From e35d44cab6450b27e18198b908e9d0f3d63d1485 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?=
Date: Tue, 3 Mar 2020 13:51:43 +0100
Subject: [PATCH 01/23] Don't require /proc to be mounted for systemd-sysusers to work
---
 ...fferent-errnos-to-express-one-condit.patch | 53 +++++++
 ...d-a-version-of-chmod_and_chown-that-.patch | 144 ++++++++++++++++++
 ...rs-do-not-require-proc-to-be-mounted.patch | 113 ++++++++++++++
 systemd.spec | 9 +-
 4 files changed, 318 insertions(+), 1 deletion(-)
 create mode 100644 0001-sysusers-many-different-errnos-to-express-one-condit.patch
 create mode 100644 0002-basic-fs-util-add-a-version-of-chmod_and_chown-that-.patch
 create mode 100644 0003-sysusers-do-not-require-proc-to-be-mounted.patch
diff --git a/0001-sysusers-many-different-errnos-to-express-one-condit.patch b/0001-sysusers-many-different-errnos-to-express-one-condit.patch
new file mode 100644
index 0000000..a7ce05d
--- /dev/null
+++ b/0001-sysusers-many-different-errnos-to-express-one-condit.patch
@@ -0,0 +1,53 @@ +From e3ba241cd4003ee6eb6704e8c53240687534d6ce Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Tue, 3 Mar 2020 10:18:32 +0100 +Subject: [PATCH] sysusers: many different errnos to express one condition + +See https://bugzilla.redhat.com/show_bug.cgi?id=1807768. It turns +out that sysusers cannot query if the group exists: +Failed to check if group dnsmasq already exists: No such process +... +Failed to check if group systemd-timesync already exists: No such process + +When the same command is executed later, the issue does not occur. Not sure why +the behaviour in the initial transaction is different. But let's accept all +errors that the man pages list. +--- + src/sysusers/sysusers.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/src/sysusers/sysusers.c b/src/sysusers/sysusers.c +index 2771fd959f..1b1f19e817 100644 +--- a/src/sysusers/sysusers.c ++++ b/src/sysusers/sysusers.c +@@ -94,6 +94,12 @@ STATIC_DESTRUCTOR_REGISTER(database_groups, set_free_freep); + STATIC_DESTRUCTOR_REGISTER(uid_range, freep); + STATIC_DESTRUCTOR_REGISTER(arg_root, freep); + ++static int errno_is_not_exists(int code) { ++ /* See getpwnam(3) and getgrnam(3): those codes and others can be returned if the user or group are ++ * not found. 
*/ ++ return IN_SET(code, 0, ENOENT, ESRCH, EBADF, EPERM); ++} ++ + static int load_user_database(void) { + _cleanup_fclose_ FILE *f = NULL; + const char *passwd_path; +@@ -971,7 +977,7 @@ static int add_user(Item *i) { + + return 0; + } +- if (!IN_SET(errno, 0, ENOENT)) ++ if (!errno_is_not_exists(errno)) + return log_error_errno(errno, "Failed to check if user %s already exists: %m", i->name); + } + +@@ -1108,7 +1114,7 @@ static int get_gid_by_name(const char *name, gid_t *gid) { + *gid = g->gr_gid; + return 0; + } +- if (!IN_SET(errno, 0, ENOENT)) ++ if (!errno_is_not_exists(errno)) + return log_error_errno(errno, "Failed to check if group %s already exists: %m", name); + } + diff --git a/0002-basic-fs-util-add-a-version-of-chmod_and_chown-that-.patch b/0002-basic-fs-util-add-a-version-of-chmod_and_chown-that-.patch new file mode 100644 index 0000000..729f4f8 --- /dev/null +++ b/0002-basic-fs-util-add-a-version-of-chmod_and_chown-that-.patch 
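Review bot: `errno_is_not_exists()` now maps EPERM and EBADF to "entry not found", so in `add_user()` and `get_gid_by_name()` a lookup that failed for an unrelated reason cannot be told apart from a missing entry, and the code falls through to the creation path. getpwnam(3) does list these codes, but if a name-service module returns one of them for an account that exists, sysusers would presumably go on to allocate a second entry for the same name with nothing in the log. I would keep the wider set but leave a record when it is used, e.g. `if (!IN_SET(errno, 0, ENOENT)) log_debug_errno(errno, "Treating lookup error for %s as not found: %m", name);` ahead of the existing check (with `i->name` in `add_user()`). The helper is a predicate, so `static bool errno_is_not_exists(int code)` would read better than `int`. Both callers' bodies continue outside the hunks shown.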
@@ -0,0 +1,144 @@ +From 6cb356ca9fe063846cfb883ef484f7e7e411096c Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Tue, 3 Mar 2020 11:51:50 +0100 +Subject: [PATCH 2/3] basic/fs-util: add a version of chmod_and_chown that + doesn not use /proc + +--- + src/basic/fs-util.c | 46 +++++++++++++++++++++++++++++++++++++++++ + src/basic/fs-util.h | 1 + + src/test/test-fs-util.c | 45 ++++++++++++++++++++++++++++++++++++++++ + 3 files changed, 92 insertions(+) + +diff --git a/src/basic/fs-util.c b/src/basic/fs-util.c +index f8095e85d8..558cafbcaf 100644 +--- a/src/basic/fs-util.c ++++ b/src/basic/fs-util.c +@@ -272,6 +272,52 @@ int fchmod_and_chown(int fd, mode_t mode, uid_t uid, gid_t gid) { + return do_chown || do_chmod; + } + ++int chmod_and_chown_unsafe(const char *path, mode_t mode, uid_t uid, gid_t gid) { ++ bool do_chown, do_chmod; ++ struct stat st; ++ ++ assert(path); ++ ++ /* Change ownership and access mode of the specified path, see description of fchmod_and_chown(). ++ * Should only be used on trusted paths. */ ++ ++ if (lstat(path, &st) < 0) ++ return -errno; ++ ++ do_chown = ++ (uid != UID_INVALID && st.st_uid != uid) || ++ (gid != GID_INVALID && st.st_gid != gid); ++ ++ do_chmod = ++ !S_ISLNK(st.st_mode) && /* chmod is not defined on symlinks */ ++ ((mode != MODE_INVALID && ((st.st_mode ^ mode) & 07777) != 0) || ++ do_chown); /* If we change ownership, make sure we reset the mode afterwards, since chown() ++ * modifies the access mode too */ ++ ++ if (mode == MODE_INVALID) ++ mode = st.st_mode; /* If we only shall do a chown(), save original mode, since chown() might break it. 
*/ ++ else if ((mode & S_IFMT) != 0 && ((mode ^ st.st_mode) & S_IFMT) != 0) ++ return -EINVAL; /* insist on the right file type if it was specified */ ++ ++ if (do_chown && do_chmod) { ++ mode_t minimal = st.st_mode & mode; /* the subset of the old and the new mask */ ++ ++ if (((minimal ^ st.st_mode) & 07777) != 0) ++ if (chmod(path, minimal & 07777) < 0) ++ return -errno; ++ } ++ ++ if (do_chown) ++ if (lchown(path, uid, gid) < 0) ++ return -errno; ++ ++ if (do_chmod) ++ if (chmod(path, mode & 07777) < 0) ++ return -errno; ++ ++ return do_chown || do_chmod; ++} ++ + int fchmod_umask(int fd, mode_t m) { + mode_t u; + int r; +diff --git a/src/basic/fs-util.h b/src/basic/fs-util.h +index 78d68be9fd..6b9ade2ec1 100644 +--- a/src/basic/fs-util.h ++++ b/src/basic/fs-util.h +@@ -34,6 +34,7 @@ int readlink_and_make_absolute(const char *p, char **r); + + int chmod_and_chown(const char *path, mode_t mode, uid_t uid, gid_t gid); + int fchmod_and_chown(int fd, mode_t mode, uid_t uid, gid_t gid); ++int chmod_and_chown_unsafe(const char *path, mode_t mode, uid_t uid, gid_t gid); + + int fchmod_umask(int fd, mode_t mode); + int fchmod_opath(int fd, mode_t m); +diff --git a/src/test/test-fs-util.c b/src/test/test-fs-util.c +index d0c6fb82bf..d97ccfda3b 100644 +--- a/src/test/test-fs-util.c ++++ b/src/test/test-fs-util.c +@@ -802,6 +802,50 @@ static void test_chmod_and_chown(void) { + assert_se(S_ISLNK(st.st_mode)); + } + ++static void test_chmod_and_chown_unsafe(void) { ++ _cleanup_(rm_rf_physical_and_freep) char *d = NULL; ++ _unused_ _cleanup_umask_ mode_t u = umask(0000); ++ struct stat st; ++ const char *p; ++ ++ if (geteuid() != 0) ++ return; ++ ++ log_info("/* %s */", __func__); ++ ++ assert_se(mkdtemp_malloc(NULL, &d) >= 0); ++ ++ p = strjoina(d, "/reg"); ++ assert_se(mknod(p, S_IFREG | 0123, 0) >= 0); ++ ++ assert_se(chmod_and_chown_unsafe(p, S_IFREG | 0321, 1, 2) >= 0); ++ assert_se(chmod_and_chown_unsafe(p, S_IFDIR | 0555, 3, 4) == -EINVAL); ++ ++ assert_se(lstat(p, 
&st) >= 0); ++ assert_se(S_ISREG(st.st_mode)); ++ assert_se((st.st_mode & 07777) == 0321); ++ ++ p = strjoina(d, "/dir"); ++ assert_se(mkdir(p, 0123) >= 0); ++ ++ assert_se(chmod_and_chown_unsafe(p, S_IFDIR | 0321, 1, 2) >= 0); ++ assert_se(chmod_and_chown_unsafe(p, S_IFREG | 0555, 3, 4) == -EINVAL); ++ ++ assert_se(lstat(p, &st) >= 0); ++ assert_se(S_ISDIR(st.st_mode)); ++ assert_se((st.st_mode & 07777) == 0321); ++ ++ p = strjoina(d, "/lnk"); ++ assert_se(symlink("idontexist", p) >= 0); ++ ++ assert_se(chmod_and_chown_unsafe(p, S_IFLNK | 0321, 1, 2) >= 0); ++ assert_se(chmod_and_chown_unsafe(p, S_IFREG | 0555, 3, 4) == -EINVAL); ++ assert_se(chmod_and_chown_unsafe(p, S_IFDIR | 0555, 3, 4) == -EINVAL); ++ ++ assert_se(lstat(p, &st) >= 0); ++ assert_se(S_ISLNK(st.st_mode)); ++} ++ + int main(int argc, char *argv[]) { + test_setup_logging(LOG_INFO); + +@@ -819,6 +863,7 @@ int main(int argc, char *argv[]) { + test_fsync_directory_of_file(); + test_rename_noreplace(); + test_chmod_and_chown(); ++ test_chmod_and_chown_unsafe(); + + return 0; + } diff --git a/0003-sysusers-do-not-require-proc-to-be-mounted.patch b/0003-sysusers-do-not-require-proc-to-be-mounted.patch new file mode 100644 index 0000000..c5a1964 --- /dev/null +++ b/0003-sysusers-do-not-require-proc-to-be-mounted.patch 
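Review bot: `chmod_and_chown_unsafe()` decides what to do from an `lstat()` result and then calls `chmod(path, ...)`, which resolves the path again and follows symlinks, so the `S_ISLNK` check only holds if nothing can replace the path between the two calls. The in-function comment says just "Should only be used on trusted paths", and the new declaration in fs-util.h carries no warning at all. I would state the precondition where callers will see it, e.g. `/* Not race-free: lstat() and chmod() resolve the path separately. Only for paths whose every directory component is writable by the caller alone. */` in the function, plus a one-line pointer to it above the prototype. The added test covers file type and mode for regular file, directory and symlink, but never checks `st.st_uid`/`st.st_gid` after the calls, so the chown half is only exercised, not verified.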
@@ -0,0 +1,113 @@ +From 1fb5a5edc7c175ea0cd85a1e3a5af8d54084a891 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Tue, 3 Mar 2020 11:58:07 +0100 +Subject: [PATCH 3/3] sysusers: do not require /proc to be mounted + +We're operating on known paths in root-owned directories here, so the detour +through toctou-safe methods that require /proc to be mounted is not necessary. +Should fix https://bugzilla.redhat.com/show_bug.cgi?id=1807768. +--- + src/sysusers/sysusers.c | 22 +++++++++++----------- + 1 file changed, 11 insertions(+), 11 deletions(-) + +diff --git a/src/sysusers/sysusers.c b/src/sysusers/sysusers.c +index 1b1f19e817..f7cc7e0900 100644 +--- a/src/sysusers/sysusers.c ++++ b/src/sysusers/sysusers.c +@@ -199,7 +199,7 @@ static int load_group_database(void) { + static int make_backup(const char *target, const char *x) { + _cleanup_close_ int src = -1; + _cleanup_fclose_ FILE *dst = NULL; +- _cleanup_free_ char *temp = NULL; ++ _cleanup_free_ char *dst_tmp = NULL; + char *backup; + struct timespec ts[2]; + struct stat st; +@@ -216,7 +216,7 @@ static int make_backup(const char *target, const char *x) { + if (fstat(src, &st) < 0) + return -errno; + +- r = fopen_temporary_label(target, x, &dst, &temp); ++ r = fopen_temporary_label(target, x, &dst, &dst_tmp); + if (r < 0) + return r; + +@@ -230,7 +230,7 @@ static int make_backup(const char *target, const char *x) { + backup = strjoina(x, "-"); + + /* Copy over the access mask */ +- r = fchmod_and_chown(fileno(dst), st.st_mode & 07777, st.st_uid, st.st_gid); ++ r = chmod_and_chown_unsafe(dst_tmp, st.st_mode & 07777, st.st_uid, st.st_gid); + if (r < 0) + log_warning_errno(r, "Failed to change access mode or ownership of %s: %m", backup); + +@@ -243,7 +243,7 @@ static int make_backup(const char *target, const char *x) { + if (r < 0) + goto fail; + +- if (rename(temp, backup) < 0) { ++ if (rename(dst_tmp, backup) < 0) { + r = -errno; + goto fail; + } +@@ -251,7 +251,7 @@ static int 
make_backup(const char *target, const char *x) { + return 0; + + fail: +- (void) unlink(temp); ++ (void) unlink(dst_tmp); + return r; + } + +@@ -345,13 +345,13 @@ static int putsgent_with_members(const struct sgrp *sg, FILE *gshadow) { + } + #endif + +-static int sync_rights(FILE *from, FILE *to) { ++static int sync_rights(FILE *from, const char *to) { + struct stat st; + + if (fstat(fileno(from), &st) < 0) + return -errno; + +- return fchmod_and_chown(fileno(to), st.st_mode & 07777, st.st_uid, st.st_gid); ++ return chmod_and_chown_unsafe(to, st.st_mode & 07777, st.st_uid, st.st_gid); + } + + static int rename_and_apply_smack(const char *temp_path, const char *dest_path) { +@@ -389,7 +389,7 @@ static int write_temporary_passwd(const char *passwd_path, FILE **tmpfile, char + original = fopen(passwd_path, "re"); + if (original) { + +- r = sync_rights(original, passwd); ++ r = sync_rights(original, passwd_tmp); + if (r < 0) + return r; + +@@ -491,7 +491,7 @@ static int write_temporary_shadow(const char *shadow_path, FILE **tmpfile, char + original = fopen(shadow_path, "re"); + if (original) { + +- r = sync_rights(original, shadow); ++ r = sync_rights(original, shadow_tmp); + if (r < 0) + return r; + +@@ -588,7 +588,7 @@ static int write_temporary_group(const char *group_path, FILE **tmpfile, char ** + original = fopen(group_path, "re"); + if (original) { + +- r = sync_rights(original, group); ++ r = sync_rights(original, group_tmp); + if (r < 0) + return r; + +@@ -687,7 +687,7 @@ static int write_temporary_gshadow(const char * gshadow_path, FILE **tmpfile, ch + if (original) { + struct sgrp *sg; + +- r = sync_rights(original, gshadow); ++ r = sync_rights(original, gshadow_tmp); + if (r < 0) + return r; + diff --git a/systemd.spec b/systemd.spec index a6e5188..cc47b2d 100644 --- a/systemd.spec +++ b/systemd.spec 
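Review bot: In `make_backup()` and `sync_rights()` the destination is still open as a stream when its mode and owner are set, so switching to the path-based `chmod_and_chown_unsafe()` gives up fd-based safety that is not needed in order to avoid /proc. Assuming `fopen_temporary_label()` hands back an ordinarily opened (not O_PATH) descriptor, plain `fchown(fileno(to), st.st_uid, st.st_gid)` followed by `fchmod(fileno(to), st.st_mode & 07777)` works without /proc and cannot be redirected by a rename or symlink swap of the temporary name. That would also let `sync_rights()` keep its `FILE *to` parameter and leave the four `write_temporary_*()` call sites unchanged. These temporaries become passwd, shadow, group and gshadow, so I would rather not rest on the "root-owned directories" argument in the commit message when `arg_root` can point the tool at another tree. The bodies of `make_backup()` and the `write_temporary_*()` functions continue outside the hunks.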
@@ -15,7 +15,7 @@ Name: systemd Url: https://www.freedesktop.org/wiki/Software/systemd Version: 245~rc1 -Release: 3%{?commit:.git%{shortcommit}}%{?dist} +Release: 4%{?commit:.git%{shortcommit}}%{?dist} # For a breakdown of the licensing, see README License: LGPLv2+ and MIT and GPLv2+ Summary: System and Service Manager @@ -70,6 +70,10 @@ Patch0001: https://github.com/keszybz/systemd/commit/464a73411c13596a130a7a Patch0010: https://github.com/systemd/systemd/commit/99fdffaa194cbfed659b0c1bfd0ace4bfcd2a245.patch +Patch0002: 0001-sysusers-many-different-errnos-to-express-one-condit.patch +Patch0003: 0002-basic-fs-util-add-a-version-of-chmod_and_chown-that-.patch +Patch0004: 0003-sysusers-do-not-require-proc-to-be-mounted.patch + Patch0998: 0998-resolved-create-etc-resolv.conf-symlink-at-runtime.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1803293 @@ -742,6 +746,9 @@ fi %files tests -f .file-list-tests %changelog +* Tue Mar 3 2020 Zbigniew Jędrzejewski-Szmek - 245~rc1-4 +- Don't require /proc to be mounted for systemd-sysusers to work (#1807768) + * Tue Feb 18 2020 Adam Williamson - 245~rc1-3 - Revert 097537f0 to fix plymouth etc. running when they shouldn't (#1803293) From 83daa084ee74f60f8970d16f2abc7f4dd6e82526 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Thu, 26 Mar 2020 14:48:21 +0100 Subject: [PATCH 02/23] Update to v245.3 --- sources | 2 +- systemd.spec | 5 ++++- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/sources b/sources index 2e5faaf..191b5b1 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (systemd-245.2.tar.gz) = 05e40d0b93ebd7b709d16b5f6d75f3da84417e9a401d7726fe7876328e1408c9c29818b5bcc3f5889f17f8e6af889f87dc2f78f348f2aa023e0d6bfed41b0554 +SHA512 (systemd-245.3.tar.gz) = 3a27bf8b13ae4170f6e94c4af79668f6b9f8a89f414dded7de1f62f777dcb2ba3870883860131121e287f5389a54c5cc3d0badf1499b575978ee7b74f35ce3e4 diff --git a/systemd.spec b/systemd.spec index bd9d2ec..2703d1f 100644 --- a/systemd.spec 
+++ b/systemd.spec @@ -16,7 +16,7 @@ Name: systemd Url: https://www.freedesktop.org/wiki/Software/systemd -Version: 245.2 +Version: 245.3 Release: 1%{?commit:.git%{shortcommit}}%{?dist} # For a breakdown of the licensing, see README License: LGPLv2+ and MIT and GPLv2+ @@ -758,6 +758,9 @@ fi %files tests -f .file-list-tests %changelog +* Thu Mar 26 2020 Zbigniew Jędrzejewski-Szmek - 245.3-1 +- Update to latest stable version (no issue that got reported in bugzilla) + * Wed Mar 18 2020 Zbigniew Jędrzejewski-Szmek - 245.2-1 - Update to latest stable version (a few bug fixes for random things) (#1798776, #1807485) From d554c9a33b6e74975a3418777de8248ba66af240 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Wed, 1 Apr 2020 19:50:13 +0200 Subject: [PATCH 03/23] Move man pages for pam_systemd and pam_systemd_home to -pam subpackage Fixes rpmlint: systemd-pam.x86_64: W: no-documentation (cherry picked from commit 48edd5b3a5f2f8c1c7419a199475e6158338cd0d) --- split-files.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/split-files.py b/split-files.py index 71371ca..d663b61 100644 --- a/split-files.py +++ b/split-files.py @@ -46,7 +46,7 @@ for file in files(buildroot): /var(/cache|/log|/lib|/run|)$ ''', n, re.X): continue - if '/security/pam_' in n: + if '/security/pam_' in n or '/man8/pam_' in n: o = o_pam elif '/rpm/' in n: o = o_rpm_macros From c75876b0c85f5b6b6b618979e8e7c60786ba031e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Wed, 1 Apr 2020 19:55:01 +0200 Subject: [PATCH 04/23] Remove %{shortcommit} reference in %description Nowadays most builds happen from stable releases, so %shortcommit is not defined, which rpmlint justly warns about. (cherry picked from commit 24d7f17342eab4726508bd2eef65d3aa27e14a76) --- systemd.spec | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/systemd.spec b/systemd.spec index 2703d1f..3fd2677 100644 --- a/systemd.spec 
+++ b/systemd.spec @@ -180,8 +180,7 @@ runtime directories and settings, and daemons to manage simple network configuration, network time synchronization, log forwarding, and name resolution. %if 0%{?stable} -This package was built from the %{version}-stable branch of systemd, -commit https://github.com/systemd/systemd-stable/commit/%{shortcommit}. +This package was built from the %{version}-stable branch of systemd. %endif %package libs From 813161271cf7ce9016ae259d60575853e857104b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Wed, 1 Apr 2020 20:43:05 +0200 Subject: [PATCH 05/23] Update to v245.4 (cherry picked from commit 91fd7acc9efc21ff251f1689d1832750a870d830) --- sources | 2 +- systemd.spec | 5 ++++- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/sources b/sources index 191b5b1..071996e 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (systemd-245.3.tar.gz) = 3a27bf8b13ae4170f6e94c4af79668f6b9f8a89f414dded7de1f62f777dcb2ba3870883860131121e287f5389a54c5cc3d0badf1499b575978ee7b74f35ce3e4 +SHA512 (systemd-245.4.tar.gz) = 02036bb1ab05301a9d0dfdd4b9c9376e90134474482531e6e292122380be2f24f99177493dd3af6f8af1a8ed2599ee0996da91a3b1b7872bbfaf26a1c3e61b4c diff --git a/systemd.spec b/systemd.spec index 3fd2677..f972d72 100644 --- a/systemd.spec +++ b/systemd.spec @@ -16,7 +16,7 @@ Name: systemd Url: https://www.freedesktop.org/wiki/Software/systemd -Version: 245.3 +Version: 245.4 Release: 1%{?commit:.git%{shortcommit}}%{?dist} # For a breakdown of the licensing, see README License: LGPLv2+ and MIT and GPLv2+ @@ -757,6 +757,9 @@ fi %files tests -f .file-list-tests %changelog +* Wed Apr 1 2020 Zbigniew Jędrzejewski-Szmek - 245.4-1 +- Update to latest stable version (#1814454) + * Thu Mar 26 2020 Zbigniew Jędrzejewski-Szmek - 245.3-1 - Update to latest stable version (no issue that got reported in bugzilla) From 27e3b915a47af78655dc5cffdf277f16c76e4525 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Wed, 1 Apr 2020 19:42:04 +0200 Subject: [PATCH 06/23] Fix some rpmlint issues and add filter for others (cherry picked from commit be4317e8bfbd70f493b9e7069a5eae6eb1ceb9ff) --- split-files.py | 1 + systemd.rpmlintrc | 50 +++++++++++++++++++++++++++++++++++++++++++++++ systemd.spec | 8 ++++---- 3 files changed, 55 insertions(+), 4 deletions(-) create mode 100644 systemd.rpmlintrc diff --git a/split-files.py b/split-files.py index d663b61..f3e3aa6 100644 --- a/split-files.py +++ b/split-files.py @@ -43,6 +43,7 @@ for file in files(buildroot): /etc(/pam\.d|/xdg|/X11|/X11/xinit|/X11.*\.d|)$| /etc/(dnf|dnf/protected.d)$| /usr/(src|lib/debug)| # no $ + /run$| /var(/cache|/log|/lib|/run|)$ ''', n, re.X): continue diff --git a/systemd.rpmlintrc b/systemd.rpmlintrc new file mode 100644 index 0000000..6bb8cb0 --- /dev/null +++ b/systemd.rpmlintrc 
@@ -0,0 +1,50 @@ +# Just kill all warnings about README being wrong in every possible way +addFilter(r'README') + +addFilter(r'missing-call-to-(chdir-with-chroot|setgroups-before-setuid)') + +addFilter(r'executable-marked-as-config-file /etc/X11/xinit/xinitrc.d/50-systemd-user.sh') + +addFilter(r'non-readable /etc/crypttab') + +addFilter(r'non-conffile-in-etc /etc/inittab') + +addFilter(r'systemd-unit-in-etc /etc/systemd/.*\.wants') + +addFilter(r'dangling-relative-symlink /usr/lib/environment.d/99-environment.conf ../../../etc/environment') + +addFilter(r'devel-file-in-non-devel-package /usr/share/pkgconfig/(systemd|udev).pc') + +addFilter(r'non-standard-dir-perm /var/cache/private 700') + +addFilter(r'non-root-group-log-file /var/log/btmp utmp') + +addFilter(r'non-standard-dir-perm /var/log/private 700') + +addFilter(r'non-root-group-log-file /var/log/wtmp utmp') + +addFilter(r'dangerous-command-in-') + +addFilter(r'summary-not-capitalized C systemd') + +addFilter(r'obsolete-not-provided') + +addFilter(r'postin-without-ldconfig') + +addFilter(r'systemd-rpm-macros.noarch: W: only-non-binary-in-usr-lib') + +addFilter(r'systemd-rpm-macros.noarch: W: no-documentation') + +addFilter(r'systemd-tests\..*: W: no-documentation') + +addFilter(r'systemd-tests.*: E: zero-length /usr/lib/systemd/tests/testdata/test-umount/empty.mountinfo') + +addFilter(r'hardcoded-library-path in.*(firewalld|install.d)') + +# everybody does it this way: systemd, syslog-ng, rsyslog +addFilter(r'unversioned-explicit-provides syslog') + +# systemd-machine-id-setup requires libssl +addFilter(r'explicit-lib-dependency openssl-libs') + +addFilter(r'systemd.src:.*strange-permission') diff --git a/systemd.spec b/systemd.spec index f972d72..c9d6342 100644 --- a/systemd.spec +++ b/systemd.spec 
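Review bot: The filters `addFilter(r'missing-call-to-(chdir-with-chroot|setgroups-before-setuid)')` and `addFilter(r'dangerous-command-in-')` in the new systemd.rpmlintrc are unanchored and uncommented, so they silence these security-oriented rpmlint checks for every binary and scriptlet in every subpackage, including ones added later. Other entries in the same file are scoped to a path or package (`non-standard-dir-perm /var/log/private 700`, `systemd-tests\..*: W: no-documentation`) or explained (`# everybody does it this way: systemd, syslog-ng, rsyslog`). I would give these two the same treatment: restrict each pattern to the package or file that currently triggers it, and put a one-line comment above it saying why the finding is acceptable there. That way a new setuid helper or a new scriptlet command still shows up in rpmlint output instead of being filtered on arrival.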
@@ -394,9 +394,9 @@ mkdir -p %{buildroot}%{system_unit_dir}/basic.target.wants mkdir -p %{buildroot}%{system_unit_dir}/default.target.wants mkdir -p %{buildroot}%{system_unit_dir}/dbus.target.wants mkdir -p %{buildroot}%{system_unit_dir}/syslog.target.wants -mkdir -p %{buildroot}%{_localstatedir}/run +mkdir -p %{buildroot}/run mkdir -p %{buildroot}%{_localstatedir}/log -touch %{buildroot}%{_localstatedir}/run/utmp +touch %{buildroot}/run/utmp touch %{buildroot}%{_localstatedir}/log/{w,b}tmp # Make sure the user generators dir exists too @@ -481,7 +481,7 @@ python3 %{SOURCE2} %buildroot < - 239-9.git9f3aed1 -- Go back to using systemctl preset-all in %post (#1647172, #1118740) +- Go back to using systemctl preset-all in %%post (#1647172, #1118740) * Mon Nov 5 2018 Adam Williamson - 239-8.git9f3aed1 - Requires(post) openssl-libs to fix live image build machine-id issue From 1a7473cbc47dc358063d9c1376d2327f5f00fcfe Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Thu, 2 Apr 2020 18:00:02 +0200 Subject: [PATCH 07/23] Add abignore file to make abigail happy (cherry picked from commit 8a34ce7dca89c7edc71e0548d3a8e720c8825194) --- libsystemd-shared.abignore | 3 +++ systemd.rpmlintrc | 2 +- systemd.spec | 3 +++ 3 files changed, 7 insertions(+), 1 deletion(-) create mode 100644 libsystemd-shared.abignore diff --git a/libsystemd-shared.abignore b/libsystemd-shared.abignore new file mode 100644 index 0000000..e412d8b --- /dev/null +++ b/libsystemd-shared.abignore @@ -0,0 +1,3 @@ +[suppress_file] +# This shared object is private to systemd +file_name_regexp=libsystemd-shared-.*.so diff --git a/systemd.rpmlintrc b/systemd.rpmlintrc index 6bb8cb0..9db0ab0 100644 --- a/systemd.rpmlintrc +++ b/systemd.rpmlintrc 
@@ -39,7 +39,7 @@ addFilter(r'systemd-tests\..*: W: no-documentation') addFilter(r'systemd-tests.*: E: zero-length /usr/lib/systemd/tests/testdata/test-umount/empty.mountinfo') -addFilter(r'hardcoded-library-path in.*(firewalld|install.d)') +addFilter(r'hardcoded-library-path in.*(firewalld|install.d|lib/systemd)') # everybody does it this way: systemd, syslog-ng, rsyslog addFilter(r'unversioned-explicit-provides syslog') diff --git a/systemd.spec b/systemd.spec index c9d6342..021f5e1 100644 --- a/systemd.spec +++ b/systemd.spec @@ -51,6 +51,7 @@ Source9: 20-yama-ptrace.conf Source10: systemd-udev-trigger-no-reload.conf Source11: 20-grubby.install Source12: systemd-user +Source13: libsystemd-shared.abignore Source21: macros.sysusers Source22: sysusers.attr @@ -460,6 +461,8 @@ EOF install -Dm0755 -t %{buildroot}%{_prefix}/lib/kernel/install.d/ %{SOURCE11} +install -Dm0755 -t %{buildroot}%{_prefix}/lib/systemd/ %{SOURCE13} + install -D -t %{buildroot}/usr/lib/systemd/ %{SOURCE3} sed -i 's|#!/usr/bin/env python3|#!%{__python3}|' %{buildroot}/usr/lib/systemd/tests/run-unit-tests.py From 8ae0be2a766fc95d876cdb190252abfe9dbd4d72 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Sat, 11 Apr 2020 10:38:12 +0200 Subject: [PATCH 08/23] gitignore: add emacs backup files (cherry picked from commit 6238d479aef68420b858001840efe9a6d3814061) --- .gitignore | 1 + 1 file changed, 1 insertion(+) diff --git a/.gitignore b/.gitignore index 7d93b1b..911034e 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,4 @@ +*~ /systemd-*/ /.build-*.log /x86_64/ From e3554e7309cb758e893e67b51b3909a2973aa809 Mon Sep 17 00:00:00 2001 
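Review bot: `install -Dm0755 -t %{buildroot}%{_prefix}/lib/systemd/ %{SOURCE13}` installs libsystemd-shared.abignore with the executable bits set, although the file added in this commit is a three-line `[suppress_file]` data file. A plain data file under /usr/lib/systemd should be `install -Dm0644 -t %{buildroot}%{_prefix}/lib/systemd/ %{SOURCE13}`. The same commit widens the rpmlint filter to `hardcoded-library-path in.*(firewalld|install.d|lib/systemd)`, which suppresses that warning for anything mentioning lib/systemd; a short comment above the filter saying it is there for this install line would keep the reason discoverable.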
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Sat, 11 Apr 2020 10:59:58 +0200 Subject: [PATCH 09/23] Move Provides:u2f-hidraw-policy to -udev subpackage https://bugzilla.redhat.com/show_bug.cgi?id=1823002#c2 (cherry picked from commit 80532792aa6f988d34f18ce1ffdfa992be9cb402) --- systemd.spec | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/systemd.spec b/systemd.spec index 021f5e1..5a6ae92 100644 --- a/systemd.spec +++ b/systemd.spec @@ -162,10 +162,6 @@ Conflicts: fedora-release < 23-0.12 Obsoletes: timedatex < 0.6-3 Provides: timedatex = 0.6-3 -# https://bugzilla.redhat.com/show_bug.cgi?id=1753381 -Provides: u2f-hidraw-policy = 1.0.2-40 -Obsoletes: u2f-hidraw-policy < 1.0.2-40 - %description systemd is a system and service manager that runs as PID 1 and starts the rest of the system. It provides aggressive parallelization @@ -236,6 +232,8 @@ to libudev or libsystemd. %package udev Summary: Rule-based device node and kernel event manager +License: LGPLv2+ + Requires: %{name}%{?_isa} = %{version}-%{release} Requires(post): systemd Requires(preun): systemd @@ -251,7 +249,10 @@ Obsoletes: udev < 183 Suggests: systemd-bootchart # https://bugzilla.redhat.com/show_bug.cgi?id=1408878 Requires: kbd -License: LGPLv2+ + +# https://bugzilla.redhat.com/show_bug.cgi?id=1753381 +Provides: u2f-hidraw-policy = 1.0.2-40 +Obsoletes: u2f-hidraw-policy < 1.0.2-40 %description udev This package contains systemd-udev and the rules and hardware database From 31b704bef2d24b580afdcea4d24afc8b77030af6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bj=C3=B6rn=20Esser?= Date: Thu, 16 Apr 2020 13:05:54 +0200 Subject: [PATCH 10/23] Add bootstrap option to break circular deps on cryptsetup (cherry picked from commit 63698f5ea01eb395b60f3e9392926b7c5445f264) --- systemd.spec | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/systemd.spec b/systemd.spec index 5a6ae92..09d02ae 100644 --- a/systemd.spec +++ b/systemd.spec 
@@ -12,12 +12,15 @@ %global system_unit_dir %{pkgdir}/system %global user_unit_dir %{pkgdir}/user +# Bootstrap may be needed to break intercircular dependencies with +# cryptsetup, e.g. when re-building cryptsetup on a json-c SONAME-bump. +%bcond_with bootstrap %bcond_without tests Name: systemd Url: https://www.freedesktop.org/wiki/Software/systemd Version: 245.4 -Release: 1%{?commit:.git%{shortcommit}}%{?dist} +Release: 2%{?commit:.git%{shortcommit}}%{?dist} # For a breakdown of the licensing, see README License: LGPLv2+ and MIT and GPLv2+ Summary: System and Service Manager @@ -85,7 +88,9 @@ BuildRequires: libpwquality-devel BuildRequires: pam-devel BuildRequires: libselinux-devel BuildRequires: audit-libs-devel +%if %{without bootstrap} BuildRequires: cryptsetup-devel +%endif BuildRequires: dbus-devel BuildRequires: libacl-devel BuildRequires: gobject-introspection-devel @@ -341,7 +346,11 @@ CONFIGURE_OPTS=( -Dgcrypt=true -Daudit=true -Delfutils=true +%if %{without bootstrap} -Dlibcryptsetup=true +%else + -Dlibcryptsetup=false +%endif -Delfutils=true -Dpwquality=true -Dqrencode=true @@ -761,6 +770,9 @@ fi %files tests -f .file-list-tests %changelog +* Thu Apr 16 2020 Björn Esser - 245.4-2 +- Add bootstrap option to break circular deps on cryptsetup + * Wed Apr 1 2020 Zbigniew Jędrzejewski-Szmek - 245.4-1 - Update to latest stable version (#1814454) From 8985922cdbcb5681e9f203f605654043dd822c99 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Fri, 17 Apr 2020 14:57:28 +0200 Subject: [PATCH 11/23] Update to v245.5 (cherry picked from commit b80d0073862d6eacc9d650582727304ef1db3d64) --- sources | 2 +- systemd.spec | 7 +++++-- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/sources b/sources index 071996e..02a23ee 100644 --- a/sources +++ b/sources 
@@ -1 +1 @@ -SHA512 (systemd-245.4.tar.gz) = 02036bb1ab05301a9d0dfdd4b9c9376e90134474482531e6e292122380be2f24f99177493dd3af6f8af1a8ed2599ee0996da91a3b1b7872bbfaf26a1c3e61b4c +SHA512 (systemd-245.5.tar.gz) = 47de4a59980643002f325c499eeb4dd76fa9f1d1267686e7564f103690487bf85974590d7cb3e3641409e5bfba567fe2a66efa80320e7e8adc48af4461e2e172 diff --git a/systemd.spec b/systemd.spec index 09d02ae..97ddc6e 100644 --- a/systemd.spec +++ b/systemd.spec @@ -19,8 +19,8 @@ Name: systemd Url: https://www.freedesktop.org/wiki/Software/systemd -Version: 245.4 -Release: 2%{?commit:.git%{shortcommit}}%{?dist} +Version: 245.5 +Release: 1%{?commit:.git%{shortcommit}}%{?dist} # For a breakdown of the licensing, see README License: LGPLv2+ and MIT and GPLv2+ Summary: System and Service Manager @@ -770,6 +770,9 @@ fi %files tests -f .file-list-tests %changelog +* Fri Apr 17 2020 Zbigniew Jędrzejewski-Szmek - 245.5-1 +- Update to latest stable version (#1819313, #1815412, #1800875) + * Thu Apr 16 2020 Björn Esser - 245.4-2 - Add bootstrap option to break circular deps on cryptsetup From 227efa468e937c0edce1739d0b4bf25e0735118b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bj=C3=B6rn=20Esser?= Date: Sun, 19 Apr 2020 16:47:57 +0200 Subject: [PATCH 12/23] Add explicit BuildRequires: acl The acl package is not present in the buildroots when building in bootstrap mode, but test-acl-util needs /usr/bin/getfacl. Thus it should be an explicit build-time dependency. (cherry picked from commit b5c68a76ce83115c66ecfc135ea32f74d1830ee2) --- systemd.spec | 2 ++ 1 file changed, 2 insertions(+) diff --git a/systemd.spec b/systemd.spec index 97ddc6e..3c300d4 100644 --- a/systemd.spec +++ b/systemd.spec @@ -92,6 +92,8 @@ BuildRequires: audit-libs-devel BuildRequires: cryptsetup-devel %endif BuildRequires: dbus-devel +# /usr/bin/getfacl is needed by test-acl-util +BuildRequires: acl BuildRequires: libacl-devel BuildRequires: gobject-introspection-devel BuildRequires: libblkid-devel 
From cab5d4fd526c451fa80212971cd30b49b6dd463d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bj=C3=B6rn=20Esser?= Date: Tue, 21 Apr 2020 19:46:02 +0200 Subject: [PATCH 13/23] Bump release and update %changelog (cherry picked from commit f9831696555a2b9840e3a8f4e69b7e003a62a9ec) --- systemd.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/systemd.spec b/systemd.spec index 3c300d4..39400a1 100644 --- a/systemd.spec +++ b/systemd.spec @@ -20,7 +20,7 @@ Name: systemd Url: https://www.freedesktop.org/wiki/Software/systemd Version: 245.5 -Release: 1%{?commit:.git%{shortcommit}}%{?dist} +Release: 2%{?commit:.git%{shortcommit}}%{?dist} # For a breakdown of the licensing, see README License: LGPLv2+ and MIT and GPLv2+ Summary: System and Service Manager @@ -772,6 +772,9 @@ fi %files tests -f .file-list-tests %changelog +* Tue Apr 21 2020 Björn Esser - 245.5-2 +- Add explicit BuildRequires: acl + * Fri Apr 17 2020 Zbigniew Jędrzejewski-Szmek - 245.5-1 - Update to latest stable version (#1819313, #1815412, #1800875) From 330891b60999f6ec1c2068a9ac8381acc732d4c3 Mon Sep 17 00:00:00 2001 From: Christian Glombek Date: Mon, 11 May 2020 12:52:13 +0200 Subject: [PATCH 14/23] sysusers.generate-pre.sh: Fix parsing files that don't end with newline (cherry picked from commit 493f6fa66b3c9a6a1e1dd216f5445f5e21cbfa62) --- sysusers.generate-pre.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sysusers.generate-pre.sh b/sysusers.generate-pre.sh index 1d4b95f..6c481c3 100755 --- a/sysusers.generate-pre.sh +++ b/sysusers.generate-pre.sh @@ -50,7 +50,7 @@ fi } parse() { - while read line; do + while read line || [ "$line" ]; do [ "${line:0:1}" = '#' -o "${line:0:1}" = ';' ] && continue line="${line## *}" [ -z "$line" ] && continue From 80947b52e2bc1870dbb7d3fb87acfee86d6c0a98 Mon Sep 17 00:00:00 2001 
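Review bot: The new loop condition `while read line || [ "$line" ]; do` in `parse()` still calls `read` without `-r`, so backslashes in a sysusers.d line are consumed as escapes and a trailing backslash joins the next line before the fields are parsed. Since this line is being touched anyway, I would write it as `while read -r line || [ -n "$line" ]; do`; the explicit `-n` also makes the "last line without newline" intent readable. Leaving IFS at its default keeps the current stripping of leading whitespace that the `${line:0:1}` comment checks rely on. The body of the loop continues outside the hunk.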
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Sun, 31 May 2020 11:45:46 +0200 Subject: [PATCH 15/23] Update to v245.6 (cherry picked from commit fb22f2a64048a2824f3e07634c7e92f647aa193d) --- sources | 2 +- systemd.spec | 7 +++++-- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/sources b/sources index 02a23ee..1eae4c0 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (systemd-245.5.tar.gz) = 47de4a59980643002f325c499eeb4dd76fa9f1d1267686e7564f103690487bf85974590d7cb3e3641409e5bfba567fe2a66efa80320e7e8adc48af4461e2e172 +SHA512 (systemd-245.6.tar.gz) = a4add8e2fd38199d609a9eabfad1be93a304ddfd64e3d4498df536bf3d88e5e8ee16d2dfb7fad20332bb7fbd8898e6e50c3fd6df2f24ac45eec88bd339efb2fe diff --git a/systemd.spec b/systemd.spec index 39400a1..d1a7929 100644 --- a/systemd.spec +++ b/systemd.spec @@ -19,8 +19,8 @@ Name: systemd Url: https://www.freedesktop.org/wiki/Software/systemd -Version: 245.5 -Release: 2%{?commit:.git%{shortcommit}}%{?dist} +Version: 245.6 +Release: 1%{?commit:.git%{shortcommit}}%{?dist} # For a breakdown of the licensing, see README License: LGPLv2+ and MIT and GPLv2+ Summary: System and Service Manager @@ -772,6 +772,9 @@ fi %files tests -f .file-list-tests %changelog +* Sun May 31 2020 Zbigniew Jędrzejewski-Szmek - 245.6-1 +- Update to latest stable version (some documentation updates, minor memory correctness issues) + * Tue Apr 21 2020 Björn Esser - 245.5-2 - Add explicit BuildRequires: acl From 3359c24cffc8faacfd0beab47fe0f2bd5dfcc4f8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Sun, 31 May 2020 12:45:44 +0200 Subject: [PATCH 16/23] Add two bug numbers --- systemd.spec | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/systemd.spec b/systemd.spec index d1a7929..fee3b92 100644 --- a/systemd.spec +++ b/systemd.spec 
@@ -773,7 +773,8 @@ fi %changelog * Sun May 31 2020 Zbigniew Jędrzejewski-Szmek - 245.6-1 -- Update to latest stable version (some documentation updates, minor memory correctness issues) +- Update to latest stable version (some documentation updates, minor + memory correctness issues) (#1815605, #1827467) * Tue Apr 21 2020 Björn Esser - 245.5-2 - Add explicit BuildRequires: acl From c8dadfd9940878555450a2075df2bbe3aaaa4c8b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Tue, 2 Jun 2020 09:13:17 +0200 Subject: [PATCH 17/23] Add self-obsoletes to fix upgrades from F31 Debugged and fixed by adamw! $ rpmdiff systemd-udev-245.6-[12]* removed OBSOLETES systemd < 229-5 added OBSOLETES systemd < 245.6-1 ... --- systemd.spec | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/systemd.spec b/systemd.spec index fee3b92..e7fda75 100644 --- a/systemd.spec +++ b/systemd.spec @@ -20,7 +20,7 @@ Name: systemd Url: https://www.freedesktop.org/wiki/Software/systemd Version: 245.6 -Release: 1%{?commit:.git%{shortcommit}}%{?dist} +Release: 2%{?commit:.git%{shortcommit}}%{?dist} # For a breakdown of the licensing, see README License: LGPLv2+ and MIT and GPLv2+ Summary: System and Service Manager 
@@ -241,17 +241,18 @@ to libudev or libsystemd. Summary: Rule-based device node and kernel event manager License: LGPLv2+ -Requires: %{name}%{?_isa} = %{version}-%{release} +Requires: systemd%{?_isa} = %{version}-%{release} Requires(post): systemd Requires(preun): systemd Requires(postun): systemd Requires(post): grep Requires: kmod >= 18-4 -# obsolete parent package so that dnf will install new subpackage on upgrade (#1260394) -Obsoletes: %{name} < 229-5 +# https://bodhi.fedoraproject.org/updates/FEDORA-2020-dd43dd05b1 +Obsoletes: systemd < 245.6-1 Provides: udev = %{version} Provides: udev%{_isa} = %{version} Obsoletes: udev < 183 + # https://bugzilla.redhat.com/show_bug.cgi?id=1377733#c9 Suggests: systemd-bootchart # https://bugzilla.redhat.com/show_bug.cgi?id=1408878 @@ -772,9 +773,12 @@ fi %files tests -f .file-list-tests %changelog +* Tue Jun 2 2020 Zbigniew Jędrzejewski-Szmek - 245.6-2 +- Add self-obsoletes to fix upgrades from F31 + * Sun May 31 2020 Zbigniew Jędrzejewski-Szmek - 245.6-1 - Update to latest stable version (some documentation updates, minor - memory correctness issues) (#1815605, #1827467) + memory correctness issues) (#1815605, #1827467, #1842067) * Tue Apr 21 2020 Björn Esser - 245.5-2 - Add explicit BuildRequires: acl From f984b3dafbace9f67e028b862503ac400bcadb93 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Mon, 27 Jul 2020 10:21:58 +0200 Subject: [PATCH 18/23] Update to v245.7 --- ...-mark-as-redundant-if-deps-are-relev.patch | 144 ------------------ sources | 2 +- systemd.spec | 14 +- 3 files changed, 10 insertions(+), 150 deletions(-) delete mode 100644 0001-Revert-job-Don-t-mark-as-redundant-if-deps-are-relev.patch diff --git a/0001-Revert-job-Don-t-mark-as-redundant-if-deps-are-relev.patch b/0001-Revert-job-Don-t-mark-as-redundant-if-deps-are-relev.patch deleted file mode 100644 index 916474d..0000000 --- a/0001-Revert-job-Don-t-mark-as-redundant-if-deps-are-relev.patch +++ /dev/null 
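Review bot: The comment above the new `Obsoletes: systemd < 245.6-1` in the udev subpackage is now only a Bodhi URL, while the removed comment explained why the obsolete exists. The reason should stay next to the tag so the hard-coded `245.6-1` bound is not later mistaken for a stale value and "cleaned up". Going by the commit message, something like `# self-obsolete older systemd so that upgrades from F31 pull in systemd-udev, see https://bodhi.fedoraproject.org/updates/FEDORA-2020-dd43dd05b1` would do. It would also help to say in that comment that the bound is deliberately not `%{version}-%{release}`, if that is the intent.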
@@ -1,144 +0,0 @@ -From 6f202edb2c2e340523c6c0f2c0a93690eaab7a68 Mon Sep 17 00:00:00 2001 -From: Adam Williamson -Date: Tue, 18 Feb 2020 08:44:34 -0800 -Subject: [PATCH] Revert "job: Don't mark as redundant if deps are relevant" - -This reverts commit 097537f07a2fab3cb73aef7bc59f2a66aa93f533. It -causes https://bugzilla.redhat.com/show_bug.cgi?id=1803293 . ---- - src/core/job.c | 51 ++++++------------------------------------ - src/core/job.h | 3 +-- - src/core/transaction.c | 8 +++---- - 3 files changed, 12 insertions(+), 50 deletions(-) - -diff --git a/src/core/job.c b/src/core/job.c -index 5982404cf0..5048a5093e 100644 ---- a/src/core/job.c -+++ b/src/core/job.c -@@ -383,62 +383,25 @@ JobType job_type_lookup_merge(JobType a, JobType b) { - return job_merging_table[(a - 1) * a / 2 + b]; - } - --bool job_later_link_matters(Job *j, JobType type, unsigned generation) { -- JobDependency *l; -- -- assert(j); -- -- j->generation = generation; -- -- LIST_FOREACH(subject, l, j->subject_list) { -- UnitActiveState state = _UNIT_ACTIVE_STATE_INVALID; -- -- /* Have we seen this before? 
*/ -- if (l->object->generation == generation) -- continue; -- -- state = unit_active_state(l->object->unit); -- switch (type) { -- -- case JOB_START: -- return IN_SET(state, UNIT_INACTIVE, UNIT_FAILED) || -- job_later_link_matters(l->object, type, generation); -- -- case JOB_STOP: -- return IN_SET(state, UNIT_ACTIVE, UNIT_RELOADING) || -- job_later_link_matters(l->object, type, generation); -- -- default: -- assert_not_reached("Invalid job type"); -- } -- } -- -- return false; --} -- --bool job_is_redundant(Job *j, unsigned generation) { -- -- assert(j); -- -- UnitActiveState state = unit_active_state(j->unit); -- switch (j->type) { -+bool job_type_is_redundant(JobType a, UnitActiveState b) { -+ switch (a) { - - case JOB_START: -- return IN_SET(state, UNIT_ACTIVE, UNIT_RELOADING) && !job_later_link_matters(j, JOB_START, generation); -+ return IN_SET(b, UNIT_ACTIVE, UNIT_RELOADING); - - case JOB_STOP: -- return IN_SET(state, UNIT_INACTIVE, UNIT_FAILED) && !job_later_link_matters(j, JOB_STOP, generation); -+ return IN_SET(b, UNIT_INACTIVE, UNIT_FAILED); - - case JOB_VERIFY_ACTIVE: -- return IN_SET(state, UNIT_ACTIVE, UNIT_RELOADING); -+ return IN_SET(b, UNIT_ACTIVE, UNIT_RELOADING); - - case JOB_RELOAD: - return -- state == UNIT_RELOADING; -+ b == UNIT_RELOADING; - - case JOB_RESTART: - return -- state == UNIT_ACTIVATING; -+ b == UNIT_ACTIVATING; - - case JOB_NOP: - return true; -diff --git a/src/core/job.h b/src/core/job.h -index 02b057ee06..03ad640618 100644 ---- a/src/core/job.h -+++ b/src/core/job.h -@@ -196,8 +196,7 @@ _pure_ static inline bool job_type_is_superset(JobType a, JobType b) { - return a == job_type_lookup_merge(a, b); - } - --bool job_later_link_matters(Job *j, JobType type, unsigned generation); --bool job_is_redundant(Job *j, unsigned generation); -+bool job_type_is_redundant(JobType a, UnitActiveState b) _pure_; - - /* Collapses a state-dependent job type into a simpler type by observing - * the state of the unit which it is going to be applied 
to. */ -diff --git a/src/core/transaction.c b/src/core/transaction.c -index 8d67f9ce1a..a0ea0f0489 100644 ---- a/src/core/transaction.c -+++ b/src/core/transaction.c -@@ -279,7 +279,7 @@ static int transaction_merge_jobs(Transaction *tr, sd_bus_error *e) { - return 0; - } - --static void transaction_drop_redundant(Transaction *tr, unsigned generation) { -+static void transaction_drop_redundant(Transaction *tr) { - bool again; - - /* Goes through the transaction and removes all jobs of the units whose jobs are all noops. If not -@@ -299,7 +299,7 @@ static void transaction_drop_redundant(Transaction *tr, unsigned generation) { - - LIST_FOREACH(transaction, k, j) - if (tr->anchor_job == k || -- !job_is_redundant(k, generation) || -+ !job_type_is_redundant(k->type, unit_active_state(k->unit)) || - (k->unit->job && job_type_is_conflicting(k->type, k->unit->job->type))) { - keep = true; - break; -@@ -730,7 +730,7 @@ int transaction_activate( - transaction_minimize_impact(tr); - - /* Third step: Drop redundant jobs */ -- transaction_drop_redundant(tr, generation++); -+ transaction_drop_redundant(tr); - - for (;;) { - /* Fourth step: Let's remove unneeded jobs that might -@@ -772,7 +772,7 @@ int transaction_activate( - } - - /* Eights step: Drop redundant jobs again, if the merging now allows us to drop more. */ -- transaction_drop_redundant(tr, generation++); -+ transaction_drop_redundant(tr); - - /* Ninth step: check whether we can actually apply this */ - r = transaction_is_destructive(tr, mode, e); --- -2.25.0 - diff --git a/sources b/sources index 1eae4c0..f9c7f83 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (systemd-245.6.tar.gz) = a4add8e2fd38199d609a9eabfad1be93a304ddfd64e3d4498df536bf3d88e5e8ee16d2dfb7fad20332bb7fbd8898e6e50c3fd6df2f24ac45eec88bd339efb2fe +SHA512 (systemd-245.7.tar.gz) = 53f3515d327b98b242731095b2e004b14057fb522499b4511cd077e30904f752e6527cf8b52ba75cb07703eca747794e025b603fbf1f544b01e8c62b77e75dae 
diff --git a/systemd.spec b/systemd.spec index e7fda75..527bee3 100644 --- a/systemd.spec +++ b/systemd.spec @@ -19,8 +19,8 @@ Name: systemd Url: https://www.freedesktop.org/wiki/Software/systemd -Version: 245.6 -Release: 2%{?commit:.git%{shortcommit}}%{?dist} +Version: 245.7 +Release: 1%{?commit:.git%{shortcommit}}%{?dist} # For a breakdown of the licensing, see README License: LGPLv2+ and MIT and GPLv2+ Summary: System and Service Manager @@ -72,9 +72,6 @@ Patch0001: use-bfq-scheduler.patch Patch0998: 0998-resolved-create-etc-resolv.conf-symlink-at-runtime.patch -# https://bugzilla.redhat.com/show_bug.cgi?id=1803293 -Patch1000: 0001-Revert-job-Don-t-mark-as-redundant-if-deps-are-relev.patch - %ifarch %{ix86} x86_64 aarch64 %global have_gnu_efi 1 %endif @@ -773,6 +770,13 @@ fi %files tests -f .file-list-tests %changelog +* Mon Jul 27 2020 Zbigniew Jędrzejewski-Szmek - 245.7-1 +- A bunch of backported patches (#1853736, #1857783, #1830896, + #1846079, #1849238, #1843566, #1856122) +- Handling of user names that resemble numerical uids is tightened (CVE-2020-13776, + #1845535) +- The hardware database is updated to the upstream version (#1849797) + * Tue Jun 2 2020 Zbigniew Jędrzejewski-Szmek - 245.6-2 - Add self-obsoletes to fix upgrades from F31 From f89ba6d87d33063079a56289e36d6599bdd017a1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Mon, 27 Jul 2020 10:43:36 +0200 Subject: [PATCH 19/23] Update sources I forgot to rebase the systemd-stable branch. --- sources | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sources b/sources index f9c7f83..3479c28 100644 --- a/sources +++ b/sources 
@@ -1 +1 @@ -SHA512 (systemd-245.7.tar.gz) = 53f3515d327b98b242731095b2e004b14057fb522499b4511cd077e30904f752e6527cf8b52ba75cb07703eca747794e025b603fbf1f544b01e8c62b77e75dae +SHA512 (systemd-245.7.tar.gz) = 306b3a9cd1d8985a05be259f8a08efb5e9f7102a657eccdef58e082822b61a6e82246dc4f3b6e0bd33eedbd550af54e0029af9d0d2b70416e27626ec43921449 From fba14824e24de37e43eaf4361d140ee24db9b1ac Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Sun, 20 Sep 2020 13:39:05 +0200 Subject: [PATCH 20/23] Version 245.8 --- sources | 2 +- systemd.spec | 8 +++++++- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/sources b/sources index 3479c28..8d4f601 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (systemd-245.7.tar.gz) = 306b3a9cd1d8985a05be259f8a08efb5e9f7102a657eccdef58e082822b61a6e82246dc4f3b6e0bd33eedbd550af54e0029af9d0d2b70416e27626ec43921449 +SHA512 (systemd-245.8.tar.gz) = 8c44077445f5cbc6553f973cb433aa3f6579c84f2989b21e9f56ccde0bf5da187d324b9eecb41e5560610a436f04be69e63d20ccc380d9330ac76d90236104d7 diff --git a/systemd.spec b/systemd.spec index 527bee3..660cbfb 100644 --- a/systemd.spec +++ b/systemd.spec @@ -19,7 +19,7 @@ Name: systemd Url: https://www.freedesktop.org/wiki/Software/systemd -Version: 245.7 +Version: 245.8 Release: 1%{?commit:.git%{shortcommit}}%{?dist} # For a breakdown of the licensing, see README License: LGPLv2+ and MIT and GPLv2+ @@ -770,6 +770,12 @@ fi %files tests -f .file-list-tests %changelog +* Sun Sep 20 2020 Zbigniew Jędrzejewski-Szmek - 245.8-1 +- Update to latest stable version (smaller fixes to the manager, + homed, networkd, resolved, nspawn, sd-boot, bootctl, bless-boot, + kernel-install, documentation, systemd-tty-ask-password-agent, + udevd, coredump, systemd-analyze, tests) (#1856273) + * Mon Jul 27 2020 Zbigniew Jędrzejewski-Szmek - 245.7-1 - A bunch of backported patches (#1853736, #1857783, #1830896, #1846079, #1849238, #1843566, #1856122) 
From 1158ab16ab817c17e3235e5db43b0952f70f6375 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Sun, 20 Sep 2020 13:11:35 +0200 Subject: [PATCH 21/23] Add patch for kernel bug --- ...96d3e8d1cb0dd3666bc74fa673918b586612.patch | 129 ++++++++++++++++++ systemd.spec | 6 +- 2 files changed, 134 insertions(+), 1 deletion(-) create mode 100644 f58b96d3e8d1cb0dd3666bc74fa673918b586612.patch diff --git a/f58b96d3e8d1cb0dd3666bc74fa673918b586612.patch b/f58b96d3e8d1cb0dd3666bc74fa673918b586612.patch new file mode 100644 index 0000000..84497ad --- /dev/null +++ b/f58b96d3e8d1cb0dd3666bc74fa673918b586612.patch 
@@ -0,0 +1,129 @@ +From f58b96d3e8d1cb0dd3666bc74fa673918b586612 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Mon, 14 Sep 2020 17:58:03 +0200 +Subject: [PATCH] test-mountpointutil-util: do not assert in test_mnt_id() + +https://bugzilla.redhat.com/show_bug.cgi?id=1803070 + +I *think* this a kernel bug: the mnt_id as listed in /proc/self/mountinfo is different +than the one we get from /proc/self/fdinfo/. This only matters when both statx and +name_to_handle_at are unavailable and we hit the fallback path that goes through fdinfo: + +(gdb) !uname -r +5.6.19-200.fc31.ppc64le + +(gdb) !cat /proc/self/mountinfo +697 664 253:0 /var/lib/mock/fedora-31-ppc64le/root / rw,relatime shared:298 master:1 - xfs /dev/mapper/fedora_rh--power--vm14-root rw,seclabel,attr2,inode64,logbufs=8,logbsize=32k,noquota +698 697 253:0 /var/cache/mock/fedora-31-ppc64le/yum_cache /var/cache/yum rw,relatime shared:299 master:1 - xfs /dev/mapper/fedora_rh--power--vm14-root rw,seclabel,attr2,inode64,logbufs=8,logbsize=32k,noquota +699 697 253:0 /var/cache/mock/fedora-31-ppc64le/dnf_cache /var/cache/dnf rw,relatime shared:300 master:1 - xfs /dev/mapper/fedora_rh--power--vm14-root rw,seclabel,attr2,inode64,logbufs=8,logbsize=32k,noquota +700 697 0:32 /mock-selinux-plugin.7me9bfpi /proc/filesystems rw,nosuid,nodev shared:301 master:18 - tmpfs tmpfs rw,seclabel <========================================================== +701 697 0:41 / /sys ro,nosuid,nodev,noexec,relatime shared:302 - sysfs sysfs ro,seclabel +702 701 0:21 / /sys/fs/selinux ro,nosuid,nodev,noexec,relatime shared:306 master:8 - selinuxfs selinuxfs rw +703 697 0:42 / /dev rw,nosuid shared:303 - tmpfs tmpfs rw,seclabel,mode=755 +704 703 0:43 / /dev/shm rw,nosuid,nodev shared:304 - tmpfs tmpfs rw,seclabel +705 703 0:45 / /dev/pts rw,nosuid,noexec,relatime shared:307 - devpts devpts rw,seclabel,gid=5,mode=620,ptmxmode=666 +706 703 0:6 /btrfs-control /dev/btrfs-control rw,nosuid shared:308 master:9 - 
devtmpfs devtmpfs rw,seclabel,size=4107840k,nr_inodes=64185,mode=755 +707 703 0:6 /loop-control /dev/loop-control rw,nosuid shared:309 master:9 - devtmpfs devtmpfs rw,seclabel,size=4107840k,nr_inodes=64185,mode=755 +708 703 0:6 /loop0 /dev/loop0 rw,nosuid shared:310 master:9 - devtmpfs devtmpfs rw,seclabel,size=4107840k,nr_inodes=64185,mode=755 +709 703 0:6 /loop1 /dev/loop1 rw,nosuid shared:311 master:9 - devtmpfs devtmpfs rw,seclabel,size=4107840k,nr_inodes=64185,mode=755 +710 703 0:6 /loop10 /dev/loop10 rw,nosuid shared:312 master:9 - devtmpfs devtmpfs rw,seclabel,size=4107840k,nr_inodes=64185,mode=755 +711 703 0:6 /loop11 /dev/loop11 rw,nosuid shared:313 master:9 - devtmpfs devtmpfs rw,seclabel,size=4107840k,nr_inodes=64185,mode=755 +712 703 0:6 /loop2 /dev/loop2 rw,nosuid shared:314 master:9 - devtmpfs devtmpfs rw,seclabel,size=4107840k,nr_inodes=64185,mode=755 +713 703 0:6 /loop3 /dev/loop3 rw,nosuid shared:315 master:9 - devtmpfs devtmpfs rw,seclabel,size=4107840k,nr_inodes=64185,mode=755 +714 703 0:6 /loop4 /dev/loop4 rw,nosuid shared:316 master:9 - devtmpfs devtmpfs rw,seclabel,size=4107840k,nr_inodes=64185,mode=755 +715 703 0:6 /loop5 /dev/loop5 rw,nosuid shared:317 master:9 - devtmpfs devtmpfs rw,seclabel,size=4107840k,nr_inodes=64185,mode=755 +716 703 0:6 /loop6 /dev/loop6 rw,nosuid shared:318 master:9 - devtmpfs devtmpfs rw,seclabel,size=4107840k,nr_inodes=64185,mode=755 +717 703 0:6 /loop7 /dev/loop7 rw,nosuid shared:319 master:9 - devtmpfs devtmpfs rw,seclabel,size=4107840k,nr_inodes=64185,mode=755 +718 703 0:6 /loop8 /dev/loop8 rw,nosuid shared:320 master:9 - devtmpfs devtmpfs rw,seclabel,size=4107840k,nr_inodes=64185,mode=755 +719 703 0:6 /loop9 /dev/loop9 rw,nosuid shared:321 master:9 - devtmpfs devtmpfs rw,seclabel,size=4107840k,nr_inodes=64185,mode=755 +720 697 0:44 / /run rw,nosuid,nodev shared:305 - tmpfs tmpfs rw,seclabel,mode=755 +721 720 0:25 /systemd/nspawn/propagate/9cc8a155d0244558b273f773d2b92142 /run/systemd/nspawn/incoming ro 
master:12 - tmpfs tmpfs rw,seclabel,mode=755 +722 697 0:32 /mock-resolv.dvml91hp /etc/resolv.conf rw,nosuid,nodev shared:322 master:18 - tmpfs tmpfs rw,seclabel +725 697 0:47 / /proc rw,nosuid,nodev,noexec,relatime shared:323 - proc proc rw +603 725 0:47 /sys /proc/sys ro,nosuid,nodev,noexec,relatime shared:323 - proc proc rw +604 725 0:44 /systemd/inaccessible/reg /proc/kallsyms ro,nosuid,nodev,noexec shared:305 - tmpfs tmpfs rw,seclabel,mode=755 +605 725 0:44 /systemd/inaccessible/reg /proc/kcore ro,nosuid,nodev,noexec shared:305 - tmpfs tmpfs rw,seclabel,mode=755 +606 725 0:44 /systemd/inaccessible/reg /proc/keys ro,nosuid,nodev,noexec shared:305 - tmpfs tmpfs rw,seclabel,mode=755 +607 725 0:44 /systemd/inaccessible/reg /proc/sysrq-trigger ro,nosuid,nodev,noexec shared:305 - tmpfs tmpfs rw,seclabel,mode=755 +608 725 0:44 /systemd/inaccessible/reg /proc/timer_list ro,nosuid,nodev,noexec shared:305 - tmpfs tmpfs rw,seclabel,mode=755 +609 725 0:47 /bus /proc/bus ro,nosuid,nodev,noexec,relatime shared:323 - proc proc rw +610 725 0:47 /fs /proc/fs ro,nosuid,nodev,noexec,relatime shared:323 - proc proc rw +611 725 0:47 /irq /proc/irq ro,nosuid,nodev,noexec,relatime shared:323 - proc proc rw +612 725 0:47 /scsi /proc/scsi ro,nosuid,nodev,noexec,relatime shared:323 - proc proc rw +613 703 0:46 / /dev/mqueue rw,nosuid,nodev,noexec,relatime shared:324 - mqueue mqueue rw,seclabel +614 701 0:26 / /sys/fs/cgroup rw,nosuid,nodev,noexec,relatime shared:325 - cgroup2 cgroup rw,seclabel,nsdelegate +615 603 0:44 /.#proc-sys-kernel-random-boot-id4fbdce67af46d1c2//deleted /proc/sys/kernel/random/boot_id ro,nosuid,nodev,noexec shared:305 - tmpfs tmpfs rw,seclabel,mode=755 +616 725 0:44 /.#proc-sys-kernel-random-boot-id4fbdce67af46d1c2//deleted /proc/sys/kernel/random/boot_id rw,nosuid,nodev shared:305 - tmpfs tmpfs rw,seclabel,mode=755 +617 725 0:44 /.#proc-kmsg5b7a8bcfe6717139//deleted /proc/kmsg rw,nosuid,nodev shared:305 - tmpfs tmpfs rw,seclabel,mode=755 + +The test process does 
+name_to_handle_at("/proc/filesystems") which returns -EOPNOTSUPP, and then +openat(AT_FDCWD, "/proc/filesystems") which returns 4, and then +read(open("/proc/self/fdinfo/4", ...)) which gives +"pos:\t0\nflags:\t012100000\nmnt_id:\t725\n" + +and the "725" is clearly inconsistent with "700" in /proc/self/mountinfo. + +We could either drop the fallback path (and fail name_to_handle_at() is not +avaliable) or ignore the error in the test. Not sure what is better. I think +this issue only occurs sometimes and with older kernels, so probably continuing +with the current flaky implementation is better than ripping out the fallback. + +Another strace: +writev(2, [{iov_base="mnt ids of /proc/sys is 603", iov_len=27}, {iov_base="\n", iov_len=1}], 2mnt ids of /proc/sys is 603 +) = 28 +name_to_handle_at(AT_FDCWD, "/", {handle_bytes=128 => 12, handle_type=129, f_handle=0x52748401000000008b93e20d}, [697], 0) = 0 +writev(2, [{iov_base="mnt ids of / is 697", iov_len=19}, {iov_base="\n", iov_len=1}], 2mnt ids of / is 697 +) = 20 +name_to_handle_at(AT_FDCWD, "/proc/kcore", {handle_bytes=128 => 12, handle_type=1, f_handle=0x92ddcfcd2e802d0100000000}, [605], 0) = 0 +writev(2, [{iov_base="mnt ids of /proc/kcore is 605", iov_len=29}, {iov_base="\n", iov_len=1}], 2mnt ids of /proc/kcore is 605 +) = 30 +name_to_handle_at(AT_FDCWD, "/dev", {handle_bytes=128 => 12, handle_type=1, f_handle=0x8ae269160c802d0100000000}, [703], 0) = 0 +writev(2, [{iov_base="mnt ids of /dev is 703", iov_len=22}, {iov_base="\n", iov_len=1}], 2mnt ids of /dev is 703 +) = 23 +name_to_handle_at(AT_FDCWD, "/proc/filesystems", {handle_bytes=128}, 0x7fffe36ddb84, 0) = -1 EOPNOTSUPP (Operation not supported) +openat(AT_FDCWD, "/proc/filesystems", O_RDONLY|O_NOFOLLOW|O_CLOEXEC|O_PATH) = 4 +openat(AT_FDCWD, "/proc/self/fdinfo/4", O_RDONLY|O_CLOEXEC) = 5 +fstat(5, {st_mode=S_IFREG|0400, st_size=0, ...}) = 0 +fstat(5, {st_mode=S_IFREG|0400, st_size=0, ...}) = 0 +read(5, "pos:\t0\nflags:\t012100000\nmnt_id:\t725\n", 2048) = 
36 +read(5, "", 1024) = 0 +close(5) = 0 +close(4) = 0 +writev(2, [{iov_base="mnt ids of /proc/filesystems are 700, 725", iov_len=41}, {iov_base="\n", iov_len=1}], 2mnt ids of /proc/filesystems are 700, 725 +) = 42 +writev(2, [{iov_base="the other path for mnt id 725 is /proc", iov_len=38}, {iov_base="\n", iov_len=1}], 2the other path for mnt id 725 is /proc +) = 39 +writev(2, [{iov_base="Assertion 'path_equal(p, t)' failed at src/test/test-mountpoint-util.c:94, function test_mnt_id(). Aborting.", iov_len=108}, {iov_base="\n", iov_len=1}], 2Assertion 'path_equal(p, t)' failed at src/test/test-mountpoint-util.c:94, function test_mnt_id(). Aborting. +) = 109 +rt_sigprocmask(SIG_UNBLOCK, [ABRT], NULL, 8) = 0 +rt_sigprocmask(SIG_BLOCK, ~[RTMIN RT_1], [], 8) = 0 +getpid() = 20 +gettid() = 20 +tgkill(20, 20, SIGABRT) = 0 +rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 +--- SIGABRT {si_signo=SIGABRT, si_code=SI_TKILL, si_pid=20, si_uid=0} --- ++++ killed by SIGABRT (core dumped) +++ +--- + src/test/test-mountpoint-util.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/src/test/test-mountpoint-util.c b/src/test/test-mountpoint-util.c +index 30b00ae4d8b..ffe5144b04a 100644 +--- a/src/test/test-mountpoint-util.c ++++ b/src/test/test-mountpoint-util.c +@@ -89,8 +89,12 @@ static void test_mnt_id(void) { + /* The ids don't match? If so, then there are two mounts on the same path, let's check if + * that's really the case */ + char *t = hashmap_get(h, INT_TO_PTR(mnt_id2)); +- log_debug("the other path for mnt id %i is %s\n", mnt_id2, t); +- assert_se(path_equal(p, t)); ++ log_debug("Path for mnt id %i from /proc/self/mountinfo is %s\n", mnt_id2, t); ++ ++ if (!path_equal(p, t)) ++ /* Apparent kernel bug in /proc/self/fdinfo */ ++ log_warning("Bad mount id given for %s: %d, should be %d", ++ p, mnt_id2, mnt_id); + } + } + diff --git a/systemd.spec b/systemd.spec index 660cbfb..9a23e22 100644 --- a/systemd.spec +++ b/systemd.spec 
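Review bot: Replacing `assert_se(path_equal(p, t))` with an unconditional `log_warning()` means test_mnt_id() can no longer fail on any mount-id mismatch, including one caused by a real regression in the lookup code rather than by the suspected kernel bug. The commit message says the discrepancy only appears on the fdinfo fallback path, so the assertion could be kept whenever the test can tell that path was not taken. At minimum the comment should carry the reference so the relaxation can be revisited, e.g. `/* Apparent kernel bug in /proc/self/fdinfo, see https://bugzilla.redhat.com/show_bug.cgi?id=1803070 */`. Separately, `t` comes straight from `hashmap_get()` and is passed to `%s` and `path_equal()` with no NULL check visible here; confirm that an id missing from the table is handled. test_mnt_id() starts outside the hunk.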
@@ -72,6 +72,8 @@ Patch0001: use-bfq-scheduler.patch Patch0998: 0998-resolved-create-etc-resolv.conf-symlink-at-runtime.patch +Patch0009: https://github.com/systemd/systemd/pull/17050/commits/f58b96d3e8d1cb0dd3666bc74fa673918b586612.patch + %ifarch %{ix86} x86_64 aarch64 %global have_gnu_efi 1 %endif @@ -774,7 +776,9 @@ fi - Update to latest stable version (smaller fixes to the manager, homed, networkd, resolved, nspawn, sd-boot, bootctl, bless-boot, kernel-install, documentation, systemd-tty-ask-password-agent, - udevd, coredump, systemd-analyze, tests) (#1856273) + udevd, coredump, systemd-analyze, tests) (#1856273, #1876905, + #1731557, #1878530) +- Do not fail in test because of kernel bug (#1803070) * Mon Jul 27 2020 Zbigniew Jędrzejewski-Szmek - 245.7-1 - A bunch of backported patches (#1853736, #1857783, #1830896, From 02b1e96a83674a20bfdcac46e9c22e6d5316300b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Mon, 21 Sep 2020 09:40:12 +0200 Subject: [PATCH 22/23] Fix setting of secure bits --- ...-util-let-cap_last_cap-return-unsign.patch | 226 ++++++++++++++++++ ...add-new-function-for-raising-setpcap.patch | 101 ++++++++ 0003-core-fix-securebits-setting.patch | 177 ++++++++++++++ systemd.spec | 9 +- 4 files changed, 512 insertions(+), 1 deletion(-) create mode 100644 0001-basic-capability-util-let-cap_last_cap-return-unsign.patch create mode 100644 0002-capability-util-add-new-function-for-raising-setpcap.patch create mode 100644 0003-core-fix-securebits-setting.patch diff --git a/0001-basic-capability-util-let-cap_last_cap-return-unsign.patch b/0001-basic-capability-util-let-cap_last_cap-return-unsign.patch new file mode 100644 index 0000000..971cc40 --- /dev/null +++ b/0001-basic-capability-util-let-cap_last_cap-return-unsign.patch 
@@ -0,0 +1,226 @@ +From 261680bc0ea61777ac22ea1c42b0d728ec52ae14 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Fri, 10 Jul 2020 16:53:51 +0200 +Subject: [PATCH 1/3] basic/capability-util: let cap_last_cap() return unsigned + integer + +We never return anything higher than 63, so using "long unsigned" +as the type only confused the reader. (We can still use "long unsigned" +and safe_atolu() to parse the kernel file.) + +(cherry picked from commit 864a25d99bb523e7a5c166771e3ddbf39baffd33) +--- + src/basic/cap-list.c | 5 ++--- + src/basic/capability-util.c | 31 ++++++++++++------------------- + src/basic/capability-util.h | 2 +- + src/libsystemd/sd-bus/bus-creds.c | 5 ++--- + src/test/test-capability.c | 2 +- + 5 files changed, 18 insertions(+), 27 deletions(-) + +diff --git a/src/basic/cap-list.c b/src/basic/cap-list.c +index af27d84ba4..2b7834ad98 100644 +--- a/src/basic/cap-list.c ++++ b/src/basic/cap-list.c +@@ -57,12 +57,11 @@ int capability_list_length(void) { + + int capability_set_to_string_alloc(uint64_t set, char **s) { + _cleanup_free_ char *str = NULL; +- unsigned long i; + size_t allocated = 0, n = 0; + + assert(s); + +- for (i = 0; i <= cap_last_cap(); i++) ++ for (unsigned i = 0; i <= cap_last_cap(); i++) + if (set & (UINT64_C(1) << i)) { + const char *p; + char buf[2 + 16 + 1]; +@@ -70,7 +69,7 @@ int capability_set_to_string_alloc(uint64_t set, char **s) { + + p = capability_to_name(i); + if (!p) { +- xsprintf(buf, "0x%lx", i); ++ xsprintf(buf, "0x%x", i); + p = buf; + } + +diff --git a/src/basic/capability-util.c b/src/basic/capability-util.c +index ac96eabc03..5a4d020f52 100644 +--- a/src/basic/capability-util.c ++++ b/src/basic/capability-util.c +@@ -31,8 +31,8 @@ int have_effective_cap(int value) { + return fv == CAP_SET; + } + +-unsigned long cap_last_cap(void) { +- static thread_local unsigned long saved; ++unsigned cap_last_cap(void) { ++ static thread_local unsigned saved; + static thread_local bool valid 
= false; + _cleanup_free_ char *content = NULL; + unsigned long p = 0; +@@ -65,7 +65,7 @@ unsigned long cap_last_cap(void) { + if (prctl(PR_CAPBSET_READ, p) < 0) { + + /* Hmm, look downwards, until we find one that works */ +- for (p--; p > 0; p --) ++ for (p--; p > 0; p--) + if (prctl(PR_CAPBSET_READ, p) >= 0) + break; + +@@ -84,12 +84,10 @@ unsigned long cap_last_cap(void) { + } + + int capability_update_inherited_set(cap_t caps, uint64_t set) { +- unsigned long i; +- + /* Add capabilities in the set to the inherited caps, drops capabilities not in the set. + * Do not apply them yet. */ + +- for (i = 0; i <= cap_last_cap(); i++) { ++ for (unsigned i = 0; i <= cap_last_cap(); i++) { + cap_flag_value_t flag = set & (UINT64_C(1) << i) ? CAP_SET : CAP_CLEAR; + cap_value_t v; + +@@ -104,11 +102,10 @@ int capability_update_inherited_set(cap_t caps, uint64_t set) { + + int capability_ambient_set_apply(uint64_t set, bool also_inherit) { + _cleanup_cap_free_ cap_t caps = NULL; +- unsigned long i; + int r; + + /* Remove capabilities requested in ambient set, but not in the bounding set */ +- for (i = 0; i <= cap_last_cap(); i++) { ++ for (unsigned i = 0; i <= cap_last_cap(); i++) { + if (set == 0) + break; + +@@ -140,7 +137,7 @@ int capability_ambient_set_apply(uint64_t set, bool also_inherit) { + return -errno; + } + +- for (i = 0; i <= cap_last_cap(); i++) { ++ for (unsigned i = 0; i <= cap_last_cap(); i++) { + + if (set & (UINT64_C(1) << i)) { + +@@ -167,7 +164,6 @@ int capability_ambient_set_apply(uint64_t set, bool also_inherit) { + int capability_bounding_set_drop(uint64_t keep, bool right_now) { + _cleanup_cap_free_ cap_t before_cap = NULL, after_cap = NULL; + cap_flag_value_t fv; +- unsigned long i; + int r; + + /* If we are run as PID 1 we will lack CAP_SETPCAP by default +@@ -204,7 +200,7 @@ int capability_bounding_set_drop(uint64_t keep, bool right_now) { + if (!after_cap) + return -errno; + +- for (i = 0; i <= cap_last_cap(); i++) { ++ for (unsigned i = 0; i <= 
cap_last_cap(); i++) { + cap_value_t v; + + if ((keep & (UINT64_C(1) << i))) +@@ -390,7 +386,6 @@ bool ambient_capabilities_supported(void) { + } + + bool capability_quintet_mangle(CapabilityQuintet *q) { +- unsigned long i; + uint64_t combined, drop = 0; + bool ambient_supported; + +@@ -402,7 +397,7 @@ bool capability_quintet_mangle(CapabilityQuintet *q) { + if (ambient_supported) + combined |= q->ambient; + +- for (i = 0; i <= cap_last_cap(); i++) { ++ for (unsigned i = 0; i <= cap_last_cap(); i++) { + unsigned long bit = UINT64_C(1) << i; + if (!FLAGS_SET(combined, bit)) + continue; +@@ -431,16 +426,15 @@ int capability_quintet_enforce(const CapabilityQuintet *q) { + int r; + + if (q->ambient != (uint64_t) -1) { +- unsigned long i; + bool changed = false; + + c = cap_get_proc(); + if (!c) + return -errno; + +- /* In order to raise the ambient caps set we first need to raise the matching inheritable + permitted +- * cap */ +- for (i = 0; i <= cap_last_cap(); i++) { ++ /* In order to raise the ambient caps set we first need to raise the matching ++ * inheritable + permitted cap */ ++ for (unsigned i = 0; i <= cap_last_cap(); i++) { + uint64_t m = UINT64_C(1) << i; + cap_value_t cv = (cap_value_t) i; + cap_flag_value_t old_value_inheritable, old_value_permitted; +@@ -475,7 +469,6 @@ int capability_quintet_enforce(const CapabilityQuintet *q) { + + if (q->inheritable != (uint64_t) -1 || q->permitted != (uint64_t) -1 || q->effective != (uint64_t) -1) { + bool changed = false; +- unsigned long i; + + if (!c) { + c = cap_get_proc(); +@@ -483,7 +476,7 @@ int capability_quintet_enforce(const CapabilityQuintet *q) { + return -errno; + } + +- for (i = 0; i <= cap_last_cap(); i++) { ++ for (unsigned i = 0; i <= cap_last_cap(); i++) { + uint64_t m = UINT64_C(1) << i; + cap_value_t cv = (cap_value_t) i; + +diff --git a/src/basic/capability-util.h b/src/basic/capability-util.h +index b5bce29ab5..fcc59daedc 100644 +--- a/src/basic/capability-util.h ++++ 
b/src/basic/capability-util.h +@@ -12,7 +12,7 @@ + + #define CAP_ALL (uint64_t) -1 + +-unsigned long cap_last_cap(void); ++unsigned cap_last_cap(void); + int have_effective_cap(int value); + int capability_bounding_set_drop(uint64_t keep, bool right_now); + int capability_bounding_set_drop_usermode(uint64_t keep); +diff --git a/src/libsystemd/sd-bus/bus-creds.c b/src/libsystemd/sd-bus/bus-creds.c +index 908b9e75b2..2740be9226 100644 +--- a/src/libsystemd/sd-bus/bus-creds.c ++++ b/src/libsystemd/sd-bus/bus-creds.c +@@ -650,16 +650,15 @@ _public_ int sd_bus_creds_get_description(sd_bus_creds *c, const char **ret) { + } + + static int has_cap(sd_bus_creds *c, size_t offset, int capability) { +- unsigned long lc; + size_t sz; + + assert(c); + assert(capability >= 0); + assert(c->capability); + +- lc = cap_last_cap(); ++ unsigned lc = cap_last_cap(); + +- if ((unsigned long) capability > lc) ++ if ((unsigned) capability > lc) + return 0; + + /* If the last cap is 63, then there are 64 caps defined, and we need 2 entries á 32bit hence. * +diff --git a/src/test/test-capability.c b/src/test/test-capability.c +index 74b27379ea..2e04a8ea5c 100644 +--- a/src/test/test-capability.c ++++ b/src/test/test-capability.c +@@ -240,7 +240,7 @@ static void test_ensure_cap_64bit(void) { + assert_se(p <= 63); + + /* Also check for the header definition */ +- assert_se(CAP_LAST_CAP <= 63); ++ assert_cc(CAP_LAST_CAP <= 63); + } + + int main(int argc, char *argv[]) { diff --git a/0002-capability-util-add-new-function-for-raising-setpcap.patch b/0002-capability-util-add-new-function-for-raising-setpcap.patch new file mode 100644 index 0000000..3a3db1c --- /dev/null +++ b/0002-capability-util-add-new-function-for-raising-setpcap.patch 
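Review bot: In capability_quintet_mangle() the line `unsigned long bit = UINT64_C(1) << i;` is left untouched as context while the loop index beside it is retyped. Where `unsigned long` is 32 bits the value is truncated for `i >= 32`, so `FLAGS_SET(combined, bit)` no longer tests the intended capability bit. Since this patch is already tidying the integer types around `cap_last_cap()`, this line should become `uint64_t bit = UINT64_C(1) << i;`, matching the `uint64_t m = UINT64_C(1) << i;` used in capability_quintet_enforce(). The function body continues outside the hunk, so how `bit` is used afterwards should be checked against the full file.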
@@ -0,0 +1,101 @@
+From b2b382820bcfc166d048b85aadd90f5cf71c7a4a Mon Sep 17 00:00:00 2001
+From: Tobias Kaufmann
+Date: Mon, 31 Aug 2020 12:50:25 +0200
+Subject: [PATCH 2/3] capability-util: add new function for raising setpcap
+
+Up to now the capability CAP_SETPCAP was raised implicitly in the
+function capability_bounding_set_drop.
+
+This functionality is moved into a new function
+(capability_gain_cap_setpcap).
+
+The new function optionally provides the capability set as it was
+before raisining CAP_SETPCAP.
+
+(cherry picked from commit 57d4d284c95a3dfdb9a4e3f74978623cbb3f918a)
+(cherry picked from commit 4f6925484d6152214f881cfc8468d1bfa18dcff9)
+---
+ src/basic/capability-util.c | 40 ++++++++++++++++++++++++-------------
+ src/basic/capability-util.h | 1 +
+ 2 files changed, 27 insertions(+), 14 deletions(-)
+
+diff --git a/src/basic/capability-util.c b/src/basic/capability-util.c
+index 5a4d020f52..ae269e8a8a 100644
+--- a/src/basic/capability-util.c
++++ b/src/basic/capability-util.c
+@@ -161,28 +161,21 @@ int capability_ambient_set_apply(uint64_t set, bool also_inherit) {
+ return 0;
+ }
+
+-int capability_bounding_set_drop(uint64_t keep, bool right_now) {
+- _cleanup_cap_free_ cap_t before_cap = NULL, after_cap = NULL;
++int capability_gain_cap_setpcap(cap_t *ret_before_caps) {
++ _cleanup_cap_free_ cap_t caps = NULL;
+ cap_flag_value_t fv;
+- int r;
+-
+- /* If we are run as PID 1 we will lack CAP_SETPCAP by default
+- * in the effective set (yes, the kernel drops that when
+- * executing init!), so get it back temporarily so that we can
+- * call PR_CAPBSET_DROP. */
+-
+- before_cap = cap_get_proc();
+- if (!before_cap)
++ caps = cap_get_proc();
++ if (!caps)
+ return -errno;
+
+- if (cap_get_flag(before_cap, CAP_SETPCAP, CAP_EFFECTIVE, &fv) < 0)
++ if (cap_get_flag(caps, CAP_SETPCAP, CAP_EFFECTIVE, &fv) < 0)
+ return -errno;
+
+ if (fv != CAP_SET) {
+ _cleanup_cap_free_ cap_t temp_cap = NULL;
+ static const cap_value_t v = CAP_SETPCAP;
+
+- temp_cap = cap_dup(before_cap);
++ temp_cap = cap_dup(caps);
+ if (!temp_cap)
+ return -errno;
+
+@@ -193,8 +186,27 @@ int capability_bounding_set_drop(uint64_t keep, bool right_now) {
+ log_debug_errno(errno, "Can't acquire effective CAP_SETPCAP bit, ignoring: %m");
+
+ /* If we didn't manage to acquire the CAP_SETPCAP bit, we continue anyway, after all this just means
+- * we'll fail later, when we actually intend to drop some capabilities. */
++ * we'll fail later, when we actually intend to drop some capabilities or try to set securebits. */
+ }
++ if (ret_before_caps)
++ /* Return the capabilities as they have been before setting CAP_SETPCAP */
++ *ret_before_caps = TAKE_PTR(caps);
++
++ return 0;
++}
++
++int capability_bounding_set_drop(uint64_t keep, bool right_now) {
++ _cleanup_cap_free_ cap_t before_cap = NULL, after_cap = NULL;
++ int r;
++
++ /* If we are run as PID 1 we will lack CAP_SETPCAP by default
++ * in the effective set (yes, the kernel drops that when
++ * executing init!), so get it back temporarily so that we can
++ * call PR_CAPBSET_DROP. */
++
++ r = capability_gain_cap_setpcap(&before_cap);
++ if (r < 0)
++ return r;
+
+ after_cap = cap_dup(before_cap);
+ if (!after_cap)
+diff --git a/src/basic/capability-util.h b/src/basic/capability-util.h
+index fcc59daedc..fdf6ef8462 100644
+--- a/src/basic/capability-util.h
++++ b/src/basic/capability-util.h
+@@ -14,6 +14,7 @@
+
+ unsigned cap_last_cap(void);
+ int have_effective_cap(int value);
++int capability_gain_cap_setpcap(cap_t *return_caps);
+ int capability_bounding_set_drop(uint64_t keep, bool right_now);
+ int capability_bounding_set_drop_usermode(uint64_t keep);
+
diff --git a/0003-core-fix-securebits-setting.patch b/0003-core-fix-securebits-setting.patch
new file mode 100644
index 0000000..8f83a46
--- /dev/null
+++ b/0003-core-fix-securebits-setting.patch
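Review bot: capability_gain_cap_setpcap() is added without a comment stating its contract, and the added lines show that it returns 0 even when CAP_SETPCAP could not be acquired (that case is only logged at debug level), that nothing visible lowers the bit again, and that `*ret_before_caps = TAKE_PTR(caps)` hands the snapshot to the caller. A comment above the definition would cover it: `/* Tries to raise CAP_SETPCAP in the effective set; returns 0 even if that attempt failed. The caller owns *ret_before_caps (cap_free()) and is responsible for restoring the earlier effective set. */`. For a helper that raises a privilege, who restores the effective set should be written down rather than left to each caller, which matters once code other than capability_bounding_set_drop() calls it. The prototype added to capability-util.h names the parameter `return_caps` while the definition uses `ret_before_caps`; `int capability_gain_cap_setpcap(cap_t *ret_before_caps);` keeps the two in step. The lines between the two inner hunks of capability-util.c are not in the patch text, so the cap_set_proc() step is inferred from the log message.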
@@ -0,0 +1,177 @@
+From 711ca814c9f2e81d3d25ebbed0b837b7d4fbbeda Mon Sep 17 00:00:00 2001
+From: Tobias Kaufmann
+Date: Mon, 31 Aug 2020 13:48:31 +0200
+Subject: [PATCH 3/3] core: fix securebits setting
+
+Desired functionality:
+Set securebits for services started as non-root user.
+
+Failure:
+The starting of the service fails if no ambient capability shall be
+raised.
+... systemd[217941]: ...: Failed to set process secure bits: Operation
+not permitted
+... systemd[217941]: ...: Failed at step SECUREBITS spawning
+/usr/bin/abc.service: Operation not permitted
+... systemd[1]: abc.service: Failed with result 'exit-code'.
+
+Reason:
+For setting securebits the capability CAP_SETPCAP is required. However
+the securebits (if no ambient capability shall be raised) are set after
+setresuid.
+When setresuid is invoked all capabilities are dropped from the
+permitted, effective and ambient capability set. If the securebit
+SECBIT_KEEP_CAPS is set the permitted capability set is retained, but
+the effective and the ambient set are cleared.
+
+If ambient capabilities shall be set, the securebit SECBIT_KEEP_CAPS is
+added to the securebits configured in the service file and set together
+with the securebits from the service file before setresuid is executed
+(in enforce_user).
+Before setresuid is executed the capabilities are the same as for pid1.
+This means that all capabilities in the effective, permitted and
+bounding set are set. Thus the capability CAP_SETPCAP is in the
+effective set and the prctl(PR_SET_SECUREBITS, ...) succeeds.
+However, if the secure bits aren't set before setresuid is invoked they
+shall be set shortly after the uid change in enforce_user.
+This fails as SECBIT_KEEP_CAPS wasn't set before setresuid and in
+consequence the effective and permitted set was cleared, hence
+CAP_SETPCAP is not set in the effective set (and cannot be raised any
+longer) and prctl(PR_SET_SECUREBITS, ...) failes with EPERM.
+
+Proposed solution:
+The proposed solution consists of three parts
+1. Check in enforce_user, if securebits are configured in the service
+ file. If securebits are configured, set SECBIT_KEEP_CAPS
+ before invoking setresuid.
+2. Don't set any other securebits than SECBIT_KEEP_CAPS in enforce_user,
+ but set all requested ones after enforce_user.
+ This has the advantage that securebits are set at the same place for
+ root and non-root services.
+3. Raise CAP_SETPCAP to the effective set (if not already set) before
+ setting the securebits to avoid EPERM during the prctl syscall.
+
+For gaining CAP_SETPCAP the function capability_bounding_set_drop is
+splitted into two functions:
+- The first one raises CAP_SETPCAP (required for dropping bounding
+ capabilities)
+- The second drops the bounding capabilities
+
+Why are ambient capabilities not affected by this change?
+Ambient capabilities get cleared during setresuid, no matter if
+SECBIT_KEEP_CAPS is set or not.
+For raising ambient capabilities for a user different to root, the
+requested capability has to be raised in the inheritable set first. Then
+the SECBIT_KEEP_CAPS securebit needs to be set before setresuid is
+invoked. Afterwards the ambient capability can be raised, because it is
+in the inheritable and permitted set.
+
+Security considerations:
+Although the manpage is ambiguous SECBIT_KEEP_CAPS is cleared during
+execve no matter if SECBIT_KEEP_CAPS_LOCKED is set or not. If both are
+set only SECBIT_KEEP_CAPS_LOCKED is set after execve.
+Setting SECBIT_KEEP_CAPS in enforce_user for being able to set
+securebits is no security risk, as the effective and permitted set are
+set to the value of the ambient set during execve (if the executed file
+has no file capabilities. For details check man 7 capabilities).
+
+Remark:
+In capability-util.c is a comment complaining about the missing
+capability CAP_SETPCAP in the effective set, after the kernel executed
+/sbin/init. Thus it is checked there if this capability has to be raised
+in the effective set before dropping capabilities from the bounding set.
+If this were true all the time, ambient capabilities couldn't be set
+without dropping at least one capability from the bounding set, as the
+capability CAP_SETPCAP would miss and setting SECBIT_KEEP_CAPS would
+fail with EPERM.
+
+(cherry picked from commit dbdc4098f6ebc6bf6e68f0c05a9b4e540d133e3b)
+(cherry picked from commit ab6fcd913593d8ac4ad997e3dab1e1571a03a8bb)
+---
+ src/core/execute.c | 49 +++++++++++++++++++++++++++++++++++++---------
+ 1 file changed, 40 insertions(+), 9 deletions(-)
+
+diff --git a/src/core/execute.c b/src/core/execute.c
+index c7098e14ea..94b5f002d0 100644
+--- a/src/core/execute.c
++++ b/src/core/execute.c
+@@ -1080,26 +1080,42 @@ static int enforce_groups(gid_t gid, const gid_t *supplementary_gids, int ngids)
+ return 0;
+ }
+
++static int set_securebits(int bits, int mask) {
++ int current, applied;
++ current = prctl(PR_GET_SECUREBITS);
++ if (current < 0)
++ return -errno;
++ /* Clear all securebits defined in mask and set bits */
++ applied = (current & ~mask) | bits;
++ if (current == applied)
++ return 0;
++ if (prctl(PR_SET_SECUREBITS, applied) < 0)
++ return -errno;
++ return 1;
++}
++
+ static int enforce_user(const ExecContext *context, uid_t uid) {
+ assert(context);
++ int r;
+
+ if (!uid_is_valid(uid))
+ return 0;
+
+ /* Sets (but doesn't look up) the uid and make sure we keep the
+- * capabilities while doing so. */
++ * capabilities while doing so. For setting secure bits the capability CAP_SETPCAP is
++ * required, so we also need keep-caps in this case.
++ */
+
+- if (context->capability_ambient_set != 0) {
++ if (context->capability_ambient_set != 0 || context->secure_bits != 0) {
+
+ /* First step: If we need to keep capabilities but
+ * drop privileges we need to make sure we keep our
+ * caps, while we drop privileges.
*/ + if (uid != 0) { +- int sb = context->secure_bits | 1< - 245.8-2 +- Fix setting of secure bits (#1880882) + * Sun Sep 20 2020 Zbigniew Jędrzejewski-Szmek - 245.8-1 - Update to latest stable version (smaller fixes to the manager, homed, networkd, resolved, nspawn, sd-boot, bootctl, bless-boot, From 0a8016423048bc7c55379ceb8885f3d7b264f0ff Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Thu, 10 Dec 2020 18:49:59 +0100 Subject: [PATCH 23/23] Version 245.9 --- ...-util-let-cap_last_cap-return-unsign.patch | 226 ------------------ ...add-new-function-for-raising-setpcap.patch | 101 -------- 0003-core-fix-securebits-setting.patch | 177 -------------- sources | 2 +- systemd.spec | 17 +- 5 files changed, 12 insertions(+), 511 deletions(-) delete mode 100644 0001-basic-capability-util-let-cap_last_cap-return-unsign.patch delete mode 100644 0002-capability-util-add-new-function-for-raising-setpcap.patch delete mode 100644 0003-core-fix-securebits-setting.patch diff --git a/0001-basic-capability-util-let-cap_last_cap-return-unsign.patch b/0001-basic-capability-util-let-cap_last_cap-return-unsign.patch deleted file mode 100644 index 971cc40..0000000 --- a/0001-basic-capability-util-let-cap_last_cap-return-unsign.patch +++ /dev/null 
@@ -1,226 +0,0 @@ -From 261680bc0ea61777ac22ea1c42b0d728ec52ae14 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= -Date: Fri, 10 Jul 2020 16:53:51 +0200 -Subject: [PATCH 1/3] basic/capability-util: let cap_last_cap() return unsigned - integer - -We never return anything higher than 63, so using "long unsigned" -as the type only confused the reader. (We can still use "long unsigned" -and safe_atolu() to parse the kernel file.) - -(cherry picked from commit 864a25d99bb523e7a5c166771e3ddbf39baffd33) ---- - src/basic/cap-list.c | 5 ++--- - src/basic/capability-util.c | 31 ++++++++++++------------------- - src/basic/capability-util.h | 2 +- - src/libsystemd/sd-bus/bus-creds.c | 5 ++--- - src/test/test-capability.c | 2 +- - 5 files changed, 18 insertions(+), 27 deletions(-) - -diff --git a/src/basic/cap-list.c b/src/basic/cap-list.c -index af27d84ba4..2b7834ad98 100644 ---- a/src/basic/cap-list.c -+++ b/src/basic/cap-list.c -@@ -57,12 +57,11 @@ int capability_list_length(void) { - - int capability_set_to_string_alloc(uint64_t set, char **s) { - _cleanup_free_ char *str = NULL; -- unsigned long i; - size_t allocated = 0, n = 0; - - assert(s); - -- for (i = 0; i <= cap_last_cap(); i++) -+ for (unsigned i = 0; i <= cap_last_cap(); i++) - if (set & (UINT64_C(1) << i)) { - const char *p; - char buf[2 + 16 + 1]; -@@ -70,7 +69,7 @@ int capability_set_to_string_alloc(uint64_t set, char **s) { - - p = capability_to_name(i); - if (!p) { -- xsprintf(buf, "0x%lx", i); -+ xsprintf(buf, "0x%x", i); - p = buf; - } - -diff --git a/src/basic/capability-util.c b/src/basic/capability-util.c -index ac96eabc03..5a4d020f52 100644 ---- a/src/basic/capability-util.c -+++ b/src/basic/capability-util.c -@@ -31,8 +31,8 @@ int have_effective_cap(int value) { - return fv == CAP_SET; - } - --unsigned long cap_last_cap(void) { -- static thread_local unsigned long saved; -+unsigned cap_last_cap(void) { -+ static thread_local unsigned saved; - static thread_local bool valid 
= false; - _cleanup_free_ char *content = NULL; - unsigned long p = 0; -@@ -65,7 +65,7 @@ unsigned long cap_last_cap(void) { - if (prctl(PR_CAPBSET_READ, p) < 0) { - - /* Hmm, look downwards, until we find one that works */ -- for (p--; p > 0; p --) -+ for (p--; p > 0; p--) - if (prctl(PR_CAPBSET_READ, p) >= 0) - break; - -@@ -84,12 +84,10 @@ unsigned long cap_last_cap(void) { - } - - int capability_update_inherited_set(cap_t caps, uint64_t set) { -- unsigned long i; -- - /* Add capabilities in the set to the inherited caps, drops capabilities not in the set. - * Do not apply them yet. */ - -- for (i = 0; i <= cap_last_cap(); i++) { -+ for (unsigned i = 0; i <= cap_last_cap(); i++) { - cap_flag_value_t flag = set & (UINT64_C(1) << i) ? CAP_SET : CAP_CLEAR; - cap_value_t v; - -@@ -104,11 +102,10 @@ int capability_update_inherited_set(cap_t caps, uint64_t set) { - - int capability_ambient_set_apply(uint64_t set, bool also_inherit) { - _cleanup_cap_free_ cap_t caps = NULL; -- unsigned long i; - int r; - - /* Remove capabilities requested in ambient set, but not in the bounding set */ -- for (i = 0; i <= cap_last_cap(); i++) { -+ for (unsigned i = 0; i <= cap_last_cap(); i++) { - if (set == 0) - break; - -@@ -140,7 +137,7 @@ int capability_ambient_set_apply(uint64_t set, bool also_inherit) { - return -errno; - } - -- for (i = 0; i <= cap_last_cap(); i++) { -+ for (unsigned i = 0; i <= cap_last_cap(); i++) { - - if (set & (UINT64_C(1) << i)) { - -@@ -167,7 +164,6 @@ int capability_ambient_set_apply(uint64_t set, bool also_inherit) { - int capability_bounding_set_drop(uint64_t keep, bool right_now) { - _cleanup_cap_free_ cap_t before_cap = NULL, after_cap = NULL; - cap_flag_value_t fv; -- unsigned long i; - int r; - - /* If we are run as PID 1 we will lack CAP_SETPCAP by default -@@ -204,7 +200,7 @@ int capability_bounding_set_drop(uint64_t keep, bool right_now) { - if (!after_cap) - return -errno; - -- for (i = 0; i <= cap_last_cap(); i++) { -+ for (unsigned i = 0; i <= 
cap_last_cap(); i++) { - cap_value_t v; - - if ((keep & (UINT64_C(1) << i))) -@@ -390,7 +386,6 @@ bool ambient_capabilities_supported(void) { - } - - bool capability_quintet_mangle(CapabilityQuintet *q) { -- unsigned long i; - uint64_t combined, drop = 0; - bool ambient_supported; - -@@ -402,7 +397,7 @@ bool capability_quintet_mangle(CapabilityQuintet *q) { - if (ambient_supported) - combined |= q->ambient; - -- for (i = 0; i <= cap_last_cap(); i++) { -+ for (unsigned i = 0; i <= cap_last_cap(); i++) { - unsigned long bit = UINT64_C(1) << i; - if (!FLAGS_SET(combined, bit)) - continue; -@@ -431,16 +426,15 @@ int capability_quintet_enforce(const CapabilityQuintet *q) { - int r; - - if (q->ambient != (uint64_t) -1) { -- unsigned long i; - bool changed = false; - - c = cap_get_proc(); - if (!c) - return -errno; - -- /* In order to raise the ambient caps set we first need to raise the matching inheritable + permitted -- * cap */ -- for (i = 0; i <= cap_last_cap(); i++) { -+ /* In order to raise the ambient caps set we first need to raise the matching -+ * inheritable + permitted cap */ -+ for (unsigned i = 0; i <= cap_last_cap(); i++) { - uint64_t m = UINT64_C(1) << i; - cap_value_t cv = (cap_value_t) i; - cap_flag_value_t old_value_inheritable, old_value_permitted; -@@ -475,7 +469,6 @@ int capability_quintet_enforce(const CapabilityQuintet *q) { - - if (q->inheritable != (uint64_t) -1 || q->permitted != (uint64_t) -1 || q->effective != (uint64_t) -1) { - bool changed = false; -- unsigned long i; - - if (!c) { - c = cap_get_proc(); -@@ -483,7 +476,7 @@ int capability_quintet_enforce(const CapabilityQuintet *q) { - return -errno; - } - -- for (i = 0; i <= cap_last_cap(); i++) { -+ for (unsigned i = 0; i <= cap_last_cap(); i++) { - uint64_t m = UINT64_C(1) << i; - cap_value_t cv = (cap_value_t) i; - -diff --git a/src/basic/capability-util.h b/src/basic/capability-util.h -index b5bce29ab5..fcc59daedc 100644 ---- a/src/basic/capability-util.h -+++ 
b/src/basic/capability-util.h -@@ -12,7 +12,7 @@ - - #define CAP_ALL (uint64_t) -1 - --unsigned long cap_last_cap(void); -+unsigned cap_last_cap(void); - int have_effective_cap(int value); - int capability_bounding_set_drop(uint64_t keep, bool right_now); - int capability_bounding_set_drop_usermode(uint64_t keep); -diff --git a/src/libsystemd/sd-bus/bus-creds.c b/src/libsystemd/sd-bus/bus-creds.c -index 908b9e75b2..2740be9226 100644 ---- a/src/libsystemd/sd-bus/bus-creds.c -+++ b/src/libsystemd/sd-bus/bus-creds.c -@@ -650,16 +650,15 @@ _public_ int sd_bus_creds_get_description(sd_bus_creds *c, const char **ret) { - } - - static int has_cap(sd_bus_creds *c, size_t offset, int capability) { -- unsigned long lc; - size_t sz; - - assert(c); - assert(capability >= 0); - assert(c->capability); - -- lc = cap_last_cap(); -+ unsigned lc = cap_last_cap(); - -- if ((unsigned long) capability > lc) -+ if ((unsigned) capability > lc) - return 0; - - /* If the last cap is 63, then there are 64 caps defined, and we need 2 entries á 32bit hence. * -diff --git a/src/test/test-capability.c b/src/test/test-capability.c -index 74b27379ea..2e04a8ea5c 100644 ---- a/src/test/test-capability.c -+++ b/src/test/test-capability.c -@@ -240,7 +240,7 @@ static void test_ensure_cap_64bit(void) { - assert_se(p <= 63); - - /* Also check for the header definition */ -- assert_se(CAP_LAST_CAP <= 63); -+ assert_cc(CAP_LAST_CAP <= 63); - } - - int main(int argc, char *argv[]) { diff --git a/0002-capability-util-add-new-function-for-raising-setpcap.patch b/0002-capability-util-add-new-function-for-raising-setpcap.patch deleted file mode 100644 index 3a3db1c..0000000 --- a/0002-capability-util-add-new-function-for-raising-setpcap.patch +++ /dev/null 
@@ -1,101 +0,0 @@ -From b2b382820bcfc166d048b85aadd90f5cf71c7a4a Mon Sep 17 00:00:00 2001 -From: Tobias Kaufmann -Date: Mon, 31 Aug 2020 12:50:25 +0200 -Subject: [PATCH 2/3] capability-util: add new function for raising setpcap - -Up to now the capability CAP_SETPCAP was raised implicitly in the -function capability_bounding_set_drop. - -This functionality is moved into a new function -(capability_gain_cap_setpcap). - -The new function optionally provides the capability set as it was -before raisining CAP_SETPCAP. - -(cherry picked from commit 57d4d284c95a3dfdb9a4e3f74978623cbb3f918a) -(cherry picked from commit 4f6925484d6152214f881cfc8468d1bfa18dcff9) ---- - src/basic/capability-util.c | 40 ++++++++++++++++++++++++------------- - src/basic/capability-util.h | 1 + - 2 files changed, 27 insertions(+), 14 deletions(-) - -diff --git a/src/basic/capability-util.c b/src/basic/capability-util.c -index 5a4d020f52..ae269e8a8a 100644 ---- a/src/basic/capability-util.c -+++ b/src/basic/capability-util.c -@@ -161,28 +161,21 @@ int capability_ambient_set_apply(uint64_t set, bool also_inherit) { - return 0; - } - --int capability_bounding_set_drop(uint64_t keep, bool right_now) { -- _cleanup_cap_free_ cap_t before_cap = NULL, after_cap = NULL; -+int capability_gain_cap_setpcap(cap_t *ret_before_caps) { -+ _cleanup_cap_free_ cap_t caps = NULL; - cap_flag_value_t fv; -- int r; -- -- /* If we are run as PID 1 we will lack CAP_SETPCAP by default -- * in the effective set (yes, the kernel drops that when -- * executing init!), so get it back temporarily so that we can -- * call PR_CAPBSET_DROP. 
*/ -- -- before_cap = cap_get_proc(); -- if (!before_cap) -+ caps = cap_get_proc(); -+ if (!caps) - return -errno; - -- if (cap_get_flag(before_cap, CAP_SETPCAP, CAP_EFFECTIVE, &fv) < 0) -+ if (cap_get_flag(caps, CAP_SETPCAP, CAP_EFFECTIVE, &fv) < 0) - return -errno; - - if (fv != CAP_SET) { - _cleanup_cap_free_ cap_t temp_cap = NULL; - static const cap_value_t v = CAP_SETPCAP; - -- temp_cap = cap_dup(before_cap); -+ temp_cap = cap_dup(caps); - if (!temp_cap) - return -errno; - -@@ -193,8 +186,27 @@ int capability_bounding_set_drop(uint64_t keep, bool right_now) { - log_debug_errno(errno, "Can't acquire effective CAP_SETPCAP bit, ignoring: %m"); - - /* If we didn't manage to acquire the CAP_SETPCAP bit, we continue anyway, after all this just means -- * we'll fail later, when we actually intend to drop some capabilities. */ -+ * we'll fail later, when we actually intend to drop some capabilities or try to set securebits. */ - } -+ if (ret_before_caps) -+ /* Return the capabilities as they have been before setting CAP_SETPCAP */ -+ *ret_before_caps = TAKE_PTR(caps); -+ -+ return 0; -+} -+ -+int capability_bounding_set_drop(uint64_t keep, bool right_now) { -+ _cleanup_cap_free_ cap_t before_cap = NULL, after_cap = NULL; -+ int r; -+ -+ /* If we are run as PID 1 we will lack CAP_SETPCAP by default -+ * in the effective set (yes, the kernel drops that when -+ * executing init!), so get it back temporarily so that we can -+ * call PR_CAPBSET_DROP. 
*/ -+ -+ r = capability_gain_cap_setpcap(&before_cap); -+ if (r < 0) -+ return r; - - after_cap = cap_dup(before_cap); - if (!after_cap) -diff --git a/src/basic/capability-util.h b/src/basic/capability-util.h -index fcc59daedc..fdf6ef8462 100644 ---- a/src/basic/capability-util.h -+++ b/src/basic/capability-util.h -@@ -14,6 +14,7 @@ - - unsigned cap_last_cap(void); - int have_effective_cap(int value); -+int capability_gain_cap_setpcap(cap_t *return_caps); - int capability_bounding_set_drop(uint64_t keep, bool right_now); - int capability_bounding_set_drop_usermode(uint64_t keep); - diff --git a/0003-core-fix-securebits-setting.patch b/0003-core-fix-securebits-setting.patch deleted file mode 100644 index 8f83a46..0000000 --- a/0003-core-fix-securebits-setting.patch +++ /dev/null 
@@ -1,177 +0,0 @@ -From 711ca814c9f2e81d3d25ebbed0b837b7d4fbbeda Mon Sep 17 00:00:00 2001 -From: Tobias Kaufmann -Date: Mon, 31 Aug 2020 13:48:31 +0200 -Subject: [PATCH 3/3] core: fix securebits setting - -Desired functionality: -Set securebits for services started as non-root user. - -Failure: -The starting of the service fails if no ambient capability shall be -raised. -... systemd[217941]: ...: Failed to set process secure bits: Operation -not permitted -... systemd[217941]: ...: Failed at step SECUREBITS spawning -/usr/bin/abc.service: Operation not permitted -... systemd[1]: abc.service: Failed with result 'exit-code'. - -Reason: -For setting securebits the capability CAP_SETPCAP is required. However -the securebits (if no ambient capability shall be raised) are set after -setresuid. -When setresuid is invoked all capabilities are dropped from the -permitted, effective and ambient capability set. If the securebit -SECBIT_KEEP_CAPS is set the permitted capability set is retained, but -the effective and the ambient set are cleared. - -If ambient capabilities shall be set, the securebit SECBIT_KEEP_CAPS is -added to the securebits configured in the service file and set together -with the securebits from the service file before setresuid is executed -(in enforce_user). -Before setresuid is executed the capabilities are the same as for pid1. -This means that all capabilities in the effective, permitted and -bounding set are set. Thus the capability CAP_SETPCAP is in the -effective set and the prctl(PR_SET_SECUREBITS, ...) succeeds. -However, if the secure bits aren't set before setresuid is invoked they -shall be set shortly after the uid change in enforce_user. -This fails as SECBIT_KEEP_CAPS wasn't set before setresuid and in -consequence the effective and permitted set was cleared, hence -CAP_SETPCAP is not set in the effective set (and cannot be raised any -longer) and prctl(PR_SET_SECUREBITS, ...) failes with EPERM. 
- -Proposed solution: -The proposed solution consists of three parts -1. Check in enforce_user, if securebits are configured in the service - file. If securebits are configured, set SECBIT_KEEP_CAPS - before invoking setresuid. -2. Don't set any other securebits than SECBIT_KEEP_CAPS in enforce_user, - but set all requested ones after enforce_user. - This has the advantage that securebits are set at the same place for - root and non-root services. -3. Raise CAP_SETPCAP to the effective set (if not already set) before - setting the securebits to avoid EPERM during the prctl syscall. - -For gaining CAP_SETPCAP the function capability_bounding_set_drop is -splitted into two functions: -- The first one raises CAP_SETPCAP (required for dropping bounding - capabilities) -- The second drops the bounding capabilities - -Why are ambient capabilities not affected by this change? -Ambient capabilities get cleared during setresuid, no matter if -SECBIT_KEEP_CAPS is set or not. -For raising ambient capabilities for a user different to root, the -requested capability has to be raised in the inheritable set first. Then -the SECBIT_KEEP_CAPS securebit needs to be set before setresuid is -invoked. Afterwards the ambient capability can be raised, because it is -in the inheritable and permitted set. - -Security considerations: -Although the manpage is ambiguous SECBIT_KEEP_CAPS is cleared during -execve no matter if SECBIT_KEEP_CAPS_LOCKED is set or not. If both are -set only SECBIT_KEEP_CAPS_LOCKED is set after execve. -Setting SECBIT_KEEP_CAPS in enforce_user for being able to set -securebits is no security risk, as the effective and permitted set are -set to the value of the ambient set during execve (if the executed file -has no file capabilities. For details check man 7 capabilities). - -Remark: -In capability-util.c is a comment complaining about the missing -capability CAP_SETPCAP in the effective set, after the kernel executed -/sbin/init. 
Thus it is checked there if this capability has to be raised -in the effective set before dropping capabilities from the bounding set. -If this were true all the time, ambient capabilities couldn't be set -without dropping at least one capability from the bounding set, as the -capability CAP_SETPCAP would miss and setting SECBIT_KEEP_CAPS would -fail with EPERM. - -(cherry picked from commit dbdc4098f6ebc6bf6e68f0c05a9b4e540d133e3b) -(cherry picked from commit ab6fcd913593d8ac4ad997e3dab1e1571a03a8bb) ---- - src/core/execute.c | 49 +++++++++++++++++++++++++++++++++++++--------- - 1 file changed, 40 insertions(+), 9 deletions(-) - -diff --git a/src/core/execute.c b/src/core/execute.c -index c7098e14ea..94b5f002d0 100644 ---- a/src/core/execute.c -+++ b/src/core/execute.c -@@ -1080,26 +1080,42 @@ static int enforce_groups(gid_t gid, const gid_t *supplementary_gids, int ngids) - return 0; - } - -+static int set_securebits(int bits, int mask) { -+ int current, applied; -+ current = prctl(PR_GET_SECUREBITS); -+ if (current < 0) -+ return -errno; -+ /* Clear all securebits defined in mask and set bits */ -+ applied = (current & ~mask) | bits; -+ if (current == applied) -+ return 0; -+ if (prctl(PR_SET_SECUREBITS, applied) < 0) -+ return -errno; -+ return 1; -+} -+ - static int enforce_user(const ExecContext *context, uid_t uid) { - assert(context); -+ int r; - - if (!uid_is_valid(uid)) - return 0; - - /* Sets (but doesn't look up) the uid and make sure we keep the -- * capabilities while doing so. */ -+ * capabilities while doing so. For setting secure bits the capability CAP_SETPCAP is -+ * required, so we also need keep-caps in this case. -+ */ - -- if (context->capability_ambient_set != 0) { -+ if (context->capability_ambient_set != 0 || context->secure_bits != 0) { - - /* First step: If we need to keep capabilities but - * drop privileges we need to make sure we keep our - * caps, while we drop privileges. 
*/ - if (uid != 0) { -- int sb = context->secure_bits | 1< - 245.9-1 +- Latest stable release (various smaller fixes to documentation, shell + completions, support for newer kernels, compilation with newer meson and + glibc) +- 'systemctl import-environment' will ignore variables deemed invalid, so + import-environment still works even if bash functions are exported (#1754395) +- The pager will be executed in secure mode when systemctl and other tools + are executed under changed euid + * Mon Sep 21 2020 Zbigniew Jędrzejewski-Szmek - 245.8-2 - Fix setting of secure bits (#1880882)