rpms/systemd
3
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Compare commits

base: rpms:rawhide
Branches Tags
rpms:rawhide
rpms:main
rpms:f43
rpms:f42
rpms:f41
rpms:f40
rpms:f39
rpms:f38
rpms:f37
rpms:f36
rpms:f35
rpms:rhughes/chassis-type-backport
rpms:f34
rpms:f33
rpms:f32
rpms:f31
rpms:f30
rpms:f29
rpms:f28
rpms:f27
rpms:rpm-master
rpms:f25
rpms:f26
rpms:f24
rpms:f23
rpms:f22
rpms:f21
rpms:f20
rpms:f19
rpms:f18
rpms:f17
rpms:f16
rpms:f15
rpms:f14
rpms:systemd-216-16.fc21
rpms:systemd-216-15.fc21
rpms:systemd-216-14.fc21
rpms:systemd-216-13.fc21
rpms:systemd-216-12.fc21
rpms:systemd-217-4.fc22
rpms:systemd-217-3.fc22
rpms:systemd-217-2.fc22
rpms:systemd-217-1.fc22
rpms:systemd-216-12.fc22
rpms:systemd-216-11.fc22
rpms:systemd-216-10.fc22
rpms:systemd-216-9.fc22
rpms:systemd-216-8.fc22
rpms:systemd-216-7.fc22
rpms:systemd-216-6.fc22
rpms:systemd-216-5.fc22
rpms:systemd-216-4.fc22
rpms:systemd-216-3.fc22
rpms:systemd-216-2.fc22
rpms:systemd-216-1.fc22
rpms:systemd-215-12.fc22
rpms:systemd-215-11.fc22
rpms:systemd-215-10.fc22
rpms:systemd-215-9.fc22
rpms:systemd-209-1.fc21
rpms:systemd-209-2.gitf01de96.fc21
rpms:systemd-210-1.fc21
rpms:systemd-210-2.fc21
rpms:systemd-210-3.fc21
rpms:systemd-210-4.fc21
rpms:systemd-210-5.fc21
rpms:systemd-210-6.fc21
rpms:systemd-210-7.fc21
rpms:systemd-210-8.fc21
rpms:systemd-211-1.fc21
rpms:systemd-211-2.fc21
rpms:systemd-212-1.fc21
rpms:systemd-212-2.fc21
rpms:systemd-212-3.fc21
rpms:systemd-212-4.fc21
rpms:systemd-212-5.fc21
rpms:systemd-212-6.fc21
rpms:systemd-213-1.fc21
rpms:systemd-213-2.fc21
rpms:systemd-213-3.fc21
rpms:systemd-213-4.fc21
rpms:systemd-214-1.fc21
rpms:systemd-214-2.fc21
rpms:systemd-214-3.fc21
rpms:systemd-214-4.fc21
rpms:systemd-214-5.fc21
rpms:systemd-216-11.fc21
rpms:systemd-216-10.fc21
rpms:systemd-216-9.fc21
rpms:systemd-215-1.fc21
rpms:systemd-215-2.fc21
rpms:systemd-215-3.fc21
rpms:systemd-215-4.fc21
rpms:systemd-215-5.fc21
rpms:systemd-215-6.fc21
rpms:systemd-215-7.fc21
rpms:systemd-215-8.fc21
rpms:systemd-215-9.fc21
rpms:systemd-215-10.fc21
rpms:systemd-215-11.fc21
rpms:systemd-215-12.fc21
rpms:systemd-215-13.fc21
rpms:systemd-215-14.fc21
rpms:systemd-215-15.fc21
rpms:systemd-215-16.fc21
rpms:systemd-215-17.fc21
rpms:systemd-215-18.fc21
rpms:systemd-215-19.fc21
rpms:systemd-216-1.fc21
rpms:systemd-216-2.fc21
rpms:systemd-216-3.fc21
rpms:systemd-216-4.fc21
rpms:systemd-216-5.fc21
rpms:systemd-216-6.fc21
rpms:systemd-216-7.fc21
rpms:systemd-216-8.fc21
rpms:systemd-4-4_fc14
rpms:systemd-4-3_fc14
rpms:systemd-4-2_fc14
rpms:systemd-4-1_fc14
rpms:systemd-3-3_fc14
rpms:systemd-3-2_fc14
rpms:systemd-3-1_fc14
rpms:systemd-2-0_fc14
rpms:systemd-1-0_fc14
rpms:systemd-0-0_7_20100629git4176e5_fc14
rpms:systemd-0-0_6_20100622gita3723b_fc14
rpms:systemd-0-0_5_20100622gita3723b_fc14
rpms:systemd-0-0_4_20100614git393034_fc14
rpms:systemd-0-0_3_20100610git2f198e_fc14
..
compare: rpms:f30
Branches Tags
rpms:main
rpms:rawhide
rpms:f43
rpms:f42
rpms:f41
rpms:f40
rpms:f39
rpms:f38
rpms:f37
rpms:f36
rpms:f35
rpms:rhughes/chassis-type-backport
rpms:f34
rpms:f33
rpms:f32
rpms:f31
rpms:f30
rpms:f29
rpms:f28
rpms:f27
rpms:rpm-master
rpms:f25
rpms:f26
rpms:f24
rpms:f23
rpms:f22
rpms:f21
rpms:f20
rpms:f19
rpms:f18
rpms:f17
rpms:f16
rpms:f15
rpms:f14
rpms:systemd-216-16.fc21
rpms:systemd-216-15.fc21
rpms:systemd-216-14.fc21
rpms:systemd-216-13.fc21
rpms:systemd-216-12.fc21
rpms:systemd-217-4.fc22
rpms:systemd-217-3.fc22
rpms:systemd-217-2.fc22
rpms:systemd-217-1.fc22
rpms:systemd-216-12.fc22
rpms:systemd-216-11.fc22
rpms:systemd-216-10.fc22
rpms:systemd-216-9.fc22
rpms:systemd-216-8.fc22
rpms:systemd-216-7.fc22
rpms:systemd-216-6.fc22
rpms:systemd-216-5.fc22
rpms:systemd-216-4.fc22
rpms:systemd-216-3.fc22
rpms:systemd-216-2.fc22
rpms:systemd-216-1.fc22
rpms:systemd-215-12.fc22
rpms:systemd-215-11.fc22
rpms:systemd-215-10.fc22
rpms:systemd-215-9.fc22
rpms:systemd-209-1.fc21
rpms:systemd-209-2.gitf01de96.fc21
rpms:systemd-210-1.fc21
rpms:systemd-210-2.fc21
rpms:systemd-210-3.fc21
rpms:systemd-210-4.fc21
rpms:systemd-210-5.fc21
rpms:systemd-210-6.fc21
rpms:systemd-210-7.fc21
rpms:systemd-210-8.fc21
rpms:systemd-211-1.fc21
rpms:systemd-211-2.fc21
rpms:systemd-212-1.fc21
rpms:systemd-212-2.fc21
rpms:systemd-212-3.fc21
rpms:systemd-212-4.fc21
rpms:systemd-212-5.fc21
rpms:systemd-212-6.fc21
rpms:systemd-213-1.fc21
rpms:systemd-213-2.fc21
rpms:systemd-213-3.fc21
rpms:systemd-213-4.fc21
rpms:systemd-214-1.fc21
rpms:systemd-214-2.fc21
rpms:systemd-214-3.fc21
rpms:systemd-214-4.fc21
rpms:systemd-214-5.fc21
rpms:systemd-216-11.fc21
rpms:systemd-216-10.fc21
rpms:systemd-216-9.fc21
rpms:systemd-215-1.fc21
rpms:systemd-215-2.fc21
rpms:systemd-215-3.fc21
rpms:systemd-215-4.fc21
rpms:systemd-215-5.fc21
rpms:systemd-215-6.fc21
rpms:systemd-215-7.fc21
rpms:systemd-215-8.fc21
rpms:systemd-215-9.fc21
rpms:systemd-215-10.fc21
rpms:systemd-215-11.fc21
rpms:systemd-215-12.fc21
rpms:systemd-215-13.fc21
rpms:systemd-215-14.fc21
rpms:systemd-215-15.fc21
rpms:systemd-215-16.fc21
rpms:systemd-215-17.fc21
rpms:systemd-215-18.fc21
rpms:systemd-215-19.fc21
rpms:systemd-216-1.fc21
rpms:systemd-216-2.fc21
rpms:systemd-216-3.fc21
rpms:systemd-216-4.fc21
rpms:systemd-216-5.fc21
rpms:systemd-216-6.fc21
rpms:systemd-216-7.fc21
rpms:systemd-216-8.fc21
rpms:systemd-4-4_fc14
rpms:systemd-4-3_fc14
rpms:systemd-4-2_fc14
rpms:systemd-4-1_fc14
rpms:systemd-3-3_fc14
rpms:systemd-3-2_fc14
rpms:systemd-3-1_fc14
rpms:systemd-2-0_fc14
rpms:systemd-1-0_fc14
rpms:systemd-0-0_7_20100629git4176e5_fc14
rpms:systemd-0-0_6_20100622gita3723b_fc14
rpms:systemd-0-0_5_20100622gita3723b_fc14
rpms:systemd-0-0_4_20100614git393034_fc14
rpms:systemd-0-0_3_20100610git2f198e_fc14

14 commits
rawhide ... f30

Author SHA1 Message Date
Zbigniew Jędrzejewski-Szmek
c6c2f51fd1 A bunch of fixes for various issues + hwdb update 2020-02-06 13:56:10 +01:00
Zbigniew Jędrzejewski-Szmek
b061a92747 Remove recommendation to use %{?systemd_requires} 
https://pagure.io/packaging-committee/issue/921
 2019-10-20 11:57:47 +02:00
Zbigniew Jędrzejewski-Szmek
160a332879 A few more patches 2019-10-10 21:48:35 +02:00
Zbigniew Jędrzejewski-Szmek
f90d447048 Update hwdb entries for keyboards 2019-09-03 14:56:29 +02:00
Zbigniew Jędrzejewski-Szmek
498412ca07 One more hwdb patch 2019-09-03 12:56:11 +02:00
Zbigniew Jędrzejewski-Szmek
0fafaa4b97 A bunch of minor fixes + one security patch 2019-09-03 12:53:23 +02:00
Zbigniew Jędrzejewski-Szmek
c0f5a755a5 Backport patch for systemd-networkd/kernel-5.2 issue 2019-08-02 09:56:28 +02:00
Zbigniew Jędrzejewski-Szmek
f821673257 Split out the "meson: stop creating enablement symlinks in /etc" patch out again 
This isn't really suitable for the upstream stable branch. By mistake
I didn't push the v241-stable branch to https://gh.c/systemd/systemd-stable
yet, so I'll just revert that one commit in the tree.
 2019-07-23 16:33:44 +02:00
Zbigniew Jędrzejewski-Szmek
54d9c4df41 Another patch backport 2019-07-20 23:11:05 +02:00
Zbigniew Jędrzejewski-Szmek
9d1039ece4 Stop re-enabling systemd units on upgrade 2019-05-06 14:53:26 +02:00
Zbigniew Jędrzejewski-Szmek
04ee698d16 Backport patches for a few different issues 2019-04-26 12:54:06 +02:00
Adam Williamson
60cce2e3a7 Rebuild with Meson fix for #1699099 2019-04-16 12:56:48 -07:00
Zbigniew Jędrzejewski-Szmek
9206d6be7e More patches and update %description 2019-04-12 17:38:35 +02:00
Zbigniew Jędrzejewski-Szmek
4a8db4b60f Backport more patches 2019-04-09 18:29:22 +02:00
43 changed files with 2871 additions and 5733 deletions
Download patch file Download diff file Expand all files Collapse all files

11
.editorconfig
View file

@ -1,11 +0,0 @@
root = true
[*]
charset = utf-8
indent_size = 4
indent_style = space
insert_final_newline = true
trim_trailing_whitespace = true
[*.{yml,yaml}]
indent_size = 2

1
.fmf/version
View file

@ -1 +0,0 @@
1

6
.gitignore vendored
View file

@ -1,5 +1,3 @@
*~
/.mail.list
/systemd-*/
/.build-*.log
/x86_64/
@ -7,7 +5,3 @@
/systemd-*.tar.xz
/systemd-*.tar.gz
/*.rpm
/mkosi.output/
/mkosi.cache/
/mkosi.builddir/
/mkosi.local.conf

7
.zuul.yaml
View file

@ -1,7 +0,0 @@
- project:
vars:
install_repo_exclude:
- systemd-standalone-repart
- systemd-standalone-shutdown
- systemd-standalone-sysusers
- systemd-standalone-tmpfiles

88
0001-Revert-units-drop-runlevel-0-6-.target.patch
View file

@ -1,88 +0,0 @@
From 61750e265ce3f7783a8dba831e91140f84ad89f2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
Date: Wed, 5 Nov 2025 17:52:16 +0100
Subject: [PATCH 1/3] Revert "units: drop runlevel[0-6].target"
This partially reverts commit e58ba80a40fb6e96543d56774a5bc5aa9cdadbf3.
The unit are still needed for compat.
---
units/meson.build | 27 ++++++++++++++++++++++-----
1 file changed, 22 insertions(+), 5 deletions(-)
diff --git a/units/meson.build b/units/meson.build
index 2e04c4aa2b..46eaac4073 100644
--- a/units/meson.build
+++ b/units/meson.build
@@ -1,5 +1,7 @@
# SPDX-License-Identifier: LGPL-2.1-or-later
+with_runlevels = conf.get('HAVE_SYSV_COMPAT') == 1
+
units = [
{ 'file' : 'basic.target' },
{ 'file' : 'blockdev@.target' },
@@ -49,7 +51,7 @@ units = [
},
{
'file' : 'graphical.target',
- 'symlinks' : ['default.target'],
+ 'symlinks' : ['default.target'] + (with_runlevels ? ['runlevel5.target'] : []),
},
{ 'file' : 'halt.target' },
{
@@ -142,7 +144,10 @@ units = [
'conditions' : ['ENABLE_MACHINED'],
},
{ 'file' : 'modprobe@.service' },
- { 'file' : 'multi-user.target' },
+ {
+ 'file' : 'multi-user.target',
+ 'symlinks' : with_runlevels ? ['runlevel2.target', 'runlevel3.target', 'runlevel4.target'] : [],
+ },
{
'file' : 'systemd-mute-console.socket',
'symlinks' : ['sockets.target.wants/']
@@ -155,7 +160,10 @@ units = [
{ 'file' : 'nss-lookup.target' },
{ 'file' : 'nss-user-lookup.target' },
{ 'file' : 'paths.target' },
- { 'file' : 'poweroff.target' },
+ {
+ 'file' : 'poweroff.target',
+ 'symlinks' : with_runlevels ? ['runlevel0.target'] : [],
+ },
{ 'file' : 'printer.target' },
{
'file' : 'proc-sys-fs-binfmt_misc.automount',
@@ -180,7 +188,7 @@ units = [
},
{
'file' : 'reboot.target',
- 'symlinks' : ['ctrl-alt-del.target'],
+ 'symlinks' : ['ctrl-alt-del.target'] + (with_runlevels ? ['runlevel6.target'] : []),
},
{
'file' : 'remote-cryptsetup.target',
@@ -200,7 +208,10 @@ units = [
'symlinks' : ['initrd-root-device.target.wants/'],
},
{ 'file' : 'rescue.service.in' },
- { 'file' : 'rescue.target' },
+ {
+ 'file' : 'rescue.target',
+ 'symlinks' : with_runlevels ? ['runlevel1.target'] : [],
+ },
{ 'file' : 'rpcbind.target' },
{ 'file' : 'serial-getty@.service.in' },
{ 'file' : 'shutdown.target' },
@@ -1001,4 +1012,10 @@ else
dbussessionservicedir / 'org.freedesktop.systemd1.service'))
endif
+if conf.get('HAVE_SYSV_COMPAT') == 1
+ foreach i : [1, 2, 3, 4, 5]
+ install_emptydir(systemunitdir / 'runlevel@0@.target.wants'.format(i))
+ endforeach
+endif
+
subdir('user')

145
0001-meson-stop-creating-enablement-symlinks-in-etc-durin.patch Normal file
View file

@ -0,0 +1,145 @@
From c83ec409bbc3c5ceb4b37026d12f892f6c8bdd1c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
Date: Mon, 1 Apr 2019 13:57:24 +0200
Subject: [PATCH] meson: stop creating enablement symlinks in /etc during
installation
This patch was initially prompted by a report on a Fedora update [1], that the
upgrade causes systemd-resolved.service and systemd-networkd.service to be
re-enabled. We generally want to preserve the enablement of all services during
upgrades, so a reset like this is not expected.
Both services declare two symlinks in their [Install] sections, for their dbus
names and for multi-user.target.wants/. It turns out that both services were
only partially enabled, because their dbus unit symlinks
/etc/systemd/system/dbus-org.freedesktop.{resolve1,network1}.service were
created, by the symlinks in /etc/systemd/system/multi-user.target.wants/ were
not. This means that the units could be activated by dbus, but not in usual
fashion using systemctl start. Our tools make it rather hard to figure out when
something like this happens, and it is definitely an area for improvement on its
own. The symlink in .wants/ was filtered out by during packaging, but the dbus
symlink was left in (I assume by mistake).
Let's simplify things by not creating the symlinks statically during 'ninja
install'. This means that the units shipped by systemd have to be enabled in
the usual fashion, which in turns means that [Install] section and presets
become the "single source of truth" and we don't have two sets of conflicting
configuration.
Let's consider a few cases:
- developer: a developer installs systemd from git on a running system, and they
don't want the installation to reset enablement of anything. So this change is
either positive for them, or has no effect (if they have everything at
defaults).
- package creation: we want to create symlinks using 'preset-all' and 'preset'
on upgraded packages, we don't want to have any static symlinks. This change
will remove the need to filter out symlinks in packaging and of course fix
the original report.
- installation of systemd from scratch: this change means that without
'preset-all' the system will not be functional. This case could be affected
negatively by this change, but I think it's enough of a corner case to accept
this. In practice I expect people to build a package, not installl directly
into the file system, so this might not even matter in practice.
Creating those symlinks was probably the right thing in the beginning, but
nowadays the preset system is very well established and people expect it to
be honoured. Ignoring the presets and doing static configuration is not welcome
anymore.
Note: during package installation, either 'preset-all' or 'preset getty@.service
machines.target remote-cryptsetup.target remote-fs.target
systemd-networkd.service systemd-resolved.service
systemd-networkd-wait-online.service systemd-timesyncd.service' should be called.
[1] https://bodhi.fedoraproject.org/updates/FEDORA-2019-616045ca76
(cherry picked from commit 01d2041e41f4886a6dff16a53a950ae8d5b66bc7)
---
units/meson.build | 29 +++++++++--------------------
1 file changed, 9 insertions(+), 20 deletions(-)
diff --git a/units/meson.build b/units/meson.build
index d69508467f..db6d43399b 100644
--- a/units/meson.build
+++ b/units/meson.build
@@ -34,8 +34,7 @@ units = [
['local-fs-pre.target', ''],
['local-fs.target', ''],
['machine.slice', 'ENABLE_MACHINED'],
- ['machines.target', 'ENABLE_MACHINED',
- join_paths(pkgsysconfdir, 'system/multi-user.target.wants/')],
+ ['machines.target', 'ENABLE_MACHINED'],
['multi-user.target', '',
'runlevel2.target runlevel3.target runlevel4.target'],
['network-online.target', ''],
@@ -52,11 +51,9 @@ units = [
['proc-sys-fs-binfmt_misc.mount', 'ENABLE_BINFMT'],
['reboot.target', '',
'runlevel6.target ctrl-alt-del.target'],
- ['remote-cryptsetup.target', 'HAVE_LIBCRYPTSETUP',
- join_paths(pkgsysconfdir, 'system/multi-user.target.wants/')],
+ ['remote-cryptsetup.target', 'HAVE_LIBCRYPTSETUP'],
['remote-fs-pre.target', ''],
- ['remote-fs.target', '',
- join_paths(pkgsysconfdir, 'system/multi-user.target.wants/')],
+ ['remote-fs.target', ''],
['rescue.target', '',
'runlevel1.target'],
['rpcbind.target', ''],
@@ -97,8 +94,7 @@ units = [
'sockets.target.wants/'],
['systemd-journald.socket', '',
'sockets.target.wants/'],
- ['systemd-networkd.socket', 'ENABLE_NETWORKD',
- join_paths(pkgsysconfdir, 'system/sockets.target.wants/')],
+ ['systemd-networkd.socket', 'ENABLE_NETWORKD'],
['systemd-poweroff.service', ''],
['systemd-reboot.service', ''],
['systemd-rfkill.socket', 'ENABLE_RFKILL'],
@@ -175,11 +171,8 @@ in_units = [
'dbus-org.freedesktop.machine1.service'],
['systemd-modules-load.service', 'HAVE_KMOD',
'sysinit.target.wants/'],
- ['systemd-networkd.service', 'ENABLE_NETWORKD',
- join_paths(pkgsysconfdir, 'system/dbus-org.freedesktop.network1.service') + ' ' +
- join_paths(pkgsysconfdir, 'system/multi-user.target.wants/')],
- ['systemd-networkd-wait-online.service', 'ENABLE_NETWORKD',
- join_paths(pkgsysconfdir, 'system/network-online.target.wants/')],
+ ['systemd-networkd.service', 'ENABLE_NETWORKD'],
+ ['systemd-networkd-wait-online.service', 'ENABLE_NETWORKD'],
['systemd-nspawn@.service', ''],
['systemd-portabled.service', 'ENABLE_PORTABLED',
'dbus-org.freedesktop.portable1.service'],
@@ -188,9 +181,7 @@ in_units = [
'sysinit.target.wants/'],
['systemd-remount-fs.service', '',
'local-fs.target.wants/'],
- ['systemd-resolved.service', 'ENABLE_RESOLVE',
- join_paths(pkgsysconfdir, 'system/dbus-org.freedesktop.resolve1.service') + ' ' +
- join_paths(pkgsysconfdir, 'system/multi-user.target.wants/')],
+ ['systemd-resolved.service', 'ENABLE_RESOLVE'],
['systemd-rfkill.service', 'ENABLE_RFKILL'],
['systemd-suspend.service', ''],
['systemd-sysctl.service', '',
@@ -199,8 +190,7 @@ in_units = [
'sysinit.target.wants/'],
['systemd-timedated.service', 'ENABLE_TIMEDATED',
'dbus-org.freedesktop.timedate1.service'],
- ['systemd-timesyncd.service', 'ENABLE_TIMESYNCD',
- join_paths(pkgsysconfdir, 'system/sysinit.target.wants/')],
+ ['systemd-timesyncd.service', 'ENABLE_TIMESYNCD'],
['systemd-time-wait-sync.service', 'ENABLE_TIMESYNCD'],
['systemd-tmpfiles-clean.service', 'ENABLE_TMPFILES'],
['systemd-tmpfiles-setup-dev.service', 'ENABLE_TMPFILES',
@@ -230,8 +220,7 @@ m4_units = [
['console-getty.service', ''],
['container-getty@.service', ''],
['getty@.service', '',
- 'autovt@.service ' +
- join_paths(pkgsysconfdir, 'system/getty.target.wants/getty@tty1.service')],
+ 'autovt@.service '],
['serial-getty@.service', ''],
]

207
0002-Revert-units-set-NoNewPrivileges-for-all-long-runnin.patch Normal file
View file

@ -0,0 +1,207 @@
From 2cce22a4279d4f304e75b87b56b9eeb5cd313566 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
Date: Sat, 22 Dec 2018 11:11:04 +0100
Subject: [PATCH] Revert "units: set NoNewPrivileges= for all long-running
services"
This reverts commit 64d7f7b4a15f1534fb19fda6b601fec50783bee4.
---
units/systemd-coredump@.service.in | 1 -
units/systemd-hostnamed.service.in | 1 -
units/systemd-initctl.service.in | 1 -
units/systemd-journal-gatewayd.service.in | 1 -
units/systemd-journal-remote.service.in | 1 -
units/systemd-journal-upload.service.in | 1 -
units/systemd-journald.service.in | 1 -
units/systemd-localed.service.in | 1 -
units/systemd-logind.service.in | 1 -
units/systemd-machined.service.in | 1 -
units/systemd-networkd.service.in | 1 -
units/systemd-resolved.service.in | 1 -
units/systemd-rfkill.service.in | 1 -
units/systemd-timedated.service.in | 1 -
units/systemd-timesyncd.service.in | 1 -
15 files changed, 15 deletions(-)
diff --git a/units/systemd-coredump@.service.in b/units/systemd-coredump@.service.in
index ffcb5f36ca..74dcf7fe06 100644
--- a/units/systemd-coredump@.service.in
+++ b/units/systemd-coredump@.service.in
@@ -22,7 +22,6 @@ IPAddressDeny=any
LockPersonality=yes
MemoryDenyWriteExecute=yes
Nice=9
-NoNewPrivileges=yes
OOMScoreAdjust=500
PrivateDevices=yes
PrivateNetwork=yes
diff --git a/units/systemd-hostnamed.service.in b/units/systemd-hostnamed.service.in
index 9c925e80d9..696d4e2e60 100644
--- a/units/systemd-hostnamed.service.in
+++ b/units/systemd-hostnamed.service.in
@@ -19,7 +19,6 @@ ExecStart=@rootlibexecdir@/systemd-hostnamed
IPAddressDeny=any
LockPersonality=yes
MemoryDenyWriteExecute=yes
-NoNewPrivileges=yes
PrivateDevices=yes
PrivateNetwork=yes
PrivateTmp=yes
diff --git a/units/systemd-initctl.service.in b/units/systemd-initctl.service.in
index c276283908..f48d673d58 100644
--- a/units/systemd-initctl.service.in
+++ b/units/systemd-initctl.service.in
@@ -14,6 +14,5 @@ DefaultDependencies=no
[Service]
ExecStart=@rootlibexecdir@/systemd-initctl
-NoNewPrivileges=yes
NotifyAccess=all
SystemCallArchitectures=native
diff --git a/units/systemd-journal-gatewayd.service.in b/units/systemd-journal-gatewayd.service.in
index ebc8bf9a25..5ef4ee0058 100644
--- a/units/systemd-journal-gatewayd.service.in
+++ b/units/systemd-journal-gatewayd.service.in
@@ -17,7 +17,6 @@ DynamicUser=yes
ExecStart=@rootlibexecdir@/systemd-journal-gatewayd
LockPersonality=yes
MemoryDenyWriteExecute=yes
-NoNewPrivileges=yes
PrivateDevices=yes
PrivateNetwork=yes
ProtectControlGroups=yes
diff --git a/units/systemd-journal-remote.service.in b/units/systemd-journal-remote.service.in
index 29a99aaec1..ec1311da88 100644
--- a/units/systemd-journal-remote.service.in
+++ b/units/systemd-journal-remote.service.in
@@ -17,7 +17,6 @@ ExecStart=@rootlibexecdir@/systemd-journal-remote --listen-https=-3 --output=/va
LockPersonality=yes
LogsDirectory=journal/remote
MemoryDenyWriteExecute=yes
-NoNewPrivileges=yes
PrivateDevices=yes
PrivateNetwork=yes
PrivateTmp=yes
diff --git a/units/systemd-journal-upload.service.in b/units/systemd-journal-upload.service.in
index 92cd4e5259..a15744e1e8 100644
--- a/units/systemd-journal-upload.service.in
+++ b/units/systemd-journal-upload.service.in
@@ -18,7 +18,6 @@ DynamicUser=yes
ExecStart=@rootlibexecdir@/systemd-journal-upload --save-state
LockPersonality=yes
MemoryDenyWriteExecute=yes
-NoNewPrivileges=yes
PrivateDevices=yes
ProtectControlGroups=yes
ProtectHome=yes
diff --git a/units/systemd-journald.service.in b/units/systemd-journald.service.in
index 4684f095c0..7b659d4b03 100644
--- a/units/systemd-journald.service.in
+++ b/units/systemd-journald.service.in
@@ -22,7 +22,6 @@ FileDescriptorStoreMax=4224
IPAddressDeny=any
LockPersonality=yes
MemoryDenyWriteExecute=yes
-NoNewPrivileges=yes
Restart=always
RestartSec=0
RestrictAddressFamilies=AF_UNIX AF_NETLINK
diff --git a/units/systemd-localed.service.in b/units/systemd-localed.service.in
index 01e0703d0e..7d40fb4897 100644
--- a/units/systemd-localed.service.in
+++ b/units/systemd-localed.service.in
@@ -19,7 +19,6 @@ ExecStart=@rootlibexecdir@/systemd-localed
IPAddressDeny=any
LockPersonality=yes
MemoryDenyWriteExecute=yes
-NoNewPrivileges=yes
PrivateDevices=yes
PrivateNetwork=yes
PrivateTmp=yes
diff --git a/units/systemd-logind.service.in b/units/systemd-logind.service.in
index 38a7f269ac..6b362ccdca 100644
--- a/units/systemd-logind.service.in
+++ b/units/systemd-logind.service.in
@@ -27,7 +27,6 @@ FileDescriptorStoreMax=512
IPAddressDeny=any
LockPersonality=yes
MemoryDenyWriteExecute=yes
-NoNewPrivileges=yes
Restart=always
RestartSec=0
RestrictAddressFamilies=AF_UNIX AF_NETLINK
diff --git a/units/systemd-machined.service.in b/units/systemd-machined.service.in
index 9f1476814d..d90e71ae67 100644
--- a/units/systemd-machined.service.in
+++ b/units/systemd-machined.service.in
@@ -22,7 +22,6 @@ ExecStart=@rootlibexecdir@/systemd-machined
IPAddressDeny=any
LockPersonality=yes
MemoryDenyWriteExecute=yes
-NoNewPrivileges=yes
RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
RestrictRealtime=yes
SystemCallArchitectures=native
diff --git a/units/systemd-networkd.service.in b/units/systemd-networkd.service.in
index 472ef045de..f23bf227fb 100644
--- a/units/systemd-networkd.service.in
+++ b/units/systemd-networkd.service.in
@@ -24,7 +24,6 @@ CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_N
ExecStart=!!@rootlibexecdir@/systemd-networkd
LockPersonality=yes
MemoryDenyWriteExecute=yes
-NoNewPrivileges=yes
ProtectControlGroups=yes
ProtectHome=yes
ProtectKernelModules=yes
diff --git a/units/systemd-resolved.service.in b/units/systemd-resolved.service.in
index 3144b70063..d08842f0d4 100644
--- a/units/systemd-resolved.service.in
+++ b/units/systemd-resolved.service.in
@@ -25,7 +25,6 @@ CapabilityBoundingSet=CAP_SETPCAP CAP_NET_RAW CAP_NET_BIND_SERVICE
ExecStart=!!@rootlibexecdir@/systemd-resolved
LockPersonality=yes
MemoryDenyWriteExecute=yes
-NoNewPrivileges=yes
PrivateDevices=yes
PrivateTmp=yes
ProtectControlGroups=yes
diff --git a/units/systemd-rfkill.service.in b/units/systemd-rfkill.service.in
index 3abb958310..7447ed5b5b 100644
--- a/units/systemd-rfkill.service.in
+++ b/units/systemd-rfkill.service.in
@@ -18,7 +18,6 @@ Before=shutdown.target
[Service]
ExecStart=@rootlibexecdir@/systemd-rfkill
-NoNewPrivileges=yes
StateDirectory=systemd/rfkill
TimeoutSec=30s
Type=notify
diff --git a/units/systemd-timedated.service.in b/units/systemd-timedated.service.in
index 6d53024195..1105f1a980 100644
--- a/units/systemd-timedated.service.in
+++ b/units/systemd-timedated.service.in
@@ -19,7 +19,6 @@ ExecStart=@rootlibexecdir@/systemd-timedated
IPAddressDeny=any
LockPersonality=yes
MemoryDenyWriteExecute=yes
-NoNewPrivileges=yes
PrivateTmp=yes
ProtectControlGroups=yes
ProtectHome=yes
diff --git a/units/systemd-timesyncd.service.in b/units/systemd-timesyncd.service.in
index 03ade45d08..8b99e92e01 100644
--- a/units/systemd-timesyncd.service.in
+++ b/units/systemd-timesyncd.service.in
@@ -24,7 +24,6 @@ CapabilityBoundingSet=CAP_SYS_TIME
ExecStart=!!@rootlibexecdir@/systemd-timesyncd
LockPersonality=yes
MemoryDenyWriteExecute=yes
-NoNewPrivileges=yes
PrivateDevices=yes
PrivateTmp=yes
ProtectControlGroups=yes
--
2.19.2

32
0002-machined-continue-without-resolve.hook-socket.patch
View file

@ -1,32 +0,0 @@
From 8d6d86d1d7e45eeae921e88adde55d6524027c96 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
Date: Wed, 26 Nov 2025 22:29:53 +0100
Subject: [PATCH 3/3] machined: continue without resolve.hook socket
---
src/machine/machined-varlink.c | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/src/machine/machined-varlink.c b/src/machine/machined-varlink.c
index f83cbb8562..0b30cd0531 100644
--- a/src/machine/machined-varlink.c
+++ b/src/machine/machined-varlink.c
@@ -894,9 +894,15 @@ static int manager_varlink_init_resolve_hook(Manager *m) {
r = sd_varlink_server_listen_address(s, VARLINK_PATH_MACHINED_RESOLVE_HOOK,
0666 | SD_VARLINK_SERVER_MODE_MKDIR_0755);
- if (r < 0)
- return log_error_errno(r, "Failed to bind to varlink socket %s: %m",
- VARLINK_PATH_MACHINED_RESOLVE_HOOK);
+ if (r < 0) {
+ bool ignore = ERRNO_IS_NEG_PRIVILEGE(r);
+ log_full_errno(ignore ? LOG_WARNING : LOG_ERR,
+ r,
+ "Failed to bind to varlink socket %s%s: %m",
+ VARLINK_PATH_MACHINED_RESOLVE_HOOK,
+ ignore ? ", ignoring" : "");
+ return ignore ? 0 : r;
+ }
r = sd_varlink_server_attach_event(s, m->event, SD_EVENT_PRIORITY_NORMAL);
if (r < 0)

112
0003-ukify-omit-.osrel-section-when-os-release-is-empty.patch
View file

@ -1,112 +0,0 @@
From 75890d949f92c412c0936b8536b2e0dc8f7dfb40 Mon Sep 17 00:00:00 2001
From: Nick Rosbrook <enr0n@ubuntu.com>
Date: Fri, 19 Dec 2025 11:01:49 -0500
Subject: [PATCH] ukify: omit .osrel section when --os-release= is empty
The primary motivation for this is to allow users of ukify to build
UKI-like objects, without having them later be detected as a UKI by
tools like kernel-install and bootctl.
The common code used by these tools to determine if a PE binary is a UKI
checks that both .osrel and .linux sections are present. Hence, adding
a mechansim to skip .osrel provides a way to avoid being labeled a UKI.
---
man/ukify.xml | 5 ++++-
src/ukify/test/test_ukify.py | 15 +++++++++++----
src/ukify/ukify.py | 10 +++++++++-
3 files changed, 24 insertions(+), 6 deletions(-)
diff --git a/man/ukify.xml b/man/ukify.xml
index 829761642d..7462c5c92f 100644
--- a/man/ukify.xml
+++ b/man/ukify.xml
@@ -365,7 +365,10 @@
<listitem><para>The os-release description (the <literal>.osrel</literal> section). The argument
may be a literal string, or <literal>@</literal> followed by a path name. If not specified, the
<citerefentry><refentrytitle>os-release</refentrytitle><manvolnum>5</manvolnum></citerefentry> file
- will be picked up from the host system.</para>
+ will be picked up from the host system. If explicitly set to an empty string, the ".osrel" section
+ is omitted from the UKI (this is not recommended in most cases, and causes the resulting artifact
+ to not be recognized as a UKI by other tools like <command>kernel-install</command>
+ and <command>bootctl</command>).</para>
<xi:include href="version-info.xml" xpointer="v253"/></listitem>
</varlistentry>
diff --git a/src/ukify/test/test_ukify.py b/src/ukify/test/test_ukify.py
index f75ef0c891..224a38569f 100755
--- a/src/ukify/test/test_ukify.py
+++ b/src/ukify/test/test_ukify.py
@@ -641,7 +641,7 @@ def test_efi_signing_pesign(kernel_initrd, tmp_path):
shutil.rmtree(tmp_path)
-def test_inspect(kernel_initrd, tmp_path, capsys):
+def test_inspect(kernel_initrd, tmp_path, capsys, osrel=True):
if kernel_initrd is None:
pytest.skip('linux+initrd not found')
if not shutil.which('sbsign'):
@@ -653,7 +653,7 @@ def test_inspect(kernel_initrd, tmp_path, capsys):
output = f'{tmp_path}/signed2.efi'
uname_arg='1.2.3'
- osrel_arg='Linux'
+ osrel_arg='Linux' if osrel else ''
cmdline_arg='ARG1 ARG2 ARG3'
args = [
@@ -680,8 +680,12 @@ def test_inspect(kernel_initrd, tmp_path, capsys):
text = capsys.readouterr().out
- expected_osrel = f'.osrel:\n size: {len(osrel_arg)}'
- assert expected_osrel in text
+ if osrel:
+ expected_osrel = f'.osrel:\n size: {len(osrel_arg)}'
+ assert expected_osrel in text
+ else:
+ assert '.osrel:' not in text
+
expected_cmdline = f'.cmdline:\n size: {len(cmdline_arg)}'
assert expected_cmdline in text
expected_uname = f'.uname:\n size: {len(uname_arg)}'
@@ -694,6 +698,9 @@ def test_inspect(kernel_initrd, tmp_path, capsys):
shutil.rmtree(tmp_path)
+def test_inspect_no_osrel(kernel_initrd, tmp_path, capsys):
+ test_inspect(kernel_initrd, tmp_path, capsys, osrel=False)
+
@pytest.mark.skipif(not slow_tests, reason='slow')
def test_pcr_signing(kernel_initrd, tmp_path):
if kernel_initrd is None:
diff --git a/src/ukify/ukify.py b/src/ukify/ukify.py
index c98f8e2a5d..b7542c7eca 100755
--- a/src/ukify/ukify.py
+++ b/src/ukify/ukify.py
@@ -1477,6 +1477,9 @@ def make_uki(opts: UkifyConfig) -> None:
'.profile',
}
+ if not opts.os_release:
+ to_import.remove('.osrel')
+
for profile in opts.join_profiles:
pe = pefile.PE(profile, fast_load=True)
prev_len = len(uki.sections)
@@ -2412,7 +2415,12 @@ def finalize_options(opts: argparse.Namespace) -> None:
opts.os_release = resolve_at_path(opts.os_release)
- if not opts.os_release and opts.linux:
+ if opts.os_release == '':
+ # If --os-release= with an empty string was passed, treat that as
+ # explicitly disabling the .osrel section, and do not fallback to the
+ # system's os-release files.
+ pass
+ elif opts.os_release is None and opts.linux:
p = Path('/etc/os-release')
if not p.exists():
p = Path('/usr/lib/os-release')
--
2.52.0

51
0004-stub-Fix-NULL-pointer-deref-when-there-are-no-initrd.patch
View file

@ -1,51 +0,0 @@
From e57e599e6b11039ab6484e5622b3deae20bfd678 Mon Sep 17 00:00:00 2001
From: Hans de Goede <johannes.goede@oss.qualcomm.com>
Date: Mon, 12 Jan 2026 14:56:36 +0100
Subject: [PATCH] stub: Fix NULL pointer deref when there are no initrds
When n_all_initrds == 0, then all_initrds is unmodified from its initial
value of:
_cleanup_free_ struct iovec *all_initrds = NULL;
and in the else block of the "if (n_all_initrds > 1)" the NULL is
dereferenced:
final_initrd = all_initrds[0];
Leading to the stub crashing due to a NULL pointer deref.
Fix this by initializing final_initrd to all 0s and only
running the else block if (n_all_initrds == 1).
---
src/boot/stub.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/boot/stub.c b/src/boot/stub.c
index 06ecbc7d18..65950262c6 100644
--- a/src/boot/stub.c
+++ b/src/boot/stub.c
@@ -1302,9 +1302,9 @@ static EFI_STATUS run(EFI_HANDLE image) {
/* Combine the initrds into one */
_cleanup_pages_ Pages initrd_pages = {};
- struct iovec final_initrd;
+ struct iovec final_initrd = {};
if (n_all_initrds > 1) {
- /* There will always be a base initrd, if this counter is higher, we need to combine them */
+ /* If there is more then 1 initrd we need to combine them */
err = combine_initrds(all_initrds, n_all_initrds, &initrd_pages, &final_initrd.iov_len);
if (err != EFI_SUCCESS)
return err;
@@ -1313,7 +1313,7 @@ static EFI_STATUS run(EFI_HANDLE image) {
/* Given these might be large let's free them explicitly before we pass control to Linux */
initrds_free(&initrds);
- } else
+ } else if (n_all_initrds == 1)
final_initrd = all_initrds[0];
struct iovec kernel = IOVEC_MAKE(
--
2.52.0

51
0998-resolved-create-etc-resolv.conf-symlink-at-runtime.patch Normal file
View file

@ -0,0 +1,51 @@
From 86aa208e639b119007332718aa4f453af2a061d0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
Date: Fri, 11 Mar 2016 17:06:17 -0500
Subject: [PATCH] resolved: create /etc/resolv.conf symlink at runtime
If the symlink doesn't exists, and we are being started, let's
create it to provie name resolution.
If it exists, do nothing. In particular, if it is a broken symlink,
we cannot really know if the administator configured it to point to
a location used by some service that hasn't started yet, so we
don't touch it in that case either.
https://bugzilla.redhat.com/show_bug.cgi?id=1313085
---
src/resolve/resolved.c | 4 ++++
tmpfiles.d/etc.conf.m4 | 3 ---
2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/src/resolve/resolved.c b/src/resolve/resolved.c
index f4efddf8e5..3386e3bf67 100644
--- a/src/resolve/resolved.c
+++ b/src/resolve/resolved.c
@@ -45,6 +45,10 @@ static int run(int argc, char *argv[]) {
/* Drop privileges, but only if we have been started as root. If we are not running as root we assume most
* privileges are already dropped. */
if (getuid() == 0) {
+ r = symlink("../run/systemd/resolve/resolv.conf", "/etc/resolv.conf");
+ if (r < 0 && errno != EEXIST)
+ log_warning_errno(errno,
+ "Could not create /etc/resolv.conf symlink: %m");
/* Drop privileges, but keep three caps. Note that we drop those too, later on (see below) */
r = drop_privileges(uid, gid,
diff --git a/tmpfiles.d/etc.conf.m4 b/tmpfiles.d/etc.conf.m4
index df8d42101c..928105ea8d 100644
--- a/tmpfiles.d/etc.conf.m4
+++ b/tmpfiles.d/etc.conf.m4
@@ -13,9 +13,6 @@ L+ /etc/mtab - - - - ../proc/self/mounts
m4_ifdef(`HAVE_SMACK_RUN_LABEL',
t /etc/mtab - - - - security.SMACK64=_
)m4_dnl
-m4_ifdef(`ENABLE_RESOLVE',
-L! /etc/resolv.conf - - - - ../run/systemd/resolve/stub-resolv.conf
-)m4_dnl
C /etc/nsswitch.conf - - - -
m4_ifdef(`HAVE_PAM',
C /etc/pam.d - - - -
--
2.19.2

3
10-map-count.conf
View file

@ -1,3 +0,0 @@
# Increase the number of virtual memory areas that one process may request
# https://fedoraproject.org/wiki/Changes/IncreaseVmMaxMapCount
vm.max_map_count=1048576

2
10-oomd-defaults.conf
View file

@ -1,2 +0,0 @@
[OOM]
DefaultMemoryPressureDurationSec=20s

3
10-oomd-per-slice-defaults.conf
View file

@ -1,3 +0,0 @@
[Slice]
ManagedOOMMemoryPressure=kill
ManagedOOMMemoryPressureLimit=80%

14
10-timeout-abort.conf
View file

@ -1,14 +0,0 @@
# This file is part of the systemd package.
# See https://fedoraproject.org/wiki/Changes/Shorter_Shutdown_Timer.
#
# To facilitate debugging when a service fails to stop cleanly,
# TimeoutStopFailureMode=abort is set to "crash" services that fail to stop in
# the time allotted. This will cause the service to be terminated with SIGABRT
# and a coredump to be generated.
#
# To undo this configuration change, create a mask file:
# sudo mkdir -p /etc/systemd/system/service.d
# sudo ln -sv /dev/null /etc/systemd/system/service.d/10-timeout-abort.conf
[Service]
TimeoutStopFailureMode=abort

51
20-grubby.install Executable file
View file

@ -0,0 +1,51 @@
#!/bin/bash
if [[ ! -x /sbin/new-kernel-pkg ]]; then
exit 0
fi
COMMAND="$1"
KERNEL_VERSION="$2"
BOOT_DIR_ABS="$3"
KERNEL_IMAGE="$4"
KERNEL_DIR="${KERNEL_IMAGE%/*}"
[[ "$KERNEL_VERSION" == *\+* ]] && flavor=-"${KERNEL_VERSION##*+}"
case "$COMMAND" in
add)
if [[ "${KERNEL_DIR}" != "/boot" ]]; then
for i in \
"$KERNEL_IMAGE" \
"$KERNEL_DIR"/System.map \
"$KERNEL_DIR"/config \
"$KERNEL_DIR"/zImage.stub \
"$KERNEL_DIR"/dtb \
; do
[[ -e "$i" ]] || continue
cp -aT "$i" "/boot/${i##*/}-${KERNEL_VERSION}"
command -v restorecon &>/dev/null && \
restorecon -R "/boot/${i##*/}-${KERNEL_VERSION}"
done
# hmac is .vmlinuz-<version>.hmac so needs a special treatment
i="$KERNEL_DIR/.${KERNEL_IMAGE##*/}.hmac"
if [[ -e "$i" ]]; then
cp -a "$i" "/boot/.${KERNEL_IMAGE##*/}-${KERNEL_VERSION}.hmac"
command -v restorecon &>/dev/null && \
restorecon "/boot/.${KERNEL_IMAGE##*/}-${KERNEL_VERSION}.hmac"
fi
fi
/sbin/new-kernel-pkg --package "kernel${flavor}" --install "$KERNEL_VERSION" || exit $?
/sbin/new-kernel-pkg --package "kernel${flavor}" --mkinitrd --dracut --depmod --update "$KERNEL_VERSION" || exit $?
/sbin/new-kernel-pkg --package "kernel${flavor}" --rpmposttrans "$KERNEL_VERSION" || exit $?
;;
remove)
/sbin/new-kernel-pkg --package "kernel${flavor+-$flavor}" --rminitrd --rmmoddep --remove "$KERNEL_VERSION" || exit $?
;;
*)
;;
esac
# skip other installation plugins, if we can't find a boot loader spec conforming setup
if ! [[ -d /boot/loader/entries || -L /boot/loader/entries ]]; then
exit 77
fi

30
26494.patch
View file

@ -1,30 +0,0 @@
From 6b25470ee28843a49c50442e9d8a98edc842ceca Mon Sep 17 00:00:00 2001
From: Yu Watanabe <watanabe.yu+github@gmail.com>
Date: Mon, 20 Feb 2023 12:00:30 +0900
Subject: [PATCH] core/manager: run generators directly when we are in initrd
Some initrd system write files at ourside of /run, /etc, or other
allowed places. This is a kind of workaround, but in most cases, such
sandboxing is not necessary as the filesystem is on ramfs when we are in
initrd.
Fixes #26488.
---
src/core/manager.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/core/manager.c b/src/core/manager.c
index 7b394794b0d4..306477c6e6c2 100644
--- a/src/core/manager.c
+++ b/src/core/manager.c
@@ -3822,8 +3822,8 @@ static int manager_run_generators(Manager *m) {
/* If we are the system manager, we fork and invoke the generators in a sanitized mount namespace. If
* we are the user manager, let's just execute the generators directly. We might not have the
* necessary privileges, and the system manager has already mounted /tmp/ and everything else for us.
- */
- if (MANAGER_IS_USER(m)) {
+ * If we are in initrd, let's also execute the generators directly, as we are in ramfs. */
+ if (MANAGER_IS_USER(m) || in_initrd()) {
r = manager_execute_generators(m, paths, /* remount_ro= */ false);
goto finish;
}

56
30846.patch
View file

@ -1,56 +0,0 @@
From 07bedc8f93277f705622625f440a1f56ccff1cd0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
Date: Tue, 9 Jan 2024 11:28:04 +0100
Subject: [PATCH] journal: again create user journals for users with high uids
This effectively reverts a change in 115d5145a257c1a27330acf9f063b5f4d910ca4d
'journald: move uid_for_system_journal() to uid-alloc-range.h', which slipped
in an additional check of uid_is_container(uid). The problem is that that change
is not backwards-compatible at all and very hard for users to handle.
There is no common agreement on mappings of high-range uids. Systemd declares
ownership of a large range for container uids in https://systemd.io/UIDS-GIDS/,
but this is only a recent change and various sites allocated those ranges
in a different way, in particular FreeIPA uses (used?) uids from this range
for human users. On big sites with lots of users changing uids is obviously a
hard problem. We generally assume that uids cannot be "freed" and/or changed
and/or reused safely, so we shouldn't demand the same from others.
This is somewhat similar to the situation with SYSTEM_ALLOC_UID_MIN /
SYSTEM_UID_MAX, which we tried to define to a fixed value in our code, causing
huge problems for existing systems with were created with a different
definition and couldn't be easily updated. For that case, we added a
configuration time switch and we now parse /etc/login.defs to actually use the
value that is appropriate for the local system.
Unfortunately, login.defs doesn't have a concept of container allocation ranges
(and we don't have code to parse and use those nonexistent names either), so we
can't tell users to adjust logind.defs to work around the changed definition.
login.defs has SUB_UID_{MIN,MAX}, but those aren't really the same thing,
because they are used to define where the add allocations for subuids, which is
generally a much smaller range. Maybe we should talk with other folks about
the appropriate allocation ranges and define some new settings in login.defs.
But this would require discussion and coordination with other projects first.
Actualy, it seems that this change was needed at all. The code in the container
does not log to the outside journal. It talks to its own journald, which does
journal splitting using its internal logic based on shifted uids. So let's
revert the change to fix user systems.
Fixes https://bugzilla.redhat.com/show_bug.cgi?id=2251843.
---
src/basic/uid-classification.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/basic/uid-classification.c b/src/basic/uid-classification.c
index 203ce2c68a..2eb384395d 100644
--- a/src/basic/uid-classification.c
+++ b/src/basic/uid-classification.c
@@ -129,5 +129,6 @@ bool uid_for_system_journal(uid_t uid) {
/* Returns true if the specified UID shall get its data stored in the system journal. */
- return uid_is_system(uid) || uid_is_dynamic(uid) || uid_is_greeter(uid) || uid == UID_NOBODY || uid_is_container(uid) || uid_is_foreign(uid);
+ return uid_is_system(uid) || uid_is_dynamic(uid) || uid_is_greeter(uid) || uid == UID_NOBODY || uid_is_foreign(uid);
+
}

42
38769.patch
View file

@ -1,42 +0,0 @@
From 00d70f36a0866660693347009446b7f872a05bf4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
Date: Sat, 30 Aug 2025 13:55:56 +0200
Subject: [PATCH] core: create userdb root directory with correct label
Set up the /run/systemd/userdb directory with the default SELinux context
on creation.
With version 257.7-1 on Debian the directory was automatically created with the
correct label. Starting with version 258 (only tested with 258~rc3-1) it no
longer is. Regression introduced in 736349958efe34089131ca88950e2e5bb391d36a.
[zjs: edited the patch to apply comments from review and update the description.]
---
src/core/varlink.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/src/core/varlink.c b/src/core/varlink.c
index 99f12c59e5..71a8ffd0e5 100644
--- a/src/core/varlink.c
+++ b/src/core/varlink.c
@@ -5,6 +5,7 @@
#include "constants.h"
#include "errno-util.h"
#include "manager.h"
+#include "mkdir-label.h"
#include "path-util.h"
#include "pidref.h"
#include "string-util.h"
@@ -441,7 +442,11 @@ static int manager_varlink_init_system(Manager *m) {
if (!fresh && varlink_server_contains_socket(m->varlink_server, address))
continue;
- r = sd_varlink_server_listen_address(m->varlink_server, address, 0666 | SD_VARLINK_SERVER_MODE_MKDIR_0755);
+ r = mkdir_parents_label(address, 0755);
+ if (r < 0)
+ log_warning_errno(r, "Failed to create parent directory of '%s', ignoring: %m", address);
+
+ r = sd_varlink_server_listen_address(m->varlink_server, address, 0666);
if (r < 0)
return log_error_errno(r, "Failed to bind to varlink socket '%s': %m", address);
}

5
60-block-scheduler.rules
View file

@ -1,5 +0,0 @@
# do not edit this file, it will be overwritten on update
ACTION=="add", SUBSYSTEM=="block", ENV{DEVTYPE}=="disk", \
KERNEL=="mmcblk*[0-9]|msblk*[0-9]|mspblk*[0-9]|sd*[!0-9]|sr*", \
ATTR{queue/scheduler}="bfq"

20
98-default-mac-none.link
View file

@ -1,20 +0,0 @@
# SPDX-License-Identifier: MIT-0
#
# This config file is installed as part of systemd.
# It may be freely copied and edited (following the MIT No Attribution license).
#
# To make local modifications, one of the following methods may be used:
# 1. add a drop-in file that extends this file by creating the
# /etc/systemd/network/98-default-mac-none.link.d/ directory and creating a
# new .conf file there.
# 2. copy this file into /etc/systemd/network or one of the other paths checked
# by systemd-udevd and edit it there.
# This file should not be edited in place, because it'll be overwritten on upgrades.
[Match]
Kind=bridge bond team
[Link]
NamePolicy=keep kernel database onboard slot path
AlternativeNamesPolicy=database onboard slot path
MACAddressPolicy=none

14
README.build-in-place.md
View file

@ -1,14 +0,0 @@
# Building systemd rpms for local development using rpmbuild --build-in-place
This approach is based on filbranden's [git-rpmbuild](https://github.com/filbranden/git-rpmbuild)
and his [talk during ASG2019](https://www.youtube.com/watch?v=fVM1kJrymRM).
```
git clone https://github.com/systemd/systemd
fedpkg clone systemd fedora-systemd
cd systemd
rpmbuild -bb --build-in-place --noprep --define "_sourcedir $PWD/../fedora-systemd" --define "_rpmdir $PWD/rpms" --with upstream ../fedora-systemd/systemd.spec
sudo dnf upgrade --setopt install_weak_deps=False rpms/*/*.rpm
```
`--without lto` and `--without tests` may be useful to speed up the build.

3221
changelog
View file

File diff suppressed because it is too large Load diff

3
libabigail.abignore
View file

@ -1,3 +0,0 @@
[suppress_file]
# Those shared objects are private to systemd
file_name_regexp=libsystemd-(shared|core)-.*.so

10
macros.sysusers
View file

@ -1,10 +0,0 @@
# RPM macros for packages creating system accounts
#
# Turn a sysusers.d file into macros specified by
# https://docs.fedoraproject.org/en-US/packaging-guidelines/UsersAndGroups/#_dynamic_allocation
#
# After https://fedoraproject.org/wiki/Changes/RPMSuportForSystemdSysusers,
# those macros are not needed anymore.
%sysusers_requires_compat %nil
%sysusers_create_compat() %nil

10
macros.sysusers.compat
View file

@ -1,10 +0,0 @@
# RPM macros for packages creating system accounts
#
# Turn a sysusers.d file into macros specified by
# https://docs.fedoraproject.org/en-US/packaging-guidelines/UsersAndGroups/#_dynamic_allocation
%sysusers_requires_compat Requires(pre): shadow-utils
%sysusers_create_compat() \
%(%{_rpmconfigdir}/sysusers.generate-pre.sh %{?*}) \
%{nil}

53
owner-check.sh
View file

@ -1,53 +0,0 @@
#!/bin/bash
set -e
verb="$1"
[ "$verb" = "-s" ] && do_send=1 || do_send=
[ -n "$do_send" ] && [ -z "$server" -o -z "login" ] && { echo '$server and $login need to be set'; exit 1; }
header=
from=systemd-maint@fedoraproject.org
time='2 years ago'
# time='1 day ago'
port=587
for user in "$@"; do
echo "checking $user"
p=$(git log -1 --all --author "$user")
if [ -z "$p" ]; then
echo "No commits from $user, check spelling"
exit 1
fi
t=$(git shortlog --all --author "$user" --since "@{$time}" | wc -l)
if [ $t != 0 ]; then
echo "$t commits in the last two years, OK"
echo
continue
fi
echo "$p" | head -n6
echo ".. adding to list"
if [ -z "$header" ]; then
echo '$USER$;$EMAIL$' >.mail.list
header=done
fi
echo "$user;$user@fedoraproject.org" >>.mail.list
echo
done
[ -z "$header" ] && exit 0
[ -n "$do_send" ] || exit 0
echo "Sending mails…"
set -x
massmail -F "$from" \
-C "$from" \
-S 'write access to the fedora systemd package' \
-z "$server" -u "$login" -P "$port" \
.mail.list <owner-check.template

20
owner-check.template
View file

@ -1,20 +0,0 @@
Dear $USER$,
the automation to check activity in the systemd dist-git repo [1]
determined that you haven't done any commits in the last two years.
To decrease the potential for unauthorized access, such checks will be
executed periodically. Not-used accounts with write access to the repo
will be downgraded to "ticket" (no write privileges).
If you want to retain access, please reply to this mail.
Otherwise, in two weeks, your access mode will be changed to "ticket".
Even without write access, anyone can open a pull request in pagure,
so write access is not necessary to contribute to the package.
Obviously such changes not permanent, so even if your access mode is
downgraded, it can easily be restored later on.
Yours friendly,
./owner-check.sh
[1] https://src.fedoraproject.org/rpms/systemd

127
plans/run-integration-tests.sh
View file

@ -1,127 +0,0 @@
#!/bin/bash
set -eux
set -o pipefail
# Switch SELinux to permissive if possible, since the tests don't set proper contexts
setenforce 0 || true
echo "CPU and Memory information:"
lscpu
lsmem
echo "Clock source: $(cat /sys/devices/system/clocksource/clocksource0/current_clocksource)"
# Bump inotify limits if we can so nspawn containers don't run out of inotify file descriptors.
sysctl fs.inotify.max_user_watches=65536 || true
sysctl fs.inotify.max_user_instances=1024 || true
if [[ -n "${KOJI_TASK_ID:-}" ]]; then
koji download-task --noprogress --arch="noarch,$(rpm --eval '%{_arch}')" "$KOJI_TASK_ID"
elif [[ -n "${CBS_TASK_ID:-}" ]]; then
cbs download-task --noprogress --arch="noarch,$(rpm --eval '%{_arch}')" "$CBS_TASK_ID"
elif [[ -n "${PACKIT_SRPM_URL:-}" ]]; then
COPR_BUILD_ID="$(basename "$(dirname "$PACKIT_SRPM_URL")")"
COPR_CHROOT="$(basename "$(dirname "$(dirname "$PACKIT_BUILD_LOG_URL")")")"
copr download-build --rpms --chroot "$COPR_CHROOT" "$COPR_BUILD_ID"
mv "$COPR_CHROOT"/* .
else
echo "Not running within packit and no CBS/koji task ID provided"
exit 1
fi
PACKAGEDIR="$PWD"
# This will match both the regular and the debuginfo rpm so make sure we select only the
# non-debuginfo rpm.
RPMS=(systemd-tests-*.rpm)
rpm2cpio "${RPMS[0]}" | cpio --make-directories --extract
pushd usr/lib/systemd/tests
mkosi_hash="$(grep "MinimumVersion=commit:" mkosi/mkosi.conf | sed "s|MinimumVersion=commit:||g")"
# Now prepare mkosi at the same version required by the systemd repo.
git clone https://github.com/systemd/mkosi /var/tmp/systemd-integration-tests-mkosi
git -C /var/tmp/systemd-integration-tests-mkosi checkout "$mkosi_hash"
export PATH="/var/tmp/systemd-integration-tests-mkosi/bin:$PATH"
# shellcheck source=/dev/null
. /etc/os-release || . /usr/lib/os-release
tee mkosi/mkosi.local.conf <<EOF
[Distribution]
Distribution=${MKOSI_DISTRIBUTION:-$ID}
Release=${MKOSI_RELEASE:-${VERSION_ID:-rawhide}}
[Content]
PackageDirectories=$PACKAGEDIR
SELinuxRelabel=yes
[Build]
ToolsTreeDistribution=${MKOSI_DISTRIBUTION:-$ID}
ToolsTreeRelease=${MKOSI_RELEASE:-${VERSION_ID:-rawhide}}
ToolsTreePackageDirectories=$PACKAGEDIR
Environment=NO_BUILD=1
WithTests=yes
EOF
if [[ -n "${MKOSI_REPOSITORIES:-}" ]]; then
tee --append mkosi/mkosi.local.conf <<EOF
[Distribution]
Repositories=$MKOSI_REPOSITORIES
[Build]
ToolsTreeRepositories=$MKOSI_REPOSITORIES
EOF
fi
if [[ -n "${TEST_SELINUX_CHECK_AVCS:-}" ]]; then
tee --append mkosi/mkosi.local.conf <<EOF
[Runtime]
KernelCommandLineExtra=systemd.setenv=TEST_SELINUX_CHECK_AVCS=$TEST_SELINUX_CHECK_AVCS
EOF
fi
# If we don't have KVM, skip running in qemu, as it's too slow. But try to load the module first.
modprobe kvm || true
if [[ ! -e /dev/kvm ]]; then
export TEST_NO_QEMU=1
fi
NPROC="$(nproc)"
if [[ "$NPROC" -ge 10 ]]; then
export TEST_JOURNAL_USE_TMP=1
NPROC="$((NPROC / 3))"
else
NPROC="$((NPROC - 1))"
fi
# This test is only really useful if we're building with sanitizers and takes a long time, so let's skip it
# for now.
export TEST_SKIP="TEST-21-DFUZZER ${TEST_SKIP:-}"
mkosi genkey
mkosi summary
mkosi -f box -- true
mkosi box -- meson setup build integration-tests/standalone
mkosi -f
if [[ "$(mkosi box -- meson test --help)" == *"--max-lines"* ]]; then
MAX_LINES=(--max-lines 300)
else
MAX_LINES=()
fi
mkosi box -- \
meson test \
-C build \
--setup=integration \
--print-errorlogs \
--no-stdsplit \
--num-processes "$NPROC" \
"${MAX_LINES[@]}" && EC=0 || EC=$?
[[ -d build/meson-logs ]] && find build/meson-logs -type f -exec mv {} "$TMT_TEST_DATA" \;
[[ -d build/test/journal ]] && find build/test/journal -type f -exec mv {} "$TMT_TEST_DATA" \;
popd
exit "$EC"

22
plans/upstream.fmf
View file

@ -1,22 +0,0 @@
summary: systemd upstream test suite
provision:
hardware:
virtualization:
is-supported: true
prepare:
- name: install-dependencies
how: install
package:
- coreutils
- distribution-gpg-keys
- dnf
- git-core
- koji
- centos-packager
- copr-cli
exclude:
- systemd-standalone-.*
execute:
how: tmt
script: exec plans/run-integration-tests.sh
duration: 2h

101
purge-nobody-user Executable file
View file

@ -0,0 +1,101 @@
#!/bin/bash -eu
if [ $UID -ne 0 ]; then
echo "WARNING: This script needs to run as root to be effective"
exit 1
fi
export SYSTEMD_NSS_BYPASS_SYNTHETIC=1
if [ "${1:-}" = "--ignore-journal" ]; then
shift
ignore_journal=1
else
ignore_journal=0
fi
echo "Checking processes..."
if ps h -u 99 | grep .; then
echo "ERROR: ps reports processes with UID 99!"
exit 2
fi
echo "... not found"
echo "Checking UTMP..."
if w -h 199 | grep . ; then
echo "ERROR: w reports UID 99 as active!"
exit 2
fi
if w -h nobody | grep . ; then
echo "ERROR: w reports user nobody as active!"
exit 2
fi
echo "... not found"
echo "Checking the journal..."
if [ "$ignore_journal" = 0 ] && journalctl -q -b -n10 _UID=99 | grep . ; then
echo "ERROR: journalctl reports messages from UID 99 in current boot!"
exit 2
fi
echo "... not found"
echo "Looking for files in /etc, /run, /tmp, and /var..."
if find /etc /run /tmp /var -uid 99 -print | grep -m 10 . ; then
echo "ERROR: found files belonging to UID 99"
exit 2
fi
echo "... not found"
echo "Checking if nobody is defined correctly..."
if getent passwd nobody |
grep '^nobody:[x*]:65534:65534:.*:/:/sbin/nologin';
then
echo "OK, nothing to do."
exit 0
else
echo "NOTICE: User nobody is not defined correctly"
fi
echo "Checking if nfsnobody or something else is using the uid..."
if getent passwd 65534 | grep . ; then
echo "NOTICE: will have to remove this user"
else
echo "... not found"
fi
if [ "${1:-}" = "-x" ]; then
if getent passwd nobody >/dev/null; then
# this will remove both the user and the group.
( set -x
userdel nobody
)
fi
if getent passwd 65534 >/dev/null; then
# Make sure the uid is unused. This should free gid too.
name="$(getent passwd 65534 | cut -d: -f1)"
( set -x
userdel "$name"
)
fi
if grep -qE '^(passwd|group):.*\bsss\b' /etc/nsswitch.conf; then
echo "Sleeping, so sss can catch up"
sleep 3
fi
if getent group 65534; then
# Make sure the gid is unused, even if uid wasn't.
name="$(getent group 65534 | cut -d: -f1)"
( set -x
groupdel "$name"
)
fi
# systemd-sysusers uses the same gid and uid
( set -x
systemd-sysusers --inline 'u nobody 65534 "Kernel Overflow User" / /sbin/nologin'
)
else
echo "Pass '-x' to perform changes"
fi

24
rpminspect.yaml
View file

@ -1,24 +0,0 @@
# Disable badfuncs check that has tons of false positives.
badfuncs:
allowed:
/usr/lib/systemd/tests/unit-tests/*:
- inet_addr
- inet_aton
/usr/bin/networkctl:
- inet_addr
- inet_aton
# don't report changed content of compiled files
# that is expected with every update
changedfiles:
exclude_path: .*
# completely disable inspections:
inspections:
# we know about our patches, no need to report anything
patches: off
# this inspection uses `udevadm` which comes from this package
# disable so we do not check udev rules with a possibly outdated version
# of the command
udevrules: off

2
sources
View file

@ -1 +1 @@
SHA512 (systemd-259.tar.gz) = ef46b13661df43e3cfbeee1bc22f0b1eb902e8ebe39c19868c465efd08b35a199c2a2cd9d8021a6bc4d692fa0c6e0eab3f13eecd6ce24dde81d3945464a25b50
SHA512 (systemd-18dd3fb.tar.gz) = 697a8f714e645a3d090c68a4d4cc102077aca2c32205dc2a0d22bbb6a99324030b5ac262332adcae17ce99e92d01a4e9cdc6546176a1bdab3543be30126602ad

255
split-files.py
View file

@ -1,47 +1,8 @@
import re, sys, os, collections
buildroot = sys.argv[1]
no_bootloader = '--no-bootloader' in sys.argv
known_files = '''
%ghost %config(noreplace) /etc/crypttab
%ghost %attr(0444,root,root) /etc/udev/hwdb.bin
/etc/inittab
# This directory is owned by openssh-server, but we don't want to introduce
# a dependency. So let's copy the config and co-own the directory.
%dir %attr(0700,root,root) /etc/ssh/sshd_config.d
%ghost %config(noreplace) /etc/vconsole.conf
%ghost %config(noreplace) /etc/X11/xorg.conf.d/00-keyboard.conf
%ghost %attr(0664,root,root) %verify(not group) /run/utmp
%ghost %attr(0664,root,root) %verify(not group) /var/log/wtmp
%ghost %attr(0660,root,root) %verify(not group) /var/log/btmp
%ghost %attr(0664,root,root) %verify(not md5 size mtime group) /var/log/lastlog
%ghost %config(noreplace) /etc/hostname
%ghost %config(noreplace) /etc/localtime
%ghost %config(noreplace) /etc/locale.conf
%ghost %attr(0444,root,root) %config(noreplace) /etc/machine-id
%ghost %config(noreplace) /etc/machine-info
%ghost %attr(0700,root,root) %dir /var/cache/private
%ghost %attr(0700,root,root) %dir /var/lib/private
%ghost %dir /var/lib/private/systemd
%ghost %dir /var/lib/private/systemd/journal-upload
%ghost /var/lib/private/systemd/journal-upload/state
%ghost %dir /var/lib/systemd/timesync
%ghost /var/lib/systemd/timesync/clock
%ghost %dir /var/lib/systemd/backlight
%ghost /var/lib/systemd/catalog/database
%ghost %dir /var/lib/systemd/coredump
%ghost /var/lib/systemd/journal-upload
%ghost %dir /var/lib/systemd/linger
%ghost %attr(0600,root,root) /var/lib/systemd/random-seed
%ghost %dir /var/lib/systemd/rfkill
%ghost %dir %verify(not mode group) /var/log/journal
%ghost %dir /var/log/journal/remote
%ghost %attr(0700,root,root) %dir /var/log/private
'''
known_files = {line.split()[-1]:line for line in known_files.splitlines()
if line and not line.startswith('#')}
known_files = sys.stdin.read().splitlines()
known_files = {line.split()[-1]:line for line in known_files}
def files(root):
os.chdir(root)
@ -54,31 +15,15 @@ def files(root):
if file.is_dir() and not file.is_symlink():
todo.append(file)
outputs = {suffix: open(f'.file-list-{suffix}', 'w')
for suffix in (
'shared',
'libs',
'udev',
'ukify',
'boot',
'pam',
'rpm-macros',
'sysusers',
'devel',
'container',
'networkd',
'networkd-defaults',
'oomd-defaults',
'remote',
'resolve',
'tests',
'standalone-repart',
'standalone-tmpfiles',
'standalone-sysusers',
'standalone-shutdown',
'main',
)}
o_libs = open('.file-list-libs', 'w')
o_udev = open('.file-list-udev', 'w')
o_pam = open('.file-list-pam', 'w')
o_rpm_macros = open('.file-list-rpm-macros', 'w')
o_devel = open('.file-list-devel', 'w')
o_container = open('.file-list-container', 'w')
o_remote = open('.file-list-remote', 'w')
o_tests = open('.file-list-tests', 'w')
o_rest = open('.file-list-rest', 'w')
for file in files(buildroot):
n = file.path[1:]
if re.match(r'''/usr/(share|include)$|
@ -98,201 +43,77 @@ for file in files(buildroot):
/etc(/pam\.d|/xdg|/X11|/X11/xinit|/X11.*\.d|)$|
/etc/(dnf|dnf/protected.d)$|
/usr/(src|lib/debug)| # no $
/run$|
/var(/cache|/log|/lib|/run|)$
''', n, re.X):
continue
if n.endswith('.standalone'):
if 'repart' in n:
o = outputs['standalone-repart']
elif 'tmpfiles' in n:
o = outputs['standalone-tmpfiles']
elif 'sysusers' in n:
o = outputs['standalone-sysusers']
elif 'shutdown' in n:
o = outputs['standalone-shutdown']
else:
assert False, 'Found .standalone not belonging to known packages'
elif '/security/pam_' in n or '/man8/pam_' in n:
o = outputs['pam']
elif '/rpm/' in n:
o = outputs['rpm-macros']
if '/security/pam_' in n:
o = o_pam
elif 'rpm/macros' in n:
o = o_rpm_macros
elif re.search(r'/lib.*\.pc|/man3/|/usr/include|(?<!/libsystemd-shared-...).so$', n):
o = o_devel
elif '/usr/lib/systemd/tests' in n:
o = outputs['tests']
elif 'ukify' in n and '/man/' not in n:
o = outputs['ukify']
elif re.search(r'/libsystemd-core-.*\.so$', n):
o = outputs['main']
elif re.search(r'/libsystemd-shared-.*\.so$', n):
o = outputs['shared']
elif re.search(r'/libcryptsetup-token-systemd-.*\.so$', n):
o = outputs['udev']
elif re.search(r'/lib.*\.pc$|/man3/|/usr/include|\.so$', n):
o = outputs['devel']
o = o_tests
elif re.search(r'''journal-(remote|gateway|upload)|
systemd-remote\.conf|
/usr/share/systemd/gatewayd|
/var/log/journal/remote
''', n, re.X):
o = outputs['remote']
# Just the binary, the dir, and the man page.
elif re.search(r'''systemd-sysusers$|
sysusers\.d$|
man/.*sysusers\.d\.5|
man/.*systemd-sysusers\.8
''', n, re.X):
o = outputs['sysusers']
o = o_remote
elif re.search(r'''mymachines|
machinectl|
mount.ddi|
importctl|
portablectl|
systemd-nspawn|
systemd\.nspawn|
systemd-vmspawn|
systemd-dissect|
import-pubring|
systemd-machined|
systemd-import|
systemd-export|
systemd-pull|
systemd-mountfsd|
systemd-mountwork|
systemd-nsresource|
import-pubring.gpg|
systemd-(machined|import|pull)|
/machine.slice|
/machines.target|
var-lib-machines.mount|
network/80-container-v[ez]|
org.freedesktop.(import|machine)1
''', n, re.X):
o = outputs['container']
# .network.example files go into systemd-networkd, and the matching files
# without .example go into systemd-networkd-defaults
elif (re.search(r'''/usr/lib/systemd/network/.*\.network$''', n)
and os.path.exists(f'./{n}.example')):
o = outputs['networkd-defaults']
# Files that are "consumed" by systemd-networkd go into the -networkd
# subpackage. As a special case, network-generator is co-owned also by
# the -udev subpackage because systemd-udevd reads .link files.
elif re.search(r'''/usr/lib/systemd/network/.*\.network|
networkd|
networkctl|
org.freedesktop.network1|
sysusers\.d/systemd-network.conf|
tmpfiles\.d/systemd-network.conf|
systemd\.network|
systemd\.netdev
''', n, re.X):
o = outputs['networkd']
elif 'network-generator' in n:
o = (outputs['networkd'], outputs['udev'])
o = o_container
elif '.so.' in n:
o = outputs['libs']
elif re.search(r'10-oomd-.*defaults.conf|lib/systemd/oomd.conf.d', n, re.X):
o = outputs['oomd-defaults']
o = o_libs
elif re.search(r'''udev(?!\.pc)|
hwdb|
ac-power|
bootctl|
boot-update|
bless-boot|
boot-system-token|
bsod|
kernel-install|
installkernel|
vconsole|
backlight|
rfkill|
random-seed|
modules-load|
timesync|
crypttab|
cryptenroll|
cryptsetup|
kmod|
quota|
pstore|
sleep|suspend|hibernate|
systemd-tmpfiles-setup-dev|
network/98-default-mac-none.link|
network/99-default.link|
growfs|makefs|makeswap|mkswap|
fsck|
repart|
growfs|makefs|makeswap|
gpt-auto|
volatile-root|
veritysetup|
integritysetup|
integritytab|
remount-fs|
/initrd|
systemd[.-]pcr|
/pcrlock\.d|
systemd-measure|
/boot$|
/boot/efi|
remount-fs|
/kernel/|
/kernel$|
/modprobe.d|
binfmt|
sysctl|
coredump|
homed|home1|
sysupdate|updatctl|
oomd|
portabled|portable1
''', n, re.X): # coredumpctl, homectl, portablectl are included in the main package because
# they can be used to interact with remote daemons. Also, the user could be
# confused if those user-facing binaries are not available.
o = outputs['udev']
elif re.search(r'''/boot/efi|
/usr/lib/systemd/boot|
sd-boot|systemd-boot\.|loader.conf
/modprobe.d
''', n, re.X):
o = outputs['boot']
elif re.search(r'''resolved|resolve1|
systemd-resolve|
resolvconf|
systemd\.(positive|negative)
''', n, re.X): # resolvectl and nss-resolve are in the main package.
o = outputs['resolve']
o = o_udev
else:
o = outputs['main']
o = o_rest
if n in known_files:
prefix = known_files[n].split()[:-1]
elif file.is_dir(follow_symlinks=False):
prefix = ['%dir']
elif 'README' in n:
prefix = ['%doc']
prefix = ' '.join(known_files[n].split()[:-1])
if prefix:
prefix += ' '
elif file.is_dir() and not file.is_symlink():
prefix = '%dir '
elif n.startswith('/etc'):
prefix = ['%config(noreplace)']
if not file.is_symlink() and file.stat().st_size == 0:
prefix += ['%ghost']
prefix = '%config(noreplace) '
else:
prefix = []
prefix = ' '.join(prefix + ['']) if prefix else ''
prefix = ''
suffix = '*' if '/man/' in n else ''
if not isinstance(o, tuple):
o = (o,)
for file in o:
print(f'{prefix}{n}{suffix}', file=file)
if [print(f'ERROR: no file names were written to {o.name}')
for name, o in outputs.items()
if (o.tell() == 0 and
not (no_bootloader and name == 'boot'))
]:
sys.exit(1)
print(f'{prefix}{n}{suffix}', file=o)

18
systemd-user
View file

@ -1,14 +1,10 @@
# This file is part of systemd.
#
# Used by systemd --user instances.
-account sufficient pam_systemd_home.so
account sufficient pam_unix.so no_pass_expiry
account include system-auth
account include system-auth
session required pam_selinux.so close
session required pam_selinux.so nottys open
session required pam_loginuid.so
session optional pam_keyinit.so force revoke
session required pam_namespace.so
-session optional pam_systemd_home.so
session optional pam_umask.so silent
session include system-auth
session required pam_selinux.so close
session required pam_selinux.so nottys open
session required pam_loginuid.so
session include system-auth

50
systemd.rpmlintrc
View file

@ -1,50 +0,0 @@
# Just kill all warnings about README being wrong in every possible way
addFilter(r'README')
addFilter(r'missing-call-to-(chdir-with-chroot|setgroups-before-setuid)')
addFilter(r'executable-marked-as-config-file /etc/X11/xinit/xinitrc.d/50-systemd-user.sh')
addFilter(r'non-readable /etc/crypttab')
addFilter(r'non-conffile-in-etc /etc/inittab')
addFilter(r'systemd-unit-in-etc /etc/systemd/.*\.wants')
addFilter(r'dangling-relative-symlink /usr/lib/environment.d/99-environment.conf ../../../etc/environment')
addFilter(r'devel-file-in-non-devel-package /usr/share/pkgconfig/(systemd|udev).pc')
addFilter(r'non-standard-dir-perm /var/cache/private 700')
addFilter(r'non-root-group-log-file /var/log/btmp utmp')
addFilter(r'non-standard-dir-perm /var/log/private 700')
addFilter(r'non-root-group-log-file /var/log/wtmp utmp')
addFilter(r'dangerous-command-in-')
addFilter(r'summary-not-capitalized C systemd')
addFilter(r'obsolete-not-provided')
addFilter(r'postin-without-ldconfig')
addFilter(r'systemd-rpm-macros.noarch: W: only-non-binary-in-usr-lib')
addFilter(r'systemd-rpm-macros.noarch: W: no-documentation')
addFilter(r'systemd-tests\..*: W: no-documentation')
addFilter(r'systemd-tests.*: E: zero-length /usr/lib/systemd/tests/testdata/test-umount/empty.mountinfo')
addFilter(r'hardcoded-library-path in.*(firewalld|install.d|lib/systemd)')
# everybody does it this way: systemd, syslog-ng, rsyslog
addFilter(r'unversioned-explicit-provides syslog')
# systemd-machine-id-setup requires libssl
addFilter(r'explicit-lib-dependency openssl-libs')
addFilter(r'systemd.src:.*strange-permission')

3413
systemd.spec
View file

File diff suppressed because it is too large Load diff

2
sysusers.attr
View file

@ -1,2 +0,0 @@
%__sysusers_provides %{_rpmconfigdir}/sysusers.prov
%__sysusers_path ^%{_sysusersdir}/.*\\.conf$

96
sysusers.generate-pre.sh
View file

@ -1,96 +0,0 @@
#!/bin/bash
# -*- mode: shell-script; indent-tabs-mode: true; tab-width: 4; -*-
# This script turns sysuser.d files into scriptlets mandated by Fedora
# packaging guidelines. The general idea is to define users using the
# declarative syntax but to turn this into traditional scriptlets.
user() {
user="$1"
uid="$2"
desc="$3"
group="$4"
home="$5"
shell="$6"
[ "$desc" = '-' ] && desc=
{ [ "$home" = '-' ] || [ "$home" = '' ]; } && home=/
{ [ "$shell" = '-' ] || [ "$shell" = '' ]; } && shell=/usr/sbin/nologin
if [ "$uid" = '-' ] || [ "$uid" = '' ]; then
cat <<-EOF
getent passwd '$user' >/dev/null || \\
useradd -r -g ${group@Q} -d ${home@Q} -s ${shell@Q} -c ${desc@Q} ${user@Q} || :
EOF
else
cat <<-EOF
if ! getent passwd ${user@Q} >/dev/null; then
if ! getent passwd ${uid@Q} >/dev/null; then
useradd -r -u ${uid@Q} -g ${group@Q} -d ${home@Q} -s ${shell@Q} -c ${desc@Q} ${user@Q} || :
else
useradd -r -g ${group@Q} -d ${home@Q} -s ${shell@Q} -c ${desc@Q} ${user@Q} || :
fi
fi
EOF
fi
}
group() {
group="$1"
gid="$2"
if [ "$gid" = '-' ]; then
cat <<-EOF
getent group ${group@Q} >/dev/null || groupadd -r ${group@Q} || :
EOF
else
cat <<-EOF
getent group ${group@Q} >/dev/null || groupadd -f -g ${gid@Q} -r ${group@Q} || :
EOF
fi
}
usermod() {
user="$1"
group="$2"
cat <<-EOF
if getent group ${group@Q} >/dev/null; then
usermod -a -G ${group@Q} '$user' || :
fi
EOF
}
parse() {
while read -r line || [ -n "$line" ] ; do
{ [ "${line:0:1}" = '#' ] || [ "${line:0:1}" = ';' ]; } && continue
line="${line## *}"
[ -z "$line" ] && continue
eval "arr=( $line )"
case "${arr[0]}" in
('u'|'u!')
if [[ "${arr[2]}" == *":"* ]]; then
user "${arr[1]}" "${arr[2]%:*}" "${arr[3]}" "${arr[2]#*:}" "${arr[4]}" "${arr[5]}"
else
group "${arr[1]}" "${arr[2]}"
user "${arr[1]}" "${arr[2]}" "${arr[3]}" "${arr[1]}" "${arr[4]}" "${arr[5]}"
fi
;;
('g')
group "${arr[1]}" "${arr[2]}"
;;
('m')
group "${arr[2]}" "-"
user "${arr[1]}" "-" "" "${arr[1]}" "" ""
usermod "${arr[1]}" "${arr[2]}"
;;
esac
done
}
for fn in "$@"; do
[ -e "$fn" ] || continue
echo "# generated from $(basename "$fn")"
parse <"$fn"
done

61
sysusers.prov
View file

@ -1,61 +0,0 @@
#!/bin/bash
process_u() {
if [ ! -z "${2##*[!0-9]*}" ]; then
# Single shared static ID.
echo "user($1) = $2"
echo "group($1) = $2"
elif [[ $2 == *:* ]]; then
# UID:<group>.
uid=$(echo $2 | cut -d':' -f1 -)
group=$(echo $2 | cut -d':' -f2 -)
if [ ! -z "${group##*[!0-9]*}" ]; then
# UID:GID.
echo "user($1) = ${uid}"
echo "group($1) = ${group}"
else
# UID:<groupname>.
echo "user($1) = ${uid}"
echo "group(${group})"
fi
else
# Dynamic (or something else uninteresting).
echo "user($1)"
echo "group($1)"
fi
}
process_g() {
if [ ! -z "${2##*[!0-9]*}" ]; then
# Static GID.
echo "group($1) = $2"
else
# Dynamic (or something else uninteresting).
echo "group($1)"
fi
}
parse() {
while read line; do
[ "${line:0:1}" = '#' -o "${line:0:1}" = ';' ] && continue
line="${line## *}"
[ -z "$line" ] && continue
set -- $line
case "$1" in
('u'|'u!')
process_u "$2" "$3"
;;
('g')
process_g "$2" "$3"
;;
('m')
echo "user($2)"
echo "group($3)"
;;
esac
done
}
while read fn; do
parse < "$fn"
done

39
test_sysusers_defined.py
View file

@ -1,39 +0,0 @@
#!/usr/bin/python
import os
import sys
def parse_sysusers_file(filename):
users, groups = set(), set()
for line in open(filename):
line = line.strip()
if not line or line.startswith('#'):
continue
words = line.split()
match words[0]:
case 'u'|'u!':
users.add(words[1])
case 'g':
groups.add(words[1])
case 'm'|'r':
continue
case _:
assert False
return users, groups
setup_users, setup_groups = set(), set()
for arg in sys.argv[1:-1]:
users, groups = parse_sysusers_file(arg)
setup_users |= users
setup_groups |= groups
basic_users, basic_groups = parse_sysusers_file(sys.argv[-1])
ignored = set(os.getenv('IGNORED', '').split())
if d := basic_users - setup_users - ignored:
exit(f'We have new users: {d}')
if d := basic_groups - setup_groups - ignored:
exit(f'We have new groups: {d}')

124
triggers.systemd
View file

@ -1,85 +1,111 @@
# -*- Mode: rpm-spec; indent-tabs-mode: nil -*- */
# SPDX-License-Identifier: LGPL-2.1-or-later
# SPDX-License-Identifier: LGPL-2.1+
#
# This file is part of systemd.
#
# Copyright 2015 Zbigniew Jędrzejewski-Szmek
# Copyright 2018 Neal Gompa
#
# systemd is free software; you can redistribute it and/or modify it
# under the terms of the GNU Lesser General Public License as published by
# the Free Software Foundation; either version 2.1 of the License, or
# (at your option) any later version.
#
# systemd is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# Lesser General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public License
# along with systemd; If not, see <http://www.gnu.org/licenses/>.
# The contents of this are an example to be copied into systemd.spec.
#
# Minimum rpm version supported: 4.14.0
# Minimum rpm version supported: 4.13.0
%transfiletriggerin -P 900900 -- /usr/lib/systemd/system/ /etc/systemd/system/
%transfiletriggerin -P 900900 -- /usr/lib/systemd/system /etc/systemd/system
# This script will run after any package is initially installed or
# upgraded. We care about the case where a package is initially
# installed, because other cases are covered by the *un scriptlets,
# so sometimes we will reload needlessly.
/usr/lib/systemd/systemd-update-helper system-reload-restart || :
if test -d /run/systemd/system; then
%{_bindir}/systemctl daemon-reload
fi
%transfiletriggerin -P 900899 -- /usr/lib/systemd/user/ /etc/systemd/user/
/usr/lib/systemd/systemd-update-helper user-reload-restart || :
%transfiletriggerpostun -P 1000100 -- /usr/lib/systemd/system/ /etc/systemd/system/
%transfiletriggerun -- /usr/lib/systemd/system /etc/systemd/system
# On removal, we need to run daemon-reload after any units have been
# removed.
# removed. %transfiletriggerpostun would be ideal, but it does not get
# executed for some reason.
# On upgrade, we need to run daemon-reload after any new unit files
# have been installed, but before %postun scripts in packages get
# executed.
/usr/lib/systemd/systemd-update-helper system-reload || :
# executed. %transfiletriggerun gets the right list of files
# but it is invoked too early (before changes happen).
# %filetriggerpostun happens at the right time, but it fires for
# every package.
# To execute the reload at the right time, we create a state
# file in %transfiletriggerun and execute the daemon-reload in
# the first %filetriggerpostun.
%transfiletriggerpostun -P 1000099 -- /usr/lib/systemd/user/ /etc/systemd/user/
# Execute daemon-reload in user managers.
/usr/lib/systemd/systemd-update-helper user-reload || :
if test -d "/run/systemd/system"; then
mkdir -p "%{_localstatedir}/lib/rpm-state/systemd"
touch "%{_localstatedir}/lib/rpm-state/systemd/needs-reload"
fi
%transfiletriggerpostun -P 10000 -- /usr/lib/systemd/system/ /etc/systemd/system/
# We restart remaining system services that should be restarted here.
/usr/lib/systemd/systemd-update-helper system-restart || :
%filetriggerpostun -P 1000100 -- /usr/lib/systemd/system /etc/systemd/system
if test -f "%{_localstatedir}/lib/rpm-state/systemd/needs-reload"; then
rm -rf "%{_localstatedir}/lib/rpm-state/systemd"
%{_bindir}/systemctl daemon-reload
fi
%transfiletriggerpostun -P 9999 -- /usr/lib/systemd/user/ /etc/systemd/user/
# We restart remaining user services that should be restarted here.
/usr/lib/systemd/systemd-update-helper user-restart || :
%transfiletriggerin -P 1000700 -- /usr/lib/sysusers.d/
%transfiletriggerin -P 100700 -- /usr/lib/sysusers.d
# This script will process files installed in /usr/lib/sysusers.d to create
# specified users automatically. The priority is set such that it
# will run before the tmpfiles file trigger.
systemd-sysusers || :
if test -d /run/systemd/system; then
%{_bindir}/systemd-sysusers
fi
%transfiletriggerin -P 1000700 udev -- /usr/lib/udev/hwdb.d/
%transfiletriggerin -P 100500 -- /usr/lib/tmpfiles.d
# This script will process files installed in /usr/lib/tmpfiles.d to create
# tmpfiles automatically. The priority is set such that it will run
# after the sysusers file trigger, but before any other triggers.
if test -d /run/systemd/system; then
%{_bindir}/systemd-tmpfiles --create
fi
%transfiletriggerin udev -- /usr/lib/udev/hwdb.d
# This script will automatically invoke hwdb update if files have been
# installed or updated in /usr/lib/udev/hwdb.d.
systemd-hwdb update || :
if test -d /run/systemd/system; then
%{_bindir}/systemd-hwdb update
fi
%transfiletriggerin -P 1000700 -- /usr/lib/systemd/catalog/
%transfiletriggerin -- /usr/lib/systemd/catalog
# This script will automatically invoke journal catalog update if files
# have been installed or updated in /usr/lib/systemd/catalog.
journalctl --update-catalog || :
if test -d /run/systemd/system; then
%{_bindir}/journalctl --update-catalog
fi
%transfiletriggerin -P 1000700 -- /usr/lib/binfmt.d/
%transfiletriggerin udev -- /usr/lib/udev/rules.d
# This script will automatically update udev with new rules if files
# have been installed or updated in /usr/lib/udev/rules.d.
if test -d /run/systemd/system; then
%{_bindir}/udevadm control --reload
fi
%transfiletriggerin -- /usr/lib/sysctl.d
# This script will automatically apply sysctl rules if files have been
# installed or updated in /usr/lib/sysctl.d.
if test -d /run/systemd/system; then
/usr/lib/systemd/systemd-sysctl
fi
%transfiletriggerin -- /usr/lib/binfmt.d
# This script will automatically apply binfmt rules if files have been
# installed or updated in /usr/lib/binfmt.d.
if test -d "/run/systemd/system"; then
if test -d /run/systemd/system; then
# systemd-binfmt might fail if binfmt_misc kernel module is not loaded
# during install
/usr/lib/systemd/systemd-binfmt || :
fi
%transfiletriggerin -P 1000600 -- /usr/lib/tmpfiles.d/
# This script will process files installed in /usr/lib/tmpfiles.d to create
# tmpfiles automatically. The priority is set such that it will run
# after the sysusers file trigger, but before any other triggers.
if test -d "/run/systemd/system"; then
systemd-tmpfiles --create || :
fi
%transfiletriggerin -P 1000600 udev -- /usr/lib/udev/rules.d/
# This script will automatically update udev with new rules if files
# have been installed or updated in /usr/lib/udev/rules.d.
/usr/lib/systemd/systemd-update-helper mark-reload-system-units systemd-udevd.service || :
%transfiletriggerin -P 1000500 -- /usr/lib/sysctl.d/
# This script will automatically apply sysctl rules if files have been
# installed or updated in /usr/lib/sysctl.d.
if test -d "/run/systemd/system"; then
/usr/lib/systemd/systemd-sysctl || :
fi

2
yum-protect-systemd.conf Normal file
View file

@ -0,0 +1,2 @@
systemd
systemd-udev