Commit d132ee97 authored by importbot's avatar importbot

import systemd-257-3.el10

parent bdfa7262
Showing
with 1012 additions and 1 deletion
6a2e4b3d055966d5c77fc067653da2cdd047b0968a01b181b4e551c00f632f33 SOURCES/systemd-257.tar.gz
14f6907eb5e289d8c39cbe1ef891ca54d8a0e3582c986a9ef5844b3f29add43b SOURCES/systemd-257.tar.gz
From 217666530e117eafbed9af56e2e7ab467c02a405 Mon Sep 17 00:00:00 2001
From: Luca Boccassi <luca.boccassi@gmail.com>
Date: Tue, 10 Dec 2024 19:39:23 +0000
Subject: [PATCH] Create CNAME
---
docs/CNAME | 1 +
1 file changed, 1 insertion(+)
create mode 100644 docs/CNAME
diff --git a/docs/CNAME b/docs/CNAME
new file mode 100644
index 0000000000..cdcf4d9a52
--- /dev/null
+++ b/docs/CNAME
@@ -0,0 +1 @@
+systemd.io
\ No newline at end of file
From d7eeb60cdff19e3b2a69cc14118e65e7bfe96421 Mon Sep 17 00:00:00 2001
From: Yu Watanabe <watanabe.yu+github@gmail.com>
Date: Thu, 12 Dec 2024 19:42:48 +0900
Subject: [PATCH] sd-json,sd-varlink: drop unexported functions from public
headers
These functions are exported by e11f5aa7226253bf31b2ed61be8599bb213c1819
and 5fcabde35b8d2592e4ba3f4915839a54d2f246ba in upstream after v257.
Fixes #35554 in v257.
---
src/libsystemd/sd-json/json-util.h | 3 +++
src/systemd/sd-json.h | 3 ---
src/systemd/sd-varlink.h | 1 -
3 files changed, 3 insertions(+), 4 deletions(-)
diff --git a/src/libsystemd/sd-json/json-util.h b/src/libsystemd/sd-json/json-util.h
index 808df64d98..b3b4941dcc 100644
--- a/src/libsystemd/sd-json/json-util.h
+++ b/src/libsystemd/sd-json/json-util.h
@@ -8,6 +8,9 @@
#include "macro.h"
#include "pidref.h"
+const char* sd_json_variant_type_to_string(sd_json_variant_type_t t);
+sd_json_variant_type_t sd_json_variant_type_from_string(const char *s);
+
#define JSON_VARIANT_REPLACE(v, q) \
do { \
typeof(v)* _v = &(v); \
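Review bot: The two prototypes added to json-util.h keep their public-looking `sd_json_` prefix but carry no comment explaining why they sit in an internal header, so they read like public API that was misplaced. A one-line comment above them would stop someone from moving them back into sd-json.h before the symbols are actually exported, for example `/* Not exported from libsystemd in this release; keep out of the public sd-json.h */`.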
diff --git a/src/systemd/sd-json.h b/src/systemd/sd-json.h
index 3930d82b0d..33817f2327 100644
--- a/src/systemd/sd-json.h
+++ b/src/systemd/sd-json.h
@@ -339,9 +339,6 @@ int sd_json_variant_strv(sd_json_variant *v, char ***ret);
int sd_json_variant_unbase64(sd_json_variant *v, void **ret, size_t *ret_size);
int sd_json_variant_unhex(sd_json_variant *v, void **ret, size_t *ret_size);
-const char* sd_json_variant_type_to_string(sd_json_variant_type_t t);
-sd_json_variant_type_t sd_json_variant_type_from_string(const char *s);
-
_sd_const_ static __inline__ int sd_json_format_enabled(sd_json_format_flags_t flags) {
return !(flags & SD_JSON_FORMAT_OFF);
}
diff --git a/src/systemd/sd-varlink.h b/src/systemd/sd-varlink.h
index 816b9b0ebf..17cf8b7386 100644
--- a/src/systemd/sd-varlink.h
+++ b/src/systemd/sd-varlink.h
@@ -184,7 +184,6 @@ int sd_varlink_dispatch(sd_varlink *v, sd_json_variant *parameters, const sd_jso
/* Write outgoing fds into the socket (to be associated with the next enqueued message) */
int sd_varlink_push_fd(sd_varlink *v, int fd);
int sd_varlink_push_dup_fd(sd_varlink *v, int fd);
-int sd_varlink_reset_fds(sd_varlink *v);
/* Read incoming fds from the socket (associated with the currently handled message) */
int sd_varlink_peek_fd(sd_varlink *v, size_t i);
From e231110a641237817490785bdf3e96df1de524e2 Mon Sep 17 00:00:00 2001
From: Yu Watanabe <watanabe.yu+github@gmail.com>
Date: Thu, 12 Dec 2024 10:01:48 +0900
Subject: [PATCH] test: modernize generate-sym-test.py
(cherry picked from commit 6e399ece1fd6dc8cbf5830c263a118b58d36acac)
---
src/test/generate-sym-test.py | 107 +++++++++++++++++++++-------------
1 file changed, 67 insertions(+), 40 deletions(-)
diff --git a/src/test/generate-sym-test.py b/src/test/generate-sym-test.py
index 2e5177c934..24223aa7b0 100755
--- a/src/test/generate-sym-test.py
+++ b/src/test/generate-sym-test.py
@@ -1,78 +1,99 @@
#!/usr/bin/env python3
# SPDX-License-Identifier: LGPL-2.1-or-later
+#
+# ruff: noqa: E501 UP015
import os
import re
import sys
+from typing import IO
-def process_sym_file(file):
+
+def process_sym_file(file: IO[str]) -> None:
for line in file:
m = re.search(r'^ +([a-zA-Z0-9_]+);', line)
if m:
if m[1] == 'sd_bus_object_vtable_format':
- print(' {{"{0}", &{0}}},'.format(m[1]))
+ print(f' {{ "{m[1]}", &{m[1]} }},')
else:
- print(' {{"{0}", {0}}},'.format(m[1]))
+ print(f' {{ "{m[1]}", {m[1]} }},')
+
-def process_source_file(file):
+def process_source_file(file: IO[str]) -> None:
for line in file:
# Functions
m = re.search(r'^_public_\s+(\S+\s+)+\**(\w+)\s*\(', line)
if m:
- print(' {{ "{0}", {0} }},'.format(m[2]))
+ print(f' {{ "{m[2]}", {m[2]} }},')
+ continue
+
# Variables
m = re.search(r'^_public_\s+(\S+\s+)+\**(\w+)\s*=', line)
if m:
- print(' {{ "{0}", &{0} }},'.format(m[2]))
+ print(f' {{ "{m[2]}", &{m[2]} }},')
+ continue
+
# Functions defined through a macro
m = re.search(r'^DEFINE_PUBLIC_TRIVIAL_REF_FUNC\([^,]+,\s*(\w+)\s*\)', line)
if m:
- print(' {{ "{0}_ref", {0}_ref }},'.format(m[1]))
+ print(f' {{ "{m[1]}_ref", {m[1]}_ref }},')
+ continue
+
m = re.search(r'^DEFINE_PUBLIC_TRIVIAL_UNREF_FUNC\([^,]+,\s*(\w+)\s*,', line)
if m:
- print(' {{ "{0}_unref", {0}_unref }},'.format(m[1]))
- m = re.search(r"^DEFINE_PUBLIC_TRIVIAL_REF_UNREF_FUNC\([^,]+,\s*(\w+)\s*,", line)
+ print(f' {{ "{m[1]}_unref", {m[1]}_unref }},')
+ continue
+
+ m = re.search(r'^DEFINE_PUBLIC_TRIVIAL_REF_UNREF_FUNC\([^,]+,\s*(\w+)\s*,', line)
+ if m:
+ print(f' {{ "{m[1]}_ref", {m[1]}_ref }},')
+ print(f' {{ "{m[1]}_unref", {m[1]}_unref }},')
+ continue
+
+ m = re.search(r'^_DEFINE_STRING_TABLE_LOOKUP\((\w+),\s*\w+,\s*_public_\s*\)', line)
if m:
- print(' {{ "{0}_ref", {0}_ref }},'.format(m[1]))
- print(' {{ "{0}_unref", {0}_unref }},'.format(m[1]))
+ print(f' {{ "{m[1]}_from_string", {m[1]}_from_string }},')
+ print(f' {{ "{m[1]}_to_string", {m[1]}_to_string }},')
+ continue
-print('''/* SPDX-License-Identifier: LGPL-2.1-or-later */
+
+print("""/* SPDX-License-Identifier: LGPL-2.1-or-later */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
-''')
+""")
for header in sys.argv[3:]:
print('#include "{}"'.format(header.split('/')[-1]))
-print('''
+print("""
/* We want to check deprecated symbols too, without complaining */
#pragma GCC diagnostic ignored "-Wdeprecated-declarations"
-''')
+""")
-print('''
+print("""
struct symbol {
const char *name;
const void *symbol;
};
-static struct symbol symbols_from_sym[] = {''')
+static struct symbol symbols_from_sym[] = {""")
-with open(sys.argv[1], "r") as f:
+with open(sys.argv[1], 'r') as f:
process_sym_file(f)
-print(''' {}
-}, symbols_from_source[] = {''')
+print(""" {}
+}, symbols_from_source[] = {""")
for dirpath, _, filenames in sorted(os.walk(sys.argv[2])):
for filename in sorted(filenames):
- if not filename.endswith(".c") and not filename.endswith(".h"):
+ if not filename.endswith('.c') and not filename.endswith('.h'):
continue
- with open(os.path.join(dirpath, filename), "r") as f:
+ with open(os.path.join(dirpath, filename), 'r') as f:
process_source_file(f)
-print(''' {}
+print(""" {}
};
static int sort_callback(const void *a, const void *b) {
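Review bot: The `open()` calls touched in this hunk (`with open(sys.argv[1], 'r') as f:` and the one inside the `os.walk` loop) still take their text encoding from the locale, and the new `# ruff: noqa: E501 UP015` header only silences the lint about the redundant `'r'` mode. A source file with non-ASCII bytes in a comment would then be decoded differently, or raise UnicodeDecodeError, depending on the locale of the build environment. Passing the encoding explicitly, `with open(sys.argv[1], encoding='utf-8') as f:` and `with open(os.path.join(dirpath, filename), encoding='utf-8') as f:`, keeps the generated test independent of the build root. The later patch on this page that adds `open(header, 'r')` has the same issue.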
@@ -81,34 +102,40 @@ static int sort_callback(const void *a, const void *b) {
}
int main(void) {
- size_t i, j;
+ size_t size = sizeof(symbols_from_sym[0]),
+ n_sym = sizeof(symbols_from_sym)/sizeof(symbols_from_sym[0]) - 1,
+ n_source = sizeof(symbols_from_source)/sizeof(symbols_from_source[0]) - 1;
- qsort(symbols_from_sym, sizeof(symbols_from_sym)/sizeof(symbols_from_sym[0])-1, sizeof(symbols_from_sym[0]), sort_callback);
- qsort(symbols_from_source, sizeof(symbols_from_source)/sizeof(symbols_from_source[0])-1, sizeof(symbols_from_source[0]), sort_callback);
+ qsort(symbols_from_sym, n_sym, size, sort_callback);
+ qsort(symbols_from_source, n_source, size, sort_callback);
puts("From symbol file:");
- for (i = 0; symbols_from_sym[i].name; i++)
+ for (size_t i = 0; i < n_sym; i++)
printf("%p: %s\\n", symbols_from_sym[i].symbol, symbols_from_sym[i].name);
puts("\\nFrom source files:");
- for (j = 0; symbols_from_source[j].name; j++)
- printf("%p: %s\\n", symbols_from_source[j].symbol, symbols_from_source[j].name);
+ for (size_t i = 0; i < n_source; i++)
+ printf("%p: %s\\n", symbols_from_source[i].symbol, symbols_from_source[i].name);
puts("");
- printf("Found %zu symbols from symbol file.\\n", i);
- printf("Found %zu symbols from source files.\\n", j);
+ printf("Found %zu symbols from symbol file.\\n", n_sym);
+ printf("Found %zu symbols from source files.\\n", n_source);
+
+ unsigned n_error = 0;
- for (i = 0; symbols_from_sym[i].name; i++) {
- struct symbol *n = bsearch(symbols_from_sym+i, symbols_from_source, sizeof(symbols_from_source)/sizeof(symbols_from_source[0])-1, sizeof(symbols_from_source[0]), sort_callback);
- if (!n)
+ for (size_t i = 0; i < n_sym; i++) {
+ if (!bsearch(symbols_from_sym+i, symbols_from_source, n_source, size, sort_callback)) {
printf("Found in symbol file, but not in sources: %s\\n", symbols_from_sym[i].name);
+ n_error++;
+ }
}
- for (j = 0; symbols_from_source[j].name; j++) {
- struct symbol *n = bsearch(symbols_from_source+j, symbols_from_sym, sizeof(symbols_from_sym)/sizeof(symbols_from_sym[0])-1, sizeof(symbols_from_sym[0]), sort_callback);
- if (!n)
- printf("Found in sources, but not in symbol file: %s\\n", symbols_from_source[j].name);
+ for (size_t i = 0; i < n_source; i++) {
+ if (!bsearch(symbols_from_source+i, symbols_from_sym, n_sym, size, sort_callback)) {
+ printf("Found in source file, but not in symbol file: %s\\n", symbols_from_source[i].name);
+ n_error++;
+ }
}
- return i == j ? EXIT_SUCCESS : EXIT_FAILURE;
-}''')
+ return n_error == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
+}""")
From 1601149c5b14ed9e6e34b46ddb2ba3006b5f5315 Mon Sep 17 00:00:00 2001
From: Yu Watanabe <watanabe.yu+github@gmail.com>
Date: Thu, 12 Dec 2024 13:18:59 +0900
Subject: [PATCH] test: also generate list of symbols from header files
To make the generated tests able to detect issues like #35554.
(cherry picked from commit 0b39dc23ba2d8d3e99f5dc30c3da5d0f6baf10d7)
---
src/test/generate-sym-test.py | 74 +++++++++++++++++++++++++++++++++++
1 file changed, 74 insertions(+)
diff --git a/src/test/generate-sym-test.py b/src/test/generate-sym-test.py
index 24223aa7b0..7b5ded936c 100755
--- a/src/test/generate-sym-test.py
+++ b/src/test/generate-sym-test.py
@@ -19,6 +19,47 @@ def process_sym_file(file: IO[str]) -> None:
print(f' {{ "{m[1]}", {m[1]} }},')
+def process_header_file(file: IO[str]) -> None:
+ for line in file:
+ if (
+ line.startswith('#')
+ or line.startswith('typedef')
+ or line.startswith('extern "C"')
+ or line.startswith('__extension__')
+ or line.startswith('/*')
+ or ' __inline__ ' in line
+ or re.search(r'^\s+', line)
+ ):
+ continue
+
+ m = re.search(r'^(.*)\s*__attribute__', line)
+ if m:
+ line = m[1]
+
+ m = re.search(r'^(.*)\s*_sd_printf_', line)
+ if m:
+ line = m[1]
+
+ # Functions
+ m = re.search(r'^(\S+\s+)+\**(\w+)\s*\(', line)
+ if m:
+ print(f' {{ "{m[2]}", {m[2]} }},')
+ continue
+
+ # Variables
+ m = re.search(r'^extern\s', line)
+ if m:
+ n = line.split()[-1].rstrip(';')
+ print(f' {{ "{n}", &{n} }},')
+ continue
+
+ # Functions defined by macro
+ m = re.search(r'_SD_DEFINE_POINTER_CLEANUP_FUNC\(\w+,\s*(\w+)\)', line)
+ if m:
+ print(f' {{ "{m[1]}", {m[1]} }},')
+ continue
+
+
def process_source_file(file: IO[str]) -> None:
for line in file:
# Functions
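Review bot: The `# Variables` branch of `process_header_file` takes the name with `n = line.split()[-1].rstrip(';')`, i.e. the last whitespace-separated token verbatim, so `extern const char *foo;` would yield `*foo` and `extern int bar[];` would yield `bar[]`. The emitted row would then either fail to compile (`&bar[]`) or carry a name that never matches the symbol file (`"*foo"`). Whether any header passed on the command line has such a declaration is not visible here, but the function and macro branches already capture `\w+`, and this one could do the same with `m = re.search(r'^extern\s.*?(\w+)\s*(?:\[[^\]]*\])?\s*;', line)` and `m[1]`. A docstring stating the line-based assumptions (indented lines and lines starting with `/*` are skipped, so a declaration must start in column 0 on a single line) would also help. `process_source_file` continues outside the hunk.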
@@ -83,6 +124,13 @@ static struct symbol symbols_from_sym[] = {""")
with open(sys.argv[1], 'r') as f:
process_sym_file(f)
+print(""" {}
+}, symbols_from_header[] = {""")
+
+for header in sys.argv[3:]:
+ with open(header, 'r') as f:
+ process_header_file(f)
+
print(""" {}
}, symbols_from_source[] = {""")
@@ -104,37 +152,63 @@ static int sort_callback(const void *a, const void *b) {
int main(void) {
size_t size = sizeof(symbols_from_sym[0]),
n_sym = sizeof(symbols_from_sym)/sizeof(symbols_from_sym[0]) - 1,
+ n_header = sizeof(symbols_from_header)/sizeof(symbols_from_header[0]) - 1,
n_source = sizeof(symbols_from_source)/sizeof(symbols_from_source[0]) - 1;
qsort(symbols_from_sym, n_sym, size, sort_callback);
+ qsort(symbols_from_header, n_header, size, sort_callback);
qsort(symbols_from_source, n_source, size, sort_callback);
puts("From symbol file:");
for (size_t i = 0; i < n_sym; i++)
printf("%p: %s\\n", symbols_from_sym[i].symbol, symbols_from_sym[i].name);
+ puts("\\nFrom header files:");
+ for (size_t i = 0; i < n_header; i++)
+ printf("%p: %s\\n", symbols_from_header[i].symbol, symbols_from_header[i].name);
+
puts("\\nFrom source files:");
for (size_t i = 0; i < n_source; i++)
printf("%p: %s\\n", symbols_from_source[i].symbol, symbols_from_source[i].name);
puts("");
printf("Found %zu symbols from symbol file.\\n", n_sym);
+ printf("Found %zu symbols from header files.\\n", n_header);
printf("Found %zu symbols from source files.\\n", n_source);
unsigned n_error = 0;
for (size_t i = 0; i < n_sym; i++) {
+ if (!bsearch(symbols_from_sym+i, symbols_from_header, n_header, size, sort_callback)) {
+ printf("Found in symbol file, but not in headers: %s\\n", symbols_from_sym[i].name);
+ n_error++;
+ }
if (!bsearch(symbols_from_sym+i, symbols_from_source, n_source, size, sort_callback)) {
printf("Found in symbol file, but not in sources: %s\\n", symbols_from_sym[i].name);
n_error++;
}
}
+ for (size_t i = 0; i < n_header; i++) {
+ if (!bsearch(symbols_from_header+i, symbols_from_sym, n_sym, size, sort_callback)) {
+ printf("Found in header file, but not in symbol file: %s\\n", symbols_from_header[i].name);
+ n_error++;
+ }
+ if (!bsearch(symbols_from_header+i, symbols_from_source, n_source, size, sort_callback)) {
+ printf("Found in header file, but not in sources: %s\\n", symbols_from_header[i].name);
+ n_error++;
+ }
+ }
+
for (size_t i = 0; i < n_source; i++) {
if (!bsearch(symbols_from_source+i, symbols_from_sym, n_sym, size, sort_callback)) {
printf("Found in source file, but not in symbol file: %s\\n", symbols_from_source[i].name);
n_error++;
}
+ if (!bsearch(symbols_from_source+i, symbols_from_header, n_header, size, sort_callback)) {
+ printf("Found in source file, but not in header: %s\\n", symbols_from_source[i].name);
+ n_error++;
+ }
}
return n_error == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
From 2f2cd7a8657ebc7cdbddabe1166cbdcb94d66995 Mon Sep 17 00:00:00 2001
From: Antonio Alvarez Feijoo <antonio.feijoo@suse.com>
Date: Wed, 11 Dec 2024 07:32:04 +0100
Subject: [PATCH] man/systemd-cryptenroll: sort --fido2-credential-algorithm
after --fido2-device
And also fix a typo.
(cherry picked from commit 62b7b70bb78f85198509b3327cb29b83ed9218ec)
---
man/systemd-cryptenroll.xml | 32 ++++++++++++++++----------------
1 file changed, 16 insertions(+), 16 deletions(-)
diff --git a/man/systemd-cryptenroll.xml b/man/systemd-cryptenroll.xml
index 83f8b2d8a1..f3c23adfd0 100644
--- a/man/systemd-cryptenroll.xml
+++ b/man/systemd-cryptenroll.xml
@@ -384,24 +384,9 @@
<refsect1>
<title>FIDO2 Enrollment</title>
- <para>The following options are understood that may be used to enroll PKCS#11 tokens:</para>
+ <para>The following options are understood that may be used to enroll FIDO2 tokens:</para>
<variablelist>
- <varlistentry>
- <term><option>--fido2-credential-algorithm=<replaceable>STRING</replaceable></option></term>
- <listitem><para>Specify COSE algorithm used in credential generation. The default value is
- <literal>es256</literal>. Supported values are <literal>es256</literal>, <literal>rs256</literal>
- and <literal>eddsa</literal>.</para>
-
- <para><literal>es256</literal> denotes ECDSA over NIST P-256 with SHA-256. <literal>rs256</literal>
- denotes 2048-bit RSA with PKCS#1.5 padding and SHA-256. <literal>eddsa</literal> denotes
- EDDSA over Curve25519 with SHA-512.</para>
-
- <para>Note that your authenticator may choose not to support some algorithms.</para>
-
- <xi:include href="version-info.xml" xpointer="v251"/></listitem>
- </varlistentry>
-
<varlistentry>
<term><option>--fido2-device=<replaceable>PATH</replaceable></option></term>
@@ -428,6 +413,21 @@
<xi:include href="version-info.xml" xpointer="v248"/></listitem>
</varlistentry>
+ <varlistentry>
+ <term><option>--fido2-credential-algorithm=<replaceable>STRING</replaceable></option></term>
+ <listitem><para>Specify COSE algorithm used in credential generation. The default value is
+ <literal>es256</literal>. Supported values are <literal>es256</literal>, <literal>rs256</literal>
+ and <literal>eddsa</literal>.</para>
+
+ <para><literal>es256</literal> denotes ECDSA over NIST P-256 with SHA-256. <literal>rs256</literal>
+ denotes 2048-bit RSA with PKCS#1.5 padding and SHA-256. <literal>eddsa</literal> denotes
+ EDDSA over Curve25519 with SHA-512.</para>
+
+ <para>Note that your authenticator may choose not to support some algorithms.</para>
+
+ <xi:include href="version-info.xml" xpointer="v251"/></listitem>
+ </varlistentry>
+
<varlistentry>
<term><option>--fido2-salt-file=<replaceable>PATH</replaceable></option></term>
From f4215e7909a74e01f3275c8537d9574924aefa4c Mon Sep 17 00:00:00 2001
From: Lennart Poettering <lennart@poettering.net>
Date: Wed, 11 Dec 2024 10:31:41 +0100
Subject: [PATCH] analyze: tab fix
(cherry picked from commit 7167bee6c672f9a0729631ba1f7459dd5e18f549)
---
src/analyze/analyze-plot.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/analyze/analyze-plot.c b/src/analyze/analyze-plot.c
index c50343d71c..20d6811f9b 100644
--- a/src/analyze/analyze-plot.c
+++ b/src/analyze/analyze-plot.c
@@ -170,7 +170,7 @@ static void plot_tooltip(const UnitTimes *ut) {
svg("%s:\n", ut->name);
svg("Activating: %"PRI_USEC".%.3"PRI_USEC"\n", ut->activating / USEC_PER_SEC, ut->activating % USEC_PER_SEC);
svg("Activated: %"PRI_USEC".%.3"PRI_USEC"\n", ut->activated / USEC_PER_SEC, ut->activated % USEC_PER_SEC);
-
+
UnitDependency i;
FOREACH_ARGUMENT(i, UNIT_AFTER, UNIT_BEFORE, UNIT_REQUIRES, UNIT_REQUISITE, UNIT_WANTS, UNIT_CONFLICTS, UNIT_UPHOLDS)
if (!strv_isempty(ut->deps[i])) {
From bbeb07ad24f5a4e2e391dc761fa05f3b39b29077 Mon Sep 17 00:00:00 2001
From: Lennart Poettering <lennart@poettering.net>
Date: Wed, 11 Dec 2024 10:31:58 +0100
Subject: [PATCH] analyze: add missing --mask option to --help text
Follow-up for: 3e7a029c2856e7814b930443cc2d4fb089377592
(cherry picked from commit 4d09f976f6c10729619c7f4c87dd121aa34d019b)
---
src/analyze/analyze.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/analyze/analyze.c b/src/analyze/analyze.c
index 0db3547a49..e21f12c65e 100644
--- a/src/analyze/analyze.c
+++ b/src/analyze/analyze.c
@@ -284,6 +284,7 @@ static int help(int argc, char *argv[], void *userdata) {
" --root=PATH Operate on an alternate filesystem root\n"
" --image=PATH Operate on disk image as filesystem root\n"
" --image-policy=POLICY Specify disk image dissection policy\n"
+ " -m --mask Parse parameter as numeric capability mask\n"
"\nSee the %2$s for details.\n",
program_invocation_short_name,
link,
From 1b945fb1a727f85be9230e43d2fdaf78d2567946 Mon Sep 17 00:00:00 2001
From: Nick Rosbrook <enr0n@ubuntu.com>
Date: Tue, 10 Dec 2024 16:48:59 -0500
Subject: [PATCH] test: set nsec3-salt-length=8 in knot.conf
TEST-75-RESOLVED fails on Ubuntu autopkgtest due to this warning from
knot:
notice: config, policy 'auto_rollover_nsec3' depends on default nsec3-salt-length=8, since version 3.5 the default becomes 0
Explicitly set nsec3-salt-length=8 to silence.
(cherry picked from commit 59e5108fb4e61957cb40bb15ac7966d085d13af2)
---
test/knot-data/knot.conf | 1 +
1 file changed, 1 insertion(+)
diff --git a/test/knot-data/knot.conf b/test/knot-data/knot.conf
index b8b9e7925d..6d177d7285 100644
--- a/test/knot-data/knot.conf
+++ b/test/knot-data/knot.conf
@@ -60,6 +60,7 @@ policy:
ksk-submission: parent_zone_sbm
nsec3-iterations: 0
nsec3: on
+ nsec3-salt-length: 8
propagation-delay: 1s
signing-threads: 4
zone-max-ttl: 1s
From d80ab6aed678ed89327d86ced9fedd24b5baccd3 Mon Sep 17 00:00:00 2001
From: Luca Boccassi <luca.boccassi@gmail.com>
Date: Wed, 11 Dec 2024 12:10:13 +0000
Subject: [PATCH] test-capability: CAP_LINUX_IMMUTABLE is not available in
unprivileged containers
have ambient caps: yes
Capabilities:cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap=ep
Failed to drop auxiliary groups list: Operation not permitted
Failed to change group ID: Operation not permitted
Capabilities:cap_dac_override,cap_net_raw=ep
Capabilities:cap_dac_override=ep
Successfully forked off '(getambient)' as PID 12505.
Skipping PR_SET_MM, as we don't have privileges.
Ambient capability cap_linux_immutable requested but missing from bounding set, suppressing automatically.
Assertion 'x < 0 || FLAGS_SET(c, UINT64_C(1) << CAP_LINUX_IMMUTABLE)' failed at src/test/test-capability.c:273, function test_capability_get_ambient(). Aborting.
(getambient) terminated by signal ABRT.
src/test/test-capability.c:258: Assertion failed: expected "r" to succeed, but got error: Protocol error
Partially fixes #35552
(cherry picked from commit 058a07635f3ff70cc99943dcf4f2a079bc9c28b9)
---
src/test/test-capability.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/src/test/test-capability.c b/src/test/test-capability.c
index 51bd806348..127f5e3d87 100644
--- a/src/test/test-capability.c
+++ b/src/test/test-capability.c
@@ -254,6 +254,13 @@ static void test_capability_get_ambient(void) {
ASSERT_OK(capability_get_ambient(&c));
+ r = prctl(PR_CAPBSET_READ, CAP_MKNOD);
+ if (r <= 0)
+ return (void) log_tests_skipped("Lacking CAP_MKNOD, skipping getambient test.");
+ r = prctl(PR_CAPBSET_READ, CAP_LINUX_IMMUTABLE);
+ if (r <= 0)
+ return (void) log_tests_skipped("Lacking CAP_LINUX_IMMUTABLE, skipping getambient test.");
+
r = safe_fork("(getambient)", FORK_RESET_SIGNALS|FORK_DEATHSIG_SIGTERM|FORK_WAIT|FORK_LOG, NULL);
ASSERT_OK(r);
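Review bot: Both new checks use `if (r <= 0)`, which treats a failing `prctl(PR_CAPBSET_READ, ...)` (return -1) the same as a capability that is simply absent from the bounding set (return 0), and reports either case as "Lacking CAP_...". A genuine prctl error would therefore become a silent skip instead of a test failure. Consider failing on the error and skipping only on zero: `assert_se(r >= 0);` followed by `if (r == 0)` before each `return (void) log_tests_skipped(...)`. The body of `test_capability_get_ambient()` starts and continues outside the hunk.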
From 5573ac7d9c52bed8d38480788b02639ede3881fc Mon Sep 17 00:00:00 2001
From: Luca Boccassi <luca.boccassi@gmail.com>
Date: Wed, 11 Dec 2024 12:01:18 +0000
Subject: [PATCH] test-fd-util: skip test when lacking privileges to create a
new namespace
To reproduce, as an unprivileged user start a docker container and build
and run the unit tests inside it:
$ docker run --rm -ti debian:bookworm bash
...
/* test_close_all_fds */
Successfully forked off '(caf-plain)' as PID 10496.
Skipping PR_SET_MM, as we don't have privileges.
(caf-plain) succeeded.
Failed to fork off '(caf-noproc)': Operation not permitted
Assertion 'r >= 0' failed at src/test/test-fd-util.c:392, function test_close_all_fds(). Aborting.
Partially fixes #35552
(cherry picked from commit 630a2e7ee195ca96e102acac8df67a278a879124)
---
src/test/test-fd-util.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/test/test-fd-util.c b/src/test/test-fd-util.c
index 20cf7b7627..5817d92725 100644
--- a/src/test/test-fd-util.c
+++ b/src/test/test-fd-util.c
@@ -389,6 +389,8 @@ TEST(close_all_fds) {
test_close_all_fds_inner();
_exit(EXIT_SUCCESS);
}
+ if (ERRNO_IS_NEG_PRIVILEGE(r))
+ return (void) log_tests_skipped("Lacking privileges for test in namespace with /proc/ overmounted");
assert_se(r >= 0);
if (!is_seccomp_available())
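Review bot: The added `return (void) log_tests_skipped(...)` leaves `TEST(close_all_fds)` entirely, so everything after the `(caf-noproc)` fork is skipped as well whenever the namespace fork is denied, including the seccomp case that begins at `if (!is_seccomp_available())`. If that later case does not itself need a new mount namespace (its fork call is outside the hunk, so this is an assumption), unprivileged CI loses coverage it could still run. Skipping only this sub-case would keep it, e.g. `if (ERRNO_IS_NEG_PRIVILEGE(r)) log_notice("Lacking privileges for test in namespace with /proc/ overmounted, skipping that part."); else assert_se(r >= 0);`.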
From c026cecac33c3b19b1a466304058eb0f7f71187b Mon Sep 17 00:00:00 2001
From: Luca Boccassi <luca.boccassi@gmail.com>
Date: Wed, 11 Dec 2024 13:40:10 +0000
Subject: [PATCH] test-fd-util: compare FDs to /bin/sh instead of /dev/null
/dev/null is a character device, so same_fd() in the fallback path
that compares fstat will fail, as that bails out if the fd refers
to a char device. This happens on kernels without F_DUPFD_QUERY and
without kcmp.
/* test_same_fd */
Assertion 'same_fd(d, e) > 0' failed at src/test/test-fd-util.c:111, function test_same_fd(). Aborting.
Fixes #35552
(cherry picked from commit 3b32d333e88f2a66651d58e32e01599fa84c3d19)
---
src/test/test-fd-util.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/test/test-fd-util.c b/src/test/test-fd-util.c
index 5817d92725..a359efa052 100644
--- a/src/test/test-fd-util.c
+++ b/src/test/test-fd-util.c
@@ -76,9 +76,9 @@ TEST(same_fd) {
assert_se(pipe2(p, O_CLOEXEC) >= 0);
assert_se((a = fcntl(p[0], F_DUPFD, 3)) >= 0);
- assert_se((b = open("/dev/null", O_RDONLY|O_CLOEXEC)) >= 0);
+ assert_se((b = open("/bin/sh", O_RDONLY|O_CLOEXEC)) >= 0);
assert_se((c = fcntl(a, F_DUPFD, 3)) >= 0);
- assert_se((d = open("/dev/null", O_RDONLY|O_CLOEXEC|O_PATH)) >= 0); /* O_PATH changes error returns in F_DUPFD_QUERY, let's test explicitly */
+ assert_se((d = open("/bin/sh", O_RDONLY|O_CLOEXEC|O_PATH)) >= 0); /* O_PATH changes error returns in F_DUPFD_QUERY, let's test explicitly */
assert_se((e = fcntl(d, F_DUPFD, 3)) >= 0);
assert_se(same_fd(p[0], p[0]) > 0);
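Review bot: The switch from `/dev/null` to `/bin/sh` for `b` and `d` has no comment, so the reason is lost once the commit message is out of sight. The file has to be a regular file because, per the description, the fstat() fallback in same_fd() bails out on character devices. Without that note a later cleanup may well change it back to `/dev/null`. Suggest adding above the first open: `/* Use a regular file, not /dev/null: the fstat() fallback in same_fd() cannot compare char devices */`. The test now also depends on `/bin/sh` existing in the test environment, which is worth stating in the same comment. `TEST(same_fd)` starts and continues outside the hunk.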
From e1659133e79d20799a0841f3099f921957743691 Mon Sep 17 00:00:00 2001
From: Luca Boccassi <luca.boccassi@gmail.com>
Date: Wed, 11 Dec 2024 11:48:09 +0000
Subject: [PATCH] mkosi: use inetutils package instead of hostname for
Archlinux
In Arch the hostname binary is in a different package
Follow-up for cf48bde7aea52b18ac3fa218d3f60fd3d533ef66
(cherry picked from commit 446d737cba3652a9f3dbd07cea9cb4082350b241)
---
mkosi.conf.d/10-arch/mkosi.conf | 1 +
mkosi.conf.d/10-centos-fedora/mkosi.conf | 1 +
mkosi.conf.d/10-debian-ubuntu/mkosi.conf | 1 +
mkosi.conf.d/10-opensuse/mkosi.conf | 1 +
4 files changed, 4 insertions(+)
diff --git a/mkosi.conf.d/10-arch/mkosi.conf b/mkosi.conf.d/10-arch/mkosi.conf
index 5a4015e4d7..9ceb6ea6f8 100644
--- a/mkosi.conf.d/10-arch/mkosi.conf
+++ b/mkosi.conf.d/10-arch/mkosi.conf
@@ -25,6 +25,7 @@ Packages=
f2fs-tools
git
gnutls
+ inetutils
iproute
iputils
knot
diff --git a/mkosi.conf.d/10-centos-fedora/mkosi.conf b/mkosi.conf.d/10-centos-fedora/mkosi.conf
index 5b1865a253..8004c089ad 100644
--- a/mkosi.conf.d/10-centos-fedora/mkosi.conf
+++ b/mkosi.conf.d/10-centos-fedora/mkosi.conf
@@ -32,6 +32,7 @@ Packages=
glibc-langpack-de
glibc-langpack-en
gnutls-utils
+ hostname
integritysetup
iproute
iproute-tc
diff --git a/mkosi.conf.d/10-debian-ubuntu/mkosi.conf b/mkosi.conf.d/10-debian-ubuntu/mkosi.conf
index 46dd98828f..c898664f83 100644
--- a/mkosi.conf.d/10-debian-ubuntu/mkosi.conf
+++ b/mkosi.conf.d/10-debian-ubuntu/mkosi.conf
@@ -48,6 +48,7 @@ Packages=
fdisk
git-core
gnutls-bin
+ hostname
iproute2
iputils-ping
isc-dhcp-server
diff --git a/mkosi.conf.d/10-opensuse/mkosi.conf b/mkosi.conf.d/10-opensuse/mkosi.conf
index 8a08b1f8c7..4ee3894c00 100644
--- a/mkosi.conf.d/10-opensuse/mkosi.conf
+++ b/mkosi.conf.d/10-opensuse/mkosi.conf
@@ -47,6 +47,7 @@ Packages=
grep
group(wheel)
gzip
+ hostname
iputils
kernel-default
kmod
From cd727031a4daafe19f491df360c512433562f469 Mon Sep 17 00:00:00 2001
From: Katariina Lounento <katariina.lounento@vaisala.com>
Date: Mon, 9 Dec 2024 16:09:13 +0200
Subject: [PATCH] man: document unprivileged is not for reading properties
Document the fact that read-only properties may not have the flag
SD_BUS_VTABLE_UNPRIVILEGED as that is not obvious especially given the
flag is accepted for writable properties.
Based on the check in `add_object_vtable_internal` called by
`sd_bus_add_object_vtable` (as of the current tip of the main branch
f7f5ba019206cacd486b0892fec76f70f525e04d):
case _SD_BUS_VTABLE_PROPERTY: {
[...]
if ([...] ||
[...]
(v->flags & SD_BUS_VTABLE_UNPRIVILEGED && v->type == _SD_BUS_VTABLE_PROPERTY)) {
r = -EINVAL;
goto fail;
}
(where `_SD_BUS_VTABLE_PROPERTY` means read-only property whereas
`_SD_BUS_VTABLE_WRITABLE_PROPERTY` maps to writable property).
This was implemented in the commit
adacb9575a09981fcf11279f2f661e3fc21e58ff ("bus: introduce "trusted" bus
concept and encode access control in object vtables") where
`SD_BUS_VTABLE_UNPRIVILEGED` was introduced:
Writable properties are also subject to SD_BUS_VTABLE_UNPRIVILEGED
and SD_BUS_VTABLE_CAPABILITY() for controlling write access to them.
Note however that read access is unrestricted, as PropertiesChanged
messages might send out the values anyway as an unrestricted
broadcast.
(cherry picked from commit 3ca09aa4dd57327989eceb1298754601046ac041)
---
man/sd_bus_add_object.xml | 3 +++
1 file changed, 3 insertions(+)
diff --git a/man/sd_bus_add_object.xml b/man/sd_bus_add_object.xml
index 4d14a7e731..5572f421fb 100644
--- a/man/sd_bus_add_object.xml
+++ b/man/sd_bus_add_object.xml
@@ -589,6 +589,9 @@
<constant>org.freedesktop.systemd1.Privileged</constant> annotation with value
<literal>true</literal> will be shown in introspection data.</para>
+ <para><constant>SD_BUS_VTABLE_UNPRIVILEGED</constant> may not be applied to read-only properties,
+ but read access (to both read-only and writable properties) is always unrestricted.</para>
+
<para>Note that this page describes checks implemented in the D-Bus client. The D-Bus server has an
additional policy that may permit or deny connections, see
"CONFIGURATION FILE" in
From 6b90a137892e18bd3c2cacb4aba2759da7ff3081 Mon Sep 17 00:00:00 2001
From: Tobias Klauser <tklauser@distanz.ch>
Date: Wed, 11 Dec 2024 15:10:39 +0100
Subject: [PATCH] profile.d: don't bail if $SHELL_* variables are unset
If - for whatever reason - a script uses set -u (nounset) and includes
/etc/profile.d/70-systemd-shell-extra.sh (e.g. transitively via
/etc/profile) the script would fail with:
/etc/profile.d/70-systemd-shell-extra.sh: line 15: SHELL_PROMPT_PREFIX: unbound variable
For example:
$ cat > foo.sh <<EOF
#!/bin/sh
set -u
source /etc/profile
EOF
$ chmod 700 foo.sh
$ ./foo.sh
/etc/profile.d/70-systemd-shell-extra.sh: line 15: SHELL_PROMPT_PREFIX: unbound variable
Fix this by using shell parameter substitution[^1] (which is a POSIX
shell concept) to set the $SHELL_* variables to the empty string if
undefined.
[^1]: https://pubs.opengroup.org/onlinepubs/9699919799.2018edition/utilities/V3_chap02.html
(cherry picked from commit 12e33d332b3f8754f4d5d0d21d5d3f0de8adc54c)
---
profile.d/70-systemd-shell-extra.sh | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/profile.d/70-systemd-shell-extra.sh b/profile.d/70-systemd-shell-extra.sh
index 70be3341b9..dae77e4bc7 100644
--- a/profile.d/70-systemd-shell-extra.sh
+++ b/profile.d/70-systemd-shell-extra.sh
@@ -12,14 +12,14 @@
# credentials shell.prompt.prefix, shell.prompt.suffix and shell.welcome, and
# are propagated into these environment variables by pam_systemd(8).
-if [ -n "$SHELL_PROMPT_PREFIX" ]; then
+if [ -n "${SHELL_PROMPT_PREFIX-}" ]; then
PS1="$SHELL_PROMPT_PREFIX$PS1"
fi
-if [ -n "$SHELL_PROMPT_SUFFIX" ]; then
+if [ -n "${SHELL_PROMPT_SUFFIX-}" ]; then
PS1="$PS1$SHELL_PROMPT_SUFFIX"
fi
-if [ -n "$SHELL_WELCOME" ]; then
+if [ -n "${SHELL_WELCOME-}" ]; then
printf '%b\n' "$SHELL_WELCOME"
fi
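Review bot: The `${VAR-}` guards fix the three tests, but the assignments below them still expand `$PS1` unguarded: `PS1="$SHELL_PROMPT_PREFIX$PS1"` and `PS1="$PS1$SHELL_PROMPT_SUFFIX"`. In a non-interactive `set -u` script like the one in the commit message, PS1 is typically unset, so as soon as one of the prompt credentials is actually set the script aborts again, this time with `PS1: unbound variable`. Use `PS1="$SHELL_PROMPT_PREFIX${PS1-}"` and `PS1="${PS1-}$SHELL_PROMPT_SUFFIX"`. Separately, `printf '%b\n' "$SHELL_WELCOME"` interprets backslash escapes in the credential value, so whoever can set `shell.welcome` controls the bytes written to the user's terminal. A comment naming that trust assumption would be useful.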
From 9fad72cc52bdec7f44337b1e48c23ee15fc08d77 Mon Sep 17 00:00:00 2001
From: andrejpodzimek <andrej@podzimek.org>
Date: Wed, 11 Dec 2024 12:46:43 +0000
Subject: [PATCH] Fixing VLAN ranges in man systemd.network.
Otherwise it doesn't hold that VLANs 100-400 are allowed (because 201-299 are disallowed).
(cherry picked from commit ae2f3af63962ba6e2f67cfce07c9fee61722e30e)
---
man/systemd.network.xml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/man/systemd.network.xml b/man/systemd.network.xml
index 9d8dcba509..32cfb207e0 100644
--- a/man/systemd.network.xml
+++ b/man/systemd.network.xml
@@ -6431,7 +6431,7 @@ PVID=42
EgressUntagged=42
[BridgeVLAN]
-VLAN=100-200
+VLAN=100-299
[BridgeVLAN]
EgressUntagged=300-400</programlisting>
From ab99950f1a0ab9401b44357d226a5880b5f262a7 Mon Sep 17 00:00:00 2001
From: Daan De Meyer <daan.j.demeyer@gmail.com>
Date: Wed, 11 Dec 2024 12:44:26 +0000
Subject: [PATCH] test-bpf-restrict-fs: Migrate to new assertion macros
(cherry picked from commit 1c658c639db1c902266735754f2e2883fe67d1d9)
---
src/test/test-bpf-restrict-fs.c | 18 +++++++++---------
1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/src/test/test-bpf-restrict-fs.c b/src/test/test-bpf-restrict-fs.c
index 11e97bf922..349c5a6894 100644
--- a/src/test/test-bpf-restrict-fs.c
+++ b/src/test/test-bpf-restrict-fs.c
@@ -18,9 +18,9 @@ static int test_restrict_filesystems(Manager *m, const char *unit_name, const ch
ExecContext *ec = NULL;
int cld_code, r;
- assert_se(u = unit_new(m, sizeof(Service)));
- assert_se(unit_add_name(u, unit_name) == 0);
- assert_se(ec = unit_get_exec_context(u));
+ ASSERT_NOT_NULL(u = unit_new(m, sizeof(Service)));
+ ASSERT_OK_ZERO(unit_add_name(u, unit_name));
+ ASSERT_NOT_NULL(ec = unit_get_exec_context(u));
STRV_FOREACH(allow_filesystem, allowed_filesystems) {
r = config_parse_restrict_filesystems(
@@ -30,7 +30,7 @@ static int test_restrict_filesystems(Manager *m, const char *unit_name, const ch
return log_unit_error_errno(u, r, "Failed to parse RestrictFileSystems: %m");
}
- assert_se(exec_start = strjoin("cat ", file_path));
+ ASSERT_NOT_NULL(exec_start = strjoin("cat ", file_path));
r = config_parse_exec(u->id, "filename", 1, "Service", 1, "ExecStart",
SERVICE_EXEC_START, exec_start, SERVICE(u)->exec_command, u);
if (r < 0)
@@ -84,19 +84,19 @@ int main(int argc, char *argv[]) {
ASSERT_OK(get_testdata_dir("units", &unit_dir));
ASSERT_OK(setenv_unit_path(unit_dir));
- assert_se(runtime_dir = setup_fake_runtime_dir());
+ ASSERT_NOT_NULL(runtime_dir = setup_fake_runtime_dir());
ASSERT_OK(manager_new(RUNTIME_SCOPE_SYSTEM, MANAGER_TEST_RUN_BASIC, &m));
ASSERT_OK(manager_startup(m, NULL, NULL, NULL));
/* We need to enable access to the filesystem where the binary is so we
* add @common-block and @application */
- ASSERT_LT(test_restrict_filesystems(m, "restrict_filesystems_test.service", "/sys/kernel/tracing/printk_formats", STRV_MAKE("@common-block", "@application")), 0);
+ ASSERT_FAIL(test_restrict_filesystems(m, "restrict_filesystems_test.service", "/sys/kernel/tracing/printk_formats", STRV_MAKE("@common-block", "@application")));
ASSERT_OK(test_restrict_filesystems(m, "restrict_filesystems_test.service", "/sys/kernel/tracing/printk_formats", STRV_MAKE("tracefs", "@common-block", "@application")));
- ASSERT_LT(test_restrict_filesystems(m, "restrict_filesystems_test.service", "/sys/kernel/tracing/printk_formats", STRV_MAKE("tracefs", "@common-block", "@application", "~tracefs")), 0);
- ASSERT_LT(test_restrict_filesystems(m, "restrict_filesystems_test.service", "/sys/kernel/debug/sleep_time", STRV_MAKE("@common-block", "@application")), 0);
+ ASSERT_FAIL(test_restrict_filesystems(m, "restrict_filesystems_test.service", "/sys/kernel/tracing/printk_formats", STRV_MAKE("tracefs", "@common-block", "@application", "~tracefs")));
+ ASSERT_FAIL(test_restrict_filesystems(m, "restrict_filesystems_test.service", "/sys/kernel/debug/sleep_time", STRV_MAKE("@common-block", "@application")));
ASSERT_OK(test_restrict_filesystems(m, "restrict_filesystems_test.service", "/sys/kernel/debug/sleep_time", STRV_MAKE("debugfs", "@common-block", "@application")));
- ASSERT_LT(test_restrict_filesystems(m, "restrict_filesystems_test.service", "/sys/kernel/debug/sleep_time", STRV_MAKE("~debugfs")), 0);
+ ASSERT_FAIL(test_restrict_filesystems(m, "restrict_filesystems_test.service", "/sys/kernel/debug/sleep_time", STRV_MAKE("~debugfs")));
return 0;
}
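Review bot: The `ASSERT_FAIL(...)` deny cases in main() pass on any negative return, and test_restrict_filesystems() also returns a negative errno for setup problems, such as the `Failed to parse RestrictFileSystems` path visible in the earlier hunk. A deny case can therefore succeed without the filesystem restriction ever being exercised. The replaced `ASSERT_LT(..., 0)` form had the same weakness, so this is not a regression, but it deserves a comment above the first deny case: `/* NOTE: any negative return passes here, including setup errors unrelated to the BPF filter */`. If the part of the helper not shown here allows it, returning a distinct error for the denied read and asserting on that value would make the negative cases meaningful. main() begins outside this hunk and most of test_restrict_filesystems() is not visible.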
From 926f5ab6bf0e3541106e6a6f95af4cbdec50582b Mon Sep 17 00:00:00 2001
From: cvlc12 <97767846+cvlc12@users.noreply.github.com>
Date: Wed, 11 Dec 2024 22:09:11 +0100
Subject: [PATCH] man: update example in systemd-measure.xml (#35506)
In the example from systemd-measure(1), do not bind to PCR 7 in
addition to the PCR policy.
As long as this is still done by default, see #35280.
(cherry picked from commit 693038fce47a819c5eebeb4fce39c9ac991acf84)
---
man/systemd-measure.xml | 1 +
1 file changed, 1 insertion(+)
diff --git a/man/systemd-measure.xml b/man/systemd-measure.xml
index 5d697dd62f..368c94f700 100644
--- a/man/systemd-measure.xml
+++ b/man/systemd-measure.xml
@@ -328,6 +328,7 @@ $ ukify build \
<programlisting># systemd-cryptenroll --tpm2-device=auto \
--tpm2-public-key=tpm2-pcr-public-key.pem \
--tpm2-signature=tpm2-pcr-signature.json \
+ --tpm2-pcrs="" \
/dev/sda5</programlisting>
<para>And then unlock the device with the signature:</para>
From df38ba869ceaf15ee7d5962660d644403c068f7a Mon Sep 17 00:00:00 2001
From: Carlo Teubner <carlo@cteubner.net>
Date: Wed, 11 Dec 2024 22:40:07 +0000
Subject: [PATCH] systemd-cryptenroll.xml: fix typo
(cherry picked from commit dfbd4d8bc5f18746051929e32f772078d6782e90)
---
man/systemd-cryptenroll.xml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/man/systemd-cryptenroll.xml b/man/systemd-cryptenroll.xml
index f3c23adfd0..fb36f455ba 100644
--- a/man/systemd-cryptenroll.xml
+++ b/man/systemd-cryptenroll.xml
@@ -634,7 +634,7 @@
<para>Note the difference between <option>--tpm2-pcrs=</option> and
<option>--tpm2-public-key-pcrs=</option>: the former binds decryption to the current, specific PCR
values; the latter binds decryption to any set of PCR values for which a signature by the specified
- public key can be provided. The latter is hence more useful in scenarios where software updates shell
+ public key can be provided. The latter is hence more useful in scenarios where software updates shall
be possible without losing access to all previously encrypted LUKS2 volumes. Like with
<option>--tpm2-pcrs=</option>, names defined in the table above can also be used to specify the
registers, for instance
From e768cf55b19caec6c8936050b245f398aba8b884 Mon Sep 17 00:00:00 2001
From: Luca Boccassi <luca.boccassi@gmail.com>
Date: Wed, 11 Dec 2024 20:44:25 +0000
Subject: [PATCH] semaphore: skip some tests
semaphore CI runs are always very close to the limit of 1hr, and often
time out when it's particularly oversubscribed.
Skip some low-value test cases to shorten the runtime.
(cherry picked from commit e19cae12ff2e832ce7d79aa483e1aa27ed0ea1f4)
---
.semaphore/semaphore-runner.sh | 3 +++
1 file changed, 3 insertions(+)
diff --git a/.semaphore/semaphore-runner.sh b/.semaphore/semaphore-runner.sh
index e903ced70d..b663674652 100755
--- a/.semaphore/semaphore-runner.sh
+++ b/.semaphore/semaphore-runner.sh
@@ -109,6 +109,9 @@ EOF
--env DPKG_DEB_COMPRESSOR_TYPE="none" \
--env DEB_BUILD_PROFILES="pkg.systemd.upstream noudeb nodoc" \
--env TEST_UPSTREAM=1 \
+ --skip-test localed-locale \
+ --skip-test localed-x11-keymap \
+ --skip-test build-with-static-libsystemd \
../systemd_*.dsc \
-o "$ARTIFACTS_DIR" \
-- lxc -s "$CONTAINER" \
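Review bot: The three added `--skip-test` options have no explanation in the script itself; the reason (the 1hr CI limit) is recorded only in the commit message, so a later reader cannot tell whether these tests are broken or merely slow. Because the options sit inside a backslash-continued command, a comment cannot go between them and has to be placed above the command, which starts outside this hunk: `# Skip low-value tests (localed-*, build-with-static-libsystemd) to stay under the 1h job limit`. Noting there that the skips reduce coverage only on this CI job would also help when the time budget changes.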