diff --git a/0001-Revert-units-drop-runlevel-0-6-.target.patch b/0001-Revert-units-drop-runlevel-0-6-.target.patch
new file mode 100644
index 0000000..faf8341
--- /dev/null
+++ b/0001-Revert-units-drop-runlevel-0-6-.target.patch
@@ -0,0 +1,88 @@ +From 61750e265ce3f7783a8dba831e91140f84ad89f2 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Wed, 5 Nov 2025 17:52:16 +0100 +Subject: [PATCH 1/3] Revert "units: drop runlevel[0-6].target" + +This partially reverts commit e58ba80a40fb6e96543d56774a5bc5aa9cdadbf3. +The unit are still needed for compat. +--- + units/meson.build | 27 ++++++++++++++++++++++----- + 1 file changed, 22 insertions(+), 5 deletions(-) + +diff --git a/units/meson.build b/units/meson.build +index 2e04c4aa2b..46eaac4073 100644 +--- a/units/meson.build ++++ b/units/meson.build +@@ -1,5 +1,7 @@ + # SPDX-License-Identifier: LGPL-2.1-or-later + ++with_runlevels = conf.get('HAVE_SYSV_COMPAT') == 1 ++ + units = [ + { 'file' : 'basic.target' }, + { 'file' : 'blockdev@.target' }, +@@ -49,7 +51,7 @@ units = [ + }, + { + 'file' : 'graphical.target', +- 'symlinks' : ['default.target'], ++ 'symlinks' : ['default.target'] + (with_runlevels ? ['runlevel5.target'] : []), + }, + { 'file' : 'halt.target' }, + { +@@ -142,7 +144,10 @@ units = [ + 'conditions' : ['ENABLE_MACHINED'], + }, + { 'file' : 'modprobe@.service' }, +- { 'file' : 'multi-user.target' }, ++ { ++ 'file' : 'multi-user.target', ++ 'symlinks' : with_runlevels ? ['runlevel2.target', 'runlevel3.target', 'runlevel4.target'] : [], ++ }, + { + 'file' : 'systemd-mute-console.socket', + 'symlinks' : ['sockets.target.wants/'] +@@ -155,7 +160,10 @@ units = [ + { 'file' : 'nss-lookup.target' }, + { 'file' : 'nss-user-lookup.target' }, + { 'file' : 'paths.target' }, +- { 'file' : 'poweroff.target' }, ++ { ++ 'file' : 'poweroff.target', ++ 'symlinks' : with_runlevels ? ['runlevel0.target'] : [], ++ }, + { 'file' : 'printer.target' }, + { + 'file' : 'proc-sys-fs-binfmt_misc.automount', +@@ -180,7 +188,7 @@ units = [ + }, + { + 'file' : 'reboot.target', +- 'symlinks' : ['ctrl-alt-del.target'], ++ 'symlinks' : ['ctrl-alt-del.target'] + (with_runlevels ? 
['runlevel6.target'] : []), + }, + { + 'file' : 'remote-cryptsetup.target', +@@ -200,7 +208,10 @@ units = [ + 'symlinks' : ['initrd-root-device.target.wants/'], + }, + { 'file' : 'rescue.service.in' }, +- { 'file' : 'rescue.target' }, ++ { ++ 'file' : 'rescue.target', ++ 'symlinks' : with_runlevels ? ['runlevel1.target'] : [], ++ }, + { 'file' : 'rpcbind.target' }, + { 'file' : 'serial-getty@.service.in' }, + { 'file' : 'shutdown.target' }, +@@ -1001,4 +1012,10 @@ else + dbussessionservicedir / 'org.freedesktop.systemd1.service')) + endif + ++if conf.get('HAVE_SYSV_COMPAT') == 1 ++ foreach i : [1, 2, 3, 4, 5] ++ install_emptydir(systemunitdir / 'runlevel@0@.target.wants'.format(i)) ++ endforeach ++endif ++ + subdir('user') diff --git a/0001-Revert-units-use-PrivateTmp-disconnected-instead-of-.patch b/0001-Revert-units-use-PrivateTmp-disconnected-instead-of-.patch deleted file mode 100644 index eca67f0..0000000 --- a/0001-Revert-units-use-PrivateTmp-disconnected-instead-of-.patch +++ /dev/null 
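Review bot: The `install_emptydir` block at the end of the patch re-tests `conf.get('HAVE_SYSV_COMPAT') == 1` although the same patch introduces `with_runlevels` for exactly that condition at the top of units/meson.build; `if with_runlevels` keeps the two guards from drifting apart. The loop also creates only `runlevel[1-5].target.wants`, leaving runlevel0/6 without a `.wants` directory — presumably deliberate since those map to poweroff/reboot, but a one-line comment saying so would spare the next reader a check against the original e58ba80 commit.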
@@ -1,69 +0,0 @@ -From 0792bb7a9d25a1ab8a5f208f2f5cea8a362dc1c6 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= -Date: Fri, 10 Jan 2025 17:00:08 +0100 -Subject: [PATCH] Revert "units: use PrivateTmp=disconnected instead of 'yes' - if DefaultDependencies=no" - -This reverts commit 1f6e1928488d461d19fd1e4b4d645b0ea5ea8bf5. ---- - units/systemd-coredump@.service.in | 2 +- - units/systemd-oomd.service.in | 2 +- - units/systemd-resolved.service.in | 2 +- - units/systemd-timesyncd.service.in | 2 +- - 4 files changed, 4 insertions(+), 4 deletions(-) - -diff --git a/units/systemd-coredump@.service.in b/units/systemd-coredump@.service.in -index c74dc7a5a1..fa3206d07b 100644 ---- a/units/systemd-coredump@.service.in -+++ b/units/systemd-coredump@.service.in -@@ -26,7 +26,7 @@ NoNewPrivileges=yes - OOMScoreAdjust=500 - PrivateDevices=yes - PrivateNetwork=yes --PrivateTmp=disconnected -+PrivateTmp=yes - ProtectControlGroups=yes - ProtectHome=read-only - ProtectHostname=yes -diff --git a/units/systemd-oomd.service.in b/units/systemd-oomd.service.in -index 670d5e6140..82bd6245f8 100644 ---- a/units/systemd-oomd.service.in -+++ b/units/systemd-oomd.service.in -@@ -37,7 +37,7 @@ MemoryLow=64M - NoNewPrivileges=yes - OOMScoreAdjust=-900 - PrivateDevices=yes --PrivateTmp=disconnected -+PrivateTmp=yes - ProtectClock=yes - ProtectHome=yes - ProtectHostname=yes -diff --git a/units/systemd-resolved.service.in b/units/systemd-resolved.service.in -index e181b2528a..4aa0788ac4 100644 ---- a/units/systemd-resolved.service.in -+++ b/units/systemd-resolved.service.in -@@ -29,7 +29,7 @@ LockPersonality=yes - MemoryDenyWriteExecute=yes - NoNewPrivileges=yes - PrivateDevices=yes --PrivateTmp=disconnected -+PrivateTmp=yes - ProtectClock=yes - ProtectControlGroups=yes - ProtectHome=yes -diff --git a/units/systemd-timesyncd.service.in b/units/systemd-timesyncd.service.in -index 835d6327e7..cf233fbffd 100644 ---- a/units/systemd-timesyncd.service.in -+++ 
b/units/systemd-timesyncd.service.in -@@ -31,7 +31,7 @@ LockPersonality=yes - MemoryDenyWriteExecute=yes - NoNewPrivileges=yes - PrivateDevices=yes --PrivateTmp=disconnected -+PrivateTmp=yes - ProtectProc=invisible - ProtectControlGroups=yes - ProtectHome=yes --- -2.47.1 - diff --git a/0002-machined-continue-without-resolve.hook-socket.patch b/0002-machined-continue-without-resolve.hook-socket.patch new file mode 100644 index 0000000..2903c5e --- /dev/null +++ b/0002-machined-continue-without-resolve.hook-socket.patch @@ -0,0 +1,32 @@ +From 8d6d86d1d7e45eeae921e88adde55d6524027c96 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Wed, 26 Nov 2025 22:29:53 +0100 +Subject: [PATCH 3/3] machined: continue without resolve.hook socket + +--- + src/machine/machined-varlink.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +diff --git a/src/machine/machined-varlink.c b/src/machine/machined-varlink.c +index f83cbb8562..0b30cd0531 100644 +--- a/src/machine/machined-varlink.c ++++ b/src/machine/machined-varlink.c +@@ -894,9 +894,15 @@ static int manager_varlink_init_resolve_hook(Manager *m) { + + r = sd_varlink_server_listen_address(s, VARLINK_PATH_MACHINED_RESOLVE_HOOK, + 0666 | SD_VARLINK_SERVER_MODE_MKDIR_0755); +- if (r < 0) +- return log_error_errno(r, "Failed to bind to varlink socket %s: %m", +- VARLINK_PATH_MACHINED_RESOLVE_HOOK); ++ if (r < 0) { ++ bool ignore = ERRNO_IS_NEG_PRIVILEGE(r); ++ log_full_errno(ignore ? LOG_WARNING : LOG_ERR, ++ r, ++ "Failed to bind to varlink socket %s%s: %m", ++ VARLINK_PATH_MACHINED_RESOLVE_HOOK, ++ ignore ? ", ignoring" : ""); ++ return ignore ? 0 : r; ++ } + + r = sd_varlink_server_attach_event(s, m->event, SD_EVENT_PRIORITY_NORMAL); + if (r < 0) diff --git a/0002-sysusers-emit-audit-events-for-user-and-group-creati.patch b/0002-sysusers-emit-audit-events-for-user-and-group-creati.patch deleted file mode 100644 index d442f5a..0000000 
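Review bot: The new early `return 0` on `ERRNO_IS_NEG_PRIVILEGE(r)` leaves machined running without its resolve hook, and the warning text does not say what functionality was lost; something like `"Failed to bind to varlink socket %s, machine name resolution hook disabled%s: %m"` makes the SELinux denial this works around diagnosable from the journal. EACCES/EPERM are also what an ordinary DAC denial on the socket directory produces, so the downgrade is broader than the single scenario named in the spec; if that is acceptable, a comment above the check should say so. The return also skips `sd_varlink_server_attach_event()`; whether `s` is released on that path depends on its declaration, which is above the hunk (manager_varlink_init_resolve_hook starts outside it).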
--- a/0002-sysusers-emit-audit-events-for-user-and-group-creati.patch
+++ /dev/null
@@ -1,287 +0,0 @@ -From 398049208b4aae5f2a9f0d4914dee6ab6e101118 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= -Date: Fri, 10 Jan 2025 15:35:13 +0100 -Subject: [PATCH 2/2] sysusers: emit audit events for user and group creation - -Background: Fedora/RHEL are switching to sysusers.d metadata for creation of -users and groups for system users defined by packages -(https://fedoraproject.org/wiki/Changes/RPMSuportForSystemdSysusers). -Packages carry sysusers files. During package installation, rpm calls an -program to execute on this config. This program may either be -/usr/lib/rpm/sysusers.sh which calls useradd/groupadd, or -/usr/bin/systemd-sysusers. To match the functionality provided by -useradd/groupadd from the shadow-utils project, systemd-sysusers must emit -audit events so that it provides a drop-in replacement. - -systemd-sysuers will emit audit events AUDIT_ADD_USER/AUDIT_ADD_GROUP when -adding users and groups. The operation "names" are copied from shadow-utils in -Fedora (which has a patch to change them from the upstream version), so the -format of the events that is generated on success should be identical. - -The helper code is shared between sysusers and utmp-wtmp. I changed the -audit_fd variable to be unconditional. This way we can avoid ugly iffdefery -every time the variable would be used. The cost is that 4 bytes of unused -storage might be present. This is negligible, and the compiler might even be -able to optimize that away if it inlines things. 
---- - src/basic/audit-util.h | 33 +++++++++++++++++++++ - src/sysusers/meson.build | 2 ++ - src/sysusers/sysusers.c | 56 +++++++++++++++++++++++++++++++++++ - src/update-utmp/update-utmp.c | 23 ++------------ - 4 files changed, 94 insertions(+), 20 deletions(-) - -diff --git a/src/basic/audit-util.h b/src/basic/audit-util.h -index 9a74e4f102..d8ecf14f69 100644 ---- a/src/basic/audit-util.h -+++ b/src/basic/audit-util.h -@@ -1,10 +1,16 @@ - /* SPDX-License-Identifier: LGPL-2.1-or-later */ - #pragma once - -+#if HAVE_AUDIT -+# include -+#endif -+ - #include - #include - #include - -+#include "errno-util.h" -+#include "log.h" - #include "pidref.h" - - #define AUDIT_SESSION_INVALID UINT32_MAX -@@ -17,3 +23,30 @@ bool use_audit(void); - static inline bool audit_session_is_valid(uint32_t id) { - return id > 0 && id != AUDIT_SESSION_INVALID; - } -+ -+/* The wrappers for audit_open() and audit_close() are inline functions so that we don't get a spurious -+ * linkage to libaudit in libbasic, but we also don't need to create a separate source file for two very -+ * short functions. */ -+ -+static inline int close_audit_fd(int fd) { -+#if HAVE_AUDIT -+ if (fd >= 0) -+ audit_close(fd); -+#else -+ assert(fd < 0); -+#endif -+ return -EBADF; -+} -+ -+static inline int open_audit_fd_or_warn(void) { -+ int fd = -EBADF; -+ -+#if HAVE_AUDIT -+ /* If the kernel lacks netlink or audit support, don't worry about it. */ -+ fd = audit_open(); -+ if (fd < 0) -+ return log_full_errno(ERRNO_IS_NOT_SUPPORTED(errno) ? 
LOG_DEBUG : LOG_WARNING, -+ errno, "Failed to connect to audit log, ignoring: %m"); -+#endif -+ return fd; -+} -diff --git a/src/sysusers/meson.build b/src/sysusers/meson.build -index 123ff41d3f..c968f55110 100644 ---- a/src/sysusers/meson.build -+++ b/src/sysusers/meson.build -@@ -9,6 +9,7 @@ executables += [ - 'name' : 'systemd-sysusers', - 'public' : true, - 'sources' : files('sysusers.c'), -+ 'dependencies' : libaudit, - }, - executable_template + { - 'name' : 'systemd-sysusers.standalone', -@@ -20,6 +21,7 @@ executables += [ - libshared_static, - libsystemd_static, - ], -+ 'dependencies' : libaudit, - 'build_by_default' : have_standalone_binaries, - 'install' : have_standalone_binaries, - }, -diff --git a/src/sysusers/sysusers.c b/src/sysusers/sysusers.c -index 44253483db..84eb9fc0c3 100644 ---- a/src/sysusers/sysusers.c -+++ b/src/sysusers/sysusers.c -@@ -3,6 +3,7 @@ - #include - - #include "alloc-util.h" -+#include "audit-util.h" - #include "build.h" - #include "chase.h" - #include "conf-files.h" -@@ -106,6 +107,8 @@ STATIC_DESTRUCTOR_REGISTER(arg_image, freep); - STATIC_DESTRUCTOR_REGISTER(arg_image_policy, image_policy_freep); - - typedef struct Context { -+ int audit_fd; -+ - OrderedHashmap *users, *groups; - OrderedHashmap *todo_uids, *todo_gids; - OrderedHashmap *members; -@@ -126,6 +129,8 @@ typedef struct Context { - static void context_done(Context *c) { - assert(c); - -+ c->audit_fd = close_audit_fd(c->audit_fd); -+ - ordered_hashmap_free(c->groups); - ordered_hashmap_free(c->users); - ordered_hashmap_free(c->members); -@@ -163,6 +168,48 @@ static void maybe_emit_login_defs_warning(Context *c) { - c->login_defs_need_warning = false; - } - -+static void log_audit_accounts(Context *c, ItemType what) { -+#if HAVE_AUDIT -+ assert(c); -+ assert(IN_SET(what, ADD_USER, ADD_GROUP)); -+ -+ if (arg_dry_run || c->audit_fd < 0) -+ return; -+ -+ Item *i; -+ int type = what == ADD_USER ? AUDIT_ADD_USER : AUDIT_ADD_GROUP; -+ const char *op = what == ADD_USER ? 
"adding-user" : "adding-group"; -+ -+ /* Notes: -+ * -+ * The op must not contain whitespace. The format with a dash matches what Fedora shadow-utils uses. -+ * -+ * We send id == -1, even though we know the number, in particular on success. This is because if we -+ * send the id, the generated audit message will not contain the name. The name seems more useful -+ * than the number, hence send just the name: -+ * -+ * type=ADD_USER msg=audit(01/10/2025 16:02:00.639:3854) : -+ * pid=3846380 uid=root auid=zbyszek ses=2 msg='op=adding-user id=unknown(952) exe=systemd-sysusers ... res=success' -+ * vs. -+ * type=ADD_USER msg=audit(01/10/2025 16:03:15.457:3908) : -+ * pid=3846607 uid=root auid=zbyszek ses=2 msg='op=adding-user acct=foo5 exe=systemd-sysusers ... res=success' -+ */ -+ -+ ORDERED_HASHMAP_FOREACH(i, what == ADD_USER ? c->todo_uids : c->todo_gids) -+ audit_log_acct_message( -+ c->audit_fd, -+ type, -+ program_invocation_short_name, -+ op, -+ i->name, -+ /* id= */ (unsigned) -1, -+ /* host= */ NULL, -+ /* addr= */ NULL, -+ /* tty= */ NULL, -+ /* success= */ 1); -+#endif -+} -+ - static int load_user_database(Context *c) { - _cleanup_fclose_ FILE *f = NULL; - const char *passwd_path; -@@ -971,6 +1018,8 @@ static int write_files(Context *c) { - group_tmp, group_path); - group_tmp = mfree(group_tmp); - } -+ /* OK, we have written the group entries successfully */ -+ log_audit_accounts(c, ADD_GROUP); - if (gshadow) { - r = rename_and_apply_smack_floor_label(gshadow_tmp, gshadow_path); - if (r < 0) -@@ -988,6 +1037,8 @@ static int write_files(Context *c) { - - passwd_tmp = mfree(passwd_tmp); - } -+ /* OK, we have written the user entries successfully */ -+ log_audit_accounts(c, ADD_USER); - if (shadow) { - r = rename_and_apply_smack_floor_label(shadow_tmp, shadow_path); - if (r < 0) -@@ -2232,6 +2283,7 @@ static int run(int argc, char *argv[]) { - #endif - _cleanup_close_ int lock = -EBADF; - _cleanup_(context_done) Context c = { -+ .audit_fd = -EBADF, - 
.search_uid = UID_INVALID, - }; - -@@ -2281,6 +2333,10 @@ static int run(int argc, char *argv[]) { - assert(!arg_image); - #endif - -+ /* Prepare to emit audit events, but only if we're operating on the host system. */ -+ if (!arg_root) -+ c.audit_fd = open_audit_fd_or_warn(); -+ - /* If command line arguments are specified along with --replace, read all configuration files and - * insert the positional arguments at the specified place. Otherwise, if command line arguments are - * specified, execute just them, and finally, without --replace= or any positional arguments, just -diff --git a/src/update-utmp/update-utmp.c b/src/update-utmp/update-utmp.c -index a10e6d478a..6df9414063 100644 ---- a/src/update-utmp/update-utmp.c -+++ b/src/update-utmp/update-utmp.c -@@ -5,12 +5,9 @@ - #include - #include - --#if HAVE_AUDIT --#include --#endif -- - #include "sd-bus.h" - -+#include "audit-util.h" - #include "alloc-util.h" - #include "bus-error.h" - #include "bus-locator.h" -@@ -30,20 +27,14 @@ - - typedef struct Context { - sd_bus *bus; --#if HAVE_AUDIT - int audit_fd; --#endif - } Context; - - static void context_clear(Context *c) { - assert(c); - - c->bus = sd_bus_flush_close_unref(c->bus); --#if HAVE_AUDIT -- if (c->audit_fd >= 0) -- audit_close(c->audit_fd); -- c->audit_fd = -EBADF; --#endif -+ c->audit_fd = close_audit_fd(c->audit_fd); - } - - static int get_startup_monotonic_time(Context *c, usec_t *ret) { -@@ -256,22 +247,14 @@ static int run(int argc, char *argv[]) { - }; - - _cleanup_(context_clear) Context c = { --#if HAVE_AUDIT - .audit_fd = -EBADF, --#endif - }; - - log_setup(); - - umask(0022); - --#if HAVE_AUDIT -- /* If the kernel lacks netlink or audit support, don't worry about it. */ -- c.audit_fd = audit_open(); -- if (c.audit_fd < 0) -- log_full_errno(IN_SET(errno, EAFNOSUPPORT, EPROTONOSUPPORT) ? 
LOG_DEBUG : LOG_WARNING, -- errno, "Failed to connect to audit log, ignoring: %m"); --#endif -+ c.audit_fd = open_audit_fd_or_warn(); - - return dispatch_verb(argc, argv, verbs, &c); - } --- -2.47.1 - diff --git a/0003-ukify-omit-.osrel-section-when-os-release-is-empty.patch b/0003-ukify-omit-.osrel-section-when-os-release-is-empty.patch new file mode 100644 index 0000000..5f4a1dd --- /dev/null +++ b/0003-ukify-omit-.osrel-section-when-os-release-is-empty.patch 
@@ -0,0 +1,112 @@ +From 75890d949f92c412c0936b8536b2e0dc8f7dfb40 Mon Sep 17 00:00:00 2001 +From: Nick Rosbrook +Date: Fri, 19 Dec 2025 11:01:49 -0500 +Subject: [PATCH] ukify: omit .osrel section when --os-release= is empty + +The primary motivation for this is to allow users of ukify to build +UKI-like objects, without having them later be detected as a UKI by +tools like kernel-install and bootctl. + +The common code used by these tools to determine if a PE binary is a UKI +checks that both .osrel and .linux sections are present. Hence, adding +a mechansim to skip .osrel provides a way to avoid being labeled a UKI. +--- + man/ukify.xml | 5 ++++- + src/ukify/test/test_ukify.py | 15 +++++++++++---- + src/ukify/ukify.py | 10 +++++++++- + 3 files changed, 24 insertions(+), 6 deletions(-) + +diff --git a/man/ukify.xml b/man/ukify.xml +index 829761642d..7462c5c92f 100644 +--- a/man/ukify.xml ++++ b/man/ukify.xml +@@ -365,7 +365,10 @@ + The os-release description (the .osrel section). The argument + may be a literal string, or @ followed by a path name. If not specified, the + os-release5 file +- will be picked up from the host system. ++ will be picked up from the host system. If explicitly set to an empty string, the ".osrel" section ++ is omitted from the UKI (this is not recommended in most cases, and causes the resulting artifact ++ to not be recognized as a UKI by other tools like kernel-install ++ and bootctl). 
+ + + +diff --git a/src/ukify/test/test_ukify.py b/src/ukify/test/test_ukify.py +index f75ef0c891..224a38569f 100755 +--- a/src/ukify/test/test_ukify.py ++++ b/src/ukify/test/test_ukify.py +@@ -641,7 +641,7 @@ def test_efi_signing_pesign(kernel_initrd, tmp_path): + + shutil.rmtree(tmp_path) + +-def test_inspect(kernel_initrd, tmp_path, capsys): ++def test_inspect(kernel_initrd, tmp_path, capsys, osrel=True): + if kernel_initrd is None: + pytest.skip('linux+initrd not found') + if not shutil.which('sbsign'): +@@ -653,7 +653,7 @@ def test_inspect(kernel_initrd, tmp_path, capsys): + + output = f'{tmp_path}/signed2.efi' + uname_arg='1.2.3' +- osrel_arg='Linux' ++ osrel_arg='Linux' if osrel else '' + cmdline_arg='ARG1 ARG2 ARG3' + + args = [ +@@ -680,8 +680,12 @@ def test_inspect(kernel_initrd, tmp_path, capsys): + + text = capsys.readouterr().out + +- expected_osrel = f'.osrel:\n size: {len(osrel_arg)}' +- assert expected_osrel in text ++ if osrel: ++ expected_osrel = f'.osrel:\n size: {len(osrel_arg)}' ++ assert expected_osrel in text ++ else: ++ assert '.osrel:' not in text ++ + expected_cmdline = f'.cmdline:\n size: {len(cmdline_arg)}' + assert expected_cmdline in text + expected_uname = f'.uname:\n size: {len(uname_arg)}' +@@ -694,6 +698,9 @@ def test_inspect(kernel_initrd, tmp_path, capsys): + + shutil.rmtree(tmp_path) + ++def test_inspect_no_osrel(kernel_initrd, tmp_path, capsys): ++ test_inspect(kernel_initrd, tmp_path, capsys, osrel=False) ++ + @pytest.mark.skipif(not slow_tests, reason='slow') + def test_pcr_signing(kernel_initrd, tmp_path): + if kernel_initrd is None: +diff --git a/src/ukify/ukify.py b/src/ukify/ukify.py +index c98f8e2a5d..b7542c7eca 100755 +--- a/src/ukify/ukify.py ++++ b/src/ukify/ukify.py +@@ -1477,6 +1477,9 @@ def make_uki(opts: UkifyConfig) -> None: + '.profile', + } + ++ if not opts.os_release: ++ to_import.remove('.osrel') ++ + for profile in opts.join_profiles: + pe = pefile.PE(profile, fast_load=True) + prev_len = len(uki.sections) 
+@@ -2412,7 +2415,12 @@ def finalize_options(opts: argparse.Namespace) -> None: + + opts.os_release = resolve_at_path(opts.os_release) + +- if not opts.os_release and opts.linux: ++ if opts.os_release == '': ++ # If --os-release= with an empty string was passed, treat that as ++ # explicitly disabling the .osrel section, and do not fallback to the ++ # system's os-release files. ++ pass ++ elif opts.os_release is None and opts.linux: + p = Path('/etc/os-release') + if not p.exists(): + p = Path('/usr/lib/os-release') +-- +2.52.0 + diff --git a/0004-stub-Fix-NULL-pointer-deref-when-there-are-no-initrd.patch b/0004-stub-Fix-NULL-pointer-deref-when-there-are-no-initrd.patch new file mode 100644 index 0000000..d6f362f --- /dev/null +++ b/0004-stub-Fix-NULL-pointer-deref-when-there-are-no-initrd.patch 
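Review bot: `to_import.remove('.osrel')` in `make_uki()` raises `KeyError` if `.osrel` is not in the set; the set literal is cut off above the hunk so membership cannot be confirmed from here, and `to_import.discard('.osrel')` is the safe spelling either way. Note also that `not opts.os_release` is true for `None` as well as `''`, whereas `finalize_options()` only treats `''` as an explicit opt-out and leaves `None` when no `--linux=` was given; if dropping `.osrel` in the `None` case is intended, a short comment next to the `remove` should document it.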
@@ -0,0 +1,51 @@ +From e57e599e6b11039ab6484e5622b3deae20bfd678 Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Mon, 12 Jan 2026 14:56:36 +0100 +Subject: [PATCH] stub: Fix NULL pointer deref when there are no initrds + +When n_all_initrds == 0, then all_initrds is unmodified from its initial +value of: + + _cleanup_free_ struct iovec *all_initrds = NULL; + +and in the else block of the "if (n_all_initrds > 1)" the NULL is +dereferenced: + + final_initrd = all_initrds[0]; + +Leading to the stub crashing due to a NULL pointer deref. + +Fix this by initializing final_initrd to all 0s and only +running the else block if (n_all_initrds == 1). +--- + src/boot/stub.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/src/boot/stub.c b/src/boot/stub.c +index 06ecbc7d18..65950262c6 100644 +--- a/src/boot/stub.c ++++ b/src/boot/stub.c +@@ -1302,9 +1302,9 @@ static EFI_STATUS run(EFI_HANDLE image) { + + /* Combine the initrds into one */ + _cleanup_pages_ Pages initrd_pages = {}; +- struct iovec final_initrd; ++ struct iovec final_initrd = {}; + if (n_all_initrds > 1) { +- /* There will always be a base initrd, if this counter is higher, we need to combine them */ ++ /* If there is more then 1 initrd we need to combine them */ + err = combine_initrds(all_initrds, n_all_initrds, &initrd_pages, &final_initrd.iov_len); + if (err != EFI_SUCCESS) + return err; +@@ -1313,7 +1313,7 @@ static EFI_STATUS run(EFI_HANDLE image) { + + /* Given these might be large let's free them explicitly before we pass control to Linux */ + initrds_free(&initrds); +- } else ++ } else if (n_all_initrds == 1) + final_initrd = all_initrds[0]; + + struct iovec kernel = IOVEC_MAKE( +-- +2.52.0 + diff --git a/30846.patch b/30846.patch index ca9cffb..77da69f 100644 --- a/30846.patch +++ b/30846.patch @@ -1,4 +1,4 @@ -From 9e3d6b193d79ce447cd329617ada941f331570a9 Mon Sep 17 00:00:00 2001 +From 07bedc8f93277f705622625f440a1f56ccff1cd0 Mon Sep 17 00:00:00 2001 
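Review bot: With `n_all_initrds == 0`, `final_initrd` is now a zeroed iovec (`iov_base == NULL`, `iov_len == 0`) that flows into the `IOVEC_MAKE(kernel, ...)` hand-off code below the hunk; the change removes the crash, but the hunk does not show that the consumer treats an empty iovec as "no initrd" rather than passing a NULL base on, so that should be confirmed in the rest of `run()` (which starts and ends outside this hunk). Minor: the rewritten comment reads `more then 1`; `/* If there is more than one initrd we need to combine them */` is the intended wording.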
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Tue, 9 Jan 2024 11:28:04 +0100 Subject: [PATCH] journal: again create user journals for users with high uids @@ -39,17 +39,18 @@ revert the change to fix user systems. Fixes https://bugzilla.redhat.com/show_bug.cgi?id=2251843. --- - src/basic/uid-classification.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) + src/basic/uid-classification.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/basic/uid-classification.c b/src/basic/uid-classification.c -index e2d2cebc6de27..2c8b06c0d3088 100644 +index 203ce2c68a..2eb384395d 100644 --- a/src/basic/uid-classification.c +++ b/src/basic/uid-classification.c -@@ -127,5 +127,5 @@ bool uid_for_system_journal(uid_t uid) { +@@ -129,5 +129,6 @@ bool uid_for_system_journal(uid_t uid) { /* Returns true if the specified UID shall get its data stored in the system journal. */ -- return uid_is_system(uid) || uid_is_dynamic(uid) || uid == UID_NOBODY || uid_is_container(uid); -+ return uid_is_system(uid) || uid_is_dynamic(uid) || uid == UID_NOBODY; +- return uid_is_system(uid) || uid_is_dynamic(uid) || uid_is_greeter(uid) || uid == UID_NOBODY || uid_is_container(uid) || uid_is_foreign(uid); ++ return uid_is_system(uid) || uid_is_dynamic(uid) || uid_is_greeter(uid) || uid == UID_NOBODY || uid_is_foreign(uid); ++ } diff --git a/38769.patch b/38769.patch new file mode 100644 index 0000000..09a7423 --- /dev/null +++ b/38769.patch 
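Review bot: The rebased hunk appears to add an extra blank line before the closing brace of `uid_for_system_journal()` (`++ }` together with the `2 insertions(+)` diffstat), which is a stray whitespace change in a backport; the patch should only touch the `return` line. Substantively, the 259 version keeps `uid_is_foreign(uid)` in the system-journal set while dropping `uid_is_container(uid)`, but the patch description above still argues only about the container range; one sentence noting that foreign-range UIDs deliberately stay in the system journal would keep the rationale current.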
@@ -0,0 +1,42 @@ +From 00d70f36a0866660693347009446b7f872a05bf4 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= +Date: Sat, 30 Aug 2025 13:55:56 +0200 +Subject: [PATCH] core: create userdb root directory with correct label + +Set up the /run/systemd/userdb directory with the default SELinux context +on creation. + +With version 257.7-1 on Debian the directory was automatically created with the +correct label. Starting with version 258 (only tested with 258~rc3-1) it no +longer is. Regression introduced in 736349958efe34089131ca88950e2e5bb391d36a. + +[zjs: edited the patch to apply comments from review and update the description.] +--- + src/core/varlink.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/src/core/varlink.c b/src/core/varlink.c +index 99f12c59e5..71a8ffd0e5 100644 +--- a/src/core/varlink.c ++++ b/src/core/varlink.c +@@ -5,6 +5,7 @@ + #include "constants.h" + #include "errno-util.h" + #include "manager.h" ++#include "mkdir-label.h" + #include "path-util.h" + #include "pidref.h" + #include "string-util.h" +@@ -441,7 +442,11 @@ static int manager_varlink_init_system(Manager *m) { + if (!fresh && varlink_server_contains_socket(m->varlink_server, address)) + continue; + +- r = sd_varlink_server_listen_address(m->varlink_server, address, 0666 | SD_VARLINK_SERVER_MODE_MKDIR_0755); ++ r = mkdir_parents_label(address, 0755); ++ if (r < 0) ++ log_warning_errno(r, "Failed to create parent directory of '%s', ignoring: %m", address); ++ ++ r = sd_varlink_server_listen_address(m->varlink_server, address, 0666); + if (r < 0) + return log_error_errno(r, "Failed to bind to varlink socket '%s': %m", address); + } diff --git a/plans/run-integration-tests.sh b/plans/run-integration-tests.sh new file mode 100755 index 0000000..6d2ee37 --- /dev/null +++ b/plans/run-integration-tests.sh 
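Review bot: When `mkdir_parents_label()` fails, the loop logs "ignoring" and then calls `sd_varlink_server_listen_address()` without the old `SD_VARLINK_SERVER_MODE_MKDIR_0755` flag, so the same failure is reported a second time as a less specific bind error and aborts anyway; `return log_error_errno(r, "Failed to create parent directory of '%s': %m", address);` is simpler and matches the previous hard-failure behaviour. `mkdir_parents_label()` presumably only labels directories it creates, so a pre-existing mislabelled /run/systemd/userdb (the upgrade case the spec comment alludes to) would not be corrected by this patch — worth stating in the patch description. `manager_varlink_init_system()` begins above the hunk.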
@@ -0,0 +1,127 @@ +#!/bin/bash + +set -eux +set -o pipefail + +# Switch SELinux to permissive if possible, since the tests don't set proper contexts +setenforce 0 || true + +echo "CPU and Memory information:" +lscpu +lsmem + +echo "Clock source: $(cat /sys/devices/system/clocksource/clocksource0/current_clocksource)" + +# Bump inotify limits if we can so nspawn containers don't run out of inotify file descriptors. +sysctl fs.inotify.max_user_watches=65536 || true +sysctl fs.inotify.max_user_instances=1024 || true + +if [[ -n "${KOJI_TASK_ID:-}" ]]; then + koji download-task --noprogress --arch="noarch,$(rpm --eval '%{_arch}')" "$KOJI_TASK_ID" +elif [[ -n "${CBS_TASK_ID:-}" ]]; then + cbs download-task --noprogress --arch="noarch,$(rpm --eval '%{_arch}')" "$CBS_TASK_ID" +elif [[ -n "${PACKIT_SRPM_URL:-}" ]]; then + COPR_BUILD_ID="$(basename "$(dirname "$PACKIT_SRPM_URL")")" + COPR_CHROOT="$(basename "$(dirname "$(dirname "$PACKIT_BUILD_LOG_URL")")")" + copr download-build --rpms --chroot "$COPR_CHROOT" "$COPR_BUILD_ID" + mv "$COPR_CHROOT"/* . +else + echo "Not running within packit and no CBS/koji task ID provided" + exit 1 +fi + +PACKAGEDIR="$PWD" + +# This will match both the regular and the debuginfo rpm so make sure we select only the +# non-debuginfo rpm. +RPMS=(systemd-tests-*.rpm) +rpm2cpio "${RPMS[0]}" | cpio --make-directories --extract +pushd usr/lib/systemd/tests +mkosi_hash="$(grep "MinimumVersion=commit:" mkosi/mkosi.conf | sed "s|MinimumVersion=commit:||g")" + +# Now prepare mkosi at the same version required by the systemd repo. +git clone https://github.com/systemd/mkosi /var/tmp/systemd-integration-tests-mkosi +git -C /var/tmp/systemd-integration-tests-mkosi checkout "$mkosi_hash" + +export PATH="/var/tmp/systemd-integration-tests-mkosi/bin:$PATH" + +# shellcheck source=/dev/null +. /etc/os-release || . /usr/lib/os-release + +tee mkosi/mkosi.local.conf </dev/null; then - # this will remove both the user and the group. 
- ( set -x - userdel nobody - ) - fi - - if getent passwd 65534 >/dev/null; then - # Make sure the uid is unused. This should free gid too. - name="$(getent passwd 65534 | cut -d: -f1)" - ( set -x - userdel "$name" - ) - fi - - if grep -qE '^(passwd|group):.*\bsss\b' /etc/nsswitch.conf; then - echo "Sleeping, so sss can catch up" - sleep 3 - fi - - if getent group 65534; then - # Make sure the gid is unused, even if uid wasn't. - name="$(getent group 65534 | cut -d: -f1)" - ( set -x - groupdel "$name" - ) - fi - - # systemd-sysusers uses the same gid and uid - ( set -x - systemd-sysusers --inline 'u nobody 65534 "Kernel Overflow User" / /sbin/nologin' - ) -else - echo "Pass '-x' to perform changes" -fi diff --git a/sources b/sources index 052cc9e..af6ddf0 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (systemd-257.10.tar.gz) = 49a2c8cc1cd91363d90165a1145dcc417d524afd428917dad332e4b057ed9fc3ddb5b4beafab094b02a85d930c8aef9b63c8c9c1bc76ef3bdf0ce38a7d46466f +SHA512 (systemd-259.tar.gz) = ef46b13661df43e3cfbeee1bc22f0b1eb902e8ebe39c19868c465efd08b35a199c2a2cd9d8021a6bc4d692fa0c6e0eab3f13eecd6ce24dde81d3945464a25b50 diff --git a/split-files.py b/split-files.py index fdeb66d..38bde60 100644 --- a/split-files.py +++ b/split-files.py @@ -7,7 +7,6 @@ known_files = ''' %ghost %config(noreplace) /etc/crypttab %ghost %attr(0444,root,root) /etc/udev/hwdb.bin /etc/inittab -/usr/lib/systemd/purge-nobody-user # This directory is owned by openssh-server, but we don't want to introduce # a dependency. So let's copy the config and co-own the directory. %dir %attr(0700,root,root) /etc/ssh/sshd_config.d @@ -122,7 +121,7 @@ for file in files(buildroot): o = outputs['rpm-macros'] elif '/usr/lib/systemd/tests' in n: o = outputs['tests'] - elif 'ukify' in n: + elif 'ukify' in n and '/man/' not in n: o = outputs['ukify'] elif re.search(r'/libsystemd-core-.*\.so$', n): o = outputs['main'] 
@@ -130,7 +129,7 @@ for file in files(buildroot): o = outputs['shared'] elif re.search(r'/libcryptsetup-token-systemd-.*\.so$', n): o = outputs['udev'] - elif re.search(r'/lib.*\.pc|/man3/|/usr/include|\.so$', n): + elif re.search(r'/lib.*\.pc$|/man3/|/usr/include|\.so$', n): o = outputs['devel'] elif re.search(r'''journal-(remote|gateway|upload)| systemd-remote\.conf| @@ -156,7 +155,7 @@ for file in files(buildroot): systemd\.nspawn| systemd-vmspawn| systemd-dissect| - import-pubring.gpg| + import-pubring| systemd-machined| systemd-import| systemd-export| @@ -235,7 +234,8 @@ for file in files(buildroot): integritytab| remount-fs| /initrd| - systemd-pcr| + systemd[.-]pcr| + /pcrlock\.d| systemd-measure| /boot$| /kernel/| @@ -245,6 +245,7 @@ for file in files(buildroot): sysctl| coredump| homed|home1| + sysupdate|updatctl| oomd| portabled|portable1 ''', n, re.X): # coredumpctl, homectl, portablectl are included in the main package because diff --git a/systemd.spec b/systemd.spec index 09352cc..afd6432 100644 --- a/systemd.spec +++ b/systemd.spec @@ -24,7 +24,8 @@ %bcond bootstrap 0 %bcond tests 1 %bcond lto 1 -%bcond docs 1 +# Build docs on 64-bit architectures only +%bcond docs %[%{?__isa_bits} >= 64] # Build from git main %bcond upstream 0 @@ -37,6 +38,11 @@ # that depend on libcryptsetup (e.g. libcryptsetup-plugins, homed) %if %{with bootstrap} %global __meson_auto_features disabled +# If we're building for upstream, don't unconditionally enable all +# new features as new features might be introduced for which we're +# missing build dependencies. +%elif %{with upstream} +%global __meson_auto_features auto %endif # Override %%autorelease. This is ugly, but rpmautospec doesn't implement 
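Review bot: The new alternation `sysupdate|updatctl` in the last hunk looks like a typo: as far as I can tell the sysupdate control tool is spelled `updatectl` (src/sysupdate/updatectl.c, updatectl(1)), so `updatctl` would match nothing and `/usr/bin/updatectl` plus its man page would fall through to a later rule or the main package; please verify against the 259 file list and change it to `sysupdate|updatectl`. Because this regex decides which subpackage ships the update binaries, a mismatch is easy to miss until an install test finds them in the wrong package.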
@@ -67,7 +73,7 @@ Url: https://systemd.io # But don't do that on OBS, otherwise the version subst fails, and will be # like 257-123-gabcd257.1 instead of 257-123-gabcd %if %{without obs} -Version: %{?version_override}%{!?version_override:257.10} +Version: %{?version_override}%{!?version_override:259} %else Version: %{?version_override}%{!?version_override:%(cat meson.version)} %endif @@ -81,19 +87,20 @@ Summary: System and Service Manager # download tarballs with "spectool -g systemd.spec" # packit will always rewrite the first Source0 it finds, ignoring any conditionals so list -# the fallback source that's used if neither %%branch nor %%commit are defined first. -%if %{undefined branch} && %{undefined commit} -Source0: https://github.com/systemd/systemd/archive/v%{version}/%{name}-%{version}.tar.gz +# the fallback source that's used if neither %%branch, %%commit or %%obs are defined first. +%if %{undefined branch} && %{undefined commit} && %{without obs} +Source0: https://github.com/systemd/systemd/archive/v%{version_no_tilde}/%{name}-%{version_no_tilde}.tar.gz %elif %{defined branch} Source0: https://github.com/systemd/systemd/archive/refs/heads/%{branch}.tar.gz %elif %{defined commit} Source0: https://github.com/systemd/systemd/archive/%{commit}/%{name}-%{commit}.tar.gz +%elif %{with obs} +Source0: https://github.com/systemd/systemd/archive/v%{version_no_tilde}/%{name}-%{version}.tar.xz %endif # This file must be available before %%prep. # It is generated during systemd build and can be found at build/src/rpm/triggers.systemd.sh. Source1: triggers.systemd Source2: split-files.py -Source3: purge-nobody-user Source4: test_sysusers_defined.py Source6: inittab 
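Review bot: The new `%{with obs}` `Source0` line is inconsistent with the non-obs line just above it: it uses `%{version_no_tilde}` in the URL path but `%{version}` in the file name, and `.tar.xz` where every other branch and the `sources` file use `.tar.gz`; if OBS only needs a local file name, a comment saying the URL is never fetched would explain the mismatch, otherwise the name should be `%{name}-%{version_no_tilde}.tar.gz`. Note that the SHA512 in `sources` only covers the `.tar.gz`, so an OBS build that really fetched an `.xz` would have no pinned checksum.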
@@ -131,18 +138,26 @@ Patch: https://github.com/systemd/systemd/pull/26494.patch
 %if %{without upstream}
 # Those are downstream-only patches, but we don't want them in packit builds.
-# Temporarily drop use of PrivateTmp=disconnected. This is causing failures
-# in various places:
-# https://bugzilla.redhat.com/show_bug.cgi?id=2334015
-# https://github.com/coreos/fedora-coreos-tracker/issues/1857
-Patch: 0001-Revert-units-use-PrivateTmp-disconnected-instead-of-.patch
-
-# Backport of sysusers audit support for
-# https://fedoraproject.org/wiki/Changes/RPMSuportForSystemdSysusers.
-Patch: 0002-sysusers-emit-audit-events-for-user-and-group-creati.patch
-
+# Create user journals for users with high UIDs
 # https://bugzilla.redhat.com/show_bug.cgi?id=2251843
-Patch: https://github.com/systemd/systemd/pull/30846.patch
+Patch: 30846.patch
+
+# Again create runlevelX.target. Dropping those files breaks upgrades.
+# https://bugzilla.redhat.com/show_bug.cgi?id=2411195
+Patch: 0001-Revert-units-drop-runlevel-0-6-.target.patch
+
+# userdb: create userdb root directory with correct label
+# We can drop this after SELinux policy is updated to handle the transition.
+Patch: 38769.patch
+
+# Workaround for https://bugzilla.redhat.com/show_bug.cgi?id=2415701
+Patch: 0002-machined-continue-without-resolve.hook-socket.patch
+
+# 2 patches for https://fedoraproject.org/wiki/Changes/Automatic_DTB_selection_for_aarch64_EFI_systems
+# Upstream commit: https://github.com/systemd/systemd/commit/75890d949f92c412c0936b8536b2e0dc8f7dfb40
+Patch: 0003-ukify-omit-.osrel-section-when-os-release-is-empty.patch
+# Upstream PR: https://github.com/systemd/systemd/pull/40329
+Patch: 0004-stub-Fix-NULL-pointer-deref-when-there-are-no-initrd.patch
 %endif
 %ifarch %{ix86} x86_64 aarch64 riscv64
@@ -154,7 +169,6 @@ BuildRequires: gcc-c++
 BuildRequires: clang
 BuildRequires: coreutils
 BuildRequires: rpmdevtools
-BuildRequires: libcap-devel
 BuildRequires: libmount-devel
 BuildRequires: libfdisk-devel
 BuildRequires: libpwquality-devel
@@ -164,6 +178,9 @@ BuildRequires: libselinux-devel
 BuildRequires: audit-libs-devel
 %if %{without bootstrap}
 BuildRequires: cryptsetup-devel
+# Require (previous version) of our macros package.
+# We use the %%systemd_{post,preun,…} macros for various services.
+BuildRequires: systemd-rpm-macros
 %endif
 BuildRequires: dbus-devel
 BuildRequires: util-linux
@@ -268,17 +285,17 @@ Requires(post): coreutils
 Requires(post): grep
 # systemd-machine-id-setup requires libssl
 Requires(post): openssl-libs
-Requires: dbus >= 1.9.18
-Requires: %{name}-pam%{_isa} = %{version}-%{release}
-Requires(meta): (%{name}-rpm-macros = %{version}-%{release} if rpm-build)
-Requires: %{name}-libs%{_isa} = %{version}-%{release}
-%{?fedora:Recommends: %{name}-networkd = %{version}-%{release}}
-%{?fedora:Recommends: %{name}-resolved = %{version}-%{release}}
-Requires: %{name}-shared%{_isa} = %{version}-%{release}
+Recommends: dbus >= 1.9.18
+Recommends: systemd-pam%{_isa} = %{version}-%{release}
+Requires(meta): (systemd-rpm-macros = %{version}-%{release} if rpm-build)
+Requires: systemd-libs%{_isa} = %{version}-%{release}
+%{?fedora:Recommends: systemd-networkd = %{version}-%{release}}
+%{?fedora:Recommends: systemd-resolved = %{version}-%{release}}
+Requires: systemd-shared%{_isa} = %{version}-%{release}
 Requires: /usr/bin/systemd-sysusers
 # The standalone version doesn't Provide the _isa suffix,
 # so this biases towards the common version.
-Recommends: %{name}-sysusers%{_isa} = %{version}-%{release}
+Recommends: systemd-sysusers%{_isa} = %{version}-%{release}
 Recommends: diffutils
 Requires: (util-linux-core or util-linux)
 Requires: (libbpf >= 2:1.4.7 if libbpf)
</gr_insert_placeholder_never_used>
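Review bot: In the hunk at `@@ -268,17 +285,17 @@` the hard dependencies on the PAM module and on dbus are weakened to `Recommends: systemd-pam%{_isa} ...` and `Recommends: dbus >= 1.9.18` without a comment giving the reason; on a host installed with weak dependencies disabled, pam_systemd and the logind session registration it provides will simply be absent, and nothing in this spec will flag that. If the motivation is that container or appliance images do not need them, I would say so above the lines, e.g. `# pam_systemd and dbus are not needed in images that never run logind sessions, hence Recommends.`, adjusting to the real rationale. Whether anything else in the spec still assumes the PAM module is installed together with systemd is not visible from this hunk.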
@@ -311,10 +328,10 @@ Conflicts: dracut < 060-2
 Conflicts: dracut < 059-16
 %endif
-Conflicts: %{name}-standalone-tmpfiles
-Provides: %{name}-tmpfiles = %{version}-%{release}
-Conflicts: %{name}-standalone-shutdown
-Provides: %{name}-shutdown = %{version}-%{release}
+Conflicts: systemd-standalone-tmpfiles
+Provides: systemd-tmpfiles = %{version}-%{release}
+Conflicts: systemd-standalone-shutdown
+Provides: systemd-shutdown = %{version}-%{release}
 %if "%{_sbindir}" == "%{_bindir}"
 # Compat symlinks for Requires in other packages.
@@ -324,11 +341,15 @@ Provides: /usr/sbin/halt
 Provides: /usr/sbin/init
 Provides: /usr/sbin/poweroff
 Provides: /usr/sbin/reboot
-Provides: /usr/sbin/runlevel
 Provides: /usr/sbin/shutdown
-Provides: /usr/sbin/telinit
 %endif
+# libmount is always required, even in containers, so make it a hard dependency.
+Requires: libmount.so.1%{?elf_suffix}
+Requires: libmount.so.1(MOUNT_2.26)%{?elf_bits}
+# Various systemd services have syscall filters so make libseccomp a hard dependency.
+Requires: libseccomp.so.2%{?elf_suffix}
+
 # Recommends to replace normal Requires deps for stuff that is dlopen()ed
 Recommends: libxkbcommon.so.0%{?elf_suffix}
 Recommends: libidn2.so.0%{?elf_suffix}
@@ -391,6 +412,10 @@ Libraries for systemd and udev.
 %package shared
 Summary: Internal systemd shared library
 License: LGPL-2.1-or-later AND MIT
+# in 257.3-6 /usr/lib64/systemd/libsystemd-shared-257.2-14.fc42.so
+# was moved from package systemd to systemd-shared.
+# Add a conflit to allow downgrades across this change.
+Conflicts: systemd < 257.3-6
 Conflicts: systemd-libs < %{version}-%{release}
 %description shared
@@ -398,7 +423,7 @@ Internal libraries used by various systemd binaries.
 %package pam
 Summary: systemd PAM module
-Requires: %{name} = %{version}-%{release}
+Requires: systemd = %{version}-%{release}
 %description pam
 Systemd PAM module registers the session with systemd-logind.
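Review bot: The new comment in the `%package shared` hunk at `@@ -391,6 +412,10 @@` reads `# Add a conflit to allow downgrades across this change.`; `conflit` should be `conflict`, and the same typo appears in the `%package sysusers` hunk on the next line of the diff. The first line of that comment also names `libsystemd-shared-257.2-14.fc42.so` as the file moved "in 257.3-6", which reads as two different versions; if that is a concrete example from one build, `# the libsystemd-shared-*.so library` would not confuse a reader checking the `Conflicts: systemd < 257.3-6` line. The hunk at `@@ -324,11 +341,15 @@` drops `Provides: /usr/sbin/runlevel` and `/usr/sbin/telinit`; I cannot see from this diff whether any other package still requires those paths.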
@@ -416,8 +441,11 @@ for information how to use those macros.
 %package sysusers
 Summary: systemd-sysusers program
-Requires: %{name}-shared%{_isa} = %{version}-%{release}
-Conflicts: %{name}-standalone-sysusers
+Requires: systemd-shared%{_isa} = %{version}-%{release}
+Conflicts: systemd-standalone-sysusers
+# in 257.3-6 /usr/bin/systemd-sysusers was moved from package systemd
+# to systemd-sysusers. Add a conflit to allow downgrades across this change.
+Conflicts: systemd < 257.3-6
 %description sysusers
 This package contains the systemd-sysusers program.
@@ -425,8 +453,8 @@ This package contains the systemd-sysusers program.
 %package devel
 Summary: Development headers for systemd
 License: LGPL-2.1-or-later AND MIT
-Requires: %{name}-libs%{_isa} = %{version}-%{release}
-Requires(meta): (%{name}-rpm-macros = %{version}-%{release} if rpm-build)
+Requires: systemd-libs%{_isa} = %{version}-%{release}
+Requires(meta): (systemd-rpm-macros = %{version}-%{release} if rpm-build)
 Provides: libudev-devel = %{version}
 Provides: libudev-devel%{_isa} = %{version}
@@ -459,11 +487,15 @@ Conflicts: systemd-timesyncd < %{version}-%{release}
 Obsoletes: systemd-timesyncd < %{version}-%{release}
 Provides: systemd-timesyncd = %{version}-%{release}
 %endif
+Conflicts: systemd-networkd < %{version}-%{release}
 # Libkmod is used to load modules. Assume that if we need udevd, we certainly
 # want to load modules, so make this into a hard dependency here.
 Requires: libkmod.so.2%{?elf_suffix}
 Requires: libkmod.so.2(LIBKMOD_5)%{?elf_bits}
+# udev uses libblkid in various builtins so make it a hard dependency.
+Requires: libblkid.so.1%{?elf_suffix}
+Requires: libblkid.so.1(BLKID_2.30)%{?elf_bits}
 # Recommends to replace normal Requires deps for stuff that is dlopen()ed
 # used by dissect, integritysetup, veritysetyp, growfs, repart, cryptenroll, home
@@ -492,8 +524,12 @@ Requires: kbd
 Provides: u2f-hidraw-policy = 1.0.2-40
 Obsoletes: u2f-hidraw-policy < 1.0.2-40
-Conflicts: %{name}-standalone-repart
-Provides: %{name}-repart = %{version}-%{release}
+Conflicts: systemd-standalone-repart
+Provides: systemd-repart = %{version}-%{release}
+
+# Newer versions of those are required to support X11 keycode remapping
+Conflicts: xorg-x11-drv-evdev < 2.11.0
+Conflicts: xorg-x11-drv-libinput < 1.5.0
 %if "%{_sbindir}" == "%{_bindir}"
 # Compat symlinks for Requires in other packages.
@@ -514,7 +550,7 @@ machine, and to create or grow partitions and make file systems automatically.
 %package ukify
 Summary: Tool to build Unified Kernel Images
-Requires: %{name} = %{noarch_requires_version}
+Requires: systemd = %{noarch_requires_version}
 Requires: (systemd-boot if %{shrink:(
 filesystem(x86-32) or
@@ -523,9 +559,7 @@ Requires: (systemd-boot if %{shrink:(
 filesystem(riscv64)
 )})
 Requires: python3dist(pefile)
-%if 0%{?fedora}
 Requires: python3dist(zstandard)
-%endif
 Requires: python3dist(cryptography)
 %if 0%{?fedora}
 Recommends: python3dist(pillow)
@@ -587,7 +621,7 @@ This package contains the signed version.
 %package container
 # Name is the same as in Debian
 Summary: Tools for containers and VMs
-Requires: %{name}%{_isa} = %{version}-%{release}
+Requires: systemd%{_isa} = %{version}-%{release}
 Requires(post): systemd%{_isa} = %{version}-%{release}
 Requires(preun): systemd%{_isa} = %{version}-%{release}
 Requires(postun): systemd%{_isa} = %{version}-%{release}
@@ -610,11 +644,11 @@ systemd-machined, and systemd-importd.
 %package journal-remote
 # Name is the same as in Debian
 Summary: Tools to send journal events over the network
-Requires: %{name}%{_isa} = %{version}-%{release}
+Requires: systemd%{_isa} = %{version}-%{release}
 License: LGPL-2.1-or-later
 Requires: firewalld-filesystem
-Provides: %{name}-journal-gateway = %{version}-%{release}
-Provides: %{name}-journal-gateway%{_isa} = %{version}-%{release}
+Provides: systemd-journal-gateway = %{version}-%{release}
+Provides: systemd-journal-gateway%{_isa} = %{version}-%{release}
 # Bias the system towards libcurl-minimal if nothing pulls in full libcurl (#1997040)
 Suggests: libcurl-minimal
@@ -627,8 +661,9 @@ systemd-journal-upload.
 %package networkd
 Summary: System daemon that manages network configurations
-Requires: %{name}%{_isa} = %{version}-%{release}
-%{?fedora:Recommends: %{name}-udev = %{version}-%{release}}
+Requires: systemd%{_isa} = %{version}-%{release}
+%{?fedora:Recommends: systemd-udev = %{version}-%{release}}
+Conflicts: systemd-udev < %{version}-%{release}
 License: LGPL-2.1-or-later
 %description networkd
@@ -638,7 +673,7 @@ devices.
 %package networkd-defaults
 Summary: Configure network interfaces with networkd by default
-Requires: %{name}-networkd = %{noarch_requires_version}
+Requires: systemd-networkd = %{noarch_requires_version}
 License: MIT-0
 BuildArch: noarch
@@ -649,7 +684,7 @@ enabled for this to have any effect.
 %package resolved
 Summary: Network Name Resolution manager
-Requires: %{name}%{_isa} = %{version}-%{release}
+Requires: systemd%{_isa} = %{version}-%{release}
 Requires: libidn2.so.0%{?elf_suffix}
 Requires: libidn2.so.0(IDN2_0.0.0)%{?elf_bits}
 Requires(posttrans): grep
@@ -661,7 +696,7 @@ resolver, as well as an LLMNR and MulticastDNS resolver and responder.
 %package oomd-defaults
 Summary: Configuration files for systemd-oomd
-Requires: %{name}-udev = %{noarch_requires_version}
+Requires: systemd-udev = %{noarch_requires_version}
 License: LGPL-2.1-or-later
 BuildArch: noarch
@@ -671,10 +706,10 @@ a userspace out-of-memory (OOM) killer.
 %package tests
 Summary: Internal unit tests for systemd
-Requires: %{name}%{_isa} = %{version}-%{release}
+Requires: systemd%{_isa} = %{version}-%{release}
 # This dependency is provided transitively. Also add it explicitly to
 # appease rpminspect, https://github.com/rpminspect/rpminspect/issues/1231:
-Requires: %{name}-libs%{_isa} = %{version}-%{release}
+Requires: systemd-libs%{_isa} = %{version}-%{release}
 Requires: python3dist(psutil)
 License: LGPL-2.1-or-later
@@ -685,8 +720,8 @@ Different binaries test different parts of the codebase.
 %package standalone-repart
 Summary: Standalone systemd-repart binary for use on systems without systemd
-Provides: %{name}-repart = %{version}-%{release}
-Conflicts: %{name}-udev
+Provides: systemd-repart = %{version}-%{release}
+Conflicts: systemd-udev
 Suggests: coreutils-single
 RemovePathPostfixes: .standalone
@@ -697,8 +732,8 @@ main systemd package and is meant for use on systems without systemd.
 %package standalone-tmpfiles
 Summary: Standalone systemd-tmpfiles binary for use on systems without systemd
-Provides: %{name}-tmpfiles = %{version}-%{release}
-Conflicts: %{name}
+Provides: systemd-tmpfiles = %{version}-%{release}
+Conflicts: systemd
 Suggests: coreutils-single
 RemovePathPostfixes: .standalone
@@ -709,7 +744,7 @@ main systemd package and is meant for use on systems without systemd.
 %package standalone-sysusers
 Summary: Standalone systemd-sysusers binary for use on systems without systemd
-Provides: %{name}-sysusers = %{version}-%{release}
+Provides: systemd-sysusers = %{version}-%{release}
 Suggests: coreutils-single
 RemovePathPostfixes: .standalone
@@ -720,8 +755,8 @@ main systemd package and is meant for use on systems without systemd.
 %package standalone-shutdown
 Summary: Standalone systemd-shutdown binary for use in exitrds
-Provides: %{name}-shutdown = %{version}-%{release}
-Conflicts: %{name}
+Provides: systemd-shutdown = %{version}-%{release}
+Conflicts: systemd
 Suggests: coreutils-single
 RemovePathPostfixes: .standalone
@@ -731,12 +766,15 @@ library or other libraries from systemd-libs. This package conflicts with the
 main systemd package and is meant for use in exitrds.
 %prep
-%if %{defined branch}
-%autosetup -n %{name}-%{branch} -p1
-%elif %{defined commit}
-%autosetup -n %{name}-%{commit} -p1
-%else
-%autosetup -n %{name}-%{version} -p1
+%if %{with obs}
+# Recipe files in the OBS build are in a distro-specific dir, as they conflict (e.g. with SUSE ones)
+mv %{_sourcedir}/%{name}.fedora/* %{_sourcedir}
+%endif
+
+# Automatically figure out the name of the top-level directory.
+# TODO: Use %%autosetup -C once we can depend on rpm >= 4.20.
+%if %{undefined _build_in_place}
+%autosetup -n %(tar -tf %{SOURCE0} 2>/dev/null | head -n1) -p1
 %endif
 # Disable user lockdown until rpm implements it natively.
@@ -799,7 +837,6 @@ CONFIGURE_OPTS=(
 -Dacl=enabled
 -Dsmack=true
 -Dopenssl=enabled
- -Dcryptolib=openssl
 -Dp11kit=enabled
 -Dgcrypt=disabled
 -Daudit=enabled
@@ -818,6 +855,8 @@ CONFIGURE_OPTS=(
 -Dlibfido2=enabled
 -Dxenctrl=%[0%{?have_xen}?"enabled":"disabled"]
 -Defi=true
+ -Dsysupdate=enabled
+ -Dsysupdated=enabled
 -Dtpm=true
 -Dtpm2=enabled
 -Dhwdb=true
@@ -957,8 +996,6 @@ touch %{buildroot}/etc/systemd/coredump.conf \
 %{buildroot}/etc/udev/udev.conf \
 %{buildroot}/etc/udev/iocost.conf
-install -D -t %{buildroot}/usr/lib/systemd/ %{SOURCE3}
-
 # /etc/initab
 install -Dm0644 -t %{buildroot}/etc/ %{SOURCE6}
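Review bot: `%autosetup -n %(tar -tf %{SOURCE0} 2>/dev/null | head -n1) -p1` in the `%prep` hunk derives the source directory from the archive's first entry while discarding tar's diagnostics; if the tarball is absent when the spec is parsed, or its first entry is a file inside the top-level directory rather than the directory itself (archives list `systemd-259/` or `systemd-259/.clang-format` depending on how they were produced), `-n` silently receives an empty or nested name and the failure surfaces only as an opaque %autosetup error. Taking the first path component and letting tar report errors covers both cases: `%autosetup -n %(tar -tf %{SOURCE0} | head -n1 | cut -d/ -f1) -p1`. The `%if %{undefined _build_in_place}` guard presumably makes in-place builds skip unpacking entirely; the comment above it only mentions the directory name, so I would add `# Skipped for in-place builds, which already run from the source tree.` if that is the intent.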
@@ -991,6 +1028,7 @@ touch %{buildroot}%{_sysconfdir}/machine-info
 touch %{buildroot}%{_sysconfdir}/localtime
 mkdir -p %{buildroot}%{_sysconfdir}/X11/xorg.conf.d
 touch %{buildroot}%{_sysconfdir}/X11/xorg.conf.d/00-keyboard.conf
+install -d -m 0700 %{buildroot}%{_sysconfdir}/userdb
 # Make sure the shutdown/sleep drop-in dirs exist
 mkdir -p %{buildroot}%{pkgdir}/system-shutdown/
@@ -1060,7 +1098,7 @@ install -Dm0644 -t %{buildroot}%{_prefix}/lib/udev/rules.d/ %{SOURCE18}
 sed -i 's|#!/usr/bin/env python3|#!%{__python3}|' %{buildroot}/usr/lib/systemd/tests/run-unit-tests.py
-%if 0%{?fedora} >= 43
+%if 0%{?fedora} >= 42
 install -m 0644 -D %{SOURCE21} %{buildroot}%{_rpmconfigdir}/macros.d/macros.sysusers
 %else
 install -m 0644 -D %{SOURCE20} %{buildroot}%{_rpmconfigdir}/macros.d/macros.sysusers
@@ -1092,9 +1130,14 @@ mv -v %{buildroot}/usr/sbin/* %{buildroot}%{_bindir}/
 # and https://src.fedoraproject.org/rpms/setup/pull-request/10.
 # We skip this on upstream builds so that new users and groups
 # can be added without breaking the build.
+%if 0%{?fedora} >= 43
+IGNORED=empower \
+ %{python3} %{SOURCE4} /usr/lib/sysusers.d/setup.conf %{buildroot}/usr/lib/sysusers.d/basic.conf
+%else
 %{python3} %{SOURCE4} /usr/lib/sysusers.d/20-setup-{users,groups}.conf %{buildroot}/usr/lib/sysusers.d/basic.conf
 %endif
-rm %{buildroot}/usr/lib/sysusers.d/basic.conf
+%endif
+sed -n -r -i '1,7p; /can .do.|empower/p' %{buildroot}/usr/lib/sysusers.d/basic.conf
 %endif
 # Disable sshd_config.d/20-systemd-userdb.conf for now.
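Review bot: `sed -n -r -i '1,7p; /can .do.|empower/p' .../basic.conf` in the hunk at `@@ -1092,9 +1130,14 @@` replaces the old `rm` of basic.conf with a filtered copy, but it hard-codes that the first seven lines are the header to keep and uses `can .do.` (where each `.` matches any character) without saying which line that is meant to select; an upstream edit to basic.conf's header or comments would make it silently keep or drop the wrong entries. A comment naming what survives and why is the minimum, e.g. `# Keep only the license header and the entries not shipped by the setup package (<name the matched lines>); everything else is owned by setup.`, with the regex tightened to the exact text once that is written down. Note that the new `IGNORED=empower` only affects the Python check, while the sed keeps `empower` lines in the installed file, which is presumably the intended pairing but is worth one sentence in that comment.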
@@ -1121,6 +1164,14 @@ BRP_PESIGN_FILES=/usr/lib/systemd/boot/efi/systemd-boot%{efi_arch}.efi BRP_PESIG
 meson test -C %{_vpath_builddir} -t 6 --print-errorlogs
 %endif
+%if %{with lto}
+# Make sure that LTO is effective at removing unused code. When compiled
+# without LTO, we end up with all of libbasic_static.a in libsystemd.so.
+# For example, all the configuration stuff is not needed for libsystemd.so.
+# Make sure it is gone.
+(! strings %{buildroot}%{_libdir}/libsystemd.so | grep Config)
+%endif
+
 #############################################################################################
 %if %{without upstream} || (0%{?fedora} < 41 && 0%{?rhel} < 11)
@@ -1349,6 +1400,7 @@ fi
 %global networkd_services %{shrink:
 systemd-networkd.service
 systemd-networkd.socket
+ systemd-networkd-varlink.socket
 systemd-networkd-wait-online.service
 systemd-network-generator.service
 systemd-networkd-persistent-storage.service
diff --git a/test_sysusers_defined.py b/test_sysusers_defined.py
index 6f04f15..3c1e04f 100755
--- a/test_sysusers_defined.py
+++ b/test_sysusers_defined.py
@@ -1,5 +1,6 @@
 #!/usr/bin/python
+import os
 import sys
 def parse_sysusers_file(filename):
@@ -21,14 +22,18 @@ def parse_sysusers_file(filename):
 assert False
 return users, groups
-setup_users, setup_groups = parse_sysusers_file(sys.argv[1])
-setup_users2, setup_groups2 = parse_sysusers_file(sys.argv[2])
-setup_users |= setup_users2
-setup_groups |= setup_groups2
+setup_users, setup_groups = set(), set()
-basic_users, basic_groups = parse_sysusers_file(sys.argv[3])
+for arg in sys.argv[1:-1]:
+ users, groups = parse_sysusers_file(arg)
+ setup_users |= users
+ setup_groups |= groups
-if d := basic_users - setup_users:
+basic_users, basic_groups = parse_sysusers_file(sys.argv[-1])
+
+ignored = set(os.getenv('IGNORED', '').split())
+
+if d := basic_users - setup_users - ignored:
 exit(f'We have new users: {d}')
-if d := basic_groups - setup_groups:
+if d := basic_groups - setup_groups - ignored:
 exit(f'We have new groups: {d}')
diff --git a/triggers.systemd b/triggers.systemd
index f8bb078..28ddc1f 100644
--- a/triggers.systemd
+++ b/triggers.systemd
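Review bot: The rewritten argument handling ending at `exit(f'We have new groups: {d}')` has no arity check: with a single argument the `for arg in sys.argv[1:-1]` loop never runs and every entry of that file is reported as a new user, and with no arguments `sys.argv[-1]` is the script itself, so a wrong invocation from systemd.spec produces a misleading diagnostic instead of a usage error. A guard before the loop, `if len(sys.argv) < 3: exit(f'usage: {sys.argv[0]} SETUP.conf... BASIC.conf')`, makes the contract explicit. The `ignored` set also deserves a comment tying it to the spec, e.g. `# IGNORED: whitespace-separated names that may appear in basic.conf without being defined by the setup files (set by systemd.spec)`.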
@@ -9,17 +9,17 @@
 #
 # Minimum rpm version supported: 4.14.0
-%transfiletriggerin -P 900900 -- /usr/lib/systemd/system /etc/systemd/system
+%transfiletriggerin -P 900900 -- /usr/lib/systemd/system/ /etc/systemd/system/
 # This script will run after any package is initially installed or
 # upgraded. We care about the case where a package is initially
 # installed, because other cases are covered by the *un scriptlets,
 # so sometimes we will reload needlessly.
 /usr/lib/systemd/systemd-update-helper system-reload-restart || :
-%transfiletriggerin -P 900899 -- /usr/lib/systemd/user /etc/systemd/user
+%transfiletriggerin -P 900899 -- /usr/lib/systemd/user/ /etc/systemd/user/
 /usr/lib/systemd/systemd-update-helper user-reload-restart || :
-%transfiletriggerpostun -P 1000100 -- /usr/lib/systemd/system /etc/systemd/system
+%transfiletriggerpostun -P 1000100 -- /usr/lib/systemd/system/ /etc/systemd/system/
 # On removal, we need to run daemon-reload after any units have been
 # removed.
 # On upgrade, we need to run daemon-reload after any new unit files
@@ -27,35 +27,35 @@
 # executed.
 /usr/lib/systemd/systemd-update-helper system-reload || :
-%transfiletriggerpostun -P 1000099 -- /usr/lib/systemd/user /etc/systemd/user
+%transfiletriggerpostun -P 1000099 -- /usr/lib/systemd/user/ /etc/systemd/user/
 # Execute daemon-reload in user managers.
 /usr/lib/systemd/systemd-update-helper user-reload || :
-%transfiletriggerpostun -P 10000 -- /usr/lib/systemd/system /etc/systemd/system
+%transfiletriggerpostun -P 10000 -- /usr/lib/systemd/system/ /etc/systemd/system/
 # We restart remaining system services that should be restarted here.
 /usr/lib/systemd/systemd-update-helper system-restart || :
-%transfiletriggerpostun -P 9999 -- /usr/lib/systemd/user /etc/systemd/user
+%transfiletriggerpostun -P 9999 -- /usr/lib/systemd/user/ /etc/systemd/user/
 # We restart remaining user services that should be restarted here.
 /usr/lib/systemd/systemd-update-helper user-restart || :
-%transfiletriggerin -P 1000700 -- /usr/lib/sysusers.d
+%transfiletriggerin -P 1000700 -- /usr/lib/sysusers.d/
 # This script will process files installed in /usr/lib/sysusers.d to create
 # specified users automatically. The priority is set such that it
 # will run before the tmpfiles file trigger.
 systemd-sysusers || :
-%transfiletriggerin -P 1000700 udev -- /usr/lib/udev/hwdb.d
+%transfiletriggerin -P 1000700 udev -- /usr/lib/udev/hwdb.d/
 # This script will automatically invoke hwdb update if files have been
 # installed or updated in /usr/lib/udev/hwdb.d.
 systemd-hwdb update || :
-%transfiletriggerin -P 1000700 -- /usr/lib/systemd/catalog
+%transfiletriggerin -P 1000700 -- /usr/lib/systemd/catalog/
 # This script will automatically invoke journal catalog update if files
 # have been installed or updated in /usr/lib/systemd/catalog.
journalctl --update-catalog || :
-%transfiletriggerin -P 1000700 -- /usr/lib/binfmt.d
+%transfiletriggerin -P 1000700 -- /usr/lib/binfmt.d/
 # This script will automatically apply binfmt rules if files have been
 # installed or updated in /usr/lib/binfmt.d.
 if test -d "/run/systemd/system"; then
@@ -64,7 +64,7 @@ if test -d "/run/systemd/system"; then
 /usr/lib/systemd/systemd-binfmt || :
 fi
-%transfiletriggerin -P 1000600 -- /usr/lib/tmpfiles.d
+%transfiletriggerin -P 1000600 -- /usr/lib/tmpfiles.d/
 # This script will process files installed in /usr/lib/tmpfiles.d to create
 # tmpfiles automatically. The priority is set such that it will run
 # after the sysusers file trigger, but before any other triggers.
@@ -72,14 +72,12 @@ if test -d "/run/systemd/system"; then
 systemd-tmpfiles --create || :
 fi
-%transfiletriggerin -P 1000600 udev -- /usr/lib/udev/rules.d
+%transfiletriggerin -P 1000600 udev -- /usr/lib/udev/rules.d/
 # This script will automatically update udev with new rules if files
 # have been installed or updated in /usr/lib/udev/rules.d.
-if test -e /run/udev/control; then
- udevadm control --reload || :
-fi
+/usr/lib/systemd/systemd-update-helper mark-reload-system-units systemd-udevd.service || :
-%transfiletriggerin -P 1000500 -- /usr/lib/sysctl.d
+%transfiletriggerin -P 1000500 -- /usr/lib/sysctl.d/
 # This script will automatically apply sysctl rules if files have been
 # installed or updated in /usr/lib/sysctl.d.
 if test -d "/run/systemd/system"; then
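Review bot: The comment kept above the rules.d trigger in the hunk at `@@ -72,14 +72,12 @@` still says the script will `automatically update udev with new rules`, but the new body only marks `systemd-udevd.service` for reload via `systemd-update-helper mark-reload-system-units`; the reload itself presumably happens in the `system-reload-restart` trigger at priority 900900 earlier in this diff, which runs after this one (higher priority runs first) but is keyed on files under /usr/lib/systemd/system/ and /etc/systemd/system/. Unless the helper or a scriptlet outside this diff consumes the mark in the same transaction, a transaction that installs only udev rules may not reload udevd until a later one; worth confirming before relying on it. The removed `test -e /run/udev/control` guard also means the helper is now invoked in chroots and containers, relying on `|| :` and on the helper coping with a system that is not booted. I would replace the comment with `# Mark systemd-udevd.service for reload; the actual reload is performed by the systemd-update-helper system-reload/restart triggers.`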