packages/systemd
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!444 [sync] PR-442: sync patch from systemd community

Browse Source 
From: @openeuler-sync-bot 
Reviewed-by: @licunlong 
Signed-off-by: @licunlong
This commit is contained in:
openeuler-ci-bot 2023-10-10 02:49:17 +00:00 committed by Gitee
commit 5b048ad87f
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
64 changed files with 4714 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

36
add-support-to-relabel-systemd-process-for-embedded.patch Normal file
View File

@ -0,0 +1,36 @@
From eae8bc192e19dbdce118bf7b936befb3953a21ea Mon Sep 17 00:00:00 2001
From: Xin Shi <shixin21@huawei.com>
Date: Thu, 24 Aug 2023 09:34:46 +0800
Subject: [PATCH 3/5] add support to relabel systemd process for embedded
Signed-off-by: Xin Shi <shixin21@huawei.com>
---
src/core/selinux-setup.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/src/core/selinux-setup.c b/src/core/selinux-setup.c
index 2bafbee..74e2a2f 100644
--- a/src/core/selinux-setup.c
+++ b/src/core/selinux-setup.c
@@ -6,6 +6,7 @@
#if HAVE_SELINUX
#include <selinux/selinux.h>
+#include <selinux/restorecon.h>
#endif
#include "log.h"
@@ -68,6 +69,10 @@ int mac_selinux_setup(bool *loaded_policy) {
mac_selinux_retest();
+ int ret = selinux_restorecon(SYSTEMD_BINARY_PATH, 0);
+ if (ret != 0)
+ log_warning("Failed to relabel %s, errno=%d.", SYSTEMD_BINARY_PATH, errno);
+
/* Transition to the new context */
r = mac_selinux_get_create_label_from_exe(SYSTEMD_BINARY_PATH, &label);
if (r < 0 || !label) {
--
2.27.0

72
backport-cgtop-Do-not-rewrite-P-or-k-options.patch Normal file
View File

@ -0,0 +1,72 @@
From 598260221c8184a92098a750bba32aeb56ca2872 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20Koutn=C3=BD?= <mkoutny@suse.com>
Date: Fri, 25 Nov 2022 17:50:27 +0100
Subject: [PATCH] cgtop: Do not rewrite -P or -k options
--recursive=no will overwrite possible -P or -k option hence making the
recursive disabling impossible.
Check what counting types the system supports (encoded in the ordering
of our enum) of and pick whatever user requests but is also supported.
Fixes: #25248
(cherry picked from commit 48600b3524afe05d0faa8a5c88b5aaa53b801199)
(cherry picked from commit b97c1c427c2156495e141c736babbccabba7265d)
Conflict:NA
Reference:https://github.com/systemd/systemd-stable/commit/598260221c8184a92098a750bba32aeb56ca2872
---
src/cgtop/cgtop.c | 16 ++++++++++------
1 file changed, 10 insertions(+), 6 deletions(-)
diff --git a/src/cgtop/cgtop.c b/src/cgtop/cgtop.c
index b023e71757..29454cd1eb 100644
--- a/src/cgtop/cgtop.c
+++ b/src/cgtop/cgtop.c
@@ -55,6 +55,12 @@ typedef struct Group {
uint64_t io_input_bps, io_output_bps;
} Group;
+typedef enum PidsCount {
+ COUNT_USERSPACE_PROCESSES,
+ COUNT_ALL_PROCESSES,
+ COUNT_PIDS,
+} PidsCount;
+
static unsigned arg_depth = 3;
static unsigned arg_iterations = UINT_MAX;
static bool arg_batch = false;
@@ -65,11 +71,7 @@ static char* arg_root = NULL;
static bool arg_recursive = true;
static bool arg_recursive_unset = false;
-static enum {
- COUNT_PIDS,
- COUNT_USERSPACE_PROCESSES,
- COUNT_ALL_PROCESSES,
-} arg_count = COUNT_PIDS;
+static PidsCount arg_count = COUNT_PIDS;
static enum {
ORDER_PATH,
@@ -913,6 +915,7 @@ static int run(int argc, char *argv[]) {
usec_t last_refresh = 0;
bool quit = false, immediate_refresh = false;
_cleanup_free_ char *root = NULL;
+ PidsCount possible_count;
CGroupMask mask;
int r;
@@ -926,7 +929,8 @@ static int run(int argc, char *argv[]) {
if (r < 0)
return log_error_errno(r, "Failed to determine supported controllers: %m");
- arg_count = (mask & CGROUP_MASK_PIDS) ? COUNT_PIDS : COUNT_USERSPACE_PROCESSES;
+ possible_count = (mask & CGROUP_MASK_PIDS) ? COUNT_PIDS : COUNT_ALL_PROCESSES;
+ arg_count = MIN(possible_count, arg_count);
if (arg_recursive_unset && arg_count == COUNT_PIDS)
return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
--
2.33.0

35
backport-core-Fix-memory-leaks.patch Normal file
View File

@ -0,0 +1,35 @@
From 12b790995c2d4fa86e1a316a78a8dff9f525541a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C5=81ukasz=20Stelmach?= <l.stelmach@samsung.com>
Date: Tue, 21 Jun 2022 12:12:01 +0200
Subject: [PATCH] core: Fix memory leaks
arg_early_core_pattern and arg_watchdog_device hold pointers to memory
allocated with strdup() (inside path_make_absolute_cwd). The memory needs
to be freed in reset_arguments() during reload rather than forgotten.
(cherry picked from commit 919ea64f69f710840c1bc93f0f7cb7c51aae45d0)
Conflict:code context adaptation
Reference:https://github.com/systemd/systemd-stable/commit/12b790995c2d4fa86e1a316a78a8dff9f525541a
---
src/core/main.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/core/main.c b/src/core/main.c
index 409b84a006..f6d12cca04 100644
--- a/src/core/main.c
+++ b/src/core/main.c
@@ -2377,8 +2377,8 @@ static void reset_arguments(void) {
arg_runtime_watchdog = 0;
arg_reboot_watchdog = 10 * USEC_PER_MINUTE;
arg_kexec_watchdog = 0;
- arg_early_core_pattern = NULL;
- arg_watchdog_device = NULL;
+ arg_early_core_pattern = mfree(arg_early_core_pattern);
+ arg_watchdog_device = mfree(arg_watchdog_device);
arg_default_environment = strv_free(arg_default_environment);
arg_manager_environment = strv_free(arg_manager_environment);
--
2.33.0

45
backport-core-Return-1-from-unit_add_dependency-on-success.patch Normal file
View File

@ -0,0 +1,45 @@
From f971def3c23d780aab99d988bd71b94931d74be6 Mon Sep 17 00:00:00 2001
From: Daan De Meyer <daan.j.demeyer@gmail.com>
Date: Thu, 12 May 2022 00:05:04 +0200
Subject: [PATCH] core: Return 1 from unit_add_dependency() on success
To allow checking if adding dependency was skipped or not.
Conflict:code context adaptation
Reference:https://github.com/systemd/systemd-stable/commit/f971def3c23d780aab99d988bd71b94931d74be6
---
src/core/unit.c | 2 +-
src/test/test-engine.c | 4 ++--
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/core/unit.c b/src/core/unit.c
index b0756bc6f4..fd95e02153 100644
--- a/src/core/unit.c
+++ b/src/core/unit.c
@@ -3146,7 +3146,7 @@ int unit_add_dependency(
if (!noop)
unit_add_to_dbus_queue(u);
- return 0;
+ return 1;
}
int unit_add_two_dependencies(Unit *u, UnitDependency d, UnitDependency e, Unit *other, bool add_reference, UnitDependencyMask mask) {
diff --git a/src/test/test-engine.c b/src/test/test-engine.c
index ef055360fb..d430076056 100644
--- a/src/test/test-engine.c
+++ b/src/test/test-engine.c
@@ -189,8 +189,8 @@ int main(int argc, char *argv[]) {
assert_se(!hashmap_get(unit_get_dependencies(a, UNIT_PROPAGATES_RELOAD_TO), c));
assert_se(!hashmap_get(unit_get_dependencies(c, UNIT_RELOAD_PROPAGATED_FROM), a));
- assert_se(unit_add_dependency(a, UNIT_PROPAGATES_RELOAD_TO, b, true, UNIT_DEPENDENCY_UDEV) == 0);
- assert_se(unit_add_dependency(a, UNIT_PROPAGATES_RELOAD_TO, c, true, UNIT_DEPENDENCY_PROC_SWAP) == 0);
+ assert_se(unit_add_dependency(a, UNIT_PROPAGATES_RELOAD_TO, b, true, UNIT_DEPENDENCY_UDEV) >= 0);
+ assert_se(unit_add_dependency(a, UNIT_PROPAGATES_RELOAD_TO, c, true, UNIT_DEPENDENCY_PROC_SWAP) >= 0);
assert_se(hashmap_get(unit_get_dependencies(a, UNIT_PROPAGATES_RELOAD_TO), b));
assert_se(hashmap_get(unit_get_dependencies(b, UNIT_RELOAD_PROPAGATED_FROM), a));
--
2.33.0

90
backport-core-allow-list-char-rtc-with-ProtectClock-yes-only-.patch Normal file
View File

@ -0,0 +1,90 @@
From f6bba0b47e9038373627b7d2bfedac0b3e4f076e Mon Sep 17 00:00:00 2001
From: Luca Boccassi <bluca@debian.org>
Date: Thu, 20 Oct 2022 00:37:08 +0100
Subject: [PATCH] core: allow-list char-rtc with ProtectClock=yes only if
needed
Allow-listing a device implicitly blocks everything else, so this
has the opposite of the intended effect when PrivateDevices= is
not used.
Allow-list char-rtc only if there is a device policy set.
Fixes https://github.com/systemd/systemd/issues/18142
(cherry picked from commit 63857bf4f7a5dd48a2b971d9bae2c06cc829b630)
Conflict:delete modifications related to the ExecLoadCredential structure
Reference:https://github.com/systemd/systemd-stable/commit/f6bba0b47e9038373627b7d2bfedac0b3e4f076e
---
src/core/unit.c | 64 +++++++++++++++++++++++++------------------------
1 file changed, 33 insertions(+), 31 deletions(-)
diff --git a/src/core/unit.c b/src/core/unit.c
index ffac4ac719..fe509d400d 100644
--- a/src/core/unit.c
+++ b/src/core/unit.c
@@ -4134,36 +4134,39 @@ int unit_patch_contexts(Unit *u) {
cc->device_policy == CGROUP_DEVICE_POLICY_AUTO)
cc->device_policy = CGROUP_DEVICE_POLICY_CLOSED;
- if ((ec->root_image || !LIST_IS_EMPTY(ec->mount_images)) &&
- (cc->device_policy != CGROUP_DEVICE_POLICY_AUTO || cc->device_allow)) {
+ /* Only add these if needed, as they imply that everything else is blocked. */
+ if (cc->device_policy != CGROUP_DEVICE_POLICY_AUTO || cc->device_allow) {
+ if (ec->root_image || !LIST_IS_EMPTY(ec->mount_images)) {
- const char *p;
+ const char *p;
+
+ /* When RootImage= or MountImages= is specified, the following devices are touched. */
+ FOREACH_STRING(p, "/dev/loop-control", "/dev/mapper/control") {
+ r = cgroup_add_device_allow(cc, p, "rw");
+ if (r < 0)
+ return r;
+ }
+ FOREACH_STRING(p, "block-loop", "block-blkext", "block-device-mapper") {
+ r = cgroup_add_device_allow(cc, p, "rwm");
+ if (r < 0)
+ return r;
+ }
- /* When RootImage= or MountImages= is specified, the following devices are touched. */
- FOREACH_STRING(p, "/dev/loop-control", "/dev/mapper/control") {
- r = cgroup_add_device_allow(cc, p, "rw");
- if (r < 0)
- return r;
- }
- FOREACH_STRING(p, "block-loop", "block-blkext", "block-device-mapper") {
- r = cgroup_add_device_allow(cc, p, "rwm");
- if (r < 0)
- return r;
+ /* Make sure "block-loop" can be resolved, i.e. make sure "loop" shows up in /proc/devices.
+ * Same for mapper and verity. */
+ FOREACH_STRING(p, "modprobe@loop.service", "modprobe@dm_mod.service", "modprobe@dm_verity.service") {
+ r = unit_add_two_dependencies_by_name(u, UNIT_AFTER, UNIT_WANTS, p, true, UNIT_DEPENDENCY_FILE);
+ if (r < 0)
+ return r;
+ }
}
- /* Make sure "block-loop" can be resolved, i.e. make sure "loop" shows up in /proc/devices.
- * Same for mapper and verity. */
- FOREACH_STRING(p, "modprobe@loop.service", "modprobe@dm_mod.service", "modprobe@dm_verity.service") {
- r = unit_add_two_dependencies_by_name(u, UNIT_AFTER, UNIT_WANTS, p, true, UNIT_DEPENDENCY_FILE);
+ if (ec->protect_clock) {
+ r = cgroup_add_device_allow(cc, "char-rtc", "r");
if (r < 0)
return r;
}
- }
- if (ec->protect_clock) {
- r = cgroup_add_device_allow(cc, "char-rtc", "r");
- if (r < 0)
- return r;
}
}
return 0;
--
2.33.0

53
backport-core-fix-memleak-in-GetUnitFileLinks-method.patch Normal file
View File

@ -0,0 +1,53 @@
From 45090f34185cb71b87bd21d2a1d5a59ecc6f9f57 Mon Sep 17 00:00:00 2001
From: Yu Watanabe <watanabe.yu+github@gmail.com>
Date: Wed, 2 Nov 2022 07:06:46 +0900
Subject: [PATCH] core: fix memleak in GetUnitFileLinks method
(cherry picked from commit a12ba535fa677e642c7ba19e81062ed6e9365ceb)
Conflict:code context adaptation
Reference:https://github.com/systemd/systemd-stable/commit/45090f34185cb71b87bd21d2a1d5a59ecc6f9f57
---
src/core/dbus-manager.c | 16 +++++++++++-----
1 file changed, 11 insertions(+), 5 deletions(-)
diff --git a/src/core/dbus-manager.c b/src/core/dbus-manager.c
index 92e717a00c..03ab35a941 100644
--- a/src/core/dbus-manager.c
+++ b/src/core/dbus-manager.c
@@ -2639,21 +2639,27 @@ static int method_get_unit_file_links(sd_bus_message *message, void *userdata, s
(runtime ? UNIT_FILE_RUNTIME : 0);
r = unit_file_disable(UNIT_FILE_SYSTEM, flags, NULL, p, &changes, &n_changes);
- if (r < 0)
- return log_error_errno(r, "Failed to get file links for %s: %m", name);
+ if (r < 0) {
+ log_error_errno(r, "Failed to get file links for %s: %m", name);
+ goto finish;
+ }
for (i = 0; i < n_changes; i++)
if (changes[i].type_or_errno == UNIT_FILE_UNLINK) {
r = sd_bus_message_append(reply, "s", changes[i].path);
if (r < 0)
- return r;
+ goto finish;
}
r = sd_bus_message_close_container(reply);
if (r < 0)
- return r;
+ goto finish;
- return sd_bus_send(NULL, reply, NULL);
+ r = sd_bus_send(NULL, reply, NULL);
+
+finish:
+ unit_file_changes_free(changes, n_changes);
+ return r;
}
static int method_get_job_waiting(sd_bus_message *message, void *userdata, sd_bus_error *error) {
--
2.33.0

64
backport-core-transaction-make-merge_unit_ids-always-return-N.patch Normal file
View File

@ -0,0 +1,64 @@
From 1ece85e7d4af7517aa9cfe12b21cde1d82fa3167 Mon Sep 17 00:00:00 2001
From: Yu Watanabe <watanabe.yu+github@gmail.com>
Date: Sat, 18 Mar 2023 12:12:01 +0900
Subject: [PATCH] core/transaction: make merge_unit_ids() always return
NUL-terminated string
Follow-up for 924775e8ce49817f96df19c2b06356c12ecfc754.
The loop run with `STRV_FOREACH_PAIR()`, hence `if (*(unit_id+1))` is
not a good way to detect if there exist a next entry.
Fixes #26872.
(cherry picked from commit 366eced4c81a15a25b9225347fa203aa67798b02)
(cherry picked from commit 7002c5c210a7ae3607bd8a424112e9f8789bc5f9)
(cherry picked from commit 89f780969b4436cf766eb9c0d6412362fc85f042)
Conflict:keep variable unit_id and job_type to solve compilation failure
Reference:https://github.com/systemd/systemd-stable/commit/1ece85e7d4af7517aa9cfe12b21cde1d82fa3167
---
src/core/transaction.c | 18 +++++++++++-------
1 file changed, 11 insertions(+), 7 deletions(-)
diff --git a/src/core/transaction.c b/src/core/transaction.c
index ebe5f19..9532531 100644
--- a/src/core/transaction.c
+++ b/src/core/transaction.c
@@ -328,22 +328,26 @@ _pure_ static bool unit_matters_to_anchor(Unit *u, Job *j) {
return false;
}
-static char* merge_unit_ids(const char* unit_log_field, char **pairs) {
- char **unit_id, **job_type, *ans = NULL;
- size_t size = 0, next;
+static char* merge_unit_ids(const char* unit_log_field, char * const* pairs) {
+ char **unit_id, **job_type = NULL;
+ _cleanup_free_ char *ans = NULL;
+ size_t size = 0;
STRV_FOREACH_PAIR(unit_id, job_type, pairs) {
+ size_t next;
+
+ if (size > 0)
+ ans[size - 1] = '\n';
+
next = strlen(unit_log_field) + strlen(*unit_id);
if (!GREEDY_REALLOC(ans, size + next + 1))
- return mfree(ans);
+ return NULL;
sprintf(ans + size, "%s%s", unit_log_field, *unit_id);
- if (*(unit_id+1))
- ans[size + next] = '\n';
size += next + 1;
}
- return ans;
+ return TAKE_PTR(ans);
}
static int transaction_verify_order_one(Transaction *tr, Job *j, Job *from, unsigned generation, sd_bus_error *e) {
--
2.33.0

33
backport-core-transaction-make-merge_unit_ids-return-non-NULL.patch Normal file
View File

@ -0,0 +1,33 @@
From d938e482075db406ae56f9dd37ec0d353b165aac Mon Sep 17 00:00:00 2001
From: Yu Watanabe <watanabe.yu+github@gmail.com>
Date: Sat, 18 Mar 2023 12:17:54 +0900
Subject: [PATCH] core/transaction: make merge_unit_ids() return non-NULL on
success
(cherry picked from commit 999f16514367224cbc50cb3ccc1e4392e43f6811)
(cherry picked from commit d084528c49e84354b9a032a1138175bff1198cfa)
(cherry picked from commit 8974821f7925d07089c29d619b7996714e833aa5)
Conflict:NA
Reference:https://github.com/systemd/systemd-stable/commit/d938e482075db406ae56f9dd37ec0d353b165aac
---
src/core/transaction.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/src/core/transaction.c b/src/core/transaction.c
index 043998078c..7c862f35be 100644
--- a/src/core/transaction.c
+++ b/src/core/transaction.c
@@ -341,6 +341,9 @@ static char* merge_unit_ids(const char* unit_log_field, char * const* pairs) {
size += next + 1;
}
+ if (!ans)
+ return strdup("");
+
return TAKE_PTR(ans);
}
--
2.33.0

73
backport-core-unit-fix-notification-about-unit-dependency-cha.patch Normal file
View File

@ -0,0 +1,73 @@
From ac17080c040481c35bdfa10d4e08da76175fe9d7 Mon Sep 17 00:00:00 2001
From: Yu Watanabe <watanabe.yu+github@gmail.com>
Date: Tue, 31 May 2022 01:43:15 +0900
Subject: [PATCH] core/unit: fix notification about unit dependency change
This also makes unit_add_dependency() return 1 only when a dependency
is added.
Conflict:NA
Reference:https://github.com/systemd/systemd-stable/commit/ac17080c040481c35bdfa10d4e08da76175fe9d7
---
src/core/unit.c | 19 +++++++++----------
1 file changed, 9 insertions(+), 10 deletions(-)
diff --git a/src/core/unit.c b/src/core/unit.c
index fd95e02153..b00d4d0e36 100644
--- a/src/core/unit.c
+++ b/src/core/unit.c
@@ -3062,7 +3062,7 @@ int unit_add_dependency(
/* Helper to know whether sending a notification is necessary or not: if the dependency is already
* there, no need to notify! */
- bool noop;
+ bool notify, notify_other = false;
assert(u);
assert(d >= 0 && d < _UNIT_DEPENDENCY_MAX);
@@ -3119,34 +3119,33 @@ int unit_add_dependency(
r = unit_add_dependency_hashmap(&u->dependencies, d, other, mask, 0);
if (r < 0)
return r;
- noop = !r;
+ notify = r > 0;
if (inverse_table[d] != _UNIT_DEPENDENCY_INVALID && inverse_table[d] != d) {
r = unit_add_dependency_hashmap(&other->dependencies, inverse_table[d], u, 0, mask);
if (r < 0)
return r;
- if (r)
- noop = false;
+ notify_other = r > 0;
}
if (add_reference) {
r = unit_add_dependency_hashmap(&u->dependencies, UNIT_REFERENCES, other, mask, 0);
if (r < 0)
return r;
- if (r)
- noop = false;
+ notify = notify || r > 0;
r = unit_add_dependency_hashmap(&other->dependencies, UNIT_REFERENCED_BY, u, 0, mask);
if (r < 0)
return r;
- if (r)
- noop = false;
+ notify_other = notify_other || r > 0;
}
- if (!noop)
+ if (notify)
unit_add_to_dbus_queue(u);
+ if (notify_other)
+ unit_add_to_dbus_queue(other);
- return 1;
+ return notify || notify_other;
}
int unit_add_two_dependencies(Unit *u, UnitDependency d, UnitDependency e, Unit *other, bool add_reference, UnitDependencyMask mask) {
--
2.33.0

79
backport-core-unit-make-JoinsNamespaceOf-implies-the-inverse-.patch Normal file
View File

@ -0,0 +1,79 @@
From a60f96fcf55c3452e5b13d6daec537af1909eda3 Mon Sep 17 00:00:00 2001
From: Yu Watanabe <watanabe.yu+github@gmail.com>
Date: Tue, 23 May 2023 06:36:44 +0900
Subject: [PATCH] core/unit: make JoinsNamespaceOf= implies the inverse
dependency
Previously, even if a.service has JoinsNamespaceOf=b.service, the
inverse direction of reference was not introduced.
Hence, a.service is started earlier than b.service, the namespace will
not shared with b.service.
Also, even if a.service had the reference to b.service, b.service did not.
If b.service is freed earlier, then unit_clear_dependencies() does not clear
the reference from a to b, and will cause use-after-free on unit_free() for
a.service.
Let's make JoinsNamespaceOf=b.service in a.service implies the inverse
dependency, i.e. JoinsNamespaceOf=a.service for b.service. Then, we can safely
free b.service.
Conflict:delete testcases because test files are not existed
Reference:https://github.com/systemd/systemd-stable/commit/a60f96fcf55c3452e5b13d6daec537af1909eda3
---
man/systemd.unit.xml | 12 +++++++-----
src/core/unit.c | 11 +++++------
2 files changed, 13 insertions(+), 12 deletions(-)
diff --git a/man/systemd.unit.xml b/man/systemd.unit.xml
index d603ec9744..fcd1f914a8 100644
--- a/man/systemd.unit.xml
+++ b/man/systemd.unit.xml
@@ -856,16 +856,18 @@
<term><varname>JoinsNamespaceOf=</varname></term>
<listitem><para>For units that start processes (such as service units), lists one or more other units
- whose network and/or temporary file namespace to join. This only applies to unit types which support
- the <varname>PrivateNetwork=</varname>, <varname>NetworkNamespacePath=</varname>,
+ whose network and/or temporary file namespace to join. If this is specified on a unit (say, a.service
+ has <varname>JoinsNamespaceOf=b.service</varname>), then this the inverse dependency
+ (<varname>JoinsNamespaceOf=a.service</varname> for b.service) is implied. This only applies to unit
+ types which support the <varname>PrivateNetwork=</varname>, <varname>NetworkNamespacePath=</varname>,
<varname>PrivateIPC=</varname>, <varname>IPCNamespacePath=</varname>, and
<varname>PrivateTmp=</varname> directives (see
<citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry> for
details). If a unit that has this setting set is started, its processes will see the same
<filename>/tmp/</filename>, <filename>/var/tmp/</filename>, IPC namespace and network namespace as
- one listed unit that is started. If multiple listed units are already started, it is not defined
- which namespace is joined. Note that this setting only has an effect if
- <varname>PrivateNetwork=</varname>/<varname>NetworkNamespacePath=</varname>,
+ one listed unit that is started. If multiple listed units are already started and these do not share
+ their namespace, then it is not defined which namespace is joined. Note that this setting only has an
+ effect if <varname>PrivateNetwork=</varname>/<varname>NetworkNamespacePath=</varname>,
<varname>PrivateIPC=</varname>/<varname>IPCNamespacePath=</varname> and/or
<varname>PrivateTmp=</varname> is enabled for both the unit that joins the namespace and the unit
whose namespace is joined.</para></listitem>
diff --git a/src/core/unit.c b/src/core/unit.c
index 7a43355832..be57bdbd1d 100644
--- a/src/core/unit.c
+++ b/src/core/unit.c
@@ -3209,12 +3209,11 @@ int unit_add_dependency(
return r;
notify = r > 0;
- if (inverse_table[d] != _UNIT_DEPENDENCY_INVALID && inverse_table[d] != d) {
- r = unit_add_dependency_hashmap(&other->dependencies, inverse_table[d], u, 0, mask);
- if (r < 0)
- return r;
- notify_other = r > 0;
- }
+ assert(inverse_table[d] >= 0 && inverse_table[d] < _UNIT_DEPENDENCY_MAX);
+ r = unit_add_dependency_hashmap(&other->dependencies, inverse_table[d], u, 0, mask);
+ if (r < 0)
+ return r;
+ notify_other = r > 0;
if (add_reference) {
r = unit_add_dependency_hashmap(&u->dependencies, UNIT_REFERENCES, other, mask, 0);
--
2.33.0

238
backport-core-unit-update-bidirectional-dependency-simultaneo.patch Normal file
View File

@ -0,0 +1,238 @@
From 831108245eb757f41fe0ebbccf1b42c9dd0ce297 Mon Sep 17 00:00:00 2001
From: Yu Watanabe <watanabe.yu+github@gmail.com>
Date: Tue, 23 May 2023 17:49:16 +0900
Subject: [PATCH] core/unit: update bidirectional dependency simultaneously
Previously, if unit_add_dependency_hashmap() failed, then a
one-directional unit dependency reference might be created, and
triggeres use-after-free. See issue #27742 for more details.
This makes unit dependency always bidirectional, and cleanly revert
partial update on failure.
Fixes #27742.
Conflict:code context adaptation
Reference:https://github.com/systemd/systemd-stable/commit/831108245eb757f41fe0ebbccf1b42c9dd0ce297
---
src/core/unit.c | 164 ++++++++++++++++++++++++++++++------------------
1 file changed, 103 insertions(+), 61 deletions(-)
diff --git a/src/core/unit.c b/src/core/unit.c
index 35f41531c4..90f87a95f5 100644
--- a/src/core/unit.c
+++ b/src/core/unit.c
@@ -1056,46 +1056,6 @@ static int unit_per_dependency_type_hashmap_update(
return 1;
}
-static int unit_add_dependency_hashmap(
- Hashmap **dependencies,
- UnitDependency d,
- Unit *other,
- UnitDependencyMask origin_mask,
- UnitDependencyMask destination_mask) {
-
- Hashmap *per_type;
- int r;
-
- assert(dependencies);
- assert(other);
- assert(origin_mask < _UNIT_DEPENDENCY_MASK_FULL);
- assert(destination_mask < _UNIT_DEPENDENCY_MASK_FULL);
- assert(origin_mask > 0 || destination_mask > 0);
-
- /* Ensure the top-level dependency hashmap exists that maps UnitDependency → Hashmap(Unit* →
- * UnitDependencyInfo) */
- r = hashmap_ensure_allocated(dependencies, NULL);
- if (r < 0)
- return r;
-
- /* Acquire the inner hashmap, that maps Unit* → UnitDependencyInfo, for the specified dependency
- * type, and if it's missing allocate it and insert it. */
- per_type = hashmap_get(*dependencies, UNIT_DEPENDENCY_TO_PTR(d));
- if (!per_type) {
- per_type = hashmap_new(NULL);
- if (!per_type)
- return -ENOMEM;
-
- r = hashmap_put(*dependencies, UNIT_DEPENDENCY_TO_PTR(d), per_type);
- if (r < 0) {
- hashmap_free(per_type);
- return r;
- }
- }
-
- return unit_per_dependency_type_hashmap_update(per_type, other, origin_mask, destination_mask);
-}
-
static void unit_merge_dependencies(Unit *u, Unit *other) {
Hashmap *deps;
void *dt; /* Actually of type UnitDependency, except that we don't bother casting it here,
@@ -3103,11 +3063,38 @@ bool unit_job_is_applicable(Unit *u, JobType j) {
}
}
-int unit_add_dependency(
+static Hashmap *unit_get_dependency_hashmap_per_type(Unit *u, UnitDependency d) {
+ Hashmap *deps;
+
+ assert(u);
+ assert(d >= 0 && d < _UNIT_DEPENDENCY_MAX);
+
+ deps = hashmap_get(u->dependencies, UNIT_DEPENDENCY_TO_PTR(d));
+ if (!deps) {
+ _cleanup_hashmap_free_ Hashmap *h = NULL;
+
+ h = hashmap_new(NULL);
+ if (!h)
+ return NULL;
+
+ if (hashmap_ensure_put(&u->dependencies, NULL, UNIT_DEPENDENCY_TO_PTR(d), h) < 0)
+ return NULL;
+
+ deps = TAKE_PTR(h);
+ }
+
+ return deps;
+}
+
+typedef enum NotifyDependencyFlags {
+ NOTIFY_DEPENDENCY_UPDATE_FROM = 1 << 0,
+ NOTIFY_DEPENDENCY_UPDATE_TO = 1 << 1,
+} NotifyDependencyFlags;
+
+static int unit_add_dependency_impl(
Unit *u,
UnitDependency d,
Unit *other,
- bool add_reference,
UnitDependencyMask mask) {
static const UnitDependency inverse_table[_UNIT_DEPENDENCY_MAX] = {
@@ -3143,12 +3130,78 @@ int unit_add_dependency(
[UNIT_IN_SLICE] = UNIT_SLICE_OF,
[UNIT_SLICE_OF] = UNIT_IN_SLICE,
};
+
+ Hashmap *u_deps, *other_deps;
+ UnitDependencyInfo u_info, u_info_old, other_info, other_info_old;
+ NotifyDependencyFlags flags = 0;
+ int r;
+
+ assert(u);
+ assert(other);
+ assert(d >= 0 && d < _UNIT_DEPENDENCY_MAX);
+ assert(inverse_table[d] >= 0 && inverse_table[d] < _UNIT_DEPENDENCY_MAX);
+ assert(mask > 0 && mask < _UNIT_DEPENDENCY_MASK_FULL);
+
+ /* Ensure the following two hashmaps for each unit exist:
+ * - the top-level dependency hashmap that maps UnitDependency → Hashmap(Unit* → UnitDependencyInfo),
+ * - the inner hashmap, that maps Unit* → UnitDependencyInfo, for the specified dependency type. */
+ u_deps = unit_get_dependency_hashmap_per_type(u, d);
+ if (!u_deps)
+ return -ENOMEM;
+
+ other_deps = unit_get_dependency_hashmap_per_type(other, inverse_table[d]);
+ if (!other_deps)
+ return -ENOMEM;
+
+ /* Save the original dependency info. */
+ u_info.data = u_info_old.data = hashmap_get(u_deps, other);
+ other_info.data = other_info_old.data = hashmap_get(other_deps, u);
+
+ /* Update dependency info. */
+ u_info.origin_mask |= mask;
+ other_info.destination_mask |= mask;
+
+ /* Save updated dependency info. */
+ if (u_info.data != u_info_old.data) {
+ r = hashmap_replace(u_deps, other, u_info.data);
+ if (r < 0)
+ return r;
+
+ flags = NOTIFY_DEPENDENCY_UPDATE_FROM;
+ }
+
+ if (other_info.data != other_info_old.data) {
+ r = hashmap_replace(other_deps, u, other_info.data);
+ if (r < 0) {
+ if (u_info.data != u_info_old.data) {
+ /* Restore the old dependency. */
+ if (u_info_old.data)
+ (void) hashmap_update(u_deps, other, u_info_old.data);
+ else
+ hashmap_remove(u_deps, other);
+ }
+ return r;
+ }
+
+ flags |= NOTIFY_DEPENDENCY_UPDATE_TO;
+ }
+
+ return flags;
+}
+
+int unit_add_dependency(
+ Unit *u,
+ UnitDependency d,
+ Unit *other,
+ bool add_reference,
+ UnitDependencyMask mask) {
+
UnitDependencyAtom a;
int r;
/* Helper to know whether sending a notification is necessary or not: if the dependency is already
* there, no need to notify! */
- bool notify, notify_other = false;
+ NotifyDependencyFlags notify_flags;
assert(u);
assert(d >= 0 && d < _UNIT_DEPENDENCY_MAX);
@@ -3204,35 +3257,24 @@ int unit_add_dependency(
return log_unit_error_errno(u, SYNTHETIC_ERRNO(EINVAL),
"Requested dependency SliceOf=%s refused (%s is not a cgroup unit).", other->id, other->id);
- r = unit_add_dependency_hashmap(&u->dependencies, d, other, mask, 0);
- if (r < 0)
- return r;
- notify = r > 0;
-
- assert(inverse_table[d] >= 0 && inverse_table[d] < _UNIT_DEPENDENCY_MAX);
- r = unit_add_dependency_hashmap(&other->dependencies, inverse_table[d], u, 0, mask);
+ r = unit_add_dependency_impl(u, d, other, mask);
if (r < 0)
return r;
- notify_other = r > 0;
+ notify_flags = r;
if (add_reference) {
- r = unit_add_dependency_hashmap(&u->dependencies, UNIT_REFERENCES, other, mask, 0);
- if (r < 0)
- return r;
- notify = notify || r > 0;
-
- r = unit_add_dependency_hashmap(&other->dependencies, UNIT_REFERENCED_BY, u, 0, mask);
+ r = unit_add_dependency_impl(u, UNIT_REFERENCES, other, mask);
if (r < 0)
return r;
- notify_other = notify_other || r > 0;
+ notify_flags |= r;
}
- if (notify)
+ if (FLAGS_SET(notify_flags, NOTIFY_DEPENDENCY_UPDATE_FROM))
unit_add_to_dbus_queue(u);
- if (notify_other)
+ if (FLAGS_SET(notify_flags, NOTIFY_DEPENDENCY_UPDATE_TO))
unit_add_to_dbus_queue(other);
- return notify || notify_other;
+ return notify_flags != 0;
}
int unit_add_two_dependencies(Unit *u, UnitDependency d, UnitDependency e, Unit *other, bool add_reference, UnitDependencyMask mask) {
--
2.33.0

65
backport-coredump-filter-add-mask-for-all-using-UINT32_MAX-no.patch Normal file
View File

@ -0,0 +1,65 @@
From 085d847ae7e90f2a10d1cbe29d450a35ddc198bc Mon Sep 17 00:00:00 2001
From: Luca Boccassi <bluca@debian.org>
Date: Wed, 26 Apr 2023 14:19:33 +0100
Subject: [PATCH] coredump filter: add mask for 'all' using UINT32_MAX, not
UINT64_MAX
The kernel returns ERANGE when UINT64_MAX is passed. Create a mask
and use UINT32_max, which is accepted, so that future bits will also
be set.
(cherry picked from commit 7f3bb8f20dcccaceea8b1ee05f0560b81162037b)
(cherry picked from commit 4f8b2abf699f092576efff55a061efede795d99e)
(cherry picked from commit 5bba2890ef53ca166670aaa715bd1a5386b8cf91)
Conflict:NA
Reference:https://github.com/systemd/systemd-stable/commit/085d847ae7e90f2a10d1cbe29d450a35ddc198bc
---
src/shared/coredump-util.c | 2 +-
src/shared/coredump-util.h | 3 +++
src/test/test-coredump-util.c | 2 ++
3 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/src/shared/coredump-util.c b/src/shared/coredump-util.c
index aaf3e16eff..7a44816834 100644
--- a/src/shared/coredump-util.c
+++ b/src/shared/coredump-util.c
@@ -43,7 +43,7 @@ int coredump_filter_mask_from_string(const char *s, uint64_t *ret) {
}
if (streq(n, "all")) {
- m = UINT64_MAX;
+ m = COREDUMP_FILTER_MASK_ALL;
continue;
}
diff --git a/src/shared/coredump-util.h b/src/shared/coredump-util.h
index 09e7ed443f..f4d4098136 100644
--- a/src/shared/coredump-util.h
+++ b/src/shared/coredump-util.h
@@ -22,6 +22,9 @@ typedef enum CoredumpFilter {
1u << COREDUMP_FILTER_ELF_HEADERS | \
1u << COREDUMP_FILTER_PRIVATE_HUGE)
+/* The kernel doesn't like UINT64_MAX and returns ERANGE, use UINT32_MAX to support future new flags */
+#define COREDUMP_FILTER_MASK_ALL UINT32_MAX
+
const char* coredump_filter_to_string(CoredumpFilter i) _const_;
CoredumpFilter coredump_filter_from_string(const char *s) _pure_;
int coredump_filter_mask_from_string(const char *s, uint64_t *ret);
diff --git a/src/test/test-coredump-util.c b/src/test/test-coredump-util.c
index a669da7746..4f68dd57d8 100644
--- a/src/test/test-coredump-util.c
+++ b/src/test/test-coredump-util.c
@@ -23,6 +23,8 @@ TEST(coredump_filter_mask_from_string) {
uint64_t f;
assert_se(coredump_filter_mask_from_string("default", &f) == 0);
assert_se(f == COREDUMP_FILTER_MASK_DEFAULT);
+ assert_se(coredump_filter_mask_from_string("all", &f) == 0);
+ assert_se(f == COREDUMP_FILTER_MASK_ALL);
assert_se(coredump_filter_mask_from_string(" default\tdefault\tdefault ", &f) == 0);
assert_se(f == COREDUMP_FILTER_MASK_DEFAULT);
--
2.33.0

69
backport-coredump-filter-fix-stack-overflow-with-all.patch Normal file
View File

@ -0,0 +1,69 @@
From 30a4629e4760fba96735365c31d279d402ec11e3 Mon Sep 17 00:00:00 2001
From: Luca Boccassi <bluca@debian.org>
Date: Wed, 26 Apr 2023 14:18:04 +0100
Subject: [PATCH] coredump filter: fix stack overflow with =all
We translate 'all' to UNIT64_MAX, which has a lot more 'f's. Use the
helper macro, since a decimal uint64_t will always be >> than a hex
representation.
root@image:~# systemd-run -t --property CoredumpFilter=all ls /tmp
Running as unit: run-u13.service
Press ^] three times within 1s to disconnect TTY.
*** stack smashing detected ***: terminated
[137256.320511] systemd[1]: run-u13.service: Main process exited, code=dumped, status=6/ABRT
[137256.320850] systemd[1]: run-u13.service: Failed with result 'core-dump'.
(cherry picked from commit 37232d55a7bcace37280e28b207c85f5ca9b3f6b)
(cherry picked from commit 021bb972ffd87aae9f9f7bcc691bf5b812db309b)
(cherry picked from commit ab33ee67d58780eccd9082d7d75bbc1d48f50468)
Conflict:code context adaptation
Reference:https://github.com/systemd/systemd-stable/commit/30a4629e4760fba96735365c31d279d402ec11e3
---
src/basic/macro.h | 4 ++++
src/shared/coredump-util.c | 5 +++--
2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/src/basic/macro.h b/src/basic/macro.h
index f5d63ce408..a5453fc9d7 100644
--- a/src/basic/macro.h
+++ b/src/basic/macro.h
@@ -309,6 +309,10 @@ #define char_array_0(x) x[sizeof(x)-1] = 0;
#define sizeof_field(struct_type, member) sizeof(((struct_type *) 0)->member)
+/* Maximum buffer size needed for formatting an unsigned integer type as hex, including space for '0x'
+ * prefix and trailing NUL suffix. */
+#define HEXADECIMAL_STR_MAX(type) (2 + sizeof(type) * 2 + 1)
+
/* Returns the number of chars needed to format variables of the
* specified type as a decimal string. Adds in extra space for a
* negative '-' prefix (hence works correctly on signed
diff --git a/src/shared/coredump-util.c b/src/shared/coredump-util.c
index a0b648bf79..aaf3e16eff 100644
--- a/src/shared/coredump-util.c
+++ b/src/shared/coredump-util.c
@@ -3,6 +3,7 @@
#include "coredump-util.h"
#include "extract-word.h"
#include "fileio.h"
+#include "stdio-util.h"
#include "string-table.h"
static const char *const coredump_filter_table[_COREDUMP_FILTER_MAX] = {
@@ -65,9 +66,9 @@ int coredump_filter_mask_from_string(const char *s, uint64_t *ret) {
}
int set_coredump_filter(uint64_t value) {
- char t[STRLEN("0xFFFFFFFF")];
+ char t[HEXADECIMAL_STR_MAX(uint64_t)];
- sprintf(t, "0x%"PRIx64, value);
+ xsprintf(t, "0x%"PRIx64, value);
return write_string_file("/proc/self/coredump_filter", t,
WRITE_STRING_FILE_VERIFY_ON_FAILURE|WRITE_STRING_FILE_DISABLE_BUFFER);
--
2.33.0

45
backport-dbus-util-let-s-take-it-down-a-notch-when-converting.patch Normal file
View File

@ -0,0 +1,45 @@
From 0d8dd903ff55c9aba7322005c374522387cf2713 Mon Sep 17 00:00:00 2001
From: Frantisek Sumsal <frantisek@sumsal.cz>
Date: Thu, 1 Jun 2023 20:22:20 +0200
Subject: [PATCH] dbus-util: let's take it down a notch when converting file
mode to string
I'm definitely a fan of precision, but in this case it's a bit too much:
$ systemd-run --unit=test --socket-property=ListenFIFO=/tmp/foo --socket-property=SocketMode=0644 true
$ systemctl cat test.socket
# /run/systemd/transient/test.socket
# This is a transient unit file, created programmatically via the systemd API. Do not edit.
[Unit]
Description=/usr/bin/true
[Socket]
ListenFIFO=/tmp/foo
SocketMode=0000000000000000000000000000000000000644
(cherry picked from commit b86ed7f710b89b7a7e36da158c1bb8c69ffed144)
(cherry picked from commit 47edca1731788fc53249b95d28c66d88a85b4165)
(cherry picked from commit f566389f239addd529824e3d7b5bd9ad184b1590)
Conflict:NA
Reference:https://github.com/systemd/systemd-stable/commit/0d8dd903ff55c9aba7322005c374522387cf2713
---
src/core/dbus-util.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/core/dbus-util.c b/src/core/dbus-util.c
index 32a2ec0ff9..c253f44c35 100644
--- a/src/core/dbus-util.c
+++ b/src/core/dbus-util.c
@@ -30,7 +30,7 @@ int bus_property_get_triggered_unit(
return sd_bus_message_append(reply, "s", trigger ? trigger->id : NULL);
}
-BUS_DEFINE_SET_TRANSIENT(mode_t, "u", uint32_t, mode_t, "%040o");
+BUS_DEFINE_SET_TRANSIENT(mode_t, "u", uint32_t, mode_t, "%04o");
BUS_DEFINE_SET_TRANSIENT(unsigned, "u", uint32_t, unsigned, "%" PRIu32);
static inline bool valid_user_group_name_or_id_relaxed(const char *u) {
--
2.33.0

75
backport-escape-fix-wrong-octescape-of-bad-character.patch Normal file
View File

@ -0,0 +1,75 @@
From 0fc5cdd98a205a7bbfe4413f8b158ce9776882eb Mon Sep 17 00:00:00 2001
From: Yu Watanabe <watanabe.yu+github@gmail.com>
Date: Tue, 6 Dec 2022 12:00:41 +0900
Subject: [PATCH] escape: fix wrong octescape of bad character
Fixes a bug introduced by 95052df3760523e1f3bb9705c918d85aae7fb431.
This also makes octescape() support NULL or zero length string.
Fixes [oss-fuzz#54059](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=54059).
Fixes #25643.
(cherry picked from commit 76519cecc749a3d0e2054fd6db8a99143666e123)
(cherry picked from commit 2ea5de7881edcd1665207bb55bfd5ae2b6ccdc10)
Conflict:NA
Reference:https://github.com/systemd/systemd-stable/commit/0fc5cdd98a205a7bbfe4413f8b158ce9776882eb
---
src/basic/escape.c | 29 ++++++++++++++---------------
1 file changed, 14 insertions(+), 15 deletions(-)
diff --git a/src/basic/escape.c b/src/basic/escape.c
index 1cb7ced545..e04b435d5b 100644
--- a/src/basic/escape.c
+++ b/src/basic/escape.c
@@ -445,31 +445,30 @@ char* escape_non_printable_full(const char *str, size_t console_width, XEscapeFl
}
char* octescape(const char *s, size_t len) {
- char *r, *t;
- const char *f;
+ char *buf, *t;
- /* Escapes all chars in bad, in addition to \ and " chars,
- * in \nnn style escaping. */
+ /* Escapes all chars in bad, in addition to \ and " chars, in \nnn style escaping. */
- r = new(char, len * 4 + 1);
- if (!r)
+ assert(s || len == 0);
+
+ t = buf = new(char, len * 4 + 1);
+ if (!buf)
return NULL;
- for (f = s, t = r; f < s + len; f++) {
+ for (size_t i = 0; i < len; i++) {
+ uint8_t u = (uint8_t) s[i];
- if (*f < ' ' || *f >= 127 || IN_SET(*f, '\\', '"')) {
+ if (u < ' ' || u >= 127 || IN_SET(u, '\\', '"')) {
*(t++) = '\\';
- *(t++) = '0' + (*f >> 6);
- *(t++) = '0' + ((*f >> 3) & 8);
- *(t++) = '0' + (*f & 8);
+ *(t++) = '0' + (u >> 6);
+ *(t++) = '0' + ((u >> 3) & 7);
+ *(t++) = '0' + (u & 7);
} else
- *(t++) = *f;
+ *(t++) = u;
}
*t = 0;
-
- return r;
-
+ return buf;
}
static char* strcpy_backslash_escaped(char *t, const char *s, const char *bad) {
--
2.33.0

34
backport-hexdecoct-add-missing-NULL-check.patch Normal file
View File

@ -0,0 +1,34 @@
From 671ea8cce47e9c556d283bd53b2c82b9c5ec2da4 Mon Sep 17 00:00:00 2001
From: Yu Watanabe <watanabe.yu+github@gmail.com>
Date: Wed, 7 Dec 2022 06:58:23 +0900
Subject: [PATCH] hexdecoct: add missing NULL check
Fixes oss-fuzz#54065 (https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=54065).
Fixes #25650.
(cherry picked from commit 45655e776f3a4deaf68cc21a7716eba5181cbd49)
(cherry picked from commit 002fc46688e7d7057dbd7845defcc5bae758adde)
Conflict:code context adaptation
Reference:https://github.com/systemd/systemd-stable/commit/671ea8cce47e9c556d283bd53b2c82b9c5ec2da4
---
src/basic/hexdecoct.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/basic/hexdecoct.c b/src/basic/hexdecoct.c
index 0922a49bb1..b9de5bfcda 100644
--- a/src/basic/hexdecoct.c
+++ b/src/basic/hexdecoct.c
@@ -606,7 +606,7 @@ ssize_t base64mem_full(
if (!r)
return -ENOMEM;
- for (x = p; x < (const uint8_t*) p + (l / 3) * 3; x += 3) {
+ for (x = p; x && x < (const uint8_t*) p + (l / 3) * 3; x += 3) {
/* x[0] == XXXXXXXX; x[1] == YYYYYYYY; x[2] == ZZZZZZZZ */
*(z++) = base64char(x[0] >> 2); /* 00XXXXXX */
*(z++) = base64char((x[0] & 3) << 4 | x[1] >> 4); /* 00XXYYYY */
--
2.33.0

87
backport-hexdecoct-fix-NULL-pointer-dereferences-in-hexmem.patch Normal file
View File

@ -0,0 +1,87 @@
From 18bfa23b9b52fecf6f551f4c225abe8034f9dac2 Mon Sep 17 00:00:00 2001
From: Yu Watanabe <watanabe.yu+github@gmail.com>
Date: Wed, 7 Dec 2022 09:06:48 +0900
Subject: [PATCH] hexdecoct: fix NULL pointer dereferences in hexmem()
Fixes oss-fuzz#54090 (https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=54090).
Fixes #25655.
(cherry picked from commit 7d34567444304ea0acec7ed3c44c09bb65cea32c)
(cherry picked from commit 772e89452e8e72347360bfe6556ecc3d95b2caf4)
Conflict:adapt test cases based on the existing test case framework
Reference:https://github.com/systemd/systemd-stable/commit/18bfa23b9b52fecf6f551f4c225abe8034f9dac2
---
src/basic/hexdecoct.c | 4 +++-
src/test/test-hexdecoct.c | 21 +++++++++++++++++++++
2 files changed, 24 insertions(+), 1 deletion(-)
diff --git a/src/basic/hexdecoct.c b/src/basic/hexdecoct.c
index 99b82d4..c9cda67 100644
--- a/src/basic/hexdecoct.c
+++ b/src/basic/hexdecoct.c
@@ -59,11 +59,13 @@ char *hexmem(const void *p, size_t l) {
const uint8_t *x;
char *r, *z;
+ assert(p || l == 0);
+
z = r = new(char, l * 2 + 1);
if (!r)
return NULL;
- for (x = p; x < (const uint8_t*) p + l; x++) {
+ for (x = p; x && x < (const uint8_t*) p + l; x++) {
*(z++) = hexchar(*x >> 4);
*(z++) = hexchar(*x & 15);
}
diff --git a/src/test/test-hexdecoct.c b/src/test/test-hexdecoct.c
index c9d318b..413ad0e 100644
--- a/src/test/test-hexdecoct.c
+++ b/src/test/test-hexdecoct.c
@@ -6,6 +6,7 @@
#include "hexdecoct.h"
#include "macro.h"
#include "string-util.h"
+#include "memory-util.h"
static void test_hexchar(void) {
assert_se(hexchar(0xa) == 'a');
@@ -71,6 +72,25 @@ static void test_undecchar(void) {
assert_se(undecchar('9') == 9);
}
+static void test_hexmem_one(const char *in, const char *expected) {
+ _cleanup_free_ char *result = NULL;
+ _cleanup_free_ void *mem = NULL;
+ size_t len;
+
+ assert_se(result = hexmem(in, strlen_ptr(in)));
+ log_debug("hexmem(\"%s\") → \"%s\" (expected: \"%s\")", strnull(in), result, expected);
+ assert_se(streq(result, expected));
+
+ assert_se(unhexmem(result, SIZE_MAX, &mem, &len) >= 0);
+ assert_se(memcmp_safe(mem, in, len) == 0);
+}
+
+static void test_hexmem(void) {
+ test_hexmem_one(NULL, "");
+ test_hexmem_one("", "");
+ test_hexmem_one("foo", "666f6f");
+}
+
static void test_unhexmem_one(const char *s, size_t l, int retval) {
_cleanup_free_ char *hex = NULL;
_cleanup_free_ void *mem = NULL;
@@ -350,6 +370,7 @@ int main(int argc, char *argv[]) {
test_base64mem();
test_unbase64mem();
test_hexdump();
+ test_hexmem();
return 0;
}
--
2.33.0

63
backport-journal-Don-t-try-to-write-garbage-if-journal-entry-.patch Normal file
View File

@ -0,0 +1,63 @@
From 3d88973ff61a7e2c572fa2d80ab5446510c9a8b2 Mon Sep 17 00:00:00 2001
From: Daan De Meyer <daan.j.demeyer@gmail.com>
Date: Wed, 26 Apr 2023 13:21:55 +0200
Subject: [PATCH] journal: Don't try to write garbage if journal entry is
corrupted
If journal_file_data_payload() returns -EBADMSG or -EADDRNOTAVAIL,
we skip the entry and go to the next entry, but we never modify
the number of items that we pass to journal_file_append_entry_internal()
if that happens, which means we could try to append garbage to the
journal file.
Let's keep track of the number of fields we've appended to avoid this
problem.
(cherry picked from commit f81409f844ae8077f7ee7664871f73fa7d440581)
(cherry picked from commit 3821e3ea077810a7271dbdaccf67b08c33a28fcf)
(cherry picked from commit b9d96f2803b6fbf703463b72bb63d0c936f558e8)
Conflict:code context adaptation
Reference:https://github.com/systemd/systemd-stable/commit/3d88973ff61a7e2c572fa2d80ab5446510c9a8b2
---
src/libsystemd/sd-journal/journal-file.c | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/src/libsystemd/sd-journal/journal-file.c b/src/libsystemd/sd-journal/journal-file.c
index 3c9221c..1988488 100644
--- a/src/libsystemd/sd-journal/journal-file.c
+++ b/src/libsystemd/sd-journal/journal-file.c
@@ -3839,7 +3839,7 @@ int journal_file_open_reliably(
}
int journal_file_copy_entry(JournalFile *from, JournalFile *to, Object *o, uint64_t p) {
- uint64_t q, n, xor_hash = 0;
+ uint64_t q, n, m = 0, xor_hash = 0;
const sd_id128_t *boot_id;
dual_timestamp ts;
EntryItem *items;
@@ -3918,15 +3918,18 @@ int journal_file_copy_entry(JournalFile *from, JournalFile *to, Object *o, uint6
else
xor_hash ^= le64toh(u->data.hash);
- items[i].object_offset = htole64(h);
- items[i].hash = u->data.hash;
+ items[m].object_offset = htole64(h);
+ items[m++].hash = u->data.hash;
r = journal_file_move_to_object(from, OBJECT_ENTRY, p, &o);
if (r < 0)
return r;
}
- r = journal_file_append_entry_internal(to, &ts, boot_id, xor_hash, items, n,
+ if (m == 0)
+ return 0;
+
+ r = journal_file_append_entry_internal(to, &ts, boot_id, xor_hash, items, m,
NULL, NULL, NULL);
if (mmap_cache_got_sigbus(to->mmap, to->cache_fd))
--
2.33.0

71
backport-journal-avoid-infinite-recursion-when-closing-bad-jo.patch Normal file
View File

@ -0,0 +1,71 @@
From 2890d17f26c73a2e9e4a9635d353388fde82151d Mon Sep 17 00:00:00 2001
From: Luca Boccassi <bluca@debian.org>
Date: Fri, 16 Jun 2023 22:31:04 +0100
Subject: [PATCH] journal: avoid infinite recursion when closing bad journal FD
When trying to log, if we fail we try to close the journal FD. If
it is bad, safe_close() will fail and assert, which will try to log,
which will fail, which will try to close the journal FD...
Infinite recursion looks very pretty live in gdb, but let's avoid
that by immediately invalidating the journal FD before closing it.
(cherry picked from commit 40cdb3b756abbeb66091b8e9f1a3d38308456828)
(cherry picked from commit 228bfcf041e89f09c798af864a93543f9d43ec05)
(cherry picked from commit f62c831ba704119194ecd6aabaaee0ecb8edf559)
Conflict:NA
Reference:https://github.com/systemd/systemd-stable/commit/2890d17f26c73a2e9e4a9635d353388fde82151d
---
src/basic/log.c | 15 +++++++++++----
1 file changed, 11 insertions(+), 4 deletions(-)
diff --git a/src/basic/log.c b/src/basic/log.c
index 02e37ed6ce..ef44aea948 100644
--- a/src/basic/log.c
+++ b/src/basic/log.c
@@ -83,7 +83,8 @@ bool _log_message_dummy = false; /* Always false */
} while (false)
static void log_close_console(void) {
- console_fd = safe_close_above_stdio(console_fd);
+ /* See comment in log_close_journal() */
+ (void) safe_close_above_stdio(TAKE_FD(console_fd));
}
static int log_open_console(void) {
@@ -107,7 +108,8 @@ static int log_open_console(void) {
}
static void log_close_kmsg(void) {
- kmsg_fd = safe_close(kmsg_fd);
+ /* See comment in log_close_journal() */
+ (void) safe_close(TAKE_FD(kmsg_fd));
}
static int log_open_kmsg(void) {
@@ -124,7 +126,8 @@ static int log_open_kmsg(void) {
}
static void log_close_syslog(void) {
- syslog_fd = safe_close(syslog_fd);
+ /* See comment in log_close_journal() */
+ (void) safe_close(TAKE_FD(syslog_fd));
}
static int create_log_socket(int type) {
@@ -196,7 +199,11 @@ fail:
}
static void log_close_journal(void) {
- journal_fd = safe_close(journal_fd);
+ /* If the journal FD is bad, safe_close will fail, and will try to log, which will fail, so we'll
+ * try to close the journal FD, which is bad, so safe_close will fail... Whether we can close it
+ * or not, invalidate it immediately so that we don't get in a recursive loop until we run out of
+ * stack. */
+ (void) safe_close(TAKE_FD(journal_fd));
}
static int log_open_journal(void) {
--
2.33.0

40
backport-journald-prevent-segfault-on-empty-attr-current.patch Normal file
View File

@ -0,0 +1,40 @@
From 9070c9f2f33aacc10eb65a9430e3bf78bce5aea7 Mon Sep 17 00:00:00 2001
From: Space Meyer <spm@google.com>
Date: Wed, 7 Dec 2022 14:11:30 +0100
Subject: [PATCH] journald: prevent segfault on empty attr/current
getpidcon() might set con to NULL, even when it returned a 0 return
code[0]. The subsequent strlen(con) will then cause a segfault.
Alternatively the behaviour could also be changed in getpidcon. I
don't know whether the libselinux folks are comitted to the current
behaviour, but the getpidcon man page doesn't really make it obvious
this case could happen.
[0] https://github.com/SELinuxProject/selinux/blob/fb7f35495fbad468d6efa76c5fed727659903038/libselinux/src/procattr.c#L155-L158
(cherry picked from commit ff868eaadecde2568d1e08a375ec8a3b327984fa)
(cherry picked from commit 4119d25e621b5e5b7860e971092239379768081c)
Conflict:NA
Reference:https://github.com/systemd/systemd-stable/commit/9070c9f2f33aacc10eb65a9430e3bf78bce5aea7
---
src/journal/journald-context.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/journal/journald-context.c b/src/journal/journald-context.c
index 27608ff089..0953fb2119 100644
--- a/src/journal/journald-context.c
+++ b/src/journal/journald-context.c
@@ -258,7 +258,7 @@ static int client_context_read_label(
/* If we got no SELinux label passed in, let's try to acquire one */
- if (getpidcon(c->pid, &con) >= 0) {
+ if (getpidcon(c->pid, &con) >= 0 && con) {
free_and_replace(c->label, con);
c->label_size = strlen(c->label);
}
--
2.33.0

110
backport-json-correctly-handle-magic-strings-when-parsing-var.patch Normal file
View File

@ -0,0 +1,110 @@
From 3ee13066884acb4ac16cb41ed4ac01bb94fab4f6 Mon Sep 17 00:00:00 2001
From: Frantisek Sumsal <frantisek@sumsal.cz>
Date: Tue, 23 May 2023 09:55:17 +0200
Subject: [PATCH] json: correctly handle magic strings when parsing variant
strv
We can't dereference the variant object directly, as it might be
a magic object (which has an address on a faulting page); use
json_variant_is_sensitive() instead that handles this case.
For example, with an empty array:
==1547789==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000023 (pc 0x7fd616ca9a18 bp 0x7ffcba1dc7c0 sp 0x7ffcba1dc6d0 T0)
==1547789==The signal is caused by a READ memory access.
==1547789==Hint: address points to the zero page.
SCARINESS: 10 (null-deref)
#0 0x7fd616ca9a18 in json_variant_strv ../src/shared/json.c:2190
#1 0x408332 in oci_args ../src/nspawn/nspawn-oci.c:173
#2 0x7fd616cc09ce in json_dispatch ../src/shared/json.c:4400
#3 0x40addf in oci_process ../src/nspawn/nspawn-oci.c:428
#4 0x7fd616cc09ce in json_dispatch ../src/shared/json.c:4400
#5 0x41fef5 in oci_load ../src/nspawn/nspawn-oci.c:2187
#6 0x4061e4 in LLVMFuzzerTestOneInput ../src/nspawn/fuzz-nspawn-oci.c:23
#7 0x40691c in main ../src/fuzz/fuzz-main.c:50
#8 0x7fd61564a50f in __libc_start_call_main (/lib64/libc.so.6+0x2750f)
#9 0x7fd61564a5c8 in __libc_start_main@GLIBC_2.2.5 (/lib64/libc.so.6+0x275c8)
#10 0x405da4 in _start (/home/fsumsal/repos/@systemd/systemd/build-san/fuzz-nspawn-oci+0x405da4)
DEDUP_TOKEN: json_variant_strv--oci_args--json_dispatch
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ../src/shared/json.c:2190 in json_variant_strv
==1547789==ABORTING
Or with an empty string in an array:
../src/shared/json.c:2202:39: runtime error: member access within misaligned address 0x000000000007 for type 'struct JsonVariant', which requires 8 byte alignment
0x000000000007: note: pointer points here
<memory cannot be printed>
#0 0x7f35f4ca9bcf in json_variant_strv ../src/shared/json.c:2202
#1 0x408332 in oci_args ../src/nspawn/nspawn-oci.c:173
#2 0x7f35f4cc09ce in json_dispatch ../src/shared/json.c:4400
#3 0x40addf in oci_process ../src/nspawn/nspawn-oci.c:428
#4 0x7f35f4cc09ce in json_dispatch ../src/shared/json.c:4400
#5 0x41fef5 in oci_load ../src/nspawn/nspawn-oci.c:2187
#6 0x4061e4 in LLVMFuzzerTestOneInput ../src/nspawn/fuzz-nspawn-oci.c:23
#7 0x40691c in main ../src/fuzz/fuzz-main.c:50
#8 0x7f35f364a50f in __libc_start_call_main (/lib64/libc.so.6+0x2750f)
#9 0x7f35f364a5c8 in __libc_start_main@GLIBC_2.2.5 (/lib64/libc.so.6+0x275c8)
#10 0x405da4 in _start (/home/fsumsal/repos/@systemd/systemd/build-san/fuzz-nspawn-oci+0x405da4)
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../src/shared/json.c:2202:39 in
Note: this happens only if json_variant_copy() in json_variant_set_source() fails.
Found by Nallocfuzz.
(cherry picked from commit 909eb4c01de03a32c915a2267166501dca5b78f6)
(cherry picked from commit 58c1816aa43b96b5ce0953bc8ff78c37c4226216)
(cherry picked from commit 89ab32d166a6920a14c19b90fe528c02ed5f4142)
Conflict:code context adaptation
Reference:https://github.com/systemd/systemd-stable/commit/3ee13066884acb4ac16cb41ed4ac01bb94fab4f6
---
src/shared/json.c | 4 ++--
test/fuzz/fuzz-nspawn-oci/invalid-read-magic-string | 1 +
test/fuzz/fuzz-nspawn-oci/invalid-read-magic-string2 | 1 +
3 files changed, 4 insertions(+), 2 deletions(-)
create mode 100644 test/fuzz/fuzz-nspawn-oci/invalid-read-magic-string
create mode 100644 test/fuzz/fuzz-nspawn-oci/invalid-read-magic-string2
diff --git a/src/shared/json.c b/src/shared/json.c
index 3ab562e219..6748dbcf8d 100644
--- a/src/shared/json.c
+++ b/src/shared/json.c
@@ -2103,7 +2103,7 @@ int json_variant_strv(JsonVariant *v, char ***ret) {
if (!json_variant_is_array(v))
return -EINVAL;
- sensitive = v->sensitive;
+ sensitive = json_variant_is_sensitive(v);
n = json_variant_elements(v);
l = new(char*, n+1);
@@ -2114,7 +2114,7 @@ int json_variant_strv(JsonVariant *v, char ***ret) {
JsonVariant *e;
assert_se(e = json_variant_by_index(v, i));
- sensitive = sensitive || e->sensitive;
+ sensitive = sensitive || json_variant_is_sensitive(e);
if (!json_variant_is_string(e)) {
l[i] = NULL;
diff --git a/test/fuzz/fuzz-nspawn-oci/invalid-read-magic-string b/test/fuzz/fuzz-nspawn-oci/invalid-read-magic-string
new file mode 100644
index 0000000000..675bed0505
--- /dev/null
+++ b/test/fuzz/fuzz-nspawn-oci/invalid-read-magic-string
@@ -0,0 +1 @@
+{"ociVersion":"1.0.0","process":{"args":[]}}
diff --git a/test/fuzz/fuzz-nspawn-oci/invalid-read-magic-string2 b/test/fuzz/fuzz-nspawn-oci/invalid-read-magic-string2
new file mode 100644
index 0000000000..fb1269b9c8
--- /dev/null
+++ b/test/fuzz/fuzz-nspawn-oci/invalid-read-magic-string2
@@ -0,0 +1 @@
+{"ociVersion":"1.0.0","process":{"args":[""]}}
\ No newline at end of file
--
2.33.0

36
backport-list-fix-double-evaluation.patch Normal file
View File

@ -0,0 +1,36 @@
From 42094f7b796cdf4df467ba31529962c643a08cae Mon Sep 17 00:00:00 2001
From: Yu Watanabe <watanabe.yu+github@gmail.com>
Date: Thu, 20 Apr 2023 04:04:03 +0900
Subject: [PATCH] list: fix double evaluation
(cherry picked from commit 24a5370bbc1b52fee52d8891f66af13e9d77d799)
(cherry picked from commit 7b437659b15c0cd87b5720b3570dcd5e5ad9abca)
(cherry picked from commit 73f7c65d34d507c75b3044e2205d1393e43a7534)
Conflict:code context adaptation
Reference:https://github.com/systemd/systemd-stable/commit/42094f7b796cdf4df467ba31529962c643a08cae
---
src/basic/list.h | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/src/basic/list.h b/src/basic/list.h
index 58e83a6cb2..0dba7648e6 100644
--- a/src/basic/list.h
+++ b/src/basic/list.h
@@ -133,8 +133,11 @@
} \
} while (false)
-#define LIST_JUST_US(name,item) \
- (!(item)->name##_prev && !(item)->name##_next) \
+#define LIST_JUST_US(name, item) \
+ ({ \
+ typeof(*(item)) *_item = (item); \
+ !(_item)->name##_prev && !(_item)->name##_next; \
+ })
#define LIST_FOREACH(name,i,head) \
for ((i) = (head); (i); (i) = (i)->name##_next)
--
2.33.0

85
backport-localed-fix-invalid-free-after-shifting-pointers-usi.patch Normal file
View File

@ -0,0 +1,85 @@
From 3e880530377fcda5b203b3abfb8b58b7db867cc7 Mon Sep 17 00:00:00 2001
From: Olivier Gayot <olivier.gayot@sigexec.com>
Date: Fri, 7 Apr 2023 10:32:07 +0200
Subject: [PATCH] localed: fix invalid free after shifting pointers using
strstrip
After manually editing /etc/locale.gen, calling localectl set-locale
sometimes fails. When it fails, the systemd journal shows:
systemd-localed: free() / invalid pointer.
It turned out that it only fails if some of the uncommented lines in
/etc/locale.gen have leading spaces, as in:
* C.UTF-8 <= OK
* en_US.UTF-8 <= OK
* fr_FR.UTF-8 <= NOK
After parsing a line from /etc/locale.gen, we use strstrip() to obtain
the "trimmed" line (without leading or trailing spaces).
However, we store the result of strstrip() in the original pointer
containing the untrimmed line. This pointer is later passed to free
(this is done automatically using _cleanup_free_).
This is a problem because if any leading space is present, the pointer
will essentially be shifted from its original value. This will result in
an invalid free upon cleanup.
The same issue is present in the locale_gen_locale_supported function.
Fixed by storing the result of strstrip() in a different pointer.
(cherry picked from commit b24b10592d74b73529817813ff33f7e28e79ca41)
(cherry picked from commit d18037b8ff43a1d7310708a50786f92c1291ce80)
(cherry picked from commit fcd9ec3effc9cad63f73cba024697011c5963766)
Conflict:NA
Reference:https://github.com/systemd/systemd-stable/commit/3e880530377fcda5b203b3abfb8b58b7db867cc7
---
src/locale/keymap-util.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/src/locale/keymap-util.c b/src/locale/keymap-util.c
index 2d1b9826d0..77035d6584 100644
--- a/src/locale/keymap-util.c
+++ b/src/locale/keymap-util.c
@@ -784,6 +784,7 @@ static int locale_gen_locale_supported(const char *locale_entry) {
for (;;) {
_cleanup_free_ char *line = NULL;
+ char *l;
r = read_line(f, LONG_LINE_MAX, &line);
if (r < 0)
@@ -791,8 +792,8 @@ static int locale_gen_locale_supported(const char *locale_entry) {
if (r == 0)
return 0;
- line = strstrip(line);
- if (strcaseeq_ptr(line, locale_entry))
+ l = strstrip(line);
+ if (strcaseeq_ptr(l, locale_entry))
return 1;
}
}
@@ -870,14 +871,13 @@ int locale_gen_enable_locale(const char *locale) {
continue;
}
- line = strstrip(line);
- if (isempty(line)) {
+ line_locale = strstrip(line);
+ if (isempty(line_locale)) {
fputc('\n', fw);
first_line = false;
continue;
}
- line_locale = line;
if (line_locale[0] == '#')
line_locale = strstrip(line_locale + 1);
else if (strcaseeq_ptr(line_locale, locale_entry))
--
2.33.0

90
backport-machine-fix-a-memory-leak-when-showing-multiple-imag.patch Normal file
View File

@ -0,0 +1,90 @@
From 548f64dd4c270cd40f8e764606fe2dc36d3ac265 Mon Sep 17 00:00:00 2001
From: Frantisek Sumsal <frantisek@sumsal.cz>
Date: Fri, 12 May 2023 14:43:23 +0200
Subject: [PATCH] machine: fix a memory leak when showing multiple images
+ machinectl image-status container1 container1 container0 container1 container2 container3 container4
=================================================================
==1354==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 4704 byte(s) in 6 object(s) allocated from:
#0 0x7fc3670ba097 in calloc (/lib64/libasan.so.8+0xba097)
#1 0x7fc365e91e8e in message_from_header ../src/libsystemd/sd-bus/bus-message.c:372
#2 0x7fc365e92dfd in bus_message_from_malloc ../src/libsystemd/sd-bus/bus-message.c:421
#3 0x7fc365f089a8 in bus_socket_make_message ../src/libsystemd/sd-bus/bus-socket.c:1165
#4 0x7fc365f0affe in bus_socket_read_message ../src/libsystemd/sd-bus/bus-socket.c:1294
#5 0x7fc365f2db71 in bus_read_message ../src/libsystemd/sd-bus/sd-bus.c:2082
#6 0x7fc365f33352 in sd_bus_call ../src/libsystemd/sd-bus/sd-bus.c:2483
#7 0x7fc365e4da61 in sd_bus_call_methodv ../src/libsystemd/sd-bus/bus-convenience.c:183
#8 0x7fc3658789e8 in bus_call_method ../src/shared/bus-locator.c:109
#9 0x413b76 in show_image ../src/machine/machinectl.c:1014
#10 0x7fc365c5c8cf in dispatch_verb ../src/shared/verbs.c:103
#11 0x42e992 in machinectl_main ../src/machine/machinectl.c:2981
#12 0x42ebbd in run ../src/machine/machinectl.c:3006
#13 0x42ece3 in main ../src/machine/machinectl.c:3009
#14 0x7fc36444a50f in __libc_start_call_main (/lib64/libc.so.6+0x2750f)
Indirect leak of 666 byte(s) in 6 object(s) allocated from:
#0 0x7fc3670b95b5 in __interceptor_realloc.part.0 (/lib64/libasan.so.8+0xb95b5)
#1 0x7fc365f09822 in bus_socket_read_message ../src/libsystemd/sd-bus/bus-socket.c:1214
#2 0x7fc365f2db71 in bus_read_message ../src/libsystemd/sd-bus/sd-bus.c:2082
#3 0x7fc365f33352 in sd_bus_call ../src/libsystemd/sd-bus/sd-bus.c:2483
#4 0x7fc365e4da61 in sd_bus_call_methodv ../src/libsystemd/sd-bus/bus-convenience.c:183
#5 0x7fc3658789e8 in bus_call_method ../src/shared/bus-locator.c:109
#6 0x413b76 in show_image ../src/machine/machinectl.c:1014
#7 0x7fc365c5c8cf in dispatch_verb ../src/shared/verbs.c:103
#8 0x42e992 in machinectl_main ../src/machine/machinectl.c:2981
#9 0x42ebbd in run ../src/machine/machinectl.c:3006
#10 0x42ece3 in main ../src/machine/machinectl.c:3009
#11 0x7fc36444a50f in __libc_start_call_main (/lib64/libc.so.6+0x2750f)
Indirect leak of 12 byte(s) in 6 object(s) allocated from:
#0 0x7fc36707243b in strdup (/lib64/libasan.so.8+0x7243b)
#1 0x7fc365ec1543 in message_parse_fields ../src/libsystemd/sd-bus/bus-message.c:4125
#2 0x7fc365e93586 in bus_message_from_malloc ../src/libsystemd/sd-bus/bus-message.c:443
#3 0x7fc365f089a8 in bus_socket_make_message ../src/libsystemd/sd-bus/bus-socket.c:1165
#4 0x7fc365f0affe in bus_socket_read_message ../src/libsystemd/sd-bus/bus-socket.c:1294
#5 0x7fc365f2db71 in bus_read_message ../src/libsystemd/sd-bus/sd-bus.c:2082
#6 0x7fc365f33352 in sd_bus_call ../src/libsystemd/sd-bus/sd-bus.c:2483
#7 0x7fc365e4da61 in sd_bus_call_methodv ../src/libsystemd/sd-bus/bus-convenience.c:183
#8 0x7fc3658789e8 in bus_call_method ../src/shared/bus-locator.c:109
#9 0x413b76 in show_image ../src/machine/machinectl.c:1014
#10 0x7fc365c5c8cf in dispatch_verb ../src/shared/verbs.c:103
#11 0x42e992 in machinectl_main ../src/machine/machinectl.c:2981
#12 0x42ebbd in run ../src/machine/machinectl.c:3006
#13 0x42ece3 in main ../src/machine/machinectl.c:3009
#14 0x7fc36444a50f in __libc_start_call_main (/lib64/libc.so.6+0x2750f)
SUMMARY: AddressSanitizer: 5382 byte(s) leaked in 18 allocation(s).
(cherry picked from commit 4b6ce580eee3f70412637c1df4239e448995535f)
(cherry picked from commit e6a719598c80c284fb4b570c0eb89e7416616a98)
(cherry picked from commit 8dd68c29ff5a56bb4215fe9fcbb7399e21f6560c)
Conflict:NA
Reference:https://github.com/systemd/systemd-stable/commit/548f64dd4c270cd40f8e764606fe2dc36d3ac265
---
src/machine/machinectl.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/src/machine/machinectl.c b/src/machine/machinectl.c
index 4ac48746ef..0f42f9f304 100644
--- a/src/machine/machinectl.c
+++ b/src/machine/machinectl.c
@@ -993,9 +993,7 @@ static int show_image_properties(sd_bus *bus, const char *path, bool *new_line)
}
static int show_image(int argc, char *argv[], void *userdata) {
-
_cleanup_(sd_bus_error_free) sd_bus_error error = SD_BUS_ERROR_NULL;
- _cleanup_(sd_bus_message_unrefp) sd_bus_message *reply = NULL;
bool properties, new_line = false;
sd_bus *bus = userdata;
int r = 0;
@@ -1020,6 +1018,7 @@ static int show_image(int argc, char *argv[], void *userdata) {
}
for (int i = 1; i < argc; i++) {
+ _cleanup_(sd_bus_message_unrefp) sd_bus_message *reply = NULL;
const char *path = NULL;
r = bus_call_method(bus, bus_machine_mgr, "GetImage", &error, &reply, "s", argv[i]);
--
2.33.0

90
backport-machine-fix-a-memory-leak-when-showing-multiple-mach.patch Normal file
View File

@ -0,0 +1,90 @@
From 85f4849b4b86cd2246d733b48321abf804367d80 Mon Sep 17 00:00:00 2001
From: Frantisek Sumsal <frantisek@sumsal.cz>
Date: Fri, 12 May 2023 14:50:52 +0200
Subject: [PATCH] machine: fix a memory leak when showing multiple machines
+ machinectl status long-running long-running long-running
=================================================================
==986==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 1568 byte(s) in 2 object(s) allocated from:
#0 0x7fe57caba097 in calloc (/lib64/libasan.so.8+0xba097)
#1 0x7fe57b891e8e in message_from_header ../src/libsystemd/sd-bus/bus-message.c:372
#2 0x7fe57b892dfd in bus_message_from_malloc ../src/libsystemd/sd-bus/bus-message.c:421
#3 0x7fe57b9089a8 in bus_socket_make_message ../src/libsystemd/sd-bus/bus-socket.c:1165
#4 0x7fe57b90affe in bus_socket_read_message ../src/libsystemd/sd-bus/bus-socket.c:1294
#5 0x7fe57b92db71 in bus_read_message ../src/libsystemd/sd-bus/sd-bus.c:2082
#6 0x7fe57b933352 in sd_bus_call ../src/libsystemd/sd-bus/sd-bus.c:2483
#7 0x7fe57b84da61 in sd_bus_call_methodv ../src/libsystemd/sd-bus/bus-convenience.c:183
#8 0x7fe57b2789e8 in bus_call_method ../src/shared/bus-locator.c:109
#9 0x40f71c in show_machine ../src/machine/machinectl.c:713
#10 0x7fe57b65c8cf in dispatch_verb ../src/shared/verbs.c:103
#11 0x42e9ce in machinectl_main ../src/machine/machinectl.c:2980
#12 0x42ebf9 in run ../src/machine/machinectl.c:3005
#13 0x42ed1f in main ../src/machine/machinectl.c:3008
#14 0x7fe579e4a50f in __libc_start_call_main (/lib64/libc.so.6+0x2750f)
Indirect leak of 234 byte(s) in 2 object(s) allocated from:
#0 0x7fe57cab95b5 in __interceptor_realloc.part.0 (/lib64/libasan.so.8+0xb95b5)
#1 0x7fe57b909822 in bus_socket_read_message ../src/libsystemd/sd-bus/bus-socket.c:1214
#2 0x7fe57b92db71 in bus_read_message ../src/libsystemd/sd-bus/sd-bus.c:2082
#3 0x7fe57b933352 in sd_bus_call ../src/libsystemd/sd-bus/sd-bus.c:2483
#4 0x7fe57b84da61 in sd_bus_call_methodv ../src/libsystemd/sd-bus/bus-convenience.c:183
#5 0x7fe57b2789e8 in bus_call_method ../src/shared/bus-locator.c:109
#6 0x40f71c in show_machine ../src/machine/machinectl.c:713
#7 0x7fe57b65c8cf in dispatch_verb ../src/shared/verbs.c:103
#8 0x42e9ce in machinectl_main ../src/machine/machinectl.c:2980
#9 0x42ebf9 in run ../src/machine/machinectl.c:3005
#10 0x42ed1f in main ../src/machine/machinectl.c:3008
#11 0x7fe579e4a50f in __libc_start_call_main (/lib64/libc.so.6+0x2750f)
Indirect leak of 4 byte(s) in 2 object(s) allocated from:
#0 0x7fe57ca7243b in strdup (/lib64/libasan.so.8+0x7243b)
#1 0x7fe57b8c1543 in message_parse_fields ../src/libsystemd/sd-bus/bus-message.c:4125
#2 0x7fe57b893586 in bus_message_from_malloc ../src/libsystemd/sd-bus/bus-message.c:443
#3 0x7fe57b9089a8 in bus_socket_make_message ../src/libsystemd/sd-bus/bus-socket.c:1165
#4 0x7fe57b90affe in bus_socket_read_message ../src/libsystemd/sd-bus/bus-socket.c:1294
#5 0x7fe57b92db71 in bus_read_message ../src/libsystemd/sd-bus/sd-bus.c:2082
#6 0x7fe57b933352 in sd_bus_call ../src/libsystemd/sd-bus/sd-bus.c:2483
#7 0x7fe57b84da61 in sd_bus_call_methodv ../src/libsystemd/sd-bus/bus-convenience.c:183
#8 0x7fe57b2789e8 in bus_call_method ../src/shared/bus-locator.c:109
#9 0x40f71c in show_machine ../src/machine/machinectl.c:713
#10 0x7fe57b65c8cf in dispatch_verb ../src/shared/verbs.c:103
#11 0x42e9ce in machinectl_main ../src/machine/machinectl.c:2980
#12 0x42ebf9 in run ../src/machine/machinectl.c:3005
#13 0x42ed1f in main ../src/machine/machinectl.c:3008
#14 0x7fe579e4a50f in __libc_start_call_main (/lib64/libc.so.6+0x2750f)
SUMMARY: AddressSanitizer: 1806 byte(s) leaked in 6 allocation(s).
(cherry picked from commit efdaa92ecb1b358e9f27f7d263bb3383f6ab69c9)
(cherry picked from commit 4d29f741c853b95b198f58a3b8f2ae1df175522e)
(cherry picked from commit ee06c7db0cd9d3d1104ae8bfdd1a6968a6b6b6a9)
Conflict:NA
Reference:https://github.com/systemd/systemd-stable/commit/85f4849b4b86cd2246d733b48321abf804367d80
---
src/machine/machinectl.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/src/machine/machinectl.c b/src/machine/machinectl.c
index 0f42f9f304..d5f8b5bbb3 100644
--- a/src/machine/machinectl.c
+++ b/src/machine/machinectl.c
@@ -694,9 +694,7 @@ static int show_machine_properties(sd_bus *bus, const char *path, bool *new_line
}
static int show_machine(int argc, char *argv[], void *userdata) {
-
_cleanup_(sd_bus_error_free) sd_bus_error error = SD_BUS_ERROR_NULL;
- _cleanup_(sd_bus_message_unrefp) sd_bus_message *reply = NULL;
bool properties, new_line = false;
sd_bus *bus = userdata;
int r = 0;
@@ -717,6 +715,7 @@ static int show_machine(int argc, char *argv[], void *userdata) {
}
for (int i = 1; i < argc; i++) {
+ _cleanup_(sd_bus_message_unrefp) sd_bus_message *reply = NULL;
const char *path = NULL;
r = bus_call_method(bus, bus_machine_mgr, "GetMachine", &error, &reply, "s", argv[i]);
--
2.33.0

74
backport-network-bridge-fix-UseBPDU-and-AllowPortToBeRoot.patch Normal file
View File

@ -0,0 +1,74 @@
From 06dc900efa69bbebe1cff59112b4cfd40ed6b3b5 Mon Sep 17 00:00:00 2001
From: Yu Watanabe <watanabe.yu+github@gmail.com>
Date: Sat, 13 Aug 2022 05:08:38 +0900
Subject: [PATCH] network/bridge: fix UseBPDU= and AllowPortToBeRoot=
Fixes bugs caused by 7f9915f0de67f3a10a4b22810d119da65af8c84a.
Fixes #24268.
(cherry picked from commit 3f504b892b92f54087feeb3fb35e3938567d7fa0)
Conflict:code context adaptation
Reference:https://github.com/systemd/systemd-stable/commit/06dc900efa69bbebe1cff59112b4cfd40ed6b3b5
---
src/network/networkd-setlink.c | 4 ++--
test/networkd-test.py | 4 ++--
test/test-network/systemd-networkd-tests.py | 8 ++++----
3 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/src/network/networkd-setlink.c b/src/network/networkd-setlink.c
index 97c6848717..71ecaf4abf 100644
--- a/src/network/networkd-setlink.c
+++ b/src/network/networkd-setlink.c
@@ -230,7 +230,7 @@ static int link_configure_fill_message(
return log_link_debug_errno(link, r, "Could not open IFLA_PROTINFO container: %m");
if (link->network->use_bpdu >= 0) {
- r = sd_netlink_message_append_u8(req, IFLA_BRPORT_GUARD, link->network->use_bpdu);
+ r = sd_netlink_message_append_u8(req, IFLA_BRPORT_GUARD, !link->network->use_bpdu);
if (r < 0)
return log_link_debug_errno(link, r, "Could not append IFLA_BRPORT_GUARD attribute: %m");
}
@@ -254,7 +254,7 @@ static int link_configure_fill_message(
}
if (link->network->allow_port_to_be_root >= 0) {
- r = sd_netlink_message_append_u8(req, IFLA_BRPORT_PROTECT, link->network->allow_port_to_be_root);
+ r = sd_netlink_message_append_u8(req, IFLA_BRPORT_PROTECT, !link->network->allow_port_to_be_root);
if (r < 0)
return log_link_debug_errno(link, r, "Could not append IFLA_BRPORT_PROTECT attribute: %m");
}
diff --git a/test/networkd-test.py b/test/networkd-test.py
index 4b5ba622fa..0a5ba11f89 100755
--- a/test/networkd-test.py
+++ b/test/networkd-test.py
@@ -291,8 +291,8 @@ Priority=23
self.assertEqual(self.read_attr('port2', 'brport/path_cost'), '555')
self.assertEqual(self.read_attr('port2', 'brport/multicast_fast_leave'), '1')
self.assertEqual(self.read_attr('port2', 'brport/unicast_flood'), '1')
- self.assertEqual(self.read_attr('port2', 'brport/bpdu_guard'), '1')
- self.assertEqual(self.read_attr('port2', 'brport/root_block'), '1')
+ self.assertEqual(self.read_attr('port2', 'brport/bpdu_guard'), '0')
+ self.assertEqual(self.read_attr('port2', 'brport/root_block'), '0')
class ClientTestBase(NetworkdTestingUtilities):
"""Provide common methods for testing networkd against servers."""
diff --git a/test/test-network/systemd-networkd-tests.py b/test/test-network/systemd-networkd-tests.py
index 989020e0c6..37d2151a8d 100755
--- a/test/test-network/systemd-networkd-tests.py
+++ b/test/test-network/systemd-networkd-tests.py
@@ -3931,8 +3931,8 @@ class NetworkdBridgeTests(unittest.TestCase, Utilities):
self.assertEqual(read_bridge_port_attr('bridge99', 'dummy98', 'neigh_suppress'), '1')
self.assertEqual(read_bridge_port_attr('bridge99', 'dummy98', 'learning'), '0')
self.assertEqual(read_bridge_port_attr('bridge99', 'dummy98', 'priority'), '23')
- self.assertEqual(read_bridge_port_attr('bridge99', 'dummy98', 'bpdu_guard'), '1')
- self.assertEqual(read_bridge_port_attr('bridge99', 'dummy98', 'root_block'), '1')
+ self.assertEqual(read_bridge_port_attr('bridge99', 'dummy98', 'bpdu_guard'), '0')
+ self.assertEqual(read_bridge_port_attr('bridge99', 'dummy98', 'root_block'), '0')
output = check_output('bridge -d link show test1')
print(output)
--
2.33.0

35
backport-network-ipv4acd-update-MAC-address-on-change-26753.patch Normal file
View File

@ -0,0 +1,35 @@
From 922cdcc6aed81f869fbdd875ad779ef9a2b02e75 Mon Sep 17 00:00:00 2001
From: Brett Holman <bholman.devel@gmail.com>
Date: Mon, 13 Mar 2023 09:21:30 -0600
Subject: [PATCH] network: ipv4acd: update MAC address on change (#26753)
Commit 76a86ffdbee2dd9ef0f2b5338e14eb6ba7671456 added function
ipv4acd_update_mac() but invoked ipv4ll_update_mac(), which doesn't
align with debug or commit messages.
(cherry picked from commit 0a14f83a0edb2c809c932b5d98240dd10a6bb79a)
(cherry picked from commit 59ae2a45a92025097de94cc7c0c622aa990179cf)
(cherry picked from commit 0703aa328c0c405e3771af8078c43fa9d5980860)
Conflict:NA
Reference:https://github.com/systemd/systemd-stable/commit/922cdcc6aed81f869fbdd875ad779ef9a2b02e75
---
src/network/networkd-link.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/network/networkd-link.c b/src/network/networkd-link.c
index 14d0f8eab4..5da0e4c563 100644
--- a/src/network/networkd-link.c
+++ b/src/network/networkd-link.c
@@ -2127,7 +2127,7 @@ static int link_update_hardware_address(Link *link, sd_netlink_message *message)
log_link_debug_errno(link, r, "Failed to manage link by its new hardware address, ignoring: %m");
}
- r = ipv4ll_update_mac(link);
+ r = ipv4acd_update_mac(link);
if (r < 0)
return log_link_debug_errno(link, r, "Could not update MAC address in IPv4 ACD client: %m");
--
2.33.0

59
backport-nspawn-call-json_dispatch-with-a-correct-pointer.patch Normal file
View File

@ -0,0 +1,59 @@
From 67fac85b82e6d91bea8ef86977d2ced2ca54692c Mon Sep 17 00:00:00 2001
From: Frantisek Sumsal <frantisek@sumsal.cz>
Date: Mon, 15 May 2023 19:45:13 +0200
Subject: [PATCH] nspawn: call json_dispatch() with a correct pointer
Otherwise hilarity ensues:
AddressSanitizer:DEADLYSIGNAL
=================================================================
==722==ERROR: AddressSanitizer: SEGV on unknown address 0xffffffff00000000 (pc 0x7f8d50ca9ffb bp 0x7fff11b0d4a0 sp 0x7fff11b0cc30 T0)
==722==The signal is caused by a READ memory access.
#0 0x7f8d50ca9ffb in __interceptor_strcmp.part.0 (/lib64/libasan.so.8+0xa9ffb)
#1 0x7f8d4f9cf5a1 in strcmp_ptr ../src/fundamental/string-util-fundamental.h:33
#2 0x7f8d4f9cf5f8 in streq_ptr ../src/fundamental/string-util-fundamental.h:46
#3 0x7f8d4f9d74d2 in free_and_strdup ../src/basic/string-util.c:948
#4 0x49139a in free_and_strdup_warn ../src/basic/string-util.h:197
#5 0x4923eb in oci_absolute_path ../src/nspawn/nspawn-oci.c:139
#6 0x7f8d4f6bd359 in json_dispatch ../src/shared/json.c:4395
#7 0x4a8831 in oci_hooks_array ../src/nspawn/nspawn-oci.c:2089
#8 0x7f8d4f6bd359 in json_dispatch ../src/shared/json.c:4395
#9 0x4a8b56 in oci_hooks ../src/nspawn/nspawn-oci.c:2112
#10 0x7f8d4f6bd359 in json_dispatch ../src/shared/json.c:4395
#11 0x4aa298 in oci_load ../src/nspawn/nspawn-oci.c:2197
#12 0x446cec in load_oci_bundle ../src/nspawn/nspawn.c:4744
#13 0x44ffa7 in run ../src/nspawn/nspawn.c:5477
#14 0x4552fb in main ../src/nspawn/nspawn.c:5920
#15 0x7f8d4e04a50f in __libc_start_call_main (/lib64/libc.so.6+0x2750f)
#16 0x7f8d4e04a5c8 in __libc_start_main@GLIBC_2.2.5 (/lib64/libc.so.6+0x275c8)
#17 0x40d284 in _start (/usr/bin/systemd-nspawn+0x40d284)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/lib64/libasan.so.8+0xa9ffb) in __interceptor_strcmp.part.0
==722==ABORTING
(cherry picked from commit f4e5c042c9a5659a5eebb4c91c0f1132f02a2c59)
(cherry picked from commit c7861222ba57e929fa6bb3efd73ab20540b243c2)
(cherry picked from commit d45301d66053ce3c96c6aa9a33b91eeeafff741b)
Conflict:NA
Reference:https://github.com/systemd/systemd-stable/commit/67fac85b82e6d91bea8ef86977d2ced2ca54692c
---
src/nspawn/nspawn-oci.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/nspawn/nspawn-oci.c b/src/nspawn/nspawn-oci.c
index 81b40c5431..4d69543254 100644
--- a/src/nspawn/nspawn-oci.c
+++ b/src/nspawn/nspawn-oci.c
@@ -2150,7 +2150,7 @@ static int oci_hooks_array(const char *name, JsonVariant *v, JsonDispatchFlags f
.timeout = USEC_INFINITY,
};
- r = json_dispatch(e, table, oci_unexpected, flags, userdata);
+ r = json_dispatch(e, table, oci_unexpected, flags, new_item);
if (r < 0) {
free(new_item->path);
strv_free(new_item->args);
--
2.33.0

36
backport-nspawn-fix-UID-map-string.patch Normal file
View File

@ -0,0 +1,36 @@
From 20037219b702dd34b9b34050bf64030d4f93db98 Mon Sep 17 00:00:00 2001
From: Yu Watanabe <watanabe.yu+github@gmail.com>
Date: Wed, 15 Jun 2022 22:32:40 +0900
Subject: [PATCH] nspawn: fix UID map string
We send/recv the set of payload uid, host uid, payload gid, host gid.
Hence, the index must be incremented with 4, instead of 2.
Fixes #23664.
(cherry picked from commit 05ab439a62de8bb47e4137d2a8a473a307ccfb33)
Conflict:NA
Reference:https://github.com/systemd/systemd-stable/commit/20037219b702dd34b9b34050bf64030d4f93db98
---
src/nspawn/nspawn.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
index c5fd978395..4ce80bba70 100644
--- a/src/nspawn/nspawn.c
+++ b/src/nspawn/nspawn.c
@@ -4137,8 +4137,8 @@ static int make_uid_map_string(
* quadruplet, consisting of host and container UID + GID. */
for (size_t i = 0; i < n_bind_user_uid; i++) {
- uid_t payload_uid = bind_user_uid[i*2+offset],
- host_uid = bind_user_uid[i*2+offset+1];
+ uid_t payload_uid = bind_user_uid[i*4+offset],
+ host_uid = bind_user_uid[i*4+offset+1];
assert(previous_uid <= payload_uid);
assert(payload_uid < arg_uid_range);
--
2.33.0

86
backport-nspawn-fix-a-global-buffer-overflow.patch Normal file
View File

@ -0,0 +1,86 @@
From ccb4b3522cdc6abf8a0a5443f6318fe3918795fd Mon Sep 17 00:00:00 2001
From: Frantisek Sumsal <frantisek@sumsal.cz>
Date: Mon, 15 May 2023 20:25:43 +0200
Subject: [PATCH] nspawn: fix a global-buffer-overflow
Whoopsie.
=================================================================
==3789231==ERROR: AddressSanitizer: global-buffer-overflow on address 0x00000051d0b8 at pc 0x7f70850bc904 bp 0x7ffd9bbdf660 sp 0x7ffd9bbdf658
READ of size 8 at 0x00000051d0b8 thread T0
#0 0x7f70850bc903 in json_dispatch ../src/shared/json.c:4347
#1 0x4a5b54 in oci_seccomp_syscalls ../src/nspawn/nspawn-oci.c:1838
#2 0x7f70850bd359 in json_dispatch ../src/shared/json.c:4395
#3 0x4a668c in oci_seccomp ../src/nspawn/nspawn-oci.c:1905
#4 0x7f70850bd359 in json_dispatch ../src/shared/json.c:4395
#5 0x4a7d8c in oci_linux ../src/nspawn/nspawn-oci.c:2030
#6 0x7f70850bd359 in json_dispatch ../src/shared/json.c:4395
#7 0x4aa31c in oci_load ../src/nspawn/nspawn-oci.c:2198
#8 0x446cec in load_oci_bundle ../src/nspawn/nspawn.c:4744
#9 0x44ffa7 in run ../src/nspawn/nspawn.c:5477
#10 0x4552fb in main ../src/nspawn/nspawn.c:5920
#11 0x7f7083a4a50f in __libc_start_call_main (/lib64/libc.so.6+0x2750f)
#12 0x7f7083a4a5c8 in __libc_start_main@GLIBC_2.2.5 (/lib64/libc.so.6+0x275c8)
#13 0x40d284 in _start (/home/fsumsal/repos/@systemd/systemd/build-san/systemd-nspawn+0x40d284)
0x00000051d0b8 is located 40 bytes to the left of global variable 'bus_standard_errors_copy_0' defined in '../src/libsystemd/sd-bus/bus-error.h:57:1' (0x51d0e0) of size 8
0x00000051d0b8 is located 0 bytes to the right of global variable 'table' defined in '../src/nspawn/nspawn-oci.c:1829:43' (0x51d040) of size 120
SUMMARY: AddressSanitizer: global-buffer-overflow ../src/shared/json.c:4347 in json_dispatch
Shadow bytes around the buggy address:
0x00008009b9c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x00008009b9d0: 00 00 00 00 f9 f9 f9 f9 00 00 00 00 00 00 00 00
0x00008009b9e0: 00 00 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
0x00008009b9f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x00008009ba00: 00 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
=>0x00008009ba10: 00 00 00 00 00 00 00[f9]f9 f9 f9 f9 00 f9 f9 f9
0x00008009ba20: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
0x00008009ba30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x00008009ba40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x00008009ba50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x00008009ba60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==3789231==ABORTING
(cherry picked from commit 525c3e3438a7e4cd78b42f5f6ccdc3df1e363ca9)
(cherry picked from commit b8ed81660f0ad27f047153da8c28d9be4e8e1540)
(cherry picked from commit 6f52d1bf9e0a4a4e959c9967d4643084b9ed6f17)
Conflict:NA
Reference:https://github.com/systemd/systemd-stable/commit/ccb4b3522cdc6abf8a0a5443f6318fe3918795fd
---
src/nspawn/nspawn-oci.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/nspawn/nspawn-oci.c b/src/nspawn/nspawn-oci.c
index 86b838bd0e..ded7fe0d41 100644
--- a/src/nspawn/nspawn-oci.c
+++ b/src/nspawn/nspawn-oci.c
@@ -1888,6 +1888,7 @@ static int oci_seccomp_syscalls(const char *name, JsonVariant *v, JsonDispatchFl
{ "names", JSON_VARIANT_ARRAY, json_dispatch_strv, offsetof(struct syscall_rule, names), JSON_MANDATORY },
{ "action", JSON_VARIANT_STRING, oci_seccomp_action, offsetof(struct syscall_rule, action), JSON_MANDATORY },
{ "args", JSON_VARIANT_ARRAY, oci_seccomp_args, 0, 0 },
+ {}
};
struct syscall_rule rule = {
.action = UINT32_MAX,
--
2.33.0

31
backport-nspawn-fix-inverted-condition.patch Normal file
View File

@ -0,0 +1,31 @@
From 3f9f8a6ed3c05f21d6bc95e1f29cb9fbfac981e1 Mon Sep 17 00:00:00 2001
From: Frantisek Sumsal <frantisek@sumsal.cz>
Date: Mon, 15 May 2023 20:10:05 +0200
Subject: [PATCH] nspawn: fix inverted condition
(cherry picked from commit fc832965476d106fb3d5a6c9a43f5ff3166987b2)
(cherry picked from commit 756e77b93636a6de55110e46158defd1d7e69aca)
(cherry picked from commit 40024e6d39bbcc9ee9a3f2de60edaaa7fc5a132c)
Conflict:NA
Reference:https://github.com/systemd/systemd-stable/commit/3f9f8a6ed3c05f21d6bc95e1f29cb9fbfac981e1
---
src/nspawn/nspawn-oci.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/nspawn/nspawn-oci.c b/src/nspawn/nspawn-oci.c
index 4d69543254..86b838bd0e 100644
--- a/src/nspawn/nspawn-oci.c
+++ b/src/nspawn/nspawn-oci.c
@@ -1638,7 +1638,7 @@ static int oci_sysctl(const char *name, JsonVariant *v, JsonDispatchFlags flags,
assert_se(m = json_variant_string(w));
- if (sysctl_key_valid(k))
+ if (!sysctl_key_valid(k))
return json_log(v, flags, SYNTHETIC_ERRNO(EINVAL),
"sysctl key invalid, refusing: %s", k);
--
2.33.0

33
backport-pid1-fix-coredump_filter-setting.patch Normal file
View File

@ -0,0 +1,33 @@
From 857fdbc6081a80e45b391ebce70539e5f900020f Mon Sep 17 00:00:00 2001
From: David Schroeder <schrdave@amazon.com>
Date: Wed, 12 Apr 2023 16:48:21 -0700
Subject: [PATCH] pid1: fix coredump_filter setting
Correct what appears to be a copy/paste error in config_parse_exec_coredump_filter that is preventing the coredump_filter setting from working correctly.
(cherry picked from commit 9c669abb7106ae340ea47e7747d3bd054fbacdc5)
(cherry picked from commit 91953109ecd0956775b5bef442cd567917b11050)
(cherry picked from commit be49fcd07b3fa6db96dc8ff237f4bad959350b6c)
Conflict:NA
Reference:https://github.com/systemd/systemd-stable/commit/857fdbc6081a80e45b391ebce70539e5f900020f
---
src/core/load-fragment.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/core/load-fragment.c b/src/core/load-fragment.c
index 8a14cd569c..478026e3ae 100644
--- a/src/core/load-fragment.c
+++ b/src/core/load-fragment.c
@@ -780,7 +780,7 @@ int config_parse_exec_coredump_filter(
}
c->coredump_filter |= f;
- c->oom_score_adjust_set = true;
+ c->coredump_filter_set = true;
return 0;
}
--
2.33.0

130
backport-pid1-when-taking-possession-of-passed-fds-check-O_CL.patch Normal file
View File

@ -0,0 +1,130 @@
From 4981dd7c8771e83d625ee42dec709c5504cbad80 Mon Sep 17 00:00:00 2001
From: Lennart Poettering <lennart@poettering.net>
Date: Tue, 30 May 2023 15:33:59 +0200
Subject: [PATCH] pid1: when taking possession of passed fds check O_CLOEXEC
state first
So here's the thing. One library we use (libselinux) is opening fds
behind our back when we initialize it and keeps it open. On the other
hand we want to automatically pick up all fds passed in to us, so that
we can distribute them to our services and close the rest. We pick them
up very early in our code, to ensure that we don't get confused by open
fds at that point. Except that libselinux insists on being initialized
even earlier. So suddenly we might take possession of libselinux' fds,
and then close them later when we decide no service wants them. Then
during shutdown we close down selinux and selinux closes its fds, but
since already closed long ago this ight close our fds instead. Hilarity
ensues.
I wish low-level software wouldn't do such things behind our back, but
well, let's make the best of it.
This changes the fd pick-up logic to only pick up fds that have
O_CLOEXEC unset. O_CLOEXEC must be unset for any fds passed in to us
over execve() after all. And for all our own fds we should set O_CLOEXEC
since we generally don't want to litter fd tables for execve(). Also,
libselinux thankfully appears to set O_CLOEXEC correctly on its fds,
hence the filter works.
Fixes: #27491
(cherry picked from commit eb564f928e401def8d3aaa2a90f33cb09cdc1517)
Backport of the cloexec filter for v253, and for v252 (actually tested
with v252). Note that I've left the name _s of the function parameter as
it was before.
(cherry picked from commit 88bf6b5815d81cb6d29e9a41f752c70584fac062)
(cherry picked from commit 4dd3f8934a51d065d2b3df6d368989f9610a37b5)
Conflict:code context adaptation
Reference:https://github.com/systemd/systemd-stable/commit/4981dd7c8771e83d625ee42dec709c5504cbad80
---
src/core/main.c | 16 ++++++++++++----
src/shared/fdset.c | 18 +++++++++++++++++-
src/shared/fdset.h | 2 +-
3 files changed, 30 insertions(+), 6 deletions(-)
diff --git a/src/core/main.c b/src/core/main.c
index 46d6968b6b..9934bda1f3 100644
--- a/src/core/main.c
+++ b/src/core/main.c
@@ -2578,16 +2578,24 @@ static int collect_fds(FDSet **ret_fds, const char **ret_error_message) {
assert(ret_fds);
assert(ret_error_message);
- r = fdset_new_fill(ret_fds);
+ /* Pick up all fds passed to us. We apply a filter here: we only take the fds that have O_CLOEXEC
+ * off. All fds passed via execve() to us must have O_CLOEXEC off, and our own code and dependencies
+ * should be clean enough to set O_CLOEXEC universally. Thus checking the bit should be a safe
+ * mechanism to distinguish passed in fds from our own.
+ *
+ * Why bother? Some subsystems we initialize early, specifically selinux might keep fds open in our
+ * process behind our back. We should not take possession of that (and then accidentally close
+ * it). SELinux thankfully sets O_CLOEXEC on its fds, so this test should work. */
+ r = fdset_new_fill(/* filter_cloexec= */ 0, ret_fds);
if (r < 0) {
*ret_error_message = "Failed to allocate fd set";
return log_emergency_errno(r, "Failed to allocate fd set: %m");
}
- fdset_cloexec(*ret_fds, true);
+ (void) fdset_cloexec(*ret_fds, true);
- if (arg_serialization)
- assert_se(fdset_remove(*ret_fds, fileno(arg_serialization)) >= 0);
+ /* The serialization fd should have O_CLOEXEC turned on already, let's verify that we didn't pick it up here */
+ assert_se(!arg_serialization || !fdset_contains(*ret_fds, fileno(arg_serialization)));
return 0;
}
diff --git a/src/shared/fdset.c b/src/shared/fdset.c
index c621c14ba6..6f40c6aa0d 100644
--- a/src/shared/fdset.c
+++ b/src/shared/fdset.c
@@ -124,7 +124,9 @@ int fdset_remove(FDSet *s, int fd) {
return set_remove(MAKE_SET(s), FD_TO_PTR(fd)) ? fd : -ENOENT;
}
-int fdset_new_fill(FDSet **_s) {
+int fdset_new_fill(
+ int filter_cloexec, /* if < 0 takes all fds, otherwise only those with O_CLOEXEC set (1) or unset (0) */
+ FDSet **_s) {
_cleanup_closedir_ DIR *d = NULL;
struct dirent *de;
int r = 0;
@@ -157,6 +159,20 @@ int fdset_new_fill(FDSet **_s) {
if (fd == dirfd(d))
continue;
+ if (filter_cloexec >= 0) {
+ int fl;
+
+ /* If user asked for that filter by O_CLOEXEC. This is useful so that fds that have
+ * been passed in can be collected and fds which have been created locally can be
+ * ignored, under the assumption that only the latter have O_CLOEXEC set. */
+ fl = fcntl(fd, F_GETFD);
+ if (fl < 0)
+ return -errno;
+
+ if (FLAGS_SET(fl, FD_CLOEXEC) != !!filter_cloexec)
+ continue;
+ }
+
r = fdset_put(s, fd);
if (r < 0)
goto finish;
diff --git a/src/shared/fdset.h b/src/shared/fdset.h
index 39d15ee4aa..e8a6b4869d 100644
--- a/src/shared/fdset.h
+++ b/src/shared/fdset.h
@@ -19,7 +19,7 @@ bool fdset_contains(FDSet *s, int fd);
int fdset_remove(FDSet *s, int fd);
int fdset_new_array(FDSet **ret, const int *fds, size_t n_fds);
-int fdset_new_fill(FDSet **ret);
+int fdset_new_fill(int filter_cloexec, FDSet **ret);
int fdset_new_listen_fds(FDSet **ret, bool unset);
int fdset_cloexec(FDSet *fds, bool b);
--
2.33.0

79
backport-rm-rf-fix-errno-handling.patch Normal file
View File

@ -0,0 +1,79 @@
From 37db6597daa992702b3a8a5b7a636f935e6861ba Mon Sep 17 00:00:00 2001
From: Yu Watanabe <watanabe.yu+github@gmail.com>
Date: Sat, 18 Mar 2023 23:35:04 +0900
Subject: [PATCH] rm-rf: fix errno handling
(cherry picked from commit cd2cd095db6f26bf9889ef26f1b105843220b803)
(cherry picked from commit 80417f90b03707a873bbff89f246ece3fb9f2c95)
(cherry picked from commit 25a8b163be1558cc837af68baefac3c8f1ba3497)
Conflict:add function RET_NERRNO
Reference:https://github.com/systemd/systemd-stable/commit/37db6597daa992702b3a8a5b7a636f935e6861ba
---
src/basic/errno-util.h | 23 +++++++++++++++++++++++
src/shared/rm-rf.c | 8 ++++----
2 files changed, 27 insertions(+), 4 deletions(-)
diff --git a/src/basic/errno-util.h b/src/basic/errno-util.h
index ffa3e12..57071e5 100644
--- a/src/basic/errno-util.h
+++ b/src/basic/errno-util.h
@@ -31,6 +31,29 @@ static inline int negative_errno(void) {
return -errno;
}
+static inline int RET_NERRNO(int ret) {
+
+ /* Helper to wrap system calls in to make them return negative errno errors. This brings system call
+ * error handling in sync with how we usually handle errors in our own code, i.e. with immediate
+ * returning of negative errno. Usage is like this:
+ *
+ * …
+ * r = RET_NERRNO(unlink(t));
+ * …
+ *
+ * or
+ *
+ * …
+ * fd = RET_NERRNO(open("/etc/fstab", O_RDONLY|O_CLOEXEC));
+ * …
+ */
+
+ if (ret < 0)
+ return negative_errno();
+
+ return ret;
+}
+
static inline const char *strerror_safe(int error) {
/* 'safe' here does NOT mean thread safety. */
return strerror(abs(error)); /* lgtm [cpp/potentially-dangerous-function] */
diff --git a/src/shared/rm-rf.c b/src/shared/rm-rf.c
index 954686f..58e54f6 100644
--- a/src/shared/rm-rf.c
+++ b/src/shared/rm-rf.c
@@ -288,8 +288,8 @@ int rm_rf_children(
if (!newdirname)
return log_oom();
- int newfd = openat(fd, de->d_name,
- O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC|O_NOFOLLOW|O_NOATIME);
+ int newfd = RET_NERRNO(openat(fd, de->d_name,
+ O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC|O_NOFOLLOW|O_NOATIME));
if (newfd >= 0) {
todos[n_todo++] = (TodoEntry) { TAKE_PTR(d), TAKE_PTR(dirname) };
fd = newfd;
@@ -297,8 +297,8 @@ int rm_rf_children(
goto next_fd;
- } else if (errno != -ENOENT && ret == 0)
- ret = -errno;
+ } else if (newfd != -ENOENT && ret == 0)
+ ret = newfd;
} else if (r < 0 && r != -ENOENT && ret == 0)
ret = r;
--
2.33.0

41
backport-scope-do-not-disable-timer-event-source-when-state-i.patch Normal file
View File

@ -0,0 +1,41 @@
From 7aa7e9e93db471b1811a916a3c3c6e3d53abad4a Mon Sep 17 00:00:00 2001
From: Nick Rosbrook <nick.rosbrook@canonical.com>
Date: Tue, 4 Apr 2023 18:39:26 -0400
Subject: [PATCH] scope: do not disable timer event source when state is
SCOPE_RUNNING
In scope_set_state(), the timer event source may be disabled depending
on the state. Currently, it will be disabled when the state is
SCOPE_RUNNING. This has the effect of new RuntimeMaxSec values being
ignored on coldplug.
Note that this issue is not currently present when scopes are started
because when scope_start() is called, scope_arm_timer() is called after
scope_set_state().
(cherry picked from commit e1f85b49b09ed3e3717cf7776c9da7acc4e906c6)
(cherry picked from commit 999f48558bbe5d4665b97d76c530edc12f71b70b)
(cherry picked from commit 6bdcd58a88ca70b4fc097941a8f435400eb90e53)
Conflict:NA
Reference:https://github.com/systemd/systemd-stable/commit/7aa7e9e93db471b1811a916a3c3c6e3d53abad4a
---
src/core/scope.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/core/scope.c b/src/core/scope.c
index 1289bb8cb4..a2c9a3fd4d 100644
--- a/src/core/scope.c
+++ b/src/core/scope.c
@@ -107,7 +107,7 @@ static void scope_set_state(Scope *s, ScopeState state) {
old_state = s->state;
s->state = state;
- if (!IN_SET(state, SCOPE_STOP_SIGTERM, SCOPE_STOP_SIGKILL))
+ if (!IN_SET(state, SCOPE_STOP_SIGTERM, SCOPE_STOP_SIGKILL, SCOPE_RUNNING))
s->timer_event_source = sd_event_source_disable_unref(s->timer_event_source);
if (IN_SET(state, SCOPE_DEAD, SCOPE_FAILED)) {
--
2.33.0

33
backport-sd-bus-Use-goto-finish-instead-of-return-in-bus_add_.patch Normal file
View File

@ -0,0 +1,33 @@
From 85d37c860d29041df21038d14a4268419836bb51 Mon Sep 17 00:00:00 2001
From: Daan De Meyer <daan.j.demeyer@gmail.com>
Date: Fri, 11 Nov 2022 11:09:28 +0100
Subject: [PATCH] sd-bus: Use goto finish instead of return in
bus_add_match_full
Fixes #25340
(cherry picked from commit 0f3c342903d1a09577378912717539b530af1fcf)
(cherry picked from commit eea92b179d07ef46b2fdfe4e0a918278ac43a81c)
Conflict:NA
Reference:https://github.com/systemd/systemd-stable/commit/85d37c860d29041df21038d14a4268419836bb51
---
src/libsystemd/sd-bus/sd-bus.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/libsystemd/sd-bus/sd-bus.c b/src/libsystemd/sd-bus/sd-bus.c
index a9189360fd..287d7d4753 100644
--- a/src/libsystemd/sd-bus/sd-bus.c
+++ b/src/libsystemd/sd-bus/sd-bus.c
@@ -3530,7 +3530,7 @@ static int bus_add_match_full(
s);
if (r < 0)
- return r;
+ goto finish;
/* Make the slot of the match call floating now. We need the reference, but we don't
* want that this match pins the bus object, hence we first create it non-floating, but
--
2.33.0

67
backport-sd-bus-bus_message_type_from_string-is-not-pure.patch Normal file
View File

@ -0,0 +1,67 @@
From a810ea5f9595103b834000374061f4fd30ea74e0 Mon Sep 17 00:00:00 2001
From: Xi Ruoyao <xry111@xry111.site>
Date: Wed, 10 May 2023 01:41:28 +0800
Subject: [PATCH] sd-bus: bus_message_type_from_string is not pure
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
GCC document [1] says:
The pure attribute prohibits a function from modifying the state
of the program that is observable by means other than inspecting
the functions return value.
And there is an example:
`int hash (char *) __attribute__ ((pure));`
... Even though hash takes a non-const pointer argument it must
not modify the array it points to, ...
But we are modifying the object pointed to by the pointer u, which is
clearly a violation of the semantic of pure.
With -ftrivial-auto-var-init (enabled by -Dmode=release), on some
targets (GCC 12.2 on AArch64 and GCC 13.1 on x86_64) performs an
optimization: as the variable "u" in bus_match_parse has been
zero-initialized (by the -ftrivial-auto-var-init option) and never
modified (because a "pure" bus_message_type_from_string is not allowed
to modify it), "u" will be always 0.
Then 0 is used to initialize .value_u8 field of struct
bus_match_component. This then causes a infinite event loop, so
"systemctl restart" never stops, and pam_systemd timeouts communicating
with logind, etc.
So we should remove the "pure" attribute here.
Fixes #26395.
[1]:https://gcc.gnu.org/onlinedocs/gcc/Common-Function-Attributes.html#index-pure-function-attribute
(cherry picked from commit 6723c28f36ea566faf61d3610012cd89f95ee4a0)
(cherry picked from commit 59dccdfddbdde5d4ff047108a545106f2bac6872)
(cherry picked from commit bf2f71a0615b3831f170728760171d8bfb13fc5e)
Conflict:NA
Reference:https://github.com/systemd/systemd-stable/commit/a810ea5f9595103b834000374061f4fd30ea74e0
---
src/libsystemd/sd-bus/bus-internal.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/libsystemd/sd-bus/bus-internal.h b/src/libsystemd/sd-bus/bus-internal.h
index 51673ad1c5..d486e17fc9 100644
--- a/src/libsystemd/sd-bus/bus-internal.h
+++ b/src/libsystemd/sd-bus/bus-internal.h
@@ -361,7 +361,7 @@ bool path_complex_pattern(const char *pattern, const char *value) _pure_;
bool namespace_simple_pattern(const char *pattern, const char *value) _pure_;
bool path_simple_pattern(const char *pattern, const char *value) _pure_;
-int bus_message_type_from_string(const char *s, uint8_t *u) _pure_;
+int bus_message_type_from_string(const char *s, uint8_t *u);
const char *bus_message_type_to_string(uint8_t u) _pure_;
#define error_name_is_valid interface_name_is_valid
--
2.33.0

50
backport-sd-bus-sd-event-allow-querying-of-description-even-a.patch Normal file
View File

@ -0,0 +1,50 @@
From a1d045bb9cb781b64033be8d593a0d16d7df5053 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
Date: Thu, 18 May 2023 17:05:41 +0200
Subject: [PATCH] sd-bus,sd-event: allow querying of description even after
fork
This in unnecessarilly unpleasant: the code might report about a bus
connection, e.g. in an error message or assert. Let's let it query
the name of the object.
This partially reverts f4b2933ee7890e5d414ab266d8586f19027a2bd9.
(cherry picked from commit ed7a6f51eab5af40d3d7884ce846f74aea0c00f0)
(cherry picked from commit a3e5eb5606d92b5c4db9306cbd3fcac56e9ff10a)
(cherry picked from commit 299573b5d7eeec6b25e07cf6ec12b2ffef151f85)
Conflict:code context adaptation
Reference:https://github.com/systemd/systemd-stable/commit/a1d045bb9cb781b64033be8d593a0d16d7df5053
---
src/libsystemd/sd-bus/sd-bus.c | 1 -
src/libsystemd/sd-event/sd-event.c | 1 -
2 files changed, 2 deletions(-)
diff --git a/src/libsystemd/sd-bus/sd-bus.c b/src/libsystemd/sd-bus/sd-bus.c
index dae85becc2..c53686f6b0 100644
--- a/src/libsystemd/sd-bus/sd-bus.c
+++ b/src/libsystemd/sd-bus/sd-bus.c
@@ -4162,7 +4162,6 @@ _public_ int sd_bus_get_description(sd_bus *bus, const char **description) {
assert_return(bus = bus_resolve(bus), -ENOPKG);
assert_return(description, -EINVAL);
assert_return(bus->description, -ENXIO);
- assert_return(!bus_pid_changed(bus), -ECHILD);
if (bus->description)
*description = bus->description;
diff --git a/src/libsystemd/sd-event/sd-event.c b/src/libsystemd/sd-event/sd-event.c
index 00bf6ac1e5..95102921a5 100644
--- a/src/libsystemd/sd-event/sd-event.c
+++ b/src/libsystemd/sd-event/sd-event.c
@@ -2162,7 +2162,6 @@ _public_ int sd_event_source_set_description(sd_event_source *s, const char *des
_public_ int sd_event_source_get_description(sd_event_source *s, const char **description) {
assert_return(s, -EINVAL);
assert_return(description, -EINVAL);
- assert_return(!event_pid_changed(s->event), -ECHILD);
if (!s->description)
return -ENXIO;
--
2.33.0

99
backport-sd-device-add-helper-to-read-a-unsigned-int-attribut.patch Normal file
View File

@ -0,0 +1,99 @@
From 1fc74d251e30196c9196cafd60d163c218bdc1aa Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
Date: Tue, 23 Aug 2022 16:24:02 +0200
Subject: [PATCH] sd-device: add helper to read a unsigned int attribute
There are dozens of places where this could be used, but I don't
want to do the conversion now because it's quite a bit of work.
I think we could export this function later on, because reading
numerical attributes is so common. But for now, I'm just adding the
helper to use it one place.
(cherry picked from commit 48a511cf92cbf202e9ef6064a9b5ebd1f497e1a8)
Conflict:code context adaptation
Reference:https://github.com/systemd/systemd-stable/commit/1fc74d251e30196c9196cafd60d163c218bdc1aa
---
src/libsystemd/sd-device/device-private.h | 2 ++
src/libsystemd/sd-device/sd-device.c | 33 +++++++++++++++++++++++
src/libsystemd/sd-device/test-sd-device.c | 7 +++++
3 files changed, 42 insertions(+)
diff --git a/src/libsystemd/sd-device/device-private.h b/src/libsystemd/sd-device/device-private.h
index 9602f9eda3..7fa8dc0035 100644
--- a/src/libsystemd/sd-device/device-private.h
+++ b/src/libsystemd/sd-device/device-private.h
@@ -18,6 +18,8 @@ static inline int device_new_from_watch_handle(sd_device **ret, int wd) {
return device_new_from_watch_handle_at(ret, -1, wd);
}
+int device_get_sysattr_unsigned(sd_device *device, const char *sysattr, unsigned *ret_value);
+int device_get_sysattr_bool(sd_device *device, const char *sysattr);
int device_get_device_id(sd_device *device, const char **ret);
int device_get_devlink_priority(sd_device *device, int *priority);
diff --git a/src/libsystemd/sd-device/sd-device.c b/src/libsystemd/sd-device/sd-device.c
index 62531b9564..5660538dd3 100644
--- a/src/libsystemd/sd-device/sd-device.c
+++ b/src/libsystemd/sd-device/sd-device.c
@@ -2172,6 +2172,39 @@ _public_ int sd_device_get_sysattr_value(sd_device *device, const char *sysattr,
return 0;
}
+int device_get_sysattr_unsigned(sd_device *device, const char *sysattr, unsigned *ret_value) {
+ const char *value;
+ int r;
+
+ r = sd_device_get_sysattr_value(device, sysattr, &value);
+ if (r < 0)
+ return r;
+
+ unsigned v;
+ r = safe_atou(value, &v);
+ if (r < 0)
+ return log_device_debug_errno(device, r, "Failed to parse '%s' attribute: %m", sysattr);
+
+ if (ret_value)
+ *ret_value = v;
+ /* We return "true" if the value is positive. */
+ return v > 0;
+}
+
+int device_get_sysattr_bool(sd_device *device, const char *sysattr) {
+ const char *value;
+ int r;
+
+ assert(device);
+ assert(sysattr);
+
+ r = sd_device_get_sysattr_value(device, sysattr, &value);
+ if (r < 0)
+ return r;
+
+ return parse_boolean(value);
+}
+
static void device_remove_cached_sysattr_value(sd_device *device, const char *_key) {
_cleanup_free_ char *key = NULL;
diff --git a/src/libsystemd/sd-device/test-sd-device.c b/src/libsystemd/sd-device/test-sd-device.c
index fa334df6c7..01c184a7d0 100644
--- a/src/libsystemd/sd-device/test-sd-device.c
+++ b/src/libsystemd/sd-device/test-sd-device.c
@@ -177,6 +177,13 @@ static void test_sd_device_one(sd_device *d) {
r = sd_device_get_sysattr_value(d, "name_assign_type", &val);
assert_se(r >= 0 || ERRNO_IS_PRIVILEGE(r) || IN_SET(r, -ENOENT, -EINVAL));
+
+ if (r > 0) {
+ unsigned x;
+
+ assert_se(device_get_sysattr_unsigned(d, "name_assign_type", NULL) >= 0);
+ assert_se(device_get_sysattr_unsigned(d, "name_assign_type", &x) >= 0);
+ }
r = sd_device_get_property_value(d, "ID_NET_DRIVER", &val);
assert_se(r >= 0 || r == -ENOENT);
--
2.33.0

46
backport-sd-device-fix-double-free.patch Normal file
View File

@ -0,0 +1,46 @@
From 8f4d5828aa16756ea5653a8dec46043710c3587c Mon Sep 17 00:00:00 2001
From: Yu Watanabe <watanabe.yu+github@gmail.com>
Date: Mon, 12 Dec 2022 14:16:09 +0900
Subject: [PATCH] sd-device: fix double-free
If an attribute is read but the value is not used (i.e. ret_value is NULL),
then sd_device_get_sysattr_value() mistakenly frees the read data even though
it is cached internally.
Fixes a bug introduced by acfc2a1d15560084e077ffb3be472cd117e9020a.
Fixes #25702.
(cherry picked from commit eb18e7b7825e8320bb4d6269690ef8c3f5461d2b)
(cherry picked from commit aeb36537443272f0bf73dd672837eabcecb34f3a)
Conflict:NA
Reference:https://github.com/systemd/systemd-stable/commit/8f4d5828aa16756ea5653a8dec46043710c3587c
---
src/libsystemd/sd-device/sd-device.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/src/libsystemd/sd-device/sd-device.c b/src/libsystemd/sd-device/sd-device.c
index 5660538dd3..b0f6318fd8 100644
--- a/src/libsystemd/sd-device/sd-device.c
+++ b/src/libsystemd/sd-device/sd-device.c
@@ -2166,9 +2166,14 @@ _public_ int sd_device_get_sysattr_value(sd_device *device, const char *sysattr,
sysattr, value, ret_value ? "" : ", ignoring");
if (ret_value)
return r;
- } else if (ret_value)
- *ret_value = TAKE_PTR(value);
+ return 0;
+ }
+
+ if (ret_value)
+ *ret_value = value;
+
+ TAKE_PTR(value);
return 0;
}
--
2.33.0

35
backport-sd-dhcp-server-allow-to-send-header-only-message.patch Normal file
View File

@ -0,0 +1,35 @@
From 41fdc8ed32408d598ddafc7feb3beece7f654262 Mon Sep 17 00:00:00 2001
From: Yu Watanabe <watanabe.yu+github@gmail.com>
Date: Sat, 28 Jan 2023 14:01:37 +0900
Subject: [PATCH] sd-dhcp-server: allow to send header only message
If we receive a header only message, and the server is running in relay
mode, then the assertion was triggered.
Fixes #26151.
(cherry picked from commit b52031dbbcabe4b1e3016ba64d4a2822740188bc)
(cherry picked from commit 7aeb2a8d4ea660ad863e7b2c5432f64f903f1cd5)
Conflict:NA
Reference:https://github.com/systemd/systemd-stable/commit/41fdc8ed32408d598ddafc7feb3beece7f654262
---
src/libsystemd-network/sd-dhcp-server.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/libsystemd-network/sd-dhcp-server.c b/src/libsystemd-network/sd-dhcp-server.c
index 5c9ba9f618..c99f8a86ad 100644
--- a/src/libsystemd-network/sd-dhcp-server.c
+++ b/src/libsystemd-network/sd-dhcp-server.c
@@ -390,7 +390,7 @@ static int dhcp_server_send_udp(sd_dhcp_server *server, be32_t destination,
assert(server);
assert(server->fd >= 0);
assert(message);
- assert(len > sizeof(DHCPMessage));
+ assert(len >= sizeof(DHCPMessage));
if (server->bind_to_interface) {
msg.msg_control = &control;
--
2.33.0

104
backport-sd-journal-avoid-double-free.patch Normal file
View File

@ -0,0 +1,104 @@
From 541d8d76b9dcc059ab7b77c76bb5c916377f4c63 Mon Sep 17 00:00:00 2001
From: Frantisek Sumsal <frantisek@sumsal.cz>
Date: Tue, 23 May 2023 18:09:23 +0200
Subject: [PATCH] sd-journal: avoid double-free
If we fail to combine the new entry with a previous one, or update it in
the hashmap, we might later on attempt a double-free:
=================================================================
==10==ERROR: AddressSanitizer: attempting double-free on 0x611000039fc0 in thread T0:
SCARINESS: 42 (double-free)
#0 0x4a0962 in __interceptor_free /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:52:3
#1 0x7f55e431d9f2 in _hashmap_clear /work/build/../../src/systemd/src/basic/hashmap.c:927:33
#2 0x7f55e431d4c8 in _hashmap_free /work/build/../../src/systemd/src/basic/hashmap.c:896:17
#3 0x4de1de in ordered_hashmap_free_free_free /work/build/../../src/systemd/src/basic/hashmap.h:120:24
#4 0x4de1de in ordered_hashmap_free_free_freep /work/build/../../src/systemd/src/basic/hashmap.h:434:1
#5 0x4de1de in LLVMFuzzerTestOneInput /work/build/../../src/systemd/src/fuzz/fuzz-catalog.c:26:1
#6 0x4de8b8 in NaloFuzzerTestOneInput (/build/fuzz-catalog+0x4de8b8)
#7 0x4fd8c3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15
#8 0x4fd0aa in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:514:3
#9 0x4fe779 in fuzzer::Fuzzer::MutateAndTestOne() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:757:19
#10 0x4ff445 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, std::__Fuzzer::allocator<fuzzer::SizedFile> >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:895:5
#11 0x4ee7af in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:912:6
#12 0x4ef078 in LLVMFuzzerRunDriver /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:925:10
#13 0x4deb35 in main (/build/fuzz-catalog+0x4deb35)
#14 0x7f55e3a32082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee)
#15 0x41f7cd in _start (/build/fuzz-catalog+0x41f7cd)
DEDUP_TOKEN: __interceptor_free--_hashmap_clear--_hashmap_free
0x611000039fc0 is located 0 bytes inside of 224-byte region [0x611000039fc0,0x61100003a0a0)
freed by thread T0 here:
#0 0x4a0962 in __interceptor_free /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:52:3
#1 0x7f55e451493d in freep /work/build/../../src/systemd/src/basic/alloc-util.h:107:22
#2 0x7f55e451493d in finish_item /work/build/../../src/systemd/src/libsystemd/sd-journal/catalog.c:187:1
#3 0x7f55e4513e56 in catalog_import_file /work/build/../../src/systemd/src/libsystemd/sd-journal/catalog.c:313:45
#4 0x4de1be in LLVMFuzzerTestOneInput /work/build/../../src/systemd/src/fuzz/fuzz-catalog.c:23:16
#5 0x4de8b8 in NaloFuzzerTestOneInput (/build/fuzz-catalog+0x4de8b8)
#6 0x4fd8c3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15
#7 0x4fd0aa in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:514:3
#8 0x4fe779 in fuzzer::Fuzzer::MutateAndTestOne() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:757:19
#9 0x4ff445 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, std::__Fuzzer::allocator<fuzzer::SizedFile> >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:895:5
#10 0x4ee7af in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:912:6
#11 0x4ef078 in LLVMFuzzerRunDriver /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:925:10
#12 0x4deb35 in main (/build/fuzz-catalog+0x4deb35)
#13 0x7f55e3a32082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee)
DEDUP_TOKEN: __interceptor_free--freep--finish_item
previously allocated by thread T0 here:
#0 0x4a0c06 in __interceptor_malloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:69:3
#1 0x4de539 in malloc (/build/fuzz-catalog+0x4de539)
#2 0x7f55e42bf96b in memdup /work/build/../../src/systemd/src/basic/alloc-util.c:16:15
#3 0x7f55e451475d in finish_item /work/build/../../src/systemd/src/libsystemd/sd-journal/catalog.c:176:28
#4 0x7f55e4513e56 in catalog_import_file /work/build/../../src/systemd/src/libsystemd/sd-journal/catalog.c:313:45
#5 0x4de1be in LLVMFuzzerTestOneInput /work/build/../../src/systemd/src/fuzz/fuzz-catalog.c:23:16
#6 0x4de8b8 in NaloFuzzerTestOneInput (/build/fuzz-catalog+0x4de8b8)
#7 0x4fd8c3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15
#8 0x4fd0aa in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:514:3
#9 0x4fe779 in fuzzer::Fuzzer::MutateAndTestOne() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:757:19
#10 0x4ff445 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, std::__Fuzzer::allocator<fuzzer::SizedFile> >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:895:5
#11 0x4ee7af in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:912:6
#12 0x4ef078 in LLVMFuzzerRunDriver /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:925:10
#13 0x4deb35 in main (/build/fuzz-catalog+0x4deb35)
#14 0x7f55e3a32082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee)
DEDUP_TOKEN: __interceptor_malloc--malloc--memdup
SUMMARY: AddressSanitizer: double-free /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:52:3 in __interceptor_free
Found by Nallocfuzz.
(cherry picked from commit ac874b8fb13bf293986a3814149a820729b27a30)
(cherry picked from commit b1663b83338dc335e86eda05e28f229f25bdfa48)
(cherry picked from commit 6ebbc8fcdc844e1fa82cc995880470e0f8b31239)
Conflict:NA
Reference:https://github.com/systemd/systemd-stable/commit/541d8d76b9dcc059ab7b77c76bb5c916377f4c63
---
src/libsystemd/sd-journal/catalog.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/libsystemd/sd-journal/catalog.c b/src/libsystemd/sd-journal/catalog.c
index b988ee3bba..046d4e0920 100644
--- a/src/libsystemd/sd-journal/catalog.c
+++ b/src/libsystemd/sd-journal/catalog.c
@@ -145,7 +145,8 @@ static int finish_item(
char *payload, size_t payload_size) {
_cleanup_free_ CatalogItem *i = NULL;
- _cleanup_free_ char *prev = NULL, *combined = NULL;
+ _cleanup_free_ char *combined = NULL;
+ char *prev;
assert(h);
assert(payload);
@@ -171,6 +172,7 @@ static int finish_item(
if (ordered_hashmap_update(h, i, combined) < 0)
return log_oom();
combined = NULL;
+ free(prev);
} else {
/* A new item */
combined = memdup(payload, payload_size + 1);
--
2.33.0

54
backport-sd-journal-copy-boot-ID.patch Normal file
View File

@ -0,0 +1,54 @@
From 905553acb1b604377ebc50010336a365f2553e1a Mon Sep 17 00:00:00 2001
From: Yu Watanabe <watanabe.yu+github@gmail.com>
Date: Wed, 26 Apr 2023 20:37:00 +0900
Subject: [PATCH] sd-journal: copy boot ID
The pointer to boot ID may be invalidate by journal_file_move_to_object()
calls in the later loop.
(cherry picked from commit bf9b7728e6e8eb185d2c9bfc6641077489384bc8)
(cherry picked from commit 3bc2553cfcc57144aadacff0555b1a0e45e3fdbf)
(cherry picked from commit 2a4dca19f1667f9ae7d273d552e0247d3e405c62)
Conflict:code context adaptation
Reference:https://github.com/systemd/systemd-stable/commit/905553acb1b604377ebc50010336a365f2553e1a
---
src/libsystemd/sd-journal/journal-file.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/libsystemd/sd-journal/journal-file.c b/src/libsystemd/sd-journal/journal-file.c
index 204debed64..6561b12aca 100644
--- a/src/libsystemd/sd-journal/journal-file.c
+++ b/src/libsystemd/sd-journal/journal-file.c
@@ -3737,7 +3737,7 @@ int journal_file_dispose(int dir_fd, const char *fname) {
int journal_file_copy_entry(JournalFile *from, JournalFile *to, Object *o, uint64_t p) {
uint64_t n, m = 0, xor_hash = 0;
- const sd_id128_t *boot_id;
+ sd_id128_t boot_id;
dual_timestamp ts;
EntryItem *items;
int r;
@@ -3754,7 +3754,7 @@ int journal_file_copy_entry(JournalFile *from, JournalFile *to, Object *o, uint6
ts.monotonic = le64toh(o->entry.monotonic);
ts.realtime = le64toh(o->entry.realtime);
- boot_id = &o->entry.boot_id;
+ boot_id = o->entry.boot_id;
n = journal_file_entry_n_items(o);
/* alloca() can't take 0, hence let's allocate at least one */
@@ -3831,8 +3831,8 @@ int journal_file_copy_entry(JournalFile *from, JournalFile *to, Object *o, uint6
if (m == 0)
return 0;
- r = journal_file_append_entry_internal(to, &ts, boot_id, xor_hash, items, m,
- NULL, NULL, NULL);
+ r = journal_file_append_entry_internal(to, &ts, &boot_id, xor_hash, items, m,
+ NULL, NULL, NULL);
if (mmap_cache_got_sigbus(to->mmap, to->cache_fd))
return -EIO;
--
2.33.0

31
backport-sd-journal-make-journal_file_copy_entry-return-earli.patch Normal file
View File

@ -0,0 +1,31 @@
From fb1078b2e83445756e77e636a5f222f9d2c95c5a Mon Sep 17 00:00:00 2001
From: Yu Watanabe <watanabe.yu+github@gmail.com>
Date: Wed, 26 Apr 2023 20:54:08 +0900
Subject: [PATCH] sd-journal: make journal_file_copy_entry() return earlier
(cherry picked from commit 85e38da2ec2d9d3a56659105fe4d47c84462d5f9)
(cherry picked from commit df9d1d9bb20846d081cfddfc271b40fdd0550b92)
(cherry picked from commit 141b891de7d420d5fce706e376403007dbf77712)
Conflict:code context adaptation
Reference:https://github.com/systemd/systemd-stable/commit/fb1078b2e83445756e77e636a5f222f9d2c95c5a
---
src/libsystemd/sd-journal/journal-file.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/libsystemd/sd-journal/journal-file.c b/src/libsystemd/sd-journal/journal-file.c
index 6561b12aca..a415dafedd 100644
--- a/src/libsystemd/sd-journal/journal-file.c
+++ b/src/libsystemd/sd-journal/journal-file.c
@@ -3757,6 +3757,8 @@ int journal_file_copy_entry(JournalFile *from, JournalFile *to, Object *o, uint6
boot_id = o->entry.boot_id;
n = journal_file_entry_n_items(o);
+ if (n == 0)
+ return 0;
/* alloca() can't take 0, hence let's allocate at least one */
items = newa(EntryItem, MAX(1u, n));
--
2.33.0

40
backport-sd-journal-tighten-variable-scope.patch Normal file
View File

@ -0,0 +1,40 @@
From 6e42053a1234c4c6e857569e36955ed0b0f27147 Mon Sep 17 00:00:00 2001
From: Yu Watanabe <watanabe.yu+github@gmail.com>
Date: Wed, 26 Apr 2023 20:40:08 +0900
Subject: [PATCH] sd-journal: tighten variable scope
(cherry picked from commit 265b1dc04845788973ef95e80fae8db258a8c49a)
(cherry picked from commit 45b045880c5816b36fc496e519249f57d256136d)
(cherry picked from commit 413405d856503f68afc5576644cd919485ade45e)
Conflict:code context adaptation
Reference:https://github.com/systemd/systemd-stable/commit/6e42053a1234c4c6e857569e36955ed0b0f27147
---
src/libsystemd/sd-journal/journal-file.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/libsystemd/sd-journal/journal-file.c b/src/libsystemd/sd-journal/journal-file.c
index 4510db6d3e..204debed64 100644
--- a/src/libsystemd/sd-journal/journal-file.c
+++ b/src/libsystemd/sd-journal/journal-file.c
@@ -3736,7 +3736,7 @@ int journal_file_dispose(int dir_fd, const char *fname) {
}
int journal_file_copy_entry(JournalFile *from, JournalFile *to, Object *o, uint64_t p) {
- uint64_t q, n, m = 0, xor_hash = 0;
+ uint64_t n, m = 0, xor_hash = 0;
const sd_id128_t *boot_id;
dual_timestamp ts;
EntryItem *items;
@@ -3761,7 +3761,7 @@ int journal_file_copy_entry(JournalFile *from, JournalFile *to, Object *o, uint6
items = newa(EntryItem, MAX(1u, n));
for (uint64_t i = 0; i < n; i++) {
- uint64_t l, h;
+ uint64_t l, h, q;
le64_t le_hash;
size_t t;
void *data;
--
2.33.0

31
backport-sd-netlink-fix-segfault.patch Normal file
View File

@ -0,0 +1,31 @@
From 814acf7a6f893e77a714dee4e4b1cd1882001b28 Mon Sep 17 00:00:00 2001
From: Yu Watanabe <watanabe.yu+github@gmail.com>
Date: Sat, 26 Nov 2022 09:57:16 +0900
Subject: [PATCH] sd-netlink: fix segfault
(cherry picked from commit 766417bd763db913efdd9c48442b1094c23d7042)
(cherry picked from commit 25050101780f95c27ebf094fca23d665cff5fb8c)
Conflict:NA
Reference:https://github.com/systemd/systemd-stable/commit/814acf7a6f893e77a714dee4e4b1cd1882001b28
---
src/libsystemd/sd-netlink/sd-netlink.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/libsystemd/sd-netlink/sd-netlink.c b/src/libsystemd/sd-netlink/sd-netlink.c
index e23e2cc163..3c482192a0 100644
--- a/src/libsystemd/sd-netlink/sd-netlink.c
+++ b/src/libsystemd/sd-netlink/sd-netlink.c
@@ -701,7 +701,8 @@ int sd_netlink_read(
return r;
if (type == NLMSG_DONE) {
- *ret = NULL;
+ if (ret)
+ *ret = NULL;
return 0;
}
--
2.33.0

36
backport-shared-exec-util-null_or_empty_path-does-not-return-.patch Normal file
View File

@ -0,0 +1,36 @@
From 0626f71d90df6aba62523c111cfbce13a51273fb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
Date: Tue, 28 Mar 2023 18:50:31 +0200
Subject: [PATCH] shared/exec-util: null_or_empty_path() does not return
boolean
We shouldn't report that the file is empty if the stating fails. Let's do the
same as in other places, and just ignore the error and let the subsequent
operation fail.
(cherry picked from commit 7d0c47dad0d4282c3924a654a8fe18fc5d7766f8)
(cherry picked from commit bfc03cae41ae051c9eedcb48f66b3266346719aa)
(cherry picked from commit 48e03955356c5095553ac9c26e4fea83af3814ee)
Conflict:NA
Reference:https://github.com/systemd/systemd-stable/commit/0626f71d90df6aba62523c111cfbce13a51273fb
---
src/shared/exec-util.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/shared/exec-util.c b/src/shared/exec-util.c
index d1f50249d0..d188154575 100644
--- a/src/shared/exec-util.c
+++ b/src/shared/exec-util.c
@@ -38,7 +38,7 @@ static int do_spawn(const char *path, char *argv[], int stdout_fd, pid_t *pid, b
pid_t _pid;
int r;
- if (null_or_empty_path(path)) {
+ if (null_or_empty_path(path) > 0) {
log_debug("%s is empty (a mask).", path);
return 0;
}
--
2.33.0

61
backport-shared-refuse-fd-INT_MAX.patch Normal file
View File

@ -0,0 +1,61 @@
From 1ced463496ddf3ff0c33d595ee102e975f69554d Mon Sep 17 00:00:00 2001
From: Frantisek Sumsal <frantisek@sumsal.cz>
Date: Thu, 4 May 2023 16:45:36 +0200
Subject: [PATCH] shared: refuse fd == INT_MAX
Since we do `FD_TO_PTR(fd)` that expands to `INT_TO_PTR(fd) + 1` which
triggers an integer overflow.
Resolves: #27522
(cherry picked from commit cc938f1ce0f1eafc435e0dd1d9fe45aaedc526e1)
(cherry picked from commit 154b108513fe4aa50e7f347abeb0f0d9789a32df)
(cherry picked from commit dd38a90202a78d54d163049d2f0a96f8153470b3)
Conflict:NA
Reference:https://github.com/systemd/systemd-stable/commit/1ced463496ddf3ff0c33d595ee102e975f69554d
---
src/shared/fdset.c | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/src/shared/fdset.c b/src/shared/fdset.c
index 183fa239b6..c621c14ba6 100644
--- a/src/shared/fdset.c
+++ b/src/shared/fdset.c
@@ -74,6 +74,10 @@ int fdset_put(FDSet *s, int fd) {
assert(s);
assert(fd >= 0);
+ /* Avoid integer overflow in FD_TO_PTR() */
+ if (fd == INT_MAX)
+ return log_debug_errno(SYNTHETIC_ERRNO(EINVAL), "Refusing invalid fd: %d", fd);
+
return set_put(MAKE_SET(s), FD_TO_PTR(fd));
}
@@ -100,6 +104,12 @@ bool fdset_contains(FDSet *s, int fd) {
assert(s);
assert(fd >= 0);
+ /* Avoid integer overflow in FD_TO_PTR() */
+ if (fd == INT_MAX) {
+ log_debug("Refusing invalid fd: %d", fd);
+ return false;
+ }
+
return !!set_get(MAKE_SET(s), FD_TO_PTR(fd));
}
@@ -107,6 +117,10 @@ int fdset_remove(FDSet *s, int fd) {
assert(s);
assert(fd >= 0);
+ /* Avoid integer overflow in FD_TO_PTR() */
+ if (fd == INT_MAX)
+ return log_debug_errno(SYNTHETIC_ERRNO(ENOENT), "Refusing invalid fd: %d", fd);
+
return set_remove(MAKE_SET(s), FD_TO_PTR(fd)) ? fd : -ENOENT;
}
--
2.33.0

32
backport-shared-reject-empty-attachment-path.patch Normal file
View File

@ -0,0 +1,32 @@
From b38eae99f5dd7c796ade7865fe8093475715a21f Mon Sep 17 00:00:00 2001
From: Frantisek Sumsal <frantisek@sumsal.cz>
Date: Tue, 2 May 2023 22:37:17 +0200
Subject: [PATCH] shared: reject empty attachment path
(cherry picked from commit 740831076cfcf2f73f3063fbb040c1ea593dfe6c)
(cherry picked from commit ce096b0212aac52fad658aaec5ff53b0d6eb18ad)
(cherry picked from commit f76199e779444590c50f7df60b8c5b235b9447b0)
Conflict:code context adaptation
Reference:https://github.com/systemd/systemd-stable/commit/b38eae99f5dd7c796ade7865fe8093475715a21f
---
src/shared/bpf-program.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/src/shared/bpf-program.c b/src/shared/bpf-program.c
index 31fa4448b0..57a009a965 100644
--- a/src/shared/bpf-program.c
+++ b/src/shared/bpf-program.c
@@ -452,6 +452,9 @@ int bpf_program_deserialize_attachment(const char *v, FDSet *fds, BPFProgram **b
return at;
/* The rest is the path */
+ if (isempty(v))
+ return -EINVAL;
+
r = cunescape(v, 0, &unescaped);
if (r < 0)
return r;
--
2.33.0

112
backport-socket-avoid-memory-leak-on-incomplete-SocketPort-ob.patch Normal file
View File

@ -0,0 +1,112 @@
From e7d800784a3ce5b03d457688c31b72cbe8ec0401 Mon Sep 17 00:00:00 2001
From: Frantisek Sumsal <frantisek@sumsal.cz>
Date: Thu, 1 Jun 2023 22:11:01 +0200
Subject: [PATCH] socket: avoid memory leak on incomplete SocketPort object
==1==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 17 byte(s) in 1 object(s) allocated from:
#0 0x7fc096c7243b in strdup (/lib64/libasan.so.8+0x7243b)
#1 0x7fc095db3899 in bus_socket_set_transient_property ../src/core/dbus-socket.c:386
#2 0x7fc095db5140 in bus_socket_set_property ../src/core/dbus-socket.c:460
#3 0x7fc095dd20f1 in bus_unit_set_properties ../src/core/dbus-unit.c:2473
#4 0x7fc095d87d53 in transient_unit_from_message ../src/core/dbus-manager.c:1025
#5 0x7fc095d8872f in method_start_transient_unit ../src/core/dbus-manager.c:1112
#6 0x7fc0944ddf4f in method_callbacks_run ../src/libsystemd/sd-bus/bus-objects.c:406
#7 0x7fc0944e7854 in object_find_and_run ../src/libsystemd/sd-bus/bus-objects.c:1319
#8 0x7fc0944e8f03 in bus_process_object ../src/libsystemd/sd-bus/bus-objects.c:1439
#9 0x7fc09454ad78 in process_message ../src/libsystemd/sd-bus/sd-bus.c:3011
#10 0x7fc09454b302 in process_running ../src/libsystemd/sd-bus/sd-bus.c:3053
#11 0x7fc09454e158 in bus_process_internal ../src/libsystemd/sd-bus/sd-bus.c:3273
#12 0x7fc09454e2f2 in sd_bus_process ../src/libsystemd/sd-bus/sd-bus.c:3300
#13 0x7fc094551a59 in io_callback ../src/libsystemd/sd-bus/sd-bus.c:3642
#14 0x7fc094727830 in source_dispatch ../src/libsystemd/sd-event/sd-event.c:4187
#15 0x7fc094731009 in sd_event_dispatch ../src/libsystemd/sd-event/sd-event.c:4808
#16 0x7fc094732124 in sd_event_run ../src/libsystemd/sd-event/sd-event.c:4869
#17 0x7fc095f7af9f in manager_loop ../src/core/manager.c:3242
#18 0x41cc7c in invoke_main_loop ../src/core/main.c:1937
#19 0x4252e0 in main ../src/core/main.c:3072
#20 0x7fc092a4a50f in __libc_start_call_main (/lib64/libc.so.6+0x2750f)
SUMMARY: AddressSanitizer: 17 byte(s) leaked in 1 allocation(s).
(cherry picked from commit f8b21a08aa0a8db34212bccca13bfc58dbdc5667)
(cherry picked from commit 98d2a09393b6d9133d4d7e9f77f212db9685d3f3)
(cherry picked from commit e94157e6dc0f18e0c170e0f908e1f82f7829a4cb)
Conflict:NA
Reference:https://github.com/systemd/systemd-stable/commit/e7d800784a3ce5b03d457688c31b72cbe8ec0401
---
src/core/dbus-socket.c | 2 +-
src/core/socket.c | 21 ++++++++++++++-------
src/core/socket.h | 3 +++
3 files changed, 18 insertions(+), 8 deletions(-)
diff --git a/src/core/dbus-socket.c b/src/core/dbus-socket.c
index 6173d3ff7e..536483fc7c 100644
--- a/src/core/dbus-socket.c
+++ b/src/core/dbus-socket.c
@@ -364,7 +364,7 @@ static int bus_socket_set_transient_property(
return r;
while ((r = sd_bus_message_read(message, "(ss)", &t, &a)) > 0) {
- _cleanup_free_ SocketPort *p = NULL;
+ _cleanup_(socket_port_freep) SocketPort *p = NULL;
p = new(SocketPort, 1);
if (!p)
diff --git a/src/core/socket.c b/src/core/socket.c
index 0d96f1a933..73dfdf2c23 100644
--- a/src/core/socket.c
+++ b/src/core/socket.c
@@ -120,6 +120,19 @@ static void socket_cleanup_fd_list(SocketPort *p) {
p->n_auxiliary_fds = 0;
}
+SocketPort *socket_port_free(SocketPort *p) {
+ if (!p)
+ return NULL;
+
+ sd_event_source_unref(p->event_source);
+
+ socket_cleanup_fd_list(p);
+ safe_close(p->fd);
+ free(p->path);
+
+ return mfree(p);
+}
+
void socket_free_ports(Socket *s) {
SocketPort *p;
@@ -127,13 +140,7 @@ void socket_free_ports(Socket *s) {
while ((p = s->ports)) {
LIST_REMOVE(port, s->ports, p);
-
- sd_event_source_unref(p->event_source);
-
- socket_cleanup_fd_list(p);
- safe_close(p->fd);
- free(p->path);
- free(p);
+ socket_port_free(p);
}
}
diff --git a/src/core/socket.h b/src/core/socket.h
index 6813bdcf8c..17e912af31 100644
--- a/src/core/socket.h
+++ b/src/core/socket.h
@@ -173,6 +173,9 @@ int socket_collect_fds(Socket *s, int **fds);
/* Called from the service code when a per-connection service ended */
void socket_connection_unref(Socket *s);
+SocketPort *socket_port_free(SocketPort *p);
+DEFINE_TRIVIAL_CLEANUP_FUNC(SocketPort*, socket_port_free);
+
void socket_free_ports(Socket *s);
int socket_load_service_unit(Socket *s, int cfd, Unit **ret);
--
2.33.0

126
backport-socket-util-fix-socket_get_family.patch Normal file
View File

@ -0,0 +1,126 @@
From 01ef1b83d7c3afb5d9382b238ad6717f1e12ca8a Mon Sep 17 00:00:00 2001
From: Lennart Poettering <lennart@poettering.net>
Date: Tue, 7 Mar 2023 22:50:41 +0100
Subject: [PATCH] socket-util: fix socket_get_family()
Function didn't actually return anything useful. Quite a shame.
(cherry picked from commit 5f64d2bf332371bdfdcb91b588e57d4c0c20428f)
(cherry picked from commit 59514a6d87be7013d61b4f15b993918f5d1e44e5)
(cherry picked from commit b77f041885fa68cc3bfefcae97b6ca76a327c77a)
Conflict:NA
Reference:https://github.com/systemd/systemd-stable/commit/01ef1b83d7c3afb5d9382b238ad6717f1e12ca8a
---
src/basic/socket-util.c | 30 +++++++++++++-----------------
src/basic/socket-util.h | 2 +-
src/resolve/resolved-manager.c | 6 +++---
3 files changed, 17 insertions(+), 21 deletions(-)
diff --git a/src/basic/socket-util.c b/src/basic/socket-util.c
index 0dfe2a7dbc..cbbfa01eb5 100644
--- a/src/basic/socket-util.c
+++ b/src/basic/socket-util.c
@@ -1309,7 +1309,7 @@ ssize_t recvmsg_safe(int sockfd, struct msghdr *msg, int flags) {
return n;
}
-int socket_get_family(int fd, int *ret) {
+int socket_get_family(int fd) {
int af;
socklen_t sl = sizeof(af);
@@ -1323,12 +1323,11 @@ int socket_get_family(int fd, int *ret) {
}
int socket_set_recvpktinfo(int fd, int af, bool b) {
- int r;
if (af == AF_UNSPEC) {
- r = socket_get_family(fd, &af);
- if (r < 0)
- return r;
+ af = socket_get_family(fd);
+ if (af < 0)
+ return af;
}
switch (af) {
@@ -1352,12 +1351,11 @@ int socket_set_recvpktinfo(int fd, int af, bool b) {
int socket_set_unicast_if(int fd, int af, int ifi) {
be32_t ifindex_be = htobe32(ifi);
- int r;
if (af == AF_UNSPEC) {
- r = socket_get_family(fd, &af);
- if (r < 0)
- return r;
+ af = socket_get_family(fd);
+ if (af < 0)
+ return af;
}
switch (af) {
@@ -1374,12 +1372,10 @@ int socket_set_unicast_if(int fd, int af, int ifi) {
}
int socket_set_option(int fd, int af, int opt_ipv4, int opt_ipv6, int val) {
- int r;
-
if (af == AF_UNSPEC) {
- r = socket_get_family(fd, &af);
- if (r < 0)
- return r;
+ af = socket_get_family(fd);
+ if (af < 0)
+ return af;
}
switch (af) {
@@ -1399,9 +1395,9 @@ int socket_get_mtu(int fd, int af, size_t *ret) {
int mtu, r;
if (af == AF_UNSPEC) {
- r = socket_get_family(fd, &af);
- if (r < 0)
- return r;
+ af = socket_get_family(fd);
+ if (af < 0)
+ return af;
}
switch (af) {
diff --git a/src/basic/socket-util.h b/src/basic/socket-util.h
index 5d9c056744..22cdb94c1d 100644
--- a/src/basic/socket-util.h
+++ b/src/basic/socket-util.h
@@ -304,7 +304,7 @@ struct timespec_large {
ssize_t recvmsg_safe(int sockfd, struct msghdr *msg, int flags);
-int socket_get_family(int fd, int *ret);
+int socket_get_family(int fd);
int socket_set_recvpktinfo(int fd, int af, bool b);
int socket_set_unicast_if(int fd, int af, int ifi);
diff --git a/src/resolve/resolved-manager.c b/src/resolve/resolved-manager.c
index 12e7d87f22..9d8fd4191c 100644
--- a/src/resolve/resolved-manager.c
+++ b/src/resolve/resolved-manager.c
@@ -1630,9 +1630,9 @@ int socket_disable_pmtud(int fd, int af) {
assert(fd >= 0);
if (af == AF_UNSPEC) {
- r = socket_get_family(fd, &af);
- if (r < 0)
- return r;
+ af = socket_get_family(fd);
+ if (af < 0)
+ return af;
}
switch (af) {
--
2.33.0

74
backport-specifier-avoid-leaking-memory-on-allocation-error.patch Normal file
View File

@ -0,0 +1,74 @@
From d6ff3663d24fd45b31444a4c07d6252dc74fa313 Mon Sep 17 00:00:00 2001
From: Frantisek Sumsal <frantisek@sumsal.cz>
Date: Wed, 24 May 2023 11:39:24 +0200
Subject: [PATCH] specifier: avoid leaking memory on allocation error
==8036==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 64 byte(s) in 1 object(s) allocated from:
#0 0x4a10bc in __interceptor_realloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:85:3
#1 0x4deef1 in realloc (/build/fuzz-unit-file+0x4deef1)
#2 0x7ffa35abfe23 in greedy_realloc /work/build/../../src/systemd/src/basic/alloc-util.c:70:13
#3 0x7ffa35aefad2 in parse_env_file_internal /work/build/../../src/systemd/src/basic/env-file.c:127:38
#4 0x7ffa35af08a6 in parse_env_file_fdv /work/build/../../src/systemd/src/basic/env-file.c:374:13
#5 0x7ffa35b6391e in parse_extension_release_atv /work/build/../../src/systemd/src/basic/os-util.c:323:16
#6 0x7ffa35b63c8a in parse_extension_release_sentinel /work/build/../../src/systemd/src/basic/os-util.c:360:13
#7 0x7ffa35a5e3f5 in parse_os_release_specifier /work/build/../../src/systemd/src/shared/specifier.c:292:13
#8 0x7ffa35a5e3f5 in specifier_os_id /work/build/../../src/systemd/src/shared/specifier.c:303:16
#9 0x7ffa35a5c7f5 in specifier_printf /work/build/../../src/systemd/src/shared/specifier.c:70:45
#10 0x7ffa3690b279 in unit_full_printf_full /work/build/../../src/systemd/src/core/unit-printf.c:264:16
#11 0x7ffa367de795 in config_parse_bus_name /work/build/../../src/systemd/src/core/load-fragment.c:2401:13
#12 0x7ffa358fe5ec in next_assignment /work/build/../../src/systemd/src/shared/conf-parser.c:151:24
#13 0x7ffa358fe5ec in parse_line /work/build/../../src/systemd/src/shared/conf-parser.c:257:16
#14 0x7ffa358fd653 in config_parse /work/build/../../src/systemd/src/shared/conf-parser.c:400:21
#15 0x4de828 in LLVMFuzzerTestOneInput /work/build/../../src/systemd/src/core/fuzz-unit-file.c:72:16
#16 0x4df208 in NaloFuzzerTestOneInput (/build/fuzz-unit-file+0x4df208)
#17 0x4fe213 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15
#18 0x4fd9fa in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:514:3
#19 0x4ff0c9 in fuzzer::Fuzzer::MutateAndTestOne() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:757:19
#20 0x4ffd95 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, std::__Fuzzer::allocator<fuzzer::SizedFile> >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:895:5
#21 0x4ef0ff in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:912:6
#22 0x4ef9c8 in LLVMFuzzerRunDriver /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:925:10
#23 0x4df485 in main (/build/fuzz-unit-file+0x4df485)
#24 0x7ffa35232082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee)
DEDUP_TOKEN: __interceptor_realloc--realloc--greedy_realloc
SUMMARY: AddressSanitizer: 64 byte(s) leaked in 1 allocation(s).
Found by Nallocfuzz.
(cherry picked from commit 6c13a39ac731a23c38685aa65b38bc0b10449b81)
(cherry picked from commit b4c9a9bfca3b65a573329056095961446462aae9)
(cherry picked from commit 6b8b0f5dcaec4e8e4a64f8ce4cdda5c0db9da42c)
Conflict:modify the corresponding memory leakage issue in the function specifier_os_release_common
Reference:https://github.com/systemd/systemd-stable/commit/d6ff3663d24fd45b31444a4c07d6252dc74fa313
---
src/shared/specifier.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/shared/specifier.c b/src/shared/specifier.c
index cb4d6da..5782175 100644
--- a/src/shared/specifier.c
+++ b/src/shared/specifier.c
@@ -211,7 +211,7 @@ int specifier_architecture(char specifier, const void *data, const char *root, c
}
static int specifier_os_release_common(const char *field, const char *root, char **ret) {
- char *t = NULL;
+ _cleanup_free_ char *t = NULL;
int r;
r = parse_os_release(root, field, &t);
@@ -225,7 +225,7 @@ static int specifier_os_release_common(const char *field, const char *root, char
return -ENOMEM;
}
- *ret = t;
+ *ret = TAKE_PTR(t);
return 0;
}
--
2.33.0

40
backport-sysusers-properly-process-user-entries-with-an-expli.patch Normal file
View File

@ -0,0 +1,40 @@
From f9d936b86561c23f5b40211254544b91e33eae7a Mon Sep 17 00:00:00 2001
From: Luca BRUNO <luca.bruno@coreos.com>
Date: Mon, 8 Aug 2022 15:56:06 +0000
Subject: [PATCH] sysusers: properly process user entries with an explicit GID
This tweaks user creation logic to properly take into consideration
an explicitly requested GID.
It fixes a bug where the creation flow would mistakenly fall back
to use the username instead, resulting in wrong lookups in case of
users and groups using the same name.
(cherry picked from commit 5ed47c4d230b9491339c16c6ea4181dfd293bc98)
Conflict:NA
Reference:https://github.com/systemd/systemd-stable/commit/f9d936b86561c23f5b40211254544b91e33eae7a
---
src/sysusers/sysusers.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/sysusers/sysusers.c b/src/sysusers/sysusers.c
index 77034abc8b..afbac4fb5e 100644
--- a/src/sysusers/sysusers.c
+++ b/src/sysusers/sysusers.c
@@ -1348,9 +1348,11 @@ static int process_item(Item *i) {
switch (i->type) {
case ADD_USER: {
- Item *j;
+ Item *j = NULL;
+
+ if (!i->gid_set)
+ j = ordered_hashmap_get(groups, i->group_name ?: i->name);
- j = ordered_hashmap_get(groups, i->group_name ?: i->name);
if (j && j->todo_group) {
/* When a group with the target name is already in queue,
* use the information about the group and do not create
--
2.33.0

51
backport-test-add-basic-tests-for-octescape.patch Normal file
View File

@ -0,0 +1,51 @@
From 10fa59adb6e7a1df537c939e1de90a4abe880a87 Mon Sep 17 00:00:00 2001
From: Yu Watanabe <watanabe.yu+github@gmail.com>
Date: Tue, 6 Dec 2022 12:00:45 +0900
Subject: [PATCH] test: add basic tests for octescape()
(cherry picked from commit 4f438c638b5335cd5d8f614804743a04311689f8)
(cherry picked from commit bc6fc812fdd56925b4125395d537fc8af9ffc58d)
Conflict:adapt test cases based on the existing test case framework
Reference:https://github.com/systemd/systemd-stable/commit/10fa59adb6e7a1df537c939e1de90a4abe880a87
---
src/test/test-escape.c | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
diff --git a/src/test/test-escape.c b/src/test/test-escape.c
index 8bda9cd..240545c 100644
--- a/src/test/test-escape.c
+++ b/src/test/test-escape.c
@@ -215,6 +215,22 @@ static void test_quote_command_line(void) {
"true \"\\$dollar\"");
}
+static void test_octescape_one(const char *s, const char *expected) {
+ _cleanup_free_ char *ret;
+
+ assert_se(ret = octescape(s, strlen_ptr(s)));
+ log_debug("octescape(\"%s\") → \"%s\" (expected: \"%s\")", strnull(s), ret, expected);
+ assert_se(streq(ret, expected));
+}
+
+static void test_octescap(void) {
+ test_octescape_one(NULL, "");
+ test_octescape_one("", "");
+ test_octescape_one("foo", "foo");
+ test_octescape_one("\"\\\"", "\\042\\134\\042");
+ test_octescape_one("\123\213\222", "\123\\213\\222");
+}
+
int main(int argc, char *argv[]) {
test_setup_logging(LOG_DEBUG);
@@ -226,6 +242,7 @@ int main(int argc, char *argv[]) {
test_shell_escape();
test_shell_maybe_quote();
test_quote_command_line();
+ test_octescap();
return 0;
}
--
2.33.0

101
backport-test-add-some-tests-for-RuntimeMaxSec.patch Normal file
View File

@ -0,0 +1,101 @@
From af4688398f55b110c9d7d57be5cd0199b06e18c8 Mon Sep 17 00:00:00 2001
From: Nick Rosbrook <nick.rosbrook@canonical.com>
Date: Thu, 13 Apr 2023 11:29:32 -0400
Subject: [PATCH] test: add some tests for RuntimeMaxSec
Make sure the RuntimeMaxSec is applied correctly to service and scope
units when they are started, and also on coldplug.
Conflict:NA
Reference:https://github.com/systemd/systemd/commit/af4688398f55b110c9d7d57be5cd0199b06e18c8
---
test/units/testsuite-16.sh | 66 ++++++++++++++++++++++++++++++++++++++
1 file changed, 66 insertions(+)
diff --git a/test/units/testsuite-16.sh b/test/units/testsuite-16.sh
index 1b8cd018bb..9b8a7bd6fa 100755
--- a/test/units/testsuite-16.sh
+++ b/test/units/testsuite-16.sh
@@ -23,6 +23,25 @@ function wait_for()
fi
}
+function wait_for_timeout()
+{
+ local unit="$1"
+ local time="$2"
+
+ while [[ $time -gt 0 ]]; do
+ if [[ "$(systemctl show --property=Result "$unit")" == "Result=timeout" ]]; then
+ return 0
+ fi
+
+ sleep 1
+ time=$((time - 1))
+ done
+
+ journalctl -u "$unit" >>"$TESTLOG"
+
+ return 1
+}
+
# This checks all stages, start, runtime and stop, can be extended by
# EXTEND_TIMEOUT_USEC
@@ -44,6 +63,53 @@ wait_for fail_start startfail
wait_for fail_stop stopfail
wait_for fail_runtime runtimefail
+# These ensure that RuntimeMaxSec is honored for scope and service units
+# when they are created.
+runtime_max_sec=5
+
+systemd-run \
+ --property=RuntimeMaxSec=${runtime_max_sec}s \
+ -u runtime-max-sec-test-1.service \
+ /usr/bin/sh -c "while true; do sleep 1; done"
+wait_for_timeout runtime-max-sec-test-1.service $((runtime_max_sec + 2))
+
+systemd-run \
+ --property=RuntimeMaxSec=${runtime_max_sec}s \
+ --scope \
+ -u runtime-max-sec-test-2.scope \
+ /usr/bin/sh -c "while true; do sleep 1; done" &
+wait_for_timeout runtime-max-sec-test-2.scope $((runtime_max_sec + 2))
+
+# These ensure that RuntimeMaxSec is honored for scope and service
+# units if the value is changed and then the manager is reloaded.
+systemd-run \
+ -u runtime-max-sec-test-3.service \
+ /usr/bin/sh -c "while true; do sleep 1; done"
+mkdir -p /etc/systemd/system/runtime-max-sec-test-3.service.d/
+cat > /etc/systemd/system/runtime-max-sec-test-3.service.d/override.conf << EOF
+[Service]
+RuntimeMaxSec=${runtime_max_sec}s
+EOF
+systemctl daemon-reload
+wait_for_timeout runtime-max-sec-test-3.service $((runtime_max_sec + 2))
+
+systemd-run \
+ --scope \
+ -u runtime-max-sec-test-4.scope \
+ /usr/bin/sh -c "while true; do sleep 1; done" &
+
+# Wait until the unit is running to avoid race with creating the override.
+until systemctl is-active runtime-max-sec-test-4.scope; do
+ sleep 1
+done
+mkdir -p /etc/systemd/system/runtime-max-sec-test-4.scope.d/
+cat > /etc/systemd/system/runtime-max-sec-test-4.scope.d/override.conf << EOF
+[Scope]
+RuntimeMaxSec=${runtime_max_sec}s
+EOF
+systemctl daemon-reload
+wait_for_timeout runtime-max-sec-test-4.scope $((runtime_max_sec + 2))
+
if [[ -f "$TESTLOG" ]]; then
# no mv
cp "$TESTLOG" /test.log
--
2.33.0

48
backport-test-name_assign_type-sysattr-never-exists-for-enume.patch Normal file
View File

@ -0,0 +1,48 @@
From 2682dc216483b3da1af89bc80c315344c5e96ea3 Mon Sep 17 00:00:00 2001
From: Yu Watanabe <watanabe.yu+github@gmail.com>
Date: Mon, 12 Dec 2022 15:04:02 +0900
Subject: [PATCH] test: name_assign_type sysattr never exists for enumerated
devices
As we filtered out network devices in the test.
(cherry picked from commit 733529d81227ca713de2d6be77939e3bfedb926f)
(cherry picked from commit a8dd94e0cc162d3d020d49af7d1e238b9c7afca3)
Conflict:code context adaptation
Reference:https://github.com/systemd/systemd-stable/commit/2682dc216483b3da1af89bc80c315344c5e96ea3
---
src/libsystemd/sd-device/test-sd-device.c | 15 ++++++++-------
1 file changed, 8 insertions(+), 7 deletions(-)
diff --git a/src/libsystemd/sd-device/test-sd-device.c b/src/libsystemd/sd-device/test-sd-device.c
index 01c184a7d0..3e0cfa0ee7 100644
--- a/src/libsystemd/sd-device/test-sd-device.c
+++ b/src/libsystemd/sd-device/test-sd-device.c
@@ -175,15 +175,16 @@ static void test_sd_device_one(sd_device *d) {
assert_se((r >= 0 && usec > 0) || r == -ENODATA);
}
- r = sd_device_get_sysattr_value(d, "name_assign_type", &val);
- assert_se(r >= 0 || ERRNO_IS_PRIVILEGE(r) || IN_SET(r, -ENOENT, -EINVAL));
-
- if (r > 0) {
+ r = sd_device_get_sysattr_value(d, "nsid", NULL);
+ if (r >= 0) {
unsigned x;
- assert_se(device_get_sysattr_unsigned(d, "name_assign_type", NULL) >= 0);
- assert_se(device_get_sysattr_unsigned(d, "name_assign_type", &x) >= 0);
- }
+ assert_se(device_get_sysattr_unsigned(d, "nsid", NULL) >= 0);
+ r = device_get_sysattr_unsigned(d, "nsid", &x);
+ assert_se(r >= 0);
+ assert_se((x > 0) == (r > 0));
+ } else
+ assert_se(ERRNO_IS_PRIVILEGE(r) || IN_SET(r, -ENOENT, -EINVAL));
r = sd_device_get_property_value(d, "ID_NET_DRIVER", &val);
assert_se(r >= 0 || r == -ENOENT);
--
2.33.0

78
backport-test-test-O_CLOEXEC-filtering-of-fdset-fill-logic.patch Normal file
View File

@ -0,0 +1,78 @@
From fc9deee642e554e6bdd39617375df76546c26891 Mon Sep 17 00:00:00 2001
From: Lennart Poettering <lennart@poettering.net>
Date: Tue, 30 May 2023 15:35:24 +0200
Subject: [PATCH] test: test O_CLOEXEC filtering of fdset fill logic
(cherry picked from commit d7aee3f41f69f46d8328f658cab84f8a4b05bb86)
Backport of the cloexec filter for v253, and for v252 (actually tested
with v252). Note that I've left the name _s of the function parameter as
it was before.
(cherry picked from commit 4c3b06f255642c39b6dccb8b063efaf66bce88c9)
(cherry picked from commit 1e932bf95e5536fea97bc48f1a409e4f1d0f7f30)
Conflict:code context adaptation
Reference:https://github.com/systemd/systemd-stable/commit/fc9deee642e554e6bdd39617375df76546c26891
---
src/test/test-fdset.c | 42 ++++++++++++++++++++++++++++++++++++++----
1 file changed, 38 insertions(+), 4 deletions(-)
diff --git a/src/test/test-fdset.c b/src/test/test-fdset.c
index 5d63eeee37..e2ef86343a 100644
--- a/src/test/test-fdset.c
+++ b/src/test/test-fdset.c
@@ -13,14 +13,48 @@
static void test_fdset_new_fill(void) {
int fd = -1;
_cleanup_fdset_free_ FDSet *fdset = NULL;
- char name[] = "/tmp/test-fdset_new_fill.XXXXXX";
- fd = mkostemp_safe(name);
+ log_close();
+ log_set_open_when_needed(true);
+
+ fd = open("/dev/null", O_CLOEXEC|O_RDONLY);
assert_se(fd >= 0);
- assert_se(fdset_new_fill(&fdset) >= 0);
+
+ assert_se(fdset_new_fill(/* filter_cloexec= */ -1, &fdset) >= 0);
assert_se(fdset_contains(fdset, fd));
+ fdset = fdset_free(fdset);
+ assert_se(fcntl(fd, F_GETFD) < 0);
+ assert_se(errno == EBADF);
- unlink(name);
+ fd = open("/dev/null", O_CLOEXEC|O_RDONLY);
+ assert_se(fd >= 0);
+
+ assert_se(fdset_new_fill(/* filter_cloexec= */ 0, &fdset) >= 0);
+ assert_se(!fdset_contains(fdset, fd));
+ fdset = fdset_free(fdset);
+ assert_se(fcntl(fd, F_GETFD) >= 0);
+
+ assert_se(fdset_new_fill(/* filter_cloexec= */ 1, &fdset) >= 0);
+ assert_se(fdset_contains(fdset, fd));
+ fdset = fdset_free(fdset);
+ assert_se(fcntl(fd, F_GETFD) < 0);
+ assert_se(errno == EBADF);
+
+ fd = open("/dev/null", O_RDONLY);
+ assert_se(fd >= 0);
+
+ assert_se(fdset_new_fill(/* filter_cloexec= */ 1, &fdset) >= 0);
+ assert_se(!fdset_contains(fdset, fd));
+ fdset = fdset_free(fdset);
+ assert_se(fcntl(fd, F_GETFD) >= 0);
+
+ assert_se(fdset_new_fill(/* filter_cloexec= */ 0, &fdset) >= 0);
+ assert_se(fdset_contains(fdset, fd));
+ fdset = fdset_free(fdset);
+ assert_se(fcntl(fd, F_GETFD) < 0);
+ assert_se(errno == EBADF);
+
+ log_open();
}
static void test_fdset_put_dup(void) {
--
2.33.0

48
backport-udev-do-not-set-ID_PATH-and-by-path-symlink-for-nvmf.patch Normal file
View File

@ -0,0 +1,48 @@
From 1807b8f1fc0afdf01e366dfa694295063e2eb982 Mon Sep 17 00:00:00 2001
From: Yu Watanabe <watanabe.yu+github@gmail.com>
Date: Wed, 10 May 2023 15:47:44 +0900
Subject: [PATCH] udev: do not set ID_PATH and by-path symlink for nvmf disks
Prompted by #27391.
(cherry picked from commit 39a39f18f2bd2b1ef7b4fa4823472d129c514030)
(cherry picked from commit dbf50f19112cf39c6f281c6dd2a0a9177774f932)
(cherry picked from commit 5ec7ad9588172bae561ce77ffadfa8f9eb44aa45)
Conflict:NA
Reference:https://github.com/systemd/systemd-stable/commit/1807b8f1fc0afdf01e366dfa694295063e2eb982
---
src/udev/udev-builtin-path_id.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/src/udev/udev-builtin-path_id.c b/src/udev/udev-builtin-path_id.c
index 1084eb2d81..483350d98d 100644
--- a/src/udev/udev-builtin-path_id.c
+++ b/src/udev/udev-builtin-path_id.c
@@ -545,7 +545,7 @@ static sd_device *handle_ap(sd_device *parent, char **path) {
static int find_real_nvme_parent(sd_device *dev, sd_device **ret) {
_cleanup_(sd_device_unrefp) sd_device *nvme = NULL;
- const char *sysname, *end;
+ const char *sysname, *end, *devpath;
int r;
/* If the device belongs to "nvme-subsystem" (not to be confused with "nvme"), which happens when
@@ -576,6 +576,14 @@ static int find_real_nvme_parent(sd_device *dev, sd_device **ret) {
if (r < 0)
return r;
+ r = sd_device_get_devpath(nvme, &devpath);
+ if (r < 0)
+ return r;
+
+ /* If the 'real parent' is (still) virtual, e.g. for nvmf disks, refuse to set ID_PATH. */
+ if (path_startswith(devpath, "/devices/virtual/"))
+ return -ENXIO;
+
*ret = TAKE_PTR(nvme);
return 0;
}
--
2.33.0

36
backport-udev-match-device-tags-in-rules-using-current-device.patch Normal file
View File

@ -0,0 +1,36 @@
From ca948c9601714c8de53a87a548dfad05fef37c40 Mon Sep 17 00:00:00 2001
From: msizanoen1 <msizanoen@qtmlabs.xyz>
Date: Tue, 27 Dec 2022 11:57:12 +0700
Subject: [PATCH] udev: match device tags in rules using current device tags
This ensures that udev scripts using `TAG-="..."` and expecting later
udev rules to honor it will work properly. An use case is removing the
`uaccess` tag from a device without overriding the original file and
ensuring that `73-seat-uaccess.rules` won't run the uaccess builtin later.
(cherry picked from commit 310249903986957997b76bc52441cabb5843aad8)
(cherry picked from commit 7d4ea095d5e3e5aa87761c6c0f5f30287596dd75)
Conflict:NA
Reference:https://github.com/systemd/systemd-stable/commit/ca948c9601714c8de53a87a548dfad05fef37c40
---
src/udev/udev-rules.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/udev/udev-rules.c b/src/udev/udev-rules.c
index f95b751b75..9dc68e401e 100644
--- a/src/udev/udev-rules.c
+++ b/src/udev/udev-rules.c
@@ -1622,7 +1622,7 @@ static int udev_rule_apply_token_to_event(
case TK_M_PARENTS_TAG: {
const char *val;
- FOREACH_DEVICE_TAG(dev, val)
+ FOREACH_DEVICE_CURRENT_TAG(dev, val)
if (token_match_string(token, val))
return token->op == OP_MATCH;
return token->op == OP_NOMATCH;
--
2.33.0

50
embedded-add-noexec-mount-option-to-strenthen-tmp-pa.patch Normal file
View File

@ -0,0 +1,50 @@
From b6bcc208dda00ae4b310bd2fd513fe250f8b2c10 Mon Sep 17 00:00:00 2001
From: Xin Shi <shixin21@huawei.com>
Date: Thu, 24 Aug 2023 09:35:40 +0800
Subject: [PATCH 4/5] embedded: add noexec mount option to strenthen tmp
partition
Signed-off-by: Xin Shi <shixin21@huawei.com>
---
embedded/tmp.mount | 29 +++++++++++++++++++++++++++++
1 file changed, 29 insertions(+)
create mode 100644 embedded/tmp.mount
diff --git a/embedded/tmp.mount b/embedded/tmp.mount
new file mode 100644
index 0000000..c2df09d
--- /dev/null
+++ b/embedded/tmp.mount
@@ -0,0 +1,29 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+#
+# This file is part of systemd.
+#
+# systemd is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or
+# (at your option) any later version.
+
+[Unit]
+Description=Temporary Directory /tmp
+Documentation=https://systemd.io/TEMPORARY_DIRECTORIES
+Documentation=man:file-hierarchy(7)
+Documentation=https://www.freedesktop.org/wiki/Software/systemd/APIFileSystems
+ConditionPathIsSymbolicLink=!/tmp
+DefaultDependencies=no
+Conflicts=umount.target
+Before=local-fs.target umount.target
+After=swap.target
+
+[Mount]
+What=tmpfs
+Where=/tmp
+Type=tmpfs
+Options=mode=1777,strictatime,nosuid,nodev,size=50%%,nr_inodes=1m,noexec
+
+# Make 'systemctl enable tmp.mount' work:
+[Install]
+WantedBy=local-fs.target
--
2.27.0

483
embedded-modify-dns-server-address-to-avoid-security.patch Normal file
View File

@ -0,0 +1,483 @@
From 29f0311e6fe30b6e492e0bd323c6c1e975719e6b Mon Sep 17 00:00:00 2001
From: Xin Shi <shixin21@huawei.com>
Date: Wed, 23 Aug 2023 18:11:25 +0800
Subject: [PATCH 2/5] embedded: modify dns server address to avoid security
risk
Signed-off-by: Xin Shi <shixin21@huawei.com>
---
embedded/meson_options.txt | 462 +++++++++++++++++++++++++++++++++++++
1 file changed, 462 insertions(+)
create mode 100644 embedded/meson_options.txt
diff --git a/embedded/meson_options.txt b/embedded/meson_options.txt
new file mode 100644
index 0000000..24a44c5
--- /dev/null
+++ b/embedded/meson_options.txt
@@ -0,0 +1,462 @@
+# -*- mode: meson -*-
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+option('version-tag', type : 'string',
+ description : 'override the git version string')
+
+option('mode', type : 'combo', choices : ['developer', 'release'],
+ description : 'autoenable features suitable for systemd development/release builds')
+
+option('split-usr', type : 'combo', choices : ['auto', 'true', 'false'],
+ description : '''/bin, /sbin aren't symlinks into /usr''')
+option('split-bin', type : 'combo', choices : ['auto', 'true', 'false'],
+ description : '''sbin is not a symlink to bin''')
+option('rootlibdir', type : 'string',
+ description : '''[/usr]/lib/x86_64-linux-gnu or such''')
+option('rootprefix', type : 'string',
+ description : '''override the root prefix [default '/' if split-usr and '/usr' otherwise]''')
+option('link-udev-shared', type : 'boolean',
+ description : 'link systemd-udev and its helpers to libsystemd-shared.so')
+option('link-systemctl-shared', type: 'boolean',
+ description : 'link systemctl against libsystemd-shared.so')
+option('link-networkd-shared', type: 'boolean',
+ description : 'link systemd-networkd and its helpers to libsystemd-shared.so')
+option('link-timesyncd-shared', type: 'boolean',
+ description : 'link systemd-timesyncd and its helpers to libsystemd-shared.so')
+option('static-libsystemd', type : 'combo',
+ choices : ['false', 'true', 'pic', 'no-pic'],
+ description : '''install a static library for libsystemd''')
+option('static-libudev', type : 'combo',
+ choices : ['false', 'true', 'pic', 'no-pic'],
+ description : 'install a static library for libudev')
+option('standalone-binaries', type : 'boolean', value : 'false',
+ description : 'also build standalone versions of supported binaries')
+
+option('sysvinit-path', type : 'string', value : '/etc/init.d',
+ description : 'the directory where the SysV init scripts are located')
+option('sysvrcnd-path', type : 'string', value : '/etc/rc.d',
+ description : 'the base directory for SysV rcN.d directories')
+option('telinit-path', type : 'string', value : '/lib/sysvinit/telinit',
+ description : 'path to telinit')
+option('rc-local', type : 'string',
+ value : '/etc/rc.local')
+option('initrd', type : 'boolean',
+ description : 'install services for use when running systemd in initrd')
+option('compat-mutable-uid-boundaries', type : 'boolean', value : 'false',
+ description : 'look at uid boundaries in /etc/login.defs for compatibility')
+option('nscd', type : 'boolean',
+ description : 'build support for flushing of the nscd caches')
+
+option('quotaon-path', type : 'string', description : 'path to quotaon')
+option('quotacheck-path', type : 'string', description : 'path to quotacheck')
+option('kmod-path', type : 'string', description : 'path to kmod')
+option('kexec-path', type : 'string', description : 'path to kexec')
+option('sulogin-path', type : 'string', description : 'path to sulogin')
+option('mount-path', type : 'string', description : 'path to mount')
+option('umount-path', type : 'string', description : 'path to umount')
+option('loadkeys-path', type : 'string', description : 'path to loadkeys')
+option('setfont-path', type : 'string', description : 'path to setfont')
+option('nologin-path', type : 'string', description : 'path to nologin')
+
+option('debug-shell', type : 'string', value : '/bin/sh',
+ description : 'path to debug shell binary')
+option('debug-tty', type : 'string', value : '/dev/tty9',
+ description : 'specify the tty device for debug shell')
+option('debug-extra', type : 'array', choices : ['hashmap', 'mmap-cache', 'siphash'], value : [],
+ description : 'enable extra debugging')
+option('memory-accounting-default', type : 'boolean',
+ description : 'enable MemoryAccounting= by default')
+option('bump-proc-sys-fs-file-max', type : 'boolean',
+ description : 'bump /proc/sys/fs/file-max to LONG_MAX')
+option('bump-proc-sys-fs-nr-open', type : 'boolean',
+ description : 'bump /proc/sys/fs/nr_open to INT_MAX')
+option('valgrind', type : 'boolean', value : false,
+ description : 'do extra operations to avoid valgrind warnings')
+option('log-trace', type : 'boolean', value : false,
+ description : 'enable low level debug logging')
+option('user-path', type : 'string',
+ description : '$PATH to use for user sessions')
+
+option('utmp', type : 'boolean',
+ description : 'support for utmp/wtmp log handling')
+option('hibernate', type : 'boolean',
+ description : 'support for hibernation')
+option('ldconfig', type : 'boolean',
+ description : 'support for dynamic linker cache creation')
+option('resolve', type : 'boolean',
+ description : 'systemd-resolved stack')
+option('efi', type : 'boolean',
+ description : 'enable systemd-boot and bootctl')
+option('tpm', type : 'boolean',
+ description : 'TPM should be used to log events and extend the registers')
+option('environment-d', type : 'boolean',
+ description : 'support for environment.d')
+option('binfmt', type : 'boolean',
+ description : 'support for custom binary formats')
+option('repart', type : 'combo', choices : ['auto', 'true', 'false'],
+ description : 'install the systemd-repart tool')
+option('coredump', type : 'boolean',
+ description : 'install the coredump handler')
+option('pstore', type : 'boolean',
+ description : 'install the pstore archival tool')
+option('oomd', type : 'boolean',
+ description : 'install the userspace oom killer')
+option('logind', type : 'boolean',
+ description : 'install the systemd-logind stack')
+option('hostnamed', type : 'boolean',
+ description : 'install the systemd-hostnamed stack')
+option('localed', type : 'boolean',
+ description : 'install the systemd-localed stack')
+option('machined', type : 'boolean',
+ description : 'install the systemd-machined stack')
+option('portabled', type : 'boolean',
+ description : 'install the systemd-portabled stack')
+option('sysext', type : 'boolean',
+ description : 'install the systemd-sysext stack')
+option('userdb', type : 'boolean',
+ description : 'install the systemd-userdbd stack')
+option('homed', type : 'combo', choices : ['auto', 'true', 'false'],
+ description : 'install the systemd-homed stack')
+option('networkd', type : 'boolean',
+ description : 'install the systemd-networkd stack')
+option('timedated', type : 'boolean',
+ description : 'install the systemd-timedated daemon')
+option('timesyncd', type : 'boolean',
+ description : 'install the systemd-timesyncd daemon')
+option('remote', type : 'combo', choices : ['auto', 'true', 'false'],
+ description : 'support for "journal over the network"')
+option('create-log-dirs', type : 'boolean',
+ description : 'create /var/log/journal{,/remote}')
+option('nss-myhostname', type : 'boolean',
+ description : 'install nss-myhostname module')
+option('nss-mymachines', type : 'combo', choices : ['auto', 'true', 'false'],
+ description : 'install nss-mymachines module')
+option('nss-resolve', type : 'combo', choices : ['auto', 'true', 'false'],
+ description : 'install nss-resolve module')
+option('nss-systemd', type : 'boolean',
+ description : 'install nss-systemd module')
+option('firstboot', type : 'boolean',
+ description : 'support for firstboot mechanism')
+option('randomseed', type : 'boolean',
+ description : 'support for restoring random seed')
+option('backlight', type : 'boolean',
+ description : 'support for restoring backlight state')
+option('vconsole', type : 'boolean',
+ description : 'support for vconsole configuration')
+option('quotacheck', type : 'boolean',
+ description : 'support for the quotacheck tools')
+option('sysusers', type : 'boolean',
+ description : 'support for the sysusers configuration')
+option('tmpfiles', type : 'boolean',
+ description : 'support for tmpfiles.d')
+option('importd', type : 'combo', choices : ['auto', 'true', 'false'],
+ description : 'install the systemd-importd daemon')
+option('hwdb', type : 'boolean',
+ description : 'support for the hardware database')
+option('rfkill', type : 'boolean',
+ description : 'support for the rfkill tools')
+option('xdg-autostart', type : 'boolean',
+ description : 'install the xdg-autostart-generator and unit')
+option('man', type : 'combo', choices : ['auto', 'true', 'false'],
+ value : 'false',
+ description : 'build and install man pages')
+option('html', type : 'combo', choices : ['auto', 'true', 'false'],
+ value : 'false',
+ description : 'build and install html pages')
+option('translations', type : 'boolean', value : true,
+ description : 'build and install translations')
+
+option('certificate-root', type : 'string', value : '/etc/ssl',
+ description : 'the prefix for TLS certificates')
+option('dbuspolicydir', type : 'string',
+ description : 'D-Bus policy directory')
+option('dbussessionservicedir', type : 'string',
+ description : 'D-Bus session service directory')
+option('dbussystemservicedir', type : 'string',
+ description : 'D-Bus system service directory')
+option('pkgconfigdatadir', type : 'string', value : '',
+ description : 'directory for arch-independent pkg-config files')
+option('pkgconfiglibdir', type : 'string', value : '',
+ description : 'directory for standard pkg-config files')
+option('xinitrcdir', type : 'string', value : '',
+ description : 'directory for xinitrc files')
+option('rpmmacrosdir', type : 'string', value : 'lib/rpm/macros.d',
+ description : 'directory for rpm macros ["no" disables]')
+option('pamlibdir', type : 'string',
+ description : 'directory for PAM modules')
+option('pamconfdir', type : 'string',
+ description : 'directory for PAM configuration ["no" disables]')
+option('docdir', type : 'string',
+ description : 'documentation directory')
+option('install-sysconfdir', type : 'combo', choices : ['true', 'no-samples', 'false'], value : 'true',
+ description : 'install configuration files and directories to $sysconfdir')
+
+option('fallback-hostname', type : 'string', value : 'localhost',
+ description : 'the hostname used if none configured')
+option('default-hierarchy', type : 'combo',
+ choices : ['legacy', 'hybrid', 'unified'], value : 'unified',
+ description : 'default cgroup hierarchy')
+option('default-net-naming-scheme', type : 'combo',
+ choices : ['latest', 'v238', 'v239', 'v240'],
+ description : 'default net.naming-scheme= value')
+option('status-unit-format-default', type : 'combo',
+ choices : ['description', 'name', 'combined'],
+ description : 'use unit name or description in messages by default')
+option('time-epoch', type : 'integer', value : '-1',
+ description : 'time epoch for time clients')
+
+option('system-alloc-uid-min', type : 'integer', value : '-1',
+ description : 'minimum system UID used when allocating')
+option('system-alloc-gid-min', type : 'integer', value : '-1',
+ description : 'minimum system GID used when allocating')
+option('system-uid-max', type : 'integer', value : '-1',
+ description : 'maximum system UID')
+option('system-gid-max', type : 'integer', value : '-1',
+ description : 'maximum system GID')
+option('dynamic-uid-min', type : 'integer', value : 0x0000EF00,
+ description : 'minimum dynamic UID')
+option('dynamic-uid-max', type : 'integer', value : 0x0000FFEF,
+ description : 'maximum dynamic UID')
+option('container-uid-base-min', type : 'integer', value : 0x00080000,
+ description : 'minimum container UID base')
+option('container-uid-base-max', type : 'integer', value : 0x6FFF0000,
+ description : 'maximum container UID base')
+option('adm-group', type : 'boolean',
+ description : 'the ACL for adm group should be added')
+option('wheel-group', type : 'boolean',
+ description : 'the ACL for wheel group should be added')
+option('nobody-user', type : 'string',
+ description : 'The name of the nobody user (the one with UID 65534)',
+ value : 'nobody')
+option('nobody-group', type : 'string',
+ description : 'The name of the nobody group (the one with GID 65534)',
+ value : 'nobody')
+option('adm-gid', type : 'integer', value : '-1',
+ description : 'soft-static allocation for the "adm" group')
+option('audio-gid', type : 'integer', value : '-1',
+ description : 'soft-static allocation for the "audio" group')
+option('cdrom-gid', type : 'integer', value : '-1',
+ description : 'soft-static allocation for the "cdrom" group')
+option('dialout-gid', type : 'integer', value : '-1',
+ description : 'soft-static allocation for the "dialout" group')
+option('disk-gid', type : 'integer', value : '-1',
+ description : 'soft-static allocation for the "disk" group')
+option('input-gid', type : 'integer', value : '-1',
+ description : 'soft-static allocation for the "input" group')
+option('kmem-gid', type : 'integer', value : '-1',
+ description : 'soft-static allocation for the "kmem" group')
+option('kvm-gid', type : 'integer', value : '-1',
+ description : 'soft-static allocation for the "kvm" group')
+option('lp-gid', type : 'integer', value : '-1',
+ description : 'soft-static allocation for the "lp" group')
+option('render-gid', type : 'integer', value : '-1',
+ description : 'soft-static allocation for the "render" group')
+option('sgx-gid', type : 'integer', value : '-1',
+ description : 'soft-static allocation for the "sgx" group')
+option('tape-gid', type : 'integer', value : '-1',
+ description : 'soft-static allocation for the "tape" group')
+option('tty-gid', type : 'integer', value : 5,
+ description : 'the numeric GID of the "tty" group')
+option('users-gid', type : 'integer', value : '-1',
+ description : 'soft-static allocation for the "users" group')
+option('utmp-gid', type : 'integer', value : '-1',
+ description : 'soft-static allocation for the "utmp" group')
+option('video-gid', type : 'integer', value : '-1',
+ description : 'soft-static allocation for the "video" group')
+option('wheel-gid', type : 'integer', value : '-1',
+ description : 'soft-static allocation for the "wheel" group')
+option('systemd-journal-gid', type : 'integer', value : '-1',
+ description : 'soft-static allocation for the systemd-journal group')
+option('systemd-network-uid', type : 'integer', value : '-1',
+ description : 'soft-static allocation for the systemd-network user')
+option('systemd-resolve-uid', type : 'integer', value : '-1',
+ description : 'soft-static allocation for the systemd-resolve user')
+option('systemd-timesync-uid', type : 'integer', value : '-1',
+ description : 'soft-static allocation for the systemd-timesync user')
+
+option('dev-kvm-mode', type : 'string', value : '0666',
+ description : '/dev/kvm access mode')
+option('group-render-mode', type : 'string', value : '0666',
+ description : 'Access mode for devices owned by render group (e.g. /dev/dri/renderD*, /dev/kfd).')
+option('default-kill-user-processes', type : 'boolean',
+ description : 'the default value for KillUserProcesses= setting')
+option('gshadow', type : 'boolean',
+ description : 'support for shadow group')
+option('default-locale', type : 'string', value : '',
+ description : 'default locale used when /etc/locale.conf does not exist')
+option('localegen-path', type : 'string', value : '',
+ description : 'absolute path to the locale-gen binary in case the system is using locale-gen')
+option('service-watchdog', type : 'string', value : '3min',
+ description : 'default watchdog setting for systemd services')
+
+option('default-dnssec', type : 'combo',
+ description : 'default DNSSEC mode',
+ choices : ['yes', 'allow-downgrade', 'no'],
+ value : 'allow-downgrade')
+option('default-dns-over-tls', type : 'combo',
+ description : 'default DNS-over-TLS mode',
+ choices : ['yes', 'opportunistic', 'no'],
+ value : 'no')
+option('default-mdns', type : 'combo',
+ choices : ['yes', 'resolve', 'no'],
+ description : 'default MulticastDNS mode',
+ value : 'yes')
+option('default-llmnr', type : 'combo',
+ choices : ['yes', 'resolve', 'no'],
+ description : 'default LLMNR mode',
+ value : 'yes')
+option('dns-over-tls', type : 'combo', choices : ['auto', 'gnutls', 'openssl', 'true', 'false'],
+ description : 'DNS-over-TLS support')
+option('dns-servers', type : 'string',
+ description : 'space-separated list of default DNS servers',
+ value : '127.0.0.1')
+option('ntp-servers', type : 'string',
+ description : 'space-separated list of default NTP servers',
+ value : '0.pool.ntp.org 1.pool.ntp.org 2.pool.ntp.org 3.pool.ntp.org')
+option('support-url', type : 'string',
+ description : 'the support URL to show in catalog entries included in systemd',
+ value : 'https://lists.freedesktop.org/mailman/listinfo/systemd-devel')
+option('www-target', type : 'string',
+ description : 'the address and dir to upload docs too',
+ value : 'www.freedesktop.org:/srv/www.freedesktop.org/www/software/systemd')
+
+option('seccomp', type : 'combo', choices : ['auto', 'true', 'false'],
+ description : 'SECCOMP support')
+option('selinux', type : 'combo', choices : ['auto', 'true', 'false'],
+ description : 'SELinux support')
+option('apparmor', type : 'combo', choices : ['auto', 'true', 'false'],
+ description : 'AppArmor support')
+option('smack', type : 'boolean',
+ description : 'SMACK support')
+option('smack-run-label', type : 'string',
+ description : 'run systemd --system itself with a specific SMACK label')
+option('polkit', type : 'combo', choices : ['auto', 'true', 'false'],
+ description : 'polkit support')
+option('ima', type : 'boolean',
+ description : 'IMA support')
+
+option('acl', type : 'combo', choices : ['auto', 'true', 'false'],
+ description : 'libacl support')
+option('audit', type : 'combo', choices : ['auto', 'true', 'false'],
+ description : 'libaudit support')
+option('blkid', type : 'combo', choices : ['auto', 'true', 'false'],
+ description : 'libblkid support')
+option('fdisk', type : 'combo', choices : ['auto', 'true', 'false'],
+ description : 'libfdisk support')
+option('kmod', type : 'combo', choices : ['auto', 'true', 'false'],
+ description : 'support for loadable modules')
+option('pam', type : 'combo', choices : ['auto', 'true', 'false'],
+ description : 'PAM support')
+option('pwquality', type : 'combo', choices : ['auto', 'true', 'false'],
+ description : 'libpwquality support')
+option('microhttpd', type : 'combo', choices : ['auto', 'true', 'false'],
+ description : 'libµhttpd support')
+option('libcryptsetup', type : 'combo', choices : ['auto', 'true', 'false'],
+ description : 'libcryptsetup support')
+option('libcurl', type : 'combo', choices : ['auto', 'true', 'false'],
+ description : 'libcurl support')
+option('idn', type : 'boolean',
+ description : 'use IDN when printing hostnames')
+option('libidn2', type : 'combo', choices : ['auto', 'true', 'false'],
+ description : 'libidn2 support')
+option('libidn', type : 'combo', choices : ['auto', 'true', 'false'],
+ description : 'libidn support')
+option('libiptc', type : 'combo', choices : ['auto', 'true', 'false'],
+ description : 'libiptc support')
+option('qrencode', type : 'combo', choices : ['auto', 'true', 'false'],
+ description : 'libqrencode support')
+option('gcrypt', type : 'combo', choices : ['auto', 'true', 'false'],
+ description : 'gcrypt support')
+option('gnutls', type : 'combo', choices : ['auto', 'true', 'false'],
+ description : 'gnutls support')
+option('openssl', type : 'combo', choices : ['auto', 'true', 'false'],
+ description : 'openssl support')
+option('p11kit', type : 'combo', choices : ['auto', 'true', 'false'],
+ description : 'p11kit support')
+option('libfido2', type : 'combo', choices : ['auto', 'true', 'false'],
+ description : 'FIDO2 support')
+option('tpm2', type : 'combo', choices : ['auto', 'true', 'false'],
+ description : 'TPM2 support')
+option('elfutils', type : 'combo', choices : ['auto', 'true', 'false'],
+ description : 'elfutils support')
+option('zlib', type : 'combo', choices : ['auto', 'true', 'false'],
+ description : 'zlib compression support')
+option('bzip2', type : 'combo', choices : ['auto', 'true', 'false'],
+ description : 'bzip2 compression support')
+option('xz', type : 'combo', choices : ['auto', 'true', 'false'],
+ description : 'xz compression support')
+option('lz4', type : 'combo', choices : ['auto', 'true', 'false'],
+ description : 'lz4 compression support')
+option('zstd', type : 'combo', choices : ['auto', 'true', 'false'],
+ description : 'zstd compression support')
+option('xkbcommon', type : 'combo', choices : ['auto', 'true', 'false'],
+ description : 'xkbcommon keymap support')
+option('pcre2', type : 'combo', choices : ['auto', 'true', 'false'],
+ description : 'regexp matching support using pcre2')
+option('glib', type : 'combo', choices : ['auto', 'true', 'false'],
+ description : 'libglib support (for tests only)')
+option('dbus', type : 'combo', choices : ['auto', 'true', 'false'],
+ description : 'libdbus support (for tests only)')
+
+option('gnu-efi', type : 'combo', choices : ['auto', 'true', 'false'],
+ description : 'gnu-efi support for sd-boot')
+option('efi-cc', type : 'array',
+ description : 'the compiler to use for EFI modules')
+option('efi-ld', type : 'string', value : 'ld',
+ description : 'the linker to use for EFI modules')
+option('efi-libdir', type : 'string',
+ description : 'path to the EFI lib directory')
+option('efi-includedir', type : 'string', value : '/usr/include/efi',
+ description : 'path to the EFI header directory')
+option('tpm-pcrindex', type : 'integer', value : 8,
+ description : 'TPM PCR register number to use')
+option('sbat-distro', type : 'string',
+ description : 'SBAT distribution ID, e.g. fedora, or auto for autodetection')
+option('sbat-distro-generation', type : 'integer', value : 1,
+ description : 'SBAT distribution generation')
+option('sbat-distro-summary', type : 'string',
+ description : 'SBAT distribution summary, e.g. Fedora')
+option('sbat-distro-pkgname', type : 'string',
+ description : 'SBAT distribution package name, e.g. systemd')
+option('sbat-distro-version', type : 'string',
+ description : 'SBAT distribution package version, e.g. 248-7.fc34')
+option('sbat-distro-url', type : 'string',
+ description : 'SBAT distribution URL, e.g. https://src.fedoraproject.org/rpms/systemd')
+
+option('bashcompletiondir', type : 'string',
+ description : 'directory for bash completion scripts ["no" disables]')
+option('zshcompletiondir', type : 'string',
+ description : 'directory for zsh completion scripts ["no" disables]')
+
+option('tests', type : 'combo', choices : ['true', 'unsafe', 'false'],
+ description : 'enable extra tests with =unsafe')
+option('slow-tests', type : 'boolean', value : 'false',
+ description : 'run the slow tests by default')
+option('fuzz-tests', type : 'boolean', value : 'false',
+ description : 'run the fuzzer regression tests by default (with sanitizers)')
+option('install-tests', type : 'boolean', value : 'false',
+ description : 'install test executables')
+
+option('ok-color', type : 'combo',
+ choices : ['black', 'red', 'green', 'yellow', 'blue', 'magenta', 'cyan',
+ 'white', 'highlight-black', 'highlight-red', 'highlight-green',
+ 'highlight-yellow', 'highlight-blue', 'highlight-magenta',
+ 'highlight-cyan', 'highlight-white'],
+ value : 'green',
+ description: 'color of the "OK" status message')
+option('urlify', type : 'boolean', value : 'true',
+ description : 'enable pager Hyperlink ANSI sequence support')
+option('fexecve', type : 'boolean', value : 'false',
+ description : 'use fexecve() to spawn children')
+
+option('oss-fuzz', type : 'boolean', value : 'false',
+ description : 'build against oss-fuzz')
+option('llvm-fuzz', type : 'boolean', value : 'false',
+ description : 'build against LLVM libFuzzer')
+option('kernel-install', type: 'boolean', value: 'true',
+ description : 'install kernel-install and associated files')
+option('analyze', type: 'boolean', value: 'true',
+ description : 'install systemd-analyze')
+
+option('bpf-framework', type : 'combo', choices : ['auto', 'true', 'false'],
+ description: 'build BPF programs from source code in restricted C')
--
2.27.0

122
embedded-sysuesrs_dir-sysctl_dir-binfmt_dir-modules_.patch Normal file
View File

@ -0,0 +1,122 @@
From e64cff49bced685b5abeb03e89940314d72e49ae Mon Sep 17 00:00:00 2001
From: Xin Shi <shixin21@huawei.com>
Date: Wed, 23 Aug 2023 18:06:49 +0800
Subject: [PATCH 1/5] embedded: sysuesrs_dir, sysctl_dir, binfmt_dir,
modules_load_dir reference directories in /usr/lib
Signed-off-by: Xin Shi <shixin21@huawei.com>
---
embedded/systemd.pc.in | 101 +++++++++++++++++++++++++++++++++++++++++
1 file changed, 101 insertions(+)
create mode 100644 embedded/systemd.pc.in
diff --git a/embedded/systemd.pc.in b/embedded/systemd.pc.in
new file mode 100644
index 0000000..65996bb
--- /dev/null
+++ b/embedded/systemd.pc.in
@@ -0,0 +1,101 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+#
+# This file is part of systemd.
+#
+# systemd is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or
+# (at your option) any later version.
+
+# Names with prefixes are preferred, and the run-together names should be
+# considered deprecated (though there is no plan to remove them). New names
+# shall have underscores.
+
+prefix=/usr
+root_prefix={{ROOTPREFIX_NOSLASH}}
+rootprefix=${root_prefix}
+sysconf_dir={{SYSCONF_DIR}}
+sysconfdir=${sysconf_dir}
+
+systemd_util_dir=${root_prefix}/lib/systemd
+systemdutildir=${systemd_util_dir}
+
+systemd_system_unit_dir=${rootprefix}/lib/systemd/system
+systemdsystemunitdir=${systemd_system_unit_dir}
+
+systemd_system_preset_dir=${rootprefix}/lib/systemd/system-preset
+systemdsystempresetdir=${systemd_system_preset_dir}
+
+systemd_user_unit_dir=${prefix}/lib/systemd/user
+systemduserunitdir=${systemd_user_unit_dir}
+
+systemd_user_preset_dir=${prefix}/lib/systemd/user-preset
+systemduserpresetdir=${systemd_user_preset_dir}
+
+systemd_system_conf_dir=${sysconfdir}/systemd/system
+systemdsystemconfdir=${systemd_system_conf_dir}
+
+systemd_user_conf_dir=${sysconfdir}/systemd/user
+systemduserconfdir=${systemd_user_conf_dir}
+
+systemd_system_unit_path=${systemd_system_conf_dir}:/etc/systemd/system:/run/systemd/system:/usr/local/lib/systemd/system:${systemd_system_unit_dir}:/usr/lib/systemd/system:/lib/systemd/system
+systemdsystemunitpath=${systemd_system_unit_path}
+
+systemd_user_unit_path=${systemd_user_conf_dir}:/etc/systemd/user:/run/systemd/user:/usr/local/lib/systemd/user:/usr/local/share/systemd/user:${systemd_user_unit_dir}:/usr/lib/systemd/user:/usr/share/systemd/user
+systemduserunitpath=${systemd_user_unit_path}
+
+systemd_system_generator_dir=${root_prefix}/lib/systemd/system-generators
+systemdsystemgeneratordir=${systemd_system_generator_dir}
+
+systemd_user_generator_dir=${prefix}/lib/systemd/user-generators
+systemdusergeneratordir=${systemd_user_generator_dir}
+
+systemd_system_generator_path=/run/systemd/system-generators:/etc/systemd/system-generators:/usr/local/lib/systemd/system-generators:${systemd_system_generator_dir}
+systemdsystemgeneratorpath=${systemd_system_generator_path}
+
+systemd_user_generator_path=/run/systemd/user-generators:/etc/systemd/user-generators:/usr/local/lib/systemd/user-generators:${systemd_user_generator_dir}
+systemdusergeneratorpath=${systemd_user_generator_path}
+
+systemd_sleep_dir=${root_prefix}/lib/systemd/system-sleep
+systemdsleepdir=${systemd_sleep_dir}
+
+systemd_shutdown_dir=${root_prefix}/lib/systemd/system-shutdown
+systemdshutdowndir=${systemd_shutdown_dir}
+
+tmpfiles_dir=${prefix}/lib/tmpfiles.d
+tmpfilesdir=${tmpfiles_dir}
+
+sysusers_dir=${prefix}/lib/sysusers.d
+sysusersdir=${sysusers_dir}
+
+sysctl_dir=${prefix}/lib/sysctl.d
+sysctldir=${sysctl_dir}
+
+binfmt_dir=${prefix}/lib/binfmt.d
+binfmtdir=${binfmt_dir}
+
+modules_load_dir=${prefix}/lib/modules-load.d
+modulesloaddir=${modules_load_dir}
+
+catalog_dir=${prefix}/lib/systemd/catalog
+catalogdir=${catalog_dir}
+
+system_uid_max={{SYSTEM_UID_MAX}}
+systemuidmax=${system_uid_max}
+system_gid_max={{SYSTEM_GID_MAX}}
+systemgidmax=${system_gid_max}
+
+dynamic_uid_min={{DYNAMIC_UID_MIN}}
+dynamicuidmin=${dynamic_uid_min}
+dynamic_uid_max={{DYNAMIC_UID_MAX}}
+dynamicuidmax=${dynamic_uid_max}
+
+container_uid_base_min={{CONTAINER_UID_BASE_MIN}}
+containeruidbasemin=${container_uid_base_min}
+container_uid_base_max={{CONTAINER_UID_BASE_MAX}}
+containeruidbasemax=${container_uid_base_max}
+
+Name: systemd
+Description: systemd System and Service Manager
+URL: {{PROJECT_URL}}
+Version: {{PROJECT_VERSION}}
--
2.27.0

170
embedded-use-yocto-configs.patch Normal file
View File

@ -0,0 +1,170 @@
From 0b43b9daeb0b194cd064830728b36a8cccbbea9b Mon Sep 17 00:00:00 2001
From: Xin Shi <shixin21@huawei.com>
Date: Thu, 24 Aug 2023 10:02:32 +0800
Subject: [PATCH 5/5] embedded: use yocto configs
Signed-off-by: Xin Shi <shixin21@huawei.com>
---
embedded/00-create-volatile.conf | 12 ++++
embedded/init | 104 +++++++++++++++++++++++++++++++
embedded/touchscreen.rules | 18 ++++++
3 files changed, 134 insertions(+)
create mode 100644 embedded/00-create-volatile.conf
create mode 100644 embedded/init
create mode 100644 embedded/touchscreen.rules
diff --git a/embedded/00-create-volatile.conf b/embedded/00-create-volatile.conf
new file mode 100644
index 0000000..55333b6
--- /dev/null
+++ b/embedded/00-create-volatile.conf
@@ -0,0 +1,12 @@
+#This goes hand-in-hand with the base-files of OE-Core. The file must
+# be sorted before 'systemd.conf' because this attempts to create a file
+# inside /var/log.
+
+
+d /var/volatile/log - - - -
+d /var/volatile/tmp 1777 - -
+d /var/log 0750 root root -
+f /var/log/wtmp 0640 root root -
+f /var/log/btmp 0600 root root -
+f /var/log/lastlog 0600 root root -
+f /var/log/faillog 0600 root root -
diff --git a/embedded/init b/embedded/init
new file mode 100644
index 0000000..4931b77
--- /dev/null
+++ b/embedded/init
@@ -0,0 +1,104 @@
+#!/bin/sh
+
+### BEGIN INIT INFO
+# Provides: udev
+# Required-Start: mountvirtfs
+# Required-Stop:
+# Default-Start: S
+# Default-Stop:
+# Short-Description: Start udevd, populate /dev and load drivers.
+### END INIT INFO
+
+. /etc/init.d/functions
+
+export TZ=/etc/localtime
+
+[ -d /sys/class ] || exit 1
+[ -r /proc/mounts ] || exit 1
+[ -x @UDEVD@ ] || exit 1
+[ -f /etc/default/udev-cache ] && . /etc/default/udev-cache
+[ -f /etc/udev/udev.conf ] && . /etc/udev/udev.conf
+
+readfile () {
+ filename=$1
+ READDATA=""
+ if [ -r $filename ]; then
+ while read line; do
+ READDATA="$READDATA$line"
+ done < $filename
+ fi
+}
+
+case "$1" in
+ start)
+ export ACTION=add
+ # propagate /dev from /sys
+ echo "Starting udev"
+
+ # mount the devtmpfs on /dev, if not already done
+ LANG=C awk '$2 == "/dev" && ($3 == "devtmpfs") { exit 1 }' /proc/mounts && {
+ mount -n -o mode=0755 -t devtmpfs none "/dev"
+ }
+ [ -e /dev/pts ] || mkdir -m 0755 /dev/pts
+ [ -e /dev/shm ] || mkdir -m 1777 /dev/shm
+ mount -a -t tmpfs 2>/dev/null
+
+ # cache handling
+ if [ "$DEVCACHE" != "" ]; then
+ readfile /proc/version
+ VERSION="$READDATA"
+ readfile /proc/cmdline
+ CMDLINE="$READDATA"
+ readfile /proc/devices
+ DEVICES="$READDATA"
+ readfile /proc/atags
+ ATAGS="$READDATA"
+
+ if [ -e $DEVCACHE ]; then
+ readfile /etc/udev/cache.data
+ if [ "$READDATA" = "$VERSION$CMDLINE$DEVICES$ATAGS" ]; then
+ (cd /; tar xf $DEVCACHE > /dev/null 2>&1)
+ not_first_boot=1
+ [ "$VERBOSE" != "no" ] && echo "udev: using cache file $DEVCACHE"
+ [ -e /dev/shm/udev.cache ] && rm -f /dev/shm/udev.cache
+ else
+ echo "$VERSION$CMDLINE$DEVICES$ATAGS" > /dev/shm/udev.cache
+ fi
+ else
+ echo "$VERSION$CMDLINE$DEVICES$ATAGS" > /dev/shm/udev.cache
+ fi
+ fi
+
+ # make_extra_nodes
+ killproc systemd-udevd > "/dev/null" 2>&1
+
+ # trigger the sorted events
+ echo -e '\000\000\000\000' > /proc/sys/kernel/hotplug
+ @UDEVD@ -d
+
+ udevadm control --env=STARTUP=1
+ if [ "$not_first_boot" != "" ]; then
+ udevadm trigger --action=add --subsystem-nomatch=tty --subsystem-nomatch=mem --subsystem-nomatch=vc --subsystem-nomatch=vtconsole --subsystem-nomatch=misc --subsystem-nomatch=dcon --subsystem-nomatch=pci_bus --subsystem-nomatch=graphics --subsystem-nomatch=backlight --subsystem-nomatch=video4linux --subsystem-nomatch=platform
+ (udevadm settle --timeout=3; udevadm control --env=STARTUP=)&
+ else
+ udevadm trigger --action=add
+ udevadm settle
+ fi
+ ;;
+ stop)
+ echo "Stopping udevd"
+ start-stop-daemon --stop --name systemd-udevd --quiet
+ ;;
+ restart)
+ $0 stop
+ sleep 1
+ $0 start
+ ;;
+ status)
+ status systemd-udevd
+ ;;
+ *)
+ echo "Usage: $0 {start|stop|status|restart}"
+ exit 1
+esac
+exit 0
diff --git a/embedded/touchscreen.rules b/embedded/touchscreen.rules
new file mode 100644
index 0000000..d83fd16
--- /dev/null
+++ b/embedded/touchscreen.rules
@@ -0,0 +1,18 @@
+# There are a number of modifiers that are allowed to be used in some
+# of the different fields. They provide the following subsitutions:
+#
+# %n the "kernel number" of the device.
+# For example, 'sda3' has a "kernel number" of '3'
+# %e the smallest number for that name which does not matches an existing node
+# %k the kernel name for the device
+# %M the kernel major number for the device
+# %m the kernel minor number for the device
+# %b the bus id for the device
+# %c the string returned by the PROGRAM
+# %s{filename} the content of a sysfs attribute
+# %% the '%' char itself
+#
+
+# Create a symlink to any touchscreen input device
+SUBSYSTEM=="input", KERNEL=="event[0-9]*", ATTRS{modalias}=="input:*-e0*,3,*a0,1,*18,*", SYMLINK+="input/touchscreen0"
+SUBSYSTEM=="input", KERNEL=="event[0-9]*", ATTRS{modalias}=="ads7846", SYMLINK+="input/touchscreen0"
--
2.27.0

75
systemd.spec
View File

@ -21,7 +21,7 @@
Name: systemd
Url: https://www.freedesktop.org/wiki/Software/systemd
Version: 249
Release: 54
Release: 56
License: MIT and LGPLv2+ and GPLv2+
Summary: System and Service Manager
@ -529,6 +529,64 @@ Patch6480: backport-mount-retrigger-run-queue-after-ratelimit-expired-to.pa
Patch6481: backport-pid1-add-a-manager_trigger_run_queue-helper.patch
Patch6482: backport-unit-add-jobs-that-were-skipped-because-of-ratelimit.patch
Patch6483: backport-unit-check-for-mount-rate-limiting-before-checking-a.patch
Patch6484: backport-nspawn-fix-UID-map-string.patch
Patch6485: backport-core-Fix-memory-leaks.patch
Patch6486: backport-sysusers-properly-process-user-entries-with-an-expli.patch
Patch6487: backport-network-bridge-fix-UseBPDU-and-AllowPortToBeRoot.patch
Patch6488: backport-core-fix-memleak-in-GetUnitFileLinks-method.patch
Patch6489: backport-sd-bus-Use-goto-finish-instead-of-return-in-bus_add_.patch
Patch6490: backport-cgtop-Do-not-rewrite-P-or-k-options.patch
Patch6491: backport-sd-netlink-fix-segfault.patch
Patch6492: backport-escape-fix-wrong-octescape-of-bad-character.patch
Patch6493: backport-test-add-basic-tests-for-octescape.patch
Patch6494: backport-journald-prevent-segfault-on-empty-attr-current.patch
Patch6495: backport-hexdecoct-add-missing-NULL-check.patch
Patch6496: backport-hexdecoct-fix-NULL-pointer-dereferences-in-hexmem.patch
Patch6497: backport-sd-device-fix-double-free.patch
Patch6498: backport-sd-device-add-helper-to-read-a-unsigned-int-attribut.patch
Patch6499: backport-test-name_assign_type-sysattr-never-exists-for-enume.patch
Patch6500: backport-udev-match-device-tags-in-rules-using-current-device.patch
Patch6501: backport-sd-dhcp-server-allow-to-send-header-only-message.patch
Patch6502: backport-core-allow-list-char-rtc-with-ProtectClock-yes-only-.patch
Patch6503: backport-socket-util-fix-socket_get_family.patch
Patch6504: backport-network-ipv4acd-update-MAC-address-on-change-26753.patch
Patch6505: backport-core-transaction-make-merge_unit_ids-always-return-N.patch
Patch6506: backport-core-transaction-make-merge_unit_ids-return-non-NULL.patch
Patch6507: backport-shared-exec-util-null_or_empty_path-does-not-return-.patch
Patch6508: backport-rm-rf-fix-errno-handling.patch
Patch6509: backport-localed-fix-invalid-free-after-shifting-pointers-usi.patch
Patch6510: backport-pid1-fix-coredump_filter-setting.patch
Patch6511: backport-scope-do-not-disable-timer-event-source-when-state-i.patch
Patch6512: backport-test-add-some-tests-for-RuntimeMaxSec.patch
Patch6513: backport-list-fix-double-evaluation.patch
Patch6514: backport-coredump-filter-fix-stack-overflow-with-all.patch
Patch6515: backport-coredump-filter-add-mask-for-all-using-UINT32_MAX-no.patch
Patch6516: backport-journal-Don-t-try-to-write-garbage-if-journal-entry-.patch
Patch6517: backport-sd-journal-tighten-variable-scope.patch
Patch6518: backport-sd-journal-copy-boot-ID.patch
Patch6519: backport-sd-journal-make-journal_file_copy_entry-return-earli.patch
Patch6520: backport-shared-reject-empty-attachment-path.patch
Patch6521: backport-shared-refuse-fd-INT_MAX.patch
Patch6522: backport-sd-bus-bus_message_type_from_string-is-not-pure.patch
Patch6523: backport-pid1-when-taking-possession-of-passed-fds-check-O_CL.patch
Patch6524: backport-test-test-O_CLOEXEC-filtering-of-fdset-fill-logic.patch
Patch6525: backport-machine-fix-a-memory-leak-when-showing-multiple-imag.patch
Patch6526: backport-machine-fix-a-memory-leak-when-showing-multiple-mach.patch
Patch6527: backport-nspawn-call-json_dispatch-with-a-correct-pointer.patch
Patch6528: backport-nspawn-fix-inverted-condition.patch
Patch6529: backport-nspawn-fix-a-global-buffer-overflow.patch
Patch6530: backport-sd-bus-sd-event-allow-querying-of-description-even-a.patch
Patch6531: backport-json-correctly-handle-magic-strings-when-parsing-var.patch
Patch6532: backport-sd-journal-avoid-double-free.patch
Patch6533: backport-udev-do-not-set-ID_PATH-and-by-path-symlink-for-nvmf.patch
Patch6534: backport-specifier-avoid-leaking-memory-on-allocation-error.patch
Patch6535: backport-dbus-util-let-s-take-it-down-a-notch-when-converting.patch
Patch6536: backport-socket-avoid-memory-leak-on-incomplete-SocketPort-ob.patch
Patch6537: backport-journal-avoid-infinite-recursion-when-closing-bad-jo.patch
Patch6538: backport-core-Return-1-from-unit_add_dependency-on-success.patch
Patch6539: backport-core-unit-fix-notification-about-unit-dependency-cha.patch
Patch6540: backport-core-unit-make-JoinsNamespaceOf-implies-the-inverse-.patch
Patch6541: backport-core-unit-update-bidirectional-dependency-simultaneo.patch
Patch9001: update-rtc-with-system-clock-when-shutdown.patch
Patch9002: udev-add-actions-while-rename-netif-failed.patch
@ -589,6 +647,11 @@ Patch9055: bugfix-for-cgroup-Swap-cgroup-v1-deletion-and-migration.patch
Patch9056: delete-journal-files-except-system.journal-when-jour.patch
Patch9057: set-the-cpuset.cpus-mems-of-machine.slice-to-all-by-.patch
Patch9058: add-a-new-switch-to-control-whether-udev-complies-wi.patch
Patch9059: embedded-sysuesrs_dir-sysctl_dir-binfmt_dir-modules_.patch
Patch9060: embedded-modify-dns-server-address-to-avoid-security.patch
Patch9061: add-support-to-relabel-systemd-process-for-embedded.patch
Patch9062: embedded-add-noexec-mount-option-to-strenthen-tmp-pa.patch
Patch9063: embedded-use-yocto-configs.patch
BuildRequires: gcc, gcc-c++
BuildRequires: libcap-devel, libmount-devel, pam-devel, libselinux-devel
@ -2006,6 +2069,16 @@ fi
%{_libdir}/security/pam_systemd.so
%changelog
* Mon Oct 9 2023 wangyuhang <wangyuhang27@huawei.com> - 249-56
- backport: sync patches from systemd community
* Thu Aug 24 2023 shixin <shixin21@huawei.com> - 249-55
- sysuesrs_dir, sysctl_dir, binfmt_dir, modules_load_dir reference directories in /usr/lib for embedded
- modify dns server address to avoid security risk for embedded
- add support to relabel systemd process for embedded
- add noexec mount option to strenthen tmp partition for embedded
- use yocto configs for embedded
* Thu Aug 17 2023 wangyuhang <wangyuhang27@huawei.com> - 249-54
- add a new switch to control whether udev complies with the new SAT standards
and add sense_data.py to check if the device meets the new SAT standards