diff --git a/SOURCES/0863-logind-remember-our-idle-state-and-use-it-to-detect-.patch b/SOURCES/0863-logind-remember-our-idle-state-and-use-it-to-detect-.patch
new file mode 100644
index 0000000..583749a
--- /dev/null
+++ b/SOURCES/0863-logind-remember-our-idle-state-and-use-it-to-detect-.patch
@@ -0,0 +1,70 @@
+From a55bdb007ca24900a704f72359305b04125d9e05 Mon Sep 17 00:00:00 2001
+From: Michal Sekletar
+Date: Wed, 20 Apr 2022 10:13:43 +0200
+Subject: [PATCH] logind: remember our idle state and use it to detect idle
+ level transitions
+
+Fixes #16391
+
+(cherry picked from commit 4e2cfb778b9ed7f22ee98f48f28cf8678d25ad32)
+
+Resolved: #1866955
+---
+ src/login/logind.c | 23 +++++++++++++++++++----
+ src/login/logind.h | 1 +
+ 2 files changed, 20 insertions(+), 4 deletions(-)
+
+diff --git a/src/login/logind.c b/src/login/logind.c
+index 6b576dad0d..bb1d3f3523 100644
+--- a/src/login/logind.c
++++ b/src/login/logind.c
+@@ -1027,18 +1027,33 @@ static int manager_dispatch_idle_action(sd_event_source *s, uint64_t t, void *us
+ n = now(CLOCK_MONOTONIC);
+
+ r = manager_get_idle_hint(m, &since);
+- if (r <= 0)
++ if (r <= 0) {
+ /* Not idle. Let's check if after a timeout it might be idle then. */
+ elapse = n + m->idle_action_usec;
+- else {
++ m->was_idle = false;
++ } else {
++
+ /* Idle! Let's see if it's time to do something, or if
+ * we shall sleep for longer. */
+
+ if (n >= since.monotonic + m->idle_action_usec &&
+ (m->idle_action_not_before_usec <= 0 || n >= m->idle_action_not_before_usec + m->idle_action_usec)) {
+- log_info("System idle. Taking action.");
++ bool is_edge = false;
++
++ /* We weren't idle previously or some activity happened while we were sleeping, and now we are
++ * idle. Let's remember that for the next time and make this an edge transition. */
++ if (!m->was_idle || since.monotonic >= m->idle_action_not_before_usec) {
++ is_edge = true;
++ m->was_idle = true;
++ }
++
++ if (m->idle_action == HANDLE_LOCK && !is_edge)
++ /* We are idle and we were before so we are actually not taking any action. */
++ log_debug("System idle.");
++ else
++ log_info("System idle. 
Doing %s operation.", handle_action_to_string(m->idle_action));
+
+- manager_handle_action(m, 0, m->idle_action, false, false);
++ manager_handle_action(m, 0, m->idle_action, false, is_edge);
+ m->idle_action_not_before_usec = n;
+ }
+
+diff --git a/src/login/logind.h b/src/login/logind.h
+index 606adf4fe6..b9b4a5113f 100644
+--- a/src/login/logind.h
++++ b/src/login/logind.h
+@@ -101,6 +101,7 @@ struct Manager {
+ usec_t idle_action_usec;
+ usec_t idle_action_not_before_usec;
+ HandleAction idle_action;
++ bool was_idle;
+
+ usec_t stop_idle_session_usec;
+
diff --git a/SOURCES/0864-test-import-logind-test-from-debian-ubuntu-test-suit.patch b/SOURCES/0864-test-import-logind-test-from-debian-ubuntu-test-suit.patch
new file mode 100644
index 0000000..6c058f8
--- /dev/null
+++ b/SOURCES/0864-test-import-logind-test-from-debian-ubuntu-test-suit.patch 
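Review bot: An error from manager_get_idle_hint() is still folded into the not-idle branch by `if (r <= 0) {`, and that branch now also clears `m->was_idle`, so a failing query re-arms the timer and defers the idle action (the lock, with IdleAction=lock) without leaving anything in the log. Logging the failure ahead of the `elapse` assignment keeps that visible: `if (r < 0) log_debug_errno(r, "Failed to query idle hint, assuming not idle: %m");`. The new `bool was_idle;` member of struct Manager would also benefit from a comment such as `/* idle action already fired for the current idle period */`. manager_dispatch_idle_action() starts and ends outside the hunk.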
@@ -0,0 +1,103 @@ +From 1925845dc10330e4b48fec68333fac6ef2b7bf5c Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Wed, 1 Jun 2022 08:56:08 +0900 +Subject: [PATCH] test: import logind test from debian/ubuntu test suite + +[dtardon: Picked just the scaffolding, not the tests themselves.] + +(cherry picked from commit 9c94ab0f6ff22da4278a6e9a93ddc480607c55ac) + +Related: #1866955 +--- + test/TEST-35-LOGIN/Makefile | 1 + + test/TEST-35-LOGIN/test.sh | 55 +++++++++++++++++++++++++++++++++ + test/TEST-35-LOGIN/testsuite.sh | 9 ++++++ + 3 files changed, 65 insertions(+) + create mode 120000 test/TEST-35-LOGIN/Makefile + create mode 100755 test/TEST-35-LOGIN/test.sh + create mode 100755 test/TEST-35-LOGIN/testsuite.sh + +diff --git a/test/TEST-35-LOGIN/Makefile b/test/TEST-35-LOGIN/Makefile +new file mode 120000 +index 0000000000..e9f93b1104 +--- /dev/null ++++ b/test/TEST-35-LOGIN/Makefile +@@ -0,0 +1 @@ ++../TEST-01-BASIC/Makefile +\ No newline at end of file +diff --git a/test/TEST-35-LOGIN/test.sh b/test/TEST-35-LOGIN/test.sh +new file mode 100755 +index 0000000000..32410c8149 +--- /dev/null ++++ b/test/TEST-35-LOGIN/test.sh +@@ -0,0 +1,55 @@ ++#!/usr/bin/env bash ++# SPDX-License-Identifier: LGPL-2.1-or-later ++set -e ++ ++TEST_DESCRIPTION="LOGIN" ++ ++# shellcheck source=test/test-functions ++. 
"${TEST_BASE_DIR:?}/test-functions" ++ ++test_setup() { ++ create_empty_image ++ mkdir -p "$TESTDIR"/root ++ mount "${LOOPDEV}p1" "$TESTDIR"/root ++ ++ ( ++ LOG_LEVEL=5 ++ eval $(udevadm info --export --query=env --name="${LOOPDEV}p2") ++ ++ setup_basic_environment ++ ++ inst_binary pkill ++ inst_binary useradd ++ inst_binary userdel ++ ++ # mask some services that we do not want to run in these tests ++ ln -fs /dev/null "$initdir"/etc/systemd/system/systemd-hwdb-update.service ++ ln -fs /dev/null "$initdir"/etc/systemd/system/systemd-journal-catalog-update.service ++ ln -fs /dev/null "$initdir"/etc/systemd/system/systemd-networkd.service ++ ln -fs /dev/null "$initdir"/etc/systemd/system/systemd-networkd.socket ++ ln -fs /dev/null "$initdir"/etc/systemd/system/systemd-resolved.service ++ ln -fs /dev/null "$initdir"/etc/systemd/system/systemd-machined.service ++ ++ # setup the testsuite service ++ cat >"$initdir"/etc/systemd/system/testsuite.service </failed ++ ++touch /testok ++rm /failed diff --git a/SOURCES/0865-test-introduce-inst_recursive-helper-function.patch b/SOURCES/0865-test-introduce-inst_recursive-helper-function.patch new file mode 100644 index 0000000..cb98216 --- /dev/null +++ b/SOURCES/0865-test-introduce-inst_recursive-helper-function.patch 
@@ -0,0 +1,37 @@
+From 21c281585983fe2efc2b74d712d98ff7e6c013b1 Mon Sep 17 00:00:00 2001
+From: Yu Watanabe
+Date: Tue, 14 Jun 2022 09:11:00 +0900
+Subject: [PATCH] test: introduce inst_recursive() helper function
+
+(cherry picked from commit da0465dc95388afc15598357452afef85035c639)
+
+Related: #1866955
+---
+ test/test-functions | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/test/test-functions b/test/test-functions
+index 19363be858..9606a1b085 100644
+--- a/test/test-functions
++++ b/test/test-functions
+@@ -1224,6 +1224,20 @@ inst_any() {
+ return 1
+ }
+
++inst_recursive() {
++ local p item
++
++ for p in "$@"; do
++ while read -r item; do
++ if [[ -d "$item" ]]; then
++ inst_dir "$item"
++ elif [[ -f "$item" ]]; then
++ inst_simple "$item"
++ fi
++ done < <(find "$p" 2>/dev/null)
++ done
++}
++
+ # dracut_install [-o ] [ ... ]
+ # Install to the initramfs image
+ # -o optionally install the and don't fail, if it is not there
diff --git a/SOURCES/0866-tests-verify-that-Lock-D-Bus-signal-is-sent-when-Idl.patch b/SOURCES/0866-tests-verify-that-Lock-D-Bus-signal-is-sent-when-Idl.patch
new file mode 100644
index 0000000..f1fe13a
--- /dev/null
+++ b/SOURCES/0866-tests-verify-that-Lock-D-Bus-signal-is-sent-when-Idl.patch 
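Review bot: `while read -r item` in inst_recursive() trims leading and trailing whitespace from each path and treats a newline inside a name as a record separator, so such files are skipped or installed under the wrong name without any error. Reading NUL-delimited output avoids both: `while IFS= read -r -d '' item; do` paired with `done < <(find "$p" -print0 2>/dev/null)`. Because find's stderr is discarded, a missing or unreadable `$p` installs nothing and says nothing; if that is intended, a comment such as `# paths that do not exist are skipped on purpose` above the loop would record it.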
@@ -0,0 +1,148 @@ +From 638c2418e705410344e07e77f944530df0f4608f Mon Sep 17 00:00:00 2001 +From: Michal Sekletar +Date: Fri, 1 Jul 2022 12:59:57 +0200 +Subject: [PATCH] tests: verify that Lock D-Bus signal is sent when + IdleAction=lock + +(cherry picked from commit 181656fc0faa885d69bc34822b8e9b5de3fdf6bf) + +Related: #1866955 +--- + test/TEST-35-LOGIN/test.sh | 11 +++- + test/TEST-35-LOGIN/testsuite.sh | 93 +++++++++++++++++++++++++++++++++ + 2 files changed, 103 insertions(+), 1 deletion(-) + +diff --git a/test/TEST-35-LOGIN/test.sh b/test/TEST-35-LOGIN/test.sh +index 32410c8149..f83afcff49 100755 +--- a/test/TEST-35-LOGIN/test.sh ++++ b/test/TEST-35-LOGIN/test.sh +@@ -14,14 +14,23 @@ test_setup() { + + ( + LOG_LEVEL=5 +- eval $(udevadm info --export --query=env --name="${LOOPDEV}p2") ++ eval "$(udevadm info --export --query=env --name="${LOOPDEV}p2")" + + setup_basic_environment + ++ inst_binary awk + inst_binary pkill + inst_binary useradd + inst_binary userdel + ++ if command -v expect >/dev/null && command -v tclsh >/dev/null ; then ++ # shellcheck disable=SC2016 ++ version="$(tclsh <<< 'puts $tcl_version')" ++ ++ dracut_install expect ++ inst_recursive /usr/lib64/tcl"$version" /usr/share/tcl"$version" ++ fi ++ + # mask some services that we do not want to run in these tests + ln -fs /dev/null "$initdir"/etc/systemd/system/systemd-hwdb-update.service + ln -fs /dev/null "$initdir"/etc/systemd/system/systemd-journal-catalog-update.service +diff --git a/test/TEST-35-LOGIN/testsuite.sh b/test/TEST-35-LOGIN/testsuite.sh +index 9855b4bc80..e4d72beb74 100755 +--- a/test/TEST-35-LOGIN/testsuite.sh ++++ b/test/TEST-35-LOGIN/testsuite.sh +@@ -3,7 +3,100 @@ + set -eux + set -o pipefail + ++setup_idle_action_lock() { ++ useradd testuser ||: ++ ++ mkdir -p /run/systemd/logind.conf.d/ ++ cat >/run/systemd/logind.conf.d/idle-action-lock.conf </run/systemd/systemd-logind.service.d/debug.conf </dev/null ; then ++ echo >&2 "expect not installed, skiping test ${FUNCNAME[0]}" 
++ return 0 ++ fi ++ ++ setup_idle_action_lock ++ trap teardown_idle_action_lock RETURN ++ ++ if loginctl --no-legend | awk '{ print $3; }' | sort -u | grep -q testuser ; then ++ echo >&2 "Session of the \'testuser\' is already present." ++ return 1 ++ fi ++ ++ # IdleActionSec is set 1s but the accuracy of associated timer is 30s so we ++ # need to sleep in worst case for 31s to make sure timer elapsed. We sleep ++ # here for 35s to accomodate for any possible scheudling delays. ++ cat > /tmp/test.exp < dbus.log & ++ ++ expect /tmp/test.exp & ++ ++ # Sleep a bit to give expect time to spawn systemd-run before we check for ++ # the presence of resulting session. ++ sleep 2 ++ if [ "$(loginctl --no-legend | awk '{ print $3; }' | sort -u | grep -c testuser)" != 1 ] ; then ++ echo >&2 "\'testuser\' is expected to have exactly one session running." ++ return 1 ++ fi ++ ++ wait %2 ++ sleep 20 ++ kill %1 ++ ++ # We slept for 35s , in that interval all sessions should have become idle ++ # and "Lock" signal should have been sent out. Then we wrote to tty to make ++ # session active again and next we slept for another 35s so sessions have ++ # become idle again. 'Lock' signal is sent out for each session, we have at ++ # least one session, so minimum of 2 "Lock" signals must have been sent. ++ if [ "$(grep -c Member=Lock dbus.log)" -lt 2 ]; then ++ echo >&2 "Too few 'Lock' D-Bus signal sent, expected at least 2." ++ return 1 ++ fi ++ ++ journalctl -b -u systemd-logind.service --since="$ts" > logind.log ++ if [ "$(grep -c 'System idle. Doing lock operation.' logind.log)" -lt 2 ]; then ++ echo >&2 "System haven't entered idle state at least 2 times." ++ return 1 ++ fi ++ ++ rm -f dbus.log logind.log ++} ++ + : >/failed + ++test_lock_idle_action ++ + touch /testok + rm /failed diff --git a/SOURCES/0867-systemctl-simplify-halt_main.patch b/SOURCES/0867-systemctl-simplify-halt_main.patch new file mode 100644 index 0000000..bd1d085 --- /dev/null 
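Review bot: The expect script goes to the fixed path `/tmp/test.exp` and the captures to `dbus.log` and `logind.log` in the current directory, while `rm -f dbus.log logind.log` is reached only on the success path, so a failed run leaves all three behind for the next run to reuse. A private work directory removed from the RETURN trap would cover this, for example `workdir="$(mktemp -d)"` with the three files created under `"$workdir"`. The two messages written as `"\'testuser\' ..."` print the backslashes literally, because `\'` is not an escape inside double quotes; plain `'testuser'` is enough. The here-documents of this hunk are missing from the page, so the teardown function could not be checked.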
+++ b/SOURCES/0867-systemctl-simplify-halt_main.patch 
@@ -0,0 +1,86 @@
+From 797b00e6a6f33d2b74beba02f678bf4d12e2146b Mon Sep 17 00:00:00 2001
+From: Ludwig Nussel
+Date: Tue, 14 Dec 2021 17:27:05 +0100
+Subject: [PATCH] systemctl: simplify halt_main()
+
+The code at this point is not able to tell whether it was called as
+halt/poweroff/reboot or shutdown with time "now".
+The code also takes a shortcut to skip logind if called as root.
+That however means asking shutdown for immediate action won't trigger a
+wall message.
+As per https://github.com/systemd/systemd/issues/8424#issuecomment-374677315
+all commands should trigger a wall message.
+That simplifies the code as we can try logind first always.
+
+(cherry picked from commit adefc8789b63225662e50ceaa282f9553b5c64eb)
+
+Resolves: #2053273
+---
+ src/systemctl/systemctl.c | 44 ++++++++++++++++-----------------------
+ 1 file changed, 18 insertions(+), 26 deletions(-)
+
+diff --git a/src/systemctl/systemctl.c b/src/systemctl/systemctl.c
+index b967550b97..4bedb52f2a 100644
+--- a/src/systemctl/systemctl.c
++++ b/src/systemctl/systemctl.c
+@@ -8658,34 +8658,23 @@ static int logind_schedule_shutdown(void) {
+ static int halt_main(void) {
+ int r;
+
+- r = logind_check_inhibitors(arg_action);
+- if (r < 0)
+- return r;
+-
++ /* always try logind first */
+ if (arg_when > 0)
+- return logind_schedule_shutdown();
+-
+- if (geteuid() != 0) {
+- if (arg_dry_run || arg_force > 0) {
+- (void) must_be_root();
+- return -EPERM;
+- }
++ r = logind_schedule_shutdown();
++ else {
++ r = logind_check_inhibitors(arg_action);
++ if (r < 0)
++ return r;
+
+- /* Try logind if we are a normal user and no special
+- * mode applies. Maybe PolicyKit allows us to shutdown
+- * the machine. 
*/
+- if (IN_SET(arg_action, ACTION_POWEROFF, ACTION_REBOOT, ACTION_HALT)) {
+- r = logind_reboot(arg_action);
+- if (r >= 0)
+- return r;
+- if (IN_SET(r, -EOPNOTSUPP, -EINPROGRESS))
+- /* requested operation is not
+- * supported on the local system or
+- * already in progress */
+- return r;
+- /* on all other errors, try low-level operation */
+- }
++ r = logind_reboot(arg_action);
+ }
++ if (r >= 0)
++ return r;
++ if (IN_SET(r, -EOPNOTSUPP, -EINPROGRESS))
++ /* Requested operation is not supported on the local system or already in
++ * progress */
++ return r;
++ /* on all other errors, try low-level operation */
+
+ /* In order to minimize the difference between operation with and
+ * without logind, we explicitly enable non-blocking mode for this,
+@@ -8695,7 +8684,10 @@ static int halt_main(void) {
+ if (!arg_dry_run && !arg_force)
+ return start_with_fallback();
+
+- assert(geteuid() == 0);
++ if (geteuid() != 0) {
++ (void) must_be_root();
++ return -EPERM;
++ }
+
+ if (!arg_no_wtmp) {
+ if (sd_booted() > 0)
diff --git a/SOURCES/0868-systemctl-shutdown-don-t-fallback-on-auth-fail.patch b/SOURCES/0868-systemctl-shutdown-don-t-fallback-on-auth-fail.patch
new file mode 100644
index 0000000..dd7b2dd
--- /dev/null
+++ b/SOURCES/0868-systemctl-shutdown-don-t-fallback-on-auth-fail.patch 
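Review bot: halt_main() now calls logind_schedule_shutdown() or logind_reboot() before it looks at `arg_dry_run` or `arg_force`, whereas the removed code returned -EPERM for an unprivileged `--dry-run`/`--force` call before contacting logind and never called logind_reboot() for root. Whether a dry run still has no effect therefore depends on the two helpers checking `arg_dry_run` themselves, which this hunk does not show and is worth confirming. If they do, a comment at the top of the function would record the dependency: `/* logind_reboot() and logind_schedule_shutdown() are expected to honour arg_dry_run themselves */`. An unprivileged `--force` request that logind accepts is now carried out as an ordinary logind shutdown, which deserves a line in the commit message.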
@@ -0,0 +1,51 @@
+From 1d63577410cde215c04921d62f435259a6b258d7 Mon Sep 17 00:00:00 2001
+From: Ludwig Nussel
+Date: Mon, 20 Dec 2021 18:05:50 +0100
+Subject: [PATCH] systemctl: shutdown don't fallback on auth fail
+
+For shutdowns don't fall back to starting the target directly if talking
+to logind failed with auth failure. That would just lead to another
+polkit auth attempt.
+
+(cherry picked from commit 38d55bf2641f345445cb4e6a5e5e808555591db2)
+
+Related: #2053273
+---
+ src/systemctl/systemctl.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/src/systemctl/systemctl.c b/src/systemctl/systemctl.c
+index 4bedb52f2a..199f736f7f 100644
+--- a/src/systemctl/systemctl.c
++++ b/src/systemctl/systemctl.c
+@@ -3675,8 +3675,8 @@ static int start_special(int argc, char *argv[], void *userdata) {
+ r = logind_reboot(a);
+ if (r >= 0)
+ return r;
+- if (IN_SET(r, -EOPNOTSUPP, -EINPROGRESS))
+- /* requested operation is not supported or already in progress */
++ if (IN_SET(r, -EACCES, -EOPNOTSUPP, -EINPROGRESS))
++ /* Requested operation requires auth, is not supported or already in progress */
+ return r;
+
+ /* On all other errors, try low-level operation. 
In order to minimize the difference between
+@@ -8644,7 +8644,7 @@ static int logind_schedule_shutdown(void) {
+ action,
+ arg_when);
+ if (r < 0)
+- return log_warning_errno(r, "Failed to call ScheduleShutdown in logind, proceeding with immediate shutdown: %s", bus_error_message(&error, r));
++ return log_warning_errno(r, "Failed to schedule shutdown: %s", bus_error_message(&error, r));
+
+ if (!arg_quiet)
+ log_info("Shutdown scheduled for %s, use 'shutdown -c' to cancel.", format_timestamp(date, sizeof(date), arg_when));
+@@ -8670,8 +8670,8 @@ static int halt_main(void) {
+ }
+ if (r >= 0)
+ return r;
+- if (IN_SET(r, -EOPNOTSUPP, -EINPROGRESS))
+- /* Requested operation is not supported on the local system or already in
++ if (IN_SET(r, -EACCES, -EOPNOTSUPP, -EINPROGRESS))
++ /* Requested operation requires auth, is not supported on the local system or already in
+ * progress */
+ return r;
+ /* on all other errors, try low-level operation */
diff --git a/SOURCES/0869-systemctl-reintroduce-the-original-halt_main.patch b/SOURCES/0869-systemctl-reintroduce-the-original-halt_main.patch
new file mode 100644
index 0000000..dce7359
--- /dev/null
+++ b/SOURCES/0869-systemctl-reintroduce-the-original-halt_main.patch 
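Review bot: The warning in logind_schedule_shutdown() no longer says that an immediate shutdown follows, yet halt_main() still falls through to the low-level path for every error outside `-EACCES`, `-EOPNOTSUPP` and `-EINPROGRESS`. A `shutdown +N` whose scheduling fails for another reason therefore appears to proceed at once, with only "Failed to schedule shutdown" in the log. Either return for scheduled requests after the logind block, `if (arg_when > 0 && r < 0) return r;`, or keep the "proceeding with immediate shutdown" wording so the operator sees what happens next. halt_main() is read here as left by the previous patch; its body continues outside the hunk.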
@@ -0,0 +1,82 @@
+From d36295d7c1b110d150b7af6e3354c28af4c4884d Mon Sep 17 00:00:00 2001
+From: David Tardon
+Date: Mon, 30 Jan 2023 14:27:24 +0100
+Subject: [PATCH] systemctl: reintroduce the original halt_main()
+
+RHEL-only
+
+Related: #2053273
+---
+ src/systemctl/systemctl.c | 59 +++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 59 insertions(+)
+
+diff --git a/src/systemctl/systemctl.c b/src/systemctl/systemctl.c
+index 199f736f7f..a26e4a913a 100644
+--- a/src/systemctl/systemctl.c
++++ b/src/systemctl/systemctl.c
+@@ -8655,6 +8655,65 @@ static int logind_schedule_shutdown(void) {
+ #endif
+ }
+
++static int halt_main_old(void) {
++ int r;
++
++ r = logind_check_inhibitors(arg_action);
++ if (r < 0)
++ return r;
++
++ if (arg_when > 0)
++ return logind_schedule_shutdown();
++
++ if (geteuid() != 0) {
++ if (arg_dry_run || arg_force > 0) {
++ (void) must_be_root();
++ return -EPERM;
++ }
++
++ /* Try logind if we are a normal user and no special
++ * mode applies. Maybe PolicyKit allows us to shutdown
++ * the machine. */
++ if (IN_SET(arg_action, ACTION_POWEROFF, ACTION_REBOOT, ACTION_HALT)) {
++ r = logind_reboot(arg_action);
++ if (r >= 0)
++ return r;
++ if (IN_SET(r, -EOPNOTSUPP, -EINPROGRESS))
++ /* requested operation is not
++ * supported on the local system or
++ * already in progress */
++ return r;
++ /* on all other errors, try low-level operation */
++ }
++ }
++
++ /* In order to minimize the difference between operation with and
++ * without logind, we explicitly enable non-blocking mode for this,
++ * as logind's shutdown operations are always non-blocking. 
*/
++ arg_no_block = true;
++
++ if (!arg_dry_run && !arg_force)
++ return start_with_fallback();
++
++ assert(geteuid() == 0);
++
++ if (!arg_no_wtmp) {
++ if (sd_booted() > 0)
++ log_debug("Not writing utmp record, assuming that systemd-update-utmp is used.");
++ else {
++ r = utmp_put_shutdown();
++ if (r < 0)
++ log_warning_errno(r, "Failed to write utmp record: %m");
++ }
++ }
++
++ if (arg_dry_run)
++ return 0;
++
++ r = halt_now(arg_action);
++ return log_error_errno(r, "Failed to reboot: %m");
++}
++
+ static int halt_main(void) {
+ int r;
+
diff --git a/SOURCES/0870-systemctl-preserve-old-behavior-unless-requested.patch b/SOURCES/0870-systemctl-preserve-old-behavior-unless-requested.patch
new file mode 100644
index 0000000..e652470
--- /dev/null
+++ b/SOURCES/0870-systemctl-preserve-old-behavior-unless-requested.patch 
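Review bot: halt_main_old() is restored with the earlier check `IN_SET(r, -EOPNOTSUPP, -EINPROGRESS)`, so on this path an -EACCES from logind_reboot() still falls through to start_with_fallback(), which is the second polkit prompt that patch 0868 removed from start_special() and halt_main(). If the legacy path is meant to differ only in how root is treated, the set should match: `if (IN_SET(r, -EACCES, -EOPNOTSUPP, -EINPROGRESS))`. The function is also unused until the next patch, which may trip an unused-function warning in a bisect build. A short comment above it naming it as the RHEL-8 legacy path, in which root does not go through logind_reboot(), would help the next reader.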
@@ -0,0 +1,44 @@
+From 74632586b46c7e88b09c57eec50f9c4aed254b98 Mon Sep 17 00:00:00 2001
+From: David Tardon
+Date: Mon, 30 Jan 2023 14:31:23 +0100
+Subject: [PATCH] systemctl: preserve old behavior unless requested
+
+Currently, the legacy shutdown commands ignore inhibitors and reboot
+immediately if run by root. Let's preserve that behavior in RHEL-8 by
+default. The new behavior can be turned on by those who want it by
+exporting SYSTEMD_NEW_SHUTDOWN=1 .
+
+RHEL-only
+
+Related: #2053273
+---
+ src/systemctl/systemctl.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/src/systemctl/systemctl.c b/src/systemctl/systemctl.c
+index a26e4a913a..1546119ce5 100644
+--- a/src/systemctl/systemctl.c
++++ b/src/systemctl/systemctl.c
+@@ -8714,7 +8714,7 @@ static int halt_main_old(void) {
+ return log_error_errno(r, "Failed to reboot: %m");
+ }
+
+-static int halt_main(void) {
++static int halt_main_new(void) {
+ int r;
+
+ /* always try logind first */
+@@ -8765,6 +8765,13 @@ static int halt_main(void) {
+ return log_error_errno(r, "Failed to reboot: %m");
+ }
+
++static int halt_main(void) {
++ if (getenv_bool("SYSTEMD_NEW_SHUTDOWN") > 0)
++ return halt_main_new();
++ else
++ return halt_main_old();
++}
++
+ static int runlevel_main(void) {
+ int r, runlevel, previous;
+
diff --git a/SOURCES/0871-pam_systemd-suppress-LOG_DEBUG-log-messages-if-debug.patch b/SOURCES/0871-pam_systemd-suppress-LOG_DEBUG-log-messages-if-debug.patch
new file mode 100644
index 0000000..70e8f6f
--- /dev/null
+++ b/SOURCES/0871-pam_systemd-suppress-LOG_DEBUG-log-messages-if-debug.patch 
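Review bot: `getenv_bool("SYSTEMD_NEW_SHUTDOWN") > 0` in the new halt_main() treats a value that fails to parse the same as an unset variable, so a typo silently selects the legacy path in which, per the description, root ignores inhibitors. Keeping the result and warning on a parse failure makes the choice visible: `r = getenv_bool("SYSTEMD_NEW_SHUTDOWN");` followed by `if (r < 0 && r != -ENXIO) log_warning_errno(r, "Failed to parse $SYSTEMD_NEW_SHUTDOWN, using legacy behavior: %m");`, assuming -ENXIO is what getenv_bool() returns for an unset variable. The switch is described only in the commit message; it should also be documented alongside the other environment variables systemctl reads.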
@@ -0,0 +1,43 @@
+From ea3910e561f043f5a131a846862955c77169da1b Mon Sep 17 00:00:00 2001
+From: Lennart Poettering
+Date: Mon, 19 Nov 2018 11:39:45 +0100
+Subject: [PATCH] pam_systemd: suppress LOG_DEBUG log messages if debugging is
+ off
+
+In the PAM module we need to suppress LOG_DEBUG messages manually, if
+debug logging is not on, as PAM won't do this for us. We did this
+correctly for most log messages already, but two were missing. Let's fix
+those too.
+
+Fixes: #10822
+(cherry picked from commit 2675747f3cdd6f1e6236bbb2f79abfa53fb307f1)
+
+Resolves: #2170084
+---
+ src/login/pam_systemd.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/src/login/pam_systemd.c b/src/login/pam_systemd.c
+index 64e1b4d1bf..c87e980b18 100644
+--- a/src/login/pam_systemd.c
++++ b/src/login/pam_systemd.c
+@@ -476,7 +476,8 @@ _public_ PAM_EXTERN int pam_sm_open_session(
+ }
+
+ if (seat && !streq(seat, "seat0") && vtnr != 0) {
+- pam_syslog(handle, LOG_DEBUG, "Ignoring vtnr %"PRIu32" for %s which is not seat0", vtnr, seat);
++ if (debug)
++ pam_syslog(handle, LOG_DEBUG, "Ignoring vtnr %"PRIu32" for %s which is not seat0", vtnr, seat);
+ vtnr = 0;
+ }
+
+@@ -577,7 +578,8 @@ _public_ PAM_EXTERN int pam_sm_open_session(
+ r = sd_bus_call(bus, m, 0, &error, &reply);
+ if (r < 0) {
+ if (sd_bus_error_has_name(&error, BUS_ERROR_SESSION_BUSY)) {
+- pam_syslog(handle, LOG_DEBUG, "Cannot create session: %s", bus_error_message(&error, r));
++ if (debug)
++ pam_syslog(handle, LOG_DEBUG, "Cannot create session: %s", bus_error_message(&error, r));
+ return PAM_SUCCESS;
+ } else {
+ pam_syslog(handle, LOG_ERR, "Failed to create session: %s", bus_error_message(&error, r));
diff --git a/SOURCES/0872-udev-net_id-introduce-naming-scheme-for-RHEL-8.8.patch b/SOURCES/0872-udev-net_id-introduce-naming-scheme-for-RHEL-8.8.patch
new file mode 100644
index 0000000..c83b140
--- /dev/null
+++ b/SOURCES/0872-udev-net_id-introduce-naming-scheme-for-RHEL-8.8.patch 
@@ -0,0 +1,50 @@
+From 33351e103734188a4a30b88e7f2ea0613d628599 Mon Sep 17 00:00:00 2001
+From: Jan Macku
+Date: Thu, 16 Feb 2023 15:56:52 +0100
+Subject: [PATCH] udev/net_id: introduce naming scheme for RHEL-8.8
+
+RHEL-only
+
+Resolves: #2170499
+---
+ man/systemd.net-naming-scheme.xml | 6 ++++++
+ src/udev/udev-builtin-net_id.c | 2 ++
+ 2 files changed, 8 insertions(+)
+
+diff --git a/man/systemd.net-naming-scheme.xml b/man/systemd.net-naming-scheme.xml
+index a567483995..3cc7719e99 100644
+--- a/man/systemd.net-naming-scheme.xml
++++ b/man/systemd.net-naming-scheme.xml
+@@ -328,6 +328,12 @@
+ for that, the limit is increased to now 65535.
+
+
++
++ rhel-8.8
++
++ Same as naming scheme rhel-8.7.
++
++
+ Note that latest may be used to denote the latest scheme known to this
+ particular version of systemd.
+
+diff --git a/src/udev/udev-builtin-net_id.c b/src/udev/udev-builtin-net_id.c
+index df84acf27c..ef2bb1b08e 100644
+--- a/src/udev/udev-builtin-net_id.c
++++ b/src/udev/udev-builtin-net_id.c
+@@ -141,6 +141,7 @@ typedef enum NamingSchemeFlags {
+ NAMING_RHEL_8_5 = NAMING_RHEL_8_4,
+ NAMING_RHEL_8_6 = NAMING_RHEL_8_4,
+ NAMING_RHEL_8_7 = NAMING_RHEL_8_4|NAMING_SLOT_FUNCTION_ID|NAMING_16BIT_INDEX,
++ NAMING_RHEL_8_8 = NAMING_RHEL_8_7,
+
+ _NAMING_SCHEME_FLAGS_INVALID = -1,
+ } NamingSchemeFlags;
+@@ -161,6 +162,7 @@ static const NamingScheme naming_schemes[] = {
+ { "rhel-8.5", NAMING_RHEL_8_5 },
+ { "rhel-8.6", NAMING_RHEL_8_6 },
+ { "rhel-8.7", NAMING_RHEL_8_7 },
++ { "rhel-8.8", NAMING_RHEL_8_8 },
+ /* … add more schemes here, as the logic to name devices is updated … */
+ };
+
diff --git a/SOURCES/systemd-user b/SOURCES/systemd-user
index 8607d4f..d1f64c1 100644
--- a/SOURCES/systemd-user
+++ b/SOURCES/systemd-user
@@ -8,4 +8,5 @@ account include system-auth
 session required pam_selinux.so close
 session required pam_selinux.so nottys open
 session required pam_loginuid.so
+session required pam_namespace.so
 session include system-auth 
diff --git a/SPECS/systemd.spec b/SPECS/systemd.spec index d00e99d..48f77b6 100644 --- a/SPECS/systemd.spec +++ b/SPECS/systemd.spec @@ -13,7 +13,7 @@ Name: systemd Url: http://www.freedesktop.org/wiki/Software/systemd Version: 239 -Release: 71%{?dist} +Release: 72%{?dist} # For a breakdown of the licensing, see README License: LGPLv2+ and MIT and GPLv2+ Summary: System and Service Manager @@ -912,6 +912,16 @@ Patch0859: 0859-virt-Fix-the-detection-for-Hyper-V-VMs.patch Patch0860: 0860-basic-add-STRERROR-wrapper-for-strerror_r.patch Patch0861: 0861-coredump-put-context-array-into-a-struct.patch Patch0862: 0862-coredump-do-not-allow-user-to-access-coredumps-with-.patch +Patch0863: 0863-logind-remember-our-idle-state-and-use-it-to-detect-.patch +Patch0864: 0864-test-import-logind-test-from-debian-ubuntu-test-suit.patch +Patch0865: 0865-test-introduce-inst_recursive-helper-function.patch +Patch0866: 0866-tests-verify-that-Lock-D-Bus-signal-is-sent-when-Idl.patch +Patch0867: 0867-systemctl-simplify-halt_main.patch +Patch0868: 0868-systemctl-shutdown-don-t-fallback-on-auth-fail.patch +Patch0869: 0869-systemctl-reintroduce-the-original-halt_main.patch +Patch0870: 0870-systemctl-preserve-old-behavior-unless-requested.patch +Patch0871: 0871-pam_systemd-suppress-LOG_DEBUG-log-messages-if-debug.patch +Patch0872: 0872-udev-net_id-introduce-naming-scheme-for-RHEL-8.8.patch %ifarch %{ix86} x86_64 aarch64 %global have_gnu_efi 1 
@@ -1541,6 +1551,18 @@ fi %files tests -f .file-list-tests %changelog +* Fri Feb 17 2023 systemd maintenance team - 239-72 +- test: import logind test from debian/ubuntu test suite (#1866955) +- test: introduce inst_recursive() helper function (#1866955) +- tests: verify that Lock D-Bus signal is sent when IdleAction=lock (#1866955) +- systemctl: simplify halt_main() (#2053273) +- systemctl: shutdown don't fallback on auth fail (#2053273) +- systemctl: reintroduce the original halt_main() (#2053273) +- systemctl: preserve old behavior unless requested (#2053273) +- pam_systemd: suppress LOG_DEBUG log messages if debugging is off (#2170084) +- udev/net_id: introduce naming scheme for RHEL-8.8 (#2170499) +- pam: add a call to pam_namespace (#1861836) + * Tue Jan 31 2023 systemd maintenance team - 239-71 - manager: limit access to private dbus socket (#2119405) - journalctl: do not treat EINTR as an error when waiting for events (#2161683)