diff --git a/SOURCES/0216-journal-rely-on-_cleanup_free_-to-free-a-temporary-s.patch b/SOURCES/0216-journal-rely-on-_cleanup_free_-to-free-a-temporary-s.patch new file mode 100644 index 0000000..b46c491 --- /dev/null +++ b/SOURCES/0216-journal-rely-on-_cleanup_free_-to-free-a-temporary-s.patch @@ -0,0 +1,49 @@ +From c4b02a7b15c21db44542d0a136d032f8098985b8 Mon Sep 17 00:00:00 2001 +From: Evgeny Vereshchagin +Date: Mon, 24 Dec 2018 00:29:56 +0100 +Subject: [PATCH] journal: rely on _cleanup_free_ to free a temporary string + used in client_context_read_cgroup + +Closes https://github.com/systemd/systemd/issues/11253. + +(cherry picked from commit ef30f7cac18a810814ada7e6a68a31d48cc9fccd) +(cherry picked from commit 3513426adcecc322937635c11ebb89f174f849ed) + +Resolves: #1767716 +--- + src/journal/journald-context.c | 7 ++----- + 1 file changed, 2 insertions(+), 5 deletions(-) + +diff --git a/src/journal/journald-context.c b/src/journal/journald-context.c +index dba3525ed8..4f1278492f 100644 +--- a/src/journal/journald-context.c ++++ b/src/journal/journald-context.c +@@ -276,7 +276,7 @@ static int client_context_read_label( + } + + static int client_context_read_cgroup(Server *s, ClientContext *c, const char *unit_id) { +- char *t = NULL; ++ _cleanup_free_ char *t = NULL; + int r; + + assert(c); +@@ -284,7 +284,6 @@ static int client_context_read_cgroup(Server *s, ClientContext *c, const char *u + /* Try to acquire the current cgroup path */ + r = cg_pid_get_path_shifted(c->pid, s->cgroup_root, &t); + if (r < 0 || empty_or_root(t)) { +- + /* We use the unit ID passed in as fallback if we have nothing cached yet and cg_pid_get_path_shifted() + * failed or process is running in a root cgroup. Zombie processes are automatically migrated to root cgroup + * on cgroupsv1 and we want to be able to map log messages from them too. */ +@@ -298,10 +297,8 @@ static int client_context_read_cgroup(Server *s, ClientContext *c, const char *u + } + + /* Let's shortcut this if the cgroup path didn't change */ +- if (streq_ptr(c->cgroup, t)) { +- free(t); ++ if (streq_ptr(c->cgroup, t)) + return 0; +- } + + free_and_replace(c->cgroup, t); + diff --git a/SOURCES/0216-shared-but-util-drop-trusted-annotation-from-bus_ope.patch b/SOURCES/0216-shared-but-util-drop-trusted-annotation-from-bus_ope.patch deleted file mode 100644 index 63da22a..0000000 --- a/SOURCES/0216-shared-but-util-drop-trusted-annotation-from-bus_ope.patch +++ /dev/null @@ -1,33 +0,0 @@ -From 1ac979b233499169d12e76472cf8d0eb3fb728c5 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= -Date: Tue, 27 Aug 2019 19:00:34 +0200 -Subject: [PATCH] shared/but-util: drop trusted annotation from - bus_open_system_watch_bind_with_description() - -https://bugzilla.redhat.com/show_bug.cgi?id=1746057 - -This only affects systemd-resolved. bus_open_system_watch_bind_with_description() -is also used in timesyncd, but it has no methods, only read-only properties, and -in networkd, but it annotates all methods with SD_BUS_VTABLE_UNPRIVILEGED and does -polkit checks. - -Resolves: #1746857 ---- - src/shared/bus-util.c | 4 ---- - 1 file changed, 4 deletions(-) - -diff --git a/src/shared/bus-util.c b/src/shared/bus-util.c -index a4f2deba31..302dbb4c2e 100644 ---- a/src/shared/bus-util.c -+++ b/src/shared/bus-util.c -@@ -1699,10 +1699,6 @@ int bus_open_system_watch_bind_with_description(sd_bus **ret, const char *descri - if (r < 0) - return r; - -- r = sd_bus_set_trusted(bus, true); -- if (r < 0) -- return r; -- - r = sd_bus_negotiate_creds(bus, true, SD_BUS_CREDS_UID|SD_BUS_CREDS_EUID|SD_BUS_CREDS_EFFECTIVE_CAPS); - if (r < 0) - return r; diff --git a/SOURCES/0217-sd-bus-adjust-indentation-of-comments.patch b/SOURCES/0217-sd-bus-adjust-indentation-of-comments.patch deleted file mode 100644 index 1f5c1b6..0000000 --- a/SOURCES/0217-sd-bus-adjust-indentation-of-comments.patch +++ /dev/null @@ -1,50 +0,0 @@ -From 5f9dbe5244c10c6d55b7c8bbba87352cb6ee2e6f Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= -Date: Tue, 27 Aug 2019 19:00:50 +0200 -Subject: [PATCH] sd-bus: adjust indentation of comments - -Related: #1746857 ---- - src/libsystemd/sd-bus/sd-bus.c | 3 +-- - src/shared/bus-util.c | 7 ++++--- - 2 files changed, 5 insertions(+), 5 deletions(-) - -diff --git a/src/libsystemd/sd-bus/sd-bus.c b/src/libsystemd/sd-bus/sd-bus.c -index 3583e24e64..1c9e967ae0 100644 ---- a/src/libsystemd/sd-bus/sd-bus.c -+++ b/src/libsystemd/sd-bus/sd-bus.c -@@ -1341,8 +1341,7 @@ _public_ int sd_bus_open_user_with_description(sd_bus **ret, const char *descrip - b->bus_client = true; - b->is_user = true; - -- /* We don't do any per-method access control on the user -- * bus. */ -+ /* We don't do any per-method access control on the user bus. */ - b->trusted = true; - b->is_local = true; - -diff --git a/src/shared/bus-util.c b/src/shared/bus-util.c -index 302dbb4c2e..2d908eb45c 100644 ---- a/src/shared/bus-util.c -+++ b/src/shared/bus-util.c -@@ -1675,7 +1675,8 @@ int bus_open_system_watch_bind_with_description(sd_bus **ret, const char *descri - - assert(ret); - -- /* Match like sd_bus_open_system(), but with the "watch_bind" feature and the Connected() signal turned on. */ -+ /* Match like sd_bus_open_system(), but with the "watch_bind" feature and the Connected() signal -+ * turned on. */ - - r = sd_bus_new(&bus); - if (r < 0) -@@ -1890,8 +1891,8 @@ int bus_reply_pair_array(sd_bus_message *m, char **l) { - - assert(m); - -- /* Reply to the specified message with a message containing a dictionary put together from the specified -- * strv */ -+ /* Reply to the specified message with a message containing a dictionary put together from the -+ * specified strv */ - - r = sd_bus_message_new_method_return(m, &reply); - if (r < 0) diff --git a/SOURCES/0217-shared-but-util-drop-trusted-annotation-from-bus_ope.patch b/SOURCES/0217-shared-but-util-drop-trusted-annotation-from-bus_ope.patch new file mode 100644 index 0000000..f161aaf --- /dev/null +++ b/SOURCES/0217-shared-but-util-drop-trusted-annotation-from-bus_ope.patch @@ -0,0 +1,33 @@ +From 4eedaaad7c0abb937482bc93c29c213acfe6c308 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Tue, 27 Aug 2019 19:00:34 +0200 +Subject: [PATCH] shared/but-util: drop trusted annotation from + bus_open_system_watch_bind_with_description() + +https://bugzilla.redhat.com/show_bug.cgi?id=1746057 + +This only affects systemd-resolved. bus_open_system_watch_bind_with_description() +is also used in timesyncd, but it has no methods, only read-only properties, and +in networkd, but it annotates all methods with SD_BUS_VTABLE_UNPRIVILEGED and does +polkit checks. + +Resolves: #1746857 +--- + src/shared/bus-util.c | 4 ---- + 1 file changed, 4 deletions(-) + +diff --git a/src/shared/bus-util.c b/src/shared/bus-util.c +index a4f2deba31..302dbb4c2e 100644 +--- a/src/shared/bus-util.c ++++ b/src/shared/bus-util.c +@@ -1699,10 +1699,6 @@ int bus_open_system_watch_bind_with_description(sd_bus **ret, const char *descri + if (r < 0) + return r; + +- r = sd_bus_set_trusted(bus, true); +- if (r < 0) +- return r; +- + r = sd_bus_negotiate_creds(bus, true, SD_BUS_CREDS_UID|SD_BUS_CREDS_EUID|SD_BUS_CREDS_EFFECTIVE_CAPS); + if (r < 0) + return r; diff --git a/SOURCES/0218-resolved-do-not-run-loop-twice.patch b/SOURCES/0218-resolved-do-not-run-loop-twice.patch deleted file mode 100644 index e65174c..0000000 --- a/SOURCES/0218-resolved-do-not-run-loop-twice.patch +++ /dev/null @@ -1,46 +0,0 @@ -From b72a0dc69d0c54efe2699560d3053847976f7ff2 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= -Date: Tue, 27 Aug 2019 19:02:53 +0200 -Subject: [PATCH] resolved: do not run loop twice - -This doesn't matter much, but let's just do the loop once and allocate -the populate the result set on the fly. If we find an error, it'll get -cleaned up automatically. - -Related: #1746857 ---- - src/resolve/resolved-link-bus.c | 13 ++++++------- - 1 file changed, 6 insertions(+), 7 deletions(-) - -diff --git a/src/resolve/resolved-link-bus.c b/src/resolve/resolved-link-bus.c -index b1581740d8..46d2b11636 100644 ---- a/src/resolve/resolved-link-bus.c -+++ b/src/resolve/resolved-link-bus.c -@@ -492,6 +492,10 @@ int bus_link_method_set_dnssec_negative_trust_anchors(sd_bus_message *message, v - if (r < 0) - return r; - -+ ns = set_new(&dns_name_hash_ops); -+ if (!ns) -+ return -ENOMEM; -+ - r = sd_bus_message_read_strv(message, &ntas); - if (r < 0) - return r; -@@ -501,14 +505,9 @@ int bus_link_method_set_dnssec_negative_trust_anchors(sd_bus_message *message, v - if (r < 0) - return r; - if (r == 0) -- return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Invalid negative trust anchor domain: %s", *i); -- } -+ return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, -+ "Invalid negative trust anchor domain: %s", *i); - -- ns = set_new(&dns_name_hash_ops); -- if (!ns) -- return -ENOMEM; -- -- STRV_FOREACH(i, ntas) { - r = set_put_strdup(ns, *i); - if (r < 0) - return r; diff --git a/SOURCES/0218-sd-bus-adjust-indentation-of-comments.patch b/SOURCES/0218-sd-bus-adjust-indentation-of-comments.patch new file mode 100644 index 0000000..14b6174 --- /dev/null +++ b/SOURCES/0218-sd-bus-adjust-indentation-of-comments.patch @@ -0,0 +1,50 @@ +From 0bd92f0fbaf7105b6d1dd6a2d96dad7e5522e027 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Tue, 27 Aug 2019 19:00:50 +0200 +Subject: [PATCH] sd-bus: adjust indentation of comments + +Related: #1746857 +--- + src/libsystemd/sd-bus/sd-bus.c | 3 +-- + src/shared/bus-util.c | 7 ++++--- + 2 files changed, 5 insertions(+), 5 deletions(-) + +diff --git a/src/libsystemd/sd-bus/sd-bus.c b/src/libsystemd/sd-bus/sd-bus.c +index 3583e24e64..1c9e967ae0 100644 +--- a/src/libsystemd/sd-bus/sd-bus.c ++++ b/src/libsystemd/sd-bus/sd-bus.c +@@ -1341,8 +1341,7 @@ _public_ int sd_bus_open_user_with_description(sd_bus **ret, const char *descrip + b->bus_client = true; + b->is_user = true; + +- /* We don't do any per-method access control on the user +- * bus. */ ++ /* We don't do any per-method access control on the user bus. */ + b->trusted = true; + b->is_local = true; + +diff --git a/src/shared/bus-util.c b/src/shared/bus-util.c +index 302dbb4c2e..2d908eb45c 100644 +--- a/src/shared/bus-util.c ++++ b/src/shared/bus-util.c +@@ -1675,7 +1675,8 @@ int bus_open_system_watch_bind_with_description(sd_bus **ret, const char *descri + + assert(ret); + +- /* Match like sd_bus_open_system(), but with the "watch_bind" feature and the Connected() signal turned on. */ ++ /* Match like sd_bus_open_system(), but with the "watch_bind" feature and the Connected() signal ++ * turned on. */ + + r = sd_bus_new(&bus); + if (r < 0) +@@ -1890,8 +1891,8 @@ int bus_reply_pair_array(sd_bus_message *m, char **l) { + + assert(m); + +- /* Reply to the specified message with a message containing a dictionary put together from the specified +- * strv */ ++ /* Reply to the specified message with a message containing a dictionary put together from the ++ * specified strv */ + + r = sd_bus_message_new_method_return(m, &reply); + if (r < 0) diff --git a/SOURCES/0219-resolved-allow-access-to-Set-Link-and-Revert-methods.patch b/SOURCES/0219-resolved-allow-access-to-Set-Link-and-Revert-methods.patch deleted file mode 100644 index 1a8990b..0000000 --- a/SOURCES/0219-resolved-allow-access-to-Set-Link-and-Revert-methods.patch +++ /dev/null @@ -1,347 +0,0 @@ -From 3645ee20b1efb5080b96f1a6ec2fc90837687c2f Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= -Date: Tue, 27 Aug 2019 19:25:05 +0200 -Subject: [PATCH] resolved: allow access to Set*Link and Revert methods through - polkit - -This matches what is done in networkd very closely. In fact even the -policy descriptions are all identical (with s/network/resolve), except -for the last one: -resolved has org.freedesktop.resolve1.revert while -networkd has org.freedesktop.network1.revert-ntp and -org.freedesktop.network1.revert-dns so the description is a bit different. - -Conflicts: - src/resolve/resolved-bus.c - src/resolve/resolved-link-bus.c - -Related: #1746857 ---- - src/resolve/org.freedesktop.resolve1.policy | 99 +++++++++++++++++++++ - src/resolve/resolved-bus.c | 22 ++--- - src/resolve/resolved-link-bus.c | 97 +++++++++++++++++--- - 3 files changed, 197 insertions(+), 21 deletions(-) - -diff --git a/src/resolve/org.freedesktop.resolve1.policy b/src/resolve/org.freedesktop.resolve1.policy -index b65ba3e56a..592c4eb8b0 100644 ---- a/src/resolve/org.freedesktop.resolve1.policy -+++ b/src/resolve/org.freedesktop.resolve1.policy -@@ -40,4 +40,103 @@ - unix-user:systemd-resolve - - -+ -+ Set DNS servers -+ Authentication is required to set DNS servers. -+ -+ auth_admin -+ auth_admin -+ auth_admin_keep -+ -+ unix-user:systemd-resolve -+ -+ -+ -+ Set domains -+ Authentication is required to set domains. -+ -+ auth_admin -+ auth_admin -+ auth_admin_keep -+ -+ unix-user:systemd-resolve -+ -+ -+ -+ Set default route -+ Authentication is required to set default route. -+ -+ auth_admin -+ auth_admin -+ auth_admin_keep -+ -+ unix-user:systemd-resolve -+ -+ -+ -+ Enable/disable LLMNR -+ Authentication is required to enable or disable LLMNR. -+ -+ auth_admin -+ auth_admin -+ auth_admin_keep -+ -+ unix-user:systemd-resolve -+ -+ -+ -+ Enable/disable multicast DNS -+ Authentication is required to enable or disable multicast DNS. -+ -+ auth_admin -+ auth_admin -+ auth_admin_keep -+ -+ unix-user:systemd-resolve -+ -+ -+ -+ Enable/disable DNS over TLS -+ Authentication is required to enable or disable DNS over TLS. -+ -+ auth_admin -+ auth_admin -+ auth_admin_keep -+ -+ unix-user:systemd-resolve -+ -+ -+ -+ Enable/disable DNSSEC -+ Authentication is required to enable or disable DNSSEC. -+ -+ auth_admin -+ auth_admin -+ auth_admin_keep -+ -+ unix-user:systemd-resolve -+ -+ -+ -+ Set DNSSEC Negative Trust Anchors -+ Authentication is required to set DNSSEC Negative Trust Anchros. -+ -+ auth_admin -+ auth_admin -+ auth_admin_keep -+ -+ unix-user:systemd-resolve -+ -+ -+ -+ Revert name resolution settings -+ Authentication is required to revert name resolution settings. -+ -+ auth_admin -+ auth_admin -+ auth_admin_keep -+ -+ unix-user:systemd-resolve -+ -+ - -diff --git a/src/resolve/resolved-bus.c b/src/resolve/resolved-bus.c -index da0a909dd6..4d6cc4fd48 100644 ---- a/src/resolve/resolved-bus.c -+++ b/src/resolve/resolved-bus.c -@@ -1848,18 +1848,18 @@ static const sd_bus_vtable resolve_vtable[] = { - SD_BUS_METHOD("ResolveAddress", "iiayt", "a(is)t", bus_method_resolve_address, SD_BUS_VTABLE_UNPRIVILEGED), - SD_BUS_METHOD("ResolveRecord", "isqqt", "a(iqqay)t", bus_method_resolve_record, SD_BUS_VTABLE_UNPRIVILEGED), - SD_BUS_METHOD("ResolveService", "isssit", "a(qqqsa(iiay)s)aayssst", bus_method_resolve_service, SD_BUS_VTABLE_UNPRIVILEGED), -- SD_BUS_METHOD("ResetStatistics", NULL, NULL, bus_method_reset_statistics, 0), -- SD_BUS_METHOD("FlushCaches", NULL, NULL, bus_method_flush_caches, 0), -- SD_BUS_METHOD("ResetServerFeatures", NULL, NULL, bus_method_reset_server_features, 0), -+ SD_BUS_METHOD("ResetStatistics", NULL, NULL, bus_method_reset_statistics, SD_BUS_VTABLE_UNPRIVILEGED), -+ SD_BUS_METHOD("FlushCaches", NULL, NULL, bus_method_flush_caches, SD_BUS_VTABLE_UNPRIVILEGED), -+ SD_BUS_METHOD("ResetServerFeatures", NULL, NULL, bus_method_reset_server_features, SD_BUS_VTABLE_UNPRIVILEGED), - SD_BUS_METHOD("GetLink", "i", "o", bus_method_get_link, SD_BUS_VTABLE_UNPRIVILEGED), -- SD_BUS_METHOD("SetLinkDNS", "ia(iay)", NULL, bus_method_set_link_dns_servers, 0), -- SD_BUS_METHOD("SetLinkDomains", "ia(sb)", NULL, bus_method_set_link_domains, 0), -- SD_BUS_METHOD("SetLinkLLMNR", "is", NULL, bus_method_set_link_llmnr, 0), -- SD_BUS_METHOD("SetLinkMulticastDNS", "is", NULL, bus_method_set_link_mdns, 0), -- SD_BUS_METHOD("SetLinkDNSOverTLS", "is", NULL, bus_method_set_link_dns_over_tls, 0), -- SD_BUS_METHOD("SetLinkDNSSEC", "is", NULL, bus_method_set_link_dnssec, 0), -- SD_BUS_METHOD("SetLinkDNSSECNegativeTrustAnchors", "ias", NULL, bus_method_set_link_dnssec_negative_trust_anchors, 0), -- SD_BUS_METHOD("RevertLink", "i", NULL, bus_method_revert_link, 0), -+ SD_BUS_METHOD("SetLinkDNS", "ia(iay)", NULL, bus_method_set_link_dns_servers, SD_BUS_VTABLE_UNPRIVILEGED), -+ SD_BUS_METHOD("SetLinkDomains", "ia(sb)", NULL, bus_method_set_link_domains, SD_BUS_VTABLE_UNPRIVILEGED), -+ SD_BUS_METHOD("SetLinkLLMNR", "is", NULL, bus_method_set_link_llmnr, SD_BUS_VTABLE_UNPRIVILEGED), -+ SD_BUS_METHOD("SetLinkMulticastDNS", "is", NULL, bus_method_set_link_mdns, SD_BUS_VTABLE_UNPRIVILEGED), -+ SD_BUS_METHOD("SetLinkDNSOverTLS", "is", NULL, bus_method_set_link_dns_over_tls, SD_BUS_VTABLE_UNPRIVILEGED), -+ SD_BUS_METHOD("SetLinkDNSSEC", "is", NULL, bus_method_set_link_dnssec, SD_BUS_VTABLE_UNPRIVILEGED), -+ SD_BUS_METHOD("SetLinkDNSSECNegativeTrustAnchors", "ias", NULL, bus_method_set_link_dnssec_negative_trust_anchors, SD_BUS_VTABLE_UNPRIVILEGED), -+ SD_BUS_METHOD("RevertLink", "i", NULL, bus_method_revert_link, SD_BUS_VTABLE_UNPRIVILEGED), - - SD_BUS_METHOD("RegisterService", "sssqqqaa{say}", "o", bus_method_register_service, SD_BUS_VTABLE_UNPRIVILEGED), - SD_BUS_METHOD("UnregisterService", "o", NULL, bus_method_unregister_service, SD_BUS_VTABLE_UNPRIVILEGED), -diff --git a/src/resolve/resolved-link-bus.c b/src/resolve/resolved-link-bus.c -index 46d2b11636..bf3e42264e 100644 ---- a/src/resolve/resolved-link-bus.c -+++ b/src/resolve/resolved-link-bus.c -@@ -1,5 +1,9 @@ - /* SPDX-License-Identifier: LGPL-2.1+ */ - -+#include -+#include -+#include -+ - #include "alloc-util.h" - #include "bus-common-errors.h" - #include "bus-util.h" -@@ -9,6 +13,7 @@ - #include "resolved-link-bus.h" - #include "resolved-resolv-conf.h" - #include "strv.h" -+#include "user-util.h" - - static BUS_DEFINE_PROPERTY_GET(property_get_dnssec_supported, "b", Link, link_dnssec_supported); - static BUS_DEFINE_PROPERTY_GET2(property_get_dnssec_mode, "s", Link, link_get_dnssec_mode, dnssec_mode_to_string); -@@ -235,6 +240,15 @@ int bus_link_method_set_dns_servers(sd_bus_message *message, void *userdata, sd_ - if (r < 0) - return r; - -+ r = bus_verify_polkit_async(message, CAP_NET_ADMIN, -+ "org.freedesktop.resolve1.set-dns-servers", -+ NULL, true, UID_INVALID, -+ &l->manager->polkit_registry, error); -+ if (r < 0) -+ return r; -+ if (r == 0) -+ return 1; /* Polkit will call us back */ -+ - dns_server_mark_all(l->dns_servers); - - for (i = 0; i < n; i++) { -@@ -298,12 +312,21 @@ int bus_link_method_set_domains(sd_bus_message *message, void *userdata, sd_bus_ - return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Root domain is not suitable as search domain"); - } - -- dns_search_domain_mark_all(l->search_domains); -- - r = sd_bus_message_rewind(message, false); - if (r < 0) - return r; - -+ r = bus_verify_polkit_async(message, CAP_NET_ADMIN, -+ "org.freedesktop.resolve1.set-domains", -+ NULL, true, UID_INVALID, -+ &l->manager->polkit_registry, error); -+ if (r < 0) -+ return r; -+ if (r == 0) -+ return 1; /* Polkit will call us back */ -+ -+ dns_search_domain_mark_all(l->search_domains); -+ - for (;;) { - DnsSearchDomain *d; - const char *name; -@@ -371,6 +394,15 @@ int bus_link_method_set_llmnr(sd_bus_message *message, void *userdata, sd_bus_er - return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Invalid LLMNR setting: %s", llmnr); - } - -+ r = bus_verify_polkit_async(message, CAP_NET_ADMIN, -+ "org.freedesktop.resolve1.set-llmnr", -+ NULL, true, UID_INVALID, -+ &l->manager->polkit_registry, error); -+ if (r < 0) -+ return r; -+ if (r == 0) -+ return 1; /* Polkit will call us back */ -+ - l->llmnr_support = mode; - link_allocate_scopes(l); - link_add_rrs(l, false); -@@ -405,6 +437,15 @@ int bus_link_method_set_mdns(sd_bus_message *message, void *userdata, sd_bus_err - return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Invalid MulticastDNS setting: %s", mdns); - } - -+ r = bus_verify_polkit_async(message, CAP_NET_ADMIN, -+ "org.freedesktop.resolve1.set-mdns", -+ NULL, true, UID_INVALID, -+ &l->manager->polkit_registry, error); -+ if (r < 0) -+ return r; -+ if (r == 0) -+ return 1; /* Polkit will call us back */ -+ - l->mdns_support = mode; - link_allocate_scopes(l); - link_add_rrs(l, false); -@@ -439,6 +480,15 @@ int bus_link_method_set_dns_over_tls(sd_bus_message *message, void *userdata, sd - return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Invalid DNSOverTLS setting: %s", dns_over_tls); - } - -+ r = bus_verify_polkit_async(message, CAP_NET_ADMIN, -+ "org.freedesktop.resolve1.set-dns-over-tls", -+ NULL, true, UID_INVALID, -+ &l->manager->polkit_registry, error); -+ if (r < 0) -+ return r; -+ if (r == 0) -+ return 1; /* Polkit will call us back */ -+ - link_set_dns_over_tls_mode(l, mode); - - (void) link_save_user(l); -@@ -471,6 +521,15 @@ int bus_link_method_set_dnssec(sd_bus_message *message, void *userdata, sd_bus_e - return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Invalid DNSSEC setting: %s", dnssec); - } - -+ r = bus_verify_polkit_async(message, CAP_NET_ADMIN, -+ "org.freedesktop.resolve1.set-dnssec", -+ NULL, true, UID_INVALID, -+ &l->manager->polkit_registry, error); -+ if (r < 0) -+ return r; -+ if (r == 0) -+ return 1; /* Polkit will call us back */ -+ - link_set_dnssec_mode(l, mode); - - (void) link_save_user(l); -@@ -513,6 +572,15 @@ int bus_link_method_set_dnssec_negative_trust_anchors(sd_bus_message *message, v - return r; - } - -+ r = bus_verify_polkit_async(message, CAP_NET_ADMIN, -+ "org.freedesktop.resolve1.set-dnssec-negative-trust-anchors", -+ NULL, true, UID_INVALID, -+ &l->manager->polkit_registry, error); -+ if (r < 0) -+ return r; -+ if (r == 0) -+ return 1; /* Polkit will call us back */ -+ - set_free_free(l->dnssec_negative_trust_anchors); - l->dnssec_negative_trust_anchors = TAKE_PTR(ns); - -@@ -532,6 +600,15 @@ int bus_link_method_revert(sd_bus_message *message, void *userdata, sd_bus_error - if (r < 0) - return r; - -+ r = bus_verify_polkit_async(message, CAP_NET_ADMIN, -+ "org.freedesktop.resolve1.revert", -+ NULL, true, UID_INVALID, -+ &l->manager->polkit_registry, error); -+ if (r < 0) -+ return r; -+ if (r == 0) -+ return 1; /* Polkit will call us back */ -+ - link_flush_settings(l); - link_allocate_scopes(l); - link_add_rrs(l, false); -@@ -556,14 +633,14 @@ const sd_bus_vtable link_vtable[] = { - SD_BUS_PROPERTY("DNSSECNegativeTrustAnchors", "as", property_get_ntas, 0, 0), - SD_BUS_PROPERTY("DNSSECSupported", "b", property_get_dnssec_supported, 0, 0), - -- SD_BUS_METHOD("SetDNS", "a(iay)", NULL, bus_link_method_set_dns_servers, 0), -- SD_BUS_METHOD("SetDomains", "a(sb)", NULL, bus_link_method_set_domains, 0), -- SD_BUS_METHOD("SetLLMNR", "s", NULL, bus_link_method_set_llmnr, 0), -- SD_BUS_METHOD("SetMulticastDNS", "s", NULL, bus_link_method_set_mdns, 0), -- SD_BUS_METHOD("SetDNSOverTLS", "s", NULL, bus_link_method_set_dns_over_tls, 0), -- SD_BUS_METHOD("SetDNSSEC", "s", NULL, bus_link_method_set_dnssec, 0), -- SD_BUS_METHOD("SetDNSSECNegativeTrustAnchors", "as", NULL, bus_link_method_set_dnssec_negative_trust_anchors, 0), -- SD_BUS_METHOD("Revert", NULL, NULL, bus_link_method_revert, 0), -+ SD_BUS_METHOD("SetDNS", "a(iay)", NULL, bus_link_method_set_dns_servers, SD_BUS_VTABLE_UNPRIVILEGED), -+ SD_BUS_METHOD("SetDomains", "a(sb)", NULL, bus_link_method_set_domains, SD_BUS_VTABLE_UNPRIVILEGED), -+ SD_BUS_METHOD("SetLLMNR", "s", NULL, bus_link_method_set_llmnr, SD_BUS_VTABLE_UNPRIVILEGED), -+ SD_BUS_METHOD("SetMulticastDNS", "s", NULL, bus_link_method_set_mdns, SD_BUS_VTABLE_UNPRIVILEGED), -+ SD_BUS_METHOD("SetDNSOverTLS", "s", NULL, bus_link_method_set_dns_over_tls, SD_BUS_VTABLE_UNPRIVILEGED), -+ SD_BUS_METHOD("SetDNSSEC", "s", NULL, bus_link_method_set_dnssec, SD_BUS_VTABLE_UNPRIVILEGED), -+ SD_BUS_METHOD("SetDNSSECNegativeTrustAnchors", "as", NULL, bus_link_method_set_dnssec_negative_trust_anchors, SD_BUS_VTABLE_UNPRIVILEGED), -+ SD_BUS_METHOD("Revert", NULL, NULL, bus_link_method_revert, SD_BUS_VTABLE_UNPRIVILEGED), - - SD_BUS_VTABLE_END - }; diff --git a/SOURCES/0219-resolved-do-not-run-loop-twice.patch b/SOURCES/0219-resolved-do-not-run-loop-twice.patch new file mode 100644 index 0000000..4a706d4 --- /dev/null +++ b/SOURCES/0219-resolved-do-not-run-loop-twice.patch @@ -0,0 +1,46 @@ +From 1ae0cf8c3ae565a19283d628f833668babf81b82 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Tue, 27 Aug 2019 19:02:53 +0200 +Subject: [PATCH] resolved: do not run loop twice + +This doesn't matter much, but let's just do the loop once and allocate +the populate the result set on the fly. If we find an error, it'll get +cleaned up automatically. + +Related: #1746857 +--- + src/resolve/resolved-link-bus.c | 13 ++++++------- + 1 file changed, 6 insertions(+), 7 deletions(-) + +diff --git a/src/resolve/resolved-link-bus.c b/src/resolve/resolved-link-bus.c +index b1581740d8..46d2b11636 100644 +--- a/src/resolve/resolved-link-bus.c ++++ b/src/resolve/resolved-link-bus.c +@@ -492,6 +492,10 @@ int bus_link_method_set_dnssec_negative_trust_anchors(sd_bus_message *message, v + if (r < 0) + return r; + ++ ns = set_new(&dns_name_hash_ops); ++ if (!ns) ++ return -ENOMEM; ++ + r = sd_bus_message_read_strv(message, &ntas); + if (r < 0) + return r; +@@ -501,14 +505,9 @@ int bus_link_method_set_dnssec_negative_trust_anchors(sd_bus_message *message, v + if (r < 0) + return r; + if (r == 0) +- return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Invalid negative trust anchor domain: %s", *i); +- } ++ return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, ++ "Invalid negative trust anchor domain: %s", *i); + +- ns = set_new(&dns_name_hash_ops); +- if (!ns) +- return -ENOMEM; +- +- STRV_FOREACH(i, ntas) { + r = set_put_strdup(ns, *i); + if (r < 0) + return r; diff --git a/SOURCES/0220-resolved-allow-access-to-Set-Link-and-Revert-methods.patch b/SOURCES/0220-resolved-allow-access-to-Set-Link-and-Revert-methods.patch new file mode 100644 index 0000000..0d8cbcd --- /dev/null +++ b/SOURCES/0220-resolved-allow-access-to-Set-Link-and-Revert-methods.patch @@ -0,0 +1,347 @@ +From aa39a552bb52287c1a1da56e109c0fb4c0dc9621 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Tue, 27 Aug 2019 19:25:05 +0200 +Subject: [PATCH] resolved: allow access to Set*Link and Revert methods through + polkit + +This matches what is done in networkd very closely. In fact even the +policy descriptions are all identical (with s/network/resolve), except +for the last one: +resolved has org.freedesktop.resolve1.revert while +networkd has org.freedesktop.network1.revert-ntp and +org.freedesktop.network1.revert-dns so the description is a bit different. + +Conflicts: + src/resolve/resolved-bus.c + src/resolve/resolved-link-bus.c + +Related: #1746857 +--- + src/resolve/org.freedesktop.resolve1.policy | 99 +++++++++++++++++++++ + src/resolve/resolved-bus.c | 22 ++--- + src/resolve/resolved-link-bus.c | 97 +++++++++++++++++--- + 3 files changed, 197 insertions(+), 21 deletions(-) + +diff --git a/src/resolve/org.freedesktop.resolve1.policy b/src/resolve/org.freedesktop.resolve1.policy +index b65ba3e56a..592c4eb8b0 100644 +--- a/src/resolve/org.freedesktop.resolve1.policy ++++ b/src/resolve/org.freedesktop.resolve1.policy +@@ -40,4 +40,103 @@ + unix-user:systemd-resolve + + ++ ++ Set DNS servers ++ Authentication is required to set DNS servers. ++ ++ auth_admin ++ auth_admin ++ auth_admin_keep ++ ++ unix-user:systemd-resolve ++ ++ ++ ++ Set domains ++ Authentication is required to set domains. ++ ++ auth_admin ++ auth_admin ++ auth_admin_keep ++ ++ unix-user:systemd-resolve ++ ++ ++ ++ Set default route ++ Authentication is required to set default route. ++ ++ auth_admin ++ auth_admin ++ auth_admin_keep ++ ++ unix-user:systemd-resolve ++ ++ ++ ++ Enable/disable LLMNR ++ Authentication is required to enable or disable LLMNR. ++ ++ auth_admin ++ auth_admin ++ auth_admin_keep ++ ++ unix-user:systemd-resolve ++ ++ ++ ++ Enable/disable multicast DNS ++ Authentication is required to enable or disable multicast DNS. ++ ++ auth_admin ++ auth_admin ++ auth_admin_keep ++ ++ unix-user:systemd-resolve ++ ++ ++ ++ Enable/disable DNS over TLS ++ Authentication is required to enable or disable DNS over TLS. ++ ++ auth_admin ++ auth_admin ++ auth_admin_keep ++ ++ unix-user:systemd-resolve ++ ++ ++ ++ Enable/disable DNSSEC ++ Authentication is required to enable or disable DNSSEC. ++ ++ auth_admin ++ auth_admin ++ auth_admin_keep ++ ++ unix-user:systemd-resolve ++ ++ ++ ++ Set DNSSEC Negative Trust Anchors ++ Authentication is required to set DNSSEC Negative Trust Anchros. ++ ++ auth_admin ++ auth_admin ++ auth_admin_keep ++ ++ unix-user:systemd-resolve ++ ++ ++ ++ Revert name resolution settings ++ Authentication is required to revert name resolution settings. ++ ++ auth_admin ++ auth_admin ++ auth_admin_keep ++ ++ unix-user:systemd-resolve ++ ++ + +diff --git a/src/resolve/resolved-bus.c b/src/resolve/resolved-bus.c +index da0a909dd6..4d6cc4fd48 100644 +--- a/src/resolve/resolved-bus.c ++++ b/src/resolve/resolved-bus.c +@@ -1848,18 +1848,18 @@ static const sd_bus_vtable resolve_vtable[] = { + SD_BUS_METHOD("ResolveAddress", "iiayt", "a(is)t", bus_method_resolve_address, SD_BUS_VTABLE_UNPRIVILEGED), + SD_BUS_METHOD("ResolveRecord", "isqqt", "a(iqqay)t", bus_method_resolve_record, SD_BUS_VTABLE_UNPRIVILEGED), + SD_BUS_METHOD("ResolveService", "isssit", "a(qqqsa(iiay)s)aayssst", bus_method_resolve_service, SD_BUS_VTABLE_UNPRIVILEGED), +- SD_BUS_METHOD("ResetStatistics", NULL, NULL, bus_method_reset_statistics, 0), +- SD_BUS_METHOD("FlushCaches", NULL, NULL, bus_method_flush_caches, 0), +- SD_BUS_METHOD("ResetServerFeatures", NULL, NULL, bus_method_reset_server_features, 0), ++ SD_BUS_METHOD("ResetStatistics", NULL, NULL, bus_method_reset_statistics, SD_BUS_VTABLE_UNPRIVILEGED), ++ SD_BUS_METHOD("FlushCaches", NULL, NULL, bus_method_flush_caches, SD_BUS_VTABLE_UNPRIVILEGED), ++ SD_BUS_METHOD("ResetServerFeatures", NULL, NULL, bus_method_reset_server_features, SD_BUS_VTABLE_UNPRIVILEGED), + SD_BUS_METHOD("GetLink", "i", "o", bus_method_get_link, SD_BUS_VTABLE_UNPRIVILEGED), +- SD_BUS_METHOD("SetLinkDNS", "ia(iay)", NULL, bus_method_set_link_dns_servers, 0), +- SD_BUS_METHOD("SetLinkDomains", "ia(sb)", NULL, bus_method_set_link_domains, 0), +- SD_BUS_METHOD("SetLinkLLMNR", "is", NULL, bus_method_set_link_llmnr, 0), +- SD_BUS_METHOD("SetLinkMulticastDNS", "is", NULL, bus_method_set_link_mdns, 0), +- SD_BUS_METHOD("SetLinkDNSOverTLS", "is", NULL, bus_method_set_link_dns_over_tls, 0), +- SD_BUS_METHOD("SetLinkDNSSEC", "is", NULL, bus_method_set_link_dnssec, 0), +- SD_BUS_METHOD("SetLinkDNSSECNegativeTrustAnchors", "ias", NULL, bus_method_set_link_dnssec_negative_trust_anchors, 0), +- SD_BUS_METHOD("RevertLink", "i", NULL, bus_method_revert_link, 0), ++ SD_BUS_METHOD("SetLinkDNS", "ia(iay)", NULL, bus_method_set_link_dns_servers, SD_BUS_VTABLE_UNPRIVILEGED), ++ SD_BUS_METHOD("SetLinkDomains", "ia(sb)", NULL, bus_method_set_link_domains, SD_BUS_VTABLE_UNPRIVILEGED), ++ SD_BUS_METHOD("SetLinkLLMNR", "is", NULL, bus_method_set_link_llmnr, SD_BUS_VTABLE_UNPRIVILEGED), ++ SD_BUS_METHOD("SetLinkMulticastDNS", "is", NULL, bus_method_set_link_mdns, SD_BUS_VTABLE_UNPRIVILEGED), ++ SD_BUS_METHOD("SetLinkDNSOverTLS", "is", NULL, bus_method_set_link_dns_over_tls, SD_BUS_VTABLE_UNPRIVILEGED), ++ SD_BUS_METHOD("SetLinkDNSSEC", "is", NULL, bus_method_set_link_dnssec, SD_BUS_VTABLE_UNPRIVILEGED), ++ SD_BUS_METHOD("SetLinkDNSSECNegativeTrustAnchors", "ias", NULL, bus_method_set_link_dnssec_negative_trust_anchors, SD_BUS_VTABLE_UNPRIVILEGED), ++ SD_BUS_METHOD("RevertLink", "i", NULL, bus_method_revert_link, SD_BUS_VTABLE_UNPRIVILEGED), + + SD_BUS_METHOD("RegisterService", "sssqqqaa{say}", "o", bus_method_register_service, SD_BUS_VTABLE_UNPRIVILEGED), + SD_BUS_METHOD("UnregisterService", "o", NULL, bus_method_unregister_service, SD_BUS_VTABLE_UNPRIVILEGED), +diff --git a/src/resolve/resolved-link-bus.c b/src/resolve/resolved-link-bus.c +index 46d2b11636..bf3e42264e 100644 +--- a/src/resolve/resolved-link-bus.c ++++ b/src/resolve/resolved-link-bus.c +@@ -1,5 +1,9 @@ + /* SPDX-License-Identifier: LGPL-2.1+ */ + ++#include ++#include ++#include ++ + #include "alloc-util.h" + #include "bus-common-errors.h" + #include "bus-util.h" +@@ -9,6 +13,7 @@ + #include "resolved-link-bus.h" + #include "resolved-resolv-conf.h" + #include "strv.h" ++#include "user-util.h" + + static BUS_DEFINE_PROPERTY_GET(property_get_dnssec_supported, "b", Link, link_dnssec_supported); + static BUS_DEFINE_PROPERTY_GET2(property_get_dnssec_mode, "s", Link, link_get_dnssec_mode, dnssec_mode_to_string); +@@ -235,6 +240,15 @@ int bus_link_method_set_dns_servers(sd_bus_message *message, void *userdata, sd_ + if (r < 0) + return r; + ++ r = bus_verify_polkit_async(message, CAP_NET_ADMIN, ++ "org.freedesktop.resolve1.set-dns-servers", ++ NULL, true, UID_INVALID, ++ &l->manager->polkit_registry, error); ++ if (r < 0) ++ return r; ++ if (r == 0) ++ return 1; /* Polkit will call us back */ ++ + dns_server_mark_all(l->dns_servers); + + for (i = 0; i < n; i++) { +@@ -298,12 +312,21 @@ int bus_link_method_set_domains(sd_bus_message *message, void *userdata, sd_bus_ + return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Root domain is not suitable as search domain"); + } + +- dns_search_domain_mark_all(l->search_domains); +- + r = sd_bus_message_rewind(message, false); + if (r < 0) + return r; + ++ r = bus_verify_polkit_async(message, CAP_NET_ADMIN, ++ "org.freedesktop.resolve1.set-domains", ++ NULL, true, UID_INVALID, ++ &l->manager->polkit_registry, error); ++ if (r < 0) ++ return r; ++ if (r == 0) ++ return 1; /* Polkit will call us back */ ++ ++ dns_search_domain_mark_all(l->search_domains); ++ + for (;;) { + DnsSearchDomain *d; + const char *name; +@@ -371,6 +394,15 @@ int bus_link_method_set_llmnr(sd_bus_message *message, void *userdata, sd_bus_er + return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Invalid LLMNR setting: %s", llmnr); + } + ++ r = bus_verify_polkit_async(message, CAP_NET_ADMIN, ++ "org.freedesktop.resolve1.set-llmnr", ++ NULL, true, UID_INVALID, ++ &l->manager->polkit_registry, error); ++ if (r < 0) ++ return r; ++ if (r == 0) ++ return 1; /* Polkit will call us back */ ++ + l->llmnr_support = mode; + link_allocate_scopes(l); + link_add_rrs(l, false); +@@ -405,6 +437,15 @@ int bus_link_method_set_mdns(sd_bus_message *message, void *userdata, sd_bus_err + return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Invalid MulticastDNS setting: %s", mdns); + } + ++ r = bus_verify_polkit_async(message, CAP_NET_ADMIN, ++ "org.freedesktop.resolve1.set-mdns", ++ NULL, true, UID_INVALID, ++ &l->manager->polkit_registry, error); ++ if (r < 0) ++ return r; ++ if (r == 0) ++ return 1; /* Polkit will call us back */ ++ + l->mdns_support = mode; + link_allocate_scopes(l); + link_add_rrs(l, false); +@@ -439,6 +480,15 @@ int bus_link_method_set_dns_over_tls(sd_bus_message *message, void *userdata, sd + return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Invalid DNSOverTLS setting: %s", dns_over_tls); + } + ++ r = bus_verify_polkit_async(message, CAP_NET_ADMIN, ++ "org.freedesktop.resolve1.set-dns-over-tls", ++ NULL, true, UID_INVALID, ++ &l->manager->polkit_registry, error); ++ if (r < 0) ++ return r; ++ if (r == 0) ++ return 1; /* Polkit will call us back */ ++ + link_set_dns_over_tls_mode(l, mode); + + (void) link_save_user(l); +@@ -471,6 +521,15 @@ int bus_link_method_set_dnssec(sd_bus_message *message, void *userdata, sd_bus_e + return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Invalid DNSSEC setting: %s", dnssec); + } + ++ r = bus_verify_polkit_async(message, CAP_NET_ADMIN, ++ "org.freedesktop.resolve1.set-dnssec", ++ NULL, true, UID_INVALID, ++ &l->manager->polkit_registry, error); ++ if (r < 0) ++ return r; ++ if (r == 0) ++ return 1; /* Polkit will call us back */ ++ + link_set_dnssec_mode(l, mode); + + (void) link_save_user(l); +@@ -513,6 +572,15 @@ int bus_link_method_set_dnssec_negative_trust_anchors(sd_bus_message *message, v + return r; + } + ++ r = bus_verify_polkit_async(message, CAP_NET_ADMIN, ++ "org.freedesktop.resolve1.set-dnssec-negative-trust-anchors", ++ NULL, true, UID_INVALID, ++ &l->manager->polkit_registry, error); ++ if (r < 0) ++ return r; ++ if (r == 0) ++ return 1; /* Polkit will call us back */ ++ + set_free_free(l->dnssec_negative_trust_anchors); + l->dnssec_negative_trust_anchors = TAKE_PTR(ns); + +@@ -532,6 +600,15 @@ int bus_link_method_revert(sd_bus_message *message, void *userdata, sd_bus_error + if (r < 0) + return r; + ++ r = bus_verify_polkit_async(message, CAP_NET_ADMIN, ++ "org.freedesktop.resolve1.revert", ++ NULL, true, UID_INVALID, ++ &l->manager->polkit_registry, error); ++ if (r < 0) ++ return r; ++ if (r == 0) ++ return 1; /* Polkit will call us back */ ++ + link_flush_settings(l); + link_allocate_scopes(l); + link_add_rrs(l, false); +@@ -556,14 +633,14 @@ const sd_bus_vtable link_vtable[] = { + SD_BUS_PROPERTY("DNSSECNegativeTrustAnchors", "as", property_get_ntas, 0, 0), + SD_BUS_PROPERTY("DNSSECSupported", "b", property_get_dnssec_supported, 0, 0), + +- SD_BUS_METHOD("SetDNS", "a(iay)", NULL, bus_link_method_set_dns_servers, 0), +- SD_BUS_METHOD("SetDomains", "a(sb)", NULL, bus_link_method_set_domains, 0), +- SD_BUS_METHOD("SetLLMNR", "s", NULL, bus_link_method_set_llmnr, 0), +- SD_BUS_METHOD("SetMulticastDNS", "s", NULL, bus_link_method_set_mdns, 0), +- SD_BUS_METHOD("SetDNSOverTLS", "s", NULL, bus_link_method_set_dns_over_tls, 0), +- SD_BUS_METHOD("SetDNSSEC", "s", NULL, bus_link_method_set_dnssec, 0), +- SD_BUS_METHOD("SetDNSSECNegativeTrustAnchors", "as", NULL, bus_link_method_set_dnssec_negative_trust_anchors, 0), +- SD_BUS_METHOD("Revert", NULL, NULL, bus_link_method_revert, 0), ++ SD_BUS_METHOD("SetDNS", "a(iay)", NULL, bus_link_method_set_dns_servers, SD_BUS_VTABLE_UNPRIVILEGED), ++ SD_BUS_METHOD("SetDomains", "a(sb)", NULL, bus_link_method_set_domains, SD_BUS_VTABLE_UNPRIVILEGED), ++ SD_BUS_METHOD("SetLLMNR", "s", NULL, bus_link_method_set_llmnr, SD_BUS_VTABLE_UNPRIVILEGED), ++ SD_BUS_METHOD("SetMulticastDNS", "s", NULL, bus_link_method_set_mdns, SD_BUS_VTABLE_UNPRIVILEGED), ++ SD_BUS_METHOD("SetDNSOverTLS", "s", NULL, bus_link_method_set_dns_over_tls, SD_BUS_VTABLE_UNPRIVILEGED), ++ SD_BUS_METHOD("SetDNSSEC", "s", NULL, bus_link_method_set_dnssec, SD_BUS_VTABLE_UNPRIVILEGED), ++ SD_BUS_METHOD("SetDNSSECNegativeTrustAnchors", "as", NULL, bus_link_method_set_dnssec_negative_trust_anchors, SD_BUS_VTABLE_UNPRIVILEGED), ++ SD_BUS_METHOD("Revert", NULL, NULL, bus_link_method_revert, SD_BUS_VTABLE_UNPRIVILEGED), + + SD_BUS_VTABLE_END + }; diff --git a/SOURCES/0220-resolved-query-polkit-only-after-parsing-the-data.patch b/SOURCES/0220-resolved-query-polkit-only-after-parsing-the-data.patch deleted file mode 100644 index 300dd29..0000000 --- a/SOURCES/0220-resolved-query-polkit-only-after-parsing-the-data.patch +++ /dev/null @@ -1,48 +0,0 @@ -From 1689693fbf1e8050fb5715c4af2a2df47c5ec4a3 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= -Date: Tue, 27 Aug 2019 19:28:19 +0200 -Subject: [PATCH] resolved: query polkit only after parsing the data - -That's what we do everywhere else because it leads to nicer user experience. - -Related: #1746857 ---- - src/resolve/resolved-bus.c | 18 +++++++++--------- - 1 file changed, 9 insertions(+), 9 deletions(-) - -diff --git a/src/resolve/resolved-bus.c b/src/resolve/resolved-bus.c -index 4d6cc4fd48..3f6a6f9e12 100644 ---- a/src/resolve/resolved-bus.c -+++ b/src/resolve/resolved-bus.c -@@ -1632,15 +1632,6 @@ static int bus_method_register_service(sd_bus_message *message, void *userdata, - if (m->mdns_support != RESOLVE_SUPPORT_YES) - return sd_bus_error_setf(error, SD_BUS_ERROR_NOT_SUPPORTED, "Support for MulticastDNS is disabled"); - -- r = bus_verify_polkit_async(message, CAP_SYS_ADMIN, -- "org.freedesktop.resolve1.register-service", -- NULL, false, UID_INVALID, -- &m->polkit_registry, error); -- if (r < 0) -- return r; -- if (r == 0) -- return 1; /* Polkit will call us back */ -- - service = new0(DnssdService, 1); - if (!service) - return log_oom(); -@@ -1765,6 +1756,15 @@ static int bus_method_register_service(sd_bus_message *message, void *userdata, - if (r < 0) - return r; - -+ r = bus_verify_polkit_async(message, CAP_SYS_ADMIN, -+ "org.freedesktop.resolve1.register-service", -+ NULL, false, UID_INVALID, -+ &m->polkit_registry, error); -+ if (r < 0) -+ return r; -+ if (r == 0) -+ return 1; /* Polkit will call us back */ -+ - r = hashmap_ensure_allocated(&m->dnssd_services, &string_hash_ops); - if (r < 0) - return r; diff --git a/SOURCES/0221-resolved-query-polkit-only-after-parsing-the-data.patch b/SOURCES/0221-resolved-query-polkit-only-after-parsing-the-data.patch new file mode 100644 index 0000000..c94d670 --- /dev/null +++ b/SOURCES/0221-resolved-query-polkit-only-after-parsing-the-data.patch @@ -0,0 +1,48 @@ +From 7c9077683df0c3959b1bcae973a05e114b15a600 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Tue, 27 Aug 2019 19:28:19 +0200 +Subject: [PATCH] resolved: query polkit only after parsing the data + +That's what we do everywhere else because it leads to nicer user experience. + +Related: #1746857 +--- + src/resolve/resolved-bus.c | 18 +++++++++--------- + 1 file changed, 9 insertions(+), 9 deletions(-) + +diff --git a/src/resolve/resolved-bus.c b/src/resolve/resolved-bus.c +index 4d6cc4fd48..3f6a6f9e12 100644 +--- a/src/resolve/resolved-bus.c ++++ b/src/resolve/resolved-bus.c +@@ -1632,15 +1632,6 @@ static int bus_method_register_service(sd_bus_message *message, void *userdata, + if (m->mdns_support != RESOLVE_SUPPORT_YES) + return sd_bus_error_setf(error, SD_BUS_ERROR_NOT_SUPPORTED, "Support for MulticastDNS is disabled"); + +- r = bus_verify_polkit_async(message, CAP_SYS_ADMIN, +- "org.freedesktop.resolve1.register-service", +- NULL, false, UID_INVALID, +- &m->polkit_registry, error); +- if (r < 0) +- return r; +- if (r == 0) +- return 1; /* Polkit will call us back */ +- + service = new0(DnssdService, 1); + if (!service) + return log_oom(); +@@ -1765,6 +1756,15 @@ static int bus_method_register_service(sd_bus_message *message, void *userdata, + if (r < 0) + return r; + ++ r = bus_verify_polkit_async(message, CAP_SYS_ADMIN, ++ "org.freedesktop.resolve1.register-service", ++ NULL, false, UID_INVALID, ++ &m->polkit_registry, error); ++ if (r < 0) ++ return r; ++ if (r == 0) ++ return 1; /* Polkit will call us back */ ++ + r = hashmap_ensure_allocated(&m->dnssd_services, &string_hash_ops); + if (r < 0) + return r; diff --git a/SPECS/systemd.spec b/SPECS/systemd.spec index d70ef0c..2a2b664 100644 --- a/SPECS/systemd.spec +++ b/SPECS/systemd.spec @@ -13,7 +13,7 @@ Name: systemd Url: http://www.freedesktop.org/wiki/Software/systemd Version: 239 -Release: 18%{?dist} +Release: 18%{?dist}.1 # For a breakdown of the licensing, see README License: LGPLv2+ and MIT and GPLv2+ Summary: System and Service Manager @@ -265,11 +265,12 @@ Patch0212: 0212-mount-simplify-proc-self-mountinfo-handler.patch Patch0213: 0213-mount-rescan-proc-self-mountinfo-before-processing-w.patch Patch0214: 0214-swap-scan-proc-swaps-before-processing-waitid-result.patch Patch0215: 0215-analyze-security-fix-potential-division-by-zero.patch -Patch0216: 0216-shared-but-util-drop-trusted-annotation-from-bus_ope.patch -Patch0217: 0217-sd-bus-adjust-indentation-of-comments.patch -Patch0218: 0218-resolved-do-not-run-loop-twice.patch -Patch0219: 0219-resolved-allow-access-to-Set-Link-and-Revert-methods.patch -Patch0220: 0220-resolved-query-polkit-only-after-parsing-the-data.patch +Patch0216: 0216-journal-rely-on-_cleanup_free_-to-free-a-temporary-s.patch +Patch0217: 0217-shared-but-util-drop-trusted-annotation-from-bus_ope.patch +Patch0218: 0218-sd-bus-adjust-indentation-of-comments.patch +Patch0219: 0219-resolved-do-not-run-loop-twice.patch +Patch0220: 0220-resolved-allow-access-to-Set-Link-and-Revert-methods.patch +Patch0221: 0221-resolved-query-polkit-only-after-parsing-the-data.patch %ifarch %{ix86} x86_64 aarch64 @@ -889,6 +890,9 @@ fi %files tests -f .file-list-tests %changelog +* Tue Nov 05 2019 Lukas Nykryn - 239-18.1 +- journal: rely on _cleanup_free_ to free a temporary string used in client_context_read_cgroup (#1767716) + * Fri Aug 30 2019 Lukas Nykryn - 239-18 - shared/but-util: drop trusted annotation from bus_open_system_watch_bind_with_description() (#1746857) - sd-bus: adjust indentation of comments (#1746857)