From ae48806c2ecace91faeabe3778253e94fc249274 Mon Sep 17 00:00:00 2001 From: Anita Zhang Date: Jul 28 2021 01:56:22 +0000 Subject: 249.2-1.1: new release --- diff --git a/.systemd.metadata b/.systemd.metadata index 3d124b3..f971042 100644 --- a/.systemd.metadata +++ b/.systemd.metadata @@ -1 +1 @@ -5b3ef156651d2879a54b7e1635792fad038f637f SOURCES/systemd-248.5.tar.gz +9fdcf03e0c88b3aa98c95626a588311084ef9047 SOURCES/systemd-249.2.tar.gz diff --git a/SOURCES/13496-fb.patch b/SOURCES/13496-fb.patch deleted file mode 100644 index 2f16d58..0000000 --- a/SOURCES/13496-fb.patch +++ /dev/null @@ -1,1738 +0,0 @@ -From 6999572c06303057dbdc16c04c523f407aec08bd Mon Sep 17 00:00:00 2001 -From: Julia Kartseva -Date: Wed, 16 Sep 2020 15:58:04 -0700 -Subject: [PATCH 1/9] shared: add bpf-program helpers - -Add helpers to: -- Create new BPFProgram instance from a path in bpf -filesystem and bpf attach type; -- Pin a program to bpf fs; -- Get BPF program ID by BPF program FD. ---- - src/shared/bpf-program.c | 80 ++++++++++++++++++++++++++++++++++++++++ - src/shared/bpf-program.h | 5 ++- - 2 files changed, 84 insertions(+), 1 deletion(-) - -diff --git a/src/shared/bpf-program.c b/src/shared/bpf-program.c -index 10239142af..d67ada23b0 100644 ---- a/src/shared/bpf-program.c -+++ b/src/shared/bpf-program.c -@@ -12,6 +12,26 @@ - #include "missing_syscall.h" - #include "path-util.h" - -+ /* struct bpf_prog_info info must be initialized since its value is both input and output -+ * for BPF_OBJ_GET_INFO_BY_FD syscall. */ -+static int bpf_program_get_info_by_fd(int prog_fd, struct bpf_prog_info *info, uint32_t info_len) { -+ union bpf_attr attr; -+ -+ /* Explicitly memset to zero since some compilers may produce non-zero-initialized padding when -+ * structured initialization is used. -+ * Refer to https://github.com/systemd/systemd/issues/18164 -+ */ -+ zero(attr); -+ attr.info.bpf_fd = prog_fd; -+ attr.info.info_len = info_len; -+ attr.info.info = PTR_TO_UINT64(info); -+ -+ if (bpf(BPF_OBJ_GET_INFO_BY_FD, &attr, sizeof(attr)) < 0) -+ return -errno; -+ -+ return 0; -+} -+ - int bpf_program_new(uint32_t prog_type, BPFProgram **ret) { - _cleanup_(bpf_program_unrefp) BPFProgram *p = NULL; - -@@ -28,6 +48,38 @@ int bpf_program_new(uint32_t prog_type, BPFProgram **ret) { - return 0; - } - -+int bpf_program_new_from_bpffs_path(const char *path, BPFProgram **ret) { -+ _cleanup_(bpf_program_unrefp) BPFProgram *p = NULL; -+ struct bpf_prog_info info = {}; -+ int r; -+ -+ assert(path); -+ assert(ret); -+ -+ p = new(BPFProgram, 1); -+ if (!p) -+ return -ENOMEM; -+ -+ *p = (BPFProgram) { -+ .prog_type = BPF_PROG_TYPE_UNSPEC, -+ .n_ref = 1, -+ .kernel_fd = -1, -+ }; -+ -+ r = bpf_program_load_from_bpf_fs(p, path); -+ if (r < 0) -+ return r; -+ -+ r = bpf_program_get_info_by_fd(p->kernel_fd, &info, sizeof(info)); -+ if (r < 0) -+ return r; -+ -+ p->prog_type = info.type; -+ *ret = TAKE_PTR(p); -+ -+ return 0; -+} -+ - static BPFProgram *bpf_program_free(BPFProgram *p) { - assert(p); - -@@ -254,3 +306,31 @@ int bpf_map_lookup_element(int fd, const void *key, void *value) { - - return 0; - } -+ -+int bpf_program_pin(int prog_fd, const char *bpffs_path) { -+ union bpf_attr attr; -+ -+ zero(attr); -+ attr.pathname = PTR_TO_UINT64((void *) bpffs_path); -+ attr.bpf_fd = prog_fd; -+ -+ if (bpf(BPF_OBJ_PIN, &attr, sizeof(attr)) < 0) -+ return -errno; -+ -+ return 0; -+} -+ -+int bpf_program_get_id_by_fd(int prog_fd, uint32_t *ret_id) { -+ struct bpf_prog_info info = {}; -+ int r; -+ -+ assert(ret_id); -+ -+ r = bpf_program_get_info_by_fd(prog_fd, &info, sizeof(info)); -+ if (r < 0) -+ return r; -+ -+ *ret_id = info.id; -+ -+ return 0; -+}; -diff --git a/src/shared/bpf-program.h b/src/shared/bpf-program.h -index eef77f9d8e..243cef923f 100644 ---- a/src/shared/bpf-program.h -+++ b/src/shared/bpf-program.h -@@ -26,8 +26,9 @@ struct BPFProgram { - }; - - int bpf_program_new(uint32_t prog_type, BPFProgram **ret); --BPFProgram *bpf_program_unref(BPFProgram *p); -+int bpf_program_new_from_bpffs_path(const char *path, BPFProgram **ret); - BPFProgram *bpf_program_ref(BPFProgram *p); -+BPFProgram *bpf_program_unref(BPFProgram *p); - - int bpf_program_add_instructions(BPFProgram *p, const struct bpf_insn *insn, size_t count); - int bpf_program_load_kernel(BPFProgram *p, char *log_buf, size_t log_size); -@@ -35,6 +36,8 @@ int bpf_program_load_from_bpf_fs(BPFProgram *p, const char *path); - - int bpf_program_cgroup_attach(BPFProgram *p, int type, const char *path, uint32_t flags); - int bpf_program_cgroup_detach(BPFProgram *p); -+int bpf_program_pin(int prog_fd, const char *bpffs_path); -+int bpf_program_get_id_by_fd(int prog_fd, uint32_t *ret_id); - - int bpf_map_new(enum bpf_map_type type, size_t key_size, size_t value_size, size_t max_entries, uint32_t flags); - int bpf_map_update_element(int fd, const void *key, void *value); --- -2.30.2 - - -From b04b09640c624df8f64944dead8d59faa0521d2e Mon Sep 17 00:00:00 2001 -From: Julia Kartseva -Date: Thu, 4 Feb 2021 00:02:07 -0800 -Subject: [PATCH 2/9] shared: bpf_attach_type {from,to} string - -Introduce bpf_cgroup_attach_type_table with accustomed attached type -names also used in bpftool. -Add bpf_cgroup_attach_type_{from|to}_string helpers to convert from|to -string representation of pinned bpf program, e.g. -"egress:/sys/fs/bpf/egress-hook" for -/sys/fs/bpf/egress-hook path and BPF_CGROUP_INET_EGRESS attach type. ---- - src/shared/bpf-program.c | 24 ++++++++++++++++++++++++ - src/shared/bpf-program.h | 3 +++ - 2 files changed, 27 insertions(+) - -diff --git a/src/shared/bpf-program.c b/src/shared/bpf-program.c -index d67ada23b0..a8a34521fd 100644 ---- a/src/shared/bpf-program.c -+++ b/src/shared/bpf-program.c -@@ -11,6 +11,30 @@ - #include "memory-util.h" - #include "missing_syscall.h" - #include "path-util.h" -+#include "string-table.h" -+ -+static const char *const bpf_cgroup_attach_type_table[__MAX_BPF_ATTACH_TYPE] = { -+ [BPF_CGROUP_INET_INGRESS] = "ingress", -+ [BPF_CGROUP_INET_EGRESS] = "egress", -+ [BPF_CGROUP_INET_SOCK_CREATE] = "sock_create", -+ [BPF_CGROUP_SOCK_OPS] = "sock_ops", -+ [BPF_CGROUP_DEVICE] = "device", -+ [BPF_CGROUP_INET4_BIND] = "bind4", -+ [BPF_CGROUP_INET6_BIND] = "bind6", -+ [BPF_CGROUP_INET4_CONNECT] = "connect4", -+ [BPF_CGROUP_INET6_CONNECT] = "connect6", -+ [BPF_CGROUP_INET4_POST_BIND] = "post_bind4", -+ [BPF_CGROUP_INET6_POST_BIND] = "post_bind6", -+ [BPF_CGROUP_UDP4_SENDMSG] = "sendmsg4", -+ [BPF_CGROUP_UDP6_SENDMSG] = "sendmsg6", -+ [BPF_CGROUP_SYSCTL] = "sysctl", -+ [BPF_CGROUP_UDP4_RECVMSG] = "recvmsg4", -+ [BPF_CGROUP_UDP6_RECVMSG] = "recvmsg6", -+ [BPF_CGROUP_GETSOCKOPT] = "getsockopt", -+ [BPF_CGROUP_SETSOCKOPT] = "setsockopt", -+}; -+ -+DEFINE_STRING_TABLE_LOOKUP(bpf_cgroup_attach_type, int); - - /* struct bpf_prog_info info must be initialized since its value is both input and output - * for BPF_OBJ_GET_INFO_BY_FD syscall. */ -diff --git a/src/shared/bpf-program.h b/src/shared/bpf-program.h -index 243cef923f..86fd338c93 100644 ---- a/src/shared/bpf-program.h -+++ b/src/shared/bpf-program.h -@@ -43,4 +43,7 @@ int bpf_map_new(enum bpf_map_type type, size_t key_size, size_t value_size, size - int bpf_map_update_element(int fd, const void *key, void *value); - int bpf_map_lookup_element(int fd, const void *key, void *value); - -+int bpf_cgroup_attach_type_from_string(const char *str) _pure_; -+const char *bpf_cgroup_attach_type_to_string(int attach_type) _const_; -+ - DEFINE_TRIVIAL_CLEANUP_FUNC(BPFProgram*, bpf_program_unref); --- -2.30.2 - - -From 2ab40fe0dc0f5ec83fe73bc750e9b3f5aabf1fb9 Mon Sep 17 00:00:00 2001 -From: Julia Kartseva -Date: Mon, 1 Mar 2021 16:56:04 -0800 -Subject: [PATCH 3/9] cgroup: add foreign program to cgroup context - -- Store foreign bpf programs in cgroup context. A program is considered -foreign if it was loaded to a kernel by an entity external to systemd, -so systemd is responsible only for attach and detach paths. -- Support the case of pinned bpf programs: pinning to bpffs so a program -is kept loaded to the kernel even when program fd is closed by a user -application is a common way to extend program's lifetime. -- Aadd linked list node struct with attach type and bpffs path -fields. ---- - src/core/cgroup.c | 45 +++++++++++++++++++++++++++++++++++++++++++++ - src/core/cgroup.h | 10 ++++++++++ - 2 files changed, 55 insertions(+) - -diff --git a/src/core/cgroup.c b/src/core/cgroup.c -index 3ed6ac09ff..a0af50518d 100644 ---- a/src/core/cgroup.c -+++ b/src/core/cgroup.c -@@ -190,6 +190,15 @@ void cgroup_context_free_blockio_device_bandwidth(CGroupContext *c, CGroupBlockI - free(b); - } - -+void cgroup_context_remove_bpf_foreign_program(CGroupContext *c, CGroupBPFForeignProgram *p) { -+ assert(c); -+ assert(p); -+ -+ LIST_REMOVE(programs, c->bpf_foreign_programs, p); -+ free(p->bpffs_path); -+ free(p); -+} -+ - void cgroup_context_done(CGroupContext *c) { - assert(c); - -@@ -217,6 +226,9 @@ void cgroup_context_done(CGroupContext *c) { - c->ip_filters_ingress = strv_free(c->ip_filters_ingress); - c->ip_filters_egress = strv_free(c->ip_filters_egress); - -+ while (c->bpf_foreign_programs) -+ cgroup_context_remove_bpf_foreign_program(c, c->bpf_foreign_programs); -+ - cpu_set_reset(&c->cpuset_cpus); - cpu_set_reset(&c->cpuset_mems); - } -@@ -360,6 +372,7 @@ void cgroup_context_dump(Unit *u, FILE* f, const char *prefix) { - CGroupIODeviceLatency *l; - CGroupBlockIODeviceBandwidth *b; - CGroupBlockIODeviceWeight *w; -+ CGroupBPFForeignProgram *p; - CGroupDeviceAllow *a; - CGroupContext *c; - IPAddressAccessItem *iaai; -@@ -544,6 +557,10 @@ void cgroup_context_dump(Unit *u, FILE* f, const char *prefix) { - - STRV_FOREACH(path, c->ip_filters_egress) - fprintf(f, "%sIPEgressFilterPath: %s\n", prefix, *path); -+ -+ LIST_FOREACH(programs, p, c->bpf_foreign_programs) -+ fprintf(f, "%sBPFProgram: %s:%s", -+ prefix, bpf_cgroup_attach_type_to_string(p->attach_type), p->bpffs_path); - } - - int cgroup_add_device_allow(CGroupContext *c, const char *dev, const char *mode) { -@@ -575,6 +592,34 @@ int cgroup_add_device_allow(CGroupContext *c, const char *dev, const char *mode) - return 0; - } - -+int cgroup_add_bpf_foreign_program(CGroupContext *c, uint32_t attach_type, const char *bpffs_path) { -+ CGroupBPFForeignProgram *p; -+ _cleanup_free_ char *d = NULL; -+ -+ assert(c); -+ assert(bpffs_path); -+ -+ if (!path_is_normalized(bpffs_path) || !path_is_absolute(bpffs_path)) -+ return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Path is not normalized: %m"); -+ -+ d = strdup(bpffs_path); -+ if (!d) -+ return log_oom(); -+ -+ p = new(CGroupBPFForeignProgram, 1); -+ if (!p) -+ return log_oom(); -+ -+ *p = (CGroupBPFForeignProgram) { -+ .attach_type = attach_type, -+ .bpffs_path = TAKE_PTR(d), -+ }; -+ -+ LIST_PREPEND(programs, c->bpf_foreign_programs, TAKE_PTR(p)); -+ -+ return 0; -+} -+ - #define UNIT_DEFINE_ANCESTOR_MEMORY_LOOKUP(entry) \ - uint64_t unit_get_ancestor_##entry(Unit *u) { \ - CGroupContext *c; \ -diff --git a/src/core/cgroup.h b/src/core/cgroup.h -index fa79ba1523..be3060eba7 100644 ---- a/src/core/cgroup.h -+++ b/src/core/cgroup.h -@@ -31,6 +31,7 @@ typedef struct CGroupIODeviceLimit CGroupIODeviceLimit; - typedef struct CGroupIODeviceLatency CGroupIODeviceLatency; - typedef struct CGroupBlockIODeviceWeight CGroupBlockIODeviceWeight; - typedef struct CGroupBlockIODeviceBandwidth CGroupBlockIODeviceBandwidth; -+typedef struct CGroupBPFForeignProgram CGroupBPFForeignProgram; - - typedef enum CGroupDevicePolicy { - /* When devices listed, will allow those, plus built-in ones, if none are listed will allow -@@ -94,6 +95,12 @@ struct CGroupBlockIODeviceBandwidth { - uint64_t wbps; - }; - -+struct CGroupBPFForeignProgram { -+ LIST_FIELDS(CGroupBPFForeignProgram, programs); -+ uint32_t attach_type; -+ char *bpffs_path; -+}; -+ - struct CGroupContext { - bool cpu_accounting; - bool io_accounting; -@@ -142,6 +149,7 @@ struct CGroupContext { - - char **ip_filters_ingress; - char **ip_filters_egress; -+ LIST_HEAD(CGroupBPFForeignProgram, bpf_foreign_programs); - - /* For legacy hierarchies */ - uint64_t cpu_shares; -@@ -202,8 +210,10 @@ void cgroup_context_free_io_device_limit(CGroupContext *c, CGroupIODeviceLimit * - void cgroup_context_free_io_device_latency(CGroupContext *c, CGroupIODeviceLatency *l); - void cgroup_context_free_blockio_device_weight(CGroupContext *c, CGroupBlockIODeviceWeight *w); - void cgroup_context_free_blockio_device_bandwidth(CGroupContext *c, CGroupBlockIODeviceBandwidth *b); -+void cgroup_context_remove_bpf_foreign_program(CGroupContext *c, CGroupBPFForeignProgram *p); - - int cgroup_add_device_allow(CGroupContext *c, const char *dev, const char *mode); -+int cgroup_add_bpf_foreign_program(CGroupContext *c, uint32_t attach_type, const char *path); - - void cgroup_oomd_xattr_apply(Unit *u, const char *cgroup_path); - --- -2.30.2 - - -From 42b3c33e312d70fec24b5daa455ab4abdcab81b4 Mon Sep 17 00:00:00 2001 -From: Julia Kartseva -Date: Wed, 16 Sep 2020 15:58:04 -0700 -Subject: [PATCH 4/9] core: add bpf-foreign unit helpers - -- Introduce support of cgroup-bpf programs managed (i.e. compiled, -loaded to and unloaded from kernel) externally. Systemd is only -responsible for attaching programs to unit cgroup hence the name -'foreign'. - -Foreign BPF programs are identified by bpf program ID and attach type. - -systemd: -- Gets kernel FD of BPF program; -- Makes a unique identifier of BPF program from BPF attach type and -program ID. Same program IDs mean the same program, i.e the same -chunk of kernel memory. Even if the same program is passed multiple -times, identical (program_id, attach_type) instances are collapsed -into one; -- Attaches programs to unit cgroup. ---- - src/core/bpf-foreign.c | 151 +++++++++++++++++++++++++++++++++++++++++ - src/core/bpf-foreign.h | 12 ++++ - src/core/meson.build | 2 + - src/core/unit.c | 3 + - src/core/unit.h | 4 ++ - 5 files changed, 172 insertions(+) - create mode 100644 src/core/bpf-foreign.c - create mode 100644 src/core/bpf-foreign.h - -diff --git a/src/core/bpf-foreign.c b/src/core/bpf-foreign.c -new file mode 100644 -index 0000000000..98655bda3c ---- /dev/null -+++ b/src/core/bpf-foreign.c -@@ -0,0 +1,151 @@ -+/* SPDX-License-Identifier: LGPL-2.1+ */ -+ -+#include "bpf-foreign.h" -+#include "bpf-program.h" -+#include "cgroup.h" -+#include "memory-util.h" -+#include "mountpoint-util.h" -+#include "set.h" -+ -+typedef struct BPFForeignKey BPFForeignKey; -+struct BPFForeignKey { -+ uint32_t prog_id; -+ uint32_t attach_type; -+}; -+ -+static int bpf_foreign_key_new(uint32_t prog_id, -+ enum bpf_attach_type attach_type, -+ BPFForeignKey **ret) { -+ _cleanup_free_ BPFForeignKey *p = NULL; -+ -+ assert(ret); -+ -+ p = new(BPFForeignKey, 1); -+ if (!p) -+ return log_oom(); -+ -+ *p = (BPFForeignKey) { -+ .prog_id = prog_id, -+ .attach_type = attach_type, -+ }; -+ -+ *ret = TAKE_PTR(p); -+ -+ return 0; -+} -+ -+static int bpf_foreign_key_compare_func(const BPFForeignKey *a, const BPFForeignKey *b) { -+ int r = CMP(a->prog_id, b->prog_id); -+ if (r != 0) -+ return r; -+ -+ return CMP(a->attach_type, b->attach_type); -+} -+ -+static void bpf_foreign_key_hash_func(const BPFForeignKey *p, struct siphash *h) { -+ siphash24_compress(&p->prog_id, sizeof(p->prog_id), h); -+ siphash24_compress(&p->attach_type, sizeof(p->attach_type), h); -+} -+ -+DEFINE_PRIVATE_HASH_OPS_FULL(bpf_foreign_by_key_hash_ops, -+ BPFForeignKey, bpf_foreign_key_hash_func, bpf_foreign_key_compare_func, free, -+ BPFProgram, bpf_program_unref); -+ -+static int attach_programs(Unit *u, const char *path, Hashmap* foreign_by_key, uint32_t attach_flags) { -+ const BPFForeignKey *key; -+ BPFProgram *prog; -+ int r; -+ -+ assert(u); -+ -+ HASHMAP_FOREACH_KEY(prog, key, foreign_by_key) { -+ r = bpf_program_cgroup_attach(prog, key->attach_type, path, attach_flags); -+ if (r < 0) -+ return log_unit_error_errno(u, r, "Attaching foreign BPF program to cgroup %s failed: %m", path); -+ } -+ -+ return 0; -+} -+ -+/* -+ * Prepare foreign BPF program for installation: -+ * - Load the program from BPF filesystem to the kernel; -+ * - Store program FD identified by program ID and attach type in the unit. -+ */ -+static int bpf_foreign_prepare( -+ Unit *u, -+ enum bpf_attach_type attach_type, -+ const char *bpffs_path) { -+ _cleanup_(bpf_program_unrefp) BPFProgram *prog = NULL; -+ _cleanup_free_ BPFForeignKey *key = NULL; -+ uint32_t prog_id; -+ int r; -+ -+ assert(u); -+ assert(bpffs_path); -+ -+ r = bpf_program_new_from_bpffs_path(bpffs_path, &prog); -+ if (r < 0) -+ return log_unit_error_errno(u, r, "Failed to create foreign BPFProgram: %m"); -+ -+ r = bpf_program_get_id_by_fd(prog->kernel_fd, &prog_id); -+ if (r < 0) -+ return log_unit_error_errno(u, r, "Failed to get BPF program id by fd: %m"); -+ -+ r = bpf_foreign_key_new(prog_id, attach_type, &key); -+ if (r < 0) -+ return log_unit_error_errno(u, r, -+ "Failed to create foreign BPF program key from path '%s': %m", bpffs_path); -+ -+ r = hashmap_ensure_put(&u->bpf_foreign_by_key, &bpf_foreign_by_key_hash_ops, key, prog); -+ if (r == -EEXIST) { -+ log_unit_warning_errno(u, r, "Foreign BPF program already exists, ignoring: %m"); -+ return 0; -+ } -+ if (r < 0) -+ return log_unit_error_errno(u, r, "Failed to put foreign BPFProgram into map: %m"); -+ -+ TAKE_PTR(key); -+ TAKE_PTR(prog); -+ -+ return 0; -+} -+ -+int bpf_foreign_supported(void) { -+ int r; -+ -+ r = cg_all_unified(); -+ if (r <= 0) -+ return r; -+ -+ return path_is_mount_point("/sys/fs/bpf", NULL, 0); -+} -+ -+int bpf_foreign_install(Unit *u) { -+ _cleanup_free_ char *cgroup_path = NULL; -+ CGroupBPFForeignProgram *p; -+ CGroupContext *cc; -+ int r; -+ -+ assert(u); -+ -+ cc = unit_get_cgroup_context(u); -+ if (!cc) -+ return 0; -+ -+ r = cg_get_path(SYSTEMD_CGROUP_CONTROLLER, u->cgroup_path, NULL, &cgroup_path); -+ if (r < 0) -+ return log_unit_error_errno(u, r, "Failed to get cgroup path: %m"); -+ -+ LIST_FOREACH(programs, p, cc->bpf_foreign_programs) { -+ r = bpf_foreign_prepare(u, p->attach_type, p->bpffs_path); -+ if (r < 0) -+ return log_unit_error_errno(u, r, "Failed to prepare foreign BPF hashmap: %m"); -+ } -+ -+ r = attach_programs(u, cgroup_path, u->bpf_foreign_by_key, BPF_F_ALLOW_MULTI); -+ if (r < 0) -+ return log_unit_error_errno(u, r, "Failed to install foreign BPF programs: %m"); -+ -+ return 0; -+} -diff --git a/src/core/bpf-foreign.h b/src/core/bpf-foreign.h -new file mode 100644 -index 0000000000..7704986e3e ---- /dev/null -+++ b/src/core/bpf-foreign.h -@@ -0,0 +1,12 @@ -+/* SPDX-License-Identifier: LGPL-2.1+ */ -+ -+#pragma once -+ -+#include "unit.h" -+ -+int bpf_foreign_supported(void); -+/* -+ * Attach cgroup-bpf programs foreign to systemd, i.e. loaded to the kernel by an entity -+ * external to systemd. -+ */ -+int bpf_foreign_install(Unit *u); -diff --git a/src/core/meson.build b/src/core/meson.build -index a389c906b3..a1294f3a72 100644 ---- a/src/core/meson.build -+++ b/src/core/meson.build -@@ -11,6 +11,8 @@ libcore_sources = ''' - bpf-devices.h - bpf-firewall.c - bpf-firewall.h -+ bpf-foreign.c -+ bpf-foreign.h - cgroup.c - cgroup.h - core-varlink.c -diff --git a/src/core/unit.c b/src/core/unit.c -index c212f1043d..b7141b29af 100644 ---- a/src/core/unit.c -+++ b/src/core/unit.c -@@ -11,6 +11,7 @@ - #include "all-units.h" - #include "alloc-util.h" - #include "bpf-firewall.h" -+#include "bpf-foreign.h" - #include "bus-common-errors.h" - #include "bus-util.h" - #include "cgroup-setup.h" -@@ -723,6 +724,8 @@ Unit* unit_free(Unit *u) { - set_free(u->ip_bpf_custom_ingress_installed); - set_free(u->ip_bpf_custom_egress_installed); - -+ hashmap_free(u->bpf_foreign_by_key); -+ - bpf_program_unref(u->bpf_device_control_installed); - - condition_free_list(u->conditions); -diff --git a/src/core/unit.h b/src/core/unit.h -index 264431d04d..6de529af92 100644 ---- a/src/core/unit.h -+++ b/src/core/unit.h -@@ -305,6 +305,10 @@ typedef struct Unit { - Set *ip_bpf_custom_egress; - Set *ip_bpf_custom_egress_installed; - -+ /* BPF programs managed (e.g. loaded to kernel) by an entity external to systemd, -+ * attached to unit cgroup by provided program fd and attach type. */ -+ Hashmap *bpf_foreign_by_key; -+ - uint64_t ip_accounting_extra[_CGROUP_IP_ACCOUNTING_METRIC_MAX]; - - /* Low-priority event source which is used to remove watched PIDs that have gone away, and subscribe to any new --- -2.30.2 - - -From 4d84c1af52683f7272e021fb4c6e68148d64e33b Mon Sep 17 00:00:00 2001 -From: Julia Kartseva -Date: Thu, 4 Feb 2021 00:03:08 -0800 -Subject: [PATCH 5/9] core: add bpf-foreign cgroup mask and harness - -Add CGROUP_MASK_BPF_FOREIGN to CGROUP_MASK_BPF and standard cgroup -context harness. ---- - src/basic/cgroup-util.c | 1 + - src/basic/cgroup-util.h | 4 +++- - src/core/cgroup.c | 29 +++++++++++++++++++++++++++++ - src/test/test-cgroup-mask.c | 2 +- - 4 files changed, 34 insertions(+), 2 deletions(-) - -diff --git a/src/basic/cgroup-util.c b/src/basic/cgroup-util.c -index 8dd3f8cd95..743fb0afe1 100644 ---- a/src/basic/cgroup-util.c -+++ b/src/basic/cgroup-util.c -@@ -2162,6 +2162,7 @@ static const char *const cgroup_controller_table[_CGROUP_CONTROLLER_MAX] = { - [CGROUP_CONTROLLER_PIDS] = "pids", - [CGROUP_CONTROLLER_BPF_FIREWALL] = "bpf-firewall", - [CGROUP_CONTROLLER_BPF_DEVICES] = "bpf-devices", -+ [CGROUP_CONTROLLER_BPF_FOREIGN] = "bpf-foreign", - }; - - DEFINE_STRING_TABLE_LOOKUP(cgroup_controller, CGroupController); -diff --git a/src/basic/cgroup-util.h b/src/basic/cgroup-util.h -index f79e384147..8894fd9b0a 100644 ---- a/src/basic/cgroup-util.h -+++ b/src/basic/cgroup-util.h -@@ -30,6 +30,7 @@ typedef enum CGroupController { - /* BPF-based pseudo-controllers, v2 only */ - CGROUP_CONTROLLER_BPF_FIREWALL, - CGROUP_CONTROLLER_BPF_DEVICES, -+ CGROUP_CONTROLLER_BPF_FOREIGN, - - _CGROUP_CONTROLLER_MAX, - _CGROUP_CONTROLLER_INVALID = -EINVAL, -@@ -49,6 +50,7 @@ typedef enum CGroupMask { - CGROUP_MASK_PIDS = CGROUP_CONTROLLER_TO_MASK(CGROUP_CONTROLLER_PIDS), - CGROUP_MASK_BPF_FIREWALL = CGROUP_CONTROLLER_TO_MASK(CGROUP_CONTROLLER_BPF_FIREWALL), - CGROUP_MASK_BPF_DEVICES = CGROUP_CONTROLLER_TO_MASK(CGROUP_CONTROLLER_BPF_DEVICES), -+ CGROUP_MASK_BPF_FOREIGN = CGROUP_CONTROLLER_TO_MASK(CGROUP_CONTROLLER_BPF_FOREIGN), - - /* All real cgroup v1 controllers */ - CGROUP_MASK_V1 = CGROUP_MASK_CPU|CGROUP_MASK_CPUACCT|CGROUP_MASK_BLKIO|CGROUP_MASK_MEMORY|CGROUP_MASK_DEVICES|CGROUP_MASK_PIDS, -@@ -57,7 +59,7 @@ typedef enum CGroupMask { - CGROUP_MASK_V2 = CGROUP_MASK_CPU|CGROUP_MASK_CPUSET|CGROUP_MASK_IO|CGROUP_MASK_MEMORY|CGROUP_MASK_PIDS, - - /* All cgroup v2 BPF pseudo-controllers */ -- CGROUP_MASK_BPF = CGROUP_MASK_BPF_FIREWALL|CGROUP_MASK_BPF_DEVICES, -+ CGROUP_MASK_BPF = CGROUP_MASK_BPF_FIREWALL|CGROUP_MASK_BPF_DEVICES|CGROUP_MASK_BPF_FOREIGN, - - _CGROUP_MASK_ALL = CGROUP_CONTROLLER_TO_MASK(_CGROUP_CONTROLLER_MAX) - 1 - } CGroupMask; -diff --git a/src/core/cgroup.c b/src/core/cgroup.c -index a0af50518d..f3d5d89339 100644 ---- a/src/core/cgroup.c -+++ b/src/core/cgroup.c -@@ -8,6 +8,7 @@ - #include "blockdev-util.h" - #include "bpf-devices.h" - #include "bpf-firewall.h" -+#include "bpf-foreign.h" - #include "btrfs-util.h" - #include "bus-error.h" - #include "cgroup-setup.h" -@@ -1160,6 +1161,12 @@ static void set_io_weight(Unit *u, const char *controller, uint64_t weight) { - (void) set_attribute_and_warn(u, controller, p, buf); - } - -+static void cgroup_apply_bpf_foreign_program(Unit *u) { -+ assert(u); -+ -+ (void) bpf_foreign_install(u); -+} -+ - static void cgroup_context_apply( - Unit *u, - CGroupMask apply_mask, -@@ -1473,6 +1480,9 @@ static void cgroup_context_apply( - - if (apply_mask & CGROUP_MASK_BPF_FIREWALL) - cgroup_apply_firewall(u); -+ -+ if (apply_mask & CGROUP_MASK_BPF_FOREIGN) -+ cgroup_apply_bpf_foreign_program(u); - } - - static bool unit_get_needs_bpf_firewall(Unit *u) { -@@ -1505,6 +1515,17 @@ static bool unit_get_needs_bpf_firewall(Unit *u) { - return false; - } - -+static bool unit_get_needs_bpf_foreign_program(Unit *u) { -+ CGroupContext *c; -+ assert(u); -+ -+ c = unit_get_cgroup_context(u); -+ if (!c) -+ return false; -+ -+ return !LIST_IS_EMPTY(c->bpf_foreign_programs); -+} -+ - static CGroupMask unit_get_cgroup_mask(Unit *u) { - CGroupMask mask = 0; - CGroupContext *c; -@@ -1556,6 +1577,9 @@ static CGroupMask unit_get_bpf_mask(Unit *u) { - if (unit_get_needs_bpf_firewall(u)) - mask |= CGROUP_MASK_BPF_FIREWALL; - -+ if (unit_get_needs_bpf_foreign_program(u)) -+ mask |= CGROUP_MASK_BPF_FOREIGN; -+ - return mask; - } - -@@ -3032,6 +3056,11 @@ static int cg_bpf_mask_supported(CGroupMask *ret) { - if (r > 0) - mask |= CGROUP_MASK_BPF_DEVICES; - -+ /* BPF pinned prog */ -+ r = bpf_foreign_supported(); -+ if (r > 0) -+ mask |= CGROUP_MASK_BPF_FOREIGN; -+ - *ret = mask; - return 0; - } -diff --git a/src/test/test-cgroup-mask.c b/src/test/test-cgroup-mask.c -index b53e327c63..d721946f71 100644 ---- a/src/test/test-cgroup-mask.c -+++ b/src/test/test-cgroup-mask.c -@@ -140,7 +140,7 @@ static void test_cg_mask_to_string_one(CGroupMask mask, const char *t) { - - static void test_cg_mask_to_string(void) { - test_cg_mask_to_string_one(0, NULL); -- test_cg_mask_to_string_one(_CGROUP_MASK_ALL, "cpu cpuacct cpuset io blkio memory devices pids bpf-firewall bpf-devices"); -+ test_cg_mask_to_string_one(_CGROUP_MASK_ALL, "cpu cpuacct cpuset io blkio memory devices pids bpf-firewall bpf-devices bpf-foreign"); - test_cg_mask_to_string_one(CGROUP_MASK_CPU, "cpu"); - test_cg_mask_to_string_one(CGROUP_MASK_CPUACCT, "cpuacct"); - test_cg_mask_to_string_one(CGROUP_MASK_CPUSET, "cpuset"); --- -2.30.2 - - -From d1f0204f1ca7bf7b562a2fe1c90decbb5e04cf31 Mon Sep 17 00:00:00 2001 -From: Julia Kartseva -Date: Thu, 4 Feb 2021 00:04:19 -0800 -Subject: [PATCH 6/9] core: add bpf-foreign to fragment parser - -- Parse a string for bpf attach type -- Simplify bpffs path -- Add foreign bpf program to cgroup context ---- - src/core/load-fragment-gperf.gperf.m4 | 3 +- - src/core/load-fragment.c | 59 +++++++++++++++++++++++++++ - src/core/load-fragment.h | 1 + - 3 files changed, 62 insertions(+), 1 deletion(-) - -diff --git a/src/core/load-fragment-gperf.gperf.m4 b/src/core/load-fragment-gperf.gperf.m4 -index 21bbcffe41..bbb79a12ca 100644 ---- a/src/core/load-fragment-gperf.gperf.m4 -+++ b/src/core/load-fragment-gperf.gperf.m4 -@@ -234,7 +234,8 @@ $1.ManagedOOMSwap, config_parse_managed_oom_mode, - $1.ManagedOOMMemoryPressure, config_parse_managed_oom_mode, 0, offsetof($1, cgroup_context.moom_mem_pressure) - $1.ManagedOOMMemoryPressureLimit, config_parse_managed_oom_mem_pressure_limit, 0, offsetof($1, cgroup_context.moom_mem_pressure_limit) - $1.ManagedOOMPreference, config_parse_managed_oom_preference, 0, offsetof($1, cgroup_context.moom_preference) --$1.NetClass, config_parse_warn_compat, DISABLED_LEGACY, 0' -+$1.NetClass, config_parse_warn_compat, DISABLED_LEGACY, 0 -+$1.BPFProgram, config_parse_bpf_foreign_program, 0, offsetof($1, cgroup_context)' - )m4_dnl - Unit.Description, config_parse_unit_string_printf, 0, offsetof(Unit, description) - Unit.Documentation, config_parse_documentation, 0, offsetof(Unit, documentation) -diff --git a/src/core/load-fragment.c b/src/core/load-fragment.c -index 6da623dbda..fb80acbc02 100644 ---- a/src/core/load-fragment.c -+++ b/src/core/load-fragment.c -@@ -19,6 +19,7 @@ - #include "alloc-util.h" - #include "all-units.h" - #include "bpf-firewall.h" -+#include "bpf-program.h" - #include "bus-error.h" - #include "bus-internal.h" - #include "bus-util.h" -@@ -5580,6 +5581,64 @@ int config_parse_ip_filter_bpf_progs( - return 0; - } - -+int config_parse_bpf_foreign_program( -+ const char *unit, -+ const char *filename, -+ unsigned line, -+ const char *section, -+ unsigned section_line, -+ const char *lvalue, -+ int ltype, -+ const char *rvalue, -+ void *data, -+ void *userdata) { -+ _cleanup_free_ char *resolved = NULL, *word = NULL; -+ CGroupContext *c = data; -+ Unit *u = userdata; -+ int attach_type, r; -+ -+ assert(filename); -+ assert(lvalue); -+ assert(rvalue); -+ -+ if (isempty(rvalue)) { -+ while (c->bpf_foreign_programs) -+ cgroup_context_remove_bpf_foreign_program(c, c->bpf_foreign_programs); -+ -+ return 0; -+ } -+ -+ r = extract_first_word(&rvalue, &word, ":", 0); -+ if (r == -ENOMEM) -+ return log_oom(); -+ if (r < 0) { -+ log_syntax(unit, LOG_WARNING, filename, line, r, "Failed to parse foreign BPF program, ignoring: %s", rvalue); -+ return 0; -+ } -+ -+ attach_type = bpf_cgroup_attach_type_from_string(word); -+ if (attach_type < 0) { -+ log_syntax(unit, LOG_WARNING, filename, line, 0, "Unknown BPF attach type=%s, ignoring: %s", word, rvalue); -+ return 0; -+ } -+ -+ r = unit_full_printf(u, rvalue, &resolved); -+ if (r < 0) { -+ log_syntax(unit, LOG_WARNING, filename, line, r, "Failed to resolve unit specifiers in '%s', ignoring: %m", rvalue); -+ return 0; -+ } -+ -+ r = path_simplify_and_warn(resolved, PATH_CHECK_ABSOLUTE, unit, filename, line, lvalue); -+ if (r < 0) -+ return 0; -+ -+ r = cgroup_add_bpf_foreign_program(c, attach_type, resolved); -+ if (r < 0) -+ return log_error_errno(r, "Failed to add foreign BPF program to cgroup context: %m"); -+ -+ return 0; -+} -+ - static int merge_by_names(Unit **u, Set *names, const char *id) { - char *k; - int r; -diff --git a/src/core/load-fragment.h b/src/core/load-fragment.h -index b8a6d5fead..eebeda5747 100644 ---- a/src/core/load-fragment.h -+++ b/src/core/load-fragment.h -@@ -139,6 +139,7 @@ CONFIG_PARSER_PROTOTYPE(config_parse_swap_priority); - CONFIG_PARSER_PROTOTYPE(config_parse_mount_images); - CONFIG_PARSER_PROTOTYPE(config_parse_socket_timestamping); - CONFIG_PARSER_PROTOTYPE(config_parse_extension_images); -+CONFIG_PARSER_PROTOTYPE(config_parse_bpf_foreign_program); - - /* gperf prototypes */ - const struct ConfigPerfItem* load_fragment_gperf_lookup(const char *key, GPERF_LEN_TYPE length); --- -2.30.2 - - -From 75d16dfd0b2fc813534081d3bdf1a957360078e5 Mon Sep 17 00:00:00 2001 -From: Julia Kartseva -Date: Tue, 3 Sep 2019 19:08:13 -0700 -Subject: [PATCH 7/9] tests: add unit file tests for BPFProgram= - -- Pin trivial bpf programs to bpf filesystem, compose BPFProgram= option -string and pass it to a unit. Programs store `0` in r0 BPF register for -denying action, e.g. drop a packet. -- Load trivial BPF programs -- Test is skipped if not run under root or if can not lock enough -memory. -- For egress and ingress hooks, test BPFProgram= option along with -with IP{Egress|Ingress}FilterPath=, expected result should not depend on -which rule is executed first. -Expected results for BPF_CGROUP_INET_INGRESS: -5 packets transmitted, 0 received, 100% packet loss, time 89ms - -For BPF_CGROUP_INET_SOCK_CREATE: -ping: socket: Operation not permitted ---- - src/test/meson.build | 6 + - src/test/test-bpf-foreign-programs.c | 332 +++++++++++++++++++++++++++ - 2 files changed, 338 insertions(+) - create mode 100644 src/test/test-bpf-foreign-programs.c - -diff --git a/src/test/meson.build b/src/test/meson.build -index c752e995f6..6349034aeb 100644 ---- a/src/test/meson.build -+++ b/src/test/meson.build -@@ -335,6 +335,12 @@ tests += [ - libblkid], - core_includes], - -+ [['src/test/test-bpf-foreign-programs.c'], -+ [libcore, -+ libshared], -+ [], -+ core_includes], -+ - [['src/test/test-watch-pid.c'], - [libcore, - libshared], -diff --git a/src/test/test-bpf-foreign-programs.c b/src/test/test-bpf-foreign-programs.c -new file mode 100644 -index 0000000000..e703924077 ---- /dev/null -+++ b/src/test/test-bpf-foreign-programs.c -@@ -0,0 +1,332 @@ -+/* SPDX-License-Identifier: LGPL-2.1+ */ -+ -+#include -+#include -+#include -+#include -+#include -+ -+#include "bpf-foreign.h" -+#include "load-fragment.h" -+#include "manager.h" -+#include "process-util.h" -+#include "rlimit-util.h" -+#include "rm-rf.h" -+#include "service.h" -+#include "tests.h" -+#include "unit.h" -+#include "virt.h" -+ -+struct Test { -+ const char *option_name; -+ enum bpf_prog_type prog_type; -+ enum bpf_attach_type attach_type; -+ const char *bpffs_path; -+}; -+ -+typedef struct Test Test; -+ -+#define BPFFS_PATH(prog_suffix) ("/sys/fs/bpf/test-bpf-foreing-" # prog_suffix) -+static const Test single_prog[] = { -+ { -+ .option_name = "BPFProgram", -+ .prog_type = BPF_PROG_TYPE_CGROUP_SKB, -+ .attach_type = BPF_CGROUP_INET_INGRESS, -+ .bpffs_path = BPFFS_PATH("trivial-skb"), -+ }, -+}; -+static const Test path_split_test[] = { -+ { -+ .option_name = "BPFProgram", -+ .prog_type = BPF_PROG_TYPE_CGROUP_SKB, -+ .attach_type = BPF_CGROUP_INET_INGRESS, -+ .bpffs_path = BPFFS_PATH("path:split:test"), -+ }, -+}; -+ -+static const Test same_prog_same_hook[] = { -+ { -+ .option_name = "BPFProgram", -+ .prog_type = BPF_PROG_TYPE_CGROUP_SOCK, -+ .attach_type = BPF_CGROUP_INET_SOCK_CREATE, -+ .bpffs_path = BPFFS_PATH("trivial-sock"), -+ }, -+ { -+ .option_name = "BPFProgram", -+ .prog_type = BPF_PROG_TYPE_CGROUP_SOCK, -+ .attach_type = BPF_CGROUP_INET_SOCK_CREATE, -+ .bpffs_path = BPFFS_PATH("trivial-sock"), -+ } -+}; -+ -+static const Test multi_prog_same_hook[] = { -+ { -+ .option_name = "BPFProgram", -+ .prog_type = BPF_PROG_TYPE_CGROUP_SOCK, -+ .attach_type = BPF_CGROUP_INET_SOCK_CREATE, -+ .bpffs_path = BPFFS_PATH("trivial-sock-0"), -+ }, -+ { -+ .option_name = "BPFProgram", -+ .prog_type = BPF_PROG_TYPE_CGROUP_SOCK, -+ .attach_type = BPF_CGROUP_INET_SOCK_CREATE, -+ .bpffs_path = BPFFS_PATH("trivial-sock-1"), -+ } -+}; -+ -+static const Test same_prog_multi_hook[] = { -+ { -+ .option_name = "BPFProgram", -+ .prog_type = BPF_PROG_TYPE_CGROUP_SKB, -+ .attach_type = BPF_CGROUP_INET_INGRESS, -+ .bpffs_path = BPFFS_PATH("trivial-skb"), -+ }, -+ { -+ .option_name = "BPFProgram", -+ .prog_type = BPF_PROG_TYPE_CGROUP_SKB, -+ .attach_type = BPF_CGROUP_INET_EGRESS, -+ .bpffs_path = BPFFS_PATH("trivial-skb"), -+ } -+}; -+ -+static const Test same_prog_multi_option_0[] = { -+ { -+ .option_name = "BPFProgram", -+ .prog_type = BPF_PROG_TYPE_CGROUP_SKB, -+ .attach_type = BPF_CGROUP_INET_INGRESS, -+ .bpffs_path = BPFFS_PATH("trivial-skb"), -+ }, -+ { -+ .option_name = "IPIngressFilterPath", -+ .prog_type = BPF_PROG_TYPE_CGROUP_SKB, -+ .attach_type = BPF_CGROUP_INET_INGRESS, -+ .bpffs_path = BPFFS_PATH("trivial-skb"), -+ } -+}; -+ -+static const Test same_prog_multi_option_1[] = { -+ { -+ .option_name = "IPEgressFilterPath", -+ .prog_type = BPF_PROG_TYPE_CGROUP_SKB, -+ .attach_type = BPF_CGROUP_INET_EGRESS, -+ .bpffs_path = BPFFS_PATH("trivial-skb"), -+ }, -+ { -+ .option_name = "BPFProgram", -+ .prog_type = BPF_PROG_TYPE_CGROUP_SKB, -+ .attach_type = BPF_CGROUP_INET_EGRESS, -+ .bpffs_path = BPFFS_PATH("trivial-skb"), -+ } -+}; -+#undef BPFFS_PATH -+ -+static int bpf_foreign_test_to_string(enum bpf_attach_type attach_type, const char *bpffs_path, char **ret_str) { -+ const char *s = NULL; -+ -+ assert_se(bpffs_path); -+ assert_se(ret_str); -+ -+ assert_se(s = bpf_cgroup_attach_type_to_string(attach_type)); -+ assert_se(*ret_str = strjoin(s, ":", bpffs_path)); -+ -+ return 0; -+} -+ -+static char **unlink_paths_and_free(char **paths) { -+ char **i; -+ -+ STRV_FOREACH(i, paths) -+ (void) unlink(*i); -+ -+ return strv_free(paths); -+} -+ -+DEFINE_TRIVIAL_CLEANUP_FUNC(char **, unlink_paths_and_free); -+ -+static int pin_programs(Unit *u, CGroupContext *cc, const Test *test_suite, size_t test_suite_size, char ***paths_ret) { -+ _cleanup_(unlink_paths_and_freep) char **bpffs_paths = NULL; -+ static const struct bpf_insn trivial[] = { -+ BPF_MOV64_IMM(BPF_REG_0, 0), -+ BPF_EXIT_INSN() -+ }; -+ char log_buf[0xffff]; -+ int r; -+ -+ assert_se(paths_ret); -+ -+ for (size_t i = 0; i < test_suite_size; i++) { -+ _cleanup_(bpf_program_unrefp) BPFProgram *prog = NULL; -+ _cleanup_free_ char *str = NULL; -+ -+ r = bpf_foreign_test_to_string(test_suite[i].attach_type, test_suite[i].bpffs_path, &str); -+ if (r < 0) -+ return log_error_errno(r, "Failed to convert program to string"); -+ -+ r = bpf_program_new(test_suite[i].prog_type, &prog); -+ if (r < 0) -+ return log_error_errno(r, "Failed to create program '%s'", str); -+ -+ r = bpf_program_add_instructions(prog, trivial, ELEMENTSOF(trivial)); -+ if (r < 0) -+ return log_error_errno(r, "Failed to add trivial instructions for '%s'", str); -+ -+ r = bpf_program_load_kernel(prog, log_buf, ELEMENTSOF(log_buf)); -+ if (r < 0) -+ return log_error_errno(r, "Failed to load BPF program '%s'", str); -+ -+ if (strv_contains(bpffs_paths, test_suite[i].bpffs_path)) -+ continue; -+ -+ r = strv_extend(&bpffs_paths, test_suite[i].bpffs_path); -+ if (r < 0) -+ return log_error_errno(r, "Failed to put path into a vector: %m"); -+ -+ r = bpf_program_pin(prog->kernel_fd, test_suite[i].bpffs_path); -+ if (r < 0) -+ return log_error_errno(r, "Failed to pin BPF program '%s'", str); -+ } -+ -+ *paths_ret = TAKE_PTR(bpffs_paths); -+ return 0; -+} -+ -+static int test_bpf_cgroup_programs(Manager *m, const char *unit_name, const Test *test_suite, size_t test_suite_size) { -+ _cleanup_(unlink_paths_and_freep) char **bpffs_paths = NULL; -+ _cleanup_(unit_freep) Unit *u = NULL; -+ CGroupContext *cc = NULL; -+ int cld_code, r; -+ -+ assert_se(u = unit_new(m, sizeof(Service))); -+ assert_se(unit_add_name(u, unit_name) == 0); -+ assert_se(cc = unit_get_cgroup_context(u)); -+ -+ r = pin_programs(u, cc, test_suite, test_suite_size, &bpffs_paths); -+ if (r < 0) -+ return log_error_errno(r, "Failed to pin programs: %m"); -+ -+ for (size_t i = 0; i < test_suite_size; i++) { -+ if (streq(test_suite[i].option_name, "BPFProgram")) { -+ _cleanup_free_ char *option = NULL; -+ r = bpf_foreign_test_to_string(test_suite[i].attach_type, test_suite[i].bpffs_path, &option); -+ if (r < 0) -+ return log_error_errno(r, "Failed to compose option string: %m"); -+ r = config_parse_bpf_foreign_program( -+ u->id, "filename", 1, "Service", 1, test_suite[i].option_name, 0, option, cc, u); -+ -+ if (r < 0) -+ return log_error_errno(r, "Failed to parse option string '%s': %m", option); -+ } else if (STR_IN_SET(test_suite[i].option_name, "IPIngressFilterPath", "IPEgressFilterPath")) { -+ const char *option = test_suite[i].bpffs_path; -+ void *paths = NULL; -+ -+ if (streq(test_suite[i].option_name, "IPIngressFilterPath")) -+ paths = &cc->ip_filters_ingress; -+ else -+ paths = &cc->ip_filters_egress; -+ -+ r = config_parse_ip_filter_bpf_progs( -+ u->id, "filename", 1, "Service", 1, test_suite[i].option_name, 0, option, paths, u); -+ if (r < 0) -+ return log_error_errno(r, "Failed to parse option string '%s': %m", option); -+ } -+ } -+ -+ r = config_parse_exec( -+ u->id, -+ "filename", -+ 1, -+ "Service", -+ 1, -+ "ExecStart", -+ SERVICE_EXEC_START, -+ "-/bin/ping -c 5 127.0.0.1 -W 1", -+ SERVICE(u)->exec_command, -+ u); -+ if (r < 0) -+ return log_error_errno(r, "Failed to parse ExecStart"); -+ -+ SERVICE(u)->type = SERVICE_ONESHOT; -+ u->load_state = UNIT_LOADED; -+ -+ r = unit_start(u); -+ if (r < 0) -+ return log_error_errno(r, "Unit start failed %m"); -+ -+ while (!IN_SET(SERVICE(u)->state, SERVICE_DEAD, SERVICE_FAILED)) { -+ r = sd_event_run(m->event, UINT64_MAX); -+ if (r < 0) -+ return log_error_errno(errno, "Event run failed %m"); -+ } -+ -+ cld_code = SERVICE(u)->exec_command[SERVICE_EXEC_START]->exec_status.code; -+ if (cld_code != CLD_EXITED) -+ return log_error_errno(SYNTHETIC_ERRNO(EBUSY), -+ "ExecStart didn't exited, code='%s'", sigchld_code_to_string(cld_code)); -+ -+ if (SERVICE(u)->state != SERVICE_DEAD) -+ return log_error_errno(SYNTHETIC_ERRNO(EBUSY), "Service is not dead"); -+ -+ return r; -+} -+ -+int main(int argc, char *argv[]) { -+ _cleanup_(rm_rf_physical_and_freep) char *runtime_dir = NULL; -+ _cleanup_(manager_freep) Manager *m = NULL; -+ _cleanup_free_ char *unit_dir = NULL; -+ struct rlimit rl; -+ int r; -+ -+ test_setup_logging(LOG_DEBUG); -+ -+ if (detect_container() > 0) -+ return log_tests_skipped("test-bpf fails inside LXC and Docker containers: https://github.com/systemd/systemd/issues/9666"); -+ -+ if (getuid() != 0) -+ return log_tests_skipped("not running as root"); -+ -+ assert_se(getrlimit(RLIMIT_MEMLOCK, &rl) >= 0); -+ rl.rlim_cur = rl.rlim_max = MAX(rl.rlim_max, CAN_MEMLOCK_SIZE); -+ (void) setrlimit_closest(RLIMIT_MEMLOCK, &rl); -+ -+ if (!can_memlock()) -+ return log_tests_skipped("Can't use mlock(), skipping."); -+ -+ r = cg_all_unified(); -+ if (r <= 0) -+ return log_tests_skipped_errno(r, "Unified hierarchy is required, skipping."); -+ -+ r = enter_cgroup_subroot(NULL); -+ if (r == -ENOMEDIUM) -+ return log_tests_skipped("cgroupfs not available"); -+ -+ assert_se(get_testdata_dir("units", &unit_dir) >= 0); -+ assert_se(set_unit_path(unit_dir) >= 0); -+ assert_se(runtime_dir = setup_fake_runtime_dir()); -+ -+ assert_se(manager_new(UNIT_FILE_USER, MANAGER_TEST_RUN_BASIC, &m) >= 0); -+ assert_se(manager_startup(m, NULL, NULL) >= 0); -+ -+ assert_se(test_bpf_cgroup_programs(m, -+ "single_prog.service", single_prog, ELEMENTSOF(single_prog)) >= 0); -+ assert_se(test_bpf_cgroup_programs(m, -+ "multi_prog_same_hook.service", -+ multi_prog_same_hook, ELEMENTSOF(multi_prog_same_hook)) >= 0); -+ assert_se(test_bpf_cgroup_programs(m, -+ "same_prog_multi_hook.service", -+ same_prog_multi_hook, ELEMENTSOF(same_prog_multi_hook)) >= 0); -+ assert_se(test_bpf_cgroup_programs(m, -+ "same_prog_multi_option_0.service", -+ same_prog_multi_option_0, ELEMENTSOF(same_prog_multi_option_0)) >= 0); -+ assert_se(test_bpf_cgroup_programs(m, -+ "same_prog_multi_option_1.service", -+ same_prog_multi_option_1, ELEMENTSOF(same_prog_multi_option_1)) >= 0); -+ assert_se(test_bpf_cgroup_programs(m, -+ "same_prog_same_hook.service", -+ same_prog_same_hook, -+ ELEMENTSOF(same_prog_same_hook)) >= 0); -+ assert_se(test_bpf_cgroup_programs(m, -+ "path_split_test.service", -+ path_split_test, -+ ELEMENTSOF(path_split_test)) >= 0); -+ return 0; -+} --- -2.30.2 - - -From faebec942b34c62d8dce512839c3a43be6844394 Mon Sep 17 00:00:00 2001 -From: Julia Kartseva -Date: Tue, 8 Dec 2020 22:06:56 -0800 -Subject: [PATCH 8/9] man: add BPFProgram= documentation - ---- - man/systemd.resource-control.xml | 52 ++++++++++++++++++++++++++++++++ - 1 file changed, 52 insertions(+) - -diff --git a/man/systemd.resource-control.xml b/man/systemd.resource-control.xml -index 1bc45a9f00..a2d01f7afb 100644 ---- a/man/systemd.resource-control.xml -+++ b/man/systemd.resource-control.xml -@@ -696,6 +696,12 @@ - If these settings are used multiple times in the same unit all the specified programs are attached. If an - empty string is assigned to these settings the program list is reset and all previous specified programs ignored. - -+ If the path BPF_FS_PROGRAM_PATH in IPIngressFilterPath= assignment -+ is already being handled by BPFProgram= ingress hook, e.g. -+ BPFProgram=ingress:BPF_FS_PROGRAM_PATH, -+ the assignment will be still considered valid and the program will be attached to a cgroup. Same for -+ IPEgressFilterPath= path and egress hook. -+ - Note that for socket-activated services, the IP filter programs configured on the socket unit apply to - all sockets associated with it directly, but not to any sockets created by the ultimately activated services - for it. Conversely, the IP filter programs configured for the service are not applied to any sockets passed into -@@ -710,6 +716,52 @@ - - - -+ -+ BPFProgram=type:program-path -+ -+ Add a custom cgroup BPF program. -+ -+ BPFProgram= allows attaching BPF hooks to the cgroup of a systemd unit. -+ (This generalizes the functionality exposed via IPEgressFilterPath= for egress and -+ IPIngressFilterPath= for ingress.) -+ Cgroup-bpf hooks in the form of BPF programs loaded to the BPF filesystem are attached with cgroup-bpf attach -+ flags determined by the unit. For details about attachment types and flags see . -+ For general BPF documentation please refer to . -+ -+ The specification of BPF program consists of a type followed by a -+ program-path with : as the separator: -+ type:program-path. -+ -+ type is the string name of BPF attach type also used in -+ bpftool. type can be one of egress, -+ ingress, sock_create, sock_ops, -+ device, bind4, bind6, -+ connect4, connect6, post_bind4, -+ post_bind6, sendmsg4, sendmsg6, -+ sysctl, recvmsg4, recvmsg6, -+ getsockopt, setsockopt. -+ -+ Setting BPFProgram= to an empty value makes previous assignments ineffective. -+ Multiple assignments of the same type:program-path -+ value have the same effect as a single assignment: the program with the path program-path -+ will be attached to cgroup hook type just once. -+ If BPF egress pinned to program-path path is already being -+ handled by IPEgressFilterPath=, BPFProgram= -+ assignment will be considered valid and BPFProgram= will be attached to a cgroup. -+ Similarly for ingress hook and IPIngressFilterPath= assignment. -+ -+ BPF programs passed with BPFProgram= are attached to the cgroup of a unit with BPF -+ attach flag multi, that allows further attachments of the same -+ type within cgroup hierarchy topped by the unit cgroup. -+ -+ Examples: -+BPFProgram=egress:/sys/fs/bpf/egress-hook -+BPFProgram=bind6:/sys/fs/bpf/sock-addr-hook -+ -+ -+ -+ - - DeviceAllow= - --- -2.30.2 - - -From 3e1bfa33f198feb47431d19f4d48383e070dbdca Mon Sep 17 00:00:00 2001 -From: Julia Kartseva -Date: Tue, 8 Dec 2020 22:07:30 -0800 -Subject: [PATCH 9/9] dbus-cgroup: add BPFProgram= dbus support - -- Handle BPFProgram= property in string format -":", e.g. egress:/sys/fs/bpf/egress-hook. -- Add dbus getter to list foreign bpf programs attached to a cgroup. ---- - man/org.freedesktop.systemd1.xml | 36 +++++++++++ - src/core/dbus-cgroup.c | 108 +++++++++++++++++++++++++++++++ - src/shared/bus-unit-util.c | 20 ++++++ - src/systemctl/systemctl-show.c | 17 +++++ - 4 files changed, 181 insertions(+) - -diff --git a/man/org.freedesktop.systemd1.xml b/man/org.freedesktop.systemd1.xml -index aff43217e1..d233d96d24 100644 ---- a/man/org.freedesktop.systemd1.xml -+++ b/man/org.freedesktop.systemd1.xml -@@ -2472,6 +2472,8 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2eservice { - readonly u ManagedOOMMemoryPressureLimit = ...; - @org.freedesktop.DBus.Property.EmitsChangedSignal("false") - readonly s ManagedOOMPreference = '...'; -+ @org.freedesktop.DBus.Property.EmitsChangedSignal("false") -+ readonly a(ss) BPFProgram = [...]; - @org.freedesktop.DBus.Property.EmitsChangedSignal("const") - readonly as Environment = ['...', ...]; - @org.freedesktop.DBus.Property.EmitsChangedSignal("const") -@@ -3004,6 +3006,8 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2eservice { - - - -+ -+ - - - -@@ -3560,6 +3564,8 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2eservice { - - - -+ -+ - - - -@@ -4245,6 +4251,8 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2esocket { - readonly u ManagedOOMMemoryPressureLimit = ...; - @org.freedesktop.DBus.Property.EmitsChangedSignal("false") - readonly s ManagedOOMPreference = '...'; -+ @org.freedesktop.DBus.Property.EmitsChangedSignal("false") -+ readonly a(ss) BPFProgram = [...]; - @org.freedesktop.DBus.Property.EmitsChangedSignal("const") - readonly as Environment = ['...', ...]; - @org.freedesktop.DBus.Property.EmitsChangedSignal("const") -@@ -4805,6 +4813,8 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2esocket { - - - -+ -+ - - - -@@ -5359,6 +5369,8 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2esocket { - - - -+ -+ - - - -@@ -5946,6 +5958,8 @@ node /org/freedesktop/systemd1/unit/home_2emount { - readonly u ManagedOOMMemoryPressureLimit = ...; - @org.freedesktop.DBus.Property.EmitsChangedSignal("false") - readonly s ManagedOOMPreference = '...'; -+ @org.freedesktop.DBus.Property.EmitsChangedSignal("false") -+ readonly a(ss) BPFProgram = [...]; - @org.freedesktop.DBus.Property.EmitsChangedSignal("const") - readonly as Environment = ['...', ...]; - @org.freedesktop.DBus.Property.EmitsChangedSignal("const") -@@ -6434,6 +6448,8 @@ node /org/freedesktop/systemd1/unit/home_2emount { - - - -+ -+ - - - -@@ -6906,6 +6922,8 @@ node /org/freedesktop/systemd1/unit/home_2emount { - - - -+ -+ - - - -@@ -7614,6 +7632,8 @@ node /org/freedesktop/systemd1/unit/dev_2dsda3_2eswap { - readonly u ManagedOOMMemoryPressureLimit = ...; - @org.freedesktop.DBus.Property.EmitsChangedSignal("false") - readonly s ManagedOOMPreference = '...'; -+ @org.freedesktop.DBus.Property.EmitsChangedSignal("false") -+ readonly a(ss) BPFProgram = [...]; - @org.freedesktop.DBus.Property.EmitsChangedSignal("const") - readonly as Environment = ['...', ...]; - @org.freedesktop.DBus.Property.EmitsChangedSignal("const") -@@ -8088,6 +8108,8 @@ node /org/freedesktop/systemd1/unit/dev_2dsda3_2eswap { - - - -+ -+ - - - -@@ -8546,6 +8568,8 @@ node /org/freedesktop/systemd1/unit/dev_2dsda3_2eswap { - - - -+ -+ - - - -@@ -9107,6 +9131,8 @@ node /org/freedesktop/systemd1/unit/system_2eslice { - readonly u ManagedOOMMemoryPressureLimit = ...; - @org.freedesktop.DBus.Property.EmitsChangedSignal("false") - readonly s ManagedOOMPreference = '...'; -+ @org.freedesktop.DBus.Property.EmitsChangedSignal("false") -+ readonly a(ss) BPFProgram = [...]; - }; - interface org.freedesktop.DBus.Peer { ... }; - interface org.freedesktop.DBus.Introspectable { ... }; -@@ -9245,6 +9271,8 @@ node /org/freedesktop/systemd1/unit/system_2eslice { - - - -+ -+ - - - -@@ -9387,6 +9415,8 @@ node /org/freedesktop/systemd1/unit/system_2eslice { - - - -+ -+ - - - -@@ -9548,6 +9578,8 @@ node /org/freedesktop/systemd1/unit/session_2d1_2escope { - readonly u ManagedOOMMemoryPressureLimit = ...; - @org.freedesktop.DBus.Property.EmitsChangedSignal("false") - readonly s ManagedOOMPreference = '...'; -+ @org.freedesktop.DBus.Property.EmitsChangedSignal("false") -+ readonly a(ss) BPFProgram = [...]; - @org.freedesktop.DBus.Property.EmitsChangedSignal("const") - readonly s KillMode = '...'; - @org.freedesktop.DBus.Property.EmitsChangedSignal("const") -@@ -9702,6 +9734,8 @@ node /org/freedesktop/systemd1/unit/session_2d1_2escope { - - - -+ -+ - - - -@@ -9870,6 +9904,8 @@ node /org/freedesktop/systemd1/unit/session_2d1_2escope { - - - -+ -+ - - - -diff --git a/src/core/dbus-cgroup.c b/src/core/dbus-cgroup.c -index 04d2ba34f3..604cecf84c 100644 ---- a/src/core/dbus-cgroup.c -+++ b/src/core/dbus-cgroup.c -@@ -5,6 +5,7 @@ - #include "af-list.h" - #include "alloc-util.h" - #include "bpf-firewall.h" -+#include "bpf-foreign.h" - #include "bus-get-properties.h" - #include "cgroup-util.h" - #include "cgroup.h" -@@ -347,6 +348,33 @@ static int property_get_ip_address_access( - return sd_bus_message_close_container(reply); - } - -+static int property_get_bpf_foreign_program( -+ sd_bus *bus, -+ const char *path, -+ const char *interface, -+ const char *property, -+ sd_bus_message *reply, -+ void *userdata, -+ sd_bus_error *error) { -+ CGroupContext *c = userdata; -+ CGroupBPFForeignProgram *p; -+ int r; -+ -+ r = sd_bus_message_open_container(reply, 'a', "(ss)"); -+ if (r < 0) -+ return r; -+ -+ LIST_FOREACH(programs, p, c->bpf_foreign_programs) { -+ const char *attach_type = bpf_cgroup_attach_type_to_string(p->attach_type); -+ -+ r = sd_bus_message_append(reply, "(ss)", attach_type, p->bpffs_path); -+ if (r < 0) -+ return r; -+ } -+ -+ return sd_bus_message_close_container(reply); -+} -+ - const sd_bus_vtable bus_cgroup_vtable[] = { - SD_BUS_VTABLE_START(0), - SD_BUS_PROPERTY("Delegate", "b", bus_property_get_bool, offsetof(CGroupContext, delegate), 0), -@@ -398,6 +426,7 @@ const sd_bus_vtable bus_cgroup_vtable[] = { - SD_BUS_PROPERTY("ManagedOOMMemoryPressure", "s", property_get_managed_oom_mode, offsetof(CGroupContext, moom_mem_pressure), 0), - SD_BUS_PROPERTY("ManagedOOMMemoryPressureLimit", "u", NULL, offsetof(CGroupContext, moom_mem_pressure_limit), 0), - SD_BUS_PROPERTY("ManagedOOMPreference", "s", property_get_managed_oom_preference, offsetof(CGroupContext, moom_preference), 0), -+ SD_BUS_PROPERTY("BPFProgram", "a(ss)", property_get_bpf_foreign_program, 0, 0), - SD_BUS_VTABLE_END - }; - -@@ -570,6 +599,85 @@ static int bus_cgroup_set_transient_property( - } - } - -+ return 1; -+ } else if (streq(name, "BPFProgram")) { -+ const char *a, *p; -+ size_t n = 0; -+ -+ r = sd_bus_message_enter_container(message, 'a', "(ss)"); -+ if (r < 0) -+ return r; -+ -+ while ((r = sd_bus_message_read(message, "(ss)", &a, &p)) > 0) { -+ int attach_type = bpf_cgroup_attach_type_from_string(a); -+ if (attach_type < 0) -+ return sd_bus_error_setf( -+ error, -+ SD_BUS_ERROR_INVALID_ARGS, -+ "%s expects a valid BPF attach type, got '%s'.", -+ name, a); -+ -+ if (!path_is_normalized(p) || !path_is_absolute(p)) -+ return sd_bus_error_setf( -+ error, -+ SD_BUS_ERROR_INVALID_ARGS, -+ "%s= expects a normalized absolute path.", -+ name); -+ -+ if (!UNIT_WRITE_FLAGS_NOOP(flags)) { -+ r = cgroup_add_bpf_foreign_program(c, attach_type, p); -+ if (r < 0) -+ return r; -+ } -+ n++; -+ } -+ if (r < 0) -+ return r; -+ -+ r = sd_bus_message_exit_container(message); -+ if (r < 0) -+ return r; -+ -+ if (!UNIT_WRITE_FLAGS_NOOP(flags)) { -+ _cleanup_free_ char *buf = NULL; -+ _cleanup_fclose_ FILE *f = NULL; -+ CGroupBPFForeignProgram *fp; -+ size_t size = 0; -+ -+ if (n == 0) -+ while (c->bpf_foreign_programs) -+ cgroup_context_remove_bpf_foreign_program(c, c->bpf_foreign_programs); -+ -+ f = open_memstream_unlocked(&buf, &size); -+ if (!f) -+ return -ENOMEM; -+ -+ fputs(name, f); -+ fputs("=\n", f); -+ -+ LIST_FOREACH(programs, fp, c->bpf_foreign_programs) -+ fprintf(f, "%s=%s:%s\n", name, -+ bpf_cgroup_attach_type_to_string(fp->attach_type), -+ fp->bpffs_path); -+ -+ r = fflush_and_check(f); -+ if (r < 0) -+ return r; -+ -+ unit_write_setting(u, flags, name, buf); -+ -+ if (!LIST_IS_EMPTY(c->bpf_foreign_programs)) { -+ r = bpf_foreign_supported(); -+ if (r < 0) -+ return r; -+ if (r == 0) -+ log_full(LOG_DEBUG, -+ "Transient unit %s configures a BPF program pinned to BPF " -+ "filesystem, but the local system does not support that.\n" -+ "Starting this unit will fail!", u->id); -+ } -+ } -+ - return 1; - } - -diff --git a/src/shared/bus-unit-util.c b/src/shared/bus-unit-util.c -index a75178068b..bcb4087e6d 100644 ---- a/src/shared/bus-unit-util.c -+++ b/src/shared/bus-unit-util.c -@@ -842,6 +842,26 @@ static int bus_append_cgroup_property(sd_bus_message *m, const char *field, cons - return 1; - } - -+ if (streq(field, "BPFProgram")) { -+ if (isempty(eq)) -+ r = sd_bus_message_append(m, "(sv)", field, "a(ss)", 0); -+ else { -+ _cleanup_free_ char *word = NULL; -+ -+ r = extract_first_word(&eq, &word, ":", 0); -+ if (r == -ENOMEM) -+ return log_oom(); -+ if (r < 0) -+ return log_error_errno(r, "Failed to parse %s: %m", field); -+ -+ r = sd_bus_message_append(m, "(sv)", field, "a(ss)", 1, word, eq); -+ } -+ if (r < 0) -+ return bus_log_create_error(r); -+ -+ return 1; -+ } -+ - return 0; - } - -diff --git a/src/systemctl/systemctl-show.c b/src/systemctl/systemctl-show.c -index 2402a59d31..dc45de4b3d 100644 ---- a/src/systemctl/systemctl-show.c -+++ b/src/systemctl/systemctl-show.c -@@ -1696,6 +1696,23 @@ static int print_property(const char *name, const char *expected_value, sd_bus_m - - return 1; - -+ } else if (streq(name, "BPFProgram")) { -+ const char *a, *p; -+ -+ r = sd_bus_message_enter_container(m, SD_BUS_TYPE_ARRAY, "(ss)"); -+ if (r < 0) -+ return bus_log_parse_error(r); -+ -+ while ((r = sd_bus_message_read(m, "(ss)", &a, &p)) > 0) -+ bus_print_property_valuef(name, expected_value, value, "%s:%s", a, p); -+ if (r < 0) -+ return bus_log_parse_error(r); -+ -+ r = sd_bus_message_exit_container(m); -+ if (r < 0) -+ return bus_log_parse_error(r); -+ -+ return 1; - } - - break; --- -2.30.2 - diff --git a/SOURCES/17495-rebased.patch b/SOURCES/17495-rebased.patch deleted file mode 100644 index 0a94fe5..0000000 --- a/SOURCES/17495-rebased.patch +++ /dev/null @@ -1,410 +0,0 @@ -From 945960a5e4fa339e3d747d695c0e0996c2336e02 Mon Sep 17 00:00:00 2001 -From: Chris Down -Date: Thu, 29 Oct 2020 12:03:52 +0000 -Subject: [PATCH] bpf: pid1: Pin reference to BPF programs for post-coldplug -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -During `daemon-reload` and `daemon-reexec`, we detach and reattach all -BPF programs attached to cgroups. This, however, poses a real practical -problem for DevicePolicy (and some other settings using BPF): it -presents a period of time where the old device filtering BPF program has -been unloaded, but the new one has not been loaded yet. - -Since the filtering is at open() time, it has become apparent that that -there's a non-trivial period where applications inside that ostensibly -filtered cgroup can grab any device -- and often do so -- and then -retain access to that device even after the reload is over. Due to the -file continuing to be available after the initial open(), this issue is -particularly visible for DevicePolicy={strict,closed}, however it also -applies to other BPF programs we install. - -In particular, for BPF ingress/egress filtering this may have more -concerning implications: network traffic which is supposed to be -filtered will -- for a very brief period of time -- not be filtered or -subject to any restrictions imposed by BPF. - -These BPF programs are fundamentally attached to a cgroup lifetime, not -our unit lifetime, so it's enough to pin these programs by taking a -reference to affected BPF programs before reload/reexec. We can then -serialise the program's kernel-facing FD and cgroup attachment FD for -the new daemon, and have the daemon on the other side unpin the programs -after it's finished with coldplug. - -That means that, for example, the BPF program lifecycle during -daemon-reload or daemon-reexec changes from this: - - manager_clear_jobs_and_units - │ - ╔══════╪═════════╤═══════╗ - ║ prog │ no prog │ prog' ║ - ╚══════╧═════════╪═══════╝ - │ - manager_coldplug - -to this: - - manager_clear_jobs_and_units manager_dispatch_cgroup_realize_queue - │ │ - ╔══════╪═══════════════╤═══════════════════════╪═══════╗ - ║ prog │ prog (orphan) │ prog (orphan) + prog' │ prog' ║ - ╚══════╧═══════════════╪═══════════════════════╧═══════╝ - │ - manager_coldplug - -For daemon-reexec the semantics are mostly the same, but the point at -which the program becomes orphan is tied to the process lifecycle -instead. - -None of the BPF programs we install require exclusive access, so having -multiple instances of them running at the same time is fine. Custom -programs, of course, are unknown, but it's hard to imagine legitimate -cases which should be affected, whereas the benefits of this "overlap" -approach with reference pinning is immediately tangible. - -[keszybz: use _cleanup_ for unpin, use FOREACH_POINTER] ---- - src/core/main.c | 9 +++ - src/core/manager.c | 163 ++++++++++++++++++++++++++++++++++++++- - src/core/manager.h | 5 ++ - src/core/unit.h | 8 +- - src/shared/bpf-program.c | 10 +++ - src/shared/bpf-program.h | 1 + - 6 files changed, 191 insertions(+), 5 deletions(-) - -diff --git a/src/core/main.c b/src/core/main.c -index 3ee8d0a869..cb065dbc6e 100644 ---- a/src/core/main.c -+++ b/src/core/main.c -@@ -1164,6 +1164,14 @@ static int prepare_reexecute( - if (!fds) - return log_oom(); - -+ /* We need existing BPF programs to survive reload, otherwise there will be a period where no BPF -+ * program is active during task execution within a cgroup. This would be bad since this may have -+ * security or reliability implications: devices we should filter won't be filtered, network activity -+ * we should filter won't be filtered, etc. We pin all the existing devices by bumping their -+ * refcount, and then storing them to later have it decremented. */ -+ _cleanup_(manager_unpin_all_cgroup_bpf_programs) Manager *m_unpin = -+ manager_pin_all_cgroup_bpf_programs(m); -+ - r = manager_serialize(m, f, fds, switching_root); - if (r < 0) - return r; -@@ -1179,6 +1187,7 @@ static int prepare_reexecute( - if (r < 0) - return log_error_errno(r, "Failed to disable O_CLOEXEC for serialization fds: %m"); - -+ TAKE_PTR(m_unpin); - *ret_f = TAKE_PTR(f); - *ret_fds = TAKE_PTR(fds); - -diff --git a/src/core/manager.c b/src/core/manager.c -index 688e6881c3..44a92e7577 100644 ---- a/src/core/manager.c -+++ b/src/core/manager.c -@@ -65,6 +65,7 @@ - #include "rm-rf.h" - #include "selinux-util.h" - #include "serialize.h" -+#include "set.h" - #include "signal-util.h" - #include "socket-util.h" - #include "special.h" -@@ -3203,6 +3204,79 @@ static void manager_serialize_gid_refs(Manager *m, FILE *f) { - manager_serialize_uid_refs_internal(f, m->gid_refs, "destroy-ipc-gid"); - } - -+static int serialize_limbo_bpf_program(FILE *f, FDSet *fds, BPFProgram *p) { -+ int copy; -+ _cleanup_free_ char *ap = NULL; -+ -+ /* We don't actually need the instructions or other data, since this is only used on the other side -+ * for BPF limbo, which just requires the program type, cgroup path, and kernel-facing BPF file -+ * descriptor. We don't even need to know what unit or directive it's attached to, since we're just -+ * going to expire it after coldplug. */ -+ -+ assert(f); -+ assert(p); -+ -+ /* If the program isn't attached to the kernel yet, there's no reason to serialise it for limbo. Just -+ * let it be skeletonized and then coldplug can do the work on the other side if it's still -+ * necessary. */ -+ if (p->kernel_fd < 0 || !p->attached_path) -+ return -ENOTCONN; -+ -+ copy = fdset_put_dup(fds, p->kernel_fd); -+ if (copy < 0) -+ return log_error_errno(copy, "Failed to add file descriptor to serialization set: %m"); -+ -+ /* Otherwise, on daemon-reload, we'd remain pinned. */ -+ safe_close(p->kernel_fd); -+ -+ ap = cescape(p->attached_path); -+ if (!ap) -+ return log_oom(); -+ -+ return serialize_item_format(f, "bpf-limbo", "%i %i %i \"%s\"", -+ copy, p->prog_type, p->attached_type, ap); -+} -+ -+static void deserialize_limbo_bpf_program(Manager *m, FDSet *fds, const char *value) { -+ _cleanup_free_ char *raw_fd = NULL, *raw_pt = NULL, *raw_at = NULL, *cgpath = NULL; -+ int fd, r, prog_type, attached_type; -+ -+ assert(m); -+ assert(value); -+ -+ r = extract_first_word(&value, &raw_fd, NULL, 0); -+ if (r <= 0 || safe_atoi(raw_fd, &fd) < 0 || fd < 0 || !fdset_contains(fds, fd)) -+ return (void) log_error("Failed to parse bpf-limbo FD: %s", value); -+ -+ r = extract_first_word(&value, &raw_pt, NULL, 0); -+ if (r <= 0 || safe_atoi(raw_pt, &prog_type) < 0) -+ return (void) log_error("Failed to parse bpf-limbo program type: %s", value); -+ -+ r = extract_first_word(&value, &raw_at, NULL, 0); -+ if (r <= 0 || safe_atoi(raw_at, &attached_type) < 0) -+ return (void) log_error("Failed to parse bpf-limbo attached type: %s", value); -+ -+ r = extract_first_word(&value, &cgpath, NULL, EXTRACT_CUNESCAPE | EXTRACT_UNQUOTE); -+ if (r <= 0) -+ return (void) log_error("Failed to parse attached path for BPF limbo FD %s", value); -+ -+ _cleanup_(bpf_program_unrefp) BPFProgram *p = NULL; -+ r = bpf_program_new(prog_type, &p); -+ if (r < 0) -+ return (void) log_error_errno(r, "Failed to create BPF limbo program: %m"); -+ -+ /* Just enough to free it when the time is right, this does not have enough information be used as a -+ * real BPFProgram. */ -+ p->attached_type = attached_type; -+ p->kernel_fd = fdset_remove(fds, fd); -+ p->attached_path = TAKE_PTR(cgpath); -+ -+ r = set_ensure_put(&m->bpf_limbo_progs, NULL, p); -+ if (r < 0) -+ return (void) log_error_errno(r, "Failed to register BPF limbo program for FD %s: %m", value); -+ TAKE_PTR(p); -+} -+ - int manager_serialize( - Manager *m, - FILE *f, -@@ -3212,6 +3286,7 @@ int manager_serialize( - const char *t; - Unit *u; - int r; -+ BPFProgram *p; - - assert(m); - assert(f); -@@ -3256,6 +3331,9 @@ int manager_serialize( - (void) serialize_dual_timestamp(f, joined, m->timestamps + q); - } - -+ SET_FOREACH(p, m->bpf_limbo_progs) -+ (void) serialize_limbo_bpf_program(f, fds, p); -+ - if (!switching_root) - (void) serialize_strv(f, "env", m->client_environment); - -@@ -3571,7 +3649,10 @@ int manager_deserialize(Manager *m, FILE *f, FDSet *fds) { - else - m->n_failed_jobs += n; - -- } else if ((val = startswith(l, "taint-usr="))) { -+ } else if ((val = startswith(l, "bpf-limbo="))) -+ deserialize_limbo_bpf_program(m, fds, val); -+ -+ else if ((val = startswith(l, "taint-usr="))) { - int b; - - b = parse_boolean(val); -@@ -3747,6 +3828,67 @@ int manager_deserialize(Manager *m, FILE *f, FDSet *fds) { - return manager_deserialize_units(m, f, fds); - } - -+Manager* manager_pin_all_cgroup_bpf_programs(Manager *m) { -+ int r; -+ Unit *u; -+ -+ assert(m); -+ -+ HASHMAP_FOREACH(u, m->units) { -+ BPFProgram *p; -+ -+ FOREACH_POINTER(p, -+ u->bpf_device_control_installed, -+ u->ip_bpf_ingress, -+ u->ip_bpf_ingress_installed, -+ u->ip_bpf_egress, -+ u->ip_bpf_egress_installed) -+ if (p) { -+ r = set_ensure_put(&m->bpf_limbo_progs, NULL, p); -+ if (r < 0) { -+ log_unit_error_errno(u, r, "Cannot store BPF program for reload, ignoring: %m"); -+ continue; -+ } -+ -+ bpf_program_ref(p); -+ } -+ -+ Set *s; -+ FOREACH_POINTER(s, -+ u->ip_bpf_custom_ingress, -+ u->ip_bpf_custom_ingress_installed, -+ u->ip_bpf_custom_egress, -+ u->ip_bpf_custom_egress_installed) -+ SET_FOREACH(p, s) { -+ r = set_ensure_put(&m->bpf_limbo_progs, NULL, p); -+ if (r < 0) { -+ log_unit_error_errno(u, r, "Cannot store BPF program for reload, ignoring: %m"); -+ continue; -+ } -+ -+ bpf_program_ref(p); -+ } -+ } -+ -+ log_debug("Pinned %d BPF programs", set_size(m->bpf_limbo_progs)); -+ -+ return m; -+} -+ -+static void manager_skeletonize_all_cgroup_bpf_programs(Manager *m) { -+ BPFProgram *p; -+ -+ SET_FOREACH(p, m->bpf_limbo_progs) -+ bpf_program_skeletonize(p); -+} -+ -+void manager_unpin_all_cgroup_bpf_programs(Manager **m) { -+ if (m && *m) { -+ log_debug("Unpinning %d BPF programs", set_size((*m)->bpf_limbo_progs)); -+ set_clear_with_destructor((*m)->bpf_limbo_progs, bpf_program_unref); -+ } -+} -+ - int manager_reload(Manager *m) { - _cleanup_(manager_reloading_stopp) Manager *reloading = NULL; - _cleanup_fdset_free_ FDSet *fds = NULL; -@@ -3766,6 +3908,13 @@ int manager_reload(Manager *m) { - /* We are officially in reload mode from here on. */ - reloading = manager_reloading_start(m); - -+ /* We need existing BPF programs to survive reload, otherwise there will be a period where no BPF -+ * program is active during task execution within a cgroup. This would be bad since this may have -+ * security or reliability implications: devices we should filter won't be filtered, network activity -+ * we should filter won't be filtered, etc. We pin all the existing devices by bumping their -+ * refcount, and then storing them to later have it decremented. */ -+ (void) manager_pin_all_cgroup_bpf_programs(m); -+ - r = manager_serialize(m, f, fds, false); - if (r < 0) - return r; -@@ -3790,6 +3939,12 @@ int manager_reload(Manager *m) { - m->uid_refs = hashmap_free(m->uid_refs); - m->gid_refs = hashmap_free(m->gid_refs); - -+ /* The only canonical reference left to the dynamically allocated parts of these BPF programs is -+ * going to be on the other side of manager_deserialize, so the freeable parts can now be freed. The -+ * program itself will be detached as part of manager_vacuum. */ -+ manager_skeletonize_all_cgroup_bpf_programs(m); -+ m->bpf_limbo_progs = set_free(m->bpf_limbo_progs); -+ - r = lookup_paths_init(&m->lookup_paths, m->unit_file_scope, 0, NULL); - if (r < 0) - log_warning_errno(r, "Failed to initialize path lookup table, ignoring: %m"); -@@ -4721,6 +4876,12 @@ static void manager_vacuum(Manager *m) { - - /* Release any runtimes no longer referenced */ - exec_runtime_vacuum(m); -+ -+ /* Release any outmoded BPF programs that were deserialized from the previous manager, since new ones -+ * should be in action now. We first need to make sure all entries in the cgroup realize queue are -+ * complete, otherwise BPF firewalls/etc may not have been set up yet. */ -+ (void) manager_dispatch_cgroup_realize_queue(m); -+ manager_unpin_all_cgroup_bpf_programs(&m); - } - - int manager_dispatch_user_lookup_fd(sd_event_source *source, int fd, uint32_t revents, void *userdata) { -diff --git a/src/core/manager.h b/src/core/manager.h -index f58982a364..16bcdc1277 100644 ---- a/src/core/manager.h -+++ b/src/core/manager.h -@@ -438,6 +438,8 @@ struct Manager { - VarlinkServer *varlink_server; - /* Only systemd-oomd should be using this to subscribe to changes in ManagedOOM settings */ - Varlink *managed_oom_varlink_request; -+ -+ Set *bpf_limbo_progs; - }; - - static inline usec_t manager_default_timeout_abort_usec(Manager *m) { -@@ -479,6 +481,9 @@ int manager_add_job_by_name(Manager *m, JobType type, const char *name, JobMode - int manager_add_job_by_name_and_warn(Manager *m, JobType type, const char *name, JobMode mode, Set *affected_jobs, Job **ret); - int manager_propagate_reload(Manager *m, Unit *unit, JobMode mode, sd_bus_error *e); - -+Manager* manager_pin_all_cgroup_bpf_programs(Manager *m); -+void manager_unpin_all_cgroup_bpf_programs(Manager **m); -+ - void manager_dump_units(Manager *s, FILE *f, const char *prefix); - void manager_dump_jobs(Manager *s, FILE *f, const char *prefix); - void manager_dump(Manager *s, FILE *f, const char *prefix); -diff --git a/src/core/unit.h b/src/core/unit.h -index 6de529af92..7c9cc47f92 100644 ---- a/src/core/unit.h -+++ b/src/core/unit.h -@@ -927,10 +927,10 @@ int unit_thaw_vtable_common(Unit *u); - #define log_unit_full_errno(unit, level, error, ...) \ - ({ \ - const Unit *_u = (unit); \ -- const int _l = (level); \ -- (log_get_max_level() < LOG_PRI(_l) || (_u && !unit_log_level_test(_u, _l))) ? -ERRNO_VALUE(error) : \ -- _u ? log_object_internal(_l, error, PROJECT_FILE, __LINE__, __func__, _u->manager->unit_log_field, _u->id, _u->manager->invocation_log_field, _u->invocation_id_string, ##__VA_ARGS__) : \ -- log_internal(_l, error, PROJECT_FILE, __LINE__, __func__, ##__VA_ARGS__); \ -+ const int _v = (level); \ -+ (log_get_max_level() < LOG_PRI(_v) || (_u && !unit_log_level_test(_u, _v))) ? -ERRNO_VALUE(error) : \ -+ _u ? log_object_internal(_v, error, PROJECT_FILE, __LINE__, __func__, _u->manager->unit_log_field, _u->id, _u->manager->invocation_log_field, _u->invocation_id_string, ##__VA_ARGS__) : \ -+ log_internal(_v, error, PROJECT_FILE, __LINE__, __func__, ##__VA_ARGS__); \ - }) - - #define log_unit_full(unit, level, ...) (void) log_unit_full_errno(unit, level, 0, __VA_ARGS__) -diff --git a/src/shared/bpf-program.c b/src/shared/bpf-program.c -index a8a34521fd..314b48b229 100644 ---- a/src/shared/bpf-program.c -+++ b/src/shared/bpf-program.c -@@ -104,6 +104,16 @@ int bpf_program_new_from_bpffs_path(const char *path, BPFProgram **ret) { - return 0; - } - -+void bpf_program_skeletonize(BPFProgram *p) { -+ assert(p); -+ -+ /* Called shortly after serialization. From this point on, we are frozen for serialization and entry -+ * into BPF limbo, so we should proactively free our instructions and attached path. However, we -+ * shouldn't detach the program or close the kernel FD -- we need those on the other side. */ -+ free(p->instructions); -+ free(p->attached_path); -+} -+ - static BPFProgram *bpf_program_free(BPFProgram *p) { - assert(p); - -diff --git a/src/shared/bpf-program.h b/src/shared/bpf-program.h -index 86fd338c93..dcaeb6cde7 100644 ---- a/src/shared/bpf-program.h -+++ b/src/shared/bpf-program.h -@@ -29,6 +29,7 @@ int bpf_program_new(uint32_t prog_type, BPFProgram **ret); - int bpf_program_new_from_bpffs_path(const char *path, BPFProgram **ret); - BPFProgram *bpf_program_ref(BPFProgram *p); - BPFProgram *bpf_program_unref(BPFProgram *p); -+void bpf_program_skeletonize(BPFProgram *p); - - int bpf_program_add_instructions(BPFProgram *p, const struct bpf_insn *insn, size_t count); - int bpf_program_load_kernel(BPFProgram *p, char *log_buf, size_t log_size); --- -2.30.2 - diff --git a/SOURCES/README.build-in-place b/SOURCES/README.build-in-place new file mode 100644 index 0000000..8b66077 --- /dev/null +++ b/SOURCES/README.build-in-place @@ -0,0 +1,14 @@ +== Building systemd rpms for local development using rpmbuild --build-in-place == + +This approach is based on https://github.com/filbranden/git-rpmbuild +and filbranden's talk during ASG2019 [https://cfp.all-systems-go.io/ASG2019/talk/JM7GDN/]. + +``` +git clone https://github.com/systemd/systemd +fedpkg clone systemd fedora-systemd +cd systemd +rpmbuild -bb --build-in-place --noprep --define "_sourcedir $PWD/../fedora-systemd" --define "_rpmdir $PWD/rpms" --with inplace ../systemd.spec +sudo dnf upgrade --setopt install_weak_deps=False rpms/*/*.rpm +``` + +`--without lto` and `--without tests` may be useful to speed up the build. diff --git a/SOURCES/libsystemd-shared.abignore b/SOURCES/libsystemd-shared.abignore new file mode 100644 index 0000000..e412d8b --- /dev/null +++ b/SOURCES/libsystemd-shared.abignore @@ -0,0 +1,3 @@ +[suppress_file] +# This shared object is private to systemd +file_name_regexp=libsystemd-shared-.*.so diff --git a/SOURCES/revert-d586f642fd90e3bb378f7b6d3e3a64a753e51756.patch b/SOURCES/revert-d586f642fd90e3bb378f7b6d3e3a64a753e51756.patch deleted file mode 100644 index 76b1d48..0000000 --- a/SOURCES/revert-d586f642fd90e3bb378f7b6d3e3a64a753e51756.patch +++ /dev/null @@ -1,34 +0,0 @@ -From c6b36901b8a3771b8c3762faa67f08fc5611de66 Mon Sep 17 00:00:00 2001 -From: Anita Zhang -Date: Mon, 14 Jun 2021 10:48:01 -0700 -Subject: [PATCH] Revert "core: prevent excessive /proc/self/mountinfo parsing" - -This reverts commit d586f642fd90e3bb378f7b6d3e3a64a753e51756. - -sd-event rate limiting has a few issues in 248 that need to be worked -out. See: https://github.com/systemd/systemd/pull/19811 and -https://github.com/systemd/systemd/pull/19924. Let's try again in 249. ---- - src/core/mount.c | 6 ------ - 1 file changed, 6 deletions(-) - -diff --git a/src/core/mount.c b/src/core/mount.c -index ca5d0939a1..2939062161 100644 ---- a/src/core/mount.c -+++ b/src/core/mount.c -@@ -1859,12 +1859,6 @@ static void mount_enumerate(Manager *m) { - goto fail; - } - -- r = sd_event_source_set_ratelimit(m->mount_event_source, 1 * USEC_PER_SEC, 5); -- if (r < 0) { -- log_error_errno(r, "Failed to enable rate limit for mount events: %m"); -- goto fail; -- } -- - (void) sd_event_source_set_description(m->mount_event_source, "mount-monitor-dispatch"); - } - --- -2.31.1 - diff --git a/SOURCES/split-files.py b/SOURCES/split-files.py index 46c4982..f883f73 100644 --- a/SOURCES/split-files.py +++ b/SOURCES/split-files.py @@ -21,8 +21,10 @@ o_pam = open('.file-list-pam', 'w') o_rpm_macros = open('.file-list-rpm-macros', 'w') o_devel = open('.file-list-devel', 'w') o_container = open('.file-list-container', 'w') +o_networkd = open('.file-list-networkd', 'w') o_oomd_defaults = open('.file-list-oomd-defaults', 'w') o_remote = open('.file-list-remote', 'w') +o_resolve = open('.file-list-resolve', 'w') o_tests = open('.file-list-tests', 'w') o_standalone_tmpfiles = open('.file-list-standalone-tmpfiles', 'w') o_standalone_sysusers = open('.file-list-standalone-sysusers', 'w') @@ -75,6 +77,12 @@ for file in files(buildroot): org.freedesktop.(import|machine)1 ''', n, re.X): o = o_container + elif re.search(r'''/usr/lib/systemd/network/80-| + networkd| + networkctl| + org.freedesktop.network1 + ''', n, re.X): + o = o_networkd elif '.so.' in n: o = o_libs elif re.search(r'''udev(?!\.pc)| @@ -111,6 +119,14 @@ for file in files(buildroot): /modprobe.d ''', n, re.X): o = o_udev + elif re.search(r'''resolvectl| + resolved| + systemd-resolve| + resolvconf| + resolve1\. + ''', n, re.X): + # keep only nss-resolve in systemd + o = o_resolve elif re.search(r'10-oomd-.*defaults.conf|lib/systemd/oomd.conf.d', n, re.X): o = o_oomd_defaults elif n.endswith('.standalone'): diff --git a/SOURCES/sysusers.generate-pre.sh b/SOURCES/sysusers.generate-pre.sh index 6c481c3..fd9938d 100755 --- a/SOURCES/sysusers.generate-pre.sh +++ b/SOURCES/sysusers.generate-pre.sh @@ -12,17 +12,17 @@ user() { home="$5" shell="$6" -[ "$desc" = '-' ] && desc= -[ "$home" = '-' -o "$home" = '' ] && home=/ -[ "$shell" = '-' -o "$shell" = '' ] && shell=/sbin/nologin + [ "$desc" = '-' ] && desc= + { [ "$home" = '-' ] || [ "$home" = '' ]; } && home=/ + { [ "$shell" = '-' ] || [ "$shell" = '' ]; } && shell=/sbin/nologin -if [ "$uid" = '-' -o "$uid" = '' ]; then - cat </dev/null || \\ useradd -r -g '$group' -d '$home' -s '$shell' -c '$desc' '$user' EOF -else - cat </dev/null ; then if ! getent passwd '$uid' >/dev/null ; then useradd -r -u '$uid' -g '$group' -d '$home' -s /sbin/nologin -c '$desc' '$user' @@ -32,29 +32,29 @@ if ! getent passwd '$user' >/dev/null ; then fi EOF -fi + fi } group() { group="$1" gid="$2" -if [ "$gid" = '-' ]; then - cat </dev/null || groupadd -r '$group' -EOF -else - cat </dev/null || groupadd -f -g '$gid' -r '$group' -EOF -fi + if [ "$gid" = '-' ]; then + cat <<-EOF + getent group '$group' >/dev/null || groupadd -r '$group' + EOF + else + cat <<-EOF + getent group '$group' >/dev/null || groupadd -f -g '$gid' -r '$group' + EOF + fi } parse() { - while read line || [ "$line" ]; do - [ "${line:0:1}" = '#' -o "${line:0:1}" = ';' ] && continue + while read -r line || [ -n "$line" ] ; do + { [ "${line:0:1}" = '#' ] || [ "${line:0:1}" = ';' ]; } && continue line="${line## *}" [ -z "$line" ] && continue - eval arr=( $line ) + eval "arr=( $line )" case "${arr[0]}" in ('u') group "${arr[1]}" "${arr[2]}" @@ -74,6 +74,6 @@ parse() { for fn in "$@"; do [ -e "$fn" ] || continue - echo "# generated from $(basename $fn)" - parse < "$fn" + echo "# generated from $(basename "$fn")" + parse <"$fn" done diff --git a/SPECS/systemd.spec b/SPECS/systemd.spec index d991a61..afe032e 100644 --- a/SPECS/systemd.spec +++ b/SPECS/systemd.spec @@ -12,35 +12,52 @@ %global system_unit_dir %{pkgdir}/system %global user_unit_dir %{pkgdir}/user +%if 0%{?__isa_bits} == 64 +%global elf_bits (64bit) +%global elf_suffix ()%{elf_bits} +%endif + # Bootstrap may be needed to break intercircular dependencies with # cryptsetup, e.g. when re-building cryptsetup on a json-c SONAME-bump. %bcond_with bootstrap %bcond_without tests %bcond_without lto + +# Support for quick builds with rpmbuild --build-in-place. +# See README.build-in-place. +%bcond_with inplace + %if 0%{?facebook} %bcond_with selinux %else %bcond_without selinux %endif +# Remove this when the macro exists in CentOS +%global version_no_tilde %(c=%{version}; echo ${c}|tr '~' '-') + Name: systemd Url: https://www.freedesktop.org/wiki/Software/systemd -Version: 248.5 -Release: 1.3%{?dist} +%if %{without inplace} +Version: 249.2 +Release: 1.1%{?dist} +%else +# determine the build information from local checkout +Version: %(tools/meson-vcs-tag.sh . error | sed -r 's/-([0-9])/.^\1/; s/-g/_g/') +Release: 0 +%endif # For a breakdown of the licensing, see README License: LGPLv2+ and MIT and GPLv2+ Summary: System and Service Manager -%global github_version %(c=%{version}; echo ${c}|tr '~' '-') - # download tarballs with "spectool -g systemd.spec" %if %{defined commit} Source0: https://github.com/systemd/systemd%{?stable:-stable}/archive/%{commit}/%{name}-%{shortcommit}.tar.gz %else %if 0%{?stable} -Source0: https://github.com/systemd/systemd-stable/archive/v%{github_version}/%{name}-%{github_version}.tar.gz +Source0: https://github.com/systemd/systemd-stable/archive/v%{version_no_tilde}/%{name}-%{version_no_tilde}.tar.gz %else -Source0: https://github.com/systemd/systemd/archive/v%{github_version}/%{name}-%{github_version}.tar.gz +Source0: https://github.com/systemd/systemd/archive/v%{version_no_tilde}/%{name}-%{version_no_tilde}.tar.gz %endif %endif # This file must be available before %%prep. @@ -56,6 +73,7 @@ Source9: 20-yama-ptrace.conf Source10: systemd-udev-trigger-no-reload.conf Source11: 20-grubby.install Source12: systemd-user +Source13: libsystemd-shared.abignore Source14: 10-oomd-defaults.conf Source15: 10-oomd-root-slice-defaults.conf @@ -84,15 +102,11 @@ GIT_DIR=../../src/systemd/.git git diffab -M v233..master@{2017-06-15} -- hwdb/[ # patches in this range before applying upstream pull requests. %if 0%{?facebook} -# PR 13496: Extend bpf cgroup program support -Patch0100: 13496-fb.patch # PR 18621: FB variant of quieting "proc: Bad value for 'hidepid'" messages -Patch0101: 18621-fb.patch -# PR 17495: Fixes BPF pinning post-coldplug -Patch0102: 17495-rebased.patch +Patch0001: 18621-fb.patch %else # PR 18621: Quiet "proc: Bad value for 'hidepid'" messages -Patch0101: https://github.com/systemd/systemd/pull/18621.patch +Patch0001: https://github.com/systemd/systemd/pull/18621.patch %endif # Downstream-only patches (0500–9999) @@ -101,8 +115,6 @@ Patch0101: https://github.com/systemd/systemd/pull/18621.patch Patch0501: https://github.com/systemd/systemd/pull/17050/commits/f58b96d3e8d1cb0dd3666bc74fa673918b586612.patch # Downgrade sysv-generator messages from warning to debug Patch0502: 0001-sysv-generator-downgrade-log-warning-about-autogener.patch -# Revert ratelimiting added to mount processing events -Patch0503: revert-d586f642fd90e3bb378f7b6d3e3a64a753e51756.patch %ifarch %{ix86} x86_64 aarch64 %global have_gnu_efi 1 @@ -149,6 +161,7 @@ BuildRequires: iptables-devel BuildRequires: pkgconfig(tss2-esys) BuildRequires: pkgconfig(tss2-rc) BuildRequires: pkgconfig(tss2-mu) +BuildRequires: systemtap-sdt-devel BuildRequires: libxslt BuildRequires: docbook-style-xsl BuildRequires: pkgconfig @@ -156,9 +169,8 @@ BuildRequires: gperf BuildRequires: gawk BuildRequires: tree BuildRequires: hostname -BuildRequires: python3-devel -BuildRequires: python3-lxml -BuildRequires: python3-jinja2 +BuildRequires: python3dist(lxml) +BuildRequires: python3dist(jinja2) %if 0%{?have_gnu_efi} BuildRequires: gnu-efi gnu-efi-devel %endif @@ -178,15 +190,14 @@ Requires(post): grep # systemd-machine-id-setup requires libssl Requires(post): openssl-libs Requires(pre): coreutils -Requires(pre): /usr/bin/getent -Requires(pre): /usr/sbin/groupadd Requires: dbus >= 1.9.18 Requires: %{name}-pam = %{version}-%{release} -Requires: %{name}-rpm-macros = %{version}-%{release} +Requires: (%{name}-rpm-macros = %{version}-%{release} if rpm-build) Requires: %{name}-libs = %{version}-%{release} %{?fedora:Recommends: %{name}-networkd = %{version}-%{release}} +%{?fedora:Recommends: %{name}-resolved = %{version}-%{release}} Recommends: diffutils -Requires: util-linux +Requires: (util-linux-core or util-linux) Recommends: libxkbcommon%{?_isa} Provides: /bin/systemctl Provides: /sbin/shutdown @@ -198,7 +209,7 @@ Provides: system-setup-keyboard = 0.9 Obsoletes: systemd-sysv < 206 %if 0%{?facebook} == 0 # self-obsoletes so that dnf will install new subpackages on upgrade (#1260394) -Obsoletes: %{name} < 246.6-2 +Obsoletes: %{name} < 249~~ Conflicts: initscripts < 9.56.1 %endif Provides: systemd-sysv = 206 @@ -213,14 +224,12 @@ Conflicts: %{name}-standalone-sysusers < %{version}-%{release} Obsoletes: %{name}-standalone-sysusers < %{version}-%{release} # Recommends to replace normal Requires deps for stuff that is dlopen()ed -Recommends: libcryptsetup.so.12()(64bit) -Recommends: libcryptsetup.so.12(CRYPTSETUP_2.0)(64bit) -Recommends: libidn2.so.0()(64bit) -Recommends: libidn2.so.0(IDN2_0.0.0)(64bit) -Recommends: libpcre2-8.so.0()(64bit) -Recommends: libpwquality.so.1()(64bit) -Recommends: libpwquality.so.1(LIBPWQUALITY_1.0)(64bit) -Recommends: libqrencode.so.4()(64bit) +Recommends: libidn2.so.0%{?elf_suffix} +Recommends: libidn2.so.0(IDN2_0.0.0)%{?elf_bits} +Recommends: libpcre2-8.so.0%{?elf_suffix} +Recommends: libpwquality.so.1%{?elf_suffix} +Recommends: libpwquality.so.1(LIBPWQUALITY_1.0)%{?elf_bits} +Recommends: libqrencode.so.4%{?elf_suffix} %if %{with selinux} # Force the SELinux module to be installed @@ -322,10 +331,6 @@ Requires: kbd Provides: u2f-hidraw-policy = 1.0.2-40 Obsoletes: u2f-hidraw-policy < 1.0.2-40 -# Recommends to replace normal Requires deps for stuff that is dlopen()ed -Recommends: libcryptsetup.so.12()(64bit) -Recommends: libcryptsetup.so.12(CRYPTSETUP_2.0)(64bit) - %description udev This package contains systemd-udev and the rules and hardware database needed to manage device nodes. This package is necessary on physical @@ -368,10 +373,33 @@ and to write journal files from serialized journal contents. This package contains systemd-journal-gatewayd, systemd-journal-remote, and systemd-journal-upload. +%package networkd +Summary: System daemon that manages network configurations +Requires: %{name}%{?_isa} = %{version}-%{release} +License: LGPLv2+ +# https://src.fedoraproject.org/rpms/systemd/pull-request/34 +Obsoletes: systemd < 246.6-2 + +%description networkd +systemd-networkd is a system service that manages networks. It detects +and configures network devices as they appear, as well as creating virtual +network devices. + +%package resolved +Summary: Network Name Resolution manager +Requires: %{name}%{?_isa} = %{version}-%{release} +Obsoletes: %{name} < 249~~ + +%description resolved +systemd-resolved is a system service that provides network name resolution +to local applications. It implements a caching and validating DNS/DNSSEC +stub resolver, as well as an LLMNR and MulticastDNS resolver and responder. + %package oomd-defaults Summary: Configuration files for systemd-oomd -Requires: %{name}%{?_isa} = %{version}-%{release} +Requires: %{name} = %{version}-%{release} License: LGPLv2+ +BuildArch: noarch %description oomd-defaults A set of drop-in files for systemd units to enable action from systemd-oomd, @@ -406,7 +434,7 @@ runs properly under an environment with SELinux enabled. %endif %prep -%autosetup -n %{?commit:%{name}%{?stable:-stable}-%{commit}}%{!?commit:%{name}%{?stable:-stable}-%{github_version}} -p1 +%autosetup -n %{?commit:%{name}%{?stable:-stable}-%{commit}}%{!?commit:%{name}%{?stable:-stable}-%{version_no_tilde}} -p1 %if %{with selinux} mkdir selinux @@ -487,10 +515,32 @@ CONFIGURE_OPTS=( -Dfallback-hostname=localhost %endif -Ddefault-dnssec=no + -Ddefault-dns-over-tls=opportunistic # https://bugzilla.redhat.com/show_bug.cgi?id=1867830 -Ddefault-mdns=no -Ddefault-llmnr=resolve -Doomd=true + -Dadm-gid=4 + -Daudio-gid=63 + -Dcdrom-gid=11 + -Ddialout-gid=18 + -Ddisk-gid=6 + -Dinput-gid=104 # https://pagure.io/setup/pull-request/27 + -Dkmem-gid=9 + -Dkvm-gid=36 + -Dlp-gid=7 + -Drender-gid=105 # https://pagure.io/setup/pull-request/27 + -Dsgx-gid=106 # https://pagure.io/setup/pull-request/27 + -Dtape-gid=33 + -Dtty-gid=5 + -Dusers-gid=100 + -Dutmp-gid=22 + -Dvideo-gid=39 + -Dwheel-gid=10 + -Dsystemd-journal-gid=190 + -Dsystemd-network-uid=192 + -Dsystemd-resolve-uid=193 + # -Dsystemd-timesync-uid=, not set yet # Need to set this for CentOS build -Ddocdir=%{_pkgdocdir} # CentOS is missing newer deps required to include these @@ -525,7 +575,17 @@ CONFIGURE_OPTS+=( export LANG=en_US.UTF-8 export LC_ALL=en_US.UTF-8 -%meson "${CONFIGURE_OPTS[@]}" +# Do configuration. If doing an inplace build, try to do +# reconfiguration to pick up new options. +%if %{with inplace} + command -v ccache 2>/dev/null && { CC="${CC:-ccache %__cc}"; CXX="${CXX:-ccache %__cxx}"; } + + [ -e %{_vpath_builddir}/build.ninja ] && + %__meson configure %{_vpath_builddir} "${CONFIGURE_OPTS[@]}" || +%endif +{ %meson "${CONFIGURE_OPTS[@]}"; } + +%meson_build new_triggers=%{_vpath_builddir}/src/rpm/triggers.systemd.sh if ! diff -u %{SOURCE1} ${new_triggers}; then @@ -534,8 +594,6 @@ if ! diff -u %{SOURCE1} ${new_triggers}; then sleep 5 fi -%meson_build - %if %{with selinux} cd selinux %{__make} -f Makefile.selinux SHARE="%{_datadir}" TARGETS="systemd_hs" @@ -627,6 +685,8 @@ EOF install -Dm0755 -t %{buildroot}%{_prefix}/lib/kernel/install.d/ %{SOURCE11} +install -Dm0644 -t %{buildroot}%{_prefix}/lib/systemd/ %{SOURCE13} + install -D -t %{buildroot}/usr/lib/systemd/ %{SOURCE3} # systemd-oomd default configuration @@ -699,31 +759,18 @@ meson test -C %{_vpath_builddir} -t 6 --print-errorlogs %include %{SOURCE1} -%pre -getent group cdrom &>/dev/null || groupadd -r -g 11 cdrom &>/dev/null || : -getent group utmp &>/dev/null || groupadd -r -g 22 utmp &>/dev/null || : -getent group tape &>/dev/null || groupadd -r -g 33 tape &>/dev/null || : -getent group dialout &>/dev/null || groupadd -r -g 18 dialout &>/dev/null || : -getent group input &>/dev/null || groupadd -r input &>/dev/null || : -getent group kvm &>/dev/null || groupadd -r -g 36 kvm &>/dev/null || : -getent group render &>/dev/null || groupadd -r render &>/dev/null || : -getent group systemd-journal &>/dev/null || groupadd -r -g 190 systemd-journal 2>&1 || : - -getent group systemd-coredump &>/dev/null || groupadd -r systemd-coredump 2>&1 || : -getent passwd systemd-coredump &>/dev/null || useradd -r -l -g systemd-coredump -d / -s /sbin/nologin -c "systemd Core Dumper" systemd-coredump &>/dev/null || : - -getent group systemd-network &>/dev/null || groupadd -r -g 192 systemd-network 2>&1 || : -getent passwd systemd-network &>/dev/null || useradd -r -u 192 -l -g systemd-network -d / -s /sbin/nologin -c "systemd Network Management" systemd-network &>/dev/null || : - -getent group systemd-resolve &>/dev/null || groupadd -r -g 193 systemd-resolve 2>&1 || : -getent passwd systemd-resolve &>/dev/null || useradd -r -u 193 -l -g systemd-resolve -d / -s /sbin/nologin -c "systemd Resolver" systemd-resolve &>/dev/null || : - -getent group systemd-oom &>/dev/null || groupadd -r systemd-oom 2>&1 || : -getent passwd systemd-oom &>/dev/null || useradd -r -l -g systemd-oom -d / -s /sbin/nologin -c "systemd Userspace OOM Killer" systemd-oom &>/dev/null || : - %post systemd-machine-id-setup &>/dev/null || : +# FIXME: move to %postun. We want to restart systemd *after* removing +# files from the old rpm. Right now we may still have bits the old +# setup if the files are not present in the new version. But before +# implement restarting of *other* services after the transaction, moving +# this would make things worse, increasing the number of warnings we get +# about needed daemon-reload. + +oomd_state=$(systemctl is-active systemd-oomd 2>/dev/null || :) + systemctl daemon-reexec &>/dev/null || { # systemd v239 had bug #9553 in D-Bus authentication of the private socket, # which was later fixed in v240 by #9625. @@ -744,24 +791,19 @@ systemctl daemon-reexec &>/dev/null || { fi } -if [ $1 -eq 1 ]; then - # create /var/log/journal only on initial installation, - # and only if it's writable (it won't be in rpm-ostree). - [ -w %{_localstatedir} ] && mkdir -p %{_localstatedir}/log/journal - - [ -w %{_localstatedir} ] && journalctl --update-catalog || : - systemd-tmpfiles --create &>/dev/null || : +if [ "$oomd_state" == "active" ]; then + systemctl start -q systemd-oomd 2>/dev/null || : fi -# Make sure new journal files will be owned by the "systemd-journal" group -machine_id=$(cat /etc/machine-id 2>/dev/null) -chgrp systemd-journal /{run,var}/log/journal/{,${machine_id}} &>/dev/null || : -chmod g+s /{run,var}/log/journal/{,${machine_id}} &>/dev/null || : +[ $1 -eq 1 ] || exit 0 -# Apply ACL to the journal directory -setfacl -Rnm g:wheel:rx,d:g:wheel:rx,g:adm:rx,d:g:adm:rx /var/log/journal/ &>/dev/null || : +# create /var/log/journal only on initial installation, +# and only if it's writable (it won't be in rpm-ostree). +[ -w %{_localstatedir} ] && mkdir -p %{_localstatedir}/log/journal -[ $1 -eq 1 ] || exit 0 +[ -w %{_localstatedir} ] && journalctl --update-catalog || : +systemd-sysusers || : +systemd-tmpfiles --create &>/dev/null || : # We reset the enablement of all services upon initial installation # https://bugzilla.redhat.com/show_bug.cgi?id=1118740#c23 @@ -773,25 +815,23 @@ setfacl -Rnm g:wheel:rx,d:g:wheel:rx,g:adm:rx,d:g:adm:rx /var/log/journal/ &>/de systemctl preset-all &>/dev/null || : systemctl --global preset-all &>/dev/null || : -# Create /etc/resolv.conf symlink. -# We would also create it using tmpfiles, but let's do this here -# too before NetworkManager gets a chance. (systemd-tmpfiles invocation above -# does not do this, because it's marked with ! and we don't specify --boot.) -# https://bugzilla.redhat.com/show_bug.cgi?id=1873856 -# -# If systemd is not running, don't overwrite the symlink because that -# will immediately break DNS resolution, since systemd-resolved is -# also not running (https://bugzilla.redhat.com/show_bug.cgi?id=1891847). -# -# Also don't creat the symlink to the stub when the stub is disabled (#1891847 again). -if test -d /run/systemd/system/ && - systemctl -q is-enabled systemd-resolved.service &>/dev/null && - ! mountpoint /etc/resolv.conf &>/dev/null && - ! systemd-analyze cat-config systemd/resolved.conf 2>/dev/null | \ - grep -qE '^DNSStubListener\s*=\s*([nN][oO]?|[fF]|[fF][aA][lL][sS][eE]|0|[oO][fF][fF])$'; then - ln -fsv ../run/systemd/resolve/stub-resolv.conf /etc/resolv.conf +%postun +if [ $1 -eq 1 ]; then + [ -w %{_localstatedir} ] && journalctl --update-catalog || : + systemd-tmpfiles --create &>/dev/null || : fi +%systemd_postun_with_restart systemd-timedated.service systemd-portabled.service systemd-homed.service systemd-hostnamed.service systemd-journald.service systemd-localed.service systemd-userdbd.service systemd-oomd.service + +# FIXME: systemd-logind.service is excluded (https://github.com/systemd/systemd/pull/17558) +# FIXME: user@*.service needs to be restarted, but using systemctl --user daemon-reexec + +%triggerpostun -- systemd < 247.3-2 +# This is for upgrades from previous versions before oomd-defaults is available. +# We use %%triggerpostun here because rpm doesn't allow a second %%triggerun with +# a different package version. +systemctl --no-reload preset systemd-oomd.service &>/dev/null || : + %post libs %{?ldconfig} @@ -836,10 +876,6 @@ fi %global udev_services systemd-udev{d,-settle,-trigger}.service systemd-udevd-{control,kernel}.socket systemd-timesyncd.service -%pre udev -getent group systemd-timesync &>/dev/null || groupadd -r systemd-timesync 2>&1 || : -getent passwd systemd-timesync &>/dev/null || useradd -r -l -g systemd-timesync -d / -s /sbin/nologin -c "systemd Time Synchronization" systemd-timesync &>/dev/null || : - %post udev # Move old stuff around in /var/lib mv %{_localstatedir}/lib/random-seed %{_localstatedir}/lib/systemd/random-seed &>/dev/null @@ -874,15 +910,13 @@ grep -q -E '^KEYMAP="?fi-latin[19]"?' /etc/vconsole.conf 2>/dev/null && # Others are either oneshot services, or sockets, and restarting them causes issues (#1378974) %systemd_postun_with_restart systemd-udevd.service systemd-timesyncd.service -%pre journal-remote -getent group systemd-journal-remote &>/dev/null || groupadd -r systemd-journal-remote 2>&1 || : -getent passwd systemd-journal-remote &>/dev/null || useradd -r -l -g systemd-journal-remote -d %{_localstatedir}/log/journal/remote -s /sbin/nologin -c "Journal Remote" systemd-journal-remote &>/dev/null || : - +%global journal_remote_units_restart systemd-journal-gatewayd.service systemd-journal-remote.service systemd-journal-upload.service +%global journal_remote_units_norestart systemd-journal-gatewayd.socket systemd-journal-remote.socket %post journal-remote -%systemd_post systemd-journal-gatewayd.socket systemd-journal-gatewayd.service systemd-journal-remote.socket systemd-journal-remote.service systemd-journal-upload.service +%systemd_post %journal_remote_units_restart %journal_remote_units_norestart %preun journal-remote -%systemd_preun systemd-journal-gatewayd.socket systemd-journal-gatewayd.service systemd-journal-remote.socket systemd-journal-remote.service systemd-journal-upload.service +%systemd_preun %journal_remote_units_restart %journal_remote_units_norestart if [ $1 -eq 1 ] ; then if [ -f %{_localstatedir}/lib/systemd/journal-upload/state -a ! -L %{_localstatedir}/lib/systemd/journal-upload ] ; then mkdir -p %{_localstatedir}/lib/private/systemd/journal-upload @@ -892,7 +926,63 @@ if [ $1 -eq 1 ] ; then fi %postun journal-remote -%systemd_postun_with_restart systemd-journal-gatewayd.service systemd-journal-remote.service systemd-journal-upload.service +%systemd_postun_with_restart %journal_remote_units_restart + +%post networkd +# systemd-networkd was split out in systemd-246.6-2. +# Ideally, we would have a trigger scriptlet to record enablement +# state when upgrading from systemd <= systemd-246.6-1. But, AFAICS, +# rpm doesn't allow us to trigger on another package, short of +# querying the rpm database ourselves, which seems risky. For rpm, +# systemd and systemd-networkd are completely unrelated. So let's use +# a hack to detect if an old systemd version is currently present in +# the file system. +# https://bugzilla.redhat.com/show_bug.cgi?id=1943263 +if [ $1 -eq 1 ] && ls /usr/lib/systemd/libsystemd-shared-24[0-6].so &>/dev/null; then + echo "Skipping presets for systemd-networkd.service, seems we are upgrading from old systemd." +else + %systemd_post systemd-networkd.service systemd-networkd-wait-online.service +fi + +%preun networkd +%systemd_preun systemd-networkd.service systemd-networkd-wait-online.service + +%preun resolved +if [ $1 -eq 0 ] ; then + systemctl disable --quiet \ + systemd-resolved.service \ + >/dev/null || : +fi + +%post resolved +[ $1 -gt 1 ] && exit 0 + +# Related to https://bugzilla.redhat.com/show_bug.cgi?id=1943263 +if ls /usr/lib/systemd/libsystemd-shared-24[0-8].so &>/dev/null; then + echo "Skipping presets for systemd-resolved.service, seems we are upgrading from old systemd." + exit 0 +fi + +%systemd_post systemd-resolved.service + +# Create /etc/resolv.conf symlink. +# We would also create it using tmpfiles, but let's do this here +# too before NetworkManager gets a chance. (systemd-tmpfiles invocation above +# does not do this, because it's marked with ! and we don't specify --boot.) +# https://bugzilla.redhat.com/show_bug.cgi?id=1873856 +# +# If systemd is not running, don't overwrite the symlink because that +# will immediately break DNS resolution, since systemd-resolved is +# also not running (https://bugzilla.redhat.com/show_bug.cgi?id=1891847). +# +# Also don't create the symlink to the stub when the stub is disabled (#1891847 again). +if test -d /run/systemd/system/ && + systemctl -q is-enabled systemd-resolved.service &>/dev/null && + ! mountpoint /etc/resolv.conf &>/dev/null && + ! systemd-analyze cat-config systemd/resolved.conf 2>/dev/null | \ + grep -qE '^DNSStubListener\s*=\s*([nN][oO]?|[fF]|[fF][aA][lL][sS][eE]|0|[oO][fF][fF])$'; then + ln -fsv ../run/systemd/resolve/stub-resolv.conf /etc/resolv.conf +fi %if %{with selinux} %pre selinux @@ -943,6 +1033,8 @@ fi %files rpm-macros -f .file-list-rpm-macros +%files resolved -f .file-list-resolve + %files devel -f .file-list-devel %files udev -f .file-list-udev @@ -951,6 +1043,8 @@ fi %files journal-remote -f .file-list-remote +%files networkd -f .file-list-networkd + %files oomd-defaults -f .file-list-oomd-defaults %files tests -f .file-list-tests @@ -962,10 +1056,24 @@ fi %endif %changelog +* Wed Jul 28 2021 Anita Zhang - 249.2-1.1 +- New release for 249 +- Drop merged patches +- Split networkd and resolved into their own subpackages. However we don't + create the /etc/resolv.conf stub. + * Tue Jul 27 2021 Davide Cavalca - 248.5-1.3 - Add missing SELinux rules for the GNOME and KDE LiveDVD spins (https://pagure.io/centos-sig-hyperscale/package-bugs/issue/7) +* Fri Jul 23 2021 Zbigniew Jędrzejewski-Szmek - 249.2-1 +- Latest bugfix release (a minor hwdb regression bugfix, and correction + to kernel commandline handling when reexecuting PID 1 in a container) + +* Fri Jul 23 2021 Michael Catanzaro - 249.2-1 +- Build with -Ddefault-dns-over-tls=opportunistic + (https://fedoraproject.org/wiki/Changes/DNS_Over_TLS, #1889901) + * Wed Jul 21 2021 Davide Cavalca - 248.5-1.2 - Add missing SELinux rules for 248 (https://pagure.io/centos-sig-hyperscale/package-bugs/issue/1) @@ -985,6 +1093,34 @@ fi - systemd-networkd workaround for TALOS-2020-1142, CVE-2020-13529. - A big update of hardware descriptions. +* Wed Jul 7 2021 Neal Gompa - 249-2 +- Use correct NEWS URLs for systemd 249 releases in changelog entries + +* Wed Jul 7 2021 Zbigniew Jędrzejewski-Szmek - 249-1 +- Latest upstream release with minor bugfixes, see + https://github.com/systemd/systemd/blob/v249/NEWS. +- systemd-oomd cpu usage is reduced (#1944646) + +* Thu Jul 1 2021 Zbigniew Jędrzejewski-Szmek - 249~rc3-1 +- Latest upstream prerelease with various bugfixes, see + https://github.com/systemd/systemd/blob/v249-rc3/NEWS. + +* Fri Jun 25 2021 Zbigniew Jędrzejewski-Szmek - 249~rc2-1 +- Latest upstream prerelease with various bugfixes, see + https://github.com/systemd/systemd/blob/v249-rc2/NEWS. +- Ignore FORCERENEW DHCP packets (TALOS-2020-1142, CVE-2020-13529, #1959398) + +* Thu Jun 17 2021 Adam Williamson - 249~rc1-2 +- Stop systemd providing systemd-resolved, now the subpackage exists (#1973462) + +* Wed Jun 16 2021 Zbigniew Jędrzejewski-Szmek - 249~rc1-1 +- Latest upstream prerelease, see + https://github.com/systemd/systemd/blob/v249-rc1/NEWS. + Fixes #1963428. +- Use systemd-sysusers to create users (#1965815) +- Move systemd-resolved into systemd-resolved subpackage (#1923727) + [patch from Petr Menšík] + * Mon Jun 14 2021 Anita Zhang - 248.2-1.5 - Remove backport PR #19811 since it's still buggy - Remove d586f642fd90e3bb378f7b6d3e3a64a753e51756 to fix rate limiting instead