From b80d668d9e132c1fc2eb3229b52ff7f45fc48cb5 Mon Sep 17 00:00:00 2001 From: Zbigniew Jędrzejewski-Szmek Date: Dec 22 2018 10:12:35 +0000 Subject: Fix previous patch and revert the change that requires selinux policy update --- diff --git a/0001-test-json-check-absolute-and-relative-difference-in-.patch b/0001-test-json-check-absolute-and-relative-difference-in-.patch index 670ac3a..a34b45a 100644 --- a/0001-test-json-check-absolute-and-relative-difference-in-.patch +++ b/0001-test-json-check-absolute-and-relative-difference-in-.patch @@ -1,4 +1,4 @@ -From 034967a2a644c8cdbf855f0079299b71b6a1f435 Mon Sep 17 00:00:00 2001 +From 847364f5123f108884f8c59fb05d7ff941693dfb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Fri, 21 Dec 2018 22:49:53 +0100 Subject: [PATCH] test-json: check absolute and relative difference in floating @@ -17,7 +17,7 @@ Let's do the usual-style test for absolute and relative differences. 1 file changed, 7 insertions(+), 9 deletions(-) diff --git a/src/test/test-json.c b/src/test/test-json.c -index 5aa4d19dbe..e6ec9bfba8 100644 +index 5aa4d19dbe..cd6269f798 100644 --- a/src/test/test-json.c +++ b/src/test/test-json.c @@ -1,9 +1,6 @@ @@ -42,11 +42,11 @@ index 5aa4d19dbe..e6ec9bfba8 100644 - assert_se(fabsl(d - v.real) < 0.001L); + /* Valgrind doesn't support long double calculations and automatically downgrades to 80bit: + * http://www.valgrind.org/docs/manual/manual-core.html#manual-core.limits. -+ * Some architectures might now support long double either. ++ * Some architectures might not support long double either. + */ + -+ assert_se(fabsl(d - v.real) < 1e-15 || -+ fabsl(d - v.real) / v.real < 1e-15); ++ assert_se(fabsl(d - v.real) < 1e-10 || ++ fabsl((d - v.real) / v.real) < 1e-10); } else if (t == JSON_TOKEN_INTEGER) { intmax_t i; diff --git a/0002-Revert-units-set-NoNewPrivileges-for-all-long-runnin.patch b/0002-Revert-units-set-NoNewPrivileges-for-all-long-runnin.patch new file mode 100644 index 0000000..d7bb223 --- /dev/null +++ b/0002-Revert-units-set-NoNewPrivileges-for-all-long-runnin.patch @@ -0,0 +1,207 @@ +From 2cce22a4279d4f304e75b87b56b9eeb5cd313566 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Sat, 22 Dec 2018 11:11:04 +0100 +Subject: [PATCH] Revert "units: set NoNewPrivileges= for all long-running + services" + +This reverts commit 64d7f7b4a15f1534fb19fda6b601fec50783bee4. +--- + units/systemd-coredump@.service.in | 1 - + units/systemd-hostnamed.service.in | 1 - + units/systemd-initctl.service.in | 1 - + units/systemd-journal-gatewayd.service.in | 1 - + units/systemd-journal-remote.service.in | 1 - + units/systemd-journal-upload.service.in | 1 - + units/systemd-journald.service.in | 1 - + units/systemd-localed.service.in | 1 - + units/systemd-logind.service.in | 1 - + units/systemd-machined.service.in | 1 - + units/systemd-networkd.service.in | 1 - + units/systemd-resolved.service.in | 1 - + units/systemd-rfkill.service.in | 1 - + units/systemd-timedated.service.in | 1 - + units/systemd-timesyncd.service.in | 1 - + 15 files changed, 15 deletions(-) + +diff --git a/units/systemd-coredump@.service.in b/units/systemd-coredump@.service.in +index ffcb5f36ca..74dcf7fe06 100644 +--- a/units/systemd-coredump@.service.in ++++ b/units/systemd-coredump@.service.in +@@ -22,7 +22,6 @@ IPAddressDeny=any + LockPersonality=yes + MemoryDenyWriteExecute=yes + Nice=9 +-NoNewPrivileges=yes + OOMScoreAdjust=500 + PrivateDevices=yes + PrivateNetwork=yes +diff --git a/units/systemd-hostnamed.service.in b/units/systemd-hostnamed.service.in +index 9c925e80d9..696d4e2e60 100644 +--- a/units/systemd-hostnamed.service.in ++++ b/units/systemd-hostnamed.service.in +@@ -19,7 +19,6 @@ ExecStart=@rootlibexecdir@/systemd-hostnamed + IPAddressDeny=any + LockPersonality=yes + MemoryDenyWriteExecute=yes +-NoNewPrivileges=yes + PrivateDevices=yes + PrivateNetwork=yes + PrivateTmp=yes +diff --git a/units/systemd-initctl.service.in b/units/systemd-initctl.service.in +index c276283908..f48d673d58 100644 +--- a/units/systemd-initctl.service.in ++++ b/units/systemd-initctl.service.in +@@ -14,6 +14,5 @@ DefaultDependencies=no + + [Service] + ExecStart=@rootlibexecdir@/systemd-initctl +-NoNewPrivileges=yes + NotifyAccess=all + SystemCallArchitectures=native +diff --git a/units/systemd-journal-gatewayd.service.in b/units/systemd-journal-gatewayd.service.in +index ebc8bf9a25..5ef4ee0058 100644 +--- a/units/systemd-journal-gatewayd.service.in ++++ b/units/systemd-journal-gatewayd.service.in +@@ -17,7 +17,6 @@ DynamicUser=yes + ExecStart=@rootlibexecdir@/systemd-journal-gatewayd + LockPersonality=yes + MemoryDenyWriteExecute=yes +-NoNewPrivileges=yes + PrivateDevices=yes + PrivateNetwork=yes + ProtectControlGroups=yes +diff --git a/units/systemd-journal-remote.service.in b/units/systemd-journal-remote.service.in +index 29a99aaec1..ec1311da88 100644 +--- a/units/systemd-journal-remote.service.in ++++ b/units/systemd-journal-remote.service.in +@@ -17,7 +17,6 @@ ExecStart=@rootlibexecdir@/systemd-journal-remote --listen-https=-3 --output=/va + LockPersonality=yes + LogsDirectory=journal/remote + MemoryDenyWriteExecute=yes +-NoNewPrivileges=yes + PrivateDevices=yes + PrivateNetwork=yes + PrivateTmp=yes +diff --git a/units/systemd-journal-upload.service.in b/units/systemd-journal-upload.service.in +index 92cd4e5259..a15744e1e8 100644 +--- a/units/systemd-journal-upload.service.in ++++ b/units/systemd-journal-upload.service.in +@@ -18,7 +18,6 @@ DynamicUser=yes + ExecStart=@rootlibexecdir@/systemd-journal-upload --save-state + LockPersonality=yes + MemoryDenyWriteExecute=yes +-NoNewPrivileges=yes + PrivateDevices=yes + ProtectControlGroups=yes + ProtectHome=yes +diff --git a/units/systemd-journald.service.in b/units/systemd-journald.service.in +index 4684f095c0..7b659d4b03 100644 +--- a/units/systemd-journald.service.in ++++ b/units/systemd-journald.service.in +@@ -22,7 +22,6 @@ FileDescriptorStoreMax=4224 + IPAddressDeny=any + LockPersonality=yes + MemoryDenyWriteExecute=yes +-NoNewPrivileges=yes + Restart=always + RestartSec=0 + RestrictAddressFamilies=AF_UNIX AF_NETLINK +diff --git a/units/systemd-localed.service.in b/units/systemd-localed.service.in +index 01e0703d0e..7d40fb4897 100644 +--- a/units/systemd-localed.service.in ++++ b/units/systemd-localed.service.in +@@ -19,7 +19,6 @@ ExecStart=@rootlibexecdir@/systemd-localed + IPAddressDeny=any + LockPersonality=yes + MemoryDenyWriteExecute=yes +-NoNewPrivileges=yes + PrivateDevices=yes + PrivateNetwork=yes + PrivateTmp=yes +diff --git a/units/systemd-logind.service.in b/units/systemd-logind.service.in +index 38a7f269ac..6b362ccdca 100644 +--- a/units/systemd-logind.service.in ++++ b/units/systemd-logind.service.in +@@ -27,7 +27,6 @@ FileDescriptorStoreMax=512 + IPAddressDeny=any + LockPersonality=yes + MemoryDenyWriteExecute=yes +-NoNewPrivileges=yes + Restart=always + RestartSec=0 + RestrictAddressFamilies=AF_UNIX AF_NETLINK +diff --git a/units/systemd-machined.service.in b/units/systemd-machined.service.in +index 9f1476814d..d90e71ae67 100644 +--- a/units/systemd-machined.service.in ++++ b/units/systemd-machined.service.in +@@ -22,7 +22,6 @@ ExecStart=@rootlibexecdir@/systemd-machined + IPAddressDeny=any + LockPersonality=yes + MemoryDenyWriteExecute=yes +-NoNewPrivileges=yes + RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6 + RestrictRealtime=yes + SystemCallArchitectures=native +diff --git a/units/systemd-networkd.service.in b/units/systemd-networkd.service.in +index 472ef045de..f23bf227fb 100644 +--- a/units/systemd-networkd.service.in ++++ b/units/systemd-networkd.service.in +@@ -24,7 +24,6 @@ CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_N + ExecStart=!!@rootlibexecdir@/systemd-networkd + LockPersonality=yes + MemoryDenyWriteExecute=yes +-NoNewPrivileges=yes + ProtectControlGroups=yes + ProtectHome=yes + ProtectKernelModules=yes +diff --git a/units/systemd-resolved.service.in b/units/systemd-resolved.service.in +index 3144b70063..d08842f0d4 100644 +--- a/units/systemd-resolved.service.in ++++ b/units/systemd-resolved.service.in +@@ -25,7 +25,6 @@ CapabilityBoundingSet=CAP_SETPCAP CAP_NET_RAW CAP_NET_BIND_SERVICE + ExecStart=!!@rootlibexecdir@/systemd-resolved + LockPersonality=yes + MemoryDenyWriteExecute=yes +-NoNewPrivileges=yes + PrivateDevices=yes + PrivateTmp=yes + ProtectControlGroups=yes +diff --git a/units/systemd-rfkill.service.in b/units/systemd-rfkill.service.in +index 3abb958310..7447ed5b5b 100644 +--- a/units/systemd-rfkill.service.in ++++ b/units/systemd-rfkill.service.in +@@ -18,7 +18,6 @@ Before=shutdown.target + + [Service] + ExecStart=@rootlibexecdir@/systemd-rfkill +-NoNewPrivileges=yes + StateDirectory=systemd/rfkill + TimeoutSec=30s + Type=notify +diff --git a/units/systemd-timedated.service.in b/units/systemd-timedated.service.in +index 6d53024195..1105f1a980 100644 +--- a/units/systemd-timedated.service.in ++++ b/units/systemd-timedated.service.in +@@ -19,7 +19,6 @@ ExecStart=@rootlibexecdir@/systemd-timedated + IPAddressDeny=any + LockPersonality=yes + MemoryDenyWriteExecute=yes +-NoNewPrivileges=yes + PrivateTmp=yes + ProtectControlGroups=yes + ProtectHome=yes +diff --git a/units/systemd-timesyncd.service.in b/units/systemd-timesyncd.service.in +index 03ade45d08..8b99e92e01 100644 +--- a/units/systemd-timesyncd.service.in ++++ b/units/systemd-timesyncd.service.in +@@ -24,7 +24,6 @@ CapabilityBoundingSet=CAP_SYS_TIME + ExecStart=!!@rootlibexecdir@/systemd-timesyncd + LockPersonality=yes + MemoryDenyWriteExecute=yes +-NoNewPrivileges=yes + PrivateDevices=yes + PrivateTmp=yes + ProtectControlGroups=yes +-- +2.19.2 + diff --git a/systemd.spec b/systemd.spec index 32dc407..75eb209 100644 --- a/systemd.spec +++ b/systemd.spec @@ -51,6 +51,7 @@ GIT_DIR=../../src/systemd/.git git diffab -M v233..master@{2017-06-15} -- hwdb/[ %endif Patch0001: 0001-test-json-check-absolute-and-relative-difference-in-.patch +Patch0002: 0002-Revert-units-set-NoNewPrivileges-for-all-long-runnin.patch Patch0998: 0998-resolved-create-etc-resolv.conf-symlink-at-runtime.patch