From 3386f5d70426c129dd01b39f7b95fc2dc4e150d5 Mon Sep 17 00:00:00 2001
From: Zbigniew Jędrzejewski-Szmek
Date: Jan 07 2025 18:25:06 +0000
Subject: [PATCH 1/12] Rename source .abignore file OBS does not support files with names starting with a dot. https://fedoraproject.org/wiki/How_to_filter_libabigail_reports does not make it really clear if the file can renamed. (The first part of the paragraph implies a positive answer, the second is unclear.) Let's see how this goes.
---
diff --git a/.abignore b/.abignore
deleted file mode 100644
index 6a33b88..0000000
--- a/.abignore
+++ /dev/null
@@ -1,3 +0,0 @@
-[suppress_file]
-# Those shared objects are private to systemd
-file_name_regexp=libsystemd-(shared|core)-.*.so
diff --git a/libabigail.abignore b/libabigail.abignore
new file mode 100644
index 0000000..6a33b88
--- /dev/null
+++ b/libabigail.abignore
@@ -0,0 +1,3 @@
+[suppress_file]
+# Those shared objects are private to systemd
+file_name_regexp=libsystemd-(shared|core)-.*.so
diff --git a/systemd.spec b/systemd.spec
index 456ebb0..60c3242 100644
--- a/systemd.spec
+++ b/systemd.spec
@@ -78,7 +78,7 @@ Source9: systemd-journal-gatewayd.xml
 Source10: 20-yama-ptrace.conf
 Source11: systemd-udev-trigger-no-reload.conf
 # https://fedoraproject.org/wiki/How_to_filter_libabigail_reports
-Source13: .abignore
+Source13: libabigail.abignore
 Source14: 10-oomd-defaults.conf
 Source15: 10-oomd-per-slice-defaults.conf
@@ -963,7 +963,7 @@ install -Dm0644 -t %{buildroot}%{_pkgdocdir}/ %{SOURCE10}
 # https://bugzilla.redhat.com/show_bug.cgi?id=1378974
 install -Dm0644 -t %{buildroot}%{system_unit_dir}/systemd-udev-trigger.service.d/ %{SOURCE11}
-install -Dm0644 -t %{buildroot}%{_prefix}/lib/systemd/ %{SOURCE13}
+install -Dm0644 %{SOURCE13} %{buildroot}%{_prefix}/lib/systemd/.abignore
 # systemd-oomd default configuration
 install -Dm0644 -t %{buildroot}%{_prefix}/lib/systemd/oomd.conf.d/ %{SOURCE14}
From c7379c94601ff1eae2ef471ec0f72dc7b039a02f Mon Sep 17 00:00:00 2001 
From: Yu Watanabe
Date: Jan 07 2025 19:31:21 +0000
Subject: [PATCH 2/12] Replace 'udevadm hwdb' with systemd-hwdb systemd-hwdb was added in v219 (released in 2015) and 'udevadm hwdb' was deprecated in v253.
---
diff --git a/systemd.spec b/systemd.spec
index 60c3242..f214d21 100644
--- a/systemd.spec
+++ b/systemd.spec
@@ -1126,7 +1126,7 @@ if [ -f %{_localstatedir}/lib/systemd/clock ]; then
 mv %{_localstatedir}/lib/systemd/clock %{_localstatedir}/lib/systemd/timesync/.
 fi
-udevadm hwdb --update &>/dev/null
+systemd-hwdb update &>/dev/null
 %systemd_post %udev_services
From e570cd53dfd776c33de51538cd8783e42f752369 Mon Sep 17 00:00:00 2001
From: Luca Boccassi
Date: Jan 08 2025 12:14:30 +0000
Subject: [PATCH 3/12] spec: drop trailing whitespace [skip changelog]
---
diff --git a/systemd.spec b/systemd.spec
index f214d21..b526871 100644
--- a/systemd.spec
+++ b/systemd.spec
@@ -45,7 +45,7 @@ Name: systemd
 Url: https://systemd.io
-# Allow users to specify the version and release when building the rpm by
+# Allow users to specify the version and release when building the rpm by
 # setting the %%version_override and %%release_override macros.
 Version: %{?version_override}%{!?version_override:257.1}
 Release: %autorelease
From 4df2711a9f69c979dd8731d8bcd05872afae4a20 Mon Sep 17 00:00:00 2001
From: Luca Boccassi
Date: Jan 08 2025 12:14:30 +0000
Subject: [PATCH 4/12] Add bcond for OBS-specific quirks The version substitution system is not able to fully subst the current Version field due to the inline use of macros, so you end up with like: 257-123-gabcd257.1 instead of: 257-123-gabcd I.e., the hard-coded 257.1 gets appended to the OBS-specified version. If it was simply hardcoded as 257.1 it would work, but the inline macros throw it off. [skip changelog]
---
diff --git a/systemd.spec b/systemd.spec
index b526871..0b19b99 100644
--- a/systemd.spec
+++ b/systemd.spec 
@@ -32,6 +32,9 @@
 # Build from git main
 %bcond upstream 0
+# Build with OBS-specific quirks
+%bcond obs 0
+
 # When bootstrap, libcryptsetup is disabled
 # but auto-features causes many options to be turned on
 # that depend on libcryptsetup (e.g. libcryptsetup-plugins, homed)
@@ -47,7 +50,13 @@ Name: systemd
 Url: https://systemd.io
 # Allow users to specify the version and release when building the rpm by
 # setting the %%version_override and %%release_override macros.
+# But don't do that on OBS, otherwise the version subst fails, and will be
+# like 257-123-gabcd257.1 instead of 257-123-gabcd
+%if %{without obs}
 Version: %{?version_override}%{!?version_override:257.1}
+%else
+Version: %{?version_override}%{!?version_override:%(cat meson.version)}
+%endif
 Release: %autorelease
 %global stable %(c="%version"; [ "$c" = "${c#*.*}" ]; echo $?)
From 3a9c32b8a982bb6a767e39041fc93960f64c5ffc Mon Sep 17 00:00:00 2001
From: Zbigniew Jędrzejewski-Szmek
Date: Jan 08 2025 12:14:30 +0000
Subject: [PATCH 5/12] Version 257.2 - Fixes for assertion crashes and memory access issues in pid1 and systemd-machined, and other fixes for systemd-repart, systemd-resolved, systemd-stdio-bridge, systemctl, journalctl, sd-device, hibernation, and the hardware database.
---
diff --git a/sources b/sources
index 165fa9d..b8843e6 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (systemd-257.1.tar.gz) = dded7555077f85d0f8106b72cc46604fbe4249452be6b2d55800770b6deb2a3a122697c5a5f23b22dab416e8c050e53fc30d59dfd3bfd7c9fbbdab3162e8ebe5
+SHA512 (systemd-257.2.tar.gz) = 4f47fcd9a4148101ee7b85cf5908a04ec9e025dc7a5a2e8e61c05439cfd427851b6d356bb96a0dfae55566bbf6d3c93a13251d220840c09296e94f80bd4a5945
diff --git a/systemd.spec b/systemd.spec
index 0b19b99..e13a5b3 100644
--- a/systemd.spec
+++ b/systemd.spec 
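Review bot: The new comment `# But don't do that on OBS, ...` contradicts the code under it: the `%else` branch still expands `%{?version_override}` first and only the fallback differs, so an override set on OBS is still honoured. I would reword it as `# On OBS, fall back to meson.version instead of a hard-coded release; with the hard-coded` / `# default the OBS version substitution yields 257-123-gabcd257.1 instead of 257-123-gabcd`. `%(cat meson.version)` is also a parse-time shell expansion relative to whatever directory rpm is invoked from, so it presumably relies on OBS placing meson.version next to the spec; if the file is missing, Version expands to empty and the resulting parse error will not point at the cause, which deserves a comment on the `%else` line.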
@@ -53,7 +53,7 @@ Url: https://systemd.io
 # But don't do that on OBS, otherwise the version subst fails, and will be
 # like 257-123-gabcd257.1 instead of 257-123-gabcd
 %if %{without obs}
-Version: %{?version_override}%{!?version_override:257.1}
+Version: %{?version_override}%{!?version_override:257.2}
 %else
 Version: %{?version_override}%{!?version_override:%(cat meson.version)}
 %endif
From 1814bfe7949a56db5918c6785d2c46a8eda1e026 Mon Sep 17 00:00:00 2001
From: Daan De Meyer
Date: Jan 08 2025 14:50:45 +0000
Subject: [PATCH 6/12] remove STI test The test fails because of the same reason as the installability test, it tries to install every subpackage which fails because the standalone subpackages conflict with all the other packages. Given there's no owner for the test, nobody looks at or seems interested in the results, STI itself will likely be deprecated soon (https://fedoraproject.org/wiki/Changes/DeprecateSTI) and systemd's upstream integration tests will soon support checking for AVC denials (https://github.com/systemd/systemd/pull/35921), let's remove the STI test.
---
diff --git a/tests/tests-reboot.yml b/tests/tests-reboot.yml
deleted file mode 100644
index 94ea8a5..0000000
--- a/tests/tests-reboot.yml
+++ /dev/null 
@@ -1,50 +0,0 @@ ---- -- hosts: localhost - vars: - - artifacts: "{{ lookup('env', 'TEST_ARTIFACTS')|default('./artifacts', true) }}" - tags: - - classic - tasks: - # switch SELinux to permissive mode - - name: Get default kernel - command: "grubby --default-kernel" - register: default_kernel - - debug: msg="{{ default_kernel.stdout }}" - - name: Set permissive mode - command: "grubby --args=enforcing=0 --update-kernel {{ default_kernel.stdout }}" - - - name: reboot - block: - - name: restart host - shell: sleep 2 && shutdown -r now "Ansible updates triggered" - async: 1 - poll: 0 - ignore_errors: true - - - name: wait for host to come back - wait_for_connection: - delay: 10 - timeout: 300 - - - name: Re-create /tmp/artifacts - command: mkdir /tmp/artifacts - - - name: Gather SELinux denials since boot - shell: | - result=pass - dmesg | grep -i -e type=1300 -e type=1400 > /tmp/avc.log && result=fail - ausearch -m avc -m selinux_err -m user_avc -ts boot &>> /tmp/avc.log - grep -q '' /tmp/avc.log || result=fail - echo -e "\nresults:\n- test: reboot and collect AVC\n result: $result\n logs:\n - avc.log\n\n" > /tmp/results.yml - ( [ $result = "pass" ] && echo PASS test-reboot || echo FAIL test-reboot ) > /tmp/test.log - - always: - - name: Pull out the artifacts - fetch: - dest: "{{ artifacts }}/" - src: "{{ item }}" - flat: yes - with_items: - - /tmp/test.log - - /tmp/avc.log - - /tmp/results.yml From 30f50b18709d84b6f7830febf2c13b1465a75340 Mon Sep 17 00:00:00 2001 From: Zbigniew Jędrzejewski-Szmek Date: Jan 10 2025 16:03:09 +0000 Subject: [PATCH 7/12] Drop patch numbers In the past, we used patch numbers to skip some patches in upstream CI builds. The upstream bcond is now used for this instead, so we can drop the numbering to make it easier to add an remove patches. [skip changelog] --- diff --git a/systemd.spec b/systemd.spec index e13a5b3..eeb632c 100644 --- a/systemd.spec +++ b/systemd.spec 
@@ -104,25 +104,17 @@ Source25: 98-default-mac-none.link
 Source26: systemd-user
-%if 0
-GIT_DIR=../../src/systemd/.git git format-patch-ab --no-signature -M -N v235..v235-stable
-i=1; for j in 00*patch; do printf "Patch%04d: %s\n" $i $j; i=$((i+1));done|xclip
-GIT_DIR=../../src/systemd/.git git diffab -M v233..master@{2017-06-15} -- hwdb/[67]* hwdb/parse_hwdb.py >hwdb.patch
-%endif
-
 %if 0%{?fedora} < 40 && 0%{?rhel} < 10
 # Work-around for dracut issue: run generators directly when we are in initrd
 # https://bugzilla.redhat.com/show_bug.cgi?id=2164404
 # Drop when dracut-060 is available.
-Patch0010: https://github.com/systemd/systemd/pull/26494.patch
+Patch: https://github.com/systemd/systemd/pull/26494.patch
 %endif
 %if %{without upstream}
-
 # Those are downstream-only patches, but we don't want them in packit builds:
 # https://bugzilla.redhat.com/show_bug.cgi?id=2251843
-Patch0011: https://github.com/systemd/systemd/pull/30846.patch
-
+Patch: https://github.com/systemd/systemd/pull/30846.patch
 %endif
 %ifarch %{ix86} x86_64 aarch64 riscv64
From b1bd57ecce6d56e22e74eded8377faa5326ddccb Mon Sep 17 00:00:00 2001
From: Zbigniew Jędrzejewski-Szmek
Date: Jan 10 2025 16:05:52 +0000
Subject: [PATCH 8/12] Revert use of PrivateTmp=disconnected ... (rhbz#2334015, https://github.com/coreos/fedora-coreos-tracker/issues/1857)
---
diff --git a/0001-Revert-units-use-PrivateTmp-disconnected-instead-of-.patch b/0001-Revert-units-use-PrivateTmp-disconnected-instead-of-.patch
new file mode 100644
index 0000000..eca67f0
--- /dev/null
+++ b/0001-Revert-units-use-PrivateTmp-disconnected-instead-of-.patch 
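Review bot: Once the `Patch:` tags are unnumbered, rpm numbers them in order of appearance, so the `%if 0%{?fedora} < 40 ...` and `%if %{without upstream}` blocks now shift the numbers between build configurations; that is only safe if `%prep` applies them with `%autosetup`/`%autopatch` rather than explicit `%patch N` calls, and `%prep` is outside this hunk. The `https://github.com/systemd/systemd/pull/NNNN.patch` sources also name pull requests rather than commits, and a PR's .patch is regenerated on every push to that branch; if the copy committed to dist-git is what is actually applied, a comment such as `# URL is for reference only; the file committed next to this spec is what gets applied` would make the provenance of the applied content explicit.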
@@ -0,0 +1,69 @@
+From 0792bb7a9d25a1ab8a5f208f2f5cea8a362dc1c6 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?=
+Date: Fri, 10 Jan 2025 17:00:08 +0100
+Subject: [PATCH] Revert "units: use PrivateTmp=disconnected instead of 'yes'
+ if DefaultDependencies=no"
+
+This reverts commit 1f6e1928488d461d19fd1e4b4d645b0ea5ea8bf5.
+---
+ units/systemd-coredump@.service.in | 2 +-
+ units/systemd-oomd.service.in | 2 +-
+ units/systemd-resolved.service.in | 2 +-
+ units/systemd-timesyncd.service.in | 2 +-
+ 4 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/units/systemd-coredump@.service.in b/units/systemd-coredump@.service.in
+index c74dc7a5a1..fa3206d07b 100644
+--- a/units/systemd-coredump@.service.in
++++ b/units/systemd-coredump@.service.in
+@@ -26,7 +26,7 @@ NoNewPrivileges=yes
+ OOMScoreAdjust=500
+ PrivateDevices=yes
+ PrivateNetwork=yes
+-PrivateTmp=disconnected
++PrivateTmp=yes
+ ProtectControlGroups=yes
+ ProtectHome=read-only
+ ProtectHostname=yes
+diff --git a/units/systemd-oomd.service.in b/units/systemd-oomd.service.in
+index 670d5e6140..82bd6245f8 100644
+--- a/units/systemd-oomd.service.in
++++ b/units/systemd-oomd.service.in
+@@ -37,7 +37,7 @@ MemoryLow=64M
+ NoNewPrivileges=yes
+ OOMScoreAdjust=-900
+ PrivateDevices=yes
+-PrivateTmp=disconnected
++PrivateTmp=yes
+ ProtectClock=yes
+ ProtectHome=yes
+ ProtectHostname=yes
+diff --git a/units/systemd-resolved.service.in b/units/systemd-resolved.service.in
+index e181b2528a..4aa0788ac4 100644
+--- a/units/systemd-resolved.service.in
++++ b/units/systemd-resolved.service.in
+@@ -29,7 +29,7 @@ LockPersonality=yes
+ MemoryDenyWriteExecute=yes
+ NoNewPrivileges=yes
+ PrivateDevices=yes
+-PrivateTmp=disconnected
++PrivateTmp=yes
+ ProtectClock=yes
+ ProtectControlGroups=yes
+ ProtectHome=yes
+diff --git a/units/systemd-timesyncd.service.in b/units/systemd-timesyncd.service.in
+index 835d6327e7..cf233fbffd 100644
+--- a/units/systemd-timesyncd.service.in
++++ b/units/systemd-timesyncd.service.in
+@@ -31,7 +31,7 @@ LockPersonality=yes
+ MemoryDenyWriteExecute=yes
+ NoNewPrivileges=yes
+ PrivateDevices=yes
+-PrivateTmp=disconnected
++PrivateTmp=yes
+ ProtectProc=invisible
+ ProtectControlGroups=yes
+ ProtectHome=yes
+-- 
+2.47.1
+
diff --git a/systemd.spec b/systemd.spec
index eeb632c..1910a32 100644
--- a/systemd.spec
+++ b/systemd.spec
@@ -112,6 +112,12 @@ Patch: https://github.com/systemd/systemd/pull/26494.patch
 %endif
 %if %{without upstream}
+# Temporarily drop use of PrivateTmp=disconnected. This is causing failures
+# in various places:
+# https://bugzilla.redhat.com/show_bug.cgi?id=2334015
+# https://github.com/coreos/fedora-coreos-tracker/issues/1857
+Patch: 0001-Revert-units-use-PrivateTmp-disconnected-instead-of-.patch
+
 # Those are downstream-only patches, but we don't want them in packit builds:
 # https://bugzilla.redhat.com/show_bug.cgi?id=2251843
 Patch: https://github.com/systemd/systemd/pull/30846.patch
From 20cc578e59c292a3c5ceaf43cac2c248aa26b9b7 Mon Sep 17 00:00:00 2001
From: Luca Boccassi
Date: Jan 11 2025 11:03:28 +0000
Subject: [PATCH 9/12] Enable signing systemd-boot on OBS builds On OBS the https://github.com/openSUSE/pesign-obs-integration package is the way to get binaries signed. Build depend on it, and call its hook. Also rename and change the description and provides of the package, given it is signed. [skip changelog]
---
diff --git a/systemd.spec b/systemd.spec
index 1910a32..2fba134 100644
--- a/systemd.spec
+++ b/systemd.spec
@@ -237,6 +237,10 @@ BuildRequires: xen-devel
 %endif
 %endif
+%if %{with obs}
+BuildRequires: pesign-obs-integration
+%endif
+
 Requires(post): coreutils
 Requires(post): grep
 # systemd-machine-id-setup requires libssl
@@ -512,6 +516,7 @@ with a command line, and possibly PCR measurements and other metadata, into a
 Unified Kernel Image (UKI).
 %if 0%{?want_bootloader}
+%if %{without obs}
 %package boot-unsigned
 Summary: UEFI boot manager (unsigned version) 
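Review bot: The patch added here moves systemd-coredump@, systemd-oomd, systemd-resolved and systemd-timesyncd from `PrivateTmp=disconnected` back to `PrivateTmp=yes`, which, as I understand systemd.exec(5), re-ties those services' temporary directories to the host /tmp and to the implicit ordering on the /tmp and /var/tmp mounts and tmpfiles setup — the dependencies the `disconnected` variant was introduced to avoid for these `DefaultDependencies=no` units, going by the subject of the reverted commit. The spec comment calls this temporary but gives no removal condition; I would extend it with `# Drop again once rhbz#2334015 is resolved and the units work with PrivateTmp=disconnected.`. Because the patch sits under `%if %{without upstream}`, packit/upstream CI builds will not exercise the reverted configuration, which is worth stating in the same comment.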
@@ -532,6 +537,27 @@ line. systemd-boot supports systems with UEFI firmware only.
 This package contains the unsigned version. Install systemd-boot instead to get the version that works with Secure Boot.
+%else
+%package boot
+Summary: UEFI boot manager (signed version)
+
+Provides: systemd-boot-signed-%{efi_arch} = %version-%release
+Provides: systemd-boot = %version-%release
+Provides: systemd-boot%{_isa} = %version-%release
+# A provides with just the version, no release or dist, used to build systemd-boot
+Provides: version(systemd-boot-signed) = %version
+Provides: version(systemd-boot-signed)%{_isa} = %version
+
+# self-obsoletes to install both packages after split of systemd-boot
+Obsoletes: systemd-udev < 252.2^
+
+%description boot
+systemd-boot (short: sd-boot) is a simple UEFI boot manager. It provides a
+graphical menu to select the entry to boot and an editor for the kernel command
+line. systemd-boot supports systems with UEFI firmware only.
+
+This package contains the signed version.
+%endif
 %endif
 %package container
@@ -1045,6 +1071,11 @@ EOF
 # Split files in build root into rpms
 python3 %{SOURCE2} %buildroot %{!?want_bootloader:--no-bootloader}
+# Stage sd-boot binaries for signing
+%if %{with obs} && 0%{?want_bootloader}
+BRP_PESIGN_FILES=/usr/lib/systemd/boot/efi/systemd-boot%{efi_arch}.efi BRP_PESIGN_PACKAGES=systemd-boot /usr/lib/rpm/brp-suse.d/brp-99-pesign
+%endif
+
 %check
 %if %{with tests}
 meson test -C %{_vpath_builddir} -t 6 --print-errorlogs
@@ -1299,7 +1330,11 @@ fi
 %files ukify -f .file-list-ukify
 %if 0%{?want_bootloader}
+%if %{without obs}
 %files boot-unsigned -f .file-list-boot
+%else
+%files boot -f .file-list-boot
+%endif
 %endif
 %files container -f .file-list-container
From 92997e2f867076cf8c3ca18b8970475a06c955a1 Mon Sep 17 00:00:00 2001
From: Matteo Croce
Date: Jan 16 2025 09:41:43 +0000
Subject: [PATCH 12/12] Merge remote-tracking branch 'fedora/rawhide' into c10s-sig-hyperscale
--- 
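Review bot: The new `%package boot` block declares `Provides: systemd-boot = %version-%release` and `Provides: systemd-boot%{_isa} = %version-%release`, which rpm already generates for a package's own name, so both lines are redundant and can be dropped. `Provides: version(systemd-boot-signed) = %version` and its `%{_isa}` twin are only useful if another build consumes them; the comment above says they are used to build systemd-boot, but in this OBS branch the signed package is systemd-boot itself and nothing visible here reads them, so if they are kept on purpose the comment should name the consumer. The enclosing `%if 0%{?want_bootloader}` block begins outside this hunk.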
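Review bot: The `brp-99-pesign` invocation stages `systemd-boot%{efi_arch}.efi` for signing, but nothing in the build verifies that a signature was applied, while the package is named and described as signed and advertises `Provides: systemd-boot-signed-%{efi_arch}`; if my reading of pesign-obs-integration is right, signing happens out-of-band in OBS's second build pass, so an in-build check is not possible and that should be stated next to the call, e.g. `# Signing itself is done by OBS after the build; the hook only records which files to sign, so %check still sees an unsigned binary.`. The file path is hard-coded as `/usr/lib/systemd/boot/efi/...` while the rest of %install uses `%{_prefix}/lib/systemd/`; `BRP_PESIGN_FILES=%{_prefix}/lib/systemd/boot/efi/systemd-boot%{efi_arch}.efi` keeps the two in step. The hook is also called by absolute path with no check that it exists, which is fine under the `BuildRequires: pesign-obs-integration` added earlier in this commit but will fail with an unhelpful "not found" if `%{with obs}` is ever enabled outside OBS; a comment saying the bcond is OBS-only would prevent that surprise.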
diff --git a/.abignore b/.abignore deleted file mode 100644 index 6a33b88..0000000 --- a/.abignore +++ /dev/null @@ -1,3 +0,0 @@ -[suppress_file] -# Those shared objects are private to systemd -file_name_regexp=libsystemd-(shared|core)-.*.so diff --git a/0001-Revert-network-lldp-do-not-save-LLDP-neighbors-under.patch b/0001-Revert-network-lldp-do-not-save-LLDP-neighbors-under.patch index 1fdbd67..234b2ad 100644 --- a/0001-Revert-network-lldp-do-not-save-LLDP-neighbors-under.patch +++ b/0001-Revert-network-lldp-do-not-save-LLDP-neighbors-under.patch @@ -1,4 +1,4 @@ -From d8798eb733d5680047128ec1f74c82f347c321ed Mon Sep 17 00:00:00 2001 +From 1ef7ac52b34cef84ad5d4103bdaab4a2578bad9e Mon Sep 17 00:00:00 2001 From: Ryan Wilson Date: Wed, 4 Dec 2024 16:53:40 -0800 Subject: [PATCH] Revert "network/lldp: do not save LLDP neighbors under @@ -18,10 +18,10 @@ This reverts commit 5a0f6adbb2e39914897f404ac97fecebcc2c385a. 9 files changed, 94 insertions(+), 2 deletions(-) diff --git a/src/libsystemd-network/lldp-neighbor.c b/src/libsystemd-network/lldp-neighbor.c -index 02af2954ae..3d381294e6 100644 +index 4e51a55bd1..39864d18f7 100644 --- a/src/libsystemd-network/lldp-neighbor.c +++ b/src/libsystemd-network/lldp-neighbor.c -@@ -376,6 +376,17 @@ int sd_lldp_neighbor_get_destination_address(sd_lldp_neighbor *n, struct ether_a +@@ -377,6 +377,17 @@ int sd_lldp_neighbor_get_destination_address(sd_lldp_neighbor *n, struct ether_a return 0; } @@ -40,10 +40,10 @@ index 02af2954ae..3d381294e6 100644 assert_return(n, -EINVAL); assert_return(type, -EINVAL); diff --git a/src/network/networkd-link.c b/src/network/networkd-link.c -index 9ce75361fd..0436233ac9 100644 +index 3c042e6c18..6a740b186a 100644 --- a/src/network/networkd-link.c +++ b/src/network/networkd-link.c -@@ -273,6 +273,7 @@ static Link *link_free(Link *link) { +@@ -275,6 +275,7 @@ static Link *link_free(Link *link) { free(link->driver); unlink_and_free(link->lease_file); 
@@ -51,7 +51,7 @@ index 9ce75361fd..0436233ac9 100644 unlink_and_free(link->state_file); sd_device_unref(link->dev); -@@ -2645,7 +2646,7 @@ static Link *link_drop_or_unref(Link *link) { +@@ -2662,7 +2663,7 @@ static Link *link_drop_or_unref(Link *link) { DEFINE_TRIVIAL_CLEANUP_FUNC(Link*, link_drop_or_unref); static int link_new(Manager *manager, sd_netlink_message *message, Link **ret) { @@ -60,7 +60,7 @@ index 9ce75361fd..0436233ac9 100644 _cleanup_(link_drop_or_unrefp) Link *link = NULL; unsigned short iftype; int r, ifindex; -@@ -2686,6 +2687,9 @@ static int link_new(Manager *manager, sd_netlink_message *message, Link **ret) { +@@ -2703,6 +2704,9 @@ static int link_new(Manager *manager, sd_netlink_message *message, Link **ret) { if (asprintf(&lease_file, "/run/systemd/netif/leases/%d", ifindex) < 0) return log_oom_debug(); @@ -70,7 +70,7 @@ index 9ce75361fd..0436233ac9 100644 } link = new(Link, 1); -@@ -2708,6 +2712,7 @@ static int link_new(Manager *manager, sd_netlink_message *message, Link **ret) { +@@ -2725,6 +2729,7 @@ static int link_new(Manager *manager, sd_netlink_message *message, Link **ret) { .state_file = TAKE_PTR(state_file), .lease_file = TAKE_PTR(lease_file), @@ -79,10 +79,10 @@ index 9ce75361fd..0436233ac9 100644 .n_dns = UINT_MAX, .dns_default_route = -1, diff --git a/src/network/networkd-link.h b/src/network/networkd-link.h -index b1b2fe42db..d590d071bd 100644 +index 113217cdb6..229ce976bc 100644 --- a/src/network/networkd-link.h +++ b/src/network/networkd-link.h -@@ -184,6 +184,7 @@ typedef struct Link { +@@ -194,6 +194,7 @@ typedef struct Link { /* This is about LLDP reception */ sd_lldp_rx *lldp_rx; @@ -91,7 +91,7 @@ index b1b2fe42db..d590d071bd 100644 /* This is about LLDP transmission */ sd_lldp_tx *lldp_tx; diff --git a/src/network/networkd-lldp-rx.c b/src/network/networkd-lldp-rx.c -index f74485488e..c45d3e32d7 100644 +index 6ba198282e..853e0a0ace 100644 --- a/src/network/networkd-lldp-rx.c +++ b/src/network/networkd-lldp-rx.c 
@@ -52,6 +52,8 @@ static void lldp_rx_handler(sd_lldp_rx *lldp_rx, sd_lldp_rx_event_t event, sd_ll @@ -187,23 +187,23 @@ index 75c9f8ca86..22f6602bd0 100644 const char* lldp_mode_to_string(LLDPMode m) _const_; LLDPMode lldp_mode_from_string(const char *s) _pure_; diff --git a/src/network/networkd-state-file.c b/src/network/networkd-state-file.c -index fbe4fee17d..bc08a84c74 100644 +index da917dd897..2e32fbc300 100644 --- a/src/network/networkd-state-file.c +++ b/src/network/networkd-state-file.c -@@ -584,6 +584,8 @@ static int link_save(Link *link) { +@@ -714,6 +714,8 @@ static int link_save(Link *link) { if (link->state == LINK_STATE_LINGER) return 0; + link_lldp_save(link); + - admin_state = link_state_to_string(link->state); - assert(admin_state); - + admin_state = ASSERT_PTR(link_state_to_string(link->state)); + oper_state = ASSERT_PTR(link_operstate_to_string(link->operstate)); + carrier_state = ASSERT_PTR(link_carrier_state_to_string(link->carrier_state)); diff --git a/src/network/networkd.c b/src/network/networkd.c -index 69a28647c8..3384c7c3ea 100644 +index 883f16d81b..12edb68583 100644 --- a/src/network/networkd.c +++ b/src/network/networkd.c -@@ -72,7 +72,8 @@ static int run(int argc, char *argv[]) { +@@ -75,7 +75,8 @@ static int run(int argc, char *argv[]) { * to support old kernels not supporting AmbientCapabilities=. */ FOREACH_STRING(p, "/run/systemd/netif/links/", @@ -214,7 +214,7 @@ index 69a28647c8..3384c7c3ea 100644 if (r < 0) log_warning_errno(r, "Could not create directory '%s': %m", p); diff --git a/src/systemd/sd-lldp-rx.h b/src/systemd/sd-lldp-rx.h -index 154e37e2d8..a876e41b25 100644 +index b697643a07..fedf9956cf 100644 --- a/src/systemd/sd-lldp-rx.h +++ b/src/systemd/sd-lldp-rx.h @@ -75,6 +75,7 @@ sd_lldp_neighbor *sd_lldp_neighbor_unref(sd_lldp_neighbor *n); 
@@ -226,15 +226,15 @@ index 154e37e2d8..a876e41b25 100644 /* High-level, direct, parsed out field access. These fields exist at most once, hence may be queried directly. */ int sd_lldp_neighbor_get_chassis_id(sd_lldp_neighbor *n, uint8_t *type, const void **ret, size_t *size); diff --git a/tmpfiles.d/systemd-network.conf b/tmpfiles.d/systemd-network.conf -index 323beca59c..107317a03c 100644 +index 75b61b7d07..881937d456 100644 --- a/tmpfiles.d/systemd-network.conf +++ b/tmpfiles.d/systemd-network.conf @@ -10,4 +10,5 @@ - d /run/systemd/netif 0755 systemd-network systemd-network - - d /run/systemd/netif/links 0755 systemd-network systemd-network - - d /run/systemd/netif/leases 0755 systemd-network systemd-network - -+d /run/systemd/netif/lldp 0755 systemd-network systemd-network - - d /var/lib/systemd/network 0755 systemd-network systemd-network - + d$ /run/systemd/netif 0755 systemd-network systemd-network - + d$ /run/systemd/netif/links 0755 systemd-network systemd-network - + d$ /run/systemd/netif/leases 0755 systemd-network systemd-network - ++d$ /run/systemd/netif/lldp 0755 systemd-network systemd-network - + d$ /var/lib/systemd/network 0755 systemd-network systemd-network - -- -2.43.5 +2.47.1 diff --git a/0001-Revert-units-use-PrivateTmp-disconnected-instead-of-.patch b/0001-Revert-units-use-PrivateTmp-disconnected-instead-of-.patch new file mode 100644 index 0000000..eca67f0 --- /dev/null +++ b/0001-Revert-units-use-PrivateTmp-disconnected-instead-of-.patch 
@@ -0,0 +1,69 @@ +From 0792bb7a9d25a1ab8a5f208f2f5cea8a362dc1c6 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Fri, 10 Jan 2025 17:00:08 +0100 +Subject: [PATCH] Revert "units: use PrivateTmp=disconnected instead of 'yes' + if DefaultDependencies=no" + +This reverts commit 1f6e1928488d461d19fd1e4b4d645b0ea5ea8bf5. +--- + units/systemd-coredump@.service.in | 2 +- + units/systemd-oomd.service.in | 2 +- + units/systemd-resolved.service.in | 2 +- + units/systemd-timesyncd.service.in | 2 +- + 4 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/units/systemd-coredump@.service.in b/units/systemd-coredump@.service.in +index c74dc7a5a1..fa3206d07b 100644 +--- a/units/systemd-coredump@.service.in ++++ b/units/systemd-coredump@.service.in +@@ -26,7 +26,7 @@ NoNewPrivileges=yes + OOMScoreAdjust=500 + PrivateDevices=yes + PrivateNetwork=yes +-PrivateTmp=disconnected ++PrivateTmp=yes + ProtectControlGroups=yes + ProtectHome=read-only + ProtectHostname=yes +diff --git a/units/systemd-oomd.service.in b/units/systemd-oomd.service.in +index 670d5e6140..82bd6245f8 100644 +--- a/units/systemd-oomd.service.in ++++ b/units/systemd-oomd.service.in +@@ -37,7 +37,7 @@ MemoryLow=64M + NoNewPrivileges=yes + OOMScoreAdjust=-900 + PrivateDevices=yes +-PrivateTmp=disconnected ++PrivateTmp=yes + ProtectClock=yes + ProtectHome=yes + ProtectHostname=yes +diff --git a/units/systemd-resolved.service.in b/units/systemd-resolved.service.in +index e181b2528a..4aa0788ac4 100644 +--- a/units/systemd-resolved.service.in ++++ b/units/systemd-resolved.service.in +@@ -29,7 +29,7 @@ LockPersonality=yes + MemoryDenyWriteExecute=yes + NoNewPrivileges=yes + PrivateDevices=yes +-PrivateTmp=disconnected ++PrivateTmp=yes + ProtectClock=yes + ProtectControlGroups=yes + ProtectHome=yes +diff --git a/units/systemd-timesyncd.service.in b/units/systemd-timesyncd.service.in +index 835d6327e7..cf233fbffd 100644 +--- a/units/systemd-timesyncd.service.in ++++ 
b/units/systemd-timesyncd.service.in +@@ -31,7 +31,7 @@ LockPersonality=yes + MemoryDenyWriteExecute=yes + NoNewPrivileges=yes + PrivateDevices=yes +-PrivateTmp=disconnected ++PrivateTmp=yes + ProtectProc=invisible + ProtectControlGroups=yes + ProtectHome=yes +-- +2.47.1 + diff --git a/0001-networkctl-Make-lldp-status-backwards-compatible-wit.patch b/0001-networkctl-Make-lldp-status-backwards-compatible-wit.patch index dc78857..5dd957c 100644 --- a/0001-networkctl-Make-lldp-status-backwards-compatible-wit.patch +++ b/0001-networkctl-Make-lldp-status-backwards-compatible-wit.patch @@ -1,4 +1,4 @@ -From 11d47b91b0fd35aaf2db486783d80bdca7229d82 Mon Sep 17 00:00:00 2001 +From 9ae68659b0870f3213a8e06011b1dbccdeb86ee6 Mon Sep 17 00:00:00 2001 From: Ryan Wilson Date: Wed, 4 Dec 2024 16:15:30 -0800 Subject: [PATCH] networkctl: Make lldp/status backwards compatible with 255 @@ -6,15 +6,18 @@ Subject: [PATCH] networkctl: Make lldp/status backwards compatible with 255 --- src/libsystemd-network/lldp-neighbor.c | 22 +++ - src/network/networkctl.c | 208 ++++++++++++++++++++++++- + src/network/networkctl-lldp.c | 198 ++++++++++++++++++++++++- + src/network/networkctl-lldp.h | 1 + + src/network/networkctl-status-link.c | 9 +- + src/network/networkctl-util.c | 2 +- src/systemd/sd-lldp-rx.h | 1 + - 3 files changed, 224 insertions(+), 7 deletions(-) + 6 files changed, 226 insertions(+), 7 deletions(-) diff --git a/src/libsystemd-network/lldp-neighbor.c b/src/libsystemd-network/lldp-neighbor.c -index a4384ac2e1..02af2954ae 100644 +index 457b1e5926..4e51a55bd1 100644 --- a/src/libsystemd-network/lldp-neighbor.c +++ b/src/libsystemd-network/lldp-neighbor.c -@@ -629,6 +629,28 @@ int sd_lldp_neighbor_get_enabled_capabilities(sd_lldp_neighbor *n, uint16_t *ret +@@ -630,6 +630,28 @@ int sd_lldp_neighbor_get_enabled_capabilities(sd_lldp_neighbor *n, uint16_t *ret return 0; } 
@@ -43,29 +46,28 @@ index a4384ac2e1..02af2954ae 100644 int sd_lldp_neighbor_tlv_rewind(sd_lldp_neighbor *n) { assert_return(n, -EINVAL); -diff --git a/src/network/networkctl.c b/src/network/networkctl.c -index a447c39a64..e31018e813 100644 ---- a/src/network/networkctl.c -+++ b/src/network/networkctl.c -@@ -16,6 +16,7 @@ - #include "sd-device.h" - #include "sd-dhcp-client.h" - #include "sd-hwdb.h" -+#include "sd-lldp-rx.h" - #include "sd-netlink.h" - #include "sd-network.h" - -@@ -173,7 +174,7 @@ int acquire_bus(sd_bus **ret) { - if (networkd_is_running()) { - r = varlink_connect_networkd(/* ret_varlink = */ NULL); - if (r < 0) -- return r; -+ log_warning("Varlink connection failed, fallback to D-Bus."); - } else - log_warning("systemd-networkd is not running, output might be incomplete."); +diff --git a/src/network/networkctl-lldp.c b/src/network/networkctl-lldp.c +index b1dc927af9..6a3a88210c 100644 +--- a/src/network/networkctl-lldp.c ++++ b/src/network/networkctl-lldp.c +@@ -1,11 +1,15 @@ + /* SPDX-License-Identifier: LGPL-2.1-or-later */ -@@ -1410,6 +1411,99 @@ static int dump_lldp_neighbors(Varlink *vl, Table *table, int ifindex) { - return dump_list(table, "Connected To", buf); + #include "alloc-util.h" ++#include "fd-util.h" + #include "json-util.h" + #include "networkctl.h" + #include "networkctl-dump-util.h" ++#include "networkctl-link-info.h" + #include "networkctl-lldp.h" + #include "networkctl-util.h" ++#include "sd-lldp-rx.h" ++#include "sparse-endian.h" + #include "stdio-util.h" + #include "strv.h" + #include "terminal-util.h" +@@ -214,6 +218,194 @@ static int dump_lldp_neighbors_json(sd_json_variant *reply, char * const *patter + return sd_json_variant_dump(v, arg_json_format_flags, NULL, NULL); } +static int open_lldp_neighbors_legacy(int ifindex, FILE **ret) { 
@@ -118,7 +120,7 @@ index a447c39a64..e31018e813 100644 + return 1; +} + -+static int dump_lldp_neighbors_legacy(Table *table, const char *prefix, int ifindex) { ++int dump_lldp_neighbors_legacy(Table *table, const char *prefix, int ifindex) { + _cleanup_strv_free_ char **buf = NULL; + _cleanup_fclose_ FILE *f = NULL; + int r; @@ -159,45 +161,6 @@ index a447c39a64..e31018e813 100644 + + return dump_list(table, prefix, buf); +} -+ -+ - static int dump_dhcp_leases(Table *table, const char *prefix, sd_bus *bus, const LinkInfo *link) { - _cleanup_strv_free_ char **buf = NULL; - _cleanup_(sd_bus_message_unrefp) sd_bus_message *reply = NULL; -@@ -1696,7 +1790,6 @@ static int link_status_one( - - assert(bus); - assert(rtnl); -- assert(vl); - assert(info); - - (void) sd_network_link_get_operational_state(info->ifindex, &operational_state); -@@ -2315,7 +2408,7 @@ static int link_status_one( - return table_log_add_error(r); - } - -- r = dump_lldp_neighbors(vl, table, info->ifindex); -+ r = vl ? dump_lldp_neighbors(vl, table, info->ifindex) : dump_lldp_neighbors_legacy(table, "Connected To", info->ifindex); - if (r < 0) - return r; - -@@ -2449,8 +2542,10 @@ static int link_status(int argc, char *argv[], void *userdata) { - log_debug_errno(r, "Failed to open hardware database: %m"); - - r = varlink_connect_networkd(&vl); -- if (r < 0) -- return r; -+ if (r < 0) { -+ log_warning("Varlink connection failed, fallback to D-Bus."); -+ vl = NULL; -+ } - - if (arg_all) - c = acquire_link_info(bus, rtnl, NULL, &links); -@@ -2584,6 +2679,103 @@ static int dump_lldp_neighbors_json(JsonVariant *reply, char * const *patterns) - return json_variant_dump(v, arg_json_format_flags, NULL, NULL); - } - +static int link_lldp_status_legacy(int argc, char *argv[], void *userdata) { + _cleanup_(sd_netlink_unrefp) sd_netlink *rtnl = NULL; + _cleanup_(link_info_array_freep) LinkInfo *links = NULL; 
@@ -295,10 +258,10 @@ index a447c39a64..e31018e813 100644 + return 0; +} + - static int link_lldp_status(int argc, char *argv[], void *userdata) { - _cleanup_(varlink_flush_close_unrefp) Varlink *vl = NULL; + int link_lldp_status(int argc, char *argv[], void *userdata) { + _cleanup_(sd_varlink_flush_close_unrefp) sd_varlink *vl = NULL; _cleanup_(table_unrefp) Table *table = NULL; -@@ -2594,8 +2786,10 @@ static int link_lldp_status(int argc, char *argv[], void *userdata) { +@@ -224,8 +416,10 @@ int link_lldp_status(int argc, char *argv[], void *userdata) { int r; r = varlink_connect_networkd(&vl); 
@@ -311,8 +274,64 @@ index a447c39a64..e31018e813 100644 r = varlink_call_and_log(vl, "io.systemd.Network.GetLLDPNeighbors", NULL, &reply); if (r < 0) +diff --git a/src/network/networkctl-lldp.h b/src/network/networkctl-lldp.h +index 3ec6fe76c1..9828847924 100644 +--- a/src/network/networkctl-lldp.h ++++ b/src/network/networkctl-lldp.h +@@ -7,3 +7,4 @@ + + int dump_lldp_neighbors(sd_varlink *vl, Table *table, int ifindex); + int link_lldp_status(int argc, char *argv[], void *userdata); ++int dump_lldp_neighbors_legacy(Table *table, const char *prefix, int ifindex); +diff --git a/src/network/networkctl-status-link.c b/src/network/networkctl-status-link.c +index ae13eba9ae..fbda880e9c 100644 +--- a/src/network/networkctl-status-link.c ++++ b/src/network/networkctl-status-link.c +@@ -267,7 +267,6 @@ static int link_status_one( + + assert(bus); + assert(rtnl); +- assert(vl); + assert(info); + + (void) sd_network_link_get_operational_state(info->ifindex, &operational_state); +@@ -904,7 +903,7 @@ static int link_status_one( + return table_log_add_error(r); + } + +- r = dump_lldp_neighbors(vl, table, info->ifindex); ++ r = vl ? 
dump_lldp_neighbors(vl, table, info->ifindex) : dump_lldp_neighbors_legacy(table, "Connected To", info->ifindex); + if (r < 0) + return r; + +@@ -955,8 +954,10 @@ int link_status(int argc, char *argv[], void *userdata) { + log_debug_errno(r, "Failed to open hardware database: %m"); + + r = varlink_connect_networkd(&vl); +- if (r < 0) +- return r; ++ if (r < 0) { ++ log_warning("Varlink connection failed, fallback to D-Bus."); ++ vl = NULL; ++ } + + if (arg_all) + c = acquire_link_info(bus, rtnl, NULL, &links); +diff --git a/src/network/networkctl-util.c b/src/network/networkctl-util.c +index 88620aad53..8bda6b1aec 100644 +--- a/src/network/networkctl-util.c ++++ b/src/network/networkctl-util.c +@@ -90,7 +90,7 @@ int acquire_bus(sd_bus **ret) { + if (networkd_is_running()) { + r = varlink_connect_networkd(/* ret_varlink = */ NULL); + if (r < 0) +- return r; ++ log_warning("Varlink connection failed, fallback to D-Bus."); + } else + log_warning("systemd-networkd is not running, output might be incomplete."); + diff --git a/src/systemd/sd-lldp-rx.h b/src/systemd/sd-lldp-rx.h -index a7e1a9f376..154e37e2d8 100644 +index 51b9f39482..b697643a07 100644 --- a/src/systemd/sd-lldp-rx.h +++ b/src/systemd/sd-lldp-rx.h @@ -88,6 +88,7 @@ int sd_lldp_neighbor_get_port_description(sd_lldp_neighbor *n, const char **ret) @@ -324,5 +343,5 @@ index a7e1a9f376..154e37e2d8 100644 /* Low-level, iterative TLV access. This is for everything else, it iteratively goes through all available TLVs * (including the ones covered with the calls above), and allows multiple TLVs for the same fields. */ -- -2.43.5 +2.47.1 diff --git a/0001-networkctl-Make-networkctl-lldp-output-backwards-com.patch b/0001-networkctl-Make-networkctl-lldp-output-backwards-com.patch index f284573..0e8a953 100644 --- a/0001-networkctl-Make-networkctl-lldp-output-backwards-com.patch +++ b/0001-networkctl-Make-networkctl-lldp-output-backwards-com.patch 
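Review bot: The new warning in the networkctl-util.c hunk (`acquire_bus`) and in the networkctl-status-link.c hunk (`link_status`) discards the error code in `r`, so an operator sees that the varlink connection failed but not why; the same hunk already shows the project's convention for this, `log_debug_errno(r, "Failed to open hardware database: %m");`, so `log_warning_errno(r, "Failed to connect to varlink, falling back to D-Bus: %m");` keeps the cause (and "falling back" reads better than "fallback"). Clearing `vl = NULL` after the failed connect in `link_status` is the right defensive step, since `link_status_one` now branches on `vl ? … : …`; `acquire_bus` passes `NULL` and has nothing to clear. Both enclosing functions continue outside the hunk.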
@@ -1,18 +1,18 @@ -From 7d236cbb2ceea8881e57d9f2e2af091088c4f178 Mon Sep 17 00:00:00 2001 +From 799367ff00cd0c85acd0bbea3dcec619e48b5601 Mon Sep 17 00:00:00 2001 From: Ryan Wilson Date: Tue, 3 Dec 2024 14:46:54 -0800 Subject: [PATCH] networkctl: Make networkctl lldp output backwards compatible with 255 --- - src/network/networkctl.c | 16 +++++++--------- + src/network/networkctl-lldp.c | 16 +++++++--------- 1 file changed, 7 insertions(+), 9 deletions(-) -diff --git a/src/network/networkctl.c b/src/network/networkctl.c -index a447c39a64..8b15ba1fdf 100644 ---- a/src/network/networkctl.c -+++ b/src/network/networkctl.c -@@ -2608,12 +2608,11 @@ static int link_lldp_status(int argc, char *argv[], void *userdata) { +diff --git a/src/network/networkctl-lldp.c b/src/network/networkctl-lldp.c +index 43ffbab..b1dc927 100644 +--- a/src/network/networkctl-lldp.c ++++ b/src/network/networkctl-lldp.c +@@ -238,12 +238,11 @@ int link_lldp_status(int argc, char *argv[], void *userdata) { table = table_new("index", "link", @@ -28,7 +28,7 @@ index a447c39a64..8b15ba1fdf 100644 if (!table) return log_oom(); -@@ -2626,7 +2625,7 @@ static int link_lldp_status(int argc, char *argv[], void *userdata) { +@@ -256,7 +255,7 @@ int link_lldp_status(int argc, char *argv[], void *userdata) { table_hide_column_from_display(table, (size_t) 0); /* Make the capabilities not truncated */ @@ -36,8 +36,8 @@ index a447c39a64..8b15ba1fdf 100644 + assert_se(cell = table_get_cell(table, 0, 4)); table_set_minimum_width(table, cell, 11); - JsonVariant *i; -@@ -2655,12 +2654,11 @@ static int link_lldp_status(int argc, char *argv[], void *userdata) { + sd_json_variant *i; +@@ -285,12 +284,11 @@ int link_lldp_status(int argc, char *argv[], void *userdata) { r = table_add_many(table, TABLE_INT, info.ifindex, TABLE_STRING, info.ifname, @@ -54,5 +54,5 @@ index a447c39a64..8b15ba1fdf 100644 return table_log_add_error(r); -- -2.43.5 +2.47.1 
diff --git a/0001-tmpfiles-make-purge-hard-to-mis-use.patch b/0001-tmpfiles-make-purge-hard-to-mis-use.patch deleted file mode 100644 index 033b575..0000000 --- a/0001-tmpfiles-make-purge-hard-to-mis-use.patch +++ /dev/null 
@@ -1,88 +0,0 @@ -From 1e788a7fb535a37a8268aa7dc5130f670eb72a6b Mon Sep 17 00:00:00 2001 -From: Daan De Meyer -Date: Tue, 23 Jul 2024 13:14:05 +0200 -Subject: [PATCH] tmpfiles: make --purge hard to (mis-)use - -Follow-up for https://github.com/systemd/systemd/pull/33383. ---- - src/tmpfiles/tmpfiles.c | 17 +++++++++++++++++ - test/units/TEST-22-TMPFILES.18.sh | 4 ++-- - 2 files changed, 19 insertions(+), 2 deletions(-) - -diff --git a/src/tmpfiles/tmpfiles.c b/src/tmpfiles/tmpfiles.c -index 8cc8c1ccd6..14048545db 100644 ---- a/src/tmpfiles/tmpfiles.c -+++ b/src/tmpfiles/tmpfiles.c -@@ -4197,6 +4197,7 @@ static int parse_argv(int argc, char *argv[]) { - ARG_IMAGE_POLICY, - ARG_REPLACE, - ARG_DRY_RUN, -+ ARG_DESTROY_DATA, - ARG_NO_PAGER, - }; - -@@ -4220,10 +4221,18 @@ static int parse_argv(int argc, char *argv[]) { - { "replace", required_argument, NULL, ARG_REPLACE }, - { "dry-run", no_argument, NULL, ARG_DRY_RUN }, - { "no-pager", no_argument, NULL, ARG_NO_PAGER }, -+ -+ /* This is not documented on purpose. -+ * If you think --purge should be allowed without jumping through hoops, -+ * consider opening a bug report with the description of the use case. 
-+ */ -+ { "destroy-data", no_argument, NULL, ARG_DESTROY_DATA }, -+ - {} - }; - - int c, r; -+ bool destroy_data = false; - - assert(argc >= 0); - assert(argv); -@@ -4330,6 +4339,10 @@ static int parse_argv(int argc, char *argv[]) { - arg_dry_run = true; - break; - -+ case ARG_DESTROY_DATA: -+ destroy_data = true; -+ break; -+ - case ARG_NO_PAGER: - arg_pager_flags |= PAGER_DISABLE; - break; -@@ -4349,6 +4362,10 @@ static int parse_argv(int argc, char *argv[]) { - return log_error_errno(SYNTHETIC_ERRNO(EINVAL), - "Refusing --purge without specification of a configuration file."); - -+ if (FLAGS_SET(arg_operation, OPERATION_PURGE) && !arg_dry_run && !destroy_data) -+ return log_error_errno(SYNTHETIC_ERRNO(EINVAL), -+ "Refusing --purge without --destroy-data."); -+ - if (arg_replace && arg_cat_flags != CAT_CONFIG_OFF) - return log_error_errno(SYNTHETIC_ERRNO(EINVAL), - "Option --replace= is not supported with --cat-config/--tldr."); -diff --git a/test/units/TEST-22-TMPFILES.18.sh b/test/units/TEST-22-TMPFILES.18.sh -index 5d24197c81..de23bbb95f 100755 ---- a/test/units/TEST-22-TMPFILES.18.sh -+++ b/test/units/TEST-22-TMPFILES.18.sh -@@ -21,7 +21,7 @@ systemd-tmpfiles --purge --dry-run - <<<"$c" - test -f /tmp/somedir/somefile - grep -q baz /tmp/somedir/somefile - --systemd-tmpfiles --purge - <<<"$c" -+systemd-tmpfiles --purge --destroy-data - <<<"$c" - test ! -f /tmp/somedir/somefile - test ! -d /tmp/somedir/ - -@@ -29,6 +29,6 @@ systemd-tmpfiles --create --purge --dry-run - <<<"$c" - test ! -f /tmp/somedir/somefile - test ! -d /tmp/somedir/ - --systemd-tmpfiles --create --purge - <<<"$c" -+systemd-tmpfiles --create --destroy-data --purge - <<<"$c" - test -f /tmp/somedir/somefile - grep -q baz /tmp/somedir/somefile --- -2.45.2 - diff --git a/33738.patch b/33738.patch deleted file mode 100644 index 58ab604..0000000 --- a/33738.patch +++ /dev/null 
@@ -1,37 +0,0 @@ -From 69c5d6bea7cc2168a2a483d232aa9a77202173f0 Mon Sep 17 00:00:00 2001 -From: Hans de Goede -Date: Tue, 16 Jul 2024 17:46:09 +0200 -Subject: [PATCH] rules: Add uaccess tag to /dev/udmabuf - -In some cases userspace may need to create dmabuffers from userspace -on such example is the software ISP part of libcamera which needs to -allocate dma-buffers for the output of the software ISP. - -At first the plan was to allow console users access to /dev/dma_heap/*, -this was discussed with various kernel folks here: -https://lore.kernel.org/all/bb372250-e8b8-4458-bc99-dd8365b06991@redhat.com/ - -Giving console users access to the dma_heap's was deemed a bad idea -because memory allocated this way is not accounted in cgroup limits. - -Giving access to /dev/udmabuf OTOH was deemed acceptable so that -is what this patch adds. - -Resolves: #32662 ---- - rules.d/70-uaccess.rules.in | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/rules.d/70-uaccess.rules.in b/rules.d/70-uaccess.rules.in -index b82ce04a39d38..e683bb1114461 100644 ---- a/rules.d/70-uaccess.rules.in -+++ b/rules.d/70-uaccess.rules.in -@@ -34,6 +34,8 @@ SUBSYSTEM=="sound", TAG+="uaccess", \ - SUBSYSTEM=="video4linux", TAG+="uaccess" - SUBSYSTEM=="dvb", TAG+="uaccess" - SUBSYSTEM=="media", TAG+="uaccess" -+# libcamera software ISP used with some cams requires udmabuf access -+KERNEL=="udmabuf", TAG+="uaccess" - - # industrial cameras, some webcams, camcorders, set-top boxes, TV sets, audio devices, and more - SUBSYSTEM=="firewire", TEST=="units", ENV{IEEE1394_UNIT_FUNCTION_MIDI}=="1", TAG+="uaccess" diff --git a/libabigail.abignore b/libabigail.abignore new file mode 100644 index 0000000..6a33b88 --- /dev/null +++ b/libabigail.abignore @@ -0,0 +1,3 @@ +[suppress_file] +# Those shared objects are private to systemd +file_name_regexp=libsystemd-(shared|core)-.*.so diff --git a/sources b/sources index db248bb..b8843e6 100644 --- a/sources +++ b/sources 
@@ -1 +1 @@ -SHA512 (systemd-256.7.tar.gz) = 2ff3805a7d97780a716b23ddeea3722a85aba6326ecee527e53e9d35510a0ffa5ec0bf0cdbf8f3409bb9c6832406916f63eb7e8305db5f67c284e5590c642422 +SHA512 (systemd-257.2.tar.gz) = 4f47fcd9a4148101ee7b85cf5908a04ec9e025dc7a5a2e8e61c05439cfd427851b6d356bb96a0dfae55566bbf6d3c93a13251d220840c09296e94f80bd4a5945 diff --git a/split-files.py b/split-files.py index 51400fd..b08c2bd 100644 --- a/split-files.py +++ b/split-files.py @@ -154,6 +154,9 @@ for file in files(buildroot): and os.path.exists(f'./{n}.example')): o = outputs['networkd-defaults'] + # Files that are "consumed" by systemd-networkd go into the -networkd + # subpackage. As a special case, network-generator is co-owned also by + # the -udev subpackage because systemd-udevd reads .link files. elif re.search(r'''/usr/lib/systemd/network/.*\.network| networkd| networkctl| @@ -164,6 +167,8 @@ for file in files(buildroot): systemd\.netdev ''', n, re.X): o = outputs['networkd'] + elif 'network-generator' in n: + o = (outputs['networkd'], outputs['udev']) elif '.so.' in n: o = outputs['libs'] @@ -255,7 +260,10 @@ for file in files(buildroot): suffix = '*' if '/man/' in n else '' - print(f'{prefix}{n}{suffix}', file=o) + if not isinstance(o, tuple): + o = (o,) + for file in o: + print(f'{prefix}{n}{suffix}', file=file) if [print(f'ERROR: no file names were written to {o.name}') for name, o in outputs.items() diff --git a/systemd.spec b/systemd.spec index 3033ea4..191b711 100644 --- a/systemd.spec +++ b/systemd.spec @@ -32,6 +32,9 @@ # Build from git main %bcond upstream 0 +# Build with OBS-specific quirks +%bcond obs 0 + # When bootstrap, libcryptsetup is disabled # but auto-features causes many options to be turned on # that depend on libcryptsetup (e.g. libcryptsetup-plugins, homed) 
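Review bot: In the split-files.py hunk at `@@ -255,7 +260,10 @@`, the new `for file in o:` rebinds `file`, which is also the loop variable of the enclosing `for file in files(buildroot):` shown in the hunk header; after the inner loop `file` names an output handle rather than the current entry, which is harmless only as long as nothing later in the iteration reads it. Renaming the inner variable avoids the trap: `for out in o:` / `print(f'{prefix}{n}{suffix}', file=out)`. The `if not isinstance(o, tuple): o = (o,)` normalisation is fine, though the comment added in the `@@ -154,6 +154,9 @@` hunk would sit better next to the new `elif 'network-generator' in n:` branch it explains rather than above the unrelated `.network` regex. The enclosing loop starts outside the hunk.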
@@ -43,8 +46,14 @@ Name: systemd Url: https://systemd.io # Allow users to specify the version and release when building the rpm by # setting the %%version_override and %%release_override macros. -Version: %{?version_override}%{!?version_override:256.7} -Release: %{?release_override}%{!?release_override:1.13}%{?dist} +# But don't do that on OBS, otherwise the version subst fails, and will be +# like 257-123-gabcd257.1 instead of 257-123-gabcd +%if %{without obs} +Version: %{?version_override}%{!?version_override:257.2} +%else +Version: %{?version_override}%{!?version_override:%(cat meson.version)} +%endif +Release: %autorelease %global stable %(c="%version"; [ "$c" = "${c#*.*}" ]; echo $?) @@ -74,7 +83,7 @@ Source9: systemd-journal-gatewayd.xml Source10: 20-yama-ptrace.conf Source11: systemd-udev-trigger-no-reload.conf # https://fedoraproject.org/wiki/How_to_filter_libabigail_reports -Source13: .abignore +Source13: libabigail.abignore Source14: 10-oomd-defaults.conf Source15: 10-oomd-per-slice-defaults.conf 
@@ -91,69 +100,21 @@ Source25: 98-default-mac-none.link Source26: systemd-user -%if 0 -GIT_DIR=../../src/systemd/.git git format-patch-ab --no-signature -M -N v235..v235-stable -i=1; for j in 00*patch; do printf "Patch%04d: %s\n" $i $j; i=$((i+1));done|xclip -GIT_DIR=../../src/systemd/.git git diffab -M v233..master@{2017-06-15} -- hwdb/[67]* hwdb/parse_hwdb.py >hwdb.patch -%endif - -# Backports of patches from upstream (0000–0499) -# -# Any patches which are "in preparation" upstream should be listed here, rather -# than in the next section. Packit CI will drop any patches in this range before -# applying upstream pull requests. - %if 0%{?fedora} < 40 && 0%{?rhel} < 10 # Work-around for dracut issue: run generators directly when we are in initrd # https://bugzilla.redhat.com/show_bug.cgi?id=2164404 # Drop when dracut-060 is available. -Patch0010: https://github.com/systemd/systemd/pull/26494.patch -%endif - -%if %{without upstream} - -# Requested in https://bugzilla.redhat.com/show_bug.cgi?id=2298422 -Patch0011: https://github.com/systemd/systemd/pull/33738.patch - -# Various logging improvements -Patch0013: https://github.com/systemd/systemd/pull/34728.patch - -# Make sure bus_connect_transport_systemd() actually connects to the private manager bus -Patch0014: https://github.com/systemd/systemd/pull/34686.patch - -# Simplify user manager upgrades -Patch0015: https://github.com/systemd/systemd/pull/34707.patch - -# core/device: ignore ID_PROCESSING udev property on enumerate -Patch0016: https://github.com/systemd/systemd/pull/35332.patch - -# Soft-disable tmpfiles --purge until a good use case comes up. 
-Patch0492: 0001-tmpfiles-make-purge-hard-to-mis-use.patch - +Patch: https://github.com/systemd/systemd/pull/26494.patch %endif # Those are downstream-only patches, but we don't want them in packit builds: # https://bugzilla.redhat.com/show_bug.cgi?id=2251843 -Patch0491: https://github.com/systemd/systemd/pull/30846.patch - # Meta specific backports (900-1000) %if 0%{?facebook} %if %{without upstream} -# network: Make qdisc reconfigurable -Patch0900: https://github.com/systemd/systemd/pull/34543.patch - -# network: Add support for multiq qdisc -Patch0901: https://github.com/systemd/systemd/pull/34251.patch - -# core: Add support for PrivateUsers=identity -Patch0902: https://github.com/systemd/systemd/pull/34400.patch - -# bus-util: Return ENOMEDIUM if XDG_RUNTIME_DIR is unset -Patch0903: https://github.com/systemd/systemd/pull/34851.patch - # pam_systemd: Make pam_systemd 256 backwards compatible to logind 255 Patch0904: 0001-pam_systemd-Make-pam_systemd-256-backwards-compatibl.patch @@ -181,6 +142,7 @@ Patch1003: 0001-Temporary-workaround-PrivateUsers-full-implies-Deleg.patch %endif +Patch: https://github.com/systemd/systemd/pull/30846.patch %endif %ifarch %{ix86} x86_64 aarch64 riscv64 @@ -228,7 +190,7 @@ BuildRequires: libcurl-devel BuildRequires: kmod-devel BuildRequires: elfutils-devel BuildRequires: openssl-devel -%if 0%{?fedora} >= 41 || 0%{?rhel} >= 11 +%if 0%{?fedora} >= 41 BuildRequires: openssl-devel-engine %endif %if %{with gnutls} @@ -264,7 +226,6 @@ BuildRequires: python3dist(lxml) BuildRequires: python3dist(pefile) %if 0%{?fedora} BuildRequires: python3dist(pillow) -BuildRequires: python3dist(pytest-flakes) %endif BuildRequires: python3dist(pytest) %if 0%{?want_bootloader} @@ -298,6 +259,10 @@ BuildRequires: xen-devel %endif %endif +%if %{with obs} +BuildRequires: pesign-obs-integration +%endif + Requires(post): coreutils Requires(post): grep # systemd-machine-id-setup requires libssl 
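Review bot: Dropping `Patch0492: 0001-tmpfiles-make-purge-hard-to-mis-use.patch` in the `@@ -91,69 +100,21 @@` hunk removes the downstream guard that refused `systemd-tmpfiles --purge` unless `--destroy-data` was also given (the deleted patch file appears earlier in this diff), so `--purge` against an explicitly named config becomes a single-flag destructive operation again unless the 257.2 tarball carries an equivalent check. If that is intended, a one-line comment where the patch used to be, e.g. `# Patch0492 (tmpfiles --purge/--destroy-data guard) dropped: <reason or upstream reference>`, would stop the next rebase from wondering whether it was lost by accident. The other removed Patch00xx/Patch090x entries look like backports presumably contained in 257.2; the same note would help there but matters less, since they add rather than remove a safeguard.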
@@ -573,6 +538,7 @@ with a command line, and possibly PCR measurements and other metadata, into a Unified Kernel Image (UKI). %if 0%{?want_bootloader} +%if %{without obs} %package boot-unsigned Summary: UEFI boot manager (unsigned version) @@ -593,6 +559,27 @@ line. systemd-boot supports systems with UEFI firmware only. This package contains the unsigned version. Install systemd-boot instead to get the version that works with Secure Boot. +%else +%package boot +Summary: UEFI boot manager (signed version) + +Provides: systemd-boot-signed-%{efi_arch} = %version-%release +Provides: systemd-boot = %version-%release +Provides: systemd-boot%{_isa} = %version-%release +# A provides with just the version, no release or dist, used to build systemd-boot +Provides: version(systemd-boot-signed) = %version +Provides: version(systemd-boot-signed)%{_isa} = %version + +# self-obsoletes to install both packages after split of systemd-boot +Obsoletes: systemd-udev < 252.2^ + +%description boot +systemd-boot (short: sd-boot) is a simple UEFI boot manager. It provides a +graphical menu to select the entry to boot and an editor for the kernel command +line. systemd-boot supports systems with UEFI firmware only. + +This package contains the signed version. +%endif %endif %package container 
@@ -602,7 +589,13 @@ Requires: %{name}%{_isa} = %{version}-%{release} Requires(post): systemd%{_isa} = %{version}-%{release} Requires(preun): systemd%{_isa} = %{version}-%{release} Requires(postun): systemd%{_isa} = %{version}-%{release} -# obsolete parent package so that dnf will install new subpackage on upgrade (#1260394) +# For systemd-vmspawn which uses qemu: +Recommends: qemu-kvm-core +%if 0%{?fedora} +Recommends: qemu-device-display-virtio-gpu +Recommends: qemu-device-display-virtio-vga +%endif +# Obsolete parent package so that dnf will install new subpackage on upgrade (#1260394) Obsoletes: %{name} < 229-5 # Bias the system towards libcurl-minimal if nothing pulls in full libcurl (#1997040) Suggests: libcurl-minimal @@ -772,6 +765,10 @@ main systemd package and is meant for use in exitrds. %endif +# Disable user lockdown until rpm implements it natively. +# https://github.com/rpm-software-management/rpm/issues/3450 +sed -r -i 's/^u!/u/' sysusers.d/*.conf* + %build %global ntpvendor %(source /etc/os-release; echo ${ID}) %{!?ntpvendor: echo 'NTP vendor zone is not set!'; exit 1} @@ -799,7 +796,8 @@ VMLINUX_H_PATH=$(%python3 -c '%find_vmlinux_h') %endif CONFIGURE_OPTS=( - -Dmode=%[%{with upstream}?"developer":"release"] + -Dmode=release + -Dslow-tests=true -Dsysvinit-path=/etc/rc.d/init.d -Drc-local=/etc/rc.d/rc.local -Dntp-servers='0.%{ntpvendor}.pool.ntp.org 1.%{ntpvendor}.pool.ntp.org 2.%{ntpvendor}.pool.ntp.org 3.%{ntpvendor}.pool.ntp.org' @@ -1050,7 +1048,7 @@ install -Dm0644 -t %{buildroot}%{_pkgdocdir}/ %{SOURCE10} # https://bugzilla.redhat.com/show_bug.cgi?id=1378974 install -Dm0644 -t %{buildroot}%{system_unit_dir}/systemd-udev-trigger.service.d/ %{SOURCE11} -install -Dm0644 -t %{buildroot}%{_prefix}/lib/systemd/ %{SOURCE13} +install -Dm0644 %{SOURCE13} %{buildroot}%{_prefix}/lib/systemd/.abignore # systemd-oomd default configuration install -Dm0644 -t %{buildroot}%{_prefix}/lib/systemd/oomd.conf.d/ %{SOURCE14} 
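Review bot: The `sed -r -i 's/^u!/u/' sysusers.d/*.conf*` added just before `%build` rewrites every `u!` sysusers entry shipped by this package into a plain `u`, so if `u!` carries the upstream meaning of "create the account with a locked password", these system users are created unlocked on Fedora until rpm implements `u!` natively — a wider effect than the comment's "disable user lockdown" conveys. Spelling that out in the comment, e.g. `# NOTE: rewrites locked (u!) system accounts to ordinary (u) ones; drop once rpm handles 'u!' (rpm issue 3450)`, and making the step fail when there is nothing left to rewrite (e.g. `grep -q '^u!' sysusers.d/*.conf*` before the sed) would ensure the workaround is noticed and removed rather than silently outliving its reason. sysusers.generate-pre.sh, sysusers.prov and test_sysusers_defined.py in this same commit are taught to accept `u!`, which this sed keeps from being exercised in practice.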
@@ -1113,11 +1111,25 @@ mv %{buildroot}/usr/lib/tmpfiles.d/20-systemd-userdb.conf{,.example} install -m 0644 -t %{buildroot}%{_prefix}/lib/pam.d/ %{SOURCE26} +# Disable freezing of user sessions while we're working out the details. +mkdir -p %{buildroot}/usr/lib/systemd/system/service.d/ +cat >>%{buildroot}/usr/lib/systemd/system/service.d/50-keep-warm.conf </dev/null +systemd-hwdb update &>/dev/null %systemd_post %udev_services @@ -1296,10 +1308,8 @@ fi %systemd_post systemd-resolved.service %preun resolved +%systemd_preun systemd-resolved.service if [ $1 -eq 0 ] ; then - systemctl disable --quiet \ - systemd-resolved.service \ - >/dev/null || : if [ -L /etc/resolv.conf ] && \ realpath /etc/resolv.conf | grep ^/run/systemd/resolve/; then rm -f /etc/resolv.conf # no longer useful @@ -1386,7 +1396,11 @@ fi %files ukify -f .file-list-ukify %if 0%{?want_bootloader} +%if %{without obs} %files boot-unsigned -f .file-list-boot +%else +%files boot -f .file-list-boot +%endif %endif %files container -f .file-list-container diff --git a/sysusers.generate-pre.sh b/sysusers.generate-pre.sh index 4a87d53..944abff 100755 --- a/sysusers.generate-pre.sh +++ b/sysusers.generate-pre.sh @@ -69,7 +69,7 @@ parse() { [ -z "$line" ] && continue eval "arr=( $line )" case "${arr[0]}" in - ('u') + ('u'|'u!') if [[ "${arr[2]}" == *":"* ]]; then user "${arr[1]}" "${arr[2]%:*}" "${arr[3]}" "${arr[2]#*:}" "${arr[4]}" "${arr[5]}" else diff --git a/sysusers.prov b/sysusers.prov index f12e929..7b3d704 100755 --- a/sysusers.prov +++ b/sysusers.prov @@ -42,7 +42,7 @@ parse() { [ -z "$line" ] && continue set -- $line case "$1" in - ('u') + ('u'|'u!') process_u "$2" "$3" ;; ('g') diff --git a/test_sysusers_defined.py b/test_sysusers_defined.py index 2754578..6f04f15 100755 --- a/test_sysusers_defined.py +++ b/test_sysusers_defined.py 
@@ -11,7 +11,7 @@ def parse_sysusers_file(filename): continue words = line.split() match words[0]: - case 'u': + case 'u'|'u!': users.add(words[1]) case 'g': groups.add(words[1]) diff --git a/tests/tests-reboot.yml b/tests/tests-reboot.yml deleted file mode 100644 index 94ea8a5..0000000 --- a/tests/tests-reboot.yml +++ /dev/null @@ -1,50 +0,0 @@ ---- -- hosts: localhost - vars: - - artifacts: "{{ lookup('env', 'TEST_ARTIFACTS')|default('./artifacts', true) }}" - tags: - - classic - tasks: - # switch SELinux to permissive mode - - name: Get default kernel - command: "grubby --default-kernel" - register: default_kernel - - debug: msg="{{ default_kernel.stdout }}" - - name: Set permissive mode - command: "grubby --args=enforcing=0 --update-kernel {{ default_kernel.stdout }}" - - - name: reboot - block: - - name: restart host - shell: sleep 2 && shutdown -r now "Ansible updates triggered" - async: 1 - poll: 0 - ignore_errors: true - - - name: wait for host to come back - wait_for_connection: - delay: 10 - timeout: 300 - - - name: Re-create /tmp/artifacts - command: mkdir /tmp/artifacts - - - name: Gather SELinux denials since boot - shell: | - result=pass - dmesg | grep -i -e type=1300 -e type=1400 > /tmp/avc.log && result=fail - ausearch -m avc -m selinux_err -m user_avc -ts boot &>> /tmp/avc.log - grep -q '' /tmp/avc.log || result=fail - echo -e "\nresults:\n- test: reboot and collect AVC\n result: $result\n logs:\n - avc.log\n\n" > /tmp/results.yml - ( [ $result = "pass" ] && echo PASS test-reboot || echo FAIL test-reboot ) > /tmp/test.log - - always: - - name: Pull out the artifacts - fetch: - dest: "{{ artifacts }}/" - src: "{{ item }}" - flat: yes - with_items: - - /tmp/test.log - - /tmp/avc.log - - /tmp/results.yml