Add an embedded/ directory and embedded-specific features (patches 1-5)

Signed-off-by: Xin Shi <shixin21@huawei.com>
(cherry picked from commit decc956d9cea842432cea9e6d6f03e520b9b9414)
This commit is contained in:
Xin Shi 2023-08-24 10:30:22 +08:00 committed by openeuler-sync-bot
parent 1025693700
commit 9ec39d0745
6 changed files with 873 additions and 0 deletions


@ -0,0 +1,36 @@
From eae8bc192e19dbdce118bf7b936befb3953a21ea Mon Sep 17 00:00:00 2001
From: Xin Shi <shixin21@huawei.com>
Date: Thu, 24 Aug 2023 09:34:46 +0800
Subject: [PATCH 3/5] add support to relabel systemd process for embedded
Signed-off-by: Xin Shi <shixin21@huawei.com>
---
src/core/selinux-setup.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/src/core/selinux-setup.c b/src/core/selinux-setup.c
index 2bafbee..74e2a2f 100644
--- a/src/core/selinux-setup.c
+++ b/src/core/selinux-setup.c
@@ -6,6 +6,7 @@
#if HAVE_SELINUX
#include <selinux/selinux.h>
+#include <selinux/restorecon.h>
#endif
#include "log.h"
@@ -68,6 +69,10 @@ int mac_selinux_setup(bool *loaded_policy) {
mac_selinux_retest();
+ int ret = selinux_restorecon(SYSTEMD_BINARY_PATH, 0);
+ if (ret != 0)
+ log_warning("Failed to relabel %s, errno=%d.", SYSTEMD_BINARY_PATH, errno);
+
/* Transition to the new context */
r = mac_selinux_get_create_label_from_exe(SYSTEMD_BINARY_PATH, &label);
if (r < 0 || !label) {
--
2.27.0
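Review bot: The relabel result on L34-L36 is reported but never acted on: `selinux_restorecon()` returns -1 and sets errno, yet the code continues straight into deriving the transition label from the same binary, so in enforcing mode a failed relabel can leave PID 1 in the wrong or the initial kernel context with nothing but a warning in the log. Since the label of the init binary is what every later domain transition is anchored on, consider whether a failure here should be an error (or fatal) rather than a warning. The surrounding file's logging idiom would also be `log_warning_errno(errno, "Failed to relabel %s: %m", SYSTEMD_BINARY_PATH);` instead of a bare `errno=%d`, which reuses the existing `r` convention rather than introducing a separate `int ret` mid-function. The enclosing mac_selinux_setup() starts and ends outside the hunk, so whether the new call sits inside the existing `#if HAVE_SELINUX` region cannot be confirmed from here.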


@ -0,0 +1,50 @@
From b6bcc208dda00ae4b310bd2fd513fe250f8b2c10 Mon Sep 17 00:00:00 2001
From: Xin Shi <shixin21@huawei.com>
Date: Thu, 24 Aug 2023 09:35:40 +0800
Subject: [PATCH 4/5] embedded: add noexec mount option to strenthen tmp
partition
Signed-off-by: Xin Shi <shixin21@huawei.com>
---
embedded/tmp.mount | 29 +++++++++++++++++++++++++++++
1 file changed, 29 insertions(+)
create mode 100644 embedded/tmp.mount
diff --git a/embedded/tmp.mount b/embedded/tmp.mount
new file mode 100644
index 0000000..c2df09d
--- /dev/null
+++ b/embedded/tmp.mount
@@ -0,0 +1,29 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+#
+# This file is part of systemd.
+#
+# systemd is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or
+# (at your option) any later version.
+
+[Unit]
+Description=Temporary Directory /tmp
+Documentation=https://systemd.io/TEMPORARY_DIRECTORIES
+Documentation=man:file-hierarchy(7)
+Documentation=https://www.freedesktop.org/wiki/Software/systemd/APIFileSystems
+ConditionPathIsSymbolicLink=!/tmp
+DefaultDependencies=no
+Conflicts=umount.target
+Before=local-fs.target umount.target
+After=swap.target
+
+[Mount]
+What=tmpfs
+Where=/tmp
+Type=tmpfs
+Options=mode=1777,strictatime,nosuid,nodev,size=50%%,nr_inodes=1m,noexec
+
+# Make 'systemctl enable tmp.mount' work:
+[Install]
+WantedBy=local-fs.target
--
2.27.0
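Review bot: `noexec` on L87 hardens only one world-writable location: the same commit's `00-create-volatile.conf` creates `/var/volatile/tmp` with mode 1777 (typically the target of /var/tmp on Yocto-style images) and nothing applies `noexec` there, and `/dev/shm` is likewise untouched, so a local attacker who can write files can still execute from those paths. A comment above the `Options=` line should state the scope, e.g. `# noexec: /tmp is world-writable; /var/volatile/tmp and /dev/shm need the same treatment or this is bypassable`. It is also worth noting in the unit that `noexec` on /tmp breaks tools that unpack or build helpers under /tmp (some package post-install scripts, JIT trampolines), so the device image should be regression-tested with it enabled. The `size=50%%` escaping is correct for a unit file; no change needed there.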


@ -0,0 +1,483 @@
From 29f0311e6fe30b6e492e0bd323c6c1e975719e6b Mon Sep 17 00:00:00 2001
From: Xin Shi <shixin21@huawei.com>
Date: Wed, 23 Aug 2023 18:11:25 +0800
Subject: [PATCH 2/5] embedded: modify dns server address to avoid security
risk
Signed-off-by: Xin Shi <shixin21@huawei.com>
---
embedded/meson_options.txt | 462 +++++++++++++++++++++++++++++++++++++
1 file changed, 462 insertions(+)
create mode 100644 embedded/meson_options.txt
diff --git a/embedded/meson_options.txt b/embedded/meson_options.txt
new file mode 100644
index 0000000..24a44c5
--- /dev/null
+++ b/embedded/meson_options.txt
@@ -0,0 +1,462 @@
+# -*- mode: meson -*-
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+option('version-tag', type : 'string',
+ description : 'override the git version string')
+
+option('mode', type : 'combo', choices : ['developer', 'release'],
+ description : 'autoenable features suitable for systemd development/release builds')
+
+option('split-usr', type : 'combo', choices : ['auto', 'true', 'false'],
+ description : '''/bin, /sbin aren't symlinks into /usr''')
+option('split-bin', type : 'combo', choices : ['auto', 'true', 'false'],
+ description : '''sbin is not a symlink to bin''')
+option('rootlibdir', type : 'string',
+ description : '''[/usr]/lib/x86_64-linux-gnu or such''')
+option('rootprefix', type : 'string',
+ description : '''override the root prefix [default '/' if split-usr and '/usr' otherwise]''')
+option('link-udev-shared', type : 'boolean',
+ description : 'link systemd-udev and its helpers to libsystemd-shared.so')
+option('link-systemctl-shared', type: 'boolean',
+ description : 'link systemctl against libsystemd-shared.so')
+option('link-networkd-shared', type: 'boolean',
+ description : 'link systemd-networkd and its helpers to libsystemd-shared.so')
+option('link-timesyncd-shared', type: 'boolean',
+ description : 'link systemd-timesyncd and its helpers to libsystemd-shared.so')
+option('static-libsystemd', type : 'combo',
+ choices : ['false', 'true', 'pic', 'no-pic'],
+ description : '''install a static library for libsystemd''')
+option('static-libudev', type : 'combo',
+ choices : ['false', 'true', 'pic', 'no-pic'],
+ description : 'install a static library for libudev')
+option('standalone-binaries', type : 'boolean', value : 'false',
+ description : 'also build standalone versions of supported binaries')
+
+option('sysvinit-path', type : 'string', value : '/etc/init.d',
+ description : 'the directory where the SysV init scripts are located')
+option('sysvrcnd-path', type : 'string', value : '/etc/rc.d',
+ description : 'the base directory for SysV rcN.d directories')
+option('telinit-path', type : 'string', value : '/lib/sysvinit/telinit',
+ description : 'path to telinit')
+option('rc-local', type : 'string',
+ value : '/etc/rc.local')
+option('initrd', type : 'boolean',
+ description : 'install services for use when running systemd in initrd')
+option('compat-mutable-uid-boundaries', type : 'boolean', value : 'false',
+ description : 'look at uid boundaries in /etc/login.defs for compatibility')
+option('nscd', type : 'boolean',
+ description : 'build support for flushing of the nscd caches')
+
+option('quotaon-path', type : 'string', description : 'path to quotaon')
+option('quotacheck-path', type : 'string', description : 'path to quotacheck')
+option('kmod-path', type : 'string', description : 'path to kmod')
+option('kexec-path', type : 'string', description : 'path to kexec')
+option('sulogin-path', type : 'string', description : 'path to sulogin')
+option('mount-path', type : 'string', description : 'path to mount')
+option('umount-path', type : 'string', description : 'path to umount')
+option('loadkeys-path', type : 'string', description : 'path to loadkeys')
+option('setfont-path', type : 'string', description : 'path to setfont')
+option('nologin-path', type : 'string', description : 'path to nologin')
+
+option('debug-shell', type : 'string', value : '/bin/sh',
+ description : 'path to debug shell binary')
+option('debug-tty', type : 'string', value : '/dev/tty9',
+ description : 'specify the tty device for debug shell')
+option('debug-extra', type : 'array', choices : ['hashmap', 'mmap-cache', 'siphash'], value : [],
+ description : 'enable extra debugging')
+option('memory-accounting-default', type : 'boolean',
+ description : 'enable MemoryAccounting= by default')
+option('bump-proc-sys-fs-file-max', type : 'boolean',
+ description : 'bump /proc/sys/fs/file-max to LONG_MAX')
+option('bump-proc-sys-fs-nr-open', type : 'boolean',
+ description : 'bump /proc/sys/fs/nr_open to INT_MAX')
+option('valgrind', type : 'boolean', value : false,
+ description : 'do extra operations to avoid valgrind warnings')
+option('log-trace', type : 'boolean', value : false,
+ description : 'enable low level debug logging')
+option('user-path', type : 'string',
+ description : '$PATH to use for user sessions')
+
+option('utmp', type : 'boolean',
+ description : 'support for utmp/wtmp log handling')
+option('hibernate', type : 'boolean',
+ description : 'support for hibernation')
+option('ldconfig', type : 'boolean',
+ description : 'support for dynamic linker cache creation')
+option('resolve', type : 'boolean',
+ description : 'systemd-resolved stack')
+option('efi', type : 'boolean',
+ description : 'enable systemd-boot and bootctl')
+option('tpm', type : 'boolean',
+ description : 'TPM should be used to log events and extend the registers')
+option('environment-d', type : 'boolean',
+ description : 'support for environment.d')
+option('binfmt', type : 'boolean',
+ description : 'support for custom binary formats')
+option('repart', type : 'combo', choices : ['auto', 'true', 'false'],
+ description : 'install the systemd-repart tool')
+option('coredump', type : 'boolean',
+ description : 'install the coredump handler')
+option('pstore', type : 'boolean',
+ description : 'install the pstore archival tool')
+option('oomd', type : 'boolean',
+ description : 'install the userspace oom killer')
+option('logind', type : 'boolean',
+ description : 'install the systemd-logind stack')
+option('hostnamed', type : 'boolean',
+ description : 'install the systemd-hostnamed stack')
+option('localed', type : 'boolean',
+ description : 'install the systemd-localed stack')
+option('machined', type : 'boolean',
+ description : 'install the systemd-machined stack')
+option('portabled', type : 'boolean',
+ description : 'install the systemd-portabled stack')
+option('sysext', type : 'boolean',
+ description : 'install the systemd-sysext stack')
+option('userdb', type : 'boolean',
+ description : 'install the systemd-userdbd stack')
+option('homed', type : 'combo', choices : ['auto', 'true', 'false'],
+ description : 'install the systemd-homed stack')
+option('networkd', type : 'boolean',
+ description : 'install the systemd-networkd stack')
+option('timedated', type : 'boolean',
+ description : 'install the systemd-timedated daemon')
+option('timesyncd', type : 'boolean',
+ description : 'install the systemd-timesyncd daemon')
+option('remote', type : 'combo', choices : ['auto', 'true', 'false'],
+ description : 'support for "journal over the network"')
+option('create-log-dirs', type : 'boolean',
+ description : 'create /var/log/journal{,/remote}')
+option('nss-myhostname', type : 'boolean',
+ description : 'install nss-myhostname module')
+option('nss-mymachines', type : 'combo', choices : ['auto', 'true', 'false'],
+ description : 'install nss-mymachines module')
+option('nss-resolve', type : 'combo', choices : ['auto', 'true', 'false'],
+ description : 'install nss-resolve module')
+option('nss-systemd', type : 'boolean',
+ description : 'install nss-systemd module')
+option('firstboot', type : 'boolean',
+ description : 'support for firstboot mechanism')
+option('randomseed', type : 'boolean',
+ description : 'support for restoring random seed')
+option('backlight', type : 'boolean',
+ description : 'support for restoring backlight state')
+option('vconsole', type : 'boolean',
+ description : 'support for vconsole configuration')
+option('quotacheck', type : 'boolean',
+ description : 'support for the quotacheck tools')
+option('sysusers', type : 'boolean',
+ description : 'support for the sysusers configuration')
+option('tmpfiles', type : 'boolean',
+ description : 'support for tmpfiles.d')
+option('importd', type : 'combo', choices : ['auto', 'true', 'false'],
+ description : 'install the systemd-importd daemon')
+option('hwdb', type : 'boolean',
+ description : 'support for the hardware database')
+option('rfkill', type : 'boolean',
+ description : 'support for the rfkill tools')
+option('xdg-autostart', type : 'boolean',
+ description : 'install the xdg-autostart-generator and unit')
+option('man', type : 'combo', choices : ['auto', 'true', 'false'],
+ value : 'false',
+ description : 'build and install man pages')
+option('html', type : 'combo', choices : ['auto', 'true', 'false'],
+ value : 'false',
+ description : 'build and install html pages')
+option('translations', type : 'boolean', value : true,
+ description : 'build and install translations')
+
+option('certificate-root', type : 'string', value : '/etc/ssl',
+ description : 'the prefix for TLS certificates')
+option('dbuspolicydir', type : 'string',
+ description : 'D-Bus policy directory')
+option('dbussessionservicedir', type : 'string',
+ description : 'D-Bus session service directory')
+option('dbussystemservicedir', type : 'string',
+ description : 'D-Bus system service directory')
+option('pkgconfigdatadir', type : 'string', value : '',
+ description : 'directory for arch-independent pkg-config files')
+option('pkgconfiglibdir', type : 'string', value : '',
+ description : 'directory for standard pkg-config files')
+option('xinitrcdir', type : 'string', value : '',
+ description : 'directory for xinitrc files')
+option('rpmmacrosdir', type : 'string', value : 'lib/rpm/macros.d',
+ description : 'directory for rpm macros ["no" disables]')
+option('pamlibdir', type : 'string',
+ description : 'directory for PAM modules')
+option('pamconfdir', type : 'string',
+ description : 'directory for PAM configuration ["no" disables]')
+option('docdir', type : 'string',
+ description : 'documentation directory')
+option('install-sysconfdir', type : 'combo', choices : ['true', 'no-samples', 'false'], value : 'true',
+ description : 'install configuration files and directories to $sysconfdir')
+
+option('fallback-hostname', type : 'string', value : 'localhost',
+ description : 'the hostname used if none configured')
+option('default-hierarchy', type : 'combo',
+ choices : ['legacy', 'hybrid', 'unified'], value : 'unified',
+ description : 'default cgroup hierarchy')
+option('default-net-naming-scheme', type : 'combo',
+ choices : ['latest', 'v238', 'v239', 'v240'],
+ description : 'default net.naming-scheme= value')
+option('status-unit-format-default', type : 'combo',
+ choices : ['description', 'name', 'combined'],
+ description : 'use unit name or description in messages by default')
+option('time-epoch', type : 'integer', value : '-1',
+ description : 'time epoch for time clients')
+
+option('system-alloc-uid-min', type : 'integer', value : '-1',
+ description : 'minimum system UID used when allocating')
+option('system-alloc-gid-min', type : 'integer', value : '-1',
+ description : 'minimum system GID used when allocating')
+option('system-uid-max', type : 'integer', value : '-1',
+ description : 'maximum system UID')
+option('system-gid-max', type : 'integer', value : '-1',
+ description : 'maximum system GID')
+option('dynamic-uid-min', type : 'integer', value : 0x0000EF00,
+ description : 'minimum dynamic UID')
+option('dynamic-uid-max', type : 'integer', value : 0x0000FFEF,
+ description : 'maximum dynamic UID')
+option('container-uid-base-min', type : 'integer', value : 0x00080000,
+ description : 'minimum container UID base')
+option('container-uid-base-max', type : 'integer', value : 0x6FFF0000,
+ description : 'maximum container UID base')
+option('adm-group', type : 'boolean',
+ description : 'the ACL for adm group should be added')
+option('wheel-group', type : 'boolean',
+ description : 'the ACL for wheel group should be added')
+option('nobody-user', type : 'string',
+ description : 'The name of the nobody user (the one with UID 65534)',
+ value : 'nobody')
+option('nobody-group', type : 'string',
+ description : 'The name of the nobody group (the one with GID 65534)',
+ value : 'nobody')
+option('adm-gid', type : 'integer', value : '-1',
+ description : 'soft-static allocation for the "adm" group')
+option('audio-gid', type : 'integer', value : '-1',
+ description : 'soft-static allocation for the "audio" group')
+option('cdrom-gid', type : 'integer', value : '-1',
+ description : 'soft-static allocation for the "cdrom" group')
+option('dialout-gid', type : 'integer', value : '-1',
+ description : 'soft-static allocation for the "dialout" group')
+option('disk-gid', type : 'integer', value : '-1',
+ description : 'soft-static allocation for the "disk" group')
+option('input-gid', type : 'integer', value : '-1',
+ description : 'soft-static allocation for the "input" group')
+option('kmem-gid', type : 'integer', value : '-1',
+ description : 'soft-static allocation for the "kmem" group')
+option('kvm-gid', type : 'integer', value : '-1',
+ description : 'soft-static allocation for the "kvm" group')
+option('lp-gid', type : 'integer', value : '-1',
+ description : 'soft-static allocation for the "lp" group')
+option('render-gid', type : 'integer', value : '-1',
+ description : 'soft-static allocation for the "render" group')
+option('sgx-gid', type : 'integer', value : '-1',
+ description : 'soft-static allocation for the "sgx" group')
+option('tape-gid', type : 'integer', value : '-1',
+ description : 'soft-static allocation for the "tape" group')
+option('tty-gid', type : 'integer', value : 5,
+ description : 'the numeric GID of the "tty" group')
+option('users-gid', type : 'integer', value : '-1',
+ description : 'soft-static allocation for the "users" group')
+option('utmp-gid', type : 'integer', value : '-1',
+ description : 'soft-static allocation for the "utmp" group')
+option('video-gid', type : 'integer', value : '-1',
+ description : 'soft-static allocation for the "video" group')
+option('wheel-gid', type : 'integer', value : '-1',
+ description : 'soft-static allocation for the "wheel" group')
+option('systemd-journal-gid', type : 'integer', value : '-1',
+ description : 'soft-static allocation for the systemd-journal group')
+option('systemd-network-uid', type : 'integer', value : '-1',
+ description : 'soft-static allocation for the systemd-network user')
+option('systemd-resolve-uid', type : 'integer', value : '-1',
+ description : 'soft-static allocation for the systemd-resolve user')
+option('systemd-timesync-uid', type : 'integer', value : '-1',
+ description : 'soft-static allocation for the systemd-timesync user')
+
+option('dev-kvm-mode', type : 'string', value : '0666',
+ description : '/dev/kvm access mode')
+option('group-render-mode', type : 'string', value : '0666',
+ description : 'Access mode for devices owned by render group (e.g. /dev/dri/renderD*, /dev/kfd).')
+option('default-kill-user-processes', type : 'boolean',
+ description : 'the default value for KillUserProcesses= setting')
+option('gshadow', type : 'boolean',
+ description : 'support for shadow group')
+option('default-locale', type : 'string', value : '',
+ description : 'default locale used when /etc/locale.conf does not exist')
+option('localegen-path', type : 'string', value : '',
+ description : 'absolute path to the locale-gen binary in case the system is using locale-gen')
+option('service-watchdog', type : 'string', value : '3min',
+ description : 'default watchdog setting for systemd services')
+
+option('default-dnssec', type : 'combo',
+ description : 'default DNSSEC mode',
+ choices : ['yes', 'allow-downgrade', 'no'],
+ value : 'allow-downgrade')
+option('default-dns-over-tls', type : 'combo',
+ description : 'default DNS-over-TLS mode',
+ choices : ['yes', 'opportunistic', 'no'],
+ value : 'no')
+option('default-mdns', type : 'combo',
+ choices : ['yes', 'resolve', 'no'],
+ description : 'default MulticastDNS mode',
+ value : 'yes')
+option('default-llmnr', type : 'combo',
+ choices : ['yes', 'resolve', 'no'],
+ description : 'default LLMNR mode',
+ value : 'yes')
+option('dns-over-tls', type : 'combo', choices : ['auto', 'gnutls', 'openssl', 'true', 'false'],
+ description : 'DNS-over-TLS support')
+option('dns-servers', type : 'string',
+ description : 'space-separated list of default DNS servers',
+ value : '127.0.0.1')
+option('ntp-servers', type : 'string',
+ description : 'space-separated list of default NTP servers',
+ value : '0.pool.ntp.org 1.pool.ntp.org 2.pool.ntp.org 3.pool.ntp.org')
+option('support-url', type : 'string',
+ description : 'the support URL to show in catalog entries included in systemd',
+ value : 'https://lists.freedesktop.org/mailman/listinfo/systemd-devel')
+option('www-target', type : 'string',
+ description : 'the address and dir to upload docs too',
+ value : 'www.freedesktop.org:/srv/www.freedesktop.org/www/software/systemd')
+
+option('seccomp', type : 'combo', choices : ['auto', 'true', 'false'],
+ description : 'SECCOMP support')
+option('selinux', type : 'combo', choices : ['auto', 'true', 'false'],
+ description : 'SELinux support')
+option('apparmor', type : 'combo', choices : ['auto', 'true', 'false'],
+ description : 'AppArmor support')
+option('smack', type : 'boolean',
+ description : 'SMACK support')
+option('smack-run-label', type : 'string',
+ description : 'run systemd --system itself with a specific SMACK label')
+option('polkit', type : 'combo', choices : ['auto', 'true', 'false'],
+ description : 'polkit support')
+option('ima', type : 'boolean',
+ description : 'IMA support')
+
+option('acl', type : 'combo', choices : ['auto', 'true', 'false'],
+ description : 'libacl support')
+option('audit', type : 'combo', choices : ['auto', 'true', 'false'],
+ description : 'libaudit support')
+option('blkid', type : 'combo', choices : ['auto', 'true', 'false'],
+ description : 'libblkid support')
+option('fdisk', type : 'combo', choices : ['auto', 'true', 'false'],
+ description : 'libfdisk support')
+option('kmod', type : 'combo', choices : ['auto', 'true', 'false'],
+ description : 'support for loadable modules')
+option('pam', type : 'combo', choices : ['auto', 'true', 'false'],
+ description : 'PAM support')
+option('pwquality', type : 'combo', choices : ['auto', 'true', 'false'],
+ description : 'libpwquality support')
+option('microhttpd', type : 'combo', choices : ['auto', 'true', 'false'],
+ description : 'libµhttpd support')
+option('libcryptsetup', type : 'combo', choices : ['auto', 'true', 'false'],
+ description : 'libcryptsetup support')
+option('libcurl', type : 'combo', choices : ['auto', 'true', 'false'],
+ description : 'libcurl support')
+option('idn', type : 'boolean',
+ description : 'use IDN when printing hostnames')
+option('libidn2', type : 'combo', choices : ['auto', 'true', 'false'],
+ description : 'libidn2 support')
+option('libidn', type : 'combo', choices : ['auto', 'true', 'false'],
+ description : 'libidn support')
+option('libiptc', type : 'combo', choices : ['auto', 'true', 'false'],
+ description : 'libiptc support')
+option('qrencode', type : 'combo', choices : ['auto', 'true', 'false'],
+ description : 'libqrencode support')
+option('gcrypt', type : 'combo', choices : ['auto', 'true', 'false'],
+ description : 'gcrypt support')
+option('gnutls', type : 'combo', choices : ['auto', 'true', 'false'],
+ description : 'gnutls support')
+option('openssl', type : 'combo', choices : ['auto', 'true', 'false'],
+ description : 'openssl support')
+option('p11kit', type : 'combo', choices : ['auto', 'true', 'false'],
+ description : 'p11kit support')
+option('libfido2', type : 'combo', choices : ['auto', 'true', 'false'],
+ description : 'FIDO2 support')
+option('tpm2', type : 'combo', choices : ['auto', 'true', 'false'],
+ description : 'TPM2 support')
+option('elfutils', type : 'combo', choices : ['auto', 'true', 'false'],
+ description : 'elfutils support')
+option('zlib', type : 'combo', choices : ['auto', 'true', 'false'],
+ description : 'zlib compression support')
+option('bzip2', type : 'combo', choices : ['auto', 'true', 'false'],
+ description : 'bzip2 compression support')
+option('xz', type : 'combo', choices : ['auto', 'true', 'false'],
+ description : 'xz compression support')
+option('lz4', type : 'combo', choices : ['auto', 'true', 'false'],
+ description : 'lz4 compression support')
+option('zstd', type : 'combo', choices : ['auto', 'true', 'false'],
+ description : 'zstd compression support')
+option('xkbcommon', type : 'combo', choices : ['auto', 'true', 'false'],
+ description : 'xkbcommon keymap support')
+option('pcre2', type : 'combo', choices : ['auto', 'true', 'false'],
+ description : 'regexp matching support using pcre2')
+option('glib', type : 'combo', choices : ['auto', 'true', 'false'],
+ description : 'libglib support (for tests only)')
+option('dbus', type : 'combo', choices : ['auto', 'true', 'false'],
+ description : 'libdbus support (for tests only)')
+
+option('gnu-efi', type : 'combo', choices : ['auto', 'true', 'false'],
+ description : 'gnu-efi support for sd-boot')
+option('efi-cc', type : 'array',
+ description : 'the compiler to use for EFI modules')
+option('efi-ld', type : 'string', value : 'ld',
+ description : 'the linker to use for EFI modules')
+option('efi-libdir', type : 'string',
+ description : 'path to the EFI lib directory')
+option('efi-includedir', type : 'string', value : '/usr/include/efi',
+ description : 'path to the EFI header directory')
+option('tpm-pcrindex', type : 'integer', value : 8,
+ description : 'TPM PCR register number to use')
+option('sbat-distro', type : 'string',
+ description : 'SBAT distribution ID, e.g. fedora, or auto for autodetection')
+option('sbat-distro-generation', type : 'integer', value : 1,
+ description : 'SBAT distribution generation')
+option('sbat-distro-summary', type : 'string',
+ description : 'SBAT distribution summary, e.g. Fedora')
+option('sbat-distro-pkgname', type : 'string',
+ description : 'SBAT distribution package name, e.g. systemd')
+option('sbat-distro-version', type : 'string',
+ description : 'SBAT distribution package version, e.g. 248-7.fc34')
+option('sbat-distro-url', type : 'string',
+ description : 'SBAT distribution URL, e.g. https://src.fedoraproject.org/rpms/systemd')
+
+option('bashcompletiondir', type : 'string',
+ description : 'directory for bash completion scripts ["no" disables]')
+option('zshcompletiondir', type : 'string',
+ description : 'directory for zsh completion scripts ["no" disables]')
+
+option('tests', type : 'combo', choices : ['true', 'unsafe', 'false'],
+ description : 'enable extra tests with =unsafe')
+option('slow-tests', type : 'boolean', value : 'false',
+ description : 'run the slow tests by default')
+option('fuzz-tests', type : 'boolean', value : 'false',
+ description : 'run the fuzzer regression tests by default (with sanitizers)')
+option('install-tests', type : 'boolean', value : 'false',
+ description : 'install test executables')
+
+option('ok-color', type : 'combo',
+ choices : ['black', 'red', 'green', 'yellow', 'blue', 'magenta', 'cyan',
+ 'white', 'highlight-black', 'highlight-red', 'highlight-green',
+ 'highlight-yellow', 'highlight-blue', 'highlight-magenta',
+ 'highlight-cyan', 'highlight-white'],
+ value : 'green',
+ description: 'color of the "OK" status message')
+option('urlify', type : 'boolean', value : 'true',
+ description : 'enable pager Hyperlink ANSI sequence support')
+option('fexecve', type : 'boolean', value : 'false',
+ description : 'use fexecve() to spawn children')
+
+option('oss-fuzz', type : 'boolean', value : 'false',
+ description : 'build against oss-fuzz')
+option('llvm-fuzz', type : 'boolean', value : 'false',
+ description : 'build against LLVM libFuzzer')
+option('kernel-install', type: 'boolean', value: 'true',
+ description : 'install kernel-install and associated files')
+option('analyze', type: 'boolean', value: 'true',
+ description : 'install systemd-analyze')
+
+option('bpf-framework', type : 'combo', choices : ['auto', 'true', 'false'],
+ description: 'build BPF programs from source code in restricted C')
--
2.27.0
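Review bot: The hardening implied by `dns-servers = '127.0.0.1'` on L423-L425 is undercut by `default-llmnr` and `default-mdns` staying at `'yes'` on L413-L420: an embedded device would still originate and answer link-local name resolution, and LLMNR in particular is a well-known spoofing and credential-relay vector on untrusted LANs, so `value : 'no'` (or at least `'resolve'`) for both is the consistent choice for this profile. The 127.0.0.1 fallback also deserves a comment, because it only helps if a local resolver actually listens on port 53; otherwise fallback resolution fails silently rather than leaking queries, which may be intended but is not obvious from the option alone, e.g. `# embedded: no external fallback resolvers; 127.0.0.1 expects a local resolver or deliberately fails closed`. `ntp-servers` on L426-L428 still points at the public pool, which is fine but contradicts the "avoid security risk" wording in the subject unless that trade-off is written down.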


@ -0,0 +1,122 @@
From e64cff49bced685b5abeb03e89940314d72e49ae Mon Sep 17 00:00:00 2001
From: Xin Shi <shixin21@huawei.com>
Date: Wed, 23 Aug 2023 18:06:49 +0800
Subject: [PATCH 1/5] embedded: sysuesrs_dir, sysctl_dir, binfmt_dir,
modules_load_dir reference directories in /usr/lib
Signed-off-by: Xin Shi <shixin21@huawei.com>
---
embedded/systemd.pc.in | 101 +++++++++++++++++++++++++++++++++++++++++
1 file changed, 101 insertions(+)
create mode 100644 embedded/systemd.pc.in
diff --git a/embedded/systemd.pc.in b/embedded/systemd.pc.in
new file mode 100644
index 0000000..65996bb
--- /dev/null
+++ b/embedded/systemd.pc.in
@@ -0,0 +1,101 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+#
+# This file is part of systemd.
+#
+# systemd is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or
+# (at your option) any later version.
+
+# Names with prefixes are preferred, and the run-together names should be
+# considered deprecated (though there is no plan to remove them). New names
+# shall have underscores.
+
+prefix=/usr
+root_prefix={{ROOTPREFIX_NOSLASH}}
+rootprefix=${root_prefix}
+sysconf_dir={{SYSCONF_DIR}}
+sysconfdir=${sysconf_dir}
+
+systemd_util_dir=${root_prefix}/lib/systemd
+systemdutildir=${systemd_util_dir}
+
+systemd_system_unit_dir=${rootprefix}/lib/systemd/system
+systemdsystemunitdir=${systemd_system_unit_dir}
+
+systemd_system_preset_dir=${rootprefix}/lib/systemd/system-preset
+systemdsystempresetdir=${systemd_system_preset_dir}
+
+systemd_user_unit_dir=${prefix}/lib/systemd/user
+systemduserunitdir=${systemd_user_unit_dir}
+
+systemd_user_preset_dir=${prefix}/lib/systemd/user-preset
+systemduserpresetdir=${systemd_user_preset_dir}
+
+systemd_system_conf_dir=${sysconfdir}/systemd/system
+systemdsystemconfdir=${systemd_system_conf_dir}
+
+systemd_user_conf_dir=${sysconfdir}/systemd/user
+systemduserconfdir=${systemd_user_conf_dir}
+
+systemd_system_unit_path=${systemd_system_conf_dir}:/etc/systemd/system:/run/systemd/system:/usr/local/lib/systemd/system:${systemd_system_unit_dir}:/usr/lib/systemd/system:/lib/systemd/system
+systemdsystemunitpath=${systemd_system_unit_path}
+
+systemd_user_unit_path=${systemd_user_conf_dir}:/etc/systemd/user:/run/systemd/user:/usr/local/lib/systemd/user:/usr/local/share/systemd/user:${systemd_user_unit_dir}:/usr/lib/systemd/user:/usr/share/systemd/user
+systemduserunitpath=${systemd_user_unit_path}
+
+systemd_system_generator_dir=${root_prefix}/lib/systemd/system-generators
+systemdsystemgeneratordir=${systemd_system_generator_dir}
+
+systemd_user_generator_dir=${prefix}/lib/systemd/user-generators
+systemdusergeneratordir=${systemd_user_generator_dir}
+
+systemd_system_generator_path=/run/systemd/system-generators:/etc/systemd/system-generators:/usr/local/lib/systemd/system-generators:${systemd_system_generator_dir}
+systemdsystemgeneratorpath=${systemd_system_generator_path}
+
+systemd_user_generator_path=/run/systemd/user-generators:/etc/systemd/user-generators:/usr/local/lib/systemd/user-generators:${systemd_user_generator_dir}
+systemdusergeneratorpath=${systemd_user_generator_path}
+
+systemd_sleep_dir=${root_prefix}/lib/systemd/system-sleep
+systemdsleepdir=${systemd_sleep_dir}
+
+systemd_shutdown_dir=${root_prefix}/lib/systemd/system-shutdown
+systemdshutdowndir=${systemd_shutdown_dir}
+
+tmpfiles_dir=${prefix}/lib/tmpfiles.d
+tmpfilesdir=${tmpfiles_dir}
+
+sysusers_dir=${prefix}/lib/sysusers.d
+sysusersdir=${sysusers_dir}
+
+sysctl_dir=${prefix}/lib/sysctl.d
+sysctldir=${sysctl_dir}
+
+binfmt_dir=${prefix}/lib/binfmt.d
+binfmtdir=${binfmt_dir}
+
+modules_load_dir=${prefix}/lib/modules-load.d
+modulesloaddir=${modules_load_dir}
+
+catalog_dir=${prefix}/lib/systemd/catalog
+catalogdir=${catalog_dir}
+
+system_uid_max={{SYSTEM_UID_MAX}}
+systemuidmax=${system_uid_max}
+system_gid_max={{SYSTEM_GID_MAX}}
+systemgidmax=${system_gid_max}
+
+dynamic_uid_min={{DYNAMIC_UID_MIN}}
+dynamicuidmin=${dynamic_uid_min}
+dynamic_uid_max={{DYNAMIC_UID_MAX}}
+dynamicuidmax=${dynamic_uid_max}
+
+container_uid_base_min={{CONTAINER_UID_BASE_MIN}}
+containeruidbasemin=${container_uid_base_min}
+container_uid_base_max={{CONTAINER_UID_BASE_MAX}}
+containeruidbasemax=${container_uid_base_max}
+
+Name: systemd
+Description: systemd System and Service Manager
+URL: {{PROJECT_URL}}
+Version: {{PROJECT_VERSION}}
--
2.27.0
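Review bot: Pointing `sysusers_dir`, `sysctl_dir`, `binfmt_dir` and `modules_load_dir` at `${prefix}/lib` (L665-L675) while `systemd_util_dir`, the generator and shutdown directories keep `${root_prefix}` (L617, L644, L656, L659) leaves two different notions of the system library root in one file. If a build is configured with a rootprefix other than /usr, packages consulting this .pc file will presumably install sysusers.d, sysctl.d and modules-load.d fragments under /usr/lib while the tools built with that rootprefix look elsewhere, and a silently ignored fragment means a service account not created or a kernel-hardening sysctl never applied. The intent stated in the subject should be recorded in the file, e.g. `# embedded: fragment directories are always under /usr/lib, independent of rootprefix` above L662, and the tools' compiled-in search paths should be confirmed to agree.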


@ -0,0 +1,170 @@
From 0b43b9daeb0b194cd064830728b36a8cccbbea9b Mon Sep 17 00:00:00 2001
From: Xin Shi <shixin21@huawei.com>
Date: Thu, 24 Aug 2023 10:02:32 +0800
Subject: [PATCH 5/5] embedded: use yocto configs
Signed-off-by: Xin Shi <shixin21@huawei.com>
---
embedded/00-create-volatile.conf | 12 ++++
embedded/init | 104 +++++++++++++++++++++++++++++++
embedded/touchscreen.rules | 18 ++++++
3 files changed, 134 insertions(+)
create mode 100644 embedded/00-create-volatile.conf
create mode 100644 embedded/init
create mode 100644 embedded/touchscreen.rules
diff --git a/embedded/00-create-volatile.conf b/embedded/00-create-volatile.conf
new file mode 100644
index 0000000..55333b6
--- /dev/null
+++ b/embedded/00-create-volatile.conf
@@ -0,0 +1,12 @@
+#This goes hand-in-hand with the base-files of OE-Core. The file must
+# be sorted before 'systemd.conf' because this attempts to create a file
+# inside /var/log.
+
+
+d /var/volatile/log - - - -
+d /var/volatile/tmp 1777 - -
+d /var/log 0750 root root -
+f /var/log/wtmp 0640 root root -
+f /var/log/btmp 0600 root root -
+f /var/log/lastlog 0600 root root -
+f /var/log/faillog 0600 root root -
diff --git a/embedded/init b/embedded/init
new file mode 100644
index 0000000..4931b77
--- /dev/null
+++ b/embedded/init
@@ -0,0 +1,104 @@
+#!/bin/sh
+
+### BEGIN INIT INFO
+# Provides: udev
+# Required-Start: mountvirtfs
+# Required-Stop:
+# Default-Start: S
+# Default-Stop:
+# Short-Description: Start udevd, populate /dev and load drivers.
+### END INIT INFO
+
+. /etc/init.d/functions
+
+export TZ=/etc/localtime
+
+[ -d /sys/class ] || exit 1
+[ -r /proc/mounts ] || exit 1
+[ -x @UDEVD@ ] || exit 1
+[ -f /etc/default/udev-cache ] && . /etc/default/udev-cache
+[ -f /etc/udev/udev.conf ] && . /etc/udev/udev.conf
+
+readfile () {
+ filename=$1
+ READDATA=""
+ if [ -r $filename ]; then
+ while read line; do
+ READDATA="$READDATA$line"
+ done < $filename
+ fi
+}
+
+case "$1" in
+ start)
+ export ACTION=add
+ # propagate /dev from /sys
+ echo "Starting udev"
+
+ # mount the devtmpfs on /dev, if not already done
+ LANG=C awk '$2 == "/dev" && ($3 == "devtmpfs") { exit 1 }' /proc/mounts && {
+ mount -n -o mode=0755 -t devtmpfs none "/dev"
+ }
+ [ -e /dev/pts ] || mkdir -m 0755 /dev/pts
+ [ -e /dev/shm ] || mkdir -m 1777 /dev/shm
+ mount -a -t tmpfs 2>/dev/null
+
+ # cache handling
+ if [ "$DEVCACHE" != "" ]; then
+ readfile /proc/version
+ VERSION="$READDATA"
+ readfile /proc/cmdline
+ CMDLINE="$READDATA"
+ readfile /proc/devices
+ DEVICES="$READDATA"
+ readfile /proc/atags
+ ATAGS="$READDATA"
+
+ if [ -e $DEVCACHE ]; then
+ readfile /etc/udev/cache.data
+ if [ "$READDATA" = "$VERSION$CMDLINE$DEVICES$ATAGS" ]; then
+ (cd /; tar xf $DEVCACHE > /dev/null 2>&1)
+ not_first_boot=1
+ [ "$VERBOSE" != "no" ] && echo "udev: using cache file $DEVCACHE"
+ [ -e /dev/shm/udev.cache ] && rm -f /dev/shm/udev.cache
+ else
+ echo "$VERSION$CMDLINE$DEVICES$ATAGS" > /dev/shm/udev.cache
+ fi
+ else
+ echo "$VERSION$CMDLINE$DEVICES$ATAGS" > /dev/shm/udev.cache
+ fi
+ fi
+
+ # make_extra_nodes
+ killproc systemd-udevd > "/dev/null" 2>&1
+
+ # trigger the sorted events
+ echo -e '\000\000\000\000' > /proc/sys/kernel/hotplug
+ @UDEVD@ -d
+
+ udevadm control --env=STARTUP=1
+ if [ "$not_first_boot" != "" ]; then
+ udevadm trigger --action=add --subsystem-nomatch=tty --subsystem-nomatch=mem --subsystem-nomatch=vc --subsystem-nomatch=vtconsole --subsystem-nomatch=misc --subsystem-nomatch=dcon --subsystem-nomatch=pci_bus --subsystem-nomatch=graphics --subsystem-nomatch=backlight --subsystem-nomatch=video4linux --subsystem-nomatch=platform
+ (udevadm settle --timeout=3; udevadm control --env=STARTUP=)&
+ else
+ udevadm trigger --action=add
+ udevadm settle
+ fi
+ ;;
+ stop)
+ echo "Stopping udevd"
+ start-stop-daemon --stop --name systemd-udevd --quiet
+ ;;
+ restart)
+ $0 stop
+ sleep 1
+ $0 start
+ ;;
+ status)
+ status systemd-udevd
+ ;;
+ *)
+ echo "Usage: $0 {start|stop|status|restart}"
+ exit 1
+esac
+exit 0
diff --git a/embedded/touchscreen.rules b/embedded/touchscreen.rules
new file mode 100644
index 0000000..d83fd16
--- /dev/null
+++ b/embedded/touchscreen.rules
@@ -0,0 +1,18 @@
+# There are a number of modifiers that are allowed to be used in some
+# of the different fields. They provide the following subsitutions:
+#
+# %n the "kernel number" of the device.
+# For example, 'sda3' has a "kernel number" of '3'
+# %e the smallest number for that name which does not matches an existing node
+# %k the kernel name for the device
+# %M the kernel major number for the device
+# %m the kernel minor number for the device
+# %b the bus id for the device
+# %c the string returned by the PROGRAM
+# %s(unknown) the content of a sysfs attribute
+# %% the '%' char itself
+#
+
+# Create a symlink to any touchscreen input device
+SUBSYSTEM=="input", KERNEL=="event[0-9]*", ATTRS{modalias}=="input:*-e0*,3,*a0,1,*18,*", SYMLINK+="input/touchscreen0"
+SUBSYSTEM=="input", KERNEL=="event[0-9]*", ATTRS{modalias}=="ads7846", SYMLINK+="input/touchscreen0"
--
2.27.0
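Review bot: In embedded/init the line `echo -e '\000\000\000\000' > /proc/sys/kernel/hotplug` only clears the hotplug helper when the `/bin/sh` builtin `echo` understands `-e`; with dash the text `-e ` is written literally, leaving `-e ` as the helper path instead of an empty one, and the `#!/bin/sh` header does not guarantee a bash-compatible echo on the target. The portable form is `printf '\000\000\000\000' > /proc/sys/kernel/hotplug`. In the cache branch `(cd /; tar xf $DEVCACHE ...)` unpacks an archive over the root filesystem as root, so whatever `/etc/default/udev-cache` names in `DEVCACHE` is a trusted input; a comment at `# cache handling` should state that, e.g. `# DEVCACHE is extracted over / as root: it must be writable by root only`, and `$DEVCACHE` and `$filename` should be double-quoted. `readfile` should also use `read -r line` so a backslash in /proc/cmdline cannot alter the string compared against /etc/udev/cache.data. The script additionally carries the placeholder `@UDEVD@`, which must be substituted at package build time; nothing in the visible spec hunk does that, so confirm where it is replaced.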


@ -589,6 +589,11 @@ Patch9055: bugfix-for-cgroup-Swap-cgroup-v1-deletion-and-migration.patch
Patch9056: delete-journal-files-except-system.journal-when-jour.patch
Patch9057: set-the-cpuset.cpus-mems-of-machine.slice-to-all-by-.patch
Patch9058: add-a-new-switch-to-control-whether-udev-complies-wi.patch
Patch9059: embedded-sysuesrs_dir-sysctl_dir-binfmt_dir-modules_.patch
Patch9060: embedded-modify-dns-server-address-to-avoid-security.patch
Patch9061: add-support-to-relabel-systemd-process-for-embedded.patch
Patch9062: embedded-add-noexec-mount-option-to-strenthen-tmp-pa.patch
Patch9063: embedded-use-yocto-configs.patch
BuildRequires: gcc, gcc-c++
BuildRequires: libcap-devel, libmount-devel, pam-devel, libselinux-devel
@ -2006,6 +2011,13 @@ fi
%{_libdir}/security/pam_systemd.so
%changelog
* Thu Aug 24 2023 shixin <shixin21@huawei.com> - 249-55
- sysuesrs_dir, sysctl_dir, binfmt_dir, modules_load_dir reference directories in /usr/lib for embedded
- modify dns server address to avoid security risk for embedded
- add support to relabel systemd process for embedded
- add noexec mount option to strenthen tmp partition for embedded
- use yocto configs for embedded
* Thu Aug 17 2023 wangyuhang <wangyuhang27@huawei.com> - 249-54
- add a new switch to control whether udev complies with the new SAT standards
and add sense_data.py to check if the device meets the new SAT standards