diff --git a/add-support-to-relabel-systemd-process-for-embedded.patch b/add-support-to-relabel-systemd-process-for-embedded.patch
new file mode 100644
index 0000000..ffdc2d2
--- /dev/null
+++ b/add-support-to-relabel-systemd-process-for-embedded.patch
@@ -0,0 +1,36 @@
+From eae8bc192e19dbdce118bf7b936befb3953a21ea Mon Sep 17 00:00:00 2001
+From: Xin Shi
+Date: Thu, 24 Aug 2023 09:34:46 +0800
+Subject: [PATCH 3/5] add support to relabel systemd process for embedded
+
+Signed-off-by: Xin Shi
+---
+ src/core/selinux-setup.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/core/selinux-setup.c b/src/core/selinux-setup.c
+index 2bafbee..74e2a2f 100644
+--- a/src/core/selinux-setup.c
++++ b/src/core/selinux-setup.c
+@@ -6,6 +6,7 @@
+ 
+ #if HAVE_SELINUX
+ #include 
++#include 
+ #endif
+ 
+ #include "log.h"
+@@ -68,6 +69,10 @@ int mac_selinux_setup(bool *loaded_policy) {
+ 
+ mac_selinux_retest();
+ 
++ int ret = selinux_restorecon(SYSTEMD_BINARY_PATH, 0);
++ if (ret != 0)
++ log_warning("Failed to relabel %s, errno=%d.", SYSTEMD_BINARY_PATH, errno);
++
+ /* Transition to the new context */
+ r = mac_selinux_get_create_label_from_exe(SYSTEMD_BINARY_PATH, &label);
+ if (r < 0 || !label) {
+--
+2.27.0
+
diff --git a/embedded-add-noexec-mount-option-to-strenthen-tmp-pa.patch b/embedded-add-noexec-mount-option-to-strenthen-tmp-pa.patch
new file mode 100644
index 0000000..69f98d2
--- /dev/null
+++ b/embedded-add-noexec-mount-option-to-strenthen-tmp-pa.patch
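Review bot: The new relabel call in mac_selinux_setup() prints `errno` by hand and silently continues; the codebase convention is `log_warning_errno(errno, "Failed to relabel %s: %m", SYSTEMD_BINARY_PATH);`, which keeps the errno read next to the failing call, and the fresh `int ret` could reuse the existing `r`. A failed relabel is not fatal on its own, but the very next step derives the transition context from SYSTEMD_BINARY_PATH, so a one-line comment stating that the failure is deliberately non-fatal and that a mislabelled binary is caught by the `if (r < 0 || !label)` check below would help the next reader. selinux_restorecon() is called with flags 0; if SYSTEMD_BINARY_PATH can be a symlink on this image (merged-/usr layouts), confirm that the default flags label the intended target rather than the link. The rendered `#include` line lost its header name, so I could not check that the added header is the one declaring selinux_restorecon(); mac_selinux_setup() itself starts and ends outside the hunk.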
@@ -0,0 +1,50 @@
+From b6bcc208dda00ae4b310bd2fd513fe250f8b2c10 Mon Sep 17 00:00:00 2001
+From: Xin Shi
+Date: Thu, 24 Aug 2023 09:35:40 +0800
+Subject: [PATCH 4/5] embedded: add noexec mount option to strenthen tmp
+ partition
+
+Signed-off-by: Xin Shi
+---
+ embedded/tmp.mount | 29 +++++++++++++++++++++++++++++
+ 1 file changed, 29 insertions(+)
+ create mode 100644 embedded/tmp.mount
+
+diff --git a/embedded/tmp.mount b/embedded/tmp.mount
+new file mode 100644
+index 0000000..c2df09d
+--- /dev/null
++++ b/embedded/tmp.mount
+@@ -0,0 +1,29 @@
++# SPDX-License-Identifier: LGPL-2.1-or-later
++#
++# This file is part of systemd.
++#
++# systemd is free software; you can redistribute it and/or modify it
++# under the terms of the GNU Lesser General Public License as published by
++# the Free Software Foundation; either version 2.1 of the License, or
++# (at your option) any later version.
++
++[Unit]
++Description=Temporary Directory /tmp
++Documentation=https://systemd.io/TEMPORARY_DIRECTORIES
++Documentation=man:file-hierarchy(7)
++Documentation=https://www.freedesktop.org/wiki/Software/systemd/APIFileSystems
++ConditionPathIsSymbolicLink=!/tmp
++DefaultDependencies=no
++Conflicts=umount.target
++Before=local-fs.target umount.target
++After=swap.target
++
++[Mount]
++What=tmpfs
++Where=/tmp
++Type=tmpfs
++Options=mode=1777,strictatime,nosuid,nodev,size=50%%,nr_inodes=1m,noexec
++
++# Make 'systemctl enable tmp.mount' work:
++[Install]
++WantedBy=local-fs.target
+--
+2.27.0
+
diff --git a/embedded-modify-dns-server-address-to-avoid-security.patch b/embedded-modify-dns-server-address-to-avoid-security.patch
new file mode 100644
index 0000000..04ea932
--- /dev/null
+++ b/embedded-modify-dns-server-address-to-avoid-security.patch
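Review bot: `noexec` on the /tmp tmpfs is a sensible hardening step, but the unit does not record what it defends against, and the rest of this series appears to leave other world-writable scratch space without it (the tmpfiles snippet creates /var/volatile/tmp 1777 and the init script creates /dev/shm 1777, neither with a visible noexec mount), so a writable drop location for binaries likely remains. I would add above the Options= line: `# noexec: /tmp is world-writable; deny it as a staging area for dropped binaries (apply the same to /var/tmp and /dev/shm)`, and consider the same option on those mounts. Note that noexec only blocks direct execve(); interpreters and the dynamic loader can still run code from the mount, so treat this as defence in depth rather than a boundary. The `size=50%%` escape is correct for unit files.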
@@ -0,0 +1,483 @@
+From 29f0311e6fe30b6e492e0bd323c6c1e975719e6b Mon Sep 17 00:00:00 2001
+From: Xin Shi
+Date: Wed, 23 Aug 2023 18:11:25 +0800
+Subject: [PATCH 2/5] embedded: modify dns server address to avoid security
+ risk
+
+Signed-off-by: Xin Shi
+---
+ embedded/meson_options.txt | 462 +++++++++++++++++++++++++++++++++++++
+ 1 file changed, 462 insertions(+)
+ create mode 100644 embedded/meson_options.txt
+
+diff --git a/embedded/meson_options.txt b/embedded/meson_options.txt
+new file mode 100644
+index 0000000..24a44c5
+--- /dev/null
++++ b/embedded/meson_options.txt
+@@ -0,0 +1,462 @@
++# -*- mode: meson -*-
++# SPDX-License-Identifier: LGPL-2.1-or-later
++
++option('version-tag', type : 'string',
++ description : 'override the git version string')
++
++option('mode', type : 'combo', choices : ['developer', 'release'],
++ description : 'autoenable features suitable for systemd development/release builds')
++
++option('split-usr', type : 'combo', choices : ['auto', 'true', 'false'],
++ description : '''/bin, /sbin aren't symlinks into /usr''')
++option('split-bin', type : 'combo', choices : ['auto', 'true', 'false'],
++ description : '''sbin is not a symlink to bin''')
++option('rootlibdir', type : 'string',
++ description : '''[/usr]/lib/x86_64-linux-gnu or such''')
++option('rootprefix', type : 'string',
++ description : '''override the root prefix [default '/' if split-usr and '/usr' otherwise]''')
++option('link-udev-shared', type : 'boolean',
++ description : 'link systemd-udev and its helpers to libsystemd-shared.so')
++option('link-systemctl-shared', type: 'boolean',
++ description : 'link systemctl against libsystemd-shared.so')
++option('link-networkd-shared', type: 'boolean',
++ description : 'link systemd-networkd and its helpers to libsystemd-shared.so')
++option('link-timesyncd-shared', type: 'boolean',
++ description : 'link systemd-timesyncd and its helpers to libsystemd-shared.so')
++option('static-libsystemd', type : 'combo',
++ choices : ['false', 'true', 'pic', 'no-pic'],
++ description : '''install a static library for libsystemd''')
++option('static-libudev', type : 'combo',
++ choices : ['false', 'true', 'pic', 'no-pic'],
++ description : 'install a static library for libudev')
++option('standalone-binaries', type : 'boolean', value : 'false',
++ description : 'also build standalone versions of supported binaries')
++
++option('sysvinit-path', type : 'string', value : '/etc/init.d',
++ description : 'the directory where the SysV init scripts are located')
++option('sysvrcnd-path', type : 'string', value : '/etc/rc.d',
++ description : 'the base directory for SysV rcN.d directories')
++option('telinit-path', type : 'string', value : '/lib/sysvinit/telinit',
++ description : 'path to telinit')
++option('rc-local', type : 'string',
++ value : '/etc/rc.local')
++option('initrd', type : 'boolean',
++ description : 'install services for use when running systemd in initrd')
++option('compat-mutable-uid-boundaries', type : 'boolean', value : 'false',
++ description : 'look at uid boundaries in /etc/login.defs for compatibility')
++option('nscd', type : 'boolean',
++ description : 'build support for flushing of the nscd caches')
++
++option('quotaon-path', type : 'string', description : 'path to quotaon')
++option('quotacheck-path', type : 'string', description : 'path to quotacheck')
++option('kmod-path', type : 'string', description : 'path to kmod')
++option('kexec-path', type : 'string', description : 'path to kexec')
++option('sulogin-path', type : 'string', description : 'path to sulogin')
++option('mount-path', type : 'string', description : 'path to mount')
++option('umount-path', type : 'string', description : 'path to umount')
++option('loadkeys-path', type : 'string', description : 'path to loadkeys')
++option('setfont-path', type : 'string', description : 'path to setfont')
++option('nologin-path', type : 'string', description : 'path to nologin')
++
++option('debug-shell', type : 'string', value : '/bin/sh',
++ description : 'path to debug shell binary')
++option('debug-tty', type : 'string', value : '/dev/tty9',
++ description : 'specify the tty device for debug shell')
++option('debug-extra', type : 'array', choices : ['hashmap', 'mmap-cache', 'siphash'], value : [],
++ description : 'enable extra debugging')
++option('memory-accounting-default', type : 'boolean',
++ description : 'enable MemoryAccounting= by default')
++option('bump-proc-sys-fs-file-max', type : 'boolean',
++ description : 'bump /proc/sys/fs/file-max to LONG_MAX')
++option('bump-proc-sys-fs-nr-open', type : 'boolean',
++ description : 'bump /proc/sys/fs/nr_open to INT_MAX')
++option('valgrind', type : 'boolean', value : false,
++ description : 'do extra operations to avoid valgrind warnings')
++option('log-trace', type : 'boolean', value : false,
++ description : 'enable low level debug logging')
++option('user-path', type : 'string',
++ description : '$PATH to use for user sessions')
++
++option('utmp', type : 'boolean',
++ description : 'support for utmp/wtmp log handling')
++option('hibernate', type : 'boolean',
++ description : 'support for hibernation')
++option('ldconfig', type : 'boolean',
++ description : 'support for dynamic linker cache creation')
++option('resolve', type : 'boolean',
++ description : 'systemd-resolved stack')
++option('efi', type : 'boolean',
++ description : 'enable systemd-boot and bootctl')
++option('tpm', type : 'boolean',
++ description : 'TPM should be used to log events and extend the registers')
++option('environment-d', type : 'boolean',
++ description : 'support for environment.d')
++option('binfmt', type : 'boolean',
++ description : 'support for custom binary formats')
++option('repart', type : 'combo', choices : ['auto', 'true', 'false'],
++ description : 'install the systemd-repart tool')
++option('coredump', type : 'boolean',
++ description : 'install the coredump handler')
++option('pstore', type : 'boolean',
++ description : 'install the pstore archival tool')
++option('oomd', type : 'boolean',
++ description : 'install the userspace oom killer')
++option('logind', type : 'boolean',
++ description : 'install the systemd-logind stack')
++option('hostnamed', type : 'boolean',
++ description : 'install the systemd-hostnamed stack')
++option('localed', type : 'boolean',
++ description : 'install the systemd-localed stack')
++option('machined', type : 'boolean',
++ description : 'install the systemd-machined stack')
++option('portabled', type : 'boolean',
++ description : 'install the systemd-portabled stack')
++option('sysext', type : 'boolean',
++ description : 'install the systemd-sysext stack')
++option('userdb', type : 'boolean',
++ description : 'install the systemd-userdbd stack')
++option('homed', type : 'combo', choices : ['auto', 'true', 'false'],
++ description : 'install the systemd-homed stack')
++option('networkd', type : 'boolean',
++ description : 'install the systemd-networkd stack')
++option('timedated', type : 'boolean',
++ description : 'install the systemd-timedated daemon')
++option('timesyncd', type : 'boolean',
++ description : 'install the systemd-timesyncd daemon')
++option('remote', type : 'combo', choices : ['auto', 'true', 'false'],
++ description : 'support for "journal over the network"')
++option('create-log-dirs', type : 'boolean',
++ description : 'create /var/log/journal{,/remote}')
++option('nss-myhostname', type : 'boolean',
++ description : 'install nss-myhostname module')
++option('nss-mymachines', type : 'combo', choices : ['auto', 'true', 'false'],
++ description : 'install nss-mymachines module')
++option('nss-resolve', type : 'combo', choices : ['auto', 'true', 'false'],
++ description : 'install nss-resolve module')
++option('nss-systemd', type : 'boolean',
++ description : 'install nss-systemd module')
++option('firstboot', type : 'boolean',
++ description : 'support for firstboot mechanism')
++option('randomseed', type : 'boolean',
++ description : 'support for restoring random seed')
++option('backlight', type : 'boolean',
++ description : 'support for restoring backlight state')
++option('vconsole', type : 'boolean',
++ description : 'support for vconsole configuration')
++option('quotacheck', type : 'boolean',
++ description : 'support for the quotacheck tools')
++option('sysusers', type : 'boolean',
++ description : 'support for the sysusers configuration')
++option('tmpfiles', type : 'boolean',
++ description : 'support for tmpfiles.d')
++option('importd', type : 'combo', choices : ['auto', 'true', 'false'],
++ description : 'install the systemd-importd daemon')
++option('hwdb', type : 'boolean',
++ description : 'support for the hardware database')
++option('rfkill', type : 'boolean',
++ description : 'support for the rfkill tools')
++option('xdg-autostart', type : 'boolean',
++ description : 'install the xdg-autostart-generator and unit')
++option('man', type : 'combo', choices : ['auto', 'true', 'false'],
++ value : 'false',
++ description : 'build and install man pages')
++option('html', type : 'combo', choices : ['auto', 'true', 'false'],
++ value : 'false',
++ description : 'build and install html pages')
++option('translations', type : 'boolean', value : true,
++ description : 'build and install translations')
++
++option('certificate-root', type : 'string', value : '/etc/ssl',
++ description : 'the prefix for TLS certificates')
++option('dbuspolicydir', type : 'string',
++ description : 'D-Bus policy directory')
++option('dbussessionservicedir', type : 'string',
++ description : 'D-Bus session service directory')
++option('dbussystemservicedir', type : 'string',
++ description : 'D-Bus system service directory')
++option('pkgconfigdatadir', type : 'string', value : '',
++ description : 'directory for arch-independent pkg-config files')
++option('pkgconfiglibdir', type : 'string', value : '',
++ description : 'directory for standard pkg-config files')
++option('xinitrcdir', type : 'string', value : '',
++ description : 'directory for xinitrc files')
++option('rpmmacrosdir', type : 'string', value : 'lib/rpm/macros.d',
++ description : 'directory for rpm macros ["no" disables]')
++option('pamlibdir', type : 'string',
++ description : 'directory for PAM modules')
++option('pamconfdir', type : 'string',
++ description : 'directory for PAM configuration ["no" disables]')
++option('docdir', type : 'string',
++ description : 'documentation directory')
++option('install-sysconfdir', type : 'combo', choices : ['true', 'no-samples', 'false'], value : 'true',
++ description : 'install configuration files and directories to $sysconfdir')
++
++option('fallback-hostname', type : 'string', value : 'localhost',
++ description : 'the hostname used if none configured')
++option('default-hierarchy', type : 'combo',
++ choices : ['legacy', 'hybrid', 'unified'], value : 'unified',
++ description : 'default cgroup hierarchy')
++option('default-net-naming-scheme', type : 'combo',
++ choices : ['latest', 'v238', 'v239', 'v240'],
++ description : 'default net.naming-scheme= value')
++option('status-unit-format-default', type : 'combo',
++ choices : ['description', 'name', 'combined'],
++ description : 'use unit name or description in messages by default')
++option('time-epoch', type : 'integer', value : '-1',
++ description : 'time epoch for time clients')
++
++option('system-alloc-uid-min', type : 'integer', value : '-1',
++ description : 'minimum system UID used when allocating')
++option('system-alloc-gid-min', type : 'integer', value : '-1',
++ description : 'minimum system GID used when allocating')
++option('system-uid-max', type : 'integer', value : '-1',
++ description : 'maximum system UID')
++option('system-gid-max', type : 'integer', value : '-1',
++ description : 'maximum system GID')
++option('dynamic-uid-min', type : 'integer', value : 0x0000EF00,
++ description : 'minimum dynamic UID')
++option('dynamic-uid-max', type : 'integer', value : 0x0000FFEF,
++ description : 'maximum dynamic UID')
++option('container-uid-base-min', type : 'integer', value : 0x00080000,
++ description : 'minimum container UID base')
++option('container-uid-base-max', type : 'integer', value : 0x6FFF0000,
++ description : 'maximum container UID base')
++option('adm-group', type : 'boolean',
++ description : 'the ACL for adm group should be added')
++option('wheel-group', type : 'boolean',
++ description : 'the ACL for wheel group should be added')
++option('nobody-user', type : 'string',
++ description : 'The name of the nobody user (the one with UID 65534)',
++ value : 'nobody')
++option('nobody-group', type : 'string',
++ description : 'The name of the nobody group (the one with GID 65534)',
++ value : 'nobody')
++option('adm-gid', type : 'integer', value : '-1',
++ description : 'soft-static allocation for the "adm" group')
++option('audio-gid', type : 'integer', value : '-1',
++ description : 'soft-static allocation for the "audio" group')
++option('cdrom-gid', type : 'integer', value : '-1',
++ description : 'soft-static allocation for the "cdrom" group')
++option('dialout-gid', type : 'integer', value : '-1',
++ description : 'soft-static allocation for the "dialout" group')
++option('disk-gid', type : 'integer', value : '-1',
++ description : 'soft-static allocation for the "disk" group')
++option('input-gid', type : 'integer', value : '-1',
++ description : 'soft-static allocation for the "input" group')
++option('kmem-gid', type : 'integer', value : '-1',
++ description : 'soft-static allocation for the "kmem" group')
++option('kvm-gid', type : 'integer', value : '-1',
++ description : 'soft-static allocation for the "kvm" group')
++option('lp-gid', type : 'integer', value : '-1',
++ description : 'soft-static allocation for the "lp" group')
++option('render-gid', type : 'integer', value : '-1',
++ description : 'soft-static allocation for the "render" group')
++option('sgx-gid', type : 'integer', value : '-1',
++ description : 'soft-static allocation for the "sgx" group')
++option('tape-gid', type : 'integer', value : '-1',
++ description : 'soft-static allocation for the "tape" group')
++option('tty-gid', type : 'integer', value : 5,
++ description : 'the numeric GID of the "tty" group')
++option('users-gid', type : 'integer', value : '-1',
++ description : 'soft-static allocation for the "users" group')
++option('utmp-gid', type : 'integer', value : '-1',
++ description : 'soft-static allocation for the "utmp" group')
++option('video-gid', type : 'integer', value : '-1',
++ description : 'soft-static allocation for the "video" group')
++option('wheel-gid', type : 'integer', value : '-1',
++ description : 'soft-static allocation for the "wheel" group')
++option('systemd-journal-gid', type : 'integer', value : '-1',
++ description : 'soft-static allocation for the systemd-journal group')
++option('systemd-network-uid', type : 'integer', value : '-1',
++ description : 'soft-static allocation for the systemd-network user')
++option('systemd-resolve-uid', type : 'integer', value : '-1',
++ description : 'soft-static allocation for the systemd-resolve user')
++option('systemd-timesync-uid', type : 'integer', value : '-1',
++ description : 'soft-static allocation for the systemd-timesync user')
++
++option('dev-kvm-mode', type : 'string', value : '0666',
++ description : '/dev/kvm access mode')
++option('group-render-mode', type : 'string', value : '0666',
++ description : 'Access mode for devices owned by render group (e.g. /dev/dri/renderD*, /dev/kfd).')
++option('default-kill-user-processes', type : 'boolean',
++ description : 'the default value for KillUserProcesses= setting')
++option('gshadow', type : 'boolean',
++ description : 'support for shadow group')
++option('default-locale', type : 'string', value : '',
++ description : 'default locale used when /etc/locale.conf does not exist')
++option('localegen-path', type : 'string', value : '',
++ description : 'absolute path to the locale-gen binary in case the system is using locale-gen')
++option('service-watchdog', type : 'string', value : '3min',
++ description : 'default watchdog setting for systemd services')
++
++option('default-dnssec', type : 'combo',
++ description : 'default DNSSEC mode',
++ choices : ['yes', 'allow-downgrade', 'no'],
++ value : 'allow-downgrade')
++option('default-dns-over-tls', type : 'combo',
++ description : 'default DNS-over-TLS mode',
++ choices : ['yes', 'opportunistic', 'no'],
++ value : 'no')
++option('default-mdns', type : 'combo',
++ choices : ['yes', 'resolve', 'no'],
++ description : 'default MulticastDNS mode',
++ value : 'yes')
++option('default-llmnr', type : 'combo',
++ choices : ['yes', 'resolve', 'no'],
++ description : 'default LLMNR mode',
++ value : 'yes')
++option('dns-over-tls', type : 'combo', choices : ['auto', 'gnutls', 'openssl', 'true', 'false'],
++ description : 'DNS-over-TLS support')
++option('dns-servers', type : 'string',
++ description : 'space-separated list of default DNS servers',
++ value : '127.0.0.1')
++option('ntp-servers', type : 'string',
++ description : 'space-separated list of default NTP servers',
++ value : '0.pool.ntp.org 1.pool.ntp.org 2.pool.ntp.org 3.pool.ntp.org')
++option('support-url', type : 'string',
++ description : 'the support URL to show in catalog entries included in systemd',
++ value : 'https://lists.freedesktop.org/mailman/listinfo/systemd-devel')
++option('www-target', type : 'string',
++ description : 'the address and dir to upload docs too',
++ value : 'www.freedesktop.org:/srv/www.freedesktop.org/www/software/systemd')
++
++option('seccomp', type : 'combo', choices : ['auto', 'true', 'false'],
++ description : 'SECCOMP support')
++option('selinux', type : 'combo', choices : ['auto', 'true', 'false'],
++ description : 'SELinux support')
++option('apparmor', type : 'combo', choices : ['auto', 'true', 'false'],
++ description : 'AppArmor support')
++option('smack', type : 'boolean',
++ description : 'SMACK support')
++option('smack-run-label', type : 'string',
++ description : 'run systemd --system itself with a specific SMACK label')
++option('polkit', type : 'combo', choices : ['auto', 'true', 'false'],
++ description : 'polkit support')
++option('ima', type : 'boolean',
++ description : 'IMA support')
++
++option('acl', type : 'combo', choices : ['auto', 'true', 'false'],
++ description : 'libacl support')
++option('audit', type : 'combo', choices : ['auto', 'true', 'false'],
++ description : 'libaudit support')
++option('blkid', type : 'combo', choices : ['auto', 'true', 'false'],
++ description : 'libblkid support')
++option('fdisk', type : 'combo', choices : ['auto', 'true', 'false'],
++ description : 'libfdisk support')
++option('kmod', type : 'combo', choices : ['auto', 'true', 'false'],
++ description : 'support for loadable modules')
++option('pam', type : 'combo', choices : ['auto', 'true', 'false'],
++ description : 'PAM support')
++option('pwquality', type : 'combo', choices : ['auto', 'true', 'false'],
++ description : 'libpwquality support')
++option('microhttpd', type : 'combo', choices : ['auto', 'true', 'false'],
++ description : 'libµhttpd support')
++option('libcryptsetup', type : 'combo', choices : ['auto', 'true', 'false'],
++ description : 'libcryptsetup support')
++option('libcurl', type : 'combo', choices : ['auto', 'true', 'false'],
++ description : 'libcurl support')
++option('idn', type : 'boolean',
++ description : 'use IDN when printing hostnames')
++option('libidn2', type : 'combo', choices : ['auto', 'true', 'false'],
++ description : 'libidn2 support')
++option('libidn', type : 'combo', choices : ['auto', 'true', 'false'],
++ description : 'libidn support')
++option('libiptc', type : 'combo', choices : ['auto', 'true', 'false'],
++ description : 'libiptc support')
++option('qrencode', type : 'combo', choices : ['auto', 'true', 'false'],
++ description : 'libqrencode support')
++option('gcrypt', type : 'combo', choices : ['auto', 'true', 'false'],
++ description : 'gcrypt support')
++option('gnutls', type : 'combo', choices : ['auto', 'true', 'false'],
++ description : 'gnutls support')
++option('openssl', type : 'combo', choices : ['auto', 'true', 'false'],
++ description : 'openssl support')
++option('p11kit', type : 'combo', choices : ['auto', 'true', 'false'],
++ description : 'p11kit support')
++option('libfido2', type : 'combo', choices : ['auto', 'true', 'false'],
++ description : 'FIDO2 support')
++option('tpm2', type : 'combo', choices : ['auto', 'true', 'false'],
++ description : 'TPM2 support')
++option('elfutils', type : 'combo', choices : ['auto', 'true', 'false'],
++ description : 'elfutils support')
++option('zlib', type : 'combo', choices : ['auto', 'true', 'false'],
++ description : 'zlib compression support')
++option('bzip2', type : 'combo', choices : ['auto', 'true', 'false'],
++ description : 'bzip2 compression support')
++option('xz', type : 'combo', choices : ['auto', 'true', 'false'],
++ description : 'xz compression support')
++option('lz4', type : 'combo', choices : ['auto', 'true', 'false'],
++ description : 'lz4 compression support')
++option('zstd', type : 'combo', choices : ['auto', 'true', 'false'],
++ description : 'zstd compression support')
++option('xkbcommon', type : 'combo', choices : ['auto', 'true', 'false'],
++ description : 'xkbcommon keymap support')
++option('pcre2', type : 'combo', choices : ['auto', 'true', 'false'],
++ description : 'regexp matching support using pcre2')
++option('glib', type : 'combo', choices : ['auto', 'true', 'false'],
++ description : 'libglib support (for tests only)')
++option('dbus', type : 'combo', choices : ['auto', 'true', 'false'],
++ description : 'libdbus support (for tests only)')
++
++option('gnu-efi', type : 'combo', choices : ['auto', 'true', 'false'],
++ description : 'gnu-efi support for sd-boot')
++option('efi-cc', type : 'array',
++ description : 'the compiler to use for EFI modules')
++option('efi-ld', type : 'string', value : 'ld',
++ description : 'the linker to use for EFI modules')
++option('efi-libdir', type : 'string',
++ description : 'path to the EFI lib directory')
++option('efi-includedir', type : 'string', value : '/usr/include/efi',
++ description : 'path to the EFI header directory')
++option('tpm-pcrindex', type : 'integer', value : 8,
++ description : 'TPM PCR register number to use')
++option('sbat-distro', type : 'string',
++ description : 'SBAT distribution ID, e.g. fedora, or auto for autodetection')
++option('sbat-distro-generation', type : 'integer', value : 1,
++ description : 'SBAT distribution generation')
++option('sbat-distro-summary', type : 'string',
++ description : 'SBAT distribution summary, e.g. Fedora')
++option('sbat-distro-pkgname', type : 'string',
++ description : 'SBAT distribution package name, e.g. systemd')
++option('sbat-distro-version', type : 'string',
++ description : 'SBAT distribution package version, e.g. 248-7.fc34')
++option('sbat-distro-url', type : 'string',
++ description : 'SBAT distribution URL, e.g. https://src.fedoraproject.org/rpms/systemd')
++
++option('bashcompletiondir', type : 'string',
++ description : 'directory for bash completion scripts ["no" disables]')
++option('zshcompletiondir', type : 'string',
++ description : 'directory for zsh completion scripts ["no" disables]')
++
++option('tests', type : 'combo', choices : ['true', 'unsafe', 'false'],
++ description : 'enable extra tests with =unsafe')
++option('slow-tests', type : 'boolean', value : 'false',
++ description : 'run the slow tests by default')
++option('fuzz-tests', type : 'boolean', value : 'false',
++ description : 'run the fuzzer regression tests by default (with sanitizers)')
++option('install-tests', type : 'boolean', value : 'false',
++ description : 'install test executables')
++
++option('ok-color', type : 'combo',
++ choices : ['black', 'red', 'green', 'yellow', 'blue', 'magenta', 'cyan',
++ 'white', 'highlight-black', 'highlight-red', 'highlight-green',
++ 'highlight-yellow', 'highlight-blue', 'highlight-magenta',
++ 'highlight-cyan', 'highlight-white'],
++ value : 'green',
++ description: 'color of the "OK" status message')
++option('urlify', type : 'boolean', value : 'true',
++ description : 'enable pager Hyperlink ANSI sequence support')
++option('fexecve', type : 'boolean', value : 'false',
++ description : 'use fexecve() to spawn children')
++
++option('oss-fuzz', type : 'boolean', value : 'false',
++ description : 'build against oss-fuzz')
++option('llvm-fuzz', type : 'boolean', value : 'false',
++ description : 'build against LLVM libFuzzer')
++option('kernel-install', type: 'boolean', value: 'true',
++ description : 'install kernel-install and associated files')
++option('analyze', type: 'boolean', value: 'true',
++ description : 'install systemd-analyze')
++
++option('bpf-framework', type : 'combo', choices : ['auto', 'true', 'false'],
++ description: 'build BPF programs from source code in restricted C')
+--
+2.27.0
+
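Review bot: Changing only `dns-servers` to `'127.0.0.1'` narrows the fallback resolver list but leaves `default-llmnr` and `default-mdns` at `'yes'`, so resolved will still take part in link-local name resolution with any host on the segment — a wider spoofing surface than the fallback servers this commit removes, and worth setting to `'no'` (or at least `'resolve'`) in the same hardening pass. The loopback value also deserves a comment, because a reader will assume something listens there; above the `dns-servers` option I would add `# Fallback only: 127.0.0.1 means "no external resolver"; resolution fails closed unless a local DNS server is present`. If the stub listener stays at 127.0.0.53 this does not loop back into resolved itself, but that should be confirmed on the target image. `ntp-servers` still points at pool.ntp.org, so the "no external services by default" intent is only partial.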
diff --git a/embedded-sysuesrs_dir-sysctl_dir-binfmt_dir-modules_.patch b/embedded-sysuesrs_dir-sysctl_dir-binfmt_dir-modules_.patch
new file mode 100644
index 0000000..b6a31f3
--- /dev/null
+++ b/embedded-sysuesrs_dir-sysctl_dir-binfmt_dir-modules_.patch
@@ -0,0 +1,122 @@
+From e64cff49bced685b5abeb03e89940314d72e49ae Mon Sep 17 00:00:00 2001
+From: Xin Shi
+Date: Wed, 23 Aug 2023 18:06:49 +0800
+Subject: [PATCH 1/5] embedded: sysuesrs_dir, sysctl_dir, binfmt_dir,
+ modules_load_dir reference directories in /usr/lib
+
+Signed-off-by: Xin Shi
+---
+ embedded/systemd.pc.in | 101 +++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 101 insertions(+)
+ create mode 100644 embedded/systemd.pc.in
+
+diff --git a/embedded/systemd.pc.in b/embedded/systemd.pc.in
+new file mode 100644
+index 0000000..65996bb
+--- /dev/null
++++ b/embedded/systemd.pc.in
+@@ -0,0 +1,101 @@
++# SPDX-License-Identifier: LGPL-2.1-or-later
++#
++# This file is part of systemd.
++#
++# systemd is free software; you can redistribute it and/or modify it
++# under the terms of the GNU Lesser General Public License as published by
++# the Free Software Foundation; either version 2.1 of the License, or
++# (at your option) any later version.
++
++# Names with prefixes are preferred, and the run-together names should be
++# considered deprecated (though there is no plan to remove them). New names
++# shall have underscores.
++
++prefix=/usr
++root_prefix={{ROOTPREFIX_NOSLASH}}
++rootprefix=${root_prefix}
++sysconf_dir={{SYSCONF_DIR}}
++sysconfdir=${sysconf_dir}
++
++systemd_util_dir=${root_prefix}/lib/systemd
++systemdutildir=${systemd_util_dir}
++
++systemd_system_unit_dir=${rootprefix}/lib/systemd/system
++systemdsystemunitdir=${systemd_system_unit_dir}
++
++systemd_system_preset_dir=${rootprefix}/lib/systemd/system-preset
++systemdsystempresetdir=${systemd_system_preset_dir}
++
++systemd_user_unit_dir=${prefix}/lib/systemd/user
++systemduserunitdir=${systemd_user_unit_dir}
++
++systemd_user_preset_dir=${prefix}/lib/systemd/user-preset
++systemduserpresetdir=${systemd_user_preset_dir}
++
++systemd_system_conf_dir=${sysconfdir}/systemd/system
++systemdsystemconfdir=${systemd_system_conf_dir}
++
++systemd_user_conf_dir=${sysconfdir}/systemd/user
++systemduserconfdir=${systemd_user_conf_dir}
++
++systemd_system_unit_path=${systemd_system_conf_dir}:/etc/systemd/system:/run/systemd/system:/usr/local/lib/systemd/system:${systemd_system_unit_dir}:/usr/lib/systemd/system:/lib/systemd/system
++systemdsystemunitpath=${systemd_system_unit_path}
++
++systemd_user_unit_path=${systemd_user_conf_dir}:/etc/systemd/user:/run/systemd/user:/usr/local/lib/systemd/user:/usr/local/share/systemd/user:${systemd_user_unit_dir}:/usr/lib/systemd/user:/usr/share/systemd/user
++systemduserunitpath=${systemd_user_unit_path}
++
++systemd_system_generator_dir=${root_prefix}/lib/systemd/system-generators
++systemdsystemgeneratordir=${systemd_system_generator_dir}
++
++systemd_user_generator_dir=${prefix}/lib/systemd/user-generators
++systemdusergeneratordir=${systemd_user_generator_dir}
++
++systemd_system_generator_path=/run/systemd/system-generators:/etc/systemd/system-generators:/usr/local/lib/systemd/system-generators:${systemd_system_generator_dir}
++systemdsystemgeneratorpath=${systemd_system_generator_path}
++
++systemd_user_generator_path=/run/systemd/user-generators:/etc/systemd/user-generators:/usr/local/lib/systemd/user-generators:${systemd_user_generator_dir}
++systemdusergeneratorpath=${systemd_user_generator_path}
++
++systemd_sleep_dir=${root_prefix}/lib/systemd/system-sleep
++systemdsleepdir=${systemd_sleep_dir}
++
++systemd_shutdown_dir=${root_prefix}/lib/systemd/system-shutdown
++systemdshutdowndir=${systemd_shutdown_dir}
++
++tmpfiles_dir=${prefix}/lib/tmpfiles.d
++tmpfilesdir=${tmpfiles_dir}
++
++sysusers_dir=${prefix}/lib/sysusers.d
++sysusersdir=${sysusers_dir}
++
++sysctl_dir=${prefix}/lib/sysctl.d
++sysctldir=${sysctl_dir}
++
++binfmt_dir=${prefix}/lib/binfmt.d
++binfmtdir=${binfmt_dir}
++
++modules_load_dir=${prefix}/lib/modules-load.d
++modulesloaddir=${modules_load_dir}
++
++catalog_dir=${prefix}/lib/systemd/catalog
++catalogdir=${catalog_dir}
++
++system_uid_max={{SYSTEM_UID_MAX}}
++systemuidmax=${system_uid_max}
++system_gid_max={{SYSTEM_GID_MAX}}
++systemgidmax=${system_gid_max}
++
++dynamic_uid_min={{DYNAMIC_UID_MIN}}
++dynamicuidmin=${dynamic_uid_min}
++dynamic_uid_max={{DYNAMIC_UID_MAX}}
++dynamicuidmax=${dynamic_uid_max}
++
++container_uid_base_min={{CONTAINER_UID_BASE_MIN}}
++containeruidbasemin=${container_uid_base_min}
++container_uid_base_max={{CONTAINER_UID_BASE_MAX}}
++containeruidbasemax=${container_uid_base_max}
++
++Name: systemd
++Description: systemd System and Service Manager
++URL: {{PROJECT_URL}}
++Version: {{PROJECT_VERSION}}
+--
+2.27.0
+
diff --git a/embedded-use-yocto-configs.patch b/embedded-use-yocto-configs.patch
new file mode 100644
index 0000000..e976c84
--- /dev/null
+++ b/embedded-use-yocto-configs.patch
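Review bot: `prefix=/usr` is hardcoded while `root_prefix` and `sysconf_dir` remain template substitutions, so every consumer of sysusers_dir, sysctl_dir, binfmt_dir and modules_load_dir will be told to install under /usr/lib even when the build is configured with a different prefix, and nothing in the file says this is intentional. If /usr is meant to be fixed for this embedded profile, say so above the line, e.g. `# prefix is deliberately fixed to /usr: sysusers.d/sysctl.d/binfmt.d/modules-load.d snippets must land under /usr/lib regardless of the build prefix`; otherwise use a template placeholder for it like the neighbouring variables, if the generator provides one. The search paths in systemd_system_unit_path and systemd_system_generator_path list /etc and /run ahead of the vendor directories, which is the expected precedence, but on an image with a writable /etc overlay it is also where a vendor unit or generator can be shadowed — worth a short note for whoever locks down the deployment.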
@@ -0,0 +1,170 @@
+From 0b43b9daeb0b194cd064830728b36a8cccbbea9b Mon Sep 17 00:00:00 2001
+From: Xin Shi
+Date: Thu, 24 Aug 2023 10:02:32 +0800
+Subject: [PATCH 5/5] embedded: use yocto configs
+
+Signed-off-by: Xin Shi
+---
+ embedded/00-create-volatile.conf | 12 ++++
+ embedded/init | 104 +++++++++++++++++++++++++++++++
+ embedded/touchscreen.rules | 18 ++++++
+ 3 files changed, 134 insertions(+)
+ create mode 100644 embedded/00-create-volatile.conf
+ create mode 100644 embedded/init
+ create mode 100644 embedded/touchscreen.rules
+
+diff --git a/embedded/00-create-volatile.conf b/embedded/00-create-volatile.conf
+new file mode 100644
+index 0000000..55333b6
+--- /dev/null
++++ b/embedded/00-create-volatile.conf
+@@ -0,0 +1,12 @@
++#This goes hand-in-hand with the base-files of OE-Core. The file must
++# be sorted before 'systemd.conf' because this attempts to create a file
++# inside /var/log.
++
++
++d /var/volatile/log - - - -
++d /var/volatile/tmp 1777 - -
++d /var/log 0750 root root -
++f /var/log/wtmp 0640 root root -
++f /var/log/btmp 0600 root root -
++f /var/log/lastlog 0600 root root -
++f /var/log/faillog 0600 root root -
+diff --git a/embedded/init b/embedded/init
+new file mode 100644
+index 0000000..4931b77
+--- /dev/null
++++ b/embedded/init
+@@ -0,0 +1,104 @@
++#!/bin/sh
++
++### BEGIN INIT INFO
++# Provides: udev
++# Required-Start: mountvirtfs
++# Required-Stop:
++# Default-Start: S
++# Default-Stop:
++# Short-Description: Start udevd, populate /dev and load drivers.
++### END INIT INFO
++
++. /etc/init.d/functions
++
++export TZ=/etc/localtime
++
++[ -d /sys/class ] || exit 1
++[ -r /proc/mounts ] || exit 1
++[ -x @UDEVD@ ] || exit 1
++[ -f /etc/default/udev-cache ] && . /etc/default/udev-cache
++[ -f /etc/udev/udev.conf ] && . /etc/udev/udev.conf
++
++readfile () {
++ filename=$1
++ READDATA=""
++ if [ -r $filename ]; then
++ while read line; do
++ READDATA="$READDATA$line"
++ done < $filename
++ fi
++}
++
++case "$1" in
++ start)
++ export ACTION=add
++ # propagate /dev from /sys
++ echo "Starting udev"
++
++ # mount the devtmpfs on /dev, if not already done
++ LANG=C awk '$2 == "/dev" && ($3 == "devtmpfs") { exit 1 }' /proc/mounts && {
++ mount -n -o mode=0755 -t devtmpfs none "/dev"
++ }
++ [ -e /dev/pts ] || mkdir -m 0755 /dev/pts
++ [ -e /dev/shm ] || mkdir -m 1777 /dev/shm
++ mount -a -t tmpfs 2>/dev/null
++
++ # cache handling
++ if [ "$DEVCACHE" != "" ]; then
++ readfile /proc/version
++ VERSION="$READDATA"
++ readfile /proc/cmdline
++ CMDLINE="$READDATA"
++ readfile /proc/devices
++ DEVICES="$READDATA"
++ readfile /proc/atags
++ ATAGS="$READDATA"
++
++ if [ -e $DEVCACHE ]; then
++ readfile /etc/udev/cache.data
++ if [ "$READDATA" = "$VERSION$CMDLINE$DEVICES$ATAGS" ]; then
++ (cd /; tar xf $DEVCACHE > /dev/null 2>&1)
++ not_first_boot=1
++ [ "$VERBOSE" != "no" ] && echo "udev: using cache file $DEVCACHE"
++ [ -e /dev/shm/udev.cache ] && rm -f /dev/shm/udev.cache
++ else
++ echo "$VERSION$CMDLINE$DEVICES$ATAGS" > /dev/shm/udev.cache
++ fi
++ else
++ echo "$VERSION$CMDLINE$DEVICES$ATAGS" > /dev/shm/udev.cache
++ fi
++ fi
++
++ # make_extra_nodes
++ killproc systemd-udevd > "/dev/null" 2>&1
++
++ # trigger the sorted events
++ echo -e '\000\000\000\000' > /proc/sys/kernel/hotplug
++ @UDEVD@ -d
++
++ udevadm control --env=STARTUP=1
++ if [ "$not_first_boot" != "" ]; then
++ udevadm trigger --action=add --subsystem-nomatch=tty --subsystem-nomatch=mem --subsystem-nomatch=vc --subsystem-nomatch=vtconsole --subsystem-nomatch=misc --subsystem-nomatch=dcon --subsystem-nomatch=pci_bus --subsystem-nomatch=graphics --subsystem-nomatch=backlight --subsystem-nomatch=video4linux --subsystem-nomatch=platform
++ (udevadm settle --timeout=3; udevadm control --env=STARTUP=)&
++ else
++ udevadm trigger --action=add
++ udevadm settle
++ fi
++ ;;
++ stop)
++ echo "Stopping udevd"
++ start-stop-daemon --stop --name systemd-udevd --quiet
++ ;;
++ restart)
++ $0 stop
++ sleep 1
++ $0 start
++ ;;
++ status)
++ status systemd-udevd
++ ;;
++ *)
++ echo "Usage: $0 {start|stop|status|restart}"
++ exit 1
++esac
++exit 0
+diff --git a/embedded/touchscreen.rules b/embedded/touchscreen.rules
+new file mode 100644
+index 0000000..d83fd16
+--- /dev/null
++++ b/embedded/touchscreen.rules
+@@ -0,0 +1,18 @@
++# There are a number of modifiers that are allowed to be used in some
++# of the different fields. They provide the following subsitutions:
++#
++# %n the "kernel number" of the device.
++# For example, 'sda3' has a "kernel number" of '3'
++# %e the smallest number for that name which does not matches an existing node
++# %k the kernel name for the device
++# %M the kernel major number for the device
++# %m the kernel minor number for the device
++# %b the bus id for the device
++# %c the string returned by the PROGRAM
++# %s(unknown) the content of a sysfs attribute
++# %% the '%' char itself
++#
++
++# Create a symlink to any touchscreen input device
++SUBSYSTEM=="input", KERNEL=="event[0-9]*", ATTRS{modalias}=="input:*-e0*,3,*a0,1,*18,*", SYMLINK+="input/touchscreen0"
++SUBSYSTEM=="input", KERNEL=="event[0-9]*", ATTRS{modalias}=="ads7846", SYMLINK+="input/touchscreen0"
+--
+2.27.0
+
diff --git a/systemd.spec b/systemd.spec
index eb43f0b..b5771e0 100644
--- a/systemd.spec
+++ b/systemd.spec
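Review bot: `[ -x @UDEVD@ ] || exit 1` near the top of embedded/init tests a build-time placeholder, and nothing in this commit (including the systemd.spec hunk that follows) visibly substitutes it, so unless that substitution happens elsewhere in the build the script exits before udevd is ever started and `@UDEVD@ -d` never runs. In the cache branch, `(cd /; tar xf $DEVCACHE > /dev/null 2>&1)` unpacks an archive into the root filesystem as root with only the cache.data string comparison as a guard and with `$DEVCACHE` unquoted; quoting it and requiring a regular, root-owned file, e.g. `[ -f "$DEVCACHE" ] || DEVCACHE=`, keeps a misconfigured or writable cache path from becoming a way to place files at boot. `echo -e '\000\000\000\000' > /proc/sys/kernel/hotplug` is not portable under `#!/bin/sh` (dash's builtin echo prints `-e` literally), so `printf '' > /proc/sys/kernel/hotplug` states the intent of clearing the helper path without depending on the shell. `readfile` should read with `while IFS= read -r line; do` so backslashes and surrounding whitespace in /proc/cmdline are not altered when the cache key is built and later compared.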
@@ -589,6 +589,11 @@ Patch9055: bugfix-for-cgroup-Swap-cgroup-v1-deletion-and-migration.patch
 Patch9056: delete-journal-files-except-system.journal-when-jour.patch
 Patch9057: set-the-cpuset.cpus-mems-of-machine.slice-to-all-by-.patch
 Patch9058: add-a-new-switch-to-control-whether-udev-complies-wi.patch
+Patch9059: embedded-sysuesrs_dir-sysctl_dir-binfmt_dir-modules_.patch
+Patch9060: embedded-modify-dns-server-address-to-avoid-security.patch
+Patch9061: add-support-to-relabel-systemd-process-for-embedded.patch
+Patch9062: embedded-add-noexec-mount-option-to-strenthen-tmp-pa.patch
+Patch9063: embedded-use-yocto-configs.patch
 
 BuildRequires: gcc, gcc-c++
 BuildRequires: libcap-devel, libmount-devel, pam-devel, libselinux-devel
@@ -2006,6 +2011,13 @@ fi
 %{_libdir}/security/pam_systemd.so
 
 %changelog
+* Thu Aug 24 2023 shixin - 249-55
+- sysuesrs_dir, sysctl_dir, binfmt_dir, modules_load_dir reference directories in /usr/lib for embedded
+- modify dns server address to avoid security risk for embedded
+- add support to relabel systemd process for embedded
+- add noexec mount option to strenthen tmp partition for embedded
+- use yocto configs for embedded
+
 * Thu Aug 17 2023 wangyuhang - 249-54
 - add a new switch to control whether udev complies with the new SAT standards and add sense_data.py to check if the device meets the new SAT standards