From 8d86bd5b121a671441faaf5bf829a9e88860dd86 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Aug 24 2022 22:31:01 +0000 Subject: import systemd-239-65.el8
---
diff --git a/.systemd.metadata b/.systemd.metadata
index 8ab9fd3..a883c33 100644
--- a/.systemd.metadata
+++ b/.systemd.metadata
@@ -1 +1 @@
-249634e3d6b3532f15465719f0437ce04c3eb377 SOURCES/systemd-239.tar.gz
+8803baa484cbe36680463c8c5e6febeff074b8e7 SOURCES/systemd-239.tar.gz
diff --git a/SOURCES/0792-ci-bump-the-worker-Ubuntu-version-to-Jammy.patch b/SOURCES/0792-ci-bump-the-worker-Ubuntu-version-to-Jammy.patch
new file mode 100644
index 0000000..7791008
--- /dev/null
+++ b/SOURCES/0792-ci-bump-the-worker-Ubuntu-version-to-Jammy.patch
@@ -0,0 +1,24 @@
+From 3a35fcaad4bb3831808280854eb84f68975279a1 Mon Sep 17 00:00:00 2001
+From: Frantisek Sumsal
+Date: Tue, 19 Jul 2022 22:44:07 +0200
+Subject: [PATCH] ci: bump the worker Ubuntu version to Jammy
+
+rhel-only
+Related: #2087152
+---
+ .github/workflows/unit_tests.yml | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/.github/workflows/unit_tests.yml b/.github/workflows/unit_tests.yml
+index 87b162fa71..f397e8ed6e 100644
+--- a/.github/workflows/unit_tests.yml
++++ b/.github/workflows/unit_tests.yml
+@@ -6,7 +6,7 @@ on: [pull_request]
+
+ jobs:
+ build:
+- runs-on: ubuntu-20.04
++ runs-on: ubuntu-22.04
+ strategy:
+ fail-fast: false
+ matrix:
diff --git a/SOURCES/0793-test-make-test-execute-pass-on-Linux-5.15.patch b/SOURCES/0793-test-make-test-execute-pass-on-Linux-5.15.patch
new file mode 100644
index 0000000..9bc14ce
--- /dev/null
+++ b/SOURCES/0793-test-make-test-execute-pass-on-Linux-5.15.patch
@@ -0,0 +1,43 @@
+From 434b4b64d17e16ed23f90c99c26dbd0e4ce6cd88 Mon Sep 17 00:00:00 2001
+From: Lennart Poettering
+Date: Wed, 24 Nov 2021 15:58:50 +0100
+Subject: [PATCH] test: make test-execute pass on Linux 5.15
+
+Linux 5.15 broke kernel API:
+
+https://github.com/torvalds/linux/commit/e70344c05995a190a56bbd1a23dc2218bcc8c924
+
+Previously setting IOPRIO_CLASS_NONE for a process would then report
+IOPRIO_CLASS_NONE back. But since 5.15 it reports IOPRIO_CLASS_BE
+instead. Since IOPRIO_CLASS_NONE is an alias for a special setting of
+IOPRIO_CLASS_BE this makes some sense, but it's also a kernel API
+breakage that our testsuite trips up on.
+
+(I made some minimal effort to inform the kernel people about this API
+breakage during the 5.15 rc phase, but noone was interested.)
+
+Either way let's hadle this gracefully in our test suite and accept
+"best-effort" too when "none" was set.
+
+(This is only triggable if the tests are run on 5.15 with full privs)
+
+(cherry picked from commit d9b8771108cf2955efc3852b477391017d2c599a)
+
+Related: #2087152
+---
+ test/test-execute/exec-ioschedulingclass-none.service | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/test/test-execute/exec-ioschedulingclass-none.service b/test/test-execute/exec-ioschedulingclass-none.service
+index b6af122a1e..8f917d345d 100644
+--- a/test/test-execute/exec-ioschedulingclass-none.service
++++ b/test/test-execute/exec-ioschedulingclass-none.service
+@@ -2,6 +2,7 @@
+ Description=Test for IOSchedulingClass=none
+
+ [Service]
+-ExecStart=/bin/sh -x -c 'c=$$(LC_ALL=C ionice); test "$${c%%:*}" = "none"'
++# Old kernels might report "none" here, new kernels "best-effort".
++ExecStart=/bin/sh -x -c 'c=$$(LC_ALL=C ionice); test "$${c%%:*}" = "none" -o "$${c%%:*}" = "best-effort"'
+ Type=oneshot
+ IOSchedulingClass=none
diff --git a/SOURCES/0794-ci-install-iputils.patch b/SOURCES/0794-ci-install-iputils.patch
new file mode 100644
index 0000000..97881f9
--- /dev/null
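Review bot: The relaxed check in the new `ExecStart=` accepts "best-effort" on every kernel, so on kernels that still report "none" a regression that silently applies best-effort scheduling would now pass; the commit message says the difference only exists from Linux 5.15 on, and the test could be conditioned on that if the stricter check matters. The two comparisons are also joined with `test … -o …`, which POSIX marks obsolescent and which can misparse unusual operands. The unambiguous form is `test "$${c%%:*}" = "none" || test "$${c%%:*}" = "best-effort"`.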
+++ b/SOURCES/0794-ci-install-iputils.patch
@@ -0,0 +1,25 @@
+From 128d784dacb456f9ea675911e88d4b47925bda0d Mon Sep 17 00:00:00 2001
+From: Frantisek Sumsal
+Date: Wed, 20 Jul 2022 10:24:36 +0200
+Subject: [PATCH] ci: install iputils
+
+Required by test-bpf.
+
+rhel-only
+Related: #2087152
+---
+ .github/workflows/unit_tests.sh | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/.github/workflows/unit_tests.sh b/.github/workflows/unit_tests.sh
+index c1311310fb..3859433720 100755
+--- a/.github/workflows/unit_tests.sh
++++ b/.github/workflows/unit_tests.sh
+@@ -11,6 +11,7 @@ ADDITIONAL_DEPS=(
+ dnsmasq
+ e2fsprogs
+ hostname
++ iputils
+ libasan
+ libubsan
+ nc
diff --git a/SOURCES/0795-ci-Mergify-Add-ci-waived-logic.patch b/SOURCES/0795-ci-Mergify-Add-ci-waived-logic.patch
new file mode 100644
index 0000000..4841062
--- /dev/null
+++ b/SOURCES/0795-ci-Mergify-Add-ci-waived-logic.patch
@@ -0,0 +1,63 @@
+From 0feaf0be515c02a10ca12f726b4a8424262cf09c Mon Sep 17 00:00:00 2001
+From: Jan Macku
+Date: Tue, 19 Jul 2022 12:43:43 +0200
+Subject: [PATCH] ci(Mergify): Add `ci-waived` logic
+
+RHEL-only
+
+Related: #2087152
+---
+ .mergify.yml | 32 ++++++++++++++++++--------------
+ 1 file changed, 18 insertions(+), 14 deletions(-)
+
+diff --git a/.mergify.yml b/.mergify.yml
+index 6fa400effd..3afd04f18e 100644
+--- a/.mergify.yml
++++ b/.mergify.yml
+@@ -4,6 +4,7 @@
+ pull_request_rules:
+ - name: Add `needs-ci` label on CI fail
+ conditions:
++ - label!=ci-waived
+ - or:
+ # Unit tests
+ - -check-success=build (stream8, GCC)
+@@ -27,21 +28,24 @@ pull_request_rules:
+
+ - name: Remove `needs-ci` label on CI success
+ conditions:
+- # Unit tests
+- - check-success=build (stream8, GCC)
+- - check-success=build (stream8, GCC_ASAN)
+- # CentOS Stream CI
+- - check-success=CentOS CI (CentOS Stream 8)
+- # LGTM
+ - or:
+- - "check-success=LGTM analysis: JavaScript"
+- - "check-neutral=LGTM analysis: JavaScript"
+- - or:
+- - "check-success=LGTM analysis: Python"
+- - "check-neutral=LGTM analysis: Python"
+- - or:
+- - "check-success=LGTM analysis: C/C++"
+- - "check-neutral=LGTM analysis: C/C++"
++ - label=ci-waived
++ - and:
++ # Unit tests
++ - check-success=build (stream8, GCC)
++ - check-success=build (stream8, GCC_ASAN)
++ # CentOS Stream CI
++ - check-success=CentOS CI (CentOS Stream 8)
++ # LGTM
++ - or:
++ - "check-success=LGTM analysis: JavaScript"
++ - "check-neutral=LGTM analysis: JavaScript"
++ - or:
++ - "check-success=LGTM analysis: Python"
++ - "check-neutral=LGTM analysis: Python"
++ - or:
++ - "check-success=LGTM analysis: C/C++"
++ - "check-neutral=LGTM analysis: C/C++"
+ actions:
+ label:
+ remove:
diff --git a/SOURCES/0796-sd-event-don-t-invalidate-source-type-on-disconnect.patch b/SOURCES/0796-sd-event-don-t-invalidate-source-type-on-disconnect.patch
new file mode 100644
index 0000000..1c94030
--- /dev/null
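Review bot: With `label=ci-waived` as the first branch of the new `or:` under "Remove `needs-ci` label on CI success", the label alone clears `needs-ci` without the unit-test, GCC_ASAN, CentOS CI or LGTM checks having passed, and `label!=ci-waived` in the failure rule stops it from being re-added. Nothing in the hunk restricts who may apply the label or records why, so if `needs-ci` gates merging (not visible here) the sanitizer and static-analysis gates then depend entirely on repository label permissions. A comment above the condition, for example `# ci-waived: maintainers only, justification required in the PR`, would document the intent. Splitting the waived path into its own named rule would also make waived pull requests distinguishable from green ones in the Mergify log.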
+++ b/SOURCES/0796-sd-event-don-t-invalidate-source-type-on-disconnect.patch
@@ -0,0 +1,33 @@
+From e48586dcfa66731a353ecc832e43fab75559e2cf Mon Sep 17 00:00:00 2001
+From: Lennart Poettering
+Date: Wed, 30 Oct 2019 16:37:42 +0100
+Subject: [PATCH] sd-event: don't invalidate source type on disconnect
+
+This fixes fd closing if fd ownership is requested.
+
+(cherry picked from commit f59825595182d70b9ead238d1e885d0db99cc201)
+
+Resolves: #2115396
+---
+ src/libsystemd/sd-event/sd-event.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/libsystemd/sd-event/sd-event.c b/src/libsystemd/sd-event/sd-event.c
+index 0adfdd9e1a..09d4584bf9 100644
+--- a/src/libsystemd/sd-event/sd-event.c
++++ b/src/libsystemd/sd-event/sd-event.c
+@@ -1104,11 +1104,13 @@ static void source_disconnect(sd_event_source *s) {
+
+ event = s->event;
+
+- s->type = _SOURCE_EVENT_SOURCE_TYPE_INVALID;
+ s->event = NULL;
+ LIST_REMOVE(sources, event->sources, s);
+ event->n_sources--;
+
++ /* Note that we don't invalidate the type here, since we still need it in order to close the fd or
++ * pidfd associated with this event source, which we'll do only on source_free(). */
++
+ if (!s->floating)
+ sd_event_unref(event);
+ }
diff --git a/SOURCES/0797-tests-make-sure-we-delay-running-mount-start-jobs-wh.patch b/SOURCES/0797-tests-make-sure-we-delay-running-mount-start-jobs-wh.patch
new file mode 100644
index 0000000..eb18da9
--- /dev/null
+++ b/SOURCES/0797-tests-make-sure-we-delay-running-mount-start-jobs-wh.patch
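Review bot: After this change a source that has gone through `source_disconnect()` keeps a valid `s->type` while `s->event` is NULL, so any code that treated `_SOURCE_EVENT_SOURCE_TYPE_INVALID` as the "already disconnected" marker would no longer see it. The hunk does not show whether such checks exist elsewhere in sd-event.c; if they do, they should test `s->event` instead. The added comment mentions a pidfd, which comes from the upstream commit, and whether this 239-based tree has pidfd-backed sources is not visible here, so the comment may need trimming to `close the fd associated with this event source`. The function starts above the hunk.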
@@ -0,0 +1,98 @@ +From e6cd875a767ba23b218cdca395307ac6fb7fd882 Mon Sep 17 00:00:00 2001 +From: Michal Sekletar +Date: Mon, 30 May 2022 14:50:05 +0200 +Subject: [PATCH] tests: make sure we delay running mount start jobs when + /p/s/mountinfo is rate limited + +(cherry picked from commit 9e15be6c8d55abd800bf33f9776dd0e307ed37bc) + +Related: #2095744 +--- + test/TEST-60-MOUNT-RATELIMIT/testsuite.sh | 53 +++++++++++++++++++++++ + test/test-functions | 2 +- + 2 files changed, 54 insertions(+), 1 deletion(-) + +diff --git a/test/TEST-60-MOUNT-RATELIMIT/testsuite.sh b/test/TEST-60-MOUNT-RATELIMIT/testsuite.sh +index 6211050faf..84fe9640e1 100755 +--- a/test/TEST-60-MOUNT-RATELIMIT/testsuite.sh ++++ b/test/TEST-60-MOUNT-RATELIMIT/testsuite.sh +@@ -2,6 +2,56 @@ + set -eux + set -o pipefail + ++test_issue_20329() { ++ local tmpdir unit ++ tmpdir="$(mktemp -d)" ++ unit=$(systemd-escape --suffix mount --path "$tmpdir") ++ ++ # Set up test mount unit ++ cat > /run/systemd/system/"$unit" <&2 "Test mount \"$unit\" unit isn't mounted" ++ return 1 ++ } ++ mountpoint -q "$tmpdir" ++ ++ trap 'systemctl stop $unit' RETURN ++ ++ # Trigger the mount ratelimiting ++ cd "$(mktemp -d)" ++ mkdir foo ++ for ((i=0;i<50;++i)); do ++ mount --bind foo foo ++ umount foo ++ done ++ ++ # Unmount the test mount and start it immediately again via systemd ++ umount "$tmpdir" ++ systemctl start "$unit" ++ ++ # Make sure it is seen as mounted by systemd and it actually is mounted ++ [[ "$(systemctl show --property SubState --value "$unit")" = "mounted" ]] || { ++ echo >&2 "Test mount \"$unit\" unit isn't in \"mounted\" state" ++ return 1 ++ } ++ ++ mountpoint -q "$tmpdir" || { ++ echo >&2 "Test mount \"$unit\" is in \"mounted\" state, actually is not mounted" ++ return 1 ++ } ++} ++ + systemd-analyze log-level debug + systemd-analyze log-target journal + +@@ -85,6 +135,9 @@ if systemctl list-units -t mount tmp-meow* | grep -q tmp-meow; then + exit 42 + fi + ++# test that handling of mount start jobs is 
delayed when /proc/self/mouninfo monitor is rate limited ++test_issue_20329 ++ + systemd-analyze log-level info + + echo OK >/testok +diff --git a/test/test-functions b/test/test-functions +index 4d7832b1fb..ed8ab98173 100644 +--- a/test/test-functions ++++ b/test/test-functions +@@ -23,7 +23,7 @@ fi + + PATH_TO_INIT=$ROOTLIBDIR/systemd + +-BASICTOOLS="test sh bash setsid loadkeys setfont login sulogin gzip sleep echo mount umount cryptsetup date dmsetup modprobe sed cmp tee rm true false chmod chown ln xargs env" ++BASICTOOLS="test sh bash setsid loadkeys setfont login sulogin gzip sleep echo mount umount cryptsetup date dmsetup modprobe sed cmp tee rm true false chmod chown ln xargs env mktemp mountpoint" + DEBUGTOOLS="df free ls stty cat ps ln ip route dmesg dhclient mkdir cp ping dhclient strace less grep id tty touch du sort hostname find" + + STATEDIR="${BUILD_DIR:-.}/test/$(basename $(dirname $(realpath $0)))" diff --git a/SOURCES/0798-core-drop-references-to-StandardOutputFileToCreate.patch b/SOURCES/0798-core-drop-references-to-StandardOutputFileToCreate.patch new file mode 100644 index 0000000..b789e1f --- /dev/null +++ b/SOURCES/0798-core-drop-references-to-StandardOutputFileToCreate.patch 
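Review bot: `test_issue_20329` runs `cd "$(mktemp -d)"` in the main shell, so the rest of testsuite.sh continues from that scratch directory, and neither it nor `$tmpdir` is removed afterwards; running the bind-mount loop in a subshell, `( cd "$(mktemp -d)" && … )`, would leave the working directory unchanged. In `trap 'systemctl stop $unit' RETURN` the variable is expanded unquoted when the trap fires, and `trap 'systemctl stop "$unit"' RETURN` avoids word splitting. The comment above the call spells the file `/proc/self/mouninfo`; it should read `/proc/self/mountinfo`.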
@@ -0,0 +1,29 @@
+From 0bf1df5c35c310c3efe49c7a3cb8c3be3e33492b Mon Sep 17 00:00:00 2001
+From: Lennart Poettering
+Date: Mon, 26 Nov 2018 21:05:37 +0100
+Subject: [PATCH] core: drop references to 'StandardOutputFileToCreate'
+
+This property never existed, let's drop any reference to it.
+
+(cherry picked from commit 922ce049d1ed37ce77e3322711e29f256d9e5959)
+
+Related: #2093479
+---
+ src/core/dbus-execute.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/core/dbus-execute.c b/src/core/dbus-execute.c
+index 2e64f0baf4..05134851c5 100644
+--- a/src/core/dbus-execute.c
++++ b/src/core/dbus-execute.c
+@@ -1809,8 +1809,8 @@ int bus_exec_context_set_transient_property(
+
+ } else if (STR_IN_SET(name,
+ "StandardInputFile",
+- "StandardOutputFile", "StandardOutputFileToCreate", "StandardOutputFileToAppend",
+- "StandardErrorFile", "StandardErrorFileToCreate", "StandardErrorFileToAppend")) {
++ "StandardOutputFile", "StandardOutputFileToAppend",
++ "StandardErrorFile", "StandardErrorFileToAppend")) {
+ const char *s;
+
+ r = sd_bus_message_read(message, "s", &s);
diff --git a/SOURCES/0799-dbus-execute-fix-indentation.patch b/SOURCES/0799-dbus-execute-fix-indentation.patch
new file mode 100644
index 0000000..741b756
--- /dev/null
+++ b/SOURCES/0799-dbus-execute-fix-indentation.patch
@@ -0,0 +1,29 @@
+From 2ba82e6b7e9a7b138c985561dd7d26b9e4111fbe Mon Sep 17 00:00:00 2001
+From: Lennart Poettering
+Date: Mon, 26 Nov 2018 21:06:19 +0100
+Subject: [PATCH] dbus-execute: fix indentation
+
+(cherry picked from commit dbe6c4b657aa5c58bfc049d869b94f00b41b7d95)
+
+Related: #2093479
+---
+ src/core/dbus-execute.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/core/dbus-execute.c b/src/core/dbus-execute.c
+index 05134851c5..fc433cc96f 100644
+--- a/src/core/dbus-execute.c
++++ b/src/core/dbus-execute.c
+@@ -1858,9 +1858,9 @@ int bus_exec_context_set_transient_property(
+ c->std_error = EXEC_OUTPUT_FILE;
+ unit_write_settingf(u, flags|UNIT_ESCAPE_SPECIFIERS, name, "StandardOutput=file:%s", s);
+ } else {
+- assert(streq(name, "StandardErrorFileToAppend"));
+- c->std_error = EXEC_OUTPUT_FILE_APPEND;
+- unit_write_settingf(u, flags|UNIT_ESCAPE_SPECIFIERS, name, "StandardOutput=append:%s", s);
++ assert(streq(name, "StandardErrorFileToAppend"));
++ c->std_error = EXEC_OUTPUT_FILE_APPEND;
++ unit_write_settingf(u, flags|UNIT_ESCAPE_SPECIFIERS, name, "StandardOutput=append:%s", s);
+ }
+ }
+ }
diff --git a/SOURCES/0800-dbus-execute-generate-the-correct-transient-unit-set.patch b/SOURCES/0800-dbus-execute-generate-the-correct-transient-unit-set.patch
new file mode 100644
index 0000000..c84dea6
--- /dev/null
+++ b/SOURCES/0800-dbus-execute-generate-the-correct-transient-unit-set.patch
@@ -0,0 +1,30 @@
+From 4fbd505c5a15f2b6078dc43e5a1ff999993e8b23 Mon Sep 17 00:00:00 2001
+From: Lennart Poettering
+Date: Mon, 26 Nov 2018 21:07:06 +0100
+Subject: [PATCH] dbus-execute: generate the correct transient unit setting
+
+(cherry picked from commit 1704fba92f7b2c92238b0833943669045374daf9)
+
+Related: #2093479
+---
+ src/core/dbus-execute.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/core/dbus-execute.c b/src/core/dbus-execute.c
+index fc433cc96f..00f4aeacef 100644
+--- a/src/core/dbus-execute.c
++++ b/src/core/dbus-execute.c
+@@ -1856,11 +1856,11 @@ int bus_exec_context_set_transient_property(
+
+ if (streq(name, "StandardErrorFile")) {
+ c->std_error = EXEC_OUTPUT_FILE;
+- unit_write_settingf(u, flags|UNIT_ESCAPE_SPECIFIERS, name, "StandardOutput=file:%s", s);
++ unit_write_settingf(u, flags|UNIT_ESCAPE_SPECIFIERS, name, "StandardError=file:%s", s);
+ } else {
+ assert(streq(name, "StandardErrorFileToAppend"));
+ c->std_error = EXEC_OUTPUT_FILE_APPEND;
+- unit_write_settingf(u, flags|UNIT_ESCAPE_SPECIFIERS, name, "StandardOutput=append:%s", s);
++ unit_write_settingf(u, flags|UNIT_ESCAPE_SPECIFIERS, name, "StandardError=append:%s", s);
+ }
+ }
+ }
diff --git a/SOURCES/0801-bus-unit-util-properly-accept-StandardOutput-append-.patch b/SOURCES/0801-bus-unit-util-properly-accept-StandardOutput-append-.patch
new file mode 100644
index 0000000..004b1fa
--- /dev/null
+++ b/SOURCES/0801-bus-unit-util-properly-accept-StandardOutput-append-.patch
@@ -0,0 +1,33 @@
+From b06347d1e85c98507ba386b24e6c7159edf4784f Mon Sep 17 00:00:00 2001
+From: Lennart Poettering
+Date: Mon, 26 Nov 2018 21:07:39 +0100
+Subject: [PATCH] =?UTF-8?q?bus-unit-util:=20properly=20accept=20StandardOu?=
+ =?UTF-8?q?tput=3Dappend:=E2=80=A6=20settings?=
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+(cherry picked from commit 8d33232ef1ad051b5ed00bd7b5fffb5a19bb83ae)
+
+Resolves: #2093479
+---
+ src/shared/bus-unit-util.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/shared/bus-unit-util.c b/src/shared/bus-unit-util.c
+index 9010448aaf..3910dfa812 100644
+--- a/src/shared/bus-unit-util.c
++++ b/src/shared/bus-unit-util.c
+@@ -894,9 +894,11 @@ static int bus_append_execute_property(sd_bus_message *m, const char *field, con
+ } else if ((n = startswith(eq, "file:"))) {
+ appended = strjoina(field, "File");
+ r = sd_bus_message_append(m, "(sv)", appended, "s", n);
++ } else if ((n = startswith(eq, "append:"))) {
++ appended = strjoina(field, "FileToAppend");
++ r = sd_bus_message_append(m, "(sv)", appended, "s", n);
+ } else
+ r = sd_bus_message_append(m, "(sv)", field, "s", eq);
+-
+ if (r < 0)
+ return bus_log_create_error(r);
+
diff --git a/SOURCES/0802-core-be-more-careful-when-inheriting-stdout-fds-to-s.patch b/SOURCES/0802-core-be-more-careful-when-inheriting-stdout-fds-to-s.patch
new file mode 100644
index 0000000..68ef399
--- /dev/null
+++ b/SOURCES/0802-core-be-more-careful-when-inheriting-stdout-fds-to-s.patch
@@ -0,0 +1,68 @@
+From d6ffd324cc933efec946a3ffbed6fccfe7077203 Mon Sep 17 00:00:00 2001
+From: Lennart Poettering
+Date: Mon, 26 Nov 2018 21:07:48 +0100
+Subject: [PATCH] core: be more careful when inheriting stdout fds to stderr
+
+We need to compare the fd name/file name if we inherit an fd from stdout
+to stderr. Let's do that.
+
+Fixes: #10875
+(cherry picked from commit 41fc585a7a3b8ae857cad5fdad1bc70cdacfa8e5)
+
+Related: #2093479
+---
+ src/core/execute.c | 27 +++++++++++++++++++++++++--
+ 1 file changed, 25 insertions(+), 2 deletions(-)
+
+diff --git a/src/core/execute.c b/src/core/execute.c
+index 9cbb678ac4..b1d8dceb32 100644
+--- a/src/core/execute.c
++++ b/src/core/execute.c
+@@ -545,6 +545,30 @@ static int setup_input(
+ }
+ }
+
++static bool can_inherit_stderr_from_stdout(
++ const ExecContext *context,
++ ExecOutput o,
++ ExecOutput e) {
++
++ assert(context);
++
++ /* Returns true, if given the specified STDERR and STDOUT output we can directly dup() the stdout fd to the
++ * stderr fd */
++
++ if (e == EXEC_OUTPUT_INHERIT)
++ return true;
++ if (e != o)
++ return false;
++
++ if (e == EXEC_OUTPUT_NAMED_FD)
++ return streq_ptr(context->stdio_fdname[STDOUT_FILENO], context->stdio_fdname[STDERR_FILENO]);
++
++ if (IN_SET(e, EXEC_OUTPUT_FILE, EXEC_OUTPUT_FILE_APPEND))
++ return streq_ptr(context->stdio_file[STDOUT_FILENO], context->stdio_file[STDERR_FILENO]);
++
++ return true;
++}
++
+ static int setup_output(
+ const Unit *unit,
+ const ExecContext *context,
+@@ -603,7 +627,7 @@ static int setup_output(
+ return fileno;
+
+ /* Duplicate from stdout if possible */
+- if ((e == o && e != EXEC_OUTPUT_NAMED_FD) || e == EXEC_OUTPUT_INHERIT)
++ if (can_inherit_stderr_from_stdout(context, o, e))
+ return dup2(STDOUT_FILENO, fileno) < 0 ? -errno : fileno;
+
+ o = e;
+@@ -694,7 +718,6 @@ static int setup_output(
+ flags |= O_APPEND;
+
+ fd = acquire_path(context->stdio_file[fileno], flags, 0666 & ~context->umask);
+-
+ if (fd < 0)
+ return fd;
+
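Review bot: `can_inherit_stderr_from_stdout()` decides sharing with `streq_ptr()` on the raw `stdio_fdname[]` and `stdio_file[]` entries, and a NULL-tolerant comparison treats two unset entries as equal. For `EXEC_OUTPUT_NAMED_FD` that means stdout and stderr with no explicit name would now be dup'ed together, whereas the old condition never shared named fds. If unset names fall back to different per-stream defaults elsewhere in execute.c (not visible in this hunk), the comparison should go through that defaulting helper rather than the raw array. The file comparison is textual, so two spellings of one path still open it twice; that errs on the safe side but is worth stating in the function comment, for example `/* Paths are compared as strings, not resolved */`.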
diff --git a/SOURCES/0803-test-add-a-test-for-StandardError-file.patch b/SOURCES/0803-test-add-a-test-for-StandardError-file.patch
new file mode 100644
index 0000000..ed9f18d
--- /dev/null
+++ b/SOURCES/0803-test-add-a-test-for-StandardError-file.patch
@@ -0,0 +1,136 @@ +From 2bbaa4b647c8a60a6c6a591f71313b0667447246 Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Mon, 26 Nov 2018 21:09:07 +0100 +Subject: [PATCH] =?UTF-8?q?test:=20add=20a=20test=20for=20StandardError=3D?= + =?UTF-8?q?file:=E2=80=A6?= +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This deserves a test of its, given how broken on so many levels this +previously was. + +(cherry picked from commit 196b0a11f306b8041e35316feb05ed1f00380957) + +Related: #2093479 +--- + test/TEST-27-STDOUTFILE/Makefile | 1 + + test/TEST-27-STDOUTFILE/test.sh | 52 ++++++++++++++++++++++++++++ + test/TEST-27-STDOUTFILE/testsuite.sh | 40 +++++++++++++++++++++ + 3 files changed, 93 insertions(+) + create mode 120000 test/TEST-27-STDOUTFILE/Makefile + create mode 100755 test/TEST-27-STDOUTFILE/test.sh + create mode 100755 test/TEST-27-STDOUTFILE/testsuite.sh + +diff --git a/test/TEST-27-STDOUTFILE/Makefile b/test/TEST-27-STDOUTFILE/Makefile +new file mode 120000 +index 0000000000..e9f93b1104 +--- /dev/null ++++ b/test/TEST-27-STDOUTFILE/Makefile +@@ -0,0 +1 @@ ++../TEST-01-BASIC/Makefile +\ No newline at end of file +diff --git a/test/TEST-27-STDOUTFILE/test.sh b/test/TEST-27-STDOUTFILE/test.sh +new file mode 100755 +index 0000000000..724dbef231 +--- /dev/null ++++ b/test/TEST-27-STDOUTFILE/test.sh +@@ -0,0 +1,52 @@ ++#!/bin/bash ++# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*- ++# ex: ts=8 sw=4 sts=4 et filetype=sh ++set -e ++TEST_DESCRIPTION="test StandardOutput=file:" ++ ++. 
$TEST_BASE_DIR/test-functions ++ ++test_setup() { ++ create_empty_image ++ mkdir -p $TESTDIR/root ++ mount ${LOOPDEV}p1 $TESTDIR/root ++ ++ ( ++ LOG_LEVEL=5 ++ eval $(udevadm info --export --query=env --name=${LOOPDEV}p2) ++ ++ inst_binary cmp ++ ++ setup_basic_environment ++ ++ # mask some services that we do not want to run in these tests ++ ln -fs /dev/null $initdir/etc/systemd/system/systemd-hwdb-update.service ++ ln -fs /dev/null $initdir/etc/systemd/system/systemd-journal-catalog-update.service ++ ln -fs /dev/null $initdir/etc/systemd/system/systemd-networkd.service ++ ln -fs /dev/null $initdir/etc/systemd/system/systemd-networkd.socket ++ ln -fs /dev/null $initdir/etc/systemd/system/systemd-resolved.service ++ ln -fs /dev/null $initdir/etc/systemd/system/systemd-machined.service ++ ++ # setup the testsuite service ++ cat >$initdir/etc/systemd/system/testsuite.service <&2' ++cmp /tmp/stdout <&2' ++cmp /tmp/stdout <&2' ++cmp /tmp/stdout < /testok ++ ++exit 0 diff --git a/SOURCES/0804-tree-wide-allow-ASCII-fallback-for-in-logs.patch b/SOURCES/0804-tree-wide-allow-ASCII-fallback-for-in-logs.patch new file mode 100644 index 0000000..d4e5b2c --- /dev/null +++ b/SOURCES/0804-tree-wide-allow-ASCII-fallback-for-in-logs.patch 
@@ -0,0 +1,260 @@ +From aa93c2acd6c9ed4eb0152be9002f59ecd9cc277e Mon Sep 17 00:00:00 2001 +From: David Tardon +Date: Fri, 24 Jun 2022 09:13:42 +0200 +Subject: [PATCH] =?UTF-8?q?tree-wide:=20allow=20ASCII=20fallback=20for=20?= + =?UTF-8?q?=E2=86=92=20in=20logs?= +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +(cherry picked from commit e2341b6bc325932b3f9f10874956952cbdbd6361) + +Resolves: #2093479 +--- + src/basic/mount-util.c | 5 +++-- + src/core/dbus.c | 4 +++- + src/core/namespace.c | 7 +++++-- + src/core/socket.c | 4 +++- + src/libsystemd/sd-bus/sd-bus.c | 4 +++- + src/login/logind-acl.c | 5 +++-- + src/resolve/resolved-dns-query.c | 11 +++++++++-- + src/shared/dns-domain.c | 9 ++++++--- + src/tmpfiles/tmpfiles.c | 4 +++- + 9 files changed, 38 insertions(+), 15 deletions(-) + +diff --git a/src/basic/mount-util.c b/src/basic/mount-util.c +index 0c709001be..e7f9e514c2 100644 +--- a/src/basic/mount-util.c ++++ b/src/basic/mount-util.c +@@ -18,6 +18,7 @@ + #include "fileio.h" + #include "fs-util.h" + #include "hashmap.h" ++#include "locale-util.h" + #include "mount-util.h" + #include "parse-util.h" + #include "path-util.h" +@@ -844,8 +845,8 @@ int mount_verbose( + log_debug("Bind-mounting %s on %s (%s \"%s\")...", + what, where, strnull(fl), strempty(o)); + else if (f & MS_MOVE) +- log_debug("Moving mount %s → %s (%s \"%s\")...", +- what, where, strnull(fl), strempty(o)); ++ log_debug("Moving mount %s %s %s (%s \"%s\")...", ++ what, special_glyph(ARROW), where, strnull(fl), strempty(o)); + else + log_debug("Mounting %s on %s (%s \"%s\")...", + strna(type), where, strnull(fl), strempty(o)); +diff --git a/src/core/dbus.c b/src/core/dbus.c +index 584a8a1b01..66d838cdb4 100644 +--- a/src/core/dbus.c ++++ b/src/core/dbus.c +@@ -31,6 +31,7 @@ + #include "dbus.h" + #include "fd-util.h" + #include "fs-util.h" ++#include "locale-util.h" + #include "log.h" + #include "missing.h" + #include "mkdir.h" +@@ -751,7 +752,8 @@ static 
int manager_dispatch_sync_bus_names(sd_event_source *es, void *userdata) + assert(s); + + if (!streq_ptr(s->bus_name, name)) { +- log_unit_warning(u, "Bus name has changed from %s → %s, ignoring.", s->bus_name, name); ++ log_unit_warning(u, "Bus name has changed from %s %s %s, ignoring.", ++ s->bus_name, special_glyph(ARROW), name); + continue; + } + +diff --git a/src/core/namespace.c b/src/core/namespace.c +index e4930db15c..3566795d46 100644 +--- a/src/core/namespace.c ++++ b/src/core/namespace.c +@@ -15,6 +15,7 @@ + #include "fd-util.h" + #include "fs-util.h" + #include "label.h" ++#include "locale-util.h" + #include "loop-util.h" + #include "loopback-setup.h" + #include "missing.h" +@@ -841,7 +842,8 @@ static int follow_symlink( + return -ELOOP; + } + +- log_debug("Followed mount entry path symlink %s → %s.", mount_entry_path(m), target); ++ log_debug("Followed mount entry path symlink %s %s %s.", ++ mount_entry_path(m), special_glyph(ARROW), target); + + free_and_replace(m->path_malloc, target); + m->has_prefix = true; +@@ -920,7 +922,8 @@ static int apply_mount( + if (r < 0) + return log_debug_errno(r, "Failed to follow symlinks on %s: %m", mount_entry_source(m)); + +- log_debug("Followed source symlinks %s → %s.", mount_entry_source(m), chased); ++ log_debug("Followed source symlinks %s %s %s.", ++ mount_entry_source(m), special_glyph(ARROW), chased); + + free_and_replace(m->source_malloc, chased); + +diff --git a/src/core/socket.c b/src/core/socket.c +index 6f9a0f7575..bdfeb43a70 100644 +--- a/src/core/socket.c ++++ b/src/core/socket.c +@@ -25,6 +25,7 @@ + #include "in-addr-util.h" + #include "io-util.h" + #include "label.h" ++#include "locale-util.h" + #include "log.h" + #include "missing.h" + #include "mkdir.h" +@@ -1355,7 +1356,8 @@ static int socket_symlink(Socket *s) { + } + + if (r < 0) +- log_unit_warning_errno(UNIT(s), r, "Failed to create symlink %s → %s, ignoring: %m", p, *i); ++ log_unit_warning_errno(UNIT(s), r, "Failed to create symlink %s %s 
%s, ignoring: %m", ++ p, special_glyph(ARROW), *i); + } + + return 0; +diff --git a/src/libsystemd/sd-bus/sd-bus.c b/src/libsystemd/sd-bus/sd-bus.c +index 803f3f50d6..21e54591f7 100644 +--- a/src/libsystemd/sd-bus/sd-bus.c ++++ b/src/libsystemd/sd-bus/sd-bus.c +@@ -31,6 +31,7 @@ + #include "cgroup-util.h" + #include "def.h" + #include "fd-util.h" ++#include "locale-util.h" + #include "hexdecoct.h" + #include "hostname-util.h" + #include "macro.h" +@@ -518,7 +519,8 @@ void bus_set_state(sd_bus *bus, enum bus_state state) { + if (state == bus->state) + return; + +- log_debug("Bus %s: changing state %s → %s", strna(bus->description), table[bus->state], table[state]); ++ log_debug("Bus %s: changing state %s %s %s", strna(bus->description), ++ table[bus->state], special_glyph(ARROW), table[state]); + bus->state = state; + } + +diff --git a/src/login/logind-acl.c b/src/login/logind-acl.c +index cafeb8822f..fe17eac0e6 100644 +--- a/src/login/logind-acl.c ++++ b/src/login/logind-acl.c +@@ -9,6 +9,7 @@ + #include "escape.h" + #include "fd-util.h" + #include "format-util.h" ++#include "locale-util.h" + #include "logind-acl.h" + #include "set.h" + #include "string-util.h" +@@ -260,8 +261,8 @@ int devnode_acl_all(struct udev *udev, + SET_FOREACH(n, nodes, i) { + int k; + +- log_debug("Changing ACLs at %s for seat %s (uid "UID_FMT"→"UID_FMT"%s%s)", +- n, seat, old_uid, new_uid, ++ log_debug("Changing ACLs at %s for seat %s (uid "UID_FMT"%s"UID_FMT"%s%s)", ++ n, seat, old_uid, special_glyph(ARROW), new_uid, + del ? " del" : "", add ? 
" add" : ""); + + k = devnode_acl(n, flush, del, old_uid, add, new_uid); +diff --git a/src/resolve/resolved-dns-query.c b/src/resolve/resolved-dns-query.c +index c921fe841f..573e27d662 100644 +--- a/src/resolve/resolved-dns-query.c ++++ b/src/resolve/resolved-dns-query.c +@@ -3,6 +3,7 @@ + #include "alloc-util.h" + #include "dns-domain.h" + #include "dns-type.h" ++#include "locale-util.h" + #include "hostname-util.h" + #include "local-addresses.h" + #include "resolved-dns-query.h" +@@ -942,7 +943,10 @@ static int dns_query_cname_redirect(DnsQuery *q, const DnsResourceRecord *cname) + if (r < 0) + return r; + else if (r > 0) +- log_debug("Following CNAME/DNAME %s → %s.", dns_question_first_name(q->question_idna), dns_question_first_name(nq_idna)); ++ log_debug("Following CNAME/DNAME %s %s %s.", ++ dns_question_first_name(q->question_idna), ++ special_glyph(ARROW), ++ dns_question_first_name(nq_idna)); + + k = dns_question_is_equal(q->question_idna, q->question_utf8); + if (k < 0) +@@ -956,7 +960,10 @@ static int dns_query_cname_redirect(DnsQuery *q, const DnsResourceRecord *cname) + if (k < 0) + return k; + else if (k > 0) +- log_debug("Following UTF8 CNAME/DNAME %s → %s.", dns_question_first_name(q->question_utf8), dns_question_first_name(nq_utf8)); ++ log_debug("Following UTF8 CNAME/DNAME %s %s %s.", ++ dns_question_first_name(q->question_utf8), ++ special_glyph(ARROW), ++ dns_question_first_name(nq_utf8)); + } + + if (r == 0 && k == 0) /* No actual cname happened? 
*/ +diff --git a/src/shared/dns-domain.c b/src/shared/dns-domain.c +index de2fcca8b2..59799dec56 100644 +--- a/src/shared/dns-domain.c ++++ b/src/shared/dns-domain.c +@@ -17,6 +17,7 @@ + + #include "alloc-util.h" + #include "dns-domain.h" ++#include "locale-util.h" + #include "hashmap.h" + #include "hexdecoct.h" + #include "in-addr-util.h" +@@ -1260,7 +1261,7 @@ int dns_name_apply_idna(const char *name, char **ret) { + + r = idn2_lookup_u8((uint8_t*) name, (uint8_t**) &t, + IDN2_NFC_INPUT | IDN2_NONTRANSITIONAL); +- log_debug("idn2_lookup_u8: %s → %s", name, t); ++ log_debug("idn2_lookup_u8: %s %s %s", name, special_glyph(ARROW), t); + if (r == IDN2_OK) { + if (!startswith(name, "xn--")) { + _cleanup_free_ char *s = NULL; +@@ -1273,8 +1274,10 @@ int dns_name_apply_idna(const char *name, char **ret) { + } + + if (!streq_ptr(name, s)) { +- log_debug("idn2 roundtrip failed: \"%s\" → \"%s\" → \"%s\", ignoring.", +- name, t, s); ++ log_debug("idn2 roundtrip failed: \"%s\" %s \"%s\" %s \"%s\", ignoring.", ++ name, special_glyph(ARROW), t, ++ special_glyph(ARROW), s); ++ *ret = NULL; + return 0; + } + } +diff --git a/src/tmpfiles/tmpfiles.c b/src/tmpfiles/tmpfiles.c +index 50fada99dd..b3c2aac746 100644 +--- a/src/tmpfiles/tmpfiles.c ++++ b/src/tmpfiles/tmpfiles.c +@@ -36,6 +36,7 @@ + #include "fs-util.h" + #include "glob-util.h" + #include "io-util.h" ++#include "locale-util.h" + #include "label.h" + #include "log.h" + #include "macro.h" +@@ -2143,7 +2144,8 @@ static int patch_var_run(const char *fname, unsigned line, char **path) { + * there's no immediate need for action by the user. However, in the interest of making things less confusing + * to the user, let's still inform the user that these snippets should really be updated. 
*/ + +- log_notice("[%s:%u] Line references path below legacy directory /var/run/, updating %s → %s; please update the tmpfiles.d/ drop-in file accordingly.", fname, line, *path, n); ++ log_notice("[%s:%u] Line references path below legacy directory /var/run/, updating %s %s %s; please update the tmpfiles.d/ drop-in file accordingly.", ++ fname, line, *path, special_glyph(ARROW), n); + + free(*path); + *path = n; diff --git a/SOURCES/0805-tree-wide-allow-ASCII-fallback-for-in-logs.patch b/SOURCES/0805-tree-wide-allow-ASCII-fallback-for-in-logs.patch new file mode 100644 index 0000000..19fb968 --- /dev/null +++ b/SOURCES/0805-tree-wide-allow-ASCII-fallback-for-in-logs.patch 
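Review bot: The `dns_name_apply_idna()` hunk in src/shared/dns-domain.c adds `*ret = NULL;` before `return 0` on the failed-roundtrip path, which is a behaviour change inside a patch whose subject only covers log glyphs; it deserves its own line in the commit message or a comment such as `/* Don't leave *ret unset when we ignore the result */`. In the same function `log_debug("idn2_lookup_u8: %s %s %s", name, special_glyph(ARROW), t)` still runs before `r == IDN2_OK` is checked, so `t` is formatted even when the lookup failed; its declaration is outside the hunk, so whether it is guaranteed valid on error cannot be confirmed here, and moving the log under the success check would remove the question. Several files also insert `#include "locale-util.h"` out of alphabetical order (sd-bus.c, resolved-dns-query.c, dns-domain.c, tmpfiles.c).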
@@ -0,0 +1,129 @@ +From f27568d24a29590b34fec3a96a5b3b5d290ba3d8 Mon Sep 17 00:00:00 2001 +From: David Tardon +Date: Fri, 24 Jun 2022 09:59:44 +0200 +Subject: [PATCH] =?UTF-8?q?tree-wide:=20allow=20ASCII=20fallback=20for=20?= + =?UTF-8?q?=E2=80=A6=20in=20logs?= +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +(cherry picked from commit 28e5e1e97f47067bce190ea6b3404907d63e4320) + +Related: #2093479 +--- + src/core/manager.c | 5 +++-- + src/shared/vlan-util.c | 3 ++- + src/sysusers/sysusers.c | 5 +++-- + src/tmpfiles/tmpfiles.c | 6 +++--- + 4 files changed, 11 insertions(+), 8 deletions(-) + +diff --git a/src/core/manager.c b/src/core/manager.c +index 845c26f498..5873e5b6d7 100644 +--- a/src/core/manager.c ++++ b/src/core/manager.c +@@ -49,6 +49,7 @@ + #include "io-util.h" + #include "label.h" + #include "locale-setup.h" ++#include "locale-util.h" + #include "log.h" + #include "macro.h" + #include "manager.h" +@@ -1404,7 +1405,7 @@ static void manager_coldplug(Manager *m) { + + assert(m); + +- log_debug("Invoking unit coldplug() handlers…"); ++ log_debug("Invoking unit coldplug() handlers%s", special_glyph(ELLIPSIS)); + + /* Let's place the units back into their deserialized state */ + HASHMAP_FOREACH_KEY(u, k, m->units, i) { +@@ -1426,7 +1427,7 @@ static void manager_catchup(Manager *m) { + + assert(m); + +- log_debug("Invoking unit catchup() handlers…"); ++ log_debug("Invoking unit catchup() handlers%s", special_glyph(ELLIPSIS)); + + /* Let's catch up on any state changes that happened while we were reloading/reexecing */ + HASHMAP_FOREACH_KEY(u, k, m->units, i) { +diff --git a/src/shared/vlan-util.c b/src/shared/vlan-util.c +index 400994a354..9301dacbe2 100644 +--- a/src/shared/vlan-util.c ++++ b/src/shared/vlan-util.c +@@ -1,6 +1,7 @@ + /* SPDX-License-Identifier: LGPL-2.1+ */ + + #include "conf-parser.h" ++#include "locale-util.h" + #include "parse-util.h" + #include "string-util.h" + #include "vlan-util.h" +@@ 
-67,7 +68,7 @@ int config_parse_vlanid( + + r = parse_vlanid(rvalue, id); + if (r == -ERANGE) { +- log_syntax(unit, LOG_ERR, filename, line, r, "VLAN identifier outside of valid range 0…4094, ignoring: %s", rvalue); ++ log_syntax(unit, LOG_ERR, filename, line, r, "VLAN identifier outside of valid range 0%s4094, ignoring: %s", special_glyph(ELLIPSIS), rvalue); + return 0; + } + if (r < 0) { +diff --git a/src/sysusers/sysusers.c b/src/sysusers/sysusers.c +index a374ebaaf4..f547388151 100644 +--- a/src/sysusers/sysusers.c ++++ b/src/sysusers/sysusers.c +@@ -12,6 +12,7 @@ + #include "format-util.h" + #include "fs-util.h" + #include "hashmap.h" ++#include "locale-util.h" + #include "pager.h" + #include "path-util.h" + #include "selinux-util.h" +@@ -1890,13 +1891,13 @@ static int read_config_files(char **args) { + + STRV_FOREACH(f, files) + if (p && path_equal(*f, p)) { +- log_debug("Parsing arguments at position \"%s\"…", *f); ++ log_debug("Parsing arguments at position \"%s\"%s", *f, special_glyph(ELLIPSIS)); + + r = parse_arguments(args); + if (r < 0) + return r; + } else { +- log_debug("Reading config file \"%s\"…", *f); ++ log_debug("Reading config file \"%s\"%s", *f, special_glyph(ELLIPSIS)); + + /* Just warn, ignore result otherwise */ + (void) read_config_file(*f, true); +diff --git a/src/tmpfiles/tmpfiles.c b/src/tmpfiles/tmpfiles.c +index b3c2aac746..8da525120b 100644 +--- a/src/tmpfiles/tmpfiles.c ++++ b/src/tmpfiles/tmpfiles.c +@@ -2654,7 +2654,7 @@ static int read_config_file(char **config_dirs, const char *fn, bool ignore_enoe + assert(fn); + + if (streq(fn, "-")) { +- log_debug("Reading config from stdin…"); ++ log_debug("Reading config from stdin%s", special_glyph(ELLIPSIS)); + fn = ""; + f = stdin; + } else { +@@ -2667,7 +2667,7 @@ static int read_config_file(char **config_dirs, const char *fn, bool ignore_enoe + + return log_error_errno(r, "Failed to open '%s': %m", fn); + } +- log_debug("Reading config file \"%s\"…", fn); ++ log_debug("Reading config 
file \"%s\"%s", fn, special_glyph(ELLIPSIS)); + f = _f; + } + +@@ -2765,7 +2765,7 @@ static int read_config_files(char **config_dirs, char **args, bool *invalid_conf + + STRV_FOREACH(f, files) + if (p && path_equal(*f, p)) { +- log_debug("Parsing arguments at position \"%s\"…", *f); ++ log_debug("Parsing arguments at position \"%s\"%s", *f, special_glyph(ELLIPSIS)); + + r = parse_arguments(config_dirs, args, invalid_config); + if (r < 0) diff --git a/SOURCES/0806-core-allow-to-set-default-timeout-for-devices.patch b/SOURCES/0806-core-allow-to-set-default-timeout-for-devices.patch new file mode 100644 index 0000000..a730ce9 --- /dev/null +++ b/SOURCES/0806-core-allow-to-set-default-timeout-for-devices.patch 
@@ -0,0 +1,115 @@ +From 207f51115c18c668982ef8bdb8a024fccaeb87f0 Mon Sep 17 00:00:00 2001 +From: David Tardon +Date: Sat, 16 Jul 2022 09:49:12 +0200 +Subject: [PATCH] core: allow to set default timeout for devices + +Fixes: #19879 +(cherry picked from commit a0fe19f9f791c05af236265954b1d73e8fcf5468) + +Resolves: #1967245 +--- + src/core/dbus-manager.c | 1 + + src/core/device.c | 2 +- + src/core/main.c | 4 ++++ + src/core/manager.c | 1 + + src/core/manager.h | 1 + + src/core/system.conf.in | 1 + + 6 files changed, 9 insertions(+), 1 deletion(-) + +diff --git a/src/core/dbus-manager.c b/src/core/dbus-manager.c +index 7488f22116..5b1ed3646e 100644 +--- a/src/core/dbus-manager.c ++++ b/src/core/dbus-manager.c +@@ -2509,6 +2509,7 @@ const sd_bus_vtable bus_manager_vtable[] = { + SD_BUS_PROPERTY("DefaultTimerAccuracyUSec", "t", bus_property_get_usec, offsetof(Manager, default_timer_accuracy_usec), SD_BUS_VTABLE_PROPERTY_CONST), + SD_BUS_PROPERTY("DefaultTimeoutStartUSec", "t", bus_property_get_usec, offsetof(Manager, default_timeout_start_usec), SD_BUS_VTABLE_PROPERTY_CONST), + SD_BUS_PROPERTY("DefaultTimeoutStopUSec", "t", bus_property_get_usec, offsetof(Manager, default_timeout_stop_usec), SD_BUS_VTABLE_PROPERTY_CONST), ++ SD_BUS_PROPERTY("DefaultDeviceTimeoutUSec", "t", bus_property_get_usec, offsetof(Manager, default_device_timeout_usec), SD_BUS_VTABLE_PROPERTY_CONST), + SD_BUS_PROPERTY("DefaultRestartUSec", "t", bus_property_get_usec, offsetof(Manager, default_restart_usec), SD_BUS_VTABLE_PROPERTY_CONST), + SD_BUS_PROPERTY("DefaultStartLimitIntervalUSec", "t", bus_property_get_usec, offsetof(Manager, default_start_limit_interval), SD_BUS_VTABLE_PROPERTY_CONST), + /* The following two items are obsolete alias */ +diff --git a/src/core/device.c b/src/core/device.c +index cb8b66dfc5..71b7c1ef81 100644 +--- a/src/core/device.c ++++ b/src/core/device.c +@@ -97,7 +97,7 @@ static void device_init(Unit *u) { + * indefinitely for plugged in devices, something which cannot + 
* happen for the other units since their operations time out + * anyway. */ +- u->job_running_timeout = u->manager->default_timeout_start_usec; ++ u->job_running_timeout = u->manager->default_device_timeout_usec; + + u->ignore_on_isolate = true; + +diff --git a/src/core/main.c b/src/core/main.c +index 08a4df3c97..bfd4c531a7 100644 +--- a/src/core/main.c ++++ b/src/core/main.c +@@ -109,6 +109,7 @@ static usec_t arg_default_restart_usec; + static usec_t arg_default_timeout_start_usec; + static usec_t arg_default_timeout_stop_usec; + static usec_t arg_default_timeout_abort_usec; ++static usec_t arg_default_device_timeout_usec; + static bool arg_default_timeout_abort_set; + static usec_t arg_default_start_limit_interval; + static unsigned arg_default_start_limit_burst; +@@ -687,6 +688,7 @@ static int parse_config_file(void) { + { "Manager", "DefaultStandardError", config_parse_output_restricted,0, &arg_default_std_error }, + { "Manager", "DefaultTimeoutStartSec", config_parse_sec, 0, &arg_default_timeout_start_usec }, + { "Manager", "DefaultTimeoutStopSec", config_parse_sec, 0, &arg_default_timeout_stop_usec }, ++ { "Manager", "DefaultDeviceTimeoutSec", config_parse_sec, 0, &arg_default_device_timeout_usec }, + { "Manager", "DefaultRestartSec", config_parse_sec, 0, &arg_default_restart_usec }, + { "Manager", "DefaultStartLimitInterval", config_parse_sec, 0, &arg_default_start_limit_interval }, /* obsolete alias */ + { "Manager", "DefaultStartLimitIntervalSec",config_parse_sec, 0, &arg_default_start_limit_interval }, +@@ -754,6 +756,7 @@ static void set_manager_defaults(Manager *m) { + m->default_std_error = arg_default_std_error; + m->default_timeout_start_usec = arg_default_timeout_start_usec; + m->default_timeout_stop_usec = arg_default_timeout_stop_usec; ++ m->default_device_timeout_usec = arg_default_device_timeout_usec; + m->default_restart_usec = arg_default_restart_usec; + m->default_start_limit_interval = arg_default_start_limit_interval; + 
m->default_start_limit_burst = arg_default_start_limit_burst; +@@ -2077,6 +2080,7 @@ static void reset_arguments(void) { + arg_default_timeout_stop_usec = DEFAULT_TIMEOUT_USEC; + arg_default_timeout_abort_usec = DEFAULT_TIMEOUT_USEC; + arg_default_timeout_abort_set = false; ++ arg_default_device_timeout_usec = DEFAULT_TIMEOUT_USEC; + arg_default_start_limit_interval = DEFAULT_START_LIMIT_INTERVAL; + arg_default_start_limit_burst = DEFAULT_START_LIMIT_BURST; + arg_runtime_watchdog = 0; +diff --git a/src/core/manager.c b/src/core/manager.c +index 5873e5b6d7..f4611e6f8f 100644 +--- a/src/core/manager.c ++++ b/src/core/manager.c +@@ -731,6 +731,7 @@ int manager_new(UnitFileScope scope, unsigned test_run_flags, Manager **_m) { + m->default_tasks_max = UINT64_MAX; + m->default_timeout_start_usec = DEFAULT_TIMEOUT_USEC; + m->default_timeout_stop_usec = DEFAULT_TIMEOUT_USEC; ++ m->default_device_timeout_usec = DEFAULT_TIMEOUT_USEC, + m->default_restart_usec = DEFAULT_RESTART_USEC; + m->original_log_level = -1; + m->original_log_target = _LOG_TARGET_INVALID; +diff --git a/src/core/manager.h b/src/core/manager.h +index 7b572c8dfd..3f2cfc5e2e 100644 +--- a/src/core/manager.h ++++ b/src/core/manager.h +@@ -285,6 +285,7 @@ struct Manager { + ExecOutput default_std_output, default_std_error; + + usec_t default_restart_usec, default_timeout_start_usec, default_timeout_stop_usec; ++ usec_t default_device_timeout_usec; + + usec_t default_start_limit_interval; + unsigned default_start_limit_burst; +diff --git a/src/core/system.conf.in b/src/core/system.conf.in +index 84246c0e36..2f6852a89f 100644 +--- a/src/core/system.conf.in ++++ b/src/core/system.conf.in +@@ -37,6 +37,7 @@ + #DefaultStandardError=inherit + #DefaultTimeoutStartSec=90s + #DefaultTimeoutStopSec=90s ++#DefaultDeviceTimeoutSec=90s + #DefaultRestartSec=100ms + #DefaultStartLimitIntervalSec=10s + #DefaultStartLimitBurst=5 
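Review bot: The line added to manager_new() ends with a comma instead of a semicolon: `m->default_device_timeout_usec = DEFAULT_TIMEOUT_USEC,`. It still compiles because the comma operator chains it to the following `m->default_restart_usec = DEFAULT_RESTART_USEC;`, but the two assignments are now a single expression statement, and inserting a line between them later would break the build or change the meaning. It should read `m->default_device_timeout_usec = DEFAULT_TIMEOUT_USEC;`. manager_new() starts and ends outside the hunk.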
diff --git a/SOURCES/0807-man-document-DefaultDeviceTimeoutSec.patch b/SOURCES/0807-man-document-DefaultDeviceTimeoutSec.patch new file mode 100644 index 0000000..eb248e3 --- /dev/null +++ b/SOURCES/0807-man-document-DefaultDeviceTimeoutSec.patch @@ -0,0 +1,34 @@ +From ba81eba0feaf5c34f52141301e2b7ca93128fed0 Mon Sep 17 00:00:00 2001 +From: David Tardon +Date: Sat, 16 Jul 2022 10:16:41 +0200 +Subject: [PATCH] man: document DefaultDeviceTimeoutSec= + +(cherry picked from commit 9e69bd4801588c12811c611a1c68b54cecbe1718) + +Related: #1967245 +--- + man/systemd-system.conf.xml | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/man/systemd-system.conf.xml b/man/systemd-system.conf.xml +index 988c4e7665..3670f34cb5 100644 +--- a/man/systemd-system.conf.xml ++++ b/man/systemd-system.conf.xml +@@ -305,6 +305,17 @@ + 100ms. + + ++ ++ DefaultDeviceTimeoutSec= ++ ++ Configures the default timeout for waiting for devices. It can be changed per ++ device via the x-systemd.device-timeout= option in /etc/fstab ++ and /etc/crypttab (see ++ systemd.mount5, ++ crypttab5). ++ Defaults to 90s. ++ ++ + + DefaultStartLimitIntervalSec= + DefaultStartLimitBurst= diff --git a/SOURCES/0808-Revert-core-Propagate-condition-failed-state-to-trig.patch b/SOURCES/0808-Revert-core-Propagate-condition-failed-state-to-trig.patch new file mode 100644 index 0000000..51df34e --- /dev/null +++ b/SOURCES/0808-Revert-core-Propagate-condition-failed-state-to-trig.patch 
@@ -0,0 +1,255 @@ +From f1a1ff976ed0787c79a0f57d773bc555ab756b8c Mon Sep 17 00:00:00 2001 +From: Daan De Meyer +Date: Fri, 17 Dec 2021 19:39:29 +0100 +Subject: [PATCH] Revert "core: Propagate condition failed state to triggering + units." + +This reverts commit 12ab94a1e4961a39c32efb60b71866ab588d3ea2. + +(cherry picked from commit 40f41f34d4af15d0147b5b2525f0b87ff62eae9a) + +Related: #2114005 +--- + src/core/automount.c | 14 ++++---------- + src/core/automount.h | 1 - + src/core/path.c | 16 +++++----------- + src/core/path.h | 1 - + src/core/socket.c | 28 +++++++++------------------- + src/core/socket.h | 1 - + src/core/timer.c | 12 +++--------- + src/core/timer.h | 1 - + src/core/unit.c | 10 ---------- + src/core/unit.h | 2 -- + 10 files changed, 21 insertions(+), 65 deletions(-) + +diff --git a/src/core/automount.c b/src/core/automount.c +index bac3b2fab7..c1c513d4a5 100644 +--- a/src/core/automount.c ++++ b/src/core/automount.c +@@ -776,11 +776,6 @@ static void automount_enter_running(Automount *a) { + goto fail; + } + +- if (unit_has_failed_condition_or_assert(trigger)) { +- automount_enter_dead(a, AUTOMOUNT_FAILURE_MOUNT_CONDITION_FAILED); +- return; +- } +- + r = manager_add_job(UNIT(a)->manager, JOB_START, trigger, JOB_REPLACE, NULL, &error, NULL); + if (r < 0) { + log_unit_warning(UNIT(a), "Failed to queue mount startup job: %s", bus_error_message(&error, r)); +@@ -1092,11 +1087,10 @@ static int automount_can_start(Unit *u) { + } + + static const char* const automount_result_table[_AUTOMOUNT_RESULT_MAX] = { +- [AUTOMOUNT_SUCCESS] = "success", +- [AUTOMOUNT_FAILURE_RESOURCES] = "resources", +- [AUTOMOUNT_FAILURE_START_LIMIT_HIT] = "start-limit-hit", +- [AUTOMOUNT_FAILURE_MOUNT_START_LIMIT_HIT] = "mount-start-limit-hit", +- [AUTOMOUNT_FAILURE_MOUNT_CONDITION_FAILED] = "mount-condition-failed", ++ [AUTOMOUNT_SUCCESS] = "success", ++ [AUTOMOUNT_FAILURE_RESOURCES] = "resources", ++ [AUTOMOUNT_FAILURE_START_LIMIT_HIT] = "start-limit-hit", ++ 
[AUTOMOUNT_FAILURE_MOUNT_START_LIMIT_HIT] = "mount-start-limit-hit", + }; + + DEFINE_STRING_TABLE_LOOKUP(automount_result, AutomountResult); +diff --git a/src/core/automount.h b/src/core/automount.h +index a7417d195c..21dd1c0774 100644 +--- a/src/core/automount.h ++++ b/src/core/automount.h +@@ -10,7 +10,6 @@ typedef enum AutomountResult { + AUTOMOUNT_FAILURE_RESOURCES, + AUTOMOUNT_FAILURE_START_LIMIT_HIT, + AUTOMOUNT_FAILURE_MOUNT_START_LIMIT_HIT, +- AUTOMOUNT_FAILURE_MOUNT_CONDITION_FAILED, + _AUTOMOUNT_RESULT_MAX, + _AUTOMOUNT_RESULT_INVALID = -1 + } AutomountResult; +diff --git a/src/core/path.c b/src/core/path.c +index bf7e1bf3c2..c2facf0b16 100644 +--- a/src/core/path.c ++++ b/src/core/path.c +@@ -453,7 +453,7 @@ static void path_enter_dead(Path *p, PathResult f) { + else + unit_log_failure(UNIT(p), path_result_to_string(p->result)); + +- path_set_state(p, p->result == PATH_SUCCESS ? PATH_DEAD : PATH_FAILED); ++ path_set_state(p, p->result != PATH_SUCCESS ? PATH_FAILED : PATH_DEAD); + } + + static void path_enter_running(Path *p) { +@@ -711,11 +711,6 @@ static void path_trigger_notify(Unit *u, Unit *other) { + return; + } + +- if (unit_has_failed_condition_or_assert(other)) { +- path_enter_dead(p, PATH_FAILURE_UNIT_CONDITION_FAILED); +- return; +- } +- + /* Don't propagate anything if there's still a job queued */ + if (other->job) + return; +@@ -768,11 +763,10 @@ static const char* const path_type_table[_PATH_TYPE_MAX] = { + DEFINE_STRING_TABLE_LOOKUP(path_type, PathType); + + static const char* const path_result_table[_PATH_RESULT_MAX] = { +- [PATH_SUCCESS] = "success", +- [PATH_FAILURE_RESOURCES] = "resources", +- [PATH_FAILURE_START_LIMIT_HIT] = "start-limit-hit", +- [PATH_FAILURE_UNIT_START_LIMIT_HIT] = "unit-start-limit-hit", +- [PATH_FAILURE_UNIT_CONDITION_FAILED] = "unit-condition-failed", ++ [PATH_SUCCESS] = "success", ++ [PATH_FAILURE_RESOURCES] = "resources", ++ [PATH_FAILURE_START_LIMIT_HIT] = "start-limit-hit", ++ 
[PATH_FAILURE_UNIT_START_LIMIT_HIT] = "unit-start-limit-hit", + }; + + DEFINE_STRING_TABLE_LOOKUP(path_result, PathResult); +diff --git a/src/core/path.h b/src/core/path.h +index 0ad6bd12c6..8a69f06c13 100644 +--- a/src/core/path.h ++++ b/src/core/path.h +@@ -46,7 +46,6 @@ typedef enum PathResult { + PATH_FAILURE_RESOURCES, + PATH_FAILURE_START_LIMIT_HIT, + PATH_FAILURE_UNIT_START_LIMIT_HIT, +- PATH_FAILURE_UNIT_CONDITION_FAILED, + _PATH_RESULT_MAX, + _PATH_RESULT_INVALID = -1 + } PathResult; +diff --git a/src/core/socket.c b/src/core/socket.c +index bdfeb43a70..9d47ca2616 100644 +--- a/src/core/socket.c ++++ b/src/core/socket.c +@@ -2274,15 +2274,6 @@ static void socket_enter_running(Socket *s, int cfd) { + goto refuse; + } + +- if (UNIT_ISSET(s->service) && cfd < 0) { +- Unit *service = UNIT_DEREF(s->service); +- +- if (unit_has_failed_condition_or_assert(service)) { +- socket_enter_dead(s, SOCKET_FAILURE_SERVICE_CONDITION_FAILED); +- return; +- } +- } +- + if (cfd < 0) { + bool pending = false; + Unit *other; +@@ -3298,16 +3289,15 @@ static const char* const socket_exec_command_table[_SOCKET_EXEC_COMMAND_MAX] = { + DEFINE_STRING_TABLE_LOOKUP(socket_exec_command, SocketExecCommand); + + static const char* const socket_result_table[_SOCKET_RESULT_MAX] = { +- [SOCKET_SUCCESS] = "success", +- [SOCKET_FAILURE_RESOURCES] = "resources", +- [SOCKET_FAILURE_TIMEOUT] = "timeout", +- [SOCKET_FAILURE_EXIT_CODE] = "exit-code", +- [SOCKET_FAILURE_SIGNAL] = "signal", +- [SOCKET_FAILURE_CORE_DUMP] = "core-dump", +- [SOCKET_FAILURE_START_LIMIT_HIT] = "start-limit-hit", +- [SOCKET_FAILURE_TRIGGER_LIMIT_HIT] = "trigger-limit-hit", +- [SOCKET_FAILURE_SERVICE_START_LIMIT_HIT] = "service-start-limit-hit", +- [SOCKET_FAILURE_SERVICE_CONDITION_FAILED] = "service-condition-failed", ++ [SOCKET_SUCCESS] = "success", ++ [SOCKET_FAILURE_RESOURCES] = "resources", ++ [SOCKET_FAILURE_TIMEOUT] = "timeout", ++ [SOCKET_FAILURE_EXIT_CODE] = "exit-code", ++ [SOCKET_FAILURE_SIGNAL] = "signal", ++ 
[SOCKET_FAILURE_CORE_DUMP] = "core-dump", ++ [SOCKET_FAILURE_START_LIMIT_HIT] = "start-limit-hit", ++ [SOCKET_FAILURE_TRIGGER_LIMIT_HIT] = "trigger-limit-hit", ++ [SOCKET_FAILURE_SERVICE_START_LIMIT_HIT] = "service-start-limit-hit" + }; + + DEFINE_STRING_TABLE_LOOKUP(socket_result, SocketResult); +diff --git a/src/core/socket.h b/src/core/socket.h +index b171b94316..2409dbf2a0 100644 +--- a/src/core/socket.h ++++ b/src/core/socket.h +@@ -39,7 +39,6 @@ typedef enum SocketResult { + SOCKET_FAILURE_START_LIMIT_HIT, + SOCKET_FAILURE_TRIGGER_LIMIT_HIT, + SOCKET_FAILURE_SERVICE_START_LIMIT_HIT, +- SOCKET_FAILURE_SERVICE_CONDITION_FAILED, + _SOCKET_RESULT_MAX, + _SOCKET_RESULT_INVALID = -1 + } SocketResult; +diff --git a/src/core/timer.c b/src/core/timer.c +index 3c8d89771d..990f05fee4 100644 +--- a/src/core/timer.c ++++ b/src/core/timer.c +@@ -567,11 +567,6 @@ static void timer_enter_running(Timer *t) { + return; + } + +- if (unit_has_failed_condition_or_assert(trigger)) { +- timer_enter_dead(t, TIMER_FAILURE_UNIT_CONDITION_FAILED); +- return; +- } +- + r = manager_add_job(UNIT(t)->manager, JOB_START, trigger, JOB_REPLACE, NULL, &error, NULL); + if (r < 0) + goto fail; +@@ -855,10 +850,9 @@ static const char* const timer_base_table[_TIMER_BASE_MAX] = { + DEFINE_STRING_TABLE_LOOKUP(timer_base, TimerBase); + + static const char* const timer_result_table[_TIMER_RESULT_MAX] = { +- [TIMER_SUCCESS] = "success", +- [TIMER_FAILURE_RESOURCES] = "resources", +- [TIMER_FAILURE_START_LIMIT_HIT] = "start-limit-hit", +- [TIMER_FAILURE_UNIT_CONDITION_FAILED] = "unit-condition-failed", ++ [TIMER_SUCCESS] = "success", ++ [TIMER_FAILURE_RESOURCES] = "resources", ++ [TIMER_FAILURE_START_LIMIT_HIT] = "start-limit-hit", + }; + + DEFINE_STRING_TABLE_LOOKUP(timer_result, TimerResult); +diff --git a/src/core/timer.h b/src/core/timer.h +index d23e19d622..833aadb0b8 100644 +--- a/src/core/timer.h ++++ b/src/core/timer.h +@@ -32,7 +32,6 @@ typedef enum TimerResult { + TIMER_SUCCESS, + 
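Review bot: The last initializer of socket_result_table loses its trailing comma in this revert: `[SOCKET_FAILURE_SERVICE_START_LIMIT_HIT] = "service-start-limit-hit"`. The automount, path and timer tables changed by the same patch keep the comma on their final entry. Restoring it here keeps the tables consistent and keeps a later added entry to a one-line diff.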
TIMER_FAILURE_RESOURCES, + TIMER_FAILURE_START_LIMIT_HIT, +- TIMER_FAILURE_UNIT_CONDITION_FAILED, + _TIMER_RESULT_MAX, + _TIMER_RESULT_INVALID = -1 + } TimerResult; +diff --git a/src/core/unit.c b/src/core/unit.c +index 0810bf5a58..dfe0c243ef 100644 +--- a/src/core/unit.c ++++ b/src/core/unit.c +@@ -5661,16 +5661,6 @@ int unit_thaw_vtable_common(Unit *u) { + return unit_cgroup_freezer_action(u, FREEZER_THAW); + } + +-bool unit_has_failed_condition_or_assert(Unit *u) { +- if (dual_timestamp_is_set(&u->condition_timestamp) && !u->condition_result) +- return true; +- +- if (dual_timestamp_is_set(&u->assert_timestamp) && !u->assert_result) +- return true; +- +- return false; +-} +- + static const char* const collect_mode_table[_COLLECT_MODE_MAX] = { + [COLLECT_INACTIVE] = "inactive", + [COLLECT_INACTIVE_OR_FAILED] = "inactive-or-failed", +diff --git a/src/core/unit.h b/src/core/unit.h +index a924bd2e83..b8b914711f 100644 +--- a/src/core/unit.h ++++ b/src/core/unit.h +@@ -847,8 +847,6 @@ void unit_thawed(Unit *u); + int unit_freeze_vtable_common(Unit *u); + int unit_thaw_vtable_common(Unit *u); + +-bool unit_has_failed_condition_or_assert(Unit *u); +- + /* Macros which append UNIT= or USER_UNIT= to the message */ + + #define log_unit_full(unit, level, error, ...) \ diff --git a/SOURCES/0809-core-Check-unit-start-rate-limiting-earlier.patch b/SOURCES/0809-core-Check-unit-start-rate-limiting-earlier.patch new file mode 100644 index 0000000..45f95d4 --- /dev/null +++ b/SOURCES/0809-core-Check-unit-start-rate-limiting-earlier.patch 
@@ -0,0 +1,137 @@ +From e393372ad5ba67acb9b397f044efdb1c9a100644 Mon Sep 17 00:00:00 2001 +From: Daan De Meyer +Date: Tue, 24 Aug 2021 16:46:47 +0100 +Subject: [PATCH] core: Check unit start rate limiting earlier + +[dtardon: This adds the test that's been left out by commit +471eda89a25a3ceac91a2d05e39a54aae78038ed] + +(cherry picked from commit 9727f2427ff6b2e1f4ab927cc57ad8e888f04e95) + +Related: #2114005 +--- + test/TEST-10-ISSUE-2467/test.sh | 3 ++ + test/TEST-63-ISSUE-17433/Makefile | 1 + + test/TEST-63-ISSUE-17433/test.sh | 42 ++++++++++++++++++++++ + test/TEST-63-ISSUE-17433/test63.path | 2 ++ + test/TEST-63-ISSUE-17433/test63.service | 5 +++ + test/TEST-63-ISSUE-17433/testsuite.service | 17 +++++++++ + 6 files changed, 70 insertions(+) + create mode 120000 test/TEST-63-ISSUE-17433/Makefile + create mode 100755 test/TEST-63-ISSUE-17433/test.sh + create mode 100644 test/TEST-63-ISSUE-17433/test63.path + create mode 100644 test/TEST-63-ISSUE-17433/test63.service + create mode 100644 test/TEST-63-ISSUE-17433/testsuite.service + +diff --git a/test/TEST-10-ISSUE-2467/test.sh b/test/TEST-10-ISSUE-2467/test.sh +index 0e61236686..a839ef79de 100755 +--- a/test/TEST-10-ISSUE-2467/test.sh ++++ b/test/TEST-10-ISSUE-2467/test.sh +@@ -42,6 +42,9 @@ EOF + [Unit] + Requires=test.socket + ConditionPathExistsGlob=/tmp/nonexistent ++# Make sure we hit the socket trigger limit in the test and not the service start limit. 
++StartLimitInterval=1000 ++StartLimitBurst=1000 + + [Service] + ExecStart=/bin/true +diff --git a/test/TEST-63-ISSUE-17433/Makefile b/test/TEST-63-ISSUE-17433/Makefile +new file mode 120000 +index 0000000000..e9f93b1104 +--- /dev/null ++++ b/test/TEST-63-ISSUE-17433/Makefile +@@ -0,0 +1 @@ ++../TEST-01-BASIC/Makefile +\ No newline at end of file +diff --git a/test/TEST-63-ISSUE-17433/test.sh b/test/TEST-63-ISSUE-17433/test.sh +new file mode 100755 +index 0000000000..406a1e214c +--- /dev/null ++++ b/test/TEST-63-ISSUE-17433/test.sh +@@ -0,0 +1,42 @@ ++#!/usr/bin/env bash ++set -e ++ ++TEST_DESCRIPTION="https://github.com/systemd/systemd/issues/17433" ++ ++# shellcheck source=test/test-functions ++. "${TEST_BASE_DIR:?}/test-functions" ++ ++test_setup() { ++ create_empty_image ++ mkdir -p $TESTDIR/root ++ mount ${LOOPDEV}p1 $TESTDIR/root ++ ++ # Create what will eventually be our root filesystem onto an overlay ++ ( ++ LOG_LEVEL=5 ++ eval $(udevadm info --export --query=env --name=${LOOPDEV}p2) ++ ++ setup_basic_environment ++ ++ # setup the testsuite service ++ cp testsuite.service $initdir/etc/systemd/system/testsuite.service ++ ++ cp test63.path $initdir/etc/systemd/system/test63.path ++ cp test63.service $initdir/etc/systemd/system/test63.service ++ ++ setup_testsuite ++ ) || return 1 ++ setup_nspawn_root ++ ++ # mask some services that we do not want to run in these tests ++ ln -s /dev/null $initdir/etc/systemd/system/systemd-hwdb-update.service ++ ln -s /dev/null $initdir/etc/systemd/system/systemd-journal-catalog-update.service ++ ln -s /dev/null $initdir/etc/systemd/system/systemd-networkd.service ++ ln -s /dev/null $initdir/etc/systemd/system/systemd-networkd.socket ++ ln -s /dev/null $initdir/etc/systemd/system/systemd-resolved.service ++ ++ ddebug "umount $TESTDIR/root" ++ umount $TESTDIR/root ++} ++ ++do_test "$@" +diff --git a/test/TEST-63-ISSUE-17433/test63.path b/test/TEST-63-ISSUE-17433/test63.path +new file mode 100644 +index 0000000000..a6573bda0a 
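Review bot: test_setup() in the new test.sh expands `$TESTDIR`, `${LOOPDEV}` and `$initdir` unquoted in its `mkdir`, `mount`, `cp`, `ln` and `umount` calls, and it passes the unquoted output of `udevadm info --export` to `eval`. The script mounts filesystems, so it presumably runs as root, and a path containing whitespace or glob characters would split into extra arguments. Quoting is enough, for example `mkdir -p "$TESTDIR/root"`, `mount "${LOOPDEV}p1" "$TESTDIR/root"` and `eval "$(udevadm info --export --query=env --name="${LOOPDEV}p2")"`.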
+--- /dev/null ++++ b/test/TEST-63-ISSUE-17433/test63.path +@@ -0,0 +1,2 @@ ++[Path] ++PathExists=/tmp/test63 +diff --git a/test/TEST-63-ISSUE-17433/test63.service b/test/TEST-63-ISSUE-17433/test63.service +new file mode 100644 +index 0000000000..c83801874d +--- /dev/null ++++ b/test/TEST-63-ISSUE-17433/test63.service +@@ -0,0 +1,5 @@ ++[Unit] ++ConditionPathExists=!/tmp/nonexistent ++ ++[Service] ++ExecStart=true +diff --git a/test/TEST-63-ISSUE-17433/testsuite.service b/test/TEST-63-ISSUE-17433/testsuite.service +new file mode 100644 +index 0000000000..d3ca5b002b +--- /dev/null ++++ b/test/TEST-63-ISSUE-17433/testsuite.service +@@ -0,0 +1,17 @@ ++[Unit] ++Description=TEST-63-ISSUE-17433 ++ ++[Service] ++ExecStartPre=rm -f /failed /testok ++Type=oneshot ++ExecStart=rm -f /tmp/nonexistent ++ExecStart=systemctl start test63.path ++ExecStart=touch /tmp/test63 ++# Make sure systemd has sufficient time to hit the start limit for test63.service. ++ExecStart=sleep 2 ++ExecStart=sh -x -c 'test "$(systemctl show test63.service --value -p ActiveState)" = failed' ++ExecStart=sh -x -c 'test "$(systemctl show test63.service --value -p Result)" = start-limit-hit' ++# FIXME: The path remains active, which it should not ++# ExecStart=sh -x -c 'test "$(systemctl show test63.path --value -p ActiveState)" = failed' ++# ExecStart=sh -x -c 'test "$(systemctl show test63.path --value -p Result)" = unit-start-limit-hit' ++ExecStart=sh -x -c 'echo OK >/testok' diff --git a/SOURCES/0810-core-Add-trigger-limit-for-path-units.patch b/SOURCES/0810-core-Add-trigger-limit-for-path-units.patch new file mode 100644 index 0000000..7ddde88 --- /dev/null +++ b/SOURCES/0810-core-Add-trigger-limit-for-path-units.patch 
@@ -0,0 +1,127 @@ +From 9d3f5e5d222308d29aad9bf7b2bfc440143a8606 Mon Sep 17 00:00:00 2001 +From: Daan De Meyer +Date: Fri, 17 Dec 2021 20:01:31 +0100 +Subject: [PATCH] core: Add trigger limit for path units + +When conditions fail on a service unit, a path unit can cause +PID 1 to busy loop as it keeps trying to activate the service unit. +To avoid this from happening, add a trigger limit to the path unit, +identical to the trigger limit we have for socket units. + +Initially, let's start with a high limit and not make it configurable. +If needed, we can add properties to configure the rate limit similar +to the ones we have for socket units. + +(cherry picked from commit aaae822b37aa3ca39aebb516fdc6bef36d730c25) + +Resolves: #2114005 +--- + src/core/path.c | 10 ++++++++++ + src/core/path.h | 3 +++ + test/TEST-63-ISSUE-17433/test63.service | 2 +- + test/TEST-63-ISSUE-17433/testsuite.service | 21 +++++++++++++++++---- + 4 files changed, 31 insertions(+), 5 deletions(-) + +diff --git a/src/core/path.c b/src/core/path.c +index c2facf0b16..b899bde0de 100644 +--- a/src/core/path.c ++++ b/src/core/path.c +@@ -238,6 +238,9 @@ static void path_init(Unit *u) { + assert(u->load_state == UNIT_STUB); + + p->directory_mode = 0755; ++ ++ p->trigger_limit.interval = 2 * USEC_PER_SEC; ++ p->trigger_limit.burst = 200; + } + + void path_free_specs(Path *p) { +@@ -467,6 +470,12 @@ static void path_enter_running(Path *p) { + if (unit_stop_pending(UNIT(p))) + return; + ++ if (!ratelimit_below(&p->trigger_limit)) { ++ log_unit_warning(UNIT(p), "Trigger limit hit, refusing further activation."); ++ path_enter_dead(p, PATH_FAILURE_TRIGGER_LIMIT_HIT); ++ return; ++ } ++ + trigger = UNIT_TRIGGER(UNIT(p)); + if (!trigger) { + log_unit_error(UNIT(p), "Unit to trigger vanished."); +@@ -767,6 +776,7 @@ static const char* const path_result_table[_PATH_RESULT_MAX] = { + [PATH_FAILURE_RESOURCES] = "resources", + [PATH_FAILURE_START_LIMIT_HIT] = "start-limit-hit", + 
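Review bot: The two values added to path_init(), `2 * USEC_PER_SEC` and `200`, are bare constants with no comment saying where they come from or what they bound. The commit message says the limit mirrors the one used for socket units, and that is worth recording at the assignment, for example `/* Same trigger limit as socket units: at most 200 activations per 2s */`. A reader who later tunes one of the two limits will then know the other exists.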
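Review bot: The new `ratelimit_below(&p->trigger_limit)` check in path_enter_running() relies on counter state that lives only in the in-memory `Path` struct. The patch's diffstat shows nothing added for serialising that state. If Path objects are re-initialised on daemon-reload or re-exec (not visible here), the counter would restart at zero and a looping path unit would get a fresh burst of 200 activations after each reload. Please confirm whether that applies, and if so either carry the limiter state across reload or note the limitation in a comment above the check. The function body continues outside the hunk.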
[PATH_FAILURE_UNIT_START_LIMIT_HIT] = "unit-start-limit-hit", ++ [PATH_FAILURE_TRIGGER_LIMIT_HIT] = "trigger-limit-hit", + }; + + DEFINE_STRING_TABLE_LOOKUP(path_result, PathResult); +diff --git a/src/core/path.h b/src/core/path.h +index 8a69f06c13..12fd13fbe3 100644 +--- a/src/core/path.h ++++ b/src/core/path.h +@@ -46,6 +46,7 @@ typedef enum PathResult { + PATH_FAILURE_RESOURCES, + PATH_FAILURE_START_LIMIT_HIT, + PATH_FAILURE_UNIT_START_LIMIT_HIT, ++ PATH_FAILURE_TRIGGER_LIMIT_HIT, + _PATH_RESULT_MAX, + _PATH_RESULT_INVALID = -1 + } PathResult; +@@ -63,6 +64,8 @@ struct Path { + mode_t directory_mode; + + PathResult result; ++ ++ RateLimit trigger_limit; + }; + + void path_free_specs(Path *p); +diff --git a/test/TEST-63-ISSUE-17433/test63.service b/test/TEST-63-ISSUE-17433/test63.service +index c83801874d..6292434c5c 100644 +--- a/test/TEST-63-ISSUE-17433/test63.service ++++ b/test/TEST-63-ISSUE-17433/test63.service +@@ -1,5 +1,5 @@ + [Unit] +-ConditionPathExists=!/tmp/nonexistent ++ConditionPathExists=/tmp/nonexistent + + [Service] + ExecStart=true +diff --git a/test/TEST-63-ISSUE-17433/testsuite.service b/test/TEST-63-ISSUE-17433/testsuite.service +index d3ca5b002b..39f9643890 100644 +--- a/test/TEST-63-ISSUE-17433/testsuite.service ++++ b/test/TEST-63-ISSUE-17433/testsuite.service +@@ -4,14 +4,27 @@ Description=TEST-63-ISSUE-17433 + [Service] + ExecStartPre=rm -f /failed /testok + Type=oneshot ++ ++# Test that a path unit continuously triggering a service that fails condition checks eventually fails with ++# the trigger-limit-hit error. + ExecStart=rm -f /tmp/nonexistent + ExecStart=systemctl start test63.path + ExecStart=touch /tmp/test63 +-# Make sure systemd has sufficient time to hit the start limit for test63.service. ++# Make sure systemd has sufficient time to hit the trigger limit for test63.path. 
+ ExecStart=sleep 2 +-ExecStart=sh -x -c 'test "$(systemctl show test63.service --value -p ActiveState)" = failed' +-ExecStart=sh -x -c 'test "$(systemctl show test63.service --value -p Result)" = start-limit-hit' ++ExecStart=sh -x -c 'test "$(systemctl show test63.service --value -p ActiveState)" = inactive' ++ExecStart=sh -x -c 'test "$(systemctl show test63.service --value -p Result)" = success' + # FIXME: The path remains active, which it should not + # ExecStart=sh -x -c 'test "$(systemctl show test63.path --value -p ActiveState)" = failed' +-# ExecStart=sh -x -c 'test "$(systemctl show test63.path --value -p Result)" = unit-start-limit-hit' ++# ExecStart=sh -x -c 'test "$(systemctl show test63.path --value -p Result)" = trigger-limit-hit' ++ ++# Test that starting the service manually doesn't affect the path unit. ++ExecStart=rm -f /tmp/test63 ++ExecStart=systemctl reset-failed ++ExecStart=systemctl start test63.path ++ExecStart=systemctl start test63.service ++ExecStart=sh -x -c 'test "$(systemctl show test63.service --value -p ActiveState)" = inactive' ++ExecStart=sh -x -c 'test "$(systemctl show test63.service --value -p Result)" = success' ++ExecStart=sh -x -c 'test "$(systemctl show test63.path --value -p ActiveState)" = active' ++ExecStart=sh -x -c 'test "$(systemctl show test63.path --value -p Result)" = success' + ExecStart=sh -x -c 'echo OK >/testok' diff --git a/SOURCES/0811-meson-add-syscall-names-update-target.patch b/SOURCES/0811-meson-add-syscall-names-update-target.patch new file mode 100644 index 0000000..84961ed --- /dev/null +++ b/SOURCES/0811-meson-add-syscall-names-update-target.patch 
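Review bot: The two checks that would confirm test63.path itself fails with the new result are still commented out under the FIXME, so this test never asserts `trigger-limit-hit`. As written, the first scenario only checks that test63.service stays `inactive` with result `success`, which would also hold if the limit never fired. Once the FIXME is resolved, re-enable `ExecStart=sh -x -c 'test "$(systemctl show test63.path --value -p Result)" = trigger-limit-hit'` and the matching `ActiveState` check. The fixed `sleep 2` before the checks is also timing-dependent on a loaded worker.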
@@ -0,0 +1,680 @@ +From f20ccc0d505eccd59bb3814f59a63ea036be5bd5 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Tue, 18 Aug 2020 16:27:20 +0200 +Subject: [PATCH] meson: add syscall-names-update target + +The calls to find_program("tools/*") are moved earlier so they can be used +in libshared/ (and it doesn't make sense to split them). + +(cherry picked from commit 47354b440e90626c320d8f142cb742ff569e3a40) + +Related: #2040247 +--- + meson.build | 13 +- + src/shared/meson.build | 6 + + src/shared/syscall-names.text | 597 ++++++++++++++++++++++++++++++++++ + tools/syscall-names-update.sh | 6 + + 4 files changed, 617 insertions(+), 5 deletions(-) + create mode 100644 src/shared/syscall-names.text + create mode 100755 tools/syscall-names-update.sh + +diff --git a/meson.build b/meson.build +index 57de947367..6729a9ea5e 100644 +--- a/meson.build ++++ b/meson.build +@@ -1417,6 +1417,14 @@ install_libsystemd_static = static_library( + + ############################################################ + ++hwdb_update_sh = find_program('tools/meson-hwdb-update.sh') ++make_directive_index_py = find_program('tools/make-directive-index.py') ++make_man_index_py = find_program('tools/make-man-index.py') ++syscall_names_update_sh = find_program('tools/syscall-names-update.sh') ++xml_helper_py = find_program('tools/xml_helper.py') ++ ++############################################################ ++ + # binaries that have --help and are intended for use by humans, + # usually, but not always, installed in /bin. 
+ public_programs = [] +@@ -2721,11 +2729,6 @@ run_target('fuzzers', + + ############################################################ + +-make_directive_index_py = find_program('tools/make-directive-index.py') +-make_man_index_py = find_program('tools/make-man-index.py') +-xml_helper_py = find_program('tools/xml_helper.py') +-hwdb_update_sh = find_program('tools/meson-hwdb-update.sh') +- + subdir('units') + subdir('sysctl.d') + subdir('sysusers.d') +diff --git a/src/shared/meson.build b/src/shared/meson.build +index d0a1bba4c6..c9dd0a3a4e 100644 +--- a/src/shared/meson.build ++++ b/src/shared/meson.build +@@ -165,3 +165,9 @@ libshared = shared_library( + dependencies : libshared_deps, + install : true, + install_dir : rootlibexecdir) ++ ++############################################################ ++ ++run_target( ++ 'syscall-names-update', ++ command : [syscall_names_update_sh, meson.current_source_dir()]) +diff --git a/src/shared/syscall-names.text b/src/shared/syscall-names.text +new file mode 100644 +index 0000000000..40d18a8894 +--- /dev/null ++++ b/src/shared/syscall-names.text +@@ -0,0 +1,597 @@ ++_llseek ++_newselect ++_sysctl ++accept ++accept4 ++access ++acct ++add_key ++adjtimex ++alarm ++arc_gettls ++arc_settls ++arc_usr_cmpxchg ++arch_prctl ++arm_fadvise64_64 ++arm_sync_file_range ++atomic_barrier ++atomic_cmpxchg_32 ++bdflush ++bfin_spinlock ++bind ++bpf ++brk ++cache_sync ++cachectl ++cacheflush ++capget ++capset ++chdir ++chmod ++chown ++chown32 ++chroot ++clock_adjtime ++clock_adjtime64 ++clock_getres ++clock_getres_time64 ++clock_gettime ++clock_gettime64 ++clock_nanosleep ++clock_nanosleep_time64 ++clock_settime ++clock_settime64 ++clone ++clone2 ++clone3 ++close ++close_range ++connect ++copy_file_range ++creat ++create_module ++delete_module ++dipc ++dup ++dup2 ++dup3 ++epoll_create ++epoll_create1 ++epoll_ctl ++epoll_ctl_old ++epoll_pwait ++epoll_wait ++epoll_wait_old ++eventfd ++eventfd2 ++exec_with_loader ++execv ++execve ++execveat ++exit 
++exit_group ++faccessat ++faccessat2 ++fadvise64 ++fadvise64_64 ++fallocate ++fanotify_init ++fanotify_mark ++fchdir ++fchmod ++fchmodat ++fchown ++fchown32 ++fchownat ++fcntl ++fcntl64 ++fdatasync ++fgetxattr ++finit_module ++flistxattr ++flock ++fork ++fp_udfiex_crtl ++fremovexattr ++fsconfig ++fsetxattr ++fsmount ++fsopen ++fspick ++fstat ++fstat64 ++fstatat64 ++fstatfs ++fstatfs64 ++fsync ++ftruncate ++ftruncate64 ++futex ++futex_time64 ++futimesat ++get_kernel_syms ++get_mempolicy ++get_robust_list ++get_thread_area ++getcpu ++getcwd ++getdents ++getdents64 ++getdomainname ++getdtablesize ++getegid ++getegid32 ++geteuid ++geteuid32 ++getgid ++getgid32 ++getgroups ++getgroups32 ++gethostname ++getitimer ++getpagesize ++getpeername ++getpgid ++getpgrp ++getpid ++getpmsg ++getppid ++getpriority ++getrandom ++getresgid ++getresgid32 ++getresuid ++getresuid32 ++getrlimit ++getrusage ++getsid ++getsockname ++getsockopt ++gettid ++gettimeofday ++getuid ++getuid32 ++getunwind ++getxattr ++getxgid ++getxpid ++getxuid ++idle ++init_module ++inotify_add_watch ++inotify_init ++inotify_init1 ++inotify_rm_watch ++io_cancel ++io_destroy ++io_getevents ++io_pgetevents ++io_pgetevents_time64 ++io_setup ++io_submit ++io_uring_enter ++io_uring_register ++io_uring_setup ++ioctl ++ioperm ++iopl ++ioprio_get ++ioprio_set ++ipc ++kcmp ++kern_features ++kexec_file_load ++kexec_load ++keyctl ++kill ++lchown ++lchown32 ++lgetxattr ++link ++linkat ++listen ++listxattr ++llistxattr ++lookup_dcookie ++lremovexattr ++lseek ++lsetxattr ++lstat ++lstat64 ++madvise ++mbind ++membarrier ++memfd_create ++memory_ordering ++migrate_pages ++mincore ++mkdir ++mkdirat ++mknod ++mknodat ++mlock ++mlock2 ++mlockall ++mmap ++mmap2 ++modify_ldt ++mount ++move_mount ++move_pages ++mprotect ++mq_getsetattr ++mq_notify ++mq_open ++mq_timedreceive ++mq_timedreceive_time64 ++mq_timedsend ++mq_timedsend_time64 ++mq_unlink ++mremap ++msgctl ++msgget ++msgrcv ++msgsnd ++msync ++multiplexer ++munlock 
++munlockall ++munmap ++name_to_handle_at ++nanosleep ++newfstatat ++nfsservctl ++ni_syscall ++nice ++old_adjtimex ++old_getpagesize ++oldfstat ++oldlstat ++oldolduname ++oldstat ++oldumount ++olduname ++open ++open_by_handle_at ++open_tree ++openat ++openat2 ++or1k_atomic ++osf_adjtime ++osf_afs_syscall ++osf_alt_plock ++osf_alt_setsid ++osf_alt_sigpending ++osf_asynch_daemon ++osf_audcntl ++osf_audgen ++osf_chflags ++osf_execve ++osf_exportfs ++osf_fchflags ++osf_fdatasync ++osf_fpathconf ++osf_fstat ++osf_fstatfs ++osf_fstatfs64 ++osf_fuser ++osf_getaddressconf ++osf_getdirentries ++osf_getdomainname ++osf_getfh ++osf_getfsstat ++osf_gethostid ++osf_getitimer ++osf_getlogin ++osf_getmnt ++osf_getrusage ++osf_getsysinfo ++osf_gettimeofday ++osf_kloadcall ++osf_kmodcall ++osf_lstat ++osf_memcntl ++osf_mincore ++osf_mount ++osf_mremap ++osf_msfs_syscall ++osf_msleep ++osf_mvalid ++osf_mwakeup ++osf_naccept ++osf_nfssvc ++osf_ngetpeername ++osf_ngetsockname ++osf_nrecvfrom ++osf_nrecvmsg ++osf_nsendmsg ++osf_ntp_adjtime ++osf_ntp_gettime ++osf_old_creat ++osf_old_fstat ++osf_old_getpgrp ++osf_old_killpg ++osf_old_lstat ++osf_old_open ++osf_old_sigaction ++osf_old_sigblock ++osf_old_sigreturn ++osf_old_sigsetmask ++osf_old_sigvec ++osf_old_stat ++osf_old_vadvise ++osf_old_vtrace ++osf_old_wait ++osf_oldquota ++osf_pathconf ++osf_pid_block ++osf_pid_unblock ++osf_plock ++osf_priocntlset ++osf_profil ++osf_proplist_syscall ++osf_reboot ++osf_revoke ++osf_sbrk ++osf_security ++osf_select ++osf_set_program_attributes ++osf_set_speculative ++osf_sethostid ++osf_setitimer ++osf_setlogin ++osf_setsysinfo ++osf_settimeofday ++osf_shmat ++osf_signal ++osf_sigprocmask ++osf_sigsendset ++osf_sigstack ++osf_sigwaitprim ++osf_sstk ++osf_stat ++osf_statfs ++osf_statfs64 ++osf_subsys_info ++osf_swapctl ++osf_swapon ++osf_syscall ++osf_sysinfo ++osf_table ++osf_uadmin ++osf_usleep_thread ++osf_uswitch ++osf_utc_adjtime ++osf_utc_gettime ++osf_utimes ++osf_utsname ++osf_wait4 
++osf_waitid ++pause ++pciconfig_iobase ++pciconfig_read ++pciconfig_write ++perf_event_open ++perfctr ++perfmonctl ++personality ++pidfd_getfd ++pidfd_open ++pidfd_send_signal ++pipe ++pipe2 ++pivot_root ++pkey_alloc ++pkey_free ++pkey_mprotect ++poll ++ppoll ++ppoll_time64 ++prctl ++pread64 ++preadv ++preadv2 ++prlimit64 ++process_vm_readv ++process_vm_writev ++pselect6 ++pselect6_time64 ++ptrace ++pwrite64 ++pwritev ++pwritev2 ++query_module ++quotactl ++read ++readahead ++readdir ++readlink ++readlinkat ++readv ++reboot ++recv ++recvfrom ++recvmmsg ++recvmmsg_time64 ++recvmsg ++remap_file_pages ++removexattr ++rename ++renameat ++renameat2 ++request_key ++restart_syscall ++riscv_flush_icache ++rmdir ++rseq ++rt_sigaction ++rt_sigpending ++rt_sigprocmask ++rt_sigqueueinfo ++rt_sigreturn ++rt_sigsuspend ++rt_sigtimedwait ++rt_sigtimedwait_time64 ++rt_tgsigqueueinfo ++rtas ++s390_guarded_storage ++s390_pci_mmio_read ++s390_pci_mmio_write ++s390_runtime_instr ++s390_sthyi ++sched_get_affinity ++sched_get_priority_max ++sched_get_priority_min ++sched_getaffinity ++sched_getattr ++sched_getparam ++sched_getscheduler ++sched_rr_get_interval ++sched_rr_get_interval_time64 ++sched_set_affinity ++sched_setaffinity ++sched_setattr ++sched_setparam ++sched_setscheduler ++sched_yield ++seccomp ++select ++semctl ++semget ++semop ++semtimedop ++semtimedop_time64 ++send ++sendfile ++sendfile64 ++sendmmsg ++sendmsg ++sendto ++set_mempolicy ++set_robust_list ++set_thread_area ++set_tid_address ++setdomainname ++setfsgid ++setfsgid32 ++setfsuid ++setfsuid32 ++setgid ++setgid32 ++setgroups ++setgroups32 ++sethae ++sethostname ++setitimer ++setns ++setpgid ++setpgrp ++setpriority ++setregid ++setregid32 ++setresgid ++setresgid32 ++setresuid ++setresuid32 ++setreuid ++setreuid32 ++setrlimit ++setsid ++setsockopt ++settimeofday ++setuid ++setuid32 ++setxattr ++sgetmask ++shmat ++shmctl ++shmdt ++shmget ++shutdown ++sigaction ++sigaltstack ++signal ++signalfd ++signalfd4 ++sigpending 
++sigprocmask ++sigreturn ++sigsuspend ++socket ++socketcall ++socketpair ++splice ++spu_create ++spu_run ++ssetmask ++stat ++stat64 ++statfs ++statfs64 ++statx ++stime ++subpage_prot ++swapcontext ++swapoff ++swapon ++switch_endian ++symlink ++symlinkat ++sync ++sync_file_range ++sync_file_range2 ++syncfs ++sys_debug_setcontext ++syscall ++sysfs ++sysinfo ++syslog ++sysmips ++tee ++tgkill ++time ++timer_create ++timer_delete ++timer_getoverrun ++timer_gettime ++timer_gettime64 ++timer_settime ++timer_settime64 ++timerfd ++timerfd_create ++timerfd_gettime ++timerfd_gettime64 ++timerfd_settime ++timerfd_settime64 ++times ++tkill ++truncate ++truncate64 ++udftrap ++ugetrlimit ++umask ++umount ++umount2 ++uname ++unlink ++unlinkat ++unshare ++uselib ++userfaultfd ++ustat ++utime ++utimensat ++utimensat_time64 ++utimes ++utimesat ++utrap_install ++vfork ++vhangup ++vm86 ++vm86old ++vmsplice ++wait4 ++waitid ++waitpid ++write ++writev +diff --git a/tools/syscall-names-update.sh b/tools/syscall-names-update.sh +new file mode 100755 +index 0000000000..c884b93cda +--- /dev/null ++++ b/tools/syscall-names-update.sh +@@ -0,0 +1,6 @@ ++#!/bin/sh ++set -eu ++ ++cd "$1" ++ ++curl -L -o syscall-names.text 'https://raw.githubusercontent.com/hrw/syscalls-table/master/syscall-names.text' diff --git a/SOURCES/0812-syscall-names-add-process_madvise-which-is-planned-f.patch b/SOURCES/0812-syscall-names-add-process_madvise-which-is-planned-f.patch new file mode 100644 index 0000000..4bd00ec --- /dev/null +++ b/SOURCES/0812-syscall-names-add-process_madvise-which-is-planned-f.patch 
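Review bot: tools/syscall-names-update.sh overwrites syscall-names.text with whatever the URL returns. `curl` is called without `--fail`, so an HTTP error body would be saved as the new list with exit status 0, and the source is the mutable `master` branch of a third-party repository with no commit pin or checksum. Patch 0813 in this series compiles this file into the `@known` seccomp set, so the content deserves more care than a plain download. I would fetch into a temporary name with `curl --fail -L -o syscall-names.text.tmp` (same URL) and then `mv syscall-names.text.tmp syscall-names.text`, so `set -e` stops before the tracked file is touched. A comment should say that the resulting diff must be reviewed before it is committed, and pinning the URL to a specific upstream commit would make the update reproducible.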
@@ -0,0 +1,27 @@ +From bcc0f8bfbc0ea220895c1d3a8bf2d3124ddcef16 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Sun, 25 Oct 2020 13:54:20 +0100 +Subject: [PATCH] syscall-names: add process_madvise which is planned for 5.10 + +It was added in v5.9-11793-gecb8ac8b1f and is still present in v5.10-rc1, so it +seems likely that it'll be in 5.10 too. + +(cherry picked from commit 397cca2453465d4ad5a51b16ad71acf45a3de352) + +Related: #2040247 +--- + src/shared/syscall-names.text | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/shared/syscall-names.text b/src/shared/syscall-names.text +index 40d18a8894..f1b7e29d50 100644 +--- a/src/shared/syscall-names.text ++++ b/src/shared/syscall-names.text +@@ -392,6 +392,7 @@ pread64 + preadv + preadv2 + prlimit64 ++process_madvise + process_vm_readv + process_vm_writev + pselect6 diff --git a/SOURCES/0813-shared-add-known-syscall-list.patch b/SOURCES/0813-shared-add-known-syscall-list.patch new file mode 100644 index 0000000..eb4f2f4 --- /dev/null +++ b/SOURCES/0813-shared-add-known-syscall-list.patch 
@@ -0,0 +1,157 @@ +From f3c6abebbe4718085fcf17ed3ab0690e379fbb7e Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Wed, 19 Aug 2020 17:43:23 +0200 +Subject: [PATCH] shared: add @known syscall list + +(cherry picked from commit 95aac01259db689dac7d8e5bfafb60e8c70cd734) + +Related: #2040247 +--- + man/systemd.exec.xml | 4 ++++ + src/shared/generate-syscall-list.py | 5 +++++ + src/shared/meson.build | 11 +++++++++++ + src/shared/seccomp-util.c | 6 ++++++ + src/shared/seccomp-util.h | 3 ++- + src/test/test-seccomp.c | 19 ++++++++++++------- + 6 files changed, 40 insertions(+), 8 deletions(-) + create mode 100755 src/shared/generate-syscall-list.py + +diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml +index dc88cf9781..b04b4ba552 100644 +--- a/man/systemd.exec.xml ++++ b/man/systemd.exec.xml +@@ -1556,6 +1556,10 @@ RestrictNamespaces=~cgroup net + @timer + System calls for scheduling operations by time (alarm2, timer_create2, …) + ++ ++ @known ++ All system calls defined by the kernel. This list is defined statically in systemd based on a kernel version that was available when this systmed version was released. It will become progressively more out-of-date as the kernel is updated. 
++ + + + +diff --git a/src/shared/generate-syscall-list.py b/src/shared/generate-syscall-list.py +new file mode 100755 +index 0000000000..13a6ae9241 +--- /dev/null ++++ b/src/shared/generate-syscall-list.py +@@ -0,0 +1,5 @@ ++#!/usr/bin/env python ++import sys ++ ++for line in open(sys.argv[1]): ++ print('"{}\\0"'.format(line.strip())) +diff --git a/src/shared/meson.build b/src/shared/meson.build +index c9dd0a3a4e..fed08571d1 100644 +--- a/src/shared/meson.build ++++ b/src/shared/meson.build +@@ -109,6 +109,16 @@ shared_sources = files(''' + test_tables_h = files('test-tables.h') + shared_sources += [test_tables_h] + ++generate_syscall_list = find_program('generate-syscall-list.py') ++fname = 'syscall-list.h' ++syscall_list_h = custom_target( ++ fname, ++ input : 'syscall-names.text', ++ output : fname, ++ command : [generate_syscall_list, ++ '@INPUT@'], ++ capture : true) ++ + if conf.get('HAVE_ACL') == 1 + shared_sources += files('acl-util.c') + endif +@@ -119,6 +129,7 @@ endif + + if conf.get('HAVE_SECCOMP') == 1 + shared_sources += files('seccomp-util.c') ++ shared_sources += syscall_list_h + endif + + if conf.get('HAVE_LIBIPTC') == 1 +diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c +index c57c409433..c2b2f2da92 100644 +--- a/src/shared/seccomp-util.c ++++ b/src/shared/seccomp-util.c +@@ -855,6 +855,12 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = { + "timerfd_settime\0" + "times\0" + }, ++ [SYSCALL_FILTER_SET_KNOWN] = { ++ .name = "@known", ++ .help = "All known syscalls declared in the kernel", ++ .value = ++#include "syscall-list.h" ++ }, + }; + + const SyscallFilterSet *syscall_filter_set_find(const char *name) { +diff --git a/src/shared/seccomp-util.h b/src/shared/seccomp-util.h +index 602f092255..541ba1e067 100644 +--- a/src/shared/seccomp-util.h ++++ b/src/shared/seccomp-util.h +@@ -21,7 +21,7 @@ typedef struct SyscallFilterSet { + } SyscallFilterSet; + + enum { +- /* Please leave DEFAULT first, but sort the 
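Review bot: generate-syscall-list.py pastes each input line into a C string literal without checking it. `print('"{}\\0"'.format(line.strip()))` turns a blank line into `"\0"`, an empty entry, and a line containing `"` or `\` would produce a malformed header. The generated list is walked with `NULSTR_FOREACH`, which as far as I know stops at the first empty string, so a stray blank line in syscall-names.text would presumably truncate `@known` silently. I would reject anything that is not a plain identifier: `name = line.strip()` followed by `if not re.match(r'^[a-z0-9_]+$', name): sys.exit('bad syscall name: ' + repr(name))`, with `import re` at the top. The hunk in patch 0816 keeps the same unvalidated `print`.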
rest alphabetically */ ++ /* Please leave DEFAULT first and KNOWN last, but sort the rest alphabetically */ + SYSCALL_FILTER_SET_DEFAULT, + SYSCALL_FILTER_SET_AIO, + SYSCALL_FILTER_SET_BASIC_IO, +@@ -49,6 +49,7 @@ enum { + SYSCALL_FILTER_SET_SYNC, + SYSCALL_FILTER_SET_SYSTEM_SERVICE, + SYSCALL_FILTER_SET_TIMER, ++ SYSCALL_FILTER_SET_KNOWN, + _SYSCALL_FILTER_SET_MAX + }; + +diff --git a/src/test/test-seccomp.c b/src/test/test-seccomp.c +index 6ec04c4c55..286f01b5ce 100644 +--- a/src/test/test-seccomp.c ++++ b/src/test/test-seccomp.c +@@ -106,8 +106,10 @@ static void test_filter_sets(void) { + if (pid == 0) { /* Child? */ + int fd; + +- /* If we look at the default set (or one that includes it), whitelist instead of blacklist */ +- if (IN_SET(i, SYSCALL_FILTER_SET_DEFAULT, SYSCALL_FILTER_SET_SYSTEM_SERVICE)) ++ /* If we look at the default set (or one that includes it), allow-list instead of deny-list */ ++ if (IN_SET(i, SYSCALL_FILTER_SET_DEFAULT, ++ SYSCALL_FILTER_SET_SYSTEM_SERVICE, ++ SYSCALL_FILTER_SET_KNOWN)) + r = seccomp_load_syscall_filter_set(SCMP_ACT_ERRNO(EUCLEAN), syscall_filter_sets + i, SCMP_ACT_ALLOW, true); + else + r = seccomp_load_syscall_filter_set(SCMP_ACT_ALLOW, syscall_filter_sets + i, SCMP_ACT_ERRNO(EUCLEAN), true); +@@ -639,20 +641,23 @@ static void test_lock_personality(void) { + } + + static void test_filter_sets_ordered(void) { +- size_t i; +- + /* Ensure "@default" always remains at the beginning of the list */ + assert_se(SYSCALL_FILTER_SET_DEFAULT == 0); + assert_se(streq(syscall_filter_sets[0].name, "@default")); + +- for (i = 0; i < _SYSCALL_FILTER_SET_MAX; i++) { ++ /* Ensure "@known" always remains at the end of the list */ ++ assert_se(SYSCALL_FILTER_SET_KNOWN == _SYSCALL_FILTER_SET_MAX - 1); ++ assert_se(streq(syscall_filter_sets[SYSCALL_FILTER_SET_KNOWN].name, "@known")); ++ ++ for (size_t i = 0; i < _SYSCALL_FILTER_SET_MAX; i++) { + const char *k, *p = NULL; + + /* Make sure each group has a description */ + 
assert_se(!isempty(syscall_filter_sets[0].help)); + +- /* Make sure the groups are ordered alphabetically, except for the first entry */ +- assert_se(i < 2 || strcmp(syscall_filter_sets[i-1].name, syscall_filter_sets[i].name) < 0); ++ /* Make sure the groups are ordered alphabetically, except for the first and last entries */ ++ assert_se(i < 2 || i == _SYSCALL_FILTER_SET_MAX - 1 || ++ strcmp(syscall_filter_sets[i-1].name, syscall_filter_sets[i].name) < 0); + + NULSTR_FOREACH(k, syscall_filter_sets[i].value) { + diff --git a/SOURCES/0814-generate-syscall-list-require-python3.patch b/SOURCES/0814-generate-syscall-list-require-python3.patch new file mode 100644 index 0000000..20891a6 --- /dev/null +++ b/SOURCES/0814-generate-syscall-list-require-python3.patch @@ -0,0 +1,24 @@ +From da722bc383c359b77fab671a0e7872fe4c0232ce Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Sat, 22 Aug 2020 16:07:05 +0200 +Subject: [PATCH] generate-syscall-list: require python3 + +Python3.4 works, but 2.7 returns a tuple from os.uname(). + +(cherry picked from commit 8694114b809f92f6a882134f3635aa42bfb41e11) + +Related: #2040247 +--- + src/shared/generate-syscall-list.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/shared/generate-syscall-list.py b/src/shared/generate-syscall-list.py +index 13a6ae9241..0b90d2d276 100755 +--- a/src/shared/generate-syscall-list.py ++++ b/src/shared/generate-syscall-list.py +@@ -1,4 +1,4 @@ +-#!/usr/bin/env python ++#!/usr/bin/env python3 + import sys + + for line in open(sys.argv[1]): diff --git a/SOURCES/0815-shared-seccomp-reduce-scope-of-indexing-variables.patch b/SOURCES/0815-shared-seccomp-reduce-scope-of-indexing-variables.patch new file mode 100644 index 0000000..afd8d57 --- /dev/null +++ b/SOURCES/0815-shared-seccomp-reduce-scope-of-indexing-variables.patch 
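Review bot: In test_filter_sets_ordered the help check inside the rewritten loop still reads `assert_se(!isempty(syscall_filter_sets[0].help));`. It therefore tests `@default` on every iteration and never looks at the `.help` of the new `@known` entry, or of any other set. Since the loop header is being changed anyway, this should become `assert_se(!isempty(syscall_filter_sets[i].help));`. The function body continues past the end of the hunk.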
@@ -0,0 +1,82 @@ +From 64705366e134f06438e88f0b7fbef341d0a01431 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Wed, 19 Aug 2020 17:43:40 +0200 +Subject: [PATCH] shared/seccomp: reduce scope of indexing variables + +(cherry picked from commit 077e8fc0cad5a4532348d20a1eef8621295dd75a) + +Related: #2040247 +--- + src/shared/seccomp-util.c | 14 +++++--------- + 1 file changed, 5 insertions(+), 9 deletions(-) + +diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c +index c2b2f2da92..4d2ba31d47 100644 +--- a/src/shared/seccomp-util.c ++++ b/src/shared/seccomp-util.c +@@ -864,12 +864,10 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = { + }; + + const SyscallFilterSet *syscall_filter_set_find(const char *name) { +- unsigned i; +- + if (isempty(name) || name[0] != '@') + return NULL; + +- for (i = 0; i < _SYSCALL_FILTER_SET_MAX; i++) ++ for (unsigned i = 0; i < _SYSCALL_FILTER_SET_MAX; i++) + if (streq(syscall_filter_sets[i].name, name)) + return syscall_filter_sets + i; + +@@ -1105,7 +1103,6 @@ int seccomp_restrict_namespaces(unsigned long retain) { + + SECCOMP_FOREACH_LOCAL_ARCH(arch) { + _cleanup_(seccomp_releasep) scmp_filter_ctx seccomp = NULL; +- unsigned i; + + log_debug("Operating on architecture: %s", seccomp_arch_to_string(arch)); + +@@ -1135,7 +1132,7 @@ int seccomp_restrict_namespaces(unsigned long retain) { + continue; + } + +- for (i = 0; namespace_flag_map[i].name; i++) { ++ for (unsigned i = 0; namespace_flag_map[i].name; i++) { + unsigned long f; + + f = namespace_flag_map[i].flag; +@@ -1288,7 +1285,7 @@ int seccomp_restrict_address_families(Set *address_families, bool whitelist) { + return r; + + if (whitelist) { +- int af, first = 0, last = 0; ++ int first = 0, last = 0; + void *afp; + + /* If this is a whitelist, we first block the address families that are out of range and then +@@ -1296,7 +1293,7 @@ int seccomp_restrict_address_families(Set *address_families, bool whitelist) 
{ + * the set. */ + + SET_FOREACH(afp, address_families, i) { +- af = PTR_TO_INT(afp); ++ int af = PTR_TO_INT(afp); + + if (af <= 0 || af >= af_max()) + continue; +@@ -1350,7 +1347,7 @@ int seccomp_restrict_address_families(Set *address_families, bool whitelist) { + } + + /* Block everything between the first and last entry */ +- for (af = 1; af < af_max(); af++) { ++ for (int af = 1; af < af_max(); af++) { + + if (set_contains(address_families, INT_TO_PTR(af))) + continue; +@@ -1378,7 +1375,6 @@ int seccomp_restrict_address_families(Set *address_families, bool whitelist) { + * checks. */ + + SET_FOREACH(af, address_families, i) { +- + r = seccomp_rule_add_exact( + seccomp, + SCMP_ACT_ERRNO(EAFNOSUPPORT), diff --git a/SOURCES/0816-shared-syscall-list-filter-out-some-obviously-platfo.patch b/SOURCES/0816-shared-syscall-list-filter-out-some-obviously-platfo.patch new file mode 100644 index 0000000..e061a38 --- /dev/null +++ b/SOURCES/0816-shared-syscall-list-filter-out-some-obviously-platfo.patch 
@@ -0,0 +1,32 @@ +From 2e33a4ffdd54de1f88c3cd37ca5ace94a637b1dc Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Wed, 19 Aug 2020 17:46:30 +0200 +Subject: [PATCH] shared/syscall-list: filter out some obviously + platform-specific syscalls + +(cherry picked from commit 752fedbea7c02c82287c7ff2a4139f528b3f7ba8) + +Related: #2040247 +--- + src/shared/generate-syscall-list.py | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/src/shared/generate-syscall-list.py b/src/shared/generate-syscall-list.py +index 0b90d2d276..030c3feec4 100755 +--- a/src/shared/generate-syscall-list.py ++++ b/src/shared/generate-syscall-list.py +@@ -1,5 +1,14 @@ + #!/usr/bin/env python3 + import sys ++import os ++ ++s390 = 's390' in os.uname().machine ++arm = 'arm' in os.uname().machine + + for line in open(sys.argv[1]): ++ if line.startswith('s390_') and not s390: ++ continue ++ if line.startswith('arm_') and not arm: ++ continue ++ + print('"{}\\0"'.format(line.strip())) diff --git a/SOURCES/0817-seccomp-tighten-checking-of-seccomp-filter-creation.patch b/SOURCES/0817-seccomp-tighten-checking-of-seccomp-filter-creation.patch new file mode 100644 index 0000000..8e297c6 --- /dev/null +++ b/SOURCES/0817-seccomp-tighten-checking-of-seccomp-filter-creation.patch 
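Review bot: The architecture filter added here keys off `os.uname().machine`, which describes the machine running the build rather than the one the binaries are built for. In a cross build the generated `@known` list would keep or drop the `s390_*` and `arm_*` entries according to the build host, so the compiled-in set could differ from the target's real syscall table. I would pass the target CPU family from meson as a second argument, for example by appending `host_machine.cpu_family()` to the `command` list of the `syscall_list_h` target. The script would then test that value instead: `arch = sys.argv[2]`, `s390 = 's390' in arch`, `arm = 'arm' in arch`.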
@@ -0,0 +1,123 @@ +From 42ed3377b5817f2c1f84e1bdca301ea51ecc3299 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Thu, 20 Sep 2018 14:19:41 +0200 +Subject: [PATCH] seccomp: tighten checking of seccomp filter creation + +In seccomp code, the code is changed to propagate errors which are about +anything other than unknown/unimplemented syscalls. I *think* such errors +should not happen in normal usage, but so far we would summarilly ignore all +errors, so that part is uncertain. If it turns out that other errors occur and +should be ignored, this should be added later. + +In nspawn, we would count the number of added filters, but didn't use this for +anything. Drop that part. + +The comments suggested that seccomp_add_syscall_filter_item() returned negative +if the syscall is unknown, but this wasn't true: it returns 0. + +The error at this point can only be if the syscall was known but couldn't be +added. If the error comes from our internal whitelist in nspawn, treat this as +error, because it means that our internal table is wrong. If the error comes +from user arguments, warn and ignore. (If some syscall is not known at current +architecture, it is still silently ignored.) 
+ +(cherry picked from commit 7e86bd73a47f2b8dd3d9a743e69fb0117f450ad8) + +Related: #2040247 +--- + src/nspawn/nspawn-seccomp.c | 14 +++++--------- + src/shared/seccomp-util.c | 26 ++++++++++++++++---------- + 2 files changed, 21 insertions(+), 19 deletions(-) + +diff --git a/src/nspawn/nspawn-seccomp.c b/src/nspawn/nspawn-seccomp.c +index fba22644da..17abfcec26 100644 +--- a/src/nspawn/nspawn-seccomp.c ++++ b/src/nspawn/nspawn-seccomp.c +@@ -140,7 +140,7 @@ static int seccomp_add_default_syscall_filter( + */ + }; + +- int r, c = 0; ++ int r; + size_t i; + char **p; + +@@ -150,21 +150,17 @@ static int seccomp_add_default_syscall_filter( + + r = seccomp_add_syscall_filter_item(ctx, whitelist[i].name, SCMP_ACT_ALLOW, syscall_blacklist, false); + if (r < 0) +- /* If the system call is not known on this architecture, then that's fine, let's ignore it */ +- log_debug_errno(r, "Failed to add rule for system call %s on %s, ignoring: %m", whitelist[i].name, seccomp_arch_to_string(arch)); +- else +- c++; ++ return log_error_errno(r, "Failed to add syscall filter item %s: %m", whitelist[i].name); + } + + STRV_FOREACH(p, syscall_whitelist) { + r = seccomp_add_syscall_filter_item(ctx, *p, SCMP_ACT_ALLOW, syscall_blacklist, false); + if (r < 0) +- log_debug_errno(r, "Failed to add rule for system call %s on %s, ignoring: %m", *p, seccomp_arch_to_string(arch)); +- else +- c++; ++ log_warning_errno(r, "Failed to add rule for system call %s on %s, ignoring: %m", ++ *p, seccomp_arch_to_string(arch)); + } + +- return c; ++ return 0; + } + + int setup_seccomp(uint64_t cap_list_retain, char **syscall_whitelist, char **syscall_blacklist) { +diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c +index 4d2ba31d47..710a734715 100644 +--- a/src/shared/seccomp-util.c ++++ b/src/shared/seccomp-util.c +@@ -907,9 +907,13 @@ int seccomp_add_syscall_filter_item(scmp_filter_ctx *seccomp, const char *name, + r = seccomp_rule_add_exact(seccomp, action, id, 0); + if (r < 0) { + /* If 
the system call is not known on this architecture, then that's fine, let's ignore it */ +- if (log_missing) +- log_debug_errno(r, "Failed to add rule for system call %s() / %d, ignoring: %m", +- name, id); ++ bool ignore = r == -EDOM; ++ ++ if (!ignore || log_missing) ++ log_debug_errno(r, "Failed to add rule for system call %s() / %d%s: %m", ++ name, id, ignore ? ", ignoring" : ""); ++ if (!ignore) ++ return r; + } + + return 0; +@@ -957,10 +961,8 @@ int seccomp_load_syscall_filter_set(uint32_t default_action, const SyscallFilter + return r; + + r = seccomp_add_syscall_filter_set(seccomp, set, action, NULL, log_missing); +- if (r < 0) { +- log_debug_errno(r, "Failed to add filter set, ignoring: %m"); +- continue; +- } ++ if (r < 0) ++ return log_debug_errno(r, "Failed to add filter set: %m"); + + r = seccomp_load(seccomp); + if (IN_SET(r, -EPERM, -EACCES)) +@@ -1005,11 +1007,15 @@ int seccomp_load_syscall_filter_set_raw(uint32_t default_action, Hashmap* set, u + if (r < 0) { + /* If the system call is not known on this architecture, then that's fine, let's ignore it */ + _cleanup_free_ char *n = NULL; ++ bool ignore; + + n = seccomp_syscall_resolve_num_arch(SCMP_ARCH_NATIVE, id); +- if (log_missing) +- log_debug_errno(r, "Failed to add rule for system call %s() / %d, ignoring: %m", +- strna(n), id); ++ ignore = r == -EDOM; ++ if (!ignore || log_missing) ++ log_debug_errno(r, "Failed to add rule for system call %s() / %d%s: %m", ++ strna(n), id, ignore ? ", ignoring" : ""); ++ if (!ignore) ++ return r; + } + } + diff --git a/SOURCES/0818-shared-seccomp-util-added-functionality-to-make-list.patch b/SOURCES/0818-shared-seccomp-util-added-functionality-to-make-list.patch new file mode 100644 index 0000000..6dcde52 --- /dev/null +++ b/SOURCES/0818-shared-seccomp-util-added-functionality-to-make-list.patch 
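Review bot: Both `seccomp_add_syscall_filter_item` and `seccomp_load_syscall_filter_set_raw` now rely on `r == -EDOM` to tell "syscall not available on this architecture" from a real failure. The retained comment above each check still reads as if every error were ignored, and nothing says why EDOM is the one that is safe to skip. I would replace it with `/* libseccomp reports -EDOM when the syscall does not exist on this architecture; only that case is ignored, any other error aborts filter setup */`, with the wording confirmed against the libseccomp version in use. Non-ignored failures are logged only through `log_debug_errno` here, so it is worth checking that callers of `seccomp_load_syscall_filter_set` report the error at a visible level now that it is propagated. Both functions start and end outside the hunks shown.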
@@ -0,0 +1,156 @@ +From eaad892c513806801e3d2055788fa202372b3f15 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Fri, 21 Aug 2020 17:21:04 +0200 +Subject: [PATCH] shared/seccomp-util: added functionality to make list of + filtred syscalls + +While at it, start removing the "seccomp_" prefix from our +own functions. It is used by libseccomp. + +(cherry picked from commit 000c05207d68658b76af9e1caf9aa3a4e3fa697b) + +Related: #2040247 +--- + src/nspawn/nspawn-seccomp.c | 9 +++++++-- + src/shared/seccomp-util.c | 39 ++++++++++++++++++++++++++++++------- + src/shared/seccomp-util.h | 8 +++++++- + 3 files changed, 46 insertions(+), 10 deletions(-) + +diff --git a/src/nspawn/nspawn-seccomp.c b/src/nspawn/nspawn-seccomp.c +index 17abfcec26..2b4a65e875 100644 +--- a/src/nspawn/nspawn-seccomp.c ++++ b/src/nspawn/nspawn-seccomp.c +@@ -148,13 +148,18 @@ static int seccomp_add_default_syscall_filter( + if (whitelist[i].capability != 0 && (cap_list_retain & (1ULL << whitelist[i].capability)) == 0) + continue; + +- r = seccomp_add_syscall_filter_item(ctx, whitelist[i].name, SCMP_ACT_ALLOW, syscall_blacklist, false); ++ r = seccomp_add_syscall_filter_item(ctx, ++ whitelist[i].name, ++ SCMP_ACT_ALLOW, ++ syscall_blacklist, ++ false, ++ NULL); + if (r < 0) + return log_error_errno(r, "Failed to add syscall filter item %s: %m", whitelist[i].name); + } + + STRV_FOREACH(p, syscall_whitelist) { +- r = seccomp_add_syscall_filter_item(ctx, *p, SCMP_ACT_ALLOW, syscall_blacklist, false); ++ r = seccomp_add_syscall_filter_item(ctx, *p, SCMP_ACT_ALLOW, syscall_blacklist, false, NULL); + if (r < 0) + log_warning_errno(r, "Failed to add rule for system call %s on %s, ignoring: %m", + *p, seccomp_arch_to_string(arch)); +diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c +index 710a734715..56075d92e0 100644 +--- a/src/shared/seccomp-util.c ++++ b/src/shared/seccomp-util.c +@@ -874,15 +874,31 @@ const SyscallFilterSet 
*syscall_filter_set_find(const char *name) { + return NULL; + } + +-static int seccomp_add_syscall_filter_set(scmp_filter_ctx seccomp, const SyscallFilterSet *set, uint32_t action, char **exclude, bool log_missing); ++static int add_syscall_filter_set( ++ scmp_filter_ctx seccomp, ++ const SyscallFilterSet *set, ++ uint32_t action, ++ char **exclude, ++ bool log_missing, ++ char ***added); ++ ++int seccomp_add_syscall_filter_item( ++ scmp_filter_ctx *seccomp, ++ const char *name, ++ uint32_t action, ++ char **exclude, ++ bool log_missing, ++ char ***added) { + +-int seccomp_add_syscall_filter_item(scmp_filter_ctx *seccomp, const char *name, uint32_t action, char **exclude, bool log_missing) { + assert(seccomp); + assert(name); + + if (strv_contains(exclude, name)) + return 0; + ++ /* Any syscalls that are handled are added to the *added strv. The pointer ++ * must be either NULL or point to a valid pre-initialized possibly-empty strv. */ ++ + if (name[0] == '@') { + const SyscallFilterSet *other; + +@@ -892,7 +908,7 @@ int seccomp_add_syscall_filter_item(scmp_filter_ctx *seccomp, const char *name, + return -EINVAL; + } + +- return seccomp_add_syscall_filter_set(seccomp, other, action, exclude, log_missing); ++ return add_syscall_filter_set(seccomp, other, action, exclude, log_missing, added); + + } else { + int id, r; +@@ -916,25 +932,34 @@ int seccomp_add_syscall_filter_item(scmp_filter_ctx *seccomp, const char *name, + return r; + } + ++ if (added) { ++ r = strv_extend(added, name); ++ if (r < 0) ++ return r; ++ } ++ + return 0; + } + } + +-static int seccomp_add_syscall_filter_set( ++static int add_syscall_filter_set( + scmp_filter_ctx seccomp, + const SyscallFilterSet *set, + uint32_t action, + char **exclude, +- bool log_missing) { ++ bool log_missing, ++ char ***added) { + + const char *sys; + int r; + ++ /* Any syscalls that are handled are added to the *added strv. It needs to be initialized. 
*/ ++ + assert(seccomp); + assert(set); + + NULSTR_FOREACH(sys, set->value) { +- r = seccomp_add_syscall_filter_item(seccomp, sys, action, exclude, log_missing); ++ r = seccomp_add_syscall_filter_item(seccomp, sys, action, exclude, log_missing, added); + if (r < 0) + return r; + } +@@ -960,7 +985,7 @@ int seccomp_load_syscall_filter_set(uint32_t default_action, const SyscallFilter + if (r < 0) + return r; + +- r = seccomp_add_syscall_filter_set(seccomp, set, action, NULL, log_missing); ++ r = add_syscall_filter_set(seccomp, set, action, NULL, log_missing, NULL); + if (r < 0) + return log_debug_errno(r, "Failed to add filter set: %m"); + +diff --git a/src/shared/seccomp-util.h b/src/shared/seccomp-util.h +index 541ba1e067..291b2bffe0 100644 +--- a/src/shared/seccomp-util.h ++++ b/src/shared/seccomp-util.h +@@ -59,7 +59,13 @@ const SyscallFilterSet *syscall_filter_set_find(const char *name); + + int seccomp_filter_set_add(Hashmap *s, bool b, const SyscallFilterSet *set); + +-int seccomp_add_syscall_filter_item(scmp_filter_ctx *ctx, const char *name, uint32_t action, char **exclude, bool log_missing); ++int seccomp_add_syscall_filter_item( ++ scmp_filter_ctx *ctx, ++ const char *name, ++ uint32_t action, ++ char **exclude, ++ bool log_missing, ++ char ***added); + + int seccomp_load_syscall_filter_set(uint32_t default_action, const SyscallFilterSet *set, uint32_t action, bool log_missing); + int seccomp_load_syscall_filter_set_raw(uint32_t default_action, Hashmap* set, uint32_t action, bool log_missing); diff --git a/SOURCES/0819-nspawn-return-ENOSYS-by-default-EPERM-for-known-call.patch b/SOURCES/0819-nspawn-return-ENOSYS-by-default-EPERM-for-known-call.patch new file mode 100644 index 0000000..7b29f41 --- /dev/null +++ b/SOURCES/0819-nspawn-return-ENOSYS-by-default-EPERM-for-known-call.patch 
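Review bot: The two comments describing `added` disagree. In `seccomp_add_syscall_filter_item` the pointer "must be either NULL or point to a valid pre-initialized possibly-empty strv", while the comment in `add_syscall_filter_set` says "It needs to be initialized", although `seccomp_load_syscall_filter_set` passes `NULL` to it in this same patch. I would change the second comment to `/* Any syscalls that are handled are appended to *added; added may be NULL to skip collection. */` and repeat the contract on the prototype in seccomp-util.h, which is what external callers read. As far as the hunk shows, a name is also appended when its rule was skipped with -EDOM, and `*added` keeps its partial content when a later item fails. Both facts belong in that comment, because the next patch uses the list as an exclude set.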
@@ -0,0 +1,77 @@ +From 65d64ba146c30a5f205b650381f331fd8db2eb22 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Fri, 21 Aug 2020 17:23:48 +0200 +Subject: [PATCH] nspawn: return ENOSYS by default, EPERM for "known" calls + +(cherry picked from commit 3573e032f26724949e86626eace058d006b8bf70) + +Resolves: #2040247 +--- + src/nspawn/nspawn-seccomp.c | 20 +++++++++++++++----- + 1 file changed, 15 insertions(+), 5 deletions(-) + +diff --git a/src/nspawn/nspawn-seccomp.c b/src/nspawn/nspawn-seccomp.c +index 2b4a65e875..563cda140e 100644 +--- a/src/nspawn/nspawn-seccomp.c ++++ b/src/nspawn/nspawn-seccomp.c +@@ -20,7 +20,7 @@ + + #if HAVE_SECCOMP + +-static int seccomp_add_default_syscall_filter( ++static int add_syscall_filters( + scmp_filter_ctx ctx, + uint32_t arch, + uint64_t cap_list_retain, +@@ -140,6 +140,7 @@ static int seccomp_add_default_syscall_filter( + */ + }; + ++ _cleanup_strv_free_ char **added = NULL; + int r; + size_t i; + char **p; +@@ -153,18 +154,25 @@ static int seccomp_add_default_syscall_filter( + SCMP_ACT_ALLOW, + syscall_blacklist, + false, +- NULL); ++ &added); + if (r < 0) + return log_error_errno(r, "Failed to add syscall filter item %s: %m", whitelist[i].name); + } + + STRV_FOREACH(p, syscall_whitelist) { +- r = seccomp_add_syscall_filter_item(ctx, *p, SCMP_ACT_ALLOW, syscall_blacklist, false, NULL); ++ r = seccomp_add_syscall_filter_item(ctx, *p, SCMP_ACT_ALLOW, syscall_blacklist, true, &added); + if (r < 0) + log_warning_errno(r, "Failed to add rule for system call %s on %s, ignoring: %m", + *p, seccomp_arch_to_string(arch)); + } + ++ /* The default action is ENOSYS. Respond with EPERM to all other "known" but not allow-listed ++ * syscalls. 
*/ ++ r = seccomp_add_syscall_filter_item(ctx, "@known", SCMP_ACT_ERRNO(EPERM), added, true, NULL); ++ if (r < 0) ++ log_warning_errno(r, "Failed to add rule for @known set on %s, ignoring: %m", ++ seccomp_arch_to_string(arch)); ++ + return 0; + } + +@@ -182,11 +190,13 @@ int setup_seccomp(uint64_t cap_list_retain, char **syscall_whitelist, char **sys + + log_debug("Applying whitelist on architecture: %s", seccomp_arch_to_string(arch)); + +- r = seccomp_init_for_arch(&seccomp, arch, SCMP_ACT_ERRNO(EPERM)); ++ /* We install ENOSYS as the default action, but it will only apply to syscalls which are not ++ * in the @known set, see above. */ ++ r = seccomp_init_for_arch(&seccomp, arch, SCMP_ACT_ERRNO(ENOSYS)); + if (r < 0) + return log_error_errno(r, "Failed to allocate seccomp object: %m"); + +- r = seccomp_add_default_syscall_filter(seccomp, arch, cap_list_retain, syscall_whitelist, syscall_blacklist); ++ r = add_syscall_filters(seccomp, arch, cap_list_retain, syscall_whitelist, syscall_blacklist); + if (r < 0) + return r; + diff --git a/SOURCES/0820-test-procfs-util-skip-test-on-certain-errors.patch b/SOURCES/0820-test-procfs-util-skip-test-on-certain-errors.patch new file mode 100644 index 0000000..55ece1d --- /dev/null +++ b/SOURCES/0820-test-procfs-util-skip-test-on-certain-errors.patch 
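Review bot: The new `@known` call at the end of `add_syscall_filters` only warns on failure, and the set helper shown in the preceding patch returns from its `NULSTR_FOREACH` loop on the first error, so one failing entry leaves the rest of the set without an EPERM rule. Those calls are still refused through the `SCMP_ACT_ERRNO(ENOSYS)` default installed in `setup_seccomp`, so the filter stays closed, but the container then sees ENOSYS for calls the kernel does implement, which the comment there does not anticipate. I would record that next to the warning, e.g. `/* Non-fatal: calls not reached stay denied, but report ENOSYS instead of EPERM. */`. It is also worth stating in the same comment that `added` must be complete before this call, since it is passed as the exclude list and is what keeps allow-listed calls out of the EPERM set. The body of `add_syscall_filters` begins outside the hunk.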
@@ -0,0 +1,75 @@ +From 33305c6801c10b741b11a3f329dc339d2e8c5514 Mon Sep 17 00:00:00 2001 +From: Lukas Nykryn +Date: Thu, 18 Aug 2022 16:35:23 +0200 +Subject: [PATCH] test-procfs-util: skip test on certain errors + +Inspired by upstream bf47f71c1c + +RHEL-only +Related: #2087152 +--- + src/shared/tests.c | 12 ++++++++++++ + src/shared/tests.h | 2 ++ + src/test/test-procfs-util.c | 6 ++++-- + 3 files changed, 18 insertions(+), 2 deletions(-) + +diff --git a/src/shared/tests.c b/src/shared/tests.c +index 1da80d653f..b1c71b992f 100644 +--- a/src/shared/tests.c ++++ b/src/shared/tests.c +@@ -78,6 +78,18 @@ void test_setup_logging(int level) { + log_open(); + } + ++int log_tests_skipped(const char *message) { ++ log_notice("%s: %s, skipping tests.", ++ program_invocation_short_name, message); ++ return EXIT_TEST_SKIP; ++} ++ ++int log_tests_skipped_errno(int r, const char *message) { ++ log_notice_errno(r, "%s: %s, skipping tests: %m", ++ program_invocation_short_name, message); ++ return EXIT_TEST_SKIP; ++} ++ + const char *ci_environment(void) { + /* We return a string because we might want to provide multiple bits of information later on: not + * just the general CI environment type, but also whether we're sanitizing or not, etc. The caller is +diff --git a/src/shared/tests.h b/src/shared/tests.h +index 4f8f349097..d50711338c 100644 +--- a/src/shared/tests.h ++++ b/src/shared/tests.h +@@ -5,6 +5,8 @@ char* setup_fake_runtime_dir(void); + bool test_is_running_from_builddir(char **exedir); + const char* get_testdata_dir(void); + void test_setup_logging(int level); ++int log_tests_skipped(const char *message); ++int log_tests_skipped_errno(int r, const char *message); + + /* Provide a convenient way to check if we're running in CI. 
*/ + const char *ci_environment(void); +diff --git a/src/test/test-procfs-util.c b/src/test/test-procfs-util.c +index d656c4df4f..aba5692e54 100644 +--- a/src/test/test-procfs-util.c ++++ b/src/test/test-procfs-util.c +@@ -7,6 +7,7 @@ + #include "procfs-util.h" + #include "process-util.h" + #include "util.h" ++#include "tests.h" + + int main(int argc, char *argv[]) { + char buf[CONST_MAX(FORMAT_TIMESPAN_MAX, FORMAT_BYTES_MAX)]; +@@ -52,8 +53,9 @@ int main(int argc, char *argv[]) { + log_info("Reducing limit by one to %"PRIu64"…", v-1); + + r = procfs_tasks_set_limit(v-1); +- log_info_errno(r, "procfs_tasks_set_limit: %m"); +- assert_se(r >= 0 || ERRNO_IS_PRIVILEGE(r) || r == -EROFS); ++ if (IN_SET(r, -ENOENT, -EROFS) || ERRNO_IS_PRIVILEGE(r)) ++ return log_tests_skipped_errno(r, "can't set tasks limit"); ++ assert_se(r >= 0); + + assert_se(procfs_get_threads_max(&w) >= 0); + assert_se(r >= 0 ? w == v - 1 : w == v); diff --git a/SPECS/systemd.spec b/SPECS/systemd.spec index 61646ee..a3255fa 100644 --- a/SPECS/systemd.spec +++ b/SPECS/systemd.spec @@ -13,7 +13,7 @@ Name: systemd Url: http://www.freedesktop.org/wiki/Software/systemd Version: 239 -Release: 62%{?dist} +Release: 65%{?dist} # For a breakdown of the licensing, see README License: LGPLv2+ and MIT and GPLv2+ Summary: System and Service Manager 
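Review bot: After the new early return and `assert_se(r >= 0);` in test-procfs-util.c, the following context line `assert_se(r >= 0 ? w == v - 1 : w == v);` can only take its first branch, so the `w == v` arm is dead and the line can read `assert_se(w == v - 1);`. The skip condition also gains `-ENOENT` without saying when it occurs; a one-line comment above the `IN_SET` test naming the environments that produce `-ENOENT` and `-EROFS` (presumably a missing or read-only /proc/sys, to be confirmed) would keep the skip from hiding a real regression later. `main` continues outside the hunk.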
@@ -841,7 +841,35 @@ Patch0788: 0788-test-replace-swear-words-by-hoge.patch Patch0789: 0789-core-add-new-environment-variable-RUNTIME_DIRECTORY-.patch Patch0790: 0790-test-execute-add-tests-for-RUNTIME_DIRECTORY-or-frie.patch Patch0791: 0791-man-document-RUNTIME_DIRECTORY-or-friends.patch - +Patch0792: 0792-ci-bump-the-worker-Ubuntu-version-to-Jammy.patch +Patch0793: 0793-test-make-test-execute-pass-on-Linux-5.15.patch +Patch0794: 0794-ci-install-iputils.patch +Patch0795: 0795-ci-Mergify-Add-ci-waived-logic.patch +Patch0796: 0796-sd-event-don-t-invalidate-source-type-on-disconnect.patch +Patch0797: 0797-tests-make-sure-we-delay-running-mount-start-jobs-wh.patch +Patch0798: 0798-core-drop-references-to-StandardOutputFileToCreate.patch +Patch0799: 0799-dbus-execute-fix-indentation.patch +Patch0800: 0800-dbus-execute-generate-the-correct-transient-unit-set.patch +Patch0801: 0801-bus-unit-util-properly-accept-StandardOutput-append-.patch +Patch0802: 0802-core-be-more-careful-when-inheriting-stdout-fds-to-s.patch +Patch0803: 0803-test-add-a-test-for-StandardError-file.patch +Patch0804: 0804-tree-wide-allow-ASCII-fallback-for-in-logs.patch +Patch0805: 0805-tree-wide-allow-ASCII-fallback-for-in-logs.patch +Patch0806: 0806-core-allow-to-set-default-timeout-for-devices.patch +Patch0807: 0807-man-document-DefaultDeviceTimeoutSec.patch +Patch0808: 0808-Revert-core-Propagate-condition-failed-state-to-trig.patch +Patch0809: 0809-core-Check-unit-start-rate-limiting-earlier.patch +Patch0810: 0810-core-Add-trigger-limit-for-path-units.patch +Patch0811: 0811-meson-add-syscall-names-update-target.patch +Patch0812: 0812-syscall-names-add-process_madvise-which-is-planned-f.patch +Patch0813: 0813-shared-add-known-syscall-list.patch +Patch0814: 0814-generate-syscall-list-require-python3.patch +Patch0815: 0815-shared-seccomp-reduce-scope-of-indexing-variables.patch +Patch0816: 0816-shared-syscall-list-filter-out-some-obviously-platfo.patch +Patch0817: 
0817-seccomp-tighten-checking-of-seccomp-filter-creation.patch +Patch0818: 0818-shared-seccomp-util-added-functionality-to-make-list.patch +Patch0819: 0819-nspawn-return-ENOSYS-by-default-EPERM-for-known-call.patch +Patch0820: 0820-test-procfs-util-skip-test-on-certain-errors.patch %ifarch %{ix86} x86_64 aarch64 %global have_gnu_efi 1 
@@ -1471,6 +1499,43 @@ fi %files tests -f .file-list-tests %changelog +* Fri Aug 19 2022 systemd maintenance team - 239-65 +- test-procfs-util: skip test on certain errors (#2087152) + +* Thu Aug 18 2022 systemd maintenance team - 239-64 +- ci: bump the worker Ubuntu version to Jammy (#2087152) +- test: make test-execute pass on Linux 5.15 (#2087152) +- ci: install iputils (#2087152) +- ci(Mergify): Add `ci-waived` logic (#2087152) +- sd-event: don't invalidate source type on disconnect (#2115396) +- tests: make sure we delay running mount start jobs when /p/s/mountinfo is rate limited (#2095744) +- core: drop references to 'StandardOutputFileToCreate' (#2093479) +- dbus-execute: fix indentation (#2093479) +- dbus-execute: generate the correct transient unit setting (#2093479) +- bus-unit-util: properly accept StandardOutput=append:… settings (#2093479) +- core: be more careful when inheriting stdout fds to stderr (#2093479) +- test: add a test for StandardError=file:… (#2093479) +- tree-wide: allow ASCII fallback for → in logs (#2093479) +- tree-wide: allow ASCII fallback for … in logs (#2093479) +- core: allow to set default timeout for devices (#1967245) +- man: document DefaultDeviceTimeoutSec= (#1967245) +- Revert "core: Propagate condition failed state to triggering units." 
(#2114005) +- core: Check unit start rate limiting earlier (#2114005) +- core: Add trigger limit for path units (#2114005) +- meson: add syscall-names-update target (#2040247) +- syscall-names: add process_madvise which is planned for 5.10 (#2040247) +- shared: add @known syscall list (#2040247) +- generate-syscall-list: require python3 (#2040247) +- shared/seccomp: reduce scope of indexing variables (#2040247) +- shared/syscall-list: filter out some obviously platform-specific syscalls (#2040247) +- seccomp: tighten checking of seccomp filter creation (#2040247) +- shared/seccomp-util: added functionality to make list of filtred syscalls (#2040247) +- nspawn: return ENOSYS by default, EPERM for "known" calls (#2040247) +- revert: resolved: pin stream while calling callbacks for it (#2110549) + +* Wed Aug 03 2022 systemd maintenance team - 239-63 +- resolved: pin stream while calling callbacks for it (#2110549) + * Mon Jul 18 2022 systemd maintenance team - 239-62 - spec: Remove dependency on timedatex (#2066946)