From 4cd9bf575b126c2fef829215a4cebe17d2ef836a Mon Sep 17 00:00:00 2001 From: Zbigniew Jędrzejewski-Szmek Date: Dec 15 2019 12:25:15 +0000 Subject: Adjust patches 0002-Revert-units-set-NoNewPrivileges-for-all-long-runnin.patch was added exactly a year ago because selinux policy needed to be updated. I think we can drop the patch now. Also drop part of 0998-resolved-create-etc-resolv.conf-symlink-at-runtime.patch: the service runs as unprivileged user, so the creation cannot succeed. The other part of the patch is kept. --- diff --git a/0002-Revert-units-set-NoNewPrivileges-for-all-long-runnin.patch b/0002-Revert-units-set-NoNewPrivileges-for-all-long-runnin.patch deleted file mode 100644 index 09a153a..0000000 --- a/0002-Revert-units-set-NoNewPrivileges-for-all-long-runnin.patch +++ /dev/null 
@@ -1,178 +0,0 @@
-From 69860269011435e30e45713e44ba5adeaea8b546 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?=
-Date: Wed, 3 Apr 2019 10:56:14 +0200
-Subject: [PATCH] Revert "units: set NoNewPrivileges= for all long-running
- services"
-
-This reverts commit 64d7f7b4a15f1534fb19fda6b601fec50783bee4.
----
- units/systemd-coredump@.service.in | 1 -
- units/systemd-hostnamed.service.in | 1 -
- units/systemd-initctl.service.in | 1 -
- units/systemd-journal-remote.service.in | 1 -
- units/systemd-journald.service.in | 1 -
- units/systemd-localed.service.in | 1 -
- units/systemd-logind.service.in | 1 -
- units/systemd-machined.service.in | 1 -
- units/systemd-networkd.service.in | 1 -
- units/systemd-resolved.service.in | 1 -
- units/systemd-rfkill.service.in | 1 -
- units/systemd-timedated.service.in | 1 -
- units/systemd-timesyncd.service.in | 1 -
- 13 files changed, 13 deletions(-)
-
-diff --git a/units/systemd-coredump@.service.in b/units/systemd-coredump@.service.in
-index 951faa62a1..c3997d17d0 100644
---- a/units/systemd-coredump@.service.in
-+++ b/units/systemd-coredump@.service.in
-@@ -22,7 +22,6 @@ IPAddressDeny=any
- LockPersonality=yes
- MemoryDenyWriteExecute=yes
- Nice=9
--NoNewPrivileges=yes
- OOMScoreAdjust=500
- PrivateDevices=yes
- PrivateNetwork=yes
-diff --git a/units/systemd-hostnamed.service.in b/units/systemd-hostnamed.service.in
-index 1365d749ca..c0d4b02418 100644
---- a/units/systemd-hostnamed.service.in
-+++ b/units/systemd-hostnamed.service.in
-@@ -19,7 +19,6 @@ ExecStart=@rootlibexecdir@/systemd-hostnamed
- IPAddressDeny=any
- LockPersonality=yes
- MemoryDenyWriteExecute=yes
--NoNewPrivileges=yes
- PrivateDevices=yes
- PrivateNetwork=yes
- PrivateTmp=yes
-diff --git a/units/systemd-initctl.service.in b/units/systemd-initctl.service.in
-index c276283908..f48d673d58 100644
---- a/units/systemd-initctl.service.in
-+++ b/units/systemd-initctl.service.in
-@@ -14,6 +14,5 @@ DefaultDependencies=no
- 
- [Service]
- ExecStart=@rootlibexecdir@/systemd-initctl
--NoNewPrivileges=yes
- NotifyAccess=all
- SystemCallArchitectures=native
-diff --git a/units/systemd-journal-remote.service.in b/units/systemd-journal-remote.service.in
-index 6181d15d77..11f7aefcce 100644
---- a/units/systemd-journal-remote.service.in
-+++ b/units/systemd-journal-remote.service.in
-@@ -17,7 +17,6 @@ ExecStart=@rootlibexecdir@/systemd-journal-remote --listen-https=-3 --output=/va
- LockPersonality=yes
- LogsDirectory=journal/remote
- MemoryDenyWriteExecute=yes
--NoNewPrivileges=yes
- PrivateDevices=yes
- PrivateNetwork=yes
- PrivateTmp=yes
-diff --git a/units/systemd-journald.service.in b/units/systemd-journald.service.in
-index 303d5a4826..f0eb094cf4 100644
---- a/units/systemd-journald.service.in
-+++ b/units/systemd-journald.service.in
-@@ -24,7 +24,6 @@ FileDescriptorStoreMax=4224
- IPAddressDeny=any
- LockPersonality=yes
- MemoryDenyWriteExecute=yes
--NoNewPrivileges=yes
- Restart=always
- RestartSec=0
- RestrictAddressFamilies=AF_UNIX AF_NETLINK
-diff --git a/units/systemd-localed.service.in b/units/systemd-localed.service.in
-index 10ecff5184..f1578bd626 100644
---- a/units/systemd-localed.service.in
-+++ b/units/systemd-localed.service.in
-@@ -19,7 +19,6 @@ ExecStart=@rootlibexecdir@/systemd-localed
- IPAddressDeny=any
- LockPersonality=yes
- MemoryDenyWriteExecute=yes
--NoNewPrivileges=yes
- PrivateDevices=yes
- PrivateNetwork=yes
- PrivateTmp=yes
-diff --git a/units/systemd-logind.service.in b/units/systemd-logind.service.in
-index ccbe631586..81fbee6fb6 100644
---- a/units/systemd-logind.service.in
-+++ b/units/systemd-logind.service.in
-@@ -35,7 +35,6 @@ FileDescriptorStoreMax=512
- IPAddressDeny=any
- LockPersonality=yes
- MemoryDenyWriteExecute=yes
--NoNewPrivileges=yes
- PrivateTmp=yes
- ProtectControlGroups=yes
- ProtectHome=yes
-diff --git a/units/systemd-machined.service.in b/units/systemd-machined.service.in
-index fa344d487d..b8ca60ddcc 100644
---- a/units/systemd-machined.service.in
-+++ b/units/systemd-machined.service.in
-@@ -22,7 +22,6 @@ ExecStart=@rootlibexecdir@/systemd-machined
- IPAddressDeny=any
- LockPersonality=yes
- MemoryDenyWriteExecute=yes
--NoNewPrivileges=yes
- ProtectHostname=yes
- ProtectKernelLogs=yes
- RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
-diff --git a/units/systemd-networkd.service.in b/units/systemd-networkd.service.in
-index 01931665a4..0531fcbf12 100644
---- a/units/systemd-networkd.service.in
-+++ b/units/systemd-networkd.service.in
-@@ -25,7 +25,6 @@ DeviceAllow=char-* rw
- ExecStart=!!@rootlibexecdir@/systemd-networkd
- LockPersonality=yes
- MemoryDenyWriteExecute=yes
--NoNewPrivileges=yes
- ProtectControlGroups=yes
- ProtectHome=yes
- ProtectKernelModules=yes
-diff --git a/units/systemd-resolved.service.in b/units/systemd-resolved.service.in
-index f73697832c..4b8aa68f07 100644
---- a/units/systemd-resolved.service.in
-+++ b/units/systemd-resolved.service.in
-@@ -25,7 +25,6 @@ CapabilityBoundingSet=CAP_SETPCAP CAP_NET_RAW CAP_NET_BIND_SERVICE
- ExecStart=!!@rootlibexecdir@/systemd-resolved
- LockPersonality=yes
- MemoryDenyWriteExecute=yes
--NoNewPrivileges=yes
- PrivateDevices=yes
- PrivateTmp=yes
- ProtectControlGroups=yes
-diff --git a/units/systemd-rfkill.service.in b/units/systemd-rfkill.service.in
-index 3abb958310..7447ed5b5b 100644
---- a/units/systemd-rfkill.service.in
-+++ b/units/systemd-rfkill.service.in
-@@ -18,7 +18,6 @@ Before=shutdown.target
- 
- [Service]
- ExecStart=@rootlibexecdir@/systemd-rfkill
--NoNewPrivileges=yes
- StateDirectory=systemd/rfkill
- TimeoutSec=30s
- Type=notify
-diff --git a/units/systemd-timedated.service.in b/units/systemd-timedated.service.in
-index 87859f4aef..337067244e 100644
---- a/units/systemd-timedated.service.in
-+++ b/units/systemd-timedated.service.in
-@@ -20,7 +20,6 @@ ExecStart=@rootlibexecdir@/systemd-timedated
- IPAddressDeny=any
- LockPersonality=yes
- MemoryDenyWriteExecute=yes
--NoNewPrivileges=yes
- PrivateTmp=yes
- 
ProtectControlGroups=yes - ProtectHome=yes -diff --git a/units/systemd-timesyncd.service.in b/units/systemd-timesyncd.service.in -index f0486a70ab..bb1ce55977 100644 ---- a/units/systemd-timesyncd.service.in -+++ b/units/systemd-timesyncd.service.in -@@ -24,7 +24,6 @@ CapabilityBoundingSet=CAP_SYS_TIME - ExecStart=!!@rootlibexecdir@/systemd-timesyncd - LockPersonality=yes - MemoryDenyWriteExecute=yes --NoNewPrivileges=yes - PrivateDevices=yes - PrivateTmp=yes - ProtectControlGroups=yes diff --git a/0998-resolved-create-etc-resolv.conf-symlink-at-runtime.patch b/0998-resolved-create-etc-resolv.conf-symlink-at-runtime.patch index 9aefc6d..f4cd87c 100644 --- a/0998-resolved-create-etc-resolv.conf-symlink-at-runtime.patch +++ b/0998-resolved-create-etc-resolv.conf-symlink-at-runtime.patch @@ -3,10 +3,7 @@ From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Fri, 11 Mar 2016 17:06:17 -0500 Subject: [PATCH] resolved: create /etc/resolv.conf symlink at runtime -If the symlink doesn't exists, and we are being started, let's -create it to provie name resolution. - -If it exists, do nothing. In particular, if it is a broken symlink, +If the symlink exists, do nothing. In particular, if it is a broken symlink, we cannot really know if the administator configured it to point to a location used by some service that hasn't started yet, so we don't touch it in that case either. 
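Review bot: The patch's `Subject:` line, kept as context at the top of the 0998 hunk, still reads "resolved: create /etc/resolv.conf symlink at runtime", although with the `src/resolve/resolved.c` part removed in the following hunk the patch no longer creates anything at runtime. The summary line `2 files changed, 4 insertions(+), 3 deletions(-)` that the following hunk keeps as context is stale for the same reason; going by the remaining `tmpfiles.d/etc.conf.m4 | 3 ---` entry it should read `1 file changed, 3 deletions(-)`. I would retitle the patch after what remains and regenerate its diffstat so that the header matches the content. Nothing visible in this commit creates the symlink when it is absent, so if a package scriptlet elsewhere is responsible for that, the patch description should say so.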
@@ -17,21 +14,6 @@ https://bugzilla.redhat.com/show_bug.cgi?id=1313085 tmpfiles.d/etc.conf.m4 | 3 --- 2 files changed, 4 insertions(+), 3 deletions(-) -diff --git a/src/resolve/resolved.c b/src/resolve/resolved.c -index 2ca9fbdc72..3c8a9ff12a 100644 ---- a/src/resolve/resolved.c -+++ b/src/resolve/resolved.c -@@ -49,6 +49,10 @@ static int run(int argc, char *argv[]) { - /* Drop privileges, but only if we have been started as root. If we are not running as root we assume most - * privileges are already dropped. */ - if (getuid() == 0) { -+ r = symlink("../run/systemd/resolve/resolv.conf", "/etc/resolv.conf"); -+ if (r < 0 && errno != EEXIST) -+ log_warning_errno(errno, -+ "Could not create /etc/resolv.conf symlink: %m"); - - /* Drop privileges, but keep three caps. Note that we drop those too, later on (see below) */ - r = drop_privileges(uid, gid, diff --git a/tmpfiles.d/etc.conf.m4 b/tmpfiles.d/etc.conf.m4 index f82e0b82ce..66a777bdb2 100644 --- a/tmpfiles.d/etc.conf.m4 diff --git a/systemd.spec b/systemd.spec index 9439835..e0fe9af 100644 --- a/systemd.spec +++ b/systemd.spec @@ -59,8 +59,6 @@ GIT_DIR=../../src/systemd/.git git diffab -M v233..master@{2017-06-15} -- hwdb/[ # https://bugzilla.redhat.com/show_bug.cgi?id=1738828 Patch0001: https://github.com/keszybz/systemd/commit/464a73411c13596a130a7a8f0ac00ca728e5f69e.patch -Patch0002: 0002-Revert-units-set-NoNewPrivileges-for-all-long-runnin.patch - Patch0998: 0998-resolved-create-etc-resolv.conf-symlink-at-runtime.patch %ifarch %{ix86} x86_64 aarch64 @@ -714,6 +712,7 @@ fi * Sun Dec 15 2019 - 244.1-1 - Update to latest stable batch (systemd-networkd fixups, better support for seccomp on s390x, minor cleanups to documentation). +- Drop patch to revert addition of NoNewPrivileges to systemd units * Fri Nov 29 2019 Zbigniew Jędrzejewski-Szmek - 244-1 - Update to latest version. Just minor bugs fixed since the pre-release.
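Review bot: Removing `Patch0002` in the first systemd.spec hunk turns `NoNewPrivileges=yes` back on for the thirteen units listed in the deleted revert, but nothing in the visible spec hunks ties the package to an SELinux policy that permits domain transitions under no_new_privs. The commit message only says the policy "needed to be updated" and that the patch can probably be dropped, so on a system still carrying an older policy these services may not enter their own SELinux domains. I would add a versioned guard to the spec, for example `Conflicts: selinux-policy < MIN_POLICY_VERSION` (placeholder, the required version is not on this page), and check the audit log for AVC denials on these units after the update. The changelog entry added in the second spec hunk also leaves out the change to patch 0998.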