From 593d1c3279e976d3d6c8721b5375600a7ab5b4cb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Thu, 17 Oct 2019 23:34:23 +0200 Subject: [PATCH 01/16] Fix typo in %changelog https://bugzilla.redhat.com/show_bug.cgi?id=1745600 --- systemd.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/systemd.spec b/systemd.spec index a53542d..517ff1e 100644 --- a/systemd.spec +++ b/systemd.spec @@ -730,7 +730,7 @@ fi - Update to latest pre-release. Fixes #1740113, #1717712. - The default scheduler for disks is set to BFQ (1738828) - The default cgroup hierarchy is set to unified (cgroups v2) (#1732114). - Use systemd.unified-cgroup-hierachy=0 on the kernel command line to revert. + Use systemd.unified-cgroup-hierarchy=0 on the kernel command line to revert. See https://fedoraproject.org/wiki/Changes/CGroupsV2. * Wed Aug 07 2019 Adam Williamson - 243~rc1-2 From 7ec8ed014e201bd3cae77c6463a5152cb6008a83 Mon Sep 17 00:00:00 2001 From: Adam Williamson Date: Fri, 18 Oct 2019 19:09:45 -0700 Subject: [PATCH 02/16] Backport PR #13792 to fix nomodeset+BIOS CanGraphical bug (#1728240) --- 13792.patch | 104 +++++++++++++++++++++++++++++++++++++++++++++++++++ systemd.spec | 10 ++++- 2 files changed, 113 insertions(+), 1 deletion(-) create mode 100644 13792.patch diff --git a/13792.patch b/13792.patch new file mode 100644 index 0000000..e127ebc --- /dev/null +++ b/13792.patch 
@@ -0,0 +1,104 @@ +From 8af4c8abfb59ab66f1f5a34f0eac1342e6f0c7e5 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Thu, 17 Oct 2019 12:37:12 +0200 +Subject: [PATCH] udev: tag any display devices as master-of-seat when + nomodeset is used +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Fixes #13773. See also https://bugzilla.redhat.com/show_bug.cgi?id=1728240, +https://github.com/sddm/sddm/issues/1204. + +When nomodeset is used on the kernel command line, there is no graphics +device that the kernel knows, so we don't tag anything as master-of-seat, +and seat0 has CanGraphical=no. + +$ loginctl seat-status seat0 ; loginctl show-seat seat0 +seat0 + Devices: + ├─/sys/devices/LNXSYSTM:00/LNXPWRBN:00/input/input0 + │ input:input0 "Power Button" + ├─/sys/devices/pci0000:00/0000:00:02.1/0000:02:00.0/usb1 + │ usb:usb1 + │ └─/sys/devices/pci0000:00/0000:00:02.1/0000:02:00.0/usb1/1-1/1-1:1.0/0003:0627:0001.0001/input/input4 + │ input:input4 "QEMU QEMU USB Tablet" + ├─/sys/devices/pci0000:00/0000:00:02.1/0000:02:00.0/usb2 + │ usb:usb2 + ├─/sys/devices/pci0000:00/0000:00:1b.0/sound/card0 + │ sound:card0 "Intel" + ├─/sys/devices/platform/i8042/serio0/input/input1 + │ input:input1 "AT Translated Set 2 keyboard" + │ ├─/sys/devices/platform/i8042/serio0/input/input1/input1::capslock + │ │ leds:input1::capslock + │ ├─/sys/devices/platform/i8042/serio0/input/input1/input1::numlock + │ │ leds:input1::numlock + │ └─/sys/devices/platform/i8042/serio0/input/input1/input1::scrolllock + │ leds:input1::scrolllock + └─/sys/devices/platform/i8042/serio1/input/input3 + input:input3 "ImExPS/2 Generic Explorer Mouse" +Id=seat0 +CanMultiSession=yes +CanTTY=yes +CanGraphical=no +Sessions= +IdleHint=yes +IdleSinceHint=0 +IdleSinceHintMonotonic=0 + +Let's tag the PCI device with "master-of-seat", so we get CanGraphical=yes, and "seat", +so it is show as part of the seat: + +[fedora@f31-bios ~]$ loginctl seat-status 
seat0 ; loginctl show-seat seat0 +seat0 + Devices: + ├─/sys/devices/LNXSYSTM:00/LNXPWRBN:00/input/input0 + │ input:input0 "Power Button" + ├─/sys/devices/pci0000:00/0000:00:01.0 + │ [MASTER] pci:0000:00:01.0 + ├─/sys/devices/pci0000:00/0000:00:02.1/0000:02:00.0/usb1 + │ usb:usb1 + │ └─/sys/devices/pci0000:00/0000:00:02.1/0000:02:00.0/usb1/1-1/1-1:1.0/0003:0627:0001.0001/input/input4 + │ input:input4 "QEMU QEMU USB Tablet" + ├─/sys/devices/pci0000:00/0000:00:02.1/0000:02:00.0/usb2 + │ usb:usb2 + ├─/sys/devices/pci0000:00/0000:00:1b.0/sound/card0 + │ sound:card0 "Intel" + ├─/sys/devices/platform/i8042/serio0/input/input1 + │ input:input1 "AT Translated Set 2 keyboard" + │ ├─/sys/devices/platform/i8042/serio0/input/input1/input1::capslock + │ │ leds:input1::capslock + │ ├─/sys/devices/platform/i8042/serio0/input/input1/input1::numlock + │ │ leds:input1::numlock + │ └─/sys/devices/platform/i8042/serio0/input/input1/input1::scrolllock + │ leds:input1::scrolllock + └─/sys/devices/platform/i8042/serio1/input/input3 + input:input3 "ImExPS/2 Generic Explorer Mouse" +Id=seat0 +CanMultiSession=yes +CanTTY=yes +CanGraphical=yes +Sessions= +IdleHint=yes +IdleSinceHint=0 +IdleSinceHintMonotonic=0 +--- + src/login/71-seat.rules.in | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/src/login/71-seat.rules.in b/src/login/71-seat.rules.in +index 6010f048aef..2bbd18363e6 100644 +--- a/src/login/71-seat.rules.in ++++ b/src/login/71-seat.rules.in +@@ -24,6 +24,11 @@ SUBSYSTEM=="graphics", KERNEL=="fb[0-9]", DRIVERS=="hyperv_fb", TAG+="master-of- + # Allow efifb / uvesafb to be a master if KMS is disabled + SUBSYSTEM=="graphics", KERNEL=="fb[0-9]", IMPORT{cmdline}="nomodeset", TAG+="master-of-seat" + ++# Allow any PCI graphics device to be a master and synthesize a seat if KMS ++# is disabled and the kernel doesn't have a driver that would work with this device. 
++SUBSYSTEM=="pci", ENV{ID_PCI_CLASS_FROM_DATABASE}=="Display controller", \ ++ ENV{DRIVER}=="", IMPORT{cmdline}="nomodeset", TAG+="seat", TAG+="master-of-seat" ++ + SUBSYSTEM=="drm", KERNEL=="card[0-9]*", TAG+="seat", TAG+="master-of-seat" + SUBSYSTEM=="usb", ATTR{bDeviceClass}=="09", TAG+="seat" + diff --git a/systemd.spec b/systemd.spec index 517ff1e..a0ae4d4 100644 --- a/systemd.spec +++ b/systemd.spec @@ -15,7 +15,7 @@ Name: systemd Url: https://www.freedesktop.org/wiki/Software/systemd Version: 243 -Release: 3%{?commit:.git%{shortcommit}}%{?dist} +Release: 4%{?commit:.git%{shortcommit}}%{?dist} # For a breakdown of the licensing, see README License: LGPLv2+ and MIT and GPLv2+ Summary: System and Service Manager @@ -57,6 +57,11 @@ Patch0001: https://github.com/keszybz/systemd/commit/464a73411c13596a130a7a Patch0002: 0002-Revert-units-set-NoNewPrivileges-for-all-long-runnin.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=1728240 +# https://github.com/systemd/systemd/issues/13773 +# https://github.com/systemd/systemd/pull/13792 +Patch0003: 13792.patch + Patch0998: 0998-resolved-create-etc-resolv.conf-symlink-at-runtime.patch %ifarch %{ix86} x86_64 aarch64 @@ -699,6 +704,9 @@ fi %files tests -f .file-list-tests %changelog +* Fri Oct 18 2019 Adam Williamson - 243-4.gitef67743 +- Backport PR #13792 to fix nomodeset+BIOS CanGraphical bug (#1728240) + * Thu Oct 10 2019 Zbigniew Jędrzejewski-Szmek - 243-3.gitef67743 - Various minor documentation and error message cleanups - Do not use cgroup v1 hierarchy in nspawn on groups v2 (#1756143) From 3d8b607209e4c3730e036b8ff64cd2094e23660e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Sun, 20 Oct 2019 11:57:02 +0200 Subject: [PATCH 03/16] Remove recommendation to use %{?systemd_requires} https://pagure.io/packaging-committee/issue/921 --- systemd.spec | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/systemd.spec b/systemd.spec index a0ae4d4..6d007f2 100644 
--- a/systemd.spec +++ b/systemd.spec @@ -199,8 +199,11 @@ Summary: Macros that define paths and scriptlets related to systemd BuildArch: noarch %description rpm-macros -Just the definitions of rpm macros. Use %%{?systemd_requires} in the -binary packages that use any scriptlets from this package. +Just the definitions of rpm macros. + +See +https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_systemd +for information how to use those macros. %package devel Summary: Development headers for systemd From 05ce3560eab9802d192968ce86fabb2289c05dd9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Tue, 19 Nov 2019 13:27:41 +0100 Subject: [PATCH 04/16] Update to v243.4 --- 13792.patch | 104 --------------------------------------------------- sources | 2 +- systemd.spec | 24 ++++++++---- 3 files changed, 17 insertions(+), 113 deletions(-) delete mode 100644 13792.patch diff --git a/13792.patch b/13792.patch deleted file mode 100644 index e127ebc..0000000 --- a/13792.patch +++ /dev/null 
@@ -1,104 +0,0 @@ -From 8af4c8abfb59ab66f1f5a34f0eac1342e6f0c7e5 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= -Date: Thu, 17 Oct 2019 12:37:12 +0200 -Subject: [PATCH] udev: tag any display devices as master-of-seat when - nomodeset is used -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Fixes #13773. See also https://bugzilla.redhat.com/show_bug.cgi?id=1728240, -https://github.com/sddm/sddm/issues/1204. - -When nomodeset is used on the kernel command line, there is no graphics -device that the kernel knows, so we don't tag anything as master-of-seat, -and seat0 has CanGraphical=no. - -$ loginctl seat-status seat0 ; loginctl show-seat seat0 -seat0 - Devices: - ├─/sys/devices/LNXSYSTM:00/LNXPWRBN:00/input/input0 - │ input:input0 "Power Button" - ├─/sys/devices/pci0000:00/0000:00:02.1/0000:02:00.0/usb1 - │ usb:usb1 - │ └─/sys/devices/pci0000:00/0000:00:02.1/0000:02:00.0/usb1/1-1/1-1:1.0/0003:0627:0001.0001/input/input4 - │ input:input4 "QEMU QEMU USB Tablet" - ├─/sys/devices/pci0000:00/0000:00:02.1/0000:02:00.0/usb2 - │ usb:usb2 - ├─/sys/devices/pci0000:00/0000:00:1b.0/sound/card0 - │ sound:card0 "Intel" - ├─/sys/devices/platform/i8042/serio0/input/input1 - │ input:input1 "AT Translated Set 2 keyboard" - │ ├─/sys/devices/platform/i8042/serio0/input/input1/input1::capslock - │ │ leds:input1::capslock - │ ├─/sys/devices/platform/i8042/serio0/input/input1/input1::numlock - │ │ leds:input1::numlock - │ └─/sys/devices/platform/i8042/serio0/input/input1/input1::scrolllock - │ leds:input1::scrolllock - └─/sys/devices/platform/i8042/serio1/input/input3 - input:input3 "ImExPS/2 Generic Explorer Mouse" -Id=seat0 -CanMultiSession=yes -CanTTY=yes -CanGraphical=no -Sessions= -IdleHint=yes -IdleSinceHint=0 -IdleSinceHintMonotonic=0 - -Let's tag the PCI device with "master-of-seat", so we get CanGraphical=yes, and "seat", -so it is show as part of the seat: - -[fedora@f31-bios ~]$ loginctl seat-status 
seat0 ; loginctl show-seat seat0 -seat0 - Devices: - ├─/sys/devices/LNXSYSTM:00/LNXPWRBN:00/input/input0 - │ input:input0 "Power Button" - ├─/sys/devices/pci0000:00/0000:00:01.0 - │ [MASTER] pci:0000:00:01.0 - ├─/sys/devices/pci0000:00/0000:00:02.1/0000:02:00.0/usb1 - │ usb:usb1 - │ └─/sys/devices/pci0000:00/0000:00:02.1/0000:02:00.0/usb1/1-1/1-1:1.0/0003:0627:0001.0001/input/input4 - │ input:input4 "QEMU QEMU USB Tablet" - ├─/sys/devices/pci0000:00/0000:00:02.1/0000:02:00.0/usb2 - │ usb:usb2 - ├─/sys/devices/pci0000:00/0000:00:1b.0/sound/card0 - │ sound:card0 "Intel" - ├─/sys/devices/platform/i8042/serio0/input/input1 - │ input:input1 "AT Translated Set 2 keyboard" - │ ├─/sys/devices/platform/i8042/serio0/input/input1/input1::capslock - │ │ leds:input1::capslock - │ ├─/sys/devices/platform/i8042/serio0/input/input1/input1::numlock - │ │ leds:input1::numlock - │ └─/sys/devices/platform/i8042/serio0/input/input1/input1::scrolllock - │ leds:input1::scrolllock - └─/sys/devices/platform/i8042/serio1/input/input3 - input:input3 "ImExPS/2 Generic Explorer Mouse" -Id=seat0 -CanMultiSession=yes -CanTTY=yes -CanGraphical=yes -Sessions= -IdleHint=yes -IdleSinceHint=0 -IdleSinceHintMonotonic=0 ---- - src/login/71-seat.rules.in | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/src/login/71-seat.rules.in b/src/login/71-seat.rules.in -index 6010f048aef..2bbd18363e6 100644 ---- a/src/login/71-seat.rules.in -+++ b/src/login/71-seat.rules.in -@@ -24,6 +24,11 @@ SUBSYSTEM=="graphics", KERNEL=="fb[0-9]", DRIVERS=="hyperv_fb", TAG+="master-of- - # Allow efifb / uvesafb to be a master if KMS is disabled - SUBSYSTEM=="graphics", KERNEL=="fb[0-9]", IMPORT{cmdline}="nomodeset", TAG+="master-of-seat" - -+# Allow any PCI graphics device to be a master and synthesize a seat if KMS -+# is disabled and the kernel doesn't have a driver that would work with this device. 
-+SUBSYSTEM=="pci", ENV{ID_PCI_CLASS_FROM_DATABASE}=="Display controller", \ -+ ENV{DRIVER}=="", IMPORT{cmdline}="nomodeset", TAG+="seat", TAG+="master-of-seat" -+ - SUBSYSTEM=="drm", KERNEL=="card[0-9]*", TAG+="seat", TAG+="master-of-seat" - SUBSYSTEM=="usb", ATTR{bDeviceClass}=="09", TAG+="seat" - diff --git a/sources b/sources index 05390ac..8de697a 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (systemd-ef67743.tar.gz) = 9e905ef4f310f5cbd739f15d51e8c500b0e6ce2fbd2ad33b6568e06212ecfb5bba1347754c00b37d30a5b65cd2432d99aef87ebbafa1a94b4185d773f4ce4987 +SHA512 (systemd-243.4.tar.gz) = f121e4ea0c65050e3cd2dcbb3d3e8aa24f728548976ba72d6da26c61fb80c4352f1ba259be4310081acde901c13b1e812cf7df4d84d6cd2bd3c4f8acf72300fb diff --git a/systemd.spec b/systemd.spec index 6d007f2..4db4312 100644 --- a/systemd.spec +++ b/systemd.spec @@ -1,4 +1,4 @@ -%global commit ef677436aa203c24816021dd698b57f219f0ff64 +#global commit ef677436aa203c24816021dd698b57f219f0ff64 %{?commit:%global shortcommit %(c=%{commit}; echo ${c:0:7})} %global stable 1 @@ -14,8 +14,8 @@ Name: systemd Url: https://www.freedesktop.org/wiki/Software/systemd -Version: 243 -Release: 4%{?commit:.git%{shortcommit}}%{?dist} +Version: 243.4 +Release: 1%{?commit:.git%{shortcommit}}%{?dist} # For a breakdown of the licensing, see README License: LGPLv2+ and MIT and GPLv2+ Summary: System and Service Manager @@ -26,8 +26,12 @@ Summary: System and Service Manager %if %{defined commit} Source0: https://github.com/systemd/systemd%{?stable:-stable}/archive/%{commit}/%{name}-%{shortcommit}.tar.gz %else +%if 0%{stable} +Source0: https://github.com/systemd/systemd-stable/archive/v%{github_version}/%{name}-%{github_version}.tar.gz +%else Source0: https://github.com/systemd/systemd/archive/v%{github_version}/%{name}-%{github_version}.tar.gz %endif +%endif # This file must be available before %%prep. # It is generated during systemd build and can be found in build/src/core/. Source1: triggers.systemd 
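Review bot: The new `%if 0%{stable}` in the Source0 hunk uses the unconditional macro form, so if `stable` is ever undefined the line is left as the literal text `%if 0%{stable}` and rpm fails to parse the expression; the sibling line `systemd%{?stable:-stable}` in the same hunk already treats the macro as optional. Writing it as `%if 0%{?stable}` keeps the two lines consistent and lets the stable/non-stable switch still work if `%global stable 1` is later commented out the way `%global commit` is in the first spec hunk. As far as the hunk shows, `stable` is currently defined (`%global stable 1` is visible as context in that first hunk), so this is a robustness point rather than a present build failure.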
@@ -57,11 +61,6 @@ Patch0001: https://github.com/keszybz/systemd/commit/464a73411c13596a130a7a Patch0002: 0002-Revert-units-set-NoNewPrivileges-for-all-long-runnin.patch -# https://bugzilla.redhat.com/show_bug.cgi?id=1728240 -# https://github.com/systemd/systemd/issues/13773 -# https://github.com/systemd/systemd/pull/13792 -Patch0003: 13792.patch - Patch0998: 0998-resolved-create-etc-resolv.conf-symlink-at-runtime.patch %ifarch %{ix86} x86_64 aarch64 @@ -707,6 +706,15 @@ fi %files tests -f .file-list-tests %changelog +* Tue Nov 19 2019 Zbigniew Jędrzejewski-Szmek - 243.4 +- Latest bugfix release. Systemd-stable snapshots will now be numbered. +- Fix broken PrivateDevices filter on big-endian, s390x in particular (#1769148) +- systemd-modules-load.service should only warn, not fail, on error (#1254340) +- Fix incorrect certificate validation with DNS over TLS (#1771725, #1771726, + CVE-2018-21029) +- Fix regression with crypttab keys with colons +- Various memleaks and minor memory access issues, warning adjustments + * Fri Oct 18 2019 Adam Williamson - 243-4.gitef67743 - Backport PR #13792 to fix nomodeset+BIOS CanGraphical bug (#1728240) From 9741ae2ab8cd104da512e0d13edcef5f79a293c8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Sun, 15 Dec 2019 14:39:23 +0100 Subject: [PATCH 05/16] Update to v243.5 --- sources | 2 +- systemd.spec | 7 ++++++- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/sources b/sources index 8de697a..272e69f 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (systemd-243.4.tar.gz) = f121e4ea0c65050e3cd2dcbb3d3e8aa24f728548976ba72d6da26c61fb80c4352f1ba259be4310081acde901c13b1e812cf7df4d84d6cd2bd3c4f8acf72300fb +SHA512 (systemd-243.5.tar.gz) = ff7df8028ab8e411866a00cb3adc1228663263e08a199bcc3954f6462bae3e433fb75676705509a69d847d9bd7bac50b40a91b1d8f34f76e48a4f19b32475ec2 diff --git a/systemd.spec b/systemd.spec index 4db4312..cd4adce 100644 --- a/systemd.spec +++ b/systemd.spec 
@@ -14,7 +14,7 @@ Name: systemd Url: https://www.freedesktop.org/wiki/Software/systemd -Version: 243.4 +Version: 243.5 Release: 1%{?commit:.git%{shortcommit}}%{?dist} # For a breakdown of the licensing, see README License: LGPLv2+ and MIT and GPLv2+ @@ -706,6 +706,11 @@ fi %files tests -f .file-list-tests %changelog +* Sun Dec 15 2019 - 243.5-1 +- Latest bugfix release (systemd-networkd fixups, minor cleanups to + documentation). +- Fix systemd-udev timeout on startup or shutdown (#1782879) + * Tue Nov 19 2019 Zbigniew Jędrzejewski-Szmek - 243.4 - Latest bugfix release. Systemd-stable snapshots will now be numbered. - Fix broken PrivateDevices filter on big-endian, s390x in particular (#1769148) From 1fdb10909ebfdc65dd00725223522ddce7f39fc5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Tue, 17 Dec 2019 10:22:43 +0100 Subject: [PATCH 06/16] Add patches to fix build on arm64 --- ...c1978a9a688662eb1b3983370dd1cc415083.patch | 220 ++++++++++++++++++ ...977d9a5dc28e6c1998d8d5cb712305bd0b50.patch | 143 ++++++++++++ systemd.spec | 4 +- 3 files changed, 366 insertions(+), 1 deletion(-) create mode 100644 70e8c1978a9a688662eb1b3983370dd1cc415083.patch create mode 100644 a0a1977d9a5dc28e6c1998d8d5cb712305bd0b50.patch diff --git a/70e8c1978a9a688662eb1b3983370dd1cc415083.patch b/70e8c1978a9a688662eb1b3983370dd1cc415083.patch new file mode 100644 index 0000000..d490ee2 --- /dev/null +++ b/70e8c1978a9a688662eb1b3983370dd1cc415083.patch 
@@ -0,0 +1,220 @@ +From 70e8c1978a9a688662eb1b3983370dd1cc415083 Mon Sep 17 00:00:00 2001 +From: Mike Gilbert +Date: Fri, 6 Dec 2019 14:28:13 -0500 +Subject: [PATCH] seccomp: real syscall numbers are >= 0 + +Real syscall numbers start at 0. The fake seccomp values seem to be +strictly less than 0. + +Fixes: 4df8fe8415eaf4abd5b93c3447452547c6ea9e5f +(cherry picked from commit fb4b0465abbd96e6d342e5606c61c919c99a82ff) +--- + src/basic/missing_syscall.h | 28 ++++++++++++++-------------- + src/test/test-seccomp.c | 16 ++++++++-------- + 2 files changed, 22 insertions(+), 22 deletions(-) + +diff --git a/src/basic/missing_syscall.h b/src/basic/missing_syscall.h +index 1255d8b197..8879422ce9 100644 +--- a/src/basic/missing_syscall.h ++++ b/src/basic/missing_syscall.h +@@ -33,7 +33,7 @@ static inline int missing_pivot_root(const char *new_root, const char *put_old) + + #if !HAVE_MEMFD_CREATE + /* may be (invalid) negative number due to libseccomp, see PR 13319 */ +-# if ! (defined __NR_memfd_create && __NR_memfd_create > 0) ++# if ! (defined __NR_memfd_create && __NR_memfd_create >= 0) + # if defined __NR_memfd_create + # undef __NR_memfd_create + # endif +@@ -80,7 +80,7 @@ static inline int missing_memfd_create(const char *name, unsigned int flags) { + + #if !HAVE_GETRANDOM + /* may be (invalid) negative number due to libseccomp, see PR 13319 */ +-# if ! (defined __NR_getrandom && __NR_getrandom > 0) ++# if ! (defined __NR_getrandom && __NR_getrandom >= 0) + # if defined __NR_getrandom + # undef __NR_getrandom + # endif +@@ -143,7 +143,7 @@ static inline pid_t missing_gettid(void) { + + #if !HAVE_NAME_TO_HANDLE_AT + /* may be (invalid) negative number due to libseccomp, see PR 13319 */ +-# if ! (defined __NR_name_to_handle_at && __NR_name_to_handle_at > 0) ++# if ! 
(defined __NR_name_to_handle_at && __NR_name_to_handle_at >= 0) + # if defined __NR_name_to_handle_at + # undef __NR_name_to_handle_at + # endif +@@ -184,7 +184,7 @@ static inline int missing_name_to_handle_at(int fd, const char *name, struct fil + + #if !HAVE_SETNS + /* may be (invalid) negative number due to libseccomp, see PR 13319 */ +-# if ! (defined __NR_setns && __NR_setns > 0) ++# if ! (defined __NR_setns && __NR_setns >= 0) + # if defined __NR_setns + # undef __NR_setns + # endif +@@ -225,7 +225,7 @@ static inline pid_t raw_getpid(void) { + + #if !HAVE_RENAMEAT2 + /* may be (invalid) negative number due to libseccomp, see PR 13319 */ +-# if ! (defined __NR_renameat2 && __NR_renameat2 > 0) ++# if ! (defined __NR_renameat2 && __NR_renameat2 >= 0) + # if defined __NR_renameat2 + # undef __NR_renameat2 + # endif +@@ -274,7 +274,7 @@ static inline int missing_renameat2(int oldfd, const char *oldname, int newfd, c + + #if !HAVE_KCMP + static inline int missing_kcmp(pid_t pid1, pid_t pid2, int type, unsigned long idx1, unsigned long idx2) { +-# if defined __NR_kcmp && __NR_kcmp > 0 ++# if defined __NR_kcmp && __NR_kcmp >= 0 + return syscall(__NR_kcmp, pid1, pid2, type, idx1, idx2); + # else + errno = ENOSYS; +@@ -289,7 +289,7 @@ static inline int missing_kcmp(pid_t pid1, pid_t pid2, int type, unsigned long i + + #if !HAVE_KEYCTL + static inline long missing_keyctl(int cmd, unsigned long arg2, unsigned long arg3, unsigned long arg4, unsigned long arg5) { +-# if defined __NR_keyctl && __NR_keyctl > 0 ++# if defined __NR_keyctl && __NR_keyctl >= 0 + return syscall(__NR_keyctl, cmd, arg2, arg3, arg4, arg5); + # else + errno = ENOSYS; +@@ -300,7 +300,7 @@ static inline long missing_keyctl(int cmd, unsigned long arg2, unsigned long arg + } + + static inline key_serial_t missing_add_key(const char *type, const char *description, const void *payload, size_t plen, key_serial_t ringid) { +-# if defined __NR_add_key && __NR_add_key > 0 ++# if defined __NR_add_key && 
__NR_add_key >= 0 + return syscall(__NR_add_key, type, description, payload, plen, ringid); + # else + errno = ENOSYS; +@@ -311,7 +311,7 @@ static inline key_serial_t missing_add_key(const char *type, const char *descrip + } + + static inline key_serial_t missing_request_key(const char *type, const char *description, const char * callout_info, key_serial_t destringid) { +-# if defined __NR_request_key && __NR_request_key > 0 ++# if defined __NR_request_key && __NR_request_key >= 0 + return syscall(__NR_request_key, type, description, callout_info, destringid); + # else + errno = ENOSYS; +@@ -326,7 +326,7 @@ static inline key_serial_t missing_request_key(const char *type, const char *des + + #if !HAVE_COPY_FILE_RANGE + /* may be (invalid) negative number due to libseccomp, see PR 13319 */ +-# if ! (defined __NR_copy_file_range && __NR_copy_file_range > 0) ++# if ! (defined __NR_copy_file_range && __NR_copy_file_range >= 0) + # if defined __NR_copy_file_range + # undef __NR_copy_file_range + # endif +@@ -368,7 +368,7 @@ static inline ssize_t missing_copy_file_range(int fd_in, loff_t *off_in, + + #if !HAVE_BPF + /* may be (invalid) negative number due to libseccomp, see PR 13319 */ +-# if ! (defined __NR_bpf && __NR_bpf > 0) ++# if ! (defined __NR_bpf && __NR_bpf >= 0) + # if defined __NR_bpf + # undef __NR_bpf + # endif +@@ -409,7 +409,7 @@ static inline int missing_bpf(int cmd, union bpf_attr *attr, size_t size) { + + #ifndef __IGNORE_pkey_mprotect + /* may be (invalid) negative number due to libseccomp, see PR 13319 */ +-# if ! (defined __NR_pkey_mprotect && __NR_pkey_mprotect > 0) ++# if ! (defined __NR_pkey_mprotect && __NR_pkey_mprotect >= 0) + # if defined __NR_pkey_mprotect + # undef __NR_pkey_mprotect + # endif +@@ -445,7 +445,7 @@ static inline int missing_bpf(int cmd, union bpf_attr *attr, size_t size) { + + #if !HAVE_STATX + /* may be (invalid) negative number due to libseccomp, see PR 13319 */ +-# if ! (defined __NR_statx && __NR_statx > 0) ++# if ! 
(defined __NR_statx && __NR_statx >= 0) + # if defined __NR_statx + # undef __NR_statx + # endif +@@ -496,7 +496,7 @@ enum { + static inline long missing_set_mempolicy(int mode, const unsigned long *nodemask, + unsigned long maxnode) { + long i; +-# if defined __NR_set_mempolicy && __NR_set_mempolicy > 0 ++# if defined __NR_set_mempolicy && __NR_set_mempolicy >= 0 + i = syscall(__NR_set_mempolicy, mode, nodemask, maxnode); + # else + errno = ENOSYS; +diff --git a/src/test/test-seccomp.c b/src/test/test-seccomp.c +index 6dd98672b8..328a656343 100644 +--- a/src/test/test-seccomp.c ++++ b/src/test/test-seccomp.c +@@ -29,7 +29,7 @@ + #include "virt.h" + + /* __NR_socket may be invalid due to libseccomp */ +-#if !defined(__NR_socket) || __NR_socket <= 0 || defined(__i386__) || defined(__s390x__) || defined(__s390__) ++#if !defined(__NR_socket) || __NR_socket < 0 || defined(__i386__) || defined(__s390x__) || defined(__s390__) + /* On these archs, socket() is implemented via the socketcall() syscall multiplexer, + * and we can't restrict it hence via seccomp. 
*/ + # define SECCOMP_RESTRICT_ADDRESS_FAMILIES_BROKEN 1 +@@ -305,14 +305,14 @@ static void test_protect_sysctl(void) { + assert_se(pid >= 0); + + if (pid == 0) { +-#if defined __NR__sysctl && __NR__sysctl > 0 ++#if defined __NR__sysctl && __NR__sysctl >= 0 + assert_se(syscall(__NR__sysctl, NULL) < 0); + assert_se(errno == EFAULT); + #endif + + assert_se(seccomp_protect_sysctl() >= 0); + +-#if defined __NR__sysctl && __NR__sysctl > 0 ++#if defined __NR__sysctl && __NR__sysctl >= 0 + assert_se(syscall(__NR__sysctl, 0, 0, 0) < 0); + assert_se(errno == EPERM); + #endif +@@ -641,7 +641,7 @@ static void test_load_syscall_filter_set_raw(void) { + assert_se(poll(NULL, 0, 0) == 0); + + assert_se(s = hashmap_new(NULL)); +-#if defined __NR_access && __NR_access > 0 ++#if defined __NR_access && __NR_access >= 0 + assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_access + 1), INT_TO_PTR(-1)) >= 0); + #else + assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_faccessat + 1), INT_TO_PTR(-1)) >= 0); +@@ -657,7 +657,7 @@ static void test_load_syscall_filter_set_raw(void) { + s = hashmap_free(s); + + assert_se(s = hashmap_new(NULL)); +-#if defined __NR_access && __NR_access > 0 ++#if defined __NR_access && __NR_access >= 0 + assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_access + 1), INT_TO_PTR(EILSEQ)) >= 0); + #else + assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_faccessat + 1), INT_TO_PTR(EILSEQ)) >= 0); +@@ -673,7 +673,7 @@ static void test_load_syscall_filter_set_raw(void) { + s = hashmap_free(s); + + assert_se(s = hashmap_new(NULL)); +-#if defined __NR_poll && __NR_poll > 0 ++#if defined __NR_poll && __NR_poll >= 0 + assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_poll + 1), INT_TO_PTR(-1)) >= 0); + #else + assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_ppoll + 1), INT_TO_PTR(-1)) >= 0); +@@ -690,7 +690,7 @@ static void test_load_syscall_filter_set_raw(void) { + s = hashmap_free(s); + + assert_se(s = hashmap_new(NULL)); +-#if defined __NR_poll && __NR_poll > 0 ++#if defined __NR_poll && __NR_poll >= 
0 + assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_poll + 1), INT_TO_PTR(EILSEQ)) >= 0); + #else + assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_ppoll + 1), INT_TO_PTR(EILSEQ)) >= 0); +@@ -768,7 +768,7 @@ static int real_open(const char *path, int flags, mode_t mode) { + * testing purposes that calls the real syscall, on architectures where SYS_open is defined. On + * other architectures, let's just fall back to the glibc call. */ + +-#if defined __NR_open && __NR_open > 0 ++#if defined __NR_open && __NR_open >= 0 + return (int) syscall(__NR_open, path, flags, mode); + #else + return open(path, flags, mode); diff --git a/a0a1977d9a5dc28e6c1998d8d5cb712305bd0b50.patch b/a0a1977d9a5dc28e6c1998d8d5cb712305bd0b50.patch new file mode 100644 index 0000000..4771adf --- /dev/null +++ b/a0a1977d9a5dc28e6c1998d8d5cb712305bd0b50.patch 
@@ -0,0 +1,143 @@ +From a0a1977d9a5dc28e6c1998d8d5cb712305bd0b50 Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Thu, 14 Nov 2019 17:51:30 +0100 +Subject: [PATCH] seccomp: more comprehensive protection against libseccomp's + __NR_xyz namespace invasion + +A follow-up for 59b657296a2fe104f112b91bbf9301724067cc81, adding the +same conditioning for all cases of our __NR_xyz use. + +Fixes: #14031 +(cherry picked from commit 4df8fe8415eaf4abd5b93c3447452547c6ea9e5f) +--- + src/basic/missing_syscall.h | 10 +++++----- + src/test/test-seccomp.c | 19 ++++++++++--------- + 2 files changed, 15 insertions(+), 14 deletions(-) + +diff --git a/src/basic/missing_syscall.h b/src/basic/missing_syscall.h +index 6d9b12544d..1255d8b197 100644 +--- a/src/basic/missing_syscall.h ++++ b/src/basic/missing_syscall.h +@@ -274,7 +274,7 @@ static inline int missing_renameat2(int oldfd, const char *oldname, int newfd, c + + #if !HAVE_KCMP + static inline int missing_kcmp(pid_t pid1, pid_t pid2, int type, unsigned long idx1, unsigned long idx2) { +-# ifdef __NR_kcmp ++# if defined __NR_kcmp && __NR_kcmp > 0 + return syscall(__NR_kcmp, pid1, pid2, type, idx1, idx2); + # else + errno = ENOSYS; +@@ -289,7 +289,7 @@ static inline int missing_kcmp(pid_t pid1, pid_t pid2, int type, unsigned long i + + #if !HAVE_KEYCTL + static inline long missing_keyctl(int cmd, unsigned long arg2, unsigned long arg3, unsigned long arg4, unsigned long arg5) { +-# ifdef __NR_keyctl ++# if defined __NR_keyctl && __NR_keyctl > 0 + return syscall(__NR_keyctl, cmd, arg2, arg3, arg4, arg5); + # else + errno = ENOSYS; +@@ -300,7 +300,7 @@ static inline long missing_keyctl(int cmd, unsigned long arg2, unsigned long arg + } + + static inline key_serial_t missing_add_key(const char *type, const char *description, const void *payload, size_t plen, key_serial_t ringid) { +-# ifdef __NR_add_key ++# if defined __NR_add_key && __NR_add_key > 0 + return syscall(__NR_add_key, type, description, payload, plen, ringid); + # 
else + errno = ENOSYS; +@@ -311,7 +311,7 @@ static inline key_serial_t missing_add_key(const char *type, const char *descrip + } + + static inline key_serial_t missing_request_key(const char *type, const char *description, const char * callout_info, key_serial_t destringid) { +-# ifdef __NR_request_key ++# if defined __NR_request_key && __NR_request_key > 0 + return syscall(__NR_request_key, type, description, callout_info, destringid); + # else + errno = ENOSYS; +@@ -496,7 +496,7 @@ enum { + static inline long missing_set_mempolicy(int mode, const unsigned long *nodemask, + unsigned long maxnode) { + long i; +-# ifdef __NR_set_mempolicy ++# if defined __NR_set_mempolicy && __NR_set_mempolicy > 0 + i = syscall(__NR_set_mempolicy, mode, nodemask, maxnode); + # else + errno = ENOSYS; +diff --git a/src/test/test-seccomp.c b/src/test/test-seccomp.c +index a906070f9a..6dd98672b8 100644 +--- a/src/test/test-seccomp.c ++++ b/src/test/test-seccomp.c +@@ -28,7 +28,8 @@ + #include "tmpfile-util.h" + #include "virt.h" + +-#if SCMP_SYS(socket) < 0 || defined(__i386__) || defined(__s390x__) || defined(__s390__) ++/* __NR_socket may be invalid due to libseccomp */ ++#if !defined(__NR_socket) || __NR_socket <= 0 || defined(__i386__) || defined(__s390x__) || defined(__s390__) + /* On these archs, socket() is implemented via the socketcall() syscall multiplexer, + * and we can't restrict it hence via seccomp. 
*/ + # define SECCOMP_RESTRICT_ADDRESS_FAMILIES_BROKEN 1 +@@ -304,14 +305,14 @@ static void test_protect_sysctl(void) { + assert_se(pid >= 0); + + if (pid == 0) { +-#if __NR__sysctl > 0 ++#if defined __NR__sysctl && __NR__sysctl > 0 + assert_se(syscall(__NR__sysctl, NULL) < 0); + assert_se(errno == EFAULT); + #endif + + assert_se(seccomp_protect_sysctl() >= 0); + +-#if __NR__sysctl > 0 ++#if defined __NR__sysctl && __NR__sysctl > 0 + assert_se(syscall(__NR__sysctl, 0, 0, 0) < 0); + assert_se(errno == EPERM); + #endif +@@ -640,7 +641,7 @@ static void test_load_syscall_filter_set_raw(void) { + assert_se(poll(NULL, 0, 0) == 0); + + assert_se(s = hashmap_new(NULL)); +-#if SCMP_SYS(access) >= 0 ++#if defined __NR_access && __NR_access > 0 + assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_access + 1), INT_TO_PTR(-1)) >= 0); + #else + assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_faccessat + 1), INT_TO_PTR(-1)) >= 0); +@@ -656,7 +657,7 @@ static void test_load_syscall_filter_set_raw(void) { + s = hashmap_free(s); + + assert_se(s = hashmap_new(NULL)); +-#if SCMP_SYS(access) >= 0 ++#if defined __NR_access && __NR_access > 0 + assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_access + 1), INT_TO_PTR(EILSEQ)) >= 0); + #else + assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_faccessat + 1), INT_TO_PTR(EILSEQ)) >= 0); +@@ -672,7 +673,7 @@ static void test_load_syscall_filter_set_raw(void) { + s = hashmap_free(s); + + assert_se(s = hashmap_new(NULL)); +-#if SCMP_SYS(poll) >= 0 ++#if defined __NR_poll && __NR_poll > 0 + assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_poll + 1), INT_TO_PTR(-1)) >= 0); + #else + assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_ppoll + 1), INT_TO_PTR(-1)) >= 0); +@@ -689,7 +690,7 @@ static void test_load_syscall_filter_set_raw(void) { + s = hashmap_free(s); + + assert_se(s = hashmap_new(NULL)); +-#if SCMP_SYS(poll) >= 0 ++#if defined __NR_poll && __NR_poll > 0 + assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_poll + 1), INT_TO_PTR(EILSEQ)) >= 0); + #else + 
assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_ppoll + 1), INT_TO_PTR(EILSEQ)) >= 0); +@@ -767,8 +768,8 @@ static int real_open(const char *path, int flags, mode_t mode) { + * testing purposes that calls the real syscall, on architectures where SYS_open is defined. On + * other architectures, let's just fall back to the glibc call. */ + +-#ifdef SYS_open +- return (int) syscall(SYS_open, path, flags, mode); ++#if defined __NR_open && __NR_open > 0 ++ return (int) syscall(__NR_open, path, flags, mode); + #else + return open(path, flags, mode); + #endif diff --git a/systemd.spec b/systemd.spec index cd4adce..c4e4f96 100644 --- a/systemd.spec +++ b/systemd.spec @@ -58,8 +58,10 @@ GIT_DIR=../../src/systemd/.git git diffab -M v233..master@{2017-06-15} -- hwdb/[ # https://bugzilla.redhat.com/show_bug.cgi?id=1738828 Patch0001: https://github.com/keszybz/systemd/commit/464a73411c13596a130a7a8f0ac00ca728e5f69e.patch +Patch0002: https://github.com/systemd/systemd-stable/commit/a0a1977d9a5dc28e6c1998d8d5cb712305bd0b50.patch +Patch0003: https://github.com/systemd/systemd-stable/commit/70e8c1978a9a688662eb1b3983370dd1cc415083.patch -Patch0002: 0002-Revert-units-set-NoNewPrivileges-for-all-long-runnin.patch +Patch0900: 0002-Revert-units-set-NoNewPrivileges-for-all-long-runnin.patch Patch0998: 0998-resolved-create-etc-resolv.conf-symlink-at-runtime.patch From 835eeac58ca3abddc010c2d20a1bbf8c59effc15 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Wed, 5 Feb 2020 18:22:14 +0100 Subject: [PATCH 07/16] Update to 243.6 --- ...c1978a9a688662eb1b3983370dd1cc415083.patch | 220 ------------------ sources | 2 +- systemd.spec | 8 +- 3 files changed, 6 insertions(+), 224 deletions(-) delete mode 100644 70e8c1978a9a688662eb1b3983370dd1cc415083.patch diff --git a/70e8c1978a9a688662eb1b3983370dd1cc415083.patch b/70e8c1978a9a688662eb1b3983370dd1cc415083.patch deleted file mode 100644 index d490ee2..0000000 
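Review bot: The two new Patch lines carry an ordering dependency that the spec does not record: the 70e8c1978a patch states `Fixes: 4df8fe8415eaf4abd5b93c3447452547c6ea9e5f`, which is the commit the a0a1977d9a patch cherry-picks, so Patch0003 is only meaningful applied after Patch0002. A comment above them such as `# 70e8c19 fixes a0a1977 (upstream 4df8fe8); keep this order` would survive the next renumbering, of the kind this hunk just did for the NoNewPrivileges revert moved to Patch0900. The hunk also changes what gets built without a Release bump or %changelog entry (the commit's diffstat shows only 4 lines of systemd.spec touched), which presumably is meant to accompany a rebuild for the arm64 fix; if so, a changelog entry naming it would be expected here.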
--- a/70e8c1978a9a688662eb1b3983370dd1cc415083.patch +++ /dev/null 
@@ -1,220 +0,0 @@ -From 70e8c1978a9a688662eb1b3983370dd1cc415083 Mon Sep 17 00:00:00 2001 -From: Mike Gilbert -Date: Fri, 6 Dec 2019 14:28:13 -0500 -Subject: [PATCH] seccomp: real syscall numbers are >= 0 - -Real syscall numbers start at 0. The fake seccomp values seem to be -strictly less than 0. - -Fixes: 4df8fe8415eaf4abd5b93c3447452547c6ea9e5f -(cherry picked from commit fb4b0465abbd96e6d342e5606c61c919c99a82ff) ---- - src/basic/missing_syscall.h | 28 ++++++++++++++-------------- - src/test/test-seccomp.c | 16 ++++++++-------- - 2 files changed, 22 insertions(+), 22 deletions(-) - -diff --git a/src/basic/missing_syscall.h b/src/basic/missing_syscall.h -index 1255d8b197..8879422ce9 100644 ---- a/src/basic/missing_syscall.h -+++ b/src/basic/missing_syscall.h -@@ -33,7 +33,7 @@ static inline int missing_pivot_root(const char *new_root, const char *put_old) - - #if !HAVE_MEMFD_CREATE - /* may be (invalid) negative number due to libseccomp, see PR 13319 */ --# if ! (defined __NR_memfd_create && __NR_memfd_create > 0) -+# if ! (defined __NR_memfd_create && __NR_memfd_create >= 0) - # if defined __NR_memfd_create - # undef __NR_memfd_create - # endif -@@ -80,7 +80,7 @@ static inline int missing_memfd_create(const char *name, unsigned int flags) { - - #if !HAVE_GETRANDOM - /* may be (invalid) negative number due to libseccomp, see PR 13319 */ --# if ! (defined __NR_getrandom && __NR_getrandom > 0) -+# if ! (defined __NR_getrandom && __NR_getrandom >= 0) - # if defined __NR_getrandom - # undef __NR_getrandom - # endif -@@ -143,7 +143,7 @@ static inline pid_t missing_gettid(void) { - - #if !HAVE_NAME_TO_HANDLE_AT - /* may be (invalid) negative number due to libseccomp, see PR 13319 */ --# if ! (defined __NR_name_to_handle_at && __NR_name_to_handle_at > 0) -+# if ! 
(defined __NR_name_to_handle_at && __NR_name_to_handle_at >= 0) - # if defined __NR_name_to_handle_at - # undef __NR_name_to_handle_at - # endif -@@ -184,7 +184,7 @@ static inline int missing_name_to_handle_at(int fd, const char *name, struct fil - - #if !HAVE_SETNS - /* may be (invalid) negative number due to libseccomp, see PR 13319 */ --# if ! (defined __NR_setns && __NR_setns > 0) -+# if ! (defined __NR_setns && __NR_setns >= 0) - # if defined __NR_setns - # undef __NR_setns - # endif -@@ -225,7 +225,7 @@ static inline pid_t raw_getpid(void) { - - #if !HAVE_RENAMEAT2 - /* may be (invalid) negative number due to libseccomp, see PR 13319 */ --# if ! (defined __NR_renameat2 && __NR_renameat2 > 0) -+# if ! (defined __NR_renameat2 && __NR_renameat2 >= 0) - # if defined __NR_renameat2 - # undef __NR_renameat2 - # endif -@@ -274,7 +274,7 @@ static inline int missing_renameat2(int oldfd, const char *oldname, int newfd, c - - #if !HAVE_KCMP - static inline int missing_kcmp(pid_t pid1, pid_t pid2, int type, unsigned long idx1, unsigned long idx2) { --# if defined __NR_kcmp && __NR_kcmp > 0 -+# if defined __NR_kcmp && __NR_kcmp >= 0 - return syscall(__NR_kcmp, pid1, pid2, type, idx1, idx2); - # else - errno = ENOSYS; -@@ -289,7 +289,7 @@ static inline int missing_kcmp(pid_t pid1, pid_t pid2, int type, unsigned long i - - #if !HAVE_KEYCTL - static inline long missing_keyctl(int cmd, unsigned long arg2, unsigned long arg3, unsigned long arg4, unsigned long arg5) { --# if defined __NR_keyctl && __NR_keyctl > 0 -+# if defined __NR_keyctl && __NR_keyctl >= 0 - return syscall(__NR_keyctl, cmd, arg2, arg3, arg4, arg5); - # else - errno = ENOSYS; -@@ -300,7 +300,7 @@ static inline long missing_keyctl(int cmd, unsigned long arg2, unsigned long arg - } - - static inline key_serial_t missing_add_key(const char *type, const char *description, const void *payload, size_t plen, key_serial_t ringid) { --# if defined __NR_add_key && __NR_add_key > 0 -+# if defined __NR_add_key && 
__NR_add_key >= 0 - return syscall(__NR_add_key, type, description, payload, plen, ringid); - # else - errno = ENOSYS; -@@ -311,7 +311,7 @@ static inline key_serial_t missing_add_key(const char *type, const char *descrip - } - - static inline key_serial_t missing_request_key(const char *type, const char *description, const char * callout_info, key_serial_t destringid) { --# if defined __NR_request_key && __NR_request_key > 0 -+# if defined __NR_request_key && __NR_request_key >= 0 - return syscall(__NR_request_key, type, description, callout_info, destringid); - # else - errno = ENOSYS; -@@ -326,7 +326,7 @@ static inline key_serial_t missing_request_key(const char *type, const char *des - - #if !HAVE_COPY_FILE_RANGE - /* may be (invalid) negative number due to libseccomp, see PR 13319 */ --# if ! (defined __NR_copy_file_range && __NR_copy_file_range > 0) -+# if ! (defined __NR_copy_file_range && __NR_copy_file_range >= 0) - # if defined __NR_copy_file_range - # undef __NR_copy_file_range - # endif -@@ -368,7 +368,7 @@ static inline ssize_t missing_copy_file_range(int fd_in, loff_t *off_in, - - #if !HAVE_BPF - /* may be (invalid) negative number due to libseccomp, see PR 13319 */ --# if ! (defined __NR_bpf && __NR_bpf > 0) -+# if ! (defined __NR_bpf && __NR_bpf >= 0) - # if defined __NR_bpf - # undef __NR_bpf - # endif -@@ -409,7 +409,7 @@ static inline int missing_bpf(int cmd, union bpf_attr *attr, size_t size) { - - #ifndef __IGNORE_pkey_mprotect - /* may be (invalid) negative number due to libseccomp, see PR 13319 */ --# if ! (defined __NR_pkey_mprotect && __NR_pkey_mprotect > 0) -+# if ! (defined __NR_pkey_mprotect && __NR_pkey_mprotect >= 0) - # if defined __NR_pkey_mprotect - # undef __NR_pkey_mprotect - # endif -@@ -445,7 +445,7 @@ static inline int missing_bpf(int cmd, union bpf_attr *attr, size_t size) { - - #if !HAVE_STATX - /* may be (invalid) negative number due to libseccomp, see PR 13319 */ --# if ! (defined __NR_statx && __NR_statx > 0) -+# if ! 
(defined __NR_statx && __NR_statx >= 0) - # if defined __NR_statx - # undef __NR_statx - # endif -@@ -496,7 +496,7 @@ enum { - static inline long missing_set_mempolicy(int mode, const unsigned long *nodemask, - unsigned long maxnode) { - long i; --# if defined __NR_set_mempolicy && __NR_set_mempolicy > 0 -+# if defined __NR_set_mempolicy && __NR_set_mempolicy >= 0 - i = syscall(__NR_set_mempolicy, mode, nodemask, maxnode); - # else - errno = ENOSYS; -diff --git a/src/test/test-seccomp.c b/src/test/test-seccomp.c -index 6dd98672b8..328a656343 100644 ---- a/src/test/test-seccomp.c -+++ b/src/test/test-seccomp.c -@@ -29,7 +29,7 @@ - #include "virt.h" - - /* __NR_socket may be invalid due to libseccomp */ --#if !defined(__NR_socket) || __NR_socket <= 0 || defined(__i386__) || defined(__s390x__) || defined(__s390__) -+#if !defined(__NR_socket) || __NR_socket < 0 || defined(__i386__) || defined(__s390x__) || defined(__s390__) - /* On these archs, socket() is implemented via the socketcall() syscall multiplexer, - * and we can't restrict it hence via seccomp. 
*/ - # define SECCOMP_RESTRICT_ADDRESS_FAMILIES_BROKEN 1 -@@ -305,14 +305,14 @@ static void test_protect_sysctl(void) { - assert_se(pid >= 0); - - if (pid == 0) { --#if defined __NR__sysctl && __NR__sysctl > 0 -+#if defined __NR__sysctl && __NR__sysctl >= 0 - assert_se(syscall(__NR__sysctl, NULL) < 0); - assert_se(errno == EFAULT); - #endif - - assert_se(seccomp_protect_sysctl() >= 0); - --#if defined __NR__sysctl && __NR__sysctl > 0 -+#if defined __NR__sysctl && __NR__sysctl >= 0 - assert_se(syscall(__NR__sysctl, 0, 0, 0) < 0); - assert_se(errno == EPERM); - #endif -@@ -641,7 +641,7 @@ static void test_load_syscall_filter_set_raw(void) { - assert_se(poll(NULL, 0, 0) == 0); - - assert_se(s = hashmap_new(NULL)); --#if defined __NR_access && __NR_access > 0 -+#if defined __NR_access && __NR_access >= 0 - assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_access + 1), INT_TO_PTR(-1)) >= 0); - #else - assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_faccessat + 1), INT_TO_PTR(-1)) >= 0); -@@ -657,7 +657,7 @@ static void test_load_syscall_filter_set_raw(void) { - s = hashmap_free(s); - - assert_se(s = hashmap_new(NULL)); --#if defined __NR_access && __NR_access > 0 -+#if defined __NR_access && __NR_access >= 0 - assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_access + 1), INT_TO_PTR(EILSEQ)) >= 0); - #else - assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_faccessat + 1), INT_TO_PTR(EILSEQ)) >= 0); -@@ -673,7 +673,7 @@ static void test_load_syscall_filter_set_raw(void) { - s = hashmap_free(s); - - assert_se(s = hashmap_new(NULL)); --#if defined __NR_poll && __NR_poll > 0 -+#if defined __NR_poll && __NR_poll >= 0 - assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_poll + 1), INT_TO_PTR(-1)) >= 0); - #else - assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_ppoll + 1), INT_TO_PTR(-1)) >= 0); -@@ -690,7 +690,7 @@ static void test_load_syscall_filter_set_raw(void) { - s = hashmap_free(s); - - assert_se(s = hashmap_new(NULL)); --#if defined __NR_poll && __NR_poll > 0 -+#if defined __NR_poll && __NR_poll >= 
0 - assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_poll + 1), INT_TO_PTR(EILSEQ)) >= 0); - #else - assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_ppoll + 1), INT_TO_PTR(EILSEQ)) >= 0); -@@ -768,7 +768,7 @@ static int real_open(const char *path, int flags, mode_t mode) { - * testing purposes that calls the real syscall, on architectures where SYS_open is defined. On - * other architectures, let's just fall back to the glibc call. */ - --#if defined __NR_open && __NR_open > 0 -+#if defined __NR_open && __NR_open >= 0 - return (int) syscall(__NR_open, path, flags, mode); - #else - return open(path, flags, mode); diff --git a/sources b/sources index 272e69f..bec2289 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (systemd-243.5.tar.gz) = ff7df8028ab8e411866a00cb3adc1228663263e08a199bcc3954f6462bae3e433fb75676705509a69d847d9bd7bac50b40a91b1d8f34f76e48a4f19b32475ec2 +SHA512 (systemd-243.6.tar.gz) = 04f618fd5c7384dae5366691c3ff87416930a3c4d7cd3d345f4db95b59ab3d4ca0382349f960f60b6007c2948f8b5739ced15b52535799dfcad25849dfe29132 diff --git a/systemd.spec b/systemd.spec index c4e4f96..e55c033 100644 --- a/systemd.spec +++ b/systemd.spec @@ -14,7 +14,7 @@ Name: systemd Url: https://www.freedesktop.org/wiki/Software/systemd -Version: 243.5 +Version: 243.6 Release: 1%{?commit:.git%{shortcommit}}%{?dist} # For a breakdown of the licensing, see README License: LGPLv2+ and MIT and GPLv2+ @@ -58,8 +58,6 @@ GIT_DIR=../../src/systemd/.git git diffab -M v233..master@{2017-06-15} -- hwdb/[ # https://bugzilla.redhat.com/show_bug.cgi?id=1738828 Patch0001: https://github.com/keszybz/systemd/commit/464a73411c13596a130a7a8f0ac00ca728e5f69e.patch -Patch0002: https://github.com/systemd/systemd-stable/commit/a0a1977d9a5dc28e6c1998d8d5cb712305bd0b50.patch -Patch0003: https://github.com/systemd/systemd-stable/commit/70e8c1978a9a688662eb1b3983370dd1cc415083.patch Patch0900: 0002-Revert-units-set-NoNewPrivileges-for-all-long-runnin.patch 
@@ -708,6 +706,10 @@ fi %files tests -f .file-list-tests %changelog +* Wed Feb 5 2020 Zbigniew Jędrzejewski-Szmek - 243.6-1 +- Pull in a bunch of bugfixes (#1774242, #1798414/CVE-2020-1712) +- The hardware database is updated to v245-rc1 + * Sun Dec 15 2019 - 243.5-1 - Latest bugfix release (systemd-networkd fixups, minor cleanups to documentation). From 22c4f572b4924bd694699dcb55cc3185811aca7c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Mon, 10 Feb 2020 17:28:59 +0100 Subject: [PATCH 08/16] Fix resume from hibernation and revert one udev patch --- sources | 2 +- systemd.spec | 6 +++++- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/sources b/sources index bec2289..5b923f5 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (systemd-243.6.tar.gz) = 04f618fd5c7384dae5366691c3ff87416930a3c4d7cd3d345f4db95b59ab3d4ca0382349f960f60b6007c2948f8b5739ced15b52535799dfcad25849dfe29132 +SHA512 (systemd-243.7.tar.gz) = 7bcc685305689c29b857c4102df914a100b8fa205ceae035b7214a09e279bfe51b73983653b3cd255809cad049246c865e1dde77f115b0f7aa3cd91bb9e63e71 diff --git a/systemd.spec b/systemd.spec index e55c033..6a9e577 100644 --- a/systemd.spec +++ b/systemd.spec @@ -14,7 +14,7 @@ Name: systemd Url: https://www.freedesktop.org/wiki/Software/systemd -Version: 243.6 +Version: 243.7 Release: 1%{?commit:.git%{shortcommit}}%{?dist} # For a breakdown of the licensing, see README License: LGPLv2+ and MIT and GPLv2+ @@ -706,6 +706,10 @@ fi %files tests -f .file-list-tests %changelog +* Mon Feb 10 2020 Zbigniew Jędrzejewski-Szmek - 243.7-1 +- Do not time out when resuming from hibernation (#1705522) +- Revert patch causing issue with usb hubs (#1800820) + * Wed Feb 5 2020 Zbigniew Jędrzejewski-Szmek - 243.6-1 - Pull in a bunch of bugfixes (#1774242, #1798414/CVE-2020-1712) - The hardware database is updated to v245-rc1 From b1442037aa2d58c37abe646455d0b70eecfecf0a Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Tue, 11 Feb 2020 14:16:34 +0100 Subject: [PATCH 09/16] Run tests with a timeout multiplier Tests fail to pass on s390x, and this seems to be just a timeout. --- systemd.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/systemd.spec b/systemd.spec index 6a9e577..2c2a682 100644 --- a/systemd.spec +++ b/systemd.spec @@ -483,7 +483,7 @@ python3 %{SOURCE2} %buildroot < Date: Thu, 26 Mar 2020 15:22:21 +0100 Subject: [PATCH 10/16] Update to v243.8 --- sources | 2 +- systemd.spec | 5 ++++- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/sources b/sources index 5b923f5..44a572a 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (systemd-243.7.tar.gz) = 7bcc685305689c29b857c4102df914a100b8fa205ceae035b7214a09e279bfe51b73983653b3cd255809cad049246c865e1dde77f115b0f7aa3cd91bb9e63e71 +SHA512 (systemd-243.8.tar.gz) = aea70b058057eac3ac1c34d1f722e777a15c2f551a49e5f29c9a27fa311ff3ec8618846adc3e4ef384c3e8e7abce17151db902e71e0300d2c38eac185dbe458d diff --git a/systemd.spec b/systemd.spec index 2c2a682..2212260 100644 --- a/systemd.spec +++ b/systemd.spec @@ -14,7 +14,7 @@ Name: systemd Url: https://www.freedesktop.org/wiki/Software/systemd -Version: 243.7 +Version: 243.8 Release: 1%{?commit:.git%{shortcommit}}%{?dist} # For a breakdown of the licensing, see README License: LGPLv2+ and MIT and GPLv2+ @@ -706,6 +706,9 @@ fi %files tests -f .file-list-tests %changelog +* Thu Mar 26 2020 Zbigniew Jędrzejewski-Szmek - 243.8-1 +- Update to latest stable version + * Mon Feb 10 2020 Zbigniew Jędrzejewski-Szmek - 243.7-1 - Do not time out when resuming from hibernation (#1705522) - Revert patch causing issue with usb hubs (#1800820) From c608d153c4bc7258c8c97469639bb22c4dcf240e Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Wed, 26 Feb 2020 22:33:08 +0100 Subject: [PATCH 11/16] Modify the downstream udev rule to use bfq to only apply to disks (cherry picked from commit 437cd52f28d51e1db652206497a41fbe3bab9124) --- systemd.spec | 3 ++- ...6a130a7a8f0ac00ca728e5f69e.patch => use-bfq-scheduler.patch | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-) rename 464a73411c13596a130a7a8f0ac00ca728e5f69e.patch => use-bfq-scheduler.patch (97%) diff --git a/systemd.spec b/systemd.spec index 2212260..43c8834 100644 --- a/systemd.spec +++ b/systemd.spec @@ -57,7 +57,7 @@ GIT_DIR=../../src/systemd/.git git diffab -M v233..master@{2017-06-15} -- hwdb/[ %endif # https://bugzilla.redhat.com/show_bug.cgi?id=1738828 -Patch0001: https://github.com/keszybz/systemd/commit/464a73411c13596a130a7a8f0ac00ca728e5f69e.patch +Patch0001: use-bfq-scheduler.patch Patch0900: 0002-Revert-units-set-NoNewPrivileges-for-all-long-runnin.patch @@ -708,6 +708,7 @@ fi %changelog * Thu Mar 26 2020 Zbigniew Jędrzejewski-Szmek - 243.8-1 - Update to latest stable version +- Modify the downstream udev rule to use bfq to only apply to disks (#1803500) * Mon Feb 10 2020 Zbigniew Jędrzejewski-Szmek - 243.7-1 - Do not time out when resuming from hibernation (#1705522) diff --git a/464a73411c13596a130a7a8f0ac00ca728e5f69e.patch b/use-bfq-scheduler.patch similarity index 97% rename from 464a73411c13596a130a7a8f0ac00ca728e5f69e.patch rename to use-bfq-scheduler.patch index 4de01c4..9549fb3 100644 --- a/464a73411c13596a130a7a8f0ac00ca728e5f69e.patch +++ b/use-bfq-scheduler.patch @@ -20,11 +20,12 @@ new file mode 100644 index 00000000000..480b941761f --- /dev/null +++ b/rules/60-block-scheduler.rules -@@ -0,0 +1,5 @@ +@@ -0,0 +1,6 @@ +# do not edit this file, it will be overwritten on update + +ACTION=="add", SUBSYSTEM=="block", \ + KERNEL=="mmcblk*[0-9]|msblk*[0-9]|mspblk*[0-9]|sd*[!0-9]|sr*", \ ++ DEVTYPE=="disk", \ + ATTR{queue/scheduler}="bfq" 
diff --git a/rules/meson.build b/rules/meson.build index b6a32ba77e2..1da958b4d46 100644 From 2f958e0537f46eafe0907ac55dfa003f6cae02b0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Mon, 2 Mar 2020 21:28:38 +0100 Subject: [PATCH 12/16] Fix typo in udev rule (cherry picked from commit a4e7f2840fca4e379966185d90b299606cbb44ac) --- use-bfq-scheduler.patch | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/use-bfq-scheduler.patch b/use-bfq-scheduler.patch index 9549fb3..eacb76e 100644 --- a/use-bfq-scheduler.patch +++ b/use-bfq-scheduler.patch @@ -25,7 +25,7 @@ index 00000000000..480b941761f + +ACTION=="add", SUBSYSTEM=="block", \ + KERNEL=="mmcblk*[0-9]|msblk*[0-9]|mspblk*[0-9]|sd*[!0-9]|sr*", \ -+ DEVTYPE=="disk", \ ++ ENV{DEVTYPE}=="disk", \ + ATTR{queue/scheduler}="bfq" diff --git a/rules/meson.build b/rules/meson.build index b6a32ba77e2..1da958b4d46 100644 From f83e12aa034725d5a8e93306b14a4e33e17972ee Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Thu, 26 Mar 2020 15:35:03 +0100 Subject: [PATCH 13/16] Strip BOOT_IMAGE= from the kernel command-line in kernel-install --- ...strip-BOOT_IMAGE-from-kernel-options.patch | 24 +++++++++++++++++++ systemd.spec | 2 ++ 2 files changed, 26 insertions(+) create mode 100644 0001-kernel-install-strip-BOOT_IMAGE-from-kernel-options.patch diff --git a/0001-kernel-install-strip-BOOT_IMAGE-from-kernel-options.patch b/0001-kernel-install-strip-BOOT_IMAGE-from-kernel-options.patch new file mode 100644 index 0000000..7a887cb --- /dev/null +++ b/0001-kernel-install-strip-BOOT_IMAGE-from-kernel-options.patch 
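Review bot: The match added to the 60-block-scheduler.rules hunk of use-bfq-scheduler.patch, `DEVTYPE=="disk", \`, uses a key udev does not define: device properties such as DEVTYPE are matched through `ENV{...}`, so the rules parser would most likely reject the whole rule at load time and no device would get the bfq scheduler, rather than partitions being excluded as intended. The line should read `ENV{DEVTYPE}=="disk", \`, which is the correction the following commit on this page makes. A rule change like this is cheap to verify with `udevadm test` against one disk node and one partition node before it ships.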
@@ -0,0 +1,24 @@ +From 165ae6edc64ad6fa2129bedcac2837d24773e31f Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Wed, 26 Feb 2020 23:34:41 +0100 +Subject: [PATCH] kernel-install: strip BOOT_IMAGE= from kernel options + +https://bugzilla.redhat.com/show_bug.cgi?id=1716164. +(cherry picked from commit e60228bf68427c0c0f96f816ee9124fd39585038) +(cherry picked from commit 2095b6a279cfe6e9688c5c357d550289dfcd8e8d) +--- + src/kernel-install/90-loaderentry.install | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/kernel-install/90-loaderentry.install b/src/kernel-install/90-loaderentry.install +index 47a0cd224a..133378da6b 100644 +--- a/src/kernel-install/90-loaderentry.install ++++ b/src/kernel-install/90-loaderentry.install +@@ -55,6 +55,7 @@ else + read -r -d '' -a line < /proc/cmdline + for i in "${line[@]}"; do + [[ "${i#initrd=*}" != "$i" ]] && continue ++ [[ "${i#BOOT_IMAGE=*}" != "$i" ]] && continue + BOOT_OPTIONS+=("$i") + done + fi diff --git a/systemd.spec b/systemd.spec index 43c8834..9f8395a 100644 --- a/systemd.spec +++ b/systemd.spec @@ -58,6 +58,7 @@ GIT_DIR=../../src/systemd/.git git diffab -M v233..master@{2017-06-15} -- hwdb/[ # https://bugzilla.redhat.com/show_bug.cgi?id=1738828 Patch0001: use-bfq-scheduler.patch +Patch0002: 0001-kernel-install-strip-BOOT_IMAGE-from-kernel-options.patch Patch0900: 0002-Revert-units-set-NoNewPrivileges-for-all-long-runnin.patch @@ -709,6 +710,7 @@ fi * Thu Mar 26 2020 Zbigniew Jędrzejewski-Szmek - 243.8-1 - Update to latest stable version - Modify the downstream udev rule to use bfq to only apply to disks (#1803500) +- Strip BOOT_IMAGE= from the kernel command-line in kernel-install (#1716164) * Mon Feb 10 2020 Zbigniew Jędrzejewski-Szmek - 243.7-1 - Do not time out when resuming from hibernation (#1705522) From de066f607f84563d2f5d25152a01f8b94db7d787 Mon Sep 17 00:00:00 2001 
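Review bot: The `continue` added to 90-loaderentry.install, `[[ "${i#BOOT_IMAGE=*}" != "$i" ]] && continue`, has no comment saying why that parameter is dropped, and the enclosing `for` loop over /proc/cmdline and its `else` branch start outside the hunk, so a reader has only the commit subject to go on. A short comment above it, `# BOOT_IMAGE= is injected by the boot loader at boot time and is not a kernel option to persist`, would document the intent next to the code. Note that the filter is a denylist of two prefixes, so any other transient parameter present on the running kernel's command line is still copied into the generated loader entry; whether that is acceptable is a policy question this patch does not state.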
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Sun, 20 Sep 2020 13:59:50 +0200 Subject: [PATCH 14/16] Version 243.9 --- ...strip-BOOT_IMAGE-from-kernel-options.patch | 24 ------------------- sources | 2 +- systemd.spec | 9 +++++-- 3 files changed, 8 insertions(+), 27 deletions(-) delete mode 100644 0001-kernel-install-strip-BOOT_IMAGE-from-kernel-options.patch diff --git a/0001-kernel-install-strip-BOOT_IMAGE-from-kernel-options.patch b/0001-kernel-install-strip-BOOT_IMAGE-from-kernel-options.patch deleted file mode 100644 index 7a887cb..0000000 --- a/0001-kernel-install-strip-BOOT_IMAGE-from-kernel-options.patch +++ /dev/null @@ -1,24 +0,0 @@ -From 165ae6edc64ad6fa2129bedcac2837d24773e31f Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= -Date: Wed, 26 Feb 2020 23:34:41 +0100 -Subject: [PATCH] kernel-install: strip BOOT_IMAGE= from kernel options - -https://bugzilla.redhat.com/show_bug.cgi?id=1716164. -(cherry picked from commit e60228bf68427c0c0f96f816ee9124fd39585038) -(cherry picked from commit 2095b6a279cfe6e9688c5c357d550289dfcd8e8d) ---- - src/kernel-install/90-loaderentry.install | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/src/kernel-install/90-loaderentry.install b/src/kernel-install/90-loaderentry.install -index 47a0cd224a..133378da6b 100644 ---- a/src/kernel-install/90-loaderentry.install -+++ b/src/kernel-install/90-loaderentry.install -@@ -55,6 +55,7 @@ else - read -r -d '' -a line < /proc/cmdline - for i in "${line[@]}"; do - [[ "${i#initrd=*}" != "$i" ]] && continue -+ [[ "${i#BOOT_IMAGE=*}" != "$i" ]] && continue - BOOT_OPTIONS+=("$i") - done - fi diff --git a/sources b/sources index 44a572a..0ca4a04 100644 --- a/sources +++ b/sources 
@@ -1 +1 @@ -SHA512 (systemd-243.8.tar.gz) = aea70b058057eac3ac1c34d1f722e777a15c2f551a49e5f29c9a27fa311ff3ec8618846adc3e4ef384c3e8e7abce17151db902e71e0300d2c38eac185dbe458d +SHA512 (systemd-243.9.tar.gz) = c005580a8a28b4085cf6ba155f18b66f95cf454b5dff244b22d2b8218bcbc71ef93301f885ed4fb80714961ea9cf97e94cf970164b0021dc85f2b30bb3735252 diff --git a/systemd.spec b/systemd.spec index 9f8395a..03a8fd0 100644 --- a/systemd.spec +++ b/systemd.spec @@ -14,7 +14,7 @@ Name: systemd Url: https://www.freedesktop.org/wiki/Software/systemd -Version: 243.8 +Version: 243.9 Release: 1%{?commit:.git%{shortcommit}}%{?dist} # For a breakdown of the licensing, see README License: LGPLv2+ and MIT and GPLv2+ @@ -58,7 +58,6 @@ GIT_DIR=../../src/systemd/.git git diffab -M v233..master@{2017-06-15} -- hwdb/[ # https://bugzilla.redhat.com/show_bug.cgi?id=1738828 Patch0001: use-bfq-scheduler.patch -Patch0002: 0001-kernel-install-strip-BOOT_IMAGE-from-kernel-options.patch Patch0900: 0002-Revert-units-set-NoNewPrivileges-for-all-long-runnin.patch @@ -707,6 +706,12 @@ fi %files tests -f .file-list-tests %changelog +* Sun Sep 20 2020 Zbigniew Jędrzejewski-Szmek - 243.9-1 +- Latest upstream stable version: uid parsing CVE-2020-13776, + fix build with µhttpd 0.9.71, smaller fixes for udevd, sd-boot, documentation, + shell completions, systemd-dissect, systemd-nspawn, kernel-install, tests) + (#1731557, #1876905, #1856273, #1878530) + * Thu Mar 26 2020 Zbigniew Jędrzejewski-Szmek - 243.8-1 - Update to latest stable version - Modify the downstream udev rule to use bfq to only apply to disks (#1803500) From 4866d644056a64d3a13d4c013b7c20652cf19803 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Sun, 20 Sep 2020 13:11:35 +0200 Subject: [PATCH 15/16] Add patch for kernel bug --- ...96d3e8d1cb0dd3666bc74fa673918b586612.patch | 129 ++++++++++++++++++ systemd.spec | 3 + 2 files changed, 132 insertions(+) create mode 100644 f58b96d3e8d1cb0dd3666bc74fa673918b586612.patch 
diff --git a/f58b96d3e8d1cb0dd3666bc74fa673918b586612.patch b/f58b96d3e8d1cb0dd3666bc74fa673918b586612.patch
new file mode 100644
index 0000000..84497ad
--- /dev/null
+++ b/f58b96d3e8d1cb0dd3666bc74fa673918b586612.patch
@@ -0,0 +1,129 @@ +From f58b96d3e8d1cb0dd3666bc74fa673918b586612 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Mon, 14 Sep 2020 17:58:03 +0200 +Subject: [PATCH] test-mountpointutil-util: do not assert in test_mnt_id() + +https://bugzilla.redhat.com/show_bug.cgi?id=1803070 + +I *think* this a kernel bug: the mnt_id as listed in /proc/self/mountinfo is different +than the one we get from /proc/self/fdinfo/. This only matters when both statx and +name_to_handle_at are unavailable and we hit the fallback path that goes through fdinfo: + +(gdb) !uname -r +5.6.19-200.fc31.ppc64le + +(gdb) !cat /proc/self/mountinfo +697 664 253:0 /var/lib/mock/fedora-31-ppc64le/root / rw,relatime shared:298 master:1 - xfs /dev/mapper/fedora_rh--power--vm14-root rw,seclabel,attr2,inode64,logbufs=8,logbsize=32k,noquota +698 697 253:0 /var/cache/mock/fedora-31-ppc64le/yum_cache /var/cache/yum rw,relatime shared:299 master:1 - xfs /dev/mapper/fedora_rh--power--vm14-root rw,seclabel,attr2,inode64,logbufs=8,logbsize=32k,noquota +699 697 253:0 /var/cache/mock/fedora-31-ppc64le/dnf_cache /var/cache/dnf rw,relatime shared:300 master:1 - xfs /dev/mapper/fedora_rh--power--vm14-root rw,seclabel,attr2,inode64,logbufs=8,logbsize=32k,noquota +700 697 0:32 /mock-selinux-plugin.7me9bfpi /proc/filesystems rw,nosuid,nodev shared:301 master:18 - tmpfs tmpfs rw,seclabel <========================================================== +701 697 0:41 / /sys ro,nosuid,nodev,noexec,relatime shared:302 - sysfs sysfs ro,seclabel +702 701 0:21 / /sys/fs/selinux ro,nosuid,nodev,noexec,relatime shared:306 master:8 - selinuxfs selinuxfs rw +703 697 0:42 / /dev rw,nosuid shared:303 - tmpfs tmpfs rw,seclabel,mode=755 +704 703 0:43 / /dev/shm rw,nosuid,nodev shared:304 - tmpfs tmpfs rw,seclabel +705 703 0:45 / /dev/pts rw,nosuid,noexec,relatime shared:307 - devpts devpts rw,seclabel,gid=5,mode=620,ptmxmode=666 +706 703 0:6 /btrfs-control /dev/btrfs-control rw,nosuid shared:308 master:9 - 
devtmpfs devtmpfs rw,seclabel,size=4107840k,nr_inodes=64185,mode=755 +707 703 0:6 /loop-control /dev/loop-control rw,nosuid shared:309 master:9 - devtmpfs devtmpfs rw,seclabel,size=4107840k,nr_inodes=64185,mode=755 +708 703 0:6 /loop0 /dev/loop0 rw,nosuid shared:310 master:9 - devtmpfs devtmpfs rw,seclabel,size=4107840k,nr_inodes=64185,mode=755 +709 703 0:6 /loop1 /dev/loop1 rw,nosuid shared:311 master:9 - devtmpfs devtmpfs rw,seclabel,size=4107840k,nr_inodes=64185,mode=755 +710 703 0:6 /loop10 /dev/loop10 rw,nosuid shared:312 master:9 - devtmpfs devtmpfs rw,seclabel,size=4107840k,nr_inodes=64185,mode=755 +711 703 0:6 /loop11 /dev/loop11 rw,nosuid shared:313 master:9 - devtmpfs devtmpfs rw,seclabel,size=4107840k,nr_inodes=64185,mode=755 +712 703 0:6 /loop2 /dev/loop2 rw,nosuid shared:314 master:9 - devtmpfs devtmpfs rw,seclabel,size=4107840k,nr_inodes=64185,mode=755 +713 703 0:6 /loop3 /dev/loop3 rw,nosuid shared:315 master:9 - devtmpfs devtmpfs rw,seclabel,size=4107840k,nr_inodes=64185,mode=755 +714 703 0:6 /loop4 /dev/loop4 rw,nosuid shared:316 master:9 - devtmpfs devtmpfs rw,seclabel,size=4107840k,nr_inodes=64185,mode=755 +715 703 0:6 /loop5 /dev/loop5 rw,nosuid shared:317 master:9 - devtmpfs devtmpfs rw,seclabel,size=4107840k,nr_inodes=64185,mode=755 +716 703 0:6 /loop6 /dev/loop6 rw,nosuid shared:318 master:9 - devtmpfs devtmpfs rw,seclabel,size=4107840k,nr_inodes=64185,mode=755 +717 703 0:6 /loop7 /dev/loop7 rw,nosuid shared:319 master:9 - devtmpfs devtmpfs rw,seclabel,size=4107840k,nr_inodes=64185,mode=755 +718 703 0:6 /loop8 /dev/loop8 rw,nosuid shared:320 master:9 - devtmpfs devtmpfs rw,seclabel,size=4107840k,nr_inodes=64185,mode=755 +719 703 0:6 /loop9 /dev/loop9 rw,nosuid shared:321 master:9 - devtmpfs devtmpfs rw,seclabel,size=4107840k,nr_inodes=64185,mode=755 +720 697 0:44 / /run rw,nosuid,nodev shared:305 - tmpfs tmpfs rw,seclabel,mode=755 +721 720 0:25 /systemd/nspawn/propagate/9cc8a155d0244558b273f773d2b92142 /run/systemd/nspawn/incoming ro 
master:12 - tmpfs tmpfs rw,seclabel,mode=755 +722 697 0:32 /mock-resolv.dvml91hp /etc/resolv.conf rw,nosuid,nodev shared:322 master:18 - tmpfs tmpfs rw,seclabel +725 697 0:47 / /proc rw,nosuid,nodev,noexec,relatime shared:323 - proc proc rw +603 725 0:47 /sys /proc/sys ro,nosuid,nodev,noexec,relatime shared:323 - proc proc rw +604 725 0:44 /systemd/inaccessible/reg /proc/kallsyms ro,nosuid,nodev,noexec shared:305 - tmpfs tmpfs rw,seclabel,mode=755 +605 725 0:44 /systemd/inaccessible/reg /proc/kcore ro,nosuid,nodev,noexec shared:305 - tmpfs tmpfs rw,seclabel,mode=755 +606 725 0:44 /systemd/inaccessible/reg /proc/keys ro,nosuid,nodev,noexec shared:305 - tmpfs tmpfs rw,seclabel,mode=755 +607 725 0:44 /systemd/inaccessible/reg /proc/sysrq-trigger ro,nosuid,nodev,noexec shared:305 - tmpfs tmpfs rw,seclabel,mode=755 +608 725 0:44 /systemd/inaccessible/reg /proc/timer_list ro,nosuid,nodev,noexec shared:305 - tmpfs tmpfs rw,seclabel,mode=755 +609 725 0:47 /bus /proc/bus ro,nosuid,nodev,noexec,relatime shared:323 - proc proc rw +610 725 0:47 /fs /proc/fs ro,nosuid,nodev,noexec,relatime shared:323 - proc proc rw +611 725 0:47 /irq /proc/irq ro,nosuid,nodev,noexec,relatime shared:323 - proc proc rw +612 725 0:47 /scsi /proc/scsi ro,nosuid,nodev,noexec,relatime shared:323 - proc proc rw +613 703 0:46 / /dev/mqueue rw,nosuid,nodev,noexec,relatime shared:324 - mqueue mqueue rw,seclabel +614 701 0:26 / /sys/fs/cgroup rw,nosuid,nodev,noexec,relatime shared:325 - cgroup2 cgroup rw,seclabel,nsdelegate +615 603 0:44 /.#proc-sys-kernel-random-boot-id4fbdce67af46d1c2//deleted /proc/sys/kernel/random/boot_id ro,nosuid,nodev,noexec shared:305 - tmpfs tmpfs rw,seclabel,mode=755 +616 725 0:44 /.#proc-sys-kernel-random-boot-id4fbdce67af46d1c2//deleted /proc/sys/kernel/random/boot_id rw,nosuid,nodev shared:305 - tmpfs tmpfs rw,seclabel,mode=755 +617 725 0:44 /.#proc-kmsg5b7a8bcfe6717139//deleted /proc/kmsg rw,nosuid,nodev shared:305 - tmpfs tmpfs rw,seclabel,mode=755 + +The test process does 
+name_to_handle_at("/proc/filesystems") which returns -EOPNOTSUPP, and then +openat(AT_FDCWD, "/proc/filesystems") which returns 4, and then +read(open("/proc/self/fdinfo/4", ...)) which gives +"pos:\t0\nflags:\t012100000\nmnt_id:\t725\n" + +and the "725" is clearly inconsistent with "700" in /proc/self/mountinfo. + +We could either drop the fallback path (and fail name_to_handle_at() is not +avaliable) or ignore the error in the test. Not sure what is better. I think +this issue only occurs sometimes and with older kernels, so probably continuing +with the current flaky implementation is better than ripping out the fallback. + +Another strace: +writev(2, [{iov_base="mnt ids of /proc/sys is 603", iov_len=27}, {iov_base="\n", iov_len=1}], 2mnt ids of /proc/sys is 603 +) = 28 +name_to_handle_at(AT_FDCWD, "/", {handle_bytes=128 => 12, handle_type=129, f_handle=0x52748401000000008b93e20d}, [697], 0) = 0 +writev(2, [{iov_base="mnt ids of / is 697", iov_len=19}, {iov_base="\n", iov_len=1}], 2mnt ids of / is 697 +) = 20 +name_to_handle_at(AT_FDCWD, "/proc/kcore", {handle_bytes=128 => 12, handle_type=1, f_handle=0x92ddcfcd2e802d0100000000}, [605], 0) = 0 +writev(2, [{iov_base="mnt ids of /proc/kcore is 605", iov_len=29}, {iov_base="\n", iov_len=1}], 2mnt ids of /proc/kcore is 605 +) = 30 +name_to_handle_at(AT_FDCWD, "/dev", {handle_bytes=128 => 12, handle_type=1, f_handle=0x8ae269160c802d0100000000}, [703], 0) = 0 +writev(2, [{iov_base="mnt ids of /dev is 703", iov_len=22}, {iov_base="\n", iov_len=1}], 2mnt ids of /dev is 703 +) = 23 +name_to_handle_at(AT_FDCWD, "/proc/filesystems", {handle_bytes=128}, 0x7fffe36ddb84, 0) = -1 EOPNOTSUPP (Operation not supported) +openat(AT_FDCWD, "/proc/filesystems", O_RDONLY|O_NOFOLLOW|O_CLOEXEC|O_PATH) = 4 +openat(AT_FDCWD, "/proc/self/fdinfo/4", O_RDONLY|O_CLOEXEC) = 5 +fstat(5, {st_mode=S_IFREG|0400, st_size=0, ...}) = 0 +fstat(5, {st_mode=S_IFREG|0400, st_size=0, ...}) = 0 +read(5, "pos:\t0\nflags:\t012100000\nmnt_id:\t725\n", 2048) = 
36 +read(5, "", 1024) = 0 +close(5) = 0 +close(4) = 0 +writev(2, [{iov_base="mnt ids of /proc/filesystems are 700, 725", iov_len=41}, {iov_base="\n", iov_len=1}], 2mnt ids of /proc/filesystems are 700, 725 +) = 42 +writev(2, [{iov_base="the other path for mnt id 725 is /proc", iov_len=38}, {iov_base="\n", iov_len=1}], 2the other path for mnt id 725 is /proc +) = 39 +writev(2, [{iov_base="Assertion 'path_equal(p, t)' failed at src/test/test-mountpoint-util.c:94, function test_mnt_id(). Aborting.", iov_len=108}, {iov_base="\n", iov_len=1}], 2Assertion 'path_equal(p, t)' failed at src/test/test-mountpoint-util.c:94, function test_mnt_id(). Aborting. +) = 109 +rt_sigprocmask(SIG_UNBLOCK, [ABRT], NULL, 8) = 0 +rt_sigprocmask(SIG_BLOCK, ~[RTMIN RT_1], [], 8) = 0 +getpid() = 20 +gettid() = 20 +tgkill(20, 20, SIGABRT) = 0 +rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 +--- SIGABRT {si_signo=SIGABRT, si_code=SI_TKILL, si_pid=20, si_uid=0} --- ++++ killed by SIGABRT (core dumped) +++ +--- + src/test/test-mountpoint-util.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/src/test/test-mountpoint-util.c b/src/test/test-mountpoint-util.c +index 30b00ae4d8b..ffe5144b04a 100644 +--- a/src/test/test-mountpoint-util.c ++++ b/src/test/test-mountpoint-util.c +@@ -89,8 +89,12 @@ static void test_mnt_id(void) { + /* The ids don't match? If so, then there are two mounts on the same path, let's check if + * that's really the case */ + char *t = hashmap_get(h, INT_TO_PTR(mnt_id2)); +- log_debug("the other path for mnt id %i is %s\n", mnt_id2, t); +- assert_se(path_equal(p, t)); ++ log_debug("Path for mnt id %i from /proc/self/mountinfo is %s\n", mnt_id2, t); ++ ++ if (!path_equal(p, t)) ++ /* Apparent kernel bug in /proc/self/fdinfo */ ++ log_warning("Bad mount id given for %s: %d, should be %d", ++ p, mnt_id2, mnt_id); + } + } + diff --git a/systemd.spec b/systemd.spec index 03a8fd0..c895a4f 100644 --- a/systemd.spec +++ b/systemd.spec 
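Review bot: The new `if (!path_equal(p, t))` in test_mnt_id() still passes `t` straight from `hashmap_get(h, INT_TO_PTR(mnt_id2))` without a NULL check; if the mnt_id read from /proc/self/fdinfo is absent from the parsed mountinfo table, `t` is NULL and both path_equal() and the `%s` in the log_debug() above it receive a null pointer, which would likely still abort the test this commit is trying to make tolerant. Guarding with `if (!t || !path_equal(p, t))` and logging the missing id in that case preserves the stated intent. The log_debug() format also keeps a trailing `\n`, which systemd's log functions do not need. test_mnt_id() begins before the hunk, and the trace in the commit message shows a mismatched id (725 vs 700) rather than a missing one, so the NULL case is an inference from the code, not from the observed failure.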
@@ -63,6 +63,8 @@ Patch0900: 0002-Revert-units-set-NoNewPrivileges-for-all-long-runnin.patch
 Patch0998: 0998-resolved-create-etc-resolv.conf-symlink-at-runtime.patch
+Patch0009: https://github.com/systemd/systemd/pull/17050/commits/f58b96d3e8d1cb0dd3666bc74fa673918b586612.patch
+
 %ifarch %{ix86} x86_64 aarch64
 %global have_gnu_efi 1
 %endif
@@ -711,6 +713,7 @@ fi
 fix build with µhttpd 0.9.71, smaller fixes for udevd, sd-boot, documentation, shell completions, systemd-dissect, systemd-nspawn, kernel-install, tests) (#1731557, #1876905, #1856273, #1878530)
+- Do not fail in test because of kernel bug (#1803070)
 * Thu Mar 26 2020 Zbigniew Jędrzejewski-Szmek - 243.8-1
 - Update to latest stable version
From 54dfd2376d0c4a68ce4c45773ee767fe63afae1a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?=
Date: Sun, 20 Sep 2020 14:39:04 +0200
Subject: [PATCH 16/16] Revert patch that uses pthread_once()

Apparently it's not available in F31.

---
 ...ake-sure-to-initialize-shared-hash-k.patch | 63 +++++++++++++++++++
 systemd.spec | 1 +
 2 files changed, 64 insertions(+)
 create mode 100644 0001-Revert-hashmap-make-sure-to-initialize-shared-hash-k.patch
diff --git a/0001-Revert-hashmap-make-sure-to-initialize-shared-hash-k.patch b/0001-Revert-hashmap-make-sure-to-initialize-shared-hash-k.patch
new file mode 100644
index 0000000..e69a3a4
--- /dev/null
+++ b/0001-Revert-hashmap-make-sure-to-initialize-shared-hash-k.patch
@@ -0,0 +1,63 @@
+From de646878d39a184d3e5ecac5e49fac63b5d27dbf Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?=
+Date: Sun, 20 Sep 2020 14:37:39 +0200
+Subject: [PATCH] Revert "hashmap: make sure to initialize shared hash key
+ atomically"
+
+This reverts commit df14a160095987140f4435412156a80ec628fd7c.
+---
+ src/basic/hashmap.c | 13 ++++++-------
+ 1 file changed, 6 insertions(+), 7 deletions(-)
+
+diff --git a/src/basic/hashmap.c b/src/basic/hashmap.c
+index 64fbad1969..3bd94a1320 100644
+--- a/src/basic/hashmap.c
++++ b/src/basic/hashmap.c
+@@ -1,7 +1,6 @@
+ /* SPDX-License-Identifier: LGPL-2.1+ */
+ 
+ #include
+-#include
+ #include
+ #include
+ #include
+@@ -21,6 +20,7 @@
+ #include "strv.h"
+ 
+ #if ENABLE_DEBUG_HASHMAP
++#include
+ #include "list.h"
+ #endif
+ 
+@@ -195,6 +195,7 @@ assert_cc(DIRECT_BUCKETS(struct set_entry) < (1 << 3));
+ * a handful of directly stored entries in a hashmap. When a hashmap
+ * outgrows direct storage, it gets its own key for indirect storage. */
+ static uint8_t shared_hash_key[HASH_KEY_SIZE];
++static bool shared_hash_key_initialized;
+ 
+ /* Fields that all hashmap/set types must have */
+ struct HashmapBase {
+@@ -770,10 +771,6 @@ static void reset_direct_storage(HashmapBase *h) {
+ memset(p, DIB_RAW_INIT, sizeof(dib_raw_t) * hi->n_direct_buckets);
+ }
+ 
+-static void shared_hash_key_initialize(void) {
+- random_bytes(shared_hash_key, sizeof(shared_hash_key));
+-}
+-
+ static struct HashmapBase *hashmap_base_new(const struct hash_ops *hash_ops, enum HashmapType type HASHMAP_DEBUG_PARAMS) {
+ HashmapBase *h;
+ const struct hashmap_type_info *hi = &hashmap_type_info[type];
+@@ -796,8 +793,10 @@ static struct HashmapBase *hashmap_base_new(const struct hash_ops *hash_ops, enu
+ 
+ reset_direct_storage(h);
+ 
+- static pthread_once_t once = PTHREAD_ONCE_INIT;
+- assert_se(pthread_once(&once, shared_hash_key_initialize) == 0);
++ if (!shared_hash_key_initialized) {
++ random_bytes(shared_hash_key, sizeof(shared_hash_key));
++ shared_hash_key_initialized= true;
++ }
+ 
+ #if ENABLE_DEBUG_HASHMAP
+ h->debug.func = func;
diff --git a/systemd.spec b/systemd.spec
index c895a4f..0b59e01 100644
--- a/systemd.spec
+++ b/systemd.spec
@@ -64,6 +64,7 @@ Patch0900: 0002-Revert-units-set-NoNewPrivileges-for-all-long-runnin.patch
 Patch0998: 0998-resolved-create-etc-resolv.conf-symlink-at-runtime.patch
 Patch0009: https://github.com/systemd/systemd/pull/17050/commits/f58b96d3e8d1cb0dd3666bc74fa673918b586612.patch
+Patch0010: 0001-Revert-hashmap-make-sure-to-initialize-shared-hash-k.patch
 %ifarch %{ix86} x86_64 aarch64
 %global have_gnu_efi 1
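Review bot: The restored code in hashmap_base_new() tests and sets `shared_hash_key_initialized` with no synchronization, so two threads creating their first hashmap concurrently can both run random_bytes() on `shared_hash_key`, or one can see the flag already set before the other's key bytes are visible to it — exactly the race the reverted commit's title ("make sure to initialize shared hash key atomically") names, while this packaging commit only records that pthread_once() is unavailable on F31. Whether any F31 consumer of libsystemd creates hashmaps from several threads is not visible here, but a hashmap hashed against a partially written key would presumably place entries inconsistently. If the revert has to stay, a comment above the `if` block such as `/* Not thread-safe: pthread_once() initialization reverted for F31; concurrent first use may race on the key */` documents the accepted trade-off, and `shared_hash_key_initialized= true;` should read `shared_hash_key_initialized = true;`. The `#include` lines in this patch file show no header names (`+ #include`, `+-#include`, `++#include`), which looks like angle-bracket content stripped by rendering rather than the checked-in file, but if it is the file as committed the patch cannot apply because its context lines would not match hashmap.c.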