88f09b48..7ed01ba3c9 100644 +--- a/src/basic/virt.c ++++ b/src/basic/virt.c +@@ -235,8 +235,36 @@ static int detect_vm_dmi(void) { + + /* The DMI vendor tables in /sys/class/dmi/id don't help us distinguish between Amazon EC2 + * virtual machines and bare-metal instances, so we need to look at SMBIOS. 
*/ +- if (r == VIRTUALIZATION_AMAZON && detect_vm_smbios() == SMBIOS_VM_BIT_UNSET) +- return VIRTUALIZATION_NONE; ++ if (r == VIRTUALIZATION_AMAZON) { ++ switch (detect_vm_smbios()) { ++ case SMBIOS_VM_BIT_SET: ++ return VIRTUALIZATION_AMAZON; ++ case SMBIOS_VM_BIT_UNSET: ++ return VIRTUALIZATION_NONE; ++ case SMBIOS_VM_BIT_UNKNOWN: { ++ /* The DMI information we are after is only accessible to the root user, ++ * so we fallback to using the product name which is less restricted ++ * to distinguish metal systems from virtualized instances */ ++ _cleanup_free_ char *s = NULL; ++ ++ r = read_full_virtual_file("/sys/class/dmi/id/product_name", &s, NULL); ++ /* In EC2, virtualized is much more common than metal, so if for some reason ++ * we fail to read the DMI data, assume we are virtualized. */ ++ if (r < 0) { ++ log_debug_errno(r, "Can't read /sys/class/dmi/id/product_name," ++ " assuming virtualized: %m"); ++ return VIRTUALIZATION_AMAZON; ++ } ++ if (endswith(truncate_nl(s), ".metal")) { ++ log_debug("DMI product name ends with '.metal', assuming no virtualization"); ++ return VIRTUALIZATION_NONE; ++ } else ++ return VIRTUALIZATION_AMAZON; ++ } ++ default: ++ assert_not_reached("Bad virtualization value"); ++ } ++ } + + /* If we haven't identified a VM, but the firmware indicates that there is one, indicate as much. We + * have no further information about what it is. */ +-- +2.33.0 + diff --git a/backport-virt-Support-detection-for-ARM64-Hyper-V-guests.patch b/backport-virt-Support-detection-for-ARM64-Hyper-V-guests.patch new file mode 100644 index 0000000000000000000000000000000000000000..48ece313324f0a291c2b577d096092e7e0e1c7cf --- /dev/null +++ b/backport-virt-Support-detection-for-ARM64-Hyper-V-guests.patch 
@@ -0,0 +1,35 @@
+From 258968ba75bc27d4ea61967b9a27c1f139e89799 Mon Sep 17 00:00:00 2001
+From: Boqun Feng
+Date: Wed, 13 Oct 2021 11:32:09 +0800
+Subject: [PATCH] virt: Support detection for ARM64 Hyper-V guests
+
+The detection of Microsoft Hyper-V VMs is done by cpuid currently,
+however there is no cpuid on ARM64. And since ARM64 is now a supported
+architecture for Microsoft Hyper-V guests[1], then use DMI tables to
+detect a Hyper-V guest, which is more generic and works for ARM64.
+
+[1]: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=7aff79e297ee1aa0126924921fd87a4ae59d2467
+
+(cherry picked from commit 506bbc8569014253ea8614b680ccbc4fc2513a87)
+
+Conflict:NA
+Reference:https://github.com/systemd/systemd/commit/258968ba75bc27d4ea61967b9a27c1f139e89799
+---
+ src/basic/virt.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/basic/virt.c b/src/basic/virt.c
+index 7ed01ba3c9..0243b2d2a8 100644
+--- a/src/basic/virt.c
++++ b/src/basic/virt.c
+@@ -165,6 +165,7 @@ static int detect_vm_dmi_vendor(void) {
+ { "Parallels", VIRTUALIZATION_PARALLELS },
+ /* https://wiki.freebsd.org/bhyve */
+ { "BHYVE", VIRTUALIZATION_BHYVE },
++ { "Microsoft", VIRTUALIZATION_MICROSOFT },
+ };
+ int r;
+
+--
+2.33.0
+
diff --git a/backport-virt-detect-OpenStack-Nova-instance.patch b/backport-virt-detect-OpenStack-Nova-instance.patch
new file mode 100644
index 0000000000000000000000000000000000000000..47f4df4722f9cae24574392657ab1578d0327c71
--- /dev/null
+++ b/backport-virt-detect-OpenStack-Nova-instance.patch
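Review bot: The new `{ "Microsoft", VIRTUALIZATION_MICROSOFT }` row in dmi_vendor_table is a very broad key. If the table is matched as a prefix against the DMI vendor strings (the matching loop is outside the hunk, so this needs confirming), physical machines whose firmware reports a vendor beginning with "Microsoft" would be classified as Hyper-V guests, and anything that branches on the detected virtualization would take the guest path on real hardware. Either key the row on a value that only the hypervisor's virtual firmware reports, or add a comment recording which DMI field and value were verified, e.g. `/* ARM64 Hyper-V has no cpuid; matched via DMI, value confirmed on <systems tested> */`. detect_vm_dmi_vendor() begins and ends outside the hunk.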
@@ -0,0 +1,95 @@
+From 01d9fbccddd694bc584aed24eaa0543f831dc929 Mon Sep 17 00:00:00 2001
+From: wangyuhang
+Date: Tue, 19 Apr 2022 21:05:25 +0800
+Subject: [PATCH] virt: detect OpenStack Nova instance
+
+Conflict:add testcase for virt detect OpenStack Nova instance
+Reference:https://github.com/systemd/systemd/commit/01d9fbccddd694bc584aed24eaa0543f831dc929
+---
+ src/basic/virt.c | 1 +
+ src/test/meson.build | 14 ++
+ src/test/test-virt.c | 39 ++++++++++++++++++++++++++++++
+ 3 file changed, 54 insertion(+)
+
+diff --git a/src/basic/virt.c b/src/basic/virt.c
+index 7e88f09..d8740cf 100644
+--- a/src/basic/virt.c
++++ b/src/basic/virt.c
+@@ -154,6 +154,7 @@ static int detect_vm_dmi_vendor(void) {
+ int id;
+ } dmi_vendor_table[] = {
+ { "KVM", VIRTUALIZATION_KVM },
++ { "OpenStack", VIRTUALIZATION_KVM }, /* Detect OpenStack instance as KVM in non x86 architecture */
+ { "Amazon EC2", VIRTUALIZATION_AMAZON },
+ { "QEMU", VIRTUALIZATION_QEMU },
+ { "VMware", VIRTUALIZATION_VMWARE }, /* https://kb.vmware.com/s/article/1009458 */
+
+diff --git a/src/test/meson.build b/src/test/meson.build
+index e106059..ea64a12 100644
+--- a/src/test/meson.build
++++ b/src/test/meson.build
+@@ -602,6 +602,14 @@ tests += [
+
+ [['src/test/test-nscd-flush.c'],
+ [], [], [], 'ENABLE_NSCD', 'manual'],
++
++ [['src/test/test-virt.c',
++ 'src/basic/virt.c',
++ 'src/basic/virt.h'],
++ [libcore,
++ libshared],
++ [],
++ core_includes],
+ ]
+
+ ############################################################
+
+diff --git a/src/test/test-virt.c b/src/test/test-virt.c
+new file mode 100644
+index 0000000..17cc22e
+--- /dev/null
++++ b/src/test/test-virt.c
+@@ -0,0 +1,39 @@
++/* SPDX-License-Identifier: LGPL-2.1-or-later */
++
++#include
++#include
++#include
++
++#include "string-util.h"
++#include "fileio.h"
++#include "virt.h"
++#include "log.h"
++#include "tests.h"
++
++static void detect_virt(const char *vendor) {
++ assert_se(write_string_file("/sys/class/dmi/id/product_name", vendor,
++ WRITE_STRING_FILE_CREATE|WRITE_STRING_FILE_MKDIR_0755) == 0);
++
++ assert_se(detect_virtualization() == VIRTUALIZATION_KVM);
++}
++
++int main(int argc, char *argv[]) {
++ char template[] = "/tmp/test-virt.XXXXXX";
++ assert_se(mkdtemp(template));
++
++ if (geteuid() > 0 && unshare(CLONE_NEWUSER) != 0) {
++ (void) log_tests_skipped("Don't have namespace support");
++ return EXIT_TEST_SKIP;
++ }
++
++ if (chroot(template) != 0) {
++ (void) log_tests_skipped("Don't have chroot support");
++ return EXIT_TEST_SKIP;
++ }
++
++#if defined(__arm__) || defined(__aarch64__)
++ detect_virt("OpenStack Nova");
++#endif
++
++ return 0;
++}
+\ No newline at end of file
+--
+2.27.0
+
diff --git a/backport-wait-online-rename-Manager-elements.patch b/backport-wait-online-rename-Manager-elements.patch
new file mode 100644
index 0000000000000000000000000000000000000000..5011a9755bf611838e939779b0a88a42e5f7caea
--- /dev/null
+++ b/backport-wait-online-rename-Manager-elements.patch
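Review bot: In main() of the new src/test/test-virt.c, `chroot(template)` is not followed by `chdir("/")`, so the working directory stays outside the new root; the test is only safe because detect_virt() writes through an absolute path. Adding `assert_se(chdir("/") == 0);` right after the chroot check keeps any later relative lookup inside the scratch tree. The mkdtemp() directory is also created before the two skip checks and never removed, so every run, skipped or not, leaves a /tmp/test-virt.* directory behind. Separately, detect_virt() names its parameter `vendor` but writes it to product_name, which deserves a rename or a comment.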
@@ -0,0 +1,175 @@
+From 5d4fc5cb2a0d18f8a67468209227a59ec3f30b5f Mon Sep 17 00:00:00 2001
+From: Yu Watanabe
+Date: Wed, 26 Jan 2022 20:54:39 +0900
+Subject: [PATCH] wait-online: rename Manager elements
+
+(cherry picked from commit 5f200833ed0754adaba548b0b617f6c192615acd)
+(cherry picked from commit 397ede8dcd29f35350c015f1d945e50c88476a93)
+
+Conflict:NA
+Reference:https://github.com/systemd/systemd/commit/5d4fc5cb2a0d18f8a67468209227a59ec3f30b5f
+---
+ src/network/wait-online/link.c | 4 ++--
+ src/network/wait-online/manager.c | 33 ++++++++++++++++++-------------
+ src/network/wait-online/manager.h | 8 ++++----
+ 3 files changed, 25 insertions(+), 20 deletions(-)
+
+diff --git a/src/network/wait-online/link.c b/src/network/wait-online/link.c
+index 5a33d563c2..0f5f68e765 100644
+--- a/src/network/wait-online/link.c
++++ b/src/network/wait-online/link.c
+@@ -32,7 +32,7 @@ int link_new(Manager *m, Link **ret, int ifindex, const char *ifname) {
+ .required_operstate = LINK_OPERSTATE_RANGE_DEFAULT,
+ };
+
+- r = hashmap_ensure_put(&m->links, NULL, INT_TO_PTR(ifindex), l);
++ r = hashmap_ensure_put(&m->links_by_index, NULL, INT_TO_PTR(ifindex), l);
+ if (r < 0)
+ return r;
+
+@@ -53,7 +53,7 @@ Link *link_free(Link *l) {
+ return NULL;
+
+ if (l->manager) {
+- hashmap_remove(l->manager->links, INT_TO_PTR(l->ifindex));
++ hashmap_remove(l->manager->links_by_index, INT_TO_PTR(l->ifindex));
+ hashmap_remove(l->manager->links_by_name, l->ifname);
+ }
+
+diff --git a/src/network/wait-online/manager.c b/src/network/wait-online/manager.c
+index e1df0345c0..d8cf2338b0 100644
+--- a/src/network/wait-online/manager.c
++++ b/src/network/wait-online/manager.c
+@@ -21,14 +21,15 @@ static bool manager_ignore_link(Manager *m, Link *link) {
+ return true;
+
+ /* if interfaces are given on the command line, ignore all others */
+- if (m->interfaces && !hashmap_contains(m->interfaces, link->ifname))
++ if (m->command_line_interfaces_by_name &&
++ !hashmap_contains(m->command_line_interfaces_by_name, link->ifname))
+ return true;
+
+ if (!link->required_for_online)
+ return true;
+
+ /* ignore interfaces we explicitly are asked to ignore */
+- return strv_fnmatch(m->ignore, link->ifname);
++ return strv_fnmatch(m->ignored_interfaces, link->ifname);
+ }
+
+ static int manager_link_is_online(Manager *m, Link *l, LinkOperationalStateRange s) {
+@@ -101,14 +102,14 @@ static int manager_link_is_online(Manager *m, Link *l, LinkOperationalStateRange
+ bool manager_configured(Manager *m) {
+ bool one_ready = false;
+ const char *ifname;
+- void *p;
+ Link *l;
+ int r;
+
+- if (!hashmap_isempty(m->interfaces)) {
++ if (!hashmap_isempty(m->command_line_interfaces_by_name)) {
++ LinkOperationalStateRange *range;
++
+ /* wait for all the links given on the command line to appear */
+- HASHMAP_FOREACH_KEY(p, ifname, m->interfaces) {
+- LinkOperationalStateRange *range = p;
++ HASHMAP_FOREACH_KEY(range, ifname, m->command_line_interfaces_by_name) {
+
+ l = hashmap_get(m->links_by_name, ifname);
+ if (!l && range->min == LINK_OPERSTATE_MISSING) {
+@@ -139,7 +140,7 @@ bool manager_configured(Manager *m) {
+
+ /* wait for all links networkd manages to be in admin state 'configured'
+ * and at least one link to gain a carrier */
+- HASHMAP_FOREACH(l, m->links) {
++ HASHMAP_FOREACH(l, m->links_by_index) {
+ if (manager_ignore_link(m, l)) {
+ log_link_debug(l, "link is ignored");
+ continue;
+@@ -191,7 +192,7 @@ static int manager_process_link(sd_netlink *rtnl, sd_netlink_message *mm, void *
+ return 0;
+ }
+
+- l = hashmap_get(m->links, INT_TO_PTR(ifindex));
++ l = hashmap_get(m->links_by_index, INT_TO_PTR(ifindex));
+
+ switch (type) {
+
+@@ -294,7 +295,7 @@ static int on_network_event(sd_event_source *s, int fd, uint32_t revents, void *
+
+ sd_network_monitor_flush(m->network_monitor);
+
+- HASHMAP_FOREACH(l, m->links) {
++ HASHMAP_FOREACH(l, m->links_by_index) {
+ r = link_update_monitor(l);
+ if (r < 0 && r != -ENODATA)
+ log_link_warning_errno(l, r, "Failed to update link state, ignoring: %m");
+@@ -331,10 +332,14 @@ static int manager_network_monitor_listen(Manager *m) {
+ return 0;
+ }
+
+-int manager_new(Manager **ret, Hashmap *interfaces, char **ignore,
++int manager_new(Manager **ret,
++ Hashmap *command_line_interfaces_by_name,
++ char **ignored_interfaces,
+ LinkOperationalStateRange required_operstate,
+ AddressFamily required_family,
+- bool any, usec_t timeout) {
++ bool any,
++ usec_t timeout) {
++
+ _cleanup_(manager_freep) Manager *m = NULL;
+ int r;
+
+@@ -345,8 +350,8 @@ int manager_new(Manager **ret, Hashmap *interfaces, char **ignore,
+ return -ENOMEM;
+
+ *m = (Manager) {
+- .interfaces = interfaces,
+- .ignore = ignore,
++ .command_line_interfaces_by_name = command_line_interfaces_by_name,
++ .ignored_interfaces = ignored_interfaces,
+ .required_operstate = required_operstate,
+ .required_family = required_family,
+ .any = any,
+@@ -384,7 +389,7 @@ Manager* manager_free(Manager *m) {
+ if (!m)
+ return NULL;
+
+- hashmap_free_with_destructor(m->links, link_free);
++ hashmap_free_with_destructor(m->links_by_index, link_free);
+ hashmap_free(m->links_by_name);
+
+ sd_event_source_unref(m->network_monitor_event_source);
+diff --git a/src/network/wait-online/manager.h b/src/network/wait-online/manager.h
+index f2e091638c..01ad18f8f6 100644
+--- a/src/network/wait-online/manager.h
++++ b/src/network/wait-online/manager.h
+@@ -13,12 +13,12 @@ typedef struct Manager Manager;
+ typedef struct Link Link;
+
+ struct Manager {
+- Hashmap *links;
++ Hashmap *links_by_index;
+ Hashmap *links_by_name;
+
+ /* Do not free the two members below. */
+- Hashmap *interfaces;
+- char **ignore;
++ Hashmap *command_line_interfaces_by_name;
++ char **ignored_interfaces;
+
+ LinkOperationalStateRange required_operstate;
+ AddressFamily required_family;
+@@ -34,7 +34,7 @@ struct Manager {
+ };
+
+ Manager* manager_free(Manager *m);
+-int manager_new(Manager **ret, Hashmap *interfaces, char **ignore,
++int manager_new(Manager **ret, Hashmap *command_line_interfaces_by_name, char **ignored_interfaces,
+ LinkOperationalStateRange required_operstate,
+ AddressFamily required_family,
+ bool any, usec_t timeout);
+--
+2.33.0
+
diff --git a/backport-watchdog-pass-right-error-code-to-log-function-so-th.patch b/backport-watchdog-pass-right-error-code-to-log-function-so-th.patch
new file mode 100644
index 0000000000000000000000000000000000000000..cdc4dc963789ad42d1058adf5e81f019caca96f7
--- /dev/null
+++ b/backport-watchdog-pass-right-error-code-to-log-function-so-th.patch
@@ -0,0 +1,32 @@
+From 11d5f109b04cd61c8bf437065b5e178c485a49b4 Mon Sep 17 00:00:00 2001
+From: Lennart Poettering
+Date: Wed, 15 Sep 2021 15:43:42 +0200
+Subject: [PATCH] watchdog: pass right error code to log function so that %m
+ works
+
+(cherry picked from commit a4588af942af976c55f72869340c24d5017db278)
+
+Conflict:NA
+Reference:https://github.com/systemd/systemd/commit/11d5f109b04cd61c8bf437065b5e178c485a49b4
+---
+ src/shared/watchdog.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/shared/watchdog.c b/src/shared/watchdog.c
+index d33acafe64..8586a88e54 100644
+--- a/src/shared/watchdog.c
++++ b/src/shared/watchdog.c
+@@ -47,8 +47,8 @@ static int update_timeout(void) {
+ flags = WDIOS_ENABLECARD;
+ if (ioctl(watchdog_fd, WDIOC_SETOPTIONS, &flags) < 0) {
+ /* ENOTTY means the watchdog is always enabled so we're fine */
+- log_full(ERRNO_IS_NOT_SUPPORTED(errno) ? LOG_DEBUG : LOG_WARNING,
+- "Failed to enable hardware watchdog: %m");
++ log_full_errno(ERRNO_IS_NOT_SUPPORTED(errno) ? LOG_DEBUG : LOG_WARNING, errno,
++ "Failed to enable hardware watchdog, ignoring: %m");
+ if (!ERRNO_IS_NOT_SUPPORTED(errno))
+ return -errno;
+ }
+--
+2.33.0
+
diff --git a/backport-xdg-autostart-service-Ignore-missing-desktop-sepcifi.patch b/backport-xdg-autostart-service-Ignore-missing-desktop-sepcifi.patch
new file mode 100644
index 0000000000000000000000000000000000000000..ab388d4ea43e3b26140573c94722dfe0a609d7f6
--- /dev/null
+++ b/backport-xdg-autostart-service-Ignore-missing-desktop-sepcifi.patch
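Review bot: In update_timeout() the new message says "ignoring", but the context lines right after it return `-errno` for every error that is not ERRNO_IS_NOT_SUPPORTED, so the warning-level case is logged as ignored and then propagated. The code also reads `errno` again after the logging call, which is only correct if log_full_errno() leaves errno untouched (not visible in the hunk). Capturing the value once removes that dependency: `int e = errno;` right after the failed ioctl(), pass `e` to the log call, and `return -e;`, with the word "ignoring" kept only for the path that really continues. update_timeout() begins and ends outside the hunk.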
@@ -0,0 +1,38 @@
+From 5d3466ec91b05853b815db509b901e6a6d5f4db4 Mon Sep 17 00:00:00 2001
+From: Benjamin Berg
+Date: Mon, 10 Jan 2022 12:35:46 +0100
+Subject: [PATCH] xdg-autostart-service: Ignore missing desktop-sepcific
+ condition binary
+
+If a desktop specific ExecCondition= binary does not exist, this just
+means that the desktop environment is not available. As such, it is not
+an error condition that should prevent the service from being installed
+in the .wants target.
+
+Fix this by simply returning zero.
+
+(cherry picked from commit 6d0aef1dd15088e7379681b3bd93c3cb450f3c55)
+(cherry picked from commit 19fbd7764da2e23a89e27b4d95afd77b99f4be87)
+
+Conflict:NA
+Reference:https://github.com/systemd/systemd/commit/5d3466ec91b05853b815db509b901e6a6d5f4db4
+---
+ src/xdg-autostart-generator/xdg-autostart-service.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/xdg-autostart-generator/xdg-autostart-service.c b/src/xdg-autostart-generator/xdg-autostart-service.c
+index fe73bfe9db..16545beb50 100644
+--- a/src/xdg-autostart-generator/xdg-autostart-service.c
++++ b/src/xdg-autostart-generator/xdg-autostart-service.c
+@@ -486,7 +486,7 @@ static int xdg_autostart_generate_desktop_condition(
+ log_full_errno(r == -ENOENT ? LOG_DEBUG : LOG_WARNING, r,
+ "%s not found: %m", test_binary);
+ fprintf(f, "# ExecCondition using %s skipped due to missing binary.\n", test_binary);
+- return r;
++ return 0;
+ }
+
+ e_autostart_condition = cescape(condition);
+--
+2.33.0
+
diff --git a/delay-to-restart-when-a-service-can-not-be-auto-restarted.patch b/delay-to-restart-when-a-service-can-not-be-auto-restarted.patch
index 6edafc9e84e2281224784afb980b14c69cb6f000..557e0dedd2b4ac81132032cea2cafc05c9418433 100644
--- a/delay-to-restart-when-a-service-can-not-be-auto-restarted.patch
+++ b/delay-to-restart-when-a-service-can-not-be-auto-restarted.patch
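Review bot: Changing `return r;` to `return 0;` in xdg_autostart_generate_desktop_condition() swallows every failure of the binary lookup, not only the missing-binary case the commit message describes: the log call just above still separates `r == -ENOENT` from other errors, yet both now return success. For a non-ENOENT error the unit is then written with the ExecCondition replaced by a comment, so the entry is no longer gated on the desktop check. `return r == -ENOENT ? 0 : r;` keeps the intended behaviour and still propagates real errors. The enclosing condition and the rest of the function are outside the hunk, so confirm which values of r can reach this branch.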
@@ -13,14 +13,14 @@ is same(both with 0), so the STOP job has no chance to be scheduled, and systemd to handle the time task. This patch fix this problem by delaying 1 second to restart the service to cause STOP job to be scheduled. --- - src/core/service.c | 5 +++-- - 1 file changed, 3 insertions(+), 2 deletions(-) + src/core/service.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/src/core/service.c b/src/core/service.c -index ad9c028..8217447 100644 +index e368ec8..9b4b5b1 100644 --- a/src/core/service.c +++ b/src/core/service.c -@@ -1716,14 +1716,15 @@ fail: +@@ -2262,13 +2262,17 @@ fail: static void service_enter_restart(Service *s) { _cleanup_(sd_bus_error_free) sd_bus_error error = SD_BUS_ERROR_NULL; int r; @@ -30,14 +30,15 @@ index ad9c028..8217447 100644 if (unit_has_job_type(UNIT(s), JOB_STOP)) { /* Don't restart things if we are going down anyway */ - log_unit_info(UNIT(s), "Stop job pending for unit, delaying automatic restart."); -- -- r = service_arm_timer(s, usec_add(now(CLOCK_MONOTONIC), s->restart_usec)); + log_unit_info(UNIT(s), "Stop job pending for unit, skipping automatic restart."); +- return; + restart_usec = (s->restart_usec == 0) ? 1*USEC_PER_SEC : s->restart_usec; + r = service_arm_timer(s, usec_add(now(CLOCK_MONOTONIC), restart_usec)); - if (r < 0) - goto fail; ++ if (r < 0) ++ goto fail; + } + /* Any units that are bound to this service must also be -- 1.8.3.1 diff --git a/disable-systemd-timesyncd-networkd-resolved-homed-us.patch b/disable-systemd-timesyncd-networkd-resolved-homed-us.patch new file mode 100644 index 0000000000000000000000000000000000000000..8c0381e56a7e2b747867832312f910f9c9c76fe1 --- /dev/null +++ b/disable-systemd-timesyncd-networkd-resolved-homed-us.patch 
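Review bot: In the refreshed service_enter_restart() patch, the stop-job branch drops upstream's `return;` (`+- return;`) and, as far as the visible lines and the diffstat (5 insertions, 1 deletion) show, does not add one back after the `goto fail` check. If that reading is right, the function arms the delayed timer and then falls through into the restart path below while a stop job is still pending, which the branch's own comment says must not happen; add `return;` after the `if (r < 0) goto fail;` pair inside the branch. The log text kept from upstream also says "skipping automatic restart" although the patched code delays it. The function continues outside the hunk and part of the inner patch between the two hunks is not shown.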
@@ -0,0 +1,40 @@
+From 72e9c079d0fd769d1bdb7d7db9c49454ce4bd255 Mon Sep 17 00:00:00 2001
+From: licunlong
+Date: Wed, 1 Dec 2021 17:27:07 +0800
+Subject: [PATCH] disable systemd-{timesyncd, networkd, resolved, homed,
+ userdbd, pstore} by default
+
+---
+ presets/90-systemd.preset | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/presets/90-systemd.preset b/presets/90-systemd.preset
+index d260874..2a7396c 100644
+--- a/presets/90-systemd.preset
++++ b/presets/90-systemd.preset
+@@ -16,12 +16,6 @@ enable remote-cryptsetup.target
+ enable machines.target
+
+ enable getty@.service
+-enable systemd-timesyncd.service
+-enable systemd-networkd.service
+-enable systemd-resolved.service
+-enable systemd-homed.service
+-enable systemd-userdbd.socket
+-enable systemd-pstore.service
+
+ disable console-getty.service
+ disable debug-shell.service
+@@ -44,3 +38,9 @@ disable syslog.socket
+ disable systemd-journal-gatewayd.*
+ disable systemd-journal-remote.*
+ disable systemd-journal-upload.*
++disable systemd-timesyncd.service
++disable systemd-networkd.service
++disable systemd-resolved.service
++disable systemd-homed.service
++disable systemd-userdbd.socket
++disable systemd-pstore.service
+--
+2.23.0
+
diff --git a/keep-weight-consistent-with-the-set-value.patch b/keep-weight-consistent-with-the-set-value.patch
new file mode 100644
index 0000000000000000000000000000000000000000..5f6385b8b72827029398dcfa55c3a0e0b6bf5433
--- /dev/null
+++ b/keep-weight-consistent-with-the-set-value.patch
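Review bot: The patch moves six units from `enable` to `disable` in presets/90-systemd.preset with an empty description, and `disable systemd-timesyncd.service` in particular leaves clock synchronisation to some other service that this preset does not show. Certificate validation and log correlation both depend on a correct clock, so the replacement should be named next to the change, e.g. a preset comment `# time sync is provided by <distribution NTP service>; timesyncd is disabled on purpose` plus a sentence in the commit message. The same applies to the resolved and networkd lines.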
@@ -0,0 +1,34 @@
+From 7424b6c0f38d4a32fd96e74d7078707c026c6c66 Mon Sep 17 00:00:00 2001
+From: wangyuhang
+Date: Thu, 9 Jun 2022 20:10:50 +0800
+Subject: [PATCH] keep weight consistent with the set value
+
+---
+ src/core/cgroup.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/core/cgroup.c b/src/core/cgroup.c
+index ee15d50..4c5feef 100644
+--- a/src/core/cgroup.c
++++ b/src/core/cgroup.c
+@@ -1249,7 +1249,7 @@ static void set_io_weight(Unit *u, uint64_t weight) {
+ * See also: https://github.com/systemd/systemd/pull/13335 and
+ * https://github.com/torvalds/linux/commit/65752aef0a407e1ef17ec78a7fc31ba4e0b360f9.
+ * The range is 1..1000 apparently, and the default is 100. */
+- xsprintf(buf, "%" PRIu64 "\n", BFQ_WEIGHT(weight));
++ xsprintf(buf, "%" PRIu64 "\n", weight);
+ (void) set_attribute_and_warn(u, "io", "io.bfq.weight", buf);
+
+ xsprintf(buf, "default %" PRIu64 "\n", weight);
+@@ -1262,7 +1262,7 @@ static void set_blkio_weight(Unit *u, uint64_t weight) {
+ assert(u);
+
+ /* FIXME: see comment in set_io_weight(). */
+- xsprintf(buf, "%" PRIu64 "\n", BFQ_WEIGHT(weight));
++ xsprintf(buf, "%" PRIu64 "\n", weight);
+ (void) set_attribute_and_warn(u, "blkio", "blkio.bfq.weight", buf);
+
+ xsprintf(buf, "%" PRIu64 "\n", weight);
+--
+2.33.0
+
diff --git a/logind-set-RemoveIPC-to-false-by-default.patch b/logind-set-RemoveIPC-to-false-by-default.patch
index 02df6b3588d3c027eac9aebe05b40933bc92e318..657b28aa3e09af2d15fe7e3bfeac2da19a6a4f6e 100644
--- a/logind-set-RemoveIPC-to-false-by-default.patch
+++ b/logind-set-RemoveIPC-to-false-by-default.patch
@@ -43,7 +43,7 @@ index ed1084b06e..07ff0d195e 100644
 @@ -33,6 +33,6 @@
 #IdleActionSec=30min
 #RuntimeDirectorySize=10%
- #RuntimeDirectoryInodes=400k
+ #RuntimeDirectoryInodesMax=
 -#RemoveIPC=yes
 +#RemoveIPC=no
 #InhibitorsMax=8192
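Review bot: Dropping BFQ_WEIGHT() in set_io_weight() and set_blkio_weight() writes the configured weight unscaled to `io.bfq.weight` and `blkio.bfq.weight`, while the comment left in place directly above still says the BFQ range is 1..1000. If the configured weight can exceed 1000 (its range is not visible in the hunk), the write would presumably be rejected, and because the call is `(void) set_attribute_and_warn(...)` the only effect is a warning and a weight that was never applied. Either clamp before formatting, e.g. `xsprintf(buf, "%" PRIu64 "\n", MIN(weight, UINT64_C(1000)));`, or update the comment to say that larger values are passed through on purpose. Both functions begin or end outside the hunk.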
diff --git a/print-the-real-reason-for-link-update.patch b/print-the-real-reason-for-link-update.patch deleted file mode 100644 index 702877366d3c34e4818b273239d3276386489e53..0000000000000000000000000000000000000000 --- a/print-the-real-reason-for-link-update.patch +++ /dev/null @@ -1,39 +0,0 @@ -From 7ed8309747a2947ff1ea0f4149e0501f1eb81271 Mon Sep 17 00:00:00 2001 -From: gaoyi -Date: Tue, 20 Jul 2021 15:09:28 +0800 -Subject: [PATCH] print the real reason for link update - -reduce retries to improve performance and print the real -reaseon when the max retries reached ---- - src/udev/udev-node.c | 7 +++++-- - 1 file changed, 5 insertions(+), 2 deletions(-) - -diff --git a/src/udev/udev-node.c b/src/udev/udev-node.c -index 9e52906..8b7996d 100644 ---- a/src/udev/udev-node.c -+++ b/src/udev/udev-node.c -@@ -29,7 +29,7 @@ - #include "user-util.h" - - #define CREATE_LINK_MAX_RETRIES 128 --#define LINK_UPDATE_MAX_RETRIES 128 -+#define LINK_UPDATE_MAX_RETRIES 4 - #define TOUCH_FILE_MAX_RETRIES 128 - #define UDEV_NODE_HASH_KEY SD_ID128_MAKE(b9,6a,f1,ce,40,31,44,1a,9e,19,ec,8b,ae,f3,e3,2f) - -@@ -353,7 +353,10 @@ static int link_update(sd_device *dev, const char *slink_in, bool add) { - } - } - -- return i < LINK_UPDATE_MAX_RETRIES ? 0 : -ELOOP; -+ if (i >= LINK_UPDATE_MAX_RETRIES) -+ log_device_debug(dev, "Exceeded max retries for link update"); -+ -+ return 0; - } - - int udev_node_update_old_links(sd_device *dev, sd_device *dev_old) { --- -2.27.0 - diff --git a/systemd.spec b/systemd.spec index d56b5b25b001708063eab24140f6383d32f6a5c4..52bab779e25e579f5e3b55cd5129a48f45b23bb3 100644 --- a/systemd.spec +++ b/systemd.spec @@ -20,7 +20,7 @@ Name: systemd Url: https://www.freedesktop.org/wiki/Software/systemd Version: 249 -Release: 36 +Release: 38 License: MIT and LGPLv2+ and GPLv2+ Summary: System and Service Manager 
@@ -46,73 +46,402 @@ Source105: rule_generator.functions Source106: write_net_rules Source107: detect_virt -Patch0001: update-rtc-with-system-clock-when-shutdown.patch -Patch0002: udev-add-actions-while-rename-netif-failed.patch -Patch0003: fix-two-VF-virtual-machines-have-same-mac-address.patch -Patch0004: logind-set-RemoveIPC-to-false-by-default.patch -Patch0005: rules-add-rule-for-naming-Dell-iDRAC-USB-Virtual-NIC.patch -Patch0006: unit-don-t-add-Requires-for-tmp.mount.patch -Patch0007: rules-add-elevator-kernel-command-line-parameter.patch -Patch0008: rules-add-the-rule-that-adds-elevator-kernel-command.patch -Patch0009: units-add-Install-section-to-tmp.mount.patch -Patch0010: Make-systemd-udevd.service-start-after-systemd-remou.patch -Patch0011: udev-virsh-shutdown-vm.patch -Patch0012: sd-bus-properly-initialize-containers.patch -Patch0013: Revert-core-one-step-back-again-for-nspawn-we-actual.patch -Patch0014: journal-don-t-enable-systemd-journald-audit.socket-b.patch -Patch0015: systemd-change-time-log-level.patch -Patch0016: fix-capsh-drop-but-ping-success.patch -Patch0017: resolved-create-etc-resolv.conf-symlink-at-runtime.patch -Patch0018: pid1-bump-DefaultTasksMax-to-80-of-the-kernel-pid.ma.patch -Patch0019: fix-journal-file-descriptors-leak-problems.patch -Patch0020: activation-service-must-be-restarted-when-reactivated.patch -Patch0021: systemd-core-fix-problem-of-dbus-service-can-not-be-started.patch -Patch0022: delay-to-restart-when-a-service-can-not-be-auto-restarted.patch -Patch0023: disable-initialize_clock.patch -Patch0024: systemd-solve-that-rsyslog-reads-journal-s-object-of.patch -Patch0025: check-whether-command_prev-is-null-before-assigning-.patch -Patch0026: print-the-real-reason-for-link-update.patch -Patch0027: core-skip-change-device-to-dead-in-manager_catchup-d.patch -Patch0028: revert-rpm-restart-services-in-posttrans.patch -Patch0029: Don-t-set-AlternativeNamesPolicy-by-default.patch -Patch0030: change-NTP-server-to-x.pool.ntp.org.patch 
- -#backport -Patch6000: backport-core-fix-free-undefined-pointer-when-strdup-failed-i.patch -Patch6001: backport-fix-ConditionDirectoryNotEmpty-when-it-comes-to-a-No.patch -Patch6002: backport-fix-ConditionPathIsReadWrite-when-path-does-not-exis.patch -Patch6003: backport-fix-DirectoryNotEmpty-when-it-comes-to-a-Non-directo.patch -Patch6004: backport-CVE-2021-3997-rm-rf-refactor-rm_rf_children-split-out-body-of-dire.patch -Patch6005: backport-CVE-2021-3997-rm-rf-optionally-fsync-after-removing-directory-tree.patch -Patch6006: backport-CVE-2021-3997-tmpfiles-st-may-have-been-used-uninitialized.patch -Patch6007: backport-CVE-2021-3997-shared-rm_rf-refactor-rm_rf_children_inner-to-shorte.patch -Patch6008: backport-CVE-2021-3997-shared-rm_rf-refactor-rm_rf-to-shorten-code-a-bit.patch -Patch6009: backport-CVE-2021-3997-shared-rm-rf-loop-over-nested-directories-instead-of.patch -Patch6010: backport-fix-CVE-2021-33910.patch -Patch6011: backport-temporarily-disable-test-seccomp.patch -Patch6012: backport-revert-core-map-io.bfq.weight-to-1.1000.patch -Patch6013: backport-core-cgroup-fix-error-handling-of-cg_remove_xattr.patch -Patch6014: backport-core-wrap-cgroup-path-with-empty_to_root-in-log-mess.patch -Patch6015: backport-Bump-the-max-number-of-inodes-for-dev-to-a-million.patch -Patch6016: backport-Bump-the-max-number-of-inodes-for-tmp-to-a-million-t.patch -Patch6017: backport-unit-escape.patch -Patch6018: backport-udev-rename-type-name-e.g.-struct-worker-Worker.patch -Patch6019: backport-udev-run-the-main-process-workers-and-spawned-comman.patch -Patch6020: backport-timesync-fix-wrong-type-for-receiving-timestamp-in-n.patch -Patch6021: backport-udev-fix-potential-memleak.patch -Patch6022: backport-journalctl-never-fail-at-flushing-when-the-flushed-f.patch -Patch6023: backport-core-fix-SIGABRT-on-empty-exec-command-argv.patch -Patch6024: backport-core-service-also-check-path-in-exec-commands.patch -Patch6025: backport-Add-meson-option-to-disable-urlify.patch -Patch6026: 
backport-logind.conf-Fix-name-of-option-RuntimeDirectoryInode.patch -Patch6027: backport-unit-coldplug-both-job-and-nop_job-if-possible.patch -Patch6028: backport-meson.build-change-operator-combining-bools-from-to-.patch -Patch6029: backport-Avoid-tmp-being-mounted-as-tmpfs-without-the-user-s-.patch -Patch6030: backport-journal-Only-move-to-objects-when-necessary.patch -Patch6031: backport-scsi_id-retry-inquiry-ioctl-if-host_byte-is-DID_TRAN.patch -Patch6032: backport-revert-units-add-ProtectClock-yes.patch -Patch6033: backport-revert-delete-initrd-usr-fs-target.patch -Patch6034: backport-login-drop-non-default-value-for-RuntimeDirectoryIno.patch +Patch6000: backport-hostnamed-correct-variable-with-errno-in-fallback_ch.patch +Patch6001: backport-docs-improve-wording-when-mentioning-the-acronym-ESP.patch +Patch6002: backport-systemctl-show-error-when-help-for-unknown-unit-is-r.patch +Patch6003: backport-shared-format-table-allocate-buffer-of-sufficient-si.patch +Patch6004: backport-fix-CVE-2021-33910.patch +Patch6005: backport-sd-bus-fix-missing-initializer-in-SD_BUS_VTABLE_END-.patch +Patch6006: backport-pid1-propagate-the-original-command-line-when-reexec.patch +Patch6007: backport-coredump-stacktrace.c-avoid-crash-on-binaries-withou.patch +Patch6008: backport-machined-varlink-fix-double-free.patch +Patch6009: backport-malloc-uses-getrandom-now.patch +Patch6010: backport-discover-image-mount-as-read-only-when-extracting-me.patch +Patch6011: backport-networkd-Include-linux-netdevice.h-header.patch +Patch6012: backport-seccomp-drop-getrandom-from-system-service.patch +Patch6013: backport-seccomp-move-sched_getaffinity-from-system-service-t.patch +Patch6014: backport-systemctl-allow-set-property-to-be-called-with-a-glo.patch +Patch6015: backport-Use-correct-fcntl.h-include.patch +Patch6016: backport-Use-correct-poll.h-include.patch +Patch6017: backport-veritysetup-print-help-for-help-h-help.patch +Patch6018: 
backport-network-use-address_equal-route_equal-to-compare-add.patch +Patch6019: backport-mkosi-openSUSE-update-bootable-no-dependencies.patch +Patch6020: backport-mkosi-Fix-openSUSE-Jinja2-package-name.patch +Patch6021: backport-sd-netlink-always-append-new-bridge-FDB-entries.patch +Patch6022: backport-core-cgroup-fix-error-handling-of-cg_remove_xattr.patch +Patch6023: backport-core-wrap-cgroup-path-with-empty_to_root-in-log-mess.patch +Patch6024: backport-network-add-comments.patch +Patch6025: backport-network-ignore-errors-on-setting-bridge-config.patch +Patch6026: backport-network-ignore-errors-on-unsetting-master-ifindex.patch +Patch6027: backport-network-also-check-addresses-when-determine-a-gatewa.patch +Patch6028: backport-network-check-the-received-interface-name-is-actuall.patch +Patch6029: backport-network-configure-address-with-requested-lifetime.patch +Patch6030: backport-network-use-monotonic-instead-of-boot-time-to-handle.patch +Patch6031: backport-udev-when-setting-up-lo-do-not-return-an-error.patch +Patch6032: backport-network-fix-configuring-of-CAN-devices.patch +Patch6033: backport-network-fix-logic-for-checking-gateway-address-is-re.patch +Patch6034: backport-Fix-the-Failed-to-open-random-seed-.-message.patch +Patch6035: backport-resolved-Don-t-omit-AD-bit-in-reply-if-DO-is-set-in-.patch +Patch6036: backport-sd-dhcp6-client-fix-copy-and-paste-mistake.patch +Patch6037: backport-sd-dhcp6-client-cirtainly-adjust-T1-and-T2.patch +Patch6038: backport-Get-rid-of-dangling-setutxent.patch +Patch6039: backport-sd-dhcp-server-fix-possible-double-free-or-use-after.patch +Patch6040: backport-hostname-fix-off-by-one-issue-in-gethostname.patch +Patch6041: backport-systemd-analyze-parse-ip_filters_custom_egress-corre.patch +Patch6042: backport-cgroup-do-catchup-for-unit-cgroup-inotify-watch-file.patch +Patch6043: backport-core-Make-sure-cgroup_oom_queue-is-flushed-on-manage.patch +Patch6044: backport-sd-boot-Fix-possible-null-pointer-dereference.patch 
+Patch6045: backport-resolved-retry-on-SERVFAIL-before-downgrading-featur.patch +Patch6046: backport-Don-t-open-var-journals-in-volatile-mode-when-runtim.patch +Patch6047: backport-network-allow-users-to-forbid-passthru-MACVLAN-from-.patch +Patch6048: backport-unit-coldplug-both-job-and-nop_job-if-possible.patch +Patch6049: backport-network-do-not-assume-the-highest-priority-when-Prio.patch +Patch6050: backport-fstab-generator-Respect-nofail-when-ordering.patch +Patch6051: backport-discover-image-pass-the-right-fd-to-fd_getcrtime.patch +Patch6052: backport-src-boot-efi-linux-fix-linux_exec-prototype.patch +Patch6053: backport-timesync-fix-wrong-type-for-receiving-timestamp-in-n.patch +Patch6054: backport-import-turn-off-weird-protocols-in-curl.patch +Patch6055: backport-network-fix-wrong-flag-manage_foreign_routes-manage_.patch +Patch6056: backport-icmp6-drop-unnecessary-assertion.patch +Patch6057: backport-socket-util-introduce-CMSG_SPACE_TIMEVAL-TIMESPEC-ma.patch +Patch6058: backport-timesync-check-cmsg-length.patch +Patch6059: backport-journal-network-timesync-fix-segfault-on-32bit-timev.patch +Patch6060: backport-tpm-util-fix-TPM-parameter-handling.patch +Patch6061: backport-basic-linux-Sync-if_arp.h-with-Linux-5.14.patch +Patch6062: backport-Drop-bundled-copy-of-linux-if_arp.h.patch +Patch6063: backport-explicitly-close-FIDO2-devices.patch +Patch6064: backport-core-respect-install_sysconfdir_samples-in-meson-fil.patch +Patch6065: backport-login-respect-install_sysconfdir_samples-in-meson-fi.patch +Patch6066: backport-core-Remove-circular-include.patch +Patch6067: backport-path-util-make-find_executable-work-without-proc-mou.patch +Patch6068: backport-Fix-another-crash-due-to-missing-NHDR.patch +Patch6069: backport-hwdb-remove-double-empty-line-in-help-text.patch +Patch6070: backport-run-mount-systemctl-don-t-fork-off-PolicyKit-ask-pw-.patch +Patch6071: backport-homed-make-sure-to-use-right-asssesors-for-GID-acces.patch +Patch6072: 
backport-homed-fix-log-message-referring-to-fsck-when-we-actu.patch +Patch6073: backport-homed-add-missing-SYNTHETIC_ERRNO.patch +Patch6074: backport-homed-remove-misplaced-assert.patch +Patch6075: backport-network-print-Ethernet-Link-Layer-DHCP-client-ID-wit.patch +Patch6076: backport-udev-fix-potential-memleak.patch +Patch6077: backport-nspawn-fix-type-to-pass-to-connect.patch +Patch6078: backport-home-secret-argument-of-handle_generic_user_record_e.patch +Patch6079: backport-docs-portablectl-is-in-bin.patch +Patch6080: backport-core-fix-free-undefined-pointer-when-strdup-failed-i.patch +Patch6081: backport-sd-event-take-ref-on-event-loop-object-before-dispat.patch +Patch6082: backport-nss-systemd-pack-pw_passwd-result-into-supplied-buff.patch +Patch6083: backport-nss-systemd-ensure-returned-strings-point-into-provi.patch +Patch6084: backport-core-Parse-log-environment-settings-again-after-appl.patch +Patch6085: backport-network-fix-handling-of-network-interface-renaming.patch +Patch6086: backport-virt-Improve-detection-of-EC2-metal-instances.patch +Patch6087: backport-Fix-error-building-repart-with-no-libcryptsetup-2073.patch +Patch6088: backport-sd-journal-Don-t-compare-hashes-from-different-journ.patch +Patch6089: backport-test-use-a-less-restrictive-portable-profile-when-ru.patch +Patch6090: backport-Respect-install_sysconfdir.patch +Patch6091: backport-journalctl-never-fail-at-flushing-when-the-flushed-f.patch +Patch6092: backport-sd-journal-Ignore-data-threshold-if-set-to-zero-in-s.patch +Patch6093: backport-watchdog-pass-right-error-code-to-log-function-so-th.patch +Patch6094: backport-fileio-lower-maximum-virtual-file-buffer-size-by-one.patch +Patch6095: backport-fileio-set-O_NOCTTY-when-reading-virtual-files.patch +Patch6096: backport-fileio-start-with-4k-buffer-for-procfs.patch +Patch6097: backport-fileio-fix-truncated-read-handling-in-read_virtual_f.patch +Patch6098: backport-test-fileio-test-read_virtual_file-with-more-files-f.patch +Patch6099: 
backport-bootctl-Fix-update-not-adding-EFI-entry-if-Boot-IDs-.patch
+Patch6100: backport-network-disable-event-sources-before-unref-them.patch
+Patch6101: backport-libsystemd-network-disable-event-sources-before-unre.patch
+Patch6102: backport-resolved-suppress-writing-DNS-server-info-into-etc-r.patch
+Patch6103: backport-resolvconf-compat-make-u-operation-a-NOP.patch
+Patch6104: backport-basic-unit-file-don-t-filter-out-names-starting-with.patch
+Patch6105: backport-core-mount-add-implicit-unit-dependencies-even-if-wh.patch
+Patch6106: backport-seccomp-Always-install-filters-for-native-architectu.patch
+Patch6107: backport-test-Check-that-native-architecture-is-always-filter.patch
+Patch6108: backport-mount-util-fix-fd_is_mount_point-when-both-the-paren.patch
+Patch6109: backport-sleep-don-t-skip-resume-device-with-low-priority-ava.patch
+Patch6110: backport-repart-use-right-error-variable.patch
+Patch6111: backport-basic-env-util-correctly-parse-extended-vars-after-n.patch
+Patch6112: backport-user-record-disable-two-pbkdf-fields-that-don-t-appl.patch
+Patch6113: backport-core-fix-SIGABRT-on-empty-exec-command-argv.patch
+Patch6114: backport-core-service-also-check-path-in-exec-commands.patch
+Patch6115: backport-coredump-Don-t-log-an-error-if-D-Bus-isn-t-running.patch
+Patch6116: backport-ether-addr-util-make-hw_addr_to_string-return-valid-.patch
+Patch6117: backport-localed-use-PROJECT_FILE-rather-than-__FILE__-for-lo.patch
+Patch6118: backport-coredumpctl-stop-truncating-information-about-coredu.patch
+Patch6119: backport-sd-dhcp6-client-ignore-IAs-whose-IAID-do-not-match-c.patch
+Patch6120: backport-sd-boot-Unify-error-handling.patch
+Patch6121: backport-sd-boot-Rework-console-input-handling.patch
+Patch6122: backport-coredump-fix-filename-in-journal-when-not-compressed.patch
+Patch6123: backport-virt-Support-detection-for-ARM64-Hyper-V-guests.patch
+Patch6124: backport-homework-fix-incorrect-error-variable-use.patch
+Patch6125:
backport-sd-device-monitor-update-log-message-to-clarify-the-.patch
+Patch6126: backport-homework-don-t-bother-with-BLKRRPART-on-images-that-.patch
+Patch6127: backport-userdb-fix-type-to-pass-to-connect.patch
+Patch6128: backport-homed-shutdown-call-valgrind-magic-after-LOOP_GET_ST.patch
+Patch6129: backport-utmp-remove-dev-from-line.patch
+Patch6130: backport-network-route-fix-possible-overflow-in-conversion-us.patch
+Patch6131: backport-varlink-disconnect-varlink-link-in-one-more-case.patch
+Patch6132: backport-udev-do-not-try-to-rename-interface-if-it-is-already.patch
+Patch6133: backport-stat-util-specify-O_DIRECTORY-when-reopening-dir-in-.patch
+Patch6134: backport-json-do-something-remotely-reasonable-when-we-see-Na.patch
+Patch6135: backport-change-indicator-used-for-later-versions-of-VirtualB.patch
+Patch6136: backport-hwdb-Allow-console-users-access-to-media-nodes.patch
+Patch6137: backport-test-do-not-use-alloca-in-function-call.patch
+Patch6138: backport-systemctl-pretty-print-ExtensionImages-property.patch
+Patch6139: backport-systemctl-small-fixes-for-MountImages-pretty-printin.patch
+Patch6140: backport-core-normalize-r-variable-handling-in-unit_attach_pi.patch
+Patch6141: backport-scope-refuse-activation-of-scopes-if-no-PIDs-to-add-.patch
+Patch6142: backport-homework-repart-turn-on-cryptsetup-logging-before-we.patch
+Patch6143: backport-systemctl-only-fall-back-to-local-cgroup-display-if-.patch
+Patch6144: backport-execute-respect-selinux_context_ignore.patch
+Patch6145: backport-core-ignore-failure-on-setting-smack-process-label-w.patch
+Patch6146: backport-process-util-wait-for-processes-we-killed-even-if-ki.patch
+Patch6147: backport-scope-count-successful-cgroup-additions-when-delegat.patch
+Patch6148: backport-creds-util-switch-to-OpenSSL-3.0-APIs.patch
+Patch6149: backport-openssl-util-use-EVP-API-to-get-RSA-bits.patch
+Patch6150: backport-ci-fix-indentation.patch
+Patch6151: backport-ci-cancel-previous-jobs-on-ref-update.patch
+Patch6152:
backport-ci-take-CIFuzz-s-matrix-into-consideration.patch
+Patch6153: backport-ci-run-the-unit_tests-and-mkosi-jobs-on-stable-branc.patch
+Patch6154: backport-test-oomd-util-skip-tests-if-cgroup-memory-controlle.patch
+Patch6155: backport-ci-pin-the-debian-systemd-repo-to-a-specific-revisio.patch
+Patch6156: backport-basic-mountpoint-util-detect-erofs-as-a-read-only-FS.patch
+Patch6157: backport-user-record-fix-display-of-access-mode.patch
+Patch6158: backport-logind-downgrade-message-about-run-utmp-missing-to-L.patch
+Patch6159: backport-tree-wide-use-sd_event_source_disable_unref-where-we.patch
+Patch6160: backport-sd-event-don-t-destroy-inotify-data-structures-from-.patch
+Patch6161: backport-Change-gendered-terms-to-be-gender-neutral-21325.patch
+Patch6162: backport-binfmt-fix-exit-value.patch
+Patch6163: backport-unit_is_bound_by_inactive-fix-return-pointer-check.patch
+Patch6164: backport-umask-util-add-helper-that-resets-umask-until-end-of.patch
+Patch6165: backport-namespace-rebreak-a-few-comments.patch
+Patch6166: backport-namespace-make-whole-namespace_setup-work-regardless.patch
+Patch6167: backport-namespace-make-tmp-dir-handling-code-independent-of-.patch
+Patch6168: backport-tests-add-test-case-for-UMask-BindPaths-combination.patch
+Patch6169: backport-sd-dhcp6-client-constify-one-argument.patch
+Patch6170: backport-sd-dhcp6-client-modernize-dhcp6_option_parse.patch
+Patch6171: backport-test-add-tests-for-reading-unaligned-data.patch
+Patch6172: backport-sd-dhcp6-client-fix-buffer-size-calculation-in-dhcp6.patch
+Patch6173: backport-sd-dhcp6-client-constify-several-arguments.patch
+Patch6174: backport-sd-dhcp6-client-make-dhcp6_lease_free-accepts-NULL.patch
+Patch6175: backport-sd-dhcp6-client-do-not-merge-NTP-and-SNTP-options.patch
+Patch6176: backport-dhcp-fix-assertion-failure.patch
+Patch6177: backport-network-address-read-flags-from-message-header-when-.patch
+Patch6178: backport-seccomp-move-mprotect-to-default.patch
+Patch6179:
backport-journal-Skip-over-corrupt-entry-items-in-enumerate_d.patch
+Patch6180: backport-journal-Use-separate-variable-for-Data-object-in-sd_.patch
+Patch6181: backport-journal-Skip-corrupt-Data-objects-in-sd_journal_get_.patch
+Patch6182: backport-analyze-fix-printing-config-when-there-is-no-main-co.patch
+Patch6183: backport-resolved-fix-ResolveService-hostname-handling.patch
+Patch6184: backport-resolved-properly-signal-transient-errors-back-to-NS.patch
+Patch6185: backport-resolved-make-sure-we-don-t-hit-an-assert-when-deali.patch
+Patch6186: backport-resolved-clean-up-manager_write_resolv_conf-a-bit.patch
+Patch6187: backport-virt-Fix-the-detection-for-Hyper-V-VMs.patch
+Patch6188: backport-homework-fix-a-bad-error-propagation.patch
+Patch6189: backport-journal-Remove-entry-seqnum-revert-logic.patch
+Patch6190: backport-mmap-cache-LIST_REMOVE-after-w-unused_prev.patch
+Patch6191: backport-journal-Deduplicate-entry-items-before-they-are-stor.patch
+Patch6192: backport-test-journal-flush-allow-testing-against-specific-fi.patch
+Patch6193: backport-test-journal-flush-do-not-croak-on-corrupted-input-f.patch
+Patch6194: backport-fix-ConditionDirectoryNotEmpty-when-it-comes-to-a-No.patch
+Patch6195: backport-fix-ConditionPathIsReadWrite-when-path-does-not-exis.patch
+Patch6196: backport-sd-dhcp6-client-fix-error-handling.patch
+Patch6197: backport-core-bpf-firewall-make-bpf_firewall_supported-always.patch
+Patch6198: backport-cgroup-don-t-emit-BPF-firewall-warning-when-manager-.patch
+Patch6199: backport-cryptenroll-fix-wrong-error-messages.patch
+Patch6200: backport-Bump-the-max-number-of-inodes-for-dev-to-128k.patch
+Patch6201: backport-fix-DirectoryNotEmpty-when-it-comes-to-a-Non-directo.patch
+Patch6202: backport-core-use-correct-level-for-CPU-time-log-message.patch
+Patch6203: backport-core-cgroup-set-bfq.weight-first-and-fixes-blkio.wei.patch
+Patch6204: backport-core-cgroup-use-helper-macro-for-bfq-conversion.patch
+Patch6205:
backport-resolve-remove-server-large-level.patch
+Patch6206: backport-mkosi-Build-Fedora-35-images.patch
+Patch6207: backport-home-fix-heap-use-after-free.patch
+Patch6208: backport-journactl-show-info-about-journal-range-only-at-debu.patch
+Patch6209: backport-fstab-generator-do-not-remount-sys-when-running-in-a.patch
+Patch6210: backport-journal-remote-use-MHD_HTTP_CONTENT_TOO_LARGE-as-MHD.patch
+Patch6211: backport-repart-use-real-disk-start-end-for-bar-production.patch
+Patch6212: backport-machined-set-TTYPath-for-container-shell.patch
+Patch6213: backport-sd-journal-free-incomplete-match-on-failure.patch
+Patch6214: backport-sd-journal-fix-segfault-when-match_new-fails.patch
+Patch6215: backport-random-util-use-ssize_t-for-getrandom-return-value.patch
+Patch6216: backport-dbus-wait-for-jobs-add-extra_args-to-bus_wait_for_jo.patch
+Patch6217: backport-systemd-run-ensure-error-logs-suggest-to-use-user-wh.patch
+Patch6218: backport-sysusers-use-filename-if-proc-is-not-mounted.patch
+Patch6219: backport-nss-systemd-fix-required-buffer-size-calculation.patch
+Patch6220: backport-nss-systemd-fix-alignment-of-gr_mem.patch
+Patch6221: backport-nss-myhostname-do-not-apply-non-zero-offset-to-null-.patch
+Patch6222: backport-syscalls-update-syscall-definitions.patch
+Patch6223: backport-missing-syscall-add-__NR_openat2.patch
+Patch6224: backport-basic-log-allow-errno-values-higher-than-255.patch
+Patch6225: backport-backlight-ignore-error-if-the-backlight-device-is-al.patch
+Patch6226: backport-logind-do-not-propagate-error-in-delayed-action.patch
+Patch6227: backport-test-watchdog-mark-as-unsafe.patch
+Patch6228: backport-fstab-generator-skip-root-directory-handling-when-nf.patch
+Patch6229: backport-seccomp-move-arch_prctl-to-default.patch
+Patch6230: backport-boot-timestamps-Discard-firmware-init-time-when-runn.patch
+Patch6231: backport-CVE-2021-3997-rm-rf-refactor-rm_rf_children-split-out-body-of-dire.patch
+Patch6232:
backport-CVE-2021-3997-rm-rf-optionally-fsync-after-removing-directory-tree.patch
+Patch6233: backport-CVE-2021-3997-tmpfiles-st-may-have-been-used-uninitialized.patch
+Patch6234: backport-CVE-2021-3997-shared-rm_rf-refactor-rm_rf_children_inner-to-shorte.patch
+Patch6235: backport-CVE-2021-3997-shared-rm_rf-refactor-rm_rf-to-shorten-code-a-bit.patch
+Patch6236: backport-CVE-2021-3997-shared-rm-rf-loop-over-nested-directories-instead-of.patch
+Patch6237: backport-nss-drop-dummy-setup_logging-helpers.patch
+Patch6238: backport-nss-only-read-logging-config-from-environment-variab.patch
+Patch6239: backport-fix-test-string-util-failed-when-locale-is-not-utf8.patch
+Patch6240: backport-policy-files-adjust-landing-page-link.patch
+Patch6241: backport-xdg-autostart-service-Ignore-missing-desktop-sepcifi.patch
+Patch6242: backport-journal-Skip-data-objects-with-invalid-offsets.patch
+Patch6243: backport-namespace-allow-ProcSubset-pid-with-some-ProtectKern.patch
+Patch6244: backport-sysext-use-LO_FLAGS_PARTSCAN-when-opening-image.patch
+Patch6245: backport-dissect-image-validate-extension-release-even-if-the.patch
+Patch6246: backport-core-refuse-to-mount-ExtensionImages-if-the-base-lay.patch
+Patch6247: backport-resolve-fix-assertion-triggered-when-r-0.patch
+Patch6248: backport-oomd-fix-race-with-path-unavailability-when-killing-.patch
+Patch6249: backport-oomd-handle-situations-when-no-cgroups-are-killed.patch
+Patch6250: backport-udevadm-cleanup_dir-use-dot_or_dot_dot.patch
+Patch6251: backport-udevadm-cleanup-db-don-t-delete-information-for-kept.patch
+Patch6252: backport-core-namespace-allow-using-ProtectSubset-pid-and-Pro.patch
+Patch6253: backport-core-namespace-s-normalize_mounts-drop_unused_mounts.patch
+Patch6254: backport-logind.conf-Fix-name-of-option-RuntimeDirectoryInode.patch
+Patch6255: backport-sd-dhcp-server-refuse-too-large-packet-to-send.patch
+Patch6256: backport-basic-mac_-selinux-smack-_apply_fd-does-not-work-whe.patch
+Patch6257:
backport-sd-dhcp-lease-fix-an-infinite-loop-found-by-the-fuzz.patch
+Patch6258: backport-sd-dhcp-lease-fix-a-memory-leak-in-dhcp_lease_parse_.patch
+Patch6259: backport-core-don-t-fail-on-EEXIST-when-creating-mount-point.patch
+Patch6260: backport-bus-util-retrieve-bus-error-from-message.patch
+Patch6261: backport-core-unit-use-bus_error_message-at-one-more-place.patch
+Patch6262: backport-login-use-bus_error_message-at-one-more-place.patch
+Patch6263: backport-pid1-pass-PAM_DATA_SILENT-to-pam_end-in-child.patch
+Patch6264: backport-execute-use-_cleanup_-logic-where-appropriate.patch
+Patch6265: backport-execute-line-break-comments-a-bit-less-aggressively.patch
+Patch6266: backport-execute-document-that-the-env-param-is-input-and-out.patch
+Patch6267: backport-sd-dhcp-lease-fix-memleak.patch
+Patch6268: backport-core-mount-fail-early-if-directory-cannot-be-created.patch
+Patch6269: backport-util-another-set-of-CVE-2021-4034-assert-s.patch
+Patch6270: backport-resolve-fix-potential-memleak-and-use-after-free.patch
+Patch6271: backport-resolve-fix-possible-memleak.patch
+Patch6272: backport-resolve-use-_cleanup_-attribute-for-freeing-DnsQuery.patch
+Patch6273: backport-network-bridge-fix-endian-of-vlan-protocol.patch
+Patch6274: backport-basic-escape-add-helper-for-quoting-command-lines.patch
+Patch6275: backport-core-use-the-new-quoting-helper.patch
+Patch6276: backport-sd-bus-print-quoted-commandline-when-in-bus_socket_e.patch
+Patch6277: backport-sd-bus-print-debugging-information-if-bus_container_.patch
+Patch6278: backport-sd-bus-allow-numerical-uids-in-M-user-.host.patch
+Patch6279: backport-packit-remove-unsupported-Dcryptolib-openssl-option.patch
+Patch6280: backport-sd-device-silence-gcc-warning-with-newest-gcc.patch
+Patch6281: backport-packit-build-on-and-use-Fedora-35-spec-file.patch
+Patch6282: backport-ci-use-the-system-llvm-11-package-on-Focal.patch
+Patch6283: backport-resolve-refuse-AF_UNSPEC-when-resolving-address.patch
+Patch6284:
backport-resolve-add-reference-of-the-original-bus-message-to.patch
+Patch6285: backport-ci-replace-apt-key-with-signed-by.patch
+Patch6286: backport-ci-fix-clang-13-installation.patch
+Patch6287: backport-tree-wide-mark-set-but-not-used-variables-as-unused-.patch
+Patch6288: backport-sd-dhcp-server-rename-server_send_nak-server_send_na.patch
+Patch6289: backport-packit-drop-unnumbered-patches-as-well.patch
+Patch6290: backport-dns-domain-re-introduce-dns_name_is_empty.patch
+Patch6291: backport-resolve-synthesize-empty-name.patch
+Patch6292: backport-resolve-synthesize-null-address-IPv4-broadcast-addre.patch
+Patch6293: backport-resolve-drop-never-matched-condition.patch
+Patch6294: backport-resolve-make-dns_scope_good_domain-take-DnsQuery.patch
+Patch6295: backport-resolve-synthesize-empty-domain-only-when-A-and-or-A.patch
+Patch6296: backport-pid1-watch-bus-name-always-when-we-have-it.patch
+Patch6297: backport-pid1-lookup-owning-PID-of-BusName-name-of-services-a.patch
+Patch6298: backport-docs-SYSTEMD_NSS_BYPASS_BUS-is-not-honoured-anymore-.patch
+Patch6299: backport-pid1-set-SYSTEMD_NSS_DYNAMIC_BYPASS-1-env-var-for-db.patch
+Patch6300: backport-systemctl-make-timestamp-affect-the-show-verb-as-wel.patch
+Patch6301: backport-core-really-skip-automatic-restart-when-a-JOB_STOP-j.patch
+Patch6302: backport-test-oomd-util-style-fixlets.patch
+Patch6303: backport-test-oomd-util-fix-conditional-jump-on-uninitialised.patch
+Patch6304: backport-test-fix-file-descriptor-leak-in-test-catalog.patch
+Patch6305: backport-test-fix-file-descriptor-leak-in-test-oomd-util.patch
+Patch6306: backport-test-fix-file-descriptor-leak-in-test-fs-util.patch
+Patch6307: backport-test-fix-file-descriptor-leak-in-test-tmpfiles.c.patch
+Patch6308: backport-test-fix-file-descriptor-leak-in-test-psi-util.patch
+Patch6309: backport-clang-format-we-actually-typically-use-16ch-continua.patch
+Patch6310: backport-test-journal-send-close-fd-opend-by-syslog.patch
+Patch6311:
backport-journal-send-close-fd-on-exit-when-running-with-valg.patch
+Patch6312: backport-udev-builtin-input_id-don-t-label-absolute-mice-as-p.patch
+Patch6313: backport-mkosi-Remove-Arch-nspawn-workaround.patch
+Patch6314: backport-core-check-size-before-mmap.patch
+Patch6315: backport-devnode-acl-use-_cleanup_-to-free-acl_t.patch
+Patch6316: backport-dissect-image-add-extension-specific-validation-flag.patch
+Patch6317: backport-portabled-error-out-if-there-are-no-units-only-after.patch
+Patch6318: backport-portabled-validate-SYSEXT_LEVEL-when-attaching.patch
+Patch6319: backport-portabled-refactor-extraction-validation-into-a-comm.patch
+Patch6320: backport-portable-move-profile-search-helper-to-path-lookup.patch
+Patch6321: backport-portable-add-flag-to-return-extension-releases-in-Ge.patch
+Patch6322: backport-portablectl-reorder-if-branches-to-match-previous-co.patch
+Patch6323: backport-portable-inline-one-variable-declaration.patch
+Patch6324: backport-portable-add-return-parameter-to-GetImageMetadataWit.patch
+Patch6325: backport-wait-online-rename-Manager-elements.patch
+Patch6326: backport-journald-make-sure-SIGTERM-handling-doesn-t-get-star.patch
+Patch6327: backport-journal-file-if-we-are-going-down-don-t-use-event-lo.patch
+Patch6328: backport-kernel-install-also-remove-modules.builtin.alias.bin.patch
+Patch6329: backport-Bump-the-max-number-of-inodes-for-dev-to-a-million.patch
+Patch6330: backport-Bump-the-max-number-of-inodes-for-tmp-to-a-million-t.patch
+Patch6331: backport-unit-escape.patch
+Patch6332: backport-udev-rename-type-name-e.g.-struct-worker-Worker.patch
+Patch6333: backport-udev-run-the-main-process-workers-and-spawned-comman.patch
+Patch6334: backport-Add-meson-option-to-disable-urlify.patch
+Patch6335: backport-Revert-sysctl.d-switch-net.ipv4.conf.all.rp_filter-f.patch
+Patch6336: backport-login-drop-non-default-value-for-RuntimeDirectoryIno.patch
+Patch6337: backport-login-make-RuntimeDirectoryInodesMax-support-K-G-M-s.patch
+Patch6338: backport-virt-detect-OpenStack-Nova-instance.patch
+Patch6339: backport-Avoid-tmp-being-mounted-as-tmpfs-without-the-user-s-.patch
+Patch6340: backport-revert-delete-initrd-usr-fs-target.patch
+Patch6341: backport-journal-Only-move-to-objects-when-necessary.patch
+Patch6342: backport-sd-device-introduce-device_has_devlink.patch
+Patch6343: backport-udev-node-split-out-permission-handling-from-udev_no.patch
+Patch6344: backport-udev-node-stack-directory-must-exist-when-adding-dev.patch
+Patch6345: backport-udev-node-save-information-about-device-node-and-pri.patch
+Patch6346: backport-udev-node-always-update-timestamp-of-stack-directory.patch
+Patch6347: backport-udev-node-assume-no-new-claim-to-a-symlink-if-run-ud.patch
+Patch6348: backport-udev-node-always-atomically-create-symlink-to-device.patch
+Patch6349: backport-udev-node-check-stack-directory-change-even-if-devli.patch
+Patch6350: backport-udev-node-shorten-code-a-bit-and-update-log-message.patch
+Patch6351: backport-udev-node-add-random-delay-on-conflict-in-updating-d.patch
+Patch6352: backport-udev-node-drop-redundant-trial-of-devlink-creation.patch
+Patch6353: backport-udev-node-simplify-the-example-of-race.patch
+Patch6354: backport-udev-node-do-not-ignore-unexpected-errors-on-removin.patch
+Patch6355: backport-calendarspec-fix-possibly-skips-next-elapse.patch
+Patch6356: backport-macro-account-for-negative-values-in-DECIMAL_STR_WID.patch
+Patch6357: backport-core-command-argument-can-be-longer-than-PATH_MAX.patch
+Patch6358: backport-hwdb-fix-parsing-options.patch
+Patch6359: backport-sd-bus-fix-buffer-overflow.patch
+Patch6360: backport-temporarily-disable-test-seccomp.patch
+Patch6362: backport-meson.build-change-operator-combining-bools-from-to-.patch
+Patch6363: backport-core-replace-slice-dependencies-as-they-get-added.patch
+Patch6364: backport-scsi_id-retry-inquiry-ioctl-if-host_byte-is-DID_TRAN.patch
+Patch6365: backport-revert-units-add-ProtectClock-yes.patch
+
+Patch9001:
update-rtc-with-system-clock-when-shutdown.patch
+Patch9002: udev-add-actions-while-rename-netif-failed.patch
+Patch9003: fix-two-VF-virtual-machines-have-same-mac-address.patch
+Patch9004: logind-set-RemoveIPC-to-false-by-default.patch
+Patch9005: rules-add-rule-for-naming-Dell-iDRAC-USB-Virtual-NIC.patch
+Patch9006: unit-don-t-add-Requires-for-tmp.mount.patch
+Patch9007: rules-add-elevator-kernel-command-line-parameter.patch
+Patch9008: rules-add-the-rule-that-adds-elevator-kernel-command.patch
+Patch9009: units-add-Install-section-to-tmp.mount.patch
+Patch9010: Make-systemd-udevd.service-start-after-systemd-remou.patch
+Patch9011: udev-virsh-shutdown-vm.patch
+Patch9012: sd-bus-properly-initialize-containers.patch
+Patch9013: Revert-core-one-step-back-again-for-nspawn-we-actual.patch
+Patch9014: journal-don-t-enable-systemd-journald-audit.socket-b.patch
+Patch9015: systemd-change-time-log-level.patch
+Patch9016: fix-capsh-drop-but-ping-success.patch
+Patch9017: resolved-create-etc-resolv.conf-symlink-at-runtime.patch
+Patch9018: pid1-bump-DefaultTasksMax-to-80-of-the-kernel-pid.ma.patch
+Patch9019: fix-journal-file-descriptors-leak-problems.patch
+Patch9020: activation-service-must-be-restarted-when-reactivated.patch
+Patch9021: systemd-core-fix-problem-of-dbus-service-can-not-be-started.patch
+Patch9022: delay-to-restart-when-a-service-can-not-be-auto-restarted.patch
+Patch9023: disable-initialize_clock.patch
+Patch9024: systemd-solve-that-rsyslog-reads-journal-s-object-of.patch
+Patch9025: check-whether-command_prev-is-null-before-assigning-.patch
+Patch9027: core-skip-change-device-to-dead-in-manager_catchup-d.patch
+Patch9028: revert-rpm-restart-services-in-posttrans.patch
+Patch9029: Don-t-set-AlternativeNamesPolicy-by-default.patch
+Patch9030: change-NTP-server-to-x.pool.ntp.org.patch
+Patch9031: keep-weight-consistent-with-the-set-value.patch
 BuildRequires: gcc, gcc-c++
 BuildRequires: libcap-devel, libmount-devel, pam-devel, libselinux-devel
@@ -1515,23 +1844,29 @@ fi %{_libdir}/security/pam_systemd.so %changelog -* Thu Sep 29 2022 yangmingtai -249-36 +* Mon Oct 10 2022 wangyuhang -249-38 +- backport: sync systemd-stable-249 patches from systemd community + +* Thu Sep 29 2022 yangmingtai -249-37 - 1.change default ntp server 2.correct the default value of RuntimeDirectoryInodesMax -* Fri Sep 16 2022 yangmingtai -249-35 +* Fri Sep 16 2022 yangmingtai -249-36 - revert:delete the initrd-usr-fs.target -* Wed Sep 14 2022 xujing -249-34 +* Wed Sep 14 2022 xujing -249-35 - revert add ProtectClock=yes -* Fri Sep 2 2022 Wenchao Hao -249-33 +* Fri Sep 2 2022 Wenchao Hao -249-34 - scsi_id: retry inquiry ioctl if host_byte is DID_TRANSPORT_DISRUPTED -* Thu Sep 1 2022 hongjinghao -249-32 +* Thu Sep 1 2022 hongjinghao - 249-33 - 1. Don't set AlternativeNamesPolicy by default 2. fix systemd-journald coredump +* Tue Aug 02 2022 zhukeqian -249-32 +- core: replace slice dependencies as they get added + * Wed Jun 22 2022 zhangyao -249-31 - fix don't preset systemd-timesyncd when install systemd-udev @@ -1637,6 +1972,12 @@ fi * Wed Dec 8 2021 yangmingtai - 249-1 - systemd update to v249 +* Tue Dec 28 2021 licunlong - 248-15 +- fix typo: disable not denable. + +* Wed Dec 01 2021 licunlong - 248-14 +- disable systemd-{timesyncd, networkd, resolved} by default + * Thu Sep 16 2021 ExtinctFire - 248-13 - core: fix free undefined pointer when strdup failed in the first loop diff --git a/udev-add-actions-while-rename-netif-failed.patch b/udev-add-actions-while-rename-netif-failed.patch index 3482482348e87448e1c404bd04cb28c333abe08e..9832a3c4a749a7db3b60628b297ba66ebd85598a 100644 --- a/udev-add-actions-while-rename-netif-failed.patch +++ b/udev-add-actions-while-rename-netif-failed.patch @@ -11,8 +11,8 @@ index e1c2baf..b64d279 100644 --- a/src/udev/udev-event.c +++ b/src/udev/udev-event.c 
@@ -820,6 +820,7 @@ static int rename_netif(UdevEvent *event) { - sd_device *dev = event->dev; const char *oldname; + unsigned flags; int ifindex, r; + char name[IFNAMSIZ]; diff --git a/units-add-Install-section-to-tmp.mount.patch b/units-add-Install-section-to-tmp.mount.patch index 14288973274ff265dc56c8c4565c2d69f2272640..b7c1fd46ef23731e46be87c342141f59a4008c31 100644 --- a/units-add-Install-section-to-tmp.mount.patch +++ b/units-add-Install-section-to-tmp.mount.patch @@ -15,7 +15,7 @@ index cf68378..66d9a32 100644 @@ -23,3 +23,7 @@ What=tmpfs Where=/tmp Type=tmpfs - Options=mode=1777,strictatime,nosuid,nodev,size=50%,nr_inodes=400k + Options=mode=1777,strictatime,nosuid,nodev,size=50%%,nr_inodes=1m + +# Make 'systemctl enable tmp.mount' work: +[Install]