From 28542386520155239c23d144deacbded89cba2a6 Mon Sep 17 00:00:00 2001 
From: hongjinghao Date: Thu, 4 Sep 2025 17:08:41 +0800 Subject: [PATCH] sync patches form upstream systemd-stable v255.18 (cherry picked from commit 7f54921e5f34ee8ff2d63bb806756bc15ea4122a) --- ...-to-control-whether-udev-complies-wi.patch | 6 +- ...-rework-SYSTEMD_READY-logic-for-devi.patch | 97 ++ ...-an-extra-debug-log-to-dissect_image.patch | 28 + ...rsions-of-the-systemd-postun-scriptl.patch | 71 + backport-CVE-2023-50387.patch | 8 +- backport-CVE-2023-50868.patch | 7 +- backport-CVE-2023-7008.patch | 7 +- ...check-to-reflect-changes-done-in-5.1.patch | 53 + ...rtable-is-not-detached-when-another-.patch | 66 + ...-pidfd_open-on-permission-errors-too.patch | 48 + ...ix-KeepCarrier-tun-tap-device-option.patch | 123 ++ ...framework-build-failure-with-gcc-bpf.patch | 41 + ...stemd-tmpfiles-gets-stuck-on-fifos-i.patch | 29 + ...-TDX-confidential-VM-on-Azure-platfo.patch | 124 ++ ...c14-Wcalloc-transposed-args-warnings.patch | 98 ++ ...uninitialized-warnings-with-gcc-14.2.patch | 54 + ...-to-FileDescriptorStoreMax-directive.patch | 26 + ...Fix-tense-in-SD_MESSAGE_SHUTDOWN_STR.patch | 33 + ...ix-typo-in-CAP_BPF-description-33464.patch | 31 + ...g-VLAN-ranges-in-man-systemd.network.patch | 30 + ...Y_REALLOC_APPEND-Make-more-type-safe.patch | 35 + ...t-Install-pacman-in-Arch-Linux-image.patch | 28 + ...expand-text-to-summarize-state-for-b.patch | 57 + ...rt-Measure-empty-PK-and-KEK-EFI-vars.patch | 50 + ...nts-for-calloc-like-functions-part-2.patch | 100 ++ ...v4-client-when-max-REQUEST-attempts-.patch | 190 ++ ...st-with-GCC-BPF-compiler-on-opensuse.patch | 48 + ...in-CentOS8-kernel-to-working-version.patch | 85 + ...d-create-the-user-for-systemd-journa.patch | 34 + ...-disable-TEST-08-INITRD-on-ubuntu-CI.patch | 21 + ...-from-tmp-to-var-tmp-to-avoid-disk-s.patch | 41 + ...LEVEL-info-explicitly-in-test-sysuse.patch | 30 + backport-Sort-input-file-list.patch | 34 + ...ss-mymachines-Use-negative-matching-.patch | 35 + ...UDEV-Don-t-hardcode-root-device-name.patch | 144 
++ ...dd-test-cases-for-IPAddressAllow-IPA.patch | 133 ++ ...TEST-38-FREEZER-Relax-regex-a-little.patch | 31 + ...OMED-Ignore-Disk-Usage-field-as-well.patch | 31 + ...drop-duplicated-inclusion-of-util.sh.patch | 29 + ...58-REPART-reverse-order-of-diff-args.patch | 51 + ...TELIMIT-wait-for-mount-unit-being-st.patch | 73 + ...RAGE-Make-nvme_subsystem-expected-pc.patch | 41 + ...CESS-don-t-specify-pid-if-MAINPID-is.patch | 31 + ...EST-81-GENERATORS-Do-a-lazy-unmounts.patch | 42 + ...andline-params-forcequotacheck-fastb.patch | 66 + backport-Update-_udevadm.patch | 26 + ...date-sd_bus_message_append_array.xml.patch | 29 + ...se-.d-path-for-PCRLOCK_KERNEL_-_PATH.patch | 34 + ...tive-comparison-for-the-machine-s-ar.patch | 42 + ...pelling-of-systemd.condition_first_b.patch | 28 + ...lt-log-level-by-environment-variable.patch | 9 +- ...s-in-seconds-for-Activating-and-Acti.patch | 34 + ...d-template-unit-when-a-template-inst.patch | 105 ++ backport-analyze-man-and-help-fixes.patch | 92 + ...nalyze-show-pcrs-also-in-sha384-bank.patch | 31 + backport-analyze-tab-fix.patch | 28 + ...-password-refuse-empty-password-strv.patch | 91 + backport-async-voidify-call-of-fsync.patch | 30 + backport-audit-util-check-correct-errno.patch | 27 + ...filesystem-check-for-__s390x__-first.patch | 44 + ...do-not-attempt-to-create-a-lib64-usr.patch | 100 ++ ...add-missing-options-to-systemd-crypt.patch | 57 + ...add-missing-options-to-systemd-disse.patch | 36 + ...d-systemctl-service-log-level-target.patch | 8 +- ...make-systemctl-mount-image-bind-auto.patch | 64 + backport-basic-add-PIDFS-magic-31709.patch | 52 + ...ce-Wunterminated-string-initializati.patch | 84 + ...fix-overflow-detection-in-sigbus_pop.patch | 49 + ...-Copy-netfilter.h-to-the-source-tree.patch | 99 ++ ...-treat-all-negative-errnos-as-synthe.patch | 6 +- ...irtualbox-detection-on-proprietary-s.patch | 32 + ...rse-options-before-checking-for-kern.patch | 41 + ...se-log-level-for-battery_is_discharg.patch | 34 + 
...s-boot-pass-the-right-error-variable.patch | 26 + ...til-also-check-loop-partscan-sysattr.patch | 75 + ...so-check-newer-value-of-GENHD_FL_NO_.patch | 61 + ...so-read-ext_range-sysattr-to-check-i.patch | 109 ++ ...rtscan-sysattr-now-directly-shows-th.patch | 48 + backport-boot-Improve-log-message.patch | 28 + ...cleanup-pages-below-4GiB-only-on-x86.patch | 53 + ...mpare-filename-suffixes-without-case.patch | 29 + ...-for-hardware-keys-on-phones-tablets.patch | 58 + ...-error-if-device-tree-fixup-protocol.patch | 33 + ...ent-of-ret_-variables-in-initrd_prep.patch | 31 + ...don-t-load-etc-machine-info-from-cwd.patch | 31 + ...-sensitive-comparisons-in-reporting-.patch | 100 ++ ...l-return-earlier-with-print-esp-path.patch | 40 + ...nt-sorting-by-tries-left-done-to-mat.patch | 52 + ...heck-for-errors-when-loading-symbols.patch | 45 + ...fix-unexpected-behavior-with-either-.patch | 118 ++ ...-bsod-do-not-check-for-color-support.patch | 116 ++ ...-make-message-for-qrcode-more-useful.patch | 71 + ...l-add-assert-to-fix-Coverity-warning.patch | 33 + ...ently-btrfs-ioctls-return-unaligned-.patch | 474 +++++ ...til-check-current-offset-before-read.patch | 81 + ...k-btrfs_is_nocow_fd-around-fd_is_fs_.patch | 48 + ...emdup_suffix0-instead-of-strndup-at-.patch | 40 + ...fy-that-inotify-is-supposed-to-watch.patch | 65 + ...it-for-jobs-fix-service-result-table.patch | 56 + ...sctl-avoid-asserting-on-NULL-message.patch | 97 ++ ...-an-assert-if-we-call-invalid-bus-me.patch | 37 + ...t-of-delegated-cgroup-attributes-up-.patch | 47 + ...ble-bpf-pseudo-controllers-when-doin.patch | 69 + ...t-try-to-open-pidfd-for-kernel-threa.patch | 33 + ...t-try-to-open-pidfd-for-pids-from-cg.patch | 70 + ...nore-kernel-threads-in-cg_kill_items.patch | 37 + ...w-cg_read_pid-to-skip-unmapped-zero-.patch | 231 +++ backport-chase-Fix-shortcut.patch | 29 + backport-chase-Tighten-.-and-.-check.patch | 58 + ...-do-not-wrap-xopenat-with-RET_NERRNO.patch | 49 + backport-chattr-util-fix-error-code.patch 
| 28 + ...an-ipc-pass-the-right-error-variable.patch | 26 + ...-virt-add-detection-for-s390x-target.patch | 92 + ...t-split-caching-of-CVM-detection-int.patch | 78 + ...link-context-cleanup-before-restorin.patch | 44 + ...re-chattr_flags-and-friends-passed-t.patch | 29 + ...nore-EOPNOTSUPP-from-copy_file_range.patch | 31 + ...py-introduce-COPY_VERIFY_LINKED-flag.patch | 161 ++ ...penat-to-make-from-argument-optional.patch | 197 +++ ...level-of-reexecute-request-to-notice.patch | 12 +- ...e-Check-for-TERM-dumb-in-show_status.patch | 136 ++ ...ix-assertion-in-parse_smbios_strings.patch | 26 + backport-core-Fix-file-descriptor-leak.patch | 12 +- ...-scenarios-about-which-process-initi.patch | 31 +- ...oth-pid-and-pidfd-to-keep-downgrades.patch | 151 ++ ...rt-core-Serialize-both-pid-and-pidfd.patch | 125 ++ ...er-expansion-to-AllowedCPUs-and-frie.patch | 43 + ...e-add-trigger-to-path-unit-debug-log.patch | 40 + ...y-IODevice-directives-in-configured-.patch | 135 ++ ...IPAddressAllow-IPAddressDeny-set-thr.patch | 46 + ...-unit_has_host_root_cgroup-take-cons.patch | 44 + ...ix-segfault-when-key-not-found-in-os.patch | 88 + ...r-mark-unit-file-state-as-outdated-o.patch | 125 ++ ...r-refuse-SoftReboot-for-user-manager.patch | 33 + ...core-device-add-stopping-job-message.patch | 30 + ...ot-drop-backslashes-in-SYSTEMD_WANTS.patch | 59 + ...-make-private-dev-read-only-too-soon.patch | 67 + ...t-about-fallback_smack_process_label.patch | 31 + ...rop-unnecessary-auto_fs4.h-inclusion.patch | 29 + ...spaces-in-paths-during-serialization.patch | 33 +- ...cape-spaces-when-serializing-as-well.patch | 15 +- ...-crash-with-UtmpMode-user-without-Us.patch | 8 +- ...-call-pam_setcred-PAM_DELETE_CRED-af.patch | 71 + ...-call-setpriority-after-sched_setatt.patch | 57 + ...-prevent-potential-double-close-of-e.patch | 143 ++ ...oke-remove-redundant-fd_cloexec-call.patch | 60 + ...-invoke-rename-flags_fds-to-flag_fds.patch | 47 + ...ke-reopen-OpenFile-fds-with-O_NOCTTY.patch | 28 + 
...-use-sched_setattr-instead-of-sched_.patch | 167 ++ ...-t-reload-selinux-before-spawning-ex.patch | 32 + ...ialize-drop-extraneous-in-ip-in-e-gr.patch | 33 + ...ialize-use-serialize_item_escaped-fo.patch | 104 ++ ...-destruct-static-variables-and-selin.patch | 85 + ...ve-argv-for-later-use-by-rename_proc.patch | 40 + ...when-AddDependencyUnitFiles-is-calle.patch | 14 +- ...b-start-message-if-we-re-only-waitin.patch | 97 ++ ...never-consider-reload-jobs-redundant.patch | 39 + ...8-and-swapon-8-inherit-SMACK-label-f.patch | 50 + ...ntrollers-as-DISABLED_LEGACY-rather-.patch | 29 + ...unt-is-gone-eventually-consider-it-s.patch | 232 +++ ...ount-8-fails-but-mount-disappeared-a.patch | 84 + ...mount-retries-exceeded-max-record-as.patch | 27 + ...onor-MountEntry.read_only-.options-a.patch | 86 + ...er-waiting-if-target-is-deactivating.patch | 128 ++ ...og-priority-if-sd-executor-is-missin.patch | 52 + ...eck-if-varlink-socket-has-been-deser.patch | 7 +- ...ort-core-serialize-reload-rate-limit.patch | 37 + ...e-notify-dbus-services-shouldn-t-be-.patch | 36 + ...not-propagate-reload-for-combined-RE.patch | 84 + ...-t-transition-to-start-post-on-cgrou.patch | 37 + ...ce-fix-accept-socket-deserialization.patch | 25 +- ...make-error-msg-match-with-conditions.patch | 33 + ...vice_add_fd_store-consumes-passed-fd.patch | 40 + ...vice-use-log_unit_-where-appropriate.patch | 5 +- ...c-warning-about-unitialized-variable.patch | 54 + ...ind-mounting-if-the-destination-was-.patch | 44 + ...-use-unit-path-cache-in-unit_need_da.patch | 128 ++ ...-merged-units-before-updating-Source.patch | 38 + ...-dropins-for-masked-units-completely.patch | 78 + ...rialize-fix-serialization-of-markers.patch | 35 + ...arn-if-a-generator-is-world-writable.patch | 66 + ...ly-take-tmpfs-size-into-account-for-.patch | 7 +- ...redump-keep-core-files-for-two-weeks.patch | 36 + backport-cpio-fix-assert.patch | 26 + ...s-fix-cat-with-encrypted-credentials.patch | 51 + 
...roll-Fix-reading-keyfile-from-socket.patch | 35 + ...ctl-journalctl-adjust-messages-befor.patch | 50 + ...nroll-it-s-called-PKCS-11-not-PKCS11.patch | 30 + ...-better-log-message-if-slot-to-wipe-.patch | 39 + ...cryptsetup-improve-TPM2-blob-display.patch | 29 + ...s-fix-argument-order-mismatch-in-fun.patch | 33 + ...rt-cryptsetup-tokens-fix-pin-asserts.patch | 95 + ...libcurl-attempting-to-change-timeout.patch | 40 + ...-configure-new-io-event-source-when-.patch | 34 + backport-data-fd-util-Fixup-header.patch | 28 + ...-disconnect-on-api-and-system-busses.patch | 40 + ...w-detection-via-device-tree-on-RISC-.patch | 28 + ...rt-fix-Google-Compute-Engine-support.patch | 38 + ...se-control-and-non-UTF8-characters-i.patch | 96 ++ ...lso-update-Image.limit-in-image_set_.patch | 110 ++ ...on-t-accidentally-set-run-systemd-ns.patch | 62 + ...pdate-Image.read_only-flag-in-image_.patch | 30 + ...ix-log_debug_errno-assert-due-to-r-0.patch | 30 + backport-dissect-fix-memory-leak.patch | 34 + ...n-t-try-to-validate-an-extension-rel.patch | 52 + ...x-fd-leak-in-dissected_image_acquire.patch | 57 + ...nerate-better-log-message-for-EUCLEA.patch | 41 + ...ndle-continue-event-in-metadata-acqu.patch | 47 + ...ct-image-move-comment-to-right-place.patch | 36 + ...percase-first-char-of-dissect-error-.patch | 39 + ...ool-right-align-the-partition-number.patch | 31 + ...g-message-when-a-library-is-dlopened.patch | 83 + ...read-DNS-packet-data-if-we-identifie.patch | 39 + ...pdate-record-type-enum-to-match-iana.patch | 60 + ...rtise-subtype-PTRs-to-the-browsing-d.patch | 80 + ...s-class-tpm-tpm0-tpm_version_major-t.patch | 102 ++ ...-sections-of-our-EFI-binaries-are-pr.patch | 83 + ...alloc-to-fix-build-failure-with-gcc-.patch | 64 + ...link-to-legacy-EFI-handover-protocol.patch | 27 + ...efi_loader_get_entries-handling-miss.patch | 59 + ...detecting-if-we-are-booted-in-UKI-me.patch | 57 + ...-deal-with-uncommitted-efi-variables.patch | 56 + ...utdated-comment-mentioning-linker-sc.patch 
| 28 + ...port-env-util-add-new-setenvf-helper.patch | 150 ++ ...-Log-if-we-skip-duplicate-credential.patch | 31 + ...-exec-invoke-correct-dont_close-size.patch | 5 +- ...invoke-pass-the-right-error-variable.patch | 26 + ...-level-to-unit-log-level-in-exec_spa.patch | 87 + ...e-free-syscall_log-hashmap-when-done.patch | 12 +- ...racefully-if-we-cannot-lock-dev-cons.patch | 47 + ...log-message-about-TTY-ownership-rese.patch | 36 + ...or-all-permission-related-errnos-whe.patch | 34 + ...uplicate-FD-array-to-avoid-double-cl.patch | 214 +++ ...set-POSIX_SPAWN_SETSIGDEF-for-posix_.patch | 36 + ...n-t-eat-up-errors-in-fd_cloexec_many.patch | 51 + backport-fd-util-modernization.patch | 147 ++ ...llected-fds-to-CLOEXEC-in-fdset_new_.patch | 112 ++ ...ugging-log-about-failure-in-parsing-.patch | 40 + ...fail-when-boot-on-btrfs-RAID-on-sear.patch | 62 + ...skip-fstype-check-even-when-root-or-.patch | 34 + ...ce-verify_esp_flags_init-helper-func.patch | 170 ++ ...-locked-and-empty-root-passwords-con.patch | 63 + ...ot-params-with-creds-and-prompting-d.patch | 140 ++ ...po-and-add-missing-option-to-help-te.patch | 33 + ...handle-missing-root-password-entries.patch | 120 ++ ...stboot-remove-etc-localtime-on-reset.patch | 30 + ...port-firstboot-validate-keymap-entry.patch | 66 + ...t-fix-analyze-q-option-invalid-issue.patch | 11 +- ...-fix-cgtop-sscanf-return-code-checks.patch | 7 +- ...port-fix-conf-parser-oom-check-issue.patch | 7 +- ...ort-fix-homed-log-message-typo-error.patch | 7 +- ...b-patterns-passed-to-disable-command.patch | 9 +- ...-default-shells-to-use-bin-and-not-u.patch | 65 + ...-readlinkat-supports-an-empty-string.patch | 8 +- ...-fs-util-rename-xopenat-xopanat_full.patch | 497 ++++++ ...pull-down-mount-units-on-soft-reboot.patch | 30 + ...are-flex-array-updated-for-gcc15-and.patch | 45 + ...ecompress_startswith-may-return-zero.patch | 54 + ...ly-disable-fuzz-compress-on-oss-fuzz.patch | 38 + ...rt-gpt-add-more-architecture-aliases.patch | 54 + 
...or-fix-argument-passed-to-parse_imag.patch | 35 + ...rder-fields-to-pack-structure-better.patch | 31 + ...-always-clear-HibernateLocation-if-s.patch | 81 + ...-don-t-wait-forever-if-hibernate-inf.patch | 68 + ...heck-noresume-before-reading-resume-.patch | 57 + ...ogind-emit-a-clear-error-if-the-spec.patch | 115 ++ ...ake-sure-we-use-blockdev-path-for-Hi.patch | 48 + ...ip-of-files-copied-from-skelton-dire.patch | 45 + ...sing-bus-call-to-homed-access-policy.patch | 28 + ...anager-pass-the-right-error-variable.patch | 44 + ...t-homework-cifs-Pass-password-via-fd.patch | 122 ++ ...scrypt-pass-the-right-error-variable.patch | 35 + ...-quota-pass-the-right-error-variable.patch | 26 + ...-machine-ID-and-boot-ID-through-DBus.patch | 219 +++ ...ot-show-local-machine-ID-and-boot-ID.patch | 76 + ...db-util-drop-unused-value-assignment.patch | 108 ++ ...-specific-if-we-re-listing-GPT-types.patch | 128 ++ ...pt-to-read-UUID-from-sys-hypervisor-.patch | 32 + ...t-expose-product-UUID-when-running-i.patch | 46 + backport-import-check-overflow.patch | 49 + ...n-we-hit-ENOENT-on-SMBIOS-11-do-not-.patch | 36 + ...moving-symlinks-even-for-units-that-.patch | 18 +- ...iler-warning-about-empty-directive-a.patch | 48 + ...nal-file-util-use-COPY_VERIFY_LINKED.patch | 39 + ...l-use-the-file-descriptor-of-journal.patch | 38 + ...-importer-Consider-ECONNRESET-as-EOF.patch | 47 + ...-remote-Use-sd_event_set_signal_exit.patch | 165 ++ ...llow-AF_VSOCK-and-AF_UNIX-for-listen.patch | 32 + ...al-remote-fix-two-minor-memory-leaks.patch | 39 + ...e-main-pass-the-right-error-variable.patch | 26 + ...se-macro-wrapper-instead-of-alloca-t.patch | 158 ++ ...check-arg_file_stdin-with-other-jour.patch | 29 + ...-skip-over-messages-not-matching-the.patch | 138 ++ ...rnalctl-erase-verify-key-before-free.patch | 25 +- ...urnalctl-honor-quiet-with-setup-keys.patch | 88 + ...until-work-again-with-after-cursor-a.patch | 60 + ...ate-help-to-say-priority-range-32323.patch | 31 + 
...drop-spuriously-doubled-for-OBJECT_S.patch | 27 + ...tting-journal-data-via-memfd-check-f.patch | 92 + ...-dispatch-flag-JSON_ALLOW_EXTENSIONS.patch | 65 + ...un-base64-hex-mem-for-sensitive-vari.patch | 39 + ...kbd-model-map-add-a-georgian-mapping.patch | 29 + ...ix-inspect-with-root-when-no-version.patch | 46 + ...nly-read-cmdline-from-proc-cmdline-w.patch | 45 + ...emove-existing-loader-entries-and-UK.patch | 57 + ...ry-some-more-initrd-variants-in-90-l.patch | 44 + ...port-kernel-install-fix-context_copy.patch | 84 + ...ernel-install-fix-uki-copy-deinstall.patch | 44 + ...emove-depmod-generated-file-modules..patch | 33 + ...nstall-silence-num-kernels-installed.patch | 26 + ...-Use-reported-key-size-to-resize-buf.patch | 78 + backport-killall-fix-errno-check.patch | 26 + ...ly-handle-processes-inserted-into-co.patch | 70 + ...til-fix-wrong-errno-value-assignment.patch | 28 + ...cept-cached-pin-in-fido2_generate_hm.patch | 49 + ...port-libsystemd-link-with-z-nodelete.patch | 31 + ...network-remove-double-initialization.patch | 35 + ...rk-skip-dhcp-server-test-in-case-of-.patch | 32 + ...ort-linux-import-input.h-and-friends.patch | 1528 +++++++++++++++++ ...-terminate-the-specifier-table-34421.patch | 31 + ...not-load-locale-from-environemnt-whe.patch | 35 + ...-expect-EACCES-when-it-cannot-happen.patch | 64 + ...ize-calculation-for-number-of-iovecs.patch | 49 + ...-a-log-message-to-a-TTY-always-end-l.patch | 108 ++ ...x-session_kill-.-KILL_LEADER-.-35105.patch | 48 + ...me-dir-properly-check-for-mount-poin.patch | 15 +- ...nicer-error-message-when-no-session-.patch | 77 + ...ack-for-when-the-PIDFDs-property-is-.patch | 112 ++ ...k-LidClosed-property-as-emits-change.patch | 80 + backport-logind-add-one-more-debug-log.patch | 31 + ...allow-read-write-to-char-hvc-devices.patch | 29 + ...k-auth.-for-all-inhibitor-operations.patch | 80 + ...il-creating-a-session-when-request-i.patch | 47 + ...nd-group-policy-entries-by-interface.patch | 47 + 
...m-wide-idle-begin-at-the-time-logind.patch | 10 +- ...aseSession-unprivileged-and-allow-cl.patch | 126 ++ ...e-tolerant-if-we-failed-to-remove-le.patch | 30 + ...e_action_to_string-where-appropriate.patch | 47 + backport-loop-util-fix-error-handling.patch | 28 + ...GC-machine-when-no-leader-PID-is-set.patch | 41 + ...uire-Image-object-from-cache-when-a-.patch | 60 + ...use-after-free-in-Rename-DBus-method.patch | 50 + ...-Generate-stable-machine-IDs-based-o.patch | 28 + ...-id-setup-bhyve-also-provides-a-uuid.patch | 31 + ...race-condition-in-TEST-13-NSPAWN.mac.patch | 45 + ...t-manager_acquire_image-from-image_o.patch | 132 ++ ...the-temporary-VA_ARGS_FOREACH-array-.patch | 70 + ...t-main-pass-the-right-error-variable.patch | 15 +- ...add-list-of-subscribers-to-dump-info.patch | 31 + ...anager-pass-the-right-error-variable.patch | 51 + ...g-dbus_programs-dependency-on-update.patch | 33 + ...__TARGET_ARCH-macros-required-by-bpf.patch | 48 + ...eson-Skip-getent-when-it-s-not-found.patch | 66 + ...port-meson-Use-fstrict-flex-arrays-3.patch | 31 + ...rch64-s-definition-to-cpu_arch_defin.patch | 48 + ...-to-build-systemd-executor-staticall.patch | 102 ++ ...uid-gid-check-for-nobody-user-group-.patch | 133 ++ ...pagate-sysroot-for-cross-compilation.patch | 33 + ...ystemd-core-via-an-intermediate-stat.patch | 63 + ...pefile-dependency-before-enabling-uk.patch | 33 + ...x-mapping-CFLAGS-when-building-BPF-o.patch | 45 + ...0-for-s390x-when-building-BPF-object.patch | 46 + backport-meson-disable-Wnonnull-compare.patch | 54 + ...empt-to-install-tests-when-they-are-.patch | 37 + ...fail-build-with-newer-kernel-headers.patch | 36 + ...-drop-arch-filtering-in-syscall-list.patch | 53 + ...-Wunterminated-string-initialization.patch | 29 + backport-meson-fix-build.patch | 26 + ...fix-installation-of-html-doc-aliases.patch | 38 + ...g-failure-if-bpf-framework-was-enabl.patch | 39 + ...eyboard-keys-list-from-local-input.h.patch | 49 + ...sa-phiopt-when-building-bpf-with-gcc.patch 
| 32 + backport-meson-sort-includes.patch | 31 + ...ur-close_range-syscall-wrapper-to-ma.patch | 81 + ...rt-missing_fcntl-Fix-RAW_O_LARGEFILE.patch | 51 + ...h-fix-LOOP_SET_STATUS_SETTABLE_FLAGS.patch | 28 + backport-missing_sched-add-CLONE_PIDFD.patch | 51 + ...il-Set-sector-size-for-btrfs-as-well.patch | 41 + ...ome-stats-about-files-windows-unused.patch | 61 + ...he-enforce-an-unused-windows-minimum.patch | 84 + ...-numifbs-0-to-avoid-autocreating-ifb.patch | 28 + ...ountinfo-traversal-by-decoupling-dev.patch | 14 +- backport-mount-setup-fix-typo.patch | 26 + ...Deal-with-kernel-API-breakage-in-nor.patch | 116 ++ ...do-not-assume-symlinks-are-not-mount.patch | 39 + ...ce-Fix-extension-release-memory-leak.patch | 65 + ...invoke-loopback_setup-unless-we-allo.patch | 60 + ...k-actually-show-the-unexpected-flags.patch | 40 + backport-network-adjust-log-message.patch | 42 + ...-configure-interface-MTU-for-CAN-dev.patch | 43 + ...k_handle_bound_by_list-before-trying.patch | 50 + ...hcp4-disable-IPv6OnlyMode-by-default.patch | 66 + ...-not-set-gateway-if-DNS-server-or-fr.patch | 146 ++ ...em-DHCPv6-configuration-to-be-finish.patch | 31 + ...6-set-hostname-even-if-UseAddress-no.patch | 87 + ...ring-down-a-bonding-port-interface-w.patch | 54 + ...ring-down-bound-interfaces-immediate.patch | 86 + ...ake-the-implied-default-have-the-fir.patch | 51 + ...equest-DHCP-addresses-configured-on-.patch | 47 + ...ry-to-update-IP-sysctl-settings-for-.patch | 40 + ...k-drop-unused-Manager.routes_foreign.patch | 38 + backport-network-fix-typo.patch | 37 + backport-network-fix-use-of-wrong-flag.patch | 28 + ...r-drop-wrong-warning-for-rd.peerdns-.patch | 31 + ...r-parse-vlan-ID-from-vlan-interface-.patch | 138 ++ ...r-vlan-can-be-specified-multiple-tim.patch | 82 + ...ays-join-to-the-main-interface-when-.patch | 55 + ...-not-try-to-set-too-large-value-for-.patch | 56 + ...twork-neighbor-add-missing-OOM-check.patch | 26 + ...-address-don-t-set-up-firewall-rules.patch | 10 +- 
...eue-fix-potential-double-free-on-oom.patch | 76 + ...non-NULL-SSID-when-a-wlan-interface-.patch | 30 + ...-not-invalidate-Route-section-when-a.patch | 26 + ...x-reachability-check-when-peer-addre.patch | 37 + ...-network-save-the-real-rdnss-address.patch | 29 + ...port-network-split-out-common-checks.patch | 242 +++ ...-concurrent-set-modification-in-tcla.patch | 214 +++ ...tack-overflow-when-dropping-tclass-o.patch | 70 + ...mum-MTU-size-for-CAN-interface-may-b.patch | 53 + ...llow-Local-Remote-any-for-all-tunnel.patch | 72 + ...TU-after-CAN-specific-configs-applie.patch | 48 + ...-documentation-for-LinkLocalAddressi.patch | 44 + ...raise-limits-on-number-of-address-8x.patch | 36 + ...reguard-private-key-read-error-numbe.patch | 31 + ...er-whether-to-keep-drop-CAP_NET_BIND.patch | 49 + ...rm_fadvise64_64-in-syscall-allow_lis.patch | 34 + ...-to-unregister-a-machine-we-never-re.patch | 32 + ...ilure-in-creating-dev-net-tun-when-p.patch | 66 + ...og-message-on-bad-incoming-sd_notify.patch | 30 + ...-private-users-ownership-no-and-off-.patch | 33 + ...nspawn-pass-the-right-error-variable.patch | 26 + ...hemeral-with-link-journal-try-treat-.patch | 53 + ...sers-ownership-value-is-called-chown.patch | 29 + ...-bind-mount-device-node-from-host-wh.patch | 49 + ...l-util-avoid-freeing-invalid-pointer.patch | 26 + ...tching-versioned-image-with-extensio.patch | 219 +++ ...tching-on-the-wrong-extension-releas.patch | 74 + ...ckit-test-switch-to-legacy-ci-branch.patch | 27 + backport-packit-use-Fedora-40.patch | 51 + ...losest-matching-tag-for-the-checked-.patch | 50 + ...closing-bus-connection-which-is-open.patch | 51 + ...temd-always-check-if-session-is-busy.patch | 76 + ...rt-pam_systemd-close-pidfd-after-use.patch | 50 + ...stemd_loadkey-add-missing-PAM_EXTERN.patch | 35 + ...pt-arbitrary-MTU-size-when-AF_UNSPEC.patch | 110 ++ ...ATTRIB-from-parent-directory-watches.patch | 40 + ...Pad-pe-hash-to-a-multiple-of-8-bytes.patch | 32 + 
...rrect-NV-index-when-writing-new-poli.patch | 28 + ...rtualSize-SizeOfRawData-into-account.patch | 48 + ...ror-messages-when-we-are-not-looking.patch | 40 + ...-.initrd-section-is-optional-for-UKI.patch | 34 + backport-pe-binary-fix-array-overrun.patch | 34 + ...de-default-mount-rate-limit-interval.patch | 2 +- ...that-WATCHDOG_USEC-is-set-for-the-sh.patch | 42 + ...add-false-positives-to-POTFILES.skip.patch | 33 + ...ail-if-etc-resolv.conf-doesn-t-exist.patch | 42 + ...PORTABLE_FORCE_ATTACH-works-even-whe.patch | 143 ++ ...tablectl-list-to-show-the-actual-sta.patch | 72 + ...uctured-message-when-attach-detach-s.patch | 194 +++ ...per-do-not-set-POSIX_SPAWN_SETSIGDEF.patch | 43 + ...ontinue-on-errors-report-more-errors.patch | 101 ++ ...-confext-and-sysext-by-default-31211.patch | 32 + ...not-unblock-unrelated-signals-while-.patch | 62 + ...ssing-assertions-for-pty_forward_new.patch | 27 + ...debug-message-to-show-why-a-qrcode-w.patch | 67 + ...ode-util-avoid-memleak-in-error-path.patch | 53 + ...rt-random-util-fix-compilation-error.patch | 44 + ...some-basic-validation-on-reboot-argu.patch | 221 +++ ...wrong-assertion-and-error-code-in-lo.patch | 40 + ...ting-directory-timestamps-intact-whe.patch | 127 ++ ...sh-when-looping-over-dropped-partiti.patch | 162 ++ ...-to-determine-sector-size-from-a-dis.patch | 65 + backport-repart-fix-memory-leak.patch | 8 +- ...nimal-ext4-size-in-the-same-ballpark.patch | 80 + ...NSCOUNT-of-DNS-query-may-not-be-zero.patch | 59 + ...-several-comments-for-DNS-type-table.patch | 81 + ...isten-to-IPv6-when-disabled-by-sysct.patch | 43 + ...lve-do-not-trigger-assertion-on-exit.patch | 68 + ...d-sockets-to-the-graveyard-on-shutdo.patch | 55 + ...g-error-cause-assignment-to-log_debu.patch | 29 + ...not-append-goodby-packet-entries-to-.patch | 39 + ...action_stream_error-may-free-multipl.patch | 43 + ...e-invalid-service-without-type-field.patch | 32 + ...skip-IP_UNICAST_IF-for-local-sockets.patch | 69 + 
...resolvectl-use-JSON_ALLOW_EXTENSIONS.patch | 67 + ...he-full-TTL-to-be-used-by-OPT-record.patch | 59 + ...ply-NOTIMP-when-refusing-a-query-bas.patch | 40 + ...-resolved-always-progress-DS-queries.patch | 34 + ...-clear-the-AD-bit-for-bypass-packets.patch | 66 + ...rrect-parsing-of-OPT-extended-RCODEs.patch | 48 + ...e-mdns-llmnr-priority-for-the-revers.patch | 67 + ...stream-pass-the-right-error-variable.patch | 35 + ...ache-NXDOMAIN-for-SUDN-resolver.arpa.patch | 156 ++ ...-request-the-SOA-for-every-dns-label.patch | 349 ++++ ...on-t-treat-conn-reset-as-packet-loss.patch | 51 + ...tly-disconnect-all-left-over-TCP-con.patch | 114 ++ ...esolved-fix-DNSSEC-missing-key-error.patch | 31 + backport-resolved-fix-fastopen-fallback.patch | 49 + ...transaction-completes-expect-other-t.patch | 266 +++ ...or-messages-for-openssl-gnutls-conte.patch | 14 +- backport-resolved-minor-dnssec-fixups.patch | 56 + ...dnssec-rrtype-questions-when-we-aren.patch | 41 + ...ved-pick-up-new-DNSSEC-KSC-from-2024.patch | 45 + ...or-dnssec-support-in-allow-downgrade.patch | 55 + ...-resolv.conf-files-when-link-goes-aw.patch | 33 + ...efuse-queries-with-no-suitable-scope.patch | 41 + ...port-resolved-request-DS-with-DNSKEY.patch | 81 + ...e-authentic-insecure-delegation-to-C.patch | 39 + ...-gc-transactions-if-they-might-still.patch | 107 ++ ...t-rpm-macros-add-_kernel_install_dir.patch | 46 + ...rror-on-PTY-forwarding-logic-when-di.patch | 34 + ...the-pty-slave-fd-to-transient-servic.patch | 4 +- ...fully-if-we-can-t-find-binary-client.patch | 36 + ...he-pty-slave-fd-to-transient-service.patch | 2 +- ...ected-from-PTY-forwarder-exit-event-.patch | 54 + ...ng-event-loop-when-sd_bus_set_exit_o.patch | 118 ++ ...-rework-assert-to-make-the-gcc-happy.patch | 62 + ...d-dummy-macro-to-support-compile-wit.patch | 61 + backport-sd-common-add-__const__.patch | 34 + ...Replace-SO_LINGER-with-shutdown-recv.patch | 42 + ...ade-log-level-for-library-code-use-c.patch | 41 + 
...-sd-device-add-missing-debugging-log.patch | 30 + ...uce-device_get_sysattr_unsigned_full.patch | 53 + ...-debug-log-message-when-dirs-are-mis.patch | 91 + ...p-server-clear-buffer-before-receive.patch | 34 + ...r-refuse-invalid-hostname-in-request.patch | 105 ++ ...d-event-change-error-code-EINVAL-EIO.patch | 10 +- ...vent-do-not-assert-on-invalid-signal.patch | 10 +- ...-when-fd-is-owned-by-IO-event-source.patch | 60 +- ...memleak-when-built-without-assertion.patch | 74 + ...-increase-test-event-timeout-to-120s.patch | 40 + ...nal-fix-error-handling-of-inotify_ad.patch | 44 + ...lly-handle-systems-where-kernel-keyr.patch | 38 + ...128-mark-functions-as-const-not-pure.patch | 60 + ...ssertion-triggered-when-an-ARP-recei.patch | 12 +- ...-sd-event-state-before-setting-up-po.patch | 56 + ...rade-log-message-Unused-data-entry_o.patch | 34 + ...-check-in-journal_file_verify_header.patch | 47 + ...rt-sd-journal-use-stat_verify_linked.patch | 29 + ...y-monotonic-timestamp-before-assigni.patch | 41 + ...x-rtnl_resolve_link_alternative_name.patch | 45 + ...d-radv-fix-potential-buffer-overflow.patch | 33 + ...ug-when-enqueuing-messages-with-fds-.patch | 34 + ...-seccomp-allowlist-uretprobe-syscall.patch | 38 + ...comp-util-include-sandbox-in-default.patch | 47 + ...s-negative-fds-as-is-to-fsync-and-fr.patch | 70 + backport-semaphore-bump-timeout.patch | 31 + backport-semaphore-do-not-build-docs.patch | 32 + ...ve-back-to-autopkgtest-master-branch.patch | 41 + ...aphore-remove-workaround-for-adduser.patch | 32 + backport-semaphore-speed-up-build.patch | 36 + ...uilding-and-running-extra-unit-tests.patch | 31 + ...temporarily-pin-autopkgtest-to-v5.32.patch | 31 + ...hore-use-variable-for-Salsa-repo-URL.patch | 36 + ...PM2-unsealing-when-PCR-values-change.patch | 49 + ...er-do-not-print-null-as-section-name.patch | 38 + ...-util-don-t-attempt-to-fiemap-fd-if-.patch | 53 + ...-util-handle-the-case-where-no-swap-.patch | 50 + ...ialize-a-couple-of-values-explicitly.patch | 
51 + ...orrectly-report-changes-in-install_i.patch | 44 + ...install-drop-unneeded-initialization.patch | 27 + ...ropagate-all-errors-in-install_info_.patch | 43 + ...orrectly-warn-about-rootfs-daemon-s-.patch | 43 + ...rt-shared-log-error-when-execve-fail.patch | 5 +- ...-restore-infinite-loop-avoidance-for.patch | 40 + ...t-util-for-old-kernels-assume-noreco.patch | 35 + ...ared-open-file-use-xescape-to-escape.patch | 52 + ...ort-shared-verbs-minor-modernization.patch | 57 + ...erbs-show-list-of-verbs-when-missing.patch | 53 + ...-add-kernel-identify-inspect-verbs-f.patch | 41 + ...-add-missing-args-to-bash-resolvectl.patch | 84 + ...letion-fix-machinectl-import-tar-raw.patch | 33 + ...s-install-new-completions-which-were.patch | 35 + ...ix-output-ith-CRNL-rather-than-just-.patch | 34 + ...n-Send-EXIT_STATUS-before-final-sync.patch | 54 + ...wn-clean-up-sync_with_progress-a-bit.patch | 29 +- ...M-block-device-before-issuing-DM_DEV.patch | 10 +- ...-unbounded-fsync-with-bounded-sync_w.patch | 18 +- ...ync_with_progress-to-optionally-sync.patch | 37 +- ...-correct-bus-when-locking-homed-mana.patch | 31 + ...port-sleep-don-t-log-duplicate-error.patch | 31 + ...g_loop.h-fix-missing-LOOP_SET_BLOCK_.patch | 41 + ...ock.c-Handle-empty-pcrlock.d-directo.patch | 99 ++ ...til-introduce-stat-fd-_verify_linked.patch | 90 + backport-stat-util-rebreak-comment.patch | 28 + backport-stdio-bridge-fix-polled-fds.patch | 38 + ...t-storagetm-always-hash-stat.st_mode.patch | 32 + ...ragetm-fix-use-of-wrong-stat-element.patch | 26 + ...se-GREEDY_REALLOC-to-grow-the-buffer.patch | 85 + ...trv-introduce-strv_copy_unless_empty.patch | 54 + ...d-zero-enough-space-in-legacy-x86-ha.patch | 168 ++ ...rt-stub-drop-PE-sections-parsing-cap.patch | 42 + ...ame-from-image-before-loading-addons.patch | 44 + ...user-to-suppress-output-when-no-acti.patch | 27 + ...rey-out-useful-hints-in-output-since.patch | 38 + ...ure-boot-loader-options-only-when-go.patch | 123 ++ 
...-try-to-acquire-triggering-units-for.patch | 50 + ...it-ignore-ENOENT-from-unit_is_masked.patch | 34 + ...plying-zero-offset-to-null-pointer-U.patch | 29 + ...llback-for-pidfd_open-permission-err.patch | 27 + backport-systemctl-fix-memleak.patch | 4 +- ...ctl-fix-printing-of-RootImageOptions.patch | 5 +- ...ut-tasks-limit-the-same-way-we-grey-.patch | 32 + ...tem-running-display-offline-with-ima.patch | 34 + ...obs-interchange-waiting-for-and-bloc.patch | 72 + ...riggering-unit-warning-if-unit-vanis.patch | 30 + ...d-boot-Allow-key-enroll-in-AuditMode.patch | 30 + ...-tests-Skip-tests-requiring-dhcpd-if.patch | 47 + ...elper-Show-executed-commands-if-debu.patch | 30 + ...f-requested-group-name-matches-user-.patch | 82 + ...ysusers-handle-NSS-errors-gracefully.patch | 5 +- ...es-clarify-error-message-for-replace.patch | 59 + ...erator-break-long-message-into-lines.patch | 40 + ...ort-temporarily-disable-test-seccomp.patch | 2 +- ...x-underlining-with-SYSTEMD_COLORS-no.patch | 29 + ...TERM-to-ask-systemd-nspawn-to-proper.patch | 53 + ...est-for-per-device-cgroup-properties.patch | 88 + ...-deprecated-use-Europe-Berlin-and-Ky.patch | 119 ++ ...handle-running-within-user-namespace.patch | 205 +++ ...a-brief-comment-for-the-chattr-check.patch | 28 + ...port-test-add-a-reproducer-for-33672.patch | 62 + backport-test-add-a-test-for-31384.patch | 55 + ...add-basic-coverity-tests-for-bootctl.patch | 299 ++++ ...tests-for-in_addr_prefix_covers_full.patch | 74 + ...erate-for-Compress-yes-config-option.patch | 42 + backport-test-add-missing-operators.patch | 53 + ...mple-coverage-tests-for-udevadm-lock.patch | 35 + ...t-test-add-test-case-for-issue-31776.patch | 29 + ...t-test-add-test-case-for-issue-34637.patch | 78 + ...-case-for-systemd-repart-seed-random.patch | 71 + ...-test-add-test-cases-for-issue-30357.patch | 62 + ...ases-for-journal-corruption-on-btrfs.patch | 73 + ...t-cases-for-timestamp-with-time-zone.patch | 32 + ...-add-tests-for-seccomp_suppress_sync.patch | 
82 + ...ip-matrix_run_one-if-TEST_MATCH_TEST.patch | 48 + ...flush-and-rotate-journal-before-read.patch | 42 + ...lways-try-to-install-the-ext4-module.patch | 36 + ...mdadm-create-question-for-compat-wit.patch | 89 + ...st-applying-timezone-is-asynchronous.patch | 46 + ...ST.INTEGER_OVERFLOW-in-test-oomd-uti.patch | 60 + ...etc-udev-udev.conf-only-if-it-exists.patch | 62 + ...-programs-pass-the-right-error-varia.patch | 27 + ...ict-fs-pass-the-right-error-variable.patch | 26 + ...lctl-sync-just-before-reading-journa.patch | 34 + ...CAP_LINUX_IMMUTABLE-is-not-available.patch | 49 + ..._PUBLIC-name-during-PEM-TPM2B_PUBLIC.patch | 129 ++ ...ev-loop-control-when-checking-lodev-.patch | 45 + ...test-check-if-resolved-exits-cleanly.patch | 88 + backport-test-check-pam-warning-message.patch | 39 + backport-test-clean-up-the-code-a-bit.patch | 111 ++ ...t-create-ESP-and-xbootldr-partitions.patch | 111 ++ ...tc-os-release-instead-of-usr-lib-os-.patch | 37 + ...t-utilize-log_info-instead-of-printf.patch | 121 ++ ...-Gracefully-handle-the-network-being.patch | 39 + ...ort-test-dhcp6-terminate-fqdn-option.patch | 44 + ...tsuite-04.LogFilterPatterns-journal-.patch | 63 + ...do-not-attempt-to-set-xattr-on-tmpfs.patch | 45 + ...-network-namespace-test-with-permiss.patch | 105 ++ ...t-test-do-not-fill-journal-with-diff.patch | 26 + ...t-test-do-not-fill-journal-with-wait.patch | 26 + ...viate-log-messages-when-dumping-the-.patch | 29 + ...-for-Dinstall-tests-true-with-NO_BUI.patch | 32 + ...ore-udev-worker-coredumps-in-journal.patch | 50 + ...est-don-t-truncate-the-final-journal.patch | 32 + ...rop-removed-SCSI-passthrough-feature.patch | 38 + ...le-summary-at-the-end-of-TEST-02-UNI.patch | 141 ++ ...p-tests-that-are-broken-without-unpr.patch | 227 +++ ...ecute-update-permission-of-credstore.patch | 42 + ...-set-TERM-linux-for-TEST-69-SHUTDOWN.patch | 43 + ...explicitly-set-nsec3-iterations-to-0.patch | 41 + backport-test-extend-firstboot-testing.patch | 130 ++ 
...-extend-timeout-for-DHCP-NDisc-tests.patch | 56 + ...o-SYSLOG_IDENTIFIER-matching-where-n.patch | 175 ++ ...p-test-when-lacking-privileges-to-cr.patch | 43 + ...-test-fix-TEST-24-CRYPTSETUP-on-SUSE.patch | 29 + ...fix-check-for-device-in-test-execute.patch | 30 + ...t-test-fix-dbus-installation-on-Arch.patch | 56 + backport-test-fix-indentation.patch | 27 + backport-test-fix-subtests-naming.patch | 27 + ...st-fix-test-scripts-filename-pattern.patch | 27 + ...port-test-fix-the-container-ID-check.patch | 54 + backport-test-fix-tool-name-in-comment.patch | 27 + ...socket-once-the-triggered-unit-exits.patch | 61 + ...rnal-messages-to-console-during-sd-b.patch | 44 + ...-necessary-units-generators-for-LVM-.patch | 69 + ...-correct-kpartx-udev-rules-on-Debian.patch | 29 + ...ll-empty-directories-with-NO_BUILD-1.patch | 80 + backport-test-install-etc-hosts.patch | 28 + ...t-test-install-modinfo-to-test-image.patch | 37 + ...l-root-introduce-test-case-for-33411.patch | 52 + ...systemd-boot-in-openSUSE-test-images.patch | 27 + ...ock-device-during-running-cryptsetup.patch | 47 + ...ock-return-77-on-skip-in-more-places.patch | 39 + ...8-INITRD-slightly-less-annoying-to-d.patch | 36 + ...l_mdadm-also-install-relevant-kernel.patch | 28 + ...hat-sd-boot-is-installed-before-test.patch | 33 + ...he-dummy-CA-certificate-is-marked-as.patch | 70 + ...o-install-the-filesystem-package-in-.patch | 32 + ...moryHigh-limit-a-bit-more-generous-w.patch | 77 + ...tput-of-TEST-69-less-painful-to-read.patch | 46 + ...t-mask-mdmonitor-when-building-image.patch | 46 + ...k-rc.local-generator-broken-on-Jammy.patch | 35 + ...port-test-mask-the-mdmonitor.service.patch | 58 + ...es.d-file-shipped-by-selinux-policy-.patch | 39 + ...t-test-modernize-TEST-55-OOMD-s-init.patch | 42 + ....cache-in-minimal-nspawn-container-i.patch | 34 + ...pace-SOCK_CLOEXEC-ify-all-the-things.patch | 26 + ...cefully-handle-the-loopback-interfac.patch | 49 + ...-one-more-test-case-for-DHCP-prefix-.patch | 98 ++ 
...etwork-add-test-case-for-issue-30403.patch | 41 + ...etwork-add-test-case-for-issue-31165.patch | 44 + ...-test-case-for-requesting-routing-po.patch | 99 ++ ...work-add-test-for-small-MTU-for-vcan.patch | 78 + ...-test-for-stack-overflow-in-qdisc_dr.patch | 42 + ...o-set-custom-altternative-name-for-n.patch | 165 ++ ...etwork-check-existence-of-kernel-bug.patch | 61 + ...not-call-networkctl-if-networkd-is-i.patch | 62 + ...not-fail-if-macvlan-module-is-not-av.patch | 26 + ...not-fail-when-etc-protocols-does-not.patch | 83 + ...ork-fix-racy-test-for-address_static.patch | 34 + ...ork-introduce-networkctl-and-friends.patch | 824 +++++++++ ...-network-introduce-no-journal-option.patch | 62 + ...st-network-split-out-setup_netdevsim.patch | 60 + ...split-test_dhcp6pd-into-small-pieces.patch | 180 ++ ...est-network-sync-journal-before-read.patch | 28 + ...e-different-destination-from-gateway.patch | 51 + ...-read_networkd_log-at-one-more-place.patch | 35 + ...ver-is-not-a-valid-value-for-Restart.patch | 44 + ...s-treat-negative-host-lookup-as-slow.patch | 33 + ...dout-stderr-of-TEST-04-JOURNAL-to-co.patch | 77 + ...replace-Europe-Kiev-with-Europe-Kyiv.patch | 65 + ...md-resolved.service-s-restart-counte.patch | 48 + ...ystemd-udevd.service-restart-counter.patch | 39 + ...-sbat-separate-the-two-sbat-sections.patch | 50 + ...-group-for-systemd-journal-upload-te.patch | 73 + backport-test-set-ex-separately.patch | 30 + ...set-nsec3-salt-length-8-in-knot.conf.patch | 34 + ...ort-test-set-pexpect-s-logfile-early.patch | 50 + ...8-INITRD-if-systemd-didn-t-run-in-th.patch | 56 + ...3-PRIVATEUSER-UNPRIV-if-unprivileged.patch | 37 + ...4-STORAGETM-if-running-with-bugged-l.patch | 46 + ...emd-run-test-if-unprivileged-userns-.patch | 45 + ...xec_networknamespacepath-if-netns-se.patch | 60 + ...t-bind-pass-the-right-error-variable.patch | 26 + ...ost_has_-btrfs-mdadm-from-TEST-64-UD.patch | 65 + ...T_MATCH_-stuff-in-TEST-23-UNIT-FILE-.patch | 35 + 
backport-test-sync-journal-before-read.patch | 47 + ...-sync-journal-before-reading-journal.patch | 32 + ...st-sync-journal-before-starting-test.patch | 78 + ...o-load-anchors-from-etc-bind.keys-ex.patch | 108 ++ ...-adjust-the-default-mount-rate-limit.patch | 45 + ...test-temporarily-disable-test_sysctl.patch | 27 + ...-enable-session-lingering-for-the-te.patch | 87 + ...l-util-print-value-of-colors_enabled.patch | 31 + ...cros.sh-add-build-directory-to-pkg-c.patch | 30 + ...wn.py-optionally-display-the-test-I-.patch | 68 + ...elegation-of-some-newer-attrs-that-s.patch | 38 + ...o-more-suppression-of-time-zone-chec.patch | 71 + ...e-util-fix-truncation-of-usec-to-sec.patch | 59 + ...fore-timezone-sensitive-unit-tests-a.patch | 65 + ...se-a-dropin-for-the-journald-snippet.patch | 34 + ...st-instead-of-hosts-where-applicable.patch | 74 + ...t-test-use-btrfs-mkswapfile-on-btrfs.patch | 51 + ...nstead-of-stat-follow_symlinks-False.patch | 30 + ...e-the-default-nsec3-iterations-value.patch | 29 + ...TPM2B_PUBLIC-conversion-for-RSA-key-.patch | 43 + ...-bit-before-stopping-killing-service.patch | 72 + ...op-backing_file-attribute-being-remo.patch | 35 + ...rtition-device-being-processed-by-ud.patch | 28 + ...ait-for-partition-processed-by-udevd.patch | 28 + ...-test-wait-for-sessions-being-closed.patch | 30 + ...it-for-slice-unit-being-de-activated.patch | 37 + ...it-generated-from-proc-self-mountinf.patch | 36 + ...the-test-container-is-fully-booted-u.patch | 32 + ...-mode-of-root-inode-of-throw-away-co.patch | 31 + ...e-util-copy-input-string-before-fork.patch | 35 + ...x-parsing-timestamp-with-NZ-timezone.patch | 85 + ...gracefully-if-RTC-lost-time-because-.patch | 51 + ...imesync-IPTOS_LOWDELAY-IPTOS_DSCP_EF.patch | 33 + ...he-transmit-timestamp-in-requests-fu.patch | 101 ++ ...ail-if-file-does-not-exist-in-item_d.patch | 48 + ...S_NOINFO-_IS_NEG_-correct-negative-e.patch | 84 + ...o-X-bit-check-in-an-ACL-aware-manner.patch | 88 + 
...-t-compare-errno-with-negative-value.patch | 28 + ...ypasta-in-create_symlink-FIFO-symlin.patch | 29 + ...one-more-use-of-goto-and-modernizati.patch | 187 ++ ...-deprecated-undocumented-syntax-s-F-.patch | 28 + ...md-nologin.conf-use-f-instead-of-F-d.patch | 26 + ...temd-use-ACL-X-bit-where-appropriate.patch | 38 + ...RSA-exponent-special-case-default-va.patch | 78 + ...g-results-in-policy-hash-mismatch-wh.patch | 52 + backport-tpm2-setup-Add-graceful.patch | 99 ++ ...-fail-if-we-can-t-access-the-TPM-due.patch | 136 ++ ...-add-missing-O_CLOEXEC-at-two-places.patch | 37 + ...-early-order-against-pcrphase-initrd.patch | 41 + ...neric-wrapper-tpm2_context_new_or_wa.patch | 280 +++ ...-TPMs-gracefully-that-do-not-support.patch | 50 + backport-tree-wide-Fix-Wformat-warnings.patch | 59 + ...-do-dlopen-with-RTLD_NOW-RTLD_NODELE.patch | 162 ++ ...e-careful-when-passing-literal-integ.patch | 116 ++ ...ck-if-non-empty-password-is-acquired.patch | 56 + ...ON_ALLOW_EXTENSIONS-when-disptching-.patch | 108 ++ ...device-symlink-properly-on-udev-acti.patch | 43 + ...substitutions-can-be-done-in-ENV-too.patch | 47 + ...ecution-for-hidraw-subsystem-devices.patch | 29 + ...id-update-table-with-latest-SMBIOS-s.patch | 66 + ...to-lock-whole-block-device-on-remove.patch | 52 + ...evice-is-a-zac-device-scsi-ID_SERIAL.patch | 81 + ...stack-directory-creation-for-diskseq.patch | 130 ++ ...-rules-pass-the-right-error-variable.patch | 26 + ...pty-udev-rules-file-while-collecting.patch | 36 + ...t-try-to-remove-invalid-watch-handle.patch | 48 + ...-mention-that-the-failure-is-ignored.patch | 28 + ...debugging-log-about-success-of-flock.patch | 28 + ...opagate-return-code-from-verb-result.patch | 71 + ...check-for-correct-function-in-vtable.patch | 7 +- ...ystemd-resolved-after-systemd-sysctl.patch | 29 + ...ules_load-and-rd.modules_load-in-sys.patch | 31 + ...-directory-to-list-of-conditions-for.patch | 30 + ...t-user-util-validate-the-right-field.patch | 14 +- 
...apped-user-range-only-inside-of-user.patch | 75 + ...t-userdb-reset-errno-before-getpwent.patch | 35 + ...t-userdbctl-avoid-NULL-pointer-deref.patch | 30 + ...dbctl-correct-uid_range_covers-check.patch | 29 + backport-userdbctl-fix-counting.patch | 63 + ...operly-close-the-listener-fd-on-exit.patch | 26 + ...til-make-file_read-64bit-offset-safe.patch | 61 + ...actual-value-of-bool-instead-of-poin.patch | 28 + ...-various-correct-laccess-error-check.patch | 256 +++ ...s-don-t-log-synthetic-EIO-for-fwrite.patch | 28 + ...rt-variuos-fwrite-does-not-set-errno.patch | 113 ++ ...compat-with-varlink-C-reference-impl.patch | 68 + ...ors-returned-by-verify_unix_socket-s.patch | 49 + ...rt-add-Google-Compute-Engine-support.patch | 96 ++ ...rt-fix-detection-of-avx2-and-friends.patch | 40 + ...ection-of-Apple-Virtualization-guest.patch | 30 + ...-can-handle-smbios-objects-without-v.patch | 56 + ...e-are-fine-with-ovmf-metadata-extens.patch | 59 + ...efault-not-all-interface-need-to-be-.patch | 36 + ...ify-that-we-set-the-watchdog-timeout.patch | 90 + ...configured-timeout-is-used-instead-o.patch | 60 + ...complete-g-case-sensitive-help-pseud.patch | 36 + ...remove-duplicated-argument-for-compl.patch | 30 + systemd.spec | 918 +++++++++- treat-underscore-as-valid-hostname-char.patch | 2 +- 845 files changed, 51153 insertions(+), 417 deletions(-) create mode 100644 backport-99-systemd.rules-rework-SYSTEMD_READY-logic-for-devi.patch create mode 100644 backport-Add-an-extra-debug-log-to-dissect_image.patch create mode 100644 backport-Add-posttrans-versions-of-the-systemd-postun-scriptl.patch create mode 100644 backport-Conditional-PSI-check-to-reflect-changes-done-in-5.1.patch create mode 100644 backport-Ensure-that-a-portable-is-not-detached-when-another-.patch create mode 100644 backport-Fallback-from-pidfd_open-on-permission-errors-too.patch create mode 100644 backport-Fix-KeepCarrier-tun-tap-device-option.patch create mode 100644 
backport-Fix-bpf-framework-build-failure-with-gcc-bpf.patch create mode 100644 backport-Fix-bug-where-systemd-tmpfiles-gets-stuck-on-fifos-i.patch create mode 100644 backport-Fix-detection-of-TDX-confidential-VM-on-Azure-platfo.patch create mode 100644 backport-Fix-gcc14-Wcalloc-transposed-args-warnings.patch create mode 100644 backport-Fix-maybe-uninitialized-warnings-with-gcc-14.2.patch create mode 100644 backport-Fix-reference-to-FileDescriptorStoreMax-directive.patch create mode 100644 backport-Fix-tense-in-SD_MESSAGE_SHUTDOWN_STR.patch create mode 100644 backport-Fix-typo-in-CAP_BPF-description-33464.patch create mode 100644 backport-Fixing-VLAN-ranges-in-man-systemd.network.patch create mode 100644 backport-GREEDY_REALLOC_APPEND-Make-more-type-safe.patch create mode 100644 backport-Install-pacman-in-Arch-Linux-image.patch create mode 100644 backport-LICENSES-README-expand-text-to-summarize-state-for-b.patch create mode 100644 backport-Measure-empty-PK-and-KEK-EFI-vars.patch create mode 100644 backport-Reorder-arguments-for-calloc-like-functions-part-2.patch create mode 100644 backport-Restart-the-DHCPv4-client-when-max-REQUEST-attempts-.patch create mode 100644 backport-Revert-bpf-test-with-GCC-BPF-compiler-on-opensuse.patch create mode 100644 backport-Revert-mkosi-pin-CentOS8-kernel-to-working-version.patch create mode 100644 backport-Revert-sysusers.d-create-the-user-for-systemd-journa.patch create mode 100644 backport-Revert-test-disable-TEST-08-INITRD-on-ubuntu-CI.patch create mode 100644 backport-Semaphore-switch-from-tmp-to-var-tmp-to-avoid-disk-s.patch create mode 100644 backport-Set-SYSTEMD_LOG_LEVEL-info-explicitly-in-test-sysuse.patch create mode 100644 backport-Sort-input-file-list.patch create mode 100644 backport-TEST-13-NSPAWN.nss-mymachines-Use-negative-matching-.patch create mode 100644 backport-TEST-17-UDEV-Don-t-hardcode-root-device-name.patch create mode 100644 backport-TEST-19-CGROUP-add-test-cases-for-IPAddressAllow-IPA.patch create mode 
100644 backport-TEST-38-FREEZER-Relax-regex-a-little.patch create mode 100644 backport-TEST-46-HOMED-Ignore-Disk-Usage-field-as-well.patch create mode 100644 backport-TEST-58-REPART-drop-duplicated-inclusion-of-util.sh.patch create mode 100644 backport-TEST-58-REPART-reverse-order-of-diff-args.patch create mode 100644 backport-TEST-60-MOUNT-RATELIMIT-wait-for-mount-unit-being-st.patch create mode 100644 backport-TEST-64-UDEV-STORAGE-Make-nvme_subsystem-expected-pc.patch create mode 100644 backport-TEST-80-NOTIFYACCESS-don-t-specify-pid-if-MAINPID-is.patch create mode 100644 backport-TEST-81-GENERATORS-Do-a-lazy-unmounts.patch create mode 100644 backport-Undeprecate-commandline-params-forcequotacheck-fastb.patch create mode 100644 backport-Update-_udevadm.patch create mode 100644 backport-Update-sd_bus_message_append_array.xml.patch create mode 100644 backport-Use-.d-path-for-PCRLOCK_KERNEL_-_PATH.patch create mode 100644 backport-Use-case-insensitive-comparison-for-the-machine-s-ar.patch create mode 100644 backport-Use-consistent-spelling-of-systemd.condition_first_b.patch create mode 100644 backport-analyze-Add-times-in-seconds-for-Activating-and-Acti.patch create mode 100644 backport-analyze-also-find-template-unit-when-a-template-inst.patch create mode 100644 backport-analyze-man-and-help-fixes.patch create mode 100644 backport-analyze-show-pcrs-also-in-sha384-bank.patch create mode 100644 backport-analyze-tab-fix.patch create mode 100644 backport-ask-password-refuse-empty-password-strv.patch create mode 100644 backport-async-voidify-call-of-fsync.patch create mode 100644 backport-audit-util-check-correct-errno.patch create mode 100644 backport-base-filesystem-check-for-__s390x__-first.patch create mode 100644 backport-base-filesystem-do-not-attempt-to-create-a-lib64-usr.patch create mode 100644 backport-bash-completion-add-missing-options-to-systemd-crypt.patch create mode 100644 backport-bash-completion-add-missing-options-to-systemd-disse.patch create mode 
100644 backport-bash-completion-make-systemctl-mount-image-bind-auto.patch create mode 100644 backport-basic-add-PIDFS-magic-31709.patch create mode 100644 backport-basic-boot-silence-Wunterminated-string-initializati.patch create mode 100644 backport-basic-fix-overflow-detection-in-sigbus_pop.patch create mode 100644 backport-basic-linux-Copy-netfilter.h-to-the-source-tree.patch create mode 100644 backport-basic-virt-Fix-virtualbox-detection-on-proprietary-s.patch create mode 100644 backport-battery-check-parse-options-before-checking-for-kern.patch create mode 100644 backport-battery-util-raise-log-level-for-battery_is_discharg.patch create mode 100644 backport-bless-boot-pass-the-right-error-variable.patch create mode 100644 backport-blockdev-util-also-check-loop-partscan-sysattr.patch create mode 100644 backport-blockdev-util-also-check-newer-value-of-GENHD_FL_NO_.patch create mode 100644 backport-blockdev-util-also-read-ext_range-sysattr-to-check-i.patch create mode 100644 backport-blockdev-util-partscan-sysattr-now-directly-shows-th.patch create mode 100644 backport-boot-Improve-log-message.patch create mode 100644 backport-boot-allocate-cleanup-pages-below-4GiB-only-on-x86.patch create mode 100644 backport-boot-compare-filename-suffixes-without-case.patch create mode 100644 backport-boot-cover-for-hardware-keys-on-phones-tablets.patch create mode 100644 backport-boot-don-t-print-error-if-device-tree-fixup-protocol.patch create mode 100644 backport-boot-fix-assignment-of-ret_-variables-in-initrd_prep.patch create mode 100644 backport-bootctl-don-t-load-etc-machine-info-from-cwd.patch create mode 100644 backport-bootctl-fix-case-sensitive-comparisons-in-reporting-.patch create mode 100644 backport-bootctl-return-earlier-with-print-esp-path.patch create mode 100644 backport-bootspec-implement-sorting-by-tries-left-done-to-mat.patch create mode 100644 backport-bpf-actually-check-for-errors-when-loading-symbols.patch create mode 100644 
backport-bpf-socket-bind-fix-unexpected-behavior-with-either-.patch create mode 100644 backport-bsod-do-not-check-for-color-support.patch create mode 100644 backport-bsod-make-message-for-qrcode-more-useful.patch create mode 100644 backport-btrfs-util-add-assert-to-fix-Coverity-warning.patch create mode 100644 backport-btrfs-util-apparently-btrfs-ioctls-return-unaligned-.patch create mode 100644 backport-btrfs-util-check-current-offset-before-read.patch create mode 100644 backport-btrfs-util-rework-btrfs_is_nocow_fd-around-fd_is_fs_.patch create mode 100644 backport-btrfs-util-use-memdup_suffix0-instead-of-strndup-at-.patch create mode 100644 backport-bus-socket-Clarify-that-inotify-is-supposed-to-watch.patch create mode 100644 backport-bus-wait-for-jobs-fix-service-result-table.patch create mode 100644 backport-busctl-avoid-asserting-on-NULL-message.patch create mode 100644 backport-busctl-don-t-hit-an-assert-if-we-call-invalid-bus-me.patch create mode 100644 backport-cgroup-bring-list-of-delegated-cgroup-attributes-up-.patch create mode 100644 backport-cgroup-don-t-enable-bpf-pseudo-controllers-when-doin.patch create mode 100644 backport-cgroup-util-Don-t-try-to-open-pidfd-for-kernel-threa.patch create mode 100644 backport-cgroup-util-Don-t-try-to-open-pidfd-for-pids-from-cg.patch create mode 100644 backport-cgroup-util-Ignore-kernel-threads-in-cg_kill_items.patch create mode 100644 backport-cgroup-util-allow-cg_read_pid-to-skip-unmapped-zero-.patch create mode 100644 backport-chase-Fix-shortcut.patch create mode 100644 backport-chase-Tighten-.-and-.-check.patch create mode 100644 backport-chase-do-not-wrap-xopenat-with-RET_NERRNO.patch create mode 100644 backport-chattr-util-fix-error-code.patch create mode 100644 backport-clean-ipc-pass-the-right-error-variable.patch create mode 100644 backport-confidential-virt-add-detection-for-s390x-target.patch create mode 100644 backport-confidential-virt-split-caching-of-CVM-detection-int.patch create mode 100644 
backport-copy-Invoke-hardlink-context-cleanup-before-restorin.patch create mode 100644 backport-copy-do-not-ignore-chattr_flags-and-friends-passed-t.patch create mode 100644 backport-copy-ignore-EOPNOTSUPP-from-copy_file_range.patch create mode 100644 backport-copy-introduce-COPY_VERIFY_LINKED-flag.patch create mode 100644 backport-copy-use-xopenat-to-make-from-argument-optional.patch create mode 100644 backport-core-Check-for-TERM-dumb-in-show_status.patch create mode 100644 backport-core-Fix-assertion-in-parse_smbios_strings.patch create mode 100644 backport-core-Serialize-both-pid-and-pidfd-to-keep-downgrades.patch create mode 100644 backport-core-Serialize-both-pid-and-pidfd.patch create mode 100644 backport-core-add-specifier-expansion-to-AllowedCPUs-and-frie.patch create mode 100644 backport-core-add-trigger-to-path-unit-debug-log.patch create mode 100644 backport-core-cgroup-Apply-IODevice-directives-in-configured-.patch create mode 100644 backport-core-cgroup-fix-IPAddressAllow-IPAddressDeny-set-thr.patch create mode 100644 backport-core-cgroup-make-unit_has_host_root_cgroup-take-cons.patch create mode 100644 backport-core-condition-fix-segfault-when-key-not-found-in-os.patch create mode 100644 backport-core-dbus-manager-mark-unit-file-state-as-outdated-o.patch create mode 100644 backport-core-dbus-manager-refuse-SoftReboot-for-user-manager.patch create mode 100644 backport-core-device-add-stopping-job-message.patch create mode 100644 backport-core-device-do-not-drop-backslashes-in-SYSTEMD_WANTS.patch create mode 100644 backport-core-do-not-make-private-dev-read-only-too-soon.patch create mode 100644 backport-core-don-t-forget-about-fallback_smack_process_label.patch create mode 100644 backport-core-drop-unnecessary-auto_fs4.h-inclusion.patch create mode 100644 backport-core-exec-invoke-call-pam_setcred-PAM_DELETE_CRED-af.patch create mode 100644 backport-core-exec-invoke-call-setpriority-after-sched_setatt.patch create mode 100644 
backport-core-exec-invoke-prevent-potential-double-close-of-e.patch create mode 100644 backport-core-exec-invoke-remove-redundant-fd_cloexec-call.patch create mode 100644 backport-core-exec-invoke-rename-flags_fds-to-flag_fds.patch create mode 100644 backport-core-exec-invoke-reopen-OpenFile-fds-with-O_NOCTTY.patch create mode 100644 backport-core-exec-invoke-use-sched_setattr-instead-of-sched_.patch create mode 100644 backport-core-execute-don-t-reload-selinux-before-spawning-ex.patch create mode 100644 backport-core-execute-serialize-drop-extraneous-in-ip-in-e-gr.patch create mode 100644 backport-core-execute-serialize-use-serialize_item_escaped-fo.patch create mode 100644 backport-core-executor-do-destruct-static-variables-and-selin.patch create mode 100644 backport-core-executor-save-argv-for-later-use-by-rename_proc.patch create mode 100644 backport-core-job-emit-job-start-message-if-we-re-only-waitin.patch create mode 100644 backport-core-job-never-consider-reload-jobs-redundant.patch create mode 100644 backport-core-make-mount-8-and-swapon-8-inherit-SMACK-label-f.patch create mode 100644 backport-core-mark-JoinControllers-as-DISABLED_LEGACY-rather-.patch create mode 100644 backport-core-mount-if-mount-is-gone-eventually-consider-it-s.patch create mode 100644 backport-core-mount-if-umount-8-fails-but-mount-disappeared-a.patch create mode 100644 backport-core-mount-if-unmount-retries-exceeded-max-record-as.patch create mode 100644 backport-core-namespace-honor-MountEntry.read_only-.options-a.patch create mode 100644 backport-core-path-Re-enter-waiting-if-target-is-deactivating.patch create mode 100644 backport-core-raise-the-log-priority-if-sd-executor-is-missin.patch create mode 100644 backport-core-serialize-reload-rate-limit.patch create mode 100644 backport-core-service-Type-notify-dbus-services-shouldn-t-be-.patch create mode 100644 backport-core-service-do-not-propagate-reload-for-combined-RE.patch create mode 100644 
backport-core-service-don-t-transition-to-start-post-on-cgrou.patch create mode 100644 backport-core-service-make-error-msg-match-with-conditions.patch create mode 100644 backport-core-service-service_add_fd_store-consumes-passed-fd.patch create mode 100644 backport-core-silence-gcc-warning-about-unitialized-variable.patch create mode 100644 backport-core-try-again-bind-mounting-if-the-destination-was-.patch create mode 100644 backport-core-unit-do-not-use-unit-path-cache-in-unit_need_da.patch create mode 100644 backport-core-unit-follow-merged-units-before-updating-Source.patch create mode 100644 backport-core-unit-ignore-dropins-for-masked-units-completely.patch create mode 100644 backport-core-unit-serialize-fix-serialization-of-markers.patch create mode 100644 backport-core-warn-if-a-generator-is-world-writable.patch create mode 100644 backport-coredump-keep-core-files-for-two-weeks.patch create mode 100644 backport-cpio-fix-assert.patch create mode 100644 backport-creds-fix-cat-with-encrypted-credentials.patch create mode 100644 backport-cryptenroll-Fix-reading-keyfile-from-socket.patch create mode 100644 backport-cryptenroll-homectl-journalctl-adjust-messages-befor.patch create mode 100644 backport-cryptenroll-it-s-called-PKCS-11-not-PKCS11.patch create mode 100644 backport-cryptenroll-show-better-log-message-if-slot-to-wipe-.patch create mode 100644 backport-cryptsetup-improve-TPM2-blob-display.patch create mode 100644 backport-cryptsetup-tokens-fix-argument-order-mismatch-in-fun.patch create mode 100644 backport-cryptsetup-tokens-fix-pin-asserts.patch create mode 100644 backport-curl-glue-catch-libcurl-attempting-to-change-timeout.patch create mode 100644 backport-curl-util-do-not-configure-new-io-event-source-when-.patch create mode 100644 backport-data-fd-util-Fixup-header.patch create mode 100644 backport-dbus-log-disconnect-on-api-and-system-busses.patch create mode 100644 backport-detect-virt-allow-detection-via-device-tree-on-RISC-.patch create mode 
100644 backport-detect-virt-fix-Google-Compute-Engine-support.patch create mode 100644 backport-dhcp-option-refuse-control-and-non-UTF8-characters-i.patch create mode 100644 backport-discover-image-also-update-Image.limit-in-image_set_.patch create mode 100644 backport-discover-image-don-t-accidentally-set-run-systemd-ns.patch create mode 100644 backport-discover-image-update-Image.read_only-flag-in-image_.patch create mode 100644 backport-dissect-fix-log_debug_errno-assert-due-to-r-0.patch create mode 100644 backport-dissect-fix-memory-leak.patch create mode 100644 backport-dissect-image-don-t-try-to-validate-an-extension-rel.patch create mode 100644 backport-dissect-image-fix-fd-leak-in-dissected_image_acquire.patch create mode 100644 backport-dissect-image-generate-better-log-message-for-EUCLEA.patch create mode 100644 backport-dissect-image-handle-continue-event-in-metadata-acqu.patch create mode 100644 backport-dissect-image-move-comment-to-right-place.patch create mode 100644 backport-dissect-image-uppercase-first-char-of-dissect-error-.patch create mode 100644 backport-dissect-tool-right-align-the-partition-number.patch create mode 100644 backport-dlopen-log-debug-message-when-a-library-is-dlopened.patch create mode 100644 backport-dns-stream-only-read-DNS-packet-data-if-we-identifie.patch create mode 100644 backport-dns-update-record-type-enum-to-match-iana.patch create mode 100644 backport-dnssd-don-t-advertise-subtype-PTRs-to-the-browsing-d.patch create mode 100644 backport-efi-api-check-sys-class-tpm-tpm0-tpm_version_major-t.patch create mode 100644 backport-efi-check-if-all-sections-of-our-EFI-binaries-are-pr.patch create mode 100644 backport-efi-de-inline-xmalloc-to-fix-build-failure-with-gcc-.patch create mode 100644 backport-efi-fix-link-to-legacy-EFI-handover-protocol.patch create mode 100644 backport-efi-loader-make-efi_loader_get_entries-handling-miss.patch create mode 100644 backport-efi-loader-when-detecting-if-we-are-booted-in-UKI-me.patch 
create mode 100644 backport-efivars-deal-with-uncommitted-efi-variables.patch create mode 100644 backport-elf2efi-remove-outdated-comment-mentioning-linker-sc.patch create mode 100644 backport-env-util-add-new-setenvf-helper.patch create mode 100644 backport-exec-credential-Log-if-we-skip-duplicate-credential.patch create mode 100644 backport-exec-invoke-pass-the-right-error-variable.patch create mode 100644 backport-execute-Drop-log-level-to-unit-log-level-in-exec_spa.patch create mode 100644 backport-execute-handle-gracefully-if-we-cannot-lock-dev-cons.patch create mode 100644 backport-execute-improve-log-message-about-TTY-ownership-rese.patch create mode 100644 backport-executor-check-for-all-permission-related-errnos-whe.patch create mode 100644 backport-executor-don-t-duplicate-FD-array-to-avoid-double-cl.patch create mode 100644 backport-executor-really-set-POSIX_SPAWN_SETSIGDEF-for-posix_.patch create mode 100644 backport-fd-util-don-t-eat-up-errors-in-fd_cloexec_many.patch create mode 100644 backport-fd-util-modernization.patch create mode 100644 backport-fdset-set-all-collected-fds-to-CLOEXEC-in-fdset_new_.patch create mode 100644 backport-find-esp-add-debugging-log-about-failure-in-parsing-.patch create mode 100644 backport-find-esp-do-not-fail-when-boot-on-btrfs-RAID-on-sear.patch create mode 100644 backport-find-esp-do-not-skip-fstype-check-even-when-root-or-.patch create mode 100644 backport-find-esp-introduce-verify_esp_flags_init-helper-func.patch create mode 100644 backport-firstboot-create-locked-and-empty-root-passwords-con.patch create mode 100644 backport-firstboot-fix-root-params-with-creds-and-prompting-d.patch create mode 100644 backport-firstboot-fix-typo-and-add-missing-option-to-help-te.patch create mode 100644 backport-firstboot-handle-missing-root-password-entries.patch create mode 100644 backport-firstboot-remove-etc-localtime-on-reset.patch create mode 100644 backport-firstboot-validate-keymap-entry.patch create mode 100644 
backport-fix-the-value-of-default-shells-to-use-bin-and-not-u.patch create mode 100644 backport-fs-util-rename-xopenat-xopanat_full.patch create mode 100644 backport-fsck-do-not-pull-down-mount-units-on-soft-reboot.patch create mode 100644 backport-fundamental-declare-flex-array-updated-for-gcc15-and.patch create mode 100644 backport-fuzz-decompress_startswith-may-return-zero.patch create mode 100644 backport-fuzz-tentatively-disable-fuzz-compress-on-oss-fuzz.patch create mode 100644 backport-gpt-add-more-architecture-aliases.patch create mode 100644 backport-gpt-auto-generator-fix-argument-passed-to-parse_imag.patch create mode 100644 backport-hashmap-reorder-fields-to-pack-structure-better.patch create mode 100644 backport-hibernate-resume-always-clear-HibernateLocation-if-s.patch create mode 100644 backport-hibernate-resume-don-t-wait-forever-if-hibernate-inf.patch create mode 100644 backport-hibernate-util-check-noresume-before-reading-resume-.patch create mode 100644 backport-hibernate-util-logind-emit-a-clear-error-if-the-spec.patch create mode 100644 backport-hibernate-util-make-sure-we-use-blockdev-path-for-Hi.patch create mode 100644 backport-home-fix-ownership-of-files-copied-from-skelton-dire.patch create mode 100644 backport-homed-add-missing-bus-call-to-homed-access-policy.patch create mode 100644 backport-homed-manager-pass-the-right-error-variable.patch create mode 100644 backport-homework-cifs-Pass-password-via-fd.patch create mode 100644 backport-homework-fscrypt-pass-the-right-error-variable.patch create mode 100644 backport-homework-quota-pass-the-right-error-variable.patch create mode 100644 backport-hostname-expose-machine-ID-and-boot-ID-through-DBus.patch create mode 100644 backport-hostnamectl-do-not-show-local-machine-ID-and-boot-ID.patch create mode 100644 backport-hwdb-util-drop-unused-value-assignment.patch create mode 100644 backport-id128-refuse-app-specific-if-we-re-listing-GPT-types.patch create mode 100644 
backport-id128-util-Attempt-to-read-UUID-from-sys-hypervisor-.patch create mode 100644 backport-id128-util-do-not-expose-product-UUID-when-running-i.patch create mode 100644 backport-import-check-overflow.patch create mode 100644 backport-import-creds-when-we-hit-ENOENT-on-SMBIOS-11-do-not-.patch create mode 100644 backport-install-fix-compiler-warning-about-empty-directive-a.patch create mode 100644 backport-journal-file-util-use-COPY_VERIFY_LINKED.patch create mode 100644 backport-journal-file-util-use-the-file-descriptor-of-journal.patch create mode 100644 backport-journal-importer-Consider-ECONNRESET-as-EOF.patch create mode 100644 backport-journal-remote-Use-sd_event_set_signal_exit.patch create mode 100644 backport-journal-remote-allow-AF_VSOCK-and-AF_UNIX-for-listen.patch create mode 100644 backport-journal-remote-fix-two-minor-memory-leaks.patch create mode 100644 backport-journal-remote-main-pass-the-right-error-variable.patch create mode 100644 backport-journal-remote-use-macro-wrapper-instead-of-alloca-t.patch create mode 100644 backport-journalctl-also-check-arg_file_stdin-with-other-jour.patch create mode 100644 backport-journalctl-don-t-skip-over-messages-not-matching-the.patch create mode 100644 backport-journalctl-honor-quiet-with-setup-keys.patch create mode 100644 backport-journalctl-make-until-work-again-with-after-cursor-a.patch create mode 100644 backport-journalctl-update-help-to-say-priority-range-32323.patch create mode 100644 backport-journald-server-drop-spuriously-doubled-for-OBJECT_S.patch create mode 100644 backport-journald-when-getting-journal-data-via-memfd-check-f.patch create mode 100644 backport-json-add-new-dispatch-flag-JSON_ALLOW_EXTENSIONS.patch create mode 100644 backport-json-use-secure-un-base64-hex-mem-for-sensitive-vari.patch create mode 100644 backport-kbd-model-map-add-a-georgian-mapping.patch create mode 100644 backport-kernel-install-Fix-inspect-with-root-when-no-version.patch create mode 100644 
backport-kernel-install-Only-read-cmdline-from-proc-cmdline-w.patch create mode 100644 backport-kernel-install-Remove-existing-loader-entries-and-UK.patch create mode 100644 backport-kernel-install-Try-some-more-initrd-variants-in-90-l.patch create mode 100644 backport-kernel-install-fix-context_copy.patch create mode 100644 backport-kernel-install-fix-uki-copy-deinstall.patch create mode 100644 backport-kernel-install-remove-depmod-generated-file-modules..patch create mode 100644 backport-kernel-install-silence-num-kernels-installed.patch create mode 100644 backport-keyring-util-Use-reported-key-size-to-resize-buf.patch create mode 100644 backport-killall-fix-errno-check.patch create mode 100644 backport-killall-gracefully-handle-processes-inserted-into-co.patch create mode 100644 backport-libcrypt-util-fix-wrong-errno-value-assignment.patch create mode 100644 backport-libfido2-util-accept-cached-pin-in-fido2_generate_hm.patch create mode 100644 backport-libsystemd-link-with-z-nodelete.patch create mode 100644 backport-libsystemd-network-remove-double-initialization.patch create mode 100644 backport-libsystemd-network-skip-dhcp-server-test-in-case-of-.patch create mode 100644 backport-linux-import-input.h-and-friends.patch create mode 100644 backport-load-fragment-terminate-the-specifier-table-34421.patch create mode 100644 backport-locale-setup-do-not-load-locale-from-environemnt-whe.patch create mode 100644 backport-lock-util-do-not-expect-EACCES-when-it-cannot-happen.patch create mode 100644 backport-log-Fix-size-calculation-for-number-of-iovecs.patch create mode 100644 backport-log-when-writing-a-log-message-to-a-TTY-always-end-l.patch create mode 100644 backport-login-fix-session_kill-.-KILL_LEADER-.-35105.patch create mode 100644 backport-loginctl-show-a-nicer-error-message-when-no-session-.patch create mode 100644 backport-logind-Add-fallback-for-when-the-PIDFDs-property-is-.patch create mode 100644 
backport-logind-Mark-LidClosed-property-as-emits-change.patch create mode 100644 backport-logind-add-one-more-debug-log.patch create mode 100644 backport-logind-allow-read-write-to-char-hvc-devices.patch create mode 100644 backport-logind-dbus-check-auth.-for-all-inhibitor-operations.patch create mode 100644 backport-logind-do-not-fail-creating-a-session-when-request-i.patch create mode 100644 backport-logind-group-policy-entries-by-interface.patch create mode 100644 backport-logind-make-ReleaseSession-unprivileged-and-allow-cl.patch create mode 100644 backport-logind-session-be-tolerant-if-we-failed-to-remove-le.patch create mode 100644 backport-logind-use-handle_action_to_string-where-appropriate.patch create mode 100644 backport-loop-util-fix-error-handling.patch create mode 100644 backport-machine-GC-machine-when-no-leader-PID-is-set.patch create mode 100644 backport-machine-also-acquire-Image-object-from-cache-when-a-.patch create mode 100644 backport-machine-fix-use-after-free-in-Rename-DBus-method.patch create mode 100644 backport-machine-id-setup-Generate-stable-machine-IDs-based-o.patch create mode 100644 backport-machine-id-setup-bhyve-also-provides-a-uuid.patch create mode 100644 backport-machine-resolve-race-condition-in-TEST-13-NSPAWN.mac.patch create mode 100644 backport-machine-split-out-manager_acquire_image-from-image_o.patch create mode 100644 backport-macro-terminate-the-temporary-VA_ARGS_FOREACH-array-.patch create mode 100644 backport-manager-add-list-of-subscribers-to-dump-info.patch create mode 100644 backport-manager-pass-the-right-error-variable.patch create mode 100644 backport-meson-Add-missing-dbus_programs-dependency-on-update.patch create mode 100644 backport-meson-Define-__TARGET_ARCH-macros-required-by-bpf.patch create mode 100644 backport-meson-Skip-getent-when-it-s-not-found.patch create mode 100644 backport-meson-Use-fstrict-flex-arrays-3.patch create mode 100644 backport-meson-add-loongarch64-s-definition-to-cpu_arch_defin.patch 
create mode 100644 backport-meson-add-option-to-build-systemd-executor-staticall.patch create mode 100644 backport-meson-also-skip-uid-gid-check-for-nobody-user-group-.patch create mode 100644 backport-meson-bpf-propagate-sysroot-for-cross-compilation.patch create mode 100644 backport-meson-build-libsystemd-core-via-an-intermediate-stat.patch create mode 100644 backport-meson-check-for-pefile-dependency-before-enabling-uk.patch create mode 100644 backport-meson-copy-prefix-mapping-CFLAGS-when-building-BPF-o.patch create mode 100644 backport-meson-define-s390-for-s390x-when-building-BPF-object.patch create mode 100644 backport-meson-disable-Wnonnull-compare.patch create mode 100644 backport-meson-do-not-attempt-to-install-tests-when-they-are-.patch create mode 100644 backport-meson-do-not-fail-build-with-newer-kernel-headers.patch create mode 100644 backport-meson-drop-arch-filtering-in-syscall-list.patch create mode 100644 backport-meson-enable-Wunterminated-string-initialization.patch create mode 100644 backport-meson-fix-build.patch create mode 100644 backport-meson-fix-installation-of-html-doc-aliases.patch create mode 100644 backport-meson-fix-missing-failure-if-bpf-framework-was-enabl.patch create mode 100644 backport-meson-generate-keyboard-keys-list-from-local-input.h.patch create mode 100644 backport-meson-set-fno-ssa-phiopt-when-building-bpf-with-gcc.patch create mode 100644 backport-meson-sort-includes.patch create mode 100644 backport-missing-change-our-close_range-syscall-wrapper-to-ma.patch create mode 100644 backport-missing_fcntl-Fix-RAW_O_LARGEFILE.patch create mode 100644 backport-missing_loop.h-fix-LOOP_SET_STATUS_SETTABLE_FLAGS.patch create mode 100644 backport-missing_sched-add-CLONE_PIDFD.patch create mode 100644 backport-mkfs-util-Set-sector-size-for-btrfs-as-well.patch create mode 100644 backport-mmap-cache-add-some-stats-about-files-windows-unused.patch create mode 100644 backport-mmap-cache-enforce-an-unused-windows-minimum.patch create 
mode 100644 backport-modprobe-set-ifb-numifbs-0-to-avoid-autocreating-ifb.patch create mode 100644 backport-mount-setup-fix-typo.patch create mode 100644 backport-mountpoint-util-Deal-with-kernel-API-breakage-in-nor.patch create mode 100644 backport-mountpoint-util-do-not-assume-symlinks-are-not-mount.patch create mode 100644 backport-namespace-Fix-extension-release-memory-leak.patch create mode 100644 backport-namespace-don-t-invoke-loopback_setup-unless-we-allo.patch create mode 100644 backport-network-actually-show-the-unexpected-flags.patch create mode 100644 backport-network-adjust-log-message.patch create mode 100644 backport-network-allow-to-configure-interface-MTU-for-CAN-dev.patch create mode 100644 backport-network-call-link_handle_bound_by_list-before-trying.patch create mode 100644 backport-network-dhcp4-disable-IPv6OnlyMode-by-default.patch create mode 100644 backport-network-dhcp4-do-not-set-gateway-if-DNS-server-or-fr.patch create mode 100644 backport-network-dhcp6-deem-DHCPv6-configuration-to-be-finish.patch create mode 100644 backport-network-dhcp6-set-hostname-even-if-UseAddress-no.patch create mode 100644 backport-network-do-not-bring-down-a-bonding-port-interface-w.patch create mode 100644 backport-network-do-not-bring-down-bound-interfaces-immediate.patch create mode 100644 backport-network-do-not-make-the-implied-default-have-the-fir.patch create mode 100644 backport-network-do-not-request-DHCP-addresses-configured-on-.patch create mode 100644 backport-network-do-not-try-to-update-IP-sysctl-settings-for-.patch create mode 100644 backport-network-drop-unused-Manager.routes_foreign.patch create mode 100644 backport-network-fix-typo.patch create mode 100644 backport-network-fix-use-of-wrong-flag.patch create mode 100644 backport-network-generator-drop-wrong-warning-for-rd.peerdns-.patch create mode 100644 backport-network-generator-parse-vlan-ID-from-vlan-interface-.patch create mode 100644 
backport-network-generator-vlan-can-be-specified-multiple-tim.patch create mode 100644 backport-network-link-always-join-to-the-main-interface-when-.patch create mode 100644 backport-network-ndisc-do-not-try-to-set-too-large-value-for-.patch create mode 100644 backport-network-neighbor-add-missing-OOM-check.patch create mode 100644 backport-network-queue-fix-potential-double-free-on-oom.patch create mode 100644 backport-network-request-non-NULL-SSID-when-a-wlan-interface-.patch create mode 100644 backport-network-route-do-not-invalidate-Route-section-when-a.patch create mode 100644 backport-network-route-fix-reachability-check-when-peer-addre.patch create mode 100644 backport-network-save-the-real-rdnss-address.patch create mode 100644 backport-network-split-out-common-checks.patch create mode 100644 backport-network-tc-Avoid-concurrent-set-modification-in-tcla.patch create mode 100644 backport-network-tc-fix-stack-overflow-when-dropping-tclass-o.patch create mode 100644 backport-network-the-maximum-MTU-size-for-CAN-interface-may-b.patch create mode 100644 backport-network-tunnel-allow-Local-Remote-any-for-all-tunnel.patch create mode 100644 backport-network-update-MTU-after-CAN-specific-configs-applie.patch create mode 100644 backport-networkd-Correct-documentation-for-LinkLocalAddressi.patch create mode 100644 backport-networkd-raise-limits-on-number-of-address-8x.patch create mode 100644 backport-networkd-show-wireguard-private-key-read-error-numbe.patch create mode 100644 backport-nspawn-Check-later-whether-to-keep-drop-CAP_NET_BIND.patch create mode 100644 backport-nspawn-Include-arm_fadvise64_64-in-syscall-allow_lis.patch create mode 100644 backport-nspawn-don-t-try-to-unregister-a-machine-we-never-re.patch create mode 100644 backport-nspawn-ignore-failure-in-creating-dev-net-tun-when-p.patch create mode 100644 backport-nspawn-improve-log-message-on-bad-incoming-sd_notify.patch create mode 100644 
backport-nspawn-make-sure-private-users-ownership-no-and-off-.patch create mode 100644 backport-nspawn-pass-the-right-error-variable.patch create mode 100644 backport-nspawn-permit-ephemeral-with-link-journal-try-treat-.patch create mode 100644 backport-nspawn-private-users-ownership-value-is-called-chown.patch create mode 100644 backport-nspawn-refuse-to-bind-mount-device-node-from-host-wh.patch create mode 100644 backport-openssl-util-avoid-freeing-invalid-pointer.patch create mode 100644 backport-os-util-allow-matching-versioned-image-with-extensio.patch create mode 100644 backport-os-util-avoid-matching-on-the-wrong-extension-releas.patch create mode 100644 backport-packit-test-switch-to-legacy-ci-branch.patch create mode 100644 backport-packit-use-Fedora-40.patch create mode 100644 backport-packit-use-the-closest-matching-tag-for-the-checked-.patch create mode 100644 backport-pam-do-not-warn-closing-bus-connection-which-is-open.patch create mode 100644 backport-pam_systemd-always-check-if-session-is-busy.patch create mode 100644 backport-pam_systemd-close-pidfd-after-use.patch create mode 100644 backport-pam_systemd_loadkey-add-missing-PAM_EXTERN.patch create mode 100644 backport-parse-util-accept-arbitrary-MTU-size-when-AF_UNSPEC.patch create mode 100644 backport-path-drop-IN_ATTRIB-from-parent-directory-watches.patch create mode 100644 backport-pcrlock-Pad-pe-hash-to-a-multiple-of-8-bytes.patch create mode 100644 backport-pcrlock-Print-correct-NV-index-when-writing-new-poli.patch create mode 100644 backport-pcrlock-Take-VirtualSize-SizeOfRawData-into-account.patch create mode 100644 backport-pcrlock-tweak-error-messages-when-we-are-not-looking.patch create mode 100644 backport-pe-binary-.initrd-section-is-optional-for-UKI.patch create mode 100644 backport-pe-binary-fix-array-overrun.patch create mode 100644 backport-pid1-make-clear-that-WATCHDOG_USEC-is-set-for-the-sh.patch create mode 100644 backport-po-add-false-positives-to-POTFILES.skip.patch create mode 
100644 backport-portable-Don-t-fail-if-etc-resolv.conf-doesn-t-exist.patch create mode 100644 backport-portable-ensure-PORTABLE_FORCE_ATTACH-works-even-whe.patch create mode 100644 backport-portable-fix-portablectl-list-to-show-the-actual-sta.patch create mode 100644 backport-portable-log-structured-message-when-attach-detach-s.patch create mode 100644 backport-posix_spawn_wrapper-do-not-set-POSIX_SPAWN_SETSIGDEF.patch create mode 100644 backport-preset-all-continue-on-errors-report-more-errors.patch create mode 100644 backport-preset-enable-confext-and-sysext-by-default-31211.patch create mode 100644 backport-process-util-do-not-unblock-unrelated-signals-while-.patch create mode 100644 backport-ptyfwd-add-missing-assertions-for-pty_forward_new.patch create mode 100644 backport-qrcode-util-add-debug-message-to-show-why-a-qrcode-w.patch create mode 100644 backport-qrcode-util-avoid-memleak-in-error-path.patch create mode 100644 backport-random-util-fix-compilation-error.patch create mode 100644 backport-reboot-util-Add-some-basic-validation-on-reboot-argu.patch create mode 100644 backport-recurse-dir-fix-wrong-assertion-and-error-code-in-lo.patch create mode 100644 backport-repart-Keep-existing-directory-timestamps-intact-whe.patch create mode 100644 backport-repart-don-t-crash-when-looping-over-dropped-partiti.patch create mode 100644 backport-repart-don-t-try-to-determine-sector-size-from-a-dis.patch create mode 100644 backport-resize-fs-Put-minimal-ext4-size-in-the-same-ballpark.patch create mode 100644 backport-resolve-NSCOUNT-of-DNS-query-may-not-be-zero.patch create mode 100644 backport-resolve-add-several-comments-for-DNS-type-table.patch create mode 100644 backport-resolve-do-not-listen-to-IPv6-when-disabled-by-sysct.patch create mode 100644 backport-resolve-do-not-trigger-assertion-on-exit.patch create mode 100644 backport-resolve-don-t-add-sockets-to-the-graveyard-on-shutdo.patch create mode 100644 
backport-resolve-fix-wrong-error-cause-assignment-to-log_debu.patch create mode 100644 backport-resolve-mdns-do-not-append-goodby-packet-entries-to-.patch create mode 100644 backport-resolve-on_transaction_stream_error-may-free-multipl.patch create mode 100644 backport-resolve-refuse-invalid-service-without-type-field.patch create mode 100644 backport-resolve-skip-IP_UNICAST_IF-for-local-sockets.patch create mode 100644 backport-resolvectl-use-JSON_ALLOW_EXTENSIONS.patch create mode 100644 backport-resolved-allow-the-full-TTL-to-be-used-by-OPT-record.patch create mode 100644 backport-resolved-also-reply-NOTIMP-when-refusing-a-query-bas.patch create mode 100644 backport-resolved-always-progress-DS-queries.patch create mode 100644 backport-resolved-clear-the-AD-bit-for-bypass-packets.patch create mode 100644 backport-resolved-correct-parsing-of-OPT-extended-RCODEs.patch create mode 100644 backport-resolved-decrease-mdns-llmnr-priority-for-the-revers.patch create mode 100644 backport-resolved-dns-stream-pass-the-right-error-variable.patch create mode 100644 backport-resolved-don-t-cache-NXDOMAIN-for-SUDN-resolver.arpa.patch create mode 100644 backport-resolved-don-t-request-the-SOA-for-every-dns-label.patch create mode 100644 backport-resolved-don-t-treat-conn-reset-as-packet-loss.patch create mode 100644 backport-resolved-explicitly-disconnect-all-left-over-TCP-con.patch create mode 100644 backport-resolved-fix-DNSSEC-missing-key-error.patch create mode 100644 backport-resolved-fix-fastopen-fallback.patch create mode 100644 backport-resolved-if-one-transaction-completes-expect-other-t.patch create mode 100644 backport-resolved-minor-dnssec-fixups.patch create mode 100644 backport-resolved-permit-dnssec-rrtype-questions-when-we-aren.patch create mode 100644 backport-resolved-pick-up-new-DNSSEC-KSC-from-2024.patch create mode 100644 backport-resolved-probe-for-dnssec-support-in-allow-downgrade.patch create mode 100644 
backport-resolved-refresh-resolv.conf-files-when-link-goes-aw.patch create mode 100644 backport-resolved-refuse-queries-with-no-suitable-scope.patch create mode 100644 backport-resolved-request-DS-with-DNSKEY.patch create mode 100644 backport-resolved-validate-authentic-insecure-delegation-to-C.patch create mode 100644 backport-resolved-wait-to-gc-transactions-if-they-might-still.patch create mode 100644 backport-rpm-macros-add-_kernel_install_dir.patch create mode 100644 backport-run-do-not-log-Error-on-PTY-forwarding-logic-when-di.patch create mode 100644 backport-run-handle-gracefully-if-we-can-t-find-binary-client.patch create mode 100644 backport-run-when-disconnected-from-PTY-forwarder-exit-event-.patch create mode 100644 backport-sd-bus-fix-exiting-event-loop-when-sd_bus_set_exit_o.patch create mode 100644 backport-sd-bus-rework-assert-to-make-the-gcc-happy.patch create mode 100644 backport-sd-bus-vtable-add-dummy-macro-to-support-compile-wit.patch create mode 100644 backport-sd-common-add-__const__.patch create mode 100644 backport-sd-daemon-Replace-SO_LINGER-with-shutdown-recv.patch create mode 100644 backport-sd-daemon-downgrade-log-level-for-library-code-use-c.patch create mode 100644 backport-sd-device-add-missing-debugging-log.patch create mode 100644 backport-sd-device-introduce-device_get_sysattr_unsigned_full.patch create mode 100644 backport-sd-device-remove-debug-log-message-when-dirs-are-mis.patch create mode 100644 backport-sd-dhcp-server-clear-buffer-before-receive.patch create mode 100644 backport-sd-dhcp-server-refuse-invalid-hostname-in-request.patch create mode 100644 backport-sd-event-fix-memleak-when-built-without-assertion.patch create mode 100644 backport-sd-event-increase-test-event-timeout-to-120s.patch create mode 100644 backport-sd-event-sd-journal-fix-error-handling-of-inotify_ad.patch create mode 100644 backport-sd-id128-gracefully-handle-systems-where-kernel-keyr.patch create mode 100644 
backport-sd-id128-mark-functions-as-const-not-pure.patch create mode 100644 backport-sd-journal-check-sd-event-state-before-setting-up-po.patch create mode 100644 backport-sd-journal-downgrade-log-message-Unused-data-entry_o.patch create mode 100644 backport-sd-journal-fix-check-in-journal_file_verify_header.patch create mode 100644 backport-sd-journal-use-stat_verify_linked.patch create mode 100644 backport-sd-journal-verify-monotonic-timestamp-before-assigni.patch create mode 100644 backport-sd-netlink-fix-rtnl_resolve_link_alternative_name.patch create mode 100644 backport-sd-radv-fix-potential-buffer-overflow.patch create mode 100644 backport-sd-varlink-fix-bug-when-enqueuing-messages-with-fds-.patch create mode 100644 backport-seccomp-allowlist-uretprobe-syscall.patch create mode 100644 backport-seccomp-util-include-sandbox-in-default.patch create mode 100644 backport-seccomp-util-pass-negative-fds-as-is-to-fsync-and-fr.patch create mode 100644 backport-semaphore-bump-timeout.patch create mode 100644 backport-semaphore-do-not-build-docs.patch create mode 100644 backport-semaphore-move-back-to-autopkgtest-master-branch.patch create mode 100644 backport-semaphore-remove-workaround-for-adduser.patch create mode 100644 backport-semaphore-speed-up-build.patch create mode 100644 backport-semaphore-stop-building-and-running-extra-unit-tests.patch create mode 100644 backport-semaphore-temporarily-pin-autopkgtest-to-v5.32.patch create mode 100644 backport-semaphore-use-variable-for-Salsa-repo-URL.patch create mode 100644 backport-shared-Fix-TPM2-unsealing-when-PCR-values-change.patch create mode 100644 backport-shared-conf-parser-do-not-print-null-as-section-name.patch create mode 100644 backport-shared-hibernate-util-don-t-attempt-to-fiemap-fd-if-.patch create mode 100644 backport-shared-hibernate-util-handle-the-case-where-no-swap-.patch create mode 100644 backport-shared-initialize-a-couple-of-values-explicitly.patch create mode 100644 
backport-shared-install-correctly-report-changes-in-install_i.patch create mode 100644 backport-shared-install-drop-unneeded-initialization.patch create mode 100644 backport-shared-install-propagate-all-errors-in-install_info_.patch create mode 100644 backport-shared-killall-correctly-warn-about-rootfs-daemon-s-.patch create mode 100644 backport-shared-logs-show-restore-infinite-loop-avoidance-for.patch create mode 100644 backport-shared-mountpoint-util-for-old-kernels-assume-noreco.patch create mode 100644 backport-shared-open-file-use-xescape-to-escape.patch create mode 100644 backport-shared-verbs-minor-modernization.patch create mode 100644 backport-shared-verbs-show-list-of-verbs-when-missing.patch create mode 100644 backport-shell-completion-add-kernel-identify-inspect-verbs-f.patch create mode 100644 backport-shell-completion-add-missing-args-to-bash-resolvectl.patch create mode 100644 backport-shell-completion-fix-machinectl-import-tar-raw.patch create mode 100644 backport-shell-completions-install-new-completions-which-were.patch create mode 100644 backport-show-status-suffix-output-ith-CRNL-rather-than-just-.patch create mode 100644 backport-shutdown-Send-EXIT_STATUS-before-final-sync.patch create mode 100644 backport-sleep-connect-to-correct-bus-when-locking-homed-mana.patch create mode 100644 backport-sleep-don-t-log-duplicate-error.patch create mode 100644 backport-src-basic-missing_loop.h-fix-missing-LOOP_SET_BLOCK_.patch create mode 100644 backport-src-pcrlock-pcrlock.c-Handle-empty-pcrlock.d-directo.patch create mode 100644 backport-stat-util-introduce-stat-fd-_verify_linked.patch create mode 100644 backport-stat-util-rebreak-comment.patch create mode 100644 backport-stdio-bridge-fix-polled-fds.patch create mode 100644 backport-storagetm-always-hash-stat.st_mode.patch create mode 100644 backport-storagetm-fix-use-of-wrong-stat-element.patch create mode 100644 backport-strbuf-use-GREEDY_REALLOC-to-grow-the-buffer.patch create mode 100644 
backport-strv-introduce-strv_copy_unless_empty.patch create mode 100644 backport-stub-allocate-and-zero-enough-space-in-legacy-x86-ha.patch create mode 100644 backport-stub-drop-PE-sections-parsing-cap.patch create mode 100644 backport-stub-get-uname-from-image-before-loading-addons.patch create mode 100644 backport-systemctl-allow-user-to-suppress-output-when-no-acti.patch create mode 100644 backport-systemctl-also-grey-out-useful-hints-in-output-since.patch create mode 100644 backport-systemctl-configure-boot-loader-options-only-when-go.patch create mode 100644 backport-systemctl-do-not-try-to-acquire-triggering-units-for.patch create mode 100644 backport-systemctl-edit-ignore-ENOENT-from-unit_is_masked.patch create mode 100644 backport-systemctl-fix-applying-zero-offset-to-null-pointer-U.patch create mode 100644 backport-systemctl-fix-fallback-for-pidfd_open-permission-err.patch create mode 100644 backport-systemctl-grey-out-tasks-limit-the-same-way-we-grey-.patch create mode 100644 backport-systemctl-is-system-running-display-offline-with-ima.patch create mode 100644 backport-systemctl-list-jobs-interchange-waiting-for-and-bloc.patch create mode 100644 backport-systemctl-skip-triggering-unit-warning-if-unit-vanis.patch create mode 100644 backport-systemd-boot-Allow-key-enroll-in-AuditMode.patch create mode 100644 backport-systemd-networkd-tests-Skip-tests-requiring-dhcpd-if.patch create mode 100644 backport-systemd-update-helper-Show-executed-commands-if-debu.patch create mode 100644 backport-sysusers-check-if-requested-group-name-matches-user-.patch create mode 100644 backport-sysusers-tmpfiles-clarify-error-message-for-replace.patch create mode 100644 backport-sysv-generator-break-long-message-into-lines.patch create mode 100644 backport-terminal-util-fix-underlining-with-SYSTEMD_COLORS-no.patch create mode 100644 backport-test-69-send-SIGTERM-to-ask-systemd-nspawn-to-proper.patch create mode 100644 
backport-test-Add-test-for-per-device-cgroup-properties.patch create mode 100644 backport-test-CET-EET-are-deprecated-use-Europe-Berlin-and-Ky.patch create mode 100644 backport-test-Gracefully-handle-running-within-user-namespace.patch create mode 100644 backport-test-add-a-brief-comment-for-the-chattr-check.patch create mode 100644 backport-test-add-a-reproducer-for-33672.patch create mode 100644 backport-test-add-a-test-for-31384.patch create mode 100644 backport-test-add-basic-coverity-tests-for-bootctl.patch create mode 100644 backport-test-add-basic-tests-for-in_addr_prefix_covers_full.patch create mode 100644 backport-test-add-coverate-for-Compress-yes-config-option.patch create mode 100644 backport-test-add-missing-operators.patch create mode 100644 backport-test-add-simple-coverage-tests-for-udevadm-lock.patch create mode 100644 backport-test-add-test-case-for-issue-31776.patch create mode 100644 backport-test-add-test-case-for-issue-34637.patch create mode 100644 backport-test-add-test-case-for-systemd-repart-seed-random.patch create mode 100644 backport-test-add-test-cases-for-issue-30357.patch create mode 100644 backport-test-add-test-cases-for-journal-corruption-on-btrfs.patch create mode 100644 backport-test-add-test-cases-for-timestamp-with-time-zone.patch create mode 100644 backport-test-add-tests-for-seccomp_suppress_sync.patch create mode 100644 backport-test-allow-to-skip-matrix_run_one-if-TEST_MATCH_TEST.patch create mode 100644 backport-test-also-flush-and-rotate-journal-before-read.patch create mode 100644 backport-test-always-try-to-install-the-ext4-module.patch create mode 100644 backport-test-answer-2nd-mdadm-create-question-for-compat-wit.patch create mode 100644 backport-test-applying-timezone-is-asynchronous.patch create mode 100644 backport-test-avoid-NO_CAST.INTEGER_OVERFLOW-in-test-oomd-uti.patch create mode 100644 backport-test-backup-etc-udev-udev.conf-only-if-it-exists.patch create mode 100644 
backport-test-bpf-foreign-programs-pass-the-right-error-varia.patch create mode 100644 backport-test-bpf-restrict-fs-pass-the-right-error-variable.patch create mode 100644 backport-test-call-journalctl-sync-just-before-reading-journa.patch create mode 100644 backport-test-capability-CAP_LINUX_IMMUTABLE-is-not-available.patch create mode 100644 backport-test-check-TPM2B_PUBLIC-name-during-PEM-TPM2B_PUBLIC.patch create mode 100644 backport-test-check-for-dev-loop-control-when-checking-lodev-.patch create mode 100644 backport-test-check-if-resolved-exits-cleanly.patch create mode 100644 backport-test-check-pam-warning-message.patch create mode 100644 backport-test-clean-up-the-code-a-bit.patch create mode 100644 backport-test-create-ESP-and-xbootldr-partitions.patch create mode 100644 backport-test-customize-etc-os-release-instead-of-usr-lib-os-.patch create mode 100644 backport-test-dhcp-client-utilize-log_info-instead-of-printf.patch create mode 100644 backport-test-dhcp-server-Gracefully-handle-the-network-being.patch create mode 100644 backport-test-dhcp6-terminate-fqdn-option.patch create mode 100644 backport-test-disable-testsuite-04.LogFilterPatterns-journal-.patch create mode 100644 backport-test-do-not-attempt-to-set-xattr-on-tmpfs.patch create mode 100644 backport-test-do-not-fail-network-namespace-test-with-permiss.patch create mode 100644 backport-test-do-not-fill-journal-with-diff.patch create mode 100644 backport-test-do-not-fill-journal-with-wait.patch create mode 100644 backport-test-don-t-abbreviate-log-messages-when-dumping-the-.patch create mode 100644 backport-test-don-t-check-for-Dinstall-tests-true-with-NO_BUI.patch create mode 100644 backport-test-don-t-store-udev-worker-coredumps-in-journal.patch create mode 100644 backport-test-don-t-truncate-the-final-journal.patch create mode 100644 backport-test-drop-removed-SCSI-passthrough-feature.patch create mode 100644 backport-test-dump-a-simple-summary-at-the-end-of-TEST-02-UNI.patch create mode 
100644 backport-test-execute-skip-tests-that-are-broken-without-unpr.patch create mode 100644 backport-test-execute-update-permission-of-credstore.patch create mode 100644 backport-test-explicitly-set-TERM-linux-for-TEST-69-SHUTDOWN.patch create mode 100644 backport-test-explicitly-set-nsec3-iterations-to-0.patch create mode 100644 backport-test-extend-firstboot-testing.patch create mode 100644 backport-test-extend-timeout-for-DHCP-NDisc-tests.patch create mode 100644 backport-test-fall-back-to-SYSLOG_IDENTIFIER-matching-where-n.patch create mode 100644 backport-test-fd-util-skip-test-when-lacking-privileges-to-cr.patch create mode 100644 backport-test-fix-TEST-24-CRYPTSETUP-on-SUSE.patch create mode 100644 backport-test-fix-check-for-device-in-test-execute.patch create mode 100644 backport-test-fix-dbus-installation-on-Arch.patch create mode 100644 backport-test-fix-indentation.patch create mode 100644 backport-test-fix-subtests-naming.patch create mode 100644 backport-test-fix-test-scripts-filename-pattern.patch create mode 100644 backport-test-fix-the-container-ID-check.patch create mode 100644 backport-test-fix-tool-name-in-comment.patch create mode 100644 backport-test-flush-the-socket-once-the-triggered-unit-exits.patch create mode 100644 backport-test-forward-journal-messages-to-console-during-sd-b.patch create mode 100644 backport-test-install-all-necessary-units-generators-for-LVM-.patch create mode 100644 backport-test-install-correct-kpartx-udev-rules-on-Debian.patch create mode 100644 backport-test-install-empty-directories-with-NO_BUILD-1.patch create mode 100644 backport-test-install-etc-hosts.patch create mode 100644 backport-test-install-modinfo-to-test-image.patch create mode 100644 backport-test-install-root-introduce-test-case-for-33411.patch create mode 100644 backport-test-install-systemd-boot-in-openSUSE-test-images.patch create mode 100644 backport-test-lock-device-during-running-cryptsetup.patch create mode 100644 
backport-test-loop-block-return-77-on-skip-in-more-places.patch create mode 100644 backport-test-make-TEST-08-INITRD-slightly-less-annoying-to-d.patch create mode 100644 backport-test-make-install_mdadm-also-install-relevant-kernel.patch create mode 100644 backport-test-make-sure-that-sd-boot-is-installed-before-test.patch create mode 100644 backport-test-make-sure-the-dummy-CA-certificate-is-marked-as.patch create mode 100644 backport-test-make-sure-to-install-the-filesystem-package-in-.patch create mode 100644 backport-test-make-the-MemoryHigh-limit-a-bit-more-generous-w.patch create mode 100644 backport-test-make-the-output-of-TEST-69-less-painful-to-read.patch create mode 100644 backport-test-mask-mdmonitor-when-building-image.patch create mode 100644 backport-test-mask-rc.local-generator-broken-on-Jammy.patch create mode 100644 backport-test-mask-the-mdmonitor.service.patch create mode 100644 backport-test-mask-tmpfiles.d-file-shipped-by-selinux-policy-.patch create mode 100644 backport-test-modernize-TEST-55-OOMD-s-init.patch create mode 100644 backport-test-mount-ld.so.cache-in-minimal-nspawn-container-i.patch create mode 100644 backport-test-namespace-SOCK_CLOEXEC-ify-all-the-things.patch create mode 100644 backport-test-netlink-Gracefully-handle-the-loopback-interfac.patch create mode 100644 backport-test-network-add-one-more-test-case-for-DHCP-prefix-.patch create mode 100644 backport-test-network-add-test-case-for-issue-30403.patch create mode 100644 backport-test-network-add-test-case-for-issue-31165.patch create mode 100644 backport-test-network-add-test-case-for-requesting-routing-po.patch create mode 100644 backport-test-network-add-test-for-small-MTU-for-vcan.patch create mode 100644 backport-test-network-add-test-for-stack-overflow-in-qdisc_dr.patch create mode 100644 backport-test-network-also-set-custom-altternative-name-for-n.patch create mode 100644 backport-test-network-check-existence-of-kernel-bug.patch create mode 100644 
backport-test-network-do-not-call-networkctl-if-networkd-is-i.patch create mode 100644 backport-test-network-do-not-fail-if-macvlan-module-is-not-av.patch create mode 100644 backport-test-network-do-not-fail-when-etc-protocols-does-not.patch create mode 100644 backport-test-network-fix-racy-test-for-address_static.patch create mode 100644 backport-test-network-introduce-networkctl-and-friends.patch create mode 100644 backport-test-network-introduce-no-journal-option.patch create mode 100644 backport-test-network-split-out-setup_netdevsim.patch create mode 100644 backport-test-network-split-test_dhcp6pd-into-small-pieces.patch create mode 100644 backport-test-network-sync-journal-before-read.patch create mode 100644 backport-test-network-use-different-destination-from-gateway.patch create mode 100644 backport-test-network-use-read_networkd_log-at-one-more-place.patch create mode 100644 backport-test-never-is-not-a-valid-value-for-Restart.patch create mode 100644 backport-test-nss-hosts-treat-negative-host-lookup-as-slow.patch create mode 100644 backport-test-redirect-stdout-stderr-of-TEST-04-JOURNAL-to-co.patch create mode 100644 backport-test-replace-Europe-Kiev-with-Europe-Kyiv.patch create mode 100644 backport-test-reset-systemd-resolved.service-s-restart-counte.patch create mode 100644 backport-test-reset-systemd-udevd.service-restart-counter.patch create mode 100644 backport-test-sbat-separate-the-two-sbat-sections.patch create mode 100644 backport-test-set-correct-group-for-systemd-journal-upload-te.patch create mode 100644 backport-test-set-ex-separately.patch create mode 100644 backport-test-set-nsec3-salt-length-8-in-knot.conf.patch create mode 100644 backport-test-set-pexpect-s-logfile-early.patch create mode 100644 backport-test-skip-TEST-08-INITRD-if-systemd-didn-t-run-in-th.patch create mode 100644 backport-test-skip-TEST-43-PRIVATEUSER-UNPRIV-if-unprivileged.patch create mode 100644 backport-test-skip-TEST-84-STORAGETM-if-running-with-bugged-l.patch 
create mode 100644 backport-test-skip-a-systemd-run-test-if-unprivileged-userns-.patch create mode 100644 backport-test-skip-test_exec_networknamespacepath-if-netns-se.patch create mode 100644 backport-test-socket-bind-pass-the-right-error-variable.patch create mode 100644 backport-test-split-out-host_has_-btrfs-mdadm-from-TEST-64-UD.patch create mode 100644 backport-test-support-TEST_MATCH_-stuff-in-TEST-23-UNIT-FILE-.patch create mode 100644 backport-test-sync-journal-before-read.patch create mode 100644 backport-test-sync-journal-before-reading-journal.patch create mode 100644 backport-test-sync-journal-before-starting-test.patch create mode 100644 backport-test-tell-delv-to-load-anchors-from-etc-bind.keys-ex.patch create mode 100644 backport-test-temporarily-adjust-the-default-mount-rate-limit.patch create mode 100644 backport-test-temporarily-disable-test_sysctl.patch create mode 100644 backport-test-temporarily-enable-session-lingering-for-the-te.patch create mode 100644 backport-test-terminal-util-print-value-of-colors_enabled.patch create mode 100644 backport-test-test-rpm-macros.sh-add-build-directory-to-pkg-c.patch create mode 100644 backport-test-test-shutdown.py-optionally-display-the-test-I-.patch create mode 100644 backport-test-test-that-delegation-of-some-newer-attrs-that-s.patch create mode 100644 backport-test-time-util-do-more-suppression-of-time-zone-chec.patch create mode 100644 backport-test-time-util-fix-truncation-of-usec-to-sec.patch create mode 100644 backport-test-unset-TZ-before-timezone-sensitive-unit-tests-a.patch create mode 100644 backport-test-use-a-dropin-for-the-journald-snippet.patch create mode 100644 backport-test-use-ahost-instead-of-hosts-where-applicable.patch create mode 100644 backport-test-use-btrfs-mkswapfile-on-btrfs.patch create mode 100644 backport-test-use-lstat-instead-of-stat-follow_symlinks-False.patch create mode 100644 backport-test-use-the-default-nsec3-iterations-value.patch create mode 100644 
backport-test-verify-PEM-TPM2B_PUBLIC-conversion-for-RSA-key-.patch create mode 100644 backport-test-wait-a-bit-before-stopping-killing-service.patch create mode 100644 backport-test-wait-for-loop-backing_file-attribute-being-remo.patch create mode 100644 backport-test-wait-for-partition-device-being-processed-by-ud.patch create mode 100644 backport-test-wait-for-partition-processed-by-udevd.patch create mode 100644 backport-test-wait-for-sessions-being-closed.patch create mode 100644 backport-test-wait-for-slice-unit-being-de-activated.patch create mode 100644 backport-test-wait-for-unit-generated-from-proc-self-mountinf.patch create mode 100644 backport-test-wait-until-the-test-container-is-fully-booted-u.patch create mode 100644 backport-tests-fix-access-mode-of-root-inode-of-throw-away-co.patch create mode 100644 backport-time-util-copy-input-string-before-fork.patch create mode 100644 backport-time-util-fix-parsing-timestamp-with-NZ-timezone.patch create mode 100644 backport-timedate-handle-gracefully-if-RTC-lost-time-because-.patch create mode 100644 backport-timesync-IPTOS_LOWDELAY-IPTOS_DSCP_EF.patch create mode 100644 backport-timesyncd-make-the-transmit-timestamp-in-requests-fu.patch create mode 100644 backport-tmpfiles-Don-t-fail-if-file-does-not-exist-in-item_d.patch create mode 100644 backport-tmpfiles-ERRNO_IS_NOINFO-_IS_NEG_-correct-negative-e.patch create mode 100644 backport-tmpfiles-do-X-bit-check-in-an-ACL-aware-manner.patch create mode 100644 backport-tmpfiles-don-t-compare-errno-with-negative-value.patch create mode 100644 backport-tmpfiles-fix-copypasta-in-create_symlink-FIFO-symlin.patch create mode 100644 backport-tmpfiles-remove-one-more-use-of-goto-and-modernizati.patch create mode 100644 backport-tmpfiles.d-avoid-deprecated-undocumented-syntax-s-F-.patch create mode 100644 backport-tmpfiles.d-systemd-nologin.conf-use-f-instead-of-F-d.patch create mode 100644 backport-tmpfiles.d-systemd-use-ACL-X-bit-where-appropriate.patch create mode 
100644 backport-tpm2-Do-not-use-RSA-exponent-special-case-default-va.patch create mode 100644 backport-tpm2-If-unsealing-results-in-policy-hash-mismatch-wh.patch create mode 100644 backport-tpm2-setup-Add-graceful.patch create mode 100644 backport-tpm2-setup-Don-t-fail-if-we-can-t-access-the-TPM-due.patch create mode 100644 backport-tpm2-setup-add-missing-O_CLOEXEC-at-two-places.patch create mode 100644 backport-tpm2-setup-early-order-against-pcrphase-initrd.patch create mode 100644 backport-tpm2-util-add-generic-wrapper-tpm2_context_new_or_wa.patch create mode 100644 backport-tpm2-util-handle-TPMs-gracefully-that-do-not-support.patch create mode 100644 backport-tree-wide-Fix-Wformat-warnings.patch create mode 100644 backport-tree-wide-always-do-dlopen-with-RTLD_NOW-RTLD_NODELE.patch create mode 100644 backport-tree-wide-be-more-careful-when-passing-literal-integ.patch create mode 100644 backport-tree-wide-check-if-non-empty-password-is-acquired.patch create mode 100644 backport-tree-wide-use-JSON_ALLOW_EXTENSIONS-when-disptching-.patch create mode 100644 backport-udev-Handle-PTP-device-symlink-properly-on-udev-acti.patch create mode 100644 backport-udev-String-substitutions-can-be-done-in-ENV-too.patch create mode 100644 backport-udev-add-hwdb-execution-for-hidraw-subsystem-devices.patch create mode 100644 backport-udev-dmi-memory-id-update-table-with-latest-SMBIOS-s.patch create mode 100644 backport-udev-do-not-try-to-lock-whole-block-device-on-remove.patch create mode 100644 backport-udev-even-if-a-device-is-a-zac-device-scsi-ID_SERIAL.patch create mode 100644 backport-udev-node-skip-stack-directory-creation-for-diskseq.patch create mode 100644 backport-udev-rules-pass-the-right-error-variable.patch create mode 100644 backport-udev-skipping-empty-udev-rules-file-while-collecting.patch create mode 100644 backport-udev-watch-do-not-try-to-remove-invalid-watch-handle.patch create mode 100644 backport-udev-watch-mention-that-the-failure-is-ignored.patch create mode 
100644 backport-udev-worker-add-debugging-log-about-success-of-flock.patch create mode 100644 backport-udevadm-Propagate-return-code-from-verb-result.patch create mode 100644 backport-unit-order-systemd-resolved-after-systemd-sysctl.patch create mode 100644 backport-units-Accept-modules_load-and-rd.modules_load-in-sys.patch create mode 100644 backport-units-add-initrd-directory-to-list-of-conditions-for.patch create mode 100644 backport-userbdctl-show-mapped-user-range-only-inside-of-user.patch create mode 100644 backport-userdb-reset-errno-before-getpwent.patch create mode 100644 backport-userdbctl-avoid-NULL-pointer-deref.patch create mode 100644 backport-userdbctl-correct-uid_range_covers-check.patch create mode 100644 backport-userdbctl-fix-counting.patch create mode 100644 backport-userdbd-properly-close-the-listener-fd-on-exit.patch create mode 100644 backport-util-make-file_read-64bit-offset-safe.patch create mode 100644 backport-utmp-wtmp-check-actual-value-of-bool-instead-of-poin.patch create mode 100644 backport-various-correct-laccess-error-check.patch create mode 100644 backport-various-don-t-log-synthetic-EIO-for-fwrite.patch create mode 100644 backport-variuos-fwrite-does-not-set-errno.patch create mode 100644 backport-varlink-improve-compat-with-varlink-C-reference-impl.patch create mode 100644 backport-varlink-make-errors-returned-by-verify_unix_socket-s.patch create mode 100644 backport-virt-add-Google-Compute-Engine-support.patch create mode 100644 backport-virt-fix-detection-of-avx2-and-friends.patch create mode 100644 backport-virt-support-detection-of-Apple-Virtualization-guest.patch create mode 100644 backport-vmm-make-sure-we-can-handle-smbios-objects-without-v.patch create mode 100644 backport-vmspawn-make-sure-are-fine-with-ovmf-metadata-extens.patch create mode 100644 backport-wait-online-by-default-not-all-interface-need-to-be-.patch create mode 100644 backport-watchdog-clarify-that-we-set-the-watchdog-timeout.patch create mode 100644 
backport-watchdog-ensure-configured-timeout-is-used-instead-o.patch create mode 100644 backport-zsh-_journalctl-complete-g-case-sensitive-help-pseud.patch create mode 100644 backport-zsh-_networkctl-remove-duplicated-argument-for-compl.patch diff --git a/add-a-new-switch-to-control-whether-udev-complies-wi.patch b/add-a-new-switch-to-control-whether-udev-complies-wi.patch index d2b52d6..2ec3c62 100644 --- a/add-a-new-switch-to-control-whether-udev-complies-wi.patch +++ b/add-a-new-switch-to-control-whether-udev-complies-wi.patch @@ -67,7 +67,7 @@ index 651d335..ee1dbe5 100644 int device_wait_for_initialization(sd_device *device, const char *subsystem, usec_t timeout_usec, sd_device **ret); int device_wait_for_devlink(const char *path, const char *subsystem, usec_t timeout_usec, sd_device **ret); diff --git a/src/udev/ata_id/ata_id.c b/src/udev/ata_id/ata_id.c -index 0b1f0b7..92f87d9 100644 +index 4dd7e54..33575c6 100644 --- a/src/udev/ata_id/ata_id.c +++ b/src/udev/ata_id/ata_id.c @@ -31,9 +31,13 @@ @@ -93,8 +93,8 @@ index 0b1f0b7..92f87d9 100644 return log_debug_errno(SYNTHETIC_ERRNO(EIO), "ioctl v4 failed: %m"); } -@@ -410,10 +414,20 @@ static int run(int argc, char *argv[]) { - int r; +@@ -414,10 +418,20 @@ static int run(int argc, char *argv[]) { + int r, peripheral_device_type = -1; log_set_target(LOG_TARGET_AUTO); - udev_parse_config(); diff --git a/backport-99-systemd.rules-rework-SYSTEMD_READY-logic-for-devi.patch b/backport-99-systemd.rules-rework-SYSTEMD_READY-logic-for-devi.patch new file mode 100644 index 0000000..9247e21 --- /dev/null +++ b/backport-99-systemd.rules-rework-SYSTEMD_READY-logic-for-devi.patch 
@@ -0,0 +1,97 @@ +From 20415d357fb0e253df7444019a47674fac4ed1d6 Mon Sep 17 00:00:00 2001 +From: Martin Wilck +Date: Wed, 6 Mar 2024 11:39:00 +0100 +Subject: [PATCH 1160/1160] 99-systemd.rules: rework SYSTEMD_READY logic for + device mapper + +Device mapper devices are set up in multiple steps. The first step, which +generates the initial "add" event, only creates an empty container, which is +useless for higher layers. SYSTEMD_READY should be set to 0 on this event to +avoid premature device activation. + +The event that matters is the "activation" event: the first "change" event on +which DM_UDEV_DISABLE_OTHER_RULES_FLAG=1 is not set. When this event arrives, +the device is ready for being scanned by blkid and similar tools, and for being +activated by systemd. + +Intermittent events with DM_UDEV_DISABLE_OTHER_RULES_FLAG=1 should be ignored +as far as systemd or higher-level block layers are concerned. Previous device +properties and symlinks should be preserved: the device shouldn't be scanned or +activated, but shouldn't be deactivated, either. In particular, SYSTEM_READY +shouldn't be set to 0 if it wasn't set before, because that might cause mounted +file systems to be unmounted. Such intermittent events may occur any time, +before or after the "activation" event. + +DM_UDEV_DISABLE_OTHER_RULES_FLAG=1 can have multiple reasons. One possible reason +is that the device is suspended. There are other reasons that depend on the +device-mapper subsystem (LVM, multipath, dm-crypt, etc.). + +The current systemd rule set + +1) sets SYSTEMD_READY=0 if DM_UDEV_DISABLE_OTHER_RULES_FLAG is set in "add" +events; +2) imports SYSTEMD_READY from the udev db if DM_SUSPENDED is set, and jumps to systemd_end; +3) sets SYSTEMD_READY=1, otherwise. + +This logic has several flaws: + +* 1) can cause file systems to be unmounted if an coldplug event arrives while +a file system is suspended. 
This rule shouldn't be applied for coldplug events +or in general, "synthetic" add events; +* 2) evaluates DM_SUSPENDED=1, which is a device-mapper internal property. +It's wrong to infer that a device is accessible if DM_SUSPENDED=0. +The jump to systemd_end may cause properties and/or symlinks to be lost; +* 3) is superfluous, because SYSTEMD_READY=1 is equivalent with SYSTEMD_READY +being unset, and can create the wrong impression that the device was explicitly +activated. + +This patch fixes the logic as follows: + +- apply 1) only if DM_NAME is empty, which is only the case for the first +"genuine add" event; +- change 2) to use DM_UDEV_DISABLE_OTHER_RULES_FLAG instead of DM_SUSPENDED, +and remove the GOTO directive; +- remove 3). + +Fixes: b7cf1b6 ("udev: use SYSTEMD_READY to mask uninitialized DM devices") +Fixes: 35a6750 ("rules: set SYSTEMD_READY=0 on DM_UDEV_DISABLE_OTHER_RULES_FLAG=1 only with ADD event (#2747)") + +Signed-off-by: Martin Wilck +(cherry picked from commit c072860593329293e19580b337504adb52248462) +--- + rules.d/99-systemd.rules.in | 13 ++++++------- + 1 file changed, 6 insertions(+), 7 deletions(-) + +diff --git a/rules.d/99-systemd.rules.in b/rules.d/99-systemd.rules.in +index d077881696..da0ad81bff 100644 +--- a/rules.d/99-systemd.rules.in ++++ b/rules.d/99-systemd.rules.in +@@ -20,19 +20,18 @@ SUBSYSTEM=="ubi", TAG+="systemd" + + SUBSYSTEM=="block", TAG+="systemd" + +-# We can't make any conclusions about suspended DM devices so let's just import previous SYSTEMD_READY state and skip other rules +-SUBSYSTEM=="block", ENV{DM_SUSPENDED}=="1", IMPORT{db}="SYSTEMD_READY" +-SUBSYSTEM=="block", ENV{DM_SUSPENDED}=="1", GOTO="systemd_end" ++# When a dm device is first created, it's just an empty container. Ignore it. ++# DM_NAME is not set in this case, but it's set on spurious "add" events that occur later. 
++SUBSYSTEM=="block", ACTION=="add", KERNEL=="dm-*", ENV{DM_NAME}!="?*", ENV{SYSTEMD_READY}="0" + +-SUBSYSTEM=="block", ACTION=="add", ENV{DM_UDEV_DISABLE_OTHER_RULES_FLAG}=="1", ENV{SYSTEMD_READY}="0" ++# DM_UDEV_DISABLE_OTHER_RULES_FLAG==1 means that the device shouldn't be probed. ++# Import previous SYSTEMD_READY state. ++SUBSYSTEM=="block", ENV{DM_UDEV_DISABLE_OTHER_RULES_FLAG}=="1", ENV{SYSTEMD_READY}=="", IMPORT{db}="SYSTEMD_READY" + + # Ignore encrypted devices with no identified superblock on it, since + # we are probably still calling mke2fs or mkswap on it. + SUBSYSTEM=="block", ENV{DM_UUID}=="CRYPT-*", ENV{ID_PART_TABLE_TYPE}=="", ENV{ID_FS_USAGE}=="", ENV{SYSTEMD_READY}="0" + +-# Explicitly set SYSTEMD_READY=1 for DM devices that don't have it set yet, so that we always have something to import above +-SUBSYSTEM=="block", ENV{DM_UUID}=="?*", ENV{SYSTEMD_READY}=="", ENV{SYSTEMD_READY}="1" +- + # add symlink to GPT root disk + SUBSYSTEM=="block", ENV{ID_PART_GPT_AUTO_ROOT}=="1", ENV{ID_FS_TYPE}!="crypto_LUKS", SYMLINK+="gpt-auto-root" + SUBSYSTEM=="block", ENV{ID_PART_GPT_AUTO_ROOT}=="1", ENV{ID_FS_TYPE}=="crypto_LUKS", SYMLINK+="gpt-auto-root-luks" +-- +2.33.0 + diff --git a/backport-Add-an-extra-debug-log-to-dissect_image.patch b/backport-Add-an-extra-debug-log-to-dissect_image.patch new file mode 100644 index 0000000..a2d008e --- /dev/null +++ b/backport-Add-an-extra-debug-log-to-dissect_image.patch 
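Review bot: The new `IMPORT{db}="SYSTEMD_READY"` rule for events carrying DM_UDEV_DISABLE_OTHER_RULES_FLAG=1 can still be overridden by the unchanged CRYPT-* rule a few lines below it, which sets `ENV{SYSTEMD_READY}="0"` whenever ID_PART_TABLE_TYPE and ID_FS_USAGE are both empty. On an event where other rules are disabled blkid is presumably not run, so those two properties are only present if the device-mapper rules import them from the database, which is outside this patch; if they are not imported, a dm-crypt device would be marked not-ready on exactly the intermittent events the commit message says must preserve the previous state, and a mounted file system could be unmounted as a result. Worth verifying against the dm rules shipped with this distribution, or adding `ENV{DM_UDEV_DISABLE_OTHER_RULES_FLAG}!="1"` to that CRYPT-* rule so the imported state wins.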
@@ -0,0 +1,28 @@
+From cef973c15d9f089b62f4791e2b2e7a807481aefb Mon Sep 17 00:00:00 2001
+From: Daan De Meyer
+Date: Thu, 19 Sep 2024 14:53:53 +0200
+Subject: [PATCH 0880/1160] Add an extra debug log to dissect_image()
+
+(cherry picked from commit 0121b84e41cd187e44c275a23db1a656656ec37f)
+(cherry picked from commit efd5e357d7ed6b7def0d12631835efd6a5bf5f5a)
+---
+ src/shared/dissect-image.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/shared/dissect-image.c b/src/shared/dissect-image.c
+index 843fea882a..6b671ff1ea 100644
+--- a/src/shared/dissect-image.c
++++ b/src/shared/dissect-image.c
+@@ -970,6 +970,9 @@ static int dissect_image(
+
+ label = blkid_partition_get_name(pp); /* libblkid returns NULL here if empty */
+
++ log_debug("Dissecting %s partition with label %s and UUID %s",
++ strna(partition_designator_to_string(type.designator)), strna(label), SD_ID128_TO_UUID_STRING(id));
++
+ if (IN_SET(type.designator,
+ PARTITION_HOME,
+ PARTITION_SRV,
+--
+2.33.0
+
diff --git a/backport-Add-posttrans-versions-of-the-systemd-postun-scriptl.patch b/backport-Add-posttrans-versions-of-the-systemd-postun-scriptl.patch
new file mode 100644
index 0000000..e842284
--- /dev/null
+++ b/backport-Add-posttrans-versions-of-the-systemd-postun-scriptl.patch
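Review bot: The new `log_debug()` writes `label` verbatim, and `label` comes from `blkid_partition_get_name(pp)`, i.e. from the partition table of the image being dissected; when that image is not trusted, control characters or terminal escape sequences in a GPT partition name reach the log unfiltered. It is only a debug-level message, but logs do end up on consoles and in tooling that renders them, so the label should be sanitized before formatting, e.g. `_cleanup_free_ char *escaped = label ? cescape(label) : NULL;` and then `strna(escaped)` in the format arguments (a NULL from a failed cescape() just prints as "n/a"). The body of dissect_image() begins and ends outside this hunk, so whether `label` is escaped somewhere else cannot be confirmed here.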
@@ -0,0 +1,71 @@ +From 3697aa81ea2e26afe196ff7002dc9a5ea11ab04e Mon Sep 17 00:00:00 2001 +From: Daan De Meyer +Date: Mon, 30 Sep 2024 16:08:17 +0200 +Subject: [PATCH 0896/1160] Add %posttrans versions of the systemd %postun + scriptlets + +On upgrades, only the %postun scriptlets of the old package version +run. This means that any changes related to restarting daemons require +two releases before they're actually used. + +%postun is used because it runs after the old package has been removed, +which is important as it means any lingering dropins from the old package +will have been removed as well. + +To allow deploying fixes in just a single release while still running after +the old package has been removed, let's introduce %posttrans versions of these +scriptlets as %posttrans of the new package runs on upgrade and install after +the old package has been removed. + +(cherry picked from commit 9fd8a9dffe9b8f29da52e4e1481926bceed5ce6c) +(cherry picked from commit d1f11d909f673ade60a4e66a4733c200f9013be3) +--- + src/rpm/macros.systemd.in | 32 ++++++++++++++++++++++++++++++++ + 1 file changed, 32 insertions(+) + +diff --git a/src/rpm/macros.systemd.in b/src/rpm/macros.systemd.in +index 317e13dfd7..97b3ffdd31 100644 +--- a/src/rpm/macros.systemd.in ++++ b/src/rpm/macros.systemd.in +@@ -118,6 +118,38 @@ if [ $1 -ge 1 ] && [ -x "{{SYSTEMD_UPDATE_HELPER_PATH}}" ]; then \ + fi \ + %{nil} + ++%systemd_posttrans_with_restart() \ ++%{expand:%%{?__systemd_someargs_%#:%%__systemd_someargs_%# systemd_posttrans_with_restart}} \ ++if [ $1 -ge 2 ] && [ -x "{{SYSTEMD_UPDATE_HELPER_PATH}}" ]; then \ ++ # Package upgrade, not install \ ++ {{SYSTEMD_UPDATE_HELPER_PATH}} mark-restart-system-units %{?*} || : \ ++fi \ ++%{nil} ++ ++%systemd_user_posttrans_with_restart() \ ++%{expand:%%{?__systemd_someargs_%#:%%__systemd_someargs_%# systemd_user_posttrans_with_restart}} \ ++if [ $1 -ge 2 ] && [ -x "{{SYSTEMD_UPDATE_HELPER_PATH}}" ]; then \ ++ # Package upgrade, not uninstall \ ++ 
{{SYSTEMD_UPDATE_HELPER_PATH}} mark-restart-user-units %{?*} || : \
++fi \
++%{nil}
++
++%systemd_posttrans_with_reload() \
++%{expand:%%{?__systemd_someargs_%#:%%__systemd_someargs_%# systemd_posttrans_with_reload}} \
++if [ $1 -ge 2 ] && [ -x "{{SYSTEMD_UPDATE_HELPER_PATH}}" ]; then \
++ # Package upgrade, not uninstall \
++ {{SYSTEMD_UPDATE_HELPER_PATH}} mark-reload-system-units %{?*} || : \
++fi \
++%{nil}
++
++%systemd_user_posttrans_with_reload() \
++%{expand:%%{?__systemd_someargs_%#:%%__systemd_someargs_%# systemd_user_posttrans_with_reload}} \
++if [ $1 -ge 2 ] && [ -x "{{SYSTEMD_UPDATE_HELPER_PATH}}" ]; then \
++ # Package upgrade, not uninstall \
++ {{SYSTEMD_UPDATE_HELPER_PATH}} mark-reload-user-units %{?*} || : \
++fi \
++%{nil}
++
+ %systemd_user_daemon_reexec() \
+ if [ $1 -ge 1 ] && [ -x "{{SYSTEMD_UPDATE_HELPER_PATH}}" ]; then \
+ # Package upgrade, not uninstall \
+--
+2.33.0
+
diff --git a/backport-CVE-2023-50387.patch b/backport-CVE-2023-50387.patch
index 58a71cf..3873156 100644
--- a/backport-CVE-2023-50387.patch
+++ b/backport-CVE-2023-50387.patch
@@ -1,8 +1,8 @@
 From 1ebdb19ff194120109b08bbf888bdcc502f83211 Mon Sep 17 00:00:00 2001
 From: Ronan Pigott
 Date: Sat, 24 Feb 2024 18:21:24 -0700
-Subject: [PATCH] resolved: limit the number of signature validations in a
- transaction
+Subject: [PATCH 0255/1160] resolved: limit the number of signature validations
+ in a transaction
 
 It has been demonstrated that tolerating an unbounded number of dnssec
 signature validations is a bad idea. It is easy for a maliciously
@@ -19,10 +19,6 @@ signatures encountered per rrset, and another on the total number of
 validations performed per transaction.
 
 (cherry picked from commit 67d0ce8843d612a2245d0966197d4f528b911b66)
-
-Conflict:NA
-Reference:https://github.com/systemd/systemd-stable/commit/1ebdb19ff194120109b08bbf888bdcc502f83211
-
 ---
  src/resolve/resolved-dns-dnssec.c | 16 ++++++++++++++--
  src/resolve/resolved-dns-dnssec.h | 9 ++++++++-
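Review bot: Three of the four new macros carry the comment `# Package upgrade, not uninstall \`, copied from the %postun scriptlets, but %posttrans never runs on uninstall — the `[ $1 -ge 2 ]` test is there to tell an upgrade from a fresh install, and the first new macro (`%systemd_posttrans_with_restart`) already says so with `# Package upgrade, not install \`. The other three (`%systemd_user_posttrans_with_restart`, `%systemd_posttrans_with_reload`, `%systemd_user_posttrans_with_reload`) should use that same wording. Since this patch is a verbatim cherry-pick, the correction belongs in a follow-up patch or upstream rather than edited into the backport.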
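Review bot: The second hunk drops the `Conflict:NA` and `Reference:https://github.com/systemd/systemd-stable/commit/1ebdb19f…` trailers from the CVE-2023-50387 patch header, and the hunks for backport-CVE-2023-50868.patch and backport-CVE-2023-7008.patch on the next line do the same. If those trailers are this repository's provenance convention for security fixes (other patch headers are not visible here), removing them makes it harder to audit where a CVE fix was taken from: for 50387 and 50868 the stable commit id now survives only in the `From` line, and for 7008 the new `(cherry picked from commit 3b4cc1437b51…)` line is the only replacement for the Reference. Keeping the `Reference:` line alongside the renumbered `[PATCH NNNN/1160]` subject would preserve both the series position and the audit trail.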
diff --git a/backport-CVE-2023-50868.patch b/backport-CVE-2023-50868.patch
index c50cfb4..83ce01f 100644
--- a/backport-CVE-2023-50868.patch
+++ b/backport-CVE-2023-50868.patch
@@ -1,7 +1,8 @@
 From 572692f0bdd6a3fabe3dd4a3e8e5565cc69b5e14 Mon Sep 17 00:00:00 2001
 From: Ronan Pigott
 Date: Sun, 25 Feb 2024 00:23:32 -0700
-Subject: [PATCH] resolved: reduce the maximum nsec3 iterations to 100
+Subject: [PATCH 0256/1160] resolved: reduce the maximum nsec3 iterations to
+ 100
 
 According to RFC9267, the 2500 value is not helpful, and in fact it can
 be harmful to permit a large number of iterations. Combined with limits
@@ -10,10 +11,6 @@ impact of maliciously crafted domains designed to cause excessive
 cryptographic work.
 
 (cherry picked from commit eba291124bc11f03732d1fc468db3bfac069f9cb)
-
-Conflict:NA
-Reference:https://github.com/systemd/systemd-stable/commit/572692f0bdd6a3fabe3dd4a3e8e5565cc69b5e14
-
 ---
  src/resolve/resolved-dns-dnssec.c | 5 +++--
  1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/backport-CVE-2023-7008.patch b/backport-CVE-2023-7008.patch
index 1d626c8..736063e 100644
--- a/backport-CVE-2023-7008.patch
+++ b/backport-CVE-2023-7008.patch
@@ -1,13 +1,12 @@
-From 3b4cc1437b51fcc0b08da8cc3f5d1175eed25eb1 Mon Sep 17 00:00:00 2001
+From 6da5ca9dd69c0e3340d4439413718ad4963252de Mon Sep 17 00:00:00 2001
 From: Michal Sekletar
 Date: Wed, 20 Dec 2023 16:44:14 +0100
-Subject: [PATCH] resolved: actually check authenticated flag of SOA
+Subject: [PATCH 0080/1160] resolved: actually check authenticated flag of SOA
 transaction
 
 Fixes #25676
 
-Conflict:NA
-Reference:https://github.com/systemd/systemd/commit/3b4cc1437b51fcc0b08da8cc3f5d1175eed25eb1
+(cherry picked from commit 3b4cc1437b51fcc0b08da8cc3f5d1175eed25eb1)
 ---
  src/resolve/resolved-dns-transaction.c | 4 ++--
  1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/backport-Conditional-PSI-check-to-reflect-changes-done-in-5.1.patch b/backport-Conditional-PSI-check-to-reflect-changes-done-in-5.1.patch
new file mode 100644
index 0000000..22d0c5d
--- /dev/null
+++ b/backport-Conditional-PSI-check-to-reflect-changes-done-in-5.1.patch
@@ -0,0 +1,53 @@ +From a28883e2d666ae17361c2f268041d9696e2dfe6b Mon Sep 17 00:00:00 2001 +From: rhellstrom <97554405+rhellstrom@users.noreply.github.com> +Date: Thu, 27 Jun 2024 11:00:00 +0300 +Subject: [PATCH 0737/1160] Conditional PSI check to reflect changes done + in 5.13 + +cpu.pressure 'full' is undefined for system-wide checks since 5.13 but still reported with values set to 0 for backwards compatibility. Made changes to reflect this for system-wide checks so that the conditional comparison is not made against the 0 value and instead fall back to 'some'. + +https://www.kernel.org/doc/html/latest/accounting/psi.html +(cherry picked from commit 98b1ecc9175a8bb241292f6f441a754b6759dd97) +(cherry picked from commit c2f74defaad3c2d0eb114d3f5aeded07890d9989) +--- + src/shared/condition.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/src/shared/condition.c b/src/shared/condition.c +index d3446e8a9d..3b7436c1d7 100644 +--- a/src/shared/condition.c ++++ b/src/shared/condition.c +@@ -1009,6 +1009,7 @@ static int condition_test_psi(Condition *c, char **env) { + loadavg_t *current, limit; + ResourcePressure pressure; + int r; ++ PressureType preferred_pressure_type = PRESSURE_TYPE_FULL; + + assert(c); + assert(c->parameter); +@@ -1029,6 +1030,10 @@ static int condition_test_psi(Condition *c, char **env) { + return log_debug_errno(r < 0 ? r : SYNTHETIC_ERRNO(EINVAL), "Failed to parse condition parameter %s: %m", c->parameter); + /* If only one parameter is passed, then we look at the global system pressure rather than a specific cgroup. 
*/ + if (r == 1) { ++ /* cpu.pressure 'full' is reported but undefined at system level */ ++ if(c->type == CONDITION_CPU_PRESSURE) ++ preferred_pressure_type = PRESSURE_TYPE_SOME; ++ + pressure_path = path_join("/proc/pressure", pressure_type); + if (!pressure_path) + return log_oom_debug(); +@@ -1133,8 +1138,9 @@ static int condition_test_psi(Condition *c, char **env) { + if (r < 0) + return log_debug_errno(r, "Failed to parse loadavg: %s", c->parameter); + +- r = read_resource_pressure(pressure_path, PRESSURE_TYPE_FULL, &pressure); +- if (r == -ENODATA) /* cpu.pressure 'full' was added recently, fall back to 'some'. */ ++ r = read_resource_pressure(pressure_path, preferred_pressure_type, &pressure); ++ /* cpu.pressure 'full' was recently added at cgroup level, fall back to 'some' */ ++ if (r == -ENODATA && preferred_pressure_type == PRESSURE_TYPE_FULL) + r = read_resource_pressure(pressure_path, PRESSURE_TYPE_SOME, &pressure); + if (r == -ENOENT) { + /* We already checked that /proc/pressure exists, so this means we were given a cgroup +-- +2.33.0 + diff --git a/backport-Ensure-that-a-portable-is-not-detached-when-another-.patch b/backport-Ensure-that-a-portable-is-not-detached-when-another-.patch new file mode 100644 index 0000000..71beee3 --- /dev/null +++ b/backport-Ensure-that-a-portable-is-not-detached-when-another-.patch 
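Review bot: The added `if(c->type == CONDITION_CPU_PRESSURE)` is missing the space after `if`, unlike every surrounding condition in these hunks (`if (r == 1) {`, `if (!pressure_path)`, `if (r == -ENODATA && ...)`); it should read `if (c->type == CONDITION_CPU_PRESSURE)`. The two hunks are also coupled in a way the comments do not state: the guard `preferred_pressure_type == PRESSURE_TYPE_FULL` in the second hunk is what prevents a second read in the system-wide CPU case that already selected 'some' in the first, so a comment such as `/* system-wide cpu.pressure already picked 'some' above, no second attempt then */` next to the new guard would make that explicit. condition_test_psi() starts and ends outside these hunks.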
@@ -0,0 +1,66 @@ +From 802d1341ee88b5df0260cd9d524aee8b80627975 Mon Sep 17 00:00:00 2001 +From: Luca Boccassi +Date: Thu, 28 Mar 2024 11:11:45 +0000 +Subject: [PATCH 0540/1160] Ensure that a portable is not detached when another + portable that shares the same base is detached + +The matches line includes all images, but the logic returned +immediately with a successful match if the first element matches. + +(cherry picked from commit 1cbb79276319923e6f2ebbbc6b5e127a14c16154) +--- + src/portable/portable.c | 34 ++++++++++++++++++---------------- + 1 file changed, 18 insertions(+), 16 deletions(-) + +diff --git a/src/portable/portable.c b/src/portable/portable.c +index ba221fbb85..38b655154c 100644 +--- a/src/portable/portable.c ++++ b/src/portable/portable.c +@@ -1644,26 +1644,28 @@ static bool marker_matches_images(const char *marker, const char *name_or_path, + if (r < 0) + return r; + +- STRV_FOREACH(image_name_or_path, root_and_extensions) { +- _cleanup_free_ char *image = NULL, *base_image = NULL, *base_image_name_or_path = NULL; ++ /* Ensure the number of images passed matches the number of images listed in the marker */ ++ while (!isempty(marker)) ++ STRV_FOREACH(image_name_or_path, root_and_extensions) { ++ _cleanup_free_ char *image = NULL, *base_image = NULL, *base_image_name_or_path = NULL; + +- r = extract_first_word(&marker, &image, ":", EXTRACT_UNQUOTE|EXTRACT_RETAIN_ESCAPE); +- if (r < 0) +- return log_debug_errno(r, "Failed to parse marker: %s", marker); +- if (r == 0) +- return false; ++ r = extract_first_word(&marker, &image, ":", EXTRACT_UNQUOTE|EXTRACT_RETAIN_ESCAPE); ++ if (r < 0) ++ return log_debug_errno(r, "Failed to parse marker: %s", marker); ++ if (r == 0) ++ return false; + +- r = path_extract_image_name(image, &base_image); +- if (r < 0) +- return log_debug_errno(r, "Failed to extract image name from %s, ignoring: %m", image); ++ r = path_extract_image_name(image, &base_image); ++ if (r < 0) ++ return log_debug_errno(r, "Failed to 
extract image name from %s, ignoring: %m", image); + +- r = path_extract_image_name(*image_name_or_path, &base_image_name_or_path); +- if (r < 0) +- return log_debug_errno(r, "Failed to extract image name from %s, ignoring: %m", *image_name_or_path); ++ r = path_extract_image_name(*image_name_or_path, &base_image_name_or_path); ++ if (r < 0) ++ return log_debug_errno(r, "Failed to extract image name from %s, ignoring: %m", *image_name_or_path); + +- if (!streq(base_image, base_image_name_or_path)) +- return false; +- } ++ if (!streq(base_image, base_image_name_or_path)) ++ return false; ++ } + + return true; + } +-- +2.33.0 + diff --git a/backport-Fallback-from-pidfd_open-on-permission-errors-too.patch b/backport-Fallback-from-pidfd_open-on-permission-errors-too.patch new file mode 100644 index 0000000..5c884bc --- /dev/null +++ b/backport-Fallback-from-pidfd_open-on-permission-errors-too.patch 
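Review bot: marker_matches_images() is declared `static bool` (visible in the hunk header), yet the re-indented error paths on the new side still `return log_debug_errno(r, ...)`, and the context line at the top returns `r` on failure; in C a negative int converted to `bool` is `true`, so a marker that cannot be parsed, or an image whose name cannot be extracted, is reported as a match. Since this result decides whether a portable gets detached, those paths should yield `false` explicitly, e.g. `(void) log_debug_errno(r, "Failed to parse marker: %s", marker); return false;`, or the function should return `int` with its callers (outside this hunk) checking `> 0`. The outer `while (!isempty(marker))` also re-walks root_and_extensions from the start when the marker lists more entries than were passed, so a marker repeating the same names would seem to be accepted; that is inferred from the loop shape and worth a test.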
@@ -0,0 +1,48 @@
+From 9c978a8286263aa25a969139ece9d05d24dada09 Mon Sep 17 00:00:00 2001
+From: Luca Boccassi
+Date: Fri, 23 Feb 2024 21:09:11 +0000
+Subject: [PATCH 0253/1160] Fallback from pidfd_open on permission errors too
+
+Skip using pidfds if we get a permission denied error.
+This can happen with an old policy and a new kernel that uses the
+new pidfs filesystem to back pidfds, instead of anonymous inodes,
+as the existing policy denies access.
+
+This is already the case for most uses of pidfd_open, like pidref,
+but not on these two. Fix them.
+
+(cherry picked from commit 857945cc5f2a4c1d6aa0bd7532a995c8480b1cc3)
+---
+ src/login/pam_systemd.c | 2 +-
+ src/systemctl/systemctl-show.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/login/pam_systemd.c b/src/login/pam_systemd.c
+index 3b6539aaac..bf45974ca5 100644
+--- a/src/login/pam_systemd.c
++++ b/src/login/pam_systemd.c
+@@ -820,7 +820,7 @@ static int create_session_message(
+
+ if (!avoid_pidfd) {
+ pidfd = pidfd_open(getpid_cached(), 0);
+- if (pidfd < 0 && !ERRNO_IS_NOT_SUPPORTED(errno))
++ if (pidfd < 0 && !ERRNO_IS_NOT_SUPPORTED(errno) && !ERRNO_IS_PRIVILEGE(errno))
+ return -errno;
+ }
+
+diff --git a/src/systemctl/systemctl-show.c b/src/systemctl/systemctl-show.c
+index 963ba69ab6..e7fabcf235 100644
+--- a/src/systemctl/systemctl-show.c
++++ b/src/systemctl/systemctl-show.c
+@@ -2255,7 +2255,7 @@ static int get_unit_dbus_path_by_pid(
+ * sends the numeric PID. */
+
+ pidfd = pidfd_open(pid, 0);
+- if (pidfd < 0 && ERRNO_IS_NOT_SUPPORTED(errno))
++ if (pidfd < 0 && ERRNO_IS_NOT_SUPPORTED(errno) && !ERRNO_IS_PRIVILEGE(errno))
+ return get_unit_dbus_path_by_pid_fallback(bus, pid, ret_path, ret_unit);
+ if (pidfd < 0)
+ return log_error_errno(errno, "Failed to open PID %"PRIu32": %m", pid);
+--
+2.33.0
+
diff --git a/backport-Fix-KeepCarrier-tun-tap-device-option.patch b/backport-Fix-KeepCarrier-tun-tap-device-option.patch
new file mode 100644
index 0000000..18c64ff
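Review bot: The systemctl-show.c change cannot do what the commit message says: with `ERRNO_IS_NOT_SUPPORTED(errno) && !ERRNO_IS_PRIVILEGE(errno)` the fallback is still taken only for not-supported errors (adding a negated clause to an AND never widens it), so an EPERM/EACCES from pidfd_open() still falls through to `log_error_errno(...)` and the lookup fails. The pam_systemd.c hunk is correct because its condition is the negated form; the systemctl one needs `if (pidfd < 0 && (ERRNO_IS_NOT_SUPPORTED(errno) || ERRNO_IS_PRIVILEGE(errno)))`. Both enclosing functions start and end outside the hunk.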
--- /dev/null
+++ b/backport-Fix-KeepCarrier-tun-tap-device-option.patch
@@ -0,0 +1,123 @@ +From 0e5347b2f936a061705164941dcf9957fa294274 Mon Sep 17 00:00:00 2001 +From: Dmitry Konishchev +Date: Sat, 16 Dec 2023 19:41:57 +0300 +Subject: [PATCH 0114/1160] Fix KeepCarrier tun/tap device option + +When KeepCarrier is set, networkd doesn't close tun/tap file descriptor +preserving the active interface state, but doesn't disable its queue +which makes kernel to think that it's still active and send packets to +it. + +This patch disables the created queue right after tun/tap interface +creation. + +Here is the steps to reproduce the bug: + +Having: + +systemd/network/10-tun-test.netdev: + + [NetDev] + Name=tun-test + Kind=tun + + [Tun] + MultiQueue=yes + KeepCarrier=yes + +systemd/network/10-tun-test.network: + + [Match] + Name=tun-test + + [Network] + DHCP=no + IPv6AcceptRA=false + + LLMNR=false + MulticastDNS=false + + Address=172.31.0.1/24 + +app.c: + + #include + #include + #include + #include + #include + #include + #include + + int main() { + int fd; + struct ifreq ifr; + + memset(&ifr, 0, sizeof ifr); + strcpy(ifr.ifr_name, "tun-test"); + ifr.ifr_flags = IFF_TUN | IFF_NO_PI | IFF_MULTI_QUEUE; + + if((fd = open("/dev/net/tun", O_RDWR)) < 0) { + perror("Open error"); + return 1; + } + + if(ioctl(fd, TUNSETIFF, &ifr)) { + perror("Configure error"); + return 1; + } + + puts("Ready."); + + char buf[1500]; + + while(1) { + int size = read(fd, buf, sizeof buf); + if(size < 0) { + perror("Read error"); + return 1; + } + printf("Read %d bytes.\n", size); + } + + return 0; + } + +Run: +* gcc -o app app.c && ./app +* ping -I tun-test 172.31.0.2 + +Before the patch the app shows no pings, but after it works properly. 
+ +(cherry picked from commit 0e1ab2261cd91f3f7beec1f24134498a853ea4d5) +--- + src/network/netdev/tuntap.c | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +diff --git a/src/network/netdev/tuntap.c b/src/network/netdev/tuntap.c +index 1a37ba3465..9e909d1abc 100644 +--- a/src/network/netdev/tuntap.c ++++ b/src/network/netdev/tuntap.c +@@ -137,6 +137,19 @@ static int netdev_create_tuntap(NetDev *netdev) { + if (ioctl(fd, TUNSETIFF, &ifr) < 0) + return log_netdev_error_errno(netdev, errno, "TUNSETIFF failed: %m"); + ++ if (t->multi_queue) { ++ /* If we don't detach the queue, the kernel will send packets to our queue and they ++ * will be dropped because we never read them, which is especially important in case ++ * of KeepCarrier option which persists open FD. So detach our queue right after ++ * device create/attach to make kernel not send the packets to it. The option is ++ * available for multi-queue devices only. ++ * ++ * See https://github.com/systemd/systemd/pull/30504 for details. */ ++ struct ifreq detach_request = { .ifr_flags = IFF_DETACH_QUEUE }; ++ if (ioctl(fd, TUNSETQUEUE, &detach_request) < 0) ++ return log_netdev_error_errno(netdev, errno, "TUNSETQUEUE failed: %m"); ++ } ++ + if (t->user_name) { + const char *user = t->user_name; + uid_t uid; +-- +2.33.0 + diff --git a/backport-Fix-bpf-framework-build-failure-with-gcc-bpf.patch b/backport-Fix-bpf-framework-build-failure-with-gcc-bpf.patch new file mode 100644 index 0000000..4351196 --- /dev/null +++ b/backport-Fix-bpf-framework-build-failure-with-gcc-bpf.patch 
@@ -0,0 +1,41 @@ +From 4d70912941b69074a9a0c0088f96bd9c401c70c9 Mon Sep 17 00:00:00 2001 +From: Michael Biebl +Date: Fri, 22 Mar 2024 13:26:45 +0100 +Subject: [PATCH 0473/1160] Fix bpf-framework build failure with gcc-bpf + +The -mkernel option was dropped in +https://github.com/gcc-mirror/gcc/commit/da445a5858299ed2a72af1089c225a438ab93ce2 + +We also need to ensure that the include paths are properly set for the +linux kernel headers. + +Fixes: #31869 +(cherry picked from commit 1df021927f119287985ac0cafefcfec9ead6d9ae) +--- + meson.build | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/meson.build b/meson.build +index 1bb18fb740..52de3f5e31 100644 +--- a/meson.build ++++ b/meson.build +@@ -1678,7 +1678,6 @@ if conf.get('BPF_FRAMEWORK') == 1 + '-std=gnu11', + '-fno-stack-protector', + '-O2', +- '-mkernel=5.2', + '-mcpu=v3', + '-mco-re', + '-gbtf', +@@ -1727,7 +1726,7 @@ if conf.get('BPF_FRAMEWORK') == 1 + + bpf_o_unstripped_cmd += ['-I.'] + +- if not meson.is_cross_build() and bpf_compiler == 'clang' ++ if not meson.is_cross_build() + target_triplet_cmd = run_command('gcc', '-dumpmachine', check: false) + if target_triplet_cmd.returncode() == 0 + target_triplet = target_triplet_cmd.stdout().strip() +-- +2.33.0 + diff --git a/backport-Fix-bug-where-systemd-tmpfiles-gets-stuck-on-fifos-i.patch b/backport-Fix-bug-where-systemd-tmpfiles-gets-stuck-on-fifos-i.patch new file mode 100644 index 0000000..c49e505 --- /dev/null +++ b/backport-Fix-bug-where-systemd-tmpfiles-gets-stuck-on-fifos-i.patch 
@@ -0,0 +1,29 @@
+From b912b9a040593aae93b76f182d38f06deca6b401 Mon Sep 17 00:00:00 2001
+From: r-vdp
+Date: Mon, 29 Jan 2024 11:21:12 +0100
+Subject: [PATCH 0283/1160] Fix bug where systemd-tmpfiles gets stuck on fifos
+ in tmp.
+
+Fixes #30690.
+
+(cherry picked from commit 25e6ce1c11a3881cf68d41d4d16711684ef56267)
+---
+ src/tmpfiles/tmpfiles.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/tmpfiles/tmpfiles.c b/src/tmpfiles/tmpfiles.c
+index 230ec09b97..afa3ae275d 100644
+--- a/src/tmpfiles/tmpfiles.c
++++ b/src/tmpfiles/tmpfiles.c
+@@ -819,7 +819,7 @@ static int dir_cleanup(
+
+ fd = xopenat(dirfd(d),
+ de->d_name,
+- O_RDONLY|O_CLOEXEC|O_NOFOLLOW|O_NOATIME,
++ O_RDONLY|O_CLOEXEC|O_NOFOLLOW|O_NOATIME|O_NONBLOCK,
+ /* xopen_flags = */ 0,
+ /* mode = */ 0);
+ if (fd < 0 && !IN_SET(fd, -ENOENT, -ELOOP))
+--
+2.33.0
+
diff --git a/backport-Fix-detection-of-TDX-confidential-VM-on-Azure-platfo.patch b/backport-Fix-detection-of-TDX-confidential-VM-on-Azure-platfo.patch
new file mode 100644
index 0000000..cfaf4c8
--- /dev/null
+++ b/backport-Fix-detection-of-TDX-confidential-VM-on-Azure-platfo.patch
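Review bot: O_NONBLOCK is the entire fix here but nothing at the call site says why it is there, and the reason is not obvious from the flag list: a read-only open(2) of a FIFO blocks until a writer appears, and O_NONBLOCK makes it return at once (it also keeps opens of some device nodes from blocking). Add a why-comment above the flags, e.g. `/* O_NONBLOCK: a read-only open of a FIFO would otherwise block until a writer shows up (#30690) */`. The flag stays set on the returned fd; that is harmless for fstat()/unlinkat()/fdopendir(), but if anything later in dir_cleanup() read()s from this fd and expects blocking semantics it would now see EAGAIN — dir_cleanup()'s body is outside the hunk, so please confirm.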
@@ -0,0 +1,124 @@ +From b994100d4e204fa5bba22973d1dab3468c46db11 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= +Date: Tue, 30 Jul 2024 10:51:21 +0100 +Subject: [PATCH 0815/1160] Fix detection of TDX confidential VM on Azure + platform +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The original CVM detection logic for TDX assumes that the guest can see +the standard TDX CPUID leaf. This was true in Azure when this code was +originally written, however, current Azure now blocks that leaf in the +paravisor. Instead it is required to use the same Azure specific CPUID +leaf that is used for SEV-SNP detection, which reports the VM isolation +type. + +Signed-off-by: Daniel P. Berrangé +(cherry picked from commit 9d7be044cad1ae54e344daf8f2ec37da46faf0fd) +(cherry picked from commit 812fc38b9147232862263e482ce19bec71137b95) +--- + src/basic/confidential-virt.c | 11 ++++++++--- + src/boot/efi/vmm.c | 9 ++++++--- + src/fundamental/confidential-virt-fundamental.h | 1 + + 3 files changed, 15 insertions(+), 6 deletions(-) + +diff --git a/src/basic/confidential-virt.c b/src/basic/confidential-virt.c +index b6521cf5bf..8a88a3eb83 100644 +--- a/src/basic/confidential-virt.c ++++ b/src/basic/confidential-virt.c +@@ -76,7 +76,7 @@ static uint64_t msr(uint64_t index) { + return ret; + } + +-static bool detect_hyperv_sev(void) { ++static bool detect_hyperv_cvm(uint32_t isoltype) { + uint32_t eax, ebx, ecx, edx, feat; + char sig[13] = {}; + +@@ -100,7 +100,7 @@ static bool detect_hyperv_sev(void) { + ebx = ecx = edx = 0; + cpuid(&eax, &ebx, &ecx, &edx); + +- if ((ebx & CPUID_HYPERV_ISOLATION_TYPE_MASK) == CPUID_HYPERV_ISOLATION_TYPE_SNP) ++ if ((ebx & CPUID_HYPERV_ISOLATION_TYPE_MASK) == isoltype) + return true; + } + +@@ -133,7 +133,7 @@ static ConfidentialVirtualization detect_sev(void) { + if (!(eax & EAX_SEV)) { + log_debug("No sev in CPUID, trying hyperv CPUID"); + +- if (detect_hyperv_sev()) ++ if 
(detect_hyperv_cvm(CPUID_HYPERV_ISOLATION_TYPE_SNP)) + return CONFIDENTIAL_VIRTUALIZATION_SEV_SNP; + + log_debug("No hyperv CPUID"); +@@ -171,6 +171,11 @@ static ConfidentialVirtualization detect_tdx(void) { + if (memcmp(sig, CPUID_SIG_INTEL_TDX, sizeof(sig)) == 0) + return CONFIDENTIAL_VIRTUALIZATION_TDX; + ++ log_debug("No tdx in CPUID, trying hyperv CPUID"); ++ ++ if (detect_hyperv_cvm(CPUID_HYPERV_ISOLATION_TYPE_TDX)) ++ return CONFIDENTIAL_VIRTUALIZATION_TDX; ++ + return CONFIDENTIAL_VIRTUALIZATION_NONE; + } + +diff --git a/src/boot/efi/vmm.c b/src/boot/efi/vmm.c +index bfc7acc052..ed654f68c7 100644 +--- a/src/boot/efi/vmm.c ++++ b/src/boot/efi/vmm.c +@@ -346,7 +346,7 @@ static uint64_t msr(uint32_t index) { + return val; + } + +-static bool detect_hyperv_sev(void) { ++static bool detect_hyperv_cvm(uint32_t isoltype) { + uint32_t eax, ebx, ecx, edx, feat; + char sig[13] = {}; + +@@ -363,7 +363,7 @@ static bool detect_hyperv_sev(void) { + if (ebx & CPUID_HYPERV_ISOLATION && !(ebx & CPUID_HYPERV_CPU_MANAGEMENT)) { + __cpuid(CPUID_HYPERV_ISOLATION_CONFIG, eax, ebx, ecx, edx); + +- if ((ebx & CPUID_HYPERV_ISOLATION_TYPE_MASK) == CPUID_HYPERV_ISOLATION_TYPE_SNP) ++ if ((ebx & CPUID_HYPERV_ISOLATION_TYPE_MASK) == isoltype) + return true; + } + +@@ -388,7 +388,7 @@ static bool detect_sev(void) { + * specific CPUID checks. + */ + if (!(eax & EAX_SEV)) +- return detect_hyperv_sev(); ++ return detect_hyperv_cvm(CPUID_HYPERV_ISOLATION_TYPE_SNP); + + msrval = msr(MSR_AMD64_SEV); + +@@ -412,6 +412,9 @@ static bool detect_tdx(void) { + if (memcmp(sig, CPUID_SIG_INTEL_TDX, sizeof(sig)) == 0) + return true; + ++ if (detect_hyperv_cvm(CPUID_HYPERV_ISOLATION_TYPE_TDX)) ++ return true; ++ + return false; + } + #endif /* ! __i386__ && ! 
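Review bot: The new fallback in detect_tdx() returns CONFIDENTIAL_VIRTUALIZATION_TDX purely because the Hyper-V isolation-config CPUID leaf reports type 3, and per the commit message that leaf is served by the Azure paravisor rather than by the TDX module, so callers should treat the result as a hint about the environment and not as evidence that they are in a TDX guest. A one-line comment makes that explicit: `/* Isolation type here is reported by the Hyper-V paravisor, not attested by TDX itself. */`. The SEV path logs `"No hyperv CPUID"` when its Hyper-V probe fails; for symmetry add `log_debug("No hyperv CPUID");` before the final `return CONFIDENTIAL_VIRTUALIZATION_NONE;` here too. detect_tdx() starts outside the hunk.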
__x86_64__ */ +diff --git a/src/fundamental/confidential-virt-fundamental.h b/src/fundamental/confidential-virt-fundamental.h +index 986923e1c2..618b5800ea 100644 +--- a/src/fundamental/confidential-virt-fundamental.h ++++ b/src/fundamental/confidential-virt-fundamental.h +@@ -65,6 +65,7 @@ + + #define CPUID_HYPERV_ISOLATION_TYPE_MASK UINT32_C(0xf) + #define CPUID_HYPERV_ISOLATION_TYPE_SNP 2 ++#define CPUID_HYPERV_ISOLATION_TYPE_TDX 3 + + #define EAX_SEV (UINT32_C(1) << 1) + #define MSR_SEV (UINT64_C(1) << 0) +-- +2.33.0 + diff --git a/backport-Fix-gcc14-Wcalloc-transposed-args-warnings.patch b/backport-Fix-gcc14-Wcalloc-transposed-args-warnings.patch new file mode 100644 index 0000000..2714236 --- /dev/null +++ b/backport-Fix-gcc14-Wcalloc-transposed-args-warnings.patch 
@@ -0,0 +1,98 @@ +From 573649ab73377d3381fe80cffa0cb6bacfc94a55 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Cristian=20Rodr=C3=ADguez?= +Date: Sat, 13 Jan 2024 20:14:05 -0300 +Subject: [PATCH 0147/1160] Fix gcc14 -Wcalloc-transposed-args warnings + +all functions annotated with two parameter _alloc_ are calloc-like. +gcc14 enforces this and warns if arguments are backwards. + +(cherry picked from commit 2a9ab0974bb290bc66dc84d909c33d23361b0752) +--- + src/basic/alloc-util.h | 8 ++++---- + src/cryptenroll/cryptenroll.c | 2 +- + src/libsystemd/sd-bus/bus-message.c | 2 +- + src/libsystemd/sd-login/sd-login.c | 2 +- + 4 files changed, 7 insertions(+), 7 deletions(-) + +diff --git a/src/basic/alloc-util.h b/src/basic/alloc-util.h +index 4f86334d7d..05a6f211f7 100644 +--- a/src/basic/alloc-util.h ++++ b/src/basic/alloc-util.h +@@ -20,7 +20,7 @@ typedef void* (*mfree_func_t)(void *p); + * proceeding and smashing the stack limits. Note that by default RLIMIT_STACK is 8M on Linux. */ + #define ALLOCA_MAX (4U*1024U*1024U) + +-#define new(t, n) ((t*) malloc_multiply(sizeof(t), (n))) ++#define new(t, n) ((t*) malloc_multiply((n), sizeof(t))) + + #define new0(t, n) ((t*) calloc((n) ?: 1, sizeof(t))) + +@@ -45,7 +45,7 @@ typedef void* (*mfree_func_t)(void *p); + (t*) alloca0((sizeof(t)*_n_)); \ + }) + +-#define newdup(t, p, n) ((t*) memdup_multiply(p, sizeof(t), (n))) ++#define newdup(t, p, n) ((t*) memdup_multiply(p, (n), sizeof(t))) + + #define newdup_suffix0(t, p, n) ((t*) memdup_suffix0_multiply(p, sizeof(t), (n))) + +@@ -112,7 +112,7 @@ static inline bool size_multiply_overflow(size_t size, size_t need) { + return _unlikely_(need != 0 && size > (SIZE_MAX / need)); + } + +-_malloc_ _alloc_(1, 2) static inline void *malloc_multiply(size_t size, size_t need) { ++_malloc_ _alloc_(1, 2) static inline void *malloc_multiply(size_t need, size_t size) { + if (size_multiply_overflow(size, need)) + return NULL; + +@@ -128,7 +128,7 @@ _alloc_(2, 3) static inline void *reallocarray(void 
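Review bot: Both parameters of malloc_multiply() and memdup_multiply() are size_t, so swapping their order is invisible to the compiler — a caller not touched by this commit keeps compiling with the old (size, n) order and still gets the same product, which is why the change is safe but also why the build cannot catch a missed site. Meanwhile newdup_suffix0()/memdup_suffix0_multiply() keep the old (size, n) order in the same header (visible as context right after the changed newdup line), so alloc-util.h carries two conventions until a follow-up flips them. Either flip them here as well or mark the difference, e.g. `/* NB: calloc-like (n, size) order; memdup_suffix0_multiply() still takes (size, n) */`.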
*p, size_t need, size_t size + } + #endif + +-_alloc_(2, 3) static inline void *memdup_multiply(const void *p, size_t size, size_t need) { ++_alloc_(2, 3) static inline void *memdup_multiply(const void *p, size_t need, size_t size) { + if (size_multiply_overflow(size, need)) + return NULL; + +diff --git a/src/cryptenroll/cryptenroll.c b/src/cryptenroll/cryptenroll.c +index 5a7f7c3bff..be6892bbd3 100644 +--- a/src/cryptenroll/cryptenroll.c ++++ b/src/cryptenroll/cryptenroll.c +@@ -488,7 +488,7 @@ static int parse_argv(int argc, char *argv[]) { + if (n > INT_MAX) + return log_error_errno(SYNTHETIC_ERRNO(ERANGE), "Slot index out of range: %u", n); + +- a = reallocarray(arg_wipe_slots, sizeof(int), arg_n_wipe_slots + 1); ++ a = reallocarray(arg_wipe_slots, arg_n_wipe_slots + 1, sizeof(int)); + if (!a) + return log_oom(); + +diff --git a/src/libsystemd/sd-bus/bus-message.c b/src/libsystemd/sd-bus/bus-message.c +index ff0228081f..ab8b06896d 100644 +--- a/src/libsystemd/sd-bus/bus-message.c ++++ b/src/libsystemd/sd-bus/bus-message.c +@@ -1288,7 +1288,7 @@ static int message_push_fd(sd_bus_message *m, int fd) { + if (copy < 0) + return -errno; + +- f = reallocarray(m->fds, sizeof(int), m->n_fds + 1); ++ f = reallocarray(m->fds, m->n_fds + 1, sizeof(int)); + if (!f) { + m->poisoned = true; + safe_close(copy); +diff --git a/src/libsystemd/sd-login/sd-login.c b/src/libsystemd/sd-login/sd-login.c +index 4d09b15653..f9e86c6608 100644 +--- a/src/libsystemd/sd-login/sd-login.c ++++ b/src/libsystemd/sd-login/sd-login.c +@@ -1081,7 +1081,7 @@ _public_ int sd_get_uids(uid_t **users) { + uid_t *t; + + n = MAX(16, 2*r); +- t = reallocarray(l, sizeof(uid_t), n); ++ t = reallocarray(l, n, sizeof(uid_t)); + if (!t) + return -ENOMEM; + +-- +2.33.0 + diff --git a/backport-Fix-maybe-uninitialized-warnings-with-gcc-14.2.patch b/backport-Fix-maybe-uninitialized-warnings-with-gcc-14.2.patch new file mode 100644 index 0000000..bd860c4 --- /dev/null 
+++ b/backport-Fix-maybe-uninitialized-warnings-with-gcc-14.2.patch 
@@ -0,0 +1,54 @@ +From 4c9509ad0c57a88370be9e938e3e130a3398e4c5 Mon Sep 17 00:00:00 2001 +From: Luca Boccassi +Date: Wed, 16 Oct 2024 11:42:06 +0100 +Subject: [PATCH 0953/1160] Fix maybe-uninitialized warnings with gcc 14.2 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +../src/resolve/resolved-bus.c: In function ‘call_link_method’: +../src/resolve/resolved-bus.c:1769:16: warning: ‘l’ may be used uninitialized [-Wmaybe-uninitialized] + 1769 | return handler(message, l, error); + | ^~~~~~~~~~~~~~~~~~~~~~~~~~ +../src/resolve/resolved-bus.c:1755:15: note: ‘l’ was declared here + 1755 | Link *l; + | ^ +../src/resolve/resolved-bus.c: In function ‘bus_method_get_link’: +../src/resolve/resolved-bus.c:1828:13: warning: ‘l’ may be used uninitialized [-Wmaybe-uninitialized] + 1828 | p = link_bus_path(l); + | ^~~~~~~~~~~~~~~~ +../src/resolve/resolved-bus.c:1816:15: note: ‘l’ was declared here + 1816 | Link *l; + | ^ + +(cherry picked from commit 5f911aca8434b4163514019fcb4c1c967a50617c) +(cherry picked from commit 2590b77f39f7c1264b686e0b379465f5670631d3) +--- + src/resolve/resolved-bus.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/resolve/resolved-bus.c b/src/resolve/resolved-bus.c +index fb07516d5d..9db4a578c4 100644 +--- a/src/resolve/resolved-bus.c ++++ b/src/resolve/resolved-bus.c +@@ -1739,7 +1739,7 @@ static int get_any_link(Manager *m, int ifindex, Link **ret, sd_bus_error *error + + static int call_link_method(Manager *m, sd_bus_message *message, sd_bus_message_handler_t handler, sd_bus_error *error) { + int ifindex, r; +- Link *l; ++ Link *l = NULL; /* avoid false maybe-uninitialized warning */ + + assert(m); + assert(message); +@@ -1800,7 +1800,7 @@ static int bus_method_get_link(sd_bus_message *message, void *userdata, sd_bus_e + _cleanup_free_ char *p = NULL; + Manager *m = ASSERT_PTR(userdata); + int r, ifindex; +- Link *l; ++ Link *l = NULL; /* avoid false maybe-uninitialized 
warning */ + + assert(message); + +-- +2.33.0 + diff --git a/backport-Fix-reference-to-FileDescriptorStoreMax-directive.patch b/backport-Fix-reference-to-FileDescriptorStoreMax-directive.patch new file mode 100644 index 0000000..ff9e868 --- /dev/null +++ b/backport-Fix-reference-to-FileDescriptorStoreMax-directive.patch @@ -0,0 +1,26 @@ +From 0d25e8b030d4177a26fcabfcfd2b1e054e89c91d Mon Sep 17 00:00:00 2001 +From: Nils K <24257556+septatrix@users.noreply.github.com> +Date: Mon, 23 Sep 2024 21:01:38 +0200 +Subject: [PATCH 0888/1160] Fix reference to FileDescriptorStoreMax= directive + +(cherry picked from commit 543015a164c1fbf22c13c357efb180cf1adc5f03) +(cherry picked from commit c1431b7eff6f8d6b0d571c1ec7bfc49cefbba1f4) +--- + docs/FILE_DESCRIPTOR_STORE.md | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/docs/FILE_DESCRIPTOR_STORE.md b/docs/FILE_DESCRIPTOR_STORE.md +index 206dda7038..757a2a2708 100644 +--- a/docs/FILE_DESCRIPTOR_STORE.md ++++ b/docs/FILE_DESCRIPTOR_STORE.md +@@ -208,6 +208,6 @@ service. + The + [`systemd-run`](https://www.freedesktop.org/software/systemd/man/systemd-run.html) + tool may be used to quickly start a testing binary or similar as a service. Use +-`-p FileDescriptorStore=4711` to enable the fdstore from `systemd-run`'s ++`-p FileDescriptorStoreMax=4711` to enable the fdstore from `systemd-run`'s + command line. By using the `-t` switch you can even interactively communicate + via processes spawned that way, via the TTY. +-- +2.33.0 + diff --git a/backport-Fix-tense-in-SD_MESSAGE_SHUTDOWN_STR.patch b/backport-Fix-tense-in-SD_MESSAGE_SHUTDOWN_STR.patch new file mode 100644 index 0000000..06a3633 --- /dev/null +++ b/backport-Fix-tense-in-SD_MESSAGE_SHUTDOWN_STR.patch 
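Review bot: Initialising `l` to NULL quiets gcc but does not make the later `handler(message, l, error)` / `link_bus_path(l)` any safer: if get_any_link() ever returned success without storing into `*ret`, the call would now dereference NULL instead of an indeterminate pointer. get_any_link()'s body is outside the hunk so I cannot confirm it always sets `*ret` on success; if it does, the "false warning" comment is accurate, otherwise an `assert(l);` right after the get_any_link() call would turn that path into a crash with a useful message. Both call_link_method() and bus_method_get_link() continue outside the hunk.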
@@ -0,0 +1,33 @@
+From 8b516d4116801adfb18e00fbbaa4d8369f480ca9 Mon Sep 17 00:00:00 2001
+From: Andrew Sayers
+Date: Wed, 29 Jan 2025 11:03:00 +0000
+Subject: [PATCH 1100/1160] Fix tense in SD_MESSAGE_SHUTDOWN_STR
+
+This is printed by bus_manager_log_shutdown() in logind-dbus.c,
+near the start of the shutdown process.
+
+Clarify that events *will* happen, long after this message is sent.
+
+(cherry picked from commit 6c45c5a57cac1dd0c35a879bf46d4a42e03e74e1)
+(cherry picked from commit 6936658daf139c5d4114a44116905fb469e5a1e2)
+(cherry picked from commit c25f8b98bc87353c58dd058190a213a3ac12b6eb)
+---
+ catalog/systemd.catalog.in | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/catalog/systemd.catalog.in b/catalog/systemd.catalog.in
+index 7f528e4cac..9a91b66834 100644
+--- a/catalog/systemd.catalog.in
++++ b/catalog/systemd.catalog.in
+@@ -179,7 +179,7 @@ Defined-By: systemd
+ Support: %SUPPORT_URL%
+
+ System shutdown has been initiated. The shutdown has now begun and
+-all system services are terminated and all file systems unmounted.
++all system services will be terminated and all file systems will be unmounted.
+
+ -- c14aaf76ec284a5fa1f105f88dfb061c
+ Subject: System factory reset initiated
+--
+2.33.0
+
diff --git a/backport-Fix-typo-in-CAP_BPF-description-33464.patch b/backport-Fix-typo-in-CAP_BPF-description-33464.patch
new file mode 100644
index 0000000..9553a19
--- /dev/null
+++ b/backport-Fix-typo-in-CAP_BPF-description-33464.patch
@@ -0,0 +1,31 @@
+From f685b22f073b8d56c5c5fcbb87037e8322386e29 Mon Sep 17 00:00:00 2001
+From: Eugeny Shcheglov
+Date: Mon, 24 Jun 2024 21:23:50 +0300
+Subject: [PATCH 0721/1160] Fix typo in CAP_BPF description (#33464)
+
+description_good and description_bad are mixed up. Disabling CAP_BPF results in the inability to load BPF, not the other way around.
+
+(cherry picked from commit 1750e30d237e6d9cdebc6b546d0a26342828dbd1)
+(cherry picked from commit 8e775590f1b25d399fdffa0279a2e244d7afff23)
+---
+ src/analyze/analyze-security.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/analyze/analyze-security.c b/src/analyze/analyze-security.c
+index 5f1b5e6970..e78356d240 100644
+--- a/src/analyze/analyze-security.c
++++ b/src/analyze/analyze-security.c
+@@ -1252,8 +1252,8 @@ static const struct security_assessor security_assessor_table[] = {
+ {
+ .id = "CapabilityBoundingSet=~CAP_BPF",
+ .json_field = "CapabilityBoundingSet_CAP_BPF",
+- .description_good = "Service may load BPF programs",
+- .description_bad = "Service may not load BPF programs",
++ .description_good = "Service may not load BPF programs",
++ .description_bad = "Service may load BPF programs",
+ .url = "https://www.freedesktop.org/software/systemd/man/systemd.exec.html#CapabilityBoundingSet=",
+ .weight = 25,
+ .range = 1,
+--
+2.33.0
+
diff --git a/backport-Fixing-VLAN-ranges-in-man-systemd.network.patch b/backport-Fixing-VLAN-ranges-in-man-systemd.network.patch
new file mode 100644
index 0000000..71dcfd8
--- /dev/null
+++ b/backport-Fixing-VLAN-ranges-in-man-systemd.network.patch
@@ -0,0 +1,30 @@
+From b879b06ed1498f88a01191f4e8422976a80db344 Mon Sep 17 00:00:00 2001
+From: andrejpodzimek
+Date: Wed, 11 Dec 2024 12:46:43 +0000
+Subject: [PATCH 1051/1160] Fixing VLAN ranges in man systemd.network.
+
+Otherwise it doesn't hold that VLANs 100-400 are allowed (because 201-299 are disallowed).
+
+(cherry picked from commit ae2f3af63962ba6e2f67cfce07c9fee61722e30e)
+(cherry picked from commit 9fad72cc52bdec7f44337b1e48c23ee15fc08d77)
+(cherry picked from commit 0102ff403ee230bdd7a0c2b38463d9292fb9c0ae)
+---
+ man/systemd.network.xml | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/man/systemd.network.xml b/man/systemd.network.xml
+index 6d6f98cf1b..7b72a1eba1 100644
+--- a/man/systemd.network.xml
++++ b/man/systemd.network.xml
+@@ -6081,7 +6081,7 @@ PVID=42
+ EgressUntagged=42
+
+ [BridgeVLAN]
+-VLAN=100-200
++VLAN=100-299
+
+ [BridgeVLAN]
+ EgressUntagged=300-400
+--
+2.33.0
+
diff --git a/backport-GREEDY_REALLOC_APPEND-Make-more-type-safe.patch b/backport-GREEDY_REALLOC_APPEND-Make-more-type-safe.patch
new file mode 100644
index 0000000..134475f
--- /dev/null
+++ b/backport-GREEDY_REALLOC_APPEND-Make-more-type-safe.patch
@@ -0,0 +1,35 @@
+From 299118fd081584265a964cfdfbe67f093f757a5d Mon Sep 17 00:00:00 2001
+From: Adrian Vovk
+Date: Wed, 4 Sep 2024 13:44:26 -0400
+Subject: [PATCH 0956/1160] GREEDY_REALLOC_APPEND: Make more type safe
+
+Previously, GREEDY_REALLOC_APPEND would compile perfectly fine and cause
+subtle memory corruption if the caller messes up the type they're passing
+in (i.e. by forgetting to pass-by-reference when appending a Type* to an
+array of Type*). Now this will lead to compilation failure
+
+(cherry picked from commit fafc3c2d5c7fae6bad0f6dc51611ae9390589ade)
+(cherry picked from commit b3fc9021164222fae727988dc1b6203e7c0aa683)
+---
+ src/basic/alloc-util.h | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/src/basic/alloc-util.h b/src/basic/alloc-util.h
+index 136d2b3e68..c71df9bf01 100644
+--- a/src/basic/alloc-util.h
++++ b/src/basic/alloc-util.h
+@@ -155,7 +155,10 @@ void* greedy_realloc_append(void **p, size_t *n_p, const void *from, size_t n_fr
+ greedy_realloc0((void**) &(array), (need), sizeof((array)[0]))
+
+ #define GREEDY_REALLOC_APPEND(array, n_array, from, n_from) \
+- greedy_realloc_append((void**) &(array), (size_t*) &(n_array), (from), (n_from), sizeof((array)[0]))
++ ({ \
++ const typeof(*(array)) *_from_ = (from); \
++ greedy_realloc_append((void**) &(array), &(n_array), _from_, (n_from), sizeof((array)[0])); \
++ })
+
+ #define alloca0(n) \
+ ({ \
+--
+2.33.0
+
diff --git a/backport-Install-pacman-in-Arch-Linux-image.patch b/backport-Install-pacman-in-Arch-Linux-image.patch
new file mode 100644
index 0000000..504b143
--- /dev/null
+++ b/backport-Install-pacman-in-Arch-Linux-image.patch
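Review bot: The commit message credits the `typeof` temporary for the new type safety, but the hunk also quietly drops the `(size_t*)` cast on `&(n_array)`, and since greedy_realloc_append() takes `size_t *n_p` (visible in the hunk header) a caller whose counter is `unsigned` or `int` previously had a size_t written through a pointer to a narrower object and now fails to compile. That is a second, arguably larger, memory-safety win and deserves a sentence in the message and a note in the macro, e.g. `/* n_array must be exactly size_t: no cast, so a narrower counter is rejected at compile time */`. The `typeof(*(array))` check is presumably only as strong as the array's declared element type, so an array declared as `void *` would still accept anything — worth confirming there are no such callers.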
@@ -0,0 +1,28 @@
+From d1b5658450dfe60b8762b521934ef69151fbf661 Mon Sep 17 00:00:00 2001
+From: Daan De Meyer
+Date: Fri, 9 Feb 2024 12:43:43 +0100
+Subject: [PATCH 0295/1160] Install pacman in Arch Linux image
+
+We install apt and dnf in the other images as well, so lets be
+consistent and install pacman in the Arch image as well.
+
+(cherry picked from commit 317cb6f9b51f3d26c3b7a974dd1edee3c45864f5)
+---
+ mkosi.images/system/mkosi.conf.d/10-arch.conf | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/mkosi.images/system/mkosi.conf.d/10-arch.conf b/mkosi.images/system/mkosi.conf.d/10-arch.conf
+index 0b15677ff2..e1a511c979 100644
+--- a/mkosi.images/system/mkosi.conf.d/10-arch.conf
++++ b/mkosi.images/system/mkosi.conf.d/10-arch.conf
+@@ -16,6 +16,7 @@ Packages=
+ man-db
+ openbsd-netcat
+ openssh
++ pacman
+ polkit
+ python-pefile
+ python-psutil
+--
+2.33.0
+
diff --git a/backport-LICENSES-README-expand-text-to-summarize-state-for-b.patch b/backport-LICENSES-README-expand-text-to-summarize-state-for-b.patch
new file mode 100644
index 0000000..fcc891e
--- /dev/null
+++ b/backport-LICENSES-README-expand-text-to-summarize-state-for-b.patch
@@ -0,0 +1,57 @@ +From e22e239cd9d60fd41d197ea39d41c1413d5c9cc6 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Fri, 28 Jun 2024 13:22:40 +0200 +Subject: [PATCH 0728/1160] LICENSES/README: expand text to summarize state for + binaries and libs + +We would say how *sources* are licensed, but actually most user care about the +resulting binaries. So say how the *binaries* are licensed. I used the word +"effectively" because the permissive licenses don't set any requirements on the +binaries, so the license of sources is a complex mix, but the resulting +binaries have a simple effective license. + +Also, make it clear that the GPLv2 license applies to udev programs, but not +the shared library. Based on private correspondence, there's some confusion +about this. + +(cherry picked from commit bd7236912f373e0a06a1b0395000ec67d96767af) +(cherry picked from commit fb747bd8cdcbeb55f9ef3c62289fff8ff5a25b68) +--- + LICENSES/README.md | 14 +++++++++++--- + 1 file changed, 11 insertions(+), 3 deletions(-) + +diff --git a/LICENSES/README.md b/LICENSES/README.md +index e4c9fd6c34..16a53386e5 100644 +--- a/LICENSES/README.md ++++ b/LICENSES/README.md +@@ -13,7 +13,14 @@ The 'LICENSES/' directory contains all the licenses used by the sources included + the systemd project source tree. + + Unless otherwise noted, the systemd project sources are licensed under the terms +-and conditions of the **GNU Lesser General Public License v2.1 or later**. ++and conditions of ++**LGPL-2.1-or-later** (**GNU Lesser General Public License v2.1 or later**). ++ ++Unless otherwise noted, compiled programs and all shared or static libraries ++include sources under **LGPL-2.1-or-later** along with more permissive ++licenses, and are effectively licensed **LGPL-2.1-or-later**. ++systemd-udevd and other udev helper programs also include sources under ++**GPL-2.0-or-later**, and are effectively licensed **GPL-2.0-or-later**. 
+ + New sources that cannot be distributed under LGPL-2.1-or-later will no longer + be accepted for inclusion in the systemd project to maintain license uniformity. +@@ -22,8 +29,9 @@ be accepted for inclusion in the systemd project to maintain license uniformity. + + The following exceptions apply: + +- * some udev sources under src/udev/ are licensed under **GPL-2.0-or-later**, so the +- udev binaries as a whole are also distributed under **GPL-2.0-or-later**. ++ * some sources under src/udev/ are licensed under **GPL-2.0-or-later**, ++ so all udev programs (`systemd-udevd`, `udevadm`, and the udev builtins ++ and test programs) are also distributed under **GPL-2.0-or-later**. + * the header files contained in src/basic/linux/ and src/shared/linux/ are copied + verbatim from the Linux kernel source tree and are licensed under **GPL-2.0 WITH + Linux-syscall-note** and are used within the scope of the Linux-syscall-note +-- +2.33.0 + diff --git a/backport-Measure-empty-PK-and-KEK-EFI-vars.patch b/backport-Measure-empty-PK-and-KEK-EFI-vars.patch new file mode 100644 index 0000000..3632bbf --- /dev/null +++ b/backport-Measure-empty-PK-and-KEK-EFI-vars.patch 
@@ -0,0 +1,50 @@ +From fc3199507cf1f1b5016eb93109c7307449eacb9d Mon Sep 17 00:00:00 2001 +From: Alberto Planas +Date: Thu, 18 Jan 2024 15:38:30 +0100 +Subject: [PATCH 0166/1160] Measure empty PK and KEK EFI vars + +The OVMF UEFI firmware is measuring PK and KEK when secure boot is +disabled, and those variables are absent. This can be checked via the +event log to see that there are extensions for PCR 7 associated with PK +and KEK events of type EV_EFI_VARIABLE_DRIVER_CONFIG. + +When running the "lock-secureboot-policy" verb, pcrlock complains that +those variables are not found and refuse to generate the +240-secureboot-policy.pcrlock.d/generated.pcrlock file. + +The "TCG PC Client Platform Firmware Profile Specification Version 1.05 +Revision 23"[1] from May 7, 2021, in section "3.3.4.8 PCR[7] - Secure +Boot Policy Measurements", point 10.b: + +If reading a UEFI variable returns UEFI_NOT_FOUND, platform firmware +SHALL measure the absence of the variable. The +UEFI_VARIABLE_DATA.VariableDataLength field MUST be set to zero and +UEFI_VARIABLE_DATA.VariableData field will have a size of zero. + +This patch mark those variables to be marked as "synthesize empty", +generating the correct hash for those variables. 
+
+Signed-off-by: Alberto Planas
+(cherry picked from commit 4054e8128e4957f9fde783889485051ec5560d60)
+---
+ src/pcrlock/pcrlock.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/pcrlock/pcrlock.c b/src/pcrlock/pcrlock.c
+index 6baffce7d6..bdc6bbd817 100644
+--- a/src/pcrlock/pcrlock.c
++++ b/src/pcrlock/pcrlock.c
+@@ -2801,8 +2801,8 @@ static int verb_lock_secureboot_policy(int argc, char *argv[], void *userdata) {
+ int synthesize_empty; /* 0 → fail, > 0 → synthesize empty db, < 0 → skip */
+ } variables[] = {
+ { EFI_VENDOR_GLOBAL, "SecureBoot", 0 },
+- { EFI_VENDOR_GLOBAL, "PK", 0 },
+- { EFI_VENDOR_GLOBAL, "KEK", 0 },
++ { EFI_VENDOR_GLOBAL, "PK", 1 },
++ { EFI_VENDOR_GLOBAL, "KEK", 1 },
+ { EFI_VENDOR_DATABASE, "db", 1 },
+ { EFI_VENDOR_DATABASE, "dbx", 1 },
+ { EFI_VENDOR_DATABASE, "dbt", -1 },
+--
+2.33.0
+
diff --git a/backport-Reorder-arguments-for-calloc-like-functions-part-2.patch b/backport-Reorder-arguments-for-calloc-like-functions-part-2.patch
new file mode 100644
index 0000000..7d8f9db
--- /dev/null
+++ b/backport-Reorder-arguments-for-calloc-like-functions-part-2.patch
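Review bot: Flipping PK and KEK to synthesize-empty makes `lock-secureboot-policy` succeed on a platform that has no Platform Key at all — Secure Boot disabled or in setup mode — and silently bakes that unprovisioned state into the predicted PCR 7 value. That is fail-closed (enrolling a PK later changes PCR 7 and the policy stops matching) and is what the spec text in the commit message calls for, but locking to a setup-mode firmware state is something users should be told about, so emit a notice where the synthesize-empty branch fires, e.g. `log_notice("Secure Boot PK/KEK not set; locking policy to an unprovisioned Secure Boot state.");`. SecureBoot itself correctly stays at 0, so a missing SecureBoot variable still fails. The code that acts on synthesize_empty is outside the hunk, as is the rest of verb_lock_secureboot_policy().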
@@ -0,0 +1,100 @@ +From b24c90d567778ee13893f5edfa666042df76e4c0 Mon Sep 17 00:00:00 2001 +From: Frantisek Sumsal +Date: Tue, 16 Jan 2024 22:42:39 +0100 +Subject: [PATCH 0163/1160] Reorder arguments for calloc()-like functions, part + #2 + +To appease gcc-14's -Wcalloc-transposed-args check. + +Follow-up for 2a9ab0974bb290bc66dc84d909c33d23361b0752. + +(cherry picked from commit fdd84270df0062fad68783eea8b51a6ed87b67cd) +--- + src/basic/alloc-util.h | 4 ++-- + src/boot/efi/util.h | 4 ++-- + src/nspawn/nspawn-bind-user.c | 2 +- + src/test/test-alloc-util.c | 4 ++-- + 4 files changed, 7 insertions(+), 7 deletions(-) + +diff --git a/src/basic/alloc-util.h b/src/basic/alloc-util.h +index 05a6f211f7..136d2b3e68 100644 +--- a/src/basic/alloc-util.h ++++ b/src/basic/alloc-util.h +@@ -47,7 +47,7 @@ typedef void* (*mfree_func_t)(void *p); + + #define newdup(t, p, n) ((t*) memdup_multiply(p, (n), sizeof(t))) + +-#define newdup_suffix0(t, p, n) ((t*) memdup_suffix0_multiply(p, sizeof(t), (n))) ++#define newdup_suffix0(t, p, n) ((t*) memdup_suffix0_multiply(p, (n), sizeof(t))) + + #define malloc0(n) (calloc(1, (n) ?: 1)) + +@@ -137,7 +137,7 @@ _alloc_(2, 3) static inline void *memdup_multiply(const void *p, size_t need, si + + /* Note that we can't decorate this function with _alloc_() since the returned memory area is one byte larger + * than the product of its parameters. 
*/ +-static inline void *memdup_suffix0_multiply(const void *p, size_t size, size_t need) { ++static inline void *memdup_suffix0_multiply(const void *p, size_t need, size_t size) { + if (size_multiply_overflow(size, need)) + return NULL; + +diff --git a/src/boot/efi/util.h b/src/boot/efi/util.h +index aef831d132..6e15a8b85d 100644 +--- a/src/boot/efi/util.h ++++ b/src/boot/efi/util.h +@@ -36,7 +36,7 @@ static inline void *xmalloc(size_t size) { + } + + _malloc_ _alloc_(1, 2) _returns_nonnull_ _warn_unused_result_ +-static inline void *xmalloc_multiply(size_t size, size_t n) { ++static inline void *xmalloc_multiply(size_t n, size_t size) { + assert_se(!__builtin_mul_overflow(size, n, &size)); + return xmalloc(size); + } +@@ -57,7 +57,7 @@ static inline void* xmemdup(const void *p, size_t l) { + return memcpy(xmalloc(l), p, l); + } + +-#define xnew(type, n) ((type *) xmalloc_multiply(sizeof(type), (n))) ++#define xnew(type, n) ((type *) xmalloc_multiply((n), sizeof(type))) + + typedef struct { + EFI_PHYSICAL_ADDRESS addr; +diff --git a/src/nspawn/nspawn-bind-user.c b/src/nspawn/nspawn-bind-user.c +index 0a8653033d..61d8d304e6 100644 +--- a/src/nspawn/nspawn-bind-user.c ++++ b/src/nspawn/nspawn-bind-user.c +@@ -286,7 +286,7 @@ int bind_user_prepare( + if (!sd) + return log_oom(); + +- cm = reallocarray(*custom_mounts, sizeof(CustomMount), *n_custom_mounts + 1); ++ cm = reallocarray(*custom_mounts, *n_custom_mounts + 1, sizeof(CustomMount)); + if (!cm) + return log_oom(); + +diff --git a/src/test/test-alloc-util.c b/src/test/test-alloc-util.c +index 57cb886c41..24cb5f73eb 100644 +--- a/src/test/test-alloc-util.c ++++ b/src/test/test-alloc-util.c +@@ -100,7 +100,7 @@ TEST(memdup_multiply_and_greedy_realloc) { + size_t i; + int *p; + +- dup = memdup_suffix0_multiply(org, sizeof(int), 3); ++ dup = memdup_suffix0_multiply(org, 3, sizeof(int)); + assert_se(dup); + assert_se(dup[0] == 1); + assert_se(dup[1] == 2); +@@ -108,7 +108,7 @@ TEST(memdup_multiply_and_greedy_realloc) 
{ + assert_se(((uint8_t*) dup)[sizeof(int) * 3] == 0); + free(dup); + +- dup = memdup_multiply(org, sizeof(int), 3); ++ dup = memdup_multiply(org, 3, sizeof(int)); + assert_se(dup); + assert_se(dup[0] == 1); + assert_se(dup[1] == 2); +-- +2.33.0 + diff --git a/backport-Restart-the-DHCPv4-client-when-max-REQUEST-attempts-.patch b/backport-Restart-the-DHCPv4-client-when-max-REQUEST-attempts-.patch new file mode 100644 index 0000000..9180705 --- /dev/null +++ b/backport-Restart-the-DHCPv4-client-when-max-REQUEST-attempts-.patch 
@@ -0,0 +1,190 @@ +From 0c7e1fd7f92d8c4869b73843589a4ad431f2c6b3 Mon Sep 17 00:00:00 2001 +From: Andres Beltran +Date: Tue, 21 Nov 2023 22:29:14 +0000 +Subject: [PATCH 0261/1160] Restart the DHCPv4 client when max REQUEST attempts + is reached + +(cherry picked from commit 6ff84614f52fa4587ce793a89d7600bf36c0f02d) +--- + src/libsystemd-network/sd-dhcp-client.c | 60 +++++++++++++++++-------- + 1 file changed, 42 insertions(+), 18 deletions(-) + +diff --git a/src/libsystemd-network/sd-dhcp-client.c b/src/libsystemd-network/sd-dhcp-client.c +index 67911a2b93..24bcd74ba2 100644 +--- a/src/libsystemd-network/sd-dhcp-client.c ++++ b/src/libsystemd-network/sd-dhcp-client.c +@@ -112,8 +112,10 @@ struct sd_dhcp_client { + usec_t t1_time; + usec_t t2_time; + usec_t expire_time; +- uint64_t attempt; +- uint64_t max_attempts; ++ uint64_t discover_attempt; ++ uint64_t request_attempt; ++ uint64_t max_discover_attempts; ++ uint64_t max_request_attempts; + OrderedHashmap *extra_options; + OrderedHashmap *vendor_options; + sd_event_source *timeout_t1; +@@ -177,6 +179,7 @@ static int client_receive_message_udp( + uint32_t revents, + void *userdata); + static void client_stop(sd_dhcp_client *client, int error); ++static int client_restart(sd_dhcp_client *client); + + int sd_dhcp_client_id_to_string(const void *data, size_t len, char **ret) { + const sd_dhcp_client_id *client_id = data; +@@ -673,7 +676,7 @@ int sd_dhcp_client_set_max_attempts(sd_dhcp_client *client, uint64_t max_attempt + assert_return(client, -EINVAL); + assert_return(!sd_dhcp_client_is_running(client), -EBUSY); + +- client->max_attempts = max_attempts; ++ client->max_discover_attempts = max_attempts; + + return 0; + } +@@ -798,7 +801,8 @@ static int client_initialize(sd_dhcp_client *client) { + (void) event_source_disable(client->timeout_expire); + (void) event_source_disable(client->timeout_ipv6_only_mode); + +- client->attempt = 0; ++ client->discover_attempt = 0; ++ client->request_attempt = 0; + + 
client_set_state(client, DHCP_STATE_STOPPED); + client->xid = 0; +@@ -1332,13 +1336,19 @@ static int client_timeout_resend( + case DHCP_STATE_INIT: + case DHCP_STATE_INIT_REBOOT: + case DHCP_STATE_SELECTING: ++ if (client->discover_attempt >= client->max_discover_attempts) ++ goto error; ++ ++ client->discover_attempt++; ++ next_timeout = client_compute_request_timeout(time_now, client->discover_attempt); ++ break; + case DHCP_STATE_REQUESTING: + case DHCP_STATE_BOUND: +- if (client->attempt >= client->max_attempts) ++ if (client->request_attempt >= client->max_request_attempts) + goto error; + +- client->attempt++; +- next_timeout = client_compute_request_timeout(time_now, client->attempt); ++ client->request_attempt++; ++ next_timeout = client_compute_request_timeout(time_now, client->request_attempt); + break; + + case DHCP_STATE_STOPPED: +@@ -1362,14 +1372,14 @@ static int client_timeout_resend( + r = client_send_discover(client); + if (r >= 0) { + client_set_state(client, DHCP_STATE_SELECTING); +- client->attempt = 0; +- } else if (client->attempt >= client->max_attempts) ++ client->discover_attempt = 0; ++ } else if (client->discover_attempt >= client->max_discover_attempts) + goto error; + break; + + case DHCP_STATE_SELECTING: + r = client_send_discover(client); +- if (r < 0 && client->attempt >= client->max_attempts) ++ if (r < 0 && client->discover_attempt >= client->max_discover_attempts) + goto error; + break; + +@@ -1378,7 +1388,7 @@ static int client_timeout_resend( + case DHCP_STATE_RENEWING: + case DHCP_STATE_REBINDING: + r = client_send_request(client); +- if (r < 0 && client->attempt >= client->max_attempts) ++ if (r < 0 && client->request_attempt >= client->max_request_attempts) + goto error; + + if (client->state == DHCP_STATE_INIT_REBOOT) +@@ -1395,12 +1405,20 @@ static int client_timeout_resend( + goto error; + } + +- if (client->attempt >= TRANSIENT_FAILURE_ATTEMPTS) ++ if (client->discover_attempt >= TRANSIENT_FAILURE_ATTEMPTS) + 
client_notify(client, SD_DHCP_CLIENT_EVENT_TRANSIENT_FAILURE); + + return 0; + + error: ++ /* Avoid REQUEST infinite loop. Per RFC 2131 section 3.1.5: if the client receives ++ neither a DHCPACK or a DHCPNAK message after employing the retransmission algorithm, ++ the client reverts to INIT state and restarts the initialization process */ ++ if (client->request_attempt >= client->max_request_attempts) { ++ log_dhcp_client(client, "Max REQUEST attempts reached. Restarting..."); ++ client_restart(client); ++ return 0; ++ } + client_stop(client, r); + + /* Errors were dealt with when stopping the client, don't spill +@@ -1533,7 +1551,8 @@ static int client_timeout_t2(sd_event_source *s, uint64_t usec, void *userdata) + client->fd = safe_close(client->fd); + + client_set_state(client, DHCP_STATE_REBINDING); +- client->attempt = 0; ++ client->discover_attempt = 0; ++ client->request_attempt = 0; + + r = dhcp_network_bind_raw_socket(client->ifindex, &client->link, client->xid, + &client->hw_addr, &client->bcast_addr, +@@ -1556,7 +1575,8 @@ static int client_timeout_t1(sd_event_source *s, uint64_t usec, void *userdata) + client_set_state(client, DHCP_STATE_RENEWING); + else if (client->state != DHCP_STATE_INIT) + client_set_state(client, DHCP_STATE_INIT_REBOOT); +- client->attempt = 0; ++ client->discover_attempt = 0; ++ client->request_attempt = 0; + + return client_initialize_time_events(client); + } +@@ -1696,7 +1716,8 @@ static int client_enter_requesting_now(sd_dhcp_client *client) { + assert(client); + + client_set_state(client, DHCP_STATE_REQUESTING); +- client->attempt = 0; ++ client->discover_attempt = 0; ++ client->request_attempt = 0; + + return event_reset_time(client->event, &client->timeout_resend, + CLOCK_BOOTTIME, 0, 0, +@@ -1923,7 +1944,8 @@ static int client_enter_bound_now(sd_dhcp_client *client, int notify_event) { + notify_event = SD_DHCP_CLIENT_EVENT_IP_ACQUIRE; + + client_set_state(client, DHCP_STATE_BOUND); +- client->attempt = 0; ++ 
client->discover_attempt = 0; ++ client->request_attempt = 0; + + client->last_addr = client->lease->address; + +@@ -2253,7 +2275,8 @@ int sd_dhcp_client_send_renew(sd_dhcp_client *client) { + assert(client->lease); + + client->start_delay = 0; +- client->attempt = 1; ++ client->discover_attempt = 1; ++ client->request_attempt = 1; + client_set_state(client, DHCP_STATE_RENEWING); + + return client_initialize_time_events(client); +@@ -2506,7 +2529,8 @@ int sd_dhcp_client_new(sd_dhcp_client **ret, int anonymize) { + .mtu = DHCP_MIN_PACKET_SIZE, + .port = DHCP_PORT_CLIENT, + .anonymize = !!anonymize, +- .max_attempts = UINT64_MAX, ++ .max_discover_attempts = UINT64_MAX, ++ .max_request_attempts = 5, + .ip_service_type = -1, + }; + /* NOTE: this could be moved to a function. */ +-- +2.33.0 + diff --git a/backport-Revert-bpf-test-with-GCC-BPF-compiler-on-opensuse.patch b/backport-Revert-bpf-test-with-GCC-BPF-compiler-on-opensuse.patch new file mode 100644 index 0000000..e7f0798 --- /dev/null +++ b/backport-Revert-bpf-test-with-GCC-BPF-compiler-on-opensuse.patch 
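Review bot: At the new `error:` branch in client_timeout_resend() the return value of `client_restart(client)` is discarded, so a restart that fails (the function is declared `static int`, so it evidently can) leaves the client neither stopped nor restarted while the timeout handler still reports 0. Keep the result and fall back to the existing stop path on failure: `r = client_restart(client); if (r >= 0) return 0;` placed before the unchanged `client_stop(client, r);`. Separately, `max_request_attempts` is fixed at 5 in sd_dhcp_client_new() with no setter, and sd_dhcp_client_set_max_attempts() now only bounds DISCOVERs; that split deserves a comment on the setter, e.g. `/* Bounds DISCOVER retries only; REQUEST retries are capped by max_request_attempts and trigger a restart, not a stop. */`. client_timeout_resend() starts and ends outside this hunk.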
@@ -0,0 +1,48 @@ +From 0ea06c5f01518ec61e3376c53c822ba619139abe Mon Sep 17 00:00:00 2001 +From: Luca Boccassi +Date: Tue, 23 Apr 2024 23:45:17 +0100 +Subject: [PATCH 0545/1160] Revert "bpf: test with GCC BPF compiler on + opensuse" + +The bpf build is currently broken with the gcc available in suse due +to a conflict with stdint headers definitions in socket-bind-api.bpf.h +after 30897ddf5018da21266e4b8a28a4a925c4681de4 + +This reverts commit e4086f7dc9c40578047fa26c669ffc4c1191b85c. +--- + mkosi.images/base/mkosi.build.chroot | 6 ------ + mkosi.images/base/mkosi.conf.d/10-opensuse.conf | 1 - + 2 files changed, 7 deletions(-) + +diff --git a/mkosi.images/base/mkosi.build.chroot b/mkosi.images/base/mkosi.build.chroot +index f26098cedf..02dcbc7b3d 100755 +--- a/mkosi.images/base/mkosi.build.chroot ++++ b/mkosi.images/base/mkosi.build.chroot +@@ -193,12 +193,6 @@ if [ ! -f "$BUILDDIR"/build.ninja ]; then + ) + fi + +- if grep -q '^ID="opensuse' /usr/lib/os-release; then +- CONFIGURE_OPTS+=( +- -Dbpf-compiler=gcc +- ) +- fi +- + ( set -x; meson setup "$BUILDDIR" "$SRCDIR" "${CONFIGURE_OPTS[@]}" ) + fi + +diff --git a/mkosi.images/base/mkosi.conf.d/10-opensuse.conf b/mkosi.images/base/mkosi.conf.d/10-opensuse.conf +index ec91b4901f..5aae0ed8fb 100644 +--- a/mkosi.images/base/mkosi.conf.d/10-opensuse.conf ++++ b/mkosi.images/base/mkosi.conf.d/10-opensuse.conf +@@ -44,7 +44,6 @@ Packages= + BuildPackages= + audit-devel + bpftool +- cross-bpf-gcc13 + dbus-1-devel + fdupes + gcc-c++ +-- +2.33.0 + diff --git a/backport-Revert-mkosi-pin-CentOS8-kernel-to-working-version.patch b/backport-Revert-mkosi-pin-CentOS8-kernel-to-working-version.patch new file mode 100644 index 0000000..05e96aa --- /dev/null +++ b/backport-Revert-mkosi-pin-CentOS8-kernel-to-working-version.patch 
@@ -0,0 +1,85 @@ +From 2bc6ad67a3c9b08eb3c8603837e3ce37ece4974f Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Tue, 23 Jan 2024 16:42:11 +0100 +Subject: [PATCH 0188/1160] Revert "mkosi: pin CentOS8 kernel to working + version" + +This reverts commit a64398b2ca1cdaee291550face0d1ce5f8ea52f6. + +Equivalent to 97e52d62fbf9890bfc55193898ccffdc638ec182. +--- + mkosi.images/system/mkosi.conf.d/10-centos-fedora.conf | 1 + + mkosi.images/system/mkosi.conf.d/10-centos/mkosi.conf | 4 ++++ + .../mkosi.conf.d/10-centos/mkosi.conf.d/10-centos8.conf | 9 --------- + .../mkosi.conf.d/10-centos/mkosi.conf.d/10-centos9.conf | 9 --------- + mkosi.images/system/mkosi.conf.d/10-fedora.conf | 1 - + 5 files changed, 5 insertions(+), 19 deletions(-) + delete mode 100644 mkosi.images/system/mkosi.conf.d/10-centos/mkosi.conf.d/10-centos8.conf + delete mode 100644 mkosi.images/system/mkosi.conf.d/10-centos/mkosi.conf.d/10-centos9.conf + +diff --git a/mkosi.images/system/mkosi.conf.d/10-centos-fedora.conf b/mkosi.images/system/mkosi.conf.d/10-centos-fedora.conf +index 145c79bf63..67d46432d4 100644 +--- a/mkosi.images/system/mkosi.conf.d/10-centos-fedora.conf ++++ b/mkosi.images/system/mkosi.conf.d/10-centos-fedora.conf +@@ -14,6 +14,7 @@ Packages= + integritysetup + iproute + iproute-tc ++ kernel-core + libcap-ng-utils + netcat + openssh-server +diff --git a/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.conf b/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.conf +index af4862d4b1..146e03a895 100644 +--- a/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.conf ++++ b/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.conf +@@ -2,3 +2,7 @@ + + [Match] + Distribution=centos ++ ++[Content] ++Packages= ++ kernel-modules # For squashfs support +diff --git a/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.conf.d/10-centos8.conf b/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.conf.d/10-centos8.conf +deleted file mode 100644 +index 30643e72b3..0000000000 
+--- a/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.conf.d/10-centos8.conf ++++ /dev/null +@@ -1,9 +0,0 @@ +-# SPDX-License-Identifier: LGPL-2.1-or-later +- +-[Match] +-Release=8 +- +-[Content] +-Packages= +- kernel-core-4.18.0-521.el8 +- kernel-modules-4.18.0-521.el8 # For squashfs support +diff --git a/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.conf.d/10-centos9.conf b/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.conf.d/10-centos9.conf +deleted file mode 100644 +index a21739f230..0000000000 +--- a/mkosi.images/system/mkosi.conf.d/10-centos/mkosi.conf.d/10-centos9.conf ++++ /dev/null +@@ -1,9 +0,0 @@ +-# SPDX-License-Identifier: LGPL-2.1-or-later +- +-[Match] +-Release=9 +- +-[Content] +-Packages= +- kernel-core +- kernel-modules +diff --git a/mkosi.images/system/mkosi.conf.d/10-fedora.conf b/mkosi.images/system/mkosi.conf.d/10-fedora.conf +index 281e9464f6..42d0093a89 100644 +--- a/mkosi.images/system/mkosi.conf.d/10-fedora.conf ++++ b/mkosi.images/system/mkosi.conf.d/10-fedora.conf +@@ -8,4 +8,3 @@ Packages= + btrfs-progs + compsize + f2fs-tools +- kernel-core +-- +2.33.0 + diff --git a/backport-Revert-sysusers.d-create-the-user-for-systemd-journa.patch b/backport-Revert-sysusers.d-create-the-user-for-systemd-journa.patch new file mode 100644 index 0000000..bce2828 --- /dev/null +++ b/backport-Revert-sysusers.d-create-the-user-for-systemd-journa.patch 
@@ -0,0 +1,34 @@
+From bd3f4436938409c5c5868a4884c77e80f2ff9606 Mon Sep 17 00:00:00 2001
+From: Frantisek Sumsal
+Date: Mon, 4 Dec 2023 19:23:54 +0100
+Subject: [PATCH 0016/1160] Revert "sysusers.d: create the user for
+ systemd-journal-upload.service"
+
+I have no idea what was my reasoning that led to this change, but it is
+simply wrong: systemd-journal-upload.service uses
+User=systemd-journal-upload together with DynamicUser=yes, so the user
+doesn't have to (and shouldn't) exist before starting the service.
+
+See:
+ - https://github.com/systemd/systemd/commit/941afc4b902af21b0675e9e5d417c2ee6b202f30
+ - https://src.fedoraproject.org/rpms/systemd/c/db8b8fe77ce30244ad82e70ec4e8302b0c9dbf41
+
+This reverts commit 5b9dfd33c6cd4d32ee1fd3681b570e09401c885d.
+
+(cherry picked from commit e4d216f2dc3ffbb9979cf6830215e0c29fd9963d)
+---
+ sysusers.d/systemd-remote.conf | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/sysusers.d/systemd-remote.conf b/sysusers.d/systemd-remote.conf
+index 341ae4e0a1..ca20c24896 100644
+--- a/sysusers.d/systemd-remote.conf
++++ b/sysusers.d/systemd-remote.conf
+@@ -6,4 +6,3 @@
+ # (at your option) any later version.
+ 
+ u systemd-journal-remote - "systemd Journal Remote"
+-u systemd-journal-upload - "systemd Journal Upload"
+-- 
+2.33.0
+
diff --git a/backport-Revert-test-disable-TEST-08-INITRD-on-ubuntu-CI.patch b/backport-Revert-test-disable-TEST-08-INITRD-on-ubuntu-CI.patch
new file mode 100644
index 0000000..0b3b649
--- /dev/null
+++ b/backport-Revert-test-disable-TEST-08-INITRD-on-ubuntu-CI.patch
@@ -0,0 +1,21 @@
+From 92dae87119fa76d79dafb35d89721c5f3519547b Mon Sep 17 00:00:00 2001
+From: Frantisek Sumsal
+Date: Fri, 15 Dec 2023 11:06:28 +0100
+Subject: [PATCH 0197/1160] Revert "test: disable TEST-08-INITRD on ubuntu CI"
+
+No longer necessary, as the test checks if systemd ran in the initrd.
+
+This reverts commit 0d290cbcd62c5021b485c6f2bf0cef633e77a2b1.
+
+(cherry picked from commit 23eca16aad7963ed651aa27f71fde2e171bf8687)
+---
+ test/TEST-08-INITRD/deny-list-ubuntu-ci | 0
+ 1 file changed, 0 insertions(+), 0 deletions(-)
+ delete mode 100644 test/TEST-08-INITRD/deny-list-ubuntu-ci
+
+diff --git a/test/TEST-08-INITRD/deny-list-ubuntu-ci b/test/TEST-08-INITRD/deny-list-ubuntu-ci
+deleted file mode 100644
+index e69de29bb2..0000000000
+-- 
+2.33.0
+
diff --git a/backport-Semaphore-switch-from-tmp-to-var-tmp-to-avoid-disk-s.patch b/backport-Semaphore-switch-from-tmp-to-var-tmp-to-avoid-disk-s.patch
new file mode 100644
index 0000000..8c2719c
--- /dev/null
+++ b/backport-Semaphore-switch-from-tmp-to-var-tmp-to-avoid-disk-s.patch
@@ -0,0 +1,41 @@
+From 82baa27f9d1c5f15906b4aa9b9a40b3d900bec09 Mon Sep 17 00:00:00 2001
+From: Luca Boccassi
+Date: Mon, 7 Oct 2024 11:23:32 +0100
+Subject: [PATCH 0918/1160] Semaphore: switch from /tmp to /var/tmp to avoid
+ disk space issues
+
+Builds have been failing as we run out of space in /tmp/, move to
+/var/tmp
+
+(cherry picked from commit 0c7b5dad33ee01b7ff6b7a8c583a7e2c27ac0673)
+(cherry picked from commit bc0102b0caacb97041ada0b0dbca40da09eab453)
+---
+ .semaphore/semaphore-runner.sh | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/.semaphore/semaphore-runner.sh b/.semaphore/semaphore-runner.sh
+index d2ee50b41c..6cb947fa71 100755
+--- a/.semaphore/semaphore-runner.sh
++++ b/.semaphore/semaphore-runner.sh
+@@ -11,7 +11,8 @@ SALSA_URL="${SALSA_URL:-https://salsa.debian.org/systemd-team/systemd.git}"
+ BRANCH="${BRANCH:-upstream-ci}"
+ ARCH="${ARCH:-amd64}"
+ CONTAINER="${RELEASE}-${ARCH}"
+-CACHE_DIR="${SEMAPHORE_CACHE_DIR:-/tmp}"
++CACHE_DIR=/var/tmp
++TMPDIR=/var/tmp
+ AUTOPKGTEST_DIR="${CACHE_DIR}/autopkgtest"
+ # semaphore cannot expose these, but useful for interactive/local runs
+ ARTIFACTS_DIR=/tmp/artifacts
+@@ -101,7 +102,7 @@ EOF
+ # now build the package and run the tests
+ rm -rf "$ARTIFACTS_DIR"
+ # autopkgtest exits with 2 for "some tests skipped", accept that
+- sudo "$AUTOPKGTEST_DIR/runner/autopkgtest" --env DEB_BUILD_OPTIONS="noudeb nostrip optimize=-lto" \
++ sudo TMPDIR=/var/tmp "$AUTOPKGTEST_DIR/runner/autopkgtest" --env DEB_BUILD_OPTIONS="noudeb nostrip optimize=-lto" \
+ --env DPKG_DEB_COMPRESSOR_TYPE="none" \
+ --env DEB_BUILD_PROFILES="noudeb" \
+ --env TEST_UPSTREAM=1 \
+-- 
+2.33.0
+
diff --git a/backport-Set-SYSTEMD_LOG_LEVEL-info-explicitly-in-test-sysuse.patch b/backport-Set-SYSTEMD_LOG_LEVEL-info-explicitly-in-test-sysuse.patch
new file mode 100644
index 0000000..b5387b1
--- /dev/null
+++ b/backport-Set-SYSTEMD_LOG_LEVEL-info-explicitly-in-test-sysuse.patch
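Review bot: `TMPDIR=/var/tmp` in the first hunk is a plain shell assignment, not exported, so nothing the script spawns inherits it; only the one `sudo TMPDIR=/var/tmp …` call in the second hunk actually sees the new location. Make it `export TMPDIR=/var/tmp` (the explicit prefix on the sudo line is still needed because sudo scrubs the environment). The change also silently drops the `${SEMAPHORE_CACHE_DIR:-…}` override for `CACHE_DIR`, which the description does not mention; `CACHE_DIR="${SEMAPHORE_CACHE_DIR:-/var/tmp}"` would move the default without breaking local runs that set the variable.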
@@ -0,0 +1,30 @@
+From db97c3a48c34fe09fc128dbeb5bdf45726b7e365 Mon Sep 17 00:00:00 2001
+From: Daan De Meyer
+Date: Mon, 19 Feb 2024 14:35:07 +0100
+Subject: [PATCH 0324/1160] Set SYSTEMD_LOG_LEVEL=info explicitly in
+ test-sysusers
+
+If we're looking for output on stderr, let's make sure it's not
+littered with debug logs if SYSTEMD_LOG_LEVEL=debug.
+
+(cherry picked from commit 88d4b97a24d532c1c34cbb99ac46e25f905d3884)
+---
+ test/test-sysusers.sh.in | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/test/test-sysusers.sh.in b/test/test-sysusers.sh.in
+index 5d66c6776d..11e3940ec1 100755
+--- a/test/test-sysusers.sh.in
++++ b/test/test-sysusers.sh.in
+@@ -166,7 +166,7 @@ for f in $(find "$SOURCE"/unhappy-*.input | sort -V); do
+ echo "*** Running test $f"
+ prepare_testdir "${f%.input}"
+ cp "$f" "$TESTDIR/usr/lib/sysusers.d/test.conf"
+- $SYSUSERS --root="$TESTDIR" 2>&1 | tail -n1 | sed -r 's/^[^:]+:[^:]+://' >"$TESTDIR/err"
++ SYSTEMD_LOG_LEVEL=info $SYSUSERS --root="$TESTDIR" 2>&1 | tail -n1 | sed -r 's/^[^:]+:[^:]+://' >"$TESTDIR/err"
+ if ! diff -u "$TESTDIR/err" "${f%.*}.expected-err"; then
+ echo "**** Unexpected error output for $f"
+ cat "$TESTDIR/err"
+-- 
+2.33.0
+
diff --git a/backport-Sort-input-file-list.patch b/backport-Sort-input-file-list.patch
new file mode 100644
index 0000000..39021c3
--- /dev/null
+++ b/backport-Sort-input-file-list.patch
@@ -0,0 +1,34 @@
+From e2f8d25c648b7fdf39778dea1be39746bc65cd71 Mon Sep 17 00:00:00 2001
+From: "Bernhard M. Wiedemann"
+Date: Thu, 25 Jan 2024 05:48:35 +0100
+Subject: [PATCH 0212/1160] Sort input file list
+
+so that /usr/lib/systemd/tests/unit-tests/test-libsystemd-sym
+builds in a reproducible way
+in spite of non-deterministic filesystem readdir order
+
+See https://reproducible-builds.org/ for why this is good.
+
+This patch was done while working on reproducible builds for openSUSE.
+
+(cherry picked from commit ac0054e686e7570d0a77dbbd017165e473cae825)
+---
+ src/test/generate-sym-test.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/test/generate-sym-test.py b/src/test/generate-sym-test.py
+index e97b6bbbd5..028d108bb5 100755
+--- a/src/test/generate-sym-test.py
++++ b/src/test/generate-sym-test.py
+@@ -66,7 +66,7 @@ print(''' {}
+ }, symbols_from_source[] = {''')
+ 
+ for dirpath, _, filenames in sorted(os.walk(sys.argv[2])):
+- for filename in filenames:
++ for filename in sorted(filenames):
+ if not filename.endswith(".c") and not filename.endswith(".h"):
+ continue
+ with open(os.path.join(dirpath, filename), "r") as f:
+-- 
+2.33.0
+
diff --git a/backport-TEST-13-NSPAWN.nss-mymachines-Use-negative-matching-.patch b/backport-TEST-13-NSPAWN.nss-mymachines-Use-negative-matching-.patch
new file mode 100644
index 0000000..e21f6b5
--- /dev/null
+++ b/backport-TEST-13-NSPAWN.nss-mymachines-Use-negative-matching-.patch
@@ -0,0 +1,35 @@
+From ec3def8aaec6903571f7131e15e3fe9f1b3fe7a3 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Michal=20Koutn=C3=BD?=
+Date: Tue, 25 Feb 2025 11:36:51 +0100
+Subject: [PATCH 1145/1160] TEST-13-NSPAWN.nss-mymachines: Use negative
+ matching switch
+
+The test expects _not_ to find the patterns but the run_and_grep would
+still print 'FAIL:' message. Use the dedicated -n option that inverts
+the semantics cleaner than shell's !.
+
+(cherry picked from commit c4b75966075e01d39556a87caa778eb63d96d6f6)
+(cherry picked from commit f45b42ea5d7055f0fdd5bfe548bde3b73a0c2051)
+(cherry picked from commit 63725bc3a312ca5481b514a8ebb00ef2617a331e)
+---
+ test/units/testsuite-13.nss-mymachines.sh | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/test/units/testsuite-13.nss-mymachines.sh b/test/units/testsuite-13.nss-mymachines.sh
+index b566c7343d..feba591f05 100755
+--- a/test/units/testsuite-13.nss-mymachines.sh
++++ b/test/units/testsuite-13.nss-mymachines.sh
+@@ -113,8 +113,8 @@ for i in {100..120}; do
+ run_and_grep "^10\.2\.0\.$i\s+STREAM" getent ahostsv4 -s mymachines nss-mymachines-manyips
+ done
+ run_and_grep "^fd00:dead:beef:cafe::2\s+STREAM" getent ahostsv6 -s mymachines nss-mymachines-manyips
+-(! run_and_grep "^fd00:" getent ahostsv4 -s mymachines nss-mymachines-manyips)
+-(! run_and_grep "^10\.2:" getent ahostsv6 -s mymachines nss-mymachines-manyips)
++run_and_grep -n "^fd00:" getent ahostsv4 -s mymachines nss-mymachines-manyips
++run_and_grep -n "^10\.2:" getent ahostsv6 -s mymachines nss-mymachines-manyips
+ 
+ # Multiple machines at once
+ run_and_grep "^10\.1\.0\.2\s+nss-mymachines-singleip$" getent hosts -s mymachines nss-mymachines-{singleip,manyips}
+-- 
+2.33.0
+
diff --git a/backport-TEST-17-UDEV-Don-t-hardcode-root-device-name.patch b/backport-TEST-17-UDEV-Don-t-hardcode-root-device-name.patch
new file mode 100644
index 0000000..0ca739c
--- /dev/null
+++ b/backport-TEST-17-UDEV-Don-t-hardcode-root-device-name.patch
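Review bot: The two new `run_and_grep -n …` lines depend on the `-n` switch being understood by `run_and_grep` in this tree's `test/units/util.sh`, and the helper change is not part of this backport. If the v255 helper does not parse `-n`, the string is taken as the grep pattern and the command to run, so both assertions pass or fail for reasons unrelated to the addresses they are meant to check (the old `(! …)` form at least inverted the real result). Confirm the helper accepts `-n` in this branch, or backport the util.sh change together with this one.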
@@ -0,0 +1,144 @@ +From 5541b1b49462658221cff36a6271714c14b632e4 Mon Sep 17 00:00:00 2001 +From: Daan De Meyer +Date: Fri, 1 Nov 2024 21:27:08 +0100 +Subject: [PATCH 0986/1160] TEST-17-UDEV: Don't hardcode root device name + +There's no guarantee the root device will be /dev/sda, so let's use +bootctl to get the actual path instead of harcoding it. + +(cherry picked from commit 29a8e71d9c0858aef502f091a0ef58d5569b1c70) +(cherry picked from commit beca1de2efe7a749bfe9b35a63e6916b3a5966aa) +--- + test/units/testsuite-17.01.sh | 50 ++++++++++++++++++----------------- + test/units/testsuite-17.06.sh | 10 ++++--- + 2 files changed, 32 insertions(+), 28 deletions(-) + +diff --git a/test/units/testsuite-17.01.sh b/test/units/testsuite-17.01.sh +index 44f36f5955..41f8c6ae0e 100755 +--- a/test/units/testsuite-17.01.sh ++++ b/test/units/testsuite-17.01.sh +@@ -5,52 +5,54 @@ set -o pipefail + + mkdir -p /run/udev/rules.d/ + ++ROOTDEV="$(bootctl -RR)" ++ + rm -f /run/udev/rules.d/50-testsuite.rules + udevadm control --reload +-udevadm trigger --settle /dev/sda ++udevadm trigger --settle "$ROOTDEV" + + while : ; do + ( +- udevadm info /dev/sda | grep -q -v SYSTEMD_WANTS=foobar.service +- udevadm info /dev/sda | grep -q -v SYSTEMD_WANTS=waldo.service +- systemctl show -p WantedBy foobar.service | grep -q -v sda +- systemctl show -p WantedBy waldo.service | grep -q -v sda ++ udevadm info "$ROOTDEV" | grep -q -v SYSTEMD_WANTS=foobar.service ++ udevadm info "$ROOTDEV" | grep -q -v SYSTEMD_WANTS=waldo.service ++ systemctl show -p WantedBy foobar.service | grep -q -v "${ROOTDEV#/dev/}" ++ systemctl show -p WantedBy waldo.service | grep -q -v "${ROOTDEV#/dev/}" + ) && break + + sleep .5 + done + + cat >/run/udev/rules.d/50-testsuite.rules </run/udev/rules.d/50-testsuite.rules </run/udev/rules.d/50-testsuite.rules < +Date: Wed, 16 Oct 2024 14:31:16 +0900 +Subject: [PATCH 0951/1160] TEST-19-CGROUP: add test cases for + IPAddressAllow=/IPAddressDeny= + +(cherry picked from commit 
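Review bot: `ROOTDEV="$(bootctl -RR)"` is used unchecked in `udevadm trigger --settle "$ROOTDEV"` and in the `grep -q -v "${ROOTDEV#/dev/}"` patterns; if bootctl prints nothing, `grep -v ""` never matches and the `while :` loop spins until the test times out with no hint why. Guard right after the assignment: `[[ -b "$ROOTDEV" ]] || { echo "bootctl -RR did not return a block device: '$ROOTDEV'" >&2; exit 1; }`. The heredoc bodies written to 50-testsuite.rules (and the testsuite-17.06.sh hunk) are cut off in this copy of the patch, so the rule text itself could not be reviewed here.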
5f3cfb9d5ee334c53cc407308ba677401a6ba1cd) +(cherry picked from commit 04bf8544baa3ef4c675e610f35dd44f2ea60382e) +--- + .../TEST-19-CGROUP.IPAddressAllow-Deny.sh | 73 +++++++++++++++++++ + test/units/util.sh | 15 +++- + 2 files changed, 86 insertions(+), 2 deletions(-) + create mode 100755 test/units/TEST-19-CGROUP.IPAddressAllow-Deny.sh + +diff --git a/test/units/TEST-19-CGROUP.IPAddressAllow-Deny.sh b/test/units/TEST-19-CGROUP.IPAddressAllow-Deny.sh +new file mode 100755 +index 0000000000..a5c47b7086 +--- /dev/null ++++ b/test/units/TEST-19-CGROUP.IPAddressAllow-Deny.sh +@@ -0,0 +1,73 @@ ++#!/usr/bin/env bash ++# SPDX-License-Identifier: LGPL-2.1-or-later ++set -ex ++set -o pipefail ++ ++# shellcheck source=test/units/util.sh ++. "$(dirname "$0")"/util.sh ++ ++if [[ "$(get_cgroup_hierarchy)" != unified ]]; then ++ echo "Skipping $0 as we're not running with the unified cgroup hierarchy." ++ exit 0 ++fi ++ ++if systemd-detect-virt --container --quiet; then ++ echo "Skipping $0 as we're running on container." 
++ exit 0 ++fi ++ ++ip netns add test-ns ++ip link add test-veth-1 type veth peer test-veth-2 ++ip link set test-veth-2 netns test-ns ++ip link set test-veth-1 up ++ip address add 192.0.2.1/24 dev test-veth-1 ++ip address add 2001:db8::1/64 dev test-veth-1 nodad ++ip netns exec test-ns ip link set test-veth-2 up ++ip netns exec test-ns ip address add 192.0.2.2/24 dev test-veth-2 ++ip netns exec test-ns ip address add 2001:db8::2/64 dev test-veth-2 nodad ++ ++ping_ok_one() { ++ local interface="${1?}" ++ local target="${2?}" ++ shift 2 ++ ++ assert_ok systemd-run --wait --pipe "$@" ping -c 1 -W 1 -I "$interface" "$target" ++} ++ ++ping_fail_one() { ++ local interface="${1?}" ++ local target="${2?}" ++ shift 2 ++ ++ assert_fail systemd-run --wait --pipe "$@" ping -c 1 -W 1 -I "$interface" "$target" ++} ++ ++ping_ok() { ++ ping_ok_one lo 127.0.0.1 "$@" ++ ping_ok_one lo ::1 "$@" ++ ping_ok_one test-veth-1 192.0.2.2 "$@" ++ ping_ok_one test-veth-1 2001:db8::2 "$@" ++} ++ ++ping_fail() { ++ ping_fail_one lo 127.0.0.1 "$@" ++ ping_fail_one lo ::1 "$@" ++ ping_fail_one test-veth-1 192.0.2.2 "$@" ++ ping_fail_one test-veth-1 2001:db8::2 "$@" ++} ++ ++ping_ok ++ping_ok -p IPAddressDeny=any -p IPAddressDeny= ++ping_ok -p IPAddressDeny=any -p IPAddressDeny= -p IPAddressDeny=link-local ++ping_ok -p IPAddressDeny=any -p IPAddressAllow=localhost -p IPAddressAllow=192.0.2.0/24 -p IPAddressAllow=2001:db8::/64 ++ping_ok -p IPAddressDeny=any -p IPAddressAllow=localhost -p IPAddressAllow=192.0.2.0/24 -p IPAddressAllow=2001:db8::/64 \ ++ -p IPAddressAllow= -p IPAddressAllow=localhost -p IPAddressAllow=192.0.2.0/24 -p IPAddressAllow=2001:db8::/64 ++ ++ping_fail -p IPAddressDeny=any ++ping_fail -p IPAddressDeny=any -p IPAddressDeny= -p IPAddressDeny=localhost -p IPAddressDeny=192.0.2.0/24 -p IPAddressDeny=2001:db8::/64 ++ping_fail -p IPAddressDeny=any -p IPAddressAllow=localhost -p IPAddressAllow=192.0.2.0/24 -p IPAddressAllow=2001:db8::/64 -p IPAddressAllow= ++ping_fail -p 
IPAddressDeny=any -p IPAddressAllow=localhost -p IPAddressAllow=192.0.2.0/24 -p IPAddressAllow=2001:db8::/64 -p IPAddressAllow= -p IPAddressAllow=link-local ++ ++ip link del test-veth-1 ++ip netns exec test-ns ip link del test-veth-2 || : ++ip netns del test-ns +diff --git a/test/units/util.sh b/test/units/util.sh +index b5ed73237c..2f6a25fb97 100755 +--- a/test/units/util.sh ++++ b/test/units/util.sh +@@ -6,19 +6,30 @@ + # shellcheck disable=SC2034 + [[ -e /var/tmp/.systemd_reboot_count ]] && REBOOT_COUNT="$(&2 + exit 1 + fi + )} + ++assert_fail() {( ++ set +ex ++ ++ local rc ++ ++ if "$@"; then ++ echo "FAIL: command '$*' unexpectedly succeeded" >&2 ++ exit 1 ++ fi ++)} ++ + assert_eq() {( + set +ex + +-- +2.33.0 + diff --git a/backport-TEST-38-FREEZER-Relax-regex-a-little.patch b/backport-TEST-38-FREEZER-Relax-regex-a-little.patch new file mode 100644 index 0000000..91a400a --- /dev/null +++ b/backport-TEST-38-FREEZER-Relax-regex-a-little.patch @@ -0,0 +1,31 @@ +From 33a8ea65ca28b67a1faf766143e2847be5dd379e Mon Sep 17 00:00:00 2001 +From: Daan De Meyer +Date: Mon, 13 May 2024 13:27:14 +0200 +Subject: [PATCH 0626/1160] TEST-38-FREEZER: Relax regex a little + +The state might be "freezing-by-parent" as well so let's take that +into account. + +Fixes #32746 + +(cherry picked from commit 034e85c5f3608b8ae48ab1ad76b8af0b2c2fd3e5) +--- + test/units/testsuite-38.sh | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/test/units/testsuite-38.sh b/test/units/testsuite-38.sh +index 5fc87fca7b..2da5f4e9b9 100755 +--- a/test/units/testsuite-38.sh ++++ b/test/units/testsuite-38.sh +@@ -94,7 +94,7 @@ check_freezer_state() { + + # Ignore the intermediate freezing & thawing states in case we check + # the unit state too quickly +- [[ "$state" =~ ^(freezing|thawing)$ ]] || break ++ [[ "$state" =~ ^(freezing|thawing) ]] || break + sleep .5 + done + +-- +2.33.0 + 
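Review bot: The `test-ns` namespace and `test-veth-1` pair created at the top of TEST-19-CGROUP.IPAddressAllow-Deny.sh are only torn down by the three `ip … del` lines at the very end, but the script runs under `set -ex`, so the first failing `ping_ok`/`ping_fail` exits before cleanup and leaves the namespace and interface behind for every later test. Register the cleanup once, right after the two skip checks: `trap 'ip link del test-veth-1 || :; ip netns del test-ns || :' EXIT`. In the `util.sh` hunk, `assert_fail` declares `local rc` and never uses it; either drop the line or include the actual status in the FAIL message so an unexpected success is easier to debug.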
diff --git a/backport-TEST-46-HOMED-Ignore-Disk-Usage-field-as-well.patch b/backport-TEST-46-HOMED-Ignore-Disk-Usage-field-as-well.patch new file mode 100644 index 0000000..26b762d --- /dev/null +++ b/backport-TEST-46-HOMED-Ignore-Disk-Usage-field-as-well.patch @@ -0,0 +1,31 @@ +From 868bcfa220b64bd766a629f9392eadb832cfcb20 Mon Sep 17 00:00:00 2001 +From: Daan De Meyer +Date: Thu, 9 May 2024 09:40:16 +0200 +Subject: [PATCH 0617/1160] TEST-46-HOMED: Ignore "Disk Usage" field as well + +This can change between the call to homectl inspect and userdbctl +user so let's ignore it along with the other disk fields. + +Fixes #32727 + +(cherry picked from commit 6c5d4f0645ca36281fafbf72d0219b115dbdebb4) +--- + test/units/testsuite-46.sh | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/test/units/testsuite-46.sh b/test/units/testsuite-46.sh +index a77683b479..4ccd60e403 100755 +--- a/test/units/testsuite-46.sh ++++ b/test/units/testsuite-46.sh +@@ -20,7 +20,7 @@ inspect() { + userdbctl user "$USERNAME" | tee /tmp/b + + # diff uses the grep BREs for pattern matching +- diff -I '^\s*Disk \(Size\|Free\|Floor\|Ceiling\):' /tmp/{a,b} ++ diff -I '^\s*Disk \(Size\|Free\|Floor\|Ceiling\|Usage\):' /tmp/{a,b} + rm /tmp/{a,b} + + homectl inspect --json=pretty "$USERNAME" +-- +2.33.0 + diff --git a/backport-TEST-58-REPART-drop-duplicated-inclusion-of-util.sh.patch b/backport-TEST-58-REPART-drop-duplicated-inclusion-of-util.sh.patch new file mode 100644 index 0000000..f280b62 --- /dev/null +++ b/backport-TEST-58-REPART-drop-duplicated-inclusion-of-util.sh.patch 
@@ -0,0 +1,29 @@ +From f4206ba15cadbb2d17d840fd16b822e31d1d481e Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Fri, 11 Oct 2024 14:08:49 +0900 +Subject: [PATCH 0945/1160] TEST-58-REPART: drop duplicated inclusion of + util.sh + +(cherry picked from commit 4ca7b553295315c759a622a47240af56e2d06b46) +(cherry picked from commit d600880c9901575ba981a84ab9ceaf63a4a2e756) +--- + test/units/testsuite-58.sh | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/test/units/testsuite-58.sh b/test/units/testsuite-58.sh +index 0ca0427d58..701a72b20b 100755 +--- a/test/units/testsuite-58.sh ++++ b/test/units/testsuite-58.sh +@@ -4,9 +4,6 @@ + set -eux + set -o pipefail + +-# shellcheck source=test/units/util.sh +-. "$(dirname "$0")"/util.sh +- + if ! command -v systemd-repart >/dev/null; then + echo "no systemd-repart" >/skipped + exit 0 +-- +2.33.0 + diff --git a/backport-TEST-58-REPART-reverse-order-of-diff-args.patch b/backport-TEST-58-REPART-reverse-order-of-diff-args.patch new file mode 100644 index 0000000..ae107d3 --- /dev/null +++ b/backport-TEST-58-REPART-reverse-order-of-diff-args.patch 
@@ -0,0 +1,51 @@ +From 5469bc61185163119bec209612e0a72381ba232c Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Thu, 30 May 2024 11:33:20 +0200 +Subject: [PATCH 0727/1160] TEST-58-REPART: reverse order of diff args + +I expect the test output to be the second argument, so we're diffing "expected" +and "output", not the other way around. + +I noticed this when working on https://github.com/systemd/systemd/pull/33081. + +(cherry picked from commit 6bb3ea655d08c0602c99ccd2a580ba102fd19114) +(cherry picked from commit 9663bb74100dd79c1e4e9c6b2377ea1b817ddee5) +--- + test/units/testsuite-58.sh | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/test/units/testsuite-58.sh b/test/units/testsuite-58.sh +index 20d4bda84e..d875461721 100755 +--- a/test/units/testsuite-58.sh ++++ b/test/units/testsuite-58.sh +@@ -423,7 +423,7 @@ EOF + --json=pretty \ + "$imgs/zzz") + +- diff -u <(echo "$output") - < +Date: Wed, 16 Oct 2024 21:17:15 +0900 +Subject: [PATCH 0954/1160] TEST-60-MOUNT-RATELIMIT: wait for mount unit being + started or stopped + +(cherry picked from commit c5928a768417b298eb2741107fa7492e93d637fc) +(cherry picked from commit 3b171cb7bc6d84381f8ac27722503b103745cd2b) +--- + test/units/testsuite-60.sh | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/test/units/testsuite-60.sh b/test/units/testsuite-60.sh +index c1afeddcd0..3b88a659ed 100755 +--- a/test/units/testsuite-60.sh ++++ b/test/units/testsuite-60.sh +@@ -59,7 +59,7 @@ check_dependencies() { + + # mount LOOP_0 + mount -t ext4 "${LOOP_0}p1" /tmp/deptest +- sleep 1 ++ timeout 10 bash -c 'until systemctl -q is-active tmp-deptest.mount; do sleep .1; done' + after=$(systemctl show --property=After --value tmp-deptest.mount) + assert_in "local-fs-pre.target" "$after" + assert_not_in "remote-fs-pre.target" "$after" +@@ -68,7 +68,7 @@ check_dependencies() { + assert_in "blockdev@${escaped_0}.target" "$after" + 
assert_not_in "${escaped_1}.device" "$after" + assert_not_in "blockdev@${escaped_1}.target" "$after" +- umount /tmp/deptest ++ systemctl stop tmp-deptest.mount + + if [[ -f /run/systemd/system/tmp-deptest.mount ]]; then + after=$(systemctl show --property=After --value tmp-deptest.mount) +@@ -79,7 +79,7 @@ check_dependencies() { + + # mount LOOP_1 (using fake _netdev option) + mount -t ext4 -o _netdev "${LOOP_1}p1" /tmp/deptest +- sleep 1 ++ timeout 10 bash -c 'until systemctl -q is-active tmp-deptest.mount; do sleep .1; done' + after=$(systemctl show --property=After --value tmp-deptest.mount) + assert_not_in "local-fs-pre.target" "$after" + assert_in "remote-fs-pre.target" "$after" +@@ -88,7 +88,7 @@ check_dependencies() { + assert_not_in "blockdev@${escaped_0}.target" "$after" + assert_in "${escaped_1}.device" "$after" + assert_in "blockdev@${escaped_1}.target" "$after" +- umount /tmp/deptest ++ systemctl stop tmp-deptest.mount + + if [[ -f /run/systemd/system/tmp-deptest.mount ]]; then + after=$(systemctl show --property=After --value tmp-deptest.mount) +@@ -99,7 +99,7 @@ check_dependencies() { + + # mount tmpfs + mount -t tmpfs tmpfs /tmp/deptest +- sleep 1 ++ timeout 10 bash -c 'until systemctl -q is-active tmp-deptest.mount; do sleep .1; done' + after=$(systemctl show --property=After --value tmp-deptest.mount) + assert_in "local-fs-pre.target" "$after" + assert_not_in "remote-fs-pre.target" "$after" +@@ -108,7 +108,7 @@ check_dependencies() { + assert_not_in "blockdev@${escaped_0}.target" "$after" + assert_not_in "${escaped_1}.device" "$after" + assert_not_in "blockdev@${escaped_1}.target" "$after" +- umount /tmp/deptest ++ systemctl stop tmp-deptest.mount + + if [[ -f /run/systemd/system/tmp-deptest.mount ]]; then + after=$(systemctl show --property=After --value tmp-deptest.mount) +-- +2.33.0 + 
diff --git a/backport-TEST-64-UDEV-STORAGE-Make-nvme_subsystem-expected-pc.patch b/backport-TEST-64-UDEV-STORAGE-Make-nvme_subsystem-expected-pc.patch
new file mode 100644
index 0000000..e447d56
--- /dev/null
+++ b/backport-TEST-64-UDEV-STORAGE-Make-nvme_subsystem-expected-pc.patch
@@ -0,0 +1,41 @@
+From d34128a1f1a2fe0148e95fbe76157895a7b951af Mon Sep 17 00:00:00 2001
+From: Daan De Meyer
+Date: Fri, 28 Jun 2024 14:20:34 +0200
+Subject: [PATCH 0729/1160] TEST-64-UDEV-STORAGE: Make nvme_subsystem expected
+ pci symlinks more generic
+
+When running the test on aarch64 the symlinks look as follows:
+
+"""
+[root@H ~]# ls /dev/disk/by-path
+platform-4010000000.pcie-pci-0000:00:04.0-scsi-0:0:0:0 platform-4010000000.pcie-pci-0000:00:04.0-scsi-0:0:0:0-part1 platform-4010000000.pcie-pci-0000:00:05.0-nvme-16
+platform-4010000000.pcie-pci-0000:00:04.0-scsi-0:0:0:0-part platform-4010000000.pcie-pci-0000:00:04.0-scsi-0:0:0:0-part2 platform-4010000000.pcie-pci-0000:00:05.0-nvme-17
+"""
+
+So let's make the PCI patterns a little more generic so they match
+both the x86 and the aarch64 paths.
+
+(cherry picked from commit 72d121b60174b825bf1390958eb1b55f34c5ff5b)
+(cherry picked from commit dc0167b674bc6b555c25f374719c818bc6ad1416)
+---
+ test/units/testsuite-64.sh | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/test/units/testsuite-64.sh b/test/units/testsuite-64.sh
+index f41cc7fdc2..dc3a87b732 100755
+--- a/test/units/testsuite-64.sh
++++ b/test/units/testsuite-64.sh
+@@ -231,8 +231,8 @@ testcase_nvme_subsystem() {
+ /dev/disk/by-id/nvme-QEMU_NVMe_Ctrl_deadbeef_16
+ /dev/disk/by-id/nvme-QEMU_NVMe_Ctrl_deadbeef_17
+ # Shared namespaces
+- /dev/disk/by-path/pci-*-nvme-16
+- /dev/disk/by-path/pci-*-nvme-17
++ /dev/disk/by-path/*pci*-nvme-16
++ /dev/disk/by-path/*pci*-nvme-17
+ )
+
+ udevadm wait --settle --timeout=30 "${expected_symlinks[@]}"
+--
+2.33.0
+
diff --git a/backport-TEST-80-NOTIFYACCESS-don-t-specify-pid-if-MAINPID-is.patch b/backport-TEST-80-NOTIFYACCESS-don-t-specify-pid-if-MAINPID-is.patch new file mode 100644 index 0000000..cd07cd4 --- /dev/null +++ b/backport-TEST-80-NOTIFYACCESS-don-t-specify-pid-if-MAINPID-is.patch @@ -0,0 +1,31 @@ +From e0bb603e3e9f6c44af9126b65961851f04f6b339 Mon Sep 17 00:00:00 2001 +From: Mike Yuan +Date: Tue, 29 Oct 2024 18:35:50 +0100 +Subject: [PATCH 0979/1160] TEST-80-NOTIFYACCESS: don't specify --pid= if + MAINPID= is provided explicitly + +Otherwise, with recent additions, the MAINPIDFDID= generated by +systemd-notify would mismatch with overridden MAINPID=. + +(cherry picked from commit c3ecb747f1e35f609f15fc94ad4d5e5ca0bda4a2) +(cherry picked from commit b2496d151ae093974e6ecd3a6b3299e1ba5f3e23) +--- + test/testsuite-80.units/test.sh | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/test/testsuite-80.units/test.sh b/test/testsuite-80.units/test.sh +index 565ed8d35a..a0e233946e 100755 +--- a/test/testsuite-80.units/test.sh ++++ b/test/testsuite-80.units/test.sh +@@ -39,7 +39,7 @@ sync_in b + sync_in d + + # Move main process back to toplevel +- systemd-notify --pid=parent "MAINPID=$$" ++ systemd-notify "MAINPID=$$" + + # Should be dropped again + systemd-notify --status="BOGUS2" --pid=parent +-- +2.33.0 + diff --git a/backport-TEST-81-GENERATORS-Do-a-lazy-unmounts.patch b/backport-TEST-81-GENERATORS-Do-a-lazy-unmounts.patch new file mode 100644 index 0000000..8e3cf5e --- /dev/null +++ b/backport-TEST-81-GENERATORS-Do-a-lazy-unmounts.patch 
@@ -0,0 +1,42 @@ +From d6a1d86b92d8c9aedaca9699ca73b5a351ae971a Mon Sep 17 00:00:00 2001 +From: Daan De Meyer +Date: Wed, 8 May 2024 11:41:04 +0200 +Subject: [PATCH 0616/1160] TEST-81-GENERATORS: Do a lazy unmounts + +Otherwise we might fail if PID 1 is currently accessing these files. + +Fixes #32692 (hopefully) + +(cherry picked from commit 65690de6f994b383e2f060df855e151a45356264) +--- + test/units/generator-utils.sh | 2 +- + test/units/testsuite-81.getty-generator.sh | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/test/units/generator-utils.sh b/test/units/generator-utils.sh +index fb62747fa1..97a63d8043 100755 +--- a/test/units/generator-utils.sh ++++ b/test/units/generator-utils.sh +@@ -72,7 +72,7 @@ run_and_list() { + ls -lR "$out_dir" + + if [[ -n "${environ:-}" ]]; then +- umount /proc/1/environ ++ umount /proc/1/environ --lazy + rm -f "$environ" + fi + } +diff --git a/test/units/testsuite-81.getty-generator.sh b/test/units/testsuite-81.getty-generator.sh +index 103e966191..d1dd22c18e 100755 +--- a/test/units/testsuite-81.getty-generator.sh ++++ b/test/units/testsuite-81.getty-generator.sh +@@ -85,5 +85,5 @@ PID1_ENVIRON="SYSTEMD_GETTY_AUTO=0" run_and_list "$GENERATOR_BIN" "$OUT_DIR" + [[ "$(find "$OUT_DIR" ! -type d | wc -l)" -eq 0 ]] + + # Cleanup +-umount /sys/class/tty/console/active ++umount /sys/class/tty/console/active --lazy + rm -f "${DUMMY_CONSOLES[@]/#//dev/}" /dev/notatty99 +-- +2.33.0 + diff --git a/backport-Undeprecate-commandline-params-forcequotacheck-fastb.patch b/backport-Undeprecate-commandline-params-forcequotacheck-fastb.patch new file mode 100644 index 0000000..761e76a --- /dev/null +++ b/backport-Undeprecate-commandline-params-forcequotacheck-fastb.patch 
@@ -0,0 +1,66 @@ +From 59d4a05e3bfcce8cf495e0e39e29f36849273c68 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Thu, 21 Nov 2024 20:36:51 +0100 +Subject: [PATCH 1027/1160] Undeprecate commandline params forcequotacheck, + fastboot, and forcefsck + +Those are historical names, but there is nothing wrong with them. The files on +/ (/fastboot, /forcefsck, and /forcequotacheck) are problematic because they +require a modification of the root file system. But the commandline params work +fine. They have the obvious advantage compared to our "modern" option that they +are much easier to type without looking up the spelling in the docs. Undeprecate +them to avoid unnecessary churn. + +(cherry picked from commit 5598454a3f8fc13257e0313d999e6ac9684082e1) +(cherry picked from commit eb841e9b8eb5ec47c46617b288135b2119694ea0) +--- + src/fsck/fsck.c | 9 ++------- + src/quotacheck/quotacheck.c | 7 +------ + 2 files changed, 3 insertions(+), 13 deletions(-) + +diff --git a/src/fsck/fsck.c b/src/fsck/fsck.c +index 000ed69667..0b452645de 100644 +--- a/src/fsck/fsck.c ++++ b/src/fsck/fsck.c +@@ -98,16 +98,11 @@ static int parse_proc_cmdline_item(const char *key, const char *value, void *dat + } + } + +-#if HAVE_SYSV_COMPAT +- else if (streq(key, "fastboot") && !value) { +- log_warning("Please pass 'fsck.mode=skip' rather than 'fastboot' on the kernel command line."); ++ else if (streq(key, "fastboot") && !value) + arg_skip = true; + +- } else if (streq(key, "forcefsck") && !value) { +- log_warning("Please pass 'fsck.mode=force' rather than 'forcefsck' on the kernel command line."); ++ else if (streq(key, "forcefsck") && !value) + arg_force = true; +- } +-#endif + + return 0; + } +diff --git a/src/quotacheck/quotacheck.c b/src/quotacheck/quotacheck.c +index 27a914d737..3f7fda05b9 100644 +--- a/src/quotacheck/quotacheck.c ++++ b/src/quotacheck/quotacheck.c +@@ -32,14 +32,9 @@ static int parse_proc_cmdline_item(const char *key, const char *value, 
void *dat + arg_skip = true; + else + log_warning("Invalid quotacheck.mode= parameter '%s'. Ignoring.", value); +- } + +-#if HAVE_SYSV_COMPAT +- else if (streq(key, "forcequotacheck") && !value) { +- log_warning("Please use 'quotacheck.mode=force' rather than 'forcequotacheck' on the kernel command line."); ++ } else if (streq(key, "forcequotacheck") && !value) + arg_force = true; +- } +-#endif + + return 0; + } +-- +2.33.0 + diff --git a/backport-Update-_udevadm.patch b/backport-Update-_udevadm.patch new file mode 100644 index 0000000..6dd3c1b --- /dev/null +++ b/backport-Update-_udevadm.patch @@ -0,0 +1,26 @@ +From 36ecc6f0ad48a38ca3c0ac5acdf80ef92734b043 Mon Sep 17 00:00:00 2001 +From: samuelvw01 <132577980+samuelvw01@users.noreply.github.com> +Date: Sat, 16 Mar 2024 13:43:23 +0100 +Subject: [PATCH 0453/1160] Update _udevadm + +(cherry picked from commit 3623a7ea831b22105deb0d12114b00e666082708) +--- + shell-completion/zsh/_udevadm | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/shell-completion/zsh/_udevadm b/shell-completion/zsh/_udevadm +index 37e9f28a58..6d313986bb 100644 +--- a/shell-completion/zsh/_udevadm ++++ b/shell-completion/zsh/_udevadm +@@ -167,7 +167,7 @@ _udevadm_commands(){ + 'test-builtin:test a built-in command' + 'verify:verify udev rules files' + 'wait:wait for devices or device symlinks being created' +- 'lock:lock a block device and run a comand' ++ 'lock:lock a block device and run a command' + ) + + if ((CURRENT == 1)); then +-- +2.33.0 + diff --git a/backport-Update-sd_bus_message_append_array.xml.patch b/backport-Update-sd_bus_message_append_array.xml.patch new file mode 100644 index 0000000..2441c52 --- /dev/null +++ b/backport-Update-sd_bus_message_append_array.xml.patch 
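Review bot: Dropping the `#if HAVE_SYSV_COMPAT` guards makes `fastboot`, `forcefsck` and `forcequotacheck` unconditional in every build, but the diffstat touches only src/fsck/fsck.c and src/quotacheck/quotacheck.c, so the kernel-command-line man page that, as far as I can tell, still lists these names as deprecated SysV-compat aliases now disagrees with the code; a follow-up documentation change or a sentence in the commit message about it is needed. In the quotacheck hunk the blank line left between `log_warning("Invalid quotacheck.mode= parameter '%s'. Ignoring.", value);` and `} else if (streq(key, "forcequotacheck") && !value)` makes the if-chain look terminated; dropping that blank line keeps the chain readable. Both parse_proc_cmdline_item bodies start outside their hunks.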
@@ -0,0 +1,29 @@ +From a422935fe076c758b4a05dc495944d798b71b938 Mon Sep 17 00:00:00 2001 +From: Marcel Hellwig +Date: Tue, 1 Oct 2024 14:31:08 +0200 +Subject: [PATCH 0897/1160] Update sd_bus_message_append_array.xml + +fix pointer constness in documentation + +(cherry picked from commit fec09ff094670a6903b12b1c599b00b39a2b0c88) +(cherry picked from commit 072ea04e26c84ac25419316c659f4d89d8002f34) +--- + man/sd_bus_message_append_array.xml | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/man/sd_bus_message_append_array.xml b/man/sd_bus_message_append_array.xml +index ea8f532ab6..08775abeca 100644 +--- a/man/sd_bus_message_append_array.xml ++++ b/man/sd_bus_message_append_array.xml +@@ -34,7 +34,7 @@ + int sd_bus_message_append_array + sd_bus_message *m + char type +- void *ptr ++ const void *ptr + size_t size + + +-- +2.33.0 + diff --git a/backport-Use-.d-path-for-PCRLOCK_KERNEL_-_PATH.patch b/backport-Use-.d-path-for-PCRLOCK_KERNEL_-_PATH.patch new file mode 100644 index 0000000..b10f346 --- /dev/null +++ b/backport-Use-.d-path-for-PCRLOCK_KERNEL_-_PATH.patch 
@@ -0,0 +1,34 @@ +From 6930874b83df64d940664a9a56f9ef45df9477fc Mon Sep 17 00:00:00 2001 +From: Alberto Planas +Date: Thu, 4 Jan 2024 15:12:22 +0100 +Subject: [PATCH 0122/1160] Use .d path for PCRLOCK_KERNEL_*_PATH + +Fix the path for the generated.pcrlock files for the cmdline and initrd +cases. Without it the tool complains with: + + Failed to parse component file /var/lib/pcrlock.d/720-kernel-initrd.pcrlock, ignoring: Is a directory + +Signed-off-by: Alberto Planas +(cherry picked from commit ef949448ec96e00d0beaba3cb3daee359ae77324) +--- + src/pcrlock/pcrlock.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/pcrlock/pcrlock.c b/src/pcrlock/pcrlock.c +index dc48bc57e5..56d41a1e2c 100644 +--- a/src/pcrlock/pcrlock.c ++++ b/src/pcrlock/pcrlock.c +@@ -73,8 +73,8 @@ STATIC_DESTRUCTOR_REGISTER(arg_policy_path, freep); + #define PCRLOCK_FIRMWARE_CONFIG_LATE_PATH "/var/lib/pcrlock.d/550-firmware-config-late.pcrlock.d/generated.pcrlock" + #define PCRLOCK_GPT_PATH "/var/lib/pcrlock.d/600-gpt.pcrlock.d/generated.pcrlock" + #define PCRLOCK_SECUREBOOT_AUTHORITY_PATH "/var/lib/pcrlock.d/620-secureboot-authority.pcrlock.d/generated.pcrlock" +-#define PCRLOCK_KERNEL_CMDLINE_PATH "/var/lib/pcrlock.d/710-kernel-cmdline.pcrlock/generated.pcrlock" +-#define PCRLOCK_KERNEL_INITRD_PATH "/var/lib/pcrlock.d/720-kernel-initrd.pcrlock/generated.pcrlock" ++#define PCRLOCK_KERNEL_CMDLINE_PATH "/var/lib/pcrlock.d/710-kernel-cmdline.pcrlock.d/generated.pcrlock" ++#define PCRLOCK_KERNEL_INITRD_PATH "/var/lib/pcrlock.d/720-kernel-initrd.pcrlock.d/generated.pcrlock" + #define PCRLOCK_MACHINE_ID_PATH "/var/lib/pcrlock.d/820-machine-id.pcrlock" + #define PCRLOCK_ROOT_FILE_SYSTEM_PATH "/var/lib/pcrlock.d/830-root-file-system.pcrlock" + #define PCRLOCK_FILE_SYSTEM_PATH_PREFIX "/var/lib/pcrlock.d/840-file-system-" +-- +2.33.0 + 
diff --git a/backport-Use-case-insensitive-comparison-for-the-machine-s-ar.patch b/backport-Use-case-insensitive-comparison-for-the-machine-s-ar.patch
new file mode 100644
index 0000000..b542bf3
--- /dev/null
+++ b/backport-Use-case-insensitive-comparison-for-the-machine-s-ar.patch
@@ -0,0 +1,42 @@
+From 129c30beb66b1736bfcbb44140cd406b32dc0369 Mon Sep 17 00:00:00 2001
+From: Daniel Martinez
+Date: Sat, 5 Oct 2024 23:39:43 -0400
+Subject: [PATCH 0909/1160] Use case insensitive comparison for the machine's
+ architechture
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+boot loader specification states:
+
+architecture: refers to the architecture this entry is for. The argument
+should be an architecture identifier, using the architecture vocabulary
+defined by the EFI specification (i.e. IA32, x64, IA64, ARM, AA64, …).
+If specified and it does not match the local system architecture this
+entry should be hidden. The comparison should be done case-insensitively.
+
+Example: architecture aa64
+
+https://uapi-group.org/specifications/specs/boot_loader_specification/#type-1-boot-loader-entry-keys
+(cherry picked from commit f819a516dbbddb16724f33dcef5badcb6fe8b80b)
+(cherry picked from commit d65b7426e93e50c470173614c2eaca094f318ab5)
+---
+ src/boot/efi/boot.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/boot/efi/boot.c b/src/boot/efi/boot.c
+index 0907733c43..83207a5afe 100644
+--- a/src/boot/efi/boot.c
++++ b/src/boot/efi/boot.c
+@@ -1468,7 +1468,7 @@ static void boot_entry_add_type1(
+
+ } else if (streq8(key, "architecture")) {
+ /* do not add an entry for an EFI image of architecture not matching with that of the image */
+- if (!streq8(value, EFI_MACHINE_TYPE_NAME)) {
++ if (!strcaseeq8(value, EFI_MACHINE_TYPE_NAME)) {
+ entry->type = LOADER_UNDEFINED;
+ break;
+ }
+--
+2.33.0
+
diff --git a/backport-Use-consistent-spelling-of-systemd.condition_first_b.patch b/backport-Use-consistent-spelling-of-systemd.condition_first_b.patch new file mode 100644 index 0000000..3572899 --- /dev/null +++ b/backport-Use-consistent-spelling-of-systemd.condition_first_b.patch @@ -0,0 +1,28 @@ +From 130358d6def563aeb8897a7d9eb8f860f162f7a3 Mon Sep 17 00:00:00 2001 +From: pyfisch +Date: Tue, 18 Jun 2024 22:22:15 +0200 +Subject: [PATCH 0716/1160] Use consistent spelling of + systemd.condition_first_boot argument + +(cherry picked from commit 051d462b42fe6c27824046c15cd3c84fa5afe05b) +(cherry picked from commit 90b5cb35e9901947fca63d82e69b74b2df959258) +--- + man/machine-id.xml | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/man/machine-id.xml b/man/machine-id.xml +index e57a7c13b8..aea3ad150b 100644 +--- a/man/machine-id.xml ++++ b/man/machine-id.xml +@@ -124,7 +124,7 @@ + are as follows: + + +- The kernel command argument systemd.condition-first-boot= may be ++ The kernel command argument systemd.condition_first_boot= may be + used to override the autodetection logic, see + kernel-command-line7. + +-- +2.33.0 + diff --git a/backport-allow-override-default-log-level-by-environment-variable.patch b/backport-allow-override-default-log-level-by-environment-variable.patch index 37dfd9c..3b3ee68 100644 --- a/backport-allow-override-default-log-level-by-environment-variable.patch +++ b/backport-allow-override-default-log-level-by-environment-variable.patch @@ -1,7 +1,7 @@ From cd6ec641deaf94e2eb2fcaf87b9236f65479ef3f Mon Sep 17 00:00:00 2001 From: Yu Watanabe Date: Sat, 6 Jan 2024 03:27:07 +0900 -Subject: [PATCH] udevadm: allow to override the default log level by +Subject: [PATCH 0125/1160] udevadm: allow to override the default log level by environment variable Previously, there was no way to override the log level for test and @@ -16,7 +16,7 @@ variable. 2 files changed, 2 insertions(+) 
diff --git a/src/udev/udevadm-test-builtin.c b/src/udev/udevadm-test-builtin.c -index f5498a1e5b1..088b4da3c1a 100644 +index f5498a1e5b..088b4da3c1 100644 --- a/src/udev/udevadm-test-builtin.c +++ b/src/udev/udevadm-test-builtin.c @@ -78,6 +78,7 @@ int builtin_main(int argc, char *argv[], void *userdata) { @@ -28,7 +28,7 @@ index f5498a1e5b1..088b4da3c1a 100644 r = parse_argv(argc, argv); if (r <= 0) diff --git a/src/udev/udevadm-test.c b/src/udev/udevadm-test.c -index 809143ede0b..e1afd7d29e6 100644 +index 809143ede0..e1afd7d29e 100644 --- a/src/udev/udevadm-test.c +++ b/src/udev/udevadm-test.c @@ -95,6 +95,7 @@ int test_main(int argc, char *argv[], void *userdata) { @@ -39,3 +39,6 @@ index 809143ede0b..e1afd7d29e6 100644 r = parse_argv(argc, argv); if (r <= 0) +-- +2.33.0 + diff --git a/backport-analyze-Add-times-in-seconds-for-Activating-and-Acti.patch b/backport-analyze-Add-times-in-seconds-for-Activating-and-Acti.patch new file mode 100644 index 0000000..48662d6 --- /dev/null +++ b/backport-analyze-Add-times-in-seconds-for-Activating-and-Acti.patch 
@@ -0,0 +1,34 @@
+From a3614fd7bf62760d7e23b83b480ae57efd12606a Mon Sep 17 00:00:00 2001
+From: hugo303
+Date: Fri, 25 Oct 2024 12:15:02 +0200
+Subject: [PATCH 0980/1160] analyze: Add times in seconds for Activating and
+ Activated in tooltip
+
+Print the times in seconds in the tooltip to remove the need to count
+and trying to follow the lines in the svg diagram in order to see at
+what times these events happen.
+
+(cherry picked from commit f172dfddde3379319ee3a02666a7ecf11a5711f4)
+(cherry picked from commit 40cab4a3873b9a3205d9a0db505ad1a6b21a95e2)
+---
+ src/analyze/analyze-plot.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/analyze/analyze-plot.c b/src/analyze/analyze-plot.c
+index 81fc25b31e..70a126a51b 100644
+--- a/src/analyze/analyze-plot.c
++++ b/src/analyze/analyze-plot.c
+@@ -166,7 +166,9 @@ static void plot_tooltip(const UnitTimes *ut) {
+ assert(ut->name);
+
+ svg("%s:\n", ut->name);
+-
++ svg("Activating: %"PRI_USEC".%.3"PRI_USEC"\n", ut->activating / USEC_PER_SEC, ut->activating % USEC_PER_SEC);
++ svg("Activated: %"PRI_USEC".%.3"PRI_USEC"\n", ut->activated / USEC_PER_SEC, ut->activated % USEC_PER_SEC);
++
+ UnitDependency i;
+ VA_ARGS_FOREACH(i, UNIT_AFTER, UNIT_BEFORE, UNIT_REQUIRES, UNIT_REQUISITE, UNIT_WANTS, UNIT_CONFLICTS, UNIT_UPHOLDS)
+ if (!strv_isempty(ut->deps[i])) {
+--
+2.33.0
+
diff --git a/backport-analyze-also-find-template-unit-when-a-template-inst.patch b/backport-analyze-also-find-template-unit-when-a-template-inst.patch
new file mode 100644
index 0000000..24720d3
--- /dev/null
+++ b/backport-analyze-also-find-template-unit-when-a-template-inst.patch
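Review bot: The fractional part printed by the two new svg() calls is wrong for most values: `ut->activating % USEC_PER_SEC` is a microsecond remainder in the range 0..999999, and a `.3` precision on an integer conversion only sets a minimum of three digits, so 1000500 µs is rendered as `1.500` (read as 1.5 s) and 1050000 µs as `1.50000`. Either print all six digits, `"Activating: %"PRI_USEC".%.6"PRI_USEC"\n"`, or reduce the remainder to milliseconds before printing it with `%.3`; the same applies to the `Activated:` line. The tooltip is user-visible output, so a comment stating the unit being printed would also help. plot_tooltip's body continues outside the hunk.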
@@ -0,0 +1,105 @@ +From 8b9f0065d37c255a41f266ca2252035895e0b90a Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Thu, 7 Dec 2023 19:29:29 +0900 +Subject: [PATCH 0043/1160] analyze: also find template unit when a template + instance is specified + +Fixes a regression caused by 2f6181ad4d6c126e3ebf6880ba30b3b0059c6fc8. + +Fixes #30357. + +Co-authored-by: Jeff King +(cherry picked from commit 6d9d55657946385916fa4db7149a9b389645ee73) +--- + src/analyze/analyze-verify-util.c | 64 +++++++++++++++++++++++++------ + 1 file changed, 53 insertions(+), 11 deletions(-) + +diff --git a/src/analyze/analyze-verify-util.c b/src/analyze/analyze-verify-util.c +index 26d1130477..6fbd6fa54c 100644 +--- a/src/analyze/analyze-verify-util.c ++++ b/src/analyze/analyze-verify-util.c +@@ -72,6 +72,54 @@ int verify_prepare_filename(const char *filename, char **ret) { + return 0; + } + ++static int find_unit_directory(const char *p, char **ret) { ++ _cleanup_free_ char *a = NULL, *u = NULL, *t = NULL, *d = NULL; ++ int r; ++ ++ assert(p); ++ assert(ret); ++ ++ r = path_make_absolute_cwd(p, &a); ++ if (r < 0) ++ return r; ++ ++ if (access(a, F_OK) >= 0) { ++ r = path_extract_directory(a, &d); ++ if (r < 0) ++ return r; ++ ++ *ret = TAKE_PTR(d); ++ return 0; ++ } ++ ++ r = path_extract_filename(a, &u); ++ if (r < 0) ++ return r; ++ ++ if (!unit_name_is_valid(u, UNIT_NAME_INSTANCE)) ++ return -ENOENT; ++ ++ /* If the specified unit is an instance of a template unit, then let's try to find the template unit. 
*/ ++ r = unit_name_template(u, &t); ++ if (r < 0) ++ return r; ++ ++ r = path_extract_directory(a, &d); ++ if (r < 0) ++ return r; ++ ++ free(a); ++ a = path_join(d, t); ++ if (!a) ++ return -ENOMEM; ++ ++ if (access(a, F_OK) < 0) ++ return -errno; ++ ++ *ret = TAKE_PTR(d); ++ return 0; ++} ++ + int verify_set_unit_path(char **filenames) { + _cleanup_strv_free_ char **ans = NULL; + _cleanup_free_ char *joined = NULL; +@@ -79,21 +127,15 @@ int verify_set_unit_path(char **filenames) { + int r; + + STRV_FOREACH(filename, filenames) { +- _cleanup_free_ char *a = NULL; +- char *t; ++ _cleanup_free_ char *t = NULL; + +- r = path_make_absolute_cwd(*filename, &a); +- if (r < 0) ++ r = find_unit_directory(*filename, &t); ++ if (r == -ENOMEM) + return r; +- +- if (access(a, F_OK) < 0) +- continue; +- +- r = path_extract_directory(a, &t); + if (r < 0) +- return r; ++ continue; + +- r = strv_consume(&ans, t); ++ r = strv_consume(&ans, TAKE_PTR(t)); + if (r < 0) + return r; + } +-- +2.33.0 + diff --git a/backport-analyze-man-and-help-fixes.patch b/backport-analyze-man-and-help-fixes.patch new file mode 100644 index 0000000..f46883d --- /dev/null +++ b/backport-analyze-man-and-help-fixes.patch 
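Review bot: In the rewritten loop in verify_set_unit_path, every error from find_unit_directory other than -ENOMEM becomes a bare `continue`, which now also hides failures the old code returned (path_make_absolute_cwd and path_extract_directory errors, and -EACCES from the second `access(a, F_OK)`), so a unit path that cannot be resolved silently disappears from the search list; a `log_debug_errno(r, "Failed to find unit directory for %s, ignoring: %m", *filename);` before the `continue` keeps that diagnosable. find_unit_directory has no comment stating its contract; I would add above it: `/* Returns the directory of the given unit file, or, when the file does not exist but is an instance of a template, the directory containing that template. -ENOENT if neither is found. */` The `access()` checks only probe existence, so a later open may still fail; that is acceptable here as the result is only a search path, but worth a short comment.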
@@ -0,0 +1,92 @@ +From 487a7a85b9fa8c1e04e8cee85675f5e7212f35b5 Mon Sep 17 00:00:00 2001 +From: Antonio Alvarez Feijoo +Date: Tue, 9 Jan 2024 10:11:59 +0100 +Subject: [PATCH 0135/1160] analyze: man and --help fixes + +man: +- `verify` requires an argument +- `security` does not require an argument +- `fdstore` requires an argument +- `image-policy` requires an argument + +`--help` text: +- missing `image-policy` command +- `cat-config` requires NAME or PATH + +(cherry picked from commit ca029693790434f0baf51f3a9086d9bd6b7c86da) +--- + man/systemd-analyze.xml | 10 +++++----- + src/analyze/analyze.c | 3 ++- + 2 files changed, 7 insertions(+), 6 deletions(-) + +diff --git a/man/systemd-analyze.xml b/man/systemd-analyze.xml +index 63232ad1f0..35ad8435f4 100644 +--- a/man/systemd-analyze.xml ++++ b/man/systemd-analyze.xml +@@ -136,13 +136,13 @@ + systemd-analyze + OPTIONS + verify +- FILE ++ FILE + + + systemd-analyze + OPTIONS + security +- UNIT ++ UNIT + + + systemd-analyze +@@ -160,7 +160,7 @@ + systemd-analyze + OPTIONS + fdstore +- UNIT ++ UNIT + + + systemd-analyze +@@ -833,7 +833,7 @@ alias.service:7: Unknown key name 'MysteryKey' in section 'Service', ignoring. + + + +- <command>systemd-analyze fdstore <optional><replaceable>UNIT</replaceable>...</optional></command> ++ <command>systemd-analyze fdstore <replaceable>UNIT</replaceable>...</command> + + Lists the current contents of the specified service unit's file descriptor store. This shows + names, inode types, device numbers, inode numbers, paths and open modes of the open file +@@ -862,7 +862,7 @@ stored sock 0:8 4213190 - socket:[4213190] ro + + + +- <command>systemd-analyze image-policy <optional><replaceable>POLICY</replaceable>…</optional></command> ++ <command>systemd-analyze image-policy <replaceable>POLICY</replaceable>…</command> + + This command analyzes the specified image policy string, as per + systemd.image-policy7. 
The +diff --git a/src/analyze/analyze.c b/src/analyze/analyze.c +index ba95bbaba5..021de65bdb 100644 +--- a/src/analyze/analyze.c ++++ b/src/analyze/analyze.c +@@ -217,7 +217,7 @@ static int help(int argc, char *argv[], void *userdata) { + " dot [UNIT...] Output dependency graph in %s format\n" + " dump [PATTERN...] Output state serialization of service\n" + " manager\n" +- " cat-config Show configuration file and drop-ins\n" ++ " cat-config NAME|PATH... Show configuration file and drop-ins\n" + " unit-files List files and symlinks for units\n" + " unit-paths List load directories for units\n" + " exit-status [STATUS...] List exit status definitions\n" +@@ -236,6 +236,7 @@ static int help(int argc, char *argv[], void *userdata) { + " inspect-elf FILE... Parse and print ELF package metadata\n" + " malloc [D-BUS SERVICE...] Dump malloc stats of a D-Bus service\n" + " fdstore SERVICE... Show file descriptor store contents of service\n" ++ " image-policy POLICY... Analyze image policy string\n" + " pcrs [PCR...] Show TPM2 PCRs and their names\n" + " srk > FILE Write TPM2 SRK to stdout\n" + "\nOptions:\n" +-- +2.33.0 + diff --git a/backport-analyze-show-pcrs-also-in-sha384-bank.patch b/backport-analyze-show-pcrs-also-in-sha384-bank.patch new file mode 100644 index 0000000..d66a5fa --- /dev/null +++ b/backport-analyze-show-pcrs-also-in-sha384-bank.patch 
@@ -0,0 +1,31 @@
+From 5024b1b09634e7cee4308457ac327854740b0a4a Mon Sep 17 00:00:00 2001
+From: Lennart Poettering
+Date: Tue, 4 Jun 2024 11:02:34 +0200
+Subject: [PATCH 0696/1160] analyze: show pcrs also in sha384 bank
+
+SHA384 is pretty much the bank we actually *want* to use, since it's
+faster to calculate than SHA256, hence at the very least, start
+considering.
+
+(cherry picked from commit acaca5ab250a51be6ba07768bee80bf0f7b462fa)
+(cherry picked from commit 51390a1f41a762ef96d3c496d8a5d890d722907d)
+---
+ src/analyze/analyze-pcrs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/analyze/analyze-pcrs.c b/src/analyze/analyze-pcrs.c
+index ed907f78d1..88dfc66fe4 100644
+--- a/src/analyze/analyze-pcrs.c
++++ b/src/analyze/analyze-pcrs.c
+@@ -11,7 +11,7 @@
+ static int get_pcr_alg(const char **ret) {
+ assert(ret);
+
+- FOREACH_STRING(alg, "sha256", "sha1") {
++ FOREACH_STRING(alg, "sha256", "sha384", "sha1") {
+ _cleanup_free_ char *p = NULL;
+
+ if (asprintf(&p, "/sys/class/tpm/tpm0/pcr-%s/0", alg) < 0)
+--
+2.33.0
+
diff --git a/backport-analyze-tab-fix.patch b/backport-analyze-tab-fix.patch
new file mode 100644
index 0000000..fffc3c5
--- /dev/null
+++ b/backport-analyze-tab-fix.patch
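Review bot: The new list still selects sha256 ahead of sha384 whenever both banks are active in sysfs, which is at odds with the commit message's statement that SHA384 is the bank we actually want; if that preference is intended, `"sha384"` belongs first, and if sha256 is deliberately kept first for compatibility with existing policies, a comment saying so on the `FOREACH_STRING` line would stop the next reader from re-raising this. Either way, the sha1 fallback is still the last resort and is worth a comment noting it is weak and only kept for old TPMs. get_pcr_alg's body continues outside the hunk.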
@@ -0,0 +1,28 @@ +From 3a4acc447afabf32b7a13e89f621614bc40f0bba Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Wed, 11 Dec 2024 10:31:41 +0100 +Subject: [PATCH 1046/1160] analyze: tab fix + +(cherry picked from commit 7167bee6c672f9a0729631ba1f7459dd5e18f549) +(cherry picked from commit f4215e7909a74e01f3275c8537d9574924aefa4c) +(cherry picked from commit 503e60447e9207485a381a5491d8b28f4e33f509) +--- + src/analyze/analyze-plot.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/analyze/analyze-plot.c b/src/analyze/analyze-plot.c +index 70a126a51b..beff8cfc78 100644 +--- a/src/analyze/analyze-plot.c ++++ b/src/analyze/analyze-plot.c +@@ -168,7 +168,7 @@ static void plot_tooltip(const UnitTimes *ut) { + svg("%s:\n", ut->name); + svg("Activating: %"PRI_USEC".%.3"PRI_USEC"\n", ut->activating / USEC_PER_SEC, ut->activating % USEC_PER_SEC); + svg("Activated: %"PRI_USEC".%.3"PRI_USEC"\n", ut->activated / USEC_PER_SEC, ut->activated % USEC_PER_SEC); +- ++ + UnitDependency i; + VA_ARGS_FOREACH(i, UNIT_AFTER, UNIT_BEFORE, UNIT_REQUIRES, UNIT_REQUISITE, UNIT_WANTS, UNIT_CONFLICTS, UNIT_UPHOLDS) + if (!strv_isempty(ut->deps[i])) { +-- +2.33.0 + diff --git a/backport-ask-password-refuse-empty-password-strv.patch b/backport-ask-password-refuse-empty-password-strv.patch new file mode 100644 index 0000000..44f2188 --- /dev/null +++ b/backport-ask-password-refuse-empty-password-strv.patch 
@@ -0,0 +1,91 @@
+From 553d5b03bd61f7f52b4e8f99df924878bcf34e1a Mon Sep 17 00:00:00 2001
+From: Yu Watanabe
+Date: Fri, 6 Sep 2024 11:19:39 +0900
+Subject: [PATCH 0870/1160] ask-password: refuse empty password strv
+
+Fixes #34270.
+
+(cherry picked from commit 623a8b1922bdbd2fb06bc5f2c67d3d6930efc58e)
+(cherry picked from commit 34881c9d5afdd05e9e6f1824cbea9d1954ea80c0)
+---
+ src/shared/ask-password-api.c | 29 +++++++++++++++++++++--------
+ 1 file changed, 21 insertions(+), 8 deletions(-)
+
+diff --git a/src/shared/ask-password-api.c b/src/shared/ask-password-api.c
+index 0e323f4644..23d5f8aab8 100644
+--- a/src/shared/ask-password-api.c
++++ b/src/shared/ask-password-api.c
+@@ -168,7 +168,16 @@ static int ask_password_keyring(const char *keyname, AskPasswordFlags flags, cha
+ if (r < 0)
+ return r;
+
+- return retrieve_key(serial, ret);
++ _cleanup_strv_free_erase_ char **l = NULL;
++ r = retrieve_key(serial, &l);
++ if (r < 0)
++ return r;
++
++ if (strv_isempty(l))
++ return log_debug_errno(SYNTHETIC_ERRNO(ENOKEY), "Found an empty password from keyring.");
++
++ *ret = TAKE_PTR(l);
++ return 0;
+ }
+
+ static int backspace_chars(int ttyfd, size_t p) {
+@@ -321,8 +330,8 @@ int ask_password_plymouth(
+ return -ENOENT;
+
+ } else if (IN_SET(buffer[0], 2, 9)) {
++ _cleanup_strv_free_erase_ char **l = NULL;
+ uint32_t size;
+- char **l;
+
+ /* One or more answers */
+ if (p < 5)
+@@ -340,15 +349,16 @@ int ask_password_plymouth(
+ if (!l)
+ return -ENOMEM;
+
+- *ret = l;
+- break;
++ if (strv_isempty(l))
++ return log_debug_errno(SYNTHETIC_ERRNO(ECANCELED), "Received an empty password.");
++
++ *ret = TAKE_PTR(l);
++ return 0;
+
+ } else
+ /* Unknown packet */
+ return -EIO;
+ }
+-
+- return 0;
+ }
+
+ #define NO_ECHO "(no echo) "
+@@ -944,8 +954,8 @@ finish:
+
+ static int ask_password_credential(const char *credential_name, AskPasswordFlags flags, char ***ret) {
+ _cleanup_(erase_and_freep) char *buffer = NULL;
++ _cleanup_strv_free_erase_ char **l = NULL;
+ size_t size;
+- char **l;
+ int r;
+
+ assert(credential_name);
+@@ -959,7 +969,10 @@ static int ask_password_credential(const char *credential_name, AskPasswordFlags
+ if (!l)
+ return -ENOMEM;
+
+- *ret = l;
++ if (strv_isempty(l))
++ return log_debug_errno(SYNTHETIC_ERRNO(ENOKEY), "Found an empty password in credential.");
++
++ *ret = TAKE_PTR(l);
+ return 0;
+ }
+
+--
+2.33.0
+
diff --git a/backport-async-voidify-call-of-fsync.patch b/backport-async-voidify-call-of-fsync.patch
new file mode 100644
index 0000000..3181fcf
--- /dev/null
+++ b/backport-async-voidify-call-of-fsync.patch
@@ -0,0 +1,30 @@
+From b5bc721d66e5bafb11c78c3184660f1b6d1bf10f Mon Sep 17 00:00:00 2001
+From: Yu Watanabe
+Date: Wed, 19 Feb 2025 02:34:13 +0900
+Subject: [PATCH 1146/1160] async: voidify call of fsync()
+
+Fixes CID#1564787.
+
+(cherry picked from commit b0e5cde687dacf885e4000da804ddcd900a83152)
+(cherry picked from commit dce29c0c5f006a54033e27154fc9b1056e781c92)
+(cherry picked from commit b7b0f1c6b410a2f90268458c74acae823599a4ab)
+---
+ src/shared/async.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/shared/async.c b/src/shared/async.c
+index 563daed3c9..28e5fb93bc 100644
+--- a/src/shared/async.c
++++ b/src/shared/async.c
+@@ -49,7 +49,7 @@ int asynchronous_fsync(int fd, pid_t *ret_pid) {
+ return r;
+ if (r == 0) {
+ /* Child process */
+- fsync(fd);
++ (void) fsync(fd);
+ _exit(EXIT_SUCCESS);
+ }
+
+--
+2.33.0
+
diff --git a/backport-audit-util-check-correct-errno.patch b/backport-audit-util-check-correct-errno.patch
new file mode 100644
index 0000000..f97b718
--- /dev/null
+++ b/backport-audit-util-check-correct-errno.patch
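Review bot: The three new empty-strv checks report the same condition with different error codes: `ENOKEY` in ask_password_keyring and ask_password_credential, but `ECANCELED` in ask_password_plymouth, so a caller that distinguishes "no usable secret" from "user cancelled" will treat an empty Plymouth reply as a cancellation. Unless that difference is intended, the plymouth branch should match the others, `return log_debug_errno(SYNTHETIC_ERRNO(ENOKEY), "Received an empty password.");`, or the reason for ECANCELED should be stated in a comment on that line. The switch to `_cleanup_strv_free_erase_` for the rejected strv is the right choice, since the rejected buffer may still hold secret material. All three changed functions start or end outside their hunks.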
@@ -0,0 +1,27 @@
+From a3872e60aed7ba05c9da967fac65afa7470ff9c9 Mon Sep 17 00:00:00 2001
+From: Mike Yuan
+Date: Sat, 31 Aug 2024 15:42:43 +0200
+Subject: [PATCH 0865/1160] audit-util: check correct errno
+
+(cherry picked from commit 190a0953808608b099f9465f9e786e4efe276c26)
+(cherry picked from commit c90ae08b0a5f2844504a109f71dcd773c16d8260)
+---
+ src/basic/audit-util.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/basic/audit-util.c b/src/basic/audit-util.c
+index bf96e080d2..7f86f84fa3 100644
+--- a/src/basic/audit-util.c
++++ b/src/basic/audit-util.c
+@@ -99,7 +99,7 @@ static int try_audit_request(int fd) {
+
+ n = recvmsg_safe(fd, &mh, 0);
+ if (n < 0)
+- return -errno;
++ return n;
+ if (n != NLMSG_LENGTH(sizeof(struct nlmsgerr)))
+ return -EIO;
+
+--
+2.33.0
+
diff --git a/backport-base-filesystem-check-for-__s390x__-first.patch b/backport-base-filesystem-check-for-__s390x__-first.patch
new file mode 100644
index 0000000..30c6cfa
--- /dev/null
+++ b/backport-base-filesystem-check-for-__s390x__-first.patch
@@ -0,0 +1,44 @@
+From 23f1dbd8294f87bb38edf33ebddaea83e05f576b Mon Sep 17 00:00:00 2001
+From: Frantisek Sumsal
+Date: Fri, 5 Apr 2024 19:33:28 +0200
+Subject: [PATCH 0492/1160] base-filesystem: check for __s390x__ first
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+On s390x both __s390__ and __s390x__ are defined, and with the original
+order we'd go through the __s390__ branch and emit a warning:
+
+[169/2118] Compiling C object src/shared/libsystemd-shared-256.a.p/base-filesystem.c.o
+../src/shared/base-filesystem.c:136:11: note: ‘#pragma message: Please add an entry above specifying whether your architecture uses /lib64/, /lib32/, or no such links.’
+ 136 | # pragma message "Please add an entry above specifying whether your architecture uses /lib64/, /lib32/, or no such links."
+ | ^~~~~~~
+
+(cherry picked from commit 1d07188b159878fc025cbd81bcaad3ba333bbb1c)
+---
+ src/shared/base-filesystem.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/shared/base-filesystem.c b/src/shared/base-filesystem.c
+index 569ef466c3..a4e2dae245 100644
+--- a/src/shared/base-filesystem.c
++++ b/src/shared/base-filesystem.c
+@@ -120,13 +120,13 @@ static const BaseFilesystem table[] = {
+ # else
+ # error "Unknown RISC-V ABI"
+ # endif
+-#elif defined(__s390__)
+- /* s390-linux-gnu */
+ #elif defined(__s390x__)
+ { "lib64", 0, "usr/lib/"LIB_ARCH_TUPLE"\0"
+ "usr/lib64\0"
+ "usr/lib\0", "ld-lsb-s390x.so.3" },
+ # define KNOW_LIB64_DIRS 1
++#elif defined(__s390__)
++ /* s390-linux-gnu */
+ #elif defined(__sparc__)
+ #endif
+ /* gcc doesn't allow pragma to be used within constructs, hence log about this separately below */
+--
+2.33.0
+
diff --git a/backport-base-filesystem-do-not-attempt-to-create-a-lib64-usr.patch b/backport-base-filesystem-do-not-attempt-to-create-a-lib64-usr.patch
new file mode 100644
index 0000000..c9ac023
--- /dev/null
+++ b/backport-base-filesystem-do-not-attempt-to-create-a-lib64-usr.patch 
@@ -0,0 +1,100 @@
+From b2738ee8155a826e3812253f5672ac8acaa5aa8c Mon Sep 17 00:00:00 2001
+From: Luca Boccassi
+Date: Sun, 4 Aug 2024 00:00:05 +0100
+Subject: [PATCH 0839/1160] base-filesystem: do not attempt to create a /lib64
+ -> /usr/lib/ symlink
+
+In multi-arch distributions (debian and derivatives) multiarch tuples under
+/usr/lib are used, such as /usr/lib/x86_64-linux-gnu/ but the /lib64 symlink
+should never point there, it should always point to /usr/lib64, as that's
+how they are set up by distribution-specific tools.
+
+https://packages.debian.org/bookworm/amd64/libc6-i386/filelist
+https://packages.debian.org/bookworm/mipsel/libc6-mips64/filelist
+https://salsa.debian.org/md/usrmerge/-/blob/master/convert-usrmerge?ref_type=heads#L295
+https://salsa.debian.org/md/usrmerge/-/blob/master/convert-usrmerge?ref_type=heads#L517
+http://bugs.debian.org/1076491
+
+Fixes https://github.com/systemd/systemd/issues/33919
+
+(cherry picked from commit b75c13731ee0867a8d7889348fc8da1869af7551)
+(cherry picked from commit 38caeac7680b3f7a81b741336f57f9b56d040297)
+---
+ src/shared/base-filesystem.c | 24 ++++++++----------------
+ 1 file changed, 8 insertions(+), 16 deletions(-)
+
+diff --git a/src/shared/base-filesystem.c b/src/shared/base-filesystem.c
+index a4e2dae245..0d5075e1e6 100644
+--- a/src/shared/base-filesystem.c
++++ b/src/shared/base-filesystem.c
+@@ -56,8 +56,7 @@ static const BaseFilesystem table[] = {
+ /* aarch64 ELF ABI actually says dynamic loader is in /lib/, but Fedora puts it in /lib64/ anyway and
+ * just symlinks /lib/ld-linux-aarch64.so.1 to ../lib64/ld-linux-aarch64.so.1. For this to work
+ * correctly, /lib64/ must be symlinked to /usr/lib64/. */
+- { "lib64", 0, "usr/lib/"LIB_ARCH_TUPLE"\0"
+- "usr/lib64\0"
++ { "lib64", 0, "usr/lib64\0"
+ "usr/lib\0", "ld-linux-aarch64.so.1" },
+ # define KNOW_LIB64_DIRS 1
+ #elif defined(__alpha__)
+@@ -66,24 +65,20 @@ static const BaseFilesystem table[] = {
+ /* No /lib64 on arm. The linker is /lib/ld-linux-armhf.so.3. */
+ # define KNOW_LIB64_DIRS 1
+ #elif defined(__i386__) || defined(__x86_64__)
+- { "lib64", 0, "usr/lib/"LIB_ARCH_TUPLE"\0"
+- "usr/lib64\0"
++ { "lib64", 0, "usr/lib64\0"
+ "usr/lib\0", "ld-linux-x86-64.so.2" },
+ # define KNOW_LIB64_DIRS 1
+ #elif defined(__ia64__)
+ #elif defined(__loongarch_lp64)
+ # define KNOW_LIB64_DIRS 1
+ # if defined(__loongarch_double_float)
+- { "lib64", 0, "usr/lib/"LIB_ARCH_TUPLE"\0"
+- "usr/lib64\0"
++ { "lib64", 0, "usr/lib64\0"
+ "usr/lib\0", "ld-linux-loongarch-lp64d.so.1" },
+ # elif defined(__loongarch_single_float)
+- { "lib64", 0, "usr/lib/"LIB_ARCH_TUPLE"\0"
+- "usr/lib64\0"
++ { "lib64", 0, "usr/lib64\0"
+ "usr/lib\0", "ld-linux-loongarch-lp64f.so.1" },
+ # elif defined(__loongarch_soft_float)
+- { "lib64", 0, "usr/lib/"LIB_ARCH_TUPLE"\0"
+- "usr/lib64\0"
++ { "lib64", 0, "usr/lib64\0"
+ "usr/lib\0", "ld-linux-loongarch-lp64s.so.1" },
+ # else
+ # error "Unknown LoongArch ABI"
+@@ -100,8 +95,7 @@ static const BaseFilesystem table[] = {
+ # endif
+ #elif defined(__powerpc__)
+ # if defined(__PPC64__) && __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__
+- { "lib64", 0, "usr/lib/"LIB_ARCH_TUPLE"\0"
+- "usr/lib64\0"
++ { "lib64", 0, "usr/lib64\0"
+ "usr/lib\0", "ld64.so.2" },
+ # define KNOW_LIB64_DIRS 1
+ # elif defined(__powerpc64__) && __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__
+@@ -113,16 +107,14 @@ static const BaseFilesystem table[] = {
+ # if __riscv_xlen == 32
+ # elif __riscv_xlen == 64
+ /* Same situation as for aarch64 */
+- { "lib64", 0, "usr/lib/"LIB_ARCH_TUPLE"\0"
+- "usr/lib64\0"
++ { "lib64", 0, "usr/lib64\0"
+ "usr/lib\0", "ld-linux-riscv64-lp64d.so.1" },
+ # define KNOW_LIB64_DIRS 1
+ # else
+ # error "Unknown RISC-V ABI"
+ # endif
+ #elif defined(__s390x__)
+- { "lib64", 0, "usr/lib/"LIB_ARCH_TUPLE"\0"
+- "usr/lib64\0"
++ { "lib64", 0, "usr/lib64\0"
+ "usr/lib\0", "ld-lsb-s390x.so.3" },
+ # define KNOW_LIB64_DIRS 1
+ #elif defined(__s390__)
+--
+2.33.0
+
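Review bot: The reason the multiarch-tuple candidate was dropped from every lib64 entry now lives only in the commit message; the comment block above the aarch64 entry still explains the Fedora layout only, so a later contributor could re-add `"usr/lib/"LIB_ARCH_TUPLE"\0"` as a lib64 target without knowing why it was removed. I'd add one comment near the top of the table, e.g. `/* /lib64 must never point at a multiarch directory; on multiarch distributions the distro tooling creates /lib64 -> /usr/lib64, so only usr/lib64 and usr/lib are acceptable targets. */`. If these hunks removed the last reference to LIB_ARCH_TUPLE in this file, whatever provides that macro may now be an unused dependency — that is outside the hunks, so worth a check. The table definition starts and ends outside the hunks.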
diff --git a/backport-bash-completion-add-missing-options-to-systemd-crypt.patch b/backport-bash-completion-add-missing-options-to-systemd-crypt.patch
new file mode 100644
index 0000000..ba0e9ad
--- /dev/null
+++ b/backport-bash-completion-add-missing-options-to-systemd-crypt.patch
@@ -0,0 +1,57 @@
+From 40623a302b4e0597dcfed8376b5881214d760594 Mon Sep 17 00:00:00 2001
+From: Antonio Alvarez Feijoo
+Date: Fri, 19 Jan 2024 15:49:52 +0100
+Subject: [PATCH 0265/1160] bash-completion: add missing options to
+ systemd-cryptenroll
+
+(cherry picked from commit c13d9199d6a9553108f68403b570838e2aeca8a0)
+---
+ shell-completion/bash/systemd-cryptenroll | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/shell-completion/bash/systemd-cryptenroll b/shell-completion/bash/systemd-cryptenroll
+index 66c6524fe8..1723f75bee 100644
+--- a/shell-completion/bash/systemd-cryptenroll
++++ b/shell-completion/bash/systemd-cryptenroll
+@@ -44,7 +44,7 @@ __get_block_devices() {
+ done
+ }
+
+-_systemd-cryptenroll() {
++_systemd_cryptenroll() {
+ local comps
+ local cur=${COMP_WORDS[COMP_CWORD]} prev=${COMP_WORDS[COMP_CWORD-1]} words cword
+ local -A OPTS=(
+@@ -59,11 +59,14 @@ _systemd-cryptenroll() {
+ --fido2-with-user-presence
+ --fido2-with-user-verification
+ --tpm2-device
++ --tpm2-device-key
++ --tpm2-seal-key-handle
+ --tpm2-pcrs
+ --tpm2-public-key
+ --tpm2-public-key-pcrs
+ --tpm2-signature
+ --tpm2-with-pin
++ --tpm2-pcrlock
+ --wipe-slot'
+ )
+
+@@ -71,7 +74,7 @@ _systemd-cryptenroll() {
+
+ if __contains_word "$prev" ${OPTS[ARG]}; then
+ case $prev in
+- --unlock-key-file|--tpm2-public-key|--tpm2-signature)
++ --unlock-key-file|--tpm2-device-key|--tpm2-public-key|--tpm2-signature|--tpm2-pcrlock)
+ comps=$(compgen -A file -- "$cur")
+ compopt -o filenames
+ ;;
+@@ -111,4 +114,4 @@ _systemd-cryptenroll() {
+ return 0
+ }
+
+-complete -F _systemd-cryptenroll systemd-cryptenroll
++complete -F _systemd_cryptenroll systemd-cryptenroll
+--
+2.33.0
+
diff --git a/backport-bash-completion-add-missing-options-to-systemd-disse.patch b/backport-bash-completion-add-missing-options-to-systemd-disse.patch
new file mode 100644
index 0000000..6a60ef0
--- /dev/null
+++ b/backport-bash-completion-add-missing-options-to-systemd-disse.patch
@@ -0,0 +1,36 @@
+From 67bc6f6e0071454e0759dc610d6883cb1a6705cf Mon Sep 17 00:00:00 2001
+From: Antonio Alvarez Feijoo
+Date: Fri, 19 Jan 2024 15:50:15 +0100
+Subject: [PATCH 0266/1160] bash-completion: add missing options to
+ systemd-dissect
+
+(cherry picked from commit 43aaa1b3d36c8ce38441bd24306f2a5cedd8b367)
+---
+ shell-completion/bash/systemd-dissect | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/shell-completion/bash/systemd-dissect b/shell-completion/bash/systemd-dissect
+index 4bb203a2f8..17fb6420de 100644
+--- a/shell-completion/bash/systemd-dissect
++++ b/shell-completion/bash/systemd-dissect
+@@ -37,6 +37,8 @@ _systemd_dissect() {
+ --in-memory'
+ [ARG]='-m --mount -M
+ -u --umount -U
++ --attach
++ --detach
+ -l --list
+ --mtree
+ --with
+@@ -72,7 +74,7 @@ _systemd_dissect() {
+
+ if __contains_word "$prev_1" ${OPTS[ARG]}; then
+ case $prev_1 in
+- -l|--list|--mtree|-m|--mount|-M|-x|--copy-from|-a|--copy-to|--verity-data|--validate|--with)
++ -l|--list|--mtree|-m|--mount|-M|--attach|--detach|-x|--copy-from|-a|--copy-to|--verity-data|--validate|--with)
+ comps=$(compgen -A file -- "$cur")
+ compopt -o filenames
+ ;;
+--
+2.33.0
+
diff --git a/backport-bash-completion-add-systemctl-service-log-level-target.patch b/backport-bash-completion-add-systemctl-service-log-level-target.patch
index 17cea61..0f3f97f 100644
--- a/backport-bash-completion-add-systemctl-service-log-level-target.patch
+++ b/backport-bash-completion-add-systemctl-service-log-level-target.patch
@@ -1,7 +1,8 @@ From 8bfc0e2d5ca09985900e8a2494b797f3086e9649 Mon Sep 17 00:00:00 2001
From: Luca Boccassi Date: Wed, 27 Dec 2023 16:59:03 +0100 -Subject: [PATCH] bash completion: add systemctl service-log-level/target +Subject: [PATCH 0096/1160] bash completion: add systemctl + service-log-level/target (cherry picked from commit 79272d3098597686d9e796bd946ea272304fd720) --- @@ -9,7 +10,7 @@ Subject: [PATCH] bash completion: add systemctl service-log-level/target 1 file changed, 18 insertions(+) diff --git a/shell-completion/bash/systemctl.in b/shell-completion/bash/systemctl.in -index 03c3b701504..ef8cd8f4be2 100644 +index 03c3b70150..ef8cd8f4be 100644 --- a/shell-completion/bash/systemctl.in +++ b/shell-completion/bash/systemctl.in @@ -236,6 +236,8 @@ _systemctl () { @@ -44,3 +45,6 @@ index 03c3b701504..ef8cd8f4be2 100644 elif __contains_word "$verb" ${VERBS[SERVICE_WATCHDOGS]}; then comps='on off' fi +-- +2.33.0 + diff --git a/backport-bash-completion-make-systemctl-mount-image-bind-auto.patch b/backport-bash-completion-make-systemctl-mount-image-bind-auto.patch new file mode 100644 index 0000000..7a7519c --- /dev/null +++ b/backport-bash-completion-make-systemctl-mount-image-bind-auto.patch 
@@ -0,0 +1,64 @@
+From cf7670121219b9ced9574df1b21797e4295d7d2e Mon Sep 17 00:00:00 2001
+From: Luca Boccassi
+Date: Wed, 27 Dec 2023 17:48:05 +0100
+Subject: [PATCH 0097/1160] bash completion: make systemctl mount-image/bind
+ autocomplete on active services
+
+The verb works only on running service units, so complete on that as the first
+parameter, and a local file as the second. The other parameters are inside the
+service namespace so we can't autocomplete from the outside, return early.
+
+(cherry picked from commit c24c63e94674c877052a327dbca342c0b50b5690)
+---
+ shell-completion/bash/systemctl.in | 14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/shell-completion/bash/systemctl.in b/shell-completion/bash/systemctl.in
+index ef8cd8f4be..5c444b7fa4 100644
+--- a/shell-completion/bash/systemctl.in
++++ b/shell-completion/bash/systemctl.in
+@@ -62,6 +62,8 @@ __get_template_names () { __systemctl $1 list-unit-files "$2*" \
+ | { while read -r a b; do [[ $a =~ @\. ]] && echo " ${a%%@.*}@"; done; }; }
+ __get_active_units () { __systemctl $1 list-units "$2*" \
+ | { while read -r a b; do echo " $a"; done; }; }
++__get_active_services() { __systemctl $1 list-units "$2*.service" \
++ | { while read -r a b; do echo " $a"; done; }; }
+
+ __get_not_masked_unit_files() {
+ # filter out masked, not-found, or template units.
+@@ -231,7 +233,7 @@ _systemctl () {
+ list-timers list-units list-unit-files poweroff
+ reboot rescue show-environment suspend get-default
+ is-system-running preset-all list-automounts list-paths'
+- [FILE]='link switch-root bind mount-image'
++ [FILE]='link switch-root'
+ [TARGETS]='set-default'
+ [MACHINES]='list-machines'
+ [LOG_LEVEL]='log-level'
+@@ -239,6 +241,7 @@ _systemctl () {
+ [SERVICE_LOG_LEVEL]='service-log-level'
+ [SERVICE_LOG_TARGET]='service-log-target'
+ [SERVICE_WATCHDOGS]='service-watchdogs'
++ [MOUNT]='bind mount-image'
+ )
+
+ for ((i=0; i < COMP_CWORD; i++)); do
+@@ -385,6 +388,15 @@ _systemctl () {
+ fi
+ elif __contains_word "$verb" ${VERBS[SERVICE_WATCHDOGS]}; then
+ comps='on off'
++ elif __contains_word "$verb" ${VERBS[MOUNT]}; then
++ if __contains_word "$prev" ${VERBS[MOUNT]}; then
++ comps=$( __get_active_services $mode "$cur" )
++ elif [[ "$prev" =~ .service ]]; then
++ comps=$( compgen -A file -- "$cur" )
++ compopt -o filenames
++ else
++ return 0
++ fi
+ fi
+
+ COMPREPLY=( $(compgen -o filenames -W '$comps' -- "$cur_orig") )
+--
+2.33.0
+
diff --git a/backport-basic-add-PIDFS-magic-31709.patch b/backport-basic-add-PIDFS-magic-31709.patch
new file mode 100644
index 0000000..2f5fa9f
--- /dev/null
+++ b/backport-basic-add-PIDFS-magic-31709.patch
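Review bot: `[[ "$prev" =~ .service ]]` in the new MOUNT branch is an unanchored regex in which `.` matches any character, so any previous word that merely contains the letters `service` preceded by one character (e.g. `xservice`, `foo.services`) switches to file completion; the intent is a `.service` unit-name suffix. Anchoring it as `elif [[ "$prev" =~ \.service$ ]]; then` makes the test match only real service names. The new `__get_active_services` helper interpolates `$2*.service` into the unit glob unquoted only on the caller side, which follows the pattern of the neighbouring helpers, so no change is needed there. _systemctl starts and ends outside the hunks.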
@@ -0,0 +1,52 @@
+From 3676ca07d1a150b857ba8b69410462d387267277 Mon Sep 17 00:00:00 2001
+From: cpackham-atlnz <85916201+cpackham-atlnz@users.noreply.github.com>
+Date: Tue, 12 Mar 2024 00:55:36 +1300
+Subject: [PATCH 0340/1160] basic: add PIDFS magic (#31709)
+
+Kernel commit cb12fd8e0dabb9a1c8aef55a6a41e2c255fcdf4b added pidfs.
+Update filesystems-gperf.gperf and missing_magic.h accordingly.
+
+This fixes the following error building against a bleeding edge kernel.
+```
+../src/basic/meson.build:234:8: ERROR: Problem encountered: Unknown filesystems defined in kernel headers:
+
+Filesystem found in kernel header but not in filesystems-gperf.gperf: PID_FS_MAGIC
+```
+
+(cherry picked from commit ed01b92e1c92871bbd92711f280e2b2d15753f0e)
+---
+ src/basic/filesystems-gperf.gperf | 1 +
+ src/basic/missing_magic.h | 5 +++++
+ 2 files changed, 6 insertions(+)
+
+diff --git a/src/basic/filesystems-gperf.gperf b/src/basic/filesystems-gperf.gperf
+index e8c5357f91..1cd66b5a5f 100644
+--- a/src/basic/filesystems-gperf.gperf
++++ b/src/basic/filesystems-gperf.gperf
+@@ -91,6 +91,7 @@ ocfs2, {OCFS2_SUPER_MAGIC}
+ openpromfs, {OPENPROM_SUPER_MAGIC}
+ orangefs, {ORANGEFS_DEVREQ_MAGIC}
+ overlay, {OVERLAYFS_SUPER_MAGIC}
++pidfs, {PID_FS_MAGIC}
+ pipefs, {PIPEFS_MAGIC}
+ ppc-cmm, {PPC_CMM_MAGIC}
+ proc, {PROC_SUPER_MAGIC}
+diff --git a/src/basic/missing_magic.h b/src/basic/missing_magic.h
+index 27a33adecb..82d71c8ad1 100644
+--- a/src/basic/missing_magic.h
++++ b/src/basic/missing_magic.h
+@@ -128,6 +128,11 @@
+ #define DEVMEM_MAGIC 0x454d444d
+ #endif
+
++/* cb12fd8e0dabb9a1c8aef55a6a41e2c255fcdf4b (6.8) */
++#ifndef PID_FS_MAGIC
++#define PID_FS_MAGIC 0x50494446
++#endif
++
+ /* Not in mainline but included in Ubuntu */
+ #ifndef SHIFTFS_MAGIC
+ #define SHIFTFS_MAGIC 0x6a656a62
+--
+2.33.0
+
diff --git a/backport-basic-boot-silence-Wunterminated-string-initializati.patch b/backport-basic-boot-silence-Wunterminated-string-initializati.patch new file mode 100644 index 0000000..a2fa8ff --- /dev/null +++ b/backport-basic-boot-silence-Wunterminated-string-initializati.patch 
@@ -0,0 +1,84 @@
+From f6f0d85135f472eeae58807918311a6fa78596a1 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Cristian=20Rodr=C3=ADguez?=
+Date: Sun, 4 Aug 2024 18:51:54 -0400
+Subject: [PATCH 0844/1160] basic|boot: silence
+ Wunterminated-string-initialization gcc15 warnings
+
+gcc15 has -Wunterminated-string-initialization in -Wextra and
+warns about string constants that are not null terminated even though
+the functions do do out of bounds access.
+Silence the warnings by simply not providing an explicit size.
+
+(cherry picked from commit af1a6db58fde8f64edcf7d27e1f3b636c999934c)
+(cherry picked from commit ca09bc33e8b2cbc7c410c300b6df5cf3ce437a3b)
+---
+ src/basic/hexdecoct.c | 18 +++++++++---------
+ src/boot/efi/efi-string.c | 2 +-
+ 2 files changed, 10 insertions(+), 10 deletions(-)
+
+diff --git a/src/basic/hexdecoct.c b/src/basic/hexdecoct.c
+index ea683eb427..16af77d20e 100644
+--- a/src/basic/hexdecoct.c
++++ b/src/basic/hexdecoct.c
+@@ -36,7 +36,7 @@ int undecchar(char c) {
+ }
+
+ char hexchar(int x) {
+- static const char table[16] = "0123456789abcdef";
++ static const char table[] = "0123456789abcdef";
+
+ return table[x & 15];
+ }
+@@ -168,8 +168,8 @@ int unhexmem_full(
+ * useful when representing NSEC3 hashes, as one can then verify the
+ * order of hashes directly from their representation. */
+ char base32hexchar(int x) {
+- static const char table[32] = "0123456789"
+- "ABCDEFGHIJKLMNOPQRSTUV";
++ static const char table[] = "0123456789"
++ "ABCDEFGHIJKLMNOPQRSTUV";
+
+ return table[x & 31];
+ }
+@@ -519,9 +519,9 @@ int unbase32hexmem(const char *p, size_t l, bool padding, void **mem, size_t *_l
+
+ /* https://tools.ietf.org/html/rfc4648#section-4 */
+ char base64char(int x) {
+- static const char table[64] = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
+- "abcdefghijklmnopqrstuvwxyz"
+- "0123456789+/";
++ static const char table[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
++ "abcdefghijklmnopqrstuvwxyz"
++ "0123456789+/";
+ return table[x & 63];
+ }
+
+@@ -529,9 +529,9 @@ char base64char(int x) {
+ * since we don't want "/" appear in interface names (since interfaces appear in sysfs as filenames).
+ * See section #5 of RFC 4648. */
+ char urlsafe_base64char(int x) {
+- static const char table[64] = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
+- "abcdefghijklmnopqrstuvwxyz"
+- "0123456789-_";
++ static const char table[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
++ "abcdefghijklmnopqrstuvwxyz"
++ "0123456789-_";
+ return table[x & 63];
+ }
+
+diff --git a/src/boot/efi/efi-string.c b/src/boot/efi/efi-string.c
+index 4144c0d497..df71797ed0 100644
+--- a/src/boot/efi/efi-string.c
++++ b/src/boot/efi/efi-string.c
+@@ -481,7 +481,7 @@ char *line_get_key_value(char *s, const char *sep, size_t *pos, char **ret_key,
+ }
+
+ char16_t *hexdump(const void *data, size_t size) {
+- static const char hex[16] = "0123456789abcdef";
++ static const char hex[] = "0123456789abcdef";
+ const uint8_t *d = data;
+
+ assert(data || size == 0);
+--
+2.33.0
+
diff --git a/backport-basic-fix-overflow-detection-in-sigbus_pop.patch b/backport-basic-fix-overflow-detection-in-sigbus_pop.patch
new file mode 100644
index 0000000..9130449
--- /dev/null
+++ b/backport-basic-fix-overflow-detection-in-sigbus_pop.patch
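Review bot: Dropping the explicit array size means each alphabet table now carries its terminating NUL, so `sizeof(table)` becomes 17, 33 or 65 rather than 16, 32 or 64, and the lookups stay in bounds only because of the `& 15`, `& 31` and `& 63` masks; nothing in the code records that the mask, not the array length, is the bound. A compile-time check next to each table ties the two together and catches a future edit to the string, e.g. for hexchar `assert_cc(sizeof(table) == 16 + 1);` with the matching constant for the base32hex and base64 tables. The `hex[]` table in efi-string.c's hexdump is the same situation and could get the same check. Each of the changed functions is shown in full within its hunk except hexdump, whose body continues past the hunk.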
@@ -0,0 +1,49 @@
+From 4332dc5369b55efd00be331abbcfbba8672d1811 Mon Sep 17 00:00:00 2001
+From: Rose <83477269+AtariDreams@users.noreply.github.com>
+Date: Tue, 2 Jan 2024 10:13:27 -0500
+Subject: [PATCH 0117/1160] basic: fix overflow detection in sigbus_pop
+
+The current check checks for n_sigbus_queue
+being greater than or equal to SIGBUS_QUEUE_MAX,
+when it should be just greater than as
+n_sigbus_queue being SIGBUS_QUEUE_MAX indicates
+that the queue is full, but not overflowed.
+
+(cherry picked from commit b4a9d19e4ec527a7b2d774a1349a6133f7739847)
+---
+ src/basic/sigbus.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/basic/sigbus.c b/src/basic/sigbus.c
+index 7e5a493f6b..47ab0b81d8 100644
+--- a/src/basic/sigbus.c
++++ b/src/basic/sigbus.c
+@@ -40,14 +40,14 @@ static void sigbus_push(void *addr) {
+ }
+
+ /* If we can't, make sure the queue size is out of bounds, to
+- * mark it as overflow */
++ * mark it as overflowed */
+ for (;;) {
+ sig_atomic_t c;
+
+ __atomic_thread_fence(__ATOMIC_SEQ_CST);
+ c = n_sigbus_queue;
+
+- if (c > SIGBUS_QUEUE_MAX) /* already overflow */
++ if (c > SIGBUS_QUEUE_MAX) /* already overflowed */
+ return;
+
+ /* OK if we clobber c here, since we either immediately return
+@@ -70,7 +70,7 @@ int sigbus_pop(void **ret) {
+ if (_likely_(c == 0))
+ return 0;
+
+- if (_unlikely_(c >= SIGBUS_QUEUE_MAX))
++ if (_unlikely_(c > SIGBUS_QUEUE_MAX))
+ return -EOVERFLOW;
+
+ for (u = 0; u < SIGBUS_QUEUE_MAX; u++) {
+--
+2.33.0
+
diff --git a/backport-basic-linux-Copy-netfilter.h-to-the-source-tree.patch b/backport-basic-linux-Copy-netfilter.h-to-the-source-tree.patch
new file mode 100644
index 0000000..f6ae4ad
--- /dev/null
+++ b/backport-basic-linux-Copy-netfilter.h-to-the-source-tree.patch
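Review bot: The relaxed `c > SIGBUS_QUEUE_MAX` test in sigbus_pop is consistent with sigbus_push, which (per its comment in the first hunk) only pushes the count past SIGBUS_QUEUE_MAX to mark an overflow, but the boundary meaning is exactly what was misread before, and the new line carries no explanation. A comment on the changed condition, `/* == SIGBUS_QUEUE_MAX means full but intact; only a larger count marks an overflow (see sigbus_push()) */`, records the invariant where it is checked. The scan loop that follows uses `u < SIGBUS_QUEUE_MAX`, so a count equal to the maximum is handled by it. sigbus_pop's body continues outside the hunk.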
@@ -0,0 +1,99 @@
+From d8d64ce8a2609ea677c1b81e63406b0feaa1deb1 Mon Sep 17 00:00:00 2001
+From: Florian Fainelli
+Date: Mon, 6 May 2024 10:40:29 -0700
+Subject: [PATCH 0618/1160] basic/linux: Copy netfilter.h to the source tree
+
+This fixes build with old toolchains prior to Linux < 4.2 which do not
+have a definition for NFPROTO_NET DEV.
+
+(cherry picked from commit 41a94ae670c11860f3cf1806a39d13904366f3a3)
+---
+ src/basic/linux/netfilter.h | 76 +++++++++++++++++++++++++++++++++++++
+ 1 file changed, 76 insertions(+)
+ create mode 100644 src/basic/linux/netfilter.h
+
+diff --git a/src/basic/linux/netfilter.h b/src/basic/linux/netfilter.h
+new file mode 100644
+index 0000000000..30c045b818
+--- /dev/null
++++ b/src/basic/linux/netfilter.h
+@@ -0,0 +1,76 @@
++/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
++#ifndef __LINUX_NETFILTER_H
++#define __LINUX_NETFILTER_H
++
++#include
++
++#include
++#include
++
++/* Responses from hook functions. */
++#define NF_DROP 0
++#define NF_ACCEPT 1
++#define NF_STOLEN 2
++#define NF_QUEUE 3
++#define NF_REPEAT 4
++#define NF_STOP 5 /* Deprecated, for userspace nf_queue compatibility. */
++#define NF_MAX_VERDICT NF_STOP
++
++/* we overload the higher bits for encoding auxiliary data such as the queue
++ * number or errno values. Not nice, but better than additional function
++ * arguments. */
++#define NF_VERDICT_MASK 0x000000ff
++
++/* extra verdict flags have mask 0x0000ff00 */
++#define NF_VERDICT_FLAG_QUEUE_BYPASS 0x00008000
++
++/* queue number (NF_QUEUE) or errno (NF_DROP) */
++#define NF_VERDICT_QMASK 0xffff0000
++#define NF_VERDICT_QBITS 16
++
++#define NF_QUEUE_NR(x) ((((x) << 16) & NF_VERDICT_QMASK) | NF_QUEUE)
++
++#define NF_DROP_ERR(x) (((-x) << 16) | NF_DROP)
++
++/* only for userspace compatibility */
++
++/* NF_VERDICT_BITS should be 8 now, but userspace might break if this changes */
++#define NF_VERDICT_BITS 16
++
++enum nf_inet_hooks {
++ NF_INET_PRE_ROUTING,
++ NF_INET_LOCAL_IN,
++ NF_INET_FORWARD,
++ NF_INET_LOCAL_OUT,
++ NF_INET_POST_ROUTING,
++ NF_INET_NUMHOOKS,
++ NF_INET_INGRESS = NF_INET_NUMHOOKS,
++};
++
++enum nf_dev_hooks {
++ NF_NETDEV_INGRESS,
++ NF_NETDEV_EGRESS,
++ NF_NETDEV_NUMHOOKS
++};
++
++enum {
++ NFPROTO_UNSPEC = 0,
++ NFPROTO_INET = 1,
++ NFPROTO_IPV4 = 2,
++ NFPROTO_ARP = 3,
++ NFPROTO_NETDEV = 5,
++ NFPROTO_BRIDGE = 7,
++ NFPROTO_IPV6 = 10,
++ NFPROTO_DECNET = 12,
++ NFPROTO_NUMPROTO,
++};
++
++union nf_inet_addr {
++ __u32 all[4];
++ __be32 ip;
++ __be32 ip6[4];
++ struct in_addr in;
++ struct in6_addr in6;
++};
++
++#endif /* __LINUX_NETFILTER_H */
+--
+2.33.0
+
diff --git a/backport-basic-log-do-not-treat-all-negative-errnos-as-synthe.patch b/backport-basic-log-do-not-treat-all-negative-errnos-as-synthe.patch
index 3f31594..fbbe56d 100644
--- a/backport-basic-log-do-not-treat-all-negative-errnos-as-synthe.patch
+++ b/backport-basic-log-do-not-treat-all-negative-errnos-as-synthe.patch
@@ -1,7 +1,8 @@ From 1fc7e3473c2fec27bdc0b19753e4ea84cd39644f Mon Sep 17 00:00:00 2001
From: Mike Yuan Date: Wed, 24 Jul 2024 16:28:48 +0200 -Subject: [PATCH] basic/log: do not treat all negative errnos as synthetic +Subject: [PATCH 0801/1160] basic/log: do not treat all negative errnos as + synthetic Currently, IS_SYNTHETIC_ERRNO() evaluates to true for all negative errnos, because of the two's-complement negative value representation. @@ -16,9 +17,6 @@ Fixes #33800 (cherry picked from commit 268f58076f7e0258dce75f521d08199092279853) (cherry picked from commit 4ad6b2631d73a574859a62d33715a7bdef810bcf) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/1fc7e3473c2fec27bdc0b19753e4ea84cd39644f --- src/basic/log.h | 5 ++--- src/test/test-log.c | 14 +++++++++----- diff --git a/backport-basic-virt-Fix-virtualbox-detection-on-proprietary-s.patch b/backport-basic-virt-Fix-virtualbox-detection-on-proprietary-s.patch new file mode 100644 index 0000000..9d1b319 --- /dev/null +++ b/backport-basic-virt-Fix-virtualbox-detection-on-proprietary-s.patch 
@@ -0,0 +1,32 @@
+From ddc22010a95ea3496be147e524763826a00d012c Mon Sep 17 00:00:00 2001
+From: Friedrich Altheide <11352905+FriedrichAltheide@users.noreply.github.com>
+Date: Tue, 26 Mar 2024 07:56:14 +0100
+Subject: [PATCH 0420/1160] basic/virt: Fix virtualbox detection on proprietary
+ system via board_vendor
+
+Identify an virtualbox instance even if product_name, sys_vendor and bios_vendor reflect the
+information of the real hardware, by checking if board_vendor == "Oracle Corporation"
+
+This fixes #13429 again
+The previous fix was removed in #21127
+
+(cherry picked from commit 5e3c08d37510ec1001f98c09420c83bd8f775023)
+---
+ src/basic/virt.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/basic/virt.c b/src/basic/virt.c
+index 93ccfaa369..88357a9568 100644
+--- a/src/basic/virt.c
++++ b/src/basic/virt.c
+@@ -178,6 +178,7 @@ static Virtualization detect_vm_dmi_vendor(void) {
+ { "VMW", VIRTUALIZATION_VMWARE },
+ { "innotek GmbH", VIRTUALIZATION_ORACLE },
+ { "VirtualBox", VIRTUALIZATION_ORACLE },
++ { "Oracle Corporation", VIRTUALIZATION_ORACLE }, /* Detect VirtualBox on some proprietary systems via the board_vendor */
+ { "Xen", VIRTUALIZATION_XEN },
+ { "Bochs", VIRTUALIZATION_BOCHS },
+ { "Parallels", VIRTUALIZATION_PARALLELS },
+--
+2.33.0
+
diff --git a/backport-battery-check-parse-options-before-checking-for-kern.patch b/backport-battery-check-parse-options-before-checking-for-kern.patch
new file mode 100644
index 0000000..20bea17
--- /dev/null
+++ b/backport-battery-check-parse-options-before-checking-for-kern.patch
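Review bot: The new `"Oracle Corporation"` entry is a vendor string that Oracle's physical x86 servers also report in their DMI data, and it is added to the generic vendor table that, judging by the neighbouring entries, detect_vm_dmi_vendor appears to apply to every DMI attribute it scans rather than to board_vendor alone as the commit message and the inline comment state — so bare-metal Oracle hardware may now be classified as a VirtualBox guest, which is the kind of regression that reportedly caused the earlier fix to be reverted. If the intent really is board_vendor-specific, the match should be limited to that attribute rather than placed in the shared table, or at minimum the comment should state which DMI fields it is expected to match. DMI strings are also writable by whoever provisions the platform, so anything that changes behaviour on `VIRTUALIZATION_ORACLE` should not rely on this match alone. The loop that consumes this table is outside the hunk.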
@@ -0,0 +1,41 @@
+From 06b1c4b9c269ee29c15ded5be34b1064c7b8bdc9 Mon Sep 17 00:00:00 2001
+From: Luca Boccassi
+Date: Fri, 8 Nov 2024 12:23:37 +0000
+Subject: [PATCH 1057/1160] battery-check: parse options before checking for
+ kernel command line
+
+Otherwise --help/--version/etc which exit immediately will do pointless work
+
+(cherry picked from commit 60d23b7f4ae26d934e5748d30bb7ae956f3ad83d)
+(cherry picked from commit 29cdad871ea5febb64336b43f08aab5ac15ab4cb)
+(cherry picked from commit 80e4e3122dc7ee01012d9e0a5f68a3c8faa72572)
+---
+ src/battery-check/battery-check.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/src/battery-check/battery-check.c b/src/battery-check/battery-check.c
+index 03628c8b92..978b118277 100644
+--- a/src/battery-check/battery-check.c
++++ b/src/battery-check/battery-check.c
+@@ -123,14 +123,14 @@ static int run(int argc, char *argv[]) {
+
+ log_setup();
+
+- r = proc_cmdline_get_bool("systemd.battery-check", PROC_CMDLINE_STRIP_RD_PREFIX|PROC_CMDLINE_TRUE_WHEN_MISSING, &arg_doit);
+- if (r < 0)
+- log_warning_errno(r, "Failed to parse systemd.battery-check= kernel command line option, ignoring: %m");
+-
+ r = parse_argv(argc, argv);
+ if (r <= 0)
+ return r;
+
++ r = proc_cmdline_get_bool("systemd.battery-check", PROC_CMDLINE_STRIP_RD_PREFIX|PROC_CMDLINE_TRUE_WHEN_MISSING, &arg_doit);
++ if (r < 0)
++ log_warning_errno(r, "Failed to parse systemd.battery-check= kernel command line option, ignoring: %m");
++
+ if (!arg_doit) {
+ log_info("Checking battery status and AC power existence is disabled by the kernel command line, skipping execution.");
+ return 0;
+--
+2.33.0
+
diff --git a/backport-battery-util-raise-log-level-for-battery_is_discharg.patch b/backport-battery-util-raise-log-level-for-battery_is_discharg.patch
new file mode 100644
index 0000000..b323897
--- /dev/null
+++ b/backport-battery-util-raise-log-level-for-battery_is_discharg.patch
@@ -0,0 +1,34 @@ +From b2be9ca5c3ae6f7be069c84191259aeb17ac4460 Mon Sep 17 00:00:00 2001 +From: Mike Yuan +Date: Sat, 6 Jan 2024 22:45:43 +0800 +Subject: [PATCH 0148/1160] battery-util: raise log level for + battery_is_discharging_and_low + +(cherry picked from commit ad0b7e03db613f86f244c9af797db6d12e7b9f62) +--- + src/shared/battery-util.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/shared/battery-util.c b/src/shared/battery-util.c +index 85cb067c84..37b3f6a6ea 100644 +--- a/src/shared/battery-util.c ++++ b/src/shared/battery-util.c +@@ -241,13 +241,13 @@ int battery_is_discharging_and_low(void) { + + r = on_ac_power(); + if (r < 0) +- log_debug_errno(r, "Failed to check if the system is running on AC, assuming it is not: %m"); ++ log_warning_errno(r, "Failed to check if the system is running on AC, assuming it is not: %m"); + if (r > 0) + return false; + + r = battery_enumerator_new(&e); + if (r < 0) +- return log_debug_errno(r, "Failed to initialize battery enumerator: %m"); ++ return log_error_errno(r, "Failed to initialize battery enumerator: %m"); + + FOREACH_DEVICE(e, dev) { + int level; +-- +2.33.0 + diff --git a/backport-bless-boot-pass-the-right-error-variable.patch b/backport-bless-boot-pass-the-right-error-variable.patch new file mode 100644 index 0000000..c86f842 --- /dev/null +++ b/backport-bless-boot-pass-the-right-error-variable.patch 
@@ -0,0 +1,26 @@ +From fce226b4ca67aaf225f729182f08b02d3b326555 Mon Sep 17 00:00:00 2001 +From: David Tardon +Date: Tue, 7 May 2024 13:16:30 +0200 +Subject: [PATCH 0593/1160] bless-boot: pass the right error variable + +(cherry picked from commit bad6cb5ae8db5d03ded4c852d624014c8738cc7b) +--- + src/boot/bless-boot.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/boot/bless-boot.c b/src/boot/bless-boot.c +index 0c0b4f23c7..12dfdf76fa 100644 +--- a/src/boot/bless-boot.c ++++ b/src/boot/bless-boot.c +@@ -476,7 +476,7 @@ static int verb_set(int argc, char *argv[], void *userdata) { + /* First, fsync() the directory these files are located in */ + r = fsync_parent_at(fd, skip_slash(target)); + if (r < 0) +- log_debug_errno(errno, "Failed to synchronize image directory, ignoring: %m"); ++ log_debug_errno(r, "Failed to synchronize image directory, ignoring: %m"); + + /* Secondly, syncfs() the whole file system these files are located in */ + if (syncfs(fd) < 0) +-- +2.33.0 + diff --git a/backport-blockdev-util-also-check-loop-partscan-sysattr.patch b/backport-blockdev-util-also-check-loop-partscan-sysattr.patch new file mode 100644 index 0000000..63663ff --- /dev/null +++ b/backport-blockdev-util-also-check-loop-partscan-sysattr.patch 
@@ -0,0 +1,75 @@ +From ae7a07b9ff9066f549ea5ae95be5201d581ea0e8 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Mon, 27 May 2024 06:01:05 +0900 +Subject: [PATCH 0684/1160] blockdev-util: also check loop/partscan sysattr + +With https://github.com/torvalds/linux/commit/b9684a71fca793213378dd410cd11675d973eaa1 (v5.19), +we cannot check partition scanning is enabled for a loopback block device +without checking the attribute. + +(cherry picked from commit bab8c851daaa2a4ed9febb7cc958f701ee024151) +--- + src/shared/blockdev-util.c | 33 ++++++++++++++++++++++++++------- + 1 file changed, 26 insertions(+), 7 deletions(-) + +diff --git a/src/shared/blockdev-util.c b/src/shared/blockdev-util.c +index 00ce7e6600..c27fe894cb 100644 +--- a/src/shared/blockdev-util.c ++++ b/src/shared/blockdev-util.c +@@ -394,16 +394,29 @@ int blockdev_partscan_enabled(int fd) { + * e81cd5a983bb35dabd38ee472cf3fea1c63e0f23, the flag was never used. So, fortunately, we can use + * both the new and old values safely. + * ++ * With https://github.com/torvalds/linux/commit/b9684a71fca793213378dd410cd11675d973eaa1 (v5.19), ++ * another flag GD_SUPPRESS_PART_SCAN is introduced for loopback block device, and partition scanning ++ * is done only when both GENHD_FL_NO_PART and GD_SUPPRESS_PART_SCAN are not set. Before the commit, ++ * LO_FLAGS_PARTSCAN flag was directly tied with GENHD_FL_NO_PART. But with this change now it is ++ * tied with GD_SUPPRESS_PART_SCAN. So, LO_FLAGS_PARTSCAN cannot be obtained from 'ext_range' ++ * sysattr, which corresponds to GENHD_FL_NO_PART, and we need to read 'loop/partscan'. 💣💣💣 ++ * ++ * With https://github.com/torvalds/linux/commit/73a166d9749230d598320fdae3b687cdc0e2e205 (v6.3), ++ * the GD_SUPPRESS_PART_SCAN flag is also introduced for userspace block device (ublk). Though, not ++ * sure if we should support the device... 
++ * + * With https://github.com/torvalds/linux/commit/e81cd5a983bb35dabd38ee472cf3fea1c63e0f23 (v6.3), +- * the 'capability' sysfs attribute is deprecated, hence we cannot check the flag from it. ++ * the 'capability' sysfs attribute is deprecated, hence we cannot check flags from it. 💣💣💣 + * +- * With https://github.com/torvalds/linux/commit/a4217c6740dc64a3eb6815868a9260825e8c68c6 +- * (backported to v6.9), the partscan status is directly exposed as 'partscan' sysattr. ++ * With https://github.com/torvalds/linux/commit/a4217c6740dc64a3eb6815868a9260825e8c68c6 (v6.10, ++ * backported to v6.9), the partscan status is directly exposed as 'partscan' sysattr. + * +- * To support both old and new kernels, we need to do the following: first check 'partscan' attr +- * where the information is made directly available; then, fall back to 'ext_range' sysfs attribute, +- * and if '1' we can conclude partition scanning is disabled; otherwise check 'capability' sysattr +- * for ancient version. */ ++ * To support both old and new kernels, we need to do the following: ++ * 1) check 'partscan' sysfs attribute where the information is made directly available, ++ * 2) check 'loop/partscan' sysfs attribute for loopback block devices, and if '0' we can conclude ++ * partition scanning is disabled, ++ * 3) check 'ext_range' sysfs attribute, and if '1' we can conclude partition scanning is disabled, ++ * 4) otherwise check 'capability' sysfs attribute for ancient version. */ + + assert(fd >= 0); + +@@ -411,10 +424,16 @@ int blockdev_partscan_enabled(int fd) { + if (r < 0) + return r; + ++ /* For v6.10 or newer. */ + r = device_get_sysattr_bool(dev, "partscan"); + if (r != -ENOENT) + return r; + ++ /* For loopback block device, especially for v5.19 or newer. Even if this is enabled, we also need to ++ * check GENHD_FL_NO_PART flag through 'ext_range' and 'capability' sysfs attributes below. 
*/ ++ if (device_get_sysattr_bool(dev, "loop/partscan") == 0) ++ return false; ++ + r = device_get_sysattr_int(dev, "ext_range", &ext_range); + if (r == -ENOENT) /* If the ext_range file doesn't exist then we are most likely looking at a + * partition block device, not the whole block device. And that means we have no +-- +2.33.0 + diff --git a/backport-blockdev-util-also-check-newer-value-of-GENHD_FL_NO_.patch b/backport-blockdev-util-also-check-newer-value-of-GENHD_FL_NO_.patch new file mode 100644 index 0000000..9bca259 --- /dev/null +++ b/backport-blockdev-util-also-check-newer-value-of-GENHD_FL_NO_.patch 
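Review bot: `if (device_get_sysattr_bool(dev, "loop/partscan") == 0) return false;` treats every outcome other than a literal 0 as "not disabled", so a read error such as -EACCES or an unparsable value silently falls through to the weaker 'ext_range'/'capability' heuristics, while the 'partscan' probe a few lines above propagates any error other than -ENOENT. The two probes therefore react differently to the same failure; keeping the result in `r` and returning unexpected errors would align them: `r = device_get_sysattr_bool(dev, "loop/partscan"); if (r == 0) return false; if (r < 0 && r != -ENOENT) return r;`. blockdev_partscan_enabled() continues past the end of the hunk.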
@@ -0,0 +1,61 @@ +From 49b0f0ed08ec50d0ca9d19de657493800b72420b Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Mon, 27 May 2024 09:21:41 +0900 +Subject: [PATCH 0683/1160] blockdev-util: also check newer value of + GENHD_FL_NO_PART flag + +With https://github.com/torvalds/linux/commit/430cc5d3ab4d0ba0bd011cfbb0035e46ba92920c, +the value of GENHD_FL_NO_PART, previously named as GENHD_FL_NO_PART_SCAN, +is changed from 0x0200 to 0x0004. So, we need to check both flags. + +(cherry picked from commit f0c2668c9934682a3b4ed5c228c05e26bb0ba1dc) +--- + src/shared/blockdev-util.c | 25 +++++++++++++++++-------- + 1 file changed, 17 insertions(+), 8 deletions(-) + +diff --git a/src/shared/blockdev-util.c b/src/shared/blockdev-util.c +index a5fe05e5c7..00ce7e6600 100644 +--- a/src/shared/blockdev-util.c ++++ b/src/shared/blockdev-util.c +@@ -380,8 +380,19 @@ int blockdev_partscan_enabled(int fd) { + * is 1, which can be check with 'ext_range' sysfs attribute. Explicit flag ('GENHD_FL_NO_PART_SCAN') + * can be obtained from 'capability' sysattr. + * +- * With https://github.com/torvalds/linux/commit/1ebe2e5f9d68e94c524aba876f27b945669a7879 (v5.17), we +- * can check the flag from 'ext_range' sysfs attribute directly. ++ * With https://github.com/torvalds/linux/commit/46e7eac647b34ed4106a8262f8bedbb90801fadd (v5.17), ++ * the flag is renamed to GENHD_FL_NO_PART. ++ * ++ * With https://github.com/torvalds/linux/commit/1ebe2e5f9d68e94c524aba876f27b945669a7879 (v5.17), ++ * we can check the flag from 'ext_range' sysfs attribute directly. ++ * ++ * With https://github.com/torvalds/linux/commit/430cc5d3ab4d0ba0bd011cfbb0035e46ba92920c (v5.17), ++ * the value of GENHD_FL_NO_PART is changed from 0x0200 to 0x0004. 💣💣💣 ++ * Note, the new value was used by the GENHD_FL_MEDIA_CHANGE_NOTIFY flag, which was introduced by ++ * 86ce18d7b7925bfd6b64c061828ca2a857ee83b8 (v2.6.22), and removed by ++ * 9243c6f3e012a92dd900d97ef45efaf8a8edc448 (v5.7). 
If we believe the commit message of ++ * e81cd5a983bb35dabd38ee472cf3fea1c63e0f23, the flag was never used. So, fortunately, we can use ++ * both the new and old values safely. + * + * With https://github.com/torvalds/linux/commit/e81cd5a983bb35dabd38ee472cf3fea1c63e0f23 (v6.3), + * the 'capability' sysfs attribute is deprecated, hence we cannot check the flag from it. +@@ -423,12 +434,10 @@ int blockdev_partscan_enabled(int fd) { + if (r < 0) + return r; + +-#ifndef GENHD_FL_NO_PART_SCAN +-#define GENHD_FL_NO_PART_SCAN (0x0200) +-#endif +- +- /* If 0x200 is set, part scanning is definitely off. */ +- if (FLAGS_SET(capability, GENHD_FL_NO_PART_SCAN)) ++#define GENHD_FL_NO_PART_OLD 0x0200 ++#define GENHD_FL_NO_PART_NEW 0x0004 ++ /* If one of the NO_PART flags is set, part scanning is definitely off. */ ++ if ((capability & (GENHD_FL_NO_PART_OLD | GENHD_FL_NO_PART_NEW)) != 0) + return false; + + /* Otherwise, assume part scanning is on, we have no further checks available. Assume the best. */ +-- +2.33.0 + diff --git a/backport-blockdev-util-also-read-ext_range-sysattr-to-check-i.patch b/backport-blockdev-util-also-read-ext_range-sysattr-to-check-i.patch new file mode 100644 index 0000000..695e4a0 --- /dev/null +++ b/backport-blockdev-util-also-read-ext_range-sysattr-to-check-i.patch 
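Review bot: `#define GENHD_FL_NO_PART_OLD 0x0200` and `#define GENHD_FL_NO_PART_NEW 0x0004` are defined unconditionally in function scope and never undefined, so they remain visible for the rest of the translation unit, and the `#ifndef` guard the old code had is gone. Placing the two constants with the file's other definitions, or adding `#undef GENHD_FL_NO_PART_OLD` / `#undef GENHD_FL_NO_PART_NEW` right after the check, keeps their scope explicit. Accepting 0x0004 also rests on the comment's assumption that GENHD_FL_MEDIA_CHANGE_NOTIFY was never set by any driver before v5.7; if a driver did set it, the function would report partition scanning as disabled on such kernels, which is the safer direction but is worth stating in the comment.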
@@ -0,0 +1,109 @@ +From 4798f036f08f4dbdc993fc45dbe7306cbd2362d1 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Mon, 8 Apr 2024 11:57:42 +0900 +Subject: [PATCH 0535/1160] blockdev-util: also read 'ext_range' sysattr to + check if the partscan is enabled + +The 'capability' sysattr was deprecated by +https://github.com/torvalds/linux/commit/e81cd5a983bb35dabd38ee472cf3fea1c63e0f23 (v6.3). + +(cherry picked from commit 33ff155957327f51dde740a7a75f19122bff1ebc) +--- + src/shared/blockdev-util.c | 56 +++++++++++++++++++++++++++----------- + 1 file changed, 40 insertions(+), 16 deletions(-) + +diff --git a/src/shared/blockdev-util.c b/src/shared/blockdev-util.c +index c906aec109..7a2dd1c5d0 100644 +--- a/src/shared/blockdev-util.c ++++ b/src/shared/blockdev-util.c +@@ -11,6 +11,7 @@ + #include "alloc-util.h" + #include "blockdev-util.h" + #include "btrfs-util.h" ++#include "device-private.h" + #include "device-util.h" + #include "devnum-util.h" + #include "dirent-util.h" +@@ -367,24 +368,36 @@ int lock_whole_block_device(dev_t devt, int operation) { + } + + int blockdev_partscan_enabled(int fd) { +- _cleanup_free_ char *p = NULL, *buf = NULL; +- unsigned long long ull; +- struct stat st; +- int r; +- +- /* Checks if partition scanning is correctly enabled on the block device */ ++ _cleanup_(sd_device_unrefp) sd_device *dev = NULL; ++ unsigned capability; ++ int r, ext_range; + +- if (fstat(fd, &st) < 0) +- return -errno; ++ /* Checks if partition scanning is correctly enabled on the block device. ++ * ++ * The 'GENHD_FL_NO_PART_SCAN' flag was introduced by ++ * https://github.com/torvalds/linux/commit/d27769ec3df1a8de9ca450d2dcd72d1ab259ba32 (v3.2). ++ * But at that time, the flag is also effectively implied when 'minors' element of 'struct gendisk' ++ * is 1, which can be check with 'ext_range' sysfs attribute. Explicit flag ('GENHD_FL_NO_PART_SCAN') ++ * can be obtained from 'capability' sysattr. 
++ * ++ * With https://github.com/torvalds/linux/commit/1ebe2e5f9d68e94c524aba876f27b945669a7879 (v5.17), we ++ * can check the flag from 'ext_range' sysfs attribute directly. ++ * ++ * With https://github.com/torvalds/linux/commit/e81cd5a983bb35dabd38ee472cf3fea1c63e0f23 (v6.3), ++ * the 'capability' sysfs attribute is deprecated, hence we cannot check the flag from it. ++ * ++ * To support both old and new kernels, we need to do the following: first check 'ext_range' sysfs ++ * attribute, and if '1' we can conclude partition scanning is disabled, otherwise check 'capability' ++ * sysattr for older version. */ + +- if (!S_ISBLK(st.st_mode)) +- return -ENOTBLK; ++ assert(fd >= 0); + +- if (asprintf(&p, "/sys/dev/block/%u:%u/capability", major(st.st_rdev), minor(st.st_rdev)) < 0) +- return -ENOMEM; ++ r = block_device_new_from_fd(fd, 0, &dev); ++ if (r < 0) ++ return r; + +- r = read_one_line_file(p, &buf); +- if (r == -ENOENT) /* If the capability file doesn't exist then we are most likely looking at a ++ r = device_get_sysattr_int(dev, "ext_range", &ext_range); ++ if (r == -ENOENT) /* If the ext_range file doesn't exist then we are most likely looking at a + * partition block device, not the whole block device. And that means we have no + * partition scanning on for it (we do for its parent, but not for the partition + * itself). */ +@@ -392,7 +405,13 @@ int blockdev_partscan_enabled(int fd) { + if (r < 0) + return r; + +- r = safe_atollu_full(buf, 16, &ull); ++ if (ext_range <= 1) /* The valus should be always positive, but the kernel uses '%d' for the ++ * attribute. Let's gracefully handle zero or negative. 
*/ ++ return false; ++ ++ r = device_get_sysattr_unsigned_full(dev, "capability", 16, &capability); ++ if (r == -ENOENT) ++ return false; + if (r < 0) + return r; + +@@ -400,7 +419,12 @@ int blockdev_partscan_enabled(int fd) { + #define GENHD_FL_NO_PART_SCAN (0x0200) + #endif + +- return !FLAGS_SET(ull, GENHD_FL_NO_PART_SCAN); ++ /* If 0x200 is set, part scanning is definitely off. */ ++ if (FLAGS_SET(capability, GENHD_FL_NO_PART_SCAN)) ++ return false; ++ ++ /* Otherwise, assume part scanning is on, we have no further checks available. Assume the best. */ ++ return true; + } + + static int blockdev_is_encrypted(const char *sysfs_path, unsigned depth_left) { +-- +2.33.0 + diff --git a/backport-blockdev-util-partscan-sysattr-now-directly-shows-th.patch b/backport-blockdev-util-partscan-sysattr-now-directly-shows-th.patch new file mode 100644 index 0000000..0fc4ab9 --- /dev/null +++ b/backport-blockdev-util-partscan-sysattr-now-directly-shows-th.patch 
@@ -0,0 +1,48 @@ +From 41fb19e778913273d904f3b75b545bb77da9d1f7 Mon Sep 17 00:00:00 2001 +From: Mike Yuan +Date: Sun, 26 May 2024 15:54:06 +0800 +Subject: [PATCH 0682/1160] blockdev-util: "partscan" sysattr now directly + shows the enabled state + +See also: https://lore.kernel.org/r/20240502130033.1958492-3-hch@lst.de + +(cherry picked from commit 100bed702b73414161d57adff71e07329c1016ac) +--- + src/shared/blockdev-util.c | 14 +++++++++++--- + 1 file changed, 11 insertions(+), 3 deletions(-) + +diff --git a/src/shared/blockdev-util.c b/src/shared/blockdev-util.c +index 7a2dd1c5d0..a5fe05e5c7 100644 +--- a/src/shared/blockdev-util.c ++++ b/src/shared/blockdev-util.c +@@ -386,9 +386,13 @@ int blockdev_partscan_enabled(int fd) { + * With https://github.com/torvalds/linux/commit/e81cd5a983bb35dabd38ee472cf3fea1c63e0f23 (v6.3), + * the 'capability' sysfs attribute is deprecated, hence we cannot check the flag from it. + * +- * To support both old and new kernels, we need to do the following: first check 'ext_range' sysfs +- * attribute, and if '1' we can conclude partition scanning is disabled, otherwise check 'capability' +- * sysattr for older version. */ ++ * With https://github.com/torvalds/linux/commit/a4217c6740dc64a3eb6815868a9260825e8c68c6 ++ * (backported to v6.9), the partscan status is directly exposed as 'partscan' sysattr. ++ * ++ * To support both old and new kernels, we need to do the following: first check 'partscan' attr ++ * where the information is made directly available; then, fall back to 'ext_range' sysfs attribute, ++ * and if '1' we can conclude partition scanning is disabled; otherwise check 'capability' sysattr ++ * for ancient version. 
*/ + + assert(fd >= 0); + +@@ -396,6 +400,10 @@ int blockdev_partscan_enabled(int fd) { + if (r < 0) + return r; + ++ r = device_get_sysattr_bool(dev, "partscan"); ++ if (r != -ENOENT) ++ return r; ++ + r = device_get_sysattr_int(dev, "ext_range", &ext_range); + if (r == -ENOENT) /* If the ext_range file doesn't exist then we are most likely looking at a + * partition block device, not the whole block device. And that means we have no +-- +2.33.0 + diff --git a/backport-boot-Improve-log-message.patch b/backport-boot-Improve-log-message.patch new file mode 100644 index 0000000..5594cb6 --- /dev/null +++ b/backport-boot-Improve-log-message.patch @@ -0,0 +1,28 @@ +From 8d87145808ef7f84292b64bbb543fae4c748e57e Mon Sep 17 00:00:00 2001 +From: Daan De Meyer +Date: Sat, 25 Jan 2025 20:42:54 +0100 +Subject: [PATCH 1083/1160] boot: Improve log message + +(cherry picked from commit ff83795469a20af02a9bf3285992128799b16302) +(cherry picked from commit 05a135c36e164bbda708af99597742788ef4eeea) +(cherry picked from commit c1092e032f2c814beb559da00690a9f457416426) +--- + src/boot/efi/boot.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/boot/efi/boot.c b/src/boot/efi/boot.c +index 83207a5afe..824d2add6a 100644 +--- a/src/boot/efi/boot.c ++++ b/src/boot/efi/boot.c +@@ -1372,7 +1372,7 @@ static EFI_STATUS boot_entry_bump_counters(BootEntry *entry) { + + err = root->Open(root, &handle, old_path, EFI_FILE_MODE_READ|EFI_FILE_MODE_WRITE, 0ULL); + if (err != EFI_SUCCESS) +- return log_error_status(err, "Error opening boot entry: %m"); ++ return log_error_status(err, "Error opening boot entry '%ls': %m", old_path); + + err = get_file_info(handle, &file_info, &file_info_size); + if (err != EFI_SUCCESS) +-- +2.33.0 + diff --git a/backport-boot-allocate-cleanup-pages-below-4GiB-only-on-x86.patch b/backport-boot-allocate-cleanup-pages-below-4GiB-only-on-x86.patch new file mode 100644 index 0000000..b5283a1 --- /dev/null 
+++ b/backport-boot-allocate-cleanup-pages-below-4GiB-only-on-x86.patch @@ -0,0 +1,53 @@ +From 8923d937684dba17a84dc3693e77adeb4a4f4ec8 Mon Sep 17 00:00:00 2001 +From: andre4ik3 +Date: Wed, 13 Nov 2024 18:53:25 +0400 +Subject: [PATCH 1003/1160] boot: allocate cleanup pages below 4GiB only on x86 + +Outside of x86, some machines (e.g. Apple silicon, AMD Opteron A1100) have +physical memory mapped above 4GiB, meaning this allocation will fail, causing +the entire boot process to fail on these machines. + +This commit makes it so that the below-4GB address space allocation requirement +is only set on x86 platforms, and not on other platforms (that don't have the +specific Linux x86 boot protocol), thereby fixing boot on those that have no +memory mapped below 4GiB in their address space. + +Tested on an Apple silicon M1 laptop and an AMD x86_64 desktop tower. + +Fixes: #35026 + +Manual backport of 6e207b370e91e681efb08c497a6c8ad78e3c8d83. + +(cherry picked from commit a9d9db7f4e4a75f6dbda5c31fbbf325eff9d63b4) +--- + src/boot/efi/stub.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/src/boot/efi/stub.c b/src/boot/efi/stub.c +index 0d9df7eb28..d9d515b1a9 100644 +--- a/src/boot/efi/stub.c ++++ b/src/boot/efi/stub.c +@@ -50,11 +50,20 @@ static EFI_STATUS combine_initrd( + n += extra_initrd_sizes[i]; + } + ++#if defined(__i386__) || defined(__x86_64__) + _cleanup_pages_ Pages pages = xmalloc_pages( + AllocateMaxAddress, + EfiLoaderData, + EFI_SIZE_TO_PAGES(n), + UINT32_MAX /* Below 4G boundary. */); ++#else ++ _cleanup_pages_ Pages pages = xmalloc_pages( ++ AllocateAnyPages, ++ EfiLoaderData, ++ EFI_SIZE_TO_PAGES(n), ++ 0 /* Ignored. */); ++#endif ++ + uint8_t *p = PHYSICAL_ADDRESS_TO_POINTER(pages.addr); + if (initrd_base != 0) { + size_t pad; +-- +2.33.0 + diff --git a/backport-boot-compare-filename-suffixes-without-case.patch b/backport-boot-compare-filename-suffixes-without-case.patch new file mode 100644 index 0000000..0cbe602 --- /dev/null 
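Review bot: The `#if`/`#else` arms each repeat the whole `_cleanup_pages_ Pages pages = xmalloc_pages(...)` declaration although only the allocation type and the address bound differ, so the cleanup attribute, memory type and size computation are written twice and can drift apart. Selecting the two varying arguments under the preprocessor and keeping a single allocation site avoids that; the comment can then also record why non-x86 must not be pinned below 4GiB. combine_initrd() starts and ends outside the hunk.

```c
        /* The Linux x86 boot protocol requires the initrd below 4GiB; other
         * architectures have no such rule and may have no memory there at all. */
#if defined(__i386__) || defined(__x86_64__)
        EFI_ALLOCATE_TYPE alloc_type = AllocateMaxAddress;
        EFI_PHYSICAL_ADDRESS max_addr = UINT32_MAX; /* Below 4G boundary. */
#else
        EFI_ALLOCATE_TYPE alloc_type = AllocateAnyPages;
        EFI_PHYSICAL_ADDRESS max_addr = 0; /* Ignored. */
#endif
        _cleanup_pages_ Pages pages = xmalloc_pages(
                        alloc_type,
                        EfiLoaderData,
                        EFI_SIZE_TO_PAGES(n),
                        max_addr);
        /* … unchanged: copy of base and extra initrds into pages … */
```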
+++ b/backport-boot-compare-filename-suffixes-without-case.patch @@ -0,0 +1,29 @@ +From 04cd06e2f679376e932a1b1424bdffb326f607d6 Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Thu, 4 Jul 2024 17:07:59 +0200 +Subject: [PATCH 0778/1160] boot: compare filename suffixes without case + +This is VFAT world after all. + +(cherry picked from commit 764faf60400bafb1764b728aafe0dcf4cbf07364) +(cherry picked from commit 18143edf3e582d6b8c2933f5c181c9b29146023a) +--- + src/boot/efi/boot.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/boot/efi/boot.c b/src/boot/efi/boot.c +index 6a1b3845f3..c047fcdfd4 100644 +--- a/src/boot/efi/boot.c ++++ b/src/boot/efi/boot.c +@@ -1332,7 +1332,7 @@ static void boot_entry_parse_tries( + return; + + /* Boot counter in the middle of the name? */ +- if (!streq16(counter, suffix)) ++ if (!strcaseeq16(counter, suffix)) + return; + + entry->tries_left = tries_left; +-- +2.33.0 + diff --git a/backport-boot-cover-for-hardware-keys-on-phones-tablets.patch b/backport-boot-cover-for-hardware-keys-on-phones-tablets.patch new file mode 100644 index 0000000..599eca7 --- /dev/null +++ b/backport-boot-cover-for-hardware-keys-on-phones-tablets.patch 
@@ -0,0 +1,58 @@ +From 80c7571d9a30ac45d3cebab5b4b7ac74279757a2 Mon Sep 17 00:00:00 2001 +From: Brenton Simpson +Date: Wed, 3 Jul 2024 15:40:26 +0200 +Subject: [PATCH 0745/1160] boot: cover for hardware keys on phones/tablets + +The patch is originally from Brenton Simpson, I (Lennart) just added some +comments and rebased it. + +I didn't test this, but the patch looks so obviously right to me, that +I think we should just merge it, instead of delaying this further. In +the worst case noone notices, in the best case this makes sd-boot work +reasonably nicely on devices that only have a hadware power key + volume +rocker. + +Fixes: #30598 +Replaces: #31135 +(cherry picked from commit 2fda6f5fffcc05adaa5a08d976e09ad7cc97c1b3) +(cherry picked from commit 71de25f2df501cd0ab8e639100ce23534d23a208) +--- + src/boot/efi/boot.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/src/boot/efi/boot.c b/src/boot/efi/boot.c +index e0ffc3b62d..6a1b3845f3 100644 +--- a/src/boot/efi/boot.c ++++ b/src/boot/efi/boot.c +@@ -874,6 +874,7 @@ static bool menu_run( + + switch (key) { + case KEYPRESS(0, SCAN_UP, 0): ++ case KEYPRESS(0, SCAN_VOLUME_UP, 0): /* Handle phones/tablets that only have a volume up/down rocker + power key (and otherwise just touchscreen input) */ + case KEYPRESS(0, 0, 'k'): + case KEYPRESS(0, 0, 'K'): + if (idx_highlight > 0) +@@ -881,6 +882,7 @@ static bool menu_run( + break; + + case KEYPRESS(0, SCAN_DOWN, 0): ++ case KEYPRESS(0, SCAN_VOLUME_DOWN, 0): + case KEYPRESS(0, 0, 'j'): + case KEYPRESS(0, 0, 'J'): + if (idx_highlight < config->n_entries-1) +@@ -918,9 +920,10 @@ static bool menu_run( + + case KEYPRESS(0, 0, '\n'): + case KEYPRESS(0, 0, '\r'): +- case KEYPRESS(0, SCAN_F3, 0): /* EZpad Mini 4s firmware sends malformed events */ +- case KEYPRESS(0, SCAN_F3, '\r'): /* Teclast X98+ II firmware sends malformed events */ ++ case KEYPRESS(0, SCAN_F3, 0): /* EZpad Mini 4s firmware sends malformed events */ ++ case KEYPRESS(0, SCAN_F3, 
'\r'): /* Teclast X98+ II firmware sends malformed events */ + case KEYPRESS(0, SCAN_RIGHT, 0): ++ case KEYPRESS(0, SCAN_SUSPEND, 0): /* Handle phones/tablets with only a power key + volume up/down rocker (and otherwise just touchscreen input) */ + action = ACTION_RUN; + break; + +-- +2.33.0 + diff --git a/backport-boot-don-t-print-error-if-device-tree-fixup-protocol.patch b/backport-boot-don-t-print-error-if-device-tree-fixup-protocol.patch new file mode 100644 index 0000000..481c01e --- /dev/null +++ b/backport-boot-don-t-print-error-if-device-tree-fixup-protocol.patch @@ -0,0 +1,33 @@ +From c8243b15d7f081da0dab38e45f2481193f692231 Mon Sep 17 00:00:00 2001 +From: Clayton Craft +Date: Thu, 18 Jan 2024 16:20:55 -0800 +Subject: [PATCH 0264/1160] boot: don't print error if device tree fixup + protocol isn't supported + +This isn't a failure we care about, and it's somewhat alarming to see a +red error message flash up on the display when booting, so this just +simply returns EFI_SUCCESS and skips printing the "error" altogether. + +(cherry picked from commit fb7a902aed5a795fc5e2f613ffbfa07737b25629) +--- + src/boot/efi/devicetree.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/src/boot/efi/devicetree.c b/src/boot/efi/devicetree.c +index b139780510..61a43cd77d 100644 +--- a/src/boot/efi/devicetree.c ++++ b/src/boot/efi/devicetree.c +@@ -33,8 +33,9 @@ static EFI_STATUS devicetree_fixup(struct devicetree_state *state, size_t len) { + assert(state); + + err = BS->LocateProtocol(MAKE_GUID_PTR(EFI_DT_FIXUP_PROTOCOL), NULL, (void **) &fixup); ++ /* Skip fixup if we cannot locate device tree fixup protocol */ + if (err != EFI_SUCCESS) +- return log_error_status(EFI_SUCCESS, "Could not locate device tree fixup protocol, skipping."); ++ return EFI_SUCCESS; + + size = devicetree_allocated(state); + err = fixup->Fixup(fixup, PHYSICAL_ADDRESS_TO_POINTER(state->addr), &size, +-- +2.33.0 + 
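Review bot: `case KEYPRESS(0, SCAN_SUSPEND, 0):` makes the suspend/power scan code launch the highlighted entry, which is the intended behaviour on phones but also applies to laptops and desktops whose firmware reports a dedicated sleep key through the same scan code, and the commit message states the change was not tested; that side effect deserves a sentence in the inline comment. The `SCAN_VOLUME_DOWN` case carries no comment while its `SCAN_VOLUME_UP` twin does; a short `/* See SCAN_VOLUME_UP above. */` keeps the pair readable. menu_run() starts and ends outside the hunk.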
diff --git a/backport-boot-fix-assignment-of-ret_-variables-in-initrd_prep.patch b/backport-boot-fix-assignment-of-ret_-variables-in-initrd_prep.patch new file mode 100644 index 0000000..48984c0 --- /dev/null +++ b/backport-boot-fix-assignment-of-ret_-variables-in-initrd_prep.patch @@ -0,0 +1,31 @@ +From 394fce25a978a265a6a0cc4dddc1a38bd42d82ff Mon Sep 17 00:00:00 2001 +From: Antonio Alvarez Feijoo +Date: Thu, 18 Apr 2024 11:58:07 +0200 +Subject: [PATCH 0504/1160] boot: fix assignment of ret_* variables in + `initrd_prepare()` + +(cherry picked from commit e2fe5c4b981177bf77f3b40d1e3d19d9ad8bb71d) +--- + src/boot/efi/boot.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/src/boot/efi/boot.c b/src/boot/efi/boot.c +index 5c0f0ab10a..a3d5607c1a 100644 +--- a/src/boot/efi/boot.c ++++ b/src/boot/efi/boot.c +@@ -2250,9 +2250,9 @@ static EFI_STATUS initrd_prepare( + assert(ret_initrd_size); + + if (entry->type != LOADER_LINUX || !entry->initrd) { +- ret_options = NULL; +- ret_initrd = NULL; +- ret_initrd_size = 0; ++ *ret_options = NULL; ++ *ret_initrd = NULL; ++ *ret_initrd_size = 0; + return EFI_SUCCESS; + } + +-- +2.33.0 + diff --git a/backport-bootctl-don-t-load-etc-machine-info-from-cwd.patch b/backport-bootctl-don-t-load-etc-machine-info-from-cwd.patch new file mode 100644 index 0000000..527aecd --- /dev/null +++ b/backport-bootctl-don-t-load-etc-machine-info-from-cwd.patch 
@@ -0,0 +1,31 @@ +From a573fd18483ea3e14cef1a7c7d1c6b825dce0df5 Mon Sep 17 00:00:00 2001 +From: Alyssa Ross +Date: Wed, 21 Aug 2024 14:21:47 +0200 +Subject: [PATCH 0861/1160] bootctl: don't load etc/machine-info from cwd + +arg_root defaults to null, so if --root isn't given, this would try reading +etc/machine-info from the current working directory, which is likely to fail. + +Fixes: 77db9ef2ab ("boot: Make sure we take --root into account everywhere.") +(cherry picked from commit 0452779b0054f5c2724b745b1db33bba1ac8e677) +(cherry picked from commit 8d7eef9ee5ead7c7b47b2ad4418529ac5cf17bb3) +--- + src/boot/bootctl-install.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/boot/bootctl-install.c b/src/boot/bootctl-install.c +index bacbbb2939..9a068a2c97 100644 +--- a/src/boot/bootctl-install.c ++++ b/src/boot/bootctl-install.c +@@ -44,7 +44,7 @@ static int load_etc_machine_info(void) { + _cleanup_free_ char *p = NULL, *s = NULL, *layout = NULL; + int r; + +- p = path_join(arg_root, "etc/machine-info"); ++ p = path_join(arg_root, "/etc/machine-info"); + if (!p) + return log_oom(); + +-- +2.33.0 + diff --git a/backport-bootctl-fix-case-sensitive-comparisons-in-reporting-.patch b/backport-bootctl-fix-case-sensitive-comparisons-in-reporting-.patch new file mode 100644 index 0000000..6a63eb1 --- /dev/null +++ b/backport-bootctl-fix-case-sensitive-comparisons-in-reporting-.patch 
@@ -0,0 +1,100 @@ +From 8655945ae229d0b59bf56aa9fde6a7c4951ad881 Mon Sep 17 00:00:00 2001 +From: ksaleem +Date: Wed, 6 Dec 2023 11:44:24 -0500 +Subject: [PATCH 0037/1160] bootctl: fix case-sensitive comparisons in + reporting bootloader entries + +Fixes #30159 + +(cherry picked from commit 9fb2a618308e8811978c0f740a8c8718a8b8b5f8) +--- + src/shared/bootspec.c | 4 +-- + src/test/test-bootspec.c | 59 ++++++++++++++++++++++++++++++++++++++++ + 2 files changed, 61 insertions(+), 2 deletions(-) + +diff --git a/src/shared/bootspec.c b/src/shared/bootspec.c +index a38911603d..f4b2fdc5d1 100644 +--- a/src/shared/bootspec.c ++++ b/src/shared/bootspec.c +@@ -1205,8 +1205,8 @@ BootEntry* boot_config_find_entry(BootConfig *config, const char *id) { + assert(id); + + for (size_t j = 0; j < config->n_entries; j++) +- if (streq_ptr(config->entries[j].id, id) || +- streq_ptr(config->entries[j].id_old, id)) ++ if (strcaseeq_ptr(config->entries[j].id, id) || ++ strcaseeq_ptr(config->entries[j].id_old, id)) + return config->entries + j; + + return NULL; +diff --git a/src/test/test-bootspec.c b/src/test/test-bootspec.c +index 67fa8beea9..18611fc051 100644 +--- a/src/test/test-bootspec.c ++++ b/src/test/test-bootspec.c +@@ -149,4 +149,63 @@ TEST_RET(bootspec_extract_tries) { + return 0; + } + ++TEST_RET(bootspec_boot_config_find_entry) { ++ ++ static const struct { ++ const char *fname; ++ const char *contents; ++ } entries[] = { ++ { ++ .fname = "a-10.conf", ++ .contents = ++ "title A\n" ++ "version 10\n" ++ "machine-id dd235d00696545768f6f693bfd23b15f\n", ++ }, ++ { ++ .fname = "a-05.conf", ++ .contents = ++ "title A\n" ++ "version 10\n" ++ "machine-id dd235d00696545768f6f693bfd23b15f\n", ++ }, ++ }; ++ ++ _cleanup_(rm_rf_physical_and_freep) char *d = NULL; ++ _cleanup_(boot_config_free) BootConfig config = BOOT_CONFIG_NULL; ++ ++ assert_se(mkdtemp_malloc("/tmp/bootspec-testXXXXXX", &d) >= 0); ++ ++ for (size_t i = 0; i < ELEMENTSOF(entries); i++) { ++ _cleanup_free_ char *j = NULL; 
++ ++ j = path_join(d, "/loader/entries/", entries[i].fname); ++ assert_se(j); ++ ++ assert_se(write_string_file(j, entries[i].contents, WRITE_STRING_FILE_CREATE|WRITE_STRING_FILE_MKDIR_0755) >= 0); ++ } ++ ++ assert_se(boot_config_load(&config, d, NULL) >= 0); ++ assert_se(config.n_entries == 2); ++ ++ // Test finding the first entry ++ BootEntry *entry = boot_config_find_entry(&config, "a-10.conf"); ++ assert_se(entry && streq(entry->id, "a-10.conf")); ++ ++ // Test finding the second entry ++ entry = boot_config_find_entry(&config, "a-05.conf"); ++ assert_se(entry && streq(entry->id, "a-05.conf")); ++ ++ // Test finding a non-existent entry ++ entry = boot_config_find_entry(&config, "nonexistent.conf"); ++ assert_se(entry == NULL); ++ ++ // Test case-insensitivity ++ entry = boot_config_find_entry(&config, "A-10.CONF"); ++ assert_se(entry && streq(entry->id, "a-10.conf")); ++ ++ ++ return 0; ++} ++ + DEFINE_TEST_MAIN(LOG_INFO); +-- +2.33.0 + diff --git a/backport-bootctl-return-earlier-with-print-esp-path.patch b/backport-bootctl-return-earlier-with-print-esp-path.patch new file mode 100644 index 0000000..1c89cc1 --- /dev/null +++ b/backport-bootctl-return-earlier-with-print-esp-path.patch 
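Review bot: `strcaseeq_ptr()` makes boot_config_find_entry() case-insensitive for every loader entries directory, not only the VFAT ESP; on an XBOOTLDR partition with a case-sensitive file system two entry files that differ only in case are both valid, and the loop now returns whichever comes first in config->entries without any warning. A comment at the comparison stating the rationale (ids derive from file names on a case-insensitive ESP) and a test with two entries differing only in case would pin the chosen behaviour. The new test also uses `//` line comments, which is unusual in this code base compared with `/* */`.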
@@ -0,0 +1,40 @@ +From 3af3ea1be418f5f20a7eb002f4ae049fb68a375b Mon Sep 17 00:00:00 2001 +From: Antonio Alvarez Feijoo +Date: Tue, 23 Jan 2024 10:24:44 +0100 +Subject: [PATCH 0272/1160] bootctl: return earlier with `--print-esp-path` + +`--print-esp-path` and `--print-boot-path` cannot be combined, so it's not +necessary to acquire the XBOOTLDR partition with `--print-esp-path`. + +(cherry picked from commit 285ae04040ed911f56d2277b0027c7f56310a061) +--- + src/boot/bootctl-status.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/src/boot/bootctl-status.c b/src/boot/bootctl-status.c +index 16b2eaed07..d171512dda 100644 +--- a/src/boot/bootctl-status.c ++++ b/src/boot/bootctl-status.c +@@ -330,6 +330,7 @@ int verb_status(int argc, char *argv[], void *userdata) { + return r; + + puts(arg_esp_path); ++ return 0; + } + + r = acquire_xbootldr(/* unprivileged_mode= */ -1, &xbootldr_uuid, &xbootldr_devid); +@@ -344,10 +345,8 @@ int verb_status(int argc, char *argv[], void *userdata) { + return log_error_errno(SYNTHETIC_ERRNO(EACCES), "Failed to determine XBOOTLDR location: %m"); + + puts(path); +- } +- +- if (arg_print_esp_path || arg_print_dollar_boot_path) + return 0; ++ } + + r = 0; /* If we couldn't determine the path, then don't consider that a problem from here on, just + * show what we can show */ +-- +2.33.0 + diff --git a/backport-bootspec-implement-sorting-by-tries-left-done-to-mat.patch b/backport-bootspec-implement-sorting-by-tries-left-done-to-mat.patch new file mode 100644 index 0000000..1daf745 --- /dev/null +++ b/backport-bootspec-implement-sorting-by-tries-left-done-to-mat.patch 
@@ -0,0 +1,52 @@ +From 0672a43dd27dd4cd4f9b6188be2c51a572628b84 Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Fri, 5 Jul 2024 09:52:58 +0200 +Subject: [PATCH 0779/1160] bootspec: implement sorting by tries left/done, to + match what sd-boot does + +(cherry picked from commit 35451a32043504013eed5725c8be46b36ccdf71a) +(cherry picked from commit 3736e21341500d98d878b84a34cc5b9d7cd9125f) +--- + src/shared/bootspec.c | 19 ++++++++++++++++++- + 1 file changed, 18 insertions(+), 1 deletion(-) + +diff --git a/src/shared/bootspec.c b/src/shared/bootspec.c +index f4b2fdc5d1..9d6e8a3810 100644 +--- a/src/shared/bootspec.c ++++ b/src/shared/bootspec.c +@@ -528,6 +528,12 @@ static int boot_entry_compare(const BootEntry *a, const BootEntry *b) { + assert(a); + assert(b); + ++ /* This mimics a function of the same name in src/boot/efi/sd-boot.c */ ++ ++ r = CMP(a->tries_left == 0, b->tries_left == 0); ++ if (r != 0) ++ return r; ++ + r = CMP(!a->sort_key, !b->sort_key); + if (r != 0) + return r; +@@ -546,7 +552,18 @@ static int boot_entry_compare(const BootEntry *a, const BootEntry *b) { + return r; + } + +- return -strverscmp_improved(a->id, b->id); ++ r = -strverscmp_improved(a->id, b->id); ++ if (r != 0) ++ return r; ++ ++ if (a->tries_left != UINT_MAX || b->tries_left != UINT_MAX) ++ return 0; ++ ++ r = -CMP(a->tries_left, b->tries_left); ++ if (r != 0) ++ return r; ++ ++ return CMP(a->tries_done, b->tries_done); + } + + static int config_check_inode_relevant_and_unseen(BootConfig *config, int fd, const char *fname) { +-- +2.33.0 + diff --git a/backport-bpf-actually-check-for-errors-when-loading-symbols.patch b/backport-bpf-actually-check-for-errors-when-loading-symbols.patch new file mode 100644 index 0000000..badd01f --- /dev/null +++ b/backport-bpf-actually-check-for-errors-when-loading-symbols.patch 
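Review bot: The final guard added to boot_entry_compare looks inverted: `if (a->tries_left != UINT_MAX || b->tries_left != UINT_MAX) return 0;` reports "equal" as soon as either entry carries a tries counter, so the `-CMP(a->tries_left, b->tries_left)` and `CMP(a->tries_done, b->tries_done)` that follow only ever run when both sides are UINT_MAX and are effectively dead. If the intent is what the new comment states, to order counted entries by tries left/done the way sd-boot does, the guard should bail out only when a counter is missing on either side: `if (a->tries_left == UINT_MAX || b->tries_left == UINT_MAX) return 0;`. As written, two counted entries with identical sort key, version and id stay unordered, which is the case the commit title sets out to handle. The start of boot_entry_compare, where `r` is declared, is outside the hunk.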
@@ -0,0 +1,45 @@ +From 9fa444041a5a61588a88af75343bf2198e18d147 Mon Sep 17 00:00:00 2001 +From: Luca Boccassi +Date: Wed, 3 Apr 2024 12:10:10 +0100 +Subject: [PATCH 0484/1160] bpf: actually check for errors when loading symbols + +Also restructure ifdef to avoid confusing vscode + +Follow-up for 87e462f71361a47b154865dc14032a27580dd4cb + +(cherry picked from commit e5d4adb173ccff55bad21238ef82914e0c9d6a1d) +--- + src/shared/bpf-dlopen.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/src/shared/bpf-dlopen.c b/src/shared/bpf-dlopen.c +index 15301aee60..2e49b2ea5d 100644 +--- a/src/shared/bpf-dlopen.c ++++ b/src/shared/bpf-dlopen.c +@@ -80,11 +80,12 @@ int dlopen_bpf(void) { + #if MODERN_LIBBPF + /* Don't exist anymore in new libbpf, hence cannot type check them */ + DLSYM_ARG_FORCE(bpf_create_map), +- DLSYM_ARG_FORCE(bpf_probe_prog_type)); ++ DLSYM_ARG_FORCE(bpf_probe_prog_type) + #else + DLSYM_ARG(bpf_create_map), +- DLSYM_ARG(bpf_probe_prog_type)); ++ DLSYM_ARG(bpf_probe_prog_type) + #endif ++ ); + } else { + /* symbols available from 0.7.0 */ + r = dlsym_many_or_warn( +@@ -99,6 +100,8 @@ int dlopen_bpf(void) { + #endif + ); + } ++ if (r < 0) ++ return r; + + r = dlsym_many_or_warn( + dl, LOG_DEBUG, +-- +2.33.0 + diff --git a/backport-bpf-socket-bind-fix-unexpected-behavior-with-either-.patch b/backport-bpf-socket-bind-fix-unexpected-behavior-with-either-.patch new file mode 100644 index 0000000..ddef7fd --- /dev/null +++ b/backport-bpf-socket-bind-fix-unexpected-behavior-with-either-.patch 
@@ -0,0 +1,118 @@ +From 30897ddf5018da21266e4b8a28a4a925c4681de4 Mon Sep 17 00:00:00 2001 +From: networkException +Date: Sun, 10 Mar 2024 18:55:06 +0100 +Subject: [PATCH 0474/1160] bpf-socket-bind: fix unexpected behavior with + either 0 allow or deny rules + +This patch fixes an issue where, when not specifiying either at least one +`SocketBindAllow` or `SocketBindDeny` rule, behavior for the bind syscall +filtering would be unexpected. + +For example, when trying to bind to a port with only "SocketBindDeny=any" +given, the syscall would succeed: + +> systemd-run -t -p "SocketBindDeny=any" nc -l 8080 + +Expected with this set of rules (also in accordance with the documentation) +would be an Operation not permitted error. + +This behavior occurs because a default initialized socket_bind_rule struct +matches what "any" represents. When creating the bpf list all elements get +default initialized, as such represeting "any". Seemingly it is necressarry +to set the size of the map to at least one, as such if no allow rule is +given default initialization and minimal map size cause one any allow rule +to be in the map, causing the behavior observed above. + +This patch solves this by introducing a new "match nothing" magic stored in +the rule's address family and setting such a rule as the first one if no +rule is given, making sure that default initialized rule structs are never +used. 
+ +Resolves #30556 + +(cherry picked from commit f2cb9d17da9c47d11ebeac00c75dd3d788ec1fc3) +--- + src/core/bpf-socket-bind.c | 9 +++++++++ + src/core/bpf/socket_bind/socket-bind-api.bpf.h | 7 ++++++- + src/core/bpf/socket_bind/socket-bind.bpf.c | 3 +++ + test/units/testsuite-07.exec-context.sh | 2 ++ + 4 files changed, 20 insertions(+), 1 deletion(-) + +diff --git a/src/core/bpf-socket-bind.c b/src/core/bpf-socket-bind.c +index 9f290ab412..88ab487a77 100644 +--- a/src/core/bpf-socket-bind.c ++++ b/src/core/bpf-socket-bind.c +@@ -32,6 +32,15 @@ static int update_rules_map( + + assert(map_fd >= 0); + ++ if (!head) { ++ static const struct socket_bind_rule val = { ++ .address_family = SOCKET_BIND_RULE_AF_MATCH_NOTHING, ++ }; ++ ++ if (sym_bpf_map_update_elem(map_fd, &i, &val, BPF_ANY) != 0) ++ return -errno; ++ } ++ + LIST_FOREACH(socket_bind_items, item, head) { + struct socket_bind_rule val = { + .address_family = (uint32_t) item->address_family, +diff --git a/src/core/bpf/socket_bind/socket-bind-api.bpf.h b/src/core/bpf/socket_bind/socket-bind-api.bpf.h +index 277b9bbde2..4fe08f1f44 100644 +--- a/src/core/bpf/socket_bind/socket-bind-api.bpf.h ++++ b/src/core/bpf/socket_bind/socket-bind-api.bpf.h +@@ -7,13 +7,17 @@ + */ + + #include ++#include + + /* + * Bind rule is matched with socket fields accessible to cgroup/bind{4,6} hook + * through bpf_sock_addr struct. +- * 'address_family' is expected to be one of AF_UNSPEC, AF_INET or AF_INET6. ++ * 'address_family' is expected to be one of AF_UNSPEC, AF_INET, AF_INET6 or the ++ * magic SOCKET_BIND_RULE_AF_MATCH_NOTHING. + * Matching by family is bypassed for rules with AF_UNSPEC set, which makes the + * rest of a rule applicable for both IPv4 and IPv6 addresses. ++ * If SOCKET_BIND_RULE_AF_MATCH_NOTHING is set the rule fails unconditionally ++ * and other checks are skipped. + * If matching by family is either successful or bypassed, a rule and a socket + * are matched by ip protocol. 
+ * If 'protocol' is 0, matching is bypassed. +@@ -49,3 +53,4 @@ struct socket_bind_rule { + }; + + #define SOCKET_BIND_MAX_RULES 128 ++#define SOCKET_BIND_RULE_AF_MATCH_NOTHING UINT32_MAX +diff --git a/src/core/bpf/socket_bind/socket-bind.bpf.c b/src/core/bpf/socket_bind/socket-bind.bpf.c +index b7972a887a..da9f9d13de 100644 +--- a/src/core/bpf/socket_bind/socket-bind.bpf.c ++++ b/src/core/bpf/socket_bind/socket-bind.bpf.c +@@ -55,6 +55,9 @@ static __always_inline bool match( + __u32 protocol, + __u16 port, + const struct socket_bind_rule *r) { ++ if (r->address_family == SOCKET_BIND_RULE_AF_MATCH_NOTHING) ++ return false; ++ + return match_af(address_family, r) && + match_protocol(protocol, r) && + match_user_port(port, r); +diff --git a/test/units/testsuite-07.exec-context.sh b/test/units/testsuite-07.exec-context.sh +index 66e8fce446..b44658f4e4 100755 +--- a/test/units/testsuite-07.exec-context.sh ++++ b/test/units/testsuite-07.exec-context.sh +@@ -186,6 +186,8 @@ if ! systemd-detect-virt -cq; then + bash -xec 'timeout 1s nc -6 -u -l ::1 9999; exit 42' + systemd-run --wait -p SuccessExitStatus="1 2" --pipe "${ARGUMENTS[@]}" \ + bash -xec 'timeout 1s nc -4 -l 127.0.0.1 6666; exit 42' ++ systemd-run --wait -p SuccessExitStatus="1 2" --pipe -p SocketBindDeny=any \ ++ bash -xec 'timeout 1s nc -l 127.0.0.1 9999; exit 42' + # Consequently, we should succeed when binding to a socket on the allow list + # and keep listening on it until we're killed by `timeout` (EC 124) + systemd-run --wait --pipe -p SuccessExitStatus=124 "${ARGUMENTS[@]}" \ +-- +2.33.0 + diff --git a/backport-bsod-do-not-check-for-color-support.patch b/backport-bsod-do-not-check-for-color-support.patch new file mode 100644 index 0000000..5276421 --- /dev/null +++ b/backport-bsod-do-not-check-for-color-support.patch 
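Review bot: The sentinel insertion in update_rules_map (`if (!head) { static const struct socket_bind_rule val = { .address_family = SOCKET_BIND_RULE_AF_MATCH_NOTHING, }; ... }`) carries the whole fix but has no comment saying why an empty rule list needs an element at all; that reasoning currently lives only in the commit message. Suggest above the `if (!head)`: `/* The map must hold at least one element and a zero-initialized rule matches everything ("any"), so an empty rule list would silently match every bind(); store a never-matching sentinel instead. */`. The key `i` passed to sym_bpf_map_update_elem is declared outside the hunk, presumably the index used by the LIST_FOREACH below; that is fine here only because the loop body never runs when head is NULL, which is worth stating next to it. The new test covers the deny-only configuration; if update_rules_map is shared by the allow and deny maps, the symmetric allow-only case goes through the same sentinel path for the deny map and is not exercised by the added assertions.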
@@ -0,0 +1,116 @@ +From 5071f6492f59dfb3995a8cf0b82f1247eced6772 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Mon, 28 Oct 2024 13:38:58 +0100 +Subject: [PATCH 0976/1160] bsod: do not check for color support + +When invoked on a running system, bsod would not print the qrcode. +The check for "color support" on stdout is pointless, since we're not +printing to stdout but to a terminal fd that is opened separately. + +(cherry picked from commit 5a64c86936477ecea5cc1fb8dbc79faf522cf370) +(cherry picked from commit f23efaf96d3ac667c78cb07a895be8f72b46e808) +--- + src/journal/bsod.c | 4 +++- + src/shared/qrcode-util.c | 13 +++++++++++-- + src/shared/qrcode-util.h | 31 +++++++++++++++++++++++-------- + 3 files changed, 37 insertions(+), 11 deletions(-) + +diff --git a/src/journal/bsod.c b/src/journal/bsod.c +index a88cb66b81..5d4e0f38e5 100644 +--- a/src/journal/bsod.c ++++ b/src/journal/bsod.c +@@ -200,7 +200,9 @@ static int display_emergency_message_fullscreen(const char *message) { + goto cleanup; + } + +- r = print_qrcode_full(stream, "Scan the QR code", message, qr_code_start_row, qr_code_start_column, w.ws_col, w.ws_row); ++ r = print_qrcode_full(stream, "Scan the QR code", ++ message, qr_code_start_row, qr_code_start_column, w.ws_col, w.ws_row, ++ /* check_tty= */ false); + if (r < 0) + log_warning_errno(r, "QR code could not be printed, ignoring: %m"); + +diff --git a/src/shared/qrcode-util.c b/src/shared/qrcode-util.c +index 55438ba716..e70f4e5ddb 100644 +--- a/src/shared/qrcode-util.c ++++ b/src/shared/qrcode-util.c +@@ -167,7 +167,16 @@ static void write_qrcode(FILE *output, QRcode *qr, unsigned int row, unsigned in + fflush(output); + } + +-int print_qrcode_full(FILE *out, const char *header, const char *string, unsigned row, unsigned column, unsigned tty_width, unsigned tty_height) { ++int print_qrcode_full( ++ FILE *out, ++ const char *header, ++ const char *string, ++ unsigned row, ++ unsigned column, ++ unsigned 
tty_width, ++ unsigned tty_height, ++ bool check_tty) { ++ + QRcode* qr; + int r; + +@@ -175,7 +184,7 @@ int print_qrcode_full(FILE *out, const char *header, const char *string, unsigne + * codes */ + if (!is_locale_utf8()) + return log_debug_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "Not an UTF-8 system, cannot print qrcode"); +- if (!colors_enabled()) ++ if (check_tty && !colors_enabled()) + return log_debug_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "Colors are disabled, cannot print qrcode"); + + r = dlopen_qrencode(); +diff --git a/src/shared/qrcode-util.h b/src/shared/qrcode-util.h +index ee58294436..89a15bb3f5 100644 +--- a/src/shared/qrcode-util.h ++++ b/src/shared/qrcode-util.h +@@ -1,6 +1,7 @@ + /* SPDX-License-Identifier: LGPL-2.1-or-later */ +- + #pragma once ++ ++#include + #include + #include + #include +@@ -8,15 +9,29 @@ + #if HAVE_QRENCODE + int dlopen_qrencode(void); + +-int print_qrcode_full(FILE *out, const char *header, const char *string, unsigned row, unsigned column, unsigned tty_width, unsigned tty_height); +-static inline int print_qrcode(FILE *out, const char *header, const char *string) { +- return print_qrcode_full(out, header, string, UINT_MAX, UINT_MAX, UINT_MAX, UINT_MAX); +-} ++int print_qrcode_full( ++ FILE *out, ++ const char *header, ++ const char *string, ++ unsigned row, ++ unsigned column, ++ unsigned tty_width, ++ unsigned tty_height, ++ bool check_tty); + #else +-static inline int print_qrcode_full(FILE *out, const char *header, const char *string, unsigned row, unsigned column, unsigned tty_width, unsigned tty_height) { ++static inline int print_qrcode_full( ++ FILE *out, ++ const char *header, ++ const char *string, ++ unsigned row, ++ unsigned column, ++ unsigned tty_width, ++ unsigned tty_height, ++ bool check_tty) { + return -EOPNOTSUPP; + } ++#endif ++ + static inline int print_qrcode(FILE *out, const char *header, const char *string) { +- return -EOPNOTSUPP; ++ return print_qrcode_full(out, header, string, UINT_MAX, UINT_MAX, 
UINT_MAX, UINT_MAX, true); + } +-#endif +-- +2.33.0 + diff --git a/backport-bsod-make-message-for-qrcode-more-useful.patch b/backport-bsod-make-message-for-qrcode-more-useful.patch new file mode 100644 index 0000000..30e3464 --- /dev/null +++ b/backport-bsod-make-message-for-qrcode-more-useful.patch 
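Review bot: The new `check_tty` parameter of print_qrcode_full is undocumented in qrcode-util.h, and its meaning is not derivable from the name: the only thing it gates (qrcode-util.c hunk) is the `colors_enabled()` test, which per the commit message inspects stdout rather than the `out` stream. Suggest a comment on the declaration: `/* check_tty: if true, refuse to print unless colors_enabled() reports a colour-capable stdout; pass false when 'out' is a separately opened terminal, as bsod does, since stdout says nothing about it. */`. The non-HAVE_QRENCODE stub keeps the same signature and the shared `print_qrcode` inline now passes `true`, which preserves the previous behaviour for all other callers. In this rendering the `#include` lines added to qrcode-util.h have lost whatever followed `#include` (likely angle-bracket header names stripped on extraction), so the patch as shown cannot be checked for clean application and should be compared against the file in the repository.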
@@ -0,0 +1,71 @@ +From d38e29784bf1108f1d69b5ce40881aff59b9e627 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Mon, 28 Oct 2024 13:51:25 +0100 +Subject: [PATCH 0981/1160] bsod: make message for qrcode more useful + +People know what a qrcode is. We don't need to tell them to scan it. +Instead, we should say what the code contains. + +While at it, rename "stream" to "f" in line with the usual style. + +(cherry picked from commit abf1cae0a75ca07f09afbb4eaa9f11fc429b1d02) +(cherry picked from commit 0ec7854d4488a839740789333a8150bed4d5046a) +--- + src/journal/bsod.c | 8 ++++---- + test/units/testsuite-04.bsod.sh | 2 +- + 2 files changed, 5 insertions(+), 5 deletions(-) + +diff --git a/src/journal/bsod.c b/src/journal/bsod.c +index 5d4e0f38e5..0449905091 100644 +--- a/src/journal/bsod.c ++++ b/src/journal/bsod.c +@@ -137,7 +137,7 @@ static int display_emergency_message_fullscreen(const char *message) { + unsigned qr_code_start_row = 1, qr_code_start_column = 1; + char tty[STRLEN("/dev/tty") + DECIMAL_STR_MAX(int) + 1]; + _cleanup_close_ int fd = -EBADF; +- _cleanup_fclose_ FILE *stream = NULL; ++ _cleanup_fclose_ FILE *f = NULL; + char read_character_buffer = '\0'; + struct winsize w = { + .ws_col = 80, +@@ -194,13 +194,13 @@ static int display_emergency_message_fullscreen(const char *message) { + goto cleanup; + } + +- r = fdopen_independent(fd, "r+", &stream); ++ r = fdopen_independent(fd, "r+", &f); + if (r < 0) { + ret = log_error_errno(errno, "Failed to open output file: %m"); + goto cleanup; + } + +- r = print_qrcode_full(stream, "Scan the QR code", ++ r = print_qrcode_full(f, "Scan the error message", + message, qr_code_start_row, qr_code_start_column, w.ws_col, w.ws_row, + /* check_tty= */ false); + if (r < 0) +@@ -216,7 +216,7 @@ static int display_emergency_message_fullscreen(const char *message) { + goto cleanup; + } + +- r = read_one_char(stream, &read_character_buffer, USEC_INFINITY, NULL); ++ r = read_one_char(f, 
&read_character_buffer, USEC_INFINITY, NULL); + if (r < 0 && r != -EINTR) + ret = log_error_errno(r, "Failed to read character: %m"); + +diff --git a/test/units/testsuite-04.bsod.sh b/test/units/testsuite-04.bsod.sh +index 30f0cb0bd4..56abf9861b 100755 +--- a/test/units/testsuite-04.bsod.sh ++++ b/test/units/testsuite-04.bsod.sh +@@ -70,7 +70,7 @@ journalctl --sync + SYSTEMD_COLORS=256 /usr/lib/systemd/systemd-bsod & + PID=$! + vcs_dump_and_check "Root emergency message" +-grep -aq "Scan the QR code" /tmp/console.dump ++grep -aq "Scan the error message" /tmp/console.dump + # TODO: check if systemd-bsod exits on a key press (didn't figure this one out yet) + kill $PID + timeout 10 bash -c "while kill -0 $PID; do sleep .5; done" +-- +2.33.0 + diff --git a/backport-btrfs-util-add-assert-to-fix-Coverity-warning.patch b/backport-btrfs-util-add-assert-to-fix-Coverity-warning.patch new file mode 100644 index 0000000..d576140 --- /dev/null +++ b/backport-btrfs-util-add-assert-to-fix-Coverity-warning.patch 
@@ -0,0 +1,33 @@ +From 7204e8415245b7bce9573ad99c1d417c18b0be32 Mon Sep 17 00:00:00 2001 +From: Luca Boccassi +Date: Tue, 21 May 2024 13:32:48 +0100 +Subject: [PATCH 0664/1160] btrfs-util: add assert to fix Coverity warning + +Coverity gets confused since the iterator change, so add an +assert to indicate that this is allocated if n_old_groups is > 0 + +CID#1545922 + +Follow-up for 125cca1b51e19d9209a229fca4fb9d94d34c3e78 + +(cherry picked from commit 5e30e6e28190fe30e76e071b2eb99546abcee7e6) +--- + src/shared/btrfs-util.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/src/shared/btrfs-util.c b/src/shared/btrfs-util.c +index 42d21ad118..03c1311ab1 100644 +--- a/src/shared/btrfs-util.c ++++ b/src/shared/btrfs-util.c +@@ -1187,6 +1187,8 @@ static int copy_quota_hierarchy(int fd, uint64_t old_subvol_id, uint64_t new_sub + if (n_old_qgroups <= 0) /* Nothing to copy */ + return n_old_qgroups; + ++ assert(old_qgroups); /* Coverity gets confused by the macro iterator allocating this, add a hint */ ++ + r = btrfs_subvol_get_parent(fd, old_subvol_id, &old_parent_id); + if (r == -ENXIO) + /* We have no parent, hence nothing to copy. */ +-- +2.33.0 + diff --git a/backport-btrfs-util-apparently-btrfs-ioctls-return-unaligned-.patch b/backport-btrfs-util-apparently-btrfs-ioctls-return-unaligned-.patch new file mode 100644 index 0000000..160f6fc --- /dev/null +++ b/backport-btrfs-util-apparently-btrfs-ioctls-return-unaligned-.patch 
@@ -0,0 +1,474 @@ +From 6cc8ff8f6113dbe1d655ed60b92516818b935a57 Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Mon, 12 Feb 2024 12:50:36 +0100 +Subject: [PATCH 0305/1160] btrfs-util: apparently btrfs ioctls return + unaligned data. deal with it. + +Kinda sad, that interfaces like this exist in 2024. But let's deal with +it: before we access "struct btrfs_ioctl_search_header" let's copy it +out, and access it only in the aligned copy. + +Fixes: #31282 +(cherry picked from commit 801bf40c3b3c498b09748fe133d6676dbaa0913b) +--- + src/shared/btrfs-util.c | 203 +++++++++++++++++++--------------------- + 1 file changed, 98 insertions(+), 105 deletions(-) + +diff --git a/src/shared/btrfs-util.c b/src/shared/btrfs-util.c +index b0ecf8f820..b3e4b505d8 100644 +--- a/src/shared/btrfs-util.c ++++ b/src/shared/btrfs-util.c +@@ -261,15 +261,25 @@ static int btrfs_ioctl_search_args_compare(const struct btrfs_ioctl_search_args + return CMP(args->key.min_offset, args->key.max_offset); + } + +-#define FOREACH_BTRFS_IOCTL_SEARCH_HEADER(i, sh, args) \ +- for ((i) = 0, \ +- (sh) = (const struct btrfs_ioctl_search_header*) (args).buf; \ +- (i) < (args).key.nr_items; \ +- (i)++, \ +- (sh) = (const struct btrfs_ioctl_search_header*) ((uint8_t*) (sh) + sizeof(struct btrfs_ioctl_search_header) + (sh)->len)) +- +-#define BTRFS_IOCTL_SEARCH_HEADER_BODY(sh) \ +- ((void*) ((uint8_t*) sh + sizeof(struct btrfs_ioctl_search_header))) ++typedef struct BtrfsForeachIterator { ++ const void *p; ++ size_t i; ++} BtrfsForeachIterator; ++ ++/* Iterates through a series of struct btrfs_file_extent_item elements. 
They are unfortunately not aligned, ++ * hence we copy out the header from them */ ++#define FOREACH_BTRFS_IOCTL_SEARCH_HEADER(sh, body, args) \ ++ for (BtrfsForeachIterator iterator = { \ ++ .p = ({ \ ++ memcpy(&(sh), (args).buf, sizeof(struct btrfs_ioctl_search_header)); \ ++ (body) = (const void*) ((const uint8_t*) (args).buf + sizeof(struct btrfs_ioctl_search_header)); \ ++ (args).buf; \ ++ }), \ ++ }; \ ++ iterator.i < (args).key.nr_items; \ ++ iterator.i++, \ ++ memcpy(&(sh), iterator.p = (const uint8_t*) iterator.p + sizeof(struct btrfs_ioctl_search_header) + (sh).len, sizeof(struct btrfs_ioctl_search_header)), \ ++ (body) = (const void*) ((const uint8_t*) iterator.p + sizeof(struct btrfs_ioctl_search_header))) + + int btrfs_subvol_get_info_fd(int fd, uint64_t subvol_id, BtrfsSubvolInfo *ret) { + struct btrfs_ioctl_search_args args = { +@@ -309,8 +319,8 @@ int btrfs_subvol_get_info_fd(int fd, uint64_t subvol_id, BtrfsSubvolInfo *ret) { + args.key.min_objectid = args.key.max_objectid = subvol_id; + + while (btrfs_ioctl_search_args_compare(&args) <= 0) { +- const struct btrfs_ioctl_search_header *sh; +- unsigned i; ++ struct btrfs_ioctl_search_header sh; ++ const void *body; + + args.key.nr_items = 256; + if (ioctl(fd, BTRFS_IOC_TREE_SEARCH, &args) < 0) +@@ -319,24 +329,20 @@ int btrfs_subvol_get_info_fd(int fd, uint64_t subvol_id, BtrfsSubvolInfo *ret) { + if (args.key.nr_items <= 0) + break; + +- FOREACH_BTRFS_IOCTL_SEARCH_HEADER(i, sh, args) { +- +- const struct btrfs_root_item *ri; +- ++ FOREACH_BTRFS_IOCTL_SEARCH_HEADER(sh, body, args) { + /* Make sure we start the next search at least from this entry */ +- btrfs_ioctl_search_args_set(&args, sh); ++ btrfs_ioctl_search_args_set(&args, &sh); + +- if (sh->objectid != subvol_id) ++ if (sh.objectid != subvol_id) + continue; +- if (sh->type != BTRFS_ROOT_ITEM_KEY) ++ if (sh.type != BTRFS_ROOT_ITEM_KEY) + continue; + + /* Older versions of the struct lacked the otime setting */ +- if (sh->len < offsetof(struct 
btrfs_root_item, otime) + sizeof(struct btrfs_timespec)) ++ if (sh.len < offsetof(struct btrfs_root_item, otime) + sizeof(struct btrfs_timespec)) + continue; + +- ri = BTRFS_IOCTL_SEARCH_HEADER_BODY(sh); +- ++ const struct btrfs_root_item *ri = body; + ret->otime = (usec_t) le64toh(ri->otime.sec) * USEC_PER_SEC + + (usec_t) le32toh(ri->otime.nsec) / NSEC_PER_USEC; + +@@ -400,8 +406,8 @@ int btrfs_qgroup_get_quota_fd(int fd, uint64_t qgroupid, BtrfsQuotaInfo *ret) { + args.key.min_offset = args.key.max_offset = qgroupid; + + while (btrfs_ioctl_search_args_compare(&args) <= 0) { +- const struct btrfs_ioctl_search_header *sh; +- unsigned i; ++ struct btrfs_ioctl_search_header sh; ++ const void *body; + + args.key.nr_items = 256; + if (ioctl(fd, BTRFS_IOC_TREE_SEARCH, &args) < 0) { +@@ -414,26 +420,26 @@ int btrfs_qgroup_get_quota_fd(int fd, uint64_t qgroupid, BtrfsQuotaInfo *ret) { + if (args.key.nr_items <= 0) + break; + +- FOREACH_BTRFS_IOCTL_SEARCH_HEADER(i, sh, args) { ++ FOREACH_BTRFS_IOCTL_SEARCH_HEADER(sh, body, args) { + + /* Make sure we start the next search at least from this entry */ +- btrfs_ioctl_search_args_set(&args, sh); ++ btrfs_ioctl_search_args_set(&args, &sh); + +- if (sh->objectid != 0) ++ if (sh.objectid != 0) + continue; +- if (sh->offset != qgroupid) ++ if (sh.offset != qgroupid) + continue; + +- if (sh->type == BTRFS_QGROUP_INFO_KEY) { +- const struct btrfs_qgroup_info_item *qii = BTRFS_IOCTL_SEARCH_HEADER_BODY(sh); ++ if (sh.type == BTRFS_QGROUP_INFO_KEY) { ++ const struct btrfs_qgroup_info_item *qii = body; + + ret->referenced = le64toh(qii->rfer); + ret->exclusive = le64toh(qii->excl); + + found_info = true; + +- } else if (sh->type == BTRFS_QGROUP_LIMIT_KEY) { +- const struct btrfs_qgroup_limit_item *qli = BTRFS_IOCTL_SEARCH_HEADER_BODY(sh); ++ } else if (sh.type == BTRFS_QGROUP_LIMIT_KEY) { ++ const struct btrfs_qgroup_limit_item *qli = body; + + if (le64toh(qli->flags) & BTRFS_QGROUP_LIMIT_MAX_RFER) + ret->referenced_max = 
le64toh(qli->max_rfer); +@@ -947,8 +953,8 @@ static int subvol_remove_children(int fd, const char *subvolume, uint64_t subvol + args.key.min_offset = args.key.max_offset = subvol_id; + + while (btrfs_ioctl_search_args_compare(&args) <= 0) { +- const struct btrfs_ioctl_search_header *sh; +- unsigned i; ++ struct btrfs_ioctl_search_header sh; ++ const void *body; + + args.key.nr_items = 256; + if (ioctl(fd, BTRFS_IOC_TREE_SEARCH, &args) < 0) +@@ -957,19 +963,17 @@ static int subvol_remove_children(int fd, const char *subvolume, uint64_t subvol + if (args.key.nr_items <= 0) + break; + +- FOREACH_BTRFS_IOCTL_SEARCH_HEADER(i, sh, args) { ++ FOREACH_BTRFS_IOCTL_SEARCH_HEADER(sh, body, args) { + _cleanup_free_ char *p = NULL; +- const struct btrfs_root_ref *ref; + +- btrfs_ioctl_search_args_set(&args, sh); ++ btrfs_ioctl_search_args_set(&args, &sh); + +- if (sh->type != BTRFS_ROOT_BACKREF_KEY) ++ if (sh.type != BTRFS_ROOT_BACKREF_KEY) + continue; +- if (sh->offset != subvol_id) ++ if (sh.offset != subvol_id) + continue; + +- ref = BTRFS_IOCTL_SEARCH_HEADER_BODY(sh); +- ++ const struct btrfs_root_ref *ref = body; + p = memdup_suffix0((char*) ref + sizeof(struct btrfs_root_ref), le64toh(ref->name_len)); + if (!p) + return -ENOMEM; +@@ -993,7 +997,7 @@ static int subvol_remove_children(int fd, const char *subvolume, uint64_t subvol + if (isempty(ino_args.name)) + /* Subvolume is in the top-level + * directory of the subvolume. 
*/ +- r = subvol_remove_children(subvol_fd, p, sh->objectid, flags); ++ r = subvol_remove_children(subvol_fd, p, sh.objectid, flags); + else { + _cleanup_close_ int child_fd = -EBADF; + +@@ -1005,7 +1009,7 @@ static int subvol_remove_children(int fd, const char *subvolume, uint64_t subvol + if (child_fd < 0) + return -errno; + +- r = subvol_remove_children(child_fd, p, sh->objectid, flags); ++ r = subvol_remove_children(child_fd, p, sh.objectid, flags); + } + if (r < 0) + return r; +@@ -1075,8 +1079,8 @@ int btrfs_qgroup_copy_limits(int fd, uint64_t old_qgroupid, uint64_t new_qgroupi + return -ENOTTY; + + while (btrfs_ioctl_search_args_compare(&args) <= 0) { +- const struct btrfs_ioctl_search_header *sh; +- unsigned i; ++ struct btrfs_ioctl_search_header sh; ++ const void *body; + + args.key.nr_items = 256; + if (ioctl(fd, BTRFS_IOC_TREE_SEARCH, &args) < 0) { +@@ -1089,23 +1093,23 @@ int btrfs_qgroup_copy_limits(int fd, uint64_t old_qgroupid, uint64_t new_qgroupi + if (args.key.nr_items <= 0) + break; + +- FOREACH_BTRFS_IOCTL_SEARCH_HEADER(i, sh, args) { +- const struct btrfs_qgroup_limit_item *qli = BTRFS_IOCTL_SEARCH_HEADER_BODY(sh); ++ FOREACH_BTRFS_IOCTL_SEARCH_HEADER(sh, body, args) { + struct btrfs_ioctl_qgroup_limit_args qargs; + unsigned c; + + /* Make sure we start the next search at least from this entry */ +- btrfs_ioctl_search_args_set(&args, sh); ++ btrfs_ioctl_search_args_set(&args, &sh); + +- if (sh->objectid != 0) ++ if (sh.objectid != 0) + continue; +- if (sh->type != BTRFS_QGROUP_LIMIT_KEY) ++ if (sh.type != BTRFS_QGROUP_LIMIT_KEY) + continue; +- if (sh->offset != old_qgroupid) ++ if (sh.offset != old_qgroupid) + continue; + + /* We found the entry, now copy things over. 
*/ + ++ const struct btrfs_qgroup_limit_item *qli = body; + qargs = (struct btrfs_ioctl_qgroup_limit_args) { + .qgroupid = new_qgroupid, + +@@ -1314,8 +1318,8 @@ static int subvol_snapshot_children( + args.key.min_offset = args.key.max_offset = old_subvol_id; + + while (btrfs_ioctl_search_args_compare(&args) <= 0) { +- const struct btrfs_ioctl_search_header *sh; +- unsigned i; ++ struct btrfs_ioctl_search_header sh; ++ const void *body; + + args.key.nr_items = 256; + if (ioctl(old_fd, BTRFS_IOC_TREE_SEARCH, &args) < 0) +@@ -1324,27 +1328,24 @@ static int subvol_snapshot_children( + if (args.key.nr_items <= 0) + break; + +- FOREACH_BTRFS_IOCTL_SEARCH_HEADER(i, sh, args) { ++ FOREACH_BTRFS_IOCTL_SEARCH_HEADER(sh, body, args) { + _cleanup_free_ char *p = NULL, *c = NULL, *np = NULL; +- const struct btrfs_root_ref *ref; + _cleanup_close_ int old_child_fd = -EBADF, new_child_fd = -EBADF; + +- btrfs_ioctl_search_args_set(&args, sh); ++ btrfs_ioctl_search_args_set(&args, &sh); + +- if (sh->type != BTRFS_ROOT_BACKREF_KEY) ++ if (sh.type != BTRFS_ROOT_BACKREF_KEY) + continue; + +- /* Avoid finding the source subvolume a second +- * time */ +- if (sh->offset != old_subvol_id) ++ /* Avoid finding the source subvolume a second time */ ++ if (sh.offset != old_subvol_id) + continue; + +- /* Avoid running into loops if the new +- * subvolume is below the old one. */ +- if (sh->objectid == new_subvol_id) ++ /* Avoid running into loops if the new subvolume is below the old one. */ ++ if (sh.objectid == new_subvol_id) + continue; + +- ref = BTRFS_IOCTL_SEARCH_HEADER_BODY(sh); ++ const struct btrfs_root_ref *ref = body; + p = memdup_suffix0((char*) ref + sizeof(struct btrfs_root_ref), le64toh(ref->name_len)); + if (!p) + return -ENOMEM; +@@ -1374,10 +1375,8 @@ static int subvol_snapshot_children( + return -errno; + + if (flags & BTRFS_SNAPSHOT_READ_ONLY) { +- /* If the snapshot is read-only we +- * need to mark it writable +- * temporarily, to put the subsnapshot +- * into place. 
*/ ++ /* If the snapshot is read-only we need to mark it writable temporarily, to ++ * put the subsnapshot into place. */ + + if (subvolume_fd < 0) { + subvolume_fd = openat(new_fd, subvolume, O_RDONLY|O_NOCTTY|O_CLOEXEC|O_DIRECTORY|O_NOFOLLOW); +@@ -1390,10 +1389,8 @@ static int subvol_snapshot_children( + return r; + } + +- /* When btrfs clones the subvolumes, child +- * subvolumes appear as empty directories. Remove +- * them, so that we can create a new snapshot +- * in their place */ ++ /* When btrfs clones the subvolumes, child subvolumes appear as empty ++ * directories. Remove them, so that we can create a new snapshot in their place */ + if (unlinkat(new_child_fd, p, AT_REMOVEDIR) < 0) { + int k = -errno; + +@@ -1403,7 +1400,7 @@ static int subvol_snapshot_children( + return k; + } + +- r = subvol_snapshot_children(old_child_fd, new_child_fd, p, sh->objectid, ++ r = subvol_snapshot_children(old_child_fd, new_child_fd, p, sh.objectid, + flags & ~(BTRFS_SNAPSHOT_FALLBACK_COPY|BTRFS_SNAPSHOT_LOCK_BSD)); + + /* Restore the readonly flag */ +@@ -1582,8 +1579,8 @@ int btrfs_qgroup_find_parents(int fd, uint64_t qgroupid, uint64_t **ret) { + args.key.min_objectid = args.key.max_objectid = qgroupid; + + while (btrfs_ioctl_search_args_compare(&args) <= 0) { +- const struct btrfs_ioctl_search_header *sh; +- unsigned i; ++ struct btrfs_ioctl_search_header sh; ++ _unused_ const void *body; + + args.key.nr_items = 256; + if (ioctl(fd, BTRFS_IOC_TREE_SEARCH, &args) < 0) { +@@ -1596,22 +1593,22 @@ int btrfs_qgroup_find_parents(int fd, uint64_t qgroupid, uint64_t **ret) { + if (args.key.nr_items <= 0) + break; + +- FOREACH_BTRFS_IOCTL_SEARCH_HEADER(i, sh, args) { ++ FOREACH_BTRFS_IOCTL_SEARCH_HEADER(sh, body, args) { + + /* Make sure we start the next search at least from this entry */ +- btrfs_ioctl_search_args_set(&args, sh); ++ btrfs_ioctl_search_args_set(&args, &sh); + +- if (sh->type != BTRFS_QGROUP_RELATION_KEY) ++ if (sh.type != BTRFS_QGROUP_RELATION_KEY) + 
continue; +- if (sh->offset < sh->objectid) ++ if (sh.offset < sh.objectid) + continue; +- if (sh->objectid != qgroupid) ++ if (sh.objectid != qgroupid) + continue; + + if (!GREEDY_REALLOC(items, n_items+1)) + return -ENOMEM; + +- items[n_items++] = sh->offset; ++ items[n_items++] = sh.offset; + } + + /* Increase search key by one, to read the next item, if we can. */ +@@ -1829,8 +1826,8 @@ int btrfs_subvol_get_parent(int fd, uint64_t subvol_id, uint64_t *ret) { + args.key.min_objectid = args.key.max_objectid = subvol_id; + + while (btrfs_ioctl_search_args_compare(&args) <= 0) { +- const struct btrfs_ioctl_search_header *sh; +- unsigned i; ++ struct btrfs_ioctl_search_header sh; ++ _unused_ const void *body = NULL; + + args.key.nr_items = 256; + if (ioctl(fd, BTRFS_IOC_TREE_SEARCH, &args) < 0) +@@ -1839,14 +1836,14 @@ int btrfs_subvol_get_parent(int fd, uint64_t subvol_id, uint64_t *ret) { + if (args.key.nr_items <= 0) + break; + +- FOREACH_BTRFS_IOCTL_SEARCH_HEADER(i, sh, args) { ++ FOREACH_BTRFS_IOCTL_SEARCH_HEADER(sh, body, args) { + +- if (sh->type != BTRFS_ROOT_BACKREF_KEY) ++ if (sh.type != BTRFS_ROOT_BACKREF_KEY) + continue; +- if (sh->objectid != subvol_id) ++ if (sh.objectid != subvol_id) + continue; + +- *ret = sh->offset; ++ *ret = sh.offset; + return 0; + } + } +@@ -1936,8 +1933,8 @@ static int btrfs_read_chunk_tree_fd(int fd, BtrfsChunkTree *ret) { + assert(ret); + + while (btrfs_ioctl_search_args_compare(&search_args) <= 0) { +- const struct btrfs_ioctl_search_header *sh; +- unsigned i; ++ struct btrfs_ioctl_search_header sh; ++ const void *body; + + search_args.key.nr_items = 256; + +@@ -1947,25 +1944,23 @@ static int btrfs_read_chunk_tree_fd(int fd, BtrfsChunkTree *ret) { + if (search_args.key.nr_items == 0) + break; + +- FOREACH_BTRFS_IOCTL_SEARCH_HEADER(i, sh, search_args) { ++ FOREACH_BTRFS_IOCTL_SEARCH_HEADER(sh, body, search_args) { + _cleanup_(btrfs_chunk_freep) BtrfsChunk *chunk = NULL; +- const struct btrfs_chunk *item; + +- 
btrfs_ioctl_search_args_set(&search_args, sh); ++ btrfs_ioctl_search_args_set(&search_args, &sh); + +- if (sh->objectid != BTRFS_FIRST_CHUNK_TREE_OBJECTID) ++ if (sh.objectid != BTRFS_FIRST_CHUNK_TREE_OBJECTID) + continue; +- if (sh->type != BTRFS_CHUNK_ITEM_KEY) ++ if (sh.type != BTRFS_CHUNK_ITEM_KEY) + continue; + + chunk = new(BtrfsChunk, 1); + if (!chunk) + return -ENOMEM; + +- item = BTRFS_IOCTL_SEARCH_HEADER_BODY(sh); +- ++ const struct btrfs_chunk *item = body; + *chunk = (BtrfsChunk) { +- .offset = sh->offset, ++ .offset = sh.offset, + .length = le64toh(item->length), + .type = le64toh(item->type), + .n_stripes = le16toh(item->num_stripes), +@@ -2095,8 +2090,8 @@ int btrfs_get_file_physical_offset_fd(int fd, uint64_t *ret) { + search_args.key.min_objectid = search_args.key.max_objectid = st.st_ino; + + while (btrfs_ioctl_search_args_compare(&search_args) <= 0) { +- const struct btrfs_ioctl_search_header *sh; +- unsigned i; ++ struct btrfs_ioctl_search_header sh; ++ const void *body; + + search_args.key.nr_items = 256; + +@@ -2106,21 +2101,19 @@ int btrfs_get_file_physical_offset_fd(int fd, uint64_t *ret) { + if (search_args.key.nr_items == 0) + break; + +- FOREACH_BTRFS_IOCTL_SEARCH_HEADER(i, sh, search_args) { +- const struct btrfs_file_extent_item *item; ++ FOREACH_BTRFS_IOCTL_SEARCH_HEADER(sh, body, search_args) { + uint64_t logical_offset; + BtrfsChunk *chunk; + +- btrfs_ioctl_search_args_set(&search_args, sh); ++ btrfs_ioctl_search_args_set(&search_args, &sh); + +- if (sh->type != BTRFS_EXTENT_DATA_KEY) ++ if (sh.type != BTRFS_EXTENT_DATA_KEY) + continue; + +- if (sh->objectid != st.st_ino) ++ if (sh.objectid != st.st_ino) + continue; + +- item = BTRFS_IOCTL_SEARCH_HEADER_BODY(sh); +- ++ const struct btrfs_file_extent_item *item = body; + if (!IN_SET(item->type, BTRFS_FILE_EXTENT_REG, BTRFS_FILE_EXTENT_PREALLOC)) + return log_debug_errno(SYNTHETIC_ERRNO(EINVAL), + "Cannot get physical address for btrfs extent: invalid type %" PRIu8, +-- +2.33.0 + 
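Review bot: The comment on the new FOREACH_BTRFS_IOCTL_SEARCH_HEADER macro says it iterates `struct btrfs_file_extent_item elements`, but every caller in this hunk walks `struct btrfs_ioctl_search_header` records whose bodies are root items, qgroup info/limit items, root refs or chunk items; only btrfs_get_file_physical_offset_fd deals with file extent items. Suggest `/* Iterates over the struct btrfs_ioctl_search_header records in args.buf. The kernel does not align them, so each header is memcpy'd into 'sh' and 'body' points at the unaligned payload that follows it. */`. Separately, the macro advances by `(sh).len` taken straight from the ioctl buffer without comparing it against BTRFS_SEARCH_ARGS_BUFSIZE, so a malformed result would walk the loop past `args.buf`; that gap is closed by backport-btrfs-util-check-current-offset-before-read.patch later in this same series, which makes the relative order of the two patch files load-bearing.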
diff --git a/backport-btrfs-util-check-current-offset-before-read.patch b/backport-btrfs-util-check-current-offset-before-read.patch new file mode 100644 index 0000000..0ab596b --- /dev/null +++ b/backport-btrfs-util-check-current-offset-before-read.patch 
@@ -0,0 +1,81 @@ +From c496b01d663d087278038bf26802488969441078 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Tue, 21 May 2024 01:34:34 +0900 +Subject: [PATCH 0663/1160] btrfs-util: check current offset before read + +Fixes #32936. + +(cherry picked from commit 125cca1b51e19d9209a229fca4fb9d94d34c3e78) +--- + src/shared/btrfs-util.c | 49 +++++++++++++++++++++++++++++++---------- + 1 file changed, 37 insertions(+), 12 deletions(-) + +diff --git a/src/shared/btrfs-util.c b/src/shared/btrfs-util.c +index 2ed6bf24a2..42d21ad118 100644 +--- a/src/shared/btrfs-util.c ++++ b/src/shared/btrfs-util.c +@@ -262,24 +262,49 @@ static int btrfs_ioctl_search_args_compare(const struct btrfs_ioctl_search_args + } + + typedef struct BtrfsForeachIterator { +- const void *p; +- size_t i; ++ const struct btrfs_ioctl_search_args *args; ++ size_t offset; ++ unsigned index; ++ struct btrfs_ioctl_search_header *header; ++ const void **body; + } BtrfsForeachIterator; + ++static int btrfs_iterate(BtrfsForeachIterator *i) { ++ assert(i); ++ assert(i->args); ++ assert(i->header); ++ assert(i->body); ++ ++ if (i->index >= i->args->key.nr_items) ++ return 0; /* end */ ++ ++ assert_cc(BTRFS_SEARCH_ARGS_BUFSIZE >= sizeof(struct btrfs_ioctl_search_header)); ++ if (i->offset > BTRFS_SEARCH_ARGS_BUFSIZE - sizeof(struct btrfs_ioctl_search_header)) ++ return -EBADMSG; ++ ++ struct btrfs_ioctl_search_header h; ++ memcpy(&h, (const uint8_t*) i->args->buf + i->offset, sizeof(struct btrfs_ioctl_search_header)); ++ ++ if (i->offset > BTRFS_SEARCH_ARGS_BUFSIZE - sizeof(struct btrfs_ioctl_search_header) - h.len) ++ return -EBADMSG; ++ ++ *i->body = (const uint8_t*) i->args->buf + i->offset + sizeof(struct btrfs_ioctl_search_header); ++ *i->header = h; ++ i->offset += sizeof(struct btrfs_ioctl_search_header) + h.len; ++ i->index++; ++ ++ return 1; ++} ++ + /* Iterates through a series of struct btrfs_file_extent_item elements. 
They are unfortunately not aligned, + * hence we copy out the header from them */ +-#define FOREACH_BTRFS_IOCTL_SEARCH_HEADER(sh, body, args) \ ++#define FOREACH_BTRFS_IOCTL_SEARCH_HEADER(_sh, _body, _args) \ + for (BtrfsForeachIterator iterator = { \ +- .p = ({ \ +- memcpy(&(sh), (args).buf, sizeof(struct btrfs_ioctl_search_header)); \ +- (body) = (const void*) ((const uint8_t*) (args).buf + sizeof(struct btrfs_ioctl_search_header)); \ +- (args).buf; \ +- }), \ ++ .args = &(_args), \ ++ .header = &(_sh), \ ++ .body = &(_body), \ + }; \ +- iterator.i < (args).key.nr_items; \ +- iterator.i++, \ +- memcpy(&(sh), iterator.p = (const uint8_t*) iterator.p + sizeof(struct btrfs_ioctl_search_header) + (sh).len, sizeof(struct btrfs_ioctl_search_header)), \ +- (body) = (const void*) ((const uint8_t*) iterator.p + sizeof(struct btrfs_ioctl_search_header))) ++ btrfs_iterate(&iterator) > 0; ) + + int btrfs_subvol_get_info_fd(int fd, uint64_t subvol_id, BtrfsSubvolInfo *ret) { + struct btrfs_ioctl_search_args args = { +-- +2.33.0 + diff --git a/backport-btrfs-util-rework-btrfs_is_nocow_fd-around-fd_is_fs_.patch b/backport-btrfs-util-rework-btrfs_is_nocow_fd-around-fd_is_fs_.patch new file mode 100644 index 0000000..1027a8e --- /dev/null +++ b/backport-btrfs-util-rework-btrfs_is_nocow_fd-around-fd_is_fs_.patch 
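Review bot: The second bounds check in btrfs_iterate(), `if (i->offset > BTRFS_SEARCH_ARGS_BUFSIZE - sizeof(struct btrfs_ioctl_search_header) - h.len)`, is evaluated in unsigned arithmetic (sizeof yields size_t), so when h.len is larger than the room left after the header the subtraction wraps to a huge value and the check passes instead of failing. Because i->offset has already been bounded by the first check, the safe form compares the length against the remaining room: `if (h.len > BTRFS_SEARCH_ARGS_BUFSIZE - sizeof(struct btrfs_ioctl_search_header) - i->offset) return -EBADMSG;`. The buffer is filled by the kernel, so this is hardening rather than a known fault, but an oversized len is exactly the case this helper was added to catch. It would also help callers to note above the macro that FOREACH_BTRFS_IOCTL_SEARCH_HEADER ends silently on -EBADMSG, since the loop condition only tests `> 0` and a truncated buffer is indistinguishable from a clean end.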
@@ -0,0 +1,48 @@ +From fc9fbe7f73b058bf2d4bc40bbbd8d24ed74b2f00 Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Mon, 12 Feb 2024 12:55:47 +0100 +Subject: [PATCH 0303/1160] btrfs-util: rework btrfs_is_nocow_fd() around + fd_is_fs_type() + read_attr_fd() + +Let's our safer helpers where appropriate. + +(cherry picked from commit 05f38c897fa9ac32d627395e4c7a7c7d7e5a1b23) +--- + src/shared/btrfs-util.c | 15 ++++++++------- + 1 file changed, 8 insertions(+), 7 deletions(-) + +diff --git a/src/shared/btrfs-util.c b/src/shared/btrfs-util.c +index aa4eb5a8d8..57e11dc1a8 100644 +--- a/src/shared/btrfs-util.c ++++ b/src/shared/btrfs-util.c +@@ -2030,19 +2030,20 @@ static BtrfsChunk* btrfs_find_chunk_from_logical_address(const BtrfsChunkTree *t + } + + static int btrfs_is_nocow_fd(int fd) { +- struct statfs sfs; + unsigned flags; ++ int r; + + assert(fd >= 0); + +- if (fstatfs(fd, &sfs) < 0) +- return -errno; +- +- if (!is_fs_type(&sfs, BTRFS_SUPER_MAGIC)) ++ r = fd_is_fs_type(fd, BTRFS_SUPER_MAGIC); ++ if (r < 0) ++ return r; ++ if (r == 0) + return -ENOTTY; + +- if (ioctl(fd, FS_IOC_GETFLAGS, &flags) < 0) +- return -errno; ++ r = read_attr_fd(fd, &flags); ++ if (r < 0) ++ return r; + + return FLAGS_SET(flags, FS_NOCOW_FL) && !FLAGS_SET(flags, FS_COMPR_FL); + } +-- +2.33.0 + diff --git a/backport-btrfs-util-use-memdup_suffix0-instead-of-strndup-at-.patch b/backport-btrfs-util-use-memdup_suffix0-instead-of-strndup-at-.patch new file mode 100644 index 0000000..dbb9cb7 --- /dev/null +++ b/backport-btrfs-util-use-memdup_suffix0-instead-of-strndup-at-.patch 
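Review bot: btrfs_is_nocow_fd() now has three distinct outcomes (a negative errno propagated from fd_is_fs_type() or read_attr_fd(), -ENOTTY for an fd that is not on btrfs, and a 0/1 result), but nothing above the function states that contract, and -ENOTTY is easy to mistake for a real ioctl failure now that the ioctl() call is gone. A comment such as `/* Returns > 0 if fd is NOCOW and not compressed, 0 if not, -ENOTTY if fd is not on btrfs, or another negative errno. */` above the signature would make it explicit for callers. The switch to the helpers itself looks correct; `flags` stays `unsigned`, which presumably matches read_attr_fd()'s parameter, though that signature is not visible here.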
@@ -0,0 +1,40 @@ +From 5b20ddb64212b4c9179a0ebb240170e59a1bf89d Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Mon, 12 Feb 2024 15:32:25 +0100 +Subject: [PATCH 0304/1160] btrfs-util: use memdup_suffix0() instead of + strndup() at one more place + +The structure we copy this out is a large (unaligned) binary blob, hence +let's better use the memdup_suffix0() so that gcc doesn't make +assumption about the source being a valid string. + +(cherry picked from commit e5c41c6138a6f0fe1c47c0a1db15ec3113622492) +--- + src/shared/btrfs-util.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/shared/btrfs-util.c b/src/shared/btrfs-util.c +index 57e11dc1a8..b0ecf8f820 100644 +--- a/src/shared/btrfs-util.c ++++ b/src/shared/btrfs-util.c +@@ -970,7 +970,7 @@ static int subvol_remove_children(int fd, const char *subvolume, uint64_t subvol + + ref = BTRFS_IOCTL_SEARCH_HEADER_BODY(sh); + +- p = strndup((char*) ref + sizeof(struct btrfs_root_ref), le64toh(ref->name_len)); ++ p = memdup_suffix0((char*) ref + sizeof(struct btrfs_root_ref), le64toh(ref->name_len)); + if (!p) + return -ENOMEM; + +@@ -1345,7 +1345,7 @@ static int subvol_snapshot_children( + continue; + + ref = BTRFS_IOCTL_SEARCH_HEADER_BODY(sh); +- p = strndup((char*) ref + sizeof(struct btrfs_root_ref), le64toh(ref->name_len)); ++ p = memdup_suffix0((char*) ref + sizeof(struct btrfs_root_ref), le64toh(ref->name_len)); + if (!p) + return -ENOMEM; + +-- +2.33.0 + diff --git a/backport-bus-socket-Clarify-that-inotify-is-supposed-to-watch.patch b/backport-bus-socket-Clarify-that-inotify-is-supposed-to-watch.patch new file mode 100644 index 0000000..8b3f50c --- /dev/null +++ b/backport-bus-socket-Clarify-that-inotify-is-supposed-to-watch.patch 
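Review bot: Both memdup_suffix0() calls copy `le64toh(ref->name_len)` bytes starting just past the btrfs_root_ref, but that length comes from the search result item itself and is not checked against the item's size before the copy, so a shorter-than-expected item would make the copy over-read the ioctl buffer; that risk is independent of the strndup()/memdup_suffix0() choice this commit makes. Unless it is validated elsewhere, a guard before each copy that the item (the `len` reported in its search header) is at least `sizeof(struct btrfs_root_ref) + le64toh(ref->name_len)` bytes, returning -EBADMSG otherwise, would close it; the same applies to the second hunk in subvol_snapshot_children(). Both enclosing functions start and end outside the hunks.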
@@ -0,0 +1,65 @@ +From b3b1b8c45e698a73e92f7aeab3e4429d08de5757 Mon Sep 17 00:00:00 2001 +From: Daan De Meyer +Date: Mon, 15 Jan 2024 17:16:10 +0100 +Subject: [PATCH 0258/1160] bus-socket: Clarify that inotify is supposed to + watch all components + +The previous wording of the components could mean that we should only +watch directories, not the socket itself. Reword so that we clearly +mention that all components of the path are watched, including the +socket itself. + +(cherry picked from commit 0e2f18eedd6b9be32b1c1122dcd2c30319074c7f) +--- + src/libsystemd/sd-bus/bus-socket.c | 22 +++++++++++----------- + 1 file changed, 11 insertions(+), 11 deletions(-) + +diff --git a/src/libsystemd/sd-bus/bus-socket.c b/src/libsystemd/sd-bus/bus-socket.c +index 3c59d0d615..5ade8e99aa 100644 +--- a/src/libsystemd/sd-bus/bus-socket.c ++++ b/src/libsystemd/sd-bus/bus-socket.c +@@ -735,12 +735,12 @@ static int bus_socket_inotify_setup(sd_bus *b) { + assert(b->sockaddr.sa.sa_family == AF_UNIX); + assert(b->sockaddr.un.sun_path[0] != 0); + +- /* Sets up an inotify fd in case watch_bind is enabled: wait until the configured AF_UNIX file system socket +- * appears before connecting to it. The implemented is pretty simplistic: we just subscribe to relevant changes +- * to all prefix components of the path, and every time we get an event for that we try to reconnect again, +- * without actually caring what precisely the event we got told us. If we still can't connect we re-subscribe +- * to all relevant changes of anything in the path, so that our watches include any possibly newly created path +- * components. */ ++ /* Sets up an inotify fd in case watch_bind is enabled: wait until the configured AF_UNIX file system ++ * socket appears before connecting to it. 
The implemented is pretty simplistic: we just subscribe to ++ * relevant changes to all components of the path, and every time we get an event for that we try to ++ * reconnect again, without actually caring what precisely the event we got told us. If we still ++ * can't connect we re-subscribe to all relevant changes of anything in the path, so that our watches ++ * include any possibly newly created path components. */ + + if (b->inotify_fd < 0) { + b->inotify_fd = inotify_init1(IN_NONBLOCK|IN_CLOEXEC); +@@ -759,17 +759,17 @@ static int bus_socket_inotify_setup(sd_bus *b) { + if (r < 0) + goto fail; + +- /* Watch all parent directories, and don't mind any prefix that doesn't exist yet. For the innermost directory +- * that exists we want to know when files are created or moved into it. For all parents of it we just care if +- * they are removed or renamed. */ ++ /* Watch all components of the path, and don't mind any prefix that doesn't exist yet. For the ++ * innermost directory that exists we want to know when files are created or moved into it. For all ++ * parents of it we just care if they are removed or renamed. */ + + if (!GREEDY_REALLOC(new_watches, n + 1)) { + r = -ENOMEM; + goto fail; + } + +- /* Start with the top-level directory, which is a bit simpler than the rest, since it can't be a symlink, and +- * always exists */ ++ /* Start with the top-level directory, which is a bit simpler than the rest, since it can't be a ++ * symlink, and always exists */ + wd = inotify_add_watch(b->inotify_fd, "/", IN_CREATE|IN_MOVED_TO); + if (wd < 0) { + r = log_debug_errno(errno, "Failed to add inotify watch on /: %m"); +-- +2.33.0 + diff --git a/backport-bus-wait-for-jobs-fix-service-result-table.patch b/backport-bus-wait-for-jobs-fix-service-result-table.patch new file mode 100644 index 0000000..8d89e9b --- /dev/null +++ b/backport-bus-wait-for-jobs-fix-service-result-table.patch 
@@ -0,0 +1,56 @@ +From 760afe632f94c791583426533fd4c43f82f61bef Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Tue, 14 Jan 2025 13:56:58 +0100 +Subject: [PATCH 1088/1160] bus-wait-for-jobs: fix service result table + +We were missing one service result (oom-kill), and the ratelimit one is +called differently. Correct that so that we generate proper log messages +for these cases. + +(cherry picked from commit a7620f5dd16f0386b8ddeadfcd4e89da4050beef) +(cherry picked from commit 13ce2fd65cc2c8b8f269b9e16c576b9b493754ba) +(cherry picked from commit dbc791b61facdc98d3e4f156e2bbf0f2f3a86853) +--- + src/shared/bus-wait-for-jobs.c | 19 ++++++++++--------- + 1 file changed, 10 insertions(+), 9 deletions(-) + +diff --git a/src/shared/bus-wait-for-jobs.c b/src/shared/bus-wait-for-jobs.c +index 969c62979f..16883d5816 100644 +--- a/src/shared/bus-wait-for-jobs.c ++++ b/src/shared/bus-wait-for-jobs.c +@@ -168,14 +168,15 @@ static void log_job_error_with_service_result(const char* service, const char *r + static const struct { + const char *result, *explanation; + } explanations[] = { +- { "resources", "of unavailable resources or another system error" }, +- { "protocol", "the service did not take the steps required by its unit configuration" }, +- { "timeout", "a timeout was exceeded" }, +- { "exit-code", "the control process exited with error code" }, +- { "signal", "a fatal signal was delivered to the control process" }, +- { "core-dump", "a fatal signal was delivered causing the control process to dump core" }, +- { "watchdog", "the service failed to send watchdog ping" }, +- { "start-limit", "start of the service was attempted too often" } ++ { "resources", "of unavailable resources or another system error" }, ++ { "protocol", "the service did not take the steps required by its unit configuration" }, ++ { "timeout", "a timeout was exceeded" }, ++ { "exit-code", "the control process exited with error code" }, ++ { "signal", "a fatal signal was delivered to the 
control process" }, ++ { "core-dump", "a fatal signal was delivered causing the control process to dump core" }, ++ { "watchdog", "the service failed to send watchdog ping" }, ++ { "start-limit-hit", "start of the service was attempted too often" }, ++ { "oom-kill", "of an out-of-memory (OOM) siutation" }, + }; + + assert(service); +@@ -220,7 +221,7 @@ static void log_job_error_with_service_result(const char* service, const char *r + + finish: + /* For some results maybe additional explanation is required */ +- if (streq_ptr(result, "start-limit")) ++ if (streq_ptr(result, "start-limit-hit")) + log_info("To force a start use \"%1$s reset-failed %2$s\"\n" + "followed by \"%1$s start %2$s\" again.", + systemctl, +-- +2.33.0 + diff --git a/backport-busctl-avoid-asserting-on-NULL-message.patch b/backport-busctl-avoid-asserting-on-NULL-message.patch new file mode 100644 index 0000000..3a032a6 --- /dev/null +++ b/backport-busctl-avoid-asserting-on-NULL-message.patch 
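Review bot: The new "oom-kill" row misspells the explanation that is emitted in the log line: `{ "oom-kill", "of an out-of-memory (OOM) siutation" },` should read `{ "oom-kill", "of an out-of-memory (OOM) situation" },`. Since this text reaches users verbatim, it is worth correcting in the backport rather than waiting for another upstream pick. The "start-limit-hit" rename in the table is consistent with the updated streq_ptr() check in the second hunk.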
@@ -0,0 +1,97 @@ +From ac851effbe936cbeb4b1d8f32016fa4458342a87 Mon Sep 17 00:00:00 2001 +From: Frantisek Sumsal +Date: Sun, 24 Dec 2023 14:49:23 +0100 +Subject: [PATCH 0089/1160] busctl: avoid asserting on NULL message +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Avoid passing a NULL message to sd_bus_message_is_signal(), to not trip +over an assertion: + +[ 132.869436] H testsuite-82.sh[614]: + systemctl --no-block --check-inhibitors=yes soft-reboot +[ 132.967386] H systemd[1]: Created slice system-systemd\x2dcoredump.slice. +[ 133.018292] H systemd[1]: Starting inhibit.service... +[ 133.122610] H systemd[1]: Started systemd-coredump@0-665-0.service. +[ 133.163643] H systemd[1]: Started inhibit.service. +[ 133.206836] H testsuite-82.sh[614]: + exec sleep infinity +[ 133.236762] H systemd-logind[611]: The system will reboot now! +[ 135.891607] H systemd-coredump[667]: [🡕] Process 663 (busctl) of user 0 dumped core. + + Stack trace of thread 663: + #0 0x00007f2ec45e6acf raise (libc.so.6 + 0x4eacf) + #1 0x00007f2ec45b9ea5 abort (libc.so.6 + 0x21ea5) + #2 0x00007f2ec4b5c9a6 log_assert_failed (libsystemd-shared-255.so + 0x1ff9a6) + #3 0x00007f2ec4b5dca5 log_assert_failed_return (libsystemd-shared-255.so + 0x200ca5) + #4 0x00007f2ec4bb3df6 sd_bus_message_is_signal (libsystemd-shared-255.so + 0x256df6) + #5 0x000000000040e478 monitor (busctl + 0xe478) + #6 0x000000000040e82f verb_monitor (busctl + 0xe82f) + #7 0x00007f2ec4b202cb dispatch_verb (libsystemd-shared-255.so + 0x1c32cb) + #8 0x00000000004074fa busctl_main (busctl + 0x74fa) + #9 0x0000000000407525 run (busctl + 0x7525) + #10 0x000000000040ff67 main (busctl + 0xff67) + #11 0x00007f2ec45d2d85 __libc_start_main (libc.so.6 + 0x3ad85) + #12 0x00000000004044be _start (busctl + 0x44be) + ELF object binary architecture: AMD x86-64 +[ 136.141152] H dbus-daemon[634]: [system] Monitoring connection :1.2 closed. 
+[ 136.152233] H systemd[1]: busctl.service: Main process exited, code=dumped, status=6/ABRT +[ 136.153996] H systemd[1]: busctl.service: Failed with result 'core-dump'. + +The asertion in question: + +Assertion 'm' failed at src/libsystemd/sd-bus/bus-message.c:1015, function sd_bus_message_is_signal(). Aborting. + +We can get a NULL message here through sd_bus_process() -> +bus_process_internal() -> process_running(), so let's handle this case +appropriately. + +(cherry picked from commit b4a21d51487e21052af49b755d1707d4616e2977) +--- + src/busctl/busctl.c | 26 +++++++++++++------------- + 1 file changed, 13 insertions(+), 13 deletions(-) + +diff --git a/src/busctl/busctl.c b/src/busctl/busctl.c +index 9f82198f2f..39d22f2912 100644 +--- a/src/busctl/busctl.c ++++ b/src/busctl/busctl.c +@@ -1320,24 +1320,24 @@ static int monitor(int argc, char **argv, int (*dump)(sd_bus_message *m, FILE *f + if (r < 0) + return log_error_errno(r, "Failed to process bus: %m"); + +- if (!is_monitor) { +- const char *name; ++ if (m) { ++ if (!is_monitor) { ++ const char *name; + +- /* wait until we lose our unique name */ +- if (sd_bus_message_is_signal(m, "org.freedesktop.DBus", "NameLost") <= 0) +- continue; ++ /* wait until we lose our unique name */ ++ if (sd_bus_message_is_signal(m, "org.freedesktop.DBus", "NameLost") <= 0) ++ continue; + +- r = sd_bus_message_read(m, "s", &name); +- if (r < 0) +- return bus_log_parse_error(r); ++ r = sd_bus_message_read(m, "s", &name); ++ if (r < 0) ++ return bus_log_parse_error(r); + +- if (streq(name, unique_name)) +- is_monitor = true; ++ if (streq(name, unique_name)) ++ is_monitor = true; + +- continue; +- } ++ continue; ++ } + +- if (m) { + dump(m, stdout); + fflush(stdout); + +-- +2.33.0 + diff --git a/backport-busctl-don-t-hit-an-assert-if-we-call-invalid-bus-me.patch b/backport-busctl-don-t-hit-an-assert-if-we-call-invalid-bus-me.patch new file mode 100644 index 0000000..9fe29dd --- /dev/null 
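Review bot: The reason the whole block is now nested under `if (m) {` is recorded only in the commit message, so the next reader will not see why a positive return from sd_bus_process() can still leave m NULL. A short comment at the new `if (m) {` line, e.g. `/* sd_bus_process() may return > 0 without a message (see process_running()), so only inspect m when we actually got one */`, keeps that knowledge with the code. With m == NULL before is_monitor is set, control falls through to whatever follows the hunk, which appears to be the intended behaviour but is not visible here; monitor()'s body starts and ends outside the hunk.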
+++ b/backport-busctl-don-t-hit-an-assert-if-we-call-invalid-bus-me.patch @@ -0,0 +1,37 @@ +From 39770716e0dbe684b75175b5ec98a9ec16eaaa0d Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Fri, 1 Mar 2024 14:42:34 +0100 +Subject: [PATCH 0429/1160] busctl: don't hit an assert if we call invalid bus + method names + +We should validate this explicitly and generate a clear error string, +rather then hit an assert() later in the code. + +(cherry picked from commit 5f76155e65ac21aca1ccbe945f1bfdd7feeb270b) +--- + src/busctl/busctl.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/src/busctl/busctl.c b/src/busctl/busctl.c +index 39d22f2912..01cb896a44 100644 +--- a/src/busctl/busctl.c ++++ b/src/busctl/busctl.c +@@ -2021,6 +2021,15 @@ static int call(int argc, char **argv, void *userdata) { + if (r < 0) + return r; + ++ if (!service_name_is_valid(argv[1])) ++ return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Invalid service name: %s", argv[1]); ++ if (!object_path_is_valid(argv[2])) ++ return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Invalid object path: %s", argv[2]); ++ if (!interface_name_is_valid(argv[3])) ++ return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Invalid interface name: %s", argv[3]); ++ if (!member_name_is_valid(argv[4])) ++ return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Invalid member name: %s", argv[4]); ++ + r = sd_bus_message_new_method_call(bus, &m, argv[1], argv[2], argv[3], argv[4]); + if (r < 0) + return bus_log_create_error(r); +-- +2.33.0 + diff --git a/backport-cgroup-bring-list-of-delegated-cgroup-attributes-up-.patch b/backport-cgroup-bring-list-of-delegated-cgroup-attributes-up-.patch new file mode 100644 index 0000000..3d4a8ff --- /dev/null +++ b/backport-cgroup-bring-list-of-delegated-cgroup-attributes-up-.patch 
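Review bot: The four new checks dereference argv[1] through argv[4] unconditionally, which is safe only if the verb table already guarantees call() at least five arguments; that is outside the hunk and should be confirmed rather than assumed. Validating the names before sd_bus_message_new_method_call() is the right place, and a one-line comment such as `/* Validate explicitly: sd_bus_message_new_method_call() asserts on malformed names rather than returning an error */` would tell the next reader why these checks are not redundant with the library call. call()'s body starts and ends outside the hunk.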
@@ -0,0 +1,47 @@ +From 9b298cb7e888232d6ca42588062e8db3dfd5f0e9 Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Tue, 12 Dec 2023 10:54:55 +0100 +Subject: [PATCH 0068/1160] cgroup: bring list of delegated cgroup attributes + up-to-date with current kernels + +THis brings the list of attributes to delegate to managers of subcgroups +to the state of kernel 6.6. + +We probably should unify this list, and maybe generate it automatically +from /sys/kernel/cgroup/delegate, but let's do that another time. + +(cherry picked from commit 2c70a81de6e9a3b4c13899dfd75d155ba6143f6e) +--- + src/nspawn/nspawn-cgroup.c | 2 ++ + src/shared/cgroup-setup.c | 2 ++ + 2 files changed, 4 insertions(+) + +diff --git a/src/nspawn/nspawn-cgroup.c b/src/nspawn/nspawn-cgroup.c +index a9d36627a8..a5002437c6 100644 +--- a/src/nspawn/nspawn-cgroup.c ++++ b/src/nspawn/nspawn-cgroup.c +@@ -35,6 +35,8 @@ static int chown_cgroup_path(const char *path, uid_t uid_shift) { + "cgroup.stat", + "cgroup.subtree_control", + "cgroup.threads", ++ "memory.oom.group", ++ "memory.reclaim", + "notify_on_release", + "tasks") + if (fchownat(fd, fn, uid_shift, uid_shift, 0) < 0) +diff --git a/src/shared/cgroup-setup.c b/src/shared/cgroup-setup.c +index 811f129f6c..934a16eaf3 100644 +--- a/src/shared/cgroup-setup.c ++++ b/src/shared/cgroup-setup.c +@@ -421,6 +421,8 @@ int cg_set_access( + { "cgroup.procs", true }, + { "cgroup.subtree_control", true }, + { "cgroup.threads", false }, ++ { "memory.oom.group", false }, ++ { "memory.reclaim", false }, + {}, + }; + +-- +2.33.0 + diff --git a/backport-cgroup-don-t-enable-bpf-pseudo-controllers-when-doin.patch b/backport-cgroup-don-t-enable-bpf-pseudo-controllers-when-doin.patch new file mode 100644 index 0000000..70571da --- /dev/null +++ b/backport-cgroup-don-t-enable-bpf-pseudo-controllers-when-doin.patch 
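Review bot: The same two attributes are added by hand to two separate lists, the fchownat() loop in chown_cgroup_path() (src/nspawn/nspawn-cgroup.c) and the table in cg_set_access() (src/shared/cgroup-setup.c), and nothing in either file points at the other, so the next kernel update can just as easily miss one of them. The commit message itself says the lists should be unified or generated from /sys/kernel/cgroup/delegate; until that happens, a comment at the head of each list, e.g. `/* Keep in sync with cg_set_access() in src/shared/cgroup-setup.c and with /sys/kernel/cgroup/delegate */` (and its mirror image in cgroup-setup.c), is the cheapest way to stop them drifting. Both enclosing functions start and end outside the hunks.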
@@ -0,0 +1,69 @@ +From 70f0b7929ed460293176b0490439859fd56f8567 Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Wed, 24 Jan 2024 22:40:04 +0100 +Subject: [PATCH 0277/1160] cgroup: don't enable bpf pseudo-controllers when + doing a wildcard delegation + +We can only delegate actual controllers, not the BPF pseudo-controllers +we defined as there's imply no concept for that. Hence, when users set +Delegate=yes to do a wildcard delegation, only delegate the regular +controllers. + +This means that we won't bother with BPF stuff for such units where it's +entirelly unnecessary. + +(cherry picked from commit 677e6c14b199c1fa637b7c4c8cae39c31213a79d) +--- + src/basic/cgroup-util.h | 5 ++++- + src/core/dbus-cgroup.c | 2 +- + src/core/load-fragment.c | 2 +- + 3 files changed, 6 insertions(+), 3 deletions(-) + +diff --git a/src/basic/cgroup-util.h b/src/basic/cgroup-util.h +index 6ab14c753d..d06eb6daee 100644 +--- a/src/basic/cgroup-util.h ++++ b/src/basic/cgroup-util.h +@@ -67,10 +67,13 @@ typedef enum CGroupMask { + /* All real cgroup v2 controllers */ + CGROUP_MASK_V2 = CGROUP_MASK_CPU|CGROUP_MASK_CPUSET|CGROUP_MASK_IO|CGROUP_MASK_MEMORY|CGROUP_MASK_PIDS, + ++ /* All controllers we want to delegate in case of Delegate=yes. 
Which are prety much the v2 controllers only, as delegation on v1 is not safe, and bpf stuff isn't a real controller */ ++ CGROUP_MASK_DELEGATE = CGROUP_MASK_V2, ++ + /* All cgroup v2 BPF pseudo-controllers */ + CGROUP_MASK_BPF = CGROUP_MASK_BPF_FIREWALL|CGROUP_MASK_BPF_DEVICES|CGROUP_MASK_BPF_FOREIGN|CGROUP_MASK_BPF_SOCKET_BIND|CGROUP_MASK_BPF_RESTRICT_NETWORK_INTERFACES, + +- _CGROUP_MASK_ALL = CGROUP_CONTROLLER_TO_MASK(_CGROUP_CONTROLLER_MAX) - 1 ++ _CGROUP_MASK_ALL = CGROUP_CONTROLLER_TO_MASK(_CGROUP_CONTROLLER_MAX) - 1, + } CGroupMask; + + static inline CGroupMask CGROUP_MASK_EXTEND_JOINED(CGroupMask mask) { +diff --git a/src/core/dbus-cgroup.c b/src/core/dbus-cgroup.c +index 4237e694c0..8a9570fd21 100644 +--- a/src/core/dbus-cgroup.c ++++ b/src/core/dbus-cgroup.c +@@ -542,7 +542,7 @@ static int bus_cgroup_set_transient_property( + + if (!UNIT_WRITE_FLAGS_NOOP(flags)) { + c->delegate = b; +- c->delegate_controllers = b ? _CGROUP_MASK_ALL : 0; ++ c->delegate_controllers = b ? CGROUP_MASK_DELEGATE : 0; + + unit_write_settingf(u, flags, name, "Delegate=%s", yes_no(b)); + } +diff --git a/src/core/load-fragment.c b/src/core/load-fragment.c +index f442bd8203..0baf08ecae 100644 +--- a/src/core/load-fragment.c ++++ b/src/core/load-fragment.c +@@ -4034,7 +4034,7 @@ int config_parse_delegate( + + } else if (r > 0) { + c->delegate = true; +- c->delegate_controllers = _CGROUP_MASK_ALL; ++ c->delegate_controllers = CGROUP_MASK_DELEGATE; + } else { + c->delegate = false; + c->delegate_controllers = 0; +-- +2.33.0 + diff --git a/backport-cgroup-util-Don-t-try-to-open-pidfd-for-kernel-threa.patch b/backport-cgroup-util-Don-t-try-to-open-pidfd-for-kernel-threa.patch new file mode 100644 index 0000000..1ba506f --- /dev/null +++ b/backport-cgroup-util-Don-t-try-to-open-pidfd-for-kernel-threa.patch 
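Review bot: The new comment on CGROUP_MASK_DELEGATE has a typo ("prety") and runs as a single very long line, unlike the neighbouring comments in the enum. Suggested wording, wrapped to the file's width: `/* All controllers we want to delegate in case of Delegate=yes. Pretty much the v2 controllers only, as delegation on v1 is not safe, and the BPF pseudo-controllers aren't real controllers. */`. The change itself is consistent: a wildcard Delegate=yes now yields CGROUP_MASK_V2 rather than _CGROUP_MASK_ALL, so neither v1 nor BPF bits land in delegate_controllers, and both call sites (dbus-cgroup.c and load-fragment.c) switch to the new constant.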
@@ -0,0 +1,33 @@ +From 8747a45cca86d9d41c612534cee1666a8f70733e Mon Sep 17 00:00:00 2001 +From: Daan De Meyer +Date: Wed, 31 Jul 2024 13:38:50 +0200 +Subject: [PATCH 0826/1160] cgroup-util: Don't try to open pidfd for kernel + threads + +The kernel might start returning -EINVAL when trying to open pidfd's +for kernel threads so let's not try to open pidfd's for kernel threads. + +(cherry picked from commit ead48ec35c863650944352a3455f26ce3b393058) +(cherry picked from commit f1d4e79eff71102199d864175efb7a2353c36502) +--- + src/basic/cgroup-util.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/src/basic/cgroup-util.c b/src/basic/cgroup-util.c +index a3648ee376..50224648d3 100644 +--- a/src/basic/cgroup-util.c ++++ b/src/basic/cgroup-util.c +@@ -116,7 +116,9 @@ int cg_read_pidref(FILE *f, PidRef *ret, CGroupFlags flags) { + if (pid == 0) + return -EREMOTE; + +- if (FLAGS_SET(flags, CGROUP_NO_PIDFD)) { ++ /* We might read kernel thread pids from cgroup.procs for which we cannot create a pidfd so ++ * catch those and don't try to create a pidfd for them. */ ++ if (FLAGS_SET(flags, CGROUP_NO_PIDFD) || pid_is_kernel_thread(pid) > 0) { + *ret = PIDREF_MAKE_FROM_PID(pid); + return 1; + } +-- +2.33.0 + diff --git a/backport-cgroup-util-Don-t-try-to-open-pidfd-for-pids-from-cg.patch b/backport-cgroup-util-Don-t-try-to-open-pidfd-for-pids-from-cg.patch new file mode 100644 index 0000000..9f80ed4 --- /dev/null +++ b/backport-cgroup-util-Don-t-try-to-open-pidfd-for-pids-from-cg.patch 
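Review bot: `pid_is_kernel_thread(pid) > 0` treats a negative return (for instance if the pid has exited in the meantime) the same as "not a kernel thread" and falls through to pidref_set_pid(), which then reports any error itself; that is reasonable but not obvious, so the new comment should say so, e.g. extend it with `On error we fall through and let pidref_set_pid() report it.`. It is also worth stating in the same comment that the PidRef produced by PIDREF_MAKE_FROM_PID() carries no pidfd and therefore gives the caller no protection against the pid being reused, which is acceptable for kernel threads but should be a conscious choice. cg_read_pidref() starts and ends outside the hunk.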
@@ -0,0 +1,70 @@ +From 400e45fd78df1008db53f39c01d2a75237f3c146 Mon Sep 17 00:00:00 2001 +From: Daan De Meyer +Date: Wed, 29 May 2024 22:03:38 +0200 +Subject: [PATCH 0709/1160] cgroup-util: Don't try to open pidfd for pids from + cgroup.threads + +Opening pidfds for non thread group leaders only works from 6.9 onwards with PIDFD_THREAD. On +older kernels or without PIDFD_THREAD pidfd_open() fails with EINVAL. Since we might read non +thread group leader IDs from cgroup.threads, we introduce and set CGROUP_NO_PIDFD to avoid +trying open pidfd's for them and instead use the pid as is. + +(cherry picked from commit 8783355fd98448c08dae68e80da9580d74ea8687) +--- + src/basic/cgroup-util.c | 13 +++++++++++-- + src/basic/cgroup-util.h | 1 + + 2 files changed, 12 insertions(+), 2 deletions(-) + +diff --git a/src/basic/cgroup-util.c b/src/basic/cgroup-util.c +index 6900c9a1b6..3b58db779e 100644 +--- a/src/basic/cgroup-util.c ++++ b/src/basic/cgroup-util.c +@@ -116,6 +116,11 @@ int cg_read_pidref(FILE *f, PidRef *ret, CGroupFlags flags) { + if (pid == 0) + return -EREMOTE; + ++ if (FLAGS_SET(flags, CGROUP_NO_PIDFD)) { ++ *ret = PIDREF_MAKE_FROM_PID(pid); ++ return 1; ++ } ++ + r = pidref_set_pid(ret, pid); + if (r >= 0) + return 1; +@@ -331,7 +336,7 @@ static int cg_kill_items( + for (;;) { + _cleanup_(pidref_done) PidRef pidref = PIDREF_NULL; + +- r = cg_read_pidref(f, &pidref, /* flags = */ 0); ++ r = cg_read_pidref(f, &pidref, flags); + if (r < 0) + return RET_GATHER(ret, r); + if (r == 0) +@@ -402,7 +407,11 @@ int cg_kill( + if (r == 0) + return ret; + +- r = cg_kill_items(path, sig, flags, s, log_kill, userdata, "cgroup.threads"); ++ /* Opening pidfds for non thread group leaders only works from 6.9 onwards with PIDFD_THREAD. On ++ * older kernels or without PIDFD_THREAD pidfd_open() fails with EINVAL. 
Since we might read non ++ * thread group leader IDs from cgroup.threads, we set CGROUP_NO_PIDFD to avoid trying open pidfd's ++ * for them and instead use the regular pid. */ ++ r = cg_kill_items(path, sig, flags|CGROUP_NO_PIDFD, s, log_kill, userdata, "cgroup.threads"); + if (r < 0) + return r; + +diff --git a/src/basic/cgroup-util.h b/src/basic/cgroup-util.h +index 88c36a5b17..41de28fa47 100644 +--- a/src/basic/cgroup-util.h ++++ b/src/basic/cgroup-util.h +@@ -185,6 +185,7 @@ typedef enum CGroupFlags { + CGROUP_IGNORE_SELF = 1 << 1, + CGROUP_REMOVE = 1 << 2, + CGROUP_DONT_SKIP_UNMAPPED = 1 << 3, ++ CGROUP_NO_PIDFD = 1 << 4, + } CGroupFlags; + + int cg_enumerate_processes(const char *controller, const char *path, FILE **ret); +-- +2.33.0 + diff --git a/backport-cgroup-util-Ignore-kernel-threads-in-cg_kill_items.patch b/backport-cgroup-util-Ignore-kernel-threads-in-cg_kill_items.patch new file mode 100644 index 0000000..34f0b4a --- /dev/null +++ b/backport-cgroup-util-Ignore-kernel-threads-in-cg_kill_items.patch 
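Review bot: With CGROUP_NO_PIDFD the PidRef handed to the kill loop is a bare pid, so the signal goes to whatever holds that id at the time of the kill; the pidfd path was what protected cg_kill_items() against a pid being recycled between the read from cgroup.threads and the kill. That is an accepted trade-off on kernels without PIDFD_THREAD, but the flag's definition in cgroup-util.h gives no hint of it: `CGROUP_NO_PIDFD = 1 << 4, /* return plain pids: no pidfd, hence no protection against pid reuse */` would make the cost visible at every future call site. The same caveat applies to the cgroup-util.c hunks that consume the flag. cg_kill() starts and ends outside the hunk.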
@@ -0,0 +1,37 @@ +From c0834113766a190fd3a042790e824c85709fc7f1 Mon Sep 17 00:00:00 2001 +From: Daan De Meyer +Date: Tue, 30 Jul 2024 11:53:32 +0200 +Subject: [PATCH 0812/1160] cgroup-util: Ignore kernel threads in + cg_kill_items() + +Similar to the implementation of cgroup.kill in the kernel, let's +skip kernel threads in cg_kill_items() as trying to kill kernel +threads as an unprivileged process will fail with EPERM and doesn't +do anything when running privileged. + +(cherry picked from commit 0fbb569de1dcc06118dba006cf7a40caf6cd94d0) +(cherry picked from commit 3d90344e941f10b6fe7b1a315b79ca09c4451a86) +--- + src/basic/cgroup-util.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/src/basic/cgroup-util.c b/src/basic/cgroup-util.c +index 3b58db779e..a3648ee376 100644 +--- a/src/basic/cgroup-util.c ++++ b/src/basic/cgroup-util.c +@@ -348,6 +348,12 @@ static int cg_kill_items( + if (set_get(s, PID_TO_PTR(pidref.pid)) == PID_TO_PTR(pidref.pid)) + continue; + ++ /* Ignore kernel threads to mimick the behavior of cgroup.kill. */ ++ if (pidref_is_kernel_thread(&pidref) > 0) { ++ log_debug("Ignoring kernel thread with pid " PID_FMT " in cgroup '%s'", pidref.pid, path); ++ continue; ++ } ++ + if (log_kill) + ret_log_kill = log_kill(&pidref, sig, userdata); + +-- +2.33.0 + diff --git a/backport-cgroup-util-allow-cg_read_pid-to-skip-unmapped-zero-.patch b/backport-cgroup-util-allow-cg_read_pid-to-skip-unmapped-zero-.patch new file mode 100644 index 0000000..0062171 --- /dev/null +++ b/backport-cgroup-util-allow-cg_read_pid-to-skip-unmapped-zero-.patch 
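Review bot: The new comment misspells "mimic": `/* Ignore kernel threads to mimic the behavior of cgroup.kill. */`. Separately, `pidref_is_kernel_thread(&pidref) > 0` silently treats an error return as "not a kernel thread" and goes on to signal the pid; that is presumably intended, since the kill will then fail or the pid is already gone, but a few words in the same comment, e.g. "on error we fall through and attempt the kill", would make the choice explicit. cg_kill_items() starts and ends outside the hunk.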
@@ -0,0 +1,231 @@ +From 8e57759d6d80ef772d8e17a4559a6797e09af93a Mon Sep 17 00:00:00 2001 +From: Timo Rothenpieler +Date: Sun, 28 Apr 2024 16:27:06 +0200 +Subject: [PATCH 0613/1160] cgroup-util: allow cg_read_pid() to skip unmapped + (zero) pids + +(cherry picked from commit 41219b4e9a71e0936ce1543bf9a3e16321f8f45c) +--- + src/basic/cgroup-util.c | 45 +++++++++++++++++++++++---------------- + src/basic/cgroup-util.h | 17 ++++++++------- + src/cgtop/cgtop.c | 2 +- + src/core/cgroup.c | 6 ++++-- + src/core/dbus-unit.c | 2 +- + src/shared/cgroup-setup.c | 5 ++++- + src/shared/cgroup-show.c | 2 +- + 7 files changed, 47 insertions(+), 32 deletions(-) + +diff --git a/src/basic/cgroup-util.c b/src/basic/cgroup-util.c +index 18b16ecc0e..6900c9a1b6 100644 +--- a/src/basic/cgroup-util.c ++++ b/src/basic/cgroup-util.c +@@ -62,7 +62,7 @@ int cg_enumerate_processes(const char *controller, const char *path, FILE **ret) + return cg_enumerate_items(controller, path, ret, "cgroup.procs"); + } + +-int cg_read_pid(FILE *f, pid_t *ret) { ++int cg_read_pid(FILE *f, pid_t *ret, CGroupFlags flags) { + unsigned long ul; + + /* Note that the cgroup.procs might contain duplicates! See cgroups.txt for details. */ +@@ -70,27 +70,33 @@ int cg_read_pid(FILE *f, pid_t *ret) { + assert(f); + assert(ret); + +- errno = 0; +- if (fscanf(f, "%lu", &ul) != 1) { ++ for (;;) { ++ errno = 0; ++ if (fscanf(f, "%lu", &ul) != 1) { + +- if (feof(f)) { +- *ret = 0; +- return 0; ++ if (feof(f)) { ++ *ret = 0; ++ return 0; ++ } ++ ++ return errno_or_else(EIO); + } + +- return errno_or_else(EIO); +- } ++ if (ul > PID_T_MAX) ++ return -EIO; + +- if (ul <= 0) +- return -EIO; +- if (ul > PID_T_MAX) +- return -EIO; ++ /* In some circumstances (e.g. WSL), cgroups might contain unmappable PIDs from other ++ * contexts. These show up as zeros, and depending on the caller, can either be plain ++ * skipped over, or returned as-is. 
*/ ++ if (ul == 0 && !FLAGS_SET(flags, CGROUP_DONT_SKIP_UNMAPPED)) ++ continue; + +- *ret = (pid_t) ul; +- return 1; ++ *ret = (pid_t) ul; ++ return 1; ++ } + } + +-int cg_read_pidref(FILE *f, PidRef *ret) { ++int cg_read_pidref(FILE *f, PidRef *ret, CGroupFlags flags) { + int r; + + assert(f); +@@ -99,7 +105,7 @@ int cg_read_pidref(FILE *f, PidRef *ret) { + for (;;) { + pid_t pid; + +- r = cg_read_pid(f, &pid); ++ r = cg_read_pid(f, &pid, flags); + if (r < 0) + return r; + if (r == 0) { +@@ -107,6 +113,9 @@ int cg_read_pidref(FILE *f, PidRef *ret) { + return 0; + } + ++ if (pid == 0) ++ return -EREMOTE; ++ + r = pidref_set_pid(ret, pid); + if (r >= 0) + return 1; +@@ -322,7 +331,7 @@ static int cg_kill_items( + for (;;) { + _cleanup_(pidref_done) PidRef pidref = PIDREF_NULL; + +- r = cg_read_pidref(f, &pidref); ++ r = cg_read_pidref(f, &pidref, /* flags = */ 0); + if (r < 0) + return RET_GATHER(ret, r); + if (r == 0) +@@ -917,7 +926,7 @@ int cg_is_empty(const char *controller, const char *path) { + if (r < 0) + return r; + +- r = cg_read_pid(f, &pid); ++ r = cg_read_pid(f, &pid, CGROUP_DONT_SKIP_UNMAPPED); + if (r < 0) + return r; + +diff --git a/src/basic/cgroup-util.h b/src/basic/cgroup-util.h +index d06eb6daee..88c36a5b17 100644 +--- a/src/basic/cgroup-util.h ++++ b/src/basic/cgroup-util.h +@@ -180,20 +180,21 @@ typedef enum CGroupUnified { + * generate paths with multiple adjacent / removed. 
+ */ + ++typedef enum CGroupFlags { ++ CGROUP_SIGCONT = 1 << 0, ++ CGROUP_IGNORE_SELF = 1 << 1, ++ CGROUP_REMOVE = 1 << 2, ++ CGROUP_DONT_SKIP_UNMAPPED = 1 << 3, ++} CGroupFlags; ++ + int cg_enumerate_processes(const char *controller, const char *path, FILE **ret); +-int cg_read_pid(FILE *f, pid_t *ret); +-int cg_read_pidref(FILE *f, PidRef *ret); ++int cg_read_pid(FILE *f, pid_t *ret, CGroupFlags flags); ++int cg_read_pidref(FILE *f, PidRef *ret, CGroupFlags flags); + int cg_read_event(const char *controller, const char *path, const char *event, char **ret); + + int cg_enumerate_subgroups(const char *controller, const char *path, DIR **ret); + int cg_read_subgroup(DIR *d, char **ret); + +-typedef enum CGroupFlags { +- CGROUP_SIGCONT = 1 << 0, +- CGROUP_IGNORE_SELF = 1 << 1, +- CGROUP_REMOVE = 1 << 2, +-} CGroupFlags; +- + typedef int (*cg_kill_log_func_t)(const PidRef *pid, int sig, void *userdata); + + int cg_kill(const char *path, int sig, CGroupFlags flags, Set *s, cg_kill_log_func_t kill_log, void *userdata); +diff --git a/src/cgtop/cgtop.c b/src/cgtop/cgtop.c +index ca51455440..08eae5988b 100644 +--- a/src/cgtop/cgtop.c ++++ b/src/cgtop/cgtop.c +@@ -207,7 +207,7 @@ static int process( + return r; + + g->n_tasks = 0; +- while (cg_read_pid(f, &pid) > 0) { ++ while (cg_read_pid(f, &pid, CGROUP_DONT_SKIP_UNMAPPED) > 0) { + + if (arg_count == COUNT_USERSPACE_PROCESSES && pid_is_kernel_thread(pid) > 0) + continue; +diff --git a/src/core/cgroup.c b/src/core/cgroup.c +index 61ac4df1a6..03d6ec9c6f 100644 +--- a/src/core/cgroup.c ++++ b/src/core/cgroup.c +@@ -3181,7 +3181,9 @@ int unit_search_main_pid(Unit *u, PidRef *ret) { + for (;;) { + _cleanup_(pidref_done) PidRef npidref = PIDREF_NULL; + +- r = cg_read_pidref(f, &npidref); ++ /* cg_read_pidref() will return an error on unmapped PIDs. ++ * We can't reasonably deal with units that contain those. 
*/ ++ r = cg_read_pidref(f, &npidref, CGROUP_DONT_SKIP_UNMAPPED); + if (r < 0) + return r; + if (r == 0) +@@ -3223,7 +3225,7 @@ static int unit_watch_pids_in_path(Unit *u, const char *path) { + for (;;) { + _cleanup_(pidref_done) PidRef pid = PIDREF_NULL; + +- r = cg_read_pidref(f, &pid); ++ r = cg_read_pidref(f, &pid, /* flags = */ 0); + if (r == 0) + break; + if (r < 0) { +diff --git a/src/core/dbus-unit.c b/src/core/dbus-unit.c +index 7c8e462055..17a0c446d2 100644 +--- a/src/core/dbus-unit.c ++++ b/src/core/dbus-unit.c +@@ -1299,7 +1299,7 @@ static int append_cgroup(sd_bus_message *reply, const char *p, Set *pids) { + * threaded domain cgroup contains the PIDs of all processes in the subtree and is not + * readable in the subtree proper. */ + +- r = cg_read_pidref(f, &pidref); ++ r = cg_read_pidref(f, &pidref, /* flags = */ 0); + if (IN_SET(r, 0, -EOPNOTSUPP)) + break; + if (r < 0) +diff --git a/src/shared/cgroup-setup.c b/src/shared/cgroup-setup.c +index 934a16eaf3..1b8a86dc54 100644 +--- a/src/shared/cgroup-setup.c ++++ b/src/shared/cgroup-setup.c +@@ -597,7 +597,10 @@ int cg_migrate( + return ret; + } + +- while ((r = cg_read_pid(f, &pid)) > 0) { ++ while ((r = cg_read_pid(f, &pid, flags)) > 0) { ++ /* Throw an error if unmappable PIDs are in output, we can't migrate those. */ ++ if (pid == 0) ++ return -EREMOTE; + + /* This might do weird stuff if we aren't a + * single-threaded program. However, we +diff --git a/src/shared/cgroup-show.c b/src/shared/cgroup-show.c +index c2ee1c5aef..7bc15d92cc 100644 +--- a/src/shared/cgroup-show.c ++++ b/src/shared/cgroup-show.c +@@ -108,7 +108,7 @@ static int show_cgroup_one_by_path( + * From https://docs.kernel.org/admin-guide/cgroup-v2.html#threads, + * “cgroup.procs” in a threaded domain cgroup contains the PIDs of all processes in + * the subtree and is not readable in the subtree proper. 
*/
+- r = cg_read_pid(f, &pid);
++ r = cg_read_pid(f, &pid, /* flags = */ 0);
+ if (IN_SET(r, 0, -EOPNOTSUPP))
+ break;
+ if (r < 0)
+--
+2.33.0
+
diff --git a/backport-chase-Fix-shortcut.patch b/backport-chase-Fix-shortcut.patch
new file mode 100644
index 0000000..d4dcc79
--- /dev/null
+++ b/backport-chase-Fix-shortcut.patch
@@ -0,0 +1,29 @@
+From 4a22a9e11bbc6470c6109a7b1c0ae8c835f8b985 Mon Sep 17 00:00:00 2001
+From: Daan De Meyer
+Date: Fri, 4 Oct 2024 21:34:33 +0200
+Subject: [PATCH 0907/1160] chase: Fix shortcut
+
+We can't shortcut chaseat() if CHASE_PARENT is set.
+
+(cherry picked from commit 87333bd1dc69195b93e9aee9b91c06fb167b152e)
+(cherry picked from commit 83f7bced66041624a16a7b13a1405b9f9684c257)
+---
+ src/basic/chase.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/basic/chase.c b/src/basic/chase.c
+index d9966f4108..2fb5cbc254 100644
+--- a/src/basic/chase.c
++++ b/src/basic/chase.c
+@@ -192,7 +192,7 @@ int chaseat(int dir_fd, const char *path, ChaseFlags flags, char **ret_path, int
+
+ if (!(flags &
+ (CHASE_AT_RESOLVE_IN_ROOT|CHASE_NONEXISTENT|CHASE_NO_AUTOFS|CHASE_SAFE|CHASE_STEP|
+- CHASE_PROHIBIT_SYMLINKS|CHASE_MKDIR_0755)) &&
++ CHASE_PROHIBIT_SYMLINKS|CHASE_MKDIR_0755|CHASE_PARENT)) &&
+ !ret_path && ret_fd) {
+
+ /* Shortcut the ret_fd case if the caller isn't interested in the actual path and has no root
+--
+2.33.0
+
diff --git a/backport-chase-Tighten-.-and-.-check.patch b/backport-chase-Tighten-.-and-.-check.patch
new file mode 100644
index 0000000..ccaeeaf
--- /dev/null
+++ b/backport-chase-Tighten-.-and-.-check.patch
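Review bot: The comment added in cg_migrate(), `Throw an error if unmappable PIDs are in output, we can't migrate those`, only holds when the caller's `flags` contain CGROUP_DONT_SKIP_UNMAPPED; with any other flags the reworked cg_read_pid() now drops zero PIDs before the loop body sees them, so such processes are left behind in the source cgroup with no error and no log line. Either the comment should say that the check is reachable only under that flag, or the call should pass `flags|CGROUP_DONT_SKIP_UNMAPPED` so the -EREMOTE path is always taken (which default is intended is not visible here). The new enum member in cgroup-util.h carries no comment, unlike the behaviour it changes; suggest `CGROUP_DONT_SKIP_UNMAPPED = 1 << 3, /* Return unmapped (zero) PIDs instead of skipping them; cg_read_pidref() then fails with -EREMOTE */`. The same silent skipping now applies to every caller passing `/* flags = */ 0` to cg_read_pidref() in this hunk (cg_kill_items, unit_watch_pids_in_path, append_cgroup), which is presumably intended but worth a sentence in the commit message.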
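Review bot: The set of flags that disables the shortcut in chaseat() is a hand-maintained list, and this page shows two more copies of such a mask in chase_and_open() and chase_and_openat(), which is exactly how CHASE_PARENT came to be missing here. Collecting the slow-path flags in one shared macro referenced from all three sites would make the next flag a one-place change, and a short comment on the changed line saying why CHASE_PARENT is excluded (presumably because the shortcut opens the leaf rather than its parent; confirm against the shortcut body) would spare the next reader the archaeology. chaseat() starts and ends outside the hunk.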
@@ -0,0 +1,58 @@ +From 81f6faf2d48598840f3360567094760267c67527 Mon Sep 17 00:00:00 2001 +From: Daan De Meyer +Date: Thu, 6 Jun 2024 22:59:36 +0200 +Subject: [PATCH 0708/1160] chase: Tighten "." and "./" check + +Currently the check also succeeds if the input path starts with a dot, whereas +we only want it to succeed for "." and "./". Tighten the check and add a test. + +(cherry picked from commit 7efaab482af44e0ffcb5242d4f37cc316e705e2d) +--- + src/basic/chase.c | 6 +++--- + src/test/test-chase.c | 6 ++++++ + 2 files changed, 9 insertions(+), 3 deletions(-) + +diff --git a/src/basic/chase.c b/src/basic/chase.c +index 9f5477e4f3..d9966f4108 100644 +--- a/src/basic/chase.c ++++ b/src/basic/chase.c +@@ -641,8 +641,8 @@ int chase(const char *path, const char *root, ChaseFlags flags, char **ret_path, + * absolute, hence it is not necessary to prefix with the root. When "root" points to + * a non-root directory, the result path is always normalized and relative, hence + * we can simply call path_join() and not necessary to call path_simplify(). +- * Note that the result of chaseat() may start with "." (more specifically, it may be +- * "." or "./"), and we need to drop "." in that case. */ ++ * As a special case, chaseat() may return "." or "./", which are normalized too, ++ * but we need to drop "." before merging with root. 
*/ + + if (empty_or_root(root)) + assert(path_is_absolute(p)); +@@ -651,7 +651,7 @@ int chase(const char *path, const char *root, ChaseFlags flags, char **ret_path, + + assert(!path_is_absolute(p)); + +- q = path_join(root, p + (*p == '.')); ++ q = path_join(root, p + STR_IN_SET(p, ".", "./")); + if (!q) + return -ENOMEM; + +diff --git a/src/test/test-chase.c b/src/test/test-chase.c +index dbbc99bf81..59b51a3088 100644 +--- a/src/test/test-chase.c ++++ b/src/test/test-chase.c +@@ -236,6 +236,12 @@ TEST(chase) { + assert_se(streq(result, "/test-chase.fsldajfl")); + result = mfree(result); + ++ r = chase("/.path/with/dot", temp, CHASE_PREFIX_ROOT|CHASE_NONEXISTENT, &result, NULL); ++ assert_se(r == 0); ++ q = strjoina(temp, "/.path/with/dot"); ++ assert_se(streq(result, q)); ++ result = mfree(result); ++ + r = chase("/etc/machine-id/foo", NULL, 0, &result, NULL); + assert_se(IN_SET(r, -ENOTDIR, -ENOENT)); + result = mfree(result); +-- +2.33.0 + diff --git a/backport-chase-do-not-wrap-xopenat-with-RET_NERRNO.patch b/backport-chase-do-not-wrap-xopenat-with-RET_NERRNO.patch new file mode 100644 index 0000000..8f10469 --- /dev/null +++ b/backport-chase-do-not-wrap-xopenat-with-RET_NERRNO.patch 
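Review bot: `q = path_join(root, p + STR_IN_SET(p, ".", "./"));` relies on the macro evaluating to exactly 0 or 1 to skip the leading dot; that is correct but reads as pointer arithmetic on a boolean, so a one-line comment such as `/* chaseat() may return "." or "./"; skip the dot so path_join() does not yield "root/." */` on that line would save the next reader from re-deriving it. The new test pins the "/.path/with/dot" regression only; the "./" return case that the updated comment describes has no test here. chase() starts and ends outside the hunk.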
@@ -0,0 +1,49 @@ +From 2e7f1960b60191cc861094a2fd3e7e0a521ae4f3 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Thu, 15 Feb 2024 20:02:51 +0900 +Subject: [PATCH 0316/1160] chase: do not wrap xopenat() with RET_NERRNO() + +Follow-up for 47f0e1b5e04c27572b540ae4a86e522d268ffd3c. + +(cherry picked from commit bec13836235cf43f93dd13428c4425b0697edb3b) +--- + src/basic/chase.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +diff --git a/src/basic/chase.c b/src/basic/chase.c +index b0592c538d..26bc2d69a9 100644 +--- a/src/basic/chase.c ++++ b/src/basic/chase.c +@@ -760,10 +760,10 @@ int chase_and_open(const char *path, const char *root, ChaseFlags chase_flags, i + if (empty_or_root(root) && !ret_path && + (chase_flags & (CHASE_NO_AUTOFS|CHASE_SAFE|CHASE_PROHIBIT_SYMLINKS|CHASE_PARENT|CHASE_MKDIR_0755)) == 0) + /* Shortcut this call if none of the special features of this call are requested */ +- return RET_NERRNO(xopenat(AT_FDCWD, path, +- open_flags | (FLAGS_SET(chase_flags, CHASE_NOFOLLOW) ? O_NOFOLLOW : 0), +- /* xopen_flags = */ 0, +- mode)); ++ return xopenat(AT_FDCWD, path, ++ open_flags | (FLAGS_SET(chase_flags, CHASE_NOFOLLOW) ? O_NOFOLLOW : 0), ++ /* xopen_flags = */ 0, ++ mode); + + r = chase(path, root, CHASE_PARENT|chase_flags, &p, &path_fd); + if (r < 0) +@@ -964,10 +964,10 @@ int chase_and_openat(int dir_fd, const char *path, ChaseFlags chase_flags, int o + if (dir_fd == AT_FDCWD && !ret_path && + (chase_flags & (CHASE_NO_AUTOFS|CHASE_SAFE|CHASE_PROHIBIT_SYMLINKS|CHASE_PARENT|CHASE_MKDIR_0755)) == 0) + /* Shortcut this call if none of the special features of this call are requested */ +- return RET_NERRNO(xopenat(dir_fd, path, +- open_flags | (FLAGS_SET(chase_flags, CHASE_NOFOLLOW) ? O_NOFOLLOW : 0), +- /* xopen_flags = */ 0, +- mode)); ++ return xopenat(dir_fd, path, ++ open_flags | (FLAGS_SET(chase_flags, CHASE_NOFOLLOW) ? 
O_NOFOLLOW : 0), ++ /* xopen_flags = */ 0, ++ mode); + + r = chaseat(dir_fd, path, chase_flags|CHASE_PARENT, &p, &path_fd); + if (r < 0) +-- +2.33.0 + diff --git a/backport-chattr-util-fix-error-code.patch b/backport-chattr-util-fix-error-code.patch new file mode 100644 index 0000000..bfcc75e --- /dev/null +++ b/backport-chattr-util-fix-error-code.patch @@ -0,0 +1,28 @@ +From afac07771161ca0c4829c3273cc34a3ca2892ae7 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Thu, 15 Feb 2024 20:04:00 +0900 +Subject: [PATCH 0317/1160] chattr-util: fix error code + +Follow-up for cf91b9155c20a57bfc756b2b7e1a8f401f2bf16d. + +(cherry picked from commit 59a4e172498545e3daaebcd70eb18b9c1d82eb03) +--- + src/basic/chattr-util.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/basic/chattr-util.c b/src/basic/chattr-util.c +index c59fb8a84e..fe8b9abf91 100644 +--- a/src/basic/chattr-util.c ++++ b/src/basic/chattr-util.c +@@ -31,7 +31,7 @@ int chattr_full( + + fd = xopenat(dir_fd, path, O_RDONLY|O_CLOEXEC|O_NOCTTY|O_NOFOLLOW, /* xopen_flags = */ 0, /* mode = */ 0); + if (fd < 0) +- return -errno; ++ return fd; + + if (fstat(fd, &st) < 0) + return -errno; +-- +2.33.0 + diff --git a/backport-clean-ipc-pass-the-right-error-variable.patch b/backport-clean-ipc-pass-the-right-error-variable.patch new file mode 100644 index 0000000..673c09a --- /dev/null +++ b/backport-clean-ipc-pass-the-right-error-variable.patch 
@@ -0,0 +1,26 @@
+From 9333db0c4d4c96ac448b55d237b701865aee89f0 Mon Sep 17 00:00:00 2001
+From: David Tardon
+Date: Tue, 7 May 2024 13:56:26 +0200
+Subject: [PATCH 0606/1160] clean-ipc: pass the right error variable
+
+(cherry picked from commit cd35c15de3373fa4415ef013676cde13d9fe7d92)
+---
+ src/shared/clean-ipc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/shared/clean-ipc.c b/src/shared/clean-ipc.c
+index bbb343f3d3..1e90cc2a1c 100644
+--- a/src/shared/clean-ipc.c
++++ b/src/shared/clean-ipc.c
+@@ -58,7 +58,7 @@ static int clean_sysvipc_shm(uid_t delete_uid, gid_t delete_gid, bool rm) {
+
+ r = read_line(f, LONG_LINE_MAX, &line);
+ if (r < 0)
+- return log_warning_errno(errno, "Failed to read /proc/sysvipc/shm: %m");
++ return log_warning_errno(r, "Failed to read /proc/sysvipc/shm: %m");
+ if (r == 0)
+ break;
+
+--
+2.33.0
+
diff --git a/backport-confidential-virt-add-detection-for-s390x-target.patch b/backport-confidential-virt-add-detection-for-s390x-target.patch
new file mode 100644
index 0000000..47c044b
--- /dev/null
+++ b/backport-confidential-virt-add-detection-for-s390x-target.patch
@@ -0,0 +1,92 @@ +From c9a3269181a75aa16b398c2936dda6532aef5e9e Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= +Date: Fri, 2 Aug 2024 11:03:10 +0100 +Subject: [PATCH 0832/1160] confidential-virt: add detection for s390x target +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The s390x platform provides confidential VMs using the "Secure Execution" +technology, which is also referred to as "Protected Virtualization" or +just "prot virt" in Linux / QEMU. + +This can be detected through a simple sysfs attribute. + +Signed-off-by: Daniel P. Berrangé +(cherry picked from commit 6c35e0a51cc6a852ce239ea46cd75c133212a68e) +(cherry picked from commit 7a6d4cdc483c3cff03342d8c69b10c6792192171) +--- + src/basic/confidential-virt.c | 30 +++++++++++++++++++++++++----- + src/basic/confidential-virt.h | 1 + + 2 files changed, 26 insertions(+), 5 deletions(-) + +diff --git a/src/basic/confidential-virt.c b/src/basic/confidential-virt.c +index 0e05ecffbf..c246636c7c 100644 +--- a/src/basic/confidential-virt.c ++++ b/src/basic/confidential-virt.c +@@ -11,6 +11,7 @@ + #include "confidential-virt-fundamental.h" + #include "confidential-virt.h" + #include "fd-util.h" ++#include "fileio.h" + #include "missing_threads.h" + #include "string-table.h" + #include "utf8.h" +@@ -209,6 +210,24 @@ static ConfidentialVirtualization detect_confidential_virtualization_impl(void) + + return CONFIDENTIAL_VIRTUALIZATION_NONE; + } ++#elif defined(__s390x__) ++static ConfidentialVirtualization detect_confidential_virtualization_impl(void) { ++ _cleanup_free_ char *s = NULL; ++ size_t readsize; ++ int r; ++ ++ r = read_full_virtual_file("/sys/firmware/uv/prot_virt_guest", &s, &readsize); ++ if (r < 0) { ++ log_debug_errno(r, "Unable to read /sys/firmware/uv/prot_virt_guest: %m"); ++ return CONFIDENTIAL_VIRTUALIZATION_NONE; ++ } ++ ++ if (readsize >= 1 && s[0] == '1') ++ return CONFIDENTIAL_VIRTUALIZATION_PROTVIRT; ++ ++ return 
CONFIDENTIAL_VIRTUALIZATION_NONE; ++} ++ + #else /* ! x86_64 */ + static ConfidentialVirtualization detect_confidential_virtualization_impl(void) { + log_debug("No confidential virtualization detection on this architecture"); +@@ -226,11 +245,12 @@ ConfidentialVirtualization detect_confidential_virtualization(void) { + } + + static const char *const confidential_virtualization_table[_CONFIDENTIAL_VIRTUALIZATION_MAX] = { +- [CONFIDENTIAL_VIRTUALIZATION_NONE] = "none", +- [CONFIDENTIAL_VIRTUALIZATION_SEV] = "sev", +- [CONFIDENTIAL_VIRTUALIZATION_SEV_ES] = "sev-es", +- [CONFIDENTIAL_VIRTUALIZATION_SEV_SNP] = "sev-snp", +- [CONFIDENTIAL_VIRTUALIZATION_TDX] = "tdx", ++ [CONFIDENTIAL_VIRTUALIZATION_NONE] = "none", ++ [CONFIDENTIAL_VIRTUALIZATION_SEV] = "sev", ++ [CONFIDENTIAL_VIRTUALIZATION_SEV_ES] = "sev-es", ++ [CONFIDENTIAL_VIRTUALIZATION_SEV_SNP] = "sev-snp", ++ [CONFIDENTIAL_VIRTUALIZATION_TDX] = "tdx", ++ [CONFIDENTIAL_VIRTUALIZATION_PROTVIRT] = "protvirt", + }; + + DEFINE_STRING_TABLE_LOOKUP(confidential_virtualization, ConfidentialVirtualization); +diff --git a/src/basic/confidential-virt.h b/src/basic/confidential-virt.h +index c02f3b2321..f92e3e883d 100644 +--- a/src/basic/confidential-virt.h ++++ b/src/basic/confidential-virt.h +@@ -13,6 +13,7 @@ typedef enum ConfidentialVirtualization { + CONFIDENTIAL_VIRTUALIZATION_SEV_ES, + CONFIDENTIAL_VIRTUALIZATION_SEV_SNP, + CONFIDENTIAL_VIRTUALIZATION_TDX, ++ CONFIDENTIAL_VIRTUALIZATION_PROTVIRT, + + _CONFIDENTIAL_VIRTUALIZATION_MAX, + _CONFIDENTIAL_VIRTUALIZATION_INVALID = -EINVAL, +-- +2.33.0 + diff --git a/backport-confidential-virt-split-caching-of-CVM-detection-int.patch b/backport-confidential-virt-split-caching-of-CVM-detection-int.patch new file mode 100644 index 0000000..9ecdd19 --- /dev/null +++ b/backport-confidential-virt-split-caching-of-CVM-detection-int.patch 
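Review bot: The fallback branch is still labelled `#else /* ! x86_64 */`, but after this change it is also the non-s390x fallback; `#else /* ! x86_64 && ! s390x */` matches the new structure. The s390x check `readsize >= 1 && s[0] == '1'` accepts any content starting with '1' (e.g. "10"), which is presumably fine for a kernel-provided sysfs boolean but would be tighter as an exact comparison of the stripped value if a string helper already in scope allows it. The new enum member has no comment naming the platform it represents; `CONFIDENTIAL_VIRTUALIZATION_PROTVIRT, /* s390x Secure Execution ("Protected Virtualization") */` would do, taken from the commit message.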
@@ -0,0 +1,78 @@ +From 4804c2b1b0d130a12a6b657db85a1ddf5381ec9e Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= +Date: Fri, 2 Aug 2024 16:26:00 +0100 +Subject: [PATCH 0831/1160] confidential-virt: split caching of CVM detection + into separate method +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +We have different impls of detect_confidential_virtualization per +architecture. The detection is cached in the x86_64 impl, and as we +add support for more targets, we want to use caching for all. It thus +makes sense to split caching out into an architecture independent +method. + +Signed-off-by: Daniel P. Berrangé +(cherry picked from commit 1c4bd7adcc281af2a2dd40867f64f2ac54a43c7a) +(cherry picked from commit a1359ac94068580b4a12b2714a590a8ac1d30cae) +--- + src/basic/confidential-virt.c | 25 ++++++++++++++----------- + 1 file changed, 14 insertions(+), 11 deletions(-) + +diff --git a/src/basic/confidential-virt.c b/src/basic/confidential-virt.c +index 8a88a3eb83..0e05ecffbf 100644 +--- a/src/basic/confidential-virt.c ++++ b/src/basic/confidential-virt.c +@@ -194,34 +194,37 @@ static bool detect_hypervisor(void) { + return is_hv; + } + +-ConfidentialVirtualization detect_confidential_virtualization(void) { +- static thread_local ConfidentialVirtualization cached_found = _CONFIDENTIAL_VIRTUALIZATION_INVALID; ++static ConfidentialVirtualization detect_confidential_virtualization_impl(void) { + char sig[13] = {}; +- ConfidentialVirtualization cv = CONFIDENTIAL_VIRTUALIZATION_NONE; +- +- if (cached_found >= 0) +- return cached_found; + + /* Skip everything on bare metal */ + if (detect_hypervisor()) { + cpuid_leaf(0, sig, true); + + if (memcmp(sig, CPUID_SIG_AMD, sizeof(sig)) == 0) +- cv = detect_sev(); ++ return detect_sev(); + else if (memcmp(sig, CPUID_SIG_INTEL, sizeof(sig)) == 0) +- cv = detect_tdx(); ++ return detect_tdx(); + } + +- cached_found = cv; +- return cv; ++ return 
CONFIDENTIAL_VIRTUALIZATION_NONE; + } + #else /* ! x86_64 */ +-ConfidentialVirtualization detect_confidential_virtualization(void) { ++static ConfidentialVirtualization detect_confidential_virtualization_impl(void) { + log_debug("No confidential virtualization detection on this architecture"); + return CONFIDENTIAL_VIRTUALIZATION_NONE; + } + #endif /* ! x86_64 */ + ++ConfidentialVirtualization detect_confidential_virtualization(void) { ++ static thread_local ConfidentialVirtualization cached_found = _CONFIDENTIAL_VIRTUALIZATION_INVALID; ++ ++ if (cached_found == _CONFIDENTIAL_VIRTUALIZATION_INVALID) ++ cached_found = detect_confidential_virtualization_impl(); ++ ++ return cached_found; ++} ++ + static const char *const confidential_virtualization_table[_CONFIDENTIAL_VIRTUALIZATION_MAX] = { + [CONFIDENTIAL_VIRTUALIZATION_NONE] = "none", + [CONFIDENTIAL_VIRTUALIZATION_SEV] = "sev", +-- +2.33.0 + diff --git a/backport-copy-Invoke-hardlink-context-cleanup-before-restorin.patch b/backport-copy-Invoke-hardlink-context-cleanup-before-restorin.patch new file mode 100644 index 0000000..c183111 --- /dev/null +++ b/backport-copy-Invoke-hardlink-context-cleanup-before-restorin.patch 
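Review bot: detect_confidential_virtualization() now caches the result per thread and never re-runs detection, but nothing at the definition says so; a header comment such as `/* Computed once per thread and cached for the thread's lifetime */` would document the contract every caller now inherits. The sentinel test also changed from `cached_found >= 0` to `== _CONFIDENTIAL_VIRTUALIZATION_INVALID`; that is equivalent as long as every `_impl()` only returns enum members, which the visible ones do, but a negative error return from a future impl would now be cached rather than retried.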
@@ -0,0 +1,44 @@
+From 0ef879114ac9cfe4cb0ce51893cb3a2487b55bac Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Andreas=20St=C3=BChrk?=
+Date: Wed, 26 Feb 2025 00:05:41 +0100
+Subject: [PATCH 1136/1160] copy: Invoke hardlink context cleanup before
+ restoring timestamps
+
+When hardlink recreation is requested, it creates temporary files that
+will be deleted once the context is destroyed. The deletion
+(potentially) updates the directory's timestamps, so it's crucial that
+the deletion happens before the directory timestamps are restored when
+`COPY_RESTORE_DIRECTORY_TIMESTAMPS` is requested.
+
+(cherry picked from commit b66291444b8d4022ce68121af8e6f99d29ebefd0)
+(cherry picked from commit 9e2ba7eb050fcfd9c13f5212c7df9c82cd44cef5)
+(cherry picked from commit 9ade6934cb18afa2cb38ad49c31b34e0467b30d5)
+---
+ src/shared/copy.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/src/shared/copy.c b/src/shared/copy.c
+index 823992ca85..65293613ed 100644
+--- a/src/shared/copy.c
++++ b/src/shared/copy.c
+@@ -1126,11 +1126,16 @@ finish:
+ if (fchmod(fdt, st->st_mode & 07777) < 0)
+ r = -errno;
+
++ /* Run hardlink context cleanup now because it potentially changes timestamps */
++ hardlink_context_destroy(&our_hardlink_context);
+ (void) copy_xattr(dirfd(d), NULL, fdt, NULL, copy_flags);
+ (void) futimens(fdt, (struct timespec[]) { st->st_atim, st->st_mtim });
+- } else if (FLAGS_SET(copy_flags, COPY_RESTORE_DIRECTORY_TIMESTAMPS))
++ } else if (FLAGS_SET(copy_flags, COPY_RESTORE_DIRECTORY_TIMESTAMPS)) {
++ /* Run hardlink context cleanup now because it potentially changes timestamps */
++ hardlink_context_destroy(&our_hardlink_context);
+ /* If the directory already exists, make sure the timestamps stay the same as before. */
+ (void) futimens(fdt, (struct timespec[]) { dt_st.st_atim, dt_st.st_mtim });
++ }
+
+ if (copy_flags & COPY_FSYNC_FULL) {
+ if (fsync(fdt) < 0)
+--
+2.33.0
+
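Review bot: `hardlink_context_destroy(&our_hardlink_context)` is now duplicated, comment included, in two sibling branches, and whichever path takes neither branch still destroys the context later, after this point. If the destroy helper tolerates a second call (not visible here, but the later cleanup implies it is called again regardless), hoisting one call above the `if`/`else if` chain with a single comment, `/* Destroy the hardlink context before restoring timestamps: deleting its temporary files touches the directory mtime */`, removes the duplication and guarantees the ordering on every branch. The enclosing function starts and ends outside the hunk (the `finish:` label is mid-function).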
diff --git a/backport-copy-do-not-ignore-chattr_flags-and-friends-passed-t.patch b/backport-copy-do-not-ignore-chattr_flags-and-friends-passed-t.patch
new file mode 100644
index 0000000..1a8d1c4
--- /dev/null
+++ b/backport-copy-do-not-ignore-chattr_flags-and-friends-passed-t.patch
@@ -0,0 +1,29 @@
+From b5c8d1b73d6150fa7969866b9dc820705efcffe2 Mon Sep 17 00:00:00 2001
+From: Yu Watanabe
+Date: Thu, 8 Feb 2024 15:59:48 +0900
+Subject: [PATCH 0243/1160] copy: do not ignore chattr_flags and friends passed
+ to copy_file_atomic_full()
+
+Fixes a bug introduced by 427d9c34e61a8f5bfe369f1d5a0426143fe5741e.
+
+(cherry picked from commit 738ad08b0db11d7e66c14ff4b9852cf16abf3aa9)
+---
+ src/shared/copy.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/shared/copy.h b/src/shared/copy.h
+index 4e4eb74986..d842edd2c8 100644
+--- a/src/shared/copy.h
++++ b/src/shared/copy.h
+@@ -70,7 +70,7 @@ static inline int copy_file_atomic_at(int dir_fdf, const char *from, int dir_fdt
+ return copy_file_atomic_at_full(dir_fdf, from, dir_fdt, to, mode, 0, 0, copy_flags, NULL, NULL);
+ }
+ static inline int copy_file_atomic_full(const char *from, const char *to, mode_t mode, unsigned chattr_flags, unsigned chattr_mask, CopyFlags copy_flags, copy_progress_bytes_t progress, void *userdata) {
+- return copy_file_atomic_at_full(AT_FDCWD, from, AT_FDCWD, to, mode, 0, 0, copy_flags, NULL, NULL);
++ return copy_file_atomic_at_full(AT_FDCWD, from, AT_FDCWD, to, mode, chattr_flags, chattr_mask, copy_flags, progress, userdata);
+ }
+ static inline int copy_file_atomic(const char *from, const char *to, mode_t mode, CopyFlags copy_flags) {
+ return copy_file_atomic_full(from, to, mode, 0, 0, copy_flags, NULL, NULL);
+--
+2.33.0
+
diff --git a/backport-copy-ignore-EOPNOTSUPP-from-copy_file_range.patch b/backport-copy-ignore-EOPNOTSUPP-from-copy_file_range.patch
new file mode 100644
index 0000000..1e0de62
--- /dev/null
+++ b/backport-copy-ignore-EOPNOTSUPP-from-copy_file_range.patch
@@ -0,0 +1,31 @@
+From fa31a681c6fb396b5c6b6911b231959c834979f5 Mon Sep 17 00:00:00 2001
+From: Nick Rosbrook
+Date: Thu, 18 Apr 2024 12:01:42 -0400
+Subject: [PATCH 0505/1160] copy: ignore -EOPNOTSUPP from copy_file_range()
+
+According to copy_file_range (2), errno will be set to EOPNOTSUPP when
+the file system does not support copy_file_range(). Since there is
+already fallback logic in place here for other kinds of errors, add
+-EOPNOTSUPP to the list of ignored errors.
+
+(cherry picked from commit c0bc1e897178da521e74acb270843805f5906adf)
+---
+ src/shared/copy.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/shared/copy.c b/src/shared/copy.c
+index c0e30cdc27..bc8643efc2 100644
+--- a/src/shared/copy.c
++++ b/src/shared/copy.c
+@@ -316,7 +316,7 @@ int copy_bytes_full(
+ if (try_cfr) {
+ n = try_copy_file_range(fdf, NULL, fdt, NULL, m, 0u);
+ if (n < 0) {
+- if (!IN_SET(n, -EINVAL, -ENOSYS, -EXDEV, -EBADF))
++ if (!IN_SET(n, -EINVAL, -ENOSYS, -EXDEV, -EBADF, -EOPNOTSUPP))
+ return n;
+
+ try_cfr = false;
+--
+2.33.0
+
diff --git a/backport-copy-introduce-COPY_VERIFY_LINKED-flag.patch b/backport-copy-introduce-COPY_VERIFY_LINKED-flag.patch
new file mode 100644
index 0000000..15ba96e
--- /dev/null
+++ b/backport-copy-introduce-COPY_VERIFY_LINKED-flag.patch
@@ -0,0 +1,161 @@ +From 47c90f516f58b0d4ab2ff3c676e49111e064a149 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Thu, 15 Feb 2024 19:37:43 +0900 +Subject: [PATCH 0557/1160] copy: introduce COPY_VERIFY_LINKED flag + +If the flag is set, then copy_file() and friends check if the source +file still exists when the copy operation finished. + +(cherry picked from commit 72ef2a617f43e156dbe15e9fa28b84224c2969ad) +--- + src/shared/copy.c | 46 ++++++++++++++++++++++++++++++++++++++++++-- + src/shared/copy.h | 1 + + src/test/test-copy.c | 22 +++++++++++++++++++++ + 3 files changed, 67 insertions(+), 2 deletions(-) + +diff --git a/src/shared/copy.c b/src/shared/copy.c +index 5c104a119d..2b87cbacd7 100644 +--- a/src/shared/copy.c ++++ b/src/shared/copy.c +@@ -208,6 +208,7 @@ int copy_bytes_full( + r = reflink_range(fdf, foffset, fdt, toffset, max_bytes == UINT64_MAX ? 0 : max_bytes); /* partial reflink */ + if (r >= 0) { + off_t t; ++ int ret; + + /* This worked, yay! Now — to be fully correct — let's adjust the file pointers */ + if (max_bytes == UINT64_MAX) { +@@ -226,7 +227,14 @@ int copy_bytes_full( + if (t < 0) + return -errno; + +- return 0; /* we copied the whole thing, hence hit EOF, return 0 */ ++ if (FLAGS_SET(copy_flags, COPY_VERIFY_LINKED)) { ++ r = fd_verify_linked(fdf); ++ if (r < 0) ++ return r; ++ } ++ ++ /* We copied the whole thing, hence hit EOF, return 0. */ ++ ret = 0; + } else { + t = lseek(fdf, foffset + max_bytes, SEEK_SET); + if (t < 0) +@@ -236,8 +244,18 @@ int copy_bytes_full( + if (t < 0) + return -errno; + +- return 1; /* we copied only some number of bytes, which worked, but this means we didn't hit EOF, return 1 */ ++ /* We copied only some number of bytes, which worked, but ++ * this means we didn't hit EOF, return 1. 
*/ ++ ret = 1; ++ } ++ ++ if (FLAGS_SET(copy_flags, COPY_VERIFY_LINKED)) { ++ r = fd_verify_linked(fdf); ++ if (r < 0) ++ return r; + } ++ ++ return ret; + } + } + } +@@ -483,6 +501,12 @@ int copy_bytes_full( + copied_something = true; + } + ++ if (FLAGS_SET(copy_flags, COPY_VERIFY_LINKED)) { ++ r = fd_verify_linked(fdf); ++ if (r < 0) ++ return r; ++ } ++ + if (copy_flags & COPY_TRUNCATE) { + off_t off = lseek(fdt, 0, SEEK_CUR); + if (off < 0) +@@ -798,6 +822,12 @@ static int fd_copy_regular( + (void) futimens(fdt, (struct timespec[]) { st->st_atim, st->st_mtim }); + (void) copy_xattr(fdf, NULL, fdt, NULL, copy_flags); + ++ if (FLAGS_SET(copy_flags, COPY_VERIFY_LINKED)) { ++ r = fd_verify_linked(fdf); ++ if (r < 0) ++ return r; ++ } ++ + if (copy_flags & COPY_FSYNC) { + if (fsync(fdt) < 0) { + r = -errno; +@@ -1333,6 +1363,12 @@ int copy_file_fd_at_full( + (void) copy_xattr(fdf, NULL, fdt, NULL, copy_flags); + } + ++ if (FLAGS_SET(copy_flags, COPY_VERIFY_LINKED)) { ++ r = fd_verify_linked(fdf); ++ if (r < 0) ++ return r; ++ } ++ + if (copy_flags & COPY_FSYNC_FULL) { + r = fsync_full(fdt); + if (r < 0) +@@ -1403,6 +1439,12 @@ int copy_file_at_full( + (void) copy_times(fdf, fdt, copy_flags); + (void) copy_xattr(fdf, NULL, fdt, NULL, copy_flags); + ++ if (FLAGS_SET(copy_flags, COPY_VERIFY_LINKED)) { ++ r = fd_verify_linked(fdf); ++ if (r < 0) ++ goto fail; ++ } ++ + if (chattr_mask != 0) + (void) chattr_fd(fdt, chattr_flags, chattr_mask & ~CHATTR_EARLY_FL, NULL); + +diff --git a/src/shared/copy.h b/src/shared/copy.h +index d842edd2c8..b8fb28a09e 100644 +--- a/src/shared/copy.h ++++ b/src/shared/copy.h +@@ -30,6 +30,7 @@ typedef enum CopyFlags { + COPY_GRACEFUL_WARN = 1 << 15, /* Skip copying file types that aren't supported by the target filesystem */ + COPY_TRUNCATE = 1 << 16, /* Truncate to current file offset after copying */ + COPY_LOCK_BSD = 1 << 17, /* Return a BSD exclusively locked file descriptor referring to the copied image/directory. 
*/ ++ COPY_VERIFY_LINKED = 1 << 18, /* Check the source file is still linked after copying. */ + } CopyFlags; + + typedef enum DenyType { +diff --git a/src/test/test-copy.c b/src/test/test-copy.c +index 61bfbc0c42..9674e781cd 100644 +--- a/src/test/test-copy.c ++++ b/src/test/test-copy.c +@@ -529,4 +529,26 @@ TEST(copy_lock) { + fd = safe_close(fd); + } + ++TEST(copy_verify_linked) { ++ _cleanup_(rm_rf_physical_and_freep) char *t = NULL; ++ _cleanup_close_ int tfd = -EBADF, fd_1 = -EBADF, fd_2 = -EBADF; ++ ++ tfd = mkdtemp_open(NULL, O_PATH, &t); ++ assert_se(tfd >= 0); ++ ++ assert_se(write_string_file_at(tfd, "hoge", "bar bar", WRITE_STRING_FILE_CREATE) >= 0); ++ ++ fd_1 = openat(tfd, "hoge", O_CLOEXEC | O_NOCTTY | O_RDONLY); ++ assert_se(fd_1 >= 0); ++ fd_2 = openat(tfd, "hoge", O_CLOEXEC | O_NOCTTY | O_RDONLY); ++ assert_se(fd_2 >= 0); ++ assert_se(unlinkat(tfd, "hoge", 0) >= 0); ++ ++ assert_se(copy_file_at(fd_1, NULL, tfd, "to_1", 0, 0644, 0) >= 0); ++ assert_se(read_file_at_and_streq(tfd, "to_1", "bar bar\n")); ++ ++ assert_se(copy_file_at(fd_2, NULL, tfd, "to_2", O_EXCL, 0644, COPY_VERIFY_LINKED) == -EIDRM); ++ assert_se(faccessat(tfd, "to_2", F_OK, AT_SYMLINK_NOFOLLOW) < 0 && errno == ENOENT); ++} ++ + DEFINE_TEST_MAIN(LOG_DEBUG); +-- +2.33.0 + diff --git a/backport-copy-use-xopenat-to-make-from-argument-optional.patch b/backport-copy-use-xopenat-to-make-from-argument-optional.patch new file mode 100644 index 0000000..ad79630 --- /dev/null +++ b/backport-copy-use-xopenat-to-make-from-argument-optional.patch 
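Review bot: In the reflink branch of copy_bytes_full() the full-copy path (`max_bytes == UINT64_MAX`) now calls `fd_verify_linked(fdf)` twice: once inside that branch just before `ret = 0;`, and again in the shared check after the if/else that both branches reach. The inner call is redundant and can be dropped in favour of the shared one. The flag's header comment could also state how a failure surfaces, which the new test pins: `COPY_VERIFY_LINKED = 1 << 18, /* Check the source file is still linked after copying; fails with -EIDRM otherwise. */`. copy_bytes_full() and the other touched functions start and end outside their hunks, so whether `return r` in copy_file_fd_at_full() leaves a partially written target behind (copy_file_at_full() uses `goto fail` instead) cannot be judged from here and deserves a look.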
@@ -0,0 +1,197 @@ +From 455b4eca2f9cb3aaba3bb2f990ddf452d5fc7c7c Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Thu, 15 Feb 2024 07:06:21 +0900 +Subject: [PATCH 0553/1160] copy: use xopenat() to make 'from' argument + optional + +(cherry picked from commit d1553bfd20b8865178c7f79d60e0491fe58e3209) +--- + src/shared/copy.c | 53 +++++++++++++++++++++++------------------------ + 1 file changed, 26 insertions(+), 27 deletions(-) + +diff --git a/src/shared/copy.c b/src/shared/copy.c +index 157373148e..5c104a119d 100644 +--- a/src/shared/copy.c ++++ b/src/shared/copy.c +@@ -508,7 +508,6 @@ static int fd_copy_symlink( + _cleanup_free_ char *target = NULL; + int r; + +- assert(from); + assert(st); + assert(to); + +@@ -526,7 +525,10 @@ static int fd_copy_symlink( + mac_selinux_create_file_clear(); + if (r < 0) { + if (FLAGS_SET(copy_flags, COPY_GRACEFUL_WARN) && (ERRNO_IS_PRIVILEGE(r) || ERRNO_IS_NOT_SUPPORTED(r))) { +- log_notice_errno(r, "Failed to copy symlink '%s', ignoring: %m", from); ++ log_notice_errno(r, "Failed to copy symlink%s%s%s, ignoring: %m", ++ isempty(from) ? "" : " '", ++ strempty(from), ++ isempty(from) ? "" : "'"); + return 0; + } + +@@ -757,7 +759,6 @@ static int fd_copy_regular( + _cleanup_close_ int fdf = -EBADF, fdt = -EBADF; + int r, q; + +- assert(from); + assert(st); + assert(to); + +@@ -767,9 +768,9 @@ static int fd_copy_regular( + if (r > 0) /* worked! 
*/ + return 0; + +- fdf = openat(df, from, O_RDONLY|O_CLOEXEC|O_NOCTTY|O_NOFOLLOW); ++ fdf = xopenat(df, from, O_RDONLY|O_CLOEXEC|O_NOCTTY|O_NOFOLLOW); + if (fdf < 0) +- return -errno; ++ return fdf; + + if (copy_flags & COPY_MAC_CREATE) { + r = mac_selinux_create_file_prepare_at(dt, to, S_IFREG); +@@ -830,7 +831,6 @@ static int fd_copy_fifo( + HardlinkContext *hardlink_context) { + int r; + +- assert(from); + assert(st); + assert(to); + +@@ -849,7 +849,10 @@ static int fd_copy_fifo( + if (copy_flags & COPY_MAC_CREATE) + mac_selinux_create_file_clear(); + if (FLAGS_SET(copy_flags, COPY_GRACEFUL_WARN) && (ERRNO_IS_NEG_PRIVILEGE(r) || ERRNO_IS_NEG_NOT_SUPPORTED(r))) { +- log_notice_errno(r, "Failed to copy fifo '%s', ignoring: %m", from); ++ log_notice_errno(r, "Failed to copy fifo%s%s%s, ignoring: %m", ++ isempty(from) ? "" : " '", ++ strempty(from), ++ isempty(from) ? "" : "'"); + return 0; + } else if (r < 0) + return r; +@@ -881,7 +884,6 @@ static int fd_copy_node( + HardlinkContext *hardlink_context) { + int r; + +- assert(from); + assert(st); + assert(to); + +@@ -900,7 +902,10 @@ static int fd_copy_node( + if (copy_flags & COPY_MAC_CREATE) + mac_selinux_create_file_clear(); + if (FLAGS_SET(copy_flags, COPY_GRACEFUL_WARN) && (ERRNO_IS_NEG_PRIVILEGE(r) || ERRNO_IS_NEG_NOT_SUPPORTED(r))) { +- log_notice_errno(r, "Failed to copy node '%s', ignoring: %m", from); ++ log_notice_errno(r, "Failed to copy node%s%s%s, ignoring: %m", ++ isempty(from) ? "" : " '", ++ strempty(from), ++ isempty(from) ? 
"" : "'"); + return 0; + } else if (r < 0) + return r; +@@ -955,12 +960,9 @@ static int fd_copy_directory( + if (depth_left == 0) + return -ENAMETOOLONG; + +- if (from) +- fdf = openat(df, from, O_RDONLY|O_DIRECTORY|O_CLOEXEC|O_NOCTTY|O_NOFOLLOW); +- else +- fdf = fcntl(df, F_DUPFD_CLOEXEC, 3); ++ fdf = xopenat(df, from, O_RDONLY|O_DIRECTORY|O_CLOEXEC|O_NOCTTY|O_NOFOLLOW); + if (fdf < 0) +- return -errno; ++ return fdf; + + if (!hardlink_context) { + /* If recreating hardlinks is requested let's set up a context for that now. */ +@@ -996,7 +998,7 @@ static int fd_copy_directory( + r = 0; + + if (PTR_TO_INT(hashmap_get(denylist, st)) == DENY_CONTENTS) { +- log_debug("%s is in the denylist, not recursing", from); ++ log_debug("%s is in the denylist, not recursing", from ?: "file to copy"); + goto finish; + } + +@@ -1030,7 +1032,8 @@ static int fd_copy_directory( + } + + if (PTR_TO_INT(hashmap_get(denylist, &buf)) == DENY_INODE) { +- log_debug("%s/%s is in the denylist, ignoring", from, de->d_name); ++ log_debug("%s%s%s is in the denylist, ignoring", ++ strempty(from), isempty(from) ? "" : "/", de->d_name); + continue; + } + +@@ -1163,10 +1166,10 @@ static int fd_copy_tree_generic( + + DenyType t = PTR_TO_INT(hashmap_get(denylist, st)); + if (t == DENY_INODE) { +- log_debug("%s is in the denylist, ignoring", from); ++ log_debug("%s is in the denylist, ignoring", from ?: "file to copy"); + return 0; + } else if (t == DENY_CONTENTS) +- log_debug("%s is configured to have its contents excluded, but is not a directory", from); ++ log_debug("%s is configured to have its contents excluded, but is not a directory", from ?: "file to copy"); + + r = fd_copy_leaf(df, from, st, dt, to, override_uid, override_gid, copy_flags, hardlink_context, display_path, progress_bytes, userdata); + /* We just tried to copy a leaf node of the tree. If it failed because the node already exists *and* the COPY_REPLACE flag has been provided, we should unlink the node and re-copy. 
*/ +@@ -1198,11 +1201,10 @@ int copy_tree_at_full( + struct stat st; + int r; + +- assert(from); + assert(to); + assert(!FLAGS_SET(copy_flags, COPY_LOCK_BSD)); + +- if (fstatat(fdf, from, &st, AT_SYMLINK_NOFOLLOW) < 0) ++ if (fstatat(fdf, strempty(from), &st, AT_SYMLINK_NOFOLLOW | (isempty(from) ? AT_EMPTY_PATH : 0)) < 0) + return -errno; + + r = fd_copy_tree_generic(fdf, from, &st, fdt, to, st.st_dev, COPY_DEPTH_MAX, override_uid, +@@ -1305,13 +1307,12 @@ int copy_file_fd_at_full( + int r; + + assert(dir_fdf >= 0 || dir_fdf == AT_FDCWD); +- assert(from); + assert(fdt >= 0); + assert(!FLAGS_SET(copy_flags, COPY_LOCK_BSD)); + +- fdf = openat(dir_fdf, from, O_RDONLY|O_CLOEXEC|O_NOCTTY); ++ fdf = xopenat(dir_fdf, from, O_RDONLY|O_CLOEXEC|O_NOCTTY); + if (fdf < 0) +- return -errno; ++ return fdf; + + r = fd_verify_regular(fdf); + if (r < 0) +@@ -1363,12 +1364,11 @@ int copy_file_at_full( + + assert(dir_fdf >= 0 || dir_fdf == AT_FDCWD); + assert(dir_fdt >= 0 || dir_fdt == AT_FDCWD); +- assert(from); + assert(to); + +- fdf = openat(dir_fdf, from, O_RDONLY|O_CLOEXEC|O_NOCTTY); ++ fdf = xopenat(dir_fdf, from, O_RDONLY|O_CLOEXEC|O_NOCTTY); + if (fdf < 0) +- return -errno; ++ return fdf; + + if (fstat(fdf, &st) < 0) + return -errno; +@@ -1451,7 +1451,6 @@ int copy_file_atomic_at_full( + _cleanup_close_ int fdt = -EBADF; + int r; + +- assert(from); + assert(to); + assert(!FLAGS_SET(copy_flags, COPY_LOCK_BSD)); + +-- +2.33.0 + diff --git a/backport-core-Bump-log-level-of-reexecute-request-to-notice.patch b/backport-core-Bump-log-level-of-reexecute-request-to-notice.patch index 6cc543e..310d8ec 100644 --- a/backport-core-Bump-log-level-of-reexecute-request-to-notice.patch +++ b/backport-core-Bump-log-level-of-reexecute-request-to-notice.patch @@ -1,26 +1,22 @@ -From 50e3bc139fc750c7b15bda55807fcb9209787319 Mon Sep 17 00:00:00 2001 +From 79dc77a7ffed671a16c44369df2552cf733dbbef Mon Sep 17 00:00:00 2001 
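Review bot: The new "from may be NULL or empty" contract is only visible through the removed `assert(from)` lines and the `strempty()`/`?:` fallbacks, and the hunk is inconsistent about which of the two it means: copy_tree_at_full() treats an empty string as "no path" (`isempty(from) ? AT_EMPTY_PATH : 0`), while the debug logs in fd_copy_directory() and fd_copy_tree_generic() fall back only on NULL (`from ?: "file to copy"`), so an empty `from` logs an empty name there. Using `isempty(from) ? "file to copy" : from` in those three log lines would match the fstatat() handling. The public entry points also deserve a one-line comment at their top, e.g. `/* 'from' may be NULL or empty, in which case the source is the passed directory fd itself (see xopenat()). */`, since the header is not part of this change and callers can no longer rely on the assert to reject a missing path; I am assuming xopenat() duplicates the directory fd in that case, as the replaced fcntl(F_DUPFD_CLOEXEC) code did. All of the touched function bodies start or end outside the hunk.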
From: Daan De Meyer Date: Tue, 8 Oct 2024 16:25:52 +0200 -Subject: [PATCH] core: Bump log level of reexecute request to notice +Subject: [PATCH 0924/1160] core: Bump log level of reexecute request to notice A daemon-reload is important enough to deserve logging at notice level. (cherry picked from commit 4ee41be82507348fbbc9d3ab28aae6330eb51663) (cherry picked from commit 31e38b55b2e4bb1aa42fe106ea14df8e82758303) -(cherry picked from commit 79dc77a7ffed671a16c44369df2552cf733dbbef) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/50e3bc139fc750c7b15bda55807fcb9209787319 --- src/core/dbus-manager.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/src/core/dbus-manager.c b/src/core/dbus-manager.c -index 33984f6f0e..90c1daf995 100644 +index 03ccb6b0f2..139a4f79e1 100644 --- a/src/core/dbus-manager.c +++ b/src/core/dbus-manager.c -@@ -1614,10 +1614,10 @@ static void log_caller(sd_bus_message *message, Manager *manager, const char *me +@@ -1594,10 +1594,10 @@ static void log_caller(sd_bus_message *message, Manager *manager, const char *me (void) sd_bus_creds_get_comm(creds, &comm); caller = manager_get_unit_by_pid(manager, pid); diff --git a/backport-core-Check-for-TERM-dumb-in-show_status.patch b/backport-core-Check-for-TERM-dumb-in-show_status.patch new file mode 100644 index 0000000..326566a --- /dev/null +++ b/backport-core-Check-for-TERM-dumb-in-show_status.patch 
@@ -0,0 +1,136 @@ +From 1ee7e53c9233ad7e9ee008a38eebaa9d88840eed Mon Sep 17 00:00:00 2001 +From: Daan De Meyer +Date: Sun, 21 Apr 2024 11:21:14 +0200 +Subject: [PATCH 0511/1160] core: Check for TERM=dumb in show_status() + +We shouldn't try to use any ANSI escape sequences if TERM=dumb. +Also, the "\r\n" we output can get interpreted as a double newline +(for example by Github Actions), so let's output just "\n" when +TERM=dumb to clean up the CI logs. + +(cherry picked from commit 1b889631edbcfb526358b114e949847e50096181) +--- + src/basic/log.c | 10 ++++++++-- + src/basic/terminal-util.c | 2 +- + src/basic/terminal-util.h | 1 + + src/core/show-status.c | 15 +++++++++++---- + 4 files changed, 21 insertions(+), 7 deletions(-) + +diff --git a/src/basic/log.c b/src/basic/log.c +index 1470611a75..7a443005f6 100644 +--- a/src/basic/log.c ++++ b/src/basic/log.c +@@ -427,6 +427,8 @@ static int write_to_console( + const char *func, + const char *buffer) { + ++ static int dumb = -1; ++ + char location[256], + header_time[FORMAT_TIMESTAMP_MAX], + prefix[1 + DECIMAL_STR_MAX(int) + 2], +@@ -438,6 +440,9 @@ static int write_to_console( + if (console_fd < 0) + return 0; + ++ if (dumb < 0) ++ dumb = getenv_terminal_is_dumb(); ++ + if (log_target == LOG_TARGET_CONSOLE_PREFIXED) { + xsprintf(prefix, "<%i>", level); + iovec[n++] = IOVEC_MAKE_STRING(prefix); +@@ -481,8 +486,9 @@ static int write_to_console( + /* When writing to a TTY we output an extra '\r' (i.e. CR) first, to generate CRNL rather than just + * NL. This is a robustness thing in case the TTY is currently in raw mode (specifically: has the + * ONLCR flag off). We want that subsequent output definitely starts at the beginning of the line +- * again, after all. If the TTY is not in raw mode the extra CR should not hurt. */ +- iovec[n++] = IOVEC_MAKE_STRING(check_console_fd_is_tty() ? "\r\n" : "\n"); ++ * again, after all. If the TTY is not in raw mode the extra CR should not hurt. 
If we're writing to ++ * a dumb terminal, only write NL as CRNL might be interpreted as a double newline. */ ++ iovec[n++] = IOVEC_MAKE_STRING(check_console_fd_is_tty() && !dumb ? "\r\n" : "\n"); + + if (writev(console_fd, iovec, n) < 0) { + +diff --git a/src/basic/terminal-util.c b/src/basic/terminal-util.c +index 3355b749cc..530ef9a921 100644 +--- a/src/basic/terminal-util.c ++++ b/src/basic/terminal-util.c +@@ -1300,7 +1300,7 @@ static bool on_dev_null(void) { + return cached_on_dev_null; + } + +-static bool getenv_terminal_is_dumb(void) { ++bool getenv_terminal_is_dumb(void) { + const char *e; + + e = getenv("TERM"); +diff --git a/src/basic/terminal-util.h b/src/basic/terminal-util.h +index 80d16f6db9..b1d7aeee83 100644 +--- a/src/basic/terminal-util.h ++++ b/src/basic/terminal-util.h +@@ -160,6 +160,7 @@ void columns_lines_cache_reset(int _unused_ signum); + void reset_terminal_feature_caches(void); + + bool on_tty(void); ++bool getenv_terminal_is_dumb(void); + bool terminal_is_dumb(void); + ColorMode get_color_mode(void); + bool underline_enabled(void); +diff --git a/src/core/show-status.c b/src/core/show-status.c +index 606237ee0e..5b003ba4e2 100644 +--- a/src/core/show-status.c ++++ b/src/core/show-status.c +@@ -38,6 +38,8 @@ int parse_show_status(const char *v, ShowStatus *ret) { + + int status_vprintf(const char *status, ShowStatusFlags flags, const char *format, va_list ap) { + static const char status_indent[] = " "; /* "[" STATUS "] " */ ++ static int dumb = -1; ++ + _cleanup_free_ char *s = NULL; + _cleanup_close_ int fd = -EBADF; + struct iovec iovec[7] = {}; +@@ -46,6 +48,9 @@ int status_vprintf(const char *status, ShowStatusFlags flags, const char *format + + assert(format); + ++ if (dumb < 0) ++ dumb = getenv_terminal_is_dumb(); ++ + /* This is independent of logging, as status messages are + * optional and go exclusively to the console. 
*/ + +@@ -61,7 +66,7 @@ int status_vprintf(const char *status, ShowStatusFlags flags, const char *format + if (fd < 0) + return fd; + +- if (FLAGS_SET(flags, SHOW_STATUS_ELLIPSIZE)) { ++ if (FLAGS_SET(flags, SHOW_STATUS_ELLIPSIZE) && !dumb) { + char *e; + size_t emax, sl; + int c; +@@ -81,7 +86,7 @@ int status_vprintf(const char *status, ShowStatusFlags flags, const char *format + free_and_replace(s, e); + } + +- if (prev_ephemeral) ++ if (prev_ephemeral && !dumb) + iovec[n++] = IOVEC_MAKE_STRING(ANSI_REVERSE_LINEFEED "\r" ANSI_ERASE_TO_END_OF_LINE); + + if (status) { +@@ -94,9 +99,11 @@ int status_vprintf(const char *status, ShowStatusFlags flags, const char *format + } + + iovec[n++] = IOVEC_MAKE_STRING(s); +- iovec[n++] = IOVEC_MAKE_STRING("\r\n"); /* use CRNL instead of just NL, to be robust towards TTYs in raw mode */ ++ /* use CRNL instead of just NL, to be robust towards TTYs in raw mode. If we're writing to a dumb ++ * terminal, use NL as CRNL might be interpreted as a double newline. */ ++ iovec[n++] = IOVEC_MAKE_STRING(dumb ? "\n" : "\r\n"); + +- if (prev_ephemeral && !FLAGS_SET(flags, SHOW_STATUS_EPHEMERAL)) ++ if (prev_ephemeral && !FLAGS_SET(flags, SHOW_STATUS_EPHEMERAL) && !dumb) + iovec[n++] = IOVEC_MAKE_STRING(ANSI_ERASE_TO_END_OF_LINE); + prev_ephemeral = FLAGS_SET(flags, SHOW_STATUS_EPHEMERAL); + +-- +2.33.0 + diff --git a/backport-core-Fix-assertion-in-parse_smbios_strings.patch b/backport-core-Fix-assertion-in-parse_smbios_strings.patch new file mode 100644 index 0000000..886d52f --- /dev/null +++ b/backport-core-Fix-assertion-in-parse_smbios_strings.patch 
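Review bot: The two new `static int dumb = -1;` caches in write_to_console() and status_vprintf() are never invalidated, so a later change to TERM (for example via setenv() before a re-exec, or the manager environment being updated) keeps producing output for the old terminal type, whereas the other terminal-feature caches are reset through reset_terminal_feature_caches(), which is visible in the terminal-util.h hunk. Either reset these two alongside the others, or drop the cache and call getenv_terminal_is_dumb() directly, since it is a single getenv() per message. If the cache is kept, a comment such as `/* cached for the lifetime of the process; TERM is not expected to change after startup */` would make the assumption explicit. Both functions continue outside the hunk.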
@@ -0,0 +1,26 @@ +From 9612ec00a5cfc5fecc0cbf7de63e14bbb89acbdf Mon Sep 17 00:00:00 2001 +From: Daan De Meyer +Date: Wed, 15 May 2024 12:26:33 +0200 +Subject: [PATCH 0632/1160] core: Fix assertion in parse_smbios_strings() + +(cherry picked from commit d02a41a9d4e5e250f5d817dd8cffd38e3db949e8) +--- + src/core/import-creds.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/core/import-creds.c b/src/core/import-creds.c +index 48f3160923..2f8ab069b2 100644 +--- a/src/core/import-creds.c ++++ b/src/core/import-creds.c +@@ -519,7 +519,7 @@ static int parse_smbios_strings(ImportCredentialContext *c, const char *data, si + return log_oom(); + + if (!credential_name_valid(cn)) { +- log_warning("SMBIOS credential name '%s' is not valid, ignoring: %m", cn); ++ log_warning("SMBIOS credential name '%s' is not valid, ignoring.", cn); + continue; + } + +-- +2.33.0 + diff --git a/backport-core-Fix-file-descriptor-leak.patch b/backport-core-Fix-file-descriptor-leak.patch index 507df0e..ea6a642 100644 --- a/backport-core-Fix-file-descriptor-leak.patch +++ b/backport-core-Fix-file-descriptor-leak.patch @@ -1,22 +1,18 @@ -From 400f0785e92866e5d8fd31ade6ae07a605d0df25 Mon Sep 17 00:00:00 2001 +From 844bb02e48be98f4ae594e043c965588be3b138c Mon Sep 17 00:00:00 2001 From: Daan De Meyer Date: Wed, 1 May 2024 03:14:45 +0200 -Subject: [PATCH] core: Fix file descriptor leak +Subject: [PATCH 0584/1160] core: Fix file descriptor leak (cherry picked from commit 5bcf0881a322a72c38d518be3e3ae8bff95de5f6) -(cherry picked from commit 844bb02e48be98f4ae594e043c965588be3b138c) - -Conflict:NA -Reference:https://github.com/systemd/systemd-stable/commit/400f0785e92866e5d8fd31ade6ae07a605d0df25 --- src/core/service.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/core/service.c b/src/core/service.c -index f0763a59eb..e9466ed928 100644 +index ffe92d2b5a..42fffbbd67 100644 --- a/src/core/service.c 
+++ b/src/core/service.c -@@ -414,7 +414,7 @@ static void service_release_fd_store(Service *s) { +@@ -429,7 +429,7 @@ static void service_release_fd_store(Service *s) { static void service_release_stdio_fd(Service *s) { assert(s); diff --git a/backport-core-Log-in-more-scenarios-about-which-process-initi.patch b/backport-core-Log-in-more-scenarios-about-which-process-initi.patch index c16b3fb..67ae054 100644 --- a/backport-core-Log-in-more-scenarios-about-which-process-initi.patch +++ b/backport-core-Log-in-more-scenarios-about-which-process-initi.patch @@ -1,27 +1,23 @@ -From 4389fea50bbb0810ed9193522c487257ca0b5d2d Mon Sep 17 00:00:00 2001 +From 4ce745446386bae450114c6fc2278577a7cf46f4 Mon Sep 17 00:00:00 2001 From: Daan De Meyer Date: Tue, 8 Oct 2024 16:28:25 +0200 -Subject: [PATCH] core: Log in more scenarios about which process initiated an - operation +Subject: [PATCH 0925/1160] core: Log in more scenarios about which process + initiated an operation Exit/Reboot/Poweroff and similar operations are invasive enough that logging about who initiated them is very useful to debug issues. (cherry picked from commit acb0f501f4291efce82bcf89d4ad92b6a895f4fa) (cherry picked from commit 814be7116dda14074749253d94b83387ceff0ff1) -(cherry picked from commit 4ce745446386bae450114c6fc2278577a7cf46f4) - -Conflict:the current code does not have the method_soft_reboot function, so the related code is not combined -Reference:https://github.com/systemd/systemd/commit/acb0f501f4291efce82bcf89d4ad92b6a895f4fa --- src/core/dbus-manager.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/src/core/dbus-manager.c b/src/core/dbus-manager.c -index 90c1daf995..856dd3b5dc 100644 +index 139a4f79e1..4112f6af29 100644 --- a/src/core/dbus-manager.c 
+++ b/src/core/dbus-manager.c -@@ -1706,6 +1706,8 @@ static int method_exit(sd_bus_message *message, void *userdata, sd_bus_error *er +@@ -1686,6 +1686,8 @@ static int method_exit(sd_bus_message *message, void *userdata, sd_bus_error *er if (r < 0) return r; @@ -30,7 +26,7 @@ index 90c1daf995..856dd3b5dc 100644 /* Exit() (in contrast to SetExitCode()) is actually allowed even if * we are running on the host. It will fall back on reboot() in * systemd-shutdown if it cannot do the exit() because it isn't a -@@ -1730,6 +1732,8 @@ static int method_reboot(sd_bus_message *message, void *userdata, sd_bus_error * +@@ -1710,6 +1712,8 @@ static int method_reboot(sd_bus_message *message, void *userdata, sd_bus_error * return sd_bus_error_setf(error, SD_BUS_ERROR_NOT_SUPPORTED, "Reboot is only supported for system managers."); @@ -39,7 +35,16 @@ index 90c1daf995..856dd3b5dc 100644 m->objective = MANAGER_REBOOT; return sd_bus_reply_method_return(message, NULL); -@@ -1792,6 +1798,8 @@ static int method_poweroff(sd_bus_message *message, void *userdata, sd_bus_error +@@ -1752,6 +1756,8 @@ static int method_soft_reboot(sd_bus_message *message, void *userdata, sd_bus_er + return -ENOMEM; + } + ++ log_caller(message, m, "Soft reboot"); ++ + free_and_replace(m->switch_root, rt); + m->objective = MANAGER_SOFT_REBOOT; + +@@ -1772,6 +1778,8 @@ static int method_poweroff(sd_bus_message *message, void *userdata, sd_bus_error return sd_bus_error_setf(error, SD_BUS_ERROR_NOT_SUPPORTED, "Powering off is only supported for system managers."); @@ -48,7 +53,7 @@ index 90c1daf995..856dd3b5dc 100644 m->objective = MANAGER_POWEROFF; return sd_bus_reply_method_return(message, NULL); -@@ -1811,6 +1819,8 @@ static int method_halt(sd_bus_message *message, void *userdata, sd_bus_error *er +@@ -1791,6 +1799,8 @@ static int method_halt(sd_bus_message *message, void *userdata, sd_bus_error *er return sd_bus_error_setf(error, SD_BUS_ERROR_NOT_SUPPORTED, "Halt is only supported for system managers."); 
@@ -57,7 +62,7 @@ index 90c1daf995..856dd3b5dc 100644 m->objective = MANAGER_HALT; return sd_bus_reply_method_return(message, NULL); -@@ -1830,6 +1840,8 @@ static int method_kexec(sd_bus_message *message, void *userdata, sd_bus_error *e +@@ -1810,6 +1820,8 @@ static int method_kexec(sd_bus_message *message, void *userdata, sd_bus_error *e return sd_bus_error_setf(error, SD_BUS_ERROR_NOT_SUPPORTED, "KExec is only supported for system managers."); diff --git a/backport-core-Serialize-both-pid-and-pidfd-to-keep-downgrades.patch b/backport-core-Serialize-both-pid-and-pidfd-to-keep-downgrades.patch new file mode 100644 index 0000000..3542953 --- /dev/null +++ b/backport-core-Serialize-both-pid-and-pidfd-to-keep-downgrades.patch 
@@ -0,0 +1,151 @@ +From 3c9547e8444aa4eed1859fcc0164cc86ae0c1e66 Mon Sep 17 00:00:00 2001 +From: Daan De Meyer +Date: Wed, 3 Apr 2024 16:06:14 +0200 +Subject: [PATCH 0549/1160] core: Serialize both pid and pidfd to keep + downgrades working + +Currently, when downgrading from a version with pidfd support to a +version without pidfd support, all information about running processes +is lost as the newer systemd will serialized pidfds which are not recognized +by the older systemd when deserializing. + +To improve the situation, let's serialize both the pid and the pidfd. +This is safe because existing versions will either replace the first +deserialized pidref with the second one or discard the second one in +favor of the first one depending on the unit and field. Older versions +that don't support pidfd's will silently discard any fields that contain +a pidfd as those will try to parse the field as a pid and since a pidfd +field will start with '@', those versions will debug error log and ignore +the value. + +To make sure we reuse the existing pidfd as much as possible, the pidfd +is serialized first. Both for scopes and service main pids, if the same +pid is seen multiple times, the first pidref is kept. So by serializing +the pidfd first we make sure the original pidfd is used instead of the +new one which is opened when deserializing the first pid field. + +For other control units, older versions with pidfd support will discard +the first pidfd and replace it with a new pidfd from the second pid field. +This is a slight regression on downgrades, but we make sure it doesn't +happen for future versions (and older versions when this commit is +backported) by modifying the logic to only use the first successfully +deserialized pidref so that the raw pid without pidfd is discarded instead +of it replacing the existing pidfd. 
+ +(cherry picked from commit aaa872a71356a2599f028825125005f225384b95) +--- + src/core/mount.c | 4 ++-- + src/core/service.c | 4 ++-- + src/core/socket.c | 5 +++-- + src/core/swap.c | 4 ++-- + src/shared/serialize.c | 22 +++++++++++++--------- + 5 files changed, 22 insertions(+), 17 deletions(-) + +diff --git a/src/core/mount.c b/src/core/mount.c +index f1133d7371..3c4971c581 100644 +--- a/src/core/mount.c ++++ b/src/core/mount.c +@@ -1475,8 +1475,8 @@ static int mount_deserialize_item(Unit *u, const char *key, const char *value, F + + } else if (streq(key, "control-pid")) { + +- pidref_done(&m->control_pid); +- (void) deserialize_pidref(fds, value, &m->control_pid); ++ if (!pidref_is_set(&m->control_pid)) ++ (void) deserialize_pidref(fds, value, &m->control_pid); + + } else if (streq(key, "control-command")) { + MountExecCommand id; +diff --git a/src/core/service.c b/src/core/service.c +index ac4fd24a59..a1070a071e 100644 +--- a/src/core/service.c ++++ b/src/core/service.c +@@ -3174,9 +3174,9 @@ static int service_deserialize_item(Unit *u, const char *key, const char *value, + s->reload_result = f; + + } else if (streq(key, "control-pid")) { +- pidref_done(&s->control_pid); + +- (void) deserialize_pidref(fds, value, &s->control_pid); ++ if (!pidref_is_set(&s->control_pid)) ++ (void) deserialize_pidref(fds, value, &s->control_pid); + + } else if (streq(key, "main-pid")) { + _cleanup_(pidref_done) PidRef pidref = PIDREF_NULL; +diff --git a/src/core/socket.c b/src/core/socket.c +index 388be62318..9adae16b00 100644 +--- a/src/core/socket.c ++++ b/src/core/socket.c +@@ -2634,8 +2634,9 @@ static int socket_deserialize_item(Unit *u, const char *key, const char *value, + else + s->n_refused += k; + } else if (streq(key, "control-pid")) { +- pidref_done(&s->control_pid); +- (void) deserialize_pidref(fds, value, &s->control_pid); ++ ++ if (!pidref_is_set(&s->control_pid)) ++ (void) deserialize_pidref(fds, value, &s->control_pid); + + } else if (streq(key, 
"control-command")) { + SocketExecCommand id; +diff --git a/src/core/swap.c b/src/core/swap.c +index 488b1719c5..682c2b99f7 100644 +--- a/src/core/swap.c ++++ b/src/core/swap.c +@@ -989,8 +989,8 @@ static int swap_deserialize_item(Unit *u, const char *key, const char *value, FD + s->result = f; + } else if (streq(key, "control-pid")) { + +- pidref_done(&s->control_pid); +- (void) deserialize_pidref(fds, value, &s->control_pid); ++ if (!pidref_is_set(&s->control_pid)) ++ (void) deserialize_pidref(fds, value, &s->control_pid); + + } else if (streq(key, "control-command")) { + SwapExecCommand id; +diff --git a/src/shared/serialize.c b/src/shared/serialize.c +index 483cbc7419..d1f41ce4c8 100644 +--- a/src/shared/serialize.c ++++ b/src/shared/serialize.c +@@ -180,7 +180,7 @@ int serialize_strv(FILE *f, const char *key, char **l) { + } + + int serialize_pidref(FILE *f, FDSet *fds, const char *key, PidRef *pidref) { +- int copy; ++ int r; + + assert(f); + assert(fds); +@@ -188,17 +188,21 @@ int serialize_pidref(FILE *f, FDSet *fds, const char *key, PidRef *pidref) { + if (!pidref_is_set(pidref)) + return 0; + +- /* If we have a pidfd we serialize the fd and encode the fd number prefixed by "@" in the +- * serialization. Otherwise we serialize the numeric PID as it is. */ ++ /* We always serialize the pid, to keep downgrades mostly working (older versions will deserialize ++ * the pid and silently fail to deserialize the pidfd). If we also have a pidfd, we serialize it ++ * first and encode the fd number prefixed by "@" in the serialization. 
*/ + +- if (pidref->fd < 0) +- return serialize_item_format(f, key, PID_FMT, pidref->pid); ++ if (pidref->fd >= 0) { ++ int copy = fdset_put_dup(fds, pidref->fd); ++ if (copy < 0) ++ return log_error_errno(copy, "Failed to add file descriptor to serialization set: %m"); + +- copy = fdset_put_dup(fds, pidref->fd); +- if (copy < 0) +- return log_error_errno(copy, "Failed to add file descriptor to serialization set: %m"); ++ r = serialize_item_format(f, key, "@%i", copy); ++ if (r < 0) ++ return log_error_errno(r, "Failed to serialize PID file descriptor: %m"); ++ } + +- return serialize_item_format(f, key, "@%i", copy); ++ return serialize_item_format(f, key, PID_FMT, pidref->pid); + } + + int serialize_ratelimit(FILE *f, const char *key, const RateLimit *rl) { +-- +2.33.0 + diff --git a/backport-core-Serialize-both-pid-and-pidfd.patch b/backport-core-Serialize-both-pid-and-pidfd.patch new file mode 100644 index 0000000..a3da175 --- /dev/null +++ b/backport-core-Serialize-both-pid-and-pidfd.patch 
@@ -0,0 +1,125 @@ +From 0df675e0e80f64075dda2a18082238ea26226bfc Mon Sep 17 00:00:00 2001 +From: Daan De Meyer +Date: Fri, 5 Apr 2024 15:21:49 +0200 +Subject: [PATCH 0550/1160] core: Serialize both pid and pidfd + +If we try to deserialize only a pidfd that points to a process that +has been reaped, creating the pidref object will fail, which means that +we'll try to create a pidref object from the serialized pid that comes +next. If the pid has already been reused, this will succeed and we'll +now have a pidref that points to a different process. + +Let's avoid this issue by serializing both the pidfd and the pid and +creating the pidref object directly from both. This means we'll reuse +the deserialized pidfd instead of opening a new one. We'll then immediately +notice the pidfd is dead and do the appropriate follow up depending on +the unit type. + +(cherry picked from commit 7072777163bef1877d65dce07e0914cf57c6ea38) +--- + src/core/scope.c | 2 ++ + src/core/service.c | 2 +- + src/shared/serialize.c | 43 +++++++++++++++++++++++++++++++++++------- + 3 files changed, 39 insertions(+), 8 deletions(-) + +diff --git a/src/core/scope.c b/src/core/scope.c +index e4c27da91d..2841280cff 100644 +--- a/src/core/scope.c ++++ b/src/core/scope.c +@@ -586,6 +586,8 @@ static int scope_deserialize_item(Unit *u, const char *key, const char *value, F + } else if (streq(key, "pids")) { + _cleanup_(pidref_done) PidRef pidref = PIDREF_NULL; + ++ /* We don't check if we already received the pid before here because unit_watch_pidref() ++ * does this check internally and discards the new pidref if we already received it before. 
*/ + if (deserialize_pidref(fds, value, &pidref) >= 0) { + r = unit_watch_pidref(u, &pidref, /* exclusive= */ false); + if (r < 0) +diff --git a/src/core/service.c b/src/core/service.c +index a1070a071e..ffe92d2b5a 100644 +--- a/src/core/service.c ++++ b/src/core/service.c +@@ -3181,7 +3181,7 @@ static int service_deserialize_item(Unit *u, const char *key, const char *value, + } else if (streq(key, "main-pid")) { + _cleanup_(pidref_done) PidRef pidref = PIDREF_NULL; + +- if (deserialize_pidref(fds, value, &pidref) >= 0) ++ if (!pidref_is_set(&s->main_pid) && deserialize_pidref(fds, value, &pidref) >= 0) + (void) service_set_main_pidref(s, &pidref); + + } else if (streq(key, "main-pid-known")) { +diff --git a/src/shared/serialize.c b/src/shared/serialize.c +index d1f41ce4c8..344b102f51 100644 +--- a/src/shared/serialize.c ++++ b/src/shared/serialize.c +@@ -188,18 +188,20 @@ int serialize_pidref(FILE *f, FDSet *fds, const char *key, PidRef *pidref) { + if (!pidref_is_set(pidref)) + return 0; + +- /* We always serialize the pid, to keep downgrades mostly working (older versions will deserialize +- * the pid and silently fail to deserialize the pidfd). If we also have a pidfd, we serialize it +- * first and encode the fd number prefixed by "@" in the serialization. */ ++ /* We always serialize the pid separately, to keep downgrades mostly working (older versions will ++ * deserialize the pid and silently fail to deserialize the pidfd). If we also have a pidfd, we ++ * serialize both the pid and pidfd, so that we can construct the exact same pidref after ++ * deserialization (this doesn't work with only the pidfd, as we can't retrieve the original pid ++ * from the pidfd anymore if the process is reaped). 
*/ + + if (pidref->fd >= 0) { + int copy = fdset_put_dup(fds, pidref->fd); + if (copy < 0) + return log_error_errno(copy, "Failed to add file descriptor to serialization set: %m"); + +- r = serialize_item_format(f, key, "@%i", copy); ++ r = serialize_item_format(f, key, "@%i:" PID_FMT, copy, pidref->pid); + if (r < 0) +- return log_error_errno(r, "Failed to serialize PID file descriptor: %m"); ++ return r; + } + + return serialize_item_format(f, key, PID_FMT, pidref->pid); +@@ -480,12 +482,39 @@ int deserialize_pidref(FDSet *fds, const char *value, PidRef *ret) { + + e = startswith(value, "@"); + if (e) { +- int fd = deserialize_fd(fds, e); ++ _cleanup_free_ char *fdstr = NULL, *pidstr = NULL; ++ _cleanup_close_ int fd = -EBADF; ++ ++ r = extract_many_words(&e, ":", /* flags = */ 0, &fdstr, &pidstr, NULL); ++ if (r < 0) ++ return log_debug_errno(r, "Failed to deserialize pidref '%s': %m", e); ++ if (r == 0) ++ return log_debug_errno(SYNTHETIC_ERRNO(EINVAL), "Cannot deserialize pidref from empty string."); ++ ++ assert(r <= 2); + ++ fd = deserialize_fd(fds, fdstr); + if (fd < 0) + return fd; + +- r = pidref_set_pidfd_consume(ret, fd); ++ /* The serialization format changed after 255.4. In systemd <= 255.4 only pidfd is ++ * serialized, but that causes problems when reconstructing pidref (see serialize_pidref for ++ * details). After 255.4 the pid is serialized as well even if we have a pidfd, but we still ++ * need to support older format as we might be upgrading from a version that still uses the ++ * old format. */ ++ if (pidstr) { ++ pid_t pid; ++ ++ r = parse_pid(pidstr, &pid); ++ if (r < 0) ++ return log_debug_errno(r, "Failed to parse PID: %s", pidstr); ++ ++ *ret = (PidRef) { ++ .pid = pid, ++ .fd = TAKE_FD(fd), ++ }; ++ } else ++ r = pidref_set_pidfd_consume(ret, TAKE_FD(fd)); + } else { + pid_t pid; + +-- +2.33.0 + 
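Review bot: In deserialize_pidref() the "@fd:pid" form is accepted with any trailing data, because extract_many_words() stops after the two requested words and `e` is left pointing at whatever follows; a bounds check `if (!isempty(e)) return log_debug_errno(SYNTHETIC_ERRNO(EINVAL), "Trailing garbage in pidref '%s'.", value);` after the extraction would keep the parser strict. The failure log a few lines above prints `e` after extract_many_words() may already have advanced it, so logging `value` there gives the original string. Also note that in the `pidstr` branch `r` still holds the word count from extract_many_words() when `*ret` is assigned; the rest of the function is outside the hunk, so whatever it does with `r` afterwards should be checked against that. The serialization format comment is good; the same "changed after 255.4" note would help in serialize_pidref() since both sides must stay in sync.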
diff --git a/backport-core-add-specifier-expansion-to-AllowedCPUs-and-frie.patch b/backport-core-add-specifier-expansion-to-AllowedCPUs-and-frie.patch new file mode 100644 index 0000000..165d1e8 --- /dev/null +++ b/backport-core-add-specifier-expansion-to-AllowedCPUs-and-frie.patch @@ -0,0 +1,43 @@ +From 745be6f35356961344f0935582cae3bdc9c156bf Mon Sep 17 00:00:00 2001 +From: Alan Liang +Date: Sun, 3 Dec 2023 13:49:06 +0800 +Subject: [PATCH 0004/1160] core: add specifier expansion to AllowedCPUs= and + friends + +(cherry picked from commit 67001c25348f37617e207f298f4c4196305bad07) +--- + src/core/load-fragment.c | 17 ++++++++++++++++- + 1 file changed, 16 insertions(+), 1 deletion(-) + +diff --git a/src/core/load-fragment.c b/src/core/load-fragment.c +index 6e3a22bc16..f442bd8203 100644 +--- a/src/core/load-fragment.c ++++ b/src/core/load-fragment.c +@@ -3800,8 +3800,23 @@ int config_parse_allowed_cpuset( + void *userdata) { + + CPUSet *c = data; ++ const Unit *u = userdata; ++ _cleanup_free_ char *k = NULL; ++ int r; ++ ++ assert(filename); ++ assert(lvalue); ++ assert(rvalue); ++ ++ r = unit_full_printf(u, rvalue, &k); ++ if (r < 0) { ++ log_syntax(unit, LOG_WARNING, filename, line, r, ++ "Failed to resolve unit specifiers in '%s', ignoring: %m", ++ rvalue); ++ return 0; ++ } + +- (void) parse_cpu_set_extend(rvalue, c, true, unit, filename, line, lvalue); ++ (void) parse_cpu_set_extend(k, c, true, unit, filename, line, lvalue); + return 0; + } + +-- +2.33.0 + diff --git a/backport-core-add-trigger-to-path-unit-debug-log.patch b/backport-core-add-trigger-to-path-unit-debug-log.patch new file mode 100644 index 0000000..6a5658f --- /dev/null +++ b/backport-core-add-trigger-to-path-unit-debug-log.patch 
@@ -0,0 +1,40 @@ +From 15be4c0c3c35abf5645016c9f1fa8264eea82f2d Mon Sep 17 00:00:00 2001 +From: Luca Boccassi +Date: Mon, 27 Jan 2025 20:30:16 +0000 +Subject: [PATCH 1097/1160] core: add trigger to path unit debug log + +Useful for debugging, given it's already logging and the trigger +is known, add it + +(cherry picked from commit 6566b4306a65bc7af6ade0cb6887217212925202) +(cherry picked from commit b6b287854aa622083ec25e19e2fac26bd332e693) +(cherry picked from commit d139f17ea1f20633c41af0f77eaf9e4c7b05111d) +--- + src/core/path.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/core/path.c b/src/core/path.c +index cbaefb684d..e3f58dcdcd 100644 +--- a/src/core/path.c ++++ b/src/core/path.c +@@ -589,7 +589,7 @@ static void path_enter_waiting(Path *p, bool initial, bool from_trigger_notify) + } + + if (path_check_good(p, initial, from_trigger_notify, &trigger_path)) { +- log_unit_debug(UNIT(p), "Got triggered."); ++ log_unit_debug(UNIT(p), "Got triggered by '%s'.", trigger_path); + path_enter_running(p, trigger_path); + return; + } +@@ -606,7 +606,7 @@ static void path_enter_waiting(Path *p, bool initial, bool from_trigger_notify) + * recheck */ + + if (path_check_good(p, false, from_trigger_notify, &trigger_path)) { +- log_unit_debug(UNIT(p), "Got triggered."); ++ log_unit_debug(UNIT(p), "Got triggered by '%s'.", trigger_path); + path_enter_running(p, trigger_path); + return; + } +-- +2.33.0 + diff --git a/backport-core-cgroup-Apply-IODevice-directives-in-configured-.patch b/backport-core-cgroup-Apply-IODevice-directives-in-configured-.patch new file mode 100644 index 0000000..b34d313 --- /dev/null +++ b/backport-core-cgroup-Apply-IODevice-directives-in-configured-.patch 
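Review bot: Both new format strings pass `trigger_path` straight to `%s`; if path_check_good() can return true without setting that out-parameter (its contract is not visible in this hunk), the debug line prints a NULL. Wrapping it as `strna(trigger_path)` at both sites keeps the message safe under every outcome at no cost. path_enter_waiting starts and ends outside the hunk.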
@@ -0,0 +1,135 @@ +From f45acd05bec88521bb2f25bbd6c3792a35ad3a87 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Michal=20Koutn=C3=BD?= +Date: Fri, 13 Sep 2024 19:27:13 +0200 +Subject: [PATCH 0884/1160] core/cgroup: Apply IODevice*= directives in + configured order + +Different device paths may resolve to same device node +(lookup_block_device()), e.g. + IOReadBandwidthMax=/dev/sda1 18879 + IOReadBandwidthMax=/dev/sda2 18878 +where both partitions resolve to /dev/sda and when these values are +applied (they are associated with original paths, i.e. as if applied for +different device) in the order from io_device_limits. + +The parsing code prepends, so they end up in reverse order wrt config +file. Switch the direction so that the order of application matches the +order of configuration -- i.e. semantics in all other unit file +directives. + +Apply same change to all directives that use per-device lists. (The +question whether partitions should be resolved to base device is +independent.) + +And apply the changes equally to DBus properties write handlers. 
+ +Fixes #34126 + +(cherry picked from commit 0fa0dfa04465651a18107d503f9967f84bd761d1) +(cherry picked from commit 00dfa7964b5e48a37596207ad8b2862b157cffaf) +--- + src/core/dbus-cgroup.c | 10 +++++----- + src/core/load-fragment.c | 10 +++++----- + 2 files changed, 10 insertions(+), 10 deletions(-) + +diff --git a/src/core/dbus-cgroup.c b/src/core/dbus-cgroup.c +index 8a9570fd21..88198010ee 100644 +--- a/src/core/dbus-cgroup.c ++++ b/src/core/dbus-cgroup.c +@@ -1417,7 +1417,7 @@ int bus_cgroup_set_property( + for (type = 0; type < _CGROUP_IO_LIMIT_TYPE_MAX; type++) + a->limits[type] = cgroup_io_limit_defaults[type]; + +- LIST_PREPEND(device_limits, c->io_device_limits, a); ++ LIST_APPEND(device_limits, c->io_device_limits, a); + } + + a->limits[iol_type] = u64; +@@ -1497,7 +1497,7 @@ int bus_cgroup_set_property( + free(a); + return -ENOMEM; + } +- LIST_PREPEND(device_weights, c->io_device_weights, a); ++ LIST_APPEND(device_weights, c->io_device_weights, a); + } + + a->weight = weight; +@@ -1571,7 +1571,7 @@ int bus_cgroup_set_property( + free(a); + return -ENOMEM; + } +- LIST_PREPEND(device_latencies, c->io_device_latencies, a); ++ LIST_APPEND(device_latencies, c->io_device_latencies, a); + } + + a->target_usec = target; +@@ -1652,7 +1652,7 @@ int bus_cgroup_set_property( + return -ENOMEM; + } + +- LIST_PREPEND(device_bandwidths, c->blockio_device_bandwidths, a); ++ LIST_APPEND(device_bandwidths, c->blockio_device_bandwidths, a); + } + + if (read) +@@ -1746,7 +1746,7 @@ int bus_cgroup_set_property( + free(a); + return -ENOMEM; + } +- LIST_PREPEND(device_weights, c->blockio_device_weights, a); ++ LIST_APPEND(device_weights, c->blockio_device_weights, a); + } + + a->weight = weight; +diff --git a/src/core/load-fragment.c b/src/core/load-fragment.c +index 6e3e6a5ee9..161a2d2d32 100644 +--- a/src/core/load-fragment.c ++++ b/src/core/load-fragment.c +@@ -4319,7 +4319,7 @@ int config_parse_io_device_weight( + w->path = TAKE_PTR(resolved); + w->weight = u; + +- 
LIST_PREPEND(device_weights, c->io_device_weights, w); ++ LIST_APPEND(device_weights, c->io_device_weights, w); + return 0; + } + +@@ -4390,7 +4390,7 @@ int config_parse_io_device_latency( + l->path = TAKE_PTR(resolved); + l->target_usec = usec; + +- LIST_PREPEND(device_latencies, c->io_device_latencies, l); ++ LIST_APPEND(device_latencies, c->io_device_latencies, l); + return 0; + } + +@@ -4476,7 +4476,7 @@ int config_parse_io_limit( + for (CGroupIOLimitType i = 0; i < _CGROUP_IO_LIMIT_TYPE_MAX; i++) + l->limits[i] = cgroup_io_limit_defaults[i]; + +- LIST_PREPEND(device_limits, c->io_device_limits, l); ++ LIST_APPEND(device_limits, c->io_device_limits, l); + } + + l->limits[type] = num; +@@ -4557,7 +4557,7 @@ int config_parse_blockio_device_weight( + w->path = TAKE_PTR(resolved); + w->weight = u; + +- LIST_PREPEND(device_weights, c->blockio_device_weights, w); ++ LIST_APPEND(device_weights, c->blockio_device_weights, w); + return 0; + } + +@@ -4644,7 +4644,7 @@ int config_parse_blockio_bandwidth( + b->rbps = CGROUP_LIMIT_MAX; + b->wbps = CGROUP_LIMIT_MAX; + +- LIST_PREPEND(device_bandwidths, c->blockio_device_bandwidths, b); ++ LIST_APPEND(device_bandwidths, c->blockio_device_bandwidths, b); + } + + if (read) +-- +2.33.0 + diff --git a/backport-core-cgroup-fix-IPAddressAllow-IPAddressDeny-set-thr.patch b/backport-core-cgroup-fix-IPAddressAllow-IPAddressDeny-set-thr.patch new file mode 100644 index 0000000..bacc44a --- /dev/null +++ b/backport-core-cgroup-fix-IPAddressAllow-IPAddressDeny-set-thr.patch 
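Review bot: The switch to LIST_APPEND is unexplained at every call site, and the guarantee it provides — entries are applied in configuration order, so a later entry for a path that resolves to the same device wins — is exactly what a future edit is likely to undo by reverting to the cheaper LIST_PREPEND. A one-line comment at the first append in each file, e.g. `/* Append, not prepend: entries must be applied in configuration order so a later entry for the same device wins. */`, pins the intent from the commit message. The same note applies to all ten LIST_APPEND sites in dbus-cgroup.c and load-fragment.c.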
@@ -0,0 +1,46 @@ +From 71fca73f70c96fb9c7573d73d6eae2c5fccd1d56 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Wed, 16 Oct 2024 12:45:34 +0900 +Subject: [PATCH 0950/1160] core/cgroup: fix IPAddressAllow=/IPAddressDeny= set + through DBus + +Fixes a regression caused by 84ebe6f01381c21b88e37e856956c9c9ee6781d6 (v250). +Fixes #34773. + +(cherry picked from commit 77bbd9f1bd2b01bcb2a49ed42c6dc06613532bcf) +(cherry picked from commit a94b2c39f94e7af82a56c52941cc1c6aeaf2318f) +--- + src/core/dbus-cgroup.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/src/core/dbus-cgroup.c b/src/core/dbus-cgroup.c +index 88198010ee..b3baf03afc 100644 +--- a/src/core/dbus-cgroup.c ++++ b/src/core/dbus-cgroup.c +@@ -1970,11 +1970,12 @@ int bus_cgroup_set_property( + prefixes = streq(name, "IPAddressAllow") ? &c->ip_address_allow : &c->ip_address_deny; + reduced = streq(name, "IPAddressAllow") ? &c->ip_address_allow_reduced : &c->ip_address_deny_reduced; + ++ fputs(name, f); ++ fputs("=\n", f); ++ + if (n == 0) { + *reduced = true; + *prefixes = set_free(*prefixes); +- fputs(name, f); +- fputs("=\n", f); + } else { + *reduced = false; + +@@ -1983,7 +1984,7 @@ int bus_cgroup_set_property( + return r; + + const struct in_addr_prefix *p; +- SET_FOREACH(p, new_prefixes) ++ SET_FOREACH(p, *prefixes) + fprintf(f, "%s=%s\n", name, + IN_ADDR_PREFIX_TO_STRING(p->family, &p->address, p->prefixlen)); + } +-- +2.33.0 + diff --git a/backport-core-cgroup-make-unit_has_host_root_cgroup-take-cons.patch b/backport-core-cgroup-make-unit_has_host_root_cgroup-take-cons.patch new file mode 100644 index 0000000..f0d4574 --- /dev/null +++ b/backport-core-cgroup-make-unit_has_host_root_cgroup-take-cons.patch 
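Review bot: The reset line `IPAddressAllow=` / `IPAddressDeny=` is now written before both branches, so in the `n > 0` case the drop-in becomes a reset followed by a dump of `*prefixes`; that is correct only because the set already merged into `*prefixes` holds the complete current list, which is the assumption the old `new_prefixes` loop got wrong. A comment above the `fputs(name, f)` pair, e.g. `/* Always emit a reset line first: the drop-in must reflect the full current set, not only the prefixes added by this call. */`, makes the invariant explicit for the next reader. bus_cgroup_set_property starts and ends outside the hunk.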
@@ -0,0 +1,44 @@ +From 00b495a85b1088490d5757b38ed0528c158d433d Mon Sep 17 00:00:00 2001 +From: Mike Yuan +Date: Sat, 15 Jun 2024 13:15:08 +0200 +Subject: [PATCH 0771/1160] core/cgroup: make unit_has_host_root_cgroup take + const Unit* + +(cherry picked from commit 4442aef08e0fe8ba381b580455f7eb281c5a28a1) +(cherry picked from commit 06c2ee39799064a82d2af1bee7a5c72ebdd66090) +--- + src/core/cgroup.c | 3 ++- + src/core/cgroup.h | 2 +- + 2 files changed, 3 insertions(+), 2 deletions(-) + +diff --git a/src/core/cgroup.c b/src/core/cgroup.c +index 03d6ec9c6f..61539afdbf 100644 +--- a/src/core/cgroup.c ++++ b/src/core/cgroup.c +@@ -100,8 +100,9 @@ bool unit_has_startup_cgroup_constraints(Unit *u) { + c->startup_memory_low_set; + } + +-bool unit_has_host_root_cgroup(Unit *u) { ++bool unit_has_host_root_cgroup(const Unit *u) { + assert(u); ++ assert(u->manager); + + /* Returns whether this unit manages the root cgroup. This will return true if this unit is the root slice and + * the manager manages the root cgroup. */ +diff --git a/src/core/cgroup.h b/src/core/cgroup.h +index f1b674b4b7..4ef2d92364 100644 +--- a/src/core/cgroup.h ++++ b/src/core/cgroup.h +@@ -389,7 +389,7 @@ int unit_reset_accounting(Unit *u); + }) + + bool manager_owns_host_root_cgroup(Manager *m); +-bool unit_has_host_root_cgroup(Unit *u); ++bool unit_has_host_root_cgroup(const Unit *u); + + bool unit_has_startup_cgroup_constraints(Unit *u); + +-- +2.33.0 + diff --git a/backport-core-condition-fix-segfault-when-key-not-found-in-os.patch b/backport-core-condition-fix-segfault-when-key-not-found-in-os.patch new file mode 100644 index 0000000..f0e10ff --- /dev/null +++ b/backport-core-condition-fix-segfault-when-key-not-found-in-os.patch 
@@ -0,0 +1,88 @@ +From 42dc6431fde34b4e0c64293ecfd211de239e5d21 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Thu, 13 Feb 2025 15:49:50 +0100 +Subject: [PATCH 1121/1160] core/condition: fix segfault when key not found in + os-release + +'ConditionOSRelease=|ID_LIKE$=*rhel*' results in a segfault. +The key 'ID_LIKE' is not present in Fedora's os-release file. + +I think the most reasonable behaviour is to treat missing keys as empty. +This matches the "shell-like" sprit, since in a shell empty keys would +by default be treated as empty too. Thus, "ID_LIKE=" would match, if +ID_LIKE is not present in the file, and ID_LIKE=!$foo" would also match. +The other option would be to make those matches fail, but I think that'd +make the feature harder to use, esp. with negative matches. + +Documentation is updated to clarify the new behaviour. + +https://bugzilla.redhat.com/show_bug.cgi?id=2345544 +(cherry picked from commit de02b551adcf74e5677454fd36bf7653b1a4def1) +(cherry picked from commit 8f8514c03f166c352ebdcb577c29d2dff88a37f7) +(cherry picked from commit f36638fbd262f79b334f0f4cf8f0d056458d30ae) +--- + man/systemd.unit.xml | 2 ++ + src/shared/condition.c | 4 +++- + src/test/test-condition.c | 18 ++++++++++++++++++ + 3 files changed, 23 insertions(+), 1 deletion(-) + +diff --git a/man/systemd.unit.xml b/man/systemd.unit.xml +index 4b262e61be..8cf30e7def 100644 +--- a/man/systemd.unit.xml ++++ b/man/systemd.unit.xml +@@ -1928,6 +1928,8 @@ + wildcard comparisons (*, ?, []) are + supported with the $= (match) and !$= (non-match). + ++ If the given key is not found in the file, the match is done against an empty value. 
++ + + + +diff --git a/src/shared/condition.c b/src/shared/condition.c +index 20fa1ae9ac..7c5e09df02 100644 +--- a/src/shared/condition.c ++++ b/src/shared/condition.c +@@ -273,7 +273,9 @@ static int condition_test_osrelease(Condition *c, char **env) { + if (r < 0) + return log_debug_errno(r, "Failed to parse os-release: %m"); + +- r = version_or_fnmatch_compare(operator, actual_value, word); ++ /* If not found, use "". This means that missing and empty assignments ++ * in the file have the same result. */ ++ r = version_or_fnmatch_compare(operator, strempty(actual_value), word); + if (r < 0) + return r; + if (!r) +diff --git a/src/test/test-condition.c b/src/test/test-condition.c +index f294be45c5..7f10279210 100644 +--- a/src/test/test-condition.c ++++ b/src/test/test-condition.c +@@ -1246,6 +1246,24 @@ TEST(condition_test_os_release) { + assert_se(condition_test(condition, environ) > 0); + condition_free(condition); + ++ /* Test shell style globs */ ++ ++ assert_se((condition = condition_new(CONDITION_OS_RELEASE, "ID_LIKE$=*THISHOPEFULLYWONTEXIST*", false, false))); ++ assert_se(condition_test(condition, environ) == 0); ++ condition_free(condition); ++ ++ assert_se((condition = condition_new(CONDITION_OS_RELEASE, "ID_THISHOPEFULLYWONTEXIST$=*rhel*", false, false))); ++ assert_se(condition_test(condition, environ) == 0); ++ condition_free(condition); ++ ++ assert_se((condition = condition_new(CONDITION_OS_RELEASE, "ID_LIKE!$=*THISHOPEFULLYWONTEXIST*", false, false))); ++ assert_se(condition_test(condition, environ) >= 0); ++ condition_free(condition); ++ ++ assert_se((condition = condition_new(CONDITION_OS_RELEASE, "ID_THISHOPEFULLYWONTEXIST!$=*rhel*", false, false))); ++ assert_se(condition_test(condition, environ) >= 0); ++ condition_free(condition); ++ + /* load_os_release_pairs() removes quotes, we have to add them back, + * otherwise we get a string: "PRETTY_NAME=Debian GNU/Linux 10 (buster)" + * which is wrong, as the value is not quoted anymore. 
*/ +-- +2.33.0 + diff --git a/backport-core-dbus-manager-mark-unit-file-state-as-outdated-o.patch b/backport-core-dbus-manager-mark-unit-file-state-as-outdated-o.patch new file mode 100644 index 0000000..416220f --- /dev/null +++ b/backport-core-dbus-manager-mark-unit-file-state-as-outdated-o.patch 
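Review bot: The two negative-match tests added to test-condition.c assert `condition_test(condition, environ) >= 0`, which also passes when the condition evaluates to 0 (no match), so they do not pin the behaviour this fix introduces — that a missing key is compared as empty and therefore `ID_THISHOPEFULLYWONTEXIST!$=*rhel*` is expected to be true. Both should assert `> 0`, as the positive cases earlier in the same test already do; `ID_LIKE!$=*THISHOPEFULLYWONTEXIST*` is true whether or not the host's os-release defines ID_LIKE. Since ConditionOSRelease= gates unit activation, it is worth noting in the commit that a negative condition now passes on any os-release lacking the key, which the man page sentence states but a reader of the code alone would not expect.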
@@ -0,0 +1,125 @@ +From 9ac5ce42d0792e3bea3c9e25f4c4c431bc7054d9 Mon Sep 17 00:00:00 2001 +From: Mike Yuan +Date: Wed, 1 May 2024 17:30:35 +0800 +Subject: [PATCH 0702/1160] core/dbus-manager: mark unit file state as outdated + only if some changes succeeded + +Follow-up for a82b8b3dc80619c3275ad8180069289b411206d0 + +We don't need to invalidate the unit file state +if all operations failed. + +Also, emit UnitFilesChanged signal as long as +some operations succeeded. + +(cherry picked from commit d69cba3bfffc7b1e3197e2a34b459db13b1e1cb7) +--- + src/core/dbus-manager.c | 36 ++++++++++++++++++++++++------------ + 1 file changed, 24 insertions(+), 12 deletions(-) + +diff --git a/src/core/dbus-manager.c b/src/core/dbus-manager.c +index 745f5cc17c..b33711e22e 100644 +--- a/src/core/dbus-manager.c ++++ b/src/core/dbus-manager.c +@@ -2329,6 +2329,23 @@ static int send_unit_files_changed(sd_bus *bus, void *userdata) { + return sd_bus_send(bus, message, NULL); + } + ++static void manager_unit_files_changed(Manager *m, const InstallChange *changes, size_t n_changes) { ++ int r; ++ ++ assert(m); ++ assert(changes || n_changes == 0); ++ ++ if (!install_changes_have_modification(changes, n_changes)) ++ return; ++ ++ /* See comments for this variable in manager.h */ ++ m->unit_file_state_outdated = true; ++ ++ r = bus_foreach_bus(m, NULL, send_unit_files_changed, NULL); ++ if (r < 0) ++ log_debug_errno(r, "Failed to send UnitFilesChanged signal, ignoring: %m"); ++} ++ + /* Create an error reply, using the error information from changes[] + * if possible, and fall back to generating an error from error code c. + * The error message only describes the first error. 
+@@ -2426,12 +2443,6 @@ static int reply_install_changes_and_free( + + CLEANUP_ARRAY(changes, n_changes, install_changes_free); + +- if (install_changes_have_modification(changes, n_changes)) { +- r = bus_foreach_bus(m, NULL, send_unit_files_changed, NULL); +- if (r < 0) +- log_debug_errno(r, "Failed to send UnitFilesChanged signal: %m"); +- } +- + r = sd_bus_message_new_method_return(message, &reply); + if (r < 0) + return r; +@@ -2521,7 +2532,7 @@ static int method_enable_unit_files_generic( + return 1; /* No authorization for now, but the async polkit stuff will call us again when it has it */ + + r = call(m->runtime_scope, flags, NULL, l, &changes, &n_changes); +- m->unit_file_state_outdated = m->unit_file_state_outdated || n_changes > 0; /* See comments for this variable in manager.h */ ++ manager_unit_files_changed(m, changes, n_changes); + if (r < 0) + return install_error(error, r, changes, n_changes); + +@@ -2594,7 +2605,7 @@ static int method_preset_unit_files_with_mode(sd_bus_message *message, void *use + return 1; /* No authorization for now, but the async polkit stuff will call us again when it has it */ + + r = unit_file_preset(m->runtime_scope, flags, NULL, l, preset_mode, &changes, &n_changes); +- m->unit_file_state_outdated = m->unit_file_state_outdated || n_changes > 0; /* See comments for this variable in manager.h */ ++ manager_unit_files_changed(m, changes, n_changes); + if (r < 0) + return install_error(error, r, changes, n_changes); + +@@ -2648,7 +2659,7 @@ static int method_disable_unit_files_generic( + return 1; /* No authorization for now, but the async polkit stuff will call us again when it has it */ + + r = call(m->runtime_scope, flags, NULL, l, &changes, &n_changes); +- m->unit_file_state_outdated = m->unit_file_state_outdated || n_changes > 0; /* See comments for this variable in manager.h */ ++ manager_unit_files_changed(m, changes, n_changes); + if (r < 0) + return install_error(error, r, changes, n_changes); + +@@ -2691,7 +2702,7 
@@ static int method_revert_unit_files(sd_bus_message *message, void *userdata, sd_ + return 1; /* No authorization for now, but the async polkit stuff will call us again when it has it */ + + r = unit_file_revert(m->runtime_scope, NULL, l, &changes, &n_changes); +- m->unit_file_state_outdated = m->unit_file_state_outdated || n_changes > 0; /* See comments for this variable in manager.h */ ++ manager_unit_files_changed(m, changes, n_changes); + if (r < 0) + return install_error(error, r, changes, n_changes); + +@@ -2722,6 +2733,7 @@ static int method_set_default_target(sd_bus_message *message, void *userdata, sd + return 1; /* No authorization for now, but the async polkit stuff will call us again when it has it */ + + r = unit_file_set_default(m->runtime_scope, force ? UNIT_FILE_FORCE : 0, NULL, name, &changes, &n_changes); ++ manager_unit_files_changed(m, changes, n_changes); + if (r < 0) + return install_error(error, r, changes, n_changes); + +@@ -2764,7 +2776,7 @@ static int method_preset_all_unit_files(sd_bus_message *message, void *userdata, + return 1; /* No authorization for now, but the async polkit stuff will call us again when it has it */ + + r = unit_file_preset_all(m->runtime_scope, flags, NULL, preset_mode, &changes, &n_changes); +- m->unit_file_state_outdated = m->unit_file_state_outdated || n_changes > 0; /* See comments for this variable in manager.h */ ++ manager_unit_files_changed(m, changes, n_changes); + if (r < 0) + return install_error(error, r, changes, n_changes); + +@@ -2804,7 +2816,7 @@ static int method_add_dependency_unit_files(sd_bus_message *message, void *userd + return -EINVAL; + + r = unit_file_add_dependency(m->runtime_scope, flags, NULL, l, target, dep, &changes, &n_changes); +- m->unit_file_state_outdated = m->unit_file_state_outdated || n_changes > 0; /* See comments for this variable in manager.h */ ++ manager_unit_files_changed(m, changes, n_changes); + if (r < 0) + return install_error(error, r, changes, n_changes); + +-- 
+2.33.0
+
diff --git a/backport-core-dbus-manager-refuse-SoftReboot-for-user-manager.patch b/backport-core-dbus-manager-refuse-SoftReboot-for-user-manager.patch
new file mode 100644
index 0000000..58fe754
--- /dev/null
+++ b/backport-core-dbus-manager-refuse-SoftReboot-for-user-manager.patch
@@ -0,0 +1,33 @@
+From 8d443b7486a5e26bb4627f1fe8a50769241af110 Mon Sep 17 00:00:00 2001
+From: Mike Yuan
+Date: Tue, 2 Jul 2024 18:08:06 +0200
+Subject: [PATCH 0744/1160] core/dbus-manager: refuse SoftReboot() for user
+ managers
+
+Otherwise, busctl --user call ... SoftReboot results in
+user manager broadcasting signal and initiating soft-reboot...
+
+(cherry picked from commit 236cd4854657745e1a59b224a191a232a476527e)
+(cherry picked from commit efc44e0c3eab9d502e472de484ddb8a29d559fab)
+---
+ src/core/dbus-manager.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/core/dbus-manager.c b/src/core/dbus-manager.c
+index b33711e22e..03ccb6b0f2 100644
+--- a/src/core/dbus-manager.c
++++ b/src/core/dbus-manager.c
+@@ -1723,6 +1723,10 @@ static int method_soft_reboot(sd_bus_message *message, void *userdata, sd_bus_er
+
+ assert(message);
+
++ if (!MANAGER_IS_SYSTEM(m))
++ return sd_bus_error_set(error, SD_BUS_ERROR_NOT_SUPPORTED,
++ "Soft reboot is only supported by system manager.");
++
+ r = verify_run_space_permissive("soft reboot may fail", error);
+ if (r < 0)
+ return r;
+-- 
+2.33.0
+
diff --git a/backport-core-device-add-stopping-job-message.patch b/backport-core-device-add-stopping-job-message.patch
new file mode 100644
index 0000000..76f4852
--- /dev/null
+++ b/backport-core-device-add-stopping-job-message.patch
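Review bot: manager_unit_files_changed() is deliberately invoked before the `if (r < 0)` check at every call site, so partial successes are signalled even when the operation as a whole failed, but nothing on the helper says so and the order looks like a mistake to a later reader. A comment on the helper, e.g. `/* Called even when the operation failed overall: changes[] may still record partial modifications that must invalidate the cached state and be signalled. */`, pins the intent stated in the commit message. Note also that method_set_default_target previously never touched unit_file_state_outdated and now gains that side effect; that is consistent with the other sites but is not mentioned in the description.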
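Review bot: The guard reads `m` before any visible `assert(m)`; if the userdata assert lives earlier in method_soft_reboot, outside this hunk, that is fine, otherwise it belongs next to `assert(message)`. The error text `"Soft reboot is only supported by system manager."` reads better as `"Soft reboot is only supported by the system manager."`. The sibling power-state methods are not in this hunk, so whether they already carry an equivalent MANAGER_IS_SYSTEM check cannot be confirmed here.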
@@ -0,0 +1,30 @@
+From 7feb10fdda886d50fa7ba2e252b31ba815411893 Mon Sep 17 00:00:00 2001
+From: Mike Yuan
+Date: Tue, 12 Dec 2023 16:42:19 +0800
+Subject: [PATCH 0054/1160] core/device: add stopping job message
+
+The use case for stopping a device unit is indeed narrow,
+but we still want to show a clear message.
+
+Preparation for later commits.
+
+(cherry picked from commit 3f4a7a472f90949425f76ffde39a6c94a0b77e0b)
+---
+ src/core/device.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/core/device.c b/src/core/device.c
+index d07adb2d2a..6b2d7c3e24 100644
+--- a/src/core/device.c
++++ b/src/core/device.c
+@@ -1291,6 +1291,7 @@ const UnitVTable device_vtable = {
+ .status_message_formats = {
+ .starting_stopping = {
+ [0] = "Expecting device %s...",
++ [1] = "Waiting for device %s to disappear...",
+ },
+ .finished_start_job = {
+ [JOB_DONE] = "Found device %s.",
+-- 
+2.33.0
+
diff --git a/backport-core-device-do-not-drop-backslashes-in-SYSTEMD_WANTS.patch b/backport-core-device-do-not-drop-backslashes-in-SYSTEMD_WANTS.patch
new file mode 100644
index 0000000..fff5730
--- /dev/null
+++ b/backport-core-device-do-not-drop-backslashes-in-SYSTEMD_WANTS.patch
@@ -0,0 +1,59 @@ +From a783d12f82ec9fa5dd29dd4638a8a872a28a0e11 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Mon, 6 Jan 2025 17:26:52 +0900 +Subject: [PATCH 1085/1160] core/device: do not drop backslashes in + SYSTEMD_WANTS=/SYSTEMD_USER_WANTS= + +Let consider the following udev rules: +=== +PROGRAM="/usr/bin/systemd-escape foo-bar-baz", ENV{SYSTEMD_WANTS}+="test1@$result.service" +PROGRAM="/usr/bin/systemd-escape aaa-bbb-ccc", ENV{SYSTEMD_WANTS}+="test2@$result.service" +=== +Then, a device expectedly gains a property: +=== +SYSTEMD_WANTS=test1@foo\x2dbar\x2dbaz.service test2@aaa\x2dbbb\x2dccc.service +=== +After the event being processed by udevd, PID1 processes the device, the +property previously was parsed with extract_first_word(EXTRACT_UNQUOTE), +then the device unit gained the following dependencies: +=== +Wants=test1@foox2dbarx2dbaz.service test2@aaax2dbbbx2dccc.service +=== +So both '%i' and '%I' for the template services did not match with the original +data, and it was hard to use systemd-escape in PROGRAM= udev rule token. + +This makes the property parsed with extract_first_word(EXTRACT_UNQUOTE|EXTRACT_RETAIN_ESCAPE), +hence the device unit now gains the following dependencies: +=== +Wants=test1@foo\x2dbar\x2dbaz.service test2@aaa\x2dbbb\x2dccc.service +=== +and '%I' for the template services match with the original data. + +Fixes a bug caused by ceed8f0c8b9a46300eccd1afa2dd8d3c2cb6b47c (v233). + +Fixes #16735. +Replaces #16737 and #35768. 
+ +(cherry picked from commit a467358b2a18b611e48e62ed89167a04e0f7634e) +(cherry picked from commit 0c1daafe41889f272c9e9d37f62614505a50f1d3) +(cherry picked from commit cfa57758101dfe5d013e9020a09e25bffe325ea2) +--- + src/core/device.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/core/device.c b/src/core/device.c +index 6b2d7c3e24..a94f4b4558 100644 +--- a/src/core/device.c ++++ b/src/core/device.c +@@ -555,7 +555,7 @@ static int device_add_udev_wants(Unit *u, sd_device *dev) { + for (;;) { + _cleanup_free_ char *word = NULL, *k = NULL; + +- r = extract_first_word(&wants, &word, NULL, EXTRACT_UNQUOTE); ++ r = extract_first_word(&wants, &word, NULL, EXTRACT_UNQUOTE | EXTRACT_RETAIN_ESCAPE); + if (r == 0) + break; + if (r == -ENOMEM) +-- +2.33.0 + diff --git a/backport-core-do-not-make-private-dev-read-only-too-soon.patch b/backport-core-do-not-make-private-dev-read-only-too-soon.patch new file mode 100644 index 0000000..7874add --- /dev/null +++ b/backport-core-do-not-make-private-dev-read-only-too-soon.patch 
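Review bot: Retaining escapes means the `word` handed on to the unit-name handling that follows (the `k` variable suggests mangling or validation, but that code is outside the hunk) now carries literal backslashes; that is what `%I` needs, yet the reason is invisible at the call site and the flag is easy to drop in a later cleanup. Add `/* Keep backslashes: names produced by systemd-escape (foo\x2dbar) must survive so that %I in template units sees the original data. */` above the extract_first_word() call. device_add_udev_wants starts and ends outside the hunk.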
@@ -0,0 +1,67 @@ +From 7b818b396b106452a03d49292f3de7dddeeab182 Mon Sep 17 00:00:00 2001 +From: Luca Boccassi +Date: Thu, 7 Dec 2023 22:19:11 +0000 +Subject: [PATCH 0027/1160] core: do not make private /dev/ read-only too soon + +The read-only bit is flipped after setting up all the mounts, so that +bind mounts can be added. Remove the early config, and add a unit +test. + +Fixes https://github.com/systemd/systemd/issues/30372 + +(cherry picked from commit ae7482b994e6a9bc8e033de9accd24b1e1ffe2ed) +--- + src/core/namespace.c | 5 ----- + src/test/test-execute.c | 2 ++ + test/test-execute/exec-privatedevices-bind.service | 10 ++++++++++ + 3 files changed, 12 insertions(+), 5 deletions(-) + create mode 100644 test/test-execute/exec-privatedevices-bind.service + +diff --git a/src/core/namespace.c b/src/core/namespace.c +index 1a4d15a800..50d7b05aa0 100644 +--- a/src/core/namespace.c ++++ b/src/core/namespace.c +@@ -1070,11 +1070,6 @@ static int mount_private_dev(MountEntry *m, RuntimeScope scope) { + if (r < 0) + log_debug_errno(r, "Failed to set up basic device tree at '%s', ignoring: %m", temporary_mount); + +- /* Make the bind mount read-only. */ +- r = mount_nofollow_verbose(LOG_DEBUG, NULL, dev, NULL, MS_REMOUNT|MS_BIND|MS_RDONLY, NULL); +- if (r < 0) +- return r; +- + /* Create the /dev directory if missing. It is more likely to be missing when the service is started + * with RootDirectory. This is consistent with mount units creating the mount points when missing. */ + (void) mkdir_p_label(mount_entry_path(m), 0755); +diff --git a/src/test/test-execute.c b/src/test/test-execute.c +index 9a03e291a0..88e4c8d4d9 100644 +--- a/src/test/test-execute.c ++++ b/src/test/test-execute.c +@@ -438,6 +438,8 @@ static void test_exec_privatedevices(Manager *m) { + + test(m, "exec-privatedevices-yes.service", can_unshare ? 0 : MANAGER_IS_SYSTEM(m) ? 
EXIT_FAILURE : EXIT_NAMESPACE, CLD_EXITED); + test(m, "exec-privatedevices-no.service", 0, CLD_EXITED); ++ if (access("/dev/kvm", F_OK) >= 0) ++ test(m, "exec-privatedevices-bind.service", can_unshare ? 0 : MANAGER_IS_SYSTEM(m) ? EXIT_FAILURE : EXIT_NAMESPACE, CLD_EXITED); + test(m, "exec-privatedevices-disabled-by-prefix.service", can_unshare ? 0 : MANAGER_IS_SYSTEM(m) ? EXIT_FAILURE : EXIT_NAMESPACE, CLD_EXITED); + test(m, "exec-privatedevices-yes-with-group.service", can_unshare ? 0 : MANAGER_IS_SYSTEM(m) ? EXIT_FAILURE : EXIT_NAMESPACE, CLD_EXITED); + +diff --git a/test/test-execute/exec-privatedevices-bind.service b/test/test-execute/exec-privatedevices-bind.service +new file mode 100644 +index 0000000000..dbbbb4ee33 +--- /dev/null ++++ b/test/test-execute/exec-privatedevices-bind.service +@@ -0,0 +1,10 @@ ++# SPDX-License-Identifier: LGPL-2.1-or-later ++[Unit] ++Description=Test for PrivateDevices=yes with a bind mounted device ++ ++[Service] ++ExecStart=/bin/sh -c 'test -c /dev/kmsg' ++ExecStart=/bin/sh -c 'test ! -w /dev/' ++Type=oneshot ++PrivateDevices=yes ++BindPaths=/dev/kmsg +-- +2.33.0 + diff --git a/backport-core-don-t-forget-about-fallback_smack_process_label.patch b/backport-core-don-t-forget-about-fallback_smack_process_label.patch new file mode 100644 index 0000000..c859d5b --- /dev/null +++ b/backport-core-don-t-forget-about-fallback_smack_process_label.patch 
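Review bot: The new test is gated on `/dev/kvm` existing, but the unit it runs bind-mounts `/dev/kmsg`; either the guard should check the device the service actually needs, `if (access("/dev/kmsg", F_OK) >= 0)`, or a comment should say why kvm's presence is the right proxy for a host where the bind can succeed. On the namespace.c side the hunk only removes the early remount and relies on the later read-only pass the commit message describes, which is not in view, so the `test ! -w /dev/` line in the new unit is the only thing here verifying that PrivateDevices= still ends up read-only. mount_private_dev starts and ends outside the hunk.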
@@ -0,0 +1,31 @@
+From 0a1715feb6dbf5464482e0dc9c04fbf7c5084b00 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?=C5=81ukasz=20Stelmach?=
+Date: Wed, 23 Oct 2024 12:58:36 +0200
+Subject: [PATCH 0968/1160] core: don't forget about
+ fallback_smack_process_label
+
+Call setup_smack() also when only fallback_smack_process_label is set.
+
+Fixes: 75689fb2d41f
+(cherry picked from commit 20bbf5ee4c6c80599a91e7a4b7474e931a27db4a)
+(cherry picked from commit 7408f2653816c2f26f1155109911939a37671425)
+---
+ src/core/exec-invoke.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/core/exec-invoke.c b/src/core/exec-invoke.c
+index 308d332c15..22bc8d10c1 100644
+--- a/src/core/exec-invoke.c
++++ b/src/core/exec-invoke.c
+@@ -4831,7 +4831,7 @@ int exec_invoke(
+ #if ENABLE_SMACK
+ /* LSM Smack needs the capability CAP_MAC_ADMIN to change the current execution security context of the
+ * process. This is the latest place before dropping capabilities. Other MAC context are set later. */
+- if (use_smack && context->smack_process_label) {
++ if (use_smack) {
+ r = setup_smack(params, context, executable_fd);
+ if (r < 0 && !context->smack_process_label_ignore) {
+ *exit_status = EXIT_SMACK_PROCESS_LABEL;
+-- 
+2.33.0
+
diff --git a/backport-core-drop-unnecessary-auto_fs4.h-inclusion.patch b/backport-core-drop-unnecessary-auto_fs4.h-inclusion.patch
new file mode 100644
index 0000000..447f140
--- /dev/null
+++ b/backport-core-drop-unnecessary-auto_fs4.h-inclusion.patch
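Review bot: Dropping `context->smack_process_label` from the condition makes setup_smack() run for every unit whenever Smack is in use, which is broader than the "also when only fallback_smack_process_label is set" the commit message describes; unless setup_smack() returns early when both `smack_process_label` and `fallback_smack_process_label` are unset (not visible here), units with neither now take the `EXIT_SMACK_PROCESS_LABEL` failure path on any error it reports. The narrower guard `if (use_smack && (context->smack_process_label || context->fallback_smack_process_label)) {` matches the stated intent exactly and keeps the old behaviour for unlabelled units. exec_invoke starts and ends outside the hunk.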
@@ -0,0 +1,29 @@ +From 5bb67d1f77aeeef87d7ffe92add0518d774e74bd Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Tue, 28 May 2024 11:21:35 +0900 +Subject: [PATCH 1080/1160] core: drop unnecessary auto_fs4.h inclusion + +auto_fs4.h is a trivial wrapper of auto_fs.h, and it is already included +by auto_dev-ioctl.h. + +(cherry picked from commit 834afa11ab514f4a32f3e4f98182dd32a365fac7) +(cherry picked from commit 2718ccec9de003bcde9b47a2b80710cbe415c983) +--- + src/core/automount.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/src/core/automount.c b/src/core/automount.c +index 14bf7e6998..84dcaade3f 100644 +--- a/src/core/automount.c ++++ b/src/core/automount.c +@@ -4,7 +4,6 @@ + #include + #include + #include +-#include + #include + #include + #include +-- +2.33.0 + diff --git a/backport-core-escape-spaces-in-paths-during-serialization.patch b/backport-core-escape-spaces-in-paths-during-serialization.patch index 59313fa..250972a 100644 --- a/backport-core-escape-spaces-in-paths-during-serialization.patch +++ b/backport-core-escape-spaces-in-paths-during-serialization.patch @@ -1,25 +1,22 @@ -From d7942fe5fc197d1eb77986b5c73b5c36d82e141e Mon Sep 17 00:00:00 2001 +From 56b40d23a2043a8f44fd4e4f2489e85f6c239a4d Mon Sep 17 00:00:00 2001 From: Frantisek Sumsal Date: Fri, 5 Jan 2024 20:39:40 +0100 -Subject: [PATCH] core: escape spaces in paths during serialization +Subject: [PATCH 0126/1160] core: escape spaces in paths during serialization Otherwise we split them incorrectly when deserializing them. Resolves: #30747 - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/d7942fe5fc197d1eb77986b5c73b5c36d82e141e - +(cherry picked from commit d7942fe5fc197d1eb77986b5c73b5c36d82e141e) --- src/core/execute-serialize.c | 17 ++++++------ test/units/testsuite-07.exec-context.sh | 36 ++++++++++++++++--------- 2 files changed, 32 insertions(+), 21 deletions(-) 
diff --git a/src/core/execute-serialize.c b/src/core/execute-serialize.c -index 55d24094f7..dd48ad3f65 100644 +index 6c62bdf7c5..b1e716e8cc 100644 --- a/src/core/execute-serialize.c +++ b/src/core/execute-serialize.c -@@ -1930,7 +1930,7 @@ static int exec_context_serialize(const ExecContext *c, FILE *f) { +@@ -1931,7 +1931,7 @@ static int exec_context_serialize(const ExecContext *c, FILE *f) { FOREACH_ARRAY(i, c->directories[dt].items, c->directories[dt].n_items) { _cleanup_free_ char *path_escaped = NULL; @@ -28,7 +25,7 @@ index 55d24094f7..dd48ad3f65 100644 if (!path_escaped) return log_oom_debug(); -@@ -1943,7 +1943,7 @@ static int exec_context_serialize(const ExecContext *c, FILE *f) { +@@ -1944,7 +1944,7 @@ static int exec_context_serialize(const ExecContext *c, FILE *f) { STRV_FOREACH(d, i->symlinks) { _cleanup_free_ char *link_escaped = NULL; @@ -37,7 +34,7 @@ index 55d24094f7..dd48ad3f65 100644 if (!link_escaped) return log_oom_debug(); -@@ -2264,11 +2264,11 @@ static int exec_context_serialize(const ExecContext *c, FILE *f) { +@@ -2263,11 +2263,11 @@ static int exec_context_serialize(const ExecContext *c, FILE *f) { FOREACH_ARRAY(mount, c->bind_mounts, c->n_bind_mounts) { _cleanup_free_ char *src_escaped = NULL, *dst_escaped = NULL; @@ -51,7 +48,7 @@ index 55d24094f7..dd48ad3f65 100644 if (!dst_escaped) return log_oom_debug(); -@@ -2455,11 +2455,11 @@ static int exec_context_serialize(const ExecContext *c, FILE *f) { +@@ -2454,11 +2454,11 @@ static int exec_context_serialize(const ExecContext *c, FILE *f) { FOREACH_ARRAY(mount, c->mount_images, c->n_mount_images) { _cleanup_free_ char *s = NULL, *source_escaped = NULL, *dest_escaped = NULL; 
@@ -65,7 +62,7 @@ index 55d24094f7..dd48ad3f65 100644 if (!dest_escaped) return log_oom_debug(); -@@ -2496,7 +2496,7 @@ static int exec_context_serialize(const ExecContext *c, FILE *f) { +@@ -2495,7 +2495,7 @@ static int exec_context_serialize(const ExecContext *c, FILE *f) { FOREACH_ARRAY(mount, c->extension_images, c->n_extension_images) { _cleanup_free_ char *s = NULL, *source_escaped = NULL; @@ -74,7 +71,7 @@ index 55d24094f7..dd48ad3f65 100644 if (!source_escaped) return log_oom_debug(); -@@ -2847,7 +2847,8 @@ static int exec_context_deserialize(ExecContext *c, FILE *f) { +@@ -2846,7 +2846,8 @@ static int exec_context_deserialize(ExecContext *c, FILE *f) { _cleanup_free_ char *tuple = NULL, *path = NULL, *only_create = NULL; const char *p; @@ -85,10 +82,10 @@ index 55d24094f7..dd48ad3f65 100644 return r; if (r == 0) diff --git a/test/units/testsuite-07.exec-context.sh b/test/units/testsuite-07.exec-context.sh -index c84974f1de..dd63163008 100755 +index 5fb7dddf89..26ed66a9a8 100755 --- a/test/units/testsuite-07.exec-context.sh +++ b/test/units/testsuite-07.exec-context.sh -@@ -93,6 +93,13 @@ systemd-run --wait --pipe -p BindPaths="/etc /home:/mnt:norbind -/foo/bar/baz:/u +@@ -84,6 +84,13 @@ systemd-run --wait --pipe -p BindPaths="/etc /home:/mnt:norbind -/foo/bar/baz:/u bash -xec "mountpoint /etc; test -d /etc/systemd; mountpoint /mnt; ! mountpoint /usr" systemd-run --wait --pipe -p BindReadOnlyPaths="/etc /home:/mnt:norbind -/foo/bar/baz:/usr:rbind" \ bash -xec "test ! -w /etc; test ! -w /mnt; ! mountpoint /usr" @@ -102,7 +99,7 @@ index c84974f1de..dd63163008 100755 # Check if we correctly serialize, deserialize, and set directives that # have more complex internal handling -@@ -206,18 +213,20 @@ fi +@@ -197,18 +204,20 @@ fi # {Cache,Configuration,Logs,Runtime,State}Directory= ARGUMENTS=( 
@@ -127,7 +124,7 @@ index c84974f1de..dd63163008 100755 -p RuntimeDirectoryPreserve=yes -p StateDirectory="context" -p StateDirectory="./././././././context context context" -@@ -226,21 +235,22 @@ ARGUMENTS=( +@@ -217,21 +226,22 @@ ARGUMENTS=( rm -rf /run/context systemd-run --wait --pipe "${ARGUMENTS[@]}" \ @@ -160,5 +157,5 @@ index c84974f1de..dd63163008 100755 # Limit*= -- -2.43.0 +2.33.0 diff --git a/backport-core-escape-spaces-when-serializing-as-well.patch b/backport-core-escape-spaces-when-serializing-as-well.patch index 7d3328e..c55e660 100644 --- a/backport-core-escape-spaces-when-serializing-as-well.patch +++ b/backport-core-escape-spaces-when-serializing-as-well.patch @@ -1,15 +1,12 @@ -From 5b1aa0e19a6df603336894604a85df74204d04f9 Mon Sep 17 00:00:00 2001 +From b2b88da7fb1b6a9604f8d17facdca869f8717c79 Mon Sep 17 00:00:00 2001 From: Frantisek Sumsal Date: Mon, 12 Feb 2024 18:32:03 +0100 -Subject: [PATCH] core: escape spaces when serializing as well +Subject: [PATCH 0244/1160] core: escape spaces when serializing as well Otherwise they might get stripped when reading the serialized data back. Resolves: #31214 - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/5b1aa0e19a6df603336894604a85df74204d04f9 - +(cherry picked from commit 5b1aa0e19a6df603336894604a85df74204d04f9) --- src/shared/serialize.c | 2 +- test/units/testsuite-07.exec-context.sh | 33 +++++++++++++++++++++++++ @@ -29,10 +26,10 @@ index 7099f67f92..483cbc7419 100644 return log_oom(); diff --git a/test/units/testsuite-07.exec-context.sh b/test/units/testsuite-07.exec-context.sh -index dd63163008..e1e4367cc6 100755 +index 26ed66a9a8..66e8fce446 100755 --- a/test/units/testsuite-07.exec-context.sh 
+++ b/test/units/testsuite-07.exec-context.sh -@@ -338,6 +338,39 @@ if [[ ! -v ASAN_OPTIONS ]] && systemctl --version | grep "+BPF_FRAMEWORK" && ker +@@ -329,6 +329,39 @@ if [[ ! -v ASAN_OPTIONS ]] && systemctl --version | grep "+BPF_FRAMEWORK" && ker (! systemd-run --wait --pipe -p RestrictFileSystems="~proc devtmpfs sysfs" ls /sys) fi @@ -73,5 +70,5 @@ index dd63163008..e1e4367cc6 100755 touch /run/not-a-directory mkdir /tmp/root -- -2.43.0 +2.33.0 diff --git a/backport-core-exec-do-not-crash-with-UtmpMode-user-without-Us.patch b/backport-core-exec-do-not-crash-with-UtmpMode-user-without-Us.patch index 1d0d493..b566d09 100644 --- a/backport-core-exec-do-not-crash-with-UtmpMode-user-without-Us.patch +++ b/backport-core-exec-do-not-crash-with-UtmpMode-user-without-Us.patch @@ -1,18 +1,14 @@ From cba1060f8854fd9a11dac8e2b02126d2f3bb14ba Mon Sep 17 00:00:00 2001 From: Yu Watanabe Date: Mon, 19 Feb 2024 13:04:28 +0900 -Subject: [PATCH] core/exec: do not crash with UtmpMode=user without User= - setting +Subject: [PATCH 0250/1160] core/exec: do not crash with UtmpMode=user without + User= setting Fixes https://bugzilla.redhat.com/show_bug.cgi?id=2264404. Replaces #31356. (cherry picked from commit d42b81f93f81e45f7a4053c6522ec3a2145ff136) - -Conflict:NA -Reference:https://github.com/systemd/systemd-stable/commit/cba1060f8854fd9a11dac8e2b02126d2f3bb14ba - --- src/core/exec-invoke.c | 12 +++++++++++- src/shared/utmp-wtmp.c | 1 + diff --git a/backport-core-exec-invoke-call-pam_setcred-PAM_DELETE_CRED-af.patch b/backport-core-exec-invoke-call-pam_setcred-PAM_DELETE_CRED-af.patch new file mode 100644 index 0000000..47fd947 --- /dev/null +++ b/backport-core-exec-invoke-call-pam_setcred-PAM_DELETE_CRED-af.patch 
@@ -0,0 +1,71 @@ +From 7f5575777c2a12a4964046dc3e584f2c51833d7a Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Fri, 26 Jan 2024 03:09:13 +0900 +Subject: [PATCH 0288/1160] core/exec-invoke: call pam_setcred(PAM_DELETE_CRED) + after pam_close_session() + +The man page pam_setcred(3) states: +> The credentials should be deleted after the session has been closed +> (with pam_close_session(3)). + +Follow-up for 3bb39ea936a51a6a63a8b65a135521df098c32c4. + +(cherry picked from commit 41ad01520573d5d2cb0ff05cfcfb492fcc0f5d22) +--- + src/core/exec-invoke.c | 24 ++++++++++++++++++------ + 1 file changed, 18 insertions(+), 6 deletions(-) + +diff --git a/src/core/exec-invoke.c b/src/core/exec-invoke.c +index 9927e5d1e7..28d6142318 100644 +--- a/src/core/exec-invoke.c ++++ b/src/core/exec-invoke.c +@@ -1101,6 +1101,22 @@ static int null_conv( + return PAM_CONV_ERR; + } + ++static int pam_close_session_and_delete_credentials(pam_handle_t *handle, int flags) { ++ int r, s; ++ ++ assert(handle); ++ ++ r = pam_close_session(handle, flags); ++ if (r != PAM_SUCCESS) ++ log_debug("pam_close_session() failed: %s", pam_strerror(handle, r)); ++ ++ s = pam_setcred(handle, PAM_DELETE_CRED | flags); ++ if (s != PAM_SUCCESS) ++ log_debug("pam_setcred(PAM_DELETE_CRED) failed: %s", pam_strerror(handle, s)); ++ ++ return r != PAM_SUCCESS ? 
r : s; ++} ++ + #endif + + static int setup_pam( +@@ -1259,13 +1275,9 @@ static int setup_pam( + } + } + +- pam_code = pam_setcred(handle, PAM_DELETE_CRED | flags); +- if (pam_code != PAM_SUCCESS) +- goto child_finish; +- + /* If our parent died we'll end the session */ + if (getppid() != parent_pid) { +- pam_code = pam_close_session(handle, flags); ++ pam_code = pam_close_session_and_delete_credentials(handle, flags); + if (pam_code != PAM_SUCCESS) + goto child_finish; + } +@@ -1308,7 +1320,7 @@ fail: + + if (handle) { + if (close_session) +- pam_code = pam_close_session(handle, flags); ++ pam_code = pam_close_session_and_delete_credentials(handle, flags); + + (void) pam_end(handle, pam_code | flags); + } +-- +2.33.0 + diff --git a/backport-core-exec-invoke-call-setpriority-after-sched_setatt.patch b/backport-core-exec-invoke-call-setpriority-after-sched_setatt.patch new file mode 100644 index 0000000..072d69c --- /dev/null +++ b/backport-core-exec-invoke-call-setpriority-after-sched_setatt.patch 
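Review bot: The PAM_DELETE_CRED call on setup_pam()'s post-wait path is now reached only inside the `if (getppid() != parent_pid)` branch, whereas the removed lines invoked pam_setcred(PAM_DELETE_CRED) unconditionally before that check, so a SIGTERM that arrives while the parent is still alive no longer deletes credentials before pam_end(). That is probably intended, since the pam_setcred(3) text quoted in the commit message ties credential deletion to closing the session, but the commit message does not call out the behaviour change. A comment above the check, `/* Credentials are dropped together with the session (pam_setcred(3)); if the parent is still alive the session stays open. */`, would record it. In the new helper a pam_close_session() failure takes precedence over a later pam_setcred() failure in the return value, which the function deserves a comment for as well. setup_pam() begins and ends outside the hunk.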
@@ -0,0 +1,57 @@ +From 4994f15f35c183792afcfc12de91b9074379a09c Mon Sep 17 00:00:00 2001 +From: Ivan Shapovalov +Date: Wed, 7 Aug 2024 10:02:45 +0200 +Subject: [PATCH 0848/1160] core/exec-invoke: call setpriority() after + sched_setattr() + +The nice value is part of struct sched_attr, and consequently invoking +sched_setattr() after setpriority() would clobber the nice value with +the default (as we are not setting it in struct sched_attr). + +It would be best to combine both calls, but for now simply invoke +setpriority() after sched_setattr() to make sure Nice= remains effective +when used together with CPUSchedulingPolicy=. + +(cherry picked from commit 711a157738b3dcd29a5ebc8f498eb46bfac59652) +(cherry picked from commit b628d4dfa61234d28ffaa648ec09c5e9972f832a) +--- + src/core/exec-invoke.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +diff --git a/src/core/exec-invoke.c b/src/core/exec-invoke.c +index 32373ed0c2..308d332c15 100644 +--- a/src/core/exec-invoke.c ++++ b/src/core/exec-invoke.c +@@ -4279,14 +4279,6 @@ int exec_invoke( + } + } + +- if (context->nice_set) { +- r = setpriority_closest(context->nice); +- if (r < 0) { +- *exit_status = EXIT_NICE; +- return log_exec_error_errno(context, params, r, "Failed to set up process scheduling priority (nice level): %m"); +- } +- } +- + if (context->cpu_sched_set) { + struct sched_attr attr = { + .size = sizeof(attr), +@@ -4302,6 +4294,14 @@ int exec_invoke( + } + } + ++ if (context->nice_set) { ++ r = setpriority_closest(context->nice); ++ if (r < 0) { ++ *exit_status = EXIT_NICE; ++ return log_exec_error_errno(context, params, r, "Failed to set up process scheduling priority (nice level): %m"); ++ } ++ } ++ + if (context->cpu_affinity_from_numa || context->cpu_set.set) { + _cleanup_(cpu_set_reset) CPUSet converted_cpu_set = {}; + const CPUSet *cpu_set; +-- +2.33.0 + 
diff --git a/backport-core-exec-invoke-prevent-potential-double-close-of-e.patch b/backport-core-exec-invoke-prevent-potential-double-close-of-e.patch new file mode 100644 index 0000000..ee16815 --- /dev/null +++ b/backport-core-exec-invoke-prevent-potential-double-close-of-e.patch 
@@ -0,0 +1,143 @@ +From 9ac6463f424df2af7f4ed867307d5980c8518fa3 Mon Sep 17 00:00:00 2001 +From: Mike Yuan +Date: Thu, 30 Nov 2023 20:09:29 +0800 +Subject: [PATCH 0015/1160] core/exec-invoke: prevent potential double-close of + exec_fd + +If exec_fd is closed in add_shifted_fd() by close_and_replace(), +but something goes wrong later, we may close exec_fd twice +in exec_params_shallow_clear(). + +(cherry picked from commit 5a5fdfe3ac27914e0487f0a7c506882227991ec5) +--- + src/core/exec-invoke.c | 47 +++++++++++++++++++----------------------- + 1 file changed, 21 insertions(+), 26 deletions(-) + +diff --git a/src/core/exec-invoke.c b/src/core/exec-invoke.c +index b24e44dbfe..cc87f213de 100644 +--- a/src/core/exec-invoke.c ++++ b/src/core/exec-invoke.c +@@ -3601,32 +3601,29 @@ static int exec_context_cpu_affinity_from_numa(const ExecContext *c, CPUSet *ret + return cpu_set_add_all(ret, &s); + } + +-static int add_shifted_fd(int *fds, size_t fds_size, size_t *n_fds, int fd, int *ret_fd) { ++static int add_shifted_fd(int *fds, size_t fds_size, size_t *n_fds, int *fd) { + int r; + + assert(fds); + assert(n_fds); + assert(*n_fds < fds_size); +- assert(ret_fd); ++ assert(fd); + +- if (fd < 0) { +- *ret_fd = -EBADF; +- return 0; +- } ++ if (*fd < 0) ++ return 0; + +- if (fd < 3 + (int) *n_fds) { ++ if (*fd < 3 + (int) *n_fds) { + /* Let's move the fd up, so that it's outside of the fd range we will use to store + * the fds we pass to the process (or which are closed only during execve). 
*/ + +- r = fcntl(fd, F_DUPFD_CLOEXEC, 3 + (int) *n_fds); ++ r = fcntl(*fd, F_DUPFD_CLOEXEC, 3 + (int) *n_fds); + if (r < 0) + return -errno; + +- close_and_replace(fd, r); ++ close_and_replace(*fd, r); + } + +- *ret_fd = fds[*n_fds] = fd; +- (*n_fds) ++; ++ fds[(*n_fds)++] = *fd; + return 1; + } + +@@ -3926,7 +3923,7 @@ int exec_invoke( + int *exit_status) { + + _cleanup_strv_free_ char **our_env = NULL, **pass_env = NULL, **joined_exec_search_path = NULL, **accum_env = NULL, **replaced_argv = NULL; +- int r, ngids = 0, exec_fd; ++ int r, ngids = 0; + _cleanup_free_ gid_t *supplementary_gids = NULL; + const char *username = NULL, *groupname = NULL; + _cleanup_free_ char *home_buffer = NULL, *memory_pressure_path = NULL; +@@ -4064,19 +4061,17 @@ int exec_invoke( + memcpy_safe(keep_fds, fds, n_fds * sizeof(int)); + n_keep_fds = n_fds; + +- r = add_shifted_fd(keep_fds, ELEMENTSOF(keep_fds), &n_keep_fds, params->exec_fd, &exec_fd); ++ r = add_shifted_fd(keep_fds, ELEMENTSOF(keep_fds), &n_keep_fds, ¶ms->exec_fd); + if (r < 0) { + *exit_status = EXIT_FDS; +- return log_exec_error_errno(context, params, r, "Failed to shift fd and set FD_CLOEXEC: %m"); ++ return log_exec_error_errno(context, params, r, "Failed to collect shifted fd: %m"); + } + + #if HAVE_LIBBPF +- if (params->bpf_outer_map_fd >= 0) { +- r = add_shifted_fd(keep_fds, ELEMENTSOF(keep_fds), &n_keep_fds, params->bpf_outer_map_fd, (int *)¶ms->bpf_outer_map_fd); +- if (r < 0) { +- *exit_status = EXIT_FDS; +- return log_exec_error_errno(context, params, r, "Failed to shift fd and set FD_CLOEXEC: %m"); +- } ++ r = add_shifted_fd(keep_fds, ELEMENTSOF(keep_fds), &n_keep_fds, ¶ms->bpf_outer_map_fd); ++ if (r < 0) { ++ *exit_status = EXIT_FDS; ++ return log_exec_error_errno(context, params, r, "Failed to collect shifted fd: %m"); + } + #endif + +@@ -4757,10 +4752,10 @@ int exec_invoke( + "EXECUTABLE=%s", command->path); + } + +- r = add_shifted_fd(keep_fds, ELEMENTSOF(keep_fds), &n_keep_fds, executable_fd, 
&executable_fd); ++ r = add_shifted_fd(keep_fds, ELEMENTSOF(keep_fds), &n_keep_fds, &executable_fd); + if (r < 0) { + *exit_status = EXIT_FDS; +- return log_exec_error_errno(context, params, r, "Failed to shift fd and set FD_CLOEXEC: %m"); ++ return log_exec_error_errno(context, params, r, "Failed to collect shifted fd: %m"); + } + + #if HAVE_SELINUX +@@ -5210,13 +5205,13 @@ int exec_invoke( + + log_command_line(context, params, "Executing", executable, final_argv); + +- if (exec_fd >= 0) { ++ if (params->exec_fd >= 0) { + uint8_t hot = 1; + + /* We have finished with all our initializations. Let's now let the manager know that. From this point + * on, if the manager sees POLLHUP on the exec_fd, then execve() was successful. */ + +- if (write(exec_fd, &hot, sizeof(hot)) < 0) { ++ if (write(params->exec_fd, &hot, sizeof(hot)) < 0) { + *exit_status = EXIT_EXEC; + return log_exec_error_errno(context, params, errno, "Failed to enable exec_fd: %m"); + } +@@ -5224,13 +5219,13 @@ int exec_invoke( + + r = fexecve_or_execve(executable_fd, executable, final_argv, accum_env); + +- if (exec_fd >= 0) { ++ if (params->exec_fd >= 0) { + uint8_t hot = 0; + + /* The execve() failed. This means the exec_fd is still open. Which means we need to tell the manager + * that POLLHUP on it no longer means execve() succeeded. */ + +- if (write(exec_fd, &hot, sizeof(hot)) < 0) { ++ if (write(params->exec_fd, &hot, sizeof(hot)) < 0) { + *exit_status = EXIT_EXEC; + return log_exec_error_errno(context, params, errno, "Failed to disable exec_fd: %m"); + } +-- +2.33.0 + diff --git a/backport-core-exec-invoke-remove-redundant-fd_cloexec-call.patch b/backport-core-exec-invoke-remove-redundant-fd_cloexec-call.patch new file mode 100644 index 0000000..fff4bf2 --- /dev/null +++ b/backport-core-exec-invoke-remove-redundant-fd_cloexec-call.patch 
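Review bot: add_shifted_fd() now updates the caller's descriptor in place and closes the original on the fcntl(F_DUPFD_CLOEXEC) path, but the function carries no comment describing that contract, nor the meaning of its `return 1` versus `return 0`. A header comment such as `/* Moves *fd above the range reserved for passed fds (closing the old one) and records it in fds[]; *fd is updated in place so the caller never keeps a stale copy. Returns 1 if recorded, 0 if *fd was negative. */` would make the double-close fix self-explanatory to the next reader. Dropping the `if (params->bpf_outer_map_fd >= 0)` guard around the second call looks correct, since the helper itself returns 0 for negative descriptors. exec_invoke() begins and ends outside the hunk.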
@@ -0,0 +1,60 @@ +From 2357267a8f702eb6d32114892665e480f89c746c Mon Sep 17 00:00:00 2001 +From: Mike Yuan +Date: Thu, 30 Nov 2023 19:24:01 +0800 +Subject: [PATCH 0014/1160] core/exec-invoke: remove redundant fd_cloexec() + call + +(cherry picked from commit f38cbaff63e662c8a1aa0c7708e0e796d6c3aee2) +--- + src/core/execute-serialize.c | 12 ------------ + src/core/executor.c | 4 +++- + 2 files changed, 3 insertions(+), 13 deletions(-) + +diff --git a/src/core/execute-serialize.c b/src/core/execute-serialize.c +index 6c19cd42a2..6c62bdf7c5 100644 +--- a/src/core/execute-serialize.c ++++ b/src/core/execute-serialize.c +@@ -1611,12 +1611,6 @@ static int exec_parameters_deserialize(ExecParameters *p, FILE *f, FDSet *fds) { + if (fd < 0) + continue; + +- /* This is special and relies on close-on-exec semantics, make sure it's +- * there */ +- r = fd_cloexec(fd, true); +- if (r < 0) +- return r; +- + p->exec_fd = fd; + } else if ((val = startswith(l, "exec-parameters-bpf-outer-map-fd="))) { + int fd; +@@ -1625,12 +1619,6 @@ static int exec_parameters_deserialize(ExecParameters *p, FILE *f, FDSet *fds) { + if (fd < 0) + continue; + +- /* This is special and relies on close-on-exec semantics, make sure it's +- * there */ +- r = fd_cloexec(fd, true); +- if (r < 0) +- return r; +- + p->bpf_outer_map_fd = fd; + } else if ((val = startswith(l, "exec-parameters-notify-socket="))) { + r = free_and_strdup(&p->notify_socket, val); +diff --git a/src/core/executor.c b/src/core/executor.c +index f55bacdbd8..993cd4a4d2 100644 +--- a/src/core/executor.c ++++ b/src/core/executor.c +@@ -204,7 +204,9 @@ int main(int argc, char *argv[]) { + log_set_prohibit_ipc(false); + log_open(); + +- /* The serialization fd is set to CLOEXEC in parse_argv, so it's also filtered. */ ++ /* This call would collect all passed fds and enable CLOEXEC. We'll unset it in exec_invoke (flag_fds) ++ * for fds that shall be passed to the child. 
++ * The serialization fd is set to CLOEXEC in parse_argv, so it's also filtered. */ + r = fdset_new_fill(/* filter_cloexec= */ 0, &fdset); + if (r < 0) + return log_error_errno(r, "Failed to create fd set: %m"); +-- +2.33.0 + diff --git a/backport-core-exec-invoke-rename-flags_fds-to-flag_fds.patch b/backport-core-exec-invoke-rename-flags_fds-to-flag_fds.patch new file mode 100644 index 0000000..b9d9b9f --- /dev/null +++ b/backport-core-exec-invoke-rename-flags_fds-to-flag_fds.patch @@ -0,0 +1,47 @@ +From 3db2c1a90b746aa778a45aaa363f117853ab0ac5 Mon Sep 17 00:00:00 2001 +From: Mike Yuan +Date: Thu, 30 Nov 2023 19:16:49 +0800 +Subject: [PATCH 0012/1160] core/exec-invoke: rename flags_fds to flag_fds + +(cherry picked from commit d8da25b5d9c9251baf64cff1c8612a465d7b5415) +--- + src/core/exec-invoke.c | 9 +++------ + 1 file changed, 3 insertions(+), 6 deletions(-) + +diff --git a/src/core/exec-invoke.c b/src/core/exec-invoke.c +index 74c910fc12..b24e44dbfe 100644 +--- a/src/core/exec-invoke.c ++++ b/src/core/exec-invoke.c +@@ -105,7 +105,7 @@ static int shift_fds(int fds[], size_t n_fds) { + return 0; + } + +-static int flags_fds( ++static int flag_fds( + const int fds[], + size_t n_socket_fds, + size_t n_fds, +@@ -113,10 +113,7 @@ static int flags_fds( + + int r; + +- if (n_fds <= 0) +- return 0; +- +- assert(fds); ++ assert(fds || n_fds == 0); + + /* Drops/Sets O_NONBLOCK and FD_CLOEXEC from the file flags. + * O_NONBLOCK only applies to socket activation though. */ +@@ -4808,7 +4805,7 @@ int exec_invoke( + if (r >= 0) + r = shift_fds(fds, n_fds); + if (r >= 0) +- r = flags_fds(fds, n_socket_fds, n_fds, context->non_blocking); ++ r = flag_fds(fds, n_socket_fds, n_fds, context->non_blocking); + if (r < 0) { + *exit_status = EXIT_FDS; + return log_exec_error_errno(context, params, r, "Failed to adjust passed file descriptors: %m"); +-- +2.33.0 + 
diff --git a/backport-core-exec-invoke-reopen-OpenFile-fds-with-O_NOCTTY.patch b/backport-core-exec-invoke-reopen-OpenFile-fds-with-O_NOCTTY.patch new file mode 100644 index 0000000..56302b2 --- /dev/null +++ b/backport-core-exec-invoke-reopen-OpenFile-fds-with-O_NOCTTY.patch @@ -0,0 +1,28 @@ +From 8966f222cd56cb4dbc323b665513334cedf397da Mon Sep 17 00:00:00 2001 +From: Mike Yuan +Date: Mon, 24 Jun 2024 18:26:15 +0200 +Subject: [PATCH 0720/1160] core/exec-invoke: reopen OpenFile= fds with + O_NOCTTY + +(cherry picked from commit b9c5d812d5132ea1d6a7146be80d41ae2ccb288e) +(cherry picked from commit 0b909bf685c661027d1fdc59abcab77c06d62406) +--- + src/core/exec-invoke.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/core/exec-invoke.c b/src/core/exec-invoke.c +index 24524fa0f1..7c825e8b94 100644 +--- a/src/core/exec-invoke.c ++++ b/src/core/exec-invoke.c +@@ -3721,7 +3721,7 @@ static int get_open_file_fd(const ExecContext *c, const ExecParameters *p, const + else if (FLAGS_SET(of->flags, OPENFILE_TRUNCATE)) + flags |= O_TRUNC; + +- fd = fd_reopen(ofd, flags | O_CLOEXEC); ++ fd = fd_reopen(ofd, flags|O_NOCTTY|O_CLOEXEC); + if (fd < 0) + return log_exec_error_errno(c, p, fd, "Failed to open file %s: %m", of->path); + +-- +2.33.0 + diff --git a/backport-core-exec-invoke-use-sched_setattr-instead-of-sched_.patch b/backport-core-exec-invoke-use-sched_setattr-instead-of-sched_.patch new file mode 100644 index 0000000..20dd012 --- /dev/null +++ b/backport-core-exec-invoke-use-sched_setattr-instead-of-sched_.patch 
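Review bot: The new `fd_reopen(ofd, flags|O_NOCTTY|O_CLOEXEC)` in get_open_file_fd() has no comment explaining the added flag and the commit message gives no rationale. The reopen performs a fresh open(2), and a session leader without a controlling terminal that opens a terminal device without O_NOCTTY acquires it as its controlling tty, which a service reopening an OpenFile= entry that happens to be a tty should never do. A one-line comment such as `/* O_NOCTTY: a reopened OpenFile= tty must not become our controlling terminal */` would preserve the reasoning next to the call. get_open_file_fd() begins and ends outside the hunk.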
@@ -0,0 +1,167 @@ +From 02e50f7a4b53e56b051889b982fa43118c577493 Mon Sep 17 00:00:00 2001 +From: Florian Schmaus +Date: Wed, 26 Jun 2024 14:37:52 +0200 +Subject: [PATCH 0724/1160] core/exec-invoke: use sched_setattr instead of + sched_setscheduler + +The kernel's sched_setattr interface allows for more control over a processes +scheduling attributes as the previously used sched_setscheduler interface. + +Using sched_setattr is also the prerequisite for support of utilization +clamping (UCLAMP [1], see #26705) and allows to set sched_runtime. The latter, +sched_runtime, will probably become a relevant scheduling parameter of the +EEVDF scheduler [2, 3], and therefore will not only apply to processes +scheduled via SCHED_DEADLINE, but also for processes scheduled via +SCHED_OTHER/SCHED_BATCH (i.e., most processes). + +1: https://docs.kernel.org/next/scheduler/sched-util-clamp.html +2: https://lwn.net/Articles/969062/ +3: https://lwn.net/ml/linux-kernel/20240405110010.934104715@infradead.org/ +(cherry picked from commit 016e9d8d08ce66f5e81b42e0a0db398afc17336a) +(cherry picked from commit fb7ec285c98d9eeaa69d1efda3e450e6f7207e57) +--- + meson.build | 3 +++ + src/basic/missing_sched.h | 18 ++++++++++++++++++ + src/basic/missing_syscall.h | 17 +++++++++++++++++ + src/core/exec-invoke.c | 13 +++++++------ + 4 files changed, 45 insertions(+), 6 deletions(-) + +diff --git a/meson.build b/meson.build +index 3d7b0d5fe6..aa21b3c549 100644 +--- a/meson.build ++++ b/meson.build +@@ -524,6 +524,7 @@ decl_headers = ''' + #include + #include + #include ++#include + ''' + + foreach decl : ['char16_t', +@@ -531,6 +532,7 @@ foreach decl : ['char16_t', + 'struct mount_attr', + 'struct statx', + 'struct dirent64', ++ 'struct sched_attr', + ] + + # We get -1 if the size cannot be determined +@@ -578,6 +580,7 @@ foreach ident : [ + #include '''], # no known header declares pivot_root + ['ioprio_get', '''#include '''], # no known header declares ioprio_get + ['ioprio_set', '''#include 
'''], # no known header declares ioprio_set ++ ['sched_setattr', '''#include '''], # no known header declares sched_setattr + ['name_to_handle_at', '''#include + #include + #include '''], +diff --git a/src/basic/missing_sched.h b/src/basic/missing_sched.h +index bcd5b77120..fbf18c315f 100644 +--- a/src/basic/missing_sched.h ++++ b/src/basic/missing_sched.h +@@ -1,6 +1,7 @@ + /* SPDX-License-Identifier: LGPL-2.1-or-later */ + #pragma once + ++#include + #include + + #ifndef CLONE_NEWCGROUP +@@ -24,3 +25,20 @@ + #ifndef TASK_COMM_LEN + #define TASK_COMM_LEN 16 + #endif ++ ++#if !HAVE_STRUCT_SCHED_ATTR ++struct sched_attr { ++ __u32 size; /* Size of this structure */ ++ __u32 sched_policy; /* Policy (SCHED_*) */ ++ __u64 sched_flags; /* Flags */ ++ __s32 sched_nice; /* Nice value (SCHED_OTHER, ++ SCHED_BATCH) */ ++ __u32 sched_priority; /* Static priority (SCHED_FIFO, ++ SCHED_RR) */ ++ /* Remaining fields are for SCHED_DEADLINE ++ and potentially soon for SCHED_OTHER/SCHED_BATCH */ ++ __u64 sched_runtime; ++ __u64 sched_deadline; ++ __u64 sched_period; ++}; ++#endif +diff --git a/src/basic/missing_syscall.h b/src/basic/missing_syscall.h +index 86280771c4..e2cd8b4e35 100644 +--- a/src/basic/missing_syscall.h ++++ b/src/basic/missing_syscall.h +@@ -22,6 +22,7 @@ + + #include "macro.h" + #include "missing_keyctl.h" ++#include "missing_sched.h" + #include "missing_stat.h" + #include "missing_syscall_def.h" + +@@ -667,6 +668,22 @@ static inline ssize_t missing_getdents64(int fd, void *buffer, size_t length) { + + /* ======================================================================= */ + ++#if !HAVE_SCHED_SETATTR ++ ++static inline ssize_t missing_sched_setattr(pid_t pid, struct sched_attr *attr, unsigned int flags) { ++# if defined __NR_sched_setattr ++ return syscall(__NR_sched_setattr, pid, attr, flags); ++# else ++ errno = ENOSYS; ++ return -1; ++# endif ++} ++ ++# define sched_setattr missing_sched_setattr ++#endif ++ ++/* 
======================================================================= */ ++ + /* glibc does not provide clone() on ia64, only clone2(). Not only that, but it also doesn't provide a + * prototype, only the symbol in the shared library (it provides a prototype for clone(), but not the + * symbol in the shared library). */ +diff --git a/src/core/exec-invoke.c b/src/core/exec-invoke.c +index 7c825e8b94..32373ed0c2 100644 +--- a/src/core/exec-invoke.c ++++ b/src/core/exec-invoke.c +@@ -1,5 +1,6 @@ + /* SPDX-License-Identifier: LGPL-2.1-or-later */ + ++#include + #include + #include + #include +@@ -43,6 +44,7 @@ + #include "iovec-util.h" + #include "missing_ioprio.h" + #include "missing_prctl.h" ++#include "missing_sched.h" + #include "missing_securebits.h" + #include "missing_syscall.h" + #include "mkdir-label.h" +@@ -4286,15 +4288,14 @@ int exec_invoke( + } + + if (context->cpu_sched_set) { +- struct sched_param param = { ++ struct sched_attr attr = { ++ .size = sizeof(attr), ++ .sched_policy = context->cpu_sched_policy, + .sched_priority = context->cpu_sched_priority, ++ .sched_flags = context->cpu_sched_reset_on_fork ? SCHED_FLAG_RESET_ON_FORK : 0, + }; + +- r = sched_setscheduler(0, +- context->cpu_sched_policy | +- (context->cpu_sched_reset_on_fork ? +- SCHED_RESET_ON_FORK : 0), +- ¶m); ++ r = sched_setattr(/* pid= */ 0, &attr, /* flags= */ 0); + if (r < 0) { + *exit_status = EXIT_SETSCHEDULER; + return log_exec_error_errno(context, params, errno, "Failed to set up CPU scheduling: %m"); +-- +2.33.0 + diff --git a/backport-core-execute-don-t-reload-selinux-before-spawning-ex.patch b/backport-core-execute-don-t-reload-selinux-before-spawning-ex.patch new file mode 100644 index 0000000..7891ee6 --- /dev/null +++ b/backport-core-execute-don-t-reload-selinux-before-spawning-ex.patch 
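Review bot: The new sched_setattr() call in exec_invoke() has no fallback when the syscall is unavailable: the missing_sched_setattr() shim sets errno to ENOSYS, so on such a kernel the unit now fails with EXIT_SETSCHEDULER where sched_setscheduler() previously succeeded. sched_setattr has been in mainline since Linux 3.14, so this is likely acceptable, but it is a behaviour change the commit message does not mention and deserves a comment next to the call, e.g. `/* No sched_setscheduler() fallback: sched_setattr() has been available since Linux 3.14 */`. The fallback `struct sched_attr` in missing_sched.h also omits the utilization-clamp fields the commit message alludes to; passing `.size = sizeof(attr)` should keep the kernel accepting the shorter layout, which is worth stating in the comment above the struct. exec_invoke() begins and ends outside the hunk.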
@@ -0,0 +1,32 @@ +From e8acf0795536d96a88d559da13ec4fa79f5934e6 Mon Sep 17 00:00:00 2001 +From: Mike Yuan +Date: Fri, 12 Jan 2024 15:13:29 +0800 +Subject: [PATCH 0145/1160] core/execute: don't reload selinux before spawning + executor + +With the introduction of sd-executor, SELinux needs to be re-initialized +after execve() anyway. + +(cherry picked from commit 73090a38b0cf7fd62fb8dfb337885a5747e591b4) +--- + src/core/execute.c | 4 ---- + 1 file changed, 4 deletions(-) + +diff --git a/src/core/execute.c b/src/core/execute.c +index ef0bf88687..8dbdfcf369 100644 +--- a/src/core/execute.c ++++ b/src/core/execute.c +@@ -382,10 +382,6 @@ int exec_spawn(Unit *unit, + if (r < 0) + return log_unit_error_errno(unit, r, "Failed to load environment files: %m"); + +- /* Fork with up-to-date SELinux label database, so the child inherits the up-to-date db +- and, until the next SELinux policy changes, we save further reloads in future children. */ +- mac_selinux_maybe_reload(); +- + /* We won't know the real executable path until we create the mount namespace in the child, but we + want to log from the parent, so we use the possibly inaccurate path here. */ + log_command_line(unit, "About to execute", command->path, command->argv); +-- +2.33.0 + diff --git a/backport-core-execute-serialize-drop-extraneous-in-ip-in-e-gr.patch b/backport-core-execute-serialize-drop-extraneous-in-ip-in-e-gr.patch new file mode 100644 index 0000000..8684c68 --- /dev/null +++ b/backport-core-execute-serialize-drop-extraneous-in-ip-in-e-gr.patch 
@@ -0,0 +1,33 @@ +From 807f3ccb07df60834babfa292830e15a3d1afdac Mon Sep 17 00:00:00 2001 +From: Mike Yuan +Date: Sat, 3 Aug 2024 22:37:41 +0200 +Subject: [PATCH 0836/1160] core/execute-serialize: drop extraneous '=' in + ip-{in,e}gress serialization + +(cherry picked from commit f0fdd13c2f06f9c78747103b971566e2c62b9333) +(cherry picked from commit 8beae811239830a86107abbbd6256b13cde2e33f) +--- + src/core/execute-serialize.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/core/execute-serialize.c b/src/core/execute-serialize.c +index b1e716e8cc..5239d8ccf0 100644 +--- a/src/core/execute-serialize.c ++++ b/src/core/execute-serialize.c +@@ -431,11 +431,11 @@ static int exec_cgroup_context_serialize(const CGroupContext *c, FILE *f) { + if (r < 0) + return r; + +- r = serialize_strv(f, "exec-cgroup-context-ip-ingress-filter-path=", c->ip_filters_ingress); ++ r = serialize_strv(f, "exec-cgroup-context-ip-ingress-filter-path", c->ip_filters_ingress); + if (r < 0) + return r; + +- r = serialize_strv(f, "exec-cgroup-context-ip-egress-filter-path=", c->ip_filters_egress); ++ r = serialize_strv(f, "exec-cgroup-context-ip-egress-filter-path", c->ip_filters_egress); + if (r < 0) + return r; + +-- +2.33.0 + diff --git a/backport-core-execute-serialize-use-serialize_item_escaped-fo.patch b/backport-core-execute-serialize-use-serialize_item_escaped-fo.patch new file mode 100644 index 0000000..5c25339 --- /dev/null +++ b/backport-core-execute-serialize-use-serialize_item_escaped-fo.patch 
@@ -0,0 +1,104 @@ +From 510aa8b33d9221c7370a199192ee375f988d039c Mon Sep 17 00:00:00 2001 +From: Mike Yuan +Date: Sat, 3 Aug 2024 22:38:18 +0200 +Subject: [PATCH 0837/1160] core/execute-serialize: use + serialize_item_escaped() for external paths + +Otherwise, read_stripped_line() would spuriously drop trailing spaces. + +Fixes #33924 + +(cherry picked from commit 9be46b1da8b01c3f47e6c050185f2b45484d6300) +(cherry picked from commit c3ede0cfe78c4d70cfbeb333897969e27a6c6dda) +--- + src/core/execute-serialize.c | 52 ++++++++++++++++++++++-------------- + 1 file changed, 32 insertions(+), 20 deletions(-) + +diff --git a/src/core/execute-serialize.c b/src/core/execute-serialize.c +index 5239d8ccf0..7320722512 100644 +--- a/src/core/execute-serialize.c ++++ b/src/core/execute-serialize.c +@@ -1739,15 +1739,23 @@ static int exec_context_serialize(const ExecContext *c, FILE *f) { + if (r < 0) + return r; + +- r = serialize_item(f, "exec-context-working-directory", c->working_directory); ++ r = serialize_item_escaped(f, "exec-context-working-directory", c->working_directory); + if (r < 0) + return r; + +- r = serialize_item(f, "exec-context-root-directory", c->root_directory); ++ r = serialize_bool_elide(f, "exec-context-working-directory-missing-ok", c->working_directory_missing_ok); + if (r < 0) + return r; + +- r = serialize_item(f, "exec-context-root-image", c->root_image); ++ r = serialize_bool_elide(f, "exec-context-working-directory-home", c->working_directory_home); ++ if (r < 0) ++ return r; ++ ++ r = serialize_item_escaped(f, "exec-context-root-directory", c->root_directory); ++ if (r < 0) ++ return r; ++ ++ r = serialize_item_escaped(f, "exec-context-root-image", c->root_image); + if (r < 0) + return r; + +@@ -1968,14 +1976,6 @@ static int exec_context_serialize(const ExecContext *c, FILE *f) { + return r; + } + +- r = serialize_bool_elide(f, "exec-context-working-directory-missing-ok", c->working_directory_missing_ok); +- if (r < 0) +- return r; +- +- r = 
serialize_bool_elide(f, "exec-context-working-directory-home", c->working_directory_home); +- if (r < 0) +- return r; +- + if (c->oom_score_adjust_set) { + r = serialize_item_format(f, "exec-context-oom-score-adjust", "%i", c->oom_score_adjust); + if (r < 0) +@@ -2611,17 +2611,29 @@ static int exec_context_deserialize(ExecContext *c, FILE *f) { + if (r < 0) + return r; + } else if ((val = startswith(l, "exec-context-working-directory="))) { +- r = free_and_strdup(&c->working_directory, val); +- if (r < 0) +- return r; ++ ssize_t k; ++ char *p; ++ ++ k = cunescape(val, 0, &p); ++ if (k < 0) ++ return k; ++ free_and_replace(c->working_directory, p); + } else if ((val = startswith(l, "exec-context-root-directory="))) { +- r = free_and_strdup(&c->root_directory, val); +- if (r < 0) +- return r; ++ ssize_t k; ++ char *p; ++ ++ k = cunescape(val, 0, &p); ++ if (k < 0) ++ return k; ++ free_and_replace(c->root_directory, p); + } else if ((val = startswith(l, "exec-context-root-image="))) { +- r = free_and_strdup(&c->root_image, val); +- if (r < 0) +- return r; ++ ssize_t k; ++ char *p; ++ ++ k = cunescape(val, 0, &p); ++ if (k < 0) ++ return k; ++ free_and_replace(c->root_image, p); + } else if ((val = startswith(l, "exec-context-root-image-options="))) { + for (;;) { + _cleanup_free_ char *word = NULL, *mount_options = NULL, *partition = NULL; +-- +2.33.0 + diff --git a/backport-core-executor-do-destruct-static-variables-and-selin.patch b/backport-core-executor-do-destruct-static-variables-and-selin.patch new file mode 100644 index 0000000..08e4d4a --- /dev/null +++ b/backport-core-executor-do-destruct-static-variables-and-selin.patch 
@@ -0,0 +1,85 @@ +From 3c1ea052a1b188ca12242700aa43efab5b0432fa Mon Sep 17 00:00:00 2001 +From: Mike Yuan +Date: Sat, 9 Dec 2023 00:06:16 +0800 +Subject: [PATCH 0032/1160] core/executor: do destruct static variables and + selinux before exiting + +I was wondering why I couldn't trigger the assertion in safe_fclose() +when submitting #30251. It turned out that the static destructor was +not run at all :/ + +Replace main() with a minimized version of main-func.h. This also +prevents emitting negative exit codes. + +(cherry picked from commit ba8245a77a074bf65db79a60d2b6e390d76ebde3) +--- + src/core/executor.c | 28 ++++++++++++++++++++-------- + 1 file changed, 20 insertions(+), 8 deletions(-) + +diff --git a/src/core/executor.c b/src/core/executor.c +index 51c727f325..b2716efeea 100644 +--- a/src/core/executor.c ++++ b/src/core/executor.c +@@ -19,9 +19,10 @@ + #include "label-util.h" + #include "parse-util.h" + #include "pretty-print.h" ++#include "selinux-util.h" + #include "static-destruct.h" + +-static FILE* arg_serialization = NULL; ++static FILE *arg_serialization = NULL; + + STATIC_DESTRUCTOR_REGISTER(arg_serialization, fclosep); + +@@ -171,9 +172,8 @@ static int parse_argv(int argc, char *argv[]) { + return 1 /* work to do */; + } + +-int main(int argc, char *argv[]) { ++static int run(int argc, char *argv[]) { + _cleanup_fdset_free_ FDSet *fdset = NULL; +- int exit_status = EXIT_SUCCESS, r; + _cleanup_(cgroup_context_done) CGroupContext cgroup_context = {}; + _cleanup_(exec_context_done) ExecContext context = {}; + _cleanup_(exec_command_done) ExecCommand command = {}; +@@ -188,15 +188,11 @@ int main(int argc, char *argv[]) { + .shared = &shared, + .dynamic_creds = &dynamic_creds, + }; ++ int exit_status = EXIT_SUCCESS, r; + + exec_context_init(&context); + cgroup_context_init(&cgroup_context); + +- /* We use safe_fork() for spawning sd-pam helper process, which internally calls rename_process(). 
+- * As the last step of renaming, all saved argvs are memzero()-ed. Hence, we need to save the argv +- * first to prevent showing "intense" cmdline. See #30352. */ +- save_argc_argv(argc, argv); +- + /* We might be starting the journal itself, we'll be told by the caller what to do */ + log_set_always_reopen_console(true); + log_set_prohibit_ipc(true); +@@ -258,3 +254,19 @@ int main(int argc, char *argv[]) { + + return exit_status; + } ++ ++int main(int argc, char *argv[]) { ++ int r; ++ ++ /* We use safe_fork() for spawning sd-pam helper process, which internally calls rename_process(). ++ * As the last step of renaming, all saved argvs are memzero()-ed. Hence, we need to save the argv ++ * first to prevent showing "intense" cmdline. See #30352. */ ++ save_argc_argv(argc, argv); ++ ++ r = run(argc, argv); ++ ++ mac_selinux_finish(); ++ static_destruct(); ++ ++ return r < 0 ? EXIT_FAILURE : r; ++} +-- +2.33.0 + diff --git a/backport-core-executor-save-argv-for-later-use-by-rename_proc.patch b/backport-core-executor-save-argv-for-later-use-by-rename_proc.patch new file mode 100644 index 0000000..f1b6da3 --- /dev/null +++ b/backport-core-executor-save-argv-for-later-use-by-rename_proc.patch 
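Review bot: The new `run()` mixes two return conventions — a negative errno from early failures and the positive child `exit_status` it returns at the end — and `main()` folds them with `return r < 0 ? EXIT_FAILURE : r;` without a comment stating that contract; a header comment on `run()` would make it explicit for the next edit: `/* Returns a negative errno on setup failure (mapped to EXIT_FAILURE by main()), otherwise the exit status to terminate with. */`. The other point worth recording in main() is that `mac_selinux_finish()` and `static_destruct()` now execute on every path, including failures, which is the intent described in the commit message: `/* Run teardown even when run() failed, so the registered destructors and SELinux cleanup always execute. */`. The body of run() between the two hunks is outside the hunk.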
@@ -0,0 +1,40 @@ +From b356b4c7d397bbc026a3fdf445d6a923c5c65b11 Mon Sep 17 00:00:00 2001 +From: Mike Yuan +Date: Fri, 8 Dec 2023 21:14:11 +0800 +Subject: [PATCH 0028/1160] core/executor: save argv for later use by + rename_process() + +Partially fixes #30352 + +(cherry picked from commit b041175e0894c8b2607e5cc8bc8b5e4ab9f53553) +--- + src/core/executor.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/src/core/executor.c b/src/core/executor.c +index 993cd4a4d2..51c727f325 100644 +--- a/src/core/executor.c ++++ b/src/core/executor.c +@@ -6,6 +6,7 @@ + #include "sd-messages.h" + + #include "alloc-util.h" ++#include "argv-util.h" + #include "build.h" + #include "exec-invoke.h" + #include "execute-serialize.h" +@@ -191,6 +192,11 @@ int main(int argc, char *argv[]) { + exec_context_init(&context); + cgroup_context_init(&cgroup_context); + ++ /* We use safe_fork() for spawning sd-pam helper process, which internally calls rename_process(). ++ * As the last step of renaming, all saved argvs are memzero()-ed. Hence, we need to save the argv ++ * first to prevent showing "intense" cmdline. See #30352. */ ++ save_argc_argv(argc, argv); ++ + /* We might be starting the journal itself, we'll be told by the caller what to do */ + log_set_always_reopen_console(true); + log_set_prohibit_ipc(true); +-- +2.33.0 + diff --git a/backport-core-fix-assert-when-AddDependencyUnitFiles-is-calle.patch b/backport-core-fix-assert-when-AddDependencyUnitFiles-is-calle.patch index 105dfbb..b3c64b8 100644 --- a/backport-core-fix-assert-when-AddDependencyUnitFiles-is-calle.patch +++ b/backport-core-fix-assert-when-AddDependencyUnitFiles-is-calle.patch @@ -1,8 +1,8 @@ -From 71efbe69b6b7a0d6a663b8dbe6fe4d8f5655848a Mon Sep 17 00:00:00 2001 +From 4d47117b05f2bd836c465c3efdee69c5a573e8d6 Mon Sep 17 00:00:00 2001 
From: Luca Boccassi Date: Mon, 6 Jan 2025 18:16:29 +0000 -Subject: [PATCH] core: fix assert when AddDependencyUnitFiles is called with - invalid parameter +Subject: [PATCH 1068/1160] core: fix assert when AddDependencyUnitFiles is + called with invalid parameter unit_file_add_dependency() asserts, so check before calling it that the type is expected, or return EINVAL to the caller. @@ -18,19 +18,15 @@ Fixes https://github.com/systemd/systemd/issues/35882 (cherry picked from commit d87dc74e8f1a30d72a0f202e411400bab34ab55a) (cherry picked from commit b6792202f31c4e83d23a944b845e1f17fc14f619) (cherry picked from commit c65056e1318fe20cf9b62771ffa589abe2c21a76) -(cherry picked from commit 4d47117b05f2bd836c465c3efdee69c5a573e8d6) - -Conflict:context adaptation -Reference:https://github.com/systemd/systemd-stable/commit/71efbe69b6b7a0d6a663b8dbe6fe4d8f5655848a --- src/core/dbus-manager.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/core/dbus-manager.c b/src/core/dbus-manager.c -index 856dd3b5dc..dea69bb6e2 100644 +index 4112f6af29..12d54351f8 100644 --- a/src/core/dbus-manager.c +++ b/src/core/dbus-manager.c -@@ -2820,7 +2820,7 @@ static int method_add_dependency_unit_files(sd_bus_message *message, void *userd +@@ -2828,7 +2828,7 @@ static int method_add_dependency_unit_files(sd_bus_message *message, void *userd flags = unit_file_bools_to_flags(runtime, force); dep = unit_dependency_from_string(type); diff --git a/backport-core-job-emit-job-start-message-if-we-re-only-waitin.patch b/backport-core-job-emit-job-start-message-if-we-re-only-waitin.patch new file mode 100644 index 0000000..bd79fd0 --- /dev/null +++ b/backport-core-job-emit-job-start-message-if-we-re-only-waitin.patch 
@@ -0,0 +1,97 @@ +From 7ee2d7d9cae5c6f38378787c7e99d474c8916032 Mon Sep 17 00:00:00 2001 +From: Mike Yuan +Date: Tue, 12 Dec 2023 16:33:13 +0800 +Subject: [PATCH 0055/1160] core/job: emit job start message if we're only + waiting for unit state + +Currently, start/stop messages for device units are not used, since +job_perform_on_unit() does nothing and we simply wait for unit status +change. I think we still want some nice log messages explaining what +the start jobs for devices are doing, so let's fix this. + +(cherry picked from commit d8deb18720a494a68251e14e521570c4bf6e2b96) +--- + src/core/job.c | 31 ++++++++++++++----------------- + 1 file changed, 14 insertions(+), 17 deletions(-) + +diff --git a/src/core/job.c b/src/core/job.c +index e7d1f65dbc..e78c2a70db 100644 +--- a/src/core/job.c ++++ b/src/core/job.c +@@ -833,13 +833,12 @@ static int job_perform_on_unit(Job **j) { + Manager *m; + JobType t; + Unit *u; ++ bool wait_only; + int r; + +- /* While we execute this operation the job might go away (for +- * example: because it finishes immediately or is replaced by +- * a new, conflicting job.) To make sure we don't access a +- * freed job later on we store the id here, so that we can +- * verify the job is still valid. */ ++ /* While we execute this operation the job might go away (for example: because it finishes immediately ++ * or is replaced by a new, conflicting job). To make sure we don't access a freed job later on we ++ * store the id here, so that we can verify the job is still valid. */ + + assert(j); + assert(*j); +@@ -853,6 +852,7 @@ static int job_perform_on_unit(Job **j) { + switch (t) { + case JOB_START: + r = unit_start(u, a); ++ wait_only = r == -EBADR; /* If the unit type does not support starting, then simply wait. 
*/ + break; + + case JOB_RESTART: +@@ -860,24 +860,28 @@ static int job_perform_on_unit(Job **j) { + _fallthrough_; + case JOB_STOP: + r = unit_stop(u); ++ wait_only = r == -EBADR; /* If the unit type does not support stopping, then simply wait. */ + break; + + case JOB_RELOAD: + r = unit_reload(u); ++ wait_only = false; /* A clear error is generated if reload is not supported. */ + break; + + default: + assert_not_reached(); + } + +- /* Log if the job still exists and the start/stop/reload function actually did something. Note that this means +- * for units for which there's no 'activating' phase (i.e. because we transition directly from 'inactive' to +- * 'active') we'll possibly skip the "Starting..." message. */ ++ /* Log if the job still exists and the start/stop/reload function actually did something or we're ++ * only waiting for unit status change (common for device units). The latter ensures that job start ++ * messages for device units are correctly shown. Note that if the job disappears too quickly, e.g. ++ * for units for which there's no 'activating' phase (i.e. because we transition directly from ++ * 'inactive' to 'active'), we'll possibly skip the "Starting..." message. */ + *j = manager_get_job(m, id); +- if (*j && r > 0) ++ if (*j && (r > 0 || wait_only)) + job_emit_start_message(u, id, t); + +- return r; ++ return wait_only ? 0 : r; + } + + int job_run_and_invalidate(Job *j) { +@@ -919,13 +923,6 @@ int job_run_and_invalidate(Job *j) { + case JOB_START: + case JOB_STOP: + case JOB_RESTART: +- r = job_perform_on_unit(&j); +- +- /* If the unit type does not support starting/stopping, then simply wait. */ +- if (r == -EBADR) +- r = 0; +- break; +- + case JOB_RELOAD: + r = job_perform_on_unit(&j); + break; +-- +2.33.0 + diff --git a/backport-core-job-never-consider-reload-jobs-redundant.patch b/backport-core-job-never-consider-reload-jobs-redundant.patch new file mode 100644 index 0000000..f97f503 --- /dev/null 
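Review bot: `bool wait_only;` at the top of job_perform_on_unit() is declared without an initializer and is only assigned in the three explicit `case` arms; that is correct today because the `default:` arm is assert_not_reached(), but `bool wait_only = false;` costs nothing and keeps -Wmaybe-uninitialized quiet on toolchains that do not treat that macro as noreturn. The return value also changed meaning — `return wait_only ? 0 : r;` now absorbs -EBADR inside this function rather than in job_run_and_invalidate() — so the function comment should say so, e.g. `/* Returns 0 when the unit type does not support the operation and we merely wait for its state to change. */`. The signature of job_perform_on_unit() is just above the hunk and job_run_and_invalidate() continues past it.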
+++ b/backport-core-job-never-consider-reload-jobs-redundant.patch @@ -0,0 +1,39 @@ +From 42082edcc0a67ba284a310b5c0532344a9a28817 Mon Sep 17 00:00:00 2001 +From: Mike Yuan +Date: Wed, 22 Jan 2025 19:36:27 +0100 +Subject: [PATCH 1090/1160] core/job: never consider reload jobs redundant + +Follow-up for 656bbffc6c45bdd8d5c28a96ca948ba16c546547 + +The commit reworked job merging logic so that reload jobs +won't get merged. However, they might get dropped from +transaction due to being deemed redundant, i.e. way before +it even hits job_install(). Let's make sure reload jobs +are always kept during transaction construction stage, too. + +(cherry picked from commit 7b940d8de91aeba6fa171eb42b690fa95641f29e) +(cherry picked from commit 1e7b1ce928f2fd62ac63299851124aaf977f48d4) +(cherry picked from commit d770304e6d96342cf0be601be68f219e560a3c50) +--- + src/core/job.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/src/core/job.c b/src/core/job.c +index e78c2a70db..225563abe0 100644 +--- a/src/core/job.c ++++ b/src/core/job.c +@@ -430,9 +430,8 @@ bool job_type_is_redundant(JobType a, UnitActiveState b) { + return IN_SET(b, UNIT_ACTIVE, UNIT_RELOADING); + + case JOB_RELOAD: +- return +- b == UNIT_RELOADING; +- ++ /* Reload jobs are never consider redundant/duplicate. Refer jobs_may_late_merge() for ++ * a detailed justification. */ + case JOB_RESTART: + /* Restart jobs must always be kept. + * +-- +2.33.0 + diff --git a/backport-core-make-mount-8-and-swapon-8-inherit-SMACK-label-f.patch b/backport-core-make-mount-8-and-swapon-8-inherit-SMACK-label-f.patch new file mode 100644 index 0000000..c222349 --- /dev/null +++ b/backport-core-make-mount-8-and-swapon-8-inherit-SMACK-label-f.patch 
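Review bot: The comment added to the JOB_RELOAD arm of job_type_is_redundant() has two wording slips — "are never consider redundant" and "Refer jobs_may_late_merge()" — and because the arm is now empty and falls through into JOB_RESTART, the comment should say that explicitly so a reader does not assume the arm returns: `/* Reload jobs are never considered redundant/duplicate; see jobs_may_late_merge() for the justification. Falls through to the restart handling below. */`. The empty case label is accepted silently by compilers, so the comment is the only place the intent is visible. job_type_is_redundant() starts just above the hunk and ends outside it.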
@@ -0,0 +1,50 @@ +From 79ec10aacbc2e4c6b7d6dee3639a53faed6b3418 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?=C5=81ukasz=20Stelmach?= +Date: Tue, 29 Oct 2024 15:53:45 +0100 +Subject: [PATCH 0984/1160] core: make mount(8) and swapon(8) inherit SMACK + label from systemd + +By default mount(8), umount(8), swapon(8) and swapoff(8) should run with +with the SMACK label inherited from systemd rather than the default one +meant for services. + +Fixes: aa5ae9711ef3cd0c69b7fcfbd65bca05fb704a8a +Follow-up-for: 20bbf5ee4c6c80599a91e7a4b7474e931a27db4a +(cherry picked from commit 8144537a81c7a815af3d4c63cd8545ee17b2715d) +(cherry picked from commit 9d060fb7eb6be828c3a6a822e38dabcc627ac98d) +--- + src/core/mount.c | 3 +++ + src/core/swap.c | 3 +++ + 2 files changed, 6 insertions(+) + +diff --git a/src/core/mount.c b/src/core/mount.c +index 53790dff6c..6aed715eeb 100644 +--- a/src/core/mount.c ++++ b/src/core/mount.c +@@ -930,6 +930,9 @@ static int mount_spawn(Mount *m, ExecCommand *c, PidRef *ret_pid) { + if (r < 0) + return r; + ++ /* Assume the label inherited from systemd as the fallback */ ++ exec_params.fallback_smack_process_label = NULL; ++ + r = exec_spawn(UNIT(m), + c, + &m->exec_context, +diff --git a/src/core/swap.c b/src/core/swap.c +index 682c2b99f7..1bdb4a755f 100644 +--- a/src/core/swap.c ++++ b/src/core/swap.c +@@ -654,6 +654,9 @@ static int swap_spawn(Swap *s, ExecCommand *c, PidRef *ret_pid) { + if (r < 0) + return r; + ++ /* Assume the label inherited from systemd as the fallback */ ++ exec_params.fallback_smack_process_label = NULL; ++ + r = exec_spawn(UNIT(s), + c, + &s->exec_context, +-- +2.33.0 + diff --git a/backport-core-mark-JoinControllers-as-DISABLED_LEGACY-rather-.patch b/backport-core-mark-JoinControllers-as-DISABLED_LEGACY-rather-.patch new file mode 100644 index 0000000..5f97add --- /dev/null +++ b/backport-core-mark-JoinControllers-as-DISABLED_LEGACY-rather-.patch 
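Review bot: The new `exec_params.fallback_smack_process_label = NULL;` in mount_spawn() and swap_spawn() is security-relevant — the spawned mount(8)/umount(8)/swapon(8)/swapoff(8) helpers keep the label inherited from systemd rather than the default service label — yet the comment only says "Assume the label inherited from systemd as the fallback". Spell out the consequence and the precedence: `/* NULL fallback: if the unit sets no SmackProcessLabel=, keep the label inherited from systemd — these helpers act on behalf of pid1, not as a confined service. */`; the "only if no SmackProcessLabel=" part is my reading of the field name and should be confirmed against exec_spawn(). Since the identical assignment now appears in two units immediately before exec_spawn(), consider setting it where exec_params is initialised (outside the hunk) instead of at each call site.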
@@ -0,0 +1,29 @@ +From 71e6fb4616f245a60fd5fbfe172cb3e878630355 Mon Sep 17 00:00:00 2001 +From: Mike Yuan +Date: Thu, 22 Feb 2024 13:06:44 +0800 +Subject: [PATCH 0424/1160] core: mark JoinControllers= as DISABLED_LEGACY + rather than _CONFIGURATION + +Follow-up for 143fadf369a18449464956206226761e49be1928 + +(cherry picked from commit 62b5bd3c8a17bad11cde728b0b592f9936e75648) +--- + src/core/main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/core/main.c b/src/core/main.c +index 3f71cc0947..1ed968d139 100644 +--- a/src/core/main.c ++++ b/src/core/main.c +@@ -627,7 +627,7 @@ static int parse_config_file(void) { + { "Manager", "CPUAffinity", config_parse_cpu_affinity2, 0, &arg_cpu_affinity }, + { "Manager", "NUMAPolicy", config_parse_numa_policy, 0, &arg_numa_policy.type }, + { "Manager", "NUMAMask", config_parse_numa_mask, 0, &arg_numa_policy }, +- { "Manager", "JoinControllers", config_parse_warn_compat, DISABLED_CONFIGURATION, NULL }, ++ { "Manager", "JoinControllers", config_parse_warn_compat, DISABLED_LEGACY, NULL }, + { "Manager", "RuntimeWatchdogSec", config_parse_watchdog_sec, 0, &arg_runtime_watchdog }, + { "Manager", "RuntimeWatchdogPreSec", config_parse_watchdog_sec, 0, &arg_pretimeout_watchdog }, + { "Manager", "RebootWatchdogSec", config_parse_watchdog_sec, 0, &arg_reboot_watchdog }, +-- +2.33.0 + diff --git a/backport-core-mount-if-mount-is-gone-eventually-consider-it-s.patch b/backport-core-mount-if-mount-is-gone-eventually-consider-it-s.patch new file mode 100644 index 0000000..6b19aa5 --- /dev/null +++ b/backport-core-mount-if-mount-is-gone-eventually-consider-it-s.patch 
@@ -0,0 +1,232 @@ +From c1327ff59dfb2236b34dd2459a5ad19fad33efbf Mon Sep 17 00:00:00 2001 +From: Mike Yuan +Date: Fri, 29 Mar 2024 00:43:25 +0800 +Subject: [PATCH 0547/1160] core/mount: if mount is gone eventually, consider + it success + +Currently, if unmount initiated by us fails, we record +that in result. Later, if we tried again and succeeded, +or someone else successfully unmounted it, the unit +state is still considered failed. Let's be more tolerant +instead, and forget about previous failure. + +Alternative to #32002 + +(cherry picked from commit e3783068c6dc1d5199c30c6ee4835f16ad92d3f9) +--- + src/core/mount.c | 65 ++++++++++++++++++++++++++++-------------------- + 1 file changed, 38 insertions(+), 27 deletions(-) + +diff --git a/src/core/mount.c b/src/core/mount.c +index 67ac1acc05..f1133d7371 100644 +--- a/src/core/mount.c ++++ b/src/core/mount.c +@@ -55,7 +55,7 @@ static const UnitActiveState state_translation_table[_MOUNT_STATE_MAX] = { + + static int mount_dispatch_timer(sd_event_source *source, usec_t usec, void *userdata); + static int mount_dispatch_io(sd_event_source *source, int fd, uint32_t revents, void *userdata); +-static void mount_enter_dead(Mount *m, MountResult f); ++static void mount_enter_dead(Mount *m, MountResult f, bool flush_result); + static void mount_enter_mounted(Mount *m, MountResult f); + static void mount_cycle_clear(Mount *m); + static int mount_process_proc_self_mountinfo(Manager *m); +@@ -846,7 +846,7 @@ static void mount_catchup(Unit *u) { + break; + case MOUNT_MOUNTED: + assert(!pidref_is_set(&m->control_pid)); +- mount_enter_dead(m, MOUNT_SUCCESS); ++ mount_enter_dead(m, MOUNT_SUCCESS, /* flush_result = */ false); + break; + default: + break; +@@ -952,10 +952,10 @@ static int mount_spawn(Mount *m, ExecCommand *c, PidRef *ret_pid) { + return 0; + } + +-static void mount_enter_dead(Mount *m, MountResult f) { ++static void mount_enter_dead(Mount *m, MountResult f, bool flush_result) { + assert(m); + +- if (m->result == 
MOUNT_SUCCESS) ++ if (m->result == MOUNT_SUCCESS || flush_result) + m->result = f; + + unit_log_result(UNIT(m), m->result == MOUNT_SUCCESS, mount_result_to_string(m->result)); +@@ -983,17 +983,20 @@ static void mount_enter_mounted(Mount *m, MountResult f) { + mount_set_state(m, MOUNT_MOUNTED); + } + +-static void mount_enter_dead_or_mounted(Mount *m, MountResult f) { ++static void mount_enter_dead_or_mounted(Mount *m, MountResult f, bool flush_result) { + assert(m); + +- /* Enter DEAD or MOUNTED state, depending on what the kernel currently says about the mount point. We use this +- * whenever we executed an operation, so that our internal state reflects what the kernel says again, after all +- * ultimately we just mirror the kernel's internal state on this. */ ++ /* Enter DEAD or MOUNTED state, depending on what the kernel currently says about the mount point. ++ * We use this whenever we executed an operation, so that our internal state reflects what ++ * the kernel says again, after all ultimately we just mirror the kernel's internal state on this. ++ * ++ * Note that flush_result only applies to mount_enter_dead(), since that's when the result gets ++ * turned into unit end state. 
*/ + + if (m->from_proc_self_mountinfo) + mount_enter_mounted(m, f); + else +- mount_enter_dead(m, f); ++ mount_enter_dead(m, f, flush_result); + } + + static int state_to_kill_operation(MountState state) { +@@ -1049,12 +1052,12 @@ static void mount_enter_signal(Mount *m, MountState state, MountResult f) { + else if (state == MOUNT_UNMOUNTING_SIGTERM && m->kill_context.send_sigkill) + mount_enter_signal(m, MOUNT_UNMOUNTING_SIGKILL, MOUNT_SUCCESS); + else +- mount_enter_dead_or_mounted(m, MOUNT_SUCCESS); ++ mount_enter_dead_or_mounted(m, MOUNT_SUCCESS, /* flush_result = */ false); + + return; + + fail: +- mount_enter_dead_or_mounted(m, MOUNT_FAILURE_RESOURCES); ++ mount_enter_dead_or_mounted(m, MOUNT_FAILURE_RESOURCES, /* flush_result = */ false); + } + + static int mount_set_umount_command(Mount *m, ExecCommand *c) { +@@ -1116,7 +1119,7 @@ static void mount_enter_unmounting(Mount *m) { + return; + + fail: +- mount_enter_dead_or_mounted(m, MOUNT_FAILURE_RESOURCES); ++ mount_enter_dead_or_mounted(m, MOUNT_FAILURE_RESOURCES, /* flush_result = */ false); + } + + static int mount_set_mount_command(Mount *m, ExecCommand *c, const MountParameters *p) { +@@ -1232,7 +1235,7 @@ static void mount_enter_mounting(Mount *m) { + return; + + fail: +- mount_enter_dead_or_mounted(m, MOUNT_FAILURE_RESOURCES); ++ mount_enter_dead_or_mounted(m, MOUNT_FAILURE_RESOURCES, /* flush_result = */ false); + } + + static void mount_set_reload_result(Mount *m, MountResult result) { +@@ -1298,7 +1301,7 @@ static void mount_enter_remounting(Mount *m) { + + fail: + mount_set_reload_result(m, MOUNT_FAILURE_RESOURCES); +- mount_enter_dead_or_mounted(m, MOUNT_SUCCESS); ++ mount_enter_dead_or_mounted(m, MOUNT_SUCCESS, /* flush_result = */ false); + } + + static void mount_cycle_clear(Mount *m) { +@@ -1587,7 +1590,7 @@ static void mount_sigchld_event(Unit *u, pid_t pid, int code, int status) { + log_unit_warning(UNIT(m), "Mount process finished, but there is no mount."); + f = MOUNT_FAILURE_PROTOCOL; + 
} +- mount_enter_dead(m, f); ++ mount_enter_dead(m, f, /* flush_result = */ false); + break; + + case MOUNT_MOUNTING_DONE: +@@ -1597,7 +1600,7 @@ static void mount_sigchld_event(Unit *u, pid_t pid, int code, int status) { + case MOUNT_REMOUNTING: + case MOUNT_REMOUNTING_SIGTERM: + case MOUNT_REMOUNTING_SIGKILL: +- mount_enter_dead_or_mounted(m, MOUNT_SUCCESS); ++ mount_enter_dead_or_mounted(m, MOUNT_SUCCESS, /* flush_result = */ false); + break; + + case MOUNT_UNMOUNTING: +@@ -1618,22 +1621,27 @@ static void mount_sigchld_event(Unit *u, pid_t pid, int code, int status) { + /* Hmm, umount process spawned by us failed, but the mount disappeared anyway? + * Maybe someone else is trying to unmount at the same time. */ + log_unit_notice(u, "Mount disappeared even though umount process failed, continuing."); +- mount_enter_dead(m, MOUNT_SUCCESS); ++ mount_enter_dead(m, MOUNT_SUCCESS, /* flush_result = */ true); + } else +- mount_enter_dead_or_mounted(m, f); ++ /* At this point, either the unmount succeeded or unexpected error occurred. We usually ++ * remember the first error in 'result', but here let's update that forcibly, since ++ * there could previous failed attempts yet we only care about the most recent ++ * attempt. IOW, if we eventually managed to unmount the stuff, don't enter failed ++ * end state. 
*/ ++ mount_enter_dead_or_mounted(m, f, /* flush_result = */ true); + + break; + + case MOUNT_UNMOUNTING_SIGTERM: + case MOUNT_UNMOUNTING_SIGKILL: +- mount_enter_dead_or_mounted(m, f); ++ mount_enter_dead_or_mounted(m, f, /* flush_result = */ false); + break; + + case MOUNT_CLEANING: + if (m->clean_result == MOUNT_SUCCESS) + m->clean_result = f; + +- mount_enter_dead(m, MOUNT_SUCCESS); ++ mount_enter_dead(m, MOUNT_SUCCESS, /* flush_result = */ false); + break; + + default: +@@ -1672,7 +1680,7 @@ static int mount_dispatch_timer(sd_event_source *source, usec_t usec, void *user + mount_enter_signal(m, MOUNT_REMOUNTING_SIGKILL, MOUNT_SUCCESS); + } else { + log_unit_warning(UNIT(m), "Remounting timed out. Skipping SIGKILL. Ignoring."); +- mount_enter_dead_or_mounted(m, MOUNT_SUCCESS); ++ mount_enter_dead_or_mounted(m, MOUNT_SUCCESS, /* flush_result = */ false); + } + break; + +@@ -1680,7 +1688,7 @@ static int mount_dispatch_timer(sd_event_source *source, usec_t usec, void *user + mount_set_reload_result(m, MOUNT_FAILURE_TIMEOUT); + + log_unit_warning(UNIT(m), "Mount process still around after SIGKILL. Ignoring."); +- mount_enter_dead_or_mounted(m, MOUNT_SUCCESS); ++ mount_enter_dead_or_mounted(m, MOUNT_SUCCESS, /* flush_result = */ false); + break; + + case MOUNT_UNMOUNTING: +@@ -1694,13 +1702,13 @@ static int mount_dispatch_timer(sd_event_source *source, usec_t usec, void *user + mount_enter_signal(m, MOUNT_UNMOUNTING_SIGKILL, MOUNT_FAILURE_TIMEOUT); + } else { + log_unit_warning(UNIT(m), "Mount process timed out. Skipping SIGKILL. Ignoring."); +- mount_enter_dead_or_mounted(m, MOUNT_FAILURE_TIMEOUT); ++ mount_enter_dead_or_mounted(m, MOUNT_FAILURE_TIMEOUT, /* flush_result = */ false); + } + break; + + case MOUNT_UNMOUNTING_SIGKILL: + log_unit_warning(UNIT(m), "Mount process still around after SIGKILL. 
Ignoring."); +- mount_enter_dead_or_mounted(m, MOUNT_FAILURE_TIMEOUT); ++ mount_enter_dead_or_mounted(m, MOUNT_FAILURE_TIMEOUT, /* flush_result = */ false); + break; + + case MOUNT_CLEANING: +@@ -2161,8 +2169,11 @@ static int mount_process_proc_self_mountinfo(Manager *m) { + switch (mount->state) { + + case MOUNT_MOUNTED: +- /* This has just been unmounted by somebody else, follow the state change. */ +- mount_enter_dead(mount, MOUNT_SUCCESS); ++ /* This has just been unmounted by somebody else, follow the state change. ++ * Also explicitly override the result (see the comment in mount_sigchld_event()), ++ * but more aggressively here since the state change is extrinsic. */ ++ mount_cycle_clear(mount); ++ mount_enter_dead(mount, MOUNT_SUCCESS, /* flush_result = */ true); + break; + + case MOUNT_MOUNTING_DONE: +@@ -2334,7 +2345,7 @@ static int mount_can_start(Unit *u) { + + r = unit_test_start_limit(u); + if (r < 0) { +- mount_enter_dead(m, MOUNT_FAILURE_START_LIMIT_HIT); ++ mount_enter_dead(m, MOUNT_FAILURE_START_LIMIT_HIT, /* flush_result = */ false); + return r; + } + +-- +2.33.0 + diff --git a/backport-core-mount-if-umount-8-fails-but-mount-disappeared-a.patch b/backport-core-mount-if-umount-8-fails-but-mount-disappeared-a.patch new file mode 100644 index 0000000..c595572 --- /dev/null +++ b/backport-core-mount-if-umount-8-fails-but-mount-disappeared-a.patch 
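Review bot: In the MOUNT_UNMOUNTING arm of mount_sigchld_event() the new comment reads "there could previous failed attempts" — it should be "there could have been previous failed attempts" — and the `flush_result = true` handed to mount_enter_dead_or_mounted() there only takes effect when the mount is actually gone, which the comment on mount_enter_dead_or_mounted() explains but this call site does not. The MOUNT_MOUNTED arm of mount_process_proc_self_mountinfo() now calls mount_cycle_clear() and then mount_enter_dead(..., /* flush_result = */ true); if mount_cycle_clear() already resets m->result (its body is not visible here) the flush is redundant but harmless, so a one-line comment saying which of the two is load-bearing would help: `/* mount_cycle_clear() presumably drops the earlier result; flush_result keeps that explicit should it change. */`. mount_sigchld_event() and mount_process_proc_self_mountinfo() both start and end outside the hunk.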
@@ -0,0 +1,84 @@ +From 564692e243534a2ec5714c37f77866e01b1e5552 Mon Sep 17 00:00:00 2001 +From: Mike Yuan +Date: Sat, 17 Feb 2024 03:03:50 +0800 +Subject: [PATCH 0542/1160] core/mount: if umount(8) fails but mount + disappeared, assume success + +Fixes #31337 + +(cherry picked from commit 8e94bb62a5c1309c56c57e0a505aae13a2ac5f4f) +--- + src/core/mount.c | 20 ++++++++++++-------- + 1 file changed, 12 insertions(+), 8 deletions(-) + +diff --git a/src/core/mount.c b/src/core/mount.c +index 865e356a97..67ac1acc05 100644 +--- a/src/core/mount.c ++++ b/src/core/mount.c +@@ -1555,7 +1555,8 @@ static void mount_sigchld_event(Unit *u, pid_t pid, int code, int status) { + + if (IN_SET(m->state, MOUNT_REMOUNTING, MOUNT_REMOUNTING_SIGKILL, MOUNT_REMOUNTING_SIGTERM)) + mount_set_reload_result(m, f); +- else if (m->result == MOUNT_SUCCESS) ++ else if (m->result == MOUNT_SUCCESS && !IN_SET(m->state, MOUNT_MOUNTING, MOUNT_UNMOUNTING)) ++ /* MOUNT_MOUNTING and MOUNT_UNMOUNTING states need to be patched, see below. */ + m->result = f; + + if (m->control_command) { +@@ -1578,11 +1579,11 @@ static void mount_sigchld_event(Unit *u, pid_t pid, int code, int status) { + switch (m->state) { + + case MOUNT_MOUNTING: +- /* Our mount point has not appeared in mountinfo. Something went wrong. */ ++ /* Our mount point has not appeared in mountinfo. Something went wrong. */ + + if (f == MOUNT_SUCCESS) { +- /* Either /bin/mount has an unexpected definition of success, +- * or someone raced us and we lost. */ ++ /* Either /bin/mount has an unexpected definition of success, or someone raced us ++ * and we lost. */ + log_unit_warning(UNIT(m), "Mount process finished, but there is no mount."); + f = MOUNT_FAILURE_PROTOCOL; + } +@@ -1600,9 +1601,7 @@ static void mount_sigchld_event(Unit *u, pid_t pid, int code, int status) { + break; + + case MOUNT_UNMOUNTING: +- + if (f == MOUNT_SUCCESS && m->from_proc_self_mountinfo) { +- + /* Still a mount point? If so, let's try again. 
Most likely there were multiple mount points + * stacked on top of each other. We might exceed the timeout specified by the user overall, + * but we will stop as soon as any one umount times out. */ +@@ -1615,13 +1614,18 @@ static void mount_sigchld_event(Unit *u, pid_t pid, int code, int status) { + log_unit_warning(u, "Mount still present after %u attempts to unmount, giving up.", m->n_retry_umount); + mount_enter_mounted(m, MOUNT_FAILURE_PROTOCOL); + } ++ } else if (f == MOUNT_FAILURE_EXIT_CODE && !m->from_proc_self_mountinfo) { ++ /* Hmm, umount process spawned by us failed, but the mount disappeared anyway? ++ * Maybe someone else is trying to unmount at the same time. */ ++ log_unit_notice(u, "Mount disappeared even though umount process failed, continuing."); ++ mount_enter_dead(m, MOUNT_SUCCESS); + } else + mount_enter_dead_or_mounted(m, f); + + break; + +- case MOUNT_UNMOUNTING_SIGKILL: + case MOUNT_UNMOUNTING_SIGTERM: ++ case MOUNT_UNMOUNTING_SIGKILL: + mount_enter_dead_or_mounted(m, f); + break; + +@@ -2166,7 +2170,7 @@ static int mount_process_proc_self_mountinfo(Manager *m) { + * then remove it because of an internal error. E.g., fuse.sshfs seems + * to do that when the connection fails. See #17617. To handle such the + * case, let's once set the state back to mounting. Then, the unit can +- * correctly enter the failed state later in mount_sigchld(). */ ++ * correctly enter the failed state later in mount_sigchld_event(). */ + mount_set_state(mount, MOUNT_MOUNTING); + break; + +-- +2.33.0 + diff --git a/backport-core-mount-if-unmount-retries-exceeded-max-record-as.patch b/backport-core-mount-if-unmount-retries-exceeded-max-record-as.patch new file mode 100644 index 0000000..0caffff --- /dev/null +++ b/backport-core-mount-if-unmount-retries-exceeded-max-record-as.patch 
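Review bot: The new guard `m->result == MOUNT_SUCCESS && !IN_SET(m->state, MOUNT_MOUNTING, MOUNT_UNMOUNTING)` means the result for those two states is recorded only by whatever the state-specific arm passes on, and the retry path in MOUNT_UNMOUNTING (`mount_enter_unmounting(m)`) passes nothing; that is correct solely because that branch is gated on `f == MOUNT_SUCCESS`, which the vague "need to be patched, see below" does not convey — suggest `/* For MOUNT_MOUNTING/MOUNT_UNMOUNTING the result may be rewritten below (lost race, or mount gone although umount failed), so record it in those arms instead. */`. The new `f == MOUNT_FAILURE_EXIT_CODE && !m->from_proc_self_mountinfo` branch only covers umount exiting non-zero; if umount died from a signal while the mount vanished the unit presumably still ends failed, which may be intended but deserves a note next to the condition. mount_sigchld_event() starts and ends outside the hunk.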
@@ -0,0 +1,27 @@ +From ddc9d2115e32b98e241801e9a7350284b9706f71 Mon Sep 17 00:00:00 2001 +From: Mike Yuan +Date: Fri, 29 Mar 2024 00:51:27 +0800 +Subject: [PATCH 0537/1160] core/mount: if unmount retries exceeded max, record + as failure + +(cherry picked from commit 9c7c3d9cdbf8b98ff6c5c63f2d3373909cb8ca5b) +--- + src/core/mount.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/core/mount.c b/src/core/mount.c +index ded322d332..865e356a97 100644 +--- a/src/core/mount.c ++++ b/src/core/mount.c +@@ -1613,7 +1613,7 @@ static void mount_sigchld_event(Unit *u, pid_t pid, int code, int status) { + mount_enter_unmounting(m); + } else { + log_unit_warning(u, "Mount still present after %u attempts to unmount, giving up.", m->n_retry_umount); +- mount_enter_mounted(m, f); ++ mount_enter_mounted(m, MOUNT_FAILURE_PROTOCOL); + } + } else + mount_enter_dead_or_mounted(m, f); +-- +2.33.0 + diff --git a/backport-core-namespace-honor-MountEntry.read_only-.options-a.patch b/backport-core-namespace-honor-MountEntry.read_only-.options-a.patch new file mode 100644 index 0000000..c3b1406 --- /dev/null +++ b/backport-core-namespace-honor-MountEntry.read_only-.options-a.patch 
@@ -0,0 +1,86 @@ +From bc1320a7e290291b6b40c32e069d014ae10e4f56 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Sat, 19 Oct 2024 14:38:08 +0900 +Subject: [PATCH 1000/1160] core/namespace: honor MountEntry.read_only, + .options, and so on in static entries + +Otherwise, ProtectHome=tmpfs makes /home/ and friends not read-only. +Also, mount options for /run/ specified in MountAPIVFS=yes are not +applied. + +The function append_static_mounts() was introduced in +5327c910d2fc1ae91bd0b891be92b30379c7467b, but at that time, there were +neither .read_only nor .options in the struct. But, when later the +struct is extended, the function was not updated and they were not +copied from the static table. +The fields has been used in static tables since +e4da7d8c796a1fd11ecfa80fb8a48eac9e823f06, and also in +94293d65cd4125347e21b3e423d0e245226b1be2. + +Fixes #34825. + +(cherry picked from commit 0cc496b2d21f73d0a03414ce40eceb9e3af76e22) +(cherry picked from commit dc44fd69b0bf2a5176ce740f9cb113c33607206f) +--- + src/core/namespace.c | 15 ++++++++++----- + test/units/testsuite-07.exec-context.sh | 13 +++++++++++-- + 2 files changed, 21 insertions(+), 7 deletions(-) + +diff --git a/src/core/namespace.c b/src/core/namespace.c +index 4962b5b538..50e765761b 100644 +--- a/src/core/namespace.c ++++ b/src/core/namespace.c +@@ -656,11 +656,16 @@ static int append_static_mounts(MountList *ml, const MountEntry *mounts, size_t + if (!me) + return log_oom_debug(); + +- *me = (MountEntry) { +- .path_const = mount_entry_path(m), +- .mode = m->mode, +- .ignore = m->ignore || ignore_protect, +- }; ++ /* No dynamic values allowed. 
*/ ++ assert(m->path_const); ++ assert(!m->path_malloc); ++ assert(!m->unprefixed_path_malloc); ++ assert(!m->source_malloc); ++ assert(!m->options_malloc); ++ assert(!m->overlay_layers); ++ ++ *me = *m; ++ me->ignore = me->ignore || ignore_protect; + } + + return 0; +diff --git a/test/units/testsuite-07.exec-context.sh b/test/units/testsuite-07.exec-context.sh +index b44658f4e4..827a714911 100755 +--- a/test/units/testsuite-07.exec-context.sh ++++ b/test/units/testsuite-07.exec-context.sh +@@ -46,13 +46,22 @@ if [[ -z "${COVERAGE_BUILD_DIR:-}" ]]; then + bash -xec "test ! -w /home; test ! -w /root; test ! -w /run/user; test ! -e $MARK" + systemd-run --wait --pipe -p ProtectHome=read-only \ + bash -xec "test ! -w /home; test ! -w /root; test ! -w /run/user; test -e $MARK" +- systemd-run --wait --pipe -p ProtectHome=tmpfs \ +- bash -xec "test -w /home; test -w /root; test -w /run/user; test ! -e $MARK" ++ systemd-run --wait --pipe -p ProtectHome=tmpfs -p TemporaryFileSystem=/home/foo \ ++ bash -xec "test ! -w /home; test ! -w /root; test ! -w /run/user; test ! 
-e $MARK; test -w /home/foo" + systemd-run --wait --pipe -p ProtectHome=no \ + bash -xec "test -w /home; test -w /root; test -w /run/user; test -e $MARK" + rm -f "$MARK" + fi + ++systemd-run --wait --pipe -p PrivateMounts=true -p MountAPIVFS=yes \ ++ bash -xec '[[ "$(findmnt --mountpoint /proc --noheadings -o FSTYPE)" == proc ]]; ++ [[ "$$(findmnt --mountpoint /dev --noheadings -o FSTYPE)" =~ (devtmpfs|tmpfs) ]]; ++ [[ "$$(findmnt --mountpoint /sys --noheadings -o FSTYPE)" =~ (sysfs|tmpfs) ]]; ++ [[ "$$(findmnt --mountpoint /run --noheadings -o FSTYPE)" == tmpfs ]]; ++ [[ "$$(findmnt --mountpoint /run --noheadings -o VFS-OPTIONS)" =~ rw ]]; ++ [[ "$$(findmnt --mountpoint /run --noheadings -o VFS-OPTIONS)" =~ nosuid ]]; ++ [[ "$$(findmnt --mountpoint /run --noheadings -o VFS-OPTIONS)" =~ nodev ]]' ++ + if proc_supports_option "hidepid=off"; then + systemd-run --wait --pipe -p ProtectProc=noaccess -p User=testuser \ + bash -xec 'test -e /proc/1; test ! -r /proc/1; test -r /proc/$$$$/comm' +-- +2.33.0 + diff --git a/backport-core-path-Re-enter-waiting-if-target-is-deactivating.patch b/backport-core-path-Re-enter-waiting-if-target-is-deactivating.patch new file mode 100644 index 0000000..4d84b6c --- /dev/null +++ b/backport-core-path-Re-enter-waiting-if-target-is-deactivating.patch 
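Review bot: The new `*me = *m;` in append_static_mounts() is a shallow struct copy protected only by a hand-maintained list of asserts (path_malloc, unprefixed_path_malloc, source_malloc, options_malloc, overlay_layers); if MountEntry later gains another owned pointer the static copy will alias it and the cleanup path will free it twice or leak it, so add at the assert block `/* Static tables must hold only constant strings; any new owned field in MountEntry has to be added to these asserts. */`. The fix is sandbox-relevant: before it ProtectHome=tmpfs and the MountAPIVFS=yes options for /run were applied without read_only/options, which the new testsuite-07 checks (`test ! -w /home` and the nosuid/nodev match on /run) now pin. In that shell test the first `findmnt` line is written with `$(…)` while the following ones use `$$(…)`; if the unit's `$`-expansion treats the two differently the first check passes only by accident, so make them consistent. append_static_mounts() continues outside the hunk.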
@@ -0,0 +1,128 @@ +From 23b8d2f39302523be151765c00d8c03a65a80181 Mon Sep 17 00:00:00 2001 +From: Adrian Vovk +Date: Sat, 30 Dec 2023 14:06:39 -0500 +Subject: [PATCH 0270/1160] core: path: Re-enter waiting if target is + deactivating + +Previously, path units would remain in the running state while their +target unit is deactivating. This left a window of time where the target +unit is no longer operational (i.e. it is busy deactivating/cleaning +up/etc) but the path unit would continue to ignore inotify events. In +short: any inotify event that occurs while the target unit deactivates +would be completely lost. + +With this commit, the path will go back into a waiting state when the +target unit starts deactivating. This means that any inotify event that +occurs while the target unit deactivates will queue a start job. + +(cherry picked from commit 720c618397397f958caeb050a1528eb0d6f7a4a6) +--- + src/core/path.c | 6 +-- + test/testsuite-63.units/test63-pr-30768.path | 3 ++ + .../test63-pr-30768.service | 5 +++ + test/units/testsuite-63.sh | 40 +++++++++++++++++++ + 4 files changed, 51 insertions(+), 3 deletions(-) + create mode 100644 test/testsuite-63.units/test63-pr-30768.path + create mode 100644 test/testsuite-63.units/test63-pr-30768.service + +diff --git a/src/core/path.c b/src/core/path.c +index 44481a95d5..ef00c20131 100644 +--- a/src/core/path.c ++++ b/src/core/path.c +@@ -582,7 +582,7 @@ static void path_enter_waiting(Path *p, bool initial, bool from_trigger_notify) + + /* If the triggered unit is already running, so are we */ + trigger = UNIT_TRIGGER(UNIT(p)); +- if (trigger && !UNIT_IS_INACTIVE_OR_FAILED(unit_active_state(trigger))) { ++ if (trigger && !UNIT_IS_INACTIVE_OR_DEACTIVATING(unit_active_state(trigger))) { + path_set_state(p, PATH_RUNNING); + path_unwatch(p); + return; +@@ -853,11 +853,11 @@ static void path_trigger_notify_impl(Unit *u, Unit *other, bool on_defer) { + return; + + if (p->state == PATH_RUNNING && +- 
UNIT_IS_INACTIVE_OR_FAILED(unit_active_state(other))) { ++ UNIT_IS_INACTIVE_OR_DEACTIVATING(unit_active_state(other))) { + if (!on_defer) + log_unit_debug(u, "Got notified about unit deactivation."); + } else if (p->state == PATH_WAITING && +- !UNIT_IS_INACTIVE_OR_FAILED(unit_active_state(other))) { ++ !UNIT_IS_INACTIVE_OR_DEACTIVATING(unit_active_state(other))) { + if (!on_defer) + log_unit_debug(u, "Got notified about unit activation."); + } else +diff --git a/test/testsuite-63.units/test63-pr-30768.path b/test/testsuite-63.units/test63-pr-30768.path +new file mode 100644 +index 0000000000..b541358541 +--- /dev/null ++++ b/test/testsuite-63.units/test63-pr-30768.path +@@ -0,0 +1,3 @@ ++# SPDX-License-Identifier: LGPL-2.1-or-later ++[Path] ++PathChanged=/tmp/copyme +diff --git a/test/testsuite-63.units/test63-pr-30768.service b/test/testsuite-63.units/test63-pr-30768.service +new file mode 100644 +index 0000000000..5739084a3f +--- /dev/null ++++ b/test/testsuite-63.units/test63-pr-30768.service +@@ -0,0 +1,5 @@ ++# SPDX-License-Identifier: LGPL-2.1-or-later ++[Service] ++ExecStart=cp -v /tmp/copyme /tmp/copied ++# once cp exits, service goes into deactivating state and then runs ExecStop ++ExecStop=flock -e /tmp/noexit true +diff --git a/test/units/testsuite-63.sh b/test/units/testsuite-63.sh +index 9bbd700104..ea8cd945ed 100755 +--- a/test/units/testsuite-63.sh ++++ b/test/units/testsuite-63.sh +@@ -80,6 +80,46 @@ output=$(systemctl list-jobs --no-legend) + assert_not_in "test63-issue-24577.service" "$output" + assert_in "test63-issue-24577-dep.service" "$output" + ++# Test for race condition fixed by https://github.com/systemd/systemd/pull/30768 ++# Here's the schedule of events that we to happen during this test: ++# (This test) (The service) ++# .path unit monitors /tmp/copyme for changes ++# Take lock on /tmp/noexeit ↓ ++# Write to /tmp/copyme ↓ ++# Wait for deactivating Started ++# ↓ Copies /tmp/copyme to /tmp/copied ++# ↓ Tells manager it's shutting down 
++# Ensure service did the copy Tries to lock /tmp/noexit and blocks ++# Write to /tmp/copyme ↓ ++# ++# Now at this point the test can diverge. If we regress, this second write is ++# missed and we'll see: ++# ... (second write) ... (blocked) ++# Drop lock on /tmp/noexit ↓ ++# Wait for service to do copy Unblocks and exits ++# ↓ (dead) ++# ↓ ++# (timeout) ++# Test fails ++# ++# Otherwise, we'll see: ++# ... (second write) ... (blocked) ++# Drop lock on /tmp/noexit ↓ and .path unit queues a new start job ++# Wait for service to do copy Unblocks and exits ++# ↓ Starts again b/c of queued job ++# ↓ Copies again ++# Test Passes ++systemctl start test63-pr-30768.path ++exec {lock}<>/tmp/noexit ++flock -e $lock ++echo test1 > /tmp/copyme ++# shellcheck disable=SC2016 ++timeout 30 bash -c 'until test "$(systemctl show test63-pr-30768.service -P ActiveState)" = deactivating; do sleep .2; done' ++diff /tmp/copyme /tmp/copied ++echo test2 > /tmp/copyme ++exec {lock}<&- ++timeout 30 bash -c 'until diff /tmp/copyme /tmp/copied; do sleep .2; done' ++ + systemctl log-level info + + touch /testok +-- +2.33.0 + diff --git a/backport-core-raise-the-log-priority-if-sd-executor-is-missin.patch b/backport-core-raise-the-log-priority-if-sd-executor-is-missin.patch new file mode 100644 index 0000000..f30615f --- /dev/null +++ b/backport-core-raise-the-log-priority-if-sd-executor-is-missin.patch 
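Review bot: Switching to `UNIT_IS_INACTIVE_OR_DEACTIVATING` re-arms the path unit's inotify watches while the triggered unit is still running its ExecStop, so a service whose stop logic writes to the watched path will now queue a new start job for itself on every stop; that follows from the commit's intent but is a behaviour change that deserves a comment in path_enter_waiting(), e.g. `/* A deactivating trigger counts as not running: events during its ExecStop must not be lost, even though ExecStop itself can then retrigger us. */`. path_enter_waiting() and path_trigger_notify_impl() both begin and end outside the hunk. The new testsuite-63 block leaves test63-pr-30768.path active and /tmp/copyme, /tmp/copied and /tmp/noexit behind; unless a later part of the script cleans up, add `systemctl stop test63-pr-30768.path` and `rm -f /tmp/copyme /tmp/copied /tmp/noexit` after the final `timeout 30 …` so later tests are not triggered by stale state. The schedule comment also reads "noexeit" and "that we to happen" for "noexit" and "that we want to happen".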
@@ -0,0 +1,52 @@ +From bd9ac416ec78cd415f6128c907d9e31c0f0265e5 Mon Sep 17 00:00:00 2001 +From: Frantisek Sumsal +Date: Mon, 22 Jan 2024 14:15:31 +0100 +Subject: [PATCH 0169/1160] core: raise the log priority if sd-executor is + missing + +Log about missing executor at the emergency level, so the message always +makes it to the console - otherwise it won't get anywhere, since we +can't even start systemd-journald in that case. + +Before: + +Welcome to Arch Linux! + +[ 5.202479] systemd[1]: Failed to allocate manager object: No such file or directory +[!!!!!!] Failed to allocate manager object. +[ 5.207741] systemd[1]: Freezing execution. + +After: + +Welcome to Arch Linux! + +[ 5.279408] systemd[1]: Failed to open executor binary '/usr/lib/systemd/systemd-executor': No such file or directory +[ 5.290756] systemd[1]: Failed to allocate manager object: No such file or directory +[!!!!!!] Failed to allocate manager object. +[ 5.295919] systemd[1]: Freezing execution. + +(cherry picked from commit 00fafa1a17c03bb6a4e58a9187ef5235e316766e) +--- + src/core/manager.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/src/core/manager.c b/src/core/manager.c +index 37e4f70950..88eebfc626 100644 +--- a/src/core/manager.c ++++ b/src/core/manager.c +@@ -1016,9 +1016,9 @@ int manager_new(RuntimeScope runtime_scope, ManagerTestRunFlags test_run_flags, + + m->executor_fd = open(SYSTEMD_EXECUTOR_BINARY_PATH, O_CLOEXEC|O_PATH); + if (m->executor_fd < 0) +- return log_warning_errno(errno, +- "Failed to open executor binary '%s': %m", +- SYSTEMD_EXECUTOR_BINARY_PATH); ++ return log_emergency_errno(errno, ++ "Failed to open executor binary '%s': %m", ++ SYSTEMD_EXECUTOR_BINARY_PATH); + } else if (!FLAGS_SET(test_run_flags, MANAGER_TEST_DONT_OPEN_EXECUTOR)) { + _cleanup_free_ char *self_exe = NULL, *executor_path = NULL; + _cleanup_close_ int self_dir_fd = -EBADF; +-- +2.33.0 + 
diff --git a/backport-core-reliably-check-if-varlink-socket-has-been-deser.patch b/backport-core-reliably-check-if-varlink-socket-has-been-deser.patch index f4f365c..4481425 100644 --- a/backport-core-reliably-check-if-varlink-socket-has-been-deser.patch +++ b/backport-core-reliably-check-if-varlink-socket-has-been-deser.patch @@ -1,7 +1,8 @@ From 3b3875ead34bdd14b853e9c77565647244263fa0 Mon Sep 17 00:00:00 2001 From: Mike Yuan Date: Tue, 23 Jul 2024 17:55:12 +0200 -Subject: [PATCH] core: reliably check if varlink socket has been deserialized +Subject: [PATCH 0795/1160] core: reliably check if varlink socket has been + deserialized Follow-up for 6906c028e83b77b35eaaf87b27d0fe5c6e1984b7 @@ -27,10 +28,6 @@ Alternative to #33817 Co-authored-by: Luca Boccassi (cherry picked from commit d4e5c66ed469c822ca5346c7a445ec1446b1d17f) (cherry picked from commit b825a8be0b7b857a715e982cee861e8ae6995ee8) - -Conflict:NA -Reference:https://github.com/systemd/systemd-stable/commit/3b3875ead34bdd14b853e9c77565647244263fa0 - --- src/core/core-varlink.c | 50 ++++++++++++++++++++--------------- src/core/core-varlink.h | 2 +- diff --git a/backport-core-serialize-reload-rate-limit.patch b/backport-core-serialize-reload-rate-limit.patch new file mode 100644 index 0000000..7f39e03 --- /dev/null +++ b/backport-core-serialize-reload-rate-limit.patch 
@@ -0,0 +1,37 @@
+From 673c2e1bbbe3091fad10b5857e21b873e7637ee7 Mon Sep 17 00:00:00 2001
+From: Luca Boccassi
+Date: Fri, 29 Mar 2024 01:15:26 +0000
+Subject: [PATCH 0480/1160] core: serialize reload rate limit
+
+Otherwise the rate limit is lost on reexec, and the privileges to call it
+are the same as reloads
+
+(cherry picked from commit 9b1db2dbc48c2aeae9aae86c9f2a2e3c017dacb7)
+---
+ src/core/manager-serialize.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/core/manager-serialize.c b/src/core/manager-serialize.c
+index e9d567a97b..1ac26360a7 100644
+--- a/src/core/manager-serialize.c
++++ b/src/core/manager-serialize.c
+@@ -153,6 +153,7 @@ int manager_serialize(
+ }
+
+ (void) serialize_ratelimit(f, "dump-ratelimit", &m->dump_ratelimit);
++ (void) serialize_ratelimit(f, "reload-ratelimit", &m->reload_ratelimit);
+
+ bus_track_serialize(m->subscribed, f, "subscribed");
+
+@@ -515,6 +516,8 @@ int manager_deserialize(Manager *m, FILE *f, FDSet *fds) {
+ (void) varlink_server_deserialize_one(m->varlink_server, val, fds);
+ } else if ((val = startswith(l, "dump-ratelimit=")))
+ deserialize_ratelimit(&m->dump_ratelimit, "dump-ratelimit", val);
++ else if ((val = startswith(l, "reload-ratelimit=")))
++ deserialize_ratelimit(&m->reload_ratelimit, "reload-ratelimit", val);
+ else {
+ ManagerTimestamp q;
+
+--
+2.33.0
+
diff --git a/backport-core-service-Type-notify-dbus-services-shouldn-t-be-.patch b/backport-core-service-Type-notify-dbus-services-shouldn-t-be-.patch
new file mode 100644
index 0000000..74ece4c
--- /dev/null
+++ b/backport-core-service-Type-notify-dbus-services-shouldn-t-be-.patch
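Review bot: The new `reload-ratelimit` serialize/deserialize pair carries no comment on why the limit has to survive a reexec, and the reason is a privilege one (per the commit message, daemon-reexec needs the same privileges as reload, so letting a reexec reset the counter would let a caller sidestep the rate limit); add above the serialize call `/* Carry the reload rate limit across reexec, otherwise daemon-reexec would reset it. */`. A serialization written by an older instance simply lacks the key and the limit starts fresh once after that upgrade, which seems acceptable but is worth a sentence in the same comment. manager_serialize() and manager_deserialize() both continue outside the hunk.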
@@ -0,0 +1,36 @@
+From e2ac714783fca20abcbe721cba7cdfbf36a6635d Mon Sep 17 00:00:00 2001
+From: Mike Yuan
+Date: Sat, 2 Mar 2024 21:03:22 +0800
+Subject: [PATCH 0435/1160] core/service: Type=notify/dbus services shouldn't
+ be considered active when ExitType=cgroup and main process exits
+
+Follow-up for ef4300654e70e76ed74f7d544e0f44c5d92fb698
+
+(cherry picked from commit 1651ce09c049d7dae1b987f0a74d54e7c1bc3231)
+---
+ src/core/service.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/src/core/service.c b/src/core/service.c
+index 060ac084ee..82cddf30d2 100644
+--- a/src/core/service.c
++++ b/src/core/service.c
+@@ -3861,11 +3861,13 @@ static void service_sigchld_event(Unit *u, pid_t pid, int code, int status) {
+ default:
+ assert_not_reached();
+ }
+- } else if (s->exit_type == SERVICE_EXIT_CGROUP && s->state == SERVICE_START)
++ } else if (s->exit_type == SERVICE_EXIT_CGROUP && s->state == SERVICE_START &&
++ !IN_SET(s->type, SERVICE_NOTIFY, SERVICE_NOTIFY_RELOAD, SERVICE_DBUS))
+ /* If a main process exits very quickly, this function might be executed
+ * before service_dispatch_exec_io(). Since this function disabled IO events
+ * to monitor the main process above, we need to update the state here too.
+- * Let's consider the process is successfully launched and exited. */
++ * Let's consider the process is successfully launched and exited, but
++ * only when we're not expecting a readiness notification or dbus name. */
+ service_enter_start_post(s);
+ }
+
+--
+2.33.0
+
diff --git a/backport-core-service-do-not-propagate-reload-for-combined-RE.patch b/backport-core-service-do-not-propagate-reload-for-combined-RE.patch
new file mode 100644
index 0000000..e2dad1f
--- /dev/null
+++ b/backport-core-service-do-not-propagate-reload-for-combined-RE.patch
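Review bot: The amended comment says the quick-exit shortcut is skipped for Type=notify/notify-reload/dbus but not what happens to such a service instead; within this hunk the main process has exited and nothing moves the unit out of SERVICE_START, so it presumably sits there until the cgroup-empty path or the start timeout fires, and the comment should say so, e.g. `/* For notify/dbus types a quick exit before readiness is left to the cgroup-empty or timeout paths. */`. The sibling patch in this series that rewrites the ExitType=cgroup branch of service_notify_cgroup_empty_event() is what closes that loop, so the two should be applied together. service_sigchld_event() begins and ends outside the hunk.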
@@ -0,0 +1,84 @@ +From f6b973d48e7bea959aaa2aa8c319b2cdaaf79ed4 Mon Sep 17 00:00:00 2001 +From: Mike Yuan +Date: Wed, 26 Feb 2025 15:02:58 +0100 +Subject: [PATCH 1139/1160] core/service: do not propagate reload for combined + RELOADING=1 + READY=1 when notify-reload + +Follow-up for 3bd28bf721dc70722ff1c675026ed0b44ad968a3 + +SERVICE_RELOAD_SIGNAL state can only be reached via explicit reload jobs, +and we have a clear distinction between that and plain RELOADING=1 +notifications, the latter of which is issued by clients doing reload +outside of our job engine. I.e. upon SERVICE_RELOAD_SIGNAL + RELOADING=1 +we don't propagate reload jobs again, since that's done during transaction +construction stage already. The handling of combined RELOADING=1 + READY=1 +so far is bogus however, as it tries to propagate duplicate reload jobs. +Amend this by following the logic for standalone RELOADING=1. + +(cherry picked from commit c337a1301f2de4105fc8023e45db20238c6a895a) +(cherry picked from commit aef4adde624246b074082db8b4c1d446e13f85ca) +(cherry picked from commit 7e6e8b3dedc136d77e9698ba9f140a33573daead) +--- + src/core/service.c | 39 ++++++++++++++++++++++----------------- + 1 file changed, 22 insertions(+), 17 deletions(-) + +diff --git a/src/core/service.c b/src/core/service.c +index d3ea8a9c3c..d0353ae461 100644 +--- a/src/core/service.c ++++ b/src/core/service.c +@@ -4418,7 +4418,28 @@ static void service_notify_message( + + s->notify_state = NOTIFY_READY; + +- /* Type=notify services inform us about completed initialization with READY=1 */ ++ /* Combined RELOADING=1 and READY=1? Then this is indication that the service started and ++ * immediately finished reloading. */ ++ if (strv_contains(tags, "RELOADING=1")) { ++ if (s->state == SERVICE_RELOAD_SIGNAL && ++ monotonic_usec != USEC_INFINITY && ++ monotonic_usec >= s->reload_begin_usec) ++ /* Valid Type=notify-reload protocol? Then we're all good. 
*/ ++ service_enter_running(s, SERVICE_SUCCESS); ++ ++ else if (s->state == SERVICE_RUNNING) { ++ _cleanup_(sd_bus_error_free) sd_bus_error error = SD_BUS_ERROR_NULL; ++ ++ /* Propagate a reload explicitly for plain RELOADING=1 (semantically equivalent to ++ * service_enter_reload_by_notify() call in below) */ ++ r = manager_propagate_reload(UNIT(s)->manager, UNIT(s), JOB_FAIL, &error); ++ if (r < 0) ++ log_unit_warning(UNIT(s), "Failed to schedule propagation of reload, ignoring: %s", ++ bus_error_message(&error, r)); ++ } ++ } ++ ++ /* Type=notify(-reload) services inform us about completed initialization with READY=1 */ + if (IN_SET(s->type, SERVICE_NOTIFY, SERVICE_NOTIFY_RELOAD) && + s->state == SERVICE_START) + service_enter_start_post(s); +@@ -4427,22 +4448,6 @@ static void service_notify_message( + if (s->state == SERVICE_RELOAD_NOTIFY) + service_enter_running(s, SERVICE_SUCCESS); + +- /* Combined RELOADING=1 and READY=1? Then this is indication that the service started and +- * immediately finished reloading. */ +- if (s->state == SERVICE_RELOAD_SIGNAL && +- strv_contains(tags, "RELOADING=1") && +- monotonic_usec != USEC_INFINITY && +- monotonic_usec >= s->reload_begin_usec) { +- _cleanup_(sd_bus_error_free) sd_bus_error error = SD_BUS_ERROR_NULL; +- +- /* Propagate a reload explicitly */ +- r = manager_propagate_reload(UNIT(s)->manager, UNIT(s), JOB_FAIL, &error); +- if (r < 0) +- log_unit_warning(UNIT(s), "Failed to schedule propagation of reload, ignoring: %s", bus_error_message(&error, r)); +- +- service_enter_running(s, SERVICE_SUCCESS); +- } +- + notify_dbus = true; + + } else if (strv_contains(tags, "RELOADING=1")) { +-- +2.33.0 + diff --git a/backport-core-service-don-t-transition-to-start-post-on-cgrou.patch b/backport-core-service-don-t-transition-to-start-post-on-cgrou.patch new file mode 100644 index 0000000..c593fb3 --- /dev/null +++ b/backport-core-service-don-t-transition-to-start-post-on-cgrou.patch 
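Review bot: The new combined RELOADING=1 + READY=1 branch silently drops the message when the service is in SERVICE_RELOAD_SIGNAL but `monotonic_usec` is USEC_INFINITY or older than `s->reload_begin_usec`, and nothing else in the visible chain handles that state, so a notify-reload service that omits MONOTONIC_USEC never completes its reload job; that is the right anti-replay behaviour (a notification queued before SIGHUP must not satisfy the new reload) but it deserves a comment and a debug log, e.g. `/* Stale or timestamp-less message: it predates our reload request and must not complete the job. */`. The standalone RELOADING=1 branch it is meant to mirror lies outside the hunk. service_notify_message() begins and ends outside the hunk.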
@@ -0,0 +1,37 @@
+From 9f4f1a1a37dbf306fb3b4032fcf467d7d469dbaf Mon Sep 17 00:00:00 2001
+From: Mike Yuan
+Date: Sat, 2 Mar 2024 21:22:51 +0800
+Subject: [PATCH 0436/1160] core/service: don't transition to start-post on
+ cgroup empty event with ExitType=cgroup
+
+It's not clear to me what the rationale of the logic was
+when ExitType=cgroup got introduced. But similar to
+the previous commit, I think we should not transition to
+'start-post' on cgroup empty event. This is especially
+important for Type=dbus/notify services.
+
+(cherry picked from commit f52e9ed62bc27cbb04f8f41bb2c60d2b540e023e)
+---
+ src/core/service.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/src/core/service.c b/src/core/service.c
+index 82cddf30d2..ac4fd24a59 100644
+--- a/src/core/service.c
++++ b/src/core/service.c
+@@ -3589,8 +3589,10 @@ static void service_notify_cgroup_empty_event(Unit *u) {
+ break;
+ }
+
+- if (s->exit_type == SERVICE_EXIT_CGROUP && main_pid_good(s) <= 0)
+- service_enter_start_post(s);
++ if (s->exit_type == SERVICE_EXIT_CGROUP && main_pid_good(s) <= 0) {
++ service_enter_stop_post(s, SERVICE_SUCCESS);
++ break;
++ }
+
+ _fallthrough_;
+ case SERVICE_START_POST:
+--
+2.33.0
+
diff --git a/backport-core-service-fix-accept-socket-deserialization.patch b/backport-core-service-fix-accept-socket-deserialization.patch
index a770396..162ae39 100644
--- a/backport-core-service-fix-accept-socket-deserialization.patch
+++ b/backport-core-service-fix-accept-socket-deserialization.patch
@@ -1,25 +1,21 @@
-From 8f280216e052c9b9937ba77fad6659fb727535d9 Mon Sep 17 00:00:00 2001
+From 8ead2545bf86bd0fe00b344506e071390ffaa99f Mon Sep 17 00:00:00 2001
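Review bot: The cgroup-empty path now enters stop-post with SERVICE_SUCCESS even for Type=notify/notify-reload/dbus services whose cgroup emptied before READY=1 or the bus name ever arrived, which records a clean result for a service that never became ready; either pass a protocol failure for those types, `service_enter_stop_post(s, IN_SET(s->type, SERVICE_NOTIFY, SERVICE_NOTIFY_RELOAD, SERVICE_DBUS) ? SERVICE_FAILURE_PROTOCOL : SERVICE_SUCCESS);`, or document why success is intended, given the commit message itself says the rationale is unclear. How the pending start job is finished is decided outside the hunk, so this is inferred from the result value alone. service_notify_cgroup_empty_event() begins and ends outside the hunk.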
From: Mike Yuan Date: Mon, 17 Jun 2024 07:47:20 +0200 -Subject: [PATCH] core/service: fix accept-socket deserialization +Subject: [PATCH 0699/1160] core/service: fix accept-socket deserialization Follow-up for 45b1017488cef2a5bacdf82028ce900a311c9a1c (cherry picked from commit 9f5d8c3da4f505346bd1edfae907a2abcdbdc578) (cherry picked from commit f7d55cc801611781fbff2817f2fd4a16ec96ca85) -(cherry picked from commit 8ead2545bf86bd0fe00b344506e071390ffaa99f) - -Conflict:there is no macro definition ASSERT_PTR, so we use the assert function instead -Reference:https://github.com/systemd/systemd-stable/commit/8f280216e052c9b9937ba77fad6659fb727535d9 --- - src/core/service.c | 7 ++++--- - 1 file changed, 4 insertions(+), 3 deletions(-) + src/core/service.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/src/core/service.c b/src/core/service.c -index de07cde..64bfe17 100644 +index 42fffbbd67..5f4859e0d3 100644 --- a/src/core/service.c +++ b/src/core/service.c -@@ -1237,7 +1237,7 @@ static int service_coldplug(Unit *u) { +@@ -1363,7 +1363,7 @@ static int service_coldplug(Unit *u) { service_start_watchdog(s); if (UNIT_ISSET(s->accept_socket)) { @@ -28,7 +24,7 @@ index de07cde..64bfe17 100644 if (socket->max_connections_per_source > 0) { SocketPeer *peer; -@@ -2948,8 +2948,8 @@ static int service_deserialize_item(Unit *u, const char *key, const char *value, +@@ -3217,8 +3217,8 @@ static int service_deserialize_item(Unit *u, const char *key, const char *value, } else if (streq(key, "accept-socket")) { Unit *socket; 
@@ -39,14 +35,15 @@ index de07cde..64bfe17 100644 return 0; } -@@ -2958,6 +2958,7 @@ static int service_deserialize_item(Unit *u, const char *key, const char *value, +@@ -3227,7 +3227,7 @@ static int service_deserialize_item(Unit *u, const char *key, const char *value, log_unit_debug_errno(u, r, "Failed to load accept-socket unit '%s': %m", value); else { unit_ref_set(&s->accept_socket, u, socket); -+ assert(SOCKET(socket)); - SOCKET(socket)->n_connections++; +- SOCKET(socket)->n_connections++; ++ ASSERT_PTR(SOCKET(socket))->n_connections++; } + } else if (streq(key, "socket-fd")) { -- 2.33.0 diff --git a/backport-core-service-make-error-msg-match-with-conditions.patch b/backport-core-service-make-error-msg-match-with-conditions.patch new file mode 100644 index 0000000..2a51ebf --- /dev/null +++ b/backport-core-service-make-error-msg-match-with-conditions.patch 
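Review bot: The refreshed hunk replaces `assert(SOCKET(socket));` plus `SOCKET(socket)->n_connections++;` with `ASSERT_PTR(SOCKET(socket))->n_connections++;`, while the Conflict note it removes said the tree had no ASSERT_PTR macro; the new offsets (1363/3217/3227 instead of 1237/2948/2958) indicate the patch now expects the v255-series source, so confirm that macro exists in the base being built, otherwise this fails at compile time rather than in a test. Behaviour is otherwise unchanged: a non-socket unit named in `accept-socket=` still aborts the manager during deserialization instead of being skipped like the load failure two lines above, which is pre-existing policy. service_deserialize_item() continues outside the hunk.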
@@ -0,0 +1,33 @@ +From 3ad123a4faed274afce32e88bc600c304e0dd4a9 Mon Sep 17 00:00:00 2001 +From: Mike Yuan +Date: Thu, 1 Feb 2024 01:47:35 +0800 +Subject: [PATCH 0299/1160] core/service: make error msg match with conditions + +This was discussed in +https://github.com/systemd/systemd/pull/13754#discussion_r333395362. +I think we should actually list "success" Restart= settings instead. +There are more error statuses than success ones after all, and this +list hasn't really changed for quite some time. + +(cherry picked from commit d67c51e386bb9817b74b2968ff195fb06425aa8f) +--- + src/core/service.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/src/core/service.c b/src/core/service.c +index b9eb40c555..060ac084ee 100644 +--- a/src/core/service.c ++++ b/src/core/service.c +@@ -651,8 +651,7 @@ static int service_verify(Service *s) { + if (s->type != SERVICE_ONESHOT && s->exec_command[SERVICE_EXEC_START]->command_next) + return log_unit_error_errno(UNIT(s), SYNTHETIC_ERRNO(ENOEXEC), "Service has more than one ExecStart= setting, which is only allowed for Type=oneshot services. Refusing."); + +- if (s->type == SERVICE_ONESHOT && +- !IN_SET(s->restart, SERVICE_RESTART_NO, SERVICE_RESTART_ON_FAILURE, SERVICE_RESTART_ON_ABNORMAL, SERVICE_RESTART_ON_WATCHDOG, SERVICE_RESTART_ON_ABORT)) ++ if (s->type == SERVICE_ONESHOT && IN_SET(s->restart, SERVICE_RESTART_ALWAYS, SERVICE_RESTART_ON_SUCCESS)) + return log_unit_error_errno(UNIT(s), SYNTHETIC_ERRNO(ENOEXEC), "Service has Restart= set to either always or on-success, which isn't allowed for Type=oneshot services. Refusing."); + + if (s->type == SERVICE_ONESHOT && !exit_status_set_is_empty(&s->restart_force_status)) +-- +2.33.0 + diff --git a/backport-core-service-service_add_fd_store-consumes-passed-fd.patch b/backport-core-service-service_add_fd_store-consumes-passed-fd.patch new file mode 100644 index 0000000..e4f22da --- /dev/null 
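Review bot: The check flips from an allow-list of Restart= values permitted for Type=oneshot to a deny-list of two (SERVICE_RESTART_ALWAYS, SERVICE_RESTART_ON_SUCCESS), so any Restart= mode added to the enum later is accepted for oneshot services by default instead of being rejected; if the deny-list is kept, add next to the IN_SET `/* Deny-list: a new Restart= mode is allowed for oneshot unless listed here; revisit when the enum grows. */`, or keep the allow-list and only fix the message. The error text now matches the condition, which was the stated goal. service_verify() begins and ends outside the hunk.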
+++ b/backport-core-service-service_add_fd_store-consumes-passed-fd.patch
@@ -0,0 +1,40 @@
+From 6d9595ae13febe15fbf56d6ee6e329c1ee4d414e Mon Sep 17 00:00:00 2001
+From: Yu Watanabe
+Date: Fri, 22 Nov 2024 05:15:49 +0900
+Subject: [PATCH 1023/1160] core/service: service_add_fd_store() consumes
+ passed fd
+
+Without this change, the fd is closed twice on failure.
+
+Fixes a bug introduced by dff9808a628c31b7ecb1f1aba8fdc3be06ce8372.
+
+Fixes #35288.
+
+(cherry picked from commit d99198819caeff6f40a0a520364e59b8a0cbaa4f)
+(cherry picked from commit 6dcb53ba0ac6fa7b8e82ef5dba7c507f324a10a1)
+---
+ src/core/service.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/src/core/service.c b/src/core/service.c
+index 2894451d7f..d3ea8a9c3c 100644
+--- a/src/core/service.c
++++ b/src/core/service.c
+@@ -3264,13 +3264,12 @@ static int service_deserialize_item(Unit *u, const char *key, const char *value,
+ return 0;
+ }
+
+- r = service_add_fd_store(s, fd, fdn, do_poll);
++ r = service_add_fd_store(s, TAKE_FD(fd), fdn, do_poll);
+ if (r < 0) {
+ log_unit_debug_errno(u, r, "Failed to store deserialized fd %i, ignoring: %m", fd);
+ return 0;
+ }
+
+- TAKE_FD(fd);
+ } else if (streq(key, "main-exec-status-pid")) {
+ pid_t pid;
+
+--
+2.33.0
+
diff --git a/backport-core-service-use-log_unit_-where-appropriate.patch b/backport-core-service-use-log_unit_-where-appropriate.patch
index 22fa894..5c75ee0 100644
--- a/backport-core-service-use-log_unit_-where-appropriate.patch
+++ b/backport-core-service-use-log_unit_-where-appropriate.patch
@@ -1,13 +1,10 @@
 From e575661da99de81bf0f07d7efdcf8b4c5d9b779e Mon Sep 17 00:00:00 2001
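Review bot: After `r = service_add_fd_store(s, TAKE_FD(fd), fdn, do_poll);` the local `fd` has already been reset by TAKE_FD, so the failure log `"Failed to store deserialized fd %i, ignoring: %m", fd` prints the sentinel rather than the descriptor that was handed over; capture the number first, `int fd_number = fd;` before the call, and log `fd_number`, or drop `%i` from the message. The double close the commit fixes is real, since the callee now owns the fd and closes it on its own failure path. service_deserialize_item() continues outside the hunk.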
From: Mike Yuan Date: Sat, 26 Oct 2024 17:38:06 +0200 -Subject: [PATCH] core/service: use log_unit_* where appropriate +Subject: [PATCH 0970/1160] core/service: use log_unit_* where appropriate (cherry picked from commit 1e8f0beee4272ddc8b25dfa9af8e54bafc4c061a) (cherry picked from commit b9ff85ece7a6bd9eca158aa0a8af46055ffb6142) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/e575661da99de81bf0f07d7efdcf8b4c5d9b779e --- src/core/service.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/backport-core-silence-gcc-warning-about-unitialized-variable.patch b/backport-core-silence-gcc-warning-about-unitialized-variable.patch new file mode 100644 index 0000000..8898b63 --- /dev/null +++ b/backport-core-silence-gcc-warning-about-unitialized-variable.patch 
@@ -0,0 +1,54 @@ +From fcc33169501b1dc8d480faa16f9f3b2e4fac05d0 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Sun, 7 Apr 2024 11:05:42 +0200 +Subject: [PATCH 0494/1160] core: silence gcc warning about unitialized + variable +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +When compiled with -O2, the compiler is not happy about dynamic_user_pop() and +would warn about the output variables not being set. It does have a point: +we were doing a cast from ssize_t to int, and theoretically there could be +wraparound. So let's add an explicit check that the cast to int is fine. + +[540/2509] Compiling C object src/core/libsystemd-core-256.so.p/dynamic-user.c.o +../src/core/dynamic-user.c: In function ‘dynamic_user_close.isra’: +../src/core/dynamic-user.c:580:9: warning: ‘uid’ may be used uninitialized [-Wmaybe-uninitialized] + 580 | unlink_uid_lock(lock_fd, uid, d->name); + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +../src/core/dynamic-user.c:560:15: note: ‘uid’ was declared here + 560 | uid_t uid; + | ^~~ +../src/core/dynamic-user.c: In function ‘dynamic_user_realize’: +../src/core/dynamic-user.c:476:29: warning: ‘new_uid’ may be used uninitialized [-Wmaybe-uninitialized] + 476 | num = new_uid; + | ~~~~^~~~~~~~~ +../src/core/dynamic-user.c:398:23: note: ‘new_uid’ was declared here + 398 | uid_t new_uid; + | ^~~~~~~ + +(cherry picked from commit 741f6ae39be136f65fbc7fe424b7087f3ad23b0b) +--- + src/core/dynamic-user.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/src/core/dynamic-user.c b/src/core/dynamic-user.c +index 12724c682c..2bf9094481 100644 +--- a/src/core/dynamic-user.c ++++ b/src/core/dynamic-user.c +@@ -337,8 +337,10 @@ static int dynamic_user_pop(DynamicUser *d, uid_t *ret_uid, int *ret_lock_fd) { + * the lock on the socket taken. 
*/ + + k = receive_one_fd_iov(d->storage_socket[0], &iov, 1, MSG_DONTWAIT, &lock_fd); +- if (k < 0) ++ if (k < 0) { ++ assert(errno_is_valid(-k)); + return (int) k; ++ } + + *ret_uid = uid; + *ret_lock_fd = lock_fd; +-- +2.33.0 + diff --git a/backport-core-try-again-bind-mounting-if-the-destination-was-.patch b/backport-core-try-again-bind-mounting-if-the-destination-was-.patch new file mode 100644 index 0000000..b50ceb6 --- /dev/null +++ b/backport-core-try-again-bind-mounting-if-the-destination-was-.patch 
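Review bot: The added `assert(errno_is_valid(-k))` turns a theoretical ssize_t-to-int truncation into an abort, and dynamic_user_pop() is manager code (libsystemd-core in the compile trace), so if it ever fired it would take down PID 1; the invariant holds because receive_one_fd_iov() presumably returns a negative errno on failure, so state that at the assert, `/* receive_one_fd_iov() returns -errno on failure, which always fits an int */`, so a later replacement of the call with one returning larger negative values is caught in review. The warning itself concerns the callers' `uid`/`lock_fd` outputs being unset on this error path; the assert only helps the compiler see the cast keeps its sign. dynamic_user_pop() begins and ends outside the hunk.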
@@ -0,0 +1,44 @@ +From 5e3fc0b746d38889c1adc6ef0041864694287287 Mon Sep 17 00:00:00 2001 +From: Luca Boccassi +Date: Sat, 29 Jun 2024 18:31:23 +0100 +Subject: [PATCH 0736/1160] core: try again bind mounting if the destination + was already created + +If the destination mount point is on a shared filesystem and is +missing on the first attempt, we try to create it, but then +fail with -EEXIST if something else created it in the meanwhile. +Enter the retry logic on EEXIST, as we can just use the mount +point if it was already created. + +Fixes https://github.com/systemd/systemd/issues/29690 + +(cherry picked from commit c3f0f6f8bd812fee4b2ab658a5cc9ac9167d387d) +(cherry picked from commit df990be91348f847f31da8d02d3ee2fbcb946c30) +--- + src/core/namespace.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/src/core/namespace.c b/src/core/namespace.c +index 88681aa31f..4ec38a3ea9 100644 +--- a/src/core/namespace.c ++++ b/src/core/namespace.c +@@ -1687,11 +1687,11 @@ static int apply_one_mount( + (void) mkdir_parents(mount_entry_path(m), 0755); + + q = make_mount_point_inode_from_path(what, mount_entry_path(m), 0755); +- if (q < 0) { +- if (q != -EEXIST) // FIXME: this shouldn't be logged at LOG_WARNING, but be bubbled up, and logged there to avoid duplicate logging +- log_warning_errno(q, "Failed to create destination mount point node '%s', ignoring: %m", +- mount_entry_path(m)); +- } else ++ if (q < 0 && q != -EEXIST) ++ // FIXME: this shouldn't be logged at LOG_WARNING, but be bubbled up, and logged there to avoid duplicate logging ++ log_warning_errno(q, "Failed to create destination mount point node '%s', ignoring: %m", ++ mount_entry_path(m)); ++ else + try_again = true; + } + +-- +2.33.0 + diff --git a/backport-core-unit-do-not-use-unit-path-cache-in-unit_need_da.patch b/backport-core-unit-do-not-use-unit-path-cache-in-unit_need_da.patch new file mode 100644 index 0000000..388e033 --- /dev/null 
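Review bot: With `-EEXIST` now routed into `try_again = true`, the retry bind-mounts onto whatever inode appeared at `mount_entry_path(m)` in the meantime, which on a shared filesystem may have been created by another actor and may not be of the type expected for `what`. If `make_mount_point_inode_from_path()` also returns -EEXIST for a wrong-type inode (not visible here), the retry fails later at mount time with a less specific error, so the new condition deserves a comment stating the assumption, e.g. `/* EEXIST: the mount point was created concurrently; retry the mount on it as-is */`. Placing a `//` comment between a brace-less `if` and its statement also makes the control flow harder to read; moving the comment above the `if` or adding braces would be clearer. apply_one_mount()'s body starts and ends outside the hunk.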
+++ b/backport-core-unit-do-not-use-unit-path-cache-in-unit_need_da.patch 
@@ -0,0 +1,128 @@ +From e6f8282051e2066d8b32b46aba7776883e5cb953 Mon Sep 17 00:00:00 2001 +From: Nick Rosbrook +Date: Wed, 7 Aug 2024 18:18:06 -0400 +Subject: [PATCH 0847/1160] core/unit: do not use unit path cache in + unit_need_daemon_reload() + +When unit_need_daemon_reload() calls unit_find_dropin_paths() to check +for new drop-in configs, the manager's unit path cache is used to limit +which directories are considered. If a new drop-in directory is created, +it may not be in the unit path cache, and hence unit_need_daemon_reload() +may return false, despite a new drop-in being present. However, if a +unit path cache is not given to unit_file_find_dropin_paths() at all, +then it behaves as if the target path was found in the unit path cache. + +So, to fix this, adapt unit_find_dropin_paths() to take a boolean +argument indicating whether or not to pass along the unit path cache. +Set this to false in unit_need_daemon_reload(). + +Fixes #31752 + +(cherry picked from commit 82c482d573c9d2f3ab36f7be8d32772f90f2c335) +(cherry picked from commit 6f57f9b8aa4084179c82c98ec654315a63532fe9) +--- + src/core/load-dropin.c | 2 +- + src/core/load-dropin.h | 4 +-- + src/core/unit.c | 2 +- + test/units/TEST-07-PID1.issue-31752.sh | 44 ++++++++++++++++++++++++++ + 4 files changed, 48 insertions(+), 4 deletions(-) + create mode 100755 test/units/TEST-07-PID1.issue-31752.sh + +diff --git a/src/core/load-dropin.c b/src/core/load-dropin.c +index fd45744261..dc9c44e6d6 100644 +--- a/src/core/load-dropin.c ++++ b/src/core/load-dropin.c +@@ -102,7 +102,7 @@ int unit_load_dropin(Unit *u) { + return r; + + /* Load .conf dropins */ +- r = unit_find_dropin_paths(u, &l); ++ r = unit_find_dropin_paths(u, /* use_unit_path_cache = */ true, &l); + if (r <= 0) + return 0; + +diff --git a/src/core/load-dropin.h b/src/core/load-dropin.h +index f0b87d3e9f..141bc7dd0f 100644 +--- a/src/core/load-dropin.h ++++ b/src/core/load-dropin.h +@@ -6,12 +6,12 @@ + + /* Read service data supplementary 
drop-in directories */ + +-static inline int unit_find_dropin_paths(Unit *u, char ***paths) { ++static inline int unit_find_dropin_paths(Unit *u, bool use_unit_path_cache, char ***paths) { + assert(u); + + return unit_file_find_dropin_paths(NULL, + u->manager->lookup_paths.search_path, +- u->manager->unit_path_cache, ++ use_unit_path_cache ? u->manager->unit_path_cache : NULL, + ".d", ".conf", + u->id, u->aliases, + paths); +diff --git a/src/core/unit.c b/src/core/unit.c +index ac76ecd54b..8ac9a965b6 100644 +--- a/src/core/unit.c ++++ b/src/core/unit.c +@@ -3927,7 +3927,7 @@ bool unit_need_daemon_reload(Unit *u) { + if (u->load_state == UNIT_LOADED) { + _cleanup_strv_free_ char **dropins = NULL; + +- (void) unit_find_dropin_paths(u, &dropins); ++ (void) unit_find_dropin_paths(u, /* use_unit_path_cache = */ false, &dropins); + + if (!strv_equal(u->dropin_paths, dropins)) + return true; +diff --git a/test/units/TEST-07-PID1.issue-31752.sh b/test/units/TEST-07-PID1.issue-31752.sh +new file mode 100755 +index 0000000000..89ec07e46b +--- /dev/null ++++ b/test/units/TEST-07-PID1.issue-31752.sh +@@ -0,0 +1,44 @@ ++#!/usr/bin/env bash ++# SPDX-License-Identifier: LGPL-2.1-or-later ++# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*- ++# ex: ts=8 sw=4 sts=4 et filetype=sh ++ ++set -eux ++set -o pipefail ++ ++# shellcheck source=test/units/util.sh ++. "$(dirname "$0")"/util.sh ++ ++# Make sure NeedDaemonReload= considers newly created drop-ins. 
++# Issue: https://github.com/systemd/systemd/issues/31752 ++ ++UNIT=test-issue-31752.service ++ ++cleanup() { ++ rm -rf /run/systemd/system/"$UNIT" /run/systemd/system/"$UNIT".d ++ systemctl daemon-reload ++} ++ ++trap cleanup EXIT ++ ++cat > /run/systemd/system/"$UNIT" < /run/systemd/system/"$UNIT".d/desc.conf < +Date: Fri, 28 Jun 2024 15:32:33 +0200 +Subject: [PATCH 0732/1160] core/unit: follow merged units before updating + SourcePath= timestamp too + +Currently, we only follow merged units for unit_load_dropin() call. +But if the unit is an alias, we should always perform operations +on the "canonical" unit. + +(cherry picked from commit 740cd1e0f2ae5cc1a10d2111d63cc4e975761091) +(cherry picked from commit 86d47d63b01c1910f8f186668948f0dc7b80db37) +--- + src/core/unit.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/src/core/unit.c b/src/core/unit.c +index 2fc9f5ad2d..753fbe3b7f 100644 +--- a/src/core/unit.c ++++ b/src/core/unit.c +@@ -1457,11 +1457,13 @@ int unit_load_fragment_and_dropin(Unit *u, bool fragment_required) { + u->load_state = UNIT_LOADED; + } + ++ u = unit_follow_merge(u); ++ + /* Load drop-in directory data. If u is an alias, we might be reloading the + * target unit needlessly. But we cannot be sure which drops-ins have already + * been loaded and which not, at least without doing complicated book-keeping, + * so let's always reread all drop-ins. */ +- r = unit_load_dropin(unit_follow_merge(u)); ++ r = unit_load_dropin(u); + if (r < 0) + return r; + +-- +2.33.0 + diff --git a/backport-core-unit-ignore-dropins-for-masked-units-completely.patch b/backport-core-unit-ignore-dropins-for-masked-units-completely.patch new file mode 100644 index 0000000..0766483 --- /dev/null +++ b/backport-core-unit-ignore-dropins-for-masked-units-completely.patch 
@@ -0,0 +1,78 @@ +From b6adde516effd547291dfded28d2521759c72683 Mon Sep 17 00:00:00 2001 +From: Mike Yuan +Date: Mon, 8 Jul 2024 17:12:20 +0200 +Subject: [PATCH 0790/1160] core/unit: ignore dropins for masked units + completely when checking need_reload + +Follow-up for 19a44dfe4525ab01caf593a9c2beada4b412910d + +If a drop-in is set from upper level, e.g. global unit_type.d/, +even if a unit is masked, its dropin_paths would still be partially +populated. However, unit_need_daemon_reload() would always +compare u->dropin_paths with empty strv in case of masked units, +resulting in it always returning true. Instead, let's ignore +dropins entirely here. + +Fixes #33672 + +(cherry picked from commit 11b3775f514f521f353741ff6ac4d66cf0e928e8) +(cherry picked from commit 6a3cb4cd11119cf8d3ed29d076c223b0fe491f98) +--- + src/core/unit.c | 18 ++++++++++-------- + test/units/TEST-07-PID1.issue-33672.sh | 3 +-- + 2 files changed, 11 insertions(+), 10 deletions(-) + +diff --git a/src/core/unit.c b/src/core/unit.c +index 753fbe3b7f..ac76ecd54b 100644 +--- a/src/core/unit.c ++++ b/src/core/unit.c +@@ -3909,8 +3909,6 @@ static bool fragment_mtime_newer(const char *path, usec_t mtime, bool path_maske + } + + bool unit_need_daemon_reload(Unit *u) { +- _cleanup_strv_free_ char **dropins = NULL; +- + assert(u); + assert(u->manager); + +@@ -3926,16 +3924,20 @@ bool unit_need_daemon_reload(Unit *u) { + if (fragment_mtime_newer(u->source_path, u->source_mtime, false)) + return true; + +- if (u->load_state == UNIT_LOADED) ++ if (u->load_state == UNIT_LOADED) { ++ _cleanup_strv_free_ char **dropins = NULL; ++ + (void) unit_find_dropin_paths(u, &dropins); +- if (!strv_equal(u->dropin_paths, dropins)) +- return true; + +- /* … any drop-ins that are masked are simply omitted from the list. 
*/ +- STRV_FOREACH(path, u->dropin_paths) +- if (fragment_mtime_newer(*path, u->dropin_mtime, false)) ++ if (!strv_equal(u->dropin_paths, dropins)) + return true; + ++ /* … any drop-ins that are masked are simply omitted from the list. */ ++ STRV_FOREACH(path, u->dropin_paths) ++ if (fragment_mtime_newer(*path, u->dropin_mtime, false)) ++ return true; ++ } ++ + return false; + } + +diff --git a/test/units/TEST-07-PID1.issue-33672.sh b/test/units/TEST-07-PID1.issue-33672.sh +index ab388e32b1..370497c346 100755 +--- a/test/units/TEST-07-PID1.issue-33672.sh ++++ b/test/units/TEST-07-PID1.issue-33672.sh +@@ -37,5 +37,4 @@ systemctl unmask "$UNIT" + assert_eq "$(systemctl show -P NeedDaemonReload "$UNIT")" no + + systemctl mask "$UNIT" +-# FIXME: should be "no" +-assert_eq "$(systemctl show -P NeedDaemonReload "$UNIT")" yes ++assert_eq "$(systemctl show -P NeedDaemonReload "$UNIT")" no +-- +2.33.0 + diff --git a/backport-core-unit-serialize-fix-serialization-of-markers.patch b/backport-core-unit-serialize-fix-serialization-of-markers.patch new file mode 100644 index 0000000..cc888da --- /dev/null +++ b/backport-core-unit-serialize-fix-serialization-of-markers.patch 
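Review bot: The new braces make the whole drop-in comparison conditional on `u->load_state == UNIT_LOADED`, so it is now skipped for every other load state (not only masked units, but also not-found, error and bad-setting), while the commit message only discusses masked units; the comment inside the block should say so, e.g. `/* Drop-ins are only compared for loaded units: for masked or otherwise unloaded units u->dropin_paths may be partially populated and is deliberately ignored here. */`. The test change in the same hunk only covers the masked case, so the other states rely on this reasoning being written down. unit_need_daemon_reload()'s SourcePath checks sit between the two inner hunks and are not shown.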
@@ -0,0 +1,35 @@
+From b030bfba78d06f90759226eadfded84f0543ddcf Mon Sep 17 00:00:00 2001
+From: Mike Yuan
+Date: Thu, 26 Dec 2024 21:15:44 +0100
+Subject: [PATCH 1075/1160] core/unit-serialize: fix serialization of markers
+
+Follow-up for ff68472a20c208121b69ea13586f3105a219bc14
+
+(cherry picked from commit 5ce8d7d83902e920a34488c4193d9bc4b5bb70ae)
+(cherry picked from commit 6f30e56bf3e5272e83cff11d153ae70c3ffb7624)
+(cherry picked from commit 4a9f42e19782a9d6ab8b444511fa2a319ea1a804)
+---
+ src/core/unit-serialize.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/core/unit-serialize.c b/src/core/unit-serialize.c
+index fe4221ca46..6e1514983e 100644
+--- a/src/core/unit-serialize.c
++++ b/src/core/unit-serialize.c
+@@ -39,10 +39,12 @@ static int serialize_markers(FILE *f, unsigned markers) {
+ if (markers == 0)
+ return 0;
+
++ bool space = false;
++
+ fputs("markers=", f);
+ for (UnitMarker m = 0; m < _UNIT_MARKER_MAX; m++)
+ if (FLAGS_SET(markers, 1u << m))
+- fputs(unit_marker_to_string(m), f);
++ fputs_with_space(f, unit_marker_to_string(m), /* separator = */ NULL, &space);
+ fputc('\n', f);
+ return 0;
+ }
+-- 
+2.33.0
+
diff --git a/backport-core-warn-if-a-generator-is-world-writable.patch b/backport-core-warn-if-a-generator-is-world-writable.patch
new file mode 100644
index 0000000..348ddb1
--- /dev/null
+++ b/backport-core-warn-if-a-generator-is-world-writable.patch
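Review bot: The serializer now writes whitespace-separated marker names, but the hunk does not record that contract anywhere near the loop, and the matching deserializer (outside this patch) is what has to honour it — including across a daemon-reexec where the old binary wrote the previous concatenated form. A comment above the loop, `/* Emitted as "markers=a b ..."; the deserializer splits on whitespace */`, would document the format, and whether a concatenated token from an older binary is tolerated or dropped should be confirmed and noted there too. serialize_markers() is shown in full within the inner hunk.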
@@ -0,0 +1,66 @@ +From 3b0731b9d414e08f67f1976e2d400974f470fd3f Mon Sep 17 00:00:00 2001 +From: Lukas Nykryn +Date: Fri, 4 Oct 2024 10:51:02 +0200 +Subject: [PATCH 0912/1160] core: warn if a generator is world-writable + +... because that is obviously a security risk. + +(cherry picked from commit da32cac8a014ddf048fc7bad84dafdbc204d4dc8) +(cherry picked from commit 7ac58949a37db3ddb662908d3aadaf5934fec222) +--- + src/core/manager.c | 2 +- + src/shared/exec-util.c | 12 ++++++++++++ + src/shared/exec-util.h | 1 + + 3 files changed, 14 insertions(+), 1 deletion(-) + +diff --git a/src/core/manager.c b/src/core/manager.c +index 30cd8bcbea..3874586ebd 100644 +--- a/src/core/manager.c ++++ b/src/core/manager.c +@@ -4003,7 +4003,7 @@ static int manager_execute_generators(Manager *m, char **paths, bool remount_ro) + /* callbacks= */ NULL, /* callback_args= */ NULL, + (char**) argv, + ge, +- EXEC_DIR_PARALLEL | EXEC_DIR_IGNORE_ERRORS | EXEC_DIR_SET_SYSTEMD_EXEC_PID); ++ EXEC_DIR_PARALLEL | EXEC_DIR_IGNORE_ERRORS | EXEC_DIR_SET_SYSTEMD_EXEC_PID | EXEC_DIR_WARN_WORLD_WRITABLE); + } + + static int manager_run_generators(Manager *m) { +diff --git a/src/shared/exec-util.c b/src/shared/exec-util.c +index b402877d4d..8c928595b3 100644 +--- a/src/shared/exec-util.c ++++ b/src/shared/exec-util.c +@@ -147,6 +147,18 @@ static int do_execute( + log_debug("About to execute %s%s%s", t, argv ? " " : "", argv ? strnull(args) : ""); + } + ++ if (FLAGS_SET(flags, EXEC_DIR_WARN_WORLD_WRITABLE)) { ++ struct stat st; ++ ++ r = stat(t, &st); ++ if (r < 0) ++ log_warning_errno(errno, "Failed to stat '%s', ignoring: %m", t); ++ else if (S_ISREG(st.st_mode) && (st.st_mode & 0002)) ++ log_warning("'%s' is marked world-writable, which is a security risk as it " ++ "is executed with privileges. Please remove world writability " ++ "permission bits. 
Proceeding anyway.", t); ++ } ++ + r = do_spawn(t, argv, fd, &pid, FLAGS_SET(flags, EXEC_DIR_SET_SYSTEMD_EXEC_PID)); + if (r <= 0) + continue; +diff --git a/src/shared/exec-util.h b/src/shared/exec-util.h +index b99336ee3b..86dac52ebf 100644 +--- a/src/shared/exec-util.h ++++ b/src/shared/exec-util.h +@@ -20,6 +20,7 @@ typedef enum { + EXEC_DIR_IGNORE_ERRORS = 1 << 1, /* Ignore non-zero exit status of scripts */ + EXEC_DIR_SET_SYSTEMD_EXEC_PID = 1 << 2, /* Set $SYSTEMD_EXEC_PID environment variable */ + EXEC_DIR_SKIP_REMAINING = 1 << 3, /* Ignore remaining executions when one exit with 77. */ ++ EXEC_DIR_WARN_WORLD_WRITABLE = 1 << 4, /* Warn if world writable files are found */ + } ExecDirFlags; + + typedef enum ExecCommandFlags { +-- +2.33.0 + diff --git a/backport-coredump-correctly-take-tmpfs-size-into-account-for-.patch b/backport-coredump-correctly-take-tmpfs-size-into-account-for-.patch index 7f619e0..767cd33 100644 --- a/backport-coredump-correctly-take-tmpfs-size-into-account-for-.patch +++ b/backport-coredump-correctly-take-tmpfs-size-into-account-for-.patch @@ -1,8 +1,8 @@ From 3dacca114bde3a216605ab51d2f5203c4a6b9707 Mon Sep 17 00:00:00 2001 From: Luca Boccassi Date: Tue, 2 Jul 2024 15:28:47 +0100 -Subject: [PATCH] coredump: correctly take tmpfs size into account for - compression +Subject: [PATCH 0742/1160] coredump: correctly take tmpfs size into account + for compression We calculate the amount of uncompressed data we can write by taking the limits into account and halving it to ensure there's room for switching to compression @@ -17,9 +17,6 @@ the tmpfs size. (cherry picked from commit e6b2508275aac2951aedfc842735d8ebc29850bb) (cherry picked from commit a946258e9df627c675d13b2041ae186babf269dc) - -Conflict:NA -Reference:https://github.com/systemd/systemd-stable/commit/3dacca114bde3a216605ab51d2f5203c4a6b9707 --- src/coredump/coredump.c | 20 ++++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-) 
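Review bot: The new check calls `stat()` on `t`, which follows symlinks, and then `do_spawn()` separately, so it is advisory by construction (the file can change in between) and only covers regular files with the other-write bit set; a world-writable parent directory or a non-root owner is not considered. That is acceptable for a warning, but the code should say so, e.g. `/* Advisory only: follows symlinks and races with do_spawn(); meant to surface misconfigured generators, not to block them. */`, and `st.st_mode & 0002` reads better as `st.st_mode & S_IWOTH`. do_execute()'s loop starts and ends outside the hunk.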
diff --git a/backport-coredump-keep-core-files-for-two-weeks.patch b/backport-coredump-keep-core-files-for-two-weeks.patch new file mode 100644 index 0000000..5a14b28 --- /dev/null +++ b/backport-coredump-keep-core-files-for-two-weeks.patch @@ -0,0 +1,36 @@ +From e2be83f9495020c399b60cc0ecf138d2e6df34e4 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Tue, 5 Dec 2023 15:56:54 +0100 +Subject: [PATCH 0005/1160] coredump: keep core files for two weeks + +We have two mechanisms that remove old coredumps: systemd-coredump has +parameters based on disk use / remaining disk free, and systemd-tmpfiles does +cleanup based on time. The first mechanism should prevent us from using too much +disk space in case something is crashing continuously or there are very large +core files. + +The limit of 3 days makes it likely that the core file will be gone by the time +the admin looks at the issue. E.g. if something crashes on Friday, the coredump +would likely be gone before people are back on Monday to look at it. + +(cherry picked from commit f8d67130b8b492a1f2eedd07a3189051f98db648) +--- + tmpfiles.d/systemd.conf.in | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tmpfiles.d/systemd.conf.in b/tmpfiles.d/systemd.conf.in +index 3781c579e0..11a45a3f4b 100644 +--- a/tmpfiles.d/systemd.conf.in ++++ b/tmpfiles.d/systemd.conf.in +@@ -59,7 +59,7 @@ a+ /var/log/journal/%m/system.journal - - - - group:wheel:r-- + {% endif %} + + d /var/lib/systemd 0755 root root - +-d /var/lib/systemd/coredump 0755 root root 3d ++d /var/lib/systemd/coredump 0755 root root 2w + # Files and directories in /var/lib/systemd/ephemeral-trees are locked by pid 1 to prevent tmpfiles from + # removing them, and tmpfiles is told to clean up anything in /var/lib/systemd/ephemeral-trees that isn't + # locked unconditionally. +-- +2.33.0 + diff --git a/backport-cpio-fix-assert.patch b/backport-cpio-fix-assert.patch new file mode 100644 index 0000000..3fa7d26 
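Review bot: The `3d` → `2w` change for /var/lib/systemd/coredump lengthens how long process memory images, which can contain credentials, keys and other secrets, stay on disk, and the patch description covers only the size-based limit, not this exposure aspect. Since the backport changes the distribution's effective default, the package changelog should state that time-based cleanup is now two weeks and that deployments with stricter retention requirements can override the line through a local tmpfiles.d drop-in.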
--- /dev/null
+++ b/backport-cpio-fix-assert.patch
@@ -0,0 +1,26 @@
+From 8019b6fb4b226fac2bff43c8ff573cf504768257 Mon Sep 17 00:00:00 2001
+From: Antonio Alvarez Feijoo
+Date: Fri, 19 Apr 2024 16:13:21 +0200
+Subject: [PATCH 0507/1160] cpio: fix assert
+
+(cherry picked from commit cc51dbe999f8ebbe8c26a59b6f961c4bff89e3f6)
+---
+ src/boot/efi/cpio.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/boot/efi/cpio.c b/src/boot/efi/cpio.c
+index 5b90e17c41..c4f803c31a 100644
+--- a/src/boot/efi/cpio.c
++++ b/src/boot/efi/cpio.c
+@@ -65,7 +65,7 @@ static EFI_STATUS pack_cpio_one(
+ char *a;
+
+ assert(fname);
+- assert(contents_size || contents_size == 0);
++ assert(contents || contents_size == 0);
+ assert(target_dir_prefix);
+ assert(inode_counter);
+ assert(cpio_buffer);
+-- 
+2.33.0
+
diff --git a/backport-creds-fix-cat-with-encrypted-credentials.patch b/backport-creds-fix-cat-with-encrypted-credentials.patch
new file mode 100644
index 0000000..d2d6e34
--- /dev/null
+++ b/backport-creds-fix-cat-with-encrypted-credentials.patch
@@ -0,0 +1,51 @@ +From 6a6cf125dae4b8394e2d09caa18fbe098726ceed Mon Sep 17 00:00:00 2001 +From: Simon Pilkington +Date: Wed, 25 Sep 2024 11:25:48 +0200 +Subject: [PATCH 0886/1160] creds: fix cat with encrypted credentials + +Fixes: https://github.com/systemd/systemd/issues/34547 +(cherry picked from commit 32951fe4de683f5d42cec2fb2e036f766b051e2b) +(cherry picked from commit bc0ba0030b83cea3c5bf62695bb70f406fe6d12d) +--- + src/creds/creds.c | 6 +++++- + test/units/testsuite-54.sh | 4 ++-- + 2 files changed, 7 insertions(+), 3 deletions(-) + +diff --git a/src/creds/creds.c b/src/creds/creds.c +index 10d117118f..fffa082faa 100644 +--- a/src/creds/creds.c ++++ b/src/creds/creds.c +@@ -391,10 +391,14 @@ static int verb_cat(int argc, char **argv, void *userdata) { + if (!d) /* Not set */ + continue; + ++ ReadFullFileFlags flags = READ_FULL_FILE_SECURE|READ_FULL_FILE_WARN_WORLD_READABLE; ++ if (encrypted) ++ flags |= READ_FULL_FILE_UNBASE64; ++ + r = read_full_file_full( + dirfd(d), *cn, + UINT64_MAX, SIZE_MAX, +- READ_FULL_FILE_SECURE|READ_FULL_FILE_WARN_WORLD_READABLE, ++ flags, + NULL, + (char**) &data, &size); + if (r == -ENOENT) /* Not found */ +diff --git a/test/units/testsuite-54.sh b/test/units/testsuite-54.sh +index bcbe7a1e6a..8aa21b6b5e 100755 +--- a/test/units/testsuite-54.sh ++++ b/test/units/testsuite-54.sh +@@ -33,8 +33,8 @@ CRED_DIR="$(mktemp -d)" + ENC_CRED_DIR="$(mktemp -d)" + echo foo >"$CRED_DIR/secure-or-weak" + echo foo >"$CRED_DIR/insecure" +-echo foo | systemd-creds --name="encrypted" encrypt - - | base64 -d >"$ENC_CRED_DIR/encrypted" +-echo foo | systemd-creds encrypt - - | base64 -d >"$ENC_CRED_DIR/encrypted-unnamed" ++echo foo | systemd-creds --name="encrypted" encrypt - "$ENC_CRED_DIR/encrypted" ++echo foo | systemd-creds encrypt - "$ENC_CRED_DIR/encrypted-unnamed" + chmod -R 0400 "$CRED_DIR" "$ENC_CRED_DIR" + chmod -R 0444 "$CRED_DIR/insecure" + mkdir /tmp/empty/ +-- +2.33.0 + 
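Review bot: `READ_FULL_FILE_UNBASE64` is added for the encrypted case without a comment explaining why the two cases differ; the test change in the same hunk shows encrypted credentials are now stored as the base64 output of `systemd-creds encrypt` rather than its decoded form, so a line like `/* Encrypted credentials are stored base64-encoded on disk; decode on read */` above `if (encrypted)` would make the call site self-explanatory. Where `encrypted` is determined is outside the hunk, as are the start and end of verb_cat()'s loop.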
diff --git a/backport-cryptenroll-Fix-reading-keyfile-from-socket.patch b/backport-cryptenroll-Fix-reading-keyfile-from-socket.patch new file mode 100644 index 0000000..946f229 --- /dev/null +++ b/backport-cryptenroll-Fix-reading-keyfile-from-socket.patch @@ -0,0 +1,35 @@ +From d8be85261911f2655f19c668590bece1295aadce Mon Sep 17 00:00:00 2001 +From: Felix Riemann +Date: Fri, 2 Feb 2024 18:08:52 +0100 +Subject: [PATCH 0293/1160] cryptenroll: Fix reading keyfile from socket + +systemd-cryptenroll uses the READ_FULL_FILE_CONNECT_SOCKET flag when +reading the keyfile to also allow reading it from a socket. But it also +sets the offset to 0, causing an unnecessary seek to the beginning of +the newly opened keyfile and disables socket support again, as these do +not support seeking. + +Disable seeking entirely to remove the unneeded seek and restore support +for reading the keyfile from a socket again as with systemd-cryptsetup. + +(cherry picked from commit 0119370cbba902cdb162cc4a1eb2ac8a38058bdd) +--- + src/cryptenroll/cryptenroll.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/cryptenroll/cryptenroll.c b/src/cryptenroll/cryptenroll.c +index be6892bbd3..1cb6652352 100644 +--- a/src/cryptenroll/cryptenroll.c ++++ b/src/cryptenroll/cryptenroll.c +@@ -601,7 +601,7 @@ static int load_volume_key_keyfile( + r = read_full_file_full( + AT_FDCWD, + arg_unlock_keyfile, +- 0, ++ UINT64_MAX, + SIZE_MAX, + READ_FULL_FILE_SECURE|READ_FULL_FILE_WARN_WORLD_READABLE|READ_FULL_FILE_CONNECT_SOCKET, + NULL, +-- +2.33.0 + diff --git a/backport-cryptenroll-homectl-journalctl-adjust-messages-befor.patch b/backport-cryptenroll-homectl-journalctl-adjust-messages-befor.patch new file mode 100644 index 0000000..a43af1e --- /dev/null +++ b/backport-cryptenroll-homectl-journalctl-adjust-messages-befor.patch 
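Review bot: The `0` → `UINT64_MAX` change at the offset argument of `read_full_file_full()` is unexplained at the call site; only the commit message says it disables seeking so that a socket keyfile keeps working. Annotate the argument in the named-argument style used elsewhere in this series, `/* offset = */ UINT64_MAX, /* no seek: the keyfile may be a socket */`, so the next reader does not "fix" it back to 0. load_volume_key_keyfile() starts and ends outside the hunk.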
@@ -0,0 +1,50 @@ +From 4ca8f5e68dc86606890806d7c17ae71d17e1cd9a Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Mon, 28 Oct 2024 13:59:05 +0100 +Subject: [PATCH 0982/1160] cryptenroll,homectl,journalctl: adjust messages + before qrcodes + +Users will generally know what a qrcode is, so let's not treat them as dumb and +explain that it can be scanned. OTOH, we should say what the qrcode contains +and it is useful to give a hint why the users would want to scan it. Reword +messages accordingly. + +(Also, don't say "to your phone", when somebody might be using a stolen phone, +or something else then a phone.) + +(cherry picked from commit 10faa40ba781cf499258a3b37de02dd643822dc6) +(cherry picked from commit fefd60bf7ad9f361c85395ab38f10482f3007f15) +--- + src/cryptenroll/cryptenroll-recovery.c | 2 +- + src/home/homectl-recovery-key.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/cryptenroll/cryptenroll-recovery.c b/src/cryptenroll/cryptenroll-recovery.c +index 7c170f2850..f12c271338 100644 +--- a/src/cryptenroll/cryptenroll-recovery.c ++++ b/src/cryptenroll/cryptenroll-recovery.c +@@ -67,7 +67,7 @@ int enroll_recovery( + "whenever authentication is requested.\n", stderr); + fflush(stderr); + +- (void) print_qrcode(stderr, "You may optionally scan the recovery key off screen", password); ++ (void) print_qrcode(stderr, "Optionally scan the recovery key for safekeeping", password); + + if (asprintf(&keyslot_as_string, "%i", keyslot) < 0) { + r = log_oom(); +diff --git a/src/home/homectl-recovery-key.c b/src/home/homectl-recovery-key.c +index bf18ae49e4..ada9a2d693 100644 +--- a/src/home/homectl-recovery-key.c ++++ b/src/home/homectl-recovery-key.c +@@ -159,7 +159,7 @@ int identity_add_recovery_key(JsonVariant **v) { + "whenever authentication is requested.\n", stderr); + fflush(stderr); + +- (void) print_qrcode(stderr, "You may optionally scan the recovery key off screen", password); ++ (void) 
print_qrcode(stderr, "Optionally scan the recovery key for safekeeping", password); + + return 0; + } +-- +2.33.0 + diff --git a/backport-cryptenroll-it-s-called-PKCS-11-not-PKCS11.patch b/backport-cryptenroll-it-s-called-PKCS-11-not-PKCS11.patch new file mode 100644 index 0000000..37b2459 --- /dev/null +++ b/backport-cryptenroll-it-s-called-PKCS-11-not-PKCS11.patch @@ -0,0 +1,30 @@ +From 60bf1dd1dac2173ccf17abdf3ab1ef65e2a668eb Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Fri, 22 Nov 2024 10:11:04 +0100 +Subject: [PATCH 1024/1160] cryptenroll: it's called PKCS#11, not PKCS11 + +In the --help text we really should use the official spelling, just like +in the man page. + +(cherry picked from commit cc6baba7200bd8171b6beff446b4009dad5c4230) +(cherry picked from commit ddcc0bc151a5cea91432279c4194cf352593e60a) +--- + src/cryptenroll/cryptenroll.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/cryptenroll/cryptenroll.c b/src/cryptenroll/cryptenroll.c +index 1cb6652352..6dbfdbae76 100644 +--- a/src/cryptenroll/cryptenroll.c ++++ b/src/cryptenroll/cryptenroll.c +@@ -120,7 +120,7 @@ static int help(void) { + "\n%3$sSimple Enrollment:%4$s\n" + " --password Enroll a user-supplied password\n" + " --recovery-key Enroll a recovery key\n" +- "\n%3$sPKCS11 Enrollment:%4$s\n" ++ "\n%3$sPKCS#11 Enrollment:%4$s\n" + " --pkcs11-token-uri=URI\n" + " Specify PKCS#11 security token URI\n" + "\n%3$sFIDO2 Enrollment:%4$s\n" +-- +2.33.0 + diff --git a/backport-cryptenroll-show-better-log-message-if-slot-to-wipe-.patch b/backport-cryptenroll-show-better-log-message-if-slot-to-wipe-.patch new file mode 100644 index 0000000..270f3e5 --- /dev/null +++ b/backport-cryptenroll-show-better-log-message-if-slot-to-wipe-.patch 
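Review bot: The subject and the diffstat disagree: the subject names cryptenroll, homectl and journalctl, but only `cryptenroll-recovery.c` and `homectl-recovery-key.c` are touched, so the journalctl part of the upstream commit was presumably dropped in this backport. The reason should be recorded in the patch header, for instance in a `Conflict:` line as other patches in this series carry, so a later rebase does not re-add it blindly.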
@@ -0,0 +1,39 @@ +From ade617cf3db3844bcd9cb3beccfc1f978bdf3a94 Mon Sep 17 00:00:00 2001 +From: Antonio Alvarez Feijoo +Date: Tue, 19 Nov 2024 11:26:49 +0100 +Subject: [PATCH 1019/1160] cryptenroll: show better log message if slot to + wipe does not exist + +``` +$ systemd-cryptenroll /dev/vda3 +SLOT TYPE + 0 password +$ systemd-cryptenroll --wipe-slot 1 /dev/vda3 +Failed to wipe slot 1, continuing: No such file or directory +``` + +(cherry picked from commit 2b251491debf9cab695f5f34da9908ca46f085fe) +(cherry picked from commit 4a3d55a032053525ab331e4af6f95ec2dc053ee9) +--- + src/cryptenroll/cryptenroll-wipe.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/src/cryptenroll/cryptenroll-wipe.c b/src/cryptenroll/cryptenroll-wipe.c +index 314ebd3113..26478d1e88 100644 +--- a/src/cryptenroll/cryptenroll-wipe.c ++++ b/src/cryptenroll/cryptenroll-wipe.c +@@ -425,7 +425,10 @@ int wipe_slots(struct crypt_device *cd, + for (size_t i = n_ordered_slots; i > 0; i--) { + r = crypt_keyslot_destroy(cd, ordered_slots[i - 1]); + if (r < 0) { +- log_warning_errno(r, "Failed to wipe slot %i, continuing: %m", ordered_slots[i - 1]); ++ if (r == -ENOENT) ++ log_warning_errno(r, "Failed to wipe non-existent slot %i, continuing.", ordered_slots[i - 1]); ++ else ++ log_warning_errno(r, "Failed to wipe slot %i, continuing: %m", ordered_slots[i - 1]); + if (ret == 0) + ret = r; + } else +-- +2.33.0 + diff --git a/backport-cryptsetup-improve-TPM2-blob-display.patch b/backport-cryptsetup-improve-TPM2-blob-display.patch new file mode 100644 index 0000000..b603a3e --- /dev/null +++ b/backport-cryptsetup-improve-TPM2-blob-display.patch 
@@ -0,0 +1,29 @@
+From eaf934f01f3e1d1aa9794d1f464340ffd15710a5 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Kamil=20Szcz=C4=99k?=
+Date: Tue, 25 Jun 2024 17:44:53 +0200
+Subject: [PATCH 0723/1160] cryptsetup: improve TPM2 blob display
+
+Just a tiny change to fix an eyesore in cryptsetup luksDump display :)
+
+(cherry picked from commit 0828c6a2bf9aa40a6cf5fcb3d5650130c483ac8a)
+(cherry picked from commit 5911f1ec2568805fc820aa96560988f13a11e45e)
+---
+ .../cryptsetup-tokens/cryptsetup-token-systemd-tpm2.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/cryptsetup/cryptsetup-tokens/cryptsetup-token-systemd-tpm2.c b/src/cryptsetup/cryptsetup-tokens/cryptsetup-token-systemd-tpm2.c
+index a76fd1c9b6..c11f37cf00 100644
+--- a/src/cryptsetup/cryptsetup-tokens/cryptsetup-token-systemd-tpm2.c
++++ b/src/cryptsetup/cryptsetup-tokens/cryptsetup-token-systemd-tpm2.c
+@@ -237,7 +237,7 @@ _public_ void cryptsetup_token_dump(
+ crypt_log(cd, "\ttpm2-pubkey:" CRYPT_DUMP_LINE_SEP "%s\n", pubkey_str);
+ crypt_log(cd, "\ttpm2-pubkey-pcrs: %s\n", strna(pubkey_pcrs_str));
+ crypt_log(cd, "\ttpm2-primary-alg: %s\n", strna(tpm2_asym_alg_to_string(primary_alg)));
+- crypt_log(cd, "\ttpm2-blob: %s\n", blob_str);
++ crypt_log(cd, "\ttpm2-blob: %s\n", blob_str);
+ crypt_log(cd, "\ttpm2-policy-hash:" CRYPT_DUMP_LINE_SEP "%s\n", policy_hash_str);
+ crypt_log(cd, "\ttpm2-pin: %s\n", true_false(flags & TPM2_FLAGS_USE_PIN));
+ crypt_log(cd, "\ttpm2-pcrlock: %s\n", true_false(flags & TPM2_FLAGS_USE_PCRLOCK));
+-- 
+2.33.0
+
diff --git a/backport-cryptsetup-tokens-fix-argument-order-mismatch-in-fun.patch b/backport-cryptsetup-tokens-fix-argument-order-mismatch-in-fun.patch
new file mode 100644
index 0000000..c1337e8
--- /dev/null
+++ b/backport-cryptsetup-tokens-fix-argument-order-mismatch-in-fun.patch
@@ -0,0 +1,33 @@
+From 8d5c7428423ddf39ae7d1f94b6f00bfc8213dc80 Mon Sep 17 00:00:00 2001
+From: Antonio Alvarez Feijoo
+Date: Thu, 4 Apr 2024 17:44:52 +0200
+Subject: [PATCH 0488/1160] cryptsetup-tokens: fix argument order mismatch in
+ function
+
+The order of the arguments of the function `acquire_luks2_key()` in
+`luks2-tpm2.h` is wrong, `pcrlock_path` and `pin` are swapped.
+
+Fixes 404aea7815595c1324947ed7f2a7502b17d3cc01
+
+(cherry picked from commit ce18410a54424dd247805a93ebfc515d875f999e)
+---
+ src/cryptsetup/cryptsetup-tokens/luks2-tpm2.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/cryptsetup/cryptsetup-tokens/luks2-tpm2.h b/src/cryptsetup/cryptsetup-tokens/luks2-tpm2.h
+index d84e5a3c3b..8408bab344 100644
+--- a/src/cryptsetup/cryptsetup-tokens/luks2-tpm2.h
++++ b/src/cryptsetup/cryptsetup-tokens/luks2-tpm2.h
+@@ -14,8 +14,8 @@ int acquire_luks2_key(
+ size_t pubkey_size,
+ uint32_t pubkey_pcr_mask,
+ const char *signature_path,
+- const char *pcrlock_path,
+ const char *pin,
++ const char *pcrlock_path,
+ uint16_t primary_alg,
+ const void *key_data,
+ size_t key_data_size,
+-- 
+2.33.0
+
diff --git a/backport-cryptsetup-tokens-fix-pin-asserts.patch b/backport-cryptsetup-tokens-fix-pin-asserts.patch
new file mode 100644
index 0000000..f47ea55
--- /dev/null
+++ b/backport-cryptsetup-tokens-fix-pin-asserts.patch
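Review bot: Swapping `pin` and `pcrlock_path` corrects the declaration, but because both parameters are `const char *` the compiler could not flag the mismatch and will not flag a future one either; any caller written against the wrong header would have passed the PIN where a pcrlock path was expected. Worth confirming, outside this hunk, that the definition in luks2-tpm2.c and every caller now agree on `pin` before `pcrlock_path`, and a comment on the declaration, `/* parameter order must match the definition in luks2-tpm2.c */`, would make the coupling explicit. The rest of acquire_luks2_key()'s prototype lies outside the inner hunk.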
@@ -0,0 +1,95 @@ +From 723a7c8ab5cfc48bfae2f151f3c1d9a145f00b8b Mon Sep 17 00:00:00 2001 +From: Antonio Alvarez Feijoo +Date: Thu, 25 Apr 2024 12:14:25 +0200 +Subject: [PATCH 0568/1160] cryptsetup-tokens: fix pin asserts +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +If a user only presses ENTER when the PIN is requested (without actually typing +the PIN), an assertion is reached and no other unlock method is requested. + +``` +sh-5.2# systemctl status systemd-cryptsetup@cr_root +× systemd-cryptsetup@cr_root.service - Cryptography Setup for cr_root + Loaded: loaded (/etc/crypttab; generated) + Drop-In: /etc/systemd/system/systemd-cryptsetup@.service.d + └─pcr-signature.conf + Active: failed (Result: core-dump) since Thu 2024-04-25 08:44:30 UTC; 10min ago + Docs: man:crypttab(5) + man:systemd-cryptsetup-generator(8) + man:systemd-cryptsetup@.service(8) + Process: 559 ExecStartPre=/usr/bin/pcr-signature.sh (code=exited, status=0/SUCCESS) + Process: 604 ExecStart=/usr/bin/systemd-cryptsetup attach cr_root /dev/disk/by-uuid/a8cbd937-6975-4e61-9120-ce5c03138700 none x-initrd.attach,tpm2-device=auto (code=dumped, signal=ABRT) + Main PID: 604 (code=dumped, signal=ABRT) + CPU: 19ms + +Apr 25 08:44:29 localhost systemd[1]: Starting Cryptography Setup for cr_root... +Apr 25 08:44:30 localhost systemd-cryptsetup[604]: Assertion '!pin || pin_size > 0' failed at src/cryptsetup/cryptsetup-tokens/cryptsetup-token-systemd-tpm2.c:60, function cryptsetup_token_open_pin(). Aborting. +Apr 25 08:44:30 localhost systemd[1]: systemd-cryptsetup@cr_root.service: Main process exited, code=dumped, status=6/ABRT +Apr 25 08:44:30 localhost systemd[1]: systemd-cryptsetup@cr_root.service: Failed with result 'core-dump'. +Apr 25 08:44:30 localhost systemd[1]: Failed to start Cryptography Setup for cr_root. +``` + +In this case, `cryptsetup_token_open_pin()` receives an empty (non-NULL) `pin` +with `pin_size` equals to 0. 
+ +``` +🔐 Please enter LUKS2 token PIN: + +Breakpoint 3, cryptsetup_token_open_pin (cd=0x5555555744c0, token=0, pin=0x5555555b3cc0 "", pin_size=0, ret_password=0x7fffffffd380, + ret_password_len=0x7fffffffd378, usrptr=0x0) at ../src/cryptsetup/cryptsetup-tokens/cryptsetup-token-systemd-tpm2.c:42 +42 void *usrptr /* plugin defined parameter passed to crypt_activate_by_token*() API */) { +(gdb) continue +Assertion '!pin || pin_size > 0' failed at src/cryptsetup/cryptsetup-tokens/cryptsetup-token-systemd-tpm2.c:60, function cryptsetup_token_open_pin(). Aborting. +``` + +(cherry picked from commit 5cef6b5393871a99ad17799197b26da9196f7035) +--- + .../cryptsetup-tokens/cryptsetup-token-systemd-fido2.c | 2 +- + .../cryptsetup-tokens/cryptsetup-token-systemd-pkcs11.c | 2 +- + .../cryptsetup-tokens/cryptsetup-token-systemd-tpm2.c | 2 +- + 3 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/src/cryptsetup/cryptsetup-tokens/cryptsetup-token-systemd-fido2.c b/src/cryptsetup/cryptsetup-tokens/cryptsetup-token-systemd-fido2.c +index fdb3b17d2d..5f9dad6d0c 100644 +--- a/src/cryptsetup/cryptsetup-tokens/cryptsetup-token-systemd-fido2.c ++++ b/src/cryptsetup/cryptsetup-tokens/cryptsetup-token-systemd-fido2.c +@@ -34,7 +34,7 @@ _public_ int cryptsetup_token_open_pin( + const char *json; + _cleanup_(erase_and_freep) char *pin_string = NULL; + +- assert(!pin || pin_size); ++ assert(pin || pin_size == 0); + assert(token >= 0); + + /* This must not fail at this moment (internal error) */ +diff --git a/src/cryptsetup/cryptsetup-tokens/cryptsetup-token-systemd-pkcs11.c b/src/cryptsetup/cryptsetup-tokens/cryptsetup-token-systemd-pkcs11.c +index 2ac8a270c5..44cb30d52c 100644 +--- a/src/cryptsetup/cryptsetup-tokens/cryptsetup-token-systemd-pkcs11.c ++++ b/src/cryptsetup/cryptsetup-tokens/cryptsetup-token-systemd-pkcs11.c +@@ -33,7 +33,7 @@ _public_ int cryptsetup_token_open_pin( + const char *json; + int r; + +- assert(!pin || pin_size); ++ assert(pin || pin_size == 0); + 
assert(token >= 0); + + /* This must not fail at this moment (internal error) */ +diff --git a/src/cryptsetup/cryptsetup-tokens/cryptsetup-token-systemd-tpm2.c b/src/cryptsetup/cryptsetup-tokens/cryptsetup-token-systemd-tpm2.c +index 6fee8319a7..a76fd1c9b6 100644 +--- a/src/cryptsetup/cryptsetup-tokens/cryptsetup-token-systemd-tpm2.c ++++ b/src/cryptsetup/cryptsetup-tokens/cryptsetup-token-systemd-tpm2.c +@@ -57,7 +57,7 @@ _public_ int cryptsetup_token_open_pin( + int r; + + assert(token >= 0); +- assert(!pin || pin_size > 0); ++ assert(pin || pin_size == 0); + assert(ret_password); + assert(ret_password_len); + +-- +2.33.0 + diff --git a/backport-curl-glue-catch-libcurl-attempting-to-change-timeout.patch b/backport-curl-glue-catch-libcurl-attempting-to-change-timeout.patch new file mode 100644 index 0000000..bee6f34 --- /dev/null +++ b/backport-curl-glue-catch-libcurl-attempting-to-change-timeout.patch 
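Review bot: The relaxed assertion `assert(pin || pin_size == 0)` now lets a non-NULL `pin` with `pin_size == 0` into all three `cryptsetup_token_open_pin()` implementations, but none of the hunks shows what happens to that empty PIN afterwards; the code following the assertion is outside the hunks in every file. If, as the commit message suggests, an empty entry is meant to fall back to the remaining unlock methods, that contract belongs at the assertion, e.g. `/* pin may be non-NULL with pin_size == 0 when the user submitted an empty PIN; treat that as "no PIN supplied" below. */`. Otherwise the zero-length string is presumably forwarded to the token's PIN handling as-is, which is worth confirming in each of the three functions.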
@@ -0,0 +1,40 @@ +From 73164d4819afdb3d0870c3d5ce769d1e0a90347a Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Sat, 11 May 2024 13:45:44 +0200 +Subject: [PATCH 0627/1160] curl-glue: catch libcurl attempting to change + timeout handler when we destroy a curl context on exit + +If we destroy both an event loop and a curl contect object at the same +time, then we get into this weird situation where curl wants us to +reconfigure a timout event source right before destruction, which +sd-event will refuse however, since it is already being shutdown. + +Hence, catch that and simply don't bother adjusting the timeout, since +we cannot get back from there anyway. + +(cherry picked from commit c5ecf0949460dd0bf3211db128a385ce6375252e) +--- + src/import/curl-util.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/src/import/curl-util.c b/src/import/curl-util.c +index 94f718de17..b631f4b896 100644 +--- a/src/import/curl-util.c ++++ b/src/import/curl-util.c +@@ -126,6 +126,13 @@ static int curl_glue_timer_callback(CURLM *curl, long timeout_ms, void *userdata + + assert(curl); + ++ /* Don't configure timer anymore when the event loop is dead already. */ ++ if (g->timer) { ++ sd_event *event_loop = sd_event_source_get_event(g->timer); ++ if (event_loop && sd_event_get_state(event_loop) == SD_EVENT_FINISHED) ++ return 0; ++ } ++ + if (timeout_ms < 0) { + if (g->timer) { + if (sd_event_source_set_enabled(g->timer, SD_EVENT_OFF) < 0) +-- +2.33.0 + diff --git a/backport-curl-util-do-not-configure-new-io-event-source-when-.patch b/backport-curl-util-do-not-configure-new-io-event-source-when-.patch new file mode 100644 index 0000000..8c757ac --- /dev/null +++ b/backport-curl-util-do-not-configure-new-io-event-source-when-.patch 
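Review bot: The new guard only fires when `g->timer` already exists; with `g->timer == NULL` on a finished loop the function falls through to the code below the hunk, which presumably creates a new timer source on the dead loop and runs into the sd-event refusal the commit describes. The follow-up in `curl_glue_socket_callback()` (next file) checks the loop directly, and the same form would close the gap here: `if (g->event && sd_event_get_state(g->event) == SD_EVENT_FINISHED) return 0;`. The rest of `curl_glue_timer_callback()` is outside the hunk.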
@@ -0,0 +1,34 @@ +From 5749fc1b29702dffaf5b548df357891d8486376d Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Sun, 24 Nov 2024 01:05:47 +0900 +Subject: [PATCH 1030/1160] curl-util: do not configure new io event source + when the event loop is already dead + +Similar to c5ecf0949460dd0bf3211db128a385ce6375252e, but for io event source. + +Fixes #35322. + +(cherry picked from commit 5b2926d9414f4333153ebe0bf169e1dd76129119) +(cherry picked from commit ce997e944f66da452ed01b86b838508ee132abb7) +--- + src/import/curl-util.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/src/import/curl-util.c b/src/import/curl-util.c +index b631f4b896..f14cee3b71 100644 +--- a/src/import/curl-util.c ++++ b/src/import/curl-util.c +@@ -67,6 +67,10 @@ static int curl_glue_socket_callback(CURL *curl, curl_socket_t s, int action, vo + return 0; + } + ++ /* Don't configure io event source anymore when the event loop is dead already. */ ++ if (g->event && sd_event_get_state(g->event) == SD_EVENT_FINISHED) ++ return 0; ++ + r = hashmap_ensure_allocated(&g->ios, &trivial_hash_ops); + if (r < 0) { + log_oom(); +-- +2.33.0 + diff --git a/backport-data-fd-util-Fixup-header.patch b/backport-data-fd-util-Fixup-header.patch new file mode 100644 index 0000000..7920cb6 --- /dev/null +++ b/backport-data-fd-util-Fixup-header.patch 
@@ -0,0 +1,28 @@
+From edd67cc9488fc986d8e21f11bfcd9c27179bd213 Mon Sep 17 00:00:00 2001
+From: Adrian Vovk
+Date: Mon, 11 Mar 2024 12:23:06 -0400
+Subject: [PATCH 0446/1160] data-fd-util: Fixup header
+
+inttypes.h doesn't define size_t
+
+(cherry picked from commit 58d061b5aafc72c3b7593c07717ced05bc9e2d17)
+---
+ src/shared/data-fd-util.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/shared/data-fd-util.h b/src/shared/data-fd-util.h
+index 4f3d8b8e74..6d99209421 100644
+--- a/src/shared/data-fd-util.h
++++ b/src/shared/data-fd-util.h
+@@ -1,7 +1,7 @@
+ /* SPDX-License-Identifier: LGPL-2.1-or-later */
+ #pragma once
+
+-#include
++#include
+
+ enum {
+ ACQUIRE_NO_DEV_NULL = 1 << 0,
+--
+2.33.0
+
diff --git a/backport-dbus-log-disconnect-on-api-and-system-busses.patch b/backport-dbus-log-disconnect-on-api-and-system-busses.patch
new file mode 100644
index 0000000..8ab5fc8
--- /dev/null
+++ b/backport-dbus-log-disconnect-on-api-and-system-busses.patch
@@ -0,0 +1,40 @@ +From d0684dfb9fcd81a1db9426204b44097724487225 Mon Sep 17 00:00:00 2001 +From: Ronan Pigott +Date: Thu, 28 Nov 2024 12:51:38 -0700 +Subject: [PATCH 1055/1160] dbus: log disconnect on api and system busses + +This is an interesting event. Let's log about it. + +(cherry picked from commit 11ee1bab60abde67cd0edc470c93c1afe10d975d) +(cherry picked from commit c189ecc7fe5039d98bbb448ab45ab0fa3842b3a3) +(cherry picked from commit 7054f66e6cd35c3fe68f3a9ba328d20e3813f4eb) +--- + src/core/dbus.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/src/core/dbus.c b/src/core/dbus.c +index ba2cec4d77..b08e97f2e0 100644 +--- a/src/core/dbus.c ++++ b/src/core/dbus.c +@@ -131,10 +131,16 @@ static int signal_disconnected(sd_bus_message *message, void *userdata, sd_bus_e + assert(message); + assert_se(bus = sd_bus_message_get_bus(message)); + +- if (bus == m->api_bus) ++ if (bus == m->api_bus) { ++ log_notice("Got disconnect on API bus."); + bus_done_api(m); +- if (bus == m->system_bus) ++ } ++ if (bus == m->system_bus) { ++ /* If we are the system manager, this is already logged by the API bus. */ ++ if (!MANAGER_IS_SYSTEM(m)) ++ log_notice("Got disconnect on system bus."); + bus_done_system(m); ++ } + + if (set_remove(m->private_buses, bus)) { + log_debug("Got disconnect on private connection."); +-- +2.33.0 + diff --git a/backport-detect-virt-allow-detection-via-device-tree-on-RISC-.patch b/backport-detect-virt-allow-detection-via-device-tree-on-RISC-.patch new file mode 100644 index 0000000..ba90012 --- /dev/null +++ b/backport-detect-virt-allow-detection-via-device-tree-on-RISC-.patch 
@@ -0,0 +1,28 @@
+From db00f6db94552251d80c8c975b60e019948a9db7 Mon Sep 17 00:00:00 2001
+From: Heinrich Schuchardt
+Date: Fri, 23 Feb 2024 17:25:59 +0100
+Subject: [PATCH 0332/1160] detect-virt: allow detection via device-tree on
+ RISC-V
+
+Signed-off-by: Heinrich Schuchardt
+(cherry picked from commit 819874adc07f2996c899f80f63207c4b15919b75)
+---
+ src/basic/virt.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/basic/virt.c b/src/basic/virt.c
+index 1109f83f80..26c8ac6531 100644
+--- a/src/basic/virt.c
++++ b/src/basic/virt.c
+@@ -97,7 +97,7 @@ static Virtualization detect_vm_cpuid(void) {
+ }
+
+ static Virtualization detect_vm_device_tree(void) {
+-#if defined(__arm__) || defined(__aarch64__) || defined(__powerpc__) || defined(__powerpc64__)
++#if defined(__arm__) || defined(__aarch64__) || defined(__powerpc__) || defined(__powerpc64__) || defined(__riscv)
+ _cleanup_free_ char *hvtype = NULL;
+ int r;
+
+--
+2.33.0
+
diff --git a/backport-detect-virt-fix-Google-Compute-Engine-support.patch b/backport-detect-virt-fix-Google-Compute-Engine-support.patch
new file mode 100644
index 0000000..f3e6d2d
--- /dev/null
+++ b/backport-detect-virt-fix-Google-Compute-Engine-support.patch
@@ -0,0 +1,38 @@ +From 8363e23a2f7482f8cfc33d8e1c99eb939083b609 Mon Sep 17 00:00:00 2001 +From: mille-feuille +Date: Thu, 8 Feb 2024 23:47:24 +0900 +Subject: [PATCH 0294/1160] detect-virt: fix Google Compute Engine support + +Follow-up for 9b0688f491674b53ef7a52bdf561a430c53673d6 + +(cherry picked from commit baa90b4b81da6fd28b2fe7f4f37c8c546881f3a0) +--- + src/basic/virt.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/src/basic/virt.c b/src/basic/virt.c +index e6c95fdae7..1109f83f80 100644 +--- a/src/basic/virt.c ++++ b/src/basic/virt.c +@@ -454,7 +454,7 @@ Virtualization detect_vm(void) { + + /* We have to use the correct order here: + * +- * → First, try to detect Oracle Virtualbox, Amazon EC2 Nitro, and Parallels, even if they use KVM, ++ * → First, try to detect Oracle Virtualbox, Amazon EC2 Nitro, Parallels, and Google Compute Engine, even if they use KVM, + * as well as Xen even if it cloaks as Microsoft Hyper-V. Attempt to detect uml at this stage also + * since it runs as a user-process nested inside other VMs. Also check for Xen now, because Xen PV + * mode does not override CPUID when nested inside another hypervisor. +@@ -469,7 +469,8 @@ Virtualization detect_vm(void) { + VIRTUALIZATION_ORACLE, + VIRTUALIZATION_XEN, + VIRTUALIZATION_AMAZON, +- VIRTUALIZATION_PARALLELS)) { ++ VIRTUALIZATION_PARALLELS, ++ VIRTUALIZATION_GOOGLE)) { + v = dmi; + goto finish; + } +-- +2.33.0 + diff --git a/backport-dhcp-option-refuse-control-and-non-UTF8-characters-i.patch b/backport-dhcp-option-refuse-control-and-non-UTF8-characters-i.patch new file mode 100644 index 0000000..d32023d --- /dev/null +++ b/backport-dhcp-option-refuse-control-and-non-UTF8-characters-i.patch 
@@ -0,0 +1,96 @@ +From d3f79de70aa8956db4cb7c0fa6885d258dd0f231 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Tue, 12 Mar 2024 01:32:03 +0900 +Subject: [PATCH 0336/1160] dhcp-option: refuse control and non-UTF8 characters + in string option + +We oftem save parsed DHCP options into a file, or expose them +through DBus or Varlink. In such case, control characters or non-UTF8 +characters may cause many kind of unexpected errors. In general, a DHCP +message that have string options with spurious characters is mostly +malformed or broken. Let's refuse them. + +This also makes dhcp_option_parse_string() do not free 'ret' argument, +to follow our usual coding style. So, callers now need to free the +pre-exisitng string if necessary. + +Fixes #31708. + +(cherry picked from commit fa3357b9e8d9d7a486902d0b6d4b4015fc10aac0) +--- + src/libsystemd-network/dhcp-option.c | 26 +++++++++++++------------- + src/libsystemd-network/sd-dhcp-lease.c | 10 +++++++--- + 2 files changed, 20 insertions(+), 16 deletions(-) + +diff --git a/src/libsystemd-network/dhcp-option.c b/src/libsystemd-network/dhcp-option.c +index 5e216c5139..8f4e8f3a1e 100644 +--- a/src/libsystemd-network/dhcp-option.c ++++ b/src/libsystemd-network/dhcp-option.c +@@ -396,27 +396,27 @@ int dhcp_option_parse(DHCPMessage *message, size_t len, dhcp_option_callback_t c + } + + int dhcp_option_parse_string(const uint8_t *option, size_t len, char **ret) { ++ _cleanup_free_ char *string = NULL; + int r; + + assert(option); + assert(ret); + +- if (len <= 0) +- *ret = mfree(*ret); +- else { +- char *string; ++ if (len <= 0) { ++ *ret = NULL; ++ return 0; ++ } + +- /* +- * One trailing NUL byte is OK, we don't mind. See: +- * https://github.com/systemd/systemd/issues/1337 +- */ +- r = make_cstring((const char *) option, len, MAKE_CSTRING_ALLOW_TRAILING_NUL, &string); +- if (r < 0) +- return r; ++ /* One trailing NUL byte is OK, we don't mind. 
See: ++ * https://github.com/systemd/systemd/issues/1337 */ ++ r = make_cstring((const char *) option, len, MAKE_CSTRING_ALLOW_TRAILING_NUL, &string); ++ if (r < 0) ++ return r; + +- free_and_replace(*ret, string); +- } ++ if (!string_is_safe(string) || !utf8_is_valid(string)) ++ return -EINVAL; + ++ *ret = TAKE_PTR(string); + return 0; + } + +diff --git a/src/libsystemd-network/sd-dhcp-lease.c b/src/libsystemd-network/sd-dhcp-lease.c +index 4e3be98a33..202d75f93f 100644 +--- a/src/libsystemd-network/sd-dhcp-lease.c ++++ b/src/libsystemd-network/sd-dhcp-lease.c +@@ -833,12 +833,16 @@ int dhcp_lease_parse_options(uint8_t code, uint8_t len, const void *option, void + + break; + +- case SD_DHCP_OPTION_ROOT_PATH: +- r = dhcp_option_parse_string(option, len, &lease->root_path); ++ case SD_DHCP_OPTION_ROOT_PATH: { ++ _cleanup_free_ char *p = NULL; ++ ++ r = dhcp_option_parse_string(option, len, &p); + if (r < 0) + log_debug_errno(r, "Failed to parse root path, ignoring: %m"); +- break; + ++ free_and_replace(lease->root_path, p); ++ break; ++ } + case SD_DHCP_OPTION_RENEWAL_TIME: + r = lease_parse_be32_seconds(option, len, /* max_as_infinity = */ true, &lease->t1); + if (r < 0) +-- +2.33.0 + diff --git a/backport-discover-image-also-update-Image.limit-in-image_set_.patch b/backport-discover-image-also-update-Image.limit-in-image_set_.patch new file mode 100644 index 0000000..1cceb8a --- /dev/null +++ b/backport-discover-image-also-update-Image.limit-in-image_set_.patch 
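Review bot: The `SD_DHCP_OPTION_ROOT_PATH` case in sd-dhcp-lease.c logs "Failed to parse root path, ignoring" but no longer breaks on error: `p` is still NULL, so the following `free_and_replace(lease->root_path, p)` discards whatever root path the lease already held, which the old code left untouched on a parse failure. Either `break` before the replace when `r < 0`, or reword the message, since "ignoring" implies the previous value survives. The `len <= 0` test on a `size_t` can only ever be `len == 0` and reads clearer written that way. Rejecting control and non-UTF-8 characters before the value reaches lease files, D-Bus and Varlink is the right place for the check; the commit message says callers must now free a pre-populated `*ret` themselves, and the diffstat shows only this one call site updated, so any other caller of `dhcp_option_parse_string()` that passes an already-set pointer would now leak it.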
@@ -0,0 +1,110 @@ +From a2349e8ce6b511f24b2ecea58be5ada820a41058 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Sat, 18 May 2024 05:46:24 +0900 +Subject: [PATCH 0652/1160] discover-image: also update Image.limit in + image_set_limit() + +Same as the previous commit, but for SetLimit DBus method vs Limit +property and friends. + +(cherry picked from commit 96ac6d3fccfe84eeda806da3d132a1374f8b5216) +--- + src/shared/discover-image.c | 61 ++++++++++++++++++++++++++++--------- + 1 file changed, 47 insertions(+), 14 deletions(-) + +diff --git a/src/shared/discover-image.c b/src/shared/discover-image.c +index 8799fdae8f..9413637162 100644 +--- a/src/shared/discover-image.c ++++ b/src/shared/discover-image.c +@@ -246,6 +246,44 @@ static int extract_pretty( + return 0; + } + ++static int image_update_quota(Image *i, int fd) { ++ _cleanup_close_ int fd_close = -EBADF; ++ int r; ++ ++ assert(i); ++ ++ if (IMAGE_IS_VENDOR(i) || IMAGE_IS_HOST(i)) ++ return -EROFS; ++ ++ if (i->type != IMAGE_SUBVOLUME) ++ return -EOPNOTSUPP; ++ ++ if (fd < 0) { ++ fd_close = open(i->path, O_CLOEXEC|O_NOCTTY|O_DIRECTORY); ++ if (fd_close < 0) ++ return -errno; ++ fd = fd_close; ++ } ++ ++ r = btrfs_quota_scan_ongoing(fd); ++ if (r < 0) ++ return r; ++ if (r > 0) ++ return 0; ++ ++ BtrfsQuotaInfo quota; ++ r = btrfs_subvol_get_subtree_quota_fd(fd, 0, "a); ++ if (r < 0) ++ return r; ++ ++ i->usage = quota.referenced; ++ i->usage_exclusive = quota.exclusive; ++ i->limit = quota.referenced_max; ++ i->limit_exclusive = quota.exclusive_max; ++ ++ return 1; ++} ++ + static int image_make( + ImageClass c, + const char *pretty, +@@ -334,19 +372,7 @@ static int image_make( + if (r < 0) + return r; + +- if (btrfs_quota_scan_ongoing(fd) == 0) { +- BtrfsQuotaInfo quota; +- +- r = btrfs_subvol_get_subtree_quota_fd(fd, 0, "a); +- if (r >= 0) { +- (*ret)->usage = quota.referenced; +- (*ret)->usage_exclusive = quota.exclusive; +- +- (*ret)->limit = quota.referenced_max; +- (*ret)->limit_exclusive = 
quota.exclusive_max; +- } +- } +- ++ (void) image_update_quota(*ret, fd); + return 0; + } + } +@@ -1155,6 +1181,8 @@ int image_path_lock(const char *path, int operation, LockFile *global, LockFile + } + + int image_set_limit(Image *i, uint64_t referenced_max) { ++ int r; ++ + assert(i); + + if (IMAGE_IS_VENDOR(i) || IMAGE_IS_HOST(i)) +@@ -1170,7 +1198,12 @@ int image_set_limit(Image *i, uint64_t referenced_max) { + + (void) btrfs_qgroup_set_limit(i->path, 0, referenced_max); + (void) btrfs_subvol_auto_qgroup(i->path, 0, true); +- return btrfs_subvol_set_subtree_quota_limit(i->path, 0, referenced_max); ++ r = btrfs_subvol_set_subtree_quota_limit(i->path, 0, referenced_max); ++ if (r < 0) ++ return r; ++ ++ (void) image_update_quota(i, -EBADF); ++ return 0; + } + + int image_read_metadata(Image *i, const ImagePolicy *image_policy) { +-- +2.33.0 + diff --git a/backport-discover-image-don-t-accidentally-set-run-systemd-ns.patch b/backport-discover-image-don-t-accidentally-set-run-systemd-ns.patch new file mode 100644 index 0000000..134a3fe --- /dev/null +++ b/backport-discover-image-don-t-accidentally-set-run-systemd-ns.patch 
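Review bot: `image_update_quota()` returns `-EROFS` for `IMAGE_IS_VENDOR`/`IMAGE_IS_HOST` images before reading anything, yet `image_make()` now calls it in place of the old unconditional quota read, so `usage`, `usage_exclusive`, `limit` and `limit_exclusive` stay unset for vendor and host subvolume images where they used to be filled. The read-only test belongs to modifying quotas, and `image_set_limit()` already performs it, so the helper could drop the vendor/host check and keep only the `IMAGE_SUBVOLUME` check. A header comment on the helper, e.g. `/* Refresh the usage/limit fields from btrfs qgroup data; returns 0 if a quota scan is still running, 1 once the fields were updated. */`, would also document the 0/1 return that both callers currently `(void)`.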
@@ -0,0 +1,62 @@ +From 0e3843242f629bb2c83f9b68641b98b2ff490fdf Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Fri, 5 Jan 2024 22:20:32 +0100 +Subject: [PATCH 0133/1160] discover-image: don't accidentally set + /run/systemd/nspawn/ access mode too strict + +mkdir_p() uses the specified access mode for all dirs that are missing, +hence if we call it on /run/systemd/nspawn/locking and +/run/systemd/nspawn/ doesn't exist yet, we#d create it 0700 here. But +that was never the intention, and all other code creating that dir sets +the mode to 0755. Fix this here to match the rest. + +(cherry picked from commit 8759bc9541800a1f7faff04e2f5710d9c731a446) +--- + src/shared/discover-image.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/src/shared/discover-image.c b/src/shared/discover-image.c +index 348880cac8..e8f4dfbf4e 100644 +--- a/src/shared/discover-image.c ++++ b/src/shared/discover-image.c +@@ -1059,6 +1059,11 @@ int image_read_only(Image *i, bool b) { + return 0; + } + ++static void make_lock_dir(void) { ++ (void) mkdir_p("/run/systemd/nspawn", 0755); ++ (void) mkdir("/run/systemd/nspawn/locks", 0700); ++} ++ + int image_path_lock(const char *path, int operation, LockFile *global, LockFile *local) { + _cleanup_free_ char *p = NULL; + LockFile t = LOCK_FILE_INIT; +@@ -1134,7 +1139,7 @@ int image_path_lock(const char *path, int operation, LockFile *global, LockFile + } + + if (p) { +- (void) mkdir_p("/run/systemd/nspawn/locks", 0700); ++ make_lock_dir(); + + r = make_lock_file(p, operation, global); + if (r < 0) { +@@ -1309,7 +1314,7 @@ int image_name_lock(const char *name, int operation, LockFile *ret) { + return 0; + } + +- (void) mkdir_p("/run/systemd/nspawn/locks", 0700); ++ make_lock_dir(); + + p = strjoina("/run/systemd/nspawn/locks/name-", name); + return make_lock_file(p, operation, ret); +@@ -1347,7 +1352,6 @@ bool image_in_search_path( + /* Accept trailing slashes */ + if (p[strspn(p, "/")] == 0) + return true; 
+- + } + + return false; +-- +2.33.0 + diff --git a/backport-discover-image-update-Image.read_only-flag-in-image_.patch b/backport-discover-image-update-Image.read_only-flag-in-image_.patch new file mode 100644 index 0000000..bf6df0e --- /dev/null +++ b/backport-discover-image-update-Image.read_only-flag-in-image_.patch @@ -0,0 +1,30 @@ +From c16f4aaf6588238b979bbab74e0327c736eb16f6 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Sat, 18 May 2024 05:10:42 +0900 +Subject: [PATCH 0651/1160] discover-image: update Image.read_only flag in + image_read_only() + +Otherwise, ReadOnly DBus property in org.freedesktop.machine1.Image or +org.freedesktop.portable1.Image will not be updated by MarkReadOnly DBus +method. + +(cherry picked from commit 608c321f232105966e509265c13ae061c03b9f77) +--- + src/shared/discover-image.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/shared/discover-image.c b/src/shared/discover-image.c +index e8f4dfbf4e..8799fdae8f 100644 +--- a/src/shared/discover-image.c ++++ b/src/shared/discover-image.c +@@ -1056,6 +1056,7 @@ int image_read_only(Image *i, bool b) { + return -EOPNOTSUPP; + } + ++ i->read_only = b; + return 0; + } + +-- +2.33.0 + diff --git a/backport-dissect-fix-log_debug_errno-assert-due-to-r-0.patch b/backport-dissect-fix-log_debug_errno-assert-due-to-r-0.patch new file mode 100644 index 0000000..5be8f8b --- /dev/null +++ b/backport-dissect-fix-log_debug_errno-assert-due-to-r-0.patch 
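Review bot: `make_lock_dir()` carries no comment explaining why the parent is created 0755 with `mkdir_p()` while `locks/` gets a plain `mkdir()` at 0700, which is the whole reason the helper exists and is currently recorded only in the commit message. Suggest `/* /run/systemd/nspawn/ is created 0755 by the other code paths that make it; only locks/ is private, hence mkdir_p() for the parent and a single mkdir() for the leaf. */`. Both results are deliberately discarded, so a pre-existing /run/systemd/nspawn/ with a different mode is left as it is, which looks intended but is worth stating in the same comment.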
@@ -0,0 +1,30 @@
+From 72f68ecd83abc7d21938c5c598014764e0e5eedf Mon Sep 17 00:00:00 2001
+From: Luca Boccassi
+Date: Mon, 17 Feb 2025 01:04:33 +0000
+Subject: [PATCH 1125/1160] dissect: fix log_debug_errno assert due to r=0
+
+systemd-dissect[612]: Assertion '(_error) != 0' failed at src/shared/dissect-image.c:3436, function dissected_image_load_verity_sig_partition(). Aborting.
+
+(cherry picked from commit 135640c140ba32915b97d23e8d6c1cc3fd6c6a2a)
+(cherry picked from commit e58924ea6d1274928c3fb7d3e08a520ad16c32fd)
+(cherry picked from commit ac6039f4ba3775595c98fb84eee5e94cef978632)
+---
+ src/shared/dissect-image.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/shared/dissect-image.c b/src/shared/dissect-image.c
+index b198dec164..29b441d3f8 100644
+--- a/src/shared/dissect-image.c
++++ b/src/shared/dissect-image.c
+@@ -3337,7 +3337,7 @@ int dissected_image_load_verity_sig_partition(
+ a = hexmem(root_hash, root_hash_size);
+ b = hexmem(verity->root_hash, verity->root_hash_size);
+
+- return log_debug_errno(r, "Root hash in signature JSON data (%s) doesn't match configured hash (%s).", strna(a), strna(b));
++ return log_debug_errno(SYNTHETIC_ERRNO(EINVAL), "Root hash in signature JSON data (%s) doesn't match configured hash (%s).", strna(a), strna(b));
+ }
+
+ sig = json_variant_by_key(v, "signature");
+--
+2.33.0
+
diff --git a/backport-dissect-fix-memory-leak.patch b/backport-dissect-fix-memory-leak.patch
new file mode 100644
index 0000000..5a6076e
--- /dev/null
+++ b/backport-dissect-fix-memory-leak.patch
@@ -0,0 +1,34 @@
+From 320082abb1e17bc2a74d16f2124ebedf0c807e1a Mon Sep 17 00:00:00 2001
+From: Antonio Alvarez Feijoo
+Date: Tue, 26 Mar 2024 14:53:44 +0100
+Subject: [PATCH 0538/1160] dissect: fix memory leak
+
+(cherry picked from commit dde1931b061e979409726f14b7135ff338741035)
+---
+ src/dissect/dissect.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/dissect/dissect.c b/src/dissect/dissect.c
+index 92432b6fed..c858e6ae03 100644
+--- a/src/dissect/dissect.c
++++ b/src/dissect/dissect.c
+@@ -85,7 +85,7 @@ static bool arg_rmdir = false;
+ static bool arg_in_memory = false;
+ static char **arg_argv = NULL;
+ static char *arg_loop_ref = NULL;
+-static ImagePolicy* arg_image_policy = NULL;
++static ImagePolicy *arg_image_policy = NULL;
+ static bool arg_mtree_hash = true;
+
+ STATIC_DESTRUCTOR_REGISTER(arg_image, freep);
+@@ -94,6 +94,7 @@ STATIC_DESTRUCTOR_REGISTER(arg_path, freep);
+ STATIC_DESTRUCTOR_REGISTER(arg_verity_settings, verity_settings_done);
+ STATIC_DESTRUCTOR_REGISTER(arg_argv, strv_freep);
+ STATIC_DESTRUCTOR_REGISTER(arg_loop_ref, freep);
++STATIC_DESTRUCTOR_REGISTER(arg_image_policy, image_policy_freep);
+
+ static int help(void) {
+ _cleanup_free_ char *link = NULL;
+--
+2.33.0
+
diff --git a/backport-dissect-image-don-t-try-to-validate-an-extension-rel.patch b/backport-dissect-image-don-t-try-to-validate-an-extension-rel.patch
new file mode 100644
index 0000000..cc75a27
--- /dev/null
+++ b/backport-dissect-image-don-t-try-to-validate-an-extension-rel.patch
@@ -0,0 +1,52 @@ +From 1c7df1e8e5b45704f51b7c2319f9eb83c0ba6d6f Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Mon, 4 Dec 2023 18:20:36 +0100 +Subject: [PATCH 0064/1160] dissect-image: don't try to validate an extension + release file with no image name +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Otherwise we might validate the OS release file instead… + +(cherry picked from commit a8e8bcfb7dbe53158c30b236e66814b32a6b748b) +--- + src/shared/dissect-image.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/src/shared/dissect-image.c b/src/shared/dissect-image.c +index fda52fed85..120e900207 100644 +--- a/src/shared/dissect-image.c ++++ b/src/shared/dissect-image.c +@@ -2179,7 +2179,7 @@ int dissected_image_mount( + if (r > 0) + ok = true; + } +- if (!ok && FLAGS_SET(flags, DISSECT_IMAGE_VALIDATE_OS_EXT)) { ++ if (!ok && FLAGS_SET(flags, DISSECT_IMAGE_VALIDATE_OS_EXT) && m->image_name) { + r = extension_has_forbidden_content(where); + if (r < 0) + return r; +@@ -3443,6 +3443,9 @@ int dissected_image_acquire_metadata(DissectedImage *m, DissectImageFlags extra_ + switch (k) { + + case META_SYSEXT_RELEASE: ++ if (!m->image_name) ++ goto next; ++ + /* As per the os-release spec, if the image is an extension it will have a + * file named after the image name in extension-release.d/ - we use the image + * name and try to resolve it with the extension-release helpers, as +@@ -3463,6 +3466,9 @@ int dissected_image_acquire_metadata(DissectedImage *m, DissectImageFlags extra_ + break; + + case META_CONFEXT_RELEASE: ++ if (!m->image_name) ++ goto next; ++ + /* As above */ + r = open_extension_release( + t, +-- +2.33.0 + diff --git a/backport-dissect-image-fix-fd-leak-in-dissected_image_acquire.patch b/backport-dissect-image-fix-fd-leak-in-dissected_image_acquire.patch new file mode 100644 index 0000000..4b5b058 --- /dev/null 
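Review bot: With the added `&& m->image_name` condition in `dissected_image_mount()`, a caller that set `DISSECT_IMAGE_VALIDATE_OS_EXT` gets no extension validation at all when the image has no name, and the skip is silent; since the flag is an explicit request to validate, this is better surfaced, e.g. an `else if (!ok && FLAGS_SET(flags, DISSECT_IMAGE_VALIDATE_OS_EXT)) log_debug("Image has no name, skipping extension-release validation.");` after the block, or an error return if nameless extension images are not acceptable for that caller. The two `goto next` additions in `dissected_image_acquire_metadata()` skip silently in the same way, but there not loading a release file is a reasonable outcome and a comment such as `/* No image name, so no extension-release.d/ entry to look up */` would suffice. Both functions extend beyond the hunks.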
+++ b/backport-dissect-image-fix-fd-leak-in-dissected_image_acquire.patch @@ -0,0 +1,57 @@ +From f6cf899f1ed55f9ed140f1a4b57d6e27b973854b Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Mon, 4 Dec 2023 18:21:23 +0100 +Subject: [PATCH 0065/1160] dissect-image: fix fd leak in + dissected_image_acquire_metadata() + +We have to go through the "finish" label to properly close all pipes in +the error path, so that we don't leak them. + +(cherry picked from commit 8d5e61db432932faa5b2d8531ab804bb4da4791d) +--- + src/shared/dissect-image.c | 27 +++++++++++++++++---------- + 1 file changed, 17 insertions(+), 10 deletions(-) + +diff --git a/src/shared/dissect-image.c b/src/shared/dissect-image.c +index 120e900207..84cfbcde87 100644 +--- a/src/shared/dissect-image.c ++++ b/src/shared/dissect-image.c +@@ -3634,18 +3634,25 @@ int dissected_image_acquire_metadata(DissectedImage *m, DissectImageFlags extra_ + r = wait_for_terminate_and_check("(sd-dissect)", child, 0); + child = 0; + if (r < 0) +- return r; ++ goto finish; + + n = read(error_pipe[0], &v, sizeof(v)); +- if (n < 0) +- return -errno; +- if (n == sizeof(v)) +- return v; /* propagate error sent to us from child */ +- if (n != 0) +- return -EIO; +- +- if (r != EXIT_SUCCESS) +- return -EPROTO; ++ if (n < 0) { ++ r = -errno; ++ goto finish; ++ } ++ if (n == sizeof(v)) { ++ r = v; /* propagate error sent to us from child */ ++ goto finish; ++ } ++ if (n != 0) { ++ r = -EIO; ++ goto finish; ++ } ++ if (r != EXIT_SUCCESS) { ++ r = -EPROTO; ++ goto finish; ++ } + + free_and_replace(m->hostname, hostname); + m->machine_id = machine_id; +-- +2.33.0 + diff --git a/backport-dissect-image-generate-better-log-message-for-EUCLEA.patch b/backport-dissect-image-generate-better-log-message-for-EUCLEA.patch new file mode 100644 index 0000000..b58daa6 --- /dev/null +++ b/backport-dissect-image-generate-better-log-message-for-EUCLEA.patch 
@@ -0,0 +1,41 @@
+From 0c919ea9ce0f057a604e95090e3820162efb5a19 Mon Sep 17 00:00:00 2001
+From: Lennart Poettering
+Date: Fri, 18 Oct 2024 14:16:53 +0200
+Subject: [PATCH 0960/1160] dissect-image: generate better log message for
+ EUCLEAN dissect error
+
+Fixes: #31799
+(cherry picked from commit 2186334e00acba6e6c1a4564bce60474eecfbf16)
+(cherry picked from commit 452cfd91fe07792775f4eccad813e148f96d4a86)
+---
+ src/shared/dissect-image.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/src/shared/dissect-image.c b/src/shared/dissect-image.c
+index 685d8c0368..b198dec164 100644
+--- a/src/shared/dissect-image.c
++++ b/src/shared/dissect-image.c
+@@ -677,7 +677,9 @@ static int dissect_image(
+ * Returns -ERFKILL if image doesn't match image policy
+ * Returns -EBADR if verity data was provided externally for an image that has a GPT partition table (i.e. is not just a naked fs)
+ * Returns -EPROTONOSUPPORT if DISSECT_IMAGE_ADD_PARTITION_DEVICES is set but the block device does not have partition logic enabled
+- * Returns -ENOMSG if we didn't find a single usable partition (and DISSECT_IMAGE_REFUSE_EMPTY is set) */
++ * Returns -ENOMSG if we didn't find a single usable partition (and DISSECT_IMAGE_REFUSE_EMPTY is set)
++ * Returns -EUCLEAN if some file system had an ambiguous file system superblock signature
++ */
+
+ uint64_t diskseq = m->loop ? m->loop->diskseq : 0;
+
+@@ -1627,6 +1629,9 @@ int dissect_log_error(int log_level, int r, const char *name, const VeritySettin
+ case -ENOMSG:
+ return log_full_errno(log_level, r, "%s: No suitable partitions found.", name);
+
++ case -EUCLEAN:
++ return log_full_errno(log_level, r, "%s: Partition with ambiguous file system superblock signature found.", name);
++
+ default:
+ return log_full_errno(log_level, r, "%s: Cannot dissect image: %m", name);
+ }
+--
+2.33.0
+
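Review bot: The new return-code line in dissect_image()'s header comment says "some file system", while the matching log message added to dissect_log_error() talks about a partition; aligning the two makes a log line easy to trace back to the documented error. Suggest `* Returns -EUCLEAN if a partition's file system has an ambiguous superblock signature` for the comment line. Both enclosing functions start and end outside the hunk.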
diff --git a/backport-dissect-image-handle-continue-event-in-metadata-acqu.patch b/backport-dissect-image-handle-continue-event-in-metadata-acqu.patch new file mode 100644 index 0000000..3cb08d6 --- /dev/null +++ b/backport-dissect-image-handle-continue-event-in-metadata-acqu.patch @@ -0,0 +1,47 @@ +From 1cda778cb380bd94973591417fcce4b4d15a32a4 Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Mon, 4 Dec 2023 18:19:27 +0100 +Subject: [PATCH 0063/1160] dissect-image: handle 'continue' event in metadata + acquisition uniformly + +Let's jump to the same label in all cases, that closes the associated +pipe, systematically. + +(cherry picked from commit 29b4db7ede36ecba27b417e8d3e834ebacd36e89) +--- + src/shared/dissect-image.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/src/shared/dissect-image.c b/src/shared/dissect-image.c +index 2687eafaf6..fda52fed85 100644 +--- a/src/shared/dissect-image.c ++++ b/src/shared/dissect-image.c +@@ -3498,7 +3498,7 @@ int dissected_image_acquire_metadata(DissectedImage *m, DissectImageFlags extra_ + if (r < 0) + goto inner_fail; + +- continue; ++ goto next; + } + + default: +@@ -3511,14 +3511,14 @@ int dissected_image_acquire_metadata(DissectedImage *m, DissectImageFlags extra_ + + if (fd < 0) { + log_debug_errno(fd, "Failed to read %s file of image, ignoring: %m", paths[k]); +- fds[2*k+1] = safe_close(fds[2*k+1]); +- continue; ++ goto next; + } + + r = copy_bytes(fd, fds[2*k+1], UINT64_MAX, 0); + if (r < 0) + goto inner_fail; + ++ next: + fds[2*k+1] = safe_close(fds[2*k+1]); + } + +-- +2.33.0 + diff --git a/backport-dissect-image-move-comment-to-right-place.patch b/backport-dissect-image-move-comment-to-right-place.patch new file mode 100644 index 0000000..795184b --- /dev/null +++ b/backport-dissect-image-move-comment-to-right-place.patch 
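Review bot: The new `next:` label shares the for-loop body scope with the two `goto next` sites, which now jump forward over the `copy_bytes()` call and anything declared between them; with systemd's `_cleanup_` locals, a forward jump past such a declaration may run the cleanup handler on an uninitialised pointer, and compilers do not reliably diagnose it. The lines between the `default:` branch and the label are not in the hunk, so this is a request to confirm that no `_cleanup_`-annotated variable is declared in that stretch; if one is, moving its declaration above the switch is enough. dissected_image_acquire_metadata() starts and ends outside the hunk.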
@@ -0,0 +1,36 @@
+From 09dab16e3983ae28469be28671916eee41a1a3fd Mon Sep 17 00:00:00 2001
+From: Lennart Poettering
+Date: Mon, 4 Dec 2023 18:28:45 +0100
+Subject: [PATCH 0066/1160] dissect-image: move comment to right place
+
+The image name is extracted from the image path originally passed in,
+i.e. not the contents of the image. And the image UUID is directly
+retrieved from the partition table, hence also not from the contents.
+Let's hence move the comment to separate out the stuff extract from the
+file systems (and thus only available when mounting/with privs/with
+block devices) from the data available without any of that.
+
+(cherry picked from commit 3f8229fbb069c39d2082a0f49f07ddbce61c7b75)
+---
+ src/shared/dissect-image.h | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/shared/dissect-image.h b/src/shared/dissect-image.h
+index 979fd384fe..15c0bf7219 100644
+--- a/src/shared/dissect-image.h
++++ b/src/shared/dissect-image.h
+@@ -103,9 +103,10 @@ struct DissectedImage {
+
+ uint32_t sector_size;
+
+- /* Meta information extracted from /etc/os-release and similar */
+ char *image_name;
+ sd_id128_t image_uuid;
++
++ /* Meta information extracted from /etc/os-release and similar */
+ char *hostname;
+ sd_id128_t machine_id;
+ char **machine_info;
+--
+2.33.0
+
diff --git a/backport-dissect-image-uppercase-first-char-of-dissect-error-.patch b/backport-dissect-image-uppercase-first-char-of-dissect-error-.patch
new file mode 100644
index 0000000..d273636
--- /dev/null
+++ b/backport-dissect-image-uppercase-first-char-of-dissect-error-.patch
@@ -0,0 +1,39 @@
+From 331a02ef24afa4d59a50b42f42f8807c2ab23eeb Mon Sep 17 00:00:00 2001
+From: Lennart Poettering
+Date: Fri, 18 Oct 2024 14:16:13 +0200
+Subject: [PATCH 0959/1160] dissect-image: uppercase first char of dissect
+ error message systematically
+
+Some of the log message stricts used proper uppercasing, others didn't.
+Fix that to make it uniform.
+
+(cherry picked from commit 620a03f669a9075f2d78c2fcf7db45f7046481bc)
+(cherry picked from commit f2833a50bdbb735913b7b549d9b2ce9b659d5e1f)
+---
+ src/shared/dissect-image.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/shared/dissect-image.c b/src/shared/dissect-image.c
+index 6b671ff1ea..685d8c0368 100644
+--- a/src/shared/dissect-image.c
++++ b/src/shared/dissect-image.c
+@@ -1622,13 +1622,13 @@ int dissect_log_error(int log_level, int r, const char *name, const VeritySettin
+ name, strna(verity ? verity->data_path : NULL));
+
+ case -ERFKILL:
+- return log_full_errno(log_level, r, "%s: image does not match image policy.", name);
++ return log_full_errno(log_level, r, "%s: Image does not match image policy.", name);
+
+ case -ENOMSG:
+- return log_full_errno(log_level, r, "%s: no suitable partitions found.", name);
++ return log_full_errno(log_level, r, "%s: No suitable partitions found.", name);
+
+ default:
+- return log_full_errno(log_level, r, "%s: cannot dissect image: %m", name);
++ return log_full_errno(log_level, r, "%s: Cannot dissect image: %m", name);
+ }
+ }
+
+--
+2.33.0
+
diff --git a/backport-dissect-tool-right-align-the-partition-number.patch b/backport-dissect-tool-right-align-the-partition-number.patch
new file mode 100644
index 0000000..4ea5ea5
--- /dev/null
+++ b/backport-dissect-tool-right-align-the-partition-number.patch
@@ -0,0 +1,31 @@
+From 8ff96162aa7e724fc0137afab9ad35ec662909df Mon Sep 17 00:00:00 2001
+From: Lennart Poettering
+Date: Mon, 4 Dec 2023 18:07:18 +0100
+Subject: [PATCH 0060/1160] dissect-tool: right-align the partition number
+
+The right-alignment was applied to the wrong column, because neither
+ee8e497d249ab2e2df92aa024274f5b817270114 nor
+1474d7ac2d308204e599a2502a8b5625bca76bcc updated the column count as
+they should have.
+
+(cherry picked from commit 748e87a7911813d64e34f2366df842b210a27f11)
+---
+ src/dissect/dissect.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/dissect/dissect.c b/src/dissect/dissect.c
+index dc753b461c..92432b6fed 100644
+--- a/src/dissect/dissect.c
++++ b/src/dissect/dissect.c
+@@ -960,7 +960,7 @@ static int action_dissect(DissectedImage *m, LoopDevice *d) {
+ return log_oom();
+
+ table_set_ersatz_string(t, TABLE_ERSATZ_DASH);
+- (void) table_set_align_percent(t, table_get_cell(t, 0, 7), 100);
++ (void) table_set_align_percent(t, table_get_cell(t, 0, 9), 100);
+
+ for (PartitionDesignator i = 0; i < _PARTITION_DESIGNATOR_MAX; i++) {
+ DissectedPartition *p = m->partitions + i;
+--
+2.33.0
+
diff --git a/backport-dlopen-log-debug-message-when-a-library-is-dlopened.patch b/backport-dlopen-log-debug-message-when-a-library-is-dlopened.patch
new file mode 100644
index 0000000..0e11468
--- /dev/null
+++ b/backport-dlopen-log-debug-message-when-a-library-is-dlopened.patch
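Review bot: The fix swaps one magic column index for another (`table_get_cell(t, 0, 9)`), and the commit message itself records that two earlier commits added columns without updating it, so the same slip can recur unnoticed. A comment tying the index to the column list, `/* column 9 is the partition number; keep in sync with the header list passed to table_new() above */`, or a named constant defined next to that list, makes the coupling visible at the point where it breaks. The table_new() call is above the hunk and action_dissect() starts outside it.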
@@ -0,0 +1,83 @@ +From 68cd53ff2a475b7592ebe1e77e685ec47eeb292f Mon Sep 17 00:00:00 2001 +From: Luca Boccassi +Date: Wed, 3 Apr 2024 12:07:43 +0100 +Subject: [PATCH 0485/1160] dlopen: log debug message when a library is + dlopened + +Useful to track what is being used and when + +(cherry picked from commit dd6c0df65cd9c0c19cbd655772824c90125347b4) +--- + src/shared/bpf-dlopen.c | 4 ++++ + src/shared/dlfcn-util.c | 2 ++ + src/shared/idn-util.c | 5 ++++- + src/shared/tpm2-util.c | 2 ++ + 4 files changed, 12 insertions(+), 1 deletion(-) + +diff --git a/src/shared/bpf-dlopen.c b/src/shared/bpf-dlopen.c +index 2e49b2ea5d..f00dbeabae 100644 +--- a/src/shared/bpf-dlopen.c ++++ b/src/shared/bpf-dlopen.c +@@ -74,6 +74,8 @@ int dlopen_bpf(void) { + return log_debug_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), + "neither libbpf.so.1 nor libbpf.so.0 are installed: %s", dlerror()); + ++ log_debug("Loaded 'libbpf.so.0' via dlopen()"); ++ + /* symbols deprecated in 1.0 we use as compat */ + r = dlsym_many_or_warn( + dl, LOG_DEBUG, +@@ -87,6 +89,8 @@ int dlopen_bpf(void) { + #endif + ); + } else { ++ log_debug("Loaded 'libbpf.so.1' via dlopen()"); ++ + /* symbols available from 0.7.0 */ + r = dlsym_many_or_warn( + dl, LOG_DEBUG, +diff --git a/src/shared/dlfcn-util.c b/src/shared/dlfcn-util.c +index a321df3c67..8022f55294 100644 +--- a/src/shared/dlfcn-util.c ++++ b/src/shared/dlfcn-util.c +@@ -49,6 +49,8 @@ int dlopen_many_sym_or_warn_sentinel(void **dlp, const char *filename, int log_l + return log_debug_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), + "%s is not installed: %s", filename, dlerror()); + ++ log_debug("Loaded '%s' via dlopen()", filename); ++ + va_list ap; + va_start(ap, log_level); + r = dlsym_many_or_warnv(dl, log_level, ap); +diff --git a/src/shared/idn-util.c b/src/shared/idn-util.c +index 6f36688dc0..26a9d608ec 100644 +--- a/src/shared/idn-util.c ++++ b/src/shared/idn-util.c +@@ -50,7 +50,10 @@ int dlopen_idn(void) { + if (!dl) + return log_debug_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), + 
"libidn support is not installed: %s", dlerror()); +- } ++ log_debug("Loaded 'libidn.so.11' via dlopen()"); ++ } else ++ log_debug("Loaded 'libidn.so.12' via dlopen()"); ++ + + r = dlsym_many_or_warn( + dl, +diff --git a/src/shared/tpm2-util.c b/src/shared/tpm2-util.c +index 892e5c7388..02e0e3b803 100644 +--- a/src/shared/tpm2-util.c ++++ b/src/shared/tpm2-util.c +@@ -666,6 +666,8 @@ int tpm2_context_new(const char *device, Tpm2Context **ret_context) { + if (!context->tcti_dl) + return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE), "Failed to load %s: %s", fn, dlerror()); + ++ log_debug("Loaded '%s' via dlopen()", fn); ++ + func = dlsym(context->tcti_dl, TSS2_TCTI_INFO_SYMBOL); + if (!func) + return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE), +-- +2.33.0 + diff --git a/backport-dns-stream-only-read-DNS-packet-data-if-we-identifie.patch b/backport-dns-stream-only-read-DNS-packet-data-if-we-identifie.patch new file mode 100644 index 0000000..7c72010 --- /dev/null +++ b/backport-dns-stream-only-read-DNS-packet-data-if-we-identifie.patch 
@@ -0,0 +1,39 @@
+From e22b61dd1e1828f0af1e298aa8f626adc1907f12 Mon Sep 17 00:00:00 2001
+From: Lennart Poettering
+Date: Tue, 4 Mar 2025 00:17:21 +0100
+Subject: [PATCH 1150/1160] dns-stream: only read DNS packet data if we
+ identified the peer properly
+
+If we use TCP fastopen to connect to a DNS server via TCP, and it
+responds really quickly between our connection attempt and our immediate
+check back, then we have not identified the peer yet, and will not be
+able to use the peer metadata to fill in our packet info.
+
+Let's fix that, and simply not read from the socket until identification
+is complete.
+
+Fixes: #34956
+(cherry picked from commit facc9439a76b4c3a5c273c71bd7a676e4c74778c)
+(cherry picked from commit 11da52785c978369e4cd92e67e5017a436404340)
+(cherry picked from commit 9bf15a285e96eec950e21528d712ec0539839a8b)
+---
+ src/resolve/resolved-dns-stream.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/resolve/resolved-dns-stream.c b/src/resolve/resolved-dns-stream.c
+index c3e825abf4..020783d626 100644
+--- a/src/resolve/resolved-dns-stream.c
++++ b/src/resolve/resolved-dns-stream.c
+@@ -359,7 +359,8 @@ static int on_stream_io(sd_event_source *es, int fd, uint32_t revents, void *use
+ }
+ }
+
+- while ((revents & (EPOLLIN|EPOLLHUP|EPOLLRDHUP)) &&
++ while (s->identified && /* Only read data once we identified the peer, because we cannot fill in the DNS packet meta info otherwise */
++ (revents & (EPOLLIN|EPOLLHUP|EPOLLRDHUP)) &&
+ (!s->read_packet ||
+ s->n_read < sizeof(s->read_size) + s->read_packet->size)) {
+
+--
+2.33.0
+
diff --git a/backport-dns-update-record-type-enum-to-match-iana.patch b/backport-dns-update-record-type-enum-to-match-iana.patch
new file mode 100644
index 0000000..51193ed
--- /dev/null
+++ b/backport-dns-update-record-type-enum-to-match-iana.patch
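Review bot: The explanatory comment is placed inside the `while` condition, between the first operand and the rest of the predicate, which makes a four-line loop header hard to scan; moving it above the loop, `/* Only read once the peer is identified, otherwise the DNS packet meta info cannot be filled in */`, keeps the condition compact. With `s->identified` false and EPOLLHUP or EPOLLRDHUP set, this loop no longer consumes the hang-up; whether the identification path earlier in on_stream_io() or a later branch handles that case is not visible in the hunk. on_stream_io() starts and ends outside the hunk.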
@@ -0,0 +1,60 @@ +From d32ddaf488f2f087e028373dd0a95987d4c7ec45 Mon Sep 17 00:00:00 2001 +From: Ronan Pigott +Date: Wed, 27 Dec 2023 18:27:00 -0700 +Subject: [PATCH 0098/1160] dns: update record type enum to match iana +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Adds some new dns record types. Also, some types were inserted into the +middle of the enum — this corrects an error where the enum constants for +some of the record types previously held an incorrect value. + +(cherry picked from commit 818bb6f4825b57c2cd2783fbffe2b2ef82a31573) +--- + src/resolve/dns-type.h | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +diff --git a/src/resolve/dns-type.h b/src/resolve/dns-type.h +index f0bb3be7be..9255f1c345 100644 +--- a/src/resolve/dns-type.h ++++ b/src/resolve/dns-type.h +@@ -60,6 +60,7 @@ enum { + DNS_TYPE_NSEC3, + DNS_TYPE_NSEC3PARAM, + DNS_TYPE_TLSA, ++ DNS_TYPE_SMIMEA, /* RFC 8162 */ + + DNS_TYPE_HIP = 0x37, + DNS_TYPE_NINFO, +@@ -68,8 +69,16 @@ enum { + DNS_TYPE_CDS, + DNS_TYPE_CDNSKEY, + DNS_TYPE_OPENPGPKEY, ++ DNS_TYPE_CSYNC, ++ DNS_TYPE_ZONEMD, ++ DNS_TYPE_SVCB, /* RFC 9460 */ ++ DNS_TYPE_HTTPS, /* RFC 9460 */ + + DNS_TYPE_SPF = 0x63, ++ DNS_TYPE_UINFO, ++ DNS_TYPE_UID, ++ DNS_TYPE_GID, ++ DNS_TYPE_UNSPEC, + DNS_TYPE_NID, + DNS_TYPE_L32, + DNS_TYPE_L64, +@@ -86,6 +95,10 @@ enum { + DNS_TYPE_ANY, + DNS_TYPE_URI, + DNS_TYPE_CAA, ++ DNS_TYPE_AVC, ++ DNS_TYPE_DOA, ++ DNS_TYPE_AMTRELAY, ++ DNS_TYPE_RESINFO, + DNS_TYPE_TA = 0x8000, + DNS_TYPE_DLV, + +-- +2.33.0 + diff --git a/backport-dnssd-don-t-advertise-subtype-PTRs-to-the-browsing-d.patch b/backport-dnssd-don-t-advertise-subtype-PTRs-to-the-browsing-d.patch new file mode 100644 index 0000000..e853d24 --- /dev/null +++ b/backport-dnssd-don-t-advertise-subtype-PTRs-to-the-browsing-d.patch 
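Review bot: The enum corrects the IANA numbering by inserting positional entries between the explicit anchors (0x37, 0x63, 0x8000), so the very error this commit fixes — a type constant silently shifting when a neighbour is added — stays easy to reintroduce, and nothing in the file pins the values. Compile-time checks on a few well-known assignments placed after the enum, `assert_cc(DNS_TYPE_SVCB == 64); assert_cc(DNS_TYPE_HTTPS == 65); assert_cc(DNS_TYPE_CAA == 257);`, would turn a repeat into a build failure instead of wrong type numbers on the wire. The enum's closing brace is outside the hunk.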
@@ -0,0 +1,80 @@ +From d5fbe960a89e8c8dbcbd58cbfbf1818da4665412 Mon Sep 17 00:00:00 2001 +From: Ronan Pigott +Date: Tue, 19 Mar 2024 01:56:03 -0700 +Subject: [PATCH 0457/1160] dnssd: don't advertise subtype PTRs to the browsing + domain +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The RFC6763 § 9 recommendation is to advertise only the two-label +service names. + +Fixes: 88123aa21c26 ("dnssd: support service subtypes") +(cherry picked from commit cd40efc671e9bfbefb70e409afc2fab62948ae1f) +--- + src/resolve/resolved-dns-rr.c | 17 +++++++++++++++++ + src/resolve/resolved-dns-rr.h | 1 + + src/resolve/resolved-dns-scope.c | 5 +++-- + 3 files changed, 21 insertions(+), 2 deletions(-) + +diff --git a/src/resolve/resolved-dns-rr.c b/src/resolve/resolved-dns-rr.c +index 00f7beacc8..b280a5a6ba 100644 +--- a/src/resolve/resolved-dns-rr.c ++++ b/src/resolve/resolved-dns-rr.c +@@ -181,6 +181,23 @@ bool dns_resource_key_is_dnssd_ptr(const DnsResourceKey *key) { + dns_name_endswith(dns_resource_key_name(key), "_udp.local"); + } + ++bool dns_resource_key_is_dnssd_two_label_ptr(const DnsResourceKey *key) { ++ assert(key); ++ ++ /* Check if this is a PTR resource key used in Service Instance ++ * Enumeration as described in RFC6763 § 4.1, excluding selective ++ * service names described in RFC6763 § 7.1. 
*/ ++ ++ if (key->type != DNS_TYPE_PTR) ++ return false; ++ ++ const char *name = dns_resource_key_name(key); ++ if (dns_name_parent(&name) <= 0) ++ return false; ++ ++ return dns_name_equal(name, "_tcp.local") || dns_name_equal(name, "_udp.local"); ++} ++ + int dns_resource_key_equal(const DnsResourceKey *a, const DnsResourceKey *b) { + int r; + +diff --git a/src/resolve/resolved-dns-rr.h b/src/resolve/resolved-dns-rr.h +index fd15cc343d..1a12933b01 100644 +--- a/src/resolve/resolved-dns-rr.h ++++ b/src/resolve/resolved-dns-rr.h +@@ -305,6 +305,7 @@ DnsResourceKey* dns_resource_key_unref(DnsResourceKey *key); + const char* dns_resource_key_name(const DnsResourceKey *key); + bool dns_resource_key_is_address(const DnsResourceKey *key); + bool dns_resource_key_is_dnssd_ptr(const DnsResourceKey *key); ++bool dns_resource_key_is_dnssd_two_label_ptr(const DnsResourceKey *key); + int dns_resource_key_equal(const DnsResourceKey *a, const DnsResourceKey *b); + int dns_resource_key_match_rr(const DnsResourceKey *key, DnsResourceRecord *rr, const char *search_domain); + int dns_resource_key_match_cname_or_dname(const DnsResourceKey *key, const DnsResourceKey *cname, const char *search_domain); +diff --git a/src/resolve/resolved-dns-scope.c b/src/resolve/resolved-dns-scope.c +index 3e2eac53f2..af8e9cd113 100644 +--- a/src/resolve/resolved-dns-scope.c ++++ b/src/resolve/resolved-dns-scope.c +@@ -1489,9 +1489,10 @@ int dns_scope_announce(DnsScope *scope, bool goodbye) { + continue; + } + +- /* Collect service types for _services._dns-sd._udp.local RRs in a set */ ++ /* Collect service types for _services._dns-sd._udp.local RRs in a set. Only two-label names ++ * (not selective names) are considered according to RFC6763 § 9. 
*/ + if (!scope->announced && +- dns_resource_key_is_dnssd_ptr(z->rr->key)) { ++ dns_resource_key_is_dnssd_two_label_ptr(z->rr->key)) { + if (!set_contains(types, dns_resource_key_name(z->rr->key))) { + r = set_ensure_put(&types, &dns_name_hash_ops, dns_resource_key_name(z->rr->key)); + if (r < 0) +-- +2.33.0 + diff --git a/backport-efi-api-check-sys-class-tpm-tpm0-tpm_version_major-t.patch b/backport-efi-api-check-sys-class-tpm-tpm0-tpm_version_major-t.patch new file mode 100644 index 0000000..ad8f6d8 --- /dev/null +++ b/backport-efi-api-check-sys-class-tpm-tpm0-tpm_version_major-t.patch 
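Review bot: In the new dns_resource_key_is_dnssd_two_label_ptr() the closing `return dns_name_equal(name, "_tcp.local") || dns_name_equal(name, "_udp.local");` collapses an int into a bool; if dns_name_equal() follows the same negative-errno convention that the function already assumes for dns_name_parent() in its `<= 0` check two lines above, an error would be reported as "true" and a malformed name would be announced as a service type. `return dns_name_equal(name, "_tcp.local") > 0 || dns_name_equal(name, "_udp.local") > 0;` closes that. The older dns_resource_key_is_dnssd_ptr() visible in the context lines has the same shape with dns_name_endswith(), so the existing code is not a safe precedent here.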
@@ -0,0 +1,102 @@ +From b2046c36d5324e90ff7ef0e41c9f71b10df12176 Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Thu, 30 May 2024 10:02:36 +0200 +Subject: [PATCH 0704/1160] efi-api: check + /sys/class/tpm/tpm0/tpm_version_major, too + +If the ceck for the ACPI TPM2 table did not work we currently check if +the EFI TPM table exists to check if the firmware supports TPM2. +Specifically we check if +/sys/kernel/security/tpm0/binary_bios_measurements exists. But that's +not enough, since that also exists on TPM1.2 systems. Hence, let's also +check /sys/class/tpm/tpm0/tpm_version_major which should exist under +similar conditions and tells us the kernel's idea of the TPM version in +use. + +I originally intended to read the signature of the +/sys/kernel/security/tpm0/binary_bios_measurements contents for this, +but this is not ideal since that file has tight access mode, and our TPM +availability check would thus not work anymore if invoked unpriv. + +Follow-up for 4b3391158197e9158cc754e56bbeaf94e2fd8395 + +Fixes: #33077 +(cherry picked from commit aeaac9a2899a11194d6f808ba70cd48d1253b7a3) +--- + src/shared/efi-api.c | 37 ++++++++++++++++++++++--------------- + 1 file changed, 22 insertions(+), 15 deletions(-) + +diff --git a/src/shared/efi-api.c b/src/shared/efi-api.c +index 4cd1091e9a..2cc2b75d98 100644 +--- a/src/shared/efi-api.c ++++ b/src/shared/efi-api.c +@@ -7,6 +7,7 @@ + #include "efi-api.h" + #include "efivars.h" + #include "fd-util.h" ++#include "fileio.h" + #include "sort-util.h" + #include "stat-util.h" + #include "stdio-util.h" +@@ -481,6 +482,7 @@ int efi_get_boot_options(uint16_t **ret_options) { + + bool efi_has_tpm2(void) { + static int cache = -1; ++ int r; + + /* Returns whether the system has a TPM2 chip which is known to the EFI firmware. */ + +@@ -488,30 +490,35 @@ bool efi_has_tpm2(void) { + return cache; + + /* First, check if we are on an EFI boot at all. 
*/ +- if (!is_efi_boot()) { +- cache = 0; +- return cache; +- } ++ if (!is_efi_boot()) ++ return (cache = false); + + /* Then, check if the ACPI table "TPM2" exists, which is the TPM2 event log table, see: + * https://trustedcomputinggroup.org/wp-content/uploads/TCG_ACPIGeneralSpecification_v1.20_r8.pdf +- * This table exists whenever the firmware is hooked up to TPM2. */ +- cache = access("/sys/firmware/acpi/tables/TPM2", F_OK) >= 0; +- if (cache) +- return cache; +- ++ * This table exists whenever the firmware knows ACPI and is hooked up to TPM2. */ ++ if (access("/sys/firmware/acpi/tables/TPM2", F_OK) >= 0) ++ return (cache = true); + if (errno != ENOENT) + log_debug_errno(errno, "Unable to test whether /sys/firmware/acpi/tables/TPM2 exists, assuming it doesn't: %m"); + + /* As the last try, check if the EFI firmware provides the EFI_TCG2_FINAL_EVENTS_TABLE + * stored in EFI configuration table, see: +- * https://trustedcomputinggroup.org/wp-content/uploads/EFI-Protocol-Specification-rev13-160330final.pdf +- */ +- cache = access("/sys/kernel/security/tpm0/binary_bios_measurements", F_OK) >= 0; +- if (!cache && errno != ENOENT) +- log_debug_errno(errno, "Unable to test whether /sys/kernel/security/tpm0/binary_bios_measurements exists, assuming it doesn't: %m"); ++ * ++ * https://trustedcomputinggroup.org/wp-content/uploads/EFI-Protocol-Specification-rev13-160330final.pdf */ ++ if (access("/sys/kernel/security/tpm0/binary_bios_measurements", F_OK) >= 0) { ++ _cleanup_free_ char *major = NULL; ++ ++ /* The EFI table might exist for TPM 1.2 as well, hence let's check explicitly which TPM version we are looking at here. 
*/ ++ r = read_virtual_file("/sys/class/tpm/tpm0/tpm_version_major", SIZE_MAX, &major, /* ret_size= */ NULL); ++ if (r >= 0) ++ return (cache = streq(strstrip(major), "2")); ++ ++ log_debug_errno(r, "Unable to read /sys/class/tpm/tpm0/tpm_version_major, assuming TPM does not qualify as TPM2: %m"); ++ ++ } else if (errno != ENOENT) ++ log_debug_errno(errno, "Unable to test whether /sys/kernel/security/tpm0/binary_bios_measurements exists, assuming it doesn't: %m"); + +- return cache; ++ return (cache = false); + } + + #endif +-- +2.33.0 + diff --git a/backport-efi-check-if-all-sections-of-our-EFI-binaries-are-pr.patch b/backport-efi-check-if-all-sections-of-our-EFI-binaries-are-pr.patch new file mode 100644 index 0000000..311e7e1 --- /dev/null +++ b/backport-efi-check-if-all-sections-of-our-EFI-binaries-are-pr.patch 
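Review bot: The doc comment of efi_has_tpm2() still reads "Returns whether the system has a TPM2 chip which is known to the EFI firmware", but the fallback path now decides on the kernel's `/sys/class/tpm/tpm0/tpm_version_major`, and an unreadable file is treated as "no TPM2". Updating it to `/* Returns whether the system has a TPM2 chip known to the EFI firmware, cross-checked against the kernel's reported TPM version; when that cannot be determined the check fails closed (no TPM2). */` records both the new dependency and the conservative default. The `return (cache = ...)` assignments inside a bool function also depart from the `cache = ...; return cache;` form of the removed lines; either is fine, but the rest of efi-api.c should follow one style. The `if (cache >= 0)` line between the two hunks is not visible.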
@@ -0,0 +1,83 @@ +From 547ab65a8138c71a04849f2932e70cb2102c4713 Mon Sep 17 00:00:00 2001 +From: Frantisek Sumsal +Date: Fri, 22 Mar 2024 13:35:38 +0100 +Subject: [PATCH 0472/1160] efi: check if all sections of our EFI binaries are + properly aligned + +(cherry picked from commit 7ff3b88396f440bff60328b4bff7627a34d45e4a) +--- + meson.build | 1 + + src/boot/efi/meson.build | 5 +++++ + tools/check-efi-alignment.py | 32 ++++++++++++++++++++++++++++++++ + 3 files changed, 38 insertions(+) + create mode 100755 tools/check-efi-alignment.py + +diff --git a/meson.build b/meson.build +index 7b31929e7a..1bb18fb740 100644 +--- a/meson.build ++++ b/meson.build +@@ -1813,6 +1813,7 @@ conf.set10('ENABLE_UKIFY', want_ukify) + + ############################################################ + ++check_efi_alignment_py = find_program('tools/check-efi-alignment.py') + check_version_history_py = find_program('tools/check-version-history.py') + elf2efi_py = find_program('tools/elf2efi.py') + export_dbus_interfaces_py = find_program('tools/dbus_exporter.py') +diff --git a/src/boot/efi/meson.build b/src/boot/efi/meson.build +index c95132e420..43727ef050 100644 +--- a/src/boot/efi/meson.build ++++ b/src/boot/efi/meson.build +@@ -404,6 +404,11 @@ foreach efi_elf_binary : efi_elf_binaries + if name == 'addon@0@.efi.stub'.format(efi_arch) + efi_addon = exe.full_path() + endif ++ ++ test('check-alignment-@0@'.format(name), ++ check_efi_alignment_py, ++ args : exe.full_path(), ++ suite : 'efi') + endforeach + + alias_target('systemd-boot', boot_targets) +diff --git a/tools/check-efi-alignment.py b/tools/check-efi-alignment.py +new file mode 100755 +index 0000000000..bb33ac0809 +--- /dev/null ++++ b/tools/check-efi-alignment.py +@@ -0,0 +1,32 @@ ++#!/usr/bin/python3 ++# SPDX-License-Identifier: LGPL-2.1-or-later ++# vi: set tw=110 sw=4 ts=4 et: ++ ++import sys ++ ++import pefile ++ ++ ++def main(): ++ pe = pefile.PE(sys.argv[1], fast_load=True) ++ ++ for section in pe.sections: ++ name = 
section.Name.rstrip(b"\x00").decode() ++ file_addr = section.PointerToRawData ++ virt_addr = section.VirtualAddress ++ print(f"{name:10s} file=0x{file_addr:08x} virt=0x{virt_addr:08x}") ++ ++ if file_addr % 512 != 0: ++ print(f"File address of {name} section is not aligned to 512 bytes", file=sys.stderr) ++ return 1 ++ ++ if virt_addr % 512 != 0: ++ print(f"Virt address of {name} section is not aligned to 512 bytes", file=sys.stderr) ++ return 1 ++ ++if __name__ == '__main__': ++ if len(sys.argv) != 2: ++ print(f"Usage: {sys.argv[0]} pe-image") ++ sys.exit(1) ++ ++ sys.exit(main()) +-- +2.33.0 + diff --git a/backport-efi-de-inline-xmalloc-to-fix-build-failure-with-gcc-.patch b/backport-efi-de-inline-xmalloc-to-fix-build-failure-with-gcc-.patch new file mode 100644 index 0000000..6439968 --- /dev/null +++ b/backport-efi-de-inline-xmalloc-to-fix-build-failure-with-gcc-.patch 
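Review bot: tools/check-efi-alignment.py imports the third-party `pefile` module unconditionally, while the meson hunk only registers the script through find_program(), so on a builder without pefile every new `check-alignment-*` test fails with an ImportError instead of being skipped; whether pefile is declared as a build dependency elsewhere is not visible here. Catching the import failure and exiting with status 77, which meson reports as a skipped test, keeps the suite's result truthful about what was checked. Separately, main() falls off the end after the loop, so the success exit status rests on `sys.exit(None)` meaning 0; an explicit `return 0` at the end of main() documents that intent.
```python
try:
    import pefile
except ImportError:
    print("pefile module not available, skipping alignment check", file=sys.stderr)
    sys.exit(77)

# … unchanged: main() and the __main__ guard …
```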
@@ -0,0 +1,64 @@ +From 4cf3445955e9b539fd4dcbd14810913a3054c8a5 Mon Sep 17 00:00:00 2001 +From: Luca Boccassi +Date: Thu, 22 Feb 2024 14:23:06 +0000 +Subject: [PATCH 0254/1160] efi: de-inline xmalloc to fix build failure with + gcc 12.2 and -O2 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +With meson build --werror --buildtype=plain -Dc_args=" -O2" the build fails: + +../src/boot/efi/stub.c: In function ‘load_addons.constprop’:03:06 +../src/boot/efi/stub.c:475:40: error: using a dangling pointer to ‘p’ [-Werror=dangling-pointer=]03:06 + 475 | dt_bases[n_dt] = xmemdup((uint8_t*)loaded_addon->ImageBase + addrs[UNIFIED_SECTION_DTB],03:06 + | ~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~03:06 + 476 | dt_sizes[n_dt]);03:06 + | ~~~~~~~~~~~~~~~03:06 +In file included from ../src/boot/efi/stub.c:20:03:06 +../src/boot/efi/util.h:33:15: note: ‘p’ declared here03:06 + 33 | void *p;03:06 + | ^ + +De-inline the function and initialize p to make gcc happy. 
+ +(cherry picked from commit 6036f62c51aea80e199b8c81f8ceb16b5a1a341a) +--- + src/boot/efi/util.c | 6 ++++++ + src/boot/efi/util.h | 6 +----- + 2 files changed, 7 insertions(+), 5 deletions(-) + +diff --git a/src/boot/efi/util.c b/src/boot/efi/util.c +index 25f5e0f032..e56ccfd8ae 100644 +--- a/src/boot/efi/util.c ++++ b/src/boot/efi/util.c +@@ -697,3 +697,9 @@ char16_t *get_extra_dir(const EFI_DEVICE_PATH *file_path) { + remove_boot_count(file_path_str); + return xasprintf("%ls.extra.d", file_path_str); + } ++ ++void *xmalloc(size_t size) { ++ void *p = NULL; ++ assert_se(BS->AllocatePool(EfiLoaderData, size, &p) == EFI_SUCCESS); ++ return p; ++} +diff --git a/src/boot/efi/util.h b/src/boot/efi/util.h +index 6e15a8b85d..0306e32810 100644 +--- a/src/boot/efi/util.h ++++ b/src/boot/efi/util.h +@@ -29,11 +29,7 @@ static inline void freep(void *p) { + #define _cleanup_free_ _cleanup_(freep) + + _malloc_ _alloc_(1) _returns_nonnull_ _warn_unused_result_ +-static inline void *xmalloc(size_t size) { +- void *p; +- assert_se(BS->AllocatePool(EfiLoaderData, size, &p) == EFI_SUCCESS); +- return p; +-} ++void *xmalloc(size_t size); + + _malloc_ _alloc_(1, 2) _returns_nonnull_ _warn_unused_result_ + static inline void *xmalloc_multiply(size_t n, size_t size) { +-- +2.33.0 + diff --git a/backport-efi-fix-link-to-legacy-EFI-handover-protocol.patch b/backport-efi-fix-link-to-legacy-EFI-handover-protocol.patch new file mode 100644 index 0000000..48ebb51 --- /dev/null +++ b/backport-efi-fix-link-to-legacy-EFI-handover-protocol.patch 
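Review bot: The out-of-line definition added to util.c carries no comment, so nothing in that file explains why a one-line allocator is no longer `static inline`; the next cleanup pass is likely to re-inline it and reintroduce the gcc 12.2 `-Werror=dangling-pointer` failure the commit message describes. Suggest above the definition: `/* Deliberately not inline: gcc 12.2 with -O2 reports a (false) dangling pointer in callers when this is inlined. */`. The `_malloc_ _alloc_(1) _returns_nonnull_ _warn_unused_result_` attributes now live only on the header prototype, which is sufficient since attributes on the declaration cover the definition.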
@@ -0,0 +1,27 @@
+From 407ac39dd8c3ac41c7c9c6f2f9c8307cd60b5ce9 Mon Sep 17 00:00:00 2001
+From: Luca Boccassi
+Date: Wed, 31 Jul 2024 01:46:58 +0100
+Subject: [PATCH 0818/1160] efi: fix link to legacy EFI handover protocol
+
+(cherry picked from commit 4d6ab7e8440845301c90211beb22015e7232faa1)
+(cherry picked from commit c12c122e2ad3668848ffff69913006d420bda41d)
+---
+ src/boot/efi/linux_x86.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/boot/efi/linux_x86.c b/src/boot/efi/linux_x86.c
+index 3e42361812..58b1b3cc8f 100644
+--- a/src/boot/efi/linux_x86.c
++++ b/src/boot/efi/linux_x86.c
+@@ -7,7 +7,7 @@
+ * this x86 specific linux_exec function passes the initrd by setting the
+ * corresponding fields in the setup_header struct.
+ *
+- * see https://docs.kernel.org/x86/boot.html
++ * see https://docs.kernel.org/arch/x86/boot.html
+ */
+
+ #include "initrd.h"
+--
+2.33.0
+
diff --git a/backport-efi-loader-make-efi_loader_get_entries-handling-miss.patch b/backport-efi-loader-make-efi_loader_get_entries-handling-miss.patch
new file mode 100644
index 0000000..d9e664c
--- /dev/null
+++ b/backport-efi-loader-make-efi_loader_get_entries-handling-miss.patch
@@ -0,0 +1,59 @@ +From 1cd60d47e812172cf04f25c4fc828e72b7e725f1 Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Mon, 12 Feb 2024 17:23:59 +0100 +Subject: [PATCH 0311/1160] efi-loader: make efi_loader_get_entries() handling + missing NUL termination gracefully + +Our function so far assumed that the LoaderEntries's last string is or +is not NUL terminated. But if it was, then we'd debug log about this, +claiming there was an invalid id. sd-boot actually ends the list in a +properly NUL-terminated string, hence we should just accept that. Handle +that case gracefully, and add comments explaining why we have two ways +why we exit the loop. + +This is cosmetic only, just suppresses a misleading debug log message. + +(cherry picked from commit 2cda44c23eb54cebf60f90aaeda82d95ec204152) +--- + src/shared/efi-loader.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +diff --git a/src/shared/efi-loader.c b/src/shared/efi-loader.c +index 758aaa13c1..7d6bda924a 100644 +--- a/src/shared/efi-loader.c ++++ b/src/shared/efi-loader.c +@@ -102,7 +102,8 @@ int efi_loader_get_entries(char ***ret) { + if (r < 0) + return r; + +- /* The variable contains a series of individually NUL terminated UTF-16 strings. */ ++ /* The variable contains a series of individually NUL terminated UTF-16 strings. We gracefully ++ * consider the final NUL byte optional (i.e. the last string may or may not end in a NUL byte).*/ + + for (size_t i = 0, start = 0;; i++) { + _cleanup_free_ char *decoded = NULL; +@@ -116,6 +117,11 @@ int efi_loader_get_entries(char ***ret) { + if (!end && entries[i] != 0) + continue; + ++ /* Empty string at the end of variable? That's the trailer, we are done (i.e. we have a final ++ * NUL terminator). 
*/ ++ if (end && start == i) ++ break; ++ + /* We reached the end of a string, let's decode it into UTF-8 */ + decoded = utf16_to_utf8(entries + start, (i - start) * sizeof(char16_t)); + if (!decoded) +@@ -128,7 +134,8 @@ int efi_loader_get_entries(char ***ret) { + } else + log_debug("Ignoring invalid loader entry '%s'.", decoded); + +- /* We reached the end of the variable */ ++ /* Exit the loop if we reached the end of the variable (i.e. we do not have a final NUL ++ * terminator) */ + if (end) + break; + +-- +2.33.0 + diff --git a/backport-efi-loader-when-detecting-if-we-are-booted-in-UKI-me.patch b/backport-efi-loader-when-detecting-if-we-are-booted-in-UKI-me.patch new file mode 100644 index 0000000..8f6e828 --- /dev/null +++ b/backport-efi-loader-when-detecting-if-we-are-booted-in-UKI-me.patch 
@@ -0,0 +1,57 @@ +From 85fdfb5673299921f405a5943908d60b22704e7b Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Tue, 2 Jan 2024 17:44:53 +0100 +Subject: [PATCH 0111/1160] efi-loader: when detecting if we are booted in UKI + measured boot mode, imply a check for TPM2 + +We simply don't carry any userspace support for TPM1.2 in our tree, and +we shouldn't given it's too weak by today's standards. Hence, if we +check if we are booted in UKI measured boot mode, don't just check if we +are booted in EFI, but also check that we have a TPM2 chip (as opposed +to none or only a TPM1.2 chip). + +This is an alternative to #30652 but more comprehensive (and simpler), +since it covers all invocations of efi_measured_uki(). + +Fixes: #30650 +Replaces: #30652 +(cherry picked from commit 03d808c9f6ea75d74bfaf2b4e37aad8d4935c5cd) +--- + src/shared/efi-loader.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/src/shared/efi-loader.c b/src/shared/efi-loader.c +index 0822364535..758aaa13c1 100644 +--- a/src/shared/efi-loader.c ++++ b/src/shared/efi-loader.c +@@ -1,6 +1,7 @@ + /* SPDX-License-Identifier: LGPL-2.1-or-later */ + + #include "alloc-util.h" ++#include "efi-api.h" + #include "efi-loader.h" + #include "env-util.h" + #include "parse-util.h" +@@ -247,8 +248,8 @@ int efi_measured_uki(int log_level) { + if (cached >= 0) + return cached; + +- /* Checks if we are booted on a kernel with sd-stub which measured the kernel into PCR 11. Or in +- * other words, if we are running on a TPM enabled UKI. ++ /* Checks if we are booted on a kernel with sd-stub which measured the kernel into PCR 11 on a TPM2 ++ * chip. Or in other words, if we are running on a TPM enabled UKI. (TPM 1.2 situations are ignored.) + * + * Returns == 0 and > 0 depending on the result of the test. 
Returns -EREMOTE if we detected a stub + * being used, but it measured things into a different PCR than we are configured for in +@@ -261,7 +262,7 @@ int efi_measured_uki(int log_level) { + if (r != -ENXIO) + log_debug_errno(r, "Failed to parse $SYSTEMD_FORCE_MEASURE, ignoring: %m"); + +- if (!is_efi_boot()) ++ if (!efi_has_tpm2()) + return (cached = 0); + + r = efi_get_variable_string(EFI_LOADER_VARIABLE(StubPcrKernelImage), &pcr_string); +-- +2.33.0 + diff --git a/backport-efivars-deal-with-uncommitted-efi-variables.patch b/backport-efivars-deal-with-uncommitted-efi-variables.patch new file mode 100644 index 0000000..eebe755 --- /dev/null +++ b/backport-efivars-deal-with-uncommitted-efi-variables.patch 
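Review bot: The swapped guard `if (!efi_has_tpm2()) return (cached = 0);` drops the explicit `is_efi_boot()` check, so non-EFI boots are handled correctly only if efi_has_tpm2() itself returns false there, which this hunk does not show. Worth a comment at that line, e.g. `/* efi_has_tpm2() is also false on non-EFI boots, so no separate is_efi_boot() check is needed */`, or keep both checks if efi-api.c does not guarantee it. Failing closed is the right direction for a measured-boot predicate: a TPM 1.2-only system is reported as not measured rather than leading callers into PCR-policy operations the tree cannot back. The `$SYSTEMD_FORCE_MEASURE` handling and the rest of efi_measured_uki() are outside the hunk.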
@@ -0,0 +1,56 @@ +From 7ab4191066f324d9109aabedce2c4462cc5bb250 Mon Sep 17 00:00:00 2001 +From: wrvsrx +Date: Sat, 7 Dec 2024 10:32:15 +0800 +Subject: [PATCH 1084/1160] efivars: deal with uncommitted efi variables + +Unfortunately kernel reports EOF if there's an inconsistency between efivarfs var list +and what's actually stored in firmware, c.f. #34304. A zero size env var is not allowed in +efi and hence the variable doesn't really exist in the backing store as long as it is zero +sized, and the kernel calls this "uncommitted". Hence we translate EOF back to ENOENT here, +as with kernel behavior before +https://github.com/torvalds/linux/commit/3fab70c165795431f00ddf9be8b84ddd07bd1f8f + +If the kernel changes behaviour (to flush dentries on resume), we can drop +this at some point in the future. But note that the commit is 11 +years old at this point so we'll need to deal with the current behaviour for +a long time. + +Fix #34304. + +(cherry picked from commit 6013dee98d6543ac290a2938c4ec8494e26531ab) +(cherry picked from commit 87df05b575bb42ce698ce0e44dcda23913a55e96) +(cherry picked from commit 537b527e02a4747685763289ee746925c4de5da7) +--- + src/basic/efivars.c | 16 ++++++++++++++++ + 1 file changed, 16 insertions(+) + +diff --git a/src/basic/efivars.c b/src/basic/efivars.c +index 9011ae29a3..92d28fa693 100644 +--- a/src/basic/efivars.c ++++ b/src/basic/efivars.c +@@ -96,6 +96,22 @@ int efi_get_variable( + (void) usleep_safe(EFI_RETRY_DELAY); + } + ++ /* Unfortunately kernel reports EOF if there's an inconsistency between efivarfs var list ++ * and what's actually stored in firmware, c.f. #34304. A zero size env var is not allowed in ++ * efi and hence the variable doesn't really exist in the backing store as long as it is zero ++ * sized, and the kernel calls this "uncommitted". 
Hence we translate EOF back to ENOENT here, ++ * as with kernel behavior before ++ * https://github.com/torvalds/linux/commit/3fab70c165795431f00ddf9be8b84ddd07bd1f8f ++ * ++ * If the kernel changes behaviour (to flush dentries on resume), we can drop ++ * this at some point in the future. But note that the commit is 11 ++ * years old at this point so we'll need to deal with the current behaviour for ++ * a long time. ++ */ ++ if (n == 0) ++ return log_debug_errno(SYNTHETIC_ERRNO(ENOENT), ++ "EFI variable %s is uncommitted", p); ++ + if (n != sizeof(a)) + return log_debug_errno(SYNTHETIC_ERRNO(EIO), + "Read %zi bytes from EFI variable %s, expected %zu.", n, p, sizeof(a)); +-- +2.33.0 + diff --git a/backport-elf2efi-remove-outdated-comment-mentioning-linker-sc.patch b/backport-elf2efi-remove-outdated-comment-mentioning-linker-sc.patch new file mode 100644 index 0000000..c916a24 --- /dev/null +++ b/backport-elf2efi-remove-outdated-comment-mentioning-linker-sc.patch @@ -0,0 +1,28 @@ +From c5952482f9faf34249da13f5b02039f7ee943727 Mon Sep 17 00:00:00 2001 +From: Mike Yuan +Date: Sun, 10 Dec 2023 19:05:27 +0800 +Subject: [PATCH 0466/1160] elf2efi: remove outdated comment mentioning linker + script + +Follow-up for 142f0c61a37091e233b80f02375cff1114dab24a + +(cherry picked from commit ced3e6bc0e4accb2dbef26e419ad850ca783b490) +--- + tools/elf2efi.py | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/tools/elf2efi.py b/tools/elf2efi.py +index 54f64fa53c..5411a02341 100755 +--- a/tools/elf2efi.py ++++ b/tools/elf2efi.py +@@ -552,7 +552,6 @@ def write_pe( + offset = opt.SizeOfHeaders + for pe_s in sorted(sections, key=lambda s: s.VirtualAddress): + if pe_s.VirtualAddress < opt.SizeOfHeaders: +- # Linker script should make sure this does not happen. + raise RuntimeError(f"Section {pe_s.Name} overlapping PE headers.") + + pe_s.PointerToRawData = offset +-- +2.33.0 + 
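Review bot: The new `if (n == 0) return log_debug_errno(SYNTHETIC_ERRNO(ENOENT), ...)` makes an uncommitted (zero-sized) variable indistinguishable from an absent one for every caller of efi_get_variable(), which is the intended fix but changes the failure class from EIO to ENOENT, so callers that treat ENOENT as a definite "not set" rather than "could not read" inherit that. Since efivarfs writes require privilege this is not an unprivileged attack surface, but the contract should be visible in the log line, e.g. `"EFI variable %s is uncommitted (zero-sized), treating as non-existent"`. The read that produces `n` and the retry loop above it are outside the hunk, so whether `n == 0` can also result from a transient short read cannot be checked here; if the loop already handles EINTR/EAGAIN, a one-line comment next to the check saying so would settle it.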
diff --git a/backport-env-util-add-new-setenvf-helper.patch b/backport-env-util-add-new-setenvf-helper.patch new file mode 100644 index 0000000..882a1f9 --- /dev/null +++ b/backport-env-util-add-new-setenvf-helper.patch 
@@ -0,0 +1,150 @@ +From 855cc5e81a9e3e3aeb21e4003e188e2cd734bf83 Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Mon, 8 Jan 2024 18:48:53 +0100 +Subject: [PATCH 0447/1160] env-util: add new setenvf() helper + +And convert some pieces of code over. + +(cherry picked from commit b20e9dc51596f787b0e0c6c2d4d21485e8d670c9) +--- + src/basic/env-util.c | 31 ++++++++++++++++++++++++++----- + src/basic/env-util.h | 2 ++ + src/journal/cat.c | 10 ++++------ + src/userdb/userdbd-manager.c | 8 ++++---- + 4 files changed, 36 insertions(+), 15 deletions(-) + +diff --git a/src/basic/env-util.c b/src/basic/env-util.c +index d3bf73385f..a97651d7af 100644 +--- a/src/basic/env-util.c ++++ b/src/basic/env-util.c +@@ -983,8 +983,8 @@ int putenv_dup(const char *assignment, bool override) { + } + + int setenv_systemd_exec_pid(bool update_only) { +- char str[DECIMAL_STR_MAX(pid_t)]; + const char *e; ++ int r; + + /* Update $SYSTEMD_EXEC_PID=pid except when '*' is set for the variable. */ + +@@ -995,10 +995,9 @@ int setenv_systemd_exec_pid(bool update_only) { + if (streq_ptr(e, "*")) + return 0; + +- xsprintf(str, PID_FMT, getpid_cached()); +- +- if (setenv("SYSTEMD_EXEC_PID", str, 1) < 0) +- return -errno; ++ r = setenvf("SYSTEMD_EXEC_PID", /* overwrite= */ 1, PID_FMT, getpid_cached()); ++ if (r < 0) ++ return r; + + return 1; + } +@@ -1093,3 +1092,25 @@ int set_full_environment(char **env) { + + return 0; + } ++ ++int setenvf(const char *name, bool overwrite, const char *valuef, ...) 
{ ++ _cleanup_free_ char *value = NULL; ++ va_list ap; ++ int r; ++ ++ assert(name); ++ ++ if (!valuef) ++ return RET_NERRNO(unsetenv(name)); ++ ++ va_start(ap, valuef); ++ DISABLE_WARNING_FORMAT_NONLITERAL; ++ r = vasprintf(&value, valuef, ap); ++ REENABLE_WARNING; ++ va_end(ap); ++ ++ if (r < 0) ++ return -ENOMEM; ++ ++ return RET_NERRNO(setenv(name, value, overwrite)); ++} +diff --git a/src/basic/env-util.h b/src/basic/env-util.h +index f7fb1e9082..34cf1f9372 100644 +--- a/src/basic/env-util.h ++++ b/src/basic/env-util.h +@@ -79,3 +79,5 @@ int getenv_path_list(const char *name, char ***ret_paths); + int getenv_steal_erase(const char *name, char **ret); + + int set_full_environment(char **env); ++ ++int setenvf(const char *name, bool overwrite, const char *valuef, ...) _printf_(3,4); +diff --git a/src/journal/cat.c b/src/journal/cat.c +index 609ddbaf6b..0325add12f 100644 +--- a/src/journal/cat.c ++++ b/src/journal/cat.c +@@ -12,6 +12,7 @@ + + #include "alloc-util.h" + #include "build.h" ++#include "env-util.h" + #include "fd-util.h" + #include "format-util.h" + #include "main-func.h" +@@ -157,7 +158,6 @@ static int run(int argc, char *argv[]) { + if (argc <= optind) + (void) execl("/bin/cat", "/bin/cat", NULL); + else { +- _cleanup_free_ char *s = NULL; + struct stat st; + + if (fstat(STDERR_FILENO, &st) < 0) +@@ -165,11 +165,9 @@ static int run(int argc, char *argv[]) { + "Failed to fstat(%s): %m", + FORMAT_PROC_FD_PATH(STDERR_FILENO)); + +- if (asprintf(&s, DEV_FMT ":" INO_FMT, (dev_t)st.st_dev, st.st_ino) < 0) +- return log_oom(); +- +- if (setenv("JOURNAL_STREAM", s, /* overwrite = */ true) < 0) +- return log_error_errno(errno, "Failed to set environment variable JOURNAL_STREAM: %m"); ++ r = setenvf("JOURNAL_STREAM", /* overwrite = */ true, DEV_FMT ":" INO_FMT, (dev_t) st.st_dev, st.st_ino); ++ if (r < 0) ++ return log_error_errno(r, "Failed to set environment variable JOURNAL_STREAM: %m"); + + (void) execvp(argv[optind], argv + optind); + } +diff --git 
a/src/userdb/userdbd-manager.c b/src/userdb/userdbd-manager.c +index c1dfe47ea3..359c827a32 100644 +--- a/src/userdb/userdbd-manager.c ++++ b/src/userdb/userdbd-manager.c +@@ -5,6 +5,7 @@ + #include "sd-daemon.h" + + #include "common-signal.h" ++#include "env-util.h" + #include "fd-util.h" + #include "fs-util.h" + #include "mkdir.h" +@@ -156,7 +157,6 @@ static int start_one_worker(Manager *m) { + if (r < 0) + return log_error_errno(r, "Failed to fork new worker child: %m"); + if (r == 0) { +- char pids[DECIMAL_STR_MAX(pid_t)]; + /* Child */ + + if (m->listen_fd == 3) { +@@ -174,9 +174,9 @@ static int start_one_worker(Manager *m) { + safe_close(m->listen_fd); + } + +- xsprintf(pids, PID_FMT, pid); +- if (setenv("LISTEN_PID", pids, 1) < 0) { +- log_error_errno(errno, "Failed to set $LISTEN_PID: %m"); ++ r = setenvf("LISTEN_PID", /* overwrite= */ true, PID_FMT, pid); ++ if (r < 0) { ++ log_error_errno(r, "Failed to set $LISTEN_PID: %m"); + _exit(EXIT_FAILURE); + } + +-- +2.33.0 + diff --git a/backport-exec-credential-Log-if-we-skip-duplicate-credential.patch b/backport-exec-credential-Log-if-we-skip-duplicate-credential.patch new file mode 100644 index 0000000..04867bc --- /dev/null +++ b/backport-exec-credential-Log-if-we-skip-duplicate-credential.patch 
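Review bot: The new helper's contract is visible only in env-util.c: a NULL `valuef` unsets the variable (`RET_NERRNO(unsetenv(name))`), a formatting failure is reported as -ENOMEM, and `overwrite` is passed straight through to setenv(); the header line `int setenvf(const char *name, bool overwrite, const char *valuef, ...) _printf_(3,4);` carries none of it. A comment above the declaration would do, e.g. `/* printf()-style setenv(); a NULL format unsets the variable. Returns 0 or a negative errno (-ENOMEM if formatting fails). */`. Note that in start_one_worker() the call now happens in the forked child, where vasprintf() adds a heap allocation to the one setenv() already performed; that only matters if the parent can be multi-threaded at fork time, which this hunk does not show.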
@@ -0,0 +1,31 @@ +From 4fad4203fc63dbb300b82588fc98936986534ebb Mon Sep 17 00:00:00 2001 +From: Daan De Meyer +Date: Wed, 31 Jul 2024 15:01:40 +0200 +Subject: [PATCH 0827/1160] exec-credential: Log if we skip duplicate + credential + +(cherry picked from commit 590348e2bf8415053487324d47d0083b49dfdeb0) +(cherry picked from commit ee85ef4ffa9367ff5122b5955039009080659ce0) +--- + src/core/exec-credential.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/src/core/exec-credential.c b/src/core/exec-credential.c +index 6bcfb68d8f..50109179a1 100644 +--- a/src/core/exec-credential.c ++++ b/src/core/exec-credential.c +@@ -692,8 +692,10 @@ static int acquire_credentials( + * EEXIST if the credential already exists. That's because the TPM2-based decryption is kinda + * slow and involved, hence it's nice to be able to skip that if the credential already + * exists anyway. */ +- if (faccessat(dfd, sc->id, F_OK, AT_SYMLINK_NOFOLLOW) >= 0) ++ if (faccessat(dfd, sc->id, F_OK, AT_SYMLINK_NOFOLLOW) >= 0) { ++ log_debug("Skipping credential with duplicated ID %s", sc->id); + continue; ++ } + if (errno != ENOENT) + return log_debug_errno(errno, "Failed to test if credential %s exists: %m", sc->id); + +-- +2.33.0 + diff --git a/backport-exec-invoke-correct-dont_close-size.patch b/backport-exec-invoke-correct-dont_close-size.patch index 5c331d0..18a7053 100644 --- a/backport-exec-invoke-correct-dont_close-size.patch +++ b/backport-exec-invoke-correct-dont_close-size.patch @@ -1,7 +1,7 @@ From 8f4dab049074d31c31af2bb9eb76f9f4f08e3711 Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Tue, 23 Apr 2024 21:49:12 +0200 -Subject: [PATCH] exec-invoke: correct dont_close[] size +Subject: [PATCH 0561/1160] exec-invoke: correct dont_close[] size THis needs 15 entries as far as I can count, not just 14. 
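Review bot: The new `log_debug("Skipping credential with duplicated ID %s", sc->id);` fires right before `continue`, so the definition processed earlier in this loop silently wins over the later one; which source of a credential ends up in the unit is security-relevant and the message should spell the precedence out, e.g. `log_debug("Credential '%s' already exists, skipping later definition (first one wins)", sc->id);`. The loop and acquire_credentials() itself begin outside the hunk, so where duplicates can originate (repeated directives, or different credential sources) is not visible here.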
@@ -10,9 +10,6 @@ Follow-up for: 5686391b006ee82d8a4559067ad9818e3e631247 Sniff. (cherry picked from commit 07296542d636dcac43f6c9ee45a638fca8c5f3dd) - -Conflict:NA -Reference:https://github.com/systemd/systemd-stable/commit/8f4dab049074d31c31af2bb9eb76f9f4f08e3711 --- src/core/exec-invoke.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/backport-exec-invoke-pass-the-right-error-variable.patch b/backport-exec-invoke-pass-the-right-error-variable.patch new file mode 100644 index 0000000..2380bc4 --- /dev/null +++ b/backport-exec-invoke-pass-the-right-error-variable.patch @@ -0,0 +1,26 @@ +From 2f849d36e02babe508b691f732cde65e52ef6cab Mon Sep 17 00:00:00 2001 +From: David Tardon +Date: Tue, 7 May 2024 13:19:42 +0200 +Subject: [PATCH 0595/1160] exec-invoke: pass the right error variable + +(cherry picked from commit 6400084caa758677444354eae552ef5415ba4675) +--- + src/core/exec-invoke.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/core/exec-invoke.c b/src/core/exec-invoke.c +index 8e6de15c71..fe14ceeb31 100644 +--- a/src/core/exec-invoke.c ++++ b/src/core/exec-invoke.c +@@ -2934,7 +2934,7 @@ static int setup_ephemeral(const ExecContext *context, ExecRuntime *runtime) { + */ + r = chattr_fd(fd, FS_NOCOW_FL, FS_NOCOW_FL, NULL); + if (r < 0) +- log_debug_errno(fd, "Failed to disable copy-on-write for %s, ignoring: %m", runtime->ephemeral_copy); ++ log_debug_errno(r, "Failed to disable copy-on-write for %s, ignoring: %m", runtime->ephemeral_copy); + } + + r = send_one_fd(runtime->ephemeral_storage_socket[1], fd, MSG_DONTWAIT); +-- +2.33.0 + diff --git a/backport-execute-Drop-log-level-to-unit-log-level-in-exec_spa.patch b/backport-execute-Drop-log-level-to-unit-log-level-in-exec_spa.patch new file mode 100644 index 0000000..b268a59 --- /dev/null +++ b/backport-execute-Drop-log-level-to-unit-log-level-in-exec_spa.patch 
@@ -0,0 +1,87 @@ +From af9add0e1d701cf188954f16402ef151383a2988 Mon Sep 17 00:00:00 2001 +From: Daan De Meyer +Date: Wed, 31 Jul 2024 13:11:51 +0200 +Subject: [PATCH 0824/1160] execute: Drop log level to unit log level in + exec_spawn() + +All messages logged from exec_spawn() are attributed to the unit +and as such we should set the log level to the unit's max log level +for the duration of the function. + +(cherry picked from commit 7881f485c9f57b1c7de4308eeab54458890c5c19) +(cherry picked from commit 4fd349953ea1d1ed580ecb94e5c0bf98c59d0fac) +--- + src/basic/log.c | 5 ++++- + src/basic/log.h | 11 ++++++++++- + src/core/execute.c | 1 + + 3 files changed, 15 insertions(+), 2 deletions(-) + +diff --git a/src/basic/log.c b/src/basic/log.c +index 7a443005f6..eb2053891d 100644 +--- a/src/basic/log.c ++++ b/src/basic/log.c +@@ -388,9 +388,10 @@ void log_forget_fds(void) { + console_fd_is_tty = -1; + } + +-void log_set_max_level(int level) { ++int log_set_max_level(int level) { + assert(level == LOG_NULL || (level & LOG_PRIMASK) == level); + ++ int old = log_max_level; + log_max_level = level; + + /* Also propagate max log level to libc's syslog(), just in case some other component loaded into our +@@ -403,6 +404,8 @@ void log_set_max_level(int level) { + + /* Ensure that our own LOG_NULL define maps sanely to the log mask */ + assert_cc(LOG_UPTO(LOG_NULL) == 0); ++ ++ return old; + } + + void log_set_facility(int facility) { +diff --git a/src/basic/log.h b/src/basic/log.h +index 12b310575e..76c188dcd3 100644 +--- a/src/basic/log.h ++++ b/src/basic/log.h +@@ -55,7 +55,7 @@ int log_set_target_from_string(const char *e); + LogTarget log_get_target(void) _pure_; + void log_settle_target(void); + +-void log_set_max_level(int level); ++int log_set_max_level(int level); + int log_set_max_level_from_string(const char *e); + int log_get_max_level(void) _pure_; + +@@ -485,6 +485,15 @@ size_t log_context_num_contexts(void); + /* Returns the number of fields in all attached log 
contexts. */ + size_t log_context_num_fields(void); + ++static inline void _reset_log_level(int *saved_log_level) { ++ assert(saved_log_level); ++ ++ log_set_max_level(*saved_log_level); ++} ++ ++#define LOG_CONTEXT_SET_LOG_LEVEL(level) \ ++ _cleanup_(_reset_log_level) _unused_ int _saved_log_level_ = log_set_max_level(level); ++ + #define LOG_CONTEXT_PUSH(...) \ + LOG_CONTEXT_PUSH_STRV(STRV_MAKE(__VA_ARGS__)) + +diff --git a/src/core/execute.c b/src/core/execute.c +index 8dbdfcf369..4d597bf8a6 100644 +--- a/src/core/execute.c ++++ b/src/core/execute.c +@@ -377,6 +377,7 @@ int exec_spawn(Unit *unit, + assert(!params->files_env); /* We fill this field, ensure it comes NULL-initialized to us */ + + LOG_CONTEXT_PUSH_UNIT(unit); ++ LOG_CONTEXT_SET_LOG_LEVEL(context->log_level_max >= 0 ? context->log_level_max : log_get_max_level()); + + r = exec_context_load_environment(unit, context, ¶ms->files_env); + if (r < 0) +-- +2.33.0 + diff --git a/backport-execute-free-syscall_log-hashmap-when-done.patch b/backport-execute-free-syscall_log-hashmap-when-done.patch index 9ae1673..bb20281 100644 --- a/backport-execute-free-syscall_log-hashmap-when-done.patch +++ b/backport-execute-free-syscall_log-hashmap-when-done.patch @@ -1,25 +1,21 @@ -From 742f3232bcddbbb47bfad3ad22e2de15c49f0325 Mon Sep 17 00:00:00 2001 +From a9c650b207369d047ac9c0f21d6d70590173df45 Mon Sep 17 00:00:00 2001 From: David Tardon Date: Thu, 28 Nov 2024 13:33:55 +0100 -Subject: [PATCH] execute: free syscall_log hashmap when done +Subject: [PATCH 1039/1160] execute: free syscall_log hashmap when done Fixes #35394 (cherry picked from commit c3dc460b6c3f062af540e4233c65ac12c01077fa) (cherry picked from commit f15fd96efd5ebdfb18746acb0cbb35a4331b4d8b) -(cherry picked from commit a9c650b207369d047ac9c0f21d6d70590173df45) - -Conflict:context adaptation -Reference:https://github.com/systemd/systemd-stable/commit/742f3232bcddbbb47bfad3ad22e2de15c49f0325 --- src/core/execute.c | 1 + 1 file changed, 1 insertion(+) 
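Review bot: `LOG_CONTEXT_SET_LOG_LEVEL()` changes the process-wide maximum log level (and, per the context line in log_set_max_level(), libc's syslog mask) for the rest of the enclosing scope, and its fixed variable name `_saved_log_level_` makes it single-use per scope; neither is stated in log.h. A comment above the macro would prevent misuse, e.g. `/* Lowers the process-wide max log level until the end of the current scope, then restores the previous one. Use at most once per scope. */`. In exec_spawn() the unit's `log_level_max` is honoured only when `>= 0`, which is fine, but a unit author can thereby hide warnings emitted while spawning their own unit from the manager's journal output; that is consistent with LogLevelMax= semantics and probably intended, but deserves a one-line comment at the call site. exec_spawn() continues outside the hunk.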
diff --git a/src/core/execute.c b/src/core/execute.c -index e6fcb115b7..7b7b97ae9c 100644 +index 4d597bf8a6..aa179fd57e 100644 --- a/src/core/execute.c +++ b/src/core/execute.c -@@ -6225,6 +6225,7 @@ void exec_context_done(ExecContext *c) { +@@ -568,6 +568,7 @@ void exec_context_done(ExecContext *c) { c->syscall_filter = hashmap_free(c->syscall_filter); c->syscall_archs = set_free(c->syscall_archs); diff --git a/backport-execute-handle-gracefully-if-we-cannot-lock-dev-cons.patch b/backport-execute-handle-gracefully-if-we-cannot-lock-dev-cons.patch new file mode 100644 index 0000000..d13d47e --- /dev/null +++ b/backport-execute-handle-gracefully-if-we-cannot-lock-dev-cons.patch 
@@ -0,0 +1,47 @@ +From 718b6cadaf193bdd5d57df12a045f3d0fb16d3de Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Wed, 6 Dec 2023 16:37:18 +0100 +Subject: [PATCH 0056/1160] execute: handle gracefully if we cannot lock + /dev/console when resetting tty due to perms + +This is the common case in --user instances, hence handle this +gracefully. + +This should be safe since user instances won't get access to +/dev/console-related ttys anyway, but only their own ptys. + +(cherry picked from commit f121efd392d1f1ad51bf1e3e6de443858963e5df) +--- + src/core/execute.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/src/core/execute.c b/src/core/execute.c +index 1e48e88ee8..455d7e8013 100644 +--- a/src/core/execute.c ++++ b/src/core/execute.c +@@ -161,9 +161,10 @@ void exec_context_tty_reset(const ExecContext *context, const ExecParameters *p) + * systemd-vconsole-setup.service also takes the lock to avoid being interrupted. We open a new fd + * that will be closed automatically, and operate on it for convenience. */ + lock_fd = lock_dev_console(); +- if (lock_fd < 0) +- return (void) log_debug_errno(lock_fd, +- "Failed to lock /dev/console: %m"); ++ if (ERRNO_IS_NEG_PRIVILEGE(lock_fd)) ++ log_debug_errno(lock_fd, "No privileges to lock /dev/console, proceeding without: %m"); ++ else if (lock_fd < 0) ++ return (void) log_debug_errno(lock_fd, "Failed to lock /dev/console: %m"); + + if (context->tty_vhangup) + (void) terminal_vhangup_fd(fd); +@@ -1453,7 +1454,7 @@ void exec_context_revert_tty(ExecContext *c) { + assert(c); + + /* First, reset the TTY (possibly kicking everybody else from the TTY) */ +- exec_context_tty_reset(c, NULL); ++ exec_context_tty_reset(c, /* parameters= */ NULL); + + /* And then undo what chown_terminal() did earlier. Note that we only do this if we have a path + * configured. If the TTY was passed to us as file descriptor we assume the TTY is opened and managed +-- +2.33.0 + 
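Review bot: After the new `ERRNO_IS_NEG_PRIVILEGE(lock_fd)` branch the function proceeds to `terminal_vhangup_fd(fd)` and the rest of the reset without holding the /dev/console lock, so the race with systemd-vconsole-setup described in the comment above is reopened whenever the lock cannot be taken, and the justification (user instances only see their own ptys) lives only in the commit message. Put it next to the code, e.g. `/* EPERM/EACCES is the normal case for --user instances, which only ever handle their own ptys, so racing vconsole-setup is not a concern there; any other failure is unexpected and we bail. */`. If a system-instance caller could ever hit this branch it would now reset the TTY unlocked instead of skipping; the lock helper and the remainder of exec_context_tty_reset() are outside the hunk, so that cannot be confirmed here.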
diff --git a/backport-execute-improve-log-message-about-TTY-ownership-rese.patch b/backport-execute-improve-log-message-about-TTY-ownership-rese.patch new file mode 100644 index 0000000..ad5adf2 --- /dev/null +++ b/backport-execute-improve-log-message-about-TTY-ownership-rese.patch @@ -0,0 +1,36 @@ +From 5af41ce0bce0915865f8e830bfe7cc50ac2b7e53 Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Wed, 6 Dec 2023 16:38:53 +0100 +Subject: [PATCH 0058/1160] execute: improve log message about TTY ownership + reset failures + +(cherry picked from commit 026a8b022e1f0883b09d99c360a738506814407a) +--- + src/core/execute.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/core/execute.c b/src/core/execute.c +index 455d7e8013..ef0bf88687 100644 +--- a/src/core/execute.c ++++ b/src/core/execute.c +@@ -1466,7 +1466,7 @@ void exec_context_revert_tty(ExecContext *c) { + if (!path) + return; + +- fd = open(path, O_PATH|O_CLOEXEC); ++ fd = open(path, O_PATH|O_CLOEXEC); /* Pin the inode */ + if (fd < 0) + return (void) log_full_errno(errno == ENOENT ? LOG_DEBUG : LOG_WARNING, errno, + "Failed to open TTY inode of '%s' to adjust ownership/access mode, ignoring: %m", +@@ -1485,7 +1485,7 @@ void exec_context_revert_tty(ExecContext *c) { + + r = fchmod_and_chown(fd, TTY_MODE, 0, TTY_GID); + if (r < 0) +- log_warning_errno(r, "Failed to reset TTY ownership/access mode of %s, ignoring: %m", path); ++ log_warning_errno(r, "Failed to reset TTY ownership/access mode of %s to " UID_FMT ":" GID_FMT ", ignoring: %m", path, (uid_t) 0, (gid_t) TTY_GID); + } + + int exec_context_get_clean_directories( +-- +2.33.0 + diff --git a/backport-executor-check-for-all-permission-related-errnos-whe.patch b/backport-executor-check-for-all-permission-related-errnos-whe.patch new file mode 100644 index 0000000..f8e572d --- /dev/null +++ b/backport-executor-check-for-all-permission-related-errnos-whe.patch 
@@ -0,0 +1,34 @@ +From e4817103d0f32a3492608f14da6628d5c9b83197 Mon Sep 17 00:00:00 2001 +From: Luca Boccassi +Date: Mon, 27 May 2024 01:52:11 +0100 +Subject: [PATCH 0686/1160] executor: check for all permission related errnos + when setting up IPC namespace + +Denials from AppArmor are raised as EACCES, so EPERM is not enough. Do +the same check as PrivateNetwork above. + +Fixes https://github.com/systemd/systemd/issues/31037 + +Related to 06384eb3c5044f632f50304a0210a402460f1189 + +(cherry picked from commit cafe40ec8201db31c6d3519474ef40a72541d511) +--- + src/core/exec-invoke.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/core/exec-invoke.c b/src/core/exec-invoke.c +index fe14ceeb31..24524fa0f1 100644 +--- a/src/core/exec-invoke.c ++++ b/src/core/exec-invoke.c +@@ -4639,7 +4639,7 @@ int exec_invoke( + + if (ns_type_supported(NAMESPACE_IPC)) { + r = setup_shareable_ns(runtime->shared->ipcns_storage_socket, CLONE_NEWIPC); +- if (r == -EPERM) ++ if (ERRNO_IS_NEG_PRIVILEGE(r)) + log_exec_warning_errno(context, params, r, + "PrivateIPC=yes is configured, but IPC namespace setup failed, ignoring: %m"); + else if (r < 0) { +-- +2.33.0 + diff --git a/backport-executor-don-t-duplicate-FD-array-to-avoid-double-cl.patch b/backport-executor-don-t-duplicate-FD-array-to-avoid-double-cl.patch new file mode 100644 index 0000000..e6b38f2 --- /dev/null +++ b/backport-executor-don-t-duplicate-FD-array-to-avoid-double-cl.patch 
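Review bot: Widening the condition to `ERRNO_IS_NEG_PRIVILEGE(r)` means an LSM denial (EACCES) of the IPC namespace now degrades `PrivateIPC=yes` to no IPC isolation with only a warning, exactly as EPERM already did; that is a deliberate sandbox downgrade rather than a failure and the code should say so where the decision is made, e.g. `/* Like PrivateNetwork=: if a capability or LSM policy (EPERM/EACCES) forbids the namespace, run without IPC isolation instead of failing the unit. */`. Operators who rely on PrivateIPC= as a hard guarantee have only the warning to notice this, so the text could name the cause explicitly, e.g. `"PrivateIPC=yes is configured, but IPC namespace setup was denied, continuing without IPC isolation: %m"`. exec_invoke() and the PrivateNetwork= handling referred to are outside the hunk.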
@@ -0,0 +1,214 @@ +From 1d6dcec3864c641a5dc0a0c3ceb671cd20dcc402 Mon Sep 17 00:00:00 2001 +From: Luca Boccassi +Date: Mon, 11 Dec 2023 01:03:39 +0000 +Subject: [PATCH 0042/1160] executor: don't duplicate FD array to avoid double + closing + +Just use ExecParam directly, as these are all internal to sd-exec now +anyway. Avoids double close when execution fails after FDs are set up +for inheritance and were already re-arranged. + +Fixes https://github.com/systemd/systemd/issues/30412 + +(cherry picked from commit 1eeaa93de36678001aeff329bc34e2b03d49f1e4) +--- + src/core/exec-invoke.c | 49 +++++++------------------- + test/TEST-07-PID1/test.sh | 2 +- + test/units/testsuite-07.issue-30412.sh | 31 ++++++++++++++++ + 3 files changed, 45 insertions(+), 37 deletions(-) + create mode 100755 test/units/testsuite-07.issue-30412.sh + +diff --git a/src/core/exec-invoke.c b/src/core/exec-invoke.c +index cc87f213de..70d963e269 100644 +--- a/src/core/exec-invoke.c ++++ b/src/core/exec-invoke.c +@@ -1819,7 +1819,6 @@ static int build_environment( + const ExecParameters *p, + const CGroupContext *cgroup_context, + size_t n_fds, +- char **fdnames, + const char *home, + const char *username, + const char *shell, +@@ -1853,7 +1852,7 @@ static int build_environment( + return -ENOMEM; + our_env[n_env++] = x; + +- joined = strv_join(fdnames, ":"); ++ joined = strv_join(p->fd_names, ":"); + if (!joined) + return -ENOMEM; + +@@ -3718,18 +3717,11 @@ static int get_open_file_fd(const ExecContext *c, const ExecParameters *p, const + return TAKE_FD(fd); + } + +-static int collect_open_file_fds( +- const ExecContext *c, +- const ExecParameters *p, +- int **fds, +- char ***fdnames, +- size_t *n_fds) { ++static int collect_open_file_fds(const ExecContext *c, ExecParameters *p, size_t *n_fds) { + int r; + + assert(c); + assert(p); +- assert(fds); +- assert(fdnames); + assert(n_fds); + + LIST_FOREACH(open_files, of, p->open_files) { +@@ -3745,14 +3737,14 @@ static int collect_open_file_fds( + return 
fd; + } + +- if (!GREEDY_REALLOC(*fds, *n_fds + 1)) ++ if (!GREEDY_REALLOC(p->fds, *n_fds + 1)) + return -ENOMEM; + +- r = strv_extend(fdnames, of->fdname); ++ r = strv_extend(&p->fd_names, of->fdname); + if (r < 0) + return r; + +- (*fds)[*n_fds] = TAKE_FD(fd); ++ p->fds[*n_fds] = TAKE_FD(fd); + + (*n_fds)++; + } +@@ -3959,11 +3951,9 @@ int exec_invoke( + int secure_bits; + _cleanup_free_ gid_t *gids_after_pam = NULL; + int ngids_after_pam = 0; +- _cleanup_free_ int *fds = NULL; +- _cleanup_strv_free_ char **fdnames = NULL; + +- int socket_fd = -EBADF, named_iofds[3] = EBADF_TRIPLET, *params_fds = NULL; +- size_t n_storage_fds = 0, n_socket_fds = 0; ++ int socket_fd = -EBADF, named_iofds[3] = EBADF_TRIPLET; ++ size_t n_storage_fds, n_socket_fds; + + assert(command); + assert(context); +@@ -3996,8 +3986,8 @@ int exec_invoke( + return log_exec_error_errno(context, params, SYNTHETIC_ERRNO(EINVAL), "Got no socket."); + + socket_fd = params->fds[0]; ++ n_storage_fds = n_socket_fds = 0; + } else { +- params_fds = params->fds; + n_socket_fds = params->n_socket_fds; + n_storage_fds = params->n_storage_fds; + } +@@ -4039,26 +4029,14 @@ int exec_invoke( + /* In case anything used libc syslog(), close this here, too */ + closelog(); + +- fds = newdup(int, params_fds, n_fds); +- if (!fds) { +- *exit_status = EXIT_MEMORY; +- return log_oom(); +- } +- +- fdnames = strv_copy((char**) params->fd_names); +- if (!fdnames) { +- *exit_status = EXIT_MEMORY; +- return log_oom(); +- } +- +- r = collect_open_file_fds(context, params, &fds, &fdnames, &n_fds); ++ r = collect_open_file_fds(context, params, &n_fds); + if (r < 0) { + *exit_status = EXIT_FDS; + return log_exec_error_errno(context, params, r, "Failed to get OpenFile= file descriptors: %m"); + } + + int keep_fds[n_fds + 3]; +- memcpy_safe(keep_fds, fds, n_fds * sizeof(int)); ++ memcpy_safe(keep_fds, params->fds, n_fds * sizeof(int)); + n_keep_fds = n_fds; + + r = add_shifted_fd(keep_fds, ELEMENTSOF(keep_fds), &n_keep_fds, 
¶ms->exec_fd); +@@ -4456,7 +4434,6 @@ int exec_invoke( + params, + cgroup_context, + n_fds, +- fdnames, + home, + username, + shell, +@@ -4566,7 +4543,7 @@ int exec_invoke( + * wins here. (See above.) */ + + /* All fds passed in the fds array will be closed in the pam child process. */ +- r = setup_pam(context->pam_name, username, uid, gid, context->tty_path, &accum_env, fds, n_fds); ++ r = setup_pam(context->pam_name, username, uid, gid, context->tty_path, &accum_env, params->fds, n_fds); + if (r < 0) { + *exit_status = EXIT_PAM; + return log_exec_error_errno(context, params, r, "Failed to set up PAM session: %m"); +@@ -4798,9 +4775,9 @@ int exec_invoke( + + r = close_all_fds(keep_fds, n_keep_fds); + if (r >= 0) +- r = shift_fds(fds, n_fds); ++ r = shift_fds(params->fds, n_fds); + if (r >= 0) +- r = flag_fds(fds, n_socket_fds, n_fds, context->non_blocking); ++ r = flag_fds(params->fds, n_socket_fds, n_fds, context->non_blocking); + if (r < 0) { + *exit_status = EXIT_FDS; + return log_exec_error_errno(context, params, r, "Failed to adjust passed file descriptors: %m"); +diff --git a/test/TEST-07-PID1/test.sh b/test/TEST-07-PID1/test.sh +index a5982e0183..cc8a81f77d 100755 +--- a/test/TEST-07-PID1/test.sh ++++ b/test/TEST-07-PID1/test.sh +@@ -36,7 +36,7 @@ EOF + "${SYSTEMCTL:?}" enable --root="$workspace" issue2730.mount + ln -svrf "$workspace/etc/systemd/system/issue2730.mount" "$workspace/etc/systemd/system/issue2730-alias.mount" + +- image_install logger ++ image_install logger socat + } + + do_test "$@" +diff --git a/test/units/testsuite-07.issue-30412.sh b/test/units/testsuite-07.issue-30412.sh +new file mode 100755 +index 0000000000..333b95f9bb +--- /dev/null ++++ b/test/units/testsuite-07.issue-30412.sh +@@ -0,0 +1,31 @@ ++#!/usr/bin/env bash ++# SPDX-License-Identifier: LGPL-2.1-or-later ++set -eux ++set -o pipefail ++ ++# Check that socket FDs are not double closed on error: https://github.com/systemd/systemd/issues/30412 ++ ++mkdir -p /run/systemd/system 
++ ++rm -f /tmp/badbin ++touch /tmp/badbin ++chmod 744 /tmp/badbin ++ ++cat >/run/systemd/system/badbin_assert.service </run/systemd/system/badbin_assert.socket < +Date: Mon, 5 Feb 2024 14:22:52 +0000 +Subject: [PATCH 0242/1160] executor: really set POSIX_SPAWN_SETSIGDEF for + posix_spawn + +posix_spawnattr_setflags() doesn't OR the input to the current set of flags, +it overwrites them, so we are currently losing POSIX_SPAWN_SETSIGDEF. + +Follow-up for: 6ecdfe7d1008964eed3f67b489cef8c65a218bf1 + +(cherry picked from commit 9ca13d60dbf5d76f52b21c12dd5c91cd082e291e) +--- + src/basic/process-util.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/src/basic/process-util.c b/src/basic/process-util.c +index 201c5596ae..4492e7ded2 100644 +--- a/src/basic/process-util.c ++++ b/src/basic/process-util.c +@@ -1947,10 +1947,8 @@ int posix_spawn_wrapper(const char *path, char *const *argv, char *const *envp, + r = posix_spawnattr_init(&attr); + if (r != 0) + return -r; /* These functions return a positive errno on failure */ +- r = posix_spawnattr_setflags(&attr, POSIX_SPAWN_SETSIGMASK); +- if (r != 0) +- goto fail; +- r = posix_spawnattr_setflags(&attr, POSIX_SPAWN_SETSIGDEF); /* Set all signals to SIG_DFL */ ++ /* Set all signals to SIG_DFL */ ++ r = posix_spawnattr_setflags(&attr, POSIX_SPAWN_SETSIGMASK|POSIX_SPAWN_SETSIGDEF); + if (r != 0) + goto fail; + r = posix_spawnattr_setsigmask(&attr, &mask); +-- +2.33.0 + diff --git a/backport-fd-util-don-t-eat-up-errors-in-fd_cloexec_many.patch b/backport-fd-util-don-t-eat-up-errors-in-fd_cloexec_many.patch new file mode 100644 index 0000000..55fd5de --- /dev/null +++ b/backport-fd-util-don-t-eat-up-errors-in-fd_cloexec_many.patch 
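Review bot: collect_open_file_fds() now appends OpenFile= descriptors to `p->fds` and `p->fd_names` in place (`GREEDY_REALLOC(p->fds, *n_fds + 1)`, `strv_extend(&p->fd_names, of->fdname)`) but only bumps the caller's local `*n_fds`, so `p->n_socket_fds + p->n_storage_fds` no longer describes the length of `p->fds`; any code that later sizes the array from those counters would miss the appended entries. Either grow `p->n_storage_fds` alongside `(*n_fds)++`, or document the invariant at the function, e.g. `/* Appends to p->fds/p->fd_names in place; only *n_fds reflects the resulting length, p->n_*_fds are left untouched. */`. The heredoc bodies of the new test script appear to have been lost in this copy of the patch, and exec_invoke() extends well beyond the hunk, so the ExecParameters teardown path cannot be checked here.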
@@ -0,0 +1,51 @@
+From 7b2f679d0d554d830dd2ed1c70e958d93280d623 Mon Sep 17 00:00:00 2001
+From: Mike Yuan
+Date: Fri, 29 Dec 2023 17:57:59 +0800
+Subject: [PATCH 0101/1160] fd-util: don't eat up errors in fd_cloexec_many
+
+Follow-up for ed18c22c989495aab36512f03449222cfcf79aa7
+
+Before this commit, a successful fd_cloexec() call would
+discard all previously gathered errors.
+
+(cherry picked from commit 6b9cac874c33f4fa27aa4b4b5b980f60c28ee043)
+---
+ src/basic/fd-util.c | 13 ++++++-------
+ 1 file changed, 6 insertions(+), 7 deletions(-)
+
+diff --git a/src/basic/fd-util.c b/src/basic/fd-util.c
+index 9c52f733c1..fa3fc77093 100644
+--- a/src/basic/fd-util.c
++++ b/src/basic/fd-util.c
+@@ -187,7 +187,7 @@ int fd_cloexec(int fd, bool cloexec) {
+ }
+
+ int fd_cloexec_many(const int fds[], size_t n_fds, bool cloexec) {
+- int ret = 0, r;
++ int r = 0;
+
+ assert(fds || n_fds == 0);
+
+@@ -195,14 +195,13 @@ int fd_cloexec_many(const int fds[], size_t n_fds, bool cloexec) {
+ if (*fd < 0) /* Skip gracefully over already invalidated fds */
+ continue;
+
+- r = fd_cloexec(*fd, cloexec);
+- if (r < 0) /* Continue going, but return first error */
+- RET_GATHER(ret, r);
+- else
+- ret = 1; /* report if we did anything */
++ RET_GATHER(r, fd_cloexec(*fd, cloexec));
++
++ if (r >= 0)
++ r = 1; /* report if we did anything */
+ }
+
+- return ret;
++ return r;
+ }
+
+ static bool fd_in_set(int fd, const int fds[], size_t n_fds) {
+--
+2.33.0
+
diff --git a/backport-fd-util-modernization.patch b/backport-fd-util-modernization.patch
new file mode 100644
index 0000000..7475124
--- /dev/null
+++ b/backport-fd-util-modernization.patch
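Review bot: The return contract of fd_cloexec_many() — the first fd_cloexec() error, otherwise 1 when at least one valid fd was processed and 0 when the array was empty or held only negative entries — is implied by the RET_GATHER line and the `r = 1` assignment but is not written down anywhere; a one-line comment above the loop, `/* Returns the first error seen, otherwise 1 if any fd was touched, 0 if none. */`, would spare callers reading the loop. Once r is negative the `if (r >= 0)` branch never fires again, which is the "keep the first error" behaviour the commit message describes, so the logic itself looks right.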
@@ -0,0 +1,147 @@ +From a524aebe8d78f047b146ff1daa6db1c3726e2d40 Mon Sep 17 00:00:00 2001 +From: Mike Yuan +Date: Thu, 28 Dec 2023 18:17:52 +0800 +Subject: [PATCH 0100/1160] fd-util: modernization + +(cherry picked from commit 1276e633708c2d8b41a3d4c0a981a830ee537465) +--- + src/basic/fd-util.c | 52 ++++++++++++++++++++++----------------------- + src/basic/fd-util.h | 4 ++-- + 2 files changed, 28 insertions(+), 28 deletions(-) + +diff --git a/src/basic/fd-util.c b/src/basic/fd-util.c +index 0690bcd830..9c52f733c1 100644 +--- a/src/basic/fd-util.c ++++ b/src/basic/fd-util.c +@@ -92,22 +92,22 @@ void safe_close_pair(int p[static 2]) { + p[1] = safe_close(p[1]); + } + +-void close_many(const int fds[], size_t n_fd) { +- assert(fds || n_fd <= 0); ++void close_many(const int fds[], size_t n_fds) { ++ assert(fds || n_fds == 0); + +- for (size_t i = 0; i < n_fd; i++) +- safe_close(fds[i]); ++ FOREACH_ARRAY(fd, fds, n_fds) ++ safe_close(*fd); + } + +-void close_many_unset(int fds[], size_t n_fd) { +- assert(fds || n_fd <= 0); ++void close_many_unset(int fds[], size_t n_fds) { ++ assert(fds || n_fds == 0); + +- for (size_t i = 0; i < n_fd; i++) +- fds[i] = safe_close(fds[i]); ++ FOREACH_ARRAY(fd, fds, n_fds) ++ *fd = safe_close(*fd); + } + + void close_many_and_free(int *fds, size_t n_fds) { +- assert(fds || n_fds <= 0); ++ assert(fds || n_fds == 0); + + close_many(fds, n_fds); + free(fds); +@@ -189,15 +189,15 @@ int fd_cloexec(int fd, bool cloexec) { + int fd_cloexec_many(const int fds[], size_t n_fds, bool cloexec) { + int ret = 0, r; + +- assert(n_fds == 0 || fds); ++ assert(fds || n_fds == 0); + +- for (size_t i = 0; i < n_fds; i++) { +- if (fds[i] < 0) /* Skip gracefully over already invalidated fds */ ++ FOREACH_ARRAY(fd, fds, n_fds) { ++ if (*fd < 0) /* Skip gracefully over already invalidated fds */ + continue; + +- r = fd_cloexec(fds[i], cloexec); +- if (r < 0 && ret >= 0) /* Continue going, but return first error */ +- ret = r; ++ r = fd_cloexec(*fd, cloexec); ++ 
if (r < 0) /* Continue going, but return first error */ ++ RET_GATHER(ret, r); + else + ret = 1; /* report if we did anything */ + } +@@ -205,14 +205,15 @@ int fd_cloexec_many(const int fds[], size_t n_fds, bool cloexec) { + return ret; + } + +-static bool fd_in_set(int fd, const int fdset[], size_t n_fdset) { +- assert(n_fdset == 0 || fdset); ++static bool fd_in_set(int fd, const int fds[], size_t n_fds) { ++ assert(fd >= 0); ++ assert(fds || n_fds == 0); + +- for (size_t i = 0; i < n_fdset; i++) { +- if (fdset[i] < 0) ++ FOREACH_ARRAY(i, fds, n_fds) { ++ if (*i < 0) + continue; + +- if (fdset[i] == fd) ++ if (*i == fd) + return true; + } + +@@ -243,7 +244,7 @@ int get_max_fd(void) { + static int close_all_fds_frugal(const int except[], size_t n_except) { + int max_fd, r = 0; + +- assert(n_except == 0 || except); ++ assert(except || n_except == 0); + + /* This is the inner fallback core of close_all_fds(). This never calls malloc() or opendir() or so + * and hence is safe to be called in signal handler context. Most users should call close_all_fds(), +@@ -258,8 +259,7 @@ static int close_all_fds_frugal(const int except[], size_t n_except) { + * spin the CPU for a long time. */ + if (max_fd > MAX_FD_LOOP_LIMIT) + return log_debug_errno(SYNTHETIC_ERRNO(EPERM), +- "Refusing to loop over %d potential fds.", +- max_fd); ++ "Refusing to loop over %d potential fds.", max_fd); + + for (int fd = 3; fd >= 0; fd = fd < max_fd ? fd + 1 : -EBADF) { + int q; +@@ -268,8 +268,8 @@ static int close_all_fds_frugal(const int except[], size_t n_except) { + continue; + + q = close_nointr(fd); +- if (q < 0 && q != -EBADF && r >= 0) +- r = q; ++ if (q != -EBADF) ++ RET_GATHER(r, q); + } + + return r; +@@ -598,7 +598,7 @@ int move_fd(int from, int to, int cloexec) { + if (fl < 0) + return -errno; + +- cloexec = !!(fl & FD_CLOEXEC); ++ cloexec = FLAGS_SET(fl, FD_CLOEXEC); + } + + r = dup3(from, to, cloexec ? 
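Review bot: The new `assert(fd >= 0)` in fd_in_set() turns a lookup that previously just returned false for a negative fd into an abort; the only caller visible here, close_all_fds_frugal(), passes fd >= 3 so it is safe at that site, but any other caller of fd_in_set() outside these hunks that forwards a possibly-invalid descriptor would now crash instead. If those callers cannot be checked, the lenient form `if (fd < 0) return false;` keeps the old behaviour while the FOREACH_ARRAY rewrite stands. fd_in_set() is a static helper, so the set of callers is confined to fd-util.c.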
O_CLOEXEC : 0); +diff --git a/src/basic/fd-util.h b/src/basic/fd-util.h +index 5061e32196..d3e91921f3 100644 +--- a/src/basic/fd-util.h ++++ b/src/basic/fd-util.h +@@ -32,8 +32,8 @@ static inline int safe_close_above_stdio(int fd) { + return safe_close(fd); + } + +-void close_many(const int fds[], size_t n_fd); +-void close_many_unset(int fds[], size_t n_fd); ++void close_many(const int fds[], size_t n_fds); ++void close_many_unset(int fds[], size_t n_fds); + void close_many_and_free(int *fds, size_t n_fds); + + int fclose_nointr(FILE *f); +-- +2.33.0 + diff --git a/backport-fdset-set-all-collected-fds-to-CLOEXEC-in-fdset_new_.patch b/backport-fdset-set-all-collected-fds-to-CLOEXEC-in-fdset_new_.patch new file mode 100644 index 0000000..538e67f --- /dev/null +++ b/backport-fdset-set-all-collected-fds-to-CLOEXEC-in-fdset_new_.patch 
@@ -0,0 +1,112 @@ +From fc38c9b25e2110883bb7a24ef077bb1d82a5ec53 Mon Sep 17 00:00:00 2001 +From: Mike Yuan +Date: Fri, 1 Dec 2023 00:00:27 +0800 +Subject: [PATCH 0013/1160] fdset: set all collected fds to CLOEXEC in + fdset_new_fill() + +(cherry picked from commit a2467ea894b37b0861b92e35edd93788f8e2a342) +--- + src/core/main.c | 2 -- + src/notify/notify.c | 4 ---- + src/shared/fdset.c | 12 +++++++++++- + src/test/test-fdset.c | 5 ++++- + 4 files changed, 15 insertions(+), 8 deletions(-) + +diff --git a/src/core/main.c b/src/core/main.c +index 2ac59dabf5..3f71cc0947 100644 +--- a/src/core/main.c ++++ b/src/core/main.c +@@ -2739,8 +2739,6 @@ static int collect_fds(FDSet **ret_fds, const char **ret_error_message) { + "MESSAGE_ID=" SD_MESSAGE_CORE_FD_SET_FAILED_STR); + } + +- (void) fdset_cloexec(*ret_fds, true); +- + /* The serialization fd should have O_CLOEXEC turned on already, let's verify that we didn't pick it up here */ + assert_se(!arg_serialization || !fdset_contains(*ret_fds, fileno(arg_serialization))); + +diff --git a/src/notify/notify.c b/src/notify/notify.c +index 675fbda752..f63ec8b355 100644 +--- a/src/notify/notify.c ++++ b/src/notify/notify.c +@@ -225,10 +225,6 @@ static int parse_argv(int argc, char *argv[]) { + r = fdset_new_fill(/* filter_cloexec= */ 0, &passed); + if (r < 0) + return log_error_errno(r, "Failed to take possession of passed file descriptors: %m"); +- +- r = fdset_cloexec(passed, true); +- if (r < 0) +- return log_error_errno(r, "Failed to enable O_CLOEXEC for passed file descriptors: %m"); + } + + if (fdnr < 3) { +diff --git a/src/shared/fdset.c b/src/shared/fdset.c +index b62f15c649..e5b8e92e80 100644 +--- a/src/shared/fdset.c ++++ b/src/shared/fdset.c +@@ -150,13 +150,15 @@ int fdset_remove(FDSet *s, int fd) { + int fdset_new_fill( + int filter_cloexec, /* if < 0 takes all fds, otherwise only those with O_CLOEXEC set (1) or unset (0) */ + FDSet **ret) { ++ + _cleanup_(fdset_shallow_freep) FDSet *s = NULL; + _cleanup_closedir_ 
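Review bot: The removed `(void) fdset_cloexec(*ret_fds, true)` deliberately ignored failures, whereas the replacement inside fdset_new_fill() returns the fd_cloexec() error and aborts the whole collection, so for PID 1 picking up its serialized fds this turns a formerly best-effort step into a hard failure of collect_fds(). If that is intended it deserves a note next to the remaining assert_se(), e.g. `/* fdset_new_fill() set O_CLOEXEC on everything it collected, or failed before we got here. */`. The error path of collect_fds() lies outside this hunk, so I cannot confirm how a failure is reported to the caller.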
DIR *d = NULL; + int r; + + assert(ret); + +- /* Creates an fdset and fills in all currently open file descriptors. */ ++ /* Creates an fdset and fills in all currently open file descriptors. Also set all collected fds ++ * to CLOEXEC. */ + + d = opendir("/proc/self/fd"); + if (!d) { +@@ -191,6 +193,7 @@ int fdset_new_fill( + /* If user asked for that filter by O_CLOEXEC. This is useful so that fds that have + * been passed in can be collected and fds which have been created locally can be + * ignored, under the assumption that only the latter have O_CLOEXEC set. */ ++ + fl = fcntl(fd, F_GETFD); + if (fl < 0) + return -errno; +@@ -199,6 +202,13 @@ int fdset_new_fill( + continue; + } + ++ /* We need to set CLOEXEC manually only if we're collecting non-CLOEXEC fds. */ ++ if (filter_cloexec <= 0) { ++ r = fd_cloexec(fd, true); ++ if (r < 0) ++ return r; ++ } ++ + r = fdset_put(s, fd); + if (r < 0) + return r; +diff --git a/src/test/test-fdset.c b/src/test/test-fdset.c +index 8947a319b6..8f00e598fd 100644 +--- a/src/test/test-fdset.c ++++ b/src/test/test-fdset.c +@@ -11,8 +11,8 @@ + #include "tmpfile-util.h" + + TEST(fdset_new_fill) { +- int fd = -EBADF; + _cleanup_fdset_free_ FDSet *fdset = NULL; ++ int fd = -EBADF, flags; + + log_close(); + log_set_open_when_needed(true); +@@ -50,6 +50,9 @@ TEST(fdset_new_fill) { + + assert_se(fdset_new_fill(/* filter_cloexec= */ 0, &fdset) >= 0); + assert_se(fdset_contains(fdset, fd)); ++ flags = fcntl(fd, F_GETFD); ++ assert_se(flags >= 0); ++ assert_se(FLAGS_SET(flags, FD_CLOEXEC)); + fdset = fdset_free(fdset); + assert_se(fcntl(fd, F_GETFD) < 0); + assert_se(errno == EBADF); +-- +2.33.0 + diff --git a/backport-find-esp-add-debugging-log-about-failure-in-parsing-.patch b/backport-find-esp-add-debugging-log-about-failure-in-parsing-.patch new file mode 100644 index 0000000..c36c9c3 --- /dev/null +++ b/backport-find-esp-add-debugging-log-about-failure-in-parsing-.patch 
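Review bot: fd_cloexec() runs before fdset_put(), so when fdset_put() fails the function returns an error after having already changed the flags of a descriptor it does not own, and the fdset_shallow_freep cleanup does not undo that; calling fdset_put() first and then fd_cloexec(), or stating the side effect in the function comment (`/* On failure some collected fds may already have O_CLOEXEC set. */`), would make the contract explicit. The skip for filter_cloexec > 0 is sound because those fds already passed the F_GETFD check above with FD_CLOEXEC set.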
@@ -0,0 +1,40 @@
+From 69267129385d79393fb0f552eb89ee9de91891c9 Mon Sep 17 00:00:00 2001
+From: Yu Watanabe
+Date: Tue, 19 Dec 2023 12:06:00 +0900
+Subject: [PATCH 0185/1160] find-esp: add debugging log about failure in
+ parsing env variable
+
+Addresses https://github.com/systemd/systemd/pull/30321#discussion_r1429716344.
+
+(cherry picked from commit 422d8905c0c01170ab5c196f0c4db1d554c83f64)
+---
+ src/shared/find-esp.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/src/shared/find-esp.c b/src/shared/find-esp.c
+index bbfd3b175f..db87084a4d 100644
+--- a/src/shared/find-esp.c
++++ b/src/shared/find-esp.c
+@@ -33,6 +33,7 @@ typedef enum VerifyESPFlags {
+
+ static VerifyESPFlags verify_esp_flags_init(int unprivileged_mode, const char *env_name_for_relaxing) {
+ VerifyESPFlags flags = 0;
++ int r;
+
+ assert(env_name_for_relaxing);
+
+@@ -41,7 +42,10 @@ static VerifyESPFlags verify_esp_flags_init(int unprivileged_mode, const char *e
+ if (unprivileged_mode)
+ flags |= VERIFY_ESP_UNPRIVILEGED_MODE;
+
+- if (getenv_bool(env_name_for_relaxing) > 0)
++ r = getenv_bool(env_name_for_relaxing);
++ if (r < 0 && r != -ENXIO)
++ log_debug_errno(r, "Failed to parse $%s environment variable, assuming false.", env_name_for_relaxing);
++ else if (r > 0)
+ flags |= VERIFY_ESP_SKIP_FSTYPE_CHECK | VERIFY_ESP_SKIP_DEVICE_CHECK;
+
+ if (detect_container() > 0)
+--
+2.33.0
+
diff --git a/backport-find-esp-do-not-fail-when-boot-on-btrfs-RAID-on-sear.patch b/backport-find-esp-do-not-fail-when-boot-on-btrfs-RAID-on-sear.patch
new file mode 100644
index 0000000..f40e849
--- /dev/null
+++ b/backport-find-esp-do-not-fail-when-boot-on-btrfs-RAID-on-sear.patch
@@ -0,0 +1,62 @@ +From 7500ac4b82f4c6f30938f2c4e4da6c807fcf50e5 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Tue, 5 Dec 2023 14:57:13 +0900 +Subject: [PATCH 0177/1160] find-esp: do not fail when /boot on btrfs RAID on + searching ESP or xbootldr + +When /boot or friends is on btrfs RAID, btrfs_get_block_device_at() will +succeed with 0 and provide zero devnum. Then, +- if we are previleged, devname_from_devnum() maps the devnum to + /run/systemd/inaccessible/blk, and the subsequent verification by blkid + will fail, +- if we are unprevileged, sd_device_new_from_devnum() will fail. + +This makes +- when find_esp() or find_xbootldr() is called without any paths, that + is, called with the searching mode, then returns -ENOKEY, which should + be handled gracefully by the caller, +- when they are called with an input path, then they provide the proper + error message and suggestion. + +Fixes RHBZ#2251262 (https://bugzilla.redhat.com/show_bug.cgi?id=2251262). + +(cherry picked from commit 5c831ddec801d653014b4eea820a1d6afbb91a63) +--- + src/shared/find-esp.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +diff --git a/src/shared/find-esp.c b/src/shared/find-esp.c +index 9b8c7f73bc..ce1069e943 100644 +--- a/src/shared/find-esp.c ++++ b/src/shared/find-esp.c +@@ -396,6 +396,11 @@ static int verify_esp( + if (relax_checks) + goto finish; + ++ if (devnum_is_zero(devid)) ++ return log_full_errno(searching ? LOG_DEBUG : LOG_ERR, ++ SYNTHETIC_ERRNO(searching ? EADDRNOTAVAIL : ENODEV), ++ "Could not determine backing block device of directory \"%s\" (btrfs RAID?).", p); ++ + /* If we are unprivileged we ask udev for the metadata about the partition. If we are privileged we + * use blkid instead. Why? Because this code is called from 'bootctl' which is pretty much an + * emergency recovery tool that should also work when udev isn't up (i.e. 
from the emergency shell), +@@ -767,6 +772,15 @@ static int verify_xbootldr( + if (relax_checks) + goto finish; + ++ if (devnum_is_zero(devid)) ++ return log_full_errno(searching ? LOG_DEBUG : LOG_ERR, ++ SYNTHETIC_ERRNO(searching ? EADDRNOTAVAIL : ENODEV), ++ "Could not determine backing block device of directory \"%s\" (btrfs RAID?).%s", ++ p, ++ searching ? "" : ++ "\nHint: set $SYSTEMD_RELAX_XBOOTLDR_CHECKS=yes environment variable " ++ "to bypass this and further verifications for the directory."); ++ + if (unprivileged_mode) + r = verify_xbootldr_udev(devid, flags, ret_uuid); + else +-- +2.33.0 + diff --git a/backport-find-esp-do-not-skip-fstype-check-even-when-root-or-.patch b/backport-find-esp-do-not-skip-fstype-check-even-when-root-or-.patch new file mode 100644 index 0000000..ce0f611 --- /dev/null +++ b/backport-find-esp-do-not-skip-fstype-check-even-when-root-or-.patch 
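Review bot: The verify_esp() message for a zero devnum omits the hint that the verify_xbootldr() variant appends, even though the same kind of escape hatch exists for the ESP via $SYSTEMD_RELAX_ESP_CHECKS; appending `searching ? "" : "\nHint: set $SYSTEMD_RELAX_ESP_CHECKS=yes environment variable to bypass this and further verifications for the directory."` to the ESP branch gives bootctl users on btrfs RAID the same guidance for the ESP as for XBOOTLDR. Both verify functions continue outside these hunks.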
@@ -0,0 +1,34 @@
+From eb5e7ce7fd5d1f629477da2d35738feabe6247a6 Mon Sep 17 00:00:00 2001
+From: Yu Watanabe
+Date: Fri, 8 Dec 2023 12:48:44 +0900
+Subject: [PATCH 0179/1160] find-esp: do not skip fstype check even when
+ --root= or --image= is specified
+
+The check was introduced by 63105f33edad423691e2d53bf7071f99c83799ba,
+but there is no reason to skip the check even in such cases.
+
+(cherry picked from commit 997ba18af1bcc9982e2ffc622f993727a48960c5)
+---
+ src/shared/find-esp.c | 6 ------
+ 1 file changed, 6 deletions(-)
+
+diff --git a/src/shared/find-esp.c b/src/shared/find-esp.c
+index 7fcdd32df5..bbfd3b175f 100644
+--- a/src/shared/find-esp.c
++++ b/src/shared/find-esp.c
+@@ -473,12 +473,6 @@ int find_esp_and_warn_at(
+
+ flags = verify_esp_flags_init(unprivileged_mode, "SYSTEMD_RELAX_ESP_CHECKS");
+
+- r = dir_fd_is_root_or_cwd(rfd);
+- if (r < 0)
+- return log_error_errno(r, "Failed to check if directory file descriptor is root: %m");
+- if (r == 0)
+- flags |= VERIFY_ESP_SKIP_FSTYPE_CHECK | VERIFY_ESP_SKIP_DEVICE_CHECK;
+-
+ if (path)
+ return verify_esp(rfd, path, ret_path, ret_part, ret_pstart, ret_psize, ret_uuid, ret_devid, flags);
+
+--
+2.33.0
+
diff --git a/backport-find-esp-introduce-verify_esp_flags_init-helper-func.patch b/backport-find-esp-introduce-verify_esp_flags_init-helper-func.patch
new file mode 100644
index 0000000..e39ac32
--- /dev/null
+++ b/backport-find-esp-introduce-verify_esp_flags_init-helper-func.patch
@@ -0,0 +1,170 @@ +From 499f8a70ee4099e8a9bfdb806764673dd4370fce Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Fri, 8 Dec 2023 11:55:17 +0900 +Subject: [PATCH 0178/1160] find-esp: introduce verify_esp_flags_init() helper + function + +And split VERIFY_ESP_RELAX_CHECKS into two. + +No functional change, just refactoring. + +(cherry picked from commit 9bbd3c699c3789b1c6e1a0626bb1aa42740cd28b) +--- + src/shared/find-esp.c | 64 ++++++++++++++++++++++--------------------- + 1 file changed, 33 insertions(+), 31 deletions(-) + +diff --git a/src/shared/find-esp.c b/src/shared/find-esp.c +index ce1069e943..7fcdd32df5 100644 +--- a/src/shared/find-esp.c ++++ b/src/shared/find-esp.c +@@ -27,9 +27,29 @@ + typedef enum VerifyESPFlags { + VERIFY_ESP_SEARCHING = 1 << 0, /* Downgrade various "not found" logs to debug level */ + VERIFY_ESP_UNPRIVILEGED_MODE = 1 << 1, /* Call into udev rather than blkid */ +- VERIFY_ESP_RELAX_CHECKS = 1 << 2, /* Do not validate ESP partition */ ++ VERIFY_ESP_SKIP_FSTYPE_CHECK = 1 << 2, /* Skip filesystem check */ ++ VERIFY_ESP_SKIP_DEVICE_CHECK = 1 << 3, /* Skip device node check */ + } VerifyESPFlags; + ++static VerifyESPFlags verify_esp_flags_init(int unprivileged_mode, const char *env_name_for_relaxing) { ++ VerifyESPFlags flags = 0; ++ ++ assert(env_name_for_relaxing); ++ ++ if (unprivileged_mode < 0) ++ unprivileged_mode = geteuid() != 0; ++ if (unprivileged_mode) ++ flags |= VERIFY_ESP_UNPRIVILEGED_MODE; ++ ++ if (getenv_bool(env_name_for_relaxing) > 0) ++ flags |= VERIFY_ESP_SKIP_FSTYPE_CHECK | VERIFY_ESP_SKIP_DEVICE_CHECK; ++ ++ if (detect_container() > 0) ++ flags |= VERIFY_ESP_SKIP_DEVICE_CHECK; ++ ++ return flags; ++} ++ + static int verify_esp_blkid( + dev_t devid, + VerifyESPFlags flags, +@@ -326,8 +346,8 @@ static int verify_esp( + dev_t *ret_devid, + VerifyESPFlags flags) { + +- bool relax_checks, searching = FLAGS_SET(flags, VERIFY_ESP_SEARCHING), +- unprivileged_mode = FLAGS_SET(flags, VERIFY_ESP_UNPRIVILEGED_MODE); ++ bool 
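Review bot: verify_esp_flags_init() takes `int unprivileged_mode` as a tristate (a negative value means autodetect from geteuid(), per the `< 0` check) and an environment variable name that silently disables two verification steps, but nothing at the definition says so; a header comment such as `/* unprivileged_mode < 0: autodetect via geteuid(). env_name_for_relaxing: the $SYSTEMD_RELAX_*_CHECKS variable whose true value skips both the fstype and the device check. */` would document it. A negative detect_container() result is treated as "not a container", so the device check stays enabled on error, which is the conservative default and worth a word in the same comment.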
searching = FLAGS_SET(flags, VERIFY_ESP_SEARCHING), ++ unprivileged_mode = FLAGS_SET(flags, VERIFY_ESP_UNPRIVILEGED_MODE); + _cleanup_free_ char *p = NULL; + _cleanup_close_ int pfd = -EBADF; + dev_t devid = 0; +@@ -343,10 +363,6 @@ static int verify_esp( + * -EACESS → if 'unprivileged_mode' is set, and we have trouble accessing the thing + */ + +- relax_checks = +- getenv_bool("SYSTEMD_RELAX_ESP_CHECKS") > 0 || +- FLAGS_SET(flags, VERIFY_ESP_RELAX_CHECKS); +- + /* Non-root user can only check the status, so if an error occurred in the following, it does not cause any + * issues. Let's also, silence the error messages. */ + +@@ -356,7 +372,7 @@ static int verify_esp( + (unprivileged_mode && ERRNO_IS_PRIVILEGE(r)) ? LOG_DEBUG : LOG_ERR, + r, "Failed to open parent directory of \"%s\": %m", path); + +- if (!relax_checks) { ++ if (!FLAGS_SET(flags, VERIFY_ESP_SKIP_FSTYPE_CHECK)) { + _cleanup_free_ char *f = NULL; + struct statfs sfs; + +@@ -383,17 +399,13 @@ static int verify_esp( + "File system \"%s\" is not a FAT EFI System Partition (ESP) file system.", p); + } + +- relax_checks = +- relax_checks || +- detect_container() > 0; +- +- r = verify_fsroot_dir(pfd, p, flags, relax_checks ? NULL : &devid); ++ r = verify_fsroot_dir(pfd, p, flags, FLAGS_SET(flags, VERIFY_ESP_SKIP_DEVICE_CHECK) ? NULL : &devid); + if (r < 0) + return r; + + /* In a container we don't have access to block devices, skip this part of the verification, we trust + * the container manager set everything up correctly on its own. */ +- if (relax_checks) ++ if (FLAGS_SET(flags, VERIFY_ESP_SKIP_DEVICE_CHECK)) + goto finish; + + if (devnum_is_zero(devid)) +@@ -459,15 +471,13 @@ int find_esp_and_warn_at( + + assert(rfd >= 0 || rfd == AT_FDCWD); + +- if (unprivileged_mode < 0) +- unprivileged_mode = geteuid() != 0; +- flags = unprivileged_mode > 0 ? 
VERIFY_ESP_UNPRIVILEGED_MODE : 0; ++ flags = verify_esp_flags_init(unprivileged_mode, "SYSTEMD_RELAX_ESP_CHECKS"); + + r = dir_fd_is_root_or_cwd(rfd); + if (r < 0) + return log_error_errno(r, "Failed to check if directory file descriptor is root: %m"); + if (r == 0) +- flags |= VERIFY_ESP_RELAX_CHECKS; ++ flags |= VERIFY_ESP_SKIP_FSTYPE_CHECK | VERIFY_ESP_SKIP_DEVICE_CHECK; + + if (path) + return verify_esp(rfd, path, ret_path, ret_part, ret_pstart, ret_psize, ret_uuid, ret_devid, flags); +@@ -747,8 +757,7 @@ static int verify_xbootldr( + _cleanup_free_ char *p = NULL; + _cleanup_close_ int pfd = -EBADF; + bool searching = FLAGS_SET(flags, VERIFY_ESP_SEARCHING), +- unprivileged_mode = FLAGS_SET(flags, VERIFY_ESP_UNPRIVILEGED_MODE), +- relax_checks; ++ unprivileged_mode = FLAGS_SET(flags, VERIFY_ESP_UNPRIVILEGED_MODE); + dev_t devid = 0; + int r; + +@@ -761,15 +770,11 @@ static int verify_xbootldr( + (unprivileged_mode && ERRNO_IS_PRIVILEGE(r)) ? LOG_DEBUG : LOG_ERR, + r, "Failed to open parent directory of \"%s\": %m", path); + +- relax_checks = +- getenv_bool("SYSTEMD_RELAX_XBOOTLDR_CHECKS") > 0 || +- detect_container() > 0; +- +- r = verify_fsroot_dir(pfd, p, flags, relax_checks ? NULL : &devid); ++ r = verify_fsroot_dir(pfd, p, flags, FLAGS_SET(flags, VERIFY_ESP_SKIP_DEVICE_CHECK) ? NULL : &devid); + if (r < 0) + return r; + +- if (relax_checks) ++ if (FLAGS_SET(flags, VERIFY_ESP_SKIP_DEVICE_CHECK)) + goto finish; + + if (devnum_is_zero(devid)) +@@ -814,17 +819,14 @@ int find_xbootldr_and_warn_at( + sd_id128_t *ret_uuid, + dev_t *ret_devid) { + +- VerifyESPFlags flags = 0; ++ VerifyESPFlags flags; + int r; + + /* Similar to find_esp_and_warn(), but finds the XBOOTLDR partition. Returns the same errors. 
*/ + + assert(rfd >= 0 || rfd == AT_FDCWD); + +- if (unprivileged_mode < 0) +- unprivileged_mode = geteuid() != 0; +- if (unprivileged_mode) +- flags |= VERIFY_ESP_UNPRIVILEGED_MODE; ++ flags = verify_esp_flags_init(unprivileged_mode, "SYSTEMD_RELAX_XBOOTLDR_CHECKS"); + + if (path) + return verify_xbootldr(rfd, path, flags, ret_path, ret_uuid, ret_devid); +-- +2.33.0 + diff --git a/backport-firstboot-create-locked-and-empty-root-passwords-con.patch b/backport-firstboot-create-locked-and-empty-root-passwords-con.patch new file mode 100644 index 0000000..2595e0b --- /dev/null +++ b/backport-firstboot-create-locked-and-empty-root-passwords-con.patch 
@@ -0,0 +1,63 @@ +From a35826ca81f8071c746900a40a41e0d80b0c44e7 Mon Sep 17 00:00:00 2001 +From: Dan Nicholson +Date: Tue, 30 Jul 2024 11:11:11 -0600 +Subject: [PATCH 0821/1160] firstboot: create locked and empty root passwords + consistently + +Although locked and empty passwords in /etc/passwd are treated the same, in all +other cases the entry is configured to read the password from /etc/shadow. + +(cherry picked from commit 5088de9daa156a095e79684c658f9035db971538) +(cherry picked from commit 21d270d38f821915949e3c13950637994c33d34f) +--- + src/firstboot/firstboot.c | 11 +++++++---- + test/units/testsuite-74.firstboot.sh | 4 ++-- + 2 files changed, 9 insertions(+), 6 deletions(-) + +diff --git a/src/firstboot/firstboot.c b/src/firstboot/firstboot.c +index d4029272de..c8a2d1ff8e 100644 +--- a/src/firstboot/firstboot.c ++++ b/src/firstboot/firstboot.c +@@ -1137,10 +1137,13 @@ static int process_root_account(int rfd) { + password = PASSWORD_SEE_SHADOW; + hashed_password = _hashed_password; + +- } else if (arg_delete_root_password) +- password = hashed_password = PASSWORD_NONE; +- else +- password = hashed_password = PASSWORD_LOCKED_AND_INVALID; ++ } else if (arg_delete_root_password) { ++ password = PASSWORD_SEE_SHADOW; ++ hashed_password = PASSWORD_NONE; ++ } else { ++ password = PASSWORD_SEE_SHADOW; ++ hashed_password = PASSWORD_LOCKED_AND_INVALID; ++ } + + r = write_root_passwd(rfd, pfd, password, arg_root_shell); + if (r < 0) +diff --git a/test/units/testsuite-74.firstboot.sh b/test/units/testsuite-74.firstboot.sh +index d00ff6cb9d..99629007de 100755 +--- a/test/units/testsuite-74.firstboot.sh ++++ b/test/units/testsuite-74.firstboot.sh +@@ -189,7 +189,7 @@ echo -ne "\nfoobar\n" | systemd-firstboot --root="$ROOT" --prompt-hostname + grep -q "foobar" "$ROOT/etc/hostname" + # With no root password provided, a locked account should be created. 
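Review bot: The `arg_delete_root_password` branch still writes PASSWORD_NONE as the shadow hash, i.e. an empty field that lets root log in with no password at all, and nothing at this site marks that as the deliberate meaning of --delete-root-password rather than a near-miss of the locked default right below it; a comment like `/* --delete-root-password: an empty hash in shadow means root logs in without any password. */` would keep the next reader from "fixing" it to the locked form. The change itself only makes /etc/passwd carry the `x` marker consistently, which is fine. process_root_account() continues outside the hunk.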
+ systemd-firstboot --root="$ROOT" --prompt-root-password +Date: Tue, 30 Jul 2024 07:37:40 -0600 +Subject: [PATCH 0823/1160] firstboot: fix root params with creds and prompting + disabled + +Remove an early return that prevents --prompt-root-password or +--prompt-root-shell and systemd.firstboot=off using credentials. In that case, +arg_prompt_root_password and arg_prompt_root_shell will be false, but the +prompt helpers still need to be called to read the credentials. Furthermore, if +only the root shell has been set, don't overwrite the root password. + +(cherry picked from commit 35bc4c34240afdd55e117b909f26fa9a5dc54f3b) +(cherry picked from commit b5448c16f8f7a67da5266bec7d5c6677cc34ab24) +--- + src/firstboot/firstboot.c | 35 ++++++++++++++-------------- + test/units/testsuite-74.firstboot.sh | 10 ++++++-- + 2 files changed, 26 insertions(+), 19 deletions(-) + +diff --git a/src/firstboot/firstboot.c b/src/firstboot/firstboot.c +index baa58489f7..a70738aa11 100644 +--- a/src/firstboot/firstboot.c ++++ b/src/firstboot/firstboot.c +@@ -902,8 +902,6 @@ static int write_root_passwd(int rfd, int etc_fd, const char *password, const ch + int r; + bool found = false; + +- assert(password); +- + r = fopen_temporary_at_label(etc_fd, "passwd", "passwd", &passwd, &passwd_tmp); + if (r < 0) + return r; +@@ -922,7 +920,8 @@ static int write_root_passwd(int rfd, int etc_fd, const char *password, const ch + while ((r = fgetpwent_sane(original, &i)) > 0) { + + if (streq(i->pw_name, "root")) { +- i->pw_passwd = (char *) password; ++ if (password) ++ i->pw_passwd = (char *) password; + if (shell) + i->pw_shell = (char *) shell; + found = true; +@@ -944,7 +943,7 @@ static int write_root_passwd(int rfd, int etc_fd, const char *password, const ch + if (!found) { + struct passwd root = { + .pw_name = (char *) "root", +- .pw_passwd = (char *) password, ++ .pw_passwd = (char *) (password ?: PASSWORD_SEE_SHADOW), + .pw_uid = 0, + .pw_gid = 0, + .pw_gecos = (char *) "Super User", +@@ 
-977,8 +976,6 @@ static int write_root_shadow(int etc_fd, const char *hashed_password) { + int r; + bool found = false; + +- assert(hashed_password); +- + r = fopen_temporary_at_label(etc_fd, "shadow", "shadow", &shadow, &shadow_tmp); + if (r < 0) + return r; +@@ -997,8 +994,10 @@ static int write_root_shadow(int etc_fd, const char *hashed_password) { + while ((r = fgetspent_sane(original, &i)) > 0) { + + if (streq(i->sp_namp, "root")) { +- i->sp_pwdp = (char *) hashed_password; +- i->sp_lstchg = (long) (now(CLOCK_REALTIME) / USEC_PER_DAY); ++ if (hashed_password) { ++ i->sp_pwdp = (char *) hashed_password; ++ i->sp_lstchg = (long) (now(CLOCK_REALTIME) / USEC_PER_DAY); ++ } + found = true; + } + +@@ -1018,7 +1017,7 @@ static int write_root_shadow(int etc_fd, const char *hashed_password) { + if (!found) { + struct spwd root = { + .sp_namp = (char*) "root", +- .sp_pwdp = (char *) hashed_password, ++ .sp_pwdp = (char *) (hashed_password ?: PASSWORD_LOCKED_AND_INVALID), + .sp_lstchg = (long) (now(CLOCK_REALTIME) / USEC_PER_DAY), + .sp_min = -1, + .sp_max = -1, +@@ -1083,13 +1082,6 @@ static int process_root_account(int rfd) { + return 0; + } + +- /* Don't create/modify passwd and shadow if not asked */ +- if (!(arg_root_password || arg_prompt_root_password || arg_copy_root_password || arg_delete_root_password || +- arg_root_shell || arg_prompt_root_shell || arg_copy_root_shell)) { +- log_debug("Initialization of root account was not requested, skipping."); +- return 0; +- } +- + r = make_lock_file_at(pfd, ETC_PASSWD_LOCK_FILENAME, LOCK_EX, &lock); + if (r < 0) + return log_error_errno(r, "Failed to take a lock on /etc/passwd: %m"); +@@ -1148,9 +1140,18 @@ static int process_root_account(int rfd) { + } else if (arg_delete_root_password) { + password = PASSWORD_SEE_SHADOW; + hashed_password = PASSWORD_NONE; +- } else { ++ } else if (!arg_root_password && arg_prompt_root_password) { ++ /* If the user was prompted, but no password was supplied, lock the account. 
*/ + password = PASSWORD_SEE_SHADOW; + hashed_password = PASSWORD_LOCKED_AND_INVALID; ++ } else ++ /* Leave the password as is. */ ++ password = hashed_password = NULL; ++ ++ /* Don't create/modify passwd and shadow if there's nothing to do. */ ++ if (!(password || hashed_password || arg_root_shell)) { ++ log_debug("Initialization of root account was not requested, skipping."); ++ return 0; + } + + r = write_root_passwd(rfd, pfd, password, arg_root_shell); +diff --git a/test/units/testsuite-74.firstboot.sh b/test/units/testsuite-74.firstboot.sh +index 5af32ec34e..bc7e9accf7 100755 +--- a/test/units/testsuite-74.firstboot.sh ++++ b/test/units/testsuite-74.firstboot.sh +@@ -90,8 +90,14 @@ systemd-firstboot --root="$ROOT" --root-password=foo + grep -q "^root:x:0:0:" "$ROOT/etc/passwd" + grep -q "^root:[^!*]" "$ROOT/etc/shadow" + rm -fv "$ROOT/etc/passwd" "$ROOT/etc/shadow" +-# Set the shell together with the password, as firstboot won't touch +-# /etc/passwd if it already exists ++systemd-firstboot --root="$ROOT" --root-password-hashed="$ROOT_HASHED_PASSWORD1" ++grep -q "^root:x:0:0:" "$ROOT/etc/passwd" ++grep -q "^root:$ROOT_HASHED_PASSWORD1:" "$ROOT/etc/shadow" ++rm -fv "$ROOT/etc/passwd" "$ROOT/etc/shadow" ++systemd-firstboot --root="$ROOT" --root-shell=/bin/fooshell ++grep -q "^root:x:0:0:.*:/bin/fooshell$" "$ROOT/etc/passwd" ++grep -q "^root:!\*:" "$ROOT/etc/shadow" ++rm -fv "$ROOT/etc/passwd" "$ROOT/etc/shadow" + systemd-firstboot --root="$ROOT" --root-password-hashed="$ROOT_HASHED_PASSWORD1" --root-shell=/bin/fooshell + grep -q "^root:x:0:0:.*:/bin/fooshell$" "$ROOT/etc/passwd" + grep -q "^root:$ROOT_HASHED_PASSWORD1:" "$ROOT/etc/shadow" +-- +2.33.0 + diff --git a/backport-firstboot-fix-typo-and-add-missing-option-to-help-te.patch b/backport-firstboot-fix-typo-and-add-missing-option-to-help-te.patch new file mode 100644 index 0000000..d2669c5 --- /dev/null +++ b/backport-firstboot-fix-typo-and-add-missing-option-to-help-te.patch 
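Review bot: The new `else if (!arg_root_password && arg_prompt_root_password)` branch locks root whenever --prompt-root-password was requested but no password arrived, which on a tree that already has a root hash in /etc/shadow replaces it with `!*`; if the prompt helper returns early when no prompt can be shown and no credential exists (outside this hunk) that is harmless, otherwise the branch should fall through to the "leave as is" case. Now that the `assert()`s are gone, write_root_passwd() and write_root_shadow() accept NULL — keep an existing root entry's field, but give a newly created entry `x` / `!*` — and that contract is spread over four hunks without being stated; a comment above each, e.g. `/* hashed_password may be NULL: keep an existing entry's hash, lock a newly created root entry. */`, would pin it. The locked default for a new shadow entry is the safe choice and the only-`--root-shell` path relies on it. All three functions extend beyond the hunks.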
@@ -0,0 +1,33 @@
+From 6ec3c83858801391c6a28190c3deef48c5ad278b Mon Sep 17 00:00:00 2001
+From: Antonio Alvarez Feijoo
+Date: Wed, 10 Jan 2024 17:29:56 +0100
+Subject: [PATCH 0140/1160] firstboot: fix typo and add missing option to help
+ text
+
+(cherry picked from commit 981644edc9662de0c09b00c19c706f0f7eb4429b)
+---
+ src/firstboot/firstboot.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/firstboot/firstboot.c b/src/firstboot/firstboot.c
+index 17d344e980..28b2083a1b 100644
+--- a/src/firstboot/firstboot.c
++++ b/src/firstboot/firstboot.c
+@@ -1239,11 +1239,13 @@ static int help(void) {
+ " --timezone=TIMEZONE Set timezone\n"
+ " --hostname=NAME Set hostname\n"
+ " --setup-machine-id Set a random machine ID\n"
+- " --machine-ID=ID Set specified machine ID\n"
++ " --machine-id=ID Set specified machine ID\n"
+ " --root-password=PASSWORD Set root password from plaintext password\n"
+ " --root-password-file=FILE Set root password from file\n"
+ " --root-password-hashed=HASH Set root password from hashed password\n"
+ " --root-shell=SHELL Set root shell\n"
++ " --kernel-command-line=CMDLINE\n"
++ " Set kernel command line\n"
+ " --prompt-locale Prompt the user for locale settings\n"
+ " --prompt-keymap Prompt the user for keymap settings\n"
+ " --prompt-timezone Prompt the user for timezone\n"
+--
+2.33.0
+
diff --git a/backport-firstboot-handle-missing-root-password-entries.patch b/backport-firstboot-handle-missing-root-password-entries.patch
new file mode 100644
index 0000000..66e60af
--- /dev/null
+++ b/backport-firstboot-handle-missing-root-password-entries.patch
@@ -0,0 +1,120 @@
+From 23c5d712f009bc63ec437413328f240dae29c76c Mon Sep 17 00:00:00 2001
+From: Dan Nicholson
+Date: Tue, 30 Jul 2024 13:42:26 -0600
+Subject: [PATCH 0822/1160] firstboot: handle missing root password entries
+
+If /etc/passwd and/or /etc/shadow exist but don't have an existing root entry,
+one needs to be added. Previously this only worked if the files didn't exist.
+
+(cherry picked from commit 2319154a6bec7b8c42e901dfacaefe95bf4e3750)
+(cherry picked from commit 847dd914d0ee0e6f3ca576891b82896ee3e68d99)
+---
+ src/firstboot/firstboot.c | 24 ++++++++++++++++--------
+ test/units/testsuite-74.firstboot.sh | 7 +++++++
+ 2 files changed, 23 insertions(+), 8 deletions(-)
+
+diff --git a/src/firstboot/firstboot.c b/src/firstboot/firstboot.c
+index c8a2d1ff8e..baa58489f7 100644
+--- a/src/firstboot/firstboot.c
++++ b/src/firstboot/firstboot.c
+@@ -900,6 +900,7 @@ static int write_root_passwd(int rfd, int etc_fd, const char *password, const ch
+ _cleanup_fclose_ FILE *original = NULL, *passwd = NULL;
+ _cleanup_(unlink_and_freep) char *passwd_tmp = NULL;
+ int r;
++ bool found = false;
+
+ assert(password);
+
+@@ -924,6 +925,7 @@ static int write_root_passwd(int rfd, int etc_fd, const char *password, const ch
+ i->pw_passwd = (char *) password;
+ if (shell)
+ i->pw_shell = (char *) shell;
++ found = true;
+ }
+
+ r = putpwent_sane(i, passwd);
+@@ -934,6 +936,12 @@ static int write_root_passwd(int rfd, int etc_fd, const char *password, const ch
+ return r;
+
+ } else {
++ r = fchmod(fileno(passwd), 0644);
++ if (r < 0)
++ return -errno;
++ }
++
++ if (!found) {
+ struct passwd root = {
+ .pw_name = (char *) "root",
+ .pw_passwd = (char *) password,
+@@ -947,10 +955,6 @@ static int write_root_passwd(int rfd, int etc_fd, const char *password, const ch
+ if (errno != ENOENT)
+ return -errno;
+
+- r = fchmod(fileno(passwd), 0644);
+- if (r < 0)
+- return -errno;
+-
+ r = putpwent_sane(&root, passwd);
+ if (r < 0)
+ return r;
+@@ -971,6 +975,7 @@ static int write_root_shadow(int etc_fd, const char *hashed_password) {
+ _cleanup_fclose_ FILE *original = NULL, *shadow = NULL;
+ _cleanup_(unlink_and_freep) char *shadow_tmp = NULL;
+ int r;
++ bool found = false;
+
+ assert(hashed_password);
+
+@@ -994,6 +999,7 @@ static int write_root_shadow(int etc_fd, const char *hashed_password) {
+ if (streq(i->sp_namp, "root")) {
+ i->sp_pwdp = (char *) hashed_password;
+ i->sp_lstchg = (long) (now(CLOCK_REALTIME) / USEC_PER_DAY);
++ found = true;
+ }
+
+ r = putspent_sane(i, shadow);
+@@ -1004,6 +1010,12 @@ static int write_root_shadow(int etc_fd, const char *hashed_password) {
+ return r;
+
+ } else {
++ r = fchmod(fileno(shadow), 0000);
++ if (r < 0)
++ return -errno;
++ }
++
++ if (!found) {
+ struct spwd root = {
+ .sp_namp = (char*) "root",
+ .sp_pwdp = (char *) hashed_password,
+@@ -1019,10 +1031,6 @@ static int write_root_shadow(int etc_fd, const char *hashed_password) {
+ if (errno != ENOENT)
+ return -errno;
+
+- r = fchmod(fileno(shadow), 0000);
+- if (r < 0)
+- return -errno;
+-
+ r = putspent_sane(&root, shadow);
+ if (r < 0)
+ return r;
+diff --git a/test/units/testsuite-74.firstboot.sh b/test/units/testsuite-74.firstboot.sh
+index 99629007de..5af32ec34e 100755
+--- a/test/units/testsuite-74.firstboot.sh
++++ b/test/units/testsuite-74.firstboot.sh
+@@ -69,6 +69,13 @@ systemd-firstboot --root="$ROOT" --root-password-file=root.passwd
+ grep -q "^root:x:0:0:" "$ROOT/etc/passwd"
+ grep -q "^root:[^!*]" "$ROOT/etc/shadow"
+ rm -fv "$ROOT/etc/passwd" "$ROOT/etc/shadow" root.passwd
++# Make sure the root password is set if /etc/passwd and /etc/shadow exist but
++# don't have a root entry.
++touch "$ROOT/etc/passwd" "$ROOT/etc/shadow"
++systemd-firstboot --root="$ROOT" --root-password=foo
++grep -q "^root:x:0:0:" "$ROOT/etc/passwd"
++grep -q "^root:[^!*]" "$ROOT/etc/shadow"
++rm -fv "$ROOT/etc/passwd" "$ROOT/etc/shadow"
+ # If /etc/passwd and /etc/shadow exist, they will only be updated if the shadow
+ # password is !unprovisioned.
+ echo "root:x:0:0:root:/root:/bin/sh" >"$ROOT/etc/passwd"
+--
+2.33.0
+
diff --git a/backport-firstboot-remove-etc-localtime-on-reset.patch b/backport-firstboot-remove-etc-localtime-on-reset.patch
new file mode 100644
index 0000000..ff548f6
--- /dev/null
+++ b/backport-firstboot-remove-etc-localtime-on-reset.patch
@@ -0,0 +1,30 @@
+From 1d1b1fa25ba259515db9b17210cf3c20a9957b1a Mon Sep 17 00:00:00 2001
+From: Nick Rosbrook
+Date: Thu, 7 Dec 2023 16:21:51 -0500
+Subject: [PATCH 0024/1160] firstboot: remove /etc/localtime on --reset
+
+The --reset option is supposed to remove all files configured by
+firstboot, but currently it does not remove /etc/localtime.
+
+(cherry picked from commit cd3207491d2a6ea633562925f46e88ad9cfb8aa5)
+---
+ src/firstboot/firstboot.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/firstboot/firstboot.c b/src/firstboot/firstboot.c
+index f77a5f6266..17d344e980 100644
+--- a/src/firstboot/firstboot.c
++++ b/src/firstboot/firstboot.c
+@@ -1208,7 +1208,8 @@ static int process_reset(int rfd) {
+ "/etc/vconsole.conf",
+ "/etc/hostname",
+ "/etc/machine-id",
+- "/etc/kernel/cmdline") {
++ "/etc/kernel/cmdline",
++ "/etc/localtime") {
+ r = reset_one(rfd, p);
+ if (r < 0)
+ return r;
+--
+2.33.0
+
diff --git a/backport-firstboot-validate-keymap-entry.patch b/backport-firstboot-validate-keymap-entry.patch
new file mode 100644
index 0000000..4e4d78b
--- /dev/null
+++ b/backport-firstboot-validate-keymap-entry.patch
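Review bot: In write_root_passwd the `if (errno != ENOENT) return -errno;` check (context line in hunk `@@ -947,10 +955,6 @@`) was written for the branch where fopen() of the existing file failed, but it now sits inside `if (!found)`, which this change also reaches when /etc/passwd was opened and parsed successfully and merely lacked a root entry; errno is then stale (whatever the last libc call happened to set), so the function can fail spuriously or return a misleading code on the very path the new test exercises. Move the check into the `else` branch ahead of the new fchmod, e.g. `} else { if (errno != ENOENT) return -errno; r = fchmod(fileno(passwd), 0644); ...`, and drop it from the `!found` block. write_root_shadow has the identical issue at `@@ -1019,10 +1031,6 @@`, where a stale errno additionally aborts before the 0000-mode shadow entry is written. Both functions start and end outside the hunks shown.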
@@ -0,0 +1,66 @@
+From b4c1ec891d2bd89e611740f82b030a1917b67a43 Mon Sep 17 00:00:00 2001
+From: Eric Daigle
+Date: Thu, 8 Feb 2024 23:09:34 -0800
+Subject: [PATCH 0301/1160] firstboot: validate keymap entry
+
+As described in #30940, systemd-firstboot currently does not perform
+any validation on keymap entry, allowing nonexistent keymaps to be
+written to /etc/vconsole.conf. This commit adds validation checks
+based on those already performed on locale entry, preventing invalid
+keymaps from being set.
+
+Closes #30940
+
+m
+
+(cherry picked from commit 321a8c595e3470a0fe9002014656eee6a50b9553)
+---
+ src/firstboot/firstboot.c | 18 +++++++++++++++++-
+ 1 file changed, 17 insertions(+), 1 deletion(-)
+
+diff --git a/src/firstboot/firstboot.c b/src/firstboot/firstboot.c
+index 28b2083a1b..d4029272de 100644
+--- a/src/firstboot/firstboot.c
++++ b/src/firstboot/firstboot.c
+@@ -456,6 +456,20 @@ static int process_locale(int rfd) {
+ return 1;
+ }
+
++static bool keymap_exists_bool(const char *name) {
++ return keymap_exists(name) > 0;
++}
++
++static typeof(&keymap_is_valid) determine_keymap_validity_func(int rfd) {
++ int r;
++
++ r = dir_fd_is_root(rfd);
++ if (r < 0)
++ log_debug_errno(r, "Unable to determine if operating on host root directory, assuming we are: %m");
++
++ return r != 0 ? keymap_exists_bool : keymap_is_valid;
++}
++
+ static int prompt_keymap(int rfd) {
+ _cleanup_strv_free_ char **kmaps = NULL;
+ int r;
+@@ -487,7 +501,7 @@ static int prompt_keymap(int rfd) {
+ print_welcome(rfd);
+
+ return prompt_loop("Please enter system keymap name or number",
+- kmaps, 60, keymap_is_valid, &arg_keymap);
++ kmaps, 60, determine_keymap_validity_func(rfd), &arg_keymap);
+ }
+
+ static int process_keymap(int rfd) {
+@@ -1694,6 +1708,8 @@ static int run(int argc, char *argv[]) {
+ /* We check these conditions here instead of in parse_argv() so that we can take the root directory
+ * into account.
*/ + ++ if (arg_keymap && !determine_keymap_validity_func(rfd)(arg_keymap)) ++ return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Keymap %s is not installed.", arg_keymap); + if (arg_locale && !locale_is_ok(rfd, arg_locale)) + return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Locale %s is not installed.", arg_locale); + if (arg_locale_messages && !locale_is_ok(rfd, arg_locale_messages)) +-- +2.33.0 + diff --git a/backport-fix-analyze-q-option-invalid-issue.patch b/backport-fix-analyze-q-option-invalid-issue.patch index 7d48459..0da8d2c 100644 --- a/backport-fix-analyze-q-option-invalid-issue.patch +++ b/backport-fix-analyze-q-option-invalid-issue.patch @@ -1,7 +1,7 @@ From b0d294099790e75b0d8a1c90847895f5c7925354 Mon Sep 17 00:00:00 2001 From: Antonio Alvarez Feijoo Date: Tue, 9 Jan 2024 09:05:50 +0100 -Subject: [PATCH] analyze: fix -q option +Subject: [PATCH 0134/1160] analyze: fix -q option Follow-up to 52117f5af831a816c47ceebb83c8244ee93b72fe @@ -13,7 +13,7 @@ Follow-up to 52117f5af831a816c47ceebb83c8244ee93b72fe 3 files changed, 3 insertions(+), 2 deletions(-) diff --git a/man/systemd-analyze.xml b/man/systemd-analyze.xml -index 2f2873452ac..63232ad1f02 100644 +index 2f2873452a..63232ad1f0 100644 --- a/man/systemd-analyze.xml +++ b/man/systemd-analyze.xml @@ -1481,6 +1481,7 @@ NR NAME SHA256 @@ -25,7 +25,7 @@ index 2f2873452ac..63232ad1f02 100644 Suppress hints and other non-essential output. diff --git a/shell-completion/bash/systemd-analyze b/shell-completion/bash/systemd-analyze -index 8ecf9935715..1fde67218b9 100644 +index 8ecf993571..1fde67218b 100644 --- a/shell-completion/bash/systemd-analyze +++ b/shell-completion/bash/systemd-analyze @@ -57,7 +57,7 @@ _systemd_analyze() { @@ -38,7 +38,7 @@ index 8ecf9935715..1fde67218b9 100644 ) diff --git a/src/analyze/analyze.c b/src/analyze/analyze.c -index d2be144f4f4..ba95bbaba59 100644 +index d2be144f4f..ba95bbaba5 100644 --- a/src/analyze/analyze.c +++ b/src/analyze/analyze.c 
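Review bot: `keymap_exists_bool()` in hunk `@@ -456,6 +456,20 @@` folds every non-positive result of keymap_exists() into false, so if that helper can report a negative errno (as the `> 0` comparison suggests, e.g. an I/O or permission failure while enumerating keymap directories), the new check in run() turns it into `Keymap %s is not installed.` and exits EINVAL with no trace of the real cause. Logging the error before returning false keeps the wrapper's signature, so prompt_loop() via determine_keymap_validity_func(rfd) in `@@ -487,7 +501,7 @@` is unaffected, while making the failure diagnosable. The fallback to the existence check when dir_fd_is_root() itself fails is the stricter choice and reads fine as is.
```c
static bool keymap_exists_bool(const char *name) {
        int r;

        r = keymap_exists(name);
        if (r < 0)
                log_debug_errno(r, "Failed to check whether keymap %s exists, assuming it does not: %m", name);

        return r > 0;
}
```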
@@ -360,7 +360,7 @@ static int parse_argv(int argc, char *argv[]) { @@ -50,3 +50,6 @@ index d2be144f4f4..ba95bbaba59 100644 switch (c) { case 'h': +-- +2.33.0 + diff --git a/backport-fix-cgtop-sscanf-return-code-checks.patch b/backport-fix-cgtop-sscanf-return-code-checks.patch index 59ddb47..da59965 100644 --- a/backport-fix-cgtop-sscanf-return-code-checks.patch +++ b/backport-fix-cgtop-sscanf-return-code-checks.patch @@ -1,7 +1,7 @@ From bab356f5a0b8d4a43a71076c2333ff4da7ed737e Mon Sep 17 00:00:00 2001 From: Luca Boccassi Date: Fri, 19 Jan 2024 15:12:49 +0000 -Subject: [PATCH] cgtop: fix sscanf return code checks +Subject: [PATCH 0168/1160] cgtop: fix sscanf return code checks sscanf can return EOF on error, so check that we get a result instead. @@ -13,7 +13,7 @@ CodeQL#2386 and CodeQL#2387 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/cgtop/cgtop.c b/src/cgtop/cgtop.c -index e34da7cf728..ca514554408 100644 +index e34da7cf72..ca51455440 100644 --- a/src/cgtop/cgtop.c +++ b/src/cgtop/cgtop.c @@ -310,9 +310,9 @@ static int process( @@ -28,3 +28,6 @@ index e34da7cf728..ca514554408 100644 wr += k; l += strcspn(l, WHITESPACE); +-- +2.33.0 + diff --git a/backport-fix-conf-parser-oom-check-issue.patch b/backport-fix-conf-parser-oom-check-issue.patch index 689f06b..175ca97 100644 --- a/backport-fix-conf-parser-oom-check-issue.patch +++ b/backport-fix-conf-parser-oom-check-issue.patch @@ -1,7 +1,7 @@ From 4dc646fa1ae83c570801a22d256e39eb3508a17b Mon Sep 17 00:00:00 2001 From: Antonio Alvarez Feijoo Date: Tue, 30 Jan 2024 11:59:54 +0100 -Subject: [PATCH] conf-parser: fix OOM check +Subject: [PATCH 0284/1160] conf-parser: fix OOM check (cherry picked from commit 0fa25bd5f4789e8b37be5dd7927bab81c18c2dcd) --- @@ -9,7 +9,7 @@ Subject: [PATCH] conf-parser: fix OOM check 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/shared/conf-parser.c b/src/shared/conf-parser.c -index 59a529d4bcb..e8ecd9bc794 100644 +index 59a529d4bc..e8ecd9bc79 100644 
--- a/src/shared/conf-parser.c +++ b/src/shared/conf-parser.c @@ -466,7 +466,7 @@ int hashmap_put_stats_by_path(Hashmap **stats_by_path, const char *path, const s @@ -21,3 +21,6 @@ index 59a529d4bcb..e8ecd9bc794 100644 return -ENOMEM; r = hashmap_put(*stats_by_path, path_copy, st_copy); +-- +2.33.0 + diff --git a/backport-fix-homed-log-message-typo-error.patch b/backport-fix-homed-log-message-typo-error.patch index 8ed943e..5299d5b 100644 --- a/backport-fix-homed-log-message-typo-error.patch +++ b/backport-fix-homed-log-message-typo-error.patch @@ -1,7 +1,7 @@ From 5df96d470fea91b29279e3ae7ff31deff907f751 Mon Sep 17 00:00:00 2001 From: Antonio Alvarez Feijoo Date: Tue, 12 Mar 2024 15:22:43 +0100 -Subject: [PATCH] homed: fix typo +Subject: [PATCH 0450/1160] homed: fix typo (cherry picked from commit d3d880e558e608de351c0b518c10953cba2ed0b3) --- @@ -9,7 +9,7 @@ Subject: [PATCH] homed: fix typo 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/home/homed-manager.c b/src/home/homed-manager.c -index c4525310fc2..b8bef53db52 100644 +index c4525310fc..b8bef53db5 100644 --- a/src/home/homed-manager.c +++ b/src/home/homed-manager.c @@ -1040,7 +1040,7 @@ static int manager_bind_varlink(Manager *m) { @@ -21,3 +21,6 @@ index c4525310fc2..b8bef53db52 100644 /* Avoid recursion */ if (setenv("SYSTEMD_BYPASS_USERDB", m->userdb_service, 1) < 0) +-- +2.33.0 + diff --git a/backport-fix-log-message-not-match-glob-patterns-passed-to-disable-command.patch b/backport-fix-log-message-not-match-glob-patterns-passed-to-disable-command.patch index b6dde46..ebbefb5 100644 --- a/backport-fix-log-message-not-match-glob-patterns-passed-to-disable-command.patch +++ b/backport-fix-log-message-not-match-glob-patterns-passed-to-disable-command.patch @@ -1,8 +1,8 @@ From 819f3f0be986848d0b1ed82166e1244a6bd6d508 Mon Sep 17 00:00:00 2001 
From: Yu Watanabe Date: Wed, 1 May 2024 15:14:37 +0900 -Subject: [PATCH] systemctl: fix log message when glob patterns passed to - disable command and friends +Subject: [PATCH 0585/1160] systemctl: fix log message when glob patterns + passed to disable command and friends Fixes #32599. @@ -12,7 +12,7 @@ Fixes #32599. 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/systemctl/systemctl-enable.c b/src/systemctl/systemctl-enable.c -index 7d9b7c794a1..fc746b2b2be 100644 +index 7d9b7c794a..fc746b2b2b 100644 --- a/src/systemctl/systemctl-enable.c +++ b/src/systemctl/systemctl-enable.c @@ -71,7 +71,8 @@ int verb_enable(int argc, char *argv[], void *userdata) { @@ -25,3 +25,6 @@ index 7d9b7c794a1..fc746b2b2be 100644 if (r < 0) return r; +-- +2.33.0 + diff --git a/backport-fix-the-value-of-default-shells-to-use-bin-and-not-u.patch b/backport-fix-the-value-of-default-shells-to-use-bin-and-not-u.patch new file mode 100644 index 0000000..e72873e --- /dev/null +++ b/backport-fix-the-value-of-default-shells-to-use-bin-and-not-u.patch 
@@ -0,0 +1,65 @@
+From 5625c2018e4b46bf0c8d2feafe18eac663ad62d5 Mon Sep 17 00:00:00 2001
+From: Eli Schwartz
+Date: Tue, 20 Feb 2024 21:59:13 -0500
+Subject: [PATCH 0426/1160] fix the value of default shells to use /bin and not
+ /usr/bin
+
+Partially reverts commit b0d3095fd6cc1791a38f57a1982116b4475244ba.
+
+While it is generally worthwhile for systemd to drop split-usr support,
+these options are NOT about split-usr support. The universal location of
+POSIX sh is always /bin/sh. Bash is pretty reasonably standardized there
+too.
+
+This happens irrespective of /bin being a symlink to /usr/bin.
+Ramifications of this change include things like:
+
+- portably running shell scripts that might run very nearly anywhere
+- /etc/shells support
+
+For standardization and compatibility reasons, these commands with these
+paths need to be consistently found on any system, and thus distros make
+sure this works, although even on split-usr systems /usr/bin/bash may be
+a symlink to /bin/bash.
+
+Embedding the *access path* of bash as /usr/bin/bash in systemd, for
+example in libnss_systemd.so, means that login shells must agree with
+systemd on how they invoke the shell. End result: users fail to login
+because of access violations.
+
+This cannot be fixed by "fixing PAM" because PAM does not follow
+symlinks by design: one example is that it needs to treat rbash as
+different from bash.
+
+Fixes: https://bugs.gentoo.org/919749
+Signed-off-by: Eli Schwartz
+(cherry picked from commit 5656c593cee0a811b896b2887af7efacb99f6adf)
+---
+ meson_options.txt | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/meson_options.txt b/meson_options.txt
+index 83b48ff5bb..414b0345d1 100644
+--- a/meson_options.txt
++++ b/meson_options.txt
+@@ -69,7 +69,7 @@ option('loadkeys-path', type : 'string', description : 'path to loadkeys')
+ option('setfont-path', type : 'string', description : 'path to setfont')
+ option('nologin-path', type : 'string', description : 'path to nologin')
+
+-option('debug-shell', type : 'string', value : '/usr/bin/sh',
++option('debug-shell', type : 'string', value : '/bin/sh',
+ description : 'path to debug shell binary')
+ option('debug-tty', type : 'string', value : '/dev/tty9',
+ description : 'specify the tty device for debug shell')
+@@ -236,7 +236,7 @@ option('time-epoch', type : 'integer', value : 0,
+ description : 'time epoch for time clients')
+ option('clock-valid-range-usec-max', type : 'integer', value : 473364000000000, # 15 years
+ description : 'maximum value in microseconds for the difference between RTC and epoch, exceeding which is considered an RTC error ["0" disables]')
+-option('default-user-shell', type : 'string', value : '/usr/bin/bash',
++option('default-user-shell', type : 'string', value : '/bin/bash',
+ description : 'default interactive shell')
+
+ option('system-alloc-uid-min', type : 'integer', value : 0,
+--
+2.33.0
+
diff --git a/backport-fs-util-readlinkat-supports-an-empty-string.patch b/backport-fs-util-readlinkat-supports-an-empty-string.patch
index e85ccb7..0b3cf9c 100644
--- a/backport-fs-util-readlinkat-supports-an-empty-string.patch
+++ b/backport-fs-util-readlinkat-supports-an-empty-string.patch
@@ -1,7 +1,7 @@
-From 7a2349072e165c27ed0655934b05530c19d23779 Mon Sep 17 00:00:00 2001
+From 30142e781d7afcfa93185d2543f59e9cf90dc882 Mon Sep 17 00:00:00 2001
From: Yu Watanabe Date: Thu, 15 Feb 2024 07:01:17 +0900 -Subject: [PATCH] fs-util: readlinkat() supports an empty string +Subject: [PATCH 0315/1160] fs-util: readlinkat() supports an empty string From readlinkat(2): Since Linux 2.6.39, pathname can be an empty string, in which case the @@ -9,10 +9,6 @@ call operates on the symbolic link referred to by dirfd (which should have been obtained using open(2) with the O_PATH and O_NOFOLLOW flags). (cherry picked from commit e4c094c05543410ba05a16f757d1e11652f4f6bd) -(cherry picked from commit 30142e781d7afcfa93185d2543f59e9cf90dc882) - -Conflict:NA -Reference:https://github.com/systemd/systemd-stable/commit/7a2349072e165c27ed0655934b05530c19d23779 --- src/basic/fs-util.c | 8 ++++++-- src/test/test-fs-util.c | 35 +++++++++++++++++++++++++++++++++++ diff --git a/backport-fs-util-rename-xopenat-xopanat_full.patch b/backport-fs-util-rename-xopenat-xopanat_full.patch new file mode 100644 index 0000000..352db2d --- /dev/null +++ b/backport-fs-util-rename-xopenat-xopanat_full.patch 
@@ -0,0 +1,497 @@ +From c5c9a85a4b9cd3e41f4a68404cab38618572ff95 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Thu, 15 Feb 2024 08:23:35 +0900 +Subject: [PATCH 0552/1160] fs-util: rename xopenat() -> xopanat_full() + +(cherry picked from commit e40b11be04b8abfe040507338336ce8e5e456ff6) +--- + src/basic/chase.c | 30 +++++++++--------- + src/basic/chattr-util.c | 2 +- + src/basic/fs-util.c | 8 ++--- + src/basic/fs-util.h | 10 ++++-- + src/basic/lock-util.c | 14 ++++----- + src/basic/stat-util.c | 2 +- + src/libsystemd/sd-id128/id128-util.c | 4 +-- + src/shared/btrfs-util.c | 10 ++---- + src/shared/copy.c | 22 ++++++------- + src/shared/loop-util.c | 8 ++--- + src/test/test-btrfs.c | 2 +- + src/test/test-copy.c | 4 +-- + src/test/test-fs-util.c | 46 ++++++++++++++-------------- + src/tmpfiles/tmpfiles.c | 2 +- + 14 files changed, 83 insertions(+), 81 deletions(-) + +diff --git a/src/basic/chase.c b/src/basic/chase.c +index 26bc2d69a9..9f5477e4f3 100644 +--- a/src/basic/chase.c ++++ b/src/basic/chase.c +@@ -374,11 +374,11 @@ int chaseat(int dir_fd, const char *path, ChaseFlags flags, char **ret_path, int + return r; + + if (FLAGS_SET(flags, CHASE_MKDIR_0755) && !isempty(todo)) { +- child = xopenat(fd, +- first, +- O_DIRECTORY|O_CREAT|O_EXCL|O_NOFOLLOW|O_CLOEXEC, +- /* xopen_flags = */ 0, +- 0755); ++ child = xopenat_full(fd, ++ first, ++ O_DIRECTORY|O_CREAT|O_EXCL|O_NOFOLLOW|O_CLOEXEC, ++ /* xopen_flags = */ 0, ++ 0755); + if (child < 0) + return child; + } else if (FLAGS_SET(flags, CHASE_PARENT) && isempty(todo)) { +@@ -760,10 +760,10 @@ int chase_and_open(const char *path, const char *root, ChaseFlags chase_flags, i + if (empty_or_root(root) && !ret_path && + (chase_flags & (CHASE_NO_AUTOFS|CHASE_SAFE|CHASE_PROHIBIT_SYMLINKS|CHASE_PARENT|CHASE_MKDIR_0755)) == 0) + /* Shortcut this call if none of the special features of this call are requested */ +- return xopenat(AT_FDCWD, path, +- open_flags | (FLAGS_SET(chase_flags, CHASE_NOFOLLOW) ? 
O_NOFOLLOW : 0), +- /* xopen_flags = */ 0, +- mode); ++ return xopenat_full(AT_FDCWD, path, ++ open_flags | (FLAGS_SET(chase_flags, CHASE_NOFOLLOW) ? O_NOFOLLOW : 0), ++ /* xopen_flags = */ 0, ++ mode); + + r = chase(path, root, CHASE_PARENT|chase_flags, &p, &path_fd); + if (r < 0) +@@ -777,7 +777,7 @@ int chase_and_open(const char *path, const char *root, ChaseFlags chase_flags, i + return r; + } + +- r = xopenat(path_fd, strempty(fname), open_flags|O_NOFOLLOW, /* xopen_flags = */ 0, mode); ++ r = xopenat_full(path_fd, strempty(fname), open_flags|O_NOFOLLOW, /* xopen_flags = */ 0, mode); + if (r < 0) + return r; + +@@ -964,10 +964,10 @@ int chase_and_openat(int dir_fd, const char *path, ChaseFlags chase_flags, int o + if (dir_fd == AT_FDCWD && !ret_path && + (chase_flags & (CHASE_NO_AUTOFS|CHASE_SAFE|CHASE_PROHIBIT_SYMLINKS|CHASE_PARENT|CHASE_MKDIR_0755)) == 0) + /* Shortcut this call if none of the special features of this call are requested */ +- return xopenat(dir_fd, path, +- open_flags | (FLAGS_SET(chase_flags, CHASE_NOFOLLOW) ? O_NOFOLLOW : 0), +- /* xopen_flags = */ 0, +- mode); ++ return xopenat_full(dir_fd, path, ++ open_flags | (FLAGS_SET(chase_flags, CHASE_NOFOLLOW) ? 
O_NOFOLLOW : 0), ++ /* xopen_flags = */ 0, ++ mode); + + r = chaseat(dir_fd, path, chase_flags|CHASE_PARENT, &p, &path_fd); + if (r < 0) +@@ -979,7 +979,7 @@ int chase_and_openat(int dir_fd, const char *path, ChaseFlags chase_flags, int o + return r; + } + +- r = xopenat(path_fd, strempty(fname), open_flags|O_NOFOLLOW, /* xopen_flags = */ 0, mode); ++ r = xopenat_full(path_fd, strempty(fname), open_flags|O_NOFOLLOW, /* xopen_flags = */ 0, mode); + if (r < 0) + return r; + +diff --git a/src/basic/chattr-util.c b/src/basic/chattr-util.c +index fe8b9abf91..d76be5c99b 100644 +--- a/src/basic/chattr-util.c ++++ b/src/basic/chattr-util.c +@@ -29,7 +29,7 @@ int chattr_full( + + assert(dir_fd >= 0 || dir_fd == AT_FDCWD); + +- fd = xopenat(dir_fd, path, O_RDONLY|O_CLOEXEC|O_NOCTTY|O_NOFOLLOW, /* xopen_flags = */ 0, /* mode = */ 0); ++ fd = xopenat(dir_fd, path, O_RDONLY|O_CLOEXEC|O_NOCTTY|O_NOFOLLOW); + if (fd < 0) + return fd; + +diff --git a/src/basic/fs-util.c b/src/basic/fs-util.c +index 9ba9268d77..5bc7d2f95b 100644 +--- a/src/basic/fs-util.c ++++ b/src/basic/fs-util.c +@@ -1054,7 +1054,7 @@ int open_mkdir_at(int dirfd, const char *path, int flags, mode_t mode) { + path = fname; + } + +- fd = xopenat(dirfd, path, flags|O_CREAT|O_DIRECTORY|O_NOFOLLOW, /* xopen_flags = */ 0, mode); ++ fd = xopenat_full(dirfd, path, flags|O_CREAT|O_DIRECTORY|O_NOFOLLOW, /* xopen_flags = */ 0, mode); + if (IN_SET(fd, -ELOOP, -ENOTDIR)) + return -EEXIST; + if (fd < 0) +@@ -1110,7 +1110,7 @@ int openat_report_new(int dirfd, const char *pathname, int flags, mode_t mode, b + } + } + +-int xopenat(int dir_fd, const char *path, int open_flags, XOpenFlags xopen_flags, mode_t mode) { ++int xopenat_full(int dir_fd, const char *path, int open_flags, XOpenFlags xopen_flags, mode_t mode) { + _cleanup_close_ int fd = -EBADF; + bool made = false; + int r; +@@ -1191,7 +1191,7 @@ int xopenat(int dir_fd, const char *path, int open_flags, XOpenFlags xopen_flags + return TAKE_FD(fd); + } + +-int 
xopenat_lock( ++int xopenat_lock_full( + int dir_fd, + const char *path, + int open_flags, +@@ -1214,7 +1214,7 @@ int xopenat_lock( + for (;;) { + struct stat st; + +- fd = xopenat(dir_fd, path, open_flags, xopen_flags, mode); ++ fd = xopenat_full(dir_fd, path, open_flags, xopen_flags, mode); + if (fd < 0) + return fd; + +diff --git a/src/basic/fs-util.h b/src/basic/fs-util.h +index 1023ab73ca..6a1e2e76d1 100644 +--- a/src/basic/fs-util.h ++++ b/src/basic/fs-util.h +@@ -137,6 +137,12 @@ typedef enum XOpenFlags { + XO_SUBVOLUME = 1 << 1, + } XOpenFlags; + +-int xopenat(int dir_fd, const char *path, int open_flags, XOpenFlags xopen_flags, mode_t mode); ++int xopenat_full(int dir_fd, const char *path, int open_flags, XOpenFlags xopen_flags, mode_t mode); ++static inline int xopenat(int dir_fd, const char *path, int open_flags) { ++ return xopenat_full(dir_fd, path, open_flags, 0, 0); ++} + +-int xopenat_lock(int dir_fd, const char *path, int open_flags, XOpenFlags xopen_flags, mode_t mode, LockType locktype, int operation); ++int xopenat_lock_full(int dir_fd, const char *path, int open_flags, XOpenFlags xopen_flags, mode_t mode, LockType locktype, int operation); ++static inline int xopenat_lock(int dir_fd, const char *path, int open_flags, LockType locktype, int operation) { ++ return xopenat_lock_full(dir_fd, path, open_flags, 0, 0, locktype, operation); ++} +diff --git a/src/basic/lock-util.c b/src/basic/lock-util.c +index 047fd0184d..7bffe85461 100644 +--- a/src/basic/lock-util.c ++++ b/src/basic/lock-util.c +@@ -40,13 +40,13 @@ int make_lock_file_at(int dir_fd, const char *p, int operation, LockFile *ret) { + if (!t) + return -ENOMEM; + +- fd = xopenat_lock(dfd, +- p, +- O_CREAT|O_RDWR|O_NOFOLLOW|O_CLOEXEC|O_NOCTTY, +- /* xopen_flags = */ 0, +- 0600, +- LOCK_UNPOSIX, +- operation); ++ fd = xopenat_lock_full(dfd, ++ p, ++ O_CREAT|O_RDWR|O_NOFOLLOW|O_CLOEXEC|O_NOCTTY, ++ /* xopen_flags = */ 0, ++ 0600, ++ LOCK_UNPOSIX, ++ operation); + if (fd < 0) + return fd == 
-EAGAIN ? -EBUSY : fd; + +diff --git a/src/basic/stat-util.c b/src/basic/stat-util.c +index c54374b2c9..6f719ddd1c 100644 +--- a/src/basic/stat-util.c ++++ b/src/basic/stat-util.c +@@ -470,7 +470,7 @@ int xstatfsat(int dir_fd, const char *path, struct statfs *ret) { + assert(dir_fd >= 0 || dir_fd == AT_FDCWD); + assert(ret); + +- fd = xopenat(dir_fd, path, O_PATH|O_CLOEXEC|O_NOCTTY, /* xopen_flags = */ 0, /* mode = */ 0); ++ fd = xopenat(dir_fd, path, O_PATH|O_CLOEXEC|O_NOCTTY); + if (fd < 0) + return fd; + +diff --git a/src/libsystemd/sd-id128/id128-util.c b/src/libsystemd/sd-id128/id128-util.c +index 94bfd70bff..b9714eee06 100644 +--- a/src/libsystemd/sd-id128/id128-util.c ++++ b/src/libsystemd/sd-id128/id128-util.c +@@ -138,7 +138,7 @@ int id128_read_at(int dir_fd, const char *path, Id128Flag f, sd_id128_t *ret) { + assert(dir_fd >= 0 || dir_fd == AT_FDCWD); + assert(path); + +- fd = xopenat(dir_fd, path, O_RDONLY|O_CLOEXEC|O_NOCTTY, /* xopen_flags = */ 0, /* mode = */ 0); ++ fd = xopenat(dir_fd, path, O_RDONLY|O_CLOEXEC|O_NOCTTY); + if (fd < 0) + return fd; + +@@ -184,7 +184,7 @@ int id128_write_at(int dir_fd, const char *path, Id128Flag f, sd_id128_t id) { + assert(dir_fd >= 0 || dir_fd == AT_FDCWD); + assert(path); + +- fd = xopenat(dir_fd, path, O_WRONLY|O_CREAT|O_CLOEXEC|O_NOCTTY|O_TRUNC, /* xopen_flags = */ 0, 0444); ++ fd = xopenat_full(dir_fd, path, O_WRONLY|O_CREAT|O_CLOEXEC|O_NOCTTY|O_TRUNC, /* xopen_flags = */ 0, 0444); + if (fd < 0) + return fd; + +diff --git a/src/shared/btrfs-util.c b/src/shared/btrfs-util.c +index b3e4b505d8..2ed6bf24a2 100644 +--- a/src/shared/btrfs-util.c ++++ b/src/shared/btrfs-util.c +@@ -65,7 +65,7 @@ int btrfs_subvol_set_read_only_at(int dir_fd, const char *path, bool b) { + + assert(dir_fd >= 0 || dir_fd == AT_FDCWD); + +- fd = xopenat(dir_fd, path, O_RDONLY|O_NOCTTY|O_CLOEXEC|O_DIRECTORY, /* xopen_flags = */ 0, /* mode = */ 0); ++ fd = xopenat(dir_fd, path, O_RDONLY|O_NOCTTY|O_CLOEXEC|O_DIRECTORY); + if (fd < 0) + return 
fd; + +@@ -113,7 +113,7 @@ int btrfs_get_block_device_at(int dir_fd, const char *path, dev_t *ret) { + assert(path); + assert(ret); + +- fd = xopenat(dir_fd, path, O_RDONLY|O_CLOEXEC|O_NONBLOCK|O_NOCTTY, /* xopen_flags = */ 0, /* mode = */ 0); ++ fd = xopenat(dir_fd, path, O_RDONLY|O_CLOEXEC|O_NONBLOCK|O_NOCTTY); + if (fd < 0) + return fd; + +@@ -1276,8 +1276,6 @@ static int subvol_snapshot_children( + if (FLAGS_SET(flags, BTRFS_SNAPSHOT_LOCK_BSD)) { + subvolume_fd = xopenat_lock(new_fd, subvolume, + O_RDONLY|O_NOCTTY|O_CLOEXEC|O_DIRECTORY|O_NOFOLLOW, +- /* xopen_flags = */ 0, +- /* mode = */ 0, + LOCK_BSD, + LOCK_EX); + if (subvolume_fd < 0) +@@ -1445,7 +1443,7 @@ int btrfs_subvol_snapshot_at_full( + assert(dir_fdt >= 0 || dir_fdt == AT_FDCWD); + assert(to); + +- old_fd = xopenat(dir_fdf, from, O_RDONLY|O_NOCTTY|O_CLOEXEC|O_DIRECTORY, /* xopen_flags = */ 0, /* mode = */ 0); ++ old_fd = xopenat(dir_fdf, from, O_RDONLY|O_NOCTTY|O_CLOEXEC|O_DIRECTORY); + if (old_fd < 0) + return old_fd; + +@@ -1482,8 +1480,6 @@ int btrfs_subvol_snapshot_at_full( + if (FLAGS_SET(flags, BTRFS_SNAPSHOT_LOCK_BSD)) { + subvolume_fd = xopenat_lock(new_fd, subvolume, + O_RDONLY|O_NOCTTY|O_CLOEXEC|O_DIRECTORY|O_NOFOLLOW, +- /* xopen_flags = */ 0, +- /* mode = */ 0, + LOCK_BSD, + LOCK_EX); + if (subvolume_fd < 0) +diff --git a/src/shared/copy.c b/src/shared/copy.c +index bc8643efc2..157373148e 100644 +--- a/src/shared/copy.c ++++ b/src/shared/copy.c +@@ -984,12 +984,12 @@ static int fd_copy_directory( + + exists = r >= 0; + +- fdt = xopenat_lock(dt, to, +- O_RDONLY|O_DIRECTORY|O_CLOEXEC|O_NOCTTY|O_NOFOLLOW|(exists ? 0 : O_CREAT|O_EXCL), +- (copy_flags & COPY_MAC_CREATE ? XO_LABEL : 0)|(set_contains(subvolumes, st) ? XO_SUBVOLUME : 0), +- st->st_mode & 07777, +- copy_flags & COPY_LOCK_BSD ? LOCK_BSD : LOCK_NONE, +- LOCK_EX); ++ fdt = xopenat_lock_full(dt, to, ++ O_RDONLY|O_DIRECTORY|O_CLOEXEC|O_NOCTTY|O_NOFOLLOW|(exists ? 0 : O_CREAT|O_EXCL), ++ (copy_flags & COPY_MAC_CREATE ? 
XO_LABEL : 0)|(set_contains(subvolumes, st) ? XO_SUBVOLUME : 0), ++ st->st_mode & 07777, ++ copy_flags & COPY_LOCK_BSD ? LOCK_BSD : LOCK_NONE, ++ LOCK_EX); + if (fdt < 0) + return fdt; + +@@ -1378,11 +1378,11 @@ int copy_file_at_full( + return r; + + WITH_UMASK(0000) { +- fdt = xopenat_lock(dir_fdt, to, +- flags|O_WRONLY|O_CREAT|O_CLOEXEC|O_NOCTTY, +- (copy_flags & COPY_MAC_CREATE ? XO_LABEL : 0), +- mode != MODE_INVALID ? mode : st.st_mode, +- copy_flags & COPY_LOCK_BSD ? LOCK_BSD : LOCK_NONE, LOCK_EX); ++ fdt = xopenat_lock_full(dir_fdt, to, ++ flags|O_WRONLY|O_CREAT|O_CLOEXEC|O_NOCTTY, ++ (copy_flags & COPY_MAC_CREATE ? XO_LABEL : 0), ++ mode != MODE_INVALID ? mode : st.st_mode, ++ copy_flags & COPY_LOCK_BSD ? LOCK_BSD : LOCK_NONE, LOCK_EX); + if (fdt < 0) + return fdt; + } +diff --git a/src/shared/loop-util.c b/src/shared/loop-util.c +index 5860303896..6d55df7076 100644 +--- a/src/shared/loop-util.c ++++ b/src/shared/loop-util.c +@@ -702,9 +702,9 @@ int loop_device_make_by_path_at( + direct_flags = FLAGS_SET(loop_flags, LO_FLAGS_DIRECT_IO) ? O_DIRECT : 0; + rdwr_flags = open_flags >= 0 ? 
open_flags : O_RDWR; + +- fd = xopenat(dir_fd, path, basic_flags|direct_flags|rdwr_flags, /* xopen_flags = */ 0, /* mode = */ 0); ++ fd = xopenat(dir_fd, path, basic_flags|direct_flags|rdwr_flags); + if (fd < 0 && direct_flags != 0) /* If we had O_DIRECT on, and things failed with that, let's immediately try again without */ +- fd = xopenat(dir_fd, path, basic_flags|rdwr_flags, /* xopen_flags = */ 0, /* mode = */ 0); ++ fd = xopenat(dir_fd, path, basic_flags|rdwr_flags); + else + direct = direct_flags != 0; + if (fd < 0) { +@@ -714,9 +714,9 @@ int loop_device_make_by_path_at( + if (open_flags >= 0 || !(ERRNO_IS_PRIVILEGE(r) || r == -EROFS)) + return r; + +- fd = xopenat(dir_fd, path, basic_flags|direct_flags|O_RDONLY, /* xopen_flags = */ 0, /* mode = */ 0); ++ fd = xopenat(dir_fd, path, basic_flags|direct_flags|O_RDONLY); + if (fd < 0 && direct_flags != 0) /* as above */ +- fd = xopenat(dir_fd, path, basic_flags|O_RDONLY, /* xopen_flags = */ 0, /* mode = */ 0); ++ fd = xopenat(dir_fd, path, basic_flags|O_RDONLY); + else + direct = direct_flags != 0; + if (fd < 0) +diff --git a/src/test/test-btrfs.c b/src/test/test-btrfs.c +index 205142e982..6dff70902e 100644 +--- a/src/test/test-btrfs.c ++++ b/src/test/test-btrfs.c +@@ -71,7 +71,7 @@ int main(int argc, char *argv[]) { + if (r < 0) + log_error_errno(r, "Failed to make snapshot: %m"); + if (r >= 0) +- assert_se(xopenat_lock(AT_FDCWD, "/xxxtest4", 0, 0, 0, LOCK_BSD, LOCK_EX|LOCK_NB) == -EAGAIN); ++ assert_se(xopenat_lock(AT_FDCWD, "/xxxtest4", 0, LOCK_BSD, LOCK_EX|LOCK_NB) == -EAGAIN); + + safe_close(r); + +diff --git a/src/test/test-copy.c b/src/test/test-copy.c +index f3144f0c07..61bfbc0c42 100644 +--- a/src/test/test-copy.c ++++ b/src/test/test-copy.c +@@ -520,12 +520,12 @@ TEST(copy_lock) { + assert_se((fd = copy_directory_at(tfd, "abc", tfd, "qed", COPY_LOCK_BSD)) >= 0); + assert_se(faccessat(tfd, "qed", F_OK, 0) >= 0); + assert_se(faccessat(tfd, "qed/def", F_OK, 0) >= 0); +- assert_se(xopenat_lock(tfd, "qed", 0, 
0, 0, LOCK_BSD, LOCK_EX|LOCK_NB) == -EAGAIN); ++ assert_se(xopenat_lock(tfd, "qed", 0, LOCK_BSD, LOCK_EX|LOCK_NB) == -EAGAIN); + fd = safe_close(fd); + + assert_se((fd = copy_file_at(tfd, "abc/def", tfd, "poi", 0, 0644, COPY_LOCK_BSD))); + assert_se(read_file_at_and_streq(tfd, "poi", "abc\n")); +- assert_se(xopenat_lock(tfd, "poi", 0, 0, 0, LOCK_BSD, LOCK_EX|LOCK_NB) == -EAGAIN); ++ assert_se(xopenat_lock(tfd, "poi", 0, LOCK_BSD, LOCK_EX|LOCK_NB) == -EAGAIN); + fd = safe_close(fd); + } + +diff --git a/src/test/test-fs-util.c b/src/test/test-fs-util.c +index ef335b43ae..b32feffd30 100644 +--- a/src/test/test-fs-util.c ++++ b/src/test/test-fs-util.c +@@ -673,37 +673,37 @@ TEST(openat_report_new) { + assert_se(b); + } + +-TEST(xopenat) { ++TEST(xopenat_full) { + _cleanup_(rm_rf_physical_and_freep) char *t = NULL; + _cleanup_close_ int tfd = -EBADF, fd = -EBADF, fd2 = -EBADF; + + assert_se((tfd = mkdtemp_open(NULL, 0, &t)) >= 0); + +- /* Test that xopenat() creates directories if O_DIRECTORY is specified. */ ++ /* Test that xopenat_full() creates directories if O_DIRECTORY is specified. */ + +- assert_se((fd = xopenat(tfd, "abc", O_DIRECTORY|O_CREAT|O_EXCL|O_CLOEXEC, 0, 0755)) >= 0); ++ assert_se((fd = xopenat_full(tfd, "abc", O_DIRECTORY|O_CREAT|O_EXCL|O_CLOEXEC, 0, 0755)) >= 0); + assert_se((fd_verify_directory(fd) >= 0)); + fd = safe_close(fd); + +- assert_se(xopenat(tfd, "abc", O_DIRECTORY|O_CREAT|O_EXCL|O_CLOEXEC, 0, 0755) == -EEXIST); ++ assert_se(xopenat_full(tfd, "abc", O_DIRECTORY|O_CREAT|O_EXCL|O_CLOEXEC, 0, 0755) == -EEXIST); + +- assert_se((fd = xopenat(tfd, "abc", O_DIRECTORY|O_CREAT|O_CLOEXEC, 0, 0755)) >= 0); ++ assert_se((fd = xopenat_full(tfd, "abc", O_DIRECTORY|O_CREAT|O_CLOEXEC, 0, 0755)) >= 0); + assert_se((fd_verify_directory(fd) >= 0)); + fd = safe_close(fd); + +- /* Test that xopenat() creates regular files if O_DIRECTORY is not specified. */ ++ /* Test that xopenat_full() creates regular files if O_DIRECTORY is not specified. 
*/ + +- assert_se((fd = xopenat(tfd, "def", O_CREAT|O_EXCL|O_CLOEXEC, 0, 0644)) >= 0); ++ assert_se((fd = xopenat_full(tfd, "def", O_CREAT|O_EXCL|O_CLOEXEC, 0, 0644)) >= 0); + assert_se(fd_verify_regular(fd) >= 0); + fd = safe_close(fd); + +- /* Test that we can reopen an existing fd with xopenat() by specifying an empty path. */ ++ /* Test that we can reopen an existing fd with xopenat_full() by specifying an empty path. */ + +- assert_se((fd = xopenat(tfd, "def", O_PATH|O_CLOEXEC, 0, 0)) >= 0); +- assert_se((fd2 = xopenat(fd, "", O_RDWR|O_CLOEXEC, 0, 0644)) >= 0); ++ assert_se((fd = xopenat_full(tfd, "def", O_PATH|O_CLOEXEC, 0, 0)) >= 0); ++ assert_se((fd2 = xopenat_full(fd, "", O_RDWR|O_CLOEXEC, 0, 0644)) >= 0); + } + +-TEST(xopenat_lock) { ++TEST(xopenat_lock_full) { + _cleanup_(rm_rf_physical_and_freep) char *t = NULL; + _cleanup_close_ int tfd = -EBADF, fd = -EBADF; + siginfo_t si; +@@ -714,11 +714,11 @@ TEST(xopenat_lock) { + * and close the file descriptor and still properly create the directory and acquire the lock in + * another process. 
*/ + +- fd = xopenat_lock(tfd, "abc", O_CREAT|O_DIRECTORY|O_CLOEXEC, 0, 0755, LOCK_BSD, LOCK_EX); ++ fd = xopenat_lock_full(tfd, "abc", O_CREAT|O_DIRECTORY|O_CLOEXEC, 0, 0755, LOCK_BSD, LOCK_EX); + assert_se(fd >= 0); + assert_se(faccessat(tfd, "abc", F_OK, 0) >= 0); + assert_se(fd_verify_directory(fd) >= 0); +- assert_se(xopenat_lock(tfd, "abc", O_DIRECTORY|O_CLOEXEC, 0, 0755, LOCK_BSD, LOCK_EX|LOCK_NB) == -EAGAIN); ++ assert_se(xopenat_lock_full(tfd, "abc", O_DIRECTORY|O_CLOEXEC, 0, 0755, LOCK_BSD, LOCK_EX|LOCK_NB) == -EAGAIN); + + pid_t pid = fork(); + assert_se(pid >= 0); +@@ -726,21 +726,21 @@ TEST(xopenat_lock) { + if (pid == 0) { + safe_close(fd); + +- fd = xopenat_lock(tfd, "abc", O_CREAT|O_DIRECTORY|O_CLOEXEC, 0, 0755, LOCK_BSD, LOCK_EX); ++ fd = xopenat_lock_full(tfd, "abc", O_CREAT|O_DIRECTORY|O_CLOEXEC, 0, 0755, LOCK_BSD, LOCK_EX); + assert_se(fd >= 0); + assert_se(faccessat(tfd, "abc", F_OK, 0) >= 0); + assert_se(fd_verify_directory(fd) >= 0); +- assert_se(xopenat_lock(tfd, "abc", O_DIRECTORY|O_CLOEXEC, 0, 0755, LOCK_BSD, LOCK_EX|LOCK_NB) == -EAGAIN); ++ assert_se(xopenat_lock_full(tfd, "abc", O_DIRECTORY|O_CLOEXEC, 0, 0755, LOCK_BSD, LOCK_EX|LOCK_NB) == -EAGAIN); + + _exit(EXIT_SUCCESS); + } + +- /* We need to give the child process some time to get past the xopenat() call in xopenat_lock() and +- * block in the call to lock_generic() waiting for the lock to become free. We can't modify +- * xopenat_lock() to signal an eventfd to let us know when that has happened, so we just sleep for a +- * little and assume that's enough time for the child process to get along far enough. It doesn't +- * matter if it doesn't get far enough, in that case we just won't trigger the fallback logic in +- * xopenat_lock(), but the test will still succeed. */ ++ /* We need to give the child process some time to get past the xopenat() call in xopenat_lock_full() ++ * and block in the call to lock_generic() waiting for the lock to become free. 
We can't modify ++ * xopenat_lock_full() to signal an eventfd to let us know when that has happened, so we just sleep ++ * for a little and assume that's enough time for the child process to get along far enough. It ++ * doesn't matter if it doesn't get far enough, in that case we just won't trigger the fallback logic ++ * in xopenat_lock_full(), but the test will still succeed. */ + assert_se(usleep_safe(20 * USEC_PER_MSEC) >= 0); + + assert_se(unlinkat(tfd, "abc", AT_REMOVEDIR) >= 0); +@@ -749,8 +749,8 @@ TEST(xopenat_lock) { + assert_se(wait_for_terminate(pid, &si) >= 0); + assert_se(si.si_code == CLD_EXITED); + +- assert_se(xopenat_lock(tfd, "abc", 0, 0, 0755, LOCK_POSIX, LOCK_EX) == -EBADF); +- assert_se(xopenat_lock(tfd, "def", O_DIRECTORY, 0, 0755, LOCK_POSIX, LOCK_EX) == -EBADF); ++ assert_se(xopenat_lock_full(tfd, "abc", 0, 0, 0755, LOCK_POSIX, LOCK_EX) == -EBADF); ++ assert_se(xopenat_lock_full(tfd, "def", O_DIRECTORY, 0, 0755, LOCK_POSIX, LOCK_EX) == -EBADF); + } + + static int intro(void) { +diff --git a/src/tmpfiles/tmpfiles.c b/src/tmpfiles/tmpfiles.c +index 63a70adcdc..4919cb79d5 100644 +--- a/src/tmpfiles/tmpfiles.c ++++ b/src/tmpfiles/tmpfiles.c +@@ -817,7 +817,7 @@ static int dir_cleanup( + cutoff_nsec, sub_path, age_by_file, false)) + continue; + +- fd = xopenat(dirfd(d), ++ fd = xopenat_full(dirfd(d), + de->d_name, + O_RDONLY|O_CLOEXEC|O_NOFOLLOW|O_NOATIME|O_NONBLOCK, + /* xopen_flags = */ 0, +-- +2.33.0 + diff --git a/backport-fsck-do-not-pull-down-mount-units-on-soft-reboot.patch b/backport-fsck-do-not-pull-down-mount-units-on-soft-reboot.patch new file mode 100644 index 0000000..371394d --- /dev/null +++ b/backport-fsck-do-not-pull-down-mount-units-on-soft-reboot.patch 
@@ -0,0 +1,30 @@
+From 593a867d2a483e810a8758b096c25f66383b85f2 Mon Sep 17 00:00:00 2001
+From: Luca Boccassi
+Date: Mon, 8 Jul 2024 16:23:06 +0100
+Subject: [PATCH 0775/1160] fsck: do not pull down mount units on soft-reboot
+
+Otherwise they will pull down the disk too, which we don't want on soft-reboot
+
+(cherry picked from commit bbb0b72849ebbeeb8e252d9aeed94521df4f0ae8)
+(cherry picked from commit 1747350ffd05e2588b808d17befbc36072207c3c)
+---
+ units/systemd-fsck@.service.in | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/units/systemd-fsck@.service.in b/units/systemd-fsck@.service.in
+index 65521b1087..8eb4821d41 100644
+--- a/units/systemd-fsck@.service.in
++++ b/units/systemd-fsck@.service.in
+@@ -12,7 +12,8 @@ Description=File System Check on %f
+ Documentation=man:systemd-fsck@.service(8)
+ DefaultDependencies=no
+ BindsTo=%i.device
+-Conflicts=shutdown.target
++IgnoreOnIsolate=yes
++Conflicts=reboot.target kexec.target poweroff.target halt.target
+ After=%i.device systemd-fsck-root.service local-fs-pre.target
+ Before=systemd-quotacheck.service shutdown.target
+ 
+--
+2.33.0
+
diff --git a/backport-fundamental-declare-flex-array-updated-for-gcc15-and.patch b/backport-fundamental-declare-flex-array-updated-for-gcc15-and.patch
new file mode 100644
index 0000000..c73c1da
--- /dev/null
+++ b/backport-fundamental-declare-flex-array-updated-for-gcc15-and.patch
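Review bot: The unit still carries `Before=systemd-quotacheck.service shutdown.target` while the rewritten `Conflicts=` line no longer names shutdown.target, so the only explanation for why the conflict was narrowed lives in the commit message rather than next to the lines it affects. I would put it in the unit, above the new Conflicts= line: `# Deliberately not Conflicts=shutdown.target: on soft-reboot that would stop this unit and, through BindsTo=%i.device, pull down the device and its mount as well.` The added `IgnoreOnIsolate=yes` also keeps the unit alive across `systemctl isolate`, which fits the soft-reboot goal and is worth one clause in the same comment so a later cleanup does not drop it as unrelated.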
@@ -0,0 +1,45 @@ +From 52fb963b495bcf0d60b06e7a8ae00494b3912bb8 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Cristian=20Rodr=C3=ADguez?= +Date: Thu, 13 Jun 2024 11:59:28 -0400 +Subject: [PATCH 0697/1160] fundamental: declare flex array updated for gcc15 + and clang 19 + +Silly workaround that: +- allowed flexible arrays in unions +- allowed flexible arrays in otherwise empty structs + +Is no longer needed since https://gcc.gnu.org/git/?p=gcc.git;a=commit;h=adb1c8a0f167c3a1f7593d75f5a10eb07a5d741a +(GCC15) or clang 19 https://github.com/llvm/llvm-project/commit/14ba782a87e16e9e15460a51f50e67e2744c26d9 + +(cherry picked from commit 3c2f2146f50c75662987541719bedc4aee9df939) +(cherry picked from commit 3706b5e8e92fe6a4ff21cefe66f2eb27953a3fdf) +--- + src/fundamental/macro-fundamental.h | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/src/fundamental/macro-fundamental.h b/src/fundamental/macro-fundamental.h +index 797330dd97..c237108abf 100644 +--- a/src/fundamental/macro-fundamental.h ++++ b/src/fundamental/macro-fundamental.h +@@ -489,6 +489,10 @@ static inline uint64_t ALIGN_OFFSET_U64(uint64_t l, uint64_t ali) { + } \ + } + ++/* Restriction/bug (see above) was fixed in GCC 15 and clang 19.*/ ++#if __GNUC__ >= 15 || (defined(__clang__) && __clang_major__ >= 19) ++#define DECLARE_FLEX_ARRAY(type, name) type name[]; ++#else + /* Declare a flexible array usable in a union. + * This is essentially a work-around for a pointless constraint in C99 + * and might go away in some future version of the standard. +@@ -500,6 +504,7 @@ static inline uint64_t ALIGN_OFFSET_U64(uint64_t l, uint64_t ali) { + dummy_t __empty__ ## name; \ + type name[]; \ + } ++#endif + + /* Declares an ELF read-only string section that does not occupy memory at runtime. */ + #define DECLARE_NOALLOC_SECTION(name, text) \ +-- +2.33.0 + 
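Review bot: The new comment `/* Restriction/bug (see above) was fixed in GCC 15 and clang 19.*/` points upward, but the explanation it refers to appears to be the "Declare a flexible array usable in a union" comment that now sits in the `#else` branch below it; I would reword it to `/* The C99 restriction worked around in the #else branch below was lifted in GCC 15 and clang 19. */`. Separately, the new definition ends in a semicolon while the union form in the `#else` branch does not, so a call site written as `DECLARE_FLEX_ARRAY(type, name);` (which the union form requires) produces a stray `;` inside the struct on newer compilers; if call sites are written that way, `#define DECLARE_FLEX_ARRAY(type, name) type name[]` keeps both branches interchangeable. Whether the extra semicolon is tolerated under the project's warning flags is not visible from this hunk.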
diff --git a/backport-fuzz-decompress_startswith-may-return-zero.patch b/backport-fuzz-decompress_startswith-may-return-zero.patch new file mode 100644 index 0000000..e5048f4 --- /dev/null +++ b/backport-fuzz-decompress_startswith-may-return-zero.patch 
@@ -0,0 +1,54 @@ +From 3b3e4c55c5adc127e04e45e048ae6dc60ffe2d40 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Sun, 23 Feb 2025 04:59:46 +0900 +Subject: [PATCH 1133/1160] fuzz: decompress_startswith() may return zero + +Fixes #36472. + +(cherry picked from commit 339f2f2eeb883b201f59076900e3bee7ff143460) +(cherry picked from commit 5e00d957baea4731cd08508141e9d3c807011312) +(cherry picked from commit 06f967b820bd3e5e0fe53a099e91b724d0ec5b3e) +--- + src/fuzz/fuzz-compress.c | 2 +- + test/fuzz/.gitattributes | 1 + + test/fuzz/fuzz-compress/issue-36472 | Bin 0 -> 34 bytes + 3 files changed, 2 insertions(+), 1 deletion(-) + create mode 100644 test/fuzz/fuzz-compress/issue-36472 + +diff --git a/src/fuzz/fuzz-compress.c b/src/fuzz/fuzz-compress.c +index c3f68f62dd..556ca3aafa 100644 +--- a/src/fuzz/fuzz-compress.c ++++ b/src/fuzz/fuzz-compress.c +@@ -60,7 +60,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { + size_t sw_len = MIN(data_len - 1, h->sw_len); + + r = decompress_startswith(alg, buf, csize, &buf2, h->data, sw_len, h->data[sw_len]); +- assert_se(r > 0); ++ assert_se(r >= 0); + + return 0; + } +diff --git a/test/fuzz/.gitattributes b/test/fuzz/.gitattributes +index 02dea65580..673c2e6fcc 100644 +--- a/test/fuzz/.gitattributes ++++ b/test/fuzz/.gitattributes +@@ -1,5 +1,6 @@ + /*/* -whitespace + /fuzz-bus-match/* binary ++/fuzz-compress/* binary + /fuzz-dhcp*/* binary + /fuzz-dns-packet/* binary + /fuzz-fido-id-desc/ binary +diff --git a/test/fuzz/fuzz-compress/issue-36472 b/test/fuzz/fuzz-compress/issue-36472 +new file mode 100644 +index 0000000000000000000000000000000000000000..fca37d475f228090f039974522515d21f98f7ebd +GIT binary patch +literal 34 +Qcmca-00;NrEMx{30G3JzmjD0& + +literal 0 +HcmV?d00001 + +-- +2.33.0 + diff --git a/backport-fuzz-tentatively-disable-fuzz-compress-on-oss-fuzz.patch b/backport-fuzz-tentatively-disable-fuzz-compress-on-oss-fuzz.patch new file mode 100644 index 0000000..e14d612 --- /dev/null 
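Review bot: The relaxed check `assert_se(r >= 0);` should say why zero is now acceptable, since the commit message is the only place that records it; I would add above it `/* 0 is a valid non-match result from decompress_startswith(); only a negative errno is a bug here (#36472). */`, worded to whatever the function actually documents for 0. A packaging concern: the corpus file test/fuzz/fuzz-compress/issue-36472 is carried as a `GIT binary patch` section, which GNU patch cannot apply, so if the spec applies these backports with patch rather than `git apply` that file will be missing and the regression input never exercised. LLVMFuzzerTestOneInput() starts outside the hunk.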
+++ b/backport-fuzz-tentatively-disable-fuzz-compress-on-oss-fuzz.patch @@ -0,0 +1,38 @@ +From d6cf5e1733aa6b8a57896753c356f6c2d1fef713 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Sun, 23 Feb 2025 05:34:55 +0900 +Subject: [PATCH 1134/1160] fuzz: tentatively disable fuzz-compress on oss-fuzz + +It does not work on oss-fuzz for some reasons. See #11018. + +(cherry picked from commit 0656b3a083b48a2cccb90ee1f7fed949d9283b76) +(cherry picked from commit 16c3e3eac0864d9707b4eac018edcf6c88e754da) +(cherry picked from commit 6b2e003525542959dc73a1377947ac21f08ca19b) +--- + src/fuzz/meson.build | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/src/fuzz/meson.build b/src/fuzz/meson.build +index 8c1b2e91ea..a1a13950f8 100644 +--- a/src/fuzz/meson.build ++++ b/src/fuzz/meson.build +@@ -5,7 +5,6 @@ simple_fuzzers += files( + 'fuzz-bus-label.c', + 'fuzz-calendarspec.c', + 'fuzz-catalog.c', +- 'fuzz-compress.c', + 'fuzz-env-file.c', + 'fuzz-hostname-setup.c', + 'fuzz-json.c', +@@ -14,3 +13,8 @@ simple_fuzzers += files( + 'fuzz-varlink.c', + 'fuzz-varlink-idl.c', + ) ++ ++# The following fuzzers do not work on oss-fuzz. See #11018. ++if not want_ossfuzz ++ simple_fuzzers += files('fuzz-compress.c') ++endif +-- +2.33.0 + diff --git a/backport-gpt-add-more-architecture-aliases.patch b/backport-gpt-add-more-architecture-aliases.patch new file mode 100644 index 0000000..b519079 --- /dev/null +++ b/backport-gpt-add-more-architecture-aliases.patch 
@@ -0,0 +1,54 @@ +From b4e43b53c4a2b6f3fd238a6ea073d9471514bf59 Mon Sep 17 00:00:00 2001 +From: Luca Boccassi +Date: Tue, 16 Jul 2024 17:46:54 +0100 +Subject: [PATCH 0781/1160] gpt: add more architecture aliases + +Same as the other aliases. Allows chaining commands like: + +$ systemd-id128 show -P root-$(dpkg-architecture --query DEB_HOST_ARCH) +4f68bce3e8cd4db196e7fbcaf984b709 + +(cherry picked from commit f0b151ce864371da06a4d4a63a2a8b5282817b7e) +(cherry picked from commit b60d5bc1b774f900dc5c5d45faed17e919bdf0b3) +--- + src/shared/gpt.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/src/shared/gpt.c b/src/shared/gpt.c +index 7d40c4ab5e..f3e52478ea 100644 +--- a/src/shared/gpt.c ++++ b/src/shared/gpt.c +@@ -143,21 +143,30 @@ const GptPartitionType gpt_partition_type_table[] = { + _GPT_ARCH_SEXTET(ARM64, "aarch64"), /* Alias: must be listed after arm64 */ + _GPT_ARCH_SEXTET(IA64, "ia64"), + _GPT_ARCH_SEXTET(LOONGARCH64, "loongarch64"), ++ _GPT_ARCH_SEXTET(LOONGARCH64, "loong64"), /* Alias: must be listed after loongarch64 */ + _GPT_ARCH_SEXTET(MIPS, "mips"), + _GPT_ARCH_SEXTET(MIPS64, "mips64"), + _GPT_ARCH_SEXTET(MIPS_LE, "mips-le"), ++ _GPT_ARCH_SEXTET(MIPS_LE, "mipsel"), /* Alias: must be listed after mips-le */ + _GPT_ARCH_SEXTET(MIPS64_LE, "mips64-le"), ++ _GPT_ARCH_SEXTET(MIPS64_LE, "mips64el"), /* Alias: must be listed after mips64-le */ + _GPT_ARCH_SEXTET(PARISC, "parisc"), ++ _GPT_ARCH_SEXTET(PARISC, "hppa"), /* Alias: must be listed after parisc */ + _GPT_ARCH_SEXTET(PPC, "ppc"), + _GPT_ARCH_SEXTET(PPC64, "ppc64"), + _GPT_ARCH_SEXTET(PPC64_LE, "ppc64-le"), + _GPT_ARCH_SEXTET(PPC64_LE, "ppc64le"), /* Alias: must be listed after ppc64-le */ ++ _GPT_ARCH_SEXTET(PPC64_LE, "ppc64el"), /* Alias: must be listed after ppc64-le */ + _GPT_ARCH_SEXTET(RISCV32, "riscv32"), + _GPT_ARCH_SEXTET(RISCV64, "riscv64"), + _GPT_ARCH_SEXTET(S390, "s390"), + _GPT_ARCH_SEXTET(S390X, "s390x"), + _GPT_ARCH_SEXTET(TILEGX, "tilegx"), + _GPT_ARCH_SEXTET(X86, 
"x86"), ++ _GPT_ARCH_SEXTET(X86, "i386"), /* Alias: must be listed after x86 */ ++ _GPT_ARCH_SEXTET(X86, "i486"), /* Alias: must be listed after x86 */ ++ _GPT_ARCH_SEXTET(X86, "i586"), /* Alias: must be listed after x86 */ ++ _GPT_ARCH_SEXTET(X86, "i686"), /* Alias: must be listed after x86 */ + _GPT_ARCH_SEXTET(X86_64, "x86-64"), + _GPT_ARCH_SEXTET(X86_64, "x86_64"), /* Alias: must be listed after x86-64 */ + _GPT_ARCH_SEXTET(X86_64, "amd64"), /* Alias: must be listed after x86-64 */ +-- +2.33.0 + diff --git a/backport-gpt-auto-generator-fix-argument-passed-to-parse_imag.patch b/backport-gpt-auto-generator-fix-argument-passed-to-parse_imag.patch new file mode 100644 index 0000000..ee62080 --- /dev/null +++ b/backport-gpt-auto-generator-fix-argument-passed-to-parse_imag.patch 
@@ -0,0 +1,35 @@
+From f02d013803efd3ffb5376ee1db5e85b0bc4a06df Mon Sep 17 00:00:00 2001
+From: Antonio Alvarez Feijoo
+Date: Mon, 19 Feb 2024 16:53:15 +0100
+Subject: [PATCH 0252/1160] gpt-auto-generator: fix argument passed to
+ `parse_image_policy_argument`
+
+Otherwise:
+
+```
+Feb 19 16:35:34 localhost systemd-gpt-auto-generator[188]: Assertion 's' failed at src/shared/image-policy.c:656, function parse_image_policy_argument(). Aborting.
+```
+
+Fixes 06e78680e3c36589b785f90ecda64d124905a3f7
+
+(cherry picked from commit d0a0059c214905595ffc9b0348ec8dfa88b49b6d)
+---
+ src/gpt-auto-generator/gpt-auto-generator.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/gpt-auto-generator/gpt-auto-generator.c b/src/gpt-auto-generator/gpt-auto-generator.c
+index 80ca647e51..07531ec101 100644
+--- a/src/gpt-auto-generator/gpt-auto-generator.c
++++ b/src/gpt-auto-generator/gpt-auto-generator.c
+@@ -967,7 +967,7 @@ static int parse_proc_cmdline_item(const char *key, const char *value, void *dat
+ else if (streq(key, "ro") && !value)
+ arg_root_rw = false;
+ else if (proc_cmdline_key_streq(key, "systemd.image_policy"))
+- return parse_image_policy_argument(optarg, &arg_image_policy);
++ return parse_image_policy_argument(value, &arg_image_policy);
+ 
+ else if (streq(key, "systemd.swap")) {
+ 
+--
+2.33.0
+
diff --git a/backport-hashmap-reorder-fields-to-pack-structure-better.patch b/backport-hashmap-reorder-fields-to-pack-structure-better.patch
new file mode 100644
index 0000000..d76a69d
--- /dev/null
+++ b/backport-hashmap-reorder-fields-to-pack-structure-better.patch
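Review bot: Passing `value` instead of `optarg` fixes the assertion quoted in the commit message, but `value` appears able to be NULL for a bare `systemd.image_policy` switch without `=` — the `ro` branch two lines up tests `!value` for exactly that shape — and parse_image_policy_argument() would then trip the same `Assertion 's' failed`. I would guard it first: `if (proc_cmdline_value_missing(key, value)) return 0;` immediately before the `return parse_image_policy_argument(value, &arg_image_policy);` line. parse_proc_cmdline_item() starts and ends outside the hunk.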
@@ -0,0 +1,31 @@
+From cbfc0c772918b52d9b61a7b00e57b19f11972672 Mon Sep 17 00:00:00 2001
+From: Lennart Poettering
+Date: Fri, 1 Mar 2024 21:43:21 +0100
+Subject: [PATCH 0431/1160] hashmap: reorder fields to pack structure better
+
+When building with ENABLE_DEBUG_HASHMAP we can pack the hashmap iterator
+structure a bit better.
+
+Fixes: #31558
+(cherry picked from commit e28b70a52752a3da6d517982f33a9b1ee85f3f37)
+---
+ src/basic/hashmap.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/basic/hashmap.h b/src/basic/hashmap.h
+index 233f1d7a1e..d0ebdf545e 100644
+--- a/src/basic/hashmap.h
++++ b/src/basic/hashmap.h
+@@ -39,8 +39,8 @@ typedef struct IteratedCache IteratedCache; /* Caches the iterated order of on
+ * by hashmap users, so the definition has to be here. Do not use its fields
+ * directly. */
+ typedef struct {
+- unsigned idx; /* index of an entry to be iterated next */
+ const void *next_key; /* expected value of that entry's key pointer */
++ unsigned idx; /* index of an entry to be iterated next */
+ #if ENABLE_DEBUG_HASHMAP
+ unsigned put_count; /* hashmap's put_count recorded at start of iteration */
+ unsigned rem_count; /* hashmap's rem_count in previous iteration */
+--
+2.33.0
+
diff --git a/backport-hibernate-resume-always-clear-HibernateLocation-if-s.patch b/backport-hibernate-resume-always-clear-HibernateLocation-if-s.patch
new file mode 100644
index 0000000..dabf4a4
--- /dev/null
+++ b/backport-hibernate-resume-always-clear-HibernateLocation-if-s.patch
@@ -0,0 +1,81 @@ +From bce69dc3f9efca7513761ac418447b43db89f194 Mon Sep 17 00:00:00 2001 +From: Mike Yuan +Date: Tue, 5 Dec 2023 16:37:36 +0800 +Subject: [PATCH 0018/1160] hibernate-resume: always clear HibernateLocation if + system info matches + +Follow-up for a628d933cc67cc8b183dc809ba1451aa5b2996e5 + +HibernateInfo.from_efi is not actually useful. info.efi is only +set if the system identifier stored in EFI variable matches with +that of the running system, and thus the variable should be cleared +no matter whether resume= is set from kernel cmdline or not. + +(cherry picked from commit 24ab77c3cd72306f23edef11091feec100603cac) +--- + src/hibernate-resume/hibernate-resume-config.c | 9 +++------ + src/hibernate-resume/hibernate-resume-config.h | 1 - + src/hibernate-resume/hibernate-resume.c | 2 +- + 3 files changed, 4 insertions(+), 8 deletions(-) + +diff --git a/src/hibernate-resume/hibernate-resume-config.c b/src/hibernate-resume/hibernate-resume-config.c +index fe4add2c19..e4be7ca245 100644 +--- a/src/hibernate-resume/hibernate-resume-config.c ++++ b/src/hibernate-resume/hibernate-resume-config.c +@@ -204,13 +204,12 @@ void compare_hibernate_location_and_warn(const HibernateInfo *info) { + int r; + + assert(info); +- assert(info->from_efi || info->cmdline); + +- if (info->from_efi) +- return; +- if (!info->efi) ++ if (!info->cmdline || !info->efi) + return; + ++ assert(info->device == info->cmdline->device); ++ + if (!path_equal(info->cmdline->device, info->efi->device)) { + r = devnode_same(info->cmdline->device, info->efi->device); + if (r < 0) +@@ -256,11 +255,9 @@ int acquire_hibernate_info(HibernateInfo *ret) { + if (i.cmdline) { + i.device = i.cmdline->device; + i.offset = i.cmdline->offset; +- i.from_efi = false; + } else if (i.efi) { + i.device = i.efi->device; + i.offset = i.efi->offset; +- i.from_efi = true; + } else + return -ENODEV; + +diff --git a/src/hibernate-resume/hibernate-resume-config.h b/src/hibernate-resume/hibernate-resume-config.h 
+index 364abf7912..365d9ccda5 100644 +--- a/src/hibernate-resume/hibernate-resume-config.h ++++ b/src/hibernate-resume/hibernate-resume-config.h +@@ -27,7 +27,6 @@ typedef struct EFIHibernateLocation { + typedef struct HibernateInfo { + const char *device; + uint64_t offset; /* in memory pages */ +- bool from_efi; + + KernelHibernateLocation *cmdline; + EFIHibernateLocation *efi; +diff --git a/src/hibernate-resume/hibernate-resume.c b/src/hibernate-resume/hibernate-resume.c +index 9d81332f26..175a0bda96 100644 +--- a/src/hibernate-resume/hibernate-resume.c ++++ b/src/hibernate-resume/hibernate-resume.c +@@ -59,7 +59,7 @@ static int run(int argc, char *argv[]) { + if (r <= 0) + return r; + +- if (arg_info.from_efi) ++ if (arg_info.efi) + clear_efi_hibernate_location(); + } + +-- +2.33.0 + diff --git a/backport-hibernate-resume-don-t-wait-forever-if-hibernate-inf.patch b/backport-hibernate-resume-don-t-wait-forever-if-hibernate-inf.patch new file mode 100644 index 0000000..f5145a1 --- /dev/null +++ b/backport-hibernate-resume-don-t-wait-forever-if-hibernate-inf.patch 
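Review bot: The new `assert(info->device == info->cmdline->device);` in compare_hibernate_location_and_warn() compares pointers, so it holds only because acquire_hibernate_info() assigns `i.device = i.cmdline->device;` by reference rather than copying the string — the second hunk in this file shows that, but nothing at the assertion or in the header says the two fields alias. I would annotate the assertion: `/* device aliases the cmdline pointer itself, see acquire_hibernate_info(); cmdline wins over efi there */`. The hibernate-resume.c switch to `if (arg_info.efi)` matches the commit message and needs no further change.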
@@ -0,0 +1,68 @@ +From 02dfbf3362b999865414708c78a4e97f2a7264ff Mon Sep 17 00:00:00 2001 +From: Mike Yuan +Date: Tue, 12 Dec 2023 16:20:32 +0800 +Subject: [PATCH 0053/1160] hibernate-resume: don't wait forever if hibernate + info is from EFI + +(cherry picked from commit 6cfce71b5034eb304eea82a31c400ff511cfa69e) +--- + .../hibernate-resume-generator.c | 26 +++++++++++-------- + 1 file changed, 15 insertions(+), 11 deletions(-) + +diff --git a/src/hibernate-resume/hibernate-resume-generator.c b/src/hibernate-resume/hibernate-resume-generator.c +index c1c21a2c13..0168428394 100644 +--- a/src/hibernate-resume/hibernate-resume-generator.c ++++ b/src/hibernate-resume/hibernate-resume-generator.c +@@ -54,26 +54,30 @@ static int parse_proc_cmdline_item(const char *key, const char *value, void *dat + return 0; + } + +-static int process_resume(const char *device) { ++static int process_resume(const HibernateInfo *info) { + _cleanup_free_ char *device_unit = NULL; + int r; + +- assert(device); ++ assert(info); + +- r = unit_name_from_path(device, ".device", &device_unit); ++ r = unit_name_from_path(info->device, ".device", &device_unit); + if (r < 0) +- return log_error_errno(r, "Failed to generate device unit name from path '%s': %m", device); ++ return log_error_errno(r, "Failed to generate device unit name from path '%s': %m", info->device); + +- r = write_drop_in(arg_dest, device_unit, 40, "device-timeout", +- "# Automatically generated by systemd-hibernate-resume-generator\n\n" +- "[Unit]\n" +- "JobTimeoutSec=infinity\n"); ++ /* If hibernate info is acquired from EFI variable, don't wait forever by default. Otherwise, if ++ * swap device is not present and HibernateLocation was not correctly cleared, we end up blocking ++ * the boot process infinitely. */ ++ r = write_drop_in_format(arg_dest, device_unit, 40, "device-timeout", ++ "# Automatically generated by systemd-hibernate-resume-generator\n\n" ++ "[Unit]\n" ++ "JobTimeoutSec=%s\n", ++ info->cmdline ? 
"infinity" : "2min"); + if (r < 0) + log_warning_errno(r, "Failed to write device timeout drop-in, ignoring: %m"); + + r = generator_write_timeouts(arg_dest, +- device, +- device, ++ info->device, ++ info->device, + arg_resume_options ?: arg_root_options, + NULL); + if (r < 0) +@@ -120,7 +124,7 @@ static int run(const char *dest, const char *dest_early, const char *dest_late) + if (r < 0) + return r; + +- return process_resume(info.device); ++ return process_resume(&info); + } + + DEFINE_MAIN_GENERATOR_FUNCTION(run); +-- +2.33.0 + diff --git a/backport-hibernate-util-check-noresume-before-reading-resume-.patch b/backport-hibernate-util-check-noresume-before-reading-resume-.patch new file mode 100644 index 0000000..fbccf4b --- /dev/null +++ b/backport-hibernate-util-check-noresume-before-reading-resume-.patch 
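Review bot: The fallback `"2min"` in process_resume() is a bare literal inside the ternary feeding `JobTimeoutSec=%s`, and the comment above it explains the policy (bound the wait when the location came from an EFI variable) but not the choice of duration or how it relates to the default device timeout. A named constant at file level, for example `#define HIBERNATE_RESUME_EFI_DEVICE_TIMEOUT "2min"` (constructed name), used in the ternary would make it greppable and tunable in one place. The comment should also note that the unbounded `infinity` is kept only for a `resume=` from the kernel command line, which an operator reading the generated drop-in cannot tell from the resolved value alone.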
@@ -0,0 +1,57 @@ +From 676047efb8713ee7e0072791224e327c42b0db2b Mon Sep 17 00:00:00 2001 +From: Mike Yuan +Date: Sun, 7 Apr 2024 02:59:07 +0800 +Subject: [PATCH 0496/1160] hibernate-util: check 'noresume' before reading + resume setting + +Also hibernation_is_safe() should really take this +into consideration too. + +(cherry picked from commit b8b0704ce97842c47a4406d262f07c314edef034) +--- + src/login/logind-dbus.c | 2 +- + src/shared/hibernate-util.c | 8 ++++++++ + 2 files changed, 9 insertions(+), 1 deletion(-) + +diff --git a/src/login/logind-dbus.c b/src/login/logind-dbus.c +index ec1f2f3305..cd2db2d18c 100644 +--- a/src/login/logind-dbus.c ++++ b/src/login/logind-dbus.c +@@ -2072,7 +2072,7 @@ static int method_do_shutdown_or_sleep( + + case SLEEP_RESUME_NOT_SUPPORTED: + return sd_bus_error_set(error, BUS_ERROR_SLEEP_VERB_NOT_SUPPORTED, +- "Not running on EFI and resume= is not set. No available method to resume from hibernation"); ++ "Not running on EFI and resume= is not set, or noresume is set. 
No available method to resume from hibernation"); + + case SLEEP_NOT_ENOUGH_SWAP_SPACE: + return sd_bus_error_set(error, BUS_ERROR_SLEEP_VERB_NOT_SUPPORTED, +diff --git a/src/shared/hibernate-util.c b/src/shared/hibernate-util.c +index 0d215e8570..c3991cfa4c 100644 +--- a/src/shared/hibernate-util.c ++++ b/src/shared/hibernate-util.c +@@ -23,6 +23,7 @@ + #include "log.h" + #include "parse-util.h" + #include "path-util.h" ++#include "proc-cmdline.h" + #include "stat-util.h" + #include "string-util.h" + #include "strv.h" +@@ -129,6 +130,13 @@ static int read_resume_config(dev_t *ret_devno, uint64_t *ret_offset) { + assert(ret_devno); + assert(ret_offset); + ++ r = proc_cmdline_get_key("noresume", /* flags = */ 0, /* ret_value = */ NULL); ++ if (r < 0) ++ return log_debug_errno(r, "Failed to check if 'noresume' kernel command line option is set: %m"); ++ if (r > 0) ++ return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE), ++ "'noresume' kernel command line option is set, refusing hibernation device lookup."); ++ + r = read_one_line_file("/sys/power/resume", &devno_str); + if (r < 0) + return log_debug_errno(r, "Failed to read /sys/power/resume: %m"); +-- +2.33.0 + diff --git a/backport-hibernate-util-logind-emit-a-clear-error-if-the-spec.patch b/backport-hibernate-util-logind-emit-a-clear-error-if-the-spec.patch new file mode 100644 index 0000000..41fe662 --- /dev/null +++ b/backport-hibernate-util-logind-emit-a-clear-error-if-the-spec.patch 
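Review bot: read_resume_config() now returns `SYNTHETIC_ERRNO(ENOTRECOVERABLE)` for `noresume`, which, judging by the shared logind string "resume= is not set, or noresume is set", is the same errno the "no resume setting" path already uses, and callers distinguish failures only by errno; that reuse should be stated at the return, e.g. `/* Same errno as "resume= not set": callers map ENOTRECOVERABLE to SLEEP_RESUME_NOT_SUPPORTED. */`. The `proc_cmdline_get_key("noresume", /* flags = */ 0, /* ret_value = */ NULL)` call, with no value pointer and no flags, reads to me as matching only a bare `noresume` switch and not `noresume=<value>`; if that is the intended semantics a one-line comment would stop someone later "fixing" it to accept a value. read_resume_config() continues outside the hunk.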
@@ -0,0 +1,115 @@ +From 5ad37b316a9b86311b7664a2252007e32648bd8a Mon Sep 17 00:00:00 2001 +From: Mike Yuan +Date: Wed, 8 May 2024 12:42:40 +0800 +Subject: [PATCH 0615/1160] hibernate-util,logind: emit a clear error if the + specified resume dev is missing + +Currently, SLEEP_NOT_ENOUGH_SWAP_SPACE (ENOSPC) is returned +on all sorts of error conditions. But one important case +that's worth differentiating from that is when the resume device +is manually specified yet missing. + +Closes #32644 + +(cherry picked from commit 40eb83a8fe535897b17760988849fa061a8f4929) +--- + src/login/logind-dbus.c | 4 ++++ + src/shared/hibernate-util.c | 12 ++++++------ + src/shared/sleep-config.c | 18 +++++++++++++----- + src/shared/sleep-config.h | 1 + + 4 files changed, 24 insertions(+), 11 deletions(-) + +diff --git a/src/login/logind-dbus.c b/src/login/logind-dbus.c +index 6dbc3662e1..5a442bdc2c 100644 +--- a/src/login/logind-dbus.c ++++ b/src/login/logind-dbus.c +@@ -2074,6 +2074,10 @@ static int method_do_shutdown_or_sleep( + return sd_bus_error_set(error, BUS_ERROR_SLEEP_VERB_NOT_SUPPORTED, + "Not running on EFI and resume= is not set, or noresume is set. 
No available method to resume from hibernation"); + ++ case SLEEP_RESUME_DEVICE_MISSING: ++ return sd_bus_error_set(error, BUS_ERROR_SLEEP_VERB_NOT_SUPPORTED, ++ "Specified resume device is missing or is not an active swap device"); ++ + case SLEEP_NOT_ENOUGH_SWAP_SPACE: + return sd_bus_error_set(error, BUS_ERROR_SLEEP_VERB_NOT_SUPPORTED, + "Not enough suitable swap space for hibernation available on compatible block devices and file systems"); +diff --git a/src/shared/hibernate-util.c b/src/shared/hibernate-util.c +index c3991cfa4c..ea1b024ab6 100644 +--- a/src/shared/hibernate-util.c ++++ b/src/shared/hibernate-util.c +@@ -393,7 +393,7 @@ int find_suitable_hibernation_device_full(HibernationDevice *ret_device, uint64_ + if (!entry) { + /* No need to check n_swaps == 0, since it's rejected early */ + assert(resume_config_devno > 0); +- return log_debug_errno(SYNTHETIC_ERRNO(ENOSPC), "Cannot find swap entry corresponding to /sys/power/resume."); ++ return log_debug_errno(SYNTHETIC_ERRNO(ESTALE), "Cannot find swap entry corresponding to /sys/power/resume."); + } + + if (ret_device) { +@@ -451,11 +451,11 @@ int hibernation_is_safe(void) { + bypass_space_check = getenv_bool("SYSTEMD_BYPASS_HIBERNATION_MEMORY_CHECK") > 0; + + r = find_suitable_hibernation_device_full(NULL, &size, &used); +- if (r == -ENOSPC && bypass_space_check) +- /* If we don't have any available swap space at all, and SYSTEMD_BYPASS_HIBERNATION_MEMORY_CHECK +- * is set, skip all remaining checks since we can't do that properly anyway. It is quite +- * possible that the user is using a setup similar to #30083. When we actually perform +- * hibernation in sleep.c we'll check everything again. */ ++ if (IN_SET(r, -ENOSPC, -ESTALE) && bypass_space_check) ++ /* If we don't have any available swap space at all, or the specified resume device is missing, ++ * and $SYSTEMD_BYPASS_HIBERNATION_MEMORY_CHECK is set, skip all remaining checks since ++ * we can't do that properly anyway. 
It is quite possible that the user is using a setup ++ * similar to #30083. When we actually perform hibernation in sleep.c we'll check everything again. */ + return 0; + if (r < 0) + return r; +diff --git a/src/shared/sleep-config.c b/src/shared/sleep-config.c +index 7282111f49..a7e9dfe018 100644 +--- a/src/shared/sleep-config.c ++++ b/src/shared/sleep-config.c +@@ -348,16 +348,24 @@ static int sleep_supported_internal( + } + + r = hibernation_is_safe(); +- if (r == -ENOTRECOVERABLE) { ++ switch (r) { ++ ++ case -ENOTRECOVERABLE: + *ret_support = SLEEP_RESUME_NOT_SUPPORTED; + return false; +- } +- if (r == -ENOSPC) { ++ ++ case -ESTALE: ++ *ret_support = SLEEP_RESUME_DEVICE_MISSING; ++ return false; ++ ++ case -ENOSPC: + *ret_support = SLEEP_NOT_ENOUGH_SWAP_SPACE; + return false; ++ ++ default: ++ if (r < 0) ++ return r; + } +- if (r < 0) +- return r; + } else + assert(!sleep_config->modes[operation]); + +diff --git a/src/shared/sleep-config.h b/src/shared/sleep-config.h +index bc5aeb91bd..4864a8b042 100644 +--- a/src/shared/sleep-config.h ++++ b/src/shared/sleep-config.h +@@ -45,6 +45,7 @@ typedef enum SleepSupport { + SLEEP_NOT_CONFIGURED, /* SleepConfig.states is not configured */ + SLEEP_STATE_OR_MODE_NOT_SUPPORTED, /* SleepConfig.states/modes are not supported by kernel */ + SLEEP_RESUME_NOT_SUPPORTED, ++ SLEEP_RESUME_DEVICE_MISSING, /* resume= is specified, but the device cannot be found in /proc/swaps */ + SLEEP_NOT_ENOUGH_SWAP_SPACE, + SLEEP_ALARM_NOT_SUPPORTED, /* CLOCK_BOOTTIME_ALARM is unsupported by kernel (only used by s2h) */ + } SleepSupport; +-- +2.33.0 + diff --git a/backport-hibernate-util-make-sure-we-use-blockdev-path-for-Hi.patch b/backport-hibernate-util-make-sure-we-use-blockdev-path-for-Hi.patch new file mode 100644 index 0000000..f75d5cb --- /dev/null +++ b/backport-hibernate-util-make-sure-we-use-blockdev-path-for-Hi.patch 
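Review bot: In hibernation_is_safe() the bypass branch now returns 0 for `-ESTALE` as well, so with $SYSTEMD_BYPASS_HIBERNATION_MEMORY_CHECK set a configured-but-missing resume device is reported as safe, which is a configuration error rather than the swap-space accounting the variable is named for; the comment states the intent but not the consequence. I would add to that comment: `/* NOTE: a missing resume device is not a space problem; it is skipped here only because sleep.c re-validates the device before actually hibernating. */` so the reliance on the later check is explicit. In sleep-config.c the `default: if (r < 0) return r;` arm leaves the switch for r >= 0 and continues past the `} else assert(...)`, which is the intended success path and reads better with a `/* r >= 0: hibernation is safe */` line. sleep_supported_internal() starts and ends outside the hunk.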
@@ -0,0 +1,48 @@ +From 78d2f76f8fd80fa68717725c24412e0388500d4b Mon Sep 17 00:00:00 2001 +From: Mike Yuan +Date: Wed, 27 Dec 2023 22:19:07 +0800 +Subject: [PATCH 0094/1160] hibernate-util: make sure we use blockdev path for + HibernationDevice.path + +Before this commit, this field could spuriously contain the path of the +swapfile. + +(cherry picked from commit 66b9956082f4e458b5fb2d3571088fb73872f6b2) +--- + src/shared/hibernate-util.c | 16 ++++++++++++++-- + 1 file changed, 14 insertions(+), 2 deletions(-) + +diff --git a/src/shared/hibernate-util.c b/src/shared/hibernate-util.c +index 3eb13d48f6..0d215e8570 100644 +--- a/src/shared/hibernate-util.c ++++ b/src/shared/hibernate-util.c +@@ -388,12 +388,24 @@ int find_suitable_hibernation_device_full(HibernationDevice *ret_device, uint64_ + return log_debug_errno(SYNTHETIC_ERRNO(ENOSPC), "Cannot find swap entry corresponding to /sys/power/resume."); + } + +- if (ret_device) ++ if (ret_device) { ++ char *path; ++ ++ if (entry->swapfile) { ++ r = device_path_make_canonical(S_IFBLK, entry->devno, &path); ++ if (r < 0) ++ return log_debug_errno(r, ++ "Failed to format canonical device path for devno '" DEVNUM_FORMAT_STR "': %m", ++ DEVNUM_FORMAT_VAL(entry->devno)); ++ } else ++ path = TAKE_PTR(entry->path); ++ + *ret_device = (HibernationDevice) { + .devno = entry->devno, + .offset = entry->offset, +- .path = TAKE_PTR(entry->path), ++ .path = path, + }; ++ } + + if (ret_size) { + *ret_size = entry->size; +-- +2.33.0 + diff --git a/backport-home-fix-ownership-of-files-copied-from-skelton-dire.patch b/backport-home-fix-ownership-of-files-copied-from-skelton-dire.patch new file mode 100644 index 0000000..d61711a --- /dev/null +++ b/backport-home-fix-ownership-of-files-copied-from-skelton-dire.patch 
@@ -0,0 +1,45 @@ +From 8d67da247a6d7841ba3e9a7fd06fcde16b217113 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Wed, 15 May 2024 06:19:42 +0900 +Subject: [PATCH 0631/1160] home: fix ownership of files copied from skelton + directory + +Fixes #32808. + +(cherry picked from commit 05e64ea45dedc7206f2054d9821c71d7dc94ef1b) +--- + src/home/homework.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/src/home/homework.c b/src/home/homework.c +index 066483e342..500c310cfc 100644 +--- a/src/home/homework.c ++++ b/src/home/homework.c +@@ -1031,12 +1031,13 @@ static int home_deactivate(UserRecord *h, bool force) { + return 0; + } + +-static int copy_skel(int root_fd, const char *skel) { ++static int copy_skel(UserRecord *h, int root_fd, const char *skel) { + int r; + ++ assert(h); + assert(root_fd >= 0); + +- r = copy_tree_at(AT_FDCWD, skel, root_fd, ".", UID_INVALID, GID_INVALID, COPY_MERGE|COPY_REPLACE, NULL, NULL); ++ r = copy_tree_at(AT_FDCWD, skel, root_fd, ".", h->uid, h->gid, COPY_MERGE|COPY_REPLACE, NULL, NULL); + if (r == -ENOENT) { + log_info("Skeleton directory %s missing, ignoring.", skel); + return 0; +@@ -1064,7 +1065,7 @@ int home_populate(UserRecord *h, int dir_fd) { + assert(h); + assert(dir_fd >= 0); + +- r = copy_skel(dir_fd, user_record_skeleton_directory(h)); ++ r = copy_skel(h, dir_fd, user_record_skeleton_directory(h)); + if (r < 0) + return r; + +-- +2.33.0 + diff --git a/backport-homed-add-missing-bus-call-to-homed-access-policy.patch b/backport-homed-add-missing-bus-call-to-homed-access-policy.patch new file mode 100644 index 0000000..8be16cf --- /dev/null +++ b/backport-homed-add-missing-bus-call-to-homed-access-policy.patch 
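Review bot: `copy_tree_at()` now receives `h->uid`/`h->gid` instead of `UID_INVALID`/`GID_INVALID`, so everything copied from the skeleton is chowned to the new user, but nothing in the code says why; a comment above the call such as `/* Files copied from the skeleton must be owned by the user, not by whoever runs homework (#32808) */` would record the contract. Combined with `COPY_MERGE|COPY_REPLACE`, existing same-named files in the home directory are, as I read the flag names, overwritten and re-owned as well — if that is intended for re-population it deserves a word in the same comment. copy_skel is fully visible, but home_populate continues outside the hunk.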
@@ -0,0 +1,28 @@ +From 222d89805d3f860d15f0502fc563ea589f286055 Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Mon, 27 Nov 2023 17:10:35 +0100 +Subject: [PATCH 0118/1160] homed: add missing bus call to homed access policy + +(cherry picked from commit 72bbd740a0df2705fd3c245c42aab702323e200e) +--- + src/home/org.freedesktop.home1.conf | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/src/home/org.freedesktop.home1.conf b/src/home/org.freedesktop.home1.conf +index de1fb93cc0..5af1a68607 100644 +--- a/src/home/org.freedesktop.home1.conf ++++ b/src/home/org.freedesktop.home1.conf +@@ -125,6 +125,10 @@ + send_interface="org.freedesktop.home1.Manager" + send_member="LockAllHomes"/> + ++ ++ + +-- +2.33.0 + diff --git a/backport-homed-manager-pass-the-right-error-variable.patch b/backport-homed-manager-pass-the-right-error-variable.patch new file mode 100644 index 0000000..4538e3d --- /dev/null +++ b/backport-homed-manager-pass-the-right-error-variable.patch 
@@ -0,0 +1,44 @@ +From 9799198824b0ab934a6ea672e561a9b74f334332 Mon Sep 17 00:00:00 2001 +From: David Tardon +Date: Tue, 7 May 2024 13:46:32 +0200 +Subject: [PATCH 0602/1160] homed-manager: pass the right error variable + +(cherry picked from commit bc65a5e37d66c22296ba10e63a429ce1fbf14acb) +--- + src/home/homed-manager.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/src/home/homed-manager.c b/src/home/homed-manager.c +index b8bef53db5..e37660a61b 100644 +--- a/src/home/homed-manager.c ++++ b/src/home/homed-manager.c +@@ -903,7 +903,7 @@ static int manager_assess_image( + + r = btrfs_is_subvol_fd(fd); + if (r < 0) +- return log_warning_errno(errno, "Failed to determine whether %s is a btrfs subvolume: %m", path); ++ return log_warning_errno(r, "Failed to determine whether %s is a btrfs subvolume: %m", path); + if (r > 0) + storage = USER_SUBVOLUME; + else { +@@ -1428,7 +1428,7 @@ static int manager_generate_key_pair(Manager *m) { + /* Write out public key (note that we only do that as a help to the user, we don't make use of this ever */ + r = fopen_temporary("/var/lib/systemd/home/local.public", &fpublic, &temp_public); + if (r < 0) +- return log_error_errno(errno, "Failed to open key file for writing: %m"); ++ return log_error_errno(r, "Failed to open key file for writing: %m"); + + if (PEM_write_PUBKEY(fpublic, m->private_key) <= 0) + return log_error_errno(SYNTHETIC_ERRNO(EIO), "Failed to write public key."); +@@ -1442,7 +1442,7 @@ static int manager_generate_key_pair(Manager *m) { + /* Write out the private key (this actually writes out both private and public, OpenSSL is confusing) */ + r = fopen_temporary("/var/lib/systemd/home/local.private", &fprivate, &temp_private); + if (r < 0) +- return log_error_errno(errno, "Failed to open key file for writing: %m"); ++ return log_error_errno(r, "Failed to open key file for writing: %m"); + + if (PEM_write_PrivateKey(fprivate, m->private_key, NULL, NULL, 0, NULL, 0) <= 0) + return 
log_error_errno(SYNTHETIC_ERRNO(EIO), "Failed to write private key pair."); +-- +2.33.0 + diff --git a/backport-homework-cifs-Pass-password-via-fd.patch b/backport-homework-cifs-Pass-password-via-fd.patch new file mode 100644 index 0000000..7f0ea74 --- /dev/null +++ b/backport-homework-cifs-Pass-password-via-fd.patch 
@@ -0,0 +1,122 @@ +From 29b632ff675b371f6373463f7fd22904026c2d34 Mon Sep 17 00:00:00 2001 +From: Adrian Vovk +Date: Thu, 7 Mar 2024 13:38:26 -0500 +Subject: [PATCH 0448/1160] homework-cifs: Pass password via fd + +Pass the password into mount.cifs via a file descriptor, rather +than putting it into a plain-text file in /tmp. This uses the $PASSWD_FD +environment variable, which is undocumented but has existed since +forever (initial commit from 2010 [1] has it already) + +[1]: +https://git.samba.org/?p=cifs-utils.git;a=blob;f=mount.cifs.c;hb=ce0b1609a9eedce6c5eb20eab287ea44217c0a6a#l1477 + +(cherry picked from commit 606a1f203c8871871bc8c5833d66ccbef870b010) +--- + src/home/homework-cifs.c | 62 +++++++++++++++++++++------------------- + 1 file changed, 32 insertions(+), 30 deletions(-) + +diff --git a/src/home/homework-cifs.c b/src/home/homework-cifs.c +index 19f1cd5b85..5d8713111e 100644 +--- a/src/home/homework-cifs.c ++++ b/src/home/homework-cifs.c +@@ -5,6 +5,7 @@ + #include + #endif + ++#include "data-fd-util.h" + #include "dirent-util.h" + #include "fd-util.h" + #include "fileio.h" +@@ -24,7 +25,7 @@ int home_setup_cifs( + HomeSetupFlags flags, + HomeSetup *setup) { + +- _cleanup_free_ char *chost = NULL, *cservice = NULL, *cdir = NULL, *chost_and_service = NULL, *j = NULL; ++ _cleanup_free_ char *chost = NULL, *cservice = NULL, *cdir = NULL, *chost_and_service = NULL, *j = NULL, *options = NULL; + int r; + + assert(h); +@@ -53,49 +54,50 @@ int home_setup_cifs( + if (!chost_and_service) + return log_oom(); + ++ if (asprintf(&options, "user=%s,uid=" UID_FMT ",forceuid,gid=" GID_FMT ",forcegid,file_mode=0%3o,dir_mode=0%3o", ++ user_record_cifs_user_name(h), h->uid, user_record_gid(h), user_record_access_mode(h), ++ user_record_access_mode(h)) < 0) ++ return log_oom(); ++ ++ if (h->cifs_domain) ++ if (strextendf_with_separator(&options, ",", "domain=%s", h->cifs_domain) < 0) ++ return log_oom(); ++ ++ if (h->cifs_extra_mount_options) ++ if 
(!strextend_with_separator(&options, ",", h->cifs_extra_mount_options)) ++ return log_oom(); ++ + r = home_unshare_and_mkdir(); + if (r < 0) + return r; + + STRV_FOREACH(pw, h->password) { +- _cleanup_(unlink_and_freep) char *p = NULL; +- _cleanup_free_ char *options = NULL; +- _cleanup_fclose_ FILE *f = NULL; ++ _cleanup_close_ int passwd_fd = -EBADF; + pid_t mount_pid; + int exit_status; + +- r = fopen_temporary_child(NULL, &f, &p); +- if (r < 0) +- return log_error_errno(r, "Failed to create temporary credentials file: %m"); +- +- fprintf(f, +- "username=%s\n" +- "password=%s\n", +- user_record_cifs_user_name(h), +- *pw); +- +- if (h->cifs_domain) +- fprintf(f, "domain=%s\n", h->cifs_domain); +- +- r = fflush_and_check(f); +- if (r < 0) +- return log_error_errno(r, "Failed to write temporary credentials file: %m"); +- +- f = safe_fclose(f); +- +- if (asprintf(&options, "credentials=%s,uid=" UID_FMT ",forceuid,gid=" GID_FMT ",forcegid,file_mode=0%3o,dir_mode=0%3o", +- p, h->uid, user_record_gid(h), user_record_access_mode(h), user_record_access_mode(h)) < 0) +- return log_oom(); +- +- if (h->cifs_extra_mount_options) +- if (!strextend_with_separator(&options, ",", h->cifs_extra_mount_options)) +- return log_oom(); ++ passwd_fd = acquire_data_fd(*pw, strlen(*pw), /* flags= */ 0); ++ if (passwd_fd < 0) ++ return log_error_errno(passwd_fd, "Failed to create data FD for password: %m"); + + r = safe_fork("(mount)", FORK_RESET_SIGNALS|FORK_RLIMIT_NOFILE_SAFE|FORK_DEATHSIG_SIGTERM|FORK_LOG|FORK_STDOUT_TO_STDERR, &mount_pid); + if (r < 0) + return r; + if (r == 0) { + /* Child */ ++ ++ r = fd_cloexec(passwd_fd, false); ++ if (r < 0) { ++ log_error_errno(r, "Failed to disable CLOEXEC on password FD: %m"); ++ _exit(EXIT_FAILURE); ++ } ++ ++ r = setenvf("PASSWD_FD", /* overwrite= */ true, "%d", passwd_fd); ++ if (r < 0) { ++ log_error_errno(errno, "Failed to set $PASSWD_FD: %m"); ++ _exit(EXIT_FAILURE); ++ } ++ + execl("/bin/mount", "/bin/mount", "-n", "-t", "cifs", + 
chost_and_service, HOME_RUNTIME_WORK_DIR, + "-o", options, NULL); +-- +2.33.0 + diff --git a/backport-homework-fscrypt-pass-the-right-error-variable.patch b/backport-homework-fscrypt-pass-the-right-error-variable.patch new file mode 100644 index 0000000..aa34418 --- /dev/null +++ b/backport-homework-fscrypt-pass-the-right-error-variable.patch @@ -0,0 +1,35 @@ +From 9aeadf541d87e9f6a0d990b1f534b3938dd6f83e Mon Sep 17 00:00:00 2001 +From: David Tardon +Date: Tue, 7 May 2024 13:49:31 +0200 +Subject: [PATCH 0603/1160] homework-fscrypt: pass the right error variable + +(cherry picked from commit 11bbc1f8b8e367019f1e1e1fece3c1cade6cb1c3) +--- + src/home/homework-fscrypt.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/home/homework-fscrypt.c b/src/home/homework-fscrypt.c +index 6aae1d2626..3834055646 100644 +--- a/src/home/homework-fscrypt.c ++++ b/src/home/homework-fscrypt.c +@@ -212,7 +212,7 @@ static int fscrypt_setup( + + r = flistxattr_malloc(setup->root_fd, &xattr_buf); + if (r < 0) +- return log_error_errno(errno, "Failed to retrieve xattr list: %m"); ++ return log_error_errno(r, "Failed to retrieve xattr list: %m"); + + NULSTR_FOREACH(xa, xattr_buf) { + _cleanup_free_ void *salt = NULL, *encrypted = NULL; +@@ -649,7 +649,7 @@ int home_passwd_fscrypt( + + r = flistxattr_malloc(setup->root_fd, &xattr_buf); + if (r < 0) +- return log_error_errno(errno, "Failed to retrieve xattr list: %m"); ++ return log_error_errno(r, "Failed to retrieve xattr list: %m"); + + NULSTR_FOREACH(xa, xattr_buf) { + const char *nr; +-- +2.33.0 + diff --git a/backport-homework-quota-pass-the-right-error-variable.patch b/backport-homework-quota-pass-the-right-error-variable.patch new file mode 100644 index 0000000..ae034b0 --- /dev/null +++ b/backport-homework-quota-pass-the-right-error-variable.patch 
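Review bot: In the child branch the `setenvf()` failure is logged with `errno` rather than the returned `r` — `log_error_errno(errno, "Failed to set $PASSWD_FD: %m")` — while the sibling patches in this series exist precisely to pass the right error variable; if `setenvf()` returns a negative errno like the other helpers used here, this should read `log_error_errno(r, "Failed to set $PASSWD_FD: %m");`, otherwise the message reports a stale errno. Passing the secret through `acquire_data_fd(*pw, strlen(*pw), /* flags= */ 0)` instead of a plaintext credentials file is a clear improvement; a one-line comment above the `execl()` noting that the password travels only via `$PASSWD_FD` while `options` (user, domain, uid/gid) remains visible in the process list would make the boundary explicit for future changes. home_setup_cifs continues outside the hunk.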
@@ -0,0 +1,26 @@ +From a2e7aac103565ce931fbcb4ea86e1df5943d7329 Mon Sep 17 00:00:00 2001 +From: David Tardon +Date: Tue, 7 May 2024 13:54:21 +0200 +Subject: [PATCH 0604/1160] homework-quota: pass the right error variable + +(cherry picked from commit 2c30973f0bb538a7ed2d19e8c019fcb7deb882a3) +--- + src/home/homework-quota.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/home/homework-quota.c b/src/home/homework-quota.c +index 508c0c01b2..24c7bfe1ed 100644 +--- a/src/home/homework-quota.c ++++ b/src/home/homework-quota.c +@@ -107,7 +107,7 @@ int home_update_quota_auto(UserRecord *h, const char *path) { + + r = btrfs_is_subvol(path); + if (r < 0) +- return log_error_errno(errno, "Failed to test if %s is a subvolume: %m", path); ++ return log_error_errno(r, "Failed to test if %s is a subvolume: %m", path); + if (r == 0) + return log_error_errno(SYNTHETIC_ERRNO(ENOTTY), "Directory %s is not a subvolume, cannot apply quota.", path); + +-- +2.33.0 + diff --git a/backport-hostname-expose-machine-ID-and-boot-ID-through-DBus.patch b/backport-hostname-expose-machine-ID-and-boot-ID-through-DBus.patch new file mode 100644 index 0000000..9891fc5 --- /dev/null +++ b/backport-hostname-expose-machine-ID-and-boot-ID-through-DBus.patch 
@@ -0,0 +1,219 @@ +From 2741ddebe6997fc342323bd35c8a020bc6011350 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Sat, 2 Dec 2023 19:26:29 +0900 +Subject: [PATCH 0009/1160] hostname: expose machine ID and boot ID through + DBus + +Fixes #30293. + +(cherry picked from commit 5db7eb21f95b6538de089b17c4e856f1d1ec2f60) +--- + man/org.freedesktop.hostname1.xml | 14 +++++++++ + src/hostname/hostnamectl.c | 45 +++++++++++++------------- + src/hostname/hostnamed.c | 52 ++++++++++++++++++++++++++++++- + 3 files changed, 88 insertions(+), 23 deletions(-) + +diff --git a/man/org.freedesktop.hostname1.xml b/man/org.freedesktop.hostname1.xml +index a079837a67..0c5b0f2704 100644 +--- a/man/org.freedesktop.hostname1.xml ++++ b/man/org.freedesktop.hostname1.xml +@@ -95,6 +95,10 @@ node /org/freedesktop/hostname1 { + readonly s FirmwareVendor = '...'; + @org.freedesktop.DBus.Property.EmitsChangedSignal("const") + readonly t FirmwareDate = ...; ++ @org.freedesktop.DBus.Property.EmitsChangedSignal("const") ++ readonly ay MachineID = [...]; ++ @org.freedesktop.DBus.Property.EmitsChangedSignal("const") ++ readonly ay BootID = [...]; + }; + interface org.freedesktop.DBus.Peer { ... }; + interface org.freedesktop.DBus.Introspectable { ... }; +@@ -116,6 +120,10 @@ node /org/freedesktop/hostname1 { + + + ++ ++ ++ ++ + + + +@@ -184,6 +192,10 @@ node /org/freedesktop/hostname1 { + + + ++ ++ ++ ++ + + + Whenever the hostname or other metadata is changed via the daemon, +@@ -428,6 +440,8 @@ node /org/freedesktop/hostname1 { + OperatingSystemSupportEnd, + FirmwareVendor, and + FirmwareDate were added in version 253. ++ MachineID, and ++ BootID were added in version 256. 
+ + + +diff --git a/src/hostname/hostnamectl.c b/src/hostname/hostnamectl.c +index 75226e3a00..14fc160909 100644 +--- a/src/hostname/hostnamectl.c ++++ b/src/hostname/hostnamectl.c +@@ -335,29 +335,29 @@ static int show_all_names(sd_bus *bus) { + StatusInfo info = {}; + + static const struct bus_properties_map hostname_map[] = { +- { "Hostname", "s", NULL, offsetof(StatusInfo, hostname) }, +- { "StaticHostname", "s", NULL, offsetof(StatusInfo, static_hostname) }, +- { "PrettyHostname", "s", NULL, offsetof(StatusInfo, pretty_hostname) }, +- { "IconName", "s", NULL, offsetof(StatusInfo, icon_name) }, +- { "Chassis", "s", NULL, offsetof(StatusInfo, chassis) }, +- { "Deployment", "s", NULL, offsetof(StatusInfo, deployment) }, +- { "Location", "s", NULL, offsetof(StatusInfo, location) }, +- { "KernelName", "s", NULL, offsetof(StatusInfo, kernel_name) }, +- { "KernelRelease", "s", NULL, offsetof(StatusInfo, kernel_release) }, +- { "OperatingSystemPrettyName", "s", NULL, offsetof(StatusInfo, os_pretty_name) }, +- { "OperatingSystemCPEName", "s", NULL, offsetof(StatusInfo, os_cpe_name) }, +- { "OperatingSystemSupportEnd", "t", NULL, offsetof(StatusInfo, os_support_end) }, +- { "HomeURL", "s", NULL, offsetof(StatusInfo, home_url) }, +- { "HardwareVendor", "s", NULL, offsetof(StatusInfo, hardware_vendor) }, +- { "HardwareModel", "s", NULL, offsetof(StatusInfo, hardware_model) }, +- { "FirmwareVersion", "s", NULL, offsetof(StatusInfo, firmware_version) }, +- { "FirmwareDate", "t", NULL, offsetof(StatusInfo, firmware_date) }, ++ { "Hostname", "s", NULL, offsetof(StatusInfo, hostname) }, ++ { "StaticHostname", "s", NULL, offsetof(StatusInfo, static_hostname) }, ++ { "PrettyHostname", "s", NULL, offsetof(StatusInfo, pretty_hostname) }, ++ { "IconName", "s", NULL, offsetof(StatusInfo, icon_name) }, ++ { "Chassis", "s", NULL, offsetof(StatusInfo, chassis) }, ++ { "Deployment", "s", NULL, offsetof(StatusInfo, deployment) }, ++ { "Location", "s", NULL, offsetof(StatusInfo, location) 
}, ++ { "KernelName", "s", NULL, offsetof(StatusInfo, kernel_name) }, ++ { "KernelRelease", "s", NULL, offsetof(StatusInfo, kernel_release) }, ++ { "OperatingSystemPrettyName", "s", NULL, offsetof(StatusInfo, os_pretty_name) }, ++ { "OperatingSystemCPEName", "s", NULL, offsetof(StatusInfo, os_cpe_name) }, ++ { "OperatingSystemSupportEnd", "t", NULL, offsetof(StatusInfo, os_support_end) }, ++ { "HomeURL", "s", NULL, offsetof(StatusInfo, home_url) }, ++ { "HardwareVendor", "s", NULL, offsetof(StatusInfo, hardware_vendor) }, ++ { "HardwareModel", "s", NULL, offsetof(StatusInfo, hardware_model) }, ++ { "FirmwareVersion", "s", NULL, offsetof(StatusInfo, firmware_version) }, ++ { "FirmwareDate", "t", NULL, offsetof(StatusInfo, firmware_date) }, ++ { "MachineID", "ay", bus_map_id128, offsetof(StatusInfo, machine_id) }, ++ { "BootID", "ay", bus_map_id128, offsetof(StatusInfo, boot_id) }, + {} +- }; +- +- static const struct bus_properties_map manager_map[] = { +- { "Virtualization", "s", NULL, offsetof(StatusInfo, virtualization) }, +- { "Architecture", "s", NULL, offsetof(StatusInfo, architecture) }, ++ }, manager_map[] = { ++ { "Virtualization", "s", NULL, offsetof(StatusInfo, virtualization) }, ++ { "Architecture", "s", NULL, offsetof(StatusInfo, architecture) }, + {} + }; + +@@ -387,6 +387,7 @@ static int show_all_names(sd_bus *bus) { + if (r < 0) + return log_error_errno(r, "Failed to query system properties: %s", bus_error_message(&error, r)); + ++ /* For older version of hostnamed. 
*/ + if (!arg_host) { + if (sd_id128_is_null(info.machine_id)) + (void) sd_id128_get_machine(&info.machine_id); +diff --git a/src/hostname/hostnamed.c b/src/hostname/hostnamed.c +index e1d53f2395..fc7a97fb99 100644 +--- a/src/hostname/hostnamed.c ++++ b/src/hostname/hostnamed.c +@@ -995,6 +995,44 @@ static int property_get_uname_field( + return sd_bus_message_append(reply, "s", (char*) &u + PTR_TO_SIZE(userdata)); + } + ++static int property_get_machine_id( ++ sd_bus *bus, ++ const char *path, ++ const char *interface, ++ const char *property, ++ sd_bus_message *reply, ++ void *userdata, ++ sd_bus_error *error) { ++ ++ sd_id128_t id; ++ int r; ++ ++ r = sd_id128_get_machine(&id); ++ if (r < 0) ++ return r; ++ ++ return bus_property_get_id128(bus, path, interface, property, reply, &id, error); ++} ++ ++static int property_get_boot_id( ++ sd_bus *bus, ++ const char *path, ++ const char *interface, ++ const char *property, ++ sd_bus_message *reply, ++ void *userdata, ++ sd_bus_error *error) { ++ ++ sd_id128_t id; ++ int r; ++ ++ r = sd_id128_get_boot(&id); ++ if (r < 0) ++ return r; ++ ++ return bus_property_get_id128(bus, path, interface, property, reply, &id, error); ++} ++ + static int method_set_hostname(sd_bus_message *m, void *userdata, sd_bus_error *error) { + Context *c = ASSERT_PTR(userdata); + const char *name; +@@ -1302,7 +1340,7 @@ static int method_describe(sd_bus_message *m, void *userdata, sd_bus_error *erro + usec_t firmware_date = USEC_INFINITY, eol = USEC_INFINITY; + _cleanup_(sd_bus_message_unrefp) sd_bus_message *reply = NULL; + _cleanup_(json_variant_unrefp) JsonVariant *v = NULL; +- sd_id128_t product_uuid = SD_ID128_NULL; ++ sd_id128_t machine_id, boot_id, product_uuid = SD_ID128_NULL; + Context *c = ASSERT_PTR(userdata); + bool privileged; + struct utsname u; +@@ -1369,6 +1407,14 @@ static int method_describe(sd_bus_message *m, void *userdata, sd_bus_error *erro + if (c->data[PROP_OS_SUPPORT_END]) + (void) 
os_release_support_ended(c->data[PROP_OS_SUPPORT_END], /* quiet= */ false, &eol); + ++ r = sd_id128_get_machine(&machine_id); ++ if (r < 0) ++ return log_error_errno(r, "Failed to get machine ID: %m"); ++ ++ r = sd_id128_get_boot(&boot_id); ++ if (r < 0) ++ return log_error_errno(r, "Failed to get boot ID: %m"); ++ + r = json_build(&v, JSON_BUILD_OBJECT( + JSON_BUILD_PAIR("Hostname", JSON_BUILD_STRING(hn)), + JSON_BUILD_PAIR("StaticHostname", JSON_BUILD_STRING(c->data[PROP_STATIC_HOSTNAME])), +@@ -1392,6 +1438,8 @@ static int method_describe(sd_bus_message *m, void *userdata, sd_bus_error *erro + JSON_BUILD_PAIR("FirmwareVersion", JSON_BUILD_STRING(firmware_version)), + JSON_BUILD_PAIR("FirmwareVendor", JSON_BUILD_STRING(firmware_vendor)), + JSON_BUILD_PAIR_FINITE_USEC("FirmwareDate", firmware_date), ++ JSON_BUILD_PAIR_ID128("MachineID", machine_id), ++ JSON_BUILD_PAIR_ID128("BootID", boot_id), + JSON_BUILD_PAIR_CONDITION(!sd_id128_is_null(product_uuid), "ProductUUID", JSON_BUILD_ID128(product_uuid)), + JSON_BUILD_PAIR_CONDITION(sd_id128_is_null(product_uuid), "ProductUUID", JSON_BUILD_NULL))); + +@@ -1436,6 +1484,8 @@ static const sd_bus_vtable hostname_vtable[] = { + SD_BUS_PROPERTY("FirmwareVersion", "s", property_get_firmware_version, 0, SD_BUS_VTABLE_PROPERTY_CONST), + SD_BUS_PROPERTY("FirmwareVendor", "s", property_get_firmware_vendor, 0, SD_BUS_VTABLE_PROPERTY_CONST), + SD_BUS_PROPERTY("FirmwareDate", "t", property_get_firmware_date, 0, SD_BUS_VTABLE_PROPERTY_CONST), ++ SD_BUS_PROPERTY("MachineID", "ay", property_get_machine_id, 0, SD_BUS_VTABLE_PROPERTY_CONST), ++ SD_BUS_PROPERTY("BootID", "ay", property_get_boot_id, 0, SD_BUS_VTABLE_PROPERTY_CONST), + + SD_BUS_METHOD_WITH_ARGS("SetHostname", + SD_BUS_ARGS("s", hostname, "b", interactive), +-- +2.33.0 + diff --git a/backport-hostnamectl-do-not-show-local-machine-ID-and-boot-ID.patch b/backport-hostnamectl-do-not-show-local-machine-ID-and-boot-ID.patch new file mode 100644 index 0000000..7cbcf0e 
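Review bot: In method_describe the new `sd_id128_get_machine()`/`sd_id128_get_boot()` calls turn an unreadable machine ID into a hard failure of the whole Describe() call, whereas the neighbouring product UUID is treated as optional; if hostnamed is expected to keep answering with an uninitialized /etc/machine-id (first boot, minimal containers), consider `sd_id128_t machine_id = SD_ID128_NULL, boot_id = SD_ID128_NULL, ...`, best-effort `(void)` reads, and `JSON_BUILD_PAIR_CONDITION(!sd_id128_is_null(machine_id), "MachineID", JSON_BUILD_ID128(machine_id))` mirroring the ProductUUID pair. Separately, the new `MachineID` property carries no access gating beyond the other `SD_BUS_VTABLE_PROPERTY_CONST` entries, while machine-id(5) asks for the ID to be treated as confidential outside the local system; the man page addition should state that any bus client can read it, so deployments that bridge the bus can account for that. The version note `MachineID, and BootID were added in version 256.` keeps the upstream wording although this series targets v255.x, which is the usual stable-backport convention but worth a glance. method_describe's body extends beyond the hunk.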
--- /dev/null +++ b/backport-hostnamectl-do-not-show-local-machine-ID-and-boot-ID.patch 
@@ -0,0 +1,76 @@ +From 683415c1ed731845dddc87ad48f2c8fe973d951a Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Sat, 2 Dec 2023 19:14:35 +0900 +Subject: [PATCH 0008/1160] hostnamectl: do not show local machine ID and boot + ID when requested to show information about remote host + +Prompted by #30293. + +(cherry picked from commit 01e554e2e71859220e86a14212420720e05bccbf) +--- + src/hostname/hostnamectl.c | 20 +++++++++++++------- + 1 file changed, 13 insertions(+), 7 deletions(-) + +diff --git a/src/hostname/hostnamectl.c b/src/hostname/hostnamectl.c +index b1cf19205b..75226e3a00 100644 +--- a/src/hostname/hostnamectl.c ++++ b/src/hostname/hostnamectl.c +@@ -56,6 +56,8 @@ typedef struct StatusInfo { + const char *hardware_model; + const char *firmware_version; + usec_t firmware_date; ++ sd_id128_t machine_id; ++ sd_id128_t boot_id; + } StatusInfo; + + static const char* chassis_string_to_glyph(const char *chassis) { +@@ -97,7 +99,6 @@ static const char *os_support_end_color(usec_t n, usec_t eol) { + + static int print_status_info(StatusInfo *i) { + _cleanup_(table_unrefp) Table *table = NULL; +- sd_id128_t mid = {}, bid = {}; + TableCell *cell; + int r; + +@@ -174,20 +175,18 @@ static int print_status_info(StatusInfo *i) { + return table_log_add_error(r); + } + +- r = sd_id128_get_machine(&mid); +- if (r >= 0) { ++ if (!sd_id128_is_null(i->machine_id)) { + r = table_add_many(table, + TABLE_FIELD, "Machine ID", +- TABLE_ID128, mid); ++ TABLE_ID128, i->machine_id); + if (r < 0) + return table_log_add_error(r); + } + +- r = sd_id128_get_boot(&bid); +- if (r >= 0) { ++ if (!sd_id128_is_null(i->boot_id)) { + r = table_add_many(table, + TABLE_FIELD, "Boot ID", +- TABLE_ID128, bid); ++ TABLE_ID128, i->boot_id); + if (r < 0) + return table_log_add_error(r); + } +@@ -388,6 +387,13 @@ static int show_all_names(sd_bus *bus) { + if (r < 0) + return log_error_errno(r, "Failed to query system properties: %s", bus_error_message(&error, r)); + ++ if (!arg_host) { ++ if 
(sd_id128_is_null(info.machine_id)) ++ (void) sd_id128_get_machine(&info.machine_id); ++ if (sd_id128_is_null(info.boot_id)) ++ (void) sd_id128_get_boot(&info.boot_id); ++ } ++ + return print_status_info(&info); + } + +-- +2.33.0 + diff --git a/backport-hwdb-util-drop-unused-value-assignment.patch b/backport-hwdb-util-drop-unused-value-assignment.patch new file mode 100644 index 0000000..5994f07 --- /dev/null +++ b/backport-hwdb-util-drop-unused-value-assignment.patch 
@@ -0,0 +1,108 @@ +From 8858f69efa24a219586eb715b46ee306c59479bb Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Wed, 19 Feb 2025 03:46:55 +0900 +Subject: [PATCH 1148/1160] hwdb-util: drop unused value assignment + +The values assigned to 'r' were never used, and overwritten by the next +call of read_line_full(). + +Fixes CID#1548043 and CID#1548064. + +(cherry picked from commit 00575cfd696a2a335decb66580727fafd3c152aa) +(cherry picked from commit 244790adfa626fbdbaf8cebec2f1b4759b12456b) +(cherry picked from commit f92b518f17232b709a62c21250e0502464743409) +--- + src/shared/hwdb-util.c | 36 +++++++++++++++--------------------- + 1 file changed, 15 insertions(+), 21 deletions(-) + +diff --git a/src/shared/hwdb-util.c b/src/shared/hwdb-util.c +index f67e917b53..2292104d3b 100644 +--- a/src/shared/hwdb-util.c ++++ b/src/shared/hwdb-util.c +@@ -466,7 +466,7 @@ static int import_file(struct trie *trie, const char *filename, uint16_t file_pr + _cleanup_fclose_ FILE *f = NULL; + _cleanup_strv_free_ char **match_list = NULL; + uint32_t line_number = 0; +- int r, err; ++ int r; + + f = fopen(filename, "re"); + if (!f) +@@ -506,24 +506,23 @@ static int import_file(struct trie *trie, const char *filename, uint16_t file_pr + break; + + if (line[0] == ' ') { +- r = log_syntax(NULL, LOG_WARNING, filename, line_number, SYNTHETIC_ERRNO(EINVAL), +- "Match expected but got indented property \"%s\", ignoring line.", line); ++ log_syntax(NULL, LOG_WARNING, filename, line_number, 0, ++ "Match expected but got indented property \"%s\", ignoring line.", line); + break; + } + + /* start of record, first match */ + state = HW_MATCH; + +- err = strv_extend(&match_list, line); +- if (err < 0) +- return err; +- ++ r = strv_extend(&match_list, line); ++ if (r < 0) ++ return r; + break; + + case HW_MATCH: + if (len == 0) { +- r = log_syntax(NULL, LOG_WARNING, filename, line_number, SYNTHETIC_ERRNO(EINVAL), +- "Property expected, ignoring record with no properties."); ++ log_syntax(NULL, 
LOG_WARNING, filename, line_number, 0, ++ "Property expected, ignoring record with no properties."); + state = HW_NONE; + match_list = strv_free(match_list); + break; +@@ -531,18 +530,15 @@ static int import_file(struct trie *trie, const char *filename, uint16_t file_pr + + if (line[0] != ' ') { + /* another match */ +- err = strv_extend(&match_list, line); +- if (err < 0) +- return err; +- ++ r = strv_extend(&match_list, line); ++ if (r < 0) ++ return r; + break; + } + + /* first data */ + state = HW_DATA; +- err = insert_data(trie, match_list, line, filename, file_priority, line_number, compat); +- if (err < 0) +- r = err; ++ (void) insert_data(trie, match_list, line, filename, file_priority, line_number, compat); + break; + + case HW_DATA: +@@ -554,16 +550,14 @@ static int import_file(struct trie *trie, const char *filename, uint16_t file_pr + } + + if (line[0] != ' ') { +- r = log_syntax(NULL, LOG_WARNING, filename, line_number, SYNTHETIC_ERRNO(EINVAL), +- "Property or empty line expected, got \"%s\", ignoring record.", line); ++ log_syntax(NULL, LOG_WARNING, filename, line_number, 0, ++ "Property or empty line expected, got \"%s\", ignoring record.", line); + state = HW_NONE; + match_list = strv_free(match_list); + break; + } + +- err = insert_data(trie, match_list, line, filename, file_priority, line_number, compat); +- if (err < 0) +- r = err; ++ (void) insert_data(trie, match_list, line, filename, file_priority, line_number, compat); + break; + }; + } +-- +2.33.0 + diff --git a/backport-id128-refuse-app-specific-if-we-re-listing-GPT-types.patch b/backport-id128-refuse-app-specific-if-we-re-listing-GPT-types.patch new file mode 100644 index 0000000..ae518c3 --- /dev/null +++ b/backport-id128-refuse-app-specific-if-we-re-listing-GPT-types.patch 
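Review bot: The two `(void) insert_data(...)` casts make explicit that a failing record does not abort the import, but the justification lives only in the commit message; a comment at the first cast such as `/* insert_data() reports problems itself; a bad record must not abort importing the rest of the file */` keeps the intent visible. insert_data is not in view, so whether it distinguishes an allocation failure from a malformed record is unverified; if it does, propagating just that case (`if (r == -ENOMEM) return r;`) would avoid silently producing an incomplete hwdb. import_file continues outside the hunk.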
@@ -0,0 +1,128 @@ +From 0537c8b6465a42c5887a9746323b660bc6ae81bf Mon Sep 17 00:00:00 2001 +From: Mike Yuan +Date: Tue, 16 Jul 2024 21:10:46 +0200 +Subject: [PATCH 0782/1160] id128: refuse --app-specific= if we're listing GPT + types + +Prompted by #33737 + +The intention of b37e8184a5a376749fbf68674ed6d7a4fc9901aa +is to expose sd_id128_get_app_specific() on command line. +But combining that with GPT type list makes little sense. + +(cherry picked from commit fa96c55b7b0d19a7f72908ee7d3f8a1ef630be96) +(cherry picked from commit 86ec58a55c62e974a4f0cc345fac3fd84817399f) +--- + src/id128/id128.c | 37 ++++++++++++++++++++----------------- + 1 file changed, 20 insertions(+), 17 deletions(-) + +diff --git a/src/id128/id128.c b/src/id128/id128.c +index d726ab7051..e756fc5d4f 100644 +--- a/src/id128/id128.c ++++ b/src/id128/id128.c +@@ -15,7 +15,7 @@ + #include "verbs.h" + + static Id128PrettyPrintMode arg_mode = ID128_PRINT_ID128; +-static sd_id128_t arg_app = {}; ++static sd_id128_t arg_app = SD_ID128_NULL; + static bool arg_value = false; + + static int verb_new(int argc, char **argv, void *userdata) { +@@ -68,15 +68,12 @@ static int verb_invocation_id(int argc, char **argv, void *userdata) { + } + + static int show_one(Table **table, const char *name, sd_id128_t uuid, bool first) { +- sd_id128_t u; + int r; + + assert(table); + +- if (sd_id128_is_null(arg_app)) +- u = uuid; +- else +- assert_se(sd_id128_get_app_specific(uuid, arg_app, &u) == 0); ++ if (!name) ++ name = "XYZ"; + + if (arg_mode == ID128_PRINT_PRETTY) { + _cleanup_free_ char *id = NULL; +@@ -87,7 +84,7 @@ static int show_one(Table **table, const char *name, sd_id128_t uuid, bool first + + ascii_strupper(id); + +- r = id128_pretty_print_sample(id, u); ++ r = id128_pretty_print_sample(id, uuid); + if (r < 0) + return r; + if (!first) +@@ -96,19 +93,19 @@ static int show_one(Table **table, const char *name, sd_id128_t uuid, bool first + } + + if (arg_value) +- return id128_pretty_print(u, arg_mode); ++ 
return id128_pretty_print(uuid, arg_mode); + + if (!*table) { + *table = table_new("name", "id"); + if (!*table) + return log_oom(); ++ + table_set_width(*table, 0); + } + + return table_add_many(*table, + TABLE_STRING, name, +- arg_mode == ID128_PRINT_ID128 ? TABLE_ID128 : TABLE_UUID, +- u); ++ arg_mode == ID128_PRINT_ID128 ? TABLE_ID128 : TABLE_UUID, uuid); + } + + static int verb_show(int argc, char **argv, void *userdata) { +@@ -116,23 +113,26 @@ static int verb_show(int argc, char **argv, void *userdata) { + int r; + + argv = strv_skip(argv, 1); +- if (strv_isempty(argv)) ++ if (strv_isempty(argv)) { ++ if (!sd_id128_is_null(arg_app)) ++ return log_error_errno(SYNTHETIC_ERRNO(EINVAL), ++ "'show --app-specific=' can only be used with explicit UUID input."); ++ + for (const GptPartitionType *e = gpt_partition_type_table; e->name; e++) { + r = show_one(&table, e->name, e->uuid, e == gpt_partition_type_table); + if (r < 0) + return r; + } +- else ++ } else + STRV_FOREACH(p, argv) { + sd_id128_t uuid; +- bool have_uuid; +- const char *id; ++ const char *id = NULL; + + /* Check if the argument is an actual UUID first */ +- have_uuid = sd_id128_from_string(*p, &uuid) >= 0; ++ bool is_uuid = sd_id128_from_string(*p, &uuid) >= 0; + +- if (have_uuid) +- id = gpt_partition_type_uuid_to_string(uuid) ?: "XYZ"; ++ if (is_uuid) ++ id = gpt_partition_type_uuid_to_string(uuid); + else { + GptPartitionType type; + +@@ -144,6 +144,9 @@ static int verb_show(int argc, char **argv, void *userdata) { + id = *p; + } + ++ if (!sd_id128_is_null(arg_app)) ++ assert_se(sd_id128_get_app_specific(uuid, arg_app, &uuid) >= 0); ++ + r = show_one(&table, id, uuid, p == argv); + if (r < 0) + return r; +-- +2.33.0 + diff --git a/backport-id128-util-Attempt-to-read-UUID-from-sys-hypervisor-.patch b/backport-id128-util-Attempt-to-read-UUID-from-sys-hypervisor-.patch new file mode 100644 index 0000000..8e211a9 --- /dev/null +++ b/backport-id128-util-Attempt-to-read-UUID-from-sys-hypervisor-.patch 
@@ -0,0 +1,32 @@ +From 38d632aad551cbf4dc44f759a0cf507ecacda238 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Rafa=C3=ABl=20Kooi?= + <48814281+RA-Kooi@users.noreply.github.com> +Date: Mon, 22 Jan 2024 17:04:07 +0100 +Subject: [PATCH 0202/1160] id128-util: Attempt to read UUID from + /sys/hypervisor/uuid + +When using the Xen hypervisor the virtual machine UUID is exposed here. +This is useful when one needs stable IPv4 address assignment, e.g. for a +set of RAM nodes that are built from a template. + +(cherry picked from commit d2f2c20a6dc0f5c6fbab7d7ca8dc8f636a72abdb) +--- + src/libsystemd/sd-id128/id128-util.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/src/libsystemd/sd-id128/id128-util.c b/src/libsystemd/sd-id128/id128-util.c +index 9d32d95589..94bfd70bff 100644 +--- a/src/libsystemd/sd-id128/id128-util.c ++++ b/src/libsystemd/sd-id128/id128-util.c +@@ -234,6 +234,8 @@ int id128_get_product(sd_id128_t *ret) { + r = id128_read("/sys/class/dmi/id/product_uuid", ID128_FORMAT_UUID, &uuid); + if (r == -ENOENT) + r = id128_read("/proc/device-tree/vm,uuid", ID128_FORMAT_UUID, &uuid); ++ if (r == -ENOENT) ++ r = id128_read("/sys/hypervisor/uuid", ID128_FORMAT_UUID, &uuid); + if (r < 0) + return r; + +-- +2.33.0 + diff --git a/backport-id128-util-do-not-expose-product-UUID-when-running-i.patch b/backport-id128-util-do-not-expose-product-UUID-when-running-i.patch new file mode 100644 index 0000000..33d5e00 --- /dev/null +++ b/backport-id128-util-do-not-expose-product-UUID-when-running-i.patch 
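Review bot: The new fallback is reached only when the DMI read returned exactly -ENOENT, so an EACCES from /sys/class/dmi/id/product_uuid (typically root-only) is not silently substituted by the hypervisor file, which on Xen is presumably world-readable; that is the right choice but it deserves a comment, e.g. `/* Fall back to the Xen hypervisor UUID only when DMI/DT provide nothing at all, not on permission errors */`. The value read here reaches every existing consumer of the product UUID (in a VM this presumably includes machine-id derivation and hostnamed), so a hypervisor-controlled or template-cloned identity now arrives from a third source; the null/all-0xff sanity check I would expect after this block is outside the hunk and should be confirmed to cover this path too. id128_get_product() starts and ends outside the hunk.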
@@ -0,0 +1,46 @@ +From 74a344a0d649232405f56df881d2e529af8d7efd Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Mon, 8 Jan 2024 16:14:44 +0100 +Subject: [PATCH 0136/1160] id128-util: do not expose product UUID when running + in a container + +When we run in a container we should show our own system's info, not the +hosts hence suppress this info in that case. + +This matches the behaviour of most other calls in hostnamed to expose +system properties. + +(cherry picked from commit 5ee5b1659aad07a6b718de2868124d490c0dfb73) +--- + src/libsystemd/sd-id128/id128-util.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/src/libsystemd/sd-id128/id128-util.c b/src/libsystemd/sd-id128/id128-util.c +index dbe4d20150..9d32d95589 100644 +--- a/src/libsystemd/sd-id128/id128-util.c ++++ b/src/libsystemd/sd-id128/id128-util.c +@@ -13,6 +13,7 @@ + #include "stdio-util.h" + #include "string-util.h" + #include "sync-util.h" ++#include "virt.h" + + int id128_from_string_nonzero(const char *s, sd_id128_t *ret) { + sd_id128_t t; +@@ -223,6 +224,13 @@ int id128_get_product(sd_id128_t *ret) { + /* Reads the systems product UUID from DMI or devicetree (where it is located on POWER). This is + * particularly relevant in VM environments, where VM managers typically place a VM uuid there. */ + ++ r = detect_container(); ++ if (r < 0) ++ return r; ++ if (r > 0) /* Refuse returning this in containers, as this is not a property of our system then, but ++ * of the host */ ++ return -ENOENT; ++ + r = id128_read("/sys/class/dmi/id/product_uuid", ID128_FORMAT_UUID, &uuid); + if (r == -ENOENT) + r = id128_read("/proc/device-tree/vm,uuid", ID128_FORMAT_UUID, &uuid); +-- +2.33.0 + diff --git a/backport-import-check-overflow.patch b/backport-import-check-overflow.patch new file mode 100644 index 0000000..da64960 --- /dev/null +++ b/backport-import-check-overflow.patch 
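Review bot: Returning -ENOENT for the container case makes "suppressed on purpose" indistinguishable from "no sysfs/devicetree source" for callers of id128_get_product(); that is presumably intended so existing callers take their normal not-available path, but the comment should say so, e.g. `/* Return -ENOENT so callers treat this exactly like a missing source */`. A negative return from detect_container() is propagated, which means a failure to determine the container state yields an error rather than the host UUID; that is the safe direction from a disclosure standpoint and worth a one-line note so nobody later "fixes" it to fall through. The function continues past the hunk.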
@@ -0,0 +1,49 @@ +From a920cc9b3a8fc8b9ee57fa5c4a30d9234eb7a819 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Thu, 1 Aug 2024 12:03:54 +0900 +Subject: [PATCH 0829/1160] import: check overflow + +Fixes CID#1548022 and CID#1548075. + +(cherry picked from commit f7012a93a7f04fa29c7933a4963aa17fcf120e97) +(cherry picked from commit 11c15905cd4759b89a1da63d05772c1f7c3744a4) +--- + src/import/import-raw.c | 5 +++++ + src/import/import-tar.c | 5 +++++ + 2 files changed, 10 insertions(+) + +diff --git a/src/import/import-raw.c b/src/import/import-raw.c +index f7ed163d86..4abc6911a1 100644 +--- a/src/import/import-raw.c ++++ b/src/import/import-raw.c +@@ -408,6 +408,11 @@ static int raw_import_process(RawImport *i) { + goto finish; + } + ++ if ((size_t) l > sizeof(i->buffer) - i->buffer_size) { ++ r = log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Read input file exceeded maximum size."); ++ goto finish; ++ } ++ + i->buffer_size += l; + + if (i->compress.type == IMPORT_COMPRESS_UNKNOWN) { +diff --git a/src/import/import-tar.c b/src/import/import-tar.c +index 90202709ec..0951d65e26 100644 +--- a/src/import/import-tar.c ++++ b/src/import/import-tar.c +@@ -275,6 +275,11 @@ static int tar_import_process(TarImport *i) { + goto finish; + } + ++ if ((size_t) l > sizeof(i->buffer) - i->buffer_size) { ++ r = log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Read input file exceeded maximum size."); ++ goto finish; ++ } ++ + i->buffer_size += l; + + if (i->compress.type == IMPORT_COMPRESS_UNKNOWN) { +-- +2.33.0 + diff --git a/backport-import-creds-when-we-hit-ENOENT-on-SMBIOS-11-do-not-.patch b/backport-import-creds-when-we-hit-ENOENT-on-SMBIOS-11-do-not-.patch new file mode 100644 index 0000000..96f2c35 --- /dev/null +++ b/backport-import-creds-when-we-hit-ENOENT-on-SMBIOS-11-do-not-.patch 
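Review bot: The new size check in raw_import_process() runs after the read() that filled i->buffer, so if that read (just above the hunk, not visible) is bounded by `sizeof(i->buffer) - i->buffer_size` the branch can never fire, and if it is not bounded the overrun has already happened before the check. Either way this is an invariant, so an `assert((size_t) l <= sizeof(i->buffer) - i->buffer_size);` next to the read would document it better than an EBADMSG error that blames the input file. The subtraction also relies on i->buffer_size never exceeding sizeof(i->buffer); if that were violated it would wrap and the check would pass. The identical hunk in tar_import_process() has the same properties.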
@@ -0,0 +1,36 @@ +From f084959002e9efc2c4dccf410fa745b57f51f512 Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Thu, 11 Jul 2024 14:32:09 +0200 +Subject: [PATCH 0791/1160] import-creds: when we hit ENOENT on SMBIOS 11 do + not even debug log + +We'll *always* hit ENEOENT when iterating through SMBIOS type #11 +fields, on the last one. it's very confusing to debug log about that, +let's just not do it. + +(cherry picked from commit 5202ee42d5da0ae3a6655d2bc959a19d8c347e9d) +(cherry picked from commit 995c702a347d16cfad4605f3982d5278616ea1f8) +--- + src/core/import-creds.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/src/core/import-creds.c b/src/core/import-creds.c +index 2f8ab069b2..36f71fb578 100644 +--- a/src/core/import-creds.c ++++ b/src/core/import-creds.c +@@ -595,9 +595,11 @@ static int import_credentials_smbios(ImportCredentialContext *c) { + return log_oom(); + + r = read_virtual_file(p, sizeof(dmi_field_header) + CREDENTIALS_TOTAL_SIZE_MAX, (char**) &data, &size); ++ if (r == -ENOENT) /* Once we reach ENOENT there are no more DMI Type 11 fields around. */ ++ break; + if (r < 0) { + /* Once we reach ENOENT there are no more DMI Type 11 fields around. */ +- log_full_errno(r == -ENOENT ? LOG_DEBUG : LOG_WARNING, r, "Failed to open '%s', ignoring: %m", p); ++ log_warning_errno(r, "Failed to open '%s', ignoring: %m", p); + break; + } + +-- +2.33.0 + diff --git a/backport-install-allow-removing-symlinks-even-for-units-that-.patch b/backport-install-allow-removing-symlinks-even-for-units-that-.patch index f817e02..8540450 100644 --- a/backport-install-allow-removing-symlinks-even-for-units-that-.patch +++ b/backport-install-allow-removing-symlinks-even-for-units-that-.patch @@ -1,7 +1,8 @@ -From 5163c9b1e56293b1bb2803420613c5b374570892 Mon Sep 17 00:00:00 2001 +From 44c08e66f8e99c57e49f90ebf0ce4f153cee1627 Mon Sep 17 00:00:00 2001 
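Review bot: The comment left inside the `if (r < 0)` branch, `/* Once we reach ENOENT there are no more DMI Type 11 fields around. */`, is now stale because -ENOENT is consumed by the new `break` above it and never reaches that branch. Replace it with something describing what remains, e.g. `/* Any other error: stop scanning, later fields are unlikely to be readable either */`, or drop it. Note that a non-ENOENT error on a single sysfs entry still aborts the whole scan instead of skipping that entry, which is pre-existing but matters if credentials in later type-11 strings are relied upon. import_credentials_smbios() starts and ends outside the hunk.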
From: Luca Boccassi Date: Fri, 7 Jun 2024 21:39:45 +0100 -Subject: [PATCH] install: allow removing symlinks even for units that are gone +Subject: [PATCH 0700/1160] install: allow removing symlinks even for units + that are gone If a symlink is leftover, still allow cleaning it up via 'disable'. This happens when a unit is stopped and removed, but not disabled, and a reload @@ -12,19 +13,18 @@ OOM. Follow-up for f31f10a6207efc9ae9e0b1f73975b5b610914017 -Conflict:Adaptation TEST-26-SYSTEMCTL.sh to testsuite-26.sh -Reference:https://github.com/systemd/systemd/commit/5163c9b1e56293b1bb2803420613c5b374570892 - +(cherry picked from commit 5163c9b1e56293b1bb2803420613c5b374570892) +(cherry picked from commit c26e56d08f30a2946dfa1d03781c63bfa9f56c1d) --- src/shared/install.c | 14 ++++++++++---- test/units/testsuite-26.sh | 6 ++++++ 2 files changed, 16 insertions(+), 4 deletions(-) diff --git a/src/shared/install.c b/src/shared/install.c -index 0f4dab4..62d9c3c 100644 +index 8400e489b2..270124cce0 100644 --- a/src/shared/install.c +++ b/src/shared/install.c -@@ -2224,7 +2224,9 @@ static int install_context_mark_for_removal( +@@ -2232,7 +2232,9 @@ static int install_context_mark_for_removal( else { log_debug_errno(r, "Unit %s not found, removing name.", i->name); r = install_changes_add(changes, n_changes, r, i->path ?: i->name, NULL); @@ -35,7 +35,7 @@ index 0f4dab4..62d9c3c 100644 return r; } } else if (r < 0) { -@@ -2822,9 +2824,13 @@ static int do_unit_file_disable( +@@ -2830,9 +2832,13 @@ static int do_unit_file_disable( r = install_info_add(&ctx, *name, NULL, lp->root_dir, /* auxiliary= */ false, &info); if (r >= 0) r = install_info_traverse(&ctx, lp, info, SEARCH_LOAD|SEARCH_FOLLOW_CONFIG_SYMLINKS, NULL); @@ -53,7 +53,7 @@ index 0f4dab4..62d9c3c 100644 /* If we enable multiple units, some with install info and others without, * the "empty [Install] section" warning is not shown. Let's make the behavior 
diff --git a/test/units/testsuite-26.sh b/test/units/testsuite-26.sh -index 1e11c42..d08b03a 100755 +index 1e11c420e1..d08b03a449 100755 --- a/test/units/testsuite-26.sh +++ b/test/units/testsuite-26.sh @@ -311,6 +311,12 @@ systemctl cat "$UNIT_NAME" diff --git a/backport-install-fix-compiler-warning-about-empty-directive-a.patch b/backport-install-fix-compiler-warning-about-empty-directive-a.patch new file mode 100644 index 0000000..9e07f70 --- /dev/null +++ b/backport-install-fix-compiler-warning-about-empty-directive-a.patch 
@@ -0,0 +1,48 @@ +From f85d2c6d1023b1fe558142440b1d63c4fc5f7c98 Mon Sep 17 00:00:00 2001 +From: Luca Boccassi +Date: Sat, 24 Feb 2024 12:05:44 +0000 +Subject: [PATCH 0335/1160] install: fix compiler warning about empty directive + argument +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +On ppc64el with gcc 13.2 on Ubuntu 24.04: + +3s In file included from ../src/basic/macro.h:386, +483s from ../src/basic/alloc-util.h:10, +483s from ../src/shared/install.c:12: +483s ../src/shared/install.c: In function ‘install_changes_dump’: +483s ../src/shared/install.c:432:64: error: ‘%s’ directive argument is null [-Werror=format-overflow=] +483s 432 | err = log_error_errno(changes[i].type, "Failed to %s unit, unit %s does not exist.", +483s | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +483s ../src/shared/install.c:432:75: note: format string is defined here +483s 432 | err = log_error_errno(changes[i].type, "Failed to %s unit, unit %s does not exist.", + +(cherry picked from commit 8040fa55a1cbc34dede3205a902095ecd26c21e3) +--- + src/shared/install.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/src/shared/install.c b/src/shared/install.c +index 0f4dab4aa2..27a421e463 100644 +--- a/src/shared/install.c ++++ b/src/shared/install.c +@@ -340,9 +340,12 @@ void install_changes_dump(int r, const char *verb, const InstallChange *changes, + assert(verb || r >= 0); + + for (size_t i = 0; i < n_changes; i++) { +- if (changes[i].type < 0) +- assert(verb); + assert(changes[i].path); ++ /* This tries to tell the compiler that it's safe to use 'verb' in a string format if there ++ * was an error, but the compiler doesn't care and fails anyway, so strna(verb) is used ++ * too. */ ++ assert(verb || changes[i].type >= 0); ++ verb = strna(verb); + + /* When making changes here, make sure to also change install_error() in dbus-manager.c. */ + +-- +2.33.0 + 
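Review bot: `verb = strna(verb);` reassigns the parameter inside the loop, so from the second iteration on `assert(verb || changes[i].type >= 0)` is trivially true and a NULL verb combined with a negative change type is no longer caught; the old per-iteration `assert(verb)` was stricter. Keep the parameter untouched and format through a local instead: `const char *v = strna(verb);` before the loop and `v` in the log calls further down, which are outside this hunk. The function-level `assert(verb || r >= 0)` still guards the common case, so this is a weakening rather than a crash, but the comment should then say the substitution exists only to silence the format warning.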
diff --git a/backport-journal-file-util-use-COPY_VERIFY_LINKED.patch b/backport-journal-file-util-use-COPY_VERIFY_LINKED.patch new file mode 100644 index 0000000..2dd08f7 --- /dev/null +++ b/backport-journal-file-util-use-COPY_VERIFY_LINKED.patch @@ -0,0 +1,39 @@ +From 04209567d40b4bf802ac22b631f126aa52647732 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Thu, 15 Feb 2024 22:46:06 +0900 +Subject: [PATCH 0559/1160] journal-file-util: use COPY_VERIFY_LINKED + +As the main thread may call journal_directory_vacuum() -> +unlinkat_deallocate() while another thread is copying the file. + +Fixes #24150 and #31222. + +(cherry picked from commit 18d4e475c7fad8a5f003e5eb2a9ed0616e0ade20) +--- + src/shared/journal-file-util.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/src/shared/journal-file-util.c b/src/shared/journal-file-util.c +index b05ae0da7a..bdceac489f 100644 +--- a/src/shared/journal-file-util.c ++++ b/src/shared/journal-file-util.c +@@ -210,11 +210,15 @@ static void journal_file_set_offline_internal(JournalFile *f) { + + log_debug_errno(r, "Failed to re-enable copy-on-write for %s: %m, rewriting file", f->path); + ++ /* Here, setting COPY_VERIFY_LINKED flag is crucial. Otherwise, a broken ++ * journal file may be created, if journal_directory_vacuum() -> ++ * unlinkat_deallocate() is called in the main thread while this thread is ++ * copying the file. See issue #24150 and #31222. */ + r = copy_file_atomic_at_full( + f->fd, NULL, AT_FDCWD, f->path, f->mode, + 0, + FS_NOCOW_FL, +- COPY_REPLACE | COPY_FSYNC | COPY_HOLES | COPY_ALL_XATTRS, ++ COPY_REPLACE | COPY_FSYNC | COPY_HOLES | COPY_ALL_XATTRS | COPY_VERIFY_LINKED, + NULL, NULL); + if (r < 0) { + log_debug_errno(r, "Failed to rewrite %s: %m", f->path); +-- +2.33.0 + diff --git a/backport-journal-file-util-use-the-file-descriptor-of-journal.patch b/backport-journal-file-util-use-the-file-descriptor-of-journal.patch new file mode 100644 index 0000000..c2aa5a6 --- /dev/null 
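Review bot: The added comment reads as if COPY_VERIFY_LINKED eliminates the race with journal_directory_vacuum(), but presumably the flag only re-checks that f->fd is still linked before the rename inside copy_file_atomic_at_full() (not visible here), so a vacuum landing between that check and the rename can still resurrect a deleted journal file, just far less likely. I would word it as narrowing rather than closing the window, e.g. `/* COPY_VERIFY_LINKED makes the copy fail if the source was unlinked meanwhile; it narrows, not closes, the race with vacuuming. */`. journal_file_set_offline_internal() starts and ends outside the hunk.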
+++ b/backport-journal-file-util-use-the-file-descriptor-of-journal.patch @@ -0,0 +1,38 @@ +From 8ee43d11581f8f8debef9793c7776a584eb4157d Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Wed, 14 Feb 2024 09:36:45 +0900 +Subject: [PATCH 0558/1160] journal-file-util: use the file descriptor of + journal file on copy + +No effective functionality changed, just refactoring. + +(cherry picked from commit f73ad0a9fb18bdba3f0704f5feef2dcbd6130915) +--- + src/shared/journal-file-util.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +diff --git a/src/shared/journal-file-util.c b/src/shared/journal-file-util.c +index e444a2bdd8..b05ae0da7a 100644 +--- a/src/shared/journal-file-util.c ++++ b/src/shared/journal-file-util.c +@@ -210,11 +210,12 @@ static void journal_file_set_offline_internal(JournalFile *f) { + + log_debug_errno(r, "Failed to re-enable copy-on-write for %s: %m, rewriting file", f->path); + +- r = copy_file_atomic_full(FORMAT_PROC_FD_PATH(f->fd), f->path, f->mode, +- 0, +- FS_NOCOW_FL, +- COPY_REPLACE | COPY_FSYNC | COPY_HOLES | COPY_ALL_XATTRS, +- NULL, NULL); ++ r = copy_file_atomic_at_full( ++ f->fd, NULL, AT_FDCWD, f->path, f->mode, ++ 0, ++ FS_NOCOW_FL, ++ COPY_REPLACE | COPY_FSYNC | COPY_HOLES | COPY_ALL_XATTRS, ++ NULL, NULL); + if (r < 0) { + log_debug_errno(r, "Failed to rewrite %s: %m", f->path); + continue; +-- +2.33.0 + diff --git a/backport-journal-importer-Consider-ECONNRESET-as-EOF.patch b/backport-journal-importer-Consider-ECONNRESET-as-EOF.patch new file mode 100644 index 0000000..bca75b4 --- /dev/null +++ b/backport-journal-importer-Consider-ECONNRESET-as-EOF.patch 
@@ -0,0 +1,47 @@ +From 51c2887c850fcc0326233c5b1aaf60ce5182e397 Mon Sep 17 00:00:00 2001 +From: Daan De Meyer +Date: Wed, 15 May 2024 21:40:12 +0200 +Subject: [PATCH 0636/1160] journal-importer: Consider ECONNRESET as EOF + +Otherwise we log a noisy error when we get ECONNRESET. + +(cherry picked from commit 2540036979b341f22567e848e6698cbe993932e3) +--- + src/shared/journal-importer.c | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +diff --git a/src/shared/journal-importer.c b/src/shared/journal-importer.c +index 83e9834bbf..bb0536e48a 100644 +--- a/src/shared/journal-importer.c ++++ b/src/shared/journal-importer.c +@@ -93,7 +93,12 @@ static int get_line(JournalImporter *imp, char **line, size_t *size) { + imp->buf + imp->filled, + MALLOC_SIZEOF_SAFE(imp->buf) - imp->filled); + if (n < 0) { +- if (errno != EAGAIN) ++ if (ERRNO_IS_DISCONNECT(errno)) { ++ log_debug_errno(errno, "Got disconnect for importer %s.", strna(imp->name)); ++ return 0; ++ } ++ ++ if (!ERRNO_IS_TRANSIENT(errno)) + log_error_errno(errno, "read(%d, ..., %zu): %m", + imp->fd, + MALLOC_SIZEOF_SAFE(imp->buf) - imp->filled); +@@ -134,7 +139,12 @@ static int fill_fixed_size(JournalImporter *imp, void **data, size_t size) { + n = read(imp->fd, imp->buf + imp->filled, + MALLOC_SIZEOF_SAFE(imp->buf) - imp->filled); + if (n < 0) { +- if (errno != EAGAIN) ++ if (ERRNO_IS_DISCONNECT(errno)) { ++ log_debug_errno(errno, "Got disconnect for importer %s.", strna(imp->name)); ++ return 0; ++ } ++ ++ if (!ERRNO_IS_TRANSIENT(errno)) + log_error_errno(errno, "read(%d, ..., %zu): %m", imp->fd, + MALLOC_SIZEOF_SAFE(imp->buf) - imp->filled); + return -errno; +-- +2.33.0 + diff --git a/backport-journal-remote-Use-sd_event_set_signal_exit.patch b/backport-journal-remote-Use-sd_event_set_signal_exit.patch new file mode 100644 index 0000000..52182a5 --- /dev/null +++ b/backport-journal-remote-Use-sd_event_set_signal_exit.patch 
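Review bot: EINTR is now returned silently: the condition `!ERRNO_IS_TRANSIENT(errno)` suppresses the log for EINTR (and whatever else that macro covers) as well as EAGAIN, yet the visible `return -errno;` still hands the value to the caller, which must therefore treat -EINTR exactly like -EAGAIN or it now fails without any log line where it used to at least log. If that is already the caller's contract, a comment such as `/* transient errors are retried by the caller */` would make it explicit. Treating ERRNO_IS_DISCONNECT as EOF at debug level also means a peer that repeatedly resets connections to journal-remote leaves no trace at the default log level, which operators may want to see; LOG_INFO or a counter would preserve that signal. get_line() and fill_fixed_size() both start outside their hunks.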
@@ -0,0 +1,165 @@ +From 247627c6b5781e654245c23b0b30519e3b9c9281 Mon Sep 17 00:00:00 2001 +From: Daan De Meyer +Date: Thu, 11 Apr 2024 09:51:23 +0200 +Subject: [PATCH 0546/1160] journal-remote: Use sd_event_set_signal_exit() + +This also fixes bugs in the previous code where we pass the server +object as userdata to sd_event_add_signal which means that sd-event +tries to use the value of the server pointer as its exit code when +a signal is triggered. + +(cherry picked from commit dcd332ae00b9e82fc1c05cbb136afe39253dff70) +--- + src/journal-remote/journal-remote-main.c | 22 ++------------ + src/journal-remote/journal-remote.c | 2 -- + src/journal-remote/journal-remote.h | 2 +- + src/journal-remote/journal-upload.c | 38 ++---------------------- + src/journal-remote/journal-upload.h | 1 - + 5 files changed, 5 insertions(+), 60 deletions(-) + +diff --git a/src/journal-remote/journal-remote-main.c b/src/journal-remote/journal-remote-main.c +index da0f20d3ce..294719b706 100644 +--- a/src/journal-remote/journal-remote-main.c ++++ b/src/journal-remote/journal-remote-main.c +@@ -535,24 +535,6 @@ static int dispatch_http_event(sd_event_source *event, + ********************************************************************** + **********************************************************************/ + +-static int setup_signals(RemoteServer *s) { +- int r; +- +- assert(s); +- +- assert_se(sigprocmask_many(SIG_SETMASK, NULL, SIGINT, SIGTERM, -1) >= 0); +- +- r = sd_event_add_signal(s->events, &s->sigterm_event, SIGTERM, NULL, s); +- if (r < 0) +- return r; +- +- r = sd_event_add_signal(s->events, &s->sigint_event, SIGINT, NULL, s); +- if (r < 0) +- return r; +- +- return 0; +-} +- + static int setup_raw_socket(RemoteServer *s, const char *address) { + int fd; + +@@ -580,9 +562,9 @@ static int create_remoteserver( + if (r < 0) + return r; + +- r = setup_signals(s); ++ r = sd_event_set_signal_exit(s->events, true); + if (r < 0) +- return log_error_errno(r, "Failed to set up 
signals: %m"); ++ return log_error_errno(r, "Failed to install SIGINT/SIGTERM handlers: %m"); + + n = sd_listen_fds(true); + if (n < 0) +diff --git a/src/journal-remote/journal-remote.c b/src/journal-remote/journal-remote.c +index e0c54675ee..9db686dd88 100644 +--- a/src/journal-remote/journal-remote.c ++++ b/src/journal-remote/journal-remote.c +@@ -376,8 +376,6 @@ void journal_remote_server_destroy(RemoteServer *s) { + writer_unref(s->_single_writer); + hashmap_free(s->writers); + +- sd_event_source_unref(s->sigterm_event); +- sd_event_source_unref(s->sigint_event); + sd_event_source_unref(s->listen_event); + sd_event_unref(s->events); + +diff --git a/src/journal-remote/journal-remote.h b/src/journal-remote/journal-remote.h +index 8d73f95dc9..3d64db02fd 100644 +--- a/src/journal-remote/journal-remote.h ++++ b/src/journal-remote/journal-remote.h +@@ -30,7 +30,7 @@ struct RemoteServer { + size_t active; + + sd_event *events; +- sd_event_source *sigterm_event, *sigint_event, *listen_event; ++ sd_event_source *listen_event; + + Hashmap *writers; + Writer *_single_writer; +diff --git a/src/journal-remote/journal-upload.c b/src/journal-remote/journal-upload.c +index cef82af0c2..d70a049484 100644 +--- a/src/journal-remote/journal-upload.c ++++ b/src/journal-remote/journal-upload.c +@@ -380,38 +380,6 @@ static int open_file_for_upload(Uploader *u, const char *filename) { + return r; + } + +-static int dispatch_sigterm(sd_event_source *event, +- const struct signalfd_siginfo *si, +- void *userdata) { +- Uploader *u = ASSERT_PTR(userdata); +- +- log_received_signal(LOG_INFO, si); +- +- close_fd_input(u); +- close_journal_input(u); +- +- sd_event_exit(u->events, 0); +- return 0; +-} +- +-static int setup_signals(Uploader *u) { +- int r; +- +- assert(u); +- +- assert_se(sigprocmask_many(SIG_SETMASK, NULL, SIGINT, SIGTERM, -1) >= 0); +- +- r = sd_event_add_signal(u->events, &u->sigterm_event, SIGTERM, dispatch_sigterm, u); +- if (r < 0) +- return r; +- +- r = 
sd_event_add_signal(u->events, &u->sigint_event, SIGINT, dispatch_sigterm, u); +- if (r < 0) +- return r; +- +- return 0; +-} +- + static int setup_uploader(Uploader *u, const char *url, const char *state_file) { + int r; + const char *host, *proto = ""; +@@ -451,9 +419,9 @@ static int setup_uploader(Uploader *u, const char *url, const char *state_file) + if (r < 0) + return log_error_errno(r, "sd_event_default failed: %m"); + +- r = setup_signals(u); ++ r = sd_event_set_signal_exit(u->events, true); + if (r < 0) +- return log_error_errno(r, "Failed to set up signals: %m"); ++ return log_error_errno(r, "Failed to install SIGINT/SIGTERM handlers: %m"); + + (void) sd_watchdog_enabled(false, &u->watchdog_usec); + +@@ -477,8 +445,6 @@ static void destroy_uploader(Uploader *u) { + close_fd_input(u); + close_journal_input(u); + +- sd_event_source_unref(u->sigterm_event); +- sd_event_source_unref(u->sigint_event); + sd_event_unref(u->events); + } + +diff --git a/src/journal-remote/journal-upload.h b/src/journal-remote/journal-upload.h +index 9ff5a7ba58..200786413f 100644 +--- a/src/journal-remote/journal-upload.h ++++ b/src/journal-remote/journal-upload.h +@@ -25,7 +25,6 @@ typedef enum { + + typedef struct Uploader { + sd_event *events; +- sd_event_source *sigint_event, *sigterm_event; + + char *url; + CURL *easy; +-- +2.33.0 + diff --git a/backport-journal-remote-allow-AF_VSOCK-and-AF_UNIX-for-listen.patch b/backport-journal-remote-allow-AF_VSOCK-and-AF_UNIX-for-listen.patch new file mode 100644 index 0000000..fec4150 --- /dev/null +++ b/backport-journal-remote-allow-AF_VSOCK-and-AF_UNIX-for-listen.patch 
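Review bot: Signal receipt is no longer logged and the inputs are no longer closed at signal time in journal-upload.c, because the removed dispatch_sigterm() handler did both via log_received_signal(), close_fd_input() and close_journal_input(), while sd_event_set_signal_exit() only exits the loop. If that is acceptable it should be stated in the commit message, since the old log line was useful when diagnosing who stopped an uploader; otherwise keep a thin handler that logs and then calls sd_event_exit(). The commit message's point about the server pointer being misused as the exit code applies to journal-remote-main.c, whose handlers had no callback, not to this file. setup_uploader() continues past the hunk.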
@@ -0,0 +1,32 @@ +From cea50a11f4576d921c933c9c5fcca254262bd225 Mon Sep 17 00:00:00 2001 +From: Sam Leonard +Date: Mon, 22 Jan 2024 16:12:39 +0000 +Subject: [PATCH 0543/1160] journal-remote: allow AF_VSOCK and AF_UNIX for + --listen-raw + +This allows log messages forwarded over an AF_UNIX or AF_VSOCK socket by +journald to be received by systemd-journal-remote. + +(cherry picked from commit b4d4ebe850d7de6c485a790c5334de1da0760ee1) +--- + src/journal-remote/journal-remote.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/src/journal-remote/journal-remote.c b/src/journal-remote/journal-remote.c +index 79010d0482..e0c54675ee 100644 +--- a/src/journal-remote/journal-remote.c ++++ b/src/journal-remote/journal-remote.c +@@ -517,7 +517,9 @@ static int accept_connection( + + switch (socket_address_family(addr)) { + case AF_INET: +- case AF_INET6: { ++ case AF_INET6: ++ case AF_VSOCK: ++ case AF_UNIX: { + _cleanup_free_ char *a = NULL; + char *b; + +-- +2.33.0 + diff --git a/backport-journal-remote-fix-two-minor-memory-leaks.patch b/backport-journal-remote-fix-two-minor-memory-leaks.patch new file mode 100644 index 0000000..6edaa92 --- /dev/null +++ b/backport-journal-remote-fix-two-minor-memory-leaks.patch 
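Review bot: There is no peer authentication visible in this hunk for the newly accepted AF_UNIX and AF_VSOCK cases, so for AF_UNIX the only control is the socket path's mode and for AF_VSOCK any guest that can reach the host CID can inject entries into the remote journal. That may be intended for the journald forwarding use case, but it deserves a comment here and a sentence in the --listen-raw documentation, e.g. `/* No peer authentication on raw sockets: AF_UNIX relies on socket file permissions, AF_VSOCK on the hypervisor's CID assignment. */`. If tighter control is wanted, SO_PEERCRED for AF_UNIX and a CID allow-list for AF_VSOCK are the obvious hooks. accept_connection() starts and ends outside the hunk.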
@@ -0,0 +1,39 @@ +From f27430bf4ae583f62da67d0607b2146687dfbd44 Mon Sep 17 00:00:00 2001 +From: Antonio Alvarez Feijoo +Date: Thu, 11 Apr 2024 17:20:02 +0200 +Subject: [PATCH 0533/1160] journal-remote: fix two minor memory leaks + +(cherry picked from commit 3ec49af97332050701a1e2cc08390aa76d40585a) +--- + src/journal-remote/journal-gatewayd.c | 1 + + src/journal-remote/journal-upload.c | 2 ++ + 2 files changed, 3 insertions(+) + +diff --git a/src/journal-remote/journal-gatewayd.c b/src/journal-remote/journal-gatewayd.c +index 09194710cb..aaa52c0f8e 100644 +--- a/src/journal-remote/journal-gatewayd.c ++++ b/src/journal-remote/journal-gatewayd.c +@@ -47,6 +47,7 @@ static char **arg_file = NULL; + STATIC_DESTRUCTOR_REGISTER(arg_key_pem, erase_and_freep); + STATIC_DESTRUCTOR_REGISTER(arg_cert_pem, freep); + STATIC_DESTRUCTOR_REGISTER(arg_trust_pem, freep); ++STATIC_DESTRUCTOR_REGISTER(arg_file, strv_freep); + + typedef struct RequestMeta { + sd_journal *journal; +diff --git a/src/journal-remote/journal-upload.c b/src/journal-remote/journal-upload.c +index db74355842..cef82af0c2 100644 +--- a/src/journal-remote/journal-upload.c ++++ b/src/journal-remote/journal-upload.c +@@ -59,6 +59,8 @@ static int arg_follow = -1; + static const char *arg_save_state = NULL; + static usec_t arg_network_timeout_usec = USEC_INFINITY; + ++STATIC_DESTRUCTOR_REGISTER(arg_file, strv_freep); ++ + static void close_fd_input(Uploader *u); + + #define SERVER_ANSWER_KEEP 2048 +-- +2.33.0 + diff --git a/backport-journal-remote-main-pass-the-right-error-variable.patch b/backport-journal-remote-main-pass-the-right-error-variable.patch new file mode 100644 index 0000000..242faca --- /dev/null +++ b/backport-journal-remote-main-pass-the-right-error-variable.patch 
@@ -0,0 +1,26 @@ +From 88710976fe309aeb8e026eabc33eca26eeb8769d Mon Sep 17 00:00:00 2001 +From: David Tardon +Date: Tue, 7 May 2024 13:13:24 +0200 +Subject: [PATCH 0592/1160] journal-remote-main: pass the right error variable + +(cherry picked from commit 47eab95ea813fdeee686ca720287b7fe4189b2d4) +--- + src/journal-remote/journal-remote-main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/journal-remote/journal-remote-main.c b/src/journal-remote/journal-remote-main.c +index 294719b706..2d380bc7a7 100644 +--- a/src/journal-remote/journal-remote-main.c ++++ b/src/journal-remote/journal-remote-main.c +@@ -108,7 +108,7 @@ static int spawn_child(const char* child, char** argv) { + + r = fd_nonblock(fd[0], true); + if (r < 0) +- log_warning_errno(errno, "Failed to set child pipe to non-blocking: %m"); ++ log_warning_errno(r, "Failed to set child pipe to non-blocking: %m"); + + return fd[0]; + } +-- +2.33.0 + diff --git a/backport-journal-remote-use-macro-wrapper-instead-of-alloca-t.patch b/backport-journal-remote-use-macro-wrapper-instead-of-alloca-t.patch new file mode 100644 index 0000000..e4d0646 --- /dev/null +++ b/backport-journal-remote-use-macro-wrapper-instead-of-alloca-t.patch 
@@ -0,0 +1,158 @@ +From fb974c88270cfddf231b42ab27a5bd6ad8e4cc34 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Fri, 12 Jan 2024 16:37:04 +0100 +Subject: [PATCH 0193/1160] journal-remote: use macro wrapper instead of alloca + to extend string + +We would use alloca to extend the format string with "\n". We do this +automatically in order to not forget appending the newline everywhere. +We can simplify the whole thing by using a macro to append the newline instead, +which means that we don't need to copy the string. + +Because we concatenate the string argument with another literal string, we know +it must a literal string. Thus it's not a problem that it is "evaluated" two +times. + +Quoting Hristo Venev: +> Since commit f5e757f1ce84c1d6ae932cf2b604238fb4cedc00, mhd_respond() adds a +> newline to its argument before passing it on to mhd_respond_internal(). This +> is done via an alloca()-allocated buffer. However, MHD_RESPMEM_PERSISTENT is +> given as a flag to MHD_create_response_from_buffer(), leading to a +> use-after-free later when the response is sent. Replacing +> MHD_RESPMEM_PERSISTENT with MHD_RESPMEM_MUST_COPY appears to fix the issue. + +MHD_RESPMEM_MUST_COPY would work, but we also use mhd_respond() for mhd_oom(), +and we don't want to allocate in an oom scenario in order to maximize the +possibility that an answer will be delivered. Using the macro magic makes this +nicer and we get rid of the code doing alloca. + +Fixes an issue reported by Hristo Venev. +Fixes https://github.com/systemd/systemd/issues/9858. 
+ +(cherry picked from commit 320ff932658fb1e3c2aeb1832ff6c10d755e5a56) +--- + src/journal-remote/microhttpd-util.c | 42 ++++++++++------------------ + src/journal-remote/microhttpd-util.h | 31 +++++++++++++++----- + 2 files changed, 38 insertions(+), 35 deletions(-) + +diff --git a/src/journal-remote/microhttpd-util.c b/src/journal-remote/microhttpd-util.c +index 9e6c36f87d..c1e35b7ed3 100644 +--- a/src/journal-remote/microhttpd-util.c ++++ b/src/journal-remote/microhttpd-util.c +@@ -25,11 +25,13 @@ void microhttpd_logger(void *arg, const char *fmt, va_list ap) { + REENABLE_WARNING; + } + +-static int mhd_respond_internal(struct MHD_Connection *connection, +- enum MHD_RequestTerminationCode code, +- const char *buffer, +- size_t size, +- enum MHD_ResponseMemoryMode mode) { ++int mhd_respond_internal( ++ struct MHD_Connection *connection, ++ enum MHD_RequestTerminationCode code, ++ const char *buffer, ++ size_t size, ++ enum MHD_ResponseMemoryMode mode) { ++ + assert(connection); + + _cleanup_(MHD_destroy_responsep) struct MHD_Response *response +@@ -43,29 +45,16 @@ static int mhd_respond_internal(struct MHD_Connection *connection, + return MHD_queue_response(connection, code, response); + } + +-int mhd_respond(struct MHD_Connection *connection, +- enum MHD_RequestTerminationCode code, +- const char *message) { +- +- const char *fmt; +- +- fmt = strjoina(message, "\n"); +- +- return mhd_respond_internal(connection, code, +- fmt, strlen(message) + 1, +- MHD_RESPMEM_PERSISTENT); +-} +- + int mhd_respond_oom(struct MHD_Connection *connection) { +- return mhd_respond(connection, MHD_HTTP_SERVICE_UNAVAILABLE, "Out of memory."); ++ return mhd_respond(connection, MHD_HTTP_SERVICE_UNAVAILABLE, "Out of memory."); + } + +-int mhd_respondf(struct MHD_Connection *connection, +- int error, +- enum MHD_RequestTerminationCode code, +- const char *format, ...) 
{ ++int mhd_respondf_internal( ++ struct MHD_Connection *connection, ++ int error, ++ enum MHD_RequestTerminationCode code, ++ const char *format, ...) { + +- const char *fmt; + char *m; + int r; + va_list ap; +@@ -76,11 +65,8 @@ int mhd_respondf(struct MHD_Connection *connection, + if (error < 0) + error = -error; + errno = -error; +- fmt = strjoina(format, "\n"); + va_start(ap, format); +- DISABLE_WARNING_FORMAT_NONLITERAL; +- r = vasprintf(&m, fmt, ap); +- REENABLE_WARNING; ++ r = vasprintf(&m, format, ap); + va_end(ap); + + if (r < 0) +diff --git a/src/journal-remote/microhttpd-util.h b/src/journal-remote/microhttpd-util.h +index 140e7f6223..309c39aab0 100644 +--- a/src/journal-remote/microhttpd-util.h ++++ b/src/journal-remote/microhttpd-util.h +@@ -62,17 +62,34 @@ void microhttpd_logger(void *arg, const char *fmt, va_list ap) _printf_(2, 0); + /* respond_oom() must be usable with return, hence this form. */ + #define respond_oom(connection) log_oom(), mhd_respond_oom(connection) + +-int mhd_respondf(struct MHD_Connection *connection, +- int error, +- enum MHD_RequestTerminationCode code, +- const char *format, ...) _printf_(4,5); +- +-int mhd_respond(struct MHD_Connection *connection, ++int mhd_respond_internal( ++ struct MHD_Connection *connection, + enum MHD_RequestTerminationCode code, +- const char *message); ++ const char *buffer, ++ size_t size, ++ enum MHD_ResponseMemoryMode mode); ++ ++#define mhd_respond(connection, code, message) \ ++ mhd_respond_internal( \ ++ connection, code, \ ++ message "\n", \ ++ strlen(message) + 1, \ ++ MHD_RESPMEM_PERSISTENT) + + int mhd_respond_oom(struct MHD_Connection *connection); + ++int mhd_respondf_internal( ++ struct MHD_Connection *connection, ++ int error, ++ enum MHD_RequestTerminationCode code, ++ const char *format, ...) _printf_(4,5); ++ ++#define mhd_respondf(connection, error, code, format, ...) 
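Review bot: In mhd_respondf_internal() the context lines `if (error < 0) error = -error;` followed by `errno = -error;` leave errno negative (or zero) for every non-zero error, so a caller formatting with `%m` would presumably get glibc's "Unknown error -N" text instead of the intended message; the likely intent is `errno = error;` after the sign normalisation. This is pre-existing and not introduced by the alloca removal, but since the function is being rewritten here it is the natural place to fix it, with a test that passes a negative errno and checks the rendered body. The function continues past the hunk, so I cannot see whether the vasprintf result is handed over with MHD_RESPMEM_MUST_FREE as required.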
\ ++ mhd_respondf_internal( \ ++ connection, error, code, \ ++ format "\n", \ ++ ##__VA_ARGS__) ++ + int check_permissions(struct MHD_Connection *connection, int *code, char **hostname); + + /* Set gnutls internal logging function to a callback which uses our +-- +2.33.0 + diff --git a/backport-journalctl-also-check-arg_file_stdin-with-other-jour.patch b/backport-journalctl-also-check-arg_file_stdin-with-other-jour.patch new file mode 100644 index 0000000..0a4f7c0 --- /dev/null +++ b/backport-journalctl-also-check-arg_file_stdin-with-other-jour.patch @@ -0,0 +1,29 @@ +From 2c1ce9f00b189ac03de2501f4a7b4691b2adb55c Mon Sep 17 00:00:00 2001 +From: Mike Yuan +Date: Mon, 29 Apr 2024 16:47:11 +0800 +Subject: [PATCH 0580/1160] journalctl: also check arg_file_stdin with other + journal location options + +Prompted by #32491 + +(cherry picked from commit 821bf13b6e7a20ca05bebad2bc435e40a424ca18) +--- + src/journal/journalctl.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/journal/journalctl.c b/src/journal/journalctl.c +index 45ecc960ae..87e2f28841 100644 +--- a/src/journal/journalctl.c ++++ b/src/journal/journalctl.c +@@ -1081,7 +1081,7 @@ static int parse_argv(int argc, char *argv[]) { + arg_boot_offset = 0; + } + +- if (!!arg_directory + !!arg_file + !!arg_machine + !!arg_root + !!arg_image > 1) ++ if (!!arg_directory + !!arg_file + arg_file_stdin + !!arg_machine + !!arg_root + !!arg_image > 1) + return log_error_errno(SYNTHETIC_ERRNO(EINVAL), + "Please specify at most one of -D/--directory=, --file=, -M/--machine=, --root=, --image=."); + +-- +2.33.0 + diff --git a/backport-journalctl-don-t-skip-over-messages-not-matching-the.patch b/backport-journalctl-don-t-skip-over-messages-not-matching-the.patch new file mode 100644 index 0000000..f1eaa25 --- /dev/null +++ b/backport-journalctl-don-t-skip-over-messages-not-matching-the.patch 
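Review bot: The use-after-free fixed here depends on `message "\n"` being a string literal with static storage, which is the only reason MHD_RESPMEM_PERSISTENT is safe in the mhd_respond() macro; that invariant is implicit, so a future change that passes a computed string (which today fails to compile only because of the literal concatenation) or swaps the memory mode would reintroduce the bug. Add a comment above the macro stating it, e.g. `/* message must be a string literal: the concatenation enforces that, and MHD_RESPMEM_PERSISTENT relies on the result outliving the response. */`. Using `sizeof(message "\n") - 1` instead of `strlen(message) + 1` would take the length from the same literal at compile time and remove the second independent use of the argument.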
@@ -0,0 +1,138 @@ +From d68d9019c483f5ebbbeea006e7670532dc26680d Mon Sep 17 00:00:00 2001 +From: Frantisek Sumsal +Date: Tue, 5 Dec 2023 17:38:25 +0100 +Subject: [PATCH 0020/1160] journalctl: don't skip over messages not matching + the cursor + +When --after-cursor=/--cursor-file= is used together with a journal +filter, we still skipped over the first matching entry even if it wasn't +the entry the cursor points at, thus missing one "valid" entry +completely. Let's fix this by checking if the entry cursor after seeking +matches the user provided cursor, and skip to the next entry only when +the cursors match. + +Resolves: #30288 +(cherry picked from commit 4207a5577a3711fb6760f1f122314fe3f4448709) +--- + src/journal/journalctl.c | 45 +++++++++++++++++++----------- + test/units/testsuite-04.journal.sh | 24 ++++++++++++++++ + 2 files changed, 52 insertions(+), 17 deletions(-) + +diff --git a/src/journal/journalctl.c b/src/journal/journalctl.c +index c52a8d13be..7f3dcd56a4 100644 +--- a/src/journal/journalctl.c ++++ b/src/journal/journalctl.c +@@ -2165,10 +2165,12 @@ static int setup_event(Context *c, int fd, sd_event **ret) { + } + + static int run(int argc, char *argv[]) { +- bool need_seek = false, since_seeked = false, use_cursor = false, after_cursor = false; ++ bool need_seek = false, since_seeked = false, after_cursor = false; + _cleanup_(loop_device_unrefp) LoopDevice *loop_device = NULL; + _cleanup_(umount_and_freep) char *mounted_dir = NULL; + _cleanup_(sd_journal_closep) sd_journal *j = NULL; ++ _cleanup_free_ char *cursor_from_file = NULL; ++ const char *cursor = NULL; + int n_shown, r, poll_fd = -EBADF; + + setlocale(LC_ALL, ""); +@@ -2445,8 +2447,7 @@ static int run(int argc, char *argv[]) { + } + + if (arg_cursor || arg_after_cursor || arg_cursor_file) { +- _cleanup_free_ char *cursor_from_file = NULL; +- const char *cursor = arg_cursor ?: arg_after_cursor; ++ cursor = arg_cursor ?: arg_after_cursor; + + if (arg_cursor_file) { + r = 
read_one_line_file(arg_cursor_file, &cursor_from_file); +@@ -2459,30 +2460,40 @@ static int run(int argc, char *argv[]) { + } + } else + after_cursor = arg_after_cursor; ++ } + +- if (cursor) { +- r = sd_journal_seek_cursor(j, cursor); +- if (r < 0) +- return log_error_errno(r, "Failed to seek to cursor: %m"); ++ if (cursor) { ++ r = sd_journal_seek_cursor(j, cursor); ++ if (r < 0) ++ return log_error_errno(r, "Failed to seek to cursor: %m"); + +- use_cursor = true; ++ r = sd_journal_step_one(j, !arg_reverse); ++ if (r < 0) ++ return log_error_errno(r, "Failed to iterate through journal: %m"); ++ ++ if (after_cursor && r > 0) { ++ /* With --after-cursor=/--cursor-file= we want to skip the first entry only if it's ++ * the entry the cursor is pointing at, otherwise, if some journal filters are used, ++ * we might skip the first entry of the filter match, which leads to unexpectedly ++ * missing journal entries. */ ++ int k; ++ ++ k = sd_journal_test_cursor(j, cursor); ++ if (k < 0) ++ return log_error_errno(k, "Failed to test cursor against current entry: %m"); ++ if (k > 0) ++ /* Current entry matches the one our cursor is pointing at, so let's try ++ * to advance the next entry. */ ++ r = sd_journal_step_one(j, !arg_reverse); + } +- } +- +- if (use_cursor) { +- if (!arg_reverse) +- r = sd_journal_next_skip(j, 1 + after_cursor); +- else +- r = sd_journal_previous_skip(j, 1 + after_cursor); + +- if (after_cursor && r < 2) { ++ if (r == 0) { + /* We couldn't find the next entry after the cursor. */ + if (arg_follow) + need_seek = true; + else + arg_lines = 0; + } +- + } else if (arg_until_set && (arg_reverse || arg_lines_needs_seek_end())) { + /* If both --until and any of --reverse and --lines=N is specified, things get + * a little tricky. We seek to the place of --until first. 
If only --reverse or +diff --git a/test/units/testsuite-04.journal.sh b/test/units/testsuite-04.journal.sh +index 3efac616e0..4d9e48717a 100755 +--- a/test/units/testsuite-04.journal.sh ++++ b/test/units/testsuite-04.journal.sh +@@ -241,3 +241,27 @@ diff -u /tmp/lb1 - <<'EOF' + [{"index":-3,"boot_id":"5ea5fc4f82a14186b5332a788ef9435e","first_entry":1666569600994371,"last_entry":1666584266223608},{"index":-2,"boot_id":"bea6864f21ad4c9594c04a99d89948b0","first_entry":1666569601005945,"last_entry":1666584347230411},{"index":-1,"boot_id":"4c708e1fd0744336be16f3931aa861fb","first_entry":1666569601017222,"last_entry":1666584354649355},{"index":0,"boot_id":"35e8501129134edd9df5267c49f744a4","first_entry":1666569601009823,"last_entry":1666584438086856}] + EOF + rm -rf "$JOURNAL_DIR" /tmp/lb1 ++ ++# Check that using --after-cursor/--cursor-file= together with journal filters doesn't ++# skip over entries matched by the filter ++# See: https://github.com/systemd/systemd/issues/30288 ++UNIT_NAME="test-cursor-$RANDOM.service" ++CURSOR_FILE="$(mktemp)" ++# Generate some messages we can match against ++journalctl --cursor-file="$CURSOR_FILE" -n1 ++systemd-run --unit="$UNIT_NAME" --wait --service-type=exec bash -xec "echo hello; echo world" ++journalctl --sync ++# --after-cursor= + --unit= ++# The format of the "Starting ..." 
message depends on StatusUnitFormat=, so match only the beginning ++# which should be enough in this case ++[[ "$(journalctl -n 1 -p info -o cat --unit="$UNIT_NAME" --after-cursor="$(<"$CURSOR_FILE")" _PID=1 )" =~ ^Starting\ ]] ++# There should be no such messages before the cursor ++[[ -z "$(journalctl -n 1 -p info -o cat --unit="$UNIT_NAME" --after-cursor="$(<"$CURSOR_FILE")" --reverse)" ]] ++# --cursor-file= + a journal filter ++diff <(journalctl --cursor-file="$CURSOR_FILE" -p info -o cat _SYSTEMD_UNIT="$UNIT_NAME") - < Date: Wed, 16 Oct 2024 19:27:36 +0900 -Subject: [PATCH] journalctl: erase verify key before free +Subject: [PATCH 0952/1160] journalctl: erase verify key before free Even optarg is erased, copied string was not erased. Let's erase the copied key for safety. (cherry picked from commit d0ad4e88d4e6b5e312c359a6505125f7e088f3e3) (cherry picked from commit 28f7c958fb799887cb67528a85ca59f0ccd9261e) -(cherry picked from commit 6b13398c220a01e2eff5bb25da7d457f445c82e9) - -Conflict:the current code does not use STATIC_DESTRUCTOR_REGISTER instead of free, so the related code is not combined -Reference:https://github.com/systemd/systemd/commit/d0ad4e88d4e6b5e312c359a6505125f7e088f3e3 --- - src/journal/journalctl.c | 8 +++++--- - 1 file changed, 5 insertions(+), 3 deletions(-) + src/journal/journalctl.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/src/journal/journalctl.c b/src/journal/journalctl.c -index decdf14..327e035 100644 +index 87e2f28841..0a6c49c040 100644 --- a/src/journal/journalctl.c 
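Review bot: In the journalctl.c hunk of the don't-skip-over-messages patch, the second `r = sd_journal_step_one(j, !arg_reverse);` (taken when `sd_journal_test_cursor()` reports a match) is not error-checked: a negative return falls through the `if (r == 0)` test and run() proceeds as if an entry had been positioned. Mirroring the first call, `if (r < 0) return log_error_errno(r, "Failed to iterate through journal: %m");` directly after it closes that gap. The accompanying testsuite-04.journal.sh hunk and the tail of this patch file are truncated on this page, so the test is not reviewable here; run() itself continues outside the hunk.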
+++ b/src/journal/journalctl.c -@@ -791,9 +791,11 @@ static int parse_argv(int argc, char *argv[]) { +@@ -144,7 +144,7 @@ ImagePolicy *arg_image_policy = NULL; + + STATIC_DESTRUCTOR_REGISTER(arg_file, strv_freep); + STATIC_DESTRUCTOR_REGISTER(arg_facilities, set_freep); +-STATIC_DESTRUCTOR_REGISTER(arg_verify_key, freep); ++STATIC_DESTRUCTOR_REGISTER(arg_verify_key, erase_and_freep); + STATIC_DESTRUCTOR_REGISTER(arg_syslog_identifier, strv_freep); + STATIC_DESTRUCTOR_REGISTER(arg_system_units, strv_freep); + STATIC_DESTRUCTOR_REGISTER(arg_user_units, strv_freep); +@@ -821,9 +821,11 @@ static int parse_argv(int argc, char *argv[]) { break; case ARG_VERIFY_KEY: diff --git a/backport-journalctl-honor-quiet-with-setup-keys.patch b/backport-journalctl-honor-quiet-with-setup-keys.patch new file mode 100644 index 0000000..6b16c23 --- /dev/null +++ b/backport-journalctl-honor-quiet-with-setup-keys.patch 
@@ -0,0 +1,88 @@ +From dbab170b9ef2a8c00b88c8dfb89de47009e8ffbb Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Tue, 10 Dec 2024 09:40:43 +0900 +Subject: [PATCH 1054/1160] journalctl: honor --quiet with --setup-keys + +Closes #35504. + +(cherry picked from commit a5b2973850e5952b9dffdfa3f6a0ef486957cb17) +(cherry picked from commit 644f2a02c8befba986ebbc5d58767807fb2999ee) +(cherry picked from commit c03e3169ddd663c6d3aaea3df7af0031fe00cf5c) +--- + src/journal/journalctl.c | 15 +++++++++------ + test/units/testsuite-04.fss.sh | 6 ++++-- + 2 files changed, 13 insertions(+), 8 deletions(-) + +diff --git a/src/journal/journalctl.c b/src/journal/journalctl.c +index 0a6c49c040..f52ed03dd0 100644 +--- a/src/journal/journalctl.c ++++ b/src/journal/journalctl.c +@@ -1672,15 +1672,18 @@ static int setup_keys(void) { + state_size = FSPRG_stateinbytes(FSPRG_RECOMMENDED_SECPAR); + state = alloca_safe(state_size); + +- log_info("Generating seed..."); ++ if (!arg_quiet) ++ log_info("Generating seed..."); + r = crypto_random_bytes(seed, seed_size); + if (r < 0) + return log_error_errno(r, "Failed to acquire random seed: %m"); + +- log_info("Generating key pair..."); ++ if (!arg_quiet) ++ log_info("Generating key pair..."); + FSPRG_GenMK(NULL, mpk, seed, seed_size, FSPRG_RECOMMENDED_SECPAR); + +- log_info("Generating sealing key..."); ++ if (!arg_quiet) ++ log_info("Generating sealing key..."); + FSPRG_GenState0(state, mpk, seed, seed_size); + + assert(arg_interval > 0); +@@ -1695,7 +1698,7 @@ static int setup_keys(void) { + + r = chattr_secret(fd, CHATTR_WARN_UNSUPPORTED_FLAGS); + if (r < 0) +- log_full_errno(ERRNO_IS_NOT_SUPPORTED(r) ? LOG_DEBUG : LOG_WARNING, ++ log_full_errno(ERRNO_IS_NOT_SUPPORTED(r) || arg_quiet ? 
LOG_DEBUG : LOG_WARNING, + r, "Failed to set file attributes on '%s', ignoring: %m", k); + + struct FSSHeader h = { +@@ -1728,7 +1731,7 @@ static int setup_keys(void) { + if (r < 0) + return r; + +- if (on_tty()) { ++ if (on_tty() && !arg_quiet) { + hn = gethostname_malloc(); + if (hn) + hostname_cleanup(hn); +@@ -1759,7 +1762,7 @@ static int setup_keys(void) { + + puts(key); + +- if (on_tty()) { ++ if (on_tty() && !arg_quiet) { + fprintf(stderr, "%s", ansi_normal()); + #if HAVE_QRENCODE + _cleanup_free_ char *url = NULL; +diff --git a/test/units/testsuite-04.fss.sh b/test/units/testsuite-04.fss.sh +index 03351b812f..140bd9fd67 100755 +--- a/test/units/testsuite-04.fss.sh ++++ b/test/units/testsuite-04.fss.sh +@@ -10,8 +10,10 @@ if ! journalctl --version | grep -qF +GCRYPT; then + exit 0 + fi + +-journalctl --force --setup-keys --interval=2 |& tee /tmp/fss +-FSS_VKEY="$(sed -rn '/([a-f0-9]{6}\-){3}[a-f0-9]{6}\/[a-f0-9]+\-[a-f0-9]+/p' /tmp/fss)" ++# without --quiet, should be effectively equivalent to the below, as we are not on tty ++journalctl --force --setup-keys --interval=2 ++ ++FSS_VKEY=$(journalctl --force --setup-keys --interval=2 --quiet) + [[ -n "$FSS_VKEY" ]] + + # Generate some buzz in the journal and wait until the FSS key is changed +-- +2.33.0 + diff --git a/backport-journalctl-make-until-work-again-with-after-cursor-a.patch b/backport-journalctl-make-until-work-again-with-after-cursor-a.patch new file mode 100644 index 0000000..e5509b2 --- /dev/null +++ b/backport-journalctl-make-until-work-again-with-after-cursor-a.patch 
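Review bot: The priority expression `ERRNO_IS_NOT_SUPPORTED(r) || arg_quiet ? LOG_DEBUG : LOG_WARNING` in setup_keys() relies on `||` binding tighter than `?:`; it evaluates as intended but reads as if `arg_quiet` alone were the condition, so `(ERRNO_IS_NOT_SUPPORTED(r) || arg_quiet) ? LOG_DEBUG : LOG_WARNING` is clearer. The testsuite-04.fss.sh change runs the non-quiet invocation but never compares its output with the quiet one, so the "effectively equivalent" claim in its comment is not actually asserted. setup_keys() starts and ends outside the hunks.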
@@ -0,0 +1,60 @@ +From 5f01d4790d3877c9d5cdc7b3b521c1ff63ae41b6 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Thu, 21 Mar 2024 04:34:37 +0900 +Subject: [PATCH 0464/1160] journalctl: make --until work again with + --after-cursor and --lines + +Fixes a regression introduced by 81fb5375b3b3bfc22d023d7908ad9eee4b3c1ffb. + +If one of the cursor option is specified, we first seek to the cursor position. +So, the current position may be out of the time range specified by --until, +and we need to verify the timestamp of the current position. + +Fixes #31776. + +Co-authored-by: Reid Wahl +(cherry picked from commit cb2be36650913e7b3020a3c283414c1c418c6862) +--- + src/journal/journalctl.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +diff --git a/src/journal/journalctl.c b/src/journal/journalctl.c +index 7f3dcd56a4..c436d971d4 100644 +--- a/src/journal/journalctl.c ++++ b/src/journal/journalctl.c +@@ -1938,6 +1938,7 @@ static int update_cursor(sd_journal *j) { + + typedef struct Context { + sd_journal *journal; ++ bool has_cursor; + bool need_seek; + bool since_seeked; + bool ellipsized; +@@ -1967,11 +1968,11 @@ static int show(Context *c) { + break; + } + +- if (arg_until_set && !arg_reverse && (arg_lines < 0 || arg_since_set)) { +- /* If --lines= is set, we usually rely on the n_shown to tell us +- * when to stop. However, if --since= is set too, we may end up +- * having less than --lines= to output. In this case let's also +- * check if the entry is in range. */ ++ if (arg_until_set && !arg_reverse && (arg_lines < 0 || arg_since_set || c->has_cursor)) { ++ /* If --lines= is set, we usually rely on the n_shown to tell us when to stop. ++ * However, if --since= or one of the cursor argument is set too, we may end up ++ * having less than --lines= to output. In this case let's also check if the entry ++ * is in range. 
*/ + + usec_t usec; + +@@ -2572,6 +2573,7 @@ static int run(int argc, char *argv[]) { + + Context c = { + .journal = j, ++ .has_cursor = cursor, + .need_seek = need_seek, + .since_seeked = since_seeked, + }; +-- +2.33.0 + diff --git a/backport-journalctl-update-help-to-say-priority-range-32323.patch b/backport-journalctl-update-help-to-say-priority-range-32323.patch new file mode 100644 index 0000000..3fa6a43 --- /dev/null +++ b/backport-journalctl-update-help-to-say-priority-range-32323.patch @@ -0,0 +1,31 @@ +From 24ccc1adf2655b927ca32fc7c6bc2369e1b6c354 Mon Sep 17 00:00:00 2001 +From: Winterhuman <86165318+Winterhuman@users.noreply.github.com> +Date: Thu, 18 Apr 2024 00:43:28 +0000 +Subject: [PATCH 0502/1160] journalctl: update help to say "priority range" + (#32323) + +Clarify that `-p, --priority=` always treats its option as a priority range, even when given +a single log level per the full man page description. + +Co-authored-by: Mike Yuan +(cherry picked from commit ad938537ef4c8e8a77704557f2cb23e35f894b5d) +--- + src/journal/journalctl.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/journal/journalctl.c b/src/journal/journalctl.c +index c436d971d4..45ecc960ae 100644 +--- a/src/journal/journalctl.c ++++ b/src/journal/journalctl.c +@@ -380,7 +380,7 @@ static int help(void) { + " -u --unit=UNIT Show logs from the specified unit\n" + " --user-unit=UNIT Show logs from the specified user unit\n" + " -t --identifier=STRING Show entries with the specified syslog identifier\n" +- " -p --priority=RANGE Show entries with the specified priority\n" ++ " -p --priority=RANGE Show entries within the specified priority range\n" + " --facility=FACILITY... Show entries with the specified facilities\n" + " -g --grep=PATTERN Show entries with MESSAGE matching PATTERN\n" + " --case-sensitive[=BOOL] Force case sensitive or insensitive matching\n" +-- +2.33.0 + 
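Review bot: `.has_cursor = cursor,` in run() initialises a `bool` from a `const char *`; the implicit pointer-to-bool conversion is valid C but hides the intent, and `.has_cursor = !!cursor,` (or `cursor != NULL`) states it. The rewritten comment in show() has a small grammar slip: `one of the cursor argument` should read `one of the cursor arguments`. Both run() and show() extend beyond their hunks.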
diff --git a/backport-journald-server-drop-spuriously-doubled-for-OBJECT_S.patch b/backport-journald-server-drop-spuriously-doubled-for-OBJECT_S.patch
new file mode 100644
index 0000000..4905353
--- /dev/null
+++ b/backport-journald-server-drop-spuriously-doubled-for-OBJECT_S.patch
@@ -0,0 +1,27 @@
+From 9fd78d3052c681d48ce04f13243b962c713d00b3 Mon Sep 17 00:00:00 2001
+From: Mike Yuan
+Date: Thu, 25 Apr 2024 00:55:31 +0800
+Subject: [PATCH 0566/1160] journald-server: drop spuriously doubled '=' for
+ OBJECT_SYSTEMD_INVOCATION_ID
+
+(cherry picked from commit 6cb8286aa3f3cca6cc565942abe8597f35c11a6c)
+---
+ src/journal/journald-server.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/journal/journald-server.c b/src/journal/journald-server.c
+index 1c3a2a0b37..33e5b0f82b 100644
+--- a/src/journal/journald-server.c
++++ b/src/journal/journald-server.c
+@@ -1111,7 +1111,7 @@ static void server_dispatch_message_real(
+ IOVEC_ADD_STRING_FIELD(iovec, n, o->slice, "OBJECT_SYSTEMD_SLICE");
+ IOVEC_ADD_STRING_FIELD(iovec, n, o->user_slice, "OBJECT_SYSTEMD_USER_SLICE");
+
+- IOVEC_ADD_ID128_FIELD(iovec, n, o->invocation_id, "OBJECT_SYSTEMD_INVOCATION_ID=");
++ IOVEC_ADD_ID128_FIELD(iovec, n, o->invocation_id, "OBJECT_SYSTEMD_INVOCATION_ID");
+ }
+
+ assert(n <= m);
+--
+2.33.0
+
diff --git a/backport-journald-when-getting-journal-data-via-memfd-check-f.patch b/backport-journald-when-getting-journal-data-via-memfd-check-f.patch
new file mode 100644
index 0000000..8fdfda5
--- /dev/null
+++ b/backport-journald-when-getting-journal-data-via-memfd-check-f.patch
@@ -0,0 +1,92 @@ +From 76cfca0e4866b0311e3698475f309964b45ff44e Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Wed, 14 Feb 2024 10:55:22 +0100 +Subject: [PATCH 0309/1160] journald: when getting journal data via memfd, + check flags are valid + +Add some extra safety checks: refuse weird open flags. + +And while we are at it, also use stat_verify_regular() + +(cherry picked from commit 1f47e27a290f0cfbf55caad1573cc1b857f67af3) +--- + src/journal/journald-native.c | 49 +++++++++++++++++++++-------------- + 1 file changed, 30 insertions(+), 19 deletions(-) + +diff --git a/src/journal/journald-native.c b/src/journal/journald-native.c +index 4f030dda86..315ec0b513 100644 +--- a/src/journal/journald-native.c ++++ b/src/journal/journald-native.c +@@ -22,6 +22,7 @@ + #include "journald-wall.h" + #include "memfd-util.h" + #include "memory-util.h" ++#include "missing_fcntl.h" + #include "parse-util.h" + #include "path-util.h" + #include "process-util.h" +@@ -342,8 +343,33 @@ void server_process_native_file( + assert(s); + assert(fd >= 0); + +- /* If it's a memfd, check if it is sealed. If so, we can just +- * mmap it and use it, and do not need to copy the data out. */ ++ if (fstat(fd, &st) < 0) { ++ log_ratelimit_error_errno(errno, JOURNAL_LOG_RATELIMIT, "Failed to stat passed file, ignoring: %m"); ++ return; ++ } ++ ++ r = stat_verify_regular(&st); ++ if (r < 0) { ++ log_ratelimit_error_errno(r, JOURNAL_LOG_RATELIMIT, "File passed is not regular, ignoring: %m"); ++ return; ++ } ++ ++ if (st.st_size <= 0) ++ return; ++ ++ int flags = fcntl(fd, F_GETFL); ++ if (flags < 0) { ++ log_ratelimit_error_errno(errno, JOURNAL_LOG_RATELIMIT, "Failed to get flags of passed file, ignoring: %m"); ++ return; ++ } ++ ++ if ((flags & ~(O_ACCMODE|RAW_O_LARGEFILE)) != 0) { ++ log_ratelimit_error(JOURNAL_LOG_RATELIMIT, "Unexpected flags of passed memory fd, ignoring message: %m"); ++ return; ++ } ++ ++ /* If it's a memfd, check if it is sealed. 
If so, we can just mmap it and use it, and do not need to ++ * copy the data out. */ + sealed = memfd_get_sealed(fd) > 0; + + if (!sealed && (!ucred || ucred->uid != 0)) { +@@ -374,23 +400,8 @@ void server_process_native_file( + } + } + +- if (fstat(fd, &st) < 0) { +- log_ratelimit_error_errno(errno, JOURNAL_LOG_RATELIMIT, +- "Failed to stat passed file, ignoring: %m"); +- return; +- } +- +- if (!S_ISREG(st.st_mode)) { +- log_ratelimit_error(JOURNAL_LOG_RATELIMIT, +- "File passed is not regular. Ignoring."); +- return; +- } +- +- if (st.st_size <= 0) +- return; +- +- /* When !sealed, set a lower memory limit. We have to read the file, +- * effectively doubling memory use. */ ++ /* When !sealed, set a lower memory limit. We have to read the file, effectively doubling memory ++ * use. */ + if (st.st_size > ENTRY_SIZE_MAX / (sealed ? 1 : 2)) { + log_ratelimit_error(JOURNAL_LOG_RATELIMIT, + "File passed too large (%"PRIu64" bytes). Ignoring.", +-- +2.33.0 + diff --git a/backport-json-add-new-dispatch-flag-JSON_ALLOW_EXTENSIONS.patch b/backport-json-add-new-dispatch-flag-JSON_ALLOW_EXTENSIONS.patch new file mode 100644 index 0000000..88e534f --- /dev/null +++ b/backport-json-add-new-dispatch-flag-JSON_ALLOW_EXTENSIONS.patch 
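Review bot: The new rejection `log_ratelimit_error(JOURNAL_LOG_RATELIMIT, "Unexpected flags of passed memory fd, ignoring message: %m");` uses `%m` although nothing on that path sets errno — the preceding `fcntl(fd, F_GETFL)` succeeded — so the message will carry whatever stale errno string happens to be around. Logging the offending value instead, e.g. `"Unexpected flags 0x%x of passed memory fd, ignoring message.", flags`, gives an operator something actionable when a client is rejected. Moving the fstat/regular-file/flags checks ahead of `memfd_get_sealed()` is a sensible ordering; `r` is presumably declared at the top of server_process_native_file(), which starts outside the hunk.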
@@ -0,0 +1,65 @@ +From f33f8aefbdbdcf75cfcccaa8356c6f5c685e0036 Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Mon, 4 Dec 2023 18:10:02 +0100 +Subject: [PATCH 0710/1160] json: add new dispatch flag JSON_ALLOW_EXTENSIONS + +This is a subset of JSON_PERMISSIVE focussed on allowing parsing of +varlink replies that get extended, i.e. gain new fields, without +allowing more than that (i.e. without allowing missing fields, or bad +field types or such). + +(cherry picked from commit a617fd904789cd3a05cf4cb2f54649e2a1f73d33) +--- + src/shared/json.c | 6 +++++- + src/shared/json.h | 15 ++++++++------- + 2 files changed, 13 insertions(+), 8 deletions(-) + +diff --git a/src/shared/json.c b/src/shared/json.c +index d147cc0281..686a28b62b 100644 +--- a/src/shared/json.c ++++ b/src/shared/json.c +@@ -4592,8 +4592,12 @@ int json_dispatch_full( + done ++; + + } else { +- json_log(value, flags, 0, "Unexpected object field '%s'.", json_variant_string(key)); ++ if (flags & JSON_ALLOW_EXTENSIONS) { ++ json_log(value, flags, 0, "Unrecognized object field '%s', assuming extension.", json_variant_string(key)); ++ continue; ++ } + ++ json_log(value, flags, 0, "Unexpected object field '%s'.", json_variant_string(key)); + if (flags & JSON_PERMISSIVE) + continue; + +diff --git a/src/shared/json.h b/src/shared/json.h +index c40c23487a..f891f9cb65 100644 +--- a/src/shared/json.h ++++ b/src/shared/json.h +@@ -375,15 +375,16 @@ int json_buildv(JsonVariant **ret, va_list ap); + * entry, as well the bitmask specified for json_log() calls */ + typedef enum JsonDispatchFlags { + /* The following three may be set in JsonDispatch's .flags field or the json_dispatch() flags parameter */ +- JSON_PERMISSIVE = 1 << 0, /* Shall parsing errors be considered fatal for this property? */ +- JSON_MANDATORY = 1 << 1, /* Should existence of this property be mandatory? */ +- JSON_LOG = 1 << 2, /* Should the parser log about errors? 
*/ +- JSON_SAFE = 1 << 3, /* Don't accept "unsafe" strings in json_dispatch_string() + json_dispatch_string() */ +- JSON_RELAX = 1 << 4, /* Use relaxed user name checking in json_dispatch_user_group_name */ ++ JSON_PERMISSIVE = 1 << 0, /* Shall parsing errors be considered fatal for this field or object? */ ++ JSON_MANDATORY = 1 << 1, /* Should existence of this property be mandatory? */ ++ JSON_LOG = 1 << 2, /* Should the parser log about errors? */ ++ JSON_SAFE = 1 << 3, /* Don't accept "unsafe" strings in json_dispatch_string() + json_dispatch_string() */ ++ JSON_RELAX = 1 << 4, /* Use relaxed user name checking in json_dispatch_user_group_name */ ++ JSON_ALLOW_EXTENSIONS = 1 << 5, /* Subset of JSON_PERMISSIVE: allow additional fields, but no other permissive handling */ + + /* The following two may be passed into log_json() in addition to those above */ +- JSON_DEBUG = 1 << 5, /* Indicates that this log message is a debug message */ +- JSON_WARNING = 1 << 6, /* Indicates that this log message is a warning message */ ++ JSON_DEBUG = 1 << 6, /* Indicates that this log message is a debug message */ ++ JSON_WARNING = 1 << 7, /* Indicates that this log message is a warning message */ + } JsonDispatchFlags; + + typedef int (*JsonDispatchCallback)(const char *name, JsonVariant *variant, JsonDispatchFlags flags, void *userdata); +-- +2.33.0 + diff --git a/backport-json-use-secure-un-base64-hex-mem-for-sensitive-vari.patch b/backport-json-use-secure-un-base64-hex-mem-for-sensitive-vari.patch new file mode 100644 index 0000000..fb2df3c --- /dev/null +++ b/backport-json-use-secure-un-base64-hex-mem-for-sensitive-vari.patch 
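Review bot: The lead-in comment in json.h still says `The following three may be set in JsonDispatch's .flags field…` while the hunk now lists six such flags; `/* The following may be set in JsonDispatch's .flags field or the json_dispatch() flags parameter */` would stop it going stale again. Inserting JSON_ALLOW_EXTENSIONS at bit 5 shifts JSON_DEBUG and JSON_WARNING to bits 6 and 7, so any code in this tree (including other patches in this backport series) that spells those values numerically rather than by name would silently change meaning — worth a grep when applying the series. The json_dispatch_full() hunk itself is straightforward; that function continues outside the hunk.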
@@ -0,0 +1,39 @@
+From cce7df4079c2ac48c6a6be85785332c6764522b9 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Kamil=20Szcz=C4=99k?=
+Date: Wed, 5 Jun 2024 11:21:23 +0200
+Subject: [PATCH 0706/1160] json: use secure un{base64,hex}mem for sensitive
+ variants
+
+While tracing a LUKS code path in homework, I've noticed that we don't
+erase buffers when doing unbase64 or unhex on JSON variants, even if the
+variant is marked as sensitive.
+
+(cherry picked from commit 80313c55770ef0e2174fe5750680e426278416cb)
+---
+ src/shared/json.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/shared/json.c b/src/shared/json.c
+index 06c9e850ea..d147cc0281 100644
+--- a/src/shared/json.c
++++ b/src/shared/json.c
+@@ -5107,14 +5107,14 @@ int json_variant_unbase64(JsonVariant *v, void **ret, size_t *ret_size) {
+ if (!json_variant_is_string(v))
+ return -EINVAL;
+
+- return unbase64mem(json_variant_string(v), SIZE_MAX, ret, ret_size);
++ return unbase64mem_full(json_variant_string(v), SIZE_MAX, /* secure= */ json_variant_is_sensitive(v), ret, ret_size);
+ }
+
+ int json_variant_unhex(JsonVariant *v, void **ret, size_t *ret_size) {
+ if (!json_variant_is_string(v))
+ return -EINVAL;
+
+- return unhexmem(json_variant_string(v), SIZE_MAX, ret, ret_size);
++ return unhexmem_full(json_variant_string(v), SIZE_MAX, /* secure= */ json_variant_is_sensitive(v), ret, ret_size);
+ }
+
+ static const char* const json_variant_type_table[_JSON_VARIANT_TYPE_MAX] = {
+--
+2.33.0
+
diff --git a/backport-kbd-model-map-add-a-georgian-mapping.patch b/backport-kbd-model-map-add-a-georgian-mapping.patch
new file mode 100644
index 0000000..7aecf06
--- /dev/null
+++ b/backport-kbd-model-map-add-a-georgian-mapping.patch
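Review bot: The `secure=` flag handed to `unbase64mem_full()`/`unhexmem_full()` presumably governs only the decoder's own scratch buffers; the decoded output returned in `*ret` is still the caller's to wipe, so call sites that decode a sensitive variant need to release it with an erasing free rather than plain `free()`. A one-line comment above `json_variant_unbase64()` making that explicit, e.g. `/* For sensitive variants the caller is still responsible for erasing *ret before freeing it. */`, would document the contract. The change also assumes the `_full()` variants with a secure parameter already exist in the v255 tree; if they arrived in a later upstream commit, that commit has to be part of the series too.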
@@ -0,0 +1,29 @@ +From 48fd2d36050d3e6fcbd538d675538d301d076c16 Mon Sep 17 00:00:00 2001 +From: Adam Williamson +Date: Fri, 10 Jan 2025 13:01:47 -0800 +Subject: [PATCH 1096/1160] kbd-model-map: add a georgian mapping + +https://github.com/legionus/kbd/pull/127 adds a Georgian mapping +to kbd. console-setup already has one. Let's support it here, so +it's used for Georgian installs on distros that use this table. + +Signed-off-by: Adam Williamson +(cherry picked from commit f89d4c5f108ffbd29d0cc963ed7202bb9b0f778a) +(cherry picked from commit 52b5a79982e3dec63532f9145f12f0d2c212cef6) +(cherry picked from commit c9e1a4a9ecf657cfd17422cd955c32c0d4f545eb) +--- + src/locale/kbd-model-map | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/locale/kbd-model-map b/src/locale/kbd-model-map +index 279d1a36d8..612f6d749a 100644 +--- a/src/locale/kbd-model-map ++++ b/src/locale/kbd-model-map +@@ -70,3 +70,4 @@ khmer kh,us pc105 - terminate:ctrl_alt_bksp + es-dvorak es microsoftpro dvorak terminate:ctrl_alt_bksp + lv lv pc105 apostrophe terminate:ctrl_alt_bksp + lv-tilde lv pc105 tilde terminate:ctrl_alt_bksp ++ge ge,us pc105 - terminate:ctrl_alt_bksp +-- +2.33.0 + diff --git a/backport-kernel-install-Fix-inspect-with-root-when-no-version.patch b/backport-kernel-install-Fix-inspect-with-root-when-no-version.patch new file mode 100644 index 0000000..8eba18c --- /dev/null +++ b/backport-kernel-install-Fix-inspect-with-root-when-no-version.patch 
@@ -0,0 +1,46 @@ +From 52ae96755ec92463fc3901e45af5ed928af9a0ab Mon Sep 17 00:00:00 2001 +From: Daan De Meyer +Date: Sun, 10 Dec 2023 17:02:38 +0100 +Subject: [PATCH 0038/1160] kernel-install: Fix inspect with --root= when no + version is specified + +Using the kernel version from the host is incorrect in this case, so +fix the logic so it handles no version being specified correctly with +--root=. + +(cherry picked from commit dbab00564571ca47d77aa86b5cd0b1a43420c7b6) +--- + src/kernel-install/kernel-install.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/src/kernel-install/kernel-install.c b/src/kernel-install/kernel-install.c +index 2387eb07fa..45f0c1e7a8 100644 +--- a/src/kernel-install/kernel-install.c ++++ b/src/kernel-install/kernel-install.c +@@ -306,7 +306,7 @@ static int context_set_uki_generator(Context *c, const char *s, const char *sour + static int context_set_version(Context *c, const char *s) { + assert(c); + +- if (!filename_is_valid(s)) ++ if (s && !filename_is_valid(s)) + return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Invalid version specified: %s", s); + + return context_set_string(s, "command line", "kernel version", &c->version); +@@ -1355,12 +1355,12 @@ static int verb_inspect(int argc, char *argv[], void *userdata) { + (argc > 1 ? empty_or_dash_to_null(argv[1]) : NULL); + initrds = strv_skip(argv, 3); + +- if (!version) { ++ if (!version && !arg_root) { + assert_se(uname(&un) >= 0); + version = un.release; + } + +- if (!kernel) { ++ if (!kernel && version) { + r = kernel_from_version(version, &vmlinuz); + if (r < 0) + return r; +-- +2.33.0 + diff --git a/backport-kernel-install-Only-read-cmdline-from-proc-cmdline-w.patch b/backport-kernel-install-Only-read-cmdline-from-proc-cmdline-w.patch new file mode 100644 index 0000000..f6f661e --- /dev/null +++ b/backport-kernel-install-Only-read-cmdline-from-proc-cmdline-w.patch 
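Review bot: With `--root=` and no version argument, the new `if (!version && !arg_root)` leaves `version` NULL and the following `if (!kernel && version)` then skips `kernel_from_version()`, so `vmlinuz` stays NULL as well; whether the remainder of verb_inspect() tolerates both `kernel` and `version` being unset is not visible in this hunk and deserves a check. `context_set_version()` now accepts a NULL `s`, which makes the `"Invalid version specified: %s"` path unreachable for that input — fine, but a short comment such as `/* s may be NULL: no version was given on the command line */` would document the newly accepted value. verb_inspect() continues beyond the hunk.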
@@ -0,0 +1,45 @@ +From 0b4d00b28469353df337add92930626744adf06e Mon Sep 17 00:00:00 2001 +From: Daan De Meyer +Date: Mon, 29 Jul 2024 17:13:28 +0200 +Subject: [PATCH 0810/1160] kernel-install: Only read cmdline from + /proc/cmdline when not in container + +If we're running from within a container, we're very likely not going +to want to use the kernel command line from /proc/cmdline, so let's add +a check to see if we're running from a container to decide whether we'll +use the kernel command line from /proc/cmdline. + +(cherry picked from commit 35c01ec59e0c2e6bd06cb18ca2ff612c6a7ea35d) +(cherry picked from commit c386327fc851863abf4c27076bd368dfc55b83a0) +--- + src/kernel-install/90-loaderentry.install.in | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/src/kernel-install/90-loaderentry.install.in b/src/kernel-install/90-loaderentry.install.in +index 0408530f05..b3509d69b4 100755 +--- a/src/kernel-install/90-loaderentry.install.in ++++ b/src/kernel-install/90-loaderentry.install.in +@@ -79,8 +79,10 @@ elif [ -f /etc/kernel/cmdline ]; then + BOOT_OPTIONS="$(tr -s "$IFS" ' ' +Date: Fri, 12 Jul 2024 10:43:54 +0200 +Subject: [PATCH 0780/1160] kernel-install: Remove existing loader entries and + UKIs + +When boot counting is enabled, adding a new loader entry or UKI can conflict +with an existing one that has booted successfully and therefore has its boot +counter removed. systemd-bless-boot will fail to bless the new successful boot, +since a file without a boot counter already exists. Since kernel-install will +clobber existing files without boot counting, we should therefore remove files +without a boot count as well, when we add a file with one. 
+ +Fixes: #33504 +(cherry picked from commit 99d4575e541fa1fb00dc80f7aad572f3a66db461) +(cherry picked from commit b78618540659a40c4c26aa588b3cd8b9c46116d1) +--- + src/kernel-install/90-loaderentry.install.in | 5 +++++ + src/kernel-install/90-uki-copy.install | 6 ++++++ + 2 files changed, 11 insertions(+) + +diff --git a/src/kernel-install/90-loaderentry.install.in b/src/kernel-install/90-loaderentry.install.in +index a52dd812e4..0408530f05 100755 +--- a/src/kernel-install/90-loaderentry.install.in ++++ b/src/kernel-install/90-loaderentry.install.in +@@ -101,6 +101,11 @@ if [ -f "$TRIES_FILE" ]; then + echo "$TRIES_FILE does not contain an integer." >&2 + exit 1 + fi ++ if [ -f "$LOADER_ENTRY" ]; then ++ [ "$KERNEL_INSTALL_VERBOSE" -gt 0 ] && \ ++ echo "Removing previous loader entry '$LOADER_ENTRY' without boot counting." >&2 ++ rm -f "$LOADER_ENTRY" "${LOADER_ENTRY%.conf}+"*.conf ++ fi + LOADER_ENTRY="${LOADER_ENTRY%.conf}+$TRIES.conf" + fi + +diff --git a/src/kernel-install/90-uki-copy.install b/src/kernel-install/90-uki-copy.install +index d443c4b401..d6f71349cb 100755 +--- a/src/kernel-install/90-uki-copy.install ++++ b/src/kernel-install/90-uki-copy.install +@@ -61,6 +61,12 @@ if [ -f "$TRIES_FILE" ]; then + echo "$TRIES_FILE does not contain an integer." >&2 + exit 1 + fi ++ if [ -f "$UKI_DIR/$ENTRY_TOKEN-$KERNEL_VERSION.efi" ]; then ++ [ "$KERNEL_INSTALL_VERBOSE" -gt 0 ] && \ ++ echo "Removing previous UKI '$UKI_DIR/$ENTRY_TOKEN-$KERNEL_VERSION.efi' without boot counting." >&2 ++ rm -f "$UKI_DIR/$ENTRY_TOKEN-$KERNEL_VERSION.efi" "$UKI_DIR/$ENTRY_TOKEN-$KERNEL_VERSION+"*.efi ++ fi ++ + UKI_FILE="$UKI_DIR/$ENTRY_TOKEN-$KERNEL_VERSION+$TRIES.efi" + else + UKI_FILE="$UKI_DIR/$ENTRY_TOKEN-$KERNEL_VERSION.efi" +-- +2.33.0 + diff --git a/backport-kernel-install-Try-some-more-initrd-variants-in-90-l.patch b/backport-kernel-install-Try-some-more-initrd-variants-in-90-l.patch new file mode 100644 index 0000000..29a82fe --- /dev/null 
+++ b/backport-kernel-install-Try-some-more-initrd-variants-in-90-l.patch @@ -0,0 +1,44 @@ +From 22acfc05a72da8d79e907e1a1f34896735e00b22 Mon Sep 17 00:00:00 2001 +From: Daan De Meyer +Date: Mon, 29 Jul 2024 15:41:51 +0200 +Subject: [PATCH 0811/1160] kernel-install: Try some more initrd variants in + 90-loaderentry.install + +On CentOS/Fedora, dracut is configured to write the initrd to +/boot/initramfs-$KERNEL_VERSION...img so let's check for that as well +if no initrds were supplied. + +(cherry picked from commit b56920e36c5692c0dde701bfb48330653a9c62c9) +(cherry picked from commit 1cb21b2cb194501464c52c1f32ae55f593689cc3) +--- + src/kernel-install/90-loaderentry.install.in | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +diff --git a/src/kernel-install/90-loaderentry.install.in b/src/kernel-install/90-loaderentry.install.in +index b3509d69b4..46f700b23e 100755 +--- a/src/kernel-install/90-loaderentry.install.in ++++ b/src/kernel-install/90-loaderentry.install.in +@@ -207,8 +207,18 @@ mkdir -p "${LOADER_ENTRY%/*}" || { + have_initrd=yes + done + +- # Try "initrd", generated by dracut in its kernel-install hook, if no initrds were supplied +- [ -z "$have_initrd" ] && [ -f "$ENTRY_DIR_ABS/initrd" ] && echo "initrd $ENTRY_DIR/initrd" ++ # Try a few variations that are generated by various initrd generators in their kernel-install hooks if ++ # no initrds were supplied. ++ ++ if [ -z "$have_initrd" ] && [ -f "$ENTRY_DIR_ABS/initrd" ]; then ++ echo "initrd $ENTRY_DIR/initrd" ++ have_initrd=yes ++ fi ++ ++ if [ -z "$have_initrd" ] && [ -f "$BOOT_ROOT/initramfs-$KERNEL_VERSION.img" ]; then ++ echo "initrd /initramfs-$KERNEL_VERSION.img" ++ have_initrd=yes ++ fi + : + } >"$LOADER_ENTRY" || { + echo "Error: could not create loader entry '$LOADER_ENTRY'." >&2 +-- +2.33.0 + diff --git a/backport-kernel-install-fix-context_copy.patch b/backport-kernel-install-fix-context_copy.patch new file mode 100644 index 0000000..fe5ae78 --- /dev/null 
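Review bot: The new fallback silently adopts whatever `$BOOT_ROOT/initramfs-$KERNEL_VERSION.img` already exists — an image this kernel-install run did not produce and that a stale or leftover file could satisfy — so a verbose log line next to it, `[ "$KERNEL_INSTALL_VERBOSE" -gt 0 ] && echo "Using existing initrd '$BOOT_ROOT/initramfs-$KERNEL_VERSION.img'." >&2`, would make that choice visible in the install log; only stdout of the brace group is redirected into `$LOADER_ENTRY`, so stderr output is safe there. The two `if` blocks are otherwise parallel and easy to follow.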
+++ b/backport-kernel-install-fix-context_copy.patch 
@@ -0,0 +1,84 @@
+From 93f507eca6b8af395c1e46d326fbc46395e73168 Mon Sep 17 00:00:00 2001
+From: Ludwig Nussel
+Date: Tue, 9 Jan 2024 12:29:36 +0100
+Subject: [PATCH 0154/1160] kernel-install: fix context_copy
+
+Don't reopen or dup values that weren't set before. Fixes add-all.
+
+(cherry picked from commit 27d420f46645ed584bdd66857eabc25f8c0118bb)
+---
+ src/kernel-install/kernel-install.c | 35 ++++++++++++++++------------
+ 1 file changed, 19 insertions(+), 16 deletions(-)
+
+diff --git a/src/kernel-install/kernel-install.c b/src/kernel-install/kernel-install.c
+index 45f0c1e7a8..6b0a519cc6 100644
+--- a/src/kernel-install/kernel-install.c
++++ b/src/kernel-install/kernel-install.c
+@@ -132,9 +132,10 @@ static int context_copy(const Context *source, Context *ret) {
+
+ assert(source);
+ assert(ret);
++ assert(source->rfd >= 0 || source->rfd == AT_FDCWD);
+
+ _cleanup_(context_done) Context copy = (Context) {
+- .rfd = -EBADF,
++ .rfd = AT_FDCWD,
+ .action = source->action,
+ .machine_id = source->machine_id,
+ .machine_id_is_random = source->machine_id_is_random,
+@@ -143,9 +144,11 @@ static int context_copy(const Context *source, Context *ret) {
+ .entry_token_type = source->entry_token_type,
+ };
+
+- copy.rfd = fd_reopen(source->rfd, O_CLOEXEC|O_DIRECTORY|O_PATH);
+- if (copy.rfd < 0)
+- return copy.rfd;
++ if (source->rfd >= 0) {
++ copy.rfd = fd_reopen(source->rfd, O_CLOEXEC|O_DIRECTORY|O_PATH);
++ if (copy.rfd < 0)
++ return copy.rfd;
++ }
+
+ r = strdup_or_null(source->layout_other, ©.layout_other);
+ if (r < 0)
+@@ -168,9 +171,9 @@ static int context_copy(const Context *source, Context *ret) {
+ r = strdup_or_null(source->kernel, ©.kernel);
+ if (r < 0)
+ return r;
+- copy.initrds = strv_copy(source->initrds);
+- if (!copy.initrds)
+- return -ENOMEM;
++ r = strv_copy_unless_empty(source->initrds, ©.initrds);
++ if (r < 0)
++ return r;
+ r = strdup_or_null(source->initrd_generator, ©.initrd_generator);
+ if (r < 0)
+ return r;
+@@ -180,15 +183,15 @@ static int context_copy(const Context *source, Context *ret) {
+ r = strdup_or_null(source->staging_area, ©.staging_area);
+ if (r < 0)
+ return r;
+- copy.plugins = strv_copy(source->plugins);
+- if (!copy.plugins)
+- return -ENOMEM;
+- copy.argv = strv_copy(source->argv);
+- if (!copy.argv)
+- return -ENOMEM;
+- copy.envp = strv_copy(source->envp);
+- if (!copy.envp)
+- return -ENOMEM;
++ r = strv_copy_unless_empty(source->plugins, ©.plugins);
++ if (r < 0)
++ return r;
++ r = strv_copy_unless_empty(source->argv, ©.argv);
++ if (r < 0)
++ return r;
++ r = strv_copy_unless_empty(source->envp, ©.envp);
++ if (r < 0)
++ return r;
+
+ *ret = copy;
+ copy = CONTEXT_NULL;
+--
+2.33.0
+
diff --git a/backport-kernel-install-fix-uki-copy-deinstall.patch b/backport-kernel-install-fix-uki-copy-deinstall.patch
new file mode 100644
index 0000000..f975e28
--- /dev/null
+++ b/backport-kernel-install-fix-uki-copy-deinstall.patch
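Review bot: The new `if (source->rfd >= 0)` branch leaves copy.rfd at the AT_FDCWD it was just initialised to whenever the source carries no real fd, but nothing at the site says so; a short comment would tie it to the new assert: `/* AT_FDCWD cannot be reopened, the copy simply inherits it */`. The four `strv_copy_unless_empty()` calls likewise now leave the target NULL for an empty source list, where the old code, judging by its -ENOMEM check on a NULL result, produced an allocated empty strv, so any consumer that distinguishes NULL from empty (outside this hunk) should be confirmed, and a note such as `/* empty lists stay NULL, readers must treat NULL and empty alike */` would record the contract. context_copy() begins before the first hunk of this patch and its tail lies in the last one.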
@@ -0,0 +1,44 @@
+From fc353a59c5e1c5d5454d8dc9f9f95c349d427519 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann
+Date: Mon, 18 Mar 2024 17:04:22 +0100
+Subject: [PATCH 0458/1160] kernel-install: fix uki-copy deinstall
+
+For "kernel-install remove ..." only the kernel version is passed, not
+the kernel image. So auto-detecting KERNEL_INSTALL_IMAGE_TYPE and
+setting KERNEL_INSTALL_LAYOUT does not work for uninstall.
+
+The 90-uki-copy.install plugin must consider this and *not* exit early
+for the "remove" command, otherwise $BOOT_ROOT will be filled with stale
+kernel images.
+
+Signed-off-by: Gerd Hoffmann
+(cherry picked from commit 3037616d8ed68f3263746e3c6399d4a05242068b)
+---
+ src/kernel-install/90-uki-copy.install | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/kernel-install/90-uki-copy.install b/src/kernel-install/90-uki-copy.install
+index c66c09719c..d443c4b401 100755
+--- a/src/kernel-install/90-uki-copy.install
++++ b/src/kernel-install/90-uki-copy.install
+@@ -26,8 +26,6 @@ KERNEL_VERSION="${2:?}"
+ ENTRY_DIR_ABS="$3"
+ KERNEL_IMAGE="$4"
+
+-[ "$KERNEL_INSTALL_LAYOUT" = "uki" ] || exit 0
+-
+ ENTRY_TOKEN="$KERNEL_INSTALL_ENTRY_TOKEN"
+ BOOT_ROOT="$KERNEL_INSTALL_BOOT_ROOT"
+
+@@ -48,6 +46,8 @@ case "$COMMAND" in
+ ;;
+ esac
+
++[ "$KERNEL_INSTALL_LAYOUT" = "uki" ] || exit 0
++
+ if ! [ -d "$UKI_DIR" ]; then
+ [ "$KERNEL_INSTALL_VERBOSE" -gt 0 ] && echo "creating $UKI_DIR"
+ mkdir -p "$UKI_DIR"
+--
+2.33.0
+
diff --git a/backport-kernel-install-remove-depmod-generated-file-modules..patch b/backport-kernel-install-remove-depmod-generated-file-modules..patch
new file mode 100644
index 0000000..6d7382b
--- /dev/null
+++ b/backport-kernel-install-remove-depmod-generated-file-modules..patch
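Review bot: Moving the `[ "$KERNEL_INSTALL_LAYOUT" = "uki" ] || exit 0` gate below `esac` means every branch of the `case "$COMMAND"` block now runs for all layouts, not just the "remove" branch the commit is about; that case body is outside the hunk, so any branch in it that touches $BOOT_ROOT for other commands needs to be confirmed safe without the layout guard. A comment above the moved line would keep the reasoning with the code: `# Checked only after command dispatch: "remove" receives no kernel image, so the layout cannot be auto-detected and the cleanup above must still run`. The script continues past the hunk.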
@@ -0,0 +1,33 @@
+From ae0c61b4a722a7eacd2cc544798467e209238bf7 Mon Sep 17 00:00:00 2001
+From: Jose Ignacio Tornos Martinez
+Date: Fri, 26 Jul 2024 10:28:21 +0200
+Subject: [PATCH 0806/1160] kernel-install: remove depmod generated file
+ modules.weakdep
+
+The new file, modules.weakdep, generated by depmod to get the weak
+dpendencies information can be present
+(https://github.com/kmod-project/kmod/commit/05828b4a6e9327a63ef94df544a042b5e9ce4fe7),
+so remove it like the other similar files.
+
+Signed-off-by: Jose Ignacio Tornos Martinez
+(cherry picked from commit eef4cd51f94d837bd0e71512c831634a2902522d)
+(cherry picked from commit 0cdec6e1fef4174c0d04aaca195ab56750437535)
+---
+ src/kernel-install/50-depmod.install | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/kernel-install/50-depmod.install b/src/kernel-install/50-depmod.install
+index 88f858fed9..08247c735b 100755
+--- a/src/kernel-install/50-depmod.install
++++ b/src/kernel-install/50-depmod.install
+@@ -44,6 +44,7 @@ case "$COMMAND" in
+ "/lib/modules/$KERNEL_VERSION/modules.dep.bin" \
+ "/lib/modules/$KERNEL_VERSION/modules.devname" \
+ "/lib/modules/$KERNEL_VERSION/modules.softdep" \
++ "/lib/modules/$KERNEL_VERSION/modules.weakdep" \
+ "/lib/modules/$KERNEL_VERSION/modules.symbols" \
+ "/lib/modules/$KERNEL_VERSION/modules.symbols.bin"
+ ;;
+--
+2.33.0
+
diff --git a/backport-kernel-install-silence-num-kernels-installed.patch b/backport-kernel-install-silence-num-kernels-installed.patch
new file mode 100644
index 0000000..a8914e1
--- /dev/null
+++ b/backport-kernel-install-silence-num-kernels-installed.patch
@@ -0,0 +1,26 @@
+From b814c2883e71e713d76e2550b1f10374914a1960 Mon Sep 17 00:00:00 2001
+From: Ludwig Nussel
+Date: Tue, 9 Jan 2024 12:49:09 +0100
+Subject: [PATCH 0155/1160] kernel-install: silence num kernels installed
+
+(cherry picked from commit ec9ff6ea94417f83f45f563ae5375c0e090e6fb5)
+---
+ src/kernel-install/kernel-install.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/kernel-install/kernel-install.c b/src/kernel-install/kernel-install.c
+index 6b0a519cc6..14ae1a84c5 100644
+--- a/src/kernel-install/kernel-install.c
++++ b/src/kernel-install/kernel-install.c
+@@ -1286,7 +1286,7 @@ static int verb_add_all(int argc, char *argv[], void *userdata) {
+ }
+
+ if (n > 0)
+- log_info("Installed %zu kernels.", n);
++ log_debug("Installed %zu kernel(s).", n);
+ else if (ret == 0)
+ ret = log_error_errno(SYNTHETIC_ERRNO(ENOENT), "No kernels to install found.");
+
+--
+2.33.0
+
diff --git a/backport-keyring-util-Use-reported-key-size-to-resize-buf.patch b/backport-keyring-util-Use-reported-key-size-to-resize-buf.patch
new file mode 100644
index 0000000..5bcc013
--- /dev/null
+++ b/backport-keyring-util-Use-reported-key-size-to-resize-buf.patch
@@ -0,0 +1,78 @@
+From 87e47aacb86c2545064400407a697e035a3b3235 Mon Sep 17 00:00:00 2001
+From: Adrian Vovk
+Date: Thu, 1 Feb 2024 17:53:01 -0500
+Subject: [PATCH 0313/1160] keyring-util: Use reported key size to resize buf
+
+According to keyctl(2), the return value for KEYCTL_READ is:
+
+ The amount of data that is available in the key,
+ irrespective of the provided buffer size
+
+So, we could pass in a NULL buffer to query the size, then allocate the
+exact right amount of space, then call keyctl again to get the key data.
+However, we must still keep the for loop to avoid TOCTOU issues: the key
+might have been replaced with something bigger while we're busy
+allocating the buffer to store it.
+
+Thus, we can actually save a syscall by picking some reasonable default
+buffer size and skipping the NULL call to keyctl. If our default is big
+enough, we're done and have saved a syscall! If not, then the first call
+behaves essentially the same as the NULL call, and we use the size it
+returns to reallocate the buffer appropriately.
+
+(cherry picked from commit d0aef638ac43ad64df920d8b3f6c2d835db7643c)
+---
+ src/shared/keyring-util.c | 21 +++++++++------------
+ 1 file changed, 9 insertions(+), 12 deletions(-)
+
+diff --git a/src/shared/keyring-util.c b/src/shared/keyring-util.c
+index 655cf5241d..fadd90ebcc 100644
+--- a/src/shared/keyring-util.c
++++ b/src/shared/keyring-util.c
+@@ -5,34 +5,31 @@
+ #include "missing_syscall.h"
+
+ int keyring_read(key_serial_t serial, void **ret, size_t *ret_size) {
+- size_t m = 100;
++ size_t bufsize = 100;
+
+ for (;;) {
+- _cleanup_(erase_and_freep) uint8_t *p = NULL;
++ _cleanup_(erase_and_freep) uint8_t *buf = NULL;
+ long n;
+
+- p = new(uint8_t, m+1);
+- if (!p)
++ buf = new(uint8_t, bufsize + 1);
++ if (!buf)
+ return -ENOMEM;
+
+- n = keyctl(KEYCTL_READ, (unsigned long) serial, (unsigned long) p, (unsigned long) m, 0);
++ n = keyctl(KEYCTL_READ, (unsigned long) serial, (unsigned long) buf, (unsigned long) bufsize, 0);
+ if (n < 0)
+ return -errno;
+
+- if ((size_t) n <= m) {
+- p[n] = 0; /* NUL terminate, just in case */
++ if ((size_t) n <= bufsize) {
++ buf[n] = 0; /* NUL terminate, just in case */
+
+ if (ret)
+- *ret = TAKE_PTR(p);
++ *ret = TAKE_PTR(buf);
+ if (ret_size)
+ *ret_size = n;
+
+ return 0;
+ }
+
+- if (m > (SIZE_MAX-1) / 2) /* overflow check */
+- return -ENOMEM;
+-
+- m *= 2;
++ bufsize = (size_t) n;
+ }
+ }
+--
+2.33.0
+
diff --git a/backport-killall-fix-errno-check.patch b/backport-killall-fix-errno-check.patch
new file mode 100644
index 0000000..ebf9dd3
--- /dev/null
+++ b/backport-killall-fix-errno-check.patch
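Review bot: `bufsize = (size_t) n;` replaces the doubling step, but the reason the `for (;;)` loop must stay (the key can be replaced by a larger one between the size report and the next read) now lives only in the commit message; put it on the line: `/* Key was larger than our buffer: the kernel reported its full size, retry with exactly that (it may grow again meanwhile, hence the loop) */`. Dropping the old overflow check is only safe because n is a non-negative long here, so `bufsize + 1` in `new()` cannot wrap; a short `/* n >= 0, so bufsize + 1 cannot overflow */` next to the assignment keeps that invariant from being silently broken later. The partially filled `buf` from a short read is released by the erase_and_freep cleanup before the retry, which is the right handling for key material and is worth stating in the same comment.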
@@ -0,0 +1,26 @@
+From ef132265a1635bb26273fdeed6d8f3f29a9e15ae Mon Sep 17 00:00:00 2001
+From: Frantisek Sumsal
+Date: Mon, 25 Dec 2023 12:18:02 +0100
+Subject: [PATCH 0092/1160] killall: fix errno check
+
+(cherry picked from commit 6f7936cf57dfeeaa4af479d480037ca58424d43d)
+---
+ src/shared/killall.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/shared/killall.c b/src/shared/killall.c
+index 330b4c3272..917b773266 100644
+--- a/src/shared/killall.c
++++ b/src/shared/killall.c
+@@ -257,7 +257,7 @@ static int killall(int sig, Set *pids, bool send_sighup) {
+
+ r = pidref_kill(&pidref, sig);
+ if (r < 0) {
+- if (errno != -ESRCH)
++ if (r != -ESRCH)
+ log_warning_errno(errno, "Could not kill " PID_FMT ", ignoring: %m", pidref.pid);
+ } else {
+ n_killed++;
+--
+2.33.0
+
diff --git a/backport-killall-gracefully-handle-processes-inserted-into-co.patch b/backport-killall-gracefully-handle-processes-inserted-into-co.patch
new file mode 100644
index 0000000..ce69354
--- /dev/null
+++ b/backport-killall-gracefully-handle-processes-inserted-into-co.patch
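Review bot: The condition now tests `r`, but the context line right below still logs `errno` (`log_warning_errno(errno, ...)`), so the message and its `%m` may describe a stale errno if pidref_kill() reports failures only through its negative return value, as the new comparison implies; make both consistent with `log_warning_errno(r, "Could not kill " PID_FMT ", ignoring: %m", pidref.pid);`. killall() begins and ends outside the hunk.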
@@ -0,0 +1,70 @@
+From 064de0b7cd50ec4a83c7af728067facb9b98b414 Mon Sep 17 00:00:00 2001
+From: Lennart Poettering
+Date: Wed, 20 Nov 2024 12:02:46 +0100
+Subject: [PATCH 1022/1160] killall: gracefully handle processes inserted into
+ containers via nsenter -a
+
+"nsenter -a" doesn't migrate the specified process into the target
+cgroup (it really should). Thus the cgroup will remain in a cgroup
+that is (due to cgroup ns) outside our visibility. The kernel will
+report the cgroup path of such cgroups as starting with "/../". Detect
+that and print a reasonably error message instead of trying to resolve
+that.
+
+(cherry picked from commit f6793bbcf0e3f0a6daa77add96183b88d5ec2117)
+(cherry picked from commit 38e0f618ee26d1030a61884db3ba5c317ece3122)
+---
+ src/basic/cgroup-util.c | 4 ++++
+ src/shared/killall.c | 8 ++++++--
+ 2 files changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/src/basic/cgroup-util.c b/src/basic/cgroup-util.c
+index 50224648d3..e978bd3eff 100644
+--- a/src/basic/cgroup-util.c
++++ b/src/basic/cgroup-util.c
+@@ -813,6 +813,10 @@ int cg_pid_get_path(const char *controller, pid_t pid, char **ret_path) {
+ if (!path)
+ return -ENOMEM;
+
++ /* Refuse cgroup paths from outside our cgroup namespace */
++ if (startswith(path, "/../"))
++ return -EUNATCH;
++
+ /* Truncate suffix indicating the process is a zombie */
+ e = endswith(path, " (deleted)");
+ if (e)
+diff --git a/src/shared/killall.c b/src/shared/killall.c
+index 917b773266..11a0cb2b14 100644
+--- a/src/shared/killall.c
++++ b/src/shared/killall.c
+@@ -46,13 +46,17 @@ static bool argv_has_at(pid_t pid) {
+ return c == '@';
+ }
+
+-static bool is_survivor_cgroup(const PidRef *pid) {
++static bool is_in_survivor_cgroup(const PidRef *pid) {
+ _cleanup_free_ char *cgroup_path = NULL;
+ int r;
+
+ assert(pidref_is_set(pid));
+
+ r = cg_pidref_get_path(/* root= */ NULL, pid, &cgroup_path);
++ if (r == -EUNATCH) {
++ log_warning_errno(r, "Process " PID_FMT " appears to originate in foreign namespace, ignoring.", pid->pid);
++ return true;
++ }
+ if (r < 0) {
+ log_warning_errno(r, "Failed to get cgroup path of process " PID_FMT ", ignoring: %m", pid->pid);
+ return false;
+@@ -86,7 +90,7 @@ static bool ignore_proc(const PidRef *pid, bool warn_rootfs) {
+ return true; /* also ignore processes where we can't determine this */
+
+ /* Ignore processes that are part of a cgroup marked with the user.survive_final_kill_signal xattr */
+- if (is_survivor_cgroup(pid))
++ if (is_in_survivor_cgroup(pid))
+ return true;
+
+ r = pidref_get_uid(pid, &uid);
+--
+2.33.0
+
diff --git a/backport-libcrypt-util-fix-wrong-errno-value-assignment.patch b/backport-libcrypt-util-fix-wrong-errno-value-assignment.patch
new file mode 100644
index 0000000..bcf4f22
--- /dev/null
+++ b/backport-libcrypt-util-fix-wrong-errno-value-assignment.patch
@@ -0,0 +1,28 @@
+From 29868fb1238a7127b4f939f5693732eeb96f7aba Mon Sep 17 00:00:00 2001
+From: Yu Watanabe
+Date: Fri, 10 May 2024 21:06:24 +0900
+Subject: [PATCH 0625/1160] libcrypt-util: fix wrong errno value assignment
+
+Follow-up for 9de324c3c919f20fd49e1d25579f5a66cac0eaa0.
+
+(cherry picked from commit a937fa96ac121bc8c1e74c3014c6bc0f2a597aeb)
+---
+ src/shared/libcrypt-util.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/shared/libcrypt-util.c b/src/shared/libcrypt-util.c
+index 81e6f1754c..5ccf75a522 100644
+--- a/src/shared/libcrypt-util.c
++++ b/src/shared/libcrypt-util.c
+@@ -114,7 +114,7 @@ static char* systemd_crypt_ra(const char *phrase, const char *setting, void **da
+ if (!*data) {
+ *data = new0(struct crypt_data, 1);
+ if (!*data) {
+- errno = -ENOMEM;
++ errno = ENOMEM;
+ return NULL;
+ }
+
+--
+2.33.0
+
diff --git a/backport-libfido2-util-accept-cached-pin-in-fido2_generate_hm.patch b/backport-libfido2-util-accept-cached-pin-in-fido2_generate_hm.patch
new file mode 100644
index 0000000..8565a42
--- /dev/null
+++ b/backport-libfido2-util-accept-cached-pin-in-fido2_generate_hm.patch
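Review bot: In is_in_survivor_cgroup() the new `-EUNATCH` branch returns `true`, which makes a process whose cgroup lies outside our cgroup namespace survive the final kill spree, yet the log text only says "ignoring" and the rationale is not in the code; add above the `return true;` a comment such as `/* Not in our cgroup namespace: the survivor xattr cannot be read and we must not kill what we do not own, so treat it as a survivor */`. The generic `r < 0` branch immediately below takes the opposite default (return false, i.e. the process is killed), so the contrast between the two deserves to be spelled out. The `startswith(path, "/../")` rejection in cg_pid_get_path() changes the result for every caller of that function, not only killall, which the commit message does not mention; extending the existing comment there to `/* Refuse cgroup paths from outside our cgroup namespace; callers get -EUNATCH */` would at least name the new error code. Both is_in_survivor_cgroup() and ignore_proc() continue outside their hunks.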
@@ -0,0 +1,49 @@
+From 993f1e90a7d3ddee790565a8481a178dc3f3422c Mon Sep 17 00:00:00 2001
+From: Martin Wilck
+Date: Mon, 17 Feb 2025 18:40:35 +0100
+Subject: [PATCH 1141/1160] libfido2-util: accept cached pin in
+ fido2_generate_hmac_hash()
+
+fido2_generate_hmac_hash() sets req->keyring to "fido2-pin" when
+calling ask_password_auto(), suggesting that a key by this name
+can be read from the kernel keyring. But the keyring is never
+opened because the ASK_PASSWORD_ACCEPT_CACHED flag is not set.
+
+Set ASK_PASSWORD_ACCEPT_CACHED to allow automated / scripted
+setup of encrypted volumes with FIDO2. If the PIN turns out to
+be invalid, clear ASK_PASSWORD_ACCEPT_CACHED to avoid retrying
+and possible lockout.
+
+(cherry picked from commit 505c2f21377019c058de16aa9e2d8db005e97e6f)
+(cherry picked from commit f2054b8aee28a09767d9bfb976167ce288152d5d)
+(cherry picked from commit 012cde19b899475cb72153daba69144d47122801)
+---
+ src/shared/libfido2-util.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/src/shared/libfido2-util.c b/src/shared/libfido2-util.c
+index 1cc3afe6b9..9e7c395b8a 100644
+--- a/src/shared/libfido2-util.c
++++ b/src/shared/libfido2-util.c
+@@ -836,13 +836,17 @@ int fido2_generate_hmac_hash(
+ return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
+ "Token asks for PIN but doesn't advertise 'clientPin' feature.");
+
++ AskPasswordFlags askpw_flags = ASK_PASSWORD_ACCEPT_CACHED;
++
+ for (;;) {
+ _cleanup_strv_free_erase_ char **pin = NULL;
+
+- r = ask_password_auto("Please enter security token PIN:", askpw_icon_name, NULL, "fido2-pin", "fido2-pin", USEC_INFINITY, 0, &pin);
++ r = ask_password_auto("Please enter security token PIN:", askpw_icon_name, NULL, "fido2-pin", "fido2-pin", USEC_INFINITY, askpw_flags, &pin);
+ if (r < 0)
+ return log_error_errno(r, "Failed to acquire user PIN: %m");
+
++ askpw_flags &= ~ASK_PASSWORD_ACCEPT_CACHED;
++
+ r = FIDO_ERR_PIN_INVALID;
+ STRV_FOREACH(i, pin) {
+ if (isempty(*i)) {
+--
+2.33.0
+
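Review bot: `askpw_flags &= ~ASK_PASSWORD_ACCEPT_CACHED;` runs unconditionally after the first ask_password_auto() call, so a cached PIN is consulted exactly once per call of fido2_generate_hmac_hash(), but a wrong cached "fido2-pin" keyring entry is left in place and every later call of this function will spend another of the token's PIN retries on it; consider invalidating, or at least warning about, the cached entry when the token answers FIDO_ERR_PIN_INVALID, which is handled outside this hunk. The clearing line also needs its reason on the line: `/* Try the cached PIN only once: every rejected attempt counts against the token's retry limit */`. The `for (;;)` loop and the PIN check continue past the hunk.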
diff --git a/backport-libsystemd-link-with-z-nodelete.patch b/backport-libsystemd-link-with-z-nodelete.patch
new file mode 100644
index 0000000..f8c17ba
--- /dev/null
+++ b/backport-libsystemd-link-with-z-nodelete.patch
@@ -0,0 +1,31 @@
+From 34cc605f1764bedce3f54d337be370f594c5eaef Mon Sep 17 00:00:00 2001
+From: Michal Sekletar
+Date: Wed, 22 May 2024 17:15:07 +0200
+Subject: [PATCH 0678/1160] libsystemd: link with '-z nodelete'
+
+We want to avoid reinitialization of our global variables with static
+storage duration in case we get dlopened multiple times by the same
+application. This will avoid potential resource leaks that could have
+happened otherwise (e.g. leaking journal socket fd).
+
+(cherry picked from commit 9d8533b7152daf792356c601516b57c6412d3e52)
+---
+ meson.build | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/meson.build b/meson.build
+index 187e7b216d..15ad855a7f 100644
+--- a/meson.build
++++ b/meson.build
+@@ -1945,6 +1945,8 @@ libsystemd = shared_library(
+ version : libsystemd_version,
+ include_directories : libsystemd_includes,
+ link_args : ['-shared',
++ # Make sure our library is never deleted from memory, so that our open logging fds don't leak on dlopen/dlclose cycles.
++ '-z', 'nodelete',
+ '-Wl,--version-script=' + libsystemd_sym_path],
+ link_with : [libbasic,
+ libbasic_gcrypt,
+--
+2.33.0
+
diff --git a/backport-libsystemd-network-remove-double-initialization.patch b/backport-libsystemd-network-remove-double-initialization.patch
new file mode 100644
index 0000000..026a4f5
--- /dev/null
+++ b/backport-libsystemd-network-remove-double-initialization.patch
@@ -0,0 +1,35 @@
+From 8d074b77f63e6c73c9628c36f89c30c5d7c44cc5 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?=
+Date: Tue, 14 May 2024 18:04:31 +0200
+Subject: [PATCH 0630/1160] libsystemd-network: remove double initialization
+
+(cherry picked from commit f7a6418d47d141f4543aa01253f64f60ffdd2e17)
+---
+ src/libsystemd-network/icmp6-util.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/src/libsystemd-network/icmp6-util.c b/src/libsystemd-network/icmp6-util.c
+index 72c20baadc..3034c85ebc 100644
+--- a/src/libsystemd-network/icmp6-util.c
++++ b/src/libsystemd-network/icmp6-util.c
+@@ -155,7 +155,7 @@ int icmp6_receive(
+ /* This needs to be initialized with zero. See #20741. */
+ CMSG_BUFFER_TYPE(CMSG_SPACE(sizeof(int)) + /* ttl */
+ CMSG_SPACE_TIMEVAL) control = {};
+- struct iovec iov = {};
++ struct iovec iov = { buffer, size };
+ union sockaddr_union sa = {};
+ struct msghdr msg = {
+ .msg_name = &sa.sa,
+@@ -168,8 +168,6 @@ int icmp6_receive(
+ struct in6_addr addr = {};
+ ssize_t len;
+
+- iov = IOVEC_MAKE(buffer, size);
+-
+ len = recvmsg_safe(fd, &msg, MSG_DONTWAIT);
+ if (len < 0)
+ return (int) len;
+--
+2.33.0
+
diff --git a/backport-libsystemd-network-skip-dhcp-server-test-in-case-of-.patch b/backport-libsystemd-network-skip-dhcp-server-test-in-case-of-.patch
new file mode 100644
index 0000000..7a662bb
--- /dev/null
+++ b/backport-libsystemd-network-skip-dhcp-server-test-in-case-of-.patch
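Review bot: `struct iovec iov = { buffer, size };` relies on positional field order, whereas the surrounding declarations (`control = {}`, `sa = {}`, the designated `.msg_name = &sa.sa` of msghdr) and the removed `IOVEC_MAKE()` call all avoid that; keeping the helper in the declaration, `struct iovec iov = IOVEC_MAKE(buffer, size);`, or designated fields, `struct iovec iov = { .iov_base = buffer, .iov_len = size };`, is the consistent form and survives any change to the struct layout. icmp6_receive() begins before the first hunk and continues after the second.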
@@ -0,0 +1,32 @@
+From 1b75c5144544aa7153317209339c552d948d4b12 Mon Sep 17 00:00:00 2001
+From: Radoslav Kolev
+Date: Tue, 14 May 2024 10:25:49 +0300
+Subject: [PATCH 0629/1160] libsystemd-network: skip dhcp server test in case
+ of EAFNOSUPPORT
+
+We want to eanble running tests as part of the build, but
+our builds run in VMs with networking disabled.
+
+(cherry picked from commit 19614a08d13fb8e0e73f1cb5859f8011e7df2394)
+---
+ src/libsystemd-network/test-dhcp-server.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/libsystemd-network/test-dhcp-server.c b/src/libsystemd-network/test-dhcp-server.c
+index b2e6034b42..cd39efe3cb 100644
+--- a/src/libsystemd-network/test-dhcp-server.c
++++ b/src/libsystemd-network/test-dhcp-server.c
+@@ -62,7 +62,9 @@ static int test_basic(bool bind_to_interface) {
+ test_pool(&address_lo, 1, 0);
+
+ r = sd_dhcp_server_start(server);
+- if (r == -EPERM)
++ /* skip test if running in an environment with no full networking support, CONFIG_PACKET not
++ * compiled in kernel, nor af_packet module available. */
++ if (r == -EPERM || r == -EAFNOSUPPORT)
+ return r;
+ assert_se(r >= 0);
+
+--
+2.33.0
+
diff --git a/backport-linux-import-input.h-and-friends.patch b/backport-linux-import-input.h-and-friends.patch
new file mode 100644
index 0000000..ab17726
--- /dev/null
+++ b/backport-linux-import-input.h-and-friends.patch
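Review bot: The new comment's wording is hard to parse ("no full networking support, CONFIG_PACKET not compiled in kernel, nor af_packet module available"); suggest `/* Skip when packet sockets are unavailable: CONFIG_PACKET not built into the kernel and no af_packet module (EAFNOSUPPORT), or no permission to use them (EPERM). */`. The early `return r` hands a negative errno to the caller of test_basic(), which is outside the hunk, so whether -EAFNOSUPPORT is actually reported as a skip there rather than as a failure cannot be confirmed from this hunk alone.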
@@ -0,0 +1,1528 @@ +From 4ae0c3f93c18958728b1ad6c7e68249541c22779 Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Tue, 1 Oct 2024 18:34:01 +0200 +Subject: [PATCH 1081/1160] linux: import input.h and friends + +The CIs apparently have rally old headers, where KEY_BRIGHTNESS_AUTO is +missing, let's hence ship our own copies from a current kernel. + +(cherry picked from commit 0a73c8e7b8f109abbad6172f8f6c3f42f015ae70) +(cherry picked from commit 2e137906f14a094a659e0bf07ffb311909029fdb) +--- + src/basic/linux/input-event-codes.h | 980 ++++++++++++++++++++++++++++ + src/basic/linux/input.h | 516 +++++++++++++++ + 2 files changed, 1496 insertions(+) + create mode 100644 src/basic/linux/input-event-codes.h + create mode 100644 src/basic/linux/input.h + +diff --git a/src/basic/linux/input-event-codes.h b/src/basic/linux/input-event-codes.h +new file mode 100644 +index 0000000000..de4647601e +--- /dev/null ++++ b/src/basic/linux/input-event-codes.h +@@ -0,0 +1,980 @@ ++/* SPDX-License-Identifier: GPL-2.0-only WITH Linux-syscall-note */ ++/* ++ * Input event codes ++ * ++ * *** IMPORTANT *** ++ * This file is not only included from C-code but also from devicetree source ++ * files. As such this file MUST only contain comments and defines. ++ * ++ * Copyright (c) 1999-2002 Vojtech Pavlik ++ * Copyright (c) 2015 Hans de Goede ++ * ++ * This program is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 as published by ++ * the Free Software Foundation. 
++ */ ++#ifndef _INPUT_EVENT_CODES_H ++#define _INPUT_EVENT_CODES_H ++ ++/* ++ * Device properties and quirks ++ */ ++ ++#define INPUT_PROP_POINTER 0x00 /* needs a pointer */ ++#define INPUT_PROP_DIRECT 0x01 /* direct input devices */ ++#define INPUT_PROP_BUTTONPAD 0x02 /* has button(s) under pad */ ++#define INPUT_PROP_SEMI_MT 0x03 /* touch rectangle only */ ++#define INPUT_PROP_TOPBUTTONPAD 0x04 /* softbuttons at top of pad */ ++#define INPUT_PROP_POINTING_STICK 0x05 /* is a pointing stick */ ++#define INPUT_PROP_ACCELEROMETER 0x06 /* has accelerometer */ ++ ++#define INPUT_PROP_MAX 0x1f ++#define INPUT_PROP_CNT (INPUT_PROP_MAX + 1) ++ ++/* ++ * Event types ++ */ ++ ++#define EV_SYN 0x00 ++#define EV_KEY 0x01 ++#define EV_REL 0x02 ++#define EV_ABS 0x03 ++#define EV_MSC 0x04 ++#define EV_SW 0x05 ++#define EV_LED 0x11 ++#define EV_SND 0x12 ++#define EV_REP 0x14 ++#define EV_FF 0x15 ++#define EV_PWR 0x16 ++#define EV_FF_STATUS 0x17 ++#define EV_MAX 0x1f ++#define EV_CNT (EV_MAX+1) ++ ++/* ++ * Synchronization events. ++ */ ++ ++#define SYN_REPORT 0 ++#define SYN_CONFIG 1 ++#define SYN_MT_REPORT 2 ++#define SYN_DROPPED 3 ++#define SYN_MAX 0xf ++#define SYN_CNT (SYN_MAX+1) ++ ++/* ++ * Keys and buttons ++ * ++ * Most of the keys/buttons are modeled after USB HUT 1.12 ++ * (see http://www.usb.org/developers/hidpage). 
++ * Abbreviations in the comments: ++ * AC - Application Control ++ * AL - Application Launch Button ++ * SC - System Control ++ */ ++ ++#define KEY_RESERVED 0 ++#define KEY_ESC 1 ++#define KEY_1 2 ++#define KEY_2 3 ++#define KEY_3 4 ++#define KEY_4 5 ++#define KEY_5 6 ++#define KEY_6 7 ++#define KEY_7 8 ++#define KEY_8 9 ++#define KEY_9 10 ++#define KEY_0 11 ++#define KEY_MINUS 12 ++#define KEY_EQUAL 13 ++#define KEY_BACKSPACE 14 ++#define KEY_TAB 15 ++#define KEY_Q 16 ++#define KEY_W 17 ++#define KEY_E 18 ++#define KEY_R 19 ++#define KEY_T 20 ++#define KEY_Y 21 ++#define KEY_U 22 ++#define KEY_I 23 ++#define KEY_O 24 ++#define KEY_P 25 ++#define KEY_LEFTBRACE 26 ++#define KEY_RIGHTBRACE 27 ++#define KEY_ENTER 28 ++#define KEY_LEFTCTRL 29 ++#define KEY_A 30 ++#define KEY_S 31 ++#define KEY_D 32 ++#define KEY_F 33 ++#define KEY_G 34 ++#define KEY_H 35 ++#define KEY_J 36 ++#define KEY_K 37 ++#define KEY_L 38 ++#define KEY_SEMICOLON 39 ++#define KEY_APOSTROPHE 40 ++#define KEY_GRAVE 41 ++#define KEY_LEFTSHIFT 42 ++#define KEY_BACKSLASH 43 ++#define KEY_Z 44 ++#define KEY_X 45 ++#define KEY_C 46 ++#define KEY_V 47 ++#define KEY_B 48 ++#define KEY_N 49 ++#define KEY_M 50 ++#define KEY_COMMA 51 ++#define KEY_DOT 52 ++#define KEY_SLASH 53 ++#define KEY_RIGHTSHIFT 54 ++#define KEY_KPASTERISK 55 ++#define KEY_LEFTALT 56 ++#define KEY_SPACE 57 ++#define KEY_CAPSLOCK 58 ++#define KEY_F1 59 ++#define KEY_F2 60 ++#define KEY_F3 61 ++#define KEY_F4 62 ++#define KEY_F5 63 ++#define KEY_F6 64 ++#define KEY_F7 65 ++#define KEY_F8 66 ++#define KEY_F9 67 ++#define KEY_F10 68 ++#define KEY_NUMLOCK 69 ++#define KEY_SCROLLLOCK 70 ++#define KEY_KP7 71 ++#define KEY_KP8 72 ++#define KEY_KP9 73 ++#define KEY_KPMINUS 74 ++#define KEY_KP4 75 ++#define KEY_KP5 76 ++#define KEY_KP6 77 ++#define KEY_KPPLUS 78 ++#define KEY_KP1 79 ++#define KEY_KP2 80 ++#define KEY_KP3 81 ++#define KEY_KP0 82 ++#define KEY_KPDOT 83 ++ ++#define KEY_ZENKAKUHANKAKU 85 ++#define KEY_102ND 86 ++#define KEY_F11 87 
++#define KEY_F12 88 ++#define KEY_RO 89 ++#define KEY_KATAKANA 90 ++#define KEY_HIRAGANA 91 ++#define KEY_HENKAN 92 ++#define KEY_KATAKANAHIRAGANA 93 ++#define KEY_MUHENKAN 94 ++#define KEY_KPJPCOMMA 95 ++#define KEY_KPENTER 96 ++#define KEY_RIGHTCTRL 97 ++#define KEY_KPSLASH 98 ++#define KEY_SYSRQ 99 ++#define KEY_RIGHTALT 100 ++#define KEY_LINEFEED 101 ++#define KEY_HOME 102 ++#define KEY_UP 103 ++#define KEY_PAGEUP 104 ++#define KEY_LEFT 105 ++#define KEY_RIGHT 106 ++#define KEY_END 107 ++#define KEY_DOWN 108 ++#define KEY_PAGEDOWN 109 ++#define KEY_INSERT 110 ++#define KEY_DELETE 111 ++#define KEY_MACRO 112 ++#define KEY_MUTE 113 ++#define KEY_VOLUMEDOWN 114 ++#define KEY_VOLUMEUP 115 ++#define KEY_POWER 116 /* SC System Power Down */ ++#define KEY_KPEQUAL 117 ++#define KEY_KPPLUSMINUS 118 ++#define KEY_PAUSE 119 ++#define KEY_SCALE 120 /* AL Compiz Scale (Expose) */ ++ ++#define KEY_KPCOMMA 121 ++#define KEY_HANGEUL 122 ++#define KEY_HANGUEL KEY_HANGEUL ++#define KEY_HANJA 123 ++#define KEY_YEN 124 ++#define KEY_LEFTMETA 125 ++#define KEY_RIGHTMETA 126 ++#define KEY_COMPOSE 127 ++ ++#define KEY_STOP 128 /* AC Stop */ ++#define KEY_AGAIN 129 ++#define KEY_PROPS 130 /* AC Properties */ ++#define KEY_UNDO 131 /* AC Undo */ ++#define KEY_FRONT 132 ++#define KEY_COPY 133 /* AC Copy */ ++#define KEY_OPEN 134 /* AC Open */ ++#define KEY_PASTE 135 /* AC Paste */ ++#define KEY_FIND 136 /* AC Search */ ++#define KEY_CUT 137 /* AC Cut */ ++#define KEY_HELP 138 /* AL Integrated Help Center */ ++#define KEY_MENU 139 /* Menu (show menu) */ ++#define KEY_CALC 140 /* AL Calculator */ ++#define KEY_SETUP 141 ++#define KEY_SLEEP 142 /* SC System Sleep */ ++#define KEY_WAKEUP 143 /* System Wake Up */ ++#define KEY_FILE 144 /* AL Local Machine Browser */ ++#define KEY_SENDFILE 145 ++#define KEY_DELETEFILE 146 ++#define KEY_XFER 147 ++#define KEY_PROG1 148 ++#define KEY_PROG2 149 ++#define KEY_WWW 150 /* AL Internet Browser */ ++#define KEY_MSDOS 151 ++#define KEY_COFFEE 152 /* 
AL Terminal Lock/Screensaver */ ++#define KEY_SCREENLOCK KEY_COFFEE ++#define KEY_ROTATE_DISPLAY 153 /* Display orientation for e.g. tablets */ ++#define KEY_DIRECTION KEY_ROTATE_DISPLAY ++#define KEY_CYCLEWINDOWS 154 ++#define KEY_MAIL 155 ++#define KEY_BOOKMARKS 156 /* AC Bookmarks */ ++#define KEY_COMPUTER 157 ++#define KEY_BACK 158 /* AC Back */ ++#define KEY_FORWARD 159 /* AC Forward */ ++#define KEY_CLOSECD 160 ++#define KEY_EJECTCD 161 ++#define KEY_EJECTCLOSECD 162 ++#define KEY_NEXTSONG 163 ++#define KEY_PLAYPAUSE 164 ++#define KEY_PREVIOUSSONG 165 ++#define KEY_STOPCD 166 ++#define KEY_RECORD 167 ++#define KEY_REWIND 168 ++#define KEY_PHONE 169 /* Media Select Telephone */ ++#define KEY_ISO 170 ++#define KEY_CONFIG 171 /* AL Consumer Control Configuration */ ++#define KEY_HOMEPAGE 172 /* AC Home */ ++#define KEY_REFRESH 173 /* AC Refresh */ ++#define KEY_EXIT 174 /* AC Exit */ ++#define KEY_MOVE 175 ++#define KEY_EDIT 176 ++#define KEY_SCROLLUP 177 ++#define KEY_SCROLLDOWN 178 ++#define KEY_KPLEFTPAREN 179 ++#define KEY_KPRIGHTPAREN 180 ++#define KEY_NEW 181 /* AC New */ ++#define KEY_REDO 182 /* AC Redo/Repeat */ ++ ++#define KEY_F13 183 ++#define KEY_F14 184 ++#define KEY_F15 185 ++#define KEY_F16 186 ++#define KEY_F17 187 ++#define KEY_F18 188 ++#define KEY_F19 189 ++#define KEY_F20 190 ++#define KEY_F21 191 ++#define KEY_F22 192 ++#define KEY_F23 193 ++#define KEY_F24 194 ++ ++#define KEY_PLAYCD 200 ++#define KEY_PAUSECD 201 ++#define KEY_PROG3 202 ++#define KEY_PROG4 203 ++#define KEY_ALL_APPLICATIONS 204 /* AC Desktop Show All Applications */ ++#define KEY_DASHBOARD KEY_ALL_APPLICATIONS ++#define KEY_SUSPEND 205 ++#define KEY_CLOSE 206 /* AC Close */ ++#define KEY_PLAY 207 ++#define KEY_FASTFORWARD 208 ++#define KEY_BASSBOOST 209 ++#define KEY_PRINT 210 /* AC Print */ ++#define KEY_HP 211 ++#define KEY_CAMERA 212 ++#define KEY_SOUND 213 ++#define KEY_QUESTION 214 ++#define KEY_EMAIL 215 ++#define KEY_CHAT 216 ++#define KEY_SEARCH 217 ++#define 
KEY_CONNECT 218 ++#define KEY_FINANCE 219 /* AL Checkbook/Finance */ ++#define KEY_SPORT 220 ++#define KEY_SHOP 221 ++#define KEY_ALTERASE 222 ++#define KEY_CANCEL 223 /* AC Cancel */ ++#define KEY_BRIGHTNESSDOWN 224 ++#define KEY_BRIGHTNESSUP 225 ++#define KEY_MEDIA 226 ++ ++#define KEY_SWITCHVIDEOMODE 227 /* Cycle between available video ++ outputs (Monitor/LCD/TV-out/etc) */ ++#define KEY_KBDILLUMTOGGLE 228 ++#define KEY_KBDILLUMDOWN 229 ++#define KEY_KBDILLUMUP 230 ++ ++#define KEY_SEND 231 /* AC Send */ ++#define KEY_REPLY 232 /* AC Reply */ ++#define KEY_FORWARDMAIL 233 /* AC Forward Msg */ ++#define KEY_SAVE 234 /* AC Save */ ++#define KEY_DOCUMENTS 235 ++ ++#define KEY_BATTERY 236 ++ ++#define KEY_BLUETOOTH 237 ++#define KEY_WLAN 238 ++#define KEY_UWB 239 ++ ++#define KEY_UNKNOWN 240 ++ ++#define KEY_VIDEO_NEXT 241 /* drive next video source */ ++#define KEY_VIDEO_PREV 242 /* drive previous video source */ ++#define KEY_BRIGHTNESS_CYCLE 243 /* brightness up, after max is min */ ++#define KEY_BRIGHTNESS_AUTO 244 /* Set Auto Brightness: manual ++ brightness control is off, ++ rely on ambient */ ++#define KEY_BRIGHTNESS_ZERO KEY_BRIGHTNESS_AUTO ++#define KEY_DISPLAY_OFF 245 /* display device to off state */ ++ ++#define KEY_WWAN 246 /* Wireless WAN (LTE, UMTS, GSM, etc.) 
*/ ++#define KEY_WIMAX KEY_WWAN ++#define KEY_RFKILL 247 /* Key that controls all radios */ ++ ++#define KEY_MICMUTE 248 /* Mute / unmute the microphone */ ++ ++/* Code 255 is reserved for special needs of AT keyboard driver */ ++ ++#define BTN_MISC 0x100 ++#define BTN_0 0x100 ++#define BTN_1 0x101 ++#define BTN_2 0x102 ++#define BTN_3 0x103 ++#define BTN_4 0x104 ++#define BTN_5 0x105 ++#define BTN_6 0x106 ++#define BTN_7 0x107 ++#define BTN_8 0x108 ++#define BTN_9 0x109 ++ ++#define BTN_MOUSE 0x110 ++#define BTN_LEFT 0x110 ++#define BTN_RIGHT 0x111 ++#define BTN_MIDDLE 0x112 ++#define BTN_SIDE 0x113 ++#define BTN_EXTRA 0x114 ++#define BTN_FORWARD 0x115 ++#define BTN_BACK 0x116 ++#define BTN_TASK 0x117 ++ ++#define BTN_JOYSTICK 0x120 ++#define BTN_TRIGGER 0x120 ++#define BTN_THUMB 0x121 ++#define BTN_THUMB2 0x122 ++#define BTN_TOP 0x123 ++#define BTN_TOP2 0x124 ++#define BTN_PINKIE 0x125 ++#define BTN_BASE 0x126 ++#define BTN_BASE2 0x127 ++#define BTN_BASE3 0x128 ++#define BTN_BASE4 0x129 ++#define BTN_BASE5 0x12a ++#define BTN_BASE6 0x12b ++#define BTN_DEAD 0x12f ++ ++#define BTN_GAMEPAD 0x130 ++#define BTN_SOUTH 0x130 ++#define BTN_A BTN_SOUTH ++#define BTN_EAST 0x131 ++#define BTN_B BTN_EAST ++#define BTN_C 0x132 ++#define BTN_NORTH 0x133 ++#define BTN_X BTN_NORTH ++#define BTN_WEST 0x134 ++#define BTN_Y BTN_WEST ++#define BTN_Z 0x135 ++#define BTN_TL 0x136 ++#define BTN_TR 0x137 ++#define BTN_TL2 0x138 ++#define BTN_TR2 0x139 ++#define BTN_SELECT 0x13a ++#define BTN_START 0x13b ++#define BTN_MODE 0x13c ++#define BTN_THUMBL 0x13d ++#define BTN_THUMBR 0x13e ++ ++#define BTN_DIGI 0x140 ++#define BTN_TOOL_PEN 0x140 ++#define BTN_TOOL_RUBBER 0x141 ++#define BTN_TOOL_BRUSH 0x142 ++#define BTN_TOOL_PENCIL 0x143 ++#define BTN_TOOL_AIRBRUSH 0x144 ++#define BTN_TOOL_FINGER 0x145 ++#define BTN_TOOL_MOUSE 0x146 ++#define BTN_TOOL_LENS 0x147 ++#define BTN_TOOL_QUINTTAP 0x148 /* Five fingers on trackpad */ ++#define BTN_STYLUS3 0x149 ++#define BTN_TOUCH 0x14a ++#define 
BTN_STYLUS 0x14b ++#define BTN_STYLUS2 0x14c ++#define BTN_TOOL_DOUBLETAP 0x14d ++#define BTN_TOOL_TRIPLETAP 0x14e ++#define BTN_TOOL_QUADTAP 0x14f /* Four fingers on trackpad */ ++ ++#define BTN_WHEEL 0x150 ++#define BTN_GEAR_DOWN 0x150 ++#define BTN_GEAR_UP 0x151 ++ ++#define KEY_OK 0x160 ++#define KEY_SELECT 0x161 ++#define KEY_GOTO 0x162 ++#define KEY_CLEAR 0x163 ++#define KEY_POWER2 0x164 ++#define KEY_OPTION 0x165 ++#define KEY_INFO 0x166 /* AL OEM Features/Tips/Tutorial */ ++#define KEY_TIME 0x167 ++#define KEY_VENDOR 0x168 ++#define KEY_ARCHIVE 0x169 ++#define KEY_PROGRAM 0x16a /* Media Select Program Guide */ ++#define KEY_CHANNEL 0x16b ++#define KEY_FAVORITES 0x16c ++#define KEY_EPG 0x16d ++#define KEY_PVR 0x16e /* Media Select Home */ ++#define KEY_MHP 0x16f ++#define KEY_LANGUAGE 0x170 ++#define KEY_TITLE 0x171 ++#define KEY_SUBTITLE 0x172 ++#define KEY_ANGLE 0x173 ++#define KEY_FULL_SCREEN 0x174 /* AC View Toggle */ ++#define KEY_ZOOM KEY_FULL_SCREEN ++#define KEY_MODE 0x175 ++#define KEY_KEYBOARD 0x176 ++#define KEY_ASPECT_RATIO 0x177 /* HUTRR37: Aspect */ ++#define KEY_SCREEN KEY_ASPECT_RATIO ++#define KEY_PC 0x178 /* Media Select Computer */ ++#define KEY_TV 0x179 /* Media Select TV */ ++#define KEY_TV2 0x17a /* Media Select Cable */ ++#define KEY_VCR 0x17b /* Media Select VCR */ ++#define KEY_VCR2 0x17c /* VCR Plus */ ++#define KEY_SAT 0x17d /* Media Select Satellite */ ++#define KEY_SAT2 0x17e ++#define KEY_CD 0x17f /* Media Select CD */ ++#define KEY_TAPE 0x180 /* Media Select Tape */ ++#define KEY_RADIO 0x181 ++#define KEY_TUNER 0x182 /* Media Select Tuner */ ++#define KEY_PLAYER 0x183 ++#define KEY_TEXT 0x184 ++#define KEY_DVD 0x185 /* Media Select DVD */ ++#define KEY_AUX 0x186 ++#define KEY_MP3 0x187 ++#define KEY_AUDIO 0x188 /* AL Audio Browser */ ++#define KEY_VIDEO 0x189 /* AL Movie Browser */ ++#define KEY_DIRECTORY 0x18a ++#define KEY_LIST 0x18b ++#define KEY_MEMO 0x18c /* Media Select Messages */ ++#define KEY_CALENDAR 0x18d ++#define 
KEY_RED 0x18e ++#define KEY_GREEN 0x18f ++#define KEY_YELLOW 0x190 ++#define KEY_BLUE 0x191 ++#define KEY_CHANNELUP 0x192 /* Channel Increment */ ++#define KEY_CHANNELDOWN 0x193 /* Channel Decrement */ ++#define KEY_FIRST 0x194 ++#define KEY_LAST 0x195 /* Recall Last */ ++#define KEY_AB 0x196 ++#define KEY_NEXT 0x197 ++#define KEY_RESTART 0x198 ++#define KEY_SLOW 0x199 ++#define KEY_SHUFFLE 0x19a ++#define KEY_BREAK 0x19b ++#define KEY_PREVIOUS 0x19c ++#define KEY_DIGITS 0x19d ++#define KEY_TEEN 0x19e ++#define KEY_TWEN 0x19f ++#define KEY_VIDEOPHONE 0x1a0 /* Media Select Video Phone */ ++#define KEY_GAMES 0x1a1 /* Media Select Games */ ++#define KEY_ZOOMIN 0x1a2 /* AC Zoom In */ ++#define KEY_ZOOMOUT 0x1a3 /* AC Zoom Out */ ++#define KEY_ZOOMRESET 0x1a4 /* AC Zoom */ ++#define KEY_WORDPROCESSOR 0x1a5 /* AL Word Processor */ ++#define KEY_EDITOR 0x1a6 /* AL Text Editor */ ++#define KEY_SPREADSHEET 0x1a7 /* AL Spreadsheet */ ++#define KEY_GRAPHICSEDITOR 0x1a8 /* AL Graphics Editor */ ++#define KEY_PRESENTATION 0x1a9 /* AL Presentation App */ ++#define KEY_DATABASE 0x1aa /* AL Database App */ ++#define KEY_NEWS 0x1ab /* AL Newsreader */ ++#define KEY_VOICEMAIL 0x1ac /* AL Voicemail */ ++#define KEY_ADDRESSBOOK 0x1ad /* AL Contacts/Address Book */ ++#define KEY_MESSENGER 0x1ae /* AL Instant Messaging */ ++#define KEY_DISPLAYTOGGLE 0x1af /* Turn display (LCD) on and off */ ++#define KEY_BRIGHTNESS_TOGGLE KEY_DISPLAYTOGGLE ++#define KEY_SPELLCHECK 0x1b0 /* AL Spell Check */ ++#define KEY_LOGOFF 0x1b1 /* AL Logoff */ ++ ++#define KEY_DOLLAR 0x1b2 ++#define KEY_EURO 0x1b3 ++ ++#define KEY_FRAMEBACK 0x1b4 /* Consumer - transport controls */ ++#define KEY_FRAMEFORWARD 0x1b5 ++#define KEY_CONTEXT_MENU 0x1b6 /* GenDesc - system context menu */ ++#define KEY_MEDIA_REPEAT 0x1b7 /* Consumer - transport control */ ++#define KEY_10CHANNELSUP 0x1b8 /* 10 channels up (10+) */ ++#define KEY_10CHANNELSDOWN 0x1b9 /* 10 channels down (10-) */ ++#define KEY_IMAGES 0x1ba /* AL Image 
Browser */ ++#define KEY_NOTIFICATION_CENTER 0x1bc /* Show/hide the notification center */ ++#define KEY_PICKUP_PHONE 0x1bd /* Answer incoming call */ ++#define KEY_HANGUP_PHONE 0x1be /* Decline incoming call */ ++ ++#define KEY_DEL_EOL 0x1c0 ++#define KEY_DEL_EOS 0x1c1 ++#define KEY_INS_LINE 0x1c2 ++#define KEY_DEL_LINE 0x1c3 ++ ++#define KEY_FN 0x1d0 ++#define KEY_FN_ESC 0x1d1 ++#define KEY_FN_F1 0x1d2 ++#define KEY_FN_F2 0x1d3 ++#define KEY_FN_F3 0x1d4 ++#define KEY_FN_F4 0x1d5 ++#define KEY_FN_F5 0x1d6 ++#define KEY_FN_F6 0x1d7 ++#define KEY_FN_F7 0x1d8 ++#define KEY_FN_F8 0x1d9 ++#define KEY_FN_F9 0x1da ++#define KEY_FN_F10 0x1db ++#define KEY_FN_F11 0x1dc ++#define KEY_FN_F12 0x1dd ++#define KEY_FN_1 0x1de ++#define KEY_FN_2 0x1df ++#define KEY_FN_D 0x1e0 ++#define KEY_FN_E 0x1e1 ++#define KEY_FN_F 0x1e2 ++#define KEY_FN_S 0x1e3 ++#define KEY_FN_B 0x1e4 ++#define KEY_FN_RIGHT_SHIFT 0x1e5 ++ ++#define KEY_BRL_DOT1 0x1f1 ++#define KEY_BRL_DOT2 0x1f2 ++#define KEY_BRL_DOT3 0x1f3 ++#define KEY_BRL_DOT4 0x1f4 ++#define KEY_BRL_DOT5 0x1f5 ++#define KEY_BRL_DOT6 0x1f6 ++#define KEY_BRL_DOT7 0x1f7 ++#define KEY_BRL_DOT8 0x1f8 ++#define KEY_BRL_DOT9 0x1f9 ++#define KEY_BRL_DOT10 0x1fa ++ ++#define KEY_NUMERIC_0 0x200 /* used by phones, remote controls, */ ++#define KEY_NUMERIC_1 0x201 /* and other keypads */ ++#define KEY_NUMERIC_2 0x202 ++#define KEY_NUMERIC_3 0x203 ++#define KEY_NUMERIC_4 0x204 ++#define KEY_NUMERIC_5 0x205 ++#define KEY_NUMERIC_6 0x206 ++#define KEY_NUMERIC_7 0x207 ++#define KEY_NUMERIC_8 0x208 ++#define KEY_NUMERIC_9 0x209 ++#define KEY_NUMERIC_STAR 0x20a ++#define KEY_NUMERIC_POUND 0x20b ++#define KEY_NUMERIC_A 0x20c /* Phone key A - HUT Telephony 0xb9 */ ++#define KEY_NUMERIC_B 0x20d ++#define KEY_NUMERIC_C 0x20e ++#define KEY_NUMERIC_D 0x20f ++ ++#define KEY_CAMERA_FOCUS 0x210 ++#define KEY_WPS_BUTTON 0x211 /* WiFi Protected Setup key */ ++ ++#define KEY_TOUCHPAD_TOGGLE 0x212 /* Request switch touchpad on or off */ ++#define KEY_TOUCHPAD_ON 
0x213 ++#define KEY_TOUCHPAD_OFF 0x214 ++ ++#define KEY_CAMERA_ZOOMIN 0x215 ++#define KEY_CAMERA_ZOOMOUT 0x216 ++#define KEY_CAMERA_UP 0x217 ++#define KEY_CAMERA_DOWN 0x218 ++#define KEY_CAMERA_LEFT 0x219 ++#define KEY_CAMERA_RIGHT 0x21a ++ ++#define KEY_ATTENDANT_ON 0x21b ++#define KEY_ATTENDANT_OFF 0x21c ++#define KEY_ATTENDANT_TOGGLE 0x21d /* Attendant call on or off */ ++#define KEY_LIGHTS_TOGGLE 0x21e /* Reading light on or off */ ++ ++#define BTN_DPAD_UP 0x220 ++#define BTN_DPAD_DOWN 0x221 ++#define BTN_DPAD_LEFT 0x222 ++#define BTN_DPAD_RIGHT 0x223 ++ ++#define KEY_ALS_TOGGLE 0x230 /* Ambient light sensor */ ++#define KEY_ROTATE_LOCK_TOGGLE 0x231 /* Display rotation lock */ ++#define KEY_REFRESH_RATE_TOGGLE 0x232 /* Display refresh rate toggle */ ++ ++#define KEY_BUTTONCONFIG 0x240 /* AL Button Configuration */ ++#define KEY_TASKMANAGER 0x241 /* AL Task/Project Manager */ ++#define KEY_JOURNAL 0x242 /* AL Log/Journal/Timecard */ ++#define KEY_CONTROLPANEL 0x243 /* AL Control Panel */ ++#define KEY_APPSELECT 0x244 /* AL Select Task/Application */ ++#define KEY_SCREENSAVER 0x245 /* AL Screen Saver */ ++#define KEY_VOICECOMMAND 0x246 /* Listening Voice Command */ ++#define KEY_ASSISTANT 0x247 /* AL Context-aware desktop assistant */ ++#define KEY_KBD_LAYOUT_NEXT 0x248 /* AC Next Keyboard Layout Select */ ++#define KEY_EMOJI_PICKER 0x249 /* Show/hide emoji picker (HUTRR101) */ ++#define KEY_DICTATE 0x24a /* Start or Stop Voice Dictation Session (HUTRR99) */ ++#define KEY_CAMERA_ACCESS_ENABLE 0x24b /* Enables programmatic access to camera devices. (HUTRR72) */ ++#define KEY_CAMERA_ACCESS_DISABLE 0x24c /* Disables programmatic access to camera devices. (HUTRR72) */ ++#define KEY_CAMERA_ACCESS_TOGGLE 0x24d /* Toggles the current state of the camera access control. 
(HUTRR72) */ ++#define KEY_ACCESSIBILITY 0x24e /* Toggles the system bound accessibility UI/command (HUTRR116) */ ++#define KEY_DO_NOT_DISTURB 0x24f /* Toggles the system-wide "Do Not Disturb" control (HUTRR94)*/ ++ ++#define KEY_BRIGHTNESS_MIN 0x250 /* Set Brightness to Minimum */ ++#define KEY_BRIGHTNESS_MAX 0x251 /* Set Brightness to Maximum */ ++ ++#define KEY_KBDINPUTASSIST_PREV 0x260 ++#define KEY_KBDINPUTASSIST_NEXT 0x261 ++#define KEY_KBDINPUTASSIST_PREVGROUP 0x262 ++#define KEY_KBDINPUTASSIST_NEXTGROUP 0x263 ++#define KEY_KBDINPUTASSIST_ACCEPT 0x264 ++#define KEY_KBDINPUTASSIST_CANCEL 0x265 ++ ++/* Diagonal movement keys */ ++#define KEY_RIGHT_UP 0x266 ++#define KEY_RIGHT_DOWN 0x267 ++#define KEY_LEFT_UP 0x268 ++#define KEY_LEFT_DOWN 0x269 ++ ++#define KEY_ROOT_MENU 0x26a /* Show Device's Root Menu */ ++/* Show Top Menu of the Media (e.g. DVD) */ ++#define KEY_MEDIA_TOP_MENU 0x26b ++#define KEY_NUMERIC_11 0x26c ++#define KEY_NUMERIC_12 0x26d ++/* ++ * Toggle Audio Description: refers to an audio service that helps blind and ++ * visually impaired consumers understand the action in a program. Note: in ++ * some countries this is referred to as "Video Description". ++ */ ++#define KEY_AUDIO_DESC 0x26e ++#define KEY_3D_MODE 0x26f ++#define KEY_NEXT_FAVORITE 0x270 ++#define KEY_STOP_RECORD 0x271 ++#define KEY_PAUSE_RECORD 0x272 ++#define KEY_VOD 0x273 /* Video on Demand */ ++#define KEY_UNMUTE 0x274 ++#define KEY_FASTREVERSE 0x275 ++#define KEY_SLOWREVERSE 0x276 ++/* ++ * Control a data application associated with the currently viewed channel, ++ * e.g. teletext or data broadcast application (MHEG, MHP, HbbTV, etc.) 
++ */ ++#define KEY_DATA 0x277 ++#define KEY_ONSCREEN_KEYBOARD 0x278 ++/* Electronic privacy screen control */ ++#define KEY_PRIVACY_SCREEN_TOGGLE 0x279 ++ ++/* Select an area of screen to be copied */ ++#define KEY_SELECTIVE_SCREENSHOT 0x27a ++ ++/* Move the focus to the next or previous user controllable element within a UI container */ ++#define KEY_NEXT_ELEMENT 0x27b ++#define KEY_PREVIOUS_ELEMENT 0x27c ++ ++/* Toggle Autopilot engagement */ ++#define KEY_AUTOPILOT_ENGAGE_TOGGLE 0x27d ++ ++/* Shortcut Keys */ ++#define KEY_MARK_WAYPOINT 0x27e ++#define KEY_SOS 0x27f ++#define KEY_NAV_CHART 0x280 ++#define KEY_FISHING_CHART 0x281 ++#define KEY_SINGLE_RANGE_RADAR 0x282 ++#define KEY_DUAL_RANGE_RADAR 0x283 ++#define KEY_RADAR_OVERLAY 0x284 ++#define KEY_TRADITIONAL_SONAR 0x285 ++#define KEY_CLEARVU_SONAR 0x286 ++#define KEY_SIDEVU_SONAR 0x287 ++#define KEY_NAV_INFO 0x288 ++#define KEY_BRIGHTNESS_MENU 0x289 ++ ++/* ++ * Some keyboards have keys which do not have a defined meaning, these keys ++ * are intended to be programmed / bound to macros by the user. For most ++ * keyboards with these macro-keys the key-sequence to inject, or action to ++ * take, is all handled by software on the host side. So from the kernel's ++ * point of view these are just normal keys. ++ * ++ * The KEY_MACRO# codes below are intended for such keys, which may be labeled ++ * e.g. G1-G18, or S1 - S30. The KEY_MACRO# codes MUST NOT be used for keys ++ * where the marking on the key does indicate a defined meaning / purpose. ++ * ++ * The KEY_MACRO# codes MUST also NOT be used as fallback for when no existing ++ * KEY_FOO define matches the marking / purpose. In this case a new KEY_FOO ++ * define MUST be added. 
++ */ ++#define KEY_MACRO1 0x290 ++#define KEY_MACRO2 0x291 ++#define KEY_MACRO3 0x292 ++#define KEY_MACRO4 0x293 ++#define KEY_MACRO5 0x294 ++#define KEY_MACRO6 0x295 ++#define KEY_MACRO7 0x296 ++#define KEY_MACRO8 0x297 ++#define KEY_MACRO9 0x298 ++#define KEY_MACRO10 0x299 ++#define KEY_MACRO11 0x29a ++#define KEY_MACRO12 0x29b ++#define KEY_MACRO13 0x29c ++#define KEY_MACRO14 0x29d ++#define KEY_MACRO15 0x29e ++#define KEY_MACRO16 0x29f ++#define KEY_MACRO17 0x2a0 ++#define KEY_MACRO18 0x2a1 ++#define KEY_MACRO19 0x2a2 ++#define KEY_MACRO20 0x2a3 ++#define KEY_MACRO21 0x2a4 ++#define KEY_MACRO22 0x2a5 ++#define KEY_MACRO23 0x2a6 ++#define KEY_MACRO24 0x2a7 ++#define KEY_MACRO25 0x2a8 ++#define KEY_MACRO26 0x2a9 ++#define KEY_MACRO27 0x2aa ++#define KEY_MACRO28 0x2ab ++#define KEY_MACRO29 0x2ac ++#define KEY_MACRO30 0x2ad ++ ++/* ++ * Some keyboards with the macro-keys described above have some extra keys ++ * for controlling the host-side software responsible for the macro handling: ++ * -A macro recording start/stop key. Note that not all keyboards which emit ++ * KEY_MACRO_RECORD_START will also emit KEY_MACRO_RECORD_STOP if ++ * KEY_MACRO_RECORD_STOP is not advertised, then KEY_MACRO_RECORD_START ++ * should be interpreted as a recording start/stop toggle; ++ * -Keys for switching between different macro (pre)sets, either a key for ++ * cycling through the configured presets or keys to directly select a preset. ++ */ ++#define KEY_MACRO_RECORD_START 0x2b0 ++#define KEY_MACRO_RECORD_STOP 0x2b1 ++#define KEY_MACRO_PRESET_CYCLE 0x2b2 ++#define KEY_MACRO_PRESET1 0x2b3 ++#define KEY_MACRO_PRESET2 0x2b4 ++#define KEY_MACRO_PRESET3 0x2b5 ++ ++/* ++ * Some keyboards have a buildin LCD panel where the contents are controlled ++ * by the host. Often these have a number of keys directly below the LCD ++ * intended for controlling a menu shown on the LCD. 
These keys often don't ++ * have any labeling so we just name them KEY_KBD_LCD_MENU# ++ */ ++#define KEY_KBD_LCD_MENU1 0x2b8 ++#define KEY_KBD_LCD_MENU2 0x2b9 ++#define KEY_KBD_LCD_MENU3 0x2ba ++#define KEY_KBD_LCD_MENU4 0x2bb ++#define KEY_KBD_LCD_MENU5 0x2bc ++ ++#define BTN_TRIGGER_HAPPY 0x2c0 ++#define BTN_TRIGGER_HAPPY1 0x2c0 ++#define BTN_TRIGGER_HAPPY2 0x2c1 ++#define BTN_TRIGGER_HAPPY3 0x2c2 ++#define BTN_TRIGGER_HAPPY4 0x2c3 ++#define BTN_TRIGGER_HAPPY5 0x2c4 ++#define BTN_TRIGGER_HAPPY6 0x2c5 ++#define BTN_TRIGGER_HAPPY7 0x2c6 ++#define BTN_TRIGGER_HAPPY8 0x2c7 ++#define BTN_TRIGGER_HAPPY9 0x2c8 ++#define BTN_TRIGGER_HAPPY10 0x2c9 ++#define BTN_TRIGGER_HAPPY11 0x2ca ++#define BTN_TRIGGER_HAPPY12 0x2cb ++#define BTN_TRIGGER_HAPPY13 0x2cc ++#define BTN_TRIGGER_HAPPY14 0x2cd ++#define BTN_TRIGGER_HAPPY15 0x2ce ++#define BTN_TRIGGER_HAPPY16 0x2cf ++#define BTN_TRIGGER_HAPPY17 0x2d0 ++#define BTN_TRIGGER_HAPPY18 0x2d1 ++#define BTN_TRIGGER_HAPPY19 0x2d2 ++#define BTN_TRIGGER_HAPPY20 0x2d3 ++#define BTN_TRIGGER_HAPPY21 0x2d4 ++#define BTN_TRIGGER_HAPPY22 0x2d5 ++#define BTN_TRIGGER_HAPPY23 0x2d6 ++#define BTN_TRIGGER_HAPPY24 0x2d7 ++#define BTN_TRIGGER_HAPPY25 0x2d8 ++#define BTN_TRIGGER_HAPPY26 0x2d9 ++#define BTN_TRIGGER_HAPPY27 0x2da ++#define BTN_TRIGGER_HAPPY28 0x2db ++#define BTN_TRIGGER_HAPPY29 0x2dc ++#define BTN_TRIGGER_HAPPY30 0x2dd ++#define BTN_TRIGGER_HAPPY31 0x2de ++#define BTN_TRIGGER_HAPPY32 0x2df ++#define BTN_TRIGGER_HAPPY33 0x2e0 ++#define BTN_TRIGGER_HAPPY34 0x2e1 ++#define BTN_TRIGGER_HAPPY35 0x2e2 ++#define BTN_TRIGGER_HAPPY36 0x2e3 ++#define BTN_TRIGGER_HAPPY37 0x2e4 ++#define BTN_TRIGGER_HAPPY38 0x2e5 ++#define BTN_TRIGGER_HAPPY39 0x2e6 ++#define BTN_TRIGGER_HAPPY40 0x2e7 ++ ++/* We avoid low common keys in module aliases so they don't get huge. 
*/ ++#define KEY_MIN_INTERESTING KEY_MUTE ++#define KEY_MAX 0x2ff ++#define KEY_CNT (KEY_MAX+1) ++ ++/* ++ * Relative axes ++ */ ++ ++#define REL_X 0x00 ++#define REL_Y 0x01 ++#define REL_Z 0x02 ++#define REL_RX 0x03 ++#define REL_RY 0x04 ++#define REL_RZ 0x05 ++#define REL_HWHEEL 0x06 ++#define REL_DIAL 0x07 ++#define REL_WHEEL 0x08 ++#define REL_MISC 0x09 ++/* ++ * 0x0a is reserved and should not be used in input drivers. ++ * It was used by HID as REL_MISC+1 and userspace needs to detect if ++ * the next REL_* event is correct or is just REL_MISC + n. ++ * We define here REL_RESERVED so userspace can rely on it and detect ++ * the situation described above. ++ */ ++#define REL_RESERVED 0x0a ++#define REL_WHEEL_HI_RES 0x0b ++#define REL_HWHEEL_HI_RES 0x0c ++#define REL_MAX 0x0f ++#define REL_CNT (REL_MAX+1) ++ ++/* ++ * Absolute axes ++ */ ++ ++#define ABS_X 0x00 ++#define ABS_Y 0x01 ++#define ABS_Z 0x02 ++#define ABS_RX 0x03 ++#define ABS_RY 0x04 ++#define ABS_RZ 0x05 ++#define ABS_THROTTLE 0x06 ++#define ABS_RUDDER 0x07 ++#define ABS_WHEEL 0x08 ++#define ABS_GAS 0x09 ++#define ABS_BRAKE 0x0a ++#define ABS_HAT0X 0x10 ++#define ABS_HAT0Y 0x11 ++#define ABS_HAT1X 0x12 ++#define ABS_HAT1Y 0x13 ++#define ABS_HAT2X 0x14 ++#define ABS_HAT2Y 0x15 ++#define ABS_HAT3X 0x16 ++#define ABS_HAT3Y 0x17 ++#define ABS_PRESSURE 0x18 ++#define ABS_DISTANCE 0x19 ++#define ABS_TILT_X 0x1a ++#define ABS_TILT_Y 0x1b ++#define ABS_TOOL_WIDTH 0x1c ++ ++#define ABS_VOLUME 0x20 ++#define ABS_PROFILE 0x21 ++ ++#define ABS_MISC 0x28 ++ ++/* ++ * 0x2e is reserved and should not be used in input drivers. ++ * It was used by HID as ABS_MISC+6 and userspace needs to detect if ++ * the next ABS_* event is correct or is just ABS_MISC + n. ++ * We define here ABS_RESERVED so userspace can rely on it and detect ++ * the situation described above. 
++ */ ++#define ABS_RESERVED 0x2e ++ ++#define ABS_MT_SLOT 0x2f /* MT slot being modified */ ++#define ABS_MT_TOUCH_MAJOR 0x30 /* Major axis of touching ellipse */ ++#define ABS_MT_TOUCH_MINOR 0x31 /* Minor axis (omit if circular) */ ++#define ABS_MT_WIDTH_MAJOR 0x32 /* Major axis of approaching ellipse */ ++#define ABS_MT_WIDTH_MINOR 0x33 /* Minor axis (omit if circular) */ ++#define ABS_MT_ORIENTATION 0x34 /* Ellipse orientation */ ++#define ABS_MT_POSITION_X 0x35 /* Center X touch position */ ++#define ABS_MT_POSITION_Y 0x36 /* Center Y touch position */ ++#define ABS_MT_TOOL_TYPE 0x37 /* Type of touching device */ ++#define ABS_MT_BLOB_ID 0x38 /* Group a set of packets as a blob */ ++#define ABS_MT_TRACKING_ID 0x39 /* Unique ID of initiated contact */ ++#define ABS_MT_PRESSURE 0x3a /* Pressure on contact area */ ++#define ABS_MT_DISTANCE 0x3b /* Contact hover distance */ ++#define ABS_MT_TOOL_X 0x3c /* Center X tool position */ ++#define ABS_MT_TOOL_Y 0x3d /* Center Y tool position */ ++ ++ ++#define ABS_MAX 0x3f ++#define ABS_CNT (ABS_MAX+1) ++ ++/* ++ * Switch events ++ */ ++ ++#define SW_LID 0x00 /* set = lid shut */ ++#define SW_TABLET_MODE 0x01 /* set = tablet mode */ ++#define SW_HEADPHONE_INSERT 0x02 /* set = inserted */ ++#define SW_RFKILL_ALL 0x03 /* rfkill master switch, type "any" ++ set = radio enabled */ ++#define SW_RADIO SW_RFKILL_ALL /* deprecated */ ++#define SW_MICROPHONE_INSERT 0x04 /* set = inserted */ ++#define SW_DOCK 0x05 /* set = plugged into dock */ ++#define SW_LINEOUT_INSERT 0x06 /* set = inserted */ ++#define SW_JACK_PHYSICAL_INSERT 0x07 /* set = mechanical switch set */ ++#define SW_VIDEOOUT_INSERT 0x08 /* set = inserted */ ++#define SW_CAMERA_LENS_COVER 0x09 /* set = lens covered */ ++#define SW_KEYPAD_SLIDE 0x0a /* set = keypad slide out */ ++#define SW_FRONT_PROXIMITY 0x0b /* set = front proximity sensor active */ ++#define SW_ROTATE_LOCK 0x0c /* set = rotate locked/disabled */ ++#define SW_LINEIN_INSERT 0x0d /* set = inserted */ 
++#define SW_MUTE_DEVICE 0x0e /* set = device disabled */ ++#define SW_PEN_INSERTED 0x0f /* set = pen inserted */ ++#define SW_MACHINE_COVER 0x10 /* set = cover closed */ ++#define SW_MAX 0x10 ++#define SW_CNT (SW_MAX+1) ++ ++/* ++ * Misc events ++ */ ++ ++#define MSC_SERIAL 0x00 ++#define MSC_PULSELED 0x01 ++#define MSC_GESTURE 0x02 ++#define MSC_RAW 0x03 ++#define MSC_SCAN 0x04 ++#define MSC_TIMESTAMP 0x05 ++#define MSC_MAX 0x07 ++#define MSC_CNT (MSC_MAX+1) ++ ++/* ++ * LEDs ++ */ ++ ++#define LED_NUML 0x00 ++#define LED_CAPSL 0x01 ++#define LED_SCROLLL 0x02 ++#define LED_COMPOSE 0x03 ++#define LED_KANA 0x04 ++#define LED_SLEEP 0x05 ++#define LED_SUSPEND 0x06 ++#define LED_MUTE 0x07 ++#define LED_MISC 0x08 ++#define LED_MAIL 0x09 ++#define LED_CHARGING 0x0a ++#define LED_MAX 0x0f ++#define LED_CNT (LED_MAX+1) ++ ++/* ++ * Autorepeat values ++ */ ++ ++#define REP_DELAY 0x00 ++#define REP_PERIOD 0x01 ++#define REP_MAX 0x01 ++#define REP_CNT (REP_MAX+1) ++ ++/* ++ * Sounds ++ */ ++ ++#define SND_CLICK 0x00 ++#define SND_BELL 0x01 ++#define SND_TONE 0x02 ++#define SND_MAX 0x07 ++#define SND_CNT (SND_MAX+1) ++ ++#endif +diff --git a/src/basic/linux/input.h b/src/basic/linux/input.h +new file mode 100644 +index 0000000000..7f37e6e40a +--- /dev/null ++++ b/src/basic/linux/input.h +@@ -0,0 +1,516 @@ ++/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */ ++/* ++ * Copyright (c) 1999-2002 Vojtech Pavlik ++ * ++ * This program is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 as published by ++ * the Free Software Foundation. ++ */ ++#ifndef _INPUT_H ++#define _INPUT_H ++ ++ ++#include ++#include ++#include ++#include ++ ++#include "input-event-codes.h" ++ ++/* ++ * The event structure itself ++ * Note that __USE_TIME_BITS64 is defined by libc based on ++ * application's request to use 64 bit time_t. 
++ */ ++ ++struct input_event { ++#if (__BITS_PER_LONG != 32 || !defined(__USE_TIME_BITS64)) && !defined(__KERNEL__) ++ struct timeval time; ++#define input_event_sec time.tv_sec ++#define input_event_usec time.tv_usec ++#else ++ __kernel_ulong_t __sec; ++#if defined(__sparc__) && defined(__arch64__) ++ unsigned int __usec; ++ unsigned int __pad; ++#else ++ __kernel_ulong_t __usec; ++#endif ++#define input_event_sec __sec ++#define input_event_usec __usec ++#endif ++ __u16 type; ++ __u16 code; ++ __s32 value; ++}; ++ ++/* ++ * Protocol version. ++ */ ++ ++#define EV_VERSION 0x010001 ++ ++/* ++ * IOCTLs (0x00 - 0x7f) ++ */ ++ ++struct input_id { ++ __u16 bustype; ++ __u16 vendor; ++ __u16 product; ++ __u16 version; ++}; ++ ++/** ++ * struct input_absinfo - used by EVIOCGABS/EVIOCSABS ioctls ++ * @value: latest reported value for the axis. ++ * @minimum: specifies minimum value for the axis. ++ * @maximum: specifies maximum value for the axis. ++ * @fuzz: specifies fuzz value that is used to filter noise from ++ * the event stream. ++ * @flat: values that are within this value will be discarded by ++ * joydev interface and reported as 0 instead. ++ * @resolution: specifies resolution for the values reported for ++ * the axis. ++ * ++ * Note that input core does not clamp reported values to the ++ * [minimum, maximum] limits, such task is left to userspace. ++ * ++ * The default resolution for main axes (ABS_X, ABS_Y, ABS_Z, ++ * ABS_MT_POSITION_X, ABS_MT_POSITION_Y) is reported in units ++ * per millimeter (units/mm), resolution for rotational axes ++ * (ABS_RX, ABS_RY, ABS_RZ) is reported in units per radian. ++ * The resolution for the size axes (ABS_MT_TOUCH_MAJOR, ++ * ABS_MT_TOUCH_MINOR, ABS_MT_WIDTH_MAJOR, ABS_MT_WIDTH_MINOR) ++ * is reported in units per millimeter (units/mm). ++ * When INPUT_PROP_ACCELEROMETER is set the resolution changes. 
++ * The main axes (ABS_X, ABS_Y, ABS_Z) are then reported in ++ * units per g (units/g) and in units per degree per second ++ * (units/deg/s) for rotational axes (ABS_RX, ABS_RY, ABS_RZ). ++ */ ++struct input_absinfo { ++ __s32 value; ++ __s32 minimum; ++ __s32 maximum; ++ __s32 fuzz; ++ __s32 flat; ++ __s32 resolution; ++}; ++ ++/** ++ * struct input_keymap_entry - used by EVIOCGKEYCODE/EVIOCSKEYCODE ioctls ++ * @scancode: scancode represented in machine-endian form. ++ * @len: length of the scancode that resides in @scancode buffer. ++ * @index: index in the keymap, may be used instead of scancode ++ * @flags: allows to specify how kernel should handle the request. For ++ * example, setting INPUT_KEYMAP_BY_INDEX flag indicates that kernel ++ * should perform lookup in keymap by @index instead of @scancode ++ * @keycode: key code assigned to this scancode ++ * ++ * The structure is used to retrieve and modify keymap data. Users have ++ * option of performing lookup either by @scancode itself or by @index ++ * in keymap entry. EVIOCGKEYCODE will also return scancode or index ++ * (depending on which element was used to perform lookup). 
++ */ ++struct input_keymap_entry { ++#define INPUT_KEYMAP_BY_INDEX (1 << 0) ++ __u8 flags; ++ __u8 len; ++ __u16 index; ++ __u32 keycode; ++ __u8 scancode[32]; ++}; ++ ++struct input_mask { ++ __u32 type; ++ __u32 codes_size; ++ __u64 codes_ptr; ++}; ++ ++#define EVIOCGVERSION _IOR('E', 0x01, int) /* get driver version */ ++#define EVIOCGID _IOR('E', 0x02, struct input_id) /* get device ID */ ++#define EVIOCGREP _IOR('E', 0x03, unsigned int[2]) /* get repeat settings */ ++#define EVIOCSREP _IOW('E', 0x03, unsigned int[2]) /* set repeat settings */ ++ ++#define EVIOCGKEYCODE _IOR('E', 0x04, unsigned int[2]) /* get keycode */ ++#define EVIOCGKEYCODE_V2 _IOR('E', 0x04, struct input_keymap_entry) ++#define EVIOCSKEYCODE _IOW('E', 0x04, unsigned int[2]) /* set keycode */ ++#define EVIOCSKEYCODE_V2 _IOW('E', 0x04, struct input_keymap_entry) ++ ++#define EVIOCGNAME(len) _IOC(_IOC_READ, 'E', 0x06, len) /* get device name */ ++#define EVIOCGPHYS(len) _IOC(_IOC_READ, 'E', 0x07, len) /* get physical location */ ++#define EVIOCGUNIQ(len) _IOC(_IOC_READ, 'E', 0x08, len) /* get unique identifier */ ++#define EVIOCGPROP(len) _IOC(_IOC_READ, 'E', 0x09, len) /* get device properties */ ++ ++/** ++ * EVIOCGMTSLOTS(len) - get MT slot values ++ * @len: size of the data buffer in bytes ++ * ++ * The ioctl buffer argument should be binary equivalent to ++ * ++ * struct input_mt_request_layout { ++ * __u32 code; ++ * __s32 values[num_slots]; ++ * }; ++ * ++ * where num_slots is the (arbitrary) number of MT slots to extract. ++ * ++ * The ioctl size argument (len) is the size of the buffer, which ++ * should satisfy len = (num_slots + 1) * sizeof(__s32). If len is ++ * too small to fit all available slots, the first num_slots are ++ * returned. ++ * ++ * Before the call, code is set to the wanted ABS_MT event type. On ++ * return, values[] is filled with the slot values for the specified ++ * ABS_MT code. ++ * ++ * If the request code is not an ABS_MT value, -EINVAL is returned. 
++ */ ++#define EVIOCGMTSLOTS(len) _IOC(_IOC_READ, 'E', 0x0a, len) ++ ++#define EVIOCGKEY(len) _IOC(_IOC_READ, 'E', 0x18, len) /* get global key state */ ++#define EVIOCGLED(len) _IOC(_IOC_READ, 'E', 0x19, len) /* get all LEDs */ ++#define EVIOCGSND(len) _IOC(_IOC_READ, 'E', 0x1a, len) /* get all sounds status */ ++#define EVIOCGSW(len) _IOC(_IOC_READ, 'E', 0x1b, len) /* get all switch states */ ++ ++#define EVIOCGBIT(ev,len) _IOC(_IOC_READ, 'E', 0x20 + (ev), len) /* get event bits */ ++#define EVIOCGABS(abs) _IOR('E', 0x40 + (abs), struct input_absinfo) /* get abs value/limits */ ++#define EVIOCSABS(abs) _IOW('E', 0xc0 + (abs), struct input_absinfo) /* set abs value/limits */ ++ ++#define EVIOCSFF _IOW('E', 0x80, struct ff_effect) /* send a force effect to a force feedback device */ ++#define EVIOCRMFF _IOW('E', 0x81, int) /* Erase a force effect */ ++#define EVIOCGEFFECTS _IOR('E', 0x84, int) /* Report number of effects playable at the same time */ ++ ++#define EVIOCGRAB _IOW('E', 0x90, int) /* Grab/Release device */ ++#define EVIOCREVOKE _IOW('E', 0x91, int) /* Revoke device access */ ++ ++/** ++ * EVIOCGMASK - Retrieve current event mask ++ * ++ * This ioctl allows user to retrieve the current event mask for specific ++ * event type. The argument must be of type "struct input_mask" and ++ * specifies the event type to query, the address of the receive buffer and ++ * the size of the receive buffer. ++ * ++ * The event mask is a per-client mask that specifies which events are ++ * forwarded to the client. Each event code is represented by a single bit ++ * in the event mask. If the bit is set, the event is passed to the client ++ * normally. Otherwise, the event is filtered and will never be queued on ++ * the client's receive buffer. ++ * ++ * Event masks do not affect global state of the input device. They only ++ * affect the file descriptor they are applied to. ++ * ++ * The default event mask for a client has all bits set, i.e. 
all events ++ * are forwarded to the client. If the kernel is queried for an unknown ++ * event type or if the receive buffer is larger than the number of ++ * event codes known to the kernel, the kernel returns all zeroes for those ++ * codes. ++ * ++ * At maximum, codes_size bytes are copied. ++ * ++ * This ioctl may fail with ENODEV in case the file is revoked, EFAULT ++ * if the receive-buffer points to invalid memory, or EINVAL if the kernel ++ * does not implement the ioctl. ++ */ ++#define EVIOCGMASK _IOR('E', 0x92, struct input_mask) /* Get event-masks */ ++ ++/** ++ * EVIOCSMASK - Set event mask ++ * ++ * This ioctl is the counterpart to EVIOCGMASK. Instead of receiving the ++ * current event mask, this changes the client's event mask for a specific ++ * type. See EVIOCGMASK for a description of event-masks and the ++ * argument-type. ++ * ++ * This ioctl provides full forward compatibility. If the passed event type ++ * is unknown to the kernel, or if the number of event codes specified in ++ * the mask is bigger than what is known to the kernel, the ioctl is still ++ * accepted and applied. However, any unknown codes are left untouched and ++ * stay cleared. That means, the kernel always filters unknown codes ++ * regardless of what the client requests. If the new mask doesn't cover ++ * all known event-codes, all remaining codes are automatically cleared and ++ * thus filtered. ++ * ++ * This ioctl may fail with ENODEV in case the file is revoked. EFAULT is ++ * returned if the receive-buffer points to invalid memory. EINVAL is returned ++ * if the kernel does not implement the ioctl. ++ */ ++#define EVIOCSMASK _IOW('E', 0x93, struct input_mask) /* Set event-masks */ ++ ++#define EVIOCSCLOCKID _IOW('E', 0xa0, int) /* Set clockid to be used for timestamps */ ++ ++/* ++ * IDs. 
++ */ ++ ++#define ID_BUS 0 ++#define ID_VENDOR 1 ++#define ID_PRODUCT 2 ++#define ID_VERSION 3 ++ ++#define BUS_PCI 0x01 ++#define BUS_ISAPNP 0x02 ++#define BUS_USB 0x03 ++#define BUS_HIL 0x04 ++#define BUS_BLUETOOTH 0x05 ++#define BUS_VIRTUAL 0x06 ++ ++#define BUS_ISA 0x10 ++#define BUS_I8042 0x11 ++#define BUS_XTKBD 0x12 ++#define BUS_RS232 0x13 ++#define BUS_GAMEPORT 0x14 ++#define BUS_PARPORT 0x15 ++#define BUS_AMIGA 0x16 ++#define BUS_ADB 0x17 ++#define BUS_I2C 0x18 ++#define BUS_HOST 0x19 ++#define BUS_GSC 0x1A ++#define BUS_ATARI 0x1B ++#define BUS_SPI 0x1C ++#define BUS_RMI 0x1D ++#define BUS_CEC 0x1E ++#define BUS_INTEL_ISHTP 0x1F ++#define BUS_AMD_SFH 0x20 ++ ++/* ++ * MT_TOOL types ++ */ ++#define MT_TOOL_FINGER 0x00 ++#define MT_TOOL_PEN 0x01 ++#define MT_TOOL_PALM 0x02 ++#define MT_TOOL_DIAL 0x0a ++#define MT_TOOL_MAX 0x0f ++ ++/* ++ * Values describing the status of a force-feedback effect ++ */ ++#define FF_STATUS_STOPPED 0x00 ++#define FF_STATUS_PLAYING 0x01 ++#define FF_STATUS_MAX 0x01 ++ ++/* ++ * Structures used in ioctls to upload effects to a device ++ * They are pieces of a bigger structure (called ff_effect) ++ */ ++ ++/* ++ * All duration values are expressed in ms. Values above 32767 ms (0x7fff) ++ * should not be used and have unspecified results. 
++ */ ++ ++/** ++ * struct ff_replay - defines scheduling of the force-feedback effect ++ * @length: duration of the effect ++ * @delay: delay before effect should start playing ++ */ ++struct ff_replay { ++ __u16 length; ++ __u16 delay; ++}; ++ ++/** ++ * struct ff_trigger - defines what triggers the force-feedback effect ++ * @button: number of the button triggering the effect ++ * @interval: controls how soon the effect can be re-triggered ++ */ ++struct ff_trigger { ++ __u16 button; ++ __u16 interval; ++}; ++ ++/** ++ * struct ff_envelope - generic force-feedback effect envelope ++ * @attack_length: duration of the attack (ms) ++ * @attack_level: level at the beginning of the attack ++ * @fade_length: duration of fade (ms) ++ * @fade_level: level at the end of fade ++ * ++ * The @attack_level and @fade_level are absolute values; when applying ++ * envelope force-feedback core will convert to positive/negative ++ * value based on polarity of the default level of the effect. ++ * Valid range for the attack and fade levels is 0x0000 - 0x7fff ++ */ ++struct ff_envelope { ++ __u16 attack_length; ++ __u16 attack_level; ++ __u16 fade_length; ++ __u16 fade_level; ++}; ++ ++/** ++ * struct ff_constant_effect - defines parameters of a constant force-feedback effect ++ * @level: strength of the effect; may be negative ++ * @envelope: envelope data ++ */ ++struct ff_constant_effect { ++ __s16 level; ++ struct ff_envelope envelope; ++}; ++ ++/** ++ * struct ff_ramp_effect - defines parameters of a ramp force-feedback effect ++ * @start_level: beginning strength of the effect; may be negative ++ * @end_level: final strength of the effect; may be negative ++ * @envelope: envelope data ++ */ ++struct ff_ramp_effect { ++ __s16 start_level; ++ __s16 end_level; ++ struct ff_envelope envelope; ++}; ++ ++/** ++ * struct ff_condition_effect - defines a spring or friction force-feedback effect ++ * @right_saturation: maximum level when joystick moved all way to the right ++ * 
@left_saturation: same for the left side ++ * @right_coeff: controls how fast the force grows when the joystick moves ++ * to the right ++ * @left_coeff: same for the left side ++ * @deadband: size of the dead zone, where no force is produced ++ * @center: position of the dead zone ++ */ ++struct ff_condition_effect { ++ __u16 right_saturation; ++ __u16 left_saturation; ++ ++ __s16 right_coeff; ++ __s16 left_coeff; ++ ++ __u16 deadband; ++ __s16 center; ++}; ++ ++/** ++ * struct ff_periodic_effect - defines parameters of a periodic force-feedback effect ++ * @waveform: kind of the effect (wave) ++ * @period: period of the wave (ms) ++ * @magnitude: peak value ++ * @offset: mean value of the wave (roughly) ++ * @phase: 'horizontal' shift ++ * @envelope: envelope data ++ * @custom_len: number of samples (FF_CUSTOM only) ++ * @custom_data: buffer of samples (FF_CUSTOM only) ++ * ++ * Known waveforms - FF_SQUARE, FF_TRIANGLE, FF_SINE, FF_SAW_UP, ++ * FF_SAW_DOWN, FF_CUSTOM. The exact syntax FF_CUSTOM is undefined ++ * for the time being as no driver supports it yet. ++ * ++ * Note: the data pointed by custom_data is copied by the driver. ++ * You can therefore dispose of the memory after the upload/update. ++ */ ++struct ff_periodic_effect { ++ __u16 waveform; ++ __u16 period; ++ __s16 magnitude; ++ __s16 offset; ++ __u16 phase; ++ ++ struct ff_envelope envelope; ++ ++ __u32 custom_len; ++ __s16 *custom_data; ++}; ++ ++/** ++ * struct ff_rumble_effect - defines parameters of a periodic force-feedback effect ++ * @strong_magnitude: magnitude of the heavy motor ++ * @weak_magnitude: magnitude of the light one ++ * ++ * Some rumble pads have two motors of different weight. Strong_magnitude ++ * represents the magnitude of the vibration generated by the heavy one. 
++ */ ++struct ff_rumble_effect { ++ __u16 strong_magnitude; ++ __u16 weak_magnitude; ++}; ++ ++/** ++ * struct ff_effect - defines force feedback effect ++ * @type: type of the effect (FF_CONSTANT, FF_PERIODIC, FF_RAMP, FF_SPRING, ++ * FF_FRICTION, FF_DAMPER, FF_RUMBLE, FF_INERTIA, or FF_CUSTOM) ++ * @id: an unique id assigned to an effect ++ * @direction: direction of the effect ++ * @trigger: trigger conditions (struct ff_trigger) ++ * @replay: scheduling of the effect (struct ff_replay) ++ * @u: effect-specific structure (one of ff_constant_effect, ff_ramp_effect, ++ * ff_periodic_effect, ff_condition_effect, ff_rumble_effect) further ++ * defining effect parameters ++ * ++ * This structure is sent through ioctl from the application to the driver. ++ * To create a new effect application should set its @id to -1; the kernel ++ * will return assigned @id which can later be used to update or delete ++ * this effect. ++ * ++ * Direction of the effect is encoded as follows: ++ * 0 deg -> 0x0000 (down) ++ * 90 deg -> 0x4000 (left) ++ * 180 deg -> 0x8000 (up) ++ * 270 deg -> 0xC000 (right) ++ */ ++struct ff_effect { ++ __u16 type; ++ __s16 id; ++ __u16 direction; ++ struct ff_trigger trigger; ++ struct ff_replay replay; ++ ++ union { ++ struct ff_constant_effect constant; ++ struct ff_ramp_effect ramp; ++ struct ff_periodic_effect periodic; ++ struct ff_condition_effect condition[2]; /* One for each axis */ ++ struct ff_rumble_effect rumble; ++ } u; ++}; ++ ++/* ++ * Force feedback effect types ++ */ ++ ++#define FF_RUMBLE 0x50 ++#define FF_PERIODIC 0x51 ++#define FF_CONSTANT 0x52 ++#define FF_SPRING 0x53 ++#define FF_FRICTION 0x54 ++#define FF_DAMPER 0x55 ++#define FF_INERTIA 0x56 ++#define FF_RAMP 0x57 ++ ++#define FF_EFFECT_MIN FF_RUMBLE ++#define FF_EFFECT_MAX FF_RAMP ++ ++/* ++ * Force feedback periodic effect types ++ */ ++ ++#define FF_SQUARE 0x58 ++#define FF_TRIANGLE 0x59 ++#define FF_SINE 0x5a ++#define FF_SAW_UP 0x5b ++#define FF_SAW_DOWN 0x5c ++#define 
FF_CUSTOM 0x5d
++
++#define FF_WAVEFORM_MIN FF_SQUARE
++#define FF_WAVEFORM_MAX FF_CUSTOM
++
++/*
++ * Set ff device properties
++ */
++
++#define FF_GAIN 0x60
++#define FF_AUTOCENTER 0x61
++
++/*
++ * ff->playback(effect_id = FF_GAIN) is the first effect_id to
++ * cause a collision with another ff method, in this case ff->set_gain().
++ * Therefore the greatest safe value for effect_id is FF_GAIN - 1,
++ * and thus the total number of effects should never exceed FF_GAIN.
++ */
++#define FF_MAX_EFFECTS FF_GAIN
++
++#define FF_MAX 0x7f
++#define FF_CNT (FF_MAX+1)
++
++#endif /* _INPUT_H */
+--
+2.33.0
+
diff --git a/backport-load-fragment-terminate-the-specifier-table-34421.patch b/backport-load-fragment-terminate-the-specifier-table-34421.patch
new file mode 100644
index 0000000..2f3db97
--- /dev/null
+++ b/backport-load-fragment-terminate-the-specifier-table-34421.patch
@@ -0,0 +1,31 @@
+From a8d83342f86d35becdff881395c46385e27e4988 Mon Sep 17 00:00:00 2001
+From: Ronan Pigott
+Date: Sat, 14 Sep 2024 20:21:39 -0700
+Subject: [PATCH 0914/1160] load-fragment: terminate the specifier table
+ (#34421)
+
+Otherwise an invalid specifier iterates over uninitialized data.
+
+Fixes a bug introduced by 0b40688d1830abc6f59b1f1f67eccd757c23eb09 (v254).
+
+(cherry picked from commit 32b8065e876c6f89f55b1bb30eeb442d3921fb3a)
+(cherry picked from commit 5dc97968d6ef732508311ecff555b305a05b6fe5)
+---
+ src/core/load-fragment.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/core/load-fragment.c b/src/core/load-fragment.c
+index 6d60b1fb1f..aa05aa0885 100644
+--- a/src/core/load-fragment.c
++++ b/src/core/load-fragment.c
+@@ -2789,6 +2789,7 @@ int config_parse_environ(
+ COMMON_CREDS_SPECIFIERS(ltype),
+ { 'h', specifier_user_home, NULL },
+ { 's', specifier_user_shell, NULL },
++ {}
+ };
+
+ for (const char *p = rvalue;; ) {
+--
+2.33.0
+
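Review bot: The added `{}` entry is the only thing that keeps the specifier lookup in `config_parse_environ` from walking past the end of the table, as the commit message says, yet nothing at the table records that requirement, so the next entry appended after `specifier_user_shell` can silently reintroduce the bug. A comment on the terminator line, `{} /* terminator: the specifier lookup stops at the first zeroed entry */`, makes the contract visible at the point where it matters. The enclosing function starts before and ends after the hunk.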
diff --git a/backport-locale-setup-do-not-load-locale-from-environemnt-whe.patch b/backport-locale-setup-do-not-load-locale-from-environemnt-whe.patch new file mode 100644 index 0000000..f7d25f2 --- /dev/null +++ b/backport-locale-setup-do-not-load-locale-from-environemnt-whe.patch @@ -0,0 +1,35 @@ +From 79b3378c33ecbc52264ac795b125b1cca2316466 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Sat, 28 Dec 2024 15:07:31 +0900 +Subject: [PATCH 1073/1160] locale-setup: do not load locale from environemnt + when /etc/locale.conf is unchanged + +Previously, when /etc/locale.conf is unchanged, locales were loaded from +possibly outdated environment variable. + +Fixes a bug introduced by 018befcff6b51f8a50ca232e1984d34526037241 (v253). +Fixes #35717. + +(cherry picked from commit 80797bbb919b3ccde4e51b349f3ca70c1157053e) +(cherry picked from commit d00cc09bf0c23c9bb376e1280773f7996ab7820e) +(cherry picked from commit d19d42b570e0ca6101f6f35b7f2f97557c7fa80f) +--- + src/shared/locale-setup.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/shared/locale-setup.c b/src/shared/locale-setup.c +index 4e7f486a23..5c4580cfff 100644 +--- a/src/shared/locale-setup.c ++++ b/src/shared/locale-setup.c +@@ -75,7 +75,7 @@ static int locale_context_load_conf(LocaleContext *c, LocaleLoadFlag flag) { + + /* If the file is not changed, then we do not need to re-read the file. */ + if (stat_inode_unmodified(&c->st, &st)) +- return 0; ++ return 1; /* (already) loaded */ + + c->st = st; + locale_context_clear(c); +-- +2.33.0 + diff --git a/backport-lock-util-do-not-expect-EACCES-when-it-cannot-happen.patch b/backport-lock-util-do-not-expect-EACCES-when-it-cannot-happen.patch new file mode 100644 index 0000000..7a3838c --- /dev/null +++ b/backport-lock-util-do-not-expect-EACCES-when-it-cannot-happen.patch 
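Review bot: `locale_context_load_conf` now returns 1 for the unchanged-file case and the trailing `/* (already) loaded */` explains the literal, but the function's overall return contract (what 0 means on the remaining paths versus > 0 here) is not documented where callers can see it, and the bug being fixed was exactly a caller misreading that value. Suggest a comment above the definition along the lines of `/* Returns > 0 if /etc/locale.conf was loaded (now or on an earlier call), 0 if nothing was loaded, < 0 on error */`, adjusted to whatever the other return paths actually do. The function begins outside the hunk, so any other callers that still treat 0 as "unchanged" should be checked — that is inferred, not visible here.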
@@ -0,0 +1,64 @@ +From 2af054219547b848c309d11cccc6ff11769fec1d Mon Sep 17 00:00:00 2001 +From: Luca Boccassi +Date: Wed, 22 May 2024 00:17:10 +0100 +Subject: [PATCH 0676/1160] lock-util: do not expect EACCES when it cannot + happen + +As per the documentation, EACCES is only returned when F_SETLK is +used, and only on some platforms, which doesn't seem to include +Linux: + +https://github.com/torvalds/linux/blob/master/fs/locks.c + +F_OFD_SETLK is documented to only return EAGAIN, and F_SETLKW/F_OFD_SETLKW +are blocking operations so this logic doesn't apply to them in the +first place. + +Hence, only automatically convert EACCES into EAGAIN for F_SETLK +operations, and propagate the original error in the other cases. + +This is important because in some cases we catch permission errors +and gracefully fallback, which is not possible if the original error +is lost. + +This is an issue in practice because, due to a kernel bug present +before v6.2, AppArmor denies locking on file descriptors to LXC +containers. We support all currently maintained LTS kernels, +including v6.1, where despite a lot of effort and attempts over almost +a year, the bugfix still hasn't been backported, as it is complex and +requires large changes to AppArmor. +On affected kernels, all services running with PrivateNetwork=yes +fail and do not recover, instead of the normal behaviour of gracefully +downgrading to PrivateNetwork=no. 
+ +The integration tests in the Debian CI fail due to this issue: + +https://ci.debian.net/packages/s/systemd/testing/arm64/46828037/ +(cherry picked from commit 06384eb3c5044f632f50304a0210a402460f1189) +--- + src/basic/lock-util.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/src/basic/lock-util.c b/src/basic/lock-util.c +index 7bffe85461..aef395d78e 100644 +--- a/src/basic/lock-util.c ++++ b/src/basic/lock-util.c +@@ -139,7 +139,14 @@ static int fcntl_lock(int fd, int operation, bool ofd) { + .l_len = 0, + })); + +- if (r == -EACCES) /* Treat EACCESS/EAGAIN the same as per man page. */ ++ /* If we are doing non-blocking operations, treat EACCES/EAGAIN the same as per man page. But if ++ * not, propagate EACCES back, as it will likely be due to an LSM denying the operation (for example ++ * LXC with AppArmor when running on kernel < 6.2), and in some cases we want to gracefully ++ * fallback (e.g.: PrivateNetwork=yes). As per documentation, it's only the non-blocking operation ++ * F_SETLK that might return EACCES on some platforms (although the Linux implementation doesn't ++ * seem to), as F_SETLKW and F_OFD_SETLKW block so this is not an issue, and F_OFD_SETLK is documented ++ * to only return EAGAIN if the lock is already held. */ ++ if ((operation & LOCK_NB) && r == -EACCES) + r = -EAGAIN; + + return r; +-- +2.33.0 + diff --git a/backport-log-Fix-size-calculation-for-number-of-iovecs.patch b/backport-log-Fix-size-calculation-for-number-of-iovecs.patch new file mode 100644 index 0000000..90addae --- /dev/null +++ b/backport-log-Fix-size-calculation-for-number-of-iovecs.patch 
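Review bot: After this change a blocking `fcntl_lock()` call that receives -EACCES returns it unchanged, so a caller that only treats -EAGAIN as "lock held" will now see an LSM denial as a hard error; that is the intent, but it belongs in the function's own documentation rather than only in the seven-line inline comment. A line near the signature such as `/* Returns -EAGAIN when a LOCK_NB request finds the lock held; other errors, including -EACCES from an LSM denial, are propagated verbatim. */` would state the contract for callers. The `operation & LOCK_NB` test also assumes `operation` carries flock()-style flags on the fcntl path, which holds only if the mapping to F_SETLK/F_SETLKW happens before this point — confirm, since `fcntl_lock` starts outside the hunk.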
@@ -0,0 +1,49 @@ +From f58fc0ffaa37ff1368829c789b422256f8a4494e Mon Sep 17 00:00:00 2001 +From: Daan De Meyer +Date: Wed, 31 Jul 2024 11:39:04 +0200 +Subject: [PATCH 0825/1160] log: Fix size calculation for number of iovecs + +Each log context field can expand to up to three iovecs (key, value +and newline) so let's fix the size calculation to take this into +account. + +(cherry picked from commit fc83ff3f55ee53fd9101d4e45736f3f996ee7ca6) +(cherry picked from commit f2edebce25779018beca0acd28457864869c2546) +--- + src/basic/log.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/src/basic/log.c b/src/basic/log.c +index eb2053891d..ade6c8b089 100644 +--- a/src/basic/log.c ++++ b/src/basic/log.c +@@ -727,7 +727,7 @@ static int write_to_journal( + if (journal_fd < 0) + return 0; + +- iovec_len = MIN(6 + _log_context_num_fields * 2, IOVEC_MAX); ++ iovec_len = MIN(6 + _log_context_num_fields * 3, IOVEC_MAX); + iovec = newa(struct iovec, iovec_len); + + log_do_header(header, sizeof(header), level, error, file, line, func, object_field, object, extra_field, extra); +@@ -1075,7 +1075,7 @@ int log_struct_internal( + int r; + bool fallback = false; + +- iovec_len = MIN(17 + _log_context_num_fields * 2, IOVEC_MAX); ++ iovec_len = MIN(17 + _log_context_num_fields * 3, IOVEC_MAX); + iovec = newa(struct iovec, iovec_len); + + /* If the journal is available do structured logging. +@@ -1172,7 +1172,7 @@ int log_struct_iovec_internal( + struct iovec *iovec; + size_t n = 0, iovec_len; + +- iovec_len = MIN(1 + n_input_iovec * 2 + _log_context_num_fields * 2, IOVEC_MAX); ++ iovec_len = MIN(1 + n_input_iovec * 2 + _log_context_num_fields * 3, IOVEC_MAX); + iovec = newa(struct iovec, iovec_len); + + log_do_header(header, sizeof(header), level, error, file, line, func, NULL, NULL, NULL, NULL); +-- +2.33.0 + 
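Review bot: The multiplier 3 is now repeated in three separate size calculations (`write_to_journal`, `log_struct_internal`, `log_struct_iovec_internal`) with nothing in the code tying it to the "key, value and newline" reason given in the commit message, so the next change to how context fields are emitted can easily miss one site. A single named constant, e.g. `#define LOG_CONTEXT_IOVECS_PER_FIELD 3 /* key, value, newline */` near the top of log.c, used as `iovec_len = MIN(6 + _log_context_num_fields * LOG_CONTEXT_IOVECS_PER_FIELD, IOVEC_MAX);` at each site, keeps the three in step. All three enclosing functions start and end outside the hunks.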
diff --git a/backport-log-when-writing-a-log-message-to-a-TTY-always-end-l.patch b/backport-log-when-writing-a-log-message-to-a-TTY-always-end-l.patch new file mode 100644 index 0000000..55eb136 --- /dev/null +++ b/backport-log-when-writing-a-log-message-to-a-TTY-always-end-l.patch 
@@ -0,0 +1,108 @@ +From 81303cb82e5bd121dcd1c14814b817cf722621b2 Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Fri, 24 Nov 2023 10:50:47 +0100 +Subject: [PATCH 0007/1160] log: when writing a log message to a TTY always end + line in CRNL + +This should make sure our log lines look nice even if the tty we are +connected to is in raw mode. Normally, it's the TTY's job to turn an NL +we output into a CRNL and interpret it accordingly. However, if the tty +is in "raw" mode it won't do that. Specifically, this is controlled by +the ONLCR flag on the TTY. A TTY might be in raw mode if our "ptyfwd" +logic is used for example, where a 2nd tty is bi-directionally connected +to the primary tty, and duplicate processing is not desired. + +Hence, let's just write out the CR on our own. This will make sure that +whenever we output something subsequent output always continues on the +beginning of the next line again, regardless the mode the TTY is in. Of +course, if the TTY is *not* in raw mode, then the extra CR we now +generate is redundant, but it shouldn't hurt either, as it just moves +the cursor to the front of the line even though already is just there. + +We only to that if we actually talk to a TTY though, since we don't want +the extra CRs if we are redirected to a pipe or file or so. We are not +on Windows after all. 
+ +Fixes: #30155 +(cherry picked from commit d19ddf91fdaf2661a6fed2908a64f6ae9cd54c50) +--- + src/basic/log.c | 22 +++++++++++++++++++++- + 1 file changed, 21 insertions(+), 1 deletion(-) + +diff --git a/src/basic/log.c b/src/basic/log.c +index 0d78ecfd24..1470611a75 100644 +--- a/src/basic/log.c ++++ b/src/basic/log.c +@@ -53,6 +53,7 @@ static int log_facility = LOG_DAEMON; + static bool ratelimit_kmsg = true; + + static int console_fd = STDERR_FILENO; ++static int console_fd_is_tty = -1; /* tri-state: -1 means don't know */ + static int syslog_fd = -EBADF; + static int kmsg_fd = -EBADF; + static int journal_fd = -EBADF; +@@ -108,12 +109,14 @@ bool _log_message_dummy = false; /* Always false */ + static void log_close_console(void) { + /* See comment in log_close_journal() */ + (void) safe_close_above_stdio(TAKE_FD(console_fd)); ++ console_fd_is_tty = -1; + } + + static int log_open_console(void) { + + if (!always_reopen_console) { + console_fd = STDERR_FILENO; ++ console_fd_is_tty = -1; + return 0; + } + +@@ -125,6 +128,7 @@ static int log_open_console(void) { + return fd; + + console_fd = fd_move_above_stdio(fd); ++ console_fd_is_tty = true; + } + + return 0; +@@ -381,6 +385,7 @@ void log_forget_fds(void) { + /* Do not call from library code. */ + + console_fd = kmsg_fd = syslog_fd = journal_fd = -EBADF; ++ console_fd_is_tty = -1; + } + + void log_set_max_level(int level) { +@@ -404,6 +409,16 @@ void log_set_facility(int facility) { + log_facility = facility; + } + ++static bool check_console_fd_is_tty(void) { ++ if (console_fd < 0) ++ return false; ++ ++ if (console_fd_is_tty < 0) ++ console_fd_is_tty = isatty(console_fd) > 0; ++ ++ return console_fd_is_tty; ++} ++ + static int write_to_console( + int level, + int error, +@@ -462,7 +477,12 @@ static int write_to_console( + iovec[n++] = IOVEC_MAKE_STRING(buffer); + if (off) + iovec[n++] = IOVEC_MAKE_STRING(off); +- iovec[n++] = IOVEC_MAKE_STRING("\n"); ++ ++ /* When writing to a TTY we output an extra '\r' (i.e. 
CR) first, to generate CRNL rather than just ++ * NL. This is a robustness thing in case the TTY is currently in raw mode (specifically: has the ++ * ONLCR flag off). We want that subsequent output definitely starts at the beginning of the line ++ * again, after all. If the TTY is not in raw mode the extra CR should not hurt. */ ++ iovec[n++] = IOVEC_MAKE_STRING(check_console_fd_is_tty() ? "\r\n" : "\n"); + + if (writev(console_fd, iovec, n) < 0) { + +-- +2.33.0 + diff --git a/backport-login-fix-session_kill-.-KILL_LEADER-.-35105.patch b/backport-login-fix-session_kill-.-KILL_LEADER-.-35105.patch new file mode 100644 index 0000000..9c2c948 --- /dev/null +++ b/backport-login-fix-session_kill-.-KILL_LEADER-.-35105.patch 
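Review bot: `log_open_console()` sets `console_fd_is_tty = true` immediately after opening the console fd without consulting isatty(), which bypasses the lazy detection that `check_console_fd_is_tty()` was introduced for; if the reopened path is always /dev/console this is harmless, but leaving it at `console_fd_is_tty = -1;` there would let a single code path decide. A second, smaller point: the variable is declared `int` as a tri-state but assigned the bool `true`, so the declaration comment should spell out the three values, e.g. `/* tri-state: -1 unknown, 0 not a tty, 1 tty */`. `write_to_console` starts before the hunk.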
@@ -0,0 +1,48 @@ +From 80efb1da3f073daec9f84dd83571a7b98451f953 Mon Sep 17 00:00:00 2001 +From: 12paper <104864644+12paper@users.noreply.github.com> +Date: Sun, 10 Nov 2024 03:13:39 +0100 +Subject: [PATCH 0998/1160] login: fix session_kill(..., KILL_LEADER,...) + (#35105) + +`loginctl kill-session --kill-whom=leader ` (or the D-Bus equivalent) +doesn't work because logind ends up calling `KillUnit(..., "main", ...)` +on a scope unit and these don't have a `MainPID` property. Here, I just +make it send a signal to the `Leader` directly. + +(cherry picked from commit 8254755091847105c33e473c62cdc7621ed275bc) +(cherry picked from commit c89c5d04f33dbc5c6dfb67b8bc58cbd3d924b434) +--- + src/login/logind-session.c | 16 +++++++++++++--- + 1 file changed, 13 insertions(+), 3 deletions(-) + +diff --git a/src/login/logind-session.c b/src/login/logind-session.c +index 9e45e3fb12..1b21ab802e 100644 +--- a/src/login/logind-session.c ++++ b/src/login/logind-session.c +@@ -1336,10 +1336,20 @@ SessionState session_get_state(Session *s) { + int session_kill(Session *s, KillWho who, int signo) { + assert(s); + +- if (!s->scope) +- return -ESRCH; ++ switch (who) { ++ ++ case KILL_ALL: ++ if (!s->scope) ++ return -ESRCH; ++ ++ return manager_kill_unit(s->manager, s->scope, KILL_ALL, signo, NULL); + +- return manager_kill_unit(s->manager, s->scope, who, signo, NULL); ++ case KILL_LEADER: ++ return pidref_kill(&s->leader, signo); ++ ++ default: ++ assert_not_reached(); ++ } + } + + static int session_open_vt(Session *s, bool reopen) { +-- +2.33.0 + diff --git a/backport-login-user-runtime-dir-properly-check-for-mount-poin.patch b/backport-login-user-runtime-dir-properly-check-for-mount-poin.patch index 474737a..846644c 100644 --- a/backport-login-user-runtime-dir-properly-check-for-mount-poin.patch +++ b/backport-login-user-runtime-dir-properly-check-for-mount-poin.patch 
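Review bot: The new `KILL_LEADER` branch signals `s->leader` without checking that the PidRef is populated, while the `KILL_ALL` branch keeps its `!s->scope` guard; `pidref_kill()` presumably fails on an unset reference, but mirroring the guard keeps the error explicit and consistent: `if (!pidref_is_set(&s->leader)) return -ESRCH;` before the `pidref_kill()` call. Delivering the signal through the PidRef rather than a bare PID is the right choice, since a pidfd-backed reference cannot hit a recycled PID. `session_kill` is complete within the hunk.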
@@ -1,24 +1,19 @@ -From 4c3e455c093c274e3ccbc4662e47a72c3f43a34d Mon Sep 17 00:00:00 2001 +From 0ec2d29241b9d5d77630ba5ad7fa1cf4f632e1f6 Mon Sep 17 00:00:00 2001 From: Mike Yuan Date: Mon, 5 Feb 2024 04:53:14 +0800 -Subject: [PATCH] login/user-runtime-dir: properly check for mount point +Subject: [PATCH 0241/1160] login/user-runtime-dir: properly check for mount + point (cherry picked from commit 561d8793058bba886d71f96fa157ca77cd6b5c23) -(cherry picked from commit 0ec2d29241b9d5d77630ba5ad7fa1cf4f632e1f6) -(cherry picked from commit ad9eafcc8264976b762efe4d0ce70f924d2be0bc) - -Conflict:NA -Reference:https://github.com/systemd/systemd-stable/commit/4c3e455c093c274e3ccbc4662e47a72c3f43a34d - --- src/login/user-runtime-dir.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/login/user-runtime-dir.c b/src/login/user-runtime-dir.c -index f96a2d8662..c74d8b8d0e 100644 +index ed8a80e6ed..ad04b04df9 100644 --- a/src/login/user-runtime-dir.c +++ b/src/login/user-runtime-dir.c -@@ -66,7 +66,7 @@ static int user_mkdir_runtime_path( +@@ -67,7 +67,7 @@ static int user_mkdir_runtime_path( if (r < 0) return log_error_errno(r, "Failed to create /run/user: %m"); diff --git a/backport-loginctl-show-a-nicer-error-message-when-no-session-.patch b/backport-loginctl-show-a-nicer-error-message-when-no-session-.patch new file mode 100644 index 0000000..be0e960 --- /dev/null +++ b/backport-loginctl-show-a-nicer-error-message-when-no-session-.patch 
@@ -0,0 +1,77 @@ +From 125e202b898e70c520104ff05b65b9d38c57681f Mon Sep 17 00:00:00 2001 +From: Frantisek Sumsal +Date: Wed, 6 Dec 2023 11:03:06 +0100 +Subject: [PATCH 0001/1160] loginctl: show a nicer error message when no + session/seat is available + +When calling loginctl {seat,session}-status without arguments, show a nicer +error message in case there's no suitable session/seat attached to the calling +tty. + +Before: +~# loginctl seat-status +Could not get properties: Unknown object '/org/freedesktop/login1/seat/auto'. +~# systemd-run -q -t loginctl seat-status +Could not get properties: Unknown object '/org/freedesktop/login1/seat/auto'. +~# systemd-run -q -t loginctl session-status +Could not get properties: Unknown object '/org/freedesktop/login1/session/auto'. + +After: +~# build/loginctl seat-status +Failed to get path for seat 'auto': Session '1' has no seat. +~# systemd-run -q -t build/loginctl seat-status +Failed to get path for seat 'auto': Caller does not belong to any known session and doesn't own any suitable session. +~# systemd-run -q -t build/loginctl session-status +Failed to get path for session 'auto': Caller does not belong to any known session and doesn't own any suitable session. 
+ +Resolves: #25199 +(cherry picked from commit b28940ca10ff1223f42a9ffdf8acfa92eeb443a7) +--- + src/login/loginctl.c | 16 ++++++++++++++-- + 1 file changed, 14 insertions(+), 2 deletions(-) + +diff --git a/src/login/loginctl.c b/src/login/loginctl.c +index 3f8f1aa9be..7fc6efc9da 100644 +--- a/src/login/loginctl.c ++++ b/src/login/loginctl.c +@@ -992,11 +992,17 @@ static int show_session(int argc, char *argv[], void *userdata) { + pager_open(arg_pager_flags); + + if (argc <= 1) { ++ _cleanup_free_ char *path = NULL; ++ + /* If no argument is specified inspect the manager itself */ + if (properties) + return show_properties(bus, "/org/freedesktop/login1"); + +- return print_session_status_info(bus, "/org/freedesktop/login1/session/auto"); ++ r = get_bus_path_by_id(bus, "session", "GetSession", "auto", &path); ++ if (r < 0) ++ return r; ++ ++ return print_session_status_info(bus, path); + } + + for (int i = 1, first = true; i < argc; i++, first = false) { +@@ -1083,11 +1089,17 @@ static int show_seat(int argc, char *argv[], void *userdata) { + pager_open(arg_pager_flags); + + if (argc <= 1) { ++ _cleanup_free_ char *path = NULL; ++ + /* If no argument is specified inspect the manager itself */ + if (properties) + return show_properties(bus, "/org/freedesktop/login1"); + +- return print_seat_status_info(bus, "/org/freedesktop/login1/seat/auto"); ++ r = get_bus_path_by_id(bus, "seat", "GetSeat", "auto", &path); ++ if (r < 0) ++ return r; ++ ++ return print_seat_status_info(bus, path); + } + + for (int i = 1, first = true; i < argc; i++, first = false) { +-- +2.33.0 + diff --git a/backport-logind-Add-fallback-for-when-the-PIDFDs-property-is-.patch b/backport-logind-Add-fallback-for-when-the-PIDFDs-property-is-.patch new file mode 100644 index 0000000..0f9beb0 --- /dev/null +++ b/backport-logind-Add-fallback-for-when-the-PIDFDs-property-is-.patch 
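Review bot: The two new blocks in `show_session` and `show_seat` are identical apart from the `"session"`/`"GetSession"` and `"seat"`/`"GetSeat"` string pairs, and neither says why `"auto"` is resolved through `get_bus_path_by_id` instead of using the fixed object path as before. A one-line comment on each call, e.g. `/* Resolve "auto" via logind so a missing session/seat yields a descriptive error instead of "Unknown object" */`, ties the code to the behaviour change described in the commit message. Whether `get_bus_path_by_id` already logs on failure (the "Failed to get path for seat" lines in the commit message suggest it does) determines if the bare `return r;` is sufficient — confirm, as both enclosing functions start before and end after the hunks.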
@@ -0,0 +1,112 @@ +From 5810c25792d4268282dd3892af1a253b690423c9 Mon Sep 17 00:00:00 2001 +From: Daan De Meyer +Date: Thu, 21 Mar 2024 15:48:54 +0100 +Subject: [PATCH 0612/1160] logind: Add fallback for when the PIDFDs= property + is not available + +logind is not zero-downtime restartable yet, specifically it's not yet +restarted in the Fedora spec, so we can end up in situations where we're +running newer logind with older pid1 which doesn't know about the PIDFDs= +property, so let's make sure we have a fallback in place for when that +happens. + +(cherry picked from commit 8ba3efed8669639457fc9b482d61d87e77f79b33) +--- + src/login/logind-dbus.c | 27 +++++++++++++++++++++++++-- + src/login/logind-dbus.h | 14 +++++++++++++- + src/login/logind-session.c | 1 + + 3 files changed, 39 insertions(+), 3 deletions(-) + +diff --git a/src/login/logind-dbus.c b/src/login/logind-dbus.c +index be5d8861a5..6dbc3662e1 100644 +--- a/src/login/logind-dbus.c ++++ b/src/login/logind-dbus.c +@@ -4126,6 +4126,7 @@ int manager_start_scope( + Manager *manager, + const char *scope, + const PidRef *pidref, ++ bool allow_pidfd, + const char *slice, + const char *description, + char **wants, +@@ -4191,7 +4192,10 @@ int manager_start_scope( + if (r < 0) + return r; + +- r = bus_append_scope_pidref(m, pidref); ++ if (allow_pidfd) ++ r = bus_append_scope_pidref(m, pidref); ++ else ++ r = sd_bus_message_append(m, "(sv)", "PIDs", "au", 1, (uint32_t) pidref->pid); + if (r < 0) + return r; + +@@ -4222,8 +4226,27 @@ int manager_start_scope( + return r; + + r = sd_bus_call(manager->bus, m, 0, error, &reply); +- if (r < 0) ++ if (r < 0) { ++ /* If this failed with a property we couldn't write, this is quite likely because the server ++ * doesn't support PIDFDs yet, let's try without. 
*/ ++ if (allow_pidfd && ++ sd_bus_error_has_names(error, SD_BUS_ERROR_UNKNOWN_PROPERTY, SD_BUS_ERROR_PROPERTY_READ_ONLY)) ++ return manager_start_scope( ++ manager, ++ scope, ++ pidref, ++ /* allow_pidfd = */ false, ++ slice, ++ description, ++ wants, ++ after, ++ requires_mounts_for, ++ more_properties, ++ error, ++ job); ++ + return r; ++ } + + return strdup_job(reply, job); + } +diff --git a/src/login/logind-dbus.h b/src/login/logind-dbus.h +index c9d59231d4..72c8ec7584 100644 +--- a/src/login/logind-dbus.h ++++ b/src/login/logind-dbus.h +@@ -24,7 +24,19 @@ int match_reloading(sd_bus_message *message, void *userdata, sd_bus_error *error + + int manager_send_changed(Manager *manager, const char *property, ...) _sentinel_; + +-int manager_start_scope(Manager *manager, const char *scope, const PidRef *pidref, const char *slice, const char *description, char **wants, char **after, const char *requires_mounts_for, sd_bus_message *more_properties, sd_bus_error *error, char **job); ++int manager_start_scope( ++ Manager *manager, ++ const char *scope, ++ const PidRef *pidref, ++ bool allow_pidfd, ++ const char *slice, ++ const char *description, ++ char **wants, ++ char **after, ++ const char *requires_mounts_for, ++ sd_bus_message *more_properties, ++ sd_bus_error *error, ++ char **job); + int manager_start_unit(Manager *manager, const char *unit, sd_bus_error *error, char **job); + int manager_stop_unit(Manager *manager, const char *unit, const char *job_mode, sd_bus_error *error, char **job); + int manager_abandon_scope(Manager *manager, const char *scope, sd_bus_error *error); +diff --git a/src/login/logind-session.c b/src/login/logind-session.c +index 3988e553f3..9e45e3fb12 100644 +--- a/src/login/logind-session.c ++++ b/src/login/logind-session.c +@@ -686,6 +686,7 @@ static int session_start_scope(Session *s, sd_bus_message *properties, sd_bus_er + s->manager, + scope, + &s->leader, ++ /* allow_pidfd = */ true, + s->user->slice, + description, + /* These two have 
StopWhenUnneeded= set, hence add a dep towards them */ +-- +2.33.0 + diff --git a/backport-logind-Mark-LidClosed-property-as-emits-change.patch b/backport-logind-Mark-LidClosed-property-as-emits-change.patch new file mode 100644 index 0000000..76cef3f --- /dev/null +++ b/backport-logind-Mark-LidClosed-property-as-emits-change.patch 
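Review bot: The retry in `manager_start_scope` passes the same `error` object into a second `sd_bus_call()` while it still holds the UNKNOWN_PROPERTY/PROPERTY_READ_ONLY error from the first call; if `sd_bus_call()` rejects an already-populated `sd_bus_error` (as sd-bus entry points generally do), the fallback fails with -EINVAL and never reaches PID 1, so `sd_bus_error_free(error);` should precede the recursive call — confirm against `sd_bus_call()`'s contract. Separately, the fallback silently downgrades from a pidfd to a numeric PID in `PIDs=`, which reopens the PID-reuse window the `PIDFDs=` property exists to close; emitting `log_debug_errno(r, "PIDFDs= not supported by the service manager, falling back to PIDs=: %s", bus_error_message(error, r));` before clearing the error keeps that downgrade visible in logs. `manager_start_scope` starts before the hunk.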
@@ -0,0 +1,80 @@ +From b4381f9f89fb8ed3a9f59c57d3a3cfb2287c0447 Mon Sep 17 00:00:00 2001 +From: Carlos Garnacho +Date: Wed, 3 Jan 2024 13:51:02 +0100 +Subject: [PATCH 0142/1160] logind: Mark LidClosed property as "emits change" + +It may be useful for DEs to follow changes on this property, esp. now that +recent UPower has removed its own lid handling code. + +Related: https://gitlab.freedesktop.org/upower/upower/-/commit/07565ef6a1aa4a115f8ce51e259e408edbaed4cc +(cherry picked from commit 501d8b8bc6dbb58668d3165998bb5f61d48fb0f6) +--- + man/org.freedesktop.login1.xml | 1 - + src/login/logind-button.c | 4 ++++ + src/login/logind-dbus.c | 2 +- + 3 files changed, 5 insertions(+), 2 deletions(-) + +diff --git a/man/org.freedesktop.login1.xml b/man/org.freedesktop.login1.xml +index 877bf463a0..519a6862c4 100644 +--- a/man/org.freedesktop.login1.xml ++++ b/man/org.freedesktop.login1.xml +@@ -253,7 +253,6 @@ node /org/freedesktop/login1 { + readonly (st) ScheduledShutdown = ...; + @org.freedesktop.DBus.Property.EmitsChangedSignal("false") + readonly b Docked = ...; +- @org.freedesktop.DBus.Property.EmitsChangedSignal("false") + readonly b LidClosed = ...; + @org.freedesktop.DBus.Property.EmitsChangedSignal("false") + readonly b OnExternalPower = ...; +diff --git a/src/login/logind-button.c b/src/login/logind-button.c +index 7f95fa7a4f..14835aedc1 100644 +--- a/src/login/logind-button.c ++++ b/src/login/logind-button.c +@@ -11,6 +11,7 @@ + #include "async.h" + #include "fd-util.h" + #include "logind-button.h" ++#include "logind-dbus.h" + #include "missing_input.h" + #include "string-util.h" + +@@ -343,6 +344,7 @@ static int button_dispatch(sd_event_source *s, int fd, uint32_t revents, void *u + b->lid_closed = true; + button_lid_switch_handle_action(b->manager, true); + button_install_check_event_source(b); ++ manager_send_changed(b->manager, "LidClosed", NULL); + + } else if (ev.code == SW_DOCK) { + log_struct(LOG_INFO, +@@ -361,6 +363,7 @@ static int 
button_dispatch(sd_event_source *s, int fd, uint32_t revents, void *u + + b->lid_closed = false; + b->check_event_source = sd_event_source_unref(b->check_event_source); ++ manager_send_changed(b->manager, "LidClosed", NULL); + + } else if (ev.code == SW_DOCK) { + log_struct(LOG_INFO, +@@ -514,6 +517,7 @@ int button_check_switches(Button *b) { + + b->lid_closed = bitset_get(switches, SW_LID); + b->docked = bitset_get(switches, SW_DOCK); ++ manager_send_changed(b->manager, "LidClosed", NULL); + + if (b->lid_closed) + button_install_check_event_source(b); +diff --git a/src/login/logind-dbus.c b/src/login/logind-dbus.c +index 0263d7f837..ec1f2f3305 100644 +--- a/src/login/logind-dbus.c ++++ b/src/login/logind-dbus.c +@@ -3539,7 +3539,7 @@ static const sd_bus_vtable manager_vtable[] = { + SD_BUS_PROPERTY("PreparingForSleep", "b", property_get_preparing, 0, 0), + SD_BUS_PROPERTY("ScheduledShutdown", "(st)", property_get_scheduled_shutdown, 0, 0), + SD_BUS_PROPERTY("Docked", "b", property_get_docked, 0, 0), +- SD_BUS_PROPERTY("LidClosed", "b", property_get_lid_closed, 0, 0), ++ SD_BUS_PROPERTY("LidClosed", "b", property_get_lid_closed, 0, SD_BUS_VTABLE_PROPERTY_EMITS_CHANGE), + SD_BUS_PROPERTY("OnExternalPower", "b", property_get_on_external_power, 0, 0), + SD_BUS_PROPERTY("RemoveIPC", "b", bus_property_get_bool, offsetof(Manager, remove_ipc), SD_BUS_VTABLE_PROPERTY_CONST), + SD_BUS_PROPERTY("RuntimeDirectorySize", "t", NULL, offsetof(Manager, runtime_dir_size), SD_BUS_VTABLE_PROPERTY_CONST), +-- +2.33.0 + diff --git a/backport-logind-add-one-more-debug-log.patch b/backport-logind-add-one-more-debug-log.patch new file mode 100644 index 0000000..22fff19 --- /dev/null +++ b/backport-logind-add-one-more-debug-log.patch 
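Review bot: In `button_check_switches` the new `manager_send_changed(b->manager, "LidClosed", NULL);` runs on every invocation, even when `b->lid_closed` did not change, unlike the two `button_dispatch` sites that only fire on an actual SW_LID event; saving the previous value before the assignment and guarding with `if (b->lid_closed != old_lid_closed)` avoids spurious PropertiesChanged traffic to every subscriber. Also, `manager_send_changed` returns `int` (see the declaration in logind-dbus.h) and all three new calls drop the result without a `(void)` cast, which systemd code normally uses to mark an intentionally ignored return — confirm against this file's style. Both enclosing functions start outside the hunk.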
@@ -0,0 +1,31 @@
+From a2982084abf7e965a4d9af7a98bf4d563deca353 Mon Sep 17 00:00:00 2001
+From: Luca Boccassi
+Date: Mon, 20 May 2024 13:08:56 +0100
+Subject: [PATCH 0660/1160] logind: add one more debug log
+
+Helped track down issue with session tracking
+
+(cherry picked from commit c275e01d99acf502e32f442531902ea000dcd929)
+---
+ src/login/logind-dbus.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/src/login/logind-dbus.c b/src/login/logind-dbus.c
+index 5a442bdc2c..935e209375 100644
+--- a/src/login/logind-dbus.c
++++ b/src/login/logind-dbus.c
+@@ -846,7 +846,10 @@ static int create_session(
+ * which is a special PAM session that avoids creating a logind session. */
+ r = manager_get_user_by_pid(m, leader.pid, NULL);
+ if (r < 0)
+- return r;
++ return log_debug_errno(
++ r,
++ "Failed to check if process " PID_FMT " is already in a session: %m",
++ leader.pid);
+ if (r > 0)
+ return sd_bus_error_setf(error, BUS_ERROR_SESSION_BUSY,
+ "Already running in a session or user slice");
+--
+2.33.0
+
diff --git a/backport-logind-allow-read-write-to-char-hvc-devices.patch b/backport-logind-allow-read-write-to-char-hvc-devices.patch
new file mode 100644
index 0000000..23dea6a
--- /dev/null
+++ b/backport-logind-allow-read-write-to-char-hvc-devices.patch
@@ -0,0 +1,29 @@
+From ccb963233d9dc6db693b2206cd37bb9e3247e5ee Mon Sep 17 00:00:00 2001
+From: Luca Boccassi
+Date: Tue, 22 Oct 2024 17:04:41 +0100
+Subject: [PATCH 0967/1160] logind: allow read/write to char-hvc devices
+
+virtio console uses /dev/hvc* so we need access to write wall
+messages
+
+(cherry picked from commit 5ff6841c2378ed83e645681cbd4ee145f68d72b7)
+(cherry picked from commit 0852240f927f47100b61e3b33e34a0f74b0d6a90)
+---
+ units/systemd-logind.service.in | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/units/systemd-logind.service.in b/units/systemd-logind.service.in
+index 39dc0c2241..a04d0b22f3 100644
+--- a/units/systemd-logind.service.in
++++ b/units/systemd-logind.service.in
+@@ -27,6 +27,7 @@ CapabilityBoundingSet=CAP_SYS_ADMIN CAP_MAC_ADMIN CAP_AUDIT_CONTROL CAP_CHOWN CA
+ DeviceAllow=block-* r
+ DeviceAllow=char-/dev/console rw
+ DeviceAllow=char-drm rw
++DeviceAllow=char-hvc rw
+ DeviceAllow=char-input rw
+ DeviceAllow=char-tty rw
+ DeviceAllow=char-vcs rw
+--
+2.33.0
+
diff --git a/backport-logind-dbus-check-auth.-for-all-inhibitor-operations.patch b/backport-logind-dbus-check-auth.-for-all-inhibitor-operations.patch
new file mode 100644
index 0000000..6566e2a
--- /dev/null
+++ b/backport-logind-dbus-check-auth.-for-all-inhibitor-operations.patch
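Review bot: `DeviceAllow=char-hvc rw` grants read as well as write access, while the commit message only motivates writing wall messages to the virtio console; `DeviceAllow=char-hvc w` is the least-privilege form. Keeping `rw` mirrors the neighbouring `char-tty rw` and `char-/dev/console rw` entries, which is a defensible consistency choice, but then a comment on the line saying that hvc is the virtio console path used for wall messages would record why the sandbox was widened. Either way this is a device-ACL change of a long-running privileged service and deserves a mention in the package changelog.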
@@ -0,0 +1,80 @@ +From 76d1f0664cf47b657040343ddb20298b157f2724 Mon Sep 17 00:00:00 2001 +From: David Tardon +Date: Thu, 25 Jul 2024 09:47:56 +0200 +Subject: [PATCH 0802/1160] logind-dbus: check auth. for all inhibitor + operations + +Fixes #33834 + +(cherry picked from commit 639719e01065c3a2f557d70e4d8088c2ec71c7c6) +(cherry picked from commit b2df49a87b17ba79b6e97d87199ceb1e4cbdb5de) +--- + src/login/logind-dbus.c | 45 +++++++++++++++++++++++------------------ + 1 file changed, 25 insertions(+), 20 deletions(-) + +diff --git a/src/login/logind-dbus.c b/src/login/logind-dbus.c +index 935e209375..774c807ccb 100644 +--- a/src/login/logind-dbus.c ++++ b/src/login/logind-dbus.c +@@ -9,6 +9,7 @@ + + #include "alloc-util.h" + #include "audit-util.h" ++#include "bitfield.h" + #include "bootspec.h" + #include "bus-common-errors.h" + #include "bus-error.h" +@@ -3432,26 +3433,30 @@ static int method_inhibit(sd_bus_message *message, void *userdata, sd_bus_error + return sd_bus_error_setf(error, BUS_ERROR_OPERATION_IN_PROGRESS, + "The operation inhibition has been requested for is already running"); + +- r = bus_verify_polkit_async( +- message, +- CAP_SYS_BOOT, +- w == INHIBIT_SHUTDOWN ? (mm == INHIBIT_BLOCK ? "org.freedesktop.login1.inhibit-block-shutdown" : "org.freedesktop.login1.inhibit-delay-shutdown") : +- w == INHIBIT_SLEEP ? (mm == INHIBIT_BLOCK ? "org.freedesktop.login1.inhibit-block-sleep" : "org.freedesktop.login1.inhibit-delay-sleep") : +- w == INHIBIT_IDLE ? "org.freedesktop.login1.inhibit-block-idle" : +- w == INHIBIT_HANDLE_POWER_KEY ? "org.freedesktop.login1.inhibit-handle-power-key" : +- w == INHIBIT_HANDLE_SUSPEND_KEY ? "org.freedesktop.login1.inhibit-handle-suspend-key" : +- w == INHIBIT_HANDLE_REBOOT_KEY ? "org.freedesktop.login1.inhibit-handle-reboot-key" : +- w == INHIBIT_HANDLE_HIBERNATE_KEY ? 
"org.freedesktop.login1.inhibit-handle-hibernate-key" : +- "org.freedesktop.login1.inhibit-handle-lid-switch", +- NULL, +- false, +- UID_INVALID, +- &m->polkit_registry, +- error); +- if (r < 0) +- return r; +- if (r == 0) +- return 1; /* No authorization for now, but the async polkit stuff will call us again when it has it */ ++ BIT_FOREACH(i, w) { ++ const InhibitWhat v = 1U << i; ++ ++ r = bus_verify_polkit_async( ++ message, ++ CAP_SYS_BOOT, ++ v == INHIBIT_SHUTDOWN ? (mm == INHIBIT_BLOCK ? "org.freedesktop.login1.inhibit-block-shutdown" : "org.freedesktop.login1.inhibit-delay-shutdown") : ++ v == INHIBIT_SLEEP ? (mm == INHIBIT_BLOCK ? "org.freedesktop.login1.inhibit-block-sleep" : "org.freedesktop.login1.inhibit-delay-sleep") : ++ v == INHIBIT_IDLE ? "org.freedesktop.login1.inhibit-block-idle" : ++ v == INHIBIT_HANDLE_POWER_KEY ? "org.freedesktop.login1.inhibit-handle-power-key" : ++ v == INHIBIT_HANDLE_SUSPEND_KEY ? "org.freedesktop.login1.inhibit-handle-suspend-key" : ++ v == INHIBIT_HANDLE_REBOOT_KEY ? "org.freedesktop.login1.inhibit-handle-reboot-key" : ++ v == INHIBIT_HANDLE_HIBERNATE_KEY ? "org.freedesktop.login1.inhibit-handle-hibernate-key" : ++ "org.freedesktop.login1.inhibit-handle-lid-switch", ++ /* details= */ NULL, ++ false, ++ UID_INVALID, ++ &m->polkit_registry, ++ error); ++ if (r < 0) ++ return r; ++ if (r == 0) ++ return 1; /* No authorization for now, but the async polkit stuff will call us again when it has it */ ++ } + + r = sd_bus_query_sender_creds(message, SD_BUS_CREDS_EUID|SD_BUS_CREDS_PID, &creds); + if (r < 0) +-- +2.33.0 + diff --git a/backport-logind-do-not-fail-creating-a-session-when-request-i.patch b/backport-logind-do-not-fail-creating-a-session-when-request-i.patch new file mode 100644 index 0000000..9353b7d --- /dev/null +++ b/backport-logind-do-not-fail-creating-a-session-when-request-i.patch 
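Review bot: The ternary chain inside the new `BIT_FOREACH(i, w)` loop still ends in an unconditional fallback to `"org.freedesktop.login1.inhibit-handle-lid-switch"`, so now that every set bit is checked on its own, any InhibitWhat bit not named in the chain is authorized under the lid-switch action instead of being rejected. Making the last arm explicit, `v == INHIBIT_HANDLE_LID_SWITCH ? "org.freedesktop.login1.inhibit-handle-lid-switch" : NULL`, and returning `-EINVAL` (or `assert_not_reached()`) for a NULL action keeps a future bit from silently inheriting a weaker policy. The `r == 0` return inside the loop re-runs the whole loop when polkit calls back, which presumably relies on `bus_verify_polkit_async()` remembering completed authorizations in `m->polkit_registry`; a one-line comment above the loop saying so would help the next reader. method_inhibit starts and ends outside the hunk.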
@@ -0,0 +1,47 @@
+From 04a73fa1bcfd7bb42fd195bf1d1a3d3013acdf06 Mon Sep 17 00:00:00 2001
+From: Luca Boccassi
+Date: Mon, 20 May 2024 13:12:03 +0100
+Subject: [PATCH 0661/1160] logind: do not fail creating a session when request
+ is not from a unit
+
+When running inside an LXC container the 'su' process will not be part of
+any unit or slice.
+
+manager_get_user_by_pid() which was used until v255 (included) does not fail
+if it cannot find a unit/slice, but simply returns 'not found'. Do the same
+in manager_get_session_by_pidref().
+
+This was not detected as Semaphore CI does not reboot the testbed before
+the logind test, so the session is started by the old logind from the base
+distro, instead of the one being tested.
+
+Follow-up for 8494f562c8963d8a936b0598e23eab277ff29374
+Follow-up for 5099a50d4398e190387d204f5df81cc176bd33e2
+
+Fixes https://github.com/systemd/systemd/issues/32929
+
+(cherry picked from commit eb56b564a04b2c34a80bea9ede541c573fb41501)
+---
+ src/login/logind-core.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/src/login/logind-core.c b/src/login/logind-core.c
+index f15008e0df..c47f7f0d8b 100644
+--- a/src/login/logind-core.c
++++ b/src/login/logind-core.c
+@@ -366,10 +366,8 @@ int manager_get_session_by_pidref(Manager *m, const PidRef *pid, Session **ret)
+ return r;
+ } else {
+ r = cg_pidref_get_unit(pid, &unit);
+- if (r < 0)
+- return r;
+-
+- s = hashmap_get(m->session_units, unit);
++ if (r >= 0)
++ s = hashmap_get(m->session_units, unit);
+ }
+
+ if (ret)
+--
+2.33.0
+
diff --git a/backport-logind-group-policy-entries-by-interface.patch b/backport-logind-group-policy-entries-by-interface.patch
new file mode 100644
index 0000000..fcb9db6
--- /dev/null
+++ b/backport-logind-group-policy-entries-by-interface.patch
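Review bot: Every failure of `cg_pidref_get_unit()` is now treated as "not in a session" (`s` is assigned only when `r >= 0`), not just the not-in-a-unit case the commit message describes, so a transient `-ENOMEM` or a permission error quietly yields the same answer as a genuinely unit-less process. Consider narrowing the tolerated errors to the one that means "no unit" and logging the rest, e.g. `if (r < 0) log_debug_errno(r, "Failed to get unit of process, assuming no session: %m");` ahead of the lookup. The hunk also relies on `s` having been initialized to NULL earlier in manager_get_session_by_pidref, which starts and ends outside the hunk.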
@@ -0,0 +1,47 @@ +From 092f6b60ceb0b71b8b1d1529741f0d92fac57bcd Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Thu, 16 May 2024 17:57:28 +0200 +Subject: [PATCH 1041/1160] logind: group policy entries by interface + +(cherry picked from commit 337f74d7c0c548b12ea90610f99869383fd51876) +--- + src/login/org.freedesktop.login1.conf | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +diff --git a/src/login/org.freedesktop.login1.conf b/src/login/org.freedesktop.login1.conf +index 8ba094bcff..674a4e1aa6 100644 +--- a/src/login/org.freedesktop.login1.conf ++++ b/src/login/org.freedesktop.login1.conf +@@ -338,14 +338,6 @@ + send_interface="org.freedesktop.login1.Session" + send_member="SetBrightness"/> + +- +- +- +- + +@@ -354,6 +346,14 @@ + send_interface="org.freedesktop.login1.Session" + send_member="SetTTY"/> + ++ ++ ++ ++ + + + +-- +2.33.0 + diff --git a/backport-logind-let-system-wide-idle-begin-at-the-time-logind.patch b/backport-logind-let-system-wide-idle-begin-at-the-time-logind.patch index 37b7dc9..4d94dce 100644 --- a/backport-logind-let-system-wide-idle-begin-at-the-time-logind.patch +++ b/backport-logind-let-system-wide-idle-begin-at-the-time-logind.patch @@ -1,8 +1,8 @@ -From dcb86edde5ef3b70f68abb7ed8bb0be63f28485b Mon Sep 17 00:00:00 2001 +From cd6f07effafdcb9e1c903589a8cf398cd46b8acd Mon Sep 17 00:00:00 2001 From: Florian Schmaus Date: Sat, 16 Nov 2024 10:29:35 +0100 -Subject: [PATCH] logind: let system-wide idle begin at the time logind was - initialized +Subject: [PATCH 1059/1160] logind: let system-wide idle begin at the time + logind was initialized Initialize the start of the system-wide idle time with the time logind was initialized and not with the start of the Unix epoch. This means that systemd 
@@ -15,10 +15,6 @@ Fixes #35163 (cherry picked from commit 718b31138b9a93f262259f297ad6b521454decc6) (cherry picked from commit 9d36809256c6d92c6d8358769479ad2c2b695664) (cherry picked from commit 77b963c31712ef81786fcc6623fe1b10a46b62e0) -(cherry picked from commit cd6f07effafdcb9e1c903589a8cf398cd46b8acd) - -Conflict:NA -Reference:https://github.com/systemd/systemd-stable/commit/dcb86edde5ef3b70f68abb7ed8bb0be63f28485b --- src/login/logind-core.c | 6 +++++- src/login/logind.c | 2 ++ diff --git a/backport-logind-make-ReleaseSession-unprivileged-and-allow-cl.patch b/backport-logind-make-ReleaseSession-unprivileged-and-allow-cl.patch new file mode 100644 index 0000000..b6618ab --- /dev/null +++ b/backport-logind-make-ReleaseSession-unprivileged-and-allow-cl.patch 
@@ -0,0 +1,126 @@ +From 97ad9a336a7f121770e6b74e8411da7278847d4f Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Thu, 16 May 2024 17:06:24 +0200 +Subject: [PATCH 1042/1160] logind: make ReleaseSession "unprivileged" and + allow closing of own session + +Fixes https://github.com/systemd/systemd/issues/28514. + +Quoting https://github.com/systemd/systemd/issues/28514#issuecomment-1831781486: +> Whenever PAM is enabled for a service, we set up the PAM session and then +> fork off a process whose only job is to eventually close the PAM session when +> the service dies. That services we run with service privileges, both to +> minimize attack surface and because we want to use PR_SET_DEATHSIG to be get +> a notification via signal whenever the main process dies. But that only works +> if we have the same credentials as that main process. +> +> Now, if pam_systemd runs inside the PAM stack (which it normally does) it's +> session close hook will ask logind to synchronously end the session via a bus +> call. Currently that call is not accessible to unprivileged clients. And +> that's the part we need to relax: allow users to end their own sessions. + +The check is implemented in a way that allows the kill if the sender is in +the target session. + +I found 'sudo systemctl --user -M "zbyszek@" is-system-running' to +be a convenient reproducer. + +Before: +May 16 16:25:26 x1c systemd[1]: run-u24754.service: Deactivated successfully. +May 16 16:25:26 x1c dbus-broker[1489]: A security policy denied :1.24757 to send method call /org/freedesktop/login1:org.freedesktop.login1.Manager.ReleaseSession to org.freedesktop.login1. +May 16 16:25:26 x1c (sd-pam)[3036470]: pam_systemd(login:session): Failed to release session: Access denied +May 16 16:25:26 x1c systemd[1]: Stopping session-114.scope... +May 16 16:25:26 x1c systemd[1]: session-114.scope: Deactivated successfully. +May 16 16:25:26 x1c systemd[1]: Stopped session-114.scope. 
+May 16 16:25:26 x1c systemd[1]: session-c151.scope: Deactivated successfully. +May 16 16:25:26 x1c systemd-logind[1513]: Session c151 logged out. Waiting for processes to exit. +May 16 16:25:26 x1c systemd-logind[1513]: Removed session c151. +After: +May 16 17:02:15 x1c systemd[1]: run-u24770.service: Deactivated successfully. +May 16 17:02:15 x1c systemd[1]: Stopping session-115.scope... +May 16 17:02:15 x1c systemd[1]: session-c153.scope: Deactivated successfully. +May 16 17:02:15 x1c systemd[1]: session-115.scope: Deactivated successfully. +May 16 17:02:15 x1c systemd[1]: Stopped session-115.scope. +May 16 17:02:15 x1c systemd-logind[1513]: Session c153 logged out. Waiting for processes to exit. +May 16 17:02:15 x1c systemd-logind[1513]: Removed session c153. + +Edit: this seems to also fix https://github.com/systemd/systemd/issues/8598. +It seems that with the call to ReleaseSession, we wait for the pam session +close hooks to finish. I inserted a 'sleep(10)' after the call to ReleaseSession +in pam_systemd, and things block on that, nothing is killed prematurely. + +(cherry picked from commit fc0bb7ccc763ec79efe7a8a58220e9bc80f34f81) + +Resolves https://bugzilla.redhat.com/show_bug.cgi?id=2221337. 
+--- + man/org.freedesktop.login1.xml | 1 - + src/login/logind-dbus.c | 11 +++++++++-- + src/login/org.freedesktop.login1.conf | 4 ++++ + 3 files changed, 13 insertions(+), 3 deletions(-) + +diff --git a/man/org.freedesktop.login1.xml b/man/org.freedesktop.login1.xml +index 519a6862c4..06fa9c1298 100644 +--- a/man/org.freedesktop.login1.xml ++++ b/man/org.freedesktop.login1.xml +@@ -103,7 +103,6 @@ node /org/freedesktop/login1 { + out s seat_id, + out u vtnr, + out b existing); +- @org.freedesktop.systemd1.Privileged("true") + ReleaseSession(in s session_id); + ActivateSession(in s session_id); + ActivateSessionOnSeat(in s session_id, +diff --git a/src/login/logind-dbus.c b/src/login/logind-dbus.c +index 774c807ccb..85de3af380 100644 +--- a/src/login/logind-dbus.c ++++ b/src/login/logind-dbus.c +@@ -1116,7 +1116,7 @@ static int method_create_session_pidfd(sd_bus_message *message, void *userdata, + + static int method_release_session(sd_bus_message *message, void *userdata, sd_bus_error *error) { + Manager *m = ASSERT_PTR(userdata); +- Session *session; ++ Session *session, *sender_session; + const char *name; + int r; + +@@ -1130,6 +1130,13 @@ static int method_release_session(sd_bus_message *message, void *userdata, sd_bu + if (r < 0) + return r; + ++ r = get_sender_session(m, message, /* consult_display= */ false, error, &sender_session); ++ if (r < 0) ++ return r; ++ ++ if (session != sender_session) ++ return sd_bus_error_set(error, BUS_ERROR_NOT_IN_CONTROL, "You are not in control of this session"); ++ + r = session_release(session); + if (r < 0) + return r; +@@ -3666,7 +3673,7 @@ static const sd_bus_vtable manager_vtable[] = { + SD_BUS_ARGS("s", session_id), + SD_BUS_NO_RESULT, + method_release_session, +- 0), ++ SD_BUS_VTABLE_UNPRIVILEGED), + SD_BUS_METHOD_WITH_ARGS("ActivateSession", + SD_BUS_ARGS("s", session_id), + SD_BUS_NO_RESULT, +diff --git a/src/login/org.freedesktop.login1.conf b/src/login/org.freedesktop.login1.conf +index 674a4e1aa6..54a955f1e4 
100644 +--- a/src/login/org.freedesktop.login1.conf ++++ b/src/login/org.freedesktop.login1.conf +@@ -262,6 +262,10 @@ + send_interface="org.freedesktop.login1.Manager" + send_member="FlushDevices"/> + ++ ++ + +-- +2.33.0 + diff --git a/backport-logind-session-be-tolerant-if-we-failed-to-remove-le.patch b/backport-logind-session-be-tolerant-if-we-failed-to-remove-le.patch new file mode 100644 index 0000000..fe1dd58 --- /dev/null +++ b/backport-logind-session-be-tolerant-if-we-failed-to-remove-le.patch @@ -0,0 +1,30 @@ +From 5b03efe826d7daae675809639d7d4e64e8a1bd24 Mon Sep 17 00:00:00 2001 +From: Mike Yuan +Date: Tue, 26 Dec 2023 14:20:36 +0800 +Subject: [PATCH 0121/1160] logind-session: be tolerant if we failed to remove + leader from hashmap + +If something wrong happened before hashmap_put(), session_free() +may be called through gc logic, and the assertion is triggered. + +(cherry picked from commit 889975bb00a0db26a30bee967df319df7605fd95) +--- + src/login/logind-session.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/login/logind-session.c b/src/login/logind-session.c +index 3f5decd8d9..3988e553f3 100644 +--- a/src/login/logind-session.c ++++ b/src/login/logind-session.c +@@ -93,7 +93,7 @@ static void session_reset_leader(Session *s) { + if (!pidref_is_set(&s->leader)) + return; + +- assert_se(hashmap_remove_value(s->manager->sessions_by_leader, &s->leader, s)); ++ (void) hashmap_remove_value(s->manager->sessions_by_leader, &s->leader, s); + + return pidref_done(&s->leader); + } +-- +2.33.0 + diff --git a/backport-logind-use-handle_action_to_string-where-appropriate.patch b/backport-logind-use-handle_action_to_string-where-appropriate.patch new file mode 100644 index 0000000..c3d0b40 --- /dev/null +++ b/backport-logind-use-handle_action_to_string-where-appropriate.patch 
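Review bot: With `SD_BUS_VTABLE_UNPRIVILEGED` the only gate on ReleaseSession is the new `session != sender_session` comparison in method_release_session, which also refuses privileged callers that are not inside the target session; before this change such callers were admitted by the Privileged annotation, so the man page hunk should describe the new rule instead of only dropping `@org.freedesktop.systemd1.Privileged("true")`. If `get_sender_session()` can succeed with a NULL `sender_session` for a caller that has no session, the comparison still rejects, but the "You are not in control of this session" message is then misleading; if it returns an error, the `r < 0` path covers it. A comment such as `/* Only a caller from within the session may release it; no polkit action is consulted here. */` above the check would make the intended policy explicit. The `<allow>` entries added to org.freedesktop.login1.conf are not visible on this page, so their scope cannot be reviewed here.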
@@ -0,0 +1,47 @@ +From d46c4a7c64f0654fcee738ff51f9cb1c3101cf5d Mon Sep 17 00:00:00 2001 +From: Mike Yuan +Date: Mon, 1 Jan 2024 20:08:11 +0800 +Subject: [PATCH 0106/1160] logind: use handle_action_to_string where + appropriate + +Since 138224fc807091d31f19a3b22f066d6044626001, HandleActionData +records the corresponding HandleAction. Let's use it instead of +relying on inhibit_what when mapping to string. + +(cherry picked from commit a31222b232eb4312301b232a3f28f144ab144895) +--- + src/login/logind-action.c | 4 ++-- + src/login/logind-dbus.c | 2 +- + 2 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/src/login/logind-action.c b/src/login/logind-action.c +index e678edd66f..8269f52934 100644 +--- a/src/login/logind-action.c ++++ b/src/login/logind-action.c +@@ -165,8 +165,8 @@ static int handle_action_execute( + + if (m->delayed_action) + return log_debug_errno(SYNTHETIC_ERRNO(EALREADY), +- "Action already in progress (%s), ignoring requested %s operation.", +- inhibit_what_to_string(m->delayed_action->inhibit_what), ++ "Action %s already in progress, ignoring requested %s operation.", ++ handle_action_to_string(m->delayed_action->handle), + handle_action_to_string(handle)); + + inhibit_operation = handle_action_lookup(handle)->inhibit_what; +diff --git a/src/login/logind-dbus.c b/src/login/logind-dbus.c +index ae9b2cbf36..0263d7f837 100644 +--- a/src/login/logind-dbus.c ++++ b/src/login/logind-dbus.c +@@ -3964,7 +3964,7 @@ int match_job_removed(sd_bus_message *message, void *userdata, sd_bus_error *err + + if (m->action_job && streq(m->action_job, path)) { + assert(m->delayed_action); +- log_info("Operation '%s' finished.", inhibit_what_to_string(m->delayed_action->inhibit_what)); ++ log_info("Operation '%s' finished.", handle_action_to_string(m->delayed_action->handle)); + + /* Tell people that they now may take a lock again */ + (void) send_prepare_for(m, m->delayed_action, false); +-- +2.33.0 + 
diff --git a/backport-loop-util-fix-error-handling.patch b/backport-loop-util-fix-error-handling.patch
new file mode 100644
index 0000000..2edce1f
--- /dev/null
+++ b/backport-loop-util-fix-error-handling.patch
@@ -0,0 +1,28 @@
+From 9e35c1d66dfc3f3b8b67a6a5b3aa244236b04b8a Mon Sep 17 00:00:00 2001
+From: Yu Watanabe
+Date: Fri, 16 Feb 2024 00:16:00 +0900
+Subject: [PATCH 0318/1160] loop-util: fix error handling
+
+Follow-up for 972c8db589f1f031d1fbbe01d821ddb1795fe285.
+
+(cherry picked from commit 6383abd62c2810c43fae046ce0d97f8e27444fff)
+---
+ src/shared/loop-util.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/shared/loop-util.c b/src/shared/loop-util.c
+index b11e9268af..5860303896 100644
+--- a/src/shared/loop-util.c
++++ b/src/shared/loop-util.c
+@@ -708,7 +708,7 @@ int loop_device_make_by_path_at(
+ else
+ direct = direct_flags != 0;
+ if (fd < 0) {
+- r = -errno;
++ r = fd;
+
+ /* Retry read-only? */
+ if (open_flags >= 0 || !(ERRNO_IS_PRIVILEGE(r) || r == -EROFS))
+--
+2.33.0
+
diff --git a/backport-machine-GC-machine-when-no-leader-PID-is-set.patch b/backport-machine-GC-machine-when-no-leader-PID-is-set.patch
new file mode 100644
index 0000000..5fd559a
--- /dev/null
+++ b/backport-machine-GC-machine-when-no-leader-PID-is-set.patch
@@ -0,0 +1,41 @@
+From 19ffe2b0cb759861ae870ce4fdb3ec68d2470af5 Mon Sep 17 00:00:00 2001
+From: Yu Watanabe
+Date: Sat, 28 Dec 2024 11:38:24 +0900
+Subject: [PATCH 1074/1160] machine: GC machine when no leader PID is set
+
+After d8854ff1aca4434db0d7d6dcaf9fcf2f38105fb4, if a serialized
+leader PID of a machine is already dead when deserialized, then the
+leader PID and PIDFD are unset for the machine, and subsequent
+machine_start() -> machine_watch_pidfd() will trigger an assertion.
+This makes a Machine object without leader PID GCed.
+
+Fixes a bug introduced by the combination of
+d8854ff1aca4434db0d7d6dcaf9fcf2f38105fb4 (v255) and
+1762c2c045d3a78d3cad54c6b1e5ee9624b32b00 (v257).
+
+Fixes #35602.
+
+(cherry picked from commit 51a0a3b0494d01c1622f6d0c3e2c31e01c18612f)
+(cherry picked from commit 962bdd1d02df80a6e846a6426709624009c7d9d8)
+(cherry picked from commit 0df46d157a3ea6782f82cc60732fb577cbfeb925)
+---
+ src/machine/machine.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/machine/machine.c b/src/machine/machine.c
+index 44ff5c190b..642759ed75 100644
+--- a/src/machine/machine.c
++++ b/src/machine/machine.c
+@@ -540,6 +540,9 @@ bool machine_may_gc(Machine *m, bool drop_not_started) {
+ if (m->class == MACHINE_HOST)
+ return false;
+
++ if (!pidref_is_set(&m->leader))
++ return true;
++
+ if (drop_not_started && !m->started)
+ return true;
+
+--
+2.33.0
+
diff --git a/backport-machine-also-acquire-Image-object-from-cache-when-a-.patch b/backport-machine-also-acquire-Image-object-from-cache-when-a-.patch
new file mode 100644
index 0000000..334a9f8
--- /dev/null
+++ b/backport-machine-also-acquire-Image-object-from-cache-when-a-.patch
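Review bot: The new early return in machine_may_gc carries no comment, and the reason (a serialized leader that was already dead at deserialization leaves `m->leader` unset, and `machine_watch_pidfd()` would later assert) exists only in the commit message; add `/* A machine whose leader PID is unset (e.g. the leader died before we deserialized it) cannot be watched, hence garbage-collect it. */` above the check. Because the check precedes `drop_not_started`, a leaderless machine is collected regardless of `m->started`, which looks intended but is worth stating in that comment. The function begins outside the hunk.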
@@ -0,0 +1,60 @@ +From bf270a3b06eff023b13e252d1d9c1876449b79e1 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Sat, 18 May 2024 05:33:48 +0900 +Subject: [PATCH 0654/1160] machine: also acquire Image object from cache when + a dbus method in the main interface is called + +Previously, Image objects were only cached when reading properties or +methods in the org.freedesktop.machine1.Image interface are called. + +This makes that, when a method in the main interface (org.freedesktop.machine1) +for an image is called, also acquire the Image object from the cache, +and if not cached, create Image object and put into the cache, like we +do for org.freedesktop.machine1.Image. + +Otherwise, if some properties of an image are updated by methods in the main +interface, e.g. MarkImageReadOnly(), the changes do not applied to the cached +Image object, and subsequent read of proerties through the interface for the +image, e.g. ReadOnly property, may provide outdated values. + +Follow-up for 1ddb263d21099ae42195c2bc382bdf72a7f24f82. + +Fixes #32888. 
+ +(cherry picked from commit c6aeb9b596749b263145346c7fa2c6bf7fbd3867) +--- + src/machine/machined-dbus.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/src/machine/machined-dbus.c b/src/machine/machined-dbus.c +index 9fec047385..7f0f075ef7 100644 +--- a/src/machine/machined-dbus.c ++++ b/src/machine/machined-dbus.c +@@ -546,8 +546,8 @@ static int method_get_machine_uid_shift(sd_bus_message *message, void *userdata, + } + + static int redirect_method_to_image(sd_bus_message *message, Manager *m, sd_bus_error *error, sd_bus_message_handler_t method) { +- _cleanup_(image_unrefp) Image* i = NULL; + const char *name; ++ Image *i; + int r; + + assert(message); +@@ -561,13 +561,12 @@ static int redirect_method_to_image(sd_bus_message *message, Manager *m, sd_bus_ + if (!image_name_is_valid(name)) + return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Image name '%s' is invalid.", name); + +- r = image_find(IMAGE_MACHINE, name, NULL, &i); ++ r = manager_acquire_image(m, name, &i); + if (r == -ENOENT) + return sd_bus_error_setf(error, BUS_ERROR_NO_SUCH_IMAGE, "No image '%s' known", name); + if (r < 0) + return r; + +- i->userdata = m; + return method(message, i, error); + } + +-- +2.33.0 + diff --git a/backport-machine-fix-use-after-free-in-Rename-DBus-method.patch b/backport-machine-fix-use-after-free-in-Rename-DBus-method.patch new file mode 100644 index 0000000..636bc74 --- /dev/null +++ b/backport-machine-fix-use-after-free-in-Rename-DBus-method.patch 
@@ -0,0 +1,50 @@
+From c937169b0ef8403bb7a35741e2587dc5473601b8 Mon Sep 17 00:00:00 2001
+From: Yu Watanabe
+Date: Sat, 18 May 2024 06:14:50 +0900
+Subject: [PATCH 0655/1160] machine: fix use-after-free in Rename() DBus method
+
+Fixes a bug introduced by 1ddb263d21099ae42195c2bc382bdf72a7f24f82.
+
+Note, this requires the previous two commits, and cannot backport without them.
+
+Note, before the previous commit, the use-after-free could be triggered
+only by Rename() DBus method, and could not by RenameImage(), as we did not
+cache Image object when RenameImage() method is called. And machinectl
+always uses RenameImage(). Hence, the issue could be triggered only when
+Rename() DBus method is explicitly called by e.g. busctl.
+
+With the previous commit, the Image object passed to the function is
+always cached. Hence, the issue could be triggered even with machinectl
+command, and this fix is important.
+
+(cherry picked from commit 3b1b2d4e3d544c593399e914fd1c3a5f61d7e827)
+---
+ src/machine/image-dbus.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/src/machine/image-dbus.c b/src/machine/image-dbus.c
+index 16fca4f874..436f6b4fbb 100644
+--- a/src/machine/image-dbus.c
++++ b/src/machine/image-dbus.c
+@@ -133,9 +133,17 @@ int bus_image_method_rename(
+ if (r == 0)
+ return 1; /* Will call us back */
+
++ /* The image is cached with its name, hence it is necessary to remove from the cache before renaming. */
++ assert_se(hashmap_remove_value(m->image_cache, image->name, image));
++
+ r = image_rename(image, new_name);
+- if (r < 0)
++ if (r < 0) {
++ image_unref(image);
+ return r;
++ }
++
++ /* Then save the object again in the cache. */
++ assert_se(hashmap_put(m->image_cache, image->name, image) > 0);
+
+ return sd_bus_reply_method_return(message, NULL);
+ }
+--
+2.33.0
+
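Review bot: `assert_se(hashmap_put(m->image_cache, image->name, image) > 0)` aborts machined on any non-positive return, and if the cache can already hold an entry for `new_name` (an image that was deleted or renamed on disk after being cached, so `image_rename()` sees no conflict) `hashmap_put` returns `-EEXIST` and a D-Bus method call becomes a daemon crash. Handle it like the error path just above instead — `r = hashmap_put(m->image_cache, image->name, image); if (r < 0) { image_unref(image); return r; }` — or evict a stale entry under the new name before re-inserting. The `image_unref(image)` on the failure path is right because `hashmap_remove_value` just dropped the cache's reference, but a comment stating that the caller-supplied `image` is cache-owned would make that hand-off readable. bus_image_method_rename begins outside the hunk.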
diff --git a/backport-machine-id-setup-Generate-stable-machine-IDs-based-o.patch b/backport-machine-id-setup-Generate-stable-machine-IDs-based-o.patch
new file mode 100644
index 0000000..a053d82
--- /dev/null
+++ b/backport-machine-id-setup-Generate-stable-machine-IDs-based-o.patch
@@ -0,0 +1,28 @@
+From 907feccab12745f5983523b756bcdcd7e623889c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Rafa=C3=ABl=20Kooi?=
+ <48814281+RA-Kooi@users.noreply.github.com>
+Date: Mon, 22 Jan 2024 17:13:21 +0100
+Subject: [PATCH 0203/1160] machine-id-setup: Generate stable machine IDs based
+ on Xen hypervisor UUID
+
+(cherry picked from commit 98d550baa9086a0c5d531a67d263357270ebadf0)
+---
+ src/shared/machine-id-setup.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/shared/machine-id-setup.c b/src/shared/machine-id-setup.c
+index d6aa667ada..3efba0365a 100644
+--- a/src/shared/machine-id-setup.c
++++ b/src/shared/machine-id-setup.c
+@@ -78,7 +78,7 @@ static int generate_machine_id(const char *root, sd_id128_t *ret) {
+ return 0;
+ }
+
+- } else if (IN_SET(detect_vm(), VIRTUALIZATION_KVM, VIRTUALIZATION_AMAZON, VIRTUALIZATION_QEMU)) {
++ } else if (IN_SET(detect_vm(), VIRTUALIZATION_KVM, VIRTUALIZATION_AMAZON, VIRTUALIZATION_QEMU, VIRTUALIZATION_XEN)) {
+
+ /* If we are not running in a container, see if we are running in a VM that provides
+ * a system UUID via the SMBIOS/DMI interfaces. Such environments include QEMU/KVM
+--
+2.33.0
+
diff --git a/backport-machine-id-setup-bhyve-also-provides-a-uuid.patch b/backport-machine-id-setup-bhyve-also-provides-a-uuid.patch
new file mode 100644
index 0000000..edbe4ed
--- /dev/null
+++ b/backport-machine-id-setup-bhyve-also-provides-a-uuid.patch
@@ -0,0 +1,31 @@
+From 4c702186cb92255380713f0e6ed10e3e7f6d1c6a Mon Sep 17 00:00:00 2001
+From: Dan McGregor
+Date: Thu, 27 Feb 2025 16:18:23 -0600
+Subject: [PATCH 1142/1160] machine-id-setup: bhyve also provides a uuid
+
+When using UEFI with bhyve it behaves similarly to qemu, and provides
+a product_uuid. Use it if found, just like with qemu.
+
+(cherry picked from commit 113c159ba9c4e8052ae162e12faba28b102a90d0)
+(cherry picked from commit 4cdaff292c8918511b88d9a05a4111c366702c3c)
+(cherry picked from commit ebdb1df19e34b02a32e1b67cf06a4fa3935cb569)
+---
+ src/shared/machine-id-setup.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/shared/machine-id-setup.c b/src/shared/machine-id-setup.c
+index 3efba0365a..f46de141ab 100644
+--- a/src/shared/machine-id-setup.c
++++ b/src/shared/machine-id-setup.c
+@@ -78,7 +78,7 @@ static int generate_machine_id(const char *root, sd_id128_t *ret) {
+ return 0;
+ }
+
+- } else if (IN_SET(detect_vm(), VIRTUALIZATION_KVM, VIRTUALIZATION_AMAZON, VIRTUALIZATION_QEMU, VIRTUALIZATION_XEN)) {
++ } else if (IN_SET(detect_vm(), VIRTUALIZATION_KVM, VIRTUALIZATION_AMAZON, VIRTUALIZATION_QEMU, VIRTUALIZATION_XEN, VIRTUALIZATION_BHYVE)) {
+
+ /* If we are not running in a container, see if we are running in a VM that provides
+ * a system UUID via the SMBIOS/DMI interfaces. Such environments include QEMU/KVM
+--
+2.33.0
+
diff --git a/backport-machine-resolve-race-condition-in-TEST-13-NSPAWN.mac.patch b/backport-machine-resolve-race-condition-in-TEST-13-NSPAWN.mac.patch
new file mode 100644
index 0000000..ef68f5b
--- /dev/null
+++ b/backport-machine-resolve-race-condition-in-TEST-13-NSPAWN.mac.patch
@@ -0,0 +1,45 @@ +From b71956482c990c10f69fa242a6f6cbd1e4f12189 Mon Sep 17 00:00:00 2001 +From: Ivan Kruglov +Date: Fri, 20 Sep 2024 12:20:53 +0200 +Subject: [PATCH 0887/1160] machine: resolve race condition in + TEST-13-NSPAWN.machinectl.sh + +I encountered this race condition while working on TEST-13-NSPAWN.varlinkctl.sh. +The long-running machine's init script sometimes does not have time to start and +register signals. As result, occasiounally failed tests. + +(cherry picked from commit e826a8bed447f3b3f9ad487f96ab7f8c7620c75b) +(cherry picked from commit 0cd10d410b49303894c48521c0629b97e72b43bc) +--- + test/units/testsuite-13.machinectl.sh | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/test/units/testsuite-13.machinectl.sh b/test/units/testsuite-13.machinectl.sh +index 04e6fdc67c..15a83d0330 100755 +--- a/test/units/testsuite-13.machinectl.sh ++++ b/test/units/testsuite-13.machinectl.sh +@@ -44,12 +44,21 @@ trap 'kill $PID' EXIT + # We need to wait for the sleep process asynchronously in order to allow + # bash to process signals + sleep infinity & ++ ++# notify that the process is ready ++touch /ready ++ + PID=$! + while :; do + wait || : + done + EOF ++ ++rm -f /var/lib/machines/long-running/ready + machinectl start long-running ++# !!!! DO NOT REMOVE THIS TEST ++# The test makes sure that the long-running's init script has enough time to start and registered signal traps ++timeout 10 bash -c "until test -e /var/lib/machines/long-running/ready; do sleep .5; done" + + machinectl + machinectl --no-pager --help +-- +2.33.0 + diff --git a/backport-machine-split-out-manager_acquire_image-from-image_o.patch b/backport-machine-split-out-manager_acquire_image-from-image_o.patch new file mode 100644 index 0000000..171259c --- /dev/null +++ b/backport-machine-split-out-manager_acquire_image-from-image_o.patch 
@@ -0,0 +1,132 @@ +From aa6822f2bdca04feb0f3d7224da2d29b02578fb9 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Sat, 18 May 2024 05:31:16 +0900 +Subject: [PATCH 0653/1160] machine: split out manager_acquire_image() from + image_object_find() + +Preparation for the next commit. No functional change. + +(cherry picked from commit 6d917da1409eae3b6988ed56cc4812252058ecdb) +--- + src/machine/image-dbus.c | 69 +++++++++++++++++++++++++--------------- + src/machine/image-dbus.h | 2 ++ + 2 files changed, 45 insertions(+), 26 deletions(-) + +diff --git a/src/machine/image-dbus.c b/src/machine/image-dbus.c +index aa4525ddbd..16fca4f874 100644 +--- a/src/machine/image-dbus.c ++++ b/src/machine/image-dbus.c +@@ -393,30 +393,17 @@ static int image_flush_cache(sd_event_source *s, void *userdata) { + return 0; + } + +-static int image_object_find(sd_bus *bus, const char *path, const char *interface, void *userdata, void **found, sd_bus_error *error) { +- _cleanup_free_ char *e = NULL; +- Manager *m = userdata; +- Image *image = NULL; +- const char *p; ++int manager_acquire_image(Manager *m, const char *name, Image **ret) { + int r; + +- assert(bus); +- assert(path); +- assert(interface); +- assert(found); ++ assert(m); ++ assert(name); + +- p = startswith(path, "/org/freedesktop/machine1/image/"); +- if (!p) ++ Image *existing = hashmap_get(m->image_cache, name); ++ if (existing) { ++ if (ret) ++ *ret = existing; + return 0; +- +- e = bus_label_unescape(p); +- if (!e) +- return -ENOMEM; +- +- image = hashmap_get(m->image_cache, e); +- if (image) { +- *found = image; +- return 1; + } + + if (!m->image_cache_defer_event) { +@@ -433,19 +420,49 @@ static int image_object_find(sd_bus *bus, const char *path, const char *interfac + if (r < 0) + return r; + +- r = image_find(IMAGE_MACHINE, e, NULL, &image); +- if (r == -ENOENT) +- return 0; ++ _cleanup_(image_unrefp) Image *image = NULL; ++ r = image_find(IMAGE_MACHINE, name, NULL, &image); + if (r < 0) + return r; + + 
image->userdata = m; + + r = hashmap_ensure_put(&m->image_cache, &image_hash_ops, image->name, image); +- if (r < 0) { +- image_unref(image); ++ if (r < 0) ++ return r; ++ ++ if (ret) ++ *ret = image; ++ ++ TAKE_PTR(image); ++ return 0; ++} ++ ++static int image_object_find(sd_bus *bus, const char *path, const char *interface, void *userdata, void **found, sd_bus_error *error) { ++ _cleanup_free_ char *e = NULL; ++ Manager *m = userdata; ++ Image *image; ++ const char *p; ++ int r; ++ ++ assert(bus); ++ assert(path); ++ assert(interface); ++ assert(found); ++ ++ p = startswith(path, "/org/freedesktop/machine1/image/"); ++ if (!p) ++ return 0; ++ ++ e = bus_label_unescape(p); ++ if (!e) ++ return -ENOMEM; ++ ++ r = manager_acquire_image(m, e, &image); ++ if (r == -ENOENT) ++ return 0; ++ if (r < 0) + return r; +- } + + *found = image; + return 1; +diff --git a/src/machine/image-dbus.h b/src/machine/image-dbus.h +index 4b00203bff..0c4fab1b0a 100644 +--- a/src/machine/image-dbus.h ++++ b/src/machine/image-dbus.h +@@ -2,10 +2,12 @@ + #pragma once + + #include "bus-object.h" ++#include "discover-image.h" + #include "machined.h" + + extern const BusObjectImplementation image_object; + ++int manager_acquire_image(Manager *m, const char *name, Image **ret); + char *image_bus_path(const char *name); + + int bus_image_method_remove(sd_bus_message *message, void *userdata, sd_bus_error *error); +-- +2.33.0 + diff --git a/backport-macro-terminate-the-temporary-VA_ARGS_FOREACH-array-.patch b/backport-macro-terminate-the-temporary-VA_ARGS_FOREACH-array-.patch new file mode 100644 index 0000000..e28fb7b --- /dev/null +++ b/backport-macro-terminate-the-temporary-VA_ARGS_FOREACH-array-.patch 
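Review bot: manager_acquire_image() hands back a pointer owned by m->image_cache — the new code stores the Image in the cache and then TAKE_PTR()s it — and that cache appears to be flushed by the deferred image_flush_cache() event armed a few lines earlier, so the pointer is only valid until the flush fires; neither the new function nor its declaration in image-dbus.h says so. Suggest a comment on the declaration: `/* Returns a borrowed Image owned by m->image_cache; valid only until image_flush_cache() runs, i.e. not across event-loop iterations. */`. Also, unlike image_object_find(), the new helper propagates -ENOENT from image_find() instead of mapping it to 0, which every future caller must translate the way the D-Bus lookup does here; a one-line note on that would keep a plain "not found" from turning into an error reply.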
@@ -0,0 +1,70 @@ +From 0ddd788136622da3320e43aaa5005b0a68c89137 Mon Sep 17 00:00:00 2001 +From: Frantisek Sumsal +Date: Wed, 17 Jan 2024 13:11:14 +0100 +Subject: [PATCH 0165/1160] macro: terminate the temporary VA_ARGS_FOREACH() + array with a sentinel +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +So gcc-14 doesn't complain we're out of bounds on the last iteration: + +[2092/2414] Compiling C object test-macro.p/src_test_test-macro.c.o +In file included from ../src/basic/list.h:209, + from ../src/basic/log.h:10, + from ../src/test/test-macro.c:5: +../src/test/test-macro.c: In function ‘test_FOREACH_VA_ARGS’: +../src/basic/macro.h:395:90: warning: array subscript 1 is outside array bounds of ‘uint8_t[1]’ {aka ‘unsigned char[1]’} [-Warray-bounds=] + 395 | ((long)(_current_ - _entries_) < (long)ELEMENTSOF(_entries_)) && ({ entry = *_current_; true; }); \ +../src/basic/macro.h:392:9: note: in expansion of macro ‘_VA_ARGS_FOREACH’ + 392 | _VA_ARGS_FOREACH(entry, UNIQ_T(_entries_, UNIQ), UNIQ_T(_current_, UNIQ), ##__VA_ARGS__) + | ^~~~~~~~~~~~~~~~ +../src/test/test-macro.c:322:9: note: in expansion of macro ‘VA_ARGS_FOREACH’ + 322 | VA_ARGS_FOREACH(u8, 0) { + | ^~~~~~~~~~~~~~~ +../src/fundamental/macro-fundamental.h:163:37: note: at offset 1 into object ‘__unique_prefix__entries_181’ of size 1 + 163 | #define UNIQ_T(x, uniq) CONCATENATE(__unique_prefix_, CONCATENATE(x, uniq)) + | ^~~~~~~~~~~~~~~~ +../src/basic/macro.h:394:28: note: in definition of macro ‘_VA_ARGS_FOREACH’ + 394 | for (typeof(entry) _entries_[] = { __VA_ARGS__ }, *_current_ = _entries_; \ + | ^~~~~~~~~ +../src/fundamental/macro-fundamental.h:109:27: note: in expansion of macro ‘XCONCATENATE’ + 109 | #define CONCATENATE(x, y) XCONCATENATE(x, y) + | ^~~~~~~~~~~~ +../src/fundamental/macro-fundamental.h:163:25: note: in expansion of macro ‘CONCATENATE’ + 163 | #define UNIQ_T(x, uniq) CONCATENATE(__unique_prefix_, CONCATENATE(x, uniq)) + | ^~~~~~~~~~~ 
+../src/basic/macro.h:392:33: note: in expansion of macro ‘UNIQ_T’ + 392 | _VA_ARGS_FOREACH(entry, UNIQ_T(_entries_, UNIQ), UNIQ_T(_current_, UNIQ), ##__VA_ARGS__) + | ^~~~~~ +../src/test/test-macro.c:322:9: note: in expansion of macro ‘VA_ARGS_FOREACH’ + 322 | VA_ARGS_FOREACH(u8, 0) { + | ^~~~~~~~~~~~~~~ + +(cherry picked from commit dc571cccd75db7be49b2aada64baf92e3a498c39) +--- + src/basic/macro.h | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/src/basic/macro.h b/src/basic/macro.h +index d3eb980abd..d63aa816cc 100644 +--- a/src/basic/macro.h ++++ b/src/basic/macro.h +@@ -383,10 +383,10 @@ assert_cc(sizeof(dummy_t) == 0); + /* Iterate through each variadic arg. All must be the same type as 'entry' or must be implicitly + * convertible. The iteration variable 'entry' must already be defined. */ + #define VA_ARGS_FOREACH(entry, ...) \ +- _VA_ARGS_FOREACH(entry, UNIQ_T(_entries_, UNIQ), UNIQ_T(_current_, UNIQ), ##__VA_ARGS__) +-#define _VA_ARGS_FOREACH(entry, _entries_, _current_, ...) \ +- for (typeof(entry) _entries_[] = { __VA_ARGS__ }, *_current_ = _entries_; \ +- ((long)(_current_ - _entries_) < (long)ELEMENTSOF(_entries_)) && ({ entry = *_current_; true; }); \ ++ _VA_ARGS_FOREACH(entry, UNIQ_T(_entries_, UNIQ), UNIQ_T(_current_, UNIQ), UNIQ_T(_va_sentinel_, UNIQ), ##__VA_ARGS__) ++#define _VA_ARGS_FOREACH(entry, _entries_, _current_, _va_sentinel_, ...) \ ++ for (typeof(entry) _va_sentinel_[1] = {}, _entries_[] = { __VA_ARGS__ __VA_OPT__(,) _va_sentinel_[0] }, *_current_ = _entries_; \ ++ ((long)(_current_ - _entries_) < (long)(ELEMENTSOF(_entries_) - 1)) && ({ entry = *_current_; true; }); \ + _current_++) + + #include "log.h" +-- +2.33.0 + diff --git a/backport-main-pass-the-right-error-variable.patch b/backport-main-pass-the-right-error-variable.patch index 117d28a..8eb036e 100644 --- a/backport-main-pass-the-right-error-variable.patch +++ b/backport-main-pass-the-right-error-variable.patch 
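Review bot: The sentinel exists only to keep gcc 14's -Warray-bounds quiet, and the loop bound `ELEMENTSOF(_entries_) - 1` silently depends on it always being the last element; nothing in the macro says so, and the added `__VA_OPT__(,)` also raises the compiler floor to GCC 8 / Clang 6 if the project did not already require that. A comment above _VA_ARGS_FOREACH would protect both invariants, e.g. `/* _va_sentinel_ pads the array by one zeroed element so the final _current_++ stays in bounds for gcc -Warray-bounds; it is never visited, hence the -1 in the bound */`. The macro is shown in full, but whether the tree already asserts a GCC >= 8 minimum is outside this hunk.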
@@ -1,17 +1,18 @@ -From 56d0ed476290b51d8e3eb305a8fbfdfe7a873be8 Mon Sep 17 00:00:00 2001 -From: rpm-build -Date: Tue, 21 May 2024 16:58:39 +0800 -Subject: [PATCH] main: pass the right error variable +From 01dce7e5b40daec227ecc33872b3b533748167db Mon Sep 17 00:00:00 2001 +From: David Tardon +Date: Tue, 7 May 2024 13:18:10 +0200 +Subject: [PATCH 0594/1160] main: pass the right error variable +(cherry picked from commit ac10f7e28c03c05451547e36eeb9b5c19df0ed34) --- src/core/main.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/core/main.c b/src/core/main.c -index 534c14a..a63e954 100644 +index 1ed968d139..1c0030a75f 100644 --- a/src/core/main.c +++ b/src/core/main.c -@@ -2517,7 +2517,7 @@ static void setenv_manager_environment(void) { +@@ -2493,7 +2493,7 @@ static void setenv_manager_environment(void) { r = putenv_dup(*p, true); if (r < 0) @@ -21,5 +22,5 @@ index 534c14a..a63e954 100644 } -- -2.27.0 +2.33.0 diff --git a/backport-manager-add-list-of-subscribers-to-dump-info.patch b/backport-manager-add-list-of-subscribers-to-dump-info.patch new file mode 100644 index 0000000..76ed51d --- /dev/null +++ b/backport-manager-add-list-of-subscribers-to-dump-info.patch 
@@ -0,0 +1,31 @@ +From cc110c0ce654653765cbdbe7799b9f09d8bf23f7 Mon Sep 17 00:00:00 2001 +From: Ronan Pigott +Date: Thu, 28 Nov 2024 12:52:45 -0700 +Subject: [PATCH 1056/1160] manager: add list of subscribers to dump info + +This is handy for debugging. + +(cherry picked from commit 91713841491d0d4775566ed59f621f0f9a2413b5) +(cherry picked from commit bcf740e4a3caa32b3a920512833b68fc6d530125) +(cherry picked from commit 0a4a3a8e3f8c2daedabba8ac0d785da55263467b) +--- + src/core/manager-dump.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/src/core/manager-dump.c b/src/core/manager-dump.c +index 6c32d78f3f..57c3768556 100644 +--- a/src/core/manager-dump.c ++++ b/src/core/manager-dump.c +@@ -77,6 +77,9 @@ static void manager_dump_header(Manager *m, FILE *f, const char *prefix) { + timestamp_is_set(t->realtime) ? FORMAT_TIMESTAMP(t->realtime) : + FORMAT_TIMESPAN(t->monotonic, 1)); + } ++ ++ for (const char *n = sd_bus_track_first(m->subscribed); n; n = sd_bus_track_next(m->subscribed)) ++ fprintf(f, "%sSubscribed: %s\n", strempty(prefix), n); + } + + void manager_dump(Manager *m, FILE *f, char **patterns, const char *prefix) { +-- +2.33.0 + diff --git a/backport-manager-pass-the-right-error-variable.patch b/backport-manager-pass-the-right-error-variable.patch new file mode 100644 index 0000000..f9ee65d --- /dev/null +++ b/backport-manager-pass-the-right-error-variable.patch 
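Review bot: The loop only works if sd_bus_track_first()/sd_bus_track_next() tolerate a NULL track, because m->subscribed is presumably allocated lazily on the first Subscribe() call; as far as I recall libsystemd does return NULL for a NULL track, but that guarantee is not stated here, so anyone auditing the dump path has to go and check. Suggest `/* m->subscribed may be NULL until the first Subscribe(); sd_bus_track_first() handles that. */` above the loop. Note also that the dump now includes peers' unique bus names, which is fine for debugging but is one more line that differs between runs if anyone diffs dumps.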
@@ -0,0 +1,51 @@ +From d2d9d6631cb41b43b2ae077620d4f6f60247053c Mon Sep 17 00:00:00 2001 +From: David Tardon +Date: Tue, 7 May 2024 13:29:30 +0200 +Subject: [PATCH 0597/1160] manager: pass the right error variable + +(cherry picked from commit af1690cfccceb7e7553f6f842a201be4ebcbbd27) +--- + src/core/manager.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/src/core/manager.c b/src/core/manager.c +index 88eebfc626..30cd8bcbea 100644 +--- a/src/core/manager.c ++++ b/src/core/manager.c +@@ -1236,13 +1236,13 @@ static int manager_setup_user_lookup_fd(Manager *m) { + if (!m->user_lookup_event_source) { + r = sd_event_add_io(m->event, &m->user_lookup_event_source, m->user_lookup_fds[0], EPOLLIN, manager_dispatch_user_lookup_fd, m); + if (r < 0) +- return log_error_errno(errno, "Failed to allocate user lookup event source: %m"); ++ return log_error_errno(r, "Failed to allocate user lookup event source: %m"); + + /* Process even earlier than the notify event source, so that we always know first about valid UID/GID + * resolutions */ + r = sd_event_source_set_priority(m->user_lookup_event_source, SD_EVENT_PRIORITY_NORMAL-11); + if (r < 0) +- return log_error_errno(errno, "Failed to set priority of user lookup event source: %m"); ++ return log_error_errno(r, "Failed to set priority of user lookup event source: %m"); + + (void) sd_event_source_set_description(m->user_lookup_event_source, "user-lookup"); + } +@@ -2986,7 +2986,7 @@ static int manager_dispatch_signal_fd(sd_event_source *source, int fd, uint32_t + + r = manager_get_dump_string(m, /* patterns= */ NULL, &dump); + if (r < 0) { +- log_warning_errno(errno, "Failed to acquire manager dump: %m"); ++ log_warning_errno(r, "Failed to acquire manager dump: %m"); + break; + } + +@@ -3077,7 +3077,7 @@ static int manager_dispatch_signal_fd(sd_event_source *source, int fd, uint32_t + + r = manager_get_dump_jobs_string(m, /* patterns= */ NULL, " ", &dump_jobs); + if (r < 0) { +- 
log_warning_errno(errno, "Failed to acquire manager jobs dump: %m"); ++ log_warning_errno(r, "Failed to acquire manager jobs dump: %m"); + break; + } + +-- +2.33.0 + diff --git a/backport-meson-Add-missing-dbus_programs-dependency-on-update.patch b/backport-meson-Add-missing-dbus_programs-dependency-on-update.patch new file mode 100644 index 0000000..c79a95f --- /dev/null +++ b/backport-meson-Add-missing-dbus_programs-dependency-on-update.patch @@ -0,0 +1,33 @@ +From bf899b73cfe66b5688604e22dbdc79c701b20e39 Mon Sep 17 00:00:00 2001 +From: Daan De Meyer +Date: Wed, 26 Feb 2025 22:06:41 +0100 +Subject: [PATCH 1140/1160] meson: Add missing dbus_programs dependency on + update-dbus-docs + +All dbus programs have to be up-to-date for update-dbus-docs to +produce the expected output, so add the missing dependency. + +(cherry picked from commit 461bd9277a69833a534518c263d00443f2f6fbf4) +(cherry picked from commit cd727da491f0715995f06f3ad7e6e2ec2ab2e44a) +(cherry picked from commit c5e562c8eeb81f9573bd14446ad77c43f5b73d7a) +--- + man/meson.build | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/man/meson.build b/man/meson.build +index 403098a814..0e70d9bad8 100644 +--- a/man/meson.build ++++ b/man/meson.build +@@ -218,7 +218,8 @@ update_dbus_docs = custom_target( + 'update-dbus-docs-impl', + output : 'update-dbus-docs', + command : [update_dbus_docs_py, '--build-dir', project_build_root, '@INPUT@'], +- input : dbus_docs) ++ input : dbus_docs, ++ depends : dbus_programs) + + if conf.get('BUILD_MODE_DEVELOPER') == 1 + test('dbus-docs-fresh', +-- +2.33.0 + diff --git a/backport-meson-Define-__TARGET_ARCH-macros-required-by-bpf.patch b/backport-meson-Define-__TARGET_ARCH-macros-required-by-bpf.patch new file mode 100644 index 0000000..7882b3b --- /dev/null +++ b/backport-meson-Define-__TARGET_ARCH-macros-required-by-bpf.patch 
@@ -0,0 +1,48 @@ +From 7dd3dff3a0c4f5e81913048b553f325b74384196 Mon Sep 17 00:00:00 2001 +From: Daan De Meyer +Date: Tue, 2 Jul 2024 17:50:57 +0200 +Subject: [PATCH 0743/1160] meson: Define __TARGET_ARCH macros required by bpf + +These are required by the bpf_tracing.h header in libbpf, see +https://github.com/libbpf/libbpf/blob/master/src/bpf_tracing.h. + +bpf_tracing.h does have a few fallbacks in case __TARGET_ARCH_XXX +is not defined but recommends using the __TARGET_ARCH macros instead +so let's do that. + +(cherry picked from commit 48d6dad100d0b42c02aa21d897e913461f6b3cc3) +(cherry picked from commit 399e78855324b3424bbbbbe8e2a3b31e75570ec6) +--- + meson.build | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +diff --git a/meson.build b/meson.build +index aa21b3c549..6009210923 100644 +--- a/meson.build ++++ b/meson.build +@@ -1714,15 +1714,15 @@ if conf.get('BPF_FRAMEWORK') == 1 + # C.f. https://mesonbuild.com/Reference-tables.html#cpu-families + # and src/basic/missing_syscall_def.h. + cpu_arch_defines = { +- 'ppc' : ['-D__powerpc__'], +- 'ppc64' : ['-D__powerpc64__', '-D_CALL_ELF=2'], +- 'riscv32' : ['-D__riscv', '-D__riscv_xlen=32'], +- 'riscv64' : ['-D__riscv', '-D__riscv_xlen=64'], +- 'x86' : ['-D__i386__'], +- 's390x' : ['-D__s390__', '-D__s390x__'], ++ 'ppc' : ['-D__powerpc__', '-D__TARGET_ARCH_powerpc'], ++ 'ppc64' : ['-D__powerpc64__', '-D__TARGET_ARCH_powerpc', '-D_CALL_ELF=2'], ++ 'riscv32' : ['-D__riscv', '-D__riscv_xlen=32', '-D__TARGET_ARCH_riscv'], ++ 'riscv64' : ['-D__riscv', '-D__riscv_xlen=64', '-D__TARGET_ARCH_riscv'], ++ 'x86' : ['-D__i386__', '-D__TARGET_ARCH_x86'], ++ 's390x' : ['-D__s390__', '-D__s390x__', '-D__TARGET_ARCH_s390'], + + # For arm, assume hardware fp is available. +- 'arm' : ['-D__arm__', '-D__ARM_PCS_VFP'], ++ 'arm' : ['-D__arm__', '-D__ARM_PCS_VFP', '-D__TARGET_ARCH_arm'], + } + + bpf_arch_flags = cpu_arch_defines.get(host_machine.cpu_family(), +-- +2.33.0 + 
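Review bot: The table only covers cpu families whose GCC-style macro does not map onto libbpf's name, while x86_64 and aarch64 fall through to the default argument of the `.get()` call that is cut off at the bottom of the hunk, relying on bpf_tracing.h's `__x86_64__`/`__aarch64__` fallbacks — the very fallbacks the commit message says it wants to stop depending on. If that default is just `'-D__' + cpu_family + '__'`, then `__TARGET_ARCH_x86`/`__TARGET_ARCH_arm64` are still not passed for the two most common hosts; either add them to the table or note in the comment why the fallback is acceptable there, e.g. `# x86_64/aarch64 rely on bpf_tracing.h's __x86_64__/__aarch64__ fallback`. The `__TARGET_ARCH_*` suffixes must match libbpf's spelling exactly (`powerpc`, `s390`, `arm`), which is worth saying next to the table since nothing at build time validates it.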
diff --git a/backport-meson-Skip-getent-when-it-s-not-found.patch b/backport-meson-Skip-getent-when-it-s-not-found.patch new file mode 100644 index 0000000..ad5d575 --- /dev/null +++ b/backport-meson-Skip-getent-when-it-s-not-found.patch 
@@ -0,0 +1,66 @@ +From 818c33b1e4e806d4c3aa0d702dc7b898044c9c58 Mon Sep 17 00:00:00 2001 +From: Vyacheslav Yurkov +Date: Wed, 5 Feb 2025 07:14:20 +0000 +Subject: [PATCH 1105/1160] meson: Skip getent when it's not found + +(cherry picked from commit 8b413ae4060b21ed4712fdad7eba195890740756) +(cherry picked from commit 2b9914bd23a9a7c123e9330c3121e2e72af66ccb) +(cherry picked from commit 10c5fa5bd1454d015cd7d709239446a272378b1a) +--- + meson.build | 33 +++++++++++++++++++-------------- + 1 file changed, 19 insertions(+), 14 deletions(-) + +diff --git a/meson.build b/meson.build +index 216a8cbc91..912ad5643a 100644 +--- a/meson.build ++++ b/meson.build +@@ -860,13 +860,16 @@ nobody_user = get_option('nobody-user') + nobody_group = get_option('nobody-group') + + if not meson.is_cross_build() +- getent_result = run_command('getent', 'passwd', '65534', check : false) +- if getent_result.returncode() == 0 +- name = getent_result.stdout().split(':')[0] +- if name != nobody_user +- warning('\n' + +- 'The local user with the UID 65534 does not match the configured user name "@0@" of the nobody user (its name is @1@).\n'.format(nobody_user, name) + +- 'Your build will result in an user table setup that is incompatible with the local system.') ++ find_getent_result = find_program('getent', required : false) ++ if find_getent_result.found() ++ getent_result = run_command('getent', 'passwd', '65534', check : false) ++ if getent_result.returncode() == 0 ++ name = getent_result.stdout().split(':')[0] ++ if name != nobody_user ++ warning('\n' + ++ 'The local user with the UID 65534 does not match the configured user name "@0@" of the nobody user (its name is @1@).\n'.format(nobody_user, name) + ++ 'Your build will result in an user table setup that is incompatible with the local system.') ++ endif + endif + endif + id_result = run_command('id', '-u', nobody_user, check : false) +@@ -879,13 +882,15 @@ if not meson.is_cross_build() + endif + endif + +- getent_result = 
run_command('getent', 'group', '65534', check : false) +- if getent_result.returncode() == 0 +- name = getent_result.stdout().split(':')[0] +- if name != nobody_group +- warning('\n' + +- 'The local group with the GID 65534 does not match the configured group name "@0@" of the nobody group (its name is @1@).\n'.format(nobody_group, name) + +- 'Your build will result in an group table setup that is incompatible with the local system.') ++ if find_getent_result.found() ++ getent_result = run_command('getent', 'group', '65534', check : false) ++ if getent_result.returncode() == 0 ++ name = getent_result.stdout().split(':')[0] ++ if name != nobody_group ++ warning('\n' + ++ 'The local group with the GID 65534 does not match the configured group name "@0@" of the nobody group (its name is @1@).\n'.format(nobody_group, name) + ++ 'Your build will result in an group table setup that is incompatible with the local system.') ++ endif + endif + endif + id_result = run_command('id', '-g', nobody_group, check : false) +-- +2.33.0 + diff --git a/backport-meson-Use-fstrict-flex-arrays-3.patch b/backport-meson-Use-fstrict-flex-arrays-3.patch new file mode 100644 index 0000000..1bb9c99 --- /dev/null +++ b/backport-meson-Use-fstrict-flex-arrays-3.patch 
@@ -0,0 +1,31 @@ +From 828c900ec7da113ea2e69141993d7d61d111e67d Mon Sep 17 00:00:00 2001 +From: Daan De Meyer +Date: Sat, 3 Aug 2024 20:10:54 +0200 +Subject: [PATCH 0838/1160] meson: Use -fstrict-flex-arrays=3 + +Let's explicitly pass the value to -fstrict-flex-arrays. This does +not change behavior but it does (selfishly) make my error not bug +out with an error saying -fstrict-flex-arrays does not exist. + +(cherry picked from commit ad723ca3e5bd41d2d884760375534910bb55d9b3) +(cherry picked from commit 2925fc2c6f4b13a2f098912fa3d44ad31e9f2cf0) +--- + meson.build | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/meson.build b/meson.build +index d89e91c834..5630221162 100644 +--- a/meson.build ++++ b/meson.build +@@ -381,7 +381,7 @@ possible_common_cc_flags = [ + '-fno-common', + '-fstack-protector', + '-fstack-protector-strong', +- '-fstrict-flex-arrays', ++ '-fstrict-flex-arrays=3', + '--param=ssp-buffer-size=4', + ] + +-- +2.33.0 + diff --git a/backport-meson-add-loongarch64-s-definition-to-cpu_arch_defin.patch b/backport-meson-add-loongarch64-s-definition-to-cpu_arch_defin.patch new file mode 100644 index 0000000..391222c --- /dev/null +++ b/backport-meson-add-loongarch64-s-definition-to-cpu_arch_defin.patch 
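Review bot: A comment on the flag would help, since level 3 is the strictest setting: only a trailing `[]` member is a flexible array, so `[0]`/`[1]` trailing arrays get their declared size from __builtin_object_size and a `_FORTIFY_SOURCE=3` build can abort at runtime on a write past them. The commit message says the bare `-fstrict-flex-arrays` already meant level 3 so behaviour does not change, but making the level explicit is the moment to record that, e.g. `# =3: only a trailing [] is a flexible array; [0]/[1] members are bounds-checked`. Whether the tree still contains `[0]`/`[1]` trailing arrays is not visible from this hunk.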
@@ -0,0 +1,48 @@ +From dbcc0151c41d5b1777ffb149ad9a8f1d5164db9e Mon Sep 17 00:00:00 2001 +From: Zhou Qiankang +Date: Mon, 28 Oct 2024 12:47:20 +0800 +Subject: [PATCH 0971/1160] meson: add loongarch64's definition to + cpu_arch_defines + +The default definition to add is `-D__loongarch64__`, which is not searched in [bpf_tracing.h](https://github.com/libbpf/libbpf/blob/09b9e83102eb8ab9e540d36b4559c55f3bcdb95d/src/bpf_tracing.h#L68) + +This may avoid `error: Must specify a BPF target arch via __TARGET_ARCH_xxx` in loongarch64 + +Signed-off-by: Zhou Qiankang +(cherry picked from commit 85d0aff84c83182875bc564e295978efd76ab905) +(cherry picked from commit 963171cf4148d4dd7e63c84febe36c77d0b46a5e) +--- + meson.build | 15 ++++++++------- + 1 file changed, 8 insertions(+), 7 deletions(-) + +diff --git a/meson.build b/meson.build +index c2beeeffff..216a8cbc91 100644 +--- a/meson.build ++++ b/meson.build +@@ -1718,15 +1718,16 @@ if conf.get('BPF_FRAMEWORK') == 1 + # C.f. https://mesonbuild.com/Reference-tables.html#cpu-families + # and src/basic/missing_syscall_def.h. + cpu_arch_defines = { +- 'ppc' : ['-D__powerpc__', '-D__TARGET_ARCH_powerpc'], +- 'ppc64' : ['-D__powerpc64__', '-D__TARGET_ARCH_powerpc', '-D_CALL_ELF=2'], +- 'riscv32' : ['-D__riscv', '-D__riscv_xlen=32', '-D__TARGET_ARCH_riscv'], +- 'riscv64' : ['-D__riscv', '-D__riscv_xlen=64', '-D__TARGET_ARCH_riscv'], +- 'x86' : ['-D__i386__', '-D__TARGET_ARCH_x86'], +- 's390x' : ['-D__s390__', '-D__s390x__', '-D__TARGET_ARCH_s390'], ++ 'ppc' : ['-D__powerpc__', '-D__TARGET_ARCH_powerpc'], ++ 'ppc64' : ['-D__powerpc64__', '-D__TARGET_ARCH_powerpc', '-D_CALL_ELF=2'], ++ 'riscv32' : ['-D__riscv', '-D__riscv_xlen=32', '-D__TARGET_ARCH_riscv'], ++ 'riscv64' : ['-D__riscv', '-D__riscv_xlen=64', '-D__TARGET_ARCH_riscv'], ++ 'x86' : ['-D__i386__', '-D__TARGET_ARCH_x86'], ++ 's390x' : ['-D__s390__', '-D__s390x__', '-D__TARGET_ARCH_s390'], + + # For arm, assume hardware fp is available. 
+- 'arm' : ['-D__arm__', '-D__ARM_PCS_VFP', '-D__TARGET_ARCH_arm'], ++ 'arm' : ['-D__arm__', '-D__ARM_PCS_VFP', '-D__TARGET_ARCH_arm'], ++ 'loongarch64' : ['-D__loongarch__', '-D__loongarch_grlen=64', '-D__TARGET_ARCH_loongarch'] + } + + bpf_arch_flags = cpu_arch_defines.get(host_machine.cpu_family(), +-- +2.33.0 + diff --git a/backport-meson-add-option-to-build-systemd-executor-staticall.patch b/backport-meson-add-option-to-build-systemd-executor-staticall.patch new file mode 100644 index 0000000..5b8a0dd --- /dev/null +++ b/backport-meson-add-option-to-build-systemd-executor-staticall.patch 
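Review bot: Re-aligning the six existing entries turns a one-line addition into a hunk that rewrites the whole table, which hides the actual change in review and in `git blame`; the loongarch64 entry is also the only one without a trailing comma, so the next architecture added will have to touch this line again. I'd keep the existing alignment and write the new line as `'loongarch64' : ['-D__loongarch__', '-D__loongarch_grlen=64', '-D__TARGET_ARCH_loongarch'],`. The `__loongarch_grlen=64` define is presumably what the BPF headers key on for register width, but neither the commit message nor a comment says so.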
@@ -0,0 +1,102 @@ +From c4ddf5d5dcb0c95ce930fa533ac81eaf5307be47 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Wed, 3 Jul 2024 17:05:31 +0200 +Subject: [PATCH 0756/1160] meson: add option to build systemd-executor + "statically" + +The new link-executor-shared option is similar to the existing +link-udev-shared: when set to false, we link to the static versions of our +internal libraries. + +The resulting exuctor binary is fairly large, about as large as libsystemd-core +(14 MB without lto, 8 with lto). + +This is intended as a workaround for the fuckup with the pinned executor +binary: +when an upgrade is performed, the package manager will install new version of +the libraries and new version of the code, and some time later reexecute the +managers. This creates a window when the pinned executor binary will fail to +execute. There are two factors which make the issue easier to hit: + +- when the distribution uses a finely-grained shared-lib-tag. E.g. Fedora + uses version-release as the tag, which means that the issue occurs on + every package upgrade. This is the right thing to do, because the + ABI of our internal libraries is not stable at all, so replacing the + library from a different version in place creates a window where our + programs may crash or misbehave. + +- when the distribution doesn't immediately reexec all the managers after + upgrade. In early versions of systemd, we used to hammer the machine during + upgrade, doing daemon-reexecs repeatedly. This works, but is ugly and + wasteful. Doing the reexecs while the upgrade is in progres also creates a + window where a mix of old and new configs or both is loaded. Users are + particularly annoyed by those reloads if there is some issue in the + configuration causing us to emit warnings on every reexec. Doing the + reexecs once after the new configuration and libraries have been put + in place is nicer. 
+ +The pinning of the executor binary breaks upgrades and in particular +it penalizes the distributions which make use of the features which +were previously added to avoid bugs and inefficiency during upgrades. + +When the executor is linked statically, there is a smaller chance that it'll +fail to load libraries. The issue can still occur because other libraries, not +our own, are linked dynamically. + +(cherry picked from commit d59cae6cebd0fc25a16a020bd28e5303901f1b19) +(cherry picked from commit d28aa922fdee5c5c438ca9b485b92b21180482d3) +--- + meson_options.txt | 2 ++ + src/core/meson.build | 16 ++++++++++++---- + 2 files changed, 14 insertions(+), 4 deletions(-) + +diff --git a/meson_options.txt b/meson_options.txt +index 414b0345d1..aa9b021ae6 100644 +--- a/meson_options.txt ++++ b/meson_options.txt +@@ -19,6 +19,8 @@ option('rootprefix', type : 'string', deprecated: true, + description : '''This option is deprecated and will be removed in a future release''') + option('link-udev-shared', type : 'boolean', + description : 'link systemd-udevd and its helpers to libsystemd-shared.so') ++option('link-executor-shared', type : 'boolean', ++ description : 'link systemd-executor to libsystemd-shared.so and libsystemd-core.so') + option('link-systemctl-shared', type: 'boolean', + description : 'link systemctl against libsystemd-shared.so') + option('link-networkd-shared', type: 'boolean', +diff --git a/src/core/meson.build b/src/core/meson.build +index 301b1515b5..65e39cb43f 100644 +--- a/src/core/meson.build ++++ b/src/core/meson.build +@@ -155,6 +155,17 @@ systemd_executor_sources = files( + 'exec-invoke.c', + ) + ++executor_libs = get_option('link-executor-shared') ? 
\ ++ [ ++ libcore, ++ libshared, ++ ] : [ ++ libcore_static, ++ libshared_static, ++ libbasic_static, ++ libsystemd_static, ++ ] ++ + executables += [ + libexec_template + { + 'name' : 'systemd', +@@ -172,10 +183,7 @@ executables += [ + 'public' : true, + 'sources' : systemd_executor_sources, + 'include_directories' : core_includes, +- 'link_with' : [ +- libcore, +- libshared, +- ], ++ 'link_with' : executor_libs, + 'dependencies' : [ + libapparmor, + libpam, +-- +2.33.0 + diff --git a/backport-meson-also-skip-uid-gid-check-for-nobody-user-group-.patch b/backport-meson-also-skip-uid-gid-check-for-nobody-user-group-.patch new file mode 100644 index 0000000..713b5ce --- /dev/null +++ b/backport-meson-also-skip-uid-gid-check-for-nobody-user-group-.patch 
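Review bot: The new `link-executor-shared` option carries no `value :` and so defaults to true, and its description does not say what the false setting is for or what it costs, whereas the commit message explains both (a roughly 8–14 MB executor in exchange for surviving the package-upgrade window in which the pinned executor can no longer load the replaced libsystemd-shared.so). Packagers only read meson_options.txt, so suggest `description : 'link systemd-executor to libsystemd-shared.so and libsystemd-core.so; set to false for a self-contained executor that survives library replacement during upgrades, at the cost of a much larger binary'`. Note that the static build still links the system libraries (libpam, libapparmor, ...) dynamically, as the commit message itself concedes, so this narrows rather than closes the upgrade race.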
@@ -0,0 +1,133 @@ +From ebc40b9e6fc8ec7b164940eb5629fc113638abb8 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Fri, 7 Feb 2025 11:36:46 +0900 +Subject: [PATCH 1106/1160] meson: also skip uid/gid check for nobody + user/group when id command not found + +Follow-up for 8b413ae4060b21ed4712fdad7eba195890740756. + +(cherry picked from commit be4f4c4343f05f2b53deb326c241c6031c36c911) +(cherry picked from commit c7767b606a77af10b66975200c6fd830150f2fe5) +(cherry picked from commit cdb157a33ffafd0cc2ac9b5fee08a57e527197a5) +--- + meson.build | 70 ++++++++++++++++++++++++++++------------------------- + 1 file changed, 37 insertions(+), 33 deletions(-) + +diff --git a/meson.build b/meson.build +index 912ad5643a..8c16c1c5c0 100644 +--- a/meson.build ++++ b/meson.build +@@ -649,17 +649,20 @@ endif + + ##################################################################### + +-sh = find_program('sh') +-echo = find_program('echo') +-sed = find_program('sed') + awk = find_program('awk') +-stat = find_program('stat') +-ln = find_program('ln') +-git = find_program('git', required : false) +-env = find_program('env') +-rsync = find_program('rsync', required : false) + diff = find_program('diff') ++echo = find_program('echo') ++env = find_program('env') + find = find_program('find') ++getent = find_program('getent', required : false) ++git = find_program('git', required : false) ++gperf = find_program('gperf') ++id = find_program('id', required : false) ++ln = find_program('ln') ++rsync = find_program('rsync', required : false) ++sed = find_program('sed') ++sh = find_program('sh') ++stat = find_program('stat') + + ln_s = ln.full_path() + ' -frsT -- "${DESTDIR:-}@0@" "${DESTDIR:-}@1@"' + +@@ -699,8 +702,6 @@ endif + + ############################################################ + +-gperf = find_program('gperf') +- + gperf_test_format = ''' + #include + const char * in_word_set(const char *, @0@); +@@ -860,11 +861,10 @@ nobody_user = get_option('nobody-user') + nobody_group = 
get_option('nobody-group') + + if not meson.is_cross_build() +- find_getent_result = find_program('getent', required : false) +- if find_getent_result.found() +- getent_result = run_command('getent', 'passwd', '65534', check : false) +- if getent_result.returncode() == 0 +- name = getent_result.stdout().split(':')[0] ++ if getent.found() ++ ret = run_command(getent, 'passwd', '65534', check : false) ++ if ret.returncode() == 0 ++ name = ret.stdout().split(':')[0] + if name != nobody_user + warning('\n' + + 'The local user with the UID 65534 does not match the configured user name "@0@" of the nobody user (its name is @1@).\n'.format(nobody_user, name) + +@@ -872,20 +872,22 @@ if not meson.is_cross_build() + endif + endif + endif +- id_result = run_command('id', '-u', nobody_user, check : false) +- if id_result.returncode() == 0 +- id = id_result.stdout().strip().to_int() +- if id != 65534 +- warning('\n' + +- 'The local user with the configured user name "@0@" of the nobody user does not have UID 65534 (it has @1@).\n'.format(nobody_user, id) + +- 'Your build will result in an user table setup that is incompatible with the local system.') ++ if id.found() ++ ret = run_command(id, '-u', nobody_user, check : false) ++ if ret.returncode() == 0 ++ uid = ret.stdout().strip().to_int() ++ if uid != 65534 ++ warning('\n' + ++ 'The local user with the configured user name "@0@" of the nobody user does not have UID 65534 (it has @1@).\n'.format(nobody_user, uid) + ++ 'Your build will result in an user table setup that is incompatible with the local system.') ++ endif + endif + endif + +- if find_getent_result.found() +- getent_result = run_command('getent', 'group', '65534', check : false) +- if getent_result.returncode() == 0 +- name = getent_result.stdout().split(':')[0] ++ if getent.found() ++ ret = run_command(getent, 'group', '65534', check : false) ++ if ret.returncode() == 0 ++ name = ret.stdout().split(':')[0] + if name != nobody_group + warning('\n' + + 'The local 
group with the GID 65534 does not match the configured group name "@0@" of the nobody group (its name is @1@).\n'.format(nobody_group, name) + +@@ -893,13 +895,15 @@ if not meson.is_cross_build() + endif + endif + endif +- id_result = run_command('id', '-g', nobody_group, check : false) +- if id_result.returncode() == 0 +- id = id_result.stdout().strip().to_int() +- if id != 65534 +- warning('\n' + +- 'The local group with the configured group name "@0@" of the nobody group does not have GID 65534 (it has @1@).\n'.format(nobody_group, id) + +- 'Your build will result in an group table setup that is incompatible with the local system.') ++ if id.found() ++ ret = run_command(id, '-g', nobody_group, check : false) ++ if ret.returncode() == 0 ++ gid = ret.stdout().strip().to_int() ++ if gid != 65534 ++ warning('\n' + ++ 'The local group with the configured group name "@0@" of the nobody group does not have GID 65534 (it has @1@).\n'.format(nobody_group, gid) + ++ 'Your build will result in an group table setup that is incompatible with the local system.') ++ endif + endif + endif + endif +-- +2.33.0 + diff --git a/backport-meson-bpf-propagate-sysroot-for-cross-compilation.patch b/backport-meson-bpf-propagate-sysroot-for-cross-compilation.patch new file mode 100644 index 0000000..37dfc69 --- /dev/null +++ b/backport-meson-bpf-propagate-sysroot-for-cross-compilation.patch 
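Review bot: When neither `getent` nor `id` is found, the nobody user/group consistency checks are now skipped silently, so a build host without them leaves no hint in the configure log that the check never ran; a `message()` in the not-found case would keep the log honest, e.g. `else message('getent/id not found, skipping nobody-user/nobody-group consistency check')` on each of the new `if` branches. This is only a warning-level check against the build host's NSS state in non-cross builds, so skipping it is the right fallback. The rename from `id` to `uid`/`gid` for the parsed integers is also necessary now that `id` holds the program object, not just cosmetic.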
@@ -0,0 +1,33 @@
+From b61a8cf3f4091876ad0151d1bb2238c5a762f33a Mon Sep 17 00:00:00 2001
+From: Johannes Schneider
+Date: Thu, 20 Jun 2024 12:32:18 +0200
+Subject: [PATCH 0719/1160] meson: bpf: propagate 'sysroot' for cross
+ compilation
+
+During cross-compilation of systemd, the compiler used to build the bpf's needs
+to be pointed at the correct include searchpath. Which can be done by passing
+the corresponding directory in through the cflags; for example in yocto/bitbake
+this would work: CFLAGS += "--sysroot=${STAGING_DIR_TARGET}"
+
+Signed-off-by: Johannes Schneider
+(cherry picked from commit b608bf5620765de20851eca55cbd6c42ce1af450)
+(cherry picked from commit 3174fae67beeae49f71eda09c9fa844316440522)
+---
+ meson.build | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/meson.build b/meson.build
+index 15ad855a7f..3d7b0d5fe6 100644
+--- a/meson.build
++++ b/meson.build
+@@ -1691,6 +1691,7 @@ if conf.get('BPF_FRAMEWORK') == 1
+ '-ffile-prefix-map=',
+ '-fdebug-prefix-map=',
+ '-fmacro-prefix-map=',
++ '--sysroot=',
+ ]
+
+ foreach opt : c_args
+--
+2.33.0
+
diff --git a/backport-meson-build-libsystemd-core-via-an-intermediate-stat.patch b/backport-meson-build-libsystemd-core-via-an-intermediate-stat.patch
new file mode 100644
index 0000000..4c32df3
--- /dev/null
+++ b/backport-meson-build-libsystemd-core-via-an-intermediate-stat.patch
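Review bot: The new `'--sysroot='` entry only catches the joined spelling, because the propagation loop that follows (`foreach opt : c_args` with a `startswith(flag)` match on single tokens) copies one argument at a time; a split `--sysroot DIR` form, which I believe clang accepts, or `-isysroot DIR` would not be carried over and the BPF objects would silently be compiled against the host's headers. Either document the limitation next to the list, e.g. `# only the joined --sysroot=DIR spelling is propagated to the BPF compiler`, or extend the loop to also copy the token that follows a split-form flag. The loop body itself lies outside this hunk.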
@@ -0,0 +1,63 @@ +From 77c80325dc12fac39425fc26b1d0887d171699af Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Wed, 3 Jul 2024 17:03:26 +0200 +Subject: [PATCH 0755/1160] meson: build libsystemd-core via an intermediate + static library + +By itself, this is not useful. I'm making this a separate commit to +make debugging easier. It turns out that meson does static libraries +using references, so the "static library" a tiny stub stub that refers +to the object files on disk and this has negligible cost: +$ ls -lhd build/src/core/libsystemd-core-257.{a,so} +-rw-r--r-- 1 zbyszek zbyszek 36K Jul 3 16:54 build/src/core/libsystemd-core-257.a +-rwxr-xr-x 1 zbyszek zbyszek 6.1M Jul 3 16:54 build/src/core/libsystemd-core-257.so + +(cherry picked from commit d0689ee5fbfafa736e6eca89bc80cb2d372f2229) +(cherry picked from commit c3b4032fc3153684c9917f23e08e2928f8972f0d) +--- + src/core/meson.build | 16 +++++++++++----- + 1 file changed, 11 insertions(+), 5 deletions(-) + +diff --git a/src/core/meson.build b/src/core/meson.build +index 7701d3de0a..301b1515b5 100644 +--- a/src/core/meson.build ++++ b/src/core/meson.build +@@ -109,17 +109,13 @@ load_fragment_gperf_nulstr_c = custom_target( + + libcore_name = 'systemd-core-@0@'.format(shared_lib_tag) + +-libcore = shared_library( ++libcore_static = static_library( + libcore_name, + libcore_sources, + load_fragment_gperf_c, + load_fragment_gperf_nulstr_c, + include_directories : includes, + c_args : ['-fvisibility=default'], +- link_args : ['-shared', +- '-Wl,--version-script=' + libshared_sym_path], +- link_depends : libshared_sym_path, +- link_with : libshared, + dependencies : [libacl, + libapparmor, + libaudit, +@@ -134,6 +130,16 @@ libcore = shared_library( + libselinux, + threads, + userspace], ++ build_by_default : false) ++ ++libcore = shared_library( ++ libcore_name, ++ c_args : ['-fvisibility=default'], ++ link_args : ['-shared', ++ '-Wl,--version-script=' + libshared_sym_path], ++ 
link_depends : libshared_sym_path, ++ link_whole: libcore_static, ++ link_with : libshared, + install : true, + install_dir : pkglibdir) + +-- +2.33.0 + diff --git a/backport-meson-check-for-pefile-dependency-before-enabling-uk.patch b/backport-meson-check-for-pefile-dependency-before-enabling-uk.patch new file mode 100644 index 0000000..37dcc1b --- /dev/null +++ b/backport-meson-check-for-pefile-dependency-before-enabling-uk.patch @@ -0,0 +1,33 @@ +From 7920c41a8380fa7ef0b1d9dff98e328de67c19e7 Mon Sep 17 00:00:00 2001 +From: Luca Boccassi +Date: Sat, 23 Dec 2023 09:56:31 +0100 +Subject: [PATCH 0172/1160] meson: check for pefile dependency before enabling + ukify + +ukify (and all the tests, including the autogenerated check-version-ukify) +does not work unless pefile is available, so track it as a dependency +in meson to avoid unit test failures later + +(cherry picked from commit 85915f312c4f83365d603a33f065cf6d648cab27) +--- + meson.build | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/meson.build b/meson.build +index e17af8551a..f1f4e7e3c5 100644 +--- a/meson.build ++++ b/meson.build +@@ -1805,7 +1805,9 @@ if have and efi_arch == 'x64' and cc.links(''' + efi_cpu_family_alt = 'x86' + endif + +-want_ukify = get_option('ukify').require(python_39, error_message : 'Python >= 3.9 required').allowed() ++pefile = pymod.find_installation('python3', required: false, modules : ['pefile']) ++ ++want_ukify = get_option('ukify').require(python_39 and (want_tests != 'true' or pefile.found()), error_message : 'Python >= 3.9 and pefile required').allowed() + conf.set10('ENABLE_UKIFY', want_ukify) + + ############################################################ +-- +2.33.0 + diff --git a/backport-meson-copy-prefix-mapping-CFLAGS-when-building-BPF-o.patch b/backport-meson-copy-prefix-mapping-CFLAGS-when-building-BPF-o.patch new file mode 100644 index 0000000..fbec767 --- /dev/null +++ b/backport-meson-copy-prefix-mapping-CFLAGS-when-building-BPF-o.patch 
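Review bot: The new `shared_library()` call keeps `c_args : ['-fvisibility=default']` but no longer lists any sources, so there is nothing for that flag to apply to — the only place it takes effect is the `static_library()` above, and leaving the copy on the shared target invites a reader to assume it matters. I'd drop it there or add a one-line comment such as `# no sources here: visibility is set on libcore_static, this target only relinks it`. Style-wise, `link_whole: libcore_static` breaks the `key : value` spacing used by every other keyword in the same call (`link_with : libshared`).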
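Review bot: The pefile requirement is only enforced when tests are enabled (`want_tests != 'true' or pefile.found()`), yet the commit message states that ukify itself does not work without pefile; with `-Dtests=false` ukify is still enabled and installed, and fails at runtime instead of at configure time. If the intent is to keep the runtime dependency soft, that should be stated in a comment, otherwise `require(python_39 and pefile.found(), ...)` is the consistent choice. The error message also names pefile even when only the Python >= 3.9 check failed, which is misleading for someone reading the configure log.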
@@ -0,0 +1,45 @@ +From 4a8f9649caa996a6969365f7f41cf577b5cca291 Mon Sep 17 00:00:00 2001 +From: Luca Boccassi +Date: Sat, 27 Apr 2024 17:55:27 +0100 +Subject: [PATCH 0583/1160] meson: copy prefix mapping CFLAGS when building BPF + objects + +Otherwise the filenames will contain variable paths and break reproducibility + +(cherry picked from commit 8d6e439aae6a5e2e1b89647ec05ca2d0cf8df8b9) +--- + meson.build | 18 ++++++++++++++++++ + 1 file changed, 18 insertions(+) + +diff --git a/meson.build b/meson.build +index edd5ba2d25..187e7b216d 100644 +--- a/meson.build ++++ b/meson.build +@@ -1685,6 +1685,24 @@ if conf.get('BPF_FRAMEWORK') == 1 + '-c', + ] + ++ # If c_args contains these flags copy them along with the values, in order to avoid breaking ++ # reproducible builds and other functionality ++ propagate_cflags = [ ++ '-ffile-prefix-map=', ++ '-fdebug-prefix-map=', ++ '-fmacro-prefix-map=', ++ ] ++ ++ foreach opt : c_args ++ foreach flag : propagate_cflags ++ if opt.startswith(flag) ++ bpf_clang_flags += [opt] ++ bpf_gcc_flags += [opt] ++ break ++ endif ++ endforeach ++ endforeach ++ + # Generate defines that are appropriate to tell the compiler what architecture + # we're compiling for. By default we just map meson's cpu_family to ____. + # This dictionary contains the exceptions where this doesn't work. +-- +2.33.0 + diff --git a/backport-meson-define-s390-for-s390x-when-building-BPF-object.patch b/backport-meson-define-s390-for-s390x-when-building-BPF-object.patch new file mode 100644 index 0000000..522a54e --- /dev/null +++ b/backport-meson-define-s390-for-s390x-when-building-BPF-object.patch 
@@ -0,0 +1,46 @@ +From bd9c837bb733ce516bd31cfd023f83907fe476fc Mon Sep 17 00:00:00 2001 +From: Luca Boccassi +Date: Sat, 27 Apr 2024 18:06:42 +0100 +Subject: [PATCH 0582/1160] meson: define 's390' for 's390x' when building BPF + objects + +The kernel headers match on __s390__ so the build fails + +../src/nsresourced/bpf/userns_restrict/userns-restrict.bpf.c:159:6: error: Must specify a BPF target arch via __TARGET_ARCH_xxx +void BPF_KPROBE(userns_restrict_free_user_ns, struct work_struct *work) { + ^ +/usr/include/bpf/bpf_tracing.h:817:20: note: expanded from macro 'BPF_KPROBE' + return ____##name(___bpf_kprobe_args(args)); \ + ^ +/usr/include/bpf/bpf_tracing.h:797:41: note: expanded from macro '___bpf_kprobe_args' + ^ +/usr/include/bpf/bpf_helpers.h:195:29: note: expanded from macro '___bpf_apply' + ^ +note: (skipping 2 expansions in backtrace; use -fmacro-backtrace-limit=0 to see all) +/usr/include/bpf/bpf_tracing.h:789:72: note: expanded from macro '___bpf_kprobe_args1' + ^ +/usr/include/bpf/bpf_tracing.h:563:29: note: expanded from macro 'PT_REGS_PARM1' + ^ +:125:6: note: expanded from here + GCC error "Must specify a BPF target arch via __TARGET_ARCH_xxx" + +(cherry picked from commit aab7bb596821e83f736bcb19b5c71ec1b8dc440e) +--- + meson.build | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/meson.build b/meson.build +index 554765bc70..edd5ba2d25 100644 +--- a/meson.build ++++ b/meson.build +@@ -1697,6 +1697,7 @@ if conf.get('BPF_FRAMEWORK') == 1 + 'riscv32' : ['-D__riscv', '-D__riscv_xlen=32'], + 'riscv64' : ['-D__riscv', '-D__riscv_xlen=64'], + 'x86' : ['-D__i386__'], ++ 's390x' : ['-D__s390__', '-D__s390x__'], + + # For arm, assume hardware fp is available. + 'arm' : ['-D__arm__', '-D__ARM_PCS_VFP'], +-- +2.33.0 + diff --git a/backport-meson-disable-Wnonnull-compare.patch b/backport-meson-disable-Wnonnull-compare.patch new file mode 100644 index 0000000..0554f24 --- /dev/null +++ b/backport-meson-disable-Wnonnull-compare.patch 
@@ -0,0 +1,54 @@ +From 08e99f781e15f559a137c625aeba81790b54121a Mon Sep 17 00:00:00 2001 +From: Frantisek Sumsal +Date: Tue, 16 Jan 2024 22:25:04 +0100 +Subject: [PATCH 0164/1160] meson: disable -Wnonnull-compare +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This gets enabled by default in gcc-14 and complains everywhere where we +use assert() on an expression that is always true (i.e. using +`int x[static 2]` in function declaration, etc.): + +[153/2414] Compiling C object src/basic/libbasic.a.p/fs-util.c.o +In file included from ../src/basic/macro.h:13, + from ../src/basic/alloc-util.h:10, + from ../src/basic/fs-util.c:11: +../src/basic/fd-util.h: In function ‘format_proc_fd_path’: +../src/fundamental/macro-fundamental.h:74:41: warning: ‘nonnull’ argument ‘buf’ compared to NULL [-Wnonnull-compare] + 74 | #define _unlikely_(x) (__builtin_expect(!!(x), 0)) + | ^~~~~ +../src/basic/macro.h:150:21: note: in expansion of macro ‘_unlikely_’ + 150 | if (_unlikely_(!(expr))) \ + | ^~~~~~~~~~ +../src/basic/macro.h:167:22: note: in expansion of macro ‘assert_message_se’ + 167 | #define assert(expr) assert_message_se(expr, #expr) + | ^~~~~~~~~~~~~~~~~ +../src/basic/fd-util.h:129:9: note: in expansion of macro ‘assert’ + 129 | assert(buf); + | ^~~~~~ + +Disabling this selectively only for asserts is a bit painful, since the +option is not available in all compilers, and it'd need to be handled in +the EFI stuff as well. + +(cherry picked from commit b59bce308df746e1793b134db7fec4c298ed1f61) +--- + meson.build | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/meson.build b/meson.build +index 7419e2b0b0..e17af8551a 100644 +--- a/meson.build ++++ b/meson.build +@@ -328,6 +328,7 @@ endif + basic_disabled_warnings = [ + '-Wno-missing-field-initializers', + '-Wno-unused-parameter', ++ '-Wno-nonnull-compare', + ] + + possible_common_cc_flags = [ +-- +2.33.0 + 
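Review bot: Adding `-Wno-nonnull-compare` globally silences a warning that points at a real hazard rather than a cosmetic one: when a parameter is declared nonnull, GCC is documented to treat that as an optimisation assumption and may delete the `assert(buf)` NULL test entirely, so those asserts give no defence-in-depth against a NULL caller. The commit message frames this purely as noise; I'd at least capture the trade-off in a comment on the new line, e.g. `# fires on assert(x) for nonnull args; note GCC may also elide such checks`, so nobody later relies on those asserts as a runtime guard. Whether to keep the warning in developer-mode builds is a judgement call I cannot settle from this hunk.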
diff --git a/backport-meson-do-not-attempt-to-install-tests-when-they-are-.patch b/backport-meson-do-not-attempt-to-install-tests-when-they-are-.patch new file mode 100644 index 0000000..9bce06d --- /dev/null +++ b/backport-meson-do-not-attempt-to-install-tests-when-they-are-.patch 
@@ -0,0 +1,37 @@ +From 2dfc3b2cb7d8ba7672d368a3e3d6ad801fcffc68 Mon Sep 17 00:00:00 2001 +From: Luca Boccassi +Date: Tue, 13 Feb 2024 13:43:49 +0000 +Subject: [PATCH 0310/1160] meson: do not attempt to install tests when they + are disabled + +If -Dtests=false but -Dinstall-tests=true the build will fail, as some tests will +be pulled in the build but not their prerequisites. It doesn't make sense to ask +for tests to be installed if they are disabled. + +FAILED: test-acd +cc -o test-acd test-acd.p/src_libsystemd-network_test-acd.c.o -flto -Wl,--as-needed -Wl,--no-undefined -pie -fstack-protector -Wl,-z,relro -specs=/usr/share/debhelper/dh_package_notes/debian-package-notes.specs -g -O2 -ffile-prefix-map=/tmp/s=. -fstack-protector-strong -fstack-clash-protection -Wformat -Werror=format-security -fcf-protection -ffat-lto-objects -Wdate-time -D_FORTIFY_SOURCE=2 '-Wl,-rpath,$ORIGIN/src/shared:XXXXXXXXXXXXXXX' -Wl,-rpath-link,/tmp/s/obj-x86_64-linux-gnu/src/shared -Wl,--start-group src/shared/libsystemd-shared-255.so src/libsystemd-network/libsystemd-network.a -Wl,--end-group -Wl,--fatal-warnings -Wl,-z,now -Wl,-z,relro -Wl,--warn-common -Wl,--gc-sections -Wl,--fatal-warnings -Wl,-z,now -Wl,-z,relro -Wl,--warn-common -Wl,--gc-sections +/usr/bin/ld: /tmp/cc0oYwFZ.ltrans0.ltrans.o: in function `main': +./obj-x86_64-linux-gnu/./obj-x86_64-linux-gnu/:85:(.text.startup+0x33): undefined reference to `test_setup_logging' +collect2: error: ld returned 1 exit status + +(cherry picked from commit 311efaae253f2c7d317f3f296aac16b19e622bb1) +--- + meson.build | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/meson.build b/meson.build +index f1f4e7e3c5..a577ac793e 100644 +--- a/meson.build ++++ b/meson.build +@@ -300,7 +300,7 @@ meson_build_sh = find_program('tools/meson-build.sh') + want_tests = get_option('tests') + slow_tests = want_tests != 'false' and get_option('slow-tests') + fuzz_tests = want_tests != 'false' and get_option('fuzz-tests') +-install_tests 
= get_option('install-tests') ++install_tests = want_tests != 'false' and get_option('install-tests') + + if add_languages('cpp', native : false, required : fuzzer_build) + # Used only for tests +-- +2.33.0 + diff --git a/backport-meson-do-not-fail-build-with-newer-kernel-headers.patch b/backport-meson-do-not-fail-build-with-newer-kernel-headers.patch new file mode 100644 index 0000000..f673c0c --- /dev/null +++ b/backport-meson-do-not-fail-build-with-newer-kernel-headers.patch 
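Review bot: The rewritten `install_tests` line silently drops `-Dinstall-tests=true` whenever `-Dtests=false`, so a packager who asked for installed tests gets none without any message. A `warning('install-tests=true is ignored because tests=false')` guarded by `get_option('install-tests')` next to it would make the override visible in the configure log instead of surprising people at packaging time.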
@@ -0,0 +1,36 @@ +From f14895301489e7f36db24afb022ea89646176eaa Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Sun, 7 Apr 2024 10:39:20 +0200 +Subject: [PATCH 0499/1160] meson: do not fail build with newer kernel headers +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +systemd-255 is failing a build with the latest kernel headers… Let's downgrade +this warning, because it's fine if there's a file system we don't know about +and it makes thing less brittle if we don't treat this as a hard error. + +(I initially conditionalized this on BUILD_MODE, but I don't think we need a +hard error there either. A warning will be noticed and fixed.) + +(cherry picked from commit c71b50179e24282a74a8d9faed82b01fb3aaeb6d) +--- + src/basic/meson.build | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/basic/meson.build b/src/basic/meson.build +index d7450d8b44..111253e3a5 100644 +--- a/src/basic/meson.build ++++ b/src/basic/meson.build +@@ -235,7 +235,7 @@ filesystem_includes = ['linux/magic.h', + check_filesystems = find_program('check-filesystems.sh') + r = run_command([check_filesystems, cpp, files('filesystems-gperf.gperf')] + filesystem_includes, check: false) + if r.returncode() != 0 +- error('Unknown filesystems defined in kernel headers:\n\n' + r.stdout()) ++ warning('Unknown filesystems defined in kernel headers:\n\n' + r.stdout()) + endif + + filesystems_gperf_h = custom_target( +-- +2.33.0 + diff --git a/backport-meson-drop-arch-filtering-in-syscall-list.patch b/backport-meson-drop-arch-filtering-in-syscall-list.patch new file mode 100644 index 0000000..be139be --- /dev/null +++ b/backport-meson-drop-arch-filtering-in-syscall-list.patch 
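Review bot: Downgrading the unknown-filesystems check to `warning()` means a build against newer kernel headers can ship a filesystem table that lacks the new magic numbers; if that table is what backs `RestrictFileSystems=` (the `filesystems-gperf` name suggests so, but I cannot confirm it from this hunk), a deny-list there would silently fail to match the new filesystem types. A warning in the meson output is easy to miss, so I'd add a comment naming the consequence, e.g. `# missing entries cannot be matched by RestrictFileSystems=; keep this list current`. Consider keeping `error()` under the developer build mode the commit message mentions so upstream CI still catches the drift.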
@@ -0,0 +1,53 @@ +From ded73e68fcbfbf82beba15a8f0280e5c010c8bde Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Thu, 25 Jan 2024 13:26:21 +0100 +Subject: [PATCH 0213/1160] meson: drop arch filtering in syscall list + +I added the filtering in 752fedbea7c02c82287c7ff2a4139f528b3f7ba8 as a way +to reduce the number of items in the tables. I thought it's "obvious", but +it might not be so. + +One immediate problem is that the filter is broken, because on arm64, +os.uname().machine returns "aarch64", so we incorrectly filter out the arm +syscalls (there is just one: arm_fadvise64_64). Of course we could fix the +filter, but I think it's better to nuke it altogether. The filter on applies to +1 arm syscall and 5 s390 syscalls, and we have 500+ other syscalls, so this +"optimization" doesn't really matter. OTOH, if we get the filter wrong, +the result is bad. And also, the existence of the filter at all creates +problems for cross-builds. + +I wanted to get rid of 'generate-syscall-list.py', but we need to generate a +backslash in the output. https://github.com/mesonbuild/meson/issues/1564 makes +this very very hard, since any attempt to put a backslash an inline argument +results in the backslash being replaces by a forward slash, which doesn't quite +have the same meaning. So let's use a standalone script until +https://github.com/mesonbuild/meson/issues/1564 is resolved. 
+ +(cherry picked from commit 58fcc6b013bbc8c6290348f701ddb862928cc1a0) +--- + src/shared/generate-syscall-list.py | 9 --------- + 1 file changed, 9 deletions(-) + +diff --git a/src/shared/generate-syscall-list.py b/src/shared/generate-syscall-list.py +index 3ee19ff709..c0975a06da 100755 +--- a/src/shared/generate-syscall-list.py ++++ b/src/shared/generate-syscall-list.py +@@ -2,15 +2,6 @@ + # SPDX-License-Identifier: LGPL-2.1-or-later + + import sys +-import os +- +-s390 = 's390' in os.uname().machine +-arm = 'arm' in os.uname().machine + + for line in open(sys.argv[1]): +- if line.startswith('s390_') and not s390: +- continue +- if line.startswith('arm_') and not arm: +- continue +- + print('"{}\\0"'.format(line.strip())) +-- +2.33.0 + diff --git a/backport-meson-enable-Wunterminated-string-initialization.patch b/backport-meson-enable-Wunterminated-string-initialization.patch new file mode 100644 index 0000000..cae93fa --- /dev/null +++ b/backport-meson-enable-Wunterminated-string-initialization.patch @@ -0,0 +1,29 @@ +From da229ea89a9b5e861e978d3787f9cf422be21553 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Wed, 7 Aug 2024 14:03:13 +0900 +Subject: [PATCH 0845/1160] meson: enable -Wunterminated-string-initialization + +With af1a6db58fde8f64edcf7d27e1f3b636c999934c, now we can build with the +option. + +(cherry picked from commit f548bc4011bcdab008b125b9d0993817efa00718) +(cherry picked from commit 772549666cf291d85c28d3bfc1ab2b7227422d4f) +--- + meson.build | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/meson.build b/meson.build +index 5630221162..fa501e37f6 100644 +--- a/meson.build ++++ b/meson.build +@@ -369,6 +369,7 @@ possible_common_cc_flags = [ + '-Wstrict-aliasing=2', + '-Wstrict-prototypes', + '-Wsuggest-attribute=noreturn', ++ '-Wunterminated-string-initialization', + '-Wunused-function', + '-Wwrite-strings', + '-Wzero-length-bounds', +-- +2.33.0 + 
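Review bot: With the filter gone the generator emits the `arm_` and `s390_` names on every architecture, so it now relies on the consumer tolerating syscall names the local libseccomp cannot resolve (I believe the resolver returns an error value the caller skips, but that is outside this hunk and worth a sentence in the script header). Style-wise, `open(sys.argv[1])` is never closed and uses the host locale's encoding; `with open(sys.argv[1], encoding='utf-8') as f:` followed by `for line in f:` is the idiomatic form and keeps the generated output independent of the build host's locale.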
diff --git a/backport-meson-fix-build.patch b/backport-meson-fix-build.patch
new file mode 100644
index 0000000..5e9c8e6
--- /dev/null
+++ b/backport-meson-fix-build.patch
@@ -0,0 +1,26 @@
+From 5f131f40158c531e2ffef8e6c6e08073a9b8ed2c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?=
+Date: Mon, 5 Aug 2024 13:37:11 +0200
+Subject: [PATCH 0799/1160] meson: fix build
+
+Fixup for incorrect backport in c4ddf5d5dcb0c95ce930fa533ac81eaf5307be47.
+---
+ src/core/meson.build | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/core/meson.build b/src/core/meson.build
+index 65e39cb43f..439a88c5b2 100644
+--- a/src/core/meson.build
++++ b/src/core/meson.build
+@@ -162,7 +162,7 @@ executor_libs = get_option('link-executor-shared') ? \
+ ] : [
+ libcore_static,
+ libshared_static,
+- libbasic_static,
++ libbasic,
+ libsystemd_static,
+ ]
+
+--
+2.33.0
+
diff --git a/backport-meson-fix-installation-of-html-doc-aliases.patch b/backport-meson-fix-installation-of-html-doc-aliases.patch
new file mode 100644
index 0000000..bf933ec
--- /dev/null
+++ b/backport-meson-fix-installation-of-html-doc-aliases.patch
@@ -0,0 +1,38 @@ +From e5ec53f4b747694f061c0ebbb34943fdb7ff5ac9 Mon Sep 17 00:00:00 2001 +From: Franck Bui +Date: Tue, 30 Jan 2024 09:34:17 +0100 +Subject: [PATCH 0235/1160] meson: fix installation of html doc aliases + +Apparently since 9289e093ae6fd5484f9119e1ee07d1dffe37cd10, "ln_s" takes +*absolute* paths only. + +(cherry picked from commit d537bf72aeaeeaa01f7f50f88a463890e1c9945e) +--- + man/meson.build | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/man/meson.build b/man/meson.build +index e4f2905d60..403098a814 100644 +--- a/man/meson.build ++++ b/man/meson.build +@@ -84,7 +84,7 @@ foreach tuple : manpages + output : htmlalias, + command : [ln, '-fs', html, '@OUTPUT@']) + if want_html +- meson.add_install_script(sh, '-c', ln_s.format(html, docdir / 'html' / htmlalias)) ++ meson.add_install_script(sh, '-c', ln_s.format(docdir / 'html' / html, docdir / 'html' / htmlalias)) + p2 += link + endif + html_pages += link +@@ -155,7 +155,7 @@ foreach tuple : xsltproc.found() ? [['systemd.directives', '7', systemd_directiv + output : htmlalias, + command : [ln, '-fs', html, '@OUTPUT@']) + if want_html +- meson.add_install_script(sh, '-c', ln_s.format(html, docdir / 'html' / htmlalias)) ++ meson.add_install_script(sh, '-c', ln_s.format(docdir / 'html' / html, docdir / 'html' / htmlalias)) + p2 += link + endif + html_pages += link +-- +2.33.0 + diff --git a/backport-meson-fix-missing-failure-if-bpf-framework-was-enabl.patch b/backport-meson-fix-missing-failure-if-bpf-framework-was-enabl.patch new file mode 100644 index 0000000..c67f0cc --- /dev/null +++ b/backport-meson-fix-missing-failure-if-bpf-framework-was-enabl.patch 
@@ -0,0 +1,39 @@ +From 896754db8ee19166c86e9b5319ba53cd08bafc64 Mon Sep 17 00:00:00 2001 +From: Dominique Martinet +Date: Sat, 20 Jul 2024 20:38:37 +0900 +Subject: [PATCH 0787/1160] meson: fix missing failure if bpf-framework was + enabled + +If building with clang and clang does not support bpf, then enabling +-Dbpf-framework=enabled would silently drop the feature (even printing +bpf-framework: enabled in the meson build recap, and no message anywhere +that'd hint at the failure!) + +This is unexpected, so add check to fail hard in this case. + +All other code paths (gcc, missing bpftool) properly check for the +option, but it is not as easy for a custom command so check explicitly + +(cherry picked from commit 8da20e3fe2a544979922cea457de3031aa74d64c) +(cherry picked from commit d6f8575f1e771ec667ed6821fa89ac679dab119d) +--- + meson.build | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/meson.build b/meson.build +index 6009210923..d89e91c834 100644 +--- a/meson.build ++++ b/meson.build +@@ -1081,6 +1081,9 @@ else + # Check if 'clang -target bpf' is supported. + clang_supports_bpf = run_command(clang, '-target', 'bpf', '--print-supported-cpus', check : false).returncode() == 0 + endif ++ if bpf_framework.enabled() and not clang_supports_bpf ++ error('bpf-framework was enabled but clang does not support bpf') ++ endif + elif bpf_compiler == 'gcc' + bpf_gcc = find_program('bpf-gcc', + 'bpf-none-gcc', +-- +2.33.0 + diff --git a/backport-meson-generate-keyboard-keys-list-from-local-input.h.patch b/backport-meson-generate-keyboard-keys-list-from-local-input.h.patch new file mode 100644 index 0000000..aad7cbf --- /dev/null +++ b/backport-meson-generate-keyboard-keys-list-from-local-input.h.patch 
@@ -0,0 +1,49 @@ +From 00c20001992e264cc8bc7ffdc39c5d90e1716131 Mon Sep 17 00:00:00 2001 +From: "Alex Xu (Hello71)" +Date: Tue, 28 Jan 2025 17:17:01 -0500 +Subject: [PATCH 1099/1160] meson: generate keyboard-keys-list from local + input.h + +otherwise it will use the system input.h which will fail to build if +newer than the bundled version + +Fixes: 0a73c8e7b8 ("linux: import input.h and friends") +(cherry picked from commit bc996fd1ba7bce7be4cbae0d0d5ba7c35e8c3f50) +(cherry picked from commit a485c928ee9872c8ce7ddbb8e9ba6f33f9ef23cc) +(cherry picked from commit f3d520479a46a398b322f6e4628648d131281590) +--- + src/udev/generate-keyboard-keys-list.sh | 2 +- + src/udev/meson.build | 3 ++- + 2 files changed, 3 insertions(+), 2 deletions(-) + +diff --git a/src/udev/generate-keyboard-keys-list.sh b/src/udev/generate-keyboard-keys-list.sh +index ead3113342..4cac507322 100755 +--- a/src/udev/generate-keyboard-keys-list.sh ++++ b/src/udev/generate-keyboard-keys-list.sh +@@ -3,7 +3,7 @@ + set -eu + set -o pipefail + +-${1:?} -dM -include linux/input.h - / { next } + /^#define[ \t]+(KEY|BTN)_[^ ]+[ \t]+[0-9BK]/ { print $2 } + ' +diff --git a/src/udev/meson.build b/src/udev/meson.build +index 824ec47803..97b780ed6c 100644 +--- a/src/udev/meson.build ++++ b/src/udev/meson.build +@@ -57,8 +57,9 @@ endif + generate_keyboard_keys_list = find_program('generate-keyboard-keys-list.sh') + keyboard_keys_list_txt = custom_target( + 'keyboard-keys-list.txt', ++ input : files('../basic/linux/input.h'), + output : 'keyboard-keys-list.txt', +- command : [generate_keyboard_keys_list, cpp], ++ command : [generate_keyboard_keys_list, cpp, '@INPUT@'], + capture : true) + + generate_keyboard_keys_gperf = find_program('generate-keyboard-keys-gperf.sh') +-- +2.33.0 + diff --git a/backport-meson-set-fno-ssa-phiopt-when-building-bpf-with-gcc.patch b/backport-meson-set-fno-ssa-phiopt-when-building-bpf-with-gcc.patch new file mode 100644 index 0000000..c40e057 --- /dev/null 
+++ b/backport-meson-set-fno-ssa-phiopt-when-building-bpf-with-gcc.patch @@ -0,0 +1,32 @@ +From fe11401fbc4dc00c9ce1c8beea7a361986c258c7 Mon Sep 17 00:00:00 2001 +From: Luca Boccassi +Date: Thu, 4 Apr 2024 23:42:45 +0100 +Subject: [PATCH 0490/1160] meson: set -fno-ssa-phiopt when building bpf with + gcc + +There are bugs in the kernel verifier that cause legitimate code +to be rejected, disabling this optimization makes bpf programs +built with a new enough gcc work again. + +Fixes https://github.com/systemd/systemd/issues/31888 + +(cherry picked from commit 1ce28e5a248b15e278e8585c154c38c31574ca83) +--- + meson.build | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/meson.build b/meson.build +index 52de3f5e31..554765bc70 100644 +--- a/meson.build ++++ b/meson.build +@@ -1677,6 +1677,7 @@ if conf.get('BPF_FRAMEWORK') == 1 + bpf_gcc_flags = [ + '-std=gnu11', + '-fno-stack-protector', ++ '-fno-ssa-phiopt', + '-O2', + '-mcpu=v3', + '-mco-re', +-- +2.33.0 + diff --git a/backport-meson-sort-includes.patch b/backport-meson-sort-includes.patch new file mode 100644 index 0000000..b337411 --- /dev/null +++ b/backport-meson-sort-includes.patch @@ -0,0 +1,31 @@ +From 40ea469735cb869c98c9bd3e651a25b74cade631 Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Thu, 10 Oct 2024 11:49:47 +0200 +Subject: [PATCH 0939/1160] meson: sort includes + +(cherry picked from commit 882032faaf9e2d2524936e82ccc770903d4c38d6) +(cherry picked from commit c14a47547d040c4976f20388f5535ed655bbd035) +--- + meson.build | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/meson.build b/meson.build +index 2418d6e8f7..c2beeeffff 100644 +--- a/meson.build ++++ b/meson.build +@@ -522,10 +522,10 @@ conf.set_quoted('LONG_MAX_STR', '@0@'.format(long_max)) + + decl_headers = ''' + #include +-#include ++#include + #include + #include +-#include ++#include + ''' + + foreach decl : ['char16_t', +-- +2.33.0 + 
diff --git a/backport-missing-change-our-close_range-syscall-wrapper-to-ma.patch b/backport-missing-change-our-close_range-syscall-wrapper-to-ma.patch new file mode 100644 index 0000000..e9fc047 --- /dev/null +++ b/backport-missing-change-our-close_range-syscall-wrapper-to-ma.patch 
@@ -0,0 +1,81 @@ +From 9b82b1fab8dd014204d52f13c8f25f75cab7fc84 Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Mon, 12 Feb 2024 11:23:54 +0100 +Subject: [PATCH 0302/1160] missing: change our close_range() syscall wrapper + to map glibc's + +So glibc exposes a close_range() syscall wrapper now, but they decided +to use "unsigned" as type for the fds. Which is a bit weird, because fds +are universally understood to be "int". The kernel internally uses +"unsigned", both for close() and for close_range(), but weirdly, +userspace didn't fix that for close_range() unlike what they did for +close()... Weird. + +But anyway, let's follow suit, and make our wrapper match glibc's. + +Fixes #31270 + +(cherry picked from commit 39d69836ad47788b7a4ec13f8a4145d5118a50a5) +--- + src/basic/fd-util.c | 4 ++-- + src/basic/missing_syscall.h | 19 +++++-------------- + 2 files changed, 7 insertions(+), 16 deletions(-) + +diff --git a/src/basic/fd-util.c b/src/basic/fd-util.c +index fa3fc77093..542acca14d 100644 +--- a/src/basic/fd-util.c ++++ b/src/basic/fd-util.c +@@ -295,7 +295,7 @@ static int close_all_fds_special_case(const int except[], size_t n_except) { + case 0: + /* Close everything. Yay! 
*/ + +- if (close_range(3, -1, 0) >= 0) ++ if (close_range(3, INT_MAX, 0) >= 0) + return 1; + + if (ERRNO_IS_NOT_SUPPORTED(errno) || ERRNO_IS_PRIVILEGE(errno)) { +@@ -406,7 +406,7 @@ int close_all_fds(const int except[], size_t n_except) { + if (sorted[n_sorted-1] >= INT_MAX) /* Dont let the addition below overflow */ + return 0; + +- if (close_range(sorted[n_sorted-1] + 1, -1, 0) >= 0) ++ if (close_range(sorted[n_sorted-1] + 1, INT_MAX, 0) >= 0) + return 0; + + if (!ERRNO_IS_NOT_SUPPORTED(errno) && !ERRNO_IS_PRIVILEGE(errno)) +diff --git a/src/basic/missing_syscall.h b/src/basic/missing_syscall.h +index d795efd8f2..86280771c4 100644 +--- a/src/basic/missing_syscall.h ++++ b/src/basic/missing_syscall.h +@@ -412,23 +412,14 @@ static inline int missing_execveat(int dirfd, const char *pathname, + /* ======================================================================= */ + + #if !HAVE_CLOSE_RANGE +-static inline int missing_close_range(int first_fd, int end_fd, unsigned flags) { ++static inline int missing_close_range(unsigned first_fd, unsigned end_fd, unsigned flags) { + # ifdef __NR_close_range + /* Kernel-side the syscall expects fds as unsigned integers (just like close() actually), while +- * userspace exclusively uses signed integers for fds. We don't know just yet how glibc is going to +- * wrap this syscall, but let's assume it's going to be similar to what they do for close(), +- * i.e. make the same unsigned → signed type change from the raw kernel syscall compared to the +- * userspace wrapper. There's only one caveat for this: unlike for close() there's the special +- * UINT_MAX fd value for the 'end_fd' argument. Let's safely map that to -1 here. And let's refuse +- * any other negative values. */ +- if ((first_fd < 0) || (end_fd < 0 && end_fd != -1)) { +- errno = -EBADF; +- return -1; +- } +- ++ * userspace exclusively uses signed integers for fds. 
glibc chose to expose it 1:1 however, hence we ++ * do so here too, even if we end up passing signed fds to it most of the time. */ + return syscall(__NR_close_range, +- (unsigned) first_fd, +- end_fd == -1 ? UINT_MAX : (unsigned) end_fd, /* Of course, the compiler should figure out that this is the identity mapping IRL */ ++ first_fd, ++ end_fd, + flags); + # else + errno = ENOSYS; +-- +2.33.0 + diff --git a/backport-missing_fcntl-Fix-RAW_O_LARGEFILE.patch b/backport-missing_fcntl-Fix-RAW_O_LARGEFILE.patch new file mode 100644 index 0000000..26c5919 --- /dev/null +++ b/backport-missing_fcntl-Fix-RAW_O_LARGEFILE.patch 
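Review bot: The new prototype `missing_close_range(unsigned first_fd, unsigned end_fd, unsigned flags)` still does not match what I recall glibc declaring, which is `int flags` for the last argument; if the goal is a 1:1 match the flags type should follow too, so please verify against the glibc header. With the signed guard removed, a negative `first_fd` reaching this wrapper (an unset fd, or a negative errno leaking through) is now converted to a huge unsigned and rejected by the kernel with EINVAL rather than EBADF, which the callers' `ERRNO_IS_NOT_SUPPORTED`/`ERRNO_IS_PRIVILEGE` fallbacks do not treat specially; a comment stating that callers must pass valid, non-negative fds would make that contract explicit. The dropped guard also wrote `errno = -EBADF` (a negative errno), so removing it fixes a latent bug worth recording in the message. The function's `#else`/`#endif` tail is outside this hunk.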
@@ -0,0 +1,51 @@ +From b228a683db9341ed9a0ccedd29064e41c3238bd3 Mon Sep 17 00:00:00 2001 +From: Adrian Vovk +Date: Tue, 20 Feb 2024 14:24:01 -0500 +Subject: [PATCH 0327/1160] missing_fcntl: Fix RAW_O_LARGEFILE + +This value is actually arch-specific, so this commit defines it for all +the arches that set it to some custom value + +Fixes https://github.com/systemd/systemd/issues/31417 + +(cherry picked from commit 9e3db91f2f7663860657afbf2076ecebeeb26c93) +--- + src/basic/missing_fcntl.h | 21 +++++++++++++++++++-- + 1 file changed, 19 insertions(+), 2 deletions(-) + +diff --git a/src/basic/missing_fcntl.h b/src/basic/missing_fcntl.h +index 24b2dc3119..3c85befda9 100644 +--- a/src/basic/missing_fcntl.h ++++ b/src/basic/missing_fcntl.h +@@ -69,9 +69,26 @@ + + /* So O_LARGEFILE is generally implied by glibc, and defined to zero hence, because we only build in LFS + * mode. However, when invoking fcntl(F_GETFL) the flag is ORed into the result anyway — glibc does not mask +- * it away. Which sucks. Let's define the actual value here, so that we can mask it ourselves. */ ++ * it away. Which sucks. Let's define the actual value here, so that we can mask it ourselves. 
++ * ++ * The precise definition is arch specific, so we use the values defined in the kernel (note that some ++ * are hexa and others are octal; duplicated as-is from the kernel definitions): ++ * - alpha, arm, arm64, m68k, mips, parisc, powerpc, sparc: each has a specific value; ++ * - others: they use the "generic" value (defined in include/uapi/asm-generic/fcntl.h) */ + #if O_LARGEFILE != 0 + #define RAW_O_LARGEFILE O_LARGEFILE + #else +-#define RAW_O_LARGEFILE 0100000 ++#if defined(__alpha__) || defined(__arm__) || defined(__aarch64__) || defined(__m68k__) ++#define RAW_O_LARGEFILE 0400000 ++#elif defined(__mips__) ++#define RAW_O_LARGEFILE 0x2000 ++#elif defined(__parisc__) || defined(__hppa__) ++#define RAW_O_LARGEFILE 000004000 ++#elif defined(__powerpc__) ++#define RAW_O_LARGEFILE 0200000 ++#elif defined(__sparc__) ++#define RAW_O_LARGEFILE 0x40000 ++#else ++#define RAW_O_LARGEFILE 00100000 ++#endif + #endif +-- +2.33.0 + diff --git a/backport-missing_loop.h-fix-LOOP_SET_STATUS_SETTABLE_FLAGS.patch b/backport-missing_loop.h-fix-LOOP_SET_STATUS_SETTABLE_FLAGS.patch new file mode 100644 index 0000000..78e8590 --- /dev/null +++ b/backport-missing_loop.h-fix-LOOP_SET_STATUS_SETTABLE_FLAGS.patch 
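Review bot: The per-arch constants in the new `#if defined(__alpha__) || defined(__arm__) ...` chain cannot be cross-checked at compile time, because this branch is only reached when glibc has defined O_LARGEFILE to 0, so the only way to re-verify them later is by reading the kernel headers, and the comment names the generic header but not the arch-specific ones. Extending the comment with `arch/<arch>/include/uapi/asm/fcntl.h` for the arches listed would tell a reader where each number came from. As a point of style, the nested `#else` / `#if ... #endif` / `#endif` could be folded into a single `#if O_LARGEFILE != 0` / `#elif defined(...)` chain, which reads more easily than two levels of conditionals.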
@@ -0,0 +1,28 @@
+From b097677ec0bdae17ae3f5eec62313934daf73385 Mon Sep 17 00:00:00 2001
+From: Yu Watanabe
+Date: Tue, 28 May 2024 12:26:21 +0900
+Subject: [PATCH 0703/1160] missing_loop.h: fix LOOP_SET_STATUS_SETTABLE_FLAGS
+
+See https://github.com/torvalds/linux/blob/v6.10-rc1/include/uapi/linux/loop.h
+
+Fixes a bug in b3fe33ff52ece458a5b990a4a68d59aef7cae10b.
+
+(cherry picked from commit eb6d3a5917f5c92c2d4706217aa5a77a7d6dccb7)
+---
+ src/basic/missing_loop.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/basic/missing_loop.h b/src/basic/missing_loop.h
+index 7141544b64..24b3e0def9 100644
+--- a/src/basic/missing_loop.h
++++ b/src/basic/missing_loop.h
+@@ -20,5 +20,5 @@ struct loop_config {
+ #endif
+ 
+ #ifndef LOOP_SET_STATUS_SETTABLE_FLAGS
+-#define LOOP_SET_STATUS_SETTABLE_FLAGS (LO_FLAGS_AUTOCLEAR | LO_FLAGS_PARTSCAN | LO_FLAGS_DIRECT_IO)
++#define LOOP_SET_STATUS_SETTABLE_FLAGS (LO_FLAGS_AUTOCLEAR | LO_FLAGS_PARTSCAN)
+ #endif
+--
+2.33.0
+
diff --git a/backport-missing_sched-add-CLONE_PIDFD.patch b/backport-missing_sched-add-CLONE_PIDFD.patch
new file mode 100644
index 0000000..a90224d
--- /dev/null
+++ b/backport-missing_sched-add-CLONE_PIDFD.patch
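Review bot: The corrected fallback definition is only used when the system's loop.h lacks LOOP_SET_STATUS_SETTABLE_FLAGS, so any future divergence from the kernel's value goes unnoticed on newer headers and only bites on old ones; a comment pinning the source would help whoever next touches it. Something like `/* Must match include/uapi/linux/loop.h (checked against v6.10-rc1): LO_FLAGS_DIRECT_IO is not settable via LOOP_SET_STATUS(64). */` above the `#define` would carry the reference from the commit message into the code.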
@@ -0,0 +1,51 @@ +From e6b576c8bd542f46c03a4b8fdc345604b3833a81 Mon Sep 17 00:00:00 2001 +From: Michael Olbrich +Date: Sun, 9 Feb 2025 13:32:36 +0100 +Subject: [PATCH 1111/1160] missing_sched: add CLONE_PIDFD + +CLONE_PIDFD was introduced in v5.2 and in sched.h in glibc-2.31 so +without this, building with older version fails with: + +src/basic/raw-clone.h:41:108: error: 'CLONE_PIDFD' undeclared (first use in this function); did you mean 'CLONE_FILES'? + +(cherry picked from commit e91c5cf06ab7ca9e5576c6feac5f743927f2b063) +(cherry picked from commit 480e39dbbb3df253e02a4908dfcfecf1fb3511e2) +(cherry picked from commit 5e0588e3d97715da9995013eb8dbc13eb21a8d0b) +--- + src/basic/missing_sched.h | 7 +++++++ + src/basic/raw-clone.h | 1 + + 2 files changed, 8 insertions(+) + +diff --git a/src/basic/missing_sched.h b/src/basic/missing_sched.h +index fbf18c315f..32e3208bb6 100644 +--- a/src/basic/missing_sched.h ++++ b/src/basic/missing_sched.h +@@ -8,6 +8,13 @@ + #define CLONE_NEWCGROUP 0x02000000 + #endif + ++/* b3e5838252665ee4cfa76b82bdf1198dca81e5be (5.2) */ ++#ifndef CLONE_PIDFD ++# define CLONE_PIDFD 0x00001000 ++#else ++assert_cc(CLONE_PIDFD == 0x00001000); ++#endif ++ + /* 769071ac9f20b6a447410c7eaa55d1a5233ef40c (5.8) */ + #ifndef CLONE_NEWTIME + #define CLONE_NEWTIME 0x00000080 +diff --git a/src/basic/raw-clone.h b/src/basic/raw-clone.h +index 6de67ab752..c66ec0ee73 100644 +--- a/src/basic/raw-clone.h ++++ b/src/basic/raw-clone.h +@@ -11,6 +11,7 @@ + + #include "log.h" + #include "macro.h" ++#include "missing_sched.h" + #include "process-util.h" + + /** +-- +2.33.0 + diff --git a/backport-mkfs-util-Set-sector-size-for-btrfs-as-well.patch b/backport-mkfs-util-Set-sector-size-for-btrfs-as-well.patch new file mode 100644 index 0000000..ea551f5 --- /dev/null +++ b/backport-mkfs-util-Set-sector-size-for-btrfs-as-well.patch 
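Review bot: The new `# define CLONE_PIDFD 0x00001000` uses a space after `#` while the neighbouring entries in missing_sched.h (`#define CLONE_NEWCGROUP`, `#define CLONE_NEWTIME`) do not, so the block looks as if it were pasted from a different file; `#define CLONE_PIDFD 0x00001000` would match the surrounding style. The `assert_cc(CLONE_PIDFD == 0x00001000);` in the `#else` branch is also a pattern the adjacent definitions do not use; it is a useful guard, but it relies on the macro header being included before this one, and that include order is outside the hunk, so a one-line comment on why this definition gets the check and the others do not would help.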
@@ -0,0 +1,41 @@ +From 4d8065ef16c9e2d6e6164dbf9369dc519d769236 Mon Sep 17 00:00:00 2001 +From: Daan De Meyer +Date: Sat, 29 Jun 2024 15:27:02 +0200 +Subject: [PATCH 0735/1160] mkfs-util: Set sector size for btrfs as well + +btrfs used to default the sector size to the page size and didn't +support anything else. Since 6.7, it defaults to 4K and using 4K +makes the filesystem compatible with all page sizes. So let's make +sure we use minimum 4K as well (lower causes failures on systems with +a 4K page size) but still allow larger sector sizes if specified by +the user. + +(cherry picked from commit 03c9e88fb7eb8973477c33aa63dc6bcf0cab52c9) +(cherry picked from commit 24987eb3cc175dd4e5cfaab5abe6da02b64104bc) +--- + src/shared/mkfs-util.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/src/shared/mkfs-util.c b/src/shared/mkfs-util.c +index 4e58b6e871..74c68370fb 100644 +--- a/src/shared/mkfs-util.c ++++ b/src/shared/mkfs-util.c +@@ -466,6 +466,15 @@ int make_filesystem( + if (quiet) + stdio_fds[1] = -EBADF; + ++ if (sector_size > 0) { ++ if (strv_extend(&argv, "--sectorsize") < 0) ++ return log_oom(); ++ ++ /* mkfs.btrfs expects a sector size of at least 4k bytes. */ ++ if (strv_extendf(&argv, "%"PRIu64, MAX(sector_size, UINT64_C(4) * UINT64_C(1024))) < 0) ++ return log_oom(); ++ } ++ + } else if (streq(fstype, "f2fs")) { + argv = strv_new(mkfs, + "-g", /* "default options" */ +-- +2.33.0 + diff --git a/backport-mmap-cache-add-some-stats-about-files-windows-unused.patch b/backport-mmap-cache-add-some-stats-about-files-windows-unused.patch new file mode 100644 index 0000000..177b570 --- /dev/null +++ b/backport-mmap-cache-add-some-stats-about-files-windows-unused.patch 
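Review bot: The btrfs branch silently raises a user-supplied sector size below 4K to 4K through `MAX(sector_size, UINT64_C(4) * UINT64_C(1024))` without telling anyone, so a mismatch between the requested and the effective sector size is hard to diagnose afterwards. Logging when the clamp takes effect would make it visible, e.g. `if (sector_size < 4096) log_debug("Sector size %" PRIu64 " is below the 4K minimum mkfs.btrfs supports, using 4K instead.", sector_size);` placed just before the strv_extendf() call. Whether the clamped value is also what the rest of make_filesystem() uses for the device cannot be seen here; the function starts and ends outside the hunk.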
@@ -0,0 +1,61 @@ +From 1d8a639e5380f031b67caefee1505f39614410ee Mon Sep 17 00:00:00 2001 +From: Vito Caputo +Date: Sat, 21 Sep 2024 14:43:51 -0700 +Subject: [PATCH 0927/1160] mmap-cache: add some stats about + files/windows/unused + +Let's give some visibility into the ratio of files:windows:unused +by the time we're done using the cache. + +(cherry picked from commit 284802c597aa0194dc1504db65ee24941d9721eb) +(cherry picked from commit 5e45c58274529970e4603fb1da66f5ebab431397) +--- + src/libsystemd/sd-journal/mmap-cache.c | 4 ++-- + src/libsystemd/sd-journal/sd-journal.c | 8 +++++--- + 2 files changed, 7 insertions(+), 5 deletions(-) + +diff --git a/src/libsystemd/sd-journal/mmap-cache.c b/src/libsystemd/sd-journal/mmap-cache.c +index 249b98a968..ce8aff3c5c 100644 +--- a/src/libsystemd/sd-journal/mmap-cache.c ++++ b/src/libsystemd/sd-journal/mmap-cache.c +@@ -435,8 +435,8 @@ found: + void mmap_cache_stats_log_debug(MMapCache *m) { + assert(m); + +- log_debug("mmap cache statistics: %u category cache hit, %u window list hit, %u miss", +- m->n_category_cache_hit, m->n_window_list_hit, m->n_missed); ++ log_debug("mmap cache statistics: %u category cache hit, %u window list hit, %u miss, %u files, %u windows, %u unused", ++ m->n_category_cache_hit, m->n_window_list_hit, m->n_missed, hashmap_size(m->fds), m->n_windows, m->n_unused); + } + + static void mmap_cache_process_sigbus(MMapCache *m) { +diff --git a/src/libsystemd/sd-journal/sd-journal.c b/src/libsystemd/sd-journal/sd-journal.c +index 7a1dd2569f..acabec699f 100644 +--- a/src/libsystemd/sd-journal/sd-journal.c ++++ b/src/libsystemd/sd-journal/sd-journal.c +@@ -2282,6 +2282,10 @@ _public_ void sd_journal_close(sd_journal *j) { + + sd_journal_flush_matches(j); + ++ /* log stats before closing files so we can see the windows state */ ++ if (j->mmap) ++ mmap_cache_stats_log_debug(j->mmap); ++ + ordered_hashmap_free_with_destructor(j->files, journal_file_close); + iterated_cache_free(j->files_cache); + +@@ -2299,10 
+2303,8 @@ _public_ void sd_journal_close(sd_journal *j) { + + safe_close(j->inotify_fd); + +- if (j->mmap) { +- mmap_cache_stats_log_debug(j->mmap); ++ if (j->mmap) + mmap_cache_unref(j->mmap); +- } + + hashmap_free_free(j->errors); + +-- +2.33.0 + diff --git a/backport-mmap-cache-enforce-an-unused-windows-minimum.patch b/backport-mmap-cache-enforce-an-unused-windows-minimum.patch new file mode 100644 index 0000000..565cf55 --- /dev/null +++ b/backport-mmap-cache-enforce-an-unused-windows-minimum.patch 
@@ -0,0 +1,84 @@ +From 487234c4e6c941378e433235b33799e02e4ceacd Mon Sep 17 00:00:00 2001 +From: Vito Caputo +Date: Sat, 21 Sep 2024 12:30:49 -0700 +Subject: [PATCH 0926/1160] mmap-cache: enforce an unused windows minimum + +With many fds the global windows count generally exceeds the +minimum. This results in always reusing the unused entry if +there is one, which becomes a sort of degenerate case where we're +just constantly unmapping->mapping. + +Instead let's try always have at least several unused windows on +the unused list before we resort to churning through it. + +Fixes #34516 + +(cherry picked from commit 176f73272e6e3116caab3900eb553be54f520a68) +(cherry picked from commit 3dcde32fedd389f814fb2256a423cee6bc812584) +--- + src/libsystemd/sd-journal/mmap-cache.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/src/libsystemd/sd-journal/mmap-cache.c b/src/libsystemd/sd-journal/mmap-cache.c +index 973ade64c0..249b98a968 100644 +--- a/src/libsystemd/sd-journal/mmap-cache.c ++++ b/src/libsystemd/sd-journal/mmap-cache.c +@@ -64,11 +64,13 @@ struct MMapCache { + + LIST_HEAD(Window, unused); + Window *last_unused; ++ unsigned n_unused; + + Window *windows_by_category[_MMAP_CACHE_CATEGORY_MAX]; + }; + + #define WINDOWS_MIN 64 ++#define UNUSED_MIN 4 + + #if ENABLE_DEBUG_MMAP_CACHE + /* Tiny windows increase mmap activity and the chance of exposing unsafe use. 
*/ +@@ -103,6 +105,7 @@ static Window* window_unlink(Window *w) { + if (m->last_unused == w) + m->last_unused = w->unused_prev; + LIST_REMOVE(unused, m->unused, w); ++ m->n_unused--; + } + + for (unsigned i = 0; i < _MMAP_CACHE_CATEGORY_MAX; i++) +@@ -160,7 +163,7 @@ static Window* window_add(MMapFileDescriptor *f, uint64_t offset, size_t size, v + MMapCache *m = mmap_cache_fd_cache(f); + Window *w; + +- if (!m->last_unused || m->n_windows <= WINDOWS_MIN) { ++ if (!m->last_unused || m->n_windows < WINDOWS_MIN || m->n_unused < UNUSED_MIN) { + /* Allocate a new window */ + w = new(Window, 1); + if (!w) +@@ -202,6 +205,7 @@ static void category_detach_window(MMapCache *m, MMapCacheCategory c) { + LIST_PREPEND(unused, m->unused, w); + if (!m->last_unused) + m->last_unused = w; ++ m->n_unused++; + w->flags |= WINDOW_IN_UNUSED; + #endif + } +@@ -222,6 +226,7 @@ static void category_attach_window(MMapCache *m, MMapCacheCategory c, Window *w) + if (m->last_unused == w) + m->last_unused = w->unused_prev; + LIST_REMOVE(unused, m->unused, w); ++ m->n_unused--; + w->flags &= ~WINDOW_IN_UNUSED; + } + +@@ -239,7 +244,7 @@ static MMapCache* mmap_cache_free(MMapCache *m) { + assert(hashmap_isempty(m->fds)); + hashmap_free(m->fds); + +- assert(!m->unused); ++ assert(!m->unused && m->n_unused == 0); + assert(m->n_windows == 0); + + return mfree(m); +-- +2.33.0 + diff --git a/backport-modprobe-set-ifb-numifbs-0-to-avoid-autocreating-ifb.patch b/backport-modprobe-set-ifb-numifbs-0-to-avoid-autocreating-ifb.patch new file mode 100644 index 0000000..c7e50d1 --- /dev/null +++ b/backport-modprobe-set-ifb-numifbs-0-to-avoid-autocreating-ifb.patch 
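Review bot: `m->n_unused--` in window_unlink() and in category_attach_window() decrements an unsigned counter without checking that it is positive, so a bookkeeping slip anywhere on the unused list would wrap it to UINT_MAX and quietly defeat the new `m->n_unused < UNUSED_MIN` guard in window_add(), with constant remapping as the only symptom. An `assert(m->n_unused > 0);` before each decrement, mirroring the `assert(!m->unused && m->n_unused == 0)` added to mmap_cache_free(), would fail loudly instead. Separately, the window_add() condition changed from `m->n_windows <= WINDOWS_MIN` to `m->n_windows < WINDOWS_MIN`, a boundary change the commit message does not mention; if it is intended, a short comment there would stop the next reader from treating it as a typo.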
@@ -0,0 +1,28 @@ +From a541dc8fd5ea073763608ab23a2a27894e7a8e12 Mon Sep 17 00:00:00 2001 +From: Luca Boccassi +Date: Fri, 12 Jan 2024 21:44:51 +0000 +Subject: [PATCH 0146/1160] modprobe: set 'ifb numifbs=0' to avoid autocreating + ifb0 + +Fixes https://github.com/systemd/systemd/issues/30913 + +(cherry picked from commit b0c45a633af94bab810f47abe57bc47c67e0b516) +--- + modprobe.d/systemd.conf | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/modprobe.d/systemd.conf b/modprobe.d/systemd.conf +index 652254155c..e6499a0d61 100644 +--- a/modprobe.d/systemd.conf ++++ b/modprobe.d/systemd.conf +@@ -18,3 +18,7 @@ options bonding max_bonds=0 + # Do the same for dummy0. + + options dummy numdummies=0 ++ ++# Do the same for ifb0. ++ ++options ifb numifbs=0 +-- +2.33.0 + diff --git a/backport-mount-optimize-mountinfo-traversal-by-decoupling-dev.patch b/backport-mount-optimize-mountinfo-traversal-by-decoupling-dev.patch index daa0afa..44f7654 100644 --- a/backport-mount-optimize-mountinfo-traversal-by-decoupling-dev.patch +++ b/backport-mount-optimize-mountinfo-traversal-by-decoupling-dev.patch @@ -1,8 +1,8 @@ -From 00ad3f02275b507a753495ace5e5f84cb38b604d Mon Sep 17 00:00:00 2001 +From ea35f88ae763b4f99d57c4ec7fd0d3aa6351a352 Mon Sep 17 00:00:00 2001 From: Chen Guanqiao Date: Wed, 2 Oct 2024 13:10:21 +0800 -Subject: [PATCH] mount: optimize mountinfo traversal by decoupling device - discovery +Subject: [PATCH 0934/1160] mount: optimize mountinfo traversal by decoupling + device discovery In mount_load_proc_self_mountinfo(), device_found_node() is synchronously called during the traversal of mountinfo entries. When there are a large number of @@ -16,15 +16,17 @@ avoiding redundant device operations. As a result, it significantly improves performance, especially in environments with numerous mount points. 
Signed-off-by: Chen Guanqiao +(cherry picked from commit 00ad3f02275b507a753495ace5e5f84cb38b604d) +(cherry picked from commit 44e1774660fcddcfefcf153cc3c189ea35572d63) --- src/core/mount.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/src/core/mount.c b/src/core/mount.c -index 28701df231..5261b80957 100644 +index 3c4971c581..53790dff6c 100644 --- a/src/core/mount.c +++ b/src/core/mount.c -@@ -1857,6 +1857,7 @@ static int mount_setup_unit( +@@ -1907,6 +1907,7 @@ static int mount_setup_unit( static int mount_load_proc_self_mountinfo(Manager *m, bool set_flags) { _cleanup_(mnt_free_tablep) struct libmnt_table *table = NULL; _cleanup_(mnt_free_iterp) struct libmnt_iter *iter = NULL; @@ -32,7 +34,7 @@ index 28701df231..5261b80957 100644 int r; assert(m); -@@ -1883,7 +1884,11 @@ static int mount_load_proc_self_mountinfo(Manager *m, bool set_flags) { +@@ -1933,7 +1934,11 @@ static int mount_load_proc_self_mountinfo(Manager *m, bool set_flags) { if (!device || !path) continue; diff --git a/backport-mount-setup-fix-typo.patch b/backport-mount-setup-fix-typo.patch new file mode 100644 index 0000000..070942d --- /dev/null +++ b/backport-mount-setup-fix-typo.patch 
@@ -0,0 +1,26 @@
+From 0e607f569116e0802b81e17b8a475d40ce02817f Mon Sep 17 00:00:00 2001
+From: Mike Yuan
+Date: Sun, 21 Apr 2024 03:09:22 +0800
+Subject: [PATCH 0571/1160] mount-setup: fix typo
+
+(cherry picked from commit a0a09da45ee9bd5ba09504d082f2a9c4b9ace759)
+---
+ src/shared/mount-setup.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/shared/mount-setup.c b/src/shared/mount-setup.c
+index 1226ca121e..22111b47d2 100644
+--- a/src/shared/mount-setup.c
++++ b/src/shared/mount-setup.c
+@@ -69,7 +69,7 @@ static bool check_recursiveprot_supported(void) {
+ 
+ r = mount_option_supported("cgroup2", "memory_recursiveprot", NULL);
+ if (r < 0)
+- log_debug_errno(r, "Failed to determiner whether the 'memory_recursiveprot' mount option is supported, assuming not: %m");
++ log_debug_errno(r, "Failed to determine whether the 'memory_recursiveprot' mount option is supported, assuming not: %m");
+ else if (r == 0)
+ log_debug("This kernel version does not support 'memory_recursiveprot', not using mount option.");
+ 
+--
+2.33.0
+
diff --git a/backport-mountpoint-util-Deal-with-kernel-API-breakage-in-nor.patch b/backport-mountpoint-util-Deal-with-kernel-API-breakage-in-nor.patch
new file mode 100644
index 0000000..0f547a1
--- /dev/null
+++ b/backport-mountpoint-util-Deal-with-kernel-API-breakage-in-nor.patch
@@ -0,0 +1,116 @@ +From c267ea9a89cb5f2fe29ae9f93c703ce9dc07cbb0 Mon Sep 17 00:00:00 2001 +From: Daan De Meyer +Date: Fri, 17 May 2024 10:46:12 +0200 +Subject: [PATCH 0646/1160] mountpoint-util: Deal with kernel API breakage in + "norecovery" mount option + +"norecovery" was deprecated for btrfs in +https://github.com/torvalds/linux/commit/74ef00185eb864252156022ff129b01549504175 +and removed in +https://github.com/torvalds/linux/commit/a1912f712188291f9d7d434fba155461f1ebef66. + +Let's drop our assumption that btrfs supports "norecovery" and first query for the +new name of the option followed by querying for the old name. + +(cherry picked from commit e3828d7103a99a15a1e947ba3063294ead590631) +--- + src/basic/mountpoint-util.c | 22 ++++++++++++++++++---- + src/basic/mountpoint-util.h | 3 ++- + src/shared/dissect-image.c | 7 +++++-- + src/test/test-mountpoint-util.c | 6 +++--- + 4 files changed, 28 insertions(+), 10 deletions(-) + +diff --git a/src/basic/mountpoint-util.c b/src/basic/mountpoint-util.c +index bf67f7e01a..ffd7a54c3a 100644 +--- a/src/basic/mountpoint-util.c ++++ b/src/basic/mountpoint-util.c +@@ -495,16 +495,30 @@ bool fstype_can_discard(const char *fstype) { + return mount_option_supported(fstype, "discard", NULL) > 0; + } + +-bool fstype_can_norecovery(const char *fstype) { ++const char* fstype_norecovery_option(const char *fstype) { ++ int r; ++ + assert(fstype); + + /* Use a curated list as first check, to avoid calling fsopen() which might load kmods, which might + * not be allowed in our MAC context. 
*/ +- if (STR_IN_SET(fstype, "ext3", "ext4", "xfs", "btrfs")) +- return true; ++ if (STR_IN_SET(fstype, "ext3", "ext4", "xfs")) ++ return "norecovery"; ++ ++ /* btrfs dropped support for the "norecovery" option in 6.8 ++ * (https://github.com/torvalds/linux/commit/a1912f712188291f9d7d434fba155461f1ebef66) and replaced ++ * it with rescue=nologreplay, so we check for the new name first and fall back to checking for the ++ * old name if the new name doesn't work. */ ++ if (streq(fstype, "btrfs")) { ++ r = mount_option_supported(fstype, "rescue=nologreplay", NULL); ++ if (r < 0) ++ log_debug_errno(r, "Failed to check for btrfs rescue=nologreplay option, assuming it is not supported: %m"); ++ if (r > 0) ++ return "rescue=nologreplay"; ++ } + + /* On new kernels we can just ask the kernel */ +- return mount_option_supported(fstype, "norecovery", NULL) > 0; ++ return mount_option_supported(fstype, "norecovery", NULL) > 0 ? "norecovery" : NULL; + } + + bool fstype_can_umask(const char *fstype) { +diff --git a/src/basic/mountpoint-util.h b/src/basic/mountpoint-util.h +index 499403a4d8..3ba0683919 100644 +--- a/src/basic/mountpoint-util.h ++++ b/src/basic/mountpoint-util.h +@@ -53,9 +53,10 @@ bool fstype_is_blockdev_backed(const char *fstype); + bool fstype_is_ro(const char *fsype); + bool fstype_can_discard(const char *fstype); + bool fstype_can_uid_gid(const char *fstype); +-bool fstype_can_norecovery(const char *fstype); + bool fstype_can_umask(const char *fstype); + ++const char* fstype_norecovery_option(const char *fstype); ++ + int dev_is_devtmpfs(void); + + int mount_fd(const char *source, int target_fd, const char *filesystemtype, unsigned long mountflags, const void *data); +diff --git a/src/shared/dissect-image.c b/src/shared/dissect-image.c +index 84cfbcde87..627b67c40f 100644 +--- a/src/shared/dissect-image.c ++++ b/src/shared/dissect-image.c +@@ -1861,9 +1861,12 @@ int partition_pick_mount_options( + * access that actually modifies stuff work on such image 
files. Or to say this differently: if + * people want their file systems to be fixed up they should just open them in writable mode, where + * all these problems don't exist. */ +- if (!rw && fstype && fstype_can_norecovery(fstype)) +- if (!strextend_with_separator(&options, ",", "norecovery")) ++ if (!rw && fstype) { ++ const char *option = fstype_norecovery_option(fstype); ++ ++ if (option && !strextend_with_separator(&options, ",", option)) + return -ENOMEM; ++ } + + if (discard && fstype && fstype_can_discard(fstype)) + if (!strextend_with_separator(&options, ",", "discard")) +diff --git a/src/test/test-mountpoint-util.c b/src/test/test-mountpoint-util.c +index ff447c6582..1f3c6beb19 100644 +--- a/src/test/test-mountpoint-util.c ++++ b/src/test/test-mountpoint-util.c +@@ -359,9 +359,9 @@ TEST(fstype_can_discard) { + } + + TEST(fstype_can_norecovery) { +- assert_se(fstype_can_norecovery("ext4")); +- assert_se(!fstype_can_norecovery("vfat")); +- assert_se(!fstype_can_norecovery("tmpfs")); ++ assert_se(streq(fstype_norecovery_option("ext4"), "norecovery")); ++ assert_se(!fstype_norecovery_option("vfat")); ++ assert_se(!fstype_norecovery_option("tmpfs")); + } + + TEST(fstype_can_umask) { +-- +2.33.0 + diff --git a/backport-mountpoint-util-do-not-assume-symlinks-are-not-mount.patch b/backport-mountpoint-util-do-not-assume-symlinks-are-not-mount.patch new file mode 100644 index 0000000..1ef775a --- /dev/null +++ b/backport-mountpoint-util-do-not-assume-symlinks-are-not-mount.patch 
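Review bot: The test in test-mountpoint-util.c is still named `TEST(fstype_can_norecovery)` although the function it now exercises is fstype_norecovery_option() and this hunk removes the last caller of the old name; renaming it to `TEST(fstype_norecovery_option)` keeps the test output matching the code. In fstype_norecovery_option() the comment above the curated list says the list exists to avoid mount_option_supported() loading kmods under a restrictive MAC policy, yet the new btrfs branch now always goes through mount_option_supported(); a sentence noting that btrfs is deliberately left off the list because its option name differs by kernel version would keep the two comments from reading as a contradiction.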
@@ -0,0 +1,39 @@ +From 98a4c8009b655b74ccdbe3664ca9191d40cf3343 Mon Sep 17 00:00:00 2001 +From: Mike Yuan +Date: Wed, 26 Jun 2024 18:11:30 +0200 +Subject: [PATCH 0725/1160] mountpoint-util: do not assume symlinks are not + mountpoints + +They very much can be with the new mount API. + +(cherry picked from commit 36e48f22af102843b6cceeda5a2292e57434d2ee) +(cherry picked from commit 99cb4bdbbb15f3812de7f0fd161f91335000790d) +--- + src/basic/mountpoint-util.c | 4 ---- + 1 file changed, 4 deletions(-) + +diff --git a/src/basic/mountpoint-util.c b/src/basic/mountpoint-util.c +index 9897ca0aa6..51fbe4ed84 100644 +--- a/src/basic/mountpoint-util.c ++++ b/src/basic/mountpoint-util.c +@@ -231,8 +231,6 @@ int fd_is_mount_point(int fd, const char *filename, int flags) { + /* If statx() is not available or forbidden, fall back to name_to_handle_at() below */ + } else if (FLAGS_SET(sx.stx_attributes_mask, STATX_ATTR_MOUNT_ROOT)) /* yay! */ + return FLAGS_SET(sx.stx_attributes, STATX_ATTR_MOUNT_ROOT); +- else if (FLAGS_SET(sx.stx_mask, STATX_TYPE) && S_ISLNK(sx.stx_mode)) +- return false; /* symlinks are never mount points */ + + r = name_to_handle_at_loop(fd, filename, &h, &mount_id, flags); + if (r < 0) { +@@ -311,8 +309,6 @@ fallback_fstat: + flags |= AT_SYMLINK_NOFOLLOW; + if (fstatat(fd, filename, &a, flags) < 0) + return -errno; +- if (S_ISLNK(a.st_mode)) /* Symlinks are never mount points */ +- return false; + + if (isempty(filename)) + r = fstatat(fd, "..", &b, 0); +-- +2.33.0 + diff --git a/backport-namespace-Fix-extension-release-memory-leak.patch b/backport-namespace-Fix-extension-release-memory-leak.patch new file mode 100644 index 0000000..134a565 --- /dev/null +++ b/backport-namespace-Fix-extension-release-memory-leak.patch 
@@ -0,0 +1,65 @@ +From 4c0da06e1dfcc631b6bc8276c78154c1bc57c223 Mon Sep 17 00:00:00 2001 +From: "maia x." +Date: Mon, 19 Aug 2024 12:47:21 -0700 +Subject: [PATCH 0860/1160] namespace: Fix extension release memory leak + +In apply_one_mount(), in the MOUNT_EXTENSION_DIRECTORY case, +char **extension_release was used as a return pointer twice but only +cleaned up once in the end. Fix it by removing duplicate code that +was causing this issue. + +Fixes issue introduced in 55ea4ef096543d2bceea9315868d5aca945d7a57. + +(cherry picked from commit 010ea061fceb84d36259d576f52c09b940d0d615) +(cherry picked from commit 83f30941731ca454309c566edbfe3b3bfeaf8453) +--- + src/core/namespace.c | 22 ++++++++++++++-------- + 1 file changed, 14 insertions(+), 8 deletions(-) + +diff --git a/src/core/namespace.c b/src/core/namespace.c +index 4ec38a3ea9..4962b5b538 100644 +--- a/src/core/namespace.c ++++ b/src/core/namespace.c +@@ -1557,12 +1557,24 @@ static int apply_one_mount( + if (r < 0) + return log_debug_errno(r, "Failed to extract extension name from %s: %m", mount_entry_source(m)); + +- r = load_extension_release_pairs(mount_entry_source(m), IMAGE_SYSEXT, extension_name, /* relax_extension_release_check= */ false, &extension_release); ++ r = load_extension_release_pairs( ++ mount_entry_source(m), ++ IMAGE_SYSEXT, ++ extension_name, ++ /* relax_extension_release_check= */ false, ++ &extension_release); + if (r == -ENOENT) { +- r = load_extension_release_pairs(mount_entry_source(m), IMAGE_CONFEXT, extension_name, /* relax_extension_release_check= */ false, &extension_release); ++ r = load_extension_release_pairs( ++ mount_entry_source(m), ++ IMAGE_CONFEXT, ++ extension_name, ++ /* relax_extension_release_check= */ false, ++ &extension_release); + if (r >= 0) + class = IMAGE_CONFEXT; + } ++ if (r == -ENOENT && m->ignore) ++ return 0; + if (r < 0) + return log_debug_errno(r, "Failed to acquire 'extension-release' data of extension tree %s: %m", mount_entry_source(m)); + +@@ -1577,12 
+1589,6 @@ static int apply_one_mount( + if (isempty(host_os_release_id)) + return log_debug_errno(SYNTHETIC_ERRNO(EINVAL), "'ID' field not found or empty in 'os-release' data of OS tree '%s': %m", empty_to_root(root_directory)); + +- r = load_extension_release_pairs(mount_entry_source(m), class, extension_name, /* relax_extension_release_check= */ false, &extension_release); +- if (r == -ENOENT && m->ignore) +- return 0; +- if (r < 0) +- return log_debug_errno(r, "Failed to parse directory %s extension-release metadata: %m", extension_name); +- + r = extension_release_validate( + extension_name, + host_os_release_id, +-- +2.33.0 + diff --git a/backport-namespace-don-t-invoke-loopback_setup-unless-we-allo.patch b/backport-namespace-don-t-invoke-loopback_setup-unless-we-allo.patch new file mode 100644 index 0000000..6553006 --- /dev/null +++ b/backport-namespace-don-t-invoke-loopback_setup-unless-we-allo.patch 
@@ -0,0 +1,60 @@ +From 982d3114e497645f75af45587c1e4af2f2775113 Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Wed, 31 Jan 2024 13:19:45 +0100 +Subject: [PATCH 0286/1160] namespace: don't invoke loopback_setup() unless we + allocate a CLONE_NEWNET namespace + +It doesn't really make sense to initialize the loopback device if we are +not called for a network namespace. + +Follow-up for 54c2459d560283f556e331246f64776cebd6eba6 + +(cherry picked from commit a5387637c2bcb3b16c61eb6905f52419714a187a) +--- + src/core/namespace.c | 16 +++++++--------- + 1 file changed, 7 insertions(+), 9 deletions(-) + +diff --git a/src/core/namespace.c b/src/core/namespace.c +index 50d7b05aa0..88681aa31f 100644 +--- a/src/core/namespace.c ++++ b/src/core/namespace.c +@@ -2890,21 +2890,18 @@ int setup_tmp_dirs(const char *id, char **tmp_dir, char **var_tmp_dir) { + + int setup_shareable_ns(int ns_storage_socket[static 2], unsigned long nsflag) { + _cleanup_close_ int ns = -EBADF; +- int r; + const char *ns_name, *ns_path; ++ int r; + + assert(ns_storage_socket); + assert(ns_storage_socket[0] >= 0); + assert(ns_storage_socket[1] >= 0); + +- ns_name = namespace_single_flag_to_string(nsflag); +- assert(ns_name); ++ ns_name = ASSERT_PTR(namespace_single_flag_to_string(nsflag)); + +- /* We use the passed socketpair as a storage buffer for our +- * namespace reference fd. Whatever process runs this first +- * shall create a new namespace, all others should just join +- * it. To serialize that we use a file lock on the socket +- * pair. ++ /* We use the passed socketpair as a storage buffer for our namespace reference fd. Whatever process ++ * runs this first shall create a new namespace, all others should just join it. To serialize that we ++ * use a file lock on the socket pair. + * + * It's a bit crazy, but hey, works great! 
*/ + +@@ -2932,7 +2929,8 @@ int setup_shareable_ns(int ns_storage_socket[static 2], unsigned long nsflag) { + if (unshare(nsflag) < 0) + return -errno; + +- (void) loopback_setup(); ++ if (nsflag == CLONE_NEWNET) ++ (void) loopback_setup(); + + ns_path = strjoina("/proc/self/ns/", ns_name); + ns = open(ns_path, O_RDONLY|O_CLOEXEC|O_NOCTTY); +-- +2.33.0 + diff --git a/backport-network-actually-show-the-unexpected-flags.patch b/backport-network-actually-show-the-unexpected-flags.patch new file mode 100644 index 0000000..e406d41 --- /dev/null +++ b/backport-network-actually-show-the-unexpected-flags.patch 
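Review bot: The new `if (nsflag == CLONE_NEWNET)` guard carries no comment explaining why loopback setup is tied to exactly this flag, and the rationale currently lives only in the commit message. A comment such as `/* Only a freshly unshared network namespace needs its loopback device brought up; the other namespace types have nothing to initialize here. */` above the guard would keep that reasoning with the code. setup_shareable_ns() begins in the first hunk but its end lies outside the second one.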
@@ -0,0 +1,40 @@ +From d9f3ad21a84d2d69bc980c3bcdc187be1a4f52f9 Mon Sep 17 00:00:00 2001 +From: Frantisek Sumsal +Date: Mon, 11 Dec 2023 16:16:02 +0100 +Subject: [PATCH 0045/1160] network: actually show the unexpected flags + +The original version would yield a slightly _unexpected_ message for +this [Address] section: + +[Address] +Address=10.9.3.1/24 +HomeAddress=yes +ManageTemporaryAddress=yes + +systemd-networkd[68396]: /run/systemd/network/25-address-static.network: unexpected address flags "n/a" were configured. Ignoring [Address] section from line 144. + +Let's instead show the unexpected flags: + +systemd-networkd[69160]: /run/systemd/network/25-address-static.network: unexpected address flags "home-address,manage-temporary-address" were configured. Ignoring [Address] section from line 144. + +(cherry picked from commit b7d435925dd81e7ab505c41692140c7a3ad2f73e) +--- + src/network/networkd-address.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/network/networkd-address.c b/src/network/networkd-address.c +index 29c424026e..0e4d87b000 100644 +--- a/src/network/networkd-address.c ++++ b/src/network/networkd-address.c +@@ -2472,7 +2472,7 @@ int address_section_verify(Address *address) { + if (address->flags != filtered_flags) { + _cleanup_free_ char *str = NULL; + +- (void) address_flags_to_string_alloc(filtered_flags, address->family, &str); ++ (void) address_flags_to_string_alloc(address->flags ^ filtered_flags, address->family, &str); + return log_warning_errno(SYNTHETIC_ERRNO(EINVAL), + "%s: unexpected address flags \"%s\" were configured. " + "Ignoring [Address] section from line %u.", +-- +2.33.0 + diff --git a/backport-network-adjust-log-message.patch b/backport-network-adjust-log-message.patch new file mode 100644 index 0000000..a087f07 --- /dev/null +++ b/backport-network-adjust-log-message.patch 
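Review bot: `address->flags ^ filtered_flags` yields the symmetric difference, which only equals "the flags that were rejected" if filtered_flags is always a subset of address->flags; how filtered_flags is computed is outside the hunk, so that assumption is not visible where it is relied on. `address->flags & ~filtered_flags` expresses "set but not allowed" directly and stays correct even if the filtering ever starts adding bits, so it would be the more robust form for the warning.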
@@ -0,0 +1,42 @@ +From c6222b1fc005a3e868fd92ea171966695a9a596d Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Mon, 11 Dec 2023 15:19:02 +0900 +Subject: [PATCH 0040/1160] network: adjust log message + +The address or neighbor processed here may not be foreign. + +(cherry picked from commit e924dc598ef588d8c32101d1ffe44fd60c3f988d) +--- + src/network/networkd-address.c | 2 +- + src/network/networkd-neighbor.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/network/networkd-address.c b/src/network/networkd-address.c +index 7071137676..29c424026e 100644 +--- a/src/network/networkd-address.c ++++ b/src/network/networkd-address.c +@@ -1802,7 +1802,7 @@ int manager_rtnl_process_address(sd_netlink *rtnl, sd_netlink_message *message, + /* If we did not know the address, then save it. */ + r = address_add(link, tmp); + if (r < 0) { +- log_link_warning_errno(link, r, "Failed to remember foreign address %s, ignoring: %m", ++ log_link_warning_errno(link, r, "Failed to save received address %s, ignoring: %m", + IN_ADDR_PREFIX_TO_STRING(tmp->family, &tmp->in_addr, tmp->prefixlen)); + return 0; + } +diff --git a/src/network/networkd-neighbor.c b/src/network/networkd-neighbor.c +index 8abe67bda5..8321831c9a 100644 +--- a/src/network/networkd-neighbor.c ++++ b/src/network/networkd-neighbor.c +@@ -574,7 +574,7 @@ int manager_rtnl_process_neighbor(sd_netlink *rtnl, sd_netlink_message *message, + if (!neighbor) { + r = neighbor_add(link, tmp); + if (r < 0) { +- log_link_warning_errno(link, r, "Failed to remember foreign neighbor, ignoring: %m"); ++ log_link_warning_errno(link, r, "Failed to save received neighbor, ignoring: %m"); + return 0; + } + neighbor = TAKE_PTR(tmp); +-- +2.33.0 + diff --git a/backport-network-allow-to-configure-interface-MTU-for-CAN-dev.patch b/backport-network-allow-to-configure-interface-MTU-for-CAN-dev.patch new file mode 100644 index 0000000..47c8a40 --- /dev/null 
+++ b/backport-network-allow-to-configure-interface-MTU-for-CAN-dev.patch @@ -0,0 +1,43 @@ +From 394da666e074218b597198347a8159b8b56c0029 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Thu, 7 Dec 2023 18:57:13 +0900 +Subject: [PATCH 0051/1160] network: allow to configure interface MTU for CAN + devices + +Previously, even if MTUBytes= is specified in matching .network file, +the setting was ignored for CAN devices. + +(cherry picked from commit 941f8e1399bcbac54c9cc862a227e0e63cebc538) +--- + src/network/networkd-link.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/src/network/networkd-link.c b/src/network/networkd-link.c +index 2caf4ff249..ee5f0f2c0a 100644 +--- a/src/network/networkd-link.c ++++ b/src/network/networkd-link.c +@@ -1048,6 +1048,10 @@ static int link_configure(Link *link) { + if (r < 0) + return r; + ++ r = link_configure_mtu(link); ++ if (r < 0) ++ return r; ++ + if (link->iftype == ARPHRD_CAN) { + /* let's shortcut things for CAN which doesn't need most of what's done below. */ + r = link_request_to_set_can(link); +@@ -1081,10 +1085,6 @@ static int link_configure(Link *link) { + if (r < 0) + return r; + +- r = link_configure_mtu(link); +- if (r < 0) +- return r; +- + r = link_request_to_set_addrgen_mode(link); + if (r < 0) + return r; +-- +2.33.0 + diff --git a/backport-network-call-link_handle_bound_by_list-before-trying.patch b/backport-network-call-link_handle_bound_by_list-before-trying.patch new file mode 100644 index 0000000..fd3e751 --- /dev/null +++ b/backport-network-call-link_handle_bound_by_list-before-trying.patch 
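Review bot: The moved `link_configure_mtu()` call now runs ahead of the CAN shortcut without a comment saying this is deliberate, while the shortcut comment two lines down still claims CAN "doesn't need most of what's done below", so the next refactor is likely to move it back; add `/* MTU is configured before the CAN shortcut on purpose: MTUBytes= must also apply to CAN devices. */` above the new call. As far as I recall the kernel CAN driver only accepts the CAN/CAN-FD MTU values and refuses an MTU change while the interface is up, whereas it is the set-CAN request (not in this hunk) that brings the link down first; if that holds for the target kernels, the MTU request should be ordered after it, or the man page should say which values are valid for CAN. link_configure() continues outside the hunk.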
@@ -0,0 +1,50 @@ +From 84c4a44f17b0cd68ba5f2ee0342a5a32299a3d62 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Wed, 31 Jul 2024 03:50:55 +0900 +Subject: [PATCH 0816/1160] network: call link_handle_bound_by_list() before + trying to reconfigure interface + +Otherwise, when an interface gained its carrier, the interface may not +have matching .network file yet, then link_reconfigure_impl() returns +zero, and link_handle_bound_by_list() is skipped. + +Fixes #33837. + +(cherry picked from commit 36b8ad085c6902631ad7054bffbda33d6d168823) +(cherry picked from commit 0d98178abb5ea470d03d05680e58ff0e59fe69bd) +--- + src/network/networkd-link.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +diff --git a/src/network/networkd-link.c b/src/network/networkd-link.c +index 26dd691248..a4fa321264 100644 +--- a/src/network/networkd-link.c ++++ b/src/network/networkd-link.c +@@ -1526,6 +1526,13 @@ static int link_carrier_gained(Link *link) { + if (r < 0) + log_link_warning_errno(link, r, "Failed to disable carrier lost timer, ignoring: %m"); + ++ /* Process BindCarrier= setting specified by other interfaces. This is independent of the .network ++ * file assigned to this interface, but depends on .network files assigned to other interfaces. ++ * Hence, this can and should be called earlier. */ ++ r = link_handle_bound_by_list(link); ++ if (r < 0) ++ return r; ++ + /* If a wireless interface was connected to an access point, and the SSID is changed (that is, + * both previous_ssid and ssid are non-NULL), then the connected wireless network could be + * changed. So, always reconfigure the link. Which means e.g. the DHCP client will be +@@ -1559,10 +1566,6 @@ static int link_carrier_gained(Link *link) { + if (r != 0) + return r; + +- r = link_handle_bound_by_list(link); +- if (r < 0) +- return r; +- + if (link->iftype == ARPHRD_CAN) + /* let's shortcut things for CAN which doesn't need most of what's done below. */ + return 0; +-- +2.33.0 + 
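Review bot: With the call moved up, an error from `link_handle_bound_by_list()` now returns from link_carrier_gained() before this interface's own reconfiguration, even though the new comment says the bound-by handling is independent of this link's .network file; previously it was only reached after reconfiguration. Unless the failure should really stop the link (which I can't tell from here), the more consistent handling is the one used for the timer a few lines up: `if (r < 0) log_link_warning_errno(link, r, "Failed to process BindCarrier= of other interfaces, ignoring: %m");` and fall through. link_carrier_gained() continues outside the hunk.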
diff --git a/backport-network-dhcp4-disable-IPv6OnlyMode-by-default.patch b/backport-network-dhcp4-disable-IPv6OnlyMode-by-default.patch new file mode 100644 index 0000000..441e722 --- /dev/null +++ b/backport-network-dhcp4-disable-IPv6OnlyMode-by-default.patch 
@@ -0,0 +1,66 @@ +From 24970f3fbfbcad86c5eb769747bfede88a91a3a6 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Sun, 4 Feb 2024 16:37:33 +0900 +Subject: [PATCH 0240/1160] network/dhcp4: disable IPv6OnlyMode= by default + +As explained in #30891, IPv6OnlyMode= should be enabled with 464XLAT +support, but we do not support it yet. Let's disable by default. + +Fixes #30891. + +(cherry picked from commit 7dc431839eeeffe6ed65acbe9bfe2a6e89422086) +--- + man/systemd.network.xml | 3 +-- + src/network/networkd-dhcp4.c | 4 +++- + test/test-network/conf/25-dhcp-client-ipv6-only.network | 3 +++ + 3 files changed, 7 insertions(+), 3 deletions(-) + +diff --git a/man/systemd.network.xml b/man/systemd.network.xml +index e7024652f0..bfa313da38 100644 +--- a/man/systemd.network.xml ++++ b/man/systemd.network.xml +@@ -2610,8 +2610,7 @@ NFTSet=prefix:netdev:filter:eth_ipv4_prefix + When true, the DHCPv4 configuration will be delayed by the timespan provided by the DHCP + server and skip to configure dynamic IPv4 network connectivity if IPv6 connectivity is provided + within the timespan. See RFC 8925. +- Defaults to true when IPv6AcceptRA= is enabled or DHCPv6 client is enabled +- (i.e., DHCP=yes), and false otherwise. ++ Defaults to false. + + + +diff --git a/src/network/networkd-dhcp4.c b/src/network/networkd-dhcp4.c +index efbae6d868..49c452da7c 100644 +--- a/src/network/networkd-dhcp4.c ++++ b/src/network/networkd-dhcp4.c +@@ -1463,10 +1463,12 @@ static bool link_dhcp4_ipv6_only_mode(Link *link) { + assert(link); + assert(link->network); + ++ /* If it is explicitly specified, then honor the setting. */ + if (link->network->dhcp_ipv6_only_mode >= 0) + return link->network->dhcp_ipv6_only_mode; + +- return link_dhcp6_enabled(link) || link_ipv6_accept_ra_enabled(link); ++ /* Defaults to false, until we support 464XLAT. See issue #30891. 
*/ ++ return false; + } + + static int dhcp4_configure(Link *link) { +diff --git a/test/test-network/conf/25-dhcp-client-ipv6-only.network b/test/test-network/conf/25-dhcp-client-ipv6-only.network +index 4aba206cb4..1ec63b1fa6 100644 +--- a/test/test-network/conf/25-dhcp-client-ipv6-only.network ++++ b/test/test-network/conf/25-dhcp-client-ipv6-only.network +@@ -7,6 +7,9 @@ Name=veth99 + DHCP=yes + IPv6Token=::1a:2b:3c:4d + ++[DHCPv4] ++IPv6OnlyMode=yes ++ + [Route] + Gateway=_ipv6ra + Destination=2001:1234:5:9fff:ff:ff:ff:ff/128 +-- +2.33.0 + diff --git a/backport-network-dhcp4-do-not-set-gateway-if-DNS-server-or-fr.patch b/backport-network-dhcp4-do-not-set-gateway-if-DNS-server-or-fr.patch new file mode 100644 index 0000000..e5d31aa --- /dev/null +++ b/backport-network-dhcp4-do-not-set-gateway-if-DNS-server-or-fr.patch 
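Review bot: The man page now only says `Defaults to false.` while the reason lives in a source comment; an administrator reading systemd.network(5) cannot tell that enabling IPv6OnlyMode= without 464XLAT support leaves the host without IPv4 for the server-provided timespan, which is exactly the behavior the preceding sentence describes. Suggest appending to the man page text: `Note that systemd-networkd does not implement 464XLAT, so enabling this on an IPv6-only network will leave the host without IPv4 connectivity.` The C change itself is fine; with a constant fallback, `link_dhcp4_ipv6_only_mode()` can simply `return link->network->dhcp_ipv6_only_mode > 0;`.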
@@ -0,0 +1,146 @@ +From fad859aab8515514187aea746a3d05c5bb32c9b9 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Fri, 10 May 2024 12:49:50 +0900 +Subject: [PATCH 0620/1160] network/dhcp4: do not set gateway if DNS server or + friends is in the acquired prefix + +Previously, even if a DNS server is in the acquired prefix, the route to the +server might have gateway address. +This makes the prefix route, which is always configured, is also handled +as same as static routes, and do not use any gateway if the prefix route +is the most suitable route to access the destination. +The same change is also applied to route to NTP servers and semi-static +routes. + +Fixes a regression introduced by 0ce86f5eeb0921b44a9782260a8c88aafb15ffde. + +Fixes #32715. + +(cherry picked from commit 0f3116f039ca997156038c317011866011298a3f) +--- + src/network/networkd-dhcp4.c | 52 ++++++++++++++++++------------------ + 1 file changed, 26 insertions(+), 26 deletions(-) + +diff --git a/src/network/networkd-dhcp4.c b/src/network/networkd-dhcp4.c +index 49c452da7c..8945827862 100644 +--- a/src/network/networkd-dhcp4.c ++++ b/src/network/networkd-dhcp4.c +@@ -146,12 +146,11 @@ static int dhcp4_find_gateway_for_destination( + Link *link, + const struct in_addr *destination, + uint8_t prefixlength, +- bool allow_null, + struct in_addr *ret) { + + _cleanup_free_ sd_dhcp_route **routes = NULL; + size_t n_routes = 0; +- bool is_classless, reachable; ++ bool is_classless; + uint8_t max_prefixlen = UINT8_MAX; + struct in_addr gw; + int r; +@@ -164,14 +163,21 @@ static int dhcp4_find_gateway_for_destination( + /* This tries to find the most suitable gateway for an address or address range. + * E.g. if the server provides the default gateway 192.168.0.1 and a classless static route for + * 8.0.0.0/8 with gateway 192.168.0.2, then this returns 192.168.0.2 for 8.8.8.8/32, and 192.168.0.1 +- * for 9.9.9.9/32. 
If 'allow_null' flag is set, and the input address or address range is in the +- * assigned network, then the default gateway will be ignored and the null address will be returned +- * unless a matching non-default gateway found. */ ++ * for 9.9.9.9/32. If the input address or address range is in the assigned network, then the null ++ * address will be returned. */ + ++ /* First, check with the assigned prefix, and if the destination is in the prefix, set the null ++ * address for the gateway, and return it unless more suitable static route is found. */ + r = dhcp4_prefix_covers(link, destination, prefixlength); + if (r < 0) + return r; +- reachable = r > 0; ++ if (r > 0) { ++ r = sd_dhcp_lease_get_prefix(link->dhcp_lease, NULL, &max_prefixlen); ++ if (r < 0) ++ return r; ++ ++ gw = (struct in_addr) {}; ++ } + + r = dhcp4_get_classless_static_or_static_routes(link, &routes, &n_routes); + if (r < 0 && r != -ENODATA) +@@ -207,25 +213,17 @@ static int dhcp4_find_gateway_for_destination( + max_prefixlen = len; + } + +- /* Found a suitable gateway in classless static routes or static routes. */ ++ /* The destination is reachable. Note, the gateway address returned here may be NULL. */ + if (max_prefixlen != UINT8_MAX) { +- if (max_prefixlen == 0 && reachable && allow_null) +- /* Do not return the default gateway, if the destination is in the assigned network. */ +- *ret = (struct in_addr) {}; +- else +- *ret = gw; +- return 0; +- } +- +- /* When the destination is in the assigned network, return the null address if allowed. */ +- if (reachable && allow_null) { +- *ret = (struct in_addr) {}; ++ *ret = gw; + return 0; + } + + /* According to RFC 3442: If the DHCP server returns both a Classless Static Routes option and + * a Router option, the DHCP client MUST ignore the Router option. */ + if (!is_classless) { ++ /* No matching static route is found, and the destination is not in the acquired network, ++ * falling back to the Router option. 
*/ + r = dhcp4_get_router(link, ret); + if (r >= 0) + return 0; +@@ -233,11 +231,7 @@ static int dhcp4_find_gateway_for_destination( + return r; + } + +- if (!reachable) +- return -EHOSTUNREACH; /* Not in the same network, cannot reach the destination. */ +- +- assert(!allow_null); +- return -ENODATA; /* No matching gateway found. */ ++ return -EHOSTUNREACH; /* Cannot reach the destination. */ + } + + static int dhcp4_remove_address_and_routes(Link *link, bool only_marked) { +@@ -650,8 +644,8 @@ static int dhcp4_request_semi_static_routes(Link *link) { + + assert(rt->family == AF_INET); + +- r = dhcp4_find_gateway_for_destination(link, &rt->dst.in, rt->dst_prefixlen, /* allow_null = */ false, &gw); +- if (IN_SET(r, -EHOSTUNREACH, -ENODATA)) { ++ r = dhcp4_find_gateway_for_destination(link, &rt->dst.in, rt->dst_prefixlen, &gw); ++ if (r == -EHOSTUNREACH) { + log_link_debug_errno(link, r, "DHCP: Cannot find suitable gateway for destination %s of semi-static route, ignoring: %m", + IN4_ADDR_PREFIX_TO_STRING(&rt->dst.in, rt->dst_prefixlen)); + continue; +@@ -659,6 +653,12 @@ static int dhcp4_request_semi_static_routes(Link *link) { + if (r < 0) + return r; + ++ if (in4_addr_is_null(&gw)) { ++ log_link_debug(link, "DHCP: Destination %s of semi-static route is in the acquired network, skipping configuration.", ++ IN4_ADDR_PREFIX_TO_STRING(&rt->dst.in, rt->dst_prefixlen)); ++ continue; ++ } ++ + r = dhcp4_request_route_to_gateway(link, &gw); + if (r < 0) + return r; +@@ -696,7 +696,7 @@ static int dhcp4_request_routes_to_servers( + if (in4_addr_is_null(dst)) + continue; + +- r = dhcp4_find_gateway_for_destination(link, dst, 32, /* allow_null = */ true, &gw); ++ r = dhcp4_find_gateway_for_destination(link, dst, 32, &gw); + if (r == -EHOSTUNREACH) { + log_link_debug_errno(link, r, "DHCP: Cannot find suitable gateway for destination %s, ignoring: %m", + IN4_ADDR_PREFIX_TO_STRING(dst, 32)); +-- +2.33.0 + 
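Review bot: The new early block assigns `gw` the null address only when the prefix covers the destination; otherwise `gw` stays uninitialized and `*ret = gw` under the `max_prefixlen != UINT8_MAX` check relies on the route loop between the two hunks having assigned it whenever it lowered `max_prefixlen`. That invariant appears to hold but is now spread over three places, so initialise at the declaration, `struct in_addr gw = {};`, and note it: `/* gw is only meaningful once max_prefixlen != UINT8_MAX */`. The callers in this hunk treat a null gateway as "directly reachable" (dhcp4_request_semi_static_routes() now skips the route; dhcp4_request_routes_to_servers() continues past the visible lines), so the function comment should state that null is a success value rather than an error, since the former `-ENODATA` contract was removed.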
diff --git a/backport-network-dhcp6-deem-DHCPv6-configuration-to-be-finish.patch b/backport-network-dhcp6-deem-DHCPv6-configuration-to-be-finish.patch
new file mode 100644
index 0000000..f8a2b88
--- /dev/null
+++ b/backport-network-dhcp6-deem-DHCPv6-configuration-to-be-finish.patch
@@ -0,0 +1,31 @@
+From 29440c77ee634906999edecd525ca83ab1e23de6 Mon Sep 17 00:00:00 2001
+From: Yu Watanabe
+Date: Sat, 17 Feb 2024 05:52:40 +0900
+Subject: [PATCH 0245/1160] network/dhcp6: deem DHCPv6 configuration to be
+ finished even if no IA_NA is provided
+
+Follow-up for fc4aa64c2d7bf1443bf30b66d334e33addb0d27a.
+
+Otherwise, even if we request no address, Link.dhcp6_configured stuck on
+false.
+
+(cherry picked from commit 43a752669e5ec60b1a688e611266db33dba39dcb)
+---
+ src/network/networkd-dhcp6.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/network/networkd-dhcp6.c b/src/network/networkd-dhcp6.c
+index ee20d0ed50..f499d0369c 100644
+--- a/src/network/networkd-dhcp6.c
++++ b/src/network/networkd-dhcp6.c
+@@ -107,6 +107,7 @@ int dhcp6_check_ready(Link *link) {
+ }
+
+ if (link->network->dhcp6_use_address &&
++ sd_dhcp6_lease_has_address(link->dhcp6_lease) &&
+ !link_check_addresses_ready(link, NETWORK_CONFIG_SOURCE_DHCP6)) {
+ Address *address;
+
+--
+2.33.0
+
diff --git a/backport-network-dhcp6-set-hostname-even-if-UseAddress-no.patch b/backport-network-dhcp6-set-hostname-even-if-UseAddress-no.patch
new file mode 100644
index 0000000..c559992
--- /dev/null
+++ b/backport-network-dhcp6-set-hostname-even-if-UseAddress-no.patch
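Review bot: `sd_dhcp6_lease_has_address()` returns an int with a negative errno on failure, and the new condition uses it as a boolean, so if dhcp6_check_ready() can run before a lease is stored (not visible here) and the helper follows the usual assert_return() pattern, the `-EINVAL` would be truthy and silently take the old path instead of failing. Make the intent explicit: `sd_dhcp6_lease_has_address(link->dhcp6_lease) > 0 &&`, or guard with `link->dhcp6_lease &&` first. dhcp6_check_ready() starts and ends outside the hunk.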
@@ -0,0 +1,87 @@ +From f4189fdd1de998703feb9ca221b700fdaee5cd31 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Mon, 16 Sep 2024 04:45:13 +0900 +Subject: [PATCH 0949/1160] network/dhcp6: set hostname even if UseAddress=no + +Follow-up for f963f8953daeab03b892616ce0c65f7572932187 and +1536b7b2d00819615bf8eba194de7ccd20c3689f. + +(cherry picked from commit 8fead9c9e46e5f71ae6f6b038ff7f72c5a13b663) +(cherry picked from commit 30cf66855b6e31e7de2bff6d79d5c2d9fc17d684) +--- + src/network/networkd-dhcp6.c | 52 +++++++++++++++++++++++------------- + 1 file changed, 33 insertions(+), 19 deletions(-) + +diff --git a/src/network/networkd-dhcp6.c b/src/network/networkd-dhcp6.c +index f499d0369c..3e7b456317 100644 +--- a/src/network/networkd-dhcp6.c ++++ b/src/network/networkd-dhcp6.c +@@ -269,25 +269,35 @@ static int dhcp6_address_acquired(Link *link) { + return r; + } + +- if (link->network->dhcp6_use_hostname) { +- const char *dhcpname = NULL; +- _cleanup_free_ char *hostname = NULL; +- +- (void) sd_dhcp6_lease_get_fqdn(link->dhcp6_lease, &dhcpname); +- +- if (dhcpname) { +- r = shorten_overlong(dhcpname, &hostname); +- if (r < 0) +- log_link_warning_errno(link, r, "Unable to shorten overlong DHCP hostname '%s', ignoring: %m", dhcpname); +- if (r == 1) +- log_link_notice(link, "Overlong DHCP hostname received, shortened from '%s' to '%s'", dhcpname, hostname); +- } +- if (hostname) { +- r = manager_set_hostname(link->manager, hostname); +- if (r < 0) +- log_link_error_errno(link, r, "Failed to set transient hostname to '%s': %m", hostname); +- } +- } ++ return 0; ++} ++ ++static int dhcp6_request_hostname(Link *link) { ++ _cleanup_free_ char *hostname = NULL; ++ const char *dhcpname = NULL; ++ int r; ++ ++ assert(link); ++ assert(link->network); ++ ++ if (!link->network->dhcp6_use_hostname) ++ return 0; ++ ++ r = sd_dhcp6_lease_get_fqdn(link->dhcp6_lease, &dhcpname); ++ if (r == -ENODATA) ++ return 0; ++ if (r < 0) ++ return r; ++ ++ r = shorten_overlong(dhcpname, 
&hostname); ++ if (r < 0) ++ return log_link_warning_errno(link, r, "Unable to shorten overlong DHCP hostname '%s': %m", dhcpname); ++ if (r == 1) ++ log_link_notice(link, "Overlong DHCP hostname received, shortened from '%s' to '%s'", dhcpname, hostname); ++ ++ r = manager_set_hostname(link->manager, hostname); ++ if (r < 0) ++ log_link_warning_errno(link, r, "Failed to set transient hostname to '%s', ignoring: %m", hostname); + + return 0; + } +@@ -307,6 +317,10 @@ static int dhcp6_lease_ip_acquired(sd_dhcp6_client *client, Link *link) { + lease_old = TAKE_PTR(link->dhcp6_lease); + link->dhcp6_lease = sd_dhcp6_lease_ref(lease); + ++ r = dhcp6_request_hostname(link); ++ if (r < 0) ++ return r; ++ + r = dhcp6_address_acquired(link); + if (r < 0) + return r; +-- +2.33.0 + diff --git a/backport-network-do-not-bring-down-a-bonding-port-interface-w.patch b/backport-network-do-not-bring-down-a-bonding-port-interface-w.patch new file mode 100644 index 0000000..6db20e0 --- /dev/null +++ b/backport-network-do-not-bring-down-a-bonding-port-interface-w.patch 
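Review bot: `dhcp6_request_hostname()` turns a shorten_overlong() failure into an error return (`return log_link_warning_errno(...)`), and dhcp6_lease_ip_acquired() now propagates it before dhcp6_address_acquired() runs, so a DHCPv6 server sending an FQDN that cannot be shortened into a valid hostname (shorten_overlong() fails when the shortened name is still invalid, if I read hostname-util correctly) aborts lease processing and address configuration, where the replaced code only logged "ignoring". The FQDN is untrusted input from the network; a rogue or buggy server should at most cost us the hostname, not the addresses, which is already the policy two lines later for manager_set_hostname(). Suggest `if (r < 0) { log_link_warning_errno(link, r, "Unable to shorten overlong DHCP hostname '%s', ignoring: %m", dhcpname); return 0; }`. What the caller of dhcp6_lease_ip_acquired() does with the error is outside the hunk.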
@@ -0,0 +1,54 @@ +From b71ec1cd42477d37dd84bafe081842780f4da196 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Fri, 2 Feb 2024 11:10:45 +0900 +Subject: [PATCH 0237/1160] network: do not bring down a bonding port interface + when it is already joined + +Follow-up for 9f913d37a01f71e559d099bff280827f8817d8c5. + +Fixes #31165. + +(cherry picked from commit c3e12de0a634f15154b8b0826b00c9f0816ef1fb) +--- + src/network/networkd-setlink.c | 18 +++++++++--------- + 1 file changed, 9 insertions(+), 9 deletions(-) + +diff --git a/src/network/networkd-setlink.c b/src/network/networkd-setlink.c +index 9dccb56795..a454853833 100644 +--- a/src/network/networkd-setlink.c ++++ b/src/network/networkd-setlink.c +@@ -530,15 +530,6 @@ static int link_is_ready_to_set_link(Link *link, Request *req) { + if (!netdev_is_ready(link->network->bond)) + return false; + m = link->network->bond->ifindex; +- +- /* Do not check link->set_flags_messages here, as it is ok even if link->flags +- * is outdated, and checking the counter causes a deadlock. */ +- if (FLAGS_SET(link->flags, IFF_UP)) { +- /* link must be down when joining to bond master. */ +- r = link_down_now(link); +- if (r < 0) +- return r; +- } + } else if (link->network->bridge) { + if (ordered_set_contains(link->manager->request_queue, &req_mac)) + return false; +@@ -557,6 +548,15 @@ static int link_is_ready_to_set_link(Link *link, Request *req) { + return -EALREADY; /* indicate to cancel the request. */ + } + ++ /* Do not check link->set_flags_messages here, as it is ok even if link->flags is outdated, ++ * and checking the counter causes a deadlock. */ ++ if (link->network->bond && FLAGS_SET(link->flags, IFF_UP)) { ++ /* link must be down when joining to bond master. */ ++ r = link_down_now(link); ++ if (r < 0) ++ return r; ++ } ++ + req->userdata = UINT32_TO_PTR(m); + break; + } +-- +2.33.0 + 
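Review bot: The relocated bring-down is gated on `link->network->bond`, but its comment no longer says why it must come after the `-EALREADY` check, which is the whole point of the change (an already-enslaved port must not be bounced); the next reader sees an IFF_UP test with no connection to the join state. Suggest extending the comment: `/* Only bring the port down when it still has to be enslaved; an already-joined port returned -EALREADY above. */`. link_is_ready_to_set_link() continues outside the hunk.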
diff --git a/backport-network-do-not-bring-down-bound-interfaces-immediate.patch b/backport-network-do-not-bring-down-bound-interfaces-immediate.patch new file mode 100644 index 0000000..513edd1 --- /dev/null +++ b/backport-network-do-not-bring-down-bound-interfaces-immediate.patch 
@@ -0,0 +1,86 @@ +From 80e93a0640e06b9fbe7d7354b4fad8a6ad140140 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Wed, 31 Jul 2024 03:04:04 +0900 +Subject: [PATCH 0814/1160] network: do not bring down bound interfaces + immediately + +Even if a timespan specified to IgnoreCarrierLoss= for an interface, +when the carrier of the interface lost, bound interfaces might be bring +down immediately. + +Let's also postpone bringing down bound interfaces with the specified +timespan. + +(cherry picked from commit e8eaed0240d642e70c567b08f3593e4cf45a255a) +(cherry picked from commit 9468a6ea47cfb8412875923d09b8a8ae6ee02119) +--- + src/network/networkd-link.c | 30 +++++++++++------------------- + 1 file changed, 11 insertions(+), 19 deletions(-) + +diff --git a/src/network/networkd-link.c b/src/network/networkd-link.c +index 4ef1be4bad..26dd691248 100644 +--- a/src/network/networkd-link.c ++++ b/src/network/networkd-link.c +@@ -1581,25 +1581,22 @@ static int link_carrier_gained(Link *link) { + } + + static int link_carrier_lost_impl(Link *link) { +- int r, ret = 0; ++ int ret = 0; + + assert(link); + + link->previous_ssid = mfree(link->previous_ssid); + ++ ret = link_handle_bound_by_list(link); ++ + if (IN_SET(link->state, LINK_STATE_FAILED, LINK_STATE_LINGER)) +- return 0; ++ return ret; + + if (!link->network) +- return 0; ++ return ret; + +- r = link_stop_engines(link, false); +- if (r < 0) +- ret = r; +- +- r = link_drop_managed_config(link); +- if (r < 0 && ret >= 0) +- ret = r; ++ RET_GATHER(ret, link_stop_engines(link, false)); ++ RET_GATHER(ret, link_drop_managed_config(link)); + + return ret; + } +@@ -1620,22 +1617,17 @@ static int link_carrier_lost_handler(sd_event_source *s, uint64_t usec, void *us + static int link_carrier_lost(Link *link) { + uint16_t dhcp_mtu; + usec_t usec; +- int r; + + assert(link); + +- r = link_handle_bound_by_list(link); +- if (r < 0) +- return r; +- + if (link->iftype == ARPHRD_CAN) + /* let's shortcut things for CAN which doesn't need 
most of what's done below. */ +- return 0; ++ usec = 0; + +- if (!link->network) +- return 0; ++ else if (!link->network) ++ usec = 0; + +- if (link->network->ignore_carrier_loss_set) ++ else if (link->network->ignore_carrier_loss_set) + /* If IgnoreCarrierLoss= is explicitly specified, then use the specified value. */ + usec = link->network->ignore_carrier_loss_usec; + +-- +2.33.0 + diff --git a/backport-network-do-not-make-the-implied-default-have-the-fir.patch b/backport-network-do-not-make-the-implied-default-have-the-fir.patch new file mode 100644 index 0000000..7f182c5 --- /dev/null +++ b/backport-network-do-not-make-the-implied-default-have-the-fir.patch 
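Review bot: The CAN branch in link_carrier_lost() keeps the comment "let's shortcut things for CAN which doesn't need most of what's done below", but it no longer shortcuts anything: it sets `usec = 0`, and if the tail of the function (outside the hunk) dispatches `usec == 0` straight to link_carrier_lost_impl(), a CAN interface now also goes through link_stop_engines() and link_drop_managed_config(), which the old code returned before. If that is intended (the commit message does not mention it), drop or reword the comment; if not, keep the early `return link_handle_bound_by_list(link);` for CAN.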
@@ -0,0 +1,51 @@ +From 04241e45a5ca5d2ab089a5d89f9489fe52698558 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Fri, 5 Jan 2024 01:10:56 +0900 +Subject: [PATCH 0123/1160] network: do not make the implied default have the + first priority + +Follow-up for b732606950f8726c0280080c7d055a714c2888f5 and +6706ce2fd2a13df0ae5e469b72d688eaf643dac4. + +If Network.ignore_carrier_loss_set flag is set, then the timeout value +is always used, hence the logic implemented by +b732606950f8726c0280080c7d055a714c2888f5 never worked. + +(cherry picked from commit 2743854540c2325ce025bdbdbab8c1a582c0ba0a) +--- + src/network/networkd-link.c | 2 +- + src/network/networkd-network.c | 4 +--- + 2 files changed, 2 insertions(+), 4 deletions(-) + +diff --git a/src/network/networkd-link.c b/src/network/networkd-link.c +index ee5f0f2c0a..fb88022ee5 100644 +--- a/src/network/networkd-link.c ++++ b/src/network/networkd-link.c +@@ -1654,7 +1654,7 @@ static int link_carrier_lost(Link *link) { + usec = 5 * USEC_PER_SEC; + + else +- /* Otherwise, use the currently set value. */ ++ /* Otherwise, use the implied default value. */ + usec = link->network->ignore_carrier_loss_usec; + + if (usec == USEC_INFINITY) +diff --git a/src/network/networkd-network.c b/src/network/networkd-network.c +index 6cbaf82d6f..dcd3e5ae12 100644 +--- a/src/network/networkd-network.c ++++ b/src/network/networkd-network.c +@@ -274,10 +274,8 @@ int network_verify(Network *network) { + network->ignore_carrier_loss_usec = USEC_INFINITY; + } + +- if (!network->ignore_carrier_loss_set) { +- network->ignore_carrier_loss_set = true; ++ if (!network->ignore_carrier_loss_set) /* Set implied default. */ + network->ignore_carrier_loss_usec = network->configure_without_carrier ? USEC_INFINITY : 0; +- } + + if (IN_SET(network->activation_policy, ACTIVATION_POLICY_DOWN, ACTIVATION_POLICY_ALWAYS_DOWN, ACTIVATION_POLICY_MANUAL)) { + if (network->required_for_online < 0 || +-- +2.33.0 + 
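Review bot: `ignore_carrier_loss_set` is now deliberately left false when the implied default is stored, but the one-word comment `/* Set implied default. */` does not say that leaving the flag unset is what lets link_carrier_lost() reach the intermediate `5 * USEC_PER_SEC` branch; someone "fixing" the missing `= true` would reintroduce the bug this commit describes. Suggest: `/* Set implied default, but keep ignore_carrier_loss_set false: link_carrier_lost() uses the flag to tell an explicit setting from this default. */`. network_verify() continues outside the hunk.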
diff --git a/backport-network-do-not-request-DHCP-addresses-configured-on-.patch b/backport-network-do-not-request-DHCP-addresses-configured-on-.patch new file mode 100644 index 0000000..1df387f --- /dev/null +++ b/backport-network-do-not-request-DHCP-addresses-configured-on-.patch 
@@ -0,0 +1,47 @@ +From b4a1cf93ffa135af6fbfc2921600bfd709a35d9b Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Sat, 17 Feb 2024 04:30:34 +0900 +Subject: [PATCH 0246/1160] network: do not request DHCP addresses configured + on checking prefix delegation + +This does not change anything for DHCPv4, as a DHCPv4 address is always +requested anyway. However for DHCPv6, the client may not request IA_NA +addresses by UseAddress=no, or even if it is requested, the server may +not provide any IA_NA addresses. Even in such cases, here the check is +for delegated prefixes, hence it is not necessary to check if DHCPv6 +IA_NA addresses are configured. + +Fixes a bug introduced by 195b83edf852f4e40e0d3a3b630cde97c84d77ba. + +Fixes #31349. + +(cherry picked from commit b4054aff24b326e36008e6174b5737e0917405c1) +--- + src/network/networkd-link.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/network/networkd-link.c b/src/network/networkd-link.c +index 6e4e2af9c1..4ef1be4bad 100644 +--- a/src/network/networkd-link.c ++++ b/src/network/networkd-link.c +@@ -505,7 +505,7 @@ void link_check_ready(Link *link) { + if (dhcp_pd_is_uplink(link, link, /* accept_auto = */ false)) { + if (link_dhcp4_enabled(link) && link->network->dhcp_use_6rd && + sd_dhcp_lease_has_6rd(link->dhcp_lease)) { +- if (!dhcp4_ready) ++ if (!link->dhcp4_configured) + return (void) log_link_debug(link, "%s(): DHCPv4 6rd prefix is assigned, but DHCPv4 protocol is not finished yet.", __func__); + if (!dhcp_pd_ready) + return (void) log_link_debug(link, "%s(): DHCPv4 is finished, but prefix acquired by DHCPv4-6rd is not assigned yet.", __func__); +@@ -513,7 +513,7 @@ void link_check_ready(Link *link) { + + if (link_dhcp6_enabled(link) && link->network->dhcp6_use_pd_prefix && + sd_dhcp6_lease_has_pd_prefix(link->dhcp6_lease)) { +- if (!dhcp6_ready) ++ if (!link->dhcp6_configured) + return (void) log_link_debug(link, "%s(): DHCPv6 IA_PD prefix is assigned, but DHCPv6 protocol is not 
finished yet.", __func__); + if (!dhcp_pd_ready) + return (void) log_link_debug(link, "%s(): DHCPv6 is finished, but prefix acquired by DHCPv6 IA_PD is not assigned yet.", __func__); +-- +2.33.0 + diff --git a/backport-network-do-not-try-to-update-IP-sysctl-settings-for-.patch b/backport-network-do-not-try-to-update-IP-sysctl-settings-for-.patch new file mode 100644 index 0000000..0a7c921 --- /dev/null +++ b/backport-network-do-not-try-to-update-IP-sysctl-settings-for-.patch @@ -0,0 +1,40 @@ +From 7517e551ff2a14edb75097ff16c4dd6c3d42aa40 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Thu, 23 Nov 2023 04:56:58 +0900 +Subject: [PATCH 0047/1160] network: do not try to update IP sysctl settings + for CAN devices + +CAN devices do not support IP layer. + +Most of the functions below are never called for CAN devices, but +link_set_ipv6_mtu() may be called after setting interface MTU, and warn +about the failure. + +For safety, let's unconditionally check if the interface is not a CAN +device. + +(cherry picked from commit f43ce810c408ee491b6edfc14c7680ee29274238) +--- + src/network/networkd-sysctl.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/src/network/networkd-sysctl.c b/src/network/networkd-sysctl.c +index 24525a10c1..2b226b2e2a 100644 +--- a/src/network/networkd-sysctl.c ++++ b/src/network/networkd-sysctl.c +@@ -22,6 +22,12 @@ static bool link_is_configured_for_family(Link *link, int family) { + if (link->flags & IFF_LOOPBACK) + return false; + ++ /* CAN devices do not support IP layer. Most of the functions below are never called for CAN devices, ++ * but link_set_ipv6_mtu() may be called after setting interface MTU, and warn about the failure. For ++ * safety, let's unconditionally check if the interface is not a CAN device. */ ++ if (IN_SET(family, AF_INET, AF_INET6) && link->iftype == ARPHRD_CAN) ++ return false; ++ + if (family == AF_INET6 && !socket_ipv6_is_supported()) + return false; + +-- +2.33.0 + 
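Review bot: The new CAN guard in link_is_configured_for_family() is limited to `IN_SET(family, AF_INET, AF_INET6)` although the comment says CAN has no IP layer at all; if this helper is also consulted for other families (I believe MPLS sysctls go through it, but that is outside the hunk), those writes will still be attempted on CAN devices and warn in the same way. Either drop the family test so the guard reads `if (link->iftype == ARPHRD_CAN) return false;`, or say in the comment why only the IP families are excluded. The function starts outside the hunk.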
diff --git a/backport-network-drop-unused-Manager.routes_foreign.patch b/backport-network-drop-unused-Manager.routes_foreign.patch new file mode 100644 index 0000000..5428cb2 --- /dev/null +++ b/backport-network-drop-unused-Manager.routes_foreign.patch @@ -0,0 +1,38 @@ +From 509bb7df68e9c8b1dc8fb0d7cdae96f4e704b46e Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Mon, 11 Dec 2023 15:44:08 +0900 +Subject: [PATCH 0041/1160] network: drop unused Manager.routes_foreign + +(cherry picked from commit cfe69f962be7295a8e4589620677e816872c2a3d) +--- + src/network/networkd-manager.c | 1 - + src/network/networkd-manager.h | 1 - + 2 files changed, 2 deletions(-) + +diff --git a/src/network/networkd-manager.c b/src/network/networkd-manager.c +index 1ca1d7abe5..c09dcfb396 100644 +--- a/src/network/networkd-manager.c ++++ b/src/network/networkd-manager.c +@@ -647,7 +647,6 @@ Manager* manager_free(Manager *m) { + * by the upstream link. And the links may be referenced by netlink slots. Hence, two + * set_free() must be called after the above sd_netlink_unref(). */ + m->routes = set_free(m->routes); +- m->routes_foreign = set_free(m->routes_foreign); + + m->nexthops = set_free(m->nexthops); + m->nexthops_by_id = hashmap_free(m->nexthops_by_id); +diff --git a/src/network/networkd-manager.h b/src/network/networkd-manager.h +index 65bd5073a5..fbef5289d2 100644 +--- a/src/network/networkd-manager.h ++++ b/src/network/networkd-manager.h +@@ -79,7 +79,6 @@ struct Manager { + /* Manager stores routes without RTA_OIF attribute. */ + unsigned route_remove_messages; + Set *routes; +- Set *routes_foreign; + + /* Route table name */ + Hashmap *route_table_numbers_by_name; +-- +2.33.0 + diff --git a/backport-network-fix-typo.patch b/backport-network-fix-typo.patch new file mode 100644 index 0000000..10e687c --- /dev/null +++ b/backport-network-fix-typo.patch 
@@ -0,0 +1,37 @@ +From bd12386e70e2d830bb484769ea645cd4ec7e28be Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Fri, 9 Feb 2024 14:12:09 +0900 +Subject: [PATCH 0236/1160] network: fix typo + +Follow-up for baa95d2274179e680c4731a74f514e2651722ad2. + +(cherry picked from commit a140eaf16a65558d5ce448bfc4f4ecc99710b29b) +--- + src/network/networkd-setlink.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/network/networkd-setlink.c b/src/network/networkd-setlink.c +index 2298f9ea3a..9dccb56795 100644 +--- a/src/network/networkd-setlink.c ++++ b/src/network/networkd-setlink.c +@@ -484,7 +484,7 @@ static int link_is_ready_to_set_link(Link *link, Request *req) { + break; + + case REQUEST_TYPE_SET_LINK_CAN: +- /* Do not check link->set_flgas_messages here, as it is ok even if link->flags ++ /* Do not check link->set_flags_messages here, as it is ok even if link->flags + * is outdated, and checking the counter causes a deadlock. */ + if (FLAGS_SET(link->flags, IFF_UP)) { + /* The CAN interface must be down to configure bitrate, etc... */ +@@ -531,7 +531,7 @@ static int link_is_ready_to_set_link(Link *link, Request *req) { + return false; + m = link->network->bond->ifindex; + +- /* Do not check link->set_flgas_messages here, as it is ok even if link->flags ++ /* Do not check link->set_flags_messages here, as it is ok even if link->flags + * is outdated, and checking the counter causes a deadlock. */ + if (FLAGS_SET(link->flags, IFF_UP)) { + /* link must be down when joining to bond master. */ +-- +2.33.0 + diff --git a/backport-network-fix-use-of-wrong-flag.patch b/backport-network-fix-use-of-wrong-flag.patch new file mode 100644 index 0000000..1898319 --- /dev/null +++ b/backport-network-fix-use-of-wrong-flag.patch 
@@ -0,0 +1,28 @@
+From 2f06c2775c1e5b229d9d1db1ca89f1c1b3db497f Mon Sep 17 00:00:00 2001
+From: Yu Watanabe
+Date: Tue, 16 Apr 2024 10:46:09 +0900
+Subject: [PATCH 0526/1160] network: fix use of wrong flag
+
+Fixes a bug introduced by 86a66e9b95048b1a3a4e297ba2884afcedd1585e (v255).
+
+(cherry picked from commit e188243d1f8c8ccdc11ca8d46ef86dba76d1bf50)
+---
+ src/network/networkd-state-file.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/network/networkd-state-file.c b/src/network/networkd-state-file.c
+index b83934edf3..bba84bbdb8 100644
+--- a/src/network/networkd-state-file.c
++++ b/src/network/networkd-state-file.c
+@@ -190,7 +190,7 @@ static int link_put_sip(Link *link, OrderedSet **s) {
+ assert(link->network);
+ assert(s);
+
+- if (link->dhcp_lease && link->network->dhcp_use_ntp) {
++ if (link->dhcp_lease && link->network->dhcp_use_sip) {
+ const struct in_addr *addresses;
+
+ r = sd_dhcp_lease_get_sip(link->dhcp_lease, &addresses);
+--
+2.33.0
+
diff --git a/backport-network-generator-drop-wrong-warning-for-rd.peerdns-.patch b/backport-network-generator-drop-wrong-warning-for-rd.peerdns-.patch
new file mode 100644
index 0000000..0369661
--- /dev/null
+++ b/backport-network-generator-drop-wrong-warning-for-rd.peerdns-.patch
@@ -0,0 +1,31 @@
+From 2e956d084024b7cc984528719e866b3d9f2f59eb Mon Sep 17 00:00:00 2001
+From: Yu Watanabe
+Date: Wed, 14 Aug 2024 15:39:12 +0900
+Subject: [PATCH 1009/1160] network-generator: drop wrong warning for
+ rd.peerdns without value
+
+(cherry picked from commit 2a774f064815573efc33d43dfe3548590e42e9c2)
+(cherry picked from commit 56cc8acf45dbff227d1713d509bc3b71386df5d8)
+---
+ src/network/generator/network-generator.c | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+diff --git a/src/network/generator/network-generator.c b/src/network/generator/network-generator.c
+index fad7d094f8..e5f78a3b99 100644
+--- a/src/network/generator/network-generator.c
++++ b/src/network/generator/network-generator.c
+@@ -942,10 +942,7 @@ static int parse_cmdline_rd_peerdns(Context *context, const char *key, const cha
+ assert(context);
+ assert(key);
+
+- if (proc_cmdline_value_missing(key, value))
+- return network_set_dhcp_use_dns(context, "", true);
+-
+- r = parse_boolean(value);
++ r = value ? parse_boolean(value) : true;
+ if (r < 0)
+ return r;
+
+--
+2.33.0
+
diff --git a/backport-network-generator-parse-vlan-ID-from-vlan-interface-.patch b/backport-network-generator-parse-vlan-ID-from-vlan-interface-.patch
new file mode 100644
index 0000000..f4aef18
--- /dev/null
+++ b/backport-network-generator-parse-vlan-ID-from-vlan-interface-.patch
@@ -0,0 +1,138 @@ +From f9f74a067c56c40172fbbe79971f3192b4154718 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Wed, 7 Aug 2024 15:04:46 +0900 +Subject: [PATCH 1008/1160] network-generator: parse vlan ID from vlan + interface name + +Fixes #33954. + +(cherry picked from commit e31a55edf136e777aabdf19894ee886eac47c20e) +(cherry picked from commit 4cd435ca49950c2bba86a95b500c6d239f18efe1) +--- + src/network/generator/network-generator.c | 30 +++++++++++++++++ + src/network/generator/network-generator.h | 3 ++ + .../generator/test-network-generator.c | 32 +++++++++++++++++++ + 3 files changed, 65 insertions(+) + +diff --git a/src/network/generator/network-generator.c b/src/network/generator/network-generator.c +index ac0faa3b04..fad7d094f8 100644 +--- a/src/network/generator/network-generator.c ++++ b/src/network/generator/network-generator.c +@@ -14,6 +14,7 @@ + #include "string-table.h" + #include "string-util.h" + #include "strv.h" ++#include "vlan-util.h" + + /* + # .network +@@ -951,6 +952,24 @@ static int parse_cmdline_rd_peerdns(Context *context, const char *key, const cha + return network_set_dhcp_use_dns(context, "", r); + } + ++static int extract_vlan_id(const char *vlan_name, uint16_t *ret) { ++ assert(!isempty(vlan_name)); ++ assert(ret); ++ ++ /* From dracut.cmdline(7): ++ * We support the four styles of vlan names: ++ * VLAN_PLUS_VID (vlan0005), ++ * VLAN_PLUS_VID_NO_PAD (vlan5), ++ * DEV_PLUS_VID (eth0.0005), and ++ * DEV_PLUS_VID_NO_PAD (eth0.5). 
*/ ++ ++ for (const char *p = vlan_name + strlen(vlan_name) - 1; p > vlan_name; p--) ++ if (!ascii_isdigit(*p)) ++ return parse_vlanid(p+1, ret); ++ ++ return -EINVAL; ++} ++ + static int parse_cmdline_vlan(Context *context, const char *key, const char *value) { + const char *name, *p; + NetDev *netdev; +@@ -975,6 +994,10 @@ static int parse_cmdline_vlan(Context *context, const char *key, const char *val + return r; + } + ++ r = extract_vlan_id(name, &netdev->vlan_id); ++ if (r < 0) ++ return log_debug_errno(r, "Failed to parse VLAN ID from VLAN device name '%s': %m", name); ++ + return network_set_vlan(context, p + 1, name); + } + +@@ -1352,6 +1375,13 @@ void netdev_dump(NetDev *netdev, FILE *f) { + + if (netdev->mtu > 0) + fprintf(f, "MTUBytes=%" PRIu32 "\n", netdev->mtu); ++ ++ if (streq(netdev->kind, "vlan")) { ++ fprintf(f, ++ "\n[VLAN]\n" ++ "Id=%u\n", ++ netdev->vlan_id); ++ } + } + + void link_dump(Link *link, FILE *f) { +diff --git a/src/network/generator/network-generator.h b/src/network/generator/network-generator.h +index 166ec68fe6..f2fdd02808 100644 +--- a/src/network/generator/network-generator.h ++++ b/src/network/generator/network-generator.h +@@ -79,6 +79,9 @@ struct NetDev { + char *ifname; + char *kind; + uint32_t mtu; ++ ++ /* [VLAN] */ ++ uint16_t vlan_id; + }; + + struct Link { +diff --git a/src/network/generator/test-network-generator.c b/src/network/generator/test-network-generator.c +index 1d94bbc20d..c0335554d7 100644 +--- a/src/network/generator/test-network-generator.c ++++ b/src/network/generator/test-network-generator.c +@@ -336,6 +336,38 @@ int main(int argc, char *argv[]) { + "MTUBytes=1530\n" + ); + ++ test_netdev_one("vlan123", "vlan", "vlan123:eth0", ++ "[NetDev]\n" ++ "Kind=vlan\n" ++ "Name=vlan123\n" ++ "\n[VLAN]\n" ++ "Id=123\n" ++ ); ++ ++ test_netdev_one("vlan0013", "vlan", "vlan0013:eth0", ++ "[NetDev]\n" ++ "Kind=vlan\n" ++ "Name=vlan0013\n" ++ "\n[VLAN]\n" ++ "Id=11\n" /* 0013 (octal) -> 11 */ ++ ); ++ ++ 
test_netdev_one("eth0.123", "vlan", "eth0.123:eth0", ++ "[NetDev]\n" ++ "Kind=vlan\n" ++ "Name=eth0.123\n" ++ "\n[VLAN]\n" ++ "Id=123\n" ++ ); ++ ++ test_netdev_one("eth0.0013", "vlan", "eth0.0013:eth0", ++ "[NetDev]\n" ++ "Kind=vlan\n" ++ "Name=eth0.0013\n" ++ "\n[VLAN]\n" ++ "Id=11\n" /* 0013 (octal) -> 11 */ ++ ); ++ + test_link_one("hogehoge", "ifname", "hogehoge:00:11:22:33:44:55", + "[Match]\n" + "MACAddress=00:11:22:33:44:55\n" +-- +2.33.0 + diff --git a/backport-network-generator-vlan-can-be-specified-multiple-tim.patch b/backport-network-generator-vlan-can-be-specified-multiple-tim.patch new file mode 100644 index 0000000..a4deabb --- /dev/null +++ b/backport-network-generator-vlan-can-be-specified-multiple-tim.patch 
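Review bot: extract_vlan_id() forwards the trailing digit run to parse_vlanid(), and the new tests pin that a zero-padded name such as `vlan0013` or `eth0.0013` yields `Id=11` (see the `/* 0013 (octal) -> 11 */` comments). The comment above the loop attributes the padded styles to dracut.cmdline(7), where as far as I recall they mirror the kernel's zero-padded VLAN name types, which print the ID in decimal, so a command line written for dracut would end up on VLAN 13 rather than 11; this is upstream behaviour carried over verbatim, but a base-10 parse (`safe_atou16_full(p + 1, 10, &id)` followed by a `vlanid_is_valid()` range check) or at least a comment at the parse_vlanid() call stating the octal interpretation would avoid the surprise. Separately, the pre-image blob ac0faa3b04 of network-generator.c in this patch is the post-image of backport-network-generator-vlan-can-be-specified-multiple-tim.patch, and its post-image fad7d094f8 is the pre-image of backport-network-generator-drop-wrong-warning-for-rd.peerdns-.patch, so the spec's apply order has to keep those three in that sequence (the order itself is not part of this diff).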
@@ -0,0 +1,82 @@ +From be571ff64808c30c1d5566600c86084768138bc4 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Wed, 7 Aug 2024 15:03:59 +0900 +Subject: [PATCH 1007/1160] network-generator: vlan= can be specified multiple + times + +(cherry picked from commit 9eee6b1b3f00d46459eebefb70be50ea6af30ddb) +(cherry picked from commit f3baba94425e6ccaf7a672903148dbb2b9e022f7) +--- + src/network/generator/network-generator.c | 8 ++++---- + src/network/generator/network-generator.h | 2 +- + src/network/generator/test-network-generator.c | 3 ++- + 3 files changed, 7 insertions(+), 6 deletions(-) + +diff --git a/src/network/generator/network-generator.c b/src/network/generator/network-generator.c +index 48527a2c73..ac0faa3b04 100644 +--- a/src/network/generator/network-generator.c ++++ b/src/network/generator/network-generator.c +@@ -181,7 +181,7 @@ static Network *network_free(Network *network) { + free(network->ifname); + free(network->hostname); + strv_free(network->dns); +- free(network->vlan); ++ strv_free(network->vlan); + free(network->bridge); + free(network->bond); + +@@ -531,7 +531,7 @@ static int network_set_vlan(Context *context, const char *ifname, const char *va + return r; + } + +- return free_and_strdup(&network->vlan, value); ++ return strv_extend(&network->vlan, value); + } + + static int network_set_bridge(Context *context, const char *ifname, const char *value) { +@@ -1315,8 +1315,8 @@ void network_dump(Network *network, FILE *f) { + STRV_FOREACH(dns, network->dns) + fprintf(f, "DNS=%s\n", *dns); + +- if (network->vlan) +- fprintf(f, "VLAN=%s\n", network->vlan); ++ STRV_FOREACH(v, network->vlan) ++ fprintf(f, "VLAN=%s\n", *v); + + if (network->bridge) + fprintf(f, "Bridge=%s\n", network->bridge); +diff --git a/src/network/generator/network-generator.h b/src/network/generator/network-generator.h +index aa5ca9d695..166ec68fe6 100644 +--- a/src/network/generator/network-generator.h ++++ b/src/network/generator/network-generator.h +@@ -62,7 +62,7 @@ struct 
Network { + /* [Network] */ + DHCPType dhcp_type; + char **dns; +- char *vlan; ++ char **vlan; + char *bridge; + char *bond; + +diff --git a/src/network/generator/test-network-generator.c b/src/network/generator/test-network-generator.c +index 7850da9904..1d94bbc20d 100644 +--- a/src/network/generator/test-network-generator.c ++++ b/src/network/generator/test-network-generator.c +@@ -283,12 +283,13 @@ int main(int argc, char *argv[]) { + "UseDNS=yes\n" + ); + +- test_network_one("eth0", "vlan", "vlan99:eth0", ++ test_network_two("eth0", "vlan", "vlan99:eth0", "vlan", "vlan98:eth0", + "[Match]\n" + "Name=eth0\n" + "\n[Link]\n" + "\n[Network]\n" + "VLAN=vlan99\n" ++ "VLAN=vlan98\n" + "\n[DHCP]\n" + ); + +-- +2.33.0 + diff --git a/backport-network-link-always-join-to-the-main-interface-when-.patch b/backport-network-link-always-join-to-the-main-interface-when-.patch new file mode 100644 index 0000000..984909d --- /dev/null +++ b/backport-network-link-always-join-to-the-main-interface-when-.patch 
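Review bot: `strv_extend(&network->vlan, value)` in network_set_vlan() appends unconditionally, so the same `vlan=vlan99:eth0` given twice on the command line now produces two `VLAN=vlan99` lines in the generated .network file, where the previous free_and_strdup() collapsed them. networkd's VLAN= parser presumably tolerates the duplicate, but if it does not, guarding the append with `if (strv_contains(network->vlan, value)) return 0;` keeps the output clean; either way a one-line comment stating that duplicates are accepted would settle it for the next reader. The new test_network_two() case only exercises two distinct names.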
@@ -0,0 +1,55 @@ +From 9e142965e8051a56c090f9dd69d902b1acccf67e Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Fri, 5 Jan 2024 01:58:01 +0900 +Subject: [PATCH 0127/1160] network/link: always join to the main interface + when we receive IFLA_MASTER attribute + +Otherwise, e.g. when we enumerate a bridge port first, then the bridge +main interface, then the port cannot be managed by the main interface. + +Fixes #30682. + +(cherry picked from commit 74e95e3a81dfaa7bff107e4e975c453aeed18464) +--- + src/network/networkd-link.c | 24 +++++++++++------------- + 1 file changed, 11 insertions(+), 13 deletions(-) + +diff --git a/src/network/networkd-link.c b/src/network/networkd-link.c +index fb88022ee5..6e4e2af9c1 100644 +--- a/src/network/networkd-link.c ++++ b/src/network/networkd-link.c +@@ -1989,20 +1989,18 @@ static int link_update_master(Link *link, sd_netlink_message *message) { + if (master_ifindex == link->ifindex) + master_ifindex = 0; + +- if (master_ifindex == link->master_ifindex) +- return 0; +- +- if (link->master_ifindex == 0) +- log_link_debug(link, "Attached to master interface: %i", master_ifindex); +- else if (master_ifindex == 0) +- log_link_debug(link, "Detached from master interface: %i", link->master_ifindex); +- else +- log_link_debug(link, "Master interface changed: %i %s %i", link->master_ifindex, +- special_glyph(SPECIAL_GLYPH_ARROW_RIGHT), master_ifindex); +- +- link_drop_from_master(link); ++ if (master_ifindex != link->master_ifindex) { ++ if (link->master_ifindex == 0) ++ log_link_debug(link, "Attached to master interface: %i", master_ifindex); ++ else if (master_ifindex == 0) ++ log_link_debug(link, "Detached from master interface: %i", link->master_ifindex); ++ else ++ log_link_debug(link, "Master interface changed: %i %s %i", link->master_ifindex, ++ special_glyph(SPECIAL_GLYPH_ARROW_RIGHT), master_ifindex); + +- link->master_ifindex = master_ifindex; ++ link_drop_from_master(link); ++ link->master_ifindex = master_ifindex; ++ } + + r = 
link_append_to_master(link); + if (r < 0) +-- +2.33.0 + diff --git a/backport-network-ndisc-do-not-try-to-set-too-large-value-for-.patch b/backport-network-ndisc-do-not-try-to-set-too-large-value-for-.patch new file mode 100644 index 0000000..850b2f1 --- /dev/null +++ b/backport-network-ndisc-do-not-try-to-set-too-large-value-for-.patch 
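Review bot: link_append_to_master() is now called on every IFLA_MASTER update, including when master_ifindex is unchanged, and nothing in the hunk records that the repeated join is deliberate; a comment before the call such as `/* Always (re)join: the main interface may have been enumerated after this port, so an earlier append may have found no master yet. */` would keep a later cleanup from moving the call back inside the `if`. The remainder of link_update_master(), including the `r < 0` handling, continues outside the hunk, so whether a repeated append is idempotent cannot be confirmed from here.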
@@ -0,0 +1,56 @@ +From 7866741e68ca3b480148b1d8fe9c0911306e845a Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Fri, 12 Jan 2024 10:00:31 +0900 +Subject: [PATCH 0144/1160] network/ndisc: do not try to set too large value + for ICMP ratelimting + +Follow-up for 6197db53ba3c61de2268eb723a7a9cd4b3f5f87c. + +When we set too large value, the kernel just refuse it. So, this does +not change the net behavior. + +Prompted by https://github.com/systemd/systemd/pull/30490#discussion_r1449477125. + +(cherry picked from commit be89a76a4613e6fdfbd027d735dc7c4d4e5f495a) +--- + src/network/networkd-ndisc.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +diff --git a/src/network/networkd-ndisc.c b/src/network/networkd-ndisc.c +index ab9eeb13a5..840ccb158d 100644 +--- a/src/network/networkd-ndisc.c ++++ b/src/network/networkd-ndisc.c +@@ -355,8 +355,7 @@ static int ndisc_router_process_default(Link *link, sd_ndisc_router *rt) { + } + + static int ndisc_router_process_icmp6_ratelimit(Link *link, sd_ndisc_router *rt) { +- char buf[DECIMAL_STR_MAX(usec_t)]; +- usec_t icmp6_ratelimit; ++ usec_t icmp6_ratelimit, msec; + int r; + + assert(link); +@@ -372,14 +371,17 @@ static int ndisc_router_process_icmp6_ratelimit(Link *link, sd_ndisc_router *rt) + return 0; + } + ++ /* We do not allow 0 here. */ + if (!timestamp_is_set(icmp6_ratelimit)) + return 0; + ++ msec = DIV_ROUND_UP(icmp6_ratelimit, USEC_PER_MSEC); ++ if (msec <= 0 || msec > INT_MAX) ++ return 0; ++ + /* Limit the maximal rates for sending ICMPv6 packets. 0 to disable any limiting, otherwise the + * minimal space between responses in milliseconds. Default: 1000. */ +- xsprintf(buf, USEC_FMT, DIV_ROUND_UP(icmp6_ratelimit, USEC_PER_MSEC)); +- +- r = sysctl_write_ip_property(AF_INET6, NULL, "icmp/ratelimit", buf); ++ r = sysctl_write_ip_property_int(AF_INET6, NULL, "icmp/ratelimit", (int) msec); + if (r < 0) + log_link_warning_errno(link, r, "Failed to apply ICMP6 ratelimit, ignoring: %m"); + +-- +2.33.0 + 
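Review bot: the new `if (msec <= 0 || msec > INT_MAX) return 0;` in ndisc_router_process_icmp6_ratelimit() silently drops a router-advertised ratelimit that is out of range, while the existing `r < 0` path below logs a warning; a `log_link_debug(link, "ICMP6 ratelimit %s received via RA is out of range, ignoring.", FORMAT_TIMESPAN(icmp6_ratelimit, USEC_PER_MSEC));` before the return would make a misbehaving router visible in the journal. As a point of style, msec is a usec_t, so `msec <= 0` reads as a signed check; `msec == 0` (or dropping that half, since DIV_ROUND_UP of a non-zero value is never 0) says what is meant. The added `/* We do not allow 0 here. */` also sits above the timestamp_is_set() check rather than the msec range check it describes, so moving it down or merging the two comments would help.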
diff --git a/backport-network-neighbor-add-missing-OOM-check.patch b/backport-network-neighbor-add-missing-OOM-check.patch
new file mode 100644
index 0000000..56c4b89
--- /dev/null
+++ b/backport-network-neighbor-add-missing-OOM-check.patch
@@ -0,0 +1,26 @@
+From 3411c8a42a60816187aa8dce7c4282af001473d6 Mon Sep 17 00:00:00 2001
+From: Yu Watanabe
+Date: Sun, 10 Dec 2023 16:03:52 +0900
+Subject: [PATCH 0039/1160] network/neighbor: add missing OOM check
+
+(cherry picked from commit be26893c85b7200d41440792928f5ebbf06fa8cb)
+---
+ src/network/networkd-neighbor.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/network/networkd-neighbor.c b/src/network/networkd-neighbor.c
+index c4e1c463c4..8abe67bda5 100644
+--- a/src/network/networkd-neighbor.c
++++ b/src/network/networkd-neighbor.c
+@@ -533,6 +533,8 @@ int manager_rtnl_process_neighbor(sd_netlink *rtnl, sd_netlink_message *message,
+ }
+
+ tmp = new0(Neighbor, 1);
++ if (!tmp)
++ return log_oom();
+
+ /* First, retrieve the fundamental information about the neighbor. */
+ r = sd_rtnl_message_neigh_get_family(message, &tmp->family);
+--
+2.33.0
+
diff --git a/backport-network-networkd-address-don-t-set-up-firewall-rules.patch b/backport-network-networkd-address-don-t-set-up-firewall-rules.patch
index d4bebb2..42ee97d 100644
--- a/backport-network-networkd-address-don-t-set-up-firewall-rules.patch
+++ b/backport-network-networkd-address-don-t-set-up-firewall-rules.patch
@@ -1,20 +1,20 @@
-From 58c6e75f263a1562f5550221af1ec1a9b6046143 Mon Sep 17 00:00:00 2001
+From 87da4f4e93d661df18dd15a7219d1cef01c2d9e1 Mon Sep 17 00:00:00 2001
From: Topi Miettinen Date: Mon, 4 Dec 2023 21:49:12 +0200 -Subject: [PATCH] network/networkd-address: don't set up firewall rules here +Subject: [PATCH 0003/1160] network/networkd-address: don't set up firewall + rules here Don't set up firewall rules when we're just initializing the firewall context for NFT sets. Fixes: #30257 -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/58c6e75f263a1562f5550221af1ec1a9b6046143 +(cherry picked from commit 58c6e75f263a1562f5550221af1ec1a9b6046143) --- src/network/networkd-address.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/network/networkd-address.c b/src/network/networkd-address.c -index c1a8cd884..707113767 100644 +index c1a8cd884a..7071137676 100644 --- a/src/network/networkd-address.c +++ b/src/network/networkd-address.c @@ -645,7 +645,7 @@ static void address_modify_nft_set_context(Address *address, bool add, NFTSetCon diff --git a/backport-network-queue-fix-potential-double-free-on-oom.patch b/backport-network-queue-fix-potential-double-free-on-oom.patch new file mode 100644 index 0000000..be92e8c --- /dev/null +++ b/backport-network-queue-fix-potential-double-free-on-oom.patch 
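Review bot: the rewritten patch header drops the distro-style `Conflict:NA` and `Reference:https://github.com/systemd/systemd/commit/58c6e75f263a1562f5550221af1ec1a9b6046143` lines in favour of the upstream-stable `(cherry picked from commit 58c6e75f263a1562f5550221af1ec1a9b6046143)` trailer. The upstream commit id survives either way, but if the packaging policy relies on the Conflict:/Reference: pair to record backport provenance and conflict resolution, this hunk should keep them next to the cherry-pick line instead of replacing them; the policy is not visible from this diff. The code hunk for address_modify_nft_set_context() itself is unchanged.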
@@ -0,0 +1,76 @@ +From 3bbd43be013a0cc2fd0d719a452d7636eb09881d Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Wed, 3 Jan 2024 04:19:33 +0900 +Subject: [PATCH 0109/1160] network/queue: fix potential double-free on oom + +Currently, link_queue_request_safe(), which is a wrapper of +request_new(), is called with a free function at +- link_request_stacked_netdev() at netdev/netdev.c, +- link_request_address() at networkd-address.c, +- link_request_nexthop() at networkd-nexthop.c, +- link_request_neighbor() at networkd-networkd.c. + +For the netdev case, the reference counter of the passed object is increased +only when the function returns 1. So, on failure (with -ENOMEM) +previously we unexpectedly dropped the reference of the NetDev object. +Similarly, for Address and friends, the ownership of the object is moved to the +Request object only when the function returns 1. And on failure, previously +the object was freed twice. + +Also, netdev_queue_request(), which is another wrapper of request_new() +potentially leaks memory when the same NetDev object is queued twice. +Fortunately, that should not happen as the function is called only once +per object. + +This fixes the above issue, and now the ownership or the reference +counter of the object is changed only when it is succeeded with 1. 
+ +(cherry picked from commit 6ba147485e09de649d5b13e0c341688a04403d40) +--- + src/network/networkd-queue.c | 20 ++++++++++++-------- + 1 file changed, 12 insertions(+), 8 deletions(-) + +diff --git a/src/network/networkd-queue.c b/src/network/networkd-queue.c +index 1695aacf76..1128987a33 100644 +--- a/src/network/networkd-queue.c ++++ b/src/network/networkd-queue.c +@@ -133,11 +133,8 @@ static int request_new( + assert(process); + + req = new(Request, 1); +- if (!req) { +- if (free_func) +- free_func(userdata); ++ if (!req) + return -ENOMEM; +- } + + *req = (Request) { + .n_ref = 1, +@@ -179,12 +176,19 @@ int netdev_queue_request( + request_process_func_t process, + Request **ret) { + ++ int r; ++ + assert(netdev); + +- return request_new(netdev->manager, NULL, REQUEST_TYPE_NETDEV_INDEPENDENT, +- netdev_ref(netdev), (mfree_func_t) netdev_unref, +- trivial_hash_func, trivial_compare_func, +- process, NULL, NULL, ret); ++ r = request_new(netdev->manager, NULL, REQUEST_TYPE_NETDEV_INDEPENDENT, ++ netdev, (mfree_func_t) netdev_unref, ++ trivial_hash_func, trivial_compare_func, ++ process, NULL, NULL, ret); ++ if (r <= 0) ++ return r; ++ ++ netdev_ref(netdev); ++ return 1; + } + + int link_queue_request_full( +-- +2.33.0 + diff --git a/backport-network-request-non-NULL-SSID-when-a-wlan-interface-.patch b/backport-network-request-non-NULL-SSID-when-a-wlan-interface-.patch new file mode 100644 index 0000000..27bd8fa --- /dev/null +++ b/backport-network-request-non-NULL-SSID-when-a-wlan-interface-.patch 
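Review bot: in netdev_queue_request(), netdev is handed to request_new() with netdev_unref as its free function before the matching netdev_ref() is taken, and the reason the reference is deferred until `r == 1` is explained only in the commit message; a comment at the `netdev_ref(netdev);` line such as `/* Take the reference only once the request is actually queued (r == 1): request_new() no longer unrefs userdata on failure, and r == 0 means an equivalent request already exists. */` would keep the pairing obvious to the next reader. The same ownership rule now applies to the other request_new() callers the message lists (link_request_address() and friends), which are outside this patch, so their error paths should be confirmed to free their object exactly once. link_queue_request_full() begins at the end of the hunk and continues outside it.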
@@ -0,0 +1,30 @@
+From 2a182ae521331fc71cf5aabc20bf0e8f0b38ae42 Mon Sep 17 00:00:00 2001
+From: Yu Watanabe
+Date: Wed, 31 Jul 2024 06:49:32 +0900
+Subject: [PATCH 0819/1160] network: request non-NULL SSID when a wlan
+ interface is configured as station
+
+To avoid conflicts with user .network file for the wlan interface with Bond=.
+See https://github.com/systemd/systemd/issues/19832#issuecomment-857661200.
+
+(cherry picked from commit e2becab08506d8a085f4c18231c7f354db16df9f)
+(cherry picked from commit ad861b6ae6ee9660912f03f73f771c98f426753c)
+---
+ network/80-wifi-station.network.example | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/network/80-wifi-station.network.example b/network/80-wifi-station.network.example
+index 160b4eb5e3..600ce4c5ea 100644
+--- a/network/80-wifi-station.network.example
++++ b/network/80-wifi-station.network.example
+@@ -12,6 +12,7 @@
+ [Match]
+ Type=wlan
+ WLANInterfaceType=station
++SSID=*
+
+ [Network]
+ DHCP=yes
+--
+2.33.0
+
diff --git a/backport-network-route-do-not-invalidate-Route-section-when-a.patch b/backport-network-route-do-not-invalidate-Route-section-when-a.patch
new file mode 100644
index 0000000..c33f237
--- /dev/null
+++ b/backport-network-route-do-not-invalidate-Route-section-when-a.patch
@@ -0,0 +1,26 @@
+From 9350cbb47fe227c1dbf175c3cee182538dcb6668 Mon Sep 17 00:00:00 2001
+From: Yu Watanabe
+Date: Sat, 6 Jan 2024 05:23:06 +0900
+Subject: [PATCH 0128/1160] network/route: do not invalidate [Route] section
+ when an empty string is assigned to MultiPathRoute=
+
+(cherry picked from commit d2bec2426fa938fc12f8a679341cae48241ff512)
+---
+ src/network/networkd-route.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/network/networkd-route.c b/src/network/networkd-route.c
+index 7218d799fc..eb502ae2cf 100644
+--- a/src/network/networkd-route.c
++++ b/src/network/networkd-route.c
+@@ -2920,6 +2920,7 @@ int config_parse_multipath_route(
+
+ if (isempty(rvalue)) {
+ n->multipath_routes = ordered_set_free_with_destructor(n->multipath_routes, multipath_route_free);
++ TAKE_PTR(n);
+ return 0;
+ }
+
+--
+2.33.0
+
diff --git a/backport-network-route-fix-reachability-check-when-peer-addre.patch b/backport-network-route-fix-reachability-check-when-peer-addre.patch
new file mode 100644
index 0000000..09daaad
--- /dev/null
+++ b/backport-network-route-fix-reachability-check-when-peer-addre.patch
@@ -0,0 +1,37 @@
+From b641ced147d94578375f5e25d616241fef195a4a Mon Sep 17 00:00:00 2001
+From: Yu Watanabe
+Date: Sun, 10 Dec 2023 13:56:46 +0900
+Subject: [PATCH 0074/1160] network/route: fix reachability check when peer
+ address is specified
+
+When an address with peer address is specified, the kernel by default
+adds the prefix route for the peer address. When ManageForeignRoute=no
+is set, then we also needs to check the prefix for the peer address.
+
+Fixes #30403.
+
+(cherry picked from commit e091ed405353624f2da28e2f3210e205f7eab370)
+---
+ src/network/networkd-route-util.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/network/networkd-route-util.c b/src/network/networkd-route-util.c
+index a204fb9631..d49a0b9512 100644
+--- a/src/network/networkd-route-util.c
++++ b/src/network/networkd-route-util.c
+@@ -162,9 +162,9 @@ bool gateway_is_ready(Link *link, bool onlink, int family, const union in_addr_u
+ continue;
+ if (FLAGS_SET(a->flags, IFA_F_NOPREFIXROUTE))
+ continue;
+- if (in_addr_is_set(a->family, &a->in_addr_peer))
+- continue;
+- if (in_addr_prefix_covers(family, &a->in_addr, a->prefixlen, gw) > 0)
++ if (in_addr_prefix_covers(a->family,
++ in_addr_is_set(a->family, &a->in_addr_peer) ? &a->in_addr_peer : &a->in_addr,
++ a->prefixlen, gw) > 0)
+ return true;
+ }
+
+--
+2.33.0
+
diff --git a/backport-network-save-the-real-rdnss-address.patch b/backport-network-save-the-real-rdnss-address.patch
new file mode 100644
index 0000000..f79fe03
--- /dev/null
+++ b/backport-network-save-the-real-rdnss-address.patch
@@ -0,0 +1,29 @@
+From cad44fdce5ed235badc54cc6ede6b830bf17cc5a Mon Sep 17 00:00:00 2001
+From: Ronan Pigott
+Date: Wed, 27 Mar 2024 17:19:43 -0700
+Subject: [PATCH 0479/1160] network: save the real rdnss address
+
+... instead of the router that informed us
+
+Fixes: 86a66e9b9504 ("network: also save NTP servers and friends obtained by other protocols")
+(cherry picked from commit 64761f38cc7077f8c30db3522ce9a35d28501f7b)
+---
+ src/network/networkd-state-file.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/network/networkd-state-file.c b/src/network/networkd-state-file.c
+index 3a95ba8d8b..b83934edf3 100644
+--- a/src/network/networkd-state-file.c
++++ b/src/network/networkd-state-file.c
+@@ -127,7 +127,7 @@ static int link_put_dns(Link *link, OrderedSet **s) {
+ NDiscRDNSS *a;
+
+ SET_FOREACH(a, link->ndisc_rdnss) {
+- r = ordered_set_put_in6_addrv(s, &a->router, 1);
++ r = ordered_set_put_in6_addrv(s, &a->address, 1);
+ if (r < 0)
+ return r;
+ }
+--
+2.33.0
+
diff --git a/backport-network-split-out-common-checks.patch b/backport-network-split-out-common-checks.patch
new file mode 100644
index 0000000..505b02b
--- /dev/null
+++ b/backport-network-split-out-common-checks.patch
@@ -0,0 +1,242 @@ +From 11fdedcaca3913d2f6f90f7fb245cbb310d24928 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Thu, 23 Nov 2023 04:53:43 +0900 +Subject: [PATCH 0046/1160] network: split out common checks + +No functional change, just refactoring. +Note, some checks may be redundant, but the cost is not heavy, so let's +explicitly check for safety. + +(cherry picked from commit 01a88375e3543d3ae6b19927cec23966aff39a1c) +--- + src/network/networkd-sysctl.c | 113 +++++++++++++--------------------- + 1 file changed, 43 insertions(+), 70 deletions(-) + +diff --git a/src/network/networkd-sysctl.c b/src/network/networkd-sysctl.c +index 2ac6c3527b..24525a10c1 100644 +--- a/src/network/networkd-sysctl.c ++++ b/src/network/networkd-sysctl.c +@@ -2,6 +2,7 @@ + + #include + #include ++#include + + #include "missing_network.h" + #include "networkd-link.h" +@@ -12,10 +13,25 @@ + #include "string-table.h" + #include "sysctl-util.h" + +-static int link_update_ipv6_sysctl(Link *link) { ++static bool link_is_configured_for_family(Link *link, int family) { + assert(link); + ++ if (!link->network) ++ return false; ++ + if (link->flags & IFF_LOOPBACK) ++ return false; ++ ++ if (family == AF_INET6 && !socket_ipv6_is_supported()) ++ return false; ++ ++ return true; ++} ++ ++static int link_update_ipv6_sysctl(Link *link) { ++ assert(link); ++ ++ if (!link_is_configured_for_family(link, AF_INET6)) + return 0; + + if (!link_ipv6_enabled(link)) +@@ -27,10 +43,7 @@ static int link_update_ipv6_sysctl(Link *link) { + static int link_set_proxy_arp(Link *link) { + assert(link); + +- if (link->flags & IFF_LOOPBACK) +- return 0; +- +- if (!link->network) ++ if (!link_is_configured_for_family(link, AF_INET)) + return 0; + + if (link->network->proxy_arp < 0) +@@ -43,13 +56,7 @@ static bool link_ip_forward_enabled(Link *link, int family) { + assert(link); + assert(IN_SET(family, AF_INET, AF_INET6)); + +- if (family == AF_INET6 && !socket_ipv6_is_supported()) +- return false; +- +- if (link->flags 
& IFF_LOOPBACK) +- return false; +- +- if (!link->network) ++ if (!link_is_configured_for_family(link, family)) + return false; + + return link->network->ip_forward & (family == AF_INET ? ADDRESS_FAMILY_IPV4 : ADDRESS_FAMILY_IPV6); +@@ -92,10 +99,7 @@ static int link_set_ipv6_forward(Link *link) { + static int link_set_ipv4_rp_filter(Link *link) { + assert(link); + +- if (link->flags & IFF_LOOPBACK) +- return 0; +- +- if (!link->network) ++ if (!link_is_configured_for_family(link, AF_INET)) + return 0; + + if (link->network->ipv4_rp_filter < 0) +@@ -110,13 +114,7 @@ static int link_set_ipv6_privacy_extensions(Link *link) { + assert(link); + assert(link->manager); + +- if (!socket_ipv6_is_supported()) +- return 0; +- +- if (link->flags & IFF_LOOPBACK) +- return 0; +- +- if (!link->network) ++ if (!link_is_configured_for_family(link, AF_INET6)) + return 0; + + val = link->network->ipv6_privacy_extensions; +@@ -133,14 +131,7 @@ static int link_set_ipv6_privacy_extensions(Link *link) { + static int link_set_ipv6_accept_ra(Link *link) { + assert(link); + +- /* Make this a NOP if IPv6 is not available */ +- if (!socket_ipv6_is_supported()) +- return 0; +- +- if (link->flags & IFF_LOOPBACK) +- return 0; +- +- if (!link->network) ++ if (!link_is_configured_for_family(link, AF_INET6)) + return 0; + + return sysctl_write_ip_property(AF_INET6, link->ifname, "accept_ra", "0"); +@@ -149,14 +140,7 @@ static int link_set_ipv6_accept_ra(Link *link) { + static int link_set_ipv6_dad_transmits(Link *link) { + assert(link); + +- /* Make this a NOP if IPv6 is not available */ +- if (!socket_ipv6_is_supported()) +- return 0; +- +- if (link->flags & IFF_LOOPBACK) +- return 0; +- +- if (!link->network) ++ if (!link_is_configured_for_family(link, AF_INET6)) + return 0; + + if (link->network->ipv6_dad_transmits < 0) +@@ -168,14 +152,7 @@ static int link_set_ipv6_dad_transmits(Link *link) { + static int link_set_ipv6_hop_limit(Link *link) { + assert(link); + +- /* Make this a NOP if IPv6 is 
not available */ +- if (!socket_ipv6_is_supported()) +- return 0; +- +- if (link->flags & IFF_LOOPBACK) +- return 0; +- +- if (!link->network) ++ if (!link_is_configured_for_family(link, AF_INET6)) + return 0; + + if (link->network->ipv6_hop_limit <= 0) +@@ -189,13 +166,7 @@ static int link_set_ipv6_proxy_ndp(Link *link) { + + assert(link); + +- if (!socket_ipv6_is_supported()) +- return 0; +- +- if (link->flags & IFF_LOOPBACK) +- return 0; +- +- if (!link->network) ++ if (!link_is_configured_for_family(link, AF_INET6)) + return 0; + + if (link->network->ipv6_proxy_ndp >= 0) +@@ -211,14 +182,7 @@ int link_set_ipv6_mtu(Link *link) { + + assert(link); + +- /* Make this a NOP if IPv6 is not available */ +- if (!socket_ipv6_is_supported()) +- return 0; +- +- if (link->flags & IFF_LOOPBACK) +- return 0; +- +- if (!link->network) ++ if (!link_is_configured_for_family(link, AF_INET6)) + return 0; + + if (link->network->ipv6_mtu == 0) +@@ -237,7 +201,7 @@ int link_set_ipv6_mtu(Link *link) { + static int link_set_ipv4_accept_local(Link *link) { + assert(link); + +- if (link->flags & IFF_LOOPBACK) ++ if (!link_is_configured_for_family(link, AF_INET)) + return 0; + + if (link->network->ipv4_accept_local < 0) +@@ -249,7 +213,7 @@ static int link_set_ipv4_accept_local(Link *link) { + static int link_set_ipv4_route_localnet(Link *link) { + assert(link); + +- if (link->flags & IFF_LOOPBACK) ++ if (!link_is_configured_for_family(link, AF_INET)) + return 0; + + if (link->network->ipv4_route_localnet < 0) +@@ -258,6 +222,20 @@ static int link_set_ipv4_route_localnet(Link *link) { + return sysctl_write_ip_property_boolean(AF_INET, link->ifname, "route_localnet", link->network->ipv4_route_localnet > 0); + } + ++static int link_set_ipv4_promote_secondaries(Link *link) { ++ assert(link); ++ ++ if (!link_is_configured_for_family(link, AF_INET)) ++ return 0; ++ ++ /* If promote_secondaries is not set, DHCP will work only as long as the IP address does not ++ * changes between leases. 
The kernel will remove all secondary IP addresses of an interface ++ * otherwise. The way systemd-networkd works is that the new IP of a lease is added as a ++ * secondary IP and when the primary one expires it relies on the kernel to promote the ++ * secondary IP. See also https://github.com/systemd/systemd/issues/7163 */ ++ return sysctl_write_ip_property_boolean(AF_INET, link->ifname, "promote_secondaries", true); ++} ++ + int link_set_sysctl(Link *link) { + int r; + +@@ -321,12 +299,7 @@ int link_set_sysctl(Link *link) { + if (r < 0) + log_link_warning_errno(link, r, "Cannot set IPv4 reverse path filtering for interface, ignoring: %m"); + +- /* If promote_secondaries is not set, DHCP will work only as long as the IP address does not +- * changes between leases. The kernel will remove all secondary IP addresses of an interface +- * otherwise. The way systemd-networkd works is that the new IP of a lease is added as a +- * secondary IP and when the primary one expires it relies on the kernel to promote the +- * secondary IP. See also https://github.com/systemd/systemd/issues/7163 */ +- r = sysctl_write_ip_property_boolean(AF_INET, link->ifname, "promote_secondaries", true); ++ r = link_set_ipv4_promote_secondaries(link); + if (r < 0) + log_link_warning_errno(link, r, "Cannot enable promote_secondaries for interface, ignoring: %m"); + +-- +2.33.0 + diff --git a/backport-network-tc-Avoid-concurrent-set-modification-in-tcla.patch b/backport-network-tc-Avoid-concurrent-set-modification-in-tcla.patch new file mode 100644 index 0000000..326cba7 --- /dev/null +++ b/backport-network-tc-Avoid-concurrent-set-modification-in-tcla.patch 
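Review bot: the third added line of the first networkd-sysctl.c hunk appears here as a bare `+#include` with no header name, exactly like the two context lines above it; that is most likely the angle-bracketed name being lost in rendering, but the patch file itself should be checked, since an empty include directive will not compile. The commit message also says "no functional change", yet link_set_ipv4_accept_local() and link_set_ipv4_route_localnet() previously tested only IFF_LOOPBACK and then dereferenced link->network, so routing them through link_is_configured_for_family() adds a NULL check for link->network — a (harmless) fix rather than a pure refactor, which the backport description could mention. A one-line comment on the new helper, e.g. `/* Common preconditions for touching per-link sysctls: a .network applies, the link is not loopback, and the address family is usable. */`, would document the shared contract.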
@@ -0,0 +1,214 @@ +From b3fd8fa1cae7837043bfb1096c413a086f720a4b Mon Sep 17 00:00:00 2001 +From: Daan De Meyer +Date: Wed, 1 May 2024 14:41:41 +0200 +Subject: [PATCH 0611/1160] network/tc: Avoid concurrent set modification in + tclass_drop()/qdisc_drop() + +With the current algorithm, we can end up removing entries from the +qdisc/tclass sets while having multiple open iterators over the sets at +various positions which leads to assertion failures in the hashmap logic +as it's only safe to remove the "current" entry. + +To avoid the problem, let's split up marking and dropping of tclasses +and qdiscs. First, we recursively iterate tclasses/qdiscs and mark all +that need to be removed. Next, we iterate once over tclasses and qdiscs +and remove all marked entries. + +Fixes 632d321050f58fe1b5bed7cfe769d212377c0301 + +(cherry picked from commit ee8f605ded4fea6b93aae018415efae877c26ed2) +--- + src/network/tc/qdisc.c | 54 ++++++++++++++++++++++++++++------------- + src/network/tc/qdisc.h | 2 ++ + src/network/tc/tclass.c | 53 +++++++++++++++++++++++++++------------- + src/network/tc/tclass.h | 2 ++ + 4 files changed, 77 insertions(+), 34 deletions(-) + +diff --git a/src/network/tc/qdisc.c b/src/network/tc/qdisc.c +index f9b943787c..43f5c7379f 100644 +--- a/src/network/tc/qdisc.c ++++ b/src/network/tc/qdisc.c +@@ -285,37 +285,57 @@ int link_find_qdisc(Link *link, uint32_t handle, const char *kind, QDisc **ret) + return -ENOENT; + } + +-QDisc* qdisc_drop(QDisc *qdisc) { ++void qdisc_mark_recursive(QDisc *qdisc) { + TClass *tclass; +- Link *link; + + assert(qdisc); ++ assert(qdisc->link); + +- link = ASSERT_PTR(qdisc->link); ++ if (qdisc_is_marked(qdisc)) ++ return; + +- qdisc_mark(qdisc); /* To avoid stack overflow. */ ++ qdisc_mark(qdisc); + +- /* also drop all child classes assigned to the qdisc. */ +- SET_FOREACH(tclass, link->tclasses) { +- if (tclass_is_marked(tclass)) ++ /* also mark all child classes assigned to the qdisc. 
*/ ++ SET_FOREACH(tclass, qdisc->link->tclasses) { ++ if (TC_H_MAJ(tclass->classid) != qdisc->handle) + continue; + +- if (TC_H_MAJ(tclass->classid) != qdisc->handle) ++ tclass_mark_recursive(tclass); ++ } ++} ++ ++void link_qdisc_drop_marked(Link *link) { ++ QDisc *qdisc; ++ ++ assert(link); ++ ++ SET_FOREACH(qdisc, link->qdiscs) { ++ if (!qdisc_is_marked(qdisc)) + continue; + +- tclass_drop(tclass); ++ qdisc_unmark(qdisc); ++ qdisc_enter_removed(qdisc); ++ ++ if (qdisc->state == 0) { ++ log_qdisc_debug(qdisc, link, "Forgetting"); ++ qdisc_free(qdisc); ++ } else ++ log_qdisc_debug(qdisc, link, "Removed"); + } ++} + +- qdisc_unmark(qdisc); +- qdisc_enter_removed(qdisc); ++QDisc* qdisc_drop(QDisc *qdisc) { ++ assert(qdisc); ++ assert(qdisc->link); + +- if (qdisc->state == 0) { +- log_qdisc_debug(qdisc, link, "Forgetting"); +- qdisc = qdisc_free(qdisc); +- } else +- log_qdisc_debug(qdisc, link, "Removed"); ++ qdisc_mark_recursive(qdisc); ++ ++ /* link_qdisc_drop_marked() may invalidate qdisc, so run link_tclass_drop_marked() first. 
*/ ++ link_tclass_drop_marked(qdisc->link); ++ link_qdisc_drop_marked(qdisc->link); + +- return qdisc; ++ return NULL; + } + + static int qdisc_handler(sd_netlink *rtnl, sd_netlink_message *m, Request *req, Link *link, QDisc *qdisc) { +diff --git a/src/network/tc/qdisc.h b/src/network/tc/qdisc.h +index a62b9413ec..cbba1bef71 100644 +--- a/src/network/tc/qdisc.h ++++ b/src/network/tc/qdisc.h +@@ -77,7 +77,9 @@ DEFINE_NETWORK_CONFIG_STATE_FUNCTIONS(QDisc, qdisc); + QDisc* qdisc_free(QDisc *qdisc); + int qdisc_new_static(QDiscKind kind, Network *network, const char *filename, unsigned section_line, QDisc **ret); + ++void qdisc_mark_recursive(QDisc *qdisc); + QDisc* qdisc_drop(QDisc *qdisc); ++void link_qdisc_drop_marked(Link *link); + + int link_find_qdisc(Link *link, uint32_t handle, const char *kind, QDisc **qdisc); + +diff --git a/src/network/tc/tclass.c b/src/network/tc/tclass.c +index 394e06ddec..fc74c487df 100644 +--- a/src/network/tc/tclass.c ++++ b/src/network/tc/tclass.c +@@ -252,37 +252,56 @@ static void log_tclass_debug(TClass *tclass, Link *link, const char *str) { + strna(tclass_get_tca_kind(tclass))); + } + +-TClass* tclass_drop(TClass *tclass) { ++void tclass_mark_recursive(TClass *tclass) { + QDisc *qdisc; +- Link *link; + + assert(tclass); ++ assert(tclass->link); + +- link = ASSERT_PTR(tclass->link); ++ if (tclass_is_marked(tclass)) ++ return; + +- tclass_mark(tclass); /* To avoid stack overflow. */ ++ tclass_mark(tclass); + +- /* Also drop all child qdiscs assigned to the class. */ +- SET_FOREACH(qdisc, link->qdiscs) { +- if (qdisc_is_marked(qdisc)) ++ /* Also mark all child qdiscs assigned to the class. 
*/ ++ SET_FOREACH(qdisc, tclass->link->qdiscs) { ++ if (qdisc->parent != tclass->classid) + continue; + +- if (qdisc->parent != tclass->classid) ++ qdisc_mark_recursive(qdisc); ++ } ++} ++ ++void link_tclass_drop_marked(Link *link) { ++ TClass *tclass; ++ ++ assert(link); ++ ++ SET_FOREACH(tclass, link->tclasses) { ++ if (!tclass_is_marked(tclass)) + continue; + +- qdisc_drop(qdisc); ++ tclass_unmark(tclass); ++ tclass_enter_removed(tclass); ++ ++ if (tclass->state == 0) { ++ log_tclass_debug(tclass, link, "Forgetting"); ++ tclass_free(tclass); ++ } else ++ log_tclass_debug(tclass, link, "Removed"); + } ++} + +- tclass_unmark(tclass); +- tclass_enter_removed(tclass); ++TClass* tclass_drop(TClass *tclass) { ++ assert(tclass); + +- if (tclass->state == 0) { +- log_tclass_debug(tclass, link, "Forgetting"); +- tclass = tclass_free(tclass); +- } else +- log_tclass_debug(tclass, link, "Removed"); ++ tclass_mark_recursive(tclass); ++ ++ /* link_tclass_drop_marked() may invalidate tclass, so run link_qdisc_drop_marked() first. */ ++ link_qdisc_drop_marked(tclass->link); ++ link_tclass_drop_marked(tclass->link); + +- return tclass; ++ return NULL; + } + + static int tclass_handler(sd_netlink *rtnl, sd_netlink_message *m, Request *req, Link *link, TClass *tclass) { +diff --git a/src/network/tc/tclass.h b/src/network/tc/tclass.h +index e73e23c97f..85df57d42c 100644 +--- a/src/network/tc/tclass.h ++++ b/src/network/tc/tclass.h +@@ -58,7 +58,9 @@ DEFINE_NETWORK_CONFIG_STATE_FUNCTIONS(TClass, tclass); + TClass* tclass_free(TClass *tclass); + int tclass_new_static(TClassKind kind, Network *network, const char *filename, unsigned section_line, TClass **ret); + ++void tclass_mark_recursive(TClass *tclass); + TClass* tclass_drop(TClass *tclass); ++void link_tclass_drop_marked(Link *link); + + int link_find_tclass(Link *link, uint32_t classid, TClass **ret); + +-- +2.33.0 + 
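Review bot: qdisc_drop() and tclass_drop() keep their pointer return types but now unconditionally `return NULL;`, so the declarations `QDisc* qdisc_drop(QDisc *qdisc);` and `TClass* tclass_drop(TClass *tclass);` in the headers no longer tell a caller that the "Removed" case (state != 0, object kept) also yields NULL now; any caller that used a non-NULL return to keep working with the object should be checked (callers are outside this patch). A comment on each declaration, `/* Always returns NULL; the object may already have been freed by link_qdisc_drop_marked(). */`, or a follow-up change to void, would make that explicit. It would also help to state in link_qdisc_drop_marked() and link_tclass_drop_marked() why freeing inside SET_FOREACH is acceptable, e.g. `/* Only the current entry is removed while iterating, which the set iterator permits. */`, since that invariant is the whole point of the mark/drop split described in the commit message.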
diff --git a/backport-network-tc-fix-stack-overflow-when-dropping-tclass-o.patch b/backport-network-tc-fix-stack-overflow-when-dropping-tclass-o.patch new file mode 100644 index 0000000..0ebbdf2 --- /dev/null +++ b/backport-network-tc-fix-stack-overflow-when-dropping-tclass-o.patch 
@@ -0,0 +1,70 @@
+From af95833d49ee4a77511d5ce9a507f9c74352347c Mon Sep 17 00:00:00 2001
+From: Yu Watanabe
+Date: Sat, 13 Apr 2024 08:46:44 +0900
+Subject: [PATCH 0527/1160] network/tc: fix stack overflow when dropping tclass
+ or qdisc
+
+Fixes a bug introduced by be8e93390003e45acbb318c6e1e48fbc3c772f78 (v255).
+
+Fixes #32247.
+Fixes #32254.
+
+(cherry picked from commit 632d321050f58fe1b5bed7cfe769d212377c0301)
+---
+ src/network/tc/qdisc.c | 6 ++++++
+ src/network/tc/tclass.c | 6 ++++++
+ 2 files changed, 12 insertions(+)
+
+diff --git a/src/network/tc/qdisc.c b/src/network/tc/qdisc.c
+index f20f410497..f9b943787c 100644
+--- a/src/network/tc/qdisc.c
++++ b/src/network/tc/qdisc.c
+@@ -293,14 +293,20 @@ QDisc* qdisc_drop(QDisc *qdisc) {
+
+ link = ASSERT_PTR(qdisc->link);
+
++ qdisc_mark(qdisc); /* To avoid stack overflow. */
++
+ /* also drop all child classes assigned to the qdisc. */
+ SET_FOREACH(tclass, link->tclasses) {
++ if (tclass_is_marked(tclass))
++ continue;
++
+ if (TC_H_MAJ(tclass->classid) != qdisc->handle)
+ continue;
+
+ tclass_drop(tclass);
+ }
+
++ qdisc_unmark(qdisc);
+ qdisc_enter_removed(qdisc);
+
+ if (qdisc->state == 0) {
+diff --git a/src/network/tc/tclass.c b/src/network/tc/tclass.c
+index 0a5fec0234..394e06ddec 100644
+--- a/src/network/tc/tclass.c
++++ b/src/network/tc/tclass.c
+@@ -260,14 +260,20 @@ TClass* tclass_drop(TClass *tclass) {
+
+ link = ASSERT_PTR(tclass->link);
+
++ tclass_mark(tclass); /* To avoid stack overflow. */
++
+ /* Also drop all child qdiscs assigned to the class. */
+ SET_FOREACH(qdisc, link->qdiscs) {
++ if (qdisc_is_marked(qdisc))
++ continue;
++
+ if (qdisc->parent != tclass->classid)
+ continue;
+
+ qdisc_drop(qdisc);
+ }
+
++ tclass_unmark(tclass);
+ tclass_enter_removed(tclass);
+
+ if (tclass->state == 0) {
+--
+2.33.0
+
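Review bot: This patch has to be applied before the "network/tc: Avoid concurrent set modification" backport in this series: that patch's `index f9b943787c..43f5c7379f` for qdisc.c and `index 394e06ddec..fc74c487df` for tclass.c expect exactly the blobs this patch produces (`f20f410497..f9b943787c`, `0a5fec0234..394e06ddec`), so the spec's patch order must keep them adjacent in this order. The mark/unmark guard added here only stops the mutual recursion; tclass_drop() and qdisc_drop() still remove entries from link->tclasses / link->qdiscs while outer SET_FOREACH iterators over the same sets are open, which is what the later patch then addresses. qdisc_drop() and tclass_drop() continue outside the hunks.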
diff --git a/backport-network-the-maximum-MTU-size-for-CAN-interface-may-b.patch b/backport-network-the-maximum-MTU-size-for-CAN-interface-may-b.patch new file mode 100644 index 0000000..3e9c7f9 --- /dev/null +++ b/backport-network-the-maximum-MTU-size-for-CAN-interface-may-b.patch 
@@ -0,0 +1,53 @@ +From d238ead08297f1e4a46a72953d2c5377fbe3111c Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Thu, 23 Nov 2023 05:36:43 +0900 +Subject: [PATCH 0050/1160] network: the maximum MTU size for CAN interface may + be changed later + +So we should not reduce the requested size to the current maximum +before applying CAN FD mode. + +(cherry picked from commit 15be80428204b57ca55272d2b45703047ad6f28d) +--- + src/network/networkd-setlink.c | 17 +++++++++++++---- + 1 file changed, 13 insertions(+), 4 deletions(-) + +diff --git a/src/network/networkd-setlink.c b/src/network/networkd-setlink.c +index 954fd7947d..2298f9ea3a 100644 +--- a/src/network/networkd-setlink.c ++++ b/src/network/networkd-setlink.c +@@ -848,7 +848,7 @@ int link_request_to_set_master(Link *link) { + + int link_request_to_set_mtu(Link *link, uint32_t mtu) { + const char *origin; +- uint32_t min_mtu; ++ uint32_t min_mtu, max_mtu; + Request *req; + int r; + +@@ -876,10 +876,19 @@ int link_request_to_set_mtu(Link *link, uint32_t mtu) { + mtu = min_mtu; + } + +- if (mtu > link->max_mtu) { ++ max_mtu = link->max_mtu; ++ if (link->iftype == ARPHRD_CAN) ++ /* The maximum MTU may be changed when FD mode is changed. ++ * See https://docs.kernel.org/networking/can.html#can-fd-flexible-data-rate-driver-support ++ * MTU = 16 (CAN_MTU) => Classical CAN device ++ * MTU = 72 (CANFD_MTU) => CAN FD capable device ++ * So, even if the current maximum is 16, we should not reduce the requested value now. */ ++ max_mtu = MAX(max_mtu, 72u); ++ ++ if (mtu > max_mtu) { + log_link_warning(link, "Reducing the requested MTU %"PRIu32" to the interface's maximum MTU %"PRIu32".", +- mtu, link->max_mtu); +- mtu = link->max_mtu; ++ mtu, max_mtu); ++ mtu = max_mtu; + } + + if (link->mtu == mtu) +-- +2.33.0 + diff --git a/backport-network-tunnel-allow-Local-Remote-any-for-all-tunnel.patch b/backport-network-tunnel-allow-Local-Remote-any-for-all-tunnel.patch new file mode 100644 index 0000000..937bb96 --- /dev/null 
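Review bot: `max_mtu = MAX(max_mtu, 72u);` hard-codes the CAN FD MTU that the comment directly above names as `CANFD_MTU`; if `<linux/can.h>` is available in networkd-setlink.c (not visible here), `max_mtu = MAX(max_mtu, (uint32_t) CANFD_MTU);` would tie the value to the kernel definition instead of a bare literal. With the raised ceiling a request above the device's current `link->max_mtu` is now passed through for CAN links, so if FD mode is never enabled the kernel's own rejection is the only feedback; a debug line after the MAX(), e.g. `log_link_debug(link, "Requested MTU %"PRIu32" exceeds current maximum %"PRIu32", relying on CAN FD mode to raise it.", mtu, link->max_mtu);`, would make that visible. link_request_to_set_mtu() continues outside the hunk.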
+++ b/backport-network-tunnel-allow-Local-Remote-any-for-all-tunnel.patch 
@@ -0,0 +1,72 @@ +From 81c84336f47e1bcfa3b63ae4eb3889e249537e64 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Wed, 30 Oct 2024 02:51:18 +0900 +Subject: [PATCH 0999/1160] network/tunnel: allow Local=/Remote=any for all + tunnel types + +It seems there is no restriction for local and remote addresses. + +Fixes #34930. + +(cherry picked from commit 5e48fd0506ed6212c9db2276d5845ab77aa9bce4) +(cherry picked from commit 3093ac05abcaf5a43f75ec1d5702ed226cc3ce31) +--- + src/network/netdev/tunnel.c | 35 ++++++++++++++--------------------- + 1 file changed, 14 insertions(+), 21 deletions(-) + +diff --git a/src/network/netdev/tunnel.c b/src/network/netdev/tunnel.c +index db84e7cf6e..ab3b8fbb51 100644 +--- a/src/network/netdev/tunnel.c ++++ b/src/network/netdev/tunnel.c +@@ -681,34 +681,27 @@ static int netdev_tunnel_verify(NetDev *netdev, const char *filename) { + } + } + +- if (IN_SET(netdev->kind, NETDEV_KIND_VTI, NETDEV_KIND_IPIP, NETDEV_KIND_SIT, NETDEV_KIND_GRE) && +- !IN_SET(t->family, AF_UNSPEC, AF_INET)) +- return log_netdev_error_errno(netdev, SYNTHETIC_ERRNO(EINVAL), +- "vti/ipip/sit/gre tunnel without a local/remote IPv4 address configured in %s. Ignoring", filename); +- +- if (IN_SET(netdev->kind, NETDEV_KIND_GRETAP, NETDEV_KIND_ERSPAN) && +- (t->family != AF_INET || !in_addr_is_set(t->family, &t->remote))) +- return log_netdev_error_errno(netdev, SYNTHETIC_ERRNO(EINVAL), +- "gretap/erspan tunnel without a remote IPv4 address configured in %s. 
Ignoring", filename); ++ if (IN_SET(netdev->kind, NETDEV_KIND_VTI, NETDEV_KIND_IPIP, NETDEV_KIND_SIT, NETDEV_KIND_GRE, NETDEV_KIND_GRETAP, NETDEV_KIND_ERSPAN)) { ++ if (!IN_SET(t->family, AF_UNSPEC, AF_INET)) ++ return log_netdev_error_errno(netdev, SYNTHETIC_ERRNO(EINVAL), ++ "%s tunnel without a local/remote IPv4 address configured in %s, ignoring.", ++ netdev_kind_to_string(netdev->kind), filename); + +- if ((IN_SET(netdev->kind, NETDEV_KIND_VTI6, NETDEV_KIND_IP6TNL) && t->family != AF_INET6) || +- (netdev->kind == NETDEV_KIND_IP6GRE && !IN_SET(t->family, AF_UNSPEC, AF_INET6))) +- return log_netdev_error_errno(netdev, SYNTHETIC_ERRNO(EINVAL), +- "vti6/ip6tnl/ip6gre tunnel without a local/remote IPv6 address configured in %s. Ignoring", filename); ++ t->family = AF_INET; /* For netlink_message_append_in_addr_union(). */ ++ } + +- if (netdev->kind == NETDEV_KIND_IP6GRETAP && +- (t->family != AF_INET6 || !in_addr_is_set(t->family, &t->remote))) +- return log_netdev_error_errno(netdev, SYNTHETIC_ERRNO(EINVAL), +- "ip6gretap tunnel without a remote IPv6 address configured in %s. Ignoring", filename); ++ if (IN_SET(netdev->kind, NETDEV_KIND_VTI6, NETDEV_KIND_IP6TNL, NETDEV_KIND_IP6GRE, NETDEV_KIND_IP6GRETAP)) { ++ if (!IN_SET(t->family, AF_UNSPEC, AF_INET6)) ++ return log_netdev_error_errno(netdev, SYNTHETIC_ERRNO(EINVAL), ++ "%s tunnel without a local/remote IPv6 address configured in %s, ignoring,", ++ netdev_kind_to_string(netdev->kind), filename); ++ t->family = AF_INET6; /* For netlink_message_append_in_addr_union(). */ ++ } + + if (t->fou_tunnel && t->fou_destination_port <= 0) + return log_netdev_error_errno(netdev, SYNTHETIC_ERRNO(EINVAL), + "FooOverUDP missing port configured in %s. Ignoring", filename); + +- /* netlink_message_append_in_addr_union() is used for vti/vti6. So, t->family cannot be AF_UNSPEC. */ +- if (netdev->kind == NETDEV_KIND_VTI) +- t->family = AF_INET; +- + if (t->assign_to_loopback) + t->independent = true; + +-- +2.33.0 + 
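Review bot: The IPv6 branch's error string ends in a comma, `"%s tunnel without a local/remote IPv6 address configured in %s, ignoring,"`, where the IPv4 branch directly above ends with `ignoring.`; it should read `"%s tunnel without a local/remote IPv6 address configured in %s, ignoring."`. The removed gretap/erspan/ip6gretap checks also required a remote address (`in_addr_is_set(t->family, &t->remote)`) and the new code accepts AF_UNSPEC for those kinds, which the commit message says is intentional; a one-line comment at the top of the block, `/* Local=/Remote= may both be unset (any) for every tunnel kind; only the address family must match. */`, would record that so the check is not reintroduced by accident. netdev_tunnel_verify() starts before the hunk.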
diff --git a/backport-network-update-MTU-after-CAN-specific-configs-applie.patch b/backport-network-update-MTU-after-CAN-specific-configs-applie.patch
new file mode 100644
index 0000000..14354f5
--- /dev/null
+++ b/backport-network-update-MTU-after-CAN-specific-configs-applie.patch
@@ -0,0 +1,48 @@
+From a2534533721eda624eaf066c0deed1eec5e5117a Mon Sep 17 00:00:00 2001
+From: Yu Watanabe
+Date: Thu, 23 Nov 2023 05:19:24 +0900
+Subject: [PATCH 0049/1160] network: update MTU after CAN specific configs
+ applied
+
+Changing FD mode may trigger change of MTU and maximum MTU size.
+See kernel documents about CAN FD mode:
+https://docs.kernel.org/networking/can.html#can-fd-flexible-data-rate-driver-support
+
+(cherry picked from commit a60cc587d456c83e8bf77bc3d7fe3c9ed10f3c40)
+---
+ src/network/networkd-setlink.c | 18 +++++++++++++-----
+ 1 file changed, 13 insertions(+), 5 deletions(-)
+
+diff --git a/src/network/networkd-setlink.c b/src/network/networkd-setlink.c
+index 541c4b8a72..954fd7947d 100644
+--- a/src/network/networkd-setlink.c
++++ b/src/network/networkd-setlink.c
+@@ -561,12 +561,20 @@ static int link_is_ready_to_set_link(Link *link, Request *req) {
+ break;
+ }
+ case REQUEST_TYPE_SET_LINK_MTU: {
+- Request req_ipoib = {
+- .link = link,
+- .type = REQUEST_TYPE_SET_LINK_IPOIB,
+- };
++ if (ordered_set_contains(link->manager->request_queue,
++ &(const Request) {
++ .link = link,
++ .type = REQUEST_TYPE_SET_LINK_IPOIB,
++ }))
++ return false;
+
+- return !ordered_set_contains(link->manager->request_queue, &req_ipoib);
++ /* Changing FD mode may affect MTU. */
++ if (ordered_set_contains(link->manager->request_queue,
++ &(const Request) {
++ .link = link,
++ .type = REQUEST_TYPE_SET_LINK_CAN,
++ }))
++ return false;
+ }
+ default:
+ break;
+--
+2.33.0
+
diff --git a/backport-networkd-Correct-documentation-for-LinkLocalAddressi.patch b/backport-networkd-Correct-documentation-for-LinkLocalAddressi.patch
new file mode 100644
index 0000000..cd06060
--- /dev/null
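Review bot: The rewritten `case REQUEST_TYPE_SET_LINK_MTU:` block no longer ends in a `return`; after the second `if (...) return false;` control falls through the closing `}` into `default: break;`, whereas the case directly above it ends with an explicit `break;`. Adding `break;` as the last statement of the block (before its `}`) makes the fall-through explicit, matches the neighbouring case, and keeps the block correct if a statement is ever added to `default:`. link_is_ready_to_set_link() starts before the hunk and its post-switch return is not visible here.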
+++ b/backport-networkd-Correct-documentation-for-LinkLocalAddressi.patch @@ -0,0 +1,44 @@ +From 586e10fa612c4740517acdd67727ed8a4ac9166d Mon Sep 17 00:00:00 2001 +From: Mathias Lang +Date: Thu, 25 Apr 2024 12:29:53 +0200 +Subject: [PATCH 0578/1160] networkd: Correct documentation for + LinkLocalAddressing + +LinkLocalAddressing accepts a boolean. This can be seen by looking at +`link_local_address_family_from_strong(cont char *s)` in +`src/network/netword-util.c#L102-108` which falls back to +`address_family_from_string`, defined two lines above (L100) +using `DEFINE_STRING_TABLE_LOOKUP_WITH_BOOLEAN`. + +(cherry picked from commit 07b6924de4d83c0d66ddfe92d3f2df4995e1e087) +--- + man/systemd.network.xml | 13 ++++++------- + 1 file changed, 6 insertions(+), 7 deletions(-) + +diff --git a/man/systemd.network.xml b/man/systemd.network.xml +index 5f0a703e8c..0aee0123b8 100644 +--- a/man/systemd.network.xml ++++ b/man/systemd.network.xml +@@ -397,13 +397,12 @@ + + LinkLocalAddressing= + +- Enables link-local address autoconfiguration. Accepts , +- , , and . An IPv6 link-local +- address is configured when or . An IPv4 link-local +- address is configured when or and when DHCPv4 +- autoconfiguration has been unsuccessful for some time. (IPv4 link-local address +- autoconfiguration will usually happen in parallel with repeated attempts to acquire a DHCPv4 +- lease). ++ Enables link-local address autoconfiguration. Accepts a boolean, , ++ and . An IPv6 link-local address is configured when ++ or . An IPv4 link-local address is configured when ++ or and when DHCPv4 autoconfiguration has been unsuccessful for some time. ++ (IPv4 link-local address autoconfiguration will usually happen in parallel with repeated attempts ++ to acquire a DHCPv4 lease). + + Defaults to when KeepMaster= or + Bridge= is set or when the specified +-- +2.33.0 + 
diff --git a/backport-networkd-raise-limits-on-number-of-address-8x.patch b/backport-networkd-raise-limits-on-number-of-address-8x.patch
new file mode 100644
index 0000000..6a4514b
--- /dev/null
+++ b/backport-networkd-raise-limits-on-number-of-address-8x.patch
@@ -0,0 +1,36 @@
+From c0d234ac2ed0cb14f237f8aa4ea61abc5bdb4a11 Mon Sep 17 00:00:00 2001
+From: Lennart Poettering
+Date: Fri, 18 Oct 2024 09:19:23 +0200
+Subject: [PATCH 0957/1160] networkd: raise limits on number of address 8x
+
+Limits should be enforced, but not in a way real setups collide with
+them.
+
+There have been multiple reports that current limits are too low, hence
+raise them 8x.
+
+Fixes: #24852
+(cherry picked from commit af7674f4ad30e83efc84f04c45f01e6eff137702)
+(cherry picked from commit dc47ba69fcc6ff01b813777b126f4cf9b571a9c9)
+---
+ src/network/networkd-address.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/network/networkd-address.c b/src/network/networkd-address.c
+index 0e4d87b000..a8d460f9f0 100644
+--- a/src/network/networkd-address.c
++++ b/src/network/networkd-address.c
+@@ -23,8 +23,8 @@
+ #include "strv.h"
+ #include "strxcpyx.h"
+
+-#define ADDRESSES_PER_LINK_MAX 2048U
+-#define STATIC_ADDRESSES_PER_NETWORK_MAX 1024U
++#define ADDRESSES_PER_LINK_MAX 16384U
++#define STATIC_ADDRESSES_PER_NETWORK_MAX 8192U
+
+ #define KNOWN_FLAGS \
+ (IFA_F_SECONDARY | \
+--
+2.33.0
+
diff --git a/backport-networkd-show-wireguard-private-key-read-error-numbe.patch b/backport-networkd-show-wireguard-private-key-read-error-numbe.patch
new file mode 100644
index 0000000..14e8eb6
--- /dev/null
+++ b/backport-networkd-show-wireguard-private-key-read-error-numbe.patch
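Review bot: The two limits are raised 8x without a comment on what they bound; if ADDRESSES_PER_LINK_MAX also caps addresses learned from the network rather than from configuration (cannot be confirmed from this hunk), the increase proportionally raises how much state a peer can make networkd retain per link, which is worth knowing when reviewing the backport. A comment above the defines, `/* Upper bounds on addresses tracked per link and configured per .network; raised 8x after reports that real deployments exceeded the old values (#24852). */`, would record the rationale next to the values.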
@@ -0,0 +1,31 @@
+From 549bf6fcb7fad4d98d7776f086b952be6f1007cf Mon Sep 17 00:00:00 2001
+From: Lennart Poettering
+Date: Mon, 16 Dec 2024 17:19:59 +0100
+Subject: [PATCH 1062/1160] networkd: show wireguard private key read error
+ number
+
+Noticed while looking at #35641
+
+(cherry picked from commit 0543b02cf8211353c0bb1065e09614f551944a41)
+(cherry picked from commit b5dc1922f9bd0a64cf17be8c503baba58bf5ba82)
+(cherry picked from commit d70b87ae322d16ee7aa8c15ea567ce5499f79df3)
+---
+ src/network/netdev/wireguard.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/network/netdev/wireguard.c b/src/network/netdev/wireguard.c
+index 4c7d837c41..52fed20b57 100644
+--- a/src/network/netdev/wireguard.c
++++ b/src/network/netdev/wireguard.c
+@@ -1085,7 +1085,7 @@ static int wireguard_verify(NetDev *netdev, const char *filename) {
+ r = wireguard_read_key_file(w->private_key_file, w->private_key);
+ if (r < 0)
+ return log_netdev_error_errno(netdev, r,
+- "Failed to read private key from %s. Ignoring network device.",
++ "Failed to read private key from '%s', ignoring network device: %m",
+ w->private_key_file);
+
+ if (eqzero(w->private_key))
+--
+2.33.0
+
diff --git a/backport-nspawn-Check-later-whether-to-keep-drop-CAP_NET_BIND.patch b/backport-nspawn-Check-later-whether-to-keep-drop-CAP_NET_BIND.patch
new file mode 100644
index 0000000..8e70026
--- /dev/null
+++ b/backport-nspawn-Check-later-whether-to-keep-drop-CAP_NET_BIND.patch
@@ -0,0 +1,49 @@ +From f665b58af742c5e95b1e33cc58443e1dd34acdd5 Mon Sep 17 00:00:00 2001 +From: Daan De Meyer +Date: Tue, 5 Dec 2023 10:24:13 +0100 +Subject: [PATCH 0019/1160] nspawn: Check later whether to keep/drop + CAP_NET_BIND_SERVICE + +Currently the check doesn't take any settings from nspawn settings +files into account, so let's delay the check until after we've +loaded any settings file. + +(cherry picked from commit dd78141c530a141f170867b3fc5572b577168759) +--- + src/nspawn/nspawn.c | 13 ++++++------- + 1 file changed, 6 insertions(+), 7 deletions(-) + +diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c +index 8ac86eeb55..6ab604d3dc 100644 +--- a/src/nspawn/nspawn.c ++++ b/src/nspawn/nspawn.c +@@ -1632,13 +1632,6 @@ static int parse_argv(int argc, char *argv[]) { + + arg_caps_retain |= plus; + arg_caps_retain |= arg_private_network ? UINT64_C(1) << CAP_NET_ADMIN : 0; +- +- /* If we're not unsharing the network namespace and are unsharing the user namespace, we won't have +- * permissions to bind ports in the container, so let's drop the CAP_NET_BIND_SERVICE capability to +- * indicate that. */ +- if (!arg_private_network && arg_userns_mode != USER_NAMESPACE_NO && arg_uid_shift > 0) +- arg_caps_retain &= ~(UINT64_C(1) << CAP_NET_BIND_SERVICE); +- + arg_caps_retain &= ~minus; + + /* Make sure to parse environment before we reset the settings mask below */ +@@ -5420,6 +5413,12 @@ static int run(int argc, char *argv[]) { + if (r < 0) + goto finish; + ++ /* If we're not unsharing the network namespace and are unsharing the user namespace, we won't have ++ * permissions to bind ports in the container, so let's drop the CAP_NET_BIND_SERVICE capability to ++ * indicate that. 
*/ ++ if (!arg_private_network && arg_userns_mode != USER_NAMESPACE_NO && arg_uid_shift > 0) ++ arg_caps_retain &= ~(UINT64_C(1) << CAP_NET_BIND_SERVICE); ++ + r = cg_unified(); + if (r < 0) { + log_error_errno(r, "Failed to determine whether the unified cgroups hierarchy is used: %m"); +-- +2.33.0 + diff --git a/backport-nspawn-Include-arm_fadvise64_64-in-syscall-allow_lis.patch b/backport-nspawn-Include-arm_fadvise64_64-in-syscall-allow_lis.patch new file mode 100644 index 0000000..9db3351 --- /dev/null +++ b/backport-nspawn-Include-arm_fadvise64_64-in-syscall-allow_lis.patch @@ -0,0 +1,34 @@ +From 8bf58cddbfd6e9e1d6ebe1bedc5c821bb5b359b5 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Micha=C5=82=20G=C3=B3rny?= +Date: Sun, 17 Nov 2024 16:34:35 +0100 +Subject: [PATCH 1037/1160] nspawn: Include arm_fadvise64_64 in syscall + allow_list + +Add the `arm_fadvise64_64` syscall to the allow_list, in addition +to the existing `fadvise64` and `fadvise64_64` syscalls, as this is +the syscall actually defined for `arm` architecture. Adding it fixes +the syscall being rejected in arm32 containers. + +Fixes #35194 + +(cherry picked from commit 7fd70a532681c0ea4cd6ff04d1a7950dae3efc8c) +(cherry picked from commit 964ced4100fb5f5b5d41b988512f681a1b0b20f7) +--- + src/nspawn/nspawn-seccomp.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/nspawn/nspawn-seccomp.c b/src/nspawn/nspawn-seccomp.c +index 673b627c3b..7dac7f330e 100644 +--- a/src/nspawn/nspawn-seccomp.c ++++ b/src/nspawn/nspawn-seccomp.c +@@ -50,6 +50,7 @@ static int add_syscall_filters( + { CAP_IPC_LOCK, "@memlock" }, + + /* Plus a good set of additional syscalls which are not part of any of the groups above */ ++ { 0, "arm_fadvise64_64" }, + { 0, "brk" }, + { 0, "capget" }, + { 0, "capset" }, +-- +2.33.0 + diff --git a/backport-nspawn-don-t-try-to-unregister-a-machine-we-never-re.patch b/backport-nspawn-don-t-try-to-unregister-a-machine-we-never-re.patch new file mode 100644 index 0000000..b9650e6 --- /dev/null 
+++ b/backport-nspawn-don-t-try-to-unregister-a-machine-we-never-re.patch
@@ -0,0 +1,32 @@
+From 85804e690d3531ca7582e7b9f52ca9cb1b9c9b6c Mon Sep 17 00:00:00 2001
+From: Lennart Poettering
+Date: Wed, 27 Nov 2024 10:26:04 +0100
+Subject: [PATCH 1033/1160] nspawn: don't try to unregister a machine we never
+ registered
+
+When registering we condition this on "arg_register". Let's do the same
+when unregistering, otherwise we might end up trying to unregister a
+machine we never registered.
+
+(cherry picked from commit 0790f4e45f2f8c094bf929aa1fcaf4c7e9dbb001)
+(cherry picked from commit 6f346ef75635b549166d1be04b1dcb620f1b724c)
+---
+ src/nspawn/nspawn.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
+index 541ff94366..005a3d2be1 100644
+--- a/src/nspawn/nspawn.c
++++ b/src/nspawn/nspawn.c
+@@ -5237,7 +5237,7 @@ static int run_container(
+ r = wait_for_container(TAKE_PID(*pid), &container_status);
+
+ /* Tell machined that we are gone. */
+- if (bus)
++ if (arg_register && bus)
+ (void) unregister_machine(bus, arg_machine);
+
+ if (r < 0)
+--
+2.33.0
+
diff --git a/backport-nspawn-ignore-failure-in-creating-dev-net-tun-when-p.patch b/backport-nspawn-ignore-failure-in-creating-dev-net-tun-when-p.patch
new file mode 100644
index 0000000..1de8b15
--- /dev/null
+++ b/backport-nspawn-ignore-failure-in-creating-dev-net-tun-when-p.patch
@@ -0,0 +1,66 @@ +From 45b39f98c9abfcf305641d697392aacbf5e022d0 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Wed, 13 Nov 2024 13:36:11 +0900 +Subject: [PATCH 1010/1160] nspawn: ignore failure in creating /dev/net/tun + when --private-network is unspecified + +Follow-up for efedb6b0f3cff37950112fd37cb750c16d599bc7. +Closes #35116. + +(cherry picked from commit 985ea98e7f90c92fcc0b8441fafb190353d2feb8) +Really rewritten from scratch. +(cherry picked from commit 04ee5e25a1082d4c6c0c52a154d5ad5fc959a853) +--- + src/nspawn/nspawn.c | 22 +++++++++++++++++++--- + 1 file changed, 19 insertions(+), 3 deletions(-) + +diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c +index a229c70875..c067417c34 100644 +--- a/src/nspawn/nspawn.c ++++ b/src/nspawn/nspawn.c +@@ -2161,6 +2161,7 @@ static int copy_devnodes(const char *dest) { + NULSTR_FOREACH(d, devnodes) { + _cleanup_free_ char *from = NULL, *to = NULL; + struct stat st; ++ bool ignore_mknod_failure = streq(d, "net/tun"); + + from = path_join("/dev/", d); + if (!from) +@@ -2185,16 +2186,31 @@ static int copy_devnodes(const char *dest) { + /* Explicitly warn the user when /dev is already populated. */ + if (errno == EEXIST) + log_notice("%s/dev is pre-mounted and pre-populated. If a pre-mounted /dev is provided it needs to be an unpopulated file system.", dest); +- if (errno != EPERM || arg_uid_shift != 0) ++ if (errno != EPERM || arg_uid_shift != 0) { ++ if (ignore_mknod_failure) { ++ log_debug_errno(r, "mknod(%s) failed, ignoring: %m", to); ++ return 0; ++ } + return log_error_errno(errno, "mknod(%s) failed: %m", to); ++ } + + /* Some systems abusively restrict mknod but allow bind mounts. 
*/ + r = touch(to); +- if (r < 0) ++ if (r < 0) { ++ if (ignore_mknod_failure) { ++ log_debug_errno(r, "touch (%s) failed, ignoring: %m", to); ++ return 0; ++ } + return log_error_errno(r, "touch (%s) failed: %m", to); ++ } + r = mount_nofollow_verbose(LOG_DEBUG, from, to, NULL, MS_BIND, NULL); +- if (r < 0) ++ if (r < 0) { ++ if (ignore_mknod_failure) { ++ log_debug_errno(r, "Both mknod and bind mount (%s) failed, ignoring: %m", to); ++ return 0; ++ } + return log_error_errno(r, "Both mknod and bind mount (%s) failed: %m", to); ++ } + } else { + r = userns_lchown(to, 0, 0); + if (r < 0) +-- +2.33.0 + diff --git a/backport-nspawn-improve-log-message-on-bad-incoming-sd_notify.patch b/backport-nspawn-improve-log-message-on-bad-incoming-sd_notify.patch new file mode 100644 index 0000000..ae89798 --- /dev/null +++ b/backport-nspawn-improve-log-message-on-bad-incoming-sd_notify.patch 
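Review bot: In the mknod branch the new `log_debug_errno(r, "mknod(%s) failed, ignoring: %m", to);` reports `r`, but the failure came from mknod() and lives in `errno` — the adjacent `return log_error_errno(errno, "mknod(%s) failed: %m", to);` uses errno, and `r` holds a stale value at that point — so it should be `log_debug_errno(errno, "mknod(%s) failed, ignoring: %m", to);`. In all three ignore branches `return 0;` leaves copy_devnodes() entirely, skipping any entry after "net/tun" in the devnodes NUL-string list; that is only correct if "net/tun" is the last entry (the list is outside the hunk), whereas `continue;` would move on to the next node regardless of ordering. copy_devnodes() begins before the hunk.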
@@ -0,0 +1,30 @@
+From 5b6e91434eb6b253514516044e372f744ac2e364 Mon Sep 17 00:00:00 2001
+From: Lennart Poettering
+Date: Sat, 23 Nov 2024 00:04:43 +0100
+Subject: [PATCH 1029/1160] nspawn: improve log message on bad incoming
+ sd_notify() message
+
+It's the PID that is wrong, not the UID/GID, be precise.
+
+(cherry picked from commit 95116bdfd5d45cc1a7c6588e6b8bdcb0d0e007a6)
+(cherry picked from commit 95c20d0b627654626924eadaf65bc1825bb38701)
+---
+ src/nspawn/nspawn.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
+index 68362c65f3..541ff94366 100644
+--- a/src/nspawn/nspawn.c
++++ b/src/nspawn/nspawn.c
+@@ -4220,7 +4220,7 @@ static int nspawn_dispatch_notify_fd(sd_event_source *source, int fd, uint32_t r
+
+ ucred = CMSG_FIND_DATA(&msghdr, SOL_SOCKET, SCM_CREDENTIALS, struct ucred);
+ if (!ucred || ucred->pid != inner_child_pid) {
+- log_debug("Received notify message without valid credentials. Ignoring.");
++ log_debug("Received notify message from process that is not the payload's PID 1. Ignoring.");
+ return 0;
+ }
+
+--
+2.33.0
+
diff --git a/backport-nspawn-make-sure-private-users-ownership-no-and-off-.patch b/backport-nspawn-make-sure-private-users-ownership-no-and-off-.patch
new file mode 100644
index 0000000..ecd7d4d
--- /dev/null
+++ b/backport-nspawn-make-sure-private-users-ownership-no-and-off-.patch
@@ -0,0 +1,33 @@
+From 4b384a35349624547b07ab4a33d8100306e79b01 Mon Sep 17 00:00:00 2001
+From: Lennart Poettering
+Date: Wed, 27 Nov 2024 10:20:21 +0100
+Subject: [PATCH 1035/1160] nspawn: make sure --private-users-ownership=no and
+ =off work the same way
+
+We usually want to use "extended booleans" for cases like this, i.e.
+that "off", "no" and "0" can be used interchangably for turning
+something off.
+
+(cherry picked from commit 62f3e2f84aa3413081fc1c1e1c3074fc9aeedbc9)
+(cherry picked from commit 7a307c5939b0787727b144197090a0ae34cbd813)
+---
+ src/nspawn/nspawn-settings.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/nspawn/nspawn-settings.c b/src/nspawn/nspawn-settings.c
+index 161b1c1c70..2bb034eb22 100644
+--- a/src/nspawn/nspawn-settings.c
++++ b/src/nspawn/nspawn-settings.c
+@@ -936,7 +936,8 @@ static const char *const user_namespace_ownership_table[_USER_NAMESPACE_OWNERSHI
+ [USER_NAMESPACE_OWNERSHIP_AUTO] = "auto",
+ };
+
+-DEFINE_STRING_TABLE_LOOKUP(user_namespace_ownership, UserNamespaceOwnership);
++/* Note: while "yes" maps to "auto" here, we don't really document that, in order to make things clearer and less confusing to users. */
++DEFINE_STRING_TABLE_LOOKUP_WITH_BOOLEAN(user_namespace_ownership, UserNamespaceOwnership, USER_NAMESPACE_OWNERSHIP_AUTO);
+
+ int config_parse_userns_chown(
+ const char *unit,
+--
+2.33.0
+
diff --git a/backport-nspawn-pass-the-right-error-variable.patch b/backport-nspawn-pass-the-right-error-variable.patch
new file mode 100644
index 0000000..0cc6d85
--- /dev/null
+++ b/backport-nspawn-pass-the-right-error-variable.patch
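Review bot: `DEFINE_STRING_TABLE_LOOKUP_WITH_BOOLEAN(..., USER_NAMESPACE_OWNERSHIP_AUTO)` only names the value a true string maps to; the false strings ("no", "off", "0") resolve to whichever enumerator has value 0, so the commit's goal of `=no` behaving like `=off` holds only if the "off" entry is the first member of the enum (the enum is outside the hunk). Extending the added comment, e.g. `/* "no"/"off"/"0" map to the zero-valued entry, which must stay the "off" member. */`, or adding `assert_cc(USER_NAMESPACE_OWNERSHIP_OFF == 0);` next to the table (assuming that is the enumerator's name), would pin that assumption down.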
@@ -0,0 +1,26 @@ +From d8281b2ab916694dd670a88d16cc50a2d8909a19 Mon Sep 17 00:00:00 2001 +From: David Tardon +Date: Tue, 7 May 2024 13:40:53 +0200 +Subject: [PATCH 0598/1160] nspawn: pass the right error variable + +(cherry picked from commit 192a452d1ca04cd32153d104e9e3b3c3a6957106) +--- + src/nspawn/nspawn.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c +index e46cc1ce01..0600f3e014 100644 +--- a/src/nspawn/nspawn.c ++++ b/src/nspawn/nspawn.c +@@ -2620,7 +2620,7 @@ static int setup_journal(const char *directory) { + + r = mount_nofollow_verbose(LOG_DEBUG, p, q, NULL, MS_BIND, NULL); + if (r < 0) +- return log_error_errno(errno, "Failed to bind mount journal from host into guest: %m"); ++ return log_error_errno(r, "Failed to bind mount journal from host into guest: %m"); + + return 0; + } +-- +2.33.0 + diff --git a/backport-nspawn-permit-ephemeral-with-link-journal-try-treat-.patch b/backport-nspawn-permit-ephemeral-with-link-journal-try-treat-.patch new file mode 100644 index 0000000..bf3ee90 --- /dev/null +++ b/backport-nspawn-permit-ephemeral-with-link-journal-try-treat-.patch 
@@ -0,0 +1,53 @@ +From 9a678a258d94a2fa7c02c8085d500cb07ae5b49e Mon Sep 17 00:00:00 2001 +From: Ivan Shapovalov +Date: Sat, 20 Jan 2024 12:52:28 +0100 +Subject: [PATCH 0292/1160] nspawn: permit --ephemeral with + --link-journal=try-* (treat as =no) + +Common sense says that to "try" something means "to not fail if +something turns out not to be possible", thus do not make this +combination a hard error. + +The actual implementation ignores any --link-journal= setting when +--ephemeral is in effect, so the semantics are upheld. + +(cherry picked from commit 00fcd79e65305a0d2657312b001467a055b04801) +--- + man/systemd-nspawn.xml | 3 ++- + src/nspawn/nspawn.c | 6 ++++-- + 2 files changed, 6 insertions(+), 3 deletions(-) + +diff --git a/man/systemd-nspawn.xml b/man/systemd-nspawn.xml +index 248105ffec..e1e6d84fa3 100644 +--- a/man/systemd-nspawn.xml ++++ b/man/systemd-nspawn.xml +@@ -1435,7 +1435,8 @@ After=sys-subsystem-net-devices-ens1.device + and the subdirectory is symlinked into the host at the same + location. try-host and + try-guest do the same but do not fail if +- the host does not have persistent journaling enabled. If ++ the host does not have persistent journaling enabled, or if ++ the container is in the mode. If + auto (the default), and the right + subdirectory of /var/log/journal exists, + it will be bind mounted into the container. 
If the +diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c +index 6ab604d3dc..e46cc1ce01 100644 +--- a/src/nspawn/nspawn.c ++++ b/src/nspawn/nspawn.c +@@ -1716,8 +1716,10 @@ static int verify_arguments(void) { + if (arg_ephemeral && arg_template) + return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "--ephemeral and --template= may not be combined."); + +- if (arg_ephemeral && !IN_SET(arg_link_journal, LINK_NO, LINK_AUTO)) +- return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "--ephemeral and --link-journal= may not be combined."); ++ /* Permit --ephemeral with --link-journal=try-* to satisfy principle of the least astonishment ++ * (by common sense, "try" means "do not fail if not possible") */ ++ if (arg_ephemeral && !IN_SET(arg_link_journal, LINK_NO, LINK_AUTO) && !arg_link_journal_try) ++ return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "--ephemeral and --link-journal={host,guest} may not be combined."); + + if (arg_userns_mode != USER_NAMESPACE_NO && !userns_supported()) + return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "--private-users= is not supported, kernel compiled without user namespace support."); +-- +2.33.0 + diff --git a/backport-nspawn-private-users-ownership-value-is-called-chown.patch b/backport-nspawn-private-users-ownership-value-is-called-chown.patch new file mode 100644 index 0000000..f7aea0e --- /dev/null +++ b/backport-nspawn-private-users-ownership-value-is-called-chown.patch 
@@ -0,0 +1,29 @@ +From 809b265172dd391e7fe4c105e5979e07b832a180 Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Wed, 13 Nov 2024 12:14:53 +0100 +Subject: [PATCH 1017/1160] nspawn: --private-users-ownership= value is called + 'chown', not 'own' + +(cherry picked from commit bae936b418e08063b68c95f4df53c3cd4f70e881) +(cherry picked from commit bdf3f9b8f274d958befa54c95811910013b39a80) +--- + src/nspawn/nspawn.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c +index c067417c34..68362c65f3 100644 +--- a/src/nspawn/nspawn.c ++++ b/src/nspawn/nspawn.c +@@ -475,7 +475,8 @@ static int custom_mount_check_all(void) { + if (path_equal(m->destination, "/") && arg_userns_mode != USER_NAMESPACE_NO) { + if (arg_userns_ownership != USER_NAMESPACE_OWNERSHIP_OFF) + return log_error_errno(SYNTHETIC_ERRNO(EINVAL), +- "--private-users-ownership=own may not be combined with custom root mounts."); ++ "--private-users-ownership=%s may not be combined with custom root mounts.", ++ user_namespace_ownership_to_string(arg_userns_ownership)); + if (arg_uid_shift == UID_INVALID) + return log_error_errno(SYNTHETIC_ERRNO(EINVAL), + "--private-users with automatic UID shift may not be combined with custom root mounts."); +-- +2.33.0 + diff --git a/backport-nspawn-refuse-to-bind-mount-device-node-from-host-wh.patch b/backport-nspawn-refuse-to-bind-mount-device-node-from-host-wh.patch new file mode 100644 index 0000000..75cbb04 --- /dev/null +++ b/backport-nspawn-refuse-to-bind-mount-device-node-from-host-wh.patch 
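Review bot: The new `%s` argument in custom_mount_check_all() is `user_namespace_ownership_to_string(arg_userns_ownership)`, and lookups generated by DEFINE_STRING_TABLE_LOOKUP return NULL for values outside the table, so an out-of-range value would hand NULL to the format string; wrapping it as `strna(user_namespace_ownership_to_string(arg_userns_ownership))` keeps the log line well-formed regardless of how `arg_userns_ownership` was set. This is presumably unreachable once option parsing has validated the value, so it is a robustness nit rather than a live bug. custom_mount_check_all() starts and ends outside the hunk.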
@@ -0,0 +1,49 @@ +From bc72d9557cdc0411ce95543238f95d82b5ce4a72 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Thu, 5 Sep 2024 15:05:32 +0900 +Subject: [PATCH 0866/1160] nspawn: refuse to bind mount device node from host + when --private-users= is specified + +Also do not chown if a device node is bind-mounted. + +Fixes #34243. + +(cherry picked from commit efedb6b0f3cff37950112fd37cb750c16d599bc7) +(cherry picked from commit a23591891b9e85107f39d103eabbb5bc9a6ced6f) +--- + src/nspawn/nspawn.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c +index 0600f3e014..a229c70875 100644 +--- a/src/nspawn/nspawn.c ++++ b/src/nspawn/nspawn.c +@@ -2185,7 +2185,7 @@ static int copy_devnodes(const char *dest) { + /* Explicitly warn the user when /dev is already populated. */ + if (errno == EEXIST) + log_notice("%s/dev is pre-mounted and pre-populated. If a pre-mounted /dev is provided it needs to be an unpopulated file system.", dest); +- if (errno != EPERM) ++ if (errno != EPERM || arg_uid_shift != 0) + return log_error_errno(errno, "mknod(%s) failed: %m", to); + + /* Some systems abusively restrict mknod but allow bind mounts. */ +@@ -2195,12 +2195,12 @@ static int copy_devnodes(const char *dest) { + r = mount_nofollow_verbose(LOG_DEBUG, from, to, NULL, MS_BIND, NULL); + if (r < 0) + return log_error_errno(r, "Both mknod and bind mount (%s) failed: %m", to); ++ } else { ++ r = userns_lchown(to, 0, 0); ++ if (r < 0) ++ return log_error_errno(r, "chown() of device node %s failed: %m", to); + } + +- r = userns_lchown(to, 0, 0); +- if (r < 0) +- return log_error_errno(r, "chown() of device node %s failed: %m", to); +- + dn = path_join("/dev", S_ISCHR(st.st_mode) ? "char" : "block"); + if (!dn) + return log_oom(); +-- +2.33.0 + diff --git a/backport-openssl-util-avoid-freeing-invalid-pointer.patch b/backport-openssl-util-avoid-freeing-invalid-pointer.patch new file mode 100644 index 0000000..1f6a9bb 
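Review bot: The refusal of the bind-mount fallback in copy_devnodes() keys on `arg_uid_shift != 0` rather than on user namespaces being enabled, so if a `--private-users=` configuration with a zero shift is reachable it would still fall through to bind-mounting the host's device node, which is what the commit message says should be refused. Elsewhere in this series (custom_mount_check_all() in the --private-users-ownership patch) the test is `arg_userns_mode != USER_NAMESPACE_NO`; either use that here too, e.g. `if (errno != EPERM || arg_userns_mode != USER_NAMESPACE_NO)`, or add a comment stating why a non-zero shift is the intended criterion. On that path the user still only sees the bare `mknod(%s) failed: %m`, so a comment on the condition explaining why the fallback is skipped under a UID shift (presumably because a host node's ownership cannot be shifted into the container's range — confirm) would document the intent. copy_devnodes() starts and ends outside the hunk.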
--- /dev/null +++ b/backport-openssl-util-avoid-freeing-invalid-pointer.patch @@ -0,0 +1,26 @@ +From 39883556d484e1f743c8437d5a836bfd2b34a760 Mon Sep 17 00:00:00 2001 +From: David Tardon +Date: Tue, 12 Dec 2023 15:47:33 +0100 +Subject: [PATCH 0059/1160] openssl-util: avoid freeing invalid pointer + +(cherry picked from commit 38e1035befef69870735e7237eb0d3c0e8a007dd) +--- + src/shared/openssl-util.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/shared/openssl-util.c b/src/shared/openssl-util.c +index 311fb4d9cb..b0a5563395 100644 +--- a/src/shared/openssl-util.c ++++ b/src/shared/openssl-util.c +@@ -1109,7 +1109,7 @@ int string_hashsum( + + _cleanup_free_ void *hash = NULL; + size_t hash_size; +- _cleanup_free_ char *enc; ++ _cleanup_free_ char *enc = NULL; + int r; + + assert(s || len == 0); +-- +2.33.0 + diff --git a/backport-os-util-allow-matching-versioned-image-with-extensio.patch b/backport-os-util-allow-matching-versioned-image-with-extensio.patch new file mode 100644 index 0000000..1a99f66 --- /dev/null +++ b/backport-os-util-allow-matching-versioned-image-with-extensio.patch 
@@ -0,0 +1,219 @@ +From 012441e3cc618d2b24f23a2b01daadb8a7cdc99e Mon Sep 17 00:00:00 2001 +From: Luca Boccassi +Date: Wed, 21 Feb 2024 19:31:14 +0000 +Subject: [PATCH 0539/1160] os-util: allow matching versioned image with + extension-release file + +Currently app_1.0.raw is refused if it contains extension-release.d/extension-release.app, +which stops one from using versioned images without using the force flag to disable +the check. Relax it so that only the actual name, and not the version, is compared, like +it already happens in other places. + +(cherry picked from commit 37543971aff79f3a37646ffc2bb5845c9394797b) +--- + src/basic/os-util.c | 55 ++++++++++++++++++++++++++++++++-- + src/basic/os-util.h | 1 + + src/portable/portable.c | 61 ++++++-------------------------------- + test/units/testsuite-29.sh | 13 ++++++++ + 4 files changed, 75 insertions(+), 55 deletions(-) + +diff --git a/src/basic/os-util.c b/src/basic/os-util.c +index dbd067fd44..985d89bc7e 100644 +--- a/src/basic/os-util.c ++++ b/src/basic/os-util.c +@@ -61,6 +61,39 @@ bool image_name_is_valid(const char *s) { + return true; + } + ++int path_extract_image_name(const char *path, char **ret) { ++ _cleanup_free_ char *fn = NULL; ++ int r; ++ ++ assert(path); ++ assert(ret); ++ ++ /* Extract last component from path, without any "/" suffixes. 
*/ ++ r = path_extract_filename(path, &fn); ++ if (r < 0) ++ return r; ++ ++ if (r != O_DIRECTORY) { ++ /* Chop off any image suffixes we recognize (unless we already know this must refer to some dir */ ++ FOREACH_STRING(suffix, ".sysext.raw", ".confext.raw", ".raw") { ++ char *m = endswith(fn, suffix); ++ if (m) { ++ *m = 0; ++ break; ++ } ++ } ++ } ++ ++ /* Truncate the version/counting suffixes */ ++ fn[strcspn(fn, "_+")] = 0; ++ ++ if (!image_name_is_valid(fn)) ++ return -EINVAL; ++ ++ *ret = TAKE_PTR(fn); ++ return 0; ++} ++ + int path_is_extension_tree(ImageClass image_class, const char *path, const char *extension, bool relax_extension_release_check) { + int r; + +@@ -230,9 +263,25 @@ int open_extension_release_at( + continue; + } + +- if (!relax_extension_release_check && +- extension_release_strict_xattr_value(fd, dir_path, de->d_name) != 0) +- continue; ++ if (!relax_extension_release_check) { ++ _cleanup_free_ char *base_image_name = NULL, *base_extension = NULL; ++ ++ r = path_extract_image_name(image_name, &base_image_name); ++ if (r < 0) { ++ log_debug_errno(r, "Failed to extract image name from %s/%s, ignoring: %m", dir_path, de->d_name); ++ continue; ++ } ++ ++ r = path_extract_image_name(extension, &base_extension); ++ if (r < 0) { ++ log_debug_errno(r, "Failed to extract image name from %s, ignoring: %m", extension); ++ continue; ++ } ++ ++ if (!streq(base_image_name, base_extension) && ++ extension_release_strict_xattr_value(fd, dir_path, image_name) != 0) ++ continue; ++ } + + /* We already found what we were looking for, but there's another candidate? 
We treat this as + * an error, as we want to enforce that there are no ambiguities in case we are in the +diff --git a/src/basic/os-util.h b/src/basic/os-util.h +index 7cee3dd119..f6a12a3fb1 100644 +--- a/src/basic/os-util.h ++++ b/src/basic/os-util.h +@@ -25,6 +25,7 @@ ImageClass image_class_from_string(const char *s) _pure_; + * in accordance with the OS extension specification, rather than for /usr/lib/ or /etc/os-release. */ + + bool image_name_is_valid(const char *s) _pure_; ++int path_extract_image_name(const char *path, char **ret); + + int path_is_extension_tree(ImageClass image_class, const char *path, const char *extension, bool relax_extension_release_check); + static inline int path_is_os_tree(const char *path) { +diff --git a/src/portable/portable.c b/src/portable/portable.c +index 6054f0f17f..ba221fbb85 100644 +--- a/src/portable/portable.c ++++ b/src/portable/portable.c +@@ -1625,7 +1625,6 @@ int portable_attach( + + static bool marker_matches_images(const char *marker, const char *name_or_path, char **extension_image_paths) { + _cleanup_strv_free_ char **root_and_extensions = NULL; +- const char *a; + int r; + + assert(marker); +@@ -1646,7 +1645,7 @@ static bool marker_matches_images(const char *marker, const char *name_or_path, + return r; + + STRV_FOREACH(image_name_or_path, root_and_extensions) { +- _cleanup_free_ char *image = NULL; ++ _cleanup_free_ char *image = NULL, *base_image = NULL, *base_image_name_or_path = NULL; + + r = extract_first_word(&marker, &image, ":", EXTRACT_UNQUOTE|EXTRACT_RETAIN_ESCAPE); + if (r < 0) +@@ -1654,58 +1653,16 @@ static bool marker_matches_images(const char *marker, const char *name_or_path, + if (r == 0) + return false; + +- a = last_path_component(image); +- +- if (image_name_is_valid(*image_name_or_path)) { +- const char *e, *underscore; +- +- /* We shall match against an image name. In that case let's compare the last component, and optionally +- * allow either a suffix of ".raw" or a series of "/". 
+- * But allow matching on a different version of the same image, when a "_" is used as a separator. */ +- underscore = strchr(*image_name_or_path, '_'); +- if (underscore) { +- if (strneq(a, *image_name_or_path, underscore - *image_name_or_path)) +- continue; +- return false; +- } ++ r = path_extract_image_name(image, &base_image); ++ if (r < 0) ++ return log_debug_errno(r, "Failed to extract image name from %s, ignoring: %m", image); + +- e = startswith(a, *image_name_or_path); +- if (!e) +- return false; +- +- if(!(e[strspn(e, "/")] == 0 || streq(e, ".raw"))) +- return false; +- } else { +- const char *b, *underscore; +- size_t l; +- +- /* We shall match against a path. Let's ignore any prefix here though, as often there are many ways to +- * reach the same file. However, in this mode, let's validate any file suffix. +- * But also ensure that we don't fail if both components don't have a '/' at all +- * (strcspn returns the full length of the string in that case, which might not +- * match as the versions might differ). 
*/ +- +- l = strcspn(a, "/"); +- b = last_path_component(*image_name_or_path); +- +- if ((a[l] != '/') != !strchr(b, '/')) /* One is a directory, the other is not */ +- return false; +- +- if (a[l] != 0 && strcspn(b, "/") != l) +- return false; +- +- underscore = strchr(b, '_'); +- if (underscore) +- l = underscore - b; +- else { /* Either component could be versioned */ +- underscore = strchr(a, '_'); +- if (underscore) +- l = underscore - a; +- } ++ r = path_extract_image_name(*image_name_or_path, &base_image_name_or_path); ++ if (r < 0) ++ return log_debug_errno(r, "Failed to extract image name from %s, ignoring: %m", *image_name_or_path); + +- if (!strneq(a, b, l)) +- return false; +- } ++ if (!streq(base_image, base_image_name_or_path)) ++ return false; + } + + return true; +diff --git a/test/units/testsuite-29.sh b/test/units/testsuite-29.sh +index 536827311b..676330cbf1 100755 +--- a/test/units/testsuite-29.sh ++++ b/test/units/testsuite-29.sh +@@ -139,6 +139,19 @@ grep -q -F "LogExtraFields=PORTABLE_EXTENSION_NAME_AND_VERSION=app" /run/systemd + + portablectl detach --now --runtime --extension /usr/share/app0.raw /usr/share/minimal_1.raw app0 + ++# Ensure versioned images are accepted without needing to use --force to override the extension-release ++# matching ++ ++cp /usr/share/app0.raw /tmp/app0_1.0.raw ++portablectl "${ARGS[@]}" attach --now --runtime --extension /tmp/app0_1.0.raw /usr/share/minimal_0.raw app0 ++ ++systemctl is-active app0.service ++status="$(portablectl is-attached --extension app0_1 minimal_0)" ++[[ "${status}" == "running-runtime" ]] ++ ++portablectl detach --now --runtime --extension /tmp/app0_1.0.raw /usr/share/minimal_1.raw app0 ++rm -f /tmp/app0_1.0.raw ++ + portablectl "${ARGS[@]}" attach --now --runtime --extension /usr/share/app1.raw /usr/share/minimal_0.raw app1 + + systemctl is-active app1.service +-- +2.33.0 + 
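Review bot: In marker_matches_images() in the portable.c hunk, the two new `return log_debug_errno(r, "Failed to extract image name from %s, ignoring: %m", ...)` statements return a negative errno from a function declared `static bool`, so the value converts to `true` and a failed name extraction is reported as a successful match rather than being ignored. Each should log and then return a definite result, e.g. `if (r < 0) { log_debug_errno(r, "Failed to extract image name from %s, ignoring: %m", image); return false; }`, and likewise for `*image_name_or_path`. The pre-existing `return r;` after `extract_first_word()` in the context lines has the same shape and is worth fixing in the same pass. The end of the function lies outside the hunk.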
diff --git a/backport-os-util-avoid-matching-on-the-wrong-extension-releas.patch b/backport-os-util-avoid-matching-on-the-wrong-extension-releas.patch new file mode 100644 index 0000000..bcfa3e0 --- /dev/null +++ b/backport-os-util-avoid-matching-on-the-wrong-extension-releas.patch 
@@ -0,0 +1,74 @@ +From 129a548df5aa3f8f6e66e0b211d83832fcb48ddc Mon Sep 17 00:00:00 2001 +From: Luca Boccassi +Date: Wed, 3 Jul 2024 21:27:28 +0100 +Subject: [PATCH 0747/1160] os-util: avoid matching on the wrong + extension-release file + +The previous commit tries to extract a substring from the +extension-release suffix, but that is not right, it's only the +images that need to be versioned and extracted, use the extension-release +suffix as-is. Otherwise if it happens to contain a prefix that +matches the wrong image, it will be taken into account. + +Follow-up for 37543971aff79f3a37646ffc2bb5845c9394797b + +(cherry picked from commit 92d1fe3efac7b3a700317ec71b64cab5ebc17b42) +(cherry picked from commit 160b539a9de2c8adc400833d976165d6158fd944) +--- + src/basic/os-util.c | 10 ++-------- + test/units/testsuite-29.sh | 11 +++++++++++ + 2 files changed, 13 insertions(+), 8 deletions(-) + +diff --git a/src/basic/os-util.c b/src/basic/os-util.c +index 985d89bc7e..3cd6134f72 100644 +--- a/src/basic/os-util.c ++++ b/src/basic/os-util.c +@@ -264,13 +264,7 @@ int open_extension_release_at( + } + + if (!relax_extension_release_check) { +- _cleanup_free_ char *base_image_name = NULL, *base_extension = NULL; +- +- r = path_extract_image_name(image_name, &base_image_name); +- if (r < 0) { +- log_debug_errno(r, "Failed to extract image name from %s/%s, ignoring: %m", dir_path, de->d_name); +- continue; +- } ++ _cleanup_free_ char *base_extension = NULL; + + r = path_extract_image_name(extension, &base_extension); + if (r < 0) { +@@ -278,7 +272,7 @@ int open_extension_release_at( + continue; + } + +- if (!streq(base_image_name, base_extension) && ++ if (!streq(image_name, base_extension) && + extension_release_strict_xattr_value(fd, dir_path, image_name) != 0) + continue; + } +diff --git a/test/units/testsuite-29.sh b/test/units/testsuite-29.sh +index 676330cbf1..55e162db28 100755 +--- a/test/units/testsuite-29.sh ++++ b/test/units/testsuite-29.sh +@@ -276,6 +276,17 @@ 
portablectl detach --now --runtime --enable /tmp/rootdir minimal-app0 + portablectl "${ARGS[@]}" attach --copy=symlink --now --runtime /tmp/rootdir minimal-app0 + portablectl detach --now --runtime --enable /tmp/rootdir minimal-app0 + ++# The wrong file should be ignored, given the right one has the xattr set ++mkdir -p /tmp/wrongext/usr/lib/extension-release.d /tmp/wrongext/usr/lib/systemd/system/ ++echo "[Service]" > /tmp/wrongext/usr/lib/systemd/system/app0.service ++touch /tmp/wrongext/usr/lib/extension-release.d/extension-release.wrongext_somethingwrong.txt ++cp /tmp/rootdir/usr/lib/os-release /tmp/wrongext/usr/lib/extension-release.d/extension-release.app0 ++setfattr -n user.extension-release.strict -v "false" /tmp/wrongext/usr/lib/extension-release.d/extension-release.app0 ++portablectl "${ARGS[@]}" attach --runtime --extension /tmp/wrongext /tmp/rootdir app0 ++status="$(portablectl is-attached --extension wrongext rootdir)" ++[[ "${status}" == "attached-runtime" ]] ++portablectl detach --runtime --extension /tmp/wrongext /tmp/rootdir app0 ++ + umount /tmp/rootdir + umount /tmp/app0 + umount /tmp/app1 +-- +2.33.0 + diff --git a/backport-packit-test-switch-to-legacy-ci-branch.patch b/backport-packit-test-switch-to-legacy-ci-branch.patch new file mode 100644 index 0000000..fe2976f --- /dev/null +++ b/backport-packit-test-switch-to-legacy-ci-branch.patch 
@@ -0,0 +1,27 @@ +From a7108ccb12feeb271ddf2bd995af1c75242eb43b Mon Sep 17 00:00:00 2001 +From: Luca Boccassi +Date: Fri, 29 Nov 2024 16:11:03 +0000 +Subject: [PATCH 1040/1160] packit test: switch to 'legacy-ci' branch + +The main branch switched to the mkosi runner, so we need to use +the older integration code for stable branches +--- + .packit.yml | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/.packit.yml b/.packit.yml +index 70c7155667..4d574b80da 100644 +--- a/.packit.yml ++++ b/.packit.yml +@@ -55,7 +55,7 @@ jobs: + - job: tests + trigger: pull_request + fmf_url: https://src.fedoraproject.org/tests/systemd +- fmf_ref: main ++ fmf_ref: legacy-ci + tmt_plan: ci + targets: + - fedora-40-x86_64 +-- +2.33.0 + diff --git a/backport-packit-use-Fedora-40.patch b/backport-packit-use-Fedora-40.patch new file mode 100644 index 0000000..2ad89ee --- /dev/null +++ b/backport-packit-use-Fedora-40.patch 
@@ -0,0 +1,51 @@ +From 2ac8041bf49be885baea0edb6562b44556a17cc2 Mon Sep 17 00:00:00 2001 +From: Luca Boccassi +Date: Thu, 9 Nov 2023 00:50:03 +0000 +Subject: [PATCH 0687/1160] packit: use Fedora 40 + +rawhide moved to 256, so stick with F40 which uses 255 +--- + .packit.yml | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +diff --git a/.packit.yml b/.packit.yml +index ada6f8b487..70c7155667 100644 +--- a/.packit.yml ++++ b/.packit.yml +@@ -24,8 +24,8 @@ actions: + - "bash -ec 'git describe --tags --abbrev=0 | cut -b 2-'" + + post-upstream-clone: +- # Use the Fedora Rawhide specfile +- - "git clone https://src.fedoraproject.org/rpms/systemd .packit_rpm --depth=1" ++ # Use the Fedora 40 specfile ++ - "git clone --branch f40 https://src.fedoraproject.org/rpms/systemd .packit_rpm --depth=1" + # Drop the "sources" file so rebase-helper doesn't think we're a dist-git + - "rm -fv .packit_rpm/sources" + # Drop backported patches from the specfile, but keep the downstream-only ones +@@ -46,11 +46,11 @@ jobs: + - job: copr_build + trigger: pull_request + targets: +- - fedora-rawhide-aarch64 +- - fedora-rawhide-i386 +- - fedora-rawhide-ppc64le +- - fedora-rawhide-s390x +- - fedora-rawhide-x86_64 ++ - fedora-40-aarch64 ++ - fedora-40-i386 ++ - fedora-40-ppc64le ++ - fedora-40-s390x ++ - fedora-40-x86_64 + + - job: tests + trigger: pull_request +@@ -58,4 +58,4 @@ jobs: + fmf_ref: main + tmt_plan: ci + targets: +- - fedora-rawhide-x86_64 ++ - fedora-40-x86_64 +-- +2.33.0 + diff --git a/backport-packit-use-the-closest-matching-tag-for-the-checked-.patch b/backport-packit-use-the-closest-matching-tag-for-the-checked-.patch new file mode 100644 index 0000000..75c5960 --- /dev/null +++ b/backport-packit-use-the-closest-matching-tag-for-the-checked-.patch 
@@ -0,0 +1,50 @@ +From 00ddffec4ec1d32130643dffbdaa5097d372b15f Mon Sep 17 00:00:00 2001 +From: Frantisek Sumsal +Date: Tue, 23 Jan 2024 15:29:08 +0100 +Subject: [PATCH 0190/1160] packit: use the closest matching tag for the + checked out revision + +Packit otherwise tries to get the latest tag by creation date, which +doesn't work well in the systemd-stable repo: + +2024-01-23 13:40:47.858 upstream.py DEBUG No ref given or is not glob pattern +2024-01-23 13:40:47.859 upstream.py DEBUG We're about to get latest matching tag in the upstream repository /tmp/tmp07g2beo8. +2024-01-23 13:40:47.859 commands.py DEBUG Command: git tag --list --sort=-creatordate +2024-01-23 13:40:47.866 logging.py DEBUG v248.13 +2024-01-23 13:40:47.866 logging.py DEBUG v249.17 +2024-01-23 13:40:47.866 logging.py DEBUG v250.14 +2024-01-23 13:40:47.866 logging.py DEBUG v251.20 +2024-01-23 13:40:47.867 logging.py DEBUG v252.21 +2024-01-23 13:40:47.867 logging.py DEBUG v253.15 +2024-01-23 13:40:47.867 logging.py DEBUG v254.8 +2024-01-23 13:40:47.867 logging.py DEBUG v255.2 +2024-01-23 13:40:47.868 logging.py DEBUG v255.1 +2024-01-23 13:40:47.868 logging.py DEBUG v255 +... + +(cherry picked from commit 5ed55a9bad82924a5cf5e3e8b91cd1a3b2af9812) +--- + .packit.yml | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/.packit.yml b/.packit.yml +index b886632a95..ada6f8b487 100644 +--- a/.packit.yml ++++ b/.packit.yml +@@ -16,6 +16,13 @@ upstream_tag_template: "v{version}" + srpm_build_deps: [] + + actions: ++ get-current-version: ++ # Show the closest matching tag for the checked out revision, otherwise ++ # Packit tries to get the latest tag by creation date, which doesn't work ++ # well in the systemd-stable repo. We also need to sanitize it manually ++ # since "upstream_tag_template" defined above doesn't apply here. 
++ - "bash -ec 'git describe --tags --abbrev=0 | cut -b 2-'" ++ + post-upstream-clone: + # Use the Fedora Rawhide specfile + - "git clone https://src.fedoraproject.org/rpms/systemd .packit_rpm --depth=1" +-- +2.33.0 + diff --git a/backport-pam-do-not-warn-closing-bus-connection-which-is-open.patch b/backport-pam-do-not-warn-closing-bus-connection-which-is-open.patch new file mode 100644 index 0000000..46a2887 --- /dev/null +++ b/backport-pam-do-not-warn-closing-bus-connection-which-is-open.patch 
@@ -0,0 +1,51 @@ +From b94404ee555c6eeef6a63cf41054629fd80737bf Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Sun, 21 Jan 2024 13:11:09 +0900 +Subject: [PATCH 0289/1160] pam: do not warn closing bus connection which is + opened after the fork + +In pam_systemd.so and pam_systemd_home.so, we open a bus connection on +session close, which is called after fork. Closing the connection is +harmless, and should not warn about that. + +This suppresses the following log message: +=== +(sd-pam)[127]: PAM Attempted to close sd-bus after fork, this should not happen. +=== + +(cherry picked from commit 34e4ad1796a42da64e196f9c6965f1a073e6dd9d) +--- + src/shared/pam-util.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/src/shared/pam-util.c b/src/shared/pam-util.c +index 1057104194..46a2915638 100644 +--- a/src/shared/pam-util.c ++++ b/src/shared/pam-util.c +@@ -5,6 +5,7 @@ + #include + + #include "alloc-util.h" ++#include "bus-internal.h" + #include "errno-util.h" + #include "format-util.h" + #include "macro.h" +@@ -88,8 +89,13 @@ static void pam_bus_data_destroy(pam_handle_t *handle, void *data, int error_sta + * internally anyway. That said, we still generate a warning message, since this really shouldn't + * happen. */ + +- if (error_status & PAM_DATA_SILENT) +- pam_syslog(handle, LOG_DEBUG, "Attempted to close sd-bus after fork, this should not happen."); ++ if (!data) ++ return; ++ ++ PamBusData *d = data; ++ if (FLAGS_SET(error_status, PAM_DATA_SILENT) && ++ d->bus && bus_origin_changed(d->bus)) ++ pam_syslog(handle, LOG_DEBUG, "Attempted to close sd-bus after fork whose connection is opened before the fork, this should not happen."); + + pam_bus_data_free(data); + } +-- +2.33.0 + diff --git a/backport-pam_systemd-always-check-if-session-is-busy.patch b/backport-pam_systemd-always-check-if-session-is-busy.patch new file mode 100644 index 0000000..86906ec --- /dev/null +++ b/backport-pam_systemd-always-check-if-session-is-busy.patch 
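Review bot: The comment immediately above the changed lines in pam_bus_data_destroy() still says `That said, we still generate a warning message, since this really shouldn't happen.`, but the new condition only logs when `bus_origin_changed(d->bus)` reports the connection was opened before the fork, which is the whole point of the change; update it to something like `That said, we still generate a warning message if the connection was opened before the fork, since that really shouldn't happen.` The new early `if (!data) return;` also means `pam_bus_data_free()` is no longer reached for a NULL `data`, which is fine if that helper tolerated NULL anyway, but a short comment would make that deliberate. Including `bus-internal.h` in src/shared for `bus_origin_changed()` couples shared code to sd-bus internals; if a public accessor exists it would be preferable. pam_bus_data_destroy() starts outside the hunk.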
@@ -0,0 +1,76 @@ +From 217141f05cb1917a94fac65f8774667e5b26e9cc Mon Sep 17 00:00:00 2001 +From: Mike Yuan +Date: Fri, 19 Jan 2024 20:00:31 +0800 +Subject: [PATCH 0176/1160] pam_systemd: always check if session is busy + +We need to check for BUS_ERROR_SESSION_BUSY no matter +whether pidfd is used, i.e. after we retry with +CreateSession(). + +(cherry picked from commit 2948803177bf5027c1808a9a55481c45dd91624c) +--- + src/login/pam_systemd.c | 42 ++++++++++++++++++++--------------------- + 1 file changed, 21 insertions(+), 21 deletions(-) + +diff --git a/src/login/pam_systemd.c b/src/login/pam_systemd.c +index b6294b8f14..3b6539aaac 100644 +--- a/src/login/pam_systemd.c ++++ b/src/login/pam_systemd.c +@@ -1097,33 +1097,33 @@ _public_ PAM_EXTERN int pam_sm_open_session( + return pam_bus_log_create_error(handle, r); + + r = sd_bus_call(bus, m, LOGIN_SLOW_BUS_CALL_TIMEOUT_USEC, &error, &reply); ++ if (r < 0 && sd_bus_error_has_name(&error, SD_BUS_ERROR_UNKNOWN_METHOD)) { ++ sd_bus_error_free(&error); ++ pam_debug_syslog(handle, debug, ++ "CreateSessionWithPIDFD() API is not available, retrying with CreateSession()."); ++ ++ m = sd_bus_message_unref(m); ++ r = create_session_message(bus, ++ handle, ++ &context, ++ /* avoid_pidfd = */ true, ++ &m); ++ if (r < 0) ++ return pam_bus_log_create_error(handle, r); ++ ++ r = sd_bus_call(bus, m, LOGIN_SLOW_BUS_CALL_TIMEOUT_USEC, &error, &reply); ++ } + if (r < 0) { + if (sd_bus_error_has_name(&error, BUS_ERROR_SESSION_BUSY)) { ++ /* We are already in a session, don't do anything */ + pam_debug_syslog(handle, debug, + "Not creating session: %s", bus_error_message(&error, r)); +- /* We are already in a session, don't do anything */ + goto success; +- } else if (sd_bus_error_has_name(&error, SD_BUS_ERROR_UNKNOWN_METHOD)) { +- pam_debug_syslog(handle, debug, +- "CreateSessionWithPIDFD() API is not available, retrying with CreateSession()."); +- +- m = sd_bus_message_unref(m); +- r = create_session_message(bus, +- handle, +- 
&context, +- true /* avoid_pidfd = */, +- &m); +- if (r < 0) +- return pam_bus_log_create_error(handle, r); +- +- sd_bus_error_free(&error); +- r = sd_bus_call(bus, m, LOGIN_SLOW_BUS_CALL_TIMEOUT_USEC, &error, &reply); +- } +- if (r < 0) { +- pam_syslog(handle, LOG_ERR, +- "Failed to create session: %s", bus_error_message(&error, r)); +- return PAM_SESSION_ERR; + } ++ ++ pam_syslog(handle, LOG_ERR, ++ "Failed to create session: %s", bus_error_message(&error, r)); ++ return PAM_SESSION_ERR; + } + + r = sd_bus_message_read(reply, +-- +2.33.0 + diff --git a/backport-pam_systemd-close-pidfd-after-use.patch b/backport-pam_systemd-close-pidfd-after-use.patch new file mode 100644 index 0000000..c83c197 --- /dev/null +++ b/backport-pam_systemd-close-pidfd-after-use.patch 
@@ -0,0 +1,50 @@ +From fff0e2c06acfa05f8a8b0d1bda7e0a6e589c2aeb Mon Sep 17 00:00:00 2001 +From: Mike Yuan +Date: Fri, 19 Jan 2024 19:57:31 +0800 +Subject: [PATCH 0175/1160] pam_systemd: close pidfd after use + +(cherry picked from commit 79f36b64159708cf2b261207f007fe980e6dfaa5) +--- + src/login/pam_systemd.c | 14 +++++++++++--- + 1 file changed, 11 insertions(+), 3 deletions(-) + +diff --git a/src/login/pam_systemd.c b/src/login/pam_systemd.c +index b8da266e27..b6294b8f14 100644 +--- a/src/login/pam_systemd.c ++++ b/src/login/pam_systemd.c +@@ -802,13 +802,21 @@ typedef struct SessionContext { + const char *runtime_max_sec; + } SessionContext; + +-static int create_session_message(sd_bus *bus, pam_handle_t *handle, const SessionContext *context, bool avoid_pidfd, sd_bus_message **ret) { ++static int create_session_message( ++ sd_bus *bus, ++ pam_handle_t *handle, ++ const SessionContext *context, ++ bool avoid_pidfd, ++ sd_bus_message **ret) { ++ + _cleanup_(sd_bus_message_unrefp) sd_bus_message *m = NULL; +- int r, pidfd = -EBADFD; ++ _cleanup_close_ int pidfd = -EBADF; ++ int r; + + assert(bus); + assert(handle); + assert(context); ++ assert(ret); + + if (!avoid_pidfd) { + pidfd = pidfd_open(getpid_cached(), 0); +@@ -1083,7 +1091,7 @@ _public_ PAM_EXTERN int pam_sm_open_session( + r = create_session_message(bus, + handle, + &context, +- false /* avoid_pidfd = */, ++ /* avoid_pidfd = */ false, + &m); + if (r < 0) + return pam_bus_log_create_error(handle, r); +-- +2.33.0 + diff --git a/backport-pam_systemd_loadkey-add-missing-PAM_EXTERN.patch b/backport-pam_systemd_loadkey-add-missing-PAM_EXTERN.patch new file mode 100644 index 0000000..63885d8 --- /dev/null +++ b/backport-pam_systemd_loadkey-add-missing-PAM_EXTERN.patch 
@@ -0,0 +1,35 @@ +From b1683d8416e133aa4e4bd99b54e1b10d29cf1e0c Mon Sep 17 00:00:00 2001 +From: Mike Yuan +Date: Mon, 29 Apr 2024 15:46:32 +0800 +Subject: [PATCH 0581/1160] pam_systemd_loadkey: add missing PAM_EXTERN + +(cherry picked from commit 767d817895d8da04cba526cb7ab890a3d2887f08) +--- + src/login/pam_systemd_loadkey.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/login/pam_systemd_loadkey.c b/src/login/pam_systemd_loadkey.c +index 3b4e91124a..088fd355ef 100644 +--- a/src/login/pam_systemd_loadkey.c ++++ b/src/login/pam_systemd_loadkey.c +@@ -18,7 +18,7 @@ + * This can be overridden by the keyname= parameter. */ + static const char DEFAULT_KEYNAME[] = "cryptsetup"; + +-_public_ int pam_sm_authenticate( ++_public_ PAM_EXTERN int pam_sm_authenticate( + pam_handle_t *handle, + int flags, + int argc, const char **argv) { +@@ -89,7 +89,7 @@ _public_ int pam_sm_authenticate( + return PAM_SUCCESS; + } + +-_public_ int pam_sm_setcred( ++_public_ PAM_EXTERN int pam_sm_setcred( + pam_handle_t *handle, + int flags, + int argc, const char **argv) { +-- +2.33.0 + diff --git a/backport-parse-util-accept-arbitrary-MTU-size-when-AF_UNSPEC.patch b/backport-parse-util-accept-arbitrary-MTU-size-when-AF_UNSPEC.patch new file mode 100644 index 0000000..5cea5da --- /dev/null +++ b/backport-parse-util-accept-arbitrary-MTU-size-when-AF_UNSPEC.patch 
@@ -0,0 +1,110 @@
+From 2fa0b50566829a2e72b61d9f453a5314192c19ab Mon Sep 17 00:00:00 2001
+From: Yu Watanabe
+Date: Thu, 23 Nov 2023 05:03:43 +0900
+Subject: [PATCH 0048/1160] parse-util: accept arbitrary MTU size when
+ AF_UNSPEC
+
+When [Link] MTU= is specified in a .network file, we have no idea about
+that what kind of interface will be configured with the .network file.
+The maximum and minimum MTU size depend on the kind of interface.
+So, we should not filter MTU eagerly in the parser.
+
+Closes #30140.
+
+(cherry picked from commit a0460dfed617a73f7dbf36a6eb7e474e887ae780)
+---
+ src/basic/parse-util.c | 15 +++++++++-----
+ src/test/test-parse-util.c | 25 ++++++++++++++++++-----
+ test/test-network-generator-conversion.sh | 2 +-
+ 3 files changed, 31 insertions(+), 11 deletions(-)
+
+diff --git a/src/basic/parse-util.c b/src/basic/parse-util.c
+index dc868c9b8e..0430e33e40 100644
+--- a/src/basic/parse-util.c
++++ b/src/basic/parse-util.c
+@@ -123,8 +123,7 @@ int parse_ifindex(const char *s) {
+ }
+
+ int parse_mtu(int family, const char *s, uint32_t *ret) {
+- uint64_t u;
+- size_t m;
++ uint64_t u, m;
+ int r;
+
+ r = parse_size(s, 1024, &u);
+@@ -134,10 +133,16 @@ int parse_mtu(int family, const char *s, uint32_t *ret) {
+ if (u > UINT32_MAX)
+ return -ERANGE;
+
+- if (family == AF_INET6)
++ switch (family) {
++ case AF_INET:
++ m = IPV4_MIN_MTU; /* This is 68 */
++ break;
++ case AF_INET6:
+ m = IPV6_MIN_MTU; /* This is 1280 */
+- else
+- m = IPV4_MIN_MTU; /* For all other protocols, including 'unspecified' we assume the IPv4 minimal MTU */
++ break;
++ default:
++ m = 0;
++ }
+
+ if (u < m)
+ return -ERANGE;
+diff --git a/src/test/test-parse-util.c b/src/test/test-parse-util.c
+index 7a485f390f..58d22b6cfe 100644
+--- a/src/test/test-parse-util.c
++++ b/src/test/test-parse-util.c
+@@ -914,15 +914,30 @@ TEST(parse_mtu) {
+ assert_se(parse_mtu(AF_UNSPEC, "4294967295", &mtu) >= 0 && mtu == 4294967295);
+ assert_se(parse_mtu(AF_UNSPEC, "500", &mtu) >= 0 && mtu == 500);
+ assert_se(parse_mtu(AF_UNSPEC, "1280", &mtu) >= 0 && mtu == 1280);
++ assert_se(parse_mtu(AF_UNSPEC, "4294967296", &mtu) == -ERANGE);
++ assert_se(parse_mtu(AF_UNSPEC, "68", &mtu) >= 0 && mtu == 68);
++ assert_se(parse_mtu(AF_UNSPEC, "67", &mtu) >= 0 && mtu == 67);
++ assert_se(parse_mtu(AF_UNSPEC, "0", &mtu) >= 0 && mtu == 0);
++ assert_se(parse_mtu(AF_UNSPEC, "", &mtu) == -EINVAL);
++
++ assert_se(parse_mtu(AF_INET, "1500", &mtu) >= 0 && mtu == 1500);
++ assert_se(parse_mtu(AF_INET, "1400", &mtu) >= 0 && mtu == 1400);
++ assert_se(parse_mtu(AF_INET, "65535", &mtu) >= 0 && mtu == 65535);
++ assert_se(parse_mtu(AF_INET, "65536", &mtu) >= 0 && mtu == 65536);
++ assert_se(parse_mtu(AF_INET, "4294967295", &mtu) >= 0 && mtu == 4294967295);
++ assert_se(parse_mtu(AF_INET, "500", &mtu) >= 0 && mtu == 500);
++ assert_se(parse_mtu(AF_INET, "1280", &mtu) >= 0 && mtu == 1280);
++ assert_se(parse_mtu(AF_INET, "4294967296", &mtu) == -ERANGE);
++ assert_se(parse_mtu(AF_INET, "68", &mtu) >= 0 && mtu == 68);
++ assert_se(parse_mtu(AF_INET, "67", &mtu) == -ERANGE);
++ assert_se(parse_mtu(AF_INET, "0", &mtu) == -ERANGE);
++ assert_se(parse_mtu(AF_INET, "", &mtu) == -EINVAL);
++
+ assert_se(parse_mtu(AF_INET6, "1280", &mtu) >= 0 && mtu == 1280);
+ assert_se(parse_mtu(AF_INET6, "1279", &mtu) == -ERANGE);
+- assert_se(parse_mtu(AF_UNSPEC, "4294967296", &mtu) == -ERANGE);
+ assert_se(parse_mtu(AF_INET6, "4294967296", &mtu) == -ERANGE);
+ assert_se(parse_mtu(AF_INET6, "68", &mtu) == -ERANGE);
+- assert_se(parse_mtu(AF_UNSPEC, "68", &mtu) >= 0 && mtu == 68);
+- assert_se(parse_mtu(AF_UNSPEC, "67", &mtu) == -ERANGE);
+- assert_se(parse_mtu(AF_UNSPEC, "0", &mtu) == -ERANGE);
+- assert_se(parse_mtu(AF_UNSPEC, "", &mtu) == -EINVAL);
++ assert_se(parse_mtu(AF_INET6, "", &mtu) == -EINVAL);
+ }
+
+ TEST(parse_loadavg_fixed_point) {
+diff --git a/test/test-network-generator-conversion.sh b/test/test-network-generator-conversion.sh
+index 6224a4d04f..9a4732c981 100755
+--- a/test/test-network-generator-conversion.sh
++++ b/test/test-network-generator-conversion.sh
+@@ -296,7 +296,7 @@ INVALID_COMMAND_LINES=(
+ "ip=10.0.0.1:::255.255.255::foo99:off"
+ "ip=10.0.0.1:::255.255.255.0:invalid_hostname:foo99:off"
+ "ip=10.0.0.1:::255.255.255.0::verylonginterfacename:off"
+- "ip=:::::dhcp99:dhcp6:0"
++ "ip=:::::dhcp99:dhcp6:4294967296"
+ "ip=:::::dhcp99:dhcp6:-1"
+ "ip=:::::dhcp99:dhcp6:666:52:54:00"
+ "ip=fdef:c400:bd01:1096::2::[fdef:c400:bd01:1096::1]:64::ipv6:off:[fdef:c400:bd01:1096::aaaa]"
+--
+2.33.0
+
diff --git a/backport-path-drop-IN_ATTRIB-from-parent-directory-watches.patch b/backport-path-drop-IN_ATTRIB-from-parent-directory-watches.patch
new file mode 100644
index 0000000..2b07121
--- /dev/null
+++ b/backport-path-drop-IN_ATTRIB-from-parent-directory-watches.patch
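Review bot: With `default: m = 0;` the following `if (u < m)` can never fire for AF_UNSPEC, so `MTU=0` (now asserted as accepted in the test hunk) passes the parser and the lower bound is silently deferred to whoever applies the value; nothing in the code says so, and a future reader is likely to re-add a floor here. I would document the intent on the branch itself: `default: m = 0; /* AF_UNSPEC: the minimum depends on the interface kind, which is unknown here; the consumer (ultimately the kernel) rejects an MTU it cannot apply. */`. The claim that the kernel catches out-of-range values is the commit message's rationale, not something visible in this hunk, so please confirm networkd surfaces that netlink error to the user rather than dropping it.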
@@ -0,0 +1,40 @@
+From 2818d5a0d679f5205b5a369c8be0b9dfdf9e39eb Mon Sep 17 00:00:00 2001
+From: Ronan Pigott
+Date: Mon, 1 Jul 2024 14:07:28 -0700
+Subject: [PATCH 0773/1160] path: drop IN_ATTRIB from parent directory watches
+
+When watching a given pathspec, systemd unconditionally installs
+IN_ATTRIB watches to track the link count of the resolved file. This
+way, we are notified if the watched path disappears, even if the
+resolved file inode is not removed.
+
+Similarly, systemd installs inotify watches on each parent directory, to
+be notified when the specified path appears. However, for these watches
+IN_ATTRIB is an unnecessary addition to the mask. In inotify, IN_ATTRIB
+on a directory is emitted whenever the attributes of any child changes,
+which, for many paths, has the potential to cause a high number of
+spurious wakeups in systemd. Let's remove IN_ATTRIB from the mask when
+installing watches on the parent directories of the specified path.
+
+(cherry picked from commit 8bf8c7d83dcffffa55b5f534fb98db6b01315dc1)
+(cherry picked from commit fa2b2da1466ff225363c1a0492b1b43c1d01dd8a)
+---
+ src/core/path.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/core/path.c b/src/core/path.c
+index ef00c20131..cbaefb684d 100644
+--- a/src/core/path.c
++++ b/src/core/path.c
+@@ -81,7 +81,7 @@ int path_spec_watch(PathSpec *s, sd_event_io_handler_t handler) {
+ tmp = *cut;
+ *cut = '\0';
+
+- flags = IN_MOVE_SELF | IN_DELETE_SELF | IN_ATTRIB | IN_CREATE | IN_MOVED_TO;
++ flags = IN_MOVE_SELF | IN_DELETE_SELF | IN_CREATE | IN_MOVED_TO;
+ } else {
+ cut = NULL;
+ flags = flags_table[s->type];
+--
+2.33.0
+
diff --git a/backport-pcrlock-Pad-pe-hash-to-a-multiple-of-8-bytes.patch b/backport-pcrlock-Pad-pe-hash-to-a-multiple-of-8-bytes.patch
new file mode 100644
index 0000000..455104a
--- /dev/null
+++ b/backport-pcrlock-Pad-pe-hash-to-a-multiple-of-8-bytes.patch
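Review bot: The new parent-directory mask drops IN_ATTRIB while the `else` branch keeps whatever `flags_table[s->type]` carries for the final path, and nothing in the code records why the two masks differ; the reasoning lives only in the commit message and will be lost on the next refactor. I would put it above the assignment: `/* No IN_ATTRIB here: on a directory it fires for every attribute change of any child and causes spurious wakeups; the final path's own watch tracks its link count. */`. path_spec_watch() starts and ends outside the hunk.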
@@ -0,0 +1,32 @@
+From a8451d2be90c69869c780353665b67b7133c3823 Mon Sep 17 00:00:00 2001
+From: Daan De Meyer
+Date: Sun, 3 Nov 2024 21:45:29 +0100
+Subject: [PATCH 0988/1160] pcrlock: Pad pe hash to a multiple of 8 bytes
+
+All other tools (sbsigntools, osslsigncode, sbctl, goblin) do this
+as well so let's follow suite.
+
+(cherry picked from commit e37701a8cd2db1e67d28bcf337467d8efc6de41e)
+(cherry picked from commit 9d22224e0021c15962ed153ae1c71974806a8ecc)
+---
+ src/pcrlock/pehash.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/pcrlock/pehash.c b/src/pcrlock/pehash.c
+index 7e9dade1f7..39ed61cc2e 100644
+--- a/src/pcrlock/pehash.c
++++ b/src/pcrlock/pehash.c
+@@ -135,6 +135,10 @@ int pe_hash(int fd,
+ r = hash_file(fd, mdctx, p, st.st_size - p - certificate_table->Size);
+ if (r < 0)
+ return r;
++
++ /* If the file size is not a multiple of 8 bytes, pad the hash with zero bytes. */
++ if (st.st_size % 8 != 0 && EVP_DigestUpdate(mdctx, (const uint8_t[8]) {}, 8 - (st.st_size % 8)) != 1)
++ return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE), "Unable to hash data.");
+ }
+
+ int hsz = EVP_MD_CTX_size(mdctx);
+--
+2.33.0
+
diff --git a/backport-pcrlock-Print-correct-NV-index-when-writing-new-poli.patch b/backport-pcrlock-Print-correct-NV-index-when-writing-new-poli.patch
new file mode 100644
index 0000000..aef74bf
--- /dev/null
+++ b/backport-pcrlock-Print-correct-NV-index-when-writing-new-poli.patch
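Review bot: The padding is derived from `st.st_size`, but it is emitted inside the block that also hashes the data after the certificate table, and that block's condition starts before the hunk; if that condition is something like "there is a certificate table" or "there is trailing data", an image that skips the block also skips the padding and ends up with a digest that no longer matches sbsigntools or osslsigncode. Please confirm every image reaches this point, or move the padding after the closing brace so it is applied unconditionally. The comment should also say where the rule comes from, since as far as I can tell the Authenticode specification itself does not pad: `/* Authenticode does not mandate this, but sbsigntools, osslsigncode, sbctl and goblin pad the hashed length to a multiple of 8 bytes; match them so our digests are comparable. */`. pe_hash() starts and ends outside the hunk.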
@@ -0,0 +1,28 @@
+From 711ce9f719a942ef122620207533452c84f68b5d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Gabr=C3=ADel=20Arth=C3=BAr=20P=C3=A9tursson?=
+
+Date: Thu, 4 Jan 2024 12:42:04 +0000
+Subject: [PATCH 0124/1160] pcrlock: Print correct NV index when writing new
+ policy
+
+(cherry picked from commit ab39d29606e5604bbf4adf50c45e78271d7482a0)
+---
+ src/pcrlock/pcrlock.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/pcrlock/pcrlock.c b/src/pcrlock/pcrlock.c
+index 56d41a1e2c..6baffce7d6 100644
+--- a/src/pcrlock/pcrlock.c
++++ b/src/pcrlock/pcrlock.c
+@@ -4593,7 +4593,7 @@ static int verb_make_policy(int argc, char *argv[], void *userdata) {
+ return r;
+ }
+
+- log_info("Written new policy to '%s' and digest to TPM2 NV index 0x%" PRIu32 ".", path, nv_index);
++ log_info("Written new policy to '%s' and digest to TPM2 NV index 0x%x.", path, nv_index);
+
+ log_info("Overall time spent: %s", FORMAT_TIMESPAN(usec_sub_unsigned(now(CLOCK_MONOTONIC), start_usec), 1));
+
+--
+2.33.0
+
diff --git a/backport-pcrlock-Take-VirtualSize-SizeOfRawData-into-account.patch b/backport-pcrlock-Take-VirtualSize-SizeOfRawData-into-account.patch
new file mode 100644
index 0000000..c7d360c
--- /dev/null
+++ b/backport-pcrlock-Take-VirtualSize-SizeOfRawData-into-account.patch
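Review bot: `0x%x` assumes `nv_index` is a plain `unsigned int`; the line it replaces used `PRIu32`, which suggests the variable is a `uint32_t`, and the neighbouring pcrlock-firmware.c spells its hex formats as `PRIx32`. Keeping the fixed-width macro preserves that convention and is what the original author evidently intended: `log_info("Written new policy to '%s' and digest to TPM2 NV index 0x%" PRIx32 ".", path, nv_index);`. On every platform systemd targets the two are equivalent, so this is a style point only. verb_make_policy() starts and ends outside the hunk.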
@@ -0,0 +1,48 @@
+From 006a72eb352c60f0dff3bd9042cda1ee8619dc6c Mon Sep 17 00:00:00 2001
+From: Daan De Meyer
+Date: Mon, 7 Oct 2024 17:39:27 +0200
+Subject: [PATCH 0963/1160] pcrlock: Take VirtualSize > SizeOfRawData into
+ account
+
+If VirtualSize > SizeOfRawData, measure extra zeros to take into
+account the extra zeros also measured by the stub.
+
+(cherry picked from commit b53f2d5ed8ad0e537e9086daf84f9c2bf69fb72b)
+(cherry picked from commit 206c1a0d5a14279a65fc3a33e69d399fca8fe02d)
+---
+ src/pcrlock/pehash.c | 16 +++++++++++++++-
+ 1 file changed, 15 insertions(+), 1 deletion(-)
+
+diff --git a/src/pcrlock/pehash.c b/src/pcrlock/pehash.c
+index 06d1f6afc7..7e9dade1f7 100644
+--- a/src/pcrlock/pehash.c
++++ b/src/pcrlock/pehash.c
+@@ -216,10 +216,24 @@ int uki_hash(int fd,
+ if (EVP_DigestInit_ex(mdctx, md, NULL) != 1)
+ return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE), "Failed to allocate message digest.");
+
+- r = hash_file(fd, mdctx, section->PointerToRawData, section->VirtualSize);
++ r = hash_file(fd, mdctx, section->PointerToRawData, MIN(section->VirtualSize, section->SizeOfRawData));
+ if (r < 0)
+ return r;
+
++ if (section->SizeOfRawData < section->VirtualSize) {
++ uint8_t zeroes[1024] = {};
++ size_t remaining = section->VirtualSize - section->SizeOfRawData;
++
++ while (remaining > 0) {
++ size_t sz = MIN(sizeof(zeroes), remaining);
++
++ if (EVP_DigestUpdate(mdctx, zeroes, sz) != 1)
++ return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE), "Unable to hash data.");
++
++ remaining -= sz;
++ }
++ }
++
+ hashes[i] = malloc(hsz);
+ if (!hashes[i])
+ return log_oom_debug();
+--
+2.33.0
+
diff --git a/backport-pcrlock-tweak-error-messages-when-we-are-not-looking.patch b/backport-pcrlock-tweak-error-messages-when-we-are-not-looking.patch
new file mode 100644
index 0000000..681cf42
--- /dev/null
+++ b/backport-pcrlock-tweak-error-messages-when-we-are-not-looking.patch
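Review bot: `section->VirtualSize` and `section->SizeOfRawData` are read straight from the section table of the image being measured, and nothing in the hunk bounds `remaining`, so a malformed header claiming a VirtualSize near UINT32_MAX with a tiny SizeOfRawData makes this loop push up to 4 GiB of zeros through EVP_DigestUpdate() before anything fails. If the section headers are not already validated against the optional header's SizeOfImage before uki_hash() gets here (that code is outside the hunk), rejecting a VirtualSize larger than the image with -EBADMSG would bound the work. The zero-extension itself mirrors what the stub measures, so the functional change looks right; this is only about hostile or corrupt input. uki_hash() starts and ends outside the hunk.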
@@ -0,0 +1,40 @@ +From 261de1c1e982e5493b71b05b52e313f7ed872716 Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Thu, 30 May 2024 10:12:12 +0200 +Subject: [PATCH 0705/1160] pcrlock: tweak error messages when we are not + looking at a TPM2 event log + +If we are looking at a TPM1.2 event log the first log record will not be +the "EfiSpecIdEvent" but something else. Let's improve the log messages +about this, and say explicitly that this is likely not a TPM2.0 event +log. + +(cherry picked from commit 500552241209cf96303f47bcc38b5ba7a5b40341) +--- + src/pcrlock/pcrlock-firmware.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/src/pcrlock/pcrlock-firmware.c b/src/pcrlock/pcrlock-firmware.c +index 73c68c2237..6fd7363144 100644 +--- a/src/pcrlock/pcrlock-firmware.c ++++ b/src/pcrlock/pcrlock-firmware.c +@@ -100,12 +100,12 @@ int validate_firmware_header( + if (size < (uint64_t) offsetof(TCG_PCClientPCREvent, event) + (uint64_t) h->eventDataSize) + return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Event log too short for TCG_PCClientPCREvent events data."); + +- if (h->pcrIndex != 0) +- return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Event log header has unexpected PCR index %" PRIu32, h->pcrIndex); + if (h->eventType != EV_NO_ACTION) +- return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Event log header has unexpected event type 0x%" PRIx32, h->eventType); ++ return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Event log header has unexpected event type 0x%08" PRIx32 ". (Probably not a TPM2 event log?)", h->eventType); ++ if (h->pcrIndex != 0) ++ return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Event log header has unexpected PCR index %" PRIu32 ". 
(Probably not a TPM2 event log?)", h->pcrIndex); + if (!memeqzero(h->digest, sizeof(h->digest))) +- return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Event log header has unexpected non-zero digest."); ++ return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Event log header has unexpected non-zero digest. (Probably not a TPM2 event log?)"); + + if (h->eventDataSize < offsetof(TCG_EfiSpecIDEvent, digestSizes)) + return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Event log header too short for TCG_EfiSpecIdEvent."); +-- +2.33.0 + diff --git a/backport-pe-binary-.initrd-section-is-optional-for-UKI.patch b/backport-pe-binary-.initrd-section-is-optional-for-UKI.patch new file mode 100644 index 0000000..1a51840 --- /dev/null +++ b/backport-pe-binary-.initrd-section-is-optional-for-UKI.patch 
@@ -0,0 +1,34 @@
+From 2dad3e4d0fce0f52a232c9214e24884e5b6a331b Mon Sep 17 00:00:00 2001
+From: Yu Watanabe
+Date: Thu, 16 May 2024 06:08:27 +0900
+Subject: [PATCH 0635/1160] pe-binary: .initrd section is optional for UKI
+
+.osrel is also optional, but sd-boot and bootctl requires it.
+So, let's keep .osrel section at least now.
+
+Fixes #32774.
+
+(cherry picked from commit 2e93331605e6b6a919121fd957a852431b0b8a19)
+---
+ src/shared/pe-binary.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/src/shared/pe-binary.c b/src/shared/pe-binary.c
+index 4c05323d95..997e0e49a6 100644
+--- a/src/shared/pe-binary.c
++++ b/src/shared/pe-binary.c
+@@ -234,8 +234,9 @@ bool pe_is_uki(const PeHeader *pe_header, const IMAGE_SECTION_HEADER *sections)
+ if (le16toh(pe_header->optional.Subsystem) != IMAGE_SUBSYSTEM_EFI_APPLICATION)
+ return false;
+
++ /* Note that the UKI spec only requires .linux, but we are stricter here, and require .osrel too,
++ * since for sd-boot it just doesn't make sense to not have that. */
+ return
+ pe_header_find_section(pe_header, sections, ".osrel") &&
+- pe_header_find_section(pe_header, sections, ".linux") &&
+- pe_header_find_section(pe_header, sections, ".initrd");
++ pe_header_find_section(pe_header, sections, ".linux");
+ }
+--
+2.33.0
+
diff --git a/backport-pe-binary-fix-array-overrun.patch b/backport-pe-binary-fix-array-overrun.patch
new file mode 100644
index 0000000..d04194a
--- /dev/null
+++ b/backport-pe-binary-fix-array-overrun.patch
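Review bot: Relaxing pe_is_uki() means every caller that previously relied on a `.initrd` section being present now has to tolerate `pe_header_find_section(..., ".initrd")` returning NULL; those callers are outside this hunk and the commit touches only this function, so please check that nothing downstream dereferences that lookup unconditionally. The new comment explains why `.osrel` stays mandatory; I would extend it with the consequence for callers: `/* Callers must therefore treat .initrd (and every other section not checked here) as possibly absent. */`.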
@@ -0,0 +1,34 @@
+From 1d957625bf03457132dacbf82931b4be1931df68 Mon Sep 17 00:00:00 2001
+From: Yu Watanabe
+Date: Wed, 19 Feb 2025 03:09:38 +0900
+Subject: [PATCH 1147/1160] pe-binary: fix array overrun
+
+This is a kind of paranoia, as memeqzero() does not read anyting if
+length is zero. But, strictly speaking C language does not allow such,
+and Coverity warn about that.
+
+Fixes CID#1561177.
+
+(cherry picked from commit 6529ab0b066c93a6b8a8bf24b999d67e67a261f5)
+(cherry picked from commit 73986494b65acd5eb68b889d0b8966f72f55bbb3)
+(cherry picked from commit 9b7aaf3e02469676efcbcbdeab53dda40f090fe9)
+---
+ src/shared/pe-binary.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/shared/pe-binary.c b/src/shared/pe-binary.c
+index 997e0e49a6..0554940da6 100644
+--- a/src/shared/pe-binary.c
++++ b/src/shared/pe-binary.c
+@@ -54,7 +54,7 @@ const IMAGE_SECTION_HEADER *pe_header_find_section(
+
+ FOREACH_ARRAY(section, sections, le16toh(pe_header->pe.NumberOfSections))
+ if (memcmp(section->Name, name, n) == 0 &&
+- memeqzero(section->Name + n, sizeof(section->Name) - n))
++ (n == sizeof(sections[0].Name) || memeqzero(section->Name + n, sizeof(section->Name) - n)))
+ return section;
+
+ return NULL;
+--
+2.33.0
+
diff --git a/backport-pid1-add-env-var-to-override-default-mount-rate-limit-interval.patch b/backport-pid1-add-env-var-to-override-default-mount-rate-limit-interval.patch
index fa2c478..2d1c9c9 100644
--- a/backport-pid1-add-env-var-to-override-default-mount-rate-limit-interval.patch
+++ b/backport-pid1-add-env-var-to-override-default-mount-rate-limit-interval.patch
@@ -13,7 +13,7 @@ This also allows users to solve #34690.
 Signed-off-by: xujing
 ---
  src/core/mount.c | 14 +++++++++++---
- 1 files changed, 11 insertions(+), 3 deletions(-)
+ 1 file changed, 11 insertions(+), 3 deletions(-)
 
 diff --git a/src/core/mount.c b/src/core/mount.c
 index ead9b46..f4bc6eb 100644
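Review bot: The new guard spells the same field two ways in one expression, `sizeof(sections[0].Name)` and `sizeof(section->Name)`; using `sizeof(section->Name)` for both reads as one invariant and matches the line it replaces: `(n == sizeof(section->Name) || memeqzero(section->Name + n, sizeof(section->Name) - n))`. The guard only handles `n` equal to the name length; if `n` could ever exceed the 8-byte `Name` field, `memcmp()` would read past it, so whatever bounds `n` earlier in pe_header_find_section() (outside the hunk) is what actually keeps this safe and deserves a one-line comment here, e.g. `/* n <= sizeof(Name) is guaranteed above */`. pe_header_find_section() starts outside the hunk.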
diff --git a/backport-pid1-make-clear-that-WATCHDOG_USEC-is-set-for-the-sh.patch b/backport-pid1-make-clear-that-WATCHDOG_USEC-is-set-for-the-sh.patch
new file mode 100644
index 0000000..c1b117d
--- /dev/null
+++ b/backport-pid1-make-clear-that-WATCHDOG_USEC-is-set-for-the-sh.patch
@@ -0,0 +1,42 @@
+From cab88476b2b00693463992c051a0464f6bba7c85 Mon Sep 17 00:00:00 2001
+From: Lennart Poettering
+Date: Thu, 14 Nov 2024 23:16:19 +0100
+Subject: [PATCH 1016/1160] pid1: make clear that $WATCHDOG_USEC is set for the
+ shutdown binary, noone else
+
+We use the $WATCHDOG_USEC variable for two very closely uses: as part of
+the sd_watchdog_enabled() protocol for implementing service watchdogs.
+And as part of the protocol between the service manager and
+systemd-shutdown across the PID 1 execve() transition during shutdown.
+
+Apparently some exitrds tools got confused by the latter use. Let's
+address that by setting $WATCHDOG_PID to 1, in accordance to the
+sd_watchdog_enabled() protocol to make clear this is only intended for
+PID 1 and nothing else.
+
+Replaces: #35135
+(cherry picked from commit 4b20ae9a0e914e61d6bac095e5fc9664510ac03e)
+(cherry picked from commit cf7b3cc18225ef8824f9cac9c88b7ea0b0dce3cd)
+---
+ src/core/main.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/core/main.c b/src/core/main.c
+index 1c0030a75f..8373a156cb 100644
+--- a/src/core/main.c
++++ b/src/core/main.c
+@@ -1547,6 +1547,11 @@ static int become_shutdown(int objective, int retval) {
+ /* Tell the binary how often to ping, ignore failure */
+ (void) strv_extendf(&env_block, "WATCHDOG_USEC="USEC_FMT, watchdog_timer);
+
++ /* Make sure that tools that look for $WATCHDOG_USEC (and might get started by the exitrd) don't get
++ * confused by the variable, because the sd_watchdog_enabled() protocol uses the same variable for
++ * the same purposes. */
++ (void) strv_extendf(&env_block, "WATCHDOG_PID=" PID_FMT, getpid_cached());
++
+ if (arg_watchdog_device)
+ (void) strv_extendf(&env_block, "WATCHDOG_DEVICE=%s", arg_watchdog_device);
+
+--
+2.33.0
+
diff --git a/backport-po-add-false-positives-to-POTFILES.skip.patch b/backport-po-add-false-positives-to-POTFILES.skip.patch
new file mode 100644
index 0000000..fd4a173
--- /dev/null
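Review bot: The new comment says the sd_watchdog_enabled() protocol uses the variable "for the same purposes", which contradicts the commit message (same variable, different purpose) and does not explain why exporting `WATCHDOG_PID` fixes anything. I would rephrase it so the mechanism is in the code: `/* sd_watchdog_enabled() only honours $WATCHDOG_USEC when $WATCHDOG_PID matches the caller's PID. We stay PID 1 across the execve() into systemd-shutdown, so only that binary sees the watchdog as enabled; anything it spawns (e.g. exitrd tools) will ignore it. */`. That `getpid_cached()` yields 1 here follows from this running in the service manager, as the commit message states, but it is not visible in the hunk. become_shutdown() continues past the end of the hunk.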
+++ b/backport-po-add-false-positives-to-POTFILES.skip.patch
@@ -0,0 +1,33 @@
+From 2307507a2bd464f3774e8698d154483583718819 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Piotr=20Dr=C4=85g?=
+Date: Sat, 2 Mar 2024 16:06:15 +0100
+Subject: [PATCH 0432/1160] po: add false positives to POTFILES.skip
+
+Scripts used to detect files that should be in POTFILES.in, like
+intltool-update -m used on https://l10n.gnome.org/module/systemd/,
+falsely detect these files as containing translations. Avoid this
+behavior by putting the files in POTFILES.skip.
+
+(cherry picked from commit 4c3cffff7a6c49d2f9405e38cd8dc13595d174a3)
+---
+ po/POTFILES.skip | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/po/POTFILES.skip b/po/POTFILES.skip
+index c9cb70c424..befe6a08c5 100644
+--- a/po/POTFILES.skip
++++ b/po/POTFILES.skip
+@@ -22,7 +22,10 @@ src/hostname/hostnamed.c
+ src/locale/localed.c
+ src/timedate/timedated.c
+ units/debug-shell.service.in
++units/systemd-battery-check.service.in
++units/systemd-bootctl@.service.in
+ units/systemd-journald.service.in
+ units/systemd-pcrextend@.service.in
++units/systemd-pcrlock@.service.in
+ units/systemd-timesyncd.service.in
+ units/user@.service.in
+--
+2.33.0
+
diff --git a/backport-portable-Don-t-fail-if-etc-resolv.conf-doesn-t-exist.patch b/backport-portable-Don-t-fail-if-etc-resolv.conf-doesn-t-exist.patch
new file mode 100644
index 0000000..ac07b5e
--- /dev/null
+++ b/backport-portable-Don-t-fail-if-etc-resolv.conf-doesn-t-exist.patch
@@ -0,0 +1,42 @@
+From e3d5e162eb84e5e679159bce20b9a92929f01bbc Mon Sep 17 00:00:00 2001
+From: Daan De Meyer
+Date: Thu, 25 Apr 2024 13:49:01 +0200
+Subject: [PATCH 0569/1160] portable: Don't fail if /etc/resolv.conf doesn't
+ exist
+
+The portable profiles assume /etc/resolv.conf exists, which isn't
+always the case. Let's mark the mounts as optional so we don't fail
+to start the unit if /etc/resolv.conf doesn't exist.
+
+(cherry picked from commit f449a29bb9914f2645f37a3e177afef1e2c0536a)
+---
+ src/portable/profile/default/service.conf | 2 +-
+ src/portable/profile/trusted/service.conf | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/portable/profile/default/service.conf b/src/portable/profile/default/service.conf
+index 230aa60781..5c447d6641 100644
+--- a/src/portable/profile/default/service.conf
++++ b/src/portable/profile/default/service.conf
+@@ -4,7 +4,7 @@
+ MountAPIVFS=yes
+ BindReadOnlyPaths=/dev/log /run/systemd/journal/socket /run/systemd/journal/stdout
+ BindReadOnlyPaths=/etc/machine-id
+-BindReadOnlyPaths=/etc/resolv.conf
++BindReadOnlyPaths=-/etc/resolv.conf
+ BindReadOnlyPaths=/run/dbus/system_bus_socket
+ DynamicUser=yes
+ RemoveIPC=yes
+diff --git a/src/portable/profile/trusted/service.conf b/src/portable/profile/trusted/service.conf
+index 04deeb2262..144d4f6c23 100644
+--- a/src/portable/profile/trusted/service.conf
++++ b/src/portable/profile/trusted/service.conf
+@@ -5,4 +5,4 @@ MountAPIVFS=yes
+ PrivateTmp=yes
+ BindPaths=/run
+ BindReadOnlyPaths=/etc/machine-id
+-BindReadOnlyPaths=/etc/resolv.conf
++BindReadOnlyPaths=-/etc/resolv.conf
+--
+2.33.0
+
diff --git a/backport-portable-ensure-PORTABLE_FORCE_ATTACH-works-even-whe.patch b/backport-portable-ensure-PORTABLE_FORCE_ATTACH-works-even-whe.patch
new file mode 100644
index 0000000..37ec028
--- /dev/null
+++ b/backport-portable-ensure-PORTABLE_FORCE_ATTACH-works-even-whe.patch
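Review bot: Making the bind mount optional changes what the service resolves with when the host has no /etc/resolv.conf: instead of failing to start, the unit now silently runs with whatever /etc/resolv.conf the portable image itself ships (or none), so name resolution inside the service may no longer follow the host's configuration. That is presumably the intended trade-off, but it is invisible to an operator reading the profile, so I would annotate the line in both profiles: `# Optional: without a host /etc/resolv.conf the image's own copy (if any) is what the service sees`. Nothing else in either profile hints at this fallback.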
@@ -0,0 +1,143 @@ +From 5ce348ab304b3fab0eeb35fafd0b711aad60ad99 Mon Sep 17 00:00:00 2001 +From: Luca Boccassi +Date: Fri, 30 Aug 2024 17:55:18 +0100 +Subject: [PATCH 0874/1160] portable: ensure PORTABLE_FORCE_ATTACH works even + when there is a leftover unit + +Force means force, we skip checks with PID1 for existing units, but +then bail out with EEXIST if the files are actually there. Overwrite +everything instead. + +(cherry picked from commit 1e2d1a7202400e08a00782f32804fdc503259806) +(cherry picked from commit 2552348da2c961ac9732614eb129228bba4d51da) +--- + src/portable/portable.c | 28 ++++++++++++++++++++++------ + test/units/testsuite-29.sh | 37 +++++++++++++++++++++++++++++++++++++ + 2 files changed, 59 insertions(+), 6 deletions(-) + +diff --git a/src/portable/portable.c b/src/portable/portable.c +index 3b2a37912f..faeb97bd06 100644 +--- a/src/portable/portable.c ++++ b/src/portable/portable.c +@@ -1205,8 +1205,12 @@ static int install_profile_dropin( + return -ENOMEM; + + if (flags & PORTABLE_PREFER_COPY) { ++ CopyFlags copy_flags = COPY_REFLINK|COPY_FSYNC; + +- r = copy_file_atomic(from, dropin, 0644, COPY_REFLINK|COPY_FSYNC); ++ if (flags & PORTABLE_FORCE_ATTACH) ++ copy_flags |= COPY_REPLACE; ++ ++ r = copy_file_atomic(from, dropin, 0644, copy_flags); + if (r < 0) + return log_debug_errno(r, "Failed to copy %s %s %s: %m", from, special_glyph(SPECIAL_GLYPH_ARROW_RIGHT), dropin); + +@@ -1214,8 +1218,12 @@ static int install_profile_dropin( + + } else { + +- if (symlink(from, dropin) < 0) +- return log_debug_errno(errno, "Failed to link %s %s %s: %m", from, special_glyph(SPECIAL_GLYPH_ARROW_RIGHT), dropin); ++ if (flags & PORTABLE_FORCE_ATTACH) ++ r = symlink_atomic(from, dropin); ++ else ++ r = RET_NERRNO(symlink(from, dropin)); ++ if (r < 0) ++ return log_debug_errno(r, "Failed to link %s %s %s: %m", from, special_glyph(SPECIAL_GLYPH_ARROW_RIGHT), dropin); + + (void) portable_changes_add(changes, n_changes, PORTABLE_SYMLINK, dropin, from); + } +@@ 
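Review bot: The force-aware symlink sequence `if (flags & PORTABLE_FORCE_ATTACH) r = symlink_atomic(from, dropin); else r = RET_NERRNO(symlink(from, dropin));` is now written out here in install_profile_dropin() and again, verbatim apart from the names, in attach_unit_file() in the following hunk, and the copy path grows the matching `COPY_REPLACE` / `LINK_TMPFILE_REPLACE` toggle in two places as well. A small `static int portable_symlink(const char *from, const char *to, PortableFlags flags)` that picks the atomic variant would keep the two call sites from drifting. Note also that under --force the destination is replaced without any check that what is there was installed by portabled; the new test only covers leftovers under /run/systemd/system.attached, so please confirm an admin-authored unit cannot live in the attach directory. install_profile_dropin() starts outside the hunk.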
-1301,15 +1309,23 @@ static int attach_unit_file( + + if ((flags & PORTABLE_PREFER_SYMLINK) && m->source) { + +- if (symlink(m->source, path) < 0) +- return log_debug_errno(errno, "Failed to symlink unit file '%s': %m", path); ++ if (flags & PORTABLE_FORCE_ATTACH) ++ r = symlink_atomic(m->source, path); ++ else ++ r = RET_NERRNO(symlink(m->source, path)); ++ if (r < 0) ++ return log_debug_errno(r, "Failed to symlink unit file '%s': %m", path); + + (void) portable_changes_add(changes, n_changes, PORTABLE_SYMLINK, path, m->source); + + } else { ++ LinkTmpfileFlags link_flags = LINK_TMPFILE_SYNC; + _cleanup_(unlink_and_freep) char *tmp = NULL; + _cleanup_close_ int fd = -EBADF; + ++ if (flags & PORTABLE_FORCE_ATTACH) ++ link_flags |= LINK_TMPFILE_REPLACE; ++ + (void) mac_selinux_create_file_prepare_label(path, m->selinux_label); + + fd = open_tmpfile_linkable(path, O_WRONLY|O_CLOEXEC, &tmp); +@@ -1324,7 +1340,7 @@ static int attach_unit_file( + if (fchmod(fd, 0644) < 0) + return log_debug_errno(errno, "Failed to change unit file access mode for '%s': %m", path); + +- r = link_tmpfile(fd, tmp, path, LINK_TMPFILE_SYNC); ++ r = link_tmpfile(fd, tmp, path, link_flags); + if (r < 0) + return log_debug_errno(r, "Failed to install unit file '%s': %m", path); + +diff --git a/test/units/testsuite-29.sh b/test/units/testsuite-29.sh +index cf93976081..a422d97420 100755 +--- a/test/units/testsuite-29.sh ++++ b/test/units/testsuite-29.sh +@@ -68,6 +68,21 @@ busctl tree org.freedesktop.portable1 --no-pager | grep -q -F '/org/freedesktop/ + + # Ensure we don't regress (again) when using --force + ++mkdir -p /run/systemd/system.attached/minimal-app0.service.d/ ++cat </run/systemd/system.attached/minimal-app0.service ++[Unit] ++Description=Minimal App 0 ++EOF ++cat </run/systemd/system.attached/minimal-app0.service.d/10-profile.conf ++[Unit] ++Description=Minimal App 0 ++EOF ++cat </run/systemd/system.attached/minimal-app0.service.d/20-portable.conf ++[Unit] ++Description=Minimal App 
0 ++EOF ++systemctl daemon-reload ++ + portablectl "${ARGS[@]}" attach --force --now --runtime /usr/share/minimal_0.raw minimal-app0 + + portablectl is-attached --force minimal-app0 +@@ -239,6 +254,28 @@ systemctl is-active app1.service + + portablectl detach --now --runtime overlay app1 + ++# Ensure --force works also when symlinking ++mkdir -p /run/systemd/system.attached/app1.service.d ++cat </run/systemd/system.attached/app1.service ++[Unit] ++Description=App 1 ++EOF ++cat </run/systemd/system.attached/app1.service.d/10-profile.conf ++[Unit] ++Description=App 1 ++EOF ++cat </run/systemd/system.attached/app1.service.d/20-portable.conf ++[Unit] ++Description=App 1 ++EOF ++systemctl daemon-reload ++ ++portablectl "${ARGS[@]}" attach --force --copy=symlink --now --runtime /tmp/overlay app1 ++ ++systemctl is-active app1.service ++ ++portablectl detach --now --runtime overlay app1 ++ + umount /tmp/overlay + + portablectl "${ARGS[@]}" attach --copy=symlink --now --runtime --extension /tmp/app0 --extension /tmp/app1 /tmp/rootdir app0 app1 +-- +2.33.0 + diff --git a/backport-portable-fix-portablectl-list-to-show-the-actual-sta.patch b/backport-portable-fix-portablectl-list-to-show-the-actual-sta.patch new file mode 100644 index 0000000..0a801fc --- /dev/null +++ b/backport-portable-fix-portablectl-list-to-show-the-actual-sta.patch 
@@ -0,0 +1,72 @@ +From 1b0932676d82cd4c3def83a589d59dc4cc61e5a6 Mon Sep 17 00:00:00 2001 +From: Luca Boccassi +Date: Thu, 28 Mar 2024 14:16:39 +0000 +Subject: [PATCH 0541/1160] portable: fix 'portablectl list' to show the actual + state for extensions + +When listing images they are inspected one by one, so in case of a +portable with extensions they always resulted as not found. +Allow a partial match when listing, so that we can find the appropriate +unit that an image belongs to, and list the correct state as attached. + +(cherry picked from commit 373a1e47b2878a278c130712ab2910139ccc18a2) +--- + src/portable/portable.c | 19 +++++++++++++------ + 1 file changed, 13 insertions(+), 6 deletions(-) + +diff --git a/src/portable/portable.c b/src/portable/portable.c +index 38b655154c..3b2a37912f 100644 +--- a/src/portable/portable.c ++++ b/src/portable/portable.c +@@ -1623,7 +1623,7 @@ int portable_attach( + return 0; + } + +-static bool marker_matches_images(const char *marker, const char *name_or_path, char **extension_image_paths) { ++static bool marker_matches_images(const char *marker, const char *name_or_path, char **extension_image_paths, bool match_all) { + _cleanup_strv_free_ char **root_and_extensions = NULL; + int r; + +@@ -1634,7 +1634,9 @@ static bool marker_matches_images(const char *marker, const char *name_or_path, + * list of images/paths. We enforce strict 1:1 matching, so that we are sure + * we are detaching exactly what was attached. + * For each image, starting with the root, we look for a token in the marker, +- * and return a negative answer on any non-matching combination. */ ++ * and return a negative answer on any non-matching combination. ++ * If a partial match is allowed, then return immediately once it is found, otherwise ++ * ensure that everything matches. 
*/ + + root_and_extensions = strv_new(name_or_path); + if (!root_and_extensions) +@@ -1663,11 +1665,14 @@ static bool marker_matches_images(const char *marker, const char *name_or_path, + if (r < 0) + return log_debug_errno(r, "Failed to extract image name from %s, ignoring: %m", *image_name_or_path); + +- if (!streq(base_image, base_image_name_or_path)) +- return false; ++ if (!streq(base_image, base_image_name_or_path)) { ++ if (match_all) ++ return false; ++ } else if (!match_all) ++ return true; + } + +- return true; ++ return match_all; + } + + static int test_chroot_dropin( +@@ -1722,7 +1727,9 @@ static int test_chroot_dropin( + if (!name_or_path) + r = true; + else +- r = marker_matches_images(marker, name_or_path, extension_image_paths); ++ /* When detaching we want to match exactly on all images, but when inspecting we only need ++ * to get the state of one component */ ++ r = marker_matches_images(marker, name_or_path, extension_image_paths, ret_marker != NULL); + + if (ret_marker) + *ret_marker = TAKE_PTR(marker); +-- +2.33.0 + diff --git a/backport-portable-log-structured-message-when-attach-detach-s.patch b/backport-portable-log-structured-message-when-attach-detach-s.patch new file mode 100644 index 0000000..f206cc6 --- /dev/null +++ b/backport-portable-log-structured-message-when-attach-detach-s.patch 
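Review bot: `marker_matches_images(marker, name_or_path, extension_image_paths, ret_marker != NULL)` ties the matching semantics to whether the caller wants the marker string back, so a future caller that asks for the marker while listing, or detaches without it, silently gets the wrong mode; the comment describes the intent but the code does not carry it. I would name the decision at the one place it is made, e.g. `bool match_all = ret_marker != NULL; /* detach: every image must match; list/inspect: any component suffices */` and pass `match_all`, or better give test_chroot_dropin() an explicit parameter. In marker_matches_images() the final `return match_all;` deserves a one-liner too: `/* match_all: all images matched; partial mode: none did */`. test_chroot_dropin() starts and ends outside the hunk.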
@@ -0,0 +1,194 @@ +From eef244f6c6b47c3110d20e7e7cb9152df1e90700 Mon Sep 17 00:00:00 2001 +From: Luca Boccassi +Date: Thu, 18 Jan 2024 19:32:47 +0000 +Subject: [PATCH 0269/1160] portable: log structured message when attach/detach + succeeds + +Currently portabled is completely silent (when not using debug level). But +when the system state is changed (ie: a portable is attached or detached) +there are no traces left in the journal. Log at info level when either of +those operations succeed, as they are effectively changing the state of +the system. + +Create new MESSAGE_IDs for these logs, and also append PORTABLE_ROOT= +(and PORTABLE_EXTENSION= if any), like the units themselves are +configured to do via LogExtraFields=, so that the same metadata can +be found in the attach/detach messages and in logs from the units +themselves. + +(cherry picked from commit a0cca4d1b07e603e0ceeaff6d42518d5546617f8) +--- + catalog/systemd.catalog.in | 20 +++++++++ + src/portable/portable.c | 90 ++++++++++++++++++++++++++++++++++++++ + src/systemd/sd-messages.h | 5 +++ + 3 files changed, 115 insertions(+) + +diff --git a/catalog/systemd.catalog.in b/catalog/systemd.catalog.in +index 8591a654aa..04e90e0b75 100644 +--- a/catalog/systemd.catalog.in ++++ b/catalog/systemd.catalog.in +@@ -748,3 +748,23 @@ Compatibility support for System V services in systemd is deprecated. Please + make sure to update the package in question to provide proper, native systemd + unit files. Contact vendor if necessary. Compatibility support for System V + services is deprecated and will be removed soon. ++ ++-- 187c62eb1e7f463bb530394f52cb090f ++Subject: A Portable Service has been attached ++Defined-By: systemd ++Support: %SUPPORT_URL% ++Documentation: https://systemd.io/PORTABLE_SERVICES/ ++ ++A new Portable Service @PORTABLE_ROOT@ (with extensions: @PORTABLE_EXTENSION@) has ++been attached to the system and is now available for use. 
The list of attached ++Portable Services can be queried with 'portablectl list'. ++ ++-- 76c5c754d628490d8ecba4c9d042112b ++Subject: A Portable Service has been detached ++Defined-By: systemd ++Support: %SUPPORT_URL% ++Documentation: https://systemd.io/PORTABLE_SERVICES/ ++ ++A Portable Service @PORTABLE_ROOT@ (with extensions: @PORTABLE_EXTENSION@) has been ++detached from the system and is no longer available for use. The list of attached ++Portable Services can be queried with 'portablectl list'. +diff --git a/src/portable/portable.c b/src/portable/portable.c +index d4b448a627..6054f0f17f 100644 +--- a/src/portable/portable.c ++++ b/src/portable/portable.c +@@ -2,6 +2,8 @@ + + #include + ++#include "sd-messages.h" ++ + #include "bus-common-errors.h" + #include "bus-error.h" + #include "bus-locator.h" +@@ -1430,6 +1432,78 @@ static bool prefix_matches_compatible(char **matches, char **valid_prefixes) { + return true; + } + ++static void log_portable_verb( ++ const char *verb, ++ const char *message_id, ++ const char *image_path, ++ OrderedHashmap *extension_images, ++ char **extension_image_paths, ++ PortableFlags flags) { ++ ++ _cleanup_free_ char *root_base_name = NULL, *extensions_joined = NULL; ++ _cleanup_strv_free_ char **extension_base_names = NULL; ++ Image *ext; ++ int r; ++ ++ assert(verb); ++ assert(message_id); ++ assert(image_path); ++ assert(!extension_images || !extension_image_paths); ++ ++ /* Use the same structured metadata as it is attached to units via LogExtraFields=. The main image ++ * is logged as PORTABLE_ROOT= and extensions, if any, as individual PORTABLE_EXTENSION= fields. 
*/ ++ ++ r = path_extract_filename(image_path, &root_base_name); ++ if (r < 0) ++ log_debug_errno(r, "Failed to extract basename from '%s', ignoring: %m", image_path); ++ ++ ORDERED_HASHMAP_FOREACH(ext, extension_images) { ++ _cleanup_free_ char *extension_base_name = NULL; ++ ++ r = path_extract_filename(ext->path, &extension_base_name); ++ if (r < 0) { ++ log_debug_errno(r, "Failed to extract basename from '%s', ignoring: %m", ext->path); ++ continue; ++ } ++ ++ r = strv_extendf(&extension_base_names, "PORTABLE_EXTENSION=%s", extension_base_name); ++ if (r < 0) ++ log_oom_debug(); ++ ++ if (!strextend_with_separator(&extensions_joined, ", ", ext->path)) ++ log_oom_debug(); ++ } ++ ++ STRV_FOREACH(e, extension_image_paths) { ++ _cleanup_free_ char *extension_base_name = NULL; ++ ++ r = path_extract_filename(*e, &extension_base_name); ++ if (r < 0) { ++ log_debug_errno(r, "Failed to extract basename from '%s', ignoring: %m", *e); ++ continue; ++ } ++ ++ r = strv_extendf(&extension_base_names, "PORTABLE_EXTENSION=%s", extension_base_name); ++ if (r < 0) ++ log_oom_debug(); ++ ++ if (!strextend_with_separator(&extensions_joined, ", ", *e)) ++ log_oom_debug(); ++ } ++ ++ LOG_CONTEXT_PUSH_STRV(extension_base_names); ++ ++ log_struct(LOG_INFO, ++ LOG_MESSAGE("Successfully %s%s '%s%s%s'", ++ verb, ++ FLAGS_SET(flags, PORTABLE_RUNTIME) ? " ephemeral" : "", ++ image_path, ++ isempty(extensions_joined) ? "" : "' and its extension(s) '", ++ strempty(extensions_joined)), ++ message_id, ++ "PORTABLE_ROOT=%s", strna(root_base_name)); ++} ++ + int portable_attach( + sd_bus *bus, + const char *name_or_path, +@@ -1538,6 +1612,14 @@ int portable_attach( + * operation otherwise. 
*/ + (void) install_image_and_extensions_symlinks(image, extension_images, flags, changes, n_changes); + ++ log_portable_verb( ++ "attached", ++ "MESSAGE_ID=" SD_MESSAGE_PORTABLE_ATTACHED_STR, ++ image->path, ++ extension_images, ++ /* extension_image_paths= */ NULL, ++ flags); ++ + return 0; + } + +@@ -1861,6 +1943,14 @@ int portable_detach( + if (rmdir(where) >= 0) + portable_changes_add(changes, n_changes, PORTABLE_UNLINK, where, NULL); + ++ log_portable_verb( ++ "detached", ++ "MESSAGE_ID=" SD_MESSAGE_PORTABLE_DETACHED_STR, ++ name_or_path, ++ /* extension_images= */ NULL, ++ extension_image_paths, ++ flags); ++ + return ret; + + not_found: +diff --git a/src/systemd/sd-messages.h b/src/systemd/sd-messages.h +index b220fa0113..e3f68068a8 100644 +--- a/src/systemd/sd-messages.h ++++ b/src/systemd/sd-messages.h +@@ -267,6 +267,11 @@ _SD_BEGIN_DECLARATIONS; + #define SD_MESSAGE_SYSV_GENERATOR_DEPRECATED SD_ID128_MAKE(a8,fa,8d,ac,db,1d,44,3e,95,03,b8,be,36,7a,6a,db) + #define SD_MESSAGE_SYSV_GENERATOR_DEPRECATED_STR SD_ID128_MAKE_STR(a8,fa,8d,ac,db,1d,44,3e,95,03,b8,be,36,7a,6a,db) + ++#define SD_MESSAGE_PORTABLE_ATTACHED SD_ID128_MAKE(18,7c,62,eb,1e,7f,46,3b,b5,30,39,4f,52,cb,09,0f) ++#define SD_MESSAGE_PORTABLE_ATTACHED_STR SD_ID128_MAKE_STR(18,7c,62,eb,1e,7f,46,3b,b5,30,39,4f,52,cb,09,0f) ++#define SD_MESSAGE_PORTABLE_DETACHED SD_ID128_MAKE(76,c5,c7,54,d6,28,49,0d,8e,cb,a4,c9,d0,42,11,2b) ++#define SD_MESSAGE_PORTABLE_DETACHED_STR SD_ID128_MAKE_STR(76,c5,c7,54,d6,28,49,0d,8e,cb,a4,c9,d0,42,11,2b) ++ + _SD_END_DECLARATIONS; + + #endif +-- +2.33.0 + diff --git a/backport-posix_spawn_wrapper-do-not-set-POSIX_SPAWN_SETSIGDEF.patch b/backport-posix_spawn_wrapper-do-not-set-POSIX_SPAWN_SETSIGDEF.patch new file mode 100644 index 0000000..be91ceb --- /dev/null +++ b/backport-posix_spawn_wrapper-do-not-set-POSIX_SPAWN_SETSIGDEF.patch 
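Review bot: The `log_portable_verb("detached", ...)` call in portable_detach runs unconditionally right before `return ret;`, so if `ret` can hold a gathered error at that point (its assignments are outside the hunk) the journal receives a "Successfully detached" record with the PORTABLE_DETACHED message id for a detach that partly failed; guarding it with `if (ret >= 0)` keeps the structured message truthful. Separately, both catalog entries embed `(with extensions: @PORTABLE_EXTENSION@)` while the code emits one `PORTABLE_EXTENSION=` field per extension and none at all when there are no extensions, so the text rendered by `journalctl -x` may show the raw placeholder or only one of several extensions — worth checking against how the catalog substitutes repeated or absent fields. log_portable_verb is complete in the hunk; portable_attach and portable_detach start outside it.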
@@ -0,0 +1,43 @@ +From a1099190ef0c83a270108ce90e26dba909bec6c1 Mon Sep 17 00:00:00 2001 +From: Mike Gilbert +Date: Thu, 24 Oct 2024 12:24:35 -0400 +Subject: [PATCH 0985/1160] posix_spawn_wrapper: do not set + POSIX_SPAWN_SETSIGDEF flag + +Setting this flag is a noop without a corresponding call to +posix_spawnattr_setsigdefault. + +If we call posix_spawnattr_setsigdefault with a full signal set, +it causes glibc's posix_spawn implementation to call sigaction 63 times, +once for each signal. That seems wasteful. + +This feature is really only useful for signals which have their +disposition set to SIG_IGN. Otherwise the dispostion gets set to +SIG_DFL automatically, either by clone(CLONE_CLEAR_SIGHAND) or the +subsequent execve. + +As far as I can tell, systemd does not have any signals set to SIG_IGN +under normal operating conditions. + +(cherry picked from commit ff94426f8a2d6cd4ea2e370835db152917a1684e) +(cherry picked from commit aa0aa1093d646f3efbcbc9cf09476ee032839bdd) +--- + src/basic/process-util.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/basic/process-util.c b/src/basic/process-util.c +index 4492e7ded2..1447f65399 100644 +--- a/src/basic/process-util.c ++++ b/src/basic/process-util.c +@@ -1948,7 +1948,7 @@ int posix_spawn_wrapper(const char *path, char *const *argv, char *const *envp, + if (r != 0) + return -r; /* These functions return a positive errno on failure */ + /* Set all signals to SIG_DFL */ +- r = posix_spawnattr_setflags(&attr, POSIX_SPAWN_SETSIGMASK|POSIX_SPAWN_SETSIGDEF); ++ r = posix_spawnattr_setflags(&attr, POSIX_SPAWN_SETSIGMASK); + if (r != 0) + goto fail; + r = posix_spawnattr_setsigmask(&attr, &mask); +-- +2.33.0 + diff --git a/backport-preset-all-continue-on-errors-report-more-errors.patch b/backport-preset-all-continue-on-errors-report-more-errors.patch new file mode 100644 index 0000000..a57f772 --- /dev/null +++ b/backport-preset-all-continue-on-errors-report-more-errors.patch 
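Review bot: The comment `/* Set all signals to SIG_DFL */` directly above the changed line is now stale: without POSIX_SPAWN_SETSIGDEF the attribute no longer touches dispositions at all, and per the commit message the reset is delegated to clone(CLONE_CLEAR_SIGHAND)/execve, which only works because the calling process is assumed to have no handler set to SIG_IGN (SIG_IGN survives execve). Replace it with `/* Only the signal mask is set here; dispositions are reset by clone(CLONE_CLEAR_SIGHAND)/execve, which relies on this process never leaving a signal at SIG_IGN */` so the assumption is recorded where a future caller that ignores a signal would look. posix_spawn_wrapper starts and ends outside the hunk.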
@@ -0,0 +1,101 @@ +From 672226be317b3bb02b4281aea2dc4e2ed648ce22 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Tue, 7 May 2024 18:54:24 +0200 +Subject: [PATCH 0607/1160] preset-all: continue on errors, report more errors +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Firstly, if we encounter an error when iterating over the directory, gather +the error but continue. This is unlikely to happen, but if it happens, then +it doesn't seem very useful to break the preset processing at a random +point. If we can't process a unit — too bad, but since we already might +have processed some units earlier, we might as well try to process the +remaining ones. + +Secondly, add missing error codes for units that are in a bad state to the +exclusion list. Those, we report them in the changes list, but consider the +whole operation a success. (-ETXTBSY and -ENOLINK were missing.) + +Thirdly, add a message generator for -ENOLINK. + +Fixes https://github.com/systemd/systemd/issues/21224. 
+ +(cherry picked from commit a4f0e0da3573a10bc5404142be8799418760b1d1) +--- + src/shared/install.c | 37 +++++++++++++++++++++++++++---------- + 1 file changed, 27 insertions(+), 10 deletions(-) + +diff --git a/src/shared/install.c b/src/shared/install.c +index 27a421e463..8400e489b2 100644 +--- a/src/shared/install.c ++++ b/src/shared/install.c +@@ -435,6 +435,11 @@ void install_changes_dump(int r, const char *verb, const InstallChange *changes, + err = log_error_errno(changes[i].type, "Failed to %s unit, unit %s does not exist.", + verb, changes[i].path); + break; ++ case -ENOLINK: ++ err = log_error_errno(changes[i].type, "Failed to %s unit, %s is an unresolvable alias.", ++ verb, changes[i].path); ++ break; ++ + case -EUNATCH: + err = log_error_errno(changes[i].type, "Failed to %s unit, cannot resolve specifiers in \"%s\".", + verb, changes[i].path); +@@ -3600,18 +3605,19 @@ int unit_file_preset_all( + if (r < 0) + return r; + ++ r = 0; + STRV_FOREACH(i, lp.search_path) { + _cleanup_closedir_ DIR *d = NULL; + + d = opendir(*i); + if (!d) { +- if (errno == ENOENT) +- continue; +- +- return -errno; ++ if (errno != ENOENT) ++ RET_GATHER(r, -errno); ++ continue; + } + +- FOREACH_DIRENT(de, d, return -errno) { ++ FOREACH_DIRENT(de, d, RET_GATHER(r, -errno)) { ++ int k; + + if (!unit_name_is_valid(de->d_name, UNIT_NAME_ANY)) + continue; +@@ -3619,12 +3625,23 @@ int unit_file_preset_all( + if (!IN_SET(de->d_type, DT_LNK, DT_REG)) + continue; + +- r = preset_prepare_one(scope, &plus, &minus, &lp, de->d_name, &presets, changes, n_changes); +- if (r < 0 && +- !IN_SET(r, -EEXIST, -ERFKILL, -EADDRNOTAVAIL, -EBADSLT, -EIDRM, -EUCLEAN, -ELOOP, -ENOENT, -EUNATCH, -EXDEV)) ++ k = preset_prepare_one(scope, &plus, &minus, &lp, de->d_name, &presets, changes, n_changes); ++ if (k < 0 && ++ !IN_SET(k, -EEXIST, ++ -ERFKILL, ++ -EADDRNOTAVAIL, ++ -ETXTBSY, ++ -EBADSLT, ++ -EIDRM, ++ -EUCLEAN, ++ -ELOOP, ++ -EXDEV, ++ -ENOENT, ++ -ENOLINK, ++ -EUNATCH)) + /* Ignore 
generated/transient/missing/invalid units when applying preset, propagate other errors. +- * Coordinate with install_changes_dump() above. */ +- return r; ++ * Coordinate with install_change_dump_error() above. */ ++ RET_GATHER(r, k); + } + } + +-- +2.33.0 + diff --git a/backport-preset-enable-confext-and-sysext-by-default-31211.patch b/backport-preset-enable-confext-and-sysext-by-default-31211.patch new file mode 100644 index 0000000..468635e --- /dev/null +++ b/backport-preset-enable-confext-and-sysext-by-default-31211.patch @@ -0,0 +1,32 @@ +From 4601f9fc8dfad84b96d30e94a1d4032f0c229e84 Mon Sep 17 00:00:00 2001 +From: Maanya Goenka <114760360+goenkam@users.noreply.github.com> +Date: Tue, 6 Feb 2024 12:19:59 -0800 +Subject: [PATCH 0206/1160] preset: enable confext and sysext by default + (#31211) + +(cherry picked from commit 34e17203bd1fda75e198a1b0ef90e30ced0b598a) +--- + presets/90-systemd.preset | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/presets/90-systemd.preset b/presets/90-systemd.preset +index 798cad46b0..2c918b2181 100644 +--- a/presets/90-systemd.preset ++++ b/presets/90-systemd.preset +@@ -17,11 +17,13 @@ enable machines.target + + enable getty@.service + enable systemd-timesyncd.service ++enable systemd-confext.service + enable systemd-networkd.service + enable systemd-networkd-wait-online.service + enable systemd-network-generator.service + enable systemd-resolved.service + enable systemd-homed.service ++enable systemd-sysext.service + enable systemd-userdbd.socket + enable systemd-pstore.service + enable systemd-boot-update.service +-- +2.33.0 + diff --git a/backport-process-util-do-not-unblock-unrelated-signals-while-.patch b/backport-process-util-do-not-unblock-unrelated-signals-while-.patch new file mode 100644 index 0000000..b11f804 --- /dev/null +++ b/backport-process-util-do-not-unblock-unrelated-signals-while-.patch 
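Review bot: The rewritten trailing comment in the loop says `Coordinate with install_change_dump_error() above`, but the function this same patch extends with the -ENOLINK case is `install_changes_dump()` (see the first hunk's header); unless a helper by that name exists elsewhere in this tree, the backport leaves a dangling reference and the line should read `* Coordinate with install_changes_dump() above. */`. Since `r` now accumulates errors via RET_GATHER instead of returning early, whatever follows the loop in unit_file_preset_all (outside the hunk) should be checked to confirm it still returns the gathered `r` and does not treat a partially built plus/minus set as an unconditional success. unit_file_preset_all starts and ends outside the hunk.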
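Review bot: Enabling systemd-sysext.service and systemd-confext.service by default is a policy change rather than a bug fix: any extension image present in the extension search locations is merged into the running system at boot, and nothing in the patch records that for the distribution picking up this backport. A changelog entry stating the new default, and a note on which image-verification expectations (signed verity images versus plain directories) apply, would let administrators decide whether to mask the two units before the upgrade reaches them.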
@@ -0,0 +1,62 @@ +From 049896ca56c39972f392de7627c5ecaac4681c1d Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Thu, 9 Jan 2025 11:15:49 +0100 +Subject: [PATCH 1086/1160] process-util: do not unblock unrelated signals + while forking + +This makes sure when we are blocking signals in preparation for fork() +we'll not temporarily unblock any signals previously set, by mistake. + +It's safe for us to block more, but not to unblock signals already +blocked. Fix that. + +Fixes: #35470 +(cherry picked from commit 78933625084b11c495c073fc7c34067315a1da50) +(cherry picked from commit 29ac2b6515d2eecfaec95b98f0bf5ce8c2881669) +(cherry picked from commit 28de6e0aebd16dd62a879f90dc3c90be66d90e46) +--- + src/basic/process-util.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +diff --git a/src/basic/process-util.c b/src/basic/process-util.c +index 1447f65399..bbce0ea985 100644 +--- a/src/basic/process-util.c ++++ b/src/basic/process-util.c +@@ -1336,11 +1336,6 @@ int must_be_root(void) { + return log_error_errno(SYNTHETIC_ERRNO(EPERM), "Need to be root."); + } + +-static void restore_sigsetp(sigset_t **ssp) { +- if (*ssp) +- (void) sigprocmask(SIG_SETMASK, *ssp, NULL); +-} +- + pid_t clone_with_nested_stack(int (*fn)(void *), int flags, void *userdata) { + size_t ps; + pid_t pid; +@@ -1380,6 +1375,11 @@ pid_t clone_with_nested_stack(int (*fn)(void *), int flags, void *userdata) { + return pid; + } + ++static void restore_sigsetp(sigset_t **ssp) { ++ if (*ssp) ++ (void) sigprocmask(SIG_SETMASK, *ssp, NULL); ++} ++ + static int fork_flags_to_signal(ForkFlags flags) { + return (flags & FORK_DEATHSIG_SIGTERM) ? SIGTERM : + (flags & FORK_DEATHSIG_SIGINT) ? 
SIGINT : +@@ -1432,8 +1432,8 @@ int safe_fork_full( + } + + if (block_signals) { +- if (sigprocmask(SIG_SETMASK, &ss, &saved_ss) < 0) +- return log_full_errno(prio, errno, "Failed to set signal mask: %m"); ++ if (sigprocmask(SIG_BLOCK, &ss, &saved_ss) < 0) ++ return log_full_errno(prio, errno, "Failed to block signal mask: %m"); + saved_ssp = &saved_ss; + } + +-- +2.33.0 + diff --git a/backport-ptyfwd-add-missing-assertions-for-pty_forward_new.patch b/backport-ptyfwd-add-missing-assertions-for-pty_forward_new.patch new file mode 100644 index 0000000..e17d329 --- /dev/null +++ b/backport-ptyfwd-add-missing-assertions-for-pty_forward_new.patch @@ -0,0 +1,27 @@ +From 867b5a72582ae91e63f3181d707977de583559af Mon Sep 17 00:00:00 2001 +From: Mike Yuan +Date: Tue, 21 May 2024 20:07:01 +0800 +Subject: [PATCH 0668/1160] ptyfwd: add missing assertions for pty_forward_new + +(cherry picked from commit d735753256c1e0f3e9a4efaab17ba9ee47650403) +--- + src/shared/ptyfwd.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/src/shared/ptyfwd.c b/src/shared/ptyfwd.c +index 195e603224..585640eb1c 100644 +--- a/src/shared/ptyfwd.c ++++ b/src/shared/ptyfwd.c +@@ -406,6 +406,9 @@ int pty_forward_new( + struct winsize ws; + int r; + ++ assert(master >= 0); ++ assert(ret); ++ + f = new(PTYForward, 1); + if (!f) + return -ENOMEM; +-- +2.33.0 + diff --git a/backport-qrcode-util-add-debug-message-to-show-why-a-qrcode-w.patch b/backport-qrcode-util-add-debug-message-to-show-why-a-qrcode-w.patch new file mode 100644 index 0000000..f41512e --- /dev/null +++ b/backport-qrcode-util-add-debug-message-to-show-why-a-qrcode-w.patch 
@@ -0,0 +1,67 @@ +From 0a65d027cad2bac5df14cc024afc2857e7a8f851 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Mon, 28 Oct 2024 13:15:32 +0100 +Subject: [PATCH 0975/1160] qrcode-util: add debug message to show why a qrcode + wasn't printed + +(cherry picked from commit f0764b98e5c136cb948a8034949064f610acca24) +(cherry picked from commit b3fd2104bc0b30c45ec8c04e5cf867a7f9356cc3) +--- + src/shared/qrcode-util.c | 17 +++++++++-------- + 1 file changed, 9 insertions(+), 8 deletions(-) + +diff --git a/src/shared/qrcode-util.c b/src/shared/qrcode-util.c +index b0dd90acd1..55438ba716 100644 +--- a/src/shared/qrcode-util.c ++++ b/src/shared/qrcode-util.c +@@ -173,8 +173,10 @@ int print_qrcode_full(FILE *out, const char *header, const char *string, unsigne + + /* If this is not a UTF-8 system or ANSI colors aren't supported/disabled don't print any QR + * codes */ +- if (!is_locale_utf8() || !colors_enabled()) +- return -EOPNOTSUPP; ++ if (!is_locale_utf8()) ++ return log_debug_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "Not an UTF-8 system, cannot print qrcode"); ++ if (!colors_enabled()) ++ return log_debug_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "Colors are disabled, cannot print qrcode"); + + r = dlopen_qrencode(); + if (r < 0) +@@ -182,21 +184,21 @@ int print_qrcode_full(FILE *out, const char *header, const char *string, unsigne + + qr = sym_QRcode_encodeString(string, 0, QR_ECLEVEL_L, QR_MODE_8, 1); + if (!qr) +- return -ENOMEM; ++ return log_oom_debug(); + + if (row != UINT_MAX && column != UINT_MAX) { +- int fd; + unsigned qr_code_width, qr_code_height; +- fd = fileno(out); ++ ++ int fd = fileno(out); + if (fd < 0) + return log_debug_errno(errno, "Failed to get file descriptor from the file stream: %m"); +- qr_code_width = qr_code_height = qr->width + 8; + ++ qr_code_width = qr_code_height = qr->width + 8; + if (column + qr_code_width > tty_width) + column = tty_width - qr_code_width; + + /* Terminal characters are twice as high as they 
are wide so it's qr_code_height / 2, +- * our QR code prints an extra new line, so we have -1 as well */ ++ * our QR code prints an extra new line, so we have -1 as well */ + if (row + qr_code_height > tty_height) + row = tty_height - (qr_code_height / 2 ) - 1; + +@@ -212,7 +214,6 @@ int print_qrcode_full(FILE *out, const char *header, const char *string, unsigne + fprintf(out, "\n%s:\n\n", header); + + write_qrcode(out, qr, row, column); +- + fputc('\n', out); + + sym_QRcode_free(qr); +-- +2.33.0 + diff --git a/backport-qrcode-util-avoid-memleak-in-error-path.patch b/backport-qrcode-util-avoid-memleak-in-error-path.patch new file mode 100644 index 0000000..38744e5 --- /dev/null +++ b/backport-qrcode-util-avoid-memleak-in-error-path.patch 
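Review bot: `return log_oom_debug();` for a NULL from `sym_QRcode_encodeString` works against the purpose of this patch, because libqrencode returns NULL with errno set to EINVAL or ERANGE (invalid input, data too long) as well as ENOMEM, so the debug log will report "out of memory" for the common oversize-payload case. Prefer `return log_debug_errno(errno_or_else(ENOMEM), "Failed to encode QR code: %m");` so the real reason is shown. Minor: the new string `"Not an UTF-8 system, cannot print qrcode"` should read "Not a UTF-8 system". print_qrcode_full starts and ends outside the hunk.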
@@ -0,0 +1,53 @@ +From a442374107b4c7c2dde9d71b5a105679c560b35c Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Mon, 28 Oct 2024 13:45:40 +0100 +Subject: [PATCH 0978/1160] qrcode-util: avoid memleak in error path + +(cherry picked from commit 439306da8b3962f683f5359c461d1669c070f377) +(cherry picked from commit bbda54c6717a0a079741ded27401d7de363f9d26) +--- + src/shared/qrcode-util.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/src/shared/qrcode-util.c b/src/shared/qrcode-util.c +index e70f4e5ddb..e494a62e1f 100644 +--- a/src/shared/qrcode-util.c ++++ b/src/shared/qrcode-util.c +@@ -167,6 +167,8 @@ static void write_qrcode(FILE *output, QRcode *qr, unsigned int row, unsigned in + fflush(output); + } + ++DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(QRcode*, sym_QRcode_free, NULL); ++ + int print_qrcode_full( + FILE *out, + const char *header, +@@ -177,7 +179,6 @@ int print_qrcode_full( + unsigned tty_height, + bool check_tty) { + +- QRcode* qr; + int r; + + /* If this is not a UTF-8 system or ANSI colors aren't supported/disabled don't print any QR +@@ -191,7 +192,8 @@ int print_qrcode_full( + if (r < 0) + return r; + +- qr = sym_QRcode_encodeString(string, 0, QR_ECLEVEL_L, QR_MODE_8, 1); ++ _cleanup_(sym_QRcode_freep) QRcode *qr = ++ sym_QRcode_encodeString(string, 0, QR_ECLEVEL_L, QR_MODE_8, 1); + if (!qr) + return log_oom_debug(); + +@@ -225,7 +227,6 @@ int print_qrcode_full( + write_qrcode(out, qr, row, column); + fputc('\n', out); + +- sym_QRcode_free(qr); + return 0; + } + #endif +-- +2.33.0 + diff --git a/backport-random-util-fix-compilation-error.patch b/backport-random-util-fix-compilation-error.patch new file mode 100644 index 0000000..92d4ba4 --- /dev/null +++ b/backport-random-util-fix-compilation-error.patch 
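Review bot: The `_cleanup_(sym_QRcode_freep)` handler calls through the dlopen-resolved `sym_QRcode_free` pointer, which is only safe because `qr` can be non-NULL solely after `dlopen_qrencode()` succeeded a few lines earlier; that ordering invariant is not written down next to the declaration. Suggest `/* sym_QRcode_free is resolved by dlopen_qrencode() above, so the cleanup only ever runs with a valid function pointer */` on the `_cleanup_` line. print_qrcode_full starts and ends outside the hunk.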
@@ -0,0 +1,44 @@ +From 85eafb57df113cf85164120def1b6c42f894823c Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Thu, 16 Jan 2025 01:29:04 +0900 +Subject: [PATCH 1095/1160] random-util: fix compilation error + +Fixes the following error: +``` +../src/basic/random-util.c: In function "fallback_random_bytes": +../src/basic/random-util.c:45:26: error: initializer-string for array of "char" is too long [-Werror=unterminated-string-initialization] + 45 | .label = "systemd fallback random bytes v1", + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +cc1: all warnings being treated as errors +``` + +(cherry picked from commit e722fe74ca5e00d3c8a5f85342b75c40ace051f9) +(cherry picked from commit 8f2f04b7d4ce80d9908f93e9cb458c9e92b19108) +(cherry picked from commit 57d2446acdaa668e3a24489aa197d4672fce2197) +--- + src/basic/random-util.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/basic/random-util.c b/src/basic/random-util.c +index c7277ad01e..eea9c52158 100644 +--- a/src/basic/random-util.c ++++ b/src/basic/random-util.c +@@ -44,7 +44,6 @@ static void fallback_random_bytes(void *p, size_t n) { + uint8_t auxval[16]; + } state = { + /* Arbitrary domain separation to prevent other usage of AT_RANDOM from clashing. */ +- .label = "systemd fallback random bytes v1", + .call_id = fallback_counter++, + .stamp_mono = now(CLOCK_MONOTONIC), + .stamp_real = now(CLOCK_REALTIME), +@@ -52,6 +51,7 @@ static void fallback_random_bytes(void *p, size_t n) { + .tid = gettid(), + }; + ++ memcpy(state.label, "systemd fallback random bytes v1", sizeof(state.label)); + #if HAVE_SYS_AUXV_H + memcpy(state.auxval, ULONG_TO_PTR(getauxval(AT_RANDOM)), sizeof(state.auxval)); + #endif +-- +2.33.0 + diff --git a/backport-reboot-util-Add-some-basic-validation-on-reboot-argu.patch b/backport-reboot-util-Add-some-basic-validation-on-reboot-argu.patch new file mode 100644 index 0000000..d4cd301 --- /dev/null +++ b/backport-reboot-util-Add-some-basic-validation-on-reboot-argu.patch 
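Review bot: `memcpy(state.label, "systemd fallback random bytes v1", sizeof(state.label))` is correct only while the literal is at least `sizeof(state.label)` bytes long; the declaration of `label` is outside the hunk, and if it is ever widened the copy reads past the literal, while if it shrinks the domain-separation string is silently truncated without any diagnostic. Pin the relationship next to the copy with a compile-time check such as `assert_cc(sizeof("systemd fallback random bytes v1") - 1 == sizeof(state.label));`, or keep the literal in a macro used by both the declaration and the memcpy. fallback_random_bytes starts and ends outside the hunk.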
@@ -0,0 +1,221 @@ +From dba7fd523c61ea49cefce388bf3993cd52124aeb Mon Sep 17 00:00:00 2001 +From: Daan De Meyer +Date: Wed, 1 May 2024 10:28:34 +0200 +Subject: [PATCH 0586/1160] reboot-util: Add some basic validation on reboot + arguments + +Let's only accept valid ASCII and put a size limit on reboot arguments. + +(cherry picked from commit b7ad4778794b6bfc63d4b11c7c39cfe5a21228a4) +--- + src/core/dbus-unit.c | 4 +-- + src/core/dbus-util.c | 2 ++ + src/core/dbus-util.h | 1 + + src/core/load-fragment-gperf.gperf.in | 4 +-- + src/core/load-fragment.c | 35 +++++++++++++++++++++++++++ + src/core/load-fragment.h | 1 + + src/login/logind-dbus.c | 3 +++ + src/shared/reboot-util.c | 10 ++++++++ + src/shared/reboot-util.h | 1 + + 9 files changed, 57 insertions(+), 4 deletions(-) + +diff --git a/src/core/dbus-unit.c b/src/core/dbus-unit.c +index 1a037b7035..7c8e462055 100644 +--- a/src/core/dbus-unit.c ++++ b/src/core/dbus-unit.c +@@ -2210,7 +2210,7 @@ static int bus_unit_set_transient_property( + return bus_set_transient_emergency_action(u, name, &u->job_timeout_action, message, flags, error); + + if (streq(name, "JobTimeoutRebootArgument")) +- return bus_set_transient_string(u, name, &u->job_timeout_reboot_arg, message, flags, error); ++ return bus_set_transient_reboot_parameter(u, name, &u->job_timeout_reboot_arg, message, flags, error); + + if (streq(name, "StartLimitIntervalUSec")) + return bus_set_transient_usec(u, name, &u->start_ratelimit.interval, message, flags, error); +@@ -2234,7 +2234,7 @@ static int bus_unit_set_transient_property( + return bus_set_transient_exit_status(u, name, &u->success_action_exit_status, message, flags, error); + + if (streq(name, "RebootArgument")) +- return bus_set_transient_string(u, name, &u->reboot_arg, message, flags, error); ++ return bus_set_transient_reboot_parameter(u, name, &u->reboot_arg, message, flags, error); + + if (streq(name, "CollectMode")) + return bus_set_transient_collect_mode(u, name, &u->collect_mode, message, 
flags, error); +diff --git a/src/core/dbus-util.c b/src/core/dbus-util.c +index d680a64268..7bb026af48 100644 +--- a/src/core/dbus-util.c ++++ b/src/core/dbus-util.c +@@ -6,6 +6,7 @@ + #include "escape.h" + #include "parse-util.h" + #include "path-util.h" ++#include "reboot-util.h" + #include "unit-printf.h" + #include "user-util.h" + #include "unit.h" +@@ -39,6 +40,7 @@ static bool valid_user_group_name_or_id_relaxed(const char *u) { + + BUS_DEFINE_SET_TRANSIENT_STRING_WITH_CHECK(user_relaxed, valid_user_group_name_or_id_relaxed); + BUS_DEFINE_SET_TRANSIENT_STRING_WITH_CHECK(path, path_is_absolute); ++BUS_DEFINE_SET_TRANSIENT_STRING_WITH_CHECK(reboot_parameter, reboot_parameter_is_valid); + + int bus_set_transient_string( + Unit *u, +diff --git a/src/core/dbus-util.h b/src/core/dbus-util.h +index 9464b25516..26024d55af 100644 +--- a/src/core/dbus-util.h ++++ b/src/core/dbus-util.h +@@ -239,6 +239,7 @@ int bus_set_transient_mode_t(Unit *u, const char *name, mode_t *p, sd_bus_messag + int bus_set_transient_unsigned(Unit *u, const char *name, unsigned *p, sd_bus_message *message, UnitWriteFlags flags, sd_bus_error *error); + int bus_set_transient_user_relaxed(Unit *u, const char *name, char **p, sd_bus_message *message, UnitWriteFlags flags, sd_bus_error *error); + int bus_set_transient_path(Unit *u, const char *name, char **p, sd_bus_message *message, UnitWriteFlags flags, sd_bus_error *error); ++int bus_set_transient_reboot_parameter(Unit *u, const char *name, char **p, sd_bus_message *message, UnitWriteFlags flags, sd_bus_error *error); + int bus_set_transient_string(Unit *u, const char *name, char **p, sd_bus_message *message, UnitWriteFlags flags, sd_bus_error *error); + int bus_set_transient_bool(Unit *u, const char *name, bool *p, sd_bus_message *message, UnitWriteFlags flags, sd_bus_error *error); + int bus_set_transient_tristate(Unit *u, const char *name, int *p, sd_bus_message *message, UnitWriteFlags flags, sd_bus_error *error); +diff --git 
a/src/core/load-fragment-gperf.gperf.in b/src/core/load-fragment-gperf.gperf.in +index 45f9ab03c4..1133d9ae0f 100644 +--- a/src/core/load-fragment-gperf.gperf.in ++++ b/src/core/load-fragment-gperf.gperf.in +@@ -325,7 +325,7 @@ Unit.IgnoreOnSnapshot, config_parse_warn_compat, + Unit.JobTimeoutSec, config_parse_job_timeout_sec, 0, 0 + Unit.JobRunningTimeoutSec, config_parse_job_running_timeout_sec, 0, 0 + Unit.JobTimeoutAction, config_parse_emergency_action, 0, offsetof(Unit, job_timeout_action) +-Unit.JobTimeoutRebootArgument, config_parse_unit_string_printf, 0, offsetof(Unit, job_timeout_reboot_arg) ++Unit.JobTimeoutRebootArgument, config_parse_reboot_parameter, 0, offsetof(Unit, job_timeout_reboot_arg) + Unit.StartLimitIntervalSec, config_parse_sec, 0, offsetof(Unit, start_ratelimit.interval) + {# The following is a legacy alias name for compatibility #} + Unit.StartLimitInterval, config_parse_sec, 0, offsetof(Unit, start_ratelimit.interval) +@@ -335,7 +335,7 @@ Unit.FailureAction, config_parse_emergency_action, + Unit.SuccessAction, config_parse_emergency_action, 0, offsetof(Unit, success_action) + Unit.FailureActionExitStatus, config_parse_exit_status, 0, offsetof(Unit, failure_action_exit_status) + Unit.SuccessActionExitStatus, config_parse_exit_status, 0, offsetof(Unit, success_action_exit_status) +-Unit.RebootArgument, config_parse_unit_string_printf, 0, offsetof(Unit, reboot_arg) ++Unit.RebootArgument, config_parse_reboot_parameter, 0, offsetof(Unit, reboot_arg) + Unit.ConditionPathExists, config_parse_unit_condition_path, CONDITION_PATH_EXISTS, offsetof(Unit, conditions) + Unit.ConditionPathExistsGlob, config_parse_unit_condition_path, CONDITION_PATH_EXISTS_GLOB, offsetof(Unit, conditions) + Unit.ConditionPathIsDirectory, config_parse_unit_condition_path, CONDITION_PATH_IS_DIRECTORY, offsetof(Unit, conditions) +diff --git a/src/core/load-fragment.c b/src/core/load-fragment.c +index 0baf08ecae..6e3e6a5ee9 100644 +--- a/src/core/load-fragment.c ++++ 
b/src/core/load-fragment.c +@@ -56,6 +56,7 @@ + #include "pcre2-util.h" + #include "percent-util.h" + #include "process-util.h" ++#include "reboot-util.h" + #include "seccomp-util.h" + #include "securebits-util.h" + #include "selinux-util.h" +@@ -361,6 +362,40 @@ int config_parse_unit_string_printf( + return config_parse_string(unit, filename, line, section, section_line, lvalue, ltype, k, data, userdata); + } + ++int config_parse_reboot_parameter( ++ const char *unit, ++ const char *filename, ++ unsigned line, ++ const char *section, ++ unsigned section_line, ++ const char *lvalue, ++ int ltype, ++ const char *rvalue, ++ void *data, ++ void *userdata) { ++ ++ _cleanup_free_ char *k = NULL; ++ const Unit *u = ASSERT_PTR(userdata); ++ int r; ++ ++ assert(filename); ++ assert(line); ++ assert(rvalue); ++ ++ r = unit_full_printf(u, rvalue, &k); ++ if (r < 0) { ++ log_syntax(unit, LOG_WARNING, filename, line, r, "Failed to resolve unit specifiers in '%s', ignoring: %m", rvalue); ++ return 0; ++ } ++ ++ if (!reboot_parameter_is_valid(k)) { ++ log_syntax(unit, LOG_WARNING, filename, line, 0, "Invalid reboot parameter '%s', ignoring.", k); ++ return 0; ++ } ++ ++ return config_parse_string(unit, filename, line, section, section_line, lvalue, ltype, k, data, userdata); ++} ++ + int config_parse_unit_strv_printf( + const char *unit, + const char *filename, +diff --git a/src/core/load-fragment.h b/src/core/load-fragment.h +index 69198050ea..3583046987 100644 +--- a/src/core/load-fragment.h ++++ b/src/core/load-fragment.h +@@ -23,6 +23,7 @@ void unit_dump_config_items(FILE *f); + CONFIG_PARSER_PROTOTYPE(config_parse_unit_deps); + CONFIG_PARSER_PROTOTYPE(config_parse_obsolete_unit_deps); + CONFIG_PARSER_PROTOTYPE(config_parse_unit_string_printf); ++CONFIG_PARSER_PROTOTYPE(config_parse_reboot_parameter); + CONFIG_PARSER_PROTOTYPE(config_parse_unit_strv_printf); + CONFIG_PARSER_PROTOTYPE(config_parse_unit_path_printf); + 
CONFIG_PARSER_PROTOTYPE(config_parse_colon_separated_paths); +diff --git a/src/login/logind-dbus.c b/src/login/logind-dbus.c +index cd2db2d18c..be5d8861a5 100644 +--- a/src/login/logind-dbus.c ++++ b/src/login/logind-dbus.c +@@ -2726,6 +2726,9 @@ static int method_set_reboot_parameter( + if (r < 0) + return r; + ++ if (!reboot_parameter_is_valid(arg)) ++ return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Invalid reboot parameter '%s'.", arg); ++ + r = detect_container(); + if (r < 0) + return r; +diff --git a/src/shared/reboot-util.c b/src/shared/reboot-util.c +index 62ff697fe2..b1c1aa75e6 100644 +--- a/src/shared/reboot-util.c ++++ b/src/shared/reboot-util.c +@@ -23,8 +23,15 @@ + #include "reboot-util.h" + #include "string-util.h" + #include "umask-util.h" ++#include "utf8.h" + #include "virt.h" + ++bool reboot_parameter_is_valid(const char *parameter) { ++ assert(parameter); ++ ++ return ascii_is_valid(parameter) && strlen(parameter) <= NAME_MAX; ++} ++ + int update_reboot_parameter_and_warn(const char *parameter, bool keep) { + int r; + +@@ -42,6 +49,9 @@ int update_reboot_parameter_and_warn(const char *parameter, bool keep) { + return 0; + } + ++ if (!reboot_parameter_is_valid(parameter)) ++ return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Invalid reboot parameter '%s'.", parameter); ++ + WITH_UMASK(0022) { + r = write_string_file("/run/systemd/reboot-param", parameter, + WRITE_STRING_FILE_CREATE|WRITE_STRING_FILE_ATOMIC); +diff --git a/src/shared/reboot-util.h b/src/shared/reboot-util.h +index ccd15c7b35..2ac478f784 100644 +--- a/src/shared/reboot-util.h ++++ b/src/shared/reboot-util.h +@@ -1,6 +1,7 @@ + /* SPDX-License-Identifier: LGPL-2.1-or-later */ + #pragma once + ++bool reboot_parameter_is_valid(const char *parameter); + int update_reboot_parameter_and_warn(const char *parameter, bool keep); + + typedef enum RebootFlags { +-- +2.33.0 + 
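Review bot: `reboot_parameter_is_valid()` accepts any 7-bit byte including control characters, because `ascii_is_valid()` only rejects bytes at or above 0x80; a parameter containing a newline is then written to `/run/systemd/reboot-param` via `write_string_file()` and, if the shutdown side reads it back with a one-line reader as I believe it does, is silently truncated before reaching reboot(2), and control characters also land verbatim in the `"Invalid reboot parameter '%s'."` log and D-Bus error strings. Tighten the check to `return ascii_is_valid(parameter) && !string_has_cc(parameter, NULL) && strlen(parameter) <= NAME_MAX;`. The same validator is reached from the unit-file parser, the transient-property setter and logind, so the one change covers all three paths; update_reboot_parameter_and_warn and method_set_reboot_parameter both continue outside the hunk.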
diff --git a/backport-recurse-dir-fix-wrong-assertion-and-error-code-in-lo.patch b/backport-recurse-dir-fix-wrong-assertion-and-error-code-in-lo.patch new file mode 100644 index 0000000..e605252 --- /dev/null +++ b/backport-recurse-dir-fix-wrong-assertion-and-error-code-in-lo.patch @@ -0,0 +1,40 @@ +From 68f7289b5f01f86a19a077a7f4f08c9eb3f78bae Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Fri, 28 Feb 2025 20:22:42 +0900 +Subject: [PATCH 1143/1160] recurse-dir: fix wrong assertion and error code in + log + +Fixes a bug in b5a07e524e42d2594174ca1a5b72aa4fdb9af94c (v250). + +(cherry picked from commit 91421f8379b66316f937d56c60c2e782b7a79eca) +(cherry picked from commit 349012c4935c49bde6bb7bc6daa8e4a783657338) +(cherry picked from commit 786f94faefe36fea7337ed2b2d31ea2040071da9) +--- + src/basic/recurse-dir.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/basic/recurse-dir.c b/src/basic/recurse-dir.c +index 5e98b7a5d8..d648862dbc 100644 +--- a/src/basic/recurse-dir.c ++++ b/src/basic/recurse-dir.c +@@ -308,7 +308,7 @@ int recurse_dir( + if (r < 0) { + log_debug_errno(r, "Failed to stat directory entry '%s': %m", p); + +- assert(errno <= RECURSE_DIR_SKIP_STAT_INODE_ERROR_MAX - RECURSE_DIR_SKIP_STAT_INODE_ERROR_BASE); ++ assert(-r <= RECURSE_DIR_SKIP_STAT_INODE_ERROR_MAX - RECURSE_DIR_SKIP_STAT_INODE_ERROR_BASE); + + r = func(RECURSE_DIR_SKIP_STAT_INODE_ERROR_BASE + -r, + p, +@@ -338,7 +338,7 @@ int recurse_dir( + * guarantee that RECURSE_DIR_ENTRY is strictly issued for + * non-directory dirents. */ + +- log_debug_errno(r, "Non-directory entry '%s' suddenly became a directory: %m", p); ++ log_debug("Non-directory entry '%s' suddenly became a directory.", p); + + r = func(RECURSE_DIR_SKIP_STAT_INODE_ERROR_BASE + EISDIR, + p, +-- +2.33.0 + diff --git a/backport-repart-Keep-existing-directory-timestamps-intact-whe.patch b/backport-repart-Keep-existing-directory-timestamps-intact-whe.patch new file mode 100644 index 0000000..b21225e 
--- /dev/null +++ b/backport-repart-Keep-existing-directory-timestamps-intact-whe.patch 
@@ -0,0 +1,127 @@ +From 7a3b3ad5225811e1a768e3a16cef5a0b6fe3a231 Mon Sep 17 00:00:00 2001 +From: Daan De Meyer +Date: Thu, 29 Aug 2024 22:59:48 +0200 +Subject: [PATCH 0864/1160] repart: Keep existing directory timestamps intact + when copying + +Otherwise, when merging multiple directory trees, the output becomes +unreproducible as the directory timestamps will be changed to the current +time when copying identical directories from the second tree. + +We introduce a new copy flag to achieve this behavior. + +(cherry picked from commit d850a544bc1f895decb452160c97a884a20b12b7) +(cherry picked from commit d5640c4f8583de2752a7f4e03006a1fa74942da1) +--- + src/partition/repart.c | 4 ++-- + src/shared/copy.c | 8 +++++++- + src/shared/copy.h | 39 ++++++++++++++++++++------------------- + 3 files changed, 29 insertions(+), 22 deletions(-) + +diff --git a/src/partition/repart.c b/src/partition/repart.c +index 70a96bddb0..59350dd26a 100644 +--- a/src/partition/repart.c ++++ b/src/partition/repart.c +@@ -4667,14 +4667,14 @@ static int do_copy_files(Context *context, Partition *p, const char *root) { + sfd, ".", + pfd, fn, + UID_INVALID, GID_INVALID, +- COPY_REFLINK|COPY_HOLES|COPY_MERGE|COPY_REPLACE|COPY_SIGINT|COPY_HARDLINKS|COPY_ALL_XATTRS|COPY_GRACEFUL_WARN|COPY_TRUNCATE, ++ COPY_REFLINK|COPY_HOLES|COPY_MERGE|COPY_REPLACE|COPY_SIGINT|COPY_HARDLINKS|COPY_ALL_XATTRS|COPY_GRACEFUL_WARN|COPY_TRUNCATE|COPY_RESTORE_DIRECTORY_TIMESTAMPS, + denylist, subvolumes_by_source_inode); + } else + r = copy_tree_at( + sfd, ".", + tfd, ".", + UID_INVALID, GID_INVALID, +- COPY_REFLINK|COPY_HOLES|COPY_MERGE|COPY_REPLACE|COPY_SIGINT|COPY_HARDLINKS|COPY_ALL_XATTRS|COPY_GRACEFUL_WARN|COPY_TRUNCATE, ++ COPY_REFLINK|COPY_HOLES|COPY_MERGE|COPY_REPLACE|COPY_SIGINT|COPY_HARDLINKS|COPY_ALL_XATTRS|COPY_GRACEFUL_WARN|COPY_TRUNCATE|COPY_RESTORE_DIRECTORY_TIMESTAMPS, + denylist, subvolumes_by_source_inode); + if (r < 0) + return log_error_errno(r, "Failed to copy '%s%s' to '%s%s': %m", +diff --git 
a/src/shared/copy.c b/src/shared/copy.c +index 2b87cbacd7..823992ca85 100644 +--- a/src/shared/copy.c ++++ b/src/shared/copy.c +@@ -981,6 +981,7 @@ static int fd_copy_directory( + + _cleanup_close_ int fdf = -EBADF, fdt = -EBADF; + _cleanup_closedir_ DIR *d = NULL; ++ struct stat dt_st; + bool exists; + int r; + +@@ -1025,6 +1026,9 @@ static int fd_copy_directory( + if (fdt < 0) + return fdt; + ++ if (exists && FLAGS_SET(copy_flags, COPY_RESTORE_DIRECTORY_TIMESTAMPS) && fstat(fdt, &dt_st) < 0) ++ return -errno; ++ + r = 0; + + if (PTR_TO_INT(hashmap_get(denylist, st)) == DENY_CONTENTS) { +@@ -1124,7 +1128,9 @@ finish: + + (void) copy_xattr(dirfd(d), NULL, fdt, NULL, copy_flags); + (void) futimens(fdt, (struct timespec[]) { st->st_atim, st->st_mtim }); +- } ++ } else if (FLAGS_SET(copy_flags, COPY_RESTORE_DIRECTORY_TIMESTAMPS)) ++ /* If the directory already exists, make sure the timestamps stay the same as before. */ ++ (void) futimens(fdt, (struct timespec[]) { dt_st.st_atim, dt_st.st_mtim }); + + if (copy_flags & COPY_FSYNC_FULL) { + if (fsync(fdt) < 0) +diff --git a/src/shared/copy.h b/src/shared/copy.h +index b8fb28a09e..db95738b80 100644 +--- a/src/shared/copy.h ++++ b/src/shared/copy.h +@@ -12,25 +12,26 @@ + #include "set.h" + + typedef enum CopyFlags { +- COPY_REFLINK = 1 << 0, /* Try to reflink */ +- COPY_MERGE = 1 << 1, /* Merge existing trees with our new one to copy */ +- COPY_REPLACE = 1 << 2, /* Replace an existing file if there's one */ +- COPY_SAME_MOUNT = 1 << 3, /* Don't descend recursively into other file systems, across mount point boundaries */ +- COPY_MERGE_EMPTY = 1 << 4, /* Merge an existing, empty directory with our new tree to copy */ +- COPY_CRTIME = 1 << 5, /* Generate a user.crtime_usec xattr off the source crtime if there is one, on copying */ +- COPY_SIGINT = 1 << 6, /* Check for SIGINT regularly and return EINTR if seen (caller needs to block SIGINT) */ +- COPY_SIGTERM = 1 << 7, /* ditto, but for SIGTERM */ +- COPY_MAC_CREATE = 1 << 
8, /* Create files with the correct MAC label (currently SELinux only) */ +- COPY_HARDLINKS = 1 << 9, /* Try to reproduce hard links */ +- COPY_FSYNC = 1 << 10, /* fsync() after we are done */ +- COPY_FSYNC_FULL = 1 << 11, /* fsync_full() after we are done */ +- COPY_SYNCFS = 1 << 12, /* syncfs() the *top-level* dir after we are done */ +- COPY_ALL_XATTRS = 1 << 13, /* Preserve all xattrs when copying, not just those in the user namespace */ +- COPY_HOLES = 1 << 14, /* Copy holes */ +- COPY_GRACEFUL_WARN = 1 << 15, /* Skip copying file types that aren't supported by the target filesystem */ +- COPY_TRUNCATE = 1 << 16, /* Truncate to current file offset after copying */ +- COPY_LOCK_BSD = 1 << 17, /* Return a BSD exclusively locked file descriptor referring to the copied image/directory. */ +- COPY_VERIFY_LINKED = 1 << 18, /* Check the source file is still linked after copying. */ ++ COPY_REFLINK = 1 << 0, /* Try to reflink */ ++ COPY_MERGE = 1 << 1, /* Merge existing trees with our new one to copy */ ++ COPY_REPLACE = 1 << 2, /* Replace an existing file if there's one */ ++ COPY_SAME_MOUNT = 1 << 3, /* Don't descend recursively into other file systems, across mount point boundaries */ ++ COPY_MERGE_EMPTY = 1 << 4, /* Merge an existing, empty directory with our new tree to copy */ ++ COPY_CRTIME = 1 << 5, /* Generate a user.crtime_usec xattr off the source crtime if there is one, on copying */ ++ COPY_SIGINT = 1 << 6, /* Check for SIGINT regularly and return EINTR if seen (caller needs to block SIGINT) */ ++ COPY_SIGTERM = 1 << 7, /* ditto, but for SIGTERM */ ++ COPY_MAC_CREATE = 1 << 8, /* Create files with the correct MAC label (currently SELinux only) */ ++ COPY_HARDLINKS = 1 << 9, /* Try to reproduce hard links */ ++ COPY_FSYNC = 1 << 10, /* fsync() after we are done */ ++ COPY_FSYNC_FULL = 1 << 11, /* fsync_full() after we are done */ ++ COPY_SYNCFS = 1 << 12, /* syncfs() the *top-level* dir after we are done */ ++ COPY_ALL_XATTRS = 1 << 13, /* Preserve all 
xattrs when copying, not just those in the user namespace */ ++ COPY_HOLES = 1 << 14, /* Copy holes */ ++ COPY_GRACEFUL_WARN = 1 << 15, /* Skip copying file types that aren't supported by the target filesystem */ ++ COPY_TRUNCATE = 1 << 16, /* Truncate to current file offset after copying */ ++ COPY_LOCK_BSD = 1 << 17, /* Return a BSD exclusively locked file descriptor referring to the copied image/directory. */ ++ COPY_VERIFY_LINKED = 1 << 18, /* Check the source file is still linked after copying. */ ++ COPY_RESTORE_DIRECTORY_TIMESTAMPS = 1 << 19, /* Make sure existing directory timestamps don't change during copying. */ + } CopyFlags; + + typedef enum DenyType { +-- +2.33.0 + diff --git a/backport-repart-don-t-crash-when-looping-over-dropped-partiti.patch b/backport-repart-don-t-crash-when-looping-over-dropped-partiti.patch new file mode 100644 index 0000000..5668ecc --- /dev/null +++ b/backport-repart-don-t-crash-when-looping-over-dropped-partiti.patch 
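Review bot: `dt_st` is only filled in when `exists` is true, but the restoring branch in `fd_copy_directory()` (`} else if (FLAGS_SET(copy_flags, COPY_RESTORE_DIRECTORY_TIMESTAMPS))`) gates only on the flag, so whether `futimens()` can ever read an uninitialized `struct stat` depends on the condition of the `if` whose `else` this is, and that condition lies outside the hunk. Unless it is exactly `!exists`, tighten the guard to `} else if (exists && FLAGS_SET(copy_flags, COPY_RESTORE_DIRECTORY_TIMESTAMPS))` so the timestamps written back are always the ones captured by the earlier `fstat()`. The function begins outside the hunk.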
@@ -0,0 +1,162 @@ +From 6e2df52b3660b982f232e22d2abf48aeecd72342 Mon Sep 17 00:00:00 2001 +From: Frantisek Sumsal +Date: Sat, 6 Jan 2024 16:07:42 +0100 +Subject: [PATCH 0129/1160] repart: don't crash when looping over dropped + partitions + +Properly skip over dropped partitions and make sure they don't affect +the final graphical output (for example by leaving empty "spaces" where +their definition file name would otherwise be). + +Resolves: #30742 +(cherry picked from commit f569dc6af2dbdd762b24ad7a2aa1e3b42705dd97) +--- + src/partition/repart.c | 37 ++++++++++++++++++++++++------------- + test/units/testsuite-58.sh | 23 +++++++++++++++++++++++ + 2 files changed, 47 insertions(+), 13 deletions(-) + +diff --git a/src/partition/repart.c b/src/partition/repart.c +index e4c876ff35..6312d7a4e8 100644 +--- a/src/partition/repart.c ++++ b/src/partition/repart.c +@@ -2908,12 +2908,13 @@ static int context_dump_partitions(Context *context) { + return table_print_with_pager(t, arg_json_format_flags, arg_pager_flags, arg_legend); + } + +-static void context_bar_char_process_partition( ++static int context_bar_char_process_partition( + Context *context, + Partition *bar[], + size_t n, + Partition *p, +- size_t *ret_start) { ++ size_t **start_array, ++ size_t *n_start_array) { + + uint64_t from, to, total; + size_t x, y; +@@ -2922,9 +2923,11 @@ static void context_bar_char_process_partition( + assert(bar); + assert(n > 0); + assert(p); ++ assert(start_array); ++ assert(n_start_array); + + if (p->dropped) +- return; ++ return 0; + + assert(p->offset != UINT64_MAX); + assert(p->new_size != UINT64_MAX); +@@ -2947,7 +2950,10 @@ static void context_bar_char_process_partition( + for (size_t i = x; i < y; i++) + bar[i] = p; + +- *ret_start = x; ++ if (!GREEDY_REALLOC_APPEND(*start_array, *n_start_array, &x, 1)) ++ return log_oom(); ++ ++ return 1; + } + + static int partition_hint(const Partition *p, const char *node, char **ret) { +@@ -2991,9 +2997,11 @@ done: + static int 
context_dump_partition_bar(Context *context) { + _cleanup_free_ Partition **bar = NULL; + _cleanup_free_ size_t *start_array = NULL; ++ size_t n_start_array = 0; + Partition *last = NULL; + bool z = false; + size_t c, j = 0; ++ int r; + + assert_se((c = columns()) >= 2); + c -= 2; /* We do not use the leftmost and rightmost character cell */ +@@ -3002,12 +3010,11 @@ static int context_dump_partition_bar(Context *context) { + if (!bar) + return log_oom(); + +- start_array = new(size_t, context->n_partitions); +- if (!start_array) +- return log_oom(); +- +- LIST_FOREACH(partitions, p, context->partitions) +- context_bar_char_process_partition(context, bar, c, p, start_array + j++); ++ LIST_FOREACH(partitions, p, context->partitions) { ++ r = context_bar_char_process_partition(context, bar, c, p, &start_array, &n_start_array); ++ if (r < 0) ++ return r; ++ } + + putc(' ', stdout); + +@@ -3029,7 +3036,7 @@ static int context_dump_partition_bar(Context *context) { + fputs(ansi_normal(), stdout); + putc('\n', stdout); + +- for (size_t i = 0; i < context->n_partitions; i++) { ++ for (size_t i = 0; i < n_start_array; i++) { + _cleanup_free_ char **line = NULL; + + line = new0(char*, c); +@@ -3039,9 +3046,13 @@ static int context_dump_partition_bar(Context *context) { + j = 0; + LIST_FOREACH(partitions, p, context->partitions) { + _cleanup_free_ char *d = NULL; ++ ++ if (p->dropped) ++ continue; ++ + j++; + +- if (i < context->n_partitions - j) { ++ if (i < n_start_array - j) { + + if (line[start_array[j-1]]) { + const char *e; +@@ -3061,7 +3072,7 @@ static int context_dump_partition_bar(Context *context) { + return log_oom(); + } + +- } else if (i == context->n_partitions - j) { ++ } else if (i == n_start_array - j) { + _cleanup_free_ char *hint = NULL; + + (void) partition_hint(p, context->node, &hint); +diff --git a/test/units/testsuite-58.sh b/test/units/testsuite-58.sh +index 0c4e3205eb..c64b2039f3 100755 +--- a/test/units/testsuite-58.sh ++++ 
b/test/units/testsuite-58.sh +@@ -1264,6 +1264,29 @@ EOF + assert_in "${loop}p3 : start= *${start}, size= *${size}, type=0FC63DAF-8483-4772-8E79-3D69D8477DE4, uuid=DB081670-07AE-48CA-9F5E-813D5E40B976, name=\"linux-generic-2\"" "$output" + } + ++testcase_dropped_partitions() { ++ local workdir image defs ++ ++ workdir="$(mktemp --directory "/tmp/test-repart.dropped-partitions.XXXXXXXXXX")" ++ # shellcheck disable=SC2064 ++ trap "rm -rf '${workdir:?}'" RETURN ++ ++ image="$workdir/image.img" ++ truncate -s 32M "$image" ++ ++ defs="$workdir/defs" ++ mkdir "$defs" ++ echo -ne "[Partition]\nType=root\n" >"$defs/10-part1.conf" ++ echo -ne "[Partition]\nType=root\nSizeMinBytes=1T\nPriority=1\n" >"$defs/11-dropped-first.conf" ++ echo -ne "[Partition]\nType=root\n" >"$defs/12-part2.conf" ++ echo -ne "[Partition]\nType=root\nSizeMinBytes=1T\nPriority=2\n" >"$defs/13-dropped-second.conf" ++ ++ systemd-repart --empty=allow --pretty=yes --dry-run=no --definitions="$defs" "$image" ++ ++ sfdisk -q -l "$image" ++ [[ "$(sfdisk -q -l "$image" | grep -c "$image")" -eq 2 ]] ++} ++ + OFFLINE="yes" + run_testcases + +-- +2.33.0 + diff --git a/backport-repart-don-t-try-to-determine-sector-size-from-a-dis.patch b/backport-repart-don-t-try-to-determine-sector-size-from-a-dis.patch new file mode 100644 index 0000000..aa485eb --- /dev/null +++ b/backport-repart-don-t-try-to-determine-sector-size-from-a-dis.patch 
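Review bot: `context_bar_char_process_partition()` now returns 1 for a placed partition and 0 for a dropped one, but its only caller in `context_dump_partition_bar()` checks just `r < 0`, so the 1/0 distinction carries no information and reads like an unfinished API. Either return 0 on both paths or document the positive return above the function, e.g. `/* Returns 1 if the partition was placed on the bar, 0 if it was dropped, negative errno on failure. */`. The index arithmetic `n_start_array - j` is safe as written, since `j` only counts non-dropped partitions in the same list order in which `start_array` is appended and so never exceeds `n_start_array`.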
@@ -0,0 +1,65 @@ +From 7194938ed6f83ffc6dc932ad2722b567d5a667e8 Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Tue, 23 Jan 2024 16:05:37 +0100 +Subject: [PATCH 0274/1160] repart: don't try to determine sector size from a + disk image we should consider empty + +If we are told to start from scratch we shouldn't look into the old +image to determine sector size. Looking there is confusing at best, but +plain wrong in many other cases. + +(cherry picked from commit a575f2148f5bf619c75b3c2edadd7a94518ae74d) +--- + src/partition/repart.c | 29 ++++++++++++++++++----------- + 1 file changed, 18 insertions(+), 11 deletions(-) + +diff --git a/src/partition/repart.c b/src/partition/repart.c +index 6312d7a4e8..5487aaf58c 100644 +--- a/src/partition/repart.c ++++ b/src/partition/repart.c +@@ -2325,24 +2325,31 @@ static int context_load_partition_table(Context *context) { + uint32_t ssz; + struct stat st; + +- r = context_open_and_lock_backing_fd(context->node, arg_dry_run ? LOCK_SH : LOCK_EX, +- &context->backing_fd); ++ r = context_open_and_lock_backing_fd( ++ context->node, ++ arg_dry_run ? LOCK_SH : LOCK_EX, ++ &context->backing_fd); + if (r < 0) + return r; + + if (fstat(context->backing_fd, &st) < 0) + return log_error_errno(errno, "Failed to stat %s: %m", context->node); + +- /* Auto-detect sector size if not specified. */ +- r = probe_sector_size_prefer_ioctl(context->backing_fd, &ssz); +- if (r < 0) +- return log_error_errno(r, "Failed to probe sector size of '%s': %m", context->node); ++ if (IN_SET(arg_empty, EMPTY_REQUIRE, EMPTY_FORCE, EMPTY_CREATE) && S_ISREG(st.st_mode)) ++ /* Don't probe sector size from partition table if we are supposed to strat from an empty disk */ ++ fs_secsz = ssz = 512; ++ else { ++ /* Auto-detect sector size if not specified. 
*/ ++ r = probe_sector_size_prefer_ioctl(context->backing_fd, &ssz); ++ if (r < 0) ++ return log_error_errno(r, "Failed to probe sector size of '%s': %m", context->node); + +- /* If we found the sector size and we're operating on a block device, use it as the file +- * system sector size as well, as we know its the sector size of the actual block device and +- * not just the offset at which we found the GPT header. */ +- if (r > 0 && S_ISBLK(st.st_mode)) +- fs_secsz = ssz; ++ /* If we found the sector size and we're operating on a block device, use it as the file ++ * system sector size as well, as we know its the sector size of the actual block device and ++ * not just the offset at which we found the GPT header. */ ++ if (r > 0 && S_ISBLK(st.st_mode)) ++ fs_secsz = ssz; ++ } + + r = fdisk_save_user_sector_size(c, /* phy= */ 0, ssz); + } +-- +2.33.0 + diff --git a/backport-repart-fix-memory-leak.patch b/backport-repart-fix-memory-leak.patch index 5b87d38..caab967 100644 --- a/backport-repart-fix-memory-leak.patch +++ b/backport-repart-fix-memory-leak.patch @@ -1,14 +1,16 @@ -From a81f5ffd40081441dafc678fe83d185436dde35a Mon Sep 17 00:00:00 2001 +From 759ddfd51882b9dbc9d19d61259f683a76574657 Mon Sep 17 00:00:00 2001 From: Antonio Alvarez Feijoo Date: Tue, 18 Jun 2024 14:07:50 +0200 -Subject: [PATCH 7351/9500] repart: fix memory leak +Subject: [PATCH 0701/1160] repart: fix memory leak +(cherry picked from commit a81f5ffd40081441dafc678fe83d185436dde35a) +(cherry picked from commit f8f669fd69bf15f386308ef8f4cbbbd5a7ad69cd) --- src/partition/repart.c | 1 + 1 file changed, 1 insertion(+) diff --git a/src/partition/repart.c b/src/partition/repart.c -index 473c83a..7ba2aad 100644 +index b2554a93dc..6a71e9786f 100644 --- a/src/partition/repart.c +++ b/src/partition/repart.c @@ -181,6 +181,7 @@ STATIC_DESTRUCTOR_REGISTER(arg_tpm2_hash_pcr_values, freep); 
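Review bot: The new comment in `context_load_partition_table()` misspells "start": `/* Don't probe sector size from partition table if we are supposed to start from an empty disk */`. The hard-coded `fs_secsz = ssz = 512;` is taken whenever `arg_empty` asks for an empty disk and the backing file is regular; the neighbouring "Auto-detect sector size if not specified" comment suggests this whole block is only entered when no sector size was configured explicitly, but that enclosing condition starts outside the hunk, so confirm an explicitly configured sector size still wins over the 512 default. The function begins outside the hunk.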
diff --git a/backport-resize-fs-Put-minimal-ext4-size-in-the-same-ballpark.patch b/backport-resize-fs-Put-minimal-ext4-size-in-the-same-ballpark.patch
new file mode 100644
index 0000000..441818a
--- /dev/null
+++ b/backport-resize-fs-Put-minimal-ext4-size-in-the-same-ballpark.patch
@@ -0,0 +1,80 @@ +From 72e5356551d02c4ec4020834d910714991b6f0b8 Mon Sep 17 00:00:00 2001 +From: Daan De Meyer +Date: Thu, 25 Jul 2024 13:22:42 +0200 +Subject: [PATCH 0805/1160] resize-fs: Put minimal ext4 size in the same + ballpark as the other filesystems + +TEST-46-HOMED fails on ext4 because the filesystem is deemed to small +for activation by cryptsetup. Let's bump the minimal filesystem size for +ext4 a bit to be in the same ballpark as ext4 and btrfs to avoid weird +errors due to impossibly small filesystems. + +(cherry picked from commit ae07feb401ff70b122650ac01041021703d4b8ad) +(cherry picked from commit 161286e989a497537f7f38741dfe722dc2762a2e) +--- + src/shared/resize-fs.h | 2 +- + test/units/testsuite-58.sh | 8 ++++---- + test/units/testsuite-70.cryptsetup.sh | 2 +- + 3 files changed, 6 insertions(+), 6 deletions(-) + +diff --git a/src/shared/resize-fs.h b/src/shared/resize-fs.h +index b40943c992..4a5ecec337 100644 +--- a/src/shared/resize-fs.h ++++ b/src/shared/resize-fs.h +@@ -9,7 +9,7 @@ int resize_fs(int fd, uint64_t sz, uint64_t *ret_size); + + #define BTRFS_MINIMAL_SIZE (256U*1024U*1024U) + #define XFS_MINIMAL_SIZE (300U*1024U*1024U) +-#define EXT4_MINIMAL_SIZE (1024U*1024U) ++#define EXT4_MINIMAL_SIZE (32U*1024U*1024U) + + uint64_t minimal_size_by_fs_magic(statfs_f_type_t magic); + uint64_t minimal_size_by_fs_name(const char *str); +diff --git a/test/units/testsuite-58.sh b/test/units/testsuite-58.sh +index d875461721..2ceb4cd034 100755 +--- a/test/units/testsuite-58.sh ++++ b/test/units/testsuite-58.sh +@@ -358,14 +358,14 @@ label-id: 1D2CE291-7CCE-4F7D-BC83-FDB49AD74EBD + device: $imgs/zzz + unit: sectors + first-lba: 2048 +-last-lba: 6389726 ++last-lba: 6422494 + $imgs/zzz1 : start= 2048, size= 591856, type=933AC7E1-2EB4-4F13-B844-0E14E2AEF915, uuid=4980595D-D74A-483A-AA9E-9903879A0EE5, name=\"home-first\", attrs=\"GUID:59\" + $imgs/zzz2 : start= 593904, size= 591856, type=${root_guid}, uuid=${root_uuid}, name=\"root-${architecture}\", 
attrs=\"GUID:59\" + $imgs/zzz3 : start= 1185760, size= 591864, type=${root_guid}, uuid=${root_uuid2}, name=\"root-${architecture}-2\", attrs=\"GUID:59\" + $imgs/zzz4 : start= 1777624, size= 131072, type=0657FD6D-A4AB-43C4-84E5-0933C84B4F4F, uuid=78C92DB8-3D2B-4823-B0DC-792B78F66F1E, name=\"swap\" + $imgs/zzz5 : start= 1908696, size= 2285568, type=0FC63DAF-8483-4772-8E79-3D69D8477DE4, uuid=A0A1A2A3-A4A5-A6A7-A8A9-AAABACADAEAF, name=\"custom_label\" + $imgs/zzz6 : start= 4194264, size= 2097152, type=0FC63DAF-8483-4772-8E79-3D69D8477DE4, uuid=2A1D97E1-D0A3-46CC-A26E-ADC643926617, name=\"block-copy\" +-$imgs/zzz7 : start= 6291416, size= 98304, type=0FC63DAF-8483-4772-8E79-3D69D8477DE4, uuid=7B93D1F2-595D-4CE3-B0B9-837FBD9E63B0, name=\"luks-format-copy\"" ++$imgs/zzz7 : start= 6291416, size= 131072, type=0FC63DAF-8483-4772-8E79-3D69D8477DE4, uuid=7B93D1F2-595D-4CE3-B0B9-837FBD9E63B0, name=\"luks-format-copy\"" + + if systemd-detect-virt --quiet --container; then + echo "Skipping encrypt mount tests in container." +@@ -566,8 +566,8 @@ EOF + output=$(sfdisk --dump "$imgs/zzz") + + assert_in "$imgs/zzz1 : start= 2048, size= 20480, type=C12A7328-F81F-11D2-BA4B-00A0C93EC93B, uuid=39107B09-615D-48FB-BA37-C663885FCE67, name=\"esp\"" "$output" +- assert_in "$imgs/zzz2 : start= 22528, size= 20480, type=${root_guid}, uuid=${root_uuid}, name=\"root-${architecture}\", attrs=\"GUID:59\"" "$output" +- assert_in "$imgs/zzz3 : start= 43008, size= 20480, type=${usr_guid}, uuid=${usr_uuid}, name=\"usr-${architecture}\", attrs=\"GUID:60\"" "$output" ++ assert_in "$imgs/zzz2 : start= 22528, size= 65536, type=${root_guid}, uuid=${root_uuid}, name=\"root-${architecture}\", attrs=\"GUID:59\"" "$output" ++ assert_in "$imgs/zzz3 : start= 88064, size= 65536, type=${usr_guid}, uuid=${usr_uuid}, name=\"usr-${architecture}\", attrs=\"GUID:60\"" "$output" + + if systemd-detect-virt --quiet --container; then + echo "Skipping second part of copy blocks tests in container." 
+diff --git a/test/units/testsuite-70.cryptsetup.sh b/test/units/testsuite-70.cryptsetup.sh +index cb7c8b1f31..b5dd4dfe15 100755 +--- a/test/units/testsuite-70.cryptsetup.sh ++++ b/test/units/testsuite-70.cryptsetup.sh +@@ -210,7 +210,7 @@ Format=ext4 + CopyFiles=/tmp/dditest:/ + Encrypt=tpm2 + EOF +- PASSWORD=passphrase systemd-repart --tpm2-device-key=/tmp/srk.pub --definitions=/tmp/dditest --empty=create --size=50M /tmp/dditest.raw --tpm2-pcrs= ++ PASSWORD=passphrase systemd-repart --tpm2-device-key=/tmp/srk.pub --definitions=/tmp/dditest --empty=create --size=80M /tmp/dditest.raw --tpm2-pcrs= + DEVICE="$(systemd-dissect --attach /tmp/dditest.raw)" + udevadm wait --settle --timeout=10 "$DEVICE"p1 + systemd-cryptsetup attach dditest "$DEVICE"p1 - tpm2-device=auto,headless=yes +-- +2.33.0 + diff --git a/backport-resolve-NSCOUNT-of-DNS-query-may-not-be-zero.patch b/backport-resolve-NSCOUNT-of-DNS-query-may-not-be-zero.patch new file mode 100644 index 0000000..91052ad --- /dev/null +++ b/backport-resolve-NSCOUNT-of-DNS-query-may-not-be-zero.patch 
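Review bot: The embedded commit message says the new `EXT4_MINIMAL_SIZE` puts ext4 "in the same ballpark as ext4 and btrfs", which presumably should read "xfs and btrfs" given the neighbouring `XFS_MINIMAL_SIZE` and `BTRFS_MINIMAL_SIZE` definitions. The define itself carries no rationale; a one-line comment would spare the next reader a trip to the history, e.g. `/* Smaller ext4 file systems fail cryptsetup activation, see TEST-46-HOMED */`.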
@@ -0,0 +1,59 @@ +From f496ce464972b4cdefe215c568bd2ee8a5b2bffe Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Mon, 8 Jan 2024 02:02:33 +0900 +Subject: [PATCH 0130/1160] resolve: NSCOUNT of DNS query may not be zero + +This also separates check for DNS and LLMNR, as the existing comments +are for LLMNR, not DNS. And this moves the comment for mDNS. + +Fixes the issue reported at +https://github.com/systemd/systemd/pull/30809#issuecomment-1880102804. + +(cherry picked from commit ba1749f6a5a2793e558485a8c6a871daba7bf533) +--- + src/resolve/resolved-dns-packet.c | 21 +++++++++++++++++++-- + 1 file changed, 19 insertions(+), 2 deletions(-) + +diff --git a/src/resolve/resolved-dns-packet.c b/src/resolve/resolved-dns-packet.c +index ca1eea4346..426711b061 100644 +--- a/src/resolve/resolved-dns-packet.c ++++ b/src/resolve/resolved-dns-packet.c +@@ -309,9 +309,23 @@ int dns_packet_validate_query(DnsPacket *p) { + + switch (p->protocol) { + +- case DNS_PROTOCOL_LLMNR: + case DNS_PROTOCOL_DNS: +- if (DNS_PACKET_TC(p)) /* mDNS query may have truncation flag. */ ++ if (DNS_PACKET_TC(p)) ++ return -EBADMSG; ++ ++ if (DNS_PACKET_QDCOUNT(p) != 1) ++ return -EBADMSG; ++ ++ if (DNS_PACKET_ANCOUNT(p) > 0) ++ return -EBADMSG; ++ ++ /* Note, in most cases, DNS query packet does not have authority section. But some query ++ * types, e.g. IXFR, have Authority sections. Hence, unlike the check for LLMNR, we do not ++ * check DNS_PACKET_NSCOUNT(p) here. */ ++ break; ++ ++ case DNS_PROTOCOL_LLMNR: ++ if (DNS_PACKET_TC(p)) + return -EBADMSG; + + /* RFC 4795, Section 2.1.1. says to discard all queries with QDCOUNT != 1 */ +@@ -329,6 +343,9 @@ int dns_packet_validate_query(DnsPacket *p) { + break; + + case DNS_PROTOCOL_MDNS: ++ /* Note, mDNS query may have truncation flag. So, unlike the check for DNS and LLMNR, ++ * we do not check DNS_PACKET_TC(p) here. 
*/ ++ + /* RFC 6762, Section 18 specifies that messages with non-zero RCODE + * must be silently ignored, and that we must ignore the values of + * AA, RD, RA, AD, and CD bits. */ +-- +2.33.0 + diff --git a/backport-resolve-add-several-comments-for-DNS-type-table.patch b/backport-resolve-add-several-comments-for-DNS-type-table.patch new file mode 100644 index 0000000..f0c3d92 --- /dev/null +++ b/backport-resolve-add-several-comments-for-DNS-type-table.patch 
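Review bot: After the split, `dns_packet_validate_query()` no longer rejects plain-DNS queries with a non-zero NSCOUNT, so authority-section RRs in an incoming query now pass validation and reach whatever consumes the packet afterwards, which previously could assume that section was empty; confirm that consumer (outside this hunk) either ignores or bounds-checks those records. The DNS branch also carries only the TC, QDCOUNT and ANCOUNT checks, so any further LLMNR checks below the visible context no longer apply to DNS, and ARCOUNT is not inspected on either path shown. Stating that in the comment would make the intent explicit: `/* ... unlike the check for LLMNR, we do not check DNS_PACKET_NSCOUNT(p) here. ARCOUNT is also left unchecked, as EDNS(0) queries carry an OPT record in the additional section. */`.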
@@ -0,0 +1,81 @@ +From 538b97afbeda24b3e84109ccc948531ba7cc1d42 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Sat, 30 Dec 2023 06:05:32 +0900 +Subject: [PATCH 0104/1160] resolve: add several comments for DNS type table + +Also update compile time checks. + +Follow-up for 818bb6f4825b57c2cd2783fbffe2b2ef82a31573. + +(cherry picked from commit d05649ca7dbdff34c96ec7b9cd4af7d6949bec43) +--- + src/resolve/dns-type.h | 19 ++++++++++++------- + 1 file changed, 12 insertions(+), 7 deletions(-) + +diff --git a/src/resolve/dns-type.h b/src/resolve/dns-type.h +index 9255f1c345..c6be19063d 100644 +--- a/src/resolve/dns-type.h ++++ b/src/resolve/dns-type.h +@@ -7,7 +7,7 @@ + * http://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml. + */ + enum { +- /* Normal records */ ++ /* 0 is reserved */ + DNS_TYPE_A = 0x01, + DNS_TYPE_NS, + DNS_TYPE_MD, +@@ -61,7 +61,7 @@ enum { + DNS_TYPE_NSEC3PARAM, + DNS_TYPE_TLSA, + DNS_TYPE_SMIMEA, /* RFC 8162 */ +- ++ /* 0x36 (54) is not assigned */ + DNS_TYPE_HIP = 0x37, + DNS_TYPE_NINFO, + DNS_TYPE_RKEY, +@@ -73,7 +73,7 @@ enum { + DNS_TYPE_ZONEMD, + DNS_TYPE_SVCB, /* RFC 9460 */ + DNS_TYPE_HTTPS, /* RFC 9460 */ +- ++ /* 0x42…0x62 (66…98) are not assigned */ + DNS_TYPE_SPF = 0x63, + DNS_TYPE_UINFO, + DNS_TYPE_UID, +@@ -85,7 +85,7 @@ enum { + DNS_TYPE_LP, + DNS_TYPE_EUI48, + DNS_TYPE_EUI64, +- ++ /* 0x6e…0xf8 (110…248) are not assigned */ + DNS_TYPE_TKEY = 0xF9, + DNS_TYPE_TSIG, + DNS_TYPE_IXFR, +@@ -99,15 +99,20 @@ enum { + DNS_TYPE_DOA, + DNS_TYPE_AMTRELAY, + DNS_TYPE_RESINFO, ++ /* 0x106…0x7fff (262…32767) are not assigned */ + DNS_TYPE_TA = 0x8000, + DNS_TYPE_DLV, +- ++ /* 32770…65279 are not assigned */ ++ /* 65280…65534 are for private use */ ++ /* 65535 is reserved */ + _DNS_TYPE_MAX, + _DNS_TYPE_INVALID = -EINVAL, + }; + +-assert_cc(DNS_TYPE_SSHFP == 44); +-assert_cc(DNS_TYPE_TLSA == 52); ++assert_cc(DNS_TYPE_SMIMEA == 53); ++assert_cc(DNS_TYPE_HTTPS == 65); ++assert_cc(DNS_TYPE_EUI64 == 109); ++assert_cc(DNS_TYPE_RESINFO 
== 261); + assert_cc(DNS_TYPE_ANY == 255); + + /* DNS record classes, see RFC 1035 */ +-- +2.33.0 + diff --git a/backport-resolve-do-not-listen-to-IPv6-when-disabled-by-sysct.patch b/backport-resolve-do-not-listen-to-IPv6-when-disabled-by-sysct.patch new file mode 100644 index 0000000..17fe404 --- /dev/null +++ b/backport-resolve-do-not-listen-to-IPv6-when-disabled-by-sysct.patch @@ -0,0 +1,43 @@ +From 14970a60c46d8cbfcbadc95f8ed8450c3ac072cb Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Wed, 3 Jan 2024 04:03:25 +0900 +Subject: [PATCH 0107/1160] resolve: do not listen to IPv6 when disabled by + sysctl + +Fixes #30669. + +(cherry picked from commit a53082f07dd47c23d4c8fe4c8d1c63aadb10a4db) +--- + src/resolve/resolved-llmnr.c | 2 +- + src/resolve/resolved-mdns.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/resolve/resolved-llmnr.c b/src/resolve/resolved-llmnr.c +index 8fac351ee6..9469bdac86 100644 +--- a/src/resolve/resolved-llmnr.c ++++ b/src/resolve/resolved-llmnr.c +@@ -45,7 +45,7 @@ int manager_llmnr_start(Manager *m) { + if (r < 0) + return r; + +- if (socket_ipv6_is_supported()) { ++ if (socket_ipv6_is_enabled()) { + r = manager_llmnr_ipv6_udp_fd(m); + if (r == -EADDRINUSE) + goto eaddrinuse; +diff --git a/src/resolve/resolved-mdns.c b/src/resolve/resolved-mdns.c +index b63073af7f..3e6e83fe62 100644 +--- a/src/resolve/resolved-mdns.c ++++ b/src/resolve/resolved-mdns.c +@@ -36,7 +36,7 @@ int manager_mdns_start(Manager *m) { + if (r < 0) + return r; + +- if (socket_ipv6_is_supported()) { ++ if (socket_ipv6_is_enabled()) { + r = manager_mdns_ipv6_fd(m); + if (r == -EADDRINUSE) + goto eaddrinuse; +-- +2.33.0 + diff --git a/backport-resolve-do-not-trigger-assertion-on-exit.patch b/backport-resolve-do-not-trigger-assertion-on-exit.patch new file mode 100644 index 0000000..2676d5f --- /dev/null +++ b/backport-resolve-do-not-trigger-assertion-on-exit.patch 
@@ -0,0 +1,68 @@ +From 390e9420e314635a4d9051b8786e15423f58c979 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Thu, 7 Dec 2023 14:28:12 +0900 +Subject: [PATCH 0034/1160] resolve: do not trigger assertion on exit + +By making assert_return() critical, we observe the following: +--- + Program received signal SIGABRT, Aborted. + 0x00007f01320b0884 in __pthread_kill_implementation () from /lib64/libc.so.6 + (gdb) bt + #0 0x00007f01320b0884 in __pthread_kill_implementation () + from /lib64/libc.so.6 + #1 0x00007f013205fafe in raise () from /lib64/libc.so.6 + #2 0x00007f013204887f in abort () from /lib64/libc.so.6 + #3 0x00007f01338d02d6 in log_assert_failed ( + text=0x7f01340009e0 "e->state != SD_EVENT_FINISHED", + file=0x7f0133fff403 "src/libsystemd/sd-event/sd-event.c", line=1399, + func=0x7f01340045a0 <__func__.148> "sd_event_add_time") + at ../src/basic/log.c:948 + #4 0x00007f01338d0457 in log_assert_failed_return ( + text=0x7f01340009e0 "e->state != SD_EVENT_FINISHED", + file=0x7f0133fff403 "src/libsystemd/sd-event/sd-event.c", line=1399, + func=0x7f01340045a0 <__func__.148> "sd_event_add_time") + at ../src/basic/log.c:967 + #5 0x00007f0133c7ed83 in sd_event_add_time (e=0x617000022280, + ret=0x610000007e98, clock=7, usec=24054941030, accuracy=0, + callback=0x4625b4 , userdata=0x610000007e40) + at ../src/libsystemd/sd-event/sd-event.c:1399 + #6 0x00007f0133c7f725 in sd_event_add_time_relative (e=0x617000022280, + ret=0x610000007e98, clock=7, usec=1000000, accuracy=0, + callback=0x4625b4 , userdata=0x610000007e40) + at ../src/libsystemd/sd-event/sd-event.c:1462 + #7 0x0000000000464cac in dns_scope_announce (scope=0x610000007e40, goodbye=true) at ../src/resolve/resolved-dns-scope.c:1530 + #8 0x0000000000504d08 in link_free (l=0x612000023d40) at ../src/resolve/resolved-link.c:83 + #9 0x000000000052dbbd in manager_free (m=0x619000000a80) at ../src/resolve/resolved-manager.c:697 + #10 0x0000000000562328 in manager_freep (p=0x7f012f800040) at 
../src/resolve/resolved-manager.h:198 + #11 0x000000000056315a in run (argc=1, argv=0x7fff22b06468) at ../src/resolve/resolved.c:25 + #12 0x0000000000563284 in main (argc=1, argv=0x7fff22b06468) at ../src/resolve/resolved.c:99 +--- +Prompted by https://github.com/systemd/systemd/pull/30049#issuecomment-1844087965. + +(cherry picked from commit a4be4ad8abad36ae2ac5c73fc00f4467fbb06404) +--- + src/resolve/resolved-dns-scope.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/src/resolve/resolved-dns-scope.c b/src/resolve/resolved-dns-scope.c +index d9d8acfd25..2e8b3e5580 100644 +--- a/src/resolve/resolved-dns-scope.c ++++ b/src/resolve/resolved-dns-scope.c +@@ -1428,6 +1428,14 @@ int dns_scope_announce(DnsScope *scope, bool goodbye) { + if (scope->protocol != DNS_PROTOCOL_MDNS) + return 0; + ++ r = sd_event_get_state(scope->manager->event); ++ if (r < 0) ++ return log_debug_errno(r, "Failed to get event loop state: %m"); ++ ++ /* If this is called on exit, through manager_free() -> link_free(), then we cannot announce. */ ++ if (r == SD_EVENT_FINISHED) ++ return 0; ++ + /* Check if we're done with probing. */ + LIST_FOREACH(transactions_by_scope, t, scope->transactions) + if (t->probing && DNS_TRANSACTION_IS_LIVE(t->state)) +-- +2.33.0 + diff --git a/backport-resolve-don-t-add-sockets-to-the-graveyard-on-shutdo.patch b/backport-resolve-don-t-add-sockets-to-the-graveyard-on-shutdo.patch new file mode 100644 index 0000000..80e03ca --- /dev/null +++ b/backport-resolve-don-t-add-sockets-to-the-graveyard-on-shutdo.patch 
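Review bot: `sd_event_get_state(scope->manager->event)` in `dns_scope_announce()` is called without checking that the event loop object still exists, whereas the companion backport-resolve-don-t-add-sockets-to-the-graveyard-on-shutdo.patch guards the same call with `!t->scope->manager->event ||`. On the teardown path this hunk targets (`manager_free()` → `link_free()`), a NULL event would presumably surface here as a debug-logged negative return rather than the clean `return 0` the flag-based check intends; consider `if (!scope->manager->event) return 0;` before the call, or a comment stating that `manager->event` outlives the links during `manager_free()`. The start of `dns_scope_announce()` and the declaration of `r` are outside the hunk.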
@@ -0,0 +1,55 @@ +From 0798381cd0748d2d9656cb88137036cd73794c16 Mon Sep 17 00:00:00 2001 +From: Frantisek Sumsal +Date: Sun, 24 Dec 2023 18:26:47 +0100 +Subject: [PATCH 0091/1160] resolve: don't add sockets to the graveyard on + shutdown + +Since in that case the event loop is already finished and we'd hit an +assertion: + +[ 1295.993300] testsuite-75.sh[50]: + systemctl stop systemd-resolved.service +[ 1296.005152] systemd-resolved[298]: Assertion 'e->state != SD_EVENT_FINISHED' failed at src/libsystemd/sd-event/sd-event.c:1252, function sd_event_add_io(). Aborting. + +Thread 1 (Thread 0x7f17d25e2940 (LWP 298)): + #0 __pthread_kill_implementation (threadid=, signo=signo@entry=6, no_tid=no_tid@entry=0) at pthread_kill.c:44 + #1 0x00007f17d16ac8a3 in __pthread_kill_internal (signo=6, threadid=) at pthread_kill.c:78 + #2 0x00007f17d165c668 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26 + #3 0x00007f17d16444b8 in __GI_abort () at abort.c:79 + #4 0x00007f17d2402d2d in log_assert_failed (text=, file=, line=, func=) at ../build/src/basic/log.c:968 + #5 0x00007f17d240401c in log_assert_failed_return (text=text@entry=0x7f17d2533f13 "e->state != SD_EVENT_FINISHED", file=file@entry=0x7f17d25195d9 "src/libsystemd/sd-event/sd-event.c", line=line@entry=1252, func=func@entry=0x7f17d2567260 <__func__.140> "sd_event_add_io") at ../build/src/basic/log.c:987 + #6 0x00007f17d24d011a in sd_event_add_io (e=0x55e5cb497270, ret=0x55e5cb4a5120, fd=fd@entry=26, events=events@entry=1, callback=callback@entry=0x55e5caff5466 , userdata=0x55e5cb4a5110) at ../build/src/libsystemd/sd-event/sd-event.c:1252 + #7 0x000055e5caff571c in manager_add_socket_to_graveyard (m=0x55e5cb43cf00, fd=26) at ../build/src/resolve/resolved-socket-graveyard.c:117 + #8 0x000055e5cafd4253 in dns_transaction_close_connection (t=t@entry=0x55e5cb57c7d0, use_graveyard=use_graveyard@entry=true) at ../build/src/resolve/resolved-dns-transaction.c:78 + #9 0x000055e5cafd8444 in dns_transaction_complete 
(t=t@entry=0x55e5cb57c7d0, state=state@entry=DNS_TRANSACTION_ABORTED) at ../build/src/resolve/resolved-dns-transaction.c:427 + #10 0x000055e5cafc4969 in dns_scope_abort_transactions (s=s@entry=0x55e5cb4b1a70) at ../build/src/resolve/resolved-dns-scope.c:91 + #11 0x000055e5cafc6aee in dns_scope_free (s=0x55e5cb4b1a70) at ../build/src/resolve/resolved-dns-scope.c:106 + #12 0x000055e5cafe72d1 in link_free (l=0x55e5cb4a5160) at ../build/src/resolve/resolved-link.c:94 + #13 0x000055e5cafedefc in manager_free (m=0x55e5cb43cf00) at ../build/src/resolve/resolved-manager.c:697 + #14 0x000055e5caff99b6 in manager_freep (p=p@entry=0x7ffd71fab8f8) at ../build/src/resolve/resolved-manager.h:198 + #15 0x000055e5caff9d66 in run (argc=argc@entry=1, argv=argv@entry=0x7ffd71faba78) at ../build/src/resolve/resolved.c:25 + #16 0x000055e5caff9fe3 in main (argc=1, argv=0x7ffd71faba78) at ../build/src/resolve/resolved.c:99 + +Resolves: #30618 +(cherry picked from commit ac1b7b9e1933c14bc7bf36d4f32a888afb3f2f4d) +--- + src/resolve/resolved-dns-transaction.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/src/resolve/resolved-dns-transaction.c b/src/resolve/resolved-dns-transaction.c +index fe88e502e7..afc9a2ed45 100644 +--- a/src/resolve/resolved-dns-transaction.c ++++ b/src/resolve/resolved-dns-transaction.c +@@ -74,6 +74,10 @@ static void dns_transaction_close_connection( + * and the reply we might still get from the server will be eaten up instead of resulting in an ICMP + * port unreachable error message. */ + ++ /* Skip the graveyard stuff when we're shutting down, since that requires running event loop */ ++ if (!t->scope->manager->event || sd_event_get_state(t->scope->manager->event) == SD_EVENT_FINISHED) ++ use_graveyard = false; ++ + if (use_graveyard && t->dns_udp_fd >= 0 && t->sent && !t->received) { + r = manager_add_socket_to_graveyard(t->scope->manager, t->dns_udp_fd); + if (r < 0) +-- +2.33.0 + 
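Review bot: In dns_transaction_close_connection the shutdown guard compares the result of sd_event_get_state() only against SD_EVENT_FINISHED, so a negative return (the call can fail, e.g. with -EINVAL or -ECHILD after a fork) leaves use_graveyard true and the graveyard path is still taken — the companion change in dns_scope_announce handles that return separately. Suggest keeping the state and treating an error like a finished loop: `r = t->scope->manager->event ? sd_event_get_state(t->scope->manager->event) : -ENOENT;` followed by `if (r < 0 || r == SD_EVENT_FINISHED) use_graveyard = false;` (r is reassigned by the graveyard call right after, so reusing it is safe). The body of dns_transaction_close_connection continues outside the hunk.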
diff --git a/backport-resolve-fix-wrong-error-cause-assignment-to-log_debu.patch b/backport-resolve-fix-wrong-error-cause-assignment-to-log_debu.patch new file mode 100644 index 0000000..61d97ee --- /dev/null +++ b/backport-resolve-fix-wrong-error-cause-assignment-to-log_debu.patch @@ -0,0 +1,29 @@ +From b2a37030c1191ebd526781629986cd713330b234 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Sun, 10 Dec 2023 14:33:48 +0900 +Subject: [PATCH 0033/1160] resolve: fix wrong error cause assignment to + log_debug_errno() + +Fixes #30392. + +(cherry picked from commit fca212b0225e48097f3b6bd1f8c3a38bd9645040) +--- + src/resolve/resolved-dns-stub.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/resolve/resolved-dns-stub.c b/src/resolve/resolved-dns-stub.c +index 259f82eff4..c59e3b7f49 100644 +--- a/src/resolve/resolved-dns-stub.c ++++ b/src/resolve/resolved-dns-stub.c +@@ -775,7 +775,7 @@ static void dns_stub_query_complete(DnsQuery *query) { + + cname_result = dns_query_process_cname_one(q); + if (cname_result == -ELOOP) { /* CNAME loop, let's send what we already have */ +- log_debug_errno(r, "Detected CNAME loop, returning what we already have."); ++ log_debug("Detected CNAME loop, returning what we already have."); + (void) dns_stub_send_reply(q, q->answer_rcode); + break; + } +-- +2.33.0 + diff --git a/backport-resolve-mdns-do-not-append-goodby-packet-entries-to-.patch b/backport-resolve-mdns-do-not-append-goodby-packet-entries-to-.patch new file mode 100644 index 0000000..785a2ff --- /dev/null +++ b/backport-resolve-mdns-do-not-append-goodby-packet-entries-to-.patch 
@@ -0,0 +1,39 @@ +From 466fa1e54487d046f38c57dd298fbe4ee508733c Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Wed, 3 Jan 2024 04:36:47 +0900 +Subject: [PATCH 0112/1160] resolve/mdns: do not append goodby packet entries + to known answers section + +When we receive a goodby packet about a host, and we have a cache entry about +the host, we do not immediately remove the cache entry, but update it with TTL 1. +See RFC 6762 section 10.1 and 3755027c2cada70345c96787a9b5569994dd23ed. + +If we receive a request soon after the goodby packet, previously the +entry was included in the known answers section of the reply. But such +information should not be appended. + +Follow-up for 3755027c2cada70345c96787a9b5569994dd23ed. + +(cherry picked from commit 04d4086c228afc907fc1b70fcef892d651f7c0cc) +--- + src/resolve/resolved-dns-cache.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/src/resolve/resolved-dns-cache.c b/src/resolve/resolved-dns-cache.c +index 78665bc93b..a9a649242f 100644 +--- a/src/resolve/resolved-dns-cache.c ++++ b/src/resolve/resolved-dns-cache.c +@@ -1303,6 +1303,10 @@ int dns_cache_export_shared_to_packet(DnsCache *cache, DnsPacket *p, usec_t ts, + if (!j->shared_owner) + continue; + ++ /* Ignore cached goodby packet. See on_mdns_packet() and RFC 6762 section 10.1. */ ++ if (j->rr->ttl <= 1) ++ continue; ++ + /* RFC6762 7.1: Don't append records with less than half the TTL remaining + * as known answers. */ + if (usec_sub_unsigned(j->until, ts) < j->rr->ttl * USEC_PER_SEC / 2) +-- +2.33.0 + diff --git a/backport-resolve-on_transaction_stream_error-may-free-multipl.patch b/backport-resolve-on_transaction_stream_error-may-free-multipl.patch new file mode 100644 index 0000000..5b8347c --- /dev/null +++ b/backport-resolve-on_transaction_stream_error-may-free-multipl.patch 
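Review bot: The new `j->rr->ttl <= 1` test in dns_cache_export_shared_to_packet encodes an implicit contract with on_mdns_packet(), which per the commit message marks goodbye entries by rewriting their TTL to 1 instead of dropping them; a record a peer legitimately announced with TTL 0 or 1 is filtered the same way, which seems acceptable but should be stated rather than left to the reader. Suggest the comment read `/* Ignore cached goodbye entries: on_mdns_packet() keeps them with TTL 1 rather than dropping them (RFC 6762 section 10.1). Records announced with TTL <= 1 are skipped as well. */`, which also fixes the "goodby" spelling. The enclosing function starts outside the hunk.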
@@ -0,0 +1,43 @@ +From 170989dc8d4f7fc5b7240fc478dc874157d5816f Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Sun, 14 Jan 2024 09:40:27 +0900 +Subject: [PATCH 0151/1160] resolve: on_transaction_stream_error() may free + multiple transactions + +Fixes #30928. + +(cherry picked from commit 3db1e6a8743cd77a4dbbec755ece010eb08e3d86) +--- + src/resolve/resolved-dns-transaction.c | 15 +++++++++++++-- + 1 file changed, 13 insertions(+), 2 deletions(-) + +diff --git a/src/resolve/resolved-dns-transaction.c b/src/resolve/resolved-dns-transaction.c +index afc9a2ed45..6c931d71dc 100644 +--- a/src/resolve/resolved-dns-transaction.c ++++ b/src/resolve/resolved-dns-transaction.c +@@ -631,9 +631,20 @@ static int on_stream_complete(DnsStream *s, int error) { + } + } + +- if (error != 0) +- LIST_FOREACH(transactions_by_stream, t, s->transactions) ++ if (error != 0) { ++ /* First, detach the stream from the server. Otherwise, transactions attached to this stream ++ * may be restarted by on_transaction_stream_error() below with this stream. */ ++ dns_stream_detach(s); ++ ++ /* Do not use LIST_FOREACH() here, as ++ * on_transaction_stream_error() ++ * -> dns_transaction_complete_errno() ++ * -> dns_transaction_free() ++ * may free multiple transactions in the list. */ ++ DnsTransaction *t; ++ while ((t = s->transactions)) + on_transaction_stream_error(t, error); ++ } + + return 0; + } +-- +2.33.0 + diff --git a/backport-resolve-refuse-invalid-service-without-type-field.patch b/backport-resolve-refuse-invalid-service-without-type-field.patch new file mode 100644 index 0000000..744f649 --- /dev/null +++ b/backport-resolve-refuse-invalid-service-without-type-field.patch 
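Review bot: The `while ((t = s->transactions))` loop in on_stream_complete terminates only if every call to on_transaction_stream_error() unlinks t from s->transactions, by freeing it or moving it to another stream; should any path return with t still attached, the loop never ends. The preceding dns_stream_detach(s) is presumably what guarantees a restarted transaction picks a different stream, but that invariant is not recorded where the loop depends on it. Suggest `/* Each call must remove t from s->transactions (free or re-attach elsewhere), otherwise this would loop forever. */` above the loop, and if it is cheap, an assert that the list head changed after each call. on_stream_complete begins outside the hunk.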
@@ -0,0 +1,32 @@ +From 7b1bb6e0bc5608e5d14964faf302242827387583 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Mon, 5 Aug 2024 10:46:41 +0900 +Subject: [PATCH 0840/1160] resolve: refuse invalid service without type field + +Fixes Fixes #33935. + +(cherry picked from commit b48ab08732a76b7337628e1e716f11c687000903) +(cherry picked from commit 0195db6e919e80bdd6b4b706ebc24d5e935f5422) +--- + src/resolve/resolved-bus.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/src/resolve/resolved-bus.c b/src/resolve/resolved-bus.c +index 75ba29c3d0..fb07516d5d 100644 +--- a/src/resolve/resolved-bus.c ++++ b/src/resolve/resolved-bus.c +@@ -1135,6 +1135,11 @@ static void resolve_service_all_complete(DnsQuery *query) { + if (r < 0) + goto finish; + ++ if (isempty(type)) { ++ r = reply_method_errorf(q, BUS_ERROR_NO_SUCH_SERVICE, "'%s' does not provide valid service", dns_query_string(q)); ++ goto finish; ++ } ++ + r = sd_bus_message_append( + reply, + "ssst", +-- +2.33.0 + diff --git a/backport-resolve-skip-IP_UNICAST_IF-for-local-sockets.patch b/backport-resolve-skip-IP_UNICAST_IF-for-local-sockets.patch new file mode 100644 index 0000000..87a6a4a --- /dev/null +++ b/backport-resolve-skip-IP_UNICAST_IF-for-local-sockets.patch 
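Review bot: Only `type` is rejected when empty in resolve_service_all_complete; if the same split can also yield an empty `name` or `domain` (the other strings appended with "ssst" just below), those would still reach sd_bus_message_append, so it is worth confirming whether they need the same BUS_ERROR_NO_SUCH_SERVICE treatment. The check itself is welcome, since these values originate in DNS responses rather than in the D-Bus caller. Separately, the patch description reads `Fixes Fixes #33935.` — a duplicated word. The function continues beyond the hunk.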
@@ -0,0 +1,69 @@ +From 78579f8b45ab22611ebc3b3e88564e83c38eac55 Mon Sep 17 00:00:00 2001 +From: Ronan Pigott +Date: Thu, 29 Feb 2024 21:42:43 -0700 +Subject: [PATCH 0430/1160] resolve: skip IP_UNICAST_IF for local sockets + +SO_BINDTODEVICE was used during connect() to fix an issue where +IP_UNICAST_IF was improperly ignored for route lookups made by connect +in linux. This has since been resolved upstream [1][2], but as a result +we must apply the local socket excpetion to IP_UNICAST_IF as well. + +The SO_BINDTODEVICE is no longer necessary, but left in place for 5.x +kernels. + +[1] https://lore.kernel.org/all/20220829111554.GA1771@debian/ +[2] https://lore.kernel.org/all/20221208145437.GA75680@debian/ + +(cherry picked from commit 51d056858eadc3068633b32c78acf248e0974f26) +--- + src/resolve/resolved-dns-scope.c | 24 +++++++++++++----------- + 1 file changed, 13 insertions(+), 11 deletions(-) + +diff --git a/src/resolve/resolved-dns-scope.c b/src/resolve/resolved-dns-scope.c +index 2e8b3e5580..b882d41d99 100644 +--- a/src/resolve/resolved-dns-scope.c ++++ b/src/resolve/resolved-dns-scope.c +@@ -424,7 +424,15 @@ static int dns_scope_socket( + return r; + } + +- if (ifindex != 0) { ++ bool addr_is_nonlocal = s->link && ++ !manager_find_link_address(s->manager, sa.sa.sa_family, sockaddr_in_addr(&sa.sa)) && ++ in_addr_is_localhost(sa.sa.sa_family, sockaddr_in_addr(&sa.sa)) == 0; ++ ++ if (addr_is_nonlocal && ifindex != 0) { ++ /* As a special exception we don't use UNICAST_IF if we notice that the specified IP address ++ * is on the local host. Otherwise, destination addresses on the local host result in ++ * EHOSTUNREACH, since Linux won't send the packets out of the specified interface, but ++ * delivers them directly to the local socket. 
*/ + r = socket_set_unicast_if(fd, sa.sa.sa_family, ifindex); + if (r < 0) + return r; +@@ -463,19 +471,13 @@ static int dns_scope_socket( + else { + bool bound = false; + +- /* Let's temporarily bind the socket to the specified ifindex. The kernel currently takes +- * only the SO_BINDTODEVICE/SO_BINDTOINDEX ifindex into account when making routing decisions ++ /* Let's temporarily bind the socket to the specified ifindex. Older kernels only take ++ * the SO_BINDTODEVICE/SO_BINDTOINDEX ifindex into account when making routing decisions + * in connect() — and not IP_UNICAST_IF. We don't really want any of the other semantics of + * SO_BINDTODEVICE/SO_BINDTOINDEX, hence we immediately unbind the socket after the fact + * again. +- * +- * As a special exception we don't do this if we notice that the specified IP address is on +- * the local host. SO_BINDTODEVICE in combination with destination addresses on the local +- * host result in EHOSTUNREACH, since Linux won't send the packets out of the specified +- * interface, but delivers them directly to the local socket. */ +- if (s->link && +- !manager_find_link_address(s->manager, sa.sa.sa_family, sockaddr_in_addr(&sa.sa)) && +- in_addr_is_localhost(sa.sa.sa_family, sockaddr_in_addr(&sa.sa)) == 0) { ++ */ ++ if (addr_is_nonlocal) { + r = socket_bind_to_ifindex(fd, ifindex); + if (r < 0) + return r; +-- +2.33.0 + diff --git a/backport-resolvectl-use-JSON_ALLOW_EXTENSIONS.patch b/backport-resolvectl-use-JSON_ALLOW_EXTENSIONS.patch new file mode 100644 index 0000000..02ed629 --- /dev/null +++ b/backport-resolvectl-use-JSON_ALLOW_EXTENSIONS.patch 
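Review bot: `addr_is_nonlocal` in dns_scope_socket is also false whenever `s->link` is NULL, so the name overstates what it tests: it means "this scope is link-bound and the destination is not (per the moved comment) an address on the local host". That matters at the second use, where `if (addr_is_nonlocal)` silently skips the temporary bind for link-less scopes. A rename such as `bind_to_link`, or a comment at the declaration — `/* false for scopes without a link, or when the destination is one of our own or a loopback address */` — would make both sites clearer. Note also that `in_addr_is_localhost()` returns negative on error and `== 0` then counts the address as non-local, which matches the previous behaviour but deserves a word there. dns_scope_socket starts and ends outside the hunk.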
@@ -0,0 +1,67 @@ +From bfd97c507f1c0c34d8d095b2a9e99d89a921d99d Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Wed, 10 Jan 2024 05:05:29 +0900 +Subject: [PATCH 0713/1160] resolvectl: use JSON_ALLOW_EXTENSIONS + +Follow-up for f0e4244b2fda1b3de3da1c2792ed1cd21c72087b. + +(cherry picked from commit 0c61995d80d3ba211b50e28349cdc9b121104d41) +--- + src/resolve/resolvectl.c | 13 ++++++------- + 1 file changed, 6 insertions(+), 7 deletions(-) + +diff --git a/src/resolve/resolvectl.c b/src/resolve/resolvectl.c +index afa537f160..64b829e5e6 100644 +--- a/src/resolve/resolvectl.c ++++ b/src/resolve/resolvectl.c +@@ -2715,7 +2715,7 @@ static int print_answer(JsonVariant *answer) { + + static void monitor_query_dump(JsonVariant *v) { + _cleanup_(json_variant_unrefp) JsonVariant *question = NULL, *answer = NULL, *collected_questions = NULL; +- int rcode = -1, error = 0, r; ++ int rcode = -1, error = 0; + const char *state = NULL; + + assert(v); +@@ -2730,9 +2730,8 @@ static void monitor_query_dump(JsonVariant *v) { + {} + }; + +- r = json_dispatch(v, dispatch_table, 0, NULL); +- if (r < 0) +- return (void) log_warning("Received malformed monitor message, ignoring."); ++ if (json_dispatch(v, dispatch_table, JSON_LOG|JSON_ALLOW_EXTENSIONS, NULL) < 0) ++ return; + + /* First show the current question */ + print_question('Q', ansi_highlight_cyan(), question); +@@ -2856,7 +2855,7 @@ static int dump_cache_item(JsonVariant *item) { + _cleanup_(dns_resource_key_unrefp) DnsResourceKey *k = NULL; + int r, c = 0; + +- r = json_dispatch(item, dispatch_table, JSON_LOG, &item_info); ++ r = json_dispatch(item, dispatch_table, JSON_LOG|JSON_ALLOW_EXTENSIONS, &item_info); + if (r < 0) + return r; + +@@ -2918,7 +2917,7 @@ static int dump_cache_scope(JsonVariant *scope) { + {}, + }; + +- r = json_dispatch(scope, dispatch_table, JSON_LOG, &scope_info); ++ r = json_dispatch(scope, dispatch_table, JSON_LOG|JSON_ALLOW_EXTENSIONS, &scope_info); + if (r < 0) + return r; + +@@ -3034,7 +3033,7 @@ 
static int dump_server_state(JsonVariant *server) { + {}, + }; + +- r = json_dispatch(server, dispatch_table, JSON_LOG|JSON_PERMISSIVE, &server_state); ++ r = json_dispatch(server, dispatch_table, JSON_LOG|JSON_ALLOW_EXTENSIONS, &server_state); + if (r < 0) + return r; + +-- +2.33.0 + diff --git a/backport-resolved-allow-the-full-TTL-to-be-used-by-OPT-record.patch b/backport-resolved-allow-the-full-TTL-to-be-used-by-OPT-record.patch new file mode 100644 index 0000000..2b7bc2a --- /dev/null +++ b/backport-resolved-allow-the-full-TTL-to-be-used-by-OPT-record.patch 
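Review bot: In dump_server_state the change from JSON_PERMISSIVE to JSON_LOG|JSON_ALLOW_EXTENSIONS is stricter than the other three edits in this commit: if I read the json_dispatch flags correctly, JSON_PERMISSIVE made per-field dispatch errors non-fatal, whereas JSON_ALLOW_EXTENSIONS only tolerates unknown fields, so a type mismatch in a server-state record now aborts the dump where it was previously skipped. If that tightening is intended the description should say so; otherwise keep JSON_PERMISSIVE alongside the new flag. In monitor_query_dump the explicit "Received malformed monitor message, ignoring." warning is dropped in favour of JSON_LOG's generic message, which loses the hint that the input came from the monitor stream; consider `return (void) log_warning("Ignoring malformed monitor message.");` after the failed dispatch. Both functions extend beyond the hunk.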
@@ -0,0 +1,59 @@ +From 964b184f8e4272b5f18c96e611268c522e67a715 Mon Sep 17 00:00:00 2001 +From: James Coglan +Date: Fri, 28 Jun 2024 13:41:31 +0100 +Subject: [PATCH 0730/1160] resolved: allow the full TTL to be used by OPT + records + +Whereas RFC 1035 says the TTL field takes the "positive values of a +signed 32 bit number", and RFC 2181 says "Implementations should treat +TTL values received with the most significant bit set as if the entire +value received was zero,", the dns_packet_read_rr() function sets +rr->ttl to zero if the MSB is set. + +However, EDNS(0) as specified in RFC 6891 repurposes the TTL field's 4 +octets to store other information, c.f.: + + +0 (MSB) +1 (LSB) + +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ + 0: | EXTENDED-RCODE | VERSION | + +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ + 2: | DO| Z | + +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ + +The first octet extends the usual 4-bit RCODE from the packet header by +providing an additional 8 bits of space, extending the RCODE to 12 bits. +But, our handling of the TTL field means that the high bit in the first +octet is not actually usable, since setting it will mean these 4 octets +are replaced with 0. This may have the effect of making us believe a +server does not support DNSSEC when it actually set the DO bit in its +OPT record. + +Here we change things so that the TTL is only set to zero for record +types other than OPT. 
+ +(cherry picked from commit 131787979c700becaf6ec24a810658d1313587cc) +(cherry picked from commit 6ead24fcac878b3623408ecb1a05d07f29c4c04c) +--- + src/resolve/resolved-dns-packet.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/src/resolve/resolved-dns-packet.c b/src/resolve/resolved-dns-packet.c +index 426711b061..a4401d860a 100644 +--- a/src/resolve/resolved-dns-packet.c ++++ b/src/resolve/resolved-dns-packet.c +@@ -1719,9 +1719,9 @@ int dns_packet_read_rr( + if (r < 0) + return r; + +- /* RFC 2181, Section 8, suggests to +- * treat a TTL with the MSB set as a zero TTL. */ +- if (rr->ttl & UINT32_C(0x80000000)) ++ /* RFC 2181, Section 8, suggests to treat a TTL with the MSB set as a zero TTL. We avoid doing this ++ * for OPT records so that all 8 bits of the extended RCODE may be used .*/ ++ if (key->type != DNS_TYPE_OPT && rr->ttl & UINT32_C(0x80000000)) + rr->ttl = 0; + + r = dns_packet_read_uint16(p, &rdlength, NULL); +-- +2.33.0 + diff --git a/backport-resolved-also-reply-NOTIMP-when-refusing-a-query-bas.patch b/backport-resolved-also-reply-NOTIMP-when-refusing-a-query-bas.patch new file mode 100644 index 0000000..bfb90eb --- /dev/null +++ b/backport-resolved-also-reply-NOTIMP-when-refusing-a-query-bas.patch 
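Review bot: The condition `key->type != DNS_TYPE_OPT && rr->ttl & UINT32_C(0x80000000)` in dns_packet_read_rr parses as intended (`&&` binds loosest) but mixes a comparison with a bit test without parentheses; `if (key->type != DNS_TYPE_OPT && (rr->ttl & UINT32_C(0x80000000)))` states the intent directly. The comment also ends with `.*/` — the period belongs before the space. Since OPT records now retain arbitrary high TTL bits, it would help to note in that comment that the OPT pseudo-record's ttl is only ever read as extended RCODE/flags and never used as a cache lifetime, if that is indeed the case elsewhere in the file. dns_packet_read_rr continues outside the hunk.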
@@ -0,0 +1,40 @@ +From d06f2485ca73ad456a40a187cbb82678fec4f007 Mon Sep 17 00:00:00 2001 +From: Ronan Pigott +Date: Fri, 8 Mar 2024 14:48:03 -0700 +Subject: [PATCH 0445/1160] resolved: also reply NOTIMP when refusing a query + based on RR type + +In some cases we refuse a query based on the RR type, mostly old +deprecated types. Let's return NOTIMP in this case, which best +communicates why the query failed. + +(cherry picked from commit 591810c02eb01118961a4cd53c7f3ebf3e091a10) +--- + src/resolve/resolved-dns-stub.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/src/resolve/resolved-dns-stub.c b/src/resolve/resolved-dns-stub.c +index c4bc034ea1..10b35da40a 100644 +--- a/src/resolve/resolved-dns-stub.c ++++ b/src/resolve/resolved-dns-stub.c +@@ -841,12 +841,16 @@ static void dns_stub_query_complete(DnsQuery *query) { + (void) dns_stub_send_reply(q, DNS_RCODE_REFUSED); + break; + ++ case DNS_TRANSACTION_RR_TYPE_UNSUPPORTED: ++ /* This RR Type is not implemented */ ++ (void) dns_stub_send_reply(q, DNS_RCODE_NOTIMP); ++ break; ++ + case DNS_TRANSACTION_INVALID_REPLY: + case DNS_TRANSACTION_ERRNO: + case DNS_TRANSACTION_ABORTED: + case DNS_TRANSACTION_DNSSEC_FAILED: + case DNS_TRANSACTION_NO_TRUST_ANCHOR: +- case DNS_TRANSACTION_RR_TYPE_UNSUPPORTED: + case DNS_TRANSACTION_NETWORK_DOWN: + case DNS_TRANSACTION_NO_SOURCE: + case DNS_TRANSACTION_STUB_LOOP: +-- +2.33.0 + diff --git a/backport-resolved-always-progress-DS-queries.patch b/backport-resolved-always-progress-DS-queries.patch new file mode 100644 index 0000000..8125a8a --- /dev/null +++ b/backport-resolved-always-progress-DS-queries.patch 
@@ -0,0 +1,34 @@ +From 52c17febf14c866d9808d1804f13ac98d76e665b Mon Sep 17 00:00:00 2001 +From: Ronan Pigott +Date: Mon, 29 Apr 2024 02:17:23 -0700 +Subject: [PATCH 0562/1160] resolved: always progress DS queries + +If we request a DS and the resolver offers an unsigned SOA, a new +auxiliary transaction for the DS will be rejected as a loop, and we +might not make any progress toward finding the DS we need. Let's ensure +that we at least always check the parent in this case. + +Fixes: 47690634f157 ("resolved: don't request the SOA for every dns label") +(cherry picked from commit d840783db5208219c78d73b9b46ef5daae9fea0a) +--- + src/resolve/resolved-dns-transaction.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/src/resolve/resolved-dns-transaction.c b/src/resolve/resolved-dns-transaction.c +index ad8b88e599..345c231832 100644 +--- a/src/resolve/resolved-dns-transaction.c ++++ b/src/resolve/resolved-dns-transaction.c +@@ -2545,6 +2545,10 @@ int dns_transaction_request_dnssec_keys(DnsTransaction *t) { + return r; + if (r == 0) + continue; ++ ++ /* If we were looking for the DS RR, don't request it again. */ ++ if (dns_transaction_key(t)->type == DNS_TYPE_DS) ++ continue; + } + + r = dnssec_has_rrsig(t->answer, rr->key); +-- +2.33.0 + diff --git a/backport-resolved-clear-the-AD-bit-for-bypass-packets.patch b/backport-resolved-clear-the-AD-bit-for-bypass-packets.patch new file mode 100644 index 0000000..8af293e --- /dev/null +++ b/backport-resolved-clear-the-AD-bit-for-bypass-packets.patch 
@@ -0,0 +1,66 @@ +From 6c243bbb70d994a83518099092ea71d50635ad8b Mon Sep 17 00:00:00 2001 +From: Ronan Pigott +Date: Mon, 26 Aug 2024 01:39:20 -0700 +Subject: [PATCH 0862/1160] resolved: clear the AD bit for bypass packets + +When the bypass logic is invoked, such as for queries to the stub with +the DO bit set, be certain to clear the AD bit in the reply before +forwarding it if the answer is not known to be authentic. + +(cherry picked from commit 13e15dae9f0b4566d3ea2ed058a5dd44751216da) +(cherry picked from commit 3a2be652282db2d55d5e28546e6c9a594fb8c43e) +--- + src/resolve/resolved-dns-packet.h | 1 + + src/resolve/resolved-dns-stub.c | 10 ++++++++-- + 2 files changed, 9 insertions(+), 2 deletions(-) + +diff --git a/src/resolve/resolved-dns-packet.h b/src/resolve/resolved-dns-packet.h +index 5a5ef13c8d..04d5b700b6 100644 +--- a/src/resolve/resolved-dns-packet.h ++++ b/src/resolve/resolved-dns-packet.h +@@ -111,6 +111,7 @@ static inline uint8_t* DNS_PACKET_DATA(const DnsPacket *p) { + #define DNS_PACKET_AD(p) ((be16toh(DNS_PACKET_HEADER(p)->flags) >> 5) & 1) + #define DNS_PACKET_CD(p) ((be16toh(DNS_PACKET_HEADER(p)->flags) >> 4) & 1) + ++#define DNS_PACKET_FLAG_AD (UINT16_C(1) << 5) + #define DNS_PACKET_FLAG_TC (UINT16_C(1) << 9) + + static inline uint16_t DNS_PACKET_RCODE(DnsPacket *p) { +diff --git a/src/resolve/resolved-dns-stub.c b/src/resolve/resolved-dns-stub.c +index 10b35da40a..3e2579bbf1 100644 +--- a/src/resolve/resolved-dns-stub.c ++++ b/src/resolve/resolved-dns-stub.c +@@ -685,7 +685,8 @@ static int dns_stub_send_failure( + static int dns_stub_patch_bypass_reply_packet( + DnsPacket **ret, /* Where to place the patched packet */ + DnsPacket *original, /* The packet to patch */ +- DnsPacket *request) { /* The packet the patched packet shall look like a reply to */ ++ DnsPacket *request, /* The packet the patched packet shall look like a reply to */ ++ bool authenticated) { + _cleanup_(dns_packet_unrefp) DnsPacket *c = NULL; + int r; + +@@ -725,6 +726,10 
@@ static int dns_stub_patch_bypass_reply_packet( + DNS_PACKET_HEADER(c)->flags = htobe16(be16toh(DNS_PACKET_HEADER(c)->flags) | DNS_PACKET_FLAG_TC); + } + ++ /* Ensure we don't pass along an untrusted ad flag for bypass packets */ ++ if (!authenticated) ++ DNS_PACKET_HEADER(c)->flags = htobe16(be16toh(DNS_PACKET_HEADER(c)->flags) & ~DNS_PACKET_FLAG_AD); ++ + *ret = TAKE_PTR(c); + return 0; + } +@@ -745,7 +750,8 @@ static void dns_stub_query_complete(DnsQuery *query) { + q->answer_full_packet->protocol == DNS_PROTOCOL_DNS) { + _cleanup_(dns_packet_unrefp) DnsPacket *reply = NULL; + +- r = dns_stub_patch_bypass_reply_packet(&reply, q->answer_full_packet, q->request_packet); ++ r = dns_stub_patch_bypass_reply_packet(&reply, q->answer_full_packet, q->request_packet, ++ FLAGS_SET(q->answer_query_flags, SD_RESOLVED_AUTHENTICATED)); + if (r < 0) + log_debug_errno(r, "Failed to patch bypass reply packet: %m"); + else +-- +2.33.0 + diff --git a/backport-resolved-correct-parsing-of-OPT-extended-RCODEs.patch b/backport-resolved-correct-parsing-of-OPT-extended-RCODEs.patch new file mode 100644 index 0000000..ea53cd9 --- /dev/null +++ b/backport-resolved-correct-parsing-of-OPT-extended-RCODEs.patch 
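Review bot: The new `authenticated` parameter of dns_stub_patch_bypass_reply_packet is the only one without the trailing comment the other three carry; suggest `bool authenticated) { /* Whether the answer is known to be authentic; if not, the AD flag is stripped from the reply */`. Clearing AD for unauthenticated bypass replies is the right default, since a client that set DO would otherwise read the upstream server's AD bit as resolved's own validation verdict. The header change defining DNS_PACKET_FLAG_AD as bit 5 matches the `>> 5` in DNS_PACKET_AD(), so the two stay consistent.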
@@ -0,0 +1,48 @@ +From c572f1ed2b7565263007b26a10872fb047526d73 Mon Sep 17 00:00:00 2001 +From: James Coglan +Date: Fri, 28 Jun 2024 13:58:22 +0100 +Subject: [PATCH 0731/1160] resolved: correct parsing of OPT extended RCODEs + +The DNS_PACKET_RCODE() function works out the full RCODE by taking the +first octet from the OPT record TTL field and bitwise-OR-ing this with +the basic RCODE from the packet header. This results in RCODE values +being lower than they should be. + +For example, if the first TTL octet is 0x7a and the basic RCODE is 3, +this function currently returns `0x7a | 3` = 123, rather than 0x7a3 = +1955. + +The first TTL octet is supposed to form the upper 8 bits of a 12-bit +value, whereas the current implementation constraints the value to 8 +bits and results in mis-interpreted RCODEs. + +This fixes things by shifting the TTL 20 places instead of 24 and +masking off the low nibble that comes from the upper bits of the version +octet. + +Note that dns_packet_append_opt() correctly converts the input RCODE +into the high octet of the OPT TTL field; this problem only affects +parsing of incoming packets. + +(cherry picked from commit c40f3714c9a4d1f2bcd308625c9c835892e3d41c) +(cherry picked from commit 7ee60a86140ebe3e60858ef3c4e749dcd2e7fd21) +--- + src/resolve/resolved-dns-packet.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/resolve/resolved-dns-packet.h b/src/resolve/resolved-dns-packet.h +index a6af44c6ec..5a5ef13c8d 100644 +--- a/src/resolve/resolved-dns-packet.h ++++ b/src/resolve/resolved-dns-packet.h +@@ -117,7 +117,7 @@ static inline uint16_t DNS_PACKET_RCODE(DnsPacket *p) { + uint16_t rcode; + + if (p->opt) +- rcode = (uint16_t) (p->opt->ttl >> 24); ++ rcode = (uint16_t) ((p->opt->ttl >> 20) & 0xFF0); + else + rcode = 0; + +-- +2.33.0 + 
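Review bot: The new expression `(p->opt->ttl >> 20) & 0xFF0` in DNS_PACKET_RCODE is correct but opaque without the commit message; a one-line comment saves the next reader the derivation: `/* RFC 6891 §6.1.3: the top 8 bits of the OPT TTL are the upper 8 bits of the 12-bit extended RCODE; move them into bits 4..11 */`. The low nibble is presumably OR-ed with the 4-bit header RCODE below the hunk; DNS_PACKET_RCODE continues outside it.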
diff --git a/backport-resolved-decrease-mdns-llmnr-priority-for-the-revers.patch b/backport-resolved-decrease-mdns-llmnr-priority-for-the-revers.patch new file mode 100644 index 0000000..1e1fe86 --- /dev/null +++ b/backport-resolved-decrease-mdns-llmnr-priority-for-the-revers.patch 
@@ -0,0 +1,67 @@ +From 28472e792b44c7acc23e5441329b6a1379fa39af Mon Sep 17 00:00:00 2001 +From: Ronan Pigott +Date: Tue, 5 Mar 2024 18:05:57 -0700 +Subject: [PATCH 0437/1160] resolved: decrease mdns/llmnr priority for the + reverse mapping domains + +Previously all queries to the reverse mapping domains (in-addr.arpa and +ip6.arpa) were considered to be in-scope for mdns and llmnr at the same +priority as DNS. This caused sd-resolved to ignore NXDOMAIN responses +from dns in favor of lengthy timeouts. + +This narrows the scope of mdns and llmnr so they are not invariably +considered as fallbacks for these domains. Now, mdns/llmnr on a link +will only be used as a fallback when there is no suitable DNS scope, and +when that link is DefaultRoute. + +(cherry picked from commit da920fe176bd77f2ab36024ed5002a32108fc144) +--- + src/resolve/resolved-dns-scope.c | 5 +++-- + src/resolve/resolved-dns-scope.h | 1 + + 2 files changed, 4 insertions(+), 2 deletions(-) + +diff --git a/src/resolve/resolved-dns-scope.c b/src/resolve/resolved-dns-scope.c +index b882d41d99..62c30a8b66 100644 +--- a/src/resolve/resolved-dns-scope.c ++++ b/src/resolve/resolved-dns-scope.c +@@ -603,6 +603,7 @@ DnsScopeMatch dns_scope_good_domain( + /* This returns the following return values: + * + * DNS_SCOPE_NO → This scope is not suitable for lookups of this domain, at all ++ * DNS_SCOPE_LAST_RESORT→ This scope is not suitable, unless we have no alternative + * DNS_SCOPE_MAYBE → This scope is suitable, but only if nothing else wants it + * DNS_SCOPE_YES_BASE+n → This scope is suitable, and 'n' suffix labels match + * +@@ -751,7 +752,7 @@ DnsScopeMatch dns_scope_good_domain( + + if ((s->family == AF_INET && dns_name_endswith(domain, "in-addr.arpa") > 0) || + (s->family == AF_INET6 && dns_name_endswith(domain, "ip6.arpa") > 0)) +- return DNS_SCOPE_MAYBE; ++ return DNS_SCOPE_LAST_RESORT; + + if ((dns_name_endswith(domain, "local") > 0 && /* only resolve names ending in .local via mDNS */ + 
dns_name_equal(domain, "local") == 0 && /* but not the single-label "local" name itself */ +@@ -774,7 +775,7 @@ DnsScopeMatch dns_scope_good_domain( + + if ((s->family == AF_INET && dns_name_endswith(domain, "in-addr.arpa") > 0) || + (s->family == AF_INET6 && dns_name_endswith(domain, "ip6.arpa") > 0)) +- return DNS_SCOPE_MAYBE; ++ return DNS_SCOPE_LAST_RESORT; + + if ((dns_name_is_single_label(domain) && /* only resolve single label names via LLMNR */ + dns_name_equal(domain, "local") == 0 && /* don't resolve "local" with LLMNR, it's the top-level domain of mDNS after all, see above */ +diff --git a/src/resolve/resolved-dns-scope.h b/src/resolve/resolved-dns-scope.h +index ca33fd007a..b1d120679a 100644 +--- a/src/resolve/resolved-dns-scope.h ++++ b/src/resolve/resolved-dns-scope.h +@@ -18,6 +18,7 @@ typedef struct DnsScope DnsScope; + + typedef enum DnsScopeMatch { + DNS_SCOPE_NO, ++ DNS_SCOPE_LAST_RESORT, + DNS_SCOPE_MAYBE, + DNS_SCOPE_YES_BASE, /* Add the number of matching labels to this */ + DNS_SCOPE_YES_END = DNS_SCOPE_YES_BASE + DNS_N_LABELS_MAX, +-- +2.33.0 + diff --git a/backport-resolved-dns-stream-pass-the-right-error-variable.patch b/backport-resolved-dns-stream-pass-the-right-error-variable.patch new file mode 100644 index 0000000..b84747a --- /dev/null +++ b/backport-resolved-dns-stream-pass-the-right-error-variable.patch 
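Review bot: DNS_SCOPE_LAST_RESORT is inserted between DNS_SCOPE_NO and DNS_SCOPE_MAYBE, which is only safe because the enum's numeric order encodes preference (callers presumably keep the highest match); that dependency deserves a comment on the typedef, e.g. `/* Ordered by preference: when several scopes match, the higher value wins. */`. The return-value table in dns_scope_good_domain also lost its alignment on the new line (`DNS_SCOPE_LAST_RESORT→`); a space before the arrow keeps it readable. Both dns_scope_good_domain hunks are partial views of the function.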
@@ -0,0 +1,35 @@ +From ce1df5ee6c105580e5c1a27637d8759316832e71 Mon Sep 17 00:00:00 2001 +From: David Tardon +Date: Tue, 7 May 2024 13:23:01 +0200 +Subject: [PATCH 0596/1160] resolved-dns-stream: pass the right error variable + +(cherry picked from commit be6aa742a6c522c4102a02fcd79231ff5bc5fa9f) +--- + src/resolve/resolved-dns-stream.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/resolve/resolved-dns-stream.c b/src/resolve/resolved-dns-stream.c +index 056ba7794f..1a43d0bd49 100644 +--- a/src/resolve/resolved-dns-stream.c ++++ b/src/resolve/resolved-dns-stream.c +@@ -195,7 +195,7 @@ static int dns_stream_identify(DnsStream *s) { + /* Make sure all packets for this connection are sent on the same interface */ + r = socket_set_unicast_if(s->fd, s->local.sa.sa_family, s->ifindex); + if (r < 0) +- log_debug_errno(errno, "Failed to invoke IP_UNICAST_IF/IPV6_UNICAST_IF: %m"); ++ log_debug_errno(r, "Failed to invoke IP_UNICAST_IF/IPV6_UNICAST_IF: %m"); + } + + s->identified = true; +@@ -454,7 +454,7 @@ static int on_stream_io(sd_event_source *es, int fd, uint32_t revents, void *use + if (progressed && s->timeout_event_source) { + r = sd_event_source_set_time_relative(s->timeout_event_source, DNS_STREAM_ESTABLISHED_TIMEOUT_USEC); + if (r < 0) +- log_warning_errno(errno, "Couldn't restart TCP connection timeout, ignoring: %m"); ++ log_warning_errno(r, "Couldn't restart TCP connection timeout, ignoring: %m"); + } + + return 0; +-- +2.33.0 + diff --git a/backport-resolved-don-t-cache-NXDOMAIN-for-SUDN-resolver.arpa.patch b/backport-resolved-don-t-cache-NXDOMAIN-for-SUDN-resolver.arpa.patch new file mode 100644 index 0000000..6e4af71 --- /dev/null +++ b/backport-resolved-don-t-cache-NXDOMAIN-for-SUDN-resolver.arpa.patch 
@@ -0,0 +1,156 @@ +From 434666dcd54f2cd0e347320b0ea623c6133303cd Mon Sep 17 00:00:00 2001 +From: Ronan Pigott +Date: Tue, 5 Mar 2024 19:03:16 -0700 +Subject: [PATCH 0442/1160] resolved: don't cache NXDOMAIN for SUDN + resolver.arpa + +The name resolver.arpa is reserved for RFC9462 "Discovery of Designated +Resolvers" (DDR). This relies on regular dns queries for SVCB records at +the special use domain name _dns.resolver.arpa. Unfortunately, older +nameservers (or broken ones) won't know about this SUDN and will likely +return NXDOMAIN. If this is cached, the cache entry will become an +impediment for any clients trying to discover designated resolvers +through the stub-resolver, or potentially even sd-resolved itself, were +it to implement DDR. + +The RFC recommendation is that "clients MUST NOT perform A or AAAA +queries for resolver.arpa", and "resolvers SHOULD respond to queries of +any type other than SVCB for _dns.resolver.arpa. with NODATA and queries +of any type for any domain name under resolver.arpa with NODATA." which +should help avoid potential compatibility issues. This enforces that +condition within sd-resolved, and avoids caching any such erroneous +NXDOMAIN. + +The RFC also recommends requests for this domain should never be +forwarded, to prevent authentication failures. Since there isn't much +point in establishing secure communication to the local stub, we still +allow SVCB to be forwarded from the stub, in case the client cares to +implement some other authentication method and understands the +consequences of skipping the local stub. Normal clients are not +expected to implement DDR, but this change will protect sd-resolved's +own caches in case they try. + +Although A and AAAA are prohibited, I think validating resolvers +might reasonably query for dnssec records, even though the resolver.arpa +zone does not exist (it is declared to be a locally served zone). For +this reason, I have also added resolver.arpa to the builtin dnssec NTA. 
+ +(cherry picked from commit abcc94b351ad030bce63568f6c4bc3f97fbaa109) +--- + src/resolve/resolved-dns-cache.c | 16 +++++++++++++++ + src/resolve/resolved-dns-scope.c | 27 +++++++++++++++++++++++++ + src/resolve/resolved-dns-synthesize.c | 2 +- + src/resolve/resolved-dns-trust-anchor.c | 5 +++++ + 4 files changed, 49 insertions(+), 1 deletion(-) + +diff --git a/src/resolve/resolved-dns-cache.c b/src/resolve/resolved-dns-cache.c +index a9a649242f..e90915e64d 100644 +--- a/src/resolve/resolved-dns-cache.c ++++ b/src/resolve/resolved-dns-cache.c +@@ -531,6 +531,20 @@ static int dns_cache_put_positive( + TAKE_PTR(i); + return 0; + } ++/* https://www.iana.org/assignments/special-use-domain-names/special-use-domain-names.xhtml */ ++/* https://www.iana.org/assignments/locally-served-dns-zones/locally-served-dns-zones.xhtml#transport-independent */ ++static bool dns_special_use_domain_invalid_answer(DnsResourceKey *key, int rcode) { ++ /* Sometimes we know a domain exists, even if broken nameservers say otherwise. Make sure not to ++ * cache any answers we know are wrong. */ ++ ++ /* RFC9462 § 6.4: resolvers SHOULD respond to queries of any type other than SVCB for ++ * _dns.resolver.arpa. with NODATA and queries of any type for any domain name under resolver.arpa ++ * with NODATA. 
*/ ++ if (dns_name_endswith(dns_resource_key_name(key), "resolver.arpa") > 0 && rcode == DNS_RCODE_NXDOMAIN) ++ return true; ++ ++ return false; ++} + + static int dns_cache_put_negative( + DnsCache *c, +@@ -561,6 +575,8 @@ static int dns_cache_put_negative( + return 0; + if (dns_type_is_pseudo(key->type)) + return 0; ++ if (dns_special_use_domain_invalid_answer(key, rcode)) ++ return 0; + + if (IN_SET(rcode, DNS_RCODE_SUCCESS, DNS_RCODE_NXDOMAIN)) { + if (!soa) +diff --git a/src/resolve/resolved-dns-scope.c b/src/resolve/resolved-dns-scope.c +index 62c30a8b66..3e2eac53f2 100644 +--- a/src/resolve/resolved-dns-scope.c ++++ b/src/resolve/resolved-dns-scope.c +@@ -591,6 +591,29 @@ static DnsScopeMatch match_subnet_reverse_lookups( + return _DNS_SCOPE_MATCH_INVALID; + } + ++/* https://www.iana.org/assignments/special-use-domain-names/special-use-domain-names.xhtml */ ++/* https://www.iana.org/assignments/locally-served-dns-zones/locally-served-dns-zones.xhtml */ ++static bool dns_refuse_special_use_domain(const char *domain, DnsQuestion *question) { ++ /* RFC9462 § 6.4: resolvers SHOULD respond to queries of any type other than SVCB for ++ * _dns.resolver.arpa. with NODATA and queries of any type for any domain name under ++ * resolver.arpa with NODATA. 
*/ ++ if (dns_name_equal(domain, "_dns.resolver.arpa") > 0) { ++ DnsResourceKey *t; ++ ++ /* Only SVCB is permitted to _dns.resolver.arpa */ ++ DNS_QUESTION_FOREACH(t, question) ++ if (t->type == DNS_TYPE_SVCB) ++ return false; ++ ++ return true; ++ } ++ ++ if (dns_name_endswith(domain, "resolver.arpa") > 0) ++ return true; ++ ++ return false; ++} ++ + DnsScopeMatch dns_scope_good_domain( + DnsScope *s, + DnsQuery *q) { +@@ -646,6 +669,10 @@ DnsScopeMatch dns_scope_good_domain( + if (dns_name_dont_resolve(domain)) + return DNS_SCOPE_NO; + ++ /* Avoid asking invalid questions of some special use domains */ ++ if (dns_refuse_special_use_domain(domain, question)) ++ return DNS_SCOPE_NO; ++ + /* Never go to network for the _gateway, _outbound, _localdnsstub, _localdnsproxy domain — they're something special, synthesized locally. */ + if (is_gateway_hostname(domain) || + is_outbound_hostname(domain) || +diff --git a/src/resolve/resolved-dns-synthesize.c b/src/resolve/resolved-dns-synthesize.c +index 5bde29c704..6144dc0173 100644 +--- a/src/resolve/resolved-dns-synthesize.c ++++ b/src/resolve/resolved-dns-synthesize.c +@@ -463,7 +463,7 @@ int dns_synthesize_answer( + + name = dns_resource_key_name(key); + +- if (dns_name_is_root(name)) { ++ if (dns_name_is_root(name) || dns_name_endswith(name, "resolver.arpa") > 0) { + /* Do nothing. */ + + } else if (dns_name_dont_resolve(name)) { +diff --git a/src/resolve/resolved-dns-trust-anchor.c b/src/resolve/resolved-dns-trust-anchor.c +index 1703c43d4b..8aea5e11a0 100644 +--- a/src/resolve/resolved-dns-trust-anchor.c ++++ b/src/resolve/resolved-dns-trust-anchor.c +@@ -165,6 +165,11 @@ static int dns_trust_anchor_add_builtin_negative(DnsTrustAnchor *d) { + /* Defined by RFC 8375. The most official choice. */ + "home.arpa\0" + ++ /* RFC 9462 doesn't mention DNSSEC, but this domain ++ * can't really be signed and clients need to validate ++ * the answer before using it anyway. 
*/ ++ "resolver.arpa\0" ++ + /* RFC 8880 says because the 'ipv4only.arpa' zone has to + * be an insecure delegation, DNSSEC cannot be used to + * protect these answers from tampering by malicious +-- +2.33.0 + diff --git a/backport-resolved-don-t-request-the-SOA-for-every-dns-label.patch b/backport-resolved-don-t-request-the-SOA-for-every-dns-label.patch new file mode 100644 index 0000000..a843cbe --- /dev/null +++ b/backport-resolved-don-t-request-the-SOA-for-every-dns-label.patch 
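Review bot: `dns_refuse_special_use_domain` makes `dns_scope_good_domain` return `DNS_SCOPE_NO` for every name under resolver.arpa (and for non-SVCB queries to _dns.resolver.arpa), but the RFC text quoted in its own comment asks for a NODATA response; with no scope matching and `dns_synthesize_answer` also now declining these names, what the stub client actually receives is presumably whatever the no-scope path produces (likely an error rather than an empty NOERROR answer) — worth confirming against the query completion code, which is outside this hunk. The intent and the trade-off deserve a line where the refusal happens, e.g. `/* Refusing the scope here yields a failed lookup rather than the NODATA RFC 9462 § 6.4 asks for; acceptable since we never synthesize or forward these names, but callers probing DDR see an error, not an empty answer. */`. Separately, the `dns_trust_anchor_add_builtin_negative` entry means any SVCB answer forwarded for _dns.resolver.arpa will never carry `SD_RESOLVED_AUTHENTICATED`, so the comment there should say so explicitly rather than only that clients "need to validate the answer", e.g. `/* NTA: answers under this name are returned unauthenticated; DDR clients must verify the designated resolver themselves (RFC 9462 § 4.2). */`.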
@@ -0,0 +1,349 @@ +From 186f9daf431ef4d1093241266b0af3b25cc62265 Mon Sep 17 00:00:00 2001 +From: Ronan Pigott +Date: Sun, 17 Mar 2024 18:02:22 -0700 +Subject: [PATCH 0459/1160] resolved: don't request the SOA for every dns label + +When validating insecure delegations we don't actually need to request +the SOA for every single dns label. We need the DS records for the zone, +and we can seek them by querying for DS directly (in case we are at a +zone cut) and then following the SOA referrals or the parent name until +we have found a chain of trust. + +Extra transactions and roundtrips, especially transactions for RRs that +aren't actually needed to validate and therefore aren't likely to be in +the recursive resolver's own cache are a big slowdown during validation. + +Consequently, this change results in an enourmous speed up in validating +most names from our own cold-cache (10x or more), by eliminating a large +number of superfluous dnssec transactions. + +(cherry picked from commit 47690634f157150e7b69c832d1f2d64d18b3f124) +--- + src/resolve/resolved-dns-transaction.c | 157 +++++++++++-------------- + 1 file changed, 71 insertions(+), 86 deletions(-) + +diff --git a/src/resolve/resolved-dns-transaction.c b/src/resolve/resolved-dns-transaction.c +index 742bd08709..8ad2a2881a 100644 +--- a/src/resolve/resolved-dns-transaction.c ++++ b/src/resolve/resolved-dns-transaction.c +@@ -2368,6 +2368,8 @@ static bool dns_transaction_dnssec_supported_full(DnsTransaction *t) { + int dns_transaction_request_dnssec_keys(DnsTransaction *t) { + DnsResourceRecord *rr; + ++ /* Have we already requested a record that would be sufficient to validate an insecure delegation? 
*/ ++ bool chased_insecure = false; + int r; + + assert(t); +@@ -2380,11 +2382,11 @@ int dns_transaction_request_dnssec_keys(DnsTransaction *t) { + * - For RRSIG we get the matching DNSKEY + * - For DNSKEY we get the matching DS + * - For unsigned SOA/NS we get the matching DS +- * - For unsigned CNAME/DNAME/DS we get the parent SOA RR +- * - For other unsigned RRs we get the matching SOA RR ++ * - For unsigned CNAME/DNAME/DS we get the parent DS RR ++ * - For other unsigned RRs we get the matching DS RR + * - For SOA/NS queries with no matching response RR, and no NSEC/NSEC3, the DS RR +- * - For DS queries with no matching response RRs, and no NSEC/NSEC3, the parent's SOA RR +- * - For other queries with no matching response RRs, and no NSEC/NSEC3, the SOA RR ++ * - For DS queries with no matching response RRs, and no NSEC/NSEC3, the parent's DS RR ++ * - For other queries with no matching response RRs, and no NSEC/NSEC3, the DS RR + */ + + if (FLAGS_SET(t->query_flags, SD_RESOLVED_NO_VALIDATE) || t->scope->dnssec_mode == DNSSEC_NO) +@@ -2524,6 +2526,7 @@ int dns_transaction_request_dnssec_keys(DnsTransaction *t) { + if (r > 0) + continue; + ++ chased_insecure = true; + ds = dns_resource_key_new(rr->key->class, DNS_TYPE_DS, dns_resource_key_name(rr->key)); + if (!ds) + return -ENOMEM; +@@ -2540,11 +2543,11 @@ int dns_transaction_request_dnssec_keys(DnsTransaction *t) { + case DNS_TYPE_DS: + case DNS_TYPE_CNAME: + case DNS_TYPE_DNAME: { +- _cleanup_(dns_resource_key_unrefp) DnsResourceKey *soa = NULL; ++ _cleanup_(dns_resource_key_unrefp) DnsResourceKey *ds = NULL; + const char *name; + + /* CNAMEs and DNAMEs cannot be located at a +- * zone apex, hence ask for the parent SOA for ++ * zone apex, hence ask for the parent DS for + * unsigned CNAME/DNAME RRs, maybe that's the + * apex. 
But do all that only if this is + * actually a response to our original +@@ -2578,13 +2581,13 @@ int dns_transaction_request_dnssec_keys(DnsTransaction *t) { + if (r == 0) + continue; + +- soa = dns_resource_key_new(rr->key->class, DNS_TYPE_SOA, name); +- if (!soa) ++ ds = dns_resource_key_new(rr->key->class, DNS_TYPE_DS, name); ++ if (!ds) + return -ENOMEM; + +- log_debug("Requesting parent SOA to validate transaction %" PRIu16 " (%s, unsigned CNAME/DNAME/DS RRset).", ++ log_debug("Requesting parent DS to validate transaction %" PRIu16 " (%s, unsigned CNAME/DNAME/DS RRset).", + t->id, dns_resource_key_name(rr->key)); +- r = dns_transaction_request_dnssec_rr(t, soa); ++ r = dns_transaction_request_dnssec_rr(t, ds); + if (r < 0) + return r; + +@@ -2592,11 +2595,11 @@ int dns_transaction_request_dnssec_keys(DnsTransaction *t) { + } + + default: { +- _cleanup_(dns_resource_key_unrefp) DnsResourceKey *soa = NULL; ++ _cleanup_(dns_resource_key_unrefp) DnsResourceKey *ds = NULL; + + /* For other unsigned RRsets (including + * NSEC/NSEC3!), look for proof the zone is +- * unsigned, by requesting the SOA RR of the ++ * unsigned, by requesting the DS RR of the + * zone. However, do so only if they are + * directly relevant to our original + * question. 
*/ +@@ -2613,13 +2616,13 @@ int dns_transaction_request_dnssec_keys(DnsTransaction *t) { + if (r > 0) + continue; + +- soa = dns_resource_key_new(rr->key->class, DNS_TYPE_SOA, dns_resource_key_name(rr->key)); +- if (!soa) ++ ds = dns_resource_key_new(rr->key->class, DNS_TYPE_DS, dns_resource_key_name(rr->key)); ++ if (!ds) + return -ENOMEM; + +- log_debug("Requesting SOA to validate transaction %" PRIu16 " (%s, unsigned non-SOA/NS RRset <%s>).", ++ log_debug("Requesting DS to validate transaction %" PRIu16 " (%s, unsigned non-SOA/NS RRset <%s>).", + t->id, dns_resource_key_name(rr->key), dns_resource_record_to_string(rr)); +- r = dns_transaction_request_dnssec_rr(t, soa); ++ r = dns_transaction_request_dnssec_rr(t, ds); + if (r < 0) + return r; + break; +@@ -2634,49 +2637,38 @@ int dns_transaction_request_dnssec_keys(DnsTransaction *t) { + if (r < 0) + return r; + if (r > 0) { +- const char *name, *signed_status; +- uint16_t type = 0; +- +- name = dns_resource_key_name(dns_transaction_key(t)); +- signed_status = dns_answer_contains_nsec_or_nsec3(t->answer) ? "signed" : "unsigned"; +- +- /* If this was a SOA or NS request, then check if there's a DS RR for the same domain. Note that this +- * could also be used as indication that we are not at a zone apex, but in real world setups there are +- * too many broken DNS servers (Hello, incapdns.net!) where non-terminal zones return NXDOMAIN even +- * though they have further children. If this was a DS request, then it's signed when the parent zone +- * is signed, hence ask the parent SOA in that case. If this was any other RR then ask for the SOA RR, +- * to see if that is signed. 
*/ ++ const char *name = dns_resource_key_name(dns_transaction_key(t)); ++ bool was_signed = dns_answer_contains_nsec_or_nsec3(t->answer); + +- if (dns_transaction_key(t)->type == DNS_TYPE_DS) { +- r = dns_name_parent(&name); +- if (r > 0) { +- type = DNS_TYPE_SOA; +- log_debug("Requesting parent SOA (%s %s) to validate transaction %" PRIu16 " (%s, %s empty DS response).", +- special_glyph(SPECIAL_GLYPH_ARROW_RIGHT), name, t->id, +- dns_resource_key_name(dns_transaction_key(t)), signed_status); +- } else ++ /* If the response is empty, seek the DS for this name, just in case we're at a zone cut ++ * already, unless we just requested the DS, in which case we have to ask the parent to make ++ * progress. ++ * ++ * If this was an SOA or NS request, we could also skip to the parent, but in real world ++ * setups there are too many broken DNS servers (Hello, incapdns.net!) where non-terminal ++ * zones return NXDOMAIN even though they have further children. */ ++ ++ if (chased_insecure || was_signed) ++ /* In this case we already reqeusted what we need above. */ ++ name = NULL; ++ else if (dns_transaction_key(t)->type == DNS_TYPE_DS) ++ /* If the DS response is empty, we'll walk up the dns labels requesting DS until we ++ * find a referral to the SOA or hit it anyway and get a positive DS response. 
*/ ++ if (dns_name_parent(&name) <= 0) + name = NULL; + +- } else if (IN_SET(dns_transaction_key(t)->type, DNS_TYPE_SOA, DNS_TYPE_NS)) { +- +- type = DNS_TYPE_DS; +- log_debug("Requesting DS (%s %s) to validate transaction %" PRIu16 " (%s, %s empty SOA/NS response).", +- special_glyph(SPECIAL_GLYPH_ARROW_RIGHT), name, t->id, name, signed_status); +- +- } else { +- type = DNS_TYPE_SOA; +- log_debug("Requesting SOA (%s %s) to validate transaction %" PRIu16 " (%s, %s empty non-SOA/NS/DS response).", +- special_glyph(SPECIAL_GLYPH_ARROW_RIGHT), name, t->id, name, signed_status); +- } +- + if (name) { +- _cleanup_(dns_resource_key_unrefp) DnsResourceKey *soa = NULL; ++ _cleanup_(dns_resource_key_unrefp) DnsResourceKey *ds = NULL; + +- soa = dns_resource_key_new(dns_transaction_key(t)->class, type, name); +- if (!soa) ++ log_debug("Requesting DS (%s %s) to validate transaction %" PRIu16 " (%s empty response).", ++ special_glyph(SPECIAL_GLYPH_ARROW_RIGHT), name, t->id, ++ dns_resource_key_name(dns_transaction_key(t))); ++ ++ ds = dns_resource_key_new(dns_transaction_key(t)->class, DNS_TYPE_DS, name); ++ if (!ds) + return -ENOMEM; + +- r = dns_transaction_request_dnssec_rr(t, soa); ++ r = dns_transaction_request_dnssec_rr(t, ds); + if (r < 0) + return r; + } +@@ -2756,7 +2748,6 @@ static int dns_transaction_requires_rrsig(DnsTransaction *t, DnsResourceRecord * + DnsTransaction *dt; + + /* For SOA or NS RRs we look for a matching DS transaction */ +- + SET_FOREACH(dt, t->dnssec_transactions) { + + if (dns_transaction_key(dt)->class != rr->key->class) +@@ -2764,7 +2755,7 @@ static int dns_transaction_requires_rrsig(DnsTransaction *t, DnsResourceRecord * + if (dns_transaction_key(dt)->type != DNS_TYPE_DS) + continue; + +- r = dns_name_equal(dns_resource_key_name(dns_transaction_key(dt)), dns_resource_key_name(rr->key)); ++ r = dns_name_endswith(dns_resource_key_name(rr->key), dns_resource_key_name(dns_transaction_key(dt))); + if (r < 0) + return r; + if (r == 0) +@@ -2793,16 
+2784,16 @@ static int dns_transaction_requires_rrsig(DnsTransaction *t, DnsResourceRecord * + DnsTransaction *dt; + + /* +- * CNAME/DNAME RRs cannot be located at a zone apex, hence look directly for the parent SOA. ++ * CNAME/DNAME RRs cannot be located at a zone apex, hence look directly for the parent DS. + * +- * DS RRs are signed if the parent is signed, hence also look at the parent SOA ++ * DS RRs are signed if the parent is signed, hence also look at the parent DS + */ + + SET_FOREACH(dt, t->dnssec_transactions) { + + if (dns_transaction_key(dt)->class != rr->key->class) + continue; +- if (dns_transaction_key(dt)->type != DNS_TYPE_SOA) ++ if (dns_transaction_key(dt)->type != DNS_TYPE_DS) + continue; + + if (!parent) { +@@ -2820,7 +2811,7 @@ static int dns_transaction_requires_rrsig(DnsTransaction *t, DnsResourceRecord * + } + } + +- r = dns_name_equal(dns_resource_key_name(dns_transaction_key(dt)), parent); ++ r = dns_name_endswith(parent, dns_resource_key_name(dns_transaction_key(dt))); + if (r < 0) + return r; + if (r == 0) +@@ -2835,25 +2826,26 @@ static int dns_transaction_requires_rrsig(DnsTransaction *t, DnsResourceRecord * + default: { + DnsTransaction *dt; + +- /* Any other kind of RR (including DNSKEY/NSEC/NSEC3). Let's see if our SOA lookup was authenticated */ ++ /* Any other kind of RR (including DNSKEY/NSEC/NSEC3). Let's see if our DS lookup was authenticated */ + + SET_FOREACH(dt, t->dnssec_transactions) { +- + if (dns_transaction_key(dt)->class != rr->key->class) + continue; +- if (dns_transaction_key(dt)->type != DNS_TYPE_SOA) ++ if (dns_transaction_key(dt)->type != DNS_TYPE_DS) + continue; + +- r = dns_name_equal(dns_resource_key_name(dns_transaction_key(dt)), dns_resource_key_name(rr->key)); ++ r = dns_name_endswith(dns_resource_key_name(rr->key), dns_resource_key_name(dns_transaction_key(dt))); + if (r < 0) + return r; + if (r == 0) + continue; + +- /* We found the transaction that was supposed to find the SOA RR for us. 
It was +- * successful, but found no RR for us. This means we are not at a zone cut. In this +- * case, we require authentication if the SOA lookup was authenticated too. */ +- return FLAGS_SET(dt->answer_query_flags, SD_RESOLVED_AUTHENTICATED); ++ if (!FLAGS_SET(dt->answer_query_flags, SD_RESOLVED_AUTHENTICATED)) ++ return false; ++ ++ /* We expect this to be signed when the DS record exists, and don't expect it to be ++ * signed when the DS record is proven not to exist. */ ++ return dns_answer_match_key(dt->answer, dns_transaction_key(dt), NULL); + } + + return true; +@@ -2923,7 +2915,6 @@ static int dns_transaction_requires_nsec(DnsTransaction *t) { + char key_str[DNS_RESOURCE_KEY_STRING_MAX]; + DnsTransaction *dt; + const char *name; +- uint16_t type = 0; + int r; + + assert(t); +@@ -2958,43 +2949,37 @@ static int dns_transaction_requires_nsec(DnsTransaction *t) { + + name = dns_resource_key_name(dns_transaction_key(t)); + +- if (dns_transaction_key(t)->type == DNS_TYPE_DS) { +- +- /* We got a negative reply for this DS lookup? DS RRs are signed when their parent zone is signed, +- * hence check the parent SOA in this case. */ +- ++ if (IN_SET(dns_transaction_key(t)->type, DNS_TYPE_DS, DNS_TYPE_CNAME, DNS_TYPE_DNAME)) { ++ /* We got a negative reply for this DS/CNAME/DNAME lookup? Check the parent in this case to ++ * see if this answer should have been signed. */ + r = dns_name_parent(&name); + if (r < 0) + return r; + if (r == 0) + return true; ++ } + +- type = DNS_TYPE_SOA; +- +- } else if (IN_SET(dns_transaction_key(t)->type, DNS_TYPE_SOA, DNS_TYPE_NS)) +- /* We got a negative reply for this SOA/NS lookup? If so, check if there's a DS RR for this */ +- type = DNS_TYPE_DS; +- else +- /* For all other negative replies, check for the SOA lookup */ +- type = DNS_TYPE_SOA; +- +- /* For all other RRs we check the SOA on the same level to see ++ /* For all other RRs we check the DS on the same level to see + * if it's signed. 
*/ + + SET_FOREACH(dt, t->dnssec_transactions) { +- + if (dns_transaction_key(dt)->class != dns_transaction_key(t)->class) + continue; +- if (dns_transaction_key(dt)->type != type) ++ if (dns_transaction_key(dt)->type != DNS_TYPE_DS) + continue; + +- r = dns_name_equal(dns_resource_key_name(dns_transaction_key(dt)), name); ++ r = dns_name_endswith(name, dns_resource_key_name(dns_transaction_key(dt))); + if (r < 0) + return r; + if (r == 0) + continue; + +- return FLAGS_SET(dt->answer_query_flags, SD_RESOLVED_AUTHENTICATED); ++ if (!FLAGS_SET(dt->answer_query_flags, SD_RESOLVED_AUTHENTICATED)) ++ return false; ++ ++ /* We expect this to be signed when the DS record exists, and don't expect it to be signed ++ * when the DS record is proven not to exist. */ ++ return dns_answer_match_key(dt->answer, dns_transaction_key(dt), NULL); + } + + /* If in doubt, require NSEC/NSEC3 */ +-- +2.33.0 + diff --git a/backport-resolved-don-t-treat-conn-reset-as-packet-loss.patch b/backport-resolved-don-t-treat-conn-reset-as-packet-loss.patch new file mode 100644 index 0000000..f833a69 --- /dev/null +++ b/backport-resolved-don-t-treat-conn-reset-as-packet-loss.patch 
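Review bot: Switching the DS-transaction lookups in `dns_transaction_requires_rrsig` and `dns_transaction_requires_nsec` from `dns_name_equal` to `dns_name_endswith` makes the result depend on `SET_FOREACH` order: the new empty-response logic walks up the labels requesting DS at each level, so `t->dnssec_transactions` can hold several DS transactions whose names are all suffixes of the RR's name, and the loop returns on whichever one the hash set yields first. If the deepest DS (the one proving the RR's own zone is an insecure delegation) is not the one found first, an ancestor's positive DS answer makes the function demand a signature that legitimately does not exist, which I'd expect to surface as a spurious DNSSEC failure for names below an insecure cut inside a signed parent; that is an inference from the visible loops, since the surrounding validation flow is outside this hunk. The fix is to select the matching DS transaction with the longest name before deciding, rather than returning on the first hit; the same change applies to the CNAME/DNAME/DS branch and to `dns_transaction_requires_nsec`. Both enclosing functions start outside the hunk.
```c
        default: {
                DnsTransaction *dt, *closest = NULL;
                int n_closest = -1;

                /* Any other kind of RR (including DNSKEY/NSEC/NSEC3). Several DS transactions may be
                 * ancestors of this name; only the deepest one says whether this zone is signed. */
                SET_FOREACH(dt, t->dnssec_transactions) {
                        if (dns_transaction_key(dt)->class != rr->key->class)
                                continue;
                        if (dns_transaction_key(dt)->type != DNS_TYPE_DS)
                                continue;

                        r = dns_name_endswith(dns_resource_key_name(rr->key), dns_resource_key_name(dns_transaction_key(dt)));
                        if (r < 0)
                                return r;
                        if (r == 0)
                                continue;

                        r = dns_name_count_labels(dns_resource_key_name(dns_transaction_key(dt)));
                        if (r < 0)
                                return r;
                        if (r > n_closest) {
                                closest = dt;
                                n_closest = r;
                        }
                }

                if (!closest)
                        return true;
                if (!FLAGS_SET(closest->answer_query_flags, SD_RESOLVED_AUTHENTICATED))
                        return false;

                /* Signed when the DS exists, unsigned when its absence was proven. */
                return dns_answer_match_key(closest->answer, dns_transaction_key(closest), NULL);
        }
```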
@@ -0,0 +1,51 @@ +From 030dbbc39e54666bd0f393ef47f0b0d9b2dfe8b4 Mon Sep 17 00:00:00 2001 +From: Ronan Pigott +Date: Thu, 1 Aug 2024 10:59:12 -0700 +Subject: [PATCH 0830/1160] resolved: don't treat conn reset as packet loss + +tcp reset / icmp port-unreachable are markedly different conditions than +packet loss. It doesn't make much sense to retry in this case. It's +actually not clear if there is any benefit at all retrying tcp +connections, which were presumably already retried as necessary by the +tcp stack. + +(cherry picked from commit ddd710a355acc698b48159f3e501dda5a7dc2704) +(cherry picked from commit f5376fea7de173e9369e8af569fc6ecabd0d7282) +--- + src/resolve/resolved-dns-stream.c | 6 ++++++ + src/resolve/resolved-dns-transaction.c | 2 +- + 2 files changed, 7 insertions(+), 1 deletion(-) + +diff --git a/src/resolve/resolved-dns-stream.c b/src/resolve/resolved-dns-stream.c +index 1a43d0bd49..8c1512006a 100644 +--- a/src/resolve/resolved-dns-stream.c ++++ b/src/resolve/resolved-dns-stream.c +@@ -322,6 +322,12 @@ static int on_stream_io(sd_event_source *es, int fd, uint32_t revents, void *use + return dns_stream_complete(s, -r); + } + ++ if (revents & EPOLLERR) { ++ socklen_t errlen = sizeof(r); ++ if (getsockopt(s->fd, SOL_SOCKET, SO_ERROR, &r, &errlen) == 0) ++ return dns_stream_complete(s, r); ++ } ++ + if ((revents & EPOLLOUT) && + s->write_packet && + s->n_written < sizeof(s->write_size) + s->write_packet->size) { +diff --git a/src/resolve/resolved-dns-transaction.c b/src/resolve/resolved-dns-transaction.c +index 3f48b566b5..1354acbd0f 100644 +--- a/src/resolve/resolved-dns-transaction.c ++++ b/src/resolve/resolved-dns-transaction.c +@@ -626,7 +626,7 @@ static int on_stream_complete(DnsStream *s, int error) { + if (ERRNO_IS_DISCONNECT(error) && s->protocol != DNS_PROTOCOL_LLMNR) { + log_debug_errno(error, "Connection failure for DNS TCP stream: %m"); + +- if (s->transactions) { ++ if (error != ECONNRESET && s->transactions) { + DnsTransaction *t; + + t = 
s->transactions; +-- +2.33.0 + diff --git a/backport-resolved-explicitly-disconnect-all-left-over-TCP-con.patch b/backport-resolved-explicitly-disconnect-all-left-over-TCP-con.patch new file mode 100644 index 0000000..51b6082 --- /dev/null +++ b/backport-resolved-explicitly-disconnect-all-left-over-TCP-con.patch 
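Review bot: The new `EPOLLERR` branch in `on_stream_io` completes the stream with whatever `SO_ERROR` returns, including 0: a spurious or already-consumed error leaves `r == 0`, and `dns_stream_complete(s, 0)` then tears the connection down as if it had finished cleanly, which the following read/write handling would otherwise have recovered from. Guard on a real error, e.g. `if (getsockopt(s->fd, SOL_SOCKET, SO_ERROR, &r, &errlen) == 0 && r != 0) return dns_stream_complete(s, r);`, and consider falling through to the existing `EPOLLHUP`/read path when there is none. In `on_stream_complete`, the commit message names ICMP port-unreachable as the other condition that should not count as packet loss, yet only `ECONNRESET` is excluded from the retry; a refused TCP port surfaces as `ECONNREFUSED`, so `if (!IN_SET(error, ECONNRESET, ECONNREFUSED) && s->transactions)` would match the stated intent — worth confirming against how `dns_server_packet_lost` is meant to react, since both enclosing functions start outside the hunk.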
@@ -0,0 +1,114 @@ +From 98f21822d6c2fd042eca69889de298b8c3cd919b Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Fri, 1 Mar 2024 21:46:46 +0100 +Subject: [PATCH 0433/1160] resolved: explicitly disconnect all left-over TCP + connections when coming back from suspend + +Fixes: #13730 (original reporter's log shows the TCP connection needed +to time out first) + +(cherry picked from commit 7addc530ac0ca1928103c715d9d6b1dafbcb36be) +--- + src/resolve/resolved-bus.c | 10 +++++++- + src/resolve/resolved-dns-stream.c | 41 +++++++++++++++++++++++++++++++ + src/resolve/resolved-dns-stream.h | 1 + + 3 files changed, 51 insertions(+), 1 deletion(-) + +diff --git a/src/resolve/resolved-bus.c b/src/resolve/resolved-bus.c +index 1ef25acdad..75ba29c3d0 100644 +--- a/src/resolve/resolved-bus.c ++++ b/src/resolve/resolved-bus.c +@@ -13,6 +13,7 @@ + #include "missing_capability.h" + #include "resolved-bus.h" + #include "resolved-def.h" ++#include "resolved-dns-stream.h" + #include "resolved-dns-synthesize.h" + #include "resolved-dnssd-bus.h" + #include "resolved-dnssd.h" +@@ -1832,6 +1833,7 @@ static int bus_method_reset_server_features(sd_bus_message *message, void *userd + + bus_client_log(message, "server feature reset"); + ++ (void) dns_stream_disconnect_all(m); + manager_reset_server_features(m); + + return sd_bus_reply_method_return(message, NULL); +@@ -2218,9 +2220,15 @@ static int match_prepare_for_sleep(sd_bus_message *message, void *userdata, sd_b + if (b) + return 0; + +- log_debug("Coming back from suspend, verifying all RRs..."); ++ log_debug("Coming back from suspend, closing all TCP connections..."); ++ (void) dns_stream_disconnect_all(m); ++ ++ log_debug("Coming back from suspend, resetting all probed server features..."); ++ manager_reset_server_features(m); + ++ log_debug("Coming back from suspend, verifying all RRs..."); + manager_verify_all(m); ++ + return 0; + } + +diff --git a/src/resolve/resolved-dns-stream.c b/src/resolve/resolved-dns-stream.c 
+index ddd1db5e09..056ba7794f 100644 +--- a/src/resolve/resolved-dns-stream.c ++++ b/src/resolve/resolved-dns-stream.c +@@ -593,3 +593,44 @@ void dns_stream_detach(DnsStream *s) { + + dns_server_unref_stream(s->server); + } ++ ++DEFINE_PRIVATE_HASH_OPS_WITH_KEY_DESTRUCTOR( ++ dns_stream_hash_ops, ++ void, ++ trivial_hash_func, ++ trivial_compare_func, ++ dns_stream_unref); ++ ++int dns_stream_disconnect_all(Manager *m) { ++ _cleanup_(set_freep) Set *closed = NULL; ++ int r; ++ ++ assert(m); ++ ++ /* Terminates all TCP connections (called after system suspend for example, to speed up recovery) */ ++ ++ log_info("Closing all remaining TCP connections."); ++ ++ bool restart; ++ do { ++ restart = false; ++ ++ LIST_FOREACH(streams, s, m->dns_streams) { ++ r = set_ensure_put(&closed, &dns_stream_hash_ops, s); ++ if (r < 0) ++ return log_oom(); ++ if (r > 0) { ++ /* Haven't seen this one before. Close it. */ ++ dns_stream_ref(s); ++ (void) dns_stream_complete(s, ECONNRESET); ++ ++ /* This might have a ripple effect, let's hence no look at the list further, ++ * but scan from the beginning again */ ++ restart = true; ++ break; ++ } ++ } ++ } while (restart); ++ ++ return 0; ++} +diff --git a/src/resolve/resolved-dns-stream.h b/src/resolve/resolved-dns-stream.h +index ba4a59e41c..912b9bf431 100644 +--- a/src/resolve/resolved-dns-stream.h ++++ b/src/resolve/resolved-dns-stream.h +@@ -126,3 +126,4 @@ static inline bool DNS_STREAM_QUEUED(DnsStream *s) { + } + + void dns_stream_detach(DnsStream *s); ++int dns_stream_disconnect_all(Manager *m); +-- +2.33.0 + diff --git a/backport-resolved-fix-DNSSEC-missing-key-error.patch b/backport-resolved-fix-DNSSEC-missing-key-error.patch new file mode 100644 index 0000000..adb7a39 --- /dev/null +++ b/backport-resolved-fix-DNSSEC-missing-key-error.patch 
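Review bot: The reference-counting in `dns_stream_disconnect_all` is correct but undocumented: the `closed` set is declared with `dns_stream_unref` as key destructor, the explicit `dns_stream_ref(s)` taken right after `set_ensure_put` is what that destructor later releases, and it is this extra reference that keeps each stream valid while `dns_stream_complete` may unlink it from `m->dns_streams` mid-iteration. A comment on the `dns_stream_ref(s)` line would spare the next reader working that out, e.g. `/* Hold a ref owned by 'closed' (released by its key destructor) so the stream outlives its removal from m->dns_streams during completion. */`. It is also worth noting at the top of the function that passing `ECONNRESET` to `dns_stream_complete` is deliberate so that `on_stream_complete` treats the forced close as a disconnect, since that choice interacts with the retry logic in resolved-dns-transaction.c, which is outside this hunk.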
@@ -0,0 +1,31 @@ +From 758a152ddac8c1877251ecde7b5c9bbaf3ef8e51 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Fabian=20M=C3=B6ller?= +Date: Wed, 22 Jan 2025 13:33:12 +0100 +Subject: [PATCH 1104/1160] resolved: fix DNSSEC `missing-key` error + +Skip unsupport/invalid `DS` and `DNSKEY` combinations during verification. + +Fixes: #12545 +(cherry picked from commit cac3b43eee83829d68ebf7d4786ebc32e62fe813) +(cherry picked from commit bb22ed069bc6220b20c75f4a873419a24cae266d) +(cherry picked from commit 49f7ac90c9403c07ea73f1b7bb16cb9d04f5c33f) +--- + src/resolve/resolved-dns-dnssec.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/resolve/resolved-dns-dnssec.c b/src/resolve/resolved-dns-dnssec.c +index a192d82083..5756df08b8 100644 +--- a/src/resolve/resolved-dns-dnssec.c ++++ b/src/resolve/resolved-dns-dnssec.c +@@ -1466,7 +1466,7 @@ int dnssec_verify_dnskey_by_ds_search(DnsResourceRecord *dnskey, DnsAnswer *vali + + r = dnssec_verify_dnskey_by_ds(dnskey, ds, false); + if (IN_SET(r, -EKEYREJECTED, -EOPNOTSUPP)) +- return 0; /* The DNSKEY is revoked or otherwise invalid, or we don't support the digest algorithm */ ++ continue; /* The DNSKEY is revoked or otherwise invalid, or we don't support the digest algorithm */ + if (r < 0) + return r; + if (r > 0) +-- +2.33.0 + diff --git a/backport-resolved-fix-fastopen-fallback.patch b/backport-resolved-fix-fastopen-fallback.patch new file mode 100644 index 0000000..a713daa --- /dev/null +++ b/backport-resolved-fix-fastopen-fallback.patch 
@@ -0,0 +1,49 @@ +From 4dca5688cb4c97f9072fe1c668923b2e56bfdf15 Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Mon, 7 Oct 2024 13:03:51 +0200 +Subject: [PATCH 0928/1160] resolved: fix fastopen fallback + +We should not invalidate the socket address size before we use it. + +Fixes: #34579 +(cherry picked from commit 5699e4c2d470a12c922c4b7c86a8987837911626) +(cherry picked from commit 964f7772ad0ff637db80ae0a9e0afb41a40f5b04) +--- + src/resolve/resolved-dns-stream.c | 13 ++++++++----- + 1 file changed, 8 insertions(+), 5 deletions(-) + +diff --git a/src/resolve/resolved-dns-stream.c b/src/resolve/resolved-dns-stream.c +index 8c1512006a..c3e825abf4 100644 +--- a/src/resolve/resolved-dns-stream.c ++++ b/src/resolve/resolved-dns-stream.c +@@ -205,6 +205,7 @@ static int dns_stream_identify(DnsStream *s) { + + ssize_t dns_stream_writev(DnsStream *s, const struct iovec *iov, size_t iovcnt, int flags) { + ssize_t m; ++ int r; + + assert(s); + assert(iov); +@@ -224,12 +225,14 @@ ssize_t dns_stream_writev(DnsStream *s, const struct iovec *iov, size_t iovcnt, + + m = sendmsg(s->fd, &hdr, MSG_FASTOPEN); + if (m < 0) { +- if (errno == EOPNOTSUPP) { +- s->tfo_salen = 0; +- if (connect(s->fd, &s->tfo_address.sa, s->tfo_salen) < 0) +- return -errno; ++ if (ERRNO_IS_NOT_SUPPORTED(errno)) { ++ /* MSG_FASTOPEN not supported? Then try to connect() traditionally */ ++ r = RET_NERRNO(connect(s->fd, &s->tfo_address.sa, s->tfo_salen)); ++ s->tfo_salen = 0; /* connection is made */ ++ if (r < 0 && r != -EINPROGRESS) ++ return r; + +- return -EAGAIN; ++ return -EAGAIN; /* In case of EINPROGRESS, EAGAIN or success: return EAGAIN, so that caller calls us again */ + } + if (errno == EINPROGRESS) + return -EAGAIN; +-- +2.33.0 + diff --git a/backport-resolved-if-one-transaction-completes-expect-other-t.patch b/backport-resolved-if-one-transaction-completes-expect-other-t.patch new file mode 100644 index 0000000..69cd874 --- /dev/null 
+++ b/backport-resolved-if-one-transaction-completes-expect-other-t.patch 
@@ -0,0 +1,266 @@
+From 3761ffa0c925c3183337df95a4c19ba7f96bfde1 Mon Sep 17 00:00:00 2001
+From: Morten Hauke Solvang
+Date: Thu, 12 Dec 2024 14:26:31 +0100
+Subject: [PATCH 1064/1160] resolved: if one transaction completes, expect
+ other transactions within candidate to succeed quickly
+
+Fixes #22575, as suggested by poettering in #35514.
+
+Intended as a workaround for some buggy routers, which refuse to send empty
+replies. If systemd-resolved starts two DnsTransactions, one for A and one
+for AAAA, and the domain in question has no AAAA entry, then the server will
+send a reply for A and no reply for AAAA. Correct behavior for the server would
+be to send an empty reply for AAAA.
+
+systemd-resolved would previously keep retrying the AAAA transaction, and
+eventually timeout the whole query, returning an error to the caller.
+
+Now, if the server replies to one query and not another, we cut short the
+timeout and return the partial result. Returning the partial result allows
+the rest of the system to keep working. It matches how e.g. glibc libnss_dns
+behaves.
+ +(cherry picked from commit 0da73fab56506ff1e4f8e59c167d27961f0fbf33) +(cherry picked from commit 1748265915e09120d75766baaa4516b2779140eb) +(cherry picked from commit e65fd8eb4b559ba621e2bd802894105ac1d575da) +--- + src/resolve/resolved-dns-query.c | 46 +++++++++++++++++++++++++- + src/resolve/resolved-dns-query.h | 1 + + src/resolve/resolved-dns-scope.c | 1 + + src/resolve/resolved-dns-transaction.c | 10 ++---- + src/resolve/resolved-dns-transaction.h | 21 ------------ + src/resolve/resolved-timeouts.h | 39 ++++++++++++++++++++++ + 6 files changed, 88 insertions(+), 30 deletions(-) + create mode 100644 src/resolve/resolved-timeouts.h + +diff --git a/src/resolve/resolved-dns-query.c b/src/resolve/resolved-dns-query.c +index 16334c6300..5c6e9c92cb 100644 +--- a/src/resolve/resolved-dns-query.c ++++ b/src/resolve/resolved-dns-query.c +@@ -10,6 +10,7 @@ + #include "resolved-dns-query.h" + #include "resolved-dns-synthesize.h" + #include "resolved-etc-hosts.h" ++#include "resolved-timeouts.h" + #include "string-util.h" + + #define QUERIES_MAX 2048 +@@ -48,6 +49,8 @@ static void dns_query_candidate_stop(DnsQueryCandidate *c) { + + assert(c); + ++ (void) event_source_disable(c->timeout_event_source); ++ + /* Detach all the DnsTransactions attached to this query */ + + while ((t = set_steal_first(c->transactions))) { +@@ -62,6 +65,8 @@ static void dns_query_candidate_abandon(DnsQueryCandidate *c) { + + assert(c); + ++ (void) event_source_disable(c->timeout_event_source); ++ + /* Abandon all the DnsTransactions attached to this query */ + + while ((t = set_steal_first(c->transactions))) { +@@ -94,6 +99,8 @@ static DnsQueryCandidate* dns_query_candidate_free(DnsQueryCandidate *c) { + if (!c) + return NULL; + ++ c->timeout_event_source = sd_event_source_disable_unref(c->timeout_event_source); ++ + dns_query_candidate_stop(c); + dns_query_candidate_unlink(c); + +@@ -312,6 +319,30 @@ fail: + return r; + } + ++static void dns_query_accept(DnsQuery *q, DnsQueryCandidate *c); 
++ ++static int on_candidate_timeout(sd_event_source *s, usec_t usec, void *userdata) { ++ DnsQueryCandidate *c = userdata; ++ ++ assert(s); ++ assert(c); ++ ++ log_debug("Accepting incomplete query candidate after expedited timeout on partial success."); ++ dns_query_accept(c->query, c); ++ ++ return 0; ++} ++ ++static bool dns_query_candidate_has_partially_succeeded(DnsQueryCandidate *c) { ++ DnsTransaction *t; ++ ++ SET_FOREACH(t, c->transactions) ++ if (t->state == DNS_TRANSACTION_SUCCESS) ++ return true; ++ ++ return false; ++} ++ + void dns_query_candidate_notify(DnsQueryCandidate *c) { + DnsTransactionState state; + int r; +@@ -323,11 +354,24 @@ void dns_query_candidate_notify(DnsQueryCandidate *c) { + + state = dns_query_candidate_state(c); + +- if (DNS_TRANSACTION_IS_LIVE(state)) ++ if (DNS_TRANSACTION_IS_LIVE(state)) { ++ if (dns_query_candidate_has_partially_succeeded(c)) ++ (void) event_reset_time_relative( ++ c->query->manager->event, ++ &c->timeout_event_source, ++ CLOCK_BOOTTIME, ++ CANDIDATE_EXPEDITED_TIMEOUT_USEC, /* accuracy_usec= */ 0, ++ on_candidate_timeout, c, ++ /* priority= */ 0, "candidate-timeout", ++ /* force_reset= */ false); ++ + return; ++ } + + if (state != DNS_TRANSACTION_SUCCESS && c->search_domain) { + ++ (void) event_source_disable(c->timeout_event_source); ++ + r = dns_query_candidate_next_search_domain(c); + if (r < 0) + goto fail; +diff --git a/src/resolve/resolved-dns-query.h b/src/resolve/resolved-dns-query.h +index 2723299bee..f60e3bc3aa 100644 +--- a/src/resolve/resolved-dns-query.h ++++ b/src/resolve/resolved-dns-query.h +@@ -25,6 +25,7 @@ struct DnsQueryCandidate { + DnsSearchDomain *search_domain; + + Set *transactions; ++ sd_event_source *timeout_event_source; + + LIST_FIELDS(DnsQueryCandidate, candidates_by_query); + LIST_FIELDS(DnsQueryCandidate, candidates_by_scope); +diff --git a/src/resolve/resolved-dns-scope.c b/src/resolve/resolved-dns-scope.c +index af8e9cd113..6abb32e289 100644 +--- 
a/src/resolve/resolved-dns-scope.c ++++ b/src/resolve/resolved-dns-scope.c +@@ -15,6 +15,7 @@ + #include "resolved-dns-zone.h" + #include "resolved-llmnr.h" + #include "resolved-mdns.h" ++#include "resolved-timeouts.h" + #include "socket-util.h" + #include "strv.h" + +diff --git a/src/resolve/resolved-dns-transaction.c b/src/resolve/resolved-dns-transaction.c +index 1354acbd0f..9b0169fd7a 100644 +--- a/src/resolve/resolved-dns-transaction.c ++++ b/src/resolve/resolved-dns-transaction.c +@@ -14,13 +14,10 @@ + #include "resolved-dns-transaction.h" + #include "resolved-dnstls.h" + #include "resolved-llmnr.h" ++#include "resolved-timeouts.h" + #include "string-table.h" + + #define TRANSACTIONS_MAX 4096 +-#define TRANSACTION_TCP_TIMEOUT_USEC (10U*USEC_PER_SEC) +- +-/* After how much time to repeat classic DNS requests */ +-#define DNS_TIMEOUT_USEC (SD_RESOLVED_QUERY_TIMEOUT_USEC / DNS_TRANSACTION_ATTEMPTS_MAX) + + static void dns_transaction_reset_answer(DnsTransaction *t) { + assert(t); +@@ -1565,13 +1562,10 @@ static usec_t transaction_get_resend_timeout(DnsTransaction *t) { + + case DNS_PROTOCOL_DNS: + +- /* When we do TCP, grant a much longer timeout, as in this case there's no need for us to quickly +- * resend, as the kernel does that anyway for us, and we really don't want to interrupt it in that +- * needlessly. 
*/ + if (t->stream) + return TRANSACTION_TCP_TIMEOUT_USEC; + +- return DNS_TIMEOUT_USEC; ++ return TRANSACTION_UDP_TIMEOUT_USEC; + + case DNS_PROTOCOL_MDNS: + if (t->probing) +diff --git a/src/resolve/resolved-dns-transaction.h b/src/resolve/resolved-dns-transaction.h +index 6be7c5fb70..66de5a6fdd 100644 +--- a/src/resolve/resolved-dns-transaction.h ++++ b/src/resolve/resolved-dns-transaction.h +@@ -201,24 +201,3 @@ DnsTransactionState dns_transaction_state_from_string(const char *s) _pure_; + + const char* dns_transaction_source_to_string(DnsTransactionSource p) _const_; + DnsTransactionSource dns_transaction_source_from_string(const char *s) _pure_; +- +-/* LLMNR Jitter interval, see RFC 4795 Section 7 */ +-#define LLMNR_JITTER_INTERVAL_USEC (100 * USEC_PER_MSEC) +- +-/* mDNS probing interval, see RFC 6762 Section 8.1 */ +-#define MDNS_PROBING_INTERVAL_USEC (250 * USEC_PER_MSEC) +- +-/* Maximum attempts to send DNS requests, across all DNS servers */ +-#define DNS_TRANSACTION_ATTEMPTS_MAX 24 +- +-/* Maximum attempts to send LLMNR requests, see RFC 4795 Section 2.7 */ +-#define LLMNR_TRANSACTION_ATTEMPTS_MAX 3 +- +-/* Maximum attempts to send MDNS requests, see RFC 6762 Section 8.1 */ +-#define MDNS_TRANSACTION_ATTEMPTS_MAX 3 +- +-#define TRANSACTION_ATTEMPTS_MAX(p) ((p) == DNS_PROTOCOL_LLMNR ? \ +- LLMNR_TRANSACTION_ATTEMPTS_MAX : \ +- (p) == DNS_PROTOCOL_MDNS ? 
\ +- MDNS_TRANSACTION_ATTEMPTS_MAX : \ +- DNS_TRANSACTION_ATTEMPTS_MAX) +diff --git a/src/resolve/resolved-timeouts.h b/src/resolve/resolved-timeouts.h +new file mode 100644 +index 0000000000..e17fe30175 +--- /dev/null ++++ b/src/resolve/resolved-timeouts.h +@@ -0,0 +1,39 @@ ++/* SPDX-License-Identifier: LGPL-2.1-or-later */ ++#pragma once ++ ++#include "time-util.h" ++#include "resolved-def.h" ++ ++/* LLMNR Jitter interval, see RFC 4795 Section 7 */ ++#define LLMNR_JITTER_INTERVAL_USEC (100 * USEC_PER_MSEC) ++ ++/* mDNS probing interval, see RFC 6762 Section 8.1 */ ++#define MDNS_PROBING_INTERVAL_USEC (250 * USEC_PER_MSEC) ++ ++/* Maximum attempts to send DNS requests, across all DNS servers */ ++#define DNS_TRANSACTION_ATTEMPTS_MAX 24 ++ ++/* Maximum attempts to send LLMNR requests, see RFC 4795 Section 2.7 */ ++#define LLMNR_TRANSACTION_ATTEMPTS_MAX 3 ++ ++/* Maximum attempts to send MDNS requests, see RFC 6762 Section 8.1 */ ++#define MDNS_TRANSACTION_ATTEMPTS_MAX 3 ++ ++#define TRANSACTION_ATTEMPTS_MAX(p) (\ ++ (p) == DNS_PROTOCOL_LLMNR ? \ ++ LLMNR_TRANSACTION_ATTEMPTS_MAX : \ ++ (p) == DNS_PROTOCOL_MDNS ? \ ++ MDNS_TRANSACTION_ATTEMPTS_MAX : \ ++ DNS_TRANSACTION_ATTEMPTS_MAX) ++ ++/* After how much time to repeat classic DNS requests */ ++#define TRANSACTION_UDP_TIMEOUT_USEC (SD_RESOLVED_QUERY_TIMEOUT_USEC / DNS_TRANSACTION_ATTEMPTS_MAX) ++ ++/* When we do TCP, grant a much longer timeout, as in this case there's no need for us to quickly ++ * resend, as the kernel does that anyway for us, and we really don't want to interrupt it in that ++ * needlessly. */ ++#define TRANSACTION_TCP_TIMEOUT_USEC (10 * USEC_PER_SEC) ++ ++/* Should be longer than transaction timeout for a single UDP transaction, so we get at least ++ * one transaction retry before timeouting the whole candidate */ ++#define CANDIDATE_EXPEDITED_TIMEOUT_USEC (TRANSACTION_UDP_TIMEOUT_USEC + 1 * USEC_PER_SEC) +-- +2.33.0 + 
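Review bot: `on_candidate_timeout` accepts the candidate unconditionally, but the timer is armed from `dns_query_candidate_notify` and nothing re-checks that a transaction is still in `DNS_TRANSACTION_SUCCESS` when it fires; if transactions can be reset or restarted between arming and firing (not visible here), the candidate could be accepted with no successful transaction at all. A cheap guard is `if (!dns_query_candidate_has_partially_succeeded(c)) return 0;` before the `dns_query_accept()` call, or a comment stating why the state cannot regress. The timer is also left armed on the `state == DNS_TRANSACTION_SUCCESS` path of `dns_query_candidate_notify` and presumably relies on the stop/abandon paths this patch also touches to disable it; that lifecycle is worth a comment on the new `timeout_event_source` field in `resolved-dns-query.h`.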
diff --git a/backport-resolved-log-error-messages-for-openssl-gnutls-conte.patch b/backport-resolved-log-error-messages-for-openssl-gnutls-conte.patch index 662446b..39953ac 100644 --- a/backport-resolved-log-error-messages-for-openssl-gnutls-conte.patch +++ b/backport-resolved-log-error-messages-for-openssl-gnutls-conte.patch @@ -1,8 +1,8 @@ -From 17a3a8e91be80c93347458a1a6508bc19646607d Mon Sep 17 00:00:00 2001 +From 67954b455473b29f8a41be14f5b778044b7cfafa Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Sun, 3 Nov 2024 12:58:12 +0100 -Subject: [PATCH] resolved: log error messages for openssl/gnutls context - creation +Subject: [PATCH 0990/1160] resolved: log error messages for openssl/gnutls + context creation In https://bugzilla.redhat.com/show_bug.cgi?id=2322937 we're getting an error message: @@ -15,17 +15,13 @@ related to memory. (cherry picked from commit ee95e86ae163e436384f1b782a77a7e18deba890) (cherry picked from commit abd1e408203d5d445b05f4dc0ac07e35114532d1) -(cherry picked from commit 67954b455473b29f8a41be14f5b778044b7cfafa) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/ee95e86ae163e436384f1b782a77a7e18deba890 --- src/resolve/resolved-dnstls-gnutls.c | 4 +++- src/resolve/resolved-dnstls-openssl.c | 9 ++++++--- 2 files changed, 9 insertions(+), 4 deletions(-) diff --git a/src/resolve/resolved-dnstls-gnutls.c b/src/resolve/resolved-dnstls-gnutls.c -index acdad6fa91..c086e2c198 100644 +index 6ac026ee79..321595f295 100644 --- a/src/resolve/resolved-dnstls-gnutls.c +++ b/src/resolve/resolved-dnstls-gnutls.c @@ -236,7 +236,9 @@ int dnstls_manager_init(Manager *manager) { @@ -40,7 +36,7 @@ index acdad6fa91..c086e2c198 100644 r = gnutls_certificate_set_x509_system_trust(manager->dnstls_data.cert_cred); if (r < 0) diff --git a/src/resolve/resolved-dnstls-openssl.c b/src/resolve/resolved-dnstls-openssl.c -index 4a0132ad3d..74fb79e58d 100644 +index fbcee7fc63..27179c9d51 100644 
--- a/src/resolve/resolved-dnstls-openssl.c +++ b/src/resolve/resolved-dnstls-openssl.c @@ -397,11 +397,15 @@ int dnstls_manager_init(Manager *manager) { diff --git a/backport-resolved-minor-dnssec-fixups.patch b/backport-resolved-minor-dnssec-fixups.patch new file mode 100644 index 0000000..36715db --- /dev/null +++ b/backport-resolved-minor-dnssec-fixups.patch 
@@ -0,0 +1,56 @@ +From dc37045f3e00554c42be41eac9600c158ece6579 Mon Sep 17 00:00:00 2001 +From: Ronan Pigott +Date: Tue, 26 Mar 2024 11:00:44 -0700 +Subject: [PATCH 0478/1160] resolved: minor dnssec fixups + +Fixes: ce5b9d5b3c24 ("resolved: request DS with DNSKEY") +(cherry picked from commit 400171036592c4e3debc5b123e406155764f987d) +--- + src/resolve/resolved-dns-transaction.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +diff --git a/src/resolve/resolved-dns-transaction.c b/src/resolve/resolved-dns-transaction.c +index dd914290b9..ad8b88e599 100644 +--- a/src/resolve/resolved-dns-transaction.c ++++ b/src/resolve/resolved-dns-transaction.c +@@ -2249,13 +2249,18 @@ static int dns_transaction_request_dnssec_rr_full(DnsTransaction *t, DnsResource + if (r < 0) + return r; + ++ if (ret) ++ *ret = NULL; + return 0; + } + + /* This didn't work, ask for it via the network/cache then. */ + r = dns_transaction_add_dnssec_transaction(t, key, &aux); +- if (r == -ELOOP) /* This would result in a cyclic dependency */ ++ if (r == -ELOOP) { /* This would result in a cyclic dependency */ ++ if (ret) ++ *ret = NULL; + return 0; ++ } + if (r < 0) + return r; + +@@ -2421,7 +2426,7 @@ int dns_transaction_request_dnssec_keys(DnsTransaction *t) { + case DNS_TYPE_RRSIG: { + /* For each RRSIG we request the matching DNSKEY */ + _cleanup_(dns_resource_key_unrefp) DnsResourceKey *dnskey = NULL; +- DnsTransaction *aux = NULL; ++ DnsTransaction *aux; + + /* If this RRSIG is about a DNSKEY RR and the + * signer is the same as the owner, then we +@@ -2468,6 +2473,8 @@ int dns_transaction_request_dnssec_keys(DnsTransaction *t) { + if (aux) { + _cleanup_(dns_resource_key_unrefp) DnsResourceKey *ds = + dns_resource_key_new(rr->key->class, DNS_TYPE_DS, dns_resource_key_name(dnskey)); ++ if (!ds) ++ return -ENOMEM; + r = dns_transaction_request_dnssec_rr(t, ds); + if (r < 0) + return r; +-- +2.33.0 + 
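Review bot: Dropping the `= NULL` initializer from `DnsTransaction *aux;` in `dns_transaction_request_dnssec_keys` is only safe if `dns_transaction_request_dnssec_rr_full()` assigns `*ret` on every path that returns 1. In the request-DS patch of this series (its hunk at `@@ -2263,11 +2263,19 @@`) the `if (ret) *ret = aux;` sits inside a block closed by the `}` immediately before `return 1;`, and that block's opening condition is outside the visible hunk; if it is conditional, the caller's `if (aux)` reads an indeterminate pointer. Either keep the initializer or move the assignment after the block so the `return 1` path always sets it: `if (ret) *ret = aux; return 1;`.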
diff --git a/backport-resolved-permit-dnssec-rrtype-questions-when-we-aren.patch b/backport-resolved-permit-dnssec-rrtype-questions-when-we-aren.patch new file mode 100644 index 0000000..2759f63 --- /dev/null +++ b/backport-resolved-permit-dnssec-rrtype-questions-when-we-aren.patch @@ -0,0 +1,41 @@ +From 5299397e49536dae7903bc4f5bf11d375146261d Mon Sep 17 00:00:00 2001 +From: Ronan Pigott +Date: Fri, 8 Mar 2024 13:40:08 -0700 +Subject: [PATCH 0693/1160] resolved: permit dnssec rrtype questions when we + aren't validating + +This check introduced in 91adc4db33f6 is intended to spare us from +encountering broken resolver behavior we don't want to deal with. +However if we aren't validating we more than likely don't know the state +of the upstream resolver's support for dnssec. Let's let clients try +these queries if they want. + +This brings the behavior of sd-resolved in-line with previouly stated +change in the meaning of DNSSEC=no, which now means "don't validate" +rather than "don't validate, because the upstream resolver is declared to +be dnssec-unaware". + +Fixes: 9c47b334445a ("resolved: enable DNS proxy mode if client wants DNSSEC") +(cherry picked from commit 364c948707afa097f6ad177b61c2b51a86c0089a) +(cherry picked from commit ba031f1fe86e36d7adc0340b047de32399c98bf7) +--- + src/resolve/resolved-dns-server.c | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/src/resolve/resolved-dns-server.c b/src/resolve/resolved-dns-server.c +index b7db83965b..32daa6134b 100644 +--- a/src/resolve/resolved-dns-server.c ++++ b/src/resolve/resolved-dns-server.c +@@ -704,9 +704,6 @@ bool dns_server_dnssec_supported(DnsServer *server) { + if (dns_server_get_dnssec_mode(server) == DNSSEC_YES) /* If strict DNSSEC mode is enabled, always assume DNSSEC mode is supported. */ + return true; + +- if (!DNS_SERVER_FEATURE_LEVEL_IS_DNSSEC(server->possible_feature_level)) +- return false; +- + if (server->packet_bad_opt) + return false; + +-- +2.33.0 + 
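Review bot: With the feature-level check gone, `dns_server_dnssec_supported()` below `DNSSEC_YES` no longer reflects the negotiated feature level, only observed breakage (`packet_bad_opt` and whatever follows outside the hunk), so any caller that reads the name as "this server was probed DNSSEC-capable" now gets true for servers that were never probed. A comment on the remaining checks would make the new contract explicit, e.g. `/* Below DNSSEC_YES we only refuse servers that have demonstrably mishandled DNSSEC/EDNS0 queries; the negotiated feature level is deliberately not consulted, so clients may ask DNSSEC RR-type questions even when we do not validate. */`. The function continues outside the hunk.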
diff --git a/backport-resolved-pick-up-new-DNSSEC-KSC-from-2024.patch b/backport-resolved-pick-up-new-DNSSEC-KSC-from-2024.patch new file mode 100644 index 0000000..9ce8275 --- /dev/null +++ b/backport-resolved-pick-up-new-DNSSEC-KSC-from-2024.patch 
@@ -0,0 +1,45 @@ +From 6a97871d20fc0b8242483454d2d231a01e961508 Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Mon, 3 Mar 2025 22:40:05 +0100 +Subject: [PATCH 1149/1160] resolved: pick up new DNSSEC KSC from 2024 + +Import thew new key from https://data.iana.org/root-anchors/root-anchors.xml. + +The old one remains valid, as per provided data. + +Fixes: #36260 +(cherry picked from commit 8113361e82eea2741290f7117034d356acb3ab4d) +(cherry picked from commit 961e351061b2366889c8af1feae522f8f4123f5d) +(cherry picked from commit 6cb60bbe838b6d153216c14c95851d095ce639a2) +--- + src/resolve/resolved-dns-trust-anchor.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/src/resolve/resolved-dns-trust-anchor.c b/src/resolve/resolved-dns-trust-anchor.c +index 8aea5e11a0..98e45f0cd2 100644 +--- a/src/resolve/resolved-dns-trust-anchor.c ++++ b/src/resolve/resolved-dns-trust-anchor.c +@@ -25,6 +25,10 @@ static const uint8_t root_digest2[] = + { 0xE0, 0x6D, 0x44, 0xB8, 0x0B, 0x8F, 0x1D, 0x39, 0xA9, 0x5C, 0x0B, 0x0D, 0x7C, 0x65, 0xD0, 0x84, + 0x58, 0xE8, 0x80, 0x40, 0x9B, 0xBC, 0x68, 0x34, 0x57, 0x10, 0x42, 0x37, 0xC7, 0xF8, 0xEC, 0x8D }; + ++static const uint8_t root_digest3[] = ++ { 0x68, 0x3D, 0x2D, 0x0A, 0xCB, 0x8C, 0x9B, 0x71, 0x2A, 0x19, 0x48, 0xB2, 0x7F, 0x74, 0x12, 0x19, ++ 0x29, 0x8D, 0x0A, 0x45, 0x0D, 0x61, 0x2C, 0x48, 0x3A, 0xF4, 0x44, 0xA4, 0xC0, 0xFB, 0x2B, 0x16 }; ++ + static bool dns_trust_anchor_knows_domain_positive(DnsTrustAnchor *d, const char *name) { + assert(d); + +@@ -93,6 +97,9 @@ static int dns_trust_anchor_add_builtin_positive(DnsTrustAnchor *d) { + + /* Add the currently valid RRs from https://data.iana.org/root-anchors/root-anchors.xml */ + r = add_root_ksk(answer, key, 20326, DNSSEC_ALGORITHM_RSASHA256, DNSSEC_DIGEST_SHA256, root_digest2, sizeof(root_digest2)); ++ if (r < 0) ++ return r; ++ r = add_root_ksk(answer, key, 38696, DNSSEC_ALGORITHM_RSASHA256, DNSSEC_DIGEST_SHA256, root_digest3, sizeof(root_digest3)); + if (r < 0) + 
return r;
+ 
+-- 
+2.33.0
+
diff --git a/backport-resolved-probe-for-dnssec-support-in-allow-downgrade.patch b/backport-resolved-probe-for-dnssec-support-in-allow-downgrade.patch
new file mode 100644
index 0000000..911e3e3
--- /dev/null
+++ b/backport-resolved-probe-for-dnssec-support-in-allow-downgrade.patch
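Review bot: The new `root_digest3` (key tag 38696) is a root-of-trust change, so the 32 bytes should be confirmed against the signed IANA publication rather than the commit text; the source URL appears only in the comment at the call site, and nothing next to the array says which KSK it is or where it came from. Suggest `/* 2024 root KSK, key tag 38696; SHA-256 DS digest from https://data.iana.org/root-anchors/root-anchors.xml */` above `root_digest3`, matching how the call site documents its source. `dns_trust_anchor_add_builtin_positive` continues outside the hunk.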
@@ -0,0 +1,55 @@ +From ee15f5efaf2f6cdbb867fca601e92761276e2b1e Mon Sep 17 00:00:00 2001 +From: Ronan Pigott +Date: Tue, 30 Apr 2024 22:15:18 -0700 +Subject: [PATCH 0563/1160] resolved: probe for dnssec support in + allow-downgrade mode + +Previously, sd-resolved unnecessarily requested SOA records for each dns +label in the query, even though they are not needed for the chain of +trust. Since 47690634f157, only the necessary records are queried when +validating. + +This is actually a problem in allow-downgrade mode, since we will no +longer attempt a query for a record that we know is signed a priori, and +will therefore never update our belief about the state of dnssec support +in the recursive resolver. + +Rectify this by reintroducing a query for the root zone SOA in the +allow-downgrade case, specifically to test that the resolver attaches +the RRSIGs which we know must exist. + +Fixes: 47690634f157 ("resolved: don't request the SOA for every dns label") +(cherry picked from commit 5237ffdf2b63a5afea77c3470d9981a2c29643cc) +--- + src/resolve/resolved-dns-transaction.c | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +diff --git a/src/resolve/resolved-dns-transaction.c b/src/resolve/resolved-dns-transaction.c +index 345c231832..1bb1dc09ca 100644 +--- a/src/resolve/resolved-dns-transaction.c ++++ b/src/resolve/resolved-dns-transaction.c +@@ -2622,6 +2622,21 @@ int dns_transaction_request_dnssec_keys(DnsTransaction *t) { + if (r < 0) + return r; + ++ if (t->scope->dnssec_mode == DNSSEC_ALLOW_DOWNGRADE && dns_name_is_root(name)) { ++ _cleanup_(dns_resource_key_unrefp) DnsResourceKey *soa = NULL; ++ /* We made it all the way to the root zone. If we are in allow-downgrade ++ * mode, we need to make at least one request that we can be certain should ++ * have been signed, to test for servers that are not dnssec aware. 
*/ ++ soa = dns_resource_key_new(rr->key->class, DNS_TYPE_SOA, name); ++ if (!soa) ++ return -ENOMEM; ++ ++ log_debug("Requesting root zone SOA to probe dnssec support."); ++ r = dns_transaction_request_dnssec_rr(t, soa); ++ if (r < 0) ++ return r; ++ } ++ + break; + } + +-- +2.33.0 + diff --git a/backport-resolved-refresh-resolv.conf-files-when-link-goes-aw.patch b/backport-resolved-refresh-resolv.conf-files-when-link-goes-aw.patch new file mode 100644 index 0000000..a757f0a --- /dev/null +++ b/backport-resolved-refresh-resolv.conf-files-when-link-goes-aw.patch @@ -0,0 +1,33 @@ +From 1de3aa4ec90cfa3f6568426982207141a1feabf0 Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Fri, 18 Oct 2024 11:30:12 +0200 +Subject: [PATCH 0958/1160] resolved: refresh resolv.conf files when link goes + away + +This might have the effect that some DNS server or search domain +disappears, hence rewrite the relevant files. + +See: #27543 +(cherry picked from commit 562f7bde8872b4fd03db11bf25c9dd294fd2c186) +(cherry picked from commit 72806073770393982a50aed54c40164105c9bf14) +--- + src/resolve/resolved-manager.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/src/resolve/resolved-manager.c b/src/resolve/resolved-manager.c +index b52619e287..0d21cf544d 100644 +--- a/src/resolve/resolved-manager.c ++++ b/src/resolve/resolved-manager.c +@@ -94,6 +94,9 @@ static int manager_process_link(sd_netlink *rtnl, sd_netlink_message *mm, void * + log_debug("Removing link %i/%s", l->ifindex, l->ifname); + link_remove_user(l); + link_free(l); ++ ++ /* Make sure DNS servers are dropped from written resolv.conf if their link goes away */ ++ manager_write_resolv_conf(m); + } + + break; +-- +2.33.0 + diff --git a/backport-resolved-refuse-queries-with-no-suitable-scope.patch b/backport-resolved-refuse-queries-with-no-suitable-scope.patch new file mode 100644 index 0000000..11cee16 --- /dev/null +++ b/backport-resolved-refuse-queries-with-no-suitable-scope.patch 
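Review bot: `manager_write_resolv_conf(m)` is called without consuming its result, while the rest of this series consistently marks ignored returns with `(void)` (e.g. `(void) event_source_disable(...)`, `(void) dns_stub_send_reply(...)`); if the function returns int, write `(void) manager_write_resolv_conf(m);` to match. The rewrite also runs for every removed link regardless of whether that link contributed a DNS server or search domain, which is likely cheap but worth a word in the new comment if it was considered. `manager_process_link` continues outside the hunk.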
@@ -0,0 +1,41 @@ +From 6669973c3f1bc9e93776da0a91e7e75c58630c3a Mon Sep 17 00:00:00 2001 +From: Ronan Pigott +Date: Thu, 7 Mar 2024 14:27:52 -0700 +Subject: [PATCH 0444/1160] resolved: refuse queries with no suitable scope + +In some cases there is no configured server to answer a given question, +because all scopes refused the query. In this case we currently return +rcode SERVFAIL. + +In dns it is customary for authoritative nameservers to return REFUSED +where the question is outside of their authority. This is better than +SERVFAIL because it informs the client that they aren't likely to get an +answer out of us anytime soon, and either the configuration, or the +query, need to change. + +Similar logic invites us to use use the rcode REFUSED on the stub if we +aren't configured with any suitable scope for this question. + +(cherry picked from commit 4f2da49fcd333dcd1542278dce5b9642dcdeb984) +--- + src/resolve/resolved-dns-stub.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/src/resolve/resolved-dns-stub.c b/src/resolve/resolved-dns-stub.c +index c59e3b7f49..c4bc034ea1 100644 +--- a/src/resolve/resolved-dns-stub.c ++++ b/src/resolve/resolved-dns-stub.c +@@ -837,6 +837,10 @@ static void dns_stub_query_complete(DnsQuery *query) { + break; + + case DNS_TRANSACTION_NO_SERVERS: ++ /* We're not configured to give answers for this question. Refuse it. */ ++ (void) dns_stub_send_reply(q, DNS_RCODE_REFUSED); ++ break; ++ + case DNS_TRANSACTION_INVALID_REPLY: + case DNS_TRANSACTION_ERRNO: + case DNS_TRANSACTION_ABORTED: +-- +2.33.0 + diff --git a/backport-resolved-request-DS-with-DNSKEY.patch b/backport-resolved-request-DS-with-DNSKEY.patch new file mode 100644 index 0000000..5ffe6ec --- /dev/null +++ b/backport-resolved-request-DS-with-DNSKEY.patch 
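Review bot: `DNS_RCODE_REFUSED` is now returned for every `DNS_TRANSACTION_NO_SERVERS` outcome, including transient ones such as a query arriving before any DNS server has been configured, while the rationale in the commit message covers only the steady-state "not configured for this question" case. If stub clients can observe that transient, a sentence in the new comment distinguishing it would help, e.g. `/* We're not configured to give answers for this question. Refuse it; this also covers the no-servers-yet case, where the client is expected to retry later. */`, or a note confirming such queries never reach this switch. `dns_stub_query_complete` continues outside the hunk.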
@@ -0,0 +1,81 @@ +From ec3f8748fc5566538e2acd39ddbe36cedd80923f Mon Sep 17 00:00:00 2001 +From: Ronan Pigott +Date: Mon, 18 Mar 2024 13:05:07 -0700 +Subject: [PATCH 0460/1160] resolved: request DS with DNSKEY + +When validating, when we lookup a DNSKEY for validation we will almost +certainly need the corresponding DS to complete the chain of trust. +Let's go ahead and request it right away so that we don't have to wait +in this common case. + +(cherry picked from commit ce5b9d5b3c2466dd35691be0a662c4e3353a2bbf) +--- + src/resolve/resolved-dns-transaction.c | 24 ++++++++++++++++++++++-- + 1 file changed, 22 insertions(+), 2 deletions(-) + +diff --git a/src/resolve/resolved-dns-transaction.c b/src/resolve/resolved-dns-transaction.c +index 8ad2a2881a..dd914290b9 100644 +--- a/src/resolve/resolved-dns-transaction.c ++++ b/src/resolve/resolved-dns-transaction.c +@@ -2232,7 +2232,7 @@ static int dns_transaction_add_dnssec_transaction(DnsTransaction *t, DnsResource + return 1; + } + +-static int dns_transaction_request_dnssec_rr(DnsTransaction *t, DnsResourceKey *key) { ++static int dns_transaction_request_dnssec_rr_full(DnsTransaction *t, DnsResourceKey *key, DnsTransaction **ret) { + _cleanup_(dns_answer_unrefp) DnsAnswer *a = NULL; + DnsTransaction *aux; + int r; +@@ -2263,11 +2263,19 @@ static int dns_transaction_request_dnssec_rr(DnsTransaction *t, DnsResourceKey * + r = dns_transaction_go(aux); + if (r < 0) + return r; ++ if (ret) ++ *ret = aux; + } + + return 1; + } + ++static int dns_transaction_request_dnssec_rr(DnsTransaction *t, DnsResourceKey *key) { ++ assert(t); ++ assert(key); ++ return dns_transaction_request_dnssec_rr_full(t, key, NULL); ++} ++ + static int dns_transaction_negative_trust_anchor_lookup(DnsTransaction *t, const char *name) { + int r; + +@@ -2413,6 +2421,7 @@ int dns_transaction_request_dnssec_keys(DnsTransaction *t) { + case DNS_TYPE_RRSIG: { + /* For each RRSIG we request the matching DNSKEY */ + _cleanup_(dns_resource_key_unrefp) 
DnsResourceKey *dnskey = NULL; ++ DnsTransaction *aux = NULL; + + /* If this RRSIG is about a DNSKEY RR and the + * signer is the same as the owner, then we +@@ -2449,9 +2458,20 @@ int dns_transaction_request_dnssec_keys(DnsTransaction *t) { + + log_debug("Requesting DNSKEY to validate transaction %" PRIu16" (%s, RRSIG with key tag: %" PRIu16 ").", + t->id, dns_resource_key_name(rr->key), rr->rrsig.key_tag); +- r = dns_transaction_request_dnssec_rr(t, dnskey); ++ r = dns_transaction_request_dnssec_rr_full(t, dnskey, &aux); + if (r < 0) + return r; ++ ++ /* If we are requesting a DNSKEY, we can anticiapte that we will want the matching DS ++ * in the near future. Let's request it in advance so we don't have to wait in the ++ * common case. */ ++ if (aux) { ++ _cleanup_(dns_resource_key_unrefp) DnsResourceKey *ds = ++ dns_resource_key_new(rr->key->class, DNS_TYPE_DS, dns_resource_key_name(dnskey)); ++ r = dns_transaction_request_dnssec_rr(t, ds); ++ if (r < 0) ++ return r; ++ } + break; + } + +-- +2.33.0 + diff --git a/backport-resolved-validate-authentic-insecure-delegation-to-C.patch b/backport-resolved-validate-authentic-insecure-delegation-to-C.patch new file mode 100644 index 0000000..36bff9b --- /dev/null +++ b/backport-resolved-validate-authentic-insecure-delegation-to-C.patch 
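Review bot: The new comment misspells `anticipate` as `anticiapte`; since this file is patched again by the fixups patch later in this series, fixing it here avoids carrying the typo through both. The missing NULL check on `ds` in the `if (aux)` block is addressed by that later patch and needs no change here. `dns_transaction_request_dnssec_keys` continues outside the hunk.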
@@ -0,0 +1,39 @@ +From a1580223a5dd67ab61c5f888b114de43b65fffbf Mon Sep 17 00:00:00 2001 +From: Ronan Pigott +Date: Tue, 30 Apr 2024 13:19:14 -0700 +Subject: [PATCH 0564/1160] resolved: validate authentic insecure delegation to + CNAME + +If the parent zone uses a non-opt-out method that provides authenticated +negative DS replies, we still can't expect signatures from the child +zone. sd-resolved was using the authenticated status of the DS reply to +require signatures for CNAMEs, even though it had already proved that no +signature exists. + +Fixes: 47690634f157 ("resolved: don't request the SOA for every dns label") +(cherry picked from commit 414a9b8e5e1e772261b0ffaedc853f5c0aba5719) +--- + src/resolve/resolved-dns-transaction.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/src/resolve/resolved-dns-transaction.c b/src/resolve/resolved-dns-transaction.c +index 1bb1dc09ca..3f48b566b5 100644 +--- a/src/resolve/resolved-dns-transaction.c ++++ b/src/resolve/resolved-dns-transaction.c +@@ -2863,7 +2863,12 @@ static int dns_transaction_requires_rrsig(DnsTransaction *t, DnsResourceRecord * + if (r == 0) + continue; + +- return FLAGS_SET(dt->answer_query_flags, SD_RESOLVED_AUTHENTICATED); ++ if (!FLAGS_SET(dt->answer_query_flags, SD_RESOLVED_AUTHENTICATED)) ++ return false; ++ ++ /* We expect this to be signed when the DS record exists, and don't expect it to be ++ * signed when the DS record is proven not to exist. */ ++ return dns_answer_match_key(dt->answer, dns_transaction_key(dt), NULL); + } + + return true; +-- +2.33.0 + diff --git a/backport-resolved-wait-to-gc-transactions-if-they-might-still.patch b/backport-resolved-wait-to-gc-transactions-if-they-might-still.patch new file mode 100644 index 0000000..d015826 --- /dev/null +++ b/backport-resolved-wait-to-gc-transactions-if-they-might-still.patch 
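Review bot: `dns_answer_match_key()` is now returned directly from `dns_transaction_requires_rrsig()`, whose other exits are plain `true`/`false`; if that helper can report a negative error (it takes an optional flags out-parameter, and such helpers in this codebase commonly return int), the error now surfaces through a function the surrounding code reads as a yes/no answer, which the replaced `FLAGS_SET()` expression could not do. If a negative return is acceptable to the caller, say so in a one-line comment; otherwise normalise it: `r = dns_answer_match_key(dt->answer, dns_transaction_key(dt), NULL); if (r < 0) return r; return r > 0;`. The enclosing loop and function continue outside the hunk.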
@@ -0,0 +1,107 @@ +From da474b440dc5952f32c598ad47306ed9a26c251a Mon Sep 17 00:00:00 2001 +From: Ronan Pigott +Date: Fri, 15 Mar 2024 13:52:30 -0700 +Subject: [PATCH 0455/1160] resolved: wait to gc transactions if they might + still give an answer + +In some cases when a query completes there are still pending +transactions that are no longer useful to answer the query. But if this +query is repeated in the future and we don't have the answers cached, +we're going to ask and ignore the answer again. + +Instead of purging these superfluous transactions, let's wait and see if +they produce an answer, since we already asked the question, and use it +to fill our cache. + +(cherry picked from commit ce880172552534e7416ae3af697053c0df58b770) +--- + src/resolve/resolved-dns-query.c | 27 +++++++++++++++++++++++++- + src/resolve/resolved-dns-transaction.c | 3 +++ + src/resolve/resolved-dns-transaction.h | 5 +++++ + 3 files changed, 34 insertions(+), 1 deletion(-) + +diff --git a/src/resolve/resolved-dns-query.c b/src/resolve/resolved-dns-query.c +index 7eb6b9736e..16334c6300 100644 +--- a/src/resolve/resolved-dns-query.c ++++ b/src/resolve/resolved-dns-query.c +@@ -57,6 +57,21 @@ static void dns_query_candidate_stop(DnsQueryCandidate *c) { + } + } + ++static void dns_query_candidate_abandon(DnsQueryCandidate *c) { ++ DnsTransaction *t; ++ ++ assert(c); ++ ++ /* Abandon all the DnsTransactions attached to this query */ ++ ++ while ((t = set_steal_first(c->transactions))) { ++ t->wait_for_answer = true; ++ set_remove(t->notify_query_candidates, c); ++ set_remove(t->notify_query_candidates_done, c); ++ dns_transaction_gc(t); ++ } ++} ++ + static DnsQueryCandidate* dns_query_candidate_unlink(DnsQueryCandidate *c) { + assert(c); + +@@ -354,6 +369,16 @@ static void dns_query_stop(DnsQuery *q) { + dns_query_candidate_stop(c); + } + ++static void dns_query_abandon(DnsQuery *q) { ++ assert(q); ++ ++ /* Thankfully transactions have their own timeouts */ ++ 
event_source_disable(q->timeout_event_source); ++ ++ LIST_FOREACH(candidates_by_query, c, q->candidates) ++ dns_query_candidate_abandon(c); ++} ++ + static void dns_query_unlink_candidates(DnsQuery *q) { + assert(q); + +@@ -588,7 +613,7 @@ void dns_query_complete(DnsQuery *q, DnsTransactionState state) { + + (void) manager_monitor_send(q->manager, q->state, q->answer_rcode, q->answer_errno, q->question_idna, q->question_utf8, q->question_bypass, q->collected_questions, q->answer); + +- dns_query_stop(q); ++ dns_query_abandon(q); + if (q->complete) + q->complete(q); + } +diff --git a/src/resolve/resolved-dns-transaction.c b/src/resolve/resolved-dns-transaction.c +index 8ff5653dff..742bd08709 100644 +--- a/src/resolve/resolved-dns-transaction.c ++++ b/src/resolve/resolved-dns-transaction.c +@@ -175,6 +175,9 @@ DnsTransaction* dns_transaction_gc(DnsTransaction *t) { + if (t->block_gc > 0) + return t; + ++ if (t->wait_for_answer && IN_SET(t->state, DNS_TRANSACTION_PENDING, DNS_TRANSACTION_VALIDATING)) ++ return t; ++ + if (set_isempty(t->notify_query_candidates) && + set_isempty(t->notify_query_candidates_done) && + set_isempty(t->notify_zone_items) && +diff --git a/src/resolve/resolved-dns-transaction.h b/src/resolve/resolved-dns-transaction.h +index 2fd8720e24..6be7c5fb70 100644 +--- a/src/resolve/resolved-dns-transaction.h ++++ b/src/resolve/resolved-dns-transaction.h +@@ -134,6 +134,11 @@ struct DnsTransaction { + + unsigned block_gc; + ++ /* Set when we're willing to let this transaction live beyond it's usefulness for the original query, ++ * for caching purposes. This blocks gc while there is still a chance we might still receive an ++ * answer. */ ++ bool wait_for_answer; ++ + LIST_FIELDS(DnsTransaction, transactions_by_scope); + LIST_FIELDS(DnsTransaction, transactions_by_stream); + LIST_FIELDS(DnsTransaction, transactions_by_key); +-- +2.33.0 + 
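Review bot: `dns_query_candidate_abandon()` sets `t->wait_for_answer = true` on every transaction it steals and nothing in the patch ever clears it, so a transaction that later gets reused by another query stays marked as willing to linger; whether that matters depends on reuse paths outside this hunk. The resource bound is that the new gate in dns_transaction_gc() only keeps transactions in DNS_TRANSACTION_PENDING or DNS_TRANSACTION_VALIDATING, so the number of lingering transactions is limited by their own timeouts, which is worth stating at the `set_steal_first` loop: `/* Kept alive only while PENDING/VALIDATING, see dns_transaction_gc(); the transaction's own timeout bounds how long that lasts. */`. The struct comment in resolved-dns-transaction.h should read `its usefulness`, not `it's`.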
diff --git a/backport-rpm-macros-add-_kernel_install_dir.patch b/backport-rpm-macros-add-_kernel_install_dir.patch new file mode 100644 index 0000000..2a33b2d --- /dev/null +++ b/backport-rpm-macros-add-_kernel_install_dir.patch @@ -0,0 +1,46 @@ +From b25bd391892112527597d00b82e96f0f0b6399ea Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Thu, 29 Feb 2024 21:38:03 +0100 +Subject: [PATCH 0427/1160] rpm/macros: add %_kernel_install_dir + +This makes it easier for people packaging kernel-install plugins +to get the path right. + +E.g. https://src.fedoraproject.org/rpms/python-virt-firmware/pull-request/3 +fixes an issue where %{_libdir}/kernel/install.d was used, +which gives incorrect results on 64-bit architectures. +%_kernel_install_dir will make this even easier. + +(cherry picked from commit 5248a0c5b344c0b8cb18dee5206836cd61e6bd46) +--- + meson.build | 1 + + src/rpm/macros.systemd.in | 1 + + 2 files changed, 2 insertions(+) + +diff --git a/meson.build b/meson.build +index a577ac793e..7b31929e7a 100644 +--- a/meson.build ++++ b/meson.build +@@ -220,6 +220,7 @@ conf.set_quoted('ENVIRONMENT_DIR', environmentdir) + conf.set_quoted('INCLUDE_DIR', includedir) + conf.set_quoted('LIBDIR', libdir) + conf.set_quoted('LIBEXECDIR', libexecdir) ++conf.set_quoted('KERNEL_INSTALL_DIR', kernelinstalldir) + conf.set_quoted('MODPROBE_DIR', modprobedir) + conf.set_quoted('MODULESLOAD_DIR', modulesloaddir) + conf.set_quoted('PKGSYSCONFDIR', pkgsysconfdir) +diff --git a/src/rpm/macros.systemd.in b/src/rpm/macros.systemd.in +index 241e4b9c49..317e13dfd7 100644 +--- a/src/rpm/macros.systemd.in ++++ b/src/rpm/macros.systemd.in +@@ -13,6 +13,7 @@ + %_udevhwdbdir {{UDEV_HWDB_DIR}} + %_udevrulesdir {{UDEV_RULES_DIR}} + %_journalcatalogdir {{SYSTEMD_CATALOG_DIR}} ++%_kernel_install_dir {{KERNEL_INSTALL_DIR}} + %_binfmtdir {{BINFMT_DIR}} + %_sysctldir {{SYSCTL_DIR}} + %_sysusersdir {{SYSUSERS_DIR}} +-- +2.33.0 + 
diff --git a/backport-run-do-not-log-Error-on-PTY-forwarding-logic-when-di.patch b/backport-run-do-not-log-Error-on-PTY-forwarding-logic-when-di.patch new file mode 100644 index 0000000..734d378 --- /dev/null +++ b/backport-run-do-not-log-Error-on-PTY-forwarding-logic-when-di.patch @@ -0,0 +1,34 @@ +From 920dbc7b46c175ddc0ecf426ac9f855d90081160 Mon Sep 17 00:00:00 2001 +From: Mike Yuan +Date: Sun, 19 May 2024 08:53:07 +0800 +Subject: [PATCH 0648/1160] run: do not log "Error on PTY forwarding logic" + when disconnected due to user operation + +(cherry picked from commit ade0789fabbf01b95bf54d32f8cab1217a753f03) +--- + src/run/run.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/src/run/run.c b/src/run/run.c +index 88eca0fd6d..3b8d331b35 100644 +--- a/src/run/run.c ++++ b/src/run/run.c +@@ -1155,11 +1155,13 @@ static int on_properties_changed(sd_bus_message *m, void *userdata, sd_bus_error + } + + static int pty_forward_handler(PTYForward *f, int rcode, void *userdata) { +- RunContext *c = userdata; ++ RunContext *c = ASSERT_PTR(userdata); + + assert(f); + +- if (rcode < 0) { ++ if (rcode == -ECANCELED) ++ log_debug_errno(rcode, "PTY forwarder disconnected."); ++ else if (rcode < 0) { + sd_event_exit(c->event, EXIT_FAILURE); + return log_error_errno(rcode, "Error on PTY forwarding logic: %m"); + } +-- +2.33.0 + diff --git a/backport-run-do-not-pass-the-pty-slave-fd-to-transient-servic.patch b/backport-run-do-not-pass-the-pty-slave-fd-to-transient-servic.patch index f1fb762..4cb201a 100644 --- a/backport-run-do-not-pass-the-pty-slave-fd-to-transient-servic.patch +++ b/backport-run-do-not-pass-the-pty-slave-fd-to-transient-servic.patch @@ -1,8 +1,8 @@ From 639c922ede94852f83ccd930b28a382075f1da8f Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Thu, 6 Jun 2024 13:30:09 +0200 -Subject: [PATCH] run: do not pass the pty slave fd to transient service in a - machine +Subject: [PATCH 0707/1160] run: do not pass the pty slave fd to transient + service in a machine Follow-up for 28459ba1f4df824d5ef7f7d1a9acb6953ea24045 diff --git a/backport-run-handle-gracefully-if-we-can-t-find-binary-client.patch b/backport-run-handle-gracefully-if-we-can-t-find-binary-client.patch new file mode 100644 index 0000000..a8eb5e6 --- /dev/null +++ b/backport-run-handle-gracefully-if-we-can-t-find-binary-client.patch @@ -0,0 +1,36 @@ +From ccc2e1ff85433cef5df6891d0579dc66095964db Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Tue, 5 Nov 2024 11:54:14 +0100 +Subject: [PATCH 0991/1160] run: handle gracefully if we can't find binary + client-side due to perms + +Fixes: #35022 +(cherry picked from commit 9810899ef2f28fbb42cf659e6892b1a5074cfc83) +(cherry picked from commit 070dbe1e77fc25201a89770beb691135ce84bed1) +--- + src/run/run.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/src/run/run.c b/src/run/run.c +index 659f525db7..3ce0833ab8 100644 +--- a/src/run/run.c ++++ b/src/run/run.c +@@ -1958,10 +1958,12 @@ static int run(int argc, char* argv[]) { + + _cleanup_free_ char *command = NULL; + r = find_executable(arg_cmdline[0], &command); +- if (r < 0) ++ if (ERRNO_IS_NEG_PRIVILEGE(r)) ++ log_debug_errno(r, "Failed to find executable '%s' due to permission problems, leaving path as is: %m", arg_cmdline[0]); ++ else if (r < 0) + return log_error_errno(r, "Failed to find executable %s: %m", arg_cmdline[0]); +- +- free_and_replace(arg_cmdline[0], command); ++ else ++ free_and_replace(arg_cmdline[0], command); + } + + if (!arg_description) { +-- +2.33.0 + diff --git a/backport-run-pass-the-pty-slave-fd-to-transient-service.patch b/backport-run-pass-the-pty-slave-fd-to-transient-service.patch index a55be37..e95957a 100644 
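Review bot: When `find_executable()` fails with a permission error, `arg_cmdline[0]` is now passed on unresolved, and presumably the service manager then performs its own lookup with its own $PATH and credentials rather than the invoking user's; the debug message says the path is left as is but not that the resolved binary may therefore differ from what the client would have found. I'd add above the new branch: `/* We may lack the privileges to resolve the binary client-side (e.g. an unsearchable $PATH entry); leave the name as is and let the manager, with its own $PATH and credentials, look it up. */`. run() continues outside the hunk, so what the unresolved name is used for downstream is not visible here.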
--- a/backport-run-pass-the-pty-slave-fd-to-transient-service.patch +++ b/backport-run-pass-the-pty-slave-fd-to-transient-service.patch @@ -1,7 +1,7 @@ From 182b80bede28ef6e9c0d0edd34c56a467d22dee5 Mon Sep 17 00:00:00 2001 From: Mike Yuan Date: Sun, 19 May 2024 09:07:21 +0800 -Subject: [PATCH] run: pass the pty slave fd to transient service +Subject: [PATCH 0649/1160] run: pass the pty slave fd to transient service The rationale is similar to 40e1f4ea7458a0a80eaf1ef356e52bfe0835412e. diff --git a/backport-run-when-disconnected-from-PTY-forwarder-exit-event-.patch b/backport-run-when-disconnected-from-PTY-forwarder-exit-event-.patch new file mode 100644 index 0000000..87b0e6d --- /dev/null +++ b/backport-run-when-disconnected-from-PTY-forwarder-exit-event-.patch 
@@ -0,0 +1,54 @@ +From 46561305cba2fcb64726616e88c7b33b2f23c988 Mon Sep 17 00:00:00 2001 +From: Mike Yuan +Date: Tue, 21 May 2024 20:10:24 +0800 +Subject: [PATCH 0669/1160] run: when disconnected from PTY forwarder, exit + event loop if not --wait + +Follow-up for ade0789fabbf01b95bf54d32f8cab1217a753f03 + +The change in behavior was partly intentional, as I think +if both --wait and --pty are used, manually disconnecting +from PTY forwarder should not result in systemd-run exiting +with "Finished with ..." log. But we should check for +--wait here. + +Closes #32953 + +(cherry picked from commit 2b4a691c32aadbc45491c8b243ec3cf7ed910f55) +--- + src/run/run.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/src/run/run.c b/src/run/run.c +index 1b9fb41d7c..14cc9f9514 100644 +--- a/src/run/run.c ++++ b/src/run/run.c +@@ -1091,7 +1091,7 @@ static void run_context_check_done(RunContext *c) { + else + done = true; + +- if (c->forward && done) /* If the service is gone, it's time to drain the output */ ++ if (c->forward && !pty_forward_is_done(c->forward) && done) /* If the service is gone, it's time to drain the output */ + done = pty_forward_drain(c->forward); + + if (done) +@@ -1165,9 +1165,14 @@ static int pty_forward_handler(PTYForward *f, int rcode, void *userdata) { + + assert(f); + +- if (rcode == -ECANCELED) ++ if (rcode == -ECANCELED) { + log_debug_errno(rcode, "PTY forwarder disconnected."); +- else if (rcode < 0) { ++ if (!arg_wait) ++ return sd_event_exit(c->event, EXIT_SUCCESS); ++ ++ /* If --wait is specified, we'll only exit the pty forwarding, but will continue to wait ++ * for the service to end. If the user hits ^C we'll exit too. */ ++ } else if (rcode < 0) { + sd_event_exit(c->event, EXIT_FAILURE); + return log_error_errno(rcode, "Error on PTY forwarding logic: %m"); + } +-- +2.33.0 + 
diff --git a/backport-sd-bus-fix-exiting-event-loop-when-sd_bus_set_exit_o.patch b/backport-sd-bus-fix-exiting-event-loop-when-sd_bus_set_exit_o.patch new file mode 100644 index 0000000..e181cf8 --- /dev/null +++ b/backport-sd-bus-fix-exiting-event-loop-when-sd_bus_set_exit_o.patch 
@@ -0,0 +1,118 @@ +From e8e1b2862420121473c173c7a56529f24e3b2779 Mon Sep 17 00:00:00 2001 +From: Luca Boccassi +Date: Thu, 25 Jan 2024 20:31:39 +0000 +Subject: [PATCH 0278/1160] sd-bus: fix exiting event loop when + sd_bus_set_exit_on_disconnect is used + +If sd_bus_set_exit_on_disconnect is used and the bus is part of an event +loop, and the D-Bus connection goes away (e.g.: soft-reboot), sd-bus +will always exit() the program instead of returning from the loop, as +the reference to the event is removed before it is checked. + +(cherry picked from commit b5d4862707d0b3829c500904474fa2453ffaa525) +--- + src/libsystemd/sd-bus/sd-bus.c | 18 +++++++++++++----- + src/libsystemd/sd-bus/test-bus-watch-bind.c | 9 +++++++-- + 2 files changed, 20 insertions(+), 7 deletions(-) + +diff --git a/src/libsystemd/sd-bus/sd-bus.c b/src/libsystemd/sd-bus/sd-bus.c +index 4a0259f8bb..8befc97460 100644 +--- a/src/libsystemd/sd-bus/sd-bus.c ++++ b/src/libsystemd/sd-bus/sd-bus.c +@@ -3084,7 +3084,7 @@ null_message: + return r; + } + +-static int bus_exit_now(sd_bus *bus) { ++static int bus_exit_now(sd_bus *bus, sd_event *event) { + assert(bus); + + /* Exit due to close, if this is requested. 
If this is bus object is attached to an event source, invokes +@@ -3101,8 +3101,11 @@ static int bus_exit_now(sd_bus *bus) { + + log_debug("Bus connection disconnected, exiting."); + +- if (bus->event) +- return sd_event_exit(bus->event, EXIT_FAILURE); ++ if (!event) ++ event = bus->event; ++ ++ if (event) ++ return sd_event_exit(event, EXIT_FAILURE); + else + exit(EXIT_FAILURE); + +@@ -3164,6 +3167,7 @@ static int process_closing_reply_callback(sd_bus *bus, struct reply_callback *c) + + static int process_closing(sd_bus *bus, sd_bus_message **ret) { + _cleanup_(sd_bus_message_unrefp) sd_bus_message *m = NULL; ++ _cleanup_(sd_event_unrefp) sd_event *event = NULL; + struct reply_callback *c; + int r; + +@@ -3198,6 +3202,10 @@ static int process_closing(sd_bus *bus, sd_bus_message **ret) { + if (r < 0) + return r; + ++ /* sd_bus_close() will deref the event and set bus->event to NULL. But in bus_exit_now() we use ++ * bus->event to decide whether to return from the event loop or exit(), but given it's always NULL ++ * at that point, it always exit(). Ref it here and pass it through further down to avoid that. */ ++ event = sd_event_ref(bus->event); + sd_bus_close(bus); + + bus->current_message = m; +@@ -3213,7 +3221,7 @@ static int process_closing(sd_bus *bus, sd_bus_message **ret) { + + /* Nothing else to do, exit now, if the condition holds */ + bus->exit_triggered = true; +- (void) bus_exit_now(bus); ++ (void) bus_exit_now(bus, event); + + if (ret) + *ret = TAKE_PTR(m); +@@ -4309,7 +4317,7 @@ _public_ int sd_bus_set_exit_on_disconnect(sd_bus *bus, int b) { + bus->exit_on_disconnect = b; + + /* If the exit condition was triggered already, exit immediately. 
*/ +- return bus_exit_now(bus); ++ return bus_exit_now(bus, /* event= */ NULL); + } + + _public_ int sd_bus_get_exit_on_disconnect(sd_bus *bus) { +diff --git a/src/libsystemd/sd-bus/test-bus-watch-bind.c b/src/libsystemd/sd-bus/test-bus-watch-bind.c +index d6938a7f09..7f73c6e7b8 100644 +--- a/src/libsystemd/sd-bus/test-bus-watch-bind.c ++++ b/src/libsystemd/sd-bus/test-bus-watch-bind.c +@@ -7,6 +7,7 @@ + #include "sd-id128.h" + + #include "alloc-util.h" ++#include "bus-internal.h" + #include "fd-util.h" + #include "fs-util.h" + #include "mkdir.h" +@@ -27,8 +28,11 @@ static int method_foobar(sd_bus_message *m, void *userdata, sd_bus_error *ret_er + + static int method_exit(sd_bus_message *m, void *userdata, sd_bus_error *ret_error) { + log_info("Got Exit() call"); +- assert_se(sd_event_exit(sd_bus_get_event(sd_bus_message_get_bus(m)), 1) >= 0); +- return sd_bus_reply_method_return(m, NULL); ++ ++ assert_se(sd_bus_reply_method_return(m, NULL) >= 0); ++ /* Simulate D-Bus going away to test the bus_exit_now() path with exit_on_disconnect set */ ++ bus_enter_closing(sd_bus_message_get_bus(m)); ++ return 0; + } + + static const sd_bus_vtable vtable[] = { +@@ -100,6 +104,7 @@ static void* thread_server(void *p) { + log_debug("Accepted server connection"); + + assert_se(sd_bus_new(&bus) >= 0); ++ assert_se(sd_bus_set_exit_on_disconnect(bus, true) >= 0); + assert_se(sd_bus_set_description(bus, "server") >= 0); + assert_se(sd_bus_set_fd(bus, bus_fd, bus_fd) >= 0); + assert_se(sd_bus_set_server(bus, true, id) >= 0); +-- +2.33.0 + diff --git a/backport-sd-bus-rework-assert-to-make-the-gcc-happy.patch b/backport-sd-bus-rework-assert-to-make-the-gcc-happy.patch new file mode 100644 index 0000000..df7b0dd --- /dev/null +++ b/backport-sd-bus-rework-assert-to-make-the-gcc-happy.patch 
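Review bot: The `event` parameter added to `bus_exit_now()` is undocumented; a reader sees `if (!event) event = bus->event;` without knowing why a caller would pass anything other than the bus's own event, and the reasoning currently lives only in the comment inside process_closing(). A short comment at the signature would carry it: `/* event: optional reference to the loop the bus was attached to, for callers that hold one across sd_bus_close(), which clears bus->event. */`. The test's use of `bus_enter_closing()` via `bus-internal.h` ties test-bus-watch-bind.c to a private symbol, which is acceptable in-tree but worth noting in the include comment.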
@@ -0,0 +1,62 @@ +From f4d943f2bebb0be542e2f014cc41052e1963010a Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Sun, 7 Apr 2024 11:13:06 +0200 +Subject: [PATCH 0495/1160] sd-bus: rework assert to make the gcc happy +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +With gcc-14.0.1-0.13.fc40, when compiling with -O2, the compiler doesn't understand +that sd_bus_error_setf() always returns negative on error when is provided: + +[28/576] Compiling C object systemd-resolved.p/src_resolve_resolved-bus.c.o +../src/resolve/resolved-bus.c: In function ‘call_link_method’: +../src/resolve/resolved-bus.c:1763:16: warning: ‘l’ may be used uninitialized [-Wmaybe-uninitialized] + 1763 | return handler(message, l, error); + | ^~~~~~~~~~~~~~~~~~~~~~~~~~ +../src/resolve/resolved-bus.c:1749:15: note: ‘l’ was declared here + 1749 | Link *l; + | ^ +../src/resolve/resolved-bus.c: In function ‘bus_method_get_link’: +../src/resolve/resolved-bus.c:1822:13: warning: ‘l’ may be used uninitialized [-Wmaybe-uninitialized] + 1822 | p = link_bus_path(l); + | ^~~~~~~~~~~~~~~~ +../src/resolve/resolved-bus.c:1810:15: note: ‘l’ was declared here + 1810 | Link *l; + | ^ +... + +Let's make the assertion a bit more explicit. With this, the warning goes away, +but I think it's more obvious to a human reader too. 
+ +(cherry picked from commit 41733186c4a946dd92fcfe754ce0f8f3c0737538) +--- + src/libsystemd/sd-bus/bus-error.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/src/libsystemd/sd-bus/bus-error.c b/src/libsystemd/sd-bus/bus-error.c +index 77b2e1a0fd..f415797700 100644 +--- a/src/libsystemd/sd-bus/bus-error.c ++++ b/src/libsystemd/sd-bus/bus-error.c +@@ -277,14 +277,16 @@ _public_ int sd_bus_error_setf(sd_bus_error *e, const char *name, const char *fo + + va_start(ap, format); + r = sd_bus_error_setfv(e, name, format, ap); +- assert(!name || r < 0); ++ if (name) ++ assert(r < 0); + va_end(ap); + + return r; + } + + r = sd_bus_error_set(e, name, NULL); +- assert(!name || r < 0); ++ if (name) ++ assert(r < 0); + return r; + } + +-- +2.33.0 + diff --git a/backport-sd-bus-vtable-add-dummy-macro-to-support-compile-wit.patch b/backport-sd-bus-vtable-add-dummy-macro-to-support-compile-wit.patch new file mode 100644 index 0000000..b7eb9e3 --- /dev/null +++ b/backport-sd-bus-vtable-add-dummy-macro-to-support-compile-wit.patch 
@@ -0,0 +1,61 @@ +From a4777db300481c872d81baf7d0523b4b54202881 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Wed, 3 Apr 2024 11:52:23 +0900 +Subject: [PATCH 0483/1160] sd-bus-vtable: add dummy macro to support compile + without GNU extension +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +If SD_BUS_METHOD_WITH_ARGS() is set with SD_BUS_NO_ARGS and/or SD_BUS_NO_RESULT, +then it introduces +_SD_VARARGS_FOREACH_EVEN(_SD_ECHO, NULL) + -> _SD_VARARGS_FOREACH_SEQ(_01, …, _50, NULL) +Hence, the variadic argument `...` in _SD_VARARGS_FOREACH_SEQ() has no +argument, but it is not allowed if built without GNU extension, e.g. -std=c11. + +Let's introduce one more unused dummy argument to support such situation. + +(cherry picked from commit e10409ad55dccda89a1f1ca23c6dabca20488d51) +--- + src/systemd/sd-bus-vtable.h | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/src/systemd/sd-bus-vtable.h b/src/systemd/sd-bus-vtable.h +index 5e80ea895d..d06c5c3015 100644 +--- a/src/systemd/sd-bus-vtable.h ++++ b/src/systemd/sd-bus-vtable.h +@@ -208,6 +208,7 @@ struct sd_bus_vtable { + _41, _42, _43, _44, _45, _46, _47, _48, _49, _50, \ + NAME, ...) NAME + ++#define _SD_VARARGS_FOREACH_EVEN_00(FN) + #define _SD_VARARGS_FOREACH_EVEN_01(FN, X) FN(X) + #define _SD_VARARGS_FOREACH_EVEN_02(FN, X, Y) FN(X) + #define _SD_VARARGS_FOREACH_EVEN_04(FN, X, Y, ...) 
FN(X) _SD_VARARGS_FOREACH_EVEN_02(FN, __VA_ARGS__) +@@ -261,9 +262,11 @@ struct sd_bus_vtable { + _SD_VARARGS_FOREACH_EVEN_08, _SD_VARARGS_FOREACH_EVEN_07, \ + _SD_VARARGS_FOREACH_EVEN_06, _SD_VARARGS_FOREACH_EVEN_05, \ + _SD_VARARGS_FOREACH_EVEN_04, _SD_VARARGS_FOREACH_EVEN_03, \ +- _SD_VARARGS_FOREACH_EVEN_02, _SD_VARARGS_FOREACH_EVEN_01) \ ++ _SD_VARARGS_FOREACH_EVEN_02, _SD_VARARGS_FOREACH_EVEN_01, \ ++ _SD_VARARGS_FOREACH_EVEN_00) \ + (FN, __VA_ARGS__) + ++#define _SD_VARARGS_FOREACH_ODD_00(FN) + #define _SD_VARARGS_FOREACH_ODD_01(FN, X) + #define _SD_VARARGS_FOREACH_ODD_02(FN, X, Y) FN(Y) + #define _SD_VARARGS_FOREACH_ODD_04(FN, X, Y, ...) FN(Y) _SD_VARARGS_FOREACH_ODD_02(FN, __VA_ARGS__) +@@ -317,7 +320,8 @@ struct sd_bus_vtable { + _SD_VARARGS_FOREACH_ODD_08, _SD_VARARGS_FOREACH_ODD_07, \ + _SD_VARARGS_FOREACH_ODD_06, _SD_VARARGS_FOREACH_ODD_05, \ + _SD_VARARGS_FOREACH_ODD_04, _SD_VARARGS_FOREACH_ODD_03, \ +- _SD_VARARGS_FOREACH_ODD_02, _SD_VARARGS_FOREACH_ODD_01) \ ++ _SD_VARARGS_FOREACH_ODD_02, _SD_VARARGS_FOREACH_ODD_01, \ ++ _SD_VARARGS_FOREACH_ODD_00) \ + (FN, __VA_ARGS__) + + #define SD_BUS_ARGS(...) __VA_ARGS__ +-- +2.33.0 + diff --git a/backport-sd-common-add-__const__.patch b/backport-sd-common-add-__const__.patch new file mode 100644 index 0000000..6ccc521 --- /dev/null +++ b/backport-sd-common-add-__const__.patch 
@@ -0,0 +1,34 @@
+From afcbe7c406702fce3abd41fc6e945abd846a91dc Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?=
+Date: Mon, 28 Oct 2024 09:13:10 +0100
+Subject: [PATCH 0972/1160] sd-common: add __const__
+
+const is stronger than pure, see
+https://gcc.gnu.org/onlinedocs/gcc/Common-Function-Attributes.html#index-pure-function-attribute
+and
+https://gcc.gnu.org/onlinedocs/gcc/Common-Function-Attributes.html#index-const-function-attribute.
+
+(cherry picked from commit 955c51c087f1fb6d0b7a0091db943ad05ba3095e)
+(cherry picked from commit a5e128ca26cab912b4e404dbd6ad9cb6f60c67da)
+---
+ src/systemd/_sd-common.h | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/systemd/_sd-common.h b/src/systemd/_sd-common.h
+index d4381d90f4..1e1ce35418 100644
+--- a/src/systemd/_sd-common.h
++++ b/src/systemd/_sd-common.h
+@@ -45,6 +45,10 @@ typedef void (*_sd_destroy_t)(void *userdata);
+ # define _sd_pure_ __attribute__((__pure__))
+ #endif
+
++#ifndef _sd_const_
++# define _sd_const_ __attribute__((__const__))
++#endif
++
+ /* Note that strictly speaking __deprecated__ has been available before GCC 6. However, starting with GCC 6
+ * it also works on enum values, which we are interested in. Since this is a developer-facing feature anyway
+ * (as opposed to build engineer-facing), let's hence conditionalize this to gcc 6, given that the developers
+--
+2.33.0
+
diff --git a/backport-sd-daemon-Replace-SO_LINGER-with-shutdown-recv.patch b/backport-sd-daemon-Replace-SO_LINGER-with-shutdown-recv.patch
new file mode 100644
index 0000000..3766294
--- /dev/null
+++ b/backport-sd-daemon-Replace-SO_LINGER-with-shutdown-recv.patch
@@ -0,0 +1,42 @@ +From b15490ceead50dd7506ec8dbb3defbc1f93315e6 Mon Sep 17 00:00:00 2001 +From: Daan De Meyer +Date: Fri, 26 Apr 2024 15:02:56 +0200 +Subject: [PATCH 1043/1160] sd-daemon: Replace SO_LINGER with shutdown() + + recv() + +Let's shutdown the write end and wait for EOF from the other side +before continuing to make sure that the receiver has received all +data we sent on the socket. + +(cherry picked from commit 13b67b61b3b4a5356f5d1b29b51137b8e336aa55) +--- + src/libsystemd/sd-daemon/sd-daemon.c | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +diff --git a/src/libsystemd/sd-daemon/sd-daemon.c b/src/libsystemd/sd-daemon/sd-daemon.c +index d1a650fd43..ec87c88e57 100644 +--- a/src/libsystemd/sd-daemon/sd-daemon.c ++++ b/src/libsystemd/sd-daemon/sd-daemon.c +@@ -594,6 +594,19 @@ static int pid_notify_with_fds_internal( + } + } while (!iovec_increment(msghdr.msg_iov, msghdr.msg_iovlen, n)); + ++ if (address.sockaddr.sa.sa_family == AF_VSOCK && IN_SET(type, SOCK_STREAM, SOCK_SEQPACKET)) { ++ /* For AF_VSOCK, we need to close the socket to signal the end of the message. */ ++ if (shutdown(fd, SHUT_WR) < 0) ++ return log_error_errno(errno, "Failed to shutdown notify socket: %m"); ++ ++ char buf[1]; ++ n = recv(fd, buf, sizeof(buf), MSG_NOSIGNAL); ++ if (n > 0) ++ return log_error_errno(errno, "Unexpectedly received data on notify socket: %m"); ++ if (n < 0) ++ return log_error_errno(errno, "Failed to wait for EOF on notify socket: %m"); ++ } ++ + return 1; + } + +-- +2.33.0 + diff --git a/backport-sd-daemon-downgrade-log-level-for-library-code-use-c.patch b/backport-sd-daemon-downgrade-log-level-for-library-code-use-c.patch new file mode 100644 index 0000000..7848b08 --- /dev/null +++ b/backport-sd-daemon-downgrade-log-level-for-library-code-use-c.patch 
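Review bot: `if (n > 0) return log_error_errno(errno, ...)` reports a stale errno, since recv() returned data and errno is unrelated to that condition; the follow-up backport in this series (`sd-daemon: downgrade log level for library code, use correct errno`) replaces it with `SYNTHETIC_ERRNO(EPROTO)`, so the two should land together. Independently of that, the `recv()` that waits for EOF has no timeout visible in the hunk, so unless the notify socket carries a receive timeout set elsewhere, a peer that never closes its end blocks the notifying process inside the notification call; worth a comment on the call such as `/* Blocks until the peer closes its end; relies on the socket's receive timeout, if any, to bound the wait. */`, or a bounded poll if no timeout is set. The rest of pid_notify_with_fds_internal() is outside the hunk.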
@@ -0,0 +1,41 @@ +From 16d3a644b70735bca2e897dcfd987b5b9cd6821f Mon Sep 17 00:00:00 2001 +From: Mike Yuan +Date: Sat, 27 Apr 2024 19:34:45 +0800 +Subject: [PATCH 1044/1160] sd-daemon: downgrade log level for library code, + use correct errno + +Follow-up for 13b67b61b3b4a5356f5d1b29b51137b8e336aa55 + +(cherry picked from commit 3baab23b25aa679c20b2397f2c6e0ca7b89ed14c) +--- + src/libsystemd/sd-daemon/sd-daemon.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/src/libsystemd/sd-daemon/sd-daemon.c b/src/libsystemd/sd-daemon/sd-daemon.c +index ec87c88e57..b69a7c7224 100644 +--- a/src/libsystemd/sd-daemon/sd-daemon.c ++++ b/src/libsystemd/sd-daemon/sd-daemon.c +@@ -597,14 +597,14 @@ static int pid_notify_with_fds_internal( + if (address.sockaddr.sa.sa_family == AF_VSOCK && IN_SET(type, SOCK_STREAM, SOCK_SEQPACKET)) { + /* For AF_VSOCK, we need to close the socket to signal the end of the message. */ + if (shutdown(fd, SHUT_WR) < 0) +- return log_error_errno(errno, "Failed to shutdown notify socket: %m"); ++ return log_debug_errno(errno, "Failed to shutdown notify socket: %m"); + +- char buf[1]; +- n = recv(fd, buf, sizeof(buf), MSG_NOSIGNAL); +- if (n > 0) +- return log_error_errno(errno, "Unexpectedly received data on notify socket: %m"); ++ char c; ++ n = recv(fd, &c, sizeof(c), MSG_NOSIGNAL); + if (n < 0) +- return log_error_errno(errno, "Failed to wait for EOF on notify socket: %m"); ++ return log_debug_errno(errno, "Failed to wait for EOF on notify socket: %m"); ++ if (n > 0) ++ return log_debug_errno(SYNTHETIC_ERRNO(EPROTO), "Unexpectedly received data on notify socket."); + } + + return 1; +-- +2.33.0 + diff --git a/backport-sd-device-add-missing-debugging-log.patch b/backport-sd-device-add-missing-debugging-log.patch new file mode 100644 index 0000000..7705e87 --- /dev/null +++ b/backport-sd-device-add-missing-debugging-log.patch 
@@ -0,0 +1,30 @@
+From e8bd67dec1eef27d54c81d6958bbcdf9b897df1c Mon Sep 17 00:00:00 2001
+From: Yu Watanabe
+Date: Sun, 5 Jan 2025 03:09:29 +0900
+Subject: [PATCH 1070/1160] sd-device: add missing debugging log
+
+It was unexpectedly dropped by 660087dc9c4a5c610da99e7b6b1772e371eb0a80.
+
+(cherry picked from commit 7e5238625ed4a879c2fe8ff7e457021d174bf083)
+(cherry picked from commit b3951fb0a8e1d0b1158602567dfc1cfb4ef50f49)
+(cherry picked from commit df94304c84f5d8df33822dfef819d8fac1da467b)
+---
+ src/libsystemd/sd-device/sd-device.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/libsystemd/sd-device/sd-device.c b/src/libsystemd/sd-device/sd-device.c
+index 01e66b4658..5f7491e8e2 100644
+--- a/src/libsystemd/sd-device/sd-device.c
++++ b/src/libsystemd/sd-device/sd-device.c
+@@ -234,7 +234,7 @@ int device_set_syspath(sd_device *device, const char *_syspath, bool verify) {
+
+ r = path_simplify_alloc(_syspath, &syspath);
+ if (r < 0)
+- return r;
++ return log_oom_debug();
+ }
+
+ assert_se(devpath = startswith(syspath, "/sys"));
+--
+2.33.0
+
diff --git a/backport-sd-device-introduce-device_get_sysattr_unsigned_full.patch b/backport-sd-device-introduce-device_get_sysattr_unsigned_full.patch
new file mode 100644
index 0000000..5f8214d
--- /dev/null
+++ b/backport-sd-device-introduce-device_get_sysattr_unsigned_full.patch
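Review bot: `return log_oom_debug();` discards `r`, so if `path_simplify_alloc()` can fail with anything other than -ENOMEM the caller now gets ENOMEM and a misleading out-of-memory log; that is only correct if allocation is the helper's sole failure mode, which the hunk does not show. If that is its contract, the line deserves `/* path_simplify_alloc() can only fail on allocation */`; otherwise `return log_debug_errno(r, "Failed to simplify syspath '%s': %m", _syspath);` keeps the original error. device_set_syspath() begins and ends outside the hunk.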
@@ -0,0 +1,53 @@ +From 2bea349ff3eb30a71967cca26703d85e94cc8210 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Mon, 8 Apr 2024 11:56:58 +0900 +Subject: [PATCH 0534/1160] sd-device: introduce + device_get_sysattr_unsigned_full() + +(cherry picked from commit 705c418f20ac518cd4c6825eee308bc621a18d33) +--- + src/libsystemd/sd-device/device-private.h | 5 ++++- + src/libsystemd/sd-device/sd-device.c | 4 ++-- + 2 files changed, 6 insertions(+), 3 deletions(-) + +diff --git a/src/libsystemd/sd-device/device-private.h b/src/libsystemd/sd-device/device-private.h +index b903d1afd6..e8a6d52cab 100644 +--- a/src/libsystemd/sd-device/device-private.h ++++ b/src/libsystemd/sd-device/device-private.h +@@ -20,7 +20,10 @@ int device_opendir(sd_device *device, const char *subdir, DIR **ret); + int device_get_property_bool(sd_device *device, const char *key); + int device_get_property_int(sd_device *device, const char *key, int *ret); + int device_get_sysattr_int(sd_device *device, const char *sysattr, int *ret_value); +-int device_get_sysattr_unsigned(sd_device *device, const char *sysattr, unsigned *ret_value); ++int device_get_sysattr_unsigned_full(sd_device *device, const char *sysattr, unsigned base, unsigned *ret_value); ++static inline int device_get_sysattr_unsigned(sd_device *device, const char *sysattr, unsigned *ret_value) { ++ return device_get_sysattr_unsigned_full(device, sysattr, 0, ret_value); ++} + int device_get_sysattr_bool(sd_device *device, const char *sysattr); + int device_get_device_id(sd_device *device, const char **ret); + int device_get_devlink_priority(sd_device *device, int *ret); +diff --git a/src/libsystemd/sd-device/sd-device.c b/src/libsystemd/sd-device/sd-device.c +index 2fbc619a34..01e66b4658 100644 +--- a/src/libsystemd/sd-device/sd-device.c ++++ b/src/libsystemd/sd-device/sd-device.c +@@ -2435,7 +2435,7 @@ int device_get_sysattr_int(sd_device *device, const char *sysattr, int *ret_valu + return v > 0; + } + +-int 
device_get_sysattr_unsigned(sd_device *device, const char *sysattr, unsigned *ret_value) { ++int device_get_sysattr_unsigned_full(sd_device *device, const char *sysattr, unsigned base, unsigned *ret_value) { + const char *value; + int r; + +@@ -2444,7 +2444,7 @@ int device_get_sysattr_unsigned(sd_device *device, const char *sysattr, unsigned + return r; + + unsigned v; +- r = safe_atou(value, &v); ++ r = safe_atou_full(value, base, &v); + if (r < 0) + return log_device_debug_errno(device, r, "Failed to parse '%s' attribute: %m", sysattr); + +-- +2.33.0 + diff --git a/backport-sd-device-remove-debug-log-message-when-dirs-are-mis.patch b/backport-sd-device-remove-debug-log-message-when-dirs-are-mis.patch new file mode 100644 index 0000000..35646ca --- /dev/null +++ b/backport-sd-device-remove-debug-log-message-when-dirs-are-mis.patch 
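Review bot: The new `base` parameter of `device_get_sysattr_unsigned_full()` is undocumented at its declaration in device-private.h, and the inline wrapper passes `0`, presumably meaning auto-detection; since sysattr contents come from the kernel and may carry a `0x` prefix, callers need to know whether base 0 accepts such prefixes and whether flags may be OR'ed into the value, as the name safe_atou_full() suggests. I'd add above the prototype: `/* base: numeric base handed to safe_atou_full(); 0 selects its auto-detection. */`, adjusted to whatever that helper actually accepts. The remainder of the function body is outside the hunk.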
@@ -0,0 +1,91 @@ +From a321caf0583cc70cf1ba66bdc41d07175ccc1f2a Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Wed, 17 Jul 2024 15:56:59 +0200 +Subject: [PATCH 0783/1160] sd-device: remove debug log message when dirs are + missing + +This is a common case, and nothing noteworthy at all. For example, if we +establish an enumerator for listing all devices tagged by some tag, then +the per-tag dir is not going to exist if there are currently no devices +tagged that way, but that's a really common case, and doesn't really +deserve any mention, not even at debug level. + +(cherry picked from commit a68c97a54527cacaeeac0c117493639fc455ef5e) +(cherry picked from commit 8aa9e60f89f84a90fb364ee66cf62432a6b877ba) +--- + src/libsystemd/sd-device/device-enumerator.c | 34 ++++++++------------ + 1 file changed, 13 insertions(+), 21 deletions(-) + +diff --git a/src/libsystemd/sd-device/device-enumerator.c b/src/libsystemd/sd-device/device-enumerator.c +index 15c5c42ade..edb0d493d4 100644 +--- a/src/libsystemd/sd-device/device-enumerator.c ++++ b/src/libsystemd/sd-device/device-enumerator.c +@@ -707,13 +707,11 @@ static int enumerator_scan_dir_and_add_devices( + + dir = opendir(path); + if (!dir) { +- bool ignore = errno == ENOENT; ++ /* This is necessarily racey, so ignore missing directories */ ++ if (errno == ENOENT) ++ return 0; + +- /* this is necessarily racey, so ignore missing directories */ +- log_debug_errno(errno, +- "sd-device-enumerator: Failed to open directory %s%s: %m", +- path, ignore ? ", ignoring" : ""); +- return ignore ? 0 : -errno; ++ return log_debug_errno(errno, "sd-device-enumerator: Failed to open directory '%s': %m", path); + } + + FOREACH_DIRENT_ALL(de, dir, return -errno) { +@@ -773,12 +771,10 @@ static int enumerator_scan_dir( + + dir = opendir(path); + if (!dir) { +- bool ignore = errno == ENOENT; ++ if (errno == ENOENT) ++ return 0; + +- log_debug_errno(errno, +- "sd-device-enumerator: Failed to open directory %s%s: %m", +- path, ignore ? 
", ignoring" : ""); +- return ignore ? 0 : -errno; ++ return log_debug_errno(errno, "sd-device-enumerator: Failed to open directory '%s': %m", path); + } + + FOREACH_DIRENT_ALL(de, dir, return -errno) { +@@ -810,12 +806,10 @@ static int enumerator_scan_devices_tag(sd_device_enumerator *enumerator, const c + + dir = opendir(path); + if (!dir) { +- bool ignore = errno == ENOENT; ++ if (errno == ENOENT) ++ return 0; + +- log_debug_errno(errno, +- "sd-device-enumerator: Failed to open directory %s%s: %m", +- path, ignore ? ", ignoring" : ""); +- return ignore ? 0 : -errno; ++ return log_debug_errno(errno, "sd-device-enumerator: Failed to open directory '%s': %m", path); + } + + /* TODO: filter away subsystems? */ +@@ -898,12 +892,10 @@ static int parent_crawl_children(sd_device_enumerator *enumerator, const char *p + + dir = opendir(path); + if (!dir) { +- bool ignore = errno == ENOENT; ++ if (errno == ENOENT) ++ return 0; + +- log_debug_errno(errno, +- "sd-device-enumerator: Failed to open directory %s%s: %m", +- path, ignore ? ", ignoring" : ""); +- return ignore ? 0 : -errno; ++ return log_debug_errno(errno, "sd-device-enumerator: Failed to open directory '%s': %m", path); + } + + FOREACH_DIRENT_ALL(de, dir, return -errno) { +-- +2.33.0 + diff --git a/backport-sd-dhcp-server-clear-buffer-before-receive.patch b/backport-sd-dhcp-server-clear-buffer-before-receive.patch new file mode 100644 index 0000000..cd754a2 --- /dev/null +++ b/backport-sd-dhcp-server-clear-buffer-before-receive.patch 
@@ -0,0 +1,34 @@ +From aa93c07b3a5701f13163b190ee4e6ffd4de32eb5 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Wed, 12 Jun 2024 00:48:56 +0900 +Subject: [PATCH 0689/1160] sd-dhcp-server: clear buffer before receive + +I do not think this is necessary, but all other places in +libsystemd-network we clear buffer before receive. Without this, +Coverity warns about use-of-uninitialized-values. +Let's silence Coverity. + +Closes CID#1469721. + +(cherry picked from commit 40f9fa0af4c3094d93e833e62f7e301cd453da62) +(cherry picked from commit 0d573787ea1610ba57a359cf437841f62b186e77) +--- + src/libsystemd-network/sd-dhcp-server.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/libsystemd-network/sd-dhcp-server.c b/src/libsystemd-network/sd-dhcp-server.c +index b87e4d62aa..b59dc36a37 100644 +--- a/src/libsystemd-network/sd-dhcp-server.c ++++ b/src/libsystemd-network/sd-dhcp-server.c +@@ -1408,7 +1408,7 @@ static int server_receive_message(sd_event_source *s, int fd, + /* Preallocate the additional size for DHCP Relay Agent Information Option if needed */ + buflen += relay_agent_information_length(server->agent_circuit_id, server->agent_remote_id) + 2; + +- message = malloc(buflen); ++ message = malloc0(buflen); + if (!message) + return -ENOMEM; + +-- +2.33.0 + diff --git a/backport-sd-dhcp-server-refuse-invalid-hostname-in-request.patch b/backport-sd-dhcp-server-refuse-invalid-hostname-in-request.patch new file mode 100644 index 0000000..859341e --- /dev/null +++ b/backport-sd-dhcp-server-refuse-invalid-hostname-in-request.patch 
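Review bot: The switch from malloc() to malloc0() in server_receive_message() is justified only in the commit message, which also says it is believed unnecessary, so a later reader may revert it as a per-packet cost on the receive path. A one-line comment at the allocation would pin the intent, e.g. `/* Zero-fill so option parsing never observes stale bytes beyond what recvmsg() actually wrote (CID#1469721) */`. The rest of server_receive_message() is outside the hunk, so whether anything reads past the received length cannot be confirmed here.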
@@ -0,0 +1,105 @@ +From f72058f67c20729c1f61ebadae5a8cf32e5d56dd Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Tue, 12 Mar 2024 01:47:17 +0900 +Subject: [PATCH 0341/1160] sd-dhcp-server: refuse invalid hostname in request + +Currently, the received hostname is not used for assigning an address to +the host, or options in the subsequent reply message. But, the parsed +hostname is exposed through DBus, and possibly Varlink in the future. +Let's ignore spurious hostname. + +(cherry picked from commit 5a2f378362f2b16f8d837aec4c44532eed737a03) +--- + src/libsystemd-network/dhcp-option.c | 31 +++++++++++++++++++++++++ + src/libsystemd-network/dhcp-option.h | 1 + + src/libsystemd-network/sd-dhcp-server.c | 14 ++++++----- + 3 files changed, 40 insertions(+), 6 deletions(-) + +diff --git a/src/libsystemd-network/dhcp-option.c b/src/libsystemd-network/dhcp-option.c +index 8f4e8f3a1e..56790913d3 100644 +--- a/src/libsystemd-network/dhcp-option.c ++++ b/src/libsystemd-network/dhcp-option.c +@@ -10,6 +10,8 @@ + #include "alloc-util.h" + #include "dhcp-option.h" + #include "dhcp-server-internal.h" ++#include "dns-domain.h" ++#include "hostname-util.h" + #include "memory-util.h" + #include "ordered-set.h" + #include "strv.h" +@@ -420,6 +422,35 @@ int dhcp_option_parse_string(const uint8_t *option, size_t len, char **ret) { + return 0; + } + ++int dhcp_option_parse_hostname(const uint8_t *option, size_t len, char **ret) { ++ _cleanup_free_ char *hostname = NULL; ++ int r; ++ ++ assert(option); ++ assert(ret); ++ ++ r = dhcp_option_parse_string(option, len, &hostname); ++ if (r < 0) ++ return r; ++ ++ if (!hostname) { ++ *ret = NULL; ++ return 0; ++ } ++ ++ if (!hostname_is_valid(hostname, 0)) ++ return -EINVAL; ++ ++ r = dns_name_is_valid(hostname); ++ if (r < 0) ++ return r; ++ if (r == 0) ++ return -EINVAL; ++ ++ *ret = TAKE_PTR(hostname); ++ return 0; ++} ++ + static sd_dhcp_option* dhcp_option_free(sd_dhcp_option *i) { + if (!i) + return NULL; +diff --git 
a/src/libsystemd-network/dhcp-option.h b/src/libsystemd-network/dhcp-option.h +index 425f5b5016..aaa8f847b1 100644 +--- a/src/libsystemd-network/dhcp-option.h ++++ b/src/libsystemd-network/dhcp-option.h +@@ -44,3 +44,4 @@ int dhcp_option_parse( + char **ret_error_message); + + int dhcp_option_parse_string(const uint8_t *option, size_t len, char **ret); ++int dhcp_option_parse_hostname(const uint8_t *option, size_t len, char **ret); +diff --git a/src/libsystemd-network/sd-dhcp-server.c b/src/libsystemd-network/sd-dhcp-server.c +index fcc5b74364..b87e4d62aa 100644 +--- a/src/libsystemd-network/sd-dhcp-server.c ++++ b/src/libsystemd-network/sd-dhcp-server.c +@@ -808,14 +808,16 @@ static int parse_request(uint8_t code, uint8_t len, const void *option, void *us + req->agent_info_option = (uint8_t*)option - 2; + + break; +- case SD_DHCP_OPTION_HOST_NAME: +- r = dhcp_option_parse_string(option, len, &req->hostname); +- if (r < 0) { +- log_debug_errno(r, "Failed to parse hostname, ignoring: %m"); +- return 0; +- } ++ case SD_DHCP_OPTION_HOST_NAME: { ++ _cleanup_free_ char *p = NULL; + ++ r = dhcp_option_parse_hostname(option, len, &p); ++ if (r < 0) ++ log_debug_errno(r, "Failed to parse hostname, ignoring: %m"); ++ else ++ free_and_replace(req->hostname, p); + break; ++ } + case SD_DHCP_OPTION_PARAMETER_REQUEST_LIST: + req->parameter_request_list = option; + req->parameter_request_list_len = len; +-- +2.33.0 + diff --git a/backport-sd-event-change-error-code-EINVAL-EIO.patch b/backport-sd-event-change-error-code-EINVAL-EIO.patch index e60a006..4a46443 100644 --- a/backport-sd-event-change-error-code-EINVAL-EIO.patch +++ b/backport-sd-event-change-error-code-EINVAL-EIO.patch @@ -1,7 +1,7 @@ -From 42885ab01726b5937390704f1d6ec33f0321fd53 Mon Sep 17 00:00:00 2001 +From da81ee2f78526f78b3c57661a59de681d208e35e Mon Sep 17 00:00:00 2001 
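Review bot: dhcp_option_parse_hostname() in dhcp-option.c has no comment explaining why a value already parsed by dhcp_option_parse_string() is additionally checked with hostname_is_valid() and dns_name_is_valid(); the reason given in the commit message (the value is client-controlled and exposed over D-Bus) belongs at the function. Suggest a header comment such as `/* Like dhcp_option_parse_string(), but rejects names that are not valid hostnames/DNS names: the value comes from an untrusted client and is exported via the bus API. */`. In parse_request() a rejected name now leaves any previously parsed req->hostname in place rather than aborting option parsing, which appears intended given the free_and_replace() on the success path, but is worth a word in the same comment. parse_request() starts and ends outside the hunk.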
From: Yu Watanabe Date: Sun, 4 Aug 2024 11:29:03 +0900 -Subject: [PATCH] sd-event: change error code -EINVAL -> -EIO +Subject: [PATCH 0804/1160] sd-event: change error code -EINVAL -> -EIO EINVAL should be used when a function is called with an invalid argument. Here, the signal is not a function argument. @@ -10,16 +10,12 @@ Follow-up for 7a64c5f23efbb51fe4f1229c1a8aed6dd858a0a9. (cherry picked from commit ab9af70edb23f2a66e93e2e16f87cd98873885b7) (cherry picked from commit 84f0eda3781f49ff7f3035861b02fe247b89d65e) -(cherry picked from commit da81ee2f78526f78b3c57661a59de681d208e35e) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/ab9af70edb23f2a66e93e2e16f87cd98873885b7 --- src/libsystemd/sd-event/sd-event.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/libsystemd/sd-event/sd-event.c b/src/libsystemd/sd-event/sd-event.c -index 97678a4b5e..cd78d39eb4 100644 +index 14135cb70d..25f3b1fc4f 100644 --- a/src/libsystemd/sd-event/sd-event.c +++ b/src/libsystemd/sd-event/sd-event.c @@ -3831,7 +3831,7 @@ static int process_signal(sd_event *e, struct signal_data *d, uint32_t events, i diff --git a/backport-sd-event-do-not-assert-on-invalid-signal.patch b/backport-sd-event-do-not-assert-on-invalid-signal.patch index f34510e..5ef2643 100644 --- a/backport-sd-event-do-not-assert-on-invalid-signal.patch +++ b/backport-sd-event-do-not-assert-on-invalid-signal.patch @@ -1,7 +1,7 @@ -From 74fa56ebc3d323bd6cd2315eb8b1057f0ea359a8 Mon Sep 17 00:00:00 2001 +From 5fa8b5d74aa81e884613ba68c6f765834e6dd02c Mon Sep 17 00:00:00 2001 From: David Tardon Date: Thu, 25 Jul 2024 10:06:34 +0200 -Subject: [PATCH] sd-event: do not assert on invalid signal +Subject: [PATCH 0803/1160] sd-event: do not assert on invalid signal The signalfd_siginfo struct is received from outside via a FD, hence assert() is not appropriate way to check it. Just do a normal runtime 
@@ -9,16 +9,12 @@ check. (cherry picked from commit 7a64c5f23efbb51fe4f1229c1a8aed6dd858a0a9) (cherry picked from commit 7a48ea958bf146a45cb4a3b7ff7aeb5885469196) -(cherry picked from commit 5fa8b5d74aa81e884613ba68c6f765834e6dd02c) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/7a64c5f23efbb51fe4f1229c1a8aed6dd858a0a9 --- src/libsystemd/sd-event/sd-event.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/libsystemd/sd-event/sd-event.c b/src/libsystemd/sd-event/sd-event.c -index 3cc37371b6..97678a4b5e 100644 +index b6899df192..14135cb70d 100644 --- a/src/libsystemd/sd-event/sd-event.c +++ b/src/libsystemd/sd-event/sd-event.c @@ -3830,7 +3830,8 @@ static int process_signal(sd_event *e, struct signal_data *d, uint32_t events, i diff --git a/backport-sd-event-fix-fd-leak-when-fd-is-owned-by-IO-event-source.patch b/backport-sd-event-fix-fd-leak-when-fd-is-owned-by-IO-event-source.patch index 1250f84..2070ed1 100644 --- a/backport-sd-event-fix-fd-leak-when-fd-is-owned-by-IO-event-source.patch +++ b/backport-sd-event-fix-fd-leak-when-fd-is-owned-by-IO-event-source.patch @@ -1,12 +1,17 @@ -From 2c30104f8344406e71b792a8691af60af3afe177 Mon Sep 17 00:00:00 2001 +From 6d2dd436429aafcbb3fd8c99f6b69c9a108bf7f9 Mon Sep 17 00:00:00 2001 
From: Yu Watanabe -Date: Tue, 2 Jul 2024 09:55:57 +0800 -Subject: [PATCH] sd-event: fix fd leak when fd is owned by IO event source - When an IO event source owns relevant fd, replacing with a new fd leaks the - previously assigned fd. === sd_event_add_io(event, &s, fd, ...); - sd_event_source_set_io_fd_own(s, true); sd_event_source_set_io_fd(s, new_fd); - <-- The previous fd is not closed. sd_event_source_unref(s); <-- new_fd is - closed as expected. === +Date: Mon, 22 Apr 2024 05:22:24 +0900 +Subject: [PATCH 0510/1160] sd-event: fix fd leak when fd is owned by IO event + source + +When an IO event source owns relevant fd, replacing with a new fd leaks +the previously assigned fd. +=== +sd_event_add_io(event, &s, fd, ...); +sd_event_source_set_io_fd_own(s, true); +sd_event_source_set_io_fd(s, new_fd); <-- The previous fd is not closed. +sd_event_source_unref(s); <-- new_fd is closed as expected. +=== Without the change, valgrind reports the leak: ==998589== @@ -27,12 +32,7 @@ Without the change, valgrind reports the leak: ==998589== For lists of detected and suppressed errors, rerun with: -s ==998589== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0) -(cherry picked from commit 2fa4805) -(cherry picked from commit 6d2dd43) -(cherry picked from commit 5f8cf63) - -Conflict:test case adaptation -Reference:https://github.com/systemd/systemd-stable/commit/a4bb56c61a7bfef9bab3380b3c18709ab8fef3d8 +(cherry picked from commit 2fa480592d4f4334881361c5558f563e5ea4c9c3) --- man/sd_event_add_io.xml | 24 ++++++++++++++---------- src/libsystemd/sd-event/sd-event.c | 17 ++++++++--------- @@ -40,7 +40,7 @@ Reference:https://github.com/systemd/systemd-stable/commit/a4bb56c61a7bfef9bab33 3 files changed, 40 insertions(+), 19 deletions(-) diff --git a/man/sd_event_add_io.xml b/man/sd_event_add_io.xml -index da0fa58..9d4fd27 100644 +index da0fa58227..9d4fd2726e 100644 --- a/man/sd_event_add_io.xml +++ b/man/sd_event_add_io.xml @@ -216,16 +216,20 @@ 
@@ -75,10 +75,10 @@ index da0fa58..9d4fd27 100644 sd_event_source_get_io_fd_own() may be used to query the current setting of the file descriptor ownership boolean flag as set with sd_event_source_set_io_fd_own(). It returns diff --git a/src/libsystemd/sd-event/sd-event.c b/src/libsystemd/sd-event/sd-event.c -index d53a7a1..0b59f63 100644 +index 288798a0dc..82ea6df0ec 100644 --- a/src/libsystemd/sd-event/sd-event.c +++ b/src/libsystemd/sd-event/sd-event.c -@@ -2696,7 +2696,7 @@ _public_ int sd_event_source_get_io_fd(sd_event_source *s) { +@@ -2637,7 +2637,7 @@ _public_ int sd_event_source_get_io_fd(sd_event_source *s) { } _public_ int sd_event_source_set_io_fd(sd_event_source *s, int fd) { @@ -87,7 +87,7 @@ index d53a7a1..0b59f63 100644 assert_return(s, -EINVAL); assert_return(fd >= 0, -EBADF); -@@ -2706,16 +2706,12 @@ _public_ int sd_event_source_set_io_fd(sd_event_source *s, int fd) { +@@ -2647,16 +2647,12 @@ _public_ int sd_event_source_set_io_fd(sd_event_source *s, int fd) { if (s->io.fd == fd) return 0; @@ -108,28 +108,28 @@ index d53a7a1..0b59f63 100644 s->io.registered = false; r = source_io_register(s, s->enabled, s->io.events); -@@ -2727,6 +2723,9 @@ _public_ int sd_event_source_set_io_fd(sd_event_source *s, int fd) { - +@@ -2669,6 +2665,9 @@ _public_ int sd_event_source_set_io_fd(sd_event_source *s, int fd) { (void) epoll_ctl(s->event->epoll_fd, EPOLL_CTL_DEL, saved_fd, NULL); } -+ + + if (s->io.owned) + safe_close(saved_fd); - ++ return 0; } + diff --git a/src/libsystemd/sd-event/test-event.c b/src/libsystemd/sd-event/test-event.c -index 63d3ee7..695b0ed 100644 +index 63d3ee7284..cc3d84e2fd 100644 --- a/src/libsystemd/sd-event/test-event.c 
+++ b/src/libsystemd/sd-event/test-event.c -@@ -809,6 +809,24 @@ TEST(inotify_process_buffered_data) { - assert_se(sd_event_wait(e, 0) == 0); +@@ -828,6 +828,24 @@ TEST(fork) { + assert_se(r >= 0); } +TEST(sd_event_source_set_io_fd) { + _cleanup_(sd_event_source_unrefp) sd_event_source *s = NULL; + _cleanup_(sd_event_unrefp) sd_event *e = NULL; -+ _cleanup_close_pair_ int pfd_a[2] = { -EBADF, -EBADF }, pfd_b[2] = { -EBADF, -EBADF }; ++ _cleanup_close_pair_ int pfd_a[2] = EBADF_PAIR, pfd_b[2] = EBADF_PAIR; + + assert_se(sd_event_default(&e) >= 0); + @@ -144,9 +144,9 @@ index 63d3ee7..695b0ed 100644 + TAKE_FD(pfd_b[0]); +} + - TEST(fork) { - _cleanup_(sd_event_unrefp) sd_event *e = NULL; - int r; + static int hup_callback(sd_event_source *s, int fd, uint32_t revents, void *userdata) { + unsigned *c = userdata; + -- -2.27.0 +2.33.0 diff --git a/backport-sd-event-fix-memleak-when-built-without-assertion.patch b/backport-sd-event-fix-memleak-when-built-without-assertion.patch new file mode 100644 index 0000000..fbfac31 --- /dev/null +++ b/backport-sd-event-fix-memleak-when-built-without-assertion.patch 
@@ -0,0 +1,74 @@ +From 261469e369c0d2ea6dafb27b745d771ab98f627b Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Sat, 26 Oct 2024 03:25:26 +0900 +Subject: [PATCH 0969/1160] sd-event: fix memleak when built without assertion + +Fixes a bug introduced by baf3fdec27f0b3a1f3d39c7def2a778824cbee51. + +This also adds several assertions at the beginning of the function. + +Fixes #34899. + +(cherry picked from commit 5dc0668802cd07cdca2dc5bda52cc1e63b57f145) +(cherry picked from commit 7455e7622113969866ed116d101aa54cfe2b1f7e) +--- + src/libsystemd/sd-event/sd-event.c | 13 ++++++++----- + 1 file changed, 8 insertions(+), 5 deletions(-) + +diff --git a/src/libsystemd/sd-event/sd-event.c b/src/libsystemd/sd-event/sd-event.c +index 25f3b1fc4f..b3541a1429 100644 +--- a/src/libsystemd/sd-event/sd-event.c ++++ b/src/libsystemd/sd-event/sd-event.c +@@ -5219,6 +5219,9 @@ _public_ int sd_event_set_signal_exit(sd_event *e, int b) { + int r; + + assert_return(e, -EINVAL); ++ assert_return(e = event_resolve(e), -ENOPKG); ++ assert_return(e->state != SD_EVENT_FINISHED, -ESTALE); ++ assert_return(!event_origin_changed(e), -ECHILD); + + if (b) { + /* We want to maintain pointers to these event sources, so that we can destroy them when told +@@ -5230,7 +5233,7 @@ _public_ int sd_event_set_signal_exit(sd_event *e, int b) { + if (r < 0) + return r; + +- assert(sd_event_source_set_floating(e->sigint_event_source, true) >= 0); ++ assert_se(sd_event_source_set_floating(e->sigint_event_source, true) >= 0); + change = true; + } + +@@ -5238,26 +5241,26 @@ _public_ int sd_event_set_signal_exit(sd_event *e, int b) { + r = sd_event_add_signal(e, &e->sigterm_event_source, SIGTERM | SD_EVENT_SIGNAL_PROCMASK, NULL, NULL); + if (r < 0) { + if (change) { +- assert(sd_event_source_set_floating(e->sigint_event_source, false) >= 0); ++ assert_se(sd_event_source_set_floating(e->sigint_event_source, false) >= 0); + e->sigint_event_source = sd_event_source_unref(e->sigint_event_source); + } + + return r; + } 
+ +- assert(sd_event_source_set_floating(e->sigterm_event_source, true) >= 0); ++ assert_se(sd_event_source_set_floating(e->sigterm_event_source, true) >= 0); + change = true; + } + + } else { + if (e->sigint_event_source) { +- assert(sd_event_source_set_floating(e->sigint_event_source, false) >= 0); ++ assert_se(sd_event_source_set_floating(e->sigint_event_source, false) >= 0); + e->sigint_event_source = sd_event_source_unref(e->sigint_event_source); + change = true; + } + + if (e->sigterm_event_source) { +- assert(sd_event_source_set_floating(e->sigterm_event_source, false) >= 0); ++ assert_se(sd_event_source_set_floating(e->sigterm_event_source, false) >= 0); + e->sigterm_event_source = sd_event_source_unref(e->sigterm_event_source); + change = true; + } +-- +2.33.0 + diff --git a/backport-sd-event-increase-test-event-timeout-to-120s.patch b/backport-sd-event-increase-test-event-timeout-to-120s.patch new file mode 100644 index 0000000..e3fb31c --- /dev/null +++ b/backport-sd-event-increase-test-event-timeout-to-120s.patch 
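Review bot: The assert() → assert_se() changes in sd_event_set_signal_exit() fix the real bug but carry no comment saying why assert_se() is required, so a future cleanup could turn them back into assert(). A short comment before the first such call, e.g. `/* assert_se(): the call has a side effect and must run even with NDEBUG, otherwise the source is never made floating and leaks */`, would make the choice self-documenting. The three added assert_return() lines presumably mirror the preamble of the other public sd-event entry points, which cannot be checked from the hunk. sd_event_set_signal_exit() continues past the end of the hunk.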
@@ -0,0 +1,40 @@ +From 1ec8328749abf28b951b9785206fcba1681a272a Mon Sep 17 00:00:00 2001 +From: Radoslav Kolev +Date: Tue, 14 May 2024 10:39:29 +0300 +Subject: [PATCH 0628/1160] sd-event: increase test-event timeout to 120s + +The test-event test seems to be taking quite a bit more time than +the other 'simple tests', which usually complete in < 1s. In case +of a slower or loaded machine the default 30s timeout is not enough. + +(cherry picked from commit 381c3b64d0a80ccda2ccb0dda6fe825878a6e150) +--- + src/libsystemd/meson.build | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/src/libsystemd/meson.build b/src/libsystemd/meson.build +index 5d18f974ba..4cc133a6d5 100644 +--- a/src/libsystemd/meson.build ++++ b/src/libsystemd/meson.build +@@ -159,6 +159,10 @@ libsystemd_tests += [ + 'sources' : files('sd-journal/test-journal-enum.c'), + 'timeout' : 360, + }, ++ { ++ 'sources' : files('sd-event/test-event.c'), ++ 'timeout' : 120, ++ } + ] + + ############################################################ +@@ -171,7 +175,6 @@ simple_tests += files( + 'sd-device/test-device-util.c', + 'sd-device/test-sd-device-monitor.c', + 'sd-device/test-sd-device.c', +- 'sd-event/test-event.c', + 'sd-journal/test-journal-flush.c', + 'sd-journal/test-journal-interleaving.c', + 'sd-journal/test-journal-stream.c', +-- +2.33.0 + diff --git a/backport-sd-event-sd-journal-fix-error-handling-of-inotify_ad.patch b/backport-sd-event-sd-journal-fix-error-handling-of-inotify_ad.patch new file mode 100644 index 0000000..d0d324d --- /dev/null +++ b/backport-sd-event-sd-journal-fix-error-handling-of-inotify_ad.patch 
@@ -0,0 +1,44 @@ +From 1dda154bbe27603437e4c5f43e3e2a52c4538cb6 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Fri, 19 Apr 2024 13:19:00 +0900 +Subject: [PATCH 0525/1160] sd-event,sd-journal: fix error handling of + inotify_add_watch_fd() + +Fixes a bug in 97ef5391697c34ee1c763fa9bddcd20a29ff3159 and +858749f7312bd0adb5433075a92e1c35a2fb56ac. + +(cherry picked from commit d5f24a0ea9ec6f5ddb0eb9d4c366d22400706f08) +--- + src/libsystemd/sd-event/sd-event.c | 2 +- + src/libsystemd/sd-journal/sd-journal.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/libsystemd/sd-event/sd-event.c b/src/libsystemd/sd-event/sd-event.c +index 82ea6df0ec..b6899df192 100644 +--- a/src/libsystemd/sd-event/sd-event.c ++++ b/src/libsystemd/sd-event/sd-event.c +@@ -2415,7 +2415,7 @@ static int inode_data_realize_watch(sd_event *e, struct inode_data *d) { + + wd = inotify_add_watch_fd(d->inotify_data->fd, d->fd, combined_mask); + if (wd < 0) +- return -errno; ++ return wd; + + if (d->wd < 0) { + r = hashmap_put(d->inotify_data->wd, INT_TO_PTR(wd), d); +diff --git a/src/libsystemd/sd-journal/sd-journal.c b/src/libsystemd/sd-journal/sd-journal.c +index 6b9ff0a4ed..ca1ef0cb7a 100644 +--- a/src/libsystemd/sd-journal/sd-journal.c ++++ b/src/libsystemd/sd-journal/sd-journal.c +@@ -1720,7 +1720,7 @@ static void directory_watch(sd_journal *j, Directory *m, int fd, uint32_t mask) + + m->wd = inotify_add_watch_fd(j->inotify_fd, fd, mask); + if (m->wd < 0) { +- log_debug_errno(errno, "Failed to watch journal directory '%s', ignoring: %m", m->path); ++ log_debug_errno(m->wd, "Failed to watch journal directory '%s', ignoring: %m", m->path); + return; + } + +-- +2.33.0 + diff --git a/backport-sd-id128-gracefully-handle-systems-where-kernel-keyr.patch b/backport-sd-id128-gracefully-handle-systems-where-kernel-keyr.patch new file mode 100644 index 0000000..95e3154 --- /dev/null +++ b/backport-sd-id128-gracefully-handle-systems-where-kernel-keyr.patch 
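Review bot: Both call sites now correctly treat inotify_add_watch_fd() as returning a negative errno, but neither says so, and the bug being fixed in inode_data_realize_watch() and directory_watch() was exactly a confusion with the raw inotify_add_watch() -1/errno convention. A comment at each call, e.g. `/* inotify_add_watch_fd() returns -errno on failure, not -1 */`, would guard against the same regression. In directory_watch() the failing `m->wd` is left holding the negative errno; that is fine as long as callers only test `m->wd < 0`, which cannot be verified from the hunk. Both functions start and end outside the hunk.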
@@ -0,0 +1,38 @@ +From e52806db521b91cfa9d96dcbfd112e74d9919ade Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Sun, 2 Mar 2025 07:51:05 +0100 +Subject: [PATCH 1144/1160] sd-id128: gracefully handle systems where kernel + keyring access is blocked + +In various scenarios we invoke containers with access to the kernel +keyring blocked. Let's make sure we can handle this properly: when the +invocation ID is stored in in the kernel keyring and we try to read it +and get EPERM we should handle it gracefully, like EOPNOTSUPP. + +(cherry picked from commit f2e38b01e052ebd50eaf98763bd9709e880c0a75) +(cherry picked from commit a2abc3b8ecef41dea432d39ff19cb66c6aa3baa9) +(cherry picked from commit 9cd3101704592c3022d22cac2c2877bd37768ba5) +--- + src/libsystemd/sd-id128/sd-id128.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/src/libsystemd/sd-id128/sd-id128.c b/src/libsystemd/sd-id128/sd-id128.c +index 9fda79ae26..d0f1be7619 100644 +--- a/src/libsystemd/sd-id128/sd-id128.c ++++ b/src/libsystemd/sd-id128/sd-id128.c +@@ -204,8 +204,10 @@ static int get_invocation_from_keyring(sd_id128_t *ret) { + + key = request_key("user", "invocation_id", NULL, 0); + if (key == -1) { +- /* Keyring support not available? No invocation key stored? */ +- if (IN_SET(errno, ENOSYS, ENOKEY)) ++ /* Keyring support not available? Keyring access locked down? No invocation key stored? */ ++ if (ERRNO_IS_NOT_SUPPORTED(errno) || ++ ERRNO_IS_PRIVILEGE(errno) || ++ errno == ENOKEY) + return -ENXIO; + + return -errno; +-- +2.33.0 + diff --git a/backport-sd-id128-mark-functions-as-const-not-pure.patch b/backport-sd-id128-mark-functions-as-const-not-pure.patch new file mode 100644 index 0000000..a91288f --- /dev/null +++ b/backport-sd-id128-mark-functions-as-const-not-pure.patch 
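Review bot: get_invocation_from_keyring() now folds a privilege error from request_key() into the same -ENXIO as the no-key case, so a caller cannot distinguish a container with keyring access blocked from a service that simply has no invocation ID, and the condition is silent. If the logging helpers are available in this file, a debug line before the return, e.g. `log_debug_errno(errno, "Keyring lookup of invocation ID unsupported or denied, treating as unset: %m");`, would keep the lockdown diagnosable. The updated comment could also state that -ENXIO is the callers' `not set` signal; the enclosing function ends outside the hunk.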
@@ -0,0 +1,60 @@ +From b166ddd3dccce64c76040e098621ba7627f987c6 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Mon, 28 Oct 2024 09:20:32 +0100 +Subject: [PATCH 0973/1160] sd-id128: mark functions as const, not pure + +We would need to use pure if the funtion was getting pointers and +dereferencing them. But sd128_t is a structure and those functions +only access the parameters of the call. + +(cherry picked from commit dc32b09b70c9bb20821df92ac82ace83d8a968e2) +(cherry picked from commit 3190a427b915976c9c11979acad20682e947a3c8) +--- + src/systemd/sd-id128.h | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/src/systemd/sd-id128.h b/src/systemd/sd-id128.h +index a984a9d85e..44eeca5144 100644 +--- a/src/systemd/sd-id128.h ++++ b/src/systemd/sd-id128.h +@@ -116,24 +116,24 @@ int sd_id128_get_boot_app_specific(sd_id128_t app_id, sd_id128_t *ret); + #define SD_ID128_MAKE_UUID_STR(a, b, c, d, e, f, g, h, i, j, k, l, m, n, o, p) \ + #a #b #c #d "-" #e #f "-" #g #h "-" #i #j "-" #k #l #m #n #o #p + +-_sd_pure_ static __inline__ int sd_id128_equal(sd_id128_t a, sd_id128_t b) { ++_sd_const_ static __inline__ int sd_id128_equal(sd_id128_t a, sd_id128_t b) { + return a.qwords[0] == b.qwords[0] && a.qwords[1] == b.qwords[1]; + } + + int sd_id128_string_equal(const char *s, sd_id128_t id); + +-_sd_pure_ static __inline__ int sd_id128_is_null(sd_id128_t a) { ++_sd_const_ static __inline__ int sd_id128_is_null(sd_id128_t a) { + return a.qwords[0] == 0 && a.qwords[1] == 0; + } + +-_sd_pure_ static __inline__ int sd_id128_is_allf(sd_id128_t a) { ++_sd_const_ static __inline__ int sd_id128_is_allf(sd_id128_t a) { + return a.qwords[0] == UINT64_C(0xFFFFFFFFFFFFFFFF) && a.qwords[1] == UINT64_C(0xFFFFFFFFFFFFFFFF); + } + + #define SD_ID128_NULL ((const sd_id128_t) { .qwords = { 0, 0 }}) + #define SD_ID128_ALLF ((const sd_id128_t) { .qwords = { UINT64_C(0xFFFFFFFFFFFFFFFF), UINT64_C(0xFFFFFFFFFFFFFFFF) }}) + 
+-_sd_pure_ static __inline__ int sd_id128_in_setv(sd_id128_t a, va_list ap) { ++_sd_const_ static __inline__ int sd_id128_in_setv(sd_id128_t a, va_list ap) { + for (;;) { + sd_id128_t b = va_arg(ap, sd_id128_t); + +@@ -145,7 +145,7 @@ _sd_pure_ static __inline__ int sd_id128_in_setv(sd_id128_t a, va_list ap) { + } + } + +-_sd_pure_ static __inline__ int sd_id128_in_set_sentinel(sd_id128_t a, ...) { ++_sd_const_ static __inline__ int sd_id128_in_set_sentinel(sd_id128_t a, ...) { + va_list ap; + int r; + +-- +2.33.0 + diff --git a/backport-sd-ipv4acd-fix-assertion-triggered-when-an-ARP-recei.patch b/backport-sd-ipv4acd-fix-assertion-triggered-when-an-ARP-recei.patch index 5326bf4..d650662 100644 --- a/backport-sd-ipv4acd-fix-assertion-triggered-when-an-ARP-recei.patch +++ b/backport-sd-ipv4acd-fix-assertion-triggered-when-an-ARP-recei.patch @@ -1,8 +1,8 @@ -From 8ed0c0bc4899f73934f3fc1c55c5cbb58b789a4d Mon Sep 17 00:00:00 2001 +From b054898f12f1987d5c6fae91e664cd7f57f7fdaa Mon Sep 17 00:00:00 2001 From: Yu Watanabe Date: Fri, 20 Sep 2024 09:58:12 +0900 -Subject: [PATCH] sd-ipv4acd: fix assertion triggered when an ARP received in - STARTED state +Subject: [PATCH 0879/1160] sd-ipv4acd: fix assertion triggered when an ARP + received in STARTED state When a network is busy, an ARP may be received before the timer event source triggered first time. @@ -11,16 +11,12 @@ Fixes #34489. (cherry picked from commit 146b44d0a0001712ced2f22ca76d242eedac26ad) (cherry picked from commit 06eb9b14829f3a5819f6daefb09fdb855cd868f4) -(cherry picked from commit b054898f12f1987d5c6fae91e664cd7f57f7fdaa) - -Conflict:NA -Reference:https://github.com/systemd/systemd/commit/146b44d0a0001712ced2f22ca76d242eedac26ad --- src/libsystemd-network/sd-ipv4acd.c | 1 + 1 file changed, 1 insertion(+) diff --git a/src/libsystemd-network/sd-ipv4acd.c b/src/libsystemd-network/sd-ipv4acd.c -index d34c63e854..c7102cc4f6 100644 +index 0cc37a60bc..39c08ac35d 100644 --- a/src/libsystemd-network/sd-ipv4acd.c 
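Review bot: Marking sd_id128_in_setv() and sd_id128_in_set_sentinel() `_sd_const_` looks incorrect: GCC's const attribute promises the function reads nothing but its argument values, yet va_arg() in sd_id128_in_setv() reads the variadic area through the va_list, and sd_id128_in_set_sentinel() reads its variadic arguments via va_start()/va_arg(); GCC documents that a function examining data through a pointer must not be declared const. For sd_id128_equal(), sd_id128_is_null() and sd_id128_is_allf(), which only inspect by-value structs, `_sd_const_` is right. Suggest keeping `_sd_pure_` on the two va_list-based functions, contrary to the commit message's claim that all of them only access call parameters. Both of those functions extend past the visible lines of the hunk.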
+++ b/src/libsystemd-network/sd-ipv4acd.c @@ -396,6 +396,7 @@ static int ipv4acd_on_packet( diff --git a/backport-sd-journal-check-sd-event-state-before-setting-up-po.patch b/backport-sd-journal-check-sd-event-state-before-setting-up-po.patch new file mode 100644 index 0000000..79c363b --- /dev/null +++ b/backport-sd-journal-check-sd-event-state-before-setting-up-po.patch 
@@ -0,0 +1,56 @@ +From 33ab1aa72e229e5eb5628d76194ef4c8672e1a32 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Fri, 29 Dec 2023 04:31:21 +0900 +Subject: [PATCH 0099/1160] sd-journal: check sd-event state before setting up + post change timer + +The similar check already exists in schedule_post_change(). + +The function is currently called at two places. +- journal_file_open() in sd-journal: + In this case, if the timer is not set up, then journal_file_post_change() + will be called at the end of journal_file_append_entry(). So, the necessary + task will be done sequentially when an journal entry is stored to the opened + journal file. That is desired when the function is called at outside of the + event loop. +- server_open_journal() in journald: + This is not called after we exit the event loop. + +So, we can safely do nothing in the function if the event loop is being +finished or already finished. + +Fixes #30644. + +(cherry picked from commit 5b201ffb1e72100dc7a112c95bbac0ccbc98ab0d) +--- + src/libsystemd/sd-journal/journal-file.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/src/libsystemd/sd-journal/journal-file.c b/src/libsystemd/sd-journal/journal-file.c +index 2812eb386a..d2493a027a 100644 +--- a/src/libsystemd/sd-journal/journal-file.c ++++ b/src/libsystemd/sd-journal/journal-file.c +@@ -2464,6 +2464,11 @@ int journal_file_enable_post_change_timer(JournalFile *f, sd_event *e, usec_t t) + assert(e); + assert(t); + ++ /* If we are already going down, we cannot install the timer. ++ * In such case, the caller needs to call journal_file_post_change() explicitly. 
*/ ++ if (IN_SET(sd_event_get_state(e), SD_EVENT_EXITING, SD_EVENT_FINISHED)) ++ return 0; ++ + r = sd_event_add_time(e, &timer, CLOCK_MONOTONIC, 0, 0, post_change_thunk, f); + if (r < 0) + return r; +@@ -2475,7 +2480,7 @@ int journal_file_enable_post_change_timer(JournalFile *f, sd_event *e, usec_t t) + f->post_change_timer = TAKE_PTR(timer); + f->post_change_timer_period = t; + +- return r; ++ return 1; + } + + static int entry_item_cmp(const EntryItem *a, const EntryItem *b) { +-- +2.33.0 + diff --git a/backport-sd-journal-downgrade-log-message-Unused-data-entry_o.patch b/backport-sd-journal-downgrade-log-message-Unused-data-entry_o.patch new file mode 100644 index 0000000..367c997 --- /dev/null +++ b/backport-sd-journal-downgrade-log-message-Unused-data-entry_o.patch 
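Review bot: journal_file_enable_post_change_timer() now returns 0 (timer not installed because the loop is exiting) or 1 (timer installed), but this new convention is only implied by the `return r;` → `return 1;` change and the early-return comment, and the function's start is outside the hunk. A doc comment at the definition, e.g. `/* Returns 1 if the timer was installed, 0 if the event loop is already exiting/finished and the caller must invoke journal_file_post_change() itself, negative errno on error. */`, would make the contract explicit for the two callers named in the commit message.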
@@ -0,0 +1,34 @@ +From 99886c0839a36bc1ab00c25bbedc112e83ce2040 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Sat, 20 Apr 2024 15:20:29 +0900 +Subject: [PATCH 0508/1160] sd-journal: downgrade log message "Unused data + (entry_offset==0)" + +This happens when journal is rotated after a data is written but before +an entry that linked to the data is not written yet. +This is neither data corruption, nor program error. Let's downgrade the +log level. + +Closes #32153. + +(cherry picked from commit cb7e892c22aeadef243ae69b4c73d13ae4331fcd) +--- + src/libsystemd/sd-journal/journal-verify.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/libsystemd/sd-journal/journal-verify.c b/src/libsystemd/sd-journal/journal-verify.c +index bdaa01d66f..b5ce55a418 100644 +--- a/src/libsystemd/sd-journal/journal-verify.c ++++ b/src/libsystemd/sd-journal/journal-verify.c +@@ -162,7 +162,7 @@ static int journal_file_object_verify(JournalFile *f, uint64_t offset, Object *o + int r; + + if (le64toh(o->data.entry_offset) == 0) +- warning(offset, "Unused data (entry_offset==0)"); ++ debug(offset, "Unused data (entry_offset==0)"); + + if ((le64toh(o->data.entry_offset) == 0) ^ (le64toh(o->data.n_entries) == 0)) { + error(offset, "Bad n_entries: %"PRIu64, le64toh(o->data.n_entries)); +-- +2.33.0 + diff --git a/backport-sd-journal-fix-check-in-journal_file_verify_header.patch b/backport-sd-journal-fix-check-in-journal_file_verify_header.patch new file mode 100644 index 0000000..d08cf28 --- /dev/null +++ b/backport-sd-journal-fix-check-in-journal_file_verify_header.patch 
@@ -0,0 +1,47 @@ +From dfd92415fee5e330a039dbb7c111f5c9b9191f7a Mon Sep 17 00:00:00 2001 +From: Antonio Alvarez Feijoo +Date: Fri, 5 Apr 2024 08:27:36 +0200 +Subject: [PATCH 0491/1160] sd-journal: fix check in + `journal_file_verify_header()` + +Fixes 6ea51363c8e39fb0924dda972a212936456a2b4f + +(cherry picked from commit 1eeae735ad3d42d60f6513dea6d9ab0d2d858e82) +--- + src/libsystemd/sd-journal/journal-file.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/src/libsystemd/sd-journal/journal-file.c b/src/libsystemd/sd-journal/journal-file.c +index d2493a027a..ff382c624c 100644 +--- a/src/libsystemd/sd-journal/journal-file.c ++++ b/src/libsystemd/sd-journal/journal-file.c +@@ -639,7 +639,7 @@ static int journal_file_verify_header(JournalFile *f) { + return -ENODATA; + if (!VALID_REALTIME(le64toh(f->header->tail_entry_realtime))) + return -ENODATA; +- if (!VALID_MONOTONIC(le64toh(f->header->tail_entry_realtime))) ++ if (!VALID_MONOTONIC(le64toh(f->header->tail_entry_monotonic))) + return -ENODATA; + } else { + /* Otherwise, the fields must be zero. */ +@@ -650,7 +650,7 @@ static int journal_file_verify_header(JournalFile *f) { + return -ENODATA; + if (f->header->tail_entry_realtime != 0) + return -ENODATA; +- if (f->header->tail_entry_realtime != 0) ++ if (f->header->tail_entry_monotonic != 0) + return -ENODATA; + } + } +@@ -2532,7 +2532,7 @@ int journal_file_append_entry( + ts->realtime); + if (!VALID_MONOTONIC(ts->monotonic)) + return log_debug_errno(SYNTHETIC_ERRNO(EBADMSG), +- "Invalid monotomic timestamp %" PRIu64 ", refusing entry.", ++ "Invalid monotonic timestamp %" PRIu64 ", refusing entry.", + ts->monotonic); + } else { + dual_timestamp_now(&_ts); +-- +2.33.0 + diff --git a/backport-sd-journal-use-stat_verify_linked.patch b/backport-sd-journal-use-stat_verify_linked.patch new file mode 100644 index 0000000..f48b7e0 --- /dev/null +++ b/backport-sd-journal-use-stat_verify_linked.patch 
@@ -0,0 +1,29 @@ +From aa45d8c39e5b859152ef7191a3a882878959bf90 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Thu, 15 Feb 2024 10:08:23 +0900 +Subject: [PATCH 0556/1160] sd-journal: use stat_verify_linked() + +(cherry picked from commit cb0d5f73e600c70026b031cd4046487582ac5452) +--- + src/libsystemd/sd-journal/journal-file.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/src/libsystemd/sd-journal/journal-file.c b/src/libsystemd/sd-journal/journal-file.c +index ff382c624c..08cbf86126 100644 +--- a/src/libsystemd/sd-journal/journal-file.c ++++ b/src/libsystemd/sd-journal/journal-file.c +@@ -736,8 +736,9 @@ int journal_file_fstat(JournalFile *f) { + return r; + + /* Refuse appending to files that are already deleted */ +- if (f->last_stat.st_nlink <= 0) +- return -EIDRM; ++ r = stat_verify_linked(&f->last_stat); ++ if (r < 0) ++ return r; + + return 0; + } +-- +2.33.0 + diff --git a/backport-sd-journal-verify-monotonic-timestamp-before-assigni.patch b/backport-sd-journal-verify-monotonic-timestamp-before-assigni.patch new file mode 100644 index 0000000..95d195c --- /dev/null +++ b/backport-sd-journal-verify-monotonic-timestamp-before-assigni.patch 
@@ -0,0 +1,41 @@ +From 6549d31b2c88ffecae9502aff6ff5e8fd4414bb6 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Wed, 1 May 2024 03:31:25 +0900 +Subject: [PATCH 0588/1160] sd-journal: verify monotonic timestamp before + assigning result + +Previously, ret_boot_id was assigned even when the function failed due +to an invalid monotonic timestamp stored for a journal entry. + +(cherry picked from commit c9df4714286223017aff1b2f32f96058d249d8ab) +--- + src/libsystemd/sd-journal/sd-journal.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/src/libsystemd/sd-journal/sd-journal.c b/src/libsystemd/sd-journal/sd-journal.c +index ca1ef0cb7a..7a1dd2569f 100644 +--- a/src/libsystemd/sd-journal/sd-journal.c ++++ b/src/libsystemd/sd-journal/sd-journal.c +@@ -2526,9 +2526,7 @@ _public_ int sd_journal_get_monotonic_usec(sd_journal *j, uint64_t *ret, sd_id12 + if (r < 0) + return r; + +- if (ret_boot_id) +- *ret_boot_id = o->entry.boot_id; +- else { ++ if (!ret_boot_id) { + sd_id128_t id; + + r = sd_id128_get_boot(&id); +@@ -2545,6 +2543,8 @@ _public_ int sd_journal_get_monotonic_usec(sd_journal *j, uint64_t *ret, sd_id12 + + if (ret) + *ret = t; ++ if (ret_boot_id) ++ *ret_boot_id = o->entry.boot_id; + + return 0; + } +-- +2.33.0 + diff --git a/backport-sd-netlink-fix-rtnl_resolve_link_alternative_name.patch b/backport-sd-netlink-fix-rtnl_resolve_link_alternative_name.patch new file mode 100644 index 0000000..ffc9c3a --- /dev/null +++ b/backport-sd-netlink-fix-rtnl_resolve_link_alternative_name.patch 
@@ -0,0 +1,45 @@ +From e85242fdf7dfbdbf1a9e96b9fdf91ad0ed0f3350 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Wed, 17 Jan 2024 11:57:21 +0900 +Subject: [PATCH 0156/1160] sd-netlink: fix + rtnl_resolve_link_alternative_name() + +Fixes a bug introduced by afdf6c3b6040ef43b05428b834f0f302c8ce9a1b. + +(cherry picked from commit 1cdd8b1b66ec478ea2ed81ffa371e93f4b27c61e) +--- + src/libsystemd/sd-netlink/netlink-util.c | 2 +- + src/libsystemd/sd-netlink/test-netlink.c | 4 ++++ + 2 files changed, 5 insertions(+), 1 deletion(-) + +diff --git a/src/libsystemd/sd-netlink/netlink-util.c b/src/libsystemd/sd-netlink/netlink-util.c +index 636af1a2d5..832159a649 100644 +--- a/src/libsystemd/sd-netlink/netlink-util.c ++++ b/src/libsystemd/sd-netlink/netlink-util.c +@@ -376,7 +376,7 @@ int rtnl_resolve_link_alternative_name(sd_netlink **rtnl, const char *name, char + assert(ifindex > 0); + + if (ret) { +- r = sd_netlink_message_read_string_strdup(message, IFLA_IFNAME, ret); ++ r = sd_netlink_message_read_string_strdup(reply, IFLA_IFNAME, ret); + if (r < 0) + return r; + } +diff --git a/src/libsystemd/sd-netlink/test-netlink.c b/src/libsystemd/sd-netlink/test-netlink.c +index 4c2d3173fb..13aedc4dbe 100644 +--- a/src/libsystemd/sd-netlink/test-netlink.c ++++ b/src/libsystemd/sd-netlink/test-netlink.c +@@ -677,6 +677,10 @@ TEST(rtnl_set_link_name) { + assert_se(!strv_contains(alternative_names, "testlongalternativename")); + assert_se(strv_contains(alternative_names, "test-additional-name")); + assert_se(!strv_contains(alternative_names, "test-shortname")); ++ ++ _cleanup_free_ char *resolved = NULL; ++ assert_se(rtnl_resolve_link_alternative_name(&rtnl, "test-additional-name", &resolved) == ifindex); ++ assert_se(streq_ptr(resolved, "test-shortname")); + } + + DEFINE_TEST_MAIN(LOG_DEBUG); +-- +2.33.0 + diff --git a/backport-sd-radv-fix-potential-buffer-overflow.patch b/backport-sd-radv-fix-potential-buffer-overflow.patch new file mode 100644 index 0000000..c9e176b --- /dev/null 
+++ b/backport-sd-radv-fix-potential-buffer-overflow.patch @@ -0,0 +1,33 @@ +From 0cb90f97fde1d809f72230537dd18abb3d12a6e2 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Mon, 19 Feb 2024 09:30:17 +0900 +Subject: [PATCH 0249/1160] sd-radv: fix potential buffer overflow + +Fixes a bug in 1925f829ab17cee7d65cc8c350d8281f8f41588e and +6a6d27bc5b08388964118e922f0c1b49b3c6a8ae (v255). + +(cherry picked from commit ac63c8df309e37960618610d8b57ac19ac657254) +--- + src/libsystemd-network/sd-radv.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/src/libsystemd-network/sd-radv.c b/src/libsystemd-network/sd-radv.c +index 511d06d805..97d306c49b 100644 +--- a/src/libsystemd-network/sd-radv.c ++++ b/src/libsystemd-network/sd-radv.c +@@ -146,9 +146,9 @@ static int radv_send(sd_radv *ra, const struct in6_addr *dst, usec_t lifetime_us + .nd_opt_mtu_type = ND_OPT_MTU, + .nd_opt_mtu_len = 1, + }; +- /* Reserve iov space for RA header, linkaddr, MTU, N prefixes, N routes, RDNSS +- and DNSSL */ +- struct iovec iov[5 + ra->n_prefixes + ra->n_route_prefixes]; ++ /* Reserve iov space for RA header, linkaddr, MTU, N prefixes, N routes, N pref64 prefixes, RDNSS, ++ * DNSSL, and home agent. */ ++ struct iovec iov[6 + ra->n_prefixes + ra->n_route_prefixes + ra->n_pref64_prefixes]; + struct msghdr msg = { + .msg_name = &dst_addr, + .msg_namelen = sizeof(dst_addr), +-- +2.33.0 + diff --git a/backport-sd-varlink-fix-bug-when-enqueuing-messages-with-fds-.patch b/backport-sd-varlink-fix-bug-when-enqueuing-messages-with-fds-.patch new file mode 100644 index 0000000..60f9703 --- /dev/null +++ b/backport-sd-varlink-fix-bug-when-enqueuing-messages-with-fds-.patch 
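Review bot: The corrected bound `struct iovec iov[6 + ra->n_prefixes + ra->n_route_prefixes + ra->n_pref64_prefixes]` is still a hand-maintained count of the fixed options, which is exactly how the previous undersizing arose when the pref64 and home-agent options were added without bumping the constant. Because this is a stack VLA, the next option added the same way would again write past the end silently. A cheap guard where the entries are stored (outside this hunk), such as `assert(i < ELEMENTSOF(iov));` before each assignment or an `assert(i <= ELEMENTSOF(iov));` before `msg.msg_iovlen` is set, would turn that into an assertion failure instead of a stack overwrite; the index variable name is not visible here. The body of radv_send() continues outside the hunk.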
@@ -0,0 +1,34 @@ +From 03d691f8b74d25fc3bea3bd26fc7fe1e864121f7 Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Wed, 20 Nov 2024 13:13:41 +0100 +Subject: [PATCH 1032/1160] sd-varlink: fix bug when enqueuing messages with + fds asynchronously + +When determining the poll events to wait for we need to take the queue +of pending messages that carry fds into account. Otherwise we might end +up not waking up if such an fd-carrying message is enqueued +asynchronously (i.e. not from a dispatch callback). + +(cherry picked from commit 7b4b3a8f7b76f266438fafb225b7980db68a276e) +(cherry picked from commit b2751b9ae97704ca75fddf2dd79b3ad2605bf629) +--- + src/shared/varlink.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/src/shared/varlink.c b/src/shared/varlink.c +index ede8099ea7..d3373266bc 100644 +--- a/src/shared/varlink.c ++++ b/src/shared/varlink.c +@@ -1547,7 +1547,8 @@ int varlink_get_events(Varlink *v) { + ret |= EPOLLIN; + + if (!v->write_disconnected && +- v->output_buffer_size > 0) ++ (v->output_queue || ++ v->output_buffer_size > 0)) + ret |= EPOLLOUT; + + return ret; +-- +2.33.0 + diff --git a/backport-seccomp-allowlist-uretprobe-syscall.patch b/backport-seccomp-allowlist-uretprobe-syscall.patch new file mode 100644 index 0000000..59cd532 --- /dev/null +++ b/backport-seccomp-allowlist-uretprobe-syscall.patch 
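Review bot: The new `(v->output_queue || v->output_buffer_size > 0)` condition in varlink_get_events() has no comment, so a reader cannot tell why a non-empty message queue, and not only bytes already in the output buffer, means the connection wants EPOLLOUT. A comment such as `/* Messages carrying fds stay queued rather than being serialized into output_buffer; they still need a writable socket. */` captures the rationale the commit message gives. It may also be worth checking that other places deciding on output readiness (for example any idle or timeout computation) use the same pair of conditions, which cannot be seen from this hunk.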
@@ -0,0 +1,38 @@ +From 1fd57ca01c180fd77b626e0f091762ecd1e2736c Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Fri, 11 Oct 2024 09:46:14 +0200 +Subject: [PATCH 0942/1160] seccomp: allowlist uretprobe() syscall + +This is a new syscall provided by the kernel used to implement faster +uprobes. It's not supposed to be called by userspace, but only by kernel +generated uprobe code. + +It should be fine to allow this, as the kernel authenticates the +invocation itself, and we shouldn't break compat with things. + +Note that this allowlisting is not sufficient to make ureprobe() work. +libseccomp must be tought the syscall too, but this can happen +independently. + +Fixes: #34615 +(cherry picked from commit d693c483a2bb3eae490fd78d68fc16d0a731fee2) +(cherry picked from commit 389fbf464907132479cd1d18c7cbee17328f36cf) +--- + src/shared/seccomp-util.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c +index e4de6b4032..eb40e29a99 100644 +--- a/src/shared/seccomp-util.c ++++ b/src/shared/seccomp-util.c +@@ -381,6 +381,7 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = { + "sigreturn\0" + "time\0" + "ugetrlimit\0" ++ "uretprobe\0" + }, + [SYSCALL_FILTER_SET_AIO] = { + .name = "@aio", +-- +2.33.0 + diff --git a/backport-seccomp-util-include-sandbox-in-default.patch b/backport-seccomp-util-include-sandbox-in-default.patch new file mode 100644 index 0000000..f6555a3 --- /dev/null +++ b/backport-seccomp-util-include-sandbox-in-default.patch 
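Review bot: The new `"uretprobe\0"` entry in the @default set carries no rationale, while other entries in the same set do (for example `"arch_prctl\0" /* Used during platform-specific initialization by ld-linux.so. */`). Since @default is permitted for every filtered service, the reason for admitting a syscall that is described as kernel-internal should sit next to the entry: `"uretprobe\0" /* Only invoked from kernel-generated uprobe trampolines; the kernel validates the caller. */`. The commit message also says libseccomp must learn the syscall before the entry has any effect, which is worth noting in the same comment so a reader understands why the entry may be silently skipped with an older libseccomp.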
@@ -0,0 +1,47 @@ +From a3705b69814a5d61eb22199efed6664301374608 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Micka=C3=ABl=20Sala=C3=BCn?= +Date: Wed, 25 Sep 2024 15:20:23 +0200 +Subject: [PATCH 0890/1160] seccomp-util: include @sandbox in @default + +Every services and containers should be able to protect their users and +limit the impact of security bugs thanks to the security syscalls +provided by seccomp and Landlock. The goal of these syscalls is to +improve security with additional restrictions. They are designed to be +safely used by unprivileged (and then potentially malicious) users. + +Remove the now-redundant "seccomp" entry for nspawn. + +(cherry picked from commit e9966634754b8c9ee3f3c579f25d938e185c282e) +(cherry picked from commit c53c1a0fac49645588409a0a4917b2f12a5d5910) +--- + src/nspawn/nspawn-seccomp.c | 1 - + src/shared/seccomp-util.c | 1 + + 2 files changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/nspawn/nspawn-seccomp.c b/src/nspawn/nspawn-seccomp.c +index fa05a8a5b4..673b627c3b 100644 +--- a/src/nspawn/nspawn-seccomp.c ++++ b/src/nspawn/nspawn-seccomp.c +@@ -84,7 +84,6 @@ static int add_syscall_filters( + { 0, "sched_rr_get_interval" }, + { 0, "sched_rr_get_interval_time64" }, + { 0, "sched_yield" }, +- { 0, "seccomp" }, + { 0, "sendfile" }, + { 0, "sendfile64" }, + { 0, "setdomainname" }, +diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c +index 4e47cb8421..e4de6b4032 100644 +--- a/src/shared/seccomp-util.c ++++ b/src/shared/seccomp-util.c +@@ -318,6 +318,7 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = { + .name = "@default", + .help = "System calls that are always permitted", + .value = ++ "@sandbox\0" + "arch_prctl\0" /* Used during platform-specific initialization by ld-linux.so. */ + "brk\0" + "cacheflush\0" +-- +2.33.0 + 
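Review bot: Adding `"@sandbox\0"` to the @default set makes the seccomp and Landlock syscalls unconditionally permitted in every SystemCallFilter= allow-list, so they can no longer be kept out of a service simply by omission; the @default description in systemd.exec(5) should say so, and this hunk does not touch documentation. Removing `{ 0, "seccomp" }` from the nspawn table is only equivalent if that table also includes @default, which seems likely but cannot be confirmed from the visible lines of add_syscall_filters(). A brief comment on the new entry, such as `"@sandbox\0" /* seccomp and Landlock: unprivileged self-restriction, safe to always allow */`, would record the decision where it is read.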
diff --git a/backport-seccomp-util-pass-negative-fds-as-is-to-fsync-and-fr.patch b/backport-seccomp-util-pass-negative-fds-as-is-to-fsync-and-fr.patch new file mode 100644 index 0000000..6149714 --- /dev/null +++ b/backport-seccomp-util-pass-negative-fds-as-is-to-fsync-and-fr.patch 
@@ -0,0 +1,70 @@ +From 04a54264beb34dbdf256c5784a6d62a3e772029e Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Fri, 20 Sep 2024 03:52:19 +0900 +Subject: [PATCH 0875/1160] seccomp-util: pass negative fds as is to fsync() + and friends + +Closes #34478. + +Co-authored-by: Mike Yuan +(cherry picked from commit 144fbbac235b6b89d5d31795be1cc0dca9852ccc) +(cherry picked from commit 4bbd6f589ad97a0df6ab59e03c8c535d298d05eb) +--- + src/shared/seccomp-util.c | 27 ++++++++++++++++++++------- + 1 file changed, 20 insertions(+), 7 deletions(-) + +diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c +index 00a8cedcb8..4e47cb8421 100644 +--- a/src/shared/seccomp-util.c ++++ b/src/shared/seccomp-util.c +@@ -873,6 +873,7 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = { + .name = "@sync", + .help = "Synchronize files and memory to storage", + .value = ++ /* Please also update the list in seccomp_suppress_sync(). */ + "fdatasync\0" + "fsync\0" + "msync\0" +@@ -2454,8 +2455,10 @@ int seccomp_suppress_sync(void) { + uint32_t arch; + int r; + +- /* This is mostly identical to SystemCallFilter=~@sync:0, but simpler to use, and separately +- * manageable, and also masks O_SYNC/O_DSYNC */ ++ /* This behaves slightly differently from SystemCallFilter=~@sync:0, in that negative fds (which ++ * we can determine to be invalid) are still refused with EBADF. See #34478. ++ * ++ * Additionally, O_SYNC/O_DSYNC are masked. 
*/ + + SECCOMP_FOREACH_LOCAL_ARCH(arch) { + _cleanup_(seccomp_releasep) scmp_filter_ctx seccomp = NULL; +@@ -2473,11 +2476,21 @@ int seccomp_suppress_sync(void) { + continue; + } + +- r = seccomp_rule_add_exact( +- seccomp, +- SCMP_ACT_ERRNO(0), /* success → we want this to be a NOP after all */ +- id, +- 0); ++ if (STR_IN_SET(c, "fdatasync", "fsync", "sync_file_range", "sync_file_range2", "syncfs")) ++ r = seccomp_rule_add_exact( ++ seccomp, ++ SCMP_ACT_ERRNO(0), /* success → we want this to be a NOP after all */ ++ id, ++ 1, ++ SCMP_A0(SCMP_CMP_LE, INT_MAX)); /* The rule handles arguments in unsigned. Hence, this ++ * means non-negative fd matches the rule, and the negative ++ * fd passed to the syscall (then it fails with EBADF). */ ++ else ++ r = seccomp_rule_add_exact( ++ seccomp, ++ SCMP_ACT_ERRNO(0), /* success → we want this to be a NOP after all */ ++ id, ++ 0); + if (r < 0) + log_debug_errno(r, "Failed to add filter for system call %s, ignoring: %m", c); + } +-- +2.33.0 + diff --git a/backport-semaphore-bump-timeout.patch b/backport-semaphore-bump-timeout.patch new file mode 100644 index 0000000..8bd4e79 --- /dev/null +++ b/backport-semaphore-bump-timeout.patch 
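Review bot: The `STR_IN_SET(c, "fdatasync", "fsync", "sync_file_range", "sync_file_range2", "syncfs")` list in seccomp_suppress_sync() is a second hand-kept subset of the @sync set, and the hunk only annotates the @sync side with `/* Please also update the list in seccomp_suppress_sync(). */`. A matching comment at this branch, `/* Members of @sync whose first argument is a file descriptor; msync() and sync() deliberately take the unconditional rule below. */`, would state the selection criterion so the next addition to @sync lands in the right branch. The inline explanation of `SCMP_A0(SCMP_CMP_LE, INT_MAX)` is helpful and should stay. The opening of seccomp_suppress_sync() is outside the inner hunk.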
@@ -0,0 +1,31 @@ +From 5ac9650c84e185409b016e4185bbf92f84dcfa9b Mon Sep 17 00:00:00 2001 +From: Luca Boccassi +Date: Fri, 13 Dec 2024 22:08:27 +0000 +Subject: [PATCH 1060/1160] semaphore: bump timeout + +When semaphore is overloaded tests can take more than 1hr, bump +timeout + +(cherry picked from commit 1855064d4eb95abe6909a93f72bee46658dad36b) +(cherry picked from commit 96b9fe831f888a0e9772a33acc752ebb822357b9) +(cherry picked from commit 54387482b9ddd164853ec7ffa45f67f8a698c69b) +--- + .semaphore/semaphore.yml | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/.semaphore/semaphore.yml b/.semaphore/semaphore.yml +index 07742337e8..42df0f648f 100644 +--- a/.semaphore/semaphore.yml ++++ b/.semaphore/semaphore.yml +@@ -15,7 +15,7 @@ auto_cancel: + when: "true" + + execution_time_limit: +- hours: 1 ++ hours: 2 + + blocks: + - name: "Setup & test" +-- +2.33.0 + diff --git a/backport-semaphore-do-not-build-docs.patch b/backport-semaphore-do-not-build-docs.patch new file mode 100644 index 0000000..c9a7489 --- /dev/null +++ b/backport-semaphore-do-not-build-docs.patch 
@@ -0,0 +1,32 @@ +From 0c6e525a1f998c37849c04a215e5a68312331272 Mon Sep 17 00:00:00 2001 +From: Luca Boccassi +Date: Mon, 7 Oct 2024 19:40:31 +0100 +Subject: [PATCH 0920/1160] semaphore: do not build docs + +There are other CI runs that build manpages, speed up build which is close to 1hr limit + +(cherry picked from commit d58a904d35d3abcb7265b28b14aac596631e27d6) +(cherry picked from commit 966d8a90ca44659123c15e3a7e7d498aa2b50510) +--- + .semaphore/semaphore-runner.sh | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/.semaphore/semaphore-runner.sh b/.semaphore/semaphore-runner.sh +index 50ae8fac7b..ca9ae4ff48 100755 +--- a/.semaphore/semaphore-runner.sh ++++ b/.semaphore/semaphore-runner.sh +@@ -102,9 +102,9 @@ EOF + # now build the package and run the tests + rm -rf "$ARTIFACTS_DIR" + # autopkgtest exits with 2 for "some tests skipped", accept that +- sudo TMPDIR=/var/tmp "$AUTOPKGTEST_DIR/runner/autopkgtest" --env DEB_BUILD_OPTIONS="noudeb nostrip optimize=-lto" \ ++ sudo TMPDIR=/var/tmp "$AUTOPKGTEST_DIR/runner/autopkgtest" --env DEB_BUILD_OPTIONS="noudeb nostrip nodoc optimize=-lto" \ + --env DPKG_DEB_COMPRESSOR_TYPE="none" \ +- --env DEB_BUILD_PROFILES="noudeb" \ ++ --env DEB_BUILD_PROFILES="noudeb nodoc" \ + --env TEST_UPSTREAM=1 \ + ../systemd_*.dsc \ + -o "$ARTIFACTS_DIR" \ +-- +2.33.0 + diff --git a/backport-semaphore-move-back-to-autopkgtest-master-branch.patch b/backport-semaphore-move-back-to-autopkgtest-master-branch.patch new file mode 100644 index 0000000..4eedd2f --- /dev/null +++ b/backport-semaphore-move-back-to-autopkgtest-master-branch.patch 
@@ -0,0 +1,41 @@ +From 4f4cd7c9f4164a9fcf496ac789e9544579ac6611 Mon Sep 17 00:00:00 2001 +From: Luca Boccassi +Date: Sat, 9 Mar 2024 12:42:32 +0000 +Subject: [PATCH 0916/1160] semaphore: move back to autopkgtest master branch + +Instead of fixing the commit, we can workaround the adduser issue by +simply creating a user manually beforehand, which means the broken +codepath in autopkgtest is not taken. We can remove it once it's +fixed upstream, which is in progress: + +https://salsa.debian.org/ci-team/autopkgtest/-/merge_requests/297 +(cherry picked from commit 8b7485c505f1e7a55896069224109adaf10c16b9) +--- + .semaphore/semaphore-runner.sh | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/.semaphore/semaphore-runner.sh b/.semaphore/semaphore-runner.sh +index 59aa38afbd..1063ec1003 100755 +--- a/.semaphore/semaphore-runner.sh ++++ b/.semaphore/semaphore-runner.sh +@@ -48,6 +48,8 @@ apt-get install -y fdisk tree libfdisk-dev libp11-kit-dev libssl-dev libpwqualit + apt-get purge --auto-remove -y unattended-upgrades + systemctl unmask systemd-networkd + systemctl enable systemd-networkd ++# Remove once https://salsa.debian.org/ci-team/autopkgtest/-/merge_requests/297 is sorted ++adduser --disabled-login --gecos 'Temporary autopkgtest user,,,' autopkgtest + EOF + sudo lxc-stop -n "$CONTAINER" + } +@@ -64,7 +66,7 @@ for phase in "${PHASES[@]}"; do + sudo apt-get install -y -t "$UBUNTU_RELEASE-backports" lxc + sudo apt-get install -y python3-debian git dpkg-dev fakeroot python3-jinja2 + +- [ -d "$AUTOPKGTEST_DIR" ] || git clone --quiet --branch=debian/5.32 --depth=1 https://salsa.debian.org/ci-team/autopkgtest.git "$AUTOPKGTEST_DIR" ++ [ -d "$AUTOPKGTEST_DIR" ] || git clone --quiet --depth=1 https://salsa.debian.org/ci-team/autopkgtest.git "$AUTOPKGTEST_DIR" + + create_container + ;; +-- +2.33.0 + 
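Review bot: The new clone line `git clone --quiet --depth=1 https://salsa.debian.org/ci-team/autopkgtest.git "$AUTOPKGTEST_DIR"` drops the `--branch=debian/5.32` pin, so the runner again executes whatever is at the tip of a third-party repository at run time. That is a supply-chain exposure for the CI environment and makes runs non-reproducible, which the adduser breakage being worked around in this very patch illustrates. Keeping a pin behind a variable, e.g. `AUTOPKGTEST_REF="${AUTOPKGTEST_REF:-debian/5.32}"` and `git clone --quiet --branch="$AUTOPKGTEST_REF" --depth=1 https://salsa.debian.org/ci-team/autopkgtest.git "$AUTOPKGTEST_DIR"`, preserves the ability to move forward deliberately. The `adduser --disabled-login ...` workaround already carries a removal note, which is good.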
diff --git a/backport-semaphore-remove-workaround-for-adduser.patch b/backport-semaphore-remove-workaround-for-adduser.patch new file mode 100644 index 0000000..71bc6b8 --- /dev/null +++ b/backport-semaphore-remove-workaround-for-adduser.patch @@ -0,0 +1,32 @@ +From 030f72f33565a291920a6e5dff6e2be98cc0bf39 Mon Sep 17 00:00:00 2001 +From: Luca Boccassi +Date: Mon, 11 Mar 2024 10:20:20 +0000 +Subject: [PATCH 0917/1160] semaphore: remove workaround for adduser + +Offending commit has been reverted, so it's no longer necessary: + +https://salsa.debian.org/ci-team/autopkgtest/-/commit/90167696914889efa782aac3f1f44ab68498c529 + +Follow-up for 8b7485c505f1e7a55896069224109adaf10c16b9 + +(cherry picked from commit 2bbe5ca17866494f5cbead3d7d574262a492aab2) +--- + .semaphore/semaphore-runner.sh | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/.semaphore/semaphore-runner.sh b/.semaphore/semaphore-runner.sh +index 1063ec1003..d2ee50b41c 100755 +--- a/.semaphore/semaphore-runner.sh ++++ b/.semaphore/semaphore-runner.sh +@@ -48,8 +48,6 @@ apt-get install -y fdisk tree libfdisk-dev libp11-kit-dev libssl-dev libpwqualit + apt-get purge --auto-remove -y unattended-upgrades + systemctl unmask systemd-networkd + systemctl enable systemd-networkd +-# Remove once https://salsa.debian.org/ci-team/autopkgtest/-/merge_requests/297 is sorted +-adduser --disabled-login --gecos 'Temporary autopkgtest user,,,' autopkgtest + EOF + sudo lxc-stop -n "$CONTAINER" + } +-- +2.33.0 + diff --git a/backport-semaphore-speed-up-build.patch b/backport-semaphore-speed-up-build.patch new file mode 100644 index 0000000..a68f7ec --- /dev/null +++ b/backport-semaphore-speed-up-build.patch 
@@ -0,0 +1,36 @@ +From 81930bc09135a0a27215947d5b27b7d248eeaf1e Mon Sep 17 00:00:00 2001 +From: Luca Boccassi +Date: Wed, 28 Feb 2024 23:46:15 +0000 +Subject: [PATCH 0915/1160] semaphore: speed up build + +- avoid stripping debug symbols and creating dbgsym packages +- avoid LTO, slows down build a lot +- avoid compressing packages, they are thrown out immediately after use +- avoid building udeb packages, not needed + +(cherry picked from commit 7eedcb4e3ba34487d128abd3c86e0467bbd0bc92) +--- + .semaphore/semaphore-runner.sh | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/.semaphore/semaphore-runner.sh b/.semaphore/semaphore-runner.sh +index 03c139d52b..59aa38afbd 100755 +--- a/.semaphore/semaphore-runner.sh ++++ b/.semaphore/semaphore-runner.sh +@@ -101,8 +101,11 @@ EOF + # now build the package and run the tests + rm -rf "$ARTIFACTS_DIR" + # autopkgtest exits with 2 for "some tests skipped", accept that +- sudo "$AUTOPKGTEST_DIR/runner/autopkgtest" --env DEB_BUILD_OPTIONS=noudeb \ +- --env TEST_UPSTREAM=1 ../systemd_*.dsc \ ++ sudo "$AUTOPKGTEST_DIR/runner/autopkgtest" --env DEB_BUILD_OPTIONS="noudeb nostrip optimize=-lto" \ ++ --env DPKG_DEB_COMPRESSOR_TYPE="none" \ ++ --env DEB_BUILD_PROFILES="noudeb" \ ++ --env TEST_UPSTREAM=1 \ ++ ../systemd_*.dsc \ + -o "$ARTIFACTS_DIR" \ + -- lxc -s "$CONTAINER" \ + || [ $? -eq 2 ] +-- +2.33.0 + diff --git a/backport-semaphore-stop-building-and-running-extra-unit-tests.patch b/backport-semaphore-stop-building-and-running-extra-unit-tests.patch new file mode 100644 index 0000000..95e19cf --- /dev/null +++ b/backport-semaphore-stop-building-and-running-extra-unit-tests.patch 
@@ -0,0 +1,31 @@ +From 3891c50ce67bb4aeda13e099240c684c6dd9ca25 Mon Sep 17 00:00:00 2001 +From: Luca Boccassi +Date: Mon, 7 Oct 2024 19:38:16 +0100 +Subject: [PATCH 0919/1160] semaphore: stop building and running extra unit + tests + +This slows down the build, which is often near the 1hr limit. There are +other jobs running the extra unit tests. + +(cherry picked from commit 3bc5480bac474263881e4c5919d5cce0debf3c40) +(cherry picked from commit 52afaa8034f59dda44ec181e79604a9a222e60ad) +--- + .semaphore/semaphore-runner.sh | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/.semaphore/semaphore-runner.sh b/.semaphore/semaphore-runner.sh +index 6cb947fa71..50ae8fac7b 100755 +--- a/.semaphore/semaphore-runner.sh ++++ b/.semaphore/semaphore-runner.sh +@@ -92,7 +92,7 @@ EOF + # disable autopkgtests which are not for upstream + sed -i '/# NOUPSTREAM/ q' debian/tests/control + # enable more unit tests +- sed -i '/^CONFFLAGS =/ s/=/= --werror -Dtests=unsafe -Dslow-tests=true -Dfuzz-tests=true -Dman=true /' debian/rules ++ sed -i '/^CONFFLAGS =/ s/=/= --werror /' debian/rules + # no orig tarball + echo '1.0' >debian/source/format + +-- +2.33.0 + diff --git a/backport-semaphore-temporarily-pin-autopkgtest-to-v5.32.patch b/backport-semaphore-temporarily-pin-autopkgtest-to-v5.32.patch new file mode 100644 index 0000000..168884c --- /dev/null +++ b/backport-semaphore-temporarily-pin-autopkgtest-to-v5.32.patch 
@@ -0,0 +1,31 @@ +From d9668e324109e13d8bd7ed5a9c319fa098d2cf78 Mon Sep 17 00:00:00 2001 +From: Frantisek Sumsal +Date: Fri, 9 Feb 2024 10:30:08 +0100 +Subject: [PATCH 0205/1160] semaphore: temporarily pin autopkgtest to v5.32 + +The latest commit (ATTOW) [0] calls adduser with --logmsglevel, which is +not a valid flag for adduser on Ubuntu Focal/Jammy. + +[0] https://salsa.debian.org/ci-team/autopkgtest/-/commit/9c033b3db453acaa103bae03a4a5dcebe3858089 + +(cherry picked from commit c078f4af6ba03c6550847b6551190d91b6d1560d) +--- + .semaphore/semaphore-runner.sh | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/.semaphore/semaphore-runner.sh b/.semaphore/semaphore-runner.sh +index 13456609ad..5219172570 100755 +--- a/.semaphore/semaphore-runner.sh ++++ b/.semaphore/semaphore-runner.sh +@@ -63,7 +63,7 @@ for phase in "${PHASES[@]}"; do + sudo apt-get install -y -t "$UBUNTU_RELEASE-backports" lxc + sudo apt-get install -y python3-debian git dpkg-dev fakeroot python3-jinja2 + +- [ -d "$AUTOPKGTEST_DIR" ] || git clone --quiet --depth=1 https://salsa.debian.org/ci-team/autopkgtest.git "$AUTOPKGTEST_DIR" ++ [ -d "$AUTOPKGTEST_DIR" ] || git clone --quiet --branch=debian/5.32 --depth=1 https://salsa.debian.org/ci-team/autopkgtest.git "$AUTOPKGTEST_DIR" + + create_container + ;; +-- +2.33.0 + diff --git a/backport-semaphore-use-variable-for-Salsa-repo-URL.patch b/backport-semaphore-use-variable-for-Salsa-repo-URL.patch new file mode 100644 index 0000000..26d827b --- /dev/null +++ b/backport-semaphore-use-variable-for-Salsa-repo-URL.patch 
@@ -0,0 +1,36 @@ +From c64e96061b2f84c3e97e810cf7d3a1fe94550409 Mon Sep 17 00:00:00 2001 +From: Luca Boccassi +Date: Mon, 20 May 2024 13:08:26 +0100 +Subject: [PATCH 0659/1160] semaphore: use variable for Salsa repo URL + +Makes it easier to switch for debuggin + +(cherry picked from commit 5002b576d8d3d338df90f7d51543f44dd571f388) +--- + .semaphore/semaphore-runner.sh | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/.semaphore/semaphore-runner.sh b/.semaphore/semaphore-runner.sh +index 5219172570..03c139d52b 100755 +--- a/.semaphore/semaphore-runner.sh ++++ b/.semaphore/semaphore-runner.sh +@@ -7,6 +7,7 @@ set -o pipefail + # default to Debian testing + DISTRO="${DISTRO:-debian}" + RELEASE="${RELEASE:-bookworm}" ++SALSA_URL="${SALSA_URL:-https://salsa.debian.org/systemd-team/systemd.git}" + BRANCH="${BRANCH:-upstream-ci}" + ARCH="${ARCH:-amd64}" + CONTAINER="${RELEASE}-${ARCH}" +@@ -69,7 +70,7 @@ for phase in "${PHASES[@]}"; do + ;; + RUN) + # add current debian/ packaging +- git fetch --depth=1 https://salsa.debian.org/systemd-team/systemd.git "$BRANCH" ++ git fetch --depth=1 "$SALSA_URL" "$BRANCH" + git checkout FETCH_HEAD debian + + # craft changelog +-- +2.33.0 + diff --git a/backport-shared-Fix-TPM2-unsealing-when-PCR-values-change.patch b/backport-shared-Fix-TPM2-unsealing-when-PCR-values-change.patch new file mode 100644 index 0000000..1323289 --- /dev/null +++ b/backport-shared-Fix-TPM2-unsealing-when-PCR-values-change.patch 
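Review bot: `SALSA_URL="${SALSA_URL:-https://salsa.debian.org/systemd-team/systemd.git}"` lets the environment redirect where the debian/ packaging used for the build is fetched from, but the RUN phase does not record which URL was actually used. A line before the fetch, `echo "Fetching debian/ from $SALSA_URL ($BRANCH)"`, makes the provenance visible in the CI log and makes an unexpected override easy to spot. Whether jobs can be started with externally controlled environment variables depends on the Semaphore project configuration, which is not visible here.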
@@ -0,0 +1,49 @@ +From e0be8e799a11479cceca42f6f44fb0d258d169f2 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Gabr=C3=ADel=20Arth=C3=BAr=20P=C3=A9tursson?= + +Date: Wed, 20 Mar 2024 16:48:36 +0000 +Subject: [PATCH 0475/1160] shared: Fix TPM2 unsealing when PCR values change + +Recreate the encryption session on each retry. It's invalidated along +with the policy session when freed, failing subsequent retries. + + Unsealing HMAC key. + WARNING:esys:src/tss2-esys/api/Esys_Unseal.c:295:Esys_Unseal_Finish() Received TPM Error + ERROR:esys:src/tss2-esys/api/Esys_Unseal.c:98:Esys_Unseal() Esys Finish ErrorCode (0x00000128) + A PCR value changed during the TPM2 policy session, restarting HMAC key unsealing (30 tries left). + Missing encryption session + Failed to unseal secret using TPM2: Invalid argument + +Fixes #31881 + +(cherry picked from commit 1923e213165d1510b553473b1a14c33cb5124bcb) +--- + src/shared/tpm2-util.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/src/shared/tpm2-util.c b/src/shared/tpm2-util.c +index 30b4f57fd6..892e5c7388 100644 +--- a/src/shared/tpm2-util.c ++++ b/src/shared/tpm2-util.c +@@ -5540,13 +5540,13 @@ int tpm2_unseal(Tpm2Context *c, + if (r < 0) + return r; + +- _cleanup_(tpm2_handle_freep) Tpm2Handle *encryption_session = NULL; +- r = tpm2_make_encryption_session(c, primary_handle, hmac_key, &encryption_session); +- if (r < 0) +- return r; +- + _cleanup_(Esys_Freep) TPM2B_SENSITIVE_DATA* unsealed = NULL; + for (unsigned i = RETRY_UNSEAL_MAX;; i--) { ++ _cleanup_(tpm2_handle_freep) Tpm2Handle *encryption_session = NULL; ++ r = tpm2_make_encryption_session(c, primary_handle, hmac_key, &encryption_session); ++ if (r < 0) ++ return r; ++ + _cleanup_(tpm2_handle_freep) Tpm2Handle *policy_session = NULL; + _cleanup_(Esys_Freep) TPM2B_DIGEST *policy_digest = NULL; + r = tpm2_make_policy_session( +-- +2.33.0 + 
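Review bot: Moving `tpm2_make_encryption_session()` into the retry loop fixes the failure, but the code gives no hint why a fresh encryption session is needed per attempt; the reason lives only in the commit message. A comment above the call, `/* The encryption session is invalidated together with the policy session when that one is freed, so it must be recreated on every attempt. */`, would stop a future cleanup from hoisting it back out of the loop. It is also worth stating that a failure of this call on a later iteration now returns immediately rather than being counted against RETRY_UNSEAL_MAX, which looks intentional. The rest of tpm2_unseal() is outside the hunk.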
diff --git a/backport-shared-conf-parser-do-not-print-null-as-section-name.patch b/backport-shared-conf-parser-do-not-print-null-as-section-name.patch new file mode 100644 index 0000000..c8bd89b --- /dev/null +++ b/backport-shared-conf-parser-do-not-print-null-as-section-name.patch @@ -0,0 +1,38 @@ +From a2f32b99f354c3fc2d4e9b49c26f64357f5a0887 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Thu, 23 May 2024 14:47:00 +0200 +Subject: [PATCH 0679/1160] shared/conf-parser: do not print "(null)" as + section name + +Before: +/etc/kernel/install.conf:6: Unknown key name 'asdf' in section '(null)', ignoring. +After: +/etc/kernel/install.conf:6: Unknown key 'asdf', ignoring. + +Also make the message a bit better. + +(cherry picked from commit 600a7405a9a7cdf2d6a7e669df4fa6025924ba82) +--- + src/shared/conf-parser.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/src/shared/conf-parser.c b/src/shared/conf-parser.c +index e8ecd9bc79..9fb0395714 100644 +--- a/src/shared/conf-parser.c ++++ b/src/shared/conf-parser.c +@@ -159,7 +159,11 @@ static int next_assignment( + /* Warn about unknown non-extension fields. */ + if (!(flags & CONFIG_PARSE_RELAXED) && !startswith(lvalue, "X-")) + log_syntax(unit, LOG_WARNING, filename, line, 0, +- "Unknown key name '%s' in section '%s', ignoring.", lvalue, section); ++ "Unknown key '%s'%s%s%s, ignoring.", ++ lvalue, ++ section ? " in section [" : "", ++ strempty(section), ++ section ? "]" : ""); + + return 0; + } +-- +2.33.0 + diff --git a/backport-shared-hibernate-util-don-t-attempt-to-fiemap-fd-if-.patch b/backport-shared-hibernate-util-don-t-attempt-to-fiemap-fd-if-.patch new file mode 100644 index 0000000..c614d7e --- /dev/null +++ b/backport-shared-hibernate-util-don-t-attempt-to-fiemap-fd-if-.patch 
@@ -0,0 +1,53 @@
+From 6c4d03cac7f20d0e72b9470c55d7ec5cdd63be88 Mon Sep 17 00:00:00 2001
+From: Mike Yuan
+Date: Thu, 2 Jan 2025 04:13:23 +0100
+Subject: [PATCH 1071/1160] shared/hibernate-util: don't attempt to fiemap fd
+ if no backing dev available
+
+Prompted by #35798
+
+Co-authored-by: Yu Watanabe
+(cherry picked from commit 6d3b2273b1e14d79548a018674ad6e5a5b8b8009)
+(cherry picked from commit 74d673d7ae13e561e4f72d0f16a35fb8f5f3f5be)
+(cherry picked from commit e717b75f5e199798bb9f752201e0d377e061f139)
+---
+ src/shared/hibernate-util.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/src/shared/hibernate-util.c b/src/shared/hibernate-util.c
+index ea1b024ab6..58808f7f20 100644
+--- a/src/shared/hibernate-util.c
++++ b/src/shared/hibernate-util.c
+@@ -234,6 +234,8 @@ static int swap_entry_get_resume_config(SwapEntry *swap) {
+ r = get_block_device_fd(fd, &swap->devno);
+ if (r < 0)
+ return r;
++ if (r == 0)
++ return -EMEDIUMTYPE;
+
+ r = fd_is_fs_type(fd, BTRFS_SUPER_MAGIC);
+ if (r < 0)
+@@ -361,14 +363,16 @@ int find_suitable_hibernation_device_full(HibernationDevice *ret_device, uint64_
+
+ FOREACH_ARRAY(swap, entries.swaps, entries.n_swaps) {
+ r = swap_entry_get_resume_config(swap);
+- if (r < 0)
+- return log_debug_errno(r, "Failed to get devno and offset for swap '%s': %m", swap->path);
+- if (swap->devno == 0) {
++ if (r == -EMEDIUMTYPE) {
+ assert(swap->swapfile);
+
+- log_debug("Swap file '%s' is not backed by block device, ignoring: %m", swap->path);
++ log_debug_errno(r, "Unable to acquire backing block device for swap file '%s' (maybe on a RAID btrfs?), ignoring.",
++ swap->path);
+ continue;
+ }
++ if (r < 0)
++ return log_debug_errno(r, "Failed to get devno and offset for swap '%s': %m", swap->path);
++ assert(swap->devno > 0);
+
+ if (resume_config_devno > 0) {
+ if (swap->devno == resume_config_devno &&
+--
+2.33.0
+
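Review bot: swap_entry_get_resume_config() now returns -EMEDIUMTYPE when get_block_device_fd() reports no backing device, and find_suitable_hibernation_device_full() keys its skip-and-continue path (including the `assert(swap->swapfile)`) on that exact code, but the contract is not written down at the function. Document it at the definition, which sits outside the first hunk, e.g. `/* Returns -EMEDIUMTYPE if the swap file has no backing block device (e.g. btrfs spanning several devices); callers may treat that as "skip this entry". */`. The new `assert(swap->devno > 0)` also presumes get_block_device_fd() only reports 0 in that case and otherwise fills in a non-zero devno; that looks plausible but is not visible here. Both functions begin and end outside their hunks.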
diff --git a/backport-shared-hibernate-util-handle-the-case-where-no-swap-.patch b/backport-shared-hibernate-util-handle-the-case-where-no-swap-.patch
new file mode 100644
index 0000000..1845383
--- /dev/null
+++ b/backport-shared-hibernate-util-handle-the-case-where-no-swap-.patch
@@ -0,0 +1,50 @@
+From 4cd9921bc6c1e648f6861a5da6f0ef7a2d967469 Mon Sep 17 00:00:00 2001
+From: Mike Yuan
+Date: Thu, 2 Jan 2025 04:17:47 +0100
+Subject: [PATCH 1072/1160] shared/hibernate-util: handle the case where no
+ swap has available backing dev
+
+This also makes find_suitable_hibernation_device() report
+more accurate error (ENOSPC -> ESTALE) if there's
+no swap space on the system at all but resume= is set.
+
+Fixes #35798
+Replaces #35801
+
+(cherry picked from commit bd3d361580715c7a6204c74df9185cc81d67f0c2)
+(cherry picked from commit 01686c36cd564f8fd77386ae69808f498c32be83)
+(cherry picked from commit a35498700cbd97b2475513ec2438097283b6336e)
+---
+ src/shared/hibernate-util.c | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/src/shared/hibernate-util.c b/src/shared/hibernate-util.c
+index 58808f7f20..67862dcc61 100644
+--- a/src/shared/hibernate-util.c
++++ b/src/shared/hibernate-util.c
+@@ -358,8 +358,6 @@ int find_suitable_hibernation_device_full(HibernationDevice *ret_device, uint64_
+ r = read_swap_entries(&entries);
+ if (r < 0)
+ return r;
+- if (entries.n_swaps == 0)
+- return log_debug_errno(SYNTHETIC_ERRNO(ENOSPC), "No swap space available for hibernation.");
+
+ FOREACH_ARRAY(swap, entries.swaps, entries.n_swaps) {
+ r = swap_entry_get_resume_config(swap);
+@@ -395,9 +393,10 @@ int find_suitable_hibernation_device_full(HibernationDevice *ret_device, uint64_
+ }
+
+ if (!entry) {
+- /* No need to check n_swaps == 0, since it's rejected early */
+- assert(resume_config_devno > 0);
+- return log_debug_errno(SYNTHETIC_ERRNO(ESTALE), "Cannot find swap entry corresponding to /sys/power/resume.");
++ if (resume_config_devno > 0)
++ return log_debug_errno(SYNTHETIC_ERRNO(ESTALE), "Cannot find swap entry corresponding to /sys/power/resume.");
++
++ return log_debug_errno(SYNTHETIC_ERRNO(ENOSPC), "No swap space available for hibernation.");
+ }
+
+ if (ret_device) {
+--
+2.33.0
+
diff --git a/backport-shared-initialize-a-couple-of-values-explicitly.patch b/backport-shared-initialize-a-couple-of-values-explicitly.patch
new file mode 100644
index 0000000..d17b3ff
--- /dev/null
+++ b/backport-shared-initialize-a-couple-of-values-explicitly.patch
@@ -0,0 +1,51 @@ +From 205da628190f098d8ba41696ad25d2bf11f51c40 Mon Sep 17 00:00:00 2001 +From: Frantisek Sumsal +Date: Thu, 4 Jan 2024 17:50:13 +0100 +Subject: [PATCH 1045/1160] shared: initialize a couple of values explicitly + +As gcc has trouble figuring this itself with -O2 and -Wmaybe-initialized. + +(cherry picked from commit 0a87b834972c154b7f03738d165e5459f87a3352) +--- + src/libsystemd/sd-journal/journal-file.c | 2 +- + src/shared/tpm2-util.c | 4 ++-- + 2 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/src/libsystemd/sd-journal/journal-file.c b/src/libsystemd/sd-journal/journal-file.c +index 08cbf86126..08f3b8267b 100644 +--- a/src/libsystemd/sd-journal/journal-file.c ++++ b/src/libsystemd/sd-journal/journal-file.c +@@ -2762,7 +2762,7 @@ static int generic_array_get( + Object **ret_object, /* The found object. */ + uint64_t *ret_offset) { /* The offset of the found object. */ + +- uint64_t a, t = 0, k; ++ uint64_t a, t = 0, k = 0; /* Explicit initialization of k to appease gcc */ + ChainCacheItem *ci; + Object *o = NULL; + int r; +diff --git a/src/shared/tpm2-util.c b/src/shared/tpm2-util.c +index 8f2d4da7fe..611dd6651c 100644 +--- a/src/shared/tpm2-util.c ++++ b/src/shared/tpm2-util.c +@@ -5037,7 +5037,7 @@ static int tpm2_calculate_seal_ecc_seed( + size_t bits = (size_t) r * 8; + + _cleanup_free_ void *seed = NULL; +- size_t seed_size; ++ size_t seed_size = 0; /* Explicit initialization to appease gcc */ + r = tpm2_kdfe(parent->publicArea.nameAlg, + shared_secret, + shared_secret_size, +@@ -5074,7 +5074,7 @@ static int tpm2_calculate_seal_seed( + log_debug("Calculating encrypted seed for sealed object."); + + _cleanup_free_ void *seed = NULL, *encrypted_seed = NULL; +- size_t seed_size, encrypted_seed_size; ++ size_t seed_size = 0, encrypted_seed_size = 0; /* Explicit initialization to appease gcc */ + if (parent->publicArea.type == TPM2_ALG_RSA) + r = tpm2_calculate_seal_rsa_seed(parent, &seed, &seed_size, &encrypted_seed, 
&encrypted_seed_size); + else if (parent->publicArea.type == TPM2_ALG_ECC) +-- +2.33.0 + diff --git a/backport-shared-install-correctly-report-changes-in-install_i.patch b/backport-shared-install-correctly-report-changes-in-install_i.patch new file mode 100644 index 0000000..ab1b43e --- /dev/null +++ b/backport-shared-install-correctly-report-changes-in-install_i.patch @@ -0,0 +1,44 @@ +From 1f94ae4a539d7ed9b5e8602933248e1fc5973140 Mon Sep 17 00:00:00 2001 +From: Mike Yuan +Date: Wed, 19 Jun 2024 18:45:14 +0200 +Subject: [PATCH 0769/1160] shared/install: correctly report changes in + install_info_symlink_alias() + +Follow-up for b2751cf0394d36c24590b5f7b33e9f864b57ba0d + +Also make the conditions consistent for install_info_symlink_wants(). + +Fixes #33411 + +(cherry picked from commit 4441cf330b3847d6c553fb230e8e4c86aa75ebb9) +(cherry picked from commit a42db16a1cd0e080d972bd778ea44e981ea31dfc) +--- + src/shared/install.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/src/shared/install.c b/src/shared/install.c +index b08ee5eb6d..e2e33de3c6 100644 +--- a/src/shared/install.c ++++ b/src/shared/install.c +@@ -1934,7 +1934,8 @@ static int install_info_symlink_alias( + broken = q == 0; /* symlink target does not exist? */ + + q = create_symlink(lp, info->path, alias_path, force || broken, changes, n_changes); +- r = r < 0 ? r : q; ++ if (q != 0 && r >= 0) ++ r = q; + } + + return r; +@@ -2033,7 +2034,7 @@ static int install_info_symlink_wants( + return -ENOMEM; + + q = create_symlink(lp, info->path, path, true, changes, n_changes); +- if ((q < 0 && r >= 0) || r == 0) ++ if (q != 0 && r >= 0) + r = q; + + if (unit_file_exists(scope, lp, dst) == 0) { +-- +2.33.0 + diff --git a/backport-shared-install-drop-unneeded-initialization.patch b/backport-shared-install-drop-unneeded-initialization.patch new file mode 100644 index 0000000..b885865 --- /dev/null +++ b/backport-shared-install-drop-unneeded-initialization.patch 
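Review bot: The accumulation `if (q != 0 && r >= 0) r = q;` encodes a convention (keep the first error, otherwise remember that a change was made) that is now repeated in install_info_symlink_alias() and install_info_symlink_wants() here, and three more times in install_info_apply() in the propagate-all-errors backport that follows, without a comment at any of them. A one-line comment at the first occurrence, `/* Keep the first error; otherwise record that a change was made (q > 0). */`, would make the idiom self-explaining for the next reader. Both functions touched in this hunk begin and end outside it.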
@@ -0,0 +1,27 @@
+From f6ef5e62fdf94df09f219a8410277cbd0adb48cd Mon Sep 17 00:00:00 2001
+From: Mike Yuan
+Date: Wed, 19 Jun 2024 18:44:26 +0200
+Subject: [PATCH 0767/1160] shared/install: drop unneeded initialization
+
+(cherry picked from commit dd6b325a05c4caccd1a17dd4147f48a916eee386)
+(cherry picked from commit 908edce5b6d4fd5243eab3e7fc8ec57d0e8da130)
+---
+ src/shared/install.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/shared/install.c b/src/shared/install.c
+index 270124cce0..b8f8848de7 100644
+--- a/src/shared/install.c
++++ b/src/shared/install.c
+@@ -1957,7 +1957,7 @@ static int install_info_symlink_wants(
+
+ UnitNameFlags valid_dst_type = UNIT_NAME_ANY;
+ const char *n;
+- int r = 0, q;
++ int r, q;
+
+ assert(info);
+ assert(lp);
+--
+2.33.0
+
diff --git a/backport-shared-install-propagate-all-errors-in-install_info_.patch b/backport-shared-install-propagate-all-errors-in-install_info_.patch
new file mode 100644
index 0000000..d6849f3
--- /dev/null
+++ b/backport-shared-install-propagate-all-errors-in-install_info_.patch
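Review bot: Dropping the `= 0` initializer of `r` is only safe if every path through install_info_symlink_wants() assigns `r` before it is read or returned; the function body lies outside the hunk, so that cannot be confirmed from here. If there is an explicit `r = 0;` ahead of the loop that accumulates results, a short comment there, `/* r is assigned here on every path, so the declaration needs no initializer */`, would document why the initializer is redundant. Otherwise this is exactly the kind of spot where -Wmaybe-uninitialized tends to reappear, which the sibling "initialize a couple of values explicitly" backport in this series is working around elsewhere.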
@@ -0,0 +1,43 @@ +From 40b9bde76d801c4cf168819679eb77aa6f4d5010 Mon Sep 17 00:00:00 2001 +From: Mike Yuan +Date: Wed, 19 Jun 2024 18:59:15 +0200 +Subject: [PATCH 0768/1160] shared/install: propagate all errors in + install_info_apply() + +Currently, install_info_apply() only updates r if it's 0, +meaning that if one of the earlier install_info_symlink_alias/wants() +calls returns > 0, errors generated by later calls will be discarded. +Fix that. + +(cherry picked from commit a159aa07e1548367d2fde80cb0d45b869c591864) +(cherry picked from commit bb83650f96af1a7f803696fab5dd06442c789b1c) +--- + src/shared/install.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/src/shared/install.c b/src/shared/install.c +index b8f8848de7..b08ee5eb6d 100644 +--- a/src/shared/install.c ++++ b/src/shared/install.c +@@ -2105,15 +2105,15 @@ static int install_info_apply( + r = install_info_symlink_alias(scope, info, lp, config_path, force, changes, n_changes); + + q = install_info_symlink_wants(scope, file_flags, info, lp, config_path, info->wanted_by, ".wants/", changes, n_changes); +- if (r == 0) ++ if (q != 0 && r >= 0) + r = q; + + q = install_info_symlink_wants(scope, file_flags, info, lp, config_path, info->required_by, ".requires/", changes, n_changes); +- if (r == 0) ++ if (q != 0 && r >= 0) + r = q; + + q = install_info_symlink_wants(scope, file_flags, info, lp, config_path, info->upheld_by, ".upholds/", changes, n_changes); +- if (r == 0) ++ if (q != 0 && r >= 0) + r = q; + + return r; +-- +2.33.0 + diff --git a/backport-shared-killall-correctly-warn-about-rootfs-daemon-s-.patch b/backport-shared-killall-correctly-warn-about-rootfs-daemon-s-.patch new file mode 100644 index 0000000..9483c2e --- /dev/null +++ b/backport-shared-killall-correctly-warn-about-rootfs-daemon-s-.patch 
@@ -0,0 +1,43 @@
+From 3af358e7010be6bd60609cf3a59674e0def8e2f0 Mon Sep 17 00:00:00 2001
+From: Mike Yuan
+Date: Sat, 2 Dec 2023 15:23:51 +0800
+Subject: [PATCH 0002/1160] shared/killall: correctly warn about rootfs
+ daemon's root
+
+Follow-up for 9e615117dab5ede72eec22bf6369e0138f9dace5
+
+We'll typically send signals to all remaining processes in the following
+cases:
+
+1. pid1 (in initrd) when transitioning from initrd to sysroot: SIGTERM
+2. pid1 (in sysroot) before transitioning back to initrd (exitrd): SIGTERM + SIGKILL
+3. systemd-shutdown (in exitrd): SIGTERM + SIGKILL
+
+'warn_rootfs' is set to true only when we're not in initrd and we're
+sending SIGKILL, which means the second case. So, we want to emit the
+warning when the root of the storage daemon IS the same as that of pid1,
+rather than the other way around.
+
+The condition is spuriously reversed in the offending commit.
+
+(cherry picked from commit 374c29fc883846477e2db7e77af13068b0fb177a)
+---
+ src/shared/killall.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/shared/killall.c b/src/shared/killall.c
+index 9c2babe7d2..330b4c3272 100644
+--- a/src/shared/killall.c
++++ b/src/shared/killall.c
+@@ -101,7 +101,7 @@ static bool ignore_proc(const PidRef *pid, bool warn_rootfs) {
+ return false;
+
+ if (warn_rootfs &&
+- pid_from_same_root_fs(pid->pid) == 0) {
++ pid_from_same_root_fs(pid->pid) > 0) {
+
+ _cleanup_free_ char *comm = NULL;
+
+--
+2.33.0
+
diff --git a/backport-shared-log-error-when-execve-fail.patch b/backport-shared-log-error-when-execve-fail.patch
index d4f942b..ff9a1d3 100644
--- a/backport-shared-log-error-when-execve-fail.patch
+++ b/backport-shared-log-error-when-execve-fail.patch
@@ -1,7 +1,7 @@
 From 76fe6ebee84c22c96f1c9a96707c7e72706989fd Mon Sep 17 00:00:00 2001
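Review bot: With `pid_from_same_root_fs(pid->pid) > 0` a negative return (the root-fs lookup failed) now silently suppresses the rootfs warning, and that warning is the only hint an operator gets that a storage daemon is about to be killed during the exitrd transition. The lookup result should be stored and a failure logged at debug level, e.g. `r = pid_from_same_root_fs(pid->pid); if (r < 0) log_debug_errno(r, "Failed to determine root of process " PID_FMT ", not warning about it: %m", pid->pid);` before the `if (warn_rootfs && r > 0)` test, so that a missing warning is at least explainable from the logs. Whether that belongs in this backport or in a follow-up is a judgement call; the fix itself is correct as far as the visible condition goes. ignore_proc() begins and ends outside the hunk.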
From: Mauri de Souza Meneguzzo Date: Mon, 24 Jun 2024 23:47:15 -0300 -Subject: [PATCH] shared: log error when execve fail +Subject: [PATCH 0788/1160] shared: log error when execve fail If there is an error with the execv call in fork_agent the program exits without any meaningful log message. Log the @@ -13,9 +13,6 @@ Fixes: #33418 Signed-off-by: Mauri de Souza Meneguzzo (cherry picked from commit a408d4453145621902b9a3ef78a552f83b09bd8d) (cherry picked from commit 7fcfb73d71ed1d4230f58de1a94790e0c28719ea) - -Conflict:NA -Reference:https://github.com/systemd/systemd-stable/commit/76fe6ebee84c22c96f1c9a96707c7e72706989fd --- src/shared/exec-util.c | 1 + src/shared/spawn-polkit-agent.c | 11 ++++++++--- diff --git a/backport-shared-logs-show-restore-infinite-loop-avoidance-for.patch b/backport-shared-logs-show-restore-infinite-loop-avoidance-for.patch new file mode 100644 index 0000000..b79d0d6 --- /dev/null +++ b/backport-shared-logs-show-restore-infinite-loop-avoidance-for.patch 
@@ -0,0 +1,40 @@
+From 6eab0e45f4777be42a7c269e4cd1e6a5606ac352 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?=
+Date: Tue, 26 Mar 2024 18:46:23 +0100
+Subject: [PATCH 0477/1160] shared/logs-show: restore infinite loop avoidance
+ for corrupted journals
+
+Fixes a bug introduced in e44f06065bf20e8d0e4adacff61350ebd36f299e: it was
+supposed to be a refactoring, but unfortunately FOREACH_ARRAY is implemented
+using a for loop, so when the 'goto finish' was replaced by 'break', it only
+broke the inner loop, leading to a infinite loop.
+
+(cherry picked from commit 1e8c0c671e3076db811804343b3b8d744bcf27ac)
+---
+ src/shared/logs-show.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/shared/logs-show.c b/src/shared/logs-show.c
+index a5d04003bd..0a31be382f 100644
+--- a/src/shared/logs-show.c
++++ b/src/shared/logs-show.c
+@@ -2088,7 +2088,7 @@ int journal_get_boots(sd_journal *j, BootId **ret_boots, size_t *ret_n_boots) {
+ if (sd_id128_equal(i->id, boot.id))
+ /* The boot id is already stored, something wrong with the journal files.
+ * Exiting as otherwise this problem would cause an infinite loop. */
+- break;
++ goto finish;
+
+ if (!GREEDY_REALLOC(boots, n_boots + 1))
+ return -ENOMEM;
+@@ -2096,6 +2096,7 @@ int journal_get_boots(sd_journal *j, BootId **ret_boots, size_t *ret_n_boots) {
+ boots[n_boots++] = boot;
+ }
+
++ finish:
+ *ret_boots = TAKE_PTR(boots);
+ *ret_n_boots = n_boots;
+ return n_boots > 0;
+--
+2.33.0
+
diff --git a/backport-shared-mountpoint-util-for-old-kernels-assume-noreco.patch b/backport-shared-mountpoint-util-for-old-kernels-assume-noreco.patch
new file mode 100644
index 0000000..cc7c30b
--- /dev/null
+++ b/backport-shared-mountpoint-util-for-old-kernels-assume-noreco.patch
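Review bot: The duplicate-boot-ID path now leaves journal_get_boots() through `goto finish` and returns success with a truncated list, so a caller cannot distinguish a corrupted journal from a journal that simply has fewer boots. A `log_debug("Duplicate boot ID found in journal files, stopping enumeration of boots.");` immediately before `goto finish;` would make the truncation visible in debug output, and the existing comment above the check could state that a partial result is returned on purpose. journal_get_boots() begins outside the hunk.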
@@ -0,0 +1,35 @@
+From 78e023aa021d44083a5f1213dadb32f5d0706b17 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?=
+Date: Tue, 21 May 2024 10:39:39 +0200
+Subject: [PATCH 0667/1160] shared/mountpoint-util: for old kernels, assume
+ "norecovery" is supported by btrfs
+
+Fixup for e3828d7103a99a15a1e947ba3063294ead590631, as requested in
+https://github.com/systemd/systemd/pull/32892#issuecomment-2117903328.
+
+(cherry picked from commit 055b465a3f56f9d53370a47b91af9cc2ffad4470)
+---
+ src/basic/mountpoint-util.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/src/basic/mountpoint-util.c b/src/basic/mountpoint-util.c
+index ffd7a54c3a..9897ca0aa6 100644
+--- a/src/basic/mountpoint-util.c
++++ b/src/basic/mountpoint-util.c
+@@ -511,8 +511,12 @@ const char* fstype_norecovery_option(const char *fstype) {
+ * old name if the new name doesn't work. */
+ if (streq(fstype, "btrfs")) {
+ r = mount_option_supported(fstype, "rescue=nologreplay", NULL);
++ if (r == -EAGAIN) {
++ log_debug_errno(r, "Failed to check for btrfs 'rescue=nologreplay' option, assuming old kernel with 'norecovery': %m");
++ return "norecovery";
++ }
+ if (r < 0)
+- log_debug_errno(r, "Failed to check for btrfs rescue=nologreplay option, assuming it is not supported: %m");
++ log_debug_errno(r, "Failed to check for btrfs 'rescue=nologreplay' option, assuming it is not supported: %m");
+ if (r > 0)
+ return "rescue=nologreplay";
+ }
+--
+2.33.0
+
diff --git a/backport-shared-open-file-use-xescape-to-escape.patch b/backport-shared-open-file-use-xescape-to-escape.patch
new file mode 100644
index 0000000..96915fa
--- /dev/null
+++ b/backport-shared-open-file-use-xescape-to-escape.patch
@@ -0,0 +1,52 @@ +From 20e98a9eb7ee0df59e9ce6192d57c76257ec9725 Mon Sep 17 00:00:00 2001 +From: Mike Yuan +Date: Tue, 9 Apr 2024 21:54:30 +0800 +Subject: [PATCH 0536/1160] shared/open-file: use xescape to escape ':' + +Fixes #32179 + +(cherry picked from commit c1f9509f79b1edf53975ebfa2052a23b23c42a49) +--- + src/shared/open-file.c | 2 +- + src/test/test-open-file.c | 10 ++++------ + 2 files changed, 5 insertions(+), 7 deletions(-) + +diff --git a/src/shared/open-file.c b/src/shared/open-file.c +index 42772bdabe..7d7a8a9bf9 100644 +--- a/src/shared/open-file.c ++++ b/src/shared/open-file.c +@@ -96,7 +96,7 @@ int open_file_to_string(const OpenFile *of, char **ret) { + assert(of); + assert(ret); + +- s = shell_escape(of->path, ":"); ++ s = xescape(of->path, ":"); + if (!s) + return -ENOMEM; + +diff --git a/src/test/test-open-file.c b/src/test/test-open-file.c +index 1b938ec5f7..4314d0de56 100644 +--- a/src/test/test-open-file.c ++++ b/src/test/test-open-file.c +@@ -172,14 +172,12 @@ TEST(open_file_to_string) { + assert_se(streq(s, "/proc/1/ns/mnt::read-only")); + + s = mfree(s); +- assert_se(free_and_strdup(&of->path, "/path:with:colon")); +- assert_se(free_and_strdup(&of->fdname, "path:with:colon")); ++ assert_se(free_and_strdup(&of->path, "/path:with:colon") >= 0); ++ assert_se(free_and_strdup(&of->fdname, "path:with:colon") >= 0); + of->flags = 0; + +- r = open_file_to_string(of, &s); +- +- assert_se(r >= 0); +- assert_se(streq(s, "/path\\:with\\:colon")); ++ assert_se(open_file_to_string(of, &s) >= 0); ++ assert_se(streq(s, "/path\\x3awith\\x3acolon")); + } + + DEFINE_TEST_MAIN(LOG_INFO); +-- +2.33.0 + diff --git a/backport-shared-verbs-minor-modernization.patch b/backport-shared-verbs-minor-modernization.patch new file mode 100644 index 0000000..735bf29 --- /dev/null +++ b/backport-shared-verbs-minor-modernization.patch 
@@ -0,0 +1,57 @@ +From 291818dadaa06e49d60c86a510527d2e45f5de0b Mon Sep 17 00:00:00 2001 +From: Mike Yuan +Date: Mon, 22 Apr 2024 17:33:54 +0800 +Subject: [PATCH 0523/1160] shared/verbs: minor modernization + +(cherry picked from commit 48fb49f1bdcae3c977883fe267d06c2e4a823046) +--- + src/shared/verbs.c | 18 ++++++++---------- + 1 file changed, 8 insertions(+), 10 deletions(-) + +diff --git a/src/shared/verbs.c b/src/shared/verbs.c +index a01095288c..f2e73a3aa0 100644 +--- a/src/shared/verbs.c ++++ b/src/shared/verbs.c +@@ -13,22 +13,21 @@ + #include "verbs.h" + #include "virt.h" + +-/* Wraps running_in_chroot() which is used in various places, but also adds an environment variable check so external +- * processes can reliably force this on. +- */ ++/* Wraps running_in_chroot() which is used in various places, but also adds an environment variable check ++ * so external processes can reliably force this on. */ + bool running_in_chroot_or_offline(void) { + int r; + +- /* Added to support use cases like rpm-ostree, where from %post scripts we only want to execute "preset", but +- * not "start"/"restart" for example. ++ /* Added to support use cases like rpm-ostree, where from %post scripts we only want to execute "preset", ++ * but not "start"/"restart" for example. + * + * See docs/ENVIRONMENT.md for docs. + */ + r = getenv_bool("SYSTEMD_OFFLINE"); +- if (r < 0 && r != -ENXIO) +- log_debug_errno(r, "Failed to parse $SYSTEMD_OFFLINE: %m"); +- else if (r >= 0) ++ if (r >= 0) + return r > 0; ++ if (r != -ENXIO) ++ log_debug_errno(r, "Failed to parse $SYSTEMD_OFFLINE, ignoring: %m"); + + /* We've had this condition check for a long time which basically checks for legacy chroot case like Fedora's + * "mock", which is used for package builds. 
We don't want to try to start systemd services there, since +@@ -40,8 +39,7 @@ bool running_in_chroot_or_offline(void) { + */ + r = running_in_chroot(); + if (r < 0) +- log_debug_errno(r, "running_in_chroot(): %m"); +- ++ log_debug_errno(r, "Failed to check if we're running in chroot, assuming not: %m"); + return r > 0; + } + +-- +2.33.0 + diff --git a/backport-shared-verbs-show-list-of-verbs-when-missing.patch b/backport-shared-verbs-show-list-of-verbs-when-missing.patch new file mode 100644 index 0000000..ec77313 --- /dev/null +++ b/backport-shared-verbs-show-list-of-verbs-when-missing.patch 
@@ -0,0 +1,53 @@ +From 68c313a358f07b9817194eac7391c6e0656d8bf5 Mon Sep 17 00:00:00 2001 +From: Mike Yuan +Date: Mon, 22 Apr 2024 17:40:53 +0800 +Subject: [PATCH 0524/1160] shared/verbs: show list of verbs when missing + +Replaces #32062 + +As discussed in #32062, making 'help' the default verb +is not very appealing for two reasons: + +1) If the verb is missing, showing a help which is pages long + isn't really helpful to locate the problem. + (https://github.com/systemd/systemd/pull/32062#issuecomment-2064997158) + +2) We want to reserve the right to set default verbs to be + more useful ones, instead of help. E.g. 'busctl' lists all + bus peers by default. + +So, when there are more than 2 verbs, let's instead add +the list of available verbs to the "Command verb required" +message, that serves as a hint. That way we try to be friendlier +to users, but still make the problem obvious. + +(cherry picked from commit adaf1f7ea38798d4ddbb3cff6513188fd6e98c9e) +--- + src/shared/verbs.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/src/shared/verbs.c b/src/shared/verbs.c +index f2e73a3aa0..a38591de1f 100644 +--- a/src/shared/verbs.c ++++ b/src/shared/verbs.c +@@ -143,6 +143,17 @@ int dispatch_verb(int argc, char *argv[], const Verb verbs[], void *userdata) { + return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Unknown command verb '%s'.", name); + } + ++ _cleanup_free_ char *verb_list = NULL; ++ size_t i; ++ ++ for (i = 0; verbs[i].dispatch; i++) ++ if (!strextend_with_separator(&verb_list, ", ", verbs[i].verb)) ++ return log_oom(); ++ ++ if (i > 2) ++ return log_error_errno(SYNTHETIC_ERRNO(EINVAL), ++ "Command verb required (one of %s).", verb_list); ++ + return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Command verb required."); + } + +-- +2.33.0 + diff --git a/backport-shell-completion-add-kernel-identify-inspect-verbs-f.patch b/backport-shell-completion-add-kernel-identify-inspect-verbs-f.patch new file mode 100644 index 0000000..81de59e 
--- /dev/null +++ b/backport-shell-completion-add-kernel-identify-inspect-verbs-f.patch @@ -0,0 +1,41 @@ +From a70cd6a8df936ac257df0753975b69d176b1a53b Mon Sep 17 00:00:00 2001 +From: Luca Boccassi +Date: Tue, 18 Feb 2025 21:15:08 +0000 +Subject: [PATCH 1128/1160] shell completion: add kernel-identify/inspect verbs + for bootctl + +Follow-up for a05255981ba5b04f1cf54ea656fbce1dfd9c3a68 +Follow-up for 3e0a3a0259324b4c40a9a62c8506fe683cd0273b + +(cherry picked from commit 6a6d4c3f3c123a1cbb6770f1cae8c130a48333e1) +(cherry picked from commit 769997ee17d64cf0cecd9db20ebe0af1f69dc23d) +(cherry picked from commit 1cd0325097ded1bbe91d366fce4699e252ab383c) +--- + shell-completion/bash/bootctl | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/shell-completion/bash/bootctl b/shell-completion/bash/bootctl +index 8d8b507ea9..494d1ebab9 100644 +--- a/shell-completion/bash/bootctl ++++ b/shell-completion/bash/bootctl +@@ -70,6 +70,7 @@ _bootctl() { + [STANDALONE]='help status install update remove is-installed random-seed systemd-efi-options list set-timeout set-timeout-oneshot cleanup' + [BOOTENTRY]='set-default set-oneshot unlink' + [BOOLEAN]='reboot-to-firmware' ++ [FILE]='kernel-identify kernel-inspect' + ) + + for ((i=0; i < COMP_CWORD; i++)); do +@@ -100,6 +101,9 @@ _bootctl() { + fi + elif __contains_word "$verb" ${VERBS[BOOLEAN]}; then + comps="yes no" ++ elif __contains_word "$verb" ${VERBS[FILE]}; then ++ comps=$( compgen -A file -- "$cur" ) ++ compopt -o filenames + fi + + COMPREPLY=( $(compgen -W '$comps' -- "$cur") ) +-- +2.33.0 + diff --git a/backport-shell-completion-add-missing-args-to-bash-resolvectl.patch b/backport-shell-completion-add-missing-args-to-bash-resolvectl.patch new file mode 100644 index 0000000..63500a3 --- /dev/null +++ b/backport-shell-completion-add-missing-args-to-bash-resolvectl.patch 
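Review bot: For the new FILE verbs the output of `compgen -A file -- "$cur"` is stored in `comps` and then re-expanded through the unchanged `COMPREPLY=( $(compgen -W '$comps' -- "$cur") )` at the end of _bootctl(), so a path containing whitespace is split into several bogus candidates; `compopt -o filenames` only affects how the final words are displayed and does not prevent the split. Filling COMPREPLY directly in that branch, `readarray -t COMPREPLY < <(compgen -A file -- "$cur"); compopt -o filenames; return 0`, avoids the re-split, although whether an early return fits the rest of the function cannot be judged from the hunk alone. The same pattern is used by the machinectl completion patch later in this series. _bootctl() begins and ends outside the hunk.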
@@ -0,0 +1,84 @@ +From df98c064c0b6bdc611c2635631bfb67884e3337e Mon Sep 17 00:00:00 2001 +From: Arthur Zamarin +Date: Sat, 27 Apr 2024 22:00:18 +0300 +Subject: [PATCH 0587/1160] shell-completion: add missing args to bash + resolvectl + +Signed-off-by: Arthur Zamarin +(cherry picked from commit 4a06acda25fb895f65ee24c6378cb8db47577c7a) +--- + shell-completion/bash/resolvectl | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +diff --git a/shell-completion/bash/resolvectl b/shell-completion/bash/resolvectl +index bd3e8bf939..810af40c28 100644 +--- a/shell-completion/bash/resolvectl ++++ b/shell-completion/bash/resolvectl +@@ -23,7 +23,7 @@ __contains_word () { + done + } + +-__get_interfaces(){ ++__get_interfaces() { + local name + for name in $(cd /sys/class/net && command ls); do + [[ "$name" != "lo" ]] && echo "$name" +@@ -35,10 +35,10 @@ _resolvectl() { + local cur=${COMP_WORDS[COMP_CWORD]} prev=${COMP_WORDS[COMP_CWORD-1]} + local -A OPTS=( + [STANDALONE]='-h --help --version -4 -6 --legend=no --cname=no +- --validate=no --synthesize=no --cache=no --zone=no ++ --validate=no --synthesize=no --cache=no --relax-single-label=no --zone=no + --trust-anchor=no --network=no --service-address=no + --service-txt=no --search=no --stale-data=no --no-pager' +- [ARG]='-t --type -c --class -i --interface -p --protocol --raw' ++ [ARG]='-t --type -c --class -i --interface -p --protocol --raw --json' + ) + local -A VERBS=( + [DOMAIN]='query service openpgp' +@@ -49,7 +49,7 @@ _resolvectl() { + [RESOLVE]='llmnr mdns' + [DNSSEC]='dnssec' + [DNSOVERTLS]='dnsovertls' +- [STANDALONE]='statistics reset-statistics flush-caches reset-server-features show-cache' ++ [STANDALONE]='statistics reset-statistics flush-caches reset-server-features monitor show-cache show-server-state' + [LOG_LEVEL]='log-level' + ) + local -A ARGS=( +@@ -59,14 +59,13 @@ _resolvectl() { + [DNSSEC]='yes no allow-downgrade' + [DNSOVERTLS]='yes no opportunistic' + ) +- local interfaces=$( 
__get_interfaces ) + + if __contains_word "$prev" ${OPTS[ARG]}; then + case $prev in + --interface|-i) +- comps="$interfaces" ++ comps=$( __get_interfaces ) + ;; +- --protocol|-p|--type|-t|--class|-c) ++ --protocol|-p|--type|-t|--class|-c|--json) + comps=$( resolvectl --legend=no "$prev" help; echo help ) + ;; + --raw) +@@ -97,7 +96,7 @@ _resolvectl() { + comps='' + + elif __contains_word "$verb" ${VERBS[STATUS]}; then +- comps="$interfaces" ++ comps=$( __get_interfaces ) + + elif __contains_word "$verb" ${VERBS[LOG_LEVEL]}; then + comps='debug info notice warning err crit alert emerg' +@@ -117,6 +116,7 @@ _resolvectl() { + fi + + elif __contains_word "$verb" ${VERBS[LINK]} ${VERBS[BOOLEAN]} ${VERBS[RESOLVE]} ${VERBS[DNSSEC]} ${VERBS[DNSOVERTLS]}; then ++ local interfaces=$( __get_interfaces ) + for ((i++; i < COMP_CWORD; i++)); do + if __contains_word "${COMP_WORDS[i]}" $interfaces && + ! __contains_word "${COMP_WORDS[i-1]}" ${OPTS[ARG]}; then +-- +2.33.0 + diff --git a/backport-shell-completion-fix-machinectl-import-tar-raw.patch b/backport-shell-completion-fix-machinectl-import-tar-raw.patch new file mode 100644 index 0000000..62e3d36 --- /dev/null +++ b/backport-shell-completion-fix-machinectl-import-tar-raw.patch 
@@ -0,0 +1,33 @@ +From aff1099b0a4adb9dc7de20fb1914a80f80f88c21 Mon Sep 17 00:00:00 2001 +From: Arthur Zamarin +Date: Fri, 26 Apr 2024 12:10:26 +0300 +Subject: [PATCH 0573/1160] shell completion: fix machinectl import-{tar,raw} + +Signed-off-by: Arthur Zamarin +(cherry picked from commit 3eb329bfb5df8f5b6eba9cef195dff54b9ba0e4b) +--- + shell-completion/bash/machinectl | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/shell-completion/bash/machinectl b/shell-completion/bash/machinectl +index b28769b0b6..6e89a3c1d2 100644 +--- a/shell-completion/bash/machinectl ++++ b/shell-completion/bash/machinectl +@@ -106,8 +106,12 @@ _machinectl() { + comps=$( __get_machines ) + + elif __contains_word "$verb" ${VERBS[FILE]}; then +- comps=$(compgen -f -- "cur") +- compopt -o filenames ++ if (( COMP_CWORD == i + 1 )); then # first argument after verb ++ comps=$(compgen -f -- "$cur") ++ compopt -o filenames ++ else ++ comps='' ++ fi + fi + + COMPREPLY=( $(compgen -W '$comps' -- "$cur") ) +-- +2.33.0 + diff --git a/backport-shell-completions-install-new-completions-which-were.patch b/backport-shell-completions-install-new-completions-which-were.patch new file mode 100644 index 0000000..3759663 --- /dev/null +++ b/backport-shell-completions-install-new-completions-which-were.patch 
@@ -0,0 +1,35 @@ +From 78432e557b9aea6e879ba01753b7bacbc83435b1 Mon Sep 17 00:00:00 2001 +From: Arthur Zamarin +Date: Fri, 26 Apr 2024 18:43:38 +0300 +Subject: [PATCH 0577/1160] shell-completions: install new completions which + were forgotten + +Signed-off-by: Arthur Zamarin +(cherry picked from commit 2055011a19433a17982240c13a681fc5e4e3acd7) +--- + shell-completion/bash/meson.build | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/shell-completion/bash/meson.build b/shell-completion/bash/meson.build +index 1588b538d8..16307fe326 100644 +--- a/shell-completion/bash/meson.build ++++ b/shell-completion/bash/meson.build +@@ -35,6 +35,7 @@ items = [['busctl', ''], + ['coredumpctl', 'ENABLE_COREDUMP'], + ['homectl', 'ENABLE_HOMED'], + ['hostnamectl', 'ENABLE_HOSTNAMED'], ++ ['importctl', 'ENABLE_IMPORTD'], + ['kernel-install', 'ENABLE_KERNEL_INSTALL'], + ['localectl', 'ENABLE_LOCALED'], + ['loginctl', 'ENABLE_LOGIND'], +@@ -44,6 +45,7 @@ items = [['busctl', ''], + ['portablectl', 'ENABLE_PORTABLED'], + ['resolvectl', 'ENABLE_RESOLVE'], + ['systemd-cryptenroll', 'HAVE_LIBCRYPTSETUP'], ++ ['systemd-confext', 'ENABLE_SYSEXT'], + ['systemd-dissect', 'HAVE_BLKID'], + ['systemd-resolve', 'ENABLE_RESOLVE'], + ['systemd-sysext', 'ENABLE_SYSEXT'], +-- +2.33.0 + diff --git a/backport-show-status-suffix-output-ith-CRNL-rather-than-just-.patch b/backport-show-status-suffix-output-ith-CRNL-rather-than-just-.patch new file mode 100644 index 0000000..791dde7 --- /dev/null +++ b/backport-show-status-suffix-output-ith-CRNL-rather-than-just-.patch 
@@ -0,0 +1,34 @@
+From d7e9123b1796b25304f6082a34f3e7f392d7d744 Mon Sep 17 00:00:00 2001
+From: Lennart Poettering
+Date: Fri, 24 Nov 2023 16:41:47 +0100
+Subject: [PATCH 0006/1160] show-status: suffix output ith CRNL rather than
+ just NL
+
+This is similar to #30183 but focusses on the status output rather than
+the log output.
+
+Since the status output always goes to a TTY we don't have to
+conditionalize things on isatty().
+
+Fixes: #30184
+(cherry picked from commit 936fcc4668125ab4dd198b14288b318308d9f7de)
+---
+ src/core/show-status.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/core/show-status.c b/src/core/show-status.c
+index 1d47c0af4d..606237ee0e 100644
+--- a/src/core/show-status.c
++++ b/src/core/show-status.c
+@@ -94,7 +94,7 @@ int status_vprintf(const char *status, ShowStatusFlags flags, const char *format
+ }
+
+ iovec[n++] = IOVEC_MAKE_STRING(s);
+- iovec[n++] = IOVEC_MAKE_STRING("\n");
++ iovec[n++] = IOVEC_MAKE_STRING("\r\n"); /* use CRNL instead of just NL, to be robust towards TTYs in raw mode */
+
+ if (prev_ephemeral && !FLAGS_SET(flags, SHOW_STATUS_EPHEMERAL))
+ iovec[n++] = IOVEC_MAKE_STRING(ANSI_ERASE_TO_END_OF_LINE);
+--
+2.33.0
+
diff --git a/backport-shutdown-Send-EXIT_STATUS-before-final-sync.patch b/backport-shutdown-Send-EXIT_STATUS-before-final-sync.patch
new file mode 100644
index 0000000..ae67d70
--- /dev/null
+++ b/backport-shutdown-Send-EXIT_STATUS-before-final-sync.patch
@@ -0,0 +1,54 @@ +From 82afcbd944f3ae88dbdcab7418b7db6efb65777d Mon Sep 17 00:00:00 2001 +From: Daan De Meyer +Date: Sun, 17 Dec 2023 19:41:56 +0100 +Subject: [PATCH 0081/1160] shutdown: Send EXIT_STATUS before final sync + +There's a race condition where the EXIT_STATUS= message we send +just before shutting down the VM doesn't arrive on the host, +presumably because the VM is shut down before the kernel has had a +chance to forward the message to the host. + +Since there's no obvious way to wait until the message has been +flushed to the host, let's send the message before we execute the +final sync() instead of after executing the final sync(). In my +testing, this seems to either guarantee the message is sent or +introduces sufficient delay that the kernel always has time to flush +its socket buffers to the host. + +(cherry picked from commit c88753db45082c95ffd005e7a9e789f328989d46) +--- + src/shutdown/shutdown.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +diff --git a/src/shutdown/shutdown.c b/src/shutdown/shutdown.c +index b976b7d8cf..b709078afe 100644 +--- a/src/shutdown/shutdown.c ++++ b/src/shutdown/shutdown.c +@@ -387,6 +387,13 @@ int main(int argc, char *argv[]) { + goto error; + } + ++ /* This is primarily useful when running systemd in a VM, as it provides the user running the VM with ++ * a mechanism to pick up systemd's exit status in the VM. Note that we execute this as early as ++ * possible since otherwise we might shut down the VM before the AF_VSOCK buffers have been flushed. 
++ * While this doesn't guarantee the message will arrive, in practice we do enough work after this ++ * that the message should always arrive on the host */ ++ (void) sd_notifyf(0, "EXIT_STATUS=%i", arg_exit_code); ++ + (void) cg_get_root_path(&cgroup); + bool in_container = detect_container() > 0; + +@@ -582,10 +589,6 @@ int main(int argc, char *argv[]) { + if (!in_container) + sync_with_progress(); + +- /* This is primarily useful when running systemd in a VM, as it provides the user running the VM with +- * a mechanism to pick up systemd's exit status in the VM. */ +- (void) sd_notifyf(0, "EXIT_STATUS=%i", arg_exit_code); +- + if (streq(arg_verb, "exit")) { + if (in_container) { + log_info("Exiting container."); +-- +2.33.0 + diff --git a/backport-shutdown-clean-up-sync_with_progress-a-bit.patch b/backport-shutdown-clean-up-sync_with_progress-a-bit.patch index dae8534..4a25c9b 100644 --- a/backport-shutdown-clean-up-sync_with_progress-a-bit.patch +++ b/backport-shutdown-clean-up-sync_with_progress-a-bit.patch @@ -1,22 +1,21 @@ -From 758760a3610e3c6674de8a1d51b12b991eafef7c Mon Sep 17 00:00:00 2001 +From f11fa8399c7a8a55e830888d754480fde5e220f6 Mon Sep 17 00:00:00 2001 From: Mike Yuan Date: Wed, 5 Jun 2024 17:53:27 +0200 -Subject: [PATCH] shutdown: clean up sync_with_progress a bit +Subject: [PATCH 1004/1160] shutdown: clean up sync_with_progress a bit Also, ignore the error on caller's side. -Conflict:context adaption. -Reference:https://github.com/systemd/systemd/commit/758760a3610e3c6674de8a1d51b12b991eafef7c - +(cherry picked from commit 758760a3610e3c6674de8a1d51b12b991eafef7c) +(cherry picked from commit 489cf962ada63e3d26d8f91b589aff170bc65317) --- src/shutdown/shutdown.c | 67 ++++++++++++++++++----------------------- 1 file changed, 29 insertions(+), 38 deletions(-) diff --git a/src/shutdown/shutdown.c b/src/shutdown/shutdown.c -index 46f22cfc..8e11e353 100644 +index b709078afe..9b44ca7de6 100644 --- a/src/shutdown/shutdown.c 
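Review bot: Moving `(void) sd_notifyf(0, "EXIT_STATUS=%i", arg_exit_code);` ahead of the final sync changes what the notification means to a host consumer: it is no longer a signal that the shutdown work has completed, only an announcement of the exit code chosen at that point, and nothing that fails after this line is reflected in it. The new comment explains the timing motivation but not this consequence; a sentence such as `/* Note that this is sent before the final sync and device detach steps, so it announces the exit code, not that shutdown finished. */` would keep consumers from treating it as a completion marker. Whether arg_exit_code can still change between this point and the old location is not visible here, since main() starts and ends outside the hunk.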
+++ b/src/shutdown/shutdown.c -@@ -188,7 +188,9 @@ static int switch_root_initramfs(void) { +@@ -189,7 +189,9 @@ static int switch_root_initramfs(void) { static int sync_making_progress(unsigned long long *prev_dirty) { _cleanup_fclose_ FILE *f = NULL; unsigned long long val = 0; @@ -27,7 +26,7 @@ index 46f22cfc..8e11e353 100644 f = fopen("/proc/meminfo", "re"); if (!f) -@@ -196,13 +198,12 @@ static int sync_making_progress(unsigned long long *prev_dirty) { +@@ -197,13 +199,12 @@ static int sync_making_progress(unsigned long long *prev_dirty) { for (;;) { _cleanup_free_ char *line = NULL; @@ -46,7 +45,7 @@ index 46f22cfc..8e11e353 100644 break; if (!first_word(line, "NFS_Unstable:") && !first_word(line, "Writeback:") && !first_word(line, "Dirty:")) -@@ -210,25 +211,20 @@ static int sync_making_progress(unsigned long long *prev_dirty) { +@@ -211,25 +212,20 @@ static int sync_making_progress(unsigned long long *prev_dirty) { errno = 0; if (sscanf(line, "%*s %llu %*s", &ull) != 1) { @@ -76,7 +75,7 @@ index 46f22cfc..8e11e353 100644 pid_t pid; int r; -@@ -238,37 +234,32 @@ static void sync_with_progress(void) { +@@ -239,37 +235,32 @@ static void sync_with_progress(void) { * the progress. If the timeout lapses, the assumption is that the particular sync stalled. */ r = asynchronous_sync(&pid); @@ -129,7 +128,7 @@ index 46f22cfc..8e11e353 100644 } static int read_current_sysctl_printk_log_level(void) { -@@ -436,7 +427,7 @@ int main(int argc, char *argv[]) { +@@ -424,7 +415,7 @@ int main(int argc, char *argv[]) { * desperately trying to sync IO to disk within their timeout. Do not remove this sync, data corruption will * result. */ if (!in_container) 
@@ -138,15 +137,15 @@ index 46f22cfc..8e11e353 100644 disable_coredumps(); disable_binfmt(); -@@ -604,7 +595,7 @@ int main(int argc, char *argv[]) { +@@ -587,7 +578,7 @@ int main(int argc, char *argv[]) { * which might have caused IO, hence let's do it once more. Do not remove this sync, data corruption * will result. */ if (!in_container) - sync_with_progress(); + (void) sync_with_progress(); - /* This is primarily useful when running systemd in a VM, as it provides the user running the VM with - * a mechanism to pick up systemd's exit status in the VM. */ + if (streq(arg_verb, "exit")) { + if (in_container) { -- -2.43.0 +2.33.0 diff --git a/backport-shutdown-close-DM-block-device-before-issuing-DM_DEV.patch b/backport-shutdown-close-DM-block-device-before-issuing-DM_DEV.patch index 07e0b70..a74e681 100644 --- a/backport-shutdown-close-DM-block-device-before-issuing-DM_DEV.patch +++ b/backport-shutdown-close-DM-block-device-before-issuing-DM_DEV.patch @@ -1,8 +1,8 @@ -From c7689286f631b1dc6b4d7a56c9f056eb1d2eead1 Mon Sep 17 00:00:00 2001 +From bb1823d3ffcf432b5175ef24049b65e7b348705b Mon Sep 17 00:00:00 2001 From: Yu Watanabe Date: Sat, 23 Nov 2024 05:47:40 +0900 -Subject: [PATCH] shutdown: close DM block device before issuing DM_DEV_REMOVE - ioctl +Subject: [PATCH 1028/1160] shutdown: close DM block device before issuing + DM_DEV_REMOVE ioctl Otherwise, the ioctl() may fail with EBUSY. @@ -11,10 +11,6 @@ Hopefully fixes #35243. (cherry picked from commit b76730f3fe0e824db001b38c8ea848302be786ee) (cherry picked from commit b30364a0378881c6f0d0ff3124f56f4da989d91c) -(cherry picked from commit bb1823d3ffcf432b5175ef24049b65e7b348705b) - -Conflict:NA -Reference:https://github.com/systemd/systemd-stable/commit/c7689286f631b1dc6b4d7a56c9f056eb1d2eead1 --- src/shutdown/detach-dm.c | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) 
diff --git a/backport-shutdown-replace-unbounded-fsync-with-bounded-sync_w.patch b/backport-shutdown-replace-unbounded-fsync-with-bounded-sync_w.patch index 2902186..28e5325 100644 --- a/backport-shutdown-replace-unbounded-fsync-with-bounded-sync_w.patch +++ b/backport-shutdown-replace-unbounded-fsync-with-bounded-sync_w.patch @@ -1,16 +1,14 @@ -From b4b66b26620bfaf5818c95d5cffafd85207694e7 Mon Sep 17 00:00:00 2001 +From 74667d46bacfb13f04d53e1dbbfdbcd06f319622 Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Mon, 9 Sep 2024 17:53:03 +0200 -Subject: [PATCH] shutdown: replace unbounded fsync() with bounded +Subject: [PATCH 1006/1160] shutdown: replace unbounded fsync() with bounded sync_with_progress() Let's put a time-out on this syncing. Inspired-by: #34289 #34283 - -Conflict:NA -Reference:https://github.com/systemd/systemd/pull/34330/commits/b4b66b26620bfaf5818c95d5cffafd85207694e7 - +(cherry picked from commit b4b66b26620bfaf5818c95d5cffafd85207694e7) +(cherry picked from commit dbf933478f16d68b61150b845c4f897ae3b7a91a) --- src/shutdown/detach-dm.c | 11 ++++++----- src/shutdown/detach-loopback.c | 4 ++-- @@ -18,7 +16,7 @@ Reference:https://github.com/systemd/systemd/pull/34330/commits/b4b66b26620bfaf5 3 files changed, 10 insertions(+), 9 deletions(-) diff --git a/src/shutdown/detach-dm.c b/src/shutdown/detach-dm.c -index f6f672c7..bddd748d 100644 +index 8b8f72d678..0d1b0fc451 100644 --- a/src/shutdown/detach-dm.c +++ b/src/shutdown/detach-dm.c @@ -15,7 +15,7 @@ @@ -54,7 +52,7 @@ index f6f672c7..bddd748d 100644 return RET_NERRNO(ioctl(fd, DM_DEV_REMOVE, &(struct dm_ioctl) { .version = { diff --git a/src/shutdown/detach-loopback.c b/src/shutdown/detach-loopback.c -index 267509f7..8778a9e0 100644 +index 267509f7d0..8778a9e0c4 100644 --- a/src/shutdown/detach-loopback.c +++ b/src/shutdown/detach-loopback.c @@ -18,6 +18,7 @@ 
@@ -76,7 +74,7 @@ index 267509f7..8778a9e0 100644 if (ioctl(fd, LOOP_CLR_FD, 0) < 0) { if (errno == ENXIO) /* Nothing bound, didn't do anything */ diff --git a/src/shutdown/detach-md.c b/src/shutdown/detach-md.c -index ac46670f..b1aad976 100644 +index cf3130d4a7..513bbdcef1 100644 --- a/src/shutdown/detach-md.c +++ b/src/shutdown/detach-md.c @@ -17,6 +17,7 @@ @@ -98,5 +96,5 @@ index ac46670f..b1aad976 100644 return RET_NERRNO(ioctl(fd, STOP_ARRAY, NULL)); } -- -2.43.0 +2.33.0 diff --git a/backport-shutdown-teach-sync_with_progress-to-optionally-sync.patch b/backport-shutdown-teach-sync_with_progress-to-optionally-sync.patch index 4d7aea0..2c70542 100644 --- a/backport-shutdown-teach-sync_with_progress-to-optionally-sync.patch +++ b/backport-shutdown-teach-sync_with_progress-to-optionally-sync.patch @@ -1,15 +1,14 @@ -From 13b5225d6278af15e84ebd1889f04cfe81b47787 Mon Sep 17 00:00:00 2001 +From be91329e17b338f60d52b552f554ff6ba5574bed Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Mon, 9 Sep 2024 17:49:33 +0200 -Subject: [PATCH] shutdown: teach sync_with_progress() to optionally sync a - specific fd only +Subject: [PATCH 1005/1160] shutdown: teach sync_with_progress() to optionally + sync a specific fd only This is preparation for reusing the logic for syncing DM and other devices with a timeout applied. -Conflict:context adaption. -Reference:https://github.com/systemd/systemd/pull/34330/commits/13b5225d6278af15e84ebd1889f04cfe81b47787 - +(cherry picked from commit 13b5225d6278af15e84ebd1889f04cfe81b47787) +(cherry picked from commit 05df6c341951e40aca02cb116002b05ec2a26c16) --- src/shared/async.c | 22 ++++++++++++++++++++++ src/shared/async.h | 1 + @@ -19,7 +18,7 @@ Reference:https://github.com/systemd/systemd/pull/34330/commits/13b5225d6278af15 create mode 100644 src/shutdown/shutdown.h diff --git a/src/shared/async.c b/src/shared/async.c -index bbb8b810..bd043c84 100644 +index 41f6b97e02..563daed3c9 100644 --- a/src/shared/async.c +++ b/src/shared/async.c 
@@ -34,6 +34,28 @@ int asynchronous_sync(pid_t *ret_pid) { @@ -52,7 +51,7 @@ index bbb8b810..bd043c84 100644 * we need to fork again */ #define NEED_DOUBLE_FORK (1U << (sizeof(unsigned) * 8 - 1)) diff --git a/src/shared/async.h b/src/shared/async.h -index 96148f90..2f5bbd51 100644 +index 96148f9006..2f5bbd51a5 100644 --- a/src/shared/async.h +++ b/src/shared/async.h @@ -20,6 +20,7 @@ @@ -64,7 +63,7 @@ index 96148f90..2f5bbd51 100644 int asynchronous_rm_rf(const char *p, RemoveFlags flags); diff --git a/src/shutdown/shutdown.c b/src/shutdown/shutdown.c -index 03e6e70f..e6c9e0f8 100644 +index 9b44ca7de6..a4ef94c0ef 100644 --- a/src/shutdown/shutdown.c +++ b/src/shutdown/shutdown.c @@ -40,6 +40,7 @@ @@ -75,7 +74,7 @@ index 03e6e70f..e6c9e0f8 100644 #include "signal-util.h" #include "string-util.h" #include "switch-root.h" -@@ -223,8 +224,10 @@ static int sync_making_progress(unsigned long long *prev_dirty) { +@@ -224,8 +225,10 @@ static int sync_making_progress(unsigned long long *prev_dirty) { return r; } @@ -87,7 +86,7 @@ index 03e6e70f..e6c9e0f8 100644 pid_t pid; int r; -@@ -233,11 +236,20 @@ static int sync_with_progress(void) { +@@ -234,11 +237,20 @@ static int sync_with_progress(void) { /* Due to the possibility of the sync operation hanging, we fork a child process and monitor * the progress. If the timeout lapses, the assumption is that the particular sync stalled. */ @@ -112,7 +111,7 @@ index 03e6e70f..e6c9e0f8 100644 /* Start monitoring the sync operation. If more than * SYNC_PROGRESS_ATTEMPTS lapse without progress being made, -@@ -248,7 +260,7 @@ static int sync_with_progress(void) { +@@ -249,7 +261,7 @@ static int sync_with_progress(void) { /* Sync finished without error (sync() call itself does not return an error code) */ return 0; if (r != -ETIMEDOUT) 
@@ -121,7 +120,7 @@ index 03e6e70f..e6c9e0f8 100644 /* Reset the check counter if we made some progress */ if (sync_making_progress(&dirty) > 0) -@@ -258,7 +270,8 @@ static int sync_with_progress(void) { +@@ -259,7 +271,8 @@ static int sync_with_progress(void) { /* Only reached in the event of a timeout. We should issue a kill to the stray process. */ (void) kill(pid, SIGKILL); return log_error_errno(SYNTHETIC_ERRNO(ETIMEDOUT), @@ -131,7 +130,7 @@ index 03e6e70f..e6c9e0f8 100644 pid); } -@@ -432,7 +445,7 @@ int main(int argc, char *argv[]) { +@@ -415,7 +428,7 @@ int main(int argc, char *argv[]) { * desperately trying to sync IO to disk within their timeout. Do not remove this sync, data corruption will * result. */ if (!in_container) @@ -140,18 +139,18 @@ index 03e6e70f..e6c9e0f8 100644 disable_coredumps(); disable_binfmt(); -@@ -600,7 +613,7 @@ int main(int argc, char *argv[]) { +@@ -578,7 +591,7 @@ int main(int argc, char *argv[]) { * which might have caused IO, hence let's do it once more. Do not remove this sync, data corruption * will result. */ if (!in_container) - (void) sync_with_progress(); + (void) sync_with_progress(-EBADF); - /* This is primarily useful when running systemd in a VM, as it provides the user running the VM with - * a mechanism to pick up systemd's exit status in the VM. */ + if (streq(arg_verb, "exit")) { + if (in_container) { diff --git a/src/shutdown/shutdown.h b/src/shutdown/shutdown.h new file mode 100644 -index 00000000..99aaec69 +index 0000000000..99aaec697b --- /dev/null +++ b/src/shutdown/shutdown.h @@ -0,0 +1,4 @@ @@ -160,5 +159,5 @@ index 00000000..99aaec69 + +int sync_with_progress(int fd); -- -2.43.0 +2.33.0 diff --git a/backport-sleep-connect-to-correct-bus-when-locking-homed-mana.patch b/backport-sleep-connect-to-correct-bus-when-locking-homed-mana.patch new file mode 100644 index 0000000..aba2d22 --- /dev/null +++ b/backport-sleep-connect-to-correct-bus-when-locking-homed-mana.patch 
@@ -0,0 +1,31 @@
+From 26303b26b905da72c208def4209ee25e3b1039f4 Mon Sep 17 00:00:00 2001
+From: Mike Yuan
+Date: Tue, 26 Dec 2023 20:38:47 +0800
+Subject: [PATCH 0093/1160] sleep: connect to correct bus when locking
+ homed-managed homes
+
+Partially reverts 122f6f1eaa4447449c7054793f6497eb9e4d03c6
+
+Fixes https://github.com/systemd/systemd/issues/29938#issuecomment-1869508708
+
+(cherry picked from commit e14348c616eb8a8a38528b8b451a846089c4a72c)
+---
+ src/sleep/sleep.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/sleep/sleep.c b/src/sleep/sleep.c
+index 21af3e9e52..c234fc234c 100644
+--- a/src/sleep/sleep.c
++++ b/src/sleep/sleep.c
+@@ -176,7 +176,7 @@ static int lock_all_homes(void) {
+ /* Let's synchronously lock all home directories managed by homed that have been marked for it. This
+ * way the key material required to access these volumes is hopefully removed from memory. */
+
+- r = bus_connect_system_systemd(&bus);
++ r = sd_bus_open_system(&bus);
+ if (r < 0)
+ return log_error_errno(r, "Failed to connect to system bus: %m");
+
+-- 
+2.33.0
+
diff --git a/backport-sleep-don-t-log-duplicate-error.patch b/backport-sleep-don-t-log-duplicate-error.patch
new file mode 100644
index 0000000..fb16ac9
--- /dev/null
+++ b/backport-sleep-don-t-log-duplicate-error.patch
@@ -0,0 +1,31 @@
+From 8094ac00a28f564ce6534d6fa10cc4d9221d56ca Mon Sep 17 00:00:00 2001
+From: Mike Yuan
+Date: Wed, 27 Dec 2023 22:31:57 +0800
+Subject: [PATCH 0095/1160] sleep: don't log duplicate error
+
+write_resume_config() logs error on its own.
+
+(cherry picked from commit fe33920c2aee9fcde7c4602633f41b6ce1858870)
+---
+ src/sleep/sleep.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/src/sleep/sleep.c b/src/sleep/sleep.c
+index c234fc234c..21062b24e0 100644
+--- a/src/sleep/sleep.c
++++ b/src/sleep/sleep.c
+@@ -253,10 +253,8 @@ static int execute(
+ return r;
+
+ r = write_resume_config(hibernation_device.devno, hibernation_device.offset, hibernation_device.path);
+- if (r < 0) {
+- log_error_errno(r, "Failed to write hibernation device to /sys/power/resume or /sys/power/resume_offset: %m");
++ if (r < 0)
+ goto fail;
+- }
+ }
+
+ r = write_mode(sleep_config->modes[operation]);
+-- 
+2.33.0
+
diff --git a/backport-src-basic-missing_loop.h-fix-missing-LOOP_SET_BLOCK_.patch b/backport-src-basic-missing_loop.h-fix-missing-LOOP_SET_BLOCK_.patch
new file mode 100644
index 0000000..e0af61d
--- /dev/null
+++ b/backport-src-basic-missing_loop.h-fix-missing-LOOP_SET_BLOCK_.patch
@@ -0,0 +1,41 @@ +From ed087e865896521e5965f218ee61e074a0a098d9 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Rapha=C3=ABl=20M=C3=A9lotte?= +Date: Fri, 14 Jun 2024 14:37:29 +0200 +Subject: [PATCH 0859/1160] src/basic/missing_loop.h: fix missing + LOOP_SET_BLOCK_SIZE +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Builds with kernels headers < 4.14 fail with: + +../src/shared/loop-util.c: In function ‘loop_configure_fallback’: +../src/shared/loop-util.c:237:31: error: ‘LOOP_SET_BLOCK_SIZE’ undeclared (first use in this function); did you mean ‘LOOP_SET_DIRECT_IO’? + if (ioctl(fd, LOOP_SET_BLOCK_SIZE, (unsigned long) c->block_size) < 0) + ^~~~~~~~~~~~~~~~~~~ + LOOP_SET_DIRECT_IO + +Fixes: https://github.com/systemd/systemd/issues/33341 + +Signed-off-by: Raphaël Mélotte +(cherry picked from commit 56ab1c54497d9fac74380ff9e11aaf931a917d2b) +(cherry picked from commit 0730ec4f3ecbbb550864ff0dbadeeeb5e271eb50) +--- + src/basic/missing_loop.h | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/src/basic/missing_loop.h b/src/basic/missing_loop.h +index 24b3e0def9..e9c8bae662 100644 +--- a/src/basic/missing_loop.h ++++ b/src/basic/missing_loop.h +@@ -22,3 +22,7 @@ struct loop_config { + #ifndef LOOP_SET_STATUS_SETTABLE_FLAGS + #define LOOP_SET_STATUS_SETTABLE_FLAGS (LO_FLAGS_AUTOCLEAR | LO_FLAGS_PARTSCAN) + #endif ++ ++#ifndef LOOP_SET_BLOCK_SIZE ++# define LOOP_SET_BLOCK_SIZE 0x4C09 ++#endif +-- +2.33.0 + diff --git a/backport-src-pcrlock-pcrlock.c-Handle-empty-pcrlock.d-directo.patch b/backport-src-pcrlock-pcrlock.c-Handle-empty-pcrlock.d-directo.patch new file mode 100644 index 0000000..7993b6e --- /dev/null +++ b/backport-src-pcrlock-pcrlock.c-Handle-empty-pcrlock.d-directo.patch 
@@ -0,0 +1,99 @@ +From 0bcea6761243d159adec619d0dd843751558d0f8 Mon Sep 17 00:00:00 2001 +From: Arnaud Patard +Date: Mon, 8 Jul 2024 15:39:14 +0200 +Subject: [PATCH 0842/1160] src/pcrlock/pcrlock.c: Handle empty pcrlock.d + directories + +Running the following commands: + + # mkdir -p /var/lib/pcrlock.d/123-empty.pcrlock.d + # /usr/lib/systemd/systemd-pcrlock predict --pcr=1+2+3+4+5+16 + +Will result in: + +... +Floating point exception + +Running the following commands: + # mkdir -p /var/lib/pcrlock.d/123-empty.pcrlock.d + # /usr/lib/systemd/systemd-pcrlock make-policy --pcr=1+2+3+4+5+16 + +Will result to this (partial) log: +... +Predicted future PCRs in 133us. +[] +... +Written policy digest 0000000000000000000000000000000000000000000000000000000000000000 to NV index 0x1921da6 +... + +So, add missing checks to handle gracefully cases where there's no variant +inside the component. + +Signed-off-by: Arnaud Patard +(cherry picked from commit e7a93e75219b22424bab95fe45982f5eef21d581) +(cherry picked from commit 74f830e048beab8b48c4a25dcb8666a861981aec) +--- + src/pcrlock/pcrlock.c | 16 +++++++++++++++- + test/units/testsuite-70.pcrlock.sh | 5 +++++ + 2 files changed, 20 insertions(+), 1 deletion(-) + +diff --git a/src/pcrlock/pcrlock.c b/src/pcrlock/pcrlock.c +index dde4dd93d6..ae4a357d30 100644 +--- a/src/pcrlock/pcrlock.c ++++ b/src/pcrlock/pcrlock.c +@@ -1891,6 +1891,9 @@ static int event_log_map_components(EventLog *el) { + continue; + } + ++ if (c->n_variants == 0) ++ log_notice("Component '%s' has no defined variants.", c->id); ++ + FOREACH_ARRAY(ii, c->variants, c->n_variants) { + EventLogComponentVariant *i = *ii; + +@@ -3973,6 +3976,15 @@ static int event_log_predict_pcrs( + + component = ASSERT_PTR(el->components[component_index]); + ++ if (component->n_variants == 0) ++ return event_log_predict_pcrs( ++ el, ++ context, ++ parent_result, ++ component_index + 1, /* Next component */ ++ pcr, ++ path); ++ + FOREACH_ARRAY(ii, component->variants, 
component->n_variants) { + _cleanup_free_ Tpm2PCRPredictionResult *result = NULL; + EventLogComponentVariant *variant = *ii; +@@ -4031,7 +4043,9 @@ static ssize_t event_log_calculate_component_combinations(EventLog *el) { + /* Overflow check */ + if (c->n_variants > (size_t) (SSIZE_MAX/count)) + return log_error_errno(SYNTHETIC_ERRNO(E2BIG), "Too many component combinations."); +- ++ /* If no variant, this will lead to count being 0 and sigfpe */ ++ if (c->n_variants == 0) ++ continue; + count *= c->n_variants; + } + +diff --git a/test/units/testsuite-70.pcrlock.sh b/test/units/testsuite-70.pcrlock.sh +index 3da992613b..61ebc24f75 100755 +--- a/test/units/testsuite-70.pcrlock.sh ++++ b/test/units/testsuite-70.pcrlock.sh +@@ -89,6 +89,11 @@ systemd-cryptenroll --unlock-key-file=/tmp/pcrlockpwd --tpm2-device=auto --tpm2- + systemd-cryptsetup attach pcrlock "$img" - tpm2-device=auto,tpm2-pcrlock=/var/lib/systemd/pcrlock.json,headless + systemd-cryptsetup detach pcrlock + ++# Ensure systemd-pcrlock not crashing on empty variant directory ++mkdir -p /var/lib/pcrlock.d/123-empty.pcrlock.d ++"$SD_PCRLOCK" predict --pcr="$PCRS" ++rm -rf /var/lib/pcrlock.d/123-empty.pcrlock.d ++ + # Measure something into PCR 16 (the "debug" PCR), which should make the activation fail + "$SD_PCREXTEND" --pcr=16 test70 + +-- +2.33.0 + diff --git a/backport-stat-util-introduce-stat-fd-_verify_linked.patch b/backport-stat-util-introduce-stat-fd-_verify_linked.patch new file mode 100644 index 0000000..1028d7b --- /dev/null +++ b/backport-stat-util-introduce-stat-fd-_verify_linked.patch 
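Review bot: The zero-variant `continue` added in event_log_calculate_component_combinations sits after the `SSIZE_MAX/count` overflow check, and its comment `/* If no variant, this will lead to count being 0 and sigfpe */` does not say that the fault would come from that division on the following component rather than from the multiplication itself; placing the check before the overflow test and rewording it to `/* Skip components without variants: they add no combinations, and a zero count would make the SSIZE_MAX/count check divide by zero on the next component. */` makes the invariant (count is never 0) explicit. The `log_notice` added in event_log_map_components only states that a component has no variants; since such a component now contributes nothing to the predicted PCR values or the resulting policy, the message should say so, e.g. `"Component '%s' has no defined variants, ignoring it for prediction."`. The new lines in testsuite-70.pcrlock.sh only run `predict`, whereas the commit message also shows `make-policy` writing an all-zero policy digest to the NV index for the same input, so a `make-policy` run (if the test environment permits it) or a check that the written digest is non-zero would cover the more consequential case. The early-return recursion added in event_log_predict_pcrs with `component_index + 1` relies on the base case for the end of the component array, which is outside the hunk, as is the start of that function.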
@@ -0,0 +1,90 @@
+From 8b2df85a80c85f8b69fde0154f3870e0dbdcf9b1 Mon Sep 17 00:00:00 2001
+From: Yu Watanabe
+Date: Thu, 15 Feb 2024 19:16:36 +0900
+Subject: [PATCH 0555/1160] stat-util: introduce {stat,fd}_verify_linked()
+
+(cherry picked from commit a6d0cf939c6aa7c7133122b62e3dd0048bb32e34)
+---
+ src/basic/stat-util.c | 20 ++++++++++++++++++++
+ src/basic/stat-util.h | 3 +++
+ src/test/test-stat-util.c | 19 +++++++++++++++++++
+ 3 files changed, 42 insertions(+)
+
+diff --git a/src/basic/stat-util.c b/src/basic/stat-util.c
+index 3fba3de971..581370d3a1 100644
+--- a/src/basic/stat-util.c
++++ b/src/basic/stat-util.c
+@@ -262,6 +262,26 @@ int path_is_network_fs(const char *path) {
+ return is_network_fs(&s);
+ }
+
++int stat_verify_linked(const struct stat *st) {
++ assert(st);
++
++ if (st->st_nlink <= 0)
++ return -EIDRM; /* recognizable error. */
++
++ return 0;
++}
++
++int fd_verify_linked(int fd) {
++ struct stat st;
++
++ assert(fd >= 0);
++
++ if (fstat(fd, &st) < 0)
++ return -errno;
++
++ return stat_verify_linked(&st);
++}
++
+ int stat_verify_regular(const struct stat *st) {
+ assert(st);
+
+diff --git a/src/basic/stat-util.h b/src/basic/stat-util.h
+index ae0aaf8f51..3501406e7a 100644
+--- a/src/basic/stat-util.h
++++ b/src/basic/stat-util.h
+@@ -71,6 +71,9 @@ int path_is_network_fs(const char *path);
+ */
+ #define F_TYPE_EQUAL(a, b) (a == (typeof(a)) b)
+
++int stat_verify_linked(const struct stat *st);
++int fd_verify_linked(int fd);
++
+ int stat_verify_regular(const struct stat *st);
+ int fd_verify_regular(int fd);
+ int verify_regular_at(int dir_fd, const char *path, bool follow);
+diff --git a/src/test/test-stat-util.c b/src/test/test-stat-util.c
+index 5aca207fa4..8d7fd5b2eb 100644
+--- a/src/test/test-stat-util.c
++++ b/src/test/test-stat-util.c
+@@ -180,6 +180,25 @@ TEST(dir_is_empty) {
+ assert_se(dir_is_empty_at(AT_FDCWD, empty_dir, /* ignore_hidden_or_backup= */ false) > 0);
+ }
+
++TEST(fd_verify_linked) {
++ _cleanup_(rm_rf_physical_and_freep) char *t = NULL;
++ _cleanup_close_ int tfd = -EBADF, fd = -EBADF;
++ _cleanup_free_ char *p = NULL;
++
++ tfd = mkdtemp_open(NULL, O_PATH, &t);
++ assert_se(tfd >= 0);
++
++ assert_se(p = path_join(t, "hoge"));
++ assert_se(touch(p) >= 0);
++
++ fd = open(p, O_CLOEXEC | O_PATH);
++ assert_se(fd >= 0);
++
++ assert_se(fd_verify_linked(fd) >= 0);
++ assert_se(unlinkat(tfd, "hoge", 0) >= 0);
++ assert_se(fd_verify_linked(fd) == -EIDRM);
++}
++
+ static int intro(void) {
+ log_show_color(true);
+ return EXIT_SUCCESS;
+-- 
+2.33.0
+
diff --git a/backport-stat-util-rebreak-comment.patch b/backport-stat-util-rebreak-comment.patch
new file mode 100644
index 0000000..8b0e340
--- /dev/null
+++ b/backport-stat-util-rebreak-comment.patch
@@ -0,0 +1,28 @@
+From 93d687888a28d9cd2b88e0116188c9d66d2d31d3 Mon Sep 17 00:00:00 2001
+From: Yu Watanabe
+Date: Thu, 15 Feb 2024 19:16:16 +0900
+Subject: [PATCH 0554/1160] stat-util: rebreak comment
+
+(cherry picked from commit dd7fa015a62385c63daf6152853bb444d63fd9ba)
+---
+ src/basic/stat-util.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/basic/stat-util.c b/src/basic/stat-util.c
+index 6f719ddd1c..3fba3de971 100644
+--- a/src/basic/stat-util.c
++++ b/src/basic/stat-util.c
+@@ -265,8 +265,8 @@ int path_is_network_fs(const char *path) {
+ int stat_verify_regular(const struct stat *st) {
+ assert(st);
+
+- /* Checks whether the specified stat() structure refers to a regular file. If not returns an appropriate error
+- * code. */
++ /* Checks whether the specified stat() structure refers to a regular file. If not returns an
++ * appropriate error code. */
+
+ if (S_ISDIR(st->st_mode))
+ return -EISDIR;
+-- 
+2.33.0
+
diff --git a/backport-stdio-bridge-fix-polled-fds.patch b/backport-stdio-bridge-fix-polled-fds.patch
new file mode 100644
index 0000000..9c352ce
--- /dev/null
+++ b/backport-stdio-bridge-fix-polled-fds.patch
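Review bot: `if (st->st_nlink <= 0)` in the new stat_verify_linked() compares `nlink_t`, an unsigned type on glibc, against zero with `<=`, which reads as though a negative link count were possible; `if (st->st_nlink == 0)` states the actual condition. The helper also carries no comment describing its contract, so a header such as `/* Checks whether the inode described by the stat() structure is still linked into the file system, i.e. has not been unlinked since it was opened. Returns -EIDRM (a recognizable error) when its link count is zero. */` would help callers choose between it and the *_verify_regular() family below it. It is worth stating as a caveat that a zero link count only detects unlinking: an inode that was renamed away from, or hard-linked elsewhere and then unlinked at, its original path keeps a non-zero count, so a caller that must know the fd still refers to a given path has to compare st_dev/st_ino against a fresh stat() of that path as well. The new TEST(fd_verify_linked) exercises only the unlink case, which matches what the helper promises.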
@@ -0,0 +1,38 @@
+From fb92304041cd203d2ca84cc28721dea5e1355c4e Mon Sep 17 00:00:00 2001
+From: Jacob McNamee
+Date: Tue, 7 Jan 2025 03:29:31 -0800
+Subject: [PATCH 1078/1160] stdio-bridge: fix polled fds
+
+Poll fds associated with the bus instead of hardcoding stdin/stdout.
+
+This is consequential under socket activation, when the provided fd
+should be used instead of stdin/stdout.
+
+(cherry picked from commit 9d1c28b2d8422df700e7d94339ac6052a6755c6c)
+(cherry picked from commit 59f5a4323468befbdca2bae7907219eaf8852f9a)
+(cherry picked from commit a398d18e797d5b4dec6d265e753f8b688ffcd570)
+(cherry picked from commit 0ae29e637c76a41d6e0ddf9f41d4c5e46b398d92)
+---
+ src/stdio-bridge/stdio-bridge.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/stdio-bridge/stdio-bridge.c b/src/stdio-bridge/stdio-bridge.c
+index fe551cfaea..4ed24a40bc 100644
+--- a/src/stdio-bridge/stdio-bridge.c
++++ b/src/stdio-bridge/stdio-bridge.c
+@@ -238,9 +238,9 @@ static int run(int argc, char *argv[]) {
+ t = usec_sub_unsigned(MIN(timeout_a, timeout_b), now(CLOCK_MONOTONIC));
+
+ struct pollfd p[3] = {
+- { .fd = fd, .events = events_a },
+- { .fd = STDIN_FILENO, .events = events_b & POLLIN },
+- { .fd = STDOUT_FILENO, .events = events_b & POLLOUT },
++ { .fd = fd, .events = events_a },
++ { .fd = in_fd, .events = events_b & POLLIN },
++ { .fd = out_fd, .events = events_b & POLLOUT },
+ };
+
+ r = ppoll_usec(p, ELEMENTSOF(p), t);
+-- 
+2.33.0
+
diff --git a/backport-storagetm-always-hash-stat.st_mode.patch b/backport-storagetm-always-hash-stat.st_mode.patch
new file mode 100644
index 0000000..855d587
--- /dev/null
+++ b/backport-storagetm-always-hash-stat.st_mode.patch
@@ -0,0 +1,32 @@
+From 7316ec5bd026ba52e13be74416290af71016a74e Mon Sep 17 00:00:00 2001
+From: Yu Watanabe
+Date: Wed, 3 Jan 2024 05:07:40 +0900
+Subject: [PATCH 0173/1160] storagetm: always hash stat.st_mode
+
+To make the hash function consistent with the compare function.
+
+(cherry picked from commit 30c1cded77b8b0456c8793a7b3ce0ffe00a798ff)
+---
+ src/storagetm/storagetm.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/src/storagetm/storagetm.c b/src/storagetm/storagetm.c
+index ae63baaf79..d4869afd17 100644
+--- a/src/storagetm/storagetm.c
++++ b/src/storagetm/storagetm.c
+@@ -788,9 +788,10 @@ typedef struct Context {
+ static void device_hash_func(const struct stat *q, struct siphash *state) {
+ assert(q);
+
++ mode_t m = q->st_mode & S_IFMT;
++ siphash24_compress(&m, sizeof(m), state);
++
+ if (S_ISBLK(q->st_mode) || S_ISCHR(q->st_mode)) {
+- mode_t m = q->st_mode & S_IFMT;
+- siphash24_compress(&m, sizeof(m), state);
+ siphash24_compress(&q->st_rdev, sizeof(q->st_rdev), state);
+ return;
+ }
+-- 
+2.33.0
+
diff --git a/backport-storagetm-fix-use-of-wrong-stat-element.patch b/backport-storagetm-fix-use-of-wrong-stat-element.patch
new file mode 100644
index 0000000..9d9683b
--- /dev/null
+++ b/backport-storagetm-fix-use-of-wrong-stat-element.patch
@@ -0,0 +1,26 @@
+From fae7359778b60fd191ea15cf6d6c599bb75e3fa6 Mon Sep 17 00:00:00 2001
+From: Yu Watanabe
+Date: Wed, 3 Jan 2024 05:19:00 +0900
+Subject: [PATCH 0174/1160] storagetm: fix use of wrong stat element
+
+(cherry picked from commit 69f4a87c8c015d356de419aea1bfe54232e15244)
+---
+ src/storagetm/storagetm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/storagetm/storagetm.c b/src/storagetm/storagetm.c
+index d4869afd17..16d4fb07d4 100644
+--- a/src/storagetm/storagetm.c
++++ b/src/storagetm/storagetm.c
+@@ -381,7 +381,7 @@ static int nvme_subsystem_add(const char *node, int consumed_fd, sd_device *devi
+ return log_error_errno(errno, "Failed to fstat '%s': %m", node);
+ if (S_ISBLK(st.st_mode)) {
+ if (!device) {
+- r = sd_device_new_from_devnum(&allocated_device, 'b', st.st_dev);
++ r = sd_device_new_from_devnum(&allocated_device, 'b', st.st_rdev);
+ if (r < 0)
+ return log_error_errno(r, "Failed to get device information for device '%s': %m", node);
+
+-- 
+2.33.0
+
diff --git a/backport-strbuf-use-GREEDY_REALLOC-to-grow-the-buffer.patch b/backport-strbuf-use-GREEDY_REALLOC-to-grow-the-buffer.patch
new file mode 100644
index 0000000..0838b0d
--- /dev/null
+++ b/backport-strbuf-use-GREEDY_REALLOC-to-grow-the-buffer.patch
@@ -0,0 +1,85 @@ +From aa0dd89d3faebce3b051f1c63bb234ea8777dd60 Mon Sep 17 00:00:00 2001 +From: q66 +Date: Thu, 6 Jun 2024 13:45:48 +0200 +Subject: [PATCH 0691/1160] strbuf: use GREEDY_REALLOC to grow the buffer + +This allows us to reserve a bunch of capacity ahead of time, +improving the performance of hwdb significantly thanks to not +having to reallocate so many times. + +Before: +``` +$ sudo time valgrind --leak-check=full ./systemd-hwdb update +==113297== Memcheck, a memory error detector +==113297== Copyright (C) 2002-2024, and GNU GPL'd, by Julian Seward et al. +==113297== Using Valgrind-3.23.0 and LibVEX; rerun with -h for copyright info +==113297== Command: ./systemd-hwdb update +==113297== +==113297== +==113297== HEAP SUMMARY: +==113297== in use at exit: 0 bytes in 0 blocks +==113297== total heap usage: 1,412,640 allocs, 1,412,640 frees, 117,920,009,195 bytes allocated +==113297== +==113297== All heap blocks were freed -- no leaks are possible +==113297== +==113297== For lists of detected and suppressed errors, rerun with: -s +==113297== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0) +132.44user 21.15system 2:35.61elapsed 98%CPU (0avgtext+0avgdata 228560maxresident)k +0inputs+25296outputs (0major+6886930minor)pagefaults 0swaps +``` + +After: +``` +$ sudo time valgrind --leak-check=full ./systemd-hwdb update +==112572== Memcheck, a memory error detector +==112572== Copyright (C) 2002-2024, and GNU GPL'd, by Julian Seward et al. 
+==112572== Using Valgrind-3.23.0 and LibVEX; rerun with -h for copyright info +==112572== Command: ./systemd-hwdb update +==112572== +==112572== +==112572== HEAP SUMMARY: +==112572== in use at exit: 0 bytes in 0 blocks +==112572== total heap usage: 1,320,113 allocs, 1,320,113 frees, 70,614,501 bytes allocated +==112572== +==112572== All heap blocks were freed -- no leaks are possible +==112572== +==112572== For lists of detected and suppressed errors, rerun with: -s +==112572== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0) +21.94user 0.19system 0:22.23elapsed 99%CPU (0avgtext+0avgdata 229876maxresident)k +0inputs+25264outputs (0major+57275minor)pagefaults 0swaps +``` + +Co-authored-by: Yu Watanabe +(cherry picked from commit 621b10fe2c3203c537996e84c7c89b0ff994ad93) +(cherry picked from commit 514ef0f93b76cbe0ba6b4de07a7b21fd0c2b7bae) +--- + src/basic/strbuf.c | 5 +---- + 1 file changed, 1 insertion(+), 4 deletions(-) + +diff --git a/src/basic/strbuf.c b/src/basic/strbuf.c +index 0617acc8d2..6d43955bb1 100644 +--- a/src/basic/strbuf.c ++++ b/src/basic/strbuf.c +@@ -107,7 +107,6 @@ static void bubbleinsert(struct strbuf_node *node, + /* add string, return the index/offset into the buffer */ + ssize_t strbuf_add_string(struct strbuf *str, const char *s, size_t len) { + uint8_t c; +- char *buf_new; + struct strbuf_child_entry *child; + struct strbuf_node *node; + ssize_t off; +@@ -147,10 +146,8 @@ ssize_t strbuf_add_string(struct strbuf *str, const char *s, size_t len) { + } + + /* add new string */ +- buf_new = realloc(str->buf, str->len + len+1); +- if (!buf_new) ++ if (!GREEDY_REALLOC(str->buf, str->len + len + 1)) + return -ENOMEM; +- str->buf = buf_new; + off = str->len; + memcpy(str->buf + off, s, len); + str->len += len; +-- +2.33.0 + diff --git a/backport-strv-introduce-strv_copy_unless_empty.patch b/backport-strv-introduce-strv_copy_unless_empty.patch new file mode 100644 index 0000000..08043a6 --- /dev/null 
+++ b/backport-strv-introduce-strv_copy_unless_empty.patch @@ -0,0 +1,54 @@ +From 24513d016b4278903240e192759d6d6bcc4954da Mon Sep 17 00:00:00 2001 +From: Ludwig Nussel +Date: Tue, 9 Jan 2024 17:31:01 +0100 +Subject: [PATCH 0153/1160] strv: introduce strv_copy_unless_empty() + +(cherry picked from commit 5058bd7e1f0ae226d835253fcf333da3ab8d2806) +--- + src/basic/strv.c | 16 ++++++++++++++++ + src/basic/strv.h | 2 ++ + 2 files changed, 18 insertions(+) + +diff --git a/src/basic/strv.c b/src/basic/strv.c +index c2109d35bc..1065e1bcde 100644 +--- a/src/basic/strv.c ++++ b/src/basic/strv.c +@@ -123,6 +123,22 @@ char** strv_copy_n(char * const *l, size_t m) { + return TAKE_PTR(result); + } + ++int strv_copy_unless_empty(char * const *l, char ***ret) { ++ assert(ret); ++ ++ if (strv_isempty(l)) { ++ *ret = NULL; ++ return 0; ++ } ++ ++ char **copy = strv_copy(l); ++ if (!copy) ++ return -ENOMEM; ++ ++ *ret = TAKE_PTR(copy); ++ return 1; ++} ++ + size_t strv_length(char * const *l) { + size_t n = 0; + +diff --git a/src/basic/strv.h b/src/basic/strv.h +index fec2616733..03089d5498 100644 +--- a/src/basic/strv.h ++++ b/src/basic/strv.h +@@ -38,6 +38,8 @@ char** strv_copy_n(char * const *l, size_t n); + static inline char** strv_copy(char * const *l) { + return strv_copy_n(l, SIZE_MAX); + } ++int strv_copy_unless_empty(char * const *l, char ***ret); ++ + size_t strv_length(char * const *l) _pure_; + + int strv_extend_strv(char ***a, char * const *b, bool filter_duplicates); +-- +2.33.0 + diff --git a/backport-stub-allocate-and-zero-enough-space-in-legacy-x86-ha.patch b/backport-stub-allocate-and-zero-enough-space-in-legacy-x86-ha.patch new file mode 100644 index 0000000..45c3cd7 --- /dev/null +++ b/backport-stub-allocate-and-zero-enough-space-in-legacy-x86-ha.patch 
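Review bot: The strv_copy_unless_empty() declaration added to strv.h carries no comment on its return contract, which differs from strv_copy() in a way callers will branch on: for an empty or NULL list it stores NULL in *ret and returns 0, on success it returns 1 and hands ownership of the copy to the caller, and it returns -ENOMEM otherwise. I'd put that at the declaration, e.g. `/* Copies l into *ret; returns 0 with *ret = NULL if l is empty, 1 on success (caller frees), -ENOMEM on failure. */`, so the 0/1 distinction is not something the reader has to dig out of strv.c.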
@@ -0,0 +1,168 @@ +From 7941c6020567f4c4fb6561575aa5e902a5306038 Mon Sep 17 00:00:00 2001 +From: Luca Boccassi +Date: Wed, 31 Jul 2024 01:45:06 +0100 +Subject: [PATCH 0817/1160] stub: allocate and zero enough space in legacy x86 + handover protocol + +A PE image's memory footprint might be larger than its file size due +to uninitialized memory sections. Normally all PE headers should be +parsed to check the actual required size, but the legacy EFI handover +protocol is only used for x86 Linux bzImages, so we know only the last +section will require extra memory. Use SizeOfImage from the PE header +and if it is larger than the file size, allocate and zero extra memory +before using it. + +Fixes https://github.com/systemd/systemd/issues/33816 + +(cherry picked from commit 19812661f1f65ebe777d1626b5abf6475faababc) +(cherry picked from commit 84111f8916340e3e67d8166eb1d9938da94ce669) +--- + src/boot/efi/boot.c | 2 +- + src/boot/efi/linux.c | 6 ++++-- + src/boot/efi/linux.h | 3 ++- + src/boot/efi/linux_x86.c | 19 +++++++++++++++---- + src/boot/efi/pe.c | 7 ++++++- + src/boot/efi/pe.h | 2 +- + 6 files changed, 29 insertions(+), 10 deletions(-) + +diff --git a/src/boot/efi/boot.c b/src/boot/efi/boot.c +index c047fcdfd4..0907733c43 100644 +--- a/src/boot/efi/boot.c ++++ b/src/boot/efi/boot.c +@@ -2391,7 +2391,7 @@ static EFI_STATUS image_start( + if (err == EFI_UNSUPPORTED && entry->type == LOADER_LINUX) { + uint32_t compat_address; + +- err = pe_kernel_info(loaded_image->ImageBase, &compat_address); ++ err = pe_kernel_info(loaded_image->ImageBase, &compat_address, /* ret_size_in_memory= */ NULL); + if (err != EFI_SUCCESS) { + if (err != EFI_UNSUPPORTED) + return log_error_status(err, "Error finding kernel compat entry address: %m"); +diff --git a/src/boot/efi/linux.c b/src/boot/efi/linux.c +index 65bc176df7..c8e595188b 100644 +--- a/src/boot/efi/linux.c ++++ b/src/boot/efi/linux.c +@@ -98,6 +98,7 @@ EFI_STATUS linux_exec( + const void *initrd_buffer, + size_t 
initrd_length) { + ++ size_t kernel_size_in_memory = 0; + uint32_t compat_address; + EFI_STATUS err; + +@@ -105,7 +106,7 @@ EFI_STATUS linux_exec( + assert(linux_buffer && linux_length > 0); + assert(initrd_buffer || initrd_length == 0); + +- err = pe_kernel_info(linux_buffer, &compat_address); ++ err = pe_kernel_info(linux_buffer, &compat_address, &kernel_size_in_memory); + #if defined(__i386__) || defined(__x86_64__) + if (err == EFI_UNSUPPORTED) + /* Kernel is too old to support LINUX_INITRD_MEDIA_GUID, try the deprecated EFI handover +@@ -116,7 +117,8 @@ EFI_STATUS linux_exec( + linux_buffer, + linux_length, + initrd_buffer, +- initrd_length); ++ initrd_length, ++ kernel_size_in_memory); + #endif + if (err != EFI_SUCCESS) + return log_error_status(err, "Bad kernel image: %m"); +diff --git a/src/boot/efi/linux.h b/src/boot/efi/linux.h +index 46b5f4f4d7..0d74c6a3a7 100644 +--- a/src/boot/efi/linux.h ++++ b/src/boot/efi/linux.h +@@ -16,4 +16,5 @@ EFI_STATUS linux_exec_efi_handover( + const void *linux_buffer, + size_t linux_length, + const void *initrd_buffer, +- size_t initrd_length); ++ size_t initrd_length, ++ size_t kernel_size_in_memory); +diff --git a/src/boot/efi/linux_x86.c b/src/boot/efi/linux_x86.c +index 757902daac..3e42361812 100644 +--- a/src/boot/efi/linux_x86.c ++++ b/src/boot/efi/linux_x86.c +@@ -13,6 +13,7 @@ + #include "initrd.h" + #include "linux.h" + #include "macro-fundamental.h" ++#include "memory-util-fundamental.h" + #include "util.h" + + #define KERNEL_SECTOR_SIZE 512u +@@ -126,7 +127,8 @@ EFI_STATUS linux_exec_efi_handover( + const void *linux_buffer, + size_t linux_length, + const void *initrd_buffer, +- size_t initrd_length) { ++ size_t initrd_length, ++ size_t kernel_size_in_memory) { + + assert(parent); + assert(linux_buffer); +@@ -153,13 +155,22 @@ EFI_STATUS linux_exec_efi_handover( + FLAGS_SET(image_params->hdr.xloadflags, XLF_CAN_BE_LOADED_ABOVE_4G); + + /* There is no way to pass the high bits of code32_start. 
Newer kernels seems to handle this +- * just fine, but older kernels will fail even if they otherwise have above 4G boot support. */ ++ * just fine, but older kernels will fail even if they otherwise have above 4G boot support. ++ * A PE image's memory footprint can be larger than its file size, due to unallocated virtual ++ * memory sections. While normally all PE headers should be taken into account, this case only ++ * involves x86 Linux bzImage kernel images, for which unallocated areas are only part of the last ++ * header, so parsing SizeOfImage and zeroeing the buffer past the image size is enough. */ + _cleanup_pages_ Pages linux_relocated = {}; +- if (POINTER_TO_PHYSICAL_ADDRESS(linux_buffer) + linux_length > UINT32_MAX) { ++ if (POINTER_TO_PHYSICAL_ADDRESS(linux_buffer) + linux_length > UINT32_MAX || kernel_size_in_memory > linux_length) { + linux_relocated = xmalloc_pages( +- AllocateMaxAddress, EfiLoaderCode, EFI_SIZE_TO_PAGES(linux_length), UINT32_MAX); ++ AllocateMaxAddress, ++ EfiLoaderCode, ++ EFI_SIZE_TO_PAGES(kernel_size_in_memory > linux_length ? 
kernel_size_in_memory : linux_length), ++ UINT32_MAX); + linux_buffer = memcpy( + PHYSICAL_ADDRESS_TO_POINTER(linux_relocated.addr), linux_buffer, linux_length); ++ if (kernel_size_in_memory > linux_length) ++ memzero((uint8_t *) linux_buffer + linux_length, kernel_size_in_memory - linux_length); + } + + _cleanup_pages_ Pages initrd_relocated = {}; +diff --git a/src/boot/efi/pe.c b/src/boot/efi/pe.c +index 829266b7f5..fdca0c93fe 100644 +--- a/src/boot/efi/pe.c ++++ b/src/boot/efi/pe.c +@@ -209,7 +209,7 @@ static uint32_t get_compatibility_entry_address(const DosFileHeader *dos, const + return 0; + } + +-EFI_STATUS pe_kernel_info(const void *base, uint32_t *ret_compat_address) { ++EFI_STATUS pe_kernel_info(const void *base, uint32_t *ret_compat_address, size_t *ret_size_in_memory) { + assert(base); + assert(ret_compat_address); + +@@ -221,6 +221,11 @@ EFI_STATUS pe_kernel_info(const void *base, uint32_t *ret_compat_address) { + if (!verify_pe(pe, /* allow_compatibility= */ true)) + return EFI_LOAD_ERROR; + ++ /* When allocating we need to also consider the virtual/uninitialized data sections, so parse it out ++ * of the SizeOfImage field in the PE header and return it */ ++ if (ret_size_in_memory) ++ *ret_size_in_memory = pe->OptionalHeader.SizeOfImage; ++ + /* Support for LINUX_INITRD_MEDIA_GUID was added in kernel stub 1.0. */ + if (pe->OptionalHeader.MajorImageVersion < 1) + return EFI_UNSUPPORTED; +diff --git a/src/boot/efi/pe.h b/src/boot/efi/pe.h +index 7e2258fceb..860cfe5e27 100644 +--- a/src/boot/efi/pe.h ++++ b/src/boot/efi/pe.h +@@ -16,4 +16,4 @@ EFI_STATUS pe_file_locate_sections( + size_t *offsets, + size_t *sizes); + +-EFI_STATUS pe_kernel_info(const void *base, uint32_t *ret_compat_address); ++EFI_STATUS pe_kernel_info(const void *base, uint32_t *ret_compat_address, size_t *ret_size_in_memory); +-- +2.33.0 + 
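Review bot: In linux_exec_efi_handover() the new kernel_size_in_memory is used as the allocation size whenever it exceeds linux_length, and it is copied verbatim from OptionalHeader.SizeOfImage in pe_kernel_info() without any plausibility check, so a corrupted or crafted bzImage header can demand an allocation of up to 4 GiB below the 4 GiB boundary; what xmalloc_pages() does when that fails is not visible here, but a clear EFI_LOAD_ERROR before the copy would be better than an allocator failure or abort mid-handover. I'd have pe_kernel_info() reject a SizeOfImage smaller than SizeOfHeaders, and have the handover path refuse a footprint that is implausibly larger than the file (a fixed multiple of linux_length would do) rather than trusting the header outright. As a style point, `EFI_SIZE_TO_PAGES(MAX(kernel_size_in_memory, linux_length))` reads better than the inline ternary, since macro-fundamental.h is already included, and the paragraph about the PE memory footprint should be its own comment instead of being appended to the one about code32_start's high bits. Note also that pe_kernel_info() fills *ret_size_in_memory before the MajorImageVersion check returns EFI_UNSUPPORTED, which is exactly what the fallback in linux_exec() relies on; a one-line comment there would stop someone from reordering it. linux_exec_efi_handover() continues past the end of this hunk.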
diff --git a/backport-stub-drop-PE-sections-parsing-cap.patch b/backport-stub-drop-PE-sections-parsing-cap.patch new file mode 100644 index 0000000..10bde31 --- /dev/null +++ b/backport-stub-drop-PE-sections-parsing-cap.patch @@ -0,0 +1,42 @@ +From e79cea6fbef5bf471f82fc3b8786d319b98bbdd8 Mon Sep 17 00:00:00 2001 +From: Luca Boccassi +Date: Fri, 10 Jan 2025 21:02:55 +0000 +Subject: [PATCH 1087/1160] stub: drop PE sections parsing cap + +This was added originally as it was thought that Windows applied +the same cap. Nowadays the specs do not mention it, and it is +believed Windows no longer applies it either, so drop it in order +to allow an arbitrary number of DTBs to be included + +Fixes https://github.com/systemd/systemd/issues/35943 + +(cherry picked from commit 8c5b359579b0f1029edafb0bd96b5ebfb271db76) +(cherry picked from commit 95184817cb3ac3d3d2582496ccbfc3802cc0f245) +(cherry picked from commit 5cbe2b8e9e247670cdebed1cc9bd1d7144ca0cca) +--- + src/boot/efi/pe.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/src/boot/efi/pe.c b/src/boot/efi/pe.c +index fdca0c93fe..e3c568914a 100644 +--- a/src/boot/efi/pe.c ++++ b/src/boot/efi/pe.c +@@ -5,7 +5,6 @@ + + #define DOS_FILE_MAGIC "MZ" + #define PE_FILE_MAGIC "PE\0\0" +-#define MAX_SECTIONS 96 + + #if defined(__i386__) + # define TARGET_MACHINE_TYPE 0x014CU +@@ -130,7 +129,6 @@ static bool verify_pe(const PeFileHeader *pe, bool allow_compatibility) { + (pe->FileHeader.Machine == TARGET_MACHINE_TYPE || + (allow_compatibility && pe->FileHeader.Machine == TARGET_MACHINE_TYPE_COMPATIBILITY)) && + pe->FileHeader.NumberOfSections > 0 && +- pe->FileHeader.NumberOfSections <= MAX_SECTIONS && + IN_SET(pe->OptionalHeader.Magic, OPTHDR32_MAGIC, OPTHDR64_MAGIC); + } + +-- +2.33.0 + diff --git a/backport-stub-get-uname-from-image-before-loading-addons.patch b/backport-stub-get-uname-from-image-before-loading-addons.patch new file mode 100644 index 0000000..fe45d91 --- /dev/null 
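Review bot: Removing `pe->FileHeader.NumberOfSections <= MAX_SECTIONS` from verify_pe() also removes the only bound this validator put on the section table, so NumberOfSections may now be any 16-bit value; the image loaded by the firmware has had its headers checked by the firmware's PE loader, but files parsed from disk through pe_file_locate_sections() need the section table bounded against SizeOfHeaders and the bytes actually read before the table is walked, or a crafted addon or kernel can push the reader past its buffer. If that bound lives elsewhere in pe.c it is not visible in this hunk; if it does not, a check that NumberOfSections times the section-header size fits inside SizeOfHeaders (minus the offset of the table) belongs in verify_pe() in place of the fixed cap. verify_pe() begins before this hunk.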
+++ b/backport-stub-get-uname-from-image-before-loading-addons.patch 
@@ -0,0 +1,44 @@ +From acee605f2edb0170c10b6cc7c736324085a956ff Mon Sep 17 00:00:00 2001 +From: Antonio Alvarez Feijoo +Date: Fri, 19 Apr 2024 11:29:31 +0200 +Subject: [PATCH 0506/1160] stub: get uname from image before loading addons + +Otherwise uname is always NULL before calling `load_addons()`, so it's not being +checked if .uname matches between addons and UKI. + +Fixes 68f85761e2eb1fd2243019980a64b174f07432c3 + +(cherry picked from commit 2f49ed9a01014f9704409edb70f217d3fa94e383) +--- + src/boot/efi/stub.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/src/boot/efi/stub.c b/src/boot/efi/stub.c +index 7ef3e76544..0d9df7eb28 100644 +--- a/src/boot/efi/stub.c ++++ b/src/boot/efi/stub.c +@@ -540,6 +540,10 @@ static EFI_STATUS run(EFI_HANDLE image) { + CLEANUP_ARRAY(dt_filenames_addons_global, n_dts_addons_global, dt_filenames_free); + CLEANUP_ARRAY(dt_filenames_addons_uki, n_dts_addons_uki, dt_filenames_free); + ++ if (szs[UNIFIED_SECTION_UNAME] > 0) ++ uname = xstrndup8((char *)loaded_image->ImageBase + addrs[UNIFIED_SECTION_UNAME], ++ szs[UNIFIED_SECTION_UNAME]); ++ + /* Now that we have the UKI sections loaded, also load global first and then local (per-UKI) + * addons. The data is loaded at once, and then used later. */ + err = load_addons( +@@ -614,10 +618,6 @@ static EFI_STATUS run(EFI_HANDLE image) { + /* Show splash screen as early as possible */ + graphics_splash((const uint8_t*) loaded_image->ImageBase + addrs[UNIFIED_SECTION_SPLASH], szs[UNIFIED_SECTION_SPLASH]); + +- if (szs[UNIFIED_SECTION_UNAME] > 0) +- uname = xstrndup8((char *)loaded_image->ImageBase + addrs[UNIFIED_SECTION_UNAME], +- szs[UNIFIED_SECTION_UNAME]); +- + if (use_load_options(image, loaded_image, szs[UNIFIED_SECTION_CMDLINE] > 0, &cmdline)) { + /* Let's measure the passed kernel command line into the TPM. Note that this possibly + * duplicates what we already did in the boot menu, if that was already used. However, since +-- +2.33.0 + 
diff --git a/backport-systemctl-allow-user-to-suppress-output-when-no-acti.patch b/backport-systemctl-allow-user-to-suppress-output-when-no-acti.patch
new file mode 100644
index 0000000..8240ec3
--- /dev/null
+++ b/backport-systemctl-allow-user-to-suppress-output-when-no-acti.patch
@@ -0,0 +1,27 @@
+From fcac940ccc714086238f02f1a87cddc6743cc997 Mon Sep 17 00:00:00 2001
+From: MaxHearnden
+Date: Thu, 18 Apr 2024 01:44:22 +0100
+Subject: [PATCH 0503/1160] systemctl: allow user to suppress output when no
+ action scheduled (#32278)
+
+(cherry picked from commit bccd7be32854d3ca3c7638f0cd4c44539fa0dcee)
+---
+ src/systemctl/systemctl-logind.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/systemctl/systemctl-logind.c b/src/systemctl/systemctl-logind.c
+index 268e528856..7f97325f26 100644
+--- a/src/systemctl/systemctl-logind.c
++++ b/src/systemctl/systemctl-logind.c
+@@ -392,7 +392,7 @@ int logind_show_shutdown(void) {
+ return r;
+
+ if (isempty(action))
+- return log_error_errno(SYNTHETIC_ERRNO(ENODATA), "No scheduled shutdown.");
++ return log_full_errno(arg_quiet ? LOG_DEBUG : LOG_ERR, SYNTHETIC_ERRNO(ENODATA), "No scheduled shutdown.");
+
+ if (STR_IN_SET(action, "halt", "poweroff", "exit"))
+ pretty_action = "Shutdown";
+--
+2.33.0
+
diff --git a/backport-systemctl-also-grey-out-useful-hints-in-output-since.patch b/backport-systemctl-also-grey-out-useful-hints-in-output-since.patch
new file mode 100644
index 0000000..f1b3b3c
--- /dev/null
+++ b/backport-systemctl-also-grey-out-useful-hints-in-output-since.patch
@@ -0,0 +1,38 @@ +From 8c198306909aba5495f5c8473469ea703d8a999d Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Mon, 20 Nov 2023 13:00:23 +0100 +Subject: [PATCH 0010/1160] systemctl: also grey out useful hints in output, + since no primary contents shown here + +(cherry picked from commit 9b8b1d8b6bf4dcef2859f17878b983d13351000e) +--- + src/systemctl/systemctl-list-units.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +diff --git a/src/systemctl/systemctl-list-units.c b/src/systemctl/systemctl-list-units.c +index e48cf45333..fbc04b7cb0 100644 +--- a/src/systemctl/systemctl-list-units.c ++++ b/src/systemctl/systemctl-list-units.c +@@ -214,12 +214,14 @@ static int output_units_list(const UnitInfo *unit_infos, size_t c) { + + if (arg_all || strv_contains(arg_states, "inactive")) + printf("%s%zu loaded units listed.%s\n" +- "To show all installed unit files use 'systemctl list-unit-files'.\n", +- on, records, off); ++ "%sTo show all installed unit files use 'systemctl list-unit-files'.%s\n", ++ on, records, off, ++ ansi_grey(), ansi_normal()); + else if (!arg_states) +- printf("%s%zu loaded units listed.%s Pass --all to see loaded but inactive units, too.\n" +- "To show all installed unit files use 'systemctl list-unit-files'.\n", +- on, records, off); ++ printf("%s%zu loaded units listed.%s %sPass --all to see loaded but inactive units, too.%s\n" ++ "%sTo show all installed unit files use 'systemctl list-unit-files'.%s\n", ++ on, records, off, ++ ansi_grey(), ansi_normal(), ansi_grey(), ansi_normal()); + else + printf("%zu loaded units listed.\n", records); + } +-- +2.33.0 + diff --git a/backport-systemctl-configure-boot-loader-options-only-when-go.patch b/backport-systemctl-configure-boot-loader-options-only-when-go.patch new file mode 100644 index 0000000..c6413a8 --- /dev/null +++ b/backport-systemctl-configure-boot-loader-options-only-when-go.patch 
@@ -0,0 +1,123 @@ +From b6b59ce2dbe87a52be9155d03f18010382ab68a7 Mon Sep 17 00:00:00 2001 +From: Mike Yuan +Date: Wed, 20 Dec 2023 21:25:27 +0800 +Subject: [PATCH 0171/1160] systemctl: configure boot loader options only when + going through firmware + +Fixes #30497 + +(cherry picked from commit bc9e592c4f01dd8a4f8fb5e2bbcdec5ee4bf129d) +--- + man/systemctl.xml | 25 +++++++++++---------- + src/systemctl/systemctl-start-special.c | 29 ++++++++++++------------- + 2 files changed, 28 insertions(+), 26 deletions(-) + +diff --git a/man/systemctl.xml b/man/systemctl.xml +index 1d791b44fd..25b6e46c60 100644 +--- a/man/systemctl.xml ++++ b/man/systemctl.xml +@@ -2589,9 +2589,10 @@ Jan 12 10:46:45 example.com bluetoothd[8900]: gatt-time-server: Input/output err + + + +- When used with the reboot command, indicate to the system's firmware to +- reboot into the firmware setup interface. Note that this functionality is not available on all +- systems. ++ When used with the reboot, poweroff, or ++ halt command, indicate to the system's firmware to reboot into the firmware ++ setup interface for the next boot. Note that this functionality is not available on all systems. ++ + + + +@@ -2601,10 +2602,11 @@ Jan 12 10:46:45 example.com bluetoothd[8900]: gatt-time-server: Input/output err + + + +- When used with the reboot command, indicate to the system's boot loader to +- show the boot loader menu on the following boot. Takes a time value as parameter — indicating the +- menu timeout. Pass zero in order to disable the menu timeout. Note that not all boot loaders +- support this functionality. ++ When used with the reboot, poweroff, or ++ halt command, indicate to the system's boot loader to show the boot loader menu ++ on the following boot. Takes a time value as parameter — indicating the menu timeout. Pass zero ++ in order to disable the menu timeout. Note that not all boot loaders support this functionality. 
++ + + + +@@ -2614,10 +2616,11 @@ Jan 12 10:46:45 example.com bluetoothd[8900]: gatt-time-server: Input/output err + + + +- When used with the reboot command, indicate to the system's boot loader to +- boot into a specific boot loader entry on the following boot. Takes a boot loader entry identifier +- as argument, or help in order to list available entries. Note that not all boot +- loaders support this functionality. ++ When used with the reboot, poweroff, or ++ halt command, indicate to the system's boot loader to boot into a specific ++ boot loader entry on the following boot. Takes a boot loader entry identifier as argument, ++ or help in order to list available entries. Note that not all boot loaders ++ support this functionality. + + + +diff --git a/src/systemctl/systemctl-start-special.c b/src/systemctl/systemctl-start-special.c +index d93bffb759..d23ce36bfc 100644 +--- a/src/systemctl/systemctl-start-special.c ++++ b/src/systemctl/systemctl-start-special.c +@@ -121,8 +121,7 @@ static int set_exit_code(uint8_t code) { + } + + int verb_start_special(int argc, char *argv[], void *userdata) { +- bool termination_action; /* An action that terminates the manager, can be performed also by +- * signal. */ ++ bool termination_action; /* An action that terminates the system, can be performed also by signal. 
*/ + enum action a; + int r; + +@@ -140,17 +139,21 @@ int verb_start_special(int argc, char *argv[], void *userdata) { + return r; + } + +- r = prepare_firmware_setup(); +- if (r < 0) +- return r; ++ termination_action = IN_SET(a, ACTION_HALT, ACTION_POWEROFF, ACTION_REBOOT); + +- r = prepare_boot_loader_menu(); +- if (r < 0) +- return r; ++ if (termination_action) { ++ r = prepare_firmware_setup(); ++ if (r < 0) ++ return r; + +- r = prepare_boot_loader_entry(); +- if (r < 0) +- return r; ++ r = prepare_boot_loader_menu(); ++ if (r < 0) ++ return r; ++ ++ r = prepare_boot_loader_entry(); ++ if (r < 0) ++ return r; ++ } + + if (a == ACTION_REBOOT) { + if (arg_reboot_argument) { +@@ -181,10 +184,6 @@ int verb_start_special(int argc, char *argv[], void *userdata) { + return r; + } + +- termination_action = IN_SET(a, +- ACTION_HALT, +- ACTION_POWEROFF, +- ACTION_REBOOT); + if (termination_action && arg_force >= 2) + return halt_now(a); + +-- +2.33.0 + diff --git a/backport-systemctl-do-not-try-to-acquire-triggering-units-for.patch b/backport-systemctl-do-not-try-to-acquire-triggering-units-for.patch new file mode 100644 index 0000000..d571fd5 --- /dev/null +++ b/backport-systemctl-do-not-try-to-acquire-triggering-units-for.patch 
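Review bot: Wrapping prepare_firmware_setup(), prepare_boot_loader_menu() and prepare_boot_loader_entry() in `if (termination_action)` means that --firmware-setup, --boot-loader-menu= and --boot-loader-entry= are now silently dropped for every other action verb_start_special() handles (kexec, soft-reboot, suspend and the like), where before they were applied unconditionally; a user who combines one of them with kexec gets neither an error nor the requested effect. Unless parse_argv() already rejects those combinations, which is not visible here, I'd add an else branch that fails with EINVAL and a message naming reboot, poweroff and halt as the only verbs these options apply to, matching what the man page hunk now documents. The body of verb_start_special() continues past the end of this hunk.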
@@ -0,0 +1,50 @@ +From 633704b50e0181d69ffb1a553233acdd8934ba12 Mon Sep 17 00:00:00 2001 +From: Mike Yuan +Date: Sun, 30 Jun 2024 13:12:45 +0200 +Subject: [PATCH 0766/1160] systemctl: do not try to acquire triggering units + for template units + +(cherry picked from commit 09d6038d833468ba7c24c658597387ef699ca4fd) +(cherry picked from commit f414ca0ee3bed9b67f76a67d8eb569fda99f5fde) +--- + src/systemctl/systemctl-util.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +diff --git a/src/systemctl/systemctl-util.c b/src/systemctl/systemctl-util.c +index 39f556f534..cee6c8467f 100644 +--- a/src/systemctl/systemctl-util.c ++++ b/src/systemctl/systemctl-util.c +@@ -329,14 +329,15 @@ int get_active_triggering_units(sd_bus *bus, const char *unit, bool ignore_maske + if (r < 0) + return r; + ++ if (unit_name_is_valid(name, UNIT_NAME_TEMPLATE)) ++ goto skip; ++ + if (ignore_masked) { + r = unit_is_masked(bus, name); + if (r < 0) + return r; +- if (r > 0) { +- *ret = NULL; +- return 0; +- } ++ if (r > 0) ++ goto skip; + } + + dbus_path = unit_dbus_path_from_name(name); +@@ -372,6 +373,10 @@ int get_active_triggering_units(sd_bus *bus, const char *unit, bool ignore_maske + + *ret = TAKE_PTR(active); + return 0; ++ ++skip: ++ *ret = NULL; ++ return 0; + } + + void warn_triggering_units(sd_bus *bus, const char *unit, const char *operation, bool ignore_masked) { +-- +2.33.0 + diff --git a/backport-systemctl-edit-ignore-ENOENT-from-unit_is_masked.patch b/backport-systemctl-edit-ignore-ENOENT-from-unit_is_masked.patch new file mode 100644 index 0000000..12304f8 --- /dev/null +++ b/backport-systemctl-edit-ignore-ENOENT-from-unit_is_masked.patch 
@@ -0,0 +1,34 @@
+From 8ab5882ca8c2da09ee119ba09e460d21f838e017 Mon Sep 17 00:00:00 2001
+From: Yu Watanabe
+Date: Mon, 16 Dec 2024 12:37:17 +0900
+Subject: [PATCH 1063/1160] systemctl-edit: ignore ENOENT from unit_is_masked()
+
+If a specified unit does not exist, then it is definitely not masked.
+
+Fixes #35632.
+
+(cherry picked from commit b58b00e4c33474505009c8118d6cfdf29a2c6cb1)
+(cherry picked from commit 48b404d546e6cb6d32d9cb346bbd43760311790b)
+(cherry picked from commit 1461f520042dda644a0e9b1795265b72d385b142)
+---
+ src/systemctl/systemctl-edit.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/systemctl/systemctl-edit.c b/src/systemctl/systemctl-edit.c
+index 367afa20f7..c5d8f5ea5b 100644
+--- a/src/systemctl/systemctl-edit.c
++++ b/src/systemctl/systemctl-edit.c
+@@ -344,8 +344,8 @@ int verb_edit(int argc, char *argv[], void *userdata) {
+
+ STRV_FOREACH(tmp, names) {
+ r = unit_is_masked(bus, *tmp);
+- if (r < 0)
+- return r;
++ if (r < 0 && r != -ENOENT)
++ return log_error_errno(r, "Failed to check if unit %s is masked: %m", *tmp);
+ if (r > 0)
+ return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Cannot edit %s: unit is masked.", *tmp);
+ }
+--
+2.33.0
+
diff --git a/backport-systemctl-fix-applying-zero-offset-to-null-pointer-U.patch b/backport-systemctl-fix-applying-zero-offset-to-null-pointer-U.patch
new file mode 100644
index 0000000..1a95050
--- /dev/null
+++ b/backport-systemctl-fix-applying-zero-offset-to-null-pointer-U.patch
@@ -0,0 +1,29 @@
+From 8503ba1f91f20d4a339cd0825a4c416731a0fda7 Mon Sep 17 00:00:00 2001
+From: Yu Watanabe
+Date: Thu, 16 May 2024 00:45:06 +0900
+Subject: [PATCH 0634/1160] systemctl: fix "applying zero offset to null
+ pointer" UBSan error
+
+Fixes #32837.
+
+(cherry picked from commit 60dbecff27159a34be044b082d3688e62e67a4cb)
+---
+ src/systemctl/systemctl-list-unit-files.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/systemctl/systemctl-list-unit-files.c b/src/systemctl/systemctl-list-unit-files.c
+index fc1ad9800a..b8b1531834 100644
+--- a/src/systemctl/systemctl-list-unit-files.c
++++ b/src/systemctl/systemctl-list-unit-files.c
+@@ -79,7 +79,7 @@ static int output_unit_file_list(const UnitFileList *units, unsigned c) {
+
+ table_set_ersatz_string(table, TABLE_ERSATZ_DASH);
+
+- for (const UnitFileList *u = units; u < units + c; u++) {
++ FOREACH_ARRAY(u, units, c) {
+ const char *on_underline = NULL, *on_unit_color = NULL, *id;
+ bool underline;
+
+--
+2.33.0
+
diff --git a/backport-systemctl-fix-fallback-for-pidfd_open-permission-err.patch b/backport-systemctl-fix-fallback-for-pidfd_open-permission-err.patch
new file mode 100644
index 0000000..52a7462
--- /dev/null
+++ b/backport-systemctl-fix-fallback-for-pidfd_open-permission-err.patch
@@ -0,0 +1,27 @@ +From 276a254c208fcaea6e00ba353b4d73ad6a75d8da Mon Sep 17 00:00:00 2001 +From: Luca Boccassi +Date: Wed, 28 Feb 2024 00:52:36 +0000 +Subject: [PATCH 0334/1160] systemctl: fix fallback for pidfd_open permission + error + +Follow-up for 857945cc5f2a4c1d6aa0bd7532a995c8480b1cc3 +--- + src/systemctl/systemctl-show.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/systemctl/systemctl-show.c b/src/systemctl/systemctl-show.c +index e7fabcf235..5d1eb492e1 100644 +--- a/src/systemctl/systemctl-show.c ++++ b/src/systemctl/systemctl-show.c +@@ -2255,7 +2255,7 @@ static int get_unit_dbus_path_by_pid( + * sends the numeric PID. */ + + pidfd = pidfd_open(pid, 0); +- if (pidfd < 0 && ERRNO_IS_NOT_SUPPORTED(errno) && !ERRNO_IS_PRIVILEGE(errno)) ++ if (pidfd < 0 && (ERRNO_IS_NOT_SUPPORTED(errno) || ERRNO_IS_PRIVILEGE(errno))) + return get_unit_dbus_path_by_pid_fallback(bus, pid, ret_path, ret_unit); + if (pidfd < 0) + return log_error_errno(errno, "Failed to open PID %"PRIu32": %m", pid); +-- +2.33.0 + diff --git a/backport-systemctl-fix-memleak.patch b/backport-systemctl-fix-memleak.patch index aee94a6..18fdfce 100644 --- a/backport-systemctl-fix-memleak.patch +++ b/backport-systemctl-fix-memleak.patch @@ -1,7 +1,7 @@ From e820e232210376b0a1f9d3a562395beab9206ed8 Mon Sep 17 00:00:00 2001 From: Yu Watanabe Date: Mon, 27 Jan 2025 04:17:27 +0900 -Subject: [PATCH] systemctl: fix memleak +Subject: [PATCH 1094/1160] systemctl: fix memleak Fixes a bug introduced by adb6cd9be2b7e9e614d2b5835c7b70cf8eacc852. @@ -39,5 +39,5 @@ index 59be6a7a7e..8d5303c2d8 100644 if (!arg_quiet) -- -2.43.0 +2.33.0 diff --git a/backport-systemctl-fix-printing-of-RootImageOptions.patch b/backport-systemctl-fix-printing-of-RootImageOptions.patch index f841729..ac47352 100644 --- a/backport-systemctl-fix-printing-of-RootImageOptions.patch +++ b/backport-systemctl-fix-printing-of-RootImageOptions.patch @@ -1,7 +1,7 @@ 
From 64d833dfa6bcac6d4c991447bfd63d6bcda1ba6b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Fri, 27 Sep 2024 20:17:12 +0200 -Subject: [PATCH] systemctl: fix printing of RootImageOptions +Subject: [PATCH 0891/1160] systemctl: fix printing of RootImageOptions The type is a(ss), so a custom printer is required. @@ -47,3 +47,6 @@ index 5d1eb492e1..7fe7f423f6 100644 } else if (streq(name, "MountImages")) { _cleanup_free_ char *paths = NULL; +-- +2.33.0 + diff --git a/backport-systemctl-grey-out-tasks-limit-the-same-way-we-grey-.patch b/backport-systemctl-grey-out-tasks-limit-the-same-way-we-grey-.patch new file mode 100644 index 0000000..4a197b1 --- /dev/null +++ b/backport-systemctl-grey-out-tasks-limit-the-same-way-we-grey-.patch @@ -0,0 +1,32 @@ +From e00cc22e30b61b3e2e6b50bea3c569dd7c48c42d Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Mon, 18 Nov 2024 23:26:58 +0100 +Subject: [PATCH 1018/1160] systemctl: grey out tasks limit the same way we + grey out the fd store limit in the output + +"systemctl status systemd-logind" otherwise looks a bit weird, since the +tasks and the fdstore lines are so close to each other but formatted +quite differently when it comes to coloring. + +(cherry picked from commit 54646b1ca95373dfa3ebe5d6e7e27deeed9e77b0) +(cherry picked from commit ff4b66be4a35fd21ef001bbf6492e3e1f837ee1c) +--- + src/systemctl/systemctl-show.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/systemctl/systemctl-show.c b/src/systemctl/systemctl-show.c +index 7fe7f423f6..38357c93d5 100644 +--- a/src/systemctl/systemctl-show.c ++++ b/src/systemctl/systemctl-show.c +@@ -695,7 +695,7 @@ static void print_status_info( + printf(" Tasks: %" PRIu64, i->tasks_current); + + if (i->tasks_max != UINT64_MAX) +- printf(" (limit: %" PRIu64 ")\n", i->tasks_max); ++ printf("%s (limit: %" PRIu64 ")%s\n", ansi_grey(), i->tasks_max, ansi_normal()); + else + printf("\n"); + } +-- +2.33.0 + 
diff --git a/backport-systemctl-is-system-running-display-offline-with-ima.patch b/backport-systemctl-is-system-running-display-offline-with-ima.patch
new file mode 100644
index 0000000..fe03a47
--- /dev/null
+++ b/backport-systemctl-is-system-running-display-offline-with-ima.patch
@@ -0,0 +1,34 @@
+From 4c5da3dbde37cd2f8c1f8669d0b0339d8fa9e8cc Mon Sep 17 00:00:00 2001
+From: Antonio Alvarez Feijoo
+Date: Mon, 15 Jan 2024 10:55:31 +0100
+Subject: [PATCH 0152/1160] systemctl-is-system-running: display "offline" with
+ --image
+
+With the `--image` option, the `running_in_chroot` check is not enough. E.g.:
+
+```
+> build/systemctl --image /tmp/20240108-openSUSE.raw is-system-running
+running
+```
+
+(cherry picked from commit b551a687a47413a17c4ce61dacee5c0a50520fc4)
+---
+ src/systemctl/systemctl-is-system-running.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/systemctl/systemctl-is-system-running.c b/src/systemctl/systemctl-is-system-running.c
+index 6b521c9347..59be6a7a7e 100644
+--- a/src/systemctl/systemctl-is-system-running.c
++++ b/src/systemctl/systemctl-is-system-running.c
+@@ -29,7 +29,7 @@ int verb_is_system_running(int argc, char *argv[], void *userdata) {
+ sd_bus *bus;
+ int r;
+
+- if (running_in_chroot() > 0 || (arg_transport == BUS_TRANSPORT_LOCAL && !sd_booted())) {
++ if (!isempty(arg_root) || running_in_chroot() > 0 || (arg_transport == BUS_TRANSPORT_LOCAL && !sd_booted())) {
+ if (!arg_quiet)
+ puts("offline");
+ return EXIT_FAILURE;
+--
+2.33.0
+
diff --git a/backport-systemctl-list-jobs-interchange-waiting-for-and-bloc.patch b/backport-systemctl-list-jobs-interchange-waiting-for-and-bloc.patch
new file mode 100644
index 0000000..a8747c7
--- /dev/null
+++ b/backport-systemctl-list-jobs-interchange-waiting-for-and-bloc.patch
@@ -0,0 +1,72 @@ +From bf3e64f9d10d31062a18ff4f34c3dc5995218bd6 Mon Sep 17 00:00:00 2001 +From: Rasmus Villemoes +Date: Wed, 24 Apr 2024 11:16:50 +0200 +Subject: [PATCH 0565/1160] systemctl: list-jobs: interchange 'waiting for' and + 'blocking' in output +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The current output of 'systemctl list-jobs' with the --after and/or --before +switches seems backwards. With artificial units + +# check-oil.service +[Unit] +Description=Check the oil level +Before=engine-ready.target + +# fill-gas.service +[Unit] +Description=Fill the tank with gasoline +Before=engine-ready.target + +# engine-ready.target +[Unit] +Description=The engine is ready + +[Unit] +Description=Start the engine! +After=engine-ready.target +Wants=engine-ready.target + +running 'systemctl list-jobs --before --after' produces + +JOB UNIT TYPE STATE +93 check-oil.service start running +└─ waiting for job 94 (engine-ready.target/start) - - +102 fill-gas.service start running +└─ waiting for job 94 (engine-ready.target/start) - - +94 engine-ready.target start waiting +└─ waiting for job 111 (start-engine.service/start) - - +└─ blocking job 93 (check-oil.service/start) - - +└─ blocking job 102 (fill-gas.service/start) - - +111 start-engine.service start waiting +└─ waiting for job 1 (multi-user.target/start) - - +└─ blocking job 94 (engine-ready.target/start) - - + +Obviously, job 93 is not waiting for job 94, but rather blocking it. 
+ +(cherry picked from commit dc3058e4901cc26a833da981a18a85563f0d4409) +--- + src/systemctl/systemctl-list-jobs.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/systemctl/systemctl-list-jobs.c b/src/systemctl/systemctl-list-jobs.c +index a752173e4e..fcfe2ac561 100644 +--- a/src/systemctl/systemctl-list-jobs.c ++++ b/src/systemctl/systemctl-list-jobs.c +@@ -102,9 +102,9 @@ static int output_jobs_list(sd_bus *bus, const struct job_info* jobs, unsigned n + return table_log_add_error(r); + + if (arg_jobs_after) +- output_waiting_jobs(bus, table, j->id, "GetJobAfter", "\twaiting for job"); ++ output_waiting_jobs(bus, table, j->id, "GetJobAfter", "\tblocking job"); + if (arg_jobs_before) +- output_waiting_jobs(bus, table, j->id, "GetJobBefore", "\tblocking job"); ++ output_waiting_jobs(bus, table, j->id, "GetJobBefore", "\twaiting for job"); + } + + r = table_print(table, NULL); +-- +2.33.0 + diff --git a/backport-systemctl-skip-triggering-unit-warning-if-unit-vanis.patch b/backport-systemctl-skip-triggering-unit-warning-if-unit-vanis.patch new file mode 100644 index 0000000..b0c69bf --- /dev/null +++ b/backport-systemctl-skip-triggering-unit-warning-if-unit-vanis.patch 
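Review bot: The swap leaves `"GetJobAfter"` paired with `"\tblocking job"` and `"GetJobBefore"` with `"\twaiting for job"`, which reads inverted at first glance — exactly how the original mix-up happened — and the labels are only right if GetJobAfter returns the jobs ordered after this one. A comment on each call pins the semantics so nobody flips them back: `/* GetJobAfter: jobs ordered after us, i.e. the ones we block */` and `/* GetJobBefore: jobs ordered before us, i.e. the ones we wait for */`. output_jobs_list() continues outside the hunk.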
@@ -0,0 +1,30 @@ +From 159d8230aa13bdb8d019b7ec8adeb05c5a020c13 Mon Sep 17 00:00:00 2001 +From: Mike Yuan +Date: Thu, 29 Feb 2024 23:45:54 +0800 +Subject: [PATCH 0765/1160] systemctl: skip triggering unit warning if unit + vanished + +(cherry picked from commit 701bd9d08ac1d16f74e2b453ca0826e85b1c8491) +(cherry picked from commit 67e0d093682d763ff1d27027a5040571fc039193) +--- + src/systemctl/systemctl-util.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/systemctl/systemctl-util.c b/src/systemctl/systemctl-util.c +index 2498725d3f..39f556f534 100644 +--- a/src/systemctl/systemctl-util.c ++++ b/src/systemctl/systemctl-util.c +@@ -385,8 +385,8 @@ void warn_triggering_units(sd_bus *bus, const char *unit, const char *operation, + + r = get_active_triggering_units(bus, unit, ignore_masked, &triggered_by); + if (r < 0) { +- log_warning_errno(r, +- "Failed to get triggering units for '%s', ignoring: %m", unit); ++ if (r != -ENOENT) /* A linked unit might have disappeared after disabling */ ++ log_warning_errno(r, "Failed to get triggering units for '%s', ignoring: %m", unit); + return; + } + +-- +2.33.0 + diff --git a/backport-systemd-boot-Allow-key-enroll-in-AuditMode.patch b/backport-systemd-boot-Allow-key-enroll-in-AuditMode.patch new file mode 100644 index 0000000..953b8cc --- /dev/null +++ b/backport-systemd-boot-Allow-key-enroll-in-AuditMode.patch 
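Review bot: The -ENOENT case now disappears without a trace, so a lookup that fails for a reason surfacing as -ENOENT other than the intended "linked unit vanished" leaves nothing in the log explaining why the trigger warning never appeared. Keeping the message at debug level instead of dropping it costs nothing and preserves the evidence: `log_full_errno(r == -ENOENT ? LOG_DEBUG : LOG_WARNING, r, "Failed to get triggering units for '%s', ignoring: %m", unit);` in place of the new `if`/`log_warning_errno` pair, with the "linked unit might have disappeared" remark kept as the comment. warn_triggering_units() continues outside the hunk.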
@@ -0,0 +1,30 @@ +From 04f6566568e0618088c7496a7e89da8d949b3c72 Mon Sep 17 00:00:00 2001 +From: Nicolas Bouchinet +Date: Fri, 3 May 2024 11:42:09 +0200 +Subject: [PATCH 0591/1160] systemd-boot: Allow key enroll in AuditMode + +Since AuditMode automatically switches SetupMode on, it should be +authorized to enroll SecureBoot keys. + +Signed-off-by: Nicolas Bouchinet +(cherry picked from commit a23a59b324a022a0b38b5f35d01ee1b2b4edf694) +--- + src/boot/efi/boot.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/boot/efi/boot.c b/src/boot/efi/boot.c +index a3d5607c1a..e0ffc3b62d 100644 +--- a/src/boot/efi/boot.c ++++ b/src/boot/efi/boot.c +@@ -2466,7 +2466,7 @@ static EFI_STATUS secure_boot_discover_keys(Config *config, EFI_FILE *root_dir) + EFI_STATUS err; + _cleanup_(file_closep) EFI_FILE *keys_basedir = NULL; + +- if (secure_boot_mode() != SECURE_BOOT_SETUP) ++ if (!IN_SET(secure_boot_mode(), SECURE_BOOT_SETUP, SECURE_BOOT_AUDIT)) + return EFI_SUCCESS; + + /* the lack of a 'keys' directory is not fatal and is silently ignored */ +-- +2.33.0 + diff --git a/backport-systemd-networkd-tests-Skip-tests-requiring-dhcpd-if.patch b/backport-systemd-networkd-tests-Skip-tests-requiring-dhcpd-if.patch new file mode 100644 index 0000000..6c431f2 --- /dev/null +++ b/backport-systemd-networkd-tests-Skip-tests-requiring-dhcpd-if.patch 
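Review bot: The relaxed check lets the ESP key-discovery path run in audit mode, but the code records neither why that is safe nor what it implies, and the rationale lives only in the commit message. Per my reading of the UEFI secure-boot mode state machine, AuditMode forces SetupMode so PK/KEK/db writes are accepted unauthenticated, and enrolling a PK from audit mode moves the platform to Deployed Mode rather than User Mode, the harder mode to leave — worth confirming against the spec and stating above the check: `/* Enrollment is possible in setup mode and in audit mode (which implies setup mode); note that enrolling PK from audit mode transitions to deployed mode. */`. If the automatic enrollment variants of this path (`secure-boot-enroll=force`) are gated elsewhere on SECURE_BOOT_SETUP only, they should be brought in line or the difference documented. secure_boot_discover_keys() continues outside the hunk.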
@@ -0,0 +1,47 @@ +From 75c81c887a86b4ed74254ca636fea9cff97bb446 Mon Sep 17 00:00:00 2001 +From: Daan De Meyer +Date: Mon, 15 Jul 2024 12:26:04 +0200 +Subject: [PATCH 0759/1160] systemd-networkd-tests: Skip tests requiring dhcpd + if it is not available + +dhcpd is not available on CentOS Stream 10 + +See https://github.com/systemd/systemd/issues/33717 + +(cherry picked from commit 985d5b4bc23f791bdc79d4c2a9a949cc5d3bc27a) +(cherry picked from commit 89904fc10c57b28d064f7abbde97a636000e1323) +--- + test/test-network/systemd-networkd-tests.py | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/test/test-network/systemd-networkd-tests.py b/test/test-network/systemd-networkd-tests.py +index e7462ea5e9..c609f267b5 100755 +--- a/test/test-network/systemd-networkd-tests.py ++++ b/test/test-network/systemd-networkd-tests.py +@@ -6206,6 +6206,7 @@ class NetworkdDHCPPDTests(unittest.TestCase, Utilities): + self.assertGreater(prefixInfo[0]['PreferredLifetimeUSec'], 0) + self.assertGreater(prefixInfo[0]['ValidLifetimeUSec'], 0) + ++ @unittest.skipUnless(shutil.which('dhcpd'), reason="dhcpd is not available on CentOS Stream 10") + def test_dhcp6pd_no_address(self): + # For issue #29979. + copy_network_unit('25-veth.netdev', '25-dhcp6pd-server.network', '25-dhcp6pd-upstream-no-address.network') +@@ -6222,6 +6223,7 @@ class NetworkdDHCPPDTests(unittest.TestCase, Utilities): + + self.check_dhcp6_prefix('veth99') + ++ @unittest.skipUnless(shutil.which('dhcpd'), reason="dhcpd is not available on CentOS Stream 10") + def test_dhcp6pd_no_assign(self): + # Similar to test_dhcp6pd_no_assign(), but in this case UseAddress=yes (default), + # However, the server does not provide IA_NA. For issue #31349. 
+@@ -6239,6 +6241,7 @@ class NetworkdDHCPPDTests(unittest.TestCase, Utilities): + + self.check_dhcp6_prefix('veth99') + ++ @unittest.skipUnless(shutil.which('dhcpd'), reason="dhcpd is not available on CentOS Stream 10") + def test_dhcp6pd(self): + copy_network_unit('25-veth.netdev', '25-dhcp6pd-server.network', '25-dhcp6pd-upstream.network', + '25-veth-downstream-veth97.netdev', '25-dhcp-pd-downstream-veth97.network', '25-dhcp-pd-downstream-veth97-peer.network', +-- +2.33.0 + diff --git a/backport-systemd-update-helper-Show-executed-commands-if-debu.patch b/backport-systemd-update-helper-Show-executed-commands-if-debu.patch new file mode 100644 index 0000000..5d7c3b1 --- /dev/null +++ b/backport-systemd-update-helper-Show-executed-commands-if-debu.patch @@ -0,0 +1,30 @@ +From b095673440f3c0ab434475cf539aff018e7f5e20 Mon Sep 17 00:00:00 2001 +From: Daan De Meyer +Date: Fri, 11 Oct 2024 16:51:04 +0200 +Subject: [PATCH 0943/1160] systemd-update-helper: Show executed commands if + debug logging is enabled + +(cherry picked from commit 8b8668b9e71837cb541cd432bc37e4c9405e49cd) +(cherry picked from commit c7762098ec09c2626204c9580c91295414137bba) +--- + src/rpm/systemd-update-helper.in | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/src/rpm/systemd-update-helper.in b/src/rpm/systemd-update-helper.in +index c81e16c3d3..eae76576d1 100755 +--- a/src/rpm/systemd-update-helper.in ++++ b/src/rpm/systemd-update-helper.in +@@ -3,6 +3,10 @@ + set -eu + set -o pipefail + ++if [ "${SYSTEMD_LOG_LEVEL:-}" = "debug" ]; then ++ set -x ++fi ++ + command="${1:?}" + shift + +-- +2.33.0 + diff --git a/backport-sysusers-check-if-requested-group-name-matches-user-.patch b/backport-sysusers-check-if-requested-group-name-matches-user-.patch new file mode 100644 index 0000000..129be3e --- /dev/null +++ b/backport-sysusers-check-if-requested-group-name-matches-user-.patch 
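Review bot: The three added decorators call `shutil.which` while the patch adds no import, so the change relies on `shutil` already being imported by systemd-networkd-tests.py; that is likely for a file of this size but is not visible in the hunk. The `reason=` text also bakes the CentOS Stream 10 case into a condition that is general, so a future skip on any other distribution carries a misleading message; `reason="dhcpd is not available"` describes what the check actually tests. The enclosing class NetworkdDHCPPDTests extends beyond the hunk.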
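Review bot: The comparison accepts only the literal `debug`, while SYSTEMD_LOG_LEVEL is documented to take the numeric form as well, so `SYSTEMD_LOG_LEVEL=7` leaves tracing off although every systemd binary invoked by the same scriptlet treats it as debug. A `case` covers both spellings in the same number of lines: `case "${SYSTEMD_LOG_LEVEL:-}" in debug|7) set -x ;; esac`. A one-line comment noting that `set -x` prints each command with its expanded arguments to the scriptlet's stderr would also tell the reader where to look for the trace.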
@@ -0,0 +1,82 @@ +From 25003a6450810aeb0722ff6fb566f41297595f49 Mon Sep 17 00:00:00 2001 +From: Nick Rosbrook +Date: Mon, 5 Aug 2024 20:43:15 -0400 +Subject: [PATCH 0843/1160] sysusers: check if requested group name matches + user name in queue + +When creating a user, check if the requested group name matches a user +name in the queue. If that matched user name is also going to be a group +name, then use it for the new user too. In other words, allow the +following: + + u foo - + u bar -:foo + +when both foo and bar are new users. + +Fixes #33547 + +(cherry picked from commit 18a8f03e5160ca3828d327d9bbd1b32f26d792a3) +(cherry picked from commit edf52384c2e99cd5af9bcd4ae4b13fd8f79596d3) +--- + src/sysusers/sysusers.c | 8 +++++++- + test/test-sysusers/test-16.expected-group | 1 + + test/test-sysusers/test-16.expected-passwd | 2 ++ + test/test-sysusers/test-16.input | 7 +++++++ + 4 files changed, 17 insertions(+), 1 deletion(-) + create mode 100644 test/test-sysusers/test-16.expected-group + create mode 100644 test/test-sysusers/test-16.expected-passwd + create mode 100644 test/test-sysusers/test-16.input + +diff --git a/src/sysusers/sysusers.c b/src/sysusers/sysusers.c +index 794e09ce53..fbdf5f4578 100644 +--- a/src/sysusers/sysusers.c ++++ b/src/sysusers/sysusers.c +@@ -1466,9 +1466,15 @@ static int process_item(Context *c, Item *i) { + case ADD_USER: { + Item *j = NULL; + +- if (!i->gid_set) ++ if (!i->gid_set) { + j = ordered_hashmap_get(c->groups, i->group_name ?: i->name); + ++ /* If that's not a match, also check if the group name ++ * matches a user name in the queue. 
*/ ++ if (!j && i->group_name) ++ j = ordered_hashmap_get(c->users, i->group_name); ++ } ++ + if (j && j->todo_group) { + /* When a group with the target name is already in queue, + * use the information about the group and do not create +diff --git a/test/test-sysusers/test-16.expected-group b/test/test-sysusers/test-16.expected-group +new file mode 100644 +index 0000000000..54918e417a +--- /dev/null ++++ b/test/test-sysusers/test-16.expected-group +@@ -0,0 +1 @@ ++foo:x:SYSTEM_UGID_MAX: +diff --git a/test/test-sysusers/test-16.expected-passwd b/test/test-sysusers/test-16.expected-passwd +new file mode 100644 +index 0000000000..8823813f82 +--- /dev/null ++++ b/test/test-sysusers/test-16.expected-passwd +@@ -0,0 +1,2 @@ ++foo:x:SYSTEM_UGID_MAX:SYSTEM_UGID_MAX::/:NOLOGIN ++bar:x:300:SYSTEM_UGID_MAX::/:NOLOGIN +diff --git a/test/test-sysusers/test-16.input b/test/test-sysusers/test-16.input +new file mode 100644 +index 0000000000..2d80d81c0c +--- /dev/null ++++ b/test/test-sysusers/test-16.input +@@ -0,0 +1,7 @@ ++# SPDX-License-Identifier: LGPL-2.1-or-later ++# ++# Test fix for https://github.com/systemd/systemd/issues/33547. ++# ++#Type Name ID ++u foo - ++u bar 300:foo +-- +2.33.0 + diff --git a/backport-sysusers-handle-NSS-errors-gracefully.patch b/backport-sysusers-handle-NSS-errors-gracefully.patch index 6736922..c49449e 100644 --- a/backport-sysusers-handle-NSS-errors-gracefully.patch +++ b/backport-sysusers-handle-NSS-errors-gracefully.patch @@ -1,7 +1,7 @@ From 0f518750a44dc4b2987ecc0cea4b3d848ac46ee9 Mon Sep 17 00:00:00 2001 From: Luca Boccassi Date: Thu, 4 Jul 2024 10:23:04 +0100 -Subject: [PATCH] sysusers: handle NSS errors gracefully +Subject: [PATCH 0751/1160] sysusers: handle NSS errors gracefully If the io.systemd.DynamicUser or io.systemd.Machine files exist, but nothing is listening on them, the nss-systemd module returns 
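Review bot: The new fallback lookup in `c->users` hands back a user Item, and the following `j->todo_group` test only makes sense because a queued user with `todo_group` set will also create a group of its own name; the comment above the lookup describes the match but not why a user item can satisfy a group request. Extending it keeps the next reader from reading this as a user/group mix-up: `/* If that's not a match, also check if the group name matches a user name in the queue: a queued user with todo_group set creates a same-named group, whose GID is the one we want. */`. process_item() continues outside the hunk, so the branch that consumes j is only partly visible.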
@@ -16,9 +16,6 @@ when NSS returns an error. (cherry picked from commit fc9938d6f8e7081df5420bf88bf98f683b1391c0) (cherry picked from commit abba1e6bc29b7e07354ca23906c6f485ba245a1a) - -Conflict:NA -Reference:https://github.com/systemd/systemd-stable/commit/0f518750a44dc4b2987ecc0cea4b3d848ac46ee9 --- src/sysusers/sysusers.c | 12 ++++++------ test/units/TEST-74-AUX-UTILS.sysusers.sh | 24 ++++++++++++++++++++++++ diff --git a/backport-sysusers-tmpfiles-clarify-error-message-for-replace.patch b/backport-sysusers-tmpfiles-clarify-error-message-for-replace.patch new file mode 100644 index 0000000..483041b --- /dev/null +++ b/backport-sysusers-tmpfiles-clarify-error-message-for-replace.patch 
@@ -0,0 +1,59 @@ +From 703b2a8e39fe2d3b51273619d713c33b4681945d Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Sun, 3 Dec 2023 13:47:19 +0100 +Subject: [PATCH 0296/1160] sysusers,tmpfiles: clarify error message for + --replace + +I was trying to run sysusers --replace, but the input file didn't have the right +suffix, and the message was very confusing. Let's split the message in two to +make it clearer that we care about the extension. + +(cherry picked from commit 37ee46f7c859cb514592eb0ff8e11fc44316ef52) +--- + src/sysusers/sysusers.c | 8 +++++--- + src/tmpfiles/tmpfiles.c | 8 +++++--- + 2 files changed, 10 insertions(+), 6 deletions(-) + +diff --git a/src/sysusers/sysusers.c b/src/sysusers/sysusers.c +index 8376868136..514f3c7935 100644 +--- a/src/sysusers/sysusers.c ++++ b/src/sysusers/sysusers.c +@@ -2150,10 +2150,12 @@ static int parse_argv(int argc, char *argv[]) { + break; + + case ARG_REPLACE: +- if (!path_is_absolute(optarg) || +- !endswith(optarg, ".conf")) ++ if (!path_is_absolute(optarg)) + return log_error_errno(SYNTHETIC_ERRNO(EINVAL), +- "The argument to --replace= must an absolute path to a config file"); ++ "The argument to --replace= must be an absolute path."); ++ if (!endswith(optarg, ".conf")) ++ return log_error_errno(SYNTHETIC_ERRNO(EINVAL), ++ "The argument to --replace= must have the extension '.conf'."); + + arg_replace = optarg; + break; +diff --git a/src/tmpfiles/tmpfiles.c b/src/tmpfiles/tmpfiles.c +index afa3ae275d..bc83aaba0e 100644 +--- a/src/tmpfiles/tmpfiles.c ++++ b/src/tmpfiles/tmpfiles.c +@@ -4130,10 +4130,12 @@ static int parse_argv(int argc, char *argv[]) { + break; + + case ARG_REPLACE: +- if (!path_is_absolute(optarg) || +- !endswith(optarg, ".conf")) ++ if (!path_is_absolute(optarg)) + return log_error_errno(SYNTHETIC_ERRNO(EINVAL), +- "The argument to --replace= must an absolute path to a config file"); ++ "The argument to --replace= must be an absolute path."); ++ if 
(!endswith(optarg, ".conf")) ++ return log_error_errno(SYNTHETIC_ERRNO(EINVAL), ++ "The argument to --replace= must have the extension '.conf'."); + + arg_replace = optarg; + break; +-- +2.33.0 + diff --git a/backport-sysv-generator-break-long-message-into-lines.patch b/backport-sysv-generator-break-long-message-into-lines.patch new file mode 100644 index 0000000..753bb0a --- /dev/null +++ b/backport-sysv-generator-break-long-message-into-lines.patch 
@@ -0,0 +1,40 @@ +From bf6dd565d2073a34c0bc1714adb832fe2b993de6 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Fri, 18 Oct 2024 19:41:25 +0200 +Subject: [PATCH 0974/1160] sysv-generator: break long message into lines + +The journal handles multi-line messages nicely, and they are easier +to read. Drop the recycling symbol, there is no circular process here, +we go from a to b and never back to a again. + +(cherry picked from commit bb56c27fc81da2777cd7064a0b88ca011eced509) +(cherry picked from commit 6a4ff7a5c1591f8fe1aa3a3ab435d01e30c08b81) +--- + src/sysv-generator/sysv-generator.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/src/sysv-generator/sysv-generator.c b/src/sysv-generator/sysv-generator.c +index 4485e2e368..b5b6e19e90 100644 +--- a/src/sysv-generator/sysv-generator.c ++++ b/src/sysv-generator/sysv-generator.c +@@ -763,12 +763,13 @@ static int enumerate_sysv(const LookupPaths *lp, Hashmap *all_services) { + return log_oom(); + + log_struct(LOG_WARNING, +- LOG_MESSAGE("SysV service '%s' lacks a native systemd unit file. " +- "%s Automatically generating a unit file for compatibility. Please update package to include a native systemd unit file, in order to make it safe, robust and future-proof. " ++ LOG_MESSAGE("SysV service '%s' lacks a native systemd unit file, " ++ "automatically generating a unit file for compatibility.\n" ++ "Please update package to include a native systemd unit file.\n" + "%s This compatibility logic is deprecated, expect removal soon. %s", + fpath, +- special_glyph(SPECIAL_GLYPH_RECYCLING), +- special_glyph(SPECIAL_GLYPH_WARNING_SIGN), special_glyph(SPECIAL_GLYPH_WARNING_SIGN)), ++ special_glyph(SPECIAL_GLYPH_WARNING_SIGN), ++ special_glyph(SPECIAL_GLYPH_WARNING_SIGN)), + "MESSAGE_ID=" SD_MESSAGE_SYSV_GENERATOR_DEPRECATED_STR, + "SYSVSCRIPT=%s", fpath, + "UNIT=%s", name); +-- +2.33.0 + 
diff --git a/backport-temporarily-disable-test-seccomp.patch b/backport-temporarily-disable-test-seccomp.patch index 6af53ba..46f5af2 100644 --- a/backport-temporarily-disable-test-seccomp.patch +++ b/backport-temporarily-disable-test-seccomp.patch @@ -12,7 +12,7 @@ index 2d06098..a95deb8 100644 --- a/src/test/test-seccomp.c +++ b/src/test/test-seccomp.c @@ -1199,4 +1199,6 @@ TEST(restrict_suid_sgid) { - assert_se(wait_for_terminate_and_check("suidsgidseccomp", pid, WAIT_LOG) == EXIT_SUCCESS); + assert_se(wait_for_terminate_and_check("seccomp_suppress_sync", pid, WAIT_LOG) == EXIT_SUCCESS); } -DEFINE_TEST_MAIN(LOG_DEBUG); diff --git a/backport-terminal-util-fix-underlining-with-SYSTEMD_COLORS-no.patch b/backport-terminal-util-fix-underlining-with-SYSTEMD_COLORS-no.patch new file mode 100644 index 0000000..f90ab71 --- /dev/null +++ b/backport-terminal-util-fix-underlining-with-SYSTEMD_COLORS-no.patch @@ -0,0 +1,29 @@ +From b2ca5772fce4b65c5f44a743de55699f64dd829a Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Wed, 20 Mar 2024 04:49:04 +0900 +Subject: [PATCH 0456/1160] terminal-util: fix underlining with + SYSTEMD_COLORS=no + +Fixes #31857. + +(cherry picked from commit 46325d932435336ff847e5cf9ea1687470a3b1de) +--- + src/basic/terminal-util.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/basic/terminal-util.h b/src/basic/terminal-util.h +index 2a7d48b95d..80d16f6db9 100644 +--- a/src/basic/terminal-util.h ++++ b/src/basic/terminal-util.h +@@ -186,7 +186,7 @@ static inline bool colors_enabled(void) { + } + + static inline const char *ansi_underline(void) { +- return underline_enabled() ? ANSI_UNDERLINE : ANSI_NORMAL; ++ return underline_enabled() ? ANSI_UNDERLINE : ""; + } + + #define DEFINE_ANSI_FUNC_UNDERLINE(name, NAME) \ +-- +2.33.0 + diff --git a/backport-test-69-send-SIGTERM-to-ask-systemd-nspawn-to-proper.patch b/backport-test-69-send-SIGTERM-to-ask-systemd-nspawn-to-proper.patch new file mode 100644 index 0000000..4dd6a60 
--- /dev/null +++ b/backport-test-69-send-SIGTERM-to-ask-systemd-nspawn-to-proper.patch @@ -0,0 +1,53 @@ +From 4b0f60de3b5b0d1ce5ab37dba56a9661e600b1f6 Mon Sep 17 00:00:00 2001 +From: Franck Bui +Date: Thu, 8 Feb 2024 16:11:21 +0100 +Subject: [PATCH 0297/1160] test-69: send SIGTERM to ask systemd-nspawn to + properly stop the container + +The terminate() method sends SIGHUP but this signal is not handled by +systemd-nspawn hence the process just exits leaving the container scope around +breaking futher test executions. + +This patch sends SIGTERM instead which is a defined API to request +sytemd-nspawn to stop and release the container's resources properly. + +Follow-up for 8a7032cfb108c6daa395686320d9361c2195860a. + +(cherry picked from commit 14265c3360b02191975654981715584227c0650e) +--- + test/test-shutdown.py | 12 +++++------- + 1 file changed, 5 insertions(+), 7 deletions(-) + +diff --git a/test/test-shutdown.py b/test/test-shutdown.py +index 5339afcdd0..e491f1e1a9 100755 +--- a/test/test-shutdown.py ++++ b/test/test-shutdown.py +@@ -4,6 +4,7 @@ + + import argparse + import logging ++import signal + import sys + import time + +@@ -91,13 +92,10 @@ def run(args): + except Exception as e: + logger.error(e) + logger.info("killing child pid %d", console.pid) +- # We can't use console.terminate(force=True) right away, since +- # the internal delay between sending a signal and checking the process +- # is just 0.1s [0], which means we'd get SIGKILLed pretty quickly. +- # Let's send SIGHUP/SIGINT first, wait a bit, and then follow-up with +- # SIGHUP/SIGINT/SIGKILL if the process is still alive. +- # [0] https://github.com/pexpect/pexpect/blob/acb017a97332c19a9295660fe87316926a8adc55/pexpect/spawnbase.py#L71 +- console.terminate() ++ ++ # Ask systemd-nspawn to stop and release the container's resources properly. ++ console.kill(signal.SIGTERM) ++ + for _ in range(10): + if not console.isalive(): + break +-- +2.33.0 + 
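Review bot: The new comment says what the call does but not why `console.terminate()` was dropped, and the removed comment took the escalation rationale with it, so the next cleanup is likely to put `terminate()` back. A why-comment keeps the reason with the code: `# pexpect's terminate() sends SIGHUP, which systemd-nspawn does not handle; SIGTERM is the defined request for it to stop and release the container.` The escalation after the `for _ in range(10)` wait loop, and any follow-up kill if the container is still alive, lies outside the hunk, so whether a single SIGTERM is sufficient cannot be judged from here.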
diff --git a/backport-test-Add-test-for-per-device-cgroup-properties.patch b/backport-test-Add-test-for-per-device-cgroup-properties.patch new file mode 100644 index 0000000..7bb8b57 --- /dev/null +++ b/backport-test-Add-test-for-per-device-cgroup-properties.patch 
@@ -0,0 +1,88 @@ +From 5184f867e4e6c684da8fe804b366d4fe55e46373 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Michal=20Koutn=C3=BD?= +Date: Fri, 4 Oct 2024 20:40:51 +0200 +Subject: [PATCH 0908/1160] test: Add test for per-device cgroup properties + +Reported in #34126 + +(cherry picked from commit 321637743313f896e275fd038996b8cfb5a070b3) +(cherry picked from commit 84cd501ae4d2689ac39e510d1d33b7e3234f5199) +--- + test/units/testsuite-19.keyed-properties.sh | 65 +++++++++++++++++++++ + 1 file changed, 65 insertions(+) + create mode 100755 test/units/testsuite-19.keyed-properties.sh + +diff --git a/test/units/testsuite-19.keyed-properties.sh b/test/units/testsuite-19.keyed-properties.sh +new file mode 100755 +index 0000000000..cadefe26d5 +--- /dev/null ++++ b/test/units/testsuite-19.keyed-properties.sh +@@ -0,0 +1,65 @@ ++#!/usr/bin/env bash ++# SPDX-License-Identifier: LGPL-2.1-or-later ++set -ex ++set -o pipefail ++ ++# shellcheck source=test/units/test-control.sh ++. "$(dirname "$0")"/test-control.sh ++# shellcheck source=test/units/util.sh ++. 
"$(dirname "$0")"/util.sh ++ ++if [[ "$(get_cgroup_hierarchy)" != unified ]]; then ++ echo "Skipping $0 as we're not running with the unified cgroup hierarchy" ++ exit 0 ++fi ++ ++testcase_iodevice_dbus () { ++ # Test that per-device properties are applied in configured order even for different devices (because ++ # they may resolve to same underlying device in the end ++ # Note: if device does not exist cgroup attribute write fails but systemd should still track the ++ # configured properties ++ systemd-run --unit=test0.service \ ++ --property="IOAccounting=yes" \ ++ sleep inf ++ ++ systemctl set-property test0.service \ ++ IOReadBandwidthMax="/dev/sda1 1M" \ ++ IOReadBandwidthMax="/dev/sda2 2M" \ ++ IOReadBandwidthMax="/dev/sda3 4M" ++ ++ local output ++ output=$(mktemp) ++ trap 'rm -f "$output"' RETURN ++ systemctl show -P IOReadBandwidthMax test0.service >"$output" ++ diff -u "$output" - </run/systemd/system/test1.service <"$output" ++ diff -u "$output" - < +Date: Mon, 21 Oct 2024 17:31:09 +0100 +Subject: [PATCH 0965/1160] test: CET/EET are deprecated, use Europe/Berlin and + Kyiv + +The links moved to the legacy dataset so they won't be available by +default, so stop using them and just use the city ones instead + +(cherry picked from commit aa077884c13769ae3bd6aa98978b4ac9e64b5365) +(cherry picked from commit 4a3fc628a24b5f13af350691ff50f8be905c9c9c) +--- + src/test/test-calendarspec.c | 22 +++++++++++----------- + test/test-functions | 2 -- + test/units/testsuite-65.sh | 1 - + test/units/testsuite-74.firstboot.sh | 6 +++--- + 4 files changed, 14 insertions(+), 17 deletions(-) + +diff --git a/src/test/test-calendarspec.c b/src/test/test-calendarspec.c +index 18a0f8f8bf..eee621f2a0 100644 +--- a/src/test/test-calendarspec.c ++++ b/src/test/test-calendarspec.c +@@ -185,18 +185,18 @@ TEST(calendar_spec_one) { + + TEST(calendar_spec_next) { + test_next("2016-03-27 03:17:00", "", 12345, 1459048620000000); +- test_next("2016-03-27 03:17:00", "CET", 12345, 
1459041420000000); +- test_next("2016-03-27 03:17:00", "EET", 12345, -1); ++ test_next("2016-03-27 03:17:00", "Europe/Berlin", 12345, 1459041420000000); ++ test_next("2016-03-27 03:17:00", "Europe/Kyiv", 12345, -1); + test_next("2016-03-27 03:17:00 UTC", NULL, 12345, 1459048620000000); + test_next("2016-03-27 03:17:00 UTC", "", 12345, 1459048620000000); +- test_next("2016-03-27 03:17:00 UTC", "CET", 12345, 1459048620000000); +- test_next("2016-03-27 03:17:00 UTC", "EET", 12345, 1459048620000000); +- test_next("2016-03-27 03:17:00.420000001 UTC", "EET", 12345, 1459048620420000); +- test_next("2016-03-27 03:17:00.4200005 UTC", "EET", 12345, 1459048620420001); +- test_next("2015-11-13 09:11:23.42", "EET", 12345, 1447398683420000); +- test_next("2015-11-13 09:11:23.42/1.77", "EET", 1447398683420000, 1447398685190000); +- test_next("2015-11-13 09:11:23.42/1.77", "EET", 1447398683419999, 1447398683420000); +- test_next("Sun 16:00:00", "CET", 1456041600123456, 1456066800000000); ++ test_next("2016-03-27 03:17:00 UTC", "Europe/Berlin", 12345, 1459048620000000); ++ test_next("2016-03-27 03:17:00 UTC", "Europe/Kyiv", 12345, 1459048620000000); ++ test_next("2016-03-27 03:17:00.420000001 UTC", "Europe/Kyiv", 12345, 1459048620420000); ++ test_next("2016-03-27 03:17:00.4200005 UTC", "Europe/Kyiv", 12345, 1459048620420001); ++ test_next("2015-11-13 09:11:23.42", "Europe/Kyiv", 12345, 1447398683420000); ++ test_next("2015-11-13 09:11:23.42/1.77", "Europe/Kyiv", 1447398683420000, 1447398685190000); ++ test_next("2015-11-13 09:11:23.42/1.77", "Europe/Kyiv", 1447398683419999, 1447398683420000); ++ test_next("Sun 16:00:00", "Europe/Berlin", 1456041600123456, 1456066800000000); + test_next("*-04-31", "", 12345, -1); + test_next("2016-02~01 UTC", "", 12345, 1456704000000000); + test_next("Mon 2017-05~01..07 UTC", "", 12345, 1496016000000000); +@@ -215,7 +215,7 @@ TEST(calendar_spec_next) { + test_next("2017-04-02 03:30:00 Pacific/Auckland", "", 12345, 1491060600000000); + /* Confirm 
that timezones in the Spec work regardless of current timezone */ + test_next("2017-09-09 20:42:00 Pacific/Auckland", "", 12345, 1504946520000000); +- test_next("2017-09-09 20:42:00 Pacific/Auckland", "EET", 12345, 1504946520000000); ++ test_next("2017-09-09 20:42:00 Pacific/Auckland", "Europe/Kyiv", 12345, 1504946520000000); + /* Check that we don't start looping if mktime() moves us backwards */ + test_next("Sun *-*-* 01:00:00 Europe/Dublin", "", 1616412478000000, 1617494400000000); + test_next("Sun *-*-* 01:00:00 Europe/Dublin", "IST", 1616412478000000, 1617494400000000); +diff --git a/test/test-functions b/test/test-functions +index 80efa539c1..bb99dc8581 100644 +--- a/test/test-functions ++++ b/test/test-functions +@@ -2331,8 +2331,6 @@ install_zoneinfo() { + inst_any /usr/share/zoneinfo/Europe/Kyiv + inst_any /usr/share/zoneinfo/Pacific/Auckland + inst_any /usr/share/zoneinfo/Pacific/Honolulu +- inst_any /usr/share/zoneinfo/CET +- inst_any /usr/share/zoneinfo/EET + inst_any /usr/share/zoneinfo/UTC + } + +diff --git a/test/units/testsuite-65.sh b/test/units/testsuite-65.sh +index 3b493a96ef..4708bf1ad4 100755 +--- a/test/units/testsuite-65.sh ++++ b/test/units/testsuite-65.sh +@@ -150,7 +150,6 @@ systemd-analyze timestamp -- -1 + systemd-analyze timestamp yesterday now tomorrow + systemd-analyze timestamp 'Fri 2012-11-23 23:02:15' + systemd-analyze timestamp 'Fri 2012-11-23 23:02:15 UTC' +-systemd-analyze timestamp 'Fri 2012-11-23 23:02:15 CET' + for i in $(timedatectl list-timezones); do + [[ -e "/usr/share/zoneinfo/$i" ]] || continue + systemd-analyze timestamp "Fri 2012-11-23 23:02:15 $i" +diff --git a/test/units/testsuite-74.firstboot.sh b/test/units/testsuite-74.firstboot.sh +index bc7e9accf7..3f191d51b4 100755 +--- a/test/units/testsuite-74.firstboot.sh ++++ b/test/units/testsuite-74.firstboot.sh +@@ -110,7 +110,7 @@ systemd-firstboot --root="$ROOT" \ + --locale=locale-overwrite \ + --locale-messages=messages-overwrite \ + --keymap=keymap-overwrite \ +- 
--timezone=CET \ ++ --timezone=Europe/Berlin \ + --hostname=hostname-overwrite \ + --machine-id=bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb \ + --root-password-hashed="$ROOT_HASHED_PASSWORD2" \ +@@ -131,7 +131,7 @@ systemd-firstboot --root="$ROOT" --force \ + --locale=locale-overwrite \ + --locale-messages=messages-overwrite \ + --keymap=keymap-overwrite \ +- --timezone=CET \ ++ --timezone=Europe/Berlin \ + --hostname=hostname-overwrite \ + --machine-id=bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb \ + --root-password-hashed="$ROOT_HASHED_PASSWORD2" \ +@@ -140,7 +140,7 @@ systemd-firstboot --root="$ROOT" --force \ + grep -q "LANG=locale-overwrite" "$ROOT$LOCALE_PATH" + grep -q "LC_MESSAGES=messages-overwrite" "$ROOT$LOCALE_PATH" + grep -q "KEYMAP=keymap-overwrite" "$ROOT/etc/vconsole.conf" +-readlink "$ROOT/etc/localtime" | grep -q "/CET$" ++readlink "$ROOT/etc/localtime" | grep -q "/Europe/Berlin$" + grep -q "hostname-overwrite" "$ROOT/etc/hostname" + grep -q "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb" "$ROOT/etc/machine-id" + grep -q "^root:x:0:0:.*:/bin/barshell$" "$ROOT/etc/passwd" +-- +2.33.0 + diff --git a/backport-test-Gracefully-handle-running-within-user-namespace.patch b/backport-test-Gracefully-handle-running-within-user-namespace.patch new file mode 100644 index 0000000..ae99288 --- /dev/null +++ b/backport-test-Gracefully-handle-running-within-user-namespace.patch 
@@ -0,0 +1,205 @@ +From 4d4513c1fed6140d2d5588fed5f0eddc935439f3 Mon Sep 17 00:00:00 2001 +From: Daan De Meyer +Date: Sun, 18 Aug 2024 13:20:14 +0200 +Subject: [PATCH 0856/1160] test: Gracefully handle running within user + namespace with single user + +Unprivileged users often make themselves root by unsharing a user namespace +and then mapping their current user to root which does not require privileges. +Let's make sure our tests don't fail in such an environment by adding checks +where required to see if we're not running in a user namespace with only a +single user. + +(cherry picked from commit ef31767ed7e21672a50b77e7b3935948aaba114c) +(cherry picked from commit ec5cdf9ba0e003de6f824a000c0bbe46fb4e0925) +--- + src/shared/tests.c | 15 +++++++++++++++ + src/shared/tests.h | 1 + + src/test/test-acl-util.c | 2 +- + src/test/test-capability.c | 7 +++++-- + src/test/test-chase.c | 4 ++-- + src/test/test-chown-rec.c | 4 ++-- + src/test/test-condition.c | 7 +++++++ + src/test/test-fs-util.c | 4 ++-- + src/test/test-rm-rf.c | 3 +++ + src/test/test-socket-util.c | 2 +- + 10 files changed, 39 insertions(+), 10 deletions(-) + +diff --git a/src/shared/tests.c b/src/shared/tests.c +index 3882a180c4..114d6933d2 100644 +--- a/src/shared/tests.c ++++ b/src/shared/tests.c +@@ -28,6 +28,7 @@ + #include "strv.h" + #include "tests.h" + #include "tmpfile-util.h" ++#include "uid-range.h" + + char* setup_fake_runtime_dir(void) { + char t[] = "/tmp/fake-xdg-runtime-XXXXXX", *p; +@@ -165,6 +166,20 @@ bool have_namespaces(void) { + assert_not_reached(); + } + ++bool userns_has_single_user(void) { ++ _cleanup_(uid_range_freep) UidRange *uidrange = NULL; ++ ++ /* Check if we're in a user namespace with only a single user mapped in. We special case this ++ * scenario in a few tests because it's the only kind of namespace that can be created unprivileged ++ * and as such happens more often than not, so we make sure to deal with it so that all tests pass ++ * in such environments. 
*/ ++ ++ if (uid_range_load_userns(&uidrange, NULL) < 0) ++ return false; ++ ++ return uidrange->n_entries == 1 && uidrange->entries[0].nr == 1; ++} ++ + bool can_memlock(void) { + /* Let's see if we can mlock() a larger blob of memory. BPF programs are charged against + * RLIMIT_MEMLOCK, hence let's first make sure we can lock memory at all, and skip the test if we +diff --git a/src/shared/tests.h b/src/shared/tests.h +index d76cf2edbe..7a43ed5a96 100644 +--- a/src/shared/tests.h ++++ b/src/shared/tests.h +@@ -49,6 +49,7 @@ void test_setup_logging(int level); + int write_tmpfile(char *pattern, const char *contents); + + bool have_namespaces(void); ++bool userns_has_single_user(void); + + /* We use the small but non-trivial limit here */ + #define CAN_MEMLOCK_SIZE (512 * 1024U) +diff --git a/src/test/test-acl-util.c b/src/test/test-acl-util.c +index eb9678a7d9..acd45a100b 100644 +--- a/src/test/test-acl-util.c ++++ b/src/test/test-acl-util.c +@@ -34,7 +34,7 @@ TEST_RET(add_acls_for_user) { + cmd = strjoina("getfacl -p ", fn); + assert_se(system(cmd) == 0); + +- if (getuid() == 0) { ++ if (getuid() == 0 && !userns_has_single_user()) { + const char *nobody = NOBODY_USER_NAME; + r = get_user_creds(&nobody, &uid, NULL, NULL, NULL, 0); + if (r < 0) +diff --git a/src/test/test-capability.c b/src/test/test-capability.c +index e8a0569737..5bb2234268 100644 +--- a/src/test/test-capability.c ++++ b/src/test/test-capability.c +@@ -318,10 +318,13 @@ int main(int argc, char *argv[]) { + + show_capabilities(); + +- test_drop_privileges(); ++ if (!userns_has_single_user()) ++ test_drop_privileges(); ++ + test_update_inherited_set(); + +- fork_test(test_have_effective_cap); ++ if (!userns_has_single_user()) ++ fork_test(test_have_effective_cap); + + if (run_ambient) + fork_test(test_apply_ambient_caps); +diff --git a/src/test/test-chase.c b/src/test/test-chase.c +index 59b51a3088..5964fde170 100644 +--- a/src/test/test-chase.c ++++ b/src/test/test-chase.c +@@ -183,7 +183,7 @@ 
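Review bot: A failure to read the uid map in userns_has_single_user() is swallowed: `uid_range_load_userns()` returning an error yields `false`, so every `!userns_has_single_user()` guard added in this commit falls through to the privileged path and the test then fails for a reason that never reaches the log. Capturing the return value and logging it before returning, `r = uid_range_load_userns(&uidrange, NULL); if (r < 0) { log_debug_errno(r, "Failed to load uid_map, assuming not a single-user namespace: %m"); return false; }`, keeps the same behaviour while making the fallback visible. Note also that the check only counts mapped IDs (`n_entries == 1 && entries[0].nr == 1`) and does not look at which UID is mapped or whether it is the one the test runs as; that appears to be the intent, but the header comment could say so in a sentence.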
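Review bot: The two new `if (!userns_has_single_user())` guards in test-capability.c skip test_drop_privileges() and the test_have_effective_cap fork silently, whereas the other files in this commit report the skip through log_tests_skipped(); a run inside an unprivileged user namespace therefore loses all coverage of privilege dropping with no trace in the log. An `else log_notice("Skipping privilege-drop tests: running in a user namespace with a single user");` on each branch, or one combined guard above both with the same message, would record that. main() starts and ends outside the hunk.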
TEST(chase) { + + /* Paths underneath the "root" with different UIDs while using CHASE_SAFE */ + +- if (geteuid() == 0) { ++ if (geteuid() == 0 && !userns_has_single_user()) { + p = strjoina(temp, "/user"); + assert_se(mkdir(p, 0755) >= 0); + assert_se(chown(p, UID_NOBODY, GID_NOBODY) >= 0); +@@ -313,7 +313,7 @@ TEST(chase) { + r = chase(p, NULL, 0, &result, NULL); + assert_se(r == -ENOENT); + +- if (geteuid() == 0) { ++ if (geteuid() == 0 && !userns_has_single_user()) { + p = strjoina(temp, "/priv1"); + assert_se(mkdir(p, 0755) >= 0); + +diff --git a/src/test/test-chown-rec.c b/src/test/test-chown-rec.c +index 5d83f5915a..7558de7138 100644 +--- a/src/test/test-chown-rec.c ++++ b/src/test/test-chown-rec.c +@@ -153,8 +153,8 @@ TEST(chown_recursive) { + } + + static int intro(void) { +- if (geteuid() != 0) +- return log_tests_skipped("not running as root"); ++ if (geteuid() != 0 || userns_has_single_user()) ++ return log_tests_skipped("not running as root or in userns with single user"); + + return EXIT_SUCCESS; + } +diff --git a/src/test/test-condition.c b/src/test/test-condition.c +index bb987613e1..f294be45c5 100644 +--- a/src/test/test-condition.c ++++ b/src/test/test-condition.c +@@ -1003,6 +1003,13 @@ TEST(condition_test_group) { + condition_free(condition); + free(gid); + ++ /* In an unprivileged user namespace with the current user mapped to root, all the auxiliary groups ++ * of the user will be mapped to the nobody group, which means the user in the user namespace is in ++ * both the root and the nobody group, meaning the next test can't work, so let's skip it in that ++ * case. */ ++ if (in_group(NOBODY_GROUP_NAME) && in_group("root")) ++ return (void) log_tests_skipped("user is in both root and nobody group"); ++ + groupname = (char*)(getegid() == 0 ? 
NOBODY_GROUP_NAME : "root"); + condition = condition_new(CONDITION_GROUP, groupname, false, false); + assert_se(condition); +diff --git a/src/test/test-fs-util.c b/src/test/test-fs-util.c +index b32feffd30..41c4a880af 100644 +--- a/src/test/test-fs-util.c ++++ b/src/test/test-fs-util.c +@@ -368,8 +368,8 @@ TEST(chmod_and_chown) { + struct stat st; + const char *p; + +- if (geteuid() != 0) +- return; ++ if (geteuid() != 0 || userns_has_single_user()) ++ return (void) log_tests_skipped("not running as root or in userns with single user"); + + BLOCK_WITH_UMASK(0000); + +diff --git a/src/test/test-rm-rf.c b/src/test/test-rm-rf.c +index 4c69bd28c9..e4a426324f 100644 +--- a/src/test/test-rm-rf.c ++++ b/src/test/test-rm-rf.c +@@ -89,6 +89,9 @@ static void test_rm_rf_chmod_inner(void) { + TEST(rm_rf_chmod) { + int r; + ++ if (getuid() == 0 && userns_has_single_user()) ++ return (void) log_tests_skipped("running as root or in userns with single user"); ++ + if (getuid() == 0) { + /* This test only works unpriv (as only then the access mask for the owning user matters), + * hence drop privs here */ +diff --git a/src/test/test-socket-util.c b/src/test/test-socket-util.c +index e9c776a8c5..6497775c4d 100644 +--- a/src/test/test-socket-util.c ++++ b/src/test/test-socket-util.c +@@ -170,7 +170,7 @@ TEST(getpeercred_getpeergroups) { + struct ucred ucred; + int pair[2]; + +- if (geteuid() == 0) { ++ if (geteuid() == 0 && !userns_has_single_user()) { + test_uid = 1; + test_gid = 2; + test_gids = (gid_t*) gids; +-- +2.33.0 + diff --git a/backport-test-add-a-brief-comment-for-the-chattr-check.patch b/backport-test-add-a-brief-comment-for-the-chattr-check.patch new file mode 100644 index 0000000..c765cff --- /dev/null +++ b/backport-test-add-a-brief-comment-for-the-chattr-check.patch 
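Review bot: The skip message in TEST(rm_rf_chmod) does not match its condition: the guard is `getuid() == 0 && userns_has_single_user()`, i.e. root *and* a single-user namespace, but it reports "running as root or in userns with single user", which reads as if plain root were also skipped, while the `if (getuid() == 0)` block right below shows that case drops privileges and continues. Suggest `return (void) log_tests_skipped("running as root in a user namespace with a single user, cannot drop privileges");`. The remainder of TEST(rm_rf_chmod) lies outside the hunk.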
@@ -0,0 +1,28 @@ +From 71ac20d663aee0d3e927df538f1d73f387e73189 Mon Sep 17 00:00:00 2001 +From: Frantisek Sumsal +Date: Tue, 21 May 2024 15:08:07 +0200 +Subject: [PATCH 0666/1160] test: add a brief comment for the chattr check + +Addresses: https://github.com/systemd/systemd/pull/32907#discussion_r1605919598 +(cherry picked from commit d3c14f78cd66a498c2ff8a836bfc4f6a110315fe) +--- + test/units/testsuite-13.machinectl.sh | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/test/units/testsuite-13.machinectl.sh b/test/units/testsuite-13.machinectl.sh +index 2cd55cfd75..04e6fdc67c 100755 +--- a/test/units/testsuite-13.machinectl.sh ++++ b/test/units/testsuite-13.machinectl.sh +@@ -129,6 +129,9 @@ machinectl show-image clone1 + machinectl rename clone1 clone2 + (! machinectl show-image clone1) + machinectl show-image clone2 ++# `machinectl read-only` uses chattr (ioctl(FS_IOC_SETFLAGS)) when the container is backed by a directory, ++# and this operation might not be implemented on certain filesystems (i.e. tmpfs on older kernels), so check ++# if we have chattr support before running following tests + if lsattr -d /var/lib/machines >/dev/null; then + [[ "$(machinectl show-image --property=ReadOnly --value clone2)" == no ]] + machinectl read-only clone2 yes +-- +2.33.0 + diff --git a/backport-test-add-a-reproducer-for-33672.patch b/backport-test-add-a-reproducer-for-33672.patch new file mode 100644 index 0000000..a00bbce --- /dev/null +++ b/backport-test-add-a-reproducer-for-33672.patch 
@@ -0,0 +1,62 @@ +From 971345aa4e0f4050dac0cade09abaa9c1fbc7050 Mon Sep 17 00:00:00 2001 +From: David Tardon +Date: Fri, 12 Jul 2024 14:38:08 +0200 +Subject: [PATCH 0789/1160] test: add a reproducer for #33672 + +(cherry picked from commit 8b6de9e6381b39f59c936d2b0c6ce47f1b70a19e) +(cherry picked from commit f81659f5f37eec39182e98ae02608c28de0ed292) +--- + test/units/TEST-07-PID1.issue-33672.sh | 41 ++++++++++++++++++++++++++ + 1 file changed, 41 insertions(+) + create mode 100755 test/units/TEST-07-PID1.issue-33672.sh + +diff --git a/test/units/TEST-07-PID1.issue-33672.sh b/test/units/TEST-07-PID1.issue-33672.sh +new file mode 100755 +index 0000000000..ab388e32b1 +--- /dev/null ++++ b/test/units/TEST-07-PID1.issue-33672.sh +@@ -0,0 +1,41 @@ ++#!/usr/bin/env bash ++# SPDX-License-Identifier: LGPL-2.1-or-later ++# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*- ++# ex: ts=8 sw=4 sts=4 et filetype=sh ++ ++set -eux ++set -o pipefail ++ ++# shellcheck source=test/units/util.sh ++. 
"$(dirname "$0")"/util.sh ++ ++# systemctl status always shows daemon-reload warning for a masked service with drop-ins ++# Issue: https://github.com/systemd/systemd/issues/33672 ++ ++UNIT=test-23-NeedDaemonReload.service ++ ++cleanup() { ++ rm -rf /run/systemd/system/"$UNIT" /run/systemd/system/"$UNIT".d ++ systemctl daemon-reload ++} ++ ++trap cleanup EXIT ++ ++cat > /run/systemd/system/"$UNIT" < /run/systemd/system/"$UNIT".d/desc.conf < +Date: Fri, 16 Feb 2024 16:22:05 +0100 +Subject: [PATCH 0251/1160] test: add a test for #31384 + +(cherry picked from commit dfdcc7c987bf9d66ecdb7e4a88e8abdb342df299) +--- + test/test-functions | 1 + + test/units/testsuite-23.utmp.sh | 22 ++++++++++++++++++++++ + 2 files changed, 23 insertions(+) + create mode 100755 test/units/testsuite-23.utmp.sh + +diff --git a/test/test-functions b/test/test-functions +index 948a00bc21..22c393664f 100644 +--- a/test/test-functions ++++ b/test/test-functions +@@ -255,6 +255,7 @@ BASICTOOLS=( + useradd + userdel + wc ++ whoami + xargs + xzcat + ) +diff --git a/test/units/testsuite-23.utmp.sh b/test/units/testsuite-23.utmp.sh +new file mode 100755 +index 0000000000..4f8431569e +--- /dev/null ++++ b/test/units/testsuite-23.utmp.sh +@@ -0,0 +1,22 @@ ++#!/usr/bin/env bash ++# SPDX-License-Identifier: LGPL-2.1-or-later ++# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*- ++# ex: ts=8 sw=4 sts=4 et filetype=sh ++ ++set -eux ++set -o pipefail ++ ++# shellcheck source=test/units/util.sh ++. "$(dirname "$0")"/util.sh ++ ++USER="test-23-utmp" ++ ++cleanup() { ++ userdel "$USER" ++} ++ ++trap cleanup EXIT ++useradd "$USER" ++ ++assert_eq "$(systemd-run -qP -p UtmpIdentifier=test -p UtmpMode=user -p User=$USER whoami)" "$USER" ++assert_eq "$(systemd-run -qP -p UtmpIdentifier=test -p UtmpMode=user whoami)" "$(whoami)" +-- +2.33.0 + 
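Review bot: The new testsuite-23.utmp.sh is not re-runnable: `useradd "$USER"` aborts under `set -e` if the account survived an earlier interrupted run, and that happens before the EXIT trap could have removed it, so the script fails until someone deletes the user by hand. A `userdel "$USER" 2>/dev/null || :` ahead of the `useradd`, or `useradd ... || :` with the trap doing the real cleanup, fixes that. Separately, reusing the conventional login variable name `USER` for the throw-away account is confusing; `whoami` consults getuid() rather than the environment, so the assertions are unaffected, but naming it `TEST_USER` and quoting `-p User="$TEST_USER"` reads more clearly.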
diff --git a/backport-test-add-basic-coverity-tests-for-bootctl.patch b/backport-test-add-basic-coverity-tests-for-bootctl.patch new file mode 100644 index 0000000..5679421 --- /dev/null +++ b/backport-test-add-basic-coverity-tests-for-bootctl.patch 
@@ -0,0 +1,299 @@ +From 87282a337d1ba7dc7d755f53b46c64b43718dcf7 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Tue, 5 Dec 2023 23:18:17 +0900 +Subject: [PATCH 0184/1160] test: add basic coverity tests for bootctl + +(cherry picked from commit ee07fff03b8a87346fc001b16fd366b84d47ba02) +--- + test/TEST-74-AUX-UTILS/test.sh | 6 + + test/units/testsuite-74.bootctl.sh | 261 +++++++++++++++++++++++++++++ + 2 files changed, 267 insertions(+) + create mode 100755 test/units/testsuite-74.bootctl.sh + +diff --git a/test/TEST-74-AUX-UTILS/test.sh b/test/TEST-74-AUX-UTILS/test.sh +index 198c609822..e3eb62f198 100755 +--- a/test/TEST-74-AUX-UTILS/test.sh ++++ b/test/TEST-74-AUX-UTILS/test.sh +@@ -19,6 +19,12 @@ test_append_files() { + # the QEMU test, as nspawn refuses the invalid machine ID with -EUCLEAN + printf "556f48e837bc4424a710fa2e2c9d3e3c\ne3d\n" >"$workspace/etc/machine-id" + fi ++ ++ if host_has_btrfs && host_has_mdadm; then ++ install_btrfs ++ install_mdadm ++ generate_module_dependencies ++ fi + } + + do_test "$@" +diff --git a/test/units/testsuite-74.bootctl.sh b/test/units/testsuite-74.bootctl.sh +new file mode 100755 +index 0000000000..61373b506e +--- /dev/null ++++ b/test/units/testsuite-74.bootctl.sh +@@ -0,0 +1,261 @@ ++#!/usr/bin/env bash ++# SPDX-License-Identifier: LGPL-2.1-or-later ++set -eux ++set -o pipefail ++ ++if systemd-detect-virt --quiet --container; then ++ echo "running on container, skipping." ++ exit 0 ++fi ++ ++if ! command -v bootctl >/dev/null; then ++ echo "bootctl not found, skipping." ++ exit 0 ++fi ++ ++# shellcheck source=test/units/util.sh ++. "$(dirname "$0")"/util.sh ++ ++# shellcheck source=test/units/test-control.sh ++. 
"$(dirname "$0")"/test-control.sh ++ ++basic_tests() { ++ bootctl "$@" --help ++ bootctl "$@" --version ++ ++ bootctl "$@" install --make-entry-directory=yes ++ bootctl "$@" remove --make-entry-directory=yes ++ ++ bootctl "$@" install --all-architectures ++ bootctl "$@" remove --all-architectures ++ ++ bootctl "$@" install --make-entry-directory=yes --all-architectures ++ bootctl "$@" remove --make-entry-directory=yes --all-architectures ++ ++ bootctl "$@" install ++ (! bootctl "$@" update) ++ bootctl "$@" update --graceful ++ ++ bootctl "$@" is-installed ++ bootctl "$@" is-installed --graceful ++ bootctl "$@" random-seed ++ ++ bootctl "$@" ++ bootctl "$@" status ++ bootctl "$@" status --quiet ++ bootctl "$@" list ++ bootctl "$@" list --quiet ++ bootctl "$@" list --json=short ++ bootctl "$@" list --json=pretty ++ ++ bootctl "$@" remove ++ (! bootctl "$@" is-installed) ++ (! bootctl "$@" is-installed --graceful) ++} ++ ++testcase_bootctl_basic() { ++ assert_eq "$(bootctl --print-esp-path)" "/efi" ++ assert_eq "$(bootctl --print-boot-path)" "/boot" ++ bootctl --print-root-device ++ ++ basic_tests ++} ++ ++cleanup_image() ( ++ set +e ++ ++ if [[ -z "${IMAGE_DIR:-}" ]]; then ++ return 0 ++ fi ++ ++ umount "${IMAGE_DIR}/root" ++ ++ if [[ -n "${LOOPDEV:-}" ]]; then ++ losetup -d "${LOOPDEV}" ++ unset LOOPDEV ++ fi ++ ++ udevadm settle ++ ++ rm -rf "${IMAGE_DIR}" ++ unset IMAGE_DIR ++ ++ return 0 ++) ++ ++testcase_bootctl_image() { ++ IMAGE_DIR="$(mktemp --directory /tmp/test-bootctl.XXXXXXXXXX)" ++ trap cleanup_image RETURN ++ ++ truncate -s 256m "${IMAGE_DIR}/image" ++ ++ cat >"${IMAGE_DIR}/partscript" </dev/null; then ++ echo "mdadm not found, skipping." ++ return 0 ++ fi ++ ++ if ! command -v mkfs.btrfs >/dev/null; then ++ echo "mkfs.btrfs not found, skipping." 
++ return 0 ++ fi ++ ++ IMAGE_DIR="$(mktemp --directory /tmp/test-bootctl.XXXXXXXXXX)" ++ trap cleanup_raid RETURN ++ ++ truncate -s 256m "${IMAGE_DIR}/image1" ++ truncate -s 256m "${IMAGE_DIR}/image2" ++ ++ cat >"${IMAGE_DIR}/partscript" < +Date: Fri, 10 May 2024 12:17:10 +0900 +Subject: [PATCH 0619/1160] test: add basic tests for + in_addr_prefix_covers_full() + +(cherry picked from commit 4591efffc05529e1c6d51468954fda98d0cd5cba) +--- + src/test/test-in-addr-util.c | 51 ++++++++++++++++++++++++++++++++++++ + 1 file changed, 51 insertions(+) + +diff --git a/src/test/test-in-addr-util.c b/src/test/test-in-addr-util.c +index 93ab1c5d48..3f759c284a 100644 +--- a/src/test/test-in-addr-util.c ++++ b/src/test/test-in-addr-util.c +@@ -405,4 +405,55 @@ TEST(in_addr_prefixlen_to_netmask) { + } + } + ++static void in_addr_prefix_covers_full_one(const char *prefix, const char *address, int expected) { ++ union in_addr_union p, a; ++ unsigned char plen, alen; ++ int family, r; ++ ++ assert_se(in_addr_prefix_from_string_auto(prefix, &family, &p, &plen) >= 0); ++ assert_se(in_addr_prefix_from_string(address, family, &a, &alen) >= 0); ++ r = in_addr_prefix_covers_full(family, &p, plen, &a, alen); ++ if (r != expected) ++ log_error("in_addr_prefix_covers_full(%s, %s)=%i (expected=%i)", prefix, address, r, expected); ++ assert_se(r == expected); ++} ++ ++TEST(in_addr_prefix_covers_full) { ++ /* From issue #32715. 
*/ ++ in_addr_prefix_covers_full_one("192.168.235.129/32", "192.168.0.128/32", 0); ++ in_addr_prefix_covers_full_one("192.168.235.130/32", "192.168.0.128/32", 0); ++ in_addr_prefix_covers_full_one("169.254.0.0/17", "192.168.0.128/32", 0); ++ in_addr_prefix_covers_full_one("169.254.128.0/17", "192.168.0.128/32", 0); ++ in_addr_prefix_covers_full_one("0.0.0.0/1", "192.168.0.128/32", 0); ++ in_addr_prefix_covers_full_one("128.0.0.0/1", "192.168.0.128/32", 1); ++ in_addr_prefix_covers_full_one("0.0.0.0/0", "192.168.0.128/32", 1); ++ ++ for (unsigned i = 0; i <= 32; i++) { ++ _cleanup_free_ char *prefix = NULL; ++ ++ assert_se(asprintf(&prefix, "192.168.0.128/%u", i) >= 0); ++ ++ for (unsigned j = 0; j <= 32; j++) { ++ _cleanup_free_ char *address = NULL; ++ ++ assert_se(asprintf(&address, "192.168.0.128/%u", j) >= 0); ++ in_addr_prefix_covers_full_one(prefix, address, i <= j); ++ } ++ } ++ ++ for (unsigned i = 0; i <= 32; i++) { ++ _cleanup_free_ char *prefix = NULL; ++ ++ assert_se(asprintf(&prefix, "192.168.235.129/%u", i) >= 0); ++ in_addr_prefix_covers_full_one(prefix, "192.168.0.128/32", i <= 16); ++ } ++ ++ for (unsigned i = 0; i <= 128; i++) { ++ _cleanup_free_ char *prefix = NULL; ++ ++ assert_se(asprintf(&prefix, "dead:beef::/%u", i) >= 0); ++ in_addr_prefix_covers_full_one(prefix, "dead:0:beef::1/128", i <= 16); ++ } ++} ++ + DEFINE_TEST_MAIN(LOG_DEBUG); +-- +2.33.0 + diff --git a/backport-test-add-coverate-for-Compress-yes-config-option.patch b/backport-test-add-coverate-for-Compress-yes-config-option.patch new file mode 100644 index 0000000..544d3f6 --- /dev/null +++ b/backport-test-add-coverate-for-Compress-yes-config-option.patch 
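Review bot: The IPv6 loop in TEST(in_addr_prefix_covers_full) only checks a /128 address against prefixes of varying length, so unlike the IPv4 double loop it never exercises the case where the address is wider than the prefix (alen < plen), which the `i <= j` expectation in the IPv4 loop shows must return 0. Two explicit cases mirroring that, `in_addr_prefix_covers_full_one("dead:beef::/64", "dead:beef::/48", 0);` and `in_addr_prefix_covers_full_one("dead:beef::/48", "dead:beef::/64", 1);`, would pin that behaviour for AF_INET6 as well.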
@@ -0,0 +1,42 @@ +From 3cb3153013f62d3c896e8af2169be820b698a24d Mon Sep 17 00:00:00 2001 +From: Luca Boccassi +Date: Thu, 16 May 2024 11:03:42 +0100 +Subject: [PATCH 0637/1160] test: add coverate for Compress=yes config option + +Avoid regressions like https://github.com/systemd/systemd/issues/32856 + +Follow-up for 2ef7cdc4255883d1c50860661248c9db69a86aa1 + +(cherry picked from commit 88e791171aaaa2484c0482a1e7c06ae8fd90e52a) +--- + test/units/testsuite-04.SYSTEMD_JOURNAL_COMPRESS.sh | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/test/units/testsuite-04.SYSTEMD_JOURNAL_COMPRESS.sh b/test/units/testsuite-04.SYSTEMD_JOURNAL_COMPRESS.sh +index 96d096d9ad..6da9f5e420 100755 +--- a/test/units/testsuite-04.SYSTEMD_JOURNAL_COMPRESS.sh ++++ b/test/units/testsuite-04.SYSTEMD_JOURNAL_COMPRESS.sh +@@ -7,6 +7,12 @@ set -o pipefail + mkdir /run/systemd/system/systemd-journald.service.d + MACHINE_ID="$(/run/systemd/journald.conf.d/compress.conf ++[Journal] ++Compress=yes ++EOF ++ + # Reset the start-limit counters, as we're going to restart journald a couple of times + systemctl reset-failed systemd-journald.service + +@@ -35,6 +41,7 @@ EOF + fi + done + ++rm /run/systemd/journald.conf.d/compress.conf + rm /run/systemd/system/systemd-journald.service.d/compress.conf + systemctl daemon-reload + systemctl restart systemd-journald.service +-- +2.33.0 + diff --git a/backport-test-add-missing-operators.patch b/backport-test-add-missing-operators.patch new file mode 100644 index 0000000..930756c --- /dev/null +++ b/backport-test-add-missing-operators.patch 
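Review bot: The removal of the new `/run/systemd/journald.conf.d/compress.conf` at the end of the script is only reached on success; with `set -e` any failed check above leaves `Compress=yes` in place for every later journald test in this suite, which then runs against a non-default configuration. The pre-existing service drop-in has the same weakness, so both removals plus the `daemon-reload` and `restart` are better placed in a single EXIT trap, e.g. `trap 'rm -f /run/systemd/journald.conf.d/compress.conf /run/systemd/system/systemd-journald.service.d/compress.conf; systemctl daemon-reload; systemctl restart systemd-journald.service' EXIT`. I also cannot see a `mkdir -p /run/systemd/journald.conf.d` in the first hunk as shown here (the service drop-in directory above does get one); if it is not there, the redirect fails on a fresh image, so please confirm.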
@@ -0,0 +1,53 @@ +From 26700a4a83bd2f37d560866be9d1d7ebf2131b18 Mon Sep 17 00:00:00 2001 +From: Frantisek Sumsal +Date: Mon, 18 Dec 2023 18:02:41 +0100 +Subject: [PATCH 0084/1160] test: add missing operators + +Without them only the last expression's return value is honored, causing +unexpected CI fails: + +[ 26.006721] testsuite-04.sh[1191]: + for _ in {0..9} +[ 26.007672] testsuite-04.sh[1191]: + setterm --term linux --dump --file /tmp/console.dump +[ 26.008871] testsuite-04.sh[1233]: + SYSTEMD_COLORS=256 +[ 26.009606] testsuite-04.sh[1233]: + /usr/lib/systemd/systemd-bsod +[ 26.063296] systemd[1]: session-1.scope: Deactivated successfully. +[ 26.124789] testsuite-04.sh[1191]: + grep -aq 'Press any key to exit' /tmp/console.dump +[ 26.131509] testsuite-04.sh[1191]: + grep -aq 'Root emergency message' /tmp/console.dump +[ 26.137882] testsuite-04.sh[1191]: + grep -aq 'The current boot has failed' /tmp/console.dump +[ 26.141650] testsuite-04.sh[1191]: + return 0 +[ 26.144816] testsuite-04.sh[1191]: + grep -aq 'Scan the QR code' /tmp/console.dump +[ 26.153591] testsuite-04.sh[1191]: + at_exit +[ 26.154744] testsuite-04.sh[1191]: + local EC=1 +[ 26.155697] testsuite-04.sh[1191]: + [[ 1 -ne 0 ]] +[ 26.156787] testsuite-04.sh[1191]: + [[ -e /tmp/console.dump ]] +[ 26.157799] testsuite-04.sh[1191]: + cat /tmp/console.dump +[ 26.158858] testsuite-04.sh[1244]: The current boot has failed! +[ 26.159858] testsuite-04.sh[1244]: Root emergency message + +I'm genuinely impressed that this worked at all. 
+
+(cherry picked from commit 32c376a46cac5edf937c4b6e52ef8711f2034952)
+---
+ test/units/testsuite-04.bsod.sh | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/test/units/testsuite-04.bsod.sh b/test/units/testsuite-04.bsod.sh
+index 1de446bc12..1d4ad7ec6a 100755
+--- a/test/units/testsuite-04.bsod.sh
++++ b/test/units/testsuite-04.bsod.sh
+@@ -35,9 +35,9 @@ vcs_dump_and_check() {
+ # so try it a couple of times
+ for _ in {0..9}; do
+ setterm --term linux --dump --file /tmp/console.dump
+- if grep -aq "Press any key to exit" /tmp/console.dump
+- grep -aq "$expected_message" /tmp/console.dump
+- grep -aq "The current boot has failed" /tmp/console.dump; then
++ if grep -aq "Press any key to exit" /tmp/console.dump &&
++ grep -aq "$expected_message" /tmp/console.dump &&
++ grep -aq "The current boot has failed" /tmp/console.dump; then
+
+ return 0
+ fi
+--
+2.33.0
+
diff --git a/backport-test-add-simple-coverage-tests-for-udevadm-lock.patch b/backport-test-add-simple-coverage-tests-for-udevadm-lock.patch
new file mode 100644
index 0000000..43ba587
--- /dev/null
+++ b/backport-test-add-simple-coverage-tests-for-udevadm-lock.patch
@@ -0,0 +1,35 @@
+From 876ad845395b27b9162305efcd1f6ab0673d96cc Mon Sep 17 00:00:00 2001
+From: Yu Watanabe
+Date: Sat, 30 Dec 2023 02:51:50 +0900
+Subject: [PATCH 0103/1160] test: add simple coverage tests for 'udevadm lock'
+
+(cherry picked from commit 13a30c6dc45415b35a8b7d0719197a9b859c3de1)
+---
+ test/units/testsuite-17.10.sh | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/test/units/testsuite-17.10.sh b/test/units/testsuite-17.10.sh
+index 20f120a930..f229dcf25f 100755
+--- a/test/units/testsuite-17.10.sh
++++ b/test/units/testsuite-17.10.sh
+@@ -238,4 +238,17 @@ assert_rc 124 timeout 5 udevadm wait --removed /sys/class/net/$netdev
+ udevadm wait --settle /sys/class/net/$netdev
+ udevadm wait -h
+
++udevadm lock --help
++udevadm lock --version
++for i in /dev/block/*; do
++ udevadm lock --device "$i" --print
++ udevadm lock --device "$i" true
++ (! udevadm lock --device "$i" false)
++done
++for i in / /usr; do
++ udevadm lock --backing "$i" --print
++ udevadm lock --backing "$i" true
++ (! udevadm lock --backing "$i" false)
++done
++
+ exit 0
+--
+2.33.0
+
diff --git a/backport-test-add-test-case-for-issue-31776.patch b/backport-test-add-test-case-for-issue-31776.patch
new file mode 100644
index 0000000..3c1d6cc
--- /dev/null
+++ b/backport-test-add-test-case-for-issue-31776.patch
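Review bot: `for i in /dev/block/*` in testsuite-17.10.sh runs with the shell's default globbing, so on a system with no block devices the literal string `/dev/block/*` is handed to `udevadm lock --device`, which fails and aborts the whole test under `set -e` instead of skipping the loop. A `shopt -s nullglob` before the loop, or `[[ -e "$i" ]] || continue` as the first statement of the body, makes it a no-op in that case. Taking the lock on every block device of the host, root disk included, is harmless with `true` as the command, but since no `--timeout` is given the call presumably waits for a device that another process currently holds, so a concurrent udev job would stall this test rather than fail it; `--timeout=` with an explicit value would make that visible.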
@@ -0,0 +1,29 @@
+From ea53a2154e222799f7ee2a47bd7fc6045c891c12 Mon Sep 17 00:00:00 2001
+From: Yu Watanabe
+Date: Wed, 20 Mar 2024 06:22:17 +0900
+Subject: [PATCH 0465/1160] test: add test case for issue #31776
+
+(cherry picked from commit bf995423fd6a1614916036d678b2c49385712cb7)
+---
+ test/units/testsuite-04.journal.sh | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/test/units/testsuite-04.journal.sh b/test/units/testsuite-04.journal.sh
+index ca23b6b739..3b72aa4520 100755
+--- a/test/units/testsuite-04.journal.sh
++++ b/test/units/testsuite-04.journal.sh
+@@ -269,3 +269,11 @@ hello
+ world
+ EOF
+ rm -f "$CURSOR_FILE"
++
++# Check that --until works with --after-cursor and --lines/-n
++# See: https://github.com/systemd/systemd/issues/31776
++CURSOR_FILE="$(mktemp)"
++journalctl -q -n 0 --cursor-file="$CURSOR_FILE"
++TIMESTAMP="$(journalctl -q -n 1 --cursor="$(<"$CURSOR_FILE")" --output=short-unix | cut -d ' ' -f 1 | cut -d '.' -f 1)"
++[[ -z "$(journalctl -q -n 10 --after-cursor="$(<"$CURSOR_FILE")" --until "@$((TIMESTAMP - 3))")" ]]
++rm -f "$CURSOR_FILE"
+--
+2.33.0
+
diff --git a/backport-test-add-test-case-for-issue-34637.patch b/backport-test-add-test-case-for-issue-34637.patch
new file mode 100644
index 0000000..591e803
--- /dev/null
+++ b/backport-test-add-test-case-for-issue-34637.patch
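Review bot: The new check passes vacuously if the timestamp extraction yields nothing: with `TIMESTAMP` empty, `$((TIMESTAMP - 3))` evaluates to `-3` rather than failing, `--until @-3` selects nothing, and `[[ -z ... ]]` succeeds without exercising the #31776 scenario at all. Adding `[[ "$TIMESTAMP" =~ ^[0-9]+$ ]]` right after the assignment turns that into a hard failure and also documents the dependence on `--output=short-unix` printing the epoch as the first field, which the two `cut` calls silently assume.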
@@ -0,0 +1,78 @@ +From d0569c4405841779a89c3bc9594de99ae5ebe3f8 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Sun, 6 Oct 2024 15:39:36 +0900 +Subject: [PATCH 0911/1160] test: add test case for issue #34637 + +(cherry picked from commit 88d186e4829bc7ef4a4253fe2bf4857903bca830) +(cherry picked from commit 7b9e412d8aba8f415f35d02da5e5fa5bd92632cc) +--- + test/units/testsuite-17.14.sh | 57 +++++++++++++++++++++++++++++++++++ + 1 file changed, 57 insertions(+) + create mode 100755 test/units/testsuite-17.14.sh + +diff --git a/test/units/testsuite-17.14.sh b/test/units/testsuite-17.14.sh +new file mode 100755 +index 0000000000..0cb717fbd0 +--- /dev/null ++++ b/test/units/testsuite-17.14.sh +@@ -0,0 +1,57 @@ ++#!/usr/bin/env bash ++# SPDX-License-Identifier: LGPL-2.1-or-later ++# shellcheck disable=SC2010 ++# shellcheck disable=SC2317 ++set -ex ++set -o pipefail ++ ++# shellcheck source=test/units/util.sh ++. "$(dirname "$0")"/util.sh ++ ++# This is a test case for issue #34637. ++ ++at_exit() ( ++ set +e ++ ++ systemctl stop test-diskseq.service || : ++ rm -f /run/systemd/system/test-diskseq.service ++ systemctl daemon-reload ++ ++ [[ -d "$TMPDIR" ]] && rm -rf "$TMPDIR" ++ ++ udevadm control --log-level=info ++) ++ ++trap at_exit EXIT ++ ++udevadm control --log-level=debug ++ ++TMPDIR="$(mktemp -d)" ++truncate -s 16M "$TMPDIR"/foo.raw ++mkfs.ext4 -L foo "$TMPDIR"/foo.raw ++ ++mkdir -p /run/systemd/system/ ++cat >/run/systemd/system/test-diskseq.service < +Date: Thu, 5 Sep 2024 17:58:29 +0900 +Subject: [PATCH 0868/1160] test: add test case for systemd-repart + --seed=random + +For issue #34257. 
+ +(cherry picked from commit 56d6ebd40468e2a743b39ad7d87b0675bdf9a042) +(cherry picked from commit 69282da9aab90c2dc1e440b04af5b2163779515a) +--- + test/units/testsuite-58.sh | 43 ++++++++++++++++++++++++++++++++++++++ + 1 file changed, 43 insertions(+) + +diff --git a/test/units/testsuite-58.sh b/test/units/testsuite-58.sh +index 2ceb4cd034..1e6fe57b2d 100755 +--- a/test/units/testsuite-58.sh ++++ b/test/units/testsuite-58.sh +@@ -1288,6 +1288,49 @@ testcase_dropped_partitions() { + [[ "$(sfdisk -q -l "$image" | grep -c "$image")" -eq 2 ]] + } + ++testcase_random_seed() { ++ local defs imgs output ++ ++ # For issue #34257 ++ ++ defs="$(mktemp --directory "/tmp/test-repart.defs.XXXXXXXXXX")" ++ imgs="$(mktemp --directory "/var/tmp/test-repart.imgs.XXXXXXXXXX")" ++ # shellcheck disable=SC2064 ++ trap "rm -rf '$defs' '$imgs'" RETURN ++ chmod 0755 "$defs" ++ ++ tee "$defs/root.conf" < +Date: Fri, 8 Dec 2023 10:41:49 +0900 +Subject: [PATCH 0044/1160] test: add test cases for issue #30357 + +(cherry picked from commit 9d51ab78300364c71a0e1f138e1d2cbc65771b93) +--- + test/units/testsuite-65.sh | 38 ++++++++++++++++++++++++++++++++++++++ + 1 file changed, 38 insertions(+) + +diff --git a/test/units/testsuite-65.sh b/test/units/testsuite-65.sh +index ae8cd98a4e..a6bb38dd10 100755 +--- a/test/units/testsuite-65.sh ++++ b/test/units/testsuite-65.sh +@@ -296,6 +296,44 @@ EOF + # Verifies that the --offline= option works with --root= + systemd-analyze security --threshold=90 --offline=true --root=/tmp/img/ testfile.service + ++cat </tmp/foo@.service ++[Service] ++ExecStart=ls ++EOF ++ ++cat </tmp/hoge@test.service ++[Service] ++ExecStart=ls ++EOF ++ ++# issue #30357 ++pushd /tmp ++systemd-analyze verify foo@bar.service ++systemd-analyze verify foo@.service ++systemd-analyze verify hoge@test.service ++(! systemd-analyze verify hoge@nonexist.service) ++(! 
systemd-analyze verify hoge@.service) ++popd ++pushd / ++systemd-analyze verify tmp/foo@bar.service ++systemd-analyze verify tmp/foo@.service ++systemd-analyze verify tmp/hoge@test.service ++(! systemd-analyze verify tmp/hoge@nonexist.service) ++(! systemd-analyze verify tmp/hoge@.service) ++popd ++pushd /usr ++systemd-analyze verify ../tmp/foo@bar.service ++systemd-analyze verify ../tmp/foo@.service ++systemd-analyze verify ../tmp/hoge@test.service ++(! systemd-analyze verify ../tmp/hoge@nonexist.service) ++(! systemd-analyze verify ../tmp/hoge@.service) ++popd ++systemd-analyze verify /tmp/foo@bar.service ++systemd-analyze verify /tmp/foo@.service ++systemd-analyze verify /tmp/hoge@test.service ++(! systemd-analyze verify /tmp/hoge@nonexist.service) ++(! systemd-analyze verify /tmp/hoge@.service) ++ + # Added an additional "INVALID_ID" id to the .json to verify that nothing breaks when input is malformed + # The PrivateNetwork id description and weight was changed to verify that 'security' is actually reading in + # values from the .json file when required. The default weight for "PrivateNetwork" is 2500, and the new weight +-- +2.33.0 + diff --git a/backport-test-add-test-cases-for-journal-corruption-on-btrfs.patch b/backport-test-add-test-cases-for-journal-corruption-on-btrfs.patch new file mode 100644 index 0000000..355e0ab --- /dev/null +++ b/backport-test-add-test-cases-for-journal-corruption-on-btrfs.patch 
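Review bot: The unit files written for the #30357 cases, `/tmp/foo@.service` and `/tmp/hoge@test.service`, are created under fixed names in the shared `/tmp` and never removed, so they persist for the rest of testsuite-65.sh (which runs `systemd-analyze verify` against other paths below) and across re-runs of the test. Writing them into a `mktemp -d` directory, or at least appending `rm -f /tmp/foo@.service /tmp/hoge@test.service` after the last `systemd-analyze verify /tmp/hoge@.service` check, keeps the block self-contained. Cosmetically, `pushd ... >/dev/null` and `popd >/dev/null` would keep the `set -x` trace readable.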
@@ -0,0 +1,73 @@ +From d1a7ffc8b192c1378d07d5ae17eca739fd4ddfc6 Mon Sep 17 00:00:00 2001 +From: Frantisek Sumsal +Date: Sat, 10 Feb 2024 16:24:10 +0900 +Subject: [PATCH 0560/1160] test: add test cases for journal corruption on + btrfs + +For issue #24150 and #31222. + +(cherry picked from commit 8cc42169f1f945d286ea334c55e7013d585947d8) +--- + test/test-functions | 2 +- + test/units/testsuite-04.journal-corrupt.sh | 36 ++++++++++++++++++++++ + 2 files changed, 37 insertions(+), 1 deletion(-) + create mode 100755 test/units/testsuite-04.journal-corrupt.sh + +diff --git a/test/test-functions b/test/test-functions +index 9d73c6d21e..f7376bf33c 100644 +--- a/test/test-functions ++++ b/test/test-functions +@@ -2103,7 +2103,7 @@ install_testuser() { + # create unprivileged user for user manager tests + mkdir -p "${initdir:?}/etc/sysusers.d" + cat >"$initdir/etc/sysusers.d/testuser.conf" < +Date: Tue, 8 Oct 2024 13:52:40 +0900 +Subject: [PATCH 0931/1160] test: add test cases for timestamp with time zone + +(cherry picked from commit 25999f868fe0e9684af7a364224ac42071b70f74) +(cherry picked from commit b64601d4545eced99690f99eb5e8b0bb0f1cebff) +--- + test/units/testsuite-65.sh | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/test/units/testsuite-65.sh b/test/units/testsuite-65.sh +index a6bb38dd10..3b493a96ef 100755 +--- a/test/units/testsuite-65.sh ++++ b/test/units/testsuite-65.sh +@@ -148,6 +148,13 @@ systemd-analyze calendar --base-time=yesterday --iterations=5 '*-* *:*:*' + systemd-analyze timestamp now + systemd-analyze timestamp -- -1 + systemd-analyze timestamp yesterday now tomorrow ++systemd-analyze timestamp 'Fri 2012-11-23 23:02:15' ++systemd-analyze timestamp 'Fri 2012-11-23 23:02:15 UTC' ++systemd-analyze timestamp 'Fri 2012-11-23 23:02:15 CET' ++for i in $(timedatectl list-timezones); do ++ [[ -e "/usr/share/zoneinfo/$i" ]] || continue ++ systemd-analyze timestamp "Fri 2012-11-23 23:02:15 $i" ++done + (! 
systemd-analyze timestamp yesterday never tomorrow)
+ (! systemd-analyze timestamp 1)
+ (! systemd-analyze timestamp '*-2-29 0:0:0')
+--
+2.33.0
+
diff --git a/backport-test-add-tests-for-seccomp_suppress_sync.patch b/backport-test-add-tests-for-seccomp_suppress_sync.patch
new file mode 100644
index 0000000..3ee4349
--- /dev/null
+++ b/backport-test-add-tests-for-seccomp_suppress_sync.patch
@@ -0,0 +1,82 @@
+From 299c64d8c23f5f8e4491526e9fb2d7e48b1e45af Mon Sep 17 00:00:00 2001
+From: Yu Watanabe
+Date: Thu, 19 Sep 2024 01:53:19 +0900
+Subject: [PATCH 0876/1160] test: add tests for seccomp_suppress_sync()
+
+(cherry picked from commit c07e10628b6add9ee9664956a28d3f727c9848f8)
+(cherry picked from commit 308c93c51f85f1b6a5e6a3def951fa8e5643048d)
+---
+ src/test/test-seccomp.c | 52 +++++++++++++++++++++++++++++
+ 1 file changed, 52 insertions(+)
+
+diff --git a/src/test/test-seccomp.c b/src/test/test-seccomp.c
+index 279a155cb0..c48265351f 100644
+--- a/src/test/test-seccomp.c
++++ b/src/test/test-seccomp.c
+@@ -18,6 +18,7 @@
+ #include "capability-util.h"
+ #include "fd-util.h"
+ #include "fileio.h"
++#include "fs-util.h"
+ #include "macro.h"
+ #include "memory-util.h"
+ #include "missing_sched.h"
+@@ -1231,4 +1232,55 @@ TEST(restrict_suid_sgid) {
+ assert_se(wait_for_terminate_and_check("suidsgidseccomp", pid, WAIT_LOG) == EXIT_SUCCESS);
+ }
+
++static void test_seccomp_suppress_sync_child(void) {
++ _cleanup_(unlink_and_freep) char *path = NULL;
++ _cleanup_close_ int fd = -EBADF;
++
++ assert_se(tempfn_random("/tmp/seccomp_suppress_sync", NULL, &path) >= 0);
++ assert_se((fd = open(path, O_RDWR | O_CREAT | O_SYNC | O_CLOEXEC, 0666)) >= 0);
++ fd = safe_close(fd);
++
++ assert_se(fdatasync(-1) < 0 && errno == EBADF);
++ assert_se(fsync(-1) < 0 && errno == EBADF);
++ assert_se(syncfs(-1) < 0 && errno == EBADF);
++
++ assert_se(fdatasync(INT_MAX) < 0 && errno == EBADF);
++ assert_se(fsync(INT_MAX) < 0 && errno == EBADF);
++ assert_se(syncfs(INT_MAX) < 0 && errno == EBADF);
++
++ assert_se(seccomp_suppress_sync() >= 0);
++
++ assert_se((fd = open(path, O_RDWR | O_CREAT | O_SYNC | O_CLOEXEC, 0666)) < 0 && errno == EINVAL);
++
++ assert_se(fdatasync(INT_MAX) >= 0);
++ assert_se(fsync(INT_MAX) >= 0);
++ assert_se(syncfs(INT_MAX) >= 0);
++
++ assert_se(fdatasync(-1) < 0 && errno == EBADF);
++ assert_se(fsync(-1) < 0 && errno == EBADF);
++
assert_se(syncfs(-1) < 0 && errno == EBADF);
++}
++
++TEST(seccomp_suppress_sync) {
++ pid_t pid;
++
++ if (!is_seccomp_available()) {
++ log_notice("Seccomp not available, skipping %s", __func__);
++ return;
++ }
++ if (!have_seccomp_privs()) {
++ log_notice("Not privileged, skipping %s", __func__);
++ return;
++ }
++
++ assert_se((pid = fork()) >= 0);
++
++ if (pid == 0) {
++ test_seccomp_suppress_sync_child();
++ _exit(EXIT_SUCCESS);
++ }
++
++ assert_se(wait_for_terminate_and_check("seccomp_suppress_sync", pid, WAIT_LOG) == EXIT_SUCCESS);
++}
++
+ DEFINE_TEST_MAIN(LOG_DEBUG);
+--
+2.33.0
+
diff --git a/backport-test-allow-to-skip-matrix_run_one-if-TEST_MATCH_TEST.patch b/backport-test-allow-to-skip-matrix_run_one-if-TEST_MATCH_TEST.patch
new file mode 100644
index 0000000..ef6b4ea
--- /dev/null
+++ b/backport-test-allow-to-skip-matrix_run_one-if-TEST_MATCH_TEST.patch
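Review bot: The asserts following `seccomp_suppress_sync()` in test_seccomp_suppress_sync_child encode a contract that the hunk never states: sync calls on an unopened non-negative fd (INT_MAX) now return 0, while negative fds still fail with EBADF, and O_SYNC opens fail with EINVAL. A reader cannot tell an intended filter property from a test bug without a comment, so something like `/* after suppression, f[data]sync()/syncfs() on any non-negative fd become no-ops; negative fds apparently still reach the kernel and fail with EBADF */` above `assert_se(fdatasync(INT_MAX) >= 0);` would help. The child also creates the temp file with mode 0666; it is unlinked by `unlink_and_freep` on return so this is harmless, but 0600 would cost nothing.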
@@ -0,0 +1,48 @@
+From 834afe7dde8ed909117438691c9f8211abe4b3f4 Mon Sep 17 00:00:00 2001
+From: Yu Watanabe
+Date: Sat, 17 Aug 2024 01:47:33 +0900
+Subject: [PATCH 0858/1160] test: allow to skip matrix_run_one() if
+ $TEST_MATCH_TESTCASE is set
+
+(cherry picked from commit 7908e1d459f5f2893d6aaf1d62009da7856f9410)
+(cherry picked from commit 93759103e6164e69bc92d2ce6c11d79c95da0ced)
+---
+ test/units/testsuite-13.nspawn.sh | 18 +++++++++++-------
+ 1 file changed, 11 insertions(+), 7 deletions(-)
+
+diff --git a/test/units/testsuite-13.nspawn.sh b/test/units/testsuite-13.nspawn.sh
+index 01f6eb6731..81ff0f906f 100755
+--- a/test/units/testsuite-13.nspawn.sh
++++ b/test/units/testsuite-13.nspawn.sh
+@@ -844,6 +844,17 @@ matrix_run_one() {
+ return 0
+ }
+
++testcase_api_vfs() {
++ local api_vfs_writable
++
++ for api_vfs_writable in yes no network; do
++ matrix_run_one no no $api_vfs_writable
++ matrix_run_one yes no $api_vfs_writable
++ matrix_run_one no yes $api_vfs_writable
++ matrix_run_one yes yes $api_vfs_writable
++ done
++}
++
+ testcase_check_os_release() {
+ # https://github.com/systemd/systemd/issues/29185
+ local base common_opts root
+@@ -875,10 +886,3 @@ testcase_check_os_release() {
+ }
+
+ run_testcases
+-
+-for api_vfs_writable in yes no network; do
+- matrix_run_one no no $api_vfs_writable
+- matrix_run_one yes no $api_vfs_writable
+- matrix_run_one no yes $api_vfs_writable
+- matrix_run_one yes yes $api_vfs_writable
+-done
+--
+2.33.0
+
diff --git a/backport-test-also-flush-and-rotate-journal-before-read.patch b/backport-test-also-flush-and-rotate-journal-before-read.patch
new file mode 100644
index 0000000..edef643
--- /dev/null
+++ b/backport-test-also-flush-and-rotate-journal-before-read.patch
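Review bot: `testcase_api_vfs` passes `$api_vfs_writable` unquoted on all four `matrix_run_one` lines; the values are fixed literals so this is harmless today, but `matrix_run_one no no "$api_vfs_writable"` keeps shellcheck quiet and matches the quoting used elsewhere in the file. The skip behaviour promised in the subject depends entirely on `run_testcases` honouring `$TEST_MATCH_TESTCASE`, which is defined outside this hunk, so confirm that helper filters by the variable before relying on it. A one-line comment such as `# Runs the full matrix; skipped like any other testcase_* when $TEST_MATCH_TESTCASE does not match` above the function would record why the loop was moved.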
@@ -0,0 +1,42 @@ +From 5b7b0569c1eee0526c4ade19e53649251ac2e0d5 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Wed, 22 May 2024 09:20:00 +0900 +Subject: [PATCH 0675/1160] test: also flush and rotate journal before read + +Follow-up for a610ba00d923f148702e68b1661166e887759509. + +Fixes #32890. + +(cherry picked from commit 87ed87efe1f2b5566a50939d328f39a1064b5f5b) +--- + test/units/testsuite-09.journal.sh | 13 ++++++++++++- + 1 file changed, 12 insertions(+), 1 deletion(-) + +diff --git a/test/units/testsuite-09.journal.sh b/test/units/testsuite-09.journal.sh +index d554f6bb5c..6a14615edc 100755 +--- a/test/units/testsuite-09.journal.sh ++++ b/test/units/testsuite-09.journal.sh +@@ -24,8 +24,19 @@ get_last_timestamp() { + + # There may be huge amount of pending messages in sockets. Processing them may cause journal rotation. + # If the journal is rotated in the loop below, some journal file may not be loaded and an unexpected +-# result may be provided. To mitigate such, sync before reading journals. Workaround for #32890. ++# result may be provided. To mitigate such, flush (if not yet) and sync before reading journals. ++# Workaround for #32890. ++journalctl --flush + journalctl --sync ++# Sometimes, loading partially written .journal file, and journalctl handled that as 'truncated': ++# === ++# May 21 02:25:55 TEST-09-REBOOT.sh[433]: + journalctl --list-boots -o json ++# May 21 02:25:55 journalctl[433]: Journal file /var/log/journal/173da2fad3064e3e9211a7ed7d59360b/system.journal is truncated, ignoring file. ++# === ++# If that happens, the entries stored in the journal file are ignored, and the results of --list-boots ++# and subsequent call of journalctl may become inconsistent. To prevent such issue, let's also rotate ++# the journal. Then, all journal entries we are interested in are stored in the archived journal files. 
++journalctl --rotate
+
+ # Issue: #29275, second part
+ # Now let's check if the boot entries are in the correct/expected order
+--
+2.33.0
+
diff --git a/backport-test-always-try-to-install-the-ext4-module.patch b/backport-test-always-try-to-install-the-ext4-module.patch
new file mode 100644
index 0000000..614ebb8
--- /dev/null
+++ b/backport-test-always-try-to-install-the-ext4-module.patch
@@ -0,0 +1,36 @@
+From adcc196c3b90da023a70411c622053805ece2b25 Mon Sep 17 00:00:00 2001
+From: Frantisek Sumsal
+Date: Wed, 14 Feb 2024 11:24:05 +0100
+Subject: [PATCH 0319/1160] test: always try to install the ext4 module
+
+So the tests work even if the base image filesystem is not ext4.
+
+(cherry picked from commit adafa3b2f84ff38b0e1460ccafddd63e82019699)
+---
+ test/test-functions | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/test/test-functions b/test/test-functions
+index c5363619e7..6d18477527 100644
+--- a/test/test-functions
++++ b/test/test-functions
+@@ -1119,14 +1119,14 @@ install_fs_tools() {
+ install_modules() {
+ dinfo "Install modules"
+
+- instmods bridge dummy ipvlan macvlan vfat veth
++ instmods bridge dummy ext4 ipvlan macvlan vfat veth
+ instmods loop =block
+ instmods nls_ascii =nls
+ instmods overlay =overlayfs
+ instmods scsi_debug
+
+ if get_bool "$LOOKS_LIKE_SUSE"; then
+- instmods ext4 af_packet
++ instmods af_packet
+ fi
+ }
+
+--
+2.33.0
+
diff --git a/backport-test-answer-2nd-mdadm-create-question-for-compat-wit.patch b/backport-test-answer-2nd-mdadm-create-question-for-compat-wit.patch
new file mode 100644
index 0000000..e920c85
--- /dev/null
+++ b/backport-test-answer-2nd-mdadm-create-question-for-compat-wit.patch
@@ -0,0 +1,89 @@ +From 133b50d7f1cd0c78838dd555585a9c68b857149d Mon Sep 17 00:00:00 2001 +From: Luca Boccassi +Date: Sun, 22 Dec 2024 13:31:36 +0000 +Subject: [PATCH 1076/1160] test: answer 2nd mdadm --create question for compat + with new version + +New version of mdadm now asks a second question, so send 'y' twice +to it in the test scripts + +[ 5.253483] TEST-64-UDEV-STORAGE.sh[684]: + echo y +[ 5.254412] TEST-64-UDEV-STORAGE.sh[685]: + mdadm --create /dev/md/mdmirror --name mdmirror --uuid aaaaaaaa:bbbbbbbb:cccccccc:00000001 /dev/disk/by-id/scsi-0systemd_foobar_deadbeefmdadm0 /dev/disk/by-id/scsi-0systemd_foobar_deadbeefmdadm1 -v -f --level=1 --raid-devices=2 +[ 5.254759] TEST-64-UDEV-STORAGE.sh[685]: To optimalize recovery speed, it is recommended to enable write-indent bitmap, do you want to enable it now? [y/N]? mdadm: Note: this array has metadata at the start and +[ 5.255085] TEST-64-UDEV-STORAGE.sh[685]: may not be suitable as a boot device. If you plan to +[ 5.255418] TEST-64-UDEV-STORAGE.sh[685]: store '/boot' on this device please ensure that +[ 5.255745] TEST-64-UDEV-STORAGE.sh[685]: your boot-loader understands md/v1.x metadata, or use +[ 5.256285] TEST-64-UDEV-STORAGE.sh[685]: --metadata=0.90 +[ 5.256672] TEST-64-UDEV-STORAGE.sh[685]: mdadm: size set to 64512K +[ 5.257063] TEST-64-UDEV-STORAGE.sh[685]: Continue creating array [y/N]? mdadm: create aborted. 
+
+This is backward compatible with the older version that asks just one
+question
+
+(cherry picked from commit 16406420ea449b75e70a7dced05d7b98bc0f5376)
+(cherry picked from commit b2320ced3873981f1215eddb597cfa4aad5bd1b6)
+(cherry picked from commit 812725926dde76baf306eefb788a951176b33977)
+---
+ test/units/testsuite-64.sh | 8 ++++----
+ test/units/testsuite-74.bootctl.sh | 4 ++--
+ 2 files changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/test/units/testsuite-64.sh b/test/units/testsuite-64.sh
+index dc3a87b732..d7333eccde 100755
+--- a/test/units/testsuite-64.sh
++++ b/test/units/testsuite-64.sh
+@@ -1010,7 +1010,7 @@ testcase_mdadm_basic() {
+ "/dev/disk/by-label/$part_name" # ext4 partition
+ )
+ # Create a simple RAID 1 with an ext4 filesystem
+- echo y | mdadm --create "$raid_dev" --name "$raid_name" --uuid "$uuid" /dev/disk/by-id/ata-foobar_deadbeefmdadm{0..1} -v -f --level=1 --raid-devices=2
++ printf 'y\ny\n' | mdadm --create "$raid_dev" --name "$raid_name" --uuid "$uuid" /dev/disk/by-id/ata-foobar_deadbeefmdadm{0..1} -v -f --level=1 --raid-devices=2
+ udevadm wait --settle --timeout=30 "$raid_dev"
+ mkfs.ext4 -L "$part_name" "$raid_dev"
+ udevadm wait --settle --timeout=30 "${expected_symlinks[@]}"
+@@ -1039,7 +1039,7 @@ testcase_mdadm_basic() {
+ "/dev/disk/by-label/$part_name" # ext4 partition
+ )
+ # Create a simple RAID 5 with an ext4 filesystem
+- echo y | mdadm --create "$raid_dev" --name "$raid_name" --uuid "$uuid" /dev/disk/by-id/ata-foobar_deadbeefmdadm{0..2} -v -f --level=5 --raid-devices=3
++ printf 'y\ny\n' | mdadm --create "$raid_dev" --name "$raid_name" --uuid "$uuid" /dev/disk/by-id/ata-foobar_deadbeefmdadm{0..2} -v -f --level=5 --raid-devices=3
+ udevadm wait --settle --timeout=30 "$raid_dev"
+ mkfs.ext4 -L "$part_name" "$raid_dev"
+ udevadm wait --settle --timeout=30 "${expected_symlinks[@]}"
+@@ -1079,7 +1079,7 @@ testcase_mdadm_basic() {
+ "/dev/disk/by-id/md-uuid-$uuid-part3"
+ )
+ # Create a simple RAID 10 with an ext4
filesystem
+- echo y | mdadm --create "$raid_dev" --name "$raid_name" --uuid "$uuid" /dev/disk/by-id/ata-foobar_deadbeefmdadm{0..3} -v -f --level=10 --raid-devices=4
++ printf 'y\ny\n' | mdadm --create "$raid_dev" --name "$raid_name" --uuid "$uuid" /dev/disk/by-id/ata-foobar_deadbeefmdadm{0..3} -v -f --level=10 --raid-devices=4
+ udevadm wait --settle --timeout=30 "$raid_dev"
+ # Partition the raid device
+ # Here, 'udevadm lock' is meaningless, as udevd does not lock MD devices.
+@@ -1132,7 +1132,7 @@ testcase_mdadm_lvm() {
+ "/dev/disk/by-label/$part_name" # ext4 partition
+ )
+ # Create a RAID 10 with LVM + ext4
+- echo y | mdadm --create "$raid_dev" --name "$raid_name" --uuid "$uuid" /dev/disk/by-id/ata-foobar_deadbeefmdadmlvm{0..3} -v -f --level=10 --raid-devices=4
++ printf 'y\ny\n' | mdadm --create "$raid_dev" --name "$raid_name" --uuid "$uuid" /dev/disk/by-id/ata-foobar_deadbeefmdadmlvm{0..3} -v -f --level=10 --raid-devices=4
+ udevadm wait --settle --timeout=30 "$raid_dev"
+ # Create an LVM on the MD
+ lvm pvcreate -y "$raid_dev"
+diff --git a/test/units/testsuite-74.bootctl.sh b/test/units/testsuite-74.bootctl.sh
+index 4be7bfd0b8..ac517b26fb 100755
+--- a/test/units/testsuite-74.bootctl.sh
++++ b/test/units/testsuite-74.bootctl.sh
+@@ -215,9 +215,9 @@ EOF
+
+ udevadm settle
+
+- echo y | mdadm --create /dev/md/raid-esp --name "raid-esp" "${LOOPDEV1}p1" "${LOOPDEV2}p1" -v -f --level=1 --raid-devices=2
++ printf 'y\ny\n' | mdadm --create /dev/md/raid-esp --name "raid-esp" "${LOOPDEV1}p1" "${LOOPDEV2}p1" -v -f --level=1 --raid-devices=2
+ mkfs.vfat /dev/md/raid-esp
+- echo y | mdadm --create /dev/md/raid-root --name "raid-root" "${LOOPDEV1}p2" "${LOOPDEV2}p2" -v -f --level=1 --raid-devices=2
++ printf 'y\ny\n' | mdadm --create /dev/md/raid-root --name "raid-root" "${LOOPDEV1}p2" "${LOOPDEV2}p2" -v -f --level=1 --raid-devices=2
+ mkfs.ext4 /dev/md/raid-root
+ mkfs.btrfs -f -M -d raid1 -m raid1 -L "raid-boot" "${LOOPDEV1}p3" "${LOOPDEV2}p3"
+
+--
+2.33.0
+
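Review bot: `printf 'y\ny\n' | mdadm --create ...` hard-codes the number of interactive prompts, so an mdadm that asks a third question, or asks in a different order, will abort array creation again with the same `create aborted` failure the commit message shows. Where mdadm supports it, stating the answers on the command line is sturdier than scripting stdin: `--run` suppresses the "Continue creating array" confirmation and `--bitmap=internal` (or `--bitmap=none`) makes the write-intent bitmap choice explicit so no question is asked; whether the mdadm shipped in the test image accepts both for these arrays should be confirmed. The same pattern is repeated on all six changed lines across testsuite-64.sh and testsuite-74.bootctl.sh, so one helper (e.g. a small `mdadm_create()` wrapper) would make the next compatibility change a single edit. A short comment above the first occurrence, `# newer mdadm asks two questions (bitmap, continue); answer both`, would also explain the doubled 'y'.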
diff --git a/backport-test-applying-timezone-is-asynchronous.patch b/backport-test-applying-timezone-is-asynchronous.patch
new file mode 100644
index 0000000..6f798c7
--- /dev/null
+++ b/backport-test-applying-timezone-is-asynchronous.patch
@@ -0,0 +1,46 @@
+From 91d31ca3bcf929346ec872d387cd33030d4e1570 Mon Sep 17 00:00:00 2001
+From: Yu Watanabe
+Date: Sat, 25 May 2024 01:32:21 +0900
+Subject: [PATCH 0681/1160] test: applying timezone is asynchronous
+
+So, we need to try to read timezone several times.
+Also, on failure, show journal of timedated instead of hostnamed,
+as the timezone is handled by timedated.
+
+Hopefully fixes #33007.
+
+(cherry picked from commit 1ef586af237e685c32676e381a5ce8d4918f9225)
+---
+ test/networkd-test.py | 15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+diff --git a/test/networkd-test.py b/test/networkd-test.py
+index 512137cacc..bf49a6da68 100755
+--- a/test/networkd-test.py
++++ b/test/networkd-test.py
+@@ -1046,13 +1046,16 @@ DNS=127.0.0.1
+ self.create_iface(dhcpserver_opts='EmitTimezone=yes\nTimezone=Pacific/Honolulu')
+ self.do_test(coldplug=None, extra_opts='IPv6AcceptRA=false\n[DHCP]\nUseTimezone=true', dhcp_mode='ipv4')
+
+- # should have applied the received timezone
+- try:
+- self.assertEqual(get_tz(), 'Pacific/Honolulu')
+- except AssertionError:
++ # Should have applied the received timezone. This is asynchronous, so we need to wait for a while:
++ for _ in range(20):
++ tz = get_tz()
++ if tz == 'Pacific/Honolulu':
++ break
++ time.sleep(0.5)
++ else:
+ self.show_journal('systemd-networkd.service')
+- self.show_journal('systemd-hostnamed.service')
+- raise
++ self.show_journal('systemd-timedated.service')
++ self.fail(f'Timezone: {tz}, expected: Pacific/Honolulu')
+
+
+ class MatchClientTest(unittest.TestCase, NetworkdTestingUtilities):
+--
+2.33.0
+
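Review bot: The new polling loop calls `time.sleep(0.5)`, but nothing in the hunk imports `time`; networkd-test.py very likely imports it at module level already, yet that should be confirmed, because a NameError here would surface only on the slow path of an asynchronous test and could easily be misread as a flaky timezone result. The 20 × 0.5 s budget is a magic number; stating it in the comment, e.g. `for _ in range(20):  # poll up to ~10 s for timedated to apply the DHCP-supplied zone`, documents the intent. The enclosing test method starts outside the hunk.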
diff --git a/backport-test-avoid-NO_CAST.INTEGER_OVERFLOW-in-test-oomd-uti.patch b/backport-test-avoid-NO_CAST.INTEGER_OVERFLOW-in-test-oomd-uti.patch
new file mode 100644
index 0000000..ebc62cb
--- /dev/null
+++ b/backport-test-avoid-NO_CAST.INTEGER_OVERFLOW-in-test-oomd-uti.patch
@@ -0,0 +1,60 @@
+From 9ee5ab00e04078cf48d827ff13ca4d104b63b56f Mon Sep 17 00:00:00 2001
+From: aslepykh <145323274+aslepykh@users.noreply.github.com>
+Date: Fri, 8 Dec 2023 04:54:52 +0300
+Subject: [PATCH 0023/1160] test: avoid NO_CAST.INTEGER_OVERFLOW in
+ test-oomd-util (#30365)
+
+The `.mem_total` variable has `uint64_t` type, therefore, when multiplying the number
+`20971512` by the number `1024` with the suffix `U`, we will not get the expected result of
+`21,474,828,288`, since the number `20971512` without an explicit type indication has
+`uint32_t` type.
+
+First, multiplication will occur in accordance with the `uint32_t` type; this operation will
+cause a **type overflow**, and only then will this result be assigned to a `uint64_t` type
+variable.
+
+It's worth adding the `UL` suffix to the number `20971512` to avoid **overflow**.
+
+Found by Linux Verification Center (portal.linuxtesting.ru) with SVACE.
+Author A. Slepykh.
+
+(cherry picked from commit a6f1551fe785e241e7c5534aa0c580b31a83a28b)
+---
+ src/oom/test-oomd-util.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/src/oom/test-oomd-util.c b/src/oom/test-oomd-util.c
+index d76d91e26d..1aef6039e1 100644
+--- a/src/oom/test-oomd-util.c
++++ b/src/oom/test-oomd-util.c
+@@ -291,19 +291,19 @@ static void test_oomd_pressure_above(void) {
+
+ static void test_oomd_mem_and_swap_free_below(void) {
+ OomdSystemContext ctx = (OomdSystemContext) {
+- .mem_total = 20971512 * 1024U,
+- .mem_used = 3310136 * 1024U,
+- .swap_total = 20971512 * 1024U,
+- .swap_used = 20971440 * 1024U,
++ .mem_total = UINT64_C(20971512) * 1024U,
++ .mem_used = UINT64_C(3310136) * 1024U,
++ .swap_total = UINT64_C(20971512) * 1024U,
++ .swap_used = UINT64_C(20971440) * 1024U,
+ };
+ assert_se(oomd_mem_available_below(&ctx, 2000) == false);
+ assert_se(oomd_swap_free_below(&ctx, 2000) == true);
+
+ ctx = (OomdSystemContext) {
+- .mem_total = 20971512 * 1024U,
+- .mem_used = 20971440 * 1024U,
+-
.swap_total = 20971512 * 1024U,
+- .swap_used = 3310136 * 1024U,
++ .mem_total = UINT64_C(20971512) * 1024U,
++ .mem_used = UINT64_C(20971440) * 1024U,
++ .swap_total = UINT64_C(20971512) * 1024U,
++ .swap_used = UINT64_C(3310136) * 1024U,
+ };
+ assert_se(oomd_mem_available_below(&ctx, 2000) == true);
+ assert_se(oomd_swap_free_below(&ctx, 2000) == false);
+--
+2.33.0
+
diff --git a/backport-test-backup-etc-udev-udev.conf-only-if-it-exists.patch b/backport-test-backup-etc-udev-udev.conf-only-if-it-exists.patch
new file mode 100644
index 0000000..1e945b4
--- /dev/null
+++ b/backport-test-backup-etc-udev-udev.conf-only-if-it-exists.patch
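Review bot: The `UINT64_C(...) * 1024U` wrapping is the right fix, but nothing in the new lines records why it is there, so the next person tidying the test can "simplify" it straight back to the overflowing `20971512 * 1024U` (the product exceeds 32 bits and was previously computed in unsigned int before widening). A one-line comment above the first initializer, e.g. `/* UINT64_C(): force 64-bit arithmetic, the KiB products overflow unsigned int */`, preserves the intent. The asserted verdicts (`oomd_mem_available_below(&ctx, 2000) == false`, and so on) presumably passed before only because the wrapped values happened to produce the same outcome, so they deserve a second look against the corrected sizes.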
@@ -0,0 +1,62 @@ +From 49cc12975c761701e2dc0dc84ee1928b38f98c54 Mon Sep 17 00:00:00 2001 +From: Frantisek Sumsal +Date: Fri, 8 Dec 2023 18:38:41 +0100 +Subject: [PATCH 0030/1160] test: backup /etc/udev/udev.conf only if it exists + +On Fedora systemd recently moved all of its configuration files to +/usr/lib/ [0], so make sure we account for this case as well. + +[ 42.450325] testsuite-17.sh[800]: + mkdir -p /run/udev/rules.d +[ 42.466504] testsuite-17.sh[800]: + cp -f /etc/udev/udev.conf /etc/udev/udev.conf.bckp +[ 42.503348] testsuite-17.sh[802]: cp: cannot stat '/etc/udev/udev.conf': No such file or directory + +[0] https://src.fedoraproject.org/rpms/systemd/c/29eb35530b29232eed65718d0cd96d67cd7ffd6b?branch=rawhide + +(cherry picked from commit e23fc070e287397d2f047028f953986356badf2f) +--- + test/units/testsuite-17.03.sh | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +diff --git a/test/units/testsuite-17.03.sh b/test/units/testsuite-17.03.sh +index fafe9d186c..9af706fae1 100755 +--- a/test/units/testsuite-17.03.sh ++++ b/test/units/testsuite-17.03.sh +@@ -2,17 +2,18 @@ + # SPDX-License-Identifier: LGPL-2.1-or-later + set -ex + +-test_rule="/run/udev/rules.d/49-test.rules" ++TEST_RULE="/run/udev/rules.d/49-test.rules" + KILL_PID= + + setup() { +- mkdir -p "${test_rule%/*}" +- cp -f /etc/udev/udev.conf /etc/udev/udev.conf.bckp +- cat >"${test_rule}" <"${TEST_RULE}" <>/etc/udev/udev.conf </etc/udev/udev.conf < +Date: Tue, 7 May 2024 13:43:09 +0200 +Subject: [PATCH 0601/1160] test-bpf-foreign-programs: pass the right error + variable + +(cherry picked from commit 3a5046782e74d0405067a79d7aa14456801ce79e) +--- + src/test/test-bpf-foreign-programs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/test/test-bpf-foreign-programs.c b/src/test/test-bpf-foreign-programs.c +index 35c7e0d692..64a280992a 100644 +--- a/src/test/test-bpf-foreign-programs.c ++++ b/src/test/test-bpf-foreign-programs.c +@@ -253,7 +253,7 @@ 
static int test_bpf_cgroup_programs(Manager *m, const char *unit_name, const Tes
+ while (!IN_SET(SERVICE(u)->state, SERVICE_DEAD, SERVICE_FAILED)) {
+ r = sd_event_run(m->event, UINT64_MAX);
+ if (r < 0)
+- return log_error_errno(errno, "Event run failed %m");
++ return log_error_errno(r, "Event run failed %m");
+ }
+
+ cld_code = SERVICE(u)->exec_command[SERVICE_EXEC_START]->exec_status.code;
+--
+2.33.0
+
diff --git a/backport-test-bpf-restrict-fs-pass-the-right-error-variable.patch b/backport-test-bpf-restrict-fs-pass-the-right-error-variable.patch
new file mode 100644
index 0000000..1ee2146
--- /dev/null
+++ b/backport-test-bpf-restrict-fs-pass-the-right-error-variable.patch
@@ -0,0 +1,26 @@
+From ab2579e56b47d1903c3a8e27f86889d2bbaaa040 Mon Sep 17 00:00:00 2001
+From: David Tardon
+Date: Tue, 7 May 2024 13:42:29 +0200
+Subject: [PATCH 0600/1160] test-bpf-restrict-fs: pass the right error variable
+
+(cherry picked from commit 2dd1676fa7913c6ea45ccc6d01c001e61c37c1b4)
+---
+ src/test/test-bpf-lsm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/test/test-bpf-lsm.c b/src/test/test-bpf-lsm.c
+index 42ea64cd0a..5329bbaaf0 100644
+--- a/src/test/test-bpf-lsm.c
++++ b/src/test/test-bpf-lsm.c
+@@ -46,7 +46,7 @@ static int test_restrict_filesystems(Manager *m, const char *unit_name, const ch
+ while (!IN_SET(SERVICE(u)->state, SERVICE_DEAD, SERVICE_FAILED)) {
+ r = sd_event_run(m->event, UINT64_MAX);
+ if (r < 0)
+- return log_error_errno(errno, "Event run failed %m");
++ return log_error_errno(r, "Event run failed %m");
+ }
+
+ cld_code = SERVICE(u)->exec_command[SERVICE_EXEC_START]->exec_status.code;
+--
+2.33.0
+
diff --git a/backport-test-call-journalctl-sync-just-before-reading-journa.patch b/backport-test-call-journalctl-sync-just-before-reading-journa.patch
new file mode 100644
index 0000000..47cc235
--- /dev/null
+++ b/backport-test-call-journalctl-sync-just-before-reading-journa.patch
@@ -0,0 +1,34 @@
+From 46eacf705c2404fb4301ecaa4f8c4df02a5a6af0 Mon Sep 17 00:00:00 2001
+From: Yu Watanabe
+Date: Tue, 21 May 2024 01:53:02 +0900
+Subject: [PATCH 0662/1160] test: call journalctl --sync just before reading
+ journals
+
+Otherwise, journal entries comes during sleep may not be read.
+
+Follow-up for c22a112883a46e302dae587b809c459647363ceb.
+
+(cherry picked from commit 123acb25605f904c9a52c67f00dfff2b299a7a58)
+---
+ test/units/testsuite-60.sh | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/test/units/testsuite-60.sh b/test/units/testsuite-60.sh
+index 6f4cba8319..c1afeddcd0 100755
+--- a/test/units/testsuite-60.sh
++++ b/test/units/testsuite-60.sh
+@@ -295,9 +295,9 @@ done
+ # Figure out if we have entered the rate limit state.
+ # If the infra is slow we might not enter the rate limit state; in that case skip the exit check.
+ journalctl --sync
+-if timeout 2m bash -c "until journalctl -u init.scope --since=$TS | grep -q '(mount-monitor-dispatch) entered rate limit'; do journalctl --sync; sleep 1; done"; then
++if timeout 2m bash -c "until journalctl -u init.scope --since=$TS | grep -q '(mount-monitor-dispatch) entered rate limit'; do sleep 1; journalctl --sync; done"; then
+ journalctl --sync
+- timeout 2m bash -c "until journalctl -u init.scope --since=$TS | grep -q '(mount-monitor-dispatch) left rate limit'; do journalctl --sync; sleep 1; done"
++ timeout 2m bash -c "until journalctl -u init.scope --since=$TS | grep -q '(mount-monitor-dispatch) left rate limit'; do sleep 1; journalctl --sync; done"
+ fi
+
+ # Verify that the mount units are always cleaned up at the end.
+--
+2.33.0
+
diff --git a/backport-test-capability-CAP_LINUX_IMMUTABLE-is-not-available.patch b/backport-test-capability-CAP_LINUX_IMMUTABLE-is-not-available.patch
new file mode 100644
index 0000000..862f25b
--- /dev/null
+++ b/backport-test-capability-CAP_LINUX_IMMUTABLE-is-not-available.patch
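Review bot: `$TS` is interpolated unquoted into the `bash -c "..."` string on both changed lines, so if `TS` ever holds a timestamp with a space (the usual `journalctl --since` form) the inner shell splits `--since=$TS` into two words and the loop silently matches against a different time range. `TS` is assigned outside this hunk, so confirm its format; if it can contain whitespace, escape the inner quotes: `--since=\"$TS\"`. The reordering to `sleep 1; journalctl --sync` is fine, but the polling command is now duplicated with only the 'entered'/'left' string differing, and a tiny helper taking that string would make the next tweak a one-place edit.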
@@ -0,0 +1,49 @@
+From 5c3f362061613c53b03bcb4ca5d633e810a16617 Mon Sep 17 00:00:00 2001
+From: Luca Boccassi
+Date: Wed, 11 Dec 2024 12:10:13 +0000
+Subject: [PATCH 1048/1160] test-capability: CAP_LINUX_IMMUTABLE is not
+ available in unprivileged containers
+
+have ambient caps: yes
+Capabilities:cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap=ep
+Failed to drop auxiliary groups list: Operation not permitted
+Failed to change group ID: Operation not permitted
+Capabilities:cap_dac_override,cap_net_raw=ep
+Capabilities:cap_dac_override=ep
+Successfully forked off '(getambient)' as PID 12505.
+Skipping PR_SET_MM, as we don't have privileges.
+Ambient capability cap_linux_immutable requested but missing from bounding set, suppressing automatically.
+Assertion 'x < 0 || FLAGS_SET(c, UINT64_C(1) << CAP_LINUX_IMMUTABLE)' failed at src/test/test-capability.c:273, function test_capability_get_ambient(). Aborting.
+(getambient) terminated by signal ABRT.
+src/test/test-capability.c:258: Assertion failed: expected "r" to succeed, but got error: Protocol error
+
+Partially fixes #35552
+
+(cherry picked from commit 058a07635f3ff70cc99943dcf4f2a079bc9c28b9)
+(cherry picked from commit d80ab6aed678ed89327d86ced9fedd24b5baccd3)
+(cherry picked from commit dbc8f9aa9b08ec8e04612cf85721261c21b3a346)
+---
+ src/test/test-capability.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/src/test/test-capability.c b/src/test/test-capability.c
+index 5bb2234268..aa2644e458 100644
+--- a/src/test/test-capability.c
++++ b/src/test/test-capability.c
+@@ -254,6 +254,13 @@ static void test_capability_get_ambient(void) {
+
+ assert_se(capability_get_ambient(&c) >= 0);
+
++ r = prctl(PR_CAPBSET_READ, CAP_MKNOD);
++ if (r <= 0)
++ return (void) log_tests_skipped("Lacking CAP_MKNOD, skipping getambient test.");
++ r = prctl(PR_CAPBSET_READ, CAP_LINUX_IMMUTABLE);
++ if (r <= 0)
++ return (void) log_tests_skipped("Lacking CAP_LINUX_IMMUTABLE, skipping getambient test.");
++
+ r = safe_fork("(getambient)", FORK_RESET_SIGNALS|FORK_DEATHSIG_SIGTERM|FORK_WAIT|FORK_LOG, NULL);
+ assert_se(r >= 0);
+
+--
+2.33.0
+
diff --git a/backport-test-check-TPM2B_PUBLIC-name-during-PEM-TPM2B_PUBLIC.patch b/backport-test-check-TPM2B_PUBLIC-name-during-PEM-TPM2B_PUBLIC.patch
new file mode 100644
index 0000000..377001b
--- /dev/null
+++ b/backport-test-check-TPM2B_PUBLIC-name-during-PEM-TPM2B_PUBLIC.patch
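Review bot: Both new `if (r <= 0)` checks after `prctl(PR_CAPBSET_READ, ...)` fold a failed prctl (-1 with errno set, e.g. EINVAL for a capability the running kernel does not know) into the same skip path as "capability not in the bounding set", so the skip message can name a missing capability when the real cause is an error. Splitting the cases keeps the diagnostics honest, e.g. `if (r < 0) return (void) log_tests_skipped_errno(errno, "PR_CAPBSET_READ failed");` ahead of the `r == 0` skip; whether test-capability.c already uses that helper elsewhere should be checked. The enclosing test_capability_get_ambient() starts and ends outside the hunk.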
@@ -0,0 +1,129 @@ +From a1288893b058338d99177bf734f88eaf1856579c Mon Sep 17 00:00:00 2001 +From: Dan Streetman +Date: Tue, 16 Jan 2024 13:49:45 -0500 +Subject: [PATCH 0160/1160] test: check TPM2B_PUBLIC "name" during + PEM->TPM2B_PUBLIC conversion tests + +Check the calculated TPM2B_PUBLIC key "name" to verify our PEM->TPM2B_PUBLIC +function remains consistent with previous code. This is important as the +TPM2B_PUBLIC "name" is used in the Authorize policy and so any change to a key +"name" would break unsealing for previously-sealed objects (see bug #30546). + +Note that the tpm2_tpm2b_public_from_openssl_pkey() function results in a +TPM2B_PUBLIC with the same "name" as using the tpm2-tools program +tpm2_loadexternal, at least as of tpm2-tools version 5.6.18, with the test keys +from TEST(tpm2b_public_from_openssl_pkey) in src/test/test-tpm2. + +(cherry picked from commit e2e8d8f2a2a710a7bfec8200022066717c739c0e) +--- + src/test/test-tpm2.c | 75 +++++++++++++++++++++++++++++--------------- + 1 file changed, 50 insertions(+), 25 deletions(-) + +diff --git a/src/test/test-tpm2.c b/src/test/test-tpm2.c +index cd1751d859..e3c7da8b08 100644 +--- a/src/test/test-tpm2.c ++++ b/src/test/test-tpm2.c +@@ -819,50 +819,75 @@ static void check_tpm2b_public_fingerprint(const TPM2B_PUBLIC *public, const cha + assert_se(memcmp_nn(fp, fp_size, expected, expected_len) == 0); + } + +-TEST(tpm2b_public_from_openssl_pkey) { +- TPM2B_PUBLIC public; ++static void check_tpm2b_public_name(const TPM2B_PUBLIC *public, const char *hexname) { ++ DEFINE_HEX_PTR(expected, hexname); ++ TPM2B_NAME name = {}; ++ ++ assert_se(tpm2_calculate_pubkey_name(&public->publicArea, &name) >= 0); ++ assert_se(memcmp_nn(name.name, name.size, expected, expected_len) == 0); ++} ++ ++static void check_tpm2b_public_from_ecc_pem(const char *pem, const char *hexx, const char *hexy, const char *hexfp, const char *hexname) { ++ TPM2B_PUBLIC public = {}; + TPMT_PUBLIC *p = &public.publicArea; + +- 
DEFINE_HEX_PTR(key_ecc, "2d2d2d2d2d424547494e205055424c4943204b45592d2d2d2d2d0a4d466b77457759484b6f5a497a6a3043415159494b6f5a497a6a30444151634451674145726a6e4575424c73496c3972687068777976584e50686a346a426e500a44586e794a304b395579724e6764365335413532542b6f5376746b436a365a726c34685847337741515558706f426c532b7448717452714c35513d3d0a2d2d2d2d2d454e44205055424c4943204b45592d2d2d2d2d0a"); +- get_tpm2b_public_from_pem(key_ecc, key_ecc_len, &public); ++ DEFINE_HEX_PTR(key, pem); ++ get_tpm2b_public_from_pem(key, key_len, &public); + + assert_se(p->type == TPM2_ALG_ECC); + assert_se(p->parameters.eccDetail.curveID == TPM2_ECC_NIST_P256); + +- DEFINE_HEX_PTR(expected_x, "ae39c4b812ec225f6b869870caf5cd3e18f88c19cf0d79f22742bd532acd81de"); ++ DEFINE_HEX_PTR(expected_x, hexx); + assert_se(memcmp_nn(p->unique.ecc.x.buffer, p->unique.ecc.x.size, expected_x, expected_x_len) == 0); + +- DEFINE_HEX_PTR(expected_y, "92e40e764fea12bed9028fa66b9788571b7c004145e9a01952fad1eab51a8be5"); ++ DEFINE_HEX_PTR(expected_y, hexy); + assert_se(memcmp_nn(p->unique.ecc.y.buffer, p->unique.ecc.y.size, expected_y, expected_y_len) == 0); + +- check_tpm2b_public_fingerprint(&public, "cd3373293b62a52b48c12100e80ea9bfd806266ce76893a5ec31cb128052d97c"); +- +- DEFINE_HEX_PTR(key_rsa, 
"2d2d2d2d2d424547494e205055424c4943204b45592d2d2d2d2d0a4d494942496a414e42676b71686b6947397730424151454641414f43415138414d49494243674b4341514541795639434950652f505852337a436f63787045300a6a575262546c3568585844436b472f584b79374b6d2f4439584942334b734f5a31436a5937375571372f674359363170697838697552756a73413464503165380a593445336c68556d374a332b6473766b626f4b64553243626d52494c2f6675627771694c4d587a41673342575278747234547545443533527a373634554650640a307a70304b68775231496230444c67772f344e67566f314146763378784b4d6478774d45683567676b73733038326332706c354a504e32587677426f744e6b4d0a5471526c745a4a35355244436170696e7153334577376675646c4e735851357746766c7432377a7637344b585165616d704c59433037584f6761304c676c536b0a79754774586b6a50542f735542544a705374615769674d5a6f714b7479563463515a58436b4a52684459614c47587673504233687a766d5671636e6b47654e540a65774944415141420a2d2d2d2d2d454e44205055424c4943204b45592d2d2d2d2d0a"); +- get_tpm2b_public_from_pem(key_rsa, key_rsa_len, &public); ++ check_tpm2b_public_fingerprint(&public, hexfp); ++ check_tpm2b_public_name(&public, hexname); ++} + +- DEFINE_HEX_PTR(expected_n, "c95f4220f7bf3d7477cc2a1cc691348d645b4e5e615d70c2906fd72b2eca9bf0fd5c80772ac399d428d8efb52aeff80263ad698b1f22b91ba3b00e1d3f57bc638137961526ec9dfe76cbe46e829d53609b99120bfdfb9bc2a88b317cc0837056471b6be13b840f9dd1cfbeb85053ddd33a742a1c11d486f40cb830ff8360568d4016fdf1c4a31dc7030487982092cb34f36736a65e493cdd97bf0068b4d90c4ea465b59279e510c26a98a7a92dc4c3b7ee76536c5d0e7016f96ddbbcefef829741e6a6a4b602d3b5ce81ad0b8254a4cae1ad5e48cf4ffb140532694ad6968a0319a2a2adc95e1c4195c29094610d868b197bec3c1de1cef995a9c9e419e3537b"); +- assert_se(p->unique.rsa.size == expected_n_len); +- assert_se(memcmp(p->unique.rsa.buffer, expected_n, expected_n_len) == 0); ++static void check_tpm2b_public_from_rsa_pem(const char *pem, const char *hexn, uint32_t exponent, const char *hexfp, const char *hexname) { ++ TPM2B_PUBLIC public = {}; ++ TPMT_PUBLIC *p = &public.publicArea; + +- 
assert_se(p->parameters.rsaDetail.keyBits == expected_n_len * 8); ++ DEFINE_HEX_PTR(key, pem); ++ get_tpm2b_public_from_pem(key, key_len, &public); + +- assert_se(p->parameters.rsaDetail.exponent == 0x10001); ++ assert_se(p->type == TPM2_ALG_RSA); + +- check_tpm2b_public_fingerprint(&public, "d9186d13a7fd5b3644cee05448f49ad3574e82a2942ff93cf89598d36cca78a9"); ++ DEFINE_HEX_PTR(expected_n, hexn); ++ assert_se(memcmp_nn(p->unique.rsa.buffer, p->unique.rsa.size, expected_n, expected_n_len) == 0); + +- /* RSA key with non-default (i.e. not 0x10001) exponent */ +- DEFINE_HEX_PTR(key_rsa2, "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"); +- get_tpm2b_public_from_pem(key_rsa2, key_rsa2_len, &public); ++ assert_se(p->parameters.rsaDetail.keyBits == expected_n_len * 8); + +- DEFINE_HEX_PTR(expected_n2, "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"); +- assert_se(p->unique.rsa.size == expected_n2_len); +- assert_se(memcmp(p->unique.rsa.buffer, expected_n2, expected_n2_len) == 0); ++ assert_se(p->parameters.rsaDetail.exponent == exponent); + +- assert_se(p->parameters.rsaDetail.keyBits == expected_n2_len * 8); ++ check_tpm2b_public_fingerprint(&public, hexfp); ++ check_tpm2b_public_name(&public, hexname); ++} + +- assert_se(p->parameters.rsaDetail.exponent == 0x10005); ++TEST(tpm2b_public_from_openssl_pkey) { ++ /* standard ECC key */ ++ check_tpm2b_public_from_ecc_pem("2d2d2d2d2d424547494e205055424c4943204b45592d2d2d2d2d0a4d466b77457759484b6f5a497a6a3043415159494b6f5a497a6a30444151634451674145726a6e4575424c73496c3972687068777976584e50686a346a426e500a44586e794a304b395579724e6764365335413532542b6f5376746b436a365a726c34685847337741515558706f426c532b7448717452714c35513d3d0a2d2d2d2d2d454e44205055424c4943204b45592d2d2d2d2d0a", ++ "ae39c4b812ec225f6b869870caf5cd3e18f88c19cf0d79f22742bd532acd81de", ++ "92e40e764fea12bed9028fa66b9788571b7c004145e9a01952fad1eab51a8be5", ++ "cd3373293b62a52b48c12100e80ea9bfd806266ce76893a5ec31cb128052d97c", ++ 
"000b5c127e4dbaf8fb7bac641e8db25a84a48db876ca7ee3bd317ae1a4554ff72f17"); ++ ++ /* standard RSA key */ ++ check_tpm2b_public_from_rsa_pem("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", ++ "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", ++ 0x10001, ++ "d9186d13a7fd5b3644cee05448f49ad3574e82a2942ff93cf89598d36cca78a9", ++ "000be1bd75c7976e7a30e9e82223b81a9eff0d42c30618e588db592ed5da94455e81"); + +- check_tpm2b_public_fingerprint(&public, "e037697b827a730d107fda6117c0affcff3e8648d15a62e52b251649b8f67e47"); ++ /* RSA key with non-default (i.e. not 0x10001) exponent */ ++ check_tpm2b_public_from_rsa_pem("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", ++ "c9596e41f2ae550a988d9a828decefe8d2685de2eca29febbd2b9f734c3b89330eb1580052d6d04d13d342b5edf69792cc2a510e0702c5e9234c00d6af2d0a998c63cfae30963a7417d63cd217239242bb600337d137cb1477a5fbbbad06ca70a811739fef197d856c4822bdb13a68d656bb9d219036d416a3a0c9ea5459de382699739a4c54c0684d090bea455c1b150eab2617677cebfd4d42a26e6504d159745c893a4d5f9bc8cbfeef925663854891971bcd60e374a5c76f489efa36d2270f3d073e8c19f2964438cfc910e6316b32c98dd23a0e4e51c98e71d99c88ecfb558f4592ac144e322a3e80b7951330b8e15dddf3567c0d0f153772e26d0d37a5", ++ 0x10005, ++ "c8ca80a687d5972e1d961aaa2cfde2ff2e7a20d85e3ea0382804e70e013d65af", ++ "000beb8974d36d8cf58fdc87460dda00319e10c94c1b9f222ac9ce29d1c4776246cc"); + } + #endif + +-- +2.33.0 + diff --git a/backport-test-check-for-dev-loop-control-when-checking-lodev-.patch b/backport-test-check-for-dev-loop-control-when-checking-lodev-.patch new file mode 100644 index 0000000..ce95b22 --- /dev/null +++ b/backport-test-check-for-dev-loop-control-when-checking-lodev-.patch 
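Review bot: check_tpm2b_public_name() compares the raw TPM2B_NAME bytes against the hex vector but nothing says what those bytes are; every expected name on this page starts with `000b` and is 34 bytes, i.e. the 2-byte nameAlg (0x000B = SHA-256) followed by the 32-byte digest of the marshalled public area, so the length compare inside memcmp_nn also pins the hash algorithm. A comment above the helper would make that explicit together with the reason the vectors must not be casually regenerated, e.g. `/* Expected "name" in TPM2B_NAME wire form: nameAlg (0x000B = SHA256) followed by the digest of the marshalled TPMT_PUBLIC. The name feeds the Authorize policy, so any change here breaks unsealing of previously sealed objects (see #30546). */`. Separately, neither new helper checks the return of `get_tpm2b_public_from_pem()`; if that helper does not assert internally (its definition is outside this hunk), a parse failure leaves `public` zeroed and the failure is reported by the later `p->type` assertion, which is harder to diagnose.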
@@ -0,0 +1,45 @@
+From 5ab85d7f5d7f1d64563a74d4ad90f8a2ffea82a9 Mon Sep 17 00:00:00 2001
+From: Frantisek Sumsal
+Date: Wed, 27 Mar 2024 19:35:30 +0100
+Subject: [PATCH 0342/1160] test: check for /dev/loop-control when checking
+ lodev availability
+
+losetup in util-linux 2.40 started reporting lost loop devices [0] and
+it has an unfortunate side-effect where it reports lost devices even in
+containers, which then makes the loop device check "falsely" pass [1].
+
+Let's just check for /dev/loop-control explicitly to "work around" this.
+
+[0] https://github.com/util-linux/util-linux/commit/a6ca0456cc6d704a786f6b66d8bb2d89ff18eba7
+[1] https://github.com/util-linux/util-linux/issues/2824
+
+(cherry picked from commit 0348b500efea840b711903124b30174f97b9ae68)
+---
+ test/units/testsuite-72.sh | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/test/units/testsuite-72.sh b/test/units/testsuite-72.sh
+index 953f2a16bf..de657a27ff 100755
+--- a/test/units/testsuite-72.sh
++++ b/test/units/testsuite-72.sh
+@@ -22,7 +22,7 @@ fi
+ # change the sector size of a file, and we want to test both 512 and 4096 byte
+ # sectors. If loopback devices are not supported, we can only test one sector
+ # size, and the underlying device is likely to have a sector size of 512 bytes.
+-if ! losetup --find >/dev/null 2>&1; then
++if [[ ! -e /dev/loop-control ]]; then
+ echo "No loopback device support"
+ SECTOR_SIZES="512"
+ fi
+@@ -108,7 +108,7 @@ for sector_size in $SECTOR_SIZES ; do
+ rm -f "$BACKING_FILE"
+ truncate -s "$disk_size" "$BACKING_FILE"
+
+- if losetup --find >/dev/null 2>&1; then
++ if [[ -e /dev/loop-control ]]; then
+ # shellcheck disable=SC2086
+ blockdev="$(losetup --find --show --sector-size $sector_size $BACKING_FILE)"
+ else
+--
+2.33.0
+
diff --git a/backport-test-check-if-resolved-exits-cleanly.patch b/backport-test-check-if-resolved-exits-cleanly.patch
new file mode 100644
index 0000000..cceee13
--- /dev/null
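Review bot: `[[ -e /dev/loop-control ]]` only tests that something exists at that path; a container can carry the device node without being allowed to use it, or have a non-device file there, in which case the first check reports loopback support and the second hunk's `losetup --find --show` then fails hard instead of falling back to the single sector size. A slightly stronger probe at both sites is `[[ -c /dev/loop-control && -w /dev/loop-control ]]`, which at least requires a writable character device; it still avoids the util-linux 2.40 "lost device" behaviour the commit message describes. Both hunks (the check near line 22 and the one near line 108 of testsuite-72.sh) share this.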
+++ b/backport-test-check-if-resolved-exits-cleanly.patch 
@@ -0,0 +1,88 @@
+From 71ca24c2599d5882c986509e37353200045789b1 Mon Sep 17 00:00:00 2001
+From: Yu Watanabe
+Date: Thu, 7 Dec 2023 15:19:10 +0900
+Subject: [PATCH 0035/1160] test: check if resolved exits cleanly
+
+(cherry picked from commit b1384db11b565dc28e38b5fa70a0e263972b2c3b)
+---
+ test/units/testsuite-75.sh | 24 +++++++++++++++---------
+ 1 file changed, 15 insertions(+), 9 deletions(-)
+
+diff --git a/test/units/testsuite-75.sh b/test/units/testsuite-75.sh
+index 064dd3807a..5dc31f8baa 100755
+--- a/test/units/testsuite-75.sh
++++ b/test/units/testsuite-75.sh
+@@ -43,6 +43,13 @@ monitor_check_rr() (
+ timeout -v 30s journalctl -u resolvectl-monitor.service --since "$since" -f --full | grep -m1 "$match"
+ )
+
++restart_resolved() {
++ systemctl stop systemd-resolved.service
++ (! systemctl is-failed systemd-resolved.service)
++ systemctl start systemd-resolved.service
++ systemctl service-log-level systemd-resolved.service debug
++}
++
+ # Test for resolvectl, resolvconf
+ systemctl unmask systemd-resolved.service
+ systemctl enable --now systemd-resolved.service
+@@ -89,8 +96,7 @@ mkdir -p /run/systemd/resolved.conf.d
+ echo "MulticastDNS=yes"
+ echo "LLMNR=yes"
+ } >/run/systemd/resolved.conf.d/mdns-llmnr.conf
+-systemctl restart systemd-resolved.service
+-systemctl service-log-level systemd-resolved.service debug
++restart_resolved
+ # make sure networkd is not running.
+ systemctl stop systemd-networkd.service
+ # defaults to yes (both the global and per-link settings are yes)
+@@ -115,8 +121,7 @@ assert_in 'no' "$(resolvectl llmnr hoge)"
+ echo "MulticastDNS=resolve"
+ echo "LLMNR=resolve"
+ } >/run/systemd/resolved.conf.d/mdns-llmnr.conf
+-systemctl restart systemd-resolved.service
+-systemctl service-log-level systemd-resolved.service debug
++restart_resolved
+ # set per-link setting
+ resolvectl mdns hoge yes
+ resolvectl llmnr hoge yes
+@@ -136,8 +141,7 @@ assert_in 'no' "$(resolvectl llmnr hoge)"
+ echo "MulticastDNS=no"
+ echo "LLMNR=no"
+ } >/run/systemd/resolved.conf.d/mdns-llmnr.conf
+-systemctl restart systemd-resolved.service
+-systemctl service-log-level systemd-resolved.service debug
++restart_resolved
+ # set per-link setting
+ resolvectl mdns hoge yes
+ resolvectl llmnr hoge yes
+@@ -222,7 +226,7 @@ ln -svf /etc/bind.keys /etc/bind/bind.keys
+ # Start the services
+ systemctl unmask systemd-networkd
+ systemctl start systemd-networkd
+-systemctl restart systemd-resolved
++restart_resolved
+ # Create knot's runtime dir, since from certain version it's provided only by
+ # the package and not created by tmpfiles/systemd
+ if [[ ! -d /run/knot ]]; then
+@@ -587,8 +591,7 @@ if command -v nft >/dev/null; then
+ echo "StaleRetentionSec=1d"
+ } >/run/systemd/resolved.conf.d/test.conf
+ ln -svf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
+- systemctl restart systemd-resolved.service
+- systemctl service-log-level systemd-resolved.service debug
++ restart_resolved
+
+ run dig stale1.unsigned.test -t A
+ grep -qE "NOERROR" "$RUN_OUT"
+@@ -711,4 +714,7 @@ run resolvectl reset-statistics --json=pretty
+
+ run resolvectl reset-statistics --json=short
+
++# Check if resolved exits cleanly.
++restart_resolved
++
+ touch /testok
+--
+2.33.0
+
diff --git a/backport-test-check-pam-warning-message.patch b/backport-test-check-pam-warning-message.patch
new file mode 100644
index 0000000..4a689af
--- /dev/null
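Review bot: `restart_resolved` relies entirely on `systemctl is-failed` after the explicit `stop` to detect an unclean exit, which is the whole reason for not using `restart`; that intent deserves a comment above the function, e.g. `# Stop and start separately so that a crash during shutdown shows up as a failed unit instead of being hidden by an immediate restart.`. Note also that the call site at line 226 previously ran a bare `systemctl restart systemd-resolved` without enabling debug logging; routing it through the helper now sets `service-log-level ... debug` there as well, which is harmless but is a behaviour change beyond the stated purpose and worth a sentence in the commit message.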
+++ b/backport-test-check-pam-warning-message.patch
@@ -0,0 +1,39 @@
+From 021042e28f45cac2e4bb8da6786ca094bf289a3e Mon Sep 17 00:00:00 2001
+From: Yu Watanabe
+Date: Sun, 21 Jan 2024 13:14:15 +0900
+Subject: [PATCH 0290/1160] test: check pam warning message
+
+(cherry picked from commit 88b8d0827691a6c9643c6bd06e73f4ab86dba578)
+---
+ src/shared/pam-util.c | 1 +
+ test/units/end.sh | 3 +++
+ 2 files changed, 4 insertions(+)
+
+diff --git a/src/shared/pam-util.c b/src/shared/pam-util.c
+index 46a2915638..f5814ef700 100644
+--- a/src/shared/pam-util.c
++++ b/src/shared/pam-util.c
+@@ -95,6 +95,7 @@ static void pam_bus_data_destroy(pam_handle_t *handle, void *data, int error_sta
+ PamBusData *d = data;
+ if (FLAGS_SET(error_status, PAM_DATA_SILENT) &&
+ d->bus && bus_origin_changed(d->bus))
++ /* Please adjust test/units/end.sh when updating the log message. */
+ pam_syslog(handle, LOG_DEBUG, "Attempted to close sd-bus after fork whose connection is opened before the fork, this should not happen.");
+
+ pam_bus_data_free(data);
+diff --git a/test/units/end.sh b/test/units/end.sh
+index dd50654f8d..230b716e2f 100755
+--- a/test/units/end.sh
++++ b/test/units/end.sh
+@@ -6,5 +6,8 @@ set -o pipefail
+
+ (! journalctl -q -o short-monotonic --grep "didn't pass validation" >>/failed)
+
++# Here, the redundant '[.]' at the end is for making not the logged self command hit the grep.
++(! journalctl -q -o short-monotonic --grep 'Attempted to close sd-bus after fork whose connection is opened before the fork, this should not happen[.]' >>/failed)
++
+ systemctl poweroff --no-block
+ exit 0
+--
+2.33.0
+
diff --git a/backport-test-clean-up-the-code-a-bit.patch b/backport-test-clean-up-the-code-a-bit.patch
new file mode 100644
index 0000000..6b08f2b
--- /dev/null
+++ b/backport-test-clean-up-the-code-a-bit.patch
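Review bot: The new comment in end.sh is hard to parse (`for making not the logged self command hit the grep`); a clearer wording is `# The trailing '[.]' keeps this journalctl invocation's own command line, which also ends up in the journal, from matching the pattern.`. The check only works while the message is actually stored at LOG_DEBUG, so if a test image ever raises the journal's stored level for this facility the grep can never match and the test passes silently; that limitation belongs in the same comment. The cross-reference placed next to `pam_syslog()` in pam-util.c is the right way to keep the two sides in sync.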
@@ -0,0 +1,111 @@
+From e79860553990392e257a44449e1e5062e8c49651 Mon Sep 17 00:00:00 2001
+From: Frantisek Sumsal
+Date: Fri, 9 Feb 2024 18:53:19 +0100
+Subject: [PATCH 0298/1160] test: clean up the code a bit
+
+(cherry picked from commit 76aa0d5db1a93d16a3455b97d0c3327eb9b31b40)
+---
+ test/units/testsuite-55.sh | 56 ++++++++++----------------------------
+ 1 file changed, 14 insertions(+), 42 deletions(-)
+
+diff --git a/test/units/testsuite-55.sh b/test/units/testsuite-55.sh
+index 6623243622..d9de40b0e6 100755
+--- a/test/units/testsuite-55.sh
++++ b/test/units/testsuite-55.sh
+@@ -13,15 +13,9 @@ test "$(cat /sys/fs/cgroup/init.scope/memory.high)" != "max"
+
+ # Loose checks to ensure the environment has the necessary features for systemd-oomd
+ [[ -e /proc/pressure ]] || echo "no PSI" >>/skipped
+-cgroup_type="$(stat -fc %T /sys/fs/cgroup/)"
+-if [[ "$cgroup_type" != *"cgroup2"* ]] && [[ "$cgroup_type" != *"0x63677270"* ]]; then
+- echo "no cgroup2" >>/skipped
+-fi
+-if [ ! -f /usr/lib/systemd/systemd-oomd ] && [ ! -f /lib/systemd/systemd-oomd ]; then
+- echo "no oomd" >>/skipped
+-fi
+-
+-if [[ -e /skipped ]]; then
++[[ "$(get_cgroup_hierarchy)" == "unified" ]] || echo "no cgroupsv2" >>/skipped
++[[ -x /usr/lib/systemd/systemd-oomd ]] || echo "no oomd" >>/skipped
++if [[ -s /skipped ]]; then
+ exit 0
+ fi
+
+@@ -95,27 +89,16 @@ systemctl start testsuite-55-testchill.service
+ systemctl start testsuite-55-testbloat.service
+
+ # Verify systemd-oomd is monitoring the expected units
+-# Try to avoid racing the oomctl output check by checking in a loop with a timeout
+-oomctl_output=$(oomctl)
+-timeout="$(date -ud "1 minutes" +%s)"
+-while [[ $(date -u +%s) -le $timeout ]]; do
+- if grep "/testsuite-55-workload.slice" <<< "$oomctl_output"; then
+- break
+- fi
+- oomctl_output=$(oomctl)
+- sleep 1
+-done
+-
+-grep "/testsuite-55-workload.slice" <<< "$oomctl_output"
+-grep "20.00%" <<< "$oomctl_output"
+-grep "Default Memory Pressure Duration: 2s" <<< "$oomctl_output"
++timeout 1m bash -xec 'until oomctl | grep "/testsuite-55-workload.slice"; do sleep 1; done'
++oomctl | grep "/testsuite-55-workload.slice"
++oomctl | grep "20.00%"
++oomctl | grep "Default Memory Pressure Duration: 2s"
+
+ systemctl status testsuite-55-testchill.service
+
+ # systemd-oomd watches for elevated pressure for 2 seconds before acting.
+ # It can take time to build up pressure so either wait 2 minutes or for the service to fail.
+-timeout="$(date -ud "2 minutes" +%s)"
+-while [[ $(date -u +%s) -le $timeout ]]; do
++for _ in {0..59}; do
+ if ! systemctl status testsuite-55-testbloat.service; then
+ break
+ fi
+@@ -134,26 +117,16 @@ systemctl start --machine "testuser@.host" --user testsuite-55-testbloat.service
+
+ # Verify systemd-oomd is monitoring the expected units
+ # Try to avoid racing the oomctl output check by checking in a loop with a timeout
+-oomctl_output=$(oomctl)
+-timeout="$(date -ud "1 minutes" +%s)"
+-while [[ $(date -u +%s) -le $timeout ]]; do
+- if grep -E "/user.slice.*/testsuite-55-workload.slice" <<< "$oomctl_output"; then
+- break
+- fi
+- oomctl_output=$(oomctl)
+- sleep 1
+-done
+-
+-grep -E "/user.slice.*/testsuite-55-workload.slice" <<< "$oomctl_output"
+-grep "20.00%" <<< "$oomctl_output"
+-grep "Default Memory Pressure Duration: 2s" <<< "$oomctl_output"
++timeout 1m bash -xec 'until oomctl | grep "/testsuite-55-workload.slice"; do sleep 1; done'
++oomctl | grep -E "/user.slice.*/testsuite-55-workload.slice"
++oomctl | grep "20.00%"
++oomctl | grep "Default Memory Pressure Duration: 2s"
+
+ systemctl --machine "testuser@.host" --user status testsuite-55-testchill.service
+
+ # systemd-oomd watches for elevated pressure for 2 seconds before acting.
+ # It can take time to build up pressure so either wait 2 minutes or for the service to fail.
+-timeout="$(date -ud "2 minutes" +%s)"
+-while [[ $(date -u +%s) -le $timeout ]]; do
++for _ in {0..59}; do
+ if ! systemctl --machine "testuser@.host" --user status testsuite-55-testbloat.service; then
+ break
+ fi
+@@ -180,8 +153,7 @@ EOF
+ systemctl start testsuite-55-testmunch.service
+ systemctl start testsuite-55-testbloat.service
+
+- timeout="$(date -ud "2 minutes" +%s)"
+- while [[ "$(date -u +%s)" -le "$timeout" ]]; do
++ for _ in {0..59}; do
+ if ! systemctl status testsuite-55-testmunch.service; then
+ break
+ fi
+--
+2.33.0
+
diff --git a/backport-test-create-ESP-and-xbootldr-partitions.patch b/backport-test-create-ESP-and-xbootldr-partitions.patch
new file mode 100644
index 0000000..fe5a111
--- /dev/null
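Review bot: In the user-session block (the hunk at line 117 of testsuite-55.sh) the new `until` loop waits on the plain `/testsuite-55-workload.slice` pattern while the assertion right after it greps for `/user.slice.*/testsuite-55-workload.slice`; the system-slice entry from the first half of the test already satisfies the plain pattern, so the loop can return immediately and the stricter grep races oomctl, which is exactly what the comment above says the loop exists to avoid. The wait should use the same pattern as the assertion: `timeout 1m bash -xec 'until oomctl | grep -E "/user.slice.*/testsuite-55-workload.slice"; do sleep 1; done'`. Separately, `[[ -x /usr/lib/systemd/systemd-oomd ]]` drops the former `/lib/systemd/systemd-oomd` fallback, so on an unmerged-/usr image the test now skips rather than runs; presumably intended, but worth stating in the commit message.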
+++ b/backport-test-create-ESP-and-xbootldr-partitions.patch 
@@ -0,0 +1,111 @@ +From 4975a2e64f0cf6689d0efe19944899aa3321205f Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Tue, 5 Dec 2023 16:31:53 +0900 +Subject: [PATCH 0183/1160] test: create ESP and xbootldr partitions + +(cherry picked from commit 97bbb9cfbd6dffb6409a70311d925a95dae9da3b) +--- + test/TEST-24-CRYPTSETUP/test.sh | 6 +++--- + test/test-functions | 31 +++++++++++++++++++++++++------ + 2 files changed, 28 insertions(+), 9 deletions(-) + +diff --git a/test/TEST-24-CRYPTSETUP/test.sh b/test/TEST-24-CRYPTSETUP/test.sh +index d0ec63d870..eace3f23c0 100755 +--- a/test/TEST-24-CRYPTSETUP/test.sh ++++ b/test/TEST-24-CRYPTSETUP/test.sh +@@ -27,7 +27,7 @@ check_result_qemu() { + + mount_initdir + +- cryptsetup luksOpen "${LOOPDEV:?}p2" "${DM_NAME:?}" <"$TESTDIR/keyfile" ++ cryptsetup luksOpen "${LOOPDEV:?}p4" "${DM_NAME:?}" <"$TESTDIR/keyfile" + mount "/dev/mapper/$DM_NAME" "$initdir/var" + + check_result_common "${initdir:?}" && ret=0 || ret=$? +@@ -43,8 +43,8 @@ test_create_image() { + create_empty_image_rootdir + + echo -n test >"${TESTDIR:?}/keyfile" +- cryptsetup -q luksFormat --uuid="$PART_UUID" --pbkdf pbkdf2 --pbkdf-force-iterations 1000 "${LOOPDEV:?}p2" "$TESTDIR/keyfile" +- cryptsetup luksOpen "${LOOPDEV}p2" "${DM_NAME:?}" <"$TESTDIR/keyfile" ++ cryptsetup -q luksFormat --uuid="$PART_UUID" --pbkdf pbkdf2 --pbkdf-force-iterations 1000 "${LOOPDEV:?}p4" "$TESTDIR/keyfile" ++ cryptsetup luksOpen "${LOOPDEV}p4" "${DM_NAME:?}" <"$TESTDIR/keyfile" + mkfs.ext4 -L var "/dev/mapper/$DM_NAME" + mkdir -p "${initdir:?}/var" + mount "/dev/mapper/$DM_NAME" "$initdir/var" +diff --git a/test/test-functions b/test/test-functions +index 3fd795b9f7..c877f71557 100644 +--- a/test/test-functions ++++ b/test/test-functions +@@ -1608,6 +1608,9 @@ create_empty_image() { + # Partition sizes are in MiBs + local root_size=768 + local data_size=100 ++ local esp_size=128 ++ local boot_size=128 ++ local total= + if ! 
get_bool "$NO_BUILD"; then + if meson configure "${BUILD_DIR:?}" | grep 'static-lib\|standalone-binaries' | awk '{ print $2 }' | grep -q 'true'; then + root_size=$((root_size + 200)) +@@ -1630,28 +1633,44 @@ create_empty_image() { + data_size=$((data_size + IMAGE_ADDITIONAL_DATA_SIZE)) + fi + +- echo "Setting up ${IMAGE_PUBLIC:?} (${root_size} MB)" ++ total=$((root_size + data_size + esp_size + boot_size)) ++ ++ echo "Setting up ${IMAGE_PUBLIC:?} (${total} MB)" + rm -f "${IMAGE_PRIVATE:?}" "$IMAGE_PUBLIC" + + # Create the blank file to use as a root filesystem +- truncate -s "${root_size}M" "$IMAGE_PUBLIC" ++ truncate -s "${total}M" "$IMAGE_PUBLIC" + + LOOPDEV="$(losetup --show -P -f "$IMAGE_PUBLIC")" + [[ -b "$LOOPDEV" ]] || return 1 + # Create two partitions - a root one and a data one (utilized by some tests) + sfdisk "$LOOPDEV" < +Date: Fri, 18 Oct 2024 15:02:03 +0100 +Subject: [PATCH 0961/1160] test: customize /etc/os-release instead of + /usr/lib/os-release + +As per spec image builders can create a local /etc/os-release +with per-image IDs, so modify that one instead of the original +one in /usr/lib. For example we do this when we build debian +unstable images in mkosi. + +(cherry picked from commit 2f6fe4e1131d39fcafa9e00a7902919efb5361e1) +(cherry picked from commit 602e12f34003a90b5dbaee074d12abed0142d8c1) +--- + test/units/testsuite-82.sh | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/test/units/testsuite-82.sh b/test/units/testsuite-82.sh +index ccc429c53f..a6078d05e9 100755 +--- a/test/units/testsuite-82.sh ++++ b/test/units/testsuite-82.sh +@@ -130,9 +130,9 @@ elif [ -f /run/testsuite82.touch ]; then + + # Copy os-release away, so that we can manipulate it and check that it is updated in the propagate + # directory across soft reboots. Try to cover corner cases by truncating it. 
+- mkdir -p /tmp/nextroot-lower/usr/lib +- grep ID /etc/os-release >/tmp/nextroot-lower/usr/lib/os-release +- echo MARKER=1 >>/tmp/nextroot-lower/usr/lib/os-release ++ mkdir -p /tmp/nextroot-lower/etc ++ grep ID /etc/os-release >/tmp/nextroot-lower/etc/os-release ++ echo MARKER=1 >>/tmp/nextroot-lower/etc/os-release + cmp /etc/os-release /run/systemd/propagate/.os-release-stage/os-release + (! grep -q MARKER=1 /etc/os-release) + +-- +2.33.0 + diff --git a/backport-test-dhcp-client-utilize-log_info-instead-of-printf.patch b/backport-test-dhcp-client-utilize-log_info-instead-of-printf.patch new file mode 100644 index 0000000..51eea4a --- /dev/null +++ b/backport-test-dhcp-client-utilize-log_info-instead-of-printf.patch 
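Review bot: The context line `# Create two partitions - a root one and a data one (utilized by some tests)` just above the `sfdisk` call in create_empty_image() is now stale: the new `esp_size`/`boot_size` variables and the `total` sizing make the image hold four partitions, so it should read something like `# Create four partitions: ESP and XBOOTLDR in addition to the root one and a data one (utilized by some tests)`; this is hedged because the sfdisk input itself is missing from this page (the text after `sfdisk "$LOOPDEV" <` is cut off and runs straight into the next patch's header). The TEST-24 change from `p2` to `p4` depends on that unseen layout, so a comment next to the luksFormat line would make the coupling visible: `# p4: the data partition laid out by create_empty_image() in test/test-functions`. create_empty_image() begins and ends outside what is visible here.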
@@ -0,0 +1,121 @@
+From cfa083d450b2cd21676651d9489fbcf4dfd1b9f1 Mon Sep 17 00:00:00 2001
+From: Colin Foster
+Date: Fri, 1 Nov 2024 15:39:11 -0500
+Subject: [PATCH 0987/1160] test-dhcp-client: utilize log_info instead of
+ printf
+
+log_info appears to be the preferred method to convey information from
+tests. Convert all the printfs to log_info to follow this standard.
+
+(cherry picked from commit 38557d9ffbc6351b8980faf90d54619790436d43)
+(cherry picked from commit 4ea84288480115f7175a8cfc61d03e3a712396b8)
+---
+ src/libsystemd-network/test-dhcp-client.c | 22 +++++++++++-----------
+ 1 file changed, 11 insertions(+), 11 deletions(-)
+
+diff --git a/src/libsystemd-network/test-dhcp-client.c b/src/libsystemd-network/test-dhcp-client.c
+index 4c24bf779d..546107d815 100644
+--- a/src/libsystemd-network/test-dhcp-client.c
++++ b/src/libsystemd-network/test-dhcp-client.c
+@@ -46,7 +46,7 @@ static void test_request_basic(sd_event *e) {
+ sd_dhcp_client *client;
+
+ if (verbose)
+- printf("* %s\n", __func__);
++ log_info("* %s", __func__);
+
+ /* Initialize client without Anonymize settings. */
+ r = sd_dhcp_client_new(&client, false);
+@@ -106,7 +106,7 @@ static void test_request_anonymize(sd_event *e) {
+ sd_dhcp_client *client;
+
+ if (verbose)
+- printf("* %s\n", __func__);
++ log_info("* %s", __func__);
+
+ /* Initialize client with Anonymize settings. */
+ r = sd_dhcp_client_new(&client, true);
+@@ -138,7 +138,7 @@ static void test_checksum(void) {
+ };
+
+ if (verbose)
+- printf("* %s\n", __func__);
++ log_info("* %s", __func__);
+
+ assert_se(dhcp_packet_checksum((uint8_t*)&buf, 20) == be16toh(0x78ae));
+ }
+@@ -271,7 +271,7 @@ static int test_discover_message_verify(size_t size, struct DHCPMessage *dhcp) {
+ assert_se(res == DHCP_DISCOVER);
+
+ if (verbose)
+- printf(" recv DHCP Discover 0x%08x\n", be32toh(dhcp->xid));
++ log_info(" recv DHCP Discover 0x%08x", be32toh(dhcp->xid));
+
+ return 0;
+ }
+@@ -281,7 +281,7 @@ static void test_discover_message(sd_event *e) {
+ int res, r;
+
+ if (verbose)
+- printf("* %s\n", __func__);
++ log_info("* %s", __func__);
+
+ r = sd_dhcp_client_new(&client, false);
+ assert_se(r >= 0);
+@@ -425,7 +425,7 @@ static int test_addr_acq_acquired(sd_dhcp_client *client, int event,
+ sizeof(addrs[0].s_addr)) == 0);
+
+ if (verbose)
+- printf(" DHCP address acquired\n");
++ log_info(" DHCP address acquired");
+
+ sd_event_exit(e, 0);
+
+@@ -444,7 +444,7 @@ static int test_addr_acq_recv_request(size_t size, DHCPMessage *request) {
+ assert_se(msg_bytes[size - 1] == SD_DHCP_OPTION_END);
+
+ if (verbose)
+- printf(" recv DHCP Request 0x%08x\n", be32toh(xid));
++ log_info(" recv DHCP Request 0x%08x", be32toh(xid));
+
+ memcpy(&test_addr_acq_ack[26], &udp_check, sizeof(udp_check));
+ memcpy(&test_addr_acq_ack[32], &xid, sizeof(xid));
+@@ -457,7 +457,7 @@ static int test_addr_acq_recv_request(size_t size, DHCPMessage *request) {
+ assert_se(res == sizeof(test_addr_acq_ack));
+
+ if (verbose)
+- printf(" send DHCP Ack\n");
++ log_info(" send DHCP Ack");
+
+ return 0;
+ };
+@@ -475,7 +475,7 @@ static int test_addr_acq_recv_discover(size_t size, DHCPMessage *discover) {
+ xid = discover->xid;
+
+ if (verbose)
+- printf(" recv DHCP Discover 0x%08x\n", be32toh(xid));
++ log_info(" recv DHCP Discover 0x%08x", be32toh(xid));
+
+ memcpy(&test_addr_acq_offer[26], &udp_check, sizeof(udp_check));
+ memcpy(&test_addr_acq_offer[32], &xid, sizeof(xid));
+@@ -488,7 +488,7 @@ static int test_addr_acq_recv_discover(size_t size, DHCPMessage *discover) {
+ assert_se(res == sizeof(test_addr_acq_offer));
+
+ if (verbose)
+- printf(" sent DHCP Offer\n");
++ log_info(" sent DHCP Offer");
+
+ return 0;
+ }
+@@ -498,7 +498,7 @@ static void test_addr_acq(sd_event *e) {
+ int res, r;
+
+ if (verbose)
+- printf("* %s\n", __func__);
++ log_info("* %s", __func__);
+
+ r = sd_dhcp_client_new(&client, false);
+ assert_se(r >= 0);
+--
+2.33.0
+
diff --git a/backport-test-dhcp-server-Gracefully-handle-the-network-being.patch b/backport-test-dhcp-server-Gracefully-handle-the-network-being.patch
new file mode 100644
index 0000000..a9b2b92
--- /dev/null
+++ b/backport-test-dhcp-server-Gracefully-handle-the-network-being.patch
@@ -0,0 +1,39 @@
+From db1d9bf99602c69363de7c8b30e878cca133fcbe Mon Sep 17 00:00:00 2001
+From: Daan De Meyer
+Date: Mon, 19 Aug 2024 00:13:47 +0200
+Subject: [PATCH 0857/1160] test-dhcp-server: Gracefully handle the network
+ being down
+
+(cherry picked from commit 4cf7a676af9a79ff418227d8ff488dfca6f243ab)
+(cherry picked from commit 2e52cf1df7f4a874331dcf607e0f4329ffb20bcd)
+---
+ src/libsystemd-network/test-dhcp-server.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/src/libsystemd-network/test-dhcp-server.c b/src/libsystemd-network/test-dhcp-server.c
+index cd39efe3cb..3e67eecbb0 100644
+--- a/src/libsystemd-network/test-dhcp-server.c
++++ b/src/libsystemd-network/test-dhcp-server.c
+@@ -127,6 +127,7 @@ static void test_message_handler(void) {
+ .s_addr = htobe32(INADDR_LOOPBACK + 42),
+ };
+ static uint8_t static_lease_client_id[7] = {0x01, 'A', 'B', 'C', 'D', 'E', 'G' };
++ int r;
+
+ log_debug("/* %s */", __func__);
+
+@@ -137,7 +138,10 @@ static void test_message_handler(void) {
+ assert_se(sd_dhcp_server_attach_event(server, NULL, 0) >= 0);
+ assert_se(sd_dhcp_server_start(server) >= 0);
+
+- assert_se(dhcp_server_handle_message(server, (DHCPMessage*)&test, sizeof(test), NULL) == DHCP_OFFER);
++ r = dhcp_server_handle_message(server, (DHCPMessage*)&test, sizeof(test), NULL);
++ if (r == -ENETDOWN)
++ return (void) log_tests_skipped("Network is not available");
++ assert_se(r == DHCP_OFFER);
+
+ test.end = 0;
+ /* TODO, shouldn't this fail? */
+--
+2.33.0
+
diff --git a/backport-test-dhcp6-terminate-fqdn-option.patch b/backport-test-dhcp6-terminate-fqdn-option.patch
new file mode 100644
index 0000000..5bf162d
--- /dev/null
+++ b/backport-test-dhcp6-terminate-fqdn-option.patch
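Review bot: The `-ENETDOWN` special case deserves a comment, because every other negative return from `dhcp_server_handle_message()` still aborts the test and a reader will ask why this one is a skip rather than a failure: `/* Presumably returned when the server cannot transmit the reply because no usable interface is up (minimal containers/CI sandboxes); treat it as an environment limitation and skip rather than fail. */` above `if (r == -ENETDOWN)`. Returning there also abandons the rest of test_message_handler(), whose body continues past the hunk; that is the right call only if the remaining assertions all go through the same send path, which cannot be confirmed from here.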
@@ -0,0 +1,44 @@
+From 4b00dad416b1ad9f67d5a1719cf228861c85effa Mon Sep 17 00:00:00 2001
+From: Ronan Pigott
+Date: Wed, 24 Jan 2024 17:53:35 -0700
+Subject: [PATCH 0964/1160] test-dhcp6: terminate fqdn option
+
+The encoded fqdn in this option must be properly terminated. We will
+soon validate that this field is correctly encoded, so correct it in the
+test.
+
+(cherry picked from commit 2d9822b634680f1be1d20920aceddac76de110eb)
+(cherry picked from commit 76a73088b0ea7df1290d94d60c31919c95fbf598)
+---
+ src/libsystemd-network/test-dhcp6-client.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/src/libsystemd-network/test-dhcp6-client.c b/src/libsystemd-network/test-dhcp6-client.c
+index f051569380..239cee5654 100644
+--- a/src/libsystemd-network/test-dhcp6-client.c
++++ b/src/libsystemd-network/test-dhcp6-client.c
+@@ -745,8 +745,8 @@ static const uint8_t msg_reply[] = {
+ 0x00, SD_DHCP6_OPTION_DOMAIN, 0x00, 0x0b,
+ 0x03, 'l', 'a', 'b', 0x05, 'i', 'n', 't', 'r', 'a', 0x00,
+ /* Client FQDN */
+- 0x00, SD_DHCP6_OPTION_CLIENT_FQDN, 0x00, 0x12,
+- 0x01, 0x06, 'c', 'l', 'i', 'e', 'n', 't', 0x03, 'l', 'a', 'b', 0x05, 'i', 'n', 't', 'r', 'a',
++ 0x00, SD_DHCP6_OPTION_CLIENT_FQDN, 0x00, 0x13,
++ 0x01, 0x06, 'c', 'l', 'i', 'e', 'n', 't', 0x03, 'l', 'a', 'b', 0x05, 'i', 'n', 't', 'r', 'a', 0x00,
+ /* Vendor specific options */
+ 0x00, SD_DHCP6_OPTION_VENDOR_OPTS, 0x00, 0x09,
+ 0x00, 0x00, 0x00, 0x20, 0x00, 0xf7, 0x00, 0x01, VENDOR_SUBOPTION_BYTES,
+@@ -827,8 +827,8 @@ static const uint8_t msg_advertise[] = {
+ 0x00, SD_DHCP6_OPTION_DOMAIN, 0x00, 0x0b,
+ 0x03, 'l', 'a', 'b', 0x05, 'i', 'n', 't', 'r', 'a', 0x00,
+ /* Client FQDN */
+- 0x00, SD_DHCP6_OPTION_CLIENT_FQDN, 0x00, 0x12,
+- 0x01, 0x06, 'c', 'l', 'i', 'e', 'n', 't', 0x03, 'l', 'a', 'b', 0x05, 'i', 'n', 't', 'r', 'a',
++ 0x00, SD_DHCP6_OPTION_CLIENT_FQDN, 0x00, 0x13,
++ 0x01, 0x06, 'c', 'l', 'i', 'e', 'n', 't', 0x03, 'l', 'a', 'b', 0x05, 'i', 'n', 't', 'r', 'a', 0x00,
+ /* Vendor specific options */
+ 0x00, SD_DHCP6_OPTION_VENDOR_OPTS, 0x00, 0x09,
+ 0x00, 0x00, 0x00, 0x20, 0x00, 0xf7, 0x00, 0x01, VENDOR_SUBOPTION_BYTES,
+-- 
+2.33.0
+
diff --git a/backport-test-disable-testsuite-04.LogFilterPatterns-journal-.patch b/backport-test-disable-testsuite-04.LogFilterPatterns-journal-.patch
new file mode 100644
index 0000000..81123c0
--- /dev/null
+++ b/backport-test-disable-testsuite-04.LogFilterPatterns-journal-.patch
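Review bot: After this change both fixtures (`msg_reply` and `msg_advertise`) only contain the well-formed, terminated Client FQDN (the new length `0x13` is consistent: 1 flags byte + 7 + 4 + 6 + the terminating `0x00`), so the suite no longer has any input that exercises the unterminated form the commit message says will soon be rejected. When that stricter decoding lands, a small negative fixture reusing the two removed `0x12` lines would pin that such a message is refused rather than silently accepted, which is the property worth testing for an option parsed from the network. Both arrays continue past the hunk, so the fixture boundaries are not visible here.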
@@ -0,0 +1,63 @@
+From 2d6e26342997dfc03753e6e6787f950f2fed30df Mon Sep 17 00:00:00 2001
+From: Luca Boccassi
+Date: Mon, 12 Feb 2024 09:59:28 +0000
+Subject: [PATCH 0217/1160] test: disable
+ testsuite-04.LogFilterPatterns/journal and testsuite-45.testcase_ntp
+
+They fail due to https://github.com/systemd/systemd/issues/30886
+but the switch to the new glibc API is not appropriate for stable releases,
+so skip the tests instead on this branch
+---
+ test/units/testsuite-04.LogFilterPatterns.sh | 4 ++++
+ test/units/testsuite-04.journal.sh | 4 ++++
+ test/units/testsuite-45.sh | 4 ++++
+ 3 files changed, 12 insertions(+)
+
+diff --git a/test/units/testsuite-04.LogFilterPatterns.sh b/test/units/testsuite-04.LogFilterPatterns.sh
+index d5d610fe02..2192e84cf7 100755
+--- a/test/units/testsuite-04.LogFilterPatterns.sh
++++ b/test/units/testsuite-04.LogFilterPatterns.sh
+@@ -3,6 +3,10 @@
+ set -eux
+ set -o pipefail
+ 
++# This fails due to https://github.com/systemd/systemd/issues/30886
++# but it is too complex and risky to backport, so disable the test
++exit 0
++
+ # shellcheck source=test/units/util.sh
+ . "$(dirname "$0")"/util.sh
+ 
+diff --git a/test/units/testsuite-04.journal.sh b/test/units/testsuite-04.journal.sh
+index 4d9e48717a..c19cd12d12 100755
+--- a/test/units/testsuite-04.journal.sh
++++ b/test/units/testsuite-04.journal.sh
+@@ -3,6 +3,10 @@
+ set -eux
+ set -o pipefail
+ 
++# This fails due to https://github.com/systemd/systemd/issues/30886
++# but it is too complex and risky to backport, so disable the test
++exit 0
++
+ # Rotation/flush test, see https://github.com/systemd/systemd/issues/19895
+ journalctl --relinquish-var
+ [[ "$(systemd-detect-virt -v)" == "qemu" ]] && ITERATIONS=10 || ITERATIONS=50
+diff --git a/test/units/testsuite-45.sh b/test/units/testsuite-45.sh
+index f6801da0a7..f124a2421c 100755
+--- a/test/units/testsuite-45.sh
++++ b/test/units/testsuite-45.sh
+@@ -246,6 +246,10 @@ assert_timesyncd_state() {
+ }
+ 
+ testcase_ntp() {
++ # This fails due to https://github.com/systemd/systemd/issues/30886
++ # but it is too complex and risky to backport, so disable the test
++ return
++
+ # timesyncd has ConditionVirtualization=!container by default; drop/mock that for testing
+ if systemd-detect-virt --container --quiet; then
+ systemctl disable --quiet --now systemd-timesyncd
+-- 
+2.33.0
+
diff --git a/backport-test-do-not-attempt-to-set-xattr-on-tmpfs.patch b/backport-test-do-not-attempt-to-set-xattr-on-tmpfs.patch
new file mode 100644
index 0000000..ab2a6c5
--- /dev/null
+++ b/backport-test-do-not-attempt-to-set-xattr-on-tmpfs.patch
@@ -0,0 +1,45 @@
+From 29f475653ae3d95024c99b2117afd6bddb2dac4b Mon Sep 17 00:00:00 2001
+From: Daan De Meyer
+Date: Fri, 12 Jul 2024 16:04:22 +0200
+Subject: [PATCH 0758/1160] test: do not attempt to set xattr on tmpfs
+
+This is only possible since a recent kernel version, and fails otherwise,
+like on CentOS 9
+
+(cherry picked from commit ff8c89aa5a84733dd777f3e9113df33ce6c1ab1e)
+(cherry picked from commit a8a7a6716ef2a8e6f10410b9af92fafc3ce204d4)
+---
+ test/units/testsuite-29.sh | 15 ++++++++-------
+ 1 file changed, 8 insertions(+), 7 deletions(-)
+
+diff --git a/test/units/testsuite-29.sh b/test/units/testsuite-29.sh
+index 55e162db28..cf93976081 100755
+--- a/test/units/testsuite-29.sh
++++ b/test/units/testsuite-29.sh
+@@ -277,15 +277,16 @@ portablectl "${ARGS[@]}" attach --copy=symlink --now --runtime /tmp/rootdir mini
+ portablectl detach --now --runtime --enable /tmp/rootdir minimal-app0
+ 
+ # The wrong file should be ignored, given the right one has the xattr set
+-mkdir -p /tmp/wrongext/usr/lib/extension-release.d /tmp/wrongext/usr/lib/systemd/system/
+-echo "[Service]" > /tmp/wrongext/usr/lib/systemd/system/app0.service
+-touch /tmp/wrongext/usr/lib/extension-release.d/extension-release.wrongext_somethingwrong.txt
+-cp /tmp/rootdir/usr/lib/os-release /tmp/wrongext/usr/lib/extension-release.d/extension-release.app0
+-setfattr -n user.extension-release.strict -v "false" /tmp/wrongext/usr/lib/extension-release.d/extension-release.app0
+-portablectl "${ARGS[@]}" attach --runtime --extension /tmp/wrongext /tmp/rootdir app0
++trap 'rm -rf /var/cache/wrongext' EXIT
++mkdir -p /var/cache/wrongext/usr/lib/extension-release.d /var/cache/wrongext/usr/lib/systemd/system/
++echo "[Service]" > /var/cache/wrongext/usr/lib/systemd/system/app0.service
++touch /var/cache/wrongext/usr/lib/extension-release.d/extension-release.wrongext_somethingwrong.txt
++cp /tmp/rootdir/usr/lib/os-release /var/cache/wrongext/usr/lib/extension-release.d/extension-release.app0
++setfattr -n user.extension-release.strict -v "false" /var/cache/wrongext/usr/lib/extension-release.d/extension-release.app0
++portablectl "${ARGS[@]}" attach --runtime --extension /var/cache/wrongext /tmp/rootdir app0
+ status="$(portablectl is-attached --extension wrongext rootdir)"
+ [[ "${status}" == "attached-runtime" ]]
+-portablectl detach --runtime --extension /tmp/wrongext /tmp/rootdir app0
++portablectl detach --runtime --extension /var/cache/wrongext /tmp/rootdir app0
+ 
+ umount /tmp/rootdir
+ umount /tmp/app0
+-- 
+2.33.0
+
diff --git a/backport-test-do-not-fail-network-namespace-test-with-permiss.patch b/backport-test-do-not-fail-network-namespace-test-with-permiss.patch
new file mode 100644
index 0000000..a564dea
--- /dev/null
+++ b/backport-test-do-not-fail-network-namespace-test-with-permiss.patch
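Review bot: `trap 'rm -rf /var/cache/wrongext' EXIT` replaces whatever EXIT trap testsuite-29.sh may already have installed earlier in the script (outside the hunk), so an existing cleanup handler would silently stop running; if there is one, chain it or fold this removal into it rather than overwriting. The move to /var/cache also only helps if that path is not itself tmpfs or another filesystem without `user.*` xattr support on the test image, which the script does not check; turning the `setfattr` line into `setfattr ... || { echo "user xattrs unsupported on /var/cache, skipping" >&2; exit 0; }` would make that environment limitation an explicit skip instead of an unexplained failure. The last point is an inference about the test image, not something visible here.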
@@ -0,0 +1,105 @@
+From ff354605fc440100c2f6aac16a6cce79cf59eef8 Mon Sep 17 00:00:00 2001
+From: Luca Boccassi
+Date: Tue, 21 May 2024 01:43:24 +0100
+Subject: [PATCH 0677/1160] test: do not fail network namespace test with
+ permission issues
+
+When running in LXC with AppArmor we'll most likely get an error when creating
+a network namespace due to a kernel regression in < v6.2 affecting AppArmor,
+resulting in denials. Like other tests, avoid failing in case of permission
+issues and handle it gracefully.
+
+(cherry picked from commit 6ab21f20bd982bc1a9ece47dcffa1137a76cc48a)
+---
+ src/test/test-namespace.c | 34 +++++++++++++++++++++++++---------
+ 1 file changed, 25 insertions(+), 9 deletions(-)
+
+diff --git a/src/test/test-namespace.c b/src/test/test-namespace.c
+index 65d08259d4..2a684ce096 100644
+--- a/src/test/test-namespace.c
++++ b/src/test/test-namespace.c
+@@ -1,6 +1,7 @@
+ /* SPDX-License-Identifier: LGPL-2.1-or-later */
+ 
+ #include
++#include
+ #include
+ #include
+ 
+@@ -84,6 +85,7 @@ TEST(tmpdir) {
+ 
+ static void test_shareable_ns(unsigned long nsflag) {
+ _cleanup_close_pair_ int s[2] = EBADF_PAIR;
++ bool permission_denied = false;
+ pid_t pid1, pid2, pid3;
+ int r, n = 0;
+ siginfo_t si;
+@@ -100,8 +102,8 @@ static void test_shareable_ns(unsigned long nsflag) {
+ 
+ if (pid1 == 0) {
+ r = setup_shareable_ns(s, nsflag);
+- assert_se(r >= 0);
+- _exit(r);
++ assert_se(r >= 0 || ERRNO_IS_NEG_PRIVILEGE(r));
++ _exit(r >= 0 ? r : EX_NOPERM);
+ }
+ 
+ pid2 = fork();
+@@ -109,8 +111,8 @@ static void test_shareable_ns(unsigned long nsflag) {
+ 
+ if (pid2 == 0) {
+ r = setup_shareable_ns(s, nsflag);
+- assert_se(r >= 0);
+- exit(r);
++ assert_se(r >= 0 || ERRNO_IS_NEG_PRIVILEGE(r));
++ _exit(r >= 0 ? r : EX_NOPERM);
+ }
+ 
+ pid3 = fork();
+@@ -118,24 +120,38 @@ static void test_shareable_ns(unsigned long nsflag) {
+ 
+ if (pid3 == 0) {
+ r = setup_shareable_ns(s, nsflag);
+- assert_se(r >= 0);
+- exit(r);
++ assert_se(r >= 0 || ERRNO_IS_NEG_PRIVILEGE(r));
++ _exit(r >= 0 ? r : EX_NOPERM);
+ }
+ 
+ r = wait_for_terminate(pid1, &si);
+ assert_se(r >= 0);
+ assert_se(si.si_code == CLD_EXITED);
+- n += si.si_status;
++ if (si.si_status == EX_NOPERM)
++ permission_denied = true;
++ else
++ n += si.si_status;
+ 
+ r = wait_for_terminate(pid2, &si);
+ assert_se(r >= 0);
+ assert_se(si.si_code == CLD_EXITED);
+- n += si.si_status;
++ if (si.si_status == EX_NOPERM)
++ permission_denied = true;
++ else
++ n += si.si_status;
+ 
+ r = wait_for_terminate(pid3, &si);
+ assert_se(r >= 0);
+ assert_se(si.si_code == CLD_EXITED);
+- n += si.si_status;
++ if (si.si_status == EX_NOPERM)
++ permission_denied = true;
++ else
++ n += si.si_status;
++
++ /* LSMs can cause setup_shareable_ns() to fail with permission denied, do not fail the test in that
++ * case (e.g.: LXC with AppArmor on kernel < v6.2). */
++ if (permission_denied)
++ return (void) log_tests_skipped("insufficient privileges");
+ 
+ assert_se(n == 1);
+ }
+-- 
+2.33.0
+
diff --git a/backport-test-do-not-fill-journal-with-diff.patch b/backport-test-do-not-fill-journal-with-diff.patch
new file mode 100644
index 0000000..43b07be
--- /dev/null
+++ b/backport-test-do-not-fill-journal-with-diff.patch
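Review bot: In each of the three child blocks (pid1, pid2, pid3; the same four lines are repeated) a privilege-class error from `setup_shareable_ns()` is mapped to `EX_NOPERM` without recording which errno was hit, and the parent then collapses it into the generic "insufficient privileges" skip, so a genuine EPERM/EACCES regression on a privileged CI runner would be reported as a skip rather than a failure. Adding `if (r < 0) log_debug_errno(r, "setup_shareable_ns() failed: %m");` before the `_exit()` in the children keeps the cause in the test log, and hoisting those four lines into a small `static void child(int s[2], unsigned long nsflag)` helper would remove the triplication. The added `#include` has its header name stripped in this rendering, so whether `EX_NOPERM` is brought in via `<sysexits.h>` cannot be confirmed from the page. `test_shareable_ns()` starts before the second hunk; only its tail is shown in the last one.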
@@ -0,0 +1,26 @@
+From bbe01c78d77529eb559efbbf901a0f924a4014c0 Mon Sep 17 00:00:00 2001
+From: Yu Watanabe
+Date: Fri, 17 May 2024 14:15:51 +0900
+Subject: [PATCH 0640/1160] test: do not fill journal with diff
+
+(cherry picked from commit 55732636edcdd9d01fa89ee7ca569fd94522fdc7)
+---
+ test/units/testsuite-63.sh | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/test/units/testsuite-63.sh b/test/units/testsuite-63.sh
+index ea8cd945ed..cdd323cba6 100755
+--- a/test/units/testsuite-63.sh
++++ b/test/units/testsuite-63.sh
+@@ -118,7 +118,7 @@ timeout 30 bash -c 'until test "$(systemctl show test63-pr-30768.service -P Acti
+ diff /tmp/copyme /tmp/copied
+ echo test2 > /tmp/copyme
+ exec {lock}<&-
+-timeout 30 bash -c 'until diff /tmp/copyme /tmp/copied; do sleep .2; done'
++timeout 30 bash -c 'until diff /tmp/copyme /tmp/copied >/dev/null; do sleep .2; done'
+ 
+ systemctl log-level info
+ 
+-- 
+2.33.0
+
diff --git a/backport-test-do-not-fill-journal-with-wait.patch b/backport-test-do-not-fill-journal-with-wait.patch
new file mode 100644
index 0000000..ee1c46c
--- /dev/null
+++ b/backport-test-do-not-fill-journal-with-wait.patch
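Review bot: Redirecting the polling `diff` to /dev/null still computes and formats a full diff every 0.2 s only to throw it away; `cmp -s` is the idiomatic silent equality check and states the intent directly: `timeout 30 bash -c 'until cmp -s /tmp/copyme /tmp/copied; do sleep .2; done'`. The exit status used by `until` is the same in both forms, so the loop's behaviour does not change. The earlier unconditional `diff /tmp/copyme /tmp/copied` three lines above still prints on mismatch, which looks deliberate.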
@@ -0,0 +1,26 @@
+From ac9b71aefadcc4f9d47cbb1453d019ae8738155b Mon Sep 17 00:00:00 2001
+From: Yu Watanabe
+Date: Fri, 17 May 2024 14:14:00 +0900
+Subject: [PATCH 0639/1160] test: do not fill journal with "wait"
+
+(cherry picked from commit cad510b08cf801001ab48c154c48208cb002f6b3)
+---
+ test/units/testsuite-13.machinectl.sh | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/test/units/testsuite-13.machinectl.sh b/test/units/testsuite-13.machinectl.sh
+index b5f90f6d0c..2cd55cfd75 100755
+--- a/test/units/testsuite-13.machinectl.sh
++++ b/test/units/testsuite-13.machinectl.sh
+@@ -32,7 +32,7 @@ done
+ # Create one "long running" container with some basic signal handling
+ create_dummy_container /var/lib/machines/long-running
+ cat >/var/lib/machines/long-running/sbin/init <<\EOF
+-#!/usr/bin/bash -x
++#!/usr/bin/bash
+ 
+ PID=0
+ 
+-- 
+2.33.0
+
diff --git a/backport-test-don-t-abbreviate-log-messages-when-dumping-the-.patch b/backport-test-don-t-abbreviate-log-messages-when-dumping-the-.patch
new file mode 100644
index 0000000..15c0dfb
--- /dev/null
+++ b/backport-test-don-t-abbreviate-log-messages-when-dumping-the-.patch
@@ -0,0 +1,29 @@
+From 1df6dd718bb7e134b62b78bdeee4e26c6dec7c9a Mon Sep 17 00:00:00 2001
+From: Frantisek Sumsal
+Date: Fri, 16 Feb 2024 13:49:50 +0100
+Subject: [PATCH 0322/1160] test: don't abbreviate log messages when dumping
+ the test journal
+
+To make debugging test fails easier.
+
+(cherry picked from commit bce0fa7da1352cae5d68bbc831525a39c2bdbfb5)
+---
+ test/test-functions | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/test/test-functions b/test/test-functions
+index 6d18477527..0698b308e4 100644
+--- a/test/test-functions
++++ b/test/test-functions
+@@ -1846,7 +1846,7 @@ save_journal() {
+ 
+ # Show messages from the testsuite-XX.service or messages with priority "warning" and higher
+ echo " --- $source_dir ---"
+- "$JOURNALCTL" --no-pager --no-hostname -o short-monotonic -D "$source_dir" \
++ "$JOURNALCTL" --all --no-pager --no-hostname -o short-monotonic -D "$source_dir" \
+ _SYSTEMD_UNIT="testsuite-${TESTID:?}.service" + PRIORITY=4 + PRIORITY=3 + PRIORITY=2 + PRIORITY=1 + PRIORITY=0
+ 
+ if get_bool "$save"; then
+-- 
+2.33.0
+
diff --git a/backport-test-don-t-check-for-Dinstall-tests-true-with-NO_BUI.patch b/backport-test-don-t-check-for-Dinstall-tests-true-with-NO_BUI.patch
new file mode 100644
index 0000000..01268f5
--- /dev/null
+++ b/backport-test-don-t-check-for-Dinstall-tests-true-with-NO_BUI.patch
@@ -0,0 +1,32 @@
+From 44420128b81582eed79eba7672605a11720668c4 Mon Sep 17 00:00:00 2001
+From: Frantisek Sumsal
+Date: Thu, 14 Dec 2023 15:06:46 +0100
+Subject: [PATCH 0199/1160] test: don't check for -Dinstall-tests=true with
+ NO_BUILD=1
+
+(cherry picked from commit 58bcbad86cc910e007fae3c66c3a5cfc17046801)
+---
+ test/test-functions | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/test/test-functions b/test/test-functions
+index 8f04a37db9..948a00bc21 100644
+--- a/test/test-functions
++++ b/test/test-functions
+@@ -3345,9 +3345,10 @@ test_create_image() {
+ }
+ 
+ test_setup() {
+- if get_bool "${TEST_REQUIRE_INSTALL_TESTS:?}" && \
+- command -v meson >/dev/null && \
+- [[ "$(meson configure "${BUILD_DIR:?}" | grep install-tests | awk '{ print $2 }')" != "true" ]]; then
++ if ! get_bool "$NO_BUILD" && \
++ get_bool "${TEST_REQUIRE_INSTALL_TESTS:?}" && \
++ command -v meson >/dev/null && \
++ [[ "$(meson configure "${BUILD_DIR:?}" | grep install-tests | awk '{ print $2 }')" != "true" ]]; then
+ dfatal "$BUILD_DIR needs to be built with -Dinstall-tests=true"
+ exit 1
+ fi
+-- 
+2.33.0
+
diff --git a/backport-test-don-t-store-udev-worker-coredumps-in-journal.patch b/backport-test-don-t-store-udev-worker-coredumps-in-journal.patch
new file mode 100644
index 0000000..7460d75
--- /dev/null
+++ b/backport-test-don-t-store-udev-worker-coredumps-in-journal.patch
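Review bot: `get_bool "$NO_BUILD"` is the only operand of the new condition without an expansion guard, while its neighbours use `${TEST_REQUIRE_INSTALL_TESTS:?}` and `${BUILD_DIR:?}`; if test-functions runs under `set -u` and NO_BUILD is unset, this line aborts `test_setup()` with an unbound-variable error instead of falling through to the meson check. `if ! get_bool "${NO_BUILD:-0}" && \` makes the intended default explicit and matches the surrounding style. Whether `get_bool` already treats an empty string as false is not visible here. `test_setup()` continues past the hunk.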
@@ -0,0 +1,50 @@ +From 27fc7a03218464ae9b3395120574b4c06e4c8322 Mon Sep 17 00:00:00 2001 +From: Frantisek Sumsal +Date: Wed, 24 Jan 2024 10:26:03 +0100 +Subject: [PATCH 0194/1160] test: don't store udev worker coredumps in journal + +udev before #30532 may kill the worker process together with a slow +program, and when running with sanitizers the resulting coredump might +be too big to fit into journal (or the space currently available for +journal): + +[ 30.086194] systemd-journald[330]: Failed to write entry to /var/log/journal/e87de9ccbacf4b88924ff6d9ecaaa82d/system.journal (50 items, 68326399 bytes) despite vacuuming, ignoring: Argument list too long + +This then makes the test fail, as it checks for the presence of the +coredump. + +Since we don't really care about the coredump in this specific case (as +it is an expected one), let's just temporarily override the +testsuite-wide Storage=journal and store the coredumps externally. + +This is a v255-stable-only patch, since after #30532 the test no longer +checks for coredumps. +--- + test/units/testsuite-17.03.sh | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/test/units/testsuite-17.03.sh b/test/units/testsuite-17.03.sh +index 9af706fae1..56e352e1a0 100755 +--- a/test/units/testsuite-17.03.sh ++++ b/test/units/testsuite-17.03.sh +@@ -8,6 +8,9 @@ KILL_PID= + setup() { + mkdir -p "${TEST_RULE%/*}" + [[ -e /etc/udev/udev.conf ]] && cp -f /etc/udev/udev.conf /etc/udev/udev.conf.bak ++ # Don't bother storing the coredumps in journal for this particular test ++ mkdir -p /run/systemd/coredump.conf.d/ ++ echo -ne "[Coredump]\nStorage=external\n" >/run/systemd/coredump.conf.d/99-storage-journal.conf + + cat >"${TEST_RULE}" < +Date: Sat, 23 Dec 2023 15:11:11 +0100 +Subject: [PATCH 0086/1160] test: don't truncate the final journal + +This is no longer necessary, as the test for which this was introduced +in the first place has this handled explicitly (testsuite-04.journal.sh). + +Follow-up to 9457dd8bae. 
+ 
+(cherry picked from commit eb3cdf49b17bdb511a4599f3814a6dfb503f85fb)
+---
+ test/units/testsuite-04.sh | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/test/units/testsuite-04.sh b/test/units/testsuite-04.sh
+index 2a8f7972e4..9c2a033aa9 100755
+--- a/test/units/testsuite-04.sh
++++ b/test/units/testsuite-04.sh
+@@ -3,9 +3,6 @@
+ set -eux
+ set -o pipefail
+ 
+-# Limit the maximum journal size
+-trap "journalctl --rotate --vacuum-size=20M" EXIT
+-
+ # shellcheck source=test/units/test-control.sh
+ . "$(dirname "$0")"/test-control.sh
+ 
+-- 
+2.33.0
+
diff --git a/backport-test-drop-removed-SCSI-passthrough-feature.patch b/backport-test-drop-removed-SCSI-passthrough-feature.patch
new file mode 100644
index 0000000..9b68b23
--- /dev/null
+++ b/backport-test-drop-removed-SCSI-passthrough-feature.patch
@@ -0,0 +1,38 @@
+From 192a6e99a950c9cbcbe2a79f9045a06a10ca0288 Mon Sep 17 00:00:00 2001
+From: Frantisek Sumsal
+Date: Wed, 18 Sep 2024 12:54:51 +0200
+Subject: [PATCH 0921/1160] test: drop removed SCSI passthrough feature
+
+This feature has been deprecated since QEMU 5.0 and finally removed in
+QEMU 9.1 [0] which now causes issues when running the storage tests on
+latest Arch:
+
+------ testcase_long_sysfs_path: BEGIN ------
+...
+qemu-system-x86_64: -device virtio-blk-pci,drive=drive0,scsi=off,bus=pci_bridge25: Property 'virtio-blk-pci.scsi' not found
+E: qemu failed with exit code 1
+
+[0] https://github.com/qemu/qemu/commit/a271b8d7b2f39275a05e49deb7c8edc20b7a8279
+
+(cherry picked from commit cd57920fbf6a8f7769a82cfc9bebc12965de0199)
+(cherry picked from commit c5baa5d9d9d778aee25b751387c60f43a0a6fb74)
+---
+ test/TEST-64-UDEV-STORAGE/test.sh | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/test/TEST-64-UDEV-STORAGE/test.sh b/test/TEST-64-UDEV-STORAGE/test.sh
+index b9e7bdf18a..a98df38e2d 100755
+--- a/test/TEST-64-UDEV-STORAGE/test.sh
++++ b/test/TEST-64-UDEV-STORAGE/test.sh
+@@ -495,7 +495,7 @@ EOF
+ qemu_opts+=("-device pci-bridge,id=pci_bridge$brid,bus=pci_bridge$((brid-1)),chassis_nr=$((64+brid))")
+ done
+ 
+- qemu_opts+=("-device virtio-blk-pci,drive=drive0,scsi=off,bus=pci_bridge$brid")
++ qemu_opts+=("-device virtio-blk-pci,drive=drive0,bus=pci_bridge$brid")
+ 
+ KERNEL_APPEND="systemd.setenv=TEST_FUNCTION_NAME=${FUNCNAME[0]} ${USER_KERNEL_APPEND:-}"
+ QEMU_OPTIONS="${qemu_opts[*]} ${USER_QEMU_OPTIONS:-}"
+-- 
+2.33.0
+
diff --git a/backport-test-dump-a-simple-summary-at-the-end-of-TEST-02-UNI.patch b/backport-test-dump-a-simple-summary-at-the-end-of-TEST-02-UNI.patch
new file mode 100644
index 0000000..64dfab8
--- /dev/null
+++ b/backport-test-dump-a-simple-summary-at-the-end-of-TEST-02-UNI.patch
@@ -0,0 +1,141 @@
+From 02d87c62c075881c7e768dcde3e88f3970ac3162 Mon Sep 17 00:00:00 2001
+From: Frantisek Sumsal
+Date: Wed, 12 Jun 2024 12:09:25 +0200
+Subject: [PATCH 0694/1160] test: dump a simple summary at the end of
+ TEST-02-UNITTEST
+
+Let's dump a list of skipped tests and logs from failed tests at the end
+of TEST-02-UNITTEST to make debugging fails in CI slightly less painful.
+
+(cherry picked from commit 2ac0e52f29eb5f0040882fc46bcfa369893577f3)
+(cherry picked from commit 4a468387acbc8a2bd51bffaeca242e415e55b614)
+---
+ test/TEST-02-UNITTESTS/test.sh | 8 ----
+ test/test-functions | 68 ----------------------------------
+ test/units/testsuite-02.sh | 14 +++++++
+ 3 files changed, 14 insertions(+), 76 deletions(-)
+
+diff --git a/test/TEST-02-UNITTESTS/test.sh b/test/TEST-02-UNITTESTS/test.sh
+index f165c99368..2cf9c31096 100755
+--- a/test/TEST-02-UNITTESTS/test.sh
++++ b/test/TEST-02-UNITTESTS/test.sh
+@@ -37,12 +37,4 @@ test_append_files() {
+ fi
+ }
+ 
+-check_result_nspawn() {
+- check_result_nspawn_unittests "${1}"
+-}
+-
+-check_result_qemu() {
+- check_result_qemu_unittests
+-}
+-
+ do_test "$@"
+diff --git a/test/test-functions b/test/test-functions
+index 5fd171edf2..98d0b11649 100644
+--- a/test/test-functions
++++ b/test/test-functions
+@@ -1960,74 +1960,6 @@ check_result_qemu() {
+ return $ret
+ }
+ 
+-check_result_nspawn_unittests() {
+- local workspace="${1:?}"
+- local ret=1
+-
+- [[ -e "$workspace/testok" ]] && ret=0
+-
+- if [[ -s "$workspace/failed" ]]; then
+- ret=$((ret + 1))
+- echo "=== Failed test log ==="
+- cat "$workspace/failed"
+- else
+- if [[ -s "$workspace/skipped" ]]; then
+- echo "=== Skipped test log =="
+- cat "$workspace/skipped"
+- # We might have only skipped tests - that should not fail the job
+- ret=0
+- fi
+- if [[ -s "$workspace/testok" ]]; then
+- echo "=== Passed tests ==="
+- cat "$workspace/testok"
+- fi
+- fi
+-
+- get_bool "${TIMED_OUT:=}" && ret=1
+- check_coverage_reports "$workspace" || ret=5
+-
+- save_journal "$workspace/var/log/journal" $ret
+- echo "${JOURNAL_LIST:-"No journals were saved"}"
+-
+- _umount_dir "${initdir:?}"
+-
+- return $ret
+-}
+-
+-check_result_qemu_unittests() {
+- local ret=1
+-
+- mount_initdir
+- [[ -e "${initdir:?}/testok" ]] && ret=0
+-
+- if [[ -s "$initdir/failed" ]]; then
+- ret=$((ret + 1))
+- echo "=== Failed test log ==="
+- cat "$initdir/failed"
+- else
+- if [[ -s "$initdir/skipped" ]]; then
+- echo "=== Skipped test log =="
+- cat "$initdir/skipped"
+- # We might have only skipped tests - that should not fail the job
+- ret=0
+- fi
+- if [[ -s "$initdir/testok" ]]; then
+- echo "=== Passed tests ==="
+- cat "$initdir/testok"
+- fi
+- fi
+-
+- get_bool "${TIMED_OUT:=}" && ret=1
+- check_coverage_reports "$initdir" || ret=5
+-
+- save_journal "$initdir/var/log/journal" $ret
+- echo "${JOURNAL_LIST:-"No journals were saved"}"
+-
+- _umount_dir "$initdir"
+-
+- return $ret
+-}
+-
+ create_rc_local() {
+ dinfo "Create rc.local"
+ mkdir -p "${initdir:?}/etc/rc.d"
+diff --git a/test/units/testsuite-02.sh b/test/units/testsuite-02.sh
+index 2a3cb08c43..30c437350d 100755
+--- a/test/units/testsuite-02.sh
++++ b/test/units/testsuite-02.sh
+@@ -104,6 +104,20 @@ for key in "${!running[@]}"; do
+ unset "running[$key]"
+ done
+ 
++# Write all pending messages, so they don't get mixed with the summaries below
++journalctl --sync
++
++# No need for full test logs in this case
++if [[ -s /skipped-tests ]]; then
++ : "=== SKIPPED TESTS ==="
++ cat /skipped-tests
++fi
++
++if [[ -s /failed ]]; then
++ : "=== FAILED TESTS ==="
++ cat /failed
++fi
++
+ set -x
+ 
+ # Test logs are sometimes lost, as the system shuts down immediately after
+-- 
+2.33.0
+
diff --git a/backport-test-execute-skip-tests-that-are-broken-without-unpr.patch b/backport-test-execute-skip-tests-that-are-broken-without-unpr.patch
new file mode 100644
index 0000000..8ad53b2
--- /dev/null
+++ b/backport-test-execute-skip-tests-that-are-broken-without-unpr.patch
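Review bot: The `: "=== SKIPPED TESTS ==="` and `: "=== FAILED TESTS ==="` lines in testsuite-02.sh only become visible through xtrace, yet the `set -x` context line immediately after the new block suggests tracing is off at that point and is re-enabled only afterwards; if so, the headings are never printed and the `cat /skipped-tests` and `cat /failed` output run together unlabelled. Either use `echo "=== SKIPPED TESTS ==="` (and the same for FAILED) or move the block below `set -x`. If tracing is in fact still active here, the comment `# No need for full test logs in this case` should say the `:` lines are deliberate trace markers so nobody "fixes" them later. The host-side summary and the only-skipped-is-not-a-failure handling removed from test-functions are not re-created in this hunk; whether the generic `check_result_*` path still distinguishes those cases is outside the visible diff.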
@@ -0,0 +1,227 @@ +From 8c4d70178a3c4d407e338ec389c59e3781b4d174 Mon Sep 17 00:00:00 2001 +From: Nick Rosbrook +Date: Thu, 18 Jan 2024 15:49:42 -0500 +Subject: [PATCH 0273/1160] test-execute: skip tests that are broken without + unprivileged userns + +With newer versions of AppArmor, unprivileged user namespace creation +may be restricted by default, in which case user manager instances will +not be able to apply PrivateUsers=yes (or the settings which require it). +Additionally, if a kernel has the kernel.unprivileged_userns_clone +sysctl patch, and that sysctl is 0, then unprivileged userns creation +will always fail. + +If a test unit is going to be run in a user manager, and that unit +requires PrivateUsers=yes (explicitly or implicitly), then skip it if +we do not have user namespace privileges. + +(cherry picked from commit d0c6136f5130ee5baa561e3af5a3b53719588dcf) +--- + src/test/test-execute.c | 107 +++++++++++++++++++++++++++++++++------- + 1 file changed, 90 insertions(+), 17 deletions(-) + +diff --git a/src/test/test-execute.c b/src/test/test-execute.c +index 126ca14c66..4f6ad5dcae 100644 +--- a/src/test/test-execute.c ++++ b/src/test/test-execute.c +@@ -218,6 +218,47 @@ static void start_parent_slices(Unit *unit) { + } + } + ++static bool have_userns_privileges(void) { ++ pid_t pid; ++ int r; ++ ++ r = safe_fork("(sd-test-check-userns)", ++ FORK_RESET_SIGNALS | ++ FORK_CLOSE_ALL_FDS | ++ FORK_DEATHSIG_SIGKILL, ++ &pid); ++ assert(r >= 0); ++ if (r == 0) { ++ /* Keep CAP_SYS_ADMIN if we have it to ensure we give an ++ * accurate result to the caller. Some kernels have a ++ * kernel.unprivileged_userns_clone sysctl which can be ++ * configured to make CLONE_NEWUSER require CAP_SYS_ADMIN. ++ * Additionally, AppArmor may restrict unprivileged user ++ * namespace creation. 
*/ ++ r = capability_bounding_set_drop(UINT64_C(1) << CAP_SYS_ADMIN, /* right_now = */ true); ++ if (r < 0) { ++ log_debug_errno(r, "Failed to drop capabilities: %m"); ++ _exit(2); ++ } ++ ++ r = RET_NERRNO(unshare(CLONE_NEWUSER)); ++ if (r < 0 && !ERRNO_IS_NEG_PRIVILEGE(r)) ++ log_debug_errno(r, "Failed to create user namespace: %m"); ++ ++ _exit(r >= 0 ? EXIT_SUCCESS : ERRNO_IS_NEG_PRIVILEGE(r) ? EXIT_FAILURE : 2); ++ } ++ ++ /* The exit code records the result of the check: ++ * EXIT_SUCCESS => we can use user namespaces ++ * EXIT_FAILURE => we can NOT use user namespaces ++ * 2 => some other error occurred */ ++ r = wait_for_terminate_and_check("(sd-test-check-userns)", pid, 0); ++ if (!IN_SET(r, EXIT_SUCCESS, EXIT_FAILURE)) ++ log_debug("Failed to check if user namespaces can be used, assuming not."); ++ ++ return r == EXIT_SUCCESS; ++} ++ + static void _test(const char *file, unsigned line, const char *func, + Manager *m, const char *unit_name, int status_expected, int code_expected) { + Unit *unit; +@@ -418,9 +459,12 @@ static void test_exec_ignoresigpipe(Manager *m) { + static void test_exec_privatetmp(Manager *m) { + assert_se(touch("/tmp/test-exec_privatetmp") >= 0); + +- test(m, "exec-privatetmp-yes.service", can_unshare ? 0 : MANAGER_IS_SYSTEM(m) ? EXIT_FAILURE : EXIT_NAMESPACE, CLD_EXITED); ++ if (MANAGER_IS_SYSTEM(m) || have_userns_privileges()) { ++ test(m, "exec-privatetmp-yes.service", can_unshare ? 0 : MANAGER_IS_SYSTEM(m) ? EXIT_FAILURE : EXIT_NAMESPACE, CLD_EXITED); ++ test(m, "exec-privatetmp-disabled-by-prefix.service", can_unshare ? 0 : MANAGER_IS_SYSTEM(m) ? EXIT_FAILURE : EXIT_NAMESPACE, CLD_EXITED); ++ } ++ + test(m, "exec-privatetmp-no.service", 0, CLD_EXITED); +- test(m, "exec-privatetmp-disabled-by-prefix.service", can_unshare ? 0 : MANAGER_IS_SYSTEM(m) ? 
EXIT_FAILURE : EXIT_NAMESPACE, CLD_EXITED); + + (void) unlink("/tmp/test-exec_privatetmp"); + } +@@ -437,12 +481,15 @@ static void test_exec_privatedevices(Manager *m) { + return; + } + +- test(m, "exec-privatedevices-yes.service", can_unshare ? 0 : MANAGER_IS_SYSTEM(m) ? EXIT_FAILURE : EXIT_NAMESPACE, CLD_EXITED); ++ if (MANAGER_IS_SYSTEM(m) || have_userns_privileges()) { ++ test(m, "exec-privatedevices-yes.service", can_unshare ? 0 : MANAGER_IS_SYSTEM(m) ? EXIT_FAILURE : EXIT_NAMESPACE, CLD_EXITED); ++ if (access("/dev/kmsg", F_OK) >= 0) ++ test(m, "exec-privatedevices-bind.service", can_unshare ? 0 : MANAGER_IS_SYSTEM(m) ? EXIT_FAILURE : EXIT_NAMESPACE, CLD_EXITED); ++ test(m, "exec-privatedevices-disabled-by-prefix.service", can_unshare ? 0 : MANAGER_IS_SYSTEM(m) ? EXIT_FAILURE : EXIT_NAMESPACE, CLD_EXITED); ++ test(m, "exec-privatedevices-yes-with-group.service", can_unshare ? 0 : MANAGER_IS_SYSTEM(m) ? EXIT_FAILURE : EXIT_NAMESPACE, CLD_EXITED); ++ } ++ + test(m, "exec-privatedevices-no.service", 0, CLD_EXITED); +- if (access("/dev/kmsg", F_OK) >= 0) +- test(m, "exec-privatedevices-bind.service", can_unshare ? 0 : MANAGER_IS_SYSTEM(m) ? EXIT_FAILURE : EXIT_NAMESPACE, CLD_EXITED); +- test(m, "exec-privatedevices-disabled-by-prefix.service", can_unshare ? 0 : MANAGER_IS_SYSTEM(m) ? EXIT_FAILURE : EXIT_NAMESPACE, CLD_EXITED); +- test(m, "exec-privatedevices-yes-with-group.service", can_unshare ? 0 : MANAGER_IS_SYSTEM(m) ? EXIT_FAILURE : EXIT_NAMESPACE, CLD_EXITED); + + /* We use capsh to test if the capabilities are + * properly set, so be sure that it exists */ +@@ -452,9 +499,12 @@ static void test_exec_privatedevices(Manager *m) { + return; + } + +- test(m, "exec-privatedevices-yes-capability-mknod.service", can_unshare || MANAGER_IS_SYSTEM(m) ? 0 : EXIT_NAMESPACE, CLD_EXITED); ++ if (MANAGER_IS_SYSTEM(m) || have_userns_privileges()) { ++ test(m, "exec-privatedevices-yes-capability-mknod.service", can_unshare || MANAGER_IS_SYSTEM(m) ? 
0 : EXIT_NAMESPACE, CLD_EXITED); ++ test(m, "exec-privatedevices-yes-capability-sys-rawio.service", MANAGER_IS_SYSTEM(m) ? 0 : EXIT_NAMESPACE, CLD_EXITED); ++ } ++ + test(m, "exec-privatedevices-no-capability-mknod.service", MANAGER_IS_SYSTEM(m) ? 0 : EXIT_FAILURE, CLD_EXITED); +- test(m, "exec-privatedevices-yes-capability-sys-rawio.service", MANAGER_IS_SYSTEM(m) ? 0 : EXIT_NAMESPACE, CLD_EXITED); + test(m, "exec-privatedevices-no-capability-sys-rawio.service", MANAGER_IS_SYSTEM(m) ? 0 : EXIT_FAILURE, CLD_EXITED); + } + +@@ -486,13 +536,17 @@ static void test_exec_protectkernelmodules(Manager *m) { + } + + test(m, "exec-protectkernelmodules-no-capabilities.service", MANAGER_IS_SYSTEM(m) ? 0 : EXIT_FAILURE, CLD_EXITED); +- test(m, "exec-protectkernelmodules-yes-capabilities.service", MANAGER_IS_SYSTEM(m) ? 0 : EXIT_NAMESPACE, CLD_EXITED); +- test(m, "exec-protectkernelmodules-yes-mount-propagation.service", can_unshare ? 0 : MANAGER_IS_SYSTEM(m) ? EXIT_FAILURE : EXIT_NAMESPACE, CLD_EXITED); ++ ++ if (MANAGER_IS_SYSTEM(m) || have_userns_privileges()) { ++ test(m, "exec-protectkernelmodules-yes-capabilities.service", MANAGER_IS_SYSTEM(m) ? 0 : EXIT_NAMESPACE, CLD_EXITED); ++ test(m, "exec-protectkernelmodules-yes-mount-propagation.service", can_unshare ? 0 : MANAGER_IS_SYSTEM(m) ? EXIT_FAILURE : EXIT_NAMESPACE, CLD_EXITED); ++ } + } + + static void test_exec_readonlypaths(Manager *m) { + +- test(m, "exec-readonlypaths-simple.service", can_unshare ? 0 : MANAGER_IS_SYSTEM(m) ? EXIT_FAILURE : EXIT_NAMESPACE, CLD_EXITED); ++ if (MANAGER_IS_SYSTEM(m) || have_userns_privileges()) ++ test(m, "exec-readonlypaths-simple.service", can_unshare ? 0 : MANAGER_IS_SYSTEM(m) ? 
EXIT_FAILURE : EXIT_NAMESPACE, CLD_EXITED); + + if (path_is_read_only_fs("/var") > 0) { + log_notice("Directory /var is readonly, skipping remaining tests in %s", __func__); +@@ -521,7 +575,8 @@ static void test_exec_inaccessiblepaths(Manager *m) { + return; + } + +- test(m, "exec-inaccessiblepaths-sys.service", can_unshare ? 0 : MANAGER_IS_SYSTEM(m) ? EXIT_FAILURE : EXIT_NAMESPACE, CLD_EXITED); ++ if (MANAGER_IS_SYSTEM(m) || have_userns_privileges()) ++ test(m, "exec-inaccessiblepaths-sys.service", can_unshare ? 0 : MANAGER_IS_SYSTEM(m) ? EXIT_FAILURE : EXIT_NAMESPACE, CLD_EXITED); + + if (path_is_read_only_fs("/") > 0) { + log_notice("Root directory is readonly, skipping remaining tests in %s", __func__); +@@ -694,6 +749,9 @@ static void test_exec_mount_apivfs(Manager *m) { + return; + } + ++ if (MANAGER_IS_USER(m) && !have_userns_privileges()) ++ return (void)log_notice("Skipping %s, do not have user namespace privileges", __func__); ++ + assert_se(find_libraries(fullpath_touch, &libraries) >= 0); + assert_se(find_libraries(fullpath_test, &libraries_test) >= 0); + assert_se(strv_extend_strv(&libraries, libraries_test, true) >= 0); +@@ -718,7 +776,10 @@ static void test_exec_mount_apivfs(Manager *m) { + + static void test_exec_noexecpaths(Manager *m) { + +- test(m, "exec-noexecpaths-simple.service", can_unshare ? 0 : MANAGER_IS_SYSTEM(m) ? EXIT_FAILURE : EXIT_NAMESPACE, CLD_EXITED); ++ if (MANAGER_IS_SYSTEM(m) || have_userns_privileges()) ++ test(m, "exec-noexecpaths-simple.service", can_unshare ? 0 : MANAGER_IS_SYSTEM(m) ? EXIT_FAILURE : EXIT_NAMESPACE, CLD_EXITED); ++ else ++ return (void)log_notice("Skipping %s, do not have user namespace privileges", __func__); + } + + static void test_exec_temporaryfilesystem(Manager *m) { +@@ -1000,8 +1061,11 @@ static void test_exec_passenvironment(Manager *m) { + } + + static void test_exec_umask(Manager *m) { +- test(m, "exec-umask-default.service", can_unshare || MANAGER_IS_SYSTEM(m) ? 
0 : EXIT_NAMESPACE, CLD_EXITED); +- test(m, "exec-umask-0177.service", can_unshare || MANAGER_IS_SYSTEM(m) ? 0 : EXIT_NAMESPACE, CLD_EXITED); ++ if (MANAGER_IS_SYSTEM(m) || have_userns_privileges()) { ++ test(m, "exec-umask-default.service", can_unshare || MANAGER_IS_SYSTEM(m) ? 0 : EXIT_NAMESPACE, CLD_EXITED); ++ test(m, "exec-umask-0177.service", can_unshare || MANAGER_IS_SYSTEM(m) ? 0 : EXIT_NAMESPACE, CLD_EXITED); ++ } else ++ return (void)log_notice("Skipping %s, do not have user namespace privileges", __func__); + } + + static void test_exec_runtimedirectory(Manager *m) { +@@ -1048,7 +1112,10 @@ static void test_exec_capabilityboundingset(Manager *m) { + } + + static void test_exec_basic(Manager *m) { +- test(m, "exec-basic.service", can_unshare || MANAGER_IS_SYSTEM(m) ? 0 : EXIT_NAMESPACE, CLD_EXITED); ++ if (MANAGER_IS_SYSTEM(m) || have_userns_privileges()) ++ test(m, "exec-basic.service", can_unshare || MANAGER_IS_SYSTEM(m) ? 0 : EXIT_NAMESPACE, CLD_EXITED); ++ else ++ return (void)log_notice("Skipping %s, do not have user namespace privileges", __func__); + } + + static void test_exec_ambientcapabilities(Manager *m) { +@@ -1096,6 +1163,9 @@ static void test_exec_privatenetwork(Manager *m) { + if (!have_net_dummy) + return (void)log_notice("Skipping %s, dummy network interface not available", __func__); + ++ if (MANAGER_IS_USER(m) && !have_userns_privileges()) ++ return (void)log_notice("Skipping %s, do not have user namespace privileges", __func__); ++ + r = find_executable("ip", NULL); + if (r < 0) { + log_notice_errno(r, "Skipping %s, could not find ip binary: %m", __func__); +@@ -1115,6 +1185,9 @@ static void test_exec_networknamespacepath(Manager *m) { + if (!have_netns) + return (void)log_notice("Skipping %s, network namespace not available", __func__); + ++ if (MANAGER_IS_USER(m) && !have_userns_privileges()) ++ return (void)log_notice("Skipping %s, do not have user namespace privileges", __func__); ++ + r = find_executable("ip", NULL); + if (r < 0) 
{ + log_notice_errno(r, "Skipping %s, could not find ip binary: %m", __func__); +-- +2.33.0 + diff --git a/backport-test-execute-update-permission-of-credstore.patch b/backport-test-execute-update-permission-of-credstore.patch new file mode 100644 index 0000000..edb529f --- /dev/null +++ b/backport-test-execute-update-permission-of-credstore.patch 
@@ -0,0 +1,42 @@
+From 14b2795fcf0634b70a0dadfcc2ee83ac70ff1982 Mon Sep 17 00:00:00 2001
+From: Yu Watanabe
+Date: Mon, 5 Jun 2023 14:18:47 +0900
+Subject: [PATCH 0966/1160] test-execute: update permission of credstore
+
+Follow-up for 40fb9eebbc075ce1e63100386d2c5f177ad7d738.
+
+(cherry picked from commit c443f6924fa3b02113da2536dd816a15ee708510)
+(cherry picked from commit eaab857abade1245fc7617dbc57d43fa916be077)
+---
+ src/test/test-execute.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/src/test/test-execute.c b/src/test/test-execute.c
+index 4f6ad5dcae..6fc383ca1b 100644
+--- a/src/test/test-execute.c
++++ b/src/test/test-execute.c
+@@ -325,8 +325,8 @@ static void test_exec_cpuaffinity(Manager *m) {
+
+ static void test_exec_credentials(Manager *m) {
+ test(m, "exec-set-credential.service", 0, CLD_EXITED);
+- test(m, "exec-load-credential.service", MANAGER_IS_SYSTEM(m) ? 0 : EXIT_CREDENTIALS, CLD_EXITED);
+- test(m, "exec-credentials-dir-specifier.service", MANAGER_IS_SYSTEM(m) ? 0 : EXIT_CREDENTIALS, CLD_EXITED);
++ test(m, "exec-load-credential.service", 0, CLD_EXITED);
++ test(m, "exec-credentials-dir-specifier.service", 0, CLD_EXITED);
+ }
+
+ static void test_exec_workingdirectory(Manager *m) {
+@@ -1425,8 +1425,8 @@ static int prepare_ns(const char *process_name) {
+
+ /* Prepare credstore like tmpfiles.d/credstore.conf for LoadCredential= tests. */
+ FOREACH_STRING(p, "/run/credstore", "/run/credstore.encrypted") {
+- assert_se(mkdir_p(p, 0) >= 0);
+- assert_se(mount_nofollow_verbose(LOG_DEBUG, "tmpfs", p, "tmpfs", MS_NOSUID|MS_NODEV, "mode=0000") >= 0);
++ assert_se(mkdir_p(p, 0700) >= 0);
++ assert_se(mount_nofollow_verbose(LOG_DEBUG, "tmpfs", p, "tmpfs", MS_NOSUID|MS_NODEV, "mode=0700") >= 0);
+ }
+
+ assert_se(write_string_file("/run/credstore/test-execute.load-credential", "foo", WRITE_STRING_FILE_CREATE) >= 0);
+--
+2.33.0
+
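Review bot: The expected status of the user-manager cases in the `test_exec_credentials` hunk drops from EXIT_CREDENTIALS to 0, but nothing in the hunk records why a 0700 credstore becomes readable from a user manager; presumably prepare_ns runs the whole suite as root inside a private mount namespace, which is what makes it pass, and a one-line comment at those `test()` calls should say so. I would also extend the existing comment in prepare_ns to `/* Prepare credstore like tmpfiles.d/credstore.conf (mode 0700) for LoadCredential= tests; keep the mode in sync with that file. */` so a later change to credstore.conf does not silently leave the fixture testing a different permission model than production. Since nothing under the credstore is ever meant to be executed, the tmpfs could additionally carry `MS_NOEXEC` next to `MS_NOSUID|MS_NODEV`, though that goes beyond what this commit changes. Both enclosing functions start outside the hunk.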
diff --git a/backport-test-explicitly-set-TERM-linux-for-TEST-69-SHUTDOWN.patch b/backport-test-explicitly-set-TERM-linux-for-TEST-69-SHUTDOWN.patch
new file mode 100644
index 0000000..55ca884
--- /dev/null
+++ b/backport-test-explicitly-set-TERM-linux-for-TEST-69-SHUTDOWN.patch
@@ -0,0 +1,43 @@
+From 275d720c9d1f2f7a7c563664a4704028a7f41e72 Mon Sep 17 00:00:00 2001
+From: Frantisek Sumsal
+Date: Sun, 3 Mar 2024 17:15:23 +0100
+Subject: [PATCH 0343/1160] test: explicitly set TERM=linux for
+ TEST-69-SHUTDOWN
+
+sulogin from the latest util-linux started falling back to vt102 instead
+of linux, which makes screen sad (because we install only the linux
+terminfo into the test image) and expect trips over the unexpected
+warning. Let's just explicitly set TERM=linux before invoking screen to
+avoid this.
+
++ make -C TEST-69-SHUTDOWN setup run
+...
+INFO:test-shutdown:log in and start screen
+root
+root
+Last login: Sun Mar 3 13:19:31 from 18.191.105.60
+-bash-5.2# screen
+screen
+Cannot find terminfo entry for 'vt102'.
+-bash-5.2# ERROR:test-shutdown:Timeout exceeded.
+
+(cherry picked from commit 7a63c5e550d06659096d858dc14dda04726311fa)
+---
+ test/TEST-69-SHUTDOWN/test.sh | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/test/TEST-69-SHUTDOWN/test.sh b/test/TEST-69-SHUTDOWN/test.sh
+index 8fdbaf81fe..0e12857618 100755
+--- a/test/TEST-69-SHUTDOWN/test.sh
++++ b/test/TEST-69-SHUTDOWN/test.sh
+@@ -38,6 +38,7 @@ EOF
+
+ inst /usr/bin/screen
+ echo "PS1='screen\$WINDOW # '" >>"$workspace/root/.bashrc"
++ echo "TERM=linux" >>"$workspace/root/.bash_profile"
+ echo 'startup_message off' >"$workspace/etc/screenrc"
+ echo 'bell_msg ""' >>"$workspace/etc/screenrc"
+ }
+--
+2.33.0
+
diff --git a/backport-test-explicitly-set-nsec3-iterations-to-0.patch b/backport-test-explicitly-set-nsec3-iterations-to-0.patch
new file mode 100644
index 0000000..ab1ea8c
--- /dev/null
+++ b/backport-test-explicitly-set-nsec3-iterations-to-0.patch
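Review bot: `echo "TERM=linux" >>"$workspace/root/.bash_profile"` assigns a plain shell variable without `export`; screen only sees it because login normally already exports TERM, and re-assigning an exported variable keeps the export flag. On a login path where TERM is not pre-set in the environment the value would stay shell-local and the vt102 fallback from the commit message would come back. `echo "export TERM=linux" >>"$workspace/root/.bash_profile"` makes the intent explicit and independent of what the getty did. The enclosing function starts outside the hunk.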
@@ -0,0 +1,41 @@
+From 3158eb9f8f3e64b2729107dc9ef06509b100150e Mon Sep 17 00:00:00 2001
+From: Frantisek Sumsal
+Date: Tue, 30 Jan 2024 16:27:58 +0100
+Subject: [PATCH 0207/1160] test: explicitly set nsec3-iterations to 0
+
+knot v3.2 and later does this by default. knot v3.1 still has the default set to
+10, but it also introduced a warning that the default will be changed to 0 in
+later versions, so it effectively complains about its own default, which then
+fails the config check. Let's just set the value explicitly to zero to avoid
+that.
+
+~# knotc --version
+knotc (Knot DNS), version 3.1.6
+~# grep nsec3-iterations test/knot-data/knot.conf || echo nope
+nope
+~# knotc -c /build/test/knot-data/knot.conf conf-check
+warning: config, policy[auto_rollover_nsec3].nsec3-iterations defaults to 10, since version 3.2 the default becomes 0
+Configuration is valid
+
+Follow-up to 0652cf8e7b.
+
+(cherry picked from commit cb3244c0dcea80ad35e5bcaf7a07bd449ac65325)
+---
+ test/knot-data/knot.conf | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/test/knot-data/knot.conf b/test/knot-data/knot.conf
+index cfe478fe1c..b925812312 100644
+--- a/test/knot-data/knot.conf
++++ b/test/knot-data/knot.conf
+@@ -51,6 +51,7 @@ policy:
+ ds-push: parent_zone_server
+ ksk-lifetime: 365d
+ ksk-submission: parent_zone_sbm
++ nsec3-iterations: 0
+ nsec3: on
+ propagation-delay: 1s
+ signing-threads: 4
+--
+2.33.0
+
diff --git a/backport-test-extend-firstboot-testing.patch b/backport-test-extend-firstboot-testing.patch
new file mode 100644
index 0000000..3c1f931
--- /dev/null
+++ b/backport-test-extend-firstboot-testing.patch
@@ -0,0 +1,130 @@ +From 87788007b2742eba0716084fedb5ad7d07dd04e0 Mon Sep 17 00:00:00 2001 +From: Dan Nicholson +Date: Tue, 30 Jul 2024 18:20:13 -0600 +Subject: [PATCH 0820/1160] test: extend firstboot testing + +Several features were not being tested or weren't being evaluated thoroughly. + +(cherry picked from commit 38688bbc8ffb16a449a41cab344c27f6b1e74cd3) +(cherry picked from commit fdf270a89e22ca9b0171153479cfda0c7922699e) +--- + test/units/testsuite-74.firstboot.sh | 62 +++++++++++++++++++++++++--- + 1 file changed, 57 insertions(+), 5 deletions(-) + +diff --git a/test/units/testsuite-74.firstboot.sh b/test/units/testsuite-74.firstboot.sh +index be08575c9e..d00ff6cb9d 100755 +--- a/test/units/testsuite-74.firstboot.sh ++++ b/test/units/testsuite-74.firstboot.sh +@@ -11,6 +11,7 @@ fi + at_exit() { + if [[ -n "${ROOT:-}" ]]; then + ls -lR "$ROOT" ++ grep -r . "$ROOT/etc" || : + rm -fr "$ROOT" + fi + } +@@ -61,13 +62,27 @@ grep -q "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "$ROOT/etc/machine-id" + rm -fv "$ROOT/etc/passwd" "$ROOT/etc/shadow" + systemd-firstboot --root="$ROOT" --root-password=foo + grep -q "^root:x:0:0:" "$ROOT/etc/passwd" +-grep -q "^root:" "$ROOT/etc/shadow" ++grep -q "^root:[^!*]" "$ROOT/etc/shadow" + rm -fv "$ROOT/etc/passwd" "$ROOT/etc/shadow" + echo "foo" >root.passwd + systemd-firstboot --root="$ROOT" --root-password-file=root.passwd + grep -q "^root:x:0:0:" "$ROOT/etc/passwd" +-grep -q "^root:" "$ROOT/etc/shadow" ++grep -q "^root:[^!*]" "$ROOT/etc/shadow" + rm -fv "$ROOT/etc/passwd" "$ROOT/etc/shadow" root.passwd ++# If /etc/passwd and /etc/shadow exist, they will only be updated if the shadow ++# password is !unprovisioned. 
++echo "root:x:0:0:root:/root:/bin/sh" >"$ROOT/etc/passwd" ++echo "root:!test:::::::" >"$ROOT/etc/shadow" ++systemd-firstboot --root="$ROOT" --root-password=foo ++grep -q "^root:x:0:0:" "$ROOT/etc/passwd" ++grep -q "^root:!test:" "$ROOT/etc/shadow" ++rm -fv "$ROOT/etc/passwd" "$ROOT/etc/shadow" ++echo "root:x:0:0:root:/root:/bin/sh" >"$ROOT/etc/passwd" ++echo "root:!unprovisioned:::::::" >"$ROOT/etc/shadow" ++systemd-firstboot --root="$ROOT" --root-password=foo ++grep -q "^root:x:0:0:" "$ROOT/etc/passwd" ++grep -q "^root:[^!*]" "$ROOT/etc/shadow" ++rm -fv "$ROOT/etc/passwd" "$ROOT/etc/shadow" + # Set the shell together with the password, as firstboot won't touch + # /etc/passwd if it already exists + systemd-firstboot --root="$ROOT" --root-password-hashed="$ROOT_HASHED_PASSWORD1" --root-shell=/bin/fooshell +@@ -154,8 +169,9 @@ mkdir -p "$ROOT/bin" + touch "$ROOT/bin/fooshell" "$ROOT/bin/barshell" + # Temporarily disable pipefail to avoid `echo: write error: Broken pipe + set +o pipefail +-# We can do only limited testing here, since it's all an interactive stuff, +-# so --prompt and --prompt-root-password are skipped on purpose ++# We can do only limited testing here, since it's all an interactive stuff, so ++# --prompt is skipped on purpose and only limited --prompt-root-password ++# testing can be done. + echo -ne "\nfoo\nbar\n" | systemd-firstboot --root="$ROOT" --prompt-locale + grep -q "LANG=foo" "$ROOT$LOCALE_PATH" + grep -q "LC_MESSAGES=bar" "$ROOT$LOCALE_PATH" +@@ -171,6 +187,11 @@ echo -ne "\nEurope/Berlin\n" | systemd-firstboot --root="$ROOT" --prompt-timezon + readlink "$ROOT/etc/localtime" | grep -q "Europe/Berlin$" + echo -ne "\nfoobar\n" | systemd-firstboot --root="$ROOT" --prompt-hostname + grep -q "foobar" "$ROOT/etc/hostname" ++# With no root password provided, a locked account should be created. 
++systemd-firstboot --root="$ROOT" --prompt-root-password +Date: Tue, 21 May 2024 01:44:42 +0900 +Subject: [PATCH 0665/1160] test: extend timeout for DHCP/NDisc tests + +Fixes https://github.com/systemd/systemd/pull/32932#issuecomment-2120424121. + +(cherry picked from commit f8ef1df3d1a9a22ce9d62df3910d4f940ff42a1a) +--- + src/libsystemd-network/test-dhcp-client.c | 2 +- + src/libsystemd-network/test-dhcp6-client.c | 2 +- + src/libsystemd-network/test-ndisc-ra.c | 2 +- + 3 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/src/libsystemd-network/test-dhcp-client.c b/src/libsystemd-network/test-dhcp-client.c +index e3f148daf5..4c24bf779d 100644 +--- a/src/libsystemd-network/test-dhcp-client.c ++++ b/src/libsystemd-network/test-dhcp-client.c +@@ -515,7 +515,7 @@ static void test_addr_acq(sd_event *e) { + callback_recv = test_addr_acq_recv_discover; + + assert_se(sd_event_add_time_relative(e, NULL, CLOCK_BOOTTIME, +- 2 * USEC_PER_SEC, 0, ++ 30 * USEC_PER_SEC, 0, + NULL, INT_TO_PTR(-ETIMEDOUT)) >= 0); + + res = sd_dhcp_client_start(client); +diff --git a/src/libsystemd-network/test-dhcp6-client.c b/src/libsystemd-network/test-dhcp6-client.c +index ae3cdb8632..f051569380 100644 +--- a/src/libsystemd-network/test-dhcp6-client.c ++++ b/src/libsystemd-network/test-dhcp6-client.c +@@ -1086,7 +1086,7 @@ TEST(dhcp6_client) { + + assert_se(sd_event_new(&e) >= 0); + assert_se(sd_event_add_time_relative(e, NULL, CLOCK_BOOTTIME, +- 2 * USEC_PER_SEC, 0, ++ 30 * USEC_PER_SEC, 0, + NULL, INT_TO_PTR(-ETIMEDOUT)) >= 0); + + assert_se(sd_dhcp6_client_new(&client) >= 0); +diff --git a/src/libsystemd-network/test-ndisc-ra.c b/src/libsystemd-network/test-ndisc-ra.c +index 23abe780d6..5abcfc02e6 100644 +--- a/src/libsystemd-network/test-ndisc-ra.c ++++ b/src/libsystemd-network/test-ndisc-ra.c +@@ -365,7 +365,7 @@ TEST(ra) { + assert_se(sd_event_source_set_io_fd_own(recv_router_advertisement, true) >= 0); + + assert_se(sd_event_add_time_relative(e, NULL, CLOCK_BOOTTIME, +- 2 * 
USEC_PER_SEC, 0, ++ 30 * USEC_PER_SEC, 0, + NULL, INT_TO_PTR(-ETIMEDOUT)) >= 0); + + assert_se(sd_radv_start(ra) >= 0); +-- +2.33.0 + diff --git a/backport-test-fall-back-to-SYSLOG_IDENTIFIER-matching-where-n.patch b/backport-test-fall-back-to-SYSLOG_IDENTIFIER-matching-where-n.patch new file mode 100644 index 0000000..d4db8e4 --- /dev/null +++ b/backport-test-fall-back-to-SYSLOG_IDENTIFIER-matching-where-n.patch 
@@ -0,0 +1,175 @@ +From 8c0e504eb5d0d0a18296a18a288c9dc611f2c45d Mon Sep 17 00:00:00 2001 +From: Frantisek Sumsal +Date: Mon, 15 Apr 2024 15:53:36 +0200 +Subject: [PATCH 0348/1160] test: fall back to SYSLOG_IDENTIFIER= matching + where necessary + +Due to systemd/systemd#30886, relying on _SYSTEMD_UNIT= matching might +be unreliable in some cases (with glibc 2.39+) as the journal message +might be missing certain metadata. Since the fix for that issue is too +risky to backport, let's just fall back to SYSLOG_IDENTIFIER= matching +that doesn't seem to have this issue, so we can still run the +"problematic" tests just with some minimal tweaks. + +This leaves the skip (from 2d6e263) for the LogFilteringPatterns= stuff +in place, because falling back to SYSLOG_IDENTIFIER= matching doesn't +work there - the output from that tests becomes very weird and I suspect +there's a bug somewhere. However, the same behavior occurs even with the +latest main, so it's not something that's caused by the v255-stable +branch. + +v255-only +Partially reverts 2d6e26342997dfc03753e6e6787f950f2fed30df. 
+--- + test/test-functions | 1 + + test/units/testsuite-04.journal.sh | 8 ++++---- + test/units/testsuite-45.sh | 12 ++++-------- + test/units/testsuite-50.sh | 2 +- + test/units/testsuite-75.sh | 11 ++++++----- + 5 files changed, 16 insertions(+), 18 deletions(-) + +diff --git a/test/test-functions b/test/test-functions +index 0698b308e4..9d73c6d21e 100644 +--- a/test/test-functions ++++ b/test/test-functions +@@ -876,6 +876,7 @@ EOF + [Service] + Type=oneshot + RemainAfterExit=yes ++SyslogIdentifier=sysext-foo + ExecStart=echo foo + + [Install] +diff --git a/test/units/testsuite-04.journal.sh b/test/units/testsuite-04.journal.sh +index c19cd12d12..ca23b6b739 100755 +--- a/test/units/testsuite-04.journal.sh ++++ b/test/units/testsuite-04.journal.sh +@@ -1,12 +1,9 @@ + #!/usr/bin/env bash + # SPDX-License-Identifier: LGPL-2.1-or-later ++# shellcheck disable=SC2317 + set -eux + set -o pipefail + +-# This fails due to https://github.com/systemd/systemd/issues/30886 +-# but it is too complex and risky to backport, so disable the test +-exit 0 +- + # Rotation/flush test, see https://github.com/systemd/systemd/issues/19895 + journalctl --relinquish-var + [[ "$(systemd-detect-virt -v)" == "qemu" ]] && ITERATIONS=10 || ITERATIONS=50 +@@ -246,6 +243,9 @@ diff -u /tmp/lb1 - <<'EOF' + EOF + rm -rf "$JOURNAL_DIR" /tmp/lb1 + ++# v255-only: skip the following test case, as it suffers from systemd/systemd#30886 ++exit 0 ++ + # Check that using --after-cursor/--cursor-file= together with journal filters doesn't + # skip over entries matched by the filter + # See: https://github.com/systemd/systemd/issues/30288 +diff --git a/test/units/testsuite-45.sh b/test/units/testsuite-45.sh +index f124a2421c..b4269279f2 100755 +--- a/test/units/testsuite-45.sh ++++ b/test/units/testsuite-45.sh +@@ -218,7 +218,7 @@ assert_ntp() { + assert_timedated_signal() { + local timestamp="${1:?}" + local value="${2:?}" +- local args=(-q -n 1 --since="$timestamp" -p info 
_SYSTEMD_UNIT="busctl-monitor.service") ++ local args=(-q -n 1 --since="$timestamp" -p info _SYSTEMD_UNIT="busctl-monitor" + SYSLOG_IDENTIFIER="busctl-monitor") + + journalctl --sync + +@@ -246,10 +246,6 @@ assert_timesyncd_state() { + } + + testcase_ntp() { +- # This fails due to https://github.com/systemd/systemd/issues/30886 +- # but it is too complex and risky to backport, so disable the test +- return +- + # timesyncd has ConditionVirtualization=!container by default; drop/mock that for testing + if systemd-detect-virt --container --quiet; then + systemctl disable --quiet --now systemd-timesyncd +@@ -267,7 +263,7 @@ EOF + systemctl daemon-reload + fi + +- systemd-run --unit busctl-monitor.service --service-type=notify \ ++ systemd-run --unit busctl-monitor.service -p SyslogIdentifier=busctl-monitor --service-type=notify \ + busctl monitor --json=short --match="type=signal,sender=org.freedesktop.timedate1,member=PropertiesChanged,path=/org/freedesktop/timedate1" + + : 'Disable NTP' +@@ -302,7 +298,7 @@ assert_timesyncd_signal() { + local timestamp="${1:?}" + local property="${2:?}" + local value="${3:?}" +- local args=(-q --since="$timestamp" -p info _SYSTEMD_UNIT="busctl-monitor.service") ++ local args=(-q --since="$timestamp" -p info _SYSTEMD_UNIT="busctl-monitor.service" + SYSLOG_IDENTIFIER="busctl-monitor") + + journalctl --sync + +@@ -363,7 +359,7 @@ EOF + systemctl restart systemd-networkd + networkctl status ntp99 + +- systemd-run --unit busctl-monitor.service --service-type=notify \ ++ systemd-run --unit busctl-monitor.service -p SyslogIdentifier=busctl-monitor --service-type=notify \ + busctl monitor --json=short --match="type=signal,sender=org.freedesktop.timesync1,member=PropertiesChanged,path=/org/freedesktop/timesync1" + + # LinkNTPServers +diff --git a/test/units/testsuite-50.sh b/test/units/testsuite-50.sh +index 28218ab6d7..3726b323d9 100755 +--- a/test/units/testsuite-50.sh ++++ b/test/units/testsuite-50.sh +@@ -635,7 +635,7 @@ fi + 
systemd-sysext unmerge --no-reload + systemd-sysext merge + for RETRY in $(seq 60) LAST; do +- if journalctl --boot --unit foo.service | grep -q -P 'echo\[[0-9]+\]: foo'; then ++ if [[ "$(journalctl --boot _SYSTEMD_UNIT="foo.service" + SYSLOG_IDENTIFIER="sysext-foo" -p info -o cat)" == "foo" ]]; then + break + fi + if [ "${RETRY}" = LAST ]; then +diff --git a/test/units/testsuite-75.sh b/test/units/testsuite-75.sh +index 54234484c4..7cf279ae2b 100755 +--- a/test/units/testsuite-75.sh ++++ b/test/units/testsuite-75.sh +@@ -46,7 +46,8 @@ monitor_check_rr() ( + # displayed. We turn off pipefail for this, since we don't care about the + # lhs of this pipe expression, we only care about the rhs' result to be + # clean +- timeout -v 30s journalctl -u resolvectl-monitor.service --since "$since" -f --full | grep -m1 "$match" ++ # v255-only: match against a syslog tag as well to work around systemd/systemd#30886 ++ timeout -v 30s journalctl --since "$since" -f --full _SYSTEMD_UNIT="resolvectl-monitor.service" + SYSLOG_IDENTIFIER="resolvectl-monitor" | grep -m1 "$match" + ) + + restart_resolved() { +@@ -251,8 +252,8 @@ resolvectl status + resolvectl log-level debug + + # Start monitoring queries +-systemd-run -u resolvectl-monitor.service -p Type=notify resolvectl monitor +-systemd-run -u resolvectl-monitor-json.service -p Type=notify resolvectl monitor --json=short ++systemd-run -u resolvectl-monitor.service -p SyslogIdentifier=resolvectl-monitor -p Type=notify resolvectl monitor ++systemd-run -u resolvectl-monitor-json.service -p SyslogIdentifier=resolvectl-monitor-json -p Type=notify resolvectl monitor --json=short + + # Check if all the zones are valid (zone-check always returns 0, so let's check + # if it produces any errors/warnings) +@@ -557,10 +558,10 @@ systemctl stop resolvectl-monitor-json.service + # Issue: https://github.com/systemd/systemd/issues/29580 (part #2) + # + # Check for any warnings regarding malformed messages +-(! 
journalctl -u resolvectl-monitor.service -u reseolvectl-monitor-json.service -p warning --grep malformed) ++(! journalctl -p warning --grep malformed _SYSTEMD_UNIT="resolvectl-monitor-json.service" + SYSLOG_IDENTIFIER="resolvectl-monitor-json") + # Verify that all queries recorded by `resolvectl monitor --json` produced a valid JSON + # with expected fields +-journalctl -p info -o cat _SYSTEMD_UNIT="resolvectl-monitor-json.service" | while read -r line; do ++journalctl -p info -o cat _SYSTEMD_UNIT="resolvectl-monitor-json.service" + SYSLOG_IDENTIFIER="resolvectl-monitor-json" | while read -r line; do + # Check that both "question" and "answer" fields are arrays + # + # The expression is slightly more complicated due to the fact that the "answer" field is optional, +-- +2.33.0 + diff --git a/backport-test-fd-util-skip-test-when-lacking-privileges-to-cr.patch b/backport-test-fd-util-skip-test-when-lacking-privileges-to-cr.patch new file mode 100644 index 0000000..0767d29 --- /dev/null +++ b/backport-test-fd-util-skip-test-when-lacking-privileges-to-cr.patch 
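Review bot: In `assert_timedated_signal` the new match is `_SYSTEMD_UNIT="busctl-monitor"` without the `.service` suffix that `assert_timesyncd_signal` keeps, so that term can never match and the assertion is satisfied solely by `SYSLOG_IDENTIFIER="busctl-monitor"`; it should read `_SYSTEMD_UNIT="busctl-monitor.service" + SYSLOG_IDENTIFIER="busctl-monitor"`. That matters because `SYSLOG_IDENTIFIER=` is supplied by the logging client and any process in the test VM can set it, whereas `_SYSTEMD_UNIT=` is a trusted field added by journald, so the fallback is acceptable as a v255-only workaround for #30886 only as long as the trusted term stays correct at every call site. In testsuite-75 the malformed-warning check now matches only `resolvectl-monitor-json.service`/`resolvectl-monitor-json`, dropping the `resolvectl-monitor.service` match the original line had, so warnings from the non-JSON monitor are no longer checked; add `_SYSTEMD_UNIT="resolvectl-monitor.service" + SYSLOG_IDENTIFIER="resolvectl-monitor" +` in front of the existing terms of that journalctl call. The bodies of monitor_check_rr and testcase_ntp extend outside the hunk.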
@@ -0,0 +1,43 @@
+From 9818f55a356d424531ee97085aaae42a4116d180 Mon Sep 17 00:00:00 2001
+From: Luca Boccassi
+Date: Wed, 11 Dec 2024 12:01:18 +0000
+Subject: [PATCH 1049/1160] test-fd-util: skip test when lacking privileges to
+ create a new namespace
+
+To reproduce, as an unprivileged user start a docker container and build
+and run the unit tests inside it:
+
+$ docker run --rm -ti debian:bookworm bash
+...
+/* test_close_all_fds */
+Successfully forked off '(caf-plain)' as PID 10496.
+Skipping PR_SET_MM, as we don't have privileges.
+(caf-plain) succeeded.
+Failed to fork off '(caf-noproc)': Operation not permitted
+Assertion 'r >= 0' failed at src/test/test-fd-util.c:392, function test_close_all_fds(). Aborting.
+
+Partially fixes #35552
+
+(cherry picked from commit 630a2e7ee195ca96e102acac8df67a278a879124)
+(cherry picked from commit 5573ac7d9c52bed8d38480788b02639ede3881fc)
+(cherry picked from commit b8c85564906a7808bebc04a95be08c9a0635f2f5)
+---
+ src/test/test-fd-util.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/test/test-fd-util.c b/src/test/test-fd-util.c
+index 021d4b47c2..c134cfedfe 100644
+--- a/src/test/test-fd-util.c
++++ b/src/test/test-fd-util.c
+@@ -356,6 +356,8 @@ TEST(close_all_fds) {
+ test_close_all_fds_inner();
+ _exit(EXIT_SUCCESS);
+ }
++ if (ERRNO_IS_NEG_PRIVILEGE(r))
++ return (void) log_tests_skipped("Lacking privileges for test in namespace with /proc/ overmounted");
+ assert_se(r >= 0);
+
+ if (!is_seccomp_available())
+--
+2.33.0
+
diff --git a/backport-test-fix-TEST-24-CRYPTSETUP-on-SUSE.patch b/backport-test-fix-TEST-24-CRYPTSETUP-on-SUSE.patch
new file mode 100644
index 0000000..060e5ab
--- /dev/null
+++ b/backport-test-fix-TEST-24-CRYPTSETUP-on-SUSE.patch
@@ -0,0 +1,29 @@
+From d0b9feab0158b57a3eff7becf9d35d07cb8cb20b Mon Sep 17 00:00:00 2001
+From: Franck Bui
+Date: Tue, 2 Jul 2024 10:33:29 +0200
+Subject: [PATCH 0739/1160] test: fix TEST-24-CRYPTSETUP on SUSE
+
+/etc/systemd/journald.conf.d drop-in dir already exists on SUSE.
+
+(cherry picked from commit 56a894e888002f44f3463b3188f9d5abdcca4bb0)
+(cherry picked from commit 10b7e0a0afc31dc6a3cc30fca3a276449a60ec7d)
+---
+ test/TEST-24-CRYPTSETUP/test.sh | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/test/TEST-24-CRYPTSETUP/test.sh b/test/TEST-24-CRYPTSETUP/test.sh
+index 4ace177f1f..ebfb13d199 100755
+--- a/test/TEST-24-CRYPTSETUP/test.sh
++++ b/test/TEST-24-CRYPTSETUP/test.sh
+@@ -72,7 +72,7 @@ EOF
+
+ # Forward journal messages to the console, so we have something to investigate even if we fail to mount
+ # the encrypted /var
+- mkdir "$initdir/etc/systemd/journald.conf.d/"
++ mkdir -p "$initdir/etc/systemd/journald.conf.d/"
+ echo -ne "[Journal]\nForwardToConsole=yes\n" >"$initdir/etc/systemd/journald.conf.d/99-forward.conf"
+
+ # If $INITRD wasn't provided explicitly, generate a custom one with dm-crypt
+--
+2.33.0
+
diff --git a/backport-test-fix-check-for-device-in-test-execute.patch b/backport-test-fix-check-for-device-in-test-execute.patch
new file mode 100644
index 0000000..be9144c
--- /dev/null
+++ b/backport-test-fix-check-for-device-in-test-execute.patch
@@ -0,0 +1,30 @@
+From a1597f9e0644e60b631668f3cc31667ab772320f Mon Sep 17 00:00:00 2001
+From: Luca Boccassi
+Date: Fri, 22 Dec 2023 13:28:51 +0100
+Subject: [PATCH 0079/1160] test: fix check for device in test-execute
+
+The unit actually uses /dev/kmsg, not /dev/kvm
+
+Follow-up for ae7482b994e6a9bc8e
+
+(cherry picked from commit 4f276e97de67fa02337921703db7686725ac1827)
+---
+ src/test/test-execute.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/test/test-execute.c b/src/test/test-execute.c
+index 88e4c8d4d9..6d51ad7b53 100644
+--- a/src/test/test-execute.c
++++ b/src/test/test-execute.c
+@@ -438,7 +438,7 @@ static void test_exec_privatedevices(Manager *m) {
+
+ test(m, "exec-privatedevices-yes.service", can_unshare ? 0 : MANAGER_IS_SYSTEM(m) ? EXIT_FAILURE : EXIT_NAMESPACE, CLD_EXITED);
+ test(m, "exec-privatedevices-no.service", 0, CLD_EXITED);
+- if (access("/dev/kvm", F_OK) >= 0)
++ if (access("/dev/kmsg", F_OK) >= 0)
+ test(m, "exec-privatedevices-bind.service", can_unshare ? 0 : MANAGER_IS_SYSTEM(m) ? EXIT_FAILURE : EXIT_NAMESPACE, CLD_EXITED);
+ test(m, "exec-privatedevices-disabled-by-prefix.service", can_unshare ? 0 : MANAGER_IS_SYSTEM(m) ? EXIT_FAILURE : EXIT_NAMESPACE, CLD_EXITED);
+ test(m, "exec-privatedevices-yes-with-group.service", can_unshare ? 0 : MANAGER_IS_SYSTEM(m) ? EXIT_FAILURE : EXIT_NAMESPACE, CLD_EXITED);
+--
+2.33.0
+
diff --git a/backport-test-fix-dbus-installation-on-Arch.patch b/backport-test-fix-dbus-installation-on-Arch.patch
new file mode 100644
index 0000000..d18eff1
--- /dev/null
+++ b/backport-test-fix-dbus-installation-on-Arch.patch
@@ -0,0 +1,56 @@ +From 7b80fc2587d542b65e0ebc5cece9fca7cf83432a Mon Sep 17 00:00:00 2001 +From: Frantisek Sumsal +Date: Thu, 11 Jan 2024 11:02:05 +0100 +Subject: [PATCH 0187/1160] test: fix dbus installation on Arch + +Arch finally made dbus-broker the default dbus daemon [0], but unlike +Fedora they don't use Alias=dbus.service to make the dbus.symlink under +/etc, instead they create the symlink manually under /usr/lib, so let's +account for that. + +[0] https://gitlab.archlinux.org/archlinux/packaging/packages/dbus-broker/-/commit/b24d15795addeb15f9532f28deae9475fad8b9fa + +(cherry picked from commit ec6c7bac5c92b26fc17ad165d2defc85da324391) +--- + test/test-functions | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/test/test-functions b/test/test-functions +index c877f71557..1777982684 100644 +--- a/test/test-functions ++++ b/test/test-functions +@@ -2189,14 +2189,14 @@ install_dbus() { + # Newer Fedora versions use dbus-broker by default. Let's install it if it's available. + if [ -f "$ROOTLIBDIR/system/dbus-broker.service" ]; then + inst "$ROOTLIBDIR/system/dbus-broker.service" +- inst_symlink /etc/systemd/system/dbus.service + inst /usr/bin/dbus-broker + inst /usr/bin/dbus-broker-launch ++ image_install -o {/etc,/usr/lib}/systemd/system/dbus.service + elif [ -f "$ROOTLIBDIR/system/dbus-daemon.service" ]; then + # Fedora rawhide replaced dbus.service with dbus-daemon.service + inst "$ROOTLIBDIR/system/dbus-daemon.service" + # Alias symlink +- inst_symlink /etc/systemd/system/dbus.service ++ image_install -o {/etc,/usr/lib}/systemd/system/dbus.service + else + inst "$ROOTLIBDIR/system/dbus.service" + fi +@@ -2255,12 +2255,12 @@ EOF + # Newer Fedora versions use dbus-broker by default. Let's install it if it's available. 
+ if [ -f "$userunitdir/dbus-broker.service" ]; then + inst "$userunitdir/dbus-broker.service" +- inst_symlink /etc/systemd/user/dbus.service ++ image_install -o {/etc,/usr/lib}/systemd/user/dbus.service + elif [ -f "${ROOTLIBDIR:?}/system/dbus-daemon.service" ]; then + # Fedora rawhide replaced dbus.service with dbus-daemon.service + inst "$userunitdir/dbus-daemon.service" + # Alias symlink +- inst_symlink /etc/systemd/user/dbus.service ++ image_install -o {/etc,/usr/lib}/systemd/user/dbus.service + else + inst "$userunitdir/dbus.service" + fi +-- +2.33.0 + diff --git a/backport-test-fix-indentation.patch b/backport-test-fix-indentation.patch new file mode 100644 index 0000000..73fb195 --- /dev/null +++ b/backport-test-fix-indentation.patch @@ -0,0 +1,27 @@ +From 6c44b3167397a92a8d96f2feb30bf773bf1ef10a Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Thu, 5 Sep 2024 17:57:24 +0900 +Subject: [PATCH 0869/1160] test: fix indentation + +(cherry picked from commit fe6049d0210c89a595ae598d87dcefe7bfbe3a1d) +(cherry picked from commit dda8cb4a8ef702ba526f0c2021c92fa85431330b) +--- + test/units/testsuite-58.sh | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/test/units/testsuite-58.sh b/test/units/testsuite-58.sh +index 1e6fe57b2d..0ca0427d58 100755 +--- a/test/units/testsuite-58.sh ++++ b/test/units/testsuite-58.sh +@@ -161,7 +161,7 @@ $imgs/zzz1 : start= 2048, size= 1775576, type=933AC7E1-2EB4-4F13-B844 + $imgs/zzz2 : start= 1777624, size= 131072, type=0657FD6D-A4AB-43C4-84E5-0933C84B4F4F, uuid=78C92DB8-3D2B-4823-B0DC-792B78F66F1E, name=\"swap\"" + + systemd-repart --offline="$OFFLINE" \ +- --definitions="$defs" \ ++ --definitions="$defs" \ + --empty=create \ + --size=50M \ + --seed="$seed" \ +-- +2.33.0 + diff --git a/backport-test-fix-subtests-naming.patch b/backport-test-fix-subtests-naming.patch new file mode 100644 index 0000000..f245f18 --- /dev/null +++ b/backport-test-fix-subtests-naming.patch 
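Review bot: `image_install -o {/etc,/usr/lib}/systemd/system/dbus.service` marks both candidate alias paths optional, so a host where neither exists now produces an image with no dbus.service at all, whereas the previous `inst_symlink` aborted the image build; the failure then surfaces much later as services unable to reach the bus, which is harder to trace back to the missing alias. I would keep the optional install but follow it with an explicit existence check on the two paths that aborts the build through the script's existing fatal helper when neither is present, and do the same in the user-unit branch of the second hunk. Both enclosing functions start outside the hunk.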
@@ -0,0 +1,27 @@ +From 7b2c089ece03ffc246242a506f9a71e6c4761bb7 Mon Sep 17 00:00:00 2001 +From: Luca Boccassi +Date: Thu, 25 Jul 2024 12:12:51 +0100 +Subject: [PATCH 0798/1160] test: fix subtests naming + +The tests haven't been renamed in this branch + +Follow-up for 0f518750a44dc4b2987ecc0cea4b3d848ac46ee9 +Follow-up for 971345aa4e0f4050dac0cade09abaa9c1fbc7050 +--- + .../{TEST-07-PID1.issue-33672.sh => testsuite-07.issue-33672.sh} | 0 + .../{TEST-74-AUX-UTILS.sysusers.sh => testsuite-74.sysusers.sh} | 0 + 2 files changed, 0 insertions(+), 0 deletions(-) + rename test/units/{TEST-07-PID1.issue-33672.sh => testsuite-07.issue-33672.sh} (100%) + rename test/units/{TEST-74-AUX-UTILS.sysusers.sh => testsuite-74.sysusers.sh} (100%) + +diff --git a/test/units/TEST-07-PID1.issue-33672.sh b/test/units/testsuite-07.issue-33672.sh +similarity index 100% +rename from test/units/TEST-07-PID1.issue-33672.sh +rename to test/units/testsuite-07.issue-33672.sh +diff --git a/test/units/TEST-74-AUX-UTILS.sysusers.sh b/test/units/testsuite-74.sysusers.sh +similarity index 100% +rename from test/units/TEST-74-AUX-UTILS.sysusers.sh +rename to test/units/testsuite-74.sysusers.sh +-- +2.33.0 + diff --git a/backport-test-fix-test-scripts-filename-pattern.patch b/backport-test-fix-test-scripts-filename-pattern.patch new file mode 100644 index 0000000..6e46b37 --- /dev/null +++ b/backport-test-fix-test-scripts-filename-pattern.patch 
@@ -0,0 +1,27 @@ +From cf74f26bb7231095e0430f7c58db77e97ccc2820 Mon Sep 17 00:00:00 2001 +From: Luca Boccassi +Date: Fri, 15 Nov 2024 00:48:29 +0000 +Subject: [PATCH 1014/1160] test: fix test scripts filename pattern + +In this branch it's testsuite-xy.foo, not TEST-XY-FOO + +Follow-up for 41ebd133657cbf83b202fe132ea96c0ae2906fc8 +Follow-up for e6f8282051e2066d8b32b46aba7776883e5cb953 +--- + .../{TEST-07-PID1.issue-31752.sh => testsuite-07.issue-31752.sh} | 0 + ...IPAddressAllow-Deny.sh => testsuite-19.IPAddressAllow-Deny.sh} | 0 + 2 files changed, 0 insertions(+), 0 deletions(-) + rename test/units/{TEST-07-PID1.issue-31752.sh => testsuite-07.issue-31752.sh} (100%) + rename test/units/{TEST-19-CGROUP.IPAddressAllow-Deny.sh => testsuite-19.IPAddressAllow-Deny.sh} (100%) + +diff --git a/test/units/TEST-07-PID1.issue-31752.sh b/test/units/testsuite-07.issue-31752.sh +similarity index 100% +rename from test/units/TEST-07-PID1.issue-31752.sh +rename to test/units/testsuite-07.issue-31752.sh +diff --git a/test/units/TEST-19-CGROUP.IPAddressAllow-Deny.sh b/test/units/testsuite-19.IPAddressAllow-Deny.sh +similarity index 100% +rename from test/units/TEST-19-CGROUP.IPAddressAllow-Deny.sh +rename to test/units/testsuite-19.IPAddressAllow-Deny.sh +-- +2.33.0 + diff --git a/backport-test-fix-the-container-ID-check.patch b/backport-test-fix-the-container-ID-check.patch new file mode 100644 index 0000000..61699d3 --- /dev/null +++ b/backport-test-fix-the-container-ID-check.patch 
@@ -0,0 +1,54 @@ +From be905c0d8166a3d89e98168ff64a003b885f2d03 Mon Sep 17 00:00:00 2001 +From: Frantisek Sumsal +Date: Fri, 26 Jan 2024 15:44:39 +0100 +Subject: [PATCH 0281/1160] test: fix the container ID check + +It never worked, but the fail was masked by missing set -e, see the +previous commit. + +Also, throw env into the test container and dump the environment on +container start, to make potential failures easier to debug. + +(cherry picked from commit 8ee32f688fa864a04c5c94fd9c3dbea00cffdc07) +--- + test/TEST-13-NSPAWN/test.sh | 1 + + test/units/testsuite-13.nspawn.sh | 4 +++- + 2 files changed, 4 insertions(+), 1 deletion(-) + +diff --git a/test/TEST-13-NSPAWN/test.sh b/test/TEST-13-NSPAWN/test.sh +index 2e94156432..93af59ef86 100755 +--- a/test/TEST-13-NSPAWN/test.sh ++++ b/test/TEST-13-NSPAWN/test.sh +@@ -18,6 +18,7 @@ test_append_files() { + initdir="$container" setup_basic_dirs + initdir="$container" image_install \ + bash \ ++ env \ + cat \ + hostname \ + grep \ +diff --git a/test/units/testsuite-13.nspawn.sh b/test/units/testsuite-13.nspawn.sh +index 31d9371487..01f6eb6731 100755 +--- a/test/units/testsuite-13.nspawn.sh ++++ b/test/units/testsuite-13.nspawn.sh +@@ -407,6 +407,8 @@ EOF + #!/bin/bash + set -ex + ++env ++ + [[ "$1" == "foo bar" ]] + [[ "$2" == "bar baz" ]] + +@@ -414,7 +416,7 @@ set -ex + [[ "$FOO" == bar ]] + [[ "$BAZ" == "hello world" ]] + [[ "$PWD" == /tmp ]] +-[[ "$( +Date: Mon, 4 Nov 2024 20:22:01 +0000 +Subject: [PATCH 0989/1160] test: fix tool name in comment + +(cherry picked from commit c53df275d512a219806a181de3bd57f02dc38dab) +(cherry picked from commit 59f5de450a99d876d3af17d6430779976d1d8af4) +--- + src/ukify/test/test_ukify.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/ukify/test/test_ukify.py b/src/ukify/test/test_ukify.py +index 4d247208b8..ad464b07de 100755 +--- a/src/ukify/test/test_ukify.py ++++ b/src/ukify/test/test_ukify.py +@@ -621,7 +621,7 @@ def 
test_efi_signing_pesign(kernel_initrd, tmp_path): + + ukify.make_uki(opts) + +- # let's check that sbverify likes the resulting file ++ # let's check that pesign likes the resulting file + dump = subprocess.check_output([ + 'pesign', '-S', + '-i', output, +-- +2.33.0 + diff --git a/backport-test-flush-the-socket-once-the-triggered-unit-exits.patch b/backport-test-flush-the-socket-once-the-triggered-unit-exits.patch new file mode 100644 index 0000000..8d5cf90 --- /dev/null +++ b/backport-test-flush-the-socket-once-the-triggered-unit-exits.patch 
@@ -0,0 +1,61 @@ +From 73bd477cbfd49b2a87d730ae18a4ab1b44d7cd49 Mon Sep 17 00:00:00 2001 +From: Frantisek Sumsal +Date: Sun, 24 Dec 2023 12:53:53 +0100 +Subject: [PATCH 0088/1160] test: flush the socket once the triggered unit + exits + +Since the triggered unit intentionally fails without consuming any data +from the socket, we'd try to trigger it again and again, and we might +try to check the unit state in one of the "in-between" states, failing +the test: + +[ 165.271698] H testsuite-07.sh[1032]: + systemctl start badbin_assert.socket +[ 165.977637] H testsuite-07.sh[1032]: + socat - ABSTRACT-CONNECT:badbin_assert.socket +[ 165.983787] H systemd[1]: Cannot find unit for notify message of PID 1039, ignoring. +[ 166.817187] H testsuite-07.sh[1032]: + timeout 10 sh -c 'while systemctl is-active badbin_assert.service; do sleep .5; done' +[ 167.049218] H testsuite-07.sh[1065]: active +[ 167.146854] H systemd[1]: Listening on badbin_assert.socket. +[ 167.163473] H systemd[1]: badbin_assert.socket: Incoming traffic +[ 167.542626] H systemd[1]: Cannot find unit for notify message of PID 1065, ignoring. +[ 167.543437] H (badbin)[1062]: badbin_assert.service: Failed to execute /tmp/badbin: Exec format error +[ 167.548346] H systemd[1]: badbin_assert.service: Main process exited, code=exited, status=203/EXEC +[ 167.549482] H systemd[1]: badbin_assert.service: Failed with result 'exit-code'. +[ 167.561537] H systemd[1]: badbin_assert.socket: Incoming traffic +[ 167.933390] H systemd[1]: Started badbin_assert.service. +[ 167.950489] H (badbin)[1070]: badbin_assert.service: Failed to execute /tmp/badbin: Exec format error +[ 167.956318] H systemd[1]: badbin_assert.service: Main process exited, code=exited, status=203/EXEC +[ 167.957173] H systemd[1]: badbin_assert.service: Failed with result 'exit-code'. 
+[ 167.974609] H systemd[1]: badbin_assert.socket: Incoming traffic +[ 168.042838] H testsuite-07.sh[1072]: failed +[ 168.094431] H testsuite-07.sh[1075]: ++ systemctl show -P ExecMainStatus badbin_assert.service +[ 168.704022] H systemd[1]: Started badbin_assert.service. +[ 168.778680] H (badbin)[1074]: badbin_assert.service: Failed to execute /tmp/badbin: Exec format error +[ 168.826881] H systemd[1]: badbin_assert.service: Main process exited, code=exited, status=203/EXEC +[ 168.833825] H systemd[1]: badbin_assert.service: Failed with result 'exit-code'. +[ 168.923931] H testsuite-07.sh[1032]: + [[ 0 == 203 ]] +[ 168.951492] H systemd[1]: Cannot find unit for notify message of PID 1075, ignoring. +[ 168.999862] H testsuite-07.sh[615]: + echo 'Subtest /usr/lib/systemd/tests/testdata/units/testsuite-07.issue-30412.sh failed' +[ 168.999862] H testsuite-07.sh[615]: Subtest /usr/lib/systemd/tests/testdata/units/testsuite-07.issue-30412.sh failed + +Follow-up for 1eeaa93de36 and 28a2d27650c. + +(cherry picked from commit 4ddf27c57bbaaa66bed5cfa951e60a83b9f64e29) +--- + test/units/testsuite-07.issue-30412.sh | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/test/units/testsuite-07.issue-30412.sh b/test/units/testsuite-07.issue-30412.sh +index 61801c543a..c1cb00e071 100755 +--- a/test/units/testsuite-07.issue-30412.sh ++++ b/test/units/testsuite-07.issue-30412.sh +@@ -20,6 +20,7 @@ EOF + cat >/run/systemd/system/badbin_assert.socket < +Date: Thu, 14 Dec 2023 11:36:52 +0100 +Subject: [PATCH 0083/1160] test: forward journal messages to console during + sd-bsod tests + +Since we nuke the journal multiple times during that, which makes +potential fails undebugable. 
+ +(cherry picked from commit 8f7c876bdcde0de1a90b525c216ee6ae6c13e879) +--- + test/units/testsuite-04.bsod.sh | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/test/units/testsuite-04.bsod.sh b/test/units/testsuite-04.bsod.sh +index 8f5ff5f35c..1de446bc12 100755 +--- a/test/units/testsuite-04.bsod.sh ++++ b/test/units/testsuite-04.bsod.sh +@@ -22,6 +22,9 @@ at_exit() { + journalctl --flush + fi + ++ rm -f /run/systemd/journald.conf.d/99-forward-to-console.conf ++ systemctl restart systemd-journald ++ + return 0 + } + +@@ -49,7 +52,12 @@ vcs_dump_and_check() { + # current boot, let's temporarily overmount /var/log/journal with a tmpfs, + # as we're going to wipe it multiple times, but we need to keep the original + # journal intact for the other tests to work correctly. ++# ++# Also, since we'll eventually lose the journal from this test, let's temporarily ++# forward everything to console, to make potential fails debug-able. + trap at_exit EXIT ++mkdir -p /run/systemd/journald.conf.d/ ++echo -ne '[Journal]\nForwardToConsole=yes' >/run/systemd/journald.conf.d/99-forward-to-console.conf + mount -t tmpfs tmpfs /var/log/journal + systemctl restart systemd-journald + +-- +2.33.0 + diff --git a/backport-test-install-all-necessary-units-generators-for-LVM-.patch b/backport-test-install-all-necessary-units-generators-for-LVM-.patch new file mode 100644 index 0000000..f405211 --- /dev/null +++ b/backport-test-install-all-necessary-units-generators-for-LVM-.patch 
@@ -0,0 +1,69 @@ +From b1dba6bcaae70849394f34be8850f2e5e2559633 Mon Sep 17 00:00:00 2001 +From: Frantisek Sumsal +Date: Wed, 13 Dec 2023 12:27:17 +0100 +Subject: [PATCH 0070/1160] test: install all necessary units & generators for + LVM on Debian + +And derivates. + +Replaces: #30458 +(cherry picked from commit f9ba9d3eb7c350f31132ccd9ed1ee3c0c693f5c5) +--- + test/test-functions | 34 +++++++++++++++++++++------------- + 1 file changed, 21 insertions(+), 13 deletions(-) + +diff --git a/test/test-functions b/test/test-functions +index 42b0038789..4606745f10 100644 +--- a/test/test-functions ++++ b/test/test-functions +@@ -1167,26 +1167,34 @@ install_multipath() { + } + + install_lvm() { ++ local lvm_rules rule_prefix ++ + image_install lvm + image_install "${ROOTLIBDIR:?}"/system/lvm2-lvmpolld.{service,socket} + image_install "${ROOTLIBDIR:?}"/system/{blk-availability,lvm2-monitor}.service + image_install -o "/lib/tmpfiles.d/lvm2.conf" ++ + if get_bool "$LOOKS_LIKE_DEBIAN"; then +- inst_rules 56-lvm.rules 69-lvm-metad.rules ++ lvm_rules="56-lvm.rules" ++ rule_prefix="" + else +- # Support the new udev autoactivation introduced in lvm 2.03.14 +- # https://sourceware.org/git/?p=lvm2.git;a=commit;h=67722b312390cdab29c076c912e14bd739c5c0f6 +- # Static autoactivation (via lvm2-activation-generator) was dropped +- # in lvm 2.03.15 +- # https://sourceware.org/git/?p=lvm2.git;a=commit;h=ee8fb0310c53ed003a43b324c99cdfd891dd1a7c +- if [[ -f /lib/udev/rules.d/69-dm-lvm.rules ]]; then +- inst_rules 11-dm-lvm.rules 69-dm-lvm.rules +- else +- image_install "${ROOTLIBDIR:?}"/system-generators/lvm2-activation-generator +- image_install "${ROOTLIBDIR:?}"/system/lvm2-pvscan@.service +- inst_rules 11-dm-lvm.rules 69-dm-lvm-metad.rules +- fi ++ lvm_rules="11-dm-lvm.rules" ++ rule_prefix="dm-" + fi ++ ++ # Support the new udev autoactivation introduced in lvm 2.03.14 ++ # https://sourceware.org/git/?p=lvm2.git;a=commit;h=67722b312390cdab29c076c912e14bd739c5c0f6 ++ # Static autoactivation 
(via lvm2-activation-generator) was dropped ++ # in lvm 2.03.15 ++ # https://sourceware.org/git/?p=lvm2.git;a=commit;h=ee8fb0310c53ed003a43b324c99cdfd891dd1a7c ++ if [[ -f "/lib/udev/rules.d/69-${rule_prefix}lvm.rules" ]]; then ++ inst_rules "$lvm_rules" "69-${rule_prefix}lvm.rules" ++ else ++ image_install "${ROOTLIBDIR:?}"/system-generators/lvm2-activation-generator ++ image_install "${ROOTLIBDIR:?}"/system/lvm2-pvscan@.service ++ inst_rules "$lvm_rules" "69-${rule_prefix}lvm-metad.rules" ++ fi ++ + mkdir -p "${initdir:?}/etc/lvm" + } + +-- +2.33.0 + diff --git a/backport-test-install-correct-kpartx-udev-rules-on-Debian.patch b/backport-test-install-correct-kpartx-udev-rules-on-Debian.patch new file mode 100644 index 0000000..147e9c1 --- /dev/null +++ b/backport-test-install-correct-kpartx-udev-rules-on-Debian.patch 
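Review bot: The new `lvm_rules`/`rule_prefix` pair encodes the two rule-file naming schemes without saying so, and the per-distro meaning is only recoverable by mentally expanding `69-${rule_prefix}lvm.rules`; a comment above `if get_bool "$LOOKS_LIKE_DEBIAN"; then` such as `# Debian ships 56-lvm.rules + 69-lvm{,-metad}.rules, other distros 11-dm-lvm.rules + 69-dm-lvm{,-metad}.rules` would make the pairing readable. Note also that the Debian branch now reaches the fallback path, which calls `image_install` (not `-o`) for `lvm2-activation-generator` and `lvm2-pvscan@.service`, so a Debian lvm2 package lacking `69-lvm.rules` and also lacking those files aborts the image build where the old branch simply installed two rule files; that appears to be the intent of the commit, but worth confirming against the Debian packages the CI uses.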
@@ -0,0 +1,29 @@
+From 44b9b9aca8019866d509f8770401acd5dde5f328 Mon Sep 17 00:00:00 2001
+From: Frantisek Sumsal
+Date: Wed, 3 Jan 2024 17:24:03 +0100
+Subject: [PATCH 0115/1160] test: install correct kpartx udev rules on Debian
+
+Resolves: #30703
+(cherry picked from commit 519f0074cf87391b17a82ea983daed6183d62fb6)
+---
+ test/test-functions | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/test/test-functions b/test/test-functions
+index 4606745f10..23345274b4 100644
+--- a/test/test-functions
++++ b/test/test-functions
+@@ -1151,7 +1151,9 @@ install_multipath() {
+ image_install kpartx /lib/udev/kpartx_id lsmod mpathpersist multipath multipathd partx
+ image_install "${ROOTLIBDIR:?}"/system/multipathd.{service,socket}
+ if get_bool "$LOOKS_LIKE_DEBIAN"; then
+- inst_rules 56-dm-parts.rules 56-dm-mpath.rules 60-multipath.rules 68-del-part-nodes.rules 95-kpartx.rules
++ # Note: try both 60-kpartx.rules (as seen on Debian Sid with 0.9.4-7) and 90-kpartx.rules (as seen on
++ # Ubuntu Jammy with 0.8.8-1ubuntu1.22.04.4)
++ inst_rules 56-dm-parts.rules 56-dm-mpath.rules 60-kpartx.rules 60-multipath.rules 68-del-part-nodes.rules 90-kpartx.rules
+ else
+ inst_rules 11-dm-mpath.rules 11-dm-parts.rules 62-multipath.rules 66-kpartx.rules 68-del-part-nodes.rules
+ fi
+--
+2.33.0
+
diff --git a/backport-test-install-empty-directories-with-NO_BUILD-1.patch b/backport-test-install-empty-directories-with-NO_BUILD-1.patch
new file mode 100644
index 0000000..c2bf831
--- /dev/null
+++ b/backport-test-install-empty-directories-with-NO_BUILD-1.patch
@@ -0,0 +1,80 @@ +From 03183fa3ceedcf427a7afb176a846225454cfaf0 Mon Sep 17 00:00:00 2001 +From: Frantisek Sumsal +Date: Thu, 14 Dec 2023 15:06:12 +0100 +Subject: [PATCH 0198/1160] test: install empty directories with NO_BUILD=1 + +Resolves: #30478 +(cherry picked from commit fdd380dde2ec2cbcecbd20b91cf6b819ef3dc0db) +--- + test/test-functions | 42 ++++++++++++++++++++++++------------------ + 1 file changed, 24 insertions(+), 18 deletions(-) + +diff --git a/test/test-functions b/test/test-functions +index 1777982684..8f04a37db9 100644 +--- a/test/test-functions ++++ b/test/test-functions +@@ -1327,19 +1327,35 @@ install_compiled_systemd() { + fi + } + ++install_package_file() { ++ local file="${1:?}" ++ ++ # Skip missing files (like /etc/machine-info) ++ [[ ! -e "$file" ]] && return 0 ++ # Skip python unit tests, since the image_install machinery will try to pull ++ # in the whole python stack in a very questionable state, making the tests fail. ++ # And given we're trying to transition to mkosi-based images anyway I'm not even ++ # going to bother ++ [[ "$file" =~ /tests/unit-tests/.*.py$ ]] && return 0 ++ # If the current file is a directory, create it with the original ++ # mode; if it's a symlink to a directory, copy it as-is ++ if [[ -d "$file" ]]; then ++ inst_dir "$file" ++ else ++ inst "$file" ++ fi ++} ++ + install_debian_systemd() { + dinfo "Install debian systemd" + +- local files ++ local deb file + + while read -r deb; do +- files="$(dpkg-query -L "$deb" 2>/dev/null)" || continue + ddebug "Install debian files from package $deb" +- for file in $files; do +- [ -e "$file" ] || continue +- [ ! 
-L "$file" ] && [ -d "$file" ] && continue +- inst "$file" +- done ++ while read -r file; do ++ install_package_file "$file" ++ done < <(dpkg-query -L "$deb" 2>/dev/null) + done < <(grep -E '^Package:' "${SOURCE_DIR}/debian/control" | cut -d ':' -f 2) + } + +@@ -1354,17 +1370,7 @@ install_rpm() { + + dinfo "Installing contents of RPM $rpm" + while read -r file; do +- # Skip missing files (like /etc/machine-info) +- [[ ! -e "$file" ]] && continue +- # Skip directories unless they are a symlink (both -L and -d pass in this case) +- [[ -d "$file" && ! -L "$file" ]] && continue +- # Skip python unit tests, since the image_install machinery will try to pull +- # in the whole python stack in a very questionable state, making the tests fail. +- # And given we're trying to transition to mkosi-based images anyway I'm not even +- # going to bother +- [[ "$file" =~ /tests/unit-tests/.*.py$ ]] && continue +- +- image_install "$file" ++ install_package_file "$file" + done < <(rpm -ql "$rpm") + } + +-- +2.33.0 + diff --git a/backport-test-install-etc-hosts.patch b/backport-test-install-etc-hosts.patch new file mode 100644 index 0000000..8220862 --- /dev/null +++ b/backport-test-install-etc-hosts.patch 
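Review bot: The skip pattern in the new install_package_file helper, `[[ "$file" =~ /tests/unit-tests/.*.py$ ]]`, leaves the dot before `py` unescaped, so it also matches any path under that directory ending in e.g. `xpy`; the stricter form is `[[ "$file" =~ /tests/unit-tests/.*\.py$ ]]`. The pattern was moved verbatim from install_rpm, so this is pre-existing, but the shared helper is the natural place to tighten it now that both the deb and rpm paths go through it. It would also help to say in the helper's first comment that the `-e` test additionally drops dangling symlinks, which is the behaviour both callers had before and is now relied on by the `inst_dir`/`inst` split below it.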
@@ -0,0 +1,28 @@
+From 58205cfea853a049f79e47ca336c320c881328d8 Mon Sep 17 00:00:00 2001
+From: Franck Bui
+Date: Mon, 1 Jul 2024 18:06:45 +0200
+Subject: [PATCH 0738/1160] test: install /etc/hosts
+
+Needed for resolving the "localhost" hostname.
+
+(cherry picked from commit a09825ce9fb3bd315f35654b6e6ee4f92c675cde)
+(cherry picked from commit 4f7d6885a12c0e5e27a9d29f9ef09fb2fa53d6ef)
+---
+ test/test-functions | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/test/test-functions b/test/test-functions
+index 98d0b11649..91d87f8b73 100644
+--- a/test/test-functions
++++ b/test/test-functions
+@@ -2047,6 +2047,7 @@ EOF
+ install_config_files() {
+ dinfo "Install config files"
+ inst /etc/sysconfig/init || :
++ inst /etc/hosts || :
+ inst /etc/passwd
+ inst /etc/shadow
+ inst_any /etc/login.defs /usr/etc/login.defs
+--
+2.33.0
+
diff --git a/backport-test-install-modinfo-to-test-image.patch b/backport-test-install-modinfo-to-test-image.patch
new file mode 100644
index 0000000..3192ba6
--- /dev/null
+++ b/backport-test-install-modinfo-to-test-image.patch
@@ -0,0 +1,37 @@
+From 0868f29eae4e1577eb494808a7875df69845f50c Mon Sep 17 00:00:00 2001
+From: Yu Watanabe
+Date: Sun, 19 May 2024 04:54:25 +0900
+Subject: [PATCH 0647/1160] test: install modinfo to test image
+
+Follow-up for 6c2d47d6d3ad25ffd7527c7f4de31457ee1b25d8.
+
+Fixes the following unexpected skip:
+```
+[ 6.163670] TEST-64-UDEV-STORAGE.sh[596]: + modinfo btrfs
+[ 6.164102] TEST-64-UDEV-STORAGE.sh[726]: /usr/lib/systemd/tests/testdata/units/TEST-64-UDEV-STORAGE.sh: line 726: modinfo: command not found
+[ 6.164683] TEST-64-UDEV-STORAGE.sh[727]: + echo 'This test requires the btrfs kernel module but it is not installed, skipping the test'
+[ 6.165069] TEST-64-UDEV-STORAGE.sh[728]: + tee --append /skipped
+[ 6.166801] TEST-64-UDEV-STORAGE.sh[728]: This test requires the btrfs kernel module but it is not installed, skipping the test
+[ 6.167177] TEST-64-UDEV-STORAGE.sh[596]: + exit 77
+```
+
+(cherry picked from commit 2569e790f6352797f8e326ed472f49479791a2ac)
+---
+ test/test-functions | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/test/test-functions b/test/test-functions
+index 9dc4783495..5fd171edf2 100644
+--- a/test/test-functions
++++ b/test/test-functions
+@@ -206,6 +206,7 @@ BASICTOOLS=(
+ mkfifo
+ mknod
+ mktemp
++ modinfo
+ modprobe
+ mount
+ mountpoint
+--
+2.33.0
+
diff --git a/backport-test-install-root-introduce-test-case-for-33411.patch b/backport-test-install-root-introduce-test-case-for-33411.patch
new file mode 100644
index 0000000..7bc38a8
--- /dev/null
+++ b/backport-test-install-root-introduce-test-case-for-33411.patch
@@ -0,0 +1,52 @@ +From 8fc521393e13dd1a55afc9859a20c76e80e6bc9d Mon Sep 17 00:00:00 2001 +From: Mike Yuan +Date: Wed, 19 Jun 2024 21:28:05 +0200 +Subject: [PATCH 0770/1160] test-install-root: introduce test case for #33411 + +(cherry picked from commit 9fb5a8ca24e677e10f8c2b8973b5e2a11676bda0) +(cherry picked from commit 7684f528392ddb94455c924ec820be2c8de6989a) +--- + src/test/test-install-root.c | 20 ++++++++++++++++++++ + 1 file changed, 20 insertions(+) + +diff --git a/src/test/test-install-root.c b/src/test/test-install-root.c +index efd75b2a67..2a6d94ba42 100644 +--- a/src/test/test-install-root.c ++++ b/src/test/test-install-root.c +@@ -29,6 +29,8 @@ TEST(basic_mask_and_enable) { + assert_se(unit_file_get_state(RUNTIME_SCOPE_SYSTEM, root, "d.service", NULL) == -ENOENT); + assert_se(unit_file_get_state(RUNTIME_SCOPE_SYSTEM, root, "e.service", NULL) == -ENOENT); + assert_se(unit_file_get_state(RUNTIME_SCOPE_SYSTEM, root, "f.service", NULL) == -ENOENT); ++ assert_se(unit_file_get_state(RUNTIME_SCOPE_SYSTEM, root, "g.service", NULL) == -ENOENT); ++ assert_se(unit_file_get_state(RUNTIME_SCOPE_SYSTEM, root, "h.service", NULL) == -ENOENT); + + p = strjoina(root, "/usr/lib/systemd/system/a.service"); + assert_se(write_string_file(p, +@@ -197,6 +199,24 @@ TEST(basic_mask_and_enable) { + changes = NULL; n_changes = 0; + + assert_se(unit_file_get_state(RUNTIME_SCOPE_SYSTEM, root, "f.service", &state) >= 0 && state == UNIT_FILE_ENABLED); ++ ++ /* Test enabling units with only Alias= (unit_file_enable should return > 0 to indicate we did ++ * something, #33411) */ ++ ++ p = strjoina(root, SYSTEM_CONFIG_UNIT_DIR "/g.service"); ++ assert_se(write_string_file(p, ++ "[Install]\n" ++ "Alias=h.service\n", WRITE_STRING_FILE_CREATE) >= 0); ++ ++ assert_se(unit_file_enable(RUNTIME_SCOPE_SYSTEM, 0, root, STRV_MAKE("g.service"), &changes, &n_changes) >= 0); ++ install_changes_free(changes, n_changes); ++ changes = NULL; n_changes = 0; ++ ++ 
assert_se(unit_file_get_state(RUNTIME_SCOPE_SYSTEM, root, "g.service", &state) >= 0); ++ assert_se(state == UNIT_FILE_ENABLED); ++ ++ assert_se(unit_file_get_state(RUNTIME_SCOPE_SYSTEM, root, "h.service", &state) >= 0); ++ assert_se(state == UNIT_FILE_ALIAS); + } + + TEST(linked_units) { +-- +2.33.0 + diff --git a/backport-test-install-systemd-boot-in-openSUSE-test-images.patch b/backport-test-install-systemd-boot-in-openSUSE-test-images.patch new file mode 100644 index 0000000..0937752 --- /dev/null +++ b/backport-test-install-systemd-boot-in-openSUSE-test-images.patch @@ -0,0 +1,27 @@ +From 048639c653c88905852ef3f4d710fde173916cfd Mon Sep 17 00:00:00 2001 +From: Franck Bui +Date: Tue, 13 Feb 2024 18:12:42 +0100 +Subject: [PATCH 0306/1160] test: install systemd-boot in openSUSE test images + +Needed since 87282a337d1ba7dc7d755f53b46c64b43718dcf7. + +(cherry picked from commit 03b1e10fc8c3d85e98c38df642158076e97025fa) +--- + test/test-functions | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/test/test-functions b/test/test-functions +index 22c393664f..63376c4a83 100644 +--- a/test/test-functions ++++ b/test/test-functions +@@ -1382,6 +1382,7 @@ install_suse_systemd() { + + pkgs=( + systemd ++ systemd-boot + systemd-container + systemd-coredump + systemd-experimental +-- +2.33.0 + diff --git a/backport-test-lock-device-during-running-cryptsetup.patch b/backport-test-lock-device-during-running-cryptsetup.patch new file mode 100644 index 0000000..46bb547 --- /dev/null +++ b/backport-test-lock-device-during-running-cryptsetup.patch 
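Review bot: The new comment states that unit_file_enable should return > 0 for a unit that only carries Alias= (#33411), but the assertion right below it only checks `>= 0`, so a regression back to returning 0 would pass that line and be caught only indirectly by the two state checks that follow. If the return value is the contract this test case is meant to pin, `assert_se(unit_file_enable(RUNTIME_SCOPE_SYSTEM, 0, root, STRV_MAKE("g.service"), &changes, &n_changes) > 0);` expresses it directly and matches the comment. TEST(basic_mask_and_enable) starts outside the hunk.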
@@ -0,0 +1,47 @@
+From 640dbad3e75b0c67ed1f6c1afd02ceb313a0d8c8 Mon Sep 17 00:00:00 2001
+From: Yu Watanabe
+Date: Wed, 22 May 2024 05:24:05 +0900
+Subject: [PATCH 0674/1160] test: lock device during running cryptsetup
+
+On running cryptsetup, udevd detects two inotify events for the
+underlying device. Running the test on enough fast host, the expected
+symlinks based on UUID and disk label are created by the second event.
+
+During processing a uevent for a device, udevd disables the inotify
+watch for the device. If the test runs on slow system, the second
+inotify event may comes during a udev worker processing the synthesized
+uevent triggered by the first inotify event. Hence, no synthesized
+uevent for the second inotify event will be generated, and the expected
+symlinks will be never created.
+
+To prevent the issue, we need to lock the device during cryptsetup
+command is running.
+
+Fixes #32913.
+
+(cherry picked from commit be43c9b0295120e508de1afd739af6fb7603186a)
+---
+ test/units/testsuite-64.sh | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/test/units/testsuite-64.sh b/test/units/testsuite-64.sh
+index 65e5f6cd91..f41cc7fdc2 100755
+--- a/test/units/testsuite-64.sh
++++ b/test/units/testsuite-64.sh
+@@ -755,9 +755,10 @@ EOF
+ for ((i = 0; i < ${#devices[@]}; i++)); do
+ # Intentionally use weaker cipher-related settings, since we don't care
+ # about security here as it's a throwaway LUKS partition
+- cryptsetup luksFormat -q \
+- --use-urandom --pbkdf pbkdf2 --pbkdf-force-iterations 1000 \
+- --uuid "deadbeef-dead-dead-beef-11111111111$i" --label "encdisk$i" "${devices[$i]}" /etc/btrfs_keyfile
++ udevadm lock --device="${devices[$i]}" \
++ cryptsetup luksFormat -q \
++ --use-urandom --pbkdf pbkdf2 --pbkdf-force-iterations 1000 \
++ --uuid "deadbeef-dead-dead-beef-11111111111$i" --label "encdisk$i" "${devices[$i]}" /etc/btrfs_keyfile
+ udevadm wait --settle --timeout=30 "/dev/disk/by-uuid/deadbeef-dead-dead-beef-11111111111$i" "/dev/disk/by-label/encdisk$i"
+ # Add the device into /etc/crypttab, reload systemd, and then activate
+ # the device so we can create a filesystem on it later
+--
+2.33.0
+
diff --git a/backport-test-loop-block-return-77-on-skip-in-more-places.patch b/backport-test-loop-block-return-77-on-skip-in-more-places.patch
new file mode 100644
index 0000000..cb3cf88
--- /dev/null
+++ b/backport-test-loop-block-return-77-on-skip-in-more-places.patch
@@ -0,0 +1,39 @@
+From 543784efc384e362a7f77ffac78780fc7ba123ee Mon Sep 17 00:00:00 2001
+From: Luca Boccassi
+Date: Wed, 13 Nov 2024 14:20:34 +0000
+Subject: [PATCH 1058/1160] test-loop-block: return -77 on skip in more places
+
+(cherry picked from commit 81e0693465402d2e72cb3ba1b28e25e3c4c0206a)
+(cherry picked from commit 1fb4673a6977c6a694f786dbc6cf2ff1990794ff)
+(cherry picked from commit 8f92f75ae7e87e07b63974533f7ec344291267f2)
+---
+ src/test/test-loop-block.c | 12 ++++-------
+ 1 file changed, 4 insertions(+), 8 deletions(-)
+
+diff --git a/src/test/test-loop-block.c b/src/test/test-loop-block.c
+index 1bd00d1af1..5c2e0c9526 100644
+--- a/src/test/test-loop-block.c
++++ b/src/test/test-loop-block.c
+@@ -224,15 +224,11 @@ static int run(int argc, char *argv[]) {
+ dissected = dissected_image_unref(dissected);
+ #endif
+
+- if (geteuid() != 0 || have_effective_cap(CAP_SYS_ADMIN) <= 0) {
+- log_tests_skipped("not running privileged");
+- return 0;
+- }
++ if (geteuid() != 0 || have_effective_cap(CAP_SYS_ADMIN) <= 0)
++ return log_tests_skipped("not running privileged");
+
+- if (detect_container() > 0) {
+- log_tests_skipped("Test not supported in a container, requires udev/uevent notifications");
+- return 0;
+- }
++ if (detect_container() > 0)
++ return log_tests_skipped("Test not supported in a container, requires udev/uevent notifications");
+
+ assert_se(loop_device_make(fd, O_RDWR, 0, UINT64_MAX, 0, LO_FLAGS_PARTSCAN, LOCK_EX, &loop) >= 0);
+
+--
+2.33.0
+
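Review bot: `udevadm lock --device="${devices[$i]}"` is invoked without `--timeout=`, so if the block device's lock is already held (a stuck udev worker, or another process that took the BSD lock) the test hangs at that point instead of failing, unlike the `udevadm wait --settle --timeout=30` immediately below which is bounded; as far as I recall the lock command waits indefinitely by default. Passing `--timeout=30` on the `udevadm lock` line keeps both steps bounded and turns a lock contention into a visible error with the device name in it. The surrounding `for` loop continues outside the hunk.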
diff --git a/backport-test-make-TEST-08-INITRD-slightly-less-annoying-to-d.patch b/backport-test-make-TEST-08-INITRD-slightly-less-annoying-to-d.patch
new file mode 100644
index 0000000..fc4df2d
--- /dev/null
+++ b/backport-test-make-TEST-08-INITRD-slightly-less-annoying-to-d.patch
@@ -0,0 +1,36 @@
+From 0434777bbe9865a762230d1c709c237c646930d4 Mon Sep 17 00:00:00 2001
+From: Frantisek Sumsal
+Date: Wed, 14 Feb 2024 16:45:18 +0100
+Subject: [PATCH 0320/1160] test: make TEST-08-INITRD slightly less annoying to
+ debug
+
+Forward journal to console, since we won't have any journal from initrd
+and shutdown/exit initrd phases. Also, mention
+systemd.journald.max_level_console=debug that is very handy for
+debugging initrd shenanigans, but don't use it by default since it
+sends a _lot_ of stuff to the serial console, which slows down the test
+a lot.
+
+(cherry picked from commit e073c1d8ed36da84540f245cd783021b2761e4d7)
+---
+ test/TEST-08-INITRD/test.sh | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/test/TEST-08-INITRD/test.sh b/test/TEST-08-INITRD/test.sh
+index caa27f69fd..e8dbb2c36c 100755
+--- a/test/TEST-08-INITRD/test.sh
++++ b/test/TEST-08-INITRD/test.sh
+@@ -3,6 +3,10 @@
+ set -e
+
+ TEST_DESCRIPTION="Test various scenarios involving transition from/to initrd"
++# Note: for debugging systemd.journald.max_level_console=debug might come in handy
++# as well, but it's not used here since it's _very_ noisy and slows the test
++# down a lot
++KERNEL_APPEND="${KERNEL_APPEND:-} systemd.journald.forward_to_console=1"
+ TEST_NO_NSPAWN=1
+
+ # shellcheck source=test/test-functions
+--
+2.33.0
+
diff --git a/backport-test-make-install_mdadm-also-install-relevant-kernel.patch b/backport-test-make-install_mdadm-also-install-relevant-kernel.patch
new file mode 100644
index 0000000..6a5378b
--- /dev/null
+++ b/backport-test-make-install_mdadm-also-install-relevant-kernel.patch
@@ -0,0 +1,28 @@
+From 570766c8b612c734fed642b74218bf1be142ebb1 Mon Sep 17 00:00:00 2001
+From: Yu Watanabe
+Date: Wed, 6 Dec 2023 13:32:15 +0900
+Subject: [PATCH 0181/1160] test: make install_mdadm() also install relevant
+ kernel modules
+
+Installing mdadm without kernel modules is mostly meaningless.
+
+(cherry picked from commit 4ed943e97bb7ef4227837f7a6f607cd313cae70b)
+---
+ test/test-functions | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/test/test-functions b/test/test-functions
+index 8e5570aa01..2fc207e44c 100644
+--- a/test/test-functions
++++ b/test/test-functions
+@@ -1290,6 +1290,7 @@ install_mdadm() {
+ system-shutdown/mdadm.shutdown
+ )
+
++ instmods "=md"
+ image_install mdadm mdmon
+ inst_rules 01-md-raid-creating.rules 63-md-raid-arrays.rules 64-md-raid-assembly.rules 69-md-clustered-confirm-device.rules
+ # Fedora/CentOS/RHEL ships this rule file
+--
+2.33.0
+
diff --git a/backport-test-make-sure-that-sd-boot-is-installed-before-test.patch b/backport-test-make-sure-that-sd-boot-is-installed-before-test.patch
new file mode 100644
index 0000000..d088c15
--- /dev/null
+++ b/backport-test-make-sure-that-sd-boot-is-installed-before-test.patch
@@ -0,0 +1,33 @@
+From 9f7b7726b3b49061d34b6c78f12b5c00868a064f Mon Sep 17 00:00:00 2001
+From: Franck Bui
+Date: Tue, 13 Feb 2024 18:16:19 +0100
+Subject: [PATCH 0307/1160] test: make sure that sd-boot is installed before
+ testing bootctl
+
+bootctl can be installed also non uefi systems so its sole presence doesn't
+mean that we can test installation of sd-boot.
+
+(cherry picked from commit 26fff16b901c5b7dac203a00fb6ca52cf451361b)
+---
+ test/units/testsuite-74.bootctl.sh | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/test/units/testsuite-74.bootctl.sh b/test/units/testsuite-74.bootctl.sh
+index 61373b506e..4be7bfd0b8 100755
+--- a/test/units/testsuite-74.bootctl.sh
++++ b/test/units/testsuite-74.bootctl.sh
+@@ -13,6 +13,11 @@ if ! command -v bootctl >/dev/null; then
+ exit 0
+ fi
+
++if [[ ! -d /usr/lib/systemd/boot/efi ]]; then
++ echo "sd-boot is not installed, skipping."
++ exit 0
++fi
++
+ # shellcheck source=test/units/util.sh
+ . "$(dirname "$0")"/util.sh
+
+--
+2.33.0
+
diff --git a/backport-test-make-sure-the-dummy-CA-certificate-is-marked-as.patch b/backport-test-make-sure-the-dummy-CA-certificate-is-marked-as.patch
new file mode 100644
index 0000000..1753e1c
--- /dev/null
+++ b/backport-test-make-sure-the-dummy-CA-certificate-is-marked-as.patch
@@ -0,0 +1,70 @@ +From 2ea5ddf8186e047de70556f769e3ebcd0bf632e9 Mon Sep 17 00:00:00 2001 +From: Frantisek Sumsal +Date: Sat, 23 Dec 2023 13:33:11 +0100 +Subject: [PATCH 0085/1160] test: make sure the dummy CA certificate is marked + as such + +With OpenSSL 3.2.0+ this is necessary, otherwise the verification +of such CA certificate fails badly: + +$ openssl s_client -CAfile /run/systemd/remote-pki/ca.crt -connect localhost:19532 +... +Connecting to ::1 +CONNECTED(00000003) +Can't use SSL_get_servername +depth=1 C=CZ, L=Brno, O=Foo, OU=Bar, CN=Test CA +verify error:num=79:invalid CA certificate +verify return:1 +depth=1 C=CZ, L=Brno, O=Foo, OU=Bar, CN=Test CA +verify error:num=26:unsuitable certificate purpose +verify return:1 +... +--- +SSL handshake has read 1566 bytes and written 409 bytes +Verification error: unsuitable certificate purpose +--- +New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384 +Server public key is 2048 bit +This TLS version forbids renegotiation. +Compression: NONE +Expansion: NONE +No ALPN negotiated +Early data was not sent +Verify return code: 26 (unsuitable certificate purpose) + +(cherry picked from commit 4e5984f0271dd14d24aa25ff1d5401378acaa7c4) +--- + test/units/testsuite-04.journal-remote.sh | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/test/units/testsuite-04.journal-remote.sh b/test/units/testsuite-04.journal-remote.sh +index b7d9cbd81b..c7b99b11fb 100755 +--- a/test/units/testsuite-04.journal-remote.sh ++++ b/test/units/testsuite-04.journal-remote.sh +@@ -109,6 +109,11 @@ L = Brno + O = Foo + OU = Bar + CN = Test CA ++ ++[ v3_ca ] ++subjectKeyIdentifier = hash ++authorityKeyIdentifier = keyid:always,issuer:always ++basicConstraints = CA:true + EOF + cat >/run/systemd/remote-pki/client.conf </run/systemd/remote-pki/ca.srl + # Generate a client key and signing request + openssl req -nodes -newkey rsa:2048 -sha256 \ +-- +2.33.0 + 
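Review bot: The new `[ v3_ca ]` section sets `basicConstraints = CA:true` without marking it critical and adds no keyUsage, which is the minimum that satisfies OpenSSL 3.2's "invalid CA certificate" check but not what a real CA profile looks like; RFC 5280 requires basicConstraints to be critical in CA certificates, and the conventional test-CA shape is `basicConstraints = critical, CA:true` plus `keyUsage = critical, keyCertSign, cRLSign`. Making the test CA conform now avoids the same class of surprise the next time OpenSSL tightens its purpose checks. The `client.conf` heredoc that follows appears truncated in this rendering, so I cannot tell whether the client and server certificates get matching `extendedKeyUsage` values; worth confirming they do, since the commit message shows verification is now purpose-aware.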
diff --git a/backport-test-make-sure-to-install-the-filesystem-package-in-.patch b/backport-test-make-sure-to-install-the-filesystem-package-in-.patch new file mode 100644 index 0000000..9d78573 --- /dev/null +++ b/backport-test-make-sure-to-install-the-filesystem-package-in-.patch @@ -0,0 +1,32 @@ +From f16f33d5e1e0e0f1ea469931d929a7647ae2d5b1 Mon Sep 17 00:00:00 2001 +From: Franck Bui +Date: Wed, 14 Feb 2024 10:01:57 +0100 +Subject: [PATCH 0308/1160] test: make sure to install the filesystem package + in the test image on SUSE + +Othewise test images are missing the tmpfiles snippets used to create the very +basic files at boot, which can be useful when a test wants to reuse the OS tree +(is already running in) for spawning a new container in pristine state. + +(cherry picked from commit 08abfd0b8c8e50e6be411ed9c909e6ccc893f223) +--- + test/test-functions | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/test/test-functions b/test/test-functions +index 63376c4a83..c5363619e7 100644 +--- a/test/test-functions ++++ b/test/test-functions +@@ -1378,6 +1378,9 @@ install_rpm() { + install_suse_systemd() { + local pkgs + ++ dinfo "Install basic filesystem structure" ++ install_rpm filesystem ++ + dinfo "Install SUSE systemd" + + pkgs=( +-- +2.33.0 + diff --git a/backport-test-make-the-MemoryHigh-limit-a-bit-more-generous-w.patch b/backport-test-make-the-MemoryHigh-limit-a-bit-more-generous-w.patch new file mode 100644 index 0000000..c03fa61 --- /dev/null +++ b/backport-test-make-the-MemoryHigh-limit-a-bit-more-generous-w.patch 
@@ -0,0 +1,77 @@ +From 2fb3eadf8d360a2c347870225ed87907295fe152 Mon Sep 17 00:00:00 2001 +From: Frantisek Sumsal +Date: Fri, 9 Feb 2024 18:44:58 +0100 +Subject: [PATCH 0209/1160] test: make the MemoryHigh= limit a bit more + generous with sanitizers + +When we're running with sanitizers, sd-executor might pull in a +significant chunk of shared libraries on startup, that can cause a lot +of memory pressure and put us in the front when sd-oomd decides to go on +a killing spree. This is exacerbated further on Arch Linux when built +with gcc, as Arch ships unstripped gcc-libs so sd-executor pulls in over +30M of additional shared libs on startup: + +~# lddtree build-san/systemd-executor +build-san/systemd-executor (interpreter => /lib64/ld-linux-x86-64.so.2) + libasan.so.8 => /usr/lib/libasan.so.8 + libstdc++.so.6 => /usr/lib/libstdc++.so.6 + libm.so.6 => /usr/lib/libm.so.6 + libgcc_s.so.1 => /usr/lib/libgcc_s.so.1 + libsystemd-core-255.so => /root/systemd/build-san/src/core/libsystemd-core-255.so + libaudit.so.1 => /usr/lib/libaudit.so.1 + libcap-ng.so.0 => /usr/lib/libcap-ng.so.0 +... 
+ libseccomp.so.2 => /usr/lib/libseccomp.so.2 + libubsan.so.1 => /usr/lib/libubsan.so.1 + libc.so.6 => /usr/lib/libc.so.6 + +~# ls -Llh /usr/lib/libasan.so.8 /usr/lib/libstdc++.so.6 /usr/lib/libubsan.so.1 +-rwxr-xr-x 1 root root 9.7M Feb 2 10:36 /usr/lib/libasan.so.8 +-rwxr-xr-x 1 root root 21M Feb 2 10:36 /usr/lib/libstdc++.so.6 +-rwxr-xr-x 1 root root 3.2M Feb 2 10:36 /usr/lib/libubsan.so.1 + +Sanitized libsystemd-core.so is also quite big: + +~# ls -Llh /root/systemd/build-san/src/core/libsystemd-core-255.so /usr/lib/systemd/libsystemd-core-255.so +-rwxr-xr-x 1 root root 26M Feb 8 19:04 /root/systemd/build-san/src/core/libsystemd-core-255.so +-rwxr-xr-x 1 root root 5.9M Feb 7 12:03 /usr/lib/systemd/libsystemd-core-255.so + +(cherry picked from commit 974fe6131f1fae5c31e18e0979a40d56a85c2c88) +--- + test/units/testsuite-55.sh | 20 +++++++++++++++++--- + 1 file changed, 17 insertions(+), 3 deletions(-) + +diff --git a/test/units/testsuite-55.sh b/test/units/testsuite-55.sh +index afd3053e4d..6623243622 100755 +--- a/test/units/testsuite-55.sh ++++ b/test/units/testsuite-55.sh +@@ -71,9 +71,23 @@ if systemctl is-active systemd-oomd.service; then + systemctl restart systemd-oomd.service + fi + +-# Ensure that we can start services even with a very low hard memory cap without oom-kills, but skip under +-# sanitizers as they balloon memory usage. +-if ! [[ -v ASAN_OPTIONS || -v UBSAN_OPTIONS ]]; then ++if [[ -v ASAN_OPTIONS || -v UBSAN_OPTIONS ]]; then ++ # If we're running with sanitizers, sd-executor might pull in quite a significant chunk of shared ++ # libraries, which in turn causes a lot of pressure that can put us in the front when sd-oomd decides to ++ # go on a killing spree. This fact is exacerbated further on Arch Linux which ships unstripped gcc-libs, ++ # so sd-executor pulls in over 30M of libs on startup. Let's make the MemoryHigh= limit a bit more ++ # generous when running with sanitizers to make the test happy. 
++ mkdir -p /run/systemd/system/testsuite-55-testchill.service.d/ ++ cat >/run/systemd/system/testsuite-55-testchill.service.d/99-MemoryHigh.conf < +Date: Thu, 11 Apr 2024 11:35:17 +0200 +Subject: [PATCH 0347/1160] test: make the output of TEST-69 less painful to + read + +The logs from TEST-69 still contain a lot of unnecessary shell +metacharacters, so to make the output more readable let's just set +TERM=dumb, instead of having to strip everything semi-manually. Also, +move the related --background= tweak to TEST-69, since it's relevant +only for that particular test. + +Follow-up for 8d4bfd38ed941aa8003d7007145eccc01f52a5f6. + +v255-only change: --background= is not supported in v255's sd-nspawn, so + that hunk is dropped + +(cherry picked from commit 8d9cdb31f7cc41bb2252be70a2410030551aabde) +--- + test/test-shutdown.py | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/test/test-shutdown.py b/test/test-shutdown.py +index 870c1e269f..d19a03742c 100755 +--- a/test/test-shutdown.py ++++ b/test/test-shutdown.py +@@ -12,7 +12,6 @@ import pexpect + + + def run(args): +- + ret = 1 + logger = logging.getLogger("test-shutdown") + logfile = None +@@ -25,7 +24,7 @@ def run(args): + + logger.info("spawning test") + console = pexpect.spawn(args.command, args.arg, logfile=logfile, env={ +- "TERM": "linux", ++ "TERM": "dumb", + }, encoding='utf-8', timeout=60) + + logger.debug("child pid %d", console.pid) +-- +2.33.0 + diff --git a/backport-test-mask-mdmonitor-when-building-image.patch b/backport-test-mask-mdmonitor-when-building-image.patch new file mode 100644 index 0000000..9f84792 --- /dev/null +++ b/backport-test-mask-mdmonitor-when-building-image.patch 
@@ -0,0 +1,46 @@ +From 374a0f678817c1ab054587def008e65806f9c437 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Wed, 13 Dec 2023 14:28:00 +0900 +Subject: [PATCH 0182/1160] test: mask mdmonitor when building image + +Follow-up for 22e31655f3f9f54d932d4f48b92b36698e701729. + +(cherry picked from commit 0f236e8cd6309cdc392d9e62bc545dcd497a9c50) +--- + test/test-functions | 4 ++++ + test/units/testsuite-64.sh | 4 ---- + 2 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/test/test-functions b/test/test-functions +index 2fc207e44c..3fd795b9f7 100644 +--- a/test/test-functions ++++ b/test/test-functions +@@ -1299,6 +1299,10 @@ install_mdadm() { + for unit in "${mdadm_units[@]}"; do + image_install "${ROOTLIBDIR:?}/$unit" + done ++ ++ # Disable the mdmonitor service, since it fails if there's no valid email address ++ # configured in /etc/mdadm.conf, which just unnecessarily pollutes the logs ++ "${SYSTEMCTL:?}" mask --root "${initdir:?}" mdmonitor.service || : + } + + install_compiled_systemd() { +diff --git a/test/units/testsuite-64.sh b/test/units/testsuite-64.sh +index 299c5eb183..65e5f6cd91 100755 +--- a/test/units/testsuite-64.sh ++++ b/test/units/testsuite-64.sh +@@ -1164,10 +1164,6 @@ testcase_mdadm_lvm() { + helper_check_device_units + } + +-# Disable the mdmonitor service, since it fails if there's no valid email address +-# configured in /etc/mdadm.conf, which just unnecessarily pollutes the logs +-systemctl list-unit-files mdmonitor.service >/dev/null && systemctl mask --runtime mdmonitor.service +- + udevadm settle + udevadm control --log-level debug + lsblk -a +-- +2.33.0 + diff --git a/backport-test-mask-rc.local-generator-broken-on-Jammy.patch b/backport-test-mask-rc.local-generator-broken-on-Jammy.patch new file mode 100644 index 0000000..fc27676 --- /dev/null +++ b/backport-test-mask-rc.local-generator-broken-on-Jammy.patch 
@@ -0,0 +1,35 @@ +From 565916c245b53b49f5917f5326d21246f46ae3db Mon Sep 17 00:00:00 2001 +From: Luca Boccassi +Date: Tue, 8 Oct 2024 23:01:15 +0100 +Subject: [PATCH 0922/1160] test: mask rc.local generator, broken on Jammy + +On jammy it started to fail, it's not really needed and we install +an empty stub anyway, so just mask the generator +--- + test/test-functions | 10 +++------- + 1 file changed, 3 insertions(+), 7 deletions(-) + +diff --git a/test/test-functions b/test/test-functions +index 91d87f8b73..80efa539c1 100644 +--- a/test/test-functions ++++ b/test/test-functions +@@ -1961,13 +1961,9 @@ check_result_qemu() { + } + + create_rc_local() { +- dinfo "Create rc.local" +- mkdir -p "${initdir:?}/etc/rc.d" +- cat >"$initdir/etc/rc.d/rc.local" < +Date: Tue, 12 Dec 2023 23:01:31 +0100 +Subject: [PATCH 0062/1160] test: mask the mdmonitor.service + +It's pulled in by one of the udev rules (63-md-raid-arrays.rules) and it +fails every time, because there's no valid email address in +/etc/mdadm.conf: + +[ 5.778153] testsuite-64.sh[403]: mdadm: array /dev/md/mdmirror started. +[ 5.819137] kernel: md/raid1:md127: not clean -- starting background reconstruction +[ 5.819141] kernel: md/raid1:md127: active with 2 out of 2 mirrors +[ 5.819159] kernel: md127: detected capacity change from 0 to 129024 +[ 5.821950] kernel: md: resync of RAID array md127 +... +[ 5.887192] mdadm[424]: mdadm: No mail address or alert command - not monitoring. +[ 5.890772] systemd[1]: Starting mdmonitor.service... +[ 5.891718] systemd[1]: Started mdmonitor.service. +[ 5.892570] systemd[1]: mdmonitor.service: Main process exited, code=exited, status=1/FAILURE +[ 5.892618] systemd[1]: mdmonitor.service: Failed with result 'exit-code'. + +And as we (re)assemble the MD devices multiple times, this gets quite +noisy, especially since we later start hitting the service start rate +limit. 
+ +Fedora has the mdmonitor.service patched, so it won't start without +/etc/mdadm.conf being present, but Arch uses the upstream unit which +doesn't have such guard. + +Let's just mask the service completely, which replaces all that noise +with one warning: + +[ 6.553583] testsuite-64.sh[294]: + udevadm wait --settle ... +[ 6.580700] systemd[1]: sys-devices-virtual-block-md127.device: Failed to enqueue SYSTEMD_WANTS job, ignoring: Unit mdmonitor.service is masked. + +(cherry picked from commit 22e31655f3f9f54d932d4f48b92b36698e701729) +--- + test/units/testsuite-64.sh | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/test/units/testsuite-64.sh b/test/units/testsuite-64.sh +index 81edb0ab7a..0e598cc6b3 100755 +--- a/test/units/testsuite-64.sh ++++ b/test/units/testsuite-64.sh +@@ -1159,6 +1159,10 @@ testcase_mdadm_lvm() { + helper_check_device_units + } + ++# Disable the mdmonitor service, since it fails if there's no valid email address ++# configured in /etc/mdadm.conf, which just unnecessarily pollutes the logs ++systemctl list-unit-files mdmonitor.service >/dev/null && systemctl mask --runtime mdmonitor.service ++ + udevadm settle + udevadm control --log-level debug + lsblk -a +-- +2.33.0 + diff --git a/backport-test-mask-tmpfiles.d-file-shipped-by-selinux-policy-.patch b/backport-test-mask-tmpfiles.d-file-shipped-by-selinux-policy-.patch new file mode 100644 index 0000000..35705a1 --- /dev/null +++ b/backport-test-mask-tmpfiles.d-file-shipped-by-selinux-policy-.patch 
@@ -0,0 +1,39 @@ +From 37e27eeec811af0a2d8f86b2b241669ef9ed31fa Mon Sep 17 00:00:00 2001 +From: Luca Boccassi +Date: Sat, 23 Nov 2024 13:28:03 +0000 +Subject: [PATCH 1038/1160] test: mask tmpfiles.d file shipped by selinux + policy package in containers + +This tmpfiles.d wants to write to sysfs, which is read-only in containers, +so systemd-tmpfiles --create fails in TEST-22-TMPFILES when ran in nspawn +if the selinux policy package is instealled. Mask it, as it's not our +config file, we don't need it in the test. + +(cherry picked from commit 6fd3496cfd0d28808b5489ee87f826c2130f5f0b) +(cherry picked from commit 2d975f64d40cff41f36792d92dde65a65fb0dd9d) +--- + test/units/testsuite-22.sh | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/test/units/testsuite-22.sh b/test/units/testsuite-22.sh +index 9c2a033aa9..85109a1ad5 100755 +--- a/test/units/testsuite-22.sh ++++ b/test/units/testsuite-22.sh +@@ -6,6 +6,14 @@ set -o pipefail + # shellcheck source=test/units/test-control.sh + . "$(dirname "$0")"/test-control.sh + ++if systemd-detect-virt --quiet --container; then ++ # This comes from the selinux package and tries to write ++ # some files under sysfs, which will be read-only in a container, ++ # so mask it. It's not our tmpfiles.d file anyway. ++ mkdir -p /run/tmpfiles.d/ ++ ln -s /dev/null /run/tmpfiles.d/selinux-policy.conf ++fi ++ + run_subtests + + touch /testok +-- +2.33.0 + diff --git a/backport-test-modernize-TEST-55-OOMD-s-init.patch b/backport-test-modernize-TEST-55-OOMD-s-init.patch new file mode 100644 index 0000000..ccf5afc --- /dev/null +++ b/backport-test-modernize-TEST-55-OOMD-s-init.patch 
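Review bot: `ln -s /dev/null /run/tmpfiles.d/selinux-policy.conf` fails with EEXIST if the script is run twice in the same container (for example a re-run of the test unit), and if the script runs under `set -e` — only `set -o pipefail` is visible in the context lines — that aborts the test before `run_subtests`. `ln -sf /dev/null /run/tmpfiles.d/selinux-policy.conf` makes the mask idempotent at no cost. It would also help to name the file being masked in the comment, since "This comes from the selinux package" does not say which tmpfiles.d snippet is meant: `# Mask selinux-policy.conf (shipped by the selinux-policy package), which writes under sysfs.`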
@@ -0,0 +1,42 @@ +From 6cd6d89469da4340aae8b51600df8027186c49c5 Mon Sep 17 00:00:00 2001 +From: Frantisek Sumsal +Date: Fri, 16 Feb 2024 13:53:01 +0100 +Subject: [PATCH 0323/1160] test: "modernize" TEST-55-OOMD's init + +(cherry picked from commit 7e2bf4c5ee871f797c853d8b6474d4d379dad8e2) +--- + test/TEST-55-OOMD/test.sh | 13 ++++++------- + 1 file changed, 6 insertions(+), 7 deletions(-) + +diff --git a/test/TEST-55-OOMD/test.sh b/test/TEST-55-OOMD/test.sh +index 9a9cdecf70..5e3096315c 100755 +--- a/test/TEST-55-OOMD/test.sh ++++ b/test/TEST-55-OOMD/test.sh +@@ -12,18 +12,17 @@ TEST_NO_NSPAWN=1 + . "${TEST_BASE_DIR:?}/test-functions" + + test_append_files() { +- # Create a swap file +- ( +- image_install mkswap swapon swapoff stress +- image_install -o btrfs ++ local workspace="${1:?}" + +- mkdir -p "${initdir:?}/etc/systemd/system/init.scope.d/" +- cat >>"${initdir:?}/etc/systemd/system/init.scope.d/test-55-oomd.conf" <"${workspace:?}/etc/systemd/system/init.scope.d/test-55-oomd.conf" < +Date: Wed, 28 Aug 2024 22:08:33 +0100 +Subject: [PATCH 0873/1160] test: mount ld.so.cache in minimal nspawn container + if present + +In some cases (SUSE Tumbleweed) this is needed as a library (libz) is +not in the default path, so it fails to run. + +(cherry picked from commit 1e17e48b96bb509754a0a11ea8bd0394965564c6) +(cherry picked from commit a2c84836efc5216e99af4c3e4ba3f6c2be7e67e1) +--- + test/units/testsuite-13.nspawn.sh | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/test/units/testsuite-13.nspawn.sh b/test/units/testsuite-13.nspawn.sh +index 81ff0f906f..d3e96da872 100755 +--- a/test/units/testsuite-13.nspawn.sh ++++ b/test/units/testsuite-13.nspawn.sh +@@ -870,6 +870,11 @@ testcase_check_os_release() { + --bind-ro="$base/usr:/usr" + ) + ++ # Might be needed to find libraries ++ if [ -f "$base/etc/ld.so.cache" ]; then ++ common_opts+=("--bind-ro=$base/etc/ld.so.cache:/etc/ld.so.cache") ++ fi ++ + # Empty /etc/ & /usr/ + (! 
systemd-nspawn "${common_opts[@]}") + (! SYSTEMD_NSPAWN_CHECK_OS_RELEASE=1 systemd-nspawn "${common_opts[@]}") +-- +2.33.0 + diff --git a/backport-test-namespace-SOCK_CLOEXEC-ify-all-the-things.patch b/backport-test-namespace-SOCK_CLOEXEC-ify-all-the-things.patch new file mode 100644 index 0000000..2225332 --- /dev/null +++ b/backport-test-namespace-SOCK_CLOEXEC-ify-all-the-things.patch @@ -0,0 +1,26 @@ +From b7866095dfe26f242f65acb8cbd80434e43caad1 Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Wed, 31 Jan 2024 13:22:33 +0100 +Subject: [PATCH 0287/1160] test-namespace: SOCK_CLOEXEC'ify all the things + +(cherry picked from commit 4f6d671dd109b6631622691b1c8cd67d6e7e7cfd) +--- + src/test/test-namespace.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/test/test-namespace.c b/src/test/test-namespace.c +index 130c870602..65d08259d4 100644 +--- a/src/test/test-namespace.c ++++ b/src/test/test-namespace.c +@@ -93,7 +93,7 @@ static void test_shareable_ns(unsigned long nsflag) { + return; + } + +- assert_se(socketpair(AF_UNIX, SOCK_DGRAM, 0, s) >= 0); ++ assert_se(socketpair(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0, s) >= 0); + + pid1 = fork(); + assert_se(pid1 >= 0); +-- +2.33.0 + diff --git a/backport-test-netlink-Gracefully-handle-the-loopback-interfac.patch b/backport-test-netlink-Gracefully-handle-the-loopback-interfac.patch new file mode 100644 index 0000000..e159245 --- /dev/null +++ b/backport-test-netlink-Gracefully-handle-the-loopback-interfac.patch 
@@ -0,0 +1,49 @@ +From 77ee2a8d72964137d3e162d9d9f656e4266357a2 Mon Sep 17 00:00:00 2001 +From: Daan De Meyer +Date: Sun, 18 Aug 2024 13:19:30 +0200 +Subject: [PATCH 0855/1160] test-netlink: Gracefully handle the loopback + interface being down + +(cherry picked from commit d098b8df6e5c1b4c834272dd1397345483116db6) +(cherry picked from commit f6f96b05585ef3b05cef843a2c1cb2c55e77d3ba) +--- + src/libsystemd/sd-netlink/test-netlink.c | 16 +++++++++++----- + 1 file changed, 11 insertions(+), 5 deletions(-) + +diff --git a/src/libsystemd/sd-netlink/test-netlink.c b/src/libsystemd/sd-netlink/test-netlink.c +index 13aedc4dbe..4b7cdcef13 100644 +--- a/src/libsystemd/sd-netlink/test-netlink.c ++++ b/src/libsystemd/sd-netlink/test-netlink.c +@@ -91,18 +91,24 @@ TEST(message_address) { + struct in_addr in_data; + struct ifa_cacheinfo cache; + const char *label; ++ int r; + + assert_se(sd_netlink_open(&rtnl) >= 0); + ifindex = (int) if_nametoindex("lo"); + + assert_se(sd_rtnl_message_new_addr(rtnl, &message, RTM_GETADDR, ifindex, AF_INET) >= 0); + assert_se(sd_netlink_message_set_request_dump(message, true) >= 0); +- assert_se(sd_netlink_call(rtnl, message, 0, &reply) == 1); + +- assert_se(sd_netlink_message_read_in_addr(reply, IFA_LOCAL, &in_data) >= 0); +- assert_se(sd_netlink_message_read_in_addr(reply, IFA_ADDRESS, &in_data) >= 0); +- assert_se(sd_netlink_message_read_string(reply, IFA_LABEL, &label) >= 0); +- assert_se(sd_netlink_message_read_cache_info(reply, IFA_CACHEINFO, &cache) == 0); ++ r = sd_netlink_call(rtnl, message, 0, &reply); ++ assert_se(r >= 0); ++ ++ /* If the loopback device is down we won't get any results. 
*/ ++ if (r > 0) { ++ assert_se(sd_netlink_message_read_in_addr(reply, IFA_LOCAL, &in_data) >= 0); ++ assert_se(sd_netlink_message_read_in_addr(reply, IFA_ADDRESS, &in_data) >= 0); ++ assert_se(sd_netlink_message_read_string(reply, IFA_LABEL, &label) >= 0); ++ assert_se(sd_netlink_message_read_cache_info(reply, IFA_CACHEINFO, &cache) == 0); ++ } + } + + TEST(message_route) { +-- +2.33.0 + diff --git a/backport-test-network-add-one-more-test-case-for-DHCP-prefix-.patch b/backport-test-network-add-one-more-test-case-for-DHCP-prefix-.patch new file mode 100644 index 0000000..30f3662 --- /dev/null +++ b/backport-test-network-add-one-more-test-case-for-DHCP-prefix-.patch 
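Review bot: When `sd_netlink_call()` returns 0 the whole body of `TEST(message_address)` is now skipped silently and the test still reports success, so a CI host with loopback down would pass without exercising any of the `sd_netlink_message_read_*` paths. Emit something in the `r == 0` case so the skip is visible in the log, e.g. an `else` branch with `log_notice("Loopback interface is down, skipping address message checks.");` if the logging helpers are in scope for this test, or whatever skip helper the test harness provides. The `ifindex` from `if_nametoindex("lo")` is still unchecked before being passed to `sd_rtnl_message_new_addr()`; that is pre-existing, but an `assert_se(ifindex > 0)` would give a clearer failure than a dump over ifindex 0.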
@@ -0,0 +1,98 @@ +From 54d7f8f9f386923e2bf8d970f5b82a4a25e32d54 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Sat, 17 Feb 2024 05:56:27 +0900 +Subject: [PATCH 0248/1160] test-network: add one more test case for DHCP + prefix delegation + +For issue #31349. + +(cherry picked from commit 3b677c6f94ab2d70352b3faa3be23c2a5ab60c4c) +--- + .../25-dhcp6pd-upstream-no-assign.network | 20 +++++++++++++++++++ + .../conf/isc-dhcpd-dhcp6pd-no-range.conf | 18 +++++++++++++++++ + test/test-network/systemd-networkd-tests.py | 17 ++++++++++++++++ + 3 files changed, 55 insertions(+) + create mode 100644 test/test-network/conf/25-dhcp6pd-upstream-no-assign.network + create mode 100644 test/test-network/conf/isc-dhcpd-dhcp6pd-no-range.conf + +diff --git a/test/test-network/conf/25-dhcp6pd-upstream-no-assign.network b/test/test-network/conf/25-dhcp6pd-upstream-no-assign.network +new file mode 100644 +index 0000000000..5f76390cec +--- /dev/null ++++ b/test/test-network/conf/25-dhcp6pd-upstream-no-assign.network +@@ -0,0 +1,20 @@ ++# SPDX-License-Identifier: LGPL-2.1-or-later ++[Match] ++Name=veth99 ++ ++[Network] ++IPv6PrivacyExtensions=yes ++IPv6AcceptRA=no ++DHCP=ipv6 ++DHCPPrefixDelegation=yes ++ ++[DHCPv6] ++WithoutRA=solicit ++ ++[DHCPPrefixDelegation] ++UplinkInterface=:self ++SubnetId=10 ++Announce=no ++Token=eui64 ++Token=::1a:2b:3c:4d ++Assign=no +diff --git a/test/test-network/conf/isc-dhcpd-dhcp6pd-no-range.conf b/test/test-network/conf/isc-dhcpd-dhcp6pd-no-range.conf +new file mode 100644 +index 0000000000..910853af49 +--- /dev/null ++++ b/test/test-network/conf/isc-dhcpd-dhcp6pd-no-range.conf +@@ -0,0 +1,18 @@ ++default-lease-time 2592000; ++preferred-lifetime 604800; ++ ++option dhcp-renewal-time 3600; ++option dhcp-rebinding-time 7200; ++ ++# Enable RFC 5007 support (same than for DHCPv4) ++allow leasequery; ++ ++option dhcp6.name-servers 3ffe:501:ffff:100:200:ff:fe00:3f3e; ++option dhcp6.domain-search "test.example.com","example.com"; ++ ++option 
dhcp6.info-refresh-time 21600; ++ ++subnet6 3ffe:501:ffff:100::/64 { ++ # Some /64 prefixes available for Prefix Delegation (RFC 3633) ++ prefix6 3ffe:501:ffff:200:: 3ffe:501:ffff:f00:: /56; ++} +diff --git a/test/test-network/systemd-networkd-tests.py b/test/test-network/systemd-networkd-tests.py +index aa59976572..ffd6a89df6 100755 +--- a/test/test-network/systemd-networkd-tests.py ++++ b/test/test-network/systemd-networkd-tests.py +@@ -6169,6 +6169,23 @@ class NetworkdDHCPPDTests(unittest.TestCase, Utilities): + + self.check_dhcp6_prefix('veth99') + ++ def test_dhcp6pd_no_assign(self): ++ # Similar to test_dhcp6pd_no_assign(), but in this case UseAddress=yes (default), ++ # However, the server does not provide IA_NA. For issue #31349. ++ copy_network_unit('25-veth.netdev', '25-dhcp6pd-server.network', '25-dhcp6pd-upstream-no-assign.network') ++ ++ start_networkd() ++ self.wait_online(['veth-peer:routable']) ++ start_isc_dhcpd(conf_file='isc-dhcpd-dhcp6pd-no-range.conf', ipv='-6') ++ self.wait_online(['veth99:degraded']) ++ ++ print('### ip -6 address show dev veth99 scope global') ++ output = check_output('ip -6 address show dev veth99 scope global') ++ print(output) ++ self.assertNotIn('inet6 3ffe:501:ffff', output) ++ ++ self.check_dhcp6_prefix('veth99') ++ + def test_dhcp6pd(self): + copy_network_unit('25-veth.netdev', '25-dhcp6pd-server.network', '25-dhcp6pd-upstream.network', + '25-veth-downstream-veth97.netdev', '25-dhcp-pd-downstream-veth97.network', '25-dhcp-pd-downstream-veth97-peer.network', +-- +2.33.0 + diff --git a/backport-test-network-add-test-case-for-issue-30403.patch b/backport-test-network-add-test-case-for-issue-30403.patch new file mode 100644 index 0000000..1a90e53 --- /dev/null +++ b/backport-test-network-add-test-case-for-issue-30403.patch 
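Review bot: The comment inside the new `test_dhcp6pd_no_assign()` refers to itself — "Similar to test_dhcp6pd_no_assign(), but in this case UseAddress=yes (default)" — so the reader is not told which test it is actually contrasted with; from the mention of `UseAddress=` it looks like the preceding test, presumably a `UseAddress=no` variant, is meant, but I cannot confirm the name from the hunk. Suggested wording: `# Similar to the preceding UseAddress=no test, but here UseAddress=yes (default) and the server provides no IA_NA. For issue #31349.` The new isc-dhcpd config also carries "same than for DHCPv4" in its comment, which should read "same as for DHCPv4".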
@@ -0,0 +1,41 @@ +From fbe064cc74a7a25060d4311b5f3a616b02f3e9c9 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Sun, 10 Dec 2023 14:04:28 +0900 +Subject: [PATCH 0075/1160] test-network: add test case for issue #30403 + +(cherry picked from commit 5e46ca9890bb463644f91426678570edc2891163) +--- + test/test-network/conf/25-route-static.network | 7 +++++++ + test/test-network/systemd-networkd-tests.py | 1 + + 2 files changed, 8 insertions(+) + +diff --git a/test/test-network/conf/25-route-static.network b/test/test-network/conf/25-route-static.network +index 3574f021b0..7ef211d410 100644 +--- a/test/test-network/conf/25-route-static.network ++++ b/test/test-network/conf/25-route-static.network +@@ -108,3 +108,10 @@ MultiPathRoute=2001:1234:5:6fff:ff:ff:ff:ff@test1 20 + MultiPathRoute=2001:1234:5:7fff:ff:ff:ff:ff@test1 30 + MultiPathRoute=2001:1234:5:8fff:ff:ff:ff:ff@dummy98 10 + MultiPathRoute=2001:1234:5:9fff:ff:ff:ff:ff@dummy98 5 ++ ++[Address] ++Address=1.1.8.105/31 ++Peer=1.1.8.104/31 ++ ++[Route] ++Gateway=1.1.8.104 +diff --git a/test/test-network/systemd-networkd-tests.py b/test/test-network/systemd-networkd-tests.py +index d167969f3c..ab1bbf5fe4 100755 +--- a/test/test-network/systemd-networkd-tests.py ++++ b/test/test-network/systemd-networkd-tests.py +@@ -3105,6 +3105,7 @@ class NetworkdNetworkTests(unittest.TestCase, Utilities): + self.assertIn('default via 149.10.125.65 proto static onlink', output) + self.assertIn('default via 149.10.124.64 proto static', output) + self.assertIn('default proto static', output) ++ self.assertIn('default via 1.1.8.104 proto static', output) + + print('### ip -4 route show table local dev dummy98') + output = check_output('ip -4 route show table local dev dummy98') +-- +2.33.0 + diff --git a/backport-test-network-add-test-case-for-issue-31165.patch b/backport-test-network-add-test-case-for-issue-31165.patch new file mode 100644 index 0000000..73d6b2b --- /dev/null 
+++ b/backport-test-network-add-test-case-for-issue-31165.patch @@ -0,0 +1,44 @@ +From b2e0f7185c57344b06c93eb4c66e96c41b1abf2a Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Fri, 2 Feb 2024 11:20:25 +0900 +Subject: [PATCH 0238/1160] test-network: add test case for issue #31165 + +(cherry picked from commit 2bb1d3c1083f8562b00e297dae4268a38de3d99c) +--- + src/network/networkd-setlink.c | 2 ++ + test/test-network/systemd-networkd-tests.py | 6 ++++++ + 2 files changed, 8 insertions(+) + +diff --git a/src/network/networkd-setlink.c b/src/network/networkd-setlink.c +index a454853833..011ea1fe6e 100644 +--- a/src/network/networkd-setlink.c ++++ b/src/network/networkd-setlink.c +@@ -1028,6 +1028,8 @@ static int link_up_or_down(Link *link, bool up, Request *req) { + assert(link->manager->rtnl); + assert(req); + ++ /* The log message is checked in the test. Please also update test_bond_active_slave() in ++ * test/test-network/systemd-networkd-tests.py. when the log message below is modified. */ + log_link_debug(link, "Bringing link %s", up_or_down(up)); + + r = sd_rtnl_message_new_link(link->manager->rtnl, &m, RTM_SETLINK, link->ifindex); +diff --git a/test/test-network/systemd-networkd-tests.py b/test/test-network/systemd-networkd-tests.py +index fd52372c08..59dbd49073 100755 +--- a/test/test-network/systemd-networkd-tests.py ++++ b/test/test-network/systemd-networkd-tests.py +@@ -4356,6 +4356,12 @@ class NetworkdBondTests(unittest.TestCase, Utilities): + print(output) + self.assertIn('active_slave dummy98', output) + ++ # test case for issue #31165. ++ since = datetime.datetime.now() ++ networkctl_reconfigure('dummy98') ++ self.wait_online(['dummy98:enslaved', 'bond199:degraded']) ++ self.assertNotIn('dummy98: Bringing link down', read_networkd_log(since=since)) ++ + def test_bond_primary_slave(self): + copy_network_unit('23-primary-slave.network', '23-bond199.network', '25-bond-active-backup-slave.netdev', '12-dummy.netdev') + start_networkd() +-- +2.33.0 + 
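Review bot: The comment added above `log_link_debug()` in `link_up_or_down()` has a stray period that splits the sentence: "Please also update test_bond_active_slave() in test/test-network/systemd-networkd-tests.py. when the log message below is modified." Suggested: `/* The log message is checked in the test. Please also update test_bond_active_slave() in test/test-network/systemd-networkd-tests.py when the log message below is modified. */`. On the test side, `assertNotIn('dummy98: Bringing link down', read_networkd_log(since=since))` is a negative assertion on a log window, so it passes trivially if the debug-level message is not enabled or the journal has not flushed yet; if the helper does not already guarantee debug logging and a sync, asserting that the expected "Bringing link up" line is present in the same window would make the test self-validating. `link_up_or_down()` continues outside the hunk.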
diff --git a/backport-test-network-add-test-case-for-requesting-routing-po.patch b/backport-test-network-add-test-case-for-requesting-routing-po.patch new file mode 100644 index 0000000..7faf372 --- /dev/null +++ b/backport-test-network-add-test-case-for-requesting-routing-po.patch 
@@ -0,0 +1,99 @@ +From 82dc7061ec5786a8985e542a9d5e6c6b4747aede Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Tue, 4 Feb 2025 09:45:45 +0900 +Subject: [PATCH 1108/1160] test-network: add test case for requesting routing + policy rules by multiple interfaces + +For issue #36244. + +(cherry picked from commit f7ae28fcec9513435f8258431b686fbaf846915b) +(cherry picked from commit 0af0e37813b5ab7e1ee4a4863f2087bb35173b5a) +(cherry picked from commit 9724602ff361a33b356ffc859fcd971619d1985c) +--- + .../25-routing-policy-rule-manual.network | 23 +++++++++++ + test/test-network/systemd-networkd-tests.py | 39 +++++++++++++++++++ + 2 files changed, 62 insertions(+) + create mode 100644 test/test-network/conf/25-routing-policy-rule-manual.network + +diff --git a/test/test-network/conf/25-routing-policy-rule-manual.network b/test/test-network/conf/25-routing-policy-rule-manual.network +new file mode 100644 +index 0000000000..fa1328189a +--- /dev/null ++++ b/test/test-network/conf/25-routing-policy-rule-manual.network +@@ -0,0 +1,23 @@ ++# SPDX-License-Identifier: LGPL-2.1-or-later ++[Match] ++Name=test1 ++Name=test2 ++ ++[Link] ++ActivationPolicy=manual ++ ++[Network] ++IPv6AcceptRA=no ++ ++[RoutingPolicyRule] ++Family=both ++Priority=10 ++SuppressPrefixLength=0 ++Table=51819 ++ ++[RoutingPolicyRule] ++Family=both ++FirewallMark=911 ++InvertRule=true ++Priority=11 ++Table=51820 +diff --git a/test/test-network/systemd-networkd-tests.py b/test/test-network/systemd-networkd-tests.py +index c609f267b5..9e5fd06526 100755 +--- a/test/test-network/systemd-networkd-tests.py ++++ b/test/test-network/systemd-networkd-tests.py +@@ -3068,6 +3068,45 @@ class NetworkdNetworkTests(unittest.TestCase, Utilities): + print(output) + self.assertIn('10113: from all iif test1 lookup 1011', output) + ++ def test_routing_policy_rule_manual(self): ++ # For issue #36244. 
++ copy_network_unit( ++ '11-dummy.netdev', ++ '25-routing-policy-rule-manual.network') ++ start_networkd() ++ self.wait_operstate('test1', operstate='off', setup_state='configuring', setup_timeout=20) ++ ++ check_output('ip link add test2 type dummy') ++ self.wait_operstate('test2', operstate='off', setup_state='configuring', setup_timeout=20) ++ ++ networkctl('up', 'test2') ++ self.wait_online('test2:degraded') ++ ++ # The request for the routing policy rules are bound to test1. Hence, we need to wait for the rules ++ # being configured explicitly. ++ for _ in range(20): ++ time.sleep(0.5) ++ ++ output = check_output('ip -4 rule list table 51819') ++ if output != '10: from all lookup 51819 suppress_prefixlength 0 proto static': ++ continue ++ ++ output = check_output('ip -6 rule list table 51819') ++ if output != '10: from all lookup 51819 suppress_prefixlength 0 proto static': ++ continue ++ ++ output = check_output('ip -4 rule list table 51820') ++ if output != '11: not from all fwmark 0x38f lookup 51820 proto static': ++ continue ++ ++ output = check_output('ip -6 rule list table 51820') ++ if output != '11: not from all fwmark 0x38f lookup 51820 proto static': ++ continue ++ ++ break ++ else: ++ self.assertFalse(True) ++ + @expectedFailureIfRoutingPolicyPortRangeIsNotAvailable() + def test_routing_policy_rule_port_range(self): + copy_network_unit('25-fibrule-port-range.network', '11-dummy.netdev') +-- +2.33.0 + diff --git a/backport-test-network-add-test-for-small-MTU-for-vcan.patch b/backport-test-network-add-test-for-small-MTU-for-vcan.patch new file mode 100644 index 0000000..56144c6 --- /dev/null +++ b/backport-test-network-add-test-for-small-MTU-for-vcan.patch 
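Review bot: The `else:` arm of the polling loop in `test_routing_policy_rule_manual()` ends in `self.assertFalse(True)`, which on timeout produces the message "True is not false" and discards the `ip rule` output that would explain which table never matched. Replace it with `self.fail(f'routing policy rules for test1 were not configured within 10s, last output: {output!r}')` so the failure is self-describing. The four comparisons use exact string equality against `ip rule list` output; if `check_output` in this file does not strip trailing whitespace this never matches and the loop always times out, so an `.strip()` or `assertIn`-style comparison on each would be more robust — I cannot see the helper's definition from the hunk.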
@@ -0,0 +1,78 @@ +From 16f193d51861db4befd6228b773cf7a86c03339a Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Wed, 6 Dec 2023 14:55:03 +0900 +Subject: [PATCH 0052/1160] test-network: add test for small MTU for vcan + +Prompted by https://github.com/systemd/systemd/issues/30140#issuecomment-1837973580. + +(cherry picked from commit 470a329d9849d108e28f72d00dd130d130cebb01) +--- + test/test-network/conf/25-vcan.netdev | 1 + + test/test-network/conf/25-vcan98.netdev | 4 ++++ + test/test-network/conf/25-vcan98.network | 6 ++++++ + test/test-network/systemd-networkd-tests.py | 14 ++++++++++++-- + 4 files changed, 23 insertions(+), 2 deletions(-) + create mode 100644 test/test-network/conf/25-vcan98.netdev + create mode 100644 test/test-network/conf/25-vcan98.network + +diff --git a/test/test-network/conf/25-vcan.netdev b/test/test-network/conf/25-vcan.netdev +index 29bd98e5c9..2762dd2374 100644 +--- a/test/test-network/conf/25-vcan.netdev ++++ b/test/test-network/conf/25-vcan.netdev +@@ -2,3 +2,4 @@ + [NetDev] + Name=vcan99 + Kind=vcan ++MTUBytes=16 +diff --git a/test/test-network/conf/25-vcan98.netdev b/test/test-network/conf/25-vcan98.netdev +new file mode 100644 +index 0000000000..5333c82da4 +--- /dev/null ++++ b/test/test-network/conf/25-vcan98.netdev +@@ -0,0 +1,4 @@ ++# SPDX-License-Identifier: LGPL-2.1-or-later ++[NetDev] ++Name=vcan98 ++Kind=vcan +diff --git a/test/test-network/conf/25-vcan98.network b/test/test-network/conf/25-vcan98.network +new file mode 100644 +index 0000000000..97f824d244 +--- /dev/null ++++ b/test/test-network/conf/25-vcan98.network +@@ -0,0 +1,6 @@ ++# SPDX-License-Identifier: LGPL-2.1-or-later ++[Match] ++Name=vcan98 ++ ++[Link] ++MTUBytes=16 +diff --git a/test/test-network/systemd-networkd-tests.py b/test/test-network/systemd-networkd-tests.py +index f49438ecd1..d167969f3c 100755 +--- a/test/test-network/systemd-networkd-tests.py ++++ b/test/test-network/systemd-networkd-tests.py +@@ -1725,10 +1725,20 @@ class 
NetworkdNetDevTests(unittest.TestCase, Utilities): + + @expectedFailureIfModuleIsNotAvailable('vcan') + def test_vcan(self): +- copy_network_unit('25-vcan.netdev', '26-netdev-link-local-addressing-yes.network') ++ copy_network_unit('25-vcan.netdev', '26-netdev-link-local-addressing-yes.network', ++ '25-vcan98.netdev', '25-vcan98.network') + start_networkd() + +- self.wait_online(['vcan99:carrier']) ++ self.wait_online(['vcan99:carrier', 'vcan98:carrier']) ++ ++ # https://github.com/systemd/systemd/issues/30140 ++ output = check_output('ip -d link show vcan99') ++ print(output) ++ self.assertIn('mtu 16 ', output) ++ ++ output = check_output('ip -d link show vcan98') ++ print(output) ++ self.assertIn('mtu 16 ', output) + + @expectedFailureIfModuleIsNotAvailable('vxcan') + def test_vxcan(self): +-- +2.33.0 + diff --git a/backport-test-network-add-test-for-stack-overflow-in-qdisc_dr.patch b/backport-test-network-add-test-for-stack-overflow-in-qdisc_dr.patch new file mode 100644 index 0000000..26520f2 --- /dev/null +++ b/backport-test-network-add-test-for-stack-overflow-in-qdisc_dr.patch 
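Review bot: The new checks in `test_vcan` exercise two different configuration paths without saying so: vcan99 receives its MTU from `MTUBytes=` in the `[NetDev]` section of `25-vcan.netdev`, while vcan98 receives it from `[Link]` in `25-vcan98.network`, and the issue URL alone does not convey that. A comment above the first `ip -d link show` would document the intent: `# vcan99 gets MTUBytes= from [NetDev] (25-vcan.netdev), vcan98 from [Link] (25-vcan98.network); both must end up at 16.`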
@@ -0,0 +1,42 @@
+From e1e83c13c7ce03b738cbe919ac7f2cee582eba59 Mon Sep 17 00:00:00 2001
+From: Yu Watanabe
+Date: Sat, 13 Apr 2024 09:02:01 +0900
+Subject: [PATCH 0532/1160] test-network: add test for stack overflow in
+ qdisc_drop() and tclass_drop()
+
+(cherry picked from commit e6fa91195bbe225e89d31338542455a6af10fb89)
+---
+ test/test-network/systemd-networkd-tests.py | 17 +++++++++++++++++
+ 1 file changed, 17 insertions(+)
+
+diff --git a/test/test-network/systemd-networkd-tests.py b/test/test-network/systemd-networkd-tests.py
+index 4410c60d66..df49d65c42 100755
+--- a/test/test-network/systemd-networkd-tests.py
++++ b/test/test-network/systemd-networkd-tests.py
+@@ -4222,6 +4222,23 @@ class NetworkdTCTests(unittest.TestCase, Utilities):
+ print(output)
+ self.assertRegex(output, 'qdisc teql1 31: root')
+
++ @expectedFailureIfModuleIsNotAvailable('sch_fq', 'sch_sfq', 'sch_tbf')
++ def test_qdisc_drop(self):
++ copy_network_unit('12-dummy.netdev', '12-dummy.network')
++ start_networkd()
++ self.wait_online(['dummy98:routable'])
++
++ # Test case for issue #32247 and #32254.
++ for _ in range(20):
++ check_output('tc qdisc replace dev dummy98 root fq')
++ self.assertFalse(networkd_is_failed())
++ check_output('tc qdisc replace dev dummy98 root fq pacing')
++ self.assertFalse(networkd_is_failed())
++ check_output('tc qdisc replace dev dummy98 handle 10: root tbf rate 0.5mbit burst 5kb latency 70ms peakrate 1mbit minburst 1540')
++ self.assertFalse(networkd_is_failed())
++ check_output('tc qdisc add dev dummy98 parent 10:1 handle 100: sfq')
++ self.assertFalse(networkd_is_failed())
++
+ class NetworkdStateFileTests(unittest.TestCase, Utilities):
+
+ def setUp(self):
+--
+2.33.0
+
diff --git a/backport-test-network-also-set-custom-altternative-name-for-n.patch b/backport-test-network-also-set-custom-altternative-name-for-n.patch
new file mode 100644
index 0000000..4379258
--- /dev/null
+++ b/backport-test-network-also-set-custom-altternative-name-for-n.patch
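Review bot: Each `self.assertFalse(networkd_is_failed())` in `test_qdisc_drop` runs as soon as the `tc` command returns, but networkd presumably processes the resulting netlink notification asynchronously, so a crash triggered by the last iteration can occur after the final check and the test would still pass. A closing `time.sleep(1)` followed by one more `self.assertFalse(networkd_is_failed())` after the loop would close that window. The helper `networkd_is_failed()` is introduced by a separate backport in this series (the do-not-call-networkctl patch), so this patch only works if that one is applied first; it is worth stating in the patch description.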
@@ -0,0 +1,165 @@ +From 221b2783ba305f4e7c7c8ea8b32cbd2106499c65 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Mon, 20 May 2024 09:53:26 +0900 +Subject: [PATCH 0658/1160] test-network: also set custom altternative name for + netdevsim interface + +Due to the bug in kernel 6.9 caused by +https://github.com/torvalds/linux/commit/8debcf5832c3e8a6baaea27c75ad8a6ba5077beb, +the net_id udev builtin does not work for netdevsim interface. +So, eni99np1 cannot be used with kernel 6.9 anymore. + +Workaround for #32910. + +(cherry picked from commit f1f1be71feacb3b5d2fb89e2f6421c23b9320fbd) +--- + test/test-network/conf/25-netdevsim.link | 11 +++++++++ + test/test-network/conf/25-sriov-udev.network | 2 +- + test/test-network/conf/25-sriov.link | 3 +++ + test/test-network/conf/25-sriov.network | 2 +- + test/test-network/systemd-networkd-tests.py | 24 ++++++++++---------- + 5 files changed, 28 insertions(+), 14 deletions(-) + create mode 100644 test/test-network/conf/25-netdevsim.link + +diff --git a/test/test-network/conf/25-netdevsim.link b/test/test-network/conf/25-netdevsim.link +new file mode 100644 +index 0000000000..f8beb55cd3 +--- /dev/null ++++ b/test/test-network/conf/25-netdevsim.link +@@ -0,0 +1,11 @@ ++# SPDX-License-Identifier: LGPL-2.1-or-later ++[Match] ++Driver=netdevsim ++ ++[Link] ++NamePolicy=keep kernel database onboard slot path ++AlternativeNamesPolicy=database onboard slot path mac ++# Also set a fixed name. 
Workaround for bug in kernel 6.9: ++# https://github.com/torvalds/linux/commit/8debcf5832c3e8a6baaea27c75ad8a6ba5077beb ++AlternativeName=sim99 ++MACAddressPolicy=persistent +diff --git a/test/test-network/conf/25-sriov-udev.network b/test/test-network/conf/25-sriov-udev.network +index e9141310b7..308f5a0e76 100644 +--- a/test/test-network/conf/25-sriov-udev.network ++++ b/test/test-network/conf/25-sriov-udev.network +@@ -1,6 +1,6 @@ + # SPDX-License-Identifier: LGPL-2.1-or-later + [Match] +-Name=eni99np1 ++Name=sim99 + + [Network] + Address=192.168.100.100/24 +diff --git a/test/test-network/conf/25-sriov.link b/test/test-network/conf/25-sriov.link +index cc19561306..8f6e377868 100644 +--- a/test/test-network/conf/25-sriov.link ++++ b/test/test-network/conf/25-sriov.link +@@ -5,6 +5,9 @@ Driver=netdevsim + [Link] + NamePolicy=keep kernel database onboard slot path + AlternativeNamesPolicy=database onboard slot path mac ++# Also set a fixed name. Workaround for bug in kernel 6.9: ++# https://github.com/torvalds/linux/commit/8debcf5832c3e8a6baaea27c75ad8a6ba5077beb ++AlternativeName=sim99 + MACAddressPolicy=persistent + + [SR-IOV] +diff --git a/test/test-network/conf/25-sriov.network b/test/test-network/conf/25-sriov.network +index d87615e444..46573d92ef 100644 +--- a/test/test-network/conf/25-sriov.network ++++ b/test/test-network/conf/25-sriov.network +@@ -1,6 +1,6 @@ + # SPDX-License-Identifier: LGPL-2.1-or-later + [Match] +-Name=eni99np1 ++Name=sim99 + + [Network] + Address=192.168.100.100/24 +diff --git a/test/test-network/systemd-networkd-tests.py b/test/test-network/systemd-networkd-tests.py +index adf3664acb..e7462ea5e9 100755 +--- a/test/test-network/systemd-networkd-tests.py ++++ b/test/test-network/systemd-networkd-tests.py +@@ -443,7 +443,7 @@ def link_exists(link): + return call_quiet(f'ip link show {link}') == 0 + + def link_resolve(link): +- return check_output(f'ip link show {link}').split(':')[1].strip() ++ return check_output(f'ip link show 
{link}').split(':')[1].strip().split('@')[0] + + def remove_link(*links, protect=False): + for link in links: +@@ -4791,14 +4791,14 @@ class NetworkdSRIOVTests(unittest.TestCase, Utilities): + + @expectedFailureIfNetdevsimWithSRIOVIsNotAvailable() + def test_sriov(self): +- copy_network_unit('25-default.link', '25-sriov.network') ++ copy_network_unit('25-netdevsim.link', '25-sriov.network') + + self.setup_netdevsim(num_vfs=3) + + start_networkd() +- self.wait_online(['eni99np1:routable']) ++ self.wait_online(['sim99:routable']) + +- output = check_output('ip link show dev eni99np1') ++ output = check_output('ip link show dev sim99') + print(output) + self.assertRegex(output, + 'vf 0 .*00:11:22:33:44:55.*vlan 5, qos 1, vlan protocol 802.1ad, spoof checking on, link-state enable, trust on, query_rss on\n *' +@@ -4813,12 +4813,12 @@ class NetworkdSRIOVTests(unittest.TestCase, Utilities): + self.setup_netdevsim() + + start_networkd() +- self.wait_online(['eni99np1:routable']) ++ self.wait_online(['sim99:routable']) + +- # the name eni99np1 may be an alternative name. +- ifname = link_resolve('eni99np1') ++ # The name sim99 is an alternative name, and cannot be used by udevadm below. 
++ ifname = link_resolve('sim99') + +- output = check_output('ip link show dev eni99np1') ++ output = check_output('ip link show dev sim99') + print(output) + self.assertRegex(output, + 'vf 0 .*00:11:22:33:44:55.*vlan 5, qos 1, vlan protocol 802.1ad, spoof checking on, link-state enable, trust on, query_rss on\n *' +@@ -4834,7 +4834,7 @@ class NetworkdSRIOVTests(unittest.TestCase, Utilities): + udev_reload() + check_output(*udevadm_cmd, 'trigger', '--action=add', '--settle', f'/sys/devices/netdevsim99/net/{ifname}') + +- output = check_output('ip link show dev eni99np1') ++ output = check_output('ip link show dev sim99') + print(output) + self.assertRegex(output, + 'vf 0 .*00:11:22:33:44:55.*vlan 5, qos 1, vlan protocol 802.1ad, spoof checking on, link-state enable, trust on, query_rss on\n *' +@@ -4850,7 +4850,7 @@ class NetworkdSRIOVTests(unittest.TestCase, Utilities): + udev_reload() + check_output(*udevadm_cmd, 'trigger', '--action=add', '--settle', f'/sys/devices/netdevsim99/net/{ifname}') + +- output = check_output('ip link show dev eni99np1') ++ output = check_output('ip link show dev sim99') + print(output) + self.assertRegex(output, + 'vf 0 .*00:11:22:33:44:55.*vlan 5, qos 1, vlan protocol 802.1ad, spoof checking on, link-state enable, trust on, query_rss on\n *' +@@ -4866,7 +4866,7 @@ class NetworkdSRIOVTests(unittest.TestCase, Utilities): + udev_reload() + check_output(*udevadm_cmd, 'trigger', '--action=add', '--settle', f'/sys/devices/netdevsim99/net/{ifname}') + +- output = check_output('ip link show dev eni99np1') ++ output = check_output('ip link show dev sim99') + print(output) + self.assertRegex(output, + 'vf 0 .*00:11:22:33:44:55.*vlan 5, qos 1, vlan protocol 802.1ad, spoof checking on, link-state enable, trust on, query_rss on\n *' +@@ -4882,7 +4882,7 @@ class NetworkdSRIOVTests(unittest.TestCase, Utilities): + udev_reload() + check_output(*udevadm_cmd, 'trigger', '--action=add', '--settle', f'/sys/devices/netdevsim99/net/{ifname}') + +- output = 
check_output('ip link show dev eni99np1') ++ output = check_output('ip link show dev sim99') + print(output) + self.assertRegex(output, + 'vf 0 .*00:11:22:33:44:55.*vlan 5, qos 1, vlan protocol 802.1ad, spoof checking on, link-state enable, trust on, query_rss on\n *' +-- +2.33.0 + diff --git a/backport-test-network-check-existence-of-kernel-bug.patch b/backport-test-network-check-existence-of-kernel-bug.patch new file mode 100644 index 0000000..d93b459 --- /dev/null +++ b/backport-test-network-check-existence-of-kernel-bug.patch 
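Review bot: The new `.split('@')[0]` in `link_resolve` is undocumented, and it changes the result for every caller of the helper, not only the SR-IOV tests. A one-line comment should explain it: `# 'ip link show' prints 'N: name@peer: ...' for interfaces with a link partner; keep only the name before '@'.` As a point of style, the kernel-6.9 workaround comment and `AlternativeName=sim99` now appear verbatim in both `25-netdevsim.link` and `25-sriov.link`; a short cross-reference in one of them would make it clear that both must stay in sync when the workaround is eventually dropped.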
@@ -0,0 +1,61 @@
+From 55d73421ec6284aa4875a36d40fd43e64b58422f Mon Sep 17 00:00:00 2001
+From: Yu Watanabe
+Date: Fri, 10 May 2024 20:38:06 +0900
+Subject: [PATCH 0624/1160] test-network: check existence of kernel bug
+
+This adds checks for the kernel bug caused by
+https://github.com/torvalds/linux/commit/3ddc2231c8108302a8229d3c5849ee792a63230d,
+it will be fixed by
+https://patchwork.kernel.org/project/netdevbpf/patch/20240510072932.2678952-1-edumazet@google.com/
+
+(cherry picked from commit d22f2fb912da492a905f30fef84d1a23fdff3e55)
+---
+ test/test-network/systemd-networkd-tests.py | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+diff --git a/test/test-network/systemd-networkd-tests.py b/test/test-network/systemd-networkd-tests.py
+index 572f44d948..01f5f7d177 100755
+--- a/test/test-network/systemd-networkd-tests.py
++++ b/test/test-network/systemd-networkd-tests.py
+@@ -249,6 +249,22 @@ def expectedFailureIfNetdevsimWithSRIOVIsNotAvailable():
+
+ return f
+
++def expectedFailureIfKernelReturnsInvalidFlags():
++ '''
++ This checks the kernel bug caused by 3ddc2231c8108302a8229d3c5849ee792a63230d.
++ It will be fixed by the following patch:
++ https://patchwork.kernel.org/project/netdevbpf/patch/20240510072932.2678952-1-edumazet@google.com/
++ '''
++ def f(func):
++ call_quiet('ip link add dummy98 type dummy')
++ call_quiet('ip link set up dev dummy98')
++ call_quiet('ip address add 192.0.2.1/24 dev dummy98 noprefixroute')
++ output = check_output('ip address show dev dummy98')
++ remove_link('dummy98')
++ return func if 'noprefixroute' in output else unittest.expectedFailure(func)
++
++ return f
++
+ # pylint: disable=C0415
+ def compare_kernel_version(min_kernel_version):
+ try:
+@@ -2589,6 +2605,7 @@ class NetworkdNetworkTests(unittest.TestCase, Utilities):
+
+ check_json(networkctl_json())
+
++ @expectedFailureIfKernelReturnsInvalidFlags()
+ def test_address_static(self):
+ copy_network_unit('25-address-static.network', '12-dummy.netdev', copy_dropins=False)
+ self.setup_nftset('addr4', 'ipv4_addr')
+@@ -5432,6 +5449,7 @@ class NetworkdDHCPClientTests(unittest.TestCase, Utilities):
+ self.assertIn('DHCPREPLY(veth-peer)', output)
+ self.assertIn('sent size: 0 option: 14 rapid-commit', output)
+
++ @expectedFailureIfKernelReturnsInvalidFlags()
+ def test_dhcp_client_ipv4_only(self):
+ copy_network_unit('25-veth.netdev', '25-dhcp-server-veth-peer.network', '25-dhcp-client-ipv4-only.network')
+
+--
+2.33.0
+
diff --git a/backport-test-network-do-not-call-networkctl-if-networkd-is-i.patch b/backport-test-network-do-not-call-networkctl-if-networkd-is-i.patch
new file mode 100644
index 0000000..299c2a0
--- /dev/null
+++ b/backport-test-network-do-not-call-networkctl-if-networkd-is-i.patch
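Review bot: In `expectedFailureIfKernelReturnsInvalidFlags`, `remove_link('dummy98')` is skipped if `check_output('ip address show dev dummy98')` raises, so a dummy98 created by the probe would survive into the test run, where `12-dummy.netdev` creates an interface of the same name; wrapping the `check_output` call in `try:` with `finally: remove_link('dummy98')` keeps the probe side-effect free. The probe also ignores the return codes of the three `call_quiet` calls, so on a host where the dummy device cannot be created the decorator presumably raises at import time instead of marking the test as expected-failure. The docstring would be more useful if it named what is actually probed, e.g. that the kernel is expected to echo the `noprefixroute` flag back in `ip address show`.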
@@ -0,0 +1,62 @@ +From 9a945df65f234f39683d64bbf08c9546cd8078cf Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Sat, 6 Jan 2024 12:42:02 +0900 +Subject: [PATCH 0531/1160] test-network: do not call networkctl if networkd is + in failed state + +Otherwise, networkd may be restarted by DBus and we may get wrong +results. + +(cherry picked from commit 6b07675d819fccd1790d7dee43419ce6a75bad3d) +--- + test/test-network/systemd-networkd-tests.py | 20 +++++++++++++++----- + 1 file changed, 15 insertions(+), 5 deletions(-) + +diff --git a/test/test-network/systemd-networkd-tests.py b/test/test-network/systemd-networkd-tests.py +index 6a57e9b9a5..4410c60d66 100755 +--- a/test/test-network/systemd-networkd-tests.py ++++ b/test/test-network/systemd-networkd-tests.py +@@ -712,6 +712,9 @@ def read_networkd_log(invocation_id=None, since=None): + check_output('journalctl --sync') + return check_output(*command) + ++def networkd_is_failed(): ++ return call_quiet('systemctl is-failed -q systemd-networkd.service') != 1 ++ + def stop_networkd(show_logs=True): + if show_logs: + invocation_id = networkd_invocation_id() +@@ -734,6 +737,9 @@ def networkd_pid(): + return int(check_output('systemctl show --value -p MainPID systemd-networkd.service')) + + def networkctl(*args): ++ # Do not call networkctl if networkd is in failed state. ++ # Otherwise, networkd may be restarted and we may get wrong results. ++ assert not networkd_is_failed() + return check_output(*(networkctl_cmd + list(args)), env=env) + + def networkctl_status(*args): +@@ -986,11 +992,15 @@ class Utilities(): + try: + check_output(*args, env=wait_online_env) + except subprocess.CalledProcessError: +- # show detailed status on failure +- for link in links_with_operstate: +- name = link.split(':')[0] +- if link_exists(name): +- networkctl_status(name) ++ if networkd_is_failed(): ++ print('!!!!! 
systemd-networkd.service is failed !!!!!') ++ call('systemctl status systemd-networkd.service') ++ else: ++ # show detailed status on failure ++ for link in links_with_operstate: ++ name = link.split(':')[0] ++ if link_exists(name): ++ networkctl_status(name) + raise + if not bool_any and setup_state: + for link in links_with_operstate: +-- +2.33.0 + diff --git a/backport-test-network-do-not-fail-if-macvlan-module-is-not-av.patch b/backport-test-network-do-not-fail-if-macvlan-module-is-not-av.patch new file mode 100644 index 0000000..d71e4fc --- /dev/null +++ b/backport-test-network-do-not-fail-if-macvlan-module-is-not-av.patch @@ -0,0 +1,26 @@ +From 1f3313d0d63d945528bb99229901d23d197f400c Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Fri, 10 May 2024 14:33:38 +0900 +Subject: [PATCH 0621/1160] test-network: do not fail if macvlan module is not + available + +(cherry picked from commit e97bb361a097fcae4d53f2ef20a958415a72853a) +--- + test/test-network/systemd-networkd-tests.py | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/test/test-network/systemd-networkd-tests.py b/test/test-network/systemd-networkd-tests.py +index a871d1989b..1db49bf1bc 100755 +--- a/test/test-network/systemd-networkd-tests.py ++++ b/test/test-network/systemd-networkd-tests.py +@@ -1548,6 +1548,7 @@ class NetworkdNetDevTests(unittest.TestCase, Utilities): + print(output) + self.assertRegex(output, 'macvtap mode ' + mode + ' ') + ++ @expectedFailureIfModuleIsNotAvailable('macvlan') + def test_macvlan(self): + first = True + for mode in ['private', 'vepa', 'bridge', 'passthru']: +-- +2.33.0 + diff --git a/backport-test-network-do-not-fail-when-etc-protocols-does-not.patch b/backport-test-network-do-not-fail-when-etc-protocols-does-not.patch new file mode 100644 index 0000000..0613296 --- /dev/null +++ b/backport-test-network-do-not-fail-when-etc-protocols-does-not.patch 
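Review bot: `networkd_is_failed()` returns `call_quiet('systemctl is-failed -q systemd-networkd.service') != 1`, which reports "failed" for every exit status other than 1, e.g. when systemctl itself cannot reach the manager, rather than only for status 0; `== 0` states the intent directly, since `systemctl is-failed` exits 0 exactly when the unit is in the failed state. The guard added to `networkctl()` is a bare `assert`, which is compiled out under `python -O`; `if networkd_is_failed(): raise RuntimeError('systemd-networkd.service is in failed state')` keeps the check active regardless of interpreter flags. The `wait_online` hunk's enclosing method starts and ends outside the hunk.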
@@ -0,0 +1,83 @@ +From 6ad7d1983759c2a3f344e92e49f2f28d41c3470d Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Fri, 10 May 2024 15:15:22 +0900 +Subject: [PATCH 0622/1160] test-network: do not fail when /etc/protocols does + not exist + +Also this makes several checks more strict. + +(cherry picked from commit 24e37929edc10930a1cd8f2c2b384ac61e3190ed) +--- + test/test-network/systemd-networkd-tests.py | 35 +++++++++++---------- + 1 file changed, 19 insertions(+), 16 deletions(-) + +diff --git a/test/test-network/systemd-networkd-tests.py b/test/test-network/systemd-networkd-tests.py +index 1db49bf1bc..b9e0de8c3c 100755 +--- a/test/test-network/systemd-networkd-tests.py ++++ b/test/test-network/systemd-networkd-tests.py +@@ -180,8 +180,10 @@ def expectedFailureIfRoutingPolicyPortRangeIsNotAvailable(): + + def expectedFailureIfRoutingPolicyIPProtoIsNotAvailable(): + def f(func): +- rc = call_quiet('ip rule add not from 192.168.100.19 ipproto tcp table 7') +- call_quiet('ip rule del not from 192.168.100.19 ipproto tcp table 7') ++ # IP protocol name is parsed by getprotobyname(), and it requires /etc/protocols. ++ # Hence. here we use explicit number: 6 == tcp. 
++ rc = call_quiet('ip rule add not from 192.168.100.19 ipproto 6 table 7') ++ call_quiet('ip rule del not from 192.168.100.19 ipproto 6 table 7') + return func if rc == 0 else unittest.expectedFailure(func) + + return f +@@ -3052,12 +3054,12 @@ class NetworkdNetworkTests(unittest.TestCase, Utilities): + + output = check_output('ip rule') + print(output) +- self.assertRegex(output, '111') +- self.assertRegex(output, 'from 192.168.100.18') +- self.assertRegex(output, '1123-1150') +- self.assertRegex(output, '3224-3290') +- self.assertRegex(output, 'tcp') +- self.assertRegex(output, 'lookup 7') ++ self.assertIn('111:', output) ++ self.assertIn('from 192.168.100.18 ', output) ++ self.assertIn('sport 1123-1150 ', output) ++ self.assertIn('dport 3224-3290 ', output) ++ self.assertRegex(output, 'ipproto (tcp|ipproto-6) ') ++ self.assertIn('lookup 7 ', output) + + @expectedFailureIfRoutingPolicyIPProtoIsNotAvailable() + def test_routing_policy_rule_invert(self): +@@ -3067,10 +3069,11 @@ class NetworkdNetworkTests(unittest.TestCase, Utilities): + + output = check_output('ip rule') + print(output) +- self.assertRegex(output, '111') +- self.assertRegex(output, 'not.*?from.*?192.168.100.18') +- self.assertRegex(output, 'tcp') +- self.assertRegex(output, 'lookup 7') ++ self.assertIn('111:', output) ++ self.assertIn('not ', output) ++ self.assertIn('from 192.168.100.18 ', output) ++ self.assertRegex(output, 'ipproto (tcp|ipproto-6) ') ++ self.assertIn('lookup 7 ', output) + + @expectedFailureIfRoutingPolicyUIDRangeIsNotAvailable() + def test_routing_policy_rule_uidrange(self): +@@ -3080,10 +3083,10 @@ class NetworkdNetworkTests(unittest.TestCase, Utilities): + + output = check_output('ip rule') + print(output) +- self.assertRegex(output, '111') +- self.assertRegex(output, 'from 192.168.100.18') +- self.assertRegex(output, 'lookup 7') +- self.assertRegex(output, 'uidrange 100-200') ++ self.assertIn('111:', output) ++ self.assertIn('from 192.168.100.18 ', output) ++ 
self.assertIn('lookup 7 ', output) ++ self.assertIn('uidrange 100-200 ', output) + + def _test_route_static(self, manage_foreign_routes): + if not manage_foreign_routes: +-- +2.33.0 + diff --git a/backport-test-network-fix-racy-test-for-address_static.patch b/backport-test-network-fix-racy-test-for-address_static.patch new file mode 100644 index 0000000..39c135e --- /dev/null +++ b/backport-test-network-fix-racy-test-for-address_static.patch @@ -0,0 +1,34 @@ +From 349d1762c5e11f2772ef0b74bd3958b8760939f2 Mon Sep 17 00:00:00 2001 +From: Topi Miettinen +Date: Sun, 17 Dec 2023 17:56:02 +0200 +Subject: [PATCH 0191/1160] test-network: fix racy test for address_static + +NFT sets must be installed before starting networkd, otherwise some sets may be +installed too late. + +Closes #30427 + +(cherry picked from commit 1ce2ffac6ca05bbeae0a4692a9a873c92be00a35) +--- + test/test-network/systemd-networkd-tests.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/test/test-network/systemd-networkd-tests.py b/test/test-network/systemd-networkd-tests.py +index ab1bbf5fe4..fd52372c08 100755 +--- a/test/test-network/systemd-networkd-tests.py ++++ b/test/test-network/systemd-networkd-tests.py +@@ -2560,10 +2560,10 @@ class NetworkdNetworkTests(unittest.TestCase, Utilities): + + def test_address_static(self): + copy_network_unit('25-address-static.network', '12-dummy.netdev', copy_dropins=False) +- start_networkd() + self.setup_nftset('addr4', 'ipv4_addr') + self.setup_nftset('network4', 'ipv4_addr', 'flags interval;') + self.setup_nftset('ifindex', 'iface_index') ++ start_networkd() + + self.wait_online(['dummy98:routable']) + +-- +2.33.0 + diff --git a/backport-test-network-introduce-networkctl-and-friends.patch b/backport-test-network-introduce-networkctl-and-friends.patch new file mode 100644 index 0000000..002e34c --- /dev/null +++ b/backport-test-network-introduce-networkctl-and-friends.patch 
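Review bot: The comment added to `expectedFailureIfRoutingPolicyIPProtoIsNotAvailable` has a typo, `Hence. here we use explicit number: 6 == tcp.` should read `Hence, here we use the explicit number: 6 == tcp.`. The `ipproto (tcp|ipproto-6) ` regex used three times in the test hunks is unexplained; a comment on its first use, `# 'ip rule' prints the protocol name from /etc/protocols, or 'ipproto-6' when that file is missing.`, would tell the reader why both spellings are accepted (the alternative form is presumably what iproute2 prints without /etc/protocols).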
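Review bot: The reordering in `test_address_static` carries no in-code explanation, so the next maintainer could move `start_networkd()` back up without knowing why it was moved; the reason from the commit message belongs next to the call: `# NFT sets must exist before networkd starts, otherwise they may be installed too late (#30427).`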
@@ -0,0 +1,824 @@ +From c495af37563df0143ec1606e2b6c90dc9f00bfcb Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Sat, 6 Jan 2024 12:33:09 +0900 +Subject: [PATCH 0530/1160] test-network: introduce networkctl() and friends + +(cherry picked from commit 10d670a3c1c4b06782a76fc50e70a4719f7bb7ed) +--- + test/test-network/systemd-networkd-tests.py | 240 ++++++++++---------- + 1 file changed, 117 insertions(+), 123 deletions(-) + +diff --git a/test/test-network/systemd-networkd-tests.py b/test/test-network/systemd-networkd-tests.py +index 51cb0bc4bf..6a57e9b9a5 100755 +--- a/test/test-network/systemd-networkd-tests.py ++++ b/test/test-network/systemd-networkd-tests.py +@@ -733,16 +733,31 @@ def restart_networkd(show_logs=True): + def networkd_pid(): + return int(check_output('systemctl show --value -p MainPID systemd-networkd.service')) + ++def networkctl(*args): ++ return check_output(*(networkctl_cmd + list(args)), env=env) ++ ++def networkctl_status(*args): ++ return networkctl('-n', '0', 'status', *args) ++ ++def networkctl_json(*args): ++ return networkctl('--json=short', 'status', *args) ++ + def networkctl_reconfigure(*links): +- check_output(*networkctl_cmd, 'reconfigure', *links, env=env) ++ networkctl('reconfigure', *links) + + def networkctl_reload(sleep_time=1): +- check_output(*networkctl_cmd, 'reload', env=env) ++ networkctl('reload') + # 'networkctl reload' asynchronously reconfigure links. + # Hence, we need to wait for a short time for link to be in configuring state. 
+ if sleep_time > 0: + time.sleep(sleep_time) + ++def resolvectl(*args): ++ return check_output(*(resolvectl_cmd + list(args)), env=env) ++ ++def timedatectl(*args): ++ return check_output(*(timedatectl_cmd + list(args)), env=env) ++ + def setup_common(): + print() + +@@ -930,7 +945,7 @@ class Utilities(): + time.sleep(1) + if not link_exists(link): + continue +- output = check_output(*networkctl_cmd, '-n', '0', 'status', link, env=env) ++ output = networkctl_status(link) + if re.search(rf'(?m)^\s*State:\s+{operstate}\s+\({setup_state}\)\s*$', output): + return True + +@@ -975,7 +990,7 @@ class Utilities(): + for link in links_with_operstate: + name = link.split(':')[0] + if link_exists(name): +- call(*networkctl_cmd, '-n', '0', 'status', name, env=env) ++ networkctl_status(name) + raise + if not bool_any and setup_state: + for link in links_with_operstate: +@@ -1068,7 +1083,7 @@ class NetworkctlTests(unittest.TestCase, Utilities): + start_networkd() + self.wait_online(['dummy98:degraded']) + +- output = check_output(*networkctl_cmd, '-n', '0', 'status', 'dummy98', env=env) ++ output = networkctl_status('dummy98') + self.assertRegex(output, 'hogehogehogehogehogehoge') + + @expectedFailureIfAlternativeNameIsNotAvailable() +@@ -1078,7 +1093,7 @@ class NetworkctlTests(unittest.TestCase, Utilities): + start_networkd() + self.wait_online(['dummyalt:degraded']) + +- output = check_output(*networkctl_cmd, '-n', '0', 'status', 'dummyalt', env=env) ++ output = networkctl_status('dummyalt') + self.assertIn('hogehogehogehogehogehoge', output) + self.assertNotIn('dummy98', output) + +@@ -1130,7 +1145,7 @@ class NetworkctlTests(unittest.TestCase, Utilities): + def test_renew(self): + def check(): + self.wait_online(['veth99:routable', 'veth-peer:routable']) +- output = check_output(*networkctl_cmd, '-n', '0', 'status', 'veth99', env=env) ++ output = networkctl_status('veth99') + print(output) + self.assertRegex(output, r'Address: 192.168.5.[0-9]* \(DHCP4 via 192.168.5.1\)') + 
self.assertIn('Gateway: 192.168.5.3', output) +@@ -1140,13 +1155,12 @@ class NetworkctlTests(unittest.TestCase, Utilities): + copy_network_unit('25-veth.netdev', '25-dhcp-client.network', '25-dhcp-server.network') + start_networkd() + check() +- output = check_output(*networkctl_cmd, '--lines=0', '--stats', '--all', '--full', '--json=short', 'status') +- check_json(output) ++ check_json(networkctl_json('--lines=0', '--stats', '--all', '--full')) + + for verb in ['renew', 'forcerenew']: +- call_check(*networkctl_cmd, verb, 'veth99') ++ networkctl(verb, 'veth99') + check() +- call_check(*networkctl_cmd, verb, 'veth99', 'veth99', 'veth99') ++ networkctl(verb, 'veth99', 'veth99', 'veth99') + check() + + def test_up_down(self): +@@ -1154,13 +1168,13 @@ class NetworkctlTests(unittest.TestCase, Utilities): + start_networkd() + self.wait_online(['dummy98:routable']) + +- call_check(*networkctl_cmd, 'down', 'dummy98') ++ networkctl('down', 'dummy98') + self.wait_online(['dummy98:off']) +- call_check(*networkctl_cmd, 'up', 'dummy98') ++ networkctl('up', 'dummy98') + self.wait_online(['dummy98:routable']) +- call_check(*networkctl_cmd, 'down', 'dummy98', 'dummy98', 'dummy98') ++ networkctl('down', 'dummy98', 'dummy98', 'dummy98') + self.wait_online(['dummy98:off']) +- call_check(*networkctl_cmd, 'up', 'dummy98', 'dummy98', 'dummy98') ++ networkctl('up', 'dummy98', 'dummy98', 'dummy98') + self.wait_online(['dummy98:routable']) + + def test_reload(self): +@@ -1192,23 +1206,23 @@ class NetworkctlTests(unittest.TestCase, Utilities): + + self.wait_online(['test1:degraded']) + +- output = check_output(*networkctl_cmd, 'list', env=env) ++ output = networkctl('list') + self.assertRegex(output, '1 lo ') + self.assertRegex(output, 'test1') + +- output = check_output(*networkctl_cmd, 'list', 'test1', env=env) ++ output = networkctl('list', 'test1') + self.assertNotRegex(output, '1 lo ') + self.assertRegex(output, 'test1') + +- output = check_output(*networkctl_cmd, 'list', 'te*', 
env=env) ++ output = networkctl('list', 'te*') + self.assertNotRegex(output, '1 lo ') + self.assertRegex(output, 'test1') + +- output = check_output(*networkctl_cmd, '-n', '0', 'status', 'te*', env=env) ++ output = networkctl_status('te*') + self.assertNotRegex(output, '1: lo ') + self.assertRegex(output, 'test1') + +- output = check_output(*networkctl_cmd, '-n', '0', 'status', 'tes[a-z][0-9]', env=env) ++ output = networkctl_status('tes[a-z][0-9]') + self.assertNotRegex(output, '1: lo ') + self.assertRegex(output, 'test1') + +@@ -1218,7 +1232,7 @@ class NetworkctlTests(unittest.TestCase, Utilities): + + self.wait_online(['test1:degraded']) + +- output = check_output(*networkctl_cmd, '-n', '0', 'status', 'test1', env=env) ++ output = networkctl_status('test1') + self.assertRegex(output, 'MTU: 1600') + + def test_type(self): +@@ -1226,11 +1240,11 @@ class NetworkctlTests(unittest.TestCase, Utilities): + start_networkd() + self.wait_online(['test1:degraded']) + +- output = check_output(*networkctl_cmd, '-n', '0', 'status', 'test1', env=env) ++ output = networkctl_status('test1') + print(output) + self.assertRegex(output, 'Type: ether') + +- output = check_output(*networkctl_cmd, '-n', '0', 'status', 'lo', env=env) ++ output = networkctl_status('lo') + print(output) + self.assertRegex(output, 'Type: loopback') + +@@ -1239,7 +1253,7 @@ class NetworkctlTests(unittest.TestCase, Utilities): + start_networkd() + self.wait_online(['test1:degraded']) + +- output = check_output(*networkctl_cmd, '-n', '0', 'status', 'test1', env=env) ++ output = networkctl_status('test1') + print(output) + self.assertRegex(output, r'Link File: /run/systemd/network/25-default.link') + self.assertRegex(output, r'Network File: /run/systemd/network/11-dummy.network') +@@ -1248,7 +1262,7 @@ class NetworkctlTests(unittest.TestCase, Utilities): + # In that case, the udev DB for the loopback network interface may already have ID_NET_LINK_FILE property. 
+ # Let's reprocess the interface and drop the property. + check_output(*udevadm_cmd, 'trigger', '--settle', '--action=add', '/sys/class/net/lo') +- output = check_output(*networkctl_cmd, '-n', '0', 'status', 'lo', env=env) ++ output = networkctl_status('lo') + print(output) + self.assertRegex(output, r'Link File: n/a') + self.assertRegex(output, r'Network File: n/a') +@@ -1260,13 +1274,13 @@ class NetworkctlTests(unittest.TestCase, Utilities): + + self.wait_online(['test1:degraded', 'veth99:degraded', 'veth-peer:degraded']) + +- check_output(*networkctl_cmd, 'delete', 'test1', 'veth99', env=env) ++ networkctl('delete', 'test1', 'veth99') + self.check_link_exists('test1', expected=False) + self.check_link_exists('veth99', expected=False) + self.check_link_exists('veth-peer', expected=False) + + def test_label(self): +- call_check(*networkctl_cmd, 'label') ++ networkctl('label') + + class NetworkdMatchTests(unittest.TestCase, Utilities): + +@@ -1287,7 +1301,7 @@ class NetworkdMatchTests(unittest.TestCase, Utilities): + start_networkd() + + self.wait_online(['dummy98:routable']) +- output = check_output(*networkctl_cmd, '-n', '0', 'status', 'dummy98', env=env) ++ output = networkctl_status('dummy98') + self.assertIn('Network File: /run/systemd/network/12-dummy-match-mac-01.network', output) + output = check_output('ip -4 address show dev dummy98') + self.assertIn('10.0.0.1/16', output) +@@ -1297,7 +1311,7 @@ class NetworkdMatchTests(unittest.TestCase, Utilities): + + self.wait_address('dummy98', '10.0.0.2/16', ipv='-4', timeout_sec=10) + self.wait_online(['dummy98:routable']) +- output = check_output(*networkctl_cmd, '-n', '0', 'status', 'dummy98', env=env) ++ output = networkctl_status('dummy98') + self.assertIn('Network File: /run/systemd/network/12-dummy-match-mac-02.network', output) + + check_output('ip link set dev dummy98 down') +@@ -1305,7 +1319,7 @@ class NetworkdMatchTests(unittest.TestCase, Utilities): + + self.wait_address('dummy98-1', '10.0.1.2/16', 
ipv='-4', timeout_sec=10) + self.wait_online(['dummy98-1:routable']) +- output = check_output(*networkctl_cmd, '-n', '0', 'status', 'dummy98-1', env=env) ++ output = networkctl_status('dummy98-1') + self.assertIn('Network File: /run/systemd/network/12-dummy-match-renamed.network', output) + + check_output('ip link set dev dummy98-1 down') +@@ -1314,7 +1328,7 @@ class NetworkdMatchTests(unittest.TestCase, Utilities): + + self.wait_address('dummy98-2', '10.0.2.2/16', ipv='-4', timeout_sec=10) + self.wait_online(['dummy98-2:routable']) +- output = check_output(*networkctl_cmd, '-n', '0', 'status', 'dummy98-2', env=env) ++ output = networkctl_status('dummy98-2') + self.assertIn('Network File: /run/systemd/network/12-dummy-match-altname.network', output) + + def test_match_udev_property(self): +@@ -1322,7 +1336,7 @@ class NetworkdMatchTests(unittest.TestCase, Utilities): + start_networkd() + self.wait_online(['dummy98:routable']) + +- output = check_output(*networkctl_cmd, '-n', '0', 'status', 'dummy98', env=env) ++ output = networkctl_status('dummy98') + print(output) + self.assertRegex(output, 'Network File: /run/systemd/network/14-match-udev-property') + +@@ -1401,7 +1415,7 @@ class NetworkdNetDevTests(unittest.TestCase, Utilities): + self.assertEqual(1, int(read_link_attr('bridge99', 'bridge', 'stp_state'))) + self.assertEqual(3, int(read_link_attr('bridge99', 'bridge', 'multicast_igmp_version'))) + +- output = check_output(*networkctl_cmd, '-n', '0', 'status', 'bridge99', env=env) ++ output = networkctl_status('bridge99') + print(output) + self.assertRegex(output, 'Priority: 9') + self.assertRegex(output, 'STP: yes') +@@ -1434,14 +1448,14 @@ class NetworkdNetDevTests(unittest.TestCase, Utilities): + self.check_link_attr('bond98', 'bonding', 'mode', 'balance-tlb 5') + self.check_link_attr('bond98', 'bonding', 'tlb_dynamic_lb', '1') + +- output = check_output(*networkctl_cmd, '-n', '0', 'status', 'bond99', env=env) ++ output = networkctl_status('bond99') + 
print(output) + self.assertIn('Mode: 802.3ad', output) + self.assertIn('Miimon: 1s', output) + self.assertIn('Updelay: 2s', output) + self.assertIn('Downdelay: 2s', output) + +- output = check_output(*networkctl_cmd, '-n', '0', 'status', 'bond98', env=env) ++ output = networkctl_status('bond98') + print(output) + self.assertIn('Mode: balance-tlb', output) + +@@ -2314,7 +2328,7 @@ class NetworkdNetDevTests(unittest.TestCase, Utilities): + self.assertIn('00:11:22:33:44:66 dst 10.0.0.6 self permanent', output) + self.assertIn('00:11:22:33:44:77 dst 10.0.0.7 via test1 self permanent', output) + +- output = check_output(*networkctl_cmd, '-n', '0', 'status', 'vxlan99', env=env) ++ output = networkctl_status('vxlan99') + print(output) + self.assertIn('VNI: 999', output) + self.assertIn('Destination Port: 5555', output) +@@ -2555,8 +2569,7 @@ class NetworkdNetworkTests(unittest.TestCase, Utilities): + # netlabel + self.check_netlabel('dummy98', r'10\.10\.1\.0/24') + +- output = check_output(*networkctl_cmd, '--json=short', 'status', env=env) +- check_json(output) ++ check_json(networkctl_json()) + + def test_address_static(self): + copy_network_unit('25-address-static.network', '12-dummy.netdev', copy_dropins=False) +@@ -2873,7 +2886,7 @@ class NetworkdNetworkTests(unittest.TestCase, Utilities): + check_output(f'ip link set dev test1 carrier {carrier}') + self.wait_online([f'test1:{routable_map[carrier]}:{routable_map[carrier]}']) + +- output = check_output(*networkctl_cmd, '-n', '0', 'status', 'test1', env=env) ++ output = networkctl_status('test1') + print(output) + self.assertRegex(output, '192.168.0.15') + self.assertRegex(output, '192.168.0.1') +@@ -2897,7 +2910,7 @@ class NetworkdNetworkTests(unittest.TestCase, Utilities): + check_output(f'ip link set dev test1 carrier {carrier}') + self.wait_online([f'test1:{routable_map[carrier]}:{routable_map[carrier]}']) + +- output = check_output(*networkctl_cmd, '-n', '0', 'status', 'test1', env=env) ++ output = 
networkctl_status('test1') + print(output) + if have_config: + self.assertRegex(output, '192.168.0.15') +@@ -2942,8 +2955,7 @@ class NetworkdNetworkTests(unittest.TestCase, Utilities): + self.assertRegex(output, 'iif test1') + self.assertRegex(output, 'lookup 10') + +- output = check_output(*networkctl_cmd, '--json=short', 'status', env=env) +- check_json(output) ++ check_json(networkctl_json()) + + def test_routing_policy_rule_issue_11280(self): + copy_network_unit('25-routing-policy-rule-test1.network', '11-dummy.netdev', +@@ -3071,7 +3083,7 @@ class NetworkdNetworkTests(unittest.TestCase, Utilities): + start_networkd() + self.wait_online(['dummy98:routable']) + +- output = check_output(*networkctl_cmd, '-n', '0', 'status', 'dummy98', env=env) ++ output = networkctl_status('dummy98') + print(output) + + print('### ip -6 route show dev dummy98') +@@ -3174,8 +3186,7 @@ class NetworkdNetworkTests(unittest.TestCase, Utilities): + self.assertIn('via 2001:1234:5:8fff:ff:ff:ff:ff dev dummy98', output) + self.assertIn('via 2001:1234:5:9fff:ff:ff:ff:ff dev dummy98', output) + +- output = check_output(*networkctl_cmd, '--json=short', 'status', env=env) +- check_json(output) ++ check_json(networkctl_json()) + + copy_network_unit('25-address-static.network') + networkctl_reload() +@@ -3301,7 +3312,7 @@ class NetworkdNetworkTests(unittest.TestCase, Utilities): + start_networkd() + self.wait_online(['dummy98:routable']) + +- output = check_output(*networkctl_cmd, '-n', '0', 'status', 'dummy98', env=env) ++ output = networkctl_status('dummy98') + print(output) + + print('### ip -6 route show dev dummy98') +@@ -3446,8 +3457,7 @@ class NetworkdNetworkTests(unittest.TestCase, Utilities): + self.assertNotIn('192.168.10.2', output) + self.assertNotIn('00:00:5e:00:02:67', output) + +- output = check_output(*networkctl_cmd, '--json=short', 'status', env=env) +- check_json(output) ++ check_json(networkctl_json()) + + copy_network_unit('25-neighbor-section.network.d/override.conf') + 
networkctl_reload() +@@ -3500,8 +3510,7 @@ class NetworkdNetworkTests(unittest.TestCase, Utilities): + self.assertRegex(output, '2001:db8:0:f102::17 lladdr 2a:?00:ff:?de:45:?67:ed:?de:[0:]*:49:?88 PERMANENT') + self.assertNotIn('2001:db8:0:f102::18', output) + +- output = check_output(*networkctl_cmd, '--json=short', 'status', env=env) +- check_json(output) ++ check_json(networkctl_json()) + + def test_link_local_addressing(self): + copy_network_unit('25-link-local-addressing-yes.network', '11-dummy.netdev', +@@ -3790,7 +3799,7 @@ class NetworkdNetworkTests(unittest.TestCase, Utilities): + # default is true, if neither are specified + expected = True + +- output = check_output(*networkctl_cmd, '-n', '0', 'status', 'test1', env=env) ++ output = networkctl_status('test1') + print(output) + + yesno = 'yes' if expected else 'no' +@@ -3814,7 +3823,7 @@ class NetworkdNetworkTests(unittest.TestCase, Utilities): + start_networkd() + self.wait_online(['dummy98:routable']) + +- output = check_output(*networkctl_cmd, '-n', '0', 'status', 'dummy98', env=env) ++ output = networkctl_status('dummy98') + print(output) + self.assertRegex(output, 'Address: 192.168.42.100') + self.assertRegex(output, 'DNS: 192.168.42.1') +@@ -3900,8 +3909,7 @@ class NetworkdNetworkTests(unittest.TestCase, Utilities): + self.assertIn('nexthop via 192.168.20.1 dev dummy98 weight 1', output) + self.assertIn('nexthop via 192.168.5.1 dev veth99 weight 3', output) + +- output = check_output(*networkctl_cmd, '--json=short', 'status', env=env) +- check_json(output) ++ check_json(networkctl_json()) + + copy_network_unit('25-nexthop.network', '25-veth.netdev', '25-veth-peer.network', + '12-dummy.netdev', '25-nexthop-dummy.network') +@@ -4218,10 +4226,9 @@ class NetworkdStateFileTests(unittest.TestCase, Utilities): + self.wait_online(['dummy98:routable']) + + # make link state file updated +- check_output(*resolvectl_cmd, 'revert', 'dummy98', env=env) ++ resolvectl('revert', 'dummy98') + +- output = 
check_output(*networkctl_cmd, '--json=short', 'status', env=env) +- check_json(output) ++ check_json(networkctl_json()) + + output = read_link_state_file('dummy98') + print(output) +@@ -4242,15 +4249,14 @@ class NetworkdStateFileTests(unittest.TestCase, Utilities): + self.assertIn('MDNS=yes', output) + self.assertIn('DNSSEC=no', output) + +- check_output(*resolvectl_cmd, 'dns', 'dummy98', '10.10.10.12#ccc.com', '10.10.10.13', '1111:2222::3333', env=env) +- check_output(*resolvectl_cmd, 'domain', 'dummy98', 'hogehogehoge', '~foofoofoo', env=env) +- check_output(*resolvectl_cmd, 'llmnr', 'dummy98', 'yes', env=env) +- check_output(*resolvectl_cmd, 'mdns', 'dummy98', 'no', env=env) +- check_output(*resolvectl_cmd, 'dnssec', 'dummy98', 'yes', env=env) +- check_output(*timedatectl_cmd, 'ntp-servers', 'dummy98', '2.fedora.pool.ntp.org', '3.fedora.pool.ntp.org', env=env) ++ resolvectl('dns', 'dummy98', '10.10.10.12#ccc.com', '10.10.10.13', '1111:2222::3333') ++ resolvectl('domain', 'dummy98', 'hogehogehoge', '~foofoofoo') ++ resolvectl('llmnr', 'dummy98', 'yes') ++ resolvectl('mdns', 'dummy98', 'no') ++ resolvectl('dnssec', 'dummy98', 'yes') ++ timedatectl('ntp-servers', 'dummy98', '2.fedora.pool.ntp.org', '3.fedora.pool.ntp.org') + +- output = check_output(*networkctl_cmd, '--json=short', 'status', env=env) +- check_json(output) ++ check_json(networkctl_json()) + + output = read_link_state_file('dummy98') + print(output) +@@ -4262,10 +4268,9 @@ class NetworkdStateFileTests(unittest.TestCase, Utilities): + self.assertIn('MDNS=no', output) + self.assertIn('DNSSEC=yes', output) + +- check_output(*timedatectl_cmd, 'revert', 'dummy98', env=env) ++ timedatectl('revert', 'dummy98') + +- output = check_output(*networkctl_cmd, '--json=short', 'status', env=env) +- check_json(output) ++ check_json(networkctl_json()) + + output = read_link_state_file('dummy98') + print(output) +@@ -4277,10 +4282,9 @@ class NetworkdStateFileTests(unittest.TestCase, Utilities): + 
self.assertIn('MDNS=no', output) + self.assertIn('DNSSEC=yes', output) + +- check_output(*resolvectl_cmd, 'revert', 'dummy98', env=env) ++ resolvectl('revert', 'dummy98') + +- output = check_output(*networkctl_cmd, '--json=short', 'status', env=env) +- check_json(output) ++ check_json(networkctl_json()) + + output = read_link_state_file('dummy98') + print(output) +@@ -4668,7 +4672,7 @@ class NetworkdBridgeTests(unittest.TestCase, Utilities): + self.wait_online(['bridge99:no-carrier:no-carrier']) + self.check_link_attr('bridge99', 'carrier', '0') + +- output = check_output(*networkctl_cmd, '-n', '0', 'status', 'bridge99', env=env) ++ output = networkctl_status('bridge99') + self.assertRegex(output, '10.1.2.3') + self.assertRegex(output, '10.1.2.1') + +@@ -4848,7 +4852,7 @@ class NetworkdLLDPTests(unittest.TestCase, Utilities): + if trial > 0: + time.sleep(1) + +- output = check_output(*networkctl_cmd, 'lldp', env=env) ++ output = networkctl('lldp') + print(output) + if re.search(r'veth99 .* veth-peer', output): + break +@@ -4871,16 +4875,16 @@ class NetworkdRATests(unittest.TestCase, Utilities): + start_networkd() + self.wait_online(['veth99:routable', 'veth-peer:degraded']) + +- output = check_output(*resolvectl_cmd, 'dns', 'veth99', env=env) ++ output = resolvectl('dns', 'veth99') + print(output) + self.assertRegex(output, 'fe80::') + self.assertRegex(output, '2002:da8:1::1') + +- output = check_output(*resolvectl_cmd, 'domain', 'veth99', env=env) ++ output = resolvectl('domain', 'veth99') + print(output) + self.assertIn('hogehoge.test', output) + +- output = check_output(*networkctl_cmd, '-n', '0', 'status', 'veth99', env=env) ++ output = networkctl_status('veth99') + print(output) + self.assertRegex(output, '2002:da8:1:0') + +@@ -4900,7 +4904,7 @@ class NetworkdRATests(unittest.TestCase, Utilities): + start_networkd() + self.wait_online(['veth99:routable', 'veth-peer:degraded']) + +- output = check_output(*networkctl_cmd, '-n', '0', 'status', 'veth99', env=env) 
++ output = networkctl_status('veth99') + print(output) + self.assertRegex(output, '2002:da8:1:0:1a:2b:3c:4d') + self.assertRegex(output, '2002:da8:1:0:fa:de:ca:fe') +@@ -4912,7 +4916,7 @@ class NetworkdRATests(unittest.TestCase, Utilities): + start_networkd() + self.wait_online(['veth99:routable', 'veth-peer:degraded']) + +- output = check_output(*networkctl_cmd, '-n', '0', 'status', 'veth99', env=env) ++ output = networkctl_status('veth99') + print(output) + self.assertIn('2002:da8:1:0:b47e:7975:fc7a:7d6e', output) + self.assertIn('2002:da8:2:0:1034:56ff:fe78:9abc', output) # EUI64 +@@ -4922,7 +4926,7 @@ class NetworkdRATests(unittest.TestCase, Utilities): + start_networkd() + self.wait_online(['veth99:routable', 'veth-peer:degraded']) + +- output = check_output(*networkctl_cmd, '-n', '0', 'status', 'veth99', env=env) ++ output = networkctl_status('veth99') + print(output) + self.assertIn('2002:da8:1:0:b47e:7975:fc7a:7d6e', output) + self.assertIn('2002:da8:2:0:f689:561a:8eda:7443', output) +@@ -4994,7 +4998,7 @@ class NetworkdRATests(unittest.TestCase, Utilities): + self.wait_online(['client:routable']) + + self.wait_address('client', '2002:da8:1:99:1034:56ff:fe78:9a00/64', ipv='-6', timeout_sec=10) +- output = check_output(*networkctl_cmd, 'status', 'client', env=env) ++ output = networkctl_status('client') + print(output) + self.assertIn('Captive Portal: http://systemd.io', output) + +@@ -5030,7 +5034,7 @@ class NetworkdRATests(unittest.TestCase, Utilities): + self.wait_online(['client:routable']) + + self.wait_address('client', '2002:da8:1:99:1034:56ff:fe78:9a00/64', ipv='-6', timeout_sec=10) +- output = check_output(*networkctl_cmd, 'status', 'client', env=env) ++ output = networkctl_status('client') + print(output) + self.assertNotIn('Captive Portal:', output) + +@@ -5047,14 +5051,14 @@ class NetworkdDHCPServerTests(unittest.TestCase, Utilities): + start_networkd() + self.wait_online(['veth99:routable', 'veth-peer:routable']) + +- output = 
check_output(*networkctl_cmd, '-n', '0', 'status', 'veth99', env=env) ++ output = networkctl_status('veth99') + print(output) + self.assertRegex(output, r'Address: 192.168.5.[0-9]* \(DHCP4 via 192.168.5.1\)') + self.assertIn('Gateway: 192.168.5.3', output) + self.assertRegex(output, 'DNS: 192.168.5.1\n *192.168.5.10') + self.assertRegex(output, 'NTP: 192.168.5.1\n *192.168.5.11') + +- output = check_output(*networkctl_cmd, '-n', '0', 'status', 'veth-peer', env=env) ++ output = networkctl_status('veth-peer') + self.assertRegex(output, "Offered DHCP leases: 192.168.5.[0-9]*") + + def test_dhcp_server_null_server_address(self): +@@ -5070,14 +5074,14 @@ class NetworkdDHCPServerTests(unittest.TestCase, Utilities): + client_address = json.loads(output)[0]['addr_info'][0]['local'] + print(client_address) + +- output = check_output(*networkctl_cmd, '-n', '0', 'status', 'veth99', env=env) ++ output = networkctl_status('veth99') + print(output) + self.assertRegex(output, rf'Address: {client_address} \(DHCP4 via {server_address}\)') + self.assertIn(f'Gateway: {server_address}', output) + self.assertIn(f'DNS: {server_address}', output) + self.assertIn(f'NTP: {server_address}', output) + +- output = check_output(*networkctl_cmd, '-n', '0', 'status', 'veth-peer', env=env) ++ output = networkctl_status('veth-peer') + self.assertIn(f'Offered DHCP leases: {client_address}', output) + + def test_dhcp_server_with_uplink(self): +@@ -5086,7 +5090,7 @@ class NetworkdDHCPServerTests(unittest.TestCase, Utilities): + start_networkd() + self.wait_online(['veth99:routable', 'veth-peer:routable']) + +- output = check_output(*networkctl_cmd, '-n', '0', 'status', 'veth99', env=env) ++ output = networkctl_status('veth99') + print(output) + self.assertRegex(output, r'Address: 192.168.5.[0-9]* \(DHCP4 via 192.168.5.1\)') + self.assertIn('Gateway: 192.168.5.3', output) +@@ -5098,7 +5102,7 @@ class NetworkdDHCPServerTests(unittest.TestCase, Utilities): + start_networkd() + 
self.wait_online(['veth99:routable', 'veth-peer:routable']) + +- output = check_output(*networkctl_cmd, '-n', '0', 'status', 'veth99', env=env) ++ output = networkctl_status('veth99') + print(output) + self.assertRegex(output, r'Address: 192.168.5.[0-9]* \(DHCP4 via 192.168.5.1\)') + self.assertIn('Gateway: 192.168.5.1', output) +@@ -5109,7 +5113,7 @@ class NetworkdDHCPServerTests(unittest.TestCase, Utilities): + start_networkd() + self.wait_online(['veth99:routable', 'veth-peer:routable']) + +- output = check_output(*networkctl_cmd, '-n', '0', 'status', 'veth99', env=env) ++ output = networkctl_status('veth99') + print(output) + self.assertIn('Address: 10.1.1.200 (DHCP4 via 10.1.1.1)', output) + self.assertIn('DHCP4 Client ID: 12:34:56:78:9a:bc', output) +@@ -5119,7 +5123,7 @@ class NetworkdDHCPServerTests(unittest.TestCase, Utilities): + start_networkd() + self.wait_online(['veth99:routable', 'veth-peer:routable']) + +- output = check_output(*networkctl_cmd, '-n', '0', 'status', 'veth99', env=env) ++ output = networkctl_status('veth99') + print(output) + self.assertIn('Address: 10.1.1.200 (DHCP4 via 10.1.1.1)', output) + self.assertRegex(output, 'DHCP4 Client ID: IAID:[0-9a-z]*/DUID') +@@ -5143,7 +5147,7 @@ class NetworkdDHCPServerRelayAgentTests(unittest.TestCase, Utilities): + + self.wait_online(['client:routable']) + +- output = check_output(*networkctl_cmd, '-n', '0', 'status', 'client', env=env) ++ output = networkctl_status('client') + print(output) + self.assertRegex(output, r'Address: 192.168.5.150 \(DHCP4 via 192.168.5.1\)') + +@@ -5202,8 +5206,7 @@ class NetworkdDHCPClientTests(unittest.TestCase, Utilities): + self.assertNotIn('DHCPREPLY(veth-peer)', output) + + # Check json format +- output = check_output(*networkctl_cmd, '--json=short', 'status', 'veth99', env=env) +- check_json(output) ++ check_json(networkctl_json('veth99')) + + # solicit mode + stop_dnsmasq() +@@ -5230,7 +5233,7 @@ class NetworkdDHCPClientTests(unittest.TestCase, Utilities): + 
self.assertRegex(output, 'token :: dev veth99') + + # Make manager and link state file updated +- check_output(*resolvectl_cmd, 'revert', 'veth99', env=env) ++ resolvectl('revert', 'veth99') + + # Check link state file + print('## link state file') +@@ -5257,8 +5260,7 @@ class NetworkdDHCPClientTests(unittest.TestCase, Utilities): + self.assertIn('sent size: 0 option: 14 rapid-commit', output) + + # Check json format +- output = check_output(*networkctl_cmd, '--json=short', 'status', 'veth99', env=env) +- check_json(output) ++ check_json(networkctl_json('veth99')) + + # Testing without rapid commit support + with open(os.path.join(network_unit_dir, '25-dhcp-client-ipv6-only.network'), mode='a', encoding='utf-8') as f: +@@ -5284,7 +5286,7 @@ class NetworkdDHCPClientTests(unittest.TestCase, Utilities): + self.assertRegex(output, 'via fe80::1034:56ff:fe78:9abd') + + # Make manager and link state file updated +- check_output(*resolvectl_cmd, 'revert', 'veth99', env=env) ++ resolvectl('revert', 'veth99') + + # Check link state file + print('## link state file') +@@ -5311,8 +5313,7 @@ class NetworkdDHCPClientTests(unittest.TestCase, Utilities): + self.assertNotIn('rapid-commit', output) + + # Check json format +- output = check_output(*networkctl_cmd, '--json=short', 'status', 'veth99', env=env) +- check_json(output) ++ check_json(networkctl_json('veth99')) + + def test_dhcp_client_ipv6_dbus_status(self): + copy_network_unit('25-veth.netdev', '25-dhcp-server-veth-peer.network', '25-dhcp-client-ipv6-only.network') +@@ -5352,7 +5353,7 @@ class NetworkdDHCPClientTests(unittest.TestCase, Utilities): + + # Test renew command + # See https://github.com/systemd/systemd/pull/29472#issuecomment-1759092138 +- check_output(*networkctl_cmd, 'renew', 'veth99', env=env) ++ networkctl('renew', 'veth99') + + for _ in range(100): + state = get_dhcp4_client_state('veth99') +@@ -5459,8 +5460,7 @@ class NetworkdDHCPClientTests(unittest.TestCase, Utilities): + 
self.assertIn('DOMAINS=example.com', output) + + print('## json') +- output = check_output(*networkctl_cmd, '--json=short', 'status', 'veth99', env=env) +- j = json.loads(output) ++ j = json.loads(networkctl_json('veth99')) + + self.assertEqual(len(j['DNS']), 2) + for i in j['DNS']: +@@ -5555,8 +5555,7 @@ class NetworkdDHCPClientTests(unittest.TestCase, Utilities): + self.assertIn('DOMAINS=foo.example.com', output) + + print('## json') +- output = check_output(*networkctl_cmd, '--json=short', 'status', 'veth99', env=env) +- j = json.loads(output) ++ j = json.loads(networkctl_json('veth99')) + + self.assertEqual(len(j['DNS']), 3) + for i in j['DNS']: +@@ -5778,8 +5777,7 @@ class NetworkdDHCPClientTests(unittest.TestCase, Utilities): + self.assertNotRegex(output, r'8.8.8.8 via 192.168.5.[0-9]* proto dhcp src 192.168.5.[0-9]* metric 1024') + self.assertNotRegex(output, r'9.9.9.9 via 192.168.5.[0-9]* proto dhcp src 192.168.5.[0-9]* metric 1024') + +- output = check_output(*networkctl_cmd, '--json=short', 'status', env=env) +- check_json(output) ++ check_json(networkctl_json()) + + def test_dhcp_client_settings_anonymize(self): + copy_network_unit('25-veth.netdev', '25-dhcp-server-veth-peer.network', '25-dhcp-client-anonymize.network') +@@ -5956,7 +5954,7 @@ class NetworkdDHCPClientTests(unittest.TestCase, Utilities): + start_dnsmasq() + self.wait_online(['veth99:routable', 'veth-peer:routable']) + +- output = check_output(*networkctl_cmd, '-n', '0', 'status', 'veth99', env=env) ++ output = networkctl_status('veth99') + print(output) + self.assertRegex(output, '192.168.5') + +@@ -6020,9 +6018,9 @@ class NetworkdDHCPClientTests(unittest.TestCase, Utilities): + self.wait_address('veth99', r'inet6 2600::[0-9a-f]*/128 scope global (dynamic noprefixroute|noprefixroute dynamic)', ipv='-6') + + # make resolved re-read the link state file +- check_output(*resolvectl_cmd, 'revert', 'veth99', env=env) ++ resolvectl('revert', 'veth99') + +- output = check_output(*resolvectl_cmd, 
'dns', 'veth99', env=env) ++ output = resolvectl('dns', 'veth99') + print(output) + if ipv4: + self.assertIn('192.168.5.1', output) +@@ -6033,8 +6031,7 @@ class NetworkdDHCPClientTests(unittest.TestCase, Utilities): + else: + self.assertNotIn('2600::1', output) + +- output = check_output(*networkctl_cmd, '--json=short', 'status', env=env) +- check_json(output) ++ check_json(networkctl_json()) + + copy_network_unit('25-veth.netdev', '25-dhcp-server-veth-peer.network', '25-dhcp-client.network', copy_dropins=False) + +@@ -6065,15 +6062,14 @@ class NetworkdDHCPClientTests(unittest.TestCase, Utilities): + self.wait_address('veth99', r'inet 192.168.5.[0-9]*/24 metric 1024 brd 192.168.5.255 scope global dynamic', ipv='-4') + self.wait_address('veth99', r'inet6 2600::[0-9a-f]*/128 scope global (dynamic noprefixroute|noprefixroute dynamic)', ipv='-6') + +- output = check_output(*networkctl_cmd, 'status', 'veth99', env=env) ++ output = networkctl_status('veth99') + print(output) + if ipv4 or ipv6: + self.assertIn('Captive Portal: http://systemd.io', output) + else: + self.assertNotIn('Captive Portal: http://systemd.io', output) + +- output = check_output(*networkctl_cmd, '--json=short', 'status', env=env) +- check_json(output) ++ check_json(networkctl_json()) + + copy_network_unit('25-veth.netdev', '25-dhcp-server-veth-peer.network', '25-dhcp-client.network', copy_dropins=False) + +@@ -6104,13 +6100,12 @@ class NetworkdDHCPClientTests(unittest.TestCase, Utilities): + self.wait_address('veth99', r'inet 192.168.5.[0-9]*/24 metric 1024 brd 192.168.5.255 scope global dynamic', ipv='-4') + self.wait_address('veth99', r'inet6 2600::[0-9a-f]*/128 scope global (dynamic noprefixroute|noprefixroute dynamic)', ipv='-6') + +- output = check_output(*networkctl_cmd, 'status', 'veth99', env=env) ++ output = networkctl_status('veth99') + print(output) + self.assertNotIn('Captive Portal: ', output) + self.assertNotIn('invalid/url', output) + +- output = check_output(*networkctl_cmd, 
'--json=short', 'status', env=env) +- check_json(output) ++ check_json(networkctl_json()) + + copy_network_unit('25-veth.netdev', '25-dhcp-server-veth-peer.network', '25-dhcp-client.network', copy_dropins=False) + +@@ -6686,18 +6681,17 @@ class NetworkdIPv6PrefixTests(unittest.TestCase, Utilities): + self.assertIn('inet6 2001:db8:0:2:fa:de:ca:fe', output) + self.assertNotIn('inet6 2001:db8:0:3:', output) + +- output = check_output(*resolvectl_cmd, 'dns', 'veth-peer', env=env) ++ output = resolvectl('dns', 'veth-peer') + print(output) + self.assertRegex(output, '2001:db8:1:1::2') + +- output = check_output(*resolvectl_cmd, 'domain', 'veth-peer', env=env) ++ output = resolvectl('domain', 'veth-peer') + print(output) + self.assertIn('example.com', output) + +- output = check_output(*networkctl_cmd, '--json=short', 'status', env=env) +- check_json(output) ++ check_json(networkctl_json()) + +- output = check_output(*networkctl_cmd, '--json=short', 'status', 'veth-peer', env=env) ++ output = networkctl_json('veth-peer') + check_json(output) + + # PREF64 or NAT64 +@@ -6733,11 +6727,11 @@ class NetworkdIPv6PrefixTests(unittest.TestCase, Utilities): + self.assertNotIn('inet6 2001:db8:0:1:', output) + self.assertIn('inet6 2001:db8:0:2:', output) + +- output = check_output(*resolvectl_cmd, 'dns', 'veth-peer', env=env) ++ output = resolvectl('dns', 'veth-peer') + print(output) + self.assertRegex(output, '2001:db8:1:1::2') + +- output = check_output(*resolvectl_cmd, 'domain', 'veth-peer', env=env) ++ output = resolvectl('domain', 'veth-peer') + print(output) + self.assertIn('example.com', output) + +-- +2.33.0 + diff --git a/backport-test-network-introduce-no-journal-option.patch b/backport-test-network-introduce-no-journal-option.patch new file mode 100644 index 0000000..4e26c49 --- /dev/null +++ b/backport-test-network-introduce-no-journal-option.patch 
@@ -0,0 +1,62 @@
+From ebbc5e587b0644472fe95ffb3e8e6fd96d6c21a5 Mon Sep 17 00:00:00 2001
+From: Yu Watanabe
+Date: Fri, 10 May 2024 20:18:57 +0900
+Subject: [PATCH 0623/1160] test-network: introduce --no-journal option
+
+This should be useful when the test run as a service, e.g.
+running on a mkosi image.
+
+(cherry picked from commit e92d7b7dd9dd8d8783e44626268aa6315331d68c)
+---
+ test/test-network/systemd-networkd-tests.py | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/test/test-network/systemd-networkd-tests.py b/test/test-network/systemd-networkd-tests.py
+index b9e0de8c3c..572f44d948 100755
+--- a/test/test-network/systemd-networkd-tests.py
++++ b/test/test-network/systemd-networkd-tests.py
+@@ -61,6 +61,7 @@ asan_options = None
+ lsan_options = None
+ ubsan_options = None
+ with_coverage = False
++show_journal = True # When true, show journal on stopping networkd.
+
+ active_units = []
+ protected_links = {
+@@ -718,6 +719,8 @@ def networkd_is_failed():
+ return call_quiet('systemctl is-failed -q systemd-networkd.service') != 1
+
+ def stop_networkd(show_logs=True):
++ global show_journal
++ show_logs = show_logs and show_journal
+ if show_logs:
+ invocation_id = networkd_invocation_id()
+ check_output('systemctl stop systemd-networkd.socket')
+@@ -729,6 +732,8 @@ def start_networkd():
+ check_output('systemctl start systemd-networkd')
+
+ def restart_networkd(show_logs=True):
++ global show_journal
++ show_logs = show_logs and show_journal
+ if show_logs:
+ invocation_id = networkd_invocation_id()
+ check_output('systemctl restart systemd-networkd.service')
+@@ -6865,6 +6870,7 @@ if __name__ == '__main__':
+ parser.add_argument('--lsan-options', help='LSAN options', dest='lsan_options')
+ parser.add_argument('--ubsan-options', help='UBSAN options', dest='ubsan_options')
+ parser.add_argument('--with-coverage', help='Loosen certain sandbox restrictions to make gcov happy', dest='with_coverage', type=bool, nargs='?', const=True,
default=with_coverage)
++ parser.add_argument('--no-journal', help='Do not show journal of systemd-networkd on stop', dest='show_journal', action='store_false')
+ ns, unknown_args = parser.parse_known_args(namespace=unittest)
+
+ if ns.build_dir:
+@@ -6914,6 +6920,7 @@ if __name__ == '__main__':
+ lsan_options = ns.lsan_options
+ ubsan_options = ns.ubsan_options
+ with_coverage = ns.with_coverage
++ show_journal = ns.show_journal
+
+ if use_valgrind:
+ # Do not forget the trailing space.
+--
+2.33.0
+
diff --git a/backport-test-network-split-out-setup_netdevsim.patch b/backport-test-network-split-out-setup_netdevsim.patch
new file mode 100644
index 0000000..f7b5337
--- /dev/null
+++ b/backport-test-network-split-out-setup_netdevsim.patch
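Review bot: The `global show_journal` statements added to stop_networkd() and restart_networkd() are redundant: both functions only read the module-level flag in `show_logs = show_logs and show_journal` and never assign it, and Python resolves a plain read of an unassigned name to module scope without a `global` declaration. Dropping those two lines leaves behaviour unchanged and avoids suggesting to a reader that the functions mutate the flag. The only assignment, `show_journal = ns.show_journal`, already sits at module level inside the `if __name__ == '__main__':` block, so no declaration is needed there either. The bodies of stop_networkd() and restart_networkd() continue beyond the context lines shown in the inner hunks.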
@@ -0,0 +1,60 @@
+From c047c7e91a88802245efd6a73a8b71b843c586a8 Mon Sep 17 00:00:00 2001
+From: Yu Watanabe
+Date: Mon, 20 May 2024 04:29:55 +0900
+Subject: [PATCH 0657/1160] test-network: split out setup_netdevsim()
+
+(cherry picked from commit 12e0d6ed38a2f8de0a202d2cdbdbda52a866340d)
+---
+ test/test-network/systemd-networkd-tests.py | 25 ++++++++++++---------
+ 1 file changed, 14 insertions(+), 11 deletions(-)
+
+diff --git a/test/test-network/systemd-networkd-tests.py b/test/test-network/systemd-networkd-tests.py
+index 42fb675008..adf3664acb 100755
+--- a/test/test-network/systemd-networkd-tests.py
++++ b/test/test-network/systemd-networkd-tests.py
+@@ -4777,17 +4777,23 @@ class NetworkdSRIOVTests(unittest.TestCase, Utilities):
+ def tearDown(self):
+ tear_down_common()
+
+- @expectedFailureIfNetdevsimWithSRIOVIsNotAvailable()
+- def test_sriov(self):
+- copy_network_unit('25-default.link', '25-sriov.network')
+-
++ def setup_netdevsim(self, id=99, num_ports=1, num_vfs=0):
+ call('modprobe netdevsim')
+
++ # Create netdevsim device.
+ with open('/sys/bus/netdevsim/new_device', mode='w', encoding='utf-8') as f:
+- f.write('99 1')
++ f.write(f'{id} {num_ports}')
++
++ # Create VF.
++ if num_vfs > 0:
++ with open(f'/sys/bus/netdevsim/devices/netdevsim{id}/sriov_numvfs', mode='w', encoding='utf-8') as f:
++ f.write(f'{num_vfs}')
++
++ @expectedFailureIfNetdevsimWithSRIOVIsNotAvailable()
++ def test_sriov(self):
++ copy_network_unit('25-default.link', '25-sriov.network')
+
+- with open('/sys/bus/netdevsim/devices/netdevsim99/sriov_numvfs', mode='w', encoding='utf-8') as f:
+- f.write('3')
++ self.setup_netdevsim(num_vfs=3)
+
+ start_networkd()
+ self.wait_online(['eni99np1:routable'])
+@@ -4804,10 +4810,7 @@ class NetworkdSRIOVTests(unittest.TestCase, Utilities):
+ def test_sriov_udev(self):
+ copy_network_unit('25-sriov.link', '25-sriov-udev.network')
+
+- call('modprobe netdevsim')
+-
+- with open('/sys/bus/netdevsim/new_device', mode='w', encoding='utf-8') as f:
+- f.write('99 1')
++ self.setup_netdevsim()
+
+ start_networkd()
+ self.wait_online(['eni99np1:routable'])
+--
+2.33.0
+
diff --git a/backport-test-network-split-test_dhcp6pd-into-small-pieces.patch b/backport-test-network-split-test_dhcp6pd-into-small-pieces.patch
new file mode 100644
index 0000000..167e725
--- /dev/null
+++ b/backport-test-network-split-test_dhcp6pd-into-small-pieces.patch
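Review bot: The new helper setup_netdevsim() names its first parameter `id`, which shadows the builtin of the same name for the whole body; neither caller in this hunk (`self.setup_netdevsim(num_vfs=3)` and `self.setup_netdevsim()`) passes it by keyword, so renaming is safe: `def setup_netdevsim(self, dev_id=99, num_ports=1, num_vfs=0):` with the two f-strings changed to `f'{dev_id} {num_ports}'` and `netdevsim{dev_id}/sriov_numvfs`. The helper also has no docstring; a short one saying that it loads the netdevsim module, registers device `<id>` with `<num_ports>` ports via /sys/bus/netdevsim/new_device, and enables `<num_vfs>` VFs on it when num_vfs is positive would document the sysfs side effects that the tests rely on. The `# Create VF.` comment should read `# Create VFs.` since num_vfs may be greater than one, as in the test_sriov caller. The return value of `call('modprobe netdevsim')` is still ignored, as in the code it replaces, so a missing module presumably surfaces only as an exception from the following open(); that is likely intentional given the expectedFailureIfNetdevsimWithSRIOVIsNotAvailable() decorator on test_sriov, but a one-line comment stating it would help.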
@@ -0,0 +1,180 @@ +From ef45eaabbce6910d4cae1283b4118ed21216c8cd Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Sat, 17 Feb 2024 05:47:55 +0900 +Subject: [PATCH 0247/1160] test-network: split test_dhcp6pd() into small + pieces + +(cherry picked from commit ab06b74fd38f2af8be35fe51c975711ac448ab54) +--- + .../25-dhcp6pd-upstream-no-address.network | 21 ++++++ + .../conf/25-dhcp6pd-upstream.network | 2 - + .../with-address.conf | 6 -- + test/test-network/systemd-networkd-tests.py | 73 ++++++++++--------- + 4 files changed, 58 insertions(+), 44 deletions(-) + create mode 100644 test/test-network/conf/25-dhcp6pd-upstream-no-address.network + delete mode 100644 test/test-network/conf/25-dhcp6pd-upstream.network.d/with-address.conf + +diff --git a/test/test-network/conf/25-dhcp6pd-upstream-no-address.network b/test/test-network/conf/25-dhcp6pd-upstream-no-address.network +new file mode 100644 +index 0000000000..01f0e9e6d5 +--- /dev/null ++++ b/test/test-network/conf/25-dhcp6pd-upstream-no-address.network +@@ -0,0 +1,21 @@ ++# SPDX-License-Identifier: LGPL-2.1-or-later ++[Match] ++Name=veth99 ++ ++[Network] ++IPv6PrivacyExtensions=yes ++IPv6AcceptRA=no ++DHCP=ipv6 ++DHCPPrefixDelegation=yes ++ ++[DHCPv6] ++WithoutRA=solicit ++UseAddress=no ++ ++[DHCPPrefixDelegation] ++UplinkInterface=:self ++SubnetId=10 ++Announce=no ++Token=eui64 ++Token=::1a:2b:3c:4d ++Assign=no +diff --git a/test/test-network/conf/25-dhcp6pd-upstream.network b/test/test-network/conf/25-dhcp6pd-upstream.network +index 01f0e9e6d5..4b8cd7d324 100644 +--- a/test/test-network/conf/25-dhcp6pd-upstream.network ++++ b/test/test-network/conf/25-dhcp6pd-upstream.network +@@ -10,7 +10,6 @@ DHCPPrefixDelegation=yes + + [DHCPv6] + WithoutRA=solicit +-UseAddress=no + + [DHCPPrefixDelegation] + UplinkInterface=:self +@@ -18,4 +17,3 @@ SubnetId=10 + Announce=no + Token=eui64 + Token=::1a:2b:3c:4d +-Assign=no +diff --git a/test/test-network/conf/25-dhcp6pd-upstream.network.d/with-address.conf 
b/test/test-network/conf/25-dhcp6pd-upstream.network.d/with-address.conf +deleted file mode 100644 +index 451475509d..0000000000 +--- a/test/test-network/conf/25-dhcp6pd-upstream.network.d/with-address.conf ++++ /dev/null +@@ -1,6 +0,0 @@ +-# SPDX-License-Identifier: LGPL-2.1-or-later +-[DHCPv6] +-UseAddress=yes +- +-[DHCPPrefixDelegation] +-Assign=yes +diff --git a/test/test-network/systemd-networkd-tests.py b/test/test-network/systemd-networkd-tests.py +index 59dbd49073..aa59976572 100755 +--- a/test/test-network/systemd-networkd-tests.py ++++ b/test/test-network/systemd-networkd-tests.py +@@ -6133,63 +6133,64 @@ class NetworkdDHCPPDTests(unittest.TestCase, Utilities): + def tearDown(self): + tear_down_common() + +- def test_dhcp6pd(self): +- def get_dhcp6_prefix(link): +- description = get_link_description(link) ++ def check_dhcp6_prefix(self, link): ++ description = get_link_description(link) + +- self.assertIn('DHCPv6Client', description.keys()) +- self.assertIn('Prefixes', description['DHCPv6Client']) ++ self.assertIn('DHCPv6Client', description.keys()) ++ self.assertIn('Prefixes', description['DHCPv6Client']) + +- prefixInfo = description['DHCPv6Client']['Prefixes'] ++ prefixInfo = description['DHCPv6Client']['Prefixes'] + +- return prefixInfo ++ self.assertEqual(len(prefixInfo), 1) + +- copy_network_unit('25-veth.netdev', '25-dhcp6pd-server.network', '25-dhcp6pd-upstream.network', +- '25-veth-downstream-veth97.netdev', '25-dhcp-pd-downstream-veth97.network', '25-dhcp-pd-downstream-veth97-peer.network', +- '25-veth-downstream-veth98.netdev', '25-dhcp-pd-downstream-veth98.network', '25-dhcp-pd-downstream-veth98-peer.network', +- '11-dummy.netdev', '25-dhcp-pd-downstream-test1.network', +- '25-dhcp-pd-downstream-dummy97.network', +- '12-dummy.netdev', '25-dhcp-pd-downstream-dummy98.network', +- '13-dummy.netdev', '25-dhcp-pd-downstream-dummy99.network', +- copy_dropins=False) ++ self.assertIn('Prefix', prefixInfo[0].keys()) ++ self.assertIn('PrefixLength', 
prefixInfo[0].keys()) ++ self.assertIn('PreferredLifetimeUSec', prefixInfo[0].keys()) ++ self.assertIn('ValidLifetimeUSec', prefixInfo[0].keys()) + +- self.setup_nftset('addr6', 'ipv6_addr') +- self.setup_nftset('network6', 'ipv6_addr', 'flags interval;') +- self.setup_nftset('ifindex', 'iface_index') ++ self.assertEqual(prefixInfo[0]['Prefix'][0:6], [63, 254, 5, 1, 255, 255]) ++ self.assertEqual(prefixInfo[0]['PrefixLength'], 56) ++ self.assertGreater(prefixInfo[0]['PreferredLifetimeUSec'], 0) ++ self.assertGreater(prefixInfo[0]['ValidLifetimeUSec'], 0) ++ ++ def test_dhcp6pd_no_address(self): ++ # For issue #29979. ++ copy_network_unit('25-veth.netdev', '25-dhcp6pd-server.network', '25-dhcp6pd-upstream-no-address.network') + + start_networkd() + self.wait_online(['veth-peer:routable']) + start_isc_dhcpd(conf_file='isc-dhcpd-dhcp6pd.conf', ipv='-6') + self.wait_online(['veth99:degraded']) + +- # First, test UseAddress=no and Assign=no (issue #29979). +- # Note, due to the bug #29701, this test must be done at first. 
+ print('### ip -6 address show dev veth99 scope global') + output = check_output('ip -6 address show dev veth99 scope global') + print(output) + self.assertNotIn('inet6 3ffe:501:ffff', output) + +- # Check DBus assigned prefix information to veth99 +- prefixInfo = get_dhcp6_prefix('veth99') +- +- self.assertEqual(len(prefixInfo), 1) +- prefixInfo = prefixInfo[0] +- +- self.assertIn('Prefix', prefixInfo.keys()) +- self.assertIn('PrefixLength', prefixInfo.keys()) +- self.assertIn('PreferredLifetimeUSec', prefixInfo.keys()) +- self.assertIn('ValidLifetimeUSec', prefixInfo.keys()) ++ self.check_dhcp6_prefix('veth99') + +- self.assertEqual(prefixInfo['Prefix'][0:6], [63, 254, 5, 1, 255, 255]) +- self.assertEqual(prefixInfo['PrefixLength'], 56) +- self.assertGreater(prefixInfo['PreferredLifetimeUSec'], 0) +- self.assertGreater(prefixInfo['ValidLifetimeUSec'], 0) ++ def test_dhcp6pd(self): ++ copy_network_unit('25-veth.netdev', '25-dhcp6pd-server.network', '25-dhcp6pd-upstream.network', ++ '25-veth-downstream-veth97.netdev', '25-dhcp-pd-downstream-veth97.network', '25-dhcp-pd-downstream-veth97-peer.network', ++ '25-veth-downstream-veth98.netdev', '25-dhcp-pd-downstream-veth98.network', '25-dhcp-pd-downstream-veth98-peer.network', ++ '11-dummy.netdev', '25-dhcp-pd-downstream-test1.network', ++ '25-dhcp-pd-downstream-dummy97.network', ++ '12-dummy.netdev', '25-dhcp-pd-downstream-dummy98.network', ++ '13-dummy.netdev', '25-dhcp-pd-downstream-dummy99.network') + +- copy_network_unit('25-dhcp6pd-upstream.network.d/with-address.conf') +- networkctl_reload() ++ start_networkd() ++ self.wait_online(['veth-peer:routable']) ++ start_isc_dhcpd(conf_file='isc-dhcpd-dhcp6pd.conf', ipv='-6') + self.wait_online(['veth99:routable', 'test1:routable', 'dummy98:routable', 'dummy99:degraded', + 'veth97:routable', 'veth97-peer:routable', 'veth98:routable', 'veth98-peer:routable']) + ++ self.setup_nftset('addr6', 'ipv6_addr') ++ self.setup_nftset('network6', 'ipv6_addr', 'flags interval;') ++ 
self.setup_nftset('ifindex', 'iface_index') ++ ++ # Check DBus assigned prefix information to veth99 ++ self.check_dhcp6_prefix('veth99') ++ + print('### ip -6 address show dev veth-peer scope global') + output = check_output('ip -6 address show dev veth-peer scope global') + print(output) +-- +2.33.0 + diff --git a/backport-test-network-sync-journal-before-read.patch b/backport-test-network-sync-journal-before-read.patch new file mode 100644 index 0000000..6fa0f0d --- /dev/null +++ b/backport-test-network-sync-journal-before-read.patch @@ -0,0 +1,28 @@ +From 26e04a895de5a03f78e811c66874f58f91577613 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Sat, 6 Jan 2024 11:29:01 +0900 +Subject: [PATCH 0528/1160] test-network: sync journal before read + +Otherwise, test cases that check journal entries, e.g. test_unit_file() +may fail. + +(cherry picked from commit bd581438a1019ae48037fd205d1cb5999aed8ecf) +--- + test/test-network/systemd-networkd-tests.py | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/test/test-network/systemd-networkd-tests.py b/test/test-network/systemd-networkd-tests.py +index ffd6a89df6..d5aec22e1f 100755 +--- a/test/test-network/systemd-networkd-tests.py ++++ b/test/test-network/systemd-networkd-tests.py +@@ -709,6 +709,7 @@ def read_networkd_log(invocation_id=None, since=None): + ] + if since: + command.append(f'--since={since}') ++ check_output('journalctl --sync') + return check_output(*command) + + def stop_networkd(show_logs=True): +-- +2.33.0 + diff --git a/backport-test-network-use-different-destination-from-gateway.patch b/backport-test-network-use-different-destination-from-gateway.patch new file mode 100644 index 0000000..da5a9d7 --- /dev/null +++ b/backport-test-network-use-different-destination-from-gateway.patch 
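Review bot: `check_dhcp6_prefix()` asserts the delegated prefix as raw octets, `self.assertEqual(prefixInfo[0]['Prefix'][0:6], [63, 254, 5, 1, 255, 255])`, with nothing saying which address that is; a reader has to decode 0x3ffe,0x0501,0xffff by hand to see it is the same `3ffe:501:ffff` prefix that the `assertNotIn('inet6 3ffe:501:ffff', output)` check in test_dhcp6pd_no_address refers to. A comment next to the assertion such as `# first 6 octets of 3ffe:501:ffff::/56 (the prefix the DHCPv6 server in isc-dhcpd-dhcp6pd.conf delegates — verify against that file)` would tie the two together. The helper also silently requires exactly one delegated prefix (`self.assertEqual(len(prefixInfo), 1)`), which a short docstring should state now that both tests share it. The body of test_dhcp6pd continues outside the hunk.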
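Review bot: `check_output('journalctl --sync')` now runs on every `read_networkd_log()` call, and the sibling patch in this series (backport-test-network-use-read_networkd_log-at-one-more-place.patch) makes `wait_activated()` poll this helper once per second, so the sync is repeated per iteration rather than once before the read. If that cost turns out to matter, a keyword such as `sync=True` that keeps the current behaviour by default but lets tight loops pass `sync=False` would preserve the fix; either way a comment on the new line, `# journald may still hold unflushed entries; sync so journalctl sees them`, would record why the sync precedes the read. The rest of read_networkd_log() is outside the hunk.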
@@ -0,0 +1,51 @@ +From f1ec77ce274f46b928baee2af0c52527632439be Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Fri, 17 May 2024 09:28:46 +0900 +Subject: [PATCH 0638/1160] test-network: use different destination from + gateway + +Previously, one of the test route has the same address in destination +and gateway. Even it is a test case, that's super spurious. Let's use a +different address. + +(cherry picked from commit cd6507538a5bd233c94b46c3aba328abc216154c) +--- + test/test-network/conf/25-route-static.network | 2 +- + test/test-network/systemd-networkd-tests.py | 6 +++--- + 2 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/test/test-network/conf/25-route-static.network b/test/test-network/conf/25-route-static.network +index 7ef211d410..5ddd7de61a 100644 +--- a/test/test-network/conf/25-route-static.network ++++ b/test/test-network/conf/25-route-static.network +@@ -96,7 +96,7 @@ MultiPathRoute=149.10.124.59 10 + MultiPathRoute=149.10.124.60 5 + + [Route] +-Destination=2001:1234:5:7fff:ff:ff:ff:ff/128 ++Destination=2001:1234:5:bfff:ff:ff:ff:ff/128 + MultiPathRoute=2001:1234:5:6fff:ff:ff:ff:ff@test1 20 + MultiPathRoute=2001:1234:5:7fff:ff:ff:ff:ff@test1 30 + MultiPathRoute=2001:1234:5:8fff:ff:ff:ff:ff@dummy98 10 +diff --git a/test/test-network/systemd-networkd-tests.py b/test/test-network/systemd-networkd-tests.py +index 01f5f7d177..42fb675008 100755 +--- a/test/test-network/systemd-networkd-tests.py ++++ b/test/test-network/systemd-networkd-tests.py +@@ -3212,11 +3212,11 @@ class NetworkdNetworkTests(unittest.TestCase, Utilities): + self.assertIn('dev dummy98 weight 10', output) + self.assertIn('dev dummy98 weight 5', output) + +- print('### ip -6 route show 2001:1234:5:7fff:ff:ff:ff:ff') +- output = check_output('ip -6 route show 2001:1234:5:7fff:ff:ff:ff:ff') ++ print('### ip -6 route show 2001:1234:5:bfff:ff:ff:ff:ff') ++ output = check_output('ip -6 route show 2001:1234:5:bfff:ff:ff:ff:ff') + print(output) + # old ip command does not show 
'nexthop' keyword and weight... +- self.assertIn('2001:1234:5:7fff:ff:ff:ff:ff', output) ++ self.assertIn('2001:1234:5:bfff:ff:ff:ff:ff', output) + self.assertIn('via 2001:1234:5:6fff:ff:ff:ff:ff dev test1', output) + self.assertIn('via 2001:1234:5:7fff:ff:ff:ff:ff dev test1', output) + self.assertIn('via 2001:1234:5:8fff:ff:ff:ff:ff dev dummy98', output) +-- +2.33.0 + diff --git a/backport-test-network-use-read_networkd_log-at-one-more-place.patch b/backport-test-network-use-read_networkd_log-at-one-more-place.patch new file mode 100644 index 0000000..eee2618 --- /dev/null +++ b/backport-test-network-use-read_networkd_log-at-one-more-place.patch @@ -0,0 +1,35 @@ +From 74bfb958375f006aeab0789dabd7050fcaff42de Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Sat, 6 Jan 2024 11:32:03 +0900 +Subject: [PATCH 0529/1160] test-network: use read_networkd_log() at one more + place + +(cherry picked from commit 032fd10de88fedcaec68d1049596c25e9a4ea355) +--- + test/test-network/systemd-networkd-tests.py | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/test/test-network/systemd-networkd-tests.py b/test/test-network/systemd-networkd-tests.py +index d5aec22e1f..51cb0bc4bf 100755 +--- a/test/test-network/systemd-networkd-tests.py ++++ b/test/test-network/systemd-networkd-tests.py +@@ -892,7 +892,6 @@ class Utilities(): + + def wait_activated(self, link, state='down', timeout=20, fail_assert=True): + # wait for the interface is activated. +- invocation_id = check_output('systemctl show systemd-networkd -p InvocationID --value') + needle = f'{link}: Bringing link {state}' + flag = state.upper() + for iteration in range(timeout + 1): +@@ -900,7 +899,7 @@ class Utilities(): + time.sleep(1) + if not link_exists(link): + continue +- output = check_output('journalctl _SYSTEMD_INVOCATION_ID=' + invocation_id) ++ output = read_networkd_log() + if needle in output and flag in check_output(f'ip link show {link}'): + return True + if fail_assert: +-- +2.33.0 + 
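Review bot: Replacing the journalctl call with `output = read_networkd_log()` drops the `invocation_id` that `wait_activated()` used to capture once at entry; the helper's signature, `read_networkd_log(invocation_id=None, since=None)` (visible in the sync patch of this series), defaults the id to None, so which invocation's journal is scanned on each iteration now depends on the helper's default resolution, which is not visible here. If it resolves the current invocation per call, a networkd restart during the wait switches the log being searched mid-loop, whereas the old code kept searching the invocation it started with; passing the captured id, `output = read_networkd_log(invocation_id)`, would keep the original semantics while still benefiting from the shared helper. The loop also now pays for the helper's `journalctl --sync` once per second. wait_activated's body continues past the hunk.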
diff --git a/backport-test-never-is-not-a-valid-value-for-Restart.patch b/backport-test-never-is-not-a-valid-value-for-Restart.patch new file mode 100644 index 0000000..68aa0f4 --- /dev/null +++ b/backport-test-never-is-not-a-valid-value-for-Restart.patch 
@@ -0,0 +1,44 @@ +From 87bcb60c33788bb1722c05230f6e104537b27870 Mon Sep 17 00:00:00 2001 +From: Frantisek Sumsal +Date: Tue, 12 Dec 2023 12:43:36 +0100 +Subject: [PATCH 0057/1160] test: "never" is not a valid value for Restart= + +[ 154.140565] testsuite-07.sh[1014]: + systemctl start badbin_assert.socket +[ 154.738606] testsuite-07.sh[1014]: + socat - ABSTRACT-CONNECT:badbin_assert.socket +[ 154.768418] systemd[1]: Cannot find unit for notify message of PID 1021, ignoring. +[ 154.812357] systemd[1]: /run/systemd/system/badbin_assert.service:3: Failed to parse service restart specifier, ignoring: never +[ 155.347350] testsuite-07.sh[1014]: + timeout 10 sh -c 'while systemctl is-active badbin_assert.service; do sleep .5; done' +[ 155.669695] (badbin)[1045]: badbin_assert.service: Failed to execute /tmp/badbin: Exec format error +[ 155.676596] systemd[1]: badbin_assert.service: Failed with result 'exit-code'. +[ 156.081953] testsuite-07.sh[1051]: failed +[ 156.132018] testsuite-07.sh[1054]: ++ systemctl show -P ExecMainStatus badbin_assert.service +[ 156.326583] (badbin)[1050]: badbin_assert.service: Failed to execute /tmp/badbin: Exec format error +[ 156.343566] systemd[1]: badbin_assert.service: Failed with result 'exit-code'. +[ 156.904658] (badbin)[1055]: badbin_assert.service: Failed to execute /tmp/badbin: Exec format error +[ 156.913709] systemd[1]: badbin_assert.service: Failed with result 'exit-code'. +[ 157.066900] testsuite-07.sh[1014]: + [[ 0 == 203 ]] +[ 157.081588] testsuite-07.sh[618]: + echo 'Subtest /usr/lib/systemd/tests/testdata/units/testsuite-07.issue-30412.sh failed' + +Follow-up for 1eeaa93de36. 
+ +(cherry picked from commit 28a2d27650c64afbe1e559a9236531472be6215b) +--- + test/units/testsuite-07.issue-30412.sh | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/test/units/testsuite-07.issue-30412.sh b/test/units/testsuite-07.issue-30412.sh +index 333b95f9bb..61801c543a 100755 +--- a/test/units/testsuite-07.issue-30412.sh ++++ b/test/units/testsuite-07.issue-30412.sh +@@ -14,7 +14,7 @@ chmod 744 /tmp/badbin + cat >/run/systemd/system/badbin_assert.service </run/systemd/system/badbin_assert.socket < +Date: Thu, 22 Feb 2024 11:35:07 +0100 +Subject: [PATCH 0331/1160] test-nss-hosts: treat negative host lookup as slow + +The negative lookup can be quite slow. On my local network, skipping +this test saves about half of the runtime of test-nss-hosts. + +(cherry picked from commit 37eba4b3028da9de7e6fb42557019f98bbda91b1) +--- + src/test/test-nss-hosts.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/src/test/test-nss-hosts.c b/src/test/test-nss-hosts.c +index 7758f0adc9..72a9c6454c 100644 +--- a/src/test/test-nss-hosts.c ++++ b/src/test/test-nss-hosts.c +@@ -451,7 +451,11 @@ static int parse_argv(int argc, char **argv, + } else { + _cleanup_free_ char *hostname = NULL; + assert_se(hostname = gethostname_malloc()); +- assert_se(names = strv_new("localhost", "_gateway", "_outbound", "foo_no_such_host", hostname)); ++ assert_se(names = strv_new("localhost", ++ "_gateway", ++ "_outbound", ++ hostname, ++ slow_tests_enabled() ? "foo_no_such_host" : NULL)); + + n = make_addresses(&addrs); + assert_se(n >= 0); +-- +2.33.0 + diff --git a/backport-test-redirect-stdout-stderr-of-TEST-04-JOURNAL-to-co.patch b/backport-test-redirect-stdout-stderr-of-TEST-04-JOURNAL-to-co.patch new file mode 100644 index 0000000..add4741 --- /dev/null +++ b/backport-test-redirect-stdout-stderr-of-TEST-04-JOURNAL-to-co.patch 
@@ -0,0 +1,77 @@ +From 2c9e1ae02a74bd5383065885941aa272bbe0d1f8 Mon Sep 17 00:00:00 2001 +From: Frantisek Sumsal +Date: Sat, 23 Dec 2023 15:35:26 +0100 +Subject: [PATCH 0087/1160] test: redirect stdout/stderr of TEST-04-JOURNAL to + console as well + +This effectively reverts fa6f37c043 just for TEST-04, as we nuke the +journal repeatedly in this test which makes it particularly hard to +debug. Let's hope the issue behind fa6f37c043 won't bite us back in this +case. + +Follow-up for: fa6f37c043 +Reverts: 8f7c876bdc + +(cherry picked from commit b3ed0808d198901bf35c872276858db4e2ba8cd6) +--- + test/TEST-04-JOURNAL/test.sh | 9 +++++++++ + test/units/testsuite-04.bsod.sh | 8 -------- + 2 files changed, 9 insertions(+), 8 deletions(-) + +diff --git a/test/TEST-04-JOURNAL/test.sh b/test/TEST-04-JOURNAL/test.sh +index 7f1c460d47..42574ce8ea 100755 +--- a/test/TEST-04-JOURNAL/test.sh ++++ b/test/TEST-04-JOURNAL/test.sh +@@ -9,6 +9,7 @@ TEST_DESCRIPTION="Journal-related tests" + + test_append_files() { + local workspace="${1:?}" ++ local dropin_dir + + mkdir -p "$workspace/test-journals/" + cp -av "${TEST_BASE_DIR:?}/test-journals/"* "$workspace/test-journals/" +@@ -18,6 +19,14 @@ test_append_files() { + # Necessary for RH-based systems, otherwise MHD fails with: + # microhttpd: Failed to initialise TLS session. + image_install -o /etc/crypto-policies/back-ends/gnutls.config ++ ++ # Since we nuke the journal repeatedly during this test, let's redirect ++ # stdout/stderr to the console as well to make the test a bit more debug-able. ++ if ! 
get_bool "${INTERACTIVE_DEBUG:-}"; then ++ dropin_dir="${workspace:?}/etc/systemd/system/testsuite-04.service.d/" ++ mkdir -p "$dropin_dir" ++ printf '[Service]\nStandardOutput=journal+console\nStandardError=journal+console' >"$dropin_dir/99-stdout.conf" ++ fi + } + + do_test "$@" +diff --git a/test/units/testsuite-04.bsod.sh b/test/units/testsuite-04.bsod.sh +index 1d4ad7ec6a..30f0cb0bd4 100755 +--- a/test/units/testsuite-04.bsod.sh ++++ b/test/units/testsuite-04.bsod.sh +@@ -22,9 +22,6 @@ at_exit() { + journalctl --flush + fi + +- rm -f /run/systemd/journald.conf.d/99-forward-to-console.conf +- systemctl restart systemd-journald +- + return 0 + } + +@@ -52,12 +49,7 @@ vcs_dump_and_check() { + # current boot, let's temporarily overmount /var/log/journal with a tmpfs, + # as we're going to wipe it multiple times, but we need to keep the original + # journal intact for the other tests to work correctly. +-# +-# Also, since we'll eventually lose the journal from this test, let's temporarily +-# forward everything to console, to make potential fails debug-able. + trap at_exit EXIT +-mkdir -p /run/systemd/journald.conf.d/ +-echo -ne '[Journal]\nForwardToConsole=yes' >/run/systemd/journald.conf.d/99-forward-to-console.conf + mount -t tmpfs tmpfs /var/log/journal + systemctl restart systemd-journald + +-- +2.33.0 + diff --git a/backport-test-replace-Europe-Kiev-with-Europe-Kyiv.patch b/backport-test-replace-Europe-Kiev-with-Europe-Kyiv.patch new file mode 100644 index 0000000..27ab6f1 --- /dev/null +++ b/backport-test-replace-Europe-Kiev-with-Europe-Kyiv.patch 
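Review bot: The drop-in written by `printf '[Service]\nStandardOutput=journal+console\nStandardError=journal+console' >"$dropin_dir/99-stdout.conf"` has no terminating newline, so the file ends mid-line; systemd's unit parser accepts that, but anyone `cat`-ing the file while debugging the very failures this change targets gets the last line glued to their prompt. Appending `\n` to the format string is enough. The condition `if ! get_bool "${INTERACTIVE_DEBUG:-}"` is explained only by what it does; a clause on the existing comment saying why the interactive case is excluded (presumably the console is already being watched in that mode) would help the next reader.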
@@ -0,0 +1,65 @@ +From 6e778d4b5fdb741e52fac7151d9789e24eb03648 Mon Sep 17 00:00:00 2001 +From: Frantisek Sumsal +Date: Thu, 2 May 2024 20:40:10 +0200 +Subject: [PATCH 0590/1160] test: replace Europe/Kiev with Europe/Kyiv + +As the former is deprecated and might not be available (i.e. on Ubuntu +Noble it's only available after installing the tzdata-legacy package). + +(cherry picked from commit 568d97953b77fef4cb698894f567d08dfed453c9) +--- + test/test-functions | 2 +- + test/units/testsuite-30.sh | 2 +- + test/units/testsuite-45.sh | 8 ++++---- + 3 files changed, 6 insertions(+), 6 deletions(-) + +diff --git a/test/test-functions b/test/test-functions +index f7376bf33c..9dc4783495 100644 +--- a/test/test-functions ++++ b/test/test-functions +@@ -2398,7 +2398,7 @@ install_zoneinfo() { + inst_any /usr/share/zoneinfo/Australia/Sydney + inst_any /usr/share/zoneinfo/Europe/Berlin + inst_any /usr/share/zoneinfo/Europe/Dublin +- inst_any /usr/share/zoneinfo/Europe/Kiev ++ inst_any /usr/share/zoneinfo/Europe/Kyiv + inst_any /usr/share/zoneinfo/Pacific/Auckland + inst_any /usr/share/zoneinfo/Pacific/Honolulu + inst_any /usr/share/zoneinfo/CET +diff --git a/test/units/testsuite-30.sh b/test/units/testsuite-30.sh +index 104c87bfbb..83698b8da6 100755 +--- a/test/units/testsuite-30.sh ++++ b/test/units/testsuite-30.sh +@@ -16,7 +16,7 @@ systemd-run --on-clock-change touch /tmp/clock-changed + test ! -f /tmp/timezone-changed + test ! -f /tmp/clock-changed + +-timedatectl set-timezone Europe/Kiev ++timedatectl set-timezone Europe/Kyiv + + while test ! 
-f /tmp/timezone-changed ; do sleep .5 ; done + +diff --git a/test/units/testsuite-45.sh b/test/units/testsuite-45.sh +index b4269279f2..fbf2af4a2b 100755 +--- a/test/units/testsuite-45.sh ++++ b/test/units/testsuite-45.sh +@@ -57,12 +57,12 @@ testcase_timezone() { + assert_in "Local time:" "$(timedatectl --no-pager)" + + echo 'change timezone' +- assert_eq "$(timedatectl --no-pager set-timezone Europe/Kiev 2>&1)" "" +- assert_eq "$(readlink /etc/localtime | sed 's#^.*zoneinfo/##')" "Europe/Kiev" ++ assert_eq "$(timedatectl --no-pager set-timezone Europe/Kyiv 2>&1)" "" ++ assert_eq "$(readlink /etc/localtime | sed 's#^.*zoneinfo/##')" "Europe/Kyiv" + if [[ -f /etc/timezone ]]; then +- assert_eq "$(cat /etc/timezone)" "Europe/Kiev" ++ assert_eq "$(cat /etc/timezone)" "Europe/Kyiv" + fi +- assert_in "Time zone: Europe/Kiev \(EES*T, \+0[0-9]00\)" "$(timedatectl)" ++ assert_in "Time zone: Europe/Kyiv \(EES*T, \+0[0-9]00\)" "$(timedatectl)" + + if [[ -n "$ORIG_TZ" ]]; then + echo 'reset timezone to original' +-- +2.33.0 + diff --git a/backport-test-reset-systemd-resolved.service-s-restart-counte.patch b/backport-test-reset-systemd-resolved.service-s-restart-counte.patch new file mode 100644 index 0000000..bb5a037 --- /dev/null +++ b/backport-test-reset-systemd-resolved.service-s-restart-counte.patch 
@@ -0,0 +1,48 @@ +From 5cd179238eb34c836823ba8d91cf92acd908f1da Mon Sep 17 00:00:00 2001 +From: Frantisek Sumsal +Date: Tue, 19 Dec 2023 16:54:35 +0100 +Subject: [PATCH 0192/1160] test: reset systemd-resolved.service's restart + counter + +Otherwise we might occasionally hit the start rate limit, as we restart +the service a bunch of times: + +[ 3702.280886] testsuite-75.sh[1135]: + tee /tmp/tmp.wUL8bkJwrt +[ 3702.283684] testsuite-75.sh[1135]: {} +[ 3702.284254] testsuite-75.sh[46]: + restart_resolved +[ 3702.284302] testsuite-75.sh[46]: + systemctl stop systemd-resolved.service +[ 3702.310678] testsuite-75.sh[1140]: + systemctl is-failed systemd-resolved.service +[ 3702.316766] testsuite-75.sh[1141]: inactive +[ 3702.316998] testsuite-75.sh[46]: + systemctl start systemd-resolved.service +[ 3702.322315] systemd[1]: systemd-resolved.service: Start request repeated too quickly. +[ 3702.322343] systemd[1]: systemd-resolved.service: Failed with result 'start-limit-hit'. +[ 3702.322609] systemd[1]: Failed to start systemd-resolved.service - Network Name Resolution. +[ 3702.323619] systemctl[1142]: Job for systemd-resolved.service failed. +[ 3702.323839] systemctl[1142]: See "systemctl status systemd-resolved.service" and "journalctl -xeu systemd-resolved.service" for details. +[ 3702.325035] systemd[1]: testsuite-75.service: Failed with result 'exit-code'. +[ 3702.325391] systemd[1]: Failed to start testsuite-75.service - Tests for systemd-resolved. + +Follow-up for b1384db11b and 6ef512c0bb. + +(cherry picked from commit 68785c7d6a3fe27a57dac3028957910afcfe1718) +--- + test/units/testsuite-75.sh | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/test/units/testsuite-75.sh b/test/units/testsuite-75.sh +index 5dc31f8baa..c9cdc687be 100755 +--- a/test/units/testsuite-75.sh ++++ b/test/units/testsuite-75.sh +@@ -46,6 +46,9 @@ monitor_check_rr() ( + restart_resolved() { + systemctl stop systemd-resolved.service + (! 
systemctl is-failed systemd-resolved.service) ++ # Reset the restart counter since we call this method a bunch of times ++ # and can occasionally hit the default rate limit ++ systemctl reset-failed systemd-resolved.service + systemctl start systemd-resolved.service + systemctl service-log-level systemd-resolved.service debug + } +-- +2.33.0 + diff --git a/backport-test-reset-systemd-udevd.service-restart-counter.patch b/backport-test-reset-systemd-udevd.service-restart-counter.patch new file mode 100644 index 0000000..7ac35ff --- /dev/null +++ b/backport-test-reset-systemd-udevd.service-restart-counter.patch 
@@ -0,0 +1,39 @@ +From 7d029ce868c42f668e692d7a3bf9e22c778840ab Mon Sep 17 00:00:00 2001 +From: Frantisek Sumsal +Date: Fri, 8 Dec 2023 18:01:42 +0100 +Subject: [PATCH 0029/1160] test: reset systemd-udevd.service restart counter + +Since we restart systemd-udevd here a couple of times, we might hit the +rate limit in later tests: + +[ 26.028355] testsuite-17.sh[2074]: + udevadm control -e +[ 26.028355] testsuite-17.sh[2074]: + udevadm control -l emerg +[ 26.126160] systemd[1]: systemd-udevd.service: Start request repeated too quickly. +[ 26.126213] systemd[1]: systemd-udevd.service: Failed with result 'start-limit-hit'. +[ 26.140310] systemd[1]: Failed to start systemd-udevd.service. +[ 26.140897] systemd[1]: systemd-udevd-control.socket: Failed with result 'service-start-limit-hit'. +[ 26.141286] systemd[1]: systemd-udevd-kernel.socket: Failed with result 'service-start-limit-hit'. +[ 26.142225] testsuite-17.sh[2074]: + udevadm control -l alert +[ 26.149206] udevadm[2088]: Failed to send request to set log level: No such file or directory + +Follow-up to: 6ef512c0bb + +(cherry picked from commit ad23ff13deb4e057d435adb941e58cd552beac02) +--- + test/units/testsuite-17.06.sh | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/test/units/testsuite-17.06.sh b/test/units/testsuite-17.06.sh +index 4d452ff97c..6d83645303 100755 +--- a/test/units/testsuite-17.06.sh ++++ b/test/units/testsuite-17.06.sh +@@ -64,5 +64,6 @@ rm /run/udev/rules.d/00-debug.rules + rm /run/udev/rules.d/50-testsuite.rules + + udevadm control --reload ++systemctl reset-failed systemd-udevd.service + + exit 0 +-- +2.33.0 + diff --git a/backport-test-sbat-separate-the-two-sbat-sections.patch b/backport-test-sbat-separate-the-two-sbat-sections.patch new file mode 100644 index 0000000..5d39a96 --- /dev/null +++ b/backport-test-sbat-separate-the-two-sbat-sections.patch 
@@ -0,0 +1,50 @@ +From df71a5165cf3a193eb6c8b5804be440319583c36 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Wed, 30 Oct 2024 15:19:24 +0100 +Subject: [PATCH 0983/1160] test-sbat: separate the two sbat sections + +(cherry picked from commit 07000101eb9529c2d6b5f5402c9fe643c5f98420) +(cherry picked from commit bf681fcdf484ca01e2bb49b7b2659ad4034285df) +--- + src/test/test-sbat.c | 19 ++++++++++++++----- + 1 file changed, 14 insertions(+), 5 deletions(-) + +diff --git a/src/test/test-sbat.c b/src/test/test-sbat.c +index d8546b1ad9..cf9c155c9d 100644 +--- a/src/test/test-sbat.c ++++ b/src/test/test-sbat.c +@@ -8,17 +8,26 @@ + #include "sbat.h" + #include "tests.h" + +-TEST(sbat_section_text) { +- log_info("---SBAT-----------&<----------------------------------------\n" ++TEST(BOOT_SBAT) { ++ log_info("---SBAT-----------&<-----------------------------------------\n" + "%s" ++ "------------------>&-----------------------------------------", ++#ifdef SBAT_DISTRO ++ SBAT_BOOT_SECTION_TEXT ++#else ++ "(not defined)" ++#endif ++ ); ++} ++ ++TEST(STUB_SBAT) { ++ log_info("---SBAT-----------&<-----------------------------------------\n" + "%s" + "------------------>&-----------------------------------------", + #ifdef SBAT_DISTRO +- SBAT_BOOT_SECTION_TEXT, + SBAT_STUB_SECTION_TEXT + #else +- "(not defined)", +- "" ++ "(not defined)" + #endif + ); + } +-- +2.33.0 + diff --git a/backport-test-set-correct-group-for-systemd-journal-upload-te.patch b/backport-test-set-correct-group-for-systemd-journal-upload-te.patch new file mode 100644 index 0000000..6a4a74c --- /dev/null +++ b/backport-test-set-correct-group-for-systemd-journal-upload-te.patch 
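Review bot: Both new TEST() bodies keep the `#ifdef SBAT_DISTRO` / `#else` / `#endif` block inside the argument list of `log_info(...)`, and `log_info` is a macro in systemd's log.h, so these are preprocessor directives inside macro arguments; GCC processes that as a documented extension, but the C standard leaves it undefined and other compilers or static analyzers may reject it. Hoisting the choice into two file-level macros and passing plain arguments removes the pattern from both tests and also deduplicates the `"(not defined)"` fallback. The names below are constructed for illustration.
```c
#ifdef SBAT_DISTRO
#  define TEST_SBAT_BOOT_TEXT SBAT_BOOT_SECTION_TEXT
#  define TEST_SBAT_STUB_TEXT SBAT_STUB_SECTION_TEXT
#else
#  define TEST_SBAT_BOOT_TEXT "(not defined)"
#  define TEST_SBAT_STUB_TEXT "(not defined)"
#endif

TEST(BOOT_SBAT) {
        log_info("---SBAT-----------&<-----------------------------------------\n"
                 "%s"
                 "------------------>&-----------------------------------------",
                 TEST_SBAT_BOOT_TEXT);
}

/* … unchanged: STUB_SBAT, same shape using TEST_SBAT_STUB_TEXT … */
```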
@@ -0,0 +1,73 @@ +From f0022789db9a3ad1c032f881edc74943602ed9a0 Mon Sep 17 00:00:00 2001 +From: Frantisek Sumsal +Date: Mon, 4 Dec 2023 21:33:15 +0100 +Subject: [PATCH 0017/1160] test: set correct group for systemd-journal-upload + tests + +We can't use the systemd-journal-upload user here, since it's created +dynamically by DynamicUser=yes. However, we can use the group specified +in SupplementaryGroups=, so do exactly that. + +(cherry picked from commit 52c1fb6885e40ffa9fa65f7798608cf651e05c3a) +--- + test/test-functions | 5 +++-- + test/units/testsuite-04.journal-remote.sh | 7 ++++--- + 2 files changed, 7 insertions(+), 5 deletions(-) + +diff --git a/test/test-functions b/test/test-functions +index 556346d7d5..42b0038789 100644 +--- a/test/test-functions ++++ b/test/test-functions +@@ -157,6 +157,7 @@ BASICTOOLS=( + bash + capsh + cat ++ chgrp + chmod + chown + chroot +@@ -2870,14 +2871,14 @@ inst_binary() { + + # Same as above, but we need to wrap certain libraries unconditionally + # +- # chown, getent, login, setfacl, su, useradd, userdel ++ # chgrp, chown, getent, login, setfacl, su, useradd, userdel + # - dlopen() (not only) systemd's PAM modules + # ls, mkfs.*, mksquashfs, mkswap, setpriv, stat + # - pull in nss_systemd with certain options (like ls -l) when + # nsswitch.conf uses [SUCCESS=merge] (like on Arch Linux) + # delv, dig - pull in nss_resolve if `resolve` is in nsswitch.conf + # tar - called by machinectl in TEST-25 +- bin_rx='/(agetty|chown|curl|delv|dig|getfacl|getent|id|login|ls|mkfs\.[a-z0-9]+|mksquashfs|mkswap|setfacl|setpriv|stat|su|tar|useradd|userdel)$' ++ bin_rx='/(agetty|chgrp|chown|curl|delv|dig|getfacl|getent|id|login|ls|mkfs\.[a-z0-9]+|mksquashfs|mkswap|setfacl|setpriv|stat|su|tar|useradd|userdel)$' + if get_bool "$IS_BUILT_WITH_ASAN" && [[ "$bin" =~ $bin_rx ]]; then + wrap_binary=1 + # Ugh, so we want to disable LSan in most cases for the wrapped binaries, since +diff --git a/test/units/testsuite-04.journal-remote.sh 
b/test/units/testsuite-04.journal-remote.sh +index c543129da9..b7d9cbd81b 100755 +--- a/test/units/testsuite-04.journal-remote.sh ++++ b/test/units/testsuite-04.journal-remote.sh +@@ -161,8 +161,8 @@ openssl x509 -req -days 7 \ + -CA /run/systemd/remote-pki/ca.crt \ + -CAkey /run/systemd/remote-pki/ca.key \ + -out /run/systemd/remote-pki/server.crt +-setfacl -R -m "u:systemd-journal-remote:rwX" /run/systemd/remote-pki +-setfacl -R -m "u:systemd-journal-upload:rwX" /run/systemd/remote-pki ++chown -R systemd-journal-remote:systemd-journal /run/systemd/remote-pki ++chmod -R g+rwX /run/systemd/remote-pki + + # Reconfigure journal-upload/journal remote with the new keys + cat >/run/systemd/journal-remote.conf.d/99-test.conf </run/systemd/system/systemd-journal-upload.service.d/99-test.conf < +Date: Fri, 26 Jan 2024 15:29:49 +0100 +Subject: [PATCH 0279/1160] test: set -ex separately + +We call the entrypoint.sh script using `bash entrypoint.sh`, so -ex from +the shebang won't be used in that case. Whoopsie. + +(cherry picked from commit 7b1c292953bf5726b2f5e03379de84c2488277c6) +--- + test/units/testsuite-13.nspawn.sh | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/test/units/testsuite-13.nspawn.sh b/test/units/testsuite-13.nspawn.sh +index 8a6fa84dc9..31d9371487 100755 +--- a/test/units/testsuite-13.nspawn.sh ++++ b/test/units/testsuite-13.nspawn.sh +@@ -404,7 +404,8 @@ Port=tcp:60 + Port=udp:60:61 + EOF + cat >"$root/entrypoint.sh" <<\EOF +-#!/bin/bash -ex ++#!/bin/bash ++set -ex + + [[ "$1" == "foo bar" ]] + [[ "$2" == "bar baz" ]] +-- +2.33.0 + diff --git a/backport-test-set-nsec3-salt-length-8-in-knot.conf.patch b/backport-test-set-nsec3-salt-length-8-in-knot.conf.patch new file mode 100644 index 0000000..0ab9582 --- /dev/null +++ b/backport-test-set-nsec3-salt-length-8-in-knot.conf.patch 
@@ -0,0 +1,34 @@
+From 6e5e510da7a94609bc74f5725cfc88ea239dea1a Mon Sep 17 00:00:00 2001
+From: Nick Rosbrook
+Date: Tue, 10 Dec 2024 16:48:59 -0500
+Subject: [PATCH 1047/1160] test: set nsec3-salt-length=8 in knot.conf
+
+TEST-75-RESOLVED fails on Ubuntu autopkgtest due to this warning from
+knot:
+
+ notice: config, policy 'auto_rollover_nsec3' depends on default nsec3-salt-length=8, since version 3.5 the default becomes 0
+
+Explicitly set nsec3-salt-length=8 to silence.
+
+(cherry picked from commit 59e5108fb4e61957cb40bb15ac7966d085d13af2)
+(cherry picked from commit 1b945fb1a727f85be9230e43d2fdaf78d2567946)
+(cherry picked from commit 12686f3f5aee20dbe7c4f21d6841fa87aca55eae)
+---
+ test/knot-data/knot.conf | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/test/knot-data/knot.conf b/test/knot-data/knot.conf
+index b925812312..4dcf79b756 100644
+--- a/test/knot-data/knot.conf
++++ b/test/knot-data/knot.conf
+@@ -53,6 +53,7 @@ policy:
+ ksk-submission: parent_zone_sbm
+ nsec3-iterations: 0
+ nsec3: on
++ nsec3-salt-length: 8
+ propagation-delay: 1s
+ signing-threads: 4
+ zone-max-ttl: 1s
+--
+2.33.0
+
diff --git a/backport-test-set-pexpect-s-logfile-early.patch b/backport-test-set-pexpect-s-logfile-early.patch
new file mode 100644
index 0000000..9b49e9f
--- /dev/null
+++ b/backport-test-set-pexpect-s-logfile-early.patch
@@ -0,0 +1,50 @@
+From 8303b81fcdeb40cb39a810ce1c19d219b960f664 Mon Sep 17 00:00:00 2001
+From: Frantisek Sumsal
+Date: Tue, 9 Apr 2024 20:55:48 +0200
+Subject: [PATCH 0345/1160] test: set pexpect's logfile early
+
+So we capture the container's boot as well.
+
+(cherry picked from commit 04f0c6752c10d152bc1884b2cc92b1f0b2df5de5)
+---
+ test/test-shutdown.py | 15 ++++++++-------
+ 1 file changed, 8 insertions(+), 7 deletions(-)
+
+diff --git a/test/test-shutdown.py b/test/test-shutdown.py
+index f496122f80..b83487c5d4 100755
+--- a/test/test-shutdown.py
++++ b/test/test-shutdown.py
+@@ -15,9 +15,16 @@ def run(args):
+
+ ret = 1
+ logger = logging.getLogger("test-shutdown")
++ logfile = None
++
++ if args.logfile:
++ logger.debug("Logging pexpect IOs to %s", args.logfile)
++ logfile = open(args.logfile, 'w')
++ elif args.verbose:
++ logfile = sys.stdout
+
+ logger.info("spawning test")
+- console = pexpect.spawn(args.command, args.arg, env={
++ console = pexpect.spawn(args.command, args.arg, logfile=logfile, env={
+ "TERM": "linux",
+ }, encoding='utf-8', timeout=60)
+
+@@ -27,12 +34,6 @@ def run(args):
+ logger.info("waiting for login prompt")
+ console.expect('H login: ', 10)
+
+- if args.logfile:
+- logger.debug("Logging pexpect IOs to %s", args.logfile)
+- console.logfile = open(args.logfile, 'w')
+- elif args.verbose:
+- console.logfile = sys.stdout
+-
+ logger.info("log in and start screen")
+ console.sendline('root')
+ console.expect('bash.*# ', 10)
+--
+2.33.0
+
diff --git a/backport-test-skip-TEST-08-INITRD-if-systemd-didn-t-run-in-th.patch b/backport-test-skip-TEST-08-INITRD-if-systemd-didn-t-run-in-th.patch
new file mode 100644
index 0000000..b5fe4f7
--- /dev/null
+++ b/backport-test-skip-TEST-08-INITRD-if-systemd-didn-t-run-in-th.patch
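Review bot: `logfile = open(args.logfile, 'w')` opens the log with the locale's default encoding while the spawn it is handed to is configured with `encoding='utf-8'`, so console output containing non-ASCII characters can raise UnicodeEncodeError under a non-UTF-8 locale; `logfile = open(args.logfile, 'w', encoding='utf-8')` keeps the two consistent. The handle is also never closed on any path visible here (the removed code had the same shape), so the buffered tail of the log can be lost if run() leaves via an exception; closing it in a finally block, or passing a file opened by a with statement around the spawn, would address that. run()'s body continues outside the hunk.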
@@ -0,0 +1,56 @@
+From 781e8f3592918fffd77f297b70f195e027d7e1d5 Mon Sep 17 00:00:00 2001
+From: Frantisek Sumsal
+Date: Fri, 15 Dec 2023 11:04:39 +0100
+Subject: [PATCH 0196/1160] test: skip TEST-08-INITRD if systemd didn't run in
+ the initrd
+
+This test requires systemd in the initrd, which is not the case in
+mkinitrd-based initrds (Ubuntu/Debian).
+
+Resolves: #30481
+(cherry picked from commit 57d61ff319ec217294d9e0c4646010322b8be5e5)
+---
+ test/TEST-08-INITRD/test.sh | 5 +++++
+ test/units/testsuite-08.sh | 8 ++++++++
+ 2 files changed, 13 insertions(+)
+
+diff --git a/test/TEST-08-INITRD/test.sh b/test/TEST-08-INITRD/test.sh
+index 29fd1f7899..caa27f69fd 100755
+--- a/test/TEST-08-INITRD/test.sh
++++ b/test/TEST-08-INITRD/test.sh
+@@ -44,8 +44,13 @@ EOF
+ }
+
+ check_result_qemu_hook() {
++ local workspace="${1:?}"
+ local console_log="${TESTDIR:?}/console.log"
+
++ if [[ -e "$workspace/skipped" ]]; then
++ return 0
++ fi
++
+ if [[ ! -e "$console_log" ]]; then
+ dfatal "Missing console log - this shouldn't happen"
+ return 1
+diff --git a/test/units/testsuite-08.sh b/test/units/testsuite-08.sh
+index 9598c8ea0c..5c6b4cee79 100755
+--- a/test/units/testsuite-08.sh
++++ b/test/units/testsuite-08.sh
+@@ -8,6 +8,14 @@ if systemd-detect-virt -qc; then
+ exit 1
+ fi
+
++# This test requires systemd to run in the initrd as well, which is not the case
++# for mkinitrd-based initrd (Ubuntu/Debian)
++if [[ "$(systemctl show -P InitRDTimestampMonotonic)" -eq 0 ]]; then
++ echo "systemd didn't run in the initrd, skipping the test"
++ touch /skipped
++ exit 0
++fi
++
+ # We should've created a mount under /run in initrd (see the other half of the test)
+ # that should've survived the transition from initrd to the real system
+ test -d /run/initrd-mount-target
+--
+2.33.0
+
diff --git a/backport-test-skip-TEST-43-PRIVATEUSER-UNPRIV-if-unprivileged.patch b/backport-test-skip-TEST-43-PRIVATEUSER-UNPRIV-if-unprivileged.patch
new file mode 100644
index 0000000..c465a8d
--- /dev/null
+++ b/backport-test-skip-TEST-43-PRIVATEUSER-UNPRIV-if-unprivileged.patch
@@ -0,0 +1,37 @@
+From c07a21408b3d99c31dc79db1ac53d46479ccf71a Mon Sep 17 00:00:00 2001
+From: Nick Rosbrook
+Date: Fri, 12 Jan 2024 14:02:17 -0500
+Subject: [PATCH 0257/1160] test: skip TEST-43-PRIVATEUSER-UNPRIV if
+ unprivileged userns is restricted
+
+With newer versions of AppArmor, unprivileged user namespace creation
+may be restricted by default, in which case user manager instances will
+not be able to apply PrivateUsers=yes (or the settings which require it).
+
+This can be tested with the kernel.apparmor_restrict_unprivileged_userns
+sysctl.
+
+(cherry picked from commit fec0d508a2f3d6bcf9be16a805dfc8facdfd9bb0)
+---
+ test/units/testsuite-43.sh | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/test/units/testsuite-43.sh b/test/units/testsuite-43.sh
+index 07e6fc9b62..4f31a33c34 100755
+--- a/test/units/testsuite-43.sh
++++ b/test/units/testsuite-43.sh
+@@ -6,6 +6,11 @@ set -o pipefail
+ # shellcheck source=test/units/util.sh
+ . "$(dirname "$0")"/util.sh
+
++if [[ "$(sysctl -ne kernel.apparmor_restrict_unprivileged_userns)" -eq 1 ]]; then
++ echo "Cannot create unprivileged user namespaces" >/skipped
++ exit 0
++fi
++
+ systemd-analyze log-level debug
+
+ runas testuser systemd-run --wait --user --unit=test-private-users \
+--
+2.33.0
+
diff --git a/backport-test-skip-TEST-84-STORAGETM-if-running-with-bugged-l.patch b/backport-test-skip-TEST-84-STORAGETM-if-running-with-bugged-l.patch
new file mode 100644
index 0000000..f8be324
--- /dev/null
+++ b/backport-test-skip-TEST-84-STORAGETM-if-running-with-bugged-l.patch
@@ -0,0 +1,46 @@
+From 3471f60ff51ae764c91035d874848bd78fc3e6b9 Mon Sep 17 00:00:00 2001
+From: Luca Boccassi
+Date: Thu, 14 Nov 2024 16:19:25 +0000
+Subject: [PATCH 1011/1160] test: skip TEST-84-STORAGETM if running with bugged
+ libnvme
+
+libnvme 1.11 appears to require a kernel built with NVME TLS
+kconfigs, and fails hard if it is not, as the expected
+privileged keyring '.nvme' is not present. We cannot just
+create it from userspace, as privileged keyrings can only
+be created by the kernel itself (those starting with '.').
+
+Skip the test if the library exactly matches this version.
+
+https://github.com/linux-nvme/nvme-cli/issues/2573
+
+Fixes https://github.com/systemd/systemd/issues/35130
+
+(cherry picked from commit 893aa45886ef84b1827445dc438e410ad89fbbbf)
+(cherry picked from commit d8ec2770b7bb6ba9f7e3c31cb8094a2983139952)
+---
+ test/units/testsuite-84.sh | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/test/units/testsuite-84.sh b/test/units/testsuite-84.sh
+index eae87d5234..c5cb898902 100755
+--- a/test/units/testsuite-84.sh
++++ b/test/units/testsuite-84.sh
+@@ -3,6 +3,14 @@
+ set -eux
+ set -o pipefail
+
++if systemd-analyze compare-versions "$(nvme --version | grep libnvme | awk '{print $3}')" eq 1.11; then
++ if grep -q "CONFIG_NVME_TCP_TLS is not set" "/boot/config-$(uname -r)" 2>/dev/null || grep -q "CONFIG_NVME_TCP_TLS is not set" "/usr/lib/modules/$(uname -r)/config" 2>/dev/null; then
++ # See: https://github.com/linux-nvme/nvme-cli/issues/2573
++ echo "nvme-cli is broken and requires TLS support in the kernel" >/skipped
++ exit 77
++ fi
++fi
++
+ modprobe -v nvmet-tcp
+ modprobe -v nvme-tcp
+
+--
+2.33.0
+
diff --git a/backport-test-skip-a-systemd-run-test-if-unprivileged-userns-.patch b/backport-test-skip-a-systemd-run-test-if-unprivileged-userns-.patch
new file mode 100644
index 0000000..ef6f9c7
--- /dev/null
+++ b/backport-test-skip-a-systemd-run-test-if-unprivileged-userns-.patch
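Review bot: The skip path in testsuite-84.sh ends with `exit 77` after writing /skipped, while the other skip paths added on this page (testsuite-08.sh and testsuite-43.sh) write /skipped and `exit 0`; this patch comes from a later upstream series, so confirm that this tree's test harness treats status 77 as a skip rather than a failure before relying on it. The version probe `nvme --version | grep libnvme | awk '{print $3}'` yields an empty string when nvme-cli is missing or prints a different layout; compare-versions then does not report equality with 1.11 and the test simply proceeds, which is presumably the intended fall-through but is worth a one-line comment such as `# an empty version string (no nvme-cli) never equals 1.11, so the test is not skipped`.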
@@ -0,0 +1,45 @@
+From 159b80d44f827624ceae8a922aca883422170b1c Mon Sep 17 00:00:00 2001
+From: Nick Rosbrook
+Date: Thu, 18 Jan 2024 15:29:46 -0500
+Subject: [PATCH 0267/1160] test: skip a systemd-run test if unprivileged
+ userns is restricted
+
+With newer versions of AppArmor, unprivileged user namespace creation
+may be restricted by default, in which case user manager instances will
+not be able to apply PrivateUsers=yes, which is implied by
+PrivateTmp=yes in this systemd-run invocation.
+
+(cherry picked from commit 6327d3022452c3c2ad408fbee9cdfbc2120753c9)
+---
+ test/units/testsuite-74.run.sh | 15 ++++++++++-----
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+
+diff --git a/test/units/testsuite-74.run.sh b/test/units/testsuite-74.run.sh
+index 2caca7a5a2..e894932f27 100755
+--- a/test/units/testsuite-74.run.sh
++++ b/test/units/testsuite-74.run.sh
+@@ -80,11 +80,16 @@ systemd-run --wait --pipe --user --machine=testuser@ \
+ bash -xec '[[ "$(id -nu)" == testuser && "$(id -ng)" == testuser ]]'
+ systemd-run --wait --pipe --user --machine=testuser@ \
+ bash -xec '[[ "$PWD" == /home/testuser && -n "$INVOCATION_ID" ]]'
+-systemd-run --wait --pipe --user --machine=testuser@ \
+- --property=LimitCORE=1M:2M \
+- --property=LimitCORE=16M:32M \
+- --property=PrivateTmp=yes \
+- bash -xec '[[ "$(ulimit -c -S)" -eq 16384 && "$(ulimit -c -H)" -eq 32768 && ! -e /tmp/public-marker ]]'
++
++# PrivateTmp=yes implies PrivateUsers=yes for user manager, so skip this if we
++# don't have unprivileged user namespaces.
++if [[ "$(sysctl -ne kernel.apparmor_restrict_unprivileged_userns)" -ne 1 ]]; then
++ systemd-run --wait --pipe --user --machine=testuser@ \
++ --property=LimitCORE=1M:2M \
++ --property=LimitCORE=16M:32M \
++ --property=PrivateTmp=yes \
++ bash -xec '[[ "$(ulimit -c -S)" -eq 16384 && "$(ulimit -c -H)" -eq 32768 && ! -e /tmp/public-marker ]]'
++fi
+
+ : "Transient scope (system daemon)"
+ systemd-run --scope \
+--
+2.33.0
+
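Review bot: When the sysctl reports restricted user namespaces the PrivateTmp= case is skipped silently, so a run in which that assertion never executed is indistinguishable in the log from one in which it passed; the sibling change in testsuite-43.sh prints a reason before skipping. An else branch with `echo "Skipping PrivateTmp=yes test: unprivileged user namespaces are restricted"` keeps the two consistent and makes the gap visible when reading results.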
diff --git a/backport-test-skip-test_exec_networknamespacepath-if-netns-se.patch b/backport-test-skip-test_exec_networknamespacepath-if-netns-se.patch
new file mode 100644
index 0000000..7cd97dd
--- /dev/null
+++ b/backport-test-skip-test_exec_networknamespacepath-if-netns-se.patch
@@ -0,0 +1,60 @@ +From 019d5f88eca64dfde440bc8c573ed93066934a58 Mon Sep 17 00:00:00 2001 +From: Nick Rosbrook +Date: Tue, 9 Jan 2024 11:40:52 -0500 +Subject: [PATCH 0139/1160] test: skip test_exec_networknamespacepath if netns + setup fails + +In some environments, such as a LXD container, the netns setup might +fail because ip netns exec fails trying to mount /sys: + + $ systemd-detect-virt + lxc + $ ip link add dummy-test-exec type dummy + $ ip netns add test-execute-netns + $ ip netns exec test-execute-netns ip link add dummy-test-ns type dummy + mount of /sys failed: Operation not permitted + +If this setup fails, test_exec_networknamespacepath will fail, so check +the exit codes for these setup calls and skip the test if necessary. + +(cherry picked from commit 76808638b6f1e7e257c3b09eccdb5a8cfe855f83) +--- + src/test/test-execute.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/src/test/test-execute.c b/src/test/test-execute.c +index 6d51ad7b53..126ca14c66 100644 +--- a/src/test/test-execute.c ++++ b/src/test/test-execute.c +@@ -39,6 +39,7 @@ + static char *user_runtime_unit_dir = NULL; + static bool can_unshare; + static bool have_net_dummy; ++static bool have_netns; + static unsigned n_ran_tests = 0; + + STATIC_DESTRUCTOR_REGISTER(user_runtime_unit_dir, freep); +@@ -1111,6 +1112,9 @@ static void test_exec_networknamespacepath(Manager *m) { + if (!have_net_dummy) + return (void)log_notice("Skipping %s, dummy network interface not available", __func__); + ++ if (!have_netns) ++ return (void)log_notice("Skipping %s, network namespace not available", __func__); ++ + r = find_executable("ip", NULL); + if (r < 0) { + log_notice_errno(r, "Skipping %s, could not find ip binary: %m", __func__); +@@ -1452,8 +1456,8 @@ static int intro(void) { + + if (have_net_dummy) { + /* Create a network namespace and a dummy interface in it for NetworkNamespacePath= */ +- (void) system("ip netns add test-execute-netns"); +- (void) system("ip netns 
exec test-execute-netns ip link add dummy-test-ns type dummy");
++ have_netns = system("ip netns add test-execute-netns") == 0;
++ have_netns = have_netns && system("ip netns exec test-execute-netns ip link add dummy-test-ns type dummy") == 0;
+ }
+
+ return EXIT_SUCCESS;
+--
+2.33.0
+
diff --git a/backport-test-socket-bind-pass-the-right-error-variable.patch b/backport-test-socket-bind-pass-the-right-error-variable.patch
new file mode 100644
index 0000000..cf90e49
--- /dev/null
+++ b/backport-test-socket-bind-pass-the-right-error-variable.patch
@@ -0,0 +1,26 @@
+From 3cb58c662c196800f2ba3d6f93856308bc7cb7d0 Mon Sep 17 00:00:00 2001
+From: David Tardon
+Date: Tue, 7 May 2024 13:41:30 +0200
+Subject: [PATCH 0599/1160] test-socket-bind: pass the right error variable
+
+(cherry picked from commit 1174ebb45fdc96c4d58676b62b734ebfcc5299d3)
+---
+ src/test/test-socket-bind.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/test/test-socket-bind.c b/src/test/test-socket-bind.c
+index 84a897801a..33d05b7f59 100644
+--- a/src/test/test-socket-bind.c
++++ b/src/test/test-socket-bind.c
+@@ -83,7 +83,7 @@ static int test_socket_bind(
+ while (!IN_SET(SERVICE(u)->state, SERVICE_DEAD, SERVICE_FAILED)) {
+ r = sd_event_run(m->event, UINT64_MAX);
+ if (r < 0)
+- return log_error_errno(errno, "Event run failed %m");
++ return log_error_errno(r, "Event run failed %m");
+ }
+
+ cld_code = SERVICE(u)->exec_command[SERVICE_EXEC_START]->exec_status.code;
+--
+2.33.0
+
diff --git a/backport-test-split-out-host_has_-btrfs-mdadm-from-TEST-64-UD.patch b/backport-test-split-out-host_has_-btrfs-mdadm-from-TEST-64-UD.patch
new file mode 100644
index 0000000..4c1c59f
--- /dev/null
+++ b/backport-test-split-out-host_has_-btrfs-mdadm-from-TEST-64-UD.patch
@@ -0,0 +1,65 @@ +From a40677469af941118a2d86a386cc7a7ad8ff17ca Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Wed, 6 Dec 2023 13:29:36 +0900 +Subject: [PATCH 0180/1160] test: split out host_has_{btrfs,mdadm}() from + TEST-64-UDEV-STORAGE + +(cherry picked from commit 5b4fa6f13cf860afa53c71b52e4ceca25f8f13a5) +--- + test/TEST-64-UDEV-STORAGE/test.sh | 4 ++-- + test/test-functions | 10 ++++++++++ + 2 files changed, 12 insertions(+), 2 deletions(-) + +diff --git a/test/TEST-64-UDEV-STORAGE/test.sh b/test/TEST-64-UDEV-STORAGE/test.sh +index d41a4f00f9..b9e7bdf18a 100755 +--- a/test/TEST-64-UDEV-STORAGE/test.sh ++++ b/test/TEST-64-UDEV-STORAGE/test.sh +@@ -24,7 +24,7 @@ _host_has_feature() {( + + case "${1:?}" in + btrfs) +- modprobe -nv btrfs && command -v mkfs.btrfs && command -v btrfs || return $? ++ host_has_btrfs + ;; + iscsi) + # Client/initiator (Open-iSCSI) +@@ -36,7 +36,7 @@ _host_has_feature() {( + command -v lvm || return $? + ;; + mdadm) +- command -v mdadm || return $? ++ host_has_mdadm + ;; + multipath) + command -v multipath && command -v multipathd || return $? +diff --git a/test/test-functions b/test/test-functions +index 23345274b4..8e5570aa01 100644 +--- a/test/test-functions ++++ b/test/test-functions +@@ -1200,6 +1200,11 @@ install_lvm() { + mkdir -p "${initdir:?}/etc/lvm" + } + ++host_has_btrfs() ( ++ set -e ++ modprobe -nv btrfs && command -v mkfs.btrfs && command -v btrfs || return $? ++) ++ + install_btrfs() { + instmods btrfs + # Not all utilities provided by btrfs-progs are listed here; extend the list +@@ -1267,6 +1272,11 @@ install_iscsi() { + fi + } + ++host_has_mdadm() ( ++ set -e ++ command -v mdadm || return $? ++) ++ + install_mdadm() { + local unit + local mdadm_units=( +-- +2.33.0 + diff --git a/backport-test-support-TEST_MATCH_-stuff-in-TEST-23-UNIT-FILE-.patch b/backport-test-support-TEST_MATCH_-stuff-in-TEST-23-UNIT-FILE-.patch new file mode 100644 index 0000000..ad00291 --- /dev/null 
+++ b/backport-test-support-TEST_MATCH_-stuff-in-TEST-23-UNIT-FILE-.patch
@@ -0,0 +1,35 @@
+From a22452af0845865befbddbeff7e469ab52566389 Mon Sep 17 00:00:00 2001
+From: Frantisek Sumsal
+Date: Mon, 19 Feb 2024 20:37:31 +0100
+Subject: [PATCH 0326/1160] test: support TEST_MATCH_* stuff in
+ TEST-23-UNIT-FILE as well
+
+TEST-23 uses run_subtests_with_signals() which I forgot about when
+introducing the change.
+
+Follow-up for 0efa27bd4b.
+
+(cherry picked from commit a69ec6fb0241f6a44fa15cd0009790221c23eb4c)
+---
+ test/units/test-control.sh | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/test/units/test-control.sh b/test/units/test-control.sh
+index c067678668..0a1611b80a 100644
+--- a/test/units/test-control.sh
++++ b/test/units/test-control.sh
+@@ -86,6 +86,11 @@ run_subtests_with_signals() {
+ _trap_with_sig _handle_signal "$@"
+
+ for subtest in "${subtests[@]}"; do
++ if [[ -n "${TEST_MATCH_SUBTEST:-}" ]] && ! [[ "$subtest" =~ $TEST_MATCH_SUBTEST ]]; then
++ echo "Skipping $subtest (not matching '$TEST_MATCH_SUBTEST')"
++ continue
++ fi
++
+ : "--- $subtest BEGIN ---"
+ SECONDS=0
+ "./$subtest" &
+--
+2.33.0
+
diff --git a/backport-test-sync-journal-before-read.patch b/backport-test-sync-journal-before-read.patch
new file mode 100644
index 0000000..1aeeb4f
--- /dev/null
+++ b/backport-test-sync-journal-before-read.patch
@@ -0,0 +1,47 @@ +From 77c5b4750695f9e23ee939ebc201cffe8191fa05 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Sun, 19 May 2024 07:12:48 +0900 +Subject: [PATCH 0650/1160] test: sync journal before read + +Workaround for #32834 and #32890. + +(cherry picked from commit a610ba00d923f148702e68b1661166e887759509) +--- + test/units/testsuite-09.journal.sh | 5 +++++ + test/units/testsuite-82.sh | 4 ++++ + 2 files changed, 9 insertions(+) + +diff --git a/test/units/testsuite-09.journal.sh b/test/units/testsuite-09.journal.sh +index 2ef192c7a8..d554f6bb5c 100755 +--- a/test/units/testsuite-09.journal.sh ++++ b/test/units/testsuite-09.journal.sh +@@ -22,6 +22,11 @@ get_last_timestamp() { + journalctl -b "${1:?}" -o json -n 1 | jq -r '.__REALTIME_TIMESTAMP' + } + ++# There may be huge amount of pending messages in sockets. Processing them may cause journal rotation. ++# If the journal is rotated in the loop below, some journal file may not be loaded and an unexpected ++# result may be provided. To mitigate such, sync before reading journals. Workaround for #32890. ++journalctl --sync ++ + # Issue: #29275, second part + # Now let's check if the boot entries are in the correct/expected order + index=0 +diff --git a/test/units/testsuite-82.sh b/test/units/testsuite-82.sh +index b5e6dedfed..ccc429c53f 100755 +--- a/test/units/testsuite-82.sh ++++ b/test/units/testsuite-82.sh +@@ -42,6 +42,10 @@ if [ -f /run/testsuite82.touch3 ]; then + test "$(systemctl show -P ActiveState testsuite-82-nosurvive-sigterm.service)" != "active" + test "$(systemctl show -P ActiveState testsuite-82-nosurvive.service)" != "active" + ++ # There may be huge amount of pending messages in sockets. Processing them may cause journal rotation and ++ # removal of old archived journal files. If a journal file is removed during journalctl reading it, ++ # the command may fail. To mitigate such, sync before reading journals. Workaround for #32834. 
++ journalctl --sync + # Check journals + journalctl -o short-monotonic --no-hostname --grep '(will soft-reboot|KILL|corrupt)' + assert_eq "$(journalctl -q -o short-monotonic -u systemd-journald.service --grep 'corrupt')" "" +-- +2.33.0 + diff --git a/backport-test-sync-journal-before-reading-journal.patch b/backport-test-sync-journal-before-reading-journal.patch new file mode 100644 index 0000000..4702bbc --- /dev/null +++ b/backport-test-sync-journal-before-reading-journal.patch 
@@ -0,0 +1,32 @@
+From 5187c45115b86709f0131a5de1b2daa45b4ddf17 Mon Sep 17 00:00:00 2001
+From: Yu Watanabe
+Date: Fri, 17 May 2024 13:03:44 +0900
+Subject: [PATCH 0642/1160] test: sync journal before reading journal
+
+Otherwise, expected lines may not be processed or not sync()ed to disk.
+
+Fixes #32712.
+
+(cherry picked from commit c22a112883a46e302dae587b809c459647363ceb)
+---
+ test/units/testsuite-60.sh | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/test/units/testsuite-60.sh b/test/units/testsuite-60.sh
+index e800a7a12c..73bef06ade 100755
+--- a/test/units/testsuite-60.sh
++++ b/test/units/testsuite-60.sh
+@@ -286,8 +286,8 @@ done
+
+ # Figure out if we have entered the rate limit state.
+ # If the infra is slow we might not enter the rate limit state; in that case skip the exit check.
+-if timeout 2m bash -c "until journalctl -u init.scope --since=$TS | grep -q '(mount-monitor-dispatch) entered rate limit'; do sleep 1; done"; then
+- timeout 2m bash -c "until journalctl -u init.scope --since=$TS | grep -q '(mount-monitor-dispatch) left rate limit'; do sleep 1; done"
++if timeout 2m bash -c "until journalctl -u init.scope --since=$TS | grep -q '(mount-monitor-dispatch) entered rate limit'; do journalctl --sync; sleep 1; done"; then
++ timeout 2m bash -c "until journalctl -u init.scope --since=$TS | grep -q '(mount-monitor-dispatch) left rate limit'; do journalctl --sync; sleep 1; done"
+ fi
+
+ # Verify that the mount units are always cleaned up at the end.
+--
+2.33.0
+
diff --git a/backport-test-sync-journal-before-starting-test.patch b/backport-test-sync-journal-before-starting-test.patch
new file mode 100644
index 0000000..8a9e50d
--- /dev/null
+++ b/backport-test-sync-journal-before-starting-test.patch
@@ -0,0 +1,78 @@ +From 41ec2f7038b714448ab9ef35c0bda7ec4b1c667c Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Mon, 20 May 2024 02:34:17 +0900 +Subject: [PATCH 0656/1160] test: sync journal before starting test + +Follow-up for c22a112883a46e302dae587b809c459647363ceb. + +Hopefully fixes #32712. + +(cherry picked from commit bb84142513be74a953e13d614a9d893a3d45b06d) +--- + test/units/testsuite-60.sh | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +diff --git a/test/units/testsuite-60.sh b/test/units/testsuite-60.sh +index 73bef06ade..6f4cba8319 100755 +--- a/test/units/testsuite-60.sh ++++ b/test/units/testsuite-60.sh +@@ -203,7 +203,7 @@ EOF + } + + test_issue_23796() { +- local mount_path mount_mytmpfs ++ local mount_path mount_mytmpfs since + + mount_path="$(command -v mount 2>/dev/null)" + mount_mytmpfs="${mount_path/\/bin/\/sbin}.mytmpfs" +@@ -225,6 +225,9 @@ EOF + # shellcheck disable=SC2064 + trap "rm -f /run/systemd/system/tmp-hoge.mount '$mount_mytmpfs'" RETURN + ++ journalctl --sync ++ since="$(date '+%H:%M:%S')" ++ + for _ in {1..10}; do + systemctl --no-block start tmp-hoge.mount + sleep ".$RANDOM" +@@ -233,7 +236,7 @@ EOF + sleep 1 + + if [[ "$(systemctl is-failed tmp-hoge.mount)" == "failed" ]] || \ +- journalctl -u tmp-hoge.mount -q --grep "but there is no mount"; then ++ journalctl --since="$since" -u tmp-hoge.mount -q --grep "but there is no mount"; then + exit 1 + fi + +@@ -249,6 +252,8 @@ NUM_DIRS=20 + # make sure we can handle mounts at very long paths such that mount unit name must be hashed to fall within our unit name limit + LONGPATH="$(printf "/$(printf "x%0.s" {1..255})%0.s" {1..7})" + LONGMNT="$(systemd-escape --suffix=mount --path "$LONGPATH")" ++ ++journalctl --sync + TS="$(date '+%H:%M:%S')" + + mkdir -p "$LONGPATH" +@@ -271,6 +276,9 @@ for ((i = 0; i < NUM_DIRS; i++)); do + mkdir "/tmp/meow${i}" + done + ++# The following loop may produce many journal entries. 
++# Let's process all pending entries before testing. ++journalctl --sync + TS="$(date '+%H:%M:%S')" + + for ((i = 0; i < NUM_DIRS; i++)); do +@@ -286,7 +294,9 @@ done + + # Figure out if we have entered the rate limit state. + # If the infra is slow we might not enter the rate limit state; in that case skip the exit check. ++journalctl --sync + if timeout 2m bash -c "until journalctl -u init.scope --since=$TS | grep -q '(mount-monitor-dispatch) entered rate limit'; do journalctl --sync; sleep 1; done"; then ++ journalctl --sync + timeout 2m bash -c "until journalctl -u init.scope --since=$TS | grep -q '(mount-monitor-dispatch) left rate limit'; do journalctl --sync; sleep 1; done" + fi + +-- +2.33.0 + diff --git a/backport-test-tell-delv-to-load-anchors-from-etc-bind.keys-ex.patch b/backport-test-tell-delv-to-load-anchors-from-etc-bind.keys-ex.patch new file mode 100644 index 0000000..d1f43ee --- /dev/null +++ b/backport-test-tell-delv-to-load-anchors-from-etc-bind.keys-ex.patch 
@@ -0,0 +1,108 @@ +From d62f1bbe31e45059113fcc82957e4c5cb0d7d69e Mon Sep 17 00:00:00 2001 +From: Frantisek Sumsal +Date: Thu, 14 Dec 2023 16:59:21 +0100 +Subject: [PATCH 0200/1160] test: tell delv to load anchors from /etc/bind.keys + explicitly + +Since [0] delv no longer does that automagically, so we have to that +explicitly with each delv invocation. + +Resolves: #30477 + +[0] https://github.com/isc-projects/bind9/commit/c144fd2871206d209ccdb916f5959a3ceab1d44c + +(cherry picked from commit 438c7cb20e83a3b88f6accc3e78d3da5e21f6db2) +--- + test/units/testsuite-75.sh | 30 ++++++++++++++++++------------ + 1 file changed, 18 insertions(+), 12 deletions(-) + +diff --git a/test/units/testsuite-75.sh b/test/units/testsuite-75.sh +index c9cdc687be..54234484c4 100755 +--- a/test/units/testsuite-75.sh ++++ b/test/units/testsuite-75.sh +@@ -20,6 +20,12 @@ run() { + "$@" |& tee "$RUN_OUT" + } + ++run_delv() { ++ # Since [0] delv no longer loads /etc/(bind/)bind.keys by default, so we ++ # have to do that explicitly for each invocation ++ run delv -a /etc/bind.keys "$@" ++} ++ + disable_ipv6() { + sysctl -w net.ipv6.conf.all.disable_ipv6=1 + } +@@ -359,15 +365,15 @@ grep -qF "unsigned.test IN MX 15 mail.unsigned.test" "$RUN_OUT" + # Check the trust chain (with and without systemd-resolved in between + # Issue: https://github.com/systemd/systemd/issues/22002 + # PR: https://github.com/systemd/systemd/pull/23289 +-run delv @ns1.unsigned.test signed.test ++run_delv @ns1.unsigned.test signed.test + grep -qF "; fully validated" "$RUN_OUT" +-run delv signed.test ++run_delv signed.test + grep -qF "; fully validated" "$RUN_OUT" + + for addr in "${DNS_ADDRESSES[@]}"; do +- run delv "@$addr" -t A mail.signed.test ++ run_delv "@$addr" -t A mail.signed.test + grep -qF "; fully validated" "$RUN_OUT" +- run delv "@$addr" -t AAAA mail.signed.test ++ run_delv "@$addr" -t AAAA mail.signed.test + grep -qF "; fully validated" "$RUN_OUT" + done + run resolvectl query mail.signed.test +@@ 
-405,7 +411,7 @@ grep -qF "10.0.0.123" "$RUN_OUT" + grep -qF "fd00:dead:beef:cafe::123" "$RUN_OUT" + grep -qF "authenticated: yes" "$RUN_OUT" + # Check OPENPGPKEY support +-run delv -t OPENPGPKEY 5a786cdc59c161cdafd818143705026636962198c66ed4c5b3da321e._openpgpkey.signed.test ++run_delv -t OPENPGPKEY 5a786cdc59c161cdafd818143705026636962198c66ed4c5b3da321e._openpgpkey.signed.test + grep -qF "; fully validated" "$RUN_OUT" + run resolvectl openpgp mr.smith@signed.test + grep -qF "5a786cdc59c161cdafd818143705026636962198c66ed4c5b3da321e._openpgpkey.signed.test" "$RUN_OUT" +@@ -421,11 +427,11 @@ check_domain() { + local addr + + for addr in "${DNS_ADDRESSES[@]}"; do +- run delv "@$addr" -t "$record" "$domain" ++ run_delv "@$addr" -t "$record" "$domain" + grep -qF "$message" "$RUN_OUT" + done + +- run delv -t "$record" "$domain" ++ run_delv -t "$record" "$domain" + grep -qF "$message" "$RUN_OUT" + + run resolvectl query "$domain" +@@ -461,9 +467,9 @@ grep -qE "^follow14\.final\.signed\.test\..+IN\s+NSEC\s+" "$RUN_OUT" + # Check the trust chain (with and without systemd-resolved in between + # Issue: https://github.com/systemd/systemd/issues/22002 + # PR: https://github.com/systemd/systemd/pull/23289 +-run delv @ns1.unsigned.test sub.onlinesign.test ++run_delv @ns1.unsigned.test sub.onlinesign.test + grep -qF "; fully validated" "$RUN_OUT" +-run delv sub.onlinesign.test ++run_delv sub.onlinesign.test + grep -qF "; fully validated" "$RUN_OUT" + + run dig +short sub.onlinesign.test +@@ -477,11 +483,11 @@ run resolvectl query --legend=no -t TXT onlinesign.test + grep -qF 'onlinesign.test IN TXT "hello from onlinesign"' "$RUN_OUT" + + for addr in "${DNS_ADDRESSES[@]}"; do +- run delv "@$addr" -t A dual.onlinesign.test ++ run_delv "@$addr" -t A dual.onlinesign.test + grep -qF "10.0.0.135" "$RUN_OUT" +- run delv "@$addr" -t AAAA dual.onlinesign.test ++ run_delv "@$addr" -t AAAA dual.onlinesign.test + grep -qF "fd00:dead:beef:cafe::135" "$RUN_OUT" +- run delv "@$addr" -t ANY 
ipv6.onlinesign.test ++ run_delv "@$addr" -t ANY ipv6.onlinesign.test + grep -qF "fd00:dead:beef:cafe::136" "$RUN_OUT" + done + run resolvectl query dual.onlinesign.test +-- +2.33.0 + diff --git a/backport-test-temporarily-adjust-the-default-mount-rate-limit.patch b/backport-test-temporarily-adjust-the-default-mount-rate-limit.patch new file mode 100644 index 0000000..5442044 --- /dev/null +++ b/backport-test-temporarily-adjust-the-default-mount-rate-limit.patch 
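Review bot: The comment on the new run_delv() wrapper cites `[0]`, but that footnote exists only in the commit message, so inside testsuite-75.sh the reference dangles; putting the link in the comment itself, e.g. `# Since https://github.com/isc-projects/bind9/commit/c144fd2871206d209ccdb916f5959a3ceab1d44c delv no longer loads bind.keys by default, so pass the anchors explicitly`, keeps the rationale with the code. The same comment names both /etc/bind.keys and /etc/bind/bind.keys while the wrapper hardcodes `-a /etc/bind.keys`; if a test image only provides the Debian-style /etc/bind/bind.keys every run_delv call would fail, so confirm that the test setup (outside this hunk) writes the anchors to /etc/bind.keys.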
@@ -0,0 +1,45 @@ +From 4d60fb706918f32f3097687929debeb10a34bee9 Mon Sep 17 00:00:00 2001 +From: Frantisek Sumsal +Date: Wed, 3 Jan 2024 19:00:39 +0100 +Subject: [PATCH 0116/1160] test: temporarily adjust the default mount rate + limit + +(Hopefully) a temporary workaround for #30573 where starting a user +session when PID 1 is rate limited stalls even after it leaves the rate +limited state: + +[ 11.658201] H systemd[1]: Sent message type=signal sender=n/a destination=n/a path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager member=UnitRemoved cookie=4208 reply_cookie=0 signature=so error-name=n/a error-mes> +[ 11.658233] H systemd[1]: Event source 0x559babdd8bb0 (mount-monitor-dispatch) left rate limit state. +[ 101.562697] H busctl[784]: Failed to get credentials: Transport endpoint is not connected +[ 101.563480] H systemd[1]: systemd-journald.service: Got notification message from PID 300 (WATCHDOG=1) +[ 101.563725] H testsuite-74.sh[784]: BusAddress=unixexec:path=systemd-run,argv1=-M.host,argv2=-PGq,argv3=--wait,argv4=-pUser%3dtestuser,argv5=-pPAMName%3dlogin,argv6=systemd-stdio-bridge,argv7=-punix:path%3d%24%7bXDG_RUNTIME_DIR%7d/bus +[ 101.564136] H systemd[1]: Successfully forked off '(sd-expire)' as PID 787. +[ 101.564754] H systemd[1]: Successfully forked off '(sd-expire)' as PID 788. +[ 101.564831] H testsuite-74.sh[381]: + echo 'Subtest /usr/lib/systemd/tests/testdata/units/testsuite-74.busctl.sh failed' + +The issue appeared after ee07fff03b which does a bunch of mounts/umounts +that get PID 1 into a rate limited state, and is frequent enough to be +annoying, so let's temporarily bump the rate limit to alleviate that. 
+ +(cherry picked from commit c707e346fbf4d8dba262f1af4fd25e2cb6b109b6) +--- + test/TEST-74-AUX-UTILS/test.sh | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/test/TEST-74-AUX-UTILS/test.sh b/test/TEST-74-AUX-UTILS/test.sh +index f033ec469f..198c609822 100755 +--- a/test/TEST-74-AUX-UTILS/test.sh ++++ b/test/TEST-74-AUX-UTILS/test.sh +@@ -8,6 +8,9 @@ NSPAWN_ARGUMENTS="--private-network" + # shellcheck source=test/test-functions + . "${TEST_BASE_DIR:?}/test-functions" + ++# (Hopefully) a temporary workaround for https://github.com/systemd/systemd/issues/30573 ++KERNEL_APPEND="${KERNEL_APPEND:-} SYSTEMD_DEFAULT_MOUNT_RATE_LIMIT_BURST=100" ++ + test_append_files() { + local workspace="${1:?}" + +-- +2.33.0 + diff --git a/backport-test-temporarily-disable-test_sysctl.patch b/backport-test-temporarily-disable-test_sysctl.patch new file mode 100644 index 0000000..a892c43 --- /dev/null +++ b/backport-test-temporarily-disable-test_sysctl.patch 
@@ -0,0 +1,27 @@ +From b872bbdc8d57ee33fd4028b7bc9f46968031fe53 Mon Sep 17 00:00:00 2001 +From: Frantisek Sumsal +Date: Tue, 12 Dec 2023 12:20:41 +0100 +Subject: [PATCH 0551/1160] test: temporarily disable test_sysctl + +Until https://github.com/systemd/systemd/issues/30056 is resolved. + +(cherry picked from commit 8ed7800d7b0674c278513968e1bea1ebd4320c4f) +--- + test/test-network/systemd-networkd-tests.py | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/test/test-network/systemd-networkd-tests.py b/test/test-network/systemd-networkd-tests.py +index df49d65c42..a871d1989b 100755 +--- a/test/test-network/systemd-networkd-tests.py ++++ b/test/test-network/systemd-networkd-tests.py +@@ -3581,6 +3581,7 @@ class NetworkdNetworkTests(unittest.TestCase, Utilities): + print(output) + self.assertRegex(output, 'inet6 .* scope link') + ++ @unittest.skip("Re-enable once https://github.com/systemd/systemd/issues/30056 is resolved") + def test_sysctl(self): + copy_networkd_conf_dropin('25-global-ipv6-privacy-extensions.conf') + copy_network_unit('25-sysctl.network', '12-dummy.netdev', copy_dropins=False) +-- +2.33.0 + diff --git a/backport-test-temporarily-enable-session-lingering-for-the-te.patch b/backport-test-temporarily-enable-session-lingering-for-the-te.patch new file mode 100644 index 0000000..7ea98cf --- /dev/null +++ b/backport-test-temporarily-enable-session-lingering-for-the-te.patch 
@@ -0,0 +1,87 @@ +From 51b1a49426b2ccc8f1bc63b203717212d0ff8e63 Mon Sep 17 00:00:00 2001 +From: Frantisek Sumsal +Date: Wed, 21 Feb 2024 15:42:35 +0100 +Subject: [PATCH 0328/1160] test: temporarily enable session lingering for the + test user #2 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Similarly to bbac11c993 we need to enable session lingering for the test +user, so the long-running test units are not killed prematurely: + +[ 18.822261] testsuite-55.sh[403]: + systemctl start --machine testuser@.host --user testsuite-55-testchill.service +[ 18.852775] systemd[1]: Started run-u17.service. +[ 19.256431] (o-bridge)[526]: pam_unix(login:session): session opened for user testuser(uid=4711) by testuser(uid=0) +[ 19.288346] systemd[1]: Started session-2.scope. +[ 20.165874] systemd[392]: Created slice session.slice. +[ 20.166459] systemd[392]: Starting dbus-broker.service... +[ 20.220189] dbus-broker-launch[529]: Policy to allow eavesdropping in /usr/share/dbus-1/session.conf +31: Eavesdropping is deprecated and ignored +[ 20.220189] dbus-broker-launch[529]: Policy to allow eavesdropping in /usr/share/dbus-1/session.conf +33: Eavesdropping is deprecated and ignored +[ 20.220494] systemd[392]: Started dbus-broker.service. +[ 20.224276] dbus-broker-launch[529]: Ready +[ 20.231702] systemd[392]: Created slice testsuite.slice. +[ 20.231976] systemd[392]: Created slice testsuite-55.slice. +[ 20.232259] systemd[392]: Created slice testsuite-55-workload.slice. +[ 31.065294] testsuite-55.sh[403]: + systemctl start --machine testuser@.host --user testsuite-55-testbloat.service +[ 31.065641] (sd-pam)[528]: pam_unix(login:session): session closed for user testuser +[ 31.066103] (sd-pam)[528]: pam_systemd(login:session): Failed to release session: Access denied +[ 31.066152] systemd[392]: Started testsuite-55-testchill.service. +[ 31.068062] systemd[1]: run-u17.service: Deactivated successfully. 
+[ 31.068217] dbus-broker[389]: A security policy denied :1.20 to send method call /org/freedesktop/login1:org.freedesktop.login1.Manager.ReleaseSession to org.freedesktop.login1. +[ 31.075901] (o-bridge)[537]: pam_unix(login:session): session opened for user testuser(uid=4711) by testuser(uid=0) +[ 31.091098] systemd[1]: Stopping session-2.scope... +[ 31.092158] systemd[1]: Started run-u21.service. +[ 31.092993] systemd[1]: session-2.scope: Deactivated successfully. +[ 31.093287] systemd[1]: Stopped session-2.scope. +[ 31.095798] systemd[1]: Stopping user@4711.service... +[ 31.103541] systemd[392]: Activating special unit exit.target... +[ 31.108359] systemd[392]: Stopped target default.target. +[ 31.109798] systemd[392]: Stopped target timers.target. +[ 31.110790] systemd[392]: Stopping testsuite-55-testchill.service... +[ 31.112154] systemd[392]: Stopped testsuite-55-testchill.service. +[ 31.114033] systemd[392]: Removed slice testsuite-55-workload.slice. +[ 31.114971] systemd[392]: Removed slice testsuite-55.slice. +[ 31.115858] systemd[392]: Removed slice testsuite.slice. +... +[ 31.475949] testsuite-55.sh[403]: + systemctl --machine testuser@.host --user status testsuite-55-testchill.service +[ 31.490464] systemd[1]: session-3.scope: Deactivated successfully. +[ 31.565929] systemd[1]: Started run-u33.service. +[ 31.592437] (o-bridge)[583]: pam_unix(login:session): session opened for user testuser(uid=4711) by testuser(uid=0) +[ 31.610210] systemd[1]: Started session-5.scope. +[ 31.616960] testsuite-55.sh[578]: ○ testsuite-55-testchill.service - No memory pressure +[ 31.616960] testsuite-55.sh[578]: Loaded: loaded (/usr/lib/systemd/tests/testdata/units/testsuite-55-testchill.service; static) +[ 31.616960] testsuite-55.sh[578]: Active: inactive (dead) +[ 31.617438] (sd-pam)[586]: pam_unix(login:session): session closed for user testuser + +Addresses https://github.com/systemd/systemd/pull/31426#issuecomment-1956436844. 
+ +(cherry picked from commit ff80bd2d6daf6c83592ba084e6241eb92e53ec7f) +--- + test/units/testsuite-55.sh | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/test/units/testsuite-55.sh b/test/units/testsuite-55.sh +index 2cdb6f44e7..81617db7cd 100755 +--- a/test/units/testsuite-55.sh ++++ b/test/units/testsuite-55.sh +@@ -118,6 +118,7 @@ if systemctl status testsuite-55-testbloat.service; then exit 42; fi + if ! systemctl status testsuite-55-testchill.service; then exit 24; fi + + # Make sure we also work correctly on user units. ++loginctl enable-linger testuser + + systemctl start --machine "testuser@.host" --user testsuite-55-testchill.service + systemctl start --machine "testuser@.host" --user testsuite-55-testbloat.service +@@ -145,6 +146,8 @@ done + if systemctl --machine "testuser@.host" --user status testsuite-55-testbloat.service; then exit 42; fi + if ! systemctl --machine "testuser@.host" --user status testsuite-55-testchill.service; then exit 24; fi + ++loginctl disable-linger testuser ++ + # only run this portion of the test if we can set xattrs + if cgroupfs_supports_user_xattrs; then + sleep 120 # wait for systemd-oomd kill cool down and elevated memory pressure to come down +-- +2.33.0 + diff --git a/backport-test-terminal-util-print-value-of-colors_enabled.patch b/backport-test-terminal-util-print-value-of-colors_enabled.patch new file mode 100644 index 0000000..f360fba --- /dev/null +++ b/backport-test-terminal-util-print-value-of-colors_enabled.patch 
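Review bot: `loginctl disable-linger testuser` is only reached on the success path; the `exit 42` / `exit 24` checks between the two new lines leave lingering enabled, so the test user's manager survives into whatever runs next on the same image. If the script does not already install an EXIT trap, `trap 'loginctl disable-linger testuser' EXIT` placed right after the `enable-linger` call makes the cleanup unconditional, and the explicit `disable-linger` at the second hunk can stay as the normal-path cleanup. The enclosing script continues outside both inner hunks.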
@@ -0,0 +1,31 @@ +From f120804bb746113d911e8bdf53616aa21a6ecf6b Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Mon, 28 Oct 2024 13:39:36 +0100 +Subject: [PATCH 0977/1160] test-terminal-util: print value of colors_enabled() + +This makes it easier to diagnose why colors are disabled. + +(cherry picked from commit b137b2979868e2de5fb5c26e90bacee33597b8e7) +(cherry picked from commit bbdb5f97a96e5942bb055770366e0d48c3ee8540) +--- + src/test/test-terminal-util.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/src/test/test-terminal-util.c b/src/test/test-terminal-util.c +index a2b7101573..338cd6a525 100644 +--- a/src/test/test-terminal-util.c ++++ b/src/test/test-terminal-util.c +@@ -22,6 +22,10 @@ + "in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat " \ + "non proident, sunt in culpa qui officia deserunt mollit anim id est laborum." + ++TEST(colors_enabled) { ++ log_info("colors_enabled: %s", yes_no(colors_enabled())); ++} ++ + TEST(default_term_for_tty) { + puts(default_term_for_tty("/dev/tty23")); + puts(default_term_for_tty("/dev/ttyS23")); +-- +2.33.0 + diff --git a/backport-test-test-rpm-macros.sh-add-build-directory-to-pkg-c.patch b/backport-test-test-rpm-macros.sh-add-build-directory-to-pkg-c.patch new file mode 100644 index 0000000..85824ca --- /dev/null +++ b/backport-test-test-rpm-macros.sh-add-build-directory-to-pkg-c.patch 
@@ -0,0 +1,30 @@ +From 936576d0f5300d3f5b455246acbba729b558659b Mon Sep 17 00:00:00 2001 +From: Radoslav Kolev +Date: Tue, 14 May 2024 12:19:22 +0300 +Subject: [PATCH 0633/1160] test/test-rpm-macros.sh: add build directory to + pkg-config search path + +If tests are run during build time, without an already installed +systemd they fail to resolve the sysusersdir and tpmfilesdir pkg-config variables. + +(cherry picked from commit 2aee829fc88fdde3983080de5c56fa06eb678280) +--- + test/test-rpm-macros.sh | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/test/test-rpm-macros.sh b/test/test-rpm-macros.sh +index c7107dec3e..c9a45dc783 100755 +--- a/test/test-rpm-macros.sh ++++ b/test/test-rpm-macros.sh +@@ -137,7 +137,7 @@ for i in sysusers tmpfiles; do + + PKG_DATA_FILE="$(mktemp "$WORK_DIR/pkg-data-XXX")" + EXP_OUT="$(mktemp "$WORK_DIR/exp-out-XXX.log")" +- CONF_DIR="$(pkg-config --variable="${i}dir" systemd)" ++ CONF_DIR="$(PKG_CONFIG_PATH="${BUILD_DIR}/src/core" pkg-config --variable="${i}dir" systemd)" + EXTRA_ARGS=() + + if [[ "$i" == tmpfiles ]]; then +-- +2.33.0 + diff --git a/backport-test-test-shutdown.py-optionally-display-the-test-I-.patch b/backport-test-test-shutdown.py-optionally-display-the-test-I-.patch new file mode 100644 index 0000000..5a61d9e --- /dev/null +++ b/backport-test-test-shutdown.py-optionally-display-the-test-I-.patch 
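Review bot: The new `PKG_CONFIG_PATH="${BUILD_DIR}/src/core"` prefix replaces, rather than extends, any `PKG_CONFIG_PATH` the caller exported, and an unset `BUILD_DIR` silently expands to `/src/core`. Presumably `BUILD_DIR` is set earlier in the script (outside the hunk); `CONF_DIR="$(PKG_CONFIG_PATH="${BUILD_DIR:-}/src/core${PKG_CONFIG_PATH:+:$PKG_CONFIG_PATH}" pkg-config --variable="${i}dir" systemd)"` keeps the caller's search path as a fallback, and `${BUILD_DIR:?}` instead of `${BUILD_DIR:-}` would fail loudly if the variable is mandatory. The surrounding `for i in sysusers tmpfiles` loop starts outside the hunk.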
@@ -0,0 +1,68 @@ +From dcea9bc57852b6d86651fed02445cc1c9a772164 Mon Sep 17 00:00:00 2001 +From: Franck Bui +Date: Thu, 8 Feb 2024 16:12:41 +0100 +Subject: [PATCH 0344/1160] test/test-shutdown.py: optionally display the test + I/Os in a dedicated log file + +Given that the test involves screen(1), sending various control sequences to +resize/clear the screen, most of the logs sent from the python script were +nearly impossible to read or mixed with other messages sent to the console +hence making the debug harder when the test is run manually. + +This patch introduces an option to redirect the pexpect IOs into a file (to be +used in $STATEDIR/TEST-69-SHUTDOWN/run-nspawn). + +The pexpect logs are also enabled later so the boot logs are skipped since +those are already included in the journal. + +(cherry picked from commit cf14d1144717967ebdd150cb21ed5dc00e832a80) +--- + test/test-shutdown.py | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +diff --git a/test/test-shutdown.py b/test/test-shutdown.py +index e491f1e1a9..f496122f80 100755 +--- a/test/test-shutdown.py ++++ b/test/test-shutdown.py +@@ -21,15 +21,18 @@ def run(args): + "TERM": "linux", + }, encoding='utf-8', timeout=60) + +- if args.verbose: +- console.logfile = sys.stdout +- + logger.debug("child pid %d", console.pid) + + try: + logger.info("waiting for login prompt") + console.expect('H login: ', 10) + ++ if args.logfile: ++ logger.debug("Logging pexpect IOs to %s", args.logfile) ++ console.logfile = open(args.logfile, 'w') ++ elif args.verbose: ++ console.logfile = sys.stdout ++ + logger.info("log in and start screen") + console.sendline('root') + console.expect('bash.*# ', 10) +@@ -44,7 +47,7 @@ def run(args): + console.sendline('tty') + console.expect(r'/dev/(pts/\d+)') + pty = console.match.group(1) +- logger.info("window 1 at line %s", pty) ++ logger.info("window 1 at tty %s", pty) + + logger.info("schedule reboot") + console.sendline('shutdown -r') +@@ -112,6 +115,7 @@ def 
run(args): + def main(): + parser = argparse.ArgumentParser(description='test logind shutdown feature') + parser.add_argument("-v", "--verbose", action="store_true", help="verbose") ++ parser.add_argument("--logfile", metavar='FILE', help="Save all test input/output to the given path") + parser.add_argument("command", help="command to run") + parser.add_argument("arg", nargs='*', help="args for command") + +-- +2.33.0 + diff --git a/backport-test-test-that-delegation-of-some-newer-attrs-that-s.patch b/backport-test-test-that-delegation-of-some-newer-attrs-that-s.patch new file mode 100644 index 0000000..91dd8f4 --- /dev/null +++ b/backport-test-test-that-delegation-of-some-newer-attrs-that-s.patch 
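Review bot: `console.logfile = open(args.logfile, 'w')` is never closed or flushed explicitly and the file object is block-buffered, so if the script is killed or aborts on an exception the tail of the transcript — the part needed to debug a hung shutdown — may never reach disk. Opening line-buffered, `console.logfile = open(args.logfile, 'w', buffering=1)`, makes each line durable as it is written; if the enclosing `try` has a `finally` (outside the hunk), closing the handle there would complete the fix. `run()` starts and ends outside the hunk.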
@@ -0,0 +1,38 @@ +From ed43523a79c677861265bb3c2a52648368f49b83 Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Wed, 13 Dec 2023 10:10:56 +0100 +Subject: [PATCH 0069/1160] test: test that delegation of some newer attrs that + shall be delegated work + +(cherry picked from commit 113defc76b3c85ee9041c0489883cd1eace7fe3c) +--- + test/units/testsuite-19.delegate.sh | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +diff --git a/test/units/testsuite-19.delegate.sh b/test/units/testsuite-19.delegate.sh +index 83446a5704..74d36c405d 100755 +--- a/test/units/testsuite-19.delegate.sh ++++ b/test/units/testsuite-19.delegate.sh +@@ -26,6 +26,19 @@ systemd-run --wait \ + -w /sys/fs/cgroup/system.slice/test-0.service/cgroup.procs -a \ + -w /sys/fs/cgroup/system.slice/test-0.service/cgroup.subtree_control + ++# Test if this also works for some of the more recent attrs the kernel might or might not support ++for attr in cgroup.threads memory.oom.group memory.reclaim ; do ++ ++ if grep -q "$attr" /sys/kernel/cgroup/delegate ; then ++ systemd-run --wait \ ++ --unit=test-0.service \ ++ --property="DynamicUser=1" \ ++ --property="Delegate=" \ ++ test -w /sys/fs/cgroup/system.slice/test-0.service/ -a \ ++ -w /sys/fs/cgroup/system.slice/test-0.service/"$attr" ++ fi ++done ++ + systemd-run --wait \ + --unit=test-1.service \ + --property="DynamicUser=1" \ +-- +2.33.0 + diff --git a/backport-test-time-util-do-more-suppression-of-time-zone-chec.patch b/backport-test-time-util-do-more-suppression-of-time-zone-chec.patch new file mode 100644 index 0000000..2e3aa05 --- /dev/null +++ b/backport-test-time-util-do-more-suppression-of-time-zone-chec.patch 
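Review bot: `grep -q "$attr" /sys/kernel/cgroup/delegate` treats the attribute name as an unanchored regular expression, so the dots match any character and a partial-line match is enough to enter the branch. `if grep -qxF "$attr" /sys/kernel/cgroup/delegate; then` matches the literal name as a whole line, which is what the loop intends. A short comment noting that a missing delegate file makes grep fail and skips the check silently would also help, since that is the expected behaviour on kernels without the newer attributes.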
@@ -0,0 +1,71 @@ +From 98cf43bf9ad6515be85a42ed49cfec0a2ba13822 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Thu, 5 Dec 2024 13:32:19 +0100 +Subject: [PATCH 1065/1160] test-time-util: do more suppression of time zone + checks +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The issue is directly triggered by tzdata-2024b, where the setting of timezone +started to fail and the tests stopped passing. But those timestamps in 1/1/1970 +appear to have some problems already before: + + $ sudo date -s 'Thu 1970-01-01 13:00:01 WET' + Thu Jan 1 03:00:01 PM EET 1970 + $ sudo date -s 'Thu 1970-01-01 12:00:01 WET' + date: cannot set date: Invalid argument + Thu Jan 1 02:00:01 PM EET 1970 + $ rpm -q tzdata + tzdata-2024a-9.fc41.noarch + +The same issue appears with other timezones. So move the first timestamp one +day forward to avoid the issue. + +After the previous problem is solved, we also get the problem already seen +previously where the roundtrip returns a time that is off by one hour: + +@86401000000 → Fri 1970-01-02 00:00:01 WET → @82801000000 → Thu 1970-01-01 23:00:01 WET +Assertion 'x / USEC_PER_SEC == y / USEC_PER_SEC' failed at src/test/test-time-util.c:415, function test_format_timestamp_impl(). Aborting. + +Extend the override to suppress this. 
+ +(cherry picked from commit 3cf362f6f57b7d0b5f6b86a49316303b0dda7599) +(cherry picked from commit 43a99d49dd8af29526df5de9c00d0fdcb57171c1) +--- + src/test/test-time-util.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +diff --git a/src/test/test-time-util.c b/src/test/test-time-util.c +index 0a472d65d9..3397f6dfcf 100644 +--- a/src/test/test-time-util.c ++++ b/src/test/test-time-util.c +@@ -402,11 +402,12 @@ static void test_format_timestamp_impl(usec_t x) { + assert_se(yy); + + success = (x / USEC_PER_SEC == y / USEC_PER_SEC) && streq(xx, yy); +- /* Workaround for https://github.com/systemd/systemd/issues/28472 */ ++ /* Workaround for https://github.com/systemd/systemd/issues/28472 ++ * and https://github.com/systemd/systemd/pull/35471. */ + override = !success && +- (STRPTR_IN_SET(tzname[0], "CAT", "EAT") || +- STRPTR_IN_SET(tzname[1], "CAT", "EAT")) && +- DIV_ROUND_UP(y - x, USEC_PER_SEC) == 3600; /* 1 hour, ignore fractional second */ ++ (STRPTR_IN_SET(tzname[0], "CAT", "EAT", "WET") || ++ STRPTR_IN_SET(tzname[1], "CAT", "EAT", "WET")) && ++ DIV_ROUND_UP(x > y ? x - y : y - x, USEC_PER_SEC) == 3600; /* 1 hour, ignore fractional second */ + log_full(success ? LOG_DEBUG : override ? LOG_WARNING : LOG_ERR, + "@" USEC_FMT " → %s → @" USEC_FMT " → %s%s", + x, xx, y, yy, +@@ -418,7 +419,7 @@ static void test_format_timestamp_impl(usec_t x) { + } + + static void test_format_timestamp_loop(void) { +- test_format_timestamp_impl(USEC_PER_SEC); ++ test_format_timestamp_impl(USEC_PER_DAY + USEC_PER_SEC); + test_format_timestamp_impl(USEC_TIMESTAMP_FORMATTABLE_MAX_32BIT-1); + test_format_timestamp_impl(USEC_TIMESTAMP_FORMATTABLE_MAX_32BIT); + test_format_timestamp_impl(USEC_TIMESTAMP_FORMATTABLE_MAX-1); +-- +2.33.0 + diff --git a/backport-test-time-util-fix-truncation-of-usec-to-sec.patch b/backport-test-time-util-fix-truncation-of-usec-to-sec.patch new file mode 100644 index 0000000..9930861 --- /dev/null 
+++ b/backport-test-time-util-fix-truncation-of-usec-to-sec.patch 
@@ -0,0 +1,59 @@ +From b07b4cee88d7565c20e5ed3ec27bb183659f7edc Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Sat, 14 Dec 2024 16:49:54 +0900 +Subject: [PATCH 1066/1160] test-time-util: fix truncation of usec to sec + +Also +- use ASSERT_XYZ() macros, +- log tzname[] on failure. + +(cherry picked from commit 3f1d499964abb6a4c0141d7ea8f852829880adff) +(cherry picked from commit 11d70500171ca6dbbad8ecf9b1cf0d29e1d6d1ed) +(cherry picked from commit 1d4bde5a40a9a1d4dcb89b240a1b80c226866ade) +--- + src/test/test-time-util.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +diff --git a/src/test/test-time-util.c b/src/test/test-time-util.c +index 3397f6dfcf..46c5c14d18 100644 +--- a/src/test/test-time-util.c ++++ b/src/test/test-time-util.c +@@ -393,7 +393,7 @@ TEST(format_timestamp) { + static void test_format_timestamp_impl(usec_t x) { + bool success, override; + const char *xx, *yy; +- usec_t y; ++ usec_t y, x_sec, y_sec; + + xx = FORMAT_TIMESTAMP(x); + assert_se(xx); +@@ -401,19 +401,23 @@ static void test_format_timestamp_impl(usec_t x) { + yy = FORMAT_TIMESTAMP(y); + assert_se(yy); + +- success = (x / USEC_PER_SEC == y / USEC_PER_SEC) && streq(xx, yy); ++ x_sec = x / USEC_PER_SEC; ++ y_sec = y / USEC_PER_SEC; ++ success = (x_sec == y_sec) && streq(xx, yy); + /* Workaround for https://github.com/systemd/systemd/issues/28472 + * and https://github.com/systemd/systemd/pull/35471. */ + override = !success && + (STRPTR_IN_SET(tzname[0], "CAT", "EAT", "WET") || + STRPTR_IN_SET(tzname[1], "CAT", "EAT", "WET")) && +- DIV_ROUND_UP(x > y ? x - y : y - x, USEC_PER_SEC) == 3600; /* 1 hour, ignore fractional second */ ++ (x_sec > y_sec ? x_sec - y_sec : y_sec - x_sec) == 3600; /* 1 hour, ignore fractional second */ + log_full(success ? LOG_DEBUG : override ? LOG_WARNING : LOG_ERR, + "@" USEC_FMT " → %s → @" USEC_FMT " → %s%s", + x, xx, y, yy, + override ? ", ignoring." 
: ""); + if (!override) { +- assert_se(x / USEC_PER_SEC == y / USEC_PER_SEC); ++ if (!success) ++ log_warning("tzname[0]=\"%s\", tzname[1]=\"%s\"", tzname[0], tzname[1]); ++ assert_se(x_sec == y_sec); + assert_se(streq(xx, yy)); + } + } +-- +2.33.0 + diff --git a/backport-test-unset-TZ-before-timezone-sensitive-unit-tests-a.patch b/backport-test-unset-TZ-before-timezone-sensitive-unit-tests-a.patch new file mode 100644 index 0000000..6d5d8cd --- /dev/null +++ b/backport-test-unset-TZ-before-timezone-sensitive-unit-tests-a.patch 
@@ -0,0 +1,65 @@ +From 85c88db9c64242f65c814f1ede467ef66066e663 Mon Sep 17 00:00:00 2001 +From: Luca Boccassi +Date: Fri, 26 Jan 2024 00:22:38 +0000 +Subject: [PATCH 0210/1160] test: unset TZ before timezone-sensitive unit tests + are run + +Some tests have hard-coded results that need to match, and change if +the caller has a timezone set via the TZ= environment variable, as it +is the case during reproducible build tests. Unset it. + +(cherry picked from commit 1e902c3463024bb328bf0d01a5d58a69e1ccf739) +--- + src/test/test-calendarspec.c | 9 ++++++++- + src/test/test-date.c | 3 +++ + src/test/test-time-util.c | 3 +++ + 3 files changed, 14 insertions(+), 1 deletion(-) + +diff --git a/src/test/test-calendarspec.c b/src/test/test-calendarspec.c +index db64142f01..18a0f8f8bf 100644 +--- a/src/test/test-calendarspec.c ++++ b/src/test/test-calendarspec.c +@@ -254,4 +254,11 @@ TEST(calendar_spec_from_string) { + assert_se(calendar_spec_from_string("*:4,30:*\n", &c) == -EINVAL); + } + +-DEFINE_TEST_MAIN(LOG_INFO); ++static int intro(void) { ++ /* Tests have hard-coded results that do not expect a specific timezone to be set by the caller */ ++ assert_se(unsetenv("TZ") >= 0); ++ ++ return EXIT_SUCCESS; ++} ++ ++DEFINE_TEST_MAIN_WITH_INTRO(LOG_INFO, intro); +diff --git a/src/test/test-date.c b/src/test/test-date.c +index a7058a33d4..162ac342f5 100644 +--- a/src/test/test-date.c ++++ b/src/test/test-date.c +@@ -62,6 +62,9 @@ static void test_one_noutc(const char *p) { + } + + int main(int argc, char *argv[]) { ++ /* Tests have hard-coded results that do not expect a specific timezone to be set by the caller */ ++ assert_se(unsetenv("TZ") >= 0); ++ + test_setup_logging(LOG_DEBUG); + + test_one("17:41"); +diff --git a/src/test/test-time-util.c b/src/test/test-time-util.c +index 76931ce0ab..53bc77943b 100644 +--- a/src/test/test-time-util.c ++++ b/src/test/test-time-util.c +@@ -1171,6 +1171,9 @@ TEST(timezone_offset_change) { + } + + static int intro(void) { ++ /* Tests have 
hard-coded results that do not expect a specific timezone to be set by the caller */ ++ assert_se(unsetenv("TZ") >= 0); ++ + log_info("realtime=" USEC_FMT "\n" + "monotonic=" USEC_FMT "\n" + "boottime=" USEC_FMT "\n", +-- +2.33.0 + diff --git a/backport-test-use-a-dropin-for-the-journald-snippet.patch b/backport-test-use-a-dropin-for-the-journald-snippet.patch new file mode 100644 index 0000000..378ac6c --- /dev/null +++ b/backport-test-use-a-dropin-for-the-journald-snippet.patch @@ -0,0 +1,34 @@ +From cfe745d9850f2c199c97d789ca04e7f2e2d44d8d Mon Sep 17 00:00:00 2001 +From: Frantisek Sumsal +Date: Wed, 31 Jan 2024 10:45:13 +0100 +Subject: [PATCH 0208/1160] test: use a dropin for the journald snippet + +The original way of appending to /etc/systemd/journald.conf doesn't work +anymore, since we no longer ship the default configs in /etc/. + +(cherry picked from commit 1d556e9e2a01e538ecddd8a2d8fb843391caf410) +--- + test/TEST-24-CRYPTSETUP/test.sh | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/test/TEST-24-CRYPTSETUP/test.sh b/test/TEST-24-CRYPTSETUP/test.sh +index eace3f23c0..4ace177f1f 100755 +--- a/test/TEST-24-CRYPTSETUP/test.sh ++++ b/test/TEST-24-CRYPTSETUP/test.sh +@@ -70,9 +70,10 @@ test_create_image() { + /dev/mapper/$DM_NAME /var ext4 defaults 0 1 + EOF + +- # Forward journal messages to the console, so we have something +- # to investigate even if we fail to mount the encrypted /var +- echo ForwardToConsole=yes >>"$initdir/etc/systemd/journald.conf" ++ # Forward journal messages to the console, so we have something to investigate even if we fail to mount ++ # the encrypted /var ++ mkdir "$initdir/etc/systemd/journald.conf.d/" ++ echo -ne "[Journal]\nForwardToConsole=yes\n" >"$initdir/etc/systemd/journald.conf.d/99-forward.conf" + + # If $INITRD wasn't provided explicitly, generate a custom one with dm-crypt + # support +-- +2.33.0 + 
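Review bot: `unsetenv("TZ")` changes the environment but not any time-zone state libc has already cached; glibc's `localtime()` re-reads TZ on each call, but `localtime_r()` is not required to, so a test running after an earlier `tzset()` could still observe the caller's zone. Following the assert with an explicit reset, `assert_se(unsetenv("TZ") >= 0); tzset();`, in all three files (test-calendarspec.c, test-date.c, test-time-util.c) removes that dependency on call order. This only matters if something in these binaries triggers `tzset()` before the intro code runs, which I cannot tell from the hunk.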
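Review bot: `mkdir "$initdir/etc/systemd/journald.conf.d/"` has no `-p`, so it fails if the directory already exists or if `etc/systemd` has not yet been created under `$initdir` at this point of `test_create_image`. `mkdir -p "$initdir/etc/systemd/journald.conf.d/"` covers both cases without changing the intent. The `echo -ne` form also depends on bash's builtin echo; `printf '[Journal]\nForwardToConsole=yes\n' >"$initdir/etc/systemd/journald.conf.d/99-forward.conf"` writes the same bytes portably.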
diff --git a/backport-test-use-ahost-instead-of-hosts-where-applicable.patch b/backport-test-use-ahost-instead-of-hosts-where-applicable.patch
new file mode 100644
index 0000000..f55fbf8
--- /dev/null
+++ b/backport-test-use-ahost-instead-of-hosts-where-applicable.patch
@@ -0,0 +1,74 @@ +From 7e53b1e7bb649f5a8caba1cf0fa7ddafbd0e4fca Mon Sep 17 00:00:00 2001 +From: Frantisek Sumsal +Date: Tue, 5 Mar 2024 18:19:17 +0100 +Subject: [PATCH 0434/1160] test: use 'ahost' instead of 'hosts' where + applicable + +As explained in [0] the 'hosts' database uses deprecated +gethostbyname2() which uses AF_INET6 instead of AF_UNSPEC for IPv6 +lookups which is broken and makes the test fail with disabled IPv6. + +[0] https://github.com/systemd/systemd/pull/28136#issuecomment-1974901039 + +(cherry picked from commit 4e5a7e19232bb91b0bc4d2c34146245926de9ed4) +--- + test/units/testsuite-75.sh | 31 ++++++++++++++++--------------- + 1 file changed, 16 insertions(+), 15 deletions(-) + +diff --git a/test/units/testsuite-75.sh b/test/units/testsuite-75.sh +index 7cf279ae2b..86d602d615 100755 +--- a/test/units/testsuite-75.sh ++++ b/test/units/testsuite-75.sh +@@ -281,16 +281,16 @@ knotc reload + TIMESTAMP=$(date '+%F %T') + # Issue: https://github.com/systemd/systemd/issues/23951 + # With IPv6 enabled +-run getent -s resolve hosts ns1.unsigned.test +-grep -qE "^fd00:dead:beef:cafe::1\s+ns1\.unsigned\.test" "$RUN_OUT" ++run getent -s resolve ahosts ns1.unsigned.test ++grep -qE "^fd00:dead:beef:cafe::1\s+STREAM\s+ns1\.unsigned\.test" "$RUN_OUT" + monitor_check_rr "$TIMESTAMP" "ns1.unsigned.test IN AAAA fd00:dead:beef:cafe::1" + # With IPv6 disabled + # Issue: https://github.com/systemd/systemd/issues/23951 +-# FIXME +-#disable_ipv6 +-#run getent -s resolve hosts ns1.unsigned.test +-#grep -qE "^10\.0\.0\.1\s+ns1\.unsigned\.test" "$RUN_OUT" +-#monitor_check_rr "$TIMESTAMP" "ns1.unsigned.test IN A 10.0.0.1" ++disable_ipv6 ++run getent -s resolve ahosts ns1.unsigned.test ++grep -qE "^10\.0\.0\.1\s+STREAM\s+ns1\.unsigned\.test" "$RUN_OUT" ++(! 
grep -qE "fd00:dead:beef:cafe::1" "$RUN_OUT") ++monitor_check_rr "$TIMESTAMP" "ns1.unsigned.test IN A 10.0.0.1" + enable_ipv6 + + # Issue: https://github.com/systemd/systemd/issues/18812 +@@ -298,16 +298,17 @@ enable_ipv6 + # Follow-up issue: https://github.com/systemd/systemd/issues/23152 + # Follow-up PR: https://github.com/systemd/systemd/pull/23161 + # With IPv6 enabled +-run getent -s resolve hosts localhost +-grep -qE "^::1\s+localhost" "$RUN_OUT" +-run getent -s myhostname hosts localhost +-grep -qE "^::1\s+localhost" "$RUN_OUT" ++run getent -s resolve ahosts localhost ++grep -qE "^::1\s+STREAM\s+localhost" "$RUN_OUT" ++run getent -s myhostname ahosts localhost ++grep -qE "^::1\s+STREAM\s+localhost" "$RUN_OUT" + # With IPv6 disabled + disable_ipv6 +-run getent -s resolve hosts localhost +-grep -qE "^127\.0\.0\.1\s+localhost" "$RUN_OUT" +-run getent -s myhostname hosts localhost +-grep -qE "^127\.0\.0\.1\s+localhost" "$RUN_OUT" ++run getent -s resolve ahosts localhost ++grep -qE "^127\.0\.0\.1\s+STREAM\s+localhost" "$RUN_OUT" ++(! grep -qE "::1" "$RUN_OUT") ++run getent -s myhostname ahosts localhost ++grep -qE "^127\.0\.0\.1\s+STREAM\s+localhost" "$RUN_OUT" + enable_ipv6 + + # Issue: https://github.com/systemd/systemd/issues/25088 +-- +2.33.0 + diff --git a/backport-test-use-btrfs-mkswapfile-on-btrfs.patch b/backport-test-use-btrfs-mkswapfile-on-btrfs.patch new file mode 100644 index 0000000..d8315df --- /dev/null +++ b/backport-test-use-btrfs-mkswapfile-on-btrfs.patch 
@@ -0,0 +1,51 @@ +From 06cdc05ba2b1a38f1efd2f4a8a3a2e3a750d81fb Mon Sep 17 00:00:00 2001 +From: Frantisek Sumsal +Date: Wed, 14 Feb 2024 11:48:56 +0100 +Subject: [PATCH 0321/1160] test: use btrfs' mkswapfile on btrfs + +So it's created automagically with proper attributes. + +(cherry picked from commit 1b0cf0366814f3ec103d669ed151bc5b3a144563) +--- + test/TEST-55-OOMD/test.sh | 4 +--- + test/units/testsuite-55.sh | 9 ++++++++- + 2 files changed, 9 insertions(+), 4 deletions(-) + +diff --git a/test/TEST-55-OOMD/test.sh b/test/TEST-55-OOMD/test.sh +index 64e2360b08..9a9cdecf70 100755 +--- a/test/TEST-55-OOMD/test.sh ++++ b/test/TEST-55-OOMD/test.sh +@@ -15,9 +15,7 @@ test_append_files() { + # Create a swap file + ( + image_install mkswap swapon swapoff stress +- +- dd if=/dev/zero of="${initdir:?}/swapfile" bs=1M count=48 +- chmod 0600 "${initdir:?}/swapfile" ++ image_install -o btrfs + + mkdir -p "${initdir:?}/etc/systemd/system/init.scope.d/" + cat >>"${initdir:?}/etc/systemd/system/init.scope.d/test-55-oomd.conf" < +Date: Fri, 26 Jan 2024 14:28:20 +0100 +Subject: [PATCH 0216/1160] test: use lstat() instead of + stat(follow_symlinks=False) + +This makes the test compatible with Python 3.9, as the follow_symlinks +keyword was introduced in Python 3.10. + +(cherry picked from commit 56cdf81a72795e15ff7751f62d421b1505b82846) +--- + test/test-udev.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/test/test-udev.py b/test/test-udev.py +index 5a95b9c521..d9d840eb8c 100755 +--- a/test/test-udev.py ++++ b/test/test-udev.py +@@ -122,7 +122,7 @@ class Device: + print(f'check_add {self.devpath}') + + devnode = self.get_devnode() +- st = devnode.stat(follow_symlinks=False) ++ st = devnode.lstat() + assert stat.S_ISCHR(st.st_mode) or stat.S_ISBLK(st.st_mode) + self.check_permissions(st) + self.check_major_minor(st) +-- +2.33.0 + 
diff --git a/backport-test-use-the-default-nsec3-iterations-value.patch b/backport-test-use-the-default-nsec3-iterations-value.patch new file mode 100644 index 0000000..2d282e7 --- /dev/null +++ b/backport-test-use-the-default-nsec3-iterations-value.patch @@ -0,0 +1,29 @@ +From 12ee58c2884e240cef4ff282acbfc67f84abb397 Mon Sep 17 00:00:00 2001 +From: Frantisek Sumsal +Date: Wed, 24 Jan 2024 19:19:29 +0100 +Subject: [PATCH 0201/1160] test: use the default nsec3-iterations value + +In Knot 3.2 the nsec3-iterations default was changed to 0 and Knot now +issues a warning if the value is > 0. Let's just use the default value, +since it's not something that's important for our tests. + +(cherry picked from commit 0652cf8e7b08c97a52a0995eb8f0dc6bb20a4de0) +--- + test/knot-data/knot.conf | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/test/knot-data/knot.conf b/test/knot-data/knot.conf +index 6ea0cca3db..cfe478fe1c 100644 +--- a/test/knot-data/knot.conf ++++ b/test/knot-data/knot.conf +@@ -52,7 +52,6 @@ policy: + ksk-lifetime: 365d + ksk-submission: parent_zone_sbm + nsec3: on +- nsec3-iterations: 10 + propagation-delay: 1s + signing-threads: 4 + zone-max-ttl: 1s +-- +2.33.0 + diff --git a/backport-test-verify-PEM-TPM2B_PUBLIC-conversion-for-RSA-key-.patch b/backport-test-verify-PEM-TPM2B_PUBLIC-conversion-for-RSA-key-.patch new file mode 100644 index 0000000..4101701 --- /dev/null +++ b/backport-test-verify-PEM-TPM2B_PUBLIC-conversion-for-RSA-key-.patch 
@@ -0,0 +1,43 @@ +From adf2f950783d362de2f9b699f0f3cd2863661f9e Mon Sep 17 00:00:00 2001 +From: Dan Streetman +Date: Tue, 16 Jan 2024 12:26:45 -0500 +Subject: [PATCH 0159/1160] test: verify PEM->TPM2B_PUBLIC conversion for RSA + key with non-default exponent + +The tpm2 test currently verifies PEM->TPM2B_PUBLIC conversion for an RSA key +with the default exponent (0x10001); this adds verification for an RSA key with +a non-default exponent. + +(cherry picked from commit 910caa2443c8558029eb048132d86c40bd11fdd1) +--- + src/test/test-tpm2.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +diff --git a/src/test/test-tpm2.c b/src/test/test-tpm2.c +index f4abb5c0a8..cd1751d859 100644 +--- a/src/test/test-tpm2.c ++++ b/src/test/test-tpm2.c +@@ -849,6 +849,20 @@ TEST(tpm2b_public_from_openssl_pkey) { + assert_se(p->parameters.rsaDetail.exponent == 0x10001); + + check_tpm2b_public_fingerprint(&public, "d9186d13a7fd5b3644cee05448f49ad3574e82a2942ff93cf89598d36cca78a9"); ++ ++ /* RSA key with non-default (i.e. not 0x10001) exponent */ ++ DEFINE_HEX_PTR(key_rsa2, "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"); ++ get_tpm2b_public_from_pem(key_rsa2, key_rsa2_len, &public); ++ ++ DEFINE_HEX_PTR(expected_n2, "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"); ++ assert_se(p->unique.rsa.size == expected_n2_len); ++ assert_se(memcmp(p->unique.rsa.buffer, expected_n2, expected_n2_len) == 0); ++ ++ assert_se(p->parameters.rsaDetail.keyBits == expected_n2_len * 8); ++ ++ assert_se(p->parameters.rsaDetail.exponent == 0x10005); ++ ++ check_tpm2b_public_fingerprint(&public, "e037697b827a730d107fda6117c0affcff3e8648d15a62e52b251649b8f67e47"); + } + #endif + +-- +2.33.0 + diff --git a/backport-test-wait-a-bit-before-stopping-killing-service.patch b/backport-test-wait-a-bit-before-stopping-killing-service.patch new file mode 100644 index 0000000..c32368e --- /dev/null +++ b/backport-test-wait-a-bit-before-stopping-killing-service.patch 
@@ -0,0 +1,72 @@ +From 139395d7332de385b28ece7a61473d9f854e080f Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Tue, 21 May 2024 17:57:59 +0900 +Subject: [PATCH 0673/1160] test: wait a bit before stopping/killing service + +Otherwise, when stopping the service, the last command may not be +started yet, and the service manager may not send SIGTERM signal to the +last command, but send SIGKILL on timeout. + +=== +May 21 08:23:24 test19-exit-cgroup.sh[437]: + disown +May 21 08:23:24 test19-exit-cgroup.sh[438]: + sleep infinity +May 21 08:23:24 test19-exit-cgroup.sh[437]: + systemd-notify --ready +May 21 08:23:24 test19-exit-cgroup.sh[437]: + sleep infinity +May 21 08:23:24 test19-exit-cgroup.sh[441]: + systemctl stop one +May 21 08:23:24 test19-exit-cgroup.sh[443]: + sleep infinity +(snip) +May 21 08:23:24 systemd[1]: one.service: Changed running -> stop-sigterm +May 21 08:23:24 systemd[1]: Stopping one.service - /tmp/test19-exit-cgroup.sh "systemctl stop one"... +May 21 08:23:24 systemd[1]: Received SIGCHLD from PID 441 (systemctl). +May 21 08:23:24 systemd[1]: Child 437 (bash) died (code=killed, status=15/TERM) +May 21 08:23:24 systemd[1]: one.service: Child 437 belongs to one.service. +May 21 08:23:24 systemd[1]: one.service: Main process exited, code=killed, status=15/TERM (success) +May 21 08:23:24 systemd[1]: Child 439 (bash) died (code=killed, status=15/TERM) +May 21 08:23:24 systemd[1]: one.service: Child 439 belongs to one.service. +May 21 08:23:24 systemd[1]: Child 441 (systemctl) died (code=killed, status=15/TERM) +May 21 08:23:24 systemd[1]: one.service: Child 441 belongs to one.service. +May 21 08:23:24 systemd[1]: Child 442 (bash) died (code=killed, status=15/TERM) +May 21 08:23:24 systemd[1]: one.service: Child 442 belongs to one.service. +(snip) +May 21 08:24:54 systemd[1]: one.service: State 'stop-sigterm' timed out. Killing. +May 21 08:24:54 systemd[1]: one.service: Killing process 443 (sleep) with signal SIGKILL. 
+May 21 08:24:54 systemd[1]: one.service: Changed stop-sigterm -> stop-sigkill +May 21 08:24:54 systemd[1]: Received SIGCHLD from PID 443 (sleep). +May 21 08:24:54 systemd[1]: Child 443 (sleep) died (code=killed, status=9/KILL) +May 21 08:24:54 systemd[1]: one.service: Child 443 belongs to one.service. +May 21 08:24:54 systemd[1]: one.service: Control group is empty. +May 21 08:24:54 systemd[1]: one.service: Failed with result 'timeout'. +May 21 08:24:54 systemd[1]: one.service: Service restart not allowed. +May 21 08:24:54 systemd[1]: one.service: Changed stop-sigkill -> failed +May 21 08:24:54 systemd[1]: one.service: Job 738 one.service/stop finished, result=done +May 21 08:24:54 systemd[1]: Stopped one.service - /tmp/test19-exit-cgroup.sh "systemctl stop one". +May 21 08:24:54 systemd[1]: one.service: Unit entered failed state. +May 21 08:24:54 systemd[1]: one.service: Releasing resources... +=== + +Fixes #32947. + +(cherry picked from commit a5edb9b7b1366812d5bf558c95a433dae96d7b75) +--- + test/units/testsuite-19.ExitType-cgroup.sh | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/test/units/testsuite-19.ExitType-cgroup.sh b/test/units/testsuite-19.ExitType-cgroup.sh +index cd221d74ef..65c260639a 100755 +--- a/test/units/testsuite-19.ExitType-cgroup.sh ++++ b/test/units/testsuite-19.ExitType-cgroup.sh +@@ -27,8 +27,9 @@ disown + + systemd-notify --ready + +-# Run the stop/kill command +-\$1 & ++# Run the stop/kill command, but sleep a bit to make the sleep infinity ++# below actually started before stopping/killing the service. ++(sleep 1; \$1) & + + # process tree: systemd -> bash -> sleep + sleep infinity +-- +2.33.0 + diff --git a/backport-test-wait-for-loop-backing_file-attribute-being-remo.patch b/backport-test-wait-for-loop-backing_file-attribute-being-remo.patch new file mode 100644 index 0000000..455965d --- /dev/null +++ b/backport-test-wait-for-loop-backing_file-attribute-being-remo.patch 
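Review bot: `(sleep 1; \$1) &` trades the race for a fixed delay, so the ordering is still only probabilistic; on a heavily loaded CI host the outer `sleep infinity` may not be running after one second and the failure quoted in the commit message would recur, just less often. A bounded poll on the condition itself (waiting until the `sleep infinity` child is visible in the service's cgroup before issuing `\$1`) would be deterministic, although a fixed delay may be judged acceptable for a test this small. The new comment also needs its grammar fixed, e.g. `# Run the stop/kill command, but delay it a bit so that the "sleep infinity"` / `# below has actually started before the service is stopped/killed.`. The surrounding script continues outside the hunk.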
@@ -0,0 +1,35 @@ +From 53a26a675627d909cc7accd26d661ebcf565f417 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Tue, 21 May 2024 19:10:49 +0900 +Subject: [PATCH 0672/1160] test: wait for loop/backing_file attribute being + removed + +Hopefully fixes issue like +https://github.com/systemd/systemd/issues/32680#issuecomment-2120959238 +https://github.com/systemd/systemd/issues/32680#issuecomment-2122074805 + +(cherry picked from commit e504f5a33979c896213f2fb53217b14263cfe036) +--- + test/units/testsuite-74.mount.sh | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/test/units/testsuite-74.mount.sh b/test/units/testsuite-74.mount.sh +index 8065abe554..eef8d2d242 100755 +--- a/test/units/testsuite-74.mount.sh ++++ b/test/units/testsuite-74.mount.sh +@@ -126,7 +126,12 @@ test -e /run/media/system/simple.img/foo.bar + # systemd-mount --list and systemd-umount require the loopback block device is initialized by udevd. + udevadm settle --timeout 30 + assert_in "/dev/loop.* ext4 +sd-mount-test" "$(systemd-mount --list --full)" ++LOOP_AUTO=$(systemd-mount --list --full --no-legend | awk '$6 == "sd-mount-test" { print $1 }') ++LOOP_AUTO_DEVPATH=$(udevadm info --query property --property DEVPATH --value "$LOOP_AUTO") + systemd-umount "$WORK_DIR/simple.img" ++# Wait for 'change' uevent for the device with DISK_MEDIA_CHANGE=1. ++# After the event, the backing_file attribute should be removed. ++timeout 60 bash -c "while [[ -e /sys/$LOOP_AUTO_DEVPATH/loop/backing_file ]]; do sleep 1; done" + + # --owner + vfat + # +-- +2.33.0 + diff --git a/backport-test-wait-for-partition-device-being-processed-by-ud.patch b/backport-test-wait-for-partition-device-being-processed-by-ud.patch new file mode 100644 index 0000000..7117da4 --- /dev/null +++ b/backport-test-wait-for-partition-device-being-processed-by-ud.patch 
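Review bot: If `LOOP_AUTO` or `LOOP_AUTO_DEVPATH` comes back empty (the `awk '$6 == "sd-mount-test"'` column match is brittle against output-format changes), the new loop tests `/sys//loop/backing_file`, which never exists, so the wait silently degrades to a no-op instead of failing the test. Using the `:?` expansion in both lines, `LOOP_AUTO_DEVPATH=$(udevadm info --query property --property DEVPATH --value "${LOOP_AUTO:?}")` and `timeout 60 bash -c "while [[ -e /sys/${LOOP_AUTO_DEVPATH:?}/loop/backing_file ]]; do sleep 1; done"`, turns that into an immediate, diagnosable failure. Whether the script runs under `set -u` is not visible in the hunk.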
@@ -0,0 +1,28 @@
+From 539c7cc3f62105e0feea1413a5d30235086bf0f1 Mon Sep 17 00:00:00 2001
+From: Yu Watanabe
+Date: Fri, 17 May 2024 14:21:44 +0900
+Subject: [PATCH 0644/1160] test: wait for partition device being processed by
+ udevd
+
+Fixes #32697.
+
+(cherry picked from commit 0664c1cf1db0c8da30dd0303379ff446fff66d01)
+---
+ test/units/testsuite-70.cryptsetup.sh | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/test/units/testsuite-70.cryptsetup.sh b/test/units/testsuite-70.cryptsetup.sh
+index 4cd627fe1a..cb7c8b1f31 100755
+--- a/test/units/testsuite-70.cryptsetup.sh
++++ b/test/units/testsuite-70.cryptsetup.sh
+@@ -212,6 +212,7 @@ Encrypt=tpm2
+ EOF
+ PASSWORD=passphrase systemd-repart --tpm2-device-key=/tmp/srk.pub --definitions=/tmp/dditest --empty=create --size=50M /tmp/dditest.raw --tpm2-pcrs=
+ DEVICE="$(systemd-dissect --attach /tmp/dditest.raw)"
++ udevadm wait --settle --timeout=10 "$DEVICE"p1
+ systemd-cryptsetup attach dditest "$DEVICE"p1 - tpm2-device=auto,headless=yes
+ mkdir /tmp/dditest.mnt
+ mount -t ext4 /dev/mapper/dditest /tmp/dditest.mnt
+--
+2.33.0
+
diff --git a/backport-test-wait-for-partition-processed-by-udevd.patch b/backport-test-wait-for-partition-processed-by-udevd.patch
new file mode 100644
index 0000000..40bbd00
--- /dev/null
+++ b/backport-test-wait-for-partition-processed-by-udevd.patch
@@ -0,0 +1,28 @@
+From 8318972184d1f6a382fc6fb28f81a5d992fe145b Mon Sep 17 00:00:00 2001
+From: Yu Watanabe
+Date: Fri, 17 May 2024 10:12:25 +0900
+Subject: [PATCH 0641/1160] test: wait for partition processed by udevd
+
+Fixes #32695.
+
+(cherry picked from commit 71f04871739892db2cdbb6a746360fb243f24dc6)
+---
+ test/units/testsuite-58.sh | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/test/units/testsuite-58.sh b/test/units/testsuite-58.sh
+index c64b2039f3..20d4bda84e 100755
+--- a/test/units/testsuite-58.sh
++++ b/test/units/testsuite-58.sh
+@@ -373,7 +373,7 @@ $imgs/zzz7 : start= 6291416, size= 98304, type=0FC63DAF-8483-4772-8E79
+ fi
+
+ loop="$(losetup -P --show --find "$imgs/zzz")"
+- udevadm wait --timeout 60 --settle "${loop:?}"
++ udevadm wait --timeout 60 --settle "${loop:?}p7"
+
+ volume="test-repart-$RANDOM"
+
+--
+2.33.0
+
diff --git a/backport-test-wait-for-sessions-being-closed.patch b/backport-test-wait-for-sessions-being-closed.patch
new file mode 100644
index 0000000..5244c68
--- /dev/null
+++ b/backport-test-wait-for-sessions-being-closed.patch
@@ -0,0 +1,30 @@ +From ec0a8c8d469356faab5db4e116bd9d4bedfefffb Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Fri, 17 May 2024 14:00:12 +0900 +Subject: [PATCH 0645/1160] test: wait for sessions being closed + +If a session in closing state, the user state will be in online. + +Fixes #32698. + +(cherry picked from commit fc5112580a0eafe1f4f56ec35522578b7e76bca5) +--- + test/units/testsuite-35.sh | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/test/units/testsuite-35.sh b/test/units/testsuite-35.sh +index 36e26da885..da3321bfcf 100755 +--- a/test/units/testsuite-35.sh ++++ b/test/units/testsuite-35.sh +@@ -563,7 +563,7 @@ testcase_list_users_sessions_seats() { + return + fi + +- assert_eq "$(loginctl list-users --no-legend | awk '$2 == "logind-test-user" { print $4 }')" lingering ++ timeout 30 bash -c "until [[ \"\$(loginctl list-users --no-legend | awk '\$2 == \"logind-test-user\" { print \$4 }')\" == lingering ]]; do sleep 1; done" + } + + teardown_stop_idle_session() ( +-- +2.33.0 + diff --git a/backport-test-wait-for-slice-unit-being-de-activated.patch b/backport-test-wait-for-slice-unit-being-de-activated.patch new file mode 100644 index 0000000..c26416d --- /dev/null +++ b/backport-test-wait-for-slice-unit-being-de-activated.patch 
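Review bot: Replacing `assert_eq` with a bare `timeout 30 bash -c "until ..."` loses the diagnostic: on failure the only signal is exit status 124 from timeout, and the value loginctl actually reported is never printed, which makes the next flake harder to triage than the one this fixes. The triple-escaped quoting inside the `bash -c` string is also hard to read and easy to break. A plain bounded poll followed by the original assertion keeps both the wait and the diagnostic, as sketched below. testcase_list_users_sessions_seats() starts outside the hunk.
```shell
# Sessions in the closing state keep the user "online" for a moment; poll before asserting.
for _ in {1..30}; do
    [[ "$(loginctl list-users --no-legend | awk '$2 == "logind-test-user" { print $4 }')" == lingering ]] && break
    sleep 1
done
assert_eq "$(loginctl list-users --no-legend | awk '$2 == "logind-test-user" { print $4 }')" lingering
```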
@@ -0,0 +1,37 @@ +From c49a6771f76242e7e00f0024abe21bf64d41baa0 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Fri, 17 May 2024 13:25:25 +0900 +Subject: [PATCH 0643/1160] test: wait for slice unit being (de)activated + +Fixes #32731. + +(cherry picked from commit 272aae38f89d0c415a57370a624287cd5aeaec0b) +--- + test/units/testsuite-15.sh | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/test/units/testsuite-15.sh b/test/units/testsuite-15.sh +index e790b37c70..534bfd358e 100755 +--- a/test/units/testsuite-15.sh ++++ b/test/units/testsuite-15.sh +@@ -256,6 +256,8 @@ EOF + 'MemoryMax' t 1000000002 \ + 0 + ++ timeout 1m bash -c 'until systemctl is-active a-b-c.slice; do sleep 1s; done' ++ + # The override takes precedence for MemoryMax + check_ok a-b-c.slice MemoryMax "1000000000" + # The transient setting replaces the default +@@ -273,6 +275,8 @@ EOF + StopUnit 'ss' \ + 'a-b-c.slice' 'replace' + ++ timeout 1m bash -c 'while systemctl is-active a-b-c.slice; do sleep 1s; done' ++ + rm -f "/run/systemd/system/$dropin/override.conf" + done + +-- +2.33.0 + diff --git a/backport-test-wait-for-unit-generated-from-proc-self-mountinf.patch b/backport-test-wait-for-unit-generated-from-proc-self-mountinf.patch new file mode 100644 index 0000000..b6487c4 --- /dev/null +++ b/backport-test-wait-for-unit-generated-from-proc-self-mountinf.patch 
@@ -0,0 +1,36 @@ +From 1a6a2d8f2476f2468ac96bd973bbc890eaa9f996 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Tue, 21 May 2024 04:48:42 +0900 +Subject: [PATCH 0671/1160] test: wait for unit generated from + /proc/self/mountinfo to be unloaded + +Fixes https://github.com/systemd/systemd/issues/32680#issuecomment-2120974685. +=== +May 21 02:45:08 TEST-74-AUX-UTILS.sh[2475]: + mountpoint /tmp/tmp.eaRV7lSbX2/mnt +May 21 02:45:08 TEST-74-AUX-UTILS.sh[2476]: /tmp/tmp.eaRV7lSbX2/mnt is not a mountpoint +May 21 02:45:08 TEST-74-AUX-UTILS.sh[2449]: + systemd-mount /dev/loop0 /tmp/tmp.eaRV7lSbX2/mnt +May 21 02:45:08 systemd-mount[2477]: Failed to start transient mount unit: Unit tmp-tmp.eaRV7lSbX2-mnt.mount was already loaded or has a fragment file. +=== + +(cherry picked from commit 4a8ca3c6d595598f64cf532fad2c98ef7481f6a4) +--- + test/units/testsuite-74.mount.sh | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/test/units/testsuite-74.mount.sh b/test/units/testsuite-74.mount.sh +index 41c5c8652a..8065abe554 100755 +--- a/test/units/testsuite-74.mount.sh ++++ b/test/units/testsuite-74.mount.sh +@@ -39,6 +39,9 @@ mount "$LOOP" "$WORK_DIR/mnt" + touch "$WORK_DIR/mnt/foo.bar" + umount "$LOOP" + (! mountpoint "$WORK_DIR/mnt") ++# Wait for the mount unit to be unloaded. Otherwise, creation of the transient unit below may fail. ++MOUNT_UNIT=$(systemd-escape --path --suffix=mount "$WORK_DIR/mnt") ++timeout 60 bash -c "while [[ -n \$(systemctl list-units --all --no-legend $MOUNT_UNIT) ]]; do sleep 1; done" + + # Mount with both source and destination set + systemd-mount "$LOOP" "$WORK_DIR/mnt" +-- +2.33.0 + diff --git a/backport-test-wait-until-the-test-container-is-fully-booted-u.patch b/backport-test-wait-until-the-test-container-is-fully-booted-u.patch new file mode 100644 index 0000000..00a641b --- /dev/null +++ b/backport-test-wait-until-the-test-container-is-fully-booted-u.patch 
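Review bot: `$MOUNT_UNIT` is interpolated unquoted into the `bash -c "..."` script, so the inner shell word-splits and re-interprets it; systemd-escape emits backslash sequences such as `\x2d` for characters like `-` in path components, and an unquoted `\x2d` in the inner shell would be mangled, making `systemctl list-units` look for the wrong unit and the loop exit immediately. Passing the name as a positional argument avoids both the escaping and the quoting problem: `timeout 60 bash -c 'while [[ -n $(systemctl list-units --all --no-legend "$1") ]]; do sleep 1; done' _ "$MOUNT_UNIT"`. With the mktemp-style WORK_DIR shown in the commit message this happens not to bite, but the helper should not depend on that. The comment could also name the failure it prevents, e.g. `# ... Otherwise systemd-mount fails with "was already loaded or has a fragment file".`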
@@ -0,0 +1,32 @@ +From 67f620875294782cc4d8a029f97bb144979636bc Mon Sep 17 00:00:00 2001 +From: Frantisek Sumsal +Date: Tue, 9 Apr 2024 21:16:41 +0200 +Subject: [PATCH 0346/1160] test: wait until the test container is fully booted + up + +TEST-69 still occasionally times out in CI and appears to be stuck on +boot, so let's see if this helps the situation a bit. + +(cherry picked from commit 515eb678a057099ee7e462ec83f71b199a368f8a) +--- + test/test-shutdown.py | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/test/test-shutdown.py b/test/test-shutdown.py +index b83487c5d4..870c1e269f 100755 +--- a/test/test-shutdown.py ++++ b/test/test-shutdown.py +@@ -43,6 +43,10 @@ def run(args): + console.send('c') + console.expect('screen1 ', 10) + ++ logger.info('wait for the machine to fully boot') ++ console.sendline('systemctl is-system-running --wait') ++ console.expect(r'\b(running|degraded)\b', 60) ++ + # console.interact() + + console.sendline('tty') +-- +2.33.0 + diff --git a/backport-tests-fix-access-mode-of-root-inode-of-throw-away-co.patch b/backport-tests-fix-access-mode-of-root-inode-of-throw-away-co.patch new file mode 100644 index 0000000..fdd48b4 --- /dev/null +++ b/backport-tests-fix-access-mode-of-root-inode-of-throw-away-co.patch 
@@ -0,0 +1,31 @@
+From 65dca61ca06aa303413565f6d8e5009b5f7e2edb Mon Sep 17 00:00:00 2001
+From: Lennart Poettering
+Date: Wed, 27 Nov 2024 10:17:36 +0100
+Subject: [PATCH 1034/1160] tests: fix access mode of root inode of throw-away
+ container images
+
+Otherwise the root inode will typically have what mkdtemp sets up, which
+is something like 0700, which is weird and somewhat broken when trying
+to look into containers from unpriv users.
+
+(cherry picked from commit c18a1024643809c8f28799900af4e6202623f934)
+(cherry picked from commit b4db0ca7534c12002717b3f198ae39907a078024)
+---
+ test/units/util.sh | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/test/units/util.sh b/test/units/util.sh
+index 2f6a25fb97..8562b3f434 100755
+--- a/test/units/util.sh
++++ b/test/units/util.sh
+@@ -164,6 +164,7 @@ create_dummy_container() {
+ fi
+
+ mkdir -p "$root"
++ chmod 555 "$root"
+ cp -a /testsuite-13-container-template/* "$root"
+ coverage_create_nspawn_dropin "$root"
+ }
+--
+2.33.0
+
diff --git a/backport-time-util-copy-input-string-before-fork.patch b/backport-time-util-copy-input-string-before-fork.patch
new file mode 100644
index 0000000..2c8f4b7
--- /dev/null
+++ b/backport-time-util-copy-input-string-before-fork.patch
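Review bot: `chmod 555 "$root"` is placed before `cp -a /testsuite-13-container-template/* "$root"` and `coverage_create_nspawn_dropin "$root"`, so the copy into a directory that is no longer writable only succeeds because the test runs as root and CAP_DAC_OVERRIDE bypasses the mode; moving the chmod to the end of the function, after the last write into `$root`, makes the helper correct regardless of privilege and matches the commit message (fix the mode of the finished image). Because `mkdir -p` tolerates a pre-existing directory, the mode of an existing `$root` is changed too; if that is intended, a one-line comment such as `# Make the root inode world-readable so unprivileged users can look into the container` would document it. create_dummy_container() starts outside the hunk.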
@@ -0,0 +1,35 @@
+From d4ecc4859e411c56e754cd1b467f14dd15d23ae1 Mon Sep 17 00:00:00 2001
+From: Yu Watanabe
+Date: Tue, 8 Oct 2024 13:50:02 +0900
+Subject: [PATCH 0930/1160] time-util: copy input string before fork()
+
+Fixes #34670.
+
+(cherry picked from commit 6d3012bab4ce4c1ed260598d05b4e9f2ea471658)
+(cherry picked from commit 38d55448b9a56e406b00514303617249f30ee2f2)
+---
+ src/basic/time-util.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/src/basic/time-util.c b/src/basic/time-util.c
+index 2253d868fe..0c2d739977 100644
+--- a/src/basic/time-util.c
++++ b/src/basic/time-util.c
+@@ -1048,6 +1048,14 @@ int parse_timestamp(const char *t, usec_t *ret) {
+ if (shared == MAP_FAILED)
+ return negative_errno();
+
++ /* The input string may be in argv. Let's copy it. */
++ _cleanup_free_ char *t_copy = strdup(t);
++ if (!t_copy)
++ return -ENOMEM;
++
++ t = t_copy;
++ assert_se(tz = endswith(t_copy, tz));
++
+ r = safe_fork("(sd-timestamp)", FORK_RESET_SIGNALS|FORK_CLOSE_ALL_FDS|FORK_DEATHSIG_SIGKILL|FORK_WAIT, NULL);
+ if (r < 0) {
+ (void) munmap(shared, sizeof *shared);
+--
+2.33.0
+
diff --git a/backport-time-util-fix-parsing-timestamp-with-NZ-timezone.patch b/backport-time-util-fix-parsing-timestamp-with-NZ-timezone.patch
new file mode 100644
index 0000000..5c01175
--- /dev/null
+++ b/backport-time-util-fix-parsing-timestamp-with-NZ-timezone.patch
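Review bot: The new `return -ENOMEM;` leaks the `shared` mapping created just above it: the existing `safe_fork()` failure path two lines further down does `(void) munmap(shared, sizeof *shared);` before returning, and the strdup() failure path needs the same, `if (!t_copy) { (void) munmap(shared, sizeof *shared); return -ENOMEM; }` — or take the copy before the mmap() so no cleanup is needed at all. The comment `/* The input string may be in argv. Let's copy it. */` gives the what but not the why; presumably the child that safe_fork() creates renames itself, which overwrites the argv area that `t` may point into, and it is the child that does the parsing — if that is the reason, `/* t may point into argv[], which the forked child overwrites when it renames itself; parse a private copy instead. */` would save the next reader the investigation. parse_timestamp() continues on both sides of the hunk.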
@@ -0,0 +1,85 @@ +From fc131fe3bb3793ca4acadc1145d2f125246fe212 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Tue, 8 Oct 2024 18:59:37 +0900 +Subject: [PATCH 0929/1160] time-util: fix parsing timestamp with NZ timezone + +Fixes a bug caused by ef658a63f8163607d9e04f710cd26c0d36ff68ce. + +(cherry picked from commit eb87d3e1e9210d9387536cc3ece4e32aacdc5009) +(cherry picked from commit c7a00c4caee66532a32554a6123f1c56f690cf92) +--- + src/basic/time-util.c | 8 ++++++-- + src/test/test-time-util.c | 31 +++++++++++++++++++++++++++++++ + 2 files changed, 37 insertions(+), 2 deletions(-) + +diff --git a/src/basic/time-util.c b/src/basic/time-util.c +index f9014dc560..2253d868fe 100644 +--- a/src/basic/time-util.c ++++ b/src/basic/time-util.c +@@ -999,8 +999,12 @@ int parse_timestamp(const char *t, usec_t *ret) { + assert(t); + + t_len = strlen(t); +- if (t_len > 2 && t[t_len - 1] == 'Z' && t[t_len - 2] != ' ') /* RFC3339-style welded UTC: "1985-04-12T23:20:50.52Z" */ +- return parse_timestamp_impl(t, t_len - 1, /* utc = */ true, /* isdst = */ -1, /* gmtoff = */ 0, ret); ++ if (t_len > 2 && t[t_len - 1] == 'Z') { ++ /* Try to parse as RFC3339-style welded UTC: "1985-04-12T23:20:50.52Z" */ ++ r = parse_timestamp_impl(t, t_len - 1, /* utc = */ true, /* isdst = */ -1, /* gmtoff = */ 0, ret); ++ if (r >= 0) ++ return r; ++ } + + if (t_len > 7 && IN_SET(t[t_len - 6], '+', '-') && t[t_len - 7] != ' ') { /* RFC3339-style welded offset: "1990-12-31T15:59:60-08:00" */ + k = strptime(&t[t_len - 6], "%z", &tm); +diff --git a/src/test/test-time-util.c b/src/test/test-time-util.c +index 53bc77943b..0a472d65d9 100644 +--- a/src/test/test-time-util.c ++++ b/src/test/test-time-util.c +@@ -857,6 +857,29 @@ static void test_parse_timestamp_impl(const char *tz) { + test_parse_timestamp_one("69-12-31 19:00:01.0010 EST", 0, USEC_PER_SEC + 1000); + } + ++ if (timezone_is_valid("NZ", LOG_DEBUG)) { ++ /* NZ (+1200) */ ++ test_parse_timestamp_one("Thu 1970-01-01 12:01 NZ", 0, USEC_PER_MINUTE); 
++ test_parse_timestamp_one("Thu 1970-01-01 12:00:01 NZ", 0, USEC_PER_SEC); ++ test_parse_timestamp_one("Thu 1970-01-01 12:00:01.001 NZ", 0, USEC_PER_SEC + 1000); ++ test_parse_timestamp_one("Thu 1970-01-01 12:00:01.0010 NZ", 0, USEC_PER_SEC + 1000); ++ ++ test_parse_timestamp_one("Thu 70-01-01 12:01 NZ", 0, USEC_PER_MINUTE); ++ test_parse_timestamp_one("Thu 70-01-01 12:00:01 NZ", 0, USEC_PER_SEC); ++ test_parse_timestamp_one("Thu 70-01-01 12:00:01.001 NZ", 0, USEC_PER_SEC + 1000); ++ test_parse_timestamp_one("Thu 70-01-01 12:00:01.0010 NZ", 0, USEC_PER_SEC + 1000); ++ ++ test_parse_timestamp_one("1970-01-01 12:01 NZ", 0, USEC_PER_MINUTE); ++ test_parse_timestamp_one("1970-01-01 12:00:01 NZ", 0, USEC_PER_SEC); ++ test_parse_timestamp_one("1970-01-01 12:00:01.001 NZ", 0, USEC_PER_SEC + 1000); ++ test_parse_timestamp_one("1970-01-01 12:00:01.0010 NZ", 0, USEC_PER_SEC + 1000); ++ ++ test_parse_timestamp_one("70-01-01 12:01 NZ", 0, USEC_PER_MINUTE); ++ test_parse_timestamp_one("70-01-01 12:00:01 NZ", 0, USEC_PER_SEC); ++ test_parse_timestamp_one("70-01-01 12:00:01.001 NZ", 0, USEC_PER_SEC + 1000); ++ test_parse_timestamp_one("70-01-01 12:00:01.0010 NZ", 0, USEC_PER_SEC + 1000); ++ } ++ + /* -06 */ + test_parse_timestamp_one("Wed 1969-12-31 18:01 -06", 0, USEC_PER_MINUTE); + test_parse_timestamp_one("Wed 1969-12-31 18:00:01 -06", 0, USEC_PER_SEC); +@@ -934,6 +957,14 @@ static void test_parse_timestamp_impl(const char *tz) { + test_parse_timestamp_one("yesterday", 0, today - USEC_PER_DAY); + } + ++ /* with timezone */ ++ if (tz) { ++ _cleanup_free_ char *s = NULL; ++ ++ assert_se((s = strjoin("Fri 2012-11-23 23:02:15 ", tz)) != NULL); ++ assert_se(parse_timestamp(s, NULL) >= 0); ++ } ++ + /* relative */ + assert_se(parse_timestamp("now", &now_usec) == 0); + test_parse_timestamp_one("+5hours", USEC_PER_MINUTE, now_usec + 5 * USEC_PER_HOUR); +-- +2.33.0 + 
diff --git a/backport-timedate-handle-gracefully-if-RTC-lost-time-because-.patch b/backport-timedate-handle-gracefully-if-RTC-lost-time-because-.patch new file mode 100644 index 0000000..f2bf3eb --- /dev/null +++ b/backport-timedate-handle-gracefully-if-RTC-lost-time-because-.patch 
@@ -0,0 +1,51 @@
+From b858433a79633bdef1ebea7d5ea4cc2585dcbaab Mon Sep 17 00:00:00 2001
+From: Lennart Poettering
+Date: Fri, 19 Apr 2024 19:20:40 +0200
+Subject: [PATCH 1159/1160] timedate: handle gracefully if RTC lost time
+ because of power loss
+
+Apparently some RTC drivers return EINVAL in that case when we try to
+read it. Handle that reasonably gracefully.
+
+Fixes: #31854
+(cherry picked from commit 5c81de98fcb533c0889ed6c6f6cd8640bb626360)
+---
+ src/shared/clock-util.c | 7 ++++---
+ src/timedate/timedated.c | 2 ++
+ 2 files changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/src/shared/clock-util.c b/src/shared/clock-util.c
+index b0cbe30072..37d02325b7 100644
+--- a/src/shared/clock-util.c
++++ b/src/shared/clock-util.c
+@@ -27,10 +27,11 @@ int clock_get_hwclock(struct tm *tm) {
+ if (fd < 0)
+ return -errno;
+
+- /* This leaves the timezone fields of struct tm
+- * uninitialized! */
++ /* This leaves the timezone fields of struct tm uninitialized! */
+ if (ioctl(fd, RTC_RD_TIME, tm) < 0)
+- return -errno;
++ /* Some drivers return -EINVAL in case the time could not be kept, i.e. power loss
++ * happened. Let's turn that into a clearly recognizable error */
++ return errno == EINVAL ? -ENODATA : -errno;
+
+ /* We don't know daylight saving, so we reset this in order not
+ * to confuse mktime(). */
+diff --git a/src/timedate/timedated.c b/src/timedate/timedated.c
+index c7be30f563..b0957a6bda 100644
+--- a/src/timedate/timedated.c
++++ b/src/timedate/timedated.c
+@@ -584,6 +584,8 @@ static int property_get_rtc_time(
+ log_warning("/dev/rtc is busy. Is somebody keeping it open continuously? That's not a good idea... Returning a bogus RTC timestamp.");
+ else if (r == -ENOENT)
+ log_debug("/dev/rtc not found.");
++ else if (r == -ENODATA)
++ log_debug("/dev/rtc has no valid time, power loss probably occurred?");
+ else if (r < 0)
+ return sd_bus_error_set_errnof(error, r, "Failed to read RTC: %m");
+ else
+--
+2.33.0
+
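Review bot: In timedated.c the new `-ENODATA` branch logs at debug level and then, like the EBUSY and ENOENT branches, appears to fall through to returning whatever is in the time buffer — which the EBUSY branch itself calls "a bogus RTC timestamp". A hardware clock that lost its time is something an administrator wants surfaced, since everything time-dependent (certificate validity checks, log ordering) is affected until NTP catches up, so `log_warning("/dev/rtc has no valid time, power loss probably occurred? Returning a bogus RTC timestamp.");` would be consistent with the EBUSY branch and more useful than debug. In clock-util.c the EINVAL→ENODATA mapping applies to every caller of clock_get_hwclock(), so any other caller that inspected -EINVAL now needs to handle -ENODATA; that is worth a sentence in the commit message. property_get_rtc_time() continues outside the hunk, so the fall-through is inferred from the visible chain rather than seen.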
diff --git a/backport-timesync-IPTOS_LOWDELAY-IPTOS_DSCP_EF.patch b/backport-timesync-IPTOS_LOWDELAY-IPTOS_DSCP_EF.patch
new file mode 100644
index 0000000..55bda52
--- /dev/null
+++ b/backport-timesync-IPTOS_LOWDELAY-IPTOS_DSCP_EF.patch
@@ -0,0 +1,33 @@
+From fea42654ccd977554651ab9f24a66563b349e3a0 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Cristian=20Rodr=C3=ADguez?=
+Date: Sun, 7 Jan 2024 19:49:45 -0300
+Subject: [PATCH 0132/1160] timesync: IPTOS_LOWDELAY --> IPTOS_DSCP_EF
+
+Deprecated IPTOS_LOWDELAY is ignored by most of today's
+network equipment that only ever care about DSCP.
+
+Use the DSCP found in other NTP implementations and set the appropiate
+TCLASS for IPv6.
+
+(cherry picked from commit aafaafb6f725e145192d95ef740714f0339b1252)
+---
+ src/timesync/timesyncd-manager.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/src/timesync/timesyncd-manager.c b/src/timesync/timesyncd-manager.c
+index 1317bc0f76..8592197528 100644
+--- a/src/timesync/timesyncd-manager.c
++++ b/src/timesync/timesyncd-manager.c
+@@ -658,8 +658,7 @@ static int manager_listen_setup(Manager *m) {
+ if (r < 0)
+ return r;
+
+- if (addr.sa.sa_family == AF_INET)
+- (void) setsockopt_int(m->server_socket, IPPROTO_IP, IP_TOS, IPTOS_LOWDELAY);
++ (void) socket_set_option(m->server_socket, addr.sa.sa_family, IP_TOS, IPV6_TCLASS, IPTOS_DSCP_EF);
+
+ return sd_event_add_io(m->event, &m->event_receive, m->server_socket, EPOLLIN, manager_receive_response, m);
+ }
+--
+2.33.0
+
diff --git a/backport-timesyncd-make-the-transmit-timestamp-in-requests-fu.patch b/backport-timesyncd-make-the-transmit-timestamp-in-requests-fu.patch
new file mode 100644
index 0000000..47c6bb6
--- /dev/null
+++ b/backport-timesyncd-make-the-transmit-timestamp-in-requests-fu.patch
@@ -0,0 +1,101 @@ +From 310405ff82bfc1fe767a34d6cb99def940e0ef23 Mon Sep 17 00:00:00 2001 +From: David Venhoek +Date: Fri, 26 Jan 2024 10:40:03 +0100 +Subject: [PATCH 0282/1160] timesyncd: make the transmit timestamp in requests + fully random + +This improves security against off-path attackers, and avoids leaking +the current system time. + +(cherry picked from commit 678bd12cfc1a7f3f0d074ac9c52f0b06ec601618) +--- + src/timesync/timesyncd-manager.c | 35 ++++++++++++++------------------ + src/timesync/timesyncd-manager.h | 1 + + 2 files changed, 16 insertions(+), 20 deletions(-) + +diff --git a/src/timesync/timesyncd-manager.c b/src/timesync/timesyncd-manager.c +index 8592197528..1998ba91e1 100644 +--- a/src/timesync/timesyncd-manager.c ++++ b/src/timesync/timesyncd-manager.c +@@ -27,6 +27,7 @@ + #include "network-util.h" + #include "ratelimit.h" + #include "resolve-private.h" ++#include "random-util.h" + #include "socket-util.h" + #include "string-util.h" + #include "strv.h" +@@ -78,13 +79,6 @@ static double ts_to_d(const struct timespec *ts) { + return ts->tv_sec + (1.0e-9 * ts->tv_nsec); + } + +-static uint32_t graceful_add_offset_1900_1970(time_t t) { +- /* Adds OFFSET_1900_1970 to t and returns it as 32-bit value. This is handles overflows +- * gracefully in a deterministic and well-defined way by cutting off the top bits. */ +- uint64_t a = (uint64_t) t + OFFSET_1900_1970; +- return (uint32_t) (a & UINT64_C(0xFFFFFFFF)); +-} +- + static int manager_timeout(sd_event_source *source, usec_t usec, void *userdata) { + _cleanup_free_ char *pretty = NULL; + Manager *m = ASSERT_PTR(userdata); +@@ -126,20 +120,22 @@ static int manager_send_request(Manager *m) { + } + + /* +- * Set transmit timestamp, remember it; the server will send that back +- * as the origin timestamp and we have an indication that this is the +- * matching answer to our request. 
+- * +- * The actual value does not matter, We do not care about the correct +- * NTP UINT_MAX fraction; we just pass the plain nanosecond value. ++ * Generate a random number as transmit timestamp, to ensure we get ++ * a full 64 bits of entropy to make it hard for off-path attackers ++ * to inject random time to us. + */ +- assert_se(clock_gettime(CLOCK_BOOTTIME, &m->trans_time_mon) >= 0); +- assert_se(clock_gettime(CLOCK_REALTIME, &m->trans_time) >= 0); +- ntpmsg.trans_time.sec = htobe32(graceful_add_offset_1900_1970(m->trans_time.tv_sec)); +- ntpmsg.trans_time.frac = htobe32(m->trans_time.tv_nsec); ++ random_bytes(&m->request_nonce, sizeof(m->request_nonce)); ++ ntpmsg.trans_time = m->request_nonce; + + server_address_pretty(m->current_server_address, &pretty); + ++ /* ++ * Record the transmit timestamp. This should be as close as possible to ++ * the send-to to ensure the timestamp is reasonably accurate ++ */ ++ assert_se(clock_gettime(CLOCK_BOOTTIME, &m->trans_time_mon) >= 0); ++ assert_se(clock_gettime(CLOCK_REALTIME, &m->trans_time) >= 0); ++ + len = sendto(m->server_socket, &ntpmsg, sizeof(ntpmsg), MSG_DONTWAIT, &m->current_server_address->sockaddr.sa, m->current_server_address->socklen); + if (len == sizeof(ntpmsg)) { + m->pending = true; +@@ -457,9 +453,8 @@ static int manager_receive_response(sd_event_source *source, int fd, uint32_t re + + m->missed_replies = 0; + +- /* check our "time cookie" (we just stored nanoseconds in the fraction field) */ +- if (be32toh(ntpmsg.origin_time.sec) != graceful_add_offset_1900_1970(m->trans_time.tv_sec) || +- be32toh(ntpmsg.origin_time.frac) != (unsigned long) m->trans_time.tv_nsec) { ++ /* check the transmit request nonce was properly returned in the origin_time field */ ++ if (ntpmsg.origin_time.sec != m->request_nonce.sec || ntpmsg.origin_time.frac != m->request_nonce.frac) { + log_debug("Invalid reply; not our transmit time. 
Ignoring."); + return 0; + } +diff --git a/src/timesync/timesyncd-manager.h b/src/timesync/timesyncd-manager.h +index 8cbb91d907..f444787489 100644 +--- a/src/timesync/timesyncd-manager.h ++++ b/src/timesync/timesyncd-manager.h +@@ -71,6 +71,7 @@ struct Manager { + /* last sent packet */ + struct timespec trans_time_mon; + struct timespec trans_time; ++ struct ntp_ts request_nonce; + usec_t retry_interval; + usec_t connection_retry_usec; + bool pending; +-- +2.33.0 + diff --git a/backport-tmpfiles-Don-t-fail-if-file-does-not-exist-in-item_d.patch b/backport-tmpfiles-Don-t-fail-if-file-does-not-exist-in-item_d.patch new file mode 100644 index 0000000..cb57b49 --- /dev/null +++ b/backport-tmpfiles-Don-t-fail-if-file-does-not-exist-in-item_d.patch 
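Review bot: `m->missed_replies = 0;` is still executed before the new nonce comparison (it is the context line immediately above the check), so a packet that fails the check has already been counted as a valid reply and has reset the miss counter; since the stated purpose of the commit is resistance to off-path forgery, the reset belongs after the `if (ntpmsg.origin_time.sec != m->request_nonce.sec || ...)` block so that a rejected packet has no effect on server selection. The sender side in the earlier hunk fills the nonce with `random_bytes()`; random-util also offers `crypto_random_bytes()`, and now that the 64-bit value is a security nonce rather than a timestamp, using the stronger variant (or a comment stating why best-effort randomness suffices here) would make the intent explicit. The new origin-time comment could say what the check achieves, e.g. `/* Reject replies whose origin_time does not echo our random transmit nonce; this is what defeats off-path injection. */`. manager_receive_response() starts outside the hunk, so whether a source-address comparison precedes this point is not visible here.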
@@ -0,0 +1,48 @@
+From 46419527af7e91346aa523f73ecf85a96ac94c9a Mon Sep 17 00:00:00 2001
+From: Daan De Meyer
+Date: Wed, 8 May 2024 11:35:21 +0200
+Subject: [PATCH 0609/1160] tmpfiles: Don't fail if file does not exist in
+ item_do()
+
+If the file was removed by some other program, we should just go
+to the next one without failing. item_do() is only used for recursive
+globs instead of fixed paths so skipping on missing files makes sense
+(unlike if the path was fixed where we should probably fail).
+
+Fixes #32691 (hopefully)
+
+(cherry picked from commit 677430b3c7fcd1b352eb66f19b8746741459b91a)
+---
+ src/tmpfiles/tmpfiles.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/src/tmpfiles/tmpfiles.c b/src/tmpfiles/tmpfiles.c
+index 4919cb79d5..6a1c7725a1 100644
+--- a/src/tmpfiles/tmpfiles.c
++++ b/src/tmpfiles/tmpfiles.c
+@@ -2366,7 +2366,7 @@ static int item_do(
+ fdaction_t action) {
+
+ struct stat st;
+- int r = 0, q;
++ int r = 0, q = 0;
+
+ assert(c);
+ assert(i);
+@@ -2401,9 +2401,10 @@ static int item_do(
+ continue;
+
+ de_fd = openat(fd, de->d_name, O_NOFOLLOW|O_CLOEXEC|O_PATH);
+- if (de_fd < 0)
+- q = log_error_errno(errno, "Failed to open() file '%s': %m", de->d_name);
+- else {
++ if (de_fd < 0) {
++ if (errno != -ENOENT)
++ q = log_error_errno(errno, "Failed to open file '%s': %m", de->d_name);
++ } else {
+ _cleanup_free_ char *de_path = NULL;
+
+ de_path = path_join(path, de->d_name);
+--
+2.33.0
+
diff --git a/backport-tmpfiles-ERRNO_IS_NOINFO-_IS_NEG_-correct-negative-e.patch b/backport-tmpfiles-ERRNO_IS_NOINFO-_IS_NEG_-correct-negative-e.patch
new file mode 100644
index 0000000..ac0aab1
--- /dev/null
+++ b/backport-tmpfiles-ERRNO_IS_NOINFO-_IS_NEG_-correct-negative-e.patch
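Review bot: `if (errno != -ENOENT)` compares the positive `errno` value with a negative constant, so the condition is always true and a vanished entry is still reported through `log_error_errno()` exactly as before — the fix described in the commit message does not take effect. It should read `if (errno != ENOENT)`. With that correction `q` stays 0 for a skipped entry, which is what the `q = 0` initialisation in the first hunk is for; a one-line comment above the check, `/* Entry vanished between readdir() and openat(); skip it, only globbed paths reach this loop. */`, would record that intent next to the code. item_do() continues outside both hunks.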
@@ -0,0 +1,84 @@ +From 56f4272ac7b3e4dbc6e343d3df1f3aa9de559f48 Mon Sep 17 00:00:00 2001 +From: Mike Yuan +Date: Thu, 19 Sep 2024 13:38:47 +0200 +Subject: [PATCH 0878/1160] tmpfiles: ERRNO_IS_NOINFO -> _IS_NEG_, correct + negative errno checks + +(cherry picked from commit 755877f20a2e18d1a2c4149662c2caec80230879) +(cherry picked from commit 7884db1b93754901750f21cf1c04e38be0e94f11) +--- + src/tmpfiles/tmpfiles.c | 24 ++++++++++++------------ + 1 file changed, 12 insertions(+), 12 deletions(-) + +diff --git a/src/tmpfiles/tmpfiles.c b/src/tmpfiles/tmpfiles.c +index a84e8fc223..f4c8ebc27f 100644 +--- a/src/tmpfiles/tmpfiles.c ++++ b/src/tmpfiles/tmpfiles.c +@@ -241,12 +241,12 @@ static void context_done(Context *c) { + } + + /* Different kinds of errors that mean that information is not available in the environment. */ +-static bool ERRNO_IS_NOINFO(int r) { +- return IN_SET(abs(r), +- EUNATCH, /* os-release or machine-id missing */ +- ENOMEDIUM, /* machine-id or another file empty */ +- ENOPKG, /* machine-id is uninitialized */ +- ENXIO); /* env var is unset */ ++static bool ERRNO_IS_NEG_NOINFO(intmax_t r) { ++ return IN_SET(r, ++ -EUNATCH, /* os-release or machine-id missing */ ++ -ENOMEDIUM, /* machine-id or another file empty */ ++ -ENOPKG, /* machine-id is uninitialized */ ++ -ENXIO); /* env var is unset */ + } + + static int specifier_directory(char specifier, const void *data, const char *root, const void *userdata, char **ret) { +@@ -339,15 +339,15 @@ static int user_config_paths(char*** ret) { + return r; + + r = xdg_user_config_dir(&persistent_config, "/user-tmpfiles.d"); +- if (r < 0 && !ERRNO_IS_NOINFO(r)) ++ if (r < 0 && !ERRNO_IS_NEG_NOINFO(r)) + return r; + + r = xdg_user_runtime_dir(&runtime_config, "/user-tmpfiles.d"); +- if (r < 0 && !ERRNO_IS_NOINFO(r)) ++ if (r < 0 && !ERRNO_IS_NEG_NOINFO(r)) + return r; + + r = xdg_user_data_dir(&data_home, "/user-tmpfiles.d"); +- if (r < 0 && !ERRNO_IS_NOINFO(r)) ++ if (r < 0 && !ERRNO_IS_NEG_NOINFO(r)) + return 
r; + + r = strv_extend_strv_concat(&res, config_dirs, "/user-tmpfiles.d"); +@@ -3526,7 +3526,7 @@ static int parse_line( + i.try_replace = try_replace; + + r = specifier_printf(path, PATH_MAX-1, specifier_table, arg_root, NULL, &i.path); +- if (ERRNO_IS_NOINFO(r)) ++ if (ERRNO_IS_NEG_NOINFO(r)) + return log_unresolvable_specifier(fname, line); + if (r < 0) { + if (IN_SET(r, -EINVAL, -EBADSLT)) +@@ -3680,7 +3680,7 @@ static int parse_line( + if (!unbase64) { + /* Do specifier expansion except if base64 mode is enabled */ + r = specifier_expansion_from_arg(specifier_table, &i); +- if (ERRNO_IS_NOINFO(r)) ++ if (ERRNO_IS_NEG_NOINFO(r)) + return log_unresolvable_specifier(fname, line); + if (r < 0) { + if (IN_SET(r, -EINVAL, -EBADSLT)) +@@ -4556,7 +4556,7 @@ static int run(int argc, char *argv[]) { + } + } + +- if (ERRNO_IS_RESOURCE(r)) ++ if (ERRNO_IS_NEG_RESOURCE(r)) + return r; + if (invalid_config) + return EX_DATAERR; +-- +2.33.0 + diff --git a/backport-tmpfiles-do-X-bit-check-in-an-ACL-aware-manner.patch b/backport-tmpfiles-do-X-bit-check-in-an-ACL-aware-manner.patch new file mode 100644 index 0000000..3cfc12c --- /dev/null +++ b/backport-tmpfiles-do-X-bit-check-in-an-ACL-aware-manner.patch 
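Review bot: ERRNO_IS_NEG_NOINFO() now matches only negative values, but the comment above it still reads as a generic "kinds of errors" description; it should state the calling convention, since a positive errno passed in will silently fall through to the generic error path rather than be treated as "no information available", e.g. `/* Different kinds of (negative) errors that mean that information is not available in the environment. Takes a negative errno as returned by our helpers; positive values never match. */`. The call sites updated in the hunk (user_config_paths(), parse_line(), run()) all pass `r` from systemd-style calls, so the behaviour there is correct. The `ERRNO_IS_RESOURCE` → `ERRNO_IS_NEG_RESOURCE` change in run() relies on the `_IS_NEG_` helper family being present in this tree's errno-util.h; it is in v255, but that is worth confirming when the backport is rebased.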
@@ -0,0 +1,88 @@ +From c745036c368ee63d2dfcf0e92f05593ede3aee8e Mon Sep 17 00:00:00 2001 +From: Mike Yuan +Date: Tue, 5 Mar 2024 22:25:44 +0800 +Subject: [PATCH 0440/1160] tmpfiles: do 'X' bit check in an ACL-aware manner + +Follow-up for 26d98cdd78cb5283f5771bd5866997acc494b067 + +I.e. stat() cannot be used here. + +Also, before this commit, the 'X' is only applied if +the owner has execute bit set. Now it takes group and +other into consideration too. setfacl(1) also has +the same behavior. + +(cherry picked from commit 29a438e764cbfdddd43e175490e2d8c8eb21b79e) +--- + src/tmpfiles/tmpfiles.c | 46 +++++++++++++++++++++++++---------------- + 1 file changed, 28 insertions(+), 18 deletions(-) + +diff --git a/src/tmpfiles/tmpfiles.c b/src/tmpfiles/tmpfiles.c +index f8e021ba7c..63a70adcdc 100644 +--- a/src/tmpfiles/tmpfiles.c ++++ b/src/tmpfiles/tmpfiles.c +@@ -1190,33 +1190,43 @@ static int parse_acl_cond_exec( + assert(ret); + + if (!S_ISDIR(st->st_mode)) { +- has_exec = st->st_mode & S_IXUSR; ++ _cleanup_(acl_freep) acl_t old = NULL; + +- if (!has_exec && append) { +- _cleanup_(acl_freep) acl_t old = NULL; ++ old = acl_get_file(path, ACL_TYPE_ACCESS); ++ if (!old) ++ return -errno; ++ ++ has_exec = false; ++ ++ for (r = acl_get_entry(old, ACL_FIRST_ENTRY, &entry); ++ r > 0; ++ r = acl_get_entry(old, ACL_NEXT_ENTRY, &entry)) { + +- old = acl_get_file(path, ACL_TYPE_ACCESS); +- if (!old) ++ acl_tag_t tag; ++ ++ if (acl_get_tag_type(entry, &tag) < 0) + return -errno; + +- for (r = acl_get_entry(old, ACL_FIRST_ENTRY, &entry); +- r > 0; +- r = acl_get_entry(old, ACL_NEXT_ENTRY, &entry)) { ++ if (tag == ACL_MASK) ++ continue; + +- if (acl_get_permset(entry, &permset) < 0) +- return -errno; ++ /* If not appending, skip ACL definitions */ ++ if (!append && IN_SET(tag, ACL_USER, ACL_GROUP)) ++ continue; + +- r = acl_get_perm(permset, ACL_EXECUTE); +- if (r < 0) +- return -errno; +- if (r > 0) { +- has_exec = true; +- break; +- } +- } ++ if (acl_get_permset(entry, &permset) < 
0)
++ return -errno;
++
++ r = acl_get_perm(permset, ACL_EXECUTE);
+ if (r < 0)
+ return -errno;
++ if (r > 0) {
++ has_exec = true;
++ break;
++ }
+ }
++ if (r < 0)
++ return -errno;
+
+ /* Check if we're about to set the execute bit in acl_access */
+ if (!has_exec && access) {
+--
+2.33.0
+
diff --git a/backport-tmpfiles-don-t-compare-errno-with-negative-value.patch b/backport-tmpfiles-don-t-compare-errno-with-negative-value.patch
new file mode 100644
index 0000000..9312254
--- /dev/null
+++ b/backport-tmpfiles-don-t-compare-errno-with-negative-value.patch
@@ -0,0 +1,28 @@
+From 632b4934a0a0d0c048d94a3baab4668b58577a03 Mon Sep 17 00:00:00 2001
+From: Mike Yuan
+Date: Fri, 10 May 2024 18:16:31 +0800
+Subject: [PATCH 0685/1160] tmpfiles: don't compare errno with negative value
+
+Follow-up for 677430b3c7fcd1b352eb66f19b8746741459b91a
+
+(cherry picked from commit d8f5a310227e7c74548b7f6ca9aafd39af6a621f)
+---
+ src/tmpfiles/tmpfiles.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/tmpfiles/tmpfiles.c b/src/tmpfiles/tmpfiles.c
+index 6a1c7725a1..a84e8fc223 100644
+--- a/src/tmpfiles/tmpfiles.c
++++ b/src/tmpfiles/tmpfiles.c
+@@ -2402,7 +2402,7 @@ static int item_do(
+
+ de_fd = openat(fd, de->d_name, O_NOFOLLOW|O_CLOEXEC|O_PATH);
+ if (de_fd < 0) {
+- if (errno != -ENOENT)
++ if (errno != ENOENT)
+ q = log_error_errno(errno, "Failed to open file '%s': %m", de->d_name);
+ } else {
+ _cleanup_free_ char *de_path = NULL;
+--
+2.33.0
+
diff --git a/backport-tmpfiles-fix-copypasta-in-create_symlink-FIFO-symlin.patch b/backport-tmpfiles-fix-copypasta-in-create_symlink-FIFO-symlin.patch
new file mode 100644
index 0000000..3202a67
--- /dev/null
+++ b/backport-tmpfiles-fix-copypasta-in-create_symlink-FIFO-symlin.patch
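Review bot: The comment `/* If not appending, skip ACL definitions */` in parse_acl_cond_exec() does not say why named entries are ignored in replace mode, and that reasoning matters for the security outcome of 'X': when `append` is false the existing ACL_USER/ACL_GROUP entries are about to be overwritten, so an execute bit they carry must not cause 'x' to be granted to the new entries. Suggest `/* When replacing rather than appending, existing named user/group entries will be overwritten, so they must not count towards 'X'. */`. The file's access ACL is now read unconditionally (previously only when `!has_exec && append`), so the result depends on the on-disk ACL even when `access` alone would decide; that matches setfacl(1) per the commit message and deserves one sentence in the function header. parse_acl_cond_exec() starts and ends outside the hunk.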
@@ -0,0 +1,29 @@
+From 2baea7d3968e373555531962385046a2a223c8b0 Mon Sep 17 00:00:00 2001
+From: Mike Yuan
+Date: Sun, 9 Feb 2025 15:38:05 +0100
+Subject: [PATCH 1116/1160] tmpfiles: fix copypasta in create_symlink() (FIFO
+ -> symlink)
+
+(cherry picked from commit 6f91e7a3bea2c5046354b31cb650b54e3b2884d5)
+(cherry picked from commit 6caab0c58c8c43c5d4244e2ef2bb739aa06d81c0)
+(cherry picked from commit 3d36ded4105f326e51c13c6f516d4f6e58fd3f73)
+---
+ src/tmpfiles/tmpfiles.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/tmpfiles/tmpfiles.c b/src/tmpfiles/tmpfiles.c
+index f4c8ebc27f..d22fa3b3c7 100644
+--- a/src/tmpfiles/tmpfiles.c
++++ b/src/tmpfiles/tmpfiles.c
+@@ -2279,7 +2279,7 @@ static int create_symlink(Context *c, Item *i) {
+ if (r < 0)
+ return log_error_errno(r, "Failed to extract filename from path '%s': %m", i->path);
+ if (r == O_DIRECTORY)
+- return log_error_errno(SYNTHETIC_ERRNO(EISDIR), "Cannot open path '%s' for creating FIFO, is a directory.", i->path);
++ return log_error_errno(SYNTHETIC_ERRNO(EISDIR), "Cannot open path '%s' for creating symlink, is a directory.", i->path);
+
+ pfd = path_open_parent_safe(i->path, i->allow_failure);
+ if (pfd < 0)
+--
+2.33.0
+
diff --git a/backport-tmpfiles-remove-one-more-use-of-goto-and-modernizati.patch b/backport-tmpfiles-remove-one-more-use-of-goto-and-modernizati.patch
new file mode 100644
index 0000000..e6fcb57
--- /dev/null
+++ b/backport-tmpfiles-remove-one-more-use-of-goto-and-modernizati.patch
@@ -0,0 +1,187 @@ +From 994d218e607360f25f7e617fa9061ec615e87888 Mon Sep 17 00:00:00 2001 +From: Mike Yuan +Date: Tue, 5 Mar 2024 22:41:54 +0800 +Subject: [PATCH 0439/1160] tmpfiles: remove one more use of goto and + modernization + +(cherry picked from commit 83a5db202d94683b10eb1c3cb88b3d0cc0febfdd) +--- + src/tmpfiles/tmpfiles.c | 113 +++++++++++++++++----------------------- + 1 file changed, 47 insertions(+), 66 deletions(-) + +diff --git a/src/tmpfiles/tmpfiles.c b/src/tmpfiles/tmpfiles.c +index bc83aaba0e..f8e021ba7c 100644 +--- a/src/tmpfiles/tmpfiles.c ++++ b/src/tmpfiles/tmpfiles.c +@@ -1173,95 +1173,77 @@ static int parse_acls_from_arg(Item *item) { + #if HAVE_ACL + static int parse_acl_cond_exec( + const char *path, +- acl_t access, /* could be empty (NULL) */ +- acl_t cond_exec, + const struct stat *st, ++ acl_t cond_exec, ++ acl_t access, /* could be empty (NULL) */ + bool append, + acl_t *ret) { + +- _cleanup_(acl_freep) acl_t parsed = NULL; + acl_entry_t entry; + acl_permset_t permset; + bool has_exec; + int r; + + assert(path); +- assert(ret); + assert(st); ++ assert(cond_exec); ++ assert(ret); + +- parsed = access ? 
acl_dup(access) : acl_init(0); +- if (!parsed) +- return -errno; +- +- /* Since we substitute 'X' with 'x' in parse_acl(), we just need to copy the entries over +- * for directories */ +- if (S_ISDIR(st->st_mode)) { +- for (r = acl_get_entry(cond_exec, ACL_FIRST_ENTRY, &entry); +- r > 0; +- r = acl_get_entry(cond_exec, ACL_NEXT_ENTRY, &entry)) { ++ if (!S_ISDIR(st->st_mode)) { ++ has_exec = st->st_mode & S_IXUSR; + +- acl_entry_t parsed_entry; ++ if (!has_exec && append) { ++ _cleanup_(acl_freep) acl_t old = NULL; + +- if (acl_create_entry(&parsed, &parsed_entry) < 0) ++ old = acl_get_file(path, ACL_TYPE_ACCESS); ++ if (!old) + return -errno; + +- if (acl_copy_entry(parsed_entry, entry) < 0) +- return -errno; +- } +- if (r < 0) +- return -errno; +- +- goto finish; +- } +- +- has_exec = st->st_mode & S_IXUSR; ++ for (r = acl_get_entry(old, ACL_FIRST_ENTRY, &entry); ++ r > 0; ++ r = acl_get_entry(old, ACL_NEXT_ENTRY, &entry)) { + +- if (!has_exec && append) { +- _cleanup_(acl_freep) acl_t old = NULL; ++ if (acl_get_permset(entry, &permset) < 0) ++ return -errno; + +- old = acl_get_file(path, ACL_TYPE_ACCESS); +- if (!old) +- return -errno; +- +- for (r = acl_get_entry(old, ACL_FIRST_ENTRY, &entry); +- r > 0; +- r = acl_get_entry(old, ACL_NEXT_ENTRY, &entry)) { +- +- if (acl_get_permset(entry, &permset) < 0) +- return -errno; +- +- r = acl_get_perm(permset, ACL_EXECUTE); ++ r = acl_get_perm(permset, ACL_EXECUTE); ++ if (r < 0) ++ return -errno; ++ if (r > 0) { ++ has_exec = true; ++ break; ++ } ++ } + if (r < 0) + return -errno; +- if (r > 0) { +- has_exec = true; +- break; +- } + } +- if (r < 0) +- return -errno; +- } + +- /* Check if we're about to set the execute bit in acl_access */ +- if (!has_exec && access) { +- for (r = acl_get_entry(access, ACL_FIRST_ENTRY, &entry); +- r > 0; +- r = acl_get_entry(access, ACL_NEXT_ENTRY, &entry)) { ++ /* Check if we're about to set the execute bit in acl_access */ ++ if (!has_exec && access) { ++ for (r = acl_get_entry(access, 
ACL_FIRST_ENTRY, &entry); ++ r > 0; ++ r = acl_get_entry(access, ACL_NEXT_ENTRY, &entry)) { + +- if (acl_get_permset(entry, &permset) < 0) +- return -errno; ++ if (acl_get_permset(entry, &permset) < 0) ++ return -errno; + +- r = acl_get_perm(permset, ACL_EXECUTE); ++ r = acl_get_perm(permset, ACL_EXECUTE); ++ if (r < 0) ++ return -errno; ++ if (r > 0) { ++ has_exec = true; ++ break; ++ } ++ } + if (r < 0) + return -errno; +- if (r > 0) { +- has_exec = true; +- break; +- } + } +- if (r < 0) +- return -errno; +- } ++ } else ++ has_exec = true; ++ ++ _cleanup_(acl_freep) acl_t parsed = access ? acl_dup(access) : acl_init(0); ++ if (!parsed) ++ return -errno; + + for (r = acl_get_entry(cond_exec, ACL_FIRST_ENTRY, &entry); + r > 0; +@@ -1275,6 +1257,7 @@ static int parse_acl_cond_exec( + if (acl_copy_entry(parsed_entry, entry) < 0) + return -errno; + ++ /* We substituted 'X' with 'x' in parse_acl(), so drop execute bit here if not applicable. */ + if (!has_exec) { + if (acl_get_permset(parsed_entry, &permset) < 0) + return -errno; +@@ -1286,7 +1269,6 @@ static int parse_acl_cond_exec( + if (r < 0) + return -errno; + +-finish: + if (!append) { /* want_mask = true */ + r = calc_acl_mask_if_needed(&parsed); + if (r < 0) +@@ -1390,10 +1372,9 @@ static int fd_set_acls( + } + + if (item->acl_access_exec) { +- r = parse_acl_cond_exec(FORMAT_PROC_FD_PATH(fd), +- item->acl_access, ++ r = parse_acl_cond_exec(FORMAT_PROC_FD_PATH(fd), st, + item->acl_access_exec, +- st, ++ item->acl_access, + item->append_or_force, + &access_with_exec_parsed); + if (r < 0) +-- +2.33.0 + diff --git a/backport-tmpfiles.d-avoid-deprecated-undocumented-syntax-s-F-.patch b/backport-tmpfiles.d-avoid-deprecated-undocumented-syntax-s-F-.patch new file mode 100644 index 0000000..b865b2f --- /dev/null +++ b/backport-tmpfiles.d-avoid-deprecated-undocumented-syntax-s-F-.patch 
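Review bot: parse_acl_cond_exec() swaps the positions of two parameters of the same type (`acl_t cond_exec` now precedes `acl_t access`), which the compiler cannot flag at a call site that was not updated; the hunk fixes fd_set_acls(), but any other caller in this backport tree must be checked, because passing `access` where `cond_exec` is expected would at best trip the new `assert(cond_exec)` and at worst apply the wrong set of entries to the file. A one-word comment on the prototype would make the order self-describing: `acl_t cond_exec, /* entries parsed from 'X' */`. The `_cleanup_(acl_freep) acl_t parsed = ...` declaration now sits mid-function after the has_exec logic, which is fine, but the ordering matters since `parsed` must not be touched by the early returns above it. The function's tail (after the mask calculation) is outside the hunk.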
@@ -0,0 +1,28 @@
+From 82f420cb0dcb2c5d214b4f27892c960d3ada729c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?=C5=A0t=C4=9Bp=C3=A1n=20N=C4=9Bmec?=
+Date: Tue, 27 Feb 2024 14:21:33 +0100
+Subject: [PATCH 0423/1160] tmpfiles.d: avoid deprecated, undocumented syntax
+ (s/F/f+/)
+
+Fixes: eccebf4b0dcb ("systemd-tmpfiles: deprecate F for f+")
+(cherry picked from commit 0f1a5ecc1ae112fbc3a2536b70c6ee036f4126d3)
+---
+ tmpfiles.d/systemd.conf.in | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tmpfiles.d/systemd.conf.in b/tmpfiles.d/systemd.conf.in
+index 11a45a3f4b..ce7206145e 100644
+--- a/tmpfiles.d/systemd.conf.in
++++ b/tmpfiles.d/systemd.conf.in
+@@ -9,7 +9,7 @@
+
+ d /run/user 0755 root root -
+ {% if ENABLE_UTMP %}
+-F! /run/utmp 0664 root utmp -
++f+! /run/utmp 0664 root utmp -
+ {% endif %}
+
+ d /run/systemd/ask-password 0755 root root -
+--
+2.33.0
+
diff --git a/backport-tmpfiles.d-systemd-nologin.conf-use-f-instead-of-F-d.patch b/backport-tmpfiles.d-systemd-nologin.conf-use-f-instead-of-F-d.patch
new file mode 100644
index 0000000..ea36006
--- /dev/null
+++ b/backport-tmpfiles.d-systemd-nologin.conf-use-f-instead-of-F-d.patch
@@ -0,0 +1,26 @@
+From 758e35b90747e1a6f064cac51bfe0610912a4424 Mon Sep 17 00:00:00 2001
+From: Mike Yuan
+Date: Thu, 7 Dec 2023 23:14:35 +0800
+Subject: [PATCH 0025/1160] tmpfiles.d/systemd-nologin.conf: use f+ instead of
+ F (deprecated)
+
+Fixes #30368
+
+(cherry picked from commit 3b25958e64c77ed4d3fa2584bebab1e9593b960d)
+---
+ tmpfiles.d/systemd-nologin.conf | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tmpfiles.d/systemd-nologin.conf b/tmpfiles.d/systemd-nologin.conf
+index 69a212a8db..e1efc73918 100644
+--- a/tmpfiles.d/systemd-nologin.conf
++++ b/tmpfiles.d/systemd-nologin.conf
+@@ -7,4 +7,4 @@
+
+ # See tmpfiles.d(5), systemd-user-sessions.service(8) and pam_nologin(8).
+
+-F! /run/nologin 0644 - - - "System is booting up. Unprivileged users are not permitted to log in yet. Please come back later. For technical details, see pam_nologin(8)."
++f+! /run/nologin 0644 - - - "System is booting up. Unprivileged users are not permitted to log in yet. Please come back later. For technical details, see pam_nologin(8)."
+--
+2.33.0
+
diff --git a/backport-tmpfiles.d-systemd-use-ACL-X-bit-where-appropriate.patch b/backport-tmpfiles.d-systemd-use-ACL-X-bit-where-appropriate.patch
new file mode 100644
index 0000000..e3685e2
--- /dev/null
+++ b/backport-tmpfiles.d-systemd-use-ACL-X-bit-where-appropriate.patch
@@ -0,0 +1,38 @@
+From a8e6d2fa362ddeefde83196fff2acbe88e7ee56c Mon Sep 17 00:00:00 2001
+From: Mike Yuan
+Date: Tue, 5 Mar 2024 17:16:49 +0800
+Subject: [PATCH 0441/1160] tmpfiles.d/systemd: use ACL 'X' bit where
+ appropriate
+
+(cherry picked from commit 22549ff4735d0820934b942998a066a6c612f7b2)
+---
+ tmpfiles.d/systemd.conf.in | 9 +++------
+ 1 file changed, 3 insertions(+), 6 deletions(-)
+
+diff --git a/tmpfiles.d/systemd.conf.in b/tmpfiles.d/systemd.conf.in
+index ce7206145e..d36f0694af 100644
+--- a/tmpfiles.d/systemd.conf.in
++++ b/tmpfiles.d/systemd.conf.in
+@@ -26,16 +26,13 @@ Z /run/log/journal/%m ~2750 root systemd-journal - -
+ {% if HAVE_ACL %}
+ {% if ENABLE_ADM_GROUP and ENABLE_WHEEL_GROUP %}
+ a+ /run/log/journal - - - - d:group::r-x,d:group:adm:r-x,d:group:wheel:r-x,group::r-x,group:adm:r-x,group:wheel:r-x
+-a+ /run/log/journal/%m - - - - d:group:adm:r-x,d:group:wheel:r-x,group:adm:r-x,group:wheel:r-x
+-a+ /run/log/journal/%m/*.journal* - - - - group:adm:r--,group:wheel:r--
++A+ /run/log/journal/%m - - - - d:group:adm:r-x,d:group:wheel:r-x,group:adm:r-X,group:wheel:r-X
+ {% elif ENABLE_ADM_GROUP %}
+ a+ /run/log/journal - - - - d:group::r-x,d:group:adm:r-x,group::r-x,group:adm:r-x
+-a+ /run/log/journal/%m - - - - d:group:adm:r-x,group:adm:r-x
+-a+ /run/log/journal/%m/*.journal* - - - - group:adm:r--
++A+ /run/log/journal/%m - - - - d:group:adm:r-x,group:adm:r-X
+ {% elif ENABLE_WHEEL_GROUP %}
+ a+ /run/log/journal - - - - d:group::r-x,d:group:wheel:r-x,group::r-x,group:wheel:r-x
+-a+ /run/log/journal/%m - - - - d:group:wheel:r-x,group:wheel:r-x
+-a+ /run/log/journal/%m/*.journal* - - - - group:wheel:r--
++A+ /run/log/journal/%m - - - - d:group:wheel:r-x,group:wheel:r-X
+ {% endif %}
+ {% endif %}
+
+--
+2.33.0
+
diff --git a/backport-tpm2-Do-not-use-RSA-exponent-special-case-default-va.patch b/backport-tpm2-Do-not-use-RSA-exponent-special-case-default-va.patch
new file mode 100644
index 0000000..27bd1e0
--- /dev/null
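Review bot: The new `A+ /run/log/journal/%m` rules are recursive and drop the `*.journal*` glob, so the adm/wheel read ACL is now applied to everything under the machine journal directory rather than only to journal files; that is presumably intended (the directory is expected to hold only journal files), but it widens what these groups can read should anything else ever be placed there, and a short comment above the block stating that assumption would help the next person who edits it. The `r-X` spelling only behaves as intended (no execute bit on non-executable files, regardless of owner bits) together with backport-tmpfiles-do-X-bit-check-in-an-ACL-aware-manner.patch from this same series, so the two patches need to stay paired if the series is ever trimmed.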
+++ b/backport-tpm2-Do-not-use-RSA-exponent-special-case-default-va.patch 
@@ -0,0 +1,78 @@ +From cf39b6b701315046860e42464f7a5fe03e19e28d Mon Sep 17 00:00:00 2001 +From: Dan Streetman +Date: Tue, 16 Jan 2024 10:02:47 -0500 +Subject: [PATCH 0158/1160] tpm2: Do not use RSA exponent special-case default + value in PEM->TPM2B_PUBLIC conversion + +The openssl default value for an RSA key exponent value is 0x10001, and the TPM +specification defines a exponent value of 0 as representing this value. The +systemd code that converted an RSA PEM public key to a TPM2B_PUBLIC object +previously used the exponent value directly, but commit +e3acb4d24c68291376b11bea5787112978e2775f changed the conversion to use the +special case exponent value of 0 for any RSA key with an exponent value of +0x10001. + +Because the entire TPM2B_PUBLIC object is used to calculate its "name", this +difference in exponent value (0x10001 vs 0) introduced a change in the key +"name". Since the Authorize policy uses the key "name" directly in its policy +session hash value, this change resulted in new systemd code being unable to +properly unseal any data (e.g. a LUKS volume) that was previously sealed. + +This reverts the code to no longer override an RSA exponent value of 0x10001 +with the special case value of 0. + +Fixes a bug introduced by commit e3acb4d24c68291376b11bea5787112978e2775f. 
+ +Fixes: #30546 +(cherry picked from commit 1242b9ab2bd306df0df51ca9ee7801f572ce1e28) +--- + src/shared/tpm2-util.c | 12 ++++++++++-- + src/test/test-tpm2.c | 2 +- + 2 files changed, 11 insertions(+), 3 deletions(-) + +diff --git a/src/shared/tpm2-util.c b/src/shared/tpm2-util.c +index a03c1099f9..6367ec0d4f 100644 +--- a/src/shared/tpm2-util.c ++++ b/src/shared/tpm2-util.c +@@ -4196,6 +4196,11 @@ int tpm2_tpm2b_public_to_openssl_pkey(const TPM2B_PUBLIC *public, EVP_PKEY **ret + } + } + ++/* Be careful before changing anything in this function, as the TPM key "name" is calculated using the entire ++ * TPMT_PUBLIC (after marshalling), and that "name" is used (for example) to calculate the policy hash for ++ * the Authorize policy. So we must ensure this conversion of a PEM to TPM2B_PUBLIC does not change the ++ * "name", because it would break unsealing of previously-sealed objects that used (for example) ++ * tpm2_calculate_policy_authorize(). See bug #30546. */ + int tpm2_tpm2b_public_from_openssl_pkey(const EVP_PKEY *pkey, TPM2B_PUBLIC *ret) { + int key_id, r; + +@@ -4274,8 +4279,11 @@ int tpm2_tpm2b_public_from_openssl_pkey(const EVP_PKEY *pkey, TPM2B_PUBLIC *ret) + uint32_t exponent = 0; + memcpy(&exponent, e, e_size); + exponent = be32toh(exponent) >> (32 - e_size * 8); +- if (exponent == TPM2_RSA_DEFAULT_EXPONENT) +- exponent = 0; ++ ++ /* TPM specification Part 2 ("Structures") section for TPMS_RSA_PARAMS states "An exponent of ++ * zero indicates that the exponent is the default of 2^16 + 1". However, we have no reason ++ * to special case it in our PEM->TPM2B_PUBLIC conversion, and doing so could break backwards ++ * compatibility, so even if it is the "default" value of 0x10001, we do not set it to 0. 
*/ + public.parameters.rsaDetail.exponent = exponent; + + break; +diff --git a/src/test/test-tpm2.c b/src/test/test-tpm2.c +index 06b9800dec..f4abb5c0a8 100644 +--- a/src/test/test-tpm2.c ++++ b/src/test/test-tpm2.c +@@ -846,7 +846,7 @@ TEST(tpm2b_public_from_openssl_pkey) { + + assert_se(p->parameters.rsaDetail.keyBits == expected_n_len * 8); + +- assert_se(p->parameters.rsaDetail.exponent == 0); ++ assert_se(p->parameters.rsaDetail.exponent == 0x10001); + + check_tpm2b_public_fingerprint(&public, "d9186d13a7fd5b3644cee05448f49ad3574e82a2942ff93cf89598d36cca78a9"); + } +-- +2.33.0 + diff --git a/backport-tpm2-If-unsealing-results-in-policy-hash-mismatch-wh.patch b/backport-tpm2-If-unsealing-results-in-policy-hash-mismatch-wh.patch new file mode 100644 index 0000000..f912872 --- /dev/null +++ b/backport-tpm2-If-unsealing-results-in-policy-hash-mismatch-wh.patch 
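Review bot: The regression this reverts (a changed TPM key "name" that broke unsealing of previously sealed data) is not pinned by the updated test: test-tpm2.c only asserts the exponent and the openssl fingerprint, and the fingerprint `d9186d13…` is unchanged across the fix, presumably because the TPM2B_PUBLIC→openssl direction maps an exponent of 0 back to the default. A test that asserts the computed name of the fixture key (for example through tpm2_calculate_pubkey_name()) would catch the next accidental name change at build time instead of at first unlock. The `>> (32 - e_size * 8)` shift silently assumes `e_size <= 4`; I assume a bound check exists above the hunk, and if so a comment at this line, `/* e_size is bounded to sizeof(uint32_t) above */`, would make that dependency explicit. tpm2_tpm2b_public_from_openssl_pkey() continues outside the hunk.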
@@ -0,0 +1,52 @@
+From cf84185ad1a28649d66541b057a4c7ddddd31f8f Mon Sep 17 00:00:00 2001
+From: Dan Streetman
+Date: Tue, 16 Jan 2024 10:39:06 -0500
+Subject: [PATCH 0161/1160] tpm2: If unsealing results in policy hash mismatch
+ when using RSA pubkey, possibly retry
+
+The commit e3acb4d24c68291376b11bea5787112978e2775f changed how we format a
+TPM2B_PUBLIC object from an openssl PEM RSA key if it used the TPM-defined
+"default" RSA exponent, to instead set the TPM2B_PUBLIC RSA exponent to the
+special-case value of 0. This broke backwards compatibility with
+previously-sealed data. The previous commit fixed our code to no longer use the
+"special case" exponent value of 0, while this commit adds a fallback check for
+any sealed data that used the exponent value of 0. Now unsealing should work
+for sealed data that used either method (either 0 or the actual value).
+
+(cherry picked from commit fda3e844657b61b69f8d0badffb6239840ef9e97)
+---
+ src/shared/tpm2-util.c | 15 ++++++++++++++-
+ 1 file changed, 14 insertions(+), 1 deletion(-)
+
+diff --git a/src/shared/tpm2-util.c b/src/shared/tpm2-util.c
+index 6367ec0d4f..30b4f57fd6 100644
+--- a/src/shared/tpm2-util.c
++++ b/src/shared/tpm2-util.c
+@@ -5575,10 +5575,23 @@ int tpm2_unseal(Tpm2Context *c,
+ /* If we know the policy hash to expect, and it doesn't match, we can shortcut things here, and not
+ * wait until the TPM2 tells us to go away.
*/
+ if (known_policy_hash_size > 0 &&
+- memcmp_nn(policy_digest->buffer, policy_digest->size, known_policy_hash, known_policy_hash_size) != 0)
++ memcmp_nn(policy_digest->buffer, policy_digest->size, known_policy_hash, known_policy_hash_size) != 0) {
++
++#if HAVE_OPENSSL
++ if (pubkey_size > 0 &&
++ pubkey_tpm2b.publicArea.type == TPM2_ALG_RSA &&
++ pubkey_tpm2b.publicArea.parameters.rsaDetail.exponent == TPM2_RSA_DEFAULT_EXPONENT) {
++ /* Due to bug #30546, if using RSA pubkey with the default exponent, we may
++ * need to set the exponent to the TPM special-case value of 0 and retry. */
++ log_debug("Policy hash mismatch, retrying with RSA pubkey exponent set to 0.");
++ pubkey_tpm2b.publicArea.parameters.rsaDetail.exponent = 0;
++ continue;
++ } else
++#endif
+ return log_debug_errno(SYNTHETIC_ERRNO(EPERM),
+ "Current policy digest does not match stored policy digest, cancelling "
+ "TPM2 authentication attempt.");
++ }
+
+ log_debug("Unsealing HMAC key.");
+
+--
+2.33.0
+
diff --git a/backport-tpm2-setup-Add-graceful.patch b/backport-tpm2-setup-Add-graceful.patch
new file mode 100644
index 0000000..77cb0ba
--- /dev/null
+++ b/backport-tpm2-setup-Add-graceful.patch
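Review bot: The retry in tpm2_unseal() rewrites `pubkey_tpm2b` in place and `continue`s; the retry is bounded (on the second pass the exponent is 0, the `TPM2_RSA_DEFAULT_EXPONENT` test fails and the EPERM return is taken), but the loop header and the per-iteration TPM resources are outside the hunk, so confirm that any policy session created earlier in the iteration is flushed before `continue`, otherwise each retry leaks a session handle on the TPM. The `} else` / `#endif` / `return` construction is a dangling else across a preprocessor boundary; since the `if` branch ends in `continue`, the `else` is redundant and the block reads better as `if (...) { ...; continue; }` under `#if HAVE_OPENSSL` followed by an unconditional `return log_debug_errno(...)`. The comment could also state what the retry is actually recomputing: `/* Data sealed before the fix to #30546 was bound to the key name derived with exponent 0; recomputing with that value reproduces the old name. */`.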
@@ -0,0 +1,99 @@ +From b497ed159afa7a51338c0cde36c34e6fffd7549d Mon Sep 17 00:00:00 2001 +From: Daan De Meyer +Date: Sun, 17 Mar 2024 12:34:50 +0100 +Subject: [PATCH 0548/1160] tpm2-setup: Add --graceful + +Currently the associated units fail if full tpm support is not available +on the system. Similar to systemd-pcrextend, let's add a --graceful option +that exits gracefully if no full TPM support is detected and use it in both +units. + +(cherry picked from commit 966e05af048bd388921de88ec1a550856b8d4280) +--- + src/tpm2-setup/tpm2-setup.c | 13 +++++++++++++ + units/systemd-tpm2-setup-early.service.in | 2 +- + units/systemd-tpm2-setup.service.in | 2 +- + 3 files changed, 15 insertions(+), 2 deletions(-) + +diff --git a/src/tpm2-setup/tpm2-setup.c b/src/tpm2-setup/tpm2-setup.c +index 0dacafe4b2..35628fc02a 100644 +--- a/src/tpm2-setup/tpm2-setup.c ++++ b/src/tpm2-setup/tpm2-setup.c +@@ -18,6 +18,7 @@ + + static char *arg_tpm2_device = NULL; + static bool arg_early = false; ++static bool arg_graceful = false; + + STATIC_DESTRUCTOR_REGISTER(arg_tpm2_device, freep); + +@@ -43,6 +44,7 @@ static int help(int argc, char *argv[], void *userdata) { + " --tpm2-device=PATH\n" + " Pick TPM2 device\n" + " --early=BOOL Store SRK public key in /run/ rather than /var/lib/\n" ++ " --graceful Exit gracefully if no TPM2 device is found\n" + "\nSee the %2$s for details.\n", + program_invocation_short_name, + link, +@@ -59,6 +61,7 @@ static int parse_argv(int argc, char *argv[]) { + ARG_VERSION = 0x100, + ARG_TPM2_DEVICE, + ARG_EARLY, ++ ARG_GRACEFUL, + }; + + static const struct option options[] = { +@@ -66,6 +69,7 @@ static int parse_argv(int argc, char *argv[]) { + { "version", no_argument, NULL, ARG_VERSION }, + { "tpm2-device", required_argument, NULL, ARG_TPM2_DEVICE }, + { "early", required_argument, NULL, ARG_EARLY }, ++ { "graceful", no_argument, NULL, ARG_GRACEFUL }, + {} + }; + +@@ -100,6 +104,10 @@ static int parse_argv(int argc, char *argv[]) { + arg_early = r; + break; 
+
++ case ARG_GRACEFUL:
++ arg_graceful = true;
++ break;
++
+ case '?':
+ return -EINVAL;
+
+@@ -247,6 +255,11 @@ static int run(int argc, char *argv[]) {
+ if (r <= 0)
+ return r;
+
++ if (arg_graceful && tpm2_support() != TPM2_SUPPORT_FULL) {
++ log_notice("No complete TPM2 support detected, exiting gracefully.");
++ return EXIT_SUCCESS;
++ }
++
+ umask(0022);
+
+ _cleanup_(public_key_data_done) struct public_key_data runtime_key = {}, persistent_key = {}, tpm2_key = {};
+diff --git a/units/systemd-tpm2-setup-early.service.in b/units/systemd-tpm2-setup-early.service.in
+index 5adcb7e19f..6996efe7be 100644
+--- a/units/systemd-tpm2-setup-early.service.in
++++ b/units/systemd-tpm2-setup-early.service.in
+@@ -20,4 +20,4 @@ ConditionPathExists=!/run/systemd/tpm2-srk-public-key.pem
+ [Service]
+ Type=oneshot
+ RemainAfterExit=yes
+-ExecStart={{LIBEXECDIR}}/systemd-tpm2-setup --early=yes
++ExecStart={{LIBEXECDIR}}/systemd-tpm2-setup --early=yes --graceful
+diff --git a/units/systemd-tpm2-setup.service.in b/units/systemd-tpm2-setup.service.in
+index 6c99f3af0a..8c1851fb68 100644
+--- a/units/systemd-tpm2-setup.service.in
++++ b/units/systemd-tpm2-setup.service.in
+@@ -21,4 +21,4 @@ ConditionPathExists=!/etc/initrd-release
+ [Service]
+ Type=oneshot
+ RemainAfterExit=yes
+-ExecStart={{LIBEXECDIR}}/systemd-tpm2-setup
++ExecStart={{LIBEXECDIR}}/systemd-tpm2-setup --graceful
+--
+2.33.0
+
diff --git a/backport-tpm2-setup-Don-t-fail-if-we-can-t-access-the-TPM-due.patch b/backport-tpm2-setup-Don-t-fail-if-we-can-t-access-the-TPM-due.patch
new file mode 100644
index 0000000..6986476
--- /dev/null
+++ b/backport-tpm2-setup-Don-t-fail-if-we-can-t-access-the-TPM-due.patch
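Review bot: The help text for the new option, `--graceful Exit gracefully if no TPM2 device is found`, does not match what run() checks: `tpm2_support() != TPM2_SUPPORT_FULL` also exits when the device exists but driver, library or firmware support is incomplete, so the help line should mirror the log_notice() wording, `" --graceful Exit gracefully if no complete TPM2 support is detected\n"`. The diffstat touches only tpm2-setup.c and the two units, so the option is not described in the manual page; a short paragraph there is needed since both shipped units now pass it. Because the units are enabled by default, the notice is emitted on every boot of a TPM-less machine; that is consistent with systemd-pcrextend, but if it proves too loud, log_info() with the same text keeps the behaviour observable without a notice-level message per boot.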
@@ -0,0 +1,136 @@ +From 5520d89148a0e69a9879378c1c2efbf63072176e Mon Sep 17 00:00:00 2001 +From: Daan De Meyer +Date: Fri, 17 May 2024 16:20:11 +0200 +Subject: [PATCH 0692/1160] tpm2-setup: Don't fail if we can't access the TPM + due to authorization failure + +The TPM might be password/pin protected for various reasons even if +there is no SRK yet. Let's handle those cases gracefully instead of +failing the unit as it is enabled by default. + +(cherry picked from commit d6518003f8ebbfb6f85dbf227736ae05b0961199) +(cherry picked from commit 30df42a9277bbf138d52887c9b79e452db425585) +--- + catalog/systemd.catalog.in | 13 +++++++++++++ + src/shared/tpm2-util.c | 2 ++ + src/systemd/sd-messages.h | 3 +++ + src/tpm2-setup/tpm2-setup.c | 13 ++++++++++++- + units/systemd-tpm2-setup-early.service.in | 3 +++ + units/systemd-tpm2-setup.service.in | 3 +++ + 6 files changed, 36 insertions(+), 1 deletion(-) + +diff --git a/catalog/systemd.catalog.in b/catalog/systemd.catalog.in +index 04e90e0b75..7f528e4cac 100644 +--- a/catalog/systemd.catalog.in ++++ b/catalog/systemd.catalog.in +@@ -768,3 +768,16 @@ Documentation: https://systemd.io/PORTABLE_SERVICES/ + A Portable Service @PORTABLE_ROOT@ (with extensions: @PORTABLE_EXTENSION@) has been + detached from the system and is no longer available for use. The list of attached + Portable Services can be queried with 'portablectl list'. ++ ++-- ad7089f928ac4f7ea00c07457d47ba8a ++Subject: Authorization failure while attempting to enroll SRK into TPM ++Defined-By: systemd ++Support: %SUPPORT_URL% ++Documentation: man:systemd-tpm2-setup.service(8) ++ ++An authorization failure occured while attempting to enroll a Storage Root Key (SRK) on the Trusted Platform ++Module (TPM). Most likely this means that a PIN/Password (authValue) has been set on the Owner hierarchy of ++the TPM. ++ ++Automatic SRK enrollment on TPMs in such scenarios is not supported. 
In order to unset the PIN/password ++protection on the owner hierarchy issue a command like the following: 'tpm2_changeauth -c o -p ""'. +diff --git a/src/shared/tpm2-util.c b/src/shared/tpm2-util.c +index c7e0b2459c..b4f35cbf0b 100644 +--- a/src/shared/tpm2-util.c ++++ b/src/shared/tpm2-util.c +@@ -2093,6 +2093,8 @@ int tpm2_create_primary( + /* creationData= */ NULL, + /* creationHash= */ NULL, + /* creationTicket= */ NULL); ++ if (rc == TPM2_RC_BAD_AUTH) ++ return log_debug_errno(SYNTHETIC_ERRNO(EDEADLK), "Authorization failure while attempting to enroll SRK into TPM."); + if (rc != TSS2_RC_SUCCESS) + return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE), + "Failed to generate primary key in TPM: %s", +diff --git a/src/systemd/sd-messages.h b/src/systemd/sd-messages.h +index e3f68068a8..16e9986be3 100644 +--- a/src/systemd/sd-messages.h ++++ b/src/systemd/sd-messages.h +@@ -272,6 +272,9 @@ _SD_BEGIN_DECLARATIONS; + #define SD_MESSAGE_PORTABLE_DETACHED SD_ID128_MAKE(76,c5,c7,54,d6,28,49,0d,8e,cb,a4,c9,d0,42,11,2b) + #define SD_MESSAGE_PORTABLE_DETACHED_STR SD_ID128_MAKE_STR(76,c5,c7,54,d6,28,49,0d,8e,cb,a4,c9,d0,42,11,2b) + ++#define SD_MESSAGE_SRK_ENROLLMENT_NEEDS_AUTHORIZATION SD_ID128_MAKE(ad,70,89,f9,28,ac,4f,7e,a0,0c,07,45,7d,47,ba,8a) ++#define SD_MESSAGE_SRK_ENROLLMENT_NEEDS_AUTHORIZATION_STR SD_ID128_MAKE_STR(ad,70,89,f9,28,ac,4f,7e,a0,0c,07,45,7d,47,ba,8a) ++ + _SD_END_DECLARATIONS; + + #endif +diff --git a/src/tpm2-setup/tpm2-setup.c b/src/tpm2-setup/tpm2-setup.c +index 35628fc02a..b95c5e7a58 100644 +--- a/src/tpm2-setup/tpm2-setup.c ++++ b/src/tpm2-setup/tpm2-setup.c +@@ -3,6 +3,8 @@ + #include + #include + ++#include "sd-messages.h" ++ + #include "build.h" + #include "fd-util.h" + #include "fileio.h" +@@ -223,6 +225,8 @@ static int load_public_key_tpm2(struct public_key_data *ret) { + /* ret_name= */ NULL, + /* ret_qname= */ NULL, + NULL); ++ if (r == -EDEADLK) ++ return r; + if (r < 0) + return log_error_errno(r, "Failed to get or create SRK: %m"); 
+ if (r > 0) +@@ -289,6 +293,13 @@ static int run(int argc, char *argv[]) { + } + + r = load_public_key_tpm2(&tpm2_key); ++ if (r == -EDEADLK) { ++ log_struct_errno(LOG_INFO, r, ++ LOG_MESSAGE("Insufficient permissions to access TPM, not generating SRK."), ++ "MESSAGE_ID=" SD_MESSAGE_SRK_ENROLLMENT_NEEDS_AUTHORIZATION_STR); ++ return 76; /* Special return value which means "Insufficient permissions to access TPM, ++ * cannot generate SRK". This isn't really an error when called at boot. */; ++ } + if (r < 0) + return r; + +@@ -383,4 +394,4 @@ static int run(int argc, char *argv[]) { + return 0; + } + +-DEFINE_MAIN_FUNCTION(run); ++DEFINE_MAIN_FUNCTION_WITH_POSITIVE_FAILURE(run); +diff --git a/units/systemd-tpm2-setup-early.service.in b/units/systemd-tpm2-setup-early.service.in +index 6996efe7be..4728def66e 100644 +--- a/units/systemd-tpm2-setup-early.service.in ++++ b/units/systemd-tpm2-setup-early.service.in +@@ -21,3 +21,6 @@ ConditionPathExists=!/run/systemd/tpm2-srk-public-key.pem + Type=oneshot + RemainAfterExit=yes + ExecStart={{LIBEXECDIR}}/systemd-tpm2-setup --early=yes --graceful ++ ++# The tool returns 76 if the TPM cannot be accessed due to an authorization failure and we can't generate an SRK. ++SuccessExitStatus=76 +diff --git a/units/systemd-tpm2-setup.service.in b/units/systemd-tpm2-setup.service.in +index 8c1851fb68..0e3d46509f 100644 +--- a/units/systemd-tpm2-setup.service.in ++++ b/units/systemd-tpm2-setup.service.in +@@ -22,3 +22,6 @@ ConditionPathExists=!/etc/initrd-release + Type=oneshot + RemainAfterExit=yes + ExecStart={{LIBEXECDIR}}/systemd-tpm2-setup --graceful ++ ++# The tool returns 76 if the TPM cannot be accessed due to an authorization failure and we can't generate an SRK. ++SuccessExitStatus=76 +-- +2.33.0 + diff --git a/backport-tpm2-setup-add-missing-O_CLOEXEC-at-two-places.patch b/backport-tpm2-setup-add-missing-O_CLOEXEC-at-two-places.patch new file mode 100644 index 0000000..30ef735 --- /dev/null 
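Review bot: `-EDEADLK` is used as an ad-hoc sentinel for "authorization failure": `tpm2_create_primary()` maps `TPM2_RC_BAD_AUTH` to it, `load_public_key_tpm2()` passes it through without logging, and `run()` turns it into exit status 76, which both units now list under `SuccessExitStatus=`, so any unrelated `-EDEADLK` surfacing from `tpm2_get_or_create_srk()` would be reported as success without an SRK. A comment at the `tpm2_create_primary()` site such as `/* EDEADLK is reserved here to mean "owner hierarchy auth failed"; callers exit successfully on it */` would at least make that contract explicit. Format-1 TPM response codes like `TPM2_RC_BAD_AUTH` are usually returned by the TPM with the handle/session/parameter index set in the upper bits, so the exact `rc == TPM2_RC_BAD_AUTH` test may not match what a real device returns; if so, compare after masking, e.g. `(rc & ~(TPM2_RC_N_MASK|TPM2_RC_P)) == TPM2_RC_BAD_AUTH` — the same concern applies to `rc == TPM2_RC_VALUE` in the TPM2_RC_VALUES backport further down. The catalog entry also misspells "occured" (should be "occurred").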
+++ b/backport-tpm2-setup-add-missing-O_CLOEXEC-at-two-places.patch
@@ -0,0 +1,37 @@
+From 72d766fd6c52320d7e81770ce201230c537ff793 Mon Sep 17 00:00:00 2001
+From: Lennart Poettering
+Date: Wed, 26 Feb 2025 09:10:16 +0100
+Subject: [PATCH 1137/1160] tpm2-setup: add missing O_CLOEXEC at two places
+
+(cherry picked from commit f4e5a730002fa7ed714b89775c3e5fae6d003aae)
+(cherry picked from commit e23c2e8bed7db1f12d026e8036464edba1fe309d)
+(cherry picked from commit 623a9c2b6526655742a61f6ffe3dfede053ad897)
+---
+ src/tpm2-setup/tpm2-setup.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/tpm2-setup/tpm2-setup.c b/src/tpm2-setup/tpm2-setup.c
+index b95c5e7a58..e70bc9b32b 100644
+--- a/src/tpm2-setup/tpm2-setup.c
++++ b/src/tpm2-setup/tpm2-setup.c
+@@ -338,7 +338,7 @@ static int run(int argc, char *argv[]) {
+ /* Write out public key (note that we only do that as a help to the user, we don't make use of this ever */
+ _cleanup_(unlink_and_freep) char *t = NULL;
+ _cleanup_fclose_ FILE *f = NULL;
+- r = fopen_tmpfile_linkable(pem_path, O_WRONLY, &t, &f);
++ r = fopen_tmpfile_linkable(pem_path, O_WRONLY|O_CLOEXEC, &t, &f);
+ if (r < 0)
+ return log_error_errno(r, "Failed to open SRK public key file '%s' for writing: %m", pem_path);
+
+@@ -365,7 +365,7 @@ static int run(int argc, char *argv[]) {
+ (void) mkdir_parents(tpm2b_public_path, 0755);
+
+ /* Now also write this out in TPM2B_PUBLIC format */
+- r = fopen_tmpfile_linkable(tpm2b_public_path, O_WRONLY, &t, &f);
++ r = fopen_tmpfile_linkable(tpm2b_public_path, O_WRONLY|O_CLOEXEC, &t, &f);
+ if (r < 0)
+ return log_error_errno(r, "Failed to open SRK public key file '%s' for writing: %m", tpm2b_public_path);
+
+--
+2.33.0
+
diff --git a/backport-tpm2-setup-early-order-against-pcrphase-initrd.patch b/backport-tpm2-setup-early-order-against-pcrphase-initrd.patch
new file mode 100644
index 0000000..bfb9dd8
--- /dev/null
+++ b/backport-tpm2-setup-early-order-against-pcrphase-initrd.patch
@@ -0,0 +1,41 @@
+From 4b305adece235bb94a1d25b05010df1165065f42 Mon Sep 17 00:00:00 2001
+From: Lennart Poettering
+Date: Mon, 22 Apr 2024 14:47:58 +0200
+Subject: [PATCH 0522/1160] tpm2-setup-early: order against pcrphase-initrd
+
+Right now systemd-tpm2-setup-early and systemd-pcrphase-initrd.service
+are not ordered against each other. However, they require the same slow
+resource to operate: the TPM2. If we allow them to access the device
+simultaneously, the kernel resource manager like has to save/restore TPM
+state while they operate, slowing things down further.
+
+hence, let's avoid all this mess, and just order them against each other
+so that the shared resource is first used in full by one and then by the
+other.
+
+I opted to order systemd-pcrphase-initrd before
+systemd-tpm2-setup-early, since there's value in having the former as
+early as possible in userspace, to be a good marker for the transition
+from kernel to first userspace. I can see no benefit in the opposite
+order however.
+
+(cherry picked from commit a6e9c37f5e7ecaac81f028bff6b7e206484960e6)
+---
+ units/systemd-tpm2-setup-early.service.in | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/units/systemd-tpm2-setup-early.service.in b/units/systemd-tpm2-setup-early.service.in
+index c1597ea3f9..5adcb7e19f 100644
+--- a/units/systemd-tpm2-setup-early.service.in
++++ b/units/systemd-tpm2-setup-early.service.in
+@@ -12,6 +12,7 @@ Description=TPM2 SRK Setup (Early)
+ Documentation=man:systemd-tpm2-setup.service(8)
+ DefaultDependencies=no
+ Conflicts=shutdown.target
++After=tpm2.target systemd-pcrphase-initrd.service
+ Before=sysinit.target shutdown.target
+ ConditionSecurity=measured-uki
+ ConditionPathExists=!/run/systemd/tpm2-srk-public-key.pem
+--
+2.33.0
+
diff --git a/backport-tpm2-util-add-generic-wrapper-tpm2_context_new_or_wa.patch b/backport-tpm2-util-add-generic-wrapper-tpm2_context_new_or_wa.patch
new file mode 100644
index 0000000..0436fb1
--- /dev/null
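Review bot: The added `After=` line also introduces `tpm2.target` as an ordering dependency, which the commit message (it only discusses systemd-pcrphase-initrd.service) does not mention, so a reader of the backport cannot tell whether that part is deliberate; the description or a backport note should say so. `After=` is pure ordering, so on an initrd that does not pull in systemd-pcrphase-initrd.service the line changes nothing, which matches the stated intent but deserves a short comment in the unit, e.g. `# Serialize TPM2 access: let the initrd PCR phase measurement finish first.`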
+++ b/backport-tpm2-util-add-generic-wrapper-tpm2_context_new_or_wa.patch 
@@ -0,0 +1,280 @@ +From 11280a0e120441b805c5091e23cc486096b422b7 Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Mon, 22 Apr 2024 09:46:23 +0200 +Subject: [PATCH 0509/1160] tpm2-util: add generic wrapper + tpm2_context_new_or_warn() that wrpas tpm2_context_new and logs about errors + +We so far just print a short log message that is not very useful, let's +add some recognizable error codes, and output better log messages if we +can't get TPM stuff to work. + +Fixes: #31925 +(cherry picked from commit 21a3bc6b9f01c3b0bf906c0b28f8827db086edf8) +--- + src/analyze/analyze-srk.c | 4 +-- + src/cryptenroll/cryptenroll-tpm2.c | 4 +-- + src/cryptsetup/cryptsetup-tokens/luks2-tpm2.c | 4 +-- + src/cryptsetup/cryptsetup-tpm2.c | 4 +-- + src/cryptsetup/cryptsetup.c | 4 +-- + src/partition/repart.c | 4 +-- + src/pcrextend/pcrextend.c | 2 +- + src/pcrlock/pcrlock.c | 8 +++--- + src/shared/creds-util.c | 4 +-- + src/shared/tpm2-util.c | 28 +++++++++++++++---- + src/shared/tpm2-util.h | 1 + + src/tpm2-setup/tpm2-setup.c | 4 +-- + 12 files changed, 45 insertions(+), 26 deletions(-) + +diff --git a/src/analyze/analyze-srk.c b/src/analyze/analyze-srk.c +index 0e24b416bb..6faf2c29a3 100644 +--- a/src/analyze/analyze-srk.c ++++ b/src/analyze/analyze-srk.c +@@ -11,9 +11,9 @@ int verb_srk(int argc, char *argv[], void *userdata) { + _cleanup_(Esys_Freep) TPM2B_PUBLIC *public = NULL; + int r; + +- r = tpm2_context_new(/* device= */ NULL, &c); ++ r = tpm2_context_new_or_warn(/* device= */ NULL, &c); + if (r < 0) +- return log_error_errno(r, "Failed to create TPM2 context: %m"); ++ return r; + + r = tpm2_get_srk( + c, +diff --git a/src/cryptenroll/cryptenroll-tpm2.c b/src/cryptenroll/cryptenroll-tpm2.c +index 653ad4452a..2d93e1315a 100644 +--- a/src/cryptenroll/cryptenroll-tpm2.c ++++ b/src/cryptenroll/cryptenroll-tpm2.c +@@ -239,9 +239,9 @@ int enroll_tpm2(struct crypt_device *cd, + return log_error_errno(SYNTHETIC_ERRNO(EINVAL), + "Must provide all PCR values when using TPM2 
device key."); + } else { +- r = tpm2_context_new(device, &tpm2_context); ++ r = tpm2_context_new_or_warn(device, &tpm2_context); + if (r < 0) +- return log_error_errno(r, "Failed to create TPM2 context: %m"); ++ return r; + + if (!tpm2_pcr_values_has_all_values(hash_pcr_values, n_hash_pcr_values)) { + r = tpm2_pcr_read_missing_values(tpm2_context, hash_pcr_values, n_hash_pcr_values); +diff --git a/src/cryptsetup/cryptsetup-tokens/luks2-tpm2.c b/src/cryptsetup/cryptsetup-tokens/luks2-tpm2.c +index 72be5cc71d..846679fca7 100644 +--- a/src/cryptsetup/cryptsetup-tokens/luks2-tpm2.c ++++ b/src/cryptsetup/cryptsetup-tokens/luks2-tpm2.c +@@ -85,9 +85,9 @@ int acquire_luks2_key( + } + + _cleanup_(tpm2_context_unrefp) Tpm2Context *tpm2_context = NULL; +- r = tpm2_context_new(device, &tpm2_context); ++ r = tpm2_context_new_or_warn(device, &tpm2_context); + if (r < 0) +- return log_error_errno(r, "Failed to create TPM2 context: %m"); ++ return r; + + r = tpm2_unseal(tpm2_context, + hash_pcr_mask, +diff --git a/src/cryptsetup/cryptsetup-tpm2.c b/src/cryptsetup/cryptsetup-tpm2.c +index f59d5f9d1d..e7a38d4448 100644 +--- a/src/cryptsetup/cryptsetup-tpm2.c ++++ b/src/cryptsetup/cryptsetup-tpm2.c +@@ -139,9 +139,9 @@ int acquire_tpm2_key( + } + + _cleanup_(tpm2_context_unrefp) Tpm2Context *tpm2_context = NULL; +- r = tpm2_context_new(device, &tpm2_context); ++ r = tpm2_context_new_or_warn(device, &tpm2_context); + if (r < 0) +- return log_error_errno(r, "Failed to create TPM2 context: %m"); ++ return r; + + if (!(flags & TPM2_FLAGS_USE_PIN)) { + r = tpm2_unseal(tpm2_context, +diff --git a/src/cryptsetup/cryptsetup.c b/src/cryptsetup/cryptsetup.c +index b56b51a134..1822bebdcd 100644 +--- a/src/cryptsetup/cryptsetup.c ++++ b/src/cryptsetup/cryptsetup.c +@@ -846,9 +846,9 @@ static int measure_volume_key( + + #if HAVE_TPM2 + _cleanup_(tpm2_context_unrefp) Tpm2Context *c = NULL; +- r = tpm2_context_new(arg_tpm2_device, &c); ++ r = tpm2_context_new_or_warn(arg_tpm2_device, &c); + if (r 
< 0) +- return log_error_errno(r, "Failed to create TPM2 context: %m"); ++ return r; + + _cleanup_strv_free_ char **l = NULL; + if (strv_isempty(arg_tpm2_measure_banks)) { +diff --git a/src/partition/repart.c b/src/partition/repart.c +index 5487aaf58c..4fabe1b2e4 100644 +--- a/src/partition/repart.c ++++ b/src/partition/repart.c +@@ -3839,9 +3839,9 @@ static int partition_encrypt(Context *context, Partition *p, PartitionTarget *ta + return log_error_errno(SYNTHETIC_ERRNO(EINVAL), + "Must provide all PCR values when using TPM2 device key."); + } else { +- r = tpm2_context_new(arg_tpm2_device, &tpm2_context); ++ r = tpm2_context_new_or_warn(arg_tpm2_device, &tpm2_context); + if (r < 0) +- return log_error_errno(r, "Failed to create TPM2 context: %m"); ++ return r; + + if (!tpm2_pcr_values_has_all_values(arg_tpm2_hash_pcr_values, arg_tpm2_n_hash_pcr_values)) { + r = tpm2_pcr_read_missing_values(tpm2_context, arg_tpm2_hash_pcr_values, arg_tpm2_n_hash_pcr_values); +diff --git a/src/pcrextend/pcrextend.c b/src/pcrextend/pcrextend.c +index 12959496de..394c2587bb 100644 +--- a/src/pcrextend/pcrextend.c ++++ b/src/pcrextend/pcrextend.c +@@ -199,7 +199,7 @@ static int extend_now(unsigned pcr, const void *data, size_t size, Tpm2Userspace + _cleanup_(tpm2_context_unrefp) Tpm2Context *c = NULL; + int r; + +- r = tpm2_context_new(arg_tpm2_device, &c); ++ r = tpm2_context_new_or_warn(arg_tpm2_device, &c); + if (r < 0) + return r; + +diff --git a/src/pcrlock/pcrlock.c b/src/pcrlock/pcrlock.c +index bdc6bbd817..dde4dd93d6 100644 +--- a/src/pcrlock/pcrlock.c ++++ b/src/pcrlock/pcrlock.c +@@ -1194,7 +1194,7 @@ static int event_log_read_pcrs(EventLog *el) { + + assert(el); + +- r = tpm2_context_new(NULL, &tc); ++ r = tpm2_context_new_or_warn(/* device= */ NULL, &tc); + if (r < 0) + return r; + +@@ -4281,9 +4281,9 @@ static int verb_make_policy(int argc, char *argv[], void *userdata) { + } + + _cleanup_(tpm2_context_unrefp) Tpm2Context *tc = NULL; +- r = tpm2_context_new(NULL, &tc); ++ 
r = tpm2_context_new_or_warn(/* device= */ NULL, &tc); + if (r < 0) +- return log_error_errno(r, "Failed to allocate TPM2 context: %m"); ++ return r; + + if (!tpm2_supports_command(tc, TPM2_CC_PolicyAuthorizeNV)) + return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "TPM2 does not support PolicyAuthorizeNV command, refusing."); +@@ -4610,7 +4610,7 @@ static int undefine_policy_nv_index( + assert(srk_blob); + + _cleanup_(tpm2_context_unrefp) Tpm2Context *tc = NULL; +- r = tpm2_context_new(NULL, &tc); ++ r = tpm2_context_new_or_warn(/* device= */ NULL, &tc); + if (r < 0) + return r; + +diff --git a/src/shared/creds-util.c b/src/shared/creds-util.c +index 7cc8889595..fa8ebe087d 100644 +--- a/src/shared/creds-util.c ++++ b/src/shared/creds-util.c +@@ -826,9 +826,9 @@ int encrypt_credential_and_warn( + tpm2_pubkey_pcr_mask = 0; + + _cleanup_(tpm2_context_unrefp) Tpm2Context *tpm2_context = NULL; +- r = tpm2_context_new(tpm2_device, &tpm2_context); ++ r = tpm2_context_new_or_warn(tpm2_device, &tpm2_context); + if (r < 0) +- return log_error_errno(r, "Failed to create TPM2 context: %m"); ++ return r; + + r = tpm2_get_best_pcr_bank(tpm2_context, tpm2_hash_pcr_mask | tpm2_pubkey_pcr_mask, &tpm2_pcr_bank); + if (r < 0) +diff --git a/src/shared/tpm2-util.c b/src/shared/tpm2-util.c +index 02e0e3b803..c7e0b2459c 100644 +--- a/src/shared/tpm2-util.c ++++ b/src/shared/tpm2-util.c +@@ -664,7 +664,7 @@ int tpm2_context_new(const char *device, Tpm2Context **ret_context) { + + context->tcti_dl = dlopen(fn, RTLD_NOW); + if (!context->tcti_dl) +- return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE), "Failed to load %s: %s", fn, dlerror()); ++ return log_debug_errno(SYNTHETIC_ERRNO(ENOPKG), "Failed to load %s: %s", fn, dlerror()); + + log_debug("Loaded '%s' via dlopen()", fn); + +@@ -680,7 +680,7 @@ int tpm2_context_new(const char *device, Tpm2Context **ret_context) { + + log_debug("Loaded TCTI module '%s' (%s) [Version %" PRIu32 "]", info->name, info->description, info->version); + 
+- rc = info->init(NULL, &sz, NULL); ++ rc = info->init(/* context= */ NULL, &sz, /* param= */ NULL); + if (rc != TPM2_RC_SUCCESS) + return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE), + "Failed to initialize TCTI context: %s", sym_Tss2_RC_Decode(rc)); +@@ -715,19 +715,37 @@ int tpm2_context_new(const char *device, Tpm2Context **ret_context) { + + /* We require AES and CFB support for session encryption. */ + if (!tpm2_supports_alg(context, TPM2_ALG_AES)) +- return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE), "TPM does not support AES."); ++ return log_debug_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "TPM does not support AES."); + + if (!tpm2_supports_alg(context, TPM2_ALG_CFB)) +- return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE), "TPM does not support CFB."); ++ return log_debug_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "TPM does not support CFB."); + + if (!tpm2_supports_tpmt_sym_def(context, &SESSION_TEMPLATE_SYM_AES_128_CFB)) +- return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE), "TPM does not support AES-128-CFB."); ++ return log_debug_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "TPM does not support AES-128-CFB."); + + *ret_context = TAKE_PTR(context); + + return 0; + } + ++int tpm2_context_new_or_warn(const char *device, Tpm2Context **ret_context) { ++ int r; ++ ++ assert(ret_context); ++ ++ r = tpm2_context_new(device, ret_context); ++ if (r == -EOPNOTSUPP) ++ return log_error_errno(r, "TPM device not usable as it does not support the required functionality (AES-128-CFB missing?)."); ++ if (r == -ENOPKG) ++ return log_error_errno(r, "TPM TCTI driver not available."); ++ if (r == -ENOENT) ++ return log_error_errno(r, "TPM device not found."); ++ if (r < 0) ++ return log_error_errno(r, "Failed to create TPM2 context: %m"); ++ ++ return 0; ++} ++ + static void tpm2_handle_cleanup(ESYS_CONTEXT *esys_context, ESYS_TR esys_handle, bool flush) { + TSS2_RC rc; + +diff --git a/src/shared/tpm2-util.h b/src/shared/tpm2-util.h +index 55d748159f..911a3c74ab 100644 +--- 
a/src/shared/tpm2-util.h ++++ b/src/shared/tpm2-util.h +@@ -72,6 +72,7 @@ typedef struct { + } Tpm2Context; + + int tpm2_context_new(const char *device, Tpm2Context **ret_context); ++int tpm2_context_new_or_warn(const char *device, Tpm2Context **ret_context); + Tpm2Context *tpm2_context_ref(Tpm2Context *context); + Tpm2Context *tpm2_context_unref(Tpm2Context *context); + DEFINE_TRIVIAL_CLEANUP_FUNC(Tpm2Context*, tpm2_context_unref); +diff --git a/src/tpm2-setup/tpm2-setup.c b/src/tpm2-setup/tpm2-setup.c +index 0be7ffc6a5..0dacafe4b2 100644 +--- a/src/tpm2-setup/tpm2-setup.c ++++ b/src/tpm2-setup/tpm2-setup.c +@@ -204,9 +204,9 @@ static int load_public_key_tpm2(struct public_key_data *ret) { + + assert(ret); + +- r = tpm2_context_new(arg_tpm2_device, &c); ++ r = tpm2_context_new_or_warn(arg_tpm2_device, &c); + if (r < 0) +- return log_error_errno(r, "Failed to create TPM2 context: %m"); ++ return r; + + r = tpm2_get_or_create_srk( + c, +-- +2.33.0 + diff --git a/backport-tpm2-util-handle-TPMs-gracefully-that-do-not-support.patch b/backport-tpm2-util-handle-TPMs-gracefully-that-do-not-support.patch new file mode 100644 index 0000000..cead294 --- /dev/null +++ b/backport-tpm2-util-handle-TPMs-gracefully-that-do-not-support.patch 
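Review bot: The new `tpm2_context_new_or_warn()` prototype in tpm2-util.h has no comment, yet the errno values it distinguishes are now part of the `tpm2_context_new()` contract, since the same hunk changes the dlopen failure from ENOTRECOVERABLE to ENOPKG and the algorithm checks to EOPNOTSUPP; a comment above the declaration such as `/* Like tpm2_context_new(), but logs a user-facing message for -ENOPKG (no TCTI driver), -EOPNOTSUPP (AES-128-CFB missing), -ENOENT (no device) and any other error, returning the same errno. */` would record that. The `-ENOENT` branch does not correspond to any return visible in this hunk, so it presumably originates earlier in `tpm2_context_new()`; worth confirming that it is the only source, otherwise "TPM device not found." may be printed for an unrelated ENOENT. Note that the pcrextend.c and pcrlock.c callers previously returned the error silently and now log at error level, which is a behaviour change for those tools.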
@@ -0,0 +1,50 @@
+From f75b716bef8190bf90a4edc9bb24cfa745b4251e Mon Sep 17 00:00:00 2001
+From: Lennart Poettering
+Date: Tue, 2 Jan 2024 18:33:37 +0100
+Subject: [PATCH 0113/1160] tpm2-util: handle TPMs gracefully that do not
+ support ECC and return TPM2_RC_VALUES
+
+If a TPM doesn't do ECC it could either return zero curves when asked
+for it, or it could simply fail with TPM2_RC_VALUES because it doesn't
+recognize the capability at all.
+
+Handle both cases the same way.
+
+Fixes: #30679
+(cherry picked from commit ae17fcb61ad26119b41e3f82a339c37a3a2cb383)
+---
+ src/shared/tpm2-util.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/src/shared/tpm2-util.c b/src/shared/tpm2-util.c
+index 5e07b88a89..a03c1099f9 100644
+--- a/src/shared/tpm2-util.c
++++ b/src/shared/tpm2-util.c
+@@ -228,11 +228,14 @@ static int tpm2_get_capability(
+ count,
+ &more,
+ &capabilities);
++ if (rc == TPM2_RC_VALUE)
++ return log_debug_errno(SYNTHETIC_ERRNO(ENXIO),
++ "Requested TPM2 capability 0x%04" PRIx32 " property 0x%04" PRIx32 " apparently doesn't exist: %s",
++ capability, property, sym_Tss2_RC_Decode(rc));
+ if (rc != TSS2_RC_SUCCESS)
+ return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
+ "Failed to get TPM2 capability 0x%04" PRIx32 " property 0x%04" PRIx32 ": %s",
+ capability, property, sym_Tss2_RC_Decode(rc));
+-
+ if (capabilities->capability != capability)
+ return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
+ "TPM provided wrong capability: 0x%04" PRIx32 " instead of 0x%04" PRIx32 ".",
+@@ -333,6 +336,8 @@ static int tpm2_cache_capabilities(Tpm2Context *c) {
+ current_ecc_curve,
+ TPM2_MAX_ECC_CURVES,
+ &capability);
++ if (r == -ENXIO) /* If the TPM doesn't support ECC, it might return TPM2_RC_VALUE rather than capability.eccCurves == 0 */
++ break;
+ if (r < 0)
+ return r;
+
+--
+2.33.0
+
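Review bot: `tpm2_get_capability()` now has a distinguished `-ENXIO` return meaning "the TPM does not recognize this capability/property", but only the ECC-curve loop in `tpm2_cache_capabilities()` checks for it; the helper's other callers are outside this patch and will keep treating it as a hard failure, which may or may not be intended. A comment on the function stating the contract, e.g. `/* Returns -ENXIO if the TPM answers TPM2_RC_VALUE, i.e. it does not know the requested capability/property. */`, would make that explicit. The long trailing comment on the `if (r == -ENXIO)` line would read better placed above the check. Both enclosing functions start and end outside the hunk.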
diff --git a/backport-tree-wide-Fix-Wformat-warnings.patch b/backport-tree-wide-Fix-Wformat-warnings.patch
new file mode 100644
index 0000000..f236153
--- /dev/null
+++ b/backport-tree-wide-Fix-Wformat-warnings.patch
@@ -0,0 +1,59 @@ +From 44e3f1cc351b6097d8a6251bc8bf8468247b98b7 Mon Sep 17 00:00:00 2001 +From: Daan De Meyer +Date: Tue, 1 Oct 2024 09:28:42 +0200 +Subject: [PATCH 0902/1160] tree-wide: Fix Wformat warnings + +The latest clang has started catching more integer promotions which +cause us to pass the wrong type to printf() format specifiers so let's +fix those. + +(cherry picked from commit c73d14c43e7998ca54011875ad25afc634d57498) +(cherry picked from commit e129e3a8618b1b56f70978cb1db1d66a0fdcd573) +--- + src/pcrlock/pcrlock-firmware.c | 2 +- + src/udev/cdrom_id/cdrom_id.c | 2 +- + src/udev/dmi_memory_id/dmi_memory_id.c | 2 +- + 3 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/src/pcrlock/pcrlock-firmware.c b/src/pcrlock/pcrlock-firmware.c +index 6fd7363144..059c87c622 100644 +--- a/src/pcrlock/pcrlock-firmware.c ++++ b/src/pcrlock/pcrlock-firmware.c +@@ -128,7 +128,7 @@ int validate_firmware_header( + + log_debug("TPM PC Client Platform Firmware Profile: family %u.%u, revision %u.%u", + id->specVersionMajor, id->specVersionMinor, +- id->specErrata / 100, id->specErrata % 100); ++ id->specErrata / 100U, id->specErrata % 100U); + + if (h->eventDataSize < (uint64_t) offsetof(TCG_EfiSpecIDEvent, digestSizes) + (uint64_t) (id->numberOfAlgorithms * sizeof(TCG_EfiSpecIdEventAlgorithmSize)) + 1U) + return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Event log header doesn't fit all algorithms."); +diff --git a/src/udev/cdrom_id/cdrom_id.c b/src/udev/cdrom_id/cdrom_id.c +index 9285dd81f0..3a57ca0fd6 100644 +--- a/src/udev/cdrom_id/cdrom_id.c ++++ b/src/udev/cdrom_id/cdrom_id.c +@@ -477,7 +477,7 @@ static int cd_profiles(Context *c) { + + switch (feature) { + case 0x00: +- log_debug("GET CONFIGURATION: feature 'profiles', with %u entries", features[i + 3] / 4); ++ log_debug("GET CONFIGURATION: feature 'profiles', with %u entries", features[i + 3] / 4U); + feature_profiles(c, features + i + 4, MIN(features[i + 3], len - i - 4)); + break; + default: +diff --git 
a/src/udev/dmi_memory_id/dmi_memory_id.c b/src/udev/dmi_memory_id/dmi_memory_id.c +index 3f89cc7424..52ea250af8 100644 +--- a/src/udev/dmi_memory_id/dmi_memory_id.c ++++ b/src/udev/dmi_memory_id/dmi_memory_id.c +@@ -399,7 +399,7 @@ static void dmi_memory_device_manufacturer_id( + /* LSB is 7-bit Odd Parity number of continuation codes */ + if (code != 0) + printf("MEMORY_DEVICE_%u_%s=Bank %d, Hex 0x%02X\n", slot_num, attr_suffix, +- (code & 0x7F) + 1, code >> 8); ++ (code & 0x7F) + 1, (uint16_t) (code >> 8)); + } + + static void dmi_memory_device_product_id( +-- +2.33.0 + diff --git a/backport-tree-wide-always-do-dlopen-with-RTLD_NOW-RTLD_NODELE.patch b/backport-tree-wide-always-do-dlopen-with-RTLD_NOW-RTLD_NODELE.patch new file mode 100644 index 0000000..e4165b0 --- /dev/null +++ b/backport-tree-wide-always-do-dlopen-with-RTLD_NOW-RTLD_NODELE.patch 
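Review bot: In dmi_memory_id.c the cast `(uint16_t) (code >> 8)` silences the warning, but the argument still undergoes default argument promotion to `int` while `%02X` expects `unsigned int`; casting to `unsigned` instead, `(unsigned) (code >> 8)`, matches the conversion specifier exactly and is in the spirit of the other two hunks, which reach an unsigned type via the `100U` and `4U` literals. The type of `code` is not visible here, so this assumes it is a narrow unsigned integer. `dmi_memory_device_manufacturer_id()` starts outside the hunk.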
@@ -0,0 +1,162 @@ +From 82019cc6913a0901baef4fed6442cee1afb61e6f Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Tue, 1 Oct 2024 16:44:18 +0200 +Subject: [PATCH 0899/1160] tree-wide: always do dlopen() with RTLD_NOW + + RTLD_NODELETE + +Let's systematically use RTL_NOW|RLTD_NODELETE as flags passed to +dlopen(), across our codebase. + +Various distros build with "-z now" anyway, hence it's weird to specify +RTLD_LAZY trying to override that (which it doesn't). Hence, let's +follow suit, and just do what everybody else does. + +Also set RTLD_NODELETE, which is apparently what distros will probably +end up implying sooner or later anyway. Given that for pretty much all +our dlopen() calls we never call dlclose() anyway, let's just set this +everywhere too, to make things systematic. + +This way, the flags we use by default match what distros such as fedora +do, there are no surprises, and read-only relocations can be a thing. + +Fixes: #34537 +(cherry picked from commit bd4beaa2ebfbbec0a1263a7091a91e528ce8cf13) +(cherry picked from commit e012eedd727a38bd18c9a540b92b95aa880d2b42) +--- + src/shared/bpf-dlopen.c | 4 ++-- + src/shared/dlfcn-util.c | 2 +- + src/shared/idn-util.c | 5 ++--- + src/shared/tpm2-util.c | 2 +- + src/shared/userdb.c | 2 +- + src/test/test-dlopen.c | 2 +- + src/test/test-nss-hosts.c | 2 +- + src/test/test-nss-users.c | 2 +- + 8 files changed, 10 insertions(+), 11 deletions(-) + +diff --git a/src/shared/bpf-dlopen.c b/src/shared/bpf-dlopen.c +index f00dbeabae..dfdf995052 100644 +--- a/src/shared/bpf-dlopen.c ++++ b/src/shared/bpf-dlopen.c +@@ -63,13 +63,13 @@ int dlopen_bpf(void) { + + DISABLE_WARNING_DEPRECATED_DECLARATIONS; + +- dl = dlopen("libbpf.so.1", RTLD_LAZY); ++ dl = dlopen("libbpf.so.1", RTLD_NOW|RTLD_NODELETE); + if (!dl) { + /* libbpf < 1.0.0 (we rely on 0.1.0+) provide most symbols we care about, but + * unfortunately not all until 0.7.0. See bpf-compat.h for more details. 
+ * Once we consider we can assume 0.7+ is present we can just use the same symbol + * list for both files, and when we assume 1.0+ is present we can remove this dlopen */ +- dl = dlopen("libbpf.so.0", RTLD_LAZY); ++ dl = dlopen("libbpf.so.0", RTLD_NOW|RTLD_NODELETE); + if (!dl) + return log_debug_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), + "neither libbpf.so.1 nor libbpf.so.0 are installed: %s", dlerror()); +diff --git a/src/shared/dlfcn-util.c b/src/shared/dlfcn-util.c +index 8022f55294..2ebb1463c2 100644 +--- a/src/shared/dlfcn-util.c ++++ b/src/shared/dlfcn-util.c +@@ -44,7 +44,7 @@ int dlopen_many_sym_or_warn_sentinel(void **dlp, const char *filename, int log_l + if (*dlp) + return 0; /* Already loaded */ + +- dl = dlopen(filename, RTLD_LAZY); ++ dl = dlopen(filename, RTLD_NOW|RTLD_NODELETE); + if (!dl) + return log_debug_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), + "%s is not installed: %s", filename, dlerror()); +diff --git a/src/shared/idn-util.c b/src/shared/idn-util.c +index 26a9d608ec..28d2dc1309 100644 +--- a/src/shared/idn-util.c ++++ b/src/shared/idn-util.c +@@ -42,11 +42,11 @@ int dlopen_idn(void) { + if (idn_dl) + return 0; /* Already loaded */ + +- dl = dlopen("libidn.so.12", RTLD_LAZY); ++ dl = dlopen("libidn.so.12", RTLD_NOW|RTLD_NODELETE); + if (!dl) { + /* libidn broke ABI in 1.34, but not in a way we care about (a new field got added to an + * open-coded struct we do not use), hence support both versions. 
*/ +- dl = dlopen("libidn.so.11", RTLD_LAZY); ++ dl = dlopen("libidn.so.11", RTLD_NOW|RTLD_NODELETE); + if (!dl) + return log_debug_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), + "libidn support is not installed: %s", dlerror()); +@@ -54,7 +54,6 @@ int dlopen_idn(void) { + } else + log_debug("Loaded 'libidn.so.12' via dlopen()"); + +- + r = dlsym_many_or_warn( + dl, + LOG_DEBUG, +diff --git a/src/shared/tpm2-util.c b/src/shared/tpm2-util.c +index b4f35cbf0b..8f2d4da7fe 100644 +--- a/src/shared/tpm2-util.c ++++ b/src/shared/tpm2-util.c +@@ -662,7 +662,7 @@ int tpm2_context_new(const char *device, Tpm2Context **ret_context) { + if (!filename_is_valid(fn)) + return log_debug_errno(SYNTHETIC_ERRNO(EINVAL), "TPM2 driver name '%s' not valid, refusing.", driver); + +- context->tcti_dl = dlopen(fn, RTLD_NOW); ++ context->tcti_dl = dlopen(fn, RTLD_NOW|RTLD_NODELETE); + if (!context->tcti_dl) + return log_debug_errno(SYNTHETIC_ERRNO(ENOPKG), "Failed to load %s: %s", fn, dlerror()); + +diff --git a/src/shared/userdb.c b/src/shared/userdb.c +index 540573390c..98066bb81d 100644 +--- a/src/shared/userdb.c ++++ b/src/shared/userdb.c +@@ -1448,7 +1448,7 @@ int userdb_block_nss_systemd(int b) { + + /* Note that we might be called from libnss_systemd.so.2 itself, but that should be fine, really. 
*/ + +- dl = dlopen(LIBDIR "/libnss_systemd.so.2", RTLD_LAZY|RTLD_NODELETE); ++ dl = dlopen(LIBDIR "/libnss_systemd.so.2", RTLD_NOW|RTLD_NODELETE); + if (!dl) { + /* If the file isn't installed, don't complain loudly */ + log_debug("Failed to dlopen(libnss_systemd.so.2), ignoring: %s", dlerror()); +diff --git a/src/test/test-dlopen.c b/src/test/test-dlopen.c +index 9c315373b4..6704e936e7 100644 +--- a/src/test/test-dlopen.c ++++ b/src/test/test-dlopen.c +@@ -10,7 +10,7 @@ int main(int argc, char **argv) { + int i; + + for (i = 0; i < argc - 1; i++) +- assert_se(handles[i] = dlopen(argv[i + 1], RTLD_NOW)); ++ assert_se(handles[i] = dlopen(argv[i + 1], RTLD_NOW|RTLD_NODELETE)); + + for (i--; i >= 0; i--) + assert_se(dlclose(handles[i]) == 0); +diff --git a/src/test/test-nss-hosts.c b/src/test/test-nss-hosts.c +index 72a9c6454c..611e135766 100644 +--- a/src/test/test-nss-hosts.c ++++ b/src/test/test-nss-hosts.c +@@ -380,7 +380,7 @@ static int test_one_module(const char *dir, + + log_info("======== %s ========", module); + +- _cleanup_(dlclosep) void *handle = nss_open_handle(dir, module, RTLD_LAZY|RTLD_NODELETE); ++ _cleanup_(dlclosep) void *handle = nss_open_handle(dir, module, RTLD_NOW|RTLD_NODELETE); + if (!handle) + return -EINVAL; + +diff --git a/src/test/test-nss-users.c b/src/test/test-nss-users.c +index 5178779d54..cba0f823b9 100644 +--- a/src/test/test-nss-users.c ++++ b/src/test/test-nss-users.c +@@ -166,7 +166,7 @@ static int test_one_module(const char *dir, + + log_info("======== %s ========", module); + +- _cleanup_(dlclosep) void *handle = nss_open_handle(dir, module, RTLD_LAZY|RTLD_NODELETE); ++ _cleanup_(dlclosep) void *handle = nss_open_handle(dir, module, RTLD_NOW|RTLD_NODELETE); + if (!handle) + return -EINVAL; + +-- +2.33.0 + diff --git a/backport-tree-wide-be-more-careful-when-passing-literal-integ.patch b/backport-tree-wide-be-more-careful-when-passing-literal-integ.patch new file mode 100644 index 0000000..71a4cbd --- /dev/null 
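Review bot: In test-dlopen.c the loop now opens every handle with `RTLD_NODELETE` and then immediately `dlclose()`s them, so the test still passes but no longer exercises unloading at all; a one-line comment such as `/* RTLD_NODELETE: dlclose() succeeds but the object stays mapped, matching the tree-wide default */` would save the next reader a detour. With `RTLD_NOW` all undefined symbols must resolve before `dlopen()` returns, so in `dlopen_bpf()` and `dlopen_idn()` a library that is present but lacks a symbol now fails at the `dlopen()` call instead of at first use, and the debug messages there ("is not installed") become slightly misleading for that case; the `dlerror()` text they append does carry the real reason, so this is only a wording point. The enclosing functions start and end outside the hunk.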
+++ b/backport-tree-wide-be-more-careful-when-passing-literal-integ.patch 
@@ -0,0 +1,116 @@ +From c0f501c49a3724774f979591fbde9d842997ae89 Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Wed, 21 Feb 2024 11:03:35 +0100 +Subject: [PATCH 0329/1160] tree-wide: be more careful when passing literal + integers to "t" bus message fields + +Since we use varargs for sd_message_append() we need to make sure the +parameters we pass are actually 64bit wide, if "t" is used. Hence cast +appropriately if necessary. + +I went through the whole tree, and in most cases we got it right, but +there are some cases we missed so far. + +Inspired by: #31420 + +(cherry picked from commit 04a3af3c6d434bcde7118440f13d55c910eb9ba0) +--- + src/core/dbus-execute.c | 4 ++-- + src/core/dbus-service.c | 2 +- + src/machine/machinectl.c | 2 +- + src/portable/portablectl.c | 2 +- + src/shared/bus-unit-util.c | 6 +++--- + 5 files changed, 8 insertions(+), 8 deletions(-) + +diff --git a/src/core/dbus-execute.c b/src/core/dbus-execute.c +index 4daa1cefd3..2d05ba7e1d 100644 +--- a/src/core/dbus-execute.c ++++ b/src/core/dbus-execute.c +@@ -491,7 +491,7 @@ static int property_get_bind_paths( + c->bind_mounts[i].source, + c->bind_mounts[i].destination, + c->bind_mounts[i].ignore_enoent, +- c->bind_mounts[i].recursive ? (uint64_t) MS_REC : (uint64_t) 0); ++ c->bind_mounts[i].recursive ? 
(uint64_t) MS_REC : UINT64_C(0)); + if (r < 0) + return r; + } +@@ -910,7 +910,7 @@ static int bus_property_get_exec_dir_symlink( + + for (size_t i = 0; i < d->n_items; i++) + STRV_FOREACH(dst, d->items[i].symlinks) { +- r = sd_bus_message_append(reply, "(sst)", d->items[i].path, *dst, 0 /* flags, unused for now */); ++ r = sd_bus_message_append(reply, "(sst)", d->items[i].path, *dst, UINT64_C(0) /* flags, unused for now */); + if (r < 0) + return r; + } +diff --git a/src/core/dbus-service.c b/src/core/dbus-service.c +index 41f4ee399e..cc478f44b5 100644 +--- a/src/core/dbus-service.c ++++ b/src/core/dbus-service.c +@@ -61,7 +61,7 @@ static int property_get_open_files( + return r; + + LIST_FOREACH(open_files, of, *open_files) { +- r = sd_bus_message_append(reply, "(sst)", of->path, of->fdname, of->flags); ++ r = sd_bus_message_append(reply, "(sst)", of->path, of->fdname, (uint64_t) of->flags); + if (r < 0) + return r; + } +diff --git a/src/machine/machinectl.c b/src/machine/machinectl.c +index 3eadb5f4e7..418dd003ca 100644 +--- a/src/machine/machinectl.c ++++ b/src/machine/machinectl.c +@@ -1130,7 +1130,7 @@ static int copy_files(int argc, char *argv[], void *userdata) { + return bus_log_create_error(r); + + if (arg_force) { +- r = sd_bus_message_append(m, "t", MACHINE_COPY_REPLACE); ++ r = sd_bus_message_append(m, "t", (uint64_t) MACHINE_COPY_REPLACE); + if (r < 0) + return bus_log_create_error(r); + } +diff --git a/src/portable/portablectl.c b/src/portable/portablectl.c +index 532e8d9345..1588b17b08 100644 +--- a/src/portable/portablectl.c ++++ b/src/portable/portablectl.c +@@ -1171,7 +1171,7 @@ static int is_image_attached(int argc, char *argv[], void *userdata) { + return r; + + if (!strv_isempty(arg_extension_images)) { +- r = sd_bus_message_append(m, "t", 0); ++ r = sd_bus_message_append(m, "t", UINT64_C(0)); + if (r < 0) + return bus_log_create_error(r); + } +diff --git a/src/shared/bus-unit-util.c b/src/shared/bus-unit-util.c +index 4ee9706847..50de98941f 
100644 +--- a/src/shared/bus-unit-util.c ++++ b/src/shared/bus-unit-util.c +@@ -1419,12 +1419,12 @@ static int bus_append_execute_property(sd_bus_message *m, const char *field, con + if (r < 0) + return log_error_errno(r, "Failed to parse resource limit: %s", eq); + +- r = sd_bus_message_append(m, "(sv)", field, "t", l.rlim_max); ++ r = sd_bus_message_append(m, "(sv)", field, "t", (uint64_t) l.rlim_max); + if (r < 0) + return bus_log_create_error(r); + + sn = strjoina(field, "Soft"); +- r = sd_bus_message_append(m, "(sv)", sn, "t", l.rlim_cur); ++ r = sd_bus_message_append(m, "(sv)", sn, "t", (uint64_t) l.rlim_cur); + if (r < 0) + return bus_log_create_error(r); + +@@ -2167,7 +2167,7 @@ static int bus_append_execute_property(sd_bus_message *m, const char *field, con + return bus_log_create_error(r); + + STRV_FOREACH_PAIR(source, destination, symlinks) { +- r = sd_bus_message_append(m, "(sst)", *source, *destination, 0); ++ r = sd_bus_message_append(m, "(sst)", *source, *destination, UINT64_C(0)); + if (r < 0) + return bus_log_create_error(r); + } +-- +2.33.0 + diff --git a/backport-tree-wide-check-if-non-empty-password-is-acquired.patch b/backport-tree-wide-check-if-non-empty-password-is-acquired.patch new file mode 100644 index 0000000..5c4544b --- /dev/null +++ b/backport-tree-wide-check-if-non-empty-password-is-acquired.patch 
@@ -0,0 +1,56 @@ +From a505f10b4b35b09cab6d4b06a364e52e3982ee55 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Fri, 6 Sep 2024 15:00:32 +0900 +Subject: [PATCH 0871/1160] tree-wide: check if non-empty password is acquired + +(cherry picked from commit 204529d0fcde9a95119b489225620f36649c2f5b) +(cherry picked from commit e80e9dce63787d1d4494ed65d7c27018344387d5) +--- + src/home/homectl.c | 2 ++ + src/shared/dissect-image.c | 1 + + src/tty-ask-password-agent/tty-ask-password-agent.c | 4 +--- + 3 files changed, 4 insertions(+), 3 deletions(-) + +diff --git a/src/home/homectl.c b/src/home/homectl.c +index a6951c8562..a6f4215b09 100644 +--- a/src/home/homectl.c ++++ b/src/home/homectl.c +@@ -1208,6 +1208,8 @@ static int acquire_new_password( + if (r < 0) + return log_error_errno(r, "Failed to acquire password: %m"); + ++ assert(!strv_isempty(first)); ++ + question = mfree(question); + if (asprintf(&question, "Please enter new password for user %s (repeat):", user_name) < 0) + return log_oom(); +diff --git a/src/shared/dissect-image.c b/src/shared/dissect-image.c +index 627b67c40f..843fea882a 100644 +--- a/src/shared/dissect-image.c ++++ b/src/shared/dissect-image.c +@@ -2987,6 +2987,7 @@ int dissected_image_decrypt_interactively( + if (r < 0) + return log_error_errno(r, "Failed to query for passphrase: %m"); + ++ assert(!strv_isempty(z)); + passphrase = z[0]; + } + } +diff --git a/src/tty-ask-password-agent/tty-ask-password-agent.c b/src/tty-ask-password-agent/tty-ask-password-agent.c +index 3a30bfe042..a75213f8ed 100644 +--- a/src/tty-ask-password-agent/tty-ask-password-agent.c ++++ b/src/tty-ask-password-agent/tty-ask-password-agent.c +@@ -257,9 +257,7 @@ static int process_one_password_file(const char *filename) { + return log_error_errno(r, "Failed to query password: %m"); + } + +- if (strv_isempty(passwords)) +- return -ECANCELED; +- ++ assert(!strv_isempty(passwords)); + r = send_passwords(socket_name, passwords); + if (r < 0) + return log_error_errno(r, 
"Failed to send: %m"); +-- +2.33.0 + diff --git a/backport-tree-wide-use-JSON_ALLOW_EXTENSIONS-when-disptching-.patch b/backport-tree-wide-use-JSON_ALLOW_EXTENSIONS-when-disptching-.patch new file mode 100644 index 0000000..20ed226 --- /dev/null +++ b/backport-tree-wide-use-JSON_ALLOW_EXTENSIONS-when-disptching-.patch 
@@ -0,0 +1,108 @@ +From 0283b9b43bd509098a5484c2dffc3cf6122e9b2a Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Fri, 5 Jan 2024 12:39:28 +0100 +Subject: [PATCH 0712/1160] tree-wide: use JSON_ALLOW_EXTENSIONS when + disptching at various places + +If we want to allow method replies to be extended without this breaking +compat, then we should set this flag. Do so at various method call +replies hence. + +Also do it when parsing user/group records, which are expressly +documented to be extensible, as well as the hibernate JSON record. + +(cherry picked from commit f0e4244b2fda1b3de3da1c2792ed1cd21c72087b) +--- + src/hibernate-resume/hibernate-resume-config.c | 2 +- + src/nss-resolve/nss-resolve.c | 2 +- + src/shared/group-record.c | 2 +- + src/shared/user-record.c | 2 +- + src/shared/userdb.c | 6 +++--- + 5 files changed, 7 insertions(+), 7 deletions(-) + +diff --git a/src/hibernate-resume/hibernate-resume-config.c b/src/hibernate-resume/hibernate-resume-config.c +index e4be7ca245..eaf71bb2cd 100644 +--- a/src/hibernate-resume/hibernate-resume-config.c ++++ b/src/hibernate-resume/hibernate-resume-config.c +@@ -173,7 +173,7 @@ static int get_efi_hibernate_location(EFIHibernateLocation **ret) { + if (!e) + return log_oom(); + +- r = json_dispatch(v, dispatch_table, JSON_LOG, e); ++ r = json_dispatch(v, dispatch_table, JSON_LOG|JSON_ALLOW_EXTENSIONS, e); + if (r < 0) + return r; + +diff --git a/src/nss-resolve/nss-resolve.c b/src/nss-resolve/nss-resolve.c +index c4e02bc7c1..822ad4f622 100644 +--- a/src/nss-resolve/nss-resolve.c ++++ b/src/nss-resolve/nss-resolve.c +@@ -20,7 +20,7 @@ + #include "strv.h" + #include "varlink.h" + +-static JsonDispatchFlags json_dispatch_flags = 0; ++static JsonDispatchFlags json_dispatch_flags = JSON_ALLOW_EXTENSIONS; + + static void setup_logging(void) { + log_parse_environment_variables(); +diff --git a/src/shared/group-record.c b/src/shared/group-record.c +index 1e33bdfed5..4fed5c671c 100644 +--- a/src/shared/group-record.c 
++++ b/src/shared/group-record.c +@@ -230,7 +230,7 @@ int group_record_load( + if (r < 0) + return r; + +- r = json_dispatch(h->json, group_dispatch_table, json_flags, h); ++ r = json_dispatch(h->json, group_dispatch_table, json_flags | JSON_ALLOW_EXTENSIONS, h); + if (r < 0) + return r; + +diff --git a/src/shared/user-record.c b/src/shared/user-record.c +index 3fe3e80b83..035e2a7124 100644 +--- a/src/shared/user-record.c ++++ b/src/shared/user-record.c +@@ -1625,7 +1625,7 @@ int user_record_load(UserRecord *h, JsonVariant *v, UserRecordLoadFlags load_fla + if (r < 0) + return r; + +- r = json_dispatch(h->json, user_dispatch_table, json_flags, h); ++ r = json_dispatch(h->json, user_dispatch_table, json_flags | JSON_ALLOW_EXTENSIONS, h); + if (r < 0) + return r; + +diff --git a/src/shared/userdb.c b/src/shared/userdb.c +index f60d48ace4..540573390c 100644 +--- a/src/shared/userdb.c ++++ b/src/shared/userdb.c +@@ -199,7 +199,7 @@ static int userdb_on_query_reply( + + assert_se(!iterator->found_user); + +- r = json_dispatch(parameters, dispatch_table, 0, &user_data); ++ r = json_dispatch(parameters, dispatch_table, JSON_ALLOW_EXTENSIONS, &user_data); + if (r < 0) + goto finish; + +@@ -256,7 +256,7 @@ static int userdb_on_query_reply( + + assert_se(!iterator->found_group); + +- r = json_dispatch(parameters, dispatch_table, 0, &group_data); ++ r = json_dispatch(parameters, dispatch_table, JSON_ALLOW_EXTENSIONS, &group_data); + if (r < 0) + goto finish; + +@@ -309,7 +309,7 @@ static int userdb_on_query_reply( + assert(!iterator->found_user_name); + assert(!iterator->found_group_name); + +- r = json_dispatch(parameters, dispatch_table, 0, &membership_data); ++ r = json_dispatch(parameters, dispatch_table, JSON_ALLOW_EXTENSIONS, &membership_data); + if (r < 0) + goto finish; + +-- +2.33.0 + 
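Review bot: `group_record_load` and `user_record_load` now OR `JSON_ALLOW_EXTENSIONS` into the caller-supplied json_flags unconditionally, so no caller can request strict dispatch that rejects unknown fields in a record any more; the three `userdb_on_query_reply` dispatches that go from `0` to `JSON_ALLOW_EXTENSIONS` have the same effect for replies received from varlink peers. Unknown keys are then silently ignored rather than logged and rejected, which is the intended extensibility but also removes a signal for mistyped or unexpected fields in records from other services. Worth confirming that no caller in this tree passed flags relying on strict rejection, and a comment above the OR such as `/* Records are documented as extensible, hence always accept unknown fields. */` would make the intent explicit at the call site. All the enclosing functions start and end outside the hunk.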
diff --git a/backport-udev-Handle-PTP-device-symlink-properly-on-udev-acti.patch b/backport-udev-Handle-PTP-device-symlink-properly-on-udev-acti.patch new file mode 100644 index 0000000..93df7ba --- /dev/null +++ b/backport-udev-Handle-PTP-device-symlink-properly-on-udev-acti.patch @@ -0,0 +1,43 @@ +From 5a50b4318b8dd4822ab3d745681cdab98d60aa81 Mon Sep 17 00:00:00 2001 +From: Chengen Du +Date: Mon, 12 Aug 2024 11:41:52 +0800 +Subject: [PATCH 0852/1160] udev: Handle PTP device symlink properly on udev + action 'change' + +PTP device symlink creation rules are currently executed only when the +udev action is 'add'. If a user reloads the rules and runs the udevadm +trigger command to reapply changes, the symlink may be deleted, which +can prevent the chronyd service from restarting properly. + +Signed-off-by: Chengen Du +(cherry picked from commit 6bd12be3fa7761f190e17efdbdbff4440da7528b) +(cherry picked from commit 2a328ce80923baa55925c99a923c40ec46b86243) +--- + rules.d/50-udev-default.rules.in | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/rules.d/50-udev-default.rules.in b/rules.d/50-udev-default.rules.in +index af4f594791..8d659add0c 100644 +--- a/rules.d/50-udev-default.rules.in ++++ b/rules.d/50-udev-default.rules.in +@@ -30,6 +30,9 @@ SUBSYSTEM=="pci|usb|platform", IMPORT{builtin}="path_id" + + SUBSYSTEM=="net", IMPORT{builtin}="net_driver" + ++SUBSYSTEM=="ptp", ATTR{clock_name}=="KVM virtual PTP", SYMLINK+="ptp_kvm" ++SUBSYSTEM=="ptp", ATTR{clock_name}=="hyperv", SYMLINK+="ptp_hyperv" ++ + ACTION!="add", GOTO="default_end" + + SUBSYSTEM=="tty", KERNEL=="ptmx", GROUP="tty", MODE="0666" +@@ -119,7 +122,4 @@ KERNEL=="vhost-net", GROUP="kvm", MODE="{{DEV_KVM_MODE}}", OPTIONS+="static_node + + KERNEL=="udmabuf", GROUP="kvm" + +-SUBSYSTEM=="ptp", ATTR{clock_name}=="KVM virtual PTP", SYMLINK+="ptp_kvm" +-SUBSYSTEM=="ptp", ATTR{clock_name}=="hyperv", SYMLINK+="ptp_hyperv" +- + LABEL="default_end" +-- +2.33.0 + 
diff --git a/backport-udev-String-substitutions-can-be-done-in-ENV-too.patch b/backport-udev-String-substitutions-can-be-done-in-ENV-too.patch new file mode 100644 index 0000000..0af59c1 --- /dev/null +++ b/backport-udev-String-substitutions-can-be-done-in-ENV-too.patch @@ -0,0 +1,47 @@ +From 75fb8e6e35ca0f22c449a307f1e77c9a284b4cae Mon Sep 17 00:00:00 2001 +From: runiq +Date: Mon, 19 Feb 2024 12:03:57 +0100 +Subject: [PATCH 0325/1160] udev: String substitutions can be done in ENV, too + +Precedence for example in https://github.com/systemd/systemd/blob/ac63c8df309e37960618610d8b57ac19ac657254/rules.d/99-systemd.rules.in#L75. + +Add ENV to the list of keys where string substitutions can be used. + +While I'm at it, also sort the list in that paragraph alphabetically. + +(cherry picked from commit 793166aea52dfbd06cfa622d5eda0bb31f9da6cf) +--- + man/udev.xml | 15 ++++++++------- + 1 file changed, 8 insertions(+), 7 deletions(-) + +diff --git a/man/udev.xml b/man/udev.xml +index 709cecfd6a..15cac8d8f2 100644 +--- a/man/udev.xml ++++ b/man/udev.xml +@@ -719,15 +719,16 @@ SUBSYSTEM=="net", OPTIONS="log_level=debug" + + + +- The NAME, SYMLINK, +- PROGRAM, OWNER, +- GROUP, MODE, SECLABEL, +- and RUN fields support simple string substitutions. ++ The ENV, GROUP, ++ MODE, NAME, ++ OWNER, PROGRAM, ++ RUN, SECLABEL, and ++ SYMLINK fields support simple string substitutions. + The RUN substitutions are performed after all rules + have been processed, right before the program is executed, allowing for +- the use of device properties set by earlier matching rules. For all other +- fields, substitutions are performed while the individual rule is being +- processed. The available substitutions are: ++ the use of device properties set by earlier matching rules. For all ++ other fields, substitutions are performed while the individual rule is ++ being processed. The available substitutions are: + + + , +-- +2.33.0 + 
diff --git a/backport-udev-add-hwdb-execution-for-hidraw-subsystem-devices.patch b/backport-udev-add-hwdb-execution-for-hidraw-subsystem-devices.patch new file mode 100644 index 0000000..6d63c74 --- /dev/null +++ b/backport-udev-add-hwdb-execution-for-hidraw-subsystem-devices.patch @@ -0,0 +1,29 @@ +From 0c4c427a14e73054bf0e5d13043ecc541c85fb71 Mon Sep 17 00:00:00 2001 +From: djantti +Date: Sat, 23 Dec 2023 23:08:41 +0200 +Subject: [PATCH 0090/1160] udev: add hwdb execution for hidraw subsystem + devices + +Hwdb call for hidraw subsystem is missing and AV controller devices defined in hwdb.d/70-av-production.hwdb never get the proper permissions for /dev/hidraw*. This patch implements hwdb execution also for hidraw devices. + +(cherry picked from commit 43ee987a1f24f390bdee0447022d31ec30f6e5be) +--- + rules.d/50-udev-default.rules.in | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/rules.d/50-udev-default.rules.in b/rules.d/50-udev-default.rules.in +index 10234fd9e0..af4f594791 100644 +--- a/rules.d/50-udev-default.rules.in ++++ b/rules.d/50-udev-default.rules.in +@@ -14,6 +14,8 @@ SUBSYSTEM=="virtio-ports", KERNEL=="vport*", ATTR{name}=="?*", SYMLINK+="virtio- + SUBSYSTEM=="rtc", ATTR{hctosys}=="1", SYMLINK+="rtc" + SUBSYSTEM=="rtc", KERNEL=="rtc0", SYMLINK+="rtc", OPTIONS+="link_priority=-100" + ++SUBSYSTEM=="hidraw", IMPORT{builtin}="hwdb" ++ + SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_device", IMPORT{builtin}="usb_id", IMPORT{builtin}="hwdb --subsystem=usb" + ENV{MODALIAS}!="", IMPORT{builtin}="hwdb --subsystem=$env{SUBSYSTEM}" + +-- +2.33.0 + diff --git a/backport-udev-dmi-memory-id-update-table-with-latest-SMBIOS-s.patch b/backport-udev-dmi-memory-id-update-table-with-latest-SMBIOS-s.patch new file mode 100644 index 0000000..c501a61 --- /dev/null +++ b/backport-udev-dmi-memory-id-update-table-with-latest-SMBIOS-s.patch 
@@ -0,0 +1,66 @@ +From a9dac9e462f9f02c92345ab96f087d8711d44d12 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Wed, 3 Jan 2024 05:54:12 +0900 +Subject: [PATCH 0110/1160] udev/dmi-memory-id: update table with latest SMBIOS + specification + +Closes #30699. + +(cherry picked from commit e0feaedbd97de596e4c706105268abbb09ce9bbf) +--- + src/udev/dmi_memory_id/dmi_memory_id.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +diff --git a/src/udev/dmi_memory_id/dmi_memory_id.c b/src/udev/dmi_memory_id/dmi_memory_id.c +index 37c098adc8..3f89cc7424 100644 +--- a/src/udev/dmi_memory_id/dmi_memory_id.c ++++ b/src/udev/dmi_memory_id/dmi_memory_id.c +@@ -7,7 +7,7 @@ + * Copyright (C) 2020 Bastien Nocera + * + * Unless specified otherwise, all references are aimed at the "System +- * Management BIOS Reference Specification, Version 3.2.0" document, ++ * Management BIOS Reference Specification, Version 3.7.0" document, + * available from http://www.dmtf.org/standards/smbios. + * + * Note to contributors: +@@ -145,7 +145,7 @@ static void dmi_memory_array_location(uint8_t code) { + [0x01] = "PC-98/C24 Add-on Card", /* 0xA1 */ + [0x02] = "PC-98/E Add-on Card", /* 0xA2 */ + [0x03] = "PC-98/Local Bus Add-on Card", /* 0xA3 */ +- [0x04] = "CXL Flexbus 1.0", /* 0xA4 */ ++ [0x04] = "CXL Add-on Card", /* 0xA4 */ + }; + const char *str = OUT_OF_SPEC_STR; + +@@ -301,6 +301,9 @@ static void dmi_memory_device_type(unsigned slot_num, uint8_t code) { + [0x1F] = "Logical non-volatile device", + [0x20] = "HBM", + [0x21] = "HBM2", ++ [0x22] = "DDR5", ++ [0x23] = "LPDDR5", ++ [0x24] = "HBM3", + }; + + printf("MEMORY_DEVICE_%u_TYPE=%s\n", slot_num, +@@ -315,7 +318,7 @@ static void dmi_memory_device_type_detail(unsigned slot_num, uint16_t code) { + [3] = "Fast-paged", + [4] = "Static Column", + [5] = "Pseudo-static", +- [6] = "RAMBus", ++ [6] = "RAMBUS", + [7] = "Synchronous", + [8] = "CMOS", + [9] = "EDO", +@@ -358,7 +361,7 @@ static void dmi_memory_device_technology(unsigned 
slot_num, uint8_t code) { + [0x04] = "NVDIMM-N", + [0x05] = "NVDIMM-F", + [0x06] = "NVDIMM-P", +- [0x07] = "Intel Optane DC persistent memory", ++ [0x07] = "Intel Optane persistent memory", + }; + + printf("MEMORY_DEVICE_%u_MEMORY_TECHNOLOGY=%s\n", slot_num, +-- +2.33.0 + diff --git a/backport-udev-do-not-try-to-lock-whole-block-device-on-remove.patch b/backport-udev-do-not-try-to-lock-whole-block-device-on-remove.patch new file mode 100644 index 0000000..f4deaa1 --- /dev/null +++ b/backport-udev-do-not-try-to-lock-whole-block-device-on-remove.patch 
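Review bot: Three of the changed entries are strings emitted via printf as udev property values, not just table additions: the type-detail table changes `"RAMBus"` to `"RAMBUS"`, the array-location table changes `"CXL Flexbus 1.0"` to `"CXL Add-on Card"`, and the technology table changes `"Intel Optane DC persistent memory"` to `"Intel Optane persistent memory"`. In a stable backport that is a user-visible output change that can break consumers matching the old spellings, while the DDR5/LPDDR5/HBM3 additions are purely additive. If only the new device types are needed, consider backporting just the additions, or call out the renamed values in the package changelog. The enclosing functions start and end outside the hunk.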
@@ -0,0 +1,52 @@ +From c21ebad151fbcb84ba245c19c8cb8ce08c857a1e Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Tue, 15 Oct 2024 06:22:24 +0900 +Subject: [PATCH 0948/1160] udev: do not try to lock whole block device on + remove event + +As another device may be created with the same device node while udevd +is processing the remove event of the previous owner of the device node. + +This also adds comment why we skip watching device node on remove. + +(cherry picked from commit e8df18c9e171c87aebb2df8ac3bdd8f116236892) +(cherry picked from commit 864a42f3098c7bf52591d31f041317e44fd305d4) +--- + src/udev/udev-watch.c | 3 +++ + src/udev/udev-worker.c | 6 ++++++ + 2 files changed, 9 insertions(+) + +diff --git a/src/udev/udev-watch.c b/src/udev/udev-watch.c +index 58c82794f0..daac0d742e 100644 +--- a/src/udev/udev-watch.c ++++ b/src/udev/udev-watch.c +@@ -181,6 +181,9 @@ int udev_watch_begin(int inotify_fd, sd_device *dev) { + assert(inotify_fd >= 0); + assert(dev); + ++ /* Ignore the request of watching the device node on remove event, as the device node specified by ++ * DEVNAME= has already been removed, and may already be assigned to another device. Consider the ++ * case e.g. a USB stick memory was unplugged and then another one is plugged. */ + if (device_for_action(dev, SD_DEVICE_REMOVE)) + return 0; + +diff --git a/src/udev/udev-worker.c b/src/udev/udev-worker.c +index 53722b21bd..617439b525 100644 +--- a/src/udev/udev-worker.c ++++ b/src/udev/udev-worker.c +@@ -97,6 +97,12 @@ static int worker_lock_whole_disk(sd_device *dev, int *ret_fd) { + * event handling; in the case udev acquired the lock, the external process can block until udev has + * finished its event handling. */ + ++ /* Do not try to lock device on remove event, as the device node specified by DEVNAME= has already ++ * been removed, and may already be assigned to another device. Consider the case e.g. a USB stick ++ * memory was unplugged and then another one is plugged. 
*/ ++ if (device_for_action(dev, SD_DEVICE_REMOVE)) ++ goto nolock; ++ + r = udev_get_whole_disk(dev, &dev_whole_disk, &val); + if (r < 0) + return r; +-- +2.33.0 + diff --git a/backport-udev-even-if-a-device-is-a-zac-device-scsi-ID_SERIAL.patch b/backport-udev-even-if-a-device-is-a-zac-device-scsi-ID_SERIAL.patch new file mode 100644 index 0000000..bb6fc76 --- /dev/null +++ b/backport-udev-even-if-a-device-is-a-zac-device-scsi-ID_SERIAL.patch 
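Review bot: The new early exit `goto nolock;` in worker_lock_whole_disk jumps to a label that is not in the hunk, and the function's contract for `*ret_fd` on that path is also outside it; confirm that in this tree the `nolock` label exists and leaves `*ret_fd` negative, so the caller never closes or uses an unset descriptor for remove events. The companion change in udev_watch_begin is consistent with this and only adds an explanatory comment. Both enclosing functions start and end outside the hunk.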
@@ -0,0 +1,81 @@ +From fa36a10c86d548efb2a52d89db1aefe9a0af1512 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?=E6=88=91=E8=B6=85=E5=8E=89=E5=AE=B3?= <524413304@qq.com> +Date: Tue, 16 Jan 2024 13:57:07 +0800 +Subject: [PATCH 0259/1160] udev: even if a device is a zac device, + scsi-$ID_SERIAL will be reserved for it (#30459) + +Co-authored-by: wangyuhang +(cherry picked from commit 8a86e15f07dd7030bfc31fb4944c24fb9a481fc5) +--- + rules.d/60-persistent-storage.rules.in | 2 ++ + src/udev/ata_id/ata_id.c | 13 ++++++++++--- + 2 files changed, 12 insertions(+), 3 deletions(-) + +diff --git a/rules.d/60-persistent-storage.rules.in b/rules.d/60-persistent-storage.rules.in +index 6787430208..17a9d08849 100644 +--- a/rules.d/60-persistent-storage.rules.in ++++ b/rules.d/60-persistent-storage.rules.in +@@ -59,6 +59,8 @@ KERNEL=="vd*", ATTRS{serial}=="?*", ENV{ID_SERIAL}="$attr{serial}", SYMLINK+="di + + # ATA + KERNEL=="sd*[!0-9]|sr*", ENV{ID_SERIAL}!="?*", SUBSYSTEMS=="scsi", ATTRS{vendor}=="ATA", IMPORT{program}="ata_id --export $devnode" ++KERNEL=="sd*[!0-9]|sr*", ENV{ID_BUS}=="ata", ENV{ID_ATA_PERIPHERAL_DEVICE_TYPE}=="20", PROGRAM="scsi_id -u -g $devnode", \ ++ SYMLINK+="disk/by-id/scsi-$result$env{.PART_SUFFIX}" + + # ATAPI devices (SPC-3 or later) + KERNEL=="sd*[!0-9]|sr*", ENV{ID_SERIAL}!="?*", SUBSYSTEMS=="scsi", ATTRS{type}=="5", ATTRS{scsi_level}=="[6-9]*", IMPORT{program}="ata_id --export $devnode" +diff --git a/src/udev/ata_id/ata_id.c b/src/udev/ata_id/ata_id.c +index 0b1f0b7157..4dd7e54973 100644 +--- a/src/udev/ata_id/ata_id.c ++++ b/src/udev/ata_id/ata_id.c +@@ -298,7 +298,8 @@ static void disk_identify_fixup_uint16(uint8_t identify[512], unsigned offset_wo + * non-zero with errno set. 
+ */ + static int disk_identify(int fd, +- uint8_t out_identify[512]) { ++ uint8_t out_identify[512], ++ int *ret_peripheral_device_type) { + uint8_t inquiry_buf[36]; + int peripheral_device_type, r; + +@@ -358,6 +359,9 @@ static int disk_identify(int fd, + if (all_nul_bytes) + return log_debug_errno(SYNTHETIC_ERRNO(EIO), "IDENTIFY data is all zeroes."); + ++ if (ret_peripheral_device_type) ++ *ret_peripheral_device_type = peripheral_device_type; ++ + return 0; + } + +@@ -407,7 +411,7 @@ static int run(int argc, char *argv[]) { + char model[41], model_enc[256], serial[21], revision[9]; + _cleanup_close_ int fd = -EBADF; + uint16_t word; +- int r; ++ int r, peripheral_device_type = -1; + + log_set_target(LOG_TARGET_AUTO); + udev_parse_config(); +@@ -422,7 +426,7 @@ static int run(int argc, char *argv[]) { + if (fd < 0) + return log_error_errno(errno, "Cannot open %s: %m", arg_device); + +- if (disk_identify(fd, identify.byte) >= 0) { ++ if (disk_identify(fd, identify.byte, &peripheral_device_type) >= 0) { + /* + * fix up only the fields from the IDENTIFY data that we are going to + * use and copy it into the hd_driveid struct for convenience +@@ -615,6 +619,9 @@ static int run(int argc, char *argv[]) { + if (IN_SET(identify.wyde[0], 0x848a, 0x844a) || + (identify.wyde[83] & 0xc004) == 0x4004) + printf("ID_ATA_CFA=1\n"); ++ ++ if (peripheral_device_type >= 0) ++ printf("ID_ATA_PERIPHERAL_DEVICE_TYPE=%d\n", peripheral_device_type); + } else { + if (serial[0] != '\0') + printf("%s_%s\n", model, serial); +-- +2.33.0 + diff --git a/backport-udev-node-skip-stack-directory-creation-for-diskseq.patch b/backport-udev-node-skip-stack-directory-creation-for-diskseq.patch new file mode 100644 index 0000000..07e4718 --- /dev/null +++ b/backport-udev-node-skip-stack-directory-creation-for-diskseq.patch 
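Review bot: `disk_identify` gains the out-parameter `ret_peripheral_device_type`, but the header comment that ends with "non-zero with errno set." directly above the signature is left unchanged and does not describe it. Add a line to that comment such as `* If ret_peripheral_device_type is not NULL, the peripheral device type (presumably taken from the INQUIRY response read into inquiry_buf) is stored there on success.`; since the value is written only after the all-zeroes check, callers must keep initializing it to -1 as run() now does. The new rule matches the decimal `20` against the `%d` output, which is consistent. disk_identify's body continues outside the hunk.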
@@ -0,0 +1,130 @@ +From 54bc0dab04e86ad7f93087e24f5d6148b8f72e9f Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Sun, 6 Oct 2024 14:43:45 +0900 +Subject: [PATCH 0910/1160] udev-node: skip stack directory creation for + diskseq + +The disk/by-diskseq symlink should not be shared with multiple block +devices. Hence, it is not necessary to create stack directory for the +symlink that manages which device owns the symlink. + +This is not just a optimization. +If a service unit tries to mount a disk image but the service fails, then +the diskseq of the loop device for the image may be continuously increased +during restart, and inodes in /run may increase rapidly, as the stack +directories are cleaned up only when udev queue is empty. + +Fixes #34637. + +(cherry picked from commit 09373c1a50297079e6b0447ea97af4e9a60f77fa) +(cherry picked from commit 02a5e5a32338869cc0ac352da81cf6d83da5c9e9) +--- + src/udev/udev-node.c | 85 ++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 85 insertions(+) + +diff --git a/src/udev/udev-node.c b/src/udev/udev-node.c +index e12c26ce5a..f3cc632f05 100644 +--- a/src/udev/udev-node.c ++++ b/src/udev/udev-node.c +@@ -423,6 +423,87 @@ static int node_get_current(const char *slink, int dirfd, char **ret_id, int *re + return 0; + } + ++static int link_update_diskseq(sd_device *dev, const char *slink, bool add) { ++ _cleanup_free_ char *buf = NULL; ++ const char *fname, *diskseq, *subsystem = NULL, *devtype = NULL; ++ int r; ++ ++ assert(dev); ++ assert(slink); ++ ++ (void) sd_device_get_subsystem(dev, &subsystem); ++ if (!streq_ptr(subsystem, "block")) ++ return 0; ++ ++ fname = path_startswith(slink, "/dev/disk/by-diskseq"); ++ if (isempty(fname)) ++ return 0; ++ ++ (void) sd_device_get_devtype(dev, &devtype); ++ if (streq_ptr(devtype, "partition")) { ++ _cleanup_free_ char *suffix = NULL; ++ const char *partn, *p; ++ ++ /* Check if the symlink has an expected suffix "-part%n". See 60-persistent-storage.rules. 
*/ ++ ++ r = sd_device_get_sysnum(dev, &partn); ++ if (r < 0) { ++ /* Cannot verify the symlink is owned by this device. Let's create the stack directory for the symlink. */ ++ log_device_debug_errno(dev, r, "Failed to get sysnum, but symlink '%s' is requested, ignoring: %m", slink); ++ return 0; ++ } ++ ++ suffix = strjoin("-part", partn); ++ if (!suffix) ++ return -ENOMEM; ++ ++ p = endswith(fname, suffix); ++ if (!p) { ++ log_device_debug(dev, "Unexpected by-diskseq symlink '%s' is requested, proceeding anyway.", slink); ++ return 0; ++ } ++ ++ buf = strndup(fname, p - fname); ++ if (!buf) ++ return -ENOMEM; ++ ++ fname = buf; ++ } ++ ++ /* Check if the diskseq part of the symlink is in digits. */ ++ if (!in_charset(fname, DIGITS)) { ++ log_device_debug(dev, "Unexpected by-diskseq symlink '%s' is requested, proceeding anyway.", slink); ++ return 0; /* unexpected by-diskseq symlink */ ++ } ++ ++ /* On removal, we cannot verify the diskseq. Skipping further check below. */ ++ if (!add) { ++ if (unlink(slink) < 0 && errno != ENOENT) ++ return log_device_debug_errno(dev, errno, "Failed to remove '%s': %m", slink); ++ ++ (void) rmdir_parents(slink, "/dev"); ++ return 1; /* done */ ++ } ++ ++ /* Check if the diskseq matches with the DISKSEQ property. 
*/ ++ r = sd_device_get_property_value(dev, "DISKSEQ", &diskseq); ++ if (r < 0) { ++ log_device_debug_errno(dev, r, "Failed to get DISKSEQ property, but symlink '%s' is requested, ignoring: %m", slink); ++ return 0; ++ } ++ ++ if (!streq(fname, diskseq)) { ++ log_device_debug(dev, "Unexpected by-diskseq symlink '%s' is requested (DISKSEQ=%s), proceeding anyway.", slink, diskseq); ++ return 0; ++ } ++ ++ r = node_symlink(dev, /* devnode = */ NULL, slink); ++ if (r < 0) ++ return r; ++ ++ return 1; /* done */ ++} ++ + static int link_update(sd_device *dev, const char *slink, bool add) { + _cleanup_free_ char *current_id = NULL, *devnode = NULL; + _cleanup_close_ int dirfd = -EBADF, lockfd = -EBADF; +@@ -431,6 +512,10 @@ static int link_update(sd_device *dev, const char *slink, bool add) { + assert(dev); + assert(slink); + ++ r = link_update_diskseq(dev, slink, add); ++ if (r != 0) ++ return r; ++ + r = stack_directory_open(dev, slink, &dirfd, &lockfd); + if (r < 0) + return r; +-- +2.33.0 + diff --git a/backport-udev-rules-pass-the-right-error-variable.patch b/backport-udev-rules-pass-the-right-error-variable.patch new file mode 100644 index 0000000..dc76dba --- /dev/null +++ b/backport-udev-rules-pass-the-right-error-variable.patch 
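Review bot: `link_update_diskseq` returns 0, 1 or a negative errno and `link_update` treats any non-zero value as "handled", but that contract is only stated piecemeal in inline comments ("done", "unexpected by-diskseq symlink"). A header comment above the function would help, e.g. `/* Returns 1 when the by-diskseq symlink was created or removed here and no stack directory is needed, 0 when the caller should fall back to the regular stack-directory handling, and a negative errno on error. */`. The removal path unlinks the symlink after checking only that its name is numeric under /dev/disk/by-diskseq, which the comment there acknowledges cannot be verified against DISKSEQ; that is acceptable only because, as the commit message states, a by-diskseq link is never shared between devices, and the comment should say so. link_update's body continues outside the hunk.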
@@ -0,0 +1,26 @@ +From 5909e5cff7f2073580c42cd205c919bc33facffa Mon Sep 17 00:00:00 2001 +From: David Tardon +Date: Tue, 7 May 2024 13:55:02 +0200 +Subject: [PATCH 0605/1160] udev-rules: pass the right error variable + +(cherry picked from commit 75c64e58d18eb3726386cde4838546b6a2de525b) +--- + src/udev/udev-rules.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/udev/udev-rules.c b/src/udev/udev-rules.c +index 5f12002394..c242549654 100644 +--- a/src/udev/udev-rules.c ++++ b/src/udev/udev-rules.c +@@ -1538,7 +1538,7 @@ int udev_rules_parse_file(UdevRules *rules, const char *filename, bool extra_che + + r = hashmap_put_stats_by_path(&rules->stats_by_path, filename, &st); + if (r < 0) +- return log_warning_errno(errno, "Failed to save stat for %s, ignoring: %m", filename); ++ return log_warning_errno(r, "Failed to save stat for %s, ignoring: %m", filename); + + (void) fd_warn_permissions(filename, fileno(f)); + +-- +2.33.0 + diff --git a/backport-udev-skipping-empty-udev-rules-file-while-collecting.patch b/backport-udev-skipping-empty-udev-rules-file-while-collecting.patch new file mode 100644 index 0000000..3c6ea68 --- /dev/null +++ b/backport-udev-skipping-empty-udev-rules-file-while-collecting.patch 
@@ -0,0 +1,36 @@ +From 484d31a58d7b820fa83a70a9f654b907130eec75 Mon Sep 17 00:00:00 2001 +From: Lidong Zhong +Date: Thu, 7 Nov 2024 14:41:11 +0800 +Subject: [PATCH 0997/1160] udev: skipping empty udev rules file while + collecting the stats + +To keep align with the logic used in udev_rules_parse_file(), we also +should skip the empty udev rules file while collecting the stats during +manager reload. Otherwise all udev rules files will be parsed again whenever +reloading udev manager with an empty udev rules file. It's time consuming +and the following uevents will fail with timeout. + +(cherry picked from commit 2ae79a31b7c7947e2c16e18eb85ac5607ebc40b6) +(cherry picked from commit 688eb20fdb9c4bcc6d205323f9cec119d6273169) +--- + src/shared/conf-parser.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/src/shared/conf-parser.c b/src/shared/conf-parser.c +index 9fb0395714..fbe8103b43 100644 +--- a/src/shared/conf-parser.c ++++ b/src/shared/conf-parser.c +@@ -763,6 +763,10 @@ int config_get_stats_by_path( + return -errno; + } + ++ /* Skipping an empty file. */ ++ if (null_or_empty(&st)) ++ continue; ++ + r = hashmap_put_stats_by_path(&stats_by_path, *f, &st); + if (r < 0) + return r; +-- +2.33.0 + diff --git a/backport-udev-watch-do-not-try-to-remove-invalid-watch-handle.patch b/backport-udev-watch-do-not-try-to-remove-invalid-watch-handle.patch new file mode 100644 index 0000000..74e8576 --- /dev/null +++ b/backport-udev-watch-do-not-try-to-remove-invalid-watch-handle.patch 
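Review bot: The new `null_or_empty(&st)` skip lands in the shared `config_get_stats_by_path`, which is not udev-specific, while the commit message only argues the udev-rules case; any other caller that compares the returned stats to decide whether to reload will no longer notice an empty file appearing or disappearing. Confirm that is acceptable for the other users of this helper in the tree, or limit the skip to the udev caller. The comment `/* Skipping an empty file. */` should also give the reason, e.g. `/* Skip empty files, to stay consistent with udev_rules_parse_file() which ignores them. */`. config_get_stats_by_path starts and ends outside the hunk.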
@@ -0,0 +1,48 @@
+From 0b15dcbd7ab53ff8da37536e6da7182543a6935c Mon Sep 17 00:00:00 2001
+From: Yu Watanabe
+Date: Wed, 12 Feb 2025 09:23:33 +0900
+Subject: [PATCH 1119/1160] udev-watch: do not try to remove invalid watch
+ handle
+
+When a new device is processed, there should be no watch handle for
+the device, hence udev_watch_clear() provides -1. Let's not try to call
+inotify_rm_watch() in that case.
+
+This should not change any behavior. Just for suppressing spurious
+debugging log:
+=====
+(udev-worker)[3626140]: zram1: Removing watch handle -1.
+=====
+
+(cherry picked from commit b3b442062045eac61a9dd3ed73b650dfb5be0b46)
+(cherry picked from commit d32f4bcaf274e208568a5e6151c0a81d00d80438)
+(cherry picked from commit 93930340c9b6725f72c5d4e811e1522d9ce9f031)
+---
+ src/udev/udev-watch.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/udev/udev-watch.c b/src/udev/udev-watch.c
+index 35166b7798..540e3a7b2e 100644
+--- a/src/udev/udev-watch.c
++++ b/src/udev/udev-watch.c
+@@ -161,7 +161,7 @@ static int udev_watch_clear(sd_device *dev, int dirfd, int *ret_wd) {
+
+ if (ret_wd)
+ *ret_wd = wd;
+- r = 0;
++ r = 1;
+
+ finalize:
+ /* 5. remove symlink ID -> wd.
+@@ -252,7 +252,7 @@ int udev_watch_end(int inotify_fd, sd_device *dev) {
+
+ /* First, clear symlinks. */
+ r = udev_watch_clear(dev, dirfd, &wd);
+- if (r < 0)
++ if (r <= 0)
+ return r;
+
+ /* Then, remove inotify watch. */
+--
+2.33.0
+
diff --git a/backport-udev-watch-mention-that-the-failure-is-ignored.patch b/backport-udev-watch-mention-that-the-failure-is-ignored.patch
new file mode 100644
index 0000000..e3a3274
--- /dev/null
+++ b/backport-udev-watch-mention-that-the-failure-is-ignored.patch
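Review bot: udev_watch_clear() now returns 1 when a watch handle was found and 0 when there was none, and udev_watch_end() relies on that with `if (r <= 0) return r;`, but the hunk adds no comment stating this contract, and any other caller of udev_watch_clear() that tests `r == 0` for success is not visible here and would now take the wrong path. I would document the return value above the function, e.g. `/* Returns 1 if a watch handle was found and stored in *ret_wd, 0 if the device had none, negative errno on failure. */`, and confirm the remaining callers. udev_watch_clear() and udev_watch_end() both start outside their hunks.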
@@ -0,0 +1,28 @@
+From 17a6af2fb5481f8a15e5df3fe75529a1b4b58914 Mon Sep 17 00:00:00 2001
+From: Yu Watanabe
+Date: Wed, 12 Feb 2025 09:22:49 +0900
+Subject: [PATCH 1118/1160] udev-watch: mention that the failure is ignored
+
+(cherry picked from commit a52aad3b4bb735a22ce67110142d135819589a87)
+(cherry picked from commit cc77e140a8b194f710f33c9f552750ce350e6122)
+(cherry picked from commit a6f86fcf0f66724913bc0725a5109b4dce585955)
+---
+ src/udev/udev-watch.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/udev/udev-watch.c b/src/udev/udev-watch.c
+index daac0d742e..35166b7798 100644
+--- a/src/udev/udev-watch.c
++++ b/src/udev/udev-watch.c
+@@ -167,7 +167,7 @@ finalize:
+ /* 5. remove symlink ID -> wd.
+ * The file is always owned by the device. Hence, it is safe to remove it unconditionally. */
+ if (unlinkat(dirfd, id, 0) < 0 && errno != ENOENT)
+- log_device_debug_errno(dev, errno, "Failed to remove '/run/udev/watch/%s': %m", id);
++ log_device_debug_errno(dev, errno, "Failed to remove '/run/udev/watch/%s', ignoring: %m", id);
+
+ return r;
+ }
+--
+2.33.0
+
diff --git a/backport-udev-worker-add-debugging-log-about-success-of-flock.patch b/backport-udev-worker-add-debugging-log-about-success-of-flock.patch
new file mode 100644
index 0000000..1804769
--- /dev/null
+++ b/backport-udev-worker-add-debugging-log-about-success-of-flock.patch
@@ -0,0 +1,28 @@
+From 3a71bab03c33ad791502ea90c8ed9b134ce5973e Mon Sep 17 00:00:00 2001
+From: Yu Watanabe
+Date: Wed, 12 Feb 2025 09:20:51 +0900
+Subject: [PATCH 1117/1160] udev-worker: add debugging log about success of
+ flock() for whole block device
+
+(cherry picked from commit 951def0e276c041a262b3f147bb42206195fe13e)
+(cherry picked from commit a112fca1212c1488c6c43991df2be1fc171b8138)
+(cherry picked from commit 2948d0647e9077fb2181ed7792278869018cd263)
+---
+ src/udev/udev-worker.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/udev/udev-worker.c b/src/udev/udev-worker.c
+index 617439b525..9b53ac7333 100644
+--- a/src/udev/udev-worker.c
++++ b/src/udev/udev-worker.c
+@@ -123,6 +123,7 @@ static int worker_lock_whole_disk(sd_device *dev, int *ret_fd) {
+ if (flock(fd, LOCK_SH|LOCK_NB) < 0)
+ return log_device_debug_errno(dev, errno, "Failed to flock(%s): %m", val);
+
++ log_device_debug(dev, "Successfully took flock(LOCK_SH) for %s, it will be released after the event has been processed.", val);
+ *ret_fd = TAKE_FD(fd);
+ return 1;
+
+--
+2.33.0
+
diff --git a/backport-udevadm-Propagate-return-code-from-verb-result.patch b/backport-udevadm-Propagate-return-code-from-verb-result.patch
new file mode 100644
index 0000000..7934b06
--- /dev/null
+++ b/backport-udevadm-Propagate-return-code-from-verb-result.patch
@@ -0,0 +1,71 @@ +From 34b056e3a322352df7ecc8a2ae89a340f233237a Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Joakim=20Nohlg=C3=A5rd?= +Date: Fri, 29 Dec 2023 15:06:50 +0100 +Subject: [PATCH 0102/1160] udevadm: Propagate return code from verb result + +udevadm lock did not propagate the return code from the child process +because all positive values were treated as success. + +v2: +Now 'udevadm test-builtin' ignores all positive return values from the +builtin commands. Otherwise, as the hwdb builtin returns an positive value +when a matching entry found, 'udevadm test-builtin hwdb' will fail. + +v3: +Initialize partition table before calling 'sfdisk --delete'. + +Co-authored-by: Yu Watanabe +(cherry picked from commit ba340e2a75a0a16031fcb7efa05cfd250e859f17) +--- + src/udev/udevadm-test-builtin.c | 5 ++++- + src/udev/udevadm.c | 2 +- + test/units/testsuite-64.sh | 5 +++++ + 3 files changed, 10 insertions(+), 2 deletions(-) + +diff --git a/src/udev/udevadm-test-builtin.c b/src/udev/udevadm-test-builtin.c +index 5d1fafbd03..f5498a1e5b 100644 +--- a/src/udev/udevadm-test-builtin.c ++++ b/src/udev/udevadm-test-builtin.c +@@ -104,9 +104,12 @@ int builtin_main(int argc, char *argv[], void *userdata) { + } + + r = udev_builtin_run(event, cmd, arg_command, true); +- if (r < 0) ++ if (r < 0) { + log_debug_errno(r, "Builtin command '%s' fails: %m", arg_command); ++ goto finish; ++ } + ++ r = 0; + finish: + udev_builtin_exit(); + return r; +diff --git a/src/udev/udevadm.c b/src/udev/udevadm.c +index 51dc041a29..687b927f72 100644 +--- a/src/udev/udevadm.c ++++ b/src/udev/udevadm.c +@@ -137,4 +137,4 @@ static int run(int argc, char *argv[]) { + return udevadm_main(argc, argv); + } + +-DEFINE_MAIN_FUNCTION(run); ++DEFINE_MAIN_FUNCTION_WITH_POSITIVE_FAILURE(run); +diff --git a/test/units/testsuite-64.sh b/test/units/testsuite-64.sh +index 0e598cc6b3..299c5eb183 100755 +--- a/test/units/testsuite-64.sh ++++ b/test/units/testsuite-64.sh +@@ -396,6 +396,11 @@ EOF + + udevadm control 
--reload + ++ # initialize partition table ++ for disk in {0..9}; do ++ echo 'label: gpt' | udevadm lock --device="${devices[$disk]}" sfdisk -q "${devices[$disk]}" ++ done ++ + # Delete the partitions, immediately recreate them, wait for udev to settle + # down, and then check if we have any dangling symlinks in /dev/disk/. Rinse + # and repeat. +-- +2.33.0 + diff --git a/backport-unit-check-for-correct-function-in-vtable.patch b/backport-unit-check-for-correct-function-in-vtable.patch index 181ffa1..fdf2d06 100644 --- a/backport-unit-check-for-correct-function-in-vtable.patch +++ b/backport-unit-check-for-correct-function-in-vtable.patch @@ -1,7 +1,7 @@ From 891be0c2e7da8d95217e25e91cf1216b46be73fd Mon Sep 17 00:00:00 2001 From: Mike Yuan Date: Wed, 17 Jan 2024 17:20:29 +0800 -Subject: [PATCH] core/unit: check for correct function in vtable +Subject: [PATCH 0157/1160] core/unit: check for correct function in vtable Prompted by https://github.com/systemd/systemd/pull/30974/commits/61e44e01325eca50e88fc9cd400ee340081e9134 @@ -11,7 +11,7 @@ Prompted by https://github.com/systemd/systemd/pull/30974/commits/61e44e01325eca 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/core/unit.c b/src/core/unit.c -index 41f3bdb226a..2fc9f5ad2d3 100644 +index 41f3bdb226..2fc9f5ad2d 100644 --- a/src/core/unit.c +++ b/src/core/unit.c @@ -6605,7 +6605,7 @@ int activation_details_append_pair(ActivationDetails *details, char ***strv) { @@ -23,3 +23,6 @@ index 41f3bdb226a..2fc9f5ad2d3 100644 r = ACTIVATION_DETAILS_VTABLE(details)->append_pair(details, strv); if (r < 0) return r; +-- +2.33.0 + diff --git a/backport-unit-order-systemd-resolved-after-systemd-sysctl.patch b/backport-unit-order-systemd-resolved-after-systemd-sysctl.patch new file mode 100644 index 0000000..aac449e --- /dev/null +++ b/backport-unit-order-systemd-resolved-after-systemd-sysctl.patch 
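Review bot: `DEFINE_MAIN_FUNCTION_WITH_POSITIVE_FAILURE(run)` in udevadm.c turns every verb's positive return value into an exit failure, and the commit audits only test-builtin (the added `r = 0;` before `finish:`); any other verb that returns a positive value on success is not visible in these hunks and would start failing silently. A one-line comment at the macro use would protect that invariant, e.g. `/* Verbs must return 0 on success: positive values are propagated as the exit status (udevadm lock). */`. builtin_main() and the shell test function both start outside their hunks.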
@@ -0,0 +1,29 @@
+From ae2c69e8e61032417ce712ec95df5629c5799d37 Mon Sep 17 00:00:00 2001
+From: Yu Watanabe
+Date: Wed, 3 Jan 2024 04:07:11 +0900
+Subject: [PATCH 0108/1160] unit: order systemd-resolved after systemd-sysctl
+
+Otherwise, IPv6 enable/disable setting may be changed after resolved is
+started.
+
+(cherry picked from commit 6e6b59ed00332e4d8061b2f0f6bc0945d4fced64)
+---
+ units/systemd-resolved.service.in | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/units/systemd-resolved.service.in b/units/systemd-resolved.service.in
+index 736f36848c..820aecfef6 100644
+--- a/units/systemd-resolved.service.in
++++ b/units/systemd-resolved.service.in
+@@ -15,7 +15,7 @@ Documentation=https://www.freedesktop.org/wiki/Software/systemd/writing-network-
+ Documentation=https://www.freedesktop.org/wiki/Software/systemd/writing-resolver-clients
+
+ DefaultDependencies=no
+-After=systemd-sysusers.service
++After=systemd-sysctl.service systemd-sysusers.service
+ Before=sysinit.target network.target nss-lookup.target shutdown.target initrd-switch-root.target
+ Conflicts=shutdown.target initrd-switch-root.target
+ Wants=nss-lookup.target
+--
+2.33.0
+
diff --git a/backport-units-Accept-modules_load-and-rd.modules_load-in-sys.patch b/backport-units-Accept-modules_load-and-rd.modules_load-in-sys.patch
new file mode 100644
index 0000000..5db7ba7
--- /dev/null
+++ b/backport-units-Accept-modules_load-and-rd.modules_load-in-sys.patch
@@ -0,0 +1,31 @@
+From c15d8f5c4490e2a4646bd75d18ecd5baca1225c2 Mon Sep 17 00:00:00 2001
+From: Daan De Meyer
+Date: Sat, 16 Mar 2024 17:10:14 +0100
+Subject: [PATCH 0454/1160] units: Accept modules_load and rd.modules_load in
+ systemd-modules-load.service
+
+The service will use either, so let's make sure either of them starts
+the service as well.
+
+(cherry picked from commit c0aeff4b999318d4da48328fff0ea93c8c457ace)
+---
+ units/systemd-modules-load.service.in | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/units/systemd-modules-load.service.in b/units/systemd-modules-load.service.in
+index 0fe6740bda..ad262fa13a 100644
+--- a/units/systemd-modules-load.service.in
++++ b/units/systemd-modules-load.service.in
+@@ -20,7 +20,9 @@ ConditionDirectoryNotEmpty=|/usr/local/lib/modules-load.d
+ ConditionDirectoryNotEmpty=|/etc/modules-load.d
+ ConditionDirectoryNotEmpty=|/run/modules-load.d
+ ConditionKernelCommandLine=|modules-load
++ConditionKernelCommandLine=|modules_load
+ ConditionKernelCommandLine=|rd.modules-load
++ConditionKernelCommandLine=|rd.modules_load
+
+ [Service]
+ Type=oneshot
+--
+2.33.0
+
diff --git a/backport-units-add-initrd-directory-to-list-of-conditions-for.patch b/backport-units-add-initrd-directory-to-list-of-conditions-for.patch
new file mode 100644
index 0000000..f48de2c
--- /dev/null
+++ b/backport-units-add-initrd-directory-to-list-of-conditions-for.patch
@@ -0,0 +1,30 @@
+From a95efebffcfd61a7be7af9c99be658f565498f85 Mon Sep 17 00:00:00 2001
+From: Luca Boccassi
+Date: Tue, 19 Nov 2024 23:34:00 +0000
+Subject: [PATCH 1021/1160] units: add initrd directory to list of conditions
+ for systemd-confext
+
+systemd-sysext has the same check, but it was forgotten for confexts.
+Needed to activate confexts from the ESP in the initrd.
+
+(cherry picked from commit fe077a1a582a43a6378ff29452a373cc7d393764)
+(cherry picked from commit fec28cb4f94c033f42480b0b99ac30bd2bdae046)
+---
+ units/systemd-confext.service | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/units/systemd-confext.service b/units/systemd-confext.service
+index 3b46ecae08..cd5e0f295f 100644
+--- a/units/systemd-confext.service
++++ b/units/systemd-confext.service
+@@ -16,6 +16,7 @@ ConditionDirectoryNotEmpty=|/run/confexts
+ ConditionDirectoryNotEmpty=|/var/lib/confexts
+ ConditionDirectoryNotEmpty=|/usr/local/lib/confexts
+ ConditionDirectoryNotEmpty=|/usr/lib/confexts
++ConditionDirectoryNotEmpty=|/.extra/confext
+
+ DefaultDependencies=no
+ After=local-fs.target
+--
+2.33.0
+
diff --git a/backport-user-util-validate-the-right-field.patch b/backport-user-util-validate-the-right-field.patch
index 250212a..d98479c 100644
--- a/backport-user-util-validate-the-right-field.patch
+++ b/backport-user-util-validate-the-right-field.patch
@@ -1,24 +1,18 @@
-From 3db209c9567c728c13b5d901e81f151ed1d2b0f7 Mon Sep 17 00:00:00 2001
+From 624984ff423a98f1fd66e64ddfe3a8972d2f911f Mon Sep 17 00:00:00 2001
From: Lennart Poettering Date: Fri, 19 Jan 2024 11:32:26 +0100 -Subject: [PATCH] user-util: validate the right field +Subject: [PATCH 0271/1160] user-util: validate the right field (cherry picked from commit 829854afa5e38db30be207fc8f8f80705e623795) -(cherry picked from commit 624984ff423a98f1fd66e64ddfe3a8972d2f911f) -(cherry picked from commit 641b8d700694984e40199008b059a65184dc946b) - -Conflict:NA -Reference:https://github.com/systemd/systemd-stable/commit/3db209c9567c728c13b5d901e81f151ed1d2b0f7 - --- src/basic/user-util.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/basic/user-util.c b/src/basic/user-util.c -index 519ab70118..c81d19409d 100644 +index 9ae8577238..9e6926b707 100644 --- a/src/basic/user-util.c +++ b/src/basic/user-util.c -@@ -314,7 +314,7 @@ int get_user_creds( +@@ -328,7 +328,7 @@ int get_user_creds( if (shell) { if (FLAGS_SET(flags, USER_CREDS_CLEAN) && (isempty(p->pw_shell) || diff --git a/backport-userbdctl-show-mapped-user-range-only-inside-of-user.patch b/backport-userbdctl-show-mapped-user-range-only-inside-of-user.patch new file mode 100644 index 0000000..aa1edd2 --- /dev/null +++ b/backport-userbdctl-show-mapped-user-range-only-inside-of-user.patch 
@@ -0,0 +1,75 @@ +From 421c23f4fae2522f0ed9fc094836303b8faadc83 Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Fri, 22 Nov 2024 09:34:56 +0100 +Subject: [PATCH 1025/1160] userbdctl: show 'mapped' user range only inside of + userns + +Outside of userns the concept makes no sense, there cannot be users +mapped from further outside. + +(cherry picked from commit e412fc5e042b8f642bcba42f5c175124583e05ae) +(cherry picked from commit aed4e9045656eb7934e3171a6fe442f7df4c4180) +--- + src/userdb/userdbctl.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +diff --git a/src/userdb/userdbctl.c b/src/userdb/userdbctl.c +index 238a71da9d..b141808be0 100644 +--- a/src/userdb/userdbctl.c ++++ b/src/userdb/userdbctl.c +@@ -23,6 +23,7 @@ + #include "user-util.h" + #include "userdb.h" + #include "verbs.h" ++#include "virt.h" + + static enum { + OUTPUT_CLASSIC, +@@ -130,10 +131,16 @@ static int show_user(UserRecord *ur, Table *table) { + return 0; + } + ++static bool test_show_mapped(void) { ++ /* Show mapped user range only in environments where user mapping is a thing. 
*/ ++ return running_in_userns() > 0; ++} ++ + static const struct { + uid_t first, last; + const char *name; + UserDisposition disposition; ++ bool (*test)(void); + } uid_range_table[] = { + { + .first = 1, +@@ -166,6 +173,7 @@ static const struct { + .last = MAP_UID_MAX, + .name = "mapped", + .disposition = USER_REGULAR, ++ .test = test_show_mapped, + }, + }; + +@@ -180,6 +188,9 @@ static int table_add_uid_boundaries(Table *table, const UidRange *p) { + if (!uid_range_covers(p, uid_range_table[i].first, uid_range_table[i].last - uid_range_table[i].first + 1)) + continue; + ++ if (uid_range_table[i].test && !uid_range_table[i].test()) ++ continue; ++ + name = strjoin(special_glyph(SPECIAL_GLYPH_ARROW_DOWN), + " begin ", uid_range_table[i].name, " users ", + special_glyph(SPECIAL_GLYPH_ARROW_DOWN)); +@@ -541,6 +552,9 @@ static int table_add_gid_boundaries(Table *table, const UidRange *p) { + uid_range_table[i].last - uid_range_table[i].first + 1)) + continue; + ++ if (uid_range_table[i].test && !uid_range_table[i].test()) ++ continue; ++ + name = strjoin(special_glyph(SPECIAL_GLYPH_ARROW_DOWN), + " begin ", uid_range_table[i].name, " groups ", + special_glyph(SPECIAL_GLYPH_ARROW_DOWN)); +-- +2.33.0 + diff --git a/backport-userdb-reset-errno-before-getpwent.patch b/backport-userdb-reset-errno-before-getpwent.patch new file mode 100644 index 0000000..67e4c3e --- /dev/null +++ b/backport-userdb-reset-errno-before-getpwent.patch 
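Review bot: `return running_in_userns() > 0;` in test_show_mapped() folds a negative error from running_in_userns() into "do not show", so a failure to detect the namespace silently hides the mapped range with no log line. For a purely cosmetic table row that is defensible, but it should be stated at the return: `/* A detection error is treated as "not in a userns"; the range is then simply not shown. */`. The `if (uid_range_table[i].test && !uid_range_table[i].test()) continue;` check is duplicated verbatim in table_add_uid_boundaries() and table_add_gid_boundaries(); a small static helper taking the index would keep the two in step. Both of those functions start outside their hunks.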
@@ -0,0 +1,35 @@
+From c1d49aa8d50179d55ccc7734c1a4d032c8f0ad57 Mon Sep 17 00:00:00 2001
+From: Lennart Poettering
+Date: Wed, 22 Jan 2025 16:44:12 +0100
+Subject: [PATCH 1107/1160] userdb: reset errno before getpwent()
+
+errno handling for NSS is always a bit weird since NSS modules generally
+are not particularly careful with it. Hence let's initialize errno
+explicitly before we invoke getpwent() so that we know it's in a
+reasonable state afterwards on failure, or zero if not.
+
+We do this in most places we use NSS, including in userdb when it comes
+to getgrent(), just for getpwent() we don't so far. Address that.
+
+(cherry picked from commit 83e3b96d0a3b665b7b7a291500fa354a7760a917)
+(cherry picked from commit 4fc9748a2773655e1ad55745cb2302b4a809f137)
+(cherry picked from commit 443dbf488fe5246289638f8a14d2f17a845c879c)
+---
+ src/shared/userdb.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/shared/userdb.c b/src/shared/userdb.c
+index 98066bb81d..7469768233 100644
+--- a/src/shared/userdb.c
++++ b/src/shared/userdb.c
+@@ -767,6 +767,7 @@ int userdb_iterator_get(UserDBIterator *iterator, UserRecord **ret) {
+ /* If NSS isn't covered elsewhere, let's iterate through it first, since it probably contains
+ * the more traditional sources, which are probably good to show first. */
+
++ errno = 0;
+ pw = getpwent();
+ if (pw) {
+ _cleanup_free_ char *buffer = NULL;
+--
+2.33.0
+
diff --git a/backport-userdbctl-avoid-NULL-pointer-deref.patch b/backport-userdbctl-avoid-NULL-pointer-deref.patch
new file mode 100644
index 0000000..40e05e7
--- /dev/null
+++ b/backport-userdbctl-avoid-NULL-pointer-deref.patch
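Review bot: The added `errno = 0;` is the whole fix but carries no comment, and its purpose is not obvious at the call site; the commit message explains that NSS modules leave errno in an arbitrary state, so the reset is what makes errno meaningful when getpwent() returns NULL. I would add `/* NSS modules are sloppy with errno; reset it so the value after getpwent() is meaningful. */` directly above the line. The NULL-return branch that consumes errno is outside the hunk, as is the start of userdb_iterator_get().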
@@ -0,0 +1,30 @@
+From b6ddfe38a34238d474bc8e5100fafd0b8d123204 Mon Sep 17 00:00:00 2001
+From: Mike Yuan
+Date: Mon, 8 Apr 2024 20:19:57 +0800
+Subject: [PATCH 0497/1160] userdbctl: avoid NULL pointer deref
+
+Error from uid_range_load_userns is ignored,
+so 'p' could be NULL.
+
+(cherry picked from commit f48b487ddbf6cfc40f7154e06a560ec1bb9ad512)
+---
+ src/userdb/userdbctl.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/userdb/userdbctl.c b/src/userdb/userdbctl.c
+index a7db3fb0d5..f98a080e9d 100644
+--- a/src/userdb/userdbctl.c
++++ b/src/userdb/userdbctl.c
+@@ -310,6 +310,9 @@ static int table_add_uid_map(
+ assert(table);
+ assert(add_unavailable);
+
++ if (!p)
++ return 0;
++
+ for (size_t i = 0; p && i < p->n_entries; i++) {
+ UidRangeEntry *x = p->entries + i;
+
+--
+2.33.0
+
diff --git a/backport-userdbctl-correct-uid_range_covers-check.patch b/backport-userdbctl-correct-uid_range_covers-check.patch
new file mode 100644
index 0000000..7634291
--- /dev/null
+++ b/backport-userdbctl-correct-uid_range_covers-check.patch
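Review bot: With the new early `if (!p) return 0;`, the `p &&` in `for (size_t i = 0; p && i < p->n_entries; i++)` two lines below is now dead and should be dropped so the NULL guard lives in one place. Returning 0 silently is consistent with the commit message's statement that the uid_range_load_userns() error is ignored by the caller, but a comment saying so would spare the next reader the same question: `/* No userns range known (load error is ignored by the caller), nothing to add. */`. table_add_uid_map() starts outside the hunk.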
@@ -0,0 +1,29 @@
+From 01f82bf4702b69dddab471c4b01c817eba513ff6 Mon Sep 17 00:00:00 2001
+From: Mike Yuan
+Date: Mon, 8 Apr 2024 20:24:23 +0800
+Subject: [PATCH 0498/1160] userdbctl: correct uid_range_covers check
+
+The third param should be the number of uids.
+
+(cherry picked from commit 8ef347de677218b4aa4b80bceff40a5740f4dc4b)
+---
+ src/userdb/userdbctl.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/userdb/userdbctl.c b/src/userdb/userdbctl.c
+index f98a080e9d..238a71da9d 100644
+--- a/src/userdb/userdbctl.c
++++ b/src/userdb/userdbctl.c
+@@ -537,7 +537,8 @@ static int table_add_gid_boundaries(Table *table, const UidRange *p) {
+ for (size_t i = 0; i < ELEMENTSOF(uid_range_table); i++) {
+ _cleanup_free_ char *name = NULL, *comment = NULL;
+
+- if (!uid_range_covers(p, uid_range_table[i].first, uid_range_table[i].last))
++ if (!uid_range_covers(p, uid_range_table[i].first,
++ uid_range_table[i].last - uid_range_table[i].first + 1))
+ continue;
+
+ name = strjoin(special_glyph(SPECIAL_GLYPH_ARROW_DOWN),
+--
+2.33.0
+
diff --git a/backport-userdbctl-fix-counting.patch b/backport-userdbctl-fix-counting.patch
new file mode 100644
index 0000000..686b8ef
--- /dev/null
+++ b/backport-userdbctl-fix-counting.patch
@@ -0,0 +1,63 @@
+From 9d0e453244c5beb615f40651936ba79d525cb859 Mon Sep 17 00:00:00 2001
+From: Lennart Poettering
+Date: Fri, 22 Nov 2024 10:11:32 +0100
+Subject: [PATCH 1026/1160] userdbctl: fix counting
+
+Fixes: #35294
+(cherry picked from commit 7f8a4f12dfea6f644f92788bd9b03983898e9d32)
+(cherry picked from commit 3d85366ab802aea92ade6a544b63ef73fff69e4a)
+---
+ src/userdb/userdbctl.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/src/userdb/userdbctl.c b/src/userdb/userdbctl.c
+index b141808be0..c4d61c7233 100644
+--- a/src/userdb/userdbctl.c
++++ b/src/userdb/userdbctl.c
+@@ -178,7 +178,7 @@ static const struct {
+ };
+
+ static int table_add_uid_boundaries(Table *table, const UidRange *p) {
+- int r;
++ int r, n_added = 0;
+
+ assert(table);
+
+@@ -248,9 +248,11 @@ static int table_add_uid_boundaries(Table *table, const UidRange *p) {
+ TABLE_INT, 1); /* sort after any other entry with the same UID */
+ if (r < 0)
+ return table_log_add_error(r);
++
++ n_added += 2;
+ }
+
+- return ELEMENTSOF(uid_range_table) * 2;
++ return n_added;
+ }
+
+ static int add_unavailable_uid(Table *table, uid_t start, uid_t end) {
+@@ -541,7 +543,7 @@ static int show_group(GroupRecord *gr, Table *table) {
+ }
+
+ static int table_add_gid_boundaries(Table *table, const UidRange *p) {
+- int r;
++ int r, n_added = 0;
+
+ assert(table);
+
+@@ -606,9 +608,11 @@ static int table_add_gid_boundaries(Table *table, const UidRange *p) {
+ TABLE_INT, 1); /* sort after any other entry with the same GID */
+ if (r < 0)
+ return table_log_add_error(r);
++
++ n_added += 2;
+ }
+
+- return ELEMENTSOF(uid_range_table) * 2;
++ return n_added;
+ }
+
+ static int add_unavailable_gid(Table *table, uid_t start, uid_t end) {
+--
+2.33.0
+
diff --git a/backport-userdbd-properly-close-the-listener-fd-on-exit.patch b/backport-userdbd-properly-close-the-listener-fd-on-exit.patch
new file mode 100644
index 0000000..2dc5e2d
--- /dev/null
+++ b/backport-userdbd-properly-close-the-listener-fd-on-exit.patch
@@ -0,0 +1,26 @@
+From af1a61b3cfa80c3ebbabc2518102913929c3e248 Mon Sep 17 00:00:00 2001
+From: Lennart Poettering
+Date: Wed, 13 Dec 2023 18:18:39 +0100
+Subject: [PATCH 0072/1160] userdbd: properly close the listener fd on exit
+
+(cherry picked from commit 0e3cb8cf88ae3297f53591c70bd1f56832e1ef83)
+---
+ src/userdb/userdbd-manager.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/userdb/userdbd-manager.c b/src/userdb/userdbd-manager.c
+index 62a1fa5f4b..c1dfe47ea3 100644
+--- a/src/userdb/userdbd-manager.c
++++ b/src/userdb/userdbd-manager.c
+@@ -124,6 +124,8 @@ Manager* manager_free(Manager *m) {
+
+ m->deferred_start_worker_event_source = sd_event_source_unref(m->deferred_start_worker_event_source);
+
++ safe_close(m->listen_fd);
++
+ sd_event_unref(m->event);
+
+ return mfree(m);
+--
+2.33.0
+
diff --git a/backport-util-make-file_read-64bit-offset-safe.patch b/backport-util-make-file_read-64bit-offset-safe.patch
new file mode 100644
index 0000000..f30c1b8
--- /dev/null
+++ b/backport-util-make-file_read-64bit-offset-safe.patch
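Review bot: `safe_close(m->listen_fd);` is only safe if manager_new() initialises listen_fd to a negative value (-EBADF) before any failure path can reach manager_free(); that initialisation is not visible in this hunk, and a zero-initialised field would close stdin here. The neighbouring lines follow the systemd idiom of assigning the result back, so `m->listen_fd = safe_close(m->listen_fd);` would match them and is harmless immediately before `mfree(m)`. manager_free() starts outside the hunk.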
@@ -0,0 +1,61 @@ +From 155475b474072e52294784d30a962dfecd0f5d14 Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Wed, 26 Jun 2024 15:43:28 +0200 +Subject: [PATCH 0722/1160] util: make file_read() 64bit offset safe + +File offsets in UEFI are 64bit on all archs, hence let's use that typo +too, and not create artificial confusion around types. + +(cherry picked from commit 9573ab8f5a1e2dfdb3542aa647868ff73ced7dd2) +(cherry picked from commit 57661f4ea9b3f13b7395ad594f20c0bae14b6e27) +--- + src/boot/efi/util.c | 12 +++++++++++- + src/boot/efi/util.h | 2 +- + 2 files changed, 12 insertions(+), 2 deletions(-) + +diff --git a/src/boot/efi/util.c b/src/boot/efi/util.c +index e56ccfd8ae..450b67ccfc 100644 +--- a/src/boot/efi/util.c ++++ b/src/boot/efi/util.c +@@ -330,7 +330,14 @@ EFI_STATUS chunked_read(EFI_FILE *file, size_t *size, void *buf) { + return EFI_SUCCESS; + } + +-EFI_STATUS file_read(EFI_FILE *dir, const char16_t *name, size_t off, size_t size, char **ret, size_t *ret_size) { ++EFI_STATUS file_read( ++ EFI_FILE *dir, ++ const char16_t *name, ++ uint64_t off, ++ size_t size, ++ char **ret, ++ size_t *ret_size) { ++ + _cleanup_(file_closep) EFI_FILE *handle = NULL; + _cleanup_free_ char *buf = NULL; + EFI_STATUS err; +@@ -350,6 +357,9 @@ EFI_STATUS file_read(EFI_FILE *dir, const char16_t *name, size_t off, size_t siz + if (err != EFI_SUCCESS) + return err; + ++ if (info->FileSize > SIZE_MAX) ++ return EFI_BAD_BUFFER_SIZE; ++ + size = info->FileSize; + } + +diff --git a/src/boot/efi/util.h b/src/boot/efi/util.h +index 0306e32810..9073097bf3 100644 +--- a/src/boot/efi/util.h ++++ b/src/boot/efi/util.h +@@ -102,7 +102,7 @@ char16_t *xstr8_to_path(const char *stra); + char16_t *mangle_stub_cmdline(char16_t *cmdline); + + EFI_STATUS chunked_read(EFI_FILE *file, size_t *size, void *buf); +-EFI_STATUS file_read(EFI_FILE *dir, const char16_t *name, size_t off, size_t size, char **content, size_t *content_size); ++EFI_STATUS file_read(EFI_FILE *dir, const 
char16_t *name, uint64_t off, size_t size, char **content, size_t *content_size); + + static inline void file_closep(EFI_FILE **handle) { + if (!*handle) +-- +2.33.0 + diff --git a/backport-utmp-wtmp-check-actual-value-of-bool-instead-of-poin.patch b/backport-utmp-wtmp-check-actual-value-of-bool-instead-of-poin.patch new file mode 100644 index 0000000..e60c14f --- /dev/null +++ b/backport-utmp-wtmp-check-actual-value-of-bool-instead-of-poin.patch @@ -0,0 +1,28 @@ +From 58de84b7acbaea6f076cd439f62473d7f4f79427 Mon Sep 17 00:00:00 2001 +From: Mike Yuan +Date: Mon, 1 Jan 2024 20:41:18 +0800 +Subject: [PATCH 0105/1160] utmp-wtmp: check actual value of bool instead of + pointer + +(cherry picked from commit 22a8f00229c86d76e1309bcc449b3c12f9d1599b) +--- + src/shared/utmp-wtmp.h | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/src/shared/utmp-wtmp.h b/src/shared/utmp-wtmp.h +index ec1e27771e..2e04fac404 100644 +--- a/src/shared/utmp-wtmp.h ++++ b/src/shared/utmp-wtmp.h +@@ -23,7 +23,8 @@ static inline bool utxent_start(void) { + return true; + } + static inline void utxent_cleanup(bool *initialized) { +- if (initialized) ++ assert(initialized); ++ if (*initialized) + endutxent(); + } + +-- +2.33.0 + diff --git a/backport-various-correct-laccess-error-check.patch b/backport-various-correct-laccess-error-check.patch new file mode 100644 index 0000000..a8dae74 --- /dev/null +++ b/backport-various-correct-laccess-error-check.patch 
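Review bot: `if (info->FileSize > SIZE_MAX) return EFI_BAD_BUFFER_SIZE;` is only meaningful where size_t is narrower than uint64_t; on 64-bit builds the comparison is always false and some compilers flag it, so the line deserves a comment explaining why it stays, e.g. `/* FileSize is uint64_t; on 32-bit targets it can exceed size_t. */`. The widened `uint64_t off` parameter is declared consistently in util.c and util.h, but the hunk does not show where off is applied to the file position or bounded against FileSize, so that part of file_read(), outside the hunk, still needs a look. file_read() ends outside the hunk.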
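Review bot: The new `assert(initialized);` in the inline utxent_cleanup() makes utmp-wtmp.h depend on the header that provides assert() (in systemd, macro.h); whether utmp-wtmp.h already includes it is not visible in this one-hunk patch and should be confirmed so the header stays self-contained. The substantive change is right: the old `if (initialized)` tested the pointer, which is always non-NULL for a cleanup handler, so endutxent() ran regardless of whether utxent_start() had set the flag. utxent_cleanup() is fully inside the hunk.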
@@ -0,0 +1,256 @@ +From 9cf6035d14cf292e8e94b25ecacf16a6fbc69f97 Mon Sep 17 00:00:00 2001 +From: Mike Yuan +Date: Fri, 4 Oct 2024 21:05:21 +0200 +Subject: [PATCH 0913/1160] various: correct laccess() error check + +laccess is our own macro that uses RET_NERRNO. + +(cherry picked from commit 7c1dd9e288047a69d4a6a6dd6585725410cfdadd) +(cherry picked from commit 4296a567d48ee43917b4f338fa1e927ffd53b36b) +--- + src/basic/os-util.c | 5 ++-- + src/basic/path-lookup.c | 9 ++++--- + src/coredump/coredump.c | 5 ++-- + src/home/homework-luks.c | 8 +++--- + src/kernel-install/kernel-install.c | 8 +++--- + src/libsystemd/sd-daemon/sd-daemon.c | 15 ++++++----- + src/shared/condition.c | 7 ++--- + src/shared/mount-util.c | 5 ++-- + src/sysext/sysext.c | 10 +++---- + .../system-update-generator.c | 26 +++++++++++-------- + 10 files changed, 52 insertions(+), 46 deletions(-) + +diff --git a/src/basic/os-util.c b/src/basic/os-util.c +index 3cd6134f72..aaae994060 100644 +--- a/src/basic/os-util.c ++++ b/src/basic/os-util.c +@@ -102,8 +102,9 @@ int path_is_extension_tree(ImageClass image_class, const char *path, const char + /* Does the path exist at all? If not, generate an error immediately. This is useful so that a missing root dir + * always results in -ENOENT, and we can properly distinguish the case where the whole root doesn't exist from + * the case where just the os-release file is missing. 
*/ +- if (laccess(path, F_OK) < 0) +- return -errno; ++ r = laccess(path, F_OK); ++ if (r < 0) ++ return r; + + /* We use /usr/lib/extension-release.d/extension-release[.NAME] as flag for something being a system extension, + * /etc/extension-release.d/extension-release[.NAME] as flag for something being a system configuration, and finally, +diff --git a/src/basic/path-lookup.c b/src/basic/path-lookup.c +index 4e3d59fc56..d76705bd4b 100644 +--- a/src/basic/path-lookup.c ++++ b/src/basic/path-lookup.c +@@ -884,6 +884,7 @@ char **env_generator_binary_paths(RuntimeScope runtime_scope) { + + int find_portable_profile(const char *name, const char *unit, char **ret_path) { + const char *dot; ++ int r; + + assert(name); + assert(ret_path); +@@ -897,13 +898,13 @@ int find_portable_profile(const char *name, const char *unit, char **ret_path) { + if (!joined) + return -ENOMEM; + +- if (laccess(joined, F_OK) >= 0) { ++ r = laccess(joined, F_OK); ++ if (r >= 0) { + *ret_path = TAKE_PTR(joined); + return 0; + } +- +- if (errno != ENOENT) +- return -errno; ++ if (r != -ENOENT) ++ return r; + } + + return -ENOENT; +diff --git a/src/coredump/coredump.c b/src/coredump/coredump.c +index f4adb32588..b6ca6f03b0 100644 +--- a/src/coredump/coredump.c ++++ b/src/coredump/coredump.c +@@ -1457,8 +1457,9 @@ static int forward_coredump_to_container(Context *context) { + + pair[0] = safe_close(pair[0]); + +- if (laccess("/run/systemd/coredump", W_OK) < 0) { +- log_debug_errno(errno, "Cannot find coredump socket, exiting: %m"); ++ r = laccess("/run/systemd/coredump", W_OK); ++ if (r < 0) { ++ log_debug_errno(r, "Cannot find coredump socket, exiting: %m"); + _exit(EXIT_FAILURE); + } + +diff --git a/src/home/homework-luks.c b/src/home/homework-luks.c +index 5bd78a03ed..30a4df78db 100644 +--- a/src/home/homework-luks.c ++++ b/src/home/homework-luks.c +@@ -1983,11 +1983,11 @@ static int wait_for_devlink(const char *path) { + _cleanup_free_ char *dn = NULL; + usec_t w; + +- if (laccess(path, F_OK) 
< 0) { +- if (errno != ENOENT) +- return log_error_errno(errno, "Failed to determine whether %s exists: %m", path); +- } else ++ r = laccess(path, F_OK); ++ if (r >= 0) + return 0; /* Found it */ ++ if (r != -ENOENT) ++ return log_error_errno(r, "Failed to determine whether %s exists: %m", path); + + if (inotify_fd < 0) { + /* We need to wait for the device symlink to show up, let's create an inotify watch for it */ +diff --git a/src/kernel-install/kernel-install.c b/src/kernel-install/kernel-install.c +index 07e5c31116..eef9ef78ba 100644 +--- a/src/kernel-install/kernel-install.c ++++ b/src/kernel-install/kernel-install.c +@@ -1162,12 +1162,10 @@ static int kernel_from_version(const char *version, char **ret_kernel) { + return log_oom(); + + r = laccess(vmlinuz, F_OK); +- if (r < 0) { +- if (r == -ENOENT) +- return log_error_errno(r, "Kernel image not installed to '%s', requiring manual kernel image path specification.", vmlinuz); +- ++ if (r == -ENOENT) ++ return log_error_errno(r, "Kernel image not installed to '%s', requiring manual kernel image path specification.", vmlinuz); ++ if (r < 0) + return log_error_errno(r, "Failed to determine if kernel image is installed to '%s': %m", vmlinuz); +- } + + *ret_kernel = TAKE_PTR(vmlinuz); + return 0; +diff --git a/src/libsystemd/sd-daemon/sd-daemon.c b/src/libsystemd/sd-daemon/sd-daemon.c +index 6a60cde4bb..d1a650fd43 100644 +--- a/src/libsystemd/sd-daemon/sd-daemon.c ++++ b/src/libsystemd/sd-daemon/sd-daemon.c +@@ -715,17 +715,18 @@ _public_ int sd_pid_notifyf_with_fds( + } + + _public_ int sd_booted(void) { +- /* We test whether the runtime unit file directory has been +- * created. This takes place in mount-setup.c, so is +- * guaranteed to happen very early during boot. */ ++ int r; + +- if (laccess("/run/systemd/system/", F_OK) >= 0) +- return true; ++ /* We test whether the runtime unit file directory has been created. This takes place in mount-setup.c, ++ * so is guaranteed to happen very early during boot. 
*/ + +- if (errno == ENOENT) ++ r = laccess("/run/systemd/system/", F_OK); ++ if (r >= 0) ++ return true; ++ if (r == -ENOENT) + return false; + +- return -errno; ++ return r; + } + + _public_ int sd_watchdog_enabled(int unset_environment, uint64_t *usec) { +diff --git a/src/shared/condition.c b/src/shared/condition.c +index 3b7436c1d7..20fa1ae9ac 100644 +--- a/src/shared/condition.c ++++ b/src/shared/condition.c +@@ -169,10 +169,11 @@ static int condition_test_credential(Condition *c, char **env) { + if (!j) + return -ENOMEM; + +- if (laccess(j, F_OK) >= 0) ++ r = laccess(j, F_OK); ++ if (r >= 0) + return true; /* yay! */ +- if (errno != ENOENT) +- return -errno; ++ if (r != -ENOENT) ++ return r; + + /* not found in this dir */ + } +diff --git a/src/shared/mount-util.c b/src/shared/mount-util.c +index 4f2acce513..1c7b727a5e 100644 +--- a/src/shared/mount-util.c ++++ b/src/shared/mount-util.c +@@ -425,8 +425,9 @@ int bind_remount_one_with_mountinfo( + + fs = mnt_table_find_target(table, path, MNT_ITER_FORWARD); + if (!fs) { +- if (laccess(path, F_OK) < 0) /* Hmm, it's not in the mount table, but does it exist at all? */ +- return -errno; ++ r = laccess(path, F_OK); /* Hmm, it's not in the mount table, but does it exist at all? */ ++ if (r < 0) ++ return r; + + return -EINVAL; /* Not a mount point we recognize */ + } +diff --git a/src/sysext/sysext.c b/src/sysext/sysext.c +index 8dc515e4d5..784b79dc33 100644 +--- a/src/sysext/sysext.c ++++ b/src/sysext/sysext.c +@@ -938,13 +938,11 @@ static int merge_subprocess( + if (!p) + return log_oom(); + +- if (laccess(p, F_OK) < 0) { +- if (errno != ENOENT) +- return log_error_errno(errno, "Failed to check if '%s' exists: %m", p); +- +- /* Hierarchy apparently was empty in all extensions, and wasn't mounted, ignoring. */ ++ r = laccess(p, F_OK); ++ if (r == -ENOENT) /* Hierarchy apparently was empty in all extensions, and wasn't mounted, ignoring. 
*/ + continue; +- } ++ if (r < 0) ++ return log_error_errno(r, "Failed to check if '%s' exists: %m", p); + + r = chase(*h, arg_root, CHASE_PREFIX_ROOT|CHASE_NONEXISTENT, &resolved, NULL); + if (r < 0) +diff --git a/src/system-update-generator/system-update-generator.c b/src/system-update-generator/system-update-generator.c +index a1782d5c05..d884530674 100644 +--- a/src/system-update-generator/system-update-generator.c ++++ b/src/system-update-generator/system-update-generator.c +@@ -20,22 +20,26 @@ + static const char *arg_dest = NULL; + + static int generate_symlink(void) { ++ int r; ++ + FOREACH_STRING(p, "/system-update", "/etc/system-update") { +- if (laccess(p, F_OK) >= 0) { +- _cleanup_free_ char *j = NULL; ++ r = laccess(p, F_OK); ++ if (r < 0) { ++ if (r != -ENOENT) ++ log_warning_errno(r, "Failed to check if %s symlink exists, ignoring: %m", p); ++ continue; ++ } + +- j = path_join(arg_dest, SPECIAL_DEFAULT_TARGET); +- if (!j) +- return log_oom(); ++ _cleanup_free_ char *j = NULL; + +- if (symlink(SYSTEM_DATA_UNIT_DIR "/system-update.target", j) < 0) +- return log_error_errno(errno, "Failed to create symlink %s: %m", j); ++ j = path_join(arg_dest, SPECIAL_DEFAULT_TARGET); ++ if (!j) ++ return log_oom(); + +- return 1; +- } ++ if (symlink(SYSTEM_DATA_UNIT_DIR "/system-update.target", j) < 0) ++ return log_error_errno(errno, "Failed to create symlink %s: %m", j); + +- if (errno != ENOENT) +- log_warning_errno(errno, "Failed to check if %s symlink exists, ignoring: %m", p); ++ return 1; + } + + return 0; +-- +2.33.0 + diff --git a/backport-various-don-t-log-synthetic-EIO-for-fwrite.patch b/backport-various-don-t-log-synthetic-EIO-for-fwrite.patch new file mode 100644 index 0000000..a699814 --- /dev/null +++ b/backport-various-don-t-log-synthetic-EIO-for-fwrite.patch 
@@ -0,0 +1,28 @@
+From d2c4086c2ddd17881a8ebb067ee2a37884ff84ec Mon Sep 17 00:00:00 2001
+From: Mike Yuan
+Date: Fri, 8 Dec 2023 00:49:17 +0800
+Subject: [PATCH 0022/1160] various: don't log synthetic EIO for fwrite
+
+Follow-up for f9568765d4d3d57de1ec01d85f0a0682920f4d10
+
+(cherry picked from commit 513412a69cdd44dc95f83de26bbca2a184121926)
+---
+ src/creds/creds.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/creds/creds.c b/src/creds/creds.c
+index 7a98a5dcd3..10d117118f 100644
+--- a/src/creds/creds.c
++++ b/src/creds/creds.c
+@@ -350,7 +350,7 @@ static int write_blob(FILE *f, const void *data, size_t size) {
+ }
+
+ if (fwrite(data, 1, size, f) != size)
+- return log_error_errno(SYNTHETIC_ERRNO(EIO), "Failed to write credential data: %m");
++ return log_error_errno(SYNTHETIC_ERRNO(EIO), "Failed to write credential data.");
+
+ r = print_newline(f, data, size);
+ if (r < 0)
+--
+2.33.0
+
diff --git a/backport-variuos-fwrite-does-not-set-errno.patch b/backport-variuos-fwrite-does-not-set-errno.patch
new file mode 100644
index 0000000..e9b0aeb
--- /dev/null
+++ b/backport-variuos-fwrite-does-not-set-errno.patch
@@ -0,0 +1,113 @@ +From d198248abbeadc80bb758280a0f22de52b215ae8 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Tue, 5 Dec 2023 19:02:14 +0100 +Subject: [PATCH 0011/1160] variuos: fwrite() does not set errno + +The man page doesn't even mention errno. It just says that ferror() should +be used to check for errors. Those writes are unlikely to fail, but if they +do, errno might even be 0. Also, we have fflush_and_check() which does +additional paranoia around errno, because we apparently do not trust that +errno will always be set correctly. + +(cherry picked from commit f9568765d4d3d57de1ec01d85f0a0682920f4d10) +--- + src/analyze/analyze-srk.c | 10 +++++++--- + src/creds/creds.c | 7 ++++--- + src/libsystemd/sd-journal/journal-verify.c | 2 +- + src/tpm2-setup/tpm2-setup.c | 6 ++++-- + 4 files changed, 16 insertions(+), 9 deletions(-) + +diff --git a/src/analyze/analyze-srk.c b/src/analyze/analyze-srk.c +index 3138246225..0e24b416bb 100644 +--- a/src/analyze/analyze-srk.c ++++ b/src/analyze/analyze-srk.c +@@ -2,6 +2,7 @@ + + #include "analyze.h" + #include "analyze-srk.h" ++#include "fileio.h" + #include "tpm2-util.h" + + int verb_srk(int argc, char *argv[], void *userdata) { +@@ -33,12 +34,15 @@ int verb_srk(int argc, char *argv[], void *userdata) { + return log_error_errno(r, "Failed to marshal SRK: %m"); + + if (isatty(STDOUT_FILENO)) +- return log_error_errno(SYNTHETIC_ERRNO(EIO), "Refusing to write binary data to TTY, please redirect output to file."); ++ return log_error_errno(SYNTHETIC_ERRNO(EIO), ++ "Refusing to write binary data to TTY, please redirect output to file."); + + if (fwrite(marshalled, 1, marshalled_size, stdout) != marshalled_size) +- return log_error_errno(errno, "Failed to write SRK to stdout: %m"); ++ return log_error_errno(SYNTHETIC_ERRNO(EIO), "Failed to write SRK to stdout: %m"); + +- fflush(stdout); ++ r = fflush_and_check(stdout); ++ if (r < 0) ++ return log_error_errno(r, "Failed to write SRK to 
stdout: %m"); + + return EXIT_SUCCESS; + #else +diff --git a/src/creds/creds.c b/src/creds/creds.c +index 101e5abf9b..7a98a5dcd3 100644 +--- a/src/creds/creds.c ++++ b/src/creds/creds.c +@@ -350,14 +350,15 @@ static int write_blob(FILE *f, const void *data, size_t size) { + } + + if (fwrite(data, 1, size, f) != size) +- return log_error_errno(errno, "Failed to write credential data: %m"); ++ return log_error_errno(SYNTHETIC_ERRNO(EIO), "Failed to write credential data: %m"); + + r = print_newline(f, data, size); + if (r < 0) + return r; + +- if (fflush(f) != 0) +- return log_error_errno(errno, "Failed to flush output: %m"); ++ r = fflush_and_check(f); ++ if (r < 0) ++ return log_error_errno(r, "Failed to flush output: %m"); + + return 0; + } +diff --git a/src/libsystemd/sd-journal/journal-verify.c b/src/libsystemd/sd-journal/journal-verify.c +index 8fc53beb42..bdaa01d66f 100644 +--- a/src/libsystemd/sd-journal/journal-verify.c ++++ b/src/libsystemd/sd-journal/journal-verify.c +@@ -384,7 +384,7 @@ static int journal_file_object_verify(JournalFile *f, uint64_t offset, Object *o + + static int write_uint64(FILE *fp, uint64_t p) { + if (fwrite(&p, sizeof(p), 1, fp) != 1) +- return -errno; ++ return -EIO; + + return 0; + } +diff --git a/src/tpm2-setup/tpm2-setup.c b/src/tpm2-setup/tpm2-setup.c +index be34d166d7..0be7ffc6a5 100644 +--- a/src/tpm2-setup/tpm2-setup.c ++++ b/src/tpm2-setup/tpm2-setup.c +@@ -284,7 +284,8 @@ static int run(int argc, char *argv[]) { + if (runtime_key.pkey) { + if (memcmp_nn(tpm2_key.fingerprint, tpm2_key.fingerprint_size, + runtime_key.fingerprint, runtime_key.fingerprint_size) != 0) +- return log_error_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE), "Saved runtime SRK differs from TPM SRK, refusing."); ++ return log_error_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE), ++ "Saved runtime SRK differs from TPM SRK, refusing."); + + if (arg_early) { + log_info("SRK saved in '%s' matches SRK in TPM2.", runtime_key.path); +@@ -351,7 +352,8 @@ static int run(int 
argc, char *argv[]) { + return log_error_errno(r, "Failed to marshal TPM2_PUBLIC key."); + + if (fwrite(marshalled, 1, marshalled_size, f) != marshalled_size) +- return log_error_errno(errno, "Failed to write SRK public key file '%s'.", tpm2b_public_path); ++ return log_error_errno(SYNTHETIC_ERRNO(EIO), ++ "Failed to write SRK public key file '%s'.", tpm2b_public_path); + + if (fchmod(fileno(f), 0444) < 0) + return log_error_errno(errno, "Failed to adjust access mode of SRK public key file '%s' to 0444: %m", tpm2b_public_path); +-- +2.33.0 + diff --git a/backport-varlink-improve-compat-with-varlink-C-reference-impl.patch b/backport-varlink-improve-compat-with-varlink-C-reference-impl.patch new file mode 100644 index 0000000..6830a07 --- /dev/null +++ b/backport-varlink-improve-compat-with-varlink-C-reference-impl.patch 
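Review bot: In the analyze-srk.c hunk, `return log_error_errno(SYNTHETIC_ERRNO(EIO), "Failed to write SRK to stdout: %m");` keeps `%m` even though the errno is now synthetic, so the appended strerror text is always a fixed "Input/output error" that says nothing about the real failure; the sibling patch in this series that drops `%m` for this pattern (backport-various-don-t-log-synthetic-EIO-for-fwrite.patch) only touches creds.c. The same line should become `"Failed to write SRK to stdout."`. In the tpm2-setup.c hunk the SRK public key is written with `fwrite()` and then `fchmod()`ed, but no `fflush_and_check()` is visible between the two; whether the stream is flushed and checked later in `run()` is outside the hunk and worth confirming, since an unflushed write failure there would leave a truncated key file with its final mode already set.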
@@ -0,0 +1,68 @@ +From 2dab8bce02123dc37f4befee16d28da390c3ddd3 Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Fri, 1 Dec 2023 17:59:49 +0100 +Subject: [PATCH 0067/1160] varlink: improve compat with varlink C reference + implementation + +The reference implementation seems to set the 'parameters' field for +method calls to 'null' if nothing is specified on its command line. We +so far only could deal if the parameters field was unset or set to the +empty object. Let's also accept the 'null' type. + +(cherry picked from commit f2ad89248b2177119b75bf82be69716166243996) +--- + src/shared/varlink.c | 19 ++++++++++++++++--- + 1 file changed, 16 insertions(+), 3 deletions(-) + +diff --git a/src/shared/varlink.c b/src/shared/varlink.c +index 2ba942f30e..749b644a56 100644 +--- a/src/shared/varlink.c ++++ b/src/shared/varlink.c +@@ -1038,12 +1038,25 @@ static int varlink_dispatch_disconnect(Varlink *v) { + } + + static int varlink_sanitize_parameters(JsonVariant **v) { ++ int r; ++ + assert(v); + + /* Varlink always wants a parameters list, hence make one if the caller doesn't want any */ + if (!*v) + return json_variant_new_object(v, NULL, 0); +- else if (!json_variant_is_object(*v)) ++ if (json_variant_is_null(*v)) { ++ JsonVariant *empty; ++ ++ r = json_variant_new_object(&empty, NULL, 0); ++ if (r < 0) ++ return r; ++ ++ json_variant_unref(*v); ++ *v = empty; ++ return 0; ++ } ++ if (!json_variant_is_object(*v)) + return -EINVAL; + + return 0; +@@ -1083,7 +1096,7 @@ static int varlink_dispatch_reply(Varlink *v) { + } else if (streq(k, "parameters")) { + if (parameters) + goto invalid; +- if (!json_variant_is_object(e)) ++ if (!json_variant_is_object(e) && !json_variant_is_null(e)) + goto invalid; + + parameters = json_variant_ref(e); +@@ -1256,7 +1269,7 @@ static int varlink_dispatch_method(Varlink *v) { + } else if (streq(k, "parameters")) { + if (parameters) + goto invalid; +- if (!json_variant_is_object(e)) ++ if (!json_variant_is_object(e) && 
!json_variant_is_null(e)) + goto invalid; + + parameters = json_variant_ref(e); +-- +2.33.0 + diff --git a/backport-varlink-make-errors-returned-by-verify_unix_socket-s.patch b/backport-varlink-make-errors-returned-by-verify_unix_socket-s.patch new file mode 100644 index 0000000..3a96e83 --- /dev/null +++ b/backport-varlink-make-errors-returned-by-verify_unix_socket-s.patch 
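Review bot: varlink_dispatch_reply() and varlink_dispatch_method() now let a peer-supplied `"parameters": null` past the `goto invalid` check, but the hunks only show `parameters = json_variant_ref(e);` afterwards; the null-to-`{}` rewrite added to varlink_sanitize_parameters() is only visible here, and whether it (or an equivalent normalization) runs before the reply/method callbacks receive `parameters` is outside the hunk. If a callback or a `json_dispatch()` on the handler side assumes an object, the new acceptance turns a previously rejected message into a non-object variant reaching that code. Once the normalization point is confirmed, a one-line comment at each accept site, e.g. `/* null is accepted for compat with the C reference implementation and normalized to {} before dispatch */`, would document the invariant the callbacks may rely on. Both dispatch functions begin and end outside the hunk.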
@@ -0,0 +1,49 @@
+From 118a48bdec59db8048ac5f0fcbce3e3ccb2038e4 Mon Sep 17 00:00:00 2001
+From: Lennart Poettering
+Date: Thu, 25 Apr 2024 17:23:24 +0200
+Subject: [PATCH 0570/1160] varlink: make errors returned by
+ verify_unix_socket() systematic
+
+Previously, if we encountered a non-socket fd we'd return ENOTSOCK the
+first time, but the subsequent times we'd return ENOMEDIUM, due to
+caching. Let's make sure we return the same errors all the the time.
+
+(cherry picked from commit b24c384b5dab5f568a263311f89881dc5c799a3b)
+---
+ src/shared/varlink.c | 13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/src/shared/varlink.c b/src/shared/varlink.c
+index 749b644a56..782458dfb9 100644
+--- a/src/shared/varlink.c
++++ b/src/shared/varlink.c
+@@ -2855,6 +2855,16 @@ int varlink_take_fd(Varlink *v, size_t i) {
+ static int verify_unix_socket(Varlink *v) {
+ assert(v);
+
++ /* Returns:
++ * • 0 if this is an AF_UNIX socket
++ * • -ENOTSOCK if this is not a socket at all
++ * • -ENOMEDIUM if this is a socket, but not an AF_UNIX socket
++ *
++ * Reminder:
++ * • v->af is < 0 if we haven't checked what kind of address family the thing is yet.
++ * • v->af == AF_UNSPEC if we checked but it's not a socket
++ * • otherwise: v->af contains the address family we determined */
++
+ if (v->af < 0) {
+ struct stat st;
+
+@@ -2870,7 +2880,8 @@ static int verify_unix_socket(Varlink *v) {
+ return v->af;
+ }
+
+- return v->af == AF_UNIX ? 0 : -ENOMEDIUM;
++ return v->af == AF_UNIX ? 0 :
++ v->af == AF_UNSPEC ? -ENOTSOCK : -ENOMEDIUM;
+ }
+
+ int varlink_set_allow_fd_passing_input(Varlink *v, bool b) {
+--
+2.33.0
+
diff --git a/backport-virt-add-Google-Compute-Engine-support.patch b/backport-virt-add-Google-Compute-Engine-support.patch
new file mode 100644
index 0000000..3179484
--- /dev/null
+++ b/backport-virt-add-Google-Compute-Engine-support.patch
@@ -0,0 +1,96 @@ +From 6610d64197d416dcb112005032886eb3cf4f36cd Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Tue, 9 Jan 2024 10:52:49 +0900 +Subject: [PATCH 0138/1160] virt: add Google Compute Engine support + +See https://cloud.google.com/run/docs/container-contract#sandbox + +(cherry picked from commit 9b0688f491674b53ef7a52bdf561a430c53673d6) +--- + man/systemd-detect-virt.xml | 5 +++++ + src/basic/virt.c | 32 +++++++++++++++++--------------- + src/basic/virt.h | 1 + + 3 files changed, 23 insertions(+), 15 deletions(-) + +diff --git a/man/systemd-detect-virt.xml b/man/systemd-detect-virt.xml +index 30b42e7feb..e1caa4fc26 100644 +--- a/man/systemd-detect-virt.xml ++++ b/man/systemd-detect-virt.xml +@@ -147,6 +147,11 @@ + LMHS SRE hypervisor + + ++ ++ google ++ Google Compute Engine ++ ++ + + Container + openvz +diff --git a/src/basic/virt.c b/src/basic/virt.c +index b84dc28f5f..426f1ac982 100644 +--- a/src/basic/virt.c ++++ b/src/basic/virt.c +@@ -168,22 +168,23 @@ static Virtualization detect_vm_dmi_vendor(void) { + const char *vendor; + Virtualization id; + } dmi_vendor_table[] = { +- { "KVM", VIRTUALIZATION_KVM }, +- { "OpenStack", VIRTUALIZATION_KVM }, /* Detect OpenStack instance as KVM in non x86 architecture */ +- { "KubeVirt", VIRTUALIZATION_KVM }, /* Detect KubeVirt instance as KVM in non x86 architecture */ +- { "Amazon EC2", VIRTUALIZATION_AMAZON }, +- { "QEMU", VIRTUALIZATION_QEMU }, +- { "VMware", VIRTUALIZATION_VMWARE }, /* https://kb.vmware.com/s/article/1009458 */ +- { "VMW", VIRTUALIZATION_VMWARE }, +- { "innotek GmbH", VIRTUALIZATION_ORACLE }, +- { "VirtualBox", VIRTUALIZATION_ORACLE }, +- { "Xen", VIRTUALIZATION_XEN }, +- { "Bochs", VIRTUALIZATION_BOCHS }, +- { "Parallels", VIRTUALIZATION_PARALLELS }, ++ { "KVM", VIRTUALIZATION_KVM }, ++ { "OpenStack", VIRTUALIZATION_KVM }, /* Detect OpenStack instance as KVM in non x86 architecture */ ++ { "KubeVirt", VIRTUALIZATION_KVM }, /* Detect KubeVirt instance as KVM in non x86 architecture */ ++ 
{ "Amazon EC2", VIRTUALIZATION_AMAZON }, ++ { "QEMU", VIRTUALIZATION_QEMU }, ++ { "VMware", VIRTUALIZATION_VMWARE }, /* https://kb.vmware.com/s/article/1009458 */ ++ { "VMW", VIRTUALIZATION_VMWARE }, ++ { "innotek GmbH", VIRTUALIZATION_ORACLE }, ++ { "VirtualBox", VIRTUALIZATION_ORACLE }, ++ { "Xen", VIRTUALIZATION_XEN }, ++ { "Bochs", VIRTUALIZATION_BOCHS }, ++ { "Parallels", VIRTUALIZATION_PARALLELS }, + /* https://wiki.freebsd.org/bhyve */ +- { "BHYVE", VIRTUALIZATION_BHYVE }, +- { "Hyper-V", VIRTUALIZATION_MICROSOFT }, +- { "Apple Virtualization", VIRTUALIZATION_APPLE }, ++ { "BHYVE", VIRTUALIZATION_BHYVE }, ++ { "Hyper-V", VIRTUALIZATION_MICROSOFT }, ++ { "Apple Virtualization", VIRTUALIZATION_APPLE }, ++ { "Google Compute Engine", VIRTUALIZATION_GOOGLE }, /* https://cloud.google.com/run/docs/container-contract#sandbox */ + }; + int r; + +@@ -1049,6 +1050,7 @@ static const char *const virtualization_table[_VIRTUALIZATION_MAX] = { + [VIRTUALIZATION_POWERVM] = "powervm", + [VIRTUALIZATION_APPLE] = "apple", + [VIRTUALIZATION_SRE] = "sre", ++ [VIRTUALIZATION_GOOGLE] = "google", + [VIRTUALIZATION_VM_OTHER] = "vm-other", + + [VIRTUALIZATION_SYSTEMD_NSPAWN] = "systemd-nspawn", +diff --git a/src/basic/virt.h b/src/basic/virt.h +index d49f3237e8..dea39e4e76 100644 +--- a/src/basic/virt.h ++++ b/src/basic/virt.h +@@ -27,6 +27,7 @@ typedef enum Virtualization { + VIRTUALIZATION_POWERVM, + VIRTUALIZATION_APPLE, + VIRTUALIZATION_SRE, ++ VIRTUALIZATION_GOOGLE, + VIRTUALIZATION_VM_OTHER, + VIRTUALIZATION_VM_LAST = VIRTUALIZATION_VM_OTHER, + +-- +2.33.0 + diff --git a/backport-virt-fix-detection-of-avx2-and-friends.patch b/backport-virt-fix-detection-of-avx2-and-friends.patch new file mode 100644 index 0000000..71778a8 --- /dev/null +++ b/backport-virt-fix-detection-of-avx2-and-friends.patch 
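Review bot: The comment on the new dmi_vendor_table row cites https://cloud.google.com/run/docs/container-contract#sandbox, which describes the Cloud Run sandbox, while the row and the man page entry are for Google Compute Engine; the comment should point at whatever actually establishes the "Google Compute Engine" DMI vendor string, or say it was observed empirically, otherwise the next maintainer cannot verify the match. Separately, re-aligning the twelve pre-existing rows turns a one-line addition into a thirty-line hunk and buries the functional change; keeping the old alignment, or doing the realignment in its own commit, would make this backport much easier to audit. How the vendor string is compared (exact match vs. prefix) is outside the hunk.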
@@ -0,0 +1,40 @@
+From 5b819f68415f7613e558632232fff2a668abc881 Mon Sep 17 00:00:00 2001
+From: Yu Watanabe
+Date: Mon, 8 Jan 2024 19:59:32 +0900
+Subject: [PATCH 0131/1160] virt: fix detection of avx2 and friends
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+To get the CPUID with EAX=7, we need explicitly set 0 to ECX.
+
+From Intel® Architecture Instruction Set Extensions Programming
+Reference and Related Specifications,
+===
+Leaf 07H output depends on the initial value in ECX.
+If ECX contains an invalid sub leaf index, EAX/EBX/ECX/EDX return 0
+===
+
+Fixes #30822.
+
+(cherry picked from commit e701439998a5697317f7692aa5f169bd7315b733)
+---
+ src/basic/virt.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/basic/virt.c b/src/basic/virt.c
+index a0b6fbcd65..b84dc28f5f 100644
+--- a/src/basic/virt.c
++++ b/src/basic/virt.c
+@@ -1000,7 +1000,7 @@ static bool real_has_cpu_with_flag(const char *flag) {
+ return true;
+ }
+
+- if (__get_cpuid(7, &eax, &ebx, &ecx, &edx)) {
++ if (__get_cpuid_count(7, 0, &eax, &ebx, &ecx, &edx)) {
+ if (given_flag_in_set(flag, leaf7_ebx, ELEMENTSOF(leaf7_ebx), ebx))
+ return true;
+ }
+--
+2.33.0
+
diff --git a/backport-virt-support-detection-of-Apple-Virtualization-guest.patch b/backport-virt-support-detection-of-Apple-Virtualization-guest.patch
new file mode 100644
index 0000000..25ff6a2
--- /dev/null
+++ b/backport-virt-support-detection-of-Apple-Virtualization-guest.patch
@@ -0,0 +1,30 @@
+From 1847facf75a47b3771994c0ca7a7846b802c2430 Mon Sep 17 00:00:00 2001
+From: Black-Hole1
+Date: Fri, 19 Jan 2024 11:38:49 +0800
+Subject: [PATCH 0167/1160] virt: support detection of Apple Virtualization
+ guests with cpuid
+
+This is a supplement to #24419. On macOS Intel machines, detection needs to be done through cpuid.
+In macOS, `dmi_vendors` detection is only applicable to M series.
+
+Signed-off-by: Black-Hole1
+(cherry picked from commit 5a02a9adb2c8f45420aa1c0383d298a248811b01)
+---
+ src/basic/virt.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/basic/virt.c b/src/basic/virt.c
+index 426f1ac982..e6c95fdae7 100644
+--- a/src/basic/virt.c
++++ b/src/basic/virt.c
+@@ -53,6 +53,7 @@ static Virtualization detect_vm_cpuid(void) {
+ { "ACRNACRNACRN", VIRTUALIZATION_ACRN },
+ /* https://www.lockheedmartin.com/en-us/products/Hardened-Security-for-Intel-Processors.html */
+ { "SRESRESRESRE", VIRTUALIZATION_SRE },
++ { "Apple VZ", VIRTUALIZATION_APPLE },
+ };
+
+ uint32_t eax, ebx, ecx, edx;
+--
+2.33.0
+
diff --git a/backport-vmm-make-sure-we-can-handle-smbios-objects-without-v.patch b/backport-vmm-make-sure-we-can-handle-smbios-objects-without-v.patch
new file mode 100644
index 0000000..e6aa00a
--- /dev/null
+++ b/backport-vmm-make-sure-we-can-handle-smbios-objects-without-v.patch
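Review bot: "Apple VZ" is eight bytes while every other signature in this table is the full twelve-byte CPUID vendor string, so whether the row ever matches depends on the comparison done further down in detect_vm_cpuid(): a fixed-width compare against the raw leaf output needs the remaining four bytes to be NUL on Apple hardware, a string compare needs the buffer to be NUL-terminated. That comparison is outside the hunk, and nothing in the commit message states the expected byte layout. A comment on the new row recording the assumption, e.g. `/* 8 bytes; Apple VZ pads the remaining 4 signature bytes with NUL */`, plus a unit-test vector for the short signature, would keep a later change to the matching code from silently breaking this entry.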
@@ -0,0 +1,56 @@ +From 4c5c7c6318f014b50052c04bfb6403df92fabecb Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Thu, 4 Jul 2024 14:34:35 +0200 +Subject: [PATCH 0753/1160] vmm: make sure we can handle smbios objects without + variable part + +An smbios object with no variable part is a special case, it's just +suffixed with two NUL btes. handle that properly. + +This is inspired by a similar fix from https://github.com/systemd/systemd/pull/29726 + +(cherry picked from commit 44ec70489f377d1fa9f4e19aed95a7e39da7d93d) +(cherry picked from commit 9a2f16e4edc490a289e3b22ab9f30e3e5bc73850) +--- + src/boot/efi/vmm.c | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +diff --git a/src/boot/efi/vmm.c b/src/boot/efi/vmm.c +index 60e216d54c..bfc7acc052 100644 +--- a/src/boot/efi/vmm.c ++++ b/src/boot/efi/vmm.c +@@ -241,13 +241,21 @@ static const SmbiosHeader *get_smbios_table(uint8_t type, uint64_t *ret_size_lef + size -= header->length; + p += header->length; + +- /* Skip over string table. */ ++ /* Special case: if there are no strings appended, we'll see two NUL bytes, skip over them */ ++ if (size >= 2 && p[0] == 0 && p[1] == 0) { ++ size -= 2; ++ p += 2; ++ continue; ++ } ++ ++ /* Skip over a populated string table. */ ++ bool first = true; + for (;;) { + const uint8_t *e = memchr(p, 0, size); + if (!e) + return NULL; + +- if (e == p) {/* Double NUL byte means we've reached the end of the string table. */ ++ if (!first && e == p) {/* Double NUL byte means we've reached the end of the string table. */ + p++; + size--; + break; +@@ -255,6 +263,7 @@ static const SmbiosHeader *get_smbios_table(uint8_t type, uint64_t *ret_size_lef + + size -= e + 1 - p; + p = e + 1; ++ first = false; + } + } + +-- +2.33.0 + diff --git a/backport-vmspawn-make-sure-are-fine-with-ovmf-metadata-extens.patch b/backport-vmspawn-make-sure-are-fine-with-ovmf-metadata-extens.patch new file mode 100644 index 0000000..1e8d309 --- /dev/null 
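Review bot: The new two-NUL fast path (`size >= 2 && p[0] == 0 && p[1] == 0`) and the `first`-guarded loop both rely on `size` still being a valid remaining length after the preceding `size -= header->length; p += header->length;`, i.e. on `header->length` having been checked against `size` earlier in get_smbios_table(); that check is above the hunk. This routine parses firmware-provided SMBIOS data in the EFI stub, so if that bound is missing an underflowed `size` would make the `size >= 2` guard ineffective and let `memchr()` read beyond the table — worth confirming the check is there. The `first` flag also changes semantics slightly: a string table that starts with an empty string is no longer terminated at that leading NUL, which is intended, but a comment at the loop such as `/* A lone leading NUL is an empty first string; only a NUL pair terminates the table. */` would make that explicit.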
+++ b/backport-vmspawn-make-sure-are-fine-with-ovmf-metadata-extens.patch 
@@ -0,0 +1,59 @@
+From 4e78e189a3bf3898703aa0149230ffb0834b8777 Mon Sep 17 00:00:00 2001
+From: Lennart Poettering
+Date: Fri, 12 Jan 2024 15:37:15 +0100
+Subject: [PATCH 0711/1160] vmspawn: make sure are fine with ovmf metadata
+ extensions
+
+The JSON ovmf data on Fedora at least has more fields than we expect,
+ignore it.
+
+(cherry picked from commit 1f459f3a45452a6a7c48c6ce3bd0d4f4aefee371)
+
+Fixes https://bugzilla.redhat.com/show_bug.cgi?id=2294768.
+---
+ src/vmspawn/vmspawn-util.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/src/vmspawn/vmspawn-util.c b/src/vmspawn/vmspawn-util.c
+index b5b5eafae6..6270b7ffae 100644
+--- a/src/vmspawn/vmspawn-util.c
++++ b/src/vmspawn/vmspawn-util.c
+@@ -100,7 +100,7 @@ static int firmware_executable(const char *name, JsonVariant *v, JsonDispatchFla
+ {}
+ };
+
+- return json_dispatch(v, table, 0, userdata);
++ return json_dispatch(v, table, flags, userdata);
+ }
+
+ static int firmware_nvram_template(const char *name, JsonVariant *v, JsonDispatchFlags flags, void *userdata) {
+@@ -110,7 +110,7 @@ static int firmware_nvram_template(const char *name, JsonVariant *v, JsonDispatc
+ {}
+ };
+
+- return json_dispatch(v, table, 0, userdata);
++ return json_dispatch(v, table, flags, userdata);
+ }
+
+ static int firmware_mapping(const char *name, JsonVariant *v, JsonDispatchFlags flags, void *userdata) {
+@@ -121,7 +121,7 @@ static int firmware_mapping(const char *name, JsonVariant *v, JsonDispatchFlags
+ {}
+ };
+
+- return json_dispatch(v, table, 0, userdata);
++ return json_dispatch(v, table, flags, userdata);
+ }
+
+ int find_ovmf_config(int search_sb, OvmfConfig **ret) {
+@@ -183,7 +183,7 @@ int find_ovmf_config(int search_sb, OvmfConfig **ret) {
+ if (!fwd)
+ return -ENOMEM;
+
+- r = json_dispatch(config_json, table, 0, fwd);
++ r = json_dispatch(config_json, table, JSON_ALLOW_EXTENSIONS, fwd);
+ if (r == -ENOMEM)
+ return r;
+ if (r < 0) {
+--
+2.33.0
+
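Review bot: Passing `JSON_ALLOW_EXTENSIONS` at the top-level `json_dispatch()` in find_ovmf_config() and now forwarding `flags` from firmware_executable(), firmware_nvram_template() and firmware_mapping() means unknown keys are tolerated at every nesting level of the firmware descriptor, not just at the top; that is the stated intent, but it also means a misspelled key anywhere in a descriptor is silently dropped instead of reported, so the only remaining signal is whatever the intended field's absence causes downstream (whether the nested tables mark their fields mandatory is outside the hunk). A comment at the top-level call recording the reason and the reach, e.g. `/* Distribution firmware descriptors carry fields we do not model; tolerate them here and, via the forwarded flags, in the nested objects too. */`, would keep a later reader from narrowing the flags back without realizing the nested dispatchers depend on them.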
diff --git a/backport-wait-online-by-default-not-all-interface-need-to-be-.patch b/backport-wait-online-by-default-not-all-interface-need-to-be-.patch
new file mode 100644
index 0000000..188460f
--- /dev/null
+++ b/backport-wait-online-by-default-not-all-interface-need-to-be-.patch
@@ -0,0 +1,36 @@
+From 64126335d715fc6875f4153d8a4373f6698f1433 Mon Sep 17 00:00:00 2001
+From: Yu Watanabe
+Date: Sat, 3 Feb 2024 02:44:08 +0900
+Subject: [PATCH 0239/1160] wait-online: by default not all interface need to
+ be online
+
+Fixes an issue caused by ab3aed4a0349bbaa26f53340770c1b59b463e05d (v253).
+
+By default, all managed interface need to be configured, and at least
+one interface need to be online. Hence, offline interface should be ignored.
+
+Fixes #29506.
+
+(cherry picked from commit 6f412c00cf06c883bf08f0e7d6f7eb7299d198e9)
+---
+ src/network/wait-online/manager.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/network/wait-online/manager.c b/src/network/wait-online/manager.c
+index 9213795f54..40a9fba0a9 100644
+--- a/src/network/wait-online/manager.c
++++ b/src/network/wait-online/manager.c
+@@ -178,7 +178,9 @@ bool manager_configured(Manager *m) {
+ r = manager_link_is_online(m, l,
+ (LinkOperationalStateRange) { _LINK_OPERSTATE_INVALID,
+ _LINK_OPERSTATE_INVALID });
+- if (r < 0 && !m->any) /* Unlike the above loop, unmanaged interfaces are ignored here. */
++ /* Unlike the above loop, unmanaged interfaces are ignored here. Also, Configured but offline
++ * interfaces are ignored. See issue #29506. */
++ if (r < 0 && r != -EADDRNOTAVAIL && !m->any)
+ return false;
+ if (r > 0) {
+ if (m->any)
+--
+2.33.0
+
diff --git a/backport-watchdog-clarify-that-we-set-the-watchdog-timeout.patch b/backport-watchdog-clarify-that-we-set-the-watchdog-timeout.patch
new file mode 100644
index 0000000..e471a4c
--- /dev/null
+++ b/backport-watchdog-clarify-that-we-set-the-watchdog-timeout.patch
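Review bot: The new condition `if (r < 0 && r != -EADDRNOTAVAIL && !m->any)` makes the "configured but offline" case hinge on manager_link_is_online() returning exactly `-EADDRNOTAVAIL` for it, but that function is outside the hunk and the new comment only says offline interfaces are ignored, not which return value encodes that. Naming the contract in the comment, e.g. `/* -EADDRNOTAVAIL: link is configured but not online; do not block on it unless --any was not given */`, would let a reviewer catch a later change to that error mapping, which would otherwise silently turn this back into the v253 regression the commit fixes. The enclosing loop in manager_configured() begins before the hunk.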
@@ -0,0 +1,90 @@ +From 5a36f5eb49fc0e5ef2cfd1223f8c8b87699e57e3 Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Thu, 4 Apr 2024 09:59:00 +0200 +Subject: [PATCH 0487/1160] watchdog: clarify that we set the *watchdog* + timeout + +This makes sure we mention the word "watchdog" in every log message +related to the watchdog. + +Also, this uses the expression "hardware timeout" when referring to the +primary timeout of the watchdog, as opposed to the "pretimeout". + +(Not ideal wording I know, but it's preexisting to some point, I just +continued it. I think it's OK though, in particular to underline the +difference to the software watchdog logic we implement via WATCHDOG= in +sd_notify().) + +Fixes: #31662 +(cherry picked from commit 99a1ef8c9cdcb0fc15265533dae2bbd8f2d7a3a5) +--- + src/shared/watchdog.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +diff --git a/src/shared/watchdog.c b/src/shared/watchdog.c +index 2d79f7147a..99ccefb227 100644 +--- a/src/shared/watchdog.c ++++ b/src/shared/watchdog.c +@@ -95,7 +95,7 @@ static int set_pretimeout_governor(const char *governor) { + governor, + WRITE_STRING_FILE_DISABLE_BUFFER | WRITE_STRING_FILE_VERIFY_ON_FAILURE | WRITE_STRING_FILE_VERIFY_IGNORE_NEWLINE); + if (r < 0) +- return log_error_errno(r, "Failed to set pretimeout_governor to '%s': %m", governor); ++ return log_error_errno(r, "Failed to set watchdog pretimeout_governor to '%s': %m", governor); + + return r; + } +@@ -157,7 +157,7 @@ static int watchdog_read_pretimeout(void) { + + if (ioctl(watchdog_fd, WDIOC_GETPRETIMEOUT, &sec) < 0) { + watchdog_pretimeout = 0; +- return log_full_errno(ERRNO_IS_NOT_SUPPORTED(errno) ? LOG_DEBUG : LOG_WARNING, errno, "Failed to get pretimeout value, ignoring: %m"); ++ return log_full_errno(ERRNO_IS_NOT_SUPPORTED(errno) ? 
LOG_DEBUG : LOG_WARNING, errno, "Failed to get watchdog pretimeout value, ignoring: %m"); + } + + watchdog_pretimeout = sec * USEC_PER_SEC; +@@ -181,7 +181,7 @@ static int watchdog_set_pretimeout(void) { + return 0; + } + +- return log_error_errno(errno, "Failed to set pretimeout to %s: %m", FORMAT_TIMESPAN(sec, USEC_PER_SEC)); ++ return log_error_errno(errno, "Failed to set watchdog pretimeout to %s: %m", FORMAT_TIMESPAN(sec, USEC_PER_SEC)); + } + + /* The set ioctl does not return the actual value set so get it now. */ +@@ -274,10 +274,10 @@ static int update_timeout(void) { + r = watchdog_set_timeout(); + if (r < 0) { + if (!ERRNO_IS_NOT_SUPPORTED(r)) +- return log_error_errno(r, "Failed to set timeout to %s: %m", ++ return log_error_errno(r, "Failed to set watchdog hardware timeout to %s: %m", + FORMAT_TIMESPAN(watchdog_timeout, 0)); + +- log_info("Modifying watchdog timeout is not supported, reusing the programmed timeout."); ++ log_info("Modifying watchdog hardware timeout is not supported, reusing the programmed timeout."); + watchdog_timeout = USEC_INFINITY; + } + } +@@ -286,8 +286,8 @@ static int update_timeout(void) { + r = watchdog_read_timeout(); + if (r < 0) { + if (!ERRNO_IS_NOT_SUPPORTED(r)) +- return log_error_errno(r, "Failed to query watchdog HW timeout: %m"); +- log_info("Reading watchdog timeout is not supported, reusing the configured timeout."); ++ return log_error_errno(r, "Failed to query watchdog hardware timeout: %m"); ++ log_info("Reading watchdog hardware timeout is not supported, reusing the configured timeout."); + watchdog_timeout = previous_timeout; + } + } +@@ -302,7 +302,7 @@ static int update_timeout(void) { + if (r < 0) + return r; + +- log_info("Watchdog running with a timeout of %s.", FORMAT_TIMESPAN(watchdog_timeout, 0)); ++ log_info("Watchdog running with a hardware timeout of %s.", FORMAT_TIMESPAN(watchdog_timeout, 0)); + + return watchdog_ping_now(); + } +-- +2.33.0 + 
diff --git a/backport-watchdog-ensure-configured-timeout-is-used-instead-o.patch b/backport-watchdog-ensure-configured-timeout-is-used-instead-o.patch new file mode 100644 index 0000000..3bb9e1b --- /dev/null +++ b/backport-watchdog-ensure-configured-timeout-is-used-instead-o.patch 
@@ -0,0 +1,60 @@
+From a46f9a7f5307d9ce08ef8ce355526d3032c9a4c9 Mon Sep 17 00:00:00 2001
+From: Holger Assmann
+Date: Tue, 9 Jan 2024 15:05:19 +0100
+Subject: [PATCH 0141/1160] watchdog: ensure configured timeout is used instead
+ of USEC_INFINITY
+
+In some rare cases, a watchdog driver might neither be able to change
+the watchdog timeout value, nor read it from the hardware at runtime.
+
+With an otherwise functional watchdog setup, this constellation worked
+until systemd v249. Since then, systemd ends up ignoring the timeout
+defined by the system.conf and rather uses USEC_INFINITY. Consequently,
+the watchdog is not pinged anymore and eventually resets the system.
+
+We therefore want to ensure that the system keeps running with the
+originally configured timeout.
+
+(cherry picked from commit f681046ededba0cd0b34e96f3f534b0077aa2de8)
+---
+ src/shared/watchdog.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/src/shared/watchdog.c b/src/shared/watchdog.c
+index 4c1a968718..2d79f7147a 100644
+--- a/src/shared/watchdog.c
++++ b/src/shared/watchdog.c
+@@ -261,12 +261,15 @@ static int update_pretimeout(void) {
+
+ static int update_timeout(void) {
+ int r;
++ usec_t previous_timeout;
+
+ assert(watchdog_timeout > 0);
+
+ if (watchdog_fd < 0)
+ return 0;
+
++ previous_timeout = watchdog_timeout;
+
+ if (watchdog_timeout != USEC_INFINITY) {
+ r = watchdog_set_timeout();
+ if (r < 0) {
+@@ -281,8 +284,12 @@ static int update_timeout(void) {
+
+ if (watchdog_timeout == USEC_INFINITY) {
+ r = watchdog_read_timeout();
+- if (r < 0)
+- return log_error_errno(r, "Failed to query watchdog HW timeout: %m");
++ if (r < 0) {
++ if (!ERRNO_IS_NOT_SUPPORTED(r))
++ return log_error_errno(r, "Failed to query watchdog HW timeout: %m");
++ log_info("Reading watchdog timeout is not supported, reusing the configured timeout.");
++ watchdog_timeout = previous_timeout;
++ }
+ }
+
+ /* If the watchdog timeout was changed, the pretimeout could have been
+--
+2.33.0
+
diff --git a/backport-zsh-_journalctl-complete-g-case-sensitive-help-pseud.patch b/backport-zsh-_journalctl-complete-g-case-sensitive-help-pseud.patch
new file mode 100644
index 0000000..676d925
--- /dev/null
+++ b/backport-zsh-_journalctl-complete-g-case-sensitive-help-pseud.patch
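Review bot: The new fallback `watchdog_timeout = previous_timeout;` only helps when the configured value was finite; if the timeout was left at its default (USEC_INFINITY) and the driver can neither set nor report a timeout, watchdog_timeout stays USEC_INFINITY and the function falls through exactly as before, which is the state the commit message describes as "not pinged anymore and eventually resets the system" — an armed watchdog that is never fed. I would make that case an explicit failure instead of a silent fall-through, e.g. right after the fallback: `if (watchdog_timeout == USEC_INFINITY) return log_error_errno(SYNTHETIC_ERRNO(ENOTSUP), "Cannot determine watchdog timeout, refusing to keep device armed.");`, assuming the caller disarms/closes the device on error (open_watchdog is outside this hunk, so please confirm). A one-line comment on the fallback would also help the next reader: `/* Driver can neither set nor report the timeout: keep pinging at the configured interval rather than never. */`. update_timeout()'s body continues past the hunk (pretimeout update, the "Watchdog running" log line and the first ping).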
@@ -0,0 +1,36 @@
+From ffd829531c23b9e352e375a72458aa97352df9bc Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?=C5=A0t=C4=9Bp=C3=A1n=20N=C4=9Bmec?=
+Date: Tue, 27 Feb 2024 14:36:57 +0100
+Subject: [PATCH 0421/1160] zsh/_journalctl: complete -g, --case-sensitive,
+ 'help' (pseudo-)facility
+
+(cherry picked from commit da9e1f83222e618595279b3168473dfaa150ddb8)
+---
+ shell-completion/zsh/_journalctl | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/shell-completion/zsh/_journalctl b/shell-completion/zsh/_journalctl
+index 5dba1e7dfe..136e16a4c6 100644
+--- a/shell-completion/zsh/_journalctl
++++ b/shell-completion/zsh/_journalctl
+@@ -59,7 +59,7 @@ _journalctl_boots() {
+ (( $+functions[_journalctl_facilities] )) ||
+ _journalctl_facilities() {
+ local -a _journalctl_facilities
+- _journalctl_facilities=(kern user mail daemon auth syslog lpr news uucp cron authpriv ftp local0 local1 local2 local3 local4 local5 local6 local7)
++ _journalctl_facilities=(help kern user mail daemon auth syslog lpr news uucp cron authpriv ftp local0 local1 local2 local3 local4 local5 local6 local7)
+ _describe 'possible values' _journalctl_facilities
+ }
+
+@@ -117,6 +117,8 @@ _arguments -s \
+ '--after-cursor=[Start showing entries from after the specified cursor]:cursors:_journalctl_field_values __CURSORS' \
+ '--since=[Start showing entries on or newer than the specified date]:YYYY-MM-DD HH\:MM\:SS' \
+ '--until=[Stop showing entries on or older than the specified date]:YYYY-MM-DD HH\:MM\:SS' \
++ {-g+,--grep=}'[Show entries with MESSAGE field matching PCRE pattern]' \
++ '--case-sensitive=[Force case sensitive or insensitive matching]:boolean:(true false)' \
+ {-F,--field=}'[List all values a certain field takes]:Fields:_journalctl_fields' \
+ '--system[Show system and kernel messages]' \
+ '--user[Show messages from user services]' \
+--
+2.33.0
+
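Review bot: The added `{-g+,--grep=}'[Show entries with MESSAGE field matching PCRE pattern]' \` carries no `:message:action` spec, and as far as I can tell `_arguments` only learns that an option consumes an argument from such a spec — the `+`/`=` suffixes merely say how an argument may be attached. Without it `journalctl -g <TAB>` would keep offering options and positional arguments instead of prompting for the pattern, and `-g foo` may leave `foo` parsed as a positional argument; every neighbouring option that takes a value, including the new `--case-sensitive=` line, does carry one. I'd write it as `{-g+,--grep=}'[Show entries with MESSAGE field matching PCRE pattern]:pattern' \`. The `_arguments -s \` call begins before this hunk and continues after it.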
diff --git a/backport-zsh-_networkctl-remove-duplicated-argument-for-compl.patch b/backport-zsh-_networkctl-remove-duplicated-argument-for-compl.patch
new file mode 100644
index 0000000..d8b796e
--- /dev/null
+++ b/backport-zsh-_networkctl-remove-duplicated-argument-for-compl.patch
@@ -0,0 +1,30 @@
+From 00df4dea6a3c4ba101953c1ffd39a9b16220190d Mon Sep 17 00:00:00 2001
+From: Collin L
+Date: Mon, 22 Jul 2024 17:36:47 +0800
+Subject: [PATCH 0792/1160] zsh/_networkctl: remove duplicated argument for
+ completion (#31926)
+
+It is unnecessary, which will mess the completion.
+
+(cherry picked from commit 733518b41350ce781c7e41a4c866eafb9e549e1f)
+(cherry picked from commit fd2a6ea0a8d4b535e4ac3645772b946906e02c7d)
+---
+ shell-completion/zsh/_networkctl | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/shell-completion/zsh/_networkctl b/shell-completion/zsh/_networkctl
+index c7d1e3a365..18a0e0aa86 100644
+--- a/shell-completion/zsh/_networkctl
++++ b/shell-completion/zsh/_networkctl
+@@ -29,7 +29,7 @@
+ (list|status|up|down|cat|edit|lldp|delete|renew|forcerenew|reconfigure)
+ for link in ${(f)"$(_call_program links networkctl list --no-legend)"}; do _links+=($link[(w)2]:$link); done
+ if [[ -n "$_links" ]]; then
+- _describe -t links 'links' _links _links $( [[ $cmd == (edit|cat) ]] && print -- -P@ )
++ _describe -t links 'links' _links $( [[ $cmd == (edit|cat) ]] && print -- -P@ )
+ else
+ _message "no links"
+ fi
+--
+2.33.0
+
diff --git a/systemd.spec b/systemd.spec
index 6b6b4c2..715de4d 100644
--- a/systemd.spec
+++ b/systemd.spec
@@ -25,7 +25,7 @@ Name: systemd
 Url: https://systemd.io/
 Version: 255
-Release: 46
+Release: 47
 License: MIT and LGPLv2+ and GPLv2+
 Summary: System and Service Manager
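Review bot: Dropping the duplicated `_links` argument fixes the `_describe` call, but the `$( [[ $cmd == (edit|cat) ]] && print -- -P@ )` tail that survives on the changed line is still unexplained, and it is the non-obvious part: a reader has to know that `networkctl edit`/`cat` address an interface's configuration as `@<link>` (my recollection of the man page — worth confirming) to see why a `@` prefix is passed to compadd only for those two verbs. I'd put a comment above the `if`: `# edit/cat refer to a link's .network file as @<link>, so offer link names with a leading @ for those verbs`. The enclosing case statement starts before this hunk.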
@@ -51,68 +51,859 @@ Source106: write_net_rules
 Source107: detect_virt
 Source108: sense_data.py
-Patch6001: backport-Revert-sysctl.d-switch-net.ipv4.conf.all.rp_filter-f.patch
-Patch6002: backport-Avoid-tmp-being-mounted-as-tmpfs-without-the-user-s-.patch
-Patch6003: backport-temporarily-disable-test-seccomp.patch
-Patch6004: backport-core-exec-do-not-crash-with-UtmpMode-user-without-Us.patch
-Patch6005: backport-CVE-2023-50387.patch
-Patch6006: backport-CVE-2023-50868.patch
-Patch6007: backport-fix-analyze-q-option-invalid-issue.patch
-Patch6008: backport-allow-override-default-log-level-by-environment-variable.patch
-Patch6009: backport-login-user-runtime-dir-properly-check-for-mount-poin.patch
-Patch6010: backport-user-util-validate-the-right-field.patch
-Patch6011: backport-fix-conf-parser-oom-check-issue.patch
-Patch6012: backport-unit-check-for-correct-function-in-vtable.patch
-Patch6013: backport-fix-homed-log-message-typo-error.patch
-Patch6014: backport-bash-completion-add-systemctl-service-log-level-target.patch
-Patch6015: backport-fix-log-message-not-match-glob-patterns-passed-to-disable-command.patch
-Patch6016: backport-main-pass-the-right-error-variable.patch
-Patch6017: backport-sd-event-fix-fd-leak-when-fd-is-owned-by-IO-event-source.patch
-Patch6018: backport-fix-cgtop-sscanf-return-code-checks.patch
-Patch6019: backport-mount-optimize-mountinfo-traversal-by-decoupling-dev.patch
-Patch6020: backport-systemctl-fix-printing-of-RootImageOptions.patch
-Patch6021: backport-pid1-add-env-var-to-override-default-mount-rate-limit-interval.patch
-Patch6022: backport-core-escape-spaces-in-paths-during-serialization.patch
-Patch6023: backport-core-escape-spaces-when-serializing-as-well.patch
-Patch6024: backport-network-networkd-address-don-t-set-up-firewall-rules.patch
-Patch6025: backport-install-allow-removing-symlinks-even-for-units-that-.patch
-Patch6026: backport-shutdown-clean-up-sync_with_progress-a-bit.patch
-Patch6027: backport-shutdown-replace-unbounded-fsync-with-bounded-sync_w.patch
-Patch6028: backport-shutdown-teach-sync_with_progress-to-optionally-sync.patch
-Patch6029: backport-core-reliably-check-if-varlink-socket-has-been-deser.patch
-Patch6030: backport-fs-util-readlinkat-supports-an-empty-string.patch
-Patch6031: backport-exec-invoke-correct-dont_close-size.patch
-Patch6032: backport-core-Fix-file-descriptor-leak.patch
-Patch6033: backport-core-service-fix-accept-socket-deserialization.patch
-Patch6034: backport-coredump-correctly-take-tmpfs-size-into-account-for-.patch
-Patch6035: backport-sysusers-handle-NSS-errors-gracefully.patch
-Patch6036: backport-shared-log-error-when-execve-fail.patch
-Patch6037: backport-sd-event-do-not-assert-on-invalid-signal.patch
-Patch6038: backport-sd-event-change-error-code-EINVAL-EIO.patch
-Patch6039: backport-basic-log-do-not-treat-all-negative-errnos-as-synthe.patch
-Patch6040: backport-sd-ipv4acd-fix-assertion-triggered-when-an-ARP-recei.patch
-Patch6041: backport-resolved-log-error-messages-for-openssl-gnutls-conte.patch
-Patch6042: backport-journalctl-erase-verify-key-before-free.patch
-Patch6043: backport-core-service-use-log_unit_-where-appropriate.patch
-Patch6044: backport-core-Bump-log-level-of-reexecute-request-to-notice.patch
-Patch6045: backport-core-Log-in-more-scenarios-about-which-process-initi.patch
-Patch6046: backport-repart-fix-memory-leak.patch
-Patch6047: backport-fix-memory-leak-in-cryptsetup-generator.patch
-Patch6648: backport-shutdown-close-DM-block-device-before-issuing-DM_DEV.patch
-Patch6649: backport-execute-free-syscall_log-hashmap-when-done.patch
-Patch6650: backport-logind-let-system-wide-idle-begin-at-the-time-logind.patch
-Patch6651: backport-core-fix-assert-when-AddDependencyUnitFiles-is-calle.patch
-Patch6652: backport-CVE-2023-7008.patch
-Patch6653: backport-run-pass-the-pty-slave-fd-to-transient-service.patch
-Patch6654: backport-run-do-not-pass-the-pty-slave-fd-to-transient-servic.patch
+Patch6001: backport-loginctl-show-a-nicer-error-message-when-no-session-.patch
+Patch6002: backport-shared-killall-correctly-warn-about-rootfs-daemon-s-.patch
+Patch6003: backport-network-networkd-address-don-t-set-up-firewall-rules.patch
+Patch6004: backport-core-add-specifier-expansion-to-AllowedCPUs-and-frie.patch
+Patch6005: backport-coredump-keep-core-files-for-two-weeks.patch
+Patch6006: backport-show-status-suffix-output-ith-CRNL-rather-than-just-.patch
+Patch6007: backport-log-when-writing-a-log-message-to-a-TTY-always-end-l.patch
+Patch6008: backport-hostnamectl-do-not-show-local-machine-ID-and-boot-ID.patch
+Patch6009: backport-hostname-expose-machine-ID-and-boot-ID-through-DBus.patch
+Patch6010: backport-systemctl-also-grey-out-useful-hints-in-output-since.patch
+Patch6011: backport-variuos-fwrite-does-not-set-errno.patch
+Patch6012: backport-core-exec-invoke-rename-flags_fds-to-flag_fds.patch
+Patch6013: backport-fdset-set-all-collected-fds-to-CLOEXEC-in-fdset_new_.patch
+Patch6014: backport-core-exec-invoke-remove-redundant-fd_cloexec-call.patch
+Patch6015: backport-core-exec-invoke-prevent-potential-double-close-of-e.patch
+Patch6016: backport-Revert-sysusers.d-create-the-user-for-systemd-journa.patch
+Patch6017: backport-test-set-correct-group-for-systemd-journal-upload-te.patch
+Patch6018: backport-hibernate-resume-always-clear-HibernateLocation-if-s.patch
+Patch6019: backport-nspawn-Check-later-whether-to-keep-drop-CAP_NET_BIND.patch
+Patch6020: backport-journalctl-don-t-skip-over-messages-not-matching-the.patch
+Patch6021: backport-various-don-t-log-synthetic-EIO-for-fwrite.patch
+Patch6022: backport-test-avoid-NO_CAST.INTEGER_OVERFLOW-in-test-oomd-uti.patch
+Patch6023: backport-firstboot-remove-etc-localtime-on-reset.patch
+Patch6024: backport-tmpfiles.d-systemd-nologin.conf-use-f-instead-of-F-d.patch
+Patch6025: backport-core-do-not-make-private-dev-read-only-too-soon.patch
+Patch6026: backport-core-executor-save-argv-for-later-use-by-rename_proc.patch
+Patch6027: backport-test-reset-systemd-udevd.service-restart-counter.patch
+Patch6028: backport-test-backup-etc-udev-udev.conf-only-if-it-exists.patch
+Patch6029: backport-core-executor-do-destruct-static-variables-and-selin.patch
+Patch6030: backport-resolve-fix-wrong-error-cause-assignment-to-log_debu.patch
+Patch6031: backport-resolve-do-not-trigger-assertion-on-exit.patch
+Patch6032: backport-test-check-if-resolved-exits-cleanly.patch
+Patch6033: backport-bootctl-fix-case-sensitive-comparisons-in-reporting-.patch
+Patch6034: backport-kernel-install-Fix-inspect-with-root-when-no-version.patch
+Patch6035: backport-network-neighbor-add-missing-OOM-check.patch
+Patch6036: backport-network-adjust-log-message.patch
+Patch6037: backport-network-drop-unused-Manager.routes_foreign.patch
+Patch6038: backport-executor-don-t-duplicate-FD-array-to-avoid-double-cl.patch
+Patch6039: backport-analyze-also-find-template-unit-when-a-template-inst.patch
+Patch6040: backport-test-add-test-cases-for-issue-30357.patch
+Patch6041: backport-network-actually-show-the-unexpected-flags.patch
+Patch6042: backport-network-split-out-common-checks.patch
+Patch6043: backport-network-do-not-try-to-update-IP-sysctl-settings-for-.patch
+Patch6044: backport-parse-util-accept-arbitrary-MTU-size-when-AF_UNSPEC.patch
+Patch6045: backport-network-update-MTU-after-CAN-specific-configs-applie.patch
+Patch6046: backport-network-the-maximum-MTU-size-for-CAN-interface-may-b.patch
+Patch6047: backport-network-allow-to-configure-interface-MTU-for-CAN-dev.patch
+Patch6048: backport-test-network-add-test-for-small-MTU-for-vcan.patch
+Patch6049: backport-hibernate-resume-don-t-wait-forever-if-hibernate-inf.patch
+Patch6050: backport-core-device-add-stopping-job-message.patch
+Patch6051: backport-core-job-emit-job-start-message-if-we-re-only-waitin.patch
+Patch6052: backport-execute-handle-gracefully-if-we-cannot-lock-dev-cons.patch
+Patch6053: backport-test-never-is-not-a-valid-value-for-Restart.patch
+Patch6054: backport-execute-improve-log-message-about-TTY-ownership-rese.patch
+Patch6055: backport-openssl-util-avoid-freeing-invalid-pointer.patch
+Patch6056: backport-dissect-tool-right-align-the-partition-number.patch
+Patch6057: backport-test-mask-the-mdmonitor.service.patch
+Patch6058: backport-dissect-image-handle-continue-event-in-metadata-acqu.patch
+Patch6059: backport-dissect-image-don-t-try-to-validate-an-extension-rel.patch
+Patch6060: backport-dissect-image-fix-fd-leak-in-dissected_image_acquire.patch
+Patch6061: backport-dissect-image-move-comment-to-right-place.patch
+Patch6062: backport-varlink-improve-compat-with-varlink-C-reference-impl.patch
+Patch6063: backport-cgroup-bring-list-of-delegated-cgroup-attributes-up-.patch
+Patch6064: backport-test-test-that-delegation-of-some-newer-attrs-that-s.patch
+Patch6065: backport-test-install-all-necessary-units-generators-for-LVM-.patch
+Patch6066: backport-userdbd-properly-close-the-listener-fd-on-exit.patch
+Patch6067: backport-network-route-fix-reachability-check-when-peer-addre.patch
+Patch6068: backport-test-network-add-test-case-for-issue-30403.patch
+Patch6069: backport-test-fix-check-for-device-in-test-execute.patch
+Patch6070: backport-CVE-2023-7008.patch
+Patch6071: backport-shutdown-Send-EXIT_STATUS-before-final-sync.patch
+Patch6072: backport-test-forward-journal-messages-to-console-during-sd-b.patch
+Patch6073: backport-test-add-missing-operators.patch
+Patch6074: backport-test-make-sure-the-dummy-CA-certificate-is-marked-as.patch
+Patch6075: backport-test-don-t-truncate-the-final-journal.patch
+Patch6076: backport-test-redirect-stdout-stderr-of-TEST-04-JOURNAL-to-co.patch
+Patch6077: backport-test-flush-the-socket-once-the-triggered-unit-exits.patch
+Patch6078: backport-busctl-avoid-asserting-on-NULL-message.patch
+Patch6079: backport-udev-add-hwdb-execution-for-hidraw-subsystem-devices.patch
+Patch6080: backport-resolve-don-t-add-sockets-to-the-graveyard-on-shutdo.patch
+Patch6081: backport-killall-fix-errno-check.patch
+Patch6082: backport-sleep-connect-to-correct-bus-when-locking-homed-mana.patch
+Patch6083: backport-hibernate-util-make-sure-we-use-blockdev-path-for-Hi.patch
+Patch6084: backport-sleep-don-t-log-duplicate-error.patch
+Patch6085: backport-bash-completion-add-systemctl-service-log-level-target.patch
+Patch6086: backport-bash-completion-make-systemctl-mount-image-bind-auto.patch
+Patch6087: backport-dns-update-record-type-enum-to-match-iana.patch
+Patch6088: backport-sd-journal-check-sd-event-state-before-setting-up-po.patch
+Patch6089: backport-fd-util-modernization.patch
+Patch6090: backport-fd-util-don-t-eat-up-errors-in-fd_cloexec_many.patch
+Patch6091: backport-udevadm-Propagate-return-code-from-verb-result.patch
+Patch6092: backport-test-add-simple-coverage-tests-for-udevadm-lock.patch
+Patch6093: backport-resolve-add-several-comments-for-DNS-type-table.patch
+Patch6094: backport-utmp-wtmp-check-actual-value-of-bool-instead-of-poin.patch
+Patch6095: backport-logind-use-handle_action_to_string-where-appropriate.patch
+Patch6096: backport-resolve-do-not-listen-to-IPv6-when-disabled-by-sysct.patch
+Patch6097: backport-unit-order-systemd-resolved-after-systemd-sysctl.patch
+Patch6098: backport-network-queue-fix-potential-double-free-on-oom.patch
+Patch6099: backport-udev-dmi-memory-id-update-table-with-latest-SMBIOS-s.patch
+Patch6100: backport-efi-loader-when-detecting-if-we-are-booted-in-UKI-me.patch
+Patch6101: backport-resolve-mdns-do-not-append-goodby-packet-entries-to-.patch
+Patch6102: backport-tpm2-util-handle-TPMs-gracefully-that-do-not-support.patch
+Patch6103: backport-Fix-KeepCarrier-tun-tap-device-option.patch
+Patch6104: backport-test-install-correct-kpartx-udev-rules-on-Debian.patch
+Patch6105: backport-test-temporarily-adjust-the-default-mount-rate-limit.patch
+Patch6106: backport-basic-fix-overflow-detection-in-sigbus_pop.patch
+Patch6107: backport-homed-add-missing-bus-call-to-homed-access-policy.patch
+Patch6108: backport-logind-session-be-tolerant-if-we-failed-to-remove-le.patch
+Patch6109: backport-Use-.d-path-for-PCRLOCK_KERNEL_-_PATH.patch
+Patch6110: backport-network-do-not-make-the-implied-default-have-the-fir.patch
+Patch6111: backport-pcrlock-Print-correct-NV-index-when-writing-new-poli.patch
+Patch6112: backport-allow-override-default-log-level-by-environment-variable.patch
+Patch6113: backport-core-escape-spaces-in-paths-during-serialization.patch
+Patch6114: backport-network-link-always-join-to-the-main-interface-when-.patch
+Patch6115: backport-network-route-do-not-invalidate-Route-section-when-a.patch
+Patch6116: backport-repart-don-t-crash-when-looping-over-dropped-partiti.patch
+Patch6117: backport-resolve-NSCOUNT-of-DNS-query-may-not-be-zero.patch
+Patch6118: backport-virt-fix-detection-of-avx2-and-friends.patch
+Patch6119: backport-timesync-IPTOS_LOWDELAY-IPTOS_DSCP_EF.patch
+Patch6120: backport-discover-image-don-t-accidentally-set-run-systemd-ns.patch
+Patch6121: backport-fix-analyze-q-option-invalid-issue.patch
+Patch6122: backport-analyze-man-and-help-fixes.patch
+Patch6123: backport-id128-util-do-not-expose-product-UUID-when-running-i.patch
+Patch6124: backport-virt-add-Google-Compute-Engine-support.patch
+Patch6125: backport-test-skip-test_exec_networknamespacepath-if-netns-se.patch
+Patch6126: backport-firstboot-fix-typo-and-add-missing-option-to-help-te.patch
+Patch6127: backport-watchdog-ensure-configured-timeout-is-used-instead-o.patch
+Patch6128: backport-logind-Mark-LidClosed-property-as-emits-change.patch
+Patch6129: backport-network-ndisc-do-not-try-to-set-too-large-value-for-.patch
+Patch6130: backport-core-execute-don-t-reload-selinux-before-spawning-ex.patch
+Patch6131: backport-modprobe-set-ifb-numifbs-0-to-avoid-autocreating-ifb.patch
+Patch6132: backport-Fix-gcc14-Wcalloc-transposed-args-warnings.patch
+Patch6133: backport-battery-util-raise-log-level-for-battery_is_discharg.patch
+Patch6134: backport-resolve-on_transaction_stream_error-may-free-multipl.patch
+Patch6135: backport-systemctl-is-system-running-display-offline-with-ima.patch
+Patch6136: backport-strv-introduce-strv_copy_unless_empty.patch
+Patch6137: backport-kernel-install-fix-context_copy.patch
+Patch6138: backport-kernel-install-silence-num-kernels-installed.patch
+Patch6139: backport-sd-netlink-fix-rtnl_resolve_link_alternative_name.patch
+Patch6140: backport-unit-check-for-correct-function-in-vtable.patch
+Patch6141: backport-tpm2-Do-not-use-RSA-exponent-special-case-default-va.patch
+Patch6142: backport-test-verify-PEM-TPM2B_PUBLIC-conversion-for-RSA-key-.patch
+Patch6143: backport-test-check-TPM2B_PUBLIC-name-during-PEM-TPM2B_PUBLIC.patch
+Patch6144: backport-tpm2-If-unsealing-results-in-policy-hash-mismatch-wh.patch
+Patch6145: backport-Reorder-arguments-for-calloc-like-functions-part-2.patch
+Patch6146: backport-meson-disable-Wnonnull-compare.patch
+Patch6147: backport-macro-terminate-the-temporary-VA_ARGS_FOREACH-array-.patch
+Patch6148: backport-Measure-empty-PK-and-KEK-EFI-vars.patch
+Patch6149: backport-virt-support-detection-of-Apple-Virtualization-guest.patch
+Patch6150: backport-fix-cgtop-sscanf-return-code-checks.patch
+Patch6151: backport-core-raise-the-log-priority-if-sd-executor-is-missin.patch
+Patch6152: backport-systemctl-configure-boot-loader-options-only-when-go.patch
+Patch6153: backport-meson-check-for-pefile-dependency-before-enabling-uk.patch
+Patch6154: backport-storagetm-always-hash-stat.st_mode.patch
+Patch6155: backport-storagetm-fix-use-of-wrong-stat-element.patch
+Patch6156: backport-pam_systemd-close-pidfd-after-use.patch
+Patch6157: backport-pam_systemd-always-check-if-session-is-busy.patch
+Patch6158: backport-find-esp-do-not-fail-when-boot-on-btrfs-RAID-on-sear.patch
+Patch6159: backport-find-esp-introduce-verify_esp_flags_init-helper-func.patch
+Patch6160: backport-find-esp-do-not-skip-fstype-check-even-when-root-or-.patch
+Patch6161: backport-test-split-out-host_has_-btrfs-mdadm-from-TEST-64-UD.patch
+Patch6162: backport-test-make-install_mdadm-also-install-relevant-kernel.patch
+Patch6163: backport-test-mask-mdmonitor-when-building-image.patch
+Patch6164: backport-test-create-ESP-and-xbootldr-partitions.patch
+Patch6165: backport-test-add-basic-coverity-tests-for-bootctl.patch
+Patch6166: backport-find-esp-add-debugging-log-about-failure-in-parsing-.patch
+Patch6167: backport-test-fix-dbus-installation-on-Arch.patch
+Patch6168: backport-Revert-mkosi-pin-CentOS8-kernel-to-working-version.patch
+Patch6169: backport-packit-use-the-closest-matching-tag-for-the-checked-.patch
+Patch6170: backport-test-network-fix-racy-test-for-address_static.patch
+Patch6171: backport-test-reset-systemd-resolved.service-s-restart-counte.patch
+Patch6172: backport-journal-remote-use-macro-wrapper-instead-of-alloca-t.patch
+Patch6173: backport-test-don-t-store-udev-worker-coredumps-in-journal.patch
+Patch6174: backport-test-skip-TEST-08-INITRD-if-systemd-didn-t-run-in-th.patch
+Patch6175: backport-Revert-test-disable-TEST-08-INITRD-on-ubuntu-CI.patch
+Patch6176: backport-test-install-empty-directories-with-NO_BUILD-1.patch
+Patch6177: backport-test-don-t-check-for-Dinstall-tests-true-with-NO_BUI.patch
+Patch6178: backport-test-tell-delv-to-load-anchors-from-etc-bind.keys-ex.patch
+Patch6179: backport-test-use-the-default-nsec3-iterations-value.patch
+Patch6180: backport-id128-util-Attempt-to-read-UUID-from-sys-hypervisor-.patch
+Patch6181: backport-machine-id-setup-Generate-stable-machine-IDs-based-o.patch
+Patch6182: backport-semaphore-temporarily-pin-autopkgtest-to-v5.32.patch
+Patch6183: backport-preset-enable-confext-and-sysext-by-default-31211.patch
+Patch6184: backport-test-explicitly-set-nsec3-iterations-to-0.patch
+Patch6185: backport-test-use-a-dropin-for-the-journald-snippet.patch
+Patch6186: backport-test-make-the-MemoryHigh-limit-a-bit-more-generous-w.patch
+Patch6187: backport-test-unset-TZ-before-timezone-sensitive-unit-tests-a.patch
+Patch6188: backport-Sort-input-file-list.patch
+Patch6189: backport-meson-drop-arch-filtering-in-syscall-list.patch
+Patch6190: backport-test-use-lstat-instead-of-stat-follow_symlinks-False.patch
+Patch6191: backport-test-disable-testsuite-04.LogFilterPatterns-journal-.patch
+Patch6192: backport-meson-fix-installation-of-html-doc-aliases.patch
+Patch6193: backport-network-fix-typo.patch
+Patch6194: backport-network-do-not-bring-down-a-bonding-port-interface-w.patch
+Patch6195: backport-test-network-add-test-case-for-issue-31165.patch
+Patch6196: backport-wait-online-by-default-not-all-interface-need-to-be-.patch
+Patch6197: backport-network-dhcp4-disable-IPv6OnlyMode-by-default.patch
+Patch6198: backport-login-user-runtime-dir-properly-check-for-mount-poin.patch
+Patch6199: backport-executor-really-set-POSIX_SPAWN_SETSIGDEF-for-posix_.patch
+Patch6200: backport-copy-do-not-ignore-chattr_flags-and-friends-passed-t.patch
+Patch6201: backport-core-escape-spaces-when-serializing-as-well.patch
+Patch6202: backport-network-dhcp6-deem-DHCPv6-configuration-to-be-finish.patch
+Patch6203: backport-network-do-not-request-DHCP-addresses-configured-on-.patch
+Patch6204: backport-test-network-split-test_dhcp6pd-into-small-pieces.patch
+Patch6205: backport-test-network-add-one-more-test-case-for-DHCP-prefix-.patch
+Patch6206: backport-sd-radv-fix-potential-buffer-overflow.patch
+Patch6207: backport-core-exec-do-not-crash-with-UtmpMode-user-without-Us.patch
+Patch6208: backport-test-add-a-test-for-31384.patch
+Patch6209: backport-gpt-auto-generator-fix-argument-passed-to-parse_imag.patch
+Patch6210: backport-Fallback-from-pidfd_open-on-permission-errors-too.patch
+Patch6211: backport-efi-de-inline-xmalloc-to-fix-build-failure-with-gcc-.patch
+Patch6212: backport-CVE-2023-50387.patch
+Patch6213: backport-CVE-2023-50868.patch
+Patch6214: backport-test-skip-TEST-43-PRIVATEUSER-UNPRIV-if-unprivileged.patch +Patch6215: backport-bus-socket-Clarify-that-inotify-is-supposed-to-watch.patch +Patch6216: backport-udev-even-if-a-device-is-a-zac-device-scsi-ID_SERIAL.patch +Patch6217: backport-Restart-the-DHCPv4-client-when-max-REQUEST-attempts-.patch +Patch6218: backport-boot-don-t-print-error-if-device-tree-fixup-protocol.patch +Patch6219: backport-bash-completion-add-missing-options-to-systemd-crypt.patch +Patch6220: backport-bash-completion-add-missing-options-to-systemd-disse.patch +Patch6221: backport-test-skip-a-systemd-run-test-if-unprivileged-userns-.patch +Patch6222: backport-portable-log-structured-message-when-attach-detach-s.patch +Patch6223: backport-core-path-Re-enter-waiting-if-target-is-deactivating.patch +Patch6224: backport-user-util-validate-the-right-field.patch +Patch6225: backport-bootctl-return-earlier-with-print-esp-path.patch +Patch6226: backport-test-execute-skip-tests-that-are-broken-without-unpr.patch +Patch6227: backport-repart-don-t-try-to-determine-sector-size-from-a-dis.patch +Patch6228: backport-cgroup-don-t-enable-bpf-pseudo-controllers-when-doin.patch +Patch6229: backport-sd-bus-fix-exiting-event-loop-when-sd_bus_set_exit_o.patch +Patch6230: backport-test-set-ex-separately.patch +Patch6231: backport-test-fix-the-container-ID-check.patch +Patch6232: backport-timesyncd-make-the-transmit-timestamp-in-requests-fu.patch +Patch6233: backport-Fix-bug-where-systemd-tmpfiles-gets-stuck-on-fifos-i.patch +Patch6234: backport-fix-conf-parser-oom-check-issue.patch +Patch6235: backport-namespace-don-t-invoke-loopback_setup-unless-we-allo.patch +Patch6236: backport-test-namespace-SOCK_CLOEXEC-ify-all-the-things.patch +Patch6237: backport-core-exec-invoke-call-pam_setcred-PAM_DELETE_CRED-af.patch +Patch6238: backport-pam-do-not-warn-closing-bus-connection-which-is-open.patch +Patch6239: backport-test-check-pam-warning-message.patch +Patch6240: 
backport-nspawn-permit-ephemeral-with-link-journal-try-treat-.patch +Patch6241: backport-cryptenroll-Fix-reading-keyfile-from-socket.patch +Patch6242: backport-detect-virt-fix-Google-Compute-Engine-support.patch +Patch6243: backport-Install-pacman-in-Arch-Linux-image.patch +Patch6244: backport-sysusers-tmpfiles-clarify-error-message-for-replace.patch +Patch6245: backport-test-69-send-SIGTERM-to-ask-systemd-nspawn-to-proper.patch +Patch6246: backport-test-clean-up-the-code-a-bit.patch +Patch6247: backport-core-service-make-error-msg-match-with-conditions.patch +Patch6248: backport-firstboot-validate-keymap-entry.patch +Patch6249: backport-missing-change-our-close_range-syscall-wrapper-to-ma.patch +Patch6250: backport-btrfs-util-rework-btrfs_is_nocow_fd-around-fd_is_fs_.patch +Patch6251: backport-btrfs-util-use-memdup_suffix0-instead-of-strndup-at-.patch +Patch6252: backport-btrfs-util-apparently-btrfs-ioctls-return-unaligned-.patch +Patch6253: backport-test-install-systemd-boot-in-openSUSE-test-images.patch +Patch6254: backport-test-make-sure-that-sd-boot-is-installed-before-test.patch +Patch6255: backport-test-make-sure-to-install-the-filesystem-package-in-.patch +Patch6256: backport-journald-when-getting-journal-data-via-memfd-check-f.patch +Patch6257: backport-meson-do-not-attempt-to-install-tests-when-they-are-.patch +Patch6258: backport-efi-loader-make-efi_loader_get_entries-handling-miss.patch +Patch6259: backport-keyring-util-Use-reported-key-size-to-resize-buf.patch +Patch6260: backport-fs-util-readlinkat-supports-an-empty-string.patch +Patch6261: backport-chase-do-not-wrap-xopenat-with-RET_NERRNO.patch +Patch6262: backport-chattr-util-fix-error-code.patch +Patch6263: backport-loop-util-fix-error-handling.patch +Patch6264: backport-test-always-try-to-install-the-ext4-module.patch +Patch6265: backport-test-make-TEST-08-INITRD-slightly-less-annoying-to-d.patch +Patch6266: backport-test-use-btrfs-mkswapfile-on-btrfs.patch +Patch6267: 
backport-test-don-t-abbreviate-log-messages-when-dumping-the-.patch +Patch6268: backport-test-modernize-TEST-55-OOMD-s-init.patch +Patch6269: backport-Set-SYSTEMD_LOG_LEVEL-info-explicitly-in-test-sysuse.patch +Patch6270: backport-udev-String-substitutions-can-be-done-in-ENV-too.patch +Patch6271: backport-test-support-TEST_MATCH_-stuff-in-TEST-23-UNIT-FILE-.patch +Patch6272: backport-missing_fcntl-Fix-RAW_O_LARGEFILE.patch +Patch6273: backport-test-temporarily-enable-session-lingering-for-the-te.patch +Patch6274: backport-tree-wide-be-more-careful-when-passing-literal-integ.patch +Patch6275: backport-test-nss-hosts-treat-negative-host-lookup-as-slow.patch +Patch6276: backport-detect-virt-allow-detection-via-device-tree-on-RISC-.patch +Patch6277: backport-systemctl-fix-fallback-for-pidfd_open-permission-err.patch +Patch6278: backport-install-fix-compiler-warning-about-empty-directive-a.patch +Patch6279: backport-dhcp-option-refuse-control-and-non-UTF8-characters-i.patch +Patch6280: backport-basic-add-PIDFS-magic-31709.patch +Patch6281: backport-sd-dhcp-server-refuse-invalid-hostname-in-request.patch +Patch6282: backport-test-check-for-dev-loop-control-when-checking-lodev-.patch +Patch6283: backport-test-explicitly-set-TERM-linux-for-TEST-69-SHUTDOWN.patch +Patch6284: backport-test-test-shutdown.py-optionally-display-the-test-I-.patch +Patch6285: backport-test-set-pexpect-s-logfile-early.patch +Patch6286: backport-test-wait-until-the-test-container-is-fully-booted-u.patch +Patch6287: backport-test-make-the-output-of-TEST-69-less-painful-to-read.patch +Patch6288: backport-test-fall-back-to-SYSLOG_IDENTIFIER-matching-where-n.patch +Patch6289: backport-basic-virt-Fix-virtualbox-detection-on-proprietary-s.patch +Patch6290: backport-zsh-_journalctl-complete-g-case-sensitive-help-pseud.patch +Patch6291: backport-tmpfiles.d-avoid-deprecated-undocumented-syntax-s-F-.patch +Patch6292: backport-core-mark-JoinControllers-as-DISABLED_LEGACY-rather-.patch +Patch6293: 
backport-fix-the-value-of-default-shells-to-use-bin-and-not-u.patch +Patch6294: backport-rpm-macros-add-_kernel_install_dir.patch +Patch6295: backport-busctl-don-t-hit-an-assert-if-we-call-invalid-bus-me.patch +Patch6296: backport-resolve-skip-IP_UNICAST_IF-for-local-sockets.patch +Patch6297: backport-hashmap-reorder-fields-to-pack-structure-better.patch +Patch6298: backport-po-add-false-positives-to-POTFILES.skip.patch +Patch6299: backport-resolved-explicitly-disconnect-all-left-over-TCP-con.patch +Patch6300: backport-test-use-ahost-instead-of-hosts-where-applicable.patch +Patch6301: backport-core-service-Type-notify-dbus-services-shouldn-t-be-.patch +Patch6302: backport-core-service-don-t-transition-to-start-post-on-cgrou.patch +Patch6303: backport-resolved-decrease-mdns-llmnr-priority-for-the-revers.patch +Patch6304: backport-tmpfiles-remove-one-more-use-of-goto-and-modernizati.patch +Patch6305: backport-tmpfiles-do-X-bit-check-in-an-ACL-aware-manner.patch +Patch6306: backport-tmpfiles.d-systemd-use-ACL-X-bit-where-appropriate.patch +Patch6307: backport-resolved-don-t-cache-NXDOMAIN-for-SUDN-resolver.arpa.patch +Patch6308: backport-resolved-refuse-queries-with-no-suitable-scope.patch +Patch6309: backport-resolved-also-reply-NOTIMP-when-refusing-a-query-bas.patch +Patch6310: backport-data-fd-util-Fixup-header.patch +Patch6311: backport-env-util-add-new-setenvf-helper.patch +Patch6312: backport-homework-cifs-Pass-password-via-fd.patch +Patch6313: backport-fix-homed-log-message-typo-error.patch +Patch6314: backport-Update-_udevadm.patch +Patch6315: backport-units-Accept-modules_load-and-rd.modules_load-in-sys.patch +Patch6316: backport-resolved-wait-to-gc-transactions-if-they-might-still.patch +Patch6317: backport-terminal-util-fix-underlining-with-SYSTEMD_COLORS-no.patch +Patch6318: backport-dnssd-don-t-advertise-subtype-PTRs-to-the-browsing-d.patch +Patch6319: backport-kernel-install-fix-uki-copy-deinstall.patch +Patch6320: 
backport-resolved-don-t-request-the-SOA-for-every-dns-label.patch
+Patch6321: backport-resolved-request-DS-with-DNSKEY.patch
+Patch6322: backport-journalctl-make-until-work-again-with-after-cursor-a.patch
+Patch6323: backport-test-add-test-case-for-issue-31776.patch
+Patch6324: backport-elf2efi-remove-outdated-comment-mentioning-linker-sc.patch
+Patch6325: backport-efi-check-if-all-sections-of-our-EFI-binaries-are-pr.patch
+Patch6326: backport-Fix-bpf-framework-build-failure-with-gcc-bpf.patch
+Patch6327: backport-bpf-socket-bind-fix-unexpected-behavior-with-either-.patch
+Patch6328: backport-shared-Fix-TPM2-unsealing-when-PCR-values-change.patch
+Patch6329: backport-shared-logs-show-restore-infinite-loop-avoidance-for.patch
+Patch6330: backport-resolved-minor-dnssec-fixups.patch
+Patch6331: backport-network-save-the-real-rdnss-address.patch
+Patch6332: backport-core-serialize-reload-rate-limit.patch
+Patch6333: backport-sd-bus-vtable-add-dummy-macro-to-support-compile-wit.patch
+Patch6334: backport-bpf-actually-check-for-errors-when-loading-symbols.patch
+Patch6335: backport-dlopen-log-debug-message-when-a-library-is-dlopened.patch
+Patch6336: backport-watchdog-clarify-that-we-set-the-watchdog-timeout.patch
+Patch6337: backport-cryptsetup-tokens-fix-argument-order-mismatch-in-fun.patch
+Patch6338: backport-meson-set-fno-ssa-phiopt-when-building-bpf-with-gcc.patch
+Patch6339: backport-sd-journal-fix-check-in-journal_file_verify_header.patch
+Patch6340: backport-base-filesystem-check-for-__s390x__-first.patch
+Patch6341: backport-core-silence-gcc-warning-about-unitialized-variable.patch
+Patch6342: backport-sd-bus-rework-assert-to-make-the-gcc-happy.patch
+Patch6343: backport-hibernate-util-check-noresume-before-reading-resume-.patch
+Patch6344: backport-userdbctl-avoid-NULL-pointer-deref.patch
+Patch6345: backport-userdbctl-correct-uid_range_covers-check.patch
+Patch6346: backport-meson-do-not-fail-build-with-newer-kernel-headers.patch
+Patch6347: 
backport-journalctl-update-help-to-say-priority-range-32323.patch
+Patch6348: backport-systemctl-allow-user-to-suppress-output-when-no-acti.patch
+Patch6349: backport-boot-fix-assignment-of-ret_-variables-in-initrd_prep.patch
+Patch6350: backport-copy-ignore-EOPNOTSUPP-from-copy_file_range.patch
+Patch6351: backport-stub-get-uname-from-image-before-loading-addons.patch
+Patch6352: backport-cpio-fix-assert.patch
+Patch6353: backport-sd-journal-downgrade-log-message-Unused-data-entry_o.patch
+Patch6354: backport-tpm2-util-add-generic-wrapper-tpm2_context_new_or_wa.patch
+Patch6355: backport-sd-event-fix-fd-leak-when-fd-is-owned-by-IO-event-source.patch
+Patch6356: backport-core-Check-for-TERM-dumb-in-show_status.patch
+Patch6357: backport-tpm2-setup-early-order-against-pcrphase-initrd.patch
+Patch6358: backport-shared-verbs-minor-modernization.patch
+Patch6359: backport-shared-verbs-show-list-of-verbs-when-missing.patch
+Patch6360: backport-sd-event-sd-journal-fix-error-handling-of-inotify_ad.patch
+Patch6361: backport-network-fix-use-of-wrong-flag.patch
+Patch6362: backport-network-tc-fix-stack-overflow-when-dropping-tclass-o.patch
+Patch6363: backport-test-network-sync-journal-before-read.patch
+Patch6364: backport-test-network-use-read_networkd_log-at-one-more-place.patch
+Patch6365: backport-test-network-introduce-networkctl-and-friends.patch
+Patch6366: backport-test-network-do-not-call-networkctl-if-networkd-is-i.patch
+Patch6367: backport-test-network-add-test-for-stack-overflow-in-qdisc_dr.patch
+Patch6368: backport-journal-remote-fix-two-minor-memory-leaks.patch
+Patch6369: backport-sd-device-introduce-device_get_sysattr_unsigned_full.patch
+Patch6370: backport-blockdev-util-also-read-ext_range-sysattr-to-check-i.patch
+Patch6371: backport-shared-open-file-use-xescape-to-escape.patch
+Patch6372: backport-core-mount-if-unmount-retries-exceeded-max-record-as.patch
+Patch6373: backport-dissect-fix-memory-leak.patch
+Patch6374: 
backport-os-util-allow-matching-versioned-image-with-extensio.patch
+Patch6375: backport-Ensure-that-a-portable-is-not-detached-when-another-.patch
+Patch6376: backport-portable-fix-portablectl-list-to-show-the-actual-sta.patch
+Patch6377: backport-core-mount-if-umount-8-fails-but-mount-disappeared-a.patch
+Patch6378: backport-journal-remote-allow-AF_VSOCK-and-AF_UNIX-for-listen.patch
+Patch6379: backport-Revert-bpf-test-with-GCC-BPF-compiler-on-opensuse.patch
+Patch6380: backport-journal-remote-Use-sd_event_set_signal_exit.patch
+Patch6381: backport-core-mount-if-mount-is-gone-eventually-consider-it-s.patch
+Patch6382: backport-tpm2-setup-Add-graceful.patch
+Patch6383: backport-core-Serialize-both-pid-and-pidfd-to-keep-downgrades.patch
+Patch6384: backport-core-Serialize-both-pid-and-pidfd.patch
+Patch6385: backport-test-temporarily-disable-test_sysctl.patch
+Patch6386: backport-fs-util-rename-xopenat-xopanat_full.patch
+Patch6387: backport-copy-use-xopenat-to-make-from-argument-optional.patch
+Patch6388: backport-stat-util-rebreak-comment.patch
+Patch6389: backport-stat-util-introduce-stat-fd-_verify_linked.patch
+Patch6390: backport-sd-journal-use-stat_verify_linked.patch
+Patch6391: backport-copy-introduce-COPY_VERIFY_LINKED-flag.patch
+Patch6392: backport-journal-file-util-use-the-file-descriptor-of-journal.patch
+Patch6393: backport-journal-file-util-use-COPY_VERIFY_LINKED.patch
+Patch6394: backport-test-add-test-cases-for-journal-corruption-on-btrfs.patch
+Patch6395: backport-exec-invoke-correct-dont_close-size.patch
+Patch6396: backport-resolved-always-progress-DS-queries.patch
+Patch6397: backport-resolved-probe-for-dnssec-support-in-allow-downgrade.patch
+Patch6398: backport-resolved-validate-authentic-insecure-delegation-to-C.patch
+Patch6399: backport-systemctl-list-jobs-interchange-waiting-for-and-bloc.patch
+Patch6400: backport-journald-server-drop-spuriously-doubled-for-OBJECT_S.patch
+Patch6401: backport-cryptsetup-tokens-fix-pin-asserts.patch
+Patch6402: backport-portable-Don-t-fail-if-etc-resolv.conf-doesn-t-exist.patch
+Patch6403: backport-varlink-make-errors-returned-by-verify_unix_socket-s.patch
+Patch6404: backport-mount-setup-fix-typo.patch
+Patch6405: backport-shell-completion-fix-machinectl-import-tar-raw.patch
+Patch6406: backport-shell-completions-install-new-completions-which-were.patch
+Patch6407: backport-networkd-Correct-documentation-for-LinkLocalAddressi.patch
+Patch6408: backport-journalctl-also-check-arg_file_stdin-with-other-jour.patch
+Patch6409: backport-pam_systemd_loadkey-add-missing-PAM_EXTERN.patch
+Patch6410: backport-meson-define-s390-for-s390x-when-building-BPF-object.patch
+Patch6411: backport-meson-copy-prefix-mapping-CFLAGS-when-building-BPF-o.patch
+Patch6412: backport-core-Fix-file-descriptor-leak.patch
+Patch6413: backport-fix-log-message-not-match-glob-patterns-passed-to-disable-command.patch
+Patch6414: backport-reboot-util-Add-some-basic-validation-on-reboot-argu.patch
+Patch6415: backport-shell-completion-add-missing-args-to-bash-resolvectl.patch
+Patch6416: backport-sd-journal-verify-monotonic-timestamp-before-assigni.patch
+Patch6417: backport-test-replace-Europe-Kiev-with-Europe-Kyiv.patch
+Patch6418: backport-systemd-boot-Allow-key-enroll-in-AuditMode.patch
+Patch6419: backport-journal-remote-main-pass-the-right-error-variable.patch
+Patch6420: backport-bless-boot-pass-the-right-error-variable.patch
+Patch6421: backport-main-pass-the-right-error-variable.patch
+Patch6422: backport-exec-invoke-pass-the-right-error-variable.patch
+Patch6423: backport-resolved-dns-stream-pass-the-right-error-variable.patch
+Patch6424: backport-manager-pass-the-right-error-variable.patch
+Patch6425: backport-nspawn-pass-the-right-error-variable.patch
+Patch6426: backport-test-socket-bind-pass-the-right-error-variable.patch
+Patch6427: backport-test-bpf-restrict-fs-pass-the-right-error-variable.patch
+Patch6428: backport-test-bpf-foreign-programs-pass-the-right-error-varia.patch
+Patch6429: backport-homed-manager-pass-the-right-error-variable.patch
+Patch6430: backport-homework-fscrypt-pass-the-right-error-variable.patch
+Patch6431: backport-homework-quota-pass-the-right-error-variable.patch
+Patch6432: backport-udev-rules-pass-the-right-error-variable.patch
+Patch6433: backport-clean-ipc-pass-the-right-error-variable.patch
+Patch6434: backport-preset-all-continue-on-errors-report-more-errors.patch
+Patch6435: backport-tmpfiles-Don-t-fail-if-file-does-not-exist-in-item_d.patch
+Patch6436: backport-network-tc-Avoid-concurrent-set-modification-in-tcla.patch
+Patch6437: backport-logind-Add-fallback-for-when-the-PIDFDs-property-is-.patch
+Patch6438: backport-cgroup-util-allow-cg_read_pid-to-skip-unmapped-zero-.patch
+Patch6439: backport-hibernate-util-logind-emit-a-clear-error-if-the-spec.patch
+Patch6440: backport-TEST-81-GENERATORS-Do-a-lazy-unmounts.patch
+Patch6441: backport-TEST-46-HOMED-Ignore-Disk-Usage-field-as-well.patch
+Patch6442: backport-basic-linux-Copy-netfilter.h-to-the-source-tree.patch
+Patch6443: backport-test-add-basic-tests-for-in_addr_prefix_covers_full.patch
+Patch6444: backport-network-dhcp4-do-not-set-gateway-if-DNS-server-or-fr.patch
+Patch6445: backport-test-network-do-not-fail-if-macvlan-module-is-not-av.patch
+Patch6446: backport-test-network-do-not-fail-when-etc-protocols-does-not.patch
+Patch6447: backport-test-network-introduce-no-journal-option.patch
+Patch6448: backport-test-network-check-existence-of-kernel-bug.patch
+Patch6449: backport-libcrypt-util-fix-wrong-errno-value-assignment.patch
+Patch6450: backport-TEST-38-FREEZER-Relax-regex-a-little.patch
+Patch6451: backport-curl-glue-catch-libcurl-attempting-to-change-timeout.patch
+Patch6452: backport-sd-event-increase-test-event-timeout-to-120s.patch
+Patch6453: backport-libsystemd-network-skip-dhcp-server-test-in-case-of-.patch
+Patch6454: backport-libsystemd-network-remove-double-initialization.patch
+Patch6455: 
backport-home-fix-ownership-of-files-copied-from-skelton-dire.patch
+Patch6456: backport-core-Fix-assertion-in-parse_smbios_strings.patch
+Patch6457: backport-test-test-rpm-macros.sh-add-build-directory-to-pkg-c.patch
+Patch6458: backport-systemctl-fix-applying-zero-offset-to-null-pointer-U.patch
+Patch6459: backport-pe-binary-.initrd-section-is-optional-for-UKI.patch
+Patch6460: backport-journal-importer-Consider-ECONNRESET-as-EOF.patch
+Patch6461: backport-test-add-coverate-for-Compress-yes-config-option.patch
+Patch6462: backport-test-network-use-different-destination-from-gateway.patch
+Patch6463: backport-test-do-not-fill-journal-with-wait.patch
+Patch6464: backport-test-do-not-fill-journal-with-diff.patch
+Patch6465: backport-test-wait-for-partition-processed-by-udevd.patch
+Patch6466: backport-test-sync-journal-before-reading-journal.patch
+Patch6467: backport-test-wait-for-slice-unit-being-de-activated.patch
+Patch6468: backport-test-wait-for-partition-device-being-processed-by-ud.patch
+Patch6469: backport-test-wait-for-sessions-being-closed.patch
+Patch6470: backport-mountpoint-util-Deal-with-kernel-API-breakage-in-nor.patch
+Patch6471: backport-test-install-modinfo-to-test-image.patch
+Patch6472: backport-run-do-not-log-Error-on-PTY-forwarding-logic-when-di.patch
+Patch6473: backport-run-pass-the-pty-slave-fd-to-transient-service.patch
+Patch6474: backport-test-sync-journal-before-read.patch
+Patch6475: backport-discover-image-update-Image.read_only-flag-in-image_.patch
+Patch6476: backport-discover-image-also-update-Image.limit-in-image_set_.patch
+Patch6477: backport-machine-split-out-manager_acquire_image-from-image_o.patch
+Patch6478: backport-machine-also-acquire-Image-object-from-cache-when-a-.patch
+Patch6479: backport-machine-fix-use-after-free-in-Rename-DBus-method.patch
+Patch6480: backport-test-sync-journal-before-starting-test.patch
+Patch6481: backport-test-network-split-out-setup_netdevsim.patch
+Patch6482: 
backport-test-network-also-set-custom-altternative-name-for-n.patch
+Patch6483: backport-semaphore-use-variable-for-Salsa-repo-URL.patch
+Patch6484: backport-logind-add-one-more-debug-log.patch
+Patch6485: backport-logind-do-not-fail-creating-a-session-when-request-i.patch
+Patch6486: backport-test-call-journalctl-sync-just-before-reading-journa.patch
+Patch6487: backport-btrfs-util-check-current-offset-before-read.patch
+Patch6488: backport-btrfs-util-add-assert-to-fix-Coverity-warning.patch
+Patch6489: backport-test-extend-timeout-for-DHCP-NDisc-tests.patch
+Patch6490: backport-test-add-a-brief-comment-for-the-chattr-check.patch
+Patch6491: backport-shared-mountpoint-util-for-old-kernels-assume-noreco.patch
+Patch6492: backport-ptyfwd-add-missing-assertions-for-pty_forward_new.patch
+Patch6493: backport-run-when-disconnected-from-PTY-forwarder-exit-event-.patch
+Patch6494: backport-test-wait-for-unit-generated-from-proc-self-mountinf.patch
+Patch6495: backport-test-wait-for-loop-backing_file-attribute-being-remo.patch
+Patch6496: backport-test-wait-a-bit-before-stopping-killing-service.patch
+Patch6497: backport-test-lock-device-during-running-cryptsetup.patch
+Patch6498: backport-test-also-flush-and-rotate-journal-before-read.patch
+Patch6499: backport-lock-util-do-not-expect-EACCES-when-it-cannot-happen.patch
+Patch6500: backport-test-do-not-fail-network-namespace-test-with-permiss.patch
+Patch6501: backport-libsystemd-link-with-z-nodelete.patch
+Patch6502: backport-shared-conf-parser-do-not-print-null-as-section-name.patch
+Patch6503: backport-test-applying-timezone-is-asynchronous.patch
+Patch6504: backport-blockdev-util-partscan-sysattr-now-directly-shows-th.patch
+Patch6505: backport-blockdev-util-also-check-newer-value-of-GENHD_FL_NO_.patch
+Patch6506: backport-blockdev-util-also-check-loop-partscan-sysattr.patch
+Patch6507: backport-tmpfiles-don-t-compare-errno-with-negative-value.patch
+Patch6508: 
backport-executor-check-for-all-permission-related-errnos-whe.patch
+Patch6509: backport-packit-use-Fedora-40.patch
+Patch6510: backport-sd-dhcp-server-clear-buffer-before-receive.patch
+Patch6511: backport-strbuf-use-GREEDY_REALLOC-to-grow-the-buffer.patch
+Patch6512: backport-tpm2-setup-Don-t-fail-if-we-can-t-access-the-TPM-due.patch
+Patch6513: backport-resolved-permit-dnssec-rrtype-questions-when-we-aren.patch
+Patch6514: backport-test-dump-a-simple-summary-at-the-end-of-TEST-02-UNI.patch
+Patch6515: backport-analyze-show-pcrs-also-in-sha384-bank.patch
+Patch6516: backport-fundamental-declare-flex-array-updated-for-gcc15-and.patch
+Patch6517: backport-core-service-fix-accept-socket-deserialization.patch
+Patch6518: backport-install-allow-removing-symlinks-even-for-units-that-.patch
+Patch6519: backport-repart-fix-memory-leak.patch
+Patch6520: backport-core-dbus-manager-mark-unit-file-state-as-outdated-o.patch
+Patch6521: backport-missing_loop.h-fix-LOOP_SET_STATUS_SETTABLE_FLAGS.patch
+Patch6522: backport-efi-api-check-sys-class-tpm-tpm0-tpm_version_major-t.patch
+Patch6523: backport-pcrlock-tweak-error-messages-when-we-are-not-looking.patch
+Patch6524: backport-json-use-secure-un-base64-hex-mem-for-sensitive-vari.patch
+Patch6525: backport-run-do-not-pass-the-pty-slave-fd-to-transient-servic.patch
+Patch6526: backport-chase-Tighten-.-and-.-check.patch
+Patch6527: backport-cgroup-util-Don-t-try-to-open-pidfd-for-pids-from-cg.patch
+Patch6528: backport-json-add-new-dispatch-flag-JSON_ALLOW_EXTENSIONS.patch
+Patch6529: backport-vmspawn-make-sure-are-fine-with-ovmf-metadata-extens.patch
+Patch6530: backport-tree-wide-use-JSON_ALLOW_EXTENSIONS-when-disptching-.patch
+Patch6531: backport-resolvectl-use-JSON_ALLOW_EXTENSIONS.patch
+Patch6532: backport-Use-consistent-spelling-of-systemd.condition_first_b.patch
+Patch6533: backport-meson-bpf-propagate-sysroot-for-cross-compilation.patch
+Patch6534: backport-core-exec-invoke-reopen-OpenFile-fds-with-O_NOCTTY.patch
+Patch6535: backport-Fix-typo-in-CAP_BPF-description-33464.patch
+Patch6536: backport-util-make-file_read-64bit-offset-safe.patch
+Patch6537: backport-cryptsetup-improve-TPM2-blob-display.patch
+Patch6538: backport-core-exec-invoke-use-sched_setattr-instead-of-sched_.patch
+Patch6539: backport-mountpoint-util-do-not-assume-symlinks-are-not-mount.patch
+Patch6540: backport-TEST-58-REPART-reverse-order-of-diff-args.patch
+Patch6541: backport-LICENSES-README-expand-text-to-summarize-state-for-b.patch
+Patch6542: backport-TEST-64-UDEV-STORAGE-Make-nvme_subsystem-expected-pc.patch
+Patch6543: backport-resolved-allow-the-full-TTL-to-be-used-by-OPT-record.patch
+Patch6544: backport-resolved-correct-parsing-of-OPT-extended-RCODEs.patch
+Patch6545: backport-core-unit-follow-merged-units-before-updating-Source.patch
+Patch6546: backport-mkfs-util-Set-sector-size-for-btrfs-as-well.patch
+Patch6547: backport-core-try-again-bind-mounting-if-the-destination-was-.patch
+Patch6548: backport-Conditional-PSI-check-to-reflect-changes-done-in-5.1.patch
+Patch6549: backport-test-install-etc-hosts.patch
+Patch6550: backport-test-fix-TEST-24-CRYPTSETUP-on-SUSE.patch
+Patch6551: backport-coredump-correctly-take-tmpfs-size-into-account-for-.patch
+Patch6552: backport-meson-Define-__TARGET_ARCH-macros-required-by-bpf.patch
+Patch6553: backport-core-dbus-manager-refuse-SoftReboot-for-user-manager.patch
+Patch6554: backport-boot-cover-for-hardware-keys-on-phones-tablets.patch
+Patch6555: backport-os-util-avoid-matching-on-the-wrong-extension-releas.patch
+Patch6556: backport-sysusers-handle-NSS-errors-gracefully.patch
+Patch6557: backport-vmm-make-sure-we-can-handle-smbios-objects-without-v.patch
+Patch6558: backport-meson-build-libsystemd-core-via-an-intermediate-stat.patch
+Patch6559: backport-meson-add-option-to-build-systemd-executor-staticall.patch
+Patch6560: backport-test-do-not-attempt-to-set-xattr-on-tmpfs.patch
+Patch6561: 
backport-systemd-networkd-tests-Skip-tests-requiring-dhcpd-if.patch
+Patch6562: backport-systemctl-skip-triggering-unit-warning-if-unit-vanis.patch
+Patch6563: backport-systemctl-do-not-try-to-acquire-triggering-units-for.patch
+Patch6564: backport-shared-install-drop-unneeded-initialization.patch
+Patch6565: backport-shared-install-propagate-all-errors-in-install_info_.patch
+Patch6566: backport-shared-install-correctly-report-changes-in-install_i.patch
+Patch6567: backport-test-install-root-introduce-test-case-for-33411.patch
+Patch6568: backport-core-cgroup-make-unit_has_host_root_cgroup-take-cons.patch
+Patch6569: backport-path-drop-IN_ATTRIB-from-parent-directory-watches.patch
+Patch6570: backport-fsck-do-not-pull-down-mount-units-on-soft-reboot.patch
+Patch6571: backport-boot-compare-filename-suffixes-without-case.patch
+Patch6572: backport-bootspec-implement-sorting-by-tries-left-done-to-mat.patch
+Patch6573: backport-kernel-install-Remove-existing-loader-entries-and-UK.patch
+Patch6574: backport-gpt-add-more-architecture-aliases.patch
+Patch6575: backport-id128-refuse-app-specific-if-we-re-listing-GPT-types.patch
+Patch6576: backport-sd-device-remove-debug-log-message-when-dirs-are-mis.patch
+Patch6577: backport-meson-fix-missing-failure-if-bpf-framework-was-enabl.patch
+Patch6578: backport-shared-log-error-when-execve-fail.patch
+Patch6579: backport-test-add-a-reproducer-for-33672.patch
+Patch6580: backport-core-unit-ignore-dropins-for-masked-units-completely.patch
+Patch6581: backport-import-creds-when-we-hit-ENOENT-on-SMBIOS-11-do-not-.patch
+Patch6582: backport-zsh-_networkctl-remove-duplicated-argument-for-compl.patch
+Patch6583: backport-core-reliably-check-if-varlink-socket-has-been-deser.patch
+Patch6584: backport-test-fix-subtests-naming.patch
+Patch6585: backport-meson-fix-build.patch
+Patch6586: backport-basic-log-do-not-treat-all-negative-errnos-as-synthe.patch
+Patch6587: backport-logind-dbus-check-auth.-for-all-inhibitor-operations.patch
+Patch6588: backport-sd-event-do-not-assert-on-invalid-signal.patch
+Patch6589: backport-sd-event-change-error-code-EINVAL-EIO.patch
+Patch6590: backport-resize-fs-Put-minimal-ext4-size-in-the-same-ballpark.patch
+Patch6591: backport-kernel-install-remove-depmod-generated-file-modules..patch
+Patch6592: backport-kernel-install-Only-read-cmdline-from-proc-cmdline-w.patch
+Patch6593: backport-kernel-install-Try-some-more-initrd-variants-in-90-l.patch
+Patch6594: backport-cgroup-util-Ignore-kernel-threads-in-cg_kill_items.patch
+Patch6595: backport-network-do-not-bring-down-bound-interfaces-immediate.patch
+Patch6596: backport-Fix-detection-of-TDX-confidential-VM-on-Azure-platfo.patch
+Patch6597: backport-network-call-link_handle_bound_by_list-before-trying.patch
+Patch6598: backport-stub-allocate-and-zero-enough-space-in-legacy-x86-ha.patch
+Patch6599: backport-efi-fix-link-to-legacy-EFI-handover-protocol.patch
+Patch6600: backport-network-request-non-NULL-SSID-when-a-wlan-interface-.patch
+Patch6601: backport-test-extend-firstboot-testing.patch
+Patch6602: backport-firstboot-create-locked-and-empty-root-passwords-con.patch
+Patch6603: backport-firstboot-handle-missing-root-password-entries.patch
+Patch6604: backport-firstboot-fix-root-params-with-creds-and-prompting-d.patch
+Patch6605: backport-execute-Drop-log-level-to-unit-log-level-in-exec_spa.patch
+Patch6606: backport-log-Fix-size-calculation-for-number-of-iovecs.patch
+Patch6607: backport-cgroup-util-Don-t-try-to-open-pidfd-for-kernel-threa.patch
+Patch6608: backport-exec-credential-Log-if-we-skip-duplicate-credential.patch
+Patch6609: backport-import-check-overflow.patch
+Patch6610: backport-resolved-don-t-treat-conn-reset-as-packet-loss.patch
+Patch6611: backport-confidential-virt-split-caching-of-CVM-detection-int.patch
+Patch6612: backport-confidential-virt-add-detection-for-s390x-target.patch
+Patch6613: backport-core-execute-serialize-drop-extraneous-in-ip-in-e-gr.patch
+Patch6614: 
backport-core-execute-serialize-use-serialize_item_escaped-fo.patch
+Patch6615: backport-meson-Use-fstrict-flex-arrays-3.patch
+Patch6616: backport-base-filesystem-do-not-attempt-to-create-a-lib64-usr.patch
+Patch6617: backport-resolve-refuse-invalid-service-without-type-field.patch
+Patch6618: backport-src-pcrlock-pcrlock.c-Handle-empty-pcrlock.d-directo.patch
+Patch6619: backport-sysusers-check-if-requested-group-name-matches-user-.patch
+Patch6620: backport-basic-boot-silence-Wunterminated-string-initializati.patch
+Patch6621: backport-meson-enable-Wunterminated-string-initialization.patch
+Patch6622: backport-core-unit-do-not-use-unit-path-cache-in-unit_need_da.patch
+Patch6623: backport-core-exec-invoke-call-setpriority-after-sched_setatt.patch
+Patch6624: backport-udev-Handle-PTP-device-symlink-properly-on-udev-acti.patch
+Patch6625: backport-test-netlink-Gracefully-handle-the-loopback-interfac.patch
+Patch6626: backport-test-Gracefully-handle-running-within-user-namespace.patch
+Patch6627: backport-test-dhcp-server-Gracefully-handle-the-network-being.patch
+Patch6628: backport-test-allow-to-skip-matrix_run_one-if-TEST_MATCH_TEST.patch
+Patch6629: backport-src-basic-missing_loop.h-fix-missing-LOOP_SET_BLOCK_.patch
+Patch6630: backport-namespace-Fix-extension-release-memory-leak.patch
+Patch6631: backport-bootctl-don-t-load-etc-machine-info-from-cwd.patch
+Patch6632: backport-resolved-clear-the-AD-bit-for-bypass-packets.patch
+Patch6633: backport-repart-Keep-existing-directory-timestamps-intact-whe.patch
+Patch6634: backport-audit-util-check-correct-errno.patch
+Patch6635: backport-nspawn-refuse-to-bind-mount-device-node-from-host-wh.patch
+Patch6636: backport-test-add-test-case-for-systemd-repart-seed-random.patch
+Patch6637: backport-test-fix-indentation.patch
+Patch6638: backport-ask-password-refuse-empty-password-strv.patch
+Patch6639: backport-tree-wide-check-if-non-empty-password-is-acquired.patch
+Patch6640: 
backport-test-mount-ld.so.cache-in-minimal-nspawn-container-i.patch
+Patch6641: backport-portable-ensure-PORTABLE_FORCE_ATTACH-works-even-whe.patch
+Patch6642: backport-seccomp-util-pass-negative-fds-as-is-to-fsync-and-fr.patch
+Patch6643: backport-test-add-tests-for-seccomp_suppress_sync.patch
+Patch6644: backport-tmpfiles-ERRNO_IS_NOINFO-_IS_NEG_-correct-negative-e.patch
+Patch6645: backport-sd-ipv4acd-fix-assertion-triggered-when-an-ARP-recei.patch
+Patch6646: backport-Add-an-extra-debug-log-to-dissect_image.patch
+Patch6647: backport-core-cgroup-Apply-IODevice-directives-in-configured-.patch
+Patch6648: backport-creds-fix-cat-with-encrypted-credentials.patch
+Patch6649: backport-machine-resolve-race-condition-in-TEST-13-NSPAWN.mac.patch
+Patch6650: backport-Fix-reference-to-FileDescriptorStoreMax-directive.patch
+Patch6651: backport-seccomp-util-include-sandbox-in-default.patch
+Patch6652: backport-systemctl-fix-printing-of-RootImageOptions.patch
+Patch6653: backport-Add-posttrans-versions-of-the-systemd-postun-scriptl.patch
+Patch6654: backport-Update-sd_bus_message_append_array.xml.patch
+Patch6655: backport-tree-wide-always-do-dlopen-with-RTLD_NOW-RTLD_NODELE.patch
+Patch6656: backport-tree-wide-Fix-Wformat-warnings.patch
+Patch6657: backport-chase-Fix-shortcut.patch
+Patch6658: backport-test-Add-test-for-per-device-cgroup-properties.patch
+Patch6659: backport-Use-case-insensitive-comparison-for-the-machine-s-ar.patch
+Patch6660: backport-udev-node-skip-stack-directory-creation-for-diskseq.patch
+Patch6661: backport-test-add-test-case-for-issue-34637.patch
+Patch6662: backport-core-warn-if-a-generator-is-world-writable.patch
+Patch6663: backport-various-correct-laccess-error-check.patch
+Patch6664: backport-load-fragment-terminate-the-specifier-table-34421.patch
+Patch6665: backport-semaphore-speed-up-build.patch
+Patch6666: backport-semaphore-move-back-to-autopkgtest-master-branch.patch
+Patch6667: backport-semaphore-remove-workaround-for-adduser.patch
+Patch6668: backport-Semaphore-switch-from-tmp-to-var-tmp-to-avoid-disk-s.patch
+Patch6669: backport-semaphore-stop-building-and-running-extra-unit-tests.patch
+Patch6670: backport-semaphore-do-not-build-docs.patch
+Patch6671: backport-test-drop-removed-SCSI-passthrough-feature.patch
+Patch6672: backport-test-mask-rc.local-generator-broken-on-Jammy.patch
+Patch6673: backport-core-Bump-log-level-of-reexecute-request-to-notice.patch
+Patch6674: backport-core-Log-in-more-scenarios-about-which-process-initi.patch
+Patch6675: backport-mmap-cache-enforce-an-unused-windows-minimum.patch
+Patch6676: backport-mmap-cache-add-some-stats-about-files-windows-unused.patch
+Patch6677: backport-resolved-fix-fastopen-fallback.patch
+Patch6678: backport-time-util-fix-parsing-timestamp-with-NZ-timezone.patch
+Patch6679: backport-time-util-copy-input-string-before-fork.patch
+Patch6680: backport-test-add-test-cases-for-timestamp-with-time-zone.patch
+Patch6681: backport-mount-optimize-mountinfo-traversal-by-decoupling-dev.patch
+Patch6682: backport-meson-sort-includes.patch
+Patch6683: backport-seccomp-allowlist-uretprobe-syscall.patch
+Patch6684: backport-systemd-update-helper-Show-executed-commands-if-debu.patch
+Patch6685: backport-TEST-58-REPART-drop-duplicated-inclusion-of-util.sh.patch
+Patch6686: backport-udev-do-not-try-to-lock-whole-block-device-on-remove.patch
+Patch6687: backport-network-dhcp6-set-hostname-even-if-UseAddress-no.patch
+Patch6688: backport-core-cgroup-fix-IPAddressAllow-IPAddressDeny-set-thr.patch
+Patch6689: backport-TEST-19-CGROUP-add-test-cases-for-IPAddressAllow-IPA.patch
+Patch6690: backport-journalctl-erase-verify-key-before-free.patch
+Patch6691: backport-Fix-maybe-uninitialized-warnings-with-gcc-14.2.patch
+Patch6692: backport-TEST-60-MOUNT-RATELIMIT-wait-for-mount-unit-being-st.patch
+Patch6693: backport-GREEDY_REALLOC_APPEND-Make-more-type-safe.patch
+Patch6694: backport-networkd-raise-limits-on-number-of-address-8x.patch
+Patch6695: 
backport-resolved-refresh-resolv.conf-files-when-link-goes-aw.patch
+Patch6696: backport-dissect-image-uppercase-first-char-of-dissect-error-.patch
+Patch6697: backport-dissect-image-generate-better-log-message-for-EUCLEA.patch
+Patch6698: backport-test-customize-etc-os-release-instead-of-usr-lib-os-.patch
+Patch6699: backport-pcrlock-Take-VirtualSize-SizeOfRawData-into-account.patch
+Patch6700: backport-test-dhcp6-terminate-fqdn-option.patch
+Patch6701: backport-test-CET-EET-are-deprecated-use-Europe-Berlin-and-Ky.patch
+Patch6702: backport-test-execute-update-permission-of-credstore.patch
+Patch6703: backport-logind-allow-read-write-to-char-hvc-devices.patch
+Patch6704: backport-core-don-t-forget-about-fallback_smack_process_label.patch
+Patch6705: backport-sd-event-fix-memleak-when-built-without-assertion.patch
+Patch6706: backport-core-service-use-log_unit_-where-appropriate.patch
+Patch6707: backport-meson-add-loongarch64-s-definition-to-cpu_arch_defin.patch
+Patch6708: backport-sd-common-add-__const__.patch
+Patch6709: backport-sd-id128-mark-functions-as-const-not-pure.patch
+Patch6710: backport-sysv-generator-break-long-message-into-lines.patch
+Patch6711: backport-qrcode-util-add-debug-message-to-show-why-a-qrcode-w.patch
+Patch6712: backport-bsod-do-not-check-for-color-support.patch
+Patch6713: backport-test-terminal-util-print-value-of-colors_enabled.patch
+Patch6714: backport-qrcode-util-avoid-memleak-in-error-path.patch
+Patch6715: backport-TEST-80-NOTIFYACCESS-don-t-specify-pid-if-MAINPID-is.patch
+Patch6716: backport-analyze-Add-times-in-seconds-for-Activating-and-Acti.patch
+Patch6717: backport-bsod-make-message-for-qrcode-more-useful.patch
+Patch6718: backport-cryptenroll-homectl-journalctl-adjust-messages-befor.patch
+Patch6719: backport-test-sbat-separate-the-two-sbat-sections.patch
+Patch6720: backport-core-make-mount-8-and-swapon-8-inherit-SMACK-label-f.patch
+Patch6721: backport-posix_spawn_wrapper-do-not-set-POSIX_SPAWN_SETSIGDEF.patch
+Patch6722: backport-TEST-17-UDEV-Don-t-hardcode-root-device-name.patch
+Patch6723: backport-test-dhcp-client-utilize-log_info-instead-of-printf.patch
+Patch6724: backport-pcrlock-Pad-pe-hash-to-a-multiple-of-8-bytes.patch
+Patch6725: backport-test-fix-tool-name-in-comment.patch
+Patch6726: backport-resolved-log-error-messages-for-openssl-gnutls-conte.patch
+Patch6727: backport-run-handle-gracefully-if-we-can-t-find-binary-client.patch
+Patch6728: backport-udev-skipping-empty-udev-rules-file-while-collecting.patch
+Patch6729: backport-login-fix-session_kill-.-KILL_LEADER-.-35105.patch
+Patch6730: backport-network-tunnel-allow-Local-Remote-any-for-all-tunnel.patch
+Patch6731: backport-core-namespace-honor-MountEntry.read_only-.options-a.patch
+Patch6732: backport-boot-allocate-cleanup-pages-below-4GiB-only-on-x86.patch
+Patch6733: backport-shutdown-clean-up-sync_with_progress-a-bit.patch
+Patch6734: backport-shutdown-teach-sync_with_progress-to-optionally-sync.patch
+Patch6735: backport-shutdown-replace-unbounded-fsync-with-bounded-sync_w.patch
+Patch6736: backport-network-generator-vlan-can-be-specified-multiple-tim.patch
+Patch6737: backport-network-generator-parse-vlan-ID-from-vlan-interface-.patch
+Patch6738: backport-network-generator-drop-wrong-warning-for-rd.peerdns-.patch
+Patch6739: backport-nspawn-ignore-failure-in-creating-dev-net-tun-when-p.patch
+Patch6740: backport-test-skip-TEST-84-STORAGETM-if-running-with-bugged-l.patch
+Patch6741: backport-test-fix-test-scripts-filename-pattern.patch
+Patch6742: backport-pid1-make-clear-that-WATCHDOG_USEC-is-set-for-the-sh.patch
+Patch6743: backport-nspawn-private-users-ownership-value-is-called-chown.patch
+Patch6744: backport-systemctl-grey-out-tasks-limit-the-same-way-we-grey-.patch
+Patch6745: backport-cryptenroll-show-better-log-message-if-slot-to-wipe-.patch
+Patch6746: backport-units-add-initrd-directory-to-list-of-conditions-for.patch
+Patch6747: 
backport-killall-gracefully-handle-processes-inserted-into-co.patch
+Patch6748: backport-core-service-service_add_fd_store-consumes-passed-fd.patch
+Patch6749: backport-cryptenroll-it-s-called-PKCS-11-not-PKCS11.patch
+Patch6750: backport-userbdctl-show-mapped-user-range-only-inside-of-user.patch
+Patch6751: backport-userdbctl-fix-counting.patch
+Patch6752: backport-Undeprecate-commandline-params-forcequotacheck-fastb.patch
+Patch6753: backport-shutdown-close-DM-block-device-before-issuing-DM_DEV.patch
+Patch6754: backport-nspawn-improve-log-message-on-bad-incoming-sd_notify.patch
+Patch6755: backport-curl-util-do-not-configure-new-io-event-source-when-.patch
+Patch6756: backport-sd-varlink-fix-bug-when-enqueuing-messages-with-fds-.patch
+Patch6757: backport-nspawn-don-t-try-to-unregister-a-machine-we-never-re.patch
+Patch6758: backport-tests-fix-access-mode-of-root-inode-of-throw-away-co.patch
+Patch6759: backport-nspawn-make-sure-private-users-ownership-no-and-off-.patch
+Patch6760: backport-nspawn-Include-arm_fadvise64_64-in-syscall-allow_lis.patch
+Patch6761: backport-test-mask-tmpfiles.d-file-shipped-by-selinux-policy-.patch
+Patch6762: backport-execute-free-syscall_log-hashmap-when-done.patch
+Patch6763: backport-packit-test-switch-to-legacy-ci-branch.patch
+Patch6764: backport-logind-group-policy-entries-by-interface.patch
+Patch6765: backport-logind-make-ReleaseSession-unprivileged-and-allow-cl.patch
+Patch6766: backport-sd-daemon-Replace-SO_LINGER-with-shutdown-recv.patch
+Patch6767: backport-sd-daemon-downgrade-log-level-for-library-code-use-c.patch
+Patch6768: backport-shared-initialize-a-couple-of-values-explicitly.patch
+Patch6769: backport-analyze-tab-fix.patch
+Patch6770: backport-test-set-nsec3-salt-length-8-in-knot.conf.patch
+Patch6771: backport-test-capability-CAP_LINUX_IMMUTABLE-is-not-available.patch
+Patch6772: backport-test-fd-util-skip-test-when-lacking-privileges-to-cr.patch
+Patch6773: 
backport-Fixing-VLAN-ranges-in-man-systemd.network.patch +Patch6774: backport-journalctl-honor-quiet-with-setup-keys.patch +Patch6775: backport-dbus-log-disconnect-on-api-and-system-busses.patch +Patch6776: backport-manager-add-list-of-subscribers-to-dump-info.patch +Patch6777: backport-battery-check-parse-options-before-checking-for-kern.patch +Patch6778: backport-test-loop-block-return-77-on-skip-in-more-places.patch +Patch6779: backport-logind-let-system-wide-idle-begin-at-the-time-logind.patch +Patch6780: backport-semaphore-bump-timeout.patch +Patch6781: backport-networkd-show-wireguard-private-key-read-error-numbe.patch +Patch6782: backport-systemctl-edit-ignore-ENOENT-from-unit_is_masked.patch +Patch6783: backport-resolved-if-one-transaction-completes-expect-other-t.patch +Patch6784: backport-test-time-util-do-more-suppression-of-time-zone-chec.patch +Patch6785: backport-test-time-util-fix-truncation-of-usec-to-sec.patch +Patch6786: backport-core-fix-assert-when-AddDependencyUnitFiles-is-calle.patch +Patch6787: backport-sd-device-add-missing-debugging-log.patch +Patch6788: backport-shared-hibernate-util-don-t-attempt-to-fiemap-fd-if-.patch +Patch6789: backport-shared-hibernate-util-handle-the-case-where-no-swap-.patch +Patch6790: backport-locale-setup-do-not-load-locale-from-environemnt-whe.patch +Patch6791: backport-machine-GC-machine-when-no-leader-PID-is-set.patch +Patch6792: backport-core-unit-serialize-fix-serialization-of-markers.patch +Patch6793: backport-test-answer-2nd-mdadm-create-question-for-compat-wit.patch +Patch6794: backport-stdio-bridge-fix-polled-fds.patch +Patch6795: backport-core-drop-unnecessary-auto_fs4.h-inclusion.patch +Patch6796: backport-linux-import-input.h-and-friends.patch +Patch6797: backport-boot-Improve-log-message.patch +Patch6798: backport-efivars-deal-with-uncommitted-efi-variables.patch +Patch6799: backport-core-device-do-not-drop-backslashes-in-SYSTEMD_WANTS.patch +Patch6800: 
backport-process-util-do-not-unblock-unrelated-signals-while-.patch +Patch6801: backport-stub-drop-PE-sections-parsing-cap.patch +Patch6802: backport-bus-wait-for-jobs-fix-service-result-table.patch +Patch6803: backport-core-job-never-consider-reload-jobs-redundant.patch +Patch6804: backport-systemctl-fix-memleak.patch +Patch6805: backport-random-util-fix-compilation-error.patch +Patch6806: backport-kbd-model-map-add-a-georgian-mapping.patch +Patch6807: backport-core-add-trigger-to-path-unit-debug-log.patch +Patch6808: backport-meson-generate-keyboard-keys-list-from-local-input.h.patch +Patch6809: backport-Fix-tense-in-SD_MESSAGE_SHUTDOWN_STR.patch +Patch6810: backport-resolved-fix-DNSSEC-missing-key-error.patch +Patch6811: backport-meson-Skip-getent-when-it-s-not-found.patch +Patch6812: backport-meson-also-skip-uid-gid-check-for-nobody-user-group-.patch +Patch6813: backport-userdb-reset-errno-before-getpwent.patch +Patch6814: backport-test-network-add-test-case-for-requesting-routing-po.patch +Patch6815: backport-missing_sched-add-CLONE_PIDFD.patch +Patch6816: backport-tmpfiles-fix-copypasta-in-create_symlink-FIFO-symlin.patch +Patch6817: backport-udev-worker-add-debugging-log-about-success-of-flock.patch +Patch6818: backport-udev-watch-mention-that-the-failure-is-ignored.patch +Patch6819: backport-udev-watch-do-not-try-to-remove-invalid-watch-handle.patch +Patch6820: backport-core-condition-fix-segfault-when-key-not-found-in-os.patch +Patch6821: backport-dissect-fix-log_debug_errno-assert-due-to-r-0.patch +Patch6822: backport-shell-completion-add-kernel-identify-inspect-verbs-f.patch +Patch6823: backport-fuzz-decompress_startswith-may-return-zero.patch +Patch6824: backport-fuzz-tentatively-disable-fuzz-compress-on-oss-fuzz.patch +Patch6825: backport-copy-Invoke-hardlink-context-cleanup-before-restorin.patch +Patch6826: backport-tpm2-setup-add-missing-O_CLOEXEC-at-two-places.patch +Patch6827: backport-core-service-do-not-propagate-reload-for-combined-RE.patch 
+Patch6828: backport-meson-Add-missing-dbus_programs-dependency-on-update.patch +Patch6829: backport-libfido2-util-accept-cached-pin-in-fido2_generate_hm.patch +Patch6830: backport-machine-id-setup-bhyve-also-provides-a-uuid.patch +Patch6831: backport-recurse-dir-fix-wrong-assertion-and-error-code-in-lo.patch +Patch6832: backport-sd-id128-gracefully-handle-systems-where-kernel-keyr.patch +Patch6833: backport-TEST-13-NSPAWN.nss-mymachines-Use-negative-matching-.patch +Patch6834: backport-async-voidify-call-of-fsync.patch +Patch6835: backport-pe-binary-fix-array-overrun.patch +Patch6836: backport-hwdb-util-drop-unused-value-assignment.patch +Patch6837: backport-resolved-pick-up-new-DNSSEC-KSC-from-2024.patch +Patch6838: backport-dns-stream-only-read-DNS-packet-data-if-we-identifie.patch +Patch6839: backport-timedate-handle-gracefully-if-RTC-lost-time-because-.patch +Patch6840: backport-99-systemd.rules-rework-SYSTEMD_READY-logic-for-devi.patch + +Patch6841: backport-Revert-sysctl.d-switch-net.ipv4.conf.all.rp_filter-f.patch +Patch6842: backport-Avoid-tmp-being-mounted-as-tmpfs-without-the-user-s-.patch +Patch6843: backport-temporarily-disable-test-seccomp.patch +Patch6844: backport-pid1-add-env-var-to-override-default-mount-rate-limit-interval.patch + #fix CVE-2025-4598 -Patch6655: backport-0001-coredump-restore-compatibility-with-older-patterns.patch -Patch6656: backport-0002-coredump-get-rid-of-_META_MANDATORY_MAX.patch -Patch6657: backport-CVE-2025-4598-coredump-use-d-in-kernel-core-pattern.patch -Patch6658: backport-0001-coredump-also-stop-forwarding-non-dumpable-processes.patch -Patch6659: backport-0002-coredump-get-rid-of-a-bogus-assertion.patch -# fix ISSUE[#ICVCYY] -Patch6660: backport-systemctl-fix-memleak.patch +Patch6845: backport-fix-memory-leak-in-cryptsetup-generator.patch +Patch6848: backport-0001-coredump-restore-compatibility-with-older-patterns.patch +Patch6849: backport-0002-coredump-get-rid-of-_META_MANDATORY_MAX.patch +Patch6850: 
backport-CVE-2025-4598-coredump-use-d-in-kernel-core-pattern.patch +Patch6851: backport-0001-coredump-also-stop-forwarding-non-dumpable-processes.patch +Patch6852: backport-0002-coredump-get-rid-of-a-bogus-assertion.patch Patch9008: update-rtc-with-system-clock-when-shutdown.patch Patch9009: udev-add-actions-while-rename-netif-failed.patch @@ -1703,6 +2494,9 @@ fi %{_unitdir}/veritysetup.target %changelog +* Thu Sep 04 2025 hongjinghao - 255-47 +- sync patches from upstream systemd-stable v255.18 + * Wed Sep 03 2025 Linux_zhang - 255-46 - sync patch from systemd community diff --git a/treat-underscore-as-valid-hostname-char.patch b/treat-underscore-as-valid-hostname-char.patch index 6472129..31fb748 100644 --- a/treat-underscore-as-valid-hostname-char.patch +++ b/treat-underscore-as-valid-hostname-char.patch @@ -65,7 +65,7 @@ index 6224a4d..05ef833 100755 "ip=10.0.0.1:::255.255.255::foo99:off" - "ip=10.0.0.1:::255.255.255.0:invalid_hostname:foo99:off" "ip=10.0.0.1:::255.255.255.0::verylonginterfacename:off" - "ip=:::::dhcp99:dhcp6:0" + "ip=:::::dhcp99:dhcp6:4294967296" "ip=:::::dhcp99:dhcp6:-1" -- 2.39.1 -- Gitee