Skip to content
Snippets Groups Projects
Commit 10df281b authored by importbot's avatar importbot
Browse files

import systemd-255.3-%autorelease

parents
Branches r8-beta
No related merge requests found
Hide whitespace changes
Inline Side-by-side
Showing
with 622 additions and 0 deletions
.systemd.checksum 0 → 100644
+ 1
0
View file @ 10df281b
Direct Git Import
.systemd.metadata 0 → 100644
+ 1
0
View file @ 10df281b
27807c65f969d0e0e44629dee8379e1e2c30e6c5e84be0389438c4ab1b225000 SOURCES/systemd-255.3.tar.gz
SOURCES/.abignore 0 → 100644
+ 3
0
View file @ 10df281b
[suppress_file]
# Those shared objects are private to systemd
file_name_regexp=libsystemd-(shared|core)-.*.so
SOURCES/10-map-count.conf 0 → 100644
+ 3
0
View file @ 10df281b
# Increase the number of virtual memory areas that one process may request
# https://fedoraproject.org/wiki/Changes/IncreaseVmMaxMapCount
vm.max_map_count=1048576
SOURCES/10-oomd-defaults.conf 0 → 100644
+ 2
0
View file @ 10df281b
[OOM]
DefaultMemoryPressureDurationSec=20s
SOURCES/10-oomd-per-slice-defaults.conf 0 → 100644
+ 3
0
View file @ 10df281b
[Slice]
ManagedOOMMemoryPressure=kill
ManagedOOMMemoryPressureLimit=80%
SOURCES/10-timeout-abort.conf 0 → 100644
+ 14
0
View file @ 10df281b
# This file is part of the systemd package.
# See https://fedoraproject.org/wiki/Changes/Shorter_Shutdown_Timer.
#
# To facilitate debugging when a service fails to stop cleanly,
# TimeoutStopFailureMode=abort is set to "crash" services that fail to stop in
# the time allotted. This will cause the service to be terminated with SIGABRT
# and a coredump to be generated.
#
# To undo this configuration change, create a mask file:
# sudo mkdir -p /etc/systemd/system/service.d
# sudo ln -sv /dev/null /etc/systemd/system/service.d/10-timeout-abort.conf
[Service]
TimeoutStopFailureMode=abort
SOURCES/20-yama-ptrace.conf 0 → 100644
+ 42
0
View file @ 10df281b
# The ptrace system call is used for interprocess services,
# communication and introspection (like synchronisation, signaling,
# debugging, tracing and profiling) of processes.
#
# Usage of ptrace is restricted by normal user permissions. Normal
# unprivileged processes cannot use ptrace on processes that they
# cannot send signals to or processes that are running set-uid or
# set-gid. Nevertheless, processes running under the same uid will
# usually be able to ptrace one another.
#
# Fedora enables the Yama security mechanism which restricts ptrace
# even further. Sysctl setting kernel.yama.ptrace_scope can have one
# of the following values:
#
# 0 - Normal ptrace security permissions.
# 1 - Restricted ptrace. Only child processes plus normal permissions.
# 2 - Admin-only attach. Only executables with CAP_SYS_PTRACE.
# 3 - No attach. No process may call ptrace at all. Irrevocable.
#
# For more information see Documentation/security/Yama.txt in the
# kernel sources.
#
# The default is 1., which allows tracing of child processes, but
# forbids tracing of arbitrary processes. This allows programs like
# gdb or strace to work when the most common way of having the
# debugger start the debuggee is used:
# gdb /path/to/program ...
# Attaching to already running programs is NOT allowed:
# gdb -p ...
# This default setting is suitable for the common case, because it
# reduces the risk that one hacked process can be used to attack other
# processes. (For example, a hacked firefox process in a user session
# will not be able to ptrace the keyring process and extract passwords
# stored only in memory.)
#
# Developers and administrators might want to disable those protections
# to be able to attach debuggers to existing processes. Use
# sysctl kernel.yama.ptrace_scope=0
# for change the setting temporarily, or copy this file to
# /etc/sysctl.d/20-yama-ptrace.conf to set it for future boots.
kernel.yama.ptrace_scope = 0
SOURCES/26494.patch 0 → 100644
+ 30
0
View file @ 10df281b
From 6b25470ee28843a49c50442e9d8a98edc842ceca Mon Sep 17 00:00:00 2001
From: Yu Watanabe <watanabe.yu+github@gmail.com>
Date: Mon, 20 Feb 2023 12:00:30 +0900
Subject: [PATCH] core/manager: run generators directly when we are in initrd
Some initrd system write files at ourside of /run, /etc, or other
allowed places. This is a kind of workaround, but in most cases, such
sandboxing is not necessary as the filesystem is on ramfs when we are in
initrd.
Fixes #26488.
---
src/core/manager.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/core/manager.c b/src/core/manager.c
index 7b394794b0d4..306477c6e6c2 100644
--- a/src/core/manager.c
+++ b/src/core/manager.c
@@ -3822,8 +3822,8 @@ static int manager_run_generators(Manager *m) {
/* If we are the system manager, we fork and invoke the generators in a sanitized mount namespace. If
* we are the user manager, let's just execute the generators directly. We might not have the
* necessary privileges, and the system manager has already mounted /tmp/ and everything else for us.
- */
- if (MANAGER_IS_USER(m)) {
+ * If we are in initrd, let's also execute the generators directly, as we are in ramfs. */
+ if (MANAGER_IS_USER(m) || in_initrd()) {
r = manager_execute_generators(m, paths, /* remount_ro= */ false);
goto finish;
}
SOURCES/30846.patch 0 → 100644
+ 55
0
View file @ 10df281b
From 07fd822c59e29b4f5e7dab029ea1186c1b862e3e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
Date: Tue, 9 Jan 2024 11:28:04 +0100
Subject: [PATCH] journal: again create user journals for users with high uids
This effectively reverts a change in 115d5145a257c1a27330acf9f063b5f4d910ca4d
'journald: move uid_for_system_journal() to uid-alloc-range.h', which slipped
in an additional check of uid_is_container(uid). The problem is that that change
is not backwards-compatible at all and very hard for users to handle.
There is no common agreement on mappings of high-range uids. Systemd declares
ownership of a large range for container uids in https://systemd.io/UIDS-GIDS/,
but this is only a recent change and various sites allocated those ranges
in a different way, in particular FreeIPA uses (used?) uids from this range
for human users. On big sites with lots of users changing uids is obviously a
hard problem. We generally assume that uids cannot be "freed" and/or changed
and/or reused safely, so we shouldn't demand the same from others.
This is somewhat similar to the situation with SYSTEM_ALLOC_UID_MIN /
SYSTEM_UID_MAX, which we tried to define to a fixed value in our code, causing
huge problems for existing systems with were created with a different
definition and couldn't be easily updated. For that case, we added a
configuration time switch and we now parse /etc/login.defs to actually use the
value that is appropriate for the local system.
Unfortunately, login.defs doesn't have a concept of container allocation ranges
(and we don't have code to parse and use those nonexistent names either), so we
can't tell users to adjust logind.defs to work around the changed definition.
login.defs has SUB_UID_{MIN,MAX}, but those aren't really the same thing,
because they are used to define where the add allocations for subuids, which is
generally a much smaller range. Maybe we should talk with other folks about
the appropriate allocation ranges and define some new settings in login.defs.
But this would require discussion and coordination with other projects first.
Actualy, it seems that this change was needed at all. The code in the container
does not log to the outside journal. It talks to its own journald, which does
journal splitting using its internal logic based on shifted uids. So let's
revert the change to fix user systems.
Fixes https://bugzilla.redhat.com/show_bug.cgi?id=2251843.
---
src/basic/uid-alloc-range.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/basic/uid-alloc-range.c b/src/basic/uid-alloc-range.c
index 669cb6d56f7be..7b724b7959f60 100644
--- a/src/basic/uid-alloc-range.c
+++ b/src/basic/uid-alloc-range.c
@@ -127,5 +127,5 @@ bool uid_for_system_journal(uid_t uid) {
/* Returns true if the specified UID shall get its data stored in the system journal. */
- return uid_is_system(uid) || uid_is_dynamic(uid) || uid == UID_NOBODY || uid_is_container(uid);
+ return uid_is_system(uid) || uid_is_dynamic(uid) || uid == UID_NOBODY;
}
SOURCES/98-default-mac-none.link 0 → 100644
+ 20
0
View file @ 10df281b
# SPDX-License-Identifier: MIT-0
#
# This config file is installed as part of systemd.
# It may be freely copied and edited (following the MIT No Attribution license).
#
# To make local modifications, one of the following methods may be used:
# 1. add a drop-in file that extends this file by creating the
# /etc/systemd/network/98-default-mac-none.link.d/ directory and creating a
# new .conf file there.
# 2. copy this file into /etc/systemd/network or one of the other paths checked
# by systemd-udevd and edit it there.
# This file should not be edited in place, because it'll be overwritten on upgrades.
[Match]
Kind=bridge bond team
[Link]
NamePolicy=keep kernel database onboard slot path
AlternativeNamesPolicy=database onboard slot path
MACAddressPolicy=none
SOURCES/fedora-use-system-auth-in-pam-systemd-user.patch 0 → 100644
+ 31
0
View file @ 10df281b
From c4b803dc60b63a35c977d39610b7872175ec03bd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
Date: Wed, 14 Dec 2022 22:24:53 +0100
Subject: [PATCH] fedora: use system-auth in pam systemd-user
---
src/login/systemd-user.in | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/login/systemd-user.in b/src/login/systemd-user.in
index 8a3c9e0165..74ef5f2552 100644
--- a/src/login/systemd-user.in
+++ b/src/login/systemd-user.in
@@ -7,7 +7,7 @@
-account sufficient pam_systemd_home.so
{% endif %}
account sufficient pam_unix.so no_pass_expiry
-account required pam_permit.so
+account include system-auth
{% if HAVE_SELINUX %}
session required pam_selinux.so close
@@ -20,4 +20,4 @@ session required pam_namespace.so
-session optional pam_systemd_home.so
{% endif %}
session optional pam_umask.so silent
-session optional pam_systemd.so
+session include system-auth
--
2.41.0
SOURCES/inittab 0 → 100644
+ 16
0
View file @ 10df281b
# inittab is no longer used.
#
# ADDING CONFIGURATION HERE WILL HAVE NO EFFECT ON YOUR SYSTEM.
#
# Ctrl-Alt-Delete is handled by /usr/lib/systemd/system/ctrl-alt-del.target
#
# systemd uses 'targets' instead of runlevels. By default, there are two main targets:
#
# multi-user.target: analogous to runlevel 3
# graphical.target: analogous to runlevel 5
#
# To view current default target, run:
# systemctl get-default
#
# To set a default target, run:
# systemctl set-default TARGET.target
SOURCES/macros.sysusers 0 → 100644
+ 10
0
View file @ 10df281b
# RPM macros for packages creating system accounts
#
# Turn a sysusers.d file into macros specified by
# https://docs.fedoraproject.org/en-US/packaging-guidelines/UsersAndGroups/#_dynamic_allocation
%sysusers_requires_compat Requires(pre): shadow-utils
%sysusers_create_compat() \
%(%{_rpmconfigdir}/sysusers.generate-pre.sh %{?*}) \
%{nil}
SOURCES/purge-nobody-user 0 → 100755
+ 101
0
View file @ 10df281b
#!/bin/bash -eu
if [ $UID -ne 0 ]; then
echo "WARNING: This script needs to run as root to be effective"
exit 1
fi
export SYSTEMD_NSS_BYPASS_SYNTHETIC=1
if [ "${1:-}" = "--ignore-journal" ]; then
shift
ignore_journal=1
else
ignore_journal=0
fi
echo "Checking processes..."
if ps h -u 99 | grep .; then
echo "ERROR: ps reports processes with UID 99!"
exit 2
fi
echo "... not found"
echo "Checking UTMP..."
if w -h 199 | grep . ; then
echo "ERROR: w reports UID 99 as active!"
exit 2
fi
if w -h nobody | grep . ; then
echo "ERROR: w reports user nobody as active!"
exit 2
fi
echo "... not found"
echo "Checking the journal..."
if [ "$ignore_journal" = 0 ] && journalctl -q -b -n10 _UID=99 | grep . ; then
echo "ERROR: journalctl reports messages from UID 99 in current boot!"
exit 2
fi
echo "... not found"
echo "Looking for files in /etc, /run, /tmp, and /var..."
if find /etc /run /tmp /var -uid 99 -print | grep -m 10 . ; then
echo "ERROR: found files belonging to UID 99"
exit 2
fi
echo "... not found"
echo "Checking if nobody is defined correctly..."
if getent passwd nobody |
grep '^nobody:[x*]:65534:65534:.*:/:/sbin/nologin';
then
echo "OK, nothing to do."
exit 0
else
echo "NOTICE: User nobody is not defined correctly"
fi
echo "Checking if nfsnobody or something else is using the uid..."
if getent passwd 65534 | grep . ; then
echo "NOTICE: will have to remove this user"
else
echo "... not found"
fi
if [ "${1:-}" = "-x" ]; then
if getent passwd nobody >/dev/null; then
# this will remove both the user and the group.
( set -x
userdel nobody
)
fi
if getent passwd 65534 >/dev/null; then
# Make sure the uid is unused. This should free gid too.
name="$(getent passwd 65534 | cut -d: -f1)"
( set -x
userdel "$name"
)
fi
if grep -qE '^(passwd|group):.*\bsss\b' /etc/nsswitch.conf; then
echo "Sleeping, so sss can catch up"
sleep 3
fi
if getent group 65534; then
# Make sure the gid is unused, even if uid wasn't.
name="$(getent group 65534 | cut -d: -f1)"
( set -x
groupdel "$name"
)
fi
# systemd-sysusers uses the same gid and uid
( set -x
systemd-sysusers --inline 'u nobody 65534 "Kernel Overflow User" / /sbin/nologin'
)
else
echo "Pass '-x' to perform changes"
fi
SOURCES/split-files.py 0 → 100644
+ 265
0
View file @ 10df281b
import re, sys, os, collections
buildroot = sys.argv[1]
no_bootloader = '--no-bootloader' in sys.argv
known_files = '''
%ghost %config(noreplace) /etc/crypttab
%ghost %attr(0444,root,root) /etc/udev/hwdb.bin
/etc/inittab
/usr/lib/systemd/purge-nobody-user
# This directory is owned by openssh-server, but we don't want to introduce
# a dependency. So let's copy the config and co-own the directory.
%dir %attr(0700,root,root) /etc/ssh/sshd_config.d
%ghost %config(noreplace) /etc/vconsole.conf
%ghost %config(noreplace) /etc/X11/xorg.conf.d/00-keyboard.conf
%ghost %attr(0664,root,root) %verify(not group) /run/utmp
%ghost %attr(0664,root,root) %verify(not group) /var/log/wtmp
%ghost %attr(0660,root,root) %verify(not group) /var/log/btmp
%ghost %attr(0664,root,root) %verify(not md5 size mtime group) /var/log/lastlog
%ghost %config(noreplace) /etc/hostname
%ghost %config(noreplace) /etc/localtime
%ghost %config(noreplace) /etc/locale.conf
%ghost %attr(0444,root,root) %config(noreplace) /etc/machine-id
%ghost %config(noreplace) /etc/machine-info
%ghost %attr(0700,root,root) %dir /var/cache/private
%ghost %attr(0700,root,root) %dir /var/lib/private
%ghost %dir /var/lib/private/systemd
%ghost %dir /var/lib/private/systemd/journal-upload
%ghost /var/lib/private/systemd/journal-upload/state
%ghost %dir /var/lib/systemd/timesync
%ghost /var/lib/systemd/timesync/clock
%ghost %dir /var/lib/systemd/backlight
%ghost /var/lib/systemd/catalog/database
%ghost %dir /var/lib/systemd/coredump
%ghost /var/lib/systemd/journal-upload
%ghost %dir /var/lib/systemd/linger
%ghost %attr(0600,root,root) /var/lib/systemd/random-seed
%ghost %dir /var/lib/systemd/rfkill
%ghost %dir %verify(not mode group) /var/log/journal
%ghost %dir /var/log/journal/remote
%ghost %attr(0700,root,root) %dir /var/log/private
'''
known_files = {line.split()[-1]:line for line in known_files.splitlines()
if line and not line.startswith('#')}
def files(root):
os.chdir(root)
todo = collections.deque(['.'])
while todo:
n = todo.pop()
files = os.scandir(n)
for file in files:
yield file
if file.is_dir() and not file.is_symlink():
todo.append(file)
outputs = {suffix: open(f'.file-list-{suffix}', 'w')
for suffix in (
'libs',
'udev',
'ukify',
'boot',
'pam',
'rpm-macros',
'devel',
'container',
'networkd',
'networkd-defaults',
'oomd-defaults',
'remote',
'resolve',
'tests',
'standalone-repart',
'standalone-tmpfiles',
'standalone-sysusers',
'standalone-shutdown',
'main',
)}
for file in files(buildroot):
n = file.path[1:]
if re.match(r'''/usr/(share|include)$|
/usr/share/man(/man.|)$|
/usr/share/zsh(/site-functions|)$|
/usr/share/dbus-1$|
/usr/share/dbus-1/system.d$|
/usr/share/dbus-1/(system-|)services$|
/usr/share/polkit-1(/actions|/rules.d|)$|
/usr/share/pkgconfig$|
/usr/share/bash-completion(/completions|)$|
/usr(/lib|/lib64|/bin|/sbin|)$|
/usr/lib.*/(security|pkgconfig)$|
/usr/lib/rpm(/macros.d|)$|
/usr/lib/firewalld(/services|)$|
/usr/share/(locale|licenses|doc)| # no $
/etc(/pam\.d|/xdg|/X11|/X11/xinit|/X11.*\.d|)$|
/etc/(dnf|dnf/protected.d)$|
/usr/(src|lib/debug)| # no $
/run$|
/var(/cache|/log|/lib|/run|)$
''', n, re.X):
continue
if n.endswith('.standalone'):
if 'repart' in n:
o = outputs['standalone-repart']
elif 'tmpfiles' in n:
o = outputs['standalone-tmpfiles']
elif 'sysusers' in n:
o = outputs['standalone-sysusers']
elif 'shutdown' in n:
o = outputs['standalone-shutdown']
else:
assert False, 'Found .standalone not belonging to known packages'
elif '/security/pam_' in n or '/man8/pam_' in n:
o = outputs['pam']
elif '/rpm/' in n:
o = outputs['rpm-macros']
elif '/usr/lib/systemd/tests' in n:
o = outputs['tests']
elif 'ukify' in n:
o = outputs['ukify']
elif re.search(r'/libsystemd-(shared|core)-.*\.so$', n):
o = outputs['main']
elif re.search(r'/libcryptsetup-token-systemd-.*\.so$', n):
o = outputs['udev']
elif re.search(r'/lib.*\.pc|/man3/|/usr/include|\.so$', n):
o = outputs['devel']
elif re.search(r'''journal-(remote|gateway|upload)|
systemd-remote\.conf|
/usr/share/systemd/gatewayd|
/var/log/journal/remote
''', n, re.X):
o = outputs['remote']
elif re.search(r'''mymachines|
machinectl|
systemd-nspawn|
systemd-vmspawn|
import-pubring.gpg|
systemd-(machined|import|pull)|
/machine.slice|
/machines.target|
var-lib-machines.mount|
org.freedesktop.(import|machine)1
''', n, re.X):
o = outputs['container']
# .network.example files go into systemd-networkd, and the matching files
# without .example go into systemd-networkd-defaults
elif (re.search(r'''/usr/lib/systemd/network/.*\.network$''', n)
and os.path.exists(f'./{n}.example')):
o = outputs['networkd-defaults']
elif re.search(r'''/usr/lib/systemd/network/.*\.network|
networkd|
networkctl|
org.freedesktop.network1|
sysusers\.d/systemd-network.conf|
tmpfiles\.d/systemd-network.conf|
systemd\.network|
systemd\.netdev
''', n, re.X):
o = outputs['networkd']
elif '.so.' in n:
o = outputs['libs']
elif re.search(r'10-oomd-.*defaults.conf|lib/systemd/oomd.conf.d', n, re.X):
o = outputs['oomd-defaults']
elif re.search(r'''udev(?!\.pc)|
hwdb|
bootctl|
boot-update|
bless-boot|
boot-system-token|
bsod|
kernel-install|
installkernel|
vconsole|
backlight|
rfkill|
random-seed|
modules-load|
timesync|
crypttab|
cryptenroll|
cryptsetup|
kmod|
quota|
pstore|
sleep|suspend|hibernate|
systemd-tmpfiles-setup-dev|
network/98-default-mac-none.link|
network/99-default.link|
growfs|makefs|makeswap|mkswap|
fsck|
repart|
gpt-auto|
volatile-root|
veritysetup|
integritysetup|
integritytab|
remount-fs|
/initrd|
systemd-pcr|
systemd-measure|
/boot$|
/kernel/|
/kernel$|
/modprobe.d|
binfmt|
sysctl|
coredump|
homed|home1|
oomd|
portabled|portable1
''', n, re.X): # coredumpctl, homectl, portablectl are included in the main package because
# they can be used to interact with remote daemons. Also, the user could be
# confused if those user-facing binaries are not available.
o = outputs['udev']
elif re.search(r'''/boot/efi|
/usr/lib/systemd/boot|
sd-boot|systemd-boot\.|loader.conf
''', n, re.X):
o = outputs['boot']
elif re.search(r'''resolved|resolve1|
systemd-resolve|
resolvconf|
systemd\.(positive|negative)
''', n, re.X): # resolvectl and nss-resolve are in the main package.
o = outputs['resolve']
else:
o = outputs['main']
if n in known_files:
prefix = known_files[n].split()[:-1]
elif file.is_dir() and not file.is_symlink():
prefix = ['%dir']
elif 'README' in n:
prefix = ['%doc']
elif n.startswith('/etc'):
prefix = ['%config(noreplace)']
if file.stat().st_size == 0:
prefix += ['%ghost']
else:
prefix = []
prefix = ' '.join(prefix + ['']) if prefix else ''
suffix = '*' if '/man/' in n else ''
print(f'{prefix}{n}{suffix}', file=o)
if [print(f'ERROR: no file names were written to {o.name}')
for name, o in outputs.items()
if (o.tell() == 0 and
not (no_bootloader and name in ('ukify', 'boot')))
]:
sys.exit(1)
SOURCES/sysctl.conf.README 0 → 100644
+ 10
0
View file @ 10df281b
# sysctl settings are defined through files in
# /usr/lib/sysctl.d/, /run/sysctl.d/, and /etc/sysctl.d/.
#
# Vendors settings live in /usr/lib/sysctl.d/.
# To override a whole file, create a new file with the same in
# /etc/sysctl.d/ and put new settings there. To override
# only specific settings, add a file with a lexically later
# name in /etc/sysctl.d/ and put new settings there.
#
# For more information, see sysctl.conf(5) and sysctl.d(5).
SOURCES/systemd-journal-gatewayd.xml 0 → 100644
+ 6
0
View file @ 10df281b
<?xml version="1.0" encoding="utf-8"?>
<service>
<short>systemd-journal-gatewayd</short>
<description>Journal Gateway Service</description>
<port protocol="tcp" port="19531"/>
</service>
SOURCES/systemd-journal-remote.xml 0 → 100644
+ 6
0
View file @ 10df281b
<?xml version="1.0" encoding="utf-8"?>
<service>
<short>systemd-journal-remote</short>
<description>Journal Remote Sink</description>
<port protocol="tcp" port="19532"/>
</service>
SOURCES/systemd-udev-trigger-no-reload.conf 0 → 100644
+ 3
0
View file @ 10df281b
[Unit]
# https://bugzilla.redhat.com/show_bug.cgi?id=1378974#c17
RefuseManualStop=true
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment