rpms/systemd
3
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Compare commits

base: rpms:rawhide
Branches Tags
rpms:rawhide
rpms:main
rpms:f43
rpms:f42
rpms:f41
rpms:f40
rpms:f39
rpms:f38
rpms:f37
rpms:f36
rpms:f35
rpms:rhughes/chassis-type-backport
rpms:f34
rpms:f33
rpms:f32
rpms:f31
rpms:f30
rpms:f29
rpms:f28
rpms:f27
rpms:rpm-master
rpms:f25
rpms:f26
rpms:f24
rpms:f23
rpms:f22
rpms:f21
rpms:f20
rpms:f19
rpms:f18
rpms:f17
rpms:f16
rpms:f15
rpms:f14
rpms:systemd-216-16.fc21
rpms:systemd-216-15.fc21
rpms:systemd-216-14.fc21
rpms:systemd-216-13.fc21
rpms:systemd-216-12.fc21
rpms:systemd-217-4.fc22
rpms:systemd-217-3.fc22
rpms:systemd-217-2.fc22
rpms:systemd-217-1.fc22
rpms:systemd-216-12.fc22
rpms:systemd-216-11.fc22
rpms:systemd-216-10.fc22
rpms:systemd-216-9.fc22
rpms:systemd-216-8.fc22
rpms:systemd-216-7.fc22
rpms:systemd-216-6.fc22
rpms:systemd-216-5.fc22
rpms:systemd-216-4.fc22
rpms:systemd-216-3.fc22
rpms:systemd-216-2.fc22
rpms:systemd-216-1.fc22
rpms:systemd-215-12.fc22
rpms:systemd-215-11.fc22
rpms:systemd-215-10.fc22
rpms:systemd-215-9.fc22
rpms:systemd-209-1.fc21
rpms:systemd-209-2.gitf01de96.fc21
rpms:systemd-210-1.fc21
rpms:systemd-210-2.fc21
rpms:systemd-210-3.fc21
rpms:systemd-210-4.fc21
rpms:systemd-210-5.fc21
rpms:systemd-210-6.fc21
rpms:systemd-210-7.fc21
rpms:systemd-210-8.fc21
rpms:systemd-211-1.fc21
rpms:systemd-211-2.fc21
rpms:systemd-212-1.fc21
rpms:systemd-212-2.fc21
rpms:systemd-212-3.fc21
rpms:systemd-212-4.fc21
rpms:systemd-212-5.fc21
rpms:systemd-212-6.fc21
rpms:systemd-213-1.fc21
rpms:systemd-213-2.fc21
rpms:systemd-213-3.fc21
rpms:systemd-213-4.fc21
rpms:systemd-214-1.fc21
rpms:systemd-214-2.fc21
rpms:systemd-214-3.fc21
rpms:systemd-214-4.fc21
rpms:systemd-214-5.fc21
rpms:systemd-216-11.fc21
rpms:systemd-216-10.fc21
rpms:systemd-216-9.fc21
rpms:systemd-215-1.fc21
rpms:systemd-215-2.fc21
rpms:systemd-215-3.fc21
rpms:systemd-215-4.fc21
rpms:systemd-215-5.fc21
rpms:systemd-215-6.fc21
rpms:systemd-215-7.fc21
rpms:systemd-215-8.fc21
rpms:systemd-215-9.fc21
rpms:systemd-215-10.fc21
rpms:systemd-215-11.fc21
rpms:systemd-215-12.fc21
rpms:systemd-215-13.fc21
rpms:systemd-215-14.fc21
rpms:systemd-215-15.fc21
rpms:systemd-215-16.fc21
rpms:systemd-215-17.fc21
rpms:systemd-215-18.fc21
rpms:systemd-215-19.fc21
rpms:systemd-216-1.fc21
rpms:systemd-216-2.fc21
rpms:systemd-216-3.fc21
rpms:systemd-216-4.fc21
rpms:systemd-216-5.fc21
rpms:systemd-216-6.fc21
rpms:systemd-216-7.fc21
rpms:systemd-216-8.fc21
rpms:systemd-4-4_fc14
rpms:systemd-4-3_fc14
rpms:systemd-4-2_fc14
rpms:systemd-4-1_fc14
rpms:systemd-3-3_fc14
rpms:systemd-3-2_fc14
rpms:systemd-3-1_fc14
rpms:systemd-2-0_fc14
rpms:systemd-1-0_fc14
rpms:systemd-0-0_7_20100629git4176e5_fc14
rpms:systemd-0-0_6_20100622gita3723b_fc14
rpms:systemd-0-0_5_20100622gita3723b_fc14
rpms:systemd-0-0_4_20100614git393034_fc14
rpms:systemd-0-0_3_20100610git2f198e_fc14
..
compare: rpms:f31
Branches Tags
rpms:main
rpms:rawhide
rpms:f43
rpms:f42
rpms:f41
rpms:f40
rpms:f39
rpms:f38
rpms:f37
rpms:f36
rpms:f35
rpms:rhughes/chassis-type-backport
rpms:f34
rpms:f33
rpms:f32
rpms:f31
rpms:f30
rpms:f29
rpms:f28
rpms:f27
rpms:rpm-master
rpms:f25
rpms:f26
rpms:f24
rpms:f23
rpms:f22
rpms:f21
rpms:f20
rpms:f19
rpms:f18
rpms:f17
rpms:f16
rpms:f15
rpms:f14
rpms:systemd-216-16.fc21
rpms:systemd-216-15.fc21
rpms:systemd-216-14.fc21
rpms:systemd-216-13.fc21
rpms:systemd-216-12.fc21
rpms:systemd-217-4.fc22
rpms:systemd-217-3.fc22
rpms:systemd-217-2.fc22
rpms:systemd-217-1.fc22
rpms:systemd-216-12.fc22
rpms:systemd-216-11.fc22
rpms:systemd-216-10.fc22
rpms:systemd-216-9.fc22
rpms:systemd-216-8.fc22
rpms:systemd-216-7.fc22
rpms:systemd-216-6.fc22
rpms:systemd-216-5.fc22
rpms:systemd-216-4.fc22
rpms:systemd-216-3.fc22
rpms:systemd-216-2.fc22
rpms:systemd-216-1.fc22
rpms:systemd-215-12.fc22
rpms:systemd-215-11.fc22
rpms:systemd-215-10.fc22
rpms:systemd-215-9.fc22
rpms:systemd-209-1.fc21
rpms:systemd-209-2.gitf01de96.fc21
rpms:systemd-210-1.fc21
rpms:systemd-210-2.fc21
rpms:systemd-210-3.fc21
rpms:systemd-210-4.fc21
rpms:systemd-210-5.fc21
rpms:systemd-210-6.fc21
rpms:systemd-210-7.fc21
rpms:systemd-210-8.fc21
rpms:systemd-211-1.fc21
rpms:systemd-211-2.fc21
rpms:systemd-212-1.fc21
rpms:systemd-212-2.fc21
rpms:systemd-212-3.fc21
rpms:systemd-212-4.fc21
rpms:systemd-212-5.fc21
rpms:systemd-212-6.fc21
rpms:systemd-213-1.fc21
rpms:systemd-213-2.fc21
rpms:systemd-213-3.fc21
rpms:systemd-213-4.fc21
rpms:systemd-214-1.fc21
rpms:systemd-214-2.fc21
rpms:systemd-214-3.fc21
rpms:systemd-214-4.fc21
rpms:systemd-214-5.fc21
rpms:systemd-216-11.fc21
rpms:systemd-216-10.fc21
rpms:systemd-216-9.fc21
rpms:systemd-215-1.fc21
rpms:systemd-215-2.fc21
rpms:systemd-215-3.fc21
rpms:systemd-215-4.fc21
rpms:systemd-215-5.fc21
rpms:systemd-215-6.fc21
rpms:systemd-215-7.fc21
rpms:systemd-215-8.fc21
rpms:systemd-215-9.fc21
rpms:systemd-215-10.fc21
rpms:systemd-215-11.fc21
rpms:systemd-215-12.fc21
rpms:systemd-215-13.fc21
rpms:systemd-215-14.fc21
rpms:systemd-215-15.fc21
rpms:systemd-215-16.fc21
rpms:systemd-215-17.fc21
rpms:systemd-215-18.fc21
rpms:systemd-215-19.fc21
rpms:systemd-216-1.fc21
rpms:systemd-216-2.fc21
rpms:systemd-216-3.fc21
rpms:systemd-216-4.fc21
rpms:systemd-216-5.fc21
rpms:systemd-216-6.fc21
rpms:systemd-216-7.fc21
rpms:systemd-216-8.fc21
rpms:systemd-4-4_fc14
rpms:systemd-4-3_fc14
rpms:systemd-4-2_fc14
rpms:systemd-4-1_fc14
rpms:systemd-3-3_fc14
rpms:systemd-3-2_fc14
rpms:systemd-3-1_fc14
rpms:systemd-2-0_fc14
rpms:systemd-1-0_fc14
rpms:systemd-0-0_7_20100629git4176e5_fc14
rpms:systemd-0-0_6_20100622gita3723b_fc14
rpms:systemd-0-0_5_20100622gita3723b_fc14
rpms:systemd-0-0_4_20100614git393034_fc14
rpms:systemd-0-0_3_20100610git2f198e_fc14

16 commits
rawhide ... f31

Author SHA1 Message Date
Zbigniew Jędrzejewski-Szmek
54dfd2376d Revert patch that uses pthread_once() 
Apparently it's not available in F31.
 2020-09-20 14:39:04 +02:00
Zbigniew Jędrzejewski-Szmek
4866d64405 Add patch for kernel bug 2020-09-20 14:00:39 +02:00
Zbigniew Jędrzejewski-Szmek
de066f607f Version 243.9 2020-09-20 13:59:50 +02:00
Zbigniew Jędrzejewski-Szmek
f83e12aa03 Strip BOOT_IMAGE= from the kernel command-line in kernel-install 2020-03-26 15:35:03 +01:00
Zbigniew Jędrzejewski-Szmek
2f958e0537 Fix typo in udev rule 
(cherry picked from commit a4e7f2840f)
 2020-03-26 15:27:19 +01:00
Zbigniew Jędrzejewski-Szmek
c608d153c4 Modify the downstream udev rule to use bfq to only apply to disks 
(cherry picked from commit 437cd52f28)
 2020-03-26 15:27:03 +01:00
Zbigniew Jędrzejewski-Szmek
e8e687a51d Update to v243.8 2020-03-26 15:22:21 +01:00
Zbigniew Jędrzejewski-Szmek
b1442037aa Run tests with a timeout multiplier 
Tests fail to pass on s390x, and this seems to be just a timeout.
 2020-02-11 14:17:09 +01:00
Zbigniew Jędrzejewski-Szmek
22c4f572b4 Fix resume from hibernation and revert one udev patch 2020-02-10 17:28:59 +01:00
Zbigniew Jędrzejewski-Szmek
835eeac58c Update to 243.6 2020-02-05 18:22:14 +01:00
Zbigniew Jędrzejewski-Szmek
1fdb10909e Add patches to fix build on arm64 2019-12-17 10:22:43 +01:00
Zbigniew Jędrzejewski-Szmek
9741ae2ab8 Update to v243.5 2019-12-16 16:21:02 +01:00
Zbigniew Jędrzejewski-Szmek
05ce3560ea Update to v243.4 2019-11-19 14:57:31 +01:00
Zbigniew Jędrzejewski-Szmek
3d8b607209 Remove recommendation to use %{?systemd_requires} 
https://pagure.io/packaging-committee/issue/921
 2019-10-20 11:57:08 +02:00
Adam Williamson
7ec8ed014e Backport PR #13792 to fix nomodeset+BIOS CanGraphical bug (#1728240) 2019-10-18 19:11:11 -07:00
Zbigniew Jędrzejewski-Szmek
593d1c3279 Fix typo in %changelog 
https://bugzilla.redhat.com/show_bug.cgi?id=1745600
 2019-10-17 23:34:56 +02:00
46 changed files with 3121 additions and 5731 deletions
Download patch file Download diff file Expand all files Collapse all files

11
.editorconfig
View file

@ -1,11 +0,0 @@
root = true
[*]
charset = utf-8
indent_size = 4
indent_style = space
insert_final_newline = true
trim_trailing_whitespace = true
[*.{yml,yaml}]
indent_size = 2

1
.fmf/version
View file

@ -1 +0,0 @@
1

6
.gitignore vendored
View file

@ -1,5 +1,3 @@
*~
/.mail.list
/systemd-*/
/.build-*.log
/x86_64/
@ -7,7 +5,3 @@
/systemd-*.tar.xz
/systemd-*.tar.gz
/*.rpm
/mkosi.output/
/mkosi.cache/
/mkosi.builddir/
/mkosi.local.conf

7
.zuul.yaml
View file

@ -1,7 +0,0 @@
- project:
vars:
install_repo_exclude:
- systemd-standalone-repart
- systemd-standalone-shutdown
- systemd-standalone-sysusers
- systemd-standalone-tmpfiles

63
0001-Revert-hashmap-make-sure-to-initialize-shared-hash-k.patch Normal file
View file

@ -0,0 +1,63 @@
From de646878d39a184d3e5ecac5e49fac63b5d27dbf Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
Date: Sun, 20 Sep 2020 14:37:39 +0200
Subject: [PATCH] Revert "hashmap: make sure to initialize shared hash key
atomically"
This reverts commit df14a160095987140f4435412156a80ec628fd7c.
---
src/basic/hashmap.c | 13 ++++++-------
1 file changed, 6 insertions(+), 7 deletions(-)
diff --git a/src/basic/hashmap.c b/src/basic/hashmap.c
index 64fbad1969..3bd94a1320 100644
--- a/src/basic/hashmap.c
+++ b/src/basic/hashmap.c
@@ -1,7 +1,6 @@
/* SPDX-License-Identifier: LGPL-2.1+ */
#include <errno.h>
-#include <pthread.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
@@ -21,6 +20,7 @@
#include "strv.h"
#if ENABLE_DEBUG_HASHMAP
+#include <pthread.h>
#include "list.h"
#endif
@@ -195,6 +195,7 @@ assert_cc(DIRECT_BUCKETS(struct set_entry) < (1 << 3));
* a handful of directly stored entries in a hashmap. When a hashmap
* outgrows direct storage, it gets its own key for indirect storage. */
static uint8_t shared_hash_key[HASH_KEY_SIZE];
+static bool shared_hash_key_initialized;
/* Fields that all hashmap/set types must have */
struct HashmapBase {
@@ -770,10 +771,6 @@ static void reset_direct_storage(HashmapBase *h) {
memset(p, DIB_RAW_INIT, sizeof(dib_raw_t) * hi->n_direct_buckets);
}
-static void shared_hash_key_initialize(void) {
- random_bytes(shared_hash_key, sizeof(shared_hash_key));
-}
-
static struct HashmapBase *hashmap_base_new(const struct hash_ops *hash_ops, enum HashmapType type HASHMAP_DEBUG_PARAMS) {
HashmapBase *h;
const struct hashmap_type_info *hi = &hashmap_type_info[type];
@@ -796,8 +793,10 @@ static struct HashmapBase *hashmap_base_new(const struct hash_ops *hash_ops, enu
reset_direct_storage(h);
- static pthread_once_t once = PTHREAD_ONCE_INIT;
- assert_se(pthread_once(&once, shared_hash_key_initialize) == 0);
+ if (!shared_hash_key_initialized) {
+ random_bytes(shared_hash_key, sizeof(shared_hash_key));
+ shared_hash_key_initialized= true;
+ }
#if ENABLE_DEBUG_HASHMAP
h->debug.func = func;

88
0001-Revert-units-drop-runlevel-0-6-.target.patch
View file

@ -1,88 +0,0 @@
From 61750e265ce3f7783a8dba831e91140f84ad89f2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
Date: Wed, 5 Nov 2025 17:52:16 +0100
Subject: [PATCH 1/3] Revert "units: drop runlevel[0-6].target"
This partially reverts commit e58ba80a40fb6e96543d56774a5bc5aa9cdadbf3.
The unit are still needed for compat.
---
units/meson.build | 27 ++++++++++++++++++++++-----
1 file changed, 22 insertions(+), 5 deletions(-)
diff --git a/units/meson.build b/units/meson.build
index 2e04c4aa2b..46eaac4073 100644
--- a/units/meson.build
+++ b/units/meson.build
@@ -1,5 +1,7 @@
# SPDX-License-Identifier: LGPL-2.1-or-later
+with_runlevels = conf.get('HAVE_SYSV_COMPAT') == 1
+
units = [
{ 'file' : 'basic.target' },
{ 'file' : 'blockdev@.target' },
@@ -49,7 +51,7 @@ units = [
},
{
'file' : 'graphical.target',
- 'symlinks' : ['default.target'],
+ 'symlinks' : ['default.target'] + (with_runlevels ? ['runlevel5.target'] : []),
},
{ 'file' : 'halt.target' },
{
@@ -142,7 +144,10 @@ units = [
'conditions' : ['ENABLE_MACHINED'],
},
{ 'file' : 'modprobe@.service' },
- { 'file' : 'multi-user.target' },
+ {
+ 'file' : 'multi-user.target',
+ 'symlinks' : with_runlevels ? ['runlevel2.target', 'runlevel3.target', 'runlevel4.target'] : [],
+ },
{
'file' : 'systemd-mute-console.socket',
'symlinks' : ['sockets.target.wants/']
@@ -155,7 +160,10 @@ units = [
{ 'file' : 'nss-lookup.target' },
{ 'file' : 'nss-user-lookup.target' },
{ 'file' : 'paths.target' },
- { 'file' : 'poweroff.target' },
+ {
+ 'file' : 'poweroff.target',
+ 'symlinks' : with_runlevels ? ['runlevel0.target'] : [],
+ },
{ 'file' : 'printer.target' },
{
'file' : 'proc-sys-fs-binfmt_misc.automount',
@@ -180,7 +188,7 @@ units = [
},
{
'file' : 'reboot.target',
- 'symlinks' : ['ctrl-alt-del.target'],
+ 'symlinks' : ['ctrl-alt-del.target'] + (with_runlevels ? ['runlevel6.target'] : []),
},
{
'file' : 'remote-cryptsetup.target',
@@ -200,7 +208,10 @@ units = [
'symlinks' : ['initrd-root-device.target.wants/'],
},
{ 'file' : 'rescue.service.in' },
- { 'file' : 'rescue.target' },
+ {
+ 'file' : 'rescue.target',
+ 'symlinks' : with_runlevels ? ['runlevel1.target'] : [],
+ },
{ 'file' : 'rpcbind.target' },
{ 'file' : 'serial-getty@.service.in' },
{ 'file' : 'shutdown.target' },
@@ -1001,4 +1012,10 @@ else
dbussessionservicedir / 'org.freedesktop.systemd1.service'))
endif
+if conf.get('HAVE_SYSV_COMPAT') == 1
+ foreach i : [1, 2, 3, 4, 5]
+ install_emptydir(systemunitdir / 'runlevel@0@.target.wants'.format(i))
+ endforeach
+endif
+
subdir('user')

178
0002-Revert-units-set-NoNewPrivileges-for-all-long-runnin.patch Normal file
View file

@ -0,0 +1,178 @@
From 224a4eaf6701431af907179e313138213b60ce6c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
Date: Wed, 3 Apr 2019 10:56:14 +0200
Subject: [PATCH] Revert "units: set NoNewPrivileges= for all long-running
services"
This reverts commit 64d7f7b4a15f1534fb19fda6b601fec50783bee4.
---
units/systemd-coredump@.service.in | 1 -
units/systemd-hostnamed.service.in | 1 -
units/systemd-initctl.service.in | 1 -
units/systemd-journal-remote.service.in | 1 -
units/systemd-journald.service.in | 1 -
units/systemd-localed.service.in | 1 -
units/systemd-logind.service.in | 1 -
units/systemd-machined.service.in | 1 -
units/systemd-networkd.service.in | 1 -
units/systemd-resolved.service.in | 1 -
units/systemd-rfkill.service.in | 1 -
units/systemd-timedated.service.in | 1 -
units/systemd-timesyncd.service.in | 1 -
13 files changed, 13 deletions(-)
diff --git a/units/systemd-coredump@.service.in b/units/systemd-coredump@.service.in
index afb2ab9d17..5babc11e4c 100644
--- a/units/systemd-coredump@.service.in
+++ b/units/systemd-coredump@.service.in
@@ -22,7 +22,6 @@ IPAddressDeny=any
LockPersonality=yes
MemoryDenyWriteExecute=yes
Nice=9
-NoNewPrivileges=yes
OOMScoreAdjust=500
PrivateDevices=yes
PrivateNetwork=yes
diff --git a/units/systemd-hostnamed.service.in b/units/systemd-hostnamed.service.in
index b4f606cf78..f7977e1504 100644
--- a/units/systemd-hostnamed.service.in
+++ b/units/systemd-hostnamed.service.in
@@ -19,7 +19,6 @@ ExecStart=@rootlibexecdir@/systemd-hostnamed
IPAddressDeny=any
LockPersonality=yes
MemoryDenyWriteExecute=yes
-NoNewPrivileges=yes
PrivateDevices=yes
PrivateNetwork=yes
PrivateTmp=yes
diff --git a/units/systemd-initctl.service.in b/units/systemd-initctl.service.in
index c276283908..f48d673d58 100644
--- a/units/systemd-initctl.service.in
+++ b/units/systemd-initctl.service.in
@@ -14,6 +14,5 @@ DefaultDependencies=no
[Service]
ExecStart=@rootlibexecdir@/systemd-initctl
-NoNewPrivileges=yes
NotifyAccess=all
SystemCallArchitectures=native
diff --git a/units/systemd-journal-remote.service.in b/units/systemd-journal-remote.service.in
index dd6322e62c..c867aca104 100644
--- a/units/systemd-journal-remote.service.in
+++ b/units/systemd-journal-remote.service.in
@@ -17,7 +17,6 @@ ExecStart=@rootlibexecdir@/systemd-journal-remote --listen-https=-3 --output=/va
LockPersonality=yes
LogsDirectory=journal/remote
MemoryDenyWriteExecute=yes
-NoNewPrivileges=yes
PrivateDevices=yes
PrivateNetwork=yes
PrivateTmp=yes
diff --git a/units/systemd-journald.service.in b/units/systemd-journald.service.in
index fab405502a..308622e9b3 100644
--- a/units/systemd-journald.service.in
+++ b/units/systemd-journald.service.in
@@ -22,7 +22,6 @@ FileDescriptorStoreMax=4224
IPAddressDeny=any
LockPersonality=yes
MemoryDenyWriteExecute=yes
-NoNewPrivileges=yes
Restart=always
RestartSec=0
RestrictAddressFamilies=AF_UNIX AF_NETLINK
diff --git a/units/systemd-localed.service.in b/units/systemd-localed.service.in
index 7bca34409a..05fb4f0c80 100644
--- a/units/systemd-localed.service.in
+++ b/units/systemd-localed.service.in
@@ -19,7 +19,6 @@ ExecStart=@rootlibexecdir@/systemd-localed
IPAddressDeny=any
LockPersonality=yes
MemoryDenyWriteExecute=yes
-NoNewPrivileges=yes
PrivateDevices=yes
PrivateNetwork=yes
PrivateTmp=yes
diff --git a/units/systemd-logind.service.in b/units/systemd-logind.service.in
index 3eef95c661..53af530aea 100644
--- a/units/systemd-logind.service.in
+++ b/units/systemd-logind.service.in
@@ -27,7 +27,6 @@ FileDescriptorStoreMax=512
IPAddressDeny=any
LockPersonality=yes
MemoryDenyWriteExecute=yes
-NoNewPrivileges=yes
PrivateTmp=yes
ProtectControlGroups=yes
ProtectHome=yes
diff --git a/units/systemd-machined.service.in b/units/systemd-machined.service.in
index d6deefea08..092abc128f 100644
--- a/units/systemd-machined.service.in
+++ b/units/systemd-machined.service.in
@@ -22,7 +22,6 @@ ExecStart=@rootlibexecdir@/systemd-machined
IPAddressDeny=any
LockPersonality=yes
MemoryDenyWriteExecute=yes
-NoNewPrivileges=yes
ProtectHostname=yes
RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
RestrictRealtime=yes
diff --git a/units/systemd-networkd.service.in b/units/systemd-networkd.service.in
index 2c74da6f1e..eaabcb9941 100644
--- a/units/systemd-networkd.service.in
+++ b/units/systemd-networkd.service.in
@@ -24,7 +24,6 @@ CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_N
ExecStart=!!@rootlibexecdir@/systemd-networkd
LockPersonality=yes
MemoryDenyWriteExecute=yes
-NoNewPrivileges=yes
ProtectControlGroups=yes
ProtectHome=yes
ProtectKernelModules=yes
diff --git a/units/systemd-resolved.service.in b/units/systemd-resolved.service.in
index eee5d5ea8f..a8f442ef6f 100644
--- a/units/systemd-resolved.service.in
+++ b/units/systemd-resolved.service.in
@@ -25,7 +25,6 @@ CapabilityBoundingSet=CAP_SETPCAP CAP_NET_RAW CAP_NET_BIND_SERVICE
ExecStart=!!@rootlibexecdir@/systemd-resolved
LockPersonality=yes
MemoryDenyWriteExecute=yes
-NoNewPrivileges=yes
PrivateDevices=yes
PrivateTmp=yes
ProtectControlGroups=yes
diff --git a/units/systemd-rfkill.service.in b/units/systemd-rfkill.service.in
index 3abb958310..7447ed5b5b 100644
--- a/units/systemd-rfkill.service.in
+++ b/units/systemd-rfkill.service.in
@@ -18,7 +18,6 @@ Before=shutdown.target
[Service]
ExecStart=@rootlibexecdir@/systemd-rfkill
-NoNewPrivileges=yes
StateDirectory=systemd/rfkill
TimeoutSec=30s
Type=notify
diff --git a/units/systemd-timedated.service.in b/units/systemd-timedated.service.in
index df546f471f..4d50999a22 100644
--- a/units/systemd-timedated.service.in
+++ b/units/systemd-timedated.service.in
@@ -19,7 +19,6 @@ ExecStart=@rootlibexecdir@/systemd-timedated
IPAddressDeny=any
LockPersonality=yes
MemoryDenyWriteExecute=yes
-NoNewPrivileges=yes
PrivateTmp=yes
ProtectControlGroups=yes
ProtectHome=yes
diff --git a/units/systemd-timesyncd.service.in b/units/systemd-timesyncd.service.in
index 6512531e1c..2b2e1d73d2 100644
--- a/units/systemd-timesyncd.service.in
+++ b/units/systemd-timesyncd.service.in
@@ -24,7 +24,6 @@ CapabilityBoundingSet=CAP_SYS_TIME
ExecStart=!!@rootlibexecdir@/systemd-timesyncd
LockPersonality=yes
MemoryDenyWriteExecute=yes
-NoNewPrivileges=yes
PrivateDevices=yes
PrivateTmp=yes
ProtectControlGroups=yes

32
0002-machined-continue-without-resolve.hook-socket.patch
View file

@ -1,32 +0,0 @@
From 8d6d86d1d7e45eeae921e88adde55d6524027c96 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
Date: Wed, 26 Nov 2025 22:29:53 +0100
Subject: [PATCH 3/3] machined: continue without resolve.hook socket
---
src/machine/machined-varlink.c | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/src/machine/machined-varlink.c b/src/machine/machined-varlink.c
index f83cbb8562..0b30cd0531 100644
--- a/src/machine/machined-varlink.c
+++ b/src/machine/machined-varlink.c
@@ -894,9 +894,15 @@ static int manager_varlink_init_resolve_hook(Manager *m) {
r = sd_varlink_server_listen_address(s, VARLINK_PATH_MACHINED_RESOLVE_HOOK,
0666 | SD_VARLINK_SERVER_MODE_MKDIR_0755);
- if (r < 0)
- return log_error_errno(r, "Failed to bind to varlink socket %s: %m",
- VARLINK_PATH_MACHINED_RESOLVE_HOOK);
+ if (r < 0) {
+ bool ignore = ERRNO_IS_NEG_PRIVILEGE(r);
+ log_full_errno(ignore ? LOG_WARNING : LOG_ERR,
+ r,
+ "Failed to bind to varlink socket %s%s: %m",
+ VARLINK_PATH_MACHINED_RESOLVE_HOOK,
+ ignore ? ", ignoring" : "");
+ return ignore ? 0 : r;
+ }
r = sd_varlink_server_attach_event(s, m->event, SD_EVENT_PRIORITY_NORMAL);
if (r < 0)

112
0003-ukify-omit-.osrel-section-when-os-release-is-empty.patch
View file

@ -1,112 +0,0 @@
From 75890d949f92c412c0936b8536b2e0dc8f7dfb40 Mon Sep 17 00:00:00 2001
From: Nick Rosbrook <enr0n@ubuntu.com>
Date: Fri, 19 Dec 2025 11:01:49 -0500
Subject: [PATCH] ukify: omit .osrel section when --os-release= is empty
The primary motivation for this is to allow users of ukify to build
UKI-like objects, without having them later be detected as a UKI by
tools like kernel-install and bootctl.
The common code used by these tools to determine if a PE binary is a UKI
checks that both .osrel and .linux sections are present. Hence, adding
a mechansim to skip .osrel provides a way to avoid being labeled a UKI.
---
man/ukify.xml | 5 ++++-
src/ukify/test/test_ukify.py | 15 +++++++++++----
src/ukify/ukify.py | 10 +++++++++-
3 files changed, 24 insertions(+), 6 deletions(-)
diff --git a/man/ukify.xml b/man/ukify.xml
index 829761642d..7462c5c92f 100644
--- a/man/ukify.xml
+++ b/man/ukify.xml
@@ -365,7 +365,10 @@
<listitem><para>The os-release description (the <literal>.osrel</literal> section). The argument
may be a literal string, or <literal>@</literal> followed by a path name. If not specified, the
<citerefentry><refentrytitle>os-release</refentrytitle><manvolnum>5</manvolnum></citerefentry> file
- will be picked up from the host system.</para>
+ will be picked up from the host system. If explicitly set to an empty string, the ".osrel" section
+ is omitted from the UKI (this is not recommended in most cases, and causes the resulting artifact
+ to not be recognized as a UKI by other tools like <command>kernel-install</command>
+ and <command>bootctl</command>).</para>
<xi:include href="version-info.xml" xpointer="v253"/></listitem>
</varlistentry>
diff --git a/src/ukify/test/test_ukify.py b/src/ukify/test/test_ukify.py
index f75ef0c891..224a38569f 100755
--- a/src/ukify/test/test_ukify.py
+++ b/src/ukify/test/test_ukify.py
@@ -641,7 +641,7 @@ def test_efi_signing_pesign(kernel_initrd, tmp_path):
shutil.rmtree(tmp_path)
-def test_inspect(kernel_initrd, tmp_path, capsys):
+def test_inspect(kernel_initrd, tmp_path, capsys, osrel=True):
if kernel_initrd is None:
pytest.skip('linux+initrd not found')
if not shutil.which('sbsign'):
@@ -653,7 +653,7 @@ def test_inspect(kernel_initrd, tmp_path, capsys):
output = f'{tmp_path}/signed2.efi'
uname_arg='1.2.3'
- osrel_arg='Linux'
+ osrel_arg='Linux' if osrel else ''
cmdline_arg='ARG1 ARG2 ARG3'
args = [
@@ -680,8 +680,12 @@ def test_inspect(kernel_initrd, tmp_path, capsys):
text = capsys.readouterr().out
- expected_osrel = f'.osrel:\n size: {len(osrel_arg)}'
- assert expected_osrel in text
+ if osrel:
+ expected_osrel = f'.osrel:\n size: {len(osrel_arg)}'
+ assert expected_osrel in text
+ else:
+ assert '.osrel:' not in text
+
expected_cmdline = f'.cmdline:\n size: {len(cmdline_arg)}'
assert expected_cmdline in text
expected_uname = f'.uname:\n size: {len(uname_arg)}'
@@ -694,6 +698,9 @@ def test_inspect(kernel_initrd, tmp_path, capsys):
shutil.rmtree(tmp_path)
+def test_inspect_no_osrel(kernel_initrd, tmp_path, capsys):
+ test_inspect(kernel_initrd, tmp_path, capsys, osrel=False)
+
@pytest.mark.skipif(not slow_tests, reason='slow')
def test_pcr_signing(kernel_initrd, tmp_path):
if kernel_initrd is None:
diff --git a/src/ukify/ukify.py b/src/ukify/ukify.py
index c98f8e2a5d..b7542c7eca 100755
--- a/src/ukify/ukify.py
+++ b/src/ukify/ukify.py
@@ -1477,6 +1477,9 @@ def make_uki(opts: UkifyConfig) -> None:
'.profile',
}
+ if not opts.os_release:
+ to_import.remove('.osrel')
+
for profile in opts.join_profiles:
pe = pefile.PE(profile, fast_load=True)
prev_len = len(uki.sections)
@@ -2412,7 +2415,12 @@ def finalize_options(opts: argparse.Namespace) -> None:
opts.os_release = resolve_at_path(opts.os_release)
- if not opts.os_release and opts.linux:
+ if opts.os_release == '':
+ # If --os-release= with an empty string was passed, treat that as
+ # explicitly disabling the .osrel section, and do not fallback to the
+ # system's os-release files.
+ pass
+ elif opts.os_release is None and opts.linux:
p = Path('/etc/os-release')
if not p.exists():
p = Path('/usr/lib/os-release')
--
2.52.0

51
0004-stub-Fix-NULL-pointer-deref-when-there-are-no-initrd.patch
View file

@ -1,51 +0,0 @@
From e57e599e6b11039ab6484e5622b3deae20bfd678 Mon Sep 17 00:00:00 2001
From: Hans de Goede <johannes.goede@oss.qualcomm.com>
Date: Mon, 12 Jan 2026 14:56:36 +0100
Subject: [PATCH] stub: Fix NULL pointer deref when there are no initrds
When n_all_initrds == 0, then all_initrds is unmodified from its initial
value of:
_cleanup_free_ struct iovec *all_initrds = NULL;
and in the else block of the "if (n_all_initrds > 1)" the NULL is
dereferenced:
final_initrd = all_initrds[0];
Leading to the stub crashing due to a NULL pointer deref.
Fix this by initializing final_initrd to all 0s and only
running the else block if (n_all_initrds == 1).
---
src/boot/stub.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/boot/stub.c b/src/boot/stub.c
index 06ecbc7d18..65950262c6 100644
--- a/src/boot/stub.c
+++ b/src/boot/stub.c
@@ -1302,9 +1302,9 @@ static EFI_STATUS run(EFI_HANDLE image) {
/* Combine the initrds into one */
_cleanup_pages_ Pages initrd_pages = {};
- struct iovec final_initrd;
+ struct iovec final_initrd = {};
if (n_all_initrds > 1) {
- /* There will always be a base initrd, if this counter is higher, we need to combine them */
+ /* If there is more then 1 initrd we need to combine them */
err = combine_initrds(all_initrds, n_all_initrds, &initrd_pages, &final_initrd.iov_len);
if (err != EFI_SUCCESS)
return err;
@@ -1313,7 +1313,7 @@ static EFI_STATUS run(EFI_HANDLE image) {
/* Given these might be large let's free them explicitly before we pass control to Linux */
initrds_free(&initrds);
- } else
+ } else if (n_all_initrds == 1)
final_initrd = all_initrds[0];
struct iovec kernel = IOVEC_MAKE(
--
2.52.0

48
0998-resolved-create-etc-resolv.conf-symlink-at-runtime.patch Normal file
View file

@ -0,0 +1,48 @@
From 0c670fec00f3d5c103d9b7415d4e0510c61ad006 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
Date: Fri, 11 Mar 2016 17:06:17 -0500
Subject: [PATCH] resolved: create /etc/resolv.conf symlink at runtime
If the symlink doesn't exists, and we are being started, let's
create it to provie name resolution.
If it exists, do nothing. In particular, if it is a broken symlink,
we cannot really know if the administator configured it to point to
a location used by some service that hasn't started yet, so we
don't touch it in that case either.
https://bugzilla.redhat.com/show_bug.cgi?id=1313085
---
src/resolve/resolved.c | 4 ++++
tmpfiles.d/etc.conf.m4 | 3 ---
2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/src/resolve/resolved.c b/src/resolve/resolved.c
index 2ca9fbdc72..3c8a9ff12a 100644
--- a/src/resolve/resolved.c
+++ b/src/resolve/resolved.c
@@ -49,6 +49,10 @@ static int run(int argc, char *argv[]) {
/* Drop privileges, but only if we have been started as root. If we are not running as root we assume most
* privileges are already dropped. */
if (getuid() == 0) {
+ r = symlink("../run/systemd/resolve/resolv.conf", "/etc/resolv.conf");
+ if (r < 0 && errno != EEXIST)
+ log_warning_errno(errno,
+ "Could not create /etc/resolv.conf symlink: %m");
/* Drop privileges, but keep three caps. Note that we drop those too, later on (see below) */
r = drop_privileges(uid, gid,
diff --git a/tmpfiles.d/etc.conf.m4 b/tmpfiles.d/etc.conf.m4
index f82e0b82ce..66a777bdb2 100644
--- a/tmpfiles.d/etc.conf.m4
+++ b/tmpfiles.d/etc.conf.m4
@@ -12,9 +12,6 @@ L+ /etc/mtab - - - - ../proc/self/mounts
m4_ifdef(`HAVE_SMACK_RUN_LABEL',
t /etc/mtab - - - - security.SMACK64=_
)m4_dnl
-m4_ifdef(`ENABLE_RESOLVE',
-L! /etc/resolv.conf - - - - ../run/systemd/resolve/stub-resolv.conf
-)m4_dnl
C! /etc/nsswitch.conf - - - -
m4_ifdef(`HAVE_PAM',
C! /etc/pam.d - - - -

3
10-map-count.conf
View file

@ -1,3 +0,0 @@
# Increase the number of virtual memory areas that one process may request
# https://fedoraproject.org/wiki/Changes/IncreaseVmMaxMapCount
vm.max_map_count=1048576

2
10-oomd-defaults.conf
View file

@ -1,2 +0,0 @@
[OOM]
DefaultMemoryPressureDurationSec=20s

3
10-oomd-per-slice-defaults.conf
View file

@ -1,3 +0,0 @@
[Slice]
ManagedOOMMemoryPressure=kill
ManagedOOMMemoryPressureLimit=80%

14
10-timeout-abort.conf
View file

@ -1,14 +0,0 @@
# This file is part of the systemd package.
# See https://fedoraproject.org/wiki/Changes/Shorter_Shutdown_Timer.
#
# To facilitate debugging when a service fails to stop cleanly,
# TimeoutStopFailureMode=abort is set to "crash" services that fail to stop in
# the time allotted. This will cause the service to be terminated with SIGABRT
# and a coredump to be generated.
#
# To undo this configuration change, create a mask file:
# sudo mkdir -p /etc/systemd/system/service.d
# sudo ln -sv /dev/null /etc/systemd/system/service.d/10-timeout-abort.conf
[Service]
TimeoutStopFailureMode=abort

51
20-grubby.install Executable file
View file

@ -0,0 +1,51 @@
#!/bin/bash
if [[ ! -x /sbin/new-kernel-pkg ]]; then
exit 0
fi
COMMAND="$1"
KERNEL_VERSION="$2"
BOOT_DIR_ABS="$3"
KERNEL_IMAGE="$4"
KERNEL_DIR="${KERNEL_IMAGE%/*}"
[[ "$KERNEL_VERSION" == *\+* ]] && flavor=-"${KERNEL_VERSION##*+}"
case "$COMMAND" in
add)
if [[ "${KERNEL_DIR}" != "/boot" ]]; then
for i in \
"$KERNEL_IMAGE" \
"$KERNEL_DIR"/System.map \
"$KERNEL_DIR"/config \
"$KERNEL_DIR"/zImage.stub \
"$KERNEL_DIR"/dtb \
; do
[[ -e "$i" ]] || continue
cp -aT "$i" "/boot/${i##*/}-${KERNEL_VERSION}"
command -v restorecon &>/dev/null && \
restorecon -R "/boot/${i##*/}-${KERNEL_VERSION}"
done
# hmac is .vmlinuz-<version>.hmac so needs a special treatment
i="$KERNEL_DIR/.${KERNEL_IMAGE##*/}.hmac"
if [[ -e "$i" ]]; then
cp -a "$i" "/boot/.${KERNEL_IMAGE##*/}-${KERNEL_VERSION}.hmac"
command -v restorecon &>/dev/null && \
restorecon "/boot/.${KERNEL_IMAGE##*/}-${KERNEL_VERSION}.hmac"
fi
fi
/sbin/new-kernel-pkg --package "kernel${flavor}" --install "$KERNEL_VERSION" || exit $?
/sbin/new-kernel-pkg --package "kernel${flavor}" --mkinitrd --dracut --depmod --update "$KERNEL_VERSION" || exit $?
/sbin/new-kernel-pkg --package "kernel${flavor}" --rpmposttrans "$KERNEL_VERSION" || exit $?
;;
remove)
/sbin/new-kernel-pkg --package "kernel${flavor+-$flavor}" --rminitrd --rmmoddep --remove "$KERNEL_VERSION" || exit $?
;;
*)
;;
esac
# skip other installation plugins, if we can't find a boot loader spec conforming setup
if ! [[ -d /boot/loader/entries || -L /boot/loader/entries ]]; then
exit 77
fi

30
26494.patch
View file

@ -1,30 +0,0 @@
From 6b25470ee28843a49c50442e9d8a98edc842ceca Mon Sep 17 00:00:00 2001
From: Yu Watanabe <watanabe.yu+github@gmail.com>
Date: Mon, 20 Feb 2023 12:00:30 +0900
Subject: [PATCH] core/manager: run generators directly when we are in initrd
Some initrd system write files at ourside of /run, /etc, or other
allowed places. This is a kind of workaround, but in most cases, such
sandboxing is not necessary as the filesystem is on ramfs when we are in
initrd.
Fixes #26488.
---
src/core/manager.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/core/manager.c b/src/core/manager.c
index 7b394794b0d4..306477c6e6c2 100644
--- a/src/core/manager.c
+++ b/src/core/manager.c
@@ -3822,8 +3822,8 @@ static int manager_run_generators(Manager *m) {
/* If we are the system manager, we fork and invoke the generators in a sanitized mount namespace. If
* we are the user manager, let's just execute the generators directly. We might not have the
* necessary privileges, and the system manager has already mounted /tmp/ and everything else for us.
- */
- if (MANAGER_IS_USER(m)) {
+ * If we are in initrd, let's also execute the generators directly, as we are in ramfs. */
+ if (MANAGER_IS_USER(m) || in_initrd()) {
r = manager_execute_generators(m, paths, /* remount_ro= */ false);
goto finish;
}

56
30846.patch
View file

@ -1,56 +0,0 @@
From 07bedc8f93277f705622625f440a1f56ccff1cd0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
Date: Tue, 9 Jan 2024 11:28:04 +0100
Subject: [PATCH] journal: again create user journals for users with high uids
This effectively reverts a change in 115d5145a257c1a27330acf9f063b5f4d910ca4d
'journald: move uid_for_system_journal() to uid-alloc-range.h', which slipped
in an additional check of uid_is_container(uid). The problem is that that change
is not backwards-compatible at all and very hard for users to handle.
There is no common agreement on mappings of high-range uids. Systemd declares
ownership of a large range for container uids in https://systemd.io/UIDS-GIDS/,
but this is only a recent change and various sites allocated those ranges
in a different way, in particular FreeIPA uses (used?) uids from this range
for human users. On big sites with lots of users changing uids is obviously a
hard problem. We generally assume that uids cannot be "freed" and/or changed
and/or reused safely, so we shouldn't demand the same from others.
This is somewhat similar to the situation with SYSTEM_ALLOC_UID_MIN /
SYSTEM_UID_MAX, which we tried to define to a fixed value in our code, causing
huge problems for existing systems with were created with a different
definition and couldn't be easily updated. For that case, we added a
configuration time switch and we now parse /etc/login.defs to actually use the
value that is appropriate for the local system.
Unfortunately, login.defs doesn't have a concept of container allocation ranges
(and we don't have code to parse and use those nonexistent names either), so we
can't tell users to adjust logind.defs to work around the changed definition.
login.defs has SUB_UID_{MIN,MAX}, but those aren't really the same thing,
because they are used to define where the add allocations for subuids, which is
generally a much smaller range. Maybe we should talk with other folks about
the appropriate allocation ranges and define some new settings in login.defs.
But this would require discussion and coordination with other projects first.
Actualy, it seems that this change was needed at all. The code in the container
does not log to the outside journal. It talks to its own journald, which does
journal splitting using its internal logic based on shifted uids. So let's
revert the change to fix user systems.
Fixes https://bugzilla.redhat.com/show_bug.cgi?id=2251843.
---
src/basic/uid-classification.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/basic/uid-classification.c b/src/basic/uid-classification.c
index 203ce2c68a..2eb384395d 100644
--- a/src/basic/uid-classification.c
+++ b/src/basic/uid-classification.c
@@ -129,5 +129,6 @@ bool uid_for_system_journal(uid_t uid) {
/* Returns true if the specified UID shall get its data stored in the system journal. */
- return uid_is_system(uid) || uid_is_dynamic(uid) || uid_is_greeter(uid) || uid == UID_NOBODY || uid_is_container(uid) || uid_is_foreign(uid);
+ return uid_is_system(uid) || uid_is_dynamic(uid) || uid_is_greeter(uid) || uid == UID_NOBODY || uid_is_foreign(uid);
+
}

42
38769.patch
View file

@ -1,42 +0,0 @@
From 00d70f36a0866660693347009446b7f872a05bf4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
Date: Sat, 30 Aug 2025 13:55:56 +0200
Subject: [PATCH] core: create userdb root directory with correct label
Set up the /run/systemd/userdb directory with the default SELinux context
on creation.
With version 257.7-1 on Debian the directory was automatically created with the
correct label. Starting with version 258 (only tested with 258~rc3-1) it no
longer is. Regression introduced in 736349958efe34089131ca88950e2e5bb391d36a.
[zjs: edited the patch to apply comments from review and update the description.]
---
src/core/varlink.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/src/core/varlink.c b/src/core/varlink.c
index 99f12c59e5..71a8ffd0e5 100644
--- a/src/core/varlink.c
+++ b/src/core/varlink.c
@@ -5,6 +5,7 @@
#include "constants.h"
#include "errno-util.h"
#include "manager.h"
+#include "mkdir-label.h"
#include "path-util.h"
#include "pidref.h"
#include "string-util.h"
@@ -441,7 +442,11 @@ static int manager_varlink_init_system(Manager *m) {
if (!fresh && varlink_server_contains_socket(m->varlink_server, address))
continue;
- r = sd_varlink_server_listen_address(m->varlink_server, address, 0666 | SD_VARLINK_SERVER_MODE_MKDIR_0755);
+ r = mkdir_parents_label(address, 0755);
+ if (r < 0)
+ log_warning_errno(r, "Failed to create parent directory of '%s', ignoring: %m", address);
+
+ r = sd_varlink_server_listen_address(m->varlink_server, address, 0666);
if (r < 0)
return log_error_errno(r, "Failed to bind to varlink socket '%s': %m", address);
}

5
60-block-scheduler.rules
View file

@ -1,5 +0,0 @@
# do not edit this file, it will be overwritten on update
ACTION=="add", SUBSYSTEM=="block", ENV{DEVTYPE}=="disk", \
KERNEL=="mmcblk*[0-9]|msblk*[0-9]|mspblk*[0-9]|sd*[!0-9]|sr*", \
ATTR{queue/scheduler}="bfq"

20
98-default-mac-none.link
View file

@ -1,20 +0,0 @@
# SPDX-License-Identifier: MIT-0
#
# This config file is installed as part of systemd.
# It may be freely copied and edited (following the MIT No Attribution license).
#
# To make local modifications, one of the following methods may be used:
# 1. add a drop-in file that extends this file by creating the
# /etc/systemd/network/98-default-mac-none.link.d/ directory and creating a
# new .conf file there.
# 2. copy this file into /etc/systemd/network or one of the other paths checked
# by systemd-udevd and edit it there.
# This file should not be edited in place, because it'll be overwritten on upgrades.
[Match]
Kind=bridge bond team
[Link]
NamePolicy=keep kernel database onboard slot path
AlternativeNamesPolicy=database onboard slot path
MACAddressPolicy=none

14
README.build-in-place.md
View file

@ -1,14 +0,0 @@
# Building systemd rpms for local development using rpmbuild --build-in-place
This approach is based on filbranden's [git-rpmbuild](https://github.com/filbranden/git-rpmbuild)
and his [talk during ASG2019](https://www.youtube.com/watch?v=fVM1kJrymRM).
```
git clone https://github.com/systemd/systemd
fedpkg clone systemd fedora-systemd
cd systemd
rpmbuild -bb --build-in-place --noprep --define "_sourcedir $PWD/../fedora-systemd" --define "_rpmdir $PWD/rpms" --with upstream ../fedora-systemd/systemd.spec
sudo dnf upgrade --setopt install_weak_deps=False rpms/*/*.rpm
```
`--without lto` and `--without tests` may be useful to speed up the build.

143
a0a1977d9a5dc28e6c1998d8d5cb712305bd0b50.patch Normal file
View file

@ -0,0 +1,143 @@
From a0a1977d9a5dc28e6c1998d8d5cb712305bd0b50 Mon Sep 17 00:00:00 2001
From: Lennart Poettering <lennart@poettering.net>
Date: Thu, 14 Nov 2019 17:51:30 +0100
Subject: [PATCH] seccomp: more comprehensive protection against libseccomp's
__NR_xyz namespace invasion
A follow-up for 59b657296a2fe104f112b91bbf9301724067cc81, adding the
same conditioning for all cases of our __NR_xyz use.
Fixes: #14031
(cherry picked from commit 4df8fe8415eaf4abd5b93c3447452547c6ea9e5f)
---
src/basic/missing_syscall.h | 10 +++++-----
src/test/test-seccomp.c | 19 ++++++++++---------
2 files changed, 15 insertions(+), 14 deletions(-)
diff --git a/src/basic/missing_syscall.h b/src/basic/missing_syscall.h
index 6d9b12544d..1255d8b197 100644
--- a/src/basic/missing_syscall.h
+++ b/src/basic/missing_syscall.h
@@ -274,7 +274,7 @@ static inline int missing_renameat2(int oldfd, const char *oldname, int newfd, c
#if !HAVE_KCMP
static inline int missing_kcmp(pid_t pid1, pid_t pid2, int type, unsigned long idx1, unsigned long idx2) {
-# ifdef __NR_kcmp
+# if defined __NR_kcmp && __NR_kcmp > 0
return syscall(__NR_kcmp, pid1, pid2, type, idx1, idx2);
# else
errno = ENOSYS;
@@ -289,7 +289,7 @@ static inline int missing_kcmp(pid_t pid1, pid_t pid2, int type, unsigned long i
#if !HAVE_KEYCTL
static inline long missing_keyctl(int cmd, unsigned long arg2, unsigned long arg3, unsigned long arg4, unsigned long arg5) {
-# ifdef __NR_keyctl
+# if defined __NR_keyctl && __NR_keyctl > 0
return syscall(__NR_keyctl, cmd, arg2, arg3, arg4, arg5);
# else
errno = ENOSYS;
@@ -300,7 +300,7 @@ static inline long missing_keyctl(int cmd, unsigned long arg2, unsigned long arg
}
static inline key_serial_t missing_add_key(const char *type, const char *description, const void *payload, size_t plen, key_serial_t ringid) {
-# ifdef __NR_add_key
+# if defined __NR_add_key && __NR_add_key > 0
return syscall(__NR_add_key, type, description, payload, plen, ringid);
# else
errno = ENOSYS;
@@ -311,7 +311,7 @@ static inline key_serial_t missing_add_key(const char *type, const char *descrip
}
static inline key_serial_t missing_request_key(const char *type, const char *description, const char * callout_info, key_serial_t destringid) {
-# ifdef __NR_request_key
+# if defined __NR_request_key && __NR_request_key > 0
return syscall(__NR_request_key, type, description, callout_info, destringid);
# else
errno = ENOSYS;
@@ -496,7 +496,7 @@ enum {
static inline long missing_set_mempolicy(int mode, const unsigned long *nodemask,
unsigned long maxnode) {
long i;
-# ifdef __NR_set_mempolicy
+# if defined __NR_set_mempolicy && __NR_set_mempolicy > 0
i = syscall(__NR_set_mempolicy, mode, nodemask, maxnode);
# else
errno = ENOSYS;
diff --git a/src/test/test-seccomp.c b/src/test/test-seccomp.c
index a906070f9a..6dd98672b8 100644
--- a/src/test/test-seccomp.c
+++ b/src/test/test-seccomp.c
@@ -28,7 +28,8 @@
#include "tmpfile-util.h"
#include "virt.h"
-#if SCMP_SYS(socket) < 0 || defined(__i386__) || defined(__s390x__) || defined(__s390__)
+/* __NR_socket may be invalid due to libseccomp */
+#if !defined(__NR_socket) || __NR_socket <= 0 || defined(__i386__) || defined(__s390x__) || defined(__s390__)
/* On these archs, socket() is implemented via the socketcall() syscall multiplexer,
* and we can't restrict it hence via seccomp. */
# define SECCOMP_RESTRICT_ADDRESS_FAMILIES_BROKEN 1
@@ -304,14 +305,14 @@ static void test_protect_sysctl(void) {
assert_se(pid >= 0);
if (pid == 0) {
-#if __NR__sysctl > 0
+#if defined __NR__sysctl && __NR__sysctl > 0
assert_se(syscall(__NR__sysctl, NULL) < 0);
assert_se(errno == EFAULT);
#endif
assert_se(seccomp_protect_sysctl() >= 0);
-#if __NR__sysctl > 0
+#if defined __NR__sysctl && __NR__sysctl > 0
assert_se(syscall(__NR__sysctl, 0, 0, 0) < 0);
assert_se(errno == EPERM);
#endif
@@ -640,7 +641,7 @@ static void test_load_syscall_filter_set_raw(void) {
assert_se(poll(NULL, 0, 0) == 0);
assert_se(s = hashmap_new(NULL));
-#if SCMP_SYS(access) >= 0
+#if defined __NR_access && __NR_access > 0
assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_access + 1), INT_TO_PTR(-1)) >= 0);
#else
assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_faccessat + 1), INT_TO_PTR(-1)) >= 0);
@@ -656,7 +657,7 @@ static void test_load_syscall_filter_set_raw(void) {
s = hashmap_free(s);
assert_se(s = hashmap_new(NULL));
-#if SCMP_SYS(access) >= 0
+#if defined __NR_access && __NR_access > 0
assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_access + 1), INT_TO_PTR(EILSEQ)) >= 0);
#else
assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_faccessat + 1), INT_TO_PTR(EILSEQ)) >= 0);
@@ -672,7 +673,7 @@ static void test_load_syscall_filter_set_raw(void) {
s = hashmap_free(s);
assert_se(s = hashmap_new(NULL));
-#if SCMP_SYS(poll) >= 0
+#if defined __NR_poll && __NR_poll > 0
assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_poll + 1), INT_TO_PTR(-1)) >= 0);
#else
assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_ppoll + 1), INT_TO_PTR(-1)) >= 0);
@@ -689,7 +690,7 @@ static void test_load_syscall_filter_set_raw(void) {
s = hashmap_free(s);
assert_se(s = hashmap_new(NULL));
-#if SCMP_SYS(poll) >= 0
+#if defined __NR_poll && __NR_poll > 0
assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_poll + 1), INT_TO_PTR(EILSEQ)) >= 0);
#else
assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_ppoll + 1), INT_TO_PTR(EILSEQ)) >= 0);
@@ -767,8 +768,8 @@ static int real_open(const char *path, int flags, mode_t mode) {
* testing purposes that calls the real syscall, on architectures where SYS_open is defined. On
* other architectures, let's just fall back to the glibc call. */
-#ifdef SYS_open
- return (int) syscall(SYS_open, path, flags, mode);
+#if defined __NR_open && __NR_open > 0
+ return (int) syscall(__NR_open, path, flags, mode);
#else
return open(path, flags, mode);
#endif

3221
changelog
View file

File diff suppressed because it is too large Load diff

129
f58b96d3e8d1cb0dd3666bc74fa673918b586612.patch Normal file
View file

@ -0,0 +1,129 @@
From f58b96d3e8d1cb0dd3666bc74fa673918b586612 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
Date: Mon, 14 Sep 2020 17:58:03 +0200
Subject: [PATCH] test-mountpointutil-util: do not assert in test_mnt_id()
https://bugzilla.redhat.com/show_bug.cgi?id=1803070
I *think* this a kernel bug: the mnt_id as listed in /proc/self/mountinfo is different
than the one we get from /proc/self/fdinfo/. This only matters when both statx and
name_to_handle_at are unavailable and we hit the fallback path that goes through fdinfo:
(gdb) !uname -r
5.6.19-200.fc31.ppc64le
(gdb) !cat /proc/self/mountinfo
697 664 253:0 /var/lib/mock/fedora-31-ppc64le/root / rw,relatime shared:298 master:1 - xfs /dev/mapper/fedora_rh--power--vm14-root rw,seclabel,attr2,inode64,logbufs=8,logbsize=32k,noquota
698 697 253:0 /var/cache/mock/fedora-31-ppc64le/yum_cache /var/cache/yum rw,relatime shared:299 master:1 - xfs /dev/mapper/fedora_rh--power--vm14-root rw,seclabel,attr2,inode64,logbufs=8,logbsize=32k,noquota
699 697 253:0 /var/cache/mock/fedora-31-ppc64le/dnf_cache /var/cache/dnf rw,relatime shared:300 master:1 - xfs /dev/mapper/fedora_rh--power--vm14-root rw,seclabel,attr2,inode64,logbufs=8,logbsize=32k,noquota
700 697 0:32 /mock-selinux-plugin.7me9bfpi /proc/filesystems rw,nosuid,nodev shared:301 master:18 - tmpfs tmpfs rw,seclabel <==========================================================
701 697 0:41 / /sys ro,nosuid,nodev,noexec,relatime shared:302 - sysfs sysfs ro,seclabel
702 701 0:21 / /sys/fs/selinux ro,nosuid,nodev,noexec,relatime shared:306 master:8 - selinuxfs selinuxfs rw
703 697 0:42 / /dev rw,nosuid shared:303 - tmpfs tmpfs rw,seclabel,mode=755
704 703 0:43 / /dev/shm rw,nosuid,nodev shared:304 - tmpfs tmpfs rw,seclabel
705 703 0:45 / /dev/pts rw,nosuid,noexec,relatime shared:307 - devpts devpts rw,seclabel,gid=5,mode=620,ptmxmode=666
706 703 0:6 /btrfs-control /dev/btrfs-control rw,nosuid shared:308 master:9 - devtmpfs devtmpfs rw,seclabel,size=4107840k,nr_inodes=64185,mode=755
707 703 0:6 /loop-control /dev/loop-control rw,nosuid shared:309 master:9 - devtmpfs devtmpfs rw,seclabel,size=4107840k,nr_inodes=64185,mode=755
708 703 0:6 /loop0 /dev/loop0 rw,nosuid shared:310 master:9 - devtmpfs devtmpfs rw,seclabel,size=4107840k,nr_inodes=64185,mode=755
709 703 0:6 /loop1 /dev/loop1 rw,nosuid shared:311 master:9 - devtmpfs devtmpfs rw,seclabel,size=4107840k,nr_inodes=64185,mode=755
710 703 0:6 /loop10 /dev/loop10 rw,nosuid shared:312 master:9 - devtmpfs devtmpfs rw,seclabel,size=4107840k,nr_inodes=64185,mode=755
711 703 0:6 /loop11 /dev/loop11 rw,nosuid shared:313 master:9 - devtmpfs devtmpfs rw,seclabel,size=4107840k,nr_inodes=64185,mode=755
712 703 0:6 /loop2 /dev/loop2 rw,nosuid shared:314 master:9 - devtmpfs devtmpfs rw,seclabel,size=4107840k,nr_inodes=64185,mode=755
713 703 0:6 /loop3 /dev/loop3 rw,nosuid shared:315 master:9 - devtmpfs devtmpfs rw,seclabel,size=4107840k,nr_inodes=64185,mode=755
714 703 0:6 /loop4 /dev/loop4 rw,nosuid shared:316 master:9 - devtmpfs devtmpfs rw,seclabel,size=4107840k,nr_inodes=64185,mode=755
715 703 0:6 /loop5 /dev/loop5 rw,nosuid shared:317 master:9 - devtmpfs devtmpfs rw,seclabel,size=4107840k,nr_inodes=64185,mode=755
716 703 0:6 /loop6 /dev/loop6 rw,nosuid shared:318 master:9 - devtmpfs devtmpfs rw,seclabel,size=4107840k,nr_inodes=64185,mode=755
717 703 0:6 /loop7 /dev/loop7 rw,nosuid shared:319 master:9 - devtmpfs devtmpfs rw,seclabel,size=4107840k,nr_inodes=64185,mode=755
718 703 0:6 /loop8 /dev/loop8 rw,nosuid shared:320 master:9 - devtmpfs devtmpfs rw,seclabel,size=4107840k,nr_inodes=64185,mode=755
719 703 0:6 /loop9 /dev/loop9 rw,nosuid shared:321 master:9 - devtmpfs devtmpfs rw,seclabel,size=4107840k,nr_inodes=64185,mode=755
720 697 0:44 / /run rw,nosuid,nodev shared:305 - tmpfs tmpfs rw,seclabel,mode=755
721 720 0:25 /systemd/nspawn/propagate/9cc8a155d0244558b273f773d2b92142 /run/systemd/nspawn/incoming ro master:12 - tmpfs tmpfs rw,seclabel,mode=755
722 697 0:32 /mock-resolv.dvml91hp /etc/resolv.conf rw,nosuid,nodev shared:322 master:18 - tmpfs tmpfs rw,seclabel
725 697 0:47 / /proc rw,nosuid,nodev,noexec,relatime shared:323 - proc proc rw
603 725 0:47 /sys /proc/sys ro,nosuid,nodev,noexec,relatime shared:323 - proc proc rw
604 725 0:44 /systemd/inaccessible/reg /proc/kallsyms ro,nosuid,nodev,noexec shared:305 - tmpfs tmpfs rw,seclabel,mode=755
605 725 0:44 /systemd/inaccessible/reg /proc/kcore ro,nosuid,nodev,noexec shared:305 - tmpfs tmpfs rw,seclabel,mode=755
606 725 0:44 /systemd/inaccessible/reg /proc/keys ro,nosuid,nodev,noexec shared:305 - tmpfs tmpfs rw,seclabel,mode=755
607 725 0:44 /systemd/inaccessible/reg /proc/sysrq-trigger ro,nosuid,nodev,noexec shared:305 - tmpfs tmpfs rw,seclabel,mode=755
608 725 0:44 /systemd/inaccessible/reg /proc/timer_list ro,nosuid,nodev,noexec shared:305 - tmpfs tmpfs rw,seclabel,mode=755
609 725 0:47 /bus /proc/bus ro,nosuid,nodev,noexec,relatime shared:323 - proc proc rw
610 725 0:47 /fs /proc/fs ro,nosuid,nodev,noexec,relatime shared:323 - proc proc rw
611 725 0:47 /irq /proc/irq ro,nosuid,nodev,noexec,relatime shared:323 - proc proc rw
612 725 0:47 /scsi /proc/scsi ro,nosuid,nodev,noexec,relatime shared:323 - proc proc rw
613 703 0:46 / /dev/mqueue rw,nosuid,nodev,noexec,relatime shared:324 - mqueue mqueue rw,seclabel
614 701 0:26 / /sys/fs/cgroup rw,nosuid,nodev,noexec,relatime shared:325 - cgroup2 cgroup rw,seclabel,nsdelegate
615 603 0:44 /.#proc-sys-kernel-random-boot-id4fbdce67af46d1c2//deleted /proc/sys/kernel/random/boot_id ro,nosuid,nodev,noexec shared:305 - tmpfs tmpfs rw,seclabel,mode=755
616 725 0:44 /.#proc-sys-kernel-random-boot-id4fbdce67af46d1c2//deleted /proc/sys/kernel/random/boot_id rw,nosuid,nodev shared:305 - tmpfs tmpfs rw,seclabel,mode=755
617 725 0:44 /.#proc-kmsg5b7a8bcfe6717139//deleted /proc/kmsg rw,nosuid,nodev shared:305 - tmpfs tmpfs rw,seclabel,mode=755
The test process does
name_to_handle_at("/proc/filesystems") which returns -EOPNOTSUPP, and then
openat(AT_FDCWD, "/proc/filesystems") which returns 4, and then
read(open("/proc/self/fdinfo/4", ...)) which gives
"pos:\t0\nflags:\t012100000\nmnt_id:\t725\n"
and the "725" is clearly inconsistent with "700" in /proc/self/mountinfo.
We could either drop the fallback path (and fail name_to_handle_at() is not
avaliable) or ignore the error in the test. Not sure what is better. I think
this issue only occurs sometimes and with older kernels, so probably continuing
with the current flaky implementation is better than ripping out the fallback.
Another strace:
writev(2</dev/pts/0>, [{iov_base="mnt ids of /proc/sys is 603", iov_len=27}, {iov_base="\n", iov_len=1}], 2mnt ids of /proc/sys is 603
) = 28
name_to_handle_at(AT_FDCWD, "/", {handle_bytes=128 => 12, handle_type=129, f_handle=0x52748401000000008b93e20d}, [697], 0) = 0
writev(2</dev/pts/0>, [{iov_base="mnt ids of / is 697", iov_len=19}, {iov_base="\n", iov_len=1}], 2mnt ids of / is 697
) = 20
name_to_handle_at(AT_FDCWD, "/proc/kcore", {handle_bytes=128 => 12, handle_type=1, f_handle=0x92ddcfcd2e802d0100000000}, [605], 0) = 0
writev(2</dev/pts/0>, [{iov_base="mnt ids of /proc/kcore is 605", iov_len=29}, {iov_base="\n", iov_len=1}], 2mnt ids of /proc/kcore is 605
) = 30
name_to_handle_at(AT_FDCWD, "/dev", {handle_bytes=128 => 12, handle_type=1, f_handle=0x8ae269160c802d0100000000}, [703], 0) = 0
writev(2</dev/pts/0>, [{iov_base="mnt ids of /dev is 703", iov_len=22}, {iov_base="\n", iov_len=1}], 2mnt ids of /dev is 703
) = 23
name_to_handle_at(AT_FDCWD, "/proc/filesystems", {handle_bytes=128}, 0x7fffe36ddb84, 0) = -1 EOPNOTSUPP (Operation not supported)
openat(AT_FDCWD, "/proc/filesystems", O_RDONLY|O_NOFOLLOW|O_CLOEXEC|O_PATH) = 4</proc/filesystems>
openat(AT_FDCWD, "/proc/self/fdinfo/4", O_RDONLY|O_CLOEXEC) = 5</proc/20/fdinfo/4>
fstat(5</proc/20/fdinfo/4>, {st_mode=S_IFREG|0400, st_size=0, ...}) = 0
fstat(5</proc/20/fdinfo/4>, {st_mode=S_IFREG|0400, st_size=0, ...}) = 0
read(5</proc/20/fdinfo/4>, "pos:\t0\nflags:\t012100000\nmnt_id:\t725\n", 2048) = 36
read(5</proc/20/fdinfo/4>, "", 1024) = 0
close(5</proc/20/fdinfo/4>) = 0
close(4</proc/filesystems>) = 0
writev(2</dev/pts/0>, [{iov_base="mnt ids of /proc/filesystems are 700, 725", iov_len=41}, {iov_base="\n", iov_len=1}], 2mnt ids of /proc/filesystems are 700, 725
) = 42
writev(2</dev/pts/0>, [{iov_base="the other path for mnt id 725 is /proc", iov_len=38}, {iov_base="\n", iov_len=1}], 2the other path for mnt id 725 is /proc
) = 39
writev(2</dev/pts/0>, [{iov_base="Assertion 'path_equal(p, t)' failed at src/test/test-mountpoint-util.c:94, function test_mnt_id(). Aborting.", iov_len=108}, {iov_base="\n", iov_len=1}], 2Assertion 'path_equal(p, t)' failed at src/test/test-mountpoint-util.c:94, function test_mnt_id(). Aborting.
) = 109
rt_sigprocmask(SIG_UNBLOCK, [ABRT], NULL, 8) = 0
rt_sigprocmask(SIG_BLOCK, ~[RTMIN RT_1], [], 8) = 0
getpid() = 20
gettid() = 20
tgkill(20, 20, SIGABRT) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
--- SIGABRT {si_signo=SIGABRT, si_code=SI_TKILL, si_pid=20, si_uid=0} ---
+++ killed by SIGABRT (core dumped) +++
---
src/test/test-mountpoint-util.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/src/test/test-mountpoint-util.c b/src/test/test-mountpoint-util.c
index 30b00ae4d8b..ffe5144b04a 100644
--- a/src/test/test-mountpoint-util.c
+++ b/src/test/test-mountpoint-util.c
@@ -89,8 +89,12 @@ static void test_mnt_id(void) {
/* The ids don't match? If so, then there are two mounts on the same path, let's check if
* that's really the case */
char *t = hashmap_get(h, INT_TO_PTR(mnt_id2));
- log_debug("the other path for mnt id %i is %s\n", mnt_id2, t);
- assert_se(path_equal(p, t));
+ log_debug("Path for mnt id %i from /proc/self/mountinfo is %s\n", mnt_id2, t);
+
+ if (!path_equal(p, t))
+ /* Apparent kernel bug in /proc/self/fdinfo */
+ log_warning("Bad mount id given for %s: %d, should be %d",
+ p, mnt_id2, mnt_id);
}
}

3
libabigail.abignore
View file

@ -1,3 +0,0 @@
[suppress_file]
# Those shared objects are private to systemd
file_name_regexp=libsystemd-(shared|core)-.*.so

10
macros.sysusers
View file

@ -1,10 +0,0 @@
# RPM macros for packages creating system accounts
#
# Turn a sysusers.d file into macros specified by
# https://docs.fedoraproject.org/en-US/packaging-guidelines/UsersAndGroups/#_dynamic_allocation
#
# After https://fedoraproject.org/wiki/Changes/RPMSuportForSystemdSysusers,
# those macros are not needed anymore.
%sysusers_requires_compat %nil
%sysusers_create_compat() %nil

10
macros.sysusers.compat
View file

@ -1,10 +0,0 @@
# RPM macros for packages creating system accounts
#
# Turn a sysusers.d file into macros specified by
# https://docs.fedoraproject.org/en-US/packaging-guidelines/UsersAndGroups/#_dynamic_allocation
%sysusers_requires_compat Requires(pre): shadow-utils
%sysusers_create_compat() \
%(%{_rpmconfigdir}/sysusers.generate-pre.sh %{?*}) \
%{nil}

53
owner-check.sh
View file

@ -1,53 +0,0 @@
#!/bin/bash
set -e
verb="$1"
[ "$verb" = "-s" ] && do_send=1 || do_send=
[ -n "$do_send" ] && [ -z "$server" -o -z "login" ] && { echo '$server and $login need to be set'; exit 1; }
header=
from=systemd-maint@fedoraproject.org
time='2 years ago'
# time='1 day ago'
port=587
for user in "$@"; do
echo "checking $user"
p=$(git log -1 --all --author "$user")
if [ -z "$p" ]; then
echo "No commits from $user, check spelling"
exit 1
fi
t=$(git shortlog --all --author "$user" --since "@{$time}" | wc -l)
if [ $t != 0 ]; then
echo "$t commits in the last two years, OK"
echo
continue
fi
echo "$p" | head -n6
echo ".. adding to list"
if [ -z "$header" ]; then
echo '$USER$;$EMAIL$' >.mail.list
header=done
fi
echo "$user;$user@fedoraproject.org" >>.mail.list
echo
done
[ -z "$header" ] && exit 0
[ -n "$do_send" ] || exit 0
echo "Sending mails…"
set -x
massmail -F "$from" \
-C "$from" \
-S 'write access to the fedora systemd package' \
-z "$server" -u "$login" -P "$port" \
.mail.list <owner-check.template

20
owner-check.template
View file

@ -1,20 +0,0 @@
Dear $USER$,
the automation to check activity in the systemd dist-git repo [1]
determined that you haven't done any commits in the last two years.
To decrease the potential for unauthorized access, such checks will be
executed periodically. Not-used accounts with write access to the repo
will be downgraded to "ticket" (no write privileges).
If you want to retain access, please reply to this mail.
Otherwise, in two weeks, your access mode will be changed to "ticket".
Even without write access, anyone can open a pull request in pagure,
so write access is not necessary to contribute to the package.
Obviously such changes not permanent, so even if your access mode is
downgraded, it can easily be restored later on.
Yours friendly,
./owner-check.sh
[1] https://src.fedoraproject.org/rpms/systemd

127
plans/run-integration-tests.sh
View file

@ -1,127 +0,0 @@
#!/bin/bash
set -eux
set -o pipefail
# Switch SELinux to permissive if possible, since the tests don't set proper contexts
setenforce 0 || true
echo "CPU and Memory information:"
lscpu
lsmem
echo "Clock source: $(cat /sys/devices/system/clocksource/clocksource0/current_clocksource)"
# Bump inotify limits if we can so nspawn containers don't run out of inotify file descriptors.
sysctl fs.inotify.max_user_watches=65536 || true
sysctl fs.inotify.max_user_instances=1024 || true
if [[ -n "${KOJI_TASK_ID:-}" ]]; then
koji download-task --noprogress --arch="noarch,$(rpm --eval '%{_arch}')" "$KOJI_TASK_ID"
elif [[ -n "${CBS_TASK_ID:-}" ]]; then
cbs download-task --noprogress --arch="noarch,$(rpm --eval '%{_arch}')" "$CBS_TASK_ID"
elif [[ -n "${PACKIT_SRPM_URL:-}" ]]; then
COPR_BUILD_ID="$(basename "$(dirname "$PACKIT_SRPM_URL")")"
COPR_CHROOT="$(basename "$(dirname "$(dirname "$PACKIT_BUILD_LOG_URL")")")"
copr download-build --rpms --chroot "$COPR_CHROOT" "$COPR_BUILD_ID"
mv "$COPR_CHROOT"/* .
else
echo "Not running within packit and no CBS/koji task ID provided"
exit 1
fi
PACKAGEDIR="$PWD"
# This will match both the regular and the debuginfo rpm so make sure we select only the
# non-debuginfo rpm.
RPMS=(systemd-tests-*.rpm)
rpm2cpio "${RPMS[0]}" | cpio --make-directories --extract
pushd usr/lib/systemd/tests
mkosi_hash="$(grep "MinimumVersion=commit:" mkosi/mkosi.conf | sed "s|MinimumVersion=commit:||g")"
# Now prepare mkosi at the same version required by the systemd repo.
git clone https://github.com/systemd/mkosi /var/tmp/systemd-integration-tests-mkosi
git -C /var/tmp/systemd-integration-tests-mkosi checkout "$mkosi_hash"
export PATH="/var/tmp/systemd-integration-tests-mkosi/bin:$PATH"
# shellcheck source=/dev/null
. /etc/os-release || . /usr/lib/os-release
tee mkosi/mkosi.local.conf <<EOF
[Distribution]
Distribution=${MKOSI_DISTRIBUTION:-$ID}
Release=${MKOSI_RELEASE:-${VERSION_ID:-rawhide}}
[Content]
PackageDirectories=$PACKAGEDIR
SELinuxRelabel=yes
[Build]
ToolsTreeDistribution=${MKOSI_DISTRIBUTION:-$ID}
ToolsTreeRelease=${MKOSI_RELEASE:-${VERSION_ID:-rawhide}}
ToolsTreePackageDirectories=$PACKAGEDIR
Environment=NO_BUILD=1
WithTests=yes
EOF
if [[ -n "${MKOSI_REPOSITORIES:-}" ]]; then
tee --append mkosi/mkosi.local.conf <<EOF
[Distribution]
Repositories=$MKOSI_REPOSITORIES
[Build]
ToolsTreeRepositories=$MKOSI_REPOSITORIES
EOF
fi
if [[ -n "${TEST_SELINUX_CHECK_AVCS:-}" ]]; then
tee --append mkosi/mkosi.local.conf <<EOF
[Runtime]
KernelCommandLineExtra=systemd.setenv=TEST_SELINUX_CHECK_AVCS=$TEST_SELINUX_CHECK_AVCS
EOF
fi
# If we don't have KVM, skip running in qemu, as it's too slow. But try to load the module first.
modprobe kvm || true
if [[ ! -e /dev/kvm ]]; then
export TEST_NO_QEMU=1
fi
NPROC="$(nproc)"
if [[ "$NPROC" -ge 10 ]]; then
export TEST_JOURNAL_USE_TMP=1
NPROC="$((NPROC / 3))"
else
NPROC="$((NPROC - 1))"
fi
# This test is only really useful if we're building with sanitizers and takes a long time, so let's skip it
# for now.
export TEST_SKIP="TEST-21-DFUZZER ${TEST_SKIP:-}"
mkosi genkey
mkosi summary
mkosi -f box -- true
mkosi box -- meson setup build integration-tests/standalone
mkosi -f
if [[ "$(mkosi box -- meson test --help)" == *"--max-lines"* ]]; then
MAX_LINES=(--max-lines 300)
else
MAX_LINES=()
fi
mkosi box -- \
meson test \
-C build \
--setup=integration \
--print-errorlogs \
--no-stdsplit \
--num-processes "$NPROC" \
"${MAX_LINES[@]}" && EC=0 || EC=$?
[[ -d build/meson-logs ]] && find build/meson-logs -type f -exec mv {} "$TMT_TEST_DATA" \;
[[ -d build/test/journal ]] && find build/test/journal -type f -exec mv {} "$TMT_TEST_DATA" \;
popd
exit "$EC"

22
plans/upstream.fmf
View file

@ -1,22 +0,0 @@
summary: systemd upstream test suite
provision:
hardware:
virtualization:
is-supported: true
prepare:
- name: install-dependencies
how: install
package:
- coreutils
- distribution-gpg-keys
- dnf
- git-core
- koji
- centos-packager
- copr-cli
exclude:
- systemd-standalone-.*
execute:
how: tmt
script: exec plans/run-integration-tests.sh
duration: 2h

101
purge-nobody-user Executable file
View file

@ -0,0 +1,101 @@
#!/bin/bash -eu
if [ $UID -ne 0 ]; then
echo "WARNING: This script needs to run as root to be effective"
exit 1
fi
export SYSTEMD_NSS_BYPASS_SYNTHETIC=1
if [ "${1:-}" = "--ignore-journal" ]; then
shift
ignore_journal=1
else
ignore_journal=0
fi
echo "Checking processes..."
if ps h -u 99 | grep .; then
echo "ERROR: ps reports processes with UID 99!"
exit 2
fi
echo "... not found"
echo "Checking UTMP..."
if w -h 199 | grep . ; then
echo "ERROR: w reports UID 99 as active!"
exit 2
fi
if w -h nobody | grep . ; then
echo "ERROR: w reports user nobody as active!"
exit 2
fi
echo "... not found"
echo "Checking the journal..."
if [ "$ignore_journal" = 0 ] && journalctl -q -b -n10 _UID=99 | grep . ; then
echo "ERROR: journalctl reports messages from UID 99 in current boot!"
exit 2
fi
echo "... not found"
echo "Looking for files in /etc, /run, /tmp, and /var..."
if find /etc /run /tmp /var -uid 99 -print | grep -m 10 . ; then
echo "ERROR: found files belonging to UID 99"
exit 2
fi
echo "... not found"
echo "Checking if nobody is defined correctly..."
if getent passwd nobody |
grep '^nobody:[x*]:65534:65534:.*:/:/sbin/nologin';
then
echo "OK, nothing to do."
exit 0
else
echo "NOTICE: User nobody is not defined correctly"
fi
echo "Checking if nfsnobody or something else is using the uid..."
if getent passwd 65534 | grep . ; then
echo "NOTICE: will have to remove this user"
else
echo "... not found"
fi
if [ "${1:-}" = "-x" ]; then
if getent passwd nobody >/dev/null; then
# this will remove both the user and the group.
( set -x
userdel nobody
)
fi
if getent passwd 65534 >/dev/null; then
# Make sure the uid is unused. This should free gid too.
name="$(getent passwd 65534 | cut -d: -f1)"
( set -x
userdel "$name"
)
fi
if grep -qE '^(passwd|group):.*\bsss\b' /etc/nsswitch.conf; then
echo "Sleeping, so sss can catch up"
sleep 3
fi
if getent group 65534; then
# Make sure the gid is unused, even if uid wasn't.
name="$(getent group 65534 | cut -d: -f1)"
( set -x
groupdel "$name"
)
fi
# systemd-sysusers uses the same gid and uid
( set -x
systemd-sysusers --inline 'u nobody 65534 "Kernel Overflow User" / /sbin/nologin'
)
else
echo "Pass '-x' to perform changes"
fi

24
rpminspect.yaml
View file

@ -1,24 +0,0 @@
# Disable badfuncs check that has tons of false positives.
badfuncs:
allowed:
/usr/lib/systemd/tests/unit-tests/*:
- inet_addr
- inet_aton
/usr/bin/networkctl:
- inet_addr
- inet_aton
# don't report changed content of compiled files
# that is expected with every update
changedfiles:
exclude_path: .*
# completely disable inspections:
inspections:
# we know about our patches, no need to report anything
patches: off
# this inspection uses `udevadm` which comes from this package
# disable so we do not check udev rules with a possibly outdated version
# of the command
udevrules: off

2
sources
View file

@ -1 +1 @@
SHA512 (systemd-259.tar.gz) = ef46b13661df43e3cfbeee1bc22f0b1eb902e8ebe39c19868c465efd08b35a199c2a2cd9d8021a6bc4d692fa0c6e0eab3f13eecd6ce24dde81d3945464a25b50
SHA512 (systemd-243.9.tar.gz) = c005580a8a28b4085cf6ba155f18b66f95cf454b5dff244b22d2b8218bcbc71ef93301f885ed4fb80714961ea9cf97e94cf970164b0021dc85f2b30bb3735252

255
split-files.py
View file

@ -1,47 +1,8 @@
import re, sys, os, collections
buildroot = sys.argv[1]
no_bootloader = '--no-bootloader' in sys.argv
known_files = '''
%ghost %config(noreplace) /etc/crypttab
%ghost %attr(0444,root,root) /etc/udev/hwdb.bin
/etc/inittab
# This directory is owned by openssh-server, but we don't want to introduce
# a dependency. So let's copy the config and co-own the directory.
%dir %attr(0700,root,root) /etc/ssh/sshd_config.d
%ghost %config(noreplace) /etc/vconsole.conf
%ghost %config(noreplace) /etc/X11/xorg.conf.d/00-keyboard.conf
%ghost %attr(0664,root,root) %verify(not group) /run/utmp
%ghost %attr(0664,root,root) %verify(not group) /var/log/wtmp
%ghost %attr(0660,root,root) %verify(not group) /var/log/btmp
%ghost %attr(0664,root,root) %verify(not md5 size mtime group) /var/log/lastlog
%ghost %config(noreplace) /etc/hostname
%ghost %config(noreplace) /etc/localtime
%ghost %config(noreplace) /etc/locale.conf
%ghost %attr(0444,root,root) %config(noreplace) /etc/machine-id
%ghost %config(noreplace) /etc/machine-info
%ghost %attr(0700,root,root) %dir /var/cache/private
%ghost %attr(0700,root,root) %dir /var/lib/private
%ghost %dir /var/lib/private/systemd
%ghost %dir /var/lib/private/systemd/journal-upload
%ghost /var/lib/private/systemd/journal-upload/state
%ghost %dir /var/lib/systemd/timesync
%ghost /var/lib/systemd/timesync/clock
%ghost %dir /var/lib/systemd/backlight
%ghost /var/lib/systemd/catalog/database
%ghost %dir /var/lib/systemd/coredump
%ghost /var/lib/systemd/journal-upload
%ghost %dir /var/lib/systemd/linger
%ghost %attr(0600,root,root) /var/lib/systemd/random-seed
%ghost %dir /var/lib/systemd/rfkill
%ghost %dir %verify(not mode group) /var/log/journal
%ghost %dir /var/log/journal/remote
%ghost %attr(0700,root,root) %dir /var/log/private
'''
known_files = {line.split()[-1]:line for line in known_files.splitlines()
if line and not line.startswith('#')}
known_files = sys.stdin.read().splitlines()
known_files = {line.split()[-1]:line for line in known_files}
def files(root):
os.chdir(root)
@ -54,31 +15,15 @@ def files(root):
if file.is_dir() and not file.is_symlink():
todo.append(file)
outputs = {suffix: open(f'.file-list-{suffix}', 'w')
for suffix in (
'shared',
'libs',
'udev',
'ukify',
'boot',
'pam',
'rpm-macros',
'sysusers',
'devel',
'container',
'networkd',
'networkd-defaults',
'oomd-defaults',
'remote',
'resolve',
'tests',
'standalone-repart',
'standalone-tmpfiles',
'standalone-sysusers',
'standalone-shutdown',
'main',
)}
o_libs = open('.file-list-libs', 'w')
o_udev = open('.file-list-udev', 'w')
o_pam = open('.file-list-pam', 'w')
o_rpm_macros = open('.file-list-rpm-macros', 'w')
o_devel = open('.file-list-devel', 'w')
o_container = open('.file-list-container', 'w')
o_remote = open('.file-list-remote', 'w')
o_tests = open('.file-list-tests', 'w')
o_rest = open('.file-list-rest', 'w')
for file in files(buildroot):
n = file.path[1:]
if re.match(r'''/usr/(share|include)$|
@ -98,201 +43,77 @@ for file in files(buildroot):
/etc(/pam\.d|/xdg|/X11|/X11/xinit|/X11.*\.d|)$|
/etc/(dnf|dnf/protected.d)$|
/usr/(src|lib/debug)| # no $
/run$|
/var(/cache|/log|/lib|/run|)$
''', n, re.X):
continue
if n.endswith('.standalone'):
if 'repart' in n:
o = outputs['standalone-repart']
elif 'tmpfiles' in n:
o = outputs['standalone-tmpfiles']
elif 'sysusers' in n:
o = outputs['standalone-sysusers']
elif 'shutdown' in n:
o = outputs['standalone-shutdown']
else:
assert False, 'Found .standalone not belonging to known packages'
elif '/security/pam_' in n or '/man8/pam_' in n:
o = outputs['pam']
elif '/rpm/' in n:
o = outputs['rpm-macros']
if '/security/pam_' in n:
o = o_pam
elif 'rpm/macros' in n:
o = o_rpm_macros
elif re.search(r'/lib.*\.pc|/man3/|/usr/include|(?<!/libsystemd-shared-...).so$', n):
o = o_devel
elif '/usr/lib/systemd/tests' in n:
o = outputs['tests']
elif 'ukify' in n and '/man/' not in n:
o = outputs['ukify']
elif re.search(r'/libsystemd-core-.*\.so$', n):
o = outputs['main']
elif re.search(r'/libsystemd-shared-.*\.so$', n):
o = outputs['shared']
elif re.search(r'/libcryptsetup-token-systemd-.*\.so$', n):
o = outputs['udev']
elif re.search(r'/lib.*\.pc$|/man3/|/usr/include|\.so$', n):
o = outputs['devel']
o = o_tests
elif re.search(r'''journal-(remote|gateway|upload)|
systemd-remote\.conf|
/usr/share/systemd/gatewayd|
/var/log/journal/remote
''', n, re.X):
o = outputs['remote']
# Just the binary, the dir, and the man page.
elif re.search(r'''systemd-sysusers$|
sysusers\.d$|
man/.*sysusers\.d\.5|
man/.*systemd-sysusers\.8
''', n, re.X):
o = outputs['sysusers']
o = o_remote
elif re.search(r'''mymachines|
machinectl|
mount.ddi|
importctl|
portablectl|
systemd-nspawn|
systemd\.nspawn|
systemd-vmspawn|
systemd-dissect|
import-pubring|
systemd-machined|
systemd-import|
systemd-export|
systemd-pull|
systemd-mountfsd|
systemd-mountwork|
systemd-nsresource|
import-pubring.gpg|
systemd-(machined|import|pull)|
/machine.slice|
/machines.target|
var-lib-machines.mount|
network/80-container-v[ez]|
org.freedesktop.(import|machine)1
''', n, re.X):
o = outputs['container']
# .network.example files go into systemd-networkd, and the matching files
# without .example go into systemd-networkd-defaults
elif (re.search(r'''/usr/lib/systemd/network/.*\.network$''', n)
and os.path.exists(f'./{n}.example')):
o = outputs['networkd-defaults']
# Files that are "consumed" by systemd-networkd go into the -networkd
# subpackage. As a special case, network-generator is co-owned also by
# the -udev subpackage because systemd-udevd reads .link files.
elif re.search(r'''/usr/lib/systemd/network/.*\.network|
networkd|
networkctl|
org.freedesktop.network1|
sysusers\.d/systemd-network.conf|
tmpfiles\.d/systemd-network.conf|
systemd\.network|
systemd\.netdev
''', n, re.X):
o = outputs['networkd']
elif 'network-generator' in n:
o = (outputs['networkd'], outputs['udev'])
o = o_container
elif '.so.' in n:
o = outputs['libs']
elif re.search(r'10-oomd-.*defaults.conf|lib/systemd/oomd.conf.d', n, re.X):
o = outputs['oomd-defaults']
o = o_libs
elif re.search(r'''udev(?!\.pc)|
hwdb|
ac-power|
bootctl|
boot-update|
bless-boot|
boot-system-token|
bsod|
kernel-install|
installkernel|
vconsole|
backlight|
rfkill|
random-seed|
modules-load|
timesync|
crypttab|
cryptenroll|
cryptsetup|
kmod|
quota|
pstore|
sleep|suspend|hibernate|
systemd-tmpfiles-setup-dev|
network/98-default-mac-none.link|
network/99-default.link|
growfs|makefs|makeswap|mkswap|
fsck|
repart|
growfs|makefs|makeswap|
gpt-auto|
volatile-root|
veritysetup|
integritysetup|
integritytab|
remount-fs|
/initrd|
systemd[.-]pcr|
/pcrlock\.d|
systemd-measure|
/boot$|
/boot/efi|
remount-fs|
/kernel/|
/kernel$|
/modprobe.d|
binfmt|
sysctl|
coredump|
homed|home1|
sysupdate|updatctl|
oomd|
portabled|portable1
''', n, re.X): # coredumpctl, homectl, portablectl are included in the main package because
# they can be used to interact with remote daemons. Also, the user could be
# confused if those user-facing binaries are not available.
o = outputs['udev']
elif re.search(r'''/boot/efi|
/usr/lib/systemd/boot|
sd-boot|systemd-boot\.|loader.conf
/modprobe.d
''', n, re.X):
o = outputs['boot']
elif re.search(r'''resolved|resolve1|
systemd-resolve|
resolvconf|
systemd\.(positive|negative)
''', n, re.X): # resolvectl and nss-resolve are in the main package.
o = outputs['resolve']
o = o_udev
else:
o = outputs['main']
o = o_rest
if n in known_files:
prefix = known_files[n].split()[:-1]
elif file.is_dir(follow_symlinks=False):
prefix = ['%dir']
elif 'README' in n:
prefix = ['%doc']
prefix = ' '.join(known_files[n].split()[:-1])
if prefix:
prefix += ' '
elif file.is_dir() and not file.is_symlink():
prefix = '%dir '
elif n.startswith('/etc'):
prefix = ['%config(noreplace)']
if not file.is_symlink() and file.stat().st_size == 0:
prefix += ['%ghost']
prefix = '%config(noreplace) '
else:
prefix = []
prefix = ' '.join(prefix + ['']) if prefix else ''
prefix = ''
suffix = '*' if '/man/' in n else ''
if not isinstance(o, tuple):
o = (o,)
for file in o:
print(f'{prefix}{n}{suffix}', file=file)
if [print(f'ERROR: no file names were written to {o.name}')
for name, o in outputs.items()
if (o.tell() == 0 and
not (no_bootloader and name == 'boot'))
]:
sys.exit(1)
print(f'{prefix}{n}{suffix}', file=o)

18
systemd-user
View file

@ -1,14 +1,10 @@
# This file is part of systemd.
#
# Used by systemd --user instances.
-account sufficient pam_systemd_home.so
account sufficient pam_unix.so no_pass_expiry
account include system-auth
account include system-auth
session required pam_selinux.so close
session required pam_selinux.so nottys open
session required pam_loginuid.so
session optional pam_keyinit.so force revoke
session required pam_namespace.so
-session optional pam_systemd_home.so
session optional pam_umask.so silent
session include system-auth
session required pam_selinux.so close
session required pam_selinux.so nottys open
session required pam_loginuid.so
session include system-auth

50
systemd.rpmlintrc
View file

@ -1,50 +0,0 @@
# Just kill all warnings about README being wrong in every possible way
addFilter(r'README')
addFilter(r'missing-call-to-(chdir-with-chroot|setgroups-before-setuid)')
addFilter(r'executable-marked-as-config-file /etc/X11/xinit/xinitrc.d/50-systemd-user.sh')
addFilter(r'non-readable /etc/crypttab')
addFilter(r'non-conffile-in-etc /etc/inittab')
addFilter(r'systemd-unit-in-etc /etc/systemd/.*\.wants')
addFilter(r'dangling-relative-symlink /usr/lib/environment.d/99-environment.conf ../../../etc/environment')
addFilter(r'devel-file-in-non-devel-package /usr/share/pkgconfig/(systemd|udev).pc')
addFilter(r'non-standard-dir-perm /var/cache/private 700')
addFilter(r'non-root-group-log-file /var/log/btmp utmp')
addFilter(r'non-standard-dir-perm /var/log/private 700')
addFilter(r'non-root-group-log-file /var/log/wtmp utmp')
addFilter(r'dangerous-command-in-')
addFilter(r'summary-not-capitalized C systemd')
addFilter(r'obsolete-not-provided')
addFilter(r'postin-without-ldconfig')
addFilter(r'systemd-rpm-macros.noarch: W: only-non-binary-in-usr-lib')
addFilter(r'systemd-rpm-macros.noarch: W: no-documentation')
addFilter(r'systemd-tests\..*: W: no-documentation')
addFilter(r'systemd-tests.*: E: zero-length /usr/lib/systemd/tests/testdata/test-umount/empty.mountinfo')
addFilter(r'hardcoded-library-path in.*(firewalld|install.d|lib/systemd)')
# everybody does it this way: systemd, syslog-ng, rsyslog
addFilter(r'unversioned-explicit-provides syslog')
# systemd-machine-id-setup requires libssl
addFilter(r'explicit-lib-dependency openssl-libs')
addFilter(r'systemd.src:.*strange-permission')

3462
systemd.spec
View file

File diff suppressed because it is too large Load diff

2
sysusers.attr
View file

@ -1,2 +0,0 @@
%__sysusers_provides %{_rpmconfigdir}/sysusers.prov
%__sysusers_path ^%{_sysusersdir}/.*\\.conf$

96
sysusers.generate-pre.sh
View file

@ -1,96 +0,0 @@
#!/bin/bash
# -*- mode: shell-script; indent-tabs-mode: true; tab-width: 4; -*-
# This script turns sysuser.d files into scriptlets mandated by Fedora
# packaging guidelines. The general idea is to define users using the
# declarative syntax but to turn this into traditional scriptlets.
user() {
user="$1"
uid="$2"
desc="$3"
group="$4"
home="$5"
shell="$6"
[ "$desc" = '-' ] && desc=
{ [ "$home" = '-' ] || [ "$home" = '' ]; } && home=/
{ [ "$shell" = '-' ] || [ "$shell" = '' ]; } && shell=/usr/sbin/nologin
if [ "$uid" = '-' ] || [ "$uid" = '' ]; then
cat <<-EOF
getent passwd '$user' >/dev/null || \\
useradd -r -g ${group@Q} -d ${home@Q} -s ${shell@Q} -c ${desc@Q} ${user@Q} || :
EOF
else
cat <<-EOF
if ! getent passwd ${user@Q} >/dev/null; then
if ! getent passwd ${uid@Q} >/dev/null; then
useradd -r -u ${uid@Q} -g ${group@Q} -d ${home@Q} -s ${shell@Q} -c ${desc@Q} ${user@Q} || :
else
useradd -r -g ${group@Q} -d ${home@Q} -s ${shell@Q} -c ${desc@Q} ${user@Q} || :
fi
fi
EOF
fi
}
group() {
group="$1"
gid="$2"
if [ "$gid" = '-' ]; then
cat <<-EOF
getent group ${group@Q} >/dev/null || groupadd -r ${group@Q} || :
EOF
else
cat <<-EOF
getent group ${group@Q} >/dev/null || groupadd -f -g ${gid@Q} -r ${group@Q} || :
EOF
fi
}
usermod() {
user="$1"
group="$2"
cat <<-EOF
if getent group ${group@Q} >/dev/null; then
usermod -a -G ${group@Q} '$user' || :
fi
EOF
}
parse() {
while read -r line || [ -n "$line" ] ; do
{ [ "${line:0:1}" = '#' ] || [ "${line:0:1}" = ';' ]; } && continue
line="${line## *}"
[ -z "$line" ] && continue
eval "arr=( $line )"
case "${arr[0]}" in
('u'|'u!')
if [[ "${arr[2]}" == *":"* ]]; then
user "${arr[1]}" "${arr[2]%:*}" "${arr[3]}" "${arr[2]#*:}" "${arr[4]}" "${arr[5]}"
else
group "${arr[1]}" "${arr[2]}"
user "${arr[1]}" "${arr[2]}" "${arr[3]}" "${arr[1]}" "${arr[4]}" "${arr[5]}"
fi
;;
('g')
group "${arr[1]}" "${arr[2]}"
;;
('m')
group "${arr[2]}" "-"
user "${arr[1]}" "-" "" "${arr[1]}" "" ""
usermod "${arr[1]}" "${arr[2]}"
;;
esac
done
}
for fn in "$@"; do
[ -e "$fn" ] || continue
echo "# generated from $(basename "$fn")"
parse <"$fn"
done

61
sysusers.prov
View file

@ -1,61 +0,0 @@
#!/bin/bash
process_u() {
if [ ! -z "${2##*[!0-9]*}" ]; then
# Single shared static ID.
echo "user($1) = $2"
echo "group($1) = $2"
elif [[ $2 == *:* ]]; then
# UID:<group>.
uid=$(echo $2 | cut -d':' -f1 -)
group=$(echo $2 | cut -d':' -f2 -)
if [ ! -z "${group##*[!0-9]*}" ]; then
# UID:GID.
echo "user($1) = ${uid}"
echo "group($1) = ${group}"
else
# UID:<groupname>.
echo "user($1) = ${uid}"
echo "group(${group})"
fi
else
# Dynamic (or something else uninteresting).
echo "user($1)"
echo "group($1)"
fi
}
process_g() {
if [ ! -z "${2##*[!0-9]*}" ]; then
# Static GID.
echo "group($1) = $2"
else
# Dynamic (or something else uninteresting).
echo "group($1)"
fi
}
parse() {
while read line; do
[ "${line:0:1}" = '#' -o "${line:0:1}" = ';' ] && continue
line="${line## *}"
[ -z "$line" ] && continue
set -- $line
case "$1" in
('u'|'u!')
process_u "$2" "$3"
;;
('g')
process_g "$2" "$3"
;;
('m')
echo "user($2)"
echo "group($3)"
;;
esac
done
}
while read fn; do
parse < "$fn"
done

39
test_sysusers_defined.py
View file

@ -1,39 +0,0 @@
#!/usr/bin/python
import os
import sys
def parse_sysusers_file(filename):
users, groups = set(), set()
for line in open(filename):
line = line.strip()
if not line or line.startswith('#'):
continue
words = line.split()
match words[0]:
case 'u'|'u!':
users.add(words[1])
case 'g':
groups.add(words[1])
case 'm'|'r':
continue
case _:
assert False
return users, groups
setup_users, setup_groups = set(), set()
for arg in sys.argv[1:-1]:
users, groups = parse_sysusers_file(arg)
setup_users |= users
setup_groups |= groups
basic_users, basic_groups = parse_sysusers_file(sys.argv[-1])
ignored = set(os.getenv('IGNORED', '').split())
if d := basic_users - setup_users - ignored:
exit(f'We have new users: {d}')
if d := basic_groups - setup_groups - ignored:
exit(f'We have new groups: {d}')

124
triggers.systemd
View file

@ -1,85 +1,111 @@
# -*- Mode: rpm-spec; indent-tabs-mode: nil -*- */
# SPDX-License-Identifier: LGPL-2.1-or-later
# SPDX-License-Identifier: LGPL-2.1+
#
# This file is part of systemd.
#
# Copyright 2015 Zbigniew Jędrzejewski-Szmek
# Copyright 2018 Neal Gompa
#
# systemd is free software; you can redistribute it and/or modify it
# under the terms of the GNU Lesser General Public License as published by
# the Free Software Foundation; either version 2.1 of the License, or
# (at your option) any later version.
#
# systemd is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# Lesser General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public License
# along with systemd; If not, see <http://www.gnu.org/licenses/>.
# The contents of this are an example to be copied into systemd.spec.
#
# Minimum rpm version supported: 4.14.0
# Minimum rpm version supported: 4.13.0
%transfiletriggerin -P 900900 -- /usr/lib/systemd/system/ /etc/systemd/system/
%transfiletriggerin -P 900900 -- /usr/lib/systemd/system /etc/systemd/system
# This script will run after any package is initially installed or
# upgraded. We care about the case where a package is initially
# installed, because other cases are covered by the *un scriptlets,
# so sometimes we will reload needlessly.
/usr/lib/systemd/systemd-update-helper system-reload-restart || :
if test -d /run/systemd/system; then
%{_bindir}/systemctl daemon-reload
fi
%transfiletriggerin -P 900899 -- /usr/lib/systemd/user/ /etc/systemd/user/
/usr/lib/systemd/systemd-update-helper user-reload-restart || :
%transfiletriggerpostun -P 1000100 -- /usr/lib/systemd/system/ /etc/systemd/system/
%transfiletriggerun -- /usr/lib/systemd/system /etc/systemd/system
# On removal, we need to run daemon-reload after any units have been
# removed.
# removed. %transfiletriggerpostun would be ideal, but it does not get
# executed for some reason.
# On upgrade, we need to run daemon-reload after any new unit files
# have been installed, but before %postun scripts in packages get
# executed.
/usr/lib/systemd/systemd-update-helper system-reload || :
# executed. %transfiletriggerun gets the right list of files
# but it is invoked too early (before changes happen).
# %filetriggerpostun happens at the right time, but it fires for
# every package.
# To execute the reload at the right time, we create a state
# file in %transfiletriggerun and execute the daemon-reload in
# the first %filetriggerpostun.
%transfiletriggerpostun -P 1000099 -- /usr/lib/systemd/user/ /etc/systemd/user/
# Execute daemon-reload in user managers.
/usr/lib/systemd/systemd-update-helper user-reload || :
if test -d "/run/systemd/system"; then
mkdir -p "%{_localstatedir}/lib/rpm-state/systemd"
touch "%{_localstatedir}/lib/rpm-state/systemd/needs-reload"
fi
%transfiletriggerpostun -P 10000 -- /usr/lib/systemd/system/ /etc/systemd/system/
# We restart remaining system services that should be restarted here.
/usr/lib/systemd/systemd-update-helper system-restart || :
%filetriggerpostun -P 1000100 -- /usr/lib/systemd/system /etc/systemd/system
if test -f "%{_localstatedir}/lib/rpm-state/systemd/needs-reload"; then
rm -rf "%{_localstatedir}/lib/rpm-state/systemd"
%{_bindir}/systemctl daemon-reload
fi
%transfiletriggerpostun -P 9999 -- /usr/lib/systemd/user/ /etc/systemd/user/
# We restart remaining user services that should be restarted here.
/usr/lib/systemd/systemd-update-helper user-restart || :
%transfiletriggerin -P 1000700 -- /usr/lib/sysusers.d/
%transfiletriggerin -P 100700 -- /usr/lib/sysusers.d
# This script will process files installed in /usr/lib/sysusers.d to create
# specified users automatically. The priority is set such that it
# will run before the tmpfiles file trigger.
systemd-sysusers || :
if test -d /run/systemd/system; then
%{_bindir}/systemd-sysusers || :
fi
%transfiletriggerin -P 1000700 udev -- /usr/lib/udev/hwdb.d/
%transfiletriggerin -P 100500 -- /usr/lib/tmpfiles.d
# This script will process files installed in /usr/lib/tmpfiles.d to create
# tmpfiles automatically. The priority is set such that it will run
# after the sysusers file trigger, but before any other triggers.
if test -d /run/systemd/system; then
%{_bindir}/systemd-tmpfiles --create || :
fi
%transfiletriggerin udev -- /usr/lib/udev/hwdb.d
# This script will automatically invoke hwdb update if files have been
# installed or updated in /usr/lib/udev/hwdb.d.
systemd-hwdb update || :
if test -d /run/systemd/system; then
%{_bindir}/systemd-hwdb update || :
fi
%transfiletriggerin -P 1000700 -- /usr/lib/systemd/catalog/
%transfiletriggerin -- /usr/lib/systemd/catalog
# This script will automatically invoke journal catalog update if files
# have been installed or updated in /usr/lib/systemd/catalog.
journalctl --update-catalog || :
if test -d /run/systemd/system; then
%{_bindir}/journalctl --update-catalog || :
fi
%transfiletriggerin -P 1000700 -- /usr/lib/binfmt.d/
%transfiletriggerin udev -- /usr/lib/udev/rules.d
# This script will automatically update udev with new rules if files
# have been installed or updated in /usr/lib/udev/rules.d.
if test -e /run/udev/control; then
%{_bindir}/udevadm control --reload || :
fi
%transfiletriggerin -- /usr/lib/sysctl.d
# This script will automatically apply sysctl rules if files have been
# installed or updated in /usr/lib/sysctl.d.
if test -d /run/systemd/system; then
/usr/lib/systemd/systemd-sysctl || :
fi
%transfiletriggerin -- /usr/lib/binfmt.d
# This script will automatically apply binfmt rules if files have been
# installed or updated in /usr/lib/binfmt.d.
if test -d "/run/systemd/system"; then
if test -d /run/systemd/system; then
# systemd-binfmt might fail if binfmt_misc kernel module is not loaded
# during install
/usr/lib/systemd/systemd-binfmt || :
fi
%transfiletriggerin -P 1000600 -- /usr/lib/tmpfiles.d/
# This script will process files installed in /usr/lib/tmpfiles.d to create
# tmpfiles automatically. The priority is set such that it will run
# after the sysusers file trigger, but before any other triggers.
if test -d "/run/systemd/system"; then
systemd-tmpfiles --create || :
fi
%transfiletriggerin -P 1000600 udev -- /usr/lib/udev/rules.d/
# This script will automatically update udev with new rules if files
# have been installed or updated in /usr/lib/udev/rules.d.
/usr/lib/systemd/systemd-update-helper mark-reload-system-units systemd-udevd.service || :
%transfiletriggerin -P 1000500 -- /usr/lib/sysctl.d/
# This script will automatically apply sysctl rules if files have been
# installed or updated in /usr/lib/sysctl.d.
if test -d "/run/systemd/system"; then
/usr/lib/systemd/systemd-sysctl || :
fi

41
use-bfq-scheduler.patch Normal file
View file

@ -0,0 +1,41 @@
From 464a73411c13596a130a7a8f0ac00ca728e5f69e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
Date: Wed, 14 Aug 2019 15:57:42 +0200
Subject: [PATCH] udev: use bfq as the default scheduler
As requested in https://bugzilla.redhat.com/show_bug.cgi?id=1738828.
Test results are that bfq seems to behave better and more consistently on
typical hardware. The kernel does not have a configuration option to set
the default scheduler, and it currently needs to be set by userspace.
See the bug for more discussion and links.
---
rules/60-block-scheduler.rules | 5 +++++
rules/meson.build | 1 +
2 files changed, 6 insertions(+)
create mode 100644 rules/60-block-scheduler.rules
diff --git a/rules/60-block-scheduler.rules b/rules/60-block-scheduler.rules
new file mode 100644
index 00000000000..480b941761f
--- /dev/null
+++ b/rules/60-block-scheduler.rules
@@ -0,0 +1,6 @@
+# do not edit this file, it will be overwritten on update
+
+ACTION=="add", SUBSYSTEM=="block", \
+ KERNEL=="mmcblk*[0-9]|msblk*[0-9]|mspblk*[0-9]|sd*[!0-9]|sr*", \
+ ENV{DEVTYPE}=="disk", \
+ ATTR{queue/scheduler}="bfq"
diff --git a/rules/meson.build b/rules/meson.build
index b6a32ba77e2..1da958b4d46 100644
--- a/rules/meson.build
+++ b/rules/meson.build
@@ -2,6 +2,7 @@
rules = files('''
60-block.rules
+ 60-block-scheduler.rules
60-cdrom_id.rules
60-drm.rules
60-evdev.rules

2
yum-protect-systemd.conf Normal file
View file

@ -0,0 +1,2 @@
systemd
systemd-udev