From b9a1e3503914f39d8a22d763569b37f0cda28303 Mon Sep 17 00:00:00 2001
From: Zbigniew Jędrzejewski-Szmek
Date: Mar 17 2016 13:26:12 +0000
Subject: Backport a few more patches
---
diff --git a/0020-resolved-create-etc-resolv.conf-symlink-at-runtime.patch b/0020-resolved-create-etc-resolv.conf-symlink-at-runtime.patch
deleted file mode 100644
index 58694b8..0000000
--- a/0020-resolved-create-etc-resolv.conf-symlink-at-runtime.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-From 4e14900fe25c53275c7d7d0c094ddf1fd477e5ed Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?=
-Date: Fri, 11 Mar 2016 17:06:17 -0500
-Subject: [PATCH 1/2] resolved: create /etc/resolv.conf symlink at runtime
-
-If the symlink doesn't exists, and we are being started, let's
-create it to provie name resolution.
-
-If it exists, do nothing. In particular, if it is a broken symlink,
-we cannot really know if the administator configured it to point to
-a location used by some service that hasn't started yet, so we
-don't touch it in that case either.
-
-https://bugzilla.redhat.com/show_bug.cgi?id=1313085
----
- src/resolve/resolved.c | 4 ++++
- tmpfiles.d/etc.conf.m4 | 3 ---
- 2 files changed, 4 insertions(+), 3 deletions(-)
-
-diff --git a/src/resolve/resolved.c b/src/resolve/resolved.c
-index 161ea03412..ea6750e949 100644
---- a/src/resolve/resolved.c
-+++ b/src/resolve/resolved.c
-@@ -67,6 +67,10 @@ int main(int argc, char *argv[]) {
- goto finish;
- }
-
-+ r = symlink("../run/systemd/resolve/resolv.conf", "/etc/resolv.conf");
-+ if (r < 0 && errno != EEXIST)
-+ log_warning_errno(errno, "Could not create /etc/resolv.conf symlink: %m");
-+
- r = drop_privileges(uid, gid, 0);
- if (r < 0)
- goto finish;
-diff --git a/tmpfiles.d/etc.conf.m4 b/tmpfiles.d/etc.conf.m4
-index ef7b9b9541..928105ea8d 100644
---- a/tmpfiles.d/etc.conf.m4
-+++ b/tmpfiles.d/etc.conf.m4
-@@ -13,9 +13,6 @@ L+ /etc/mtab - - - - ../proc/self/mounts
- m4_ifdef(`HAVE_SMACK_RUN_LABEL',
- t /etc/mtab - - - - security.SMACK64=_
- )m4_dnl
--m4_ifdef(`ENABLE_RESOLVED',
--L! /etc/resolv.conf - - - - ../run/systemd/resolve/resolv.conf
--)m4_dnl
- C /etc/nsswitch.conf - - - -
- m4_ifdef(`HAVE_PAM',
- C /etc/pam.d - - - -
---
-2.7.2
-
diff --git a/0020-test-compress-benchmark-skip-loop-iteration-if-size-.patch b/0020-test-compress-benchmark-skip-loop-iteration-if-size-.patch
new file mode 100644
index 0000000..b290625
--- /dev/null
+++ b/0020-test-compress-benchmark-skip-loop-iteration-if-size-.patch
@@ -0,0 +1,25 @@
+From f4bb8c3a9aed5ddefb66380c818d04aa0b663693 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?=
+Date: Fri, 4 Mar 2016 21:46:47 -0500
+Subject: [PATCH] test-compress-benchmark: skip loop iteration if size is 0
+
+Otherwise we would hit an assert in the compression code.
+
+(cherry picked from commit 15b947fb798cd131355ba9935802d58e92bdba6e)
+---
+ src/journal/test-compress-benchmark.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/journal/test-compress-benchmark.c b/src/journal/test-compress-benchmark.c
+index 5b2d130cd6..0ef6d36a50 100644
+--- a/src/journal/test-compress-benchmark.c
++++ b/src/journal/test-compress-benchmark.c
+@@ -105,6 +105,8 @@ static void test_compress_decompress(const char* label, const char* type,
+ int r;
+
+ size = permute(i);
++ if (size == 0)
++ continue;
+
+ log_debug("%s %zu %zu", type, i, size);
+
diff --git a/0021-test-compress-benchmark-skip-loop-iteration-if-size-.patch b/0021-test-compress-benchmark-skip-loop-iteration-if-size-.patch
deleted file mode 100644
index 7c51758..0000000
--- a/0021-test-compress-benchmark-skip-loop-iteration-if-size-.patch
+++ /dev/null
@@ -1,23 +0,0 @@
-From 15b947fb798cd131355ba9935802d58e92bdba6e Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?=
-Date: Fri, 4 Mar 2016 21:46:47 -0500
-Subject: [PATCH] test-compress-benchmark: skip loop iteration if size is 0
-
-Otherwise we would hit an assert in the compression code.
----
- src/journal/test-compress-benchmark.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/src/journal/test-compress-benchmark.c b/src/journal/test-compress-benchmark.c
-index 5b2d130cd6..0ef6d36a50 100644
---- a/src/journal/test-compress-benchmark.c
-+++ b/src/journal/test-compress-benchmark.c
-@@ -105,6 +105,8 @@ static void test_compress_decompress(const char* label, const char* type,
- int r;
-
- size = permute(i);
-+ if (size == 0)
-+ continue;
-
- log_debug("%s %zu %zu", type, i, size);
-
diff --git a/0021-time-util-fall-back-to-CLOCK_MONOTONIC-if-CLOCK_BOOT.patch b/0021-time-util-fall-back-to-CLOCK_MONOTONIC-if-CLOCK_BOOT.patch
new file mode 100644
index 0000000..dc11d5a
--- /dev/null
+++ b/0021-time-util-fall-back-to-CLOCK_MONOTONIC-if-CLOCK_BOOT.patch
@@ -0,0 +1,38 @@
+From c411521802d5e89eeb5cdf39cdd7b9538a3a3a08 Mon Sep 17 00:00:00 2001
+From: Lubomir Rintel
+Date: Tue, 15 Mar 2016 12:43:33 +0100
+Subject: [PATCH] time-util: fall back to CLOCK_MONOTONIC if CLOCK_BOOTTIME
+ unsupported
+
+It was added in 2.6.39, and causes an assertion to fail when running in mock
+hosted on 2.6.23-based RHEL-6:
+
+Assertion 'clock_gettime(map_clock_id(clock_id), &ts) == 0' failed at systemd/src/basic/time-util.c:70, function now(). Aborting.
+
+(cherry picked from commit 2abd5b5a49ae368b258ffc7257ab703bccda67dd)
+---
+ src/basic/time-util.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/src/basic/time-util.c b/src/basic/time-util.c
+index 510f018d9b..ec112e23e2 100644
+--- a/src/basic/time-util.c
++++ b/src/basic/time-util.c
+@@ -47,12 +47,15 @@ static clockid_t map_clock_id(clockid_t c) {
+ /* Some more exotic archs (s390, ppc, …) lack the "ALARM" flavour of the clocks. Thus, clock_gettime() will
+ * fail for them. Since they are essentially the same as their non-ALARM pendants (their only difference is
+ * when timers are set on them), let's just map them accordingly. This way, we can get the correct time even on
+- * those archs. */
++ * those archs.
++ *
++ * Also, older kernels don't support CLOCK_BOOTTIME: fall back to CLOCK_MONOTONIC. */
+
+ switch (c) {
+
++ case CLOCK_BOOTTIME:
+ case CLOCK_BOOTTIME_ALARM:
+- return CLOCK_BOOTTIME;
++ return clock_boottime_or_monotonic ();
+
+ case CLOCK_REALTIME_ALARM:
+ return CLOCK_REALTIME;
diff --git a/0022-headers-use-__inline__-instead-of-inline.patch b/0022-headers-use-__inline__-instead-of-inline.patch
new file mode 100644
index 0000000..29ea18e
--- /dev/null
+++ b/0022-headers-use-__inline__-instead-of-inline.patch
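Review bot: The added `return clock_boottime_or_monotonic ();` puts a space before the parenthesis, which no other call in the hunk does (`clock_gettime()`, `map_clock_id(clockid_t c)`); write it as `return clock_boottime_or_monotonic();`. The extended comment also understates the change: `CLOCK_BOOTTIME_ALARM` now falls through to the same helper, so on a kernel without CLOCK_BOOTTIME an ALARM clock silently becomes CLOCK_MONOTONIC, which is worth one sentence there, e.g. `* CLOCK_BOOTTIME_ALARM is mapped the same way.`. map_clock_id() ends outside the hunk, and clock_boottime_or_monotonic() is defined outside it, so how it probes for kernel support is not visible here.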
@@ -0,0 +1,47 @@
+From b1ab67134c28ade32eab8fde37840efac789affc Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?=
+Date: Fri, 11 Mar 2016 13:41:49 -0500
+Subject: [PATCH] headers: use __inline__ instead of inline
+
+https://gcc.gnu.org/onlinedocs/gcc-5.3.0/gcc/Alternate-Keywords.html#Alternate-Keywords
+recommends __inline__ over inline in ANSI C compatible headers.
+Tested with gcc-5.3 and clang-3.7.
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1316964
+(cherry picked from commit 0cb27225e9c658d80538ace7a267ba0a2d2f44f2)
+---
+ src/systemd/_sd-common.h | 2 +-
+ src/systemd/sd-id128.h | 4 ++--
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/systemd/_sd-common.h b/src/systemd/_sd-common.h
+index 2d4e1f26e1..3bb886be75 100644
+--- a/src/systemd/_sd-common.h
++++ b/src/systemd/_sd-common.h
+@@ -74,7 +74,7 @@
+ #endif
+
+ #define _SD_DEFINE_POINTER_CLEANUP_FUNC(type, func) \
+- static inline void func##p(type **p) { \
++ static __inline__ void func##p(type **p) { \
+ if (*p) \
+ func(*p); \
+ } \
+diff --git a/src/systemd/sd-id128.h b/src/systemd/sd-id128.h
+index a3bf5897b8..4dff0b9b81 100644
+--- a/src/systemd/sd-id128.h
++++ b/src/systemd/sd-id128.h
+@@ -100,11 +100,11 @@ int sd_id128_get_boot(sd_id128_t *ret);
+ ((x).bytes[15] & 15) >= 10 ? 'a' + ((x).bytes[15] & 15) - 10 : '0' + ((x).bytes[15] & 15), \
+ 0 })
+
+-_sd_pure_ static inline int sd_id128_equal(sd_id128_t a, sd_id128_t b) {
++_sd_pure_ static __inline__ int sd_id128_equal(sd_id128_t a, sd_id128_t b) {
+ return memcmp(&a, &b, 16) == 0;
+ }
+
+-_sd_pure_ static inline int sd_id128_is_null(sd_id128_t a) {
++_sd_pure_ static __inline__ int sd_id128_is_null(sd_id128_t a) {
+ return a.qwords[0] == 0 && a.qwords[1] == 0;
+ }
+
diff --git a/0023-dev-console-must-be-labeled-with-SELinux-label.patch b/0023-dev-console-must-be-labeled-with-SELinux-label.patch
new file mode 100644
index 0000000..06d1842
--- /dev/null
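Review bot: The switch from `inline` to `__inline__` in `_sd-common.h` and `sd-id128.h` is uncommented in the headers themselves, so the next cleanup pass is likely to "fix" it back; the rationale exists only in the commit message. Add a one-line comment next to the `_SD_DEFINE_POINTER_CLEANUP_FUNC` macro, e.g. `/* __inline__, not inline: public headers must stay usable under -ansi/-std=c89 (see gcc "Alternate Keywords") */`, and the same note above `sd_id128_equal`. `__inline__` is a GCC/Clang alternate keyword, so if these headers are also meant for other compilers that presumably needs to be handled by the compiler guards elsewhere in `_sd-common.h`, which are outside the hunk.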
+++ b/0023-dev-console-must-be-labeled-with-SELinux-label.patch
@@ -0,0 +1,47 @@
+From 641a7f0c61ff42ea55ad7152e7f874ea5d680a2d Mon Sep 17 00:00:00 2001
+From: Dan Walsh
+Date: Wed, 9 Mar 2016 09:29:25 -0500
+Subject: [PATCH] /dev/console must be labeled with SELinux label
+
+If the user specifies an selinux_apifs_context all content created in
+the container including /dev/console should use this label.
+
+Currently when this uses the default label it gets labeled user_devpts_t,
+which would require us to write a policy allowing container processes to
+manage user_devpts_t. This means that an escaped process would be allowed
+to attack all users terminals as well as other container terminals. Changing
+the label to match the apifs_context, means the processes would only be allowed
+to manage their specific tty.
+
+This change fixes a problem preventing RKT containers from working with systemd-nspawn.
+
+(cherry picked from commit 68b020494d1ff085281061413d9236b5865ef238)
+---
+ src/nspawn/nspawn.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
+index ef348c335b..8c06f6ef75 100644
+--- a/src/nspawn/nspawn.c
++++ b/src/nspawn/nspawn.c
+@@ -87,6 +87,7 @@
+ #ifdef HAVE_SECCOMP
+ #include "seccomp-util.h"
+ #endif
++#include "selinux-util.h"
+ #include "signal-util.h"
+ #include "socket-util.h"
+ #include "stat-util.h"
+@@ -3286,6 +3287,12 @@ int main(int argc, char *argv[]) {
+ goto finish;
+ }
+
++ if (arg_selinux_apifs_context) {
++ r = mac_selinux_apply(console, arg_selinux_apifs_context);
++ if (r < 0)
++ goto finish;
++ }
++
+ if (unlockpt(master) < 0) {
+ r = log_error_errno(errno, "Failed to unlock tty: %m");
+ goto finish;
diff --git a/0024-fstab-generator-fix-automount-option-and-don-t-start.patch b/0024-fstab-generator-fix-automount-option-and-don-t-start.patch
new file mode 100644
index 0000000..2f52d1e
--- /dev/null
+++ b/0024-fstab-generator-fix-automount-option-and-don-t-start.patch
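Review bot: The new `mac_selinux_apply()` failure path in main() jumps to `finish` without logging at the call site, while the neighbouring `unlockpt()` failure uses `log_error_errno()`; unless `mac_selinux_apply()` logs on its own (its definition is outside the hunk), a labelling failure aborts container start with no message, so prefer `if (r < 0) { log_error_errno(r, "Failed to apply SELinux label to %s: %m", console); goto finish; }`. The security intent from the commit message also deserves a comment in the code, e.g. `/* Label the console pty with the apifs context so the container may manage only its own tty rather than user_devpts_t as a whole */`, placed above the new `if`. main() begins and ends outside the hunk, and whether `console` is the pty path string is inferred from the call rather than visible here.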
@@ -0,0 +1,90 @@
+From 1b8bdd05fcecd83cc8c8269f06a50ced055ab864 Mon Sep 17 00:00:00 2001
+From: Franck Bui
+Date: Tue, 1 Dec 2015 18:01:44 +0100
+Subject: [PATCH] fstab-generator: fix automount option and don't start
+ associated mount unit at boot
+
+Without this patch applied the mount unit with 'automount' option was still
+pulled by local-fs.target and thus was activated during the boot process which
+defeats the purpose of the 'automount' option:
+
+ $ grep /mnt /etc/fstab
+ /dev/vdb1 /mnt ext2 defaults,x-systemd.automount 0 0
+
+ $ reboot
+ ...
+
+ $ mount | grep mnt
+ systemd-1 on /mnt type autofs (rw,relatime,fd=34,pgrp=1,timeout=0,minproto=5,maxproto=5,direct)
+ /dev/vdb1 on /mnt type ext2 (rw,relatime)
+
+ $ systemctl status mnt.mount | grep Active
+ Active: active (mounted) since Thu 2016-03-03 21:36:22 CET; 42s ago
+
+With the patch applied:
+
+ $ reboot
+ ...
+
+ $ mount | grep mnt
+ systemd-1 on /mnt type autofs (rw,relatime,fd=22,pgrp=1,timeout=0,minproto=5,maxproto=5,direct)
+
+ $ systemctl status mnt.mount | grep Active
+ Active: inactive (dead)
+
+ $ ls /mnt
+ lost+found
+
+ $ systemctl status mnt.mount | grep Active
+ Active: active (mounted) since Thu 2016-03-03 21:47:32 CET; 4s ago
+
+(cherry picked from commit 2b14df4a9ae92623b584e61db6b5b37accd832c1)
+---
+ src/core/mount.c | 11 ++++++++++-
+ src/fstab-generator/fstab-generator.c | 4 ++--
+ 2 files changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/src/core/mount.c b/src/core/mount.c
+index de1075d3a0..cfe4b0f517 100644
+--- a/src/core/mount.c
++++ b/src/core/mount.c
+@@ -104,6 +104,14 @@ static bool mount_is_auto(const MountParameters *p) {
+ return !fstab_test_option(p->options, "noauto\0");
+ }
+
++static bool mount_is_automount(const MountParameters *p) {
++ assert(p);
++
++ return fstab_test_option(p->options,
++ "comment=systemd.automount\0"
++ "x-systemd.automount\0");
++}
++
+ static bool needs_quota(const MountParameters *p) {
+ assert(p);
+
+@@ -328,7 +336,8 @@ static int mount_add_device_links(Mount *m) {
+ if (path_equal(m->where, "/"))
+ return 0;
+
+- if (mount_is_auto(p) && UNIT(m)->manager->running_as == MANAGER_SYSTEM)
++ if (mount_is_auto(p) && !mount_is_automount(p) &&
++ UNIT(m)->manager->running_as == MANAGER_SYSTEM)
+ device_wants_mount = true;
+
+ r = unit_add_node_link(UNIT(m), p->what, device_wants_mount, m->from_fragment ? UNIT_BINDS_TO : UNIT_REQUIRES);
+diff --git a/src/fstab-generator/fstab-generator.c b/src/fstab-generator/fstab-generator.c
+index 97a48764ae..6f576b5ecf 100644
+--- a/src/fstab-generator/fstab-generator.c
++++ b/src/fstab-generator/fstab-generator.c
+@@ -336,8 +336,8 @@ static int add_mount(
+ if (r < 0)
+ return log_error_errno(r, "Failed to write unit file %s: %m", unit);
+
+- if (!noauto) {
+- lnk = strjoin(arg_dest, "/", post, nofail || automount ? ".wants/" : ".requires/", name, NULL);
++ if (!noauto && !automount) {
++ lnk = strjoin(arg_dest, "/", post, nofail ? ".wants/" : ".requires/", name, NULL);
+ if (!lnk)
+ return log_oom();
+
diff --git a/0998-resolved-create-etc-resolv.conf-symlink-at-runtime.patch b/0998-resolved-create-etc-resolv.conf-symlink-at-runtime.patch
new file mode 100644
index 0000000..58694b8
--- /dev/null
+++ b/0998-resolved-create-etc-resolv.conf-symlink-at-runtime.patch
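Review bot: `mount_is_automount()` in mount.c hard-codes the option names `comment=systemd.automount` and `x-systemd.automount`, which the `automount` flag in `add_mount()` in fstab-generator.c presumably derives from the same strings; the two lists now live in different source files and will drift unless cross-referenced. Add `/* Keep in sync with the automount option detection in src/fstab-generator/fstab-generator.c */` above the new helper. On the generator side, the `!noauto && !automount` guard drops the mount unit's `.wants/`/`.requires/` link entirely, which only works if the automount unit's own link is still created elsewhere in `add_mount()`; that code is outside the hunk, so it is worth confirming and stating in the commit message. Both `mount_add_device_links()` and `add_mount()` start outside the hunk.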
@@ -0,0 +1,51 @@
+From 4e14900fe25c53275c7d7d0c094ddf1fd477e5ed Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?=
+Date: Fri, 11 Mar 2016 17:06:17 -0500
+Subject: [PATCH 1/2] resolved: create /etc/resolv.conf symlink at runtime
+
+If the symlink doesn't exists, and we are being started, let's
+create it to provie name resolution.
+
+If it exists, do nothing. In particular, if it is a broken symlink,
+we cannot really know if the administator configured it to point to
+a location used by some service that hasn't started yet, so we
+don't touch it in that case either.
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1313085
+---
+ src/resolve/resolved.c | 4 ++++
+ tmpfiles.d/etc.conf.m4 | 3 ---
+ 2 files changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/src/resolve/resolved.c b/src/resolve/resolved.c
+index 161ea03412..ea6750e949 100644
+--- a/src/resolve/resolved.c
++++ b/src/resolve/resolved.c
+@@ -67,6 +67,10 @@ int main(int argc, char *argv[]) {
+ goto finish;
+ }
+
++ r = symlink("../run/systemd/resolve/resolv.conf", "/etc/resolv.conf");
++ if (r < 0 && errno != EEXIST)
++ log_warning_errno(errno, "Could not create /etc/resolv.conf symlink: %m");
++
+ r = drop_privileges(uid, gid, 0);
+ if (r < 0)
+ goto finish;
+diff --git a/tmpfiles.d/etc.conf.m4 b/tmpfiles.d/etc.conf.m4
+index ef7b9b9541..928105ea8d 100644
+--- a/tmpfiles.d/etc.conf.m4
++++ b/tmpfiles.d/etc.conf.m4
+@@ -13,9 +13,6 @@ L+ /etc/mtab - - - - ../proc/self/mounts
+ m4_ifdef(`HAVE_SMACK_RUN_LABEL',
+ t /etc/mtab - - - - security.SMACK64=_
+ )m4_dnl
+-m4_ifdef(`ENABLE_RESOLVED',
+-L! /etc/resolv.conf - - - - ../run/systemd/resolve/resolv.conf
+-)m4_dnl
+ C /etc/nsswitch.conf - - - -
+ m4_ifdef(`HAVE_PAM',
+ C /etc/pam.d - - - -
+--
+2.7.2
+
diff --git a/systemd.spec b/systemd.spec
index dfa90ae..590e957 100644
--- a/systemd.spec
+++ b/systemd.spec
@@ -13,7 +13,7 @@ Name: systemd Url: http://www.freedesktop.org/wiki/Software/systemd Version: 229 -Release: 6%{?gitcommit:.git%{gitcommitshort}}%{?dist} +Release: 7%{?gitcommit:.git%{gitcommitshort}}%{?dist} # For a breakdown of the licensing, see README License: LGPLv2+ and MIT and GPLv2+ Summary: A System and Service Manager @@ -53,9 +53,13 @@ Patch0016: 0016-hashmap-use-void-and-uint8_t-for-generic-pointers.patch Patch0017: 0017-resolved-fix-notification-iteration-logic-when-trans.patch Patch0018: 0018-selinux-always-try-to-load-the-full-selinux-db.patch Patch0019: 0019-selinux-use-raw-variants-of-security_compute_create-.patch -Patch0020: 0020-resolved-create-etc-resolv.conf-symlink-at-runtime.patch -Patch0021: 0021-test-compress-benchmark-skip-loop-iteration-if-size-.patch +Patch0020: 0020-test-compress-benchmark-skip-loop-iteration-if-size-.patch +Patch0021: 0021-time-util-fall-back-to-CLOCK_MONOTONIC-if-CLOCK_BOOT.patch +Patch0022: 0022-headers-use-__inline__-instead-of-inline.patch +Patch0023: 0023-dev-console-must-be-labeled-with-SELinux-label.patch +Patch0024: 0024-fstab-generator-fix-automount-option-and-don-t-start.patch +Patch0998: 0998-resolved-create-etc-resolv.conf-symlink-at-runtime.patch Patch0999: 0999-Add-a-workaround-for-linux-net-if.h-conflict.patch # kernel-install patch for grubby, drop if grubby is obsolete @@ -927,6 +931,11 @@ getent passwd systemd-journal-upload >/dev/null 2>&1 || useradd -r -l -g systemd /usr/lib/firewalld/services/* %changelog +* Thu Mar 17 2016 Zbigniew Jędrzejewski-Szmek - 229-7 +- Moar patches (#1316964, #1317928) +- Move vconsole-setup and tmpfiles-setup-dev bits to systmed-udev +- Protect systemd-udev from deinstallation + * Fri Mar 11 2016 Zbigniew Jędrzejewski-Szmek - 229-6 - Create /etc/resolv.conf symlink from systemd-resolved (#1313085)